use ATM model from training run classification_1664426242_47bf526e

.github/workflows/atm-check-queries-run.yml

@@ -1,13 +0,0 @@
-name: ATM Check Queries Run
-
-# This check is required, therefore we must run it on all PRs, even if only Markdown has changed.
-on:
-  workflow_dispatch:
-
-jobs:
-  hello-world:
-    runs-on: ubuntu-latest
-
-    steps:
-      - name: foo
-        run: echo "Hello world"

.github/workflows/go-tests.yml

@@ -43,7 +43,7 @@ jobs:
           env QHELP_OUT_DIR=qhelp-out make qhelp-to-markdown
 
       - name: Upload qhelp markdown
-        uses: actions/upload-artifact@v3
+        uses: actions/upload-artifact@v2
         with:
           name: qhelp-markdown
           path: go/qhelp-out/**/*.md

.github/workflows/qhelp-pr-preview.yml

@@ -27,7 +27,7 @@ on:
       - main
       - "rc/*"
     paths:
-      - "**/*.qhelp"
+      - "ruby/**/*.qhelp"
 
 jobs:
   qhelp:
@@ -52,7 +52,7 @@ jobs:
         id: changes
         run: |
           (git diff -z --name-only --diff-filter=ACMRT HEAD~1 HEAD | grep -z '.qhelp$' | grep -z -v '.inc.qhelp';
-           git diff -z --name-only --diff-filter=ACMRT HEAD~1 HEAD | grep -z '.inc.qhelp$' | xargs --null -rn1 basename -z | xargs --null -rn1 git grep -z -l) |
+           git diff -z --name-only --diff-filter=ACMRT HEAD~1 HEAD | grep -z '.inc.qhelp$' | xargs --null -rn1 basename | xargs --null -rn1 git grep -z -l) |
            grep -z '.qhelp$' | grep -z -v '^-' | sort -z -u > "${RUNNER_TEMP}/paths.txt"
 
       - name: QHelp preview

.github/workflows/swift-autobuilder.yml

@@ -1,27 +0,0 @@
-name: "Swift: Build and test Xcode autobuilder"
-
-on:
-  pull_request:
-    paths:
-      - "swift/xcode-autobuilder/**"
-      - "misc/bazel/**"
-      - "*.bazel*"
-      - .github/workflows/swift-autobuilder.yml
-    branches:
-      - main
-
-jobs:
-  autobuilder:
-    runs-on: macos-latest
-    steps:
-      - uses: actions/checkout@v3
-      - uses: bazelbuild/setup-bazelisk@v2
-      - uses: actions/setup-python@v4
-        with:
-          python-version-file: 'swift/.python-version'
-      - name: Build the Xcode autobuilder
-        run: |
-          bazel build //swift/xcode-autobuilder
-      - name: Test the Xcode autobuilder
-        run: |
-          bazel test //swift/xcode-autobuilder/tests

.github/workflows/swift-codegen.yml

@@ -10,9 +10,6 @@ on:
       - .github/actions/fetch-codeql/action.yml
     branches:
       - main
-defaults:
-  run:
-    working-directory: swift
 
 jobs:
   codegen:
@@ -21,9 +18,7 @@ jobs:
       - uses: actions/checkout@v3
       - uses: ./.github/actions/fetch-codeql
       - uses: bazelbuild/setup-bazelisk@v2
-      - uses: actions/setup-python@v4
-        with:
-          python-version-file: 'swift/.python-version'
+      - uses: actions/setup-python@v3
       - uses: pre-commit/action@v3.0.0
         name: Check that python code is properly formatted
         with:

.github/workflows/swift-integration-tests.yml

@@ -28,9 +28,7 @@ jobs:
       - uses: actions/checkout@v3
       - uses: ./.github/actions/fetch-codeql
       - uses: bazelbuild/setup-bazelisk@v2
-      - uses: actions/setup-python@v4
-        with:
-          python-version-file: 'swift/.python-version'
+      - uses: actions/setup-python@v3
       - name: Build Swift extractor
         run: |
           bazel run //swift:create-extractor-pack

.github/workflows/swift-qltest.yml

@@ -23,30 +23,16 @@ jobs:
       - uses: ./.github/actions/fetch-codeql
       - name: Check QL formatting
         run: find ql "(" -name "*.ql" -or -name "*.qll" ")" -print0 | xargs -0 codeql query format --check-only
-  qltest-test:
-    runs-on: ubuntu-latest
-    steps:
-      - uses: actions/checkout@v3
-      - uses: bazelbuild/setup-bazelisk@v2
-      - uses: actions/setup-python@v4
-        with:
-          python-version-file: 'swift/.python-version'
-      - name: Test qltest.sh
-        run: |
-          bazel test //swift/tools/test/qltest
   qltest:
     runs-on: ${{ matrix.os }}
     strategy:
       fail-fast: false
       matrix:
-        os: [ ubuntu-20.04, macos-latest ]
+        os : [ubuntu-20.04, macos-latest]
     steps:
       - uses: actions/checkout@v3
       - uses: ./.github/actions/fetch-codeql
       - uses: bazelbuild/setup-bazelisk@v2
-      - uses: actions/setup-python@v4
-        with:
-          python-version-file: 'swift/.python-version'
       - name: Build Swift extractor
         run: |
           bazel run //swift:create-extractor-pack

CODEOWNERS

@@ -20,9 +20,9 @@
 /java/ql/src/semmle/code/java/dataflow/internal/tainttracking2/TaintTrackingImpl.qll @github/codeql-java @github/codeql-go
 
 # CodeQL tools and associated docs
-/docs/codeql/codeql-cli/ @github/codeql-cli-reviewers
-/docs/codeql/codeql-for-visual-studio-code/ @github/codeql-vscode-reviewers
-/docs/codeql/ql-language-reference/ @github/codeql-frontend-reviewers
+/docs/codeql-cli/ @github/codeql-cli-reviewers
+/docs/codeql-for-visual-studio-code/ @github/codeql-vscode-reviewers
+/docs/ql-language-reference/ @github/codeql-frontend-reviewers
 /docs/query-*-style-guide.md @github/codeql-analysis-reviewers
 
 # QL for QL reviewers

README.md

@@ -4,7 +4,8 @@ This open source repository contains the standard CodeQL libraries and queries t
 
 ## How do I learn CodeQL and run queries?
 
-There is [extensive documentation](https://codeql.github.com/docs/) on getting started with writing CodeQL using the [CodeQL extension for Visual Studio Code](https://codeql.github.com/docs/codeql-for-visual-studio-code/) and the [CodeQL CLI](https://codeql.github.com/docs/codeql-cli/).
+There is [extensive documentation](https://codeql.github.com/docs/) on getting started with writing CodeQL.
+You can use the [CodeQL for Visual Studio Code](https://codeql.github.com/docs/codeql-for-visual-studio-code/) extension or the [interactive query console](https://lgtm.com/help/lgtm/using-query-console) on LGTM.com (Semmle Legacy product) to try out your queries on any open source project that's currently being analyzed.
 
 ## Contributing
 

config/identical-files.json

@@ -33,9 +33,8 @@
     "python/ql/lib/semmle/python/dataflow/new/internal/DataFlowImpl4.qll",
     "ruby/ql/lib/codeql/ruby/dataflow/internal/DataFlowImpl.qll",
     "ruby/ql/lib/codeql/ruby/dataflow/internal/DataFlowImpl2.qll",
-    "ruby/ql/lib/codeql/ruby/dataflow/internal/DataFlowImplForRegExp.qll",
+    "ruby/ql/lib/codeql/ruby/dataflow/internal/DataFlowImplForLibraries.qll",
     "ruby/ql/lib/codeql/ruby/dataflow/internal/DataFlowImplForHttpClientLibraries.qll",
-    "ruby/ql/lib/codeql/ruby/dataflow/internal/DataFlowImplForPathname.qll",
     "swift/ql/lib/codeql/swift/dataflow/internal/DataFlowImpl.qll"
   ],
   "DataFlow Java/C++/C#/Python Common": [
@@ -70,6 +69,7 @@
     "python/ql/lib/semmle/python/dataflow/new/internal/tainttracking3/TaintTrackingImpl.qll",
     "python/ql/lib/semmle/python/dataflow/new/internal/tainttracking4/TaintTrackingImpl.qll",
     "ruby/ql/lib/codeql/ruby/dataflow/internal/tainttracking1/TaintTrackingImpl.qll",
+    "ruby/ql/lib/codeql/ruby/dataflow/internal/tainttrackingforlibraries/TaintTrackingImpl.qll",
     "swift/ql/lib/codeql/swift/dataflow/internal/tainttracking1/TaintTrackingImpl.qll"
   ],
   "DataFlow Java/C++/C#/Python Consistency checks": [

cpp/ql/lib/CHANGELOG.md

@@ -1,26 +1,3 @@
-## 0.4.2
-
-No user-facing changes.
-
-## 0.4.1
-
-No user-facing changes.
-
-## 0.4.0
-
-### Deprecated APIs
-
-* Some classes/modules with upper-case acronyms in their name have been renamed to follow our style-guide. 
-  The old name still exists as a deprecated alias.
-
-### New Features
-
-* Added subclasses of `BuiltInOperations` for `__is_same`, `__is_function`, `__is_layout_compatible`, `__is_pointer_interconvertible_base_of`, `__is_array`, `__array_rank`, `__array_extent`, `__is_arithmetic`, `__is_complete_type`, `__is_compound`, `__is_const`, `__is_floating_point`, `__is_fundamental`, `__is_integral`, `__is_lvalue_reference`, `__is_member_function_pointer`, `__is_member_object_pointer`, `__is_member_pointer`, `__is_object`, `__is_pointer`, `__is_reference`, `__is_rvalue_reference`, `__is_scalar`, `__is_signed`, `__is_unsigned`, `__is_void`, and `__is_volatile`.
-
-### Bug Fixes
-
-* Fixed an issue in the taint tracking analysis where implicit reads were not allowed by default in sinks or additional taint steps that used flow states.
-
 ## 0.3.5
 
 ## 0.3.4

cpp/ql/lib/change-notes/2022-09-06-additional-builtin-support.md

@@ -1,14 +1,4 @@
-## 0.4.0
-
-### Deprecated APIs
-
-* Some classes/modules with upper-case acronyms in their name have been renamed to follow our style-guide. 
-  The old name still exists as a deprecated alias.
-
-### New Features
-
+---
+category: feature
+---
 * Added subclasses of `BuiltInOperations` for `__is_same`, `__is_function`, `__is_layout_compatible`, `__is_pointer_interconvertible_base_of`, `__is_array`, `__array_rank`, `__array_extent`, `__is_arithmetic`, `__is_complete_type`, `__is_compound`, `__is_const`, `__is_floating_point`, `__is_fundamental`, `__is_integral`, `__is_lvalue_reference`, `__is_member_function_pointer`, `__is_member_object_pointer`, `__is_member_pointer`, `__is_object`, `__is_pointer`, `__is_reference`, `__is_rvalue_reference`, `__is_scalar`, `__is_signed`, `__is_unsigned`, `__is_void`, and `__is_volatile`.
-
-### Bug Fixes
-
-* Fixed an issue in the taint tracking analysis where implicit reads were not allowed by default in sinks or additional taint steps that used flow states.

cpp/ql/lib/change-notes/2022-09-08-implicit-read-flowstates.md

@@ -0,0 +1,4 @@
+---
+category: fix
+---
+* Fixed an issue in the taint tracking analysis where implicit reads were not allowed by default in sinks or additional taint steps that used flow states.

cpp/ql/lib/change-notes/2022-09-12-uppercase.md

@@ -1,6 +1,5 @@
-## 0.3.0
-
-### Deprecated APIs
-
+---
+category: deprecated
+---
 * Some classes/modules with upper-case acronyms in their name have been renamed to follow our style-guide. 
-  The old name still exists as a deprecated alias.
+  The old name still exists as a deprecated alias.

cpp/ql/lib/change-notes/released/0.4.1.md

@@ -1,3 +0,0 @@
-## 0.4.1
-
-No user-facing changes.

cpp/ql/lib/change-notes/released/0.4.2.md

@@ -1,3 +0,0 @@
-## 0.4.2
-
-No user-facing changes.

cpp/ql/lib/codeql-pack.release.yml

@@ -1,2 +1,2 @@
 ---
-lastReleaseVersion: 0.4.2
+lastReleaseVersion: 0.3.5

cpp/ql/lib/experimental/semmle/code/cpp/dataflow/ProductFlow.qll

@@ -20,8 +20,7 @@ module ProductFlow {
      * `source1` and `source2` must belong to the same callable.
      */
     predicate isSourcePair(
-      DataFlow::Node source1, DataFlow::FlowState state1, DataFlow::Node source2,
-      DataFlow::FlowState state2
+      DataFlow::Node source1, string state1, DataFlow::Node source2, string state2
     ) {
       state1 = "" and
       state2 = "" and
@@ -50,101 +49,6 @@ module ProductFlow {
       this.isSinkPair(sink1, sink2)
     }
 
-    /**
-     * Holds if data flow through `node` is prohibited through the first projection of the product
-     * dataflow graph when the flow state is `state`.
-     */
-    predicate isBarrier1(DataFlow::Node node, DataFlow::FlowState state) {
-      this.isBarrier1(node) and state = ""
-    }
-
-    /**
-     * Holds if data flow through `node` is prohibited through the second projection of the product
-     * dataflow graph when the flow state is `state`.
-     */
-    predicate isBarrier2(DataFlow::Node node, DataFlow::FlowState state) {
-      this.isBarrier2(node) and state = ""
-    }
-
-    /**
-     * Holds if data flow through `node` is prohibited through the first projection of the product
-     * dataflow graph.
-     */
-    predicate isBarrier1(DataFlow::Node node) { none() }
-
-    /**
-     * Holds if data flow through `node` is prohibited through the second projection of the product
-     * dataflow graph.
-     */
-    predicate isBarrier2(DataFlow::Node node) { none() }
-
-    /**
-     * Holds if data flow out of `node` is prohibited in the first projection of the product
-     * dataflow graph.
-     */
-    predicate isBarrierOut1(DataFlow::Node node) { none() }
-
-    /**
-     * Holds if data flow out of `node` is prohibited in the second projection of the product
-     * dataflow graph.
-     */
-    predicate isBarrierOut2(DataFlow::Node node) { none() }
-
-    /*
-     * Holds if data may flow from `node1` to `node2` in addition to the normal data-flow steps in
-     * the first projection of the product dataflow graph.
-     */
-
-    predicate isAdditionalFlowStep1(DataFlow::Node node1, DataFlow::Node node2) { none() }
-
-    /**
-     * Holds if data may flow from `node1` to `node2` in addition to the normal data-flow steps in
-     * the first projection of the product dataflow graph.
-     *
-     * This step is only applicable in `state1` and updates the flow state to `state2`.
-     */
-    predicate isAdditionalFlowStep1(
-      DataFlow::Node node1, DataFlow::FlowState state1, DataFlow::Node node2,
-      DataFlow::FlowState state2
-    ) {
-      state1 instanceof DataFlow::FlowStateEmpty and
-      state2 instanceof DataFlow::FlowStateEmpty and
-      this.isAdditionalFlowStep1(node1, node2)
-    }
-
-    /**
-     * Holds if data may flow from `node1` to `node2` in addition to the normal data-flow steps in
-     * the second projection of the product dataflow graph.
-     */
-    predicate isAdditionalFlowStep2(DataFlow::Node node1, DataFlow::Node node2) { none() }
-
-    /**
-     * Holds if data may flow from `node1` to `node2` in addition to the normal data-flow steps in
-     * the second projection of the product dataflow graph.
-     *
-     * This step is only applicable in `state1` and updates the flow state to `state2`.
-     */
-    predicate isAdditionalFlowStep2(
-      DataFlow::Node node1, DataFlow::FlowState state1, DataFlow::Node node2,
-      DataFlow::FlowState state2
-    ) {
-      state1 instanceof DataFlow::FlowStateEmpty and
-      state2 instanceof DataFlow::FlowStateEmpty and
-      this.isAdditionalFlowStep2(node1, node2)
-    }
-
-    /**
-     * Holds if data flow into `node` is prohibited in the first projection of the product
-     * dataflow graph.
-     */
-    predicate isBarrierIn1(DataFlow::Node node) { none() }
-
-    /**
-     * Holds if data flow into `node` is prohibited in the second projection of the product
-     * dataflow graph.
-     */
-    predicate isBarrierIn2(DataFlow::Node node) { none() }
-
     predicate hasFlowPath(
       DataFlow::PathNode source1, DataFlow2::PathNode source2, DataFlow::PathNode sink1,
       DataFlow2::PathNode sink2
@@ -159,78 +63,38 @@ module ProductFlow {
     class Conf1 extends DataFlow::Configuration {
       Conf1() { this = "Conf1" }
 
-      override predicate isSource(DataFlow::Node source, DataFlow::FlowState state) {
+      override predicate isSource(DataFlow::Node source, string state) {
         exists(Configuration conf | conf.isSourcePair(source, state, _, _))
       }
 
-      override predicate isSink(DataFlow::Node sink, DataFlow::FlowState state) {
+      override predicate isSink(DataFlow::Node sink, string state) {
         exists(Configuration conf | conf.isSinkPair(sink, state, _, _))
       }
-
-      override predicate isBarrier(DataFlow::Node node, DataFlow::FlowState state) {
-        exists(Configuration conf | conf.isBarrier1(node, state))
-      }
-
-      override predicate isBarrierOut(DataFlow::Node node) {
-        exists(Configuration conf | conf.isBarrierOut1(node))
-      }
-
-      override predicate isAdditionalFlowStep(
-        DataFlow::Node node1, DataFlow::FlowState state1, DataFlow::Node node2,
-        DataFlow::FlowState state2
-      ) {
-        exists(Configuration conf | conf.isAdditionalFlowStep1(node1, state1, node2, state2))
-      }
-
-      override predicate isBarrierIn(DataFlow::Node node) {
-        exists(Configuration conf | conf.isBarrierIn1(node))
-      }
     }
 
     class Conf2 extends DataFlow2::Configuration {
       Conf2() { this = "Conf2" }
 
-      override predicate isSource(DataFlow::Node source, DataFlow::FlowState state) {
-        exists(Configuration conf, DataFlow::PathNode source1 |
-          conf.isSourcePair(source1.getNode(), source1.getState(), source, state) and
-          any(Conf1 c).hasFlowPath(source1, _)
+      override predicate isSource(DataFlow::Node source, string state) {
+        exists(Configuration conf, DataFlow::Node source1 |
+          conf.isSourcePair(source1, _, source, state) and
+          any(Conf1 c).hasFlow(source1, _)
         )
       }
 
-      override predicate isSink(DataFlow::Node sink, DataFlow::FlowState state) {
-        exists(Configuration conf, DataFlow::PathNode sink1 |
-          conf.isSinkPair(sink1.getNode(), sink1.getState(), sink, state) and
-          any(Conf1 c).hasFlowPath(_, sink1)
+      override predicate isSink(DataFlow::Node sink, string state) {
+        exists(Configuration conf, DataFlow::Node sink1 |
+          conf.isSinkPair(sink1, _, sink, state) and any(Conf1 c).hasFlow(_, sink1)
         )
       }
-
-      override predicate isBarrier(DataFlow::Node node, DataFlow::FlowState state) {
-        exists(Configuration conf | conf.isBarrier2(node, state))
-      }
-
-      override predicate isBarrierOut(DataFlow::Node node) {
-        exists(Configuration conf | conf.isBarrierOut2(node))
-      }
-
-      override predicate isAdditionalFlowStep(
-        DataFlow::Node node1, DataFlow::FlowState state1, DataFlow::Node node2,
-        DataFlow::FlowState state2
-      ) {
-        exists(Configuration conf | conf.isAdditionalFlowStep2(node1, state1, node2, state2))
-      }
-
-      override predicate isBarrierIn(DataFlow::Node node) {
-        exists(Configuration conf | conf.isBarrierIn2(node))
-      }
     }
   }
 
-  pragma[nomagic]
   private predicate reachableInterprocEntry(
     Configuration conf, DataFlow::PathNode source1, DataFlow2::PathNode source2,
     DataFlow::PathNode node1, DataFlow2::PathNode node2
   ) {
-    conf.isSourcePair(node1.getNode(), node1.getState(), node2.getNode(), node2.getState()) and
+    conf.isSourcePair(node1.getNode(), _, node2.getNode(), _) and
     node1 = source1 and
     node2 = source2
     or
@@ -293,7 +157,7 @@ module ProductFlow {
   ) {
     exists(DataFlow::PathNode mid1, DataFlow2::PathNode mid2 |
       reachableInterprocEntry(conf, source1, source2, mid1, mid2) and
-      conf.isSinkPair(sink1.getNode(), sink1.getState(), sink2.getNode(), sink2.getState()) and
+      conf.isSinkPair(sink1.getNode(), _, sink2.getNode(), _) and
       localPathStep1*(mid1, sink1) and
       localPathStep2*(mid2, sink2)
     )

cpp/ql/lib/experimental/semmle/code/cpp/ir/dataflow/internal/DataFlowImpl.qll

@@ -163,9 +163,7 @@ abstract class Configuration extends string {
   /**
    * Holds if data may flow from some source to `sink` for this configuration.
    */
-  predicate hasFlowTo(Node sink) {
-    sink = any(PathNodeSink n | this = n.getConfiguration()).getNodeEx().asNode()
-  }
+  predicate hasFlowTo(Node sink) { this.hasFlow(_, sink) }
 
   /**
    * Holds if data may flow from some source to `sink` for this configuration.
@@ -560,16 +558,13 @@ private predicate expectsContentEx(NodeEx n, Content c) {
 pragma[nomagic]
 private predicate notExpectsContent(NodeEx n) { not expectsContentCached(n.asNode(), _) }
 
-pragma[nomagic]
-private predicate hasReadStep(Content c, Configuration config) { read(_, c, _, config) }
-
 pragma[nomagic]
 private predicate store(
   NodeEx node1, TypedContent tc, NodeEx node2, DataFlowType contentType, Configuration config
 ) {
   store(pragma[only_bind_into](node1.asNode()), tc, pragma[only_bind_into](node2.asNode()),
     contentType) and
-  hasReadStep(tc.getContent(), config) and
+  read(_, tc.getContent(), _, config) and
   stepFilter(node1, node2, config)
 }
 
@@ -603,9 +598,13 @@ private predicate hasSinkCallCtx(Configuration config) {
 }
 
 private module Stage1 implements StageSig {
+  class ApApprox = Unit;
+
   class Ap = Unit;
 
-  private class Cc = boolean;
+  class ApOption = Unit;
+
+  class Cc = boolean;
 
   /* Begin: Stage 1 logic. */
   /**
@@ -614,7 +613,7 @@ private module Stage1 implements StageSig {
    * The Boolean `cc` records whether the node is reached through an
    * argument in a call.
    */
-  private predicate fwdFlow(NodeEx node, Cc cc, Configuration config) {
+  predicate fwdFlow(NodeEx node, Cc cc, Configuration config) {
     sourceNode(node, _, config) and
     if hasSourceCallCtx(config) then cc = true else cc = false
     or
@@ -754,7 +753,7 @@ private module Stage1 implements StageSig {
    * the enclosing callable in order to reach a sink.
    */
   pragma[nomagic]
-  private predicate revFlow(NodeEx node, boolean toReturn, Configuration config) {
+  predicate revFlow(NodeEx node, boolean toReturn, Configuration config) {
     revFlow0(node, toReturn, config) and
     fwdFlow(node, config)
   }
@@ -838,13 +837,13 @@ private module Stage1 implements StageSig {
    * by `revFlow`.
    */
   pragma[nomagic]
-  additional predicate revFlowIsReadAndStored(Content c, Configuration conf) {
+  predicate revFlowIsReadAndStored(Content c, Configuration conf) {
     revFlowConsCand(c, conf) and
     revFlowStore(c, _, _, conf)
   }
 
   pragma[nomagic]
-  additional predicate viableReturnPosOutNodeCandFwd1(
+  predicate viableReturnPosOutNodeCandFwd1(
     DataFlowCall call, ReturnPosition pos, NodeEx out, Configuration config
   ) {
     fwdFlowReturnPosition(pos, _, config) and
@@ -860,7 +859,7 @@ private module Stage1 implements StageSig {
   }
 
   pragma[nomagic]
-  additional predicate viableParamArgNodeCandFwd1(
+  predicate viableParamArgNodeCandFwd1(
     DataFlowCall call, ParamNodeEx p, ArgNodeEx arg, Configuration config
   ) {
     viableParamArgEx(call, p, arg) and
@@ -907,7 +906,7 @@ private module Stage1 implements StageSig {
     )
   }
 
-  additional predicate revFlowState(FlowState state, Configuration config) {
+  predicate revFlowState(FlowState state, Configuration config) {
     exists(NodeEx node |
       sinkNode(node, state, config) and
       revFlow(node, _, pragma[only_bind_into](config)) and
@@ -999,7 +998,7 @@ private module Stage1 implements StageSig {
     )
   }
 
-  additional predicate stats(
+  predicate stats(
     boolean fwd, int nodes, int fields, int conscand, int states, int tuples, Configuration config
   ) {
     fwd = true and
@@ -1260,7 +1259,7 @@ private module MkStage<StageSig PrevStage> {
      * argument.
      */
     pragma[nomagic]
-    additional predicate fwdFlow(
+    predicate fwdFlow(
       NodeEx node, FlowState state, Cc cc, ApOption argAp, Ap ap, Configuration config
     ) {
       fwdFlow0(node, state, cc, argAp, ap, config) and
@@ -1484,7 +1483,7 @@ private module MkStage<StageSig PrevStage> {
      * the access path of the returned value.
      */
     pragma[nomagic]
-    additional predicate revFlow(
+    predicate revFlow(
       NodeEx node, FlowState state, boolean toReturn, ApOption returnAp, Ap ap, Configuration config
     ) {
       revFlow0(node, state, toReturn, returnAp, ap, config) and
@@ -1662,7 +1661,7 @@ private module MkStage<StageSig PrevStage> {
       )
     }
 
-    additional predicate revFlow(NodeEx node, FlowState state, Configuration config) {
+    predicate revFlow(NodeEx node, FlowState state, Configuration config) {
       revFlow(node, state, _, _, _, config)
     }
 
@@ -1675,13 +1674,11 @@ private module MkStage<StageSig PrevStage> {
 
     // use an alias as a workaround for bad functionality-induced joins
     pragma[nomagic]
-    additional predicate revFlowAlias(NodeEx node, Configuration config) {
-      revFlow(node, _, _, _, _, config)
-    }
+    predicate revFlowAlias(NodeEx node, Configuration config) { revFlow(node, _, _, _, _, config) }
 
     // use an alias as a workaround for bad functionality-induced joins
     pragma[nomagic]
-    additional predicate revFlowAlias(NodeEx node, FlowState state, Ap ap, Configuration config) {
+    predicate revFlowAlias(NodeEx node, FlowState state, Ap ap, Configuration config) {
       revFlow(node, state, ap, config)
     }
 
@@ -1702,7 +1699,7 @@ private module MkStage<StageSig PrevStage> {
       )
     }
 
-    additional predicate consCand(TypedContent tc, Ap ap, Configuration config) {
+    predicate consCand(TypedContent tc, Ap ap, Configuration config) {
       revConsCand(tc, ap, config) and
       validAp(ap, config)
     }
@@ -1744,7 +1741,7 @@ private module MkStage<StageSig PrevStage> {
       )
     }
 
-    additional predicate stats(
+    predicate stats(
       boolean fwd, int nodes, int fields, int conscand, int states, int tuples, Configuration config
     ) {
       fwd = true and
@@ -2929,15 +2926,10 @@ abstract private class PathNodeImpl extends PathNode {
     result = this.getASuccessorImpl()
   }
 
-  pragma[nomagic]
-  private PathNodeImpl getANonHiddenSuccessor0() {
-    result = this.getASuccessorIfHidden*() and
-    not result.isHidden()
-  }
-
   final PathNodeImpl getANonHiddenSuccessor() {
-    result = this.getASuccessorImpl().getANonHiddenSuccessor0() and
-    not this.isHidden()
+    result = this.getASuccessorImpl().getASuccessorIfHidden*() and
+    not this.isHidden() and
+    not result.isHidden()
   }
 
   abstract NodeEx getNodeEx();

cpp/ql/lib/experimental/semmle/code/cpp/ir/dataflow/internal/DataFlowImpl2.qll

@@ -163,9 +163,7 @@ abstract class Configuration extends string {
   /**
    * Holds if data may flow from some source to `sink` for this configuration.
    */
-  predicate hasFlowTo(Node sink) {
-    sink = any(PathNodeSink n | this = n.getConfiguration()).getNodeEx().asNode()
-  }
+  predicate hasFlowTo(Node sink) { this.hasFlow(_, sink) }
 
   /**
    * Holds if data may flow from some source to `sink` for this configuration.
@@ -560,16 +558,13 @@ private predicate expectsContentEx(NodeEx n, Content c) {
 pragma[nomagic]
 private predicate notExpectsContent(NodeEx n) { not expectsContentCached(n.asNode(), _) }
 
-pragma[nomagic]
-private predicate hasReadStep(Content c, Configuration config) { read(_, c, _, config) }
-
 pragma[nomagic]
 private predicate store(
   NodeEx node1, TypedContent tc, NodeEx node2, DataFlowType contentType, Configuration config
 ) {
   store(pragma[only_bind_into](node1.asNode()), tc, pragma[only_bind_into](node2.asNode()),
     contentType) and
-  hasReadStep(tc.getContent(), config) and
+  read(_, tc.getContent(), _, config) and
   stepFilter(node1, node2, config)
 }
 
@@ -603,9 +598,13 @@ private predicate hasSinkCallCtx(Configuration config) {
 }
 
 private module Stage1 implements StageSig {
+  class ApApprox = Unit;
+
   class Ap = Unit;
 
-  private class Cc = boolean;
+  class ApOption = Unit;
+
+  class Cc = boolean;
 
   /* Begin: Stage 1 logic. */
   /**
@@ -614,7 +613,7 @@ private module Stage1 implements StageSig {
    * The Boolean `cc` records whether the node is reached through an
    * argument in a call.
    */
-  private predicate fwdFlow(NodeEx node, Cc cc, Configuration config) {
+  predicate fwdFlow(NodeEx node, Cc cc, Configuration config) {
     sourceNode(node, _, config) and
     if hasSourceCallCtx(config) then cc = true else cc = false
     or
@@ -754,7 +753,7 @@ private module Stage1 implements StageSig {
    * the enclosing callable in order to reach a sink.
    */
   pragma[nomagic]
-  private predicate revFlow(NodeEx node, boolean toReturn, Configuration config) {
+  predicate revFlow(NodeEx node, boolean toReturn, Configuration config) {
     revFlow0(node, toReturn, config) and
     fwdFlow(node, config)
   }
@@ -838,13 +837,13 @@ private module Stage1 implements StageSig {
    * by `revFlow`.
    */
   pragma[nomagic]
-  additional predicate revFlowIsReadAndStored(Content c, Configuration conf) {
+  predicate revFlowIsReadAndStored(Content c, Configuration conf) {
     revFlowConsCand(c, conf) and
     revFlowStore(c, _, _, conf)
   }
 
   pragma[nomagic]
-  additional predicate viableReturnPosOutNodeCandFwd1(
+  predicate viableReturnPosOutNodeCandFwd1(
     DataFlowCall call, ReturnPosition pos, NodeEx out, Configuration config
   ) {
     fwdFlowReturnPosition(pos, _, config) and
@@ -860,7 +859,7 @@ private module Stage1 implements StageSig {
   }
 
   pragma[nomagic]
-  additional predicate viableParamArgNodeCandFwd1(
+  predicate viableParamArgNodeCandFwd1(
     DataFlowCall call, ParamNodeEx p, ArgNodeEx arg, Configuration config
   ) {
     viableParamArgEx(call, p, arg) and
@@ -907,7 +906,7 @@ private module Stage1 implements StageSig {
     )
   }
 
-  additional predicate revFlowState(FlowState state, Configuration config) {
+  predicate revFlowState(FlowState state, Configuration config) {
     exists(NodeEx node |
       sinkNode(node, state, config) and
       revFlow(node, _, pragma[only_bind_into](config)) and
@@ -999,7 +998,7 @@ private module Stage1 implements StageSig {
     )
   }
 
-  additional predicate stats(
+  predicate stats(
     boolean fwd, int nodes, int fields, int conscand, int states, int tuples, Configuration config
   ) {
     fwd = true and
@@ -1260,7 +1259,7 @@ private module MkStage<StageSig PrevStage> {
      * argument.
      */
     pragma[nomagic]
-    additional predicate fwdFlow(
+    predicate fwdFlow(
       NodeEx node, FlowState state, Cc cc, ApOption argAp, Ap ap, Configuration config
     ) {
       fwdFlow0(node, state, cc, argAp, ap, config) and
@@ -1484,7 +1483,7 @@ private module MkStage<StageSig PrevStage> {
      * the access path of the returned value.
      */
     pragma[nomagic]
-    additional predicate revFlow(
+    predicate revFlow(
       NodeEx node, FlowState state, boolean toReturn, ApOption returnAp, Ap ap, Configuration config
     ) {
       revFlow0(node, state, toReturn, returnAp, ap, config) and
@@ -1662,7 +1661,7 @@ private module MkStage<StageSig PrevStage> {
       )
     }
 
-    additional predicate revFlow(NodeEx node, FlowState state, Configuration config) {
+    predicate revFlow(NodeEx node, FlowState state, Configuration config) {
       revFlow(node, state, _, _, _, config)
     }
 
@@ -1675,13 +1674,11 @@ private module MkStage<StageSig PrevStage> {
 
     // use an alias as a workaround for bad functionality-induced joins
     pragma[nomagic]
-    additional predicate revFlowAlias(NodeEx node, Configuration config) {
-      revFlow(node, _, _, _, _, config)
-    }
+    predicate revFlowAlias(NodeEx node, Configuration config) { revFlow(node, _, _, _, _, config) }
 
     // use an alias as a workaround for bad functionality-induced joins
     pragma[nomagic]
-    additional predicate revFlowAlias(NodeEx node, FlowState state, Ap ap, Configuration config) {
+    predicate revFlowAlias(NodeEx node, FlowState state, Ap ap, Configuration config) {
       revFlow(node, state, ap, config)
     }
 
@@ -1702,7 +1699,7 @@ private module MkStage<StageSig PrevStage> {
       )
     }
 
-    additional predicate consCand(TypedContent tc, Ap ap, Configuration config) {
+    predicate consCand(TypedContent tc, Ap ap, Configuration config) {
       revConsCand(tc, ap, config) and
       validAp(ap, config)
     }
@@ -1744,7 +1741,7 @@ private module MkStage<StageSig PrevStage> {
       )
     }
 
-    additional predicate stats(
+    predicate stats(
       boolean fwd, int nodes, int fields, int conscand, int states, int tuples, Configuration config
     ) {
       fwd = true and
@@ -2929,15 +2926,10 @@ abstract private class PathNodeImpl extends PathNode {
     result = this.getASuccessorImpl()
   }
 
-  pragma[nomagic]
-  private PathNodeImpl getANonHiddenSuccessor0() {
-    result = this.getASuccessorIfHidden*() and
-    not result.isHidden()
-  }
-
   final PathNodeImpl getANonHiddenSuccessor() {
-    result = this.getASuccessorImpl().getANonHiddenSuccessor0() and
-    not this.isHidden()
+    result = this.getASuccessorImpl().getASuccessorIfHidden*() and
+    not this.isHidden() and
+    not result.isHidden()
   }
 
   abstract NodeEx getNodeEx();

cpp/ql/lib/experimental/semmle/code/cpp/ir/dataflow/internal/DataFlowImpl3.qll

@@ -163,9 +163,7 @@ abstract class Configuration extends string {
   /**
    * Holds if data may flow from some source to `sink` for this configuration.
    */
-  predicate hasFlowTo(Node sink) {
-    sink = any(PathNodeSink n | this = n.getConfiguration()).getNodeEx().asNode()
-  }
+  predicate hasFlowTo(Node sink) { this.hasFlow(_, sink) }
 
   /**
    * Holds if data may flow from some source to `sink` for this configuration.
@@ -560,16 +558,13 @@ private predicate expectsContentEx(NodeEx n, Content c) {
 pragma[nomagic]
 private predicate notExpectsContent(NodeEx n) { not expectsContentCached(n.asNode(), _) }
 
-pragma[nomagic]
-private predicate hasReadStep(Content c, Configuration config) { read(_, c, _, config) }
-
 pragma[nomagic]
 private predicate store(
   NodeEx node1, TypedContent tc, NodeEx node2, DataFlowType contentType, Configuration config
 ) {
   store(pragma[only_bind_into](node1.asNode()), tc, pragma[only_bind_into](node2.asNode()),
     contentType) and
-  hasReadStep(tc.getContent(), config) and
+  read(_, tc.getContent(), _, config) and
   stepFilter(node1, node2, config)
 }
 
@@ -603,9 +598,13 @@ private predicate hasSinkCallCtx(Configuration config) {
 }
 
 private module Stage1 implements StageSig {
+  class ApApprox = Unit;
+
   class Ap = Unit;
 
-  private class Cc = boolean;
+  class ApOption = Unit;
+
+  class Cc = boolean;
 
   /* Begin: Stage 1 logic. */
   /**
@@ -614,7 +613,7 @@ private module Stage1 implements StageSig {
    * The Boolean `cc` records whether the node is reached through an
    * argument in a call.
    */
-  private predicate fwdFlow(NodeEx node, Cc cc, Configuration config) {
+  predicate fwdFlow(NodeEx node, Cc cc, Configuration config) {
     sourceNode(node, _, config) and
     if hasSourceCallCtx(config) then cc = true else cc = false
     or
@@ -754,7 +753,7 @@ private module Stage1 implements StageSig {
    * the enclosing callable in order to reach a sink.
    */
   pragma[nomagic]
-  private predicate revFlow(NodeEx node, boolean toReturn, Configuration config) {
+  predicate revFlow(NodeEx node, boolean toReturn, Configuration config) {
     revFlow0(node, toReturn, config) and
     fwdFlow(node, config)
   }
@@ -838,13 +837,13 @@ private module Stage1 implements StageSig {
    * by `revFlow`.
    */
   pragma[nomagic]
-  additional predicate revFlowIsReadAndStored(Content c, Configuration conf) {
+  predicate revFlowIsReadAndStored(Content c, Configuration conf) {
     revFlowConsCand(c, conf) and
     revFlowStore(c, _, _, conf)
   }
 
   pragma[nomagic]
-  additional predicate viableReturnPosOutNodeCandFwd1(
+  predicate viableReturnPosOutNodeCandFwd1(
     DataFlowCall call, ReturnPosition pos, NodeEx out, Configuration config
   ) {
     fwdFlowReturnPosition(pos, _, config) and
@@ -860,7 +859,7 @@ private module Stage1 implements StageSig {
   }
 
   pragma[nomagic]
-  additional predicate viableParamArgNodeCandFwd1(
+  predicate viableParamArgNodeCandFwd1(
     DataFlowCall call, ParamNodeEx p, ArgNodeEx arg, Configuration config
   ) {
     viableParamArgEx(call, p, arg) and
@@ -907,7 +906,7 @@ private module Stage1 implements StageSig {
     )
   }
 
-  additional predicate revFlowState(FlowState state, Configuration config) {
+  predicate revFlowState(FlowState state, Configuration config) {
     exists(NodeEx node |
       sinkNode(node, state, config) and
       revFlow(node, _, pragma[only_bind_into](config)) and
@@ -999,7 +998,7 @@ private module Stage1 implements StageSig {
     )
   }
 
-  additional predicate stats(
+  predicate stats(
     boolean fwd, int nodes, int fields, int conscand, int states, int tuples, Configuration config
   ) {
     fwd = true and
@@ -1260,7 +1259,7 @@ private module MkStage<StageSig PrevStage> {
      * argument.
      */
     pragma[nomagic]
-    additional predicate fwdFlow(
+    predicate fwdFlow(
       NodeEx node, FlowState state, Cc cc, ApOption argAp, Ap ap, Configuration config
     ) {
       fwdFlow0(node, state, cc, argAp, ap, config) and
@@ -1484,7 +1483,7 @@ private module MkStage<StageSig PrevStage> {
      * the access path of the returned value.
      */
     pragma[nomagic]
-    additional predicate revFlow(
+    predicate revFlow(
       NodeEx node, FlowState state, boolean toReturn, ApOption returnAp, Ap ap, Configuration config
     ) {
       revFlow0(node, state, toReturn, returnAp, ap, config) and
@@ -1662,7 +1661,7 @@ private module MkStage<StageSig PrevStage> {
       )
     }
 
-    additional predicate revFlow(NodeEx node, FlowState state, Configuration config) {
+    predicate revFlow(NodeEx node, FlowState state, Configuration config) {
       revFlow(node, state, _, _, _, config)
     }
 
@@ -1675,13 +1674,11 @@ private module MkStage<StageSig PrevStage> {
 
     // use an alias as a workaround for bad functionality-induced joins
     pragma[nomagic]
-    additional predicate revFlowAlias(NodeEx node, Configuration config) {
-      revFlow(node, _, _, _, _, config)
-    }
+    predicate revFlowAlias(NodeEx node, Configuration config) { revFlow(node, _, _, _, _, config) }
 
     // use an alias as a workaround for bad functionality-induced joins
     pragma[nomagic]
-    additional predicate revFlowAlias(NodeEx node, FlowState state, Ap ap, Configuration config) {
+    predicate revFlowAlias(NodeEx node, FlowState state, Ap ap, Configuration config) {
       revFlow(node, state, ap, config)
     }
 
@@ -1702,7 +1699,7 @@ private module MkStage<StageSig PrevStage> {
       )
     }
 
-    additional predicate consCand(TypedContent tc, Ap ap, Configuration config) {
+    predicate consCand(TypedContent tc, Ap ap, Configuration config) {
       revConsCand(tc, ap, config) and
       validAp(ap, config)
     }
@@ -1744,7 +1741,7 @@ private module MkStage<StageSig PrevStage> {
       )
     }
 
-    additional predicate stats(
+    predicate stats(
       boolean fwd, int nodes, int fields, int conscand, int states, int tuples, Configuration config
     ) {
       fwd = true and
@@ -2929,15 +2926,10 @@ abstract private class PathNodeImpl extends PathNode {
     result = this.getASuccessorImpl()
   }
 
-  pragma[nomagic]
-  private PathNodeImpl getANonHiddenSuccessor0() {
-    result = this.getASuccessorIfHidden*() and
-    not result.isHidden()
-  }
-
   final PathNodeImpl getANonHiddenSuccessor() {
-    result = this.getASuccessorImpl().getANonHiddenSuccessor0() and
-    not this.isHidden()
+    result = this.getASuccessorImpl().getASuccessorIfHidden*() and
+    not this.isHidden() and
+    not result.isHidden()
   }
 
   abstract NodeEx getNodeEx();

cpp/ql/lib/experimental/semmle/code/cpp/ir/dataflow/internal/DataFlowImpl4.qll

@@ -163,9 +163,7 @@ abstract class Configuration extends string {
   /**
    * Holds if data may flow from some source to `sink` for this configuration.
    */
-  predicate hasFlowTo(Node sink) {
-    sink = any(PathNodeSink n | this = n.getConfiguration()).getNodeEx().asNode()
-  }
+  predicate hasFlowTo(Node sink) { this.hasFlow(_, sink) }
 
   /**
    * Holds if data may flow from some source to `sink` for this configuration.
@@ -560,16 +558,13 @@ private predicate expectsContentEx(NodeEx n, Content c) {
 pragma[nomagic]
 private predicate notExpectsContent(NodeEx n) { not expectsContentCached(n.asNode(), _) }
 
-pragma[nomagic]
-private predicate hasReadStep(Content c, Configuration config) { read(_, c, _, config) }
-
 pragma[nomagic]
 private predicate store(
   NodeEx node1, TypedContent tc, NodeEx node2, DataFlowType contentType, Configuration config
 ) {
   store(pragma[only_bind_into](node1.asNode()), tc, pragma[only_bind_into](node2.asNode()),
     contentType) and
-  hasReadStep(tc.getContent(), config) and
+  read(_, tc.getContent(), _, config) and
   stepFilter(node1, node2, config)
 }
 
@@ -603,9 +598,13 @@ private predicate hasSinkCallCtx(Configuration config) {
 }
 
 private module Stage1 implements StageSig {
+  class ApApprox = Unit;
+
   class Ap = Unit;
 
-  private class Cc = boolean;
+  class ApOption = Unit;
+
+  class Cc = boolean;
 
   /* Begin: Stage 1 logic. */
   /**
@@ -614,7 +613,7 @@ private module Stage1 implements StageSig {
    * The Boolean `cc` records whether the node is reached through an
    * argument in a call.
    */
-  private predicate fwdFlow(NodeEx node, Cc cc, Configuration config) {
+  predicate fwdFlow(NodeEx node, Cc cc, Configuration config) {
     sourceNode(node, _, config) and
     if hasSourceCallCtx(config) then cc = true else cc = false
     or
@@ -754,7 +753,7 @@ private module Stage1 implements StageSig {
    * the enclosing callable in order to reach a sink.
    */
   pragma[nomagic]
-  private predicate revFlow(NodeEx node, boolean toReturn, Configuration config) {
+  predicate revFlow(NodeEx node, boolean toReturn, Configuration config) {
     revFlow0(node, toReturn, config) and
     fwdFlow(node, config)
   }
@@ -838,13 +837,13 @@ private module Stage1 implements StageSig {
    * by `revFlow`.
    */
   pragma[nomagic]
-  additional predicate revFlowIsReadAndStored(Content c, Configuration conf) {
+  predicate revFlowIsReadAndStored(Content c, Configuration conf) {
     revFlowConsCand(c, conf) and
     revFlowStore(c, _, _, conf)
   }
 
   pragma[nomagic]
-  additional predicate viableReturnPosOutNodeCandFwd1(
+  predicate viableReturnPosOutNodeCandFwd1(
     DataFlowCall call, ReturnPosition pos, NodeEx out, Configuration config
   ) {
     fwdFlowReturnPosition(pos, _, config) and
@@ -860,7 +859,7 @@ private module Stage1 implements StageSig {
   }
 
   pragma[nomagic]
-  additional predicate viableParamArgNodeCandFwd1(
+  predicate viableParamArgNodeCandFwd1(
     DataFlowCall call, ParamNodeEx p, ArgNodeEx arg, Configuration config
   ) {
     viableParamArgEx(call, p, arg) and
@@ -907,7 +906,7 @@ private module Stage1 implements StageSig {
     )
   }
 
-  additional predicate revFlowState(FlowState state, Configuration config) {
+  predicate revFlowState(FlowState state, Configuration config) {
     exists(NodeEx node |
       sinkNode(node, state, config) and
       revFlow(node, _, pragma[only_bind_into](config)) and
@@ -999,7 +998,7 @@ private module Stage1 implements StageSig {
     )
   }
 
-  additional predicate stats(
+  predicate stats(
     boolean fwd, int nodes, int fields, int conscand, int states, int tuples, Configuration config
   ) {
     fwd = true and
@@ -1260,7 +1259,7 @@ private module MkStage<StageSig PrevStage> {
      * argument.
      */
     pragma[nomagic]
-    additional predicate fwdFlow(
+    predicate fwdFlow(
       NodeEx node, FlowState state, Cc cc, ApOption argAp, Ap ap, Configuration config
     ) {
       fwdFlow0(node, state, cc, argAp, ap, config) and
@@ -1484,7 +1483,7 @@ private module MkStage<StageSig PrevStage> {
      * the access path of the returned value.
      */
     pragma[nomagic]
-    additional predicate revFlow(
+    predicate revFlow(
       NodeEx node, FlowState state, boolean toReturn, ApOption returnAp, Ap ap, Configuration config
     ) {
       revFlow0(node, state, toReturn, returnAp, ap, config) and
@@ -1662,7 +1661,7 @@ private module MkStage<StageSig PrevStage> {
       )
     }
 
-    additional predicate revFlow(NodeEx node, FlowState state, Configuration config) {
+    predicate revFlow(NodeEx node, FlowState state, Configuration config) {
       revFlow(node, state, _, _, _, config)
     }
 
@@ -1675,13 +1674,11 @@ private module MkStage<StageSig PrevStage> {
 
     // use an alias as a workaround for bad functionality-induced joins
     pragma[nomagic]
-    additional predicate revFlowAlias(NodeEx node, Configuration config) {
-      revFlow(node, _, _, _, _, config)
-    }
+    predicate revFlowAlias(NodeEx node, Configuration config) { revFlow(node, _, _, _, _, config) }
 
     // use an alias as a workaround for bad functionality-induced joins
     pragma[nomagic]
-    additional predicate revFlowAlias(NodeEx node, FlowState state, Ap ap, Configuration config) {
+    predicate revFlowAlias(NodeEx node, FlowState state, Ap ap, Configuration config) {
       revFlow(node, state, ap, config)
     }
 
@@ -1702,7 +1699,7 @@ private module MkStage<StageSig PrevStage> {
       )
     }
 
-    additional predicate consCand(TypedContent tc, Ap ap, Configuration config) {
+    predicate consCand(TypedContent tc, Ap ap, Configuration config) {
       revConsCand(tc, ap, config) and
       validAp(ap, config)
     }
@@ -1744,7 +1741,7 @@ private module MkStage<StageSig PrevStage> {
       )
     }
 
-    additional predicate stats(
+    predicate stats(
       boolean fwd, int nodes, int fields, int conscand, int states, int tuples, Configuration config
     ) {
       fwd = true and
@@ -2929,15 +2926,10 @@ abstract private class PathNodeImpl extends PathNode {
     result = this.getASuccessorImpl()
   }
 
-  pragma[nomagic]
-  private PathNodeImpl getANonHiddenSuccessor0() {
-    result = this.getASuccessorIfHidden*() and
-    not result.isHidden()
-  }
-
   final PathNodeImpl getANonHiddenSuccessor() {
-    result = this.getASuccessorImpl().getANonHiddenSuccessor0() and
-    not this.isHidden()
+    result = this.getASuccessorImpl().getASuccessorIfHidden*() and
+    not this.isHidden() and
+    not result.isHidden()
   }
 
   abstract NodeEx getNodeEx();

cpp/ql/lib/experimental/semmle/code/cpp/ir/dataflow/internal/DataFlowPrivate.qll

@@ -137,7 +137,7 @@ private newtype TReturnKind =
     exists(IndirectReturnNode return, ReturnIndirectionInstruction returnInd |
       returnInd.hasIndex(argumentIndex) and
       return.getAddressOperand() = returnInd.getSourceAddressOperand() and
-      indirectionIndex = return.getIndirectionIndex()
+      indirectionIndex = return.getIndirectionIndex() - 1 // We subtract one because the return loads the value.
     )
   }
 
@@ -197,7 +197,7 @@ class ReturnIndirectionNode extends IndirectReturnNode, ReturnNode {
     exists(int argumentIndex, ReturnIndirectionInstruction returnInd |
       returnInd.hasIndex(argumentIndex) and
       this.getAddressOperand() = returnInd.getSourceAddressOperand() and
-      result = TIndirectReturnKind(argumentIndex, this.getIndirectionIndex()) and
+      result = TIndirectReturnKind(argumentIndex, this.getIndirectionIndex() - 1) and
       hasNonInitializeParameterDef(returnInd.getIRVariable())
     )
     or
@@ -241,7 +241,7 @@ private Instruction getANonConversionUse(Operand operand) {
 
 /**
  * Gets the operand that represents the first use of the value of `call` following
- * a sequence of conversion-like instructions.
+ * a sequnce of conversion-like instructions.
  */
 predicate operandForfullyConvertedCall(Operand operand, CallInstruction call) {
   exists(getANonConversionUse(operand)) and
@@ -254,7 +254,7 @@ predicate operandForfullyConvertedCall(Operand operand, CallInstruction call) {
 
 /**
  * Gets the instruction that represents the first use of the value of `call` following
- * a sequence of conversion-like instructions.
+ * a sequnce of conversion-like instructions.
  *
  * This predicate only holds if there is no suitable operand (i.e., no operand of a non-
  * conversion instruction) to use to represent the value of `call` after conversions.
@@ -365,7 +365,7 @@ predicate jumpStep(Node n1, Node n2) {
 predicate storeStep(Node node1, Content c, PostFieldUpdateNode node2) {
   exists(int indirectionIndex1, int numberOfLoads, StoreInstruction store |
     nodeHasInstruction(node1, store, pragma[only_bind_into](indirectionIndex1)) and
-    node2.getIndirectionIndex() = 1 and
+    node2.getIndirectionIndex() = 0 and
     numberOfLoadsFromOperand(node2.getFieldAddress(), store.getDestinationAddressOperand(),
       numberOfLoads)
   |
@@ -465,20 +465,20 @@ predicate clearsContent(Node n, Content c) {
 predicate expectsContent(Node n, ContentSet c) { none() }
 
 /** Gets the type of `n` used for type pruning. */
-DataFlowType getNodeType(Node n) {
+IRType getNodeType(Node n) {
   suppressUnusedNode(n) and
-  result instanceof VoidType // stub implementation
+  result instanceof IRVoidType // stub implementation
 }
 
 /** Gets a string representation of a type returned by `getNodeType`. */
-string ppReprType(DataFlowType t) { none() } // stub implementation
+string ppReprType(IRType t) { none() } // stub implementation
 
 /**
  * Holds if `t1` and `t2` are compatible, that is, whether data can flow from
  * a node of type `t1` to a node of type `t2`.
  */
 pragma[inline]
-predicate compatibleTypes(DataFlowType t1, DataFlowType t2) {
+predicate compatibleTypes(IRType t1, IRType t2) {
   any() // stub implementation
 }
 
@@ -502,7 +502,7 @@ class DataFlowCallable = Cpp::Declaration;
 
 class DataFlowExpr = Expr;
 
-class DataFlowType = Type;
+class DataFlowType = IRType;
 
 /** A function call relevant for data flow. */
 class DataFlowCall extends CallInstruction {

cpp/ql/lib/experimental/semmle/code/cpp/ir/dataflow/internal/DataFlowUtil.qll

@@ -38,12 +38,13 @@ private module Cached {
     TVariableNode(Variable var) or
     TPostFieldUpdateNode(FieldAddress operand, int indirectionIndex) {
       indirectionIndex =
-        [1 .. Ssa::countIndirectionsForCppType(operand.getObjectAddress().getResultLanguageType())]
+        [0 .. Ssa::countIndirectionsForCppType(operand.getObjectAddress().getResultLanguageType()) -
+            1]
     } or
     TSsaPhiNode(Ssa::PhiNode phi) or
     TIndirectArgumentOutNode(ArgumentOperand operand, int indirectionIndex) {
       Ssa::isModifiableByCall(operand) and
-      indirectionIndex = [1 .. Ssa::countIndirectionsForCppType(operand.getLanguageType())]
+      indirectionIndex = [0 .. Ssa::countIndirectionsForCppType(operand.getLanguageType()) - 1]
     } or
     TIndirectOperand(Operand op, int indirectionIndex) {
       Ssa::hasIndirectOperand(op, indirectionIndex)
@@ -112,7 +113,7 @@ class Node extends TIRDataFlowNode {
   Declaration getFunction() { none() } // overridden in subclasses
 
   /** Gets the type of this node. */
-  DataFlowType getType() { none() } // overridden in subclasses
+  IRType getType() { none() } // overridden in subclasses
 
   /** Gets the instruction corresponding to this node, if any. */
   Instruction asInstruction() { result = this.(InstructionNode).getInstruction() }
@@ -229,13 +230,7 @@ class Node extends TIRDataFlowNode {
   Expr asIndirectArgument() { result = this.asIndirectArgument(_) }
 
   /** Gets the positional parameter corresponding to this node, if any. */
-  Parameter asParameter() { result = this.asParameter(0) }
-
-  /**
-   * Gets the uninitialized local variable corresponding to this node, if
-   * any.
-   */
-  LocalVariable asUninitialized() { result = this.(UninitializedNode).getLocalVariable() }
+  Parameter asParameter() { result = asParameter(0) }
 
   /**
    * Gets the positional parameter corresponding to the node that represents
@@ -278,7 +273,7 @@ class Node extends TIRDataFlowNode {
   /**
    * Gets an upper bound on the type of this node.
    */
-  DataFlowType getTypeBound() { result = this.getType() }
+  IRType getTypeBound() { result = this.getType() }
 
   /** Gets the location of this element. */
   cached
@@ -327,7 +322,7 @@ class InstructionNode extends Node, TInstructionNode {
 
   override Declaration getFunction() { result = instr.getEnclosingFunction() }
 
-  override DataFlowType getType() { result = instr.getResultType() }
+  override IRType getType() { result = instr.getResultIRType() }
 
   final override Location getLocationImpl() { result = instr.getLocation() }
 
@@ -353,32 +348,13 @@ class OperandNode extends Node, TOperandNode {
 
   override Declaration getFunction() { result = op.getUse().getEnclosingFunction() }
 
-  override DataFlowType getType() { result = op.getType() }
+  override IRType getType() { result = op.getIRType() }
 
   final override Location getLocationImpl() { result = op.getLocation() }
 
   override string toStringImpl() { result = this.getOperand().toString() }
 }
 
-/**
- * Returns `t`, but stripped of the `n` outermost pointers, references, etc.
- *
- * For example, `stripPointers(int*&, 2)` is `int` and `stripPointers(int*, 0)` is `int*`.
- */
-private Type stripPointers(Type t, int n) {
-  result = t and n = 0
-  or
-  result = stripPointers(t.(PointerType).getBaseType(), n - 1)
-  or
-  result = stripPointers(t.(ArrayType).getBaseType(), n - 1)
-  or
-  result = stripPointers(t.(ReferenceType).getBaseType(), n - 1)
-  or
-  result = stripPointers(t.(PointerToMemberType).getBaseType(), n - 1)
-  or
-  result = stripPointers(t.(FunctionPointerIshType).getBaseType(), n - 1)
-}
-
 /**
  * INTERNAL: do not use.
  *
@@ -394,6 +370,8 @@ class PostFieldUpdateNode extends TPostFieldUpdateNode, PartialDefinitionNode {
 
   override Declaration getEnclosingCallable() { result = this.getFunction() }
 
+  override IRType getType() { result = fieldAddress.getIRType() }
+
   FieldAddress getFieldAddress() { result = fieldAddress }
 
   Field getUpdatedField() { result = fieldAddress.getField() }
@@ -401,8 +379,10 @@ class PostFieldUpdateNode extends TPostFieldUpdateNode, PartialDefinitionNode {
   int getIndirectionIndex() { result = indirectionIndex }
 
   override Node getPreUpdateNode() {
+    // + 1 because we're storing into an lvalue, and the original node should be the rvalue of
+    // the same address.
     hasOperandAndIndex(result, pragma[only_bind_into](fieldAddress).getObjectAddressOperand(),
-      indirectionIndex)
+      indirectionIndex + 1)
   }
 
   override Expr getDefinedExpr() {
@@ -431,26 +411,11 @@ class SsaPhiNode extends Node, TSsaPhiNode {
 
   override Declaration getFunction() { result = phi.getBasicBlock().getEnclosingFunction() }
 
-  override DataFlowType getType() { result = this.getAnInput().getType() }
+  override IRType getType() { result instanceof IRVoidType }
 
   final override Location getLocationImpl() { result = phi.getBasicBlock().getLocation() }
 
   override string toStringImpl() { result = "Phi" }
-
-  /**
-   * Gets a node that is used as input to this phi node.
-   * `fromBackEdge` is true if data flows along a back-edge,
-   * and `false` otherwise.
-   */
-  final Node getAnInput(boolean fromBackEdge) {
-    localFlowStep(result, this) and
-    if phi.getBasicBlock().dominates(getBasicBlock(result))
-    then fromBackEdge = true
-    else fromBackEdge = false
-  }
-
-  /** Gets a node that is used as input to this phi node. */
-  final Node getAnInput() { result = this.getAnInput(_) }
 }
 
 /**
@@ -474,6 +439,8 @@ class SideEffectOperandNode extends Node, IndirectOperand {
 
   override Function getFunction() { result = call.getEnclosingFunction() }
 
+  override IRType getType() { result instanceof IRVoidType }
+
   Expr getArgument() { result = call.getArgument(argumentIndex).getUnconvertedResultExpression() }
 }
 
@@ -496,6 +463,8 @@ class IndirectParameterNode extends Node, IndirectInstruction {
 
   override Function getFunction() { result = this.getInstruction().getEnclosingFunction() }
 
+  override IRType getType() { result instanceof IRVoidType }
+
   override string toStringImpl() {
     result = this.getParameter().toString() + " indirection"
     or
@@ -520,6 +489,8 @@ class IndirectReturnNode extends IndirectOperand {
   Operand getAddressOperand() { result = operand }
 
   override Declaration getEnclosingCallable() { result = this.getFunction() }
+
+  override IRType getType() { result instanceof IRVoidType }
 }
 
 /**
@@ -550,7 +521,9 @@ class IndirectArgumentOutNode extends Node, TIndirectArgumentOutNode, PostUpdate
 
   override Function getFunction() { result = this.getCallInstruction().getEnclosingFunction() }
 
-  override Node getPreUpdateNode() { hasOperandAndIndex(result, operand, indirectionIndex) }
+  override IRType getType() { result instanceof IRVoidType }
+
+  override Node getPreUpdateNode() { hasOperandAndIndex(result, operand, indirectionIndex + 1) }
 
   override string toStringImpl() {
     // This string should be unique enough to be helpful but common enough to
@@ -606,38 +579,6 @@ class IndirectReturnOutNode extends Node {
   int getIndirectionIndex() { result = indirectionIndex }
 }
 
-private PointerType getGLValueType(Type t, int indirectionIndex) {
-  result.getBaseType() = stripPointers(t, indirectionIndex - 1)
-}
-
-bindingset[isGLValue]
-private DataFlowType getTypeImpl(Type t, int indirectionIndex, boolean isGLValue) {
-  if isGLValue = true
-  then
-    result = getGLValueType(t, indirectionIndex)
-    or
-    // Ideally, the above case would cover all glvalue cases. However, consider the case where
-    // the database consists only of:
-    // ```
-    // void test() {
-    //   int* x;
-    //   x = nullptr;
-    // }
-    // ```
-    // and we want to compute the type of `*x` in the assignment `x = nullptr`. Here, `x` is an lvalue
-    // of type int* (which morally is an int**). So when we call `getTypeImpl` it will be with the
-    // parameters:
-    // - t = int*
-    // - indirectionIndex = 1 (when we want to model the dataflow node corresponding to *x)
-    // - isGLValue = true
-    // In this case, `getTypeImpl(t, indirectionIndex, isGLValue)` should give back `int**`. In this
-    // case, however, `int**` does not exist in the database. So instead we return int* (which is
-    // wrong, but at least we have a type).
-    not exists(getGLValueType(t, indirectionIndex)) and
-    result = stripPointers(t, indirectionIndex - 1)
-  else result = stripPointers(t, indirectionIndex)
-}
-
 /**
  * INTERNAL: Do not use.
  *
@@ -659,11 +600,7 @@ class IndirectOperand extends Node, TIndirectOperand {
 
   override Declaration getEnclosingCallable() { result = this.getFunction() }
 
-  override DataFlowType getType() {
-    exists(boolean isGLValue | if operand.isGLValue() then isGLValue = true else isGLValue = false |
-      result = getTypeImpl(operand.getType().getUnspecifiedType(), indirectionIndex, isGLValue)
-    )
-  }
+  override IRType getType() { result = this.getOperand().getIRType() }
 
   final override Location getLocationImpl() { result = this.getOperand().getLocation() }
 
@@ -672,25 +609,6 @@ class IndirectOperand extends Node, TIndirectOperand {
   }
 }
 
-/**
- * The value of an uninitialized local variable, viewed as a node in a data
- * flow graph.
- */
-class UninitializedNode extends Node {
-  LocalVariable v;
-
-  UninitializedNode() {
-    exists(Ssa::Def def |
-      def.getDefiningInstruction() instanceof UninitializedInstruction and
-      Ssa::nodeToDefOrUse(this, def) and
-      v = def.getSourceVariable().getBaseVariable().(Ssa::BaseIRVariable).getIRVariable().getAst()
-    )
-  }
-
-  /** Gets the uninitialized local variable corresponding to this node. */
-  LocalVariable getLocalVariable() { result = v }
-}
-
 /**
  * INTERNAL: Do not use.
  *
@@ -712,11 +630,7 @@ class IndirectInstruction extends Node, TIndirectInstruction {
 
   override Declaration getEnclosingCallable() { result = this.getFunction() }
 
-  override DataFlowType getType() {
-    exists(boolean isGLValue | if instr.isGLValue() then isGLValue = true else isGLValue = false |
-      result = getTypeImpl(instr.getResultType().getUnspecifiedType(), indirectionIndex, isGLValue)
-    )
-  }
+  override IRType getType() { result = this.getInstruction().getResultIRType() }
 
   final override Location getLocationImpl() { result = this.getInstruction().getLocation() }
 
@@ -746,7 +660,7 @@ predicate exprNodeShouldBeOperand(Node node, Expr e) {
 
 /**
  * Holds if `load` is a `LoadInstruction` that is the result of evaluating `e`
- * and `node` is an `IndirectOperandNode` that should map `node.asExpr()` to `e`.
+ * and `node` is an `IndirctOperandNode` that should map `node.asExpr()` to `e`.
  *
  * We map `e` to `node.asExpr()` when `node` semantically represents the
  * same value as `load`. A subsequent flow step will flow `node` to
@@ -930,8 +844,6 @@ abstract class PostUpdateNode extends Node {
    * Gets the node before the state update.
    */
   abstract Node getPreUpdateNode();
-
-  final override DataFlowType getType() { result = this.getPreUpdateNode().getType() }
 }
 
 /**
@@ -995,7 +907,7 @@ class VariableNode extends Node, TVariableNode {
     result = v
   }
 
-  override DataFlowType getType() { result = v.getType() }
+  override IRType getType() { result.getCanonicalLanguageType().hasUnspecifiedType(v.getType(), _) }
 
   final override Location getLocationImpl() { result = v.getLocation() }
 
@@ -1148,7 +1060,7 @@ predicate simpleLocalFlowStep(Node nodeFrom, Node nodeTo) {
       store.getDestinationAddressOperand() = address
     )
     or
-    Ssa::outNodeHasAddressAndIndex(nodeFrom, address, indirectionIndex)
+    Ssa::outNodeHasAddressAndIndex(nodeFrom, address, indirectionIndex - 1)
   )
 }
 

cpp/ql/lib/experimental/semmle/code/cpp/ir/dataflow/internal/ModelUtil.qll

@@ -41,7 +41,7 @@ Node callOutput(CallInstruction call, FunctionOutput output) {
   // The side effect of a call on the value pointed to by an argument or qualifier
   exists(int index, int indirectionIndex |
     result.(IndirectArgumentOutNode).getArgumentIndex() = index and
-    result.(IndirectArgumentOutNode).getIndirectionIndex() = indirectionIndex and
+    result.(IndirectArgumentOutNode).getIndirectionIndex() + 1 = indirectionIndex and
     result.(IndirectArgumentOutNode).getCallInstruction() = call and
     output.isParameterDerefOrQualifierObject(index, indirectionIndex)
   )

cpp/ql/lib/experimental/semmle/code/cpp/ir/dataflow/internal/PrintIRLocalFlow.qll

@@ -100,7 +100,7 @@ private string getNodeProperty(DataFlow::Node node, string key) {
   or
   // Is there partial flow from a source to this node?
   // This property will only be emitted if partial flow is enabled by overriding
-  // `DataFlow::Configuration::explorationLimit()`.
+  // `DataFlow::Configration::explorationLimit()`.
   key = "pflow" and
   result =
     strictconcat(DataFlow::PartialPathNode sourceNode, DataFlow::PartialPathNode destNode, int dist,

cpp/ql/lib/experimental/semmle/code/cpp/ir/dataflow/internal/SsaInternals.qll

@@ -301,12 +301,7 @@ private predicate defToNode(Node nodeFrom, Def def) {
   nodeHasInstruction(nodeFrom, def.getDefiningInstruction(), def.getIndirectionIndex())
 }
 
-/**
- * INTERNAL: Do not use.
- *
- * Holds if `nodeFrom` is the node that correspond to the definition or use `defOrUse`.
- */
-predicate nodeToDefOrUse(Node nodeFrom, SsaDefOrUse defOrUse) {
+private predicate nodeToDefOrUse(Node nodeFrom, SsaDefOrUse defOrUse) {
   // Node -> Def
   defToNode(nodeFrom, defOrUse)
   or

cpp/ql/lib/experimental/semmle/code/cpp/ir/dataflow/internal/SsaInternalsCommon.qll

@@ -11,9 +11,7 @@ private import DataFlowUtil
  * corresponding `(Indirect)OperandNode`.
  */
 predicate ignoreOperand(Operand operand) {
-  operand = any(Instruction instr | ignoreInstruction(instr)).getAnOperand() or
-  operand = any(Instruction instr | ignoreInstruction(instr)).getAUse() or
-  operand instanceof MemoryOperand
+  operand = any(Instruction instr | ignoreInstruction(instr)).getAnOperand()
 }
 
 /**

cpp/ql/lib/experimental/semmle/code/cpp/ir/dataflow/internal/ssa0/SsaInternals.qll

@@ -36,7 +36,7 @@ private module SourceVariables {
 
     override string toString() { result = var.toString() }
 
-    override DataFlowType getType() { result = var.getType() }
+    override DataFlowType getType() { result = var.getIRType() }
   }
 
   class BaseCallVariable extends BaseSourceVariable, TBaseCallVariable {
@@ -48,7 +48,7 @@ private module SourceVariables {
 
     override string toString() { result = call.toString() }
 
-    override DataFlowType getType() { result = call.getResultType() }
+    override DataFlowType getType() { result = call.getResultIRType() }
   }
 
   private newtype TSourceVariable =

cpp/ql/lib/experimental/semmle/code/cpp/semantic/SemanticExprSpecific.qll

@@ -7,7 +7,6 @@ private import semmle.code.cpp.ir.IR as IR
 private import Semantic
 private import experimental.semmle.code.cpp.rangeanalysis.Bound as IRBound
 private import semmle.code.cpp.controlflow.IRGuards as IRGuards
-private import semmle.code.cpp.ir.ValueNumbering
 
 module SemanticExprConfig {
   class Location = Cpp::Location;
@@ -121,15 +120,7 @@ module SemanticExprConfig {
 
   newtype TSsaVariable =
     TSsaInstruction(IR::Instruction instr) { instr.hasMemoryResult() } or
-    TSsaOperand(IR::Operand op) { op.isDefinitionInexact() } or
-    TSsaPointerArithmeticGuard(IR::PointerArithmeticInstruction instr) {
-      exists(Guard g, IR::Operand use | use = instr.getAUse() |
-        g.comparesLt(use, _, _, _, _) or
-        g.comparesLt(_, use, _, _, _) or
-        g.comparesEq(use, _, _, _, _) or
-        g.comparesEq(_, use, _, _, _)
-      )
-    }
+    TSsaOperand(IR::Operand op) { op.isDefinitionInexact() }
 
   class SsaVariable extends TSsaVariable {
     string toString() { none() }
@@ -138,8 +129,6 @@ module SemanticExprConfig {
 
     IR::Instruction asInstruction() { none() }
 
-    IR::PointerArithmeticInstruction asPointerArithGuard() { none() }
-
     IR::Operand asOperand() { none() }
   }
 
@@ -155,18 +144,6 @@ module SemanticExprConfig {
     final override IR::Instruction asInstruction() { result = instr }
   }
 
-  class SsaPointerArithmeticGuard extends SsaVariable, TSsaPointerArithmeticGuard {
-    IR::PointerArithmeticInstruction instr;
-
-    SsaPointerArithmeticGuard() { this = TSsaPointerArithmeticGuard(instr) }
-
-    final override string toString() { result = instr.toString() }
-
-    final override Location getLocation() { result = instr.getLocation() }
-
-    final override IR::PointerArithmeticInstruction asPointerArithGuard() { result = instr }
-  }
-
   class SsaOperand extends SsaVariable, TSsaOperand {
     IR::Operand op;
 
@@ -191,11 +168,7 @@ module SemanticExprConfig {
     )
   }
 
-  Expr getAUse(SsaVariable v) {
-    result.(IR::LoadInstruction).getSourceValue() = v.asInstruction()
-    or
-    result = valueNumber(v.asPointerArithGuard()).getAnInstruction()
-  }
+  Expr getAUse(SsaVariable v) { result.(IR::LoadInstruction).getSourceValue() = v.asInstruction() }
 
   SemType getSsaVariableType(SsaVariable v) {
     result = getSemanticType(v.asInstruction().getResultIRType())
@@ -235,9 +208,7 @@ module SemanticExprConfig {
 
     final override predicate hasRead(SsaVariable v) {
       exists(IR::Operand operand |
-        operand.getDef() = v.asInstruction() or
-        operand.getDef() = valueNumber(v.asPointerArithGuard()).getAnInstruction()
-      |
+        operand.getDef() = v.asInstruction() and
         not operand instanceof IR::PhiInputOperand and
         operand.getUse().getBlock() = block
       )
@@ -256,9 +227,7 @@ module SemanticExprConfig {
 
     final override predicate hasRead(SsaVariable v) {
       exists(IR::PhiInputOperand operand |
-        operand.getDef() = v.asInstruction() or
-        operand.getDef() = valueNumber(v.asPointerArithGuard()).getAnInstruction()
-      |
+        operand.getDef() = v.asInstruction() and
         operand.getPredecessorBlock() = pred and
         operand.getUse().getBlock() = succ
       )

cpp/ql/lib/experimental/semmle/code/cpp/semantic/SemanticSSA.qll

@@ -10,7 +10,7 @@ class SemSsaVariable instanceof Specific::SsaVariable {
 
   final Specific::Location getLocation() { result = super.getLocation() }
 
-  final SemExpr getAUse() { result = Specific::getAUse(this) }
+  final SemLoadExpr getAUse() { result = Specific::getAUse(this) }
 
   final SemType getType() { result = Specific::getSsaVariableType(this) }
 

cpp/ql/lib/experimental/semmle/code/cpp/semantic/analysis/SignAnalysisCommon.qll

@@ -71,7 +71,7 @@ abstract class CustomSignDef extends SignDef {
  * Concrete implementations extend one of the following subclasses:
  * - `ConstantSignExpr`, for expressions with a compile-time constant value.
  * - `FlowSignExpr`, for expressions whose sign can be computed from the signs of their operands.
- * - `CustomsignExpr`, for expressions whose sign can be computed by a language-specific
+ * - `CustomsignExpr`, for expressions shose sign can be computed by a language-specific
  *   implementation.
  *
  * If the same expression matches more than one of the above subclasses, the sign is computed as

cpp/ql/lib/experimental/semmle/code/cpp/semantic/analysis/SignAnalysisSpecific.qll

@@ -11,7 +11,7 @@ private import experimental.semmle.code.cpp.semantic.Semantic
 predicate ignoreTypeRestrictions(SemExpr e) { none() }
 
 /**
- * Workaround to track the sign of certain expressions even if the type of the expression is not
+ * Workaround to track the sign of cetain expressions even if the type of the expression is not
  * numeric.
  */
 predicate trackUnknownNonNumericExpr(SemExpr e) { none() }

cpp/ql/lib/qlpack.yml

@@ -1,5 +1,5 @@
 name: codeql/cpp-all
-version: 0.4.3-dev
+version: 0.4.0-dev
 groups: cpp
 dbscheme: semmlecode.cpp.dbscheme
 extractor: cpp

cpp/ql/lib/semmle/code/cpp/Linkage.qll

@@ -1,5 +1,5 @@
 /**
- * Provides the `LinkTarget` class representing linker invocations during the build process.
+ * Proivdes the `LinkTarget` class representing linker invocations during the build process.
  */
 
 import semmle.code.cpp.Class

cpp/ql/lib/semmle/code/cpp/Variable.qll

@@ -144,7 +144,7 @@ class Variable extends Declaration, @variable {
    * `Variable.getInitializer()` to get the variable's initializer,
    * or use `Variable.getAnAssignedValue()` to get an expression that
    * is the right-hand side of an assignment or an initialization of
-   * the variable.
+   * the varible.
    */
   Assignment getAnAssignment() { result.getLValue() = this.getAnAccess() }
 
@@ -173,7 +173,7 @@ class Variable extends Declaration, @variable {
   }
 
   /**
-   * Holds if this variable is declared as part of a structured binding
+   * Holds if this variable is declated as part of a structured binding
    * declaration. For example, `x` in `auto [x, y] = ...`.
    */
   predicate isStructuredBinding() { is_structured_binding(underlyingElement(this)) }

cpp/ql/lib/semmle/code/cpp/commons/Printf.qll

@@ -76,7 +76,7 @@ class TypeBoundsAnalysis extends BufferWriteEstimationReason, TTypeBoundsAnalysi
 
 /**
  * The estimation comes from non trivial bounds found via actual flow analysis,
- * but a widening approximation might have been used for variables in loops.
+ * but a widening aproximation might have been used for variables in loops.
  * For example
  * ```
  * for (int i = 0; i < 10; ++i) {
@@ -141,7 +141,7 @@ class AttributeFormattingFunction extends FormattingFunction {
  *  - `""` is a `vprintf` variant, `outputParamIndex` is `-1`.
  *  - `"f"` is a `vfprintf` variant, `outputParamIndex` indicates the output stream parameter.
  *  - `"s"` is a `vsprintf` variant, `outputParamIndex` indicates the output buffer parameter.
- *  - `"?"` if the type cannot be determined.  `outputParamIndex` is `-1`.
+ *  - `"?"` if the type cannot be deteremined.  `outputParamIndex` is `-1`.
  */
 predicate primitiveVariadicFormatter(
   TopLevelFunction f, string type, int formatParamIndex, int outputParamIndex
@@ -198,7 +198,7 @@ private predicate callsVariadicFormatter(
  *  - `""` is a `vprintf` variant, `outputParamIndex` is `-1`.
  *  - `"f"` is a `vfprintf` variant, `outputParamIndex` indicates the output stream parameter.
  *  - `"s"` is a `vsprintf` variant, `outputParamIndex` indicates the output buffer parameter.
- *  - `"?"` if the type cannot be determined.  `outputParamIndex` is `-1`.
+ *  - `"?"` if the type cannot be deteremined.  `outputParamIndex` is `-1`.
  */
 predicate variadicFormatter(Function f, string type, int formatParamIndex, int outputParamIndex) {
   primitiveVariadicFormatter(f, type, formatParamIndex, outputParamIndex)

cpp/ql/lib/semmle/code/cpp/commons/Strcat.qll

@@ -6,7 +6,7 @@ import cpp
  * A function that concatenates the string from its second argument
  * to the string from its first argument, for example `strcat`.
  */
-deprecated class StrcatFunction extends Function {
+class StrcatFunction extends Function {
   StrcatFunction() {
     getName() =
       [

cpp/ql/lib/semmle/code/cpp/controlflow/BasicBlocks.qll

@@ -12,7 +12,7 @@ private import internal.ConstantExprs
  * relation). The refinement manifests itself in two changes:
  *
  * - The successor relation on `BasicBlock`s uses `successors_adapted`
- * (instead of `successors_extended` used by `PrimitiveBasicBlock`s). Consequently,
+ * (instead of `successors_extended` used by `PrimtiveBasicBlock`s). Consequently,
  * some edges between `BasicBlock`s may be removed. Example:
  * ```
  * x = 1;      // s1

cpp/ql/lib/semmle/code/cpp/controlflow/StackVariableReachability.qll

@@ -149,7 +149,7 @@ private predicate bbLoopEntryConditionAlwaysTrueAt(BasicBlock bb, int i, Control
 /**
  * Basic block `pred` contains all or part of the condition belonging to a loop,
  * and there is an edge from `pred` to `succ` that concludes the condition.
- * If the edge corresponds with the loop condition being found to be `true`, then
+ * If the edge corrseponds with the loop condition being found to be `true`, then
  * `skipsLoop` is `false`.  Otherwise the edge corresponds with the loop condition
  * being found to be `false` and `skipsLoop` is `true`.  Non-concluding edges
  * within a complex loop condition are not matched by this predicate.

cpp/ql/lib/semmle/code/cpp/dataflow/internal/DataFlowImpl.qll

@@ -163,9 +163,7 @@ abstract class Configuration extends string {
   /**
    * Holds if data may flow from some source to `sink` for this configuration.
    */
-  predicate hasFlowTo(Node sink) {
-    sink = any(PathNodeSink n | this = n.getConfiguration()).getNodeEx().asNode()
-  }
+  predicate hasFlowTo(Node sink) { this.hasFlow(_, sink) }
 
   /**
    * Holds if data may flow from some source to `sink` for this configuration.
@@ -560,16 +558,13 @@ private predicate expectsContentEx(NodeEx n, Content c) {
 pragma[nomagic]
 private predicate notExpectsContent(NodeEx n) { not expectsContentCached(n.asNode(), _) }
 
-pragma[nomagic]
-private predicate hasReadStep(Content c, Configuration config) { read(_, c, _, config) }
-
 pragma[nomagic]
 private predicate store(
   NodeEx node1, TypedContent tc, NodeEx node2, DataFlowType contentType, Configuration config
 ) {
   store(pragma[only_bind_into](node1.asNode()), tc, pragma[only_bind_into](node2.asNode()),
     contentType) and
-  hasReadStep(tc.getContent(), config) and
+  read(_, tc.getContent(), _, config) and
   stepFilter(node1, node2, config)
 }
 
@@ -603,9 +598,13 @@ private predicate hasSinkCallCtx(Configuration config) {
 }
 
 private module Stage1 implements StageSig {
+  class ApApprox = Unit;
+
   class Ap = Unit;
 
-  private class Cc = boolean;
+  class ApOption = Unit;
+
+  class Cc = boolean;
 
   /* Begin: Stage 1 logic. */
   /**
@@ -614,7 +613,7 @@ private module Stage1 implements StageSig {
    * The Boolean `cc` records whether the node is reached through an
    * argument in a call.
    */
-  private predicate fwdFlow(NodeEx node, Cc cc, Configuration config) {
+  predicate fwdFlow(NodeEx node, Cc cc, Configuration config) {
     sourceNode(node, _, config) and
     if hasSourceCallCtx(config) then cc = true else cc = false
     or
@@ -754,7 +753,7 @@ private module Stage1 implements StageSig {
    * the enclosing callable in order to reach a sink.
    */
   pragma[nomagic]
-  private predicate revFlow(NodeEx node, boolean toReturn, Configuration config) {
+  predicate revFlow(NodeEx node, boolean toReturn, Configuration config) {
     revFlow0(node, toReturn, config) and
     fwdFlow(node, config)
   }
@@ -838,13 +837,13 @@ private module Stage1 implements StageSig {
    * by `revFlow`.
    */
   pragma[nomagic]
-  additional predicate revFlowIsReadAndStored(Content c, Configuration conf) {
+  predicate revFlowIsReadAndStored(Content c, Configuration conf) {
     revFlowConsCand(c, conf) and
     revFlowStore(c, _, _, conf)
   }
 
   pragma[nomagic]
-  additional predicate viableReturnPosOutNodeCandFwd1(
+  predicate viableReturnPosOutNodeCandFwd1(
     DataFlowCall call, ReturnPosition pos, NodeEx out, Configuration config
   ) {
     fwdFlowReturnPosition(pos, _, config) and
@@ -860,7 +859,7 @@ private module Stage1 implements StageSig {
   }
 
   pragma[nomagic]
-  additional predicate viableParamArgNodeCandFwd1(
+  predicate viableParamArgNodeCandFwd1(
     DataFlowCall call, ParamNodeEx p, ArgNodeEx arg, Configuration config
   ) {
     viableParamArgEx(call, p, arg) and
@@ -907,7 +906,7 @@ private module Stage1 implements StageSig {
     )
   }
 
-  additional predicate revFlowState(FlowState state, Configuration config) {
+  predicate revFlowState(FlowState state, Configuration config) {
     exists(NodeEx node |
       sinkNode(node, state, config) and
       revFlow(node, _, pragma[only_bind_into](config)) and
@@ -999,7 +998,7 @@ private module Stage1 implements StageSig {
     )
   }
 
-  additional predicate stats(
+  predicate stats(
     boolean fwd, int nodes, int fields, int conscand, int states, int tuples, Configuration config
   ) {
     fwd = true and
@@ -1260,7 +1259,7 @@ private module MkStage<StageSig PrevStage> {
      * argument.
      */
     pragma[nomagic]
-    additional predicate fwdFlow(
+    predicate fwdFlow(
       NodeEx node, FlowState state, Cc cc, ApOption argAp, Ap ap, Configuration config
     ) {
       fwdFlow0(node, state, cc, argAp, ap, config) and
@@ -1484,7 +1483,7 @@ private module MkStage<StageSig PrevStage> {
      * the access path of the returned value.
      */
     pragma[nomagic]
-    additional predicate revFlow(
+    predicate revFlow(
       NodeEx node, FlowState state, boolean toReturn, ApOption returnAp, Ap ap, Configuration config
     ) {
       revFlow0(node, state, toReturn, returnAp, ap, config) and
@@ -1662,7 +1661,7 @@ private module MkStage<StageSig PrevStage> {
       )
     }
 
-    additional predicate revFlow(NodeEx node, FlowState state, Configuration config) {
+    predicate revFlow(NodeEx node, FlowState state, Configuration config) {
       revFlow(node, state, _, _, _, config)
     }
 
@@ -1675,13 +1674,11 @@ private module MkStage<StageSig PrevStage> {
 
     // use an alias as a workaround for bad functionality-induced joins
     pragma[nomagic]
-    additional predicate revFlowAlias(NodeEx node, Configuration config) {
-      revFlow(node, _, _, _, _, config)
-    }
+    predicate revFlowAlias(NodeEx node, Configuration config) { revFlow(node, _, _, _, _, config) }
 
     // use an alias as a workaround for bad functionality-induced joins
     pragma[nomagic]
-    additional predicate revFlowAlias(NodeEx node, FlowState state, Ap ap, Configuration config) {
+    predicate revFlowAlias(NodeEx node, FlowState state, Ap ap, Configuration config) {
       revFlow(node, state, ap, config)
     }
 
@@ -1702,7 +1699,7 @@ private module MkStage<StageSig PrevStage> {
       )
     }
 
-    additional predicate consCand(TypedContent tc, Ap ap, Configuration config) {
+    predicate consCand(TypedContent tc, Ap ap, Configuration config) {
       revConsCand(tc, ap, config) and
       validAp(ap, config)
     }
@@ -1744,7 +1741,7 @@ private module MkStage<StageSig PrevStage> {
       )
     }
 
-    additional predicate stats(
+    predicate stats(
       boolean fwd, int nodes, int fields, int conscand, int states, int tuples, Configuration config
     ) {
       fwd = true and
@@ -2929,15 +2926,10 @@ abstract private class PathNodeImpl extends PathNode {
     result = this.getASuccessorImpl()
   }
 
-  pragma[nomagic]
-  private PathNodeImpl getANonHiddenSuccessor0() {
-    result = this.getASuccessorIfHidden*() and
-    not result.isHidden()
-  }
-
   final PathNodeImpl getANonHiddenSuccessor() {
-    result = this.getASuccessorImpl().getANonHiddenSuccessor0() and
-    not this.isHidden()
+    result = this.getASuccessorImpl().getASuccessorIfHidden*() and
+    not this.isHidden() and
+    not result.isHidden()
   }
 
   abstract NodeEx getNodeEx();

cpp/ql/lib/semmle/code/cpp/dataflow/internal/DataFlowImpl2.qll

@@ -163,9 +163,7 @@ abstract class Configuration extends string {
   /**
    * Holds if data may flow from some source to `sink` for this configuration.
    */
-  predicate hasFlowTo(Node sink) {
-    sink = any(PathNodeSink n | this = n.getConfiguration()).getNodeEx().asNode()
-  }
+  predicate hasFlowTo(Node sink) { this.hasFlow(_, sink) }
 
   /**
    * Holds if data may flow from some source to `sink` for this configuration.
@@ -560,16 +558,13 @@ private predicate expectsContentEx(NodeEx n, Content c) {
 pragma[nomagic]
 private predicate notExpectsContent(NodeEx n) { not expectsContentCached(n.asNode(), _) }
 
-pragma[nomagic]
-private predicate hasReadStep(Content c, Configuration config) { read(_, c, _, config) }
-
 pragma[nomagic]
 private predicate store(
   NodeEx node1, TypedContent tc, NodeEx node2, DataFlowType contentType, Configuration config
 ) {
   store(pragma[only_bind_into](node1.asNode()), tc, pragma[only_bind_into](node2.asNode()),
     contentType) and
-  hasReadStep(tc.getContent(), config) and
+  read(_, tc.getContent(), _, config) and
   stepFilter(node1, node2, config)
 }
 
@@ -603,9 +598,13 @@ private predicate hasSinkCallCtx(Configuration config) {
 }
 
 private module Stage1 implements StageSig {
+  class ApApprox = Unit;
+
   class Ap = Unit;
 
-  private class Cc = boolean;
+  class ApOption = Unit;
+
+  class Cc = boolean;
 
   /* Begin: Stage 1 logic. */
   /**
@@ -614,7 +613,7 @@ private module Stage1 implements StageSig {
    * The Boolean `cc` records whether the node is reached through an
    * argument in a call.
    */
-  private predicate fwdFlow(NodeEx node, Cc cc, Configuration config) {
+  predicate fwdFlow(NodeEx node, Cc cc, Configuration config) {
     sourceNode(node, _, config) and
     if hasSourceCallCtx(config) then cc = true else cc = false
     or
@@ -754,7 +753,7 @@ private module Stage1 implements StageSig {
    * the enclosing callable in order to reach a sink.
    */
   pragma[nomagic]
-  private predicate revFlow(NodeEx node, boolean toReturn, Configuration config) {
+  predicate revFlow(NodeEx node, boolean toReturn, Configuration config) {
     revFlow0(node, toReturn, config) and
     fwdFlow(node, config)
   }
@@ -838,13 +837,13 @@ private module Stage1 implements StageSig {
    * by `revFlow`.
    */
   pragma[nomagic]
-  additional predicate revFlowIsReadAndStored(Content c, Configuration conf) {
+  predicate revFlowIsReadAndStored(Content c, Configuration conf) {
     revFlowConsCand(c, conf) and
     revFlowStore(c, _, _, conf)
   }
 
   pragma[nomagic]
-  additional predicate viableReturnPosOutNodeCandFwd1(
+  predicate viableReturnPosOutNodeCandFwd1(
     DataFlowCall call, ReturnPosition pos, NodeEx out, Configuration config
   ) {
     fwdFlowReturnPosition(pos, _, config) and
@@ -860,7 +859,7 @@ private module Stage1 implements StageSig {
   }
 
   pragma[nomagic]
-  additional predicate viableParamArgNodeCandFwd1(
+  predicate viableParamArgNodeCandFwd1(
     DataFlowCall call, ParamNodeEx p, ArgNodeEx arg, Configuration config
   ) {
     viableParamArgEx(call, p, arg) and
@@ -907,7 +906,7 @@ private module Stage1 implements StageSig {
     )
   }
 
-  additional predicate revFlowState(FlowState state, Configuration config) {
+  predicate revFlowState(FlowState state, Configuration config) {
     exists(NodeEx node |
       sinkNode(node, state, config) and
       revFlow(node, _, pragma[only_bind_into](config)) and
@@ -999,7 +998,7 @@ private module Stage1 implements StageSig {
     )
   }
 
-  additional predicate stats(
+  predicate stats(
     boolean fwd, int nodes, int fields, int conscand, int states, int tuples, Configuration config
   ) {
     fwd = true and
@@ -1260,7 +1259,7 @@ private module MkStage<StageSig PrevStage> {
      * argument.
      */
     pragma[nomagic]
-    additional predicate fwdFlow(
+    predicate fwdFlow(
       NodeEx node, FlowState state, Cc cc, ApOption argAp, Ap ap, Configuration config
     ) {
       fwdFlow0(node, state, cc, argAp, ap, config) and
@@ -1484,7 +1483,7 @@ private module MkStage<StageSig PrevStage> {
      * the access path of the returned value.
      */
     pragma[nomagic]
-    additional predicate revFlow(
+    predicate revFlow(
       NodeEx node, FlowState state, boolean toReturn, ApOption returnAp, Ap ap, Configuration config
     ) {
       revFlow0(node, state, toReturn, returnAp, ap, config) and
@@ -1662,7 +1661,7 @@ private module MkStage<StageSig PrevStage> {
       )
     }
 
-    additional predicate revFlow(NodeEx node, FlowState state, Configuration config) {
+    predicate revFlow(NodeEx node, FlowState state, Configuration config) {
       revFlow(node, state, _, _, _, config)
     }
 
@@ -1675,13 +1674,11 @@ private module MkStage<StageSig PrevStage> {
 
     // use an alias as a workaround for bad functionality-induced joins
     pragma[nomagic]
-    additional predicate revFlowAlias(NodeEx node, Configuration config) {
-      revFlow(node, _, _, _, _, config)
-    }
+    predicate revFlowAlias(NodeEx node, Configuration config) { revFlow(node, _, _, _, _, config) }
 
     // use an alias as a workaround for bad functionality-induced joins
     pragma[nomagic]
-    additional predicate revFlowAlias(NodeEx node, FlowState state, Ap ap, Configuration config) {
+    predicate revFlowAlias(NodeEx node, FlowState state, Ap ap, Configuration config) {
       revFlow(node, state, ap, config)
     }
 
@@ -1702,7 +1699,7 @@ private module MkStage<StageSig PrevStage> {
       )
     }
 
-    additional predicate consCand(TypedContent tc, Ap ap, Configuration config) {
+    predicate consCand(TypedContent tc, Ap ap, Configuration config) {
       revConsCand(tc, ap, config) and
       validAp(ap, config)
     }
@@ -1744,7 +1741,7 @@ private module MkStage<StageSig PrevStage> {
       )
     }
 
-    additional predicate stats(
+    predicate stats(
       boolean fwd, int nodes, int fields, int conscand, int states, int tuples, Configuration config
     ) {
       fwd = true and
@@ -2929,15 +2926,10 @@ abstract private class PathNodeImpl extends PathNode {
     result = this.getASuccessorImpl()
   }
 
-  pragma[nomagic]
-  private PathNodeImpl getANonHiddenSuccessor0() {
-    result = this.getASuccessorIfHidden*() and
-    not result.isHidden()
-  }
-
   final PathNodeImpl getANonHiddenSuccessor() {
-    result = this.getASuccessorImpl().getANonHiddenSuccessor0() and
-    not this.isHidden()
+    result = this.getASuccessorImpl().getASuccessorIfHidden*() and
+    not this.isHidden() and
+    not result.isHidden()
   }
 
   abstract NodeEx getNodeEx();

cpp/ql/lib/semmle/code/cpp/dataflow/internal/DataFlowImpl3.qll

@@ -163,9 +163,7 @@ abstract class Configuration extends string {
   /**
    * Holds if data may flow from some source to `sink` for this configuration.
    */
-  predicate hasFlowTo(Node sink) {
-    sink = any(PathNodeSink n | this = n.getConfiguration()).getNodeEx().asNode()
-  }
+  predicate hasFlowTo(Node sink) { this.hasFlow(_, sink) }
 
   /**
    * Holds if data may flow from some source to `sink` for this configuration.
@@ -560,16 +558,13 @@ private predicate expectsContentEx(NodeEx n, Content c) {
 pragma[nomagic]
 private predicate notExpectsContent(NodeEx n) { not expectsContentCached(n.asNode(), _) }
 
-pragma[nomagic]
-private predicate hasReadStep(Content c, Configuration config) { read(_, c, _, config) }
-
 pragma[nomagic]
 private predicate store(
   NodeEx node1, TypedContent tc, NodeEx node2, DataFlowType contentType, Configuration config
 ) {
   store(pragma[only_bind_into](node1.asNode()), tc, pragma[only_bind_into](node2.asNode()),
     contentType) and
-  hasReadStep(tc.getContent(), config) and
+  read(_, tc.getContent(), _, config) and
   stepFilter(node1, node2, config)
 }
 
@@ -603,9 +598,13 @@ private predicate hasSinkCallCtx(Configuration config) {
 }
 
 private module Stage1 implements StageSig {
+  class ApApprox = Unit;
+
   class Ap = Unit;
 
-  private class Cc = boolean;
+  class ApOption = Unit;
+
+  class Cc = boolean;
 
   /* Begin: Stage 1 logic. */
   /**
@@ -614,7 +613,7 @@ private module Stage1 implements StageSig {
    * The Boolean `cc` records whether the node is reached through an
    * argument in a call.
    */
-  private predicate fwdFlow(NodeEx node, Cc cc, Configuration config) {
+  predicate fwdFlow(NodeEx node, Cc cc, Configuration config) {
     sourceNode(node, _, config) and
     if hasSourceCallCtx(config) then cc = true else cc = false
     or
@@ -754,7 +753,7 @@ private module Stage1 implements StageSig {
    * the enclosing callable in order to reach a sink.
    */
   pragma[nomagic]
-  private predicate revFlow(NodeEx node, boolean toReturn, Configuration config) {
+  predicate revFlow(NodeEx node, boolean toReturn, Configuration config) {
     revFlow0(node, toReturn, config) and
     fwdFlow(node, config)
   }
@@ -838,13 +837,13 @@ private module Stage1 implements StageSig {
    * by `revFlow`.
    */
   pragma[nomagic]
-  additional predicate revFlowIsReadAndStored(Content c, Configuration conf) {
+  predicate revFlowIsReadAndStored(Content c, Configuration conf) {
     revFlowConsCand(c, conf) and
     revFlowStore(c, _, _, conf)
   }
 
   pragma[nomagic]
-  additional predicate viableReturnPosOutNodeCandFwd1(
+  predicate viableReturnPosOutNodeCandFwd1(
     DataFlowCall call, ReturnPosition pos, NodeEx out, Configuration config
   ) {
     fwdFlowReturnPosition(pos, _, config) and
@@ -860,7 +859,7 @@ private module Stage1 implements StageSig {
   }
 
   pragma[nomagic]
-  additional predicate viableParamArgNodeCandFwd1(
+  predicate viableParamArgNodeCandFwd1(
     DataFlowCall call, ParamNodeEx p, ArgNodeEx arg, Configuration config
   ) {
     viableParamArgEx(call, p, arg) and
@@ -907,7 +906,7 @@ private module Stage1 implements StageSig {
     )
   }
 
-  additional predicate revFlowState(FlowState state, Configuration config) {
+  predicate revFlowState(FlowState state, Configuration config) {
     exists(NodeEx node |
       sinkNode(node, state, config) and
       revFlow(node, _, pragma[only_bind_into](config)) and
@@ -999,7 +998,7 @@ private module Stage1 implements StageSig {
     )
   }
 
-  additional predicate stats(
+  predicate stats(
     boolean fwd, int nodes, int fields, int conscand, int states, int tuples, Configuration config
   ) {
     fwd = true and
@@ -1260,7 +1259,7 @@ private module MkStage<StageSig PrevStage> {
      * argument.
      */
     pragma[nomagic]
-    additional predicate fwdFlow(
+    predicate fwdFlow(
       NodeEx node, FlowState state, Cc cc, ApOption argAp, Ap ap, Configuration config
     ) {
       fwdFlow0(node, state, cc, argAp, ap, config) and
@@ -1484,7 +1483,7 @@ private module MkStage<StageSig PrevStage> {
      * the access path of the returned value.
      */
     pragma[nomagic]
-    additional predicate revFlow(
+    predicate revFlow(
       NodeEx node, FlowState state, boolean toReturn, ApOption returnAp, Ap ap, Configuration config
     ) {
       revFlow0(node, state, toReturn, returnAp, ap, config) and
@@ -1662,7 +1661,7 @@ private module MkStage<StageSig PrevStage> {
       )
     }
 
-    additional predicate revFlow(NodeEx node, FlowState state, Configuration config) {
+    predicate revFlow(NodeEx node, FlowState state, Configuration config) {
       revFlow(node, state, _, _, _, config)
     }
 
@@ -1675,13 +1674,11 @@ private module MkStage<StageSig PrevStage> {
 
     // use an alias as a workaround for bad functionality-induced joins
     pragma[nomagic]
-    additional predicate revFlowAlias(NodeEx node, Configuration config) {
-      revFlow(node, _, _, _, _, config)
-    }
+    predicate revFlowAlias(NodeEx node, Configuration config) { revFlow(node, _, _, _, _, config) }
 
     // use an alias as a workaround for bad functionality-induced joins
     pragma[nomagic]
-    additional predicate revFlowAlias(NodeEx node, FlowState state, Ap ap, Configuration config) {
+    predicate revFlowAlias(NodeEx node, FlowState state, Ap ap, Configuration config) {
       revFlow(node, state, ap, config)
     }
 
@@ -1702,7 +1699,7 @@ private module MkStage<StageSig PrevStage> {
       )
     }
 
-    additional predicate consCand(TypedContent tc, Ap ap, Configuration config) {
+    predicate consCand(TypedContent tc, Ap ap, Configuration config) {
       revConsCand(tc, ap, config) and
       validAp(ap, config)
     }
@@ -1744,7 +1741,7 @@ private module MkStage<StageSig PrevStage> {
       )
     }
 
-    additional predicate stats(
+    predicate stats(
       boolean fwd, int nodes, int fields, int conscand, int states, int tuples, Configuration config
     ) {
       fwd = true and
@@ -2929,15 +2926,10 @@ abstract private class PathNodeImpl extends PathNode {
     result = this.getASuccessorImpl()
   }
 
-  pragma[nomagic]
-  private PathNodeImpl getANonHiddenSuccessor0() {
-    result = this.getASuccessorIfHidden*() and
-    not result.isHidden()
-  }
-
   final PathNodeImpl getANonHiddenSuccessor() {
-    result = this.getASuccessorImpl().getANonHiddenSuccessor0() and
-    not this.isHidden()
+    result = this.getASuccessorImpl().getASuccessorIfHidden*() and
+    not this.isHidden() and
+    not result.isHidden()
   }
 
   abstract NodeEx getNodeEx();

cpp/ql/lib/semmle/code/cpp/dataflow/internal/DataFlowImpl4.qll

@@ -163,9 +163,7 @@ abstract class Configuration extends string {
   /**
    * Holds if data may flow from some source to `sink` for this configuration.
    */
-  predicate hasFlowTo(Node sink) {
-    sink = any(PathNodeSink n | this = n.getConfiguration()).getNodeEx().asNode()
-  }
+  predicate hasFlowTo(Node sink) { this.hasFlow(_, sink) }
 
   /**
    * Holds if data may flow from some source to `sink` for this configuration.
@@ -560,16 +558,13 @@ private predicate expectsContentEx(NodeEx n, Content c) {
 pragma[nomagic]
 private predicate notExpectsContent(NodeEx n) { not expectsContentCached(n.asNode(), _) }
 
-pragma[nomagic]
-private predicate hasReadStep(Content c, Configuration config) { read(_, c, _, config) }
-
 pragma[nomagic]
 private predicate store(
   NodeEx node1, TypedContent tc, NodeEx node2, DataFlowType contentType, Configuration config
 ) {
   store(pragma[only_bind_into](node1.asNode()), tc, pragma[only_bind_into](node2.asNode()),
     contentType) and
-  hasReadStep(tc.getContent(), config) and
+  read(_, tc.getContent(), _, config) and
   stepFilter(node1, node2, config)
 }
 
@@ -603,9 +598,13 @@ private predicate hasSinkCallCtx(Configuration config) {
 }
 
 private module Stage1 implements StageSig {
+  class ApApprox = Unit;
+
   class Ap = Unit;
 
-  private class Cc = boolean;
+  class ApOption = Unit;
+
+  class Cc = boolean;
 
   /* Begin: Stage 1 logic. */
   /**
@@ -614,7 +613,7 @@ private module Stage1 implements StageSig {
    * The Boolean `cc` records whether the node is reached through an
    * argument in a call.
    */
-  private predicate fwdFlow(NodeEx node, Cc cc, Configuration config) {
+  predicate fwdFlow(NodeEx node, Cc cc, Configuration config) {
     sourceNode(node, _, config) and
     if hasSourceCallCtx(config) then cc = true else cc = false
     or
@@ -754,7 +753,7 @@ private module Stage1 implements StageSig {
    * the enclosing callable in order to reach a sink.
    */
   pragma[nomagic]
-  private predicate revFlow(NodeEx node, boolean toReturn, Configuration config) {
+  predicate revFlow(NodeEx node, boolean toReturn, Configuration config) {
     revFlow0(node, toReturn, config) and
     fwdFlow(node, config)
   }
@@ -838,13 +837,13 @@ private module Stage1 implements StageSig {
    * by `revFlow`.
    */
   pragma[nomagic]
-  additional predicate revFlowIsReadAndStored(Content c, Configuration conf) {
+  predicate revFlowIsReadAndStored(Content c, Configuration conf) {
     revFlowConsCand(c, conf) and
     revFlowStore(c, _, _, conf)
   }
 
   pragma[nomagic]
-  additional predicate viableReturnPosOutNodeCandFwd1(
+  predicate viableReturnPosOutNodeCandFwd1(
     DataFlowCall call, ReturnPosition pos, NodeEx out, Configuration config
   ) {
     fwdFlowReturnPosition(pos, _, config) and
@@ -860,7 +859,7 @@ private module Stage1 implements StageSig {
   }
 
   pragma[nomagic]
-  additional predicate viableParamArgNodeCandFwd1(
+  predicate viableParamArgNodeCandFwd1(
     DataFlowCall call, ParamNodeEx p, ArgNodeEx arg, Configuration config
   ) {
     viableParamArgEx(call, p, arg) and
@@ -907,7 +906,7 @@ private module Stage1 implements StageSig {
     )
   }
 
-  additional predicate revFlowState(FlowState state, Configuration config) {
+  predicate revFlowState(FlowState state, Configuration config) {
     exists(NodeEx node |
       sinkNode(node, state, config) and
       revFlow(node, _, pragma[only_bind_into](config)) and
@@ -999,7 +998,7 @@ private module Stage1 implements StageSig {
     )
   }
 
-  additional predicate stats(
+  predicate stats(
     boolean fwd, int nodes, int fields, int conscand, int states, int tuples, Configuration config
   ) {
     fwd = true and
@@ -1260,7 +1259,7 @@ private module MkStage<StageSig PrevStage> {
      * argument.
      */
     pragma[nomagic]
-    additional predicate fwdFlow(
+    predicate fwdFlow(
       NodeEx node, FlowState state, Cc cc, ApOption argAp, Ap ap, Configuration config
     ) {
       fwdFlow0(node, state, cc, argAp, ap, config) and
@@ -1484,7 +1483,7 @@ private module MkStage<StageSig PrevStage> {
      * the access path of the returned value.
      */
     pragma[nomagic]
-    additional predicate revFlow(
+    predicate revFlow(
       NodeEx node, FlowState state, boolean toReturn, ApOption returnAp, Ap ap, Configuration config
     ) {
       revFlow0(node, state, toReturn, returnAp, ap, config) and
@@ -1662,7 +1661,7 @@ private module MkStage<StageSig PrevStage> {
       )
     }
 
-    additional predicate revFlow(NodeEx node, FlowState state, Configuration config) {
+    predicate revFlow(NodeEx node, FlowState state, Configuration config) {
       revFlow(node, state, _, _, _, config)
     }
 
@@ -1675,13 +1674,11 @@ private module MkStage<StageSig PrevStage> {
 
     // use an alias as a workaround for bad functionality-induced joins
     pragma[nomagic]
-    additional predicate revFlowAlias(NodeEx node, Configuration config) {
-      revFlow(node, _, _, _, _, config)
-    }
+    predicate revFlowAlias(NodeEx node, Configuration config) { revFlow(node, _, _, _, _, config) }
 
     // use an alias as a workaround for bad functionality-induced joins
     pragma[nomagic]
-    additional predicate revFlowAlias(NodeEx node, FlowState state, Ap ap, Configuration config) {
+    predicate revFlowAlias(NodeEx node, FlowState state, Ap ap, Configuration config) {
       revFlow(node, state, ap, config)
     }
 
@@ -1702,7 +1699,7 @@ private module MkStage<StageSig PrevStage> {
       )
     }
 
-    additional predicate consCand(TypedContent tc, Ap ap, Configuration config) {
+    predicate consCand(TypedContent tc, Ap ap, Configuration config) {
       revConsCand(tc, ap, config) and
       validAp(ap, config)
     }
@@ -1744,7 +1741,7 @@ private module MkStage<StageSig PrevStage> {
       )
     }
 
-    additional predicate stats(
+    predicate stats(
       boolean fwd, int nodes, int fields, int conscand, int states, int tuples, Configuration config
     ) {
       fwd = true and
@@ -2929,15 +2926,10 @@ abstract private class PathNodeImpl extends PathNode {
     result = this.getASuccessorImpl()
   }
 
-  pragma[nomagic]
-  private PathNodeImpl getANonHiddenSuccessor0() {
-    result = this.getASuccessorIfHidden*() and
-    not result.isHidden()
-  }
-
   final PathNodeImpl getANonHiddenSuccessor() {
-    result = this.getASuccessorImpl().getANonHiddenSuccessor0() and
-    not this.isHidden()
+    result = this.getASuccessorImpl().getASuccessorIfHidden*() and
+    not this.isHidden() and
+    not result.isHidden()
   }
 
   abstract NodeEx getNodeEx();

cpp/ql/lib/semmle/code/cpp/dataflow/internal/DataFlowImplLocal.qll

@@ -163,9 +163,7 @@ abstract class Configuration extends string {
   /**
    * Holds if data may flow from some source to `sink` for this configuration.
    */
-  predicate hasFlowTo(Node sink) {
-    sink = any(PathNodeSink n | this = n.getConfiguration()).getNodeEx().asNode()
-  }
+  predicate hasFlowTo(Node sink) { this.hasFlow(_, sink) }
 
   /**
    * Holds if data may flow from some source to `sink` for this configuration.
@@ -560,16 +558,13 @@ private predicate expectsContentEx(NodeEx n, Content c) {
 pragma[nomagic]
 private predicate notExpectsContent(NodeEx n) { not expectsContentCached(n.asNode(), _) }
 
-pragma[nomagic]
-private predicate hasReadStep(Content c, Configuration config) { read(_, c, _, config) }
-
 pragma[nomagic]
 private predicate store(
   NodeEx node1, TypedContent tc, NodeEx node2, DataFlowType contentType, Configuration config
 ) {
   store(pragma[only_bind_into](node1.asNode()), tc, pragma[only_bind_into](node2.asNode()),
     contentType) and
-  hasReadStep(tc.getContent(), config) and
+  read(_, tc.getContent(), _, config) and
   stepFilter(node1, node2, config)
 }
 
@@ -603,9 +598,13 @@ private predicate hasSinkCallCtx(Configuration config) {
 }
 
 private module Stage1 implements StageSig {
+  class ApApprox = Unit;
+
   class Ap = Unit;
 
-  private class Cc = boolean;
+  class ApOption = Unit;
+
+  class Cc = boolean;
 
   /* Begin: Stage 1 logic. */
   /**
@@ -614,7 +613,7 @@ private module Stage1 implements StageSig {
    * The Boolean `cc` records whether the node is reached through an
    * argument in a call.
    */
-  private predicate fwdFlow(NodeEx node, Cc cc, Configuration config) {
+  predicate fwdFlow(NodeEx node, Cc cc, Configuration config) {
     sourceNode(node, _, config) and
     if hasSourceCallCtx(config) then cc = true else cc = false
     or
@@ -754,7 +753,7 @@ private module Stage1 implements StageSig {
    * the enclosing callable in order to reach a sink.
    */
   pragma[nomagic]
-  private predicate revFlow(NodeEx node, boolean toReturn, Configuration config) {
+  predicate revFlow(NodeEx node, boolean toReturn, Configuration config) {
     revFlow0(node, toReturn, config) and
     fwdFlow(node, config)
   }
@@ -838,13 +837,13 @@ private module Stage1 implements StageSig {
    * by `revFlow`.
    */
   pragma[nomagic]
-  additional predicate revFlowIsReadAndStored(Content c, Configuration conf) {
+  predicate revFlowIsReadAndStored(Content c, Configuration conf) {
     revFlowConsCand(c, conf) and
     revFlowStore(c, _, _, conf)
   }
 
   pragma[nomagic]
-  additional predicate viableReturnPosOutNodeCandFwd1(
+  predicate viableReturnPosOutNodeCandFwd1(
     DataFlowCall call, ReturnPosition pos, NodeEx out, Configuration config
   ) {
     fwdFlowReturnPosition(pos, _, config) and
@@ -860,7 +859,7 @@ private module Stage1 implements StageSig {
   }
 
   pragma[nomagic]
-  additional predicate viableParamArgNodeCandFwd1(
+  predicate viableParamArgNodeCandFwd1(
     DataFlowCall call, ParamNodeEx p, ArgNodeEx arg, Configuration config
   ) {
     viableParamArgEx(call, p, arg) and
@@ -907,7 +906,7 @@ private module Stage1 implements StageSig {
     )
   }
 
-  additional predicate revFlowState(FlowState state, Configuration config) {
+  predicate revFlowState(FlowState state, Configuration config) {
     exists(NodeEx node |
       sinkNode(node, state, config) and
       revFlow(node, _, pragma[only_bind_into](config)) and
@@ -999,7 +998,7 @@ private module Stage1 implements StageSig {
     )
   }
 
-  additional predicate stats(
+  predicate stats(
     boolean fwd, int nodes, int fields, int conscand, int states, int tuples, Configuration config
   ) {
     fwd = true and
@@ -1260,7 +1259,7 @@ private module MkStage<StageSig PrevStage> {
      * argument.
      */
     pragma[nomagic]
-    additional predicate fwdFlow(
+    predicate fwdFlow(
       NodeEx node, FlowState state, Cc cc, ApOption argAp, Ap ap, Configuration config
     ) {
       fwdFlow0(node, state, cc, argAp, ap, config) and
@@ -1484,7 +1483,7 @@ private module MkStage<StageSig PrevStage> {
      * the access path of the returned value.
      */
     pragma[nomagic]
-    additional predicate revFlow(
+    predicate revFlow(
       NodeEx node, FlowState state, boolean toReturn, ApOption returnAp, Ap ap, Configuration config
     ) {
       revFlow0(node, state, toReturn, returnAp, ap, config) and
@@ -1662,7 +1661,7 @@ private module MkStage<StageSig PrevStage> {
       )
     }
 
-    additional predicate revFlow(NodeEx node, FlowState state, Configuration config) {
+    predicate revFlow(NodeEx node, FlowState state, Configuration config) {
       revFlow(node, state, _, _, _, config)
     }
 
@@ -1675,13 +1674,11 @@ private module MkStage<StageSig PrevStage> {
 
     // use an alias as a workaround for bad functionality-induced joins
     pragma[nomagic]
-    additional predicate revFlowAlias(NodeEx node, Configuration config) {
-      revFlow(node, _, _, _, _, config)
-    }
+    predicate revFlowAlias(NodeEx node, Configuration config) { revFlow(node, _, _, _, _, config) }
 
     // use an alias as a workaround for bad functionality-induced joins
     pragma[nomagic]
-    additional predicate revFlowAlias(NodeEx node, FlowState state, Ap ap, Configuration config) {
+    predicate revFlowAlias(NodeEx node, FlowState state, Ap ap, Configuration config) {
       revFlow(node, state, ap, config)
     }
 
@@ -1702,7 +1699,7 @@ private module MkStage<StageSig PrevStage> {
       )
     }
 
-    additional predicate consCand(TypedContent tc, Ap ap, Configuration config) {
+    predicate consCand(TypedContent tc, Ap ap, Configuration config) {
       revConsCand(tc, ap, config) and
       validAp(ap, config)
     }
@@ -1744,7 +1741,7 @@ private module MkStage<StageSig PrevStage> {
       )
     }
 
-    additional predicate stats(
+    predicate stats(
       boolean fwd, int nodes, int fields, int conscand, int states, int tuples, Configuration config
     ) {
       fwd = true and
@@ -2929,15 +2926,10 @@ abstract private class PathNodeImpl extends PathNode {
     result = this.getASuccessorImpl()
   }
 
-  pragma[nomagic]
-  private PathNodeImpl getANonHiddenSuccessor0() {
-    result = this.getASuccessorIfHidden*() and
-    not result.isHidden()
-  }
-
   final PathNodeImpl getANonHiddenSuccessor() {
-    result = this.getASuccessorImpl().getANonHiddenSuccessor0() and
-    not this.isHidden()
+    result = this.getASuccessorImpl().getASuccessorIfHidden*() and
+    not this.isHidden() and
+    not result.isHidden()
   }
 
   abstract NodeEx getNodeEx();

cpp/ql/lib/semmle/code/cpp/exprs/BuiltInOperations.qll

@@ -1137,7 +1137,7 @@ class BuiltInOperationIsArray extends BuiltInOperation, @isarray {
  * A C++ `__array_rank` built-in operation (used by some implementations of the
  * `<type_traits>` header).
  *
- * If known, returns the number of dimensions of an arrary type.
+ * If known, returns the number of dimentsions of an arrary type.
  * ```
  * template<typename _Tp>
  *   struct rank

cpp/ql/lib/semmle/code/cpp/exprs/Call.qll

@@ -494,7 +494,7 @@ class VacuousDestructorCall extends Expr, @vacuous_destructor_call {
  * An initialization of a base class or member variable performed as part
  * of a constructor's explicit initializer list or implicit actions.
  *
- * This is a QL root class for representing various types of constructor
+ * This is a QL root class for reprenting various types of constructor
  * initializations.
  */
 class ConstructorInit extends Expr, @ctorinit {

cpp/ql/lib/semmle/code/cpp/exprs/Cast.qll

@@ -779,7 +779,7 @@ class AlignofExprOperator extends AlignofOperator {
 /**
  * A C++11 `alignof` expression whose operand is a type name.
  * ```
- * bool proper_alignment = (alignof(T) == alignof(T[0]);
+ * bool proper_alignment = (alingof(T) == alignof(T[0]);
  * ```
  */
 class AlignofTypeOperator extends AlignofOperator {

cpp/ql/lib/semmle/code/cpp/exprs/Expr.qll

@@ -451,7 +451,7 @@ class Expr extends StmtParent, @expr {
     // For performance, we avoid a full transitive closure over `getConversion`.
     // Since there can be several implicit conversions before and after an
     // explicit conversion, use `getImplicitlyConverted` to step over them
-    // cheaply. Then, if there is an explicit conversion following the implicit
+    // cheaply. Then, if there is an explicit conversion following the implict
     // conversion sequence, recurse to handle multiple explicit conversions.
     if this.getImplicitlyConverted().hasExplicitConversion()
     then result = this.getImplicitlyConverted().getConversion().getExplicitlyConverted()

cpp/ql/lib/semmle/code/cpp/ir/dataflow/internal/DataFlowImpl.qll

@@ -163,9 +163,7 @@ abstract class Configuration extends string {
   /**
    * Holds if data may flow from some source to `sink` for this configuration.
    */
-  predicate hasFlowTo(Node sink) {
-    sink = any(PathNodeSink n | this = n.getConfiguration()).getNodeEx().asNode()
-  }
+  predicate hasFlowTo(Node sink) { this.hasFlow(_, sink) }
 
   /**
    * Holds if data may flow from some source to `sink` for this configuration.
@@ -560,16 +558,13 @@ private predicate expectsContentEx(NodeEx n, Content c) {
 pragma[nomagic]
 private predicate notExpectsContent(NodeEx n) { not expectsContentCached(n.asNode(), _) }
 
-pragma[nomagic]
-private predicate hasReadStep(Content c, Configuration config) { read(_, c, _, config) }
-
 pragma[nomagic]
 private predicate store(
   NodeEx node1, TypedContent tc, NodeEx node2, DataFlowType contentType, Configuration config
 ) {
   store(pragma[only_bind_into](node1.asNode()), tc, pragma[only_bind_into](node2.asNode()),
     contentType) and
-  hasReadStep(tc.getContent(), config) and
+  read(_, tc.getContent(), _, config) and
   stepFilter(node1, node2, config)
 }
 
@@ -603,9 +598,13 @@ private predicate hasSinkCallCtx(Configuration config) {
 }
 
 private module Stage1 implements StageSig {
+  class ApApprox = Unit;
+
   class Ap = Unit;
 
-  private class Cc = boolean;
+  class ApOption = Unit;
+
+  class Cc = boolean;
 
   /* Begin: Stage 1 logic. */
   /**
@@ -614,7 +613,7 @@ private module Stage1 implements StageSig {
    * The Boolean `cc` records whether the node is reached through an
    * argument in a call.
    */
-  private predicate fwdFlow(NodeEx node, Cc cc, Configuration config) {
+  predicate fwdFlow(NodeEx node, Cc cc, Configuration config) {
     sourceNode(node, _, config) and
     if hasSourceCallCtx(config) then cc = true else cc = false
     or
@@ -754,7 +753,7 @@ private module Stage1 implements StageSig {
    * the enclosing callable in order to reach a sink.
    */
   pragma[nomagic]
-  private predicate revFlow(NodeEx node, boolean toReturn, Configuration config) {
+  predicate revFlow(NodeEx node, boolean toReturn, Configuration config) {
     revFlow0(node, toReturn, config) and
     fwdFlow(node, config)
   }
@@ -838,13 +837,13 @@ private module Stage1 implements StageSig {
    * by `revFlow`.
    */
   pragma[nomagic]
-  additional predicate revFlowIsReadAndStored(Content c, Configuration conf) {
+  predicate revFlowIsReadAndStored(Content c, Configuration conf) {
     revFlowConsCand(c, conf) and
     revFlowStore(c, _, _, conf)
   }
 
   pragma[nomagic]
-  additional predicate viableReturnPosOutNodeCandFwd1(
+  predicate viableReturnPosOutNodeCandFwd1(
     DataFlowCall call, ReturnPosition pos, NodeEx out, Configuration config
   ) {
     fwdFlowReturnPosition(pos, _, config) and
@@ -860,7 +859,7 @@ private module Stage1 implements StageSig {
   }
 
   pragma[nomagic]
-  additional predicate viableParamArgNodeCandFwd1(
+  predicate viableParamArgNodeCandFwd1(
     DataFlowCall call, ParamNodeEx p, ArgNodeEx arg, Configuration config
   ) {
     viableParamArgEx(call, p, arg) and
@@ -907,7 +906,7 @@ private module Stage1 implements StageSig {
     )
   }
 
-  additional predicate revFlowState(FlowState state, Configuration config) {
+  predicate revFlowState(FlowState state, Configuration config) {
     exists(NodeEx node |
       sinkNode(node, state, config) and
       revFlow(node, _, pragma[only_bind_into](config)) and
@@ -999,7 +998,7 @@ private module Stage1 implements StageSig {
     )
   }
 
-  additional predicate stats(
+  predicate stats(
     boolean fwd, int nodes, int fields, int conscand, int states, int tuples, Configuration config
   ) {
     fwd = true and
@@ -1260,7 +1259,7 @@ private module MkStage<StageSig PrevStage> {
      * argument.
      */
     pragma[nomagic]
-    additional predicate fwdFlow(
+    predicate fwdFlow(
       NodeEx node, FlowState state, Cc cc, ApOption argAp, Ap ap, Configuration config
     ) {
       fwdFlow0(node, state, cc, argAp, ap, config) and
@@ -1484,7 +1483,7 @@ private module MkStage<StageSig PrevStage> {
      * the access path of the returned value.
      */
     pragma[nomagic]
-    additional predicate revFlow(
+    predicate revFlow(
       NodeEx node, FlowState state, boolean toReturn, ApOption returnAp, Ap ap, Configuration config
     ) {
       revFlow0(node, state, toReturn, returnAp, ap, config) and
@@ -1662,7 +1661,7 @@ private module MkStage<StageSig PrevStage> {
       )
     }
 
-    additional predicate revFlow(NodeEx node, FlowState state, Configuration config) {
+    predicate revFlow(NodeEx node, FlowState state, Configuration config) {
       revFlow(node, state, _, _, _, config)
     }
 
@@ -1675,13 +1674,11 @@ private module MkStage<StageSig PrevStage> {
 
     // use an alias as a workaround for bad functionality-induced joins
     pragma[nomagic]
-    additional predicate revFlowAlias(NodeEx node, Configuration config) {
-      revFlow(node, _, _, _, _, config)
-    }
+    predicate revFlowAlias(NodeEx node, Configuration config) { revFlow(node, _, _, _, _, config) }
 
     // use an alias as a workaround for bad functionality-induced joins
     pragma[nomagic]
-    additional predicate revFlowAlias(NodeEx node, FlowState state, Ap ap, Configuration config) {
+    predicate revFlowAlias(NodeEx node, FlowState state, Ap ap, Configuration config) {
       revFlow(node, state, ap, config)
     }
 
@@ -1702,7 +1699,7 @@ private module MkStage<StageSig PrevStage> {
       )
     }
 
-    additional predicate consCand(TypedContent tc, Ap ap, Configuration config) {
+    predicate consCand(TypedContent tc, Ap ap, Configuration config) {
       revConsCand(tc, ap, config) and
       validAp(ap, config)
     }
@@ -1744,7 +1741,7 @@ private module MkStage<StageSig PrevStage> {
       )
     }
 
-    additional predicate stats(
+    predicate stats(
       boolean fwd, int nodes, int fields, int conscand, int states, int tuples, Configuration config
     ) {
       fwd = true and
@@ -2929,15 +2926,10 @@ abstract private class PathNodeImpl extends PathNode {
     result = this.getASuccessorImpl()
   }
 
-  pragma[nomagic]
-  private PathNodeImpl getANonHiddenSuccessor0() {
-    result = this.getASuccessorIfHidden*() and
-    not result.isHidden()
-  }
-
   final PathNodeImpl getANonHiddenSuccessor() {
-    result = this.getASuccessorImpl().getANonHiddenSuccessor0() and
-    not this.isHidden()
+    result = this.getASuccessorImpl().getASuccessorIfHidden*() and
+    not this.isHidden() and
+    not result.isHidden()
   }
 
   abstract NodeEx getNodeEx();

cpp/ql/lib/semmle/code/cpp/ir/dataflow/internal/DataFlowImpl2.qll

@@ -163,9 +163,7 @@ abstract class Configuration extends string {
   /**
    * Holds if data may flow from some source to `sink` for this configuration.
    */
-  predicate hasFlowTo(Node sink) {
-    sink = any(PathNodeSink n | this = n.getConfiguration()).getNodeEx().asNode()
-  }
+  predicate hasFlowTo(Node sink) { this.hasFlow(_, sink) }
 
   /**
    * Holds if data may flow from some source to `sink` for this configuration.
@@ -560,16 +558,13 @@ private predicate expectsContentEx(NodeEx n, Content c) {
 pragma[nomagic]
 private predicate notExpectsContent(NodeEx n) { not expectsContentCached(n.asNode(), _) }
 
-pragma[nomagic]
-private predicate hasReadStep(Content c, Configuration config) { read(_, c, _, config) }
-
 pragma[nomagic]
 private predicate store(
   NodeEx node1, TypedContent tc, NodeEx node2, DataFlowType contentType, Configuration config
 ) {
   store(pragma[only_bind_into](node1.asNode()), tc, pragma[only_bind_into](node2.asNode()),
     contentType) and
-  hasReadStep(tc.getContent(), config) and
+  read(_, tc.getContent(), _, config) and
   stepFilter(node1, node2, config)
 }
 
@@ -603,9 +598,13 @@ private predicate hasSinkCallCtx(Configuration config) {
 }
 
 private module Stage1 implements StageSig {
+  class ApApprox = Unit;
+
   class Ap = Unit;
 
-  private class Cc = boolean;
+  class ApOption = Unit;
+
+  class Cc = boolean;
 
   /* Begin: Stage 1 logic. */
   /**
@@ -614,7 +613,7 @@ private module Stage1 implements StageSig {
    * The Boolean `cc` records whether the node is reached through an
    * argument in a call.
    */
-  private predicate fwdFlow(NodeEx node, Cc cc, Configuration config) {
+  predicate fwdFlow(NodeEx node, Cc cc, Configuration config) {
     sourceNode(node, _, config) and
     if hasSourceCallCtx(config) then cc = true else cc = false
     or
@@ -754,7 +753,7 @@ private module Stage1 implements StageSig {
    * the enclosing callable in order to reach a sink.
    */
   pragma[nomagic]
-  private predicate revFlow(NodeEx node, boolean toReturn, Configuration config) {
+  predicate revFlow(NodeEx node, boolean toReturn, Configuration config) {
     revFlow0(node, toReturn, config) and
     fwdFlow(node, config)
   }
@@ -838,13 +837,13 @@ private module Stage1 implements StageSig {
    * by `revFlow`.
    */
   pragma[nomagic]
-  additional predicate revFlowIsReadAndStored(Content c, Configuration conf) {
+  predicate revFlowIsReadAndStored(Content c, Configuration conf) {
     revFlowConsCand(c, conf) and
     revFlowStore(c, _, _, conf)
   }
 
   pragma[nomagic]
-  additional predicate viableReturnPosOutNodeCandFwd1(
+  predicate viableReturnPosOutNodeCandFwd1(
     DataFlowCall call, ReturnPosition pos, NodeEx out, Configuration config
   ) {
     fwdFlowReturnPosition(pos, _, config) and
@@ -860,7 +859,7 @@ private module Stage1 implements StageSig {
   }
 
   pragma[nomagic]
-  additional predicate viableParamArgNodeCandFwd1(
+  predicate viableParamArgNodeCandFwd1(
     DataFlowCall call, ParamNodeEx p, ArgNodeEx arg, Configuration config
   ) {
     viableParamArgEx(call, p, arg) and
@@ -907,7 +906,7 @@ private module Stage1 implements StageSig {
     )
   }
 
-  additional predicate revFlowState(FlowState state, Configuration config) {
+  predicate revFlowState(FlowState state, Configuration config) {
     exists(NodeEx node |
       sinkNode(node, state, config) and
       revFlow(node, _, pragma[only_bind_into](config)) and
@@ -999,7 +998,7 @@ private module Stage1 implements StageSig {
     )
   }
 
-  additional predicate stats(
+  predicate stats(
     boolean fwd, int nodes, int fields, int conscand, int states, int tuples, Configuration config
   ) {
     fwd = true and
@@ -1260,7 +1259,7 @@ private module MkStage<StageSig PrevStage> {
      * argument.
      */
     pragma[nomagic]
-    additional predicate fwdFlow(
+    predicate fwdFlow(
       NodeEx node, FlowState state, Cc cc, ApOption argAp, Ap ap, Configuration config
     ) {
       fwdFlow0(node, state, cc, argAp, ap, config) and
@@ -1484,7 +1483,7 @@ private module MkStage<StageSig PrevStage> {
      * the access path of the returned value.
      */
     pragma[nomagic]
-    additional predicate revFlow(
+    predicate revFlow(
       NodeEx node, FlowState state, boolean toReturn, ApOption returnAp, Ap ap, Configuration config
     ) {
       revFlow0(node, state, toReturn, returnAp, ap, config) and
@@ -1662,7 +1661,7 @@ private module MkStage<StageSig PrevStage> {
       )
     }
 
-    additional predicate revFlow(NodeEx node, FlowState state, Configuration config) {
+    predicate revFlow(NodeEx node, FlowState state, Configuration config) {
       revFlow(node, state, _, _, _, config)
     }
 
@@ -1675,13 +1674,11 @@ private module MkStage<StageSig PrevStage> {
 
     // use an alias as a workaround for bad functionality-induced joins
     pragma[nomagic]
-    additional predicate revFlowAlias(NodeEx node, Configuration config) {
-      revFlow(node, _, _, _, _, config)
-    }
+    predicate revFlowAlias(NodeEx node, Configuration config) { revFlow(node, _, _, _, _, config) }
 
     // use an alias as a workaround for bad functionality-induced joins
     pragma[nomagic]
-    additional predicate revFlowAlias(NodeEx node, FlowState state, Ap ap, Configuration config) {
+    predicate revFlowAlias(NodeEx node, FlowState state, Ap ap, Configuration config) {
       revFlow(node, state, ap, config)
     }
 
@@ -1702,7 +1699,7 @@ private module MkStage<StageSig PrevStage> {
       )
     }
 
-    additional predicate consCand(TypedContent tc, Ap ap, Configuration config) {
+    predicate consCand(TypedContent tc, Ap ap, Configuration config) {
       revConsCand(tc, ap, config) and
       validAp(ap, config)
     }
@@ -1744,7 +1741,7 @@ private module MkStage<StageSig PrevStage> {
       )
     }
 
-    additional predicate stats(
+    predicate stats(
       boolean fwd, int nodes, int fields, int conscand, int states, int tuples, Configuration config
     ) {
       fwd = true and
@@ -2929,15 +2926,10 @@ abstract private class PathNodeImpl extends PathNode {
     result = this.getASuccessorImpl()
   }
 
-  pragma[nomagic]
-  private PathNodeImpl getANonHiddenSuccessor0() {
-    result = this.getASuccessorIfHidden*() and
-    not result.isHidden()
-  }
-
   final PathNodeImpl getANonHiddenSuccessor() {
-    result = this.getASuccessorImpl().getANonHiddenSuccessor0() and
-    not this.isHidden()
+    result = this.getASuccessorImpl().getASuccessorIfHidden*() and
+    not this.isHidden() and
+    not result.isHidden()
   }
 
   abstract NodeEx getNodeEx();

cpp/ql/lib/semmle/code/cpp/ir/dataflow/internal/DataFlowImpl3.qll

@@ -163,9 +163,7 @@ abstract class Configuration extends string {
   /**
    * Holds if data may flow from some source to `sink` for this configuration.
    */
-  predicate hasFlowTo(Node sink) {
-    sink = any(PathNodeSink n | this = n.getConfiguration()).getNodeEx().asNode()
-  }
+  predicate hasFlowTo(Node sink) { this.hasFlow(_, sink) }
 
   /**
    * Holds if data may flow from some source to `sink` for this configuration.
@@ -560,16 +558,13 @@ private predicate expectsContentEx(NodeEx n, Content c) {
 pragma[nomagic]
 private predicate notExpectsContent(NodeEx n) { not expectsContentCached(n.asNode(), _) }
 
-pragma[nomagic]
-private predicate hasReadStep(Content c, Configuration config) { read(_, c, _, config) }
-
 pragma[nomagic]
 private predicate store(
   NodeEx node1, TypedContent tc, NodeEx node2, DataFlowType contentType, Configuration config
 ) {
   store(pragma[only_bind_into](node1.asNode()), tc, pragma[only_bind_into](node2.asNode()),
     contentType) and
-  hasReadStep(tc.getContent(), config) and
+  read(_, tc.getContent(), _, config) and
   stepFilter(node1, node2, config)
 }
 
@@ -603,9 +598,13 @@ private predicate hasSinkCallCtx(Configuration config) {
 }
 
 private module Stage1 implements StageSig {
+  class ApApprox = Unit;
+
   class Ap = Unit;
 
-  private class Cc = boolean;
+  class ApOption = Unit;
+
+  class Cc = boolean;
 
   /* Begin: Stage 1 logic. */
   /**
@@ -614,7 +613,7 @@ private module Stage1 implements StageSig {
    * The Boolean `cc` records whether the node is reached through an
    * argument in a call.
    */
-  private predicate fwdFlow(NodeEx node, Cc cc, Configuration config) {
+  predicate fwdFlow(NodeEx node, Cc cc, Configuration config) {
     sourceNode(node, _, config) and
     if hasSourceCallCtx(config) then cc = true else cc = false
     or
@@ -754,7 +753,7 @@ private module Stage1 implements StageSig {
    * the enclosing callable in order to reach a sink.
    */
   pragma[nomagic]
-  private predicate revFlow(NodeEx node, boolean toReturn, Configuration config) {
+  predicate revFlow(NodeEx node, boolean toReturn, Configuration config) {
     revFlow0(node, toReturn, config) and
     fwdFlow(node, config)
   }
@@ -838,13 +837,13 @@ private module Stage1 implements StageSig {
    * by `revFlow`.
    */
   pragma[nomagic]
-  additional predicate revFlowIsReadAndStored(Content c, Configuration conf) {
+  predicate revFlowIsReadAndStored(Content c, Configuration conf) {
     revFlowConsCand(c, conf) and
     revFlowStore(c, _, _, conf)
   }
 
   pragma[nomagic]
-  additional predicate viableReturnPosOutNodeCandFwd1(
+  predicate viableReturnPosOutNodeCandFwd1(
     DataFlowCall call, ReturnPosition pos, NodeEx out, Configuration config
   ) {
     fwdFlowReturnPosition(pos, _, config) and
@@ -860,7 +859,7 @@ private module Stage1 implements StageSig {
   }
 
   pragma[nomagic]
-  additional predicate viableParamArgNodeCandFwd1(
+  predicate viableParamArgNodeCandFwd1(
     DataFlowCall call, ParamNodeEx p, ArgNodeEx arg, Configuration config
   ) {
     viableParamArgEx(call, p, arg) and
@@ -907,7 +906,7 @@ private module Stage1 implements StageSig {
     )
   }
 
-  additional predicate revFlowState(FlowState state, Configuration config) {
+  predicate revFlowState(FlowState state, Configuration config) {
     exists(NodeEx node |
       sinkNode(node, state, config) and
       revFlow(node, _, pragma[only_bind_into](config)) and
@@ -999,7 +998,7 @@ private module Stage1 implements StageSig {
     )
   }
 
-  additional predicate stats(
+  predicate stats(
     boolean fwd, int nodes, int fields, int conscand, int states, int tuples, Configuration config
   ) {
     fwd = true and
@@ -1260,7 +1259,7 @@ private module MkStage<StageSig PrevStage> {
      * argument.
      */
     pragma[nomagic]
-    additional predicate fwdFlow(
+    predicate fwdFlow(
       NodeEx node, FlowState state, Cc cc, ApOption argAp, Ap ap, Configuration config
     ) {
       fwdFlow0(node, state, cc, argAp, ap, config) and
@@ -1484,7 +1483,7 @@ private module MkStage<StageSig PrevStage> {
      * the access path of the returned value.
      */
     pragma[nomagic]
-    additional predicate revFlow(
+    predicate revFlow(
       NodeEx node, FlowState state, boolean toReturn, ApOption returnAp, Ap ap, Configuration config
     ) {
       revFlow0(node, state, toReturn, returnAp, ap, config) and
@@ -1662,7 +1661,7 @@ private module MkStage<StageSig PrevStage> {
       )
     }
 
-    additional predicate revFlow(NodeEx node, FlowState state, Configuration config) {
+    predicate revFlow(NodeEx node, FlowState state, Configuration config) {
       revFlow(node, state, _, _, _, config)
     }
 
@@ -1675,13 +1674,11 @@ private module MkStage<StageSig PrevStage> {
 
     // use an alias as a workaround for bad functionality-induced joins
     pragma[nomagic]
-    additional predicate revFlowAlias(NodeEx node, Configuration config) {
-      revFlow(node, _, _, _, _, config)
-    }
+    predicate revFlowAlias(NodeEx node, Configuration config) { revFlow(node, _, _, _, _, config) }
 
     // use an alias as a workaround for bad functionality-induced joins
     pragma[nomagic]
-    additional predicate revFlowAlias(NodeEx node, FlowState state, Ap ap, Configuration config) {
+    predicate revFlowAlias(NodeEx node, FlowState state, Ap ap, Configuration config) {
       revFlow(node, state, ap, config)
     }
 
@@ -1702,7 +1699,7 @@ private module MkStage<StageSig PrevStage> {
       )
     }
 
-    additional predicate consCand(TypedContent tc, Ap ap, Configuration config) {
+    predicate consCand(TypedContent tc, Ap ap, Configuration config) {
       revConsCand(tc, ap, config) and
       validAp(ap, config)
     }
@@ -1744,7 +1741,7 @@ private module MkStage<StageSig PrevStage> {
       )
     }
 
-    additional predicate stats(
+    predicate stats(
       boolean fwd, int nodes, int fields, int conscand, int states, int tuples, Configuration config
     ) {
       fwd = true and
@@ -2929,15 +2926,10 @@ abstract private class PathNodeImpl extends PathNode {
     result = this.getASuccessorImpl()
   }
 
-  pragma[nomagic]
-  private PathNodeImpl getANonHiddenSuccessor0() {
-    result = this.getASuccessorIfHidden*() and
-    not result.isHidden()
-  }
-
   final PathNodeImpl getANonHiddenSuccessor() {
-    result = this.getASuccessorImpl().getANonHiddenSuccessor0() and
-    not this.isHidden()
+    result = this.getASuccessorImpl().getASuccessorIfHidden*() and
+    not this.isHidden() and
+    not result.isHidden()
   }
 
   abstract NodeEx getNodeEx();

cpp/ql/lib/semmle/code/cpp/ir/dataflow/internal/DataFlowImpl4.qll

@@ -163,9 +163,7 @@ abstract class Configuration extends string {
   /**
    * Holds if data may flow from some source to `sink` for this configuration.
    */
-  predicate hasFlowTo(Node sink) {
-    sink = any(PathNodeSink n | this = n.getConfiguration()).getNodeEx().asNode()
-  }
+  predicate hasFlowTo(Node sink) { this.hasFlow(_, sink) }
 
   /**
    * Holds if data may flow from some source to `sink` for this configuration.
@@ -560,16 +558,13 @@ private predicate expectsContentEx(NodeEx n, Content c) {
 pragma[nomagic]
 private predicate notExpectsContent(NodeEx n) { not expectsContentCached(n.asNode(), _) }
 
-pragma[nomagic]
-private predicate hasReadStep(Content c, Configuration config) { read(_, c, _, config) }
-
 pragma[nomagic]
 private predicate store(
   NodeEx node1, TypedContent tc, NodeEx node2, DataFlowType contentType, Configuration config
 ) {
   store(pragma[only_bind_into](node1.asNode()), tc, pragma[only_bind_into](node2.asNode()),
     contentType) and
-  hasReadStep(tc.getContent(), config) and
+  read(_, tc.getContent(), _, config) and
   stepFilter(node1, node2, config)
 }
 
@@ -603,9 +598,13 @@ private predicate hasSinkCallCtx(Configuration config) {
 }
 
 private module Stage1 implements StageSig {
+  class ApApprox = Unit;
+
   class Ap = Unit;
 
-  private class Cc = boolean;
+  class ApOption = Unit;
+
+  class Cc = boolean;
 
   /* Begin: Stage 1 logic. */
   /**
@@ -614,7 +613,7 @@ private module Stage1 implements StageSig {
    * The Boolean `cc` records whether the node is reached through an
    * argument in a call.
    */
-  private predicate fwdFlow(NodeEx node, Cc cc, Configuration config) {
+  predicate fwdFlow(NodeEx node, Cc cc, Configuration config) {
     sourceNode(node, _, config) and
     if hasSourceCallCtx(config) then cc = true else cc = false
     or
@@ -754,7 +753,7 @@ private module Stage1 implements StageSig {
    * the enclosing callable in order to reach a sink.
    */
   pragma[nomagic]
-  private predicate revFlow(NodeEx node, boolean toReturn, Configuration config) {
+  predicate revFlow(NodeEx node, boolean toReturn, Configuration config) {
     revFlow0(node, toReturn, config) and
     fwdFlow(node, config)
   }
@@ -838,13 +837,13 @@ private module Stage1 implements StageSig {
    * by `revFlow`.
    */
   pragma[nomagic]
-  additional predicate revFlowIsReadAndStored(Content c, Configuration conf) {
+  predicate revFlowIsReadAndStored(Content c, Configuration conf) {
     revFlowConsCand(c, conf) and
     revFlowStore(c, _, _, conf)
   }
 
   pragma[nomagic]
-  additional predicate viableReturnPosOutNodeCandFwd1(
+  predicate viableReturnPosOutNodeCandFwd1(
     DataFlowCall call, ReturnPosition pos, NodeEx out, Configuration config
   ) {
     fwdFlowReturnPosition(pos, _, config) and
@@ -860,7 +859,7 @@ private module Stage1 implements StageSig {
   }
 
   pragma[nomagic]
-  additional predicate viableParamArgNodeCandFwd1(
+  predicate viableParamArgNodeCandFwd1(
     DataFlowCall call, ParamNodeEx p, ArgNodeEx arg, Configuration config
   ) {
     viableParamArgEx(call, p, arg) and
@@ -907,7 +906,7 @@ private module Stage1 implements StageSig {
     )
   }
 
-  additional predicate revFlowState(FlowState state, Configuration config) {
+  predicate revFlowState(FlowState state, Configuration config) {
     exists(NodeEx node |
       sinkNode(node, state, config) and
       revFlow(node, _, pragma[only_bind_into](config)) and
@@ -999,7 +998,7 @@ private module Stage1 implements StageSig {
     )
   }
 
-  additional predicate stats(
+  predicate stats(
     boolean fwd, int nodes, int fields, int conscand, int states, int tuples, Configuration config
   ) {
     fwd = true and
@@ -1260,7 +1259,7 @@ private module MkStage<StageSig PrevStage> {
      * argument.
      */
     pragma[nomagic]
-    additional predicate fwdFlow(
+    predicate fwdFlow(
       NodeEx node, FlowState state, Cc cc, ApOption argAp, Ap ap, Configuration config
     ) {
       fwdFlow0(node, state, cc, argAp, ap, config) and
@@ -1484,7 +1483,7 @@ private module MkStage<StageSig PrevStage> {
      * the access path of the returned value.
      */
     pragma[nomagic]
-    additional predicate revFlow(
+    predicate revFlow(
       NodeEx node, FlowState state, boolean toReturn, ApOption returnAp, Ap ap, Configuration config
     ) {
       revFlow0(node, state, toReturn, returnAp, ap, config) and
@@ -1662,7 +1661,7 @@ private module MkStage<StageSig PrevStage> {
       )
     }
 
-    additional predicate revFlow(NodeEx node, FlowState state, Configuration config) {
+    predicate revFlow(NodeEx node, FlowState state, Configuration config) {
       revFlow(node, state, _, _, _, config)
     }
 
@@ -1675,13 +1674,11 @@ private module MkStage<StageSig PrevStage> {
 
     // use an alias as a workaround for bad functionality-induced joins
     pragma[nomagic]
-    additional predicate revFlowAlias(NodeEx node, Configuration config) {
-      revFlow(node, _, _, _, _, config)
-    }
+    predicate revFlowAlias(NodeEx node, Configuration config) { revFlow(node, _, _, _, _, config) }
 
     // use an alias as a workaround for bad functionality-induced joins
     pragma[nomagic]
-    additional predicate revFlowAlias(NodeEx node, FlowState state, Ap ap, Configuration config) {
+    predicate revFlowAlias(NodeEx node, FlowState state, Ap ap, Configuration config) {
       revFlow(node, state, ap, config)
     }
 
@@ -1702,7 +1699,7 @@ private module MkStage<StageSig PrevStage> {
       )
     }
 
-    additional predicate consCand(TypedContent tc, Ap ap, Configuration config) {
+    predicate consCand(TypedContent tc, Ap ap, Configuration config) {
       revConsCand(tc, ap, config) and
       validAp(ap, config)
     }
@@ -1744,7 +1741,7 @@ private module MkStage<StageSig PrevStage> {
       )
     }
 
-    additional predicate stats(
+    predicate stats(
       boolean fwd, int nodes, int fields, int conscand, int states, int tuples, Configuration config
     ) {
       fwd = true and
@@ -2929,15 +2926,10 @@ abstract private class PathNodeImpl extends PathNode {
     result = this.getASuccessorImpl()
   }
 
-  pragma[nomagic]
-  private PathNodeImpl getANonHiddenSuccessor0() {
-    result = this.getASuccessorIfHidden*() and
-    not result.isHidden()
-  }
-
   final PathNodeImpl getANonHiddenSuccessor() {
-    result = this.getASuccessorImpl().getANonHiddenSuccessor0() and
-    not this.isHidden()
+    result = this.getASuccessorImpl().getASuccessorIfHidden*() and
+    not this.isHidden() and
+    not result.isHidden()
   }
 
   abstract NodeEx getNodeEx();

cpp/ql/lib/semmle/code/cpp/ir/dataflow/internal/PrintIRLocalFlow.qll

@@ -100,7 +100,7 @@ private string getNodeProperty(DataFlow::Node node, string key) {
   or
   // Is there partial flow from a source to this node?
   // This property will only be emitted if partial flow is enabled by overriding
-  // `DataFlow::Configuration::explorationLimit()`.
+  // `DataFlow::Configration::explorationLimit()`.
   key = "pflow" and
   result =
     strictconcat(DataFlow::PartialPathNode sourceNode, DataFlow::PartialPathNode destNode, int dist,

cpp/ql/lib/semmle/code/cpp/ir/dataflow/internal/SsaInternals.qll

@@ -267,6 +267,9 @@ Instruction getSourceAddressFromNode(Node node) {
   result = getSourceAddress(node.asOperand().(SideEffectOperand).getUse())
 }
 
+/** Gets the source value of `instr` if it's an instruction that behaves like a `LoadInstruction`. */
+Instruction getSourceValue(Instruction instr) { result = getSourceValueOperand(instr).getDef() }
+
 /**
  * Gets the operand that represents the source value of `instr` if it's an instruction
  * that behaves like a `LoadInstruction`.

cpp/ql/lib/semmle/code/cpp/ir/implementation/aliased_ssa/Instruction.qll

@@ -742,7 +742,7 @@ class NoOpInstruction extends Instruction {
  * The `ReturnInstruction` for a function will have a control-flow successor edge to a block
  * containing the `ExitFunction` instruction for that function.
  *
- * There are two different return instructions: `ReturnValueInstruction`, for returning a value from
+ * There are two differet return instructions: `ReturnValueInstruction`, for returning a value from
  * a non-`void`-returning function, and `ReturnVoidInstruction`, for returning from a
  * `void`-returning function.
  */
@@ -1331,7 +1331,7 @@ class CheckedConvertOrThrowInstruction extends UnaryInstruction {
  *
  * If the operand holds a null address, the result is a null address.
  *
- * This instruction is used to represent `dynamic_cast<void*>` in C++, which returns the pointer to
+ * This instruction is used to represent `dyanmic_cast<void*>` in C++, which returns the pointer to
  * the most-derived object.
  */
 class CompleteObjectAddressInstruction extends UnaryInstruction {

cpp/ql/lib/semmle/code/cpp/ir/implementation/aliased_ssa/internal/SSAConstruction.qll

@@ -64,7 +64,7 @@ private module Cached {
     or
     instr = reusedPhiInstruction(_) and
     // Check that the phi instruction is *not* degenerate, but we can't use
-    // getDegeneratePhiOperand in the first stage with phi instructions
+    // getDegeneratePhiOperand in the first stage with phi instyructions
     not exists(
       unique(OldIR::PhiInputOperand operand |
         operand = instr.(OldIR::PhiInstruction).getAnInputOperand() and
@@ -143,6 +143,16 @@ private module Cached {
     )
   }
 
+  cached
+  Instruction getRegisterOperandDefinition(Instruction instruction, RegisterOperandTag tag) {
+    exists(OldInstruction oldInstruction, OldIR::RegisterOperand oldOperand |
+      oldInstruction = getOldInstruction(instruction) and
+      oldOperand = oldInstruction.getAnOperand() and
+      tag = oldOperand.getOperandTag() and
+      result = getNewInstruction(oldOperand.getAnyDef())
+    )
+  }
+
   pragma[noopt]
   private predicate hasMemoryOperandDefinition(
     OldInstruction oldInstruction, OldIR::NonPhiMemoryOperand oldOperand, Overlap overlap,
@@ -718,7 +728,7 @@ module DefUse {
   }
 
   /**
-   * Gets the rank index of a hypothetical use one instruction past the end of
+   * Gets the rank index of a hyphothetical use one instruction past the end of
    * the block. This index can be used to determine if a definition reaches the
    * end of the block, even if the definition is the last instruction in the
    * block.

cpp/ql/lib/semmle/code/cpp/ir/implementation/internal/TOperand.qll

@@ -172,7 +172,7 @@ deprecated module UnaliasedSSAOperands = UnaliasedSsaOperands;
 
 /**
  * Provides wrappers for the constructors of each branch of `TOperand` that is used by the
- * aliased SSA stage.
+ * asliased SSA stage.
  * These wrappers are not parameterized because it is not possible to invoke an IPA constructor via
  * a class alias.
  */

cpp/ql/lib/semmle/code/cpp/ir/implementation/raw/Instruction.qll

@@ -742,7 +742,7 @@ class NoOpInstruction extends Instruction {
  * The `ReturnInstruction` for a function will have a control-flow successor edge to a block
  * containing the `ExitFunction` instruction for that function.
  *
- * There are two different return instructions: `ReturnValueInstruction`, for returning a value from
+ * There are two differet return instructions: `ReturnValueInstruction`, for returning a value from
  * a non-`void`-returning function, and `ReturnVoidInstruction`, for returning from a
  * `void`-returning function.
  */
@@ -1331,7 +1331,7 @@ class CheckedConvertOrThrowInstruction extends UnaryInstruction {
  *
  * If the operand holds a null address, the result is a null address.
  *
- * This instruction is used to represent `dynamic_cast<void*>` in C++, which returns the pointer to
+ * This instruction is used to represent `dyanmic_cast<void*>` in C++, which returns the pointer to
  * the most-derived object.
  */
 class CompleteObjectAddressInstruction extends UnaryInstruction {

cpp/ql/lib/semmle/code/cpp/ir/implementation/raw/internal/IRConstruction.qll

@@ -256,6 +256,12 @@ CppType getInstructionOperandType(Instruction instruction, TypedOperandTag tag)
         .getInstructionMemoryOperandType(getInstructionTag(instruction), tag)
 }
 
+Instruction getPhiOperandDefinition(
+  PhiInstruction instruction, IRBlock predecessorBlock, Overlap overlap
+) {
+  none()
+}
+
 Instruction getPhiInstructionBlockStart(PhiInstruction instr) { none() }
 
 Instruction getInstructionSuccessor(Instruction instruction, EdgeKind kind) {

cpp/ql/lib/semmle/code/cpp/ir/implementation/raw/internal/TranslatedCall.qll

@@ -542,7 +542,7 @@ class TranslatedArgumentExprSideEffect extends TranslatedArgumentSideEffect,
  * The IR translation of an argument side effect for `*this` on a call, where there is no `Expr`
  * object that represents the `this` argument.
  *
- * The applies only to constructor calls, as the AST has exploit qualifier `Expr`s for all other
+ * The applies only to constructor calls, as the AST has explioit qualifier `Expr`s for all other
  * calls to non-static member functions.
  */
 class TranslatedStructorQualifierSideEffect extends TranslatedArgumentSideEffect,

cpp/ql/lib/semmle/code/cpp/ir/implementation/raw/internal/TranslatedExpr.qll

@@ -2177,7 +2177,7 @@ abstract class TranslatedConditionalExpr extends TranslatedNonConstantExpr {
 /**
  * The IR translation of the ternary conditional operator (`a ? b : c`).
  * For this version, we expand the condition as a `TranslatedCondition`, rather than a
- * `TranslatedExpr`, to simplify the control flow in the presence of short-circuit logical operators.
+ * `TranslatedExpr`, to simplify the control flow in the presence of short-ciruit logical operators.
  */
 class TranslatedTernaryConditionalExpr extends TranslatedConditionalExpr, ConditionContext {
   TranslatedTernaryConditionalExpr() { not expr.isTwoOperand() }

cpp/ql/lib/semmle/code/cpp/ir/implementation/unaliased_ssa/Instruction.qll

@@ -742,7 +742,7 @@ class NoOpInstruction extends Instruction {
  * The `ReturnInstruction` for a function will have a control-flow successor edge to a block
  * containing the `ExitFunction` instruction for that function.
  *
- * There are two different return instructions: `ReturnValueInstruction`, for returning a value from
+ * There are two differet return instructions: `ReturnValueInstruction`, for returning a value from
  * a non-`void`-returning function, and `ReturnVoidInstruction`, for returning from a
  * `void`-returning function.
  */
@@ -1331,7 +1331,7 @@ class CheckedConvertOrThrowInstruction extends UnaryInstruction {
  *
  * If the operand holds a null address, the result is a null address.
  *
- * This instruction is used to represent `dynamic_cast<void*>` in C++, which returns the pointer to
+ * This instruction is used to represent `dyanmic_cast<void*>` in C++, which returns the pointer to
  * the most-derived object.
  */
 class CompleteObjectAddressInstruction extends UnaryInstruction {

cpp/ql/lib/semmle/code/cpp/ir/implementation/unaliased_ssa/internal/SSAConstruction.qll

@@ -64,7 +64,7 @@ private module Cached {
     or
     instr = reusedPhiInstruction(_) and
     // Check that the phi instruction is *not* degenerate, but we can't use
-    // getDegeneratePhiOperand in the first stage with phi instructions
+    // getDegeneratePhiOperand in the first stage with phi instyructions
     not exists(
       unique(OldIR::PhiInputOperand operand |
         operand = instr.(OldIR::PhiInstruction).getAnInputOperand() and
@@ -143,6 +143,16 @@ private module Cached {
     )
   }
 
+  cached
+  Instruction getRegisterOperandDefinition(Instruction instruction, RegisterOperandTag tag) {
+    exists(OldInstruction oldInstruction, OldIR::RegisterOperand oldOperand |
+      oldInstruction = getOldInstruction(instruction) and
+      oldOperand = oldInstruction.getAnOperand() and
+      tag = oldOperand.getOperandTag() and
+      result = getNewInstruction(oldOperand.getAnyDef())
+    )
+  }
+
   pragma[noopt]
   private predicate hasMemoryOperandDefinition(
     OldInstruction oldInstruction, OldIR::NonPhiMemoryOperand oldOperand, Overlap overlap,
@@ -718,7 +728,7 @@ module DefUse {
   }
 
   /**
-   * Gets the rank index of a hypothetical use one instruction past the end of
+   * Gets the rank index of a hyphothetical use one instruction past the end of
    * the block. This index can be used to determine if a definition reaches the
    * end of the block, even if the definition is the last instruction in the
    * block.

cpp/ql/lib/semmle/code/cpp/ir/internal/IRUtilities.qll

@@ -12,7 +12,7 @@ private Type getDecayedType(Type type) {
 }
 
 /**
- * Holds if the specified variable is a structured binding with a non-reference
+ * Holds if the sepcified variable is a structured binding with a non-reference
  * type.
  */
 predicate isNonReferenceStructuredBinding(Variable v) {

cpp/ql/lib/semmle/code/cpp/metrics/MetricFile.qll

@@ -209,7 +209,7 @@ private predicate aClassFile(Class c, File file) { c.getDefinitionLocation().get
 
 pragma[noopt]
 private predicate dependsOnFileSimple(MetricFile source, MetricFile dest) {
-  // class derives from another class
+  // class derives from classs
   exists(Class fromClass, Class toClass |
     aClassFile(fromClass, source) and
     fromClass.derivesFrom(toClass) and

cpp/ql/lib/semmle/code/cpp/models/implementations/Allocation.qll

@@ -205,149 +205,57 @@ private predicate deconstructSizeExpr(Expr sizeExpr, Expr lengthExpr, int sizeof
   sizeof = 1
 }
 
-/** A `Function` that is a call target of an allocation. */
-private signature class CallAllocationExprTarget extends Function;
-
 /**
- * This module abstracts over the type of allocation call-targets and provides a
- * class `CallAllocationExprImpl` which contains the implementation of the various
- * predicates required by the `Allocation` class.
- *
- * This module is then instantiated for two types of allocation call-targets:
- * - `AllocationFunction`: Functions that we've explicitly modeled as functions that
- * perform allocations (i.e., `malloc`).
- * - `HeuristicAllocationFunction`: Functions that we deduce as behaving like an allocation
- * function using various heuristics.
+ * An allocation expression that is a function call, such as call to `malloc`.
  */
-private module CallAllocationExprBase<CallAllocationExprTarget Target> {
-  /** A module that contains the collection of member-predicates required on `Target`. */
-  signature module Param {
-    /**
-     * Gets the index of the input pointer argument to be reallocated, if
-     * this is a `realloc` function.
-     */
-    int getReallocPtrArg(Target target);
+private class CallAllocationExpr extends AllocationExpr, FunctionCall {
+  AllocationFunction target;
 
-    /**
-     * Gets the index of the argument for the allocation size, if any. The actual
-     * allocation size is the value of this argument multiplied by the result of
-     * `getSizeMult()`, in bytes.
-     */
-    int getSizeArg(Target target);
-
-    /**
-     * Gets the index of an argument that multiplies the allocation size given
-     * by `getSizeArg`, if any.
-     */
-    int getSizeMult(Target target);
-
-    /**
-     * Holds if this allocation requires a
-     * corresponding deallocation of some sort (most do, but `alloca` for example
-     * does not). If it is unclear, we default to no (for example a placement `new`
-     * allocation may or may not require a corresponding `delete`).
-     */
-    predicate requiresDealloc(Target target);
+  CallAllocationExpr() {
+    target = this.getTarget() and
+    // realloc(ptr, 0) only frees the pointer
+    not (
+      exists(target.getReallocPtrArg()) and
+      this.getArgument(target.getSizeArg()).getValue().toInt() = 0
+    ) and
+    // these are modeled directly (and more accurately), avoid duplication
+    not exists(NewOrNewArrayExpr new | new.getAllocatorCall() = this)
   }
 
-  /**
-   * A module that abstracts over a collection of predicates in
-   * the `Param` module). This should really be member-predicates
-   * on `CallAllocationExprTarget`, but we cannot yet write this in QL.
-   */
-  module With<Param P> {
-    private import P
-
-    /**
-     * An allocation expression that is a function call, such as call to `malloc`.
-     */
-    class CallAllocationExprImpl instanceof FunctionCall {
-      Target target;
-
-      CallAllocationExprImpl() {
-        target = this.getTarget() and
-        // realloc(ptr, 0) only frees the pointer
-        not (
-          exists(getReallocPtrArg(target)) and
-          this.getArgument(getSizeArg(target)).getValue().toInt() = 0
-        ) and
-        // these are modeled directly (and more accurately), avoid duplication
-        not exists(NewOrNewArrayExpr new | new.getAllocatorCall() = this)
-      }
-
-      string toString() { result = super.toString() }
-
-      Expr getSizeExprImpl() {
-        exists(Expr sizeExpr | sizeExpr = super.getArgument(getSizeArg(target)) |
-          if exists(getSizeMult(target))
-          then result = sizeExpr
-          else
-            exists(Expr lengthExpr |
-              deconstructSizeExpr(sizeExpr, lengthExpr, _) and
-              result = lengthExpr
-            )
+  override Expr getSizeExpr() {
+    exists(Expr sizeExpr | sizeExpr = this.getArgument(target.getSizeArg()) |
+      if exists(target.getSizeMult())
+      then result = sizeExpr
+      else
+        exists(Expr lengthExpr |
+          deconstructSizeExpr(sizeExpr, lengthExpr, _) and
+          result = lengthExpr
         )
-      }
-
-      int getSizeMultImpl() {
-        // malloc with multiplier argument that is a constant
-        result = super.getArgument(getSizeMult(target)).getValue().toInt()
-        or
-        // malloc with no multiplier argument
-        not exists(getSizeMult(target)) and
-        deconstructSizeExpr(super.getArgument(getSizeArg(target)), _, result)
-      }
-
-      int getSizeBytesImpl() {
-        result = this.getSizeExprImpl().getValue().toInt() * this.getSizeMultImpl()
-      }
-
-      Expr getReallocPtrImpl() { result = super.getArgument(getReallocPtrArg(target)) }
-
-      Type getAllocatedElementTypeImpl() {
-        result =
-          super.getFullyConverted().getType().stripTopLevelSpecifiers().(PointerType).getBaseType() and
-        not result instanceof VoidType
-      }
-
-      predicate requiresDeallocImpl() { requiresDealloc(target) }
-    }
-  }
-}
-
-private module CallAllocationExpr {
-  private module Param implements CallAllocationExprBase<AllocationFunction>::Param {
-    int getReallocPtrArg(AllocationFunction f) { result = f.getReallocPtrArg() }
-
-    int getSizeArg(AllocationFunction f) { result = f.getSizeArg() }
-
-    int getSizeMult(AllocationFunction f) { result = f.getSizeMult() }
-
-    predicate requiresDealloc(AllocationFunction f) { f.requiresDealloc() }
+    )
   }
 
-  /**
-   * A class that provides the implementation of `AllocationExpr` for an allocation
-   * that calls an `AllocationFunction`.
-   */
-  private class Base =
-    CallAllocationExprBase<AllocationFunction>::With<Param>::CallAllocationExprImpl;
-
-  class CallAllocationExpr extends AllocationExpr, Base {
-    override Expr getSizeExpr() { result = super.getSizeExprImpl() }
-
-    override int getSizeMult() { result = super.getSizeMultImpl() }
-
-    override Type getAllocatedElementType() { result = super.getAllocatedElementTypeImpl() }
-
-    override predicate requiresDealloc() { super.requiresDeallocImpl() }
-
-    override int getSizeBytes() { result = super.getSizeBytesImpl() }
-
-    override Expr getReallocPtr() { result = super.getReallocPtrImpl() }
-
-    override string toString() { result = AllocationExpr.super.toString() }
+  override int getSizeMult() {
+    // malloc with multiplier argument that is a constant
+    result = this.getArgument(target.getSizeMult()).getValue().toInt()
+    or
+    // malloc with no multiplier argument
+    not exists(target.getSizeMult()) and
+    deconstructSizeExpr(this.getArgument(target.getSizeArg()), _, result)
   }
+
+  override int getSizeBytes() {
+    result = this.getSizeExpr().getValue().toInt() * this.getSizeMult()
+  }
+
+  override Expr getReallocPtr() { result = this.getArgument(target.getReallocPtrArg()) }
+
+  override Type getAllocatedElementType() {
+    result =
+      this.getFullyConverted().getType().stripTopLevelSpecifiers().(PointerType).getBaseType() and
+    not result instanceof VoidType
+  }
+
+  override predicate requiresDealloc() { target.requiresDealloc() }
 }
 
 /**
@@ -386,99 +294,3 @@ private class NewArrayAllocationExpr extends AllocationExpr, NewArrayExpr {
 
   override predicate requiresDealloc() { not exists(this.getPlacementPointer()) }
 }
-
-private module HeuristicAllocation {
-  /** A class that maps an `AllocationExpr` to an `HeuristicAllocationExpr`. */
-  private class HeuristicAllocationModeled extends HeuristicAllocationExpr instanceof AllocationExpr {
-    override Expr getSizeExpr() { result = AllocationExpr.super.getSizeExpr() }
-
-    override int getSizeMult() { result = AllocationExpr.super.getSizeMult() }
-
-    override int getSizeBytes() { result = AllocationExpr.super.getSizeBytes() }
-
-    override Expr getReallocPtr() { result = AllocationExpr.super.getReallocPtr() }
-
-    override Type getAllocatedElementType() {
-      result = AllocationExpr.super.getAllocatedElementType()
-    }
-
-    override predicate requiresDealloc() { AllocationExpr.super.requiresDealloc() }
-  }
-
-  /** A class that maps an `AllocationFunction` to an `HeuristicAllocationFunction`. */
-  private class HeuristicAllocationFunctionModeled extends HeuristicAllocationFunction instanceof AllocationFunction {
-    override int getSizeArg() { result = AllocationFunction.super.getSizeArg() }
-
-    override int getSizeMult() { result = AllocationFunction.super.getSizeMult() }
-
-    override int getReallocPtrArg() { result = AllocationFunction.super.getReallocPtrArg() }
-
-    override predicate requiresDealloc() { AllocationFunction.super.requiresDealloc() }
-  }
-
-  private int getAnUnsignedParameter(Function f) {
-    f.getParameter(result).getUnspecifiedType().(IntegralType).isUnsigned()
-  }
-
-  private int getAPointerParameter(Function f) {
-    f.getParameter(result).getUnspecifiedType() instanceof PointerType
-  }
-
-  /**
-   * A class that uses heuristics to find additional allocation functions. The required are as follows:
-   * 1. The word `alloc` must appear in the function name
-   * 2. The function must return a pointer type
-   * 3. There must be a unique parameter of unsigned integral type.
-   */
-  private class HeuristicAllocationFunctionByName extends HeuristicAllocationFunction instanceof Function {
-    int sizeArg;
-
-    HeuristicAllocationFunctionByName() {
-      Function.super.getName().matches("%alloc%") and
-      Function.super.getUnspecifiedType() instanceof PointerType and
-      sizeArg = unique( | | getAnUnsignedParameter(this))
-    }
-
-    override int getSizeArg() { result = sizeArg }
-
-    override int getReallocPtrArg() {
-      Function.super.getName().matches("%realloc%") and
-      result = unique( | | getAPointerParameter(this))
-    }
-
-    override predicate requiresDealloc() { none() }
-  }
-
-  private module Param implements CallAllocationExprBase<HeuristicAllocationFunction>::Param {
-    int getReallocPtrArg(HeuristicAllocationFunction f) { result = f.getReallocPtrArg() }
-
-    int getSizeArg(HeuristicAllocationFunction f) { result = f.getSizeArg() }
-
-    int getSizeMult(HeuristicAllocationFunction f) { result = f.getSizeMult() }
-
-    predicate requiresDealloc(HeuristicAllocationFunction f) { f.requiresDealloc() }
-  }
-
-  /**
-   * A class that provides the implementation of `AllocationExpr` for an allocation
-   * that calls an `HeuristicAllocationFunction`.
-   */
-  private class Base =
-    CallAllocationExprBase<HeuristicAllocationFunction>::With<Param>::CallAllocationExprImpl;
-
-  private class CallAllocationExpr extends HeuristicAllocationExpr, Base {
-    override Expr getSizeExpr() { result = super.getSizeExprImpl() }
-
-    override int getSizeMult() { result = super.getSizeMultImpl() }
-
-    override Type getAllocatedElementType() { result = super.getAllocatedElementTypeImpl() }
-
-    override predicate requiresDealloc() { super.requiresDeallocImpl() }
-
-    override int getSizeBytes() { result = super.getSizeBytesImpl() }
-
-    override Expr getReallocPtr() { result = super.getReallocPtrImpl() }
-
-    override string toString() { result = HeuristicAllocationExpr.super.toString() }
-  }
-}

cpp/ql/lib/semmle/code/cpp/models/interfaces/Allocation.qll

@@ -113,84 +113,3 @@ class OperatorNewAllocationFunction extends AllocationFunction {
     result = 1
   }
 }
-
-/**
- * An expression that _might_ allocate memory.
- *
- * Unlike `AllocationExpr`, this class uses heuristics (such as a call target's
- * name and parameters) to include additional expressions.
- */
-abstract class HeuristicAllocationExpr extends Expr {
-  /**
-   * Gets an expression for the allocation size, if any. The actual allocation
-   * size is the value of this expression multiplied by the result of
-   * `getSizeMult()`, in bytes.
-   */
-  Expr getSizeExpr() { none() }
-
-  /**
-   * Gets a constant multiplier for the allocation size given by `getSizeExpr`,
-   * in bytes.
-   */
-  int getSizeMult() { none() }
-
-  /**
-   * Gets the size of this allocation in bytes, if it is a fixed size and that
-   * size can be determined.
-   */
-  int getSizeBytes() { none() }
-
-  /**
-   * Gets the expression for the input pointer argument to be reallocated, if
-   * this is a `realloc` function.
-   */
-  Expr getReallocPtr() { none() }
-
-  /**
-   * Gets the type of the elements that are allocated, if it can be determined.
-   */
-  Type getAllocatedElementType() { none() }
-
-  /**
-   * Whether or not this allocation requires a corresponding deallocation of
-   * some sort (most do, but `alloca` for example does not).  If it is unclear,
-   * we default to no (for example a placement `new` allocation may or may not
-   * require a corresponding `delete`).
-   */
-  predicate requiresDealloc() { any() }
-}
-
-/**
- * An function that _might_ allocate memory.
- *
- * Unlike `AllocationFunction`, this class uses heuristics (such as the function's
- * name and its parameters) to include additional functions.
- */
-abstract class HeuristicAllocationFunction extends Function {
-  /**
-   * Gets the index of the argument for the allocation size, if any. The actual
-   * allocation size is the value of this argument multiplied by the result of
-   * `getSizeMult()`, in bytes.
-   */
-  int getSizeArg() { none() }
-
-  /**
-   * Gets the index of an argument that multiplies the allocation size given by
-   * `getSizeArg`, if any.
-   */
-  int getSizeMult() { none() }
-
-  /**
-   * Gets the index of the input pointer argument to be reallocated, if this
-   * is a `realloc` function.
-   */
-  int getReallocPtrArg() { none() }
-
-  /**
-   * Whether or not this allocation requires a corresponding deallocation of
-   * some sort (most do, but `alloca` for example does not).  If it is unclear,
-   * we default to no (for example a placement `new` allocation may or may not
-   * require a corresponding `delete`).
-   */
-  predicate requiresDealloc() { any() }
-}

cpp/ql/lib/semmle/code/cpp/rangeanalysis/RangeAnalysisUtils.qll

@@ -173,7 +173,7 @@ predicate eqOpWithSwapAndNegate(EqualityOperation cmp, Expr a, Expr b, boolean i
 
 /**
  * Holds if `cmp` is an unconverted conversion of `a` to a Boolean that
- * evaluates to `isEQ` iff `a` is 0.
+ * evalutes to `isEQ` iff `a` is 0.
  *
  * Note that `a` can be `cmp` itself or a conversion thereof.
  */

cpp/ql/lib/semmle/code/cpp/security/Encryption.qll

@@ -51,14 +51,14 @@ string getInsecureAlgorithmRegex() {
 
 /**
  * Holds if `name` looks like it might be related to operations with an
- * insecure encryption algorithm.
+ * insecure encyption algorithm.
  */
 bindingset[name]
 predicate isInsecureEncryption(string name) { name.regexpMatch(getInsecureAlgorithmRegex()) }
 
 /**
  * Holds if there is additional evidence that `name` looks like it might be
- * related to operations with an encryption algorithm, besides the name of a
+ * related to operations with an encyption algorithm, besides the name of a
  * specific algorithm. This can be used in conjunction with
  * `isInsecureEncryption` to produce a stronger heuristic.
  */

cpp/ql/lib/semmle/code/cpp/security/TaintTrackingImpl.qll

@@ -1,7 +1,7 @@
 /**
  * DEPRECATED: we now use `semmle.code.cpp.ir.dataflow.DefaultTaintTracking`,
  * which is based on the IR but designed to behave similarly to this old
- * library.
+ * libarary.
  *
  * Provides the implementation of `semmle.code.cpp.security.TaintTracking`. Do
  * not import this file directly.

cpp/ql/lib/semmle/code/cpp/valuenumbering/HashCons.qll

@@ -104,7 +104,7 @@ private newtype HC_Alloc =
   HC_HasAlloc(HashCons hc) { mk_HasAlloc(hc, _) }
 
 /**
- * Used to implement optional extent expression on `new[]` expressions
+ * Used to implement optional extent expression on `new[]` exprtessions
  */
 private newtype HC_Extent =
   HC_NoExtent() or
@@ -116,7 +116,7 @@ private newtype HC_Args =
   HC_ArgCons(HashCons hc, int i, HC_Args list) { mk_ArgCons(hc, i, list, _) }
 
 /**
- * Used to implement hash-consing of struct initializers.
+ * Used to implement hash-consing of struct initizializers.
  */
 private newtype HC_Fields =
   HC_EmptyFields(Class c) { exists(ClassAggregateLiteral cal | c = cal.getUnspecifiedType()) } or

cpp/ql/src/Architecture/General Namespace-Level Information/GlobalNamespaceClasses.ql

@@ -15,4 +15,4 @@ where
   c.fromSource() and
   c.isTopLevel() and
   c.getParentScope() instanceof GlobalNamespace
-select c, "This class is not declared in any namespace."
+select c, "This class is not declared in any namespace"

cpp/ql/src/Architecture/Refactoring Opportunities/ClassesWithManyDependencies.ql

@@ -16,4 +16,4 @@ where
   t.fromSource() and
   n = t.getMetrics().getEfferentSourceCoupling() and
   n > 10
-select t as class_, "This class has too many dependencies (" + n.toString() + ")."
+select t as class_, "This class has too many dependencies (" + n.toString() + ")"

cpp/ql/src/Architecture/Refactoring Opportunities/ComplexFunctions.ql

@@ -17,4 +17,4 @@ where
   n = f.getMetrics().getNumberOfCalls() and
   n > 99 and
   not f.isMultiplyDefined()
-select f as function, "This function makes too many calls (" + n.toString() + ")."
+select f as function, "This function makes too many calls (" + n.toString() + ")"

cpp/ql/src/Architecture/Refactoring Opportunities/FunctionsWithManyParameters.ql

@@ -18,4 +18,4 @@ where
   f.getMetrics().getNumberOfParameters() > 15
 select f,
   "This function has too many parameters (" + f.getMetrics().getNumberOfParameters().toString() +
-    ")."
+    ")"

cpp/ql/src/Best Practices/Hiding/LocalVariableHidesGlobalVariable.ql

@@ -35,4 +35,4 @@ from LocalVariableOrParameter lv, GlobalVariable gv
 where
   lv.getName() = gv.getName() and
   lv.getFile() = gv.getFile()
-select lv, lv.type() + gv.getName() + " hides a $@ with the same name.", gv, "global variable"
+select lv, lv.type() + gv.getName() + " hides $@ with the same name.", gv, "a global variable"

cpp/ql/src/Best Practices/Likely Errors/CommaBeforeMisleadingIndentation.cpp

@@ -1,32 +0,0 @@
-/*
- * In this example, the developer intended to use a semicolon but accidentally used a comma:
- */
-
-enum privileges entitlements = NONE;
-
-if (is_admin)
-    entitlements = FULL, // BAD
-
-restrict_privileges(entitlements);
-
-/*
- * The use of a comma means that the first example is equivalent to this second example:
- */
-
-enum privileges entitlements = NONE;
-
-if (is_admin) {
-    entitlements = FULL;
-    restrict_privileges(entitlements);
-}
-
-/*
- * The indentation of the first example suggests that the developer probably intended the following code:
- */
-
-enum privileges entitlements = NONE;
-
-if (is_admin)
-    entitlements = FULL; // GOOD
-
-restrict_privileges(entitlements);

cpp/ql/src/Best Practices/Likely Errors/CommaBeforeMisleadingIndentation.qhelp

@@ -1,39 +0,0 @@
-<!DOCTYPE qhelp PUBLIC
-  "-//Semmle//qhelp//EN"
-  "qhelp.dtd">
-<qhelp>
-
-<overview>
-<p>
-If the expression after the comma operator starts at an earlier column than the expression before the comma, then
-this suspicious indentation possibly indicates a logic error, caused by a typo that may escape visual inspection.
-</p>
-<warning>
-This query has medium precision because CodeQL currently does not distinguish between tabs and spaces in whitespace.
-If a file contains mixed tabs and spaces, alerts may highlight code that is correctly indented for one value of tab size but not for other tab sizes.
-</warning>
-</overview>
-
-<recommendation>
-<p>
-To ensure that your code is easy to read and review, use standard indentation around the comma operator. Always begin the right-hand-side operand at the same level of
-indentation (column number) as the left-hand-side operand. This makes it easier for other developers to see the intended behavior of your code.
-</p>
-<p>
-Use whitespace consistently to communicate your coding intentions. Where possible, avoid mixing tabs and spaces within a file. If you need to mix them, use them consistently.
-</p>
-</recommendation>
-
-<example>
-<p>
-This example shows three different ways of writing the same code. The first example contains a comma instead of a semicolon which means that the final line is part of the <code>if</code> statement, even though the indentation suggests that it is intended to be separate. The second example looks different but is functionally the same as the first example. It is more likely that the developer intended to write the third example.
-</p>
-<sample src="CommaBeforeMisleadingIndentation.cpp" />
-</example>
-
-<references>
-<li>Wikipedia: <a href="https://en.wikipedia.org/wiki/Comma_operator">Comma operator</a></li>
-<li>Wikipedia: <a href="https://en.wikipedia.org/wiki/Indentation_style#Tabs,_spaces,_and_size_of_indentations">Indentation style &mdash; Tabs, spaces, and size of indentations</a></li>
-</references>
-
-</qhelp>

cpp/ql/src/Best Practices/Likely Errors/CommaBeforeMisleadingIndentation.ql

@@ -1,53 +0,0 @@
-/**
- * @name Comma before misleading indentation
- * @description If expressions before and after a comma operator use different indentation, it is easy to misread the purpose of the code.
- * @kind problem
- * @id cpp/comma-before-misleading-indentation
- * @problem.severity warning
- * @security-severity 7.8
- * @precision medium
- * @tags maintainability
- *       readability
- *       security
- *       external/cwe/cwe-1078
- *       external/cwe/cwe-670
- */
-
-import cpp
-import semmle.code.cpp.commons.Exclusions
-
-/** Gets the sub-expression of 'e' with the earliest-starting Location */
-Expr normalizeExpr(Expr e) {
-  result =
-    min(Expr child |
-      child.getParentWithConversions*() = e.getFullyConverted() and
-      not child.getParentWithConversions*() = any(Call c).getAnArgument()
-    |
-      child order by child.getLocation().getStartColumn(), count(child.getParentWithConversions*())
-    )
-}
-
-predicate isParenthesized(CommaExpr ce) {
-  ce.getParent*().(Expr).isParenthesised()
-  or
-  ce.isUnevaluated() // sizeof(), decltype(), alignof(), noexcept(), typeid()
-  or
-  ce.getParent*() = [any(IfStmt i).getCondition(), any(SwitchStmt s).getExpr()]
-  or
-  ce.getParent*() = [any(Loop l).getCondition(), any(ForStmt f).getUpdate()]
-  or
-  ce.getEnclosingStmt() = any(ForStmt f).getInitialization()
-}
-
-from CommaExpr ce, Expr left, Expr right, Location leftLoc, Location rightLoc
-where
-  ce.fromSource() and
-  not isFromMacroDefinition(ce) and
-  left = normalizeExpr(ce.getLeftOperand()) and
-  right = normalizeExpr(ce.getRightOperand()) and
-  leftLoc = left.getLocation() and
-  rightLoc = right.getLocation() and
-  not isParenthesized(ce) and
-  leftLoc.getEndLine() < rightLoc.getStartLine() and
-  leftLoc.getStartColumn() > rightLoc.getStartColumn()
-select right, "The indentation level may be misleading for some tab sizes."

cpp/ql/src/Best Practices/Likely Errors/Slicing.ql

@@ -21,5 +21,5 @@ where
     rhsType.getAMember() = m and
     not m.(VirtualFunction).isPure()
   ) // add additional checks for concrete members in in-between supertypes
-select e, "This assignment expression slices from type $@ to $@.", rhsType, rhsType.getName(),
+select e, "This assignment expression slices from type $@ to $@", rhsType, rhsType.getName(),
   lhsType, lhsType.getName()

cpp/ql/src/Best Practices/Magic Constants/MagicConstants.qll

@@ -72,6 +72,18 @@ predicate floatTrivial(Literal lit) {
 
 predicate charLiteral(Literal lit) { lit instanceof CharLiteral }
 
+Type literalType(Literal literal) { result = literal.getType() }
+
+predicate stringType(DerivedType t) {
+  t.getBaseType() instanceof CharType
+  or
+  exists(SpecifiedType constCharType |
+    t.getBaseType() = constCharType and
+    constCharType.isConst() and
+    constCharType.getBaseType() instanceof CharType
+  )
+}
+
 predicate numberType(Type t) { t instanceof FloatingPointType or t instanceof IntegralType }
 
 predicate stringLiteral(Literal literal) { literal instanceof StringLiteral }

cpp/ql/src/Best Practices/NVI.ql

@@ -18,4 +18,4 @@ where
   f.hasSpecifier("virtual") and
   f.getFile().fromSource() and
   not f instanceof Destructor
-select f, "Avoid having public virtual methods (NVI idiom)."
+select f, "Avoid having public virtual methods (NVI idiom)"

cpp/ql/src/Best Practices/NVIHub.ql

@@ -23,4 +23,4 @@ where
   fclass = f.getDeclaringType() and
   hubIndex = fclass.getMetrics().getAfferentCoupling() * fclass.getMetrics().getEfferentCoupling() and
   hubIndex > 100
-select f, "Avoid having public virtual methods (NVI idiom)."
+select f, "Avoid having public virtual methods (NVI idiom)"

cpp/ql/src/Best Practices/SwitchLongCase.ql

@@ -38,5 +38,5 @@ where
   sc = switch.getASwitchCase() and
   tooLong(sc) and
   switchCaseLength(sc, lines)
-select switch, "Switch has at least one case that is too long: $@.", sc,
+select switch, "Switch has at least one case that is too long: $@", sc,
   sc.getExpr().toString() + " (" + lines.toString() + " lines)"

cpp/ql/src/Best Practices/Unused Entities/UnusedLocals.ql

@@ -58,4 +58,4 @@ where
   not exists(AsmStmt s | f = s.getEnclosingFunction()) and
   not v.getAnAttribute().getName() = "unused" and
   not any(ErrorExpr e).getEnclosingFunction() = f // unextracted expr may use `v`
-select v, "Variable " + v.getName() + " is not used."
+select v, "Variable " + v.getName() + " is not used"

cpp/ql/src/Best Practices/Unused Entities/UnusedStaticFunctions.ql

@@ -13,32 +13,16 @@
 
 import cpp
 
-pragma[noinline]
-predicate possiblyIncompleteFile(File f) {
-  exists(Diagnostic d | d.getFile() = f and d.getSeverity() >= 3)
-}
-
 predicate immediatelyReachableFunction(Function f) {
-  not f.isStatic()
-  or
-  exists(BlockExpr be | be.getFunction() = f)
-  or
-  f instanceof MemberFunction
-  or
-  f instanceof TemplateFunction
-  or
-  f.getFile() instanceof HeaderFile
-  or
-  f.getAnAttribute().hasName("constructor")
-  or
-  f.getAnAttribute().hasName("destructor")
-  or
-  f.getAnAttribute().hasName("used")
-  or
+  not f.isStatic() or
+  exists(BlockExpr be | be.getFunction() = f) or
+  f instanceof MemberFunction or
+  f instanceof TemplateFunction or
+  f.getFile() instanceof HeaderFile or
+  f.getAnAttribute().hasName("constructor") or
+  f.getAnAttribute().hasName("destructor") or
+  f.getAnAttribute().hasName("used") or
   f.getAnAttribute().hasName("unused")
-  or
-  // a compiler error in the same file suggests we may be missing data
-  possiblyIncompleteFile(f.getFile())
 }
 
 predicate immediatelyReachableVariable(Variable v) {

cpp/ql/src/Best Practices/Unused Entities/UnusedStaticVariables.qhelp

@@ -11,7 +11,7 @@ caused by an unhandled case.</p>
 
 </overview>
 <recommendation>
-<p>Check that the unused static variable does not indicate a defect, for example, an unhandled case. If the static variable is genuinely not needed, 
+<p>Check that the unused static variable does not indicate a defect, for example, an unhandled case. If the static variable is genuinuely not needed, 
 then removing it will make code more readable. If the static variable is needed then you should update the code to fix the defect.</p>
 
 </recommendation>

cpp/ql/src/Best Practices/Unused Entities/UnusedStaticVariables.ql

@@ -27,4 +27,4 @@ where
   not declarationHasSideEffects(v) and
   not v.getAnAttribute().hasName("used") and
   not v.getAnAttribute().hasName("unused")
-select v, "Static variable " + v.getName() + " is never read."
+select v, "Static variable " + v.getName() + " is never read"

cpp/ql/src/CHANGELOG.md

@@ -1,31 +1,3 @@
-## 0.4.2
-
-### New Queries
-
-* Added a new medium-precision query, `cpp/comma-before-misleading-indentation`, which detects instances of whitespace that have readability issues.
-
-### Minor Analysis Improvements
-
-* The "Unterminated variadic call" (`cpp/unterminated-variadic-call`) query has been tuned to produce fewer false positive results.
-* Fixed false positives from the "Unused static function" (`cpp/unused-static-function`) query in files that had errors during compilation.
-
-## 0.4.1
-
-### Minor Analysis Improvements
-
-* The alert message of many queries have been changed to better follow the style guide and make the message consistent with other languages.
-
-## 0.4.0
-
-### New Queries
-
-* Added a new medium-precision query, `cpp/missing-check-scanf`, which detects `scanf` output variables that are used without a proper return-value check to see that they were actually written. A variation of this query was originally contributed as an [experimental query by @ihsinme](https://github.com/github/codeql/pull/8246).
-
-### Minor Analysis Improvements
-
-* Modernizations from "Cleartext storage of sensitive information in buffer" (`cpp/cleartext-storage-buffer`) have been ported to the "Cleartext storage of sensitive information in file" (`cpp/cleartext-storage-file`), "Cleartext transmission of sensitive information" (`cpp/cleartext-transmission`) and "Cleartext storage of sensitive information in an SQLite database" (`cpp/cleartext-storage-database`) queries. These changes may result in more correct results and fewer false positive results from these queries.
-* The alert message of many queries have been changed to make the message consistent with other languages.
-
 ## 0.3.4
 
 ## 0.3.3
@@ -136,7 +108,7 @@
 
 * The `security` tag has been added to the `cpp/return-stack-allocated-memory` query. As a result, its results will now appear by default.
 * The "Uncontrolled data in arithmetic expression" (cpp/uncontrolled-arithmetic) query has been enhanced to reduce false positive results and its @precision increased to high.
-* A new `cpp/very-likely-overrunning-write` query has been added to the default query suite for C/C++. The query reports some results that were formerly flagged by `cpp/overrunning-write`.
+* A new `cpp/very-likely-overruning-write` query has been added to the default query suite for C/C++. The query reports some results that were formerly flagged by `cpp/overruning-write`.
 
 ### Minor Analysis Improvements
 

cpp/ql/src/Critical/DeadCodeCondition.ql

@@ -64,5 +64,5 @@ where
   ) and
   (if context = test then testresult = "succeed" else testresult = "fail")
 select cond,
-  "Variable '" + v.getName() + "' is always " + context + ", this check will always " + testresult +
-    "."
+  "Variable '" + v.getName() + "' is always " + context + " here, this check will always " +
+    testresult + "."

cpp/ql/src/Critical/DescriptorMayNotBeClosed.qhelp

@@ -19,7 +19,7 @@ This can occur when an operation performed on the open descriptor fails, and the
 
 <example>
 <p>In the example below, the <code>sockfd</code> socket may remain open if an error is triggered. 
-The code should be updated to ensure that the socket is always closed when the function ends.
+The code should be updated to ensure that the socket is always closed when when the function ends.
 </p>
 <sample src="DescriptorMayNotBeClosed.cpp" />
 </example>

cpp/ql/src/Critical/DescriptorNeverClosed.ql

@@ -29,4 +29,4 @@ from Expr alloc
 where
   allocateDescriptorCall(alloc) and
   not exists(ClosedExpr closed | closed.pointsTo() = alloc)
-select alloc, "This file descriptor is never closed."
+select alloc, "This file descriptor is never closed"

cpp/ql/src/Critical/FileMayNotBeClosed.ql

@@ -164,4 +164,4 @@ where
     fopenVariableReaches(v, def, ret) and
     ret.getAChild*() = v.getAnAccess()
   )
-select def, "This file may not be closed at $@.", ret, "this exit point"
+select def, "The file opened here may not be closed at $@.", ret, "this exit point"

cpp/ql/src/Critical/FileNeverClosed.ql

@@ -14,4 +14,4 @@ import FileClosed
 
 from Expr alloc
 where fopenCall(alloc) and not fopenCallMayBeClosed(alloc)
-select alloc, "The file is never closed."
+select alloc, "The file is never closed"

cpp/ql/src/Critical/InconsistentNullnessTesting.ql

@@ -27,4 +27,4 @@ where
     definitionUsePair(v, other, unchecked)
   )
 select unchecked,
-  "This dereference is not guarded by a non-null check, whereas other dereferences are guarded."
+  "This dereference is not guarded by a non-null check, whereas other dereferences are guarded"

cpp/ql/src/Critical/LateNegativeTest.ql

@@ -49,4 +49,4 @@ where
 select dangerous,
   "Variable '" + v.getName() +
     "' is used as an array-offset before it is tested for being negative (test on line " +
-    check.getLocation().getStartLine().toString() + ")."
+    check.getLocation().getStartLine().toString() + "). "

cpp/ql/src/Critical/MemoryMayNotBeFreed.ql

@@ -63,7 +63,7 @@ predicate verifiedRealloc(FunctionCall reallocCall, Variable v, ControlFlowNode
       node.(AnalysedExpr).getNonNullSuccessor(newV) = verified and
       // note: this case uses naive flow logic (getAnAssignedValue).
       // special case: if the result of the 'realloc' is assigned to the
-      // same variable, we don't discriminate properly between the old
+      // same variable, we don't descriminate properly between the old
       // and the new allocation; better to not consider this a free at
       // all in that case.
       newV != v
@@ -190,4 +190,4 @@ where
     allocatedVariableReaches(v, def, ret) and
     ret.getAChild*() = v.getAnAccess()
   )
-select def, "This memory allocation may not be released at $@.", ret, "this exit point"
+select def, "The memory allocated here may not be released at $@.", ret, "this exit point"

cpp/ql/src/Critical/MemoryNeverFreed.ql

@@ -16,4 +16,4 @@ from AllocationExpr alloc
 where
   alloc.requiresDealloc() and
   not allocMayBeFreed(alloc)
-select alloc, "This memory is never freed."
+select alloc, "This memory is never freed"

cpp/ql/src/Critical/MissingCheckScanf.ql

@@ -117,6 +117,6 @@ where
   output.getCall() = call and
   output.hasGuardedAccess(access, false)
 select access,
-  "This variable is read, but may not have been written. " +
+  "$@ is read here, but may not have been written. " +
     "It should be guarded by a check that the $@ returns at least " +
-    output.getMinimumGuardConstant() + ".", call, call.toString()
+    output.getMinimumGuardConstant() + ".", access, access.toString(), call, call.toString()