Python: Fix broken queries

C++ / JS / python: Be consistent in TRAP sections

.bazelversion

@@ -1 +1 @@
-8.1.1
+8.4.2

.github/dependabot.yml

@@ -40,3 +40,8 @@ updates:
       - dependency-name: "*"
     reviewers:
       - "github/codeql-go"
+
+  - package-ecosystem: bazel
+    directory: "/"
+    schedule:
+      interval: weekly

.github/workflows/codeql-analysis.yml

@@ -34,7 +34,7 @@ jobs:
     - name: Setup dotnet
       uses: actions/setup-dotnet@v4
       with:
-        dotnet-version: 9.0.300
+        dotnet-version: 10.0.100
 
     - name: Checkout repository
       uses: actions/checkout@v5

.github/workflows/compile-queries.yml

@@ -17,9 +17,41 @@ permissions:
   contents: read
 
 jobs:
-  compile-queries:
+  detect-changes:
     if: github.repository_owner == 'github'
+    runs-on: ubuntu-latest
+    outputs:
+      languages: ${{ steps.detect.outputs.languages }}
+    steps:
+      - uses: actions/checkout@v5
+      - name: Detect changed languages
+        id: detect
+        run: |
+          if [[ "${{ github.event_name }}" == "pull_request" ]]; then
+            # For PRs, detect which languages have changes
+            changed_files=$(gh pr view ${{ github.event.pull_request.number }} --json files --jq '.files.[].path')
+            languages=()
+            for lang in actions cpp csharp go java javascript python ql ruby rust swift; do
+              if echo "$changed_files" | grep -qE "^($lang/|shared/)" ; then
+                languages+=("$lang")
+              fi
+            done
+            echo "languages=$(jq -c -n '$ARGS.positional' --args "${languages[@]}")" >> $GITHUB_OUTPUT
+          else
+            # For pushes to main/rc branches, run all languages
+            echo 'languages=["actions","cpp","csharp","go","java","javascript","python","ql","ruby","rust","swift"]' >> $GITHUB_OUTPUT
+          fi
+        env:
+          GH_TOKEN: ${{ github.token }}
+
+  compile-queries:
+    needs: detect-changes
+    if: github.repository_owner == 'github' && needs.detect-changes.outputs.languages != '[]'
     runs-on: ubuntu-latest-xl
+    strategy:
+      fail-fast: false
+      matrix:
+        language: ${{ fromJson(needs.detect-changes.outputs.languages) }}
 
     steps:
       - uses: actions/checkout@v5
@@ -31,16 +63,16 @@ jobs:
         id: query-cache
         uses: ./.github/actions/cache-query-compilation
         with: 
-          key: all-queries
+          key: ${{ matrix.language }}-queries
       - name: check formatting
-        run: find shared */ql -type f \( -name "*.qll" -o -name "*.ql" \) -print0 | xargs -0 -n 3000 -P 10 codeql query format -q --check-only
+        run: find shared ${{ matrix.language }}/ql -type f \( -name "*.qll" -o -name "*.ql" \) -print0 | xargs -0 -n 3000 -P 10 codeql query format -q --check-only
       - name: compile queries - check-only
         # run with --check-only if running in a PR (github.sha != main)
         if : ${{ github.event_name == 'pull_request' }}
         shell: bash
-        run: codeql query compile -q -j0 */ql/{src,examples} --keep-going --warnings=error --check-only --compilation-cache "${{ steps.query-cache.outputs.cache-dir }}" --compilation-cache-size=500 --ram=56000
+        run: codeql query compile -q -j0 ${{ matrix.language }}/ql/{src,examples} --keep-going --warnings=error --check-only --compilation-cache "${{ steps.query-cache.outputs.cache-dir }}" --compilation-cache-size=500 --ram=56000
       - name: compile queries - full
         # do full compile if running on main - this populates the cache
         if : ${{ github.event_name != 'pull_request' }}
         shell: bash
-        run: codeql query compile -q -j0 */ql/{src,examples} --keep-going --warnings=error --compilation-cache "${{ steps.query-cache.outputs.cache-dir }}" --compilation-cache-size=500 --ram=56000
+        run: codeql query compile -q -j0 ${{ matrix.language }}/ql/{src,examples} --keep-going --warnings=error --compilation-cache "${{ steps.query-cache.outputs.cache-dir }}" --compilation-cache-size=500 --ram=56000

.github/workflows/csharp-qltest.yml

@@ -43,14 +43,14 @@ jobs:
       - name: Setup dotnet
         uses: actions/setup-dotnet@v4
         with:
-          dotnet-version: 9.0.300
+          dotnet-version: 10.0.100
       - name: Extractor unit tests
         run: |
           dotnet tool restore
-          dotnet test -p:RuntimeFrameworkVersion=9.0.5 extractor/Semmle.Util.Tests
-          dotnet test -p:RuntimeFrameworkVersion=9.0.5 extractor/Semmle.Extraction.Tests
-          dotnet test -p:RuntimeFrameworkVersion=9.0.5 autobuilder/Semmle.Autobuild.CSharp.Tests
-          dotnet test -p:RuntimeFrameworkVersion=9.0.5 autobuilder/Semmle.Autobuild.Cpp.Tests
+          dotnet test -p:RuntimeFrameworkVersion=10.0.0 extractor/Semmle.Util.Tests
+          dotnet test -p:RuntimeFrameworkVersion=10.0.0 extractor/Semmle.Extraction.Tests
+          dotnet test -p:RuntimeFrameworkVersion=10.0.0 autobuilder/Semmle.Autobuild.CSharp.Tests
+          dotnet test -p:RuntimeFrameworkVersion=10.0.0 autobuilder/Semmle.Autobuild.Cpp.Tests
         shell: bash
   stubgentest:
     runs-on: ubuntu-latest

MODULE.bazel

@@ -26,7 +26,7 @@ bazel_dep(name = "nlohmann_json", version = "3.11.3", repo_name = "json")
 bazel_dep(name = "fmt", version = "12.1.0-codeql.1")
 bazel_dep(name = "rules_kotlin", version = "2.1.3-codeql.1")
 bazel_dep(name = "gazelle", version = "0.40.0")
-bazel_dep(name = "rules_dotnet", version = "0.19.2-codeql.1")
+bazel_dep(name = "rules_dotnet", version = "0.21.5-codeql.1")
 bazel_dep(name = "googletest", version = "1.14.0.bcr.1")
 bazel_dep(name = "rules_rust", version = "0.66.0")
 bazel_dep(name = "zstd", version = "1.5.5.bcr.1")
@@ -172,7 +172,7 @@ http_archive(
 )
 
 dotnet = use_extension("@rules_dotnet//dotnet:extensions.bzl", "dotnet")
-dotnet.toolchain(dotnet_version = "9.0.300")
+dotnet.toolchain(dotnet_version = "10.0.100")
 use_repo(dotnet, "dotnet_toolchains")
 
 register_toolchains("@dotnet_toolchains//:all")
@@ -274,11 +274,11 @@ ripunzip_archive = use_repo_rule("//misc/ripunzip:ripunzip.bzl", "ripunzip_archi
 # go to https://github.com/GoogleChrome/ripunzip/releases to find latest version and corresponding sha256s
 ripunzip_archive(
     name = "ripunzip",
-    sha256_linux = "ee0e8a957687a5dc3a66b2a4b25883bf762df4c9c07f0651af527a32a405054b",
-    sha256_macos_arm = "8a88eea54eac232d162a72a42065e0429b82dbf4f05e9642915dff9d7a81f846",
-    sha256_macos_intel = "4457a18bfcc5feabe09f5ea3d1157128e07b4873392cb404a870e611924abf64",
-    sha256_windows = "66d0c1375301bf5ab815348048f43b110631d3fa7200acd50d50a8ed8655ca62",
-    version = "2.0.3",
+    sha256_linux = "71482d7a7e4ea9176d5596161c49250c34b136b157c45f632b1111323fbfc0de",
+    sha256_macos_arm = "604194ab13f0aba3972995d995f11002b8fc285c8170401fcd46655065df20c9",
+    sha256_macos_intel = "65367b94fd579d93d46f2d2595cc4c9a60cfcf497e3c824f9d1a7b80fa8bd38a",
+    sha256_windows = "ac3874075def2b9e5074a3b5945005ab082cc6e689e1de658da8965bc23e643e",
+    version = "2.0.4",
 )
 
 register_toolchains(

actions/ql/examples/codeql-pack.lock.yml

@@ -0,0 +1,4 @@
+---
+lockVersion: 1.0.0
+dependencies: {}
+compiled: false

actions/ql/examples/qlpack.yml

@@ -0,0 +1,7 @@
+name: codeql/actions-examples
+groups:
+  - actions
+  - examples
+dependencies:
+  codeql/actions-all: ${workspace}
+warnOnImplicitThis: true

actions/ql/examples/snippets/uses_pinned_sha.ql

@@ -0,0 +1,12 @@
+/**
+ * @name Uses step with pinned SHA
+ * @description Finds 'uses' steps where the version is a pinned SHA.
+ * @id actions/examples/uses-pinned-sha
+ * @tags example
+ */
+
+import actions
+
+from UsesStep uses
+where uses.getVersion().regexpMatch("^[A-Fa-f0-9]{40}$")
+select uses, "This 'uses' step has a pinned SHA version."

actions/ql/lib/CHANGELOG.md

@@ -1,3 +1,9 @@
+## 0.4.26
+
+### Major Analysis Improvements
+
+* The query `actions/code-injection/medium` has been updated to include results which were incorrectly excluded while filtering out results that are reported by `actions/code-injection/critical`.
+
 ## 0.4.25
 
 No user-facing changes.

actions/ql/lib/change-notes/released/0.4.26.md

@@ -0,0 +1,5 @@
+## 0.4.26
+
+### Major Analysis Improvements
+
+* The query `actions/code-injection/medium` has been updated to include results which were incorrectly excluded while filtering out results that are reported by `actions/code-injection/critical`.

actions/ql/lib/codeql-pack.release.yml

@@ -1,2 +1,2 @@
 ---
-lastReleaseVersion: 0.4.25
+lastReleaseVersion: 0.4.26

actions/ql/lib/codeql/actions/security/CodeInjectionQuery.qll

@@ -19,12 +19,7 @@ class CodeInjectionSink extends DataFlow::Node {
 Event getRelevantCriticalEventForSink(DataFlow::Node sink) {
   inPrivilegedContext(sink.asExpr(), result) and
   not exists(ControlCheck check | check.protects(sink.asExpr(), result, "code-injection")) and
-  // exclude cases where the sink is a JS script and the expression uses toJson
-  not exists(UsesStep script |
-    script.getCallee() = "actions/github-script" and
-    script.getArgumentExpr("script") = sink.asExpr() and
-    exists(getAToJsonReferenceExpression(sink.asExpr().(Expression).getExpression(), _))
-  )
+  not isGithubScriptUsingToJson(sink.asExpr())
 }
 
 /**
@@ -91,3 +86,38 @@ private module CodeInjectionConfig implements DataFlow::ConfigSig {
 
 /** Tracks flow of unsafe user input that is used to construct and evaluate a code script. */
 module CodeInjectionFlow = TaintTracking::Global<CodeInjectionConfig>;
+
+/**
+ * Holds if there is a code injection flow from `source` to `sink` with
+ * critical severity, linked by `event`.
+ */
+predicate criticalSeverityCodeInjection(
+  CodeInjectionFlow::PathNode source, CodeInjectionFlow::PathNode sink, Event event
+) {
+  CodeInjectionFlow::flowPath(source, sink) and
+  event = getRelevantCriticalEventForSink(sink.getNode()) and
+  source.getNode().(RemoteFlowSource).getEventName() = event.getName()
+}
+
+/**
+ * Holds if there is a code injection flow from `source` to `sink` with medium severity.
+ */
+predicate mediumSeverityCodeInjection(
+  CodeInjectionFlow::PathNode source, CodeInjectionFlow::PathNode sink
+) {
+  CodeInjectionFlow::flowPath(source, sink) and
+  not criticalSeverityCodeInjection(source, sink, _) and
+  not isGithubScriptUsingToJson(sink.getNode().asExpr())
+}
+
+/**
+ * Holds if `expr` is the `script` input to `actions/github-script` and it uses
+ * `toJson`.
+ */
+predicate isGithubScriptUsingToJson(Expression expr) {
+  exists(UsesStep script |
+    script.getCallee() = "actions/github-script" and
+    script.getArgumentExpr("script") = expr and
+    exists(getAToJsonReferenceExpression(expr.getExpression(), _))
+  )
+}

actions/ql/lib/qlpack.yml

@@ -1,5 +1,5 @@
 name: codeql/actions-all
-version: 0.4.26-dev
+version: 0.4.27-dev
 library: true
 warnOnImplicitThis: true
 dependencies:

actions/ql/src/CHANGELOG.md

@@ -1,3 +1,7 @@
+## 0.6.18
+
+No user-facing changes.
+
 ## 0.6.17
 
 No user-facing changes.

actions/ql/src/Security/CWE-094/CodeInjectionCritical.ql

@@ -20,10 +20,7 @@ import CodeInjectionFlow::PathGraph
 import codeql.actions.security.ControlChecks
 
 from CodeInjectionFlow::PathNode source, CodeInjectionFlow::PathNode sink, Event event
-where
-  CodeInjectionFlow::flowPath(source, sink) and
-  event = getRelevantCriticalEventForSink(sink.getNode()) and
-  source.getNode().(RemoteFlowSource).getEventName() = event.getName()
+where criticalSeverityCodeInjection(source, sink, event)
 select sink.getNode(), source, sink,
   "Potential code injection in $@, which may be controlled by an external user ($@).", sink,
   sink.getNode().asExpr().(Expression).getRawExpression(), event, event.getName()

actions/ql/src/Security/CWE-094/CodeInjectionMedium.ql

@@ -19,15 +19,7 @@ import codeql.actions.security.CodeInjectionQuery
 import CodeInjectionFlow::PathGraph
 
 from CodeInjectionFlow::PathNode source, CodeInjectionFlow::PathNode sink
-where
-  CodeInjectionFlow::flowPath(source, sink) and
-  inNonPrivilegedContext(sink.getNode().asExpr()) and
-  // exclude cases where the sink is a JS script and the expression uses toJson
-  not exists(UsesStep script |
-    script.getCallee() = "actions/github-script" and
-    script.getArgumentExpr("script") = sink.getNode().asExpr() and
-    exists(getAToJsonReferenceExpression(sink.getNode().asExpr().(Expression).getExpression(), _))
-  )
+where mediumSeverityCodeInjection(source, sink)
 select sink.getNode(), source, sink,
   "Potential code injection in $@, which may be controlled by an external user.", sink,
   sink.getNode().asExpr().(Expression).getRawExpression()

actions/ql/src/Security/CWE-275/MissingActionsPermissions.md

@@ -2,6 +2,8 @@
 
 If a GitHub Actions job or workflow has no explicit permissions set, then the repository permissions are used. Repositories created under organizations inherit the organization permissions. The organizations or repositories created before February 2023 have the default permissions set to read-write. Often these permissions do not adhere to the principle of least privilege and can be reduced to read-only, leaving the `write` permission only to a specific types as `issues: write` or `pull-requests: write`.
 
+Note that this query cannot check whether the organization or repository token settings are set to read-only. However, even if they are, it is recommended to define explicit permissions (`contents: read` and `packages: read` are equivalent to the read-only default) so that (a) the actual needs of the workflow are documented, and (b) the permissions will remain restricted if the default is subsequently changed, or the workflow is copied to a different repository or organization.
+
 ## Recommendation
 
 Add the `permissions` key to the job or the root of workflow (in this case it is applied to all jobs in the workflow that do not have their own `permissions` key) and assign the least privileges required to complete the task.

actions/ql/src/change-notes/released/0.6.18.md

@@ -0,0 +1,3 @@
+## 0.6.18
+
+No user-facing changes.

actions/ql/src/codeql-pack.release.yml

@@ -1,2 +1,2 @@
 ---
-lastReleaseVersion: 0.6.17
+lastReleaseVersion: 0.6.18

actions/ql/src/qlpack.yml

@@ -1,5 +1,5 @@
 name: codeql/actions-queries
-version: 0.6.18-dev
+version: 0.6.19-dev
 library: false
 warnOnImplicitThis: true
 groups: [actions, queries]

actions/ql/test/query-tests/Security/CWE-094/.github/workflows/push_and_workflow_dispatch.yml

@@ -0,0 +1,18 @@
+on:
+  push:
+  workflow_dispatch:
+
+jobs:
+  echo-chamber:
+    runs-on: ubuntu-latest
+    steps:
+    - run: echo '${{ github.event.commits[11].message }}'
+    - run: echo '${{ github.event.commits[11].author.email }}'
+    - run: echo '${{ github.event.commits[11].author.name }}'
+    - run: echo '${{ github.event.head_commit.message }}'
+    - run: echo '${{ github.event.head_commit.author.email }}'
+    - run: echo '${{ github.event.head_commit.author.name }}'
+    - run: echo '${{ github.event.head_commit.committer.email }}'
+    - run: echo '${{ github.event.head_commit.committer.name }}'
+    - run: echo '${{ github.event.commits[11].committer.email }}'
+    - run: echo '${{ github.event.commits[11].committer.name }}'

actions/ql/test/query-tests/Security/CWE-094/CodeInjectionCritical.expected

@@ -435,6 +435,16 @@ nodes
 | .github/workflows/push.yml:14:19:14:64 | github.event.head_commit.committer.name | semmle.label | github.event.head_commit.committer.name |
 | .github/workflows/push.yml:15:19:15:65 | github.event.commits[11].committer.email | semmle.label | github.event.commits[11].committer.email |
 | .github/workflows/push.yml:16:19:16:64 | github.event.commits[11].committer.name | semmle.label | github.event.commits[11].committer.name |
+| .github/workflows/push_and_workflow_dispatch.yml:9:19:9:57 | github.event.commits[11].message | semmle.label | github.event.commits[11].message |
+| .github/workflows/push_and_workflow_dispatch.yml:10:19:10:62 | github.event.commits[11].author.email | semmle.label | github.event.commits[11].author.email |
+| .github/workflows/push_and_workflow_dispatch.yml:11:19:11:61 | github.event.commits[11].author.name | semmle.label | github.event.commits[11].author.name |
+| .github/workflows/push_and_workflow_dispatch.yml:12:19:12:57 | github.event.head_commit.message | semmle.label | github.event.head_commit.message |
+| .github/workflows/push_and_workflow_dispatch.yml:13:19:13:62 | github.event.head_commit.author.email | semmle.label | github.event.head_commit.author.email |
+| .github/workflows/push_and_workflow_dispatch.yml:14:19:14:61 | github.event.head_commit.author.name | semmle.label | github.event.head_commit.author.name |
+| .github/workflows/push_and_workflow_dispatch.yml:15:19:15:65 | github.event.head_commit.committer.email | semmle.label | github.event.head_commit.committer.email |
+| .github/workflows/push_and_workflow_dispatch.yml:16:19:16:64 | github.event.head_commit.committer.name | semmle.label | github.event.head_commit.committer.name |
+| .github/workflows/push_and_workflow_dispatch.yml:17:19:17:65 | github.event.commits[11].committer.email | semmle.label | github.event.commits[11].committer.email |
+| .github/workflows/push_and_workflow_dispatch.yml:18:19:18:64 | github.event.commits[11].committer.name | semmle.label | github.event.commits[11].committer.name |
 | .github/workflows/reusable-workflow-1.yml:6:7:6:11 | input taint | semmle.label | input taint |
 | .github/workflows/reusable-workflow-1.yml:36:21:36:39 | inputs.taint | semmle.label | inputs.taint |
 | .github/workflows/reusable-workflow-1.yml:44:19:44:56 | github.event.pull_request.title | semmle.label | github.event.pull_request.title |

actions/ql/test/query-tests/Security/CWE-094/CodeInjectionMedium.expected

@@ -435,6 +435,16 @@ nodes
 | .github/workflows/push.yml:14:19:14:64 | github.event.head_commit.committer.name | semmle.label | github.event.head_commit.committer.name |
 | .github/workflows/push.yml:15:19:15:65 | github.event.commits[11].committer.email | semmle.label | github.event.commits[11].committer.email |
 | .github/workflows/push.yml:16:19:16:64 | github.event.commits[11].committer.name | semmle.label | github.event.commits[11].committer.name |
+| .github/workflows/push_and_workflow_dispatch.yml:9:19:9:57 | github.event.commits[11].message | semmle.label | github.event.commits[11].message |
+| .github/workflows/push_and_workflow_dispatch.yml:10:19:10:62 | github.event.commits[11].author.email | semmle.label | github.event.commits[11].author.email |
+| .github/workflows/push_and_workflow_dispatch.yml:11:19:11:61 | github.event.commits[11].author.name | semmle.label | github.event.commits[11].author.name |
+| .github/workflows/push_and_workflow_dispatch.yml:12:19:12:57 | github.event.head_commit.message | semmle.label | github.event.head_commit.message |
+| .github/workflows/push_and_workflow_dispatch.yml:13:19:13:62 | github.event.head_commit.author.email | semmle.label | github.event.head_commit.author.email |
+| .github/workflows/push_and_workflow_dispatch.yml:14:19:14:61 | github.event.head_commit.author.name | semmle.label | github.event.head_commit.author.name |
+| .github/workflows/push_and_workflow_dispatch.yml:15:19:15:65 | github.event.head_commit.committer.email | semmle.label | github.event.head_commit.committer.email |
+| .github/workflows/push_and_workflow_dispatch.yml:16:19:16:64 | github.event.head_commit.committer.name | semmle.label | github.event.head_commit.committer.name |
+| .github/workflows/push_and_workflow_dispatch.yml:17:19:17:65 | github.event.commits[11].committer.email | semmle.label | github.event.commits[11].committer.email |
+| .github/workflows/push_and_workflow_dispatch.yml:18:19:18:64 | github.event.commits[11].committer.name | semmle.label | github.event.commits[11].committer.name |
 | .github/workflows/reusable-workflow-1.yml:6:7:6:11 | input taint | semmle.label | input taint |
 | .github/workflows/reusable-workflow-1.yml:36:21:36:39 | inputs.taint | semmle.label | inputs.taint |
 | .github/workflows/reusable-workflow-1.yml:44:19:44:56 | github.event.pull_request.title | semmle.label | github.event.pull_request.title |
@@ -719,6 +729,16 @@ subpaths
 | .github/workflows/push.yml:14:19:14:64 | github.event.head_commit.committer.name | .github/workflows/push.yml:14:19:14:64 | github.event.head_commit.committer.name | .github/workflows/push.yml:14:19:14:64 | github.event.head_commit.committer.name | Potential code injection in $@, which may be controlled by an external user. | .github/workflows/push.yml:14:19:14:64 | github.event.head_commit.committer.name | ${{ github.event.head_commit.committer.name }} |
 | .github/workflows/push.yml:15:19:15:65 | github.event.commits[11].committer.email | .github/workflows/push.yml:15:19:15:65 | github.event.commits[11].committer.email | .github/workflows/push.yml:15:19:15:65 | github.event.commits[11].committer.email | Potential code injection in $@, which may be controlled by an external user. | .github/workflows/push.yml:15:19:15:65 | github.event.commits[11].committer.email | ${{ github.event.commits[11].committer.email }} |
 | .github/workflows/push.yml:16:19:16:64 | github.event.commits[11].committer.name | .github/workflows/push.yml:16:19:16:64 | github.event.commits[11].committer.name | .github/workflows/push.yml:16:19:16:64 | github.event.commits[11].committer.name | Potential code injection in $@, which may be controlled by an external user. | .github/workflows/push.yml:16:19:16:64 | github.event.commits[11].committer.name | ${{ github.event.commits[11].committer.name }} |
+| .github/workflows/push_and_workflow_dispatch.yml:9:19:9:57 | github.event.commits[11].message | .github/workflows/push_and_workflow_dispatch.yml:9:19:9:57 | github.event.commits[11].message | .github/workflows/push_and_workflow_dispatch.yml:9:19:9:57 | github.event.commits[11].message | Potential code injection in $@, which may be controlled by an external user. | .github/workflows/push_and_workflow_dispatch.yml:9:19:9:57 | github.event.commits[11].message | ${{ github.event.commits[11].message }} |
+| .github/workflows/push_and_workflow_dispatch.yml:10:19:10:62 | github.event.commits[11].author.email | .github/workflows/push_and_workflow_dispatch.yml:10:19:10:62 | github.event.commits[11].author.email | .github/workflows/push_and_workflow_dispatch.yml:10:19:10:62 | github.event.commits[11].author.email | Potential code injection in $@, which may be controlled by an external user. | .github/workflows/push_and_workflow_dispatch.yml:10:19:10:62 | github.event.commits[11].author.email | ${{ github.event.commits[11].author.email }} |
+| .github/workflows/push_and_workflow_dispatch.yml:11:19:11:61 | github.event.commits[11].author.name | .github/workflows/push_and_workflow_dispatch.yml:11:19:11:61 | github.event.commits[11].author.name | .github/workflows/push_and_workflow_dispatch.yml:11:19:11:61 | github.event.commits[11].author.name | Potential code injection in $@, which may be controlled by an external user. | .github/workflows/push_and_workflow_dispatch.yml:11:19:11:61 | github.event.commits[11].author.name | ${{ github.event.commits[11].author.name }} |
+| .github/workflows/push_and_workflow_dispatch.yml:12:19:12:57 | github.event.head_commit.message | .github/workflows/push_and_workflow_dispatch.yml:12:19:12:57 | github.event.head_commit.message | .github/workflows/push_and_workflow_dispatch.yml:12:19:12:57 | github.event.head_commit.message | Potential code injection in $@, which may be controlled by an external user. | .github/workflows/push_and_workflow_dispatch.yml:12:19:12:57 | github.event.head_commit.message | ${{ github.event.head_commit.message }} |
+| .github/workflows/push_and_workflow_dispatch.yml:13:19:13:62 | github.event.head_commit.author.email | .github/workflows/push_and_workflow_dispatch.yml:13:19:13:62 | github.event.head_commit.author.email | .github/workflows/push_and_workflow_dispatch.yml:13:19:13:62 | github.event.head_commit.author.email | Potential code injection in $@, which may be controlled by an external user. | .github/workflows/push_and_workflow_dispatch.yml:13:19:13:62 | github.event.head_commit.author.email | ${{ github.event.head_commit.author.email }} |
+| .github/workflows/push_and_workflow_dispatch.yml:14:19:14:61 | github.event.head_commit.author.name | .github/workflows/push_and_workflow_dispatch.yml:14:19:14:61 | github.event.head_commit.author.name | .github/workflows/push_and_workflow_dispatch.yml:14:19:14:61 | github.event.head_commit.author.name | Potential code injection in $@, which may be controlled by an external user. | .github/workflows/push_and_workflow_dispatch.yml:14:19:14:61 | github.event.head_commit.author.name | ${{ github.event.head_commit.author.name }} |
+| .github/workflows/push_and_workflow_dispatch.yml:15:19:15:65 | github.event.head_commit.committer.email | .github/workflows/push_and_workflow_dispatch.yml:15:19:15:65 | github.event.head_commit.committer.email | .github/workflows/push_and_workflow_dispatch.yml:15:19:15:65 | github.event.head_commit.committer.email | Potential code injection in $@, which may be controlled by an external user. | .github/workflows/push_and_workflow_dispatch.yml:15:19:15:65 | github.event.head_commit.committer.email | ${{ github.event.head_commit.committer.email }} |
+| .github/workflows/push_and_workflow_dispatch.yml:16:19:16:64 | github.event.head_commit.committer.name | .github/workflows/push_and_workflow_dispatch.yml:16:19:16:64 | github.event.head_commit.committer.name | .github/workflows/push_and_workflow_dispatch.yml:16:19:16:64 | github.event.head_commit.committer.name | Potential code injection in $@, which may be controlled by an external user. | .github/workflows/push_and_workflow_dispatch.yml:16:19:16:64 | github.event.head_commit.committer.name | ${{ github.event.head_commit.committer.name }} |
+| .github/workflows/push_and_workflow_dispatch.yml:17:19:17:65 | github.event.commits[11].committer.email | .github/workflows/push_and_workflow_dispatch.yml:17:19:17:65 | github.event.commits[11].committer.email | .github/workflows/push_and_workflow_dispatch.yml:17:19:17:65 | github.event.commits[11].committer.email | Potential code injection in $@, which may be controlled by an external user. | .github/workflows/push_and_workflow_dispatch.yml:17:19:17:65 | github.event.commits[11].committer.email | ${{ github.event.commits[11].committer.email }} |
+| .github/workflows/push_and_workflow_dispatch.yml:18:19:18:64 | github.event.commits[11].committer.name | .github/workflows/push_and_workflow_dispatch.yml:18:19:18:64 | github.event.commits[11].committer.name | .github/workflows/push_and_workflow_dispatch.yml:18:19:18:64 | github.event.commits[11].committer.name | Potential code injection in $@, which may be controlled by an external user. | .github/workflows/push_and_workflow_dispatch.yml:18:19:18:64 | github.event.commits[11].committer.name | ${{ github.event.commits[11].committer.name }} |
 | .github/workflows/reusable-workflow-1.yml:36:21:36:39 | inputs.taint | .github/workflows/reusable-workflow-caller-1.yml:11:15:11:52 | github.event.pull_request.title | .github/workflows/reusable-workflow-1.yml:36:21:36:39 | inputs.taint | Potential code injection in $@, which may be controlled by an external user. | .github/workflows/reusable-workflow-1.yml:36:21:36:39 | inputs.taint | ${{ inputs.taint }} |
 | .github/workflows/reusable-workflow-1.yml:53:26:53:39 | env.log | .github/workflows/reusable-workflow-1.yml:44:19:44:56 | github.event.pull_request.title | .github/workflows/reusable-workflow-1.yml:53:26:53:39 | env.log | Potential code injection in $@, which may be controlled by an external user. | .github/workflows/reusable-workflow-1.yml:53:26:53:39 | env.log | ${{ env.log }} |
 | .github/workflows/reusable-workflow-1.yml:66:34:66:52 | env.prev_log | .github/workflows/reusable-workflow-1.yml:45:24:45:61 | github.event.changes.title.from | .github/workflows/reusable-workflow-1.yml:66:34:66:52 | env.prev_log | Potential code injection in $@, which may be controlled by an external user. | .github/workflows/reusable-workflow-1.yml:66:34:66:52 | env.prev_log | ${{ env.prev_log }} |
@@ -729,6 +749,10 @@ subpaths
 | .github/workflows/test10.yml:333:34:333:77 | github.event.workflow_run.head_branch | .github/workflows/test10.yml:333:34:333:77 | github.event.workflow_run.head_branch | .github/workflows/test10.yml:333:34:333:77 | github.event.workflow_run.head_branch | Potential code injection in $@, which may be controlled by an external user. | .github/workflows/test10.yml:333:34:333:77 | github.event.workflow_run.head_branch | ${{ github.event.workflow_run.head_branch }} |
 | .github/workflows/test10.yml:423:34:423:77 | github.event.workflow_run.head_branch | .github/workflows/test10.yml:423:34:423:77 | github.event.workflow_run.head_branch | .github/workflows/test10.yml:423:34:423:77 | github.event.workflow_run.head_branch | Potential code injection in $@, which may be controlled by an external user. | .github/workflows/test10.yml:423:34:423:77 | github.event.workflow_run.head_branch | ${{ github.event.workflow_run.head_branch }} |
 | .github/workflows/test10.yml:518:34:518:77 | github.event.workflow_run.head_branch | .github/workflows/test10.yml:518:34:518:77 | github.event.workflow_run.head_branch | .github/workflows/test10.yml:518:34:518:77 | github.event.workflow_run.head_branch | Potential code injection in $@, which may be controlled by an external user. | .github/workflows/test10.yml:518:34:518:77 | github.event.workflow_run.head_branch | ${{ github.event.workflow_run.head_branch }} |
+| .github/workflows/test20.yml:15:54:15:94 | github.event.pull_request.head.ref | .github/workflows/test20.yml:15:54:15:94 | github.event.pull_request.head.ref | .github/workflows/test20.yml:15:54:15:94 | github.event.pull_request.head.ref | Potential code injection in $@, which may be controlled by an external user. | .github/workflows/test20.yml:15:54:15:94 | github.event.pull_request.head.ref | ${{ github.event.pull_request.head.ref }} |
+| .github/workflows/test21.yml:22:35:22:73 | github.event.head_commit.message | .github/workflows/test21.yml:22:35:22:73 | github.event.head_commit.message | .github/workflows/test21.yml:22:35:22:73 | github.event.head_commit.message | Potential code injection in $@, which may be controlled by an external user. | .github/workflows/test21.yml:22:35:22:73 | github.event.head_commit.message | ${{ github.event.head_commit.message }} |
+| .github/workflows/test21.yml:23:36:23:74 | github.event.head_commit.message | .github/workflows/test21.yml:23:36:23:74 | github.event.head_commit.message | .github/workflows/test21.yml:23:36:23:74 | github.event.head_commit.message | Potential code injection in $@, which may be controlled by an external user. | .github/workflows/test21.yml:23:36:23:74 | github.event.head_commit.message | ${{ github.event.head_commit.message }} |
+| .github/workflows/test21.yml:24:50:24:88 | github.event.head_commit.message | .github/workflows/test21.yml:24:50:24:88 | github.event.head_commit.message | .github/workflows/test21.yml:24:50:24:88 | github.event.head_commit.message | Potential code injection in $@, which may be controlled by an external user. | .github/workflows/test21.yml:24:50:24:88 | github.event.head_commit.message | ${{ github.event.head_commit.message }} |
 | .github/workflows/workflow_run_branches1.yml:13:20:13:63 | github.event.workflow_run.head_branch | .github/workflows/workflow_run_branches1.yml:13:20:13:63 | github.event.workflow_run.head_branch | .github/workflows/workflow_run_branches1.yml:13:20:13:63 | github.event.workflow_run.head_branch | Potential code injection in $@, which may be controlled by an external user. | .github/workflows/workflow_run_branches1.yml:13:20:13:63 | github.event.workflow_run.head_branch | ${{ github.event.workflow_run.head_branch }} |
 | .github/workflows/workflow_run_branches2.yml:13:20:13:63 | github.event.workflow_run.head_branch | .github/workflows/workflow_run_branches2.yml:13:20:13:63 | github.event.workflow_run.head_branch | .github/workflows/workflow_run_branches2.yml:13:20:13:63 | github.event.workflow_run.head_branch | Potential code injection in $@, which may be controlled by an external user. | .github/workflows/workflow_run_branches2.yml:13:20:13:63 | github.event.workflow_run.head_branch | ${{ github.event.workflow_run.head_branch }} |
 | .github/workflows/workflow_run_branches4.yml:13:20:13:63 | github.event.workflow_run.head_branch | .github/workflows/workflow_run_branches4.yml:13:20:13:63 | github.event.workflow_run.head_branch | .github/workflows/workflow_run_branches4.yml:13:20:13:63 | github.event.workflow_run.head_branch | Potential code injection in $@, which may be controlled by an external user. | .github/workflows/workflow_run_branches4.yml:13:20:13:63 | github.event.workflow_run.head_branch | ${{ github.event.workflow_run.head_branch }} |

config/identical-files.json

@@ -282,6 +282,7 @@
     "java/ql/lib/semmle/code/java/internal/OverlayXml.qll",
     "go/ql/lib/semmle/go/internal/OverlayXml.qll",
     "python/ql/lib/semmle/python/internal/OverlayXml.qll",
-    "csharp/ql/lib/semmle/code/csharp/internal/OverlayXml.qll"
+    "csharp/ql/lib/semmle/code/csharp/internal/OverlayXml.qll",
+    "cpp/ql/lib/semmle/code/cpp/internal/OverlayXml.qll"
   ]
 }

cpp/downgrades/1402ab319d20cdc9289deb7bfc1c70f36be44d44/exprs.ql

@@ -0,0 +1,17 @@
+class Expr extends @expr {
+  string toString() { none() }
+}
+
+class Location extends @location_default {
+  string toString() { none() }
+}
+
+predicate isExprWithNewBuiltin(Expr expr) {
+  exists(int kind | exprs(expr, kind, _) | 394 <= kind and kind <= 396)
+}
+
+from Expr expr, int kind, int kind_new, Location location
+where
+  exprs(expr, kind, location) and
+  if isExprWithNewBuiltin(expr) then kind_new = 1 else kind_new = kind
+select expr, kind_new, location

cpp/downgrades/1402ab319d20cdc9289deb7bfc1c70f36be44d44/upgrade.properties

@@ -0,0 +1,4 @@
+description: Add new builtin operations and this parameter access table
+compatibility: partial
+exprs.rel: run exprs.qlo
+param_ref_to_this.rel: delete

cpp/downgrades/83100310bf73eefc37c1d8d0ac98b2ca3019c7b6/upgrade.properties

@@ -0,0 +1,2 @@
+description: Sections for databaseMetadata and overlayChangedFiles
+compatibility: full

cpp/downgrades/d2d611b3fdcc7c4fe370f0d115200a3aa6ad5837/upgrade.properties

@@ -0,0 +1,2 @@
+description: Remove _Decimal{32,64,128} types
+compatibility: full

cpp/ql/lib/CHANGELOG.md

@@ -1,3 +1,27 @@
+## 7.0.0
+
+### Breaking Changes
+
+* The `_Decimal32`, `_Decimal64`, and `_Decimal128` types are no longer exposed as builtin types. Support for these gcc-specific types was incomplete, and are generally not used in C/C++ codebases.
+
+### Deprecated APIs
+
+* The `OverloadedArrayExpr::getArrayOffset/0` predicate has been deprecated. Use `OverloadedArrayExpr::getArrayOffset/1` and `OverloadedArrayExpr::getAnArrayOffset` instead.
+
+### New Features
+
+* Added subclasses of `BuiltInOperations` for the `__is_bitwise_cloneable`, `__is_invocable`, and `__is_nothrow_invocable` builtin operations.
+* Added a `isThisAccess` predicate to `ParamAccessForType` that holds when the access is to the implicit object parameter.
+* Predicates `getArrayOffset/1` and `getAnArrayOffset` have been added to the `OverloadedArrayExpr` class to support C++23 multidimensional subscript operators.
+
+### Minor Analysis Improvements
+
+* Some constants will now be represented by their unfolded expression trees. The `isConstant` predicate of `Expr` will no longer yield a result for those constants.
+
+### Bug Fixes
+
+* Fixed a bug in the `DataFlow::BarrierGuard<...>::getABarrierNode` predicate which caused the predicate to return `DataFlow::Node`s with incorrect indirections. If you use `getABarrierNode` to implement barriers in a dataflow/taint-tracking query it may result in more query results. You can use `DataFlow::BarrierGuard<...>::getAnIndirectBarrierNode` to remove those query results.
+
 ## 6.1.4
 
 No user-facing changes.

cpp/ql/lib/change-notes/released/7.0.0.md

@@ -0,0 +1,23 @@
+## 7.0.0
+
+### Breaking Changes
+
+* The `_Decimal32`, `_Decimal64`, and `_Decimal128` types are no longer exposed as builtin types. Support for these gcc-specific types was incomplete, and are generally not used in C/C++ codebases.
+
+### Deprecated APIs
+
+* The `OverloadedArrayExpr::getArrayOffset/0` predicate has been deprecated. Use `OverloadedArrayExpr::getArrayOffset/1` and `OverloadedArrayExpr::getAnArrayOffset` instead.
+
+### New Features
+
+* Added subclasses of `BuiltInOperations` for the `__is_bitwise_cloneable`, `__is_invocable`, and `__is_nothrow_invocable` builtin operations.
+* Added a `isThisAccess` predicate to `ParamAccessForType` that holds when the access is to the implicit object parameter.
+* Predicates `getArrayOffset/1` and `getAnArrayOffset` have been added to the `OverloadedArrayExpr` class to support C++23 multidimensional subscript operators.
+
+### Minor Analysis Improvements
+
+* Some constants will now be represented by their unfolded expression trees. The `isConstant` predicate of `Expr` will no longer yield a result for those constants.
+
+### Bug Fixes
+
+* Fixed a bug in the `DataFlow::BarrierGuard<...>::getABarrierNode` predicate which caused the predicate to return `DataFlow::Node`s with incorrect indirections. If you use `getABarrierNode` to implement barriers in a dataflow/taint-tracking query it may result in more query results. You can use `DataFlow::BarrierGuard<...>::getAnIndirectBarrierNode` to remove those query results.

cpp/ql/lib/codeql-pack.release.yml

@@ -1,2 +1,2 @@
 ---
-lastReleaseVersion: 6.1.4
+lastReleaseVersion: 7.0.0

cpp/ql/lib/ext/empty.model.yml

@@ -9,6 +9,14 @@ extensions:
       pack: codeql/cpp-all
       extensible: sinkModel
     data: []
+  - addsTo:
+      pack: codeql/cpp-all
+      extensible: barrierModel
+    data: []
+  - addsTo:
+      pack: codeql/cpp-all
+      extensible: barrierGuardModel
+    data: []
   - addsTo:
       pack: codeql/cpp-all
       extensible: summaryModel

cpp/ql/lib/qlpack.yml

@@ -1,5 +1,5 @@
 name: codeql/cpp-all
-version: 6.1.5-dev
+version: 7.0.1-dev
 groups: cpp
 dbscheme: semmlecode.cpp.dbscheme
 extractor: cpp

cpp/ql/lib/semmle/code/cpp/PrintAST.qll

@@ -1050,10 +1050,10 @@ private predicate namedExprChildPredicates(Expr expr, Element ele, string pred)
     expr.(Call).getQualifier() = ele and
     pred = "getQualifier()"
     or
-    // OverloadedArrayExpr::getArrayBase/0 and OverloadedArrayExpr::getArrayOffset/0 also consider arguments, and are already handled below.
+    // OverloadedArrayExpr::getArrayBase/0 and OverloadedArrayExpr::getArrayOffset/1 also consider arguments, and are already handled below.
     exists(int n, Expr arg | expr.(Call).getArgument(n) = arg |
       not expr.(OverloadedArrayExpr).getArrayBase() = arg and
-      not expr.(OverloadedArrayExpr).getArrayOffset() = arg and
+      not expr.(OverloadedArrayExpr).getAnArrayOffset() = arg and
       arg = ele and
       pred = "getArgument(" + n.toString() + ")"
     )
@@ -1062,7 +1062,10 @@ private predicate namedExprChildPredicates(Expr expr, Element ele, string pred)
     or
     expr.(OverloadedArrayExpr).getArrayBase() = ele and pred = "getArrayBase()"
     or
-    expr.(OverloadedArrayExpr).getArrayOffset() = ele and pred = "getArrayOffset()"
+    exists(int n |
+      expr.(OverloadedArrayExpr).getArrayOffset(n) = ele and
+      pred = "getArrayOffset(" + n.toString() + ")"
+    )
     or
     // OverloadedPointerDereferenceExpr::getExpr/0 also considers qualifiers, and is already handled above for all Call classes.
     not expr.(OverloadedPointerDereferenceExpr).getQualifier() =

cpp/ql/lib/semmle/code/cpp/Type.qll

@@ -802,15 +802,6 @@ private predicate floatingPointTypeMapping(
   // _Complex __float128
   kind = 39 and base = 2 and domain = TComplexDomain() and realKind = 38 and extended = false
   or
-  // _Decimal32
-  kind = 40 and base = 10 and domain = TRealDomain() and realKind = 40 and extended = false
-  or
-  // _Decimal64
-  kind = 41 and base = 10 and domain = TRealDomain() and realKind = 41 and extended = false
-  or
-  // _Decimal128
-  kind = 42 and base = 10 and domain = TRealDomain() and realKind = 42 and extended = false
-  or
   // _Float32
   kind = 45 and base = 2 and domain = TRealDomain() and realKind = 45 and extended = false
   or
@@ -871,9 +862,8 @@ private predicate floatingPointTypeMapping(
 
 /**
  * The C/C++ floating point types. See 4.5.  This includes `float`, `double` and `long double`, the
- * fixed-size floating-point types like `_Float32`, the extended-precision floating-point types like
- * `_Float64x`, and the decimal floating-point types like `_Decimal32`. It also includes the complex
- * and imaginary versions of all of these types.
+ * fixed-size floating-point types like `_Float32`, and the extended-precision floating-point types
+ * like `_Float64x`. It also includes the complex and imaginary versions of all of these types.
  */
 class FloatingPointType extends ArithmeticType {
   final int base;
@@ -991,42 +981,6 @@ class Float128Type extends RealNumberType, BinaryFloatingPointType {
   override string getAPrimaryQlClass() { result = "Float128Type" }
 }
 
-/**
- * The GNU C `_Decimal32` primitive type.  This is not standard C/C++.
- * ```
- * _Decimal32 d32;
- * ```
- */
-class Decimal32Type extends RealNumberType, DecimalFloatingPointType {
-  Decimal32Type() { builtintypes(underlyingElement(this), _, 40, _, _, _) }
-
-  override string getAPrimaryQlClass() { result = "Decimal32Type" }
-}
-
-/**
- * The GNU C `_Decimal64` primitive type.  This is not standard C/C++.
- * ```
- * _Decimal64 d64;
- * ```
- */
-class Decimal64Type extends RealNumberType, DecimalFloatingPointType {
-  Decimal64Type() { builtintypes(underlyingElement(this), _, 41, _, _, _) }
-
-  override string getAPrimaryQlClass() { result = "Decimal64Type" }
-}
-
-/**
- * The GNU C `_Decimal128` primitive type.  This is not standard C/C++.
- * ```
- * _Decimal128 d128;
- * ```
- */
-class Decimal128Type extends RealNumberType, DecimalFloatingPointType {
-  Decimal128Type() { builtintypes(underlyingElement(this), _, 42, _, _, _) }
-
-  override string getAPrimaryQlClass() { result = "Decimal128Type" }
-}
-
 /**
  * The C/C++ `void` type. See 4.7.
  * ```

cpp/ql/lib/semmle/code/cpp/dataflow/ExternalFlow.qll

@@ -101,9 +101,10 @@ private import internal.FlowSummaryImpl
 private import internal.FlowSummaryImpl::Public
 private import internal.FlowSummaryImpl::Private
 private import internal.FlowSummaryImpl::Private::External
-private import internal.ExternalFlowExtensions as Extensions
+private import internal.ExternalFlowExtensions::Extensions as Extensions
 private import codeql.mad.ModelValidation as SharedModelVal
 private import codeql.util.Unit
+private import codeql.mad.static.ModelsAsData as SharedMaD
 
 /**
  * A unit class for adding additional source model rows.
@@ -144,134 +145,81 @@ predicate sinkModel(string row) { any(SinkModelCsv s).row(row) }
 /** Holds if `row` is a summary model. */
 predicate summaryModel(string row) { any(SummaryModelCsv s).row(row) }
 
-/** Holds if a source model exists for the given parameters. */
-predicate sourceModel(
-  string namespace, string type, boolean subtypes, string name, string signature, string ext,
-  string output, string kind, string provenance, string model
-) {
-  exists(string row |
-    sourceModel(row) and
-    row.splitAt(";", 0) = namespace and
-    row.splitAt(";", 1) = type and
-    row.splitAt(";", 2) = subtypes.toString() and
-    subtypes = [true, false] and
-    row.splitAt(";", 3) = name and
-    row.splitAt(";", 4) = signature and
-    row.splitAt(";", 5) = ext and
-    row.splitAt(";", 6) = output and
-    row.splitAt(";", 7) = kind
-  ) and
-  provenance = "manual" and
-  model = ""
-  or
-  exists(QlBuiltins::ExtensionId madId |
-    Extensions::sourceModel(namespace, type, subtypes, name, signature, ext, output, kind,
-      provenance, madId) and
-    model = "MaD:" + madId.toString()
-  )
+private module MadInput implements SharedMaD::InputSig {
+  /** Holds if a source model exists for the given parameters. */
+  predicate additionalSourceModel(
+    string namespace, string type, boolean subtypes, string name, string signature, string ext,
+    string output, string kind, string provenance, string model
+  ) {
+    exists(string row |
+      sourceModel(row) and
+      row.splitAt(";", 0) = namespace and
+      row.splitAt(";", 1) = type and
+      row.splitAt(";", 2) = subtypes.toString() and
+      subtypes = [true, false] and
+      row.splitAt(";", 3) = name and
+      row.splitAt(";", 4) = signature and
+      row.splitAt(";", 5) = ext and
+      row.splitAt(";", 6) = output and
+      row.splitAt(";", 7) = kind
+    ) and
+    provenance = "manual" and
+    model = ""
+  }
+
+  /** Holds if a sink model exists for the given parameters. */
+  predicate additionalSinkModel(
+    string namespace, string type, boolean subtypes, string name, string signature, string ext,
+    string input, string kind, string provenance, string model
+  ) {
+    exists(string row |
+      sinkModel(row) and
+      row.splitAt(";", 0) = namespace and
+      row.splitAt(";", 1) = type and
+      row.splitAt(";", 2) = subtypes.toString() and
+      subtypes = [true, false] and
+      row.splitAt(";", 3) = name and
+      row.splitAt(";", 4) = signature and
+      row.splitAt(";", 5) = ext and
+      row.splitAt(";", 6) = input and
+      row.splitAt(";", 7) = kind
+    ) and
+    provenance = "manual" and
+    model = ""
+  }
+
+  /**
+   * Holds if a summary model exists for the given parameters.
+   *
+   * This predicate does not expand `@` to `*`s.
+   */
+  predicate additionalSummaryModel(
+    string namespace, string type, boolean subtypes, string name, string signature, string ext,
+    string input, string output, string kind, string provenance, string model
+  ) {
+    exists(string row |
+      summaryModel(row) and
+      row.splitAt(";", 0) = namespace and
+      row.splitAt(";", 1) = type and
+      row.splitAt(";", 2) = subtypes.toString() and
+      subtypes = [true, false] and
+      row.splitAt(";", 3) = name and
+      row.splitAt(";", 4) = signature and
+      row.splitAt(";", 5) = ext and
+      row.splitAt(";", 6) = input and
+      row.splitAt(";", 7) = output and
+      row.splitAt(";", 8) = kind
+    ) and
+    provenance = "manual" and
+    model = ""
+  }
+
+  string namespaceSegmentSeparator() { result = "::" }
 }
 
-/** Holds if a sink model exists for the given parameters. */
-predicate sinkModel(
-  string namespace, string type, boolean subtypes, string name, string signature, string ext,
-  string input, string kind, string provenance, string model
-) {
-  exists(string row |
-    sinkModel(row) and
-    row.splitAt(";", 0) = namespace and
-    row.splitAt(";", 1) = type and
-    row.splitAt(";", 2) = subtypes.toString() and
-    subtypes = [true, false] and
-    row.splitAt(";", 3) = name and
-    row.splitAt(";", 4) = signature and
-    row.splitAt(";", 5) = ext and
-    row.splitAt(";", 6) = input and
-    row.splitAt(";", 7) = kind
-  ) and
-  provenance = "manual" and
-  model = ""
-  or
-  exists(QlBuiltins::ExtensionId madId |
-    Extensions::sinkModel(namespace, type, subtypes, name, signature, ext, input, kind, provenance,
-      madId) and
-    model = "MaD:" + madId.toString()
-  )
-}
+private module MaD = SharedMaD::ModelsAsData<Extensions, MadInput>;
 
-/**
- * Holds if a summary model exists for the given parameters.
- *
- * This predicate does not expand `@` to `*`s.
- */
-private predicate summaryModel0(
-  string namespace, string type, boolean subtypes, string name, string signature, string ext,
-  string input, string output, string kind, string provenance, string model
-) {
-  exists(string row |
-    summaryModel(row) and
-    row.splitAt(";", 0) = namespace and
-    row.splitAt(";", 1) = type and
-    row.splitAt(";", 2) = subtypes.toString() and
-    subtypes = [true, false] and
-    row.splitAt(";", 3) = name and
-    row.splitAt(";", 4) = signature and
-    row.splitAt(";", 5) = ext and
-    row.splitAt(";", 6) = input and
-    row.splitAt(";", 7) = output and
-    row.splitAt(";", 8) = kind
-  ) and
-  provenance = "manual" and
-  model = ""
-  or
-  exists(QlBuiltins::ExtensionId madId |
-    Extensions::summaryModel(namespace, type, subtypes, name, signature, ext, input, output, kind,
-      provenance, madId) and
-    model = "MaD:" + madId.toString()
-  )
-}
-
-/**
- * Holds if the given extension tuple `madId` should pretty-print as `model`.
- *
- * This predicate should only be used in tests.
- */
-predicate interpretModelForTest(QlBuiltins::ExtensionId madId, string model) {
-  exists(
-    string namespace, string type, boolean subtypes, string name, string signature, string ext,
-    string output, string kind, string provenance
-  |
-    Extensions::sourceModel(namespace, type, subtypes, name, signature, ext, output, kind,
-      provenance, madId)
-  |
-    model =
-      "Source: " + namespace + "; " + type + "; " + subtypes + "; " + name + "; " + signature + "; "
-        + ext + "; " + output + "; " + kind + "; " + provenance
-  )
-  or
-  exists(
-    string namespace, string type, boolean subtypes, string name, string signature, string ext,
-    string input, string kind, string provenance
-  |
-    Extensions::sinkModel(namespace, type, subtypes, name, signature, ext, input, kind, provenance,
-      madId)
-  |
-    model =
-      "Sink: " + namespace + "; " + type + "; " + subtypes + "; " + name + "; " + signature + "; " +
-        ext + "; " + input + "; " + kind + "; " + provenance
-  )
-  or
-  exists(
-    string namespace, string type, boolean subtypes, string name, string signature, string ext,
-    string input, string output, string kind, string provenance
-  |
-    Extensions::summaryModel(namespace, type, subtypes, name, signature, ext, input, output, kind,
-      provenance, madId)
-  |
-    model =
-      "Summary: " + namespace + "; " + type + "; " + subtypes + "; " + name + "; " + signature +
-        "; " + ext + "; " + input + "; " + output + "; " + kind + "; " + provenance
-  )
-}
+import MaD
 
 /**
  * Holds if `input` is `input0`, but with all occurrences of `@` replaced
@@ -294,69 +242,13 @@ predicate summaryModel(
   string input, string output, string kind, string provenance, string model
 ) {
   exists(string input0, string output0 |
-    summaryModel0(namespace, type, subtypes, name, signature, ext, input0, output0, kind,
+    MaD::summaryModel(namespace, type, subtypes, name, signature, ext, input0, output0, kind,
       provenance, model) and
     expandInputAndOutput(input0, input, output0, output,
       [0 .. Private::getMaxElementContentIndirectionIndex() - 1])
   )
 }
 
-private predicate relevantNamespace(string namespace) {
-  sourceModel(namespace, _, _, _, _, _, _, _, _, _) or
-  sinkModel(namespace, _, _, _, _, _, _, _, _, _) or
-  summaryModel(namespace, _, _, _, _, _, _, _, _, _, _)
-}
-
-private predicate namespaceLink(string shortns, string longns) {
-  relevantNamespace(shortns) and
-  relevantNamespace(longns) and
-  longns.prefix(longns.indexOf("::")) = shortns
-}
-
-private predicate canonicalNamespace(string namespace) {
-  relevantNamespace(namespace) and not namespaceLink(_, namespace)
-}
-
-private predicate canonicalNamespaceLink(string namespace, string subns) {
-  canonicalNamespace(namespace) and
-  (subns = namespace or namespaceLink(namespace, subns))
-}
-
-/**
- * Holds if MaD framework coverage of `namespace` is `n` api endpoints of the
- * kind `(kind, part)`, and `namespaces` is the number of subnamespaces of
- * `namespace` which have MaD framework coverage (including `namespace`
- * itself).
- */
-predicate modelCoverage(string namespace, int namespaces, string kind, string part, int n) {
-  namespaces = strictcount(string subns | canonicalNamespaceLink(namespace, subns)) and
-  (
-    part = "source" and
-    n =
-      strictcount(string subns, string type, boolean subtypes, string name, string signature,
-        string ext, string output, string provenance, string model |
-        canonicalNamespaceLink(namespace, subns) and
-        sourceModel(subns, type, subtypes, name, signature, ext, output, kind, provenance, model)
-      )
-    or
-    part = "sink" and
-    n =
-      strictcount(string subns, string type, boolean subtypes, string name, string signature,
-        string ext, string input, string provenance, string model |
-        canonicalNamespaceLink(namespace, subns) and
-        sinkModel(subns, type, subtypes, name, signature, ext, input, kind, provenance, model)
-      )
-    or
-    part = "summary" and
-    n =
-      strictcount(string subns, string type, boolean subtypes, string name, string signature,
-        string ext, string input, string output, string provenance |
-        canonicalNamespaceLink(namespace, subns) and
-        summaryModel(subns, type, subtypes, name, signature, ext, input, output, kind, provenance, _)
-      )
-  )
-}
-
 /** Provides a query predicate to check the CSV data for validation errors. */
 module CsvValidation {
   private string getInvalidModelInput() {

cpp/ql/lib/semmle/code/cpp/dataflow/internal/ExternalFlowExtensions.qll

@@ -2,6 +2,8 @@
  * This module provides extensible predicates for defining MaD models.
  */
 
+private import codeql.mad.static.ModelsAsData as SharedMaD
+
 /**
  * Holds if an external source model exists for the given parameters.
  */
@@ -18,6 +20,22 @@ extensible predicate sinkModel(
   string input, string kind, string provenance, QlBuiltins::ExtensionId madId
 );
 
+/**
+ * Holds if a barrier model exists for the given parameters.
+ */
+extensible predicate barrierModel(
+  string namespace, string type, boolean subtypes, string name, string signature, string ext,
+  string output, string kind, string provenance, QlBuiltins::ExtensionId madId
+);
+
+/**
+ * Holds if a barrier guard model exists for the given parameters.
+ */
+extensible predicate barrierGuardModel(
+  string namespace, string type, boolean subtypes, string name, string signature, string ext,
+  string input, string acceptingvalue, string kind, string provenance, QlBuiltins::ExtensionId madId
+);
+
 /**
  * Holds if an external summary model exists for the given parameters.
  */
@@ -25,3 +43,16 @@ extensible predicate summaryModel(
   string namespace, string type, boolean subtypes, string name, string signature, string ext,
   string input, string output, string kind, string provenance, QlBuiltins::ExtensionId madId
 );
+
+/**
+ * Holds if a neutral model exists for the given parameters.
+ */
+extensible predicate neutralModel(
+  string namespace, string type, string name, string signature, string kind, string provenance
+);
+
+module Extensions implements SharedMaD::ExtensionsSig {
+  import ExternalFlowExtensions
+
+  predicate namespaceGrouping(string group, string namespace) { none() }
+}

cpp/ql/lib/semmle/code/cpp/dataflow/internal/FlowSummaryImpl.qll

@@ -148,6 +148,19 @@ module SourceSinkInterpretationInput implements
     )
   }
 
+  predicate barrierElement(
+    Element n, string output, string kind, Public::Provenance provenance, string model
+  ) {
+    none()
+  }
+
+  predicate barrierGuardElement(
+    Element n, string input, Public::AcceptingValue acceptingvalue, string kind,
+    Public::Provenance provenance, string model
+  ) {
+    none()
+  }
+
   private newtype TInterpretNode =
     TElement_(Element n) or
     TNode_(Node n)

cpp/ql/lib/semmle/code/cpp/exprs/Access.qll

@@ -394,6 +394,11 @@ class FunctionAccess extends Access, @routineexpr {
  */
 class ParamAccessForType extends Expr, @param_ref {
   override string toString() { result = "param access" }
+
+  /**
+   * Holds if the accessed parameter is implicit object parameter of the function.
+   */
+  predicate isThisAccess() { param_ref_to_this(underlyingElement(this)) }
 }
 
 /**

cpp/ql/lib/semmle/code/cpp/exprs/BuiltInOperations.qll

@@ -1941,3 +1941,61 @@ class BuiltInOperationIsTriviallyRelocatable extends BuiltInOperation, @istrivia
 
   override string getAPrimaryQlClass() { result = "BuiltInOperationIsTriviallyRelocatable" }
 }
+
+/**
+ * A C++ `__is_bitwise_cloneable` built-in operation.
+ *
+ * Returns `true` if an object of type `_Tp` is bitwise cloneable.
+ *
+ * ```
+ * template<typename _Tp>
+ *   struct is_bitwise_cloneable
+ *   : public integral_constant<bool, __is_bitwise_cloneable(_Tp)>
+ *   {};
+ * ```
+ */
+class BuiltInOperationIsBitwiseCloneable extends BuiltInOperation, @isbitwisecloneable {
+  override string toString() { result = "__is_bitwise_cloneable" }
+
+  override string getAPrimaryQlClass() { result = "BuiltInOperationIsBitwiseCloneable" }
+}
+
+/**
+ * A C++ `__is_invocable` built-in operation (used by some implementations
+ * of the `<type_traits>` header).
+ *
+ * Returns `true` if a function of type `_FTpn` can be invoked with arguments of
+ * type `_Tps`.
+ *
+ * ```
+ * template<typename _FTpn, typename... _Tps>
+ *   struct is_invocable
+ *   : public integral_constant<bool, __is_invocable(_FTpn, _Tps...)>
+ *   {};
+ * ```
+ */
+class BuiltInOperationIsInvocable extends BuiltInOperation, @isinvocable {
+  override string toString() { result = "__is_invocable" }
+
+  override string getAPrimaryQlClass() { result = "BuiltInOperationIsInvocable" }
+}
+
+/**
+ * A C++ `__is_nothrow_invocable` built-in operation (used by some implementations
+ * of the `<type_traits>` header).
+ *
+ * Returns `true` if a function of non-throwing type `_FTpn` can be invoked
+ * with arguments of type `_Tps`.
+ *
+ * ```
+ * template<typename _FTpn, typename... _Tps>
+ *   struct is_nothrow_invocable
+ *   : public integral_constant<bool, __is_nothrow_invocable(_FTpn, _Tps...)>
+ *   {};
+ * ```
+ */
+class BuiltInOperationIsNothrowInvocable extends BuiltInOperation, @isnothrowinvocable {
+  override string toString() { result = "__is_nothrow_invocable" }
+
+  override string getAPrimaryQlClass() { result = "BuiltInOperationIsNothrowInvocable" }
+}

cpp/ql/lib/semmle/code/cpp/exprs/Call.qll

@@ -387,10 +387,23 @@ class OverloadedArrayExpr extends FunctionCall {
 
   /**
    * Gets the expression giving the index.
+   *
+   * DEPRECATED: Use getArrayOffset/1 instead.
    */
-  Expr getArrayOffset() {
-    if exists(this.getQualifier()) then result = this.getChild(0) else result = this.getChild(1)
+  deprecated Expr getArrayOffset() { result = this.getArrayOffset(0) }
+
+  /**
+   * Gets the expression giving the nth index.
+   */
+  Expr getArrayOffset(int n) {
+    n >= 0 and
+    if exists(this.getQualifier()) then result = this.getChild(n) else result = this.getChild(n + 1)
   }
+
+  /**
+   * Gets an expression giving an index.
+   */
+  Expr getAnArrayOffset() { result = this.getArrayOffset(_) }
 }
 
 /**

cpp/ql/lib/semmle/code/cpp/internal/Overlay.qll

@@ -2,6 +2,8 @@
  * Defines entity discard predicates for C++ overlay analysis.
  */
 
+private import OverlayXml
+
 /**
  * Holds always for the overlay variant and never for the base variant.
  * This local predicate is used to define local predicates that behave
@@ -20,9 +22,21 @@ private string getLocationFilePath(@location_default loc) {
  */
 overlay[local]
 private string getSingleLocationFilePath(@element e) {
-  // @var_decl has a direct location in the var_decls relation
-  exists(@location_default loc | var_decls(e, _, _, _, loc) | result = getLocationFilePath(loc))
-  //TODO: add other kinds of elements with single locations
+  exists(@location_default loc |
+    var_decls(e, _, _, _, loc)
+    or
+    fun_decls(e, _, _, _, loc)
+    or
+    type_decls(e, _, loc)
+    or
+    namespace_decls(e, _, loc, _)
+    or
+    macroinvocations(e, _, loc, _)
+    or
+    preprocdirects(e, _, loc)
+  |
+    result = getLocationFilePath(loc)
+  )
 }
 
 /**
@@ -30,11 +44,17 @@ private string getSingleLocationFilePath(@element e) {
  */
 overlay[local]
 private string getMultiLocationFilePath(@element e) {
-  // @variable gets its location(s) from its @var_decl(s)
-  exists(@var_decl vd, @location_default loc | var_decls(vd, e, _, _, loc) |
+  exists(@location_default loc |
+    exists(@var_decl vd | var_decls(vd, e, _, _, loc))
+    or
+    exists(@fun_decl fd | fun_decls(fd, e, _, _, loc))
+    or
+    exists(@type_decl td | type_decls(td, e, loc))
+    or
+    exists(@namespace_decl nd | namespace_decls(nd, e, loc, _))
+  |
     result = getLocationFilePath(loc)
   )
-  //TODO: add other kinds of elements with multiple locations
 }
 
 /**

cpp/ql/lib/semmle/code/cpp/internal/OverlayXml.qll

@@ -0,0 +1,46 @@
+overlay[local]
+module;
+
+/**
+ * A local predicate that always holds for the overlay variant and never holds for the base variant.
+ * This is used to define local predicates that behave differently for the base and overlay variant.
+ */
+private predicate isOverlay() { databaseMetadata("isOverlay", "true") }
+
+private string getXmlFile(@xmllocatable locatable) {
+  exists(@location_default location, @file file | xmllocations(locatable, location) |
+    locations_default(location, file, _, _, _, _) and
+    files(file, result)
+  )
+}
+
+private string getXmlFileInBase(@xmllocatable locatable) {
+  not isOverlay() and
+  result = getXmlFile(locatable)
+}
+
+/**
+ * Holds if the given `file` was extracted as part of the overlay and was extracted by the HTML/XML
+ * extractor.
+ */
+private predicate overlayXmlExtracted(string file) {
+  isOverlay() and
+  exists(@xmllocatable locatable |
+    not files(locatable, _) and not xmlNs(locatable, _, _, _) and file = getXmlFile(locatable)
+  )
+}
+
+/**
+ * Holds if the given XML `locatable` should be discarded, because it is part of the overlay base
+ * and is in a file that was also extracted as part of the overlay database.
+ */
+overlay[discard_entity]
+private predicate discardXmlLocatable(@xmllocatable locatable) {
+  exists(string file | file = getXmlFileInBase(locatable) |
+    overlayChangedFiles(file)
+    or
+    // The HTML/XML extractor is currently not incremental and may extract more files than those
+    // included in overlayChangedFiles.
+    overlayXmlExtracted(file)
+  )
+}

cpp/ql/lib/semmle/code/cpp/ir/dataflow/internal/DataFlowUtil.qll

@@ -156,7 +156,7 @@ class Node extends TIRDataFlowNode {
    * If `isGLValue()` holds, then the type of this node
    * should be thought of as "pointer to `getType()`".
    */
-  DataFlowType getType() { none() } // overridden in subclasses
+  Type getType() { none() } // overridden in subclasses
 
   /** Gets the instruction corresponding to this node, if any. */
   Instruction asInstruction() { result = this.(InstructionNode).getInstruction() }
@@ -541,7 +541,7 @@ class Node extends TIRDataFlowNode {
   /**
    * Gets an upper bound on the type of this node.
    */
-  DataFlowType getTypeBound() { result = this.getType() }
+  Type getTypeBound() { result = this.getType() }
 
   /** Gets the location of this element. */
   cached
@@ -585,7 +585,7 @@ private class Node0 extends Node, TNode0 {
 
   override string toStringImpl() { result = node.toString() }
 
-  override DataFlowType getType() { result = node.getType() }
+  override Type getType() { result = node.getType() }
 
   override predicate isGLValue() { node.isGLValue() }
 }
@@ -704,7 +704,7 @@ class SsaSynthNode extends Node, TSsaSynthNode {
 
   override Declaration getFunction() { result = node.getBasicBlock().getEnclosingFunction() }
 
-  override DataFlowType getType() { result = node.getSourceVariable().getType() }
+  override Type getType() { result = node.getSourceVariable().getType() }
 
   override predicate isGLValue() { node.getSourceVariable().isGLValue() }
 
@@ -732,7 +732,7 @@ class SsaIteratorNode extends Node, TSsaIteratorNode {
 
   override Declaration getFunction() { result = node.getFunction() }
 
-  override DataFlowType getType() { result = node.getType() }
+  override Type getType() { result = node.getType() }
 
   final override Location getLocationImpl() { result = node.getLocation() }
 
@@ -792,7 +792,7 @@ class FinalGlobalValue extends Node, TFinalGlobalValue {
 
   override Declaration getFunction() { result = globalUse.getIRFunction().getFunction() }
 
-  override DataFlowType getType() {
+  override Type getType() {
     exists(int indirectionIndex |
       indirectionIndex = globalUse.getIndirectionIndex() and
       result = getTypeImpl(globalUse.getUnderlyingType(), indirectionIndex)
@@ -826,7 +826,7 @@ class InitialGlobalValue extends Node, TInitialGlobalValue {
 
   final override predicate isGLValue() { globalDef.getIndirectionIndex() = 0 }
 
-  override DataFlowType getType() { result = globalDef.getUnderlyingType() }
+  override Type getType() { result = globalDef.getUnderlyingType() }
 
   final override Location getLocationImpl() { result = globalDef.getLocation() }
 
@@ -853,7 +853,7 @@ class BodyLessParameterNodeImpl extends Node, TBodyLessParameterNodeImpl {
   /** Gets the indirection index of this node. */
   int getIndirectionIndex() { result = indirectionIndex }
 
-  override DataFlowType getType() {
+  override Type getType() {
     result = getTypeImpl(p.getUnderlyingType(), this.getIndirectionIndex())
   }
 
@@ -1117,8 +1117,8 @@ private module RawIndirectNodes {
 
     override predicate isGLValue() { this.getOperand().isGLValue() }
 
-    override DataFlowType getType() {
-      exists(int sub, DataFlowType type, boolean isGLValue |
+    override Type getType() {
+      exists(int sub, Type type, boolean isGLValue |
         type = getOperandType(this.getOperand(), isGLValue) and
         if isGLValue = true then sub = 1 else sub = 0
       |
@@ -1163,8 +1163,8 @@ private module RawIndirectNodes {
 
     override predicate isGLValue() { this.getInstruction().isGLValue() }
 
-    override DataFlowType getType() {
-      exists(int sub, DataFlowType type, boolean isGLValue |
+    override Type getType() {
+      exists(int sub, Type type, boolean isGLValue |
         type = getInstructionType(this.getInstruction(), isGLValue) and
         if isGLValue = true then sub = 1 else sub = 0
       |
@@ -1263,7 +1263,7 @@ class FinalParameterNode extends Node, TFinalParameterNode {
     result.asSourceCallable() = this.getFunction()
   }
 
-  override DataFlowType getType() { result = getTypeImpl(p.getUnderlyingType(), indirectionIndex) }
+  override Type getType() { result = getTypeImpl(p.getUnderlyingType(), indirectionIndex) }
 
   final override Location getLocationImpl() {
     // Parameters can have multiple locations. When there's a unique location we use
@@ -1539,7 +1539,7 @@ abstract class PostUpdateNode extends Node {
    */
   abstract Node getPreUpdateNode();
 
-  final override DataFlowType getType() { result = this.getPreUpdateNode().getType() }
+  final override Type getType() { result = this.getPreUpdateNode().getType() }
 }
 
 /**
@@ -1632,9 +1632,7 @@ class VariableNode extends Node, TGlobalLikeVariableNode {
     result.asSourceCallable() = v
   }
 
-  override DataFlowType getType() {
-    result = getTypeImpl(v.getUnderlyingType(), indirectionIndex - 1)
-  }
+  override Type getType() { result = getTypeImpl(v.getUnderlyingType(), indirectionIndex - 1) }
 
   final override Location getLocationImpl() {
     // Certain variables (such as parameters) can have multiple locations.

cpp/ql/lib/semmle/code/cpp/ir/dataflow/internal/SsaImpl.qll

@@ -53,7 +53,7 @@ private module SourceVariables {
      * the type of this source variable should be thought of as "pointer
      * to `getType()`".
      */
-    DataFlowType getType() {
+    Type getType() {
       if this.isGLValue()
       then result = base.getType()
       else result = getTypeImpl(base.getType(), ind - 1)
@@ -1051,12 +1051,12 @@ module BarrierGuardWithIntParam<guardChecksNodeSig/4 guardChecksNode> {
   }
 
   private predicate guardChecksInstr(
-    IRGuards::Guards_v1::Guard g, IRGuards::GuardsInput::Expr instr, boolean branch,
+    IRGuards::Guards_v1::Guard g, IRGuards::GuardsInput::Expr instr, IRGuards::GuardValue gv,
     int indirectionIndex
   ) {
     exists(Node node |
       nodeHasInstruction(node, instr, indirectionIndex) and
-      guardChecksNode(g, node, branch, indirectionIndex)
+      guardChecksNode(g, node, gv.asBooleanValue(), indirectionIndex)
     )
   }
 
@@ -1064,8 +1064,15 @@ module BarrierGuardWithIntParam<guardChecksNodeSig/4 guardChecksNode> {
     DataFlowIntegrationInput::Guard g, SsaImpl::Definition def, IRGuards::GuardValue val,
     int indirectionIndex
   ) {
-    IRGuards::Guards_v1::ValidationWrapperWithState<int, guardChecksInstr/4>::guardChecksDef(g, def,
-      val, indirectionIndex)
+    exists(Instruction e |
+      IRGuards::Guards_v1::ParameterizedValidationWrapper<int, guardChecksInstr/4>::guardChecks(g,
+        e, val, indirectionIndex)
+    |
+      indirectionIndex = 0 and
+      def.(Definition).getAUse().getDef() = e
+      or
+      def.(Definition).getAnIndirectUse(indirectionIndex).getDef() = e
+    )
   }
 
   Node getABarrierNode(int indirectionIndex) {

cpp/ql/lib/semmle/code/cpp/ir/dataflow/internal/SsaImplCommon.qll

@@ -688,15 +688,9 @@ private module Cached {
       conversionFlow(mid, instr, false, _)
     )
     or
-    exists(int ind0 |
-      exists(Operand address |
-        isDereference(operand.getDef(), address, _) and
-        isUseImpl(address, base, ind0)
-      )
-      or
-      isUseImpl(operand.getDef().(InitializeParameterInstruction).getAnOperand(), base, ind0)
-    |
-      ind0 = ind - 1
+    exists(Operand address |
+      isDereference(operand.getDef(), address, _) and
+      isUseImpl(address, base, ind - 1)
     )
   }
 

cpp/ql/lib/semmle/code/cpp/ir/implementation/raw/internal/TranslatedExpr.qll

@@ -2679,7 +2679,7 @@ class TranslatedDestructorFieldDestruction extends TranslatedNonConstantExpr, St
   final override Instruction getInstructionRegisterOperand(InstructionTag tag, OperandTag operandTag) {
     tag = OnlyInstructionTag() and
     operandTag instanceof UnaryOperandTag and
-    result = getTranslatedFunction(getEnclosingFunction(expr)).getInitializeThisInstruction()
+    result = getTranslatedFunction(getEnclosingFunction(expr)).getLoadThisInstruction()
   }
 
   final override Field getInstructionField(InstructionTag tag) {

cpp/ql/lib/semmle/code/cpp/ir/implementation/raw/internal/TranslatedFunction.qll

@@ -306,11 +306,11 @@ class TranslatedFunction extends TranslatedRootElement, TTranslatedFunction {
   final predicate hasReturnValue() { hasReturnValue(func) }
 
   /**
-   * Gets the single `InitializeThis` instruction for this function. Holds only
-   * if the function is an instance member function, constructor, or destructor.
+   * Gets the first load of `this` for this function. Holds only if the function
+   * is an instance member function, constructor, or destructor.
    */
-  final Instruction getInitializeThisInstruction() {
-    result = getTranslatedThisParameter(func).getInstruction(InitializerStoreTag())
+  final Instruction getLoadThisInstruction() {
+    result = getTranslatedThisParameter(func).getInstruction(InitializerIndirectAddressTag())
   }
 
   /**
@@ -639,7 +639,7 @@ class TranslatedConstructorInitList extends TranslatedElement, InitializationCon
   }
 
   override Instruction getTargetAddress() {
-    result = getTranslatedFunction(func).getInitializeThisInstruction()
+    result = getTranslatedFunction(func).getLoadThisInstruction()
   }
 
   override Type getTargetType() { result = getTranslatedFunction(func).getThisType() }

cpp/ql/lib/semmle/code/cpp/ir/implementation/raw/internal/TranslatedInitialization.qll

@@ -950,7 +950,7 @@ abstract class TranslatedBaseStructorCall extends TranslatedStructorCallFromStru
   final override Instruction getInstructionRegisterOperand(InstructionTag tag, OperandTag operandTag) {
     tag = OnlyInstructionTag() and
     operandTag instanceof UnaryOperandTag and
-    result = getTranslatedFunction(this.getFunction()).getInitializeThisInstruction()
+    result = getTranslatedFunction(this.getFunction()).getLoadThisInstruction()
   }
 
   final override predicate getInstructionInheritance(
@@ -1000,7 +1000,7 @@ class TranslatedConstructorDelegationInit extends TranslatedConstructorCallFromC
   }
 
   final override Instruction getReceiver() {
-    result = getTranslatedFunction(this.getFunction()).getInitializeThisInstruction()
+    result = getTranslatedFunction(this.getFunction()).getLoadThisInstruction()
   }
 }
 

cpp/ql/lib/semmle/code/cpp/rangeanalysis/SimpleRangeAnalysis.qll

@@ -158,22 +158,6 @@ private class UnsignedBitwiseAndExpr extends BitwiseAndExpr {
   }
 }
 
-/**
- * Gets the floor of `v`, with additional logic to work around issues with
- * large numbers.
- */
-bindingset[v]
-float safeFloor(float v) {
-  // return the floor of v
-  v.abs() < 2.pow(31) and
-  result = v.floor()
-  or
-  // `floor()` doesn't work correctly on large numbers (since it returns an integer),
-  // so fall back to unrounded numbers at this scale.
-  not v.abs() < 2.pow(31) and
-  result = v
-}
-
 /** A `MulExpr` where exactly one operand is constant. */
 private class MulByConstantExpr extends MulExpr {
   float constant;
@@ -1266,7 +1250,7 @@ private float getLowerBoundsImpl(Expr expr) {
       rsExpr = expr and
       left = getFullyConvertedLowerBounds(rsExpr.getLeftOperand()) and
       right = getValue(rsExpr.getRightOperand().getFullyConverted()).toInt() and
-      result = safeFloor(left / 2.pow(right))
+      result = (left / 2.pow(right)).floorFloat()
     )
     // Not explicitly modeled by a SimpleRangeAnalysisExpr
   ) and
@@ -1475,7 +1459,7 @@ private float getUpperBoundsImpl(Expr expr) {
       rsExpr = expr and
       left = getFullyConvertedUpperBounds(rsExpr.getLeftOperand()) and
       right = getValue(rsExpr.getRightOperand().getFullyConverted()).toInt() and
-      result = safeFloor(left / 2.pow(right))
+      result = (left / 2.pow(right)).floorFloat()
     )
     // Not explicitly modeled by a SimpleRangeAnalysisExpr
   ) and
@@ -1725,6 +1709,22 @@ predicate nonNanGuardedVariable(Expr guard, VariableAccess v, boolean branch) {
   nanExcludingComparison(guard, branch)
 }
 
+/**
+ * Adjusts a lower bound to its meaning for integral types.
+ *
+ * Examples:
+ * `>= 3.0` becomes `3.0`
+ * ` > 3.0` becomes `4.0`
+ * `>= 3.5` becomes `4.0`
+ * ` > 3.5` becomes `4.0`
+ */
+bindingset[strictness, lb]
+private float adjustLowerBoundIntegral(RelationStrictness strictness, float lb) {
+  if strictness = Nonstrict() and lb.floorFloat() = lb
+  then result = lb
+  else result = lb.floorFloat() + 1
+}
+
 /**
  * If the guard is a comparison of the form `p*v + q <CMP> r`, then this
  * predicate uses the bounds information for `r` to compute a lower bound
@@ -1736,15 +1736,29 @@ private predicate lowerBoundFromGuard(Expr guard, VariableAccess v, float lb, bo
   |
     if nonNanGuardedVariable(guard, v, branch)
     then
-      if
-        strictness = Nonstrict() or
-        not getVariableRangeType(v.getTarget()) instanceof IntegralType
-      then lb = childLB
-      else lb = childLB + 1
+      if getVariableRangeType(v.getTarget()) instanceof IntegralType
+      then lb = adjustLowerBoundIntegral(strictness, childLB)
+      else lb = childLB
     else lb = varMinVal(v.getTarget())
   )
 }
 
+/**
+ * Adjusts an upper bound to its meaning for integral types.
+ *
+ * Examples:
+ * `<= 3.0` becomes `3.0`
+ * ` < 3.0` becomes `2.0`
+ * `<= 3.5` becomes `3.0`
+ * ` < 3.5` becomes `3.0`
+ */
+bindingset[strictness, ub]
+private float adjustUpperBoundIntegral(RelationStrictness strictness, float ub) {
+  if strictness = Nonstrict() and ub.ceilFloat() = ub
+  then result = ub
+  else result = ub.ceilFloat() - 1
+}
+
 /**
  * If the guard is a comparison of the form `p*v + q <CMP> r`, then this
  * predicate uses the bounds information for `r` to compute a upper bound
@@ -1756,11 +1770,9 @@ private predicate upperBoundFromGuard(Expr guard, VariableAccess v, float ub, bo
   |
     if nonNanGuardedVariable(guard, v, branch)
     then
-      if
-        strictness = Nonstrict() or
-        not getVariableRangeType(v.getTarget()) instanceof IntegralType
-      then ub = childUB
-      else ub = childUB - 1
+      if getVariableRangeType(v.getTarget()) instanceof IntegralType
+      then ub = adjustUpperBoundIntegral(strictness, childUB)
+      else ub = childUB
     else ub = varMaxVal(v.getTarget())
   )
 }

cpp/ql/lib/semmlecode.cpp.dbscheme

@@ -617,9 +617,9 @@ case @builtintype.kind of
 | 37 = @signed_int128         // signed __int128
 | 38 = @float128              // __float128
 | 39 = @complex_float128      // _Complex __float128
-| 40 = @decimal32             // _Decimal32
-| 41 = @decimal64             // _Decimal64
-| 42 = @decimal128            // _Decimal128
+// ... 40 _Decimal32
+// ... 41 _Decimal64
+// ... 42 _Decimal128
 | 43 = @char16_t
 | 44 = @char32_t
 | 45 = @std_float32           // _Float32
@@ -1902,6 +1902,9 @@ case @expr.kind of
 | 391 = @nested_requirement
 | 392 = @compound_requirement
 | 393 = @concept_id
+| 394 = @isinvocable
+| 395 = @isnothrowinvocable
+| 396 = @isbitwisecloneable
 ;
 
 @var_args_expr = @vastartexpr
@@ -2018,6 +2021,9 @@ case @expr.kind of
             | @istriviallyequalitycomparable
             | @isscopedenum
             | @istriviallyrelocatable
+            | @isinvocable
+            | @isnothrowinvocable
+            | @isbitwisecloneable
             ;
 
 compound_requirement_is_noexcept(
@@ -2034,6 +2040,10 @@ new_array_allocated_type(
     int type_id: @type ref
 );
 
+param_ref_to_this(
+    int expr: @param_ref ref
+)
+
 /**
  * The field being initialized by an initializer expression within an aggregate
  * initializer for a class/struct/union. Position is used to sort repeated initializers.
@@ -2379,6 +2389,8 @@ link_parent(
     int link_target : @link_target ref
 );
 
+/*- Database metadata -*/
+
 /**
  * The CLI will automatically emit applicable tuples for this table,
  * such as `databaseMetadata("isOverlay", "true")` when building an
@@ -2389,6 +2401,8 @@ databaseMetadata(
   string value: string ref
 );
 
+/*- Overlay support -*/
+
 /**
  * The CLI will automatically emit tuples for each new/modified/deleted file
  * when building an overlay database.

cpp/ql/lib/upgrades/1402ab319d20cdc9289deb7bfc1c70f36be44d44/upgrade.properties

@@ -0,0 +1,2 @@
+description: Sections for databaseMetadata and overlayChangedFiles
+compatibility: full

cpp/ql/lib/upgrades/a42ce5fc943254097f85471b94ae2247e819104a/builtintypes.ql

@@ -0,0 +1,11 @@
+class BuiltinType extends @builtintype {
+  string toString() { none() }
+}
+
+predicate isDecimalBuiltinType(BuiltinType type) { builtintypes(type, _, [40, 41, 42], _, _, _) }
+
+from BuiltinType type, string name, int kind, int kind_new, int size, int sign, int alignment
+where
+  builtintypes(type, name, kind, size, sign, alignment) and
+  if isDecimalBuiltinType(type) then kind_new = 1 else kind_new = kind
+select type, name, kind_new, size, sign, alignment

cpp/ql/lib/upgrades/a42ce5fc943254097f85471b94ae2247e819104a/upgrade.properties

@@ -0,0 +1,3 @@
+description: Remove _Decimal{32,64,128} types
+compatibility: partial
+builtintypes.rel: run builtintypes.qlo

cpp/ql/lib/upgrades/d2d611b3fdcc7c4fe370f0d115200a3aa6ad5837/upgrade.properties

@@ -0,0 +1,2 @@
+description: Add new builtin operations and this parameter access table
+compatibility: backwards

cpp/ql/src/CHANGELOG.md

@@ -1,3 +1,9 @@
+## 1.5.9
+
+### Minor Analysis Improvements
+
+* The `cpp/constant-comparison` query has been updated to not produce false positives for constants that are now represented by their unfolded expression trees.
+
 ## 1.5.8
 
 No user-facing changes.

cpp/ql/src/Likely Bugs/Arithmetic/PointlessComparison.ql

@@ -25,11 +25,16 @@ import UnsignedGEZero
 //
 // So to reduce the number of false positives, we do not report a result if
 // the comparison is in a macro expansion. Similarly for template
-// instantiations.
+// instantiations, static asserts, non-type template arguments, enum constants,
+// and constexprs.
 from ComparisonOperation cmp, SmallSide ss, float left, float right, boolean value, string reason
 where
   not cmp.isInMacroExpansion() and
   not cmp.isFromTemplateInstantiation(_) and
+  not exists(StaticAssert s | s.getCondition() = cmp.getParent*()) and
+  not exists(Declaration d | d.getATemplateArgument() = cmp.getParent*()) and
+  not exists(Variable v | v.isConstexpr() | v.getInitializer().getExpr() = cmp.getParent*()) and
+  not exists(EnumConstant e | e.getInitializer().getExpr() = cmp.getParent*()) and
   not functionContainsDisabledCode(cmp.getEnclosingFunction()) and
   reachablePointlessComparison(cmp, left, right, value, ss) and
   // a comparison between an enum and zero is always valid because whether

cpp/ql/src/Security/CWE/CWE-020/ExternalAPIs.qll

@@ -10,7 +10,7 @@ import ExternalAPIsSpecific
 
 /** A node representing untrusted data being passed to an external API. */
 class UntrustedExternalApiDataNode extends ExternalApiDataNode {
-  UntrustedExternalApiDataNode() { UntrustedDataToExternalApiFlow::flow(_, this) }
+  UntrustedExternalApiDataNode() { UntrustedDataToExternalApiFlow::flowTo(this) }
 
   /** Gets a source of untrusted data which is passed to this external API data node. */
   DataFlow::Node getAnUntrustedSource() { UntrustedDataToExternalApiFlow::flow(result, this) }

cpp/ql/src/Security/CWE/CWE-020/ir/ExternalAPIs.qll

@@ -10,7 +10,7 @@ import ExternalAPIsSpecific
 
 /** A node representing untrusted data being passed to an external API. */
 class UntrustedExternalApiDataNode extends ExternalApiDataNode {
-  UntrustedExternalApiDataNode() { UntrustedDataToExternalApiFlow::flow(_, this) }
+  UntrustedExternalApiDataNode() { UntrustedDataToExternalApiFlow::flowTo(this) }
 
   /** Gets a source of untrusted data which is passed to this external API data node. */
   DataFlow::Node getAnUntrustedSource() { UntrustedDataToExternalApiFlow::flow(result, this) }

cpp/ql/src/Security/CWE/CWE-120/UnboundedWrite.ql

@@ -122,7 +122,8 @@ module Config implements DataFlow::ConfigSig {
 
   predicate isBarrier(DataFlow::Node node) {
     // Block flow if the node is guarded by any <, <= or = operations.
-    node = DataFlow::BarrierGuard<lessThanOrEqual/3>::getABarrierNode()
+    node = DataFlow::BarrierGuard<lessThanOrEqual/3>::getABarrierNode() or
+    node = DataFlow::BarrierGuard<lessThanOrEqual/3>::getAnIndirectBarrierNode()
   }
 
   predicate observeDiffInformedIncrementalMode() { any() }

cpp/ql/src/Security/CWE/CWE-311/CleartextTransmission.ql

@@ -263,7 +263,7 @@ module FromSensitiveFlow = TaintTracking::Global<FromSensitiveConfig>;
  * A taint flow configuration for flow from a sensitive expression to an encryption operation.
  */
 module ToEncryptionConfig implements DataFlow::ConfigSig {
-  predicate isSource(DataFlow::Node source) { FromSensitiveFlow::flow(source, _) }
+  predicate isSource(DataFlow::Node source) { FromSensitiveFlow::flowFrom(source) }
 
   predicate isSink(DataFlow::Node sink) { isSinkEncrypt(sink, _) }
 
@@ -311,7 +311,7 @@ where
   FromSensitiveFlow::flowPath(source, sink) and
   isSinkSendRecv(sink.getNode(), networkSendRecv) and
   // no flow from sensitive -> evidence of encryption
-  not ToEncryptionFlow::flow(source.getNode(), _) and
+  not ToEncryptionFlow::flowFrom(source.getNode()) and
   not FromEncryptionFlow::flowTo(sink.getNode()) and
   // construct result
   if networkSendRecv instanceof NetworkSend

cpp/ql/src/change-notes/released/1.5.9.md

@@ -0,0 +1,5 @@
+## 1.5.9
+
+### Minor Analysis Improvements
+
+* The `cpp/constant-comparison` query has been updated to not produce false positives for constants that are now represented by their unfolded expression trees.

cpp/ql/src/codeql-pack.release.yml

@@ -1,2 +1,2 @@
 ---
-lastReleaseVersion: 1.5.8
+lastReleaseVersion: 1.5.9

cpp/ql/src/experimental/Security/CWE/CWE-193/ConstantSizeArrayOffByOne.ql

@@ -129,7 +129,7 @@ module PointerArithmeticToDerefFlow = DataFlow::Global<PointerArithmeticToDerefC
 
 predicate pointerArithOverflow(PointerArithmeticInstruction pai, int delta) {
   pointerArithOverflow0(pai, delta) and
-  PointerArithmeticToDerefFlow::flow(DataFlow::instructionNode(pai), _)
+  PointerArithmeticToDerefFlow::flowFrom(DataFlow::instructionNode(pai))
 }
 
 bindingset[v]

cpp/ql/src/jsf/lib/section_4_21_Operators/AV_Rule_166.qll

@@ -13,7 +13,7 @@ class SizeofImpureExprOperator extends SizeofExprOperator {
       not e.(OverloadedPointerDereferenceExpr).getExpr().isPure() and
       not exists(OverloadedArrayExpr op | op = e |
         op.getArrayBase().isPure() and
-        op.getArrayOffset().isPure()
+        forall(Expr offset | offset = op.getAnArrayOffset() | offset.isPure())
       )
     )
   }

cpp/ql/src/qlpack.yml

@@ -1,5 +1,5 @@
 name: codeql/cpp-queries
-version: 1.5.9-dev
+version: 1.5.10-dev
 groups:
   - cpp
   - queries

cpp/ql/src/utils/modelgenerator/internal/CaptureModels.qll

@@ -78,7 +78,7 @@ module ModelGeneratorCommonInput implements ModelGeneratorCommonInputSig<Cpp::Lo
 {
   private module DataFlow = Df::DataFlow;
 
-  class Type = DataFlowPrivate::DataFlowType;
+  class Type = Cpp::Type;
 
   // Note: This also includes `this`
   class Parameter = DataFlow::ParameterNode;

cpp/ql/test/library-tests/builtins/type_traits/clang.cpp

@@ -1,4 +1,4 @@
-// semmle-extractor-options: --clang --clang_version 190000
+// semmle-extractor-options: --clang --clang_version 210000
 
 struct S {
     void f() {}
@@ -121,3 +121,11 @@ bool b_is_scoped_enum2 = __is_scoped_enum(int);
 
 bool b_is_trivially_relocatable1 = __is_trivially_relocatable(int);
 bool b_is_trivially_relocatable2 = __is_trivially_relocatable(void);
+
+struct S3{
+    S3(S3 &);
+    S3& operator=(S3&);
+};
+
+bool bok_is_bitwise_cloneable1 = __is_bitwise_cloneable(int);
+bool bok_is_bitwise_cloneable2 = __is_bitwise_cloneable(S3);

cpp/ql/test/library-tests/builtins/type_traits/expr.expected

@@ -165,6 +165,10 @@
 | clang.cpp:122:36:122:66 | int |  | <none> |
 | clang.cpp:123:36:123:67 | __is_trivially_relocatable | void | 0 |
 | clang.cpp:123:36:123:67 | void |  | <none> |
+| clang.cpp:130:34:130:60 | __is_bitwise_cloneable | int | 1 |
+| clang.cpp:130:34:130:60 | int |  | <none> |
+| clang.cpp:131:34:131:59 | S3 |  | <none> |
+| clang.cpp:131:34:131:59 | __is_bitwise_cloneable | S3 | 0 |
 | file://:0:0:0:0 | 0 |  | 0 |
 | file://:0:0:0:0 | 0 |  | 0 |
 | file://:0:0:0:0 | 1 |  | 1 |
@@ -211,6 +215,16 @@
 | gcc.cpp:29:45:29:93 | __reference_converts_from_temporary | int &&,int && | 0 |
 | gcc.cpp:29:45:29:93 | int && |  | <none> |
 | gcc.cpp:29:45:29:93 | int && |  | <none> |
+| gcc.cpp:33:24:33:45 | __is_invocable | f_type | 1 |
+| gcc.cpp:33:24:33:45 | f_type |  | <none> |
+| gcc.cpp:34:24:34:51 | __is_invocable | f_type,bool | 0 |
+| gcc.cpp:34:24:34:51 | bool |  | <none> |
+| gcc.cpp:34:24:34:51 | f_type |  | <none> |
+| gcc.cpp:36:32:36:61 | __is_nothrow_invocable | f_type | 1 |
+| gcc.cpp:36:32:36:61 | f_type |  | <none> |
+| gcc.cpp:37:32:37:67 | __is_nothrow_invocable | f_type,bool | 0 |
+| gcc.cpp:37:32:37:67 | bool |  | <none> |
+| gcc.cpp:37:32:37:67 | f_type |  | <none> |
 | ms.cpp:38:41:38:45 | 0 |  | 0 |
 | ms.cpp:88:27:88:45 | __has_assign | empty | 0 |
 | ms.cpp:88:27:88:45 | empty |  | <none> |

cpp/ql/test/library-tests/builtins/type_traits/gcc.cpp

@@ -1,4 +1,4 @@
-// semmle-extractor-options: --gnu_version 130000
+// semmle-extractor-options: --gnu_version 150000
 
 __attribute__ ((aligned(8))) int v;
 bool b_has_attribute1 = __builtin_has_attribute(v, aligned);
@@ -27,3 +27,11 @@ bool b_reference_constructs_from_temporary2 = __reference_constructs_from_tempor
 
 bool b_reference_converts_from_temporary1 = __reference_converts_from_temporary(int&&, int);
 bool b_reference_converts_from_temporary2 = __reference_converts_from_temporary(int&&, int&&);
+
+using f_type = void(*)() noexcept;
+
+bool b_is_invocable1 = __is_invocable(f_type);
+bool b_is_invocable2 = __is_invocable(f_type, bool);
+
+bool b_is_nothrow_invocable1 = __is_nothrow_invocable(f_type);
+bool b_is_nothrow_invocable2 = __is_nothrow_invocable(f_type, bool);

cpp/ql/test/library-tests/builtins/types/types.c

@@ -1,5 +0,0 @@
-
-_Decimal32 d32;
-_Decimal64 d64;
-_Decimal128 d128;
-

cpp/ql/test/library-tests/builtins/types/types.expected

@@ -1,7 +0,0 @@
-| file://:0:0:0:0 | fp_offset | file://:0:0:0:0 | unsigned int |
-| file://:0:0:0:0 | gp_offset | file://:0:0:0:0 | unsigned int |
-| file://:0:0:0:0 | overflow_arg_area | file://:0:0:0:0 | void * |
-| file://:0:0:0:0 | reg_save_area | file://:0:0:0:0 | void * |
-| types.c:2:12:2:14 | d32 | file://:0:0:0:0 | _Decimal32 |
-| types.c:3:12:3:14 | d64 | file://:0:0:0:0 | _Decimal64 |
-| types.c:4:13:4:16 | d128 | file://:0:0:0:0 | _Decimal128 |

cpp/ql/test/library-tests/builtins/types/types.ql

@@ -1,5 +0,0 @@
-import cpp
-
-from Variable v, Type t
-where t = v.getType()
-select v, t

cpp/ql/test/library-tests/constants/addresses/addresses.cpp

@@ -26,9 +26,7 @@ void constantAddresses(int param) {
     constexpr int *array2d = &int_arr_arr[1][1] + 1;
     constexpr int *const_ints = &int_arr_arr[int_const][extern_int_const];
 
-    // Commented out because clang and EDG disagree on whether this is
-    // constant.
-    //constexpr int *stmtexpr_int = &int_arr[ ({ 1; }) ];
+    constexpr int *stmtexpr_int = &int_arr[ ({ 1; }) ];
 
     constexpr int *comma_int = &int_arr[ ((void)0, 1) ];
     constexpr int *comma_addr = ((void)0, &int_var);

cpp/ql/test/library-tests/constants/addresses/addresses.expected

@@ -0,0 +1,5 @@
+| addresses.cpp:29:35:29:54 | & ... | stmtexpr_int | misclassified as NOT constant |
+| addresses.cpp:31:32:31:55 | & ... | comma_int | misclassified as NOT constant |
+| addresses.cpp:36:39:36:70 | ... ? ... : ... | ternary_ptr_cond | misclassified as NOT constant |
+| addresses.cpp:37:35:37:69 | & ... | ptr_subtract | misclassified as NOT constant |
+| addresses.cpp:39:35:39:50 | ... + ... | constexpr_va | misclassified as NOT constant |

cpp/ql/test/library-tests/dataflow/fields/ir-path-flow.expected

@@ -193,10 +193,10 @@ edges
 | C.cpp:18:12:18:18 | call to C [s3] | C.cpp:18:12:18:18 | *new [s3] | provenance |  |
 | C.cpp:19:5:19:5 | *c [s1] | C.cpp:27:8:27:11 | *this [s1] | provenance |  |
 | C.cpp:19:5:19:5 | *c [s3] | C.cpp:27:8:27:11 | *this [s3] | provenance |  |
+| C.cpp:22:3:22:3 | *C [post update] [s1] | C.cpp:22:3:22:3 | *this [Return] [s1] | provenance |  |
 | C.cpp:22:3:22:3 | *this [Return] [s1] | C.cpp:18:12:18:18 | call to C [s1] | provenance |  |
 | C.cpp:22:3:22:3 | *this [Return] [s3] | C.cpp:18:12:18:18 | call to C [s3] | provenance |  |
-| C.cpp:22:3:22:3 | *this [post update] [s1] | C.cpp:22:3:22:3 | *this [Return] [s1] | provenance |  |
-| C.cpp:22:12:22:21 | new | C.cpp:22:3:22:3 | *this [post update] [s1] | provenance |  |
+| C.cpp:22:12:22:21 | new | C.cpp:22:3:22:3 | *C [post update] [s1] | provenance |  |
 | C.cpp:22:12:22:21 | new | C.cpp:22:12:22:21 | new | provenance |  |
 | C.cpp:24:5:24:8 | *this [post update] [s3] | C.cpp:22:3:22:3 | *this [Return] [s3] | provenance |  |
 | C.cpp:24:5:24:25 | ... = ... | C.cpp:24:5:24:8 | *this [post update] [s3] | provenance |  |
@@ -736,12 +736,12 @@ edges
 | constructors.cpp:19:22:19:23 | *this [b_] | constructors.cpp:19:22:19:23 | b_ | provenance |  |
 | constructors.cpp:19:22:19:23 | b_ | constructors.cpp:19:9:19:9 | *b | provenance |  |
 | constructors.cpp:19:22:19:23 | b_ | constructors.cpp:19:22:19:23 | b_ | provenance |  |
-| constructors.cpp:23:5:23:7 | *this [post update] [a_] | constructors.cpp:23:5:23:7 | *this [Return] [a_] | provenance |  |
-| constructors.cpp:23:5:23:7 | *this [post update] [b_] | constructors.cpp:23:5:23:7 | *this [Return] [b_] | provenance |  |
+| constructors.cpp:23:5:23:7 | *Foo [post update] [a_] | constructors.cpp:23:5:23:7 | *this [Return] [a_] | provenance |  |
+| constructors.cpp:23:5:23:7 | *Foo [post update] [b_] | constructors.cpp:23:5:23:7 | *this [Return] [b_] | provenance |  |
 | constructors.cpp:23:13:23:13 | a | constructors.cpp:23:28:23:28 | a | provenance |  |
 | constructors.cpp:23:20:23:20 | b | constructors.cpp:23:35:23:35 | b | provenance |  |
-| constructors.cpp:23:28:23:28 | a | constructors.cpp:23:5:23:7 | *this [post update] [a_] | provenance |  |
-| constructors.cpp:23:35:23:35 | b | constructors.cpp:23:5:23:7 | *this [post update] [b_] | provenance |  |
+| constructors.cpp:23:28:23:28 | a | constructors.cpp:23:5:23:7 | *Foo [post update] [a_] | provenance |  |
+| constructors.cpp:23:35:23:35 | b | constructors.cpp:23:5:23:7 | *Foo [post update] [b_] | provenance |  |
 | constructors.cpp:26:15:26:15 | *f [a_] | constructors.cpp:28:10:28:10 | *f [a_] | provenance |  |
 | constructors.cpp:26:15:26:15 | *f [b_] | constructors.cpp:29:10:29:10 | *f [b_] | provenance |  |
 | constructors.cpp:28:10:28:10 | *f [a_] | constructors.cpp:18:9:18:9 | *this [a_] | provenance |  |
@@ -1122,9 +1122,9 @@ nodes
 | C.cpp:18:12:18:18 | call to C [s3] | semmle.label | call to C [s3] |
 | C.cpp:19:5:19:5 | *c [s1] | semmle.label | *c [s1] |
 | C.cpp:19:5:19:5 | *c [s3] | semmle.label | *c [s3] |
+| C.cpp:22:3:22:3 | *C [post update] [s1] | semmle.label | *C [post update] [s1] |
 | C.cpp:22:3:22:3 | *this [Return] [s1] | semmle.label | *this [Return] [s1] |
 | C.cpp:22:3:22:3 | *this [Return] [s3] | semmle.label | *this [Return] [s3] |
-| C.cpp:22:3:22:3 | *this [post update] [s1] | semmle.label | *this [post update] [s1] |
 | C.cpp:22:12:22:21 | new | semmle.label | new |
 | C.cpp:22:12:22:21 | new | semmle.label | new |
 | C.cpp:24:5:24:8 | *this [post update] [s3] | semmle.label | *this [post update] [s3] |
@@ -1678,10 +1678,10 @@ nodes
 | constructors.cpp:19:22:19:23 | *this [b_] | semmle.label | *this [b_] |
 | constructors.cpp:19:22:19:23 | b_ | semmle.label | b_ |
 | constructors.cpp:19:22:19:23 | b_ | semmle.label | b_ |
+| constructors.cpp:23:5:23:7 | *Foo [post update] [a_] | semmle.label | *Foo [post update] [a_] |
+| constructors.cpp:23:5:23:7 | *Foo [post update] [b_] | semmle.label | *Foo [post update] [b_] |
 | constructors.cpp:23:5:23:7 | *this [Return] [a_] | semmle.label | *this [Return] [a_] |
 | constructors.cpp:23:5:23:7 | *this [Return] [b_] | semmle.label | *this [Return] [b_] |
-| constructors.cpp:23:5:23:7 | *this [post update] [a_] | semmle.label | *this [post update] [a_] |
-| constructors.cpp:23:5:23:7 | *this [post update] [b_] | semmle.label | *this [post update] [b_] |
 | constructors.cpp:23:13:23:13 | a | semmle.label | a |
 | constructors.cpp:23:20:23:20 | b | semmle.label | b |
 | constructors.cpp:23:28:23:28 | a | semmle.label | a |

cpp/ql/test/library-tests/dataflow/ir-barrier-guards/test.cpp

@@ -4,6 +4,12 @@ void sink(int);
 
 void testCheckArgument(int* p) {
   if (checkArgument(p)) {
-    sink(*p); // $ barrier barrier=1
+    sink(*p); // $ indirect_barrier=int barrier=int*
+  }
+}
+
+void testCheckArgument(int p) {
+  if (checkArgument(&p)) {
+    sink(p); // $ barrier=glval<int> indirect_barrier=int
   }
 }

cpp/ql/test/library-tests/dataflow/ir-barrier-guards/test.ql

@@ -13,26 +13,33 @@ predicate instructionGuardChecks(IRGuardCondition gc, Instruction checked, boole
 
 module BarrierGuard = DataFlow::InstructionBarrierGuard<instructionGuardChecks/3>;
 
-predicate indirectBarrierGuard(DataFlow::Node node, int indirectionIndex) {
-  node = BarrierGuard::getAnIndirectBarrierNode(indirectionIndex)
+predicate indirectBarrierGuard(DataFlow::Node node, string s) {
+  node = BarrierGuard::getAnIndirectBarrierNode(_) and
+  if node.isGLValue()
+  then s = "glval<" + node.getType().toString().replaceAll(" ", "") + ">"
+  else s = node.getType().toString().replaceAll(" ", "")
 }
 
-predicate barrierGuard(DataFlow::Node node) { node = BarrierGuard::getABarrierNode() }
+predicate barrierGuard(DataFlow::Node node, string s) {
+  node = BarrierGuard::getABarrierNode() and
+  if node.isGLValue()
+  then s = "glval<" + node.getType().toString().replaceAll(" ", "") + ">"
+  else s = node.getType().toString().replaceAll(" ", "")
+}
 
 module Test implements TestSig {
-  string getARelevantTag() { result = "barrier" }
+  string getARelevantTag() { result = ["barrier", "indirect_barrier"] }
 
   predicate hasActualResult(Location location, string element, string tag, string value) {
-    exists(DataFlow::Node node |
-      barrierGuard(node) and
-      value = ""
+    exists(DataFlow::Node node, string s |
+      indirectBarrierGuard(node, s) and
+      value = s and
+      tag = "indirect_barrier"
       or
-      exists(int indirectionIndex |
-        indirectBarrierGuard(node, indirectionIndex) and
-        value = indirectionIndex.toString()
-      )
+      barrierGuard(node, s) and
+      value = s and
+      tag = "barrier"
     |
-      tag = "barrier" and
       element = node.toString() and
       location = node.getLocation()
     )

cpp/ql/test/library-tests/friends/loop/friends.expected

@@ -1,9 +1,14 @@
 | file://:0:0:0:0 | E<C>'s friend | loop.cpp:5:26:5:26 | E<D> |
+| file://:0:0:0:0 | E<C>'s friend | loop.cpp:5:26:5:26 | E<T> |
 | file://:0:0:0:0 | E<C>'s friend | loop.cpp:10:26:10:26 | F<D> |
+| file://:0:0:0:0 | E<C>'s friend | loop.cpp:10:26:10:26 | F<T> |
 | file://:0:0:0:0 | E<D>'s friend | loop.cpp:5:26:5:26 | E<C> |
+| file://:0:0:0:0 | E<D>'s friend | loop.cpp:5:26:5:26 | E<T> |
 | file://:0:0:0:0 | E<D>'s friend | loop.cpp:10:26:10:26 | F<D> |
+| file://:0:0:0:0 | E<D>'s friend | loop.cpp:10:26:10:26 | F<T> |
 | file://:0:0:0:0 | F<D>'s friend | loop.cpp:5:26:5:26 | E<C> |
 | file://:0:0:0:0 | F<D>'s friend | loop.cpp:5:26:5:26 | E<D> |
+| file://:0:0:0:0 | F<D>'s friend | loop.cpp:5:26:5:26 | E<T> |
 | loop.cpp:6:5:6:5 | E<T>'s friend | loop.cpp:5:26:5:26 | E<T> |
 | loop.cpp:7:5:7:5 | E<T>'s friend | loop.cpp:7:36:7:36 | F<U> |
 | loop.cpp:11:5:11:5 | F<T>'s friend | loop.cpp:11:36:11:36 | E<U> |

cpp/ql/test/library-tests/ir/ir/aliased_ssa_consistency.expected

@@ -27,7 +27,7 @@ invalidOverlap
 nonUniqueEnclosingIRFunction
 fieldAddressOnNonPointer
 thisArgumentIsNonPointer
-| ir.cpp:2546:34:2546:34 | Call: call to operator bool | Call instruction 'Call: call to operator bool' has a `this` argument operand that is not an address, in function '$@'. | ir.cpp:2545:6:2545:23 | void this_inconsistency(bool) | void this_inconsistency(bool) |
+| ir.cpp:2548:34:2548:34 | Call: call to operator bool | Call instruction 'Call: call to operator bool' has a `this` argument operand that is not an address, in function '$@'. | ir.cpp:2547:6:2547:23 | void this_inconsistency(bool) | void this_inconsistency(bool) |
 nonUniqueIRVariable
 nonBooleanOperand
 missingCppType

cpp/ql/test/library-tests/ir/ir/aliased_ssa_consistency_unsound.expected

@@ -27,7 +27,7 @@ invalidOverlap
 nonUniqueEnclosingIRFunction
 fieldAddressOnNonPointer
 thisArgumentIsNonPointer
-| ir.cpp:2546:34:2546:34 | Call: call to operator bool | Call instruction 'Call: call to operator bool' has a `this` argument operand that is not an address, in function '$@'. | ir.cpp:2545:6:2545:23 | void this_inconsistency(bool) | void this_inconsistency(bool) |
+| ir.cpp:2548:34:2548:34 | Call: call to operator bool | Call instruction 'Call: call to operator bool' has a `this` argument operand that is not an address, in function '$@'. | ir.cpp:2547:6:2547:23 | void this_inconsistency(bool) | void this_inconsistency(bool) |
 nonUniqueIRVariable
 nonBooleanOperand
 missingCppType

cpp/ql/test/library-tests/ir/ir/ir.cpp

@@ -1214,6 +1214,8 @@ void VectorTypes(int i) {
   vi4[i] = x;
   vector(4, int) vi4_shuffle = __builtin_shufflevector(vi4, vi4, 3+0, 2, 1, 0);
   vi4 = vi4 + vi4_shuffle;
+  vi4 = vi4 && vi4_shuffle;
+  vi4 = vi4 || vi4_shuffle;
 }
 
 void *memcpy(void *dst, void *src, int size);

cpp/ql/test/library-tests/ir/ir/raw_consistency.expected

@@ -20,7 +20,7 @@ multipleIRTypes
 lostReachability
 backEdgeCountMismatch
 useNotDominatedByDefinition
-| ir.cpp:1535:8:1535:8 | Unary | Operand 'Unary' is not dominated by its definition in function '$@'. | ir.cpp:1535:8:1535:8 | void StructuredBindingDataMemberStruct::StructuredBindingDataMemberStruct() | void StructuredBindingDataMemberStruct::StructuredBindingDataMemberStruct() |
+| ir.cpp:1537:8:1537:8 | Unary | Operand 'Unary' is not dominated by its definition in function '$@'. | ir.cpp:1537:8:1537:8 | void StructuredBindingDataMemberStruct::StructuredBindingDataMemberStruct() | void StructuredBindingDataMemberStruct::StructuredBindingDataMemberStruct() |
 switchInstructionWithoutDefaultEdge
 notMarkedAsConflated
 wronglyMarkedAsConflated
@@ -28,7 +28,7 @@ invalidOverlap
 nonUniqueEnclosingIRFunction
 fieldAddressOnNonPointer
 thisArgumentIsNonPointer
-| ir.cpp:2546:34:2546:34 | Call: call to operator bool | Call instruction 'Call: call to operator bool' has a `this` argument operand that is not an address, in function '$@'. | ir.cpp:2545:6:2545:23 | void this_inconsistency(bool) | void this_inconsistency(bool) |
+| ir.cpp:2548:34:2548:34 | Call: call to operator bool | Call instruction 'Call: call to operator bool' has a `this` argument operand that is not an address, in function '$@'. | ir.cpp:2547:6:2547:23 | void this_inconsistency(bool) | void this_inconsistency(bool) |
 nonUniqueIRVariable
 nonBooleanOperand
 missingCppType