disabled new features

add functionInterfacesInFile and surroundingFunctionParameters features
documentation for calleeImports ATM feature
2026-06-02 20:30:15 +02:00 · 2022-04-25 09:04:56 +02:00 · 2022-04-25 09:04:56 +02:00 · 2022-04-25 09:04:56 +02:00 · 2022-04-25 09:04:56 +02:00 · 2022-04-25 09:04:56 +02:00
434 changed files with 12452 additions and 4867 deletions
--- a/.bazelrc
+++ b/.bazelrc
@@ -0,0 +1,3 @@
+build --copt="-std=c++17"
+
+try-import %workspace%/local.bazelrc
--- a/.bazelversion
+++ b/.bazelversion
@@ -0,0 +1 @@
+5.0.0
--- a/.github/actions/fetch-codeql/action.yml
+++ b/.github/actions/fetch-codeql/action.yml
@@ -3,12 +3,22 @@ description: Fetches the latest version of CodeQL
 runs:
  using: composite
  steps:
+    - name: Select platform - Linux
+      if: runner.os == 'Linux'
+      shell: bash
+      run: echo "GA_CODEQL_CLI_PLATFORM=linux64" >> $GITHUB_ENV
+
+    - name: Select platform - MacOS
+      if: runner.os == 'MacOS'
+      shell: bash
+      run: echo "GA_CODEQL_CLI_PLATFORM=osx64" >> $GITHUB_ENV
+
    - name: Fetch CodeQL
      shell: bash
      run: |
        LATEST=$(gh release list --repo https://github.com/github/codeql-cli-binaries | cut -f 1 | grep -v beta | sort --version-sort | tail -1)
-        gh release download --repo https://github.com/github/codeql-cli-binaries --pattern codeql-linux64.zip "$LATEST"
-        unzip -q -d "${RUNNER_TEMP}" codeql-linux64.zip
+        gh release download --repo https://github.com/github/codeql-cli-binaries --pattern codeql-$GA_CODEQL_CLI_PLATFORM.zip "$LATEST"
+        unzip -q -d "${RUNNER_TEMP}" codeql-$GA_CODEQL_CLI_PLATFORM.zip
        echo "${RUNNER_TEMP}/codeql" >> "${GITHUB_PATH}"
      env:
        GITHUB_TOKEN: ${{ github.token }}
--- a/.github/workflows/post-pr-comment.yml
+++ b/.github/workflows/post-pr-comment.yml
@@ -1,12 +1,17 @@
-name: Post pull-request comment
+# This workflow is the second part of the process described in
+# .github/workflows/qhelp-pr-preview.yml
+# See that file for more info.
+
+name: Post PR comment
 on:
  workflow_run:
-    workflows: ["Query help preview"]
+    workflows: [Render QHelp changes]
    types:
      - completed

 permissions:
  pull-requests: write
+  actions: read

 jobs:
  post_comment:
@@ -17,15 +22,53 @@ jobs:
        env:
          GITHUB_TOKEN: ${{ github.token }}
          WORKFLOW_RUN_ID: ${{ github.event.workflow_run.id }}
-      - run: |
-          PR="$(grep -o '^[0-9]\+$' pr.txt)"
+
+      - name: Check that PR SHA matches workflow SHA
+        run: |
+          PR="$(grep -o '^[0-9]\+$' pr_number.txt)"
          PR_HEAD_SHA="$(gh api "/repos/${GITHUB_REPOSITORY}/pulls/${PR}" --jq .head.sha)"
          # Check that the pull-request head SHA matches the head SHA of the workflow run
          if [ "${WORKFLOW_RUN_HEAD_SHA}" != "${PR_HEAD_SHA}" ]; then
            echo "PR head SHA ${PR_HEAD_SHA} does not match workflow_run event SHA ${WORKFLOW_RUN_HEAD_SHA}. Stopping." 1>&2
            exit 1
          fi
-          gh pr comment "${PR}" --repo "${GITHUB_REPOSITORY}" -F comment.txt
        env:
          GITHUB_TOKEN: ${{ github.token }}
          WORKFLOW_RUN_HEAD_SHA: ${{ github.event.workflow_run.head_commit.id }}
+
+      - name: Create or update comment
+        run: |
+          COMMENT_PREFIX="QHelp previews"
+          COMMENT_AUTHOR="github-actions[bot]"
+          PR_NUMBER="$(grep -o '^[0-9]\+$' pr_number.txt)"
+
+          # If there is no existing comment, comment_id.txt will contain just a
+          # newline (due to jq & gh behaviour). This will cause grep to fail, so
+          # we catch that.
+          RAW_COMMENT_ID=$(grep -o '^[0-9]\+$' comment_id.txt || true)
+
+          if [ $RAW_COMMENT_ID ]
+          then
+            # Fetch existing comment, and validate:
+            # - comment belongs to the PR with number $PR_NUMBER
+            # - comment starts with the expected prefix ("QHelp previews")
+            # - comment author is github-actions[bot]
+            FILTER='select(.issue_url | endswith($repo+"/issues/"+$pr))
+                  | select(.body | startswith($prefix))
+                  | select(.user.login == $author)
+                  | .id'
+            COMMENT_ID=$(gh api "repos/${GITHUB_REPOSITORY}/issues/comments/${RAW_COMMENT_ID}" | jq --arg repo "${GITHUB_REPOSITORY}" --arg pr "${PR_NUMBER}" --arg prefix "${COMMENT_PREFIX}" --arg author "${COMMENT_AUTHOR}" "${FILTER}")
+            if [ $COMMENT_ID ]
+            then
+              # Update existing comment
+              jq --rawfile body comment_body.txt '{"body":$body}' -n | gh api "repos/${GITHUB_REPOSITORY}/issues/comments/${COMMENT_ID}" -X PATCH --input -
+            else
+              echo "Comment ${RAW_COMMENT_ID} did not pass validations: not editing." >&2
+              exit 1
+            fi
+          else
+            # Create new comment
+            jq --rawfile body comment_body.txt '{"body":$body}' -n | gh api "repos/${GITHUB_REPOSITORY}/issues/${PR_NUMBER}/comments" -X POST --input -
+          fi
+        env:
+          GITHUB_TOKEN: ${{ github.token }}
--- a/.github/workflows/qhelp-pr-preview.yml
+++ b/.github/workflows/qhelp-pr-preview.yml
@@ -1,7 +1,25 @@
-name: Query help preview
+# This workflow checks for any changes in .qhelp files in pull requests.
+# For any changed files, it renders them to markdown in a file called `comment_body.txt`.
+# It then checks if there's an existing comment on the pull request generated by
+# this workflow, and writes the comment ID to `comment_id.txt`.
+# It also writes the PR number to `pr_number.txt`.
+# These three files are uploaded as an artifact.
+
+# When this workflow completes, the workflow "Post PR comment" runs.
+# It downloads the artifact and adds a comment to the PR with the rendered
+# QHelp.
+
+# The task is split like this because creating PR comments requires extra
+# permissions that we don't want to expose to PRs from external forks.
+
+# For more info see:
+# https://docs.github.com/en/actions/using-workflows/events-that-trigger-workflows#workflow_run
+# https://docs.github.com/en/actions/security-guides/automatic-token-authentication#permissions-for-the-github_token
+name: Render QHelp changes

 permissions:
  contents: read
+  pull-requests: read

 on:
  pull_request:
@@ -15,12 +33,16 @@ jobs:
  qhelp:
    runs-on: ubuntu-latest
    steps:
-      - run: echo "${{  github.event.number }}" > pr.txt
+      - run: echo "${PR_NUMBER}" > pr_number.txt
+        env:
+          PR_NUMBER: ${{ github.event.number }}
      - uses: actions/upload-artifact@v2
        with:
          name: comment
-          path: pr.txt
+          path: pr_number.txt
+          if-no-files-found: error
          retention-days: 1
+
      - uses: actions/checkout@v2
        with:
          fetch-depth: 2
@@ -36,7 +58,7 @@ jobs:
      - name: QHelp preview
        run: |
          EXIT_CODE=0
-          echo "QHelp previews:" > comment.txt
+          echo "QHelp previews:" > comment_body.txt
          while read -r -d $'\0' path; do
            if [ ! -f "${path}" ]; then
               exit 1
@@ -52,12 +74,29 @@ jobs:
               echo '```'
            fi
            echo "</details>"
-          done < "${RUNNER_TEMP}/paths.txt" >> comment.txt
+          done < "${RUNNER_TEMP}/paths.txt" >> comment_body.txt
          exit "${EXIT_CODE}"

      - if: always()
        uses: actions/upload-artifact@v2
        with:
          name: comment
-          path: comment.txt
+          path: comment_body.txt
+          if-no-files-found: error
+          retention-days: 1
+
+      - name: Save ID of existing QHelp comment (if it exists)
+        run: |
+          # Find the latest comment starting with "QHelp previews"
+          COMMENT_PREFIX="QHelp previews"
+          gh api "repos/${GITHUB_REPOSITORY}/issues/${PR_NUMBER}/comments" --paginate | jq --arg prefix "${COMMENT_PREFIX}" '[.[] | select(.body|startswith($prefix)) | .id] | max' > comment_id.txt
+        env:
+          GITHUB_TOKEN: ${{ github.token }}
+          PR_NUMBER: ${{ github.event.number }}
+
+      - uses: actions/upload-artifact@v2
+        with:
+          name: comment
+          path: comment_id.txt
+          if-no-files-found: error
          retention-days: 1
--- a/.github/workflows/swift-qltest.yml
+++ b/.github/workflows/swift-qltest.yml
@@ -0,0 +1,51 @@
+name: "Swift: Run QL Tests"
+
+on:
+  pull_request:
+    paths:
+      - "swift/**"
+      - .github/workflows/swift-qltest.yml
+    branches:
+      - main
+defaults:
+  run:
+    working-directory: swift
+
+jobs:
+  qlformat:
+    runs-on: ubuntu-latest
+    steps:
+      - uses: actions/checkout@v2
+      - uses: ./.github/actions/fetch-codeql
+      - name: Check QL formatting
+        run: find ql "(" -name "*.ql" -or -name "*.qll" ")" -print0 | xargs -0 codeql query format --check-only
+  qltest:
+    runs-on: ${{ matrix.os }}
+    strategy:
+      fail-fast: false
+      matrix:
+        os : [ubuntu-20.04, macos-latest]
+    steps:
+      - uses: actions/checkout@v2
+      - uses: ./.github/actions/fetch-codeql
+      - name: Install bazelisk - Linux
+        if: runner.os == 'Linux'
+        run: |
+          sudo apt-get update
+          sudo apt-get install -y wget
+          wget https://github.com/bazelbuild/bazelisk/releases/download/v1.11.0/bazelisk-linux-amd64
+          mv bazelisk-linux-amd64 /usr/local/bin/bazel
+          chmod +x /usr/local/bin/bazel
+      - name: Install bazelisk - macOS
+        if: runner.os == 'MacOS'
+        run: |
+          brew install bazelisk
+      - name: Build Swift extractor
+        run: |
+          bazel run //swift:create-extractor-pack
+      - name: Run QL tests
+        run: |
+          codeql test run --threads=0 --ram 5000 --search-path "${{ github.workspace }}/swift/extractor-pack" --check-databases --check-unused-labels --check-repeated-labels --check-redefined-labels --check-use-before-definition ql/test
+        env:
+          GITHUB_TOKEN: ${{ github.token }}
+
--- a/.gitignore
+++ b/.gitignore
@@ -31,5 +31,8 @@ csharp/extractor/Semmle.Extraction.CSharp.Driver/Properties/launchSettings.json
 # Compiled class file
 *.class

-# links create by bazel
+# links created by bazel
 /bazel-*
+
+# CLion project files
+/.clwb
--- a/.pre-commit-config.yaml
+++ b/.pre-commit-config.yaml
@@ -2,28 +2,41 @@
 # See https://pre-commit.com/hooks.html for more hooks
 exclude: /test/.*$(?<!\.ql)(?<!\.qll)(?<!\.qlref)
 repos:
-   repo: https://github.com/pre-commit/pre-commit-hooks
+  - repo: https://github.com/pre-commit/pre-commit-hooks
    rev: v3.2.0
    hooks:
-    -   id: trailing-whitespace
-    -   id: end-of-file-fixer
+      - id: trailing-whitespace
+      - id: end-of-file-fixer

-   repo: local
+  - repo: https://github.com/pre-commit/mirrors-clang-format
+    rev: v13.0.1
    hooks:
-    -   id: codeql-format
+      - id: clang-format
+        files: ^swift/.*\.(h|c|cpp)$
+
+  - repo: local
+    hooks:
+      - id: codeql-format
        name: Fix QL file formatting
        files: \.qll?$
        language: system
        entry: codeql query format --in-place

-    -   id: sync-files
+      - id: sync-files
        name: Fix files required to be identical
        language: system
        entry: python3 config/sync-files.py --latest
        pass_filenames: false

-    -   id: qhelp
+      - id: qhelp
        name: Check query help generation
        files: \.qhelp$
        language: system
        entry: python3 misc/scripts/check-qhelp.py
+
+      - id: swift-codegen
+        name: Run Swift checked in code generation
+        files: ^swift/(codegen/|.*/generated/|ql/lib/swift\.dbscheme$)
+        language: system
+        entry: bazel run //swift/codegen
+        pass_filenames: false
--- a/BUILD.bazel
+++ b/BUILD.bazel
--- a/12
+++ b/12
@@ -5,14 +5,6 @@
 /python/ @github/codeql-python
 /ruby/ @github/codeql-ruby

-# Make @xcorail (GitHub Security Lab) a code owner for experimental queries so he gets pinged when we promote a query out of experimental
-/cpp/**/experimental/**/* @github/codeql-c-analysis @xcorail
-/csharp/**/experimental/**/* @github/codeql-csharp @xcorail
-/java/**/experimental/**/* @github/codeql-java @xcorail
-/javascript/**/experimental/**/* @github/codeql-javascript @xcorail
-/python/**/experimental/**/* @github/codeql-python @xcorail
-/ruby/**/experimental/**/* @github/codeql-ruby @xcorail
-
 # ML-powered queries
 /javascript/ql/experimental/adaptivethreatmodeling/ @github/codeql-ml-powered-queries-reviewers

@@ -35,3 +27,7 @@
 # Bazel
 **/*.bazel @github/codeql-ci-reviewers
 **/*.bzl @github/codeql-ci-reviewers
+
+# Documentation etc
+/*.md @github/code-scanning-product
+/LICENSE @github/code-scanning-product
--- a/README.md
+++ b/README.md
@@ -13,7 +13,9 @@ We welcome contributions to our standard library and standard checks. Do you hav

 ## License

-The code in this repository is licensed under the [MIT License](LICENSE) by [GitHub](https://github.com). The use of CodeQL on open source code is licensed under specific [Terms & Conditions](https://securitylab.github.com/tools/codeql/license/) UNLESS you have a commercial license in place. If you'd like to use CodeQL with a commercial codebase, please [contact us](https://github.com/enterprise/contact) for further help.
+The code in this repository is licensed under the [MIT License](LICENSE) by [GitHub](https://github.com).
+
+The CodeQL CLI (including the CodeQL engine) is hosted in a [different repository](https://github.com/github/codeql-cli-binaries) and is [licensed separately](https://github.com/github/codeql-cli-binaries/blob/main/LICENSE.md). If you'd like to use the CodeQL CLI to analyze closed-source code, you will need a separate commercial license; please [contact us](https://github.com/enterprise/contact) for further help.

 ## Visual Studio Code integration

--- a/WORKSPACE.bazel
+++ b/WORKSPACE.bazel
@@ -1,2 +1,12 @@
 # Please notice that any bazel targets and definitions in this repository are currently experimental
 # and for internal use only.
+
+workspace(name = "codeql")
+
+load("//misc/bazel:workspace.bzl", "codeql_workspace")
+
+codeql_workspace()
+
+load("//misc/bazel:workspace_deps.bzl", "codeql_workspace_deps")
+
+codeql_workspace_deps()
--- a/config/identical-files.json
+++ b/config/identical-files.json
@@ -51,6 +51,7 @@
    "csharp/ql/lib/semmle/code/csharp/dataflow/internal/tainttracking5/TaintTrackingImpl.qll",
    "java/ql/lib/semmle/code/java/dataflow/internal/tainttracking1/TaintTrackingImpl.qll",
    "java/ql/lib/semmle/code/java/dataflow/internal/tainttracking2/TaintTrackingImpl.qll",
+    "java/ql/lib/semmle/code/java/dataflow/internal/tainttracking3/TaintTrackingImpl.qll",
    "python/ql/lib/semmle/python/dataflow/new/internal/tainttracking1/TaintTrackingImpl.qll",
    "python/ql/lib/semmle/python/dataflow/new/internal/tainttracking2/TaintTrackingImpl.qll",
    "python/ql/lib/semmle/python/dataflow/new/internal/tainttracking3/TaintTrackingImpl.qll",
@@ -383,7 +384,8 @@
    "csharp/ql/test/TestUtilities/InlineExpectationsTest.qll",
    "java/ql/test/TestUtilities/InlineExpectationsTest.qll",
    "python/ql/test/TestUtilities/InlineExpectationsTest.qll",
-    "ruby/ql/test/TestUtilities/InlineExpectationsTest.qll"
+    "ruby/ql/test/TestUtilities/InlineExpectationsTest.qll",
+    "ql/ql/test/TestUtilities/InlineExpectationsTest.qll"
  ],
  "C++ ExternalAPIs": [
    "cpp/ql/src/Security/CWE/CWE-020/ExternalAPIs.qll",
@@ -549,4 +551,4 @@
    "javascript/ql/lib/semmle/javascript/security/dataflow/HttpToFileAccessCustomizations.qll",
    "ruby/ql/lib/codeql/ruby/security/HttpToFileAccessCustomizations.qll"
  ]
-}
+}
--- a/cpp/ql/lib/CHANGELOG.md
+++ b/cpp/ql/lib/CHANGELOG.md
@@ -1,3 +1,26 @@
+## 0.0.13
+
+## 0.0.12
+
+### Breaking Changes
+
+* The flow state variants of `isBarrier` and `isAdditionalFlowStep` are no longer exposed in the taint tracking library. The `isSanitizer` and `isAdditionalTaintStep` predicates should be used instead.
+
+### Deprecated APIs
+
+* Many classes/predicates/modules that had upper-case acronyms have been renamed to follow our style-guide. 
+  The old name still exists as a deprecated alias.
+
+### New Features
+
+* The data flow and taint tracking libraries have been extended with versions of `isBarrierIn`, `isBarrierOut`, and `isBarrierGuard`, respectively `isSanitizerIn`, `isSanitizerOut`, and `isSanitizerGuard`, that support flow states.
+
+### Minor Analysis Improvements
+
+* `DefaultOptions::exits` now holds for C11 functions with the `_Noreturn` or `noreturn` specifier.
+* `hasImplicitCopyConstructor` and `hasImplicitCopyAssignmentOperator` now correctly handle implicitly-deleted operators in templates.
+* All deprecated predicates/classes/modules that have been deprecated for over a year have been deleted.
+
 ## 0.0.11

 ### Minor Analysis Improvements
--- a/cpp/ql/lib/change-notes/2022-02-07-deleted-deprecations.md
+++ b/cpp/ql/lib/change-notes/2022-02-07-deleted-deprecations.md
@@ -1,4 +0,0 @@
---
-category: minorAnalysis
---
-* All deprecated predicates/classes/modules that have been deprecated for over a year have been deleted.
--- a/cpp/ql/lib/change-notes/2022-02-07-deprecated-acronyms.md
+++ b/cpp/ql/lib/change-notes/2022-02-07-deprecated-acronyms.md
@@ -1,5 +0,0 @@
---
-category: deprecated
---
-* Many classes/predicates/modules that had upper-case acronyms have been renamed to follow our style-guide. 
-  The old name still exists as a deprecated alias.
--- a/cpp/ql/lib/change-notes/2022-03-10-template-implicit-copy.md
+++ b/cpp/ql/lib/change-notes/2022-03-10-template-implicit-copy.md
@@ -1,4 +0,0 @@
---
-category: minorAnalysis
---
-* `hasImplicitCopyConstructor` and `hasImplicitCopyAssignmentOperator` now correctly handle implicitly-deleted operators in templates.
--- a/cpp/ql/lib/change-notes/2022-03-14-c11-noreturn.md
+++ b/cpp/ql/lib/change-notes/2022-03-14-c11-noreturn.md
@@ -1,4 +0,0 @@
---
-category: minorAnalysis
---
-* `DefaultOptions::exits` now holds for C11 functions with the `_Noreturn` or `noreturn` specifier.
--- a/cpp/ql/lib/change-notes/2022-03-14-flow-state-barriers.md
+++ b/cpp/ql/lib/change-notes/2022-03-14-flow-state-barriers.md
@@ -1,4 +0,0 @@
---
-category: feature
---
-* The data flow and taint tracking libraries have been extended with versions of `isBarrierIn`, `isBarrierOut`, and `isBarrierGuard`, respectively `isSanitizerIn`, `isSanitizerOut`, and `isSanitizerGuard`, that support flow states.
--- a/cpp/ql/lib/change-notes/2022-03-14-taint-interface-cleanup.md
+++ b/cpp/ql/lib/change-notes/2022-03-14-taint-interface-cleanup.md
@@ -1,4 +0,0 @@
---
-category: breaking
---
-* The flow state variants of `isBarrier` and `isAdditionalFlowStep` are no longer exposed in the taint tracking library. The `isSanitizer` and `isAdditionalTaintStep` predicates should be used instead.
--- a/cpp/ql/lib/change-notes/2022-04-08-flow-state-barriers.md
+++ b/cpp/ql/lib/change-notes/2022-04-08-flow-state-barriers.md
@@ -0,0 +1,4 @@
+---
+category: breaking
+---
+The recently added flow-state versions of `isBarrierIn`, `isBarrierOut`, `isSanitizerIn`, and `isSanitizerOut` in the data flow and taint tracking libraries have been removed.
--- a/cpp/ql/lib/change-notes/released/0.0.12.md
+++ b/cpp/ql/lib/change-notes/released/0.0.12.md
@@ -0,0 +1,20 @@
+## 0.0.12
+
+### Breaking Changes
+
+* The flow state variants of `isBarrier` and `isAdditionalFlowStep` are no longer exposed in the taint tracking library. The `isSanitizer` and `isAdditionalTaintStep` predicates should be used instead.
+
+### Deprecated APIs
+
+* Many classes/predicates/modules that had upper-case acronyms have been renamed to follow our style-guide. 
+  The old name still exists as a deprecated alias.
+
+### New Features
+
+* The data flow and taint tracking libraries have been extended with versions of `isBarrierIn`, `isBarrierOut`, and `isBarrierGuard`, respectively `isSanitizerIn`, `isSanitizerOut`, and `isSanitizerGuard`, that support flow states.
+
+### Minor Analysis Improvements
+
+* `DefaultOptions::exits` now holds for C11 functions with the `_Noreturn` or `noreturn` specifier.
+* `hasImplicitCopyConstructor` and `hasImplicitCopyAssignmentOperator` now correctly handle implicitly-deleted operators in templates.
+* All deprecated predicates/classes/modules that have been deprecated for over a year have been deleted.
--- a/cpp/ql/lib/change-notes/released/0.0.13.md
+++ b/cpp/ql/lib/change-notes/released/0.0.13.md
@@ -0,0 +1 @@
+## 0.0.13
--- a/cpp/ql/lib/codeql-pack.release.yml
+++ b/cpp/ql/lib/codeql-pack.release.yml
@@ -1,2 +1,2 @@
 ---
-lastReleaseVersion: 0.0.11
+lastReleaseVersion: 0.0.13
--- a/cpp/ql/lib/qlpack.yml
+++ b/cpp/ql/lib/qlpack.yml
@@ -1,5 +1,5 @@
 name: codeql/cpp-all
-version: 0.0.12-dev
+version: 0.1.0-dev
 groups: cpp
 dbscheme: semmlecode.cpp.dbscheme
 extractor: cpp
--- a/cpp/ql/lib/semmle/code/cpp/AutogeneratedFile.qll
+++ b/cpp/ql/lib/semmle/code/cpp/AutogeneratedFile.qll
@@ -84,6 +84,7 @@ private int fileHeaderLimit(File f) {
    fc = fileFirstComment(f) and
    result =
      min(int line |
+        // code ending the initial comments
        exists(DeclarationEntry de, Location l |
          l = de.getLocation() and
          l.getFile() = f and
@@ -105,7 +106,13 @@ private int fileHeaderLimit(File f) {
          line > fc
        )
        or
+        // end of the file
        line = f.getMetrics().getNumberOfLines()
+        or
+        // rarely, we've seen extremely long sequences of initial comments
+        // (and/or limitations in the above constraints) cause an overflow of
+        // the maximum string length. So don't look past 1000 lines regardless.
+        line = 1000
      )
  )
 }
--- a/cpp/ql/lib/semmle/code/cpp/Element.qll
+++ b/cpp/ql/lib/semmle/code/cpp/Element.qll
@@ -109,10 +109,7 @@ class Element extends ElementBase {
    then
      exists(MacroInvocation mi |
        this = mi.getAGeneratedElement() and
-        not exists(MacroInvocation closer |
-          this = closer.getAGeneratedElement() and
-          mi = closer.getParentInvocation+()
-        ) and
+        not hasCloserMacroInvocation(this, mi) and
        result = mi.getMacro()
      )
    else result = this
@@ -236,6 +233,14 @@ class Element extends ElementBase {
  }
 }

+pragma[noinline]
+private predicate hasCloserMacroInvocation(Element elem, MacroInvocation mi) {
+  exists(MacroInvocation closer |
+    elem = closer.getAGeneratedElement() and
+    mi = closer.getParentInvocation()
+  )
+}
+
 private predicate isFromTemplateInstantiationRec(Element e, Element instantiation) {
  instantiation.(Function).isConstructedFrom(_) and
  e = instantiation
--- a/cpp/ql/lib/semmle/code/cpp/commons/Buffer.qll
+++ b/cpp/ql/lib/semmle/code/cpp/commons/Buffer.qll
@@ -27,11 +27,11 @@ int getBufferSize(Expr bufferExpr, Element why) {
    result = bufferVar.getUnspecifiedType().(ArrayType).getSize() and
    why = bufferVar and
    not memberMayBeVarSize(_, bufferVar) and
-    not result = 0 // zero sized arrays are likely to have special usage, for example
-    or
+    // zero sized arrays are likely to have special usage, for example
    // behaving a bit like a 'union' overlapping other fields.
-    // buffer is an initialized array
-    //  e.g. int buffer[] = {1, 2, 3};
+    not result = 0
+    or
+    // buffer is an initialized array, e.g., int buffer[] = {1, 2, 3};
    why = bufferVar.getInitializer().getExpr() and
    (
      why instanceof AggregateLiteral or
--- a/cpp/ql/lib/semmle/code/cpp/controlflow/StackVariableReachability.qll
+++ b/cpp/ql/lib/semmle/code/cpp/controlflow/StackVariableReachability.qll
@@ -80,7 +80,11 @@ abstract class StackVariableReachability extends string {
        j > i and
        sink = bb.getNode(j) and
        this.isSink(sink, v) and
-        not exists(int k | this.isBarrier(bb.getNode(k), v) | k in [i + 1 .. j - 1])
+        not exists(int k, ControlFlowNode node |
+          node = bb.getNode(k) and this.isBarrier(pragma[only_bind_into](node), v)
+        |
+          k in [i + 1 .. j - 1]
+        )
      )
      or
      not exists(int k | this.isBarrier(bb.getNode(k), v) | k > i) and
--- a/cpp/ql/lib/semmle/code/cpp/dataflow/internal/DataFlowImpl.qll
+++ b/cpp/ql/lib/semmle/code/cpp/dataflow/internal/DataFlowImpl.qll
@@ -87,21 +87,9 @@ abstract class Configuration extends string {
  /** Holds if data flow into `node` is prohibited. */
  predicate isBarrierIn(Node node) { none() }

-  /**
-   * Holds if data flow into `node` is prohibited when the flow state is
-   * `state`
-   */
-  predicate isBarrierIn(Node node, FlowState state) { none() }
-
  /** Holds if data flow out of `node` is prohibited. */
  predicate isBarrierOut(Node node) { none() }

-  /**
-   * Holds if data flow out of `node` is prohibited when the flow state is
-   * `state`
-   */
-  predicate isBarrierOut(Node node, FlowState state) { none() }
-
  /** Holds if data flow through nodes guarded by `guard` is prohibited. */
  predicate isBarrierGuard(BarrierGuard guard) { none() }

@@ -321,7 +309,7 @@ private class RetNodeEx extends NodeEx {
  ReturnKindExt getKind() { result = this.asNode().(ReturnNodeExt).getKind() }
 }

-private predicate fullInBarrier(NodeEx node, Configuration config) {
+private predicate inBarrier(NodeEx node, Configuration config) {
  exists(Node n |
    node.asNode() = n and
    config.isBarrierIn(n)
@@ -330,16 +318,7 @@ private predicate fullInBarrier(NodeEx node, Configuration config) {
  )
 }

-private predicate stateInBarrier(NodeEx node, FlowState state, Configuration config) {
-  exists(Node n |
-    node.asNode() = n and
-    config.isBarrierIn(n, state)
-  |
-    config.isSource(n, state)
-  )
-}
-
-private predicate fullOutBarrier(NodeEx node, Configuration config) {
+private predicate outBarrier(NodeEx node, Configuration config) {
  exists(Node n |
    node.asNode() = n and
    config.isBarrierOut(n)
@@ -348,15 +327,6 @@ private predicate fullOutBarrier(NodeEx node, Configuration config) {
  )
 }

-private predicate stateOutBarrier(NodeEx node, FlowState state, Configuration config) {
-  exists(Node n |
-    node.asNode() = n and
-    config.isBarrierOut(n, state)
-  |
-    config.isSink(n, state)
-  )
-}
-
 pragma[nomagic]
 private predicate fullBarrier(NodeEx node, Configuration config) {
  exists(Node n | node.asNode() = n |
@@ -382,12 +352,6 @@ private predicate stateBarrier(NodeEx node, FlowState state, Configuration confi
  exists(Node n | node.asNode() = n |
    config.isBarrier(n, state)
    or
-    config.isBarrierIn(n, state) and
-    not config.isSource(n, state)
-    or
-    config.isBarrierOut(n, state) and
-    not config.isSink(n, state)
-    or
    exists(BarrierGuard g |
      config.isBarrierGuard(g, state) and
      n = g.getAGuardedNode()
@@ -420,8 +384,8 @@ private predicate sinkNode(NodeEx node, FlowState state, Configuration config) {
 /** Provides the relevant barriers for a step from `node1` to `node2`. */
 pragma[inline]
 private predicate stepFilter(NodeEx node1, NodeEx node2, Configuration config) {
-  not fullOutBarrier(node1, config) and
-  not fullInBarrier(node2, config) and
+  not outBarrier(node1, config) and
+  not inBarrier(node2, config) and
  not fullBarrier(node1, config) and
  not fullBarrier(node2, config)
 }
@@ -474,8 +438,6 @@ private predicate additionalLocalStateStep(
    config.isAdditionalFlowStep(n1, s1, n2, s2) and
    getNodeEnclosingCallable(n1) = getNodeEnclosingCallable(n2) and
    stepFilter(node1, node2, config) and
-    not stateOutBarrier(node1, s1, config) and
-    not stateInBarrier(node2, s2, config) and
    not stateBarrier(node1, s1, config) and
    not stateBarrier(node2, s2, config)
  )
@@ -517,8 +479,6 @@ private predicate additionalJumpStateStep(
    config.isAdditionalFlowStep(n1, s1, n2, s2) and
    getNodeEnclosingCallable(n1) != getNodeEnclosingCallable(n2) and
    stepFilter(node1, node2, config) and
-    not stateOutBarrier(node1, s1, config) and
-    not stateInBarrier(node2, s2, config) and
    not stateBarrier(node1, s1, config) and
    not stateBarrier(node2, s2, config) and
    not config.getAFeature() instanceof FeatureEqualSourceSinkCallContext
@@ -918,8 +878,8 @@ private module Stage1 {
  private predicate throughFlowNodeCand(NodeEx node, Configuration config) {
    revFlow(node, true, config) and
    fwdFlow(node, true, config) and
-    not fullInBarrier(node, config) and
-    not fullOutBarrier(node, config)
+    not inBarrier(node, config) and
+    not outBarrier(node, config)
  }

  /** Holds if flow may return from `callable`. */
@@ -1014,8 +974,8 @@ private predicate flowOutOfCallNodeCand1(
 ) {
  viableReturnPosOutNodeCand1(call, ret.getReturnPosition(), out, config) and
  Stage1::revFlow(ret, config) and
-  not fullOutBarrier(ret, config) and
-  not fullInBarrier(out, config)
+  not outBarrier(ret, config) and
+  not inBarrier(out, config)
 }

 pragma[nomagic]
@@ -1036,8 +996,8 @@ private predicate flowIntoCallNodeCand1(
 ) {
  viableParamArgNodeCand1(call, p, arg, config) and
  Stage1::revFlow(p, config) and
-  not fullOutBarrier(arg, config) and
-  not fullInBarrier(p, config)
+  not outBarrier(arg, config) and
+  not inBarrier(p, config)
 }

 /**
@@ -1158,8 +1118,8 @@ private module Stage2 {
    if reducedViableImplInReturn(c, call) then result = TReturn(c, call) else result = ccNone()
  }

-  bindingset[node, cc, config]
-  private LocalCc getLocalCc(NodeEx node, Cc cc, Configuration config) { any() }
+  bindingset[node, cc]
+  private LocalCc getLocalCc(NodeEx node, Cc cc) { any() }

  bindingset[node1, state1, config]
  bindingset[node2, state2, config]
@@ -1246,7 +1206,7 @@ private module Stage2 {
    or
    exists(NodeEx mid, FlowState state0, Ap ap0, LocalCc localCc |
      fwdFlow(mid, state0, cc, argAp, ap0, config) and
-      localCc = getLocalCc(mid, cc, config)
+      localCc = getLocalCc(mid, cc)
    |
      localStep(mid, state0, node, state, true, _, config, localCc) and
      ap = ap0
@@ -1951,8 +1911,8 @@ private module Stage3 {
  bindingset[call, c, innercc]
  private CcNoCall getCallContextReturn(DataFlowCallable c, DataFlowCall call, Cc innercc) { any() }

-  bindingset[node, cc, config]
-  private LocalCc getLocalCc(NodeEx node, Cc cc, Configuration config) { any() }
+  bindingset[node, cc]
+  private LocalCc getLocalCc(NodeEx node, Cc cc) { any() }

  private predicate localStep(
    NodeEx node1, FlowState state1, NodeEx node2, FlowState state2, boolean preservesValue,
@@ -2035,7 +1995,7 @@ private module Stage3 {
    or
    exists(NodeEx mid, FlowState state0, Ap ap0, LocalCc localCc |
      fwdFlow(mid, state0, cc, argAp, ap0, config) and
-      localCc = getLocalCc(mid, cc, config)
+      localCc = getLocalCc(mid, cc)
    |
      localStep(mid, state0, node, state, true, _, config, localCc) and
      ap = ap0
@@ -2765,12 +2725,11 @@ private module Stage4 {
    if reducedViableImplInReturn(c, call) then result = TReturn(c, call) else result = ccNone()
  }

-  bindingset[node, cc, config]
-  private LocalCc getLocalCc(NodeEx node, Cc cc, Configuration config) {
+  bindingset[node, cc]
+  private LocalCc getLocalCc(NodeEx node, Cc cc) {
    result =
      getLocalCallContext(pragma[only_bind_into](pragma[only_bind_out](cc)),
-        node.getEnclosingCallable()) and
-    exists(config)
+        node.getEnclosingCallable())
  }

  private predicate localStep(
@@ -2863,7 +2822,7 @@ private module Stage4 {
    or
    exists(NodeEx mid, FlowState state0, Ap ap0, LocalCc localCc |
      fwdFlow(mid, state0, cc, argAp, ap0, config) and
-      localCc = getLocalCc(mid, cc, config)
+      localCc = getLocalCc(mid, cc)
    |
      localStep(mid, state0, node, state, true, _, config, localCc) and
      ap = ap0
@@ -5048,6 +5007,7 @@ private module FlowExploration {
    )
  }

+  pragma[nomagic]
  private predicate revPartialPathStep(
    PartialPathNodeRev mid, NodeEx node, FlowState state, TRevSummaryCtx1 sc1, TRevSummaryCtx2 sc2,
    TRevSummaryCtx3 sc3, RevPartialAccessPath ap, Configuration config
--- a/cpp/ql/lib/semmle/code/cpp/dataflow/internal/DataFlowImpl2.qll
+++ b/cpp/ql/lib/semmle/code/cpp/dataflow/internal/DataFlowImpl2.qll
@@ -87,21 +87,9 @@ abstract class Configuration extends string {
  /** Holds if data flow into `node` is prohibited. */
  predicate isBarrierIn(Node node) { none() }

-  /**
-   * Holds if data flow into `node` is prohibited when the flow state is
-   * `state`
-   */
-  predicate isBarrierIn(Node node, FlowState state) { none() }
-
  /** Holds if data flow out of `node` is prohibited. */
  predicate isBarrierOut(Node node) { none() }

-  /**
-   * Holds if data flow out of `node` is prohibited when the flow state is
-   * `state`
-   */
-  predicate isBarrierOut(Node node, FlowState state) { none() }
-
  /** Holds if data flow through nodes guarded by `guard` is prohibited. */
  predicate isBarrierGuard(BarrierGuard guard) { none() }

@@ -321,7 +309,7 @@ private class RetNodeEx extends NodeEx {
  ReturnKindExt getKind() { result = this.asNode().(ReturnNodeExt).getKind() }
 }

-private predicate fullInBarrier(NodeEx node, Configuration config) {
+private predicate inBarrier(NodeEx node, Configuration config) {
  exists(Node n |
    node.asNode() = n and
    config.isBarrierIn(n)
@@ -330,16 +318,7 @@ private predicate fullInBarrier(NodeEx node, Configuration config) {
  )
 }

-private predicate stateInBarrier(NodeEx node, FlowState state, Configuration config) {
-  exists(Node n |
-    node.asNode() = n and
-    config.isBarrierIn(n, state)
-  |
-    config.isSource(n, state)
-  )
-}
-
-private predicate fullOutBarrier(NodeEx node, Configuration config) {
+private predicate outBarrier(NodeEx node, Configuration config) {
  exists(Node n |
    node.asNode() = n and
    config.isBarrierOut(n)
@@ -348,15 +327,6 @@ private predicate fullOutBarrier(NodeEx node, Configuration config) {
  )
 }

-private predicate stateOutBarrier(NodeEx node, FlowState state, Configuration config) {
-  exists(Node n |
-    node.asNode() = n and
-    config.isBarrierOut(n, state)
-  |
-    config.isSink(n, state)
-  )
-}
-
 pragma[nomagic]
 private predicate fullBarrier(NodeEx node, Configuration config) {
  exists(Node n | node.asNode() = n |
@@ -382,12 +352,6 @@ private predicate stateBarrier(NodeEx node, FlowState state, Configuration confi
  exists(Node n | node.asNode() = n |
    config.isBarrier(n, state)
    or
-    config.isBarrierIn(n, state) and
-    not config.isSource(n, state)
-    or
-    config.isBarrierOut(n, state) and
-    not config.isSink(n, state)
-    or
    exists(BarrierGuard g |
      config.isBarrierGuard(g, state) and
      n = g.getAGuardedNode()
@@ -420,8 +384,8 @@ private predicate sinkNode(NodeEx node, FlowState state, Configuration config) {
 /** Provides the relevant barriers for a step from `node1` to `node2`. */
 pragma[inline]
 private predicate stepFilter(NodeEx node1, NodeEx node2, Configuration config) {
-  not fullOutBarrier(node1, config) and
-  not fullInBarrier(node2, config) and
+  not outBarrier(node1, config) and
+  not inBarrier(node2, config) and
  not fullBarrier(node1, config) and
  not fullBarrier(node2, config)
 }
@@ -474,8 +438,6 @@ private predicate additionalLocalStateStep(
    config.isAdditionalFlowStep(n1, s1, n2, s2) and
    getNodeEnclosingCallable(n1) = getNodeEnclosingCallable(n2) and
    stepFilter(node1, node2, config) and
-    not stateOutBarrier(node1, s1, config) and
-    not stateInBarrier(node2, s2, config) and
    not stateBarrier(node1, s1, config) and
    not stateBarrier(node2, s2, config)
  )
@@ -517,8 +479,6 @@ private predicate additionalJumpStateStep(
    config.isAdditionalFlowStep(n1, s1, n2, s2) and
    getNodeEnclosingCallable(n1) != getNodeEnclosingCallable(n2) and
    stepFilter(node1, node2, config) and
-    not stateOutBarrier(node1, s1, config) and
-    not stateInBarrier(node2, s2, config) and
    not stateBarrier(node1, s1, config) and
    not stateBarrier(node2, s2, config) and
    not config.getAFeature() instanceof FeatureEqualSourceSinkCallContext
@@ -918,8 +878,8 @@ private module Stage1 {
  private predicate throughFlowNodeCand(NodeEx node, Configuration config) {
    revFlow(node, true, config) and
    fwdFlow(node, true, config) and
-    not fullInBarrier(node, config) and
-    not fullOutBarrier(node, config)
+    not inBarrier(node, config) and
+    not outBarrier(node, config)
  }

  /** Holds if flow may return from `callable`. */
@@ -1014,8 +974,8 @@ private predicate flowOutOfCallNodeCand1(
 ) {
  viableReturnPosOutNodeCand1(call, ret.getReturnPosition(), out, config) and
  Stage1::revFlow(ret, config) and
-  not fullOutBarrier(ret, config) and
-  not fullInBarrier(out, config)
+  not outBarrier(ret, config) and
+  not inBarrier(out, config)
 }

 pragma[nomagic]
@@ -1036,8 +996,8 @@ private predicate flowIntoCallNodeCand1(
 ) {
  viableParamArgNodeCand1(call, p, arg, config) and
  Stage1::revFlow(p, config) and
-  not fullOutBarrier(arg, config) and
-  not fullInBarrier(p, config)
+  not outBarrier(arg, config) and
+  not inBarrier(p, config)
 }

 /**
@@ -1158,8 +1118,8 @@ private module Stage2 {
    if reducedViableImplInReturn(c, call) then result = TReturn(c, call) else result = ccNone()
  }

-  bindingset[node, cc, config]
-  private LocalCc getLocalCc(NodeEx node, Cc cc, Configuration config) { any() }
+  bindingset[node, cc]
+  private LocalCc getLocalCc(NodeEx node, Cc cc) { any() }

  bindingset[node1, state1, config]
  bindingset[node2, state2, config]
@@ -1246,7 +1206,7 @@ private module Stage2 {
    or
    exists(NodeEx mid, FlowState state0, Ap ap0, LocalCc localCc |
      fwdFlow(mid, state0, cc, argAp, ap0, config) and
-      localCc = getLocalCc(mid, cc, config)
+      localCc = getLocalCc(mid, cc)
    |
      localStep(mid, state0, node, state, true, _, config, localCc) and
      ap = ap0
@@ -1951,8 +1911,8 @@ private module Stage3 {
  bindingset[call, c, innercc]
  private CcNoCall getCallContextReturn(DataFlowCallable c, DataFlowCall call, Cc innercc) { any() }

-  bindingset[node, cc, config]
-  private LocalCc getLocalCc(NodeEx node, Cc cc, Configuration config) { any() }
+  bindingset[node, cc]
+  private LocalCc getLocalCc(NodeEx node, Cc cc) { any() }

  private predicate localStep(
    NodeEx node1, FlowState state1, NodeEx node2, FlowState state2, boolean preservesValue,
@@ -2035,7 +1995,7 @@ private module Stage3 {
    or
    exists(NodeEx mid, FlowState state0, Ap ap0, LocalCc localCc |
      fwdFlow(mid, state0, cc, argAp, ap0, config) and
-      localCc = getLocalCc(mid, cc, config)
+      localCc = getLocalCc(mid, cc)
    |
      localStep(mid, state0, node, state, true, _, config, localCc) and
      ap = ap0
@@ -2765,12 +2725,11 @@ private module Stage4 {
    if reducedViableImplInReturn(c, call) then result = TReturn(c, call) else result = ccNone()
  }

-  bindingset[node, cc, config]
-  private LocalCc getLocalCc(NodeEx node, Cc cc, Configuration config) {
+  bindingset[node, cc]
+  private LocalCc getLocalCc(NodeEx node, Cc cc) {
    result =
      getLocalCallContext(pragma[only_bind_into](pragma[only_bind_out](cc)),
-        node.getEnclosingCallable()) and
-    exists(config)
+        node.getEnclosingCallable())
  }

  private predicate localStep(
@@ -2863,7 +2822,7 @@ private module Stage4 {
    or
    exists(NodeEx mid, FlowState state0, Ap ap0, LocalCc localCc |
      fwdFlow(mid, state0, cc, argAp, ap0, config) and
-      localCc = getLocalCc(mid, cc, config)
+      localCc = getLocalCc(mid, cc)
    |
      localStep(mid, state0, node, state, true, _, config, localCc) and
      ap = ap0
@@ -5048,6 +5007,7 @@ private module FlowExploration {
    )
  }

+  pragma[nomagic]
  private predicate revPartialPathStep(
    PartialPathNodeRev mid, NodeEx node, FlowState state, TRevSummaryCtx1 sc1, TRevSummaryCtx2 sc2,
    TRevSummaryCtx3 sc3, RevPartialAccessPath ap, Configuration config
--- a/cpp/ql/lib/semmle/code/cpp/dataflow/internal/DataFlowImpl3.qll
+++ b/cpp/ql/lib/semmle/code/cpp/dataflow/internal/DataFlowImpl3.qll
@@ -87,21 +87,9 @@ abstract class Configuration extends string {
  /** Holds if data flow into `node` is prohibited. */
  predicate isBarrierIn(Node node) { none() }

-  /**
-   * Holds if data flow into `node` is prohibited when the flow state is
-   * `state`
-   */
-  predicate isBarrierIn(Node node, FlowState state) { none() }
-
  /** Holds if data flow out of `node` is prohibited. */
  predicate isBarrierOut(Node node) { none() }

-  /**
-   * Holds if data flow out of `node` is prohibited when the flow state is
-   * `state`
-   */
-  predicate isBarrierOut(Node node, FlowState state) { none() }
-
  /** Holds if data flow through nodes guarded by `guard` is prohibited. */
  predicate isBarrierGuard(BarrierGuard guard) { none() }

@@ -321,7 +309,7 @@ private class RetNodeEx extends NodeEx {
  ReturnKindExt getKind() { result = this.asNode().(ReturnNodeExt).getKind() }
 }

-private predicate fullInBarrier(NodeEx node, Configuration config) {
+private predicate inBarrier(NodeEx node, Configuration config) {
  exists(Node n |
    node.asNode() = n and
    config.isBarrierIn(n)
@@ -330,16 +318,7 @@ private predicate fullInBarrier(NodeEx node, Configuration config) {
  )
 }

-private predicate stateInBarrier(NodeEx node, FlowState state, Configuration config) {
-  exists(Node n |
-    node.asNode() = n and
-    config.isBarrierIn(n, state)
-  |
-    config.isSource(n, state)
-  )
-}
-
-private predicate fullOutBarrier(NodeEx node, Configuration config) {
+private predicate outBarrier(NodeEx node, Configuration config) {
  exists(Node n |
    node.asNode() = n and
    config.isBarrierOut(n)
@@ -348,15 +327,6 @@ private predicate fullOutBarrier(NodeEx node, Configuration config) {
  )
 }

-private predicate stateOutBarrier(NodeEx node, FlowState state, Configuration config) {
-  exists(Node n |
-    node.asNode() = n and
-    config.isBarrierOut(n, state)
-  |
-    config.isSink(n, state)
-  )
-}
-
 pragma[nomagic]
 private predicate fullBarrier(NodeEx node, Configuration config) {
  exists(Node n | node.asNode() = n |
@@ -382,12 +352,6 @@ private predicate stateBarrier(NodeEx node, FlowState state, Configuration confi
  exists(Node n | node.asNode() = n |
    config.isBarrier(n, state)
    or
-    config.isBarrierIn(n, state) and
-    not config.isSource(n, state)
-    or
-    config.isBarrierOut(n, state) and
-    not config.isSink(n, state)
-    or
    exists(BarrierGuard g |
      config.isBarrierGuard(g, state) and
      n = g.getAGuardedNode()
@@ -420,8 +384,8 @@ private predicate sinkNode(NodeEx node, FlowState state, Configuration config) {
 /** Provides the relevant barriers for a step from `node1` to `node2`. */
 pragma[inline]
 private predicate stepFilter(NodeEx node1, NodeEx node2, Configuration config) {
-  not fullOutBarrier(node1, config) and
-  not fullInBarrier(node2, config) and
+  not outBarrier(node1, config) and
+  not inBarrier(node2, config) and
  not fullBarrier(node1, config) and
  not fullBarrier(node2, config)
 }
@@ -474,8 +438,6 @@ private predicate additionalLocalStateStep(
    config.isAdditionalFlowStep(n1, s1, n2, s2) and
    getNodeEnclosingCallable(n1) = getNodeEnclosingCallable(n2) and
    stepFilter(node1, node2, config) and
-    not stateOutBarrier(node1, s1, config) and
-    not stateInBarrier(node2, s2, config) and
    not stateBarrier(node1, s1, config) and
    not stateBarrier(node2, s2, config)
  )
@@ -517,8 +479,6 @@ private predicate additionalJumpStateStep(
    config.isAdditionalFlowStep(n1, s1, n2, s2) and
    getNodeEnclosingCallable(n1) != getNodeEnclosingCallable(n2) and
    stepFilter(node1, node2, config) and
-    not stateOutBarrier(node1, s1, config) and
-    not stateInBarrier(node2, s2, config) and
    not stateBarrier(node1, s1, config) and
    not stateBarrier(node2, s2, config) and
    not config.getAFeature() instanceof FeatureEqualSourceSinkCallContext
@@ -918,8 +878,8 @@ private module Stage1 {
  private predicate throughFlowNodeCand(NodeEx node, Configuration config) {
    revFlow(node, true, config) and
    fwdFlow(node, true, config) and
-    not fullInBarrier(node, config) and
-    not fullOutBarrier(node, config)
+    not inBarrier(node, config) and
+    not outBarrier(node, config)
  }

  /** Holds if flow may return from `callable`. */
@@ -1014,8 +974,8 @@ private predicate flowOutOfCallNodeCand1(
 ) {
  viableReturnPosOutNodeCand1(call, ret.getReturnPosition(), out, config) and
  Stage1::revFlow(ret, config) and
-  not fullOutBarrier(ret, config) and
-  not fullInBarrier(out, config)
+  not outBarrier(ret, config) and
+  not inBarrier(out, config)
 }

 pragma[nomagic]
@@ -1036,8 +996,8 @@ private predicate flowIntoCallNodeCand1(
 ) {
  viableParamArgNodeCand1(call, p, arg, config) and
  Stage1::revFlow(p, config) and
-  not fullOutBarrier(arg, config) and
-  not fullInBarrier(p, config)
+  not outBarrier(arg, config) and
+  not inBarrier(p, config)
 }

 /**
@@ -1158,8 +1118,8 @@ private module Stage2 {
    if reducedViableImplInReturn(c, call) then result = TReturn(c, call) else result = ccNone()
  }

-  bindingset[node, cc, config]
-  private LocalCc getLocalCc(NodeEx node, Cc cc, Configuration config) { any() }
+  bindingset[node, cc]
+  private LocalCc getLocalCc(NodeEx node, Cc cc) { any() }

  bindingset[node1, state1, config]
  bindingset[node2, state2, config]
@@ -1246,7 +1206,7 @@ private module Stage2 {
    or
    exists(NodeEx mid, FlowState state0, Ap ap0, LocalCc localCc |
      fwdFlow(mid, state0, cc, argAp, ap0, config) and
-      localCc = getLocalCc(mid, cc, config)
+      localCc = getLocalCc(mid, cc)
    |
      localStep(mid, state0, node, state, true, _, config, localCc) and
      ap = ap0
@@ -1951,8 +1911,8 @@ private module Stage3 {
  bindingset[call, c, innercc]
  private CcNoCall getCallContextReturn(DataFlowCallable c, DataFlowCall call, Cc innercc) { any() }

-  bindingset[node, cc, config]
-  private LocalCc getLocalCc(NodeEx node, Cc cc, Configuration config) { any() }
+  bindingset[node, cc]
+  private LocalCc getLocalCc(NodeEx node, Cc cc) { any() }

  private predicate localStep(
    NodeEx node1, FlowState state1, NodeEx node2, FlowState state2, boolean preservesValue,
@@ -2035,7 +1995,7 @@ private module Stage3 {
    or
    exists(NodeEx mid, FlowState state0, Ap ap0, LocalCc localCc |
      fwdFlow(mid, state0, cc, argAp, ap0, config) and
-      localCc = getLocalCc(mid, cc, config)
+      localCc = getLocalCc(mid, cc)
    |
      localStep(mid, state0, node, state, true, _, config, localCc) and
      ap = ap0
@@ -2765,12 +2725,11 @@ private module Stage4 {
    if reducedViableImplInReturn(c, call) then result = TReturn(c, call) else result = ccNone()
  }

-  bindingset[node, cc, config]
-  private LocalCc getLocalCc(NodeEx node, Cc cc, Configuration config) {
+  bindingset[node, cc]
+  private LocalCc getLocalCc(NodeEx node, Cc cc) {
    result =
      getLocalCallContext(pragma[only_bind_into](pragma[only_bind_out](cc)),
-        node.getEnclosingCallable()) and
-    exists(config)
+        node.getEnclosingCallable())
  }

  private predicate localStep(
@@ -2863,7 +2822,7 @@ private module Stage4 {
    or
    exists(NodeEx mid, FlowState state0, Ap ap0, LocalCc localCc |
      fwdFlow(mid, state0, cc, argAp, ap0, config) and
-      localCc = getLocalCc(mid, cc, config)
+      localCc = getLocalCc(mid, cc)
    |
      localStep(mid, state0, node, state, true, _, config, localCc) and
      ap = ap0
@@ -5048,6 +5007,7 @@ private module FlowExploration {
    )
  }

+  pragma[nomagic]
  private predicate revPartialPathStep(
    PartialPathNodeRev mid, NodeEx node, FlowState state, TRevSummaryCtx1 sc1, TRevSummaryCtx2 sc2,
    TRevSummaryCtx3 sc3, RevPartialAccessPath ap, Configuration config
--- a/cpp/ql/lib/semmle/code/cpp/dataflow/internal/DataFlowImpl4.qll
+++ b/cpp/ql/lib/semmle/code/cpp/dataflow/internal/DataFlowImpl4.qll
@@ -87,21 +87,9 @@ abstract class Configuration extends string {
  /** Holds if data flow into `node` is prohibited. */
  predicate isBarrierIn(Node node) { none() }

-  /**
-   * Holds if data flow into `node` is prohibited when the flow state is
-   * `state`
-   */
-  predicate isBarrierIn(Node node, FlowState state) { none() }
-
  /** Holds if data flow out of `node` is prohibited. */
  predicate isBarrierOut(Node node) { none() }

-  /**
-   * Holds if data flow out of `node` is prohibited when the flow state is
-   * `state`
-   */
-  predicate isBarrierOut(Node node, FlowState state) { none() }
-
  /** Holds if data flow through nodes guarded by `guard` is prohibited. */
  predicate isBarrierGuard(BarrierGuard guard) { none() }

@@ -321,7 +309,7 @@ private class RetNodeEx extends NodeEx {
  ReturnKindExt getKind() { result = this.asNode().(ReturnNodeExt).getKind() }
 }

-private predicate fullInBarrier(NodeEx node, Configuration config) {
+private predicate inBarrier(NodeEx node, Configuration config) {
  exists(Node n |
    node.asNode() = n and
    config.isBarrierIn(n)
@@ -330,16 +318,7 @@ private predicate fullInBarrier(NodeEx node, Configuration config) {
  )
 }

-private predicate stateInBarrier(NodeEx node, FlowState state, Configuration config) {
-  exists(Node n |
-    node.asNode() = n and
-    config.isBarrierIn(n, state)
-  |
-    config.isSource(n, state)
-  )
-}
-
-private predicate fullOutBarrier(NodeEx node, Configuration config) {
+private predicate outBarrier(NodeEx node, Configuration config) {
  exists(Node n |
    node.asNode() = n and
    config.isBarrierOut(n)
@@ -348,15 +327,6 @@ private predicate fullOutBarrier(NodeEx node, Configuration config) {
  )
 }

-private predicate stateOutBarrier(NodeEx node, FlowState state, Configuration config) {
-  exists(Node n |
-    node.asNode() = n and
-    config.isBarrierOut(n, state)
-  |
-    config.isSink(n, state)
-  )
-}
-
 pragma[nomagic]
 private predicate fullBarrier(NodeEx node, Configuration config) {
  exists(Node n | node.asNode() = n |
@@ -382,12 +352,6 @@ private predicate stateBarrier(NodeEx node, FlowState state, Configuration confi
  exists(Node n | node.asNode() = n |
    config.isBarrier(n, state)
    or
-    config.isBarrierIn(n, state) and
-    not config.isSource(n, state)
-    or
-    config.isBarrierOut(n, state) and
-    not config.isSink(n, state)
-    or
    exists(BarrierGuard g |
      config.isBarrierGuard(g, state) and
      n = g.getAGuardedNode()
@@ -420,8 +384,8 @@ private predicate sinkNode(NodeEx node, FlowState state, Configuration config) {
 /** Provides the relevant barriers for a step from `node1` to `node2`. */
 pragma[inline]
 private predicate stepFilter(NodeEx node1, NodeEx node2, Configuration config) {
-  not fullOutBarrier(node1, config) and
-  not fullInBarrier(node2, config) and
+  not outBarrier(node1, config) and
+  not inBarrier(node2, config) and
  not fullBarrier(node1, config) and
  not fullBarrier(node2, config)
 }
@@ -474,8 +438,6 @@ private predicate additionalLocalStateStep(
    config.isAdditionalFlowStep(n1, s1, n2, s2) and
    getNodeEnclosingCallable(n1) = getNodeEnclosingCallable(n2) and
    stepFilter(node1, node2, config) and
-    not stateOutBarrier(node1, s1, config) and
-    not stateInBarrier(node2, s2, config) and
    not stateBarrier(node1, s1, config) and
    not stateBarrier(node2, s2, config)
  )
@@ -517,8 +479,6 @@ private predicate additionalJumpStateStep(
    config.isAdditionalFlowStep(n1, s1, n2, s2) and
    getNodeEnclosingCallable(n1) != getNodeEnclosingCallable(n2) and
    stepFilter(node1, node2, config) and
-    not stateOutBarrier(node1, s1, config) and
-    not stateInBarrier(node2, s2, config) and
    not stateBarrier(node1, s1, config) and
    not stateBarrier(node2, s2, config) and
    not config.getAFeature() instanceof FeatureEqualSourceSinkCallContext
@@ -918,8 +878,8 @@ private module Stage1 {
  private predicate throughFlowNodeCand(NodeEx node, Configuration config) {
    revFlow(node, true, config) and
    fwdFlow(node, true, config) and
-    not fullInBarrier(node, config) and
-    not fullOutBarrier(node, config)
+    not inBarrier(node, config) and
+    not outBarrier(node, config)
  }

  /** Holds if flow may return from `callable`. */
@@ -1014,8 +974,8 @@ private predicate flowOutOfCallNodeCand1(
 ) {
  viableReturnPosOutNodeCand1(call, ret.getReturnPosition(), out, config) and
  Stage1::revFlow(ret, config) and
-  not fullOutBarrier(ret, config) and
-  not fullInBarrier(out, config)
+  not outBarrier(ret, config) and
+  not inBarrier(out, config)
 }

 pragma[nomagic]
@@ -1036,8 +996,8 @@ private predicate flowIntoCallNodeCand1(
 ) {
  viableParamArgNodeCand1(call, p, arg, config) and
  Stage1::revFlow(p, config) and
-  not fullOutBarrier(arg, config) and
-  not fullInBarrier(p, config)
+  not outBarrier(arg, config) and
+  not inBarrier(p, config)
 }

 /**
@@ -1158,8 +1118,8 @@ private module Stage2 {
    if reducedViableImplInReturn(c, call) then result = TReturn(c, call) else result = ccNone()
  }

-  bindingset[node, cc, config]
-  private LocalCc getLocalCc(NodeEx node, Cc cc, Configuration config) { any() }
+  bindingset[node, cc]
+  private LocalCc getLocalCc(NodeEx node, Cc cc) { any() }

  bindingset[node1, state1, config]
  bindingset[node2, state2, config]
@@ -1246,7 +1206,7 @@ private module Stage2 {
    or
    exists(NodeEx mid, FlowState state0, Ap ap0, LocalCc localCc |
      fwdFlow(mid, state0, cc, argAp, ap0, config) and
-      localCc = getLocalCc(mid, cc, config)
+      localCc = getLocalCc(mid, cc)
    |
      localStep(mid, state0, node, state, true, _, config, localCc) and
      ap = ap0
@@ -1951,8 +1911,8 @@ private module Stage3 {
  bindingset[call, c, innercc]
  private CcNoCall getCallContextReturn(DataFlowCallable c, DataFlowCall call, Cc innercc) { any() }

-  bindingset[node, cc, config]
-  private LocalCc getLocalCc(NodeEx node, Cc cc, Configuration config) { any() }
+  bindingset[node, cc]
+  private LocalCc getLocalCc(NodeEx node, Cc cc) { any() }

  private predicate localStep(
    NodeEx node1, FlowState state1, NodeEx node2, FlowState state2, boolean preservesValue,
@@ -2035,7 +1995,7 @@ private module Stage3 {
    or
    exists(NodeEx mid, FlowState state0, Ap ap0, LocalCc localCc |
      fwdFlow(mid, state0, cc, argAp, ap0, config) and
-      localCc = getLocalCc(mid, cc, config)
+      localCc = getLocalCc(mid, cc)
    |
      localStep(mid, state0, node, state, true, _, config, localCc) and
      ap = ap0
@@ -2765,12 +2725,11 @@ private module Stage4 {
    if reducedViableImplInReturn(c, call) then result = TReturn(c, call) else result = ccNone()
  }

-  bindingset[node, cc, config]
-  private LocalCc getLocalCc(NodeEx node, Cc cc, Configuration config) {
+  bindingset[node, cc]
+  private LocalCc getLocalCc(NodeEx node, Cc cc) {
    result =
      getLocalCallContext(pragma[only_bind_into](pragma[only_bind_out](cc)),
-        node.getEnclosingCallable()) and
-    exists(config)
+        node.getEnclosingCallable())
  }

  private predicate localStep(
@@ -2863,7 +2822,7 @@ private module Stage4 {
    or
    exists(NodeEx mid, FlowState state0, Ap ap0, LocalCc localCc |
      fwdFlow(mid, state0, cc, argAp, ap0, config) and
-      localCc = getLocalCc(mid, cc, config)
+      localCc = getLocalCc(mid, cc)
    |
      localStep(mid, state0, node, state, true, _, config, localCc) and
      ap = ap0
@@ -5048,6 +5007,7 @@ private module FlowExploration {
    )
  }

+  pragma[nomagic]
  private predicate revPartialPathStep(
    PartialPathNodeRev mid, NodeEx node, FlowState state, TRevSummaryCtx1 sc1, TRevSummaryCtx2 sc2,
    TRevSummaryCtx3 sc3, RevPartialAccessPath ap, Configuration config
--- a/cpp/ql/lib/semmle/code/cpp/dataflow/internal/DataFlowImplLocal.qll
+++ b/cpp/ql/lib/semmle/code/cpp/dataflow/internal/DataFlowImplLocal.qll
@@ -87,21 +87,9 @@ abstract class Configuration extends string {
  /** Holds if data flow into `node` is prohibited. */
  predicate isBarrierIn(Node node) { none() }

-  /**
-   * Holds if data flow into `node` is prohibited when the flow state is
-   * `state`
-   */
-  predicate isBarrierIn(Node node, FlowState state) { none() }
-
  /** Holds if data flow out of `node` is prohibited. */
  predicate isBarrierOut(Node node) { none() }

-  /**
-   * Holds if data flow out of `node` is prohibited when the flow state is
-   * `state`
-   */
-  predicate isBarrierOut(Node node, FlowState state) { none() }
-
  /** Holds if data flow through nodes guarded by `guard` is prohibited. */
  predicate isBarrierGuard(BarrierGuard guard) { none() }

@@ -321,7 +309,7 @@ private class RetNodeEx extends NodeEx {
  ReturnKindExt getKind() { result = this.asNode().(ReturnNodeExt).getKind() }
 }

-private predicate fullInBarrier(NodeEx node, Configuration config) {
+private predicate inBarrier(NodeEx node, Configuration config) {
  exists(Node n |
    node.asNode() = n and
    config.isBarrierIn(n)
@@ -330,16 +318,7 @@ private predicate fullInBarrier(NodeEx node, Configuration config) {
  )
 }

-private predicate stateInBarrier(NodeEx node, FlowState state, Configuration config) {
-  exists(Node n |
-    node.asNode() = n and
-    config.isBarrierIn(n, state)
-  |
-    config.isSource(n, state)
-  )
-}
-
-private predicate fullOutBarrier(NodeEx node, Configuration config) {
+private predicate outBarrier(NodeEx node, Configuration config) {
  exists(Node n |
    node.asNode() = n and
    config.isBarrierOut(n)
@@ -348,15 +327,6 @@ private predicate fullOutBarrier(NodeEx node, Configuration config) {
  )
 }

-private predicate stateOutBarrier(NodeEx node, FlowState state, Configuration config) {
-  exists(Node n |
-    node.asNode() = n and
-    config.isBarrierOut(n, state)
-  |
-    config.isSink(n, state)
-  )
-}
-
 pragma[nomagic]
 private predicate fullBarrier(NodeEx node, Configuration config) {
  exists(Node n | node.asNode() = n |
@@ -382,12 +352,6 @@ private predicate stateBarrier(NodeEx node, FlowState state, Configuration confi
  exists(Node n | node.asNode() = n |
    config.isBarrier(n, state)
    or
-    config.isBarrierIn(n, state) and
-    not config.isSource(n, state)
-    or
-    config.isBarrierOut(n, state) and
-    not config.isSink(n, state)
-    or
    exists(BarrierGuard g |
      config.isBarrierGuard(g, state) and
      n = g.getAGuardedNode()
@@ -420,8 +384,8 @@ private predicate sinkNode(NodeEx node, FlowState state, Configuration config) {
 /** Provides the relevant barriers for a step from `node1` to `node2`. */
 pragma[inline]
 private predicate stepFilter(NodeEx node1, NodeEx node2, Configuration config) {
-  not fullOutBarrier(node1, config) and
-  not fullInBarrier(node2, config) and
+  not outBarrier(node1, config) and
+  not inBarrier(node2, config) and
  not fullBarrier(node1, config) and
  not fullBarrier(node2, config)
 }
@@ -474,8 +438,6 @@ private predicate additionalLocalStateStep(
    config.isAdditionalFlowStep(n1, s1, n2, s2) and
    getNodeEnclosingCallable(n1) = getNodeEnclosingCallable(n2) and
    stepFilter(node1, node2, config) and
-    not stateOutBarrier(node1, s1, config) and
-    not stateInBarrier(node2, s2, config) and
    not stateBarrier(node1, s1, config) and
    not stateBarrier(node2, s2, config)
  )
@@ -517,8 +479,6 @@ private predicate additionalJumpStateStep(
    config.isAdditionalFlowStep(n1, s1, n2, s2) and
    getNodeEnclosingCallable(n1) != getNodeEnclosingCallable(n2) and
    stepFilter(node1, node2, config) and
-    not stateOutBarrier(node1, s1, config) and
-    not stateInBarrier(node2, s2, config) and
    not stateBarrier(node1, s1, config) and
    not stateBarrier(node2, s2, config) and
    not config.getAFeature() instanceof FeatureEqualSourceSinkCallContext
@@ -918,8 +878,8 @@ private module Stage1 {
  private predicate throughFlowNodeCand(NodeEx node, Configuration config) {
    revFlow(node, true, config) and
    fwdFlow(node, true, config) and
-    not fullInBarrier(node, config) and
-    not fullOutBarrier(node, config)
+    not inBarrier(node, config) and
+    not outBarrier(node, config)
  }

  /** Holds if flow may return from `callable`. */
@@ -1014,8 +974,8 @@ private predicate flowOutOfCallNodeCand1(
 ) {
  viableReturnPosOutNodeCand1(call, ret.getReturnPosition(), out, config) and
  Stage1::revFlow(ret, config) and
-  not fullOutBarrier(ret, config) and
-  not fullInBarrier(out, config)
+  not outBarrier(ret, config) and
+  not inBarrier(out, config)
 }

 pragma[nomagic]
@@ -1036,8 +996,8 @@ private predicate flowIntoCallNodeCand1(
 ) {
  viableParamArgNodeCand1(call, p, arg, config) and
  Stage1::revFlow(p, config) and
-  not fullOutBarrier(arg, config) and
-  not fullInBarrier(p, config)
+  not outBarrier(arg, config) and
+  not inBarrier(p, config)
 }

 /**
@@ -1158,8 +1118,8 @@ private module Stage2 {
    if reducedViableImplInReturn(c, call) then result = TReturn(c, call) else result = ccNone()
  }

-  bindingset[node, cc, config]
-  private LocalCc getLocalCc(NodeEx node, Cc cc, Configuration config) { any() }
+  bindingset[node, cc]
+  private LocalCc getLocalCc(NodeEx node, Cc cc) { any() }

  bindingset[node1, state1, config]
  bindingset[node2, state2, config]
@@ -1246,7 +1206,7 @@ private module Stage2 {
    or
    exists(NodeEx mid, FlowState state0, Ap ap0, LocalCc localCc |
      fwdFlow(mid, state0, cc, argAp, ap0, config) and
-      localCc = getLocalCc(mid, cc, config)
+      localCc = getLocalCc(mid, cc)
    |
      localStep(mid, state0, node, state, true, _, config, localCc) and
      ap = ap0
@@ -1951,8 +1911,8 @@ private module Stage3 {
  bindingset[call, c, innercc]
  private CcNoCall getCallContextReturn(DataFlowCallable c, DataFlowCall call, Cc innercc) { any() }

-  bindingset[node, cc, config]
-  private LocalCc getLocalCc(NodeEx node, Cc cc, Configuration config) { any() }
+  bindingset[node, cc]
+  private LocalCc getLocalCc(NodeEx node, Cc cc) { any() }

  private predicate localStep(
    NodeEx node1, FlowState state1, NodeEx node2, FlowState state2, boolean preservesValue,
@@ -2035,7 +1995,7 @@ private module Stage3 {
    or
    exists(NodeEx mid, FlowState state0, Ap ap0, LocalCc localCc |
      fwdFlow(mid, state0, cc, argAp, ap0, config) and
-      localCc = getLocalCc(mid, cc, config)
+      localCc = getLocalCc(mid, cc)
    |
      localStep(mid, state0, node, state, true, _, config, localCc) and
      ap = ap0
@@ -2765,12 +2725,11 @@ private module Stage4 {
    if reducedViableImplInReturn(c, call) then result = TReturn(c, call) else result = ccNone()
  }

-  bindingset[node, cc, config]
-  private LocalCc getLocalCc(NodeEx node, Cc cc, Configuration config) {
+  bindingset[node, cc]
+  private LocalCc getLocalCc(NodeEx node, Cc cc) {
    result =
      getLocalCallContext(pragma[only_bind_into](pragma[only_bind_out](cc)),
-        node.getEnclosingCallable()) and
-    exists(config)
+        node.getEnclosingCallable())
  }

  private predicate localStep(
@@ -2863,7 +2822,7 @@ private module Stage4 {
    or
    exists(NodeEx mid, FlowState state0, Ap ap0, LocalCc localCc |
      fwdFlow(mid, state0, cc, argAp, ap0, config) and
-      localCc = getLocalCc(mid, cc, config)
+      localCc = getLocalCc(mid, cc)
    |
      localStep(mid, state0, node, state, true, _, config, localCc) and
      ap = ap0
@@ -5048,6 +5007,7 @@ private module FlowExploration {
    )
  }

+  pragma[nomagic]
  private predicate revPartialPathStep(
    PartialPathNodeRev mid, NodeEx node, FlowState state, TRevSummaryCtx1 sc1, TRevSummaryCtx2 sc2,
    TRevSummaryCtx3 sc3, RevPartialAccessPath ap, Configuration config
--- a/cpp/ql/lib/semmle/code/cpp/dataflow/internal/tainttracking1/TaintTrackingImpl.qll
+++ b/cpp/ql/lib/semmle/code/cpp/dataflow/internal/tainttracking1/TaintTrackingImpl.qll
@@ -109,16 +109,6 @@ abstract class Configuration extends DataFlow::Configuration {
  /** Holds if taint propagation into `node` is prohibited. */
  predicate isSanitizerIn(DataFlow::Node node) { none() }

-  /**
-   * Holds if taint propagation into `node` is prohibited when the flow state is
-   * `state`.
-   */
-  predicate isSanitizerIn(DataFlow::Node node, DataFlow::FlowState state) { none() }
-
-  final override predicate isBarrierIn(DataFlow::Node node, DataFlow::FlowState state) {
-    this.isSanitizerIn(node, state)
-  }
-
  final override predicate isBarrierIn(DataFlow::Node node) { this.isSanitizerIn(node) }

  /** Holds if taint propagation out of `node` is prohibited. */
@@ -126,16 +116,6 @@ abstract class Configuration extends DataFlow::Configuration {

  final override predicate isBarrierOut(DataFlow::Node node) { this.isSanitizerOut(node) }

-  /**
-   * Holds if taint propagation out of `node` is prohibited when the flow state is
-   * `state`.
-   */
-  predicate isSanitizerOut(DataFlow::Node node, DataFlow::FlowState state) { none() }
-
-  final override predicate isBarrierOut(DataFlow::Node node, DataFlow::FlowState state) {
-    this.isSanitizerOut(node, state)
-  }
-
  /** Holds if taint propagation through nodes guarded by `guard` is prohibited. */
  predicate isSanitizerGuard(DataFlow::BarrierGuard guard) { none() }

--- a/cpp/ql/lib/semmle/code/cpp/dataflow/internal/tainttracking2/TaintTrackingImpl.qll
+++ b/cpp/ql/lib/semmle/code/cpp/dataflow/internal/tainttracking2/TaintTrackingImpl.qll
@@ -109,16 +109,6 @@ abstract class Configuration extends DataFlow::Configuration {
  /** Holds if taint propagation into `node` is prohibited. */
  predicate isSanitizerIn(DataFlow::Node node) { none() }

-  /**
-   * Holds if taint propagation into `node` is prohibited when the flow state is
-   * `state`.
-   */
-  predicate isSanitizerIn(DataFlow::Node node, DataFlow::FlowState state) { none() }
-
-  final override predicate isBarrierIn(DataFlow::Node node, DataFlow::FlowState state) {
-    this.isSanitizerIn(node, state)
-  }
-
  final override predicate isBarrierIn(DataFlow::Node node) { this.isSanitizerIn(node) }

  /** Holds if taint propagation out of `node` is prohibited. */
@@ -126,16 +116,6 @@ abstract class Configuration extends DataFlow::Configuration {

  final override predicate isBarrierOut(DataFlow::Node node) { this.isSanitizerOut(node) }

-  /**
-   * Holds if taint propagation out of `node` is prohibited when the flow state is
-   * `state`.
-   */
-  predicate isSanitizerOut(DataFlow::Node node, DataFlow::FlowState state) { none() }
-
-  final override predicate isBarrierOut(DataFlow::Node node, DataFlow::FlowState state) {
-    this.isSanitizerOut(node, state)
-  }
-
  /** Holds if taint propagation through nodes guarded by `guard` is prohibited. */
  predicate isSanitizerGuard(DataFlow::BarrierGuard guard) { none() }

--- a/cpp/ql/lib/semmle/code/cpp/ir/dataflow/internal/DataFlowImpl.qll
+++ b/cpp/ql/lib/semmle/code/cpp/ir/dataflow/internal/DataFlowImpl.qll
@@ -87,21 +87,9 @@ abstract class Configuration extends string {
  /** Holds if data flow into `node` is prohibited. */
  predicate isBarrierIn(Node node) { none() }

-  /**
-   * Holds if data flow into `node` is prohibited when the flow state is
-   * `state`
-   */
-  predicate isBarrierIn(Node node, FlowState state) { none() }
-
  /** Holds if data flow out of `node` is prohibited. */
  predicate isBarrierOut(Node node) { none() }

-  /**
-   * Holds if data flow out of `node` is prohibited when the flow state is
-   * `state`
-   */
-  predicate isBarrierOut(Node node, FlowState state) { none() }
-
  /** Holds if data flow through nodes guarded by `guard` is prohibited. */
  predicate isBarrierGuard(BarrierGuard guard) { none() }

@@ -321,7 +309,7 @@ private class RetNodeEx extends NodeEx {
  ReturnKindExt getKind() { result = this.asNode().(ReturnNodeExt).getKind() }
 }

-private predicate fullInBarrier(NodeEx node, Configuration config) {
+private predicate inBarrier(NodeEx node, Configuration config) {
  exists(Node n |
    node.asNode() = n and
    config.isBarrierIn(n)
@@ -330,16 +318,7 @@ private predicate fullInBarrier(NodeEx node, Configuration config) {
  )
 }

-private predicate stateInBarrier(NodeEx node, FlowState state, Configuration config) {
-  exists(Node n |
-    node.asNode() = n and
-    config.isBarrierIn(n, state)
-  |
-    config.isSource(n, state)
-  )
-}
-
-private predicate fullOutBarrier(NodeEx node, Configuration config) {
+private predicate outBarrier(NodeEx node, Configuration config) {
  exists(Node n |
    node.asNode() = n and
    config.isBarrierOut(n)
@@ -348,15 +327,6 @@ private predicate fullOutBarrier(NodeEx node, Configuration config) {
  )
 }

-private predicate stateOutBarrier(NodeEx node, FlowState state, Configuration config) {
-  exists(Node n |
-    node.asNode() = n and
-    config.isBarrierOut(n, state)
-  |
-    config.isSink(n, state)
-  )
-}
-
 pragma[nomagic]
 private predicate fullBarrier(NodeEx node, Configuration config) {
  exists(Node n | node.asNode() = n |
@@ -382,12 +352,6 @@ private predicate stateBarrier(NodeEx node, FlowState state, Configuration confi
  exists(Node n | node.asNode() = n |
    config.isBarrier(n, state)
    or
-    config.isBarrierIn(n, state) and
-    not config.isSource(n, state)
-    or
-    config.isBarrierOut(n, state) and
-    not config.isSink(n, state)
-    or
    exists(BarrierGuard g |
      config.isBarrierGuard(g, state) and
      n = g.getAGuardedNode()
@@ -420,8 +384,8 @@ private predicate sinkNode(NodeEx node, FlowState state, Configuration config) {
 /** Provides the relevant barriers for a step from `node1` to `node2`. */
 pragma[inline]
 private predicate stepFilter(NodeEx node1, NodeEx node2, Configuration config) {
-  not fullOutBarrier(node1, config) and
-  not fullInBarrier(node2, config) and
+  not outBarrier(node1, config) and
+  not inBarrier(node2, config) and
  not fullBarrier(node1, config) and
  not fullBarrier(node2, config)
 }
@@ -474,8 +438,6 @@ private predicate additionalLocalStateStep(
    config.isAdditionalFlowStep(n1, s1, n2, s2) and
    getNodeEnclosingCallable(n1) = getNodeEnclosingCallable(n2) and
    stepFilter(node1, node2, config) and
-    not stateOutBarrier(node1, s1, config) and
-    not stateInBarrier(node2, s2, config) and
    not stateBarrier(node1, s1, config) and
    not stateBarrier(node2, s2, config)
  )
@@ -517,8 +479,6 @@ private predicate additionalJumpStateStep(
    config.isAdditionalFlowStep(n1, s1, n2, s2) and
    getNodeEnclosingCallable(n1) != getNodeEnclosingCallable(n2) and
    stepFilter(node1, node2, config) and
-    not stateOutBarrier(node1, s1, config) and
-    not stateInBarrier(node2, s2, config) and
    not stateBarrier(node1, s1, config) and
    not stateBarrier(node2, s2, config) and
    not config.getAFeature() instanceof FeatureEqualSourceSinkCallContext
@@ -918,8 +878,8 @@ private module Stage1 {
  private predicate throughFlowNodeCand(NodeEx node, Configuration config) {
    revFlow(node, true, config) and
    fwdFlow(node, true, config) and
-    not fullInBarrier(node, config) and
-    not fullOutBarrier(node, config)
+    not inBarrier(node, config) and
+    not outBarrier(node, config)
  }

  /** Holds if flow may return from `callable`. */
@@ -1014,8 +974,8 @@ private predicate flowOutOfCallNodeCand1(
 ) {
  viableReturnPosOutNodeCand1(call, ret.getReturnPosition(), out, config) and
  Stage1::revFlow(ret, config) and
-  not fullOutBarrier(ret, config) and
-  not fullInBarrier(out, config)
+  not outBarrier(ret, config) and
+  not inBarrier(out, config)
 }

 pragma[nomagic]
@@ -1036,8 +996,8 @@ private predicate flowIntoCallNodeCand1(
 ) {
  viableParamArgNodeCand1(call, p, arg, config) and
  Stage1::revFlow(p, config) and
-  not fullOutBarrier(arg, config) and
-  not fullInBarrier(p, config)
+  not outBarrier(arg, config) and
+  not inBarrier(p, config)
 }

 /**
@@ -1158,8 +1118,8 @@ private module Stage2 {
    if reducedViableImplInReturn(c, call) then result = TReturn(c, call) else result = ccNone()
  }

-  bindingset[node, cc, config]
-  private LocalCc getLocalCc(NodeEx node, Cc cc, Configuration config) { any() }
+  bindingset[node, cc]
+  private LocalCc getLocalCc(NodeEx node, Cc cc) { any() }

  bindingset[node1, state1, config]
  bindingset[node2, state2, config]
@@ -1246,7 +1206,7 @@ private module Stage2 {
    or
    exists(NodeEx mid, FlowState state0, Ap ap0, LocalCc localCc |
      fwdFlow(mid, state0, cc, argAp, ap0, config) and
-      localCc = getLocalCc(mid, cc, config)
+      localCc = getLocalCc(mid, cc)
    |
      localStep(mid, state0, node, state, true, _, config, localCc) and
      ap = ap0
@@ -1951,8 +1911,8 @@ private module Stage3 {
  bindingset[call, c, innercc]
  private CcNoCall getCallContextReturn(DataFlowCallable c, DataFlowCall call, Cc innercc) { any() }

-  bindingset[node, cc, config]
-  private LocalCc getLocalCc(NodeEx node, Cc cc, Configuration config) { any() }
+  bindingset[node, cc]
+  private LocalCc getLocalCc(NodeEx node, Cc cc) { any() }

  private predicate localStep(
    NodeEx node1, FlowState state1, NodeEx node2, FlowState state2, boolean preservesValue,
@@ -2035,7 +1995,7 @@ private module Stage3 {
    or
    exists(NodeEx mid, FlowState state0, Ap ap0, LocalCc localCc |
      fwdFlow(mid, state0, cc, argAp, ap0, config) and
-      localCc = getLocalCc(mid, cc, config)
+      localCc = getLocalCc(mid, cc)
    |
      localStep(mid, state0, node, state, true, _, config, localCc) and
      ap = ap0
@@ -2765,12 +2725,11 @@ private module Stage4 {
    if reducedViableImplInReturn(c, call) then result = TReturn(c, call) else result = ccNone()
  }

-  bindingset[node, cc, config]
-  private LocalCc getLocalCc(NodeEx node, Cc cc, Configuration config) {
+  bindingset[node, cc]
+  private LocalCc getLocalCc(NodeEx node, Cc cc) {
    result =
      getLocalCallContext(pragma[only_bind_into](pragma[only_bind_out](cc)),
-        node.getEnclosingCallable()) and
-    exists(config)
+        node.getEnclosingCallable())
  }

  private predicate localStep(
@@ -2863,7 +2822,7 @@ private module Stage4 {
    or
    exists(NodeEx mid, FlowState state0, Ap ap0, LocalCc localCc |
      fwdFlow(mid, state0, cc, argAp, ap0, config) and
-      localCc = getLocalCc(mid, cc, config)
+      localCc = getLocalCc(mid, cc)
    |
      localStep(mid, state0, node, state, true, _, config, localCc) and
      ap = ap0
@@ -5048,6 +5007,7 @@ private module FlowExploration {
    )
  }

+  pragma[nomagic]
  private predicate revPartialPathStep(
    PartialPathNodeRev mid, NodeEx node, FlowState state, TRevSummaryCtx1 sc1, TRevSummaryCtx2 sc2,
    TRevSummaryCtx3 sc3, RevPartialAccessPath ap, Configuration config
--- a/cpp/ql/lib/semmle/code/cpp/ir/dataflow/internal/DataFlowImpl2.qll
+++ b/cpp/ql/lib/semmle/code/cpp/ir/dataflow/internal/DataFlowImpl2.qll
@@ -87,21 +87,9 @@ abstract class Configuration extends string {
  /** Holds if data flow into `node` is prohibited. */
  predicate isBarrierIn(Node node) { none() }

-  /**
-   * Holds if data flow into `node` is prohibited when the flow state is
-   * `state`
-   */
-  predicate isBarrierIn(Node node, FlowState state) { none() }
-
  /** Holds if data flow out of `node` is prohibited. */
  predicate isBarrierOut(Node node) { none() }

-  /**
-   * Holds if data flow out of `node` is prohibited when the flow state is
-   * `state`
-   */
-  predicate isBarrierOut(Node node, FlowState state) { none() }
-
  /** Holds if data flow through nodes guarded by `guard` is prohibited. */
  predicate isBarrierGuard(BarrierGuard guard) { none() }

@@ -321,7 +309,7 @@ private class RetNodeEx extends NodeEx {
  ReturnKindExt getKind() { result = this.asNode().(ReturnNodeExt).getKind() }
 }

-private predicate fullInBarrier(NodeEx node, Configuration config) {
+private predicate inBarrier(NodeEx node, Configuration config) {
  exists(Node n |
    node.asNode() = n and
    config.isBarrierIn(n)
@@ -330,16 +318,7 @@ private predicate fullInBarrier(NodeEx node, Configuration config) {
  )
 }

-private predicate stateInBarrier(NodeEx node, FlowState state, Configuration config) {
-  exists(Node n |
-    node.asNode() = n and
-    config.isBarrierIn(n, state)
-  |
-    config.isSource(n, state)
-  )
-}
-
-private predicate fullOutBarrier(NodeEx node, Configuration config) {
+private predicate outBarrier(NodeEx node, Configuration config) {
  exists(Node n |
    node.asNode() = n and
    config.isBarrierOut(n)
@@ -348,15 +327,6 @@ private predicate fullOutBarrier(NodeEx node, Configuration config) {
  )
 }

-private predicate stateOutBarrier(NodeEx node, FlowState state, Configuration config) {
-  exists(Node n |
-    node.asNode() = n and
-    config.isBarrierOut(n, state)
-  |
-    config.isSink(n, state)
-  )
-}
-
 pragma[nomagic]
 private predicate fullBarrier(NodeEx node, Configuration config) {
  exists(Node n | node.asNode() = n |
@@ -382,12 +352,6 @@ private predicate stateBarrier(NodeEx node, FlowState state, Configuration confi
  exists(Node n | node.asNode() = n |
    config.isBarrier(n, state)
    or
-    config.isBarrierIn(n, state) and
-    not config.isSource(n, state)
-    or
-    config.isBarrierOut(n, state) and
-    not config.isSink(n, state)
-    or
    exists(BarrierGuard g |
      config.isBarrierGuard(g, state) and
      n = g.getAGuardedNode()
@@ -420,8 +384,8 @@ private predicate sinkNode(NodeEx node, FlowState state, Configuration config) {
 /** Provides the relevant barriers for a step from `node1` to `node2`. */
 pragma[inline]
 private predicate stepFilter(NodeEx node1, NodeEx node2, Configuration config) {
-  not fullOutBarrier(node1, config) and
-  not fullInBarrier(node2, config) and
+  not outBarrier(node1, config) and
+  not inBarrier(node2, config) and
  not fullBarrier(node1, config) and
  not fullBarrier(node2, config)
 }
@@ -474,8 +438,6 @@ private predicate additionalLocalStateStep(
    config.isAdditionalFlowStep(n1, s1, n2, s2) and
    getNodeEnclosingCallable(n1) = getNodeEnclosingCallable(n2) and
    stepFilter(node1, node2, config) and
-    not stateOutBarrier(node1, s1, config) and
-    not stateInBarrier(node2, s2, config) and
    not stateBarrier(node1, s1, config) and
    not stateBarrier(node2, s2, config)
  )
@@ -517,8 +479,6 @@ private predicate additionalJumpStateStep(
    config.isAdditionalFlowStep(n1, s1, n2, s2) and
    getNodeEnclosingCallable(n1) != getNodeEnclosingCallable(n2) and
    stepFilter(node1, node2, config) and
-    not stateOutBarrier(node1, s1, config) and
-    not stateInBarrier(node2, s2, config) and
    not stateBarrier(node1, s1, config) and
    not stateBarrier(node2, s2, config) and
    not config.getAFeature() instanceof FeatureEqualSourceSinkCallContext
@@ -918,8 +878,8 @@ private module Stage1 {
  private predicate throughFlowNodeCand(NodeEx node, Configuration config) {
    revFlow(node, true, config) and
    fwdFlow(node, true, config) and
-    not fullInBarrier(node, config) and
-    not fullOutBarrier(node, config)
+    not inBarrier(node, config) and
+    not outBarrier(node, config)
  }

  /** Holds if flow may return from `callable`. */
@@ -1014,8 +974,8 @@ private predicate flowOutOfCallNodeCand1(
 ) {
  viableReturnPosOutNodeCand1(call, ret.getReturnPosition(), out, config) and
  Stage1::revFlow(ret, config) and
-  not fullOutBarrier(ret, config) and
-  not fullInBarrier(out, config)
+  not outBarrier(ret, config) and
+  not inBarrier(out, config)
 }

 pragma[nomagic]
@@ -1036,8 +996,8 @@ private predicate flowIntoCallNodeCand1(
 ) {
  viableParamArgNodeCand1(call, p, arg, config) and
  Stage1::revFlow(p, config) and
-  not fullOutBarrier(arg, config) and
-  not fullInBarrier(p, config)
+  not outBarrier(arg, config) and
+  not inBarrier(p, config)
 }

 /**
@@ -1158,8 +1118,8 @@ private module Stage2 {
    if reducedViableImplInReturn(c, call) then result = TReturn(c, call) else result = ccNone()
  }

-  bindingset[node, cc, config]
-  private LocalCc getLocalCc(NodeEx node, Cc cc, Configuration config) { any() }
+  bindingset[node, cc]
+  private LocalCc getLocalCc(NodeEx node, Cc cc) { any() }

  bindingset[node1, state1, config]
  bindingset[node2, state2, config]
@@ -1246,7 +1206,7 @@ private module Stage2 {
    or
    exists(NodeEx mid, FlowState state0, Ap ap0, LocalCc localCc |
      fwdFlow(mid, state0, cc, argAp, ap0, config) and
-      localCc = getLocalCc(mid, cc, config)
+      localCc = getLocalCc(mid, cc)
    |
      localStep(mid, state0, node, state, true, _, config, localCc) and
      ap = ap0
@@ -1951,8 +1911,8 @@ private module Stage3 {
  bindingset[call, c, innercc]
  private CcNoCall getCallContextReturn(DataFlowCallable c, DataFlowCall call, Cc innercc) { any() }

-  bindingset[node, cc, config]
-  private LocalCc getLocalCc(NodeEx node, Cc cc, Configuration config) { any() }
+  bindingset[node, cc]
+  private LocalCc getLocalCc(NodeEx node, Cc cc) { any() }

  private predicate localStep(
    NodeEx node1, FlowState state1, NodeEx node2, FlowState state2, boolean preservesValue,
@@ -2035,7 +1995,7 @@ private module Stage3 {
    or
    exists(NodeEx mid, FlowState state0, Ap ap0, LocalCc localCc |
      fwdFlow(mid, state0, cc, argAp, ap0, config) and
-      localCc = getLocalCc(mid, cc, config)
+      localCc = getLocalCc(mid, cc)
    |
      localStep(mid, state0, node, state, true, _, config, localCc) and
      ap = ap0
@@ -2765,12 +2725,11 @@ private module Stage4 {
    if reducedViableImplInReturn(c, call) then result = TReturn(c, call) else result = ccNone()
  }

-  bindingset[node, cc, config]
-  private LocalCc getLocalCc(NodeEx node, Cc cc, Configuration config) {
+  bindingset[node, cc]
+  private LocalCc getLocalCc(NodeEx node, Cc cc) {
    result =
      getLocalCallContext(pragma[only_bind_into](pragma[only_bind_out](cc)),
-        node.getEnclosingCallable()) and
-    exists(config)
+        node.getEnclosingCallable())
  }

  private predicate localStep(
@@ -2863,7 +2822,7 @@ private module Stage4 {
    or
    exists(NodeEx mid, FlowState state0, Ap ap0, LocalCc localCc |
      fwdFlow(mid, state0, cc, argAp, ap0, config) and
-      localCc = getLocalCc(mid, cc, config)
+      localCc = getLocalCc(mid, cc)
    |
      localStep(mid, state0, node, state, true, _, config, localCc) and
      ap = ap0
@@ -5048,6 +5007,7 @@ private module FlowExploration {
    )
  }

+  pragma[nomagic]
  private predicate revPartialPathStep(
    PartialPathNodeRev mid, NodeEx node, FlowState state, TRevSummaryCtx1 sc1, TRevSummaryCtx2 sc2,
    TRevSummaryCtx3 sc3, RevPartialAccessPath ap, Configuration config
--- a/cpp/ql/lib/semmle/code/cpp/ir/dataflow/internal/DataFlowImpl3.qll
+++ b/cpp/ql/lib/semmle/code/cpp/ir/dataflow/internal/DataFlowImpl3.qll
@@ -87,21 +87,9 @@ abstract class Configuration extends string {
  /** Holds if data flow into `node` is prohibited. */
  predicate isBarrierIn(Node node) { none() }

-  /**
-   * Holds if data flow into `node` is prohibited when the flow state is
-   * `state`
-   */
-  predicate isBarrierIn(Node node, FlowState state) { none() }
-
  /** Holds if data flow out of `node` is prohibited. */
  predicate isBarrierOut(Node node) { none() }

-  /**
-   * Holds if data flow out of `node` is prohibited when the flow state is
-   * `state`
-   */
-  predicate isBarrierOut(Node node, FlowState state) { none() }
-
  /** Holds if data flow through nodes guarded by `guard` is prohibited. */
  predicate isBarrierGuard(BarrierGuard guard) { none() }

@@ -321,7 +309,7 @@ private class RetNodeEx extends NodeEx {
  ReturnKindExt getKind() { result = this.asNode().(ReturnNodeExt).getKind() }
 }

-private predicate fullInBarrier(NodeEx node, Configuration config) {
+private predicate inBarrier(NodeEx node, Configuration config) {
  exists(Node n |
    node.asNode() = n and
    config.isBarrierIn(n)
@@ -330,16 +318,7 @@ private predicate fullInBarrier(NodeEx node, Configuration config) {
  )
 }

-private predicate stateInBarrier(NodeEx node, FlowState state, Configuration config) {
-  exists(Node n |
-    node.asNode() = n and
-    config.isBarrierIn(n, state)
-  |
-    config.isSource(n, state)
-  )
-}
-
-private predicate fullOutBarrier(NodeEx node, Configuration config) {
+private predicate outBarrier(NodeEx node, Configuration config) {
  exists(Node n |
    node.asNode() = n and
    config.isBarrierOut(n)
@@ -348,15 +327,6 @@ private predicate fullOutBarrier(NodeEx node, Configuration config) {
  )
 }

-private predicate stateOutBarrier(NodeEx node, FlowState state, Configuration config) {
-  exists(Node n |
-    node.asNode() = n and
-    config.isBarrierOut(n, state)
-  |
-    config.isSink(n, state)
-  )
-}
-
 pragma[nomagic]
 private predicate fullBarrier(NodeEx node, Configuration config) {
  exists(Node n | node.asNode() = n |
@@ -382,12 +352,6 @@ private predicate stateBarrier(NodeEx node, FlowState state, Configuration confi
  exists(Node n | node.asNode() = n |
    config.isBarrier(n, state)
    or
-    config.isBarrierIn(n, state) and
-    not config.isSource(n, state)
-    or
-    config.isBarrierOut(n, state) and
-    not config.isSink(n, state)
-    or
    exists(BarrierGuard g |
      config.isBarrierGuard(g, state) and
      n = g.getAGuardedNode()
@@ -420,8 +384,8 @@ private predicate sinkNode(NodeEx node, FlowState state, Configuration config) {
 /** Provides the relevant barriers for a step from `node1` to `node2`. */
 pragma[inline]
 private predicate stepFilter(NodeEx node1, NodeEx node2, Configuration config) {
-  not fullOutBarrier(node1, config) and
-  not fullInBarrier(node2, config) and
+  not outBarrier(node1, config) and
+  not inBarrier(node2, config) and
  not fullBarrier(node1, config) and
  not fullBarrier(node2, config)
 }
@@ -474,8 +438,6 @@ private predicate additionalLocalStateStep(
    config.isAdditionalFlowStep(n1, s1, n2, s2) and
    getNodeEnclosingCallable(n1) = getNodeEnclosingCallable(n2) and
    stepFilter(node1, node2, config) and
-    not stateOutBarrier(node1, s1, config) and
-    not stateInBarrier(node2, s2, config) and
    not stateBarrier(node1, s1, config) and
    not stateBarrier(node2, s2, config)
  )
@@ -517,8 +479,6 @@ private predicate additionalJumpStateStep(
    config.isAdditionalFlowStep(n1, s1, n2, s2) and
    getNodeEnclosingCallable(n1) != getNodeEnclosingCallable(n2) and
    stepFilter(node1, node2, config) and
-    not stateOutBarrier(node1, s1, config) and
-    not stateInBarrier(node2, s2, config) and
    not stateBarrier(node1, s1, config) and
    not stateBarrier(node2, s2, config) and
    not config.getAFeature() instanceof FeatureEqualSourceSinkCallContext
@@ -918,8 +878,8 @@ private module Stage1 {
  private predicate throughFlowNodeCand(NodeEx node, Configuration config) {
    revFlow(node, true, config) and
    fwdFlow(node, true, config) and
-    not fullInBarrier(node, config) and
-    not fullOutBarrier(node, config)
+    not inBarrier(node, config) and
+    not outBarrier(node, config)
  }

  /** Holds if flow may return from `callable`. */
@@ -1014,8 +974,8 @@ private predicate flowOutOfCallNodeCand1(
 ) {
  viableReturnPosOutNodeCand1(call, ret.getReturnPosition(), out, config) and
  Stage1::revFlow(ret, config) and
-  not fullOutBarrier(ret, config) and
-  not fullInBarrier(out, config)
+  not outBarrier(ret, config) and
+  not inBarrier(out, config)
 }

 pragma[nomagic]
@@ -1036,8 +996,8 @@ private predicate flowIntoCallNodeCand1(
 ) {
  viableParamArgNodeCand1(call, p, arg, config) and
  Stage1::revFlow(p, config) and
-  not fullOutBarrier(arg, config) and
-  not fullInBarrier(p, config)
+  not outBarrier(arg, config) and
+  not inBarrier(p, config)
 }

 /**
@@ -1158,8 +1118,8 @@ private module Stage2 {
    if reducedViableImplInReturn(c, call) then result = TReturn(c, call) else result = ccNone()
  }

-  bindingset[node, cc, config]
-  private LocalCc getLocalCc(NodeEx node, Cc cc, Configuration config) { any() }
+  bindingset[node, cc]
+  private LocalCc getLocalCc(NodeEx node, Cc cc) { any() }

  bindingset[node1, state1, config]
  bindingset[node2, state2, config]
@@ -1246,7 +1206,7 @@ private module Stage2 {
    or
    exists(NodeEx mid, FlowState state0, Ap ap0, LocalCc localCc |
      fwdFlow(mid, state0, cc, argAp, ap0, config) and
-      localCc = getLocalCc(mid, cc, config)
+      localCc = getLocalCc(mid, cc)
    |
      localStep(mid, state0, node, state, true, _, config, localCc) and
      ap = ap0
@@ -1951,8 +1911,8 @@ private module Stage3 {
  bindingset[call, c, innercc]
  private CcNoCall getCallContextReturn(DataFlowCallable c, DataFlowCall call, Cc innercc) { any() }

-  bindingset[node, cc, config]
-  private LocalCc getLocalCc(NodeEx node, Cc cc, Configuration config) { any() }
+  bindingset[node, cc]
+  private LocalCc getLocalCc(NodeEx node, Cc cc) { any() }

  private predicate localStep(
    NodeEx node1, FlowState state1, NodeEx node2, FlowState state2, boolean preservesValue,
@@ -2035,7 +1995,7 @@ private module Stage3 {
    or
    exists(NodeEx mid, FlowState state0, Ap ap0, LocalCc localCc |
      fwdFlow(mid, state0, cc, argAp, ap0, config) and
-      localCc = getLocalCc(mid, cc, config)
+      localCc = getLocalCc(mid, cc)
    |
      localStep(mid, state0, node, state, true, _, config, localCc) and
      ap = ap0
@@ -2765,12 +2725,11 @@ private module Stage4 {
    if reducedViableImplInReturn(c, call) then result = TReturn(c, call) else result = ccNone()
  }

-  bindingset[node, cc, config]
-  private LocalCc getLocalCc(NodeEx node, Cc cc, Configuration config) {
+  bindingset[node, cc]
+  private LocalCc getLocalCc(NodeEx node, Cc cc) {
    result =
      getLocalCallContext(pragma[only_bind_into](pragma[only_bind_out](cc)),
-        node.getEnclosingCallable()) and
-    exists(config)
+        node.getEnclosingCallable())
  }

  private predicate localStep(
@@ -2863,7 +2822,7 @@ private module Stage4 {
    or
    exists(NodeEx mid, FlowState state0, Ap ap0, LocalCc localCc |
      fwdFlow(mid, state0, cc, argAp, ap0, config) and
-      localCc = getLocalCc(mid, cc, config)
+      localCc = getLocalCc(mid, cc)
    |
      localStep(mid, state0, node, state, true, _, config, localCc) and
      ap = ap0
@@ -5048,6 +5007,7 @@ private module FlowExploration {
    )
  }

+  pragma[nomagic]
  private predicate revPartialPathStep(
    PartialPathNodeRev mid, NodeEx node, FlowState state, TRevSummaryCtx1 sc1, TRevSummaryCtx2 sc2,
    TRevSummaryCtx3 sc3, RevPartialAccessPath ap, Configuration config
--- a/cpp/ql/lib/semmle/code/cpp/ir/dataflow/internal/DataFlowImpl4.qll
+++ b/cpp/ql/lib/semmle/code/cpp/ir/dataflow/internal/DataFlowImpl4.qll
@@ -87,21 +87,9 @@ abstract class Configuration extends string {
  /** Holds if data flow into `node` is prohibited. */
  predicate isBarrierIn(Node node) { none() }

-  /**
-   * Holds if data flow into `node` is prohibited when the flow state is
-   * `state`
-   */
-  predicate isBarrierIn(Node node, FlowState state) { none() }
-
  /** Holds if data flow out of `node` is prohibited. */
  predicate isBarrierOut(Node node) { none() }

-  /**
-   * Holds if data flow out of `node` is prohibited when the flow state is
-   * `state`
-   */
-  predicate isBarrierOut(Node node, FlowState state) { none() }
-
  /** Holds if data flow through nodes guarded by `guard` is prohibited. */
  predicate isBarrierGuard(BarrierGuard guard) { none() }

@@ -321,7 +309,7 @@ private class RetNodeEx extends NodeEx {
  ReturnKindExt getKind() { result = this.asNode().(ReturnNodeExt).getKind() }
 }

-private predicate fullInBarrier(NodeEx node, Configuration config) {
+private predicate inBarrier(NodeEx node, Configuration config) {
  exists(Node n |
    node.asNode() = n and
    config.isBarrierIn(n)
@@ -330,16 +318,7 @@ private predicate fullInBarrier(NodeEx node, Configuration config) {
  )
 }

-private predicate stateInBarrier(NodeEx node, FlowState state, Configuration config) {
-  exists(Node n |
-    node.asNode() = n and
-    config.isBarrierIn(n, state)
-  |
-    config.isSource(n, state)
-  )
-}
-
-private predicate fullOutBarrier(NodeEx node, Configuration config) {
+private predicate outBarrier(NodeEx node, Configuration config) {
  exists(Node n |
    node.asNode() = n and
    config.isBarrierOut(n)
@@ -348,15 +327,6 @@ private predicate fullOutBarrier(NodeEx node, Configuration config) {
  )
 }

-private predicate stateOutBarrier(NodeEx node, FlowState state, Configuration config) {
-  exists(Node n |
-    node.asNode() = n and
-    config.isBarrierOut(n, state)
-  |
-    config.isSink(n, state)
-  )
-}
-
 pragma[nomagic]
 private predicate fullBarrier(NodeEx node, Configuration config) {
  exists(Node n | node.asNode() = n |
@@ -382,12 +352,6 @@ private predicate stateBarrier(NodeEx node, FlowState state, Configuration confi
  exists(Node n | node.asNode() = n |
    config.isBarrier(n, state)
    or
-    config.isBarrierIn(n, state) and
-    not config.isSource(n, state)
-    or
-    config.isBarrierOut(n, state) and
-    not config.isSink(n, state)
-    or
    exists(BarrierGuard g |
      config.isBarrierGuard(g, state) and
      n = g.getAGuardedNode()
@@ -420,8 +384,8 @@ private predicate sinkNode(NodeEx node, FlowState state, Configuration config) {
 /** Provides the relevant barriers for a step from `node1` to `node2`. */
 pragma[inline]
 private predicate stepFilter(NodeEx node1, NodeEx node2, Configuration config) {
-  not fullOutBarrier(node1, config) and
-  not fullInBarrier(node2, config) and
+  not outBarrier(node1, config) and
+  not inBarrier(node2, config) and
  not fullBarrier(node1, config) and
  not fullBarrier(node2, config)
 }
@@ -474,8 +438,6 @@ private predicate additionalLocalStateStep(
    config.isAdditionalFlowStep(n1, s1, n2, s2) and
    getNodeEnclosingCallable(n1) = getNodeEnclosingCallable(n2) and
    stepFilter(node1, node2, config) and
-    not stateOutBarrier(node1, s1, config) and
-    not stateInBarrier(node2, s2, config) and
    not stateBarrier(node1, s1, config) and
    not stateBarrier(node2, s2, config)
  )
@@ -517,8 +479,6 @@ private predicate additionalJumpStateStep(
    config.isAdditionalFlowStep(n1, s1, n2, s2) and
    getNodeEnclosingCallable(n1) != getNodeEnclosingCallable(n2) and
    stepFilter(node1, node2, config) and
-    not stateOutBarrier(node1, s1, config) and
-    not stateInBarrier(node2, s2, config) and
    not stateBarrier(node1, s1, config) and
    not stateBarrier(node2, s2, config) and
    not config.getAFeature() instanceof FeatureEqualSourceSinkCallContext
@@ -918,8 +878,8 @@ private module Stage1 {
  private predicate throughFlowNodeCand(NodeEx node, Configuration config) {
    revFlow(node, true, config) and
    fwdFlow(node, true, config) and
-    not fullInBarrier(node, config) and
-    not fullOutBarrier(node, config)
+    not inBarrier(node, config) and
+    not outBarrier(node, config)
  }

  /** Holds if flow may return from `callable`. */
@@ -1014,8 +974,8 @@ private predicate flowOutOfCallNodeCand1(
 ) {
  viableReturnPosOutNodeCand1(call, ret.getReturnPosition(), out, config) and
  Stage1::revFlow(ret, config) and
-  not fullOutBarrier(ret, config) and
-  not fullInBarrier(out, config)
+  not outBarrier(ret, config) and
+  not inBarrier(out, config)
 }

 pragma[nomagic]
@@ -1036,8 +996,8 @@ private predicate flowIntoCallNodeCand1(
 ) {
  viableParamArgNodeCand1(call, p, arg, config) and
  Stage1::revFlow(p, config) and
-  not fullOutBarrier(arg, config) and
-  not fullInBarrier(p, config)
+  not outBarrier(arg, config) and
+  not inBarrier(p, config)
 }

 /**
@@ -1158,8 +1118,8 @@ private module Stage2 {
    if reducedViableImplInReturn(c, call) then result = TReturn(c, call) else result = ccNone()
  }

-  bindingset[node, cc, config]
-  private LocalCc getLocalCc(NodeEx node, Cc cc, Configuration config) { any() }
+  bindingset[node, cc]
+  private LocalCc getLocalCc(NodeEx node, Cc cc) { any() }

  bindingset[node1, state1, config]
  bindingset[node2, state2, config]
@@ -1246,7 +1206,7 @@ private module Stage2 {
    or
    exists(NodeEx mid, FlowState state0, Ap ap0, LocalCc localCc |
      fwdFlow(mid, state0, cc, argAp, ap0, config) and
-      localCc = getLocalCc(mid, cc, config)
+      localCc = getLocalCc(mid, cc)
    |
      localStep(mid, state0, node, state, true, _, config, localCc) and
      ap = ap0
@@ -1951,8 +1911,8 @@ private module Stage3 {
  bindingset[call, c, innercc]
  private CcNoCall getCallContextReturn(DataFlowCallable c, DataFlowCall call, Cc innercc) { any() }

-  bindingset[node, cc, config]
-  private LocalCc getLocalCc(NodeEx node, Cc cc, Configuration config) { any() }
+  bindingset[node, cc]
+  private LocalCc getLocalCc(NodeEx node, Cc cc) { any() }

  private predicate localStep(
    NodeEx node1, FlowState state1, NodeEx node2, FlowState state2, boolean preservesValue,
@@ -2035,7 +1995,7 @@ private module Stage3 {
    or
    exists(NodeEx mid, FlowState state0, Ap ap0, LocalCc localCc |
      fwdFlow(mid, state0, cc, argAp, ap0, config) and
-      localCc = getLocalCc(mid, cc, config)
+      localCc = getLocalCc(mid, cc)
    |
      localStep(mid, state0, node, state, true, _, config, localCc) and
      ap = ap0
@@ -2765,12 +2725,11 @@ private module Stage4 {
    if reducedViableImplInReturn(c, call) then result = TReturn(c, call) else result = ccNone()
  }

-  bindingset[node, cc, config]
-  private LocalCc getLocalCc(NodeEx node, Cc cc, Configuration config) {
+  bindingset[node, cc]
+  private LocalCc getLocalCc(NodeEx node, Cc cc) {
    result =
      getLocalCallContext(pragma[only_bind_into](pragma[only_bind_out](cc)),
-        node.getEnclosingCallable()) and
-    exists(config)
+        node.getEnclosingCallable())
  }

  private predicate localStep(
@@ -2863,7 +2822,7 @@ private module Stage4 {
    or
    exists(NodeEx mid, FlowState state0, Ap ap0, LocalCc localCc |
      fwdFlow(mid, state0, cc, argAp, ap0, config) and
-      localCc = getLocalCc(mid, cc, config)
+      localCc = getLocalCc(mid, cc)
    |
      localStep(mid, state0, node, state, true, _, config, localCc) and
      ap = ap0
@@ -5048,6 +5007,7 @@ private module FlowExploration {
    )
  }

+  pragma[nomagic]
  private predicate revPartialPathStep(
    PartialPathNodeRev mid, NodeEx node, FlowState state, TRevSummaryCtx1 sc1, TRevSummaryCtx2 sc2,
    TRevSummaryCtx3 sc3, RevPartialAccessPath ap, Configuration config
--- a/cpp/ql/lib/semmle/code/cpp/ir/dataflow/internal/tainttracking1/TaintTrackingImpl.qll
+++ b/cpp/ql/lib/semmle/code/cpp/ir/dataflow/internal/tainttracking1/TaintTrackingImpl.qll
@@ -109,16 +109,6 @@ abstract class Configuration extends DataFlow::Configuration {
  /** Holds if taint propagation into `node` is prohibited. */
  predicate isSanitizerIn(DataFlow::Node node) { none() }

-  /**
-   * Holds if taint propagation into `node` is prohibited when the flow state is
-   * `state`.
-   */
-  predicate isSanitizerIn(DataFlow::Node node, DataFlow::FlowState state) { none() }
-
-  final override predicate isBarrierIn(DataFlow::Node node, DataFlow::FlowState state) {
-    this.isSanitizerIn(node, state)
-  }
-
  final override predicate isBarrierIn(DataFlow::Node node) { this.isSanitizerIn(node) }

  /** Holds if taint propagation out of `node` is prohibited. */
@@ -126,16 +116,6 @@ abstract class Configuration extends DataFlow::Configuration {

  final override predicate isBarrierOut(DataFlow::Node node) { this.isSanitizerOut(node) }

-  /**
-   * Holds if taint propagation out of `node` is prohibited when the flow state is
-   * `state`.
-   */
-  predicate isSanitizerOut(DataFlow::Node node, DataFlow::FlowState state) { none() }
-
-  final override predicate isBarrierOut(DataFlow::Node node, DataFlow::FlowState state) {
-    this.isSanitizerOut(node, state)
-  }
-
  /** Holds if taint propagation through nodes guarded by `guard` is prohibited. */
  predicate isSanitizerGuard(DataFlow::BarrierGuard guard) { none() }

--- a/cpp/ql/lib/semmle/code/cpp/ir/dataflow/internal/tainttracking2/TaintTrackingImpl.qll
+++ b/cpp/ql/lib/semmle/code/cpp/ir/dataflow/internal/tainttracking2/TaintTrackingImpl.qll
@@ -109,16 +109,6 @@ abstract class Configuration extends DataFlow::Configuration {
  /** Holds if taint propagation into `node` is prohibited. */
  predicate isSanitizerIn(DataFlow::Node node) { none() }

-  /**
-   * Holds if taint propagation into `node` is prohibited when the flow state is
-   * `state`.
-   */
-  predicate isSanitizerIn(DataFlow::Node node, DataFlow::FlowState state) { none() }
-
-  final override predicate isBarrierIn(DataFlow::Node node, DataFlow::FlowState state) {
-    this.isSanitizerIn(node, state)
-  }
-
  final override predicate isBarrierIn(DataFlow::Node node) { this.isSanitizerIn(node) }

  /** Holds if taint propagation out of `node` is prohibited. */
@@ -126,16 +116,6 @@ abstract class Configuration extends DataFlow::Configuration {

  final override predicate isBarrierOut(DataFlow::Node node) { this.isSanitizerOut(node) }

-  /**
-   * Holds if taint propagation out of `node` is prohibited when the flow state is
-   * `state`.
-   */
-  predicate isSanitizerOut(DataFlow::Node node, DataFlow::FlowState state) { none() }
-
-  final override predicate isBarrierOut(DataFlow::Node node, DataFlow::FlowState state) {
-    this.isSanitizerOut(node, state)
-  }
-
  /** Holds if taint propagation through nodes guarded by `guard` is prohibited. */
  predicate isSanitizerGuard(DataFlow::BarrierGuard guard) { none() }

--- a/cpp/ql/lib/semmle/code/cpp/ir/dataflow/internal/tainttracking3/TaintTrackingImpl.qll
+++ b/cpp/ql/lib/semmle/code/cpp/ir/dataflow/internal/tainttracking3/TaintTrackingImpl.qll
@@ -109,16 +109,6 @@ abstract class Configuration extends DataFlow::Configuration {
  /** Holds if taint propagation into `node` is prohibited. */
  predicate isSanitizerIn(DataFlow::Node node) { none() }

-  /**
-   * Holds if taint propagation into `node` is prohibited when the flow state is
-   * `state`.
-   */
-  predicate isSanitizerIn(DataFlow::Node node, DataFlow::FlowState state) { none() }
-
-  final override predicate isBarrierIn(DataFlow::Node node, DataFlow::FlowState state) {
-    this.isSanitizerIn(node, state)
-  }
-
  final override predicate isBarrierIn(DataFlow::Node node) { this.isSanitizerIn(node) }

  /** Holds if taint propagation out of `node` is prohibited. */
@@ -126,16 +116,6 @@ abstract class Configuration extends DataFlow::Configuration {

  final override predicate isBarrierOut(DataFlow::Node node) { this.isSanitizerOut(node) }

-  /**
-   * Holds if taint propagation out of `node` is prohibited when the flow state is
-   * `state`.
-   */
-  predicate isSanitizerOut(DataFlow::Node node, DataFlow::FlowState state) { none() }
-
-  final override predicate isBarrierOut(DataFlow::Node node, DataFlow::FlowState state) {
-    this.isSanitizerOut(node, state)
-  }
-
  /** Holds if taint propagation through nodes guarded by `guard` is prohibited. */
  predicate isSanitizerGuard(DataFlow::BarrierGuard guard) { none() }

--- a/cpp/ql/lib/semmle/code/cpp/ir/internal/CppType.qll
+++ b/cpp/ql/lib/semmle/code/cpp/ir/internal/CppType.qll
@@ -141,7 +141,7 @@ private predicate isOpaqueType(Type type) {
 * Holds if an `IROpaqueType` with the specified `tag` and `byteSize` should exist.
 */
 predicate hasOpaqueType(Type tag, int byteSize) {
-  isOpaqueType(tag) and byteSize = getTypeSize(tag)
+  isOpaqueType(tag) and byteSize = getTypeSize(tag.getUnspecifiedType())
  or
  tag instanceof UnknownType and Raw::needsUnknownOpaqueType(byteSize)
 }
@@ -153,17 +153,18 @@ private IRType getIRTypeForPRValue(Type type) {
  exists(Type unspecifiedType | unspecifiedType = type.getUnspecifiedType() |
    isOpaqueType(unspecifiedType) and
    exists(IROpaqueType opaqueType | opaqueType = result |
-      opaqueType.getByteSize() = getTypeSize(type) and
+      opaqueType.getByteSize() = getTypeSize(unspecifiedType) and
      opaqueType.getTag() = unspecifiedType
    )
    or
-    unspecifiedType instanceof BoolType and result.(IRBooleanType).getByteSize() = type.getSize()
+    unspecifiedType instanceof BoolType and
+    result.(IRBooleanType).getByteSize() = unspecifiedType.getSize()
    or
    isSignedIntegerType(unspecifiedType) and
-    result.(IRSignedIntegerType).getByteSize() = type.getSize()
+    result.(IRSignedIntegerType).getByteSize() = unspecifiedType.getSize()
    or
    isUnsignedIntegerType(unspecifiedType) and
-    result.(IRUnsignedIntegerType).getByteSize() = type.getSize()
+    result.(IRUnsignedIntegerType).getByteSize() = unspecifiedType.getSize()
    or
    exists(FloatingPointType floatType, IRFloatingPointType irFloatType |
      floatType = unspecifiedType and
@@ -173,7 +174,8 @@ private IRType getIRTypeForPRValue(Type type) {
      irFloatType.getDomain() = floatType.getDomain()
    )
    or
-    isPointerIshType(unspecifiedType) and result.(IRAddressType).getByteSize() = getTypeSize(type)
+    isPointerIshType(unspecifiedType) and
+    result.(IRAddressType).getByteSize() = getTypeSize(unspecifiedType)
    or
    unspecifiedType instanceof FunctionPointerIshType and
    result.(IRFunctionAddressType).getByteSize() = getTypeSize(type)
--- a/cpp/ql/lib/semmle/code/cpp/security/Overflow.qll
+++ b/cpp/ql/lib/semmle/code/cpp/security/Overflow.qll
@@ -25,6 +25,7 @@ predicate guardedAbs(Operation e, Expr use) {
 * Holds if the value of `use` is guarded to be less than something, and `e`
 * is in code controlled by that guard (where the guard condition held).
 */
+pragma[nomagic]
 predicate guardedLesser(Operation e, Expr use) {
  exists(GuardCondition c | c.ensuresLt(use, _, _, e.getBasicBlock(), true))
  or
@@ -35,6 +36,7 @@ predicate guardedLesser(Operation e, Expr use) {
 * Holds if the value of `use` is guarded to be greater than something, and `e`
 * is in code controlled by that guard (where the guard condition held).
 */
+pragma[nomagic]
 predicate guardedGreater(Operation e, Expr use) {
  exists(GuardCondition c | c.ensuresLt(use, _, _, e.getBasicBlock(), false))
  or
--- a/cpp/ql/src/CHANGELOG.md
+++ b/cpp/ql/src/CHANGELOG.md
@@ -1,3 +1,12 @@
+## 0.0.13
+
+## 0.0.12
+
+### Minor Analysis Improvements
+
+* The `cpp/overflow-destination`, `cpp/unclear-array-index-validation`, and `cpp/uncontrolled-allocation-size` queries have been modernized and converted to `path-problem` queries and provide more true positive results.
+* The `cpp/system-data-exposure` query has been increased from `medium` to `high` precision, following a number of improvements to the query logic.
+
 ## 0.0.11

 ### Breaking Changes
--- a/cpp/ql/src/Security/CWE/CWE-078/ExecTainted.ql
+++ b/cpp/ql/src/Security/CWE/CWE-078/ExecTainted.ql
@@ -116,8 +116,8 @@ class ExecTaintConfiguration extends TaintTracking::Configuration {
    state instanceof ConcatState
  }

-  override predicate isSanitizerOut(DataFlow::Node node, DataFlow::FlowState state) {
-    isSink(node, state) // Prevent duplicates along a call chain, since `shellCommand` will include wrappers
+  override predicate isSanitizerOut(DataFlow::Node node) {
+    isSink(node, _) // Prevent duplicates along a call chain, since `shellCommand` will include wrappers
  }
 }

--- a/cpp/ql/src/change-notes/2022-03-07-system-data-exposure.md
+++ b/cpp/ql/src/change-notes/2022-03-07-system-data-exposure.md
@@ -1,4 +0,0 @@
---
-category: minorAnalysis
---
-* The `cpp/system-data-exposure` query has been increased from `medium` to `high` precision, following a number of improvements to the query logic.
--- a/cpp/ql/src/change-notes/2022-03-10-port-three-queries-to-taint-tracking.md
+++ b/cpp/ql/src/change-notes/2022-03-10-port-three-queries-to-taint-tracking.md
@@ -1,4 +1,6 @@
---
-category: minorAnalysis
---
+## 0.0.12
+
+### Minor Analysis Improvements
+
 * The `cpp/overflow-destination`, `cpp/unclear-array-index-validation`, and `cpp/uncontrolled-allocation-size` queries have been modernized and converted to `path-problem` queries and provide more true positive results.
+* The `cpp/system-data-exposure` query has been increased from `medium` to `high` precision, following a number of improvements to the query logic.
--- a/cpp/ql/src/change-notes/released/0.0.13.md
+++ b/cpp/ql/src/change-notes/released/0.0.13.md
@@ -0,0 +1 @@
+## 0.0.13
--- a/cpp/ql/src/codeql-pack.release.yml
+++ b/cpp/ql/src/codeql-pack.release.yml
@@ -1,2 +1,2 @@
 ---
-lastReleaseVersion: 0.0.11
+lastReleaseVersion: 0.0.13
--- a/cpp/ql/src/experimental/Security/CWE/CWE-020/NoCheckBeforeUnsafePutUser.ql
+++ b/cpp/ql/src/experimental/Security/CWE/CWE-020/NoCheckBeforeUnsafePutUser.ql
@@ -21,7 +21,7 @@ class WriteAccessCheckMacro extends Macro {
  VariableAccess va;

  WriteAccessCheckMacro() {
-    this.getName() = ["user_write_access_begin", "user_access_begin"] and
+    this.getName() = ["user_write_access_begin", "user_access_begin", "access_ok"] and
    va.getEnclosingElement() = this.getAnInvocation().getAnExpandedElement()
  }

@@ -37,7 +37,8 @@ class UnSafePutUserMacro extends Macro {
  }

  Expr getUserModePtr() {
-    result = writeUserPtr.getOperand().(AddressOfExpr).getOperand().(FieldAccess).getQualifier()
+    result = writeUserPtr.getOperand().(AddressOfExpr).getOperand().(FieldAccess).getQualifier() or
+    result = writeUserPtr.getOperand()
  }
 }

@@ -46,11 +47,13 @@ class ExploitableUserModePtrParam extends Parameter {
    not exists(WriteAccessCheckMacro writeAccessCheck |
      DataFlow::localFlow(DataFlow::parameterNode(this),
        DataFlow::exprNode(writeAccessCheck.getArgument()))
+    ) and
+    exists(UnSafePutUserMacro unsafePutUser |
+      DataFlow::localFlow(DataFlow::parameterNode(this),
+        DataFlow::exprNode(unsafePutUser.getUserModePtr()))
    )
  }
 }

-from ExploitableUserModePtrParam p, UnSafePutUserMacro unsafePutUser
-where
-  DataFlow::localFlow(DataFlow::parameterNode(p), DataFlow::exprNode(unsafePutUser.getUserModePtr()))
+from ExploitableUserModePtrParam p
 select p, "unsafe_put_user write user-mode pointer $@ without check.", p, p.toString()
--- a/cpp/ql/src/qlpack.yml
+++ b/cpp/ql/src/qlpack.yml
@@ -1,5 +1,5 @@
 name: codeql/cpp-queries
-version: 0.0.12-dev
+version: 0.1.0-dev
 groups: 
  - cpp
  - queries
--- a/cpp/ql/test/library-tests/ir/ir/PrintAST.expected
+++ b/cpp/ql/test/library-tests/ir/ir/PrintAST.expected
@@ -13365,6 +13365,200 @@ ir.cpp:
 # 1717|   <params>: 
 # 1717|   getEntryPoint(): [BlockStmt] { ... }
 # 1717|     getStmt(0): [ReturnStmt] return ...
+# 1721| [CopyAssignmentOperator] CopyConstructorWithImplicitArgumentClass& CopyConstructorWithImplicitArgumentClass::operator=(CopyConstructorWithImplicitArgumentClass const&)
+# 1721|   <params>: 
+#-----|     getParameter(0): [Parameter] (unnamed parameter 0)
+#-----|         Type = [LValueReferenceType] const CopyConstructorWithImplicitArgumentClass &
+# 1724| [Constructor] void CopyConstructorWithImplicitArgumentClass::CopyConstructorWithImplicitArgumentClass()
+# 1724|   <params>: 
+# 1724|   <initializations>: 
+# 1724|   getEntryPoint(): [BlockStmt] { ... }
+# 1724|     getStmt(0): [ReturnStmt] return ...
+# 1725| [CopyConstructor] void CopyConstructorWithImplicitArgumentClass::CopyConstructorWithImplicitArgumentClass(CopyConstructorWithImplicitArgumentClass const&)
+# 1725|   <params>: 
+# 1725|     getParameter(0): [Parameter] c
+# 1725|         Type = [LValueReferenceType] const CopyConstructorWithImplicitArgumentClass &
+# 1725|   <initializations>: 
+# 1725|   getEntryPoint(): [BlockStmt] { ... }
+# 1726|     getStmt(0): [ExprStmt] ExprStmt
+# 1726|       getExpr(): [AssignExpr] ... = ...
+# 1726|           Type = [IntType] int
+# 1726|           ValueCategory = lvalue
+# 1726|         getLValue(): [PointerFieldAccess] x
+# 1726|             Type = [IntType] int
+# 1726|             ValueCategory = lvalue
+# 1726|           getQualifier(): [ThisExpr] this
+# 1726|               Type = [PointerType] CopyConstructorWithImplicitArgumentClass *
+# 1726|               ValueCategory = prvalue(load)
+# 1726|         getRValue(): [ReferenceFieldAccess] x
+# 1726|             Type = [IntType] int
+# 1726|             ValueCategory = prvalue(load)
+# 1726|           getQualifier(): [VariableAccess] c
+# 1726|               Type = [LValueReferenceType] const CopyConstructorWithImplicitArgumentClass &
+# 1726|               ValueCategory = prvalue(load)
+# 1726|           getQualifier().getFullyConverted(): [ReferenceDereferenceExpr] (reference dereference)
+# 1726|               Type = [SpecifiedType] const CopyConstructorWithImplicitArgumentClass
+# 1726|               ValueCategory = lvalue
+# 1727|     getStmt(1): [ReturnStmt] return ...
+# 1730| [CopyAssignmentOperator] CopyConstructorWithBitwiseCopyClass& CopyConstructorWithBitwiseCopyClass::operator=(CopyConstructorWithBitwiseCopyClass const&)
+# 1730|   <params>: 
+#-----|     getParameter(0): [Parameter] (unnamed parameter 0)
+#-----|         Type = [LValueReferenceType] const CopyConstructorWithBitwiseCopyClass &
+# 1730| [MoveAssignmentOperator] CopyConstructorWithBitwiseCopyClass& CopyConstructorWithBitwiseCopyClass::operator=(CopyConstructorWithBitwiseCopyClass&&)
+# 1730|   <params>: 
+#-----|     getParameter(0): [Parameter] (unnamed parameter 0)
+#-----|         Type = [RValueReferenceType] CopyConstructorWithBitwiseCopyClass &&
+# 1730| [CopyConstructor] void CopyConstructorWithBitwiseCopyClass::CopyConstructorWithBitwiseCopyClass(CopyConstructorWithBitwiseCopyClass const&)
+# 1730|   <params>: 
+#-----|     getParameter(0): [Parameter] (unnamed parameter 0)
+#-----|         Type = [LValueReferenceType] const CopyConstructorWithBitwiseCopyClass &
+# 1730| [MoveConstructor] void CopyConstructorWithBitwiseCopyClass::CopyConstructorWithBitwiseCopyClass(CopyConstructorWithBitwiseCopyClass&&)
+# 1730|   <params>: 
+#-----|     getParameter(0): [Parameter] (unnamed parameter 0)
+#-----|         Type = [RValueReferenceType] CopyConstructorWithBitwiseCopyClass &&
+# 1733| [Constructor] void CopyConstructorWithBitwiseCopyClass::CopyConstructorWithBitwiseCopyClass()
+# 1733|   <params>: 
+# 1733|   <initializations>: 
+# 1733|   getEntryPoint(): [BlockStmt] { ... }
+# 1733|     getStmt(0): [ReturnStmt] return ...
+# 1736| [CopyAssignmentOperator] CopyConstructorTestNonVirtualClass& CopyConstructorTestNonVirtualClass::operator=(CopyConstructorTestNonVirtualClass const&)
+# 1736|   <params>: 
+#-----|     getParameter(0): [Parameter] (unnamed parameter 0)
+#-----|         Type = [LValueReferenceType] const CopyConstructorTestNonVirtualClass &
+# 1736| [MoveAssignmentOperator] CopyConstructorTestNonVirtualClass& CopyConstructorTestNonVirtualClass::operator=(CopyConstructorTestNonVirtualClass&&)
+# 1736|   <params>: 
+#-----|     getParameter(0): [Parameter] (unnamed parameter 0)
+#-----|         Type = [RValueReferenceType] CopyConstructorTestNonVirtualClass &&
+# 1736| [CopyConstructor] void CopyConstructorTestNonVirtualClass::CopyConstructorTestNonVirtualClass(CopyConstructorTestNonVirtualClass const&)
+# 1736|   <params>: 
+#-----|     getParameter(0): [Parameter] (unnamed parameter 0)
+#-----|         Type = [LValueReferenceType] const CopyConstructorTestNonVirtualClass &
+# 1736|   <initializations>: 
+# 1736|     getInitializer(0): [ConstructorDirectInit] call to CopyConstructorWithImplicitArgumentClass
+# 1736|         Type = [VoidType] void
+# 1736|         ValueCategory = prvalue
+# 1736|       getArgument(0): [VariableAccess] (unnamed parameter 0)
+# 1736|           Type = [LValueReferenceType] const CopyConstructorTestNonVirtualClass &
+# 1736|           ValueCategory = prvalue(load)
+# 1736|       getArgument(0).getFullyConverted(): [ReferenceToExpr] (reference to)
+# 1736|           Type = [LValueReferenceType] const CopyConstructorWithImplicitArgumentClass &
+# 1736|           ValueCategory = prvalue
+# 1736|         getExpr(): [CStyleCast] (const CopyConstructorWithImplicitArgumentClass)...
+# 1736|             Conversion = [BaseClassConversion] base class conversion
+# 1736|             Type = [SpecifiedType] const CopyConstructorWithImplicitArgumentClass
+# 1736|             ValueCategory = lvalue
+# 1736|           getExpr(): [ReferenceDereferenceExpr] (reference dereference)
+# 1736|               Type = [SpecifiedType] const CopyConstructorTestNonVirtualClass
+# 1736|               ValueCategory = lvalue
+# 1736|     getInitializer(1): (no string representation)
+# 1736|         Type = [VirtualBaseClass] CopyConstructorWithBitwiseCopyClass
+# 1736|         ValueCategory = prvalue
+# 1736|   getEntryPoint(): [BlockStmt] { ... }
+# 1736|     getStmt(0): [ReturnStmt] return ...
+# 1736| [MoveConstructor] void CopyConstructorTestNonVirtualClass::CopyConstructorTestNonVirtualClass(CopyConstructorTestNonVirtualClass&&)
+# 1736|   <params>: 
+#-----|     getParameter(0): [Parameter] (unnamed parameter 0)
+#-----|         Type = [RValueReferenceType] CopyConstructorTestNonVirtualClass &&
+# 1740| [Constructor] void CopyConstructorTestNonVirtualClass::CopyConstructorTestNonVirtualClass()
+# 1740|   <params>: 
+# 1740|   <initializations>: 
+# 1740|     getInitializer(0): [ConstructorDirectInit] call to CopyConstructorWithImplicitArgumentClass
+# 1740|         Type = [VoidType] void
+# 1740|         ValueCategory = prvalue
+# 1740|     getInitializer(1): [ConstructorDirectInit] call to CopyConstructorWithBitwiseCopyClass
+# 1740|         Type = [VoidType] void
+# 1740|         ValueCategory = prvalue
+# 1740|   getEntryPoint(): [BlockStmt] { ... }
+# 1740|     getStmt(0): [ReturnStmt] return ...
+# 1743| [CopyAssignmentOperator] CopyConstructorTestVirtualClass& CopyConstructorTestVirtualClass::operator=(CopyConstructorTestVirtualClass const&)
+# 1743|   <params>: 
+#-----|     getParameter(0): [Parameter] (unnamed parameter 0)
+#-----|         Type = [LValueReferenceType] const CopyConstructorTestVirtualClass &
+# 1743| [MoveAssignmentOperator] CopyConstructorTestVirtualClass& CopyConstructorTestVirtualClass::operator=(CopyConstructorTestVirtualClass&&)
+# 1743|   <params>: 
+#-----|     getParameter(0): [Parameter] (unnamed parameter 0)
+#-----|         Type = [RValueReferenceType] CopyConstructorTestVirtualClass &&
+# 1743| [CopyConstructor] void CopyConstructorTestVirtualClass::CopyConstructorTestVirtualClass(CopyConstructorTestVirtualClass const&)
+# 1743|   <params>: 
+#-----|     getParameter(0): [Parameter] (unnamed parameter 0)
+#-----|         Type = [LValueReferenceType] const CopyConstructorTestVirtualClass &
+# 1743|   <initializations>: 
+# 1743|     getInitializer(0): [ConstructorVirtualInit] call to CopyConstructorWithImplicitArgumentClass
+# 1743|         Type = [VoidType] void
+# 1743|         ValueCategory = prvalue
+# 1743|       getArgument(0): [VariableAccess] (unnamed parameter 0)
+# 1743|           Type = [LValueReferenceType] const CopyConstructorTestVirtualClass &
+# 1743|           ValueCategory = prvalue(load)
+# 1743|       getArgument(0).getFullyConverted(): [ReferenceToExpr] (reference to)
+# 1743|           Type = [LValueReferenceType] const CopyConstructorWithImplicitArgumentClass &
+# 1743|           ValueCategory = prvalue
+# 1743|         getExpr(): [CStyleCast] (const CopyConstructorWithImplicitArgumentClass)...
+# 1743|             Conversion = [BaseClassConversion] base class conversion
+# 1743|             Type = [SpecifiedType] const CopyConstructorWithImplicitArgumentClass
+# 1743|             ValueCategory = lvalue
+# 1743|           getExpr(): [ReferenceDereferenceExpr] (reference dereference)
+# 1743|               Type = [SpecifiedType] const CopyConstructorTestVirtualClass
+# 1743|               ValueCategory = lvalue
+# 1743|     getInitializer(1): (no string representation)
+# 1743|         Type = [VirtualBaseClass] CopyConstructorWithBitwiseCopyClass
+# 1743|         ValueCategory = prvalue
+# 1743|   getEntryPoint(): [BlockStmt] { ... }
+# 1743|     getStmt(0): [ReturnStmt] return ...
+# 1743| [MoveConstructor] void CopyConstructorTestVirtualClass::CopyConstructorTestVirtualClass(CopyConstructorTestVirtualClass&&)
+# 1743|   <params>: 
+#-----|     getParameter(0): [Parameter] (unnamed parameter 0)
+#-----|         Type = [RValueReferenceType] CopyConstructorTestVirtualClass &&
+# 1747| [Constructor] void CopyConstructorTestVirtualClass::CopyConstructorTestVirtualClass()
+# 1747|   <params>: 
+# 1747|   <initializations>: 
+# 1747|     getInitializer(0): [ConstructorVirtualInit] call to CopyConstructorWithImplicitArgumentClass
+# 1747|         Type = [VoidType] void
+# 1747|         ValueCategory = prvalue
+# 1747|     getInitializer(1): [ConstructorVirtualInit] call to CopyConstructorWithBitwiseCopyClass
+# 1747|         Type = [VoidType] void
+# 1747|         ValueCategory = prvalue
+# 1747|   getEntryPoint(): [BlockStmt] { ... }
+# 1747|     getStmt(0): [ReturnStmt] return ...
+# 1750| [TopLevelFunction] int implicit_copy_constructor_test(CopyConstructorTestNonVirtualClass const&, CopyConstructorTestVirtualClass const&)
+# 1750|   <params>: 
+# 1751|     getParameter(0): [Parameter] x
+# 1751|         Type = [LValueReferenceType] const CopyConstructorTestNonVirtualClass &
+# 1752|     getParameter(1): [Parameter] y
+# 1752|         Type = [LValueReferenceType] const CopyConstructorTestVirtualClass &
+# 1752|   getEntryPoint(): [BlockStmt] { ... }
+# 1753|     getStmt(0): [DeclStmt] declaration
+# 1753|       getDeclarationEntry(0): [VariableDeclarationEntry] definition of cx
+# 1753|           Type = [Class] CopyConstructorTestNonVirtualClass
+# 1753|         getVariable().getInitializer(): [Initializer] initializer for cx
+# 1753|           getExpr(): [ConstructorCall] call to CopyConstructorTestNonVirtualClass
+# 1753|               Type = [VoidType] void
+# 1753|               ValueCategory = prvalue
+# 1753|             getArgument(0): [VariableAccess] x
+# 1753|                 Type = [LValueReferenceType] const CopyConstructorTestNonVirtualClass &
+# 1753|                 ValueCategory = prvalue(load)
+# 1753|             getArgument(0).getFullyConverted(): [ReferenceToExpr] (reference to)
+# 1753|                 Type = [LValueReferenceType] const CopyConstructorTestNonVirtualClass &
+# 1753|                 ValueCategory = prvalue
+# 1753|               getExpr(): [ReferenceDereferenceExpr] (reference dereference)
+# 1753|                   Type = [SpecifiedType] const CopyConstructorTestNonVirtualClass
+# 1753|                   ValueCategory = lvalue
+# 1754|     getStmt(1): [DeclStmt] declaration
+# 1754|       getDeclarationEntry(0): [VariableDeclarationEntry] definition of cy
+# 1754|           Type = [Class] CopyConstructorTestVirtualClass
+# 1754|         getVariable().getInitializer(): [Initializer] initializer for cy
+# 1754|           getExpr(): [ConstructorCall] call to CopyConstructorTestVirtualClass
+# 1754|               Type = [VoidType] void
+# 1754|               ValueCategory = prvalue
+# 1754|             getArgument(0): [VariableAccess] y
+# 1754|                 Type = [LValueReferenceType] const CopyConstructorTestVirtualClass &
+# 1754|                 ValueCategory = prvalue(load)
+# 1754|             getArgument(0).getFullyConverted(): [ReferenceToExpr] (reference to)
+# 1754|                 Type = [LValueReferenceType] const CopyConstructorTestVirtualClass &
+# 1754|                 ValueCategory = prvalue
+# 1754|               getExpr(): [ReferenceDereferenceExpr] (reference dereference)
+# 1754|                   Type = [SpecifiedType] const CopyConstructorTestVirtualClass
+# 1754|                   ValueCategory = lvalue
+# 1755|     getStmt(2): [ReturnStmt] return ...
 perf-regression.cpp:
 #    4| [CopyAssignmentOperator] Big& Big::operator=(Big const&)
 #    4|   <params>: 
--- a/cpp/ql/test/library-tests/ir/ir/ir.cpp
+++ b/cpp/ql/test/library-tests/ir/ir/ir.cpp
@@ -1718,4 +1718,40 @@ void captured_lambda2(TrivialLambdaClass p1, TrivialLambdaClass &p2, TrivialLamb
    };
 }

+class CopyConstructorWithImplicitArgumentClass {
+    int x;
+public:
+    CopyConstructorWithImplicitArgumentClass() {}
+    CopyConstructorWithImplicitArgumentClass(const CopyConstructorWithImplicitArgumentClass &c) {
+        x = c.x;
+    }
+};
+
+class CopyConstructorWithBitwiseCopyClass {
+    int y;
+public:
+    CopyConstructorWithBitwiseCopyClass() {}
+};
+
+class CopyConstructorTestNonVirtualClass :
+        public CopyConstructorWithImplicitArgumentClass,
+        public CopyConstructorWithBitwiseCopyClass {
+public:
+    CopyConstructorTestNonVirtualClass() {}
+};
+
+class CopyConstructorTestVirtualClass :
+        public virtual CopyConstructorWithImplicitArgumentClass,
+        public virtual CopyConstructorWithBitwiseCopyClass {
+public:
+    CopyConstructorTestVirtualClass() {}
+};
+
+int implicit_copy_constructor_test(
+        const CopyConstructorTestNonVirtualClass &x,
+        const CopyConstructorTestVirtualClass &y) {
+    CopyConstructorTestNonVirtualClass cx = x;
+    CopyConstructorTestVirtualClass cy = y;
+}
+
 // semmle-extractor-options: -std=c++17 --clang
--- a/cpp/ql/test/library-tests/ir/ir/operand_locations.expected
+++ b/cpp/ql/test/library-tests/ir/ir/operand_locations.expected
@@ -670,6 +670,10 @@
 | file://:0:0:0:0 | Address | &:r0_1 |
 | file://:0:0:0:0 | Address | &:r0_1 |
 | file://:0:0:0:0 | Address | &:r0_1 |
+| file://:0:0:0:0 | Address | &:r0_1 |
+| file://:0:0:0:0 | Address | &:r0_1 |
+| file://:0:0:0:0 | Address | &:r0_1 |
+| file://:0:0:0:0 | Address | &:r0_1 |
 | file://:0:0:0:0 | Address | &:r0_2 |
 | file://:0:0:0:0 | Address | &:r0_3 |
 | file://:0:0:0:0 | Address | &:r0_3 |
@@ -686,6 +690,10 @@
 | file://:0:0:0:0 | Address | &:r0_3 |
 | file://:0:0:0:0 | Address | &:r0_3 |
 | file://:0:0:0:0 | Address | &:r0_3 |
+| file://:0:0:0:0 | Address | &:r0_3 |
+| file://:0:0:0:0 | Address | &:r0_3 |
+| file://:0:0:0:0 | Address | &:r0_3 |
+| file://:0:0:0:0 | Address | &:r0_3 |
 | file://:0:0:0:0 | Address | &:r0_5 |
 | file://:0:0:0:0 | Address | &:r0_5 |
 | file://:0:0:0:0 | Address | &:r0_5 |
@@ -746,6 +754,8 @@
 | file://:0:0:0:0 | Load | m0_2 |
 | file://:0:0:0:0 | Load | m0_2 |
 | file://:0:0:0:0 | Load | m0_2 |
+| file://:0:0:0:0 | Load | m0_2 |
+| file://:0:0:0:0 | Load | m0_2 |
 | file://:0:0:0:0 | Load | m745_6 |
 | file://:0:0:0:0 | Load | m754_6 |
 | file://:0:0:0:0 | Load | m763_6 |
@@ -767,6 +777,8 @@
 | file://:0:0:0:0 | SideEffect | m0_4 |
 | file://:0:0:0:0 | SideEffect | m0_4 |
 | file://:0:0:0:0 | SideEffect | m0_4 |
+| file://:0:0:0:0 | SideEffect | m0_4 |
+| file://:0:0:0:0 | SideEffect | m0_4 |
 | file://:0:0:0:0 | SideEffect | m1078_23 |
 | file://:0:0:0:0 | SideEffect | m1078_23 |
 | file://:0:0:0:0 | SideEffect | m1084_23 |
@@ -8009,6 +8021,200 @@
 | ir.cpp:1717:30:1717:30 | Load | m1717_6 |
 | ir.cpp:1717:30:1717:30 | SideEffect | m1717_3 |
 | ir.cpp:1717:30:1717:30 | SideEffect | m1717_8 |
+| ir.cpp:1724:5:1724:44 | Address | &:r1724_5 |
+| ir.cpp:1724:5:1724:44 | Address | &:r1724_5 |
+| ir.cpp:1724:5:1724:44 | Address | &:r1724_7 |
+| ir.cpp:1724:5:1724:44 | Address | &:r1724_7 |
+| ir.cpp:1724:5:1724:44 | ChiPartial | partial:m1724_3 |
+| ir.cpp:1724:5:1724:44 | ChiTotal | total:m1724_2 |
+| ir.cpp:1724:5:1724:44 | Load | m1724_6 |
+| ir.cpp:1724:5:1724:44 | SideEffect | m1724_3 |
+| ir.cpp:1724:5:1724:44 | SideEffect | m1724_8 |
+| ir.cpp:1725:5:1725:44 | Address | &:r1725_5 |
+| ir.cpp:1725:5:1725:44 | Address | &:r1725_5 |
+| ir.cpp:1725:5:1725:44 | Address | &:r1725_7 |
+| ir.cpp:1725:5:1725:44 | Address | &:r1725_7 |
+| ir.cpp:1725:5:1725:44 | ChiPartial | partial:m1725_3 |
+| ir.cpp:1725:5:1725:44 | ChiTotal | total:m1725_2 |
+| ir.cpp:1725:5:1725:44 | Load | m1725_6 |
+| ir.cpp:1725:5:1725:44 | SideEffect | m1725_3 |
+| ir.cpp:1725:5:1725:44 | SideEffect | m1726_10 |
+| ir.cpp:1725:94:1725:94 | Address | &:r1725_9 |
+| ir.cpp:1725:94:1725:94 | Address | &:r1725_9 |
+| ir.cpp:1725:94:1725:94 | Address | &:r1725_11 |
+| ir.cpp:1725:94:1725:94 | Address | &:r1725_11 |
+| ir.cpp:1725:94:1725:94 | Load | m1725_10 |
+| ir.cpp:1725:94:1725:94 | SideEffect | m1725_12 |
+| ir.cpp:1726:9:1726:9 | Address | &:r1726_6 |
+| ir.cpp:1726:9:1726:9 | Address | &:r1726_8 |
+| ir.cpp:1726:9:1726:9 | Load | m1725_6 |
+| ir.cpp:1726:9:1726:9 | Unary | r1726_7 |
+| ir.cpp:1726:9:1726:15 | ChiPartial | partial:m1726_9 |
+| ir.cpp:1726:9:1726:15 | ChiTotal | total:m1725_8 |
+| ir.cpp:1726:13:1726:13 | Address | &:r1726_1 |
+| ir.cpp:1726:13:1726:13 | Load | m1725_10 |
+| ir.cpp:1726:13:1726:13 | Unary | r1726_2 |
+| ir.cpp:1726:13:1726:13 | Unary | r1726_3 |
+| ir.cpp:1726:15:1726:15 | Address | &:r1726_4 |
+| ir.cpp:1726:15:1726:15 | Load | ~m1725_12 |
+| ir.cpp:1726:15:1726:15 | StoreValue | r1726_5 |
+| ir.cpp:1733:5:1733:39 | Address | &:r1733_5 |
+| ir.cpp:1733:5:1733:39 | Address | &:r1733_5 |
+| ir.cpp:1733:5:1733:39 | Address | &:r1733_7 |
+| ir.cpp:1733:5:1733:39 | Address | &:r1733_7 |
+| ir.cpp:1733:5:1733:39 | ChiPartial | partial:m1733_3 |
+| ir.cpp:1733:5:1733:39 | ChiTotal | total:m1733_2 |
+| ir.cpp:1733:5:1733:39 | Load | m1733_6 |
+| ir.cpp:1733:5:1733:39 | SideEffect | m1733_3 |
+| ir.cpp:1733:5:1733:39 | SideEffect | m1733_8 |
+| ir.cpp:1736:7:1736:7 | Address | &:r1736_5 |
+| ir.cpp:1736:7:1736:7 | Address | &:r1736_5 |
+| ir.cpp:1736:7:1736:7 | Address | &:r1736_7 |
+| ir.cpp:1736:7:1736:7 | Address | &:r1736_7 |
+| ir.cpp:1736:7:1736:7 | Address | &:r1736_9 |
+| ir.cpp:1736:7:1736:7 | Address | &:r1736_11 |
+| ir.cpp:1736:7:1736:7 | Address | &:r1736_15 |
+| ir.cpp:1736:7:1736:7 | Arg(0) | 0:r1736_15 |
+| ir.cpp:1736:7:1736:7 | Arg(this) | this:r1736_9 |
+| ir.cpp:1736:7:1736:7 | CallTarget | func:r1736_10 |
+| ir.cpp:1736:7:1736:7 | ChiPartial | partial:m1736_3 |
+| ir.cpp:1736:7:1736:7 | ChiPartial | partial:m1736_17 |
+| ir.cpp:1736:7:1736:7 | ChiPartial | partial:m1736_20 |
+| ir.cpp:1736:7:1736:7 | ChiTotal | total:m1736_2 |
+| ir.cpp:1736:7:1736:7 | ChiTotal | total:m1736_4 |
+| ir.cpp:1736:7:1736:7 | ChiTotal | total:m1736_8 |
+| ir.cpp:1736:7:1736:7 | Load | m0_2 |
+| ir.cpp:1736:7:1736:7 | Load | m1736_6 |
+| ir.cpp:1736:7:1736:7 | SideEffect | m1736_21 |
+| ir.cpp:1736:7:1736:7 | SideEffect | ~m0_4 |
+| ir.cpp:1736:7:1736:7 | SideEffect | ~m1736_4 |
+| ir.cpp:1736:7:1736:7 | SideEffect | ~m1736_18 |
+| ir.cpp:1736:7:1736:7 | Unary | m1736_6 |
+| ir.cpp:1736:7:1736:7 | Unary | r1736_12 |
+| ir.cpp:1736:7:1736:7 | Unary | r1736_13 |
+| ir.cpp:1736:7:1736:7 | Unary | r1736_14 |
+| ir.cpp:1740:5:1740:38 | Address | &:r1740_5 |
+| ir.cpp:1740:5:1740:38 | Address | &:r1740_5 |
+| ir.cpp:1740:5:1740:38 | Address | &:r1740_7 |
+| ir.cpp:1740:5:1740:38 | Address | &:r1740_7 |
+| ir.cpp:1740:5:1740:38 | ChiPartial | partial:m1740_3 |
+| ir.cpp:1740:5:1740:38 | ChiTotal | total:m1740_2 |
+| ir.cpp:1740:5:1740:38 | Load | m1740_6 |
+| ir.cpp:1740:5:1740:38 | SideEffect | m1740_22 |
+| ir.cpp:1740:5:1740:38 | SideEffect | ~m1740_20 |
+| ir.cpp:1740:5:1740:38 | Unary | m1740_6 |
+| ir.cpp:1740:5:1740:38 | Unary | m1740_6 |
+| ir.cpp:1740:42:1740:42 | Address | &:r1740_9 |
+| ir.cpp:1740:42:1740:42 | Address | &:r1740_16 |
+| ir.cpp:1740:42:1740:42 | Arg(this) | this:r1740_9 |
+| ir.cpp:1740:42:1740:42 | Arg(this) | this:r1740_16 |
+| ir.cpp:1740:42:1740:42 | CallTarget | func:r1740_10 |
+| ir.cpp:1740:42:1740:42 | CallTarget | func:r1740_17 |
+| ir.cpp:1740:42:1740:42 | ChiPartial | partial:m1740_12 |
+| ir.cpp:1740:42:1740:42 | ChiPartial | partial:m1740_14 |
+| ir.cpp:1740:42:1740:42 | ChiPartial | partial:m1740_19 |
+| ir.cpp:1740:42:1740:42 | ChiPartial | partial:m1740_21 |
+| ir.cpp:1740:42:1740:42 | ChiTotal | total:m1740_4 |
+| ir.cpp:1740:42:1740:42 | ChiTotal | total:m1740_8 |
+| ir.cpp:1740:42:1740:42 | ChiTotal | total:m1740_13 |
+| ir.cpp:1740:42:1740:42 | ChiTotal | total:m1740_15 |
+| ir.cpp:1740:42:1740:42 | SideEffect | ~m1740_4 |
+| ir.cpp:1740:42:1740:42 | SideEffect | ~m1740_13 |
+| ir.cpp:1743:7:1743:7 | Address | &:r1743_5 |
+| ir.cpp:1743:7:1743:7 | Address | &:r1743_5 |
+| ir.cpp:1743:7:1743:7 | Address | &:r1743_7 |
+| ir.cpp:1743:7:1743:7 | Address | &:r1743_7 |
+| ir.cpp:1743:7:1743:7 | Address | &:r1743_9 |
+| ir.cpp:1743:7:1743:7 | Address | &:r1743_11 |
+| ir.cpp:1743:7:1743:7 | Address | &:r1743_15 |
+| ir.cpp:1743:7:1743:7 | Arg(0) | 0:r1743_15 |
+| ir.cpp:1743:7:1743:7 | Arg(this) | this:r1743_9 |
+| ir.cpp:1743:7:1743:7 | CallTarget | func:r1743_10 |
+| ir.cpp:1743:7:1743:7 | ChiPartial | partial:m1743_3 |
+| ir.cpp:1743:7:1743:7 | ChiPartial | partial:m1743_17 |
+| ir.cpp:1743:7:1743:7 | ChiPartial | partial:m1743_20 |
+| ir.cpp:1743:7:1743:7 | ChiTotal | total:m1743_2 |
+| ir.cpp:1743:7:1743:7 | ChiTotal | total:m1743_4 |
+| ir.cpp:1743:7:1743:7 | ChiTotal | total:m1743_18 |
+| ir.cpp:1743:7:1743:7 | Load | m0_2 |
+| ir.cpp:1743:7:1743:7 | Load | m1743_6 |
+| ir.cpp:1743:7:1743:7 | SideEffect | m1743_8 |
+| ir.cpp:1743:7:1743:7 | SideEffect | ~m0_4 |
+| ir.cpp:1743:7:1743:7 | SideEffect | ~m1743_4 |
+| ir.cpp:1743:7:1743:7 | SideEffect | ~m1743_21 |
+| ir.cpp:1743:7:1743:7 | Unary | m1743_6 |
+| ir.cpp:1743:7:1743:7 | Unary | r1743_12 |
+| ir.cpp:1743:7:1743:7 | Unary | r1743_13 |
+| ir.cpp:1743:7:1743:7 | Unary | r1743_14 |
+| ir.cpp:1747:5:1747:35 | Address | &:r1747_5 |
+| ir.cpp:1747:5:1747:35 | Address | &:r1747_5 |
+| ir.cpp:1747:5:1747:35 | Address | &:r1747_7 |
+| ir.cpp:1747:5:1747:35 | Address | &:r1747_7 |
+| ir.cpp:1747:5:1747:35 | ChiPartial | partial:m1747_3 |
+| ir.cpp:1747:5:1747:35 | ChiTotal | total:m1747_2 |
+| ir.cpp:1747:5:1747:35 | Load | m1747_6 |
+| ir.cpp:1747:5:1747:35 | SideEffect | m1747_8 |
+| ir.cpp:1747:5:1747:35 | SideEffect | ~m1747_22 |
+| ir.cpp:1747:5:1747:35 | Unary | m1747_6 |
+| ir.cpp:1747:5:1747:35 | Unary | m1747_6 |
+| ir.cpp:1747:39:1747:39 | Address | &:r1747_9 |
+| ir.cpp:1747:39:1747:39 | Address | &:r1747_16 |
+| ir.cpp:1747:39:1747:39 | Arg(this) | this:r1747_9 |
+| ir.cpp:1747:39:1747:39 | Arg(this) | this:r1747_16 |
+| ir.cpp:1747:39:1747:39 | CallTarget | func:r1747_10 |
+| ir.cpp:1747:39:1747:39 | CallTarget | func:r1747_17 |
+| ir.cpp:1747:39:1747:39 | ChiPartial | partial:m1747_12 |
+| ir.cpp:1747:39:1747:39 | ChiPartial | partial:m1747_14 |
+| ir.cpp:1747:39:1747:39 | ChiPartial | partial:m1747_19 |
+| ir.cpp:1747:39:1747:39 | ChiPartial | partial:m1747_21 |
+| ir.cpp:1747:39:1747:39 | ChiTotal | total:m1747_4 |
+| ir.cpp:1747:39:1747:39 | ChiTotal | total:m1747_13 |
+| ir.cpp:1747:39:1747:39 | ChiTotal | total:m1747_15 |
+| ir.cpp:1747:39:1747:39 | ChiTotal | total:m1747_20 |
+| ir.cpp:1747:39:1747:39 | SideEffect | ~m1747_4 |
+| ir.cpp:1747:39:1747:39 | SideEffect | ~m1747_15 |
+| ir.cpp:1750:5:1750:34 | ChiPartial | partial:m1750_3 |
+| ir.cpp:1750:5:1750:34 | ChiTotal | total:m1750_2 |
+| ir.cpp:1751:51:1751:51 | Address | &:r1751_1 |
+| ir.cpp:1751:51:1751:51 | Address | &:r1751_1 |
+| ir.cpp:1751:51:1751:51 | Address | &:r1751_3 |
+| ir.cpp:1751:51:1751:51 | Load | m1751_2 |
+| ir.cpp:1752:48:1752:48 | Address | &:r1752_1 |
+| ir.cpp:1752:48:1752:48 | Address | &:r1752_1 |
+| ir.cpp:1752:48:1752:48 | Address | &:r1752_3 |
+| ir.cpp:1752:48:1752:48 | Load | m1752_2 |
+| ir.cpp:1753:40:1753:41 | Address | &:r1753_1 |
+| ir.cpp:1753:40:1753:41 | Address | &:r1753_1 |
+| ir.cpp:1753:40:1753:41 | Arg(this) | this:r1753_1 |
+| ir.cpp:1753:44:1753:45 | CallTarget | func:r1753_3 |
+| ir.cpp:1753:44:1753:45 | ChiPartial | partial:m1753_9 |
+| ir.cpp:1753:44:1753:45 | ChiPartial | partial:m1753_12 |
+| ir.cpp:1753:44:1753:45 | ChiTotal | total:m1750_4 |
+| ir.cpp:1753:44:1753:45 | ChiTotal | total:m1753_2 |
+| ir.cpp:1753:44:1753:45 | SideEffect | ~m1750_4 |
+| ir.cpp:1753:45:1753:45 | Address | &:r1753_4 |
+| ir.cpp:1753:45:1753:45 | Address | &:r1753_7 |
+| ir.cpp:1753:45:1753:45 | Arg(0) | 0:r1753_7 |
+| ir.cpp:1753:45:1753:45 | Load | m1751_2 |
+| ir.cpp:1753:45:1753:45 | SideEffect | ~m1751_4 |
+| ir.cpp:1753:45:1753:45 | Unary | r1753_5 |
+| ir.cpp:1753:45:1753:45 | Unary | r1753_6 |
+| ir.cpp:1754:37:1754:38 | Address | &:r1754_1 |
+| ir.cpp:1754:37:1754:38 | Address | &:r1754_1 |
+| ir.cpp:1754:37:1754:38 | Arg(this) | this:r1754_1 |
+| ir.cpp:1754:41:1754:42 | CallTarget | func:r1754_3 |
+| ir.cpp:1754:41:1754:42 | ChiPartial | partial:m1754_9 |
+| ir.cpp:1754:41:1754:42 | ChiPartial | partial:m1754_12 |
+| ir.cpp:1754:41:1754:42 | ChiTotal | total:m1753_10 |
+| ir.cpp:1754:41:1754:42 | ChiTotal | total:m1754_2 |
+| ir.cpp:1754:41:1754:42 | SideEffect | ~m1753_10 |
+| ir.cpp:1754:42:1754:42 | Address | &:r1754_4 |
+| ir.cpp:1754:42:1754:42 | Address | &:r1754_7 |
+| ir.cpp:1754:42:1754:42 | Arg(0) | 0:r1754_7 |
+| ir.cpp:1754:42:1754:42 | Load | m1752_2 |
+| ir.cpp:1754:42:1754:42 | SideEffect | ~m1752_4 |
+| ir.cpp:1754:42:1754:42 | Unary | r1754_5 |
+| ir.cpp:1754:42:1754:42 | Unary | r1754_6 |
 | perf-regression.cpp:6:3:6:5 | Address | &:r6_5 |
 | perf-regression.cpp:6:3:6:5 | Address | &:r6_5 |
 | perf-regression.cpp:6:3:6:5 | Address | &:r6_7 |
--- a/cpp/ql/test/library-tests/ir/ir/raw_consistency.expected
+++ b/cpp/ql/test/library-tests/ir/ir/raw_consistency.expected
@@ -18,6 +18,8 @@ lostReachability
 backEdgeCountMismatch
 useNotDominatedByDefinition
 | ir.cpp:1486:8:1486:8 | Unary | Operand 'Unary' is not dominated by its definition in function '$@'. | ir.cpp:1486:8:1486:8 | void StructuredBindingDataMemberStruct::StructuredBindingDataMemberStruct() | void StructuredBindingDataMemberStruct::StructuredBindingDataMemberStruct() |
+| ir.cpp:1751:51:1751:51 | Address | Operand 'Address' is not dominated by its definition in function '$@'. | ir.cpp:1750:5:1750:34 | int implicit_copy_constructor_test(CopyConstructorTestNonVirtualClass const&, CopyConstructorTestVirtualClass const&) | int implicit_copy_constructor_test(CopyConstructorTestNonVirtualClass const&, CopyConstructorTestVirtualClass const&) |
+| ir.cpp:1752:48:1752:48 | Address | Operand 'Address' is not dominated by its definition in function '$@'. | ir.cpp:1750:5:1750:34 | int implicit_copy_constructor_test(CopyConstructorTestNonVirtualClass const&, CopyConstructorTestVirtualClass const&) | int implicit_copy_constructor_test(CopyConstructorTestNonVirtualClass const&, CopyConstructorTestVirtualClass const&) |
 switchInstructionWithoutDefaultEdge
 notMarkedAsConflated
 wronglyMarkedAsConflated
--- a/cpp/ql/test/library-tests/ir/ir/raw_ir.expected
+++ b/cpp/ql/test/library-tests/ir/ir/raw_ir.expected
@@ -9202,6 +9202,222 @@ ir.cpp:
 # 1717|     v1717_11(void)                             = AliasedUse                   : ~m?
 # 1717|     v1717_12(void)                             = ExitFunction                 : 

+# 1724| void CopyConstructorWithImplicitArgumentClass::CopyConstructorWithImplicitArgumentClass()
+# 1724|   Block 0
+# 1724|     v1724_1(void)                                             = EnterFunction                : 
+# 1724|     mu1724_2(unknown)                                         = AliasedDefinition            : 
+# 1724|     mu1724_3(unknown)                                         = InitializeNonLocal           : 
+# 1724|     r1724_4(glval<unknown>)                                   = VariableAddress[#this]       : 
+# 1724|     mu1724_5(glval<CopyConstructorWithImplicitArgumentClass>) = InitializeParameter[#this]   : &:r1724_4
+# 1724|     r1724_6(glval<CopyConstructorWithImplicitArgumentClass>)  = Load[#this]                  : &:r1724_4, ~m?
+# 1724|     mu1724_7(CopyConstructorWithImplicitArgumentClass)        = InitializeIndirection[#this] : &:r1724_6
+# 1724|     v1724_8(void)                                             = NoOp                         : 
+# 1724|     v1724_9(void)                                             = ReturnIndirection[#this]     : &:r1724_6, ~m?
+# 1724|     v1724_10(void)                                            = ReturnVoid                   : 
+# 1724|     v1724_11(void)                                            = AliasedUse                   : ~m?
+# 1724|     v1724_12(void)                                            = ExitFunction                 : 
+
+# 1725| void CopyConstructorWithImplicitArgumentClass::CopyConstructorWithImplicitArgumentClass(CopyConstructorWithImplicitArgumentClass const&)
+# 1725|   Block 0
+# 1725|     v1725_1(void)                                              = EnterFunction                : 
+# 1725|     mu1725_2(unknown)                                          = AliasedDefinition            : 
+# 1725|     mu1725_3(unknown)                                          = InitializeNonLocal           : 
+# 1725|     r1725_4(glval<unknown>)                                    = VariableAddress[#this]       : 
+# 1725|     mu1725_5(glval<CopyConstructorWithImplicitArgumentClass>)  = InitializeParameter[#this]   : &:r1725_4
+# 1725|     r1725_6(glval<CopyConstructorWithImplicitArgumentClass>)   = Load[#this]                  : &:r1725_4, ~m?
+# 1725|     mu1725_7(CopyConstructorWithImplicitArgumentClass)         = InitializeIndirection[#this] : &:r1725_6
+# 1725|     r1725_8(glval<CopyConstructorWithImplicitArgumentClass &>) = VariableAddress[c]           : 
+# 1725|     mu1725_9(CopyConstructorWithImplicitArgumentClass &)       = InitializeParameter[c]       : &:r1725_8
+# 1725|     r1725_10(CopyConstructorWithImplicitArgumentClass &)       = Load[c]                      : &:r1725_8, ~m?
+# 1725|     mu1725_11(unknown)                                         = InitializeIndirection[c]     : &:r1725_10
+# 1726|     r1726_1(glval<CopyConstructorWithImplicitArgumentClass &>) = VariableAddress[c]           : 
+# 1726|     r1726_2(CopyConstructorWithImplicitArgumentClass &)        = Load[c]                      : &:r1726_1, ~m?
+# 1726|     r1726_3(glval<CopyConstructorWithImplicitArgumentClass>)   = CopyValue                    : r1726_2
+# 1726|     r1726_4(glval<int>)                                        = FieldAddress[x]              : r1726_3
+# 1726|     r1726_5(int)                                               = Load[?]                      : &:r1726_4, ~m?
+# 1726|     r1726_6(glval<unknown>)                                    = VariableAddress[#this]       : 
+# 1726|     r1726_7(CopyConstructorWithImplicitArgumentClass *)        = Load[#this]                  : &:r1726_6, ~m?
+# 1726|     r1726_8(glval<int>)                                        = FieldAddress[x]              : r1726_7
+# 1726|     mu1726_9(int)                                              = Store[?]                     : &:r1726_8, r1726_5
+# 1727|     v1727_1(void)                                              = NoOp                         : 
+# 1725|     v1725_12(void)                                             = ReturnIndirection[#this]     : &:r1725_6, ~m?
+# 1725|     v1725_13(void)                                             = ReturnIndirection[c]         : &:r1725_10, ~m?
+# 1725|     v1725_14(void)                                             = ReturnVoid                   : 
+# 1725|     v1725_15(void)                                             = AliasedUse                   : ~m?
+# 1725|     v1725_16(void)                                             = ExitFunction                 : 
+
+# 1733| void CopyConstructorWithBitwiseCopyClass::CopyConstructorWithBitwiseCopyClass()
+# 1733|   Block 0
+# 1733|     v1733_1(void)                                        = EnterFunction                : 
+# 1733|     mu1733_2(unknown)                                    = AliasedDefinition            : 
+# 1733|     mu1733_3(unknown)                                    = InitializeNonLocal           : 
+# 1733|     r1733_4(glval<unknown>)                              = VariableAddress[#this]       : 
+# 1733|     mu1733_5(glval<CopyConstructorWithBitwiseCopyClass>) = InitializeParameter[#this]   : &:r1733_4
+# 1733|     r1733_6(glval<CopyConstructorWithBitwiseCopyClass>)  = Load[#this]                  : &:r1733_4, ~m?
+# 1733|     mu1733_7(CopyConstructorWithBitwiseCopyClass)        = InitializeIndirection[#this] : &:r1733_6
+# 1733|     v1733_8(void)                                        = NoOp                         : 
+# 1733|     v1733_9(void)                                        = ReturnIndirection[#this]     : &:r1733_6, ~m?
+# 1733|     v1733_10(void)                                       = ReturnVoid                   : 
+# 1733|     v1733_11(void)                                       = AliasedUse                   : ~m?
+# 1733|     v1733_12(void)                                       = ExitFunction                 : 
+
+# 1736| void CopyConstructorTestNonVirtualClass::CopyConstructorTestNonVirtualClass(CopyConstructorTestNonVirtualClass const&)
+# 1736|   Block 0
+# 1736|     v1736_1(void)                                             = EnterFunction                                                                                          : 
+# 1736|     mu1736_2(unknown)                                         = AliasedDefinition                                                                                      : 
+# 1736|     mu1736_3(unknown)                                         = InitializeNonLocal                                                                                     : 
+# 1736|     r1736_4(glval<unknown>)                                   = VariableAddress[#this]                                                                                 : 
+# 1736|     mu1736_5(glval<CopyConstructorTestNonVirtualClass>)       = InitializeParameter[#this]                                                                             : &:r1736_4
+# 1736|     r1736_6(glval<CopyConstructorTestNonVirtualClass>)        = Load[#this]                                                                                            : &:r1736_4, ~m?
+# 1736|     mu1736_7(CopyConstructorTestNonVirtualClass)              = InitializeIndirection[#this]                                                                           : &:r1736_6
+#-----|     r0_1(glval<CopyConstructorTestNonVirtualClass &>)         = VariableAddress[(unnamed parameter 0)]                                                                 : 
+#-----|     mu0_2(CopyConstructorTestNonVirtualClass &)               = InitializeParameter[(unnamed parameter 0)]                                                             : &:r0_1
+#-----|     r0_3(CopyConstructorTestNonVirtualClass &)                = Load[(unnamed parameter 0)]                                                                            : &:r0_1, ~m?
+#-----|     mu0_4(unknown)                                            = InitializeIndirection[(unnamed parameter 0)]                                                           : &:r0_3
+# 1736|     r1736_8(glval<CopyConstructorWithImplicitArgumentClass>)  = ConvertToNonVirtualBase[CopyConstructorTestNonVirtualClass : CopyConstructorWithImplicitArgumentClass] : mu1736_5
+# 1736|     r1736_9(glval<unknown>)                                   = FunctionAddress[CopyConstructorWithImplicitArgumentClass]                                              : 
+# 1736|     r1736_10(glval<CopyConstructorTestNonVirtualClass &>)     = VariableAddress[(unnamed parameter 0)]                                                                 : 
+# 1736|     r1736_11(CopyConstructorTestNonVirtualClass &)            = Load[(unnamed parameter 0)]                                                                            : &:r1736_10, ~m?
+# 1736|     r1736_12(glval<CopyConstructorTestNonVirtualClass>)       = CopyValue                                                                                              : r1736_11
+# 1736|     r1736_13(glval<CopyConstructorWithImplicitArgumentClass>) = ConvertToNonVirtualBase[CopyConstructorTestNonVirtualClass : CopyConstructorWithImplicitArgumentClass] : r1736_12
+# 1736|     r1736_14(CopyConstructorWithImplicitArgumentClass &)      = CopyValue                                                                                              : r1736_13
+# 1736|     v1736_15(void)                                            = Call[CopyConstructorWithImplicitArgumentClass]                                                         : func:r1736_9, this:r1736_8, 0:r1736_14
+# 1736|     mu1736_16(unknown)                                        = ^CallSideEffect                                                                                        : ~m?
+# 1736|     v1736_17(void)                                            = ^BufferReadSideEffect[0]                                                                               : &:r1736_14, ~m?
+# 1736|     mu1736_18(CopyConstructorWithImplicitArgumentClass)       = ^IndirectMayWriteSideEffect[-1]                                                                        : &:r1736_8
+# 1736|     v1736_19(void)                                            = NoOp                                                                                                   : 
+# 1736|     v1736_20(void)                                            = ReturnIndirection[#this]                                                                               : &:r1736_6, ~m?
+#-----|     v0_5(void)                                                = ReturnIndirection[(unnamed parameter 0)]                                                               : &:r0_3, ~m?
+# 1736|     v1736_21(void)                                            = ReturnVoid                                                                                             : 
+# 1736|     v1736_22(void)                                            = AliasedUse                                                                                             : ~m?
+# 1736|     v1736_23(void)                                            = ExitFunction                                                                                           : 
+
+# 1740| void CopyConstructorTestNonVirtualClass::CopyConstructorTestNonVirtualClass()
+# 1740|   Block 0
+# 1740|     v1740_1(void)                                            = EnterFunction                                                                                          : 
+# 1740|     mu1740_2(unknown)                                        = AliasedDefinition                                                                                      : 
+# 1740|     mu1740_3(unknown)                                        = InitializeNonLocal                                                                                     : 
+# 1740|     r1740_4(glval<unknown>)                                  = VariableAddress[#this]                                                                                 : 
+# 1740|     mu1740_5(glval<CopyConstructorTestNonVirtualClass>)      = InitializeParameter[#this]                                                                             : &:r1740_4
+# 1740|     r1740_6(glval<CopyConstructorTestNonVirtualClass>)       = Load[#this]                                                                                            : &:r1740_4, ~m?
+# 1740|     mu1740_7(CopyConstructorTestNonVirtualClass)             = InitializeIndirection[#this]                                                                           : &:r1740_6
+# 1740|     r1740_8(glval<CopyConstructorWithImplicitArgumentClass>) = ConvertToNonVirtualBase[CopyConstructorTestNonVirtualClass : CopyConstructorWithImplicitArgumentClass] : mu1740_5
+# 1740|     r1740_9(glval<unknown>)                                  = FunctionAddress[CopyConstructorWithImplicitArgumentClass]                                              : 
+# 1740|     v1740_10(void)                                           = Call[CopyConstructorWithImplicitArgumentClass]                                                         : func:r1740_9, this:r1740_8
+# 1740|     mu1740_11(unknown)                                       = ^CallSideEffect                                                                                        : ~m?
+# 1740|     mu1740_12(CopyConstructorWithImplicitArgumentClass)      = ^IndirectMayWriteSideEffect[-1]                                                                        : &:r1740_8
+# 1740|     r1740_13(glval<CopyConstructorWithBitwiseCopyClass>)     = ConvertToNonVirtualBase[CopyConstructorTestNonVirtualClass : CopyConstructorWithBitwiseCopyClass]      : mu1740_5
+# 1740|     r1740_14(glval<unknown>)                                 = FunctionAddress[CopyConstructorWithBitwiseCopyClass]                                                   : 
+# 1740|     v1740_15(void)                                           = Call[CopyConstructorWithBitwiseCopyClass]                                                              : func:r1740_14, this:r1740_13
+# 1740|     mu1740_16(unknown)                                       = ^CallSideEffect                                                                                        : ~m?
+# 1740|     mu1740_17(CopyConstructorWithBitwiseCopyClass)           = ^IndirectMayWriteSideEffect[-1]                                                                        : &:r1740_13
+# 1740|     v1740_18(void)                                           = NoOp                                                                                                   : 
+# 1740|     v1740_19(void)                                           = ReturnIndirection[#this]                                                                               : &:r1740_6, ~m?
+# 1740|     v1740_20(void)                                           = ReturnVoid                                                                                             : 
+# 1740|     v1740_21(void)                                           = AliasedUse                                                                                             : ~m?
+# 1740|     v1740_22(void)                                           = ExitFunction                                                                                           : 
+
+# 1743| void CopyConstructorTestVirtualClass::CopyConstructorTestVirtualClass(CopyConstructorTestVirtualClass const&)
+# 1743|   Block 0
+# 1743|     v1743_1(void)                                             = EnterFunction                                                                                       : 
+# 1743|     mu1743_2(unknown)                                         = AliasedDefinition                                                                                   : 
+# 1743|     mu1743_3(unknown)                                         = InitializeNonLocal                                                                                  : 
+# 1743|     r1743_4(glval<unknown>)                                   = VariableAddress[#this]                                                                              : 
+# 1743|     mu1743_5(glval<CopyConstructorTestVirtualClass>)          = InitializeParameter[#this]                                                                          : &:r1743_4
+# 1743|     r1743_6(glval<CopyConstructorTestVirtualClass>)           = Load[#this]                                                                                         : &:r1743_4, ~m?
+# 1743|     mu1743_7(CopyConstructorTestVirtualClass)                 = InitializeIndirection[#this]                                                                        : &:r1743_6
+#-----|     r0_1(glval<CopyConstructorTestVirtualClass &>)            = VariableAddress[(unnamed parameter 0)]                                                              : 
+#-----|     mu0_2(CopyConstructorTestVirtualClass &)                  = InitializeParameter[(unnamed parameter 0)]                                                          : &:r0_1
+#-----|     r0_3(CopyConstructorTestVirtualClass &)                   = Load[(unnamed parameter 0)]                                                                         : &:r0_1, ~m?
+#-----|     mu0_4(unknown)                                            = InitializeIndirection[(unnamed parameter 0)]                                                        : &:r0_3
+# 1743|     r1743_8(glval<CopyConstructorWithImplicitArgumentClass>)  = ConvertToNonVirtualBase[CopyConstructorTestVirtualClass : CopyConstructorWithImplicitArgumentClass] : mu1743_5
+# 1743|     r1743_9(glval<unknown>)                                   = FunctionAddress[CopyConstructorWithImplicitArgumentClass]                                           : 
+# 1743|     r1743_10(glval<CopyConstructorTestVirtualClass &>)        = VariableAddress[(unnamed parameter 0)]                                                              : 
+# 1743|     r1743_11(CopyConstructorTestVirtualClass &)               = Load[(unnamed parameter 0)]                                                                         : &:r1743_10, ~m?
+# 1743|     r1743_12(glval<CopyConstructorTestVirtualClass>)          = CopyValue                                                                                           : r1743_11
+# 1743|     r1743_13(glval<CopyConstructorWithImplicitArgumentClass>) = ConvertToVirtualBase[CopyConstructorTestVirtualClass : CopyConstructorWithImplicitArgumentClass]    : r1743_12
+# 1743|     r1743_14(CopyConstructorWithImplicitArgumentClass &)      = CopyValue                                                                                           : r1743_13
+# 1743|     v1743_15(void)                                            = Call[CopyConstructorWithImplicitArgumentClass]                                                      : func:r1743_9, this:r1743_8, 0:r1743_14
+# 1743|     mu1743_16(unknown)                                        = ^CallSideEffect                                                                                     : ~m?
+# 1743|     v1743_17(void)                                            = ^BufferReadSideEffect[0]                                                                            : &:r1743_14, ~m?
+# 1743|     mu1743_18(CopyConstructorWithImplicitArgumentClass)       = ^IndirectMayWriteSideEffect[-1]                                                                     : &:r1743_8
+# 1743|     v1743_19(void)                                            = NoOp                                                                                                : 
+# 1743|     v1743_20(void)                                            = ReturnIndirection[#this]                                                                            : &:r1743_6, ~m?
+#-----|     v0_5(void)                                                = ReturnIndirection[(unnamed parameter 0)]                                                            : &:r0_3, ~m?
+# 1743|     v1743_21(void)                                            = ReturnVoid                                                                                          : 
+# 1743|     v1743_22(void)                                            = AliasedUse                                                                                          : ~m?
+# 1743|     v1743_23(void)                                            = ExitFunction                                                                                        : 
+
+# 1747| void CopyConstructorTestVirtualClass::CopyConstructorTestVirtualClass()
+# 1747|   Block 0
+# 1747|     v1747_1(void)                                            = EnterFunction                                                                                       : 
+# 1747|     mu1747_2(unknown)                                        = AliasedDefinition                                                                                   : 
+# 1747|     mu1747_3(unknown)                                        = InitializeNonLocal                                                                                  : 
+# 1747|     r1747_4(glval<unknown>)                                  = VariableAddress[#this]                                                                              : 
+# 1747|     mu1747_5(glval<CopyConstructorTestVirtualClass>)         = InitializeParameter[#this]                                                                          : &:r1747_4
+# 1747|     r1747_6(glval<CopyConstructorTestVirtualClass>)          = Load[#this]                                                                                         : &:r1747_4, ~m?
+# 1747|     mu1747_7(CopyConstructorTestVirtualClass)                = InitializeIndirection[#this]                                                                        : &:r1747_6
+# 1747|     r1747_8(glval<CopyConstructorWithImplicitArgumentClass>) = ConvertToNonVirtualBase[CopyConstructorTestVirtualClass : CopyConstructorWithImplicitArgumentClass] : mu1747_5
+# 1747|     r1747_9(glval<unknown>)                                  = FunctionAddress[CopyConstructorWithImplicitArgumentClass]                                           : 
+# 1747|     v1747_10(void)                                           = Call[CopyConstructorWithImplicitArgumentClass]                                                      : func:r1747_9, this:r1747_8
+# 1747|     mu1747_11(unknown)                                       = ^CallSideEffect                                                                                     : ~m?
+# 1747|     mu1747_12(CopyConstructorWithImplicitArgumentClass)      = ^IndirectMayWriteSideEffect[-1]                                                                     : &:r1747_8
+# 1747|     r1747_13(glval<CopyConstructorWithBitwiseCopyClass>)     = ConvertToNonVirtualBase[CopyConstructorTestVirtualClass : CopyConstructorWithBitwiseCopyClass]      : mu1747_5
+# 1747|     r1747_14(glval<unknown>)                                 = FunctionAddress[CopyConstructorWithBitwiseCopyClass]                                                : 
+# 1747|     v1747_15(void)                                           = Call[CopyConstructorWithBitwiseCopyClass]                                                           : func:r1747_14, this:r1747_13
+# 1747|     mu1747_16(unknown)                                       = ^CallSideEffect                                                                                     : ~m?
+# 1747|     mu1747_17(CopyConstructorWithBitwiseCopyClass)           = ^IndirectMayWriteSideEffect[-1]                                                                     : &:r1747_13
+# 1747|     v1747_18(void)                                           = NoOp                                                                                                : 
+# 1747|     v1747_19(void)                                           = ReturnIndirection[#this]                                                                            : &:r1747_6, ~m?
+# 1747|     v1747_20(void)                                           = ReturnVoid                                                                                          : 
+# 1747|     v1747_21(void)                                           = AliasedUse                                                                                          : ~m?
+# 1747|     v1747_22(void)                                           = ExitFunction                                                                                        : 
+
+# 1750| int implicit_copy_constructor_test(CopyConstructorTestNonVirtualClass const&, CopyConstructorTestVirtualClass const&)
+# 1750|   Block 0
+# 1750|     v1750_1(void)                                        = EnterFunction                                       : 
+# 1750|     mu1750_2(unknown)                                    = AliasedDefinition                                   : 
+# 1750|     mu1750_3(unknown)                                    = InitializeNonLocal                                  : 
+# 1751|     r1751_1(glval<CopyConstructorTestNonVirtualClass &>) = VariableAddress[x]                                  : 
+# 1751|     mu1751_2(CopyConstructorTestNonVirtualClass &)       = InitializeParameter[x]                              : &:r1751_1
+# 1751|     r1751_3(CopyConstructorTestNonVirtualClass &)        = Load[x]                                             : &:r1751_1, ~m?
+# 1751|     mu1751_4(unknown)                                    = InitializeIndirection[x]                            : &:r1751_3
+# 1752|     r1752_1(glval<CopyConstructorTestVirtualClass &>)    = VariableAddress[y]                                  : 
+# 1752|     mu1752_2(CopyConstructorTestVirtualClass &)          = InitializeParameter[y]                              : &:r1752_1
+# 1752|     r1752_3(CopyConstructorTestVirtualClass &)           = Load[y]                                             : &:r1752_1, ~m?
+# 1752|     mu1752_4(unknown)                                    = InitializeIndirection[y]                            : &:r1752_3
+# 1753|     r1753_1(glval<CopyConstructorTestNonVirtualClass>)   = VariableAddress[cx]                                 : 
+# 1753|     mu1753_2(CopyConstructorTestNonVirtualClass)         = Uninitialized[cx]                                   : &:r1753_1
+# 1753|     r1753_3(glval<unknown>)                              = FunctionAddress[CopyConstructorTestNonVirtualClass] : 
+# 1753|     r1753_4(glval<CopyConstructorTestNonVirtualClass &>) = VariableAddress[x]                                  : 
+# 1753|     r1753_5(CopyConstructorTestNonVirtualClass &)        = Load[x]                                             : &:r1753_4, ~m?
+# 1753|     r1753_6(glval<CopyConstructorTestNonVirtualClass>)   = CopyValue                                           : r1753_5
+# 1753|     r1753_7(CopyConstructorTestNonVirtualClass &)        = CopyValue                                           : r1753_6
+# 1753|     v1753_8(void)                                        = Call[CopyConstructorTestNonVirtualClass]            : func:r1753_3, this:r1753_1, 0:r1753_7
+# 1753|     mu1753_9(unknown)                                    = ^CallSideEffect                                     : ~m?
+# 1753|     v1753_10(void)                                       = ^BufferReadSideEffect[0]                            : &:r1753_7, ~m?
+# 1753|     mu1753_11(CopyConstructorTestNonVirtualClass)        = ^IndirectMayWriteSideEffect[-1]                     : &:r1753_1
+# 1754|     r1754_1(glval<CopyConstructorTestVirtualClass>)      = VariableAddress[cy]                                 : 
+# 1754|     mu1754_2(CopyConstructorTestVirtualClass)            = Uninitialized[cy]                                   : &:r1754_1
+# 1754|     r1754_3(glval<unknown>)                              = FunctionAddress[CopyConstructorTestVirtualClass]    : 
+# 1754|     r1754_4(glval<CopyConstructorTestVirtualClass &>)    = VariableAddress[y]                                  : 
+# 1754|     r1754_5(CopyConstructorTestVirtualClass &)           = Load[y]                                             : &:r1754_4, ~m?
+# 1754|     r1754_6(glval<CopyConstructorTestVirtualClass>)      = CopyValue                                           : r1754_5
+# 1754|     r1754_7(CopyConstructorTestVirtualClass &)           = CopyValue                                           : r1754_6
+# 1754|     v1754_8(void)                                        = Call[CopyConstructorTestVirtualClass]               : func:r1754_3, this:r1754_1, 0:r1754_7
+# 1754|     mu1754_9(unknown)                                    = ^CallSideEffect                                     : ~m?
+# 1754|     v1754_10(void)                                       = ^BufferReadSideEffect[0]                            : &:r1754_7, ~m?
+# 1754|     mu1754_11(CopyConstructorTestVirtualClass)           = ^IndirectMayWriteSideEffect[-1]                     : &:r1754_1
+# 1755|     v1755_1(void)                                        = Unreached                                           : 
+
+# 1751|   Block 1
+# 1751|     v1751_5(void)       = ReturnIndirection[x]     : &:r1751_3, ~m?
+# 1752|     v1752_5(void)       = ReturnIndirection[y]     : &:r1752_3, ~m?
+# 1750|     r1750_4(glval<int>) = VariableAddress[#return] : 
+# 1750|     v1750_5(void)       = ReturnValue              : &:r1750_4, ~m?
+# 1750|     v1750_6(void)       = AliasedUse               : ~m?
+# 1750|     v1750_7(void)       = ExitFunction             : 
+
 perf-regression.cpp:
 #    6| void Big::Big()
 #    6|   Block 0
--- a/cpp/ql/test/library-tests/syntax-zoo/dataflow-consistency.expected
+++ b/cpp/ql/test/library-tests/syntax-zoo/dataflow-consistency.expected
@@ -123,3 +123,4 @@ postWithInFlow
 | misc.c:220:4:220:5 | sp [inner post update] | PostUpdateNode should not be the target of local flow. |
 | static_init_templates.cpp:3:2:3:4 | ref [post update] | PostUpdateNode should not be the target of local flow. |
 | static_init_templates.cpp:21:2:21:4 | val [post update] | PostUpdateNode should not be the target of local flow. |
+| try_catch.cpp:7:8:7:8 | call to exception | PostUpdateNode should not be the target of local flow. |
--- a/cpp/ql/test/library-tests/usings/Usings1.expected
+++ b/cpp/ql/test/library-tests/usings/Usings1.expected
@@ -1,7 +1,7 @@
-| templates.cpp:9:5:9:14 | using c | UsingDeclarationEntry, enclosingElement:std |
-| usings.cpp:8:1:8:11 | using nf | UsingDeclarationEntry, enclosingElement:(global namespace) |
+| templates.cpp:9:14:9:14 | using c | UsingDeclarationEntry, enclosingElement:std |
+| usings.cpp:8:10:8:11 | using nf | UsingDeclarationEntry, enclosingElement:(global namespace) |
 | usings.cpp:9:1:9:17 | using namespace N | UsingDirectiveEntry, enclosingElement:(global namespace) |
-| usings.cpp:18:3:18:13 | using bf | UsingDeclarationEntry, enclosingElement:D |
-| usings.cpp:21:5:21:14 | using gf | UsingDeclarationEntry, enclosingElement:{ ... } |
-| usings.cpp:34:3:34:20 | using tbf | UsingDeclarationEntry, enclosingElement:TD |
-| usings.cpp:42:5:42:22 | using foo | UsingDeclarationEntry, enclosingElement:nsbar |
+| usings.cpp:18:12:18:13 | using bf | UsingDeclarationEntry, enclosingElement:D |
+| usings.cpp:21:13:21:14 | using gf | UsingDeclarationEntry, enclosingElement:{ ... } |
+| usings.cpp:34:18:34:20 | using tbf | UsingDeclarationEntry, enclosingElement:TD |
+| usings.cpp:42:20:42:22 | using foo | UsingDeclarationEntry, enclosingElement:nsbar |
--- a/cpp/ql/test/query-tests/jsf/4.13
+++ b/cpp/ql/test/query-tests/jsf/4.13
@@ -105,3 +105,8 @@ _Noreturn void f15();
 int f16() {
    f15(); // GOOD
 }
+
+int f17() {
+    if (__builtin_expect(1, 0))
+        __builtin_unreachable(); // GOOD
+}
--- a/csharp/downgrades/qlpack.yml
+++ b/csharp/downgrades/qlpack.yml
@@ -1,5 +1,4 @@
 name: codeql/csharp-downgrades
 groups: csharp
-version: 0.0.6-dev
 downgrades: .
-library: true
+library: true
--- a/csharp/ql/campaigns/Solorigate/lib/CHANGELOG.md
+++ b/csharp/ql/campaigns/Solorigate/lib/CHANGELOG.md
@@ -1,3 +1,7 @@
+## 1.0.7
+
+## 1.0.6
+
 ## 1.0.5

 ## 1.0.4
--- a/csharp/ql/campaigns/Solorigate/lib/change-notes/released/1.0.6.md
+++ b/csharp/ql/campaigns/Solorigate/lib/change-notes/released/1.0.6.md
@@ -0,0 +1 @@
+## 1.0.6
--- a/csharp/ql/campaigns/Solorigate/lib/change-notes/released/1.0.7.md
+++ b/csharp/ql/campaigns/Solorigate/lib/change-notes/released/1.0.7.md
@@ -0,0 +1 @@
+## 1.0.7
--- a/csharp/ql/campaigns/Solorigate/lib/codeql-pack.release.yml
+++ b/csharp/ql/campaigns/Solorigate/lib/codeql-pack.release.yml
@@ -1,2 +1,2 @@
 ---
-lastReleaseVersion: 1.0.5
+lastReleaseVersion: 1.0.7
--- a/csharp/ql/campaigns/Solorigate/lib/qlpack.yml
+++ b/csharp/ql/campaigns/Solorigate/lib/qlpack.yml
@@ -1,8 +1,8 @@
 name: codeql/csharp-solorigate-all
-version: 1.0.6-dev
+version: 1.1.0-dev
 groups:
    - csharp
    - solorigate
 library: true
 dependencies:
-    codeql/csharp-all: ~0.0.3
+    codeql/csharp-all: "*"
--- a/csharp/ql/campaigns/Solorigate/src/CHANGELOG.md
+++ b/csharp/ql/campaigns/Solorigate/src/CHANGELOG.md
@@ -1,3 +1,7 @@
+## 1.0.7
+
+## 1.0.6
+
 ## 1.0.5

 ## 1.0.4
--- a/csharp/ql/campaigns/Solorigate/src/change-notes/released/1.0.6.md
+++ b/csharp/ql/campaigns/Solorigate/src/change-notes/released/1.0.6.md
@@ -0,0 +1 @@
+## 1.0.6
--- a/csharp/ql/campaigns/Solorigate/src/change-notes/released/1.0.7.md
+++ b/csharp/ql/campaigns/Solorigate/src/change-notes/released/1.0.7.md
@@ -0,0 +1 @@
+## 1.0.7
--- a/csharp/ql/campaigns/Solorigate/src/codeql-pack.release.yml
+++ b/csharp/ql/campaigns/Solorigate/src/codeql-pack.release.yml
@@ -1,2 +1,2 @@
 ---
-lastReleaseVersion: 1.0.5
+lastReleaseVersion: 1.0.7
--- a/csharp/ql/campaigns/Solorigate/src/qlpack.yml
+++ b/csharp/ql/campaigns/Solorigate/src/qlpack.yml
@@ -1,9 +1,9 @@
 name: codeql/csharp-solorigate-queries
-version: 1.0.6-dev
+version: 1.1.0-dev
 groups:
    - csharp
    - solorigate
 defaultSuiteFile: codeql-suites/solorigate.qls
 dependencies:
-    codeql/csharp-all: ~0.0.3
-    codeql/csharp-solorigate-all: ^1.0
+    codeql/csharp-all: "*"
+    codeql/csharp-solorigate-all: "*"
--- a/csharp/ql/lib/CHANGELOG.md
+++ b/csharp/ql/lib/CHANGELOG.md
@@ -1,3 +1,24 @@
+## 0.0.13
+
+## 0.0.12
+
+### Breaking Changes
+
+* The flow state variants of `isBarrier` and `isAdditionalFlowStep` are no longer exposed in the taint tracking library. The `isSanitizer` and `isAdditionalTaintStep` predicates should be used instead.
+
+### Deprecated APIs
+
+* Many classes/predicates/modules that had upper-case acronyms have been renamed to follow our style-guide. 
+  The old name still exists as a deprecated alias.
+
+### New Features
+
+* The data flow and taint tracking libraries have been extended with versions of `isBarrierIn`, `isBarrierOut`, and `isBarrierGuard`, respectively `isSanitizerIn`, `isSanitizerOut`, and `isSanitizerGuard`, that support flow states.
+
+### Minor Analysis Improvements
+
+* All deprecated predicates/classes/modules that have been deprecated for over a year have been deleted.
+
 ## 0.0.11

 ### Breaking Changes
--- a/csharp/ql/lib/change-notes/2022-02-07-deleted-deprecations.md
+++ b/csharp/ql/lib/change-notes/2022-02-07-deleted-deprecations.md
@@ -1,4 +0,0 @@
---
-category: minorAnalysis
---
-* All deprecated predicates/classes/modules that have been deprecated for over a year have been deleted.
--- a/csharp/ql/lib/change-notes/2022-02-07-deprecated-acronyms.md
+++ b/csharp/ql/lib/change-notes/2022-02-07-deprecated-acronyms.md
@@ -1,5 +0,0 @@
---
-category: deprecated
---
-* Many classes/predicates/modules that had upper-case acronyms have been renamed to follow our style-guide. 
-  The old name still exists as a deprecated alias.
--- a/csharp/ql/lib/change-notes/2022-03-14-flow-state-barriers.md
+++ b/csharp/ql/lib/change-notes/2022-03-14-flow-state-barriers.md
@@ -1,4 +0,0 @@
---
-category: feature
---
-* The data flow and taint tracking libraries have been extended with versions of `isBarrierIn`, `isBarrierOut`, and `isBarrierGuard`, respectively `isSanitizerIn`, `isSanitizerOut`, and `isSanitizerGuard`, that support flow states.
--- a/csharp/ql/lib/change-notes/2022-03-14-taint-interface-cleanup.md
+++ b/csharp/ql/lib/change-notes/2022-03-14-taint-interface-cleanup.md
@@ -1,4 +0,0 @@
---
-category: breaking
---
-* The flow state variants of `isBarrier` and `isAdditionalFlowStep` are no longer exposed in the taint tracking library. The `isSanitizer` and `isAdditionalTaintStep` predicates should be used instead.
--- a/csharp/ql/lib/change-notes/2022-04-08-flow-state-barriers.md
+++ b/csharp/ql/lib/change-notes/2022-04-08-flow-state-barriers.md
@@ -0,0 +1,4 @@
+---
+category: breaking
+---
+The recently added flow-state versions of `isBarrierIn`, `isBarrierOut`, `isSanitizerIn`, and `isSanitizerOut` in the data flow and taint tracking libraries have been removed.
--- a/csharp/ql/lib/change-notes/released/0.0.12.md
+++ b/csharp/ql/lib/change-notes/released/0.0.12.md
@@ -0,0 +1,18 @@
+## 0.0.12
+
+### Breaking Changes
+
+* The flow state variants of `isBarrier` and `isAdditionalFlowStep` are no longer exposed in the taint tracking library. The `isSanitizer` and `isAdditionalTaintStep` predicates should be used instead.
+
+### Deprecated APIs
+
+* Many classes/predicates/modules that had upper-case acronyms have been renamed to follow our style-guide. 
+  The old name still exists as a deprecated alias.
+
+### New Features
+
+* The data flow and taint tracking libraries have been extended with versions of `isBarrierIn`, `isBarrierOut`, and `isBarrierGuard`, respectively `isSanitizerIn`, `isSanitizerOut`, and `isSanitizerGuard`, that support flow states.
+
+### Minor Analysis Improvements
+
+* All deprecated predicates/classes/modules that have been deprecated for over a year have been deleted.
--- a/csharp/ql/lib/change-notes/released/0.0.13.md
+++ b/csharp/ql/lib/change-notes/released/0.0.13.md
@@ -0,0 +1 @@
+## 0.0.13
--- a/csharp/ql/lib/codeql-pack.release.yml
+++ b/csharp/ql/lib/codeql-pack.release.yml
@@ -1,2 +1,2 @@
 ---
-lastReleaseVersion: 0.0.11
+lastReleaseVersion: 0.0.13
--- a/csharp/ql/lib/qlpack.yml
+++ b/csharp/ql/lib/qlpack.yml
@@ -1,5 +1,5 @@
 name: codeql/csharp-all
-version: 0.0.12-dev
+version: 0.1.0-dev
 groups: csharp
 dbscheme: semmlecode.csharp.dbscheme
 extractor: csharp
--- a/csharp/ql/lib/semmle/code/csharp/dataflow/internal/AccessPathSyntax.qll
+++ b/csharp/ql/lib/semmle/code/csharp/dataflow/internal/AccessPathSyntax.qll
@@ -42,9 +42,7 @@ module AccessPath {
   * Parses a lower-bounded interval `n..` and gets the lower bound.
   */
  bindingset[arg]
-  private int parseLowerBound(string arg) {
-    result = arg.regexpCapture("(-?\\d+)\\.\\.", 1).toInt()
-  }
+  int parseLowerBound(string arg) { result = arg.regexpCapture("(-?\\d+)\\.\\.", 1).toInt() }

  /**
   * Parses an integer constant or interval (bounded or unbounded) that explicitly
--- a/csharp/ql/lib/semmle/code/csharp/dataflow/internal/DataFlowImpl.qll
+++ b/csharp/ql/lib/semmle/code/csharp/dataflow/internal/DataFlowImpl.qll
@@ -87,21 +87,9 @@ abstract class Configuration extends string {
  /** Holds if data flow into `node` is prohibited. */
  predicate isBarrierIn(Node node) { none() }

-  /**
-   * Holds if data flow into `node` is prohibited when the flow state is
-   * `state`
-   */
-  predicate isBarrierIn(Node node, FlowState state) { none() }
-
  /** Holds if data flow out of `node` is prohibited. */
  predicate isBarrierOut(Node node) { none() }

-  /**
-   * Holds if data flow out of `node` is prohibited when the flow state is
-   * `state`
-   */
-  predicate isBarrierOut(Node node, FlowState state) { none() }
-
  /** Holds if data flow through nodes guarded by `guard` is prohibited. */
  predicate isBarrierGuard(BarrierGuard guard) { none() }

@@ -321,7 +309,7 @@ private class RetNodeEx extends NodeEx {
  ReturnKindExt getKind() { result = this.asNode().(ReturnNodeExt).getKind() }
 }

-private predicate fullInBarrier(NodeEx node, Configuration config) {
+private predicate inBarrier(NodeEx node, Configuration config) {
  exists(Node n |
    node.asNode() = n and
    config.isBarrierIn(n)
@@ -330,16 +318,7 @@ private predicate fullInBarrier(NodeEx node, Configuration config) {
  )
 }

-private predicate stateInBarrier(NodeEx node, FlowState state, Configuration config) {
-  exists(Node n |
-    node.asNode() = n and
-    config.isBarrierIn(n, state)
-  |
-    config.isSource(n, state)
-  )
-}
-
-private predicate fullOutBarrier(NodeEx node, Configuration config) {
+private predicate outBarrier(NodeEx node, Configuration config) {
  exists(Node n |
    node.asNode() = n and
    config.isBarrierOut(n)
@@ -348,15 +327,6 @@ private predicate fullOutBarrier(NodeEx node, Configuration config) {
  )
 }

-private predicate stateOutBarrier(NodeEx node, FlowState state, Configuration config) {
-  exists(Node n |
-    node.asNode() = n and
-    config.isBarrierOut(n, state)
-  |
-    config.isSink(n, state)
-  )
-}
-
 pragma[nomagic]
 private predicate fullBarrier(NodeEx node, Configuration config) {
  exists(Node n | node.asNode() = n |
@@ -382,12 +352,6 @@ private predicate stateBarrier(NodeEx node, FlowState state, Configuration confi
  exists(Node n | node.asNode() = n |
    config.isBarrier(n, state)
    or
-    config.isBarrierIn(n, state) and
-    not config.isSource(n, state)
-    or
-    config.isBarrierOut(n, state) and
-    not config.isSink(n, state)
-    or
    exists(BarrierGuard g |
      config.isBarrierGuard(g, state) and
      n = g.getAGuardedNode()
@@ -420,8 +384,8 @@ private predicate sinkNode(NodeEx node, FlowState state, Configuration config) {
 /** Provides the relevant barriers for a step from `node1` to `node2`. */
 pragma[inline]
 private predicate stepFilter(NodeEx node1, NodeEx node2, Configuration config) {
-  not fullOutBarrier(node1, config) and
-  not fullInBarrier(node2, config) and
+  not outBarrier(node1, config) and
+  not inBarrier(node2, config) and
  not fullBarrier(node1, config) and
  not fullBarrier(node2, config)
 }
@@ -474,8 +438,6 @@ private predicate additionalLocalStateStep(
    config.isAdditionalFlowStep(n1, s1, n2, s2) and
    getNodeEnclosingCallable(n1) = getNodeEnclosingCallable(n2) and
    stepFilter(node1, node2, config) and
-    not stateOutBarrier(node1, s1, config) and
-    not stateInBarrier(node2, s2, config) and
    not stateBarrier(node1, s1, config) and
    not stateBarrier(node2, s2, config)
  )
@@ -517,8 +479,6 @@ private predicate additionalJumpStateStep(
    config.isAdditionalFlowStep(n1, s1, n2, s2) and
    getNodeEnclosingCallable(n1) != getNodeEnclosingCallable(n2) and
    stepFilter(node1, node2, config) and
-    not stateOutBarrier(node1, s1, config) and
-    not stateInBarrier(node2, s2, config) and
    not stateBarrier(node1, s1, config) and
    not stateBarrier(node2, s2, config) and
    not config.getAFeature() instanceof FeatureEqualSourceSinkCallContext
@@ -918,8 +878,8 @@ private module Stage1 {
  private predicate throughFlowNodeCand(NodeEx node, Configuration config) {
    revFlow(node, true, config) and
    fwdFlow(node, true, config) and
-    not fullInBarrier(node, config) and
-    not fullOutBarrier(node, config)
+    not inBarrier(node, config) and
+    not outBarrier(node, config)
  }

  /** Holds if flow may return from `callable`. */
@@ -1014,8 +974,8 @@ private predicate flowOutOfCallNodeCand1(
 ) {
  viableReturnPosOutNodeCand1(call, ret.getReturnPosition(), out, config) and
  Stage1::revFlow(ret, config) and
-  not fullOutBarrier(ret, config) and
-  not fullInBarrier(out, config)
+  not outBarrier(ret, config) and
+  not inBarrier(out, config)
 }

 pragma[nomagic]
@@ -1036,8 +996,8 @@ private predicate flowIntoCallNodeCand1(
 ) {
  viableParamArgNodeCand1(call, p, arg, config) and
  Stage1::revFlow(p, config) and
-  not fullOutBarrier(arg, config) and
-  not fullInBarrier(p, config)
+  not outBarrier(arg, config) and
+  not inBarrier(p, config)
 }

 /**
@@ -1158,8 +1118,8 @@ private module Stage2 {
    if reducedViableImplInReturn(c, call) then result = TReturn(c, call) else result = ccNone()
  }

-  bindingset[node, cc, config]
-  private LocalCc getLocalCc(NodeEx node, Cc cc, Configuration config) { any() }
+  bindingset[node, cc]
+  private LocalCc getLocalCc(NodeEx node, Cc cc) { any() }

  bindingset[node1, state1, config]
  bindingset[node2, state2, config]
@@ -1246,7 +1206,7 @@ private module Stage2 {
    or
    exists(NodeEx mid, FlowState state0, Ap ap0, LocalCc localCc |
      fwdFlow(mid, state0, cc, argAp, ap0, config) and
-      localCc = getLocalCc(mid, cc, config)
+      localCc = getLocalCc(mid, cc)
    |
      localStep(mid, state0, node, state, true, _, config, localCc) and
      ap = ap0
@@ -1951,8 +1911,8 @@ private module Stage3 {
  bindingset[call, c, innercc]
  private CcNoCall getCallContextReturn(DataFlowCallable c, DataFlowCall call, Cc innercc) { any() }

-  bindingset[node, cc, config]
-  private LocalCc getLocalCc(NodeEx node, Cc cc, Configuration config) { any() }
+  bindingset[node, cc]
+  private LocalCc getLocalCc(NodeEx node, Cc cc) { any() }

  private predicate localStep(
    NodeEx node1, FlowState state1, NodeEx node2, FlowState state2, boolean preservesValue,
@@ -2035,7 +1995,7 @@ private module Stage3 {
    or
    exists(NodeEx mid, FlowState state0, Ap ap0, LocalCc localCc |
      fwdFlow(mid, state0, cc, argAp, ap0, config) and
-      localCc = getLocalCc(mid, cc, config)
+      localCc = getLocalCc(mid, cc)
    |
      localStep(mid, state0, node, state, true, _, config, localCc) and
      ap = ap0
@@ -2765,12 +2725,11 @@ private module Stage4 {
    if reducedViableImplInReturn(c, call) then result = TReturn(c, call) else result = ccNone()
  }

-  bindingset[node, cc, config]
-  private LocalCc getLocalCc(NodeEx node, Cc cc, Configuration config) {
+  bindingset[node, cc]
+  private LocalCc getLocalCc(NodeEx node, Cc cc) {
    result =
      getLocalCallContext(pragma[only_bind_into](pragma[only_bind_out](cc)),
-        node.getEnclosingCallable()) and
-    exists(config)
+        node.getEnclosingCallable())
  }

  private predicate localStep(
@@ -2863,7 +2822,7 @@ private module Stage4 {
    or
    exists(NodeEx mid, FlowState state0, Ap ap0, LocalCc localCc |
      fwdFlow(mid, state0, cc, argAp, ap0, config) and
-      localCc = getLocalCc(mid, cc, config)
+      localCc = getLocalCc(mid, cc)
    |
      localStep(mid, state0, node, state, true, _, config, localCc) and
      ap = ap0
@@ -5048,6 +5007,7 @@ private module FlowExploration {
    )
  }

+  pragma[nomagic]
  private predicate revPartialPathStep(
    PartialPathNodeRev mid, NodeEx node, FlowState state, TRevSummaryCtx1 sc1, TRevSummaryCtx2 sc2,
    TRevSummaryCtx3 sc3, RevPartialAccessPath ap, Configuration config
--- a/csharp/ql/lib/semmle/code/csharp/dataflow/internal/DataFlowImpl2.qll
+++ b/csharp/ql/lib/semmle/code/csharp/dataflow/internal/DataFlowImpl2.qll
@@ -87,21 +87,9 @@ abstract class Configuration extends string {
  /** Holds if data flow into `node` is prohibited. */
  predicate isBarrierIn(Node node) { none() }

-  /**
-   * Holds if data flow into `node` is prohibited when the flow state is
-   * `state`
-   */
-  predicate isBarrierIn(Node node, FlowState state) { none() }
-
  /** Holds if data flow out of `node` is prohibited. */
  predicate isBarrierOut(Node node) { none() }

-  /**
-   * Holds if data flow out of `node` is prohibited when the flow state is
-   * `state`
-   */
-  predicate isBarrierOut(Node node, FlowState state) { none() }
-
  /** Holds if data flow through nodes guarded by `guard` is prohibited. */
  predicate isBarrierGuard(BarrierGuard guard) { none() }

@@ -321,7 +309,7 @@ private class RetNodeEx extends NodeEx {
  ReturnKindExt getKind() { result = this.asNode().(ReturnNodeExt).getKind() }
 }

-private predicate fullInBarrier(NodeEx node, Configuration config) {
+private predicate inBarrier(NodeEx node, Configuration config) {
  exists(Node n |
    node.asNode() = n and
    config.isBarrierIn(n)
@@ -330,16 +318,7 @@ private predicate fullInBarrier(NodeEx node, Configuration config) {
  )
 }

-private predicate stateInBarrier(NodeEx node, FlowState state, Configuration config) {
-  exists(Node n |
-    node.asNode() = n and
-    config.isBarrierIn(n, state)
-  |
-    config.isSource(n, state)
-  )
-}
-
-private predicate fullOutBarrier(NodeEx node, Configuration config) {
+private predicate outBarrier(NodeEx node, Configuration config) {
  exists(Node n |
    node.asNode() = n and
    config.isBarrierOut(n)
@@ -348,15 +327,6 @@ private predicate fullOutBarrier(NodeEx node, Configuration config) {
  )
 }

-private predicate stateOutBarrier(NodeEx node, FlowState state, Configuration config) {
-  exists(Node n |
-    node.asNode() = n and
-    config.isBarrierOut(n, state)
-  |
-    config.isSink(n, state)
-  )
-}
-
 pragma[nomagic]
 private predicate fullBarrier(NodeEx node, Configuration config) {
  exists(Node n | node.asNode() = n |
@@ -382,12 +352,6 @@ private predicate stateBarrier(NodeEx node, FlowState state, Configuration confi
  exists(Node n | node.asNode() = n |
    config.isBarrier(n, state)
    or
-    config.isBarrierIn(n, state) and
-    not config.isSource(n, state)
-    or
-    config.isBarrierOut(n, state) and
-    not config.isSink(n, state)
-    or
    exists(BarrierGuard g |
      config.isBarrierGuard(g, state) and
      n = g.getAGuardedNode()
@@ -420,8 +384,8 @@ private predicate sinkNode(NodeEx node, FlowState state, Configuration config) {
 /** Provides the relevant barriers for a step from `node1` to `node2`. */
 pragma[inline]
 private predicate stepFilter(NodeEx node1, NodeEx node2, Configuration config) {
-  not fullOutBarrier(node1, config) and
-  not fullInBarrier(node2, config) and
+  not outBarrier(node1, config) and
+  not inBarrier(node2, config) and
  not fullBarrier(node1, config) and
  not fullBarrier(node2, config)
 }
@@ -474,8 +438,6 @@ private predicate additionalLocalStateStep(
    config.isAdditionalFlowStep(n1, s1, n2, s2) and
    getNodeEnclosingCallable(n1) = getNodeEnclosingCallable(n2) and
    stepFilter(node1, node2, config) and
-    not stateOutBarrier(node1, s1, config) and
-    not stateInBarrier(node2, s2, config) and
    not stateBarrier(node1, s1, config) and
    not stateBarrier(node2, s2, config)
  )
@@ -517,8 +479,6 @@ private predicate additionalJumpStateStep(
    config.isAdditionalFlowStep(n1, s1, n2, s2) and
    getNodeEnclosingCallable(n1) != getNodeEnclosingCallable(n2) and
    stepFilter(node1, node2, config) and
-    not stateOutBarrier(node1, s1, config) and
-    not stateInBarrier(node2, s2, config) and
    not stateBarrier(node1, s1, config) and
    not stateBarrier(node2, s2, config) and
    not config.getAFeature() instanceof FeatureEqualSourceSinkCallContext
@@ -918,8 +878,8 @@ private module Stage1 {
  private predicate throughFlowNodeCand(NodeEx node, Configuration config) {
    revFlow(node, true, config) and
    fwdFlow(node, true, config) and
-    not fullInBarrier(node, config) and
-    not fullOutBarrier(node, config)
+    not inBarrier(node, config) and
+    not outBarrier(node, config)
  }

  /** Holds if flow may return from `callable`. */
@@ -1014,8 +974,8 @@ private predicate flowOutOfCallNodeCand1(
 ) {
  viableReturnPosOutNodeCand1(call, ret.getReturnPosition(), out, config) and
  Stage1::revFlow(ret, config) and
-  not fullOutBarrier(ret, config) and
-  not fullInBarrier(out, config)
+  not outBarrier(ret, config) and
+  not inBarrier(out, config)
 }

 pragma[nomagic]
@@ -1036,8 +996,8 @@ private predicate flowIntoCallNodeCand1(
 ) {
  viableParamArgNodeCand1(call, p, arg, config) and
  Stage1::revFlow(p, config) and
-  not fullOutBarrier(arg, config) and
-  not fullInBarrier(p, config)
+  not outBarrier(arg, config) and
+  not inBarrier(p, config)
 }

 /**
@@ -1158,8 +1118,8 @@ private module Stage2 {
    if reducedViableImplInReturn(c, call) then result = TReturn(c, call) else result = ccNone()
  }

-  bindingset[node, cc, config]
-  private LocalCc getLocalCc(NodeEx node, Cc cc, Configuration config) { any() }
+  bindingset[node, cc]
+  private LocalCc getLocalCc(NodeEx node, Cc cc) { any() }

  bindingset[node1, state1, config]
  bindingset[node2, state2, config]
@@ -1246,7 +1206,7 @@ private module Stage2 {
    or
    exists(NodeEx mid, FlowState state0, Ap ap0, LocalCc localCc |
      fwdFlow(mid, state0, cc, argAp, ap0, config) and
-      localCc = getLocalCc(mid, cc, config)
+      localCc = getLocalCc(mid, cc)
    |
      localStep(mid, state0, node, state, true, _, config, localCc) and
      ap = ap0
@@ -1951,8 +1911,8 @@ private module Stage3 {
  bindingset[call, c, innercc]
  private CcNoCall getCallContextReturn(DataFlowCallable c, DataFlowCall call, Cc innercc) { any() }

-  bindingset[node, cc, config]
-  private LocalCc getLocalCc(NodeEx node, Cc cc, Configuration config) { any() }
+  bindingset[node, cc]
+  private LocalCc getLocalCc(NodeEx node, Cc cc) { any() }

  private predicate localStep(
    NodeEx node1, FlowState state1, NodeEx node2, FlowState state2, boolean preservesValue,
@@ -2035,7 +1995,7 @@ private module Stage3 {
    or
    exists(NodeEx mid, FlowState state0, Ap ap0, LocalCc localCc |
      fwdFlow(mid, state0, cc, argAp, ap0, config) and
-      localCc = getLocalCc(mid, cc, config)
+      localCc = getLocalCc(mid, cc)
    |
      localStep(mid, state0, node, state, true, _, config, localCc) and
      ap = ap0
@@ -2765,12 +2725,11 @@ private module Stage4 {
    if reducedViableImplInReturn(c, call) then result = TReturn(c, call) else result = ccNone()
  }

-  bindingset[node, cc, config]
-  private LocalCc getLocalCc(NodeEx node, Cc cc, Configuration config) {
+  bindingset[node, cc]
+  private LocalCc getLocalCc(NodeEx node, Cc cc) {
    result =
      getLocalCallContext(pragma[only_bind_into](pragma[only_bind_out](cc)),
-        node.getEnclosingCallable()) and
-    exists(config)
+        node.getEnclosingCallable())
  }

  private predicate localStep(
@@ -2863,7 +2822,7 @@ private module Stage4 {
    or
    exists(NodeEx mid, FlowState state0, Ap ap0, LocalCc localCc |
      fwdFlow(mid, state0, cc, argAp, ap0, config) and
-      localCc = getLocalCc(mid, cc, config)
+      localCc = getLocalCc(mid, cc)
    |
      localStep(mid, state0, node, state, true, _, config, localCc) and
      ap = ap0
@@ -5048,6 +5007,7 @@ private module FlowExploration {
    )
  }

+  pragma[nomagic]
  private predicate revPartialPathStep(
    PartialPathNodeRev mid, NodeEx node, FlowState state, TRevSummaryCtx1 sc1, TRevSummaryCtx2 sc2,
    TRevSummaryCtx3 sc3, RevPartialAccessPath ap, Configuration config
--- a/csharp/ql/lib/semmle/code/csharp/dataflow/internal/DataFlowImpl3.qll
+++ b/csharp/ql/lib/semmle/code/csharp/dataflow/internal/DataFlowImpl3.qll
@@ -87,21 +87,9 @@ abstract class Configuration extends string {
  /** Holds if data flow into `node` is prohibited. */
  predicate isBarrierIn(Node node) { none() }

-  /**
-   * Holds if data flow into `node` is prohibited when the flow state is
-   * `state`
-   */
-  predicate isBarrierIn(Node node, FlowState state) { none() }
-
  /** Holds if data flow out of `node` is prohibited. */
  predicate isBarrierOut(Node node) { none() }

-  /**
-   * Holds if data flow out of `node` is prohibited when the flow state is
-   * `state`
-   */
-  predicate isBarrierOut(Node node, FlowState state) { none() }
-
  /** Holds if data flow through nodes guarded by `guard` is prohibited. */
  predicate isBarrierGuard(BarrierGuard guard) { none() }

@@ -321,7 +309,7 @@ private class RetNodeEx extends NodeEx {
  ReturnKindExt getKind() { result = this.asNode().(ReturnNodeExt).getKind() }
 }

-private predicate fullInBarrier(NodeEx node, Configuration config) {
+private predicate inBarrier(NodeEx node, Configuration config) {
  exists(Node n |
    node.asNode() = n and
    config.isBarrierIn(n)
@@ -330,16 +318,7 @@ private predicate fullInBarrier(NodeEx node, Configuration config) {
  )
 }

-private predicate stateInBarrier(NodeEx node, FlowState state, Configuration config) {
-  exists(Node n |
-    node.asNode() = n and
-    config.isBarrierIn(n, state)
-  |
-    config.isSource(n, state)
-  )
-}
-
-private predicate fullOutBarrier(NodeEx node, Configuration config) {
+private predicate outBarrier(NodeEx node, Configuration config) {
  exists(Node n |
    node.asNode() = n and
    config.isBarrierOut(n)
@@ -348,15 +327,6 @@ private predicate fullOutBarrier(NodeEx node, Configuration config) {
  )
 }

-private predicate stateOutBarrier(NodeEx node, FlowState state, Configuration config) {
-  exists(Node n |
-    node.asNode() = n and
-    config.isBarrierOut(n, state)
-  |
-    config.isSink(n, state)
-  )
-}
-
 pragma[nomagic]
 private predicate fullBarrier(NodeEx node, Configuration config) {
  exists(Node n | node.asNode() = n |
@@ -382,12 +352,6 @@ private predicate stateBarrier(NodeEx node, FlowState state, Configuration confi
  exists(Node n | node.asNode() = n |
    config.isBarrier(n, state)
    or
-    config.isBarrierIn(n, state) and
-    not config.isSource(n, state)
-    or
-    config.isBarrierOut(n, state) and
-    not config.isSink(n, state)
-    or
    exists(BarrierGuard g |
      config.isBarrierGuard(g, state) and
      n = g.getAGuardedNode()
@@ -420,8 +384,8 @@ private predicate sinkNode(NodeEx node, FlowState state, Configuration config) {
 /** Provides the relevant barriers for a step from `node1` to `node2`. */
 pragma[inline]
 private predicate stepFilter(NodeEx node1, NodeEx node2, Configuration config) {
-  not fullOutBarrier(node1, config) and
-  not fullInBarrier(node2, config) and
+  not outBarrier(node1, config) and
+  not inBarrier(node2, config) and
  not fullBarrier(node1, config) and
  not fullBarrier(node2, config)
 }
@@ -474,8 +438,6 @@ private predicate additionalLocalStateStep(
    config.isAdditionalFlowStep(n1, s1, n2, s2) and
    getNodeEnclosingCallable(n1) = getNodeEnclosingCallable(n2) and
    stepFilter(node1, node2, config) and
-    not stateOutBarrier(node1, s1, config) and
-    not stateInBarrier(node2, s2, config) and
    not stateBarrier(node1, s1, config) and
    not stateBarrier(node2, s2, config)
  )
@@ -517,8 +479,6 @@ private predicate additionalJumpStateStep(
    config.isAdditionalFlowStep(n1, s1, n2, s2) and
    getNodeEnclosingCallable(n1) != getNodeEnclosingCallable(n2) and
    stepFilter(node1, node2, config) and
-    not stateOutBarrier(node1, s1, config) and
-    not stateInBarrier(node2, s2, config) and
    not stateBarrier(node1, s1, config) and
    not stateBarrier(node2, s2, config) and
    not config.getAFeature() instanceof FeatureEqualSourceSinkCallContext
@@ -918,8 +878,8 @@ private module Stage1 {
  private predicate throughFlowNodeCand(NodeEx node, Configuration config) {
    revFlow(node, true, config) and
    fwdFlow(node, true, config) and
-    not fullInBarrier(node, config) and
-    not fullOutBarrier(node, config)
+    not inBarrier(node, config) and
+    not outBarrier(node, config)
  }

  /** Holds if flow may return from `callable`. */
@@ -1014,8 +974,8 @@ private predicate flowOutOfCallNodeCand1(
 ) {
  viableReturnPosOutNodeCand1(call, ret.getReturnPosition(), out, config) and
  Stage1::revFlow(ret, config) and
-  not fullOutBarrier(ret, config) and
-  not fullInBarrier(out, config)
+  not outBarrier(ret, config) and
+  not inBarrier(out, config)
 }

 pragma[nomagic]
@@ -1036,8 +996,8 @@ private predicate flowIntoCallNodeCand1(
 ) {
  viableParamArgNodeCand1(call, p, arg, config) and
  Stage1::revFlow(p, config) and
-  not fullOutBarrier(arg, config) and
-  not fullInBarrier(p, config)
+  not outBarrier(arg, config) and
+  not inBarrier(p, config)
 }

 /**
@@ -1158,8 +1118,8 @@ private module Stage2 {
    if reducedViableImplInReturn(c, call) then result = TReturn(c, call) else result = ccNone()
  }

-  bindingset[node, cc, config]
-  private LocalCc getLocalCc(NodeEx node, Cc cc, Configuration config) { any() }
+  bindingset[node, cc]
+  private LocalCc getLocalCc(NodeEx node, Cc cc) { any() }

  bindingset[node1, state1, config]
  bindingset[node2, state2, config]
@@ -1246,7 +1206,7 @@ private module Stage2 {
    or
    exists(NodeEx mid, FlowState state0, Ap ap0, LocalCc localCc |
      fwdFlow(mid, state0, cc, argAp, ap0, config) and
-      localCc = getLocalCc(mid, cc, config)
+      localCc = getLocalCc(mid, cc)
    |
      localStep(mid, state0, node, state, true, _, config, localCc) and
      ap = ap0
@@ -1951,8 +1911,8 @@ private module Stage3 {
  bindingset[call, c, innercc]
  private CcNoCall getCallContextReturn(DataFlowCallable c, DataFlowCall call, Cc innercc) { any() }

-  bindingset[node, cc, config]
-  private LocalCc getLocalCc(NodeEx node, Cc cc, Configuration config) { any() }
+  bindingset[node, cc]
+  private LocalCc getLocalCc(NodeEx node, Cc cc) { any() }

  private predicate localStep(
    NodeEx node1, FlowState state1, NodeEx node2, FlowState state2, boolean preservesValue,
@@ -2035,7 +1995,7 @@ private module Stage3 {
    or
    exists(NodeEx mid, FlowState state0, Ap ap0, LocalCc localCc |
      fwdFlow(mid, state0, cc, argAp, ap0, config) and
-      localCc = getLocalCc(mid, cc, config)
+      localCc = getLocalCc(mid, cc)
    |
      localStep(mid, state0, node, state, true, _, config, localCc) and
      ap = ap0
@@ -2765,12 +2725,11 @@ private module Stage4 {
    if reducedViableImplInReturn(c, call) then result = TReturn(c, call) else result = ccNone()
  }

-  bindingset[node, cc, config]
-  private LocalCc getLocalCc(NodeEx node, Cc cc, Configuration config) {
+  bindingset[node, cc]
+  private LocalCc getLocalCc(NodeEx node, Cc cc) {
    result =
      getLocalCallContext(pragma[only_bind_into](pragma[only_bind_out](cc)),
-        node.getEnclosingCallable()) and
-    exists(config)
+        node.getEnclosingCallable())
  }

  private predicate localStep(
@@ -2863,7 +2822,7 @@ private module Stage4 {
    or
    exists(NodeEx mid, FlowState state0, Ap ap0, LocalCc localCc |
      fwdFlow(mid, state0, cc, argAp, ap0, config) and
-      localCc = getLocalCc(mid, cc, config)
+      localCc = getLocalCc(mid, cc)
    |
      localStep(mid, state0, node, state, true, _, config, localCc) and
      ap = ap0
@@ -5048,6 +5007,7 @@ private module FlowExploration {
    )
  }

+  pragma[nomagic]
  private predicate revPartialPathStep(
    PartialPathNodeRev mid, NodeEx node, FlowState state, TRevSummaryCtx1 sc1, TRevSummaryCtx2 sc2,
    TRevSummaryCtx3 sc3, RevPartialAccessPath ap, Configuration config
--- a/csharp/ql/lib/semmle/code/csharp/dataflow/internal/DataFlowImpl4.qll
+++ b/csharp/ql/lib/semmle/code/csharp/dataflow/internal/DataFlowImpl4.qll
@@ -87,21 +87,9 @@ abstract class Configuration extends string {
  /** Holds if data flow into `node` is prohibited. */
  predicate isBarrierIn(Node node) { none() }

-  /**
-   * Holds if data flow into `node` is prohibited when the flow state is
-   * `state`
-   */
-  predicate isBarrierIn(Node node, FlowState state) { none() }
-
  /** Holds if data flow out of `node` is prohibited. */
  predicate isBarrierOut(Node node) { none() }

-  /**
-   * Holds if data flow out of `node` is prohibited when the flow state is
-   * `state`
-   */
-  predicate isBarrierOut(Node node, FlowState state) { none() }
-
  /** Holds if data flow through nodes guarded by `guard` is prohibited. */
  predicate isBarrierGuard(BarrierGuard guard) { none() }

@@ -321,7 +309,7 @@ private class RetNodeEx extends NodeEx {
  ReturnKindExt getKind() { result = this.asNode().(ReturnNodeExt).getKind() }
 }

-private predicate fullInBarrier(NodeEx node, Configuration config) {
+private predicate inBarrier(NodeEx node, Configuration config) {
  exists(Node n |
    node.asNode() = n and
    config.isBarrierIn(n)
@@ -330,16 +318,7 @@ private predicate fullInBarrier(NodeEx node, Configuration config) {
  )
 }

-private predicate stateInBarrier(NodeEx node, FlowState state, Configuration config) {
-  exists(Node n |
-    node.asNode() = n and
-    config.isBarrierIn(n, state)
-  |
-    config.isSource(n, state)
-  )
-}
-
-private predicate fullOutBarrier(NodeEx node, Configuration config) {
+private predicate outBarrier(NodeEx node, Configuration config) {
  exists(Node n |
    node.asNode() = n and
    config.isBarrierOut(n)
@@ -348,15 +327,6 @@ private predicate fullOutBarrier(NodeEx node, Configuration config) {
  )
 }

-private predicate stateOutBarrier(NodeEx node, FlowState state, Configuration config) {
-  exists(Node n |
-    node.asNode() = n and
-    config.isBarrierOut(n, state)
-  |
-    config.isSink(n, state)
-  )
-}
-
 pragma[nomagic]
 private predicate fullBarrier(NodeEx node, Configuration config) {
  exists(Node n | node.asNode() = n |
@@ -382,12 +352,6 @@ private predicate stateBarrier(NodeEx node, FlowState state, Configuration confi
  exists(Node n | node.asNode() = n |
    config.isBarrier(n, state)
    or
-    config.isBarrierIn(n, state) and
-    not config.isSource(n, state)
-    or
-    config.isBarrierOut(n, state) and
-    not config.isSink(n, state)
-    or
    exists(BarrierGuard g |
      config.isBarrierGuard(g, state) and
      n = g.getAGuardedNode()
@@ -420,8 +384,8 @@ private predicate sinkNode(NodeEx node, FlowState state, Configuration config) {
 /** Provides the relevant barriers for a step from `node1` to `node2`. */
 pragma[inline]
 private predicate stepFilter(NodeEx node1, NodeEx node2, Configuration config) {
-  not fullOutBarrier(node1, config) and
-  not fullInBarrier(node2, config) and
+  not outBarrier(node1, config) and
+  not inBarrier(node2, config) and
  not fullBarrier(node1, config) and
  not fullBarrier(node2, config)
 }
@@ -474,8 +438,6 @@ private predicate additionalLocalStateStep(
    config.isAdditionalFlowStep(n1, s1, n2, s2) and
    getNodeEnclosingCallable(n1) = getNodeEnclosingCallable(n2) and
    stepFilter(node1, node2, config) and
-    not stateOutBarrier(node1, s1, config) and
-    not stateInBarrier(node2, s2, config) and
    not stateBarrier(node1, s1, config) and
    not stateBarrier(node2, s2, config)
  )
@@ -517,8 +479,6 @@ private predicate additionalJumpStateStep(
    config.isAdditionalFlowStep(n1, s1, n2, s2) and
    getNodeEnclosingCallable(n1) != getNodeEnclosingCallable(n2) and
    stepFilter(node1, node2, config) and
-    not stateOutBarrier(node1, s1, config) and
-    not stateInBarrier(node2, s2, config) and
    not stateBarrier(node1, s1, config) and
    not stateBarrier(node2, s2, config) and
    not config.getAFeature() instanceof FeatureEqualSourceSinkCallContext
@@ -918,8 +878,8 @@ private module Stage1 {
  private predicate throughFlowNodeCand(NodeEx node, Configuration config) {
    revFlow(node, true, config) and
    fwdFlow(node, true, config) and
-    not fullInBarrier(node, config) and
-    not fullOutBarrier(node, config)
+    not inBarrier(node, config) and
+    not outBarrier(node, config)
  }

  /** Holds if flow may return from `callable`. */
@@ -1014,8 +974,8 @@ private predicate flowOutOfCallNodeCand1(
 ) {
  viableReturnPosOutNodeCand1(call, ret.getReturnPosition(), out, config) and
  Stage1::revFlow(ret, config) and
-  not fullOutBarrier(ret, config) and
-  not fullInBarrier(out, config)
+  not outBarrier(ret, config) and
+  not inBarrier(out, config)
 }

 pragma[nomagic]
@@ -1036,8 +996,8 @@ private predicate flowIntoCallNodeCand1(
 ) {
  viableParamArgNodeCand1(call, p, arg, config) and
  Stage1::revFlow(p, config) and
-  not fullOutBarrier(arg, config) and
-  not fullInBarrier(p, config)
+  not outBarrier(arg, config) and
+  not inBarrier(p, config)
 }

 /**
@@ -1158,8 +1118,8 @@ private module Stage2 {
    if reducedViableImplInReturn(c, call) then result = TReturn(c, call) else result = ccNone()
  }

-  bindingset[node, cc, config]
-  private LocalCc getLocalCc(NodeEx node, Cc cc, Configuration config) { any() }
+  bindingset[node, cc]
+  private LocalCc getLocalCc(NodeEx node, Cc cc) { any() }

  bindingset[node1, state1, config]
  bindingset[node2, state2, config]
@@ -1246,7 +1206,7 @@ private module Stage2 {
    or
    exists(NodeEx mid, FlowState state0, Ap ap0, LocalCc localCc |
      fwdFlow(mid, state0, cc, argAp, ap0, config) and
-      localCc = getLocalCc(mid, cc, config)
+      localCc = getLocalCc(mid, cc)
    |
      localStep(mid, state0, node, state, true, _, config, localCc) and
      ap = ap0
@@ -1951,8 +1911,8 @@ private module Stage3 {
  bindingset[call, c, innercc]
  private CcNoCall getCallContextReturn(DataFlowCallable c, DataFlowCall call, Cc innercc) { any() }

-  bindingset[node, cc, config]
-  private LocalCc getLocalCc(NodeEx node, Cc cc, Configuration config) { any() }
+  bindingset[node, cc]
+  private LocalCc getLocalCc(NodeEx node, Cc cc) { any() }

  private predicate localStep(
    NodeEx node1, FlowState state1, NodeEx node2, FlowState state2, boolean preservesValue,
@@ -2035,7 +1995,7 @@ private module Stage3 {
    or
    exists(NodeEx mid, FlowState state0, Ap ap0, LocalCc localCc |
      fwdFlow(mid, state0, cc, argAp, ap0, config) and
-      localCc = getLocalCc(mid, cc, config)
+      localCc = getLocalCc(mid, cc)
    |
      localStep(mid, state0, node, state, true, _, config, localCc) and
      ap = ap0
@@ -2765,12 +2725,11 @@ private module Stage4 {
    if reducedViableImplInReturn(c, call) then result = TReturn(c, call) else result = ccNone()
  }

-  bindingset[node, cc, config]
-  private LocalCc getLocalCc(NodeEx node, Cc cc, Configuration config) {
+  bindingset[node, cc]
+  private LocalCc getLocalCc(NodeEx node, Cc cc) {
    result =
      getLocalCallContext(pragma[only_bind_into](pragma[only_bind_out](cc)),
-        node.getEnclosingCallable()) and
-    exists(config)
+        node.getEnclosingCallable())
  }

  private predicate localStep(
@@ -2863,7 +2822,7 @@ private module Stage4 {
    or
    exists(NodeEx mid, FlowState state0, Ap ap0, LocalCc localCc |
      fwdFlow(mid, state0, cc, argAp, ap0, config) and
-      localCc = getLocalCc(mid, cc, config)
+      localCc = getLocalCc(mid, cc)
    |
      localStep(mid, state0, node, state, true, _, config, localCc) and
      ap = ap0
@@ -5048,6 +5007,7 @@ private module FlowExploration {
    )
  }

+  pragma[nomagic]
  private predicate revPartialPathStep(
    PartialPathNodeRev mid, NodeEx node, FlowState state, TRevSummaryCtx1 sc1, TRevSummaryCtx2 sc2,
    TRevSummaryCtx3 sc3, RevPartialAccessPath ap, Configuration config
--- a/csharp/ql/lib/semmle/code/csharp/dataflow/internal/DataFlowImpl5.qll
+++ b/csharp/ql/lib/semmle/code/csharp/dataflow/internal/DataFlowImpl5.qll
@@ -87,21 +87,9 @@ abstract class Configuration extends string {
  /** Holds if data flow into `node` is prohibited. */
  predicate isBarrierIn(Node node) { none() }

-  /**
-   * Holds if data flow into `node` is prohibited when the flow state is
-   * `state`
-   */
-  predicate isBarrierIn(Node node, FlowState state) { none() }
-
  /** Holds if data flow out of `node` is prohibited. */
  predicate isBarrierOut(Node node) { none() }

-  /**
-   * Holds if data flow out of `node` is prohibited when the flow state is
-   * `state`
-   */
-  predicate isBarrierOut(Node node, FlowState state) { none() }
-
  /** Holds if data flow through nodes guarded by `guard` is prohibited. */
  predicate isBarrierGuard(BarrierGuard guard) { none() }

@@ -321,7 +309,7 @@ private class RetNodeEx extends NodeEx {
  ReturnKindExt getKind() { result = this.asNode().(ReturnNodeExt).getKind() }
 }

-private predicate fullInBarrier(NodeEx node, Configuration config) {
+private predicate inBarrier(NodeEx node, Configuration config) {
  exists(Node n |
    node.asNode() = n and
    config.isBarrierIn(n)
@@ -330,16 +318,7 @@ private predicate fullInBarrier(NodeEx node, Configuration config) {
  )
 }

-private predicate stateInBarrier(NodeEx node, FlowState state, Configuration config) {
-  exists(Node n |
-    node.asNode() = n and
-    config.isBarrierIn(n, state)
-  |
-    config.isSource(n, state)
-  )
-}
-
-private predicate fullOutBarrier(NodeEx node, Configuration config) {
+private predicate outBarrier(NodeEx node, Configuration config) {
  exists(Node n |
    node.asNode() = n and
    config.isBarrierOut(n)
@@ -348,15 +327,6 @@ private predicate fullOutBarrier(NodeEx node, Configuration config) {
  )
 }

-private predicate stateOutBarrier(NodeEx node, FlowState state, Configuration config) {
-  exists(Node n |
-    node.asNode() = n and
-    config.isBarrierOut(n, state)
-  |
-    config.isSink(n, state)
-  )
-}
-
 pragma[nomagic]
 private predicate fullBarrier(NodeEx node, Configuration config) {
  exists(Node n | node.asNode() = n |
@@ -382,12 +352,6 @@ private predicate stateBarrier(NodeEx node, FlowState state, Configuration confi
  exists(Node n | node.asNode() = n |
    config.isBarrier(n, state)
    or
-    config.isBarrierIn(n, state) and
-    not config.isSource(n, state)
-    or
-    config.isBarrierOut(n, state) and
-    not config.isSink(n, state)
-    or
    exists(BarrierGuard g |
      config.isBarrierGuard(g, state) and
      n = g.getAGuardedNode()
@@ -420,8 +384,8 @@ private predicate sinkNode(NodeEx node, FlowState state, Configuration config) {
 /** Provides the relevant barriers for a step from `node1` to `node2`. */
 pragma[inline]
 private predicate stepFilter(NodeEx node1, NodeEx node2, Configuration config) {
-  not fullOutBarrier(node1, config) and
-  not fullInBarrier(node2, config) and
+  not outBarrier(node1, config) and
+  not inBarrier(node2, config) and
  not fullBarrier(node1, config) and
  not fullBarrier(node2, config)
 }
@@ -474,8 +438,6 @@ private predicate additionalLocalStateStep(
    config.isAdditionalFlowStep(n1, s1, n2, s2) and
    getNodeEnclosingCallable(n1) = getNodeEnclosingCallable(n2) and
    stepFilter(node1, node2, config) and
-    not stateOutBarrier(node1, s1, config) and
-    not stateInBarrier(node2, s2, config) and
    not stateBarrier(node1, s1, config) and
    not stateBarrier(node2, s2, config)
  )
@@ -517,8 +479,6 @@ private predicate additionalJumpStateStep(
    config.isAdditionalFlowStep(n1, s1, n2, s2) and
    getNodeEnclosingCallable(n1) != getNodeEnclosingCallable(n2) and
    stepFilter(node1, node2, config) and
-    not stateOutBarrier(node1, s1, config) and
-    not stateInBarrier(node2, s2, config) and
    not stateBarrier(node1, s1, config) and
    not stateBarrier(node2, s2, config) and
    not config.getAFeature() instanceof FeatureEqualSourceSinkCallContext
@@ -918,8 +878,8 @@ private module Stage1 {
  private predicate throughFlowNodeCand(NodeEx node, Configuration config) {
    revFlow(node, true, config) and
    fwdFlow(node, true, config) and
-    not fullInBarrier(node, config) and
-    not fullOutBarrier(node, config)
+    not inBarrier(node, config) and
+    not outBarrier(node, config)
  }

  /** Holds if flow may return from `callable`. */
@@ -1014,8 +974,8 @@ private predicate flowOutOfCallNodeCand1(
 ) {
  viableReturnPosOutNodeCand1(call, ret.getReturnPosition(), out, config) and
  Stage1::revFlow(ret, config) and
-  not fullOutBarrier(ret, config) and
-  not fullInBarrier(out, config)
+  not outBarrier(ret, config) and
+  not inBarrier(out, config)
 }

 pragma[nomagic]
@@ -1036,8 +996,8 @@ private predicate flowIntoCallNodeCand1(
 ) {
  viableParamArgNodeCand1(call, p, arg, config) and
  Stage1::revFlow(p, config) and
-  not fullOutBarrier(arg, config) and
-  not fullInBarrier(p, config)
+  not outBarrier(arg, config) and
+  not inBarrier(p, config)
 }

 /**
@@ -1158,8 +1118,8 @@ private module Stage2 {
    if reducedViableImplInReturn(c, call) then result = TReturn(c, call) else result = ccNone()
  }

-  bindingset[node, cc, config]
-  private LocalCc getLocalCc(NodeEx node, Cc cc, Configuration config) { any() }
+  bindingset[node, cc]
+  private LocalCc getLocalCc(NodeEx node, Cc cc) { any() }

  bindingset[node1, state1, config]
  bindingset[node2, state2, config]
@@ -1246,7 +1206,7 @@ private module Stage2 {
    or
    exists(NodeEx mid, FlowState state0, Ap ap0, LocalCc localCc |
      fwdFlow(mid, state0, cc, argAp, ap0, config) and
-      localCc = getLocalCc(mid, cc, config)
+      localCc = getLocalCc(mid, cc)
    |
      localStep(mid, state0, node, state, true, _, config, localCc) and
      ap = ap0
@@ -1951,8 +1911,8 @@ private module Stage3 {
  bindingset[call, c, innercc]
  private CcNoCall getCallContextReturn(DataFlowCallable c, DataFlowCall call, Cc innercc) { any() }

-  bindingset[node, cc, config]
-  private LocalCc getLocalCc(NodeEx node, Cc cc, Configuration config) { any() }
+  bindingset[node, cc]
+  private LocalCc getLocalCc(NodeEx node, Cc cc) { any() }

  private predicate localStep(
    NodeEx node1, FlowState state1, NodeEx node2, FlowState state2, boolean preservesValue,
@@ -2035,7 +1995,7 @@ private module Stage3 {
    or
    exists(NodeEx mid, FlowState state0, Ap ap0, LocalCc localCc |
      fwdFlow(mid, state0, cc, argAp, ap0, config) and
-      localCc = getLocalCc(mid, cc, config)
+      localCc = getLocalCc(mid, cc)
    |
      localStep(mid, state0, node, state, true, _, config, localCc) and
      ap = ap0
@@ -2765,12 +2725,11 @@ private module Stage4 {
    if reducedViableImplInReturn(c, call) then result = TReturn(c, call) else result = ccNone()
  }

-  bindingset[node, cc, config]
-  private LocalCc getLocalCc(NodeEx node, Cc cc, Configuration config) {
+  bindingset[node, cc]
+  private LocalCc getLocalCc(NodeEx node, Cc cc) {
    result =
      getLocalCallContext(pragma[only_bind_into](pragma[only_bind_out](cc)),
-        node.getEnclosingCallable()) and
-    exists(config)
+        node.getEnclosingCallable())
  }

  private predicate localStep(
@@ -2863,7 +2822,7 @@ private module Stage4 {
    or
    exists(NodeEx mid, FlowState state0, Ap ap0, LocalCc localCc |
      fwdFlow(mid, state0, cc, argAp, ap0, config) and
-      localCc = getLocalCc(mid, cc, config)
+      localCc = getLocalCc(mid, cc)
    |
      localStep(mid, state0, node, state, true, _, config, localCc) and
      ap = ap0
@@ -5048,6 +5007,7 @@ private module FlowExploration {
    )
  }

+  pragma[nomagic]
  private predicate revPartialPathStep(
    PartialPathNodeRev mid, NodeEx node, FlowState state, TRevSummaryCtx1 sc1, TRevSummaryCtx2 sc2,
    TRevSummaryCtx3 sc3, RevPartialAccessPath ap, Configuration config
--- a/csharp/ql/lib/semmle/code/csharp/dataflow/internal/tainttracking1/TaintTrackingImpl.qll
+++ b/csharp/ql/lib/semmle/code/csharp/dataflow/internal/tainttracking1/TaintTrackingImpl.qll
@@ -109,16 +109,6 @@ abstract class Configuration extends DataFlow::Configuration {
  /** Holds if taint propagation into `node` is prohibited. */
  predicate isSanitizerIn(DataFlow::Node node) { none() }

-  /**
-   * Holds if taint propagation into `node` is prohibited when the flow state is
-   * `state`.
-   */
-  predicate isSanitizerIn(DataFlow::Node node, DataFlow::FlowState state) { none() }
-
-  final override predicate isBarrierIn(DataFlow::Node node, DataFlow::FlowState state) {
-    this.isSanitizerIn(node, state)
-  }
-
  final override predicate isBarrierIn(DataFlow::Node node) { this.isSanitizerIn(node) }

  /** Holds if taint propagation out of `node` is prohibited. */
@@ -126,16 +116,6 @@ abstract class Configuration extends DataFlow::Configuration {

  final override predicate isBarrierOut(DataFlow::Node node) { this.isSanitizerOut(node) }

-  /**
-   * Holds if taint propagation out of `node` is prohibited when the flow state is
-   * `state`.
-   */
-  predicate isSanitizerOut(DataFlow::Node node, DataFlow::FlowState state) { none() }
-
-  final override predicate isBarrierOut(DataFlow::Node node, DataFlow::FlowState state) {
-    this.isSanitizerOut(node, state)
-  }
-
  /** Holds if taint propagation through nodes guarded by `guard` is prohibited. */
  predicate isSanitizerGuard(DataFlow::BarrierGuard guard) { none() }

--- a/csharp/ql/lib/semmle/code/csharp/dataflow/internal/tainttracking2/TaintTrackingImpl.qll
+++ b/csharp/ql/lib/semmle/code/csharp/dataflow/internal/tainttracking2/TaintTrackingImpl.qll
@@ -109,16 +109,6 @@ abstract class Configuration extends DataFlow::Configuration {
  /** Holds if taint propagation into `node` is prohibited. */
  predicate isSanitizerIn(DataFlow::Node node) { none() }

-  /**
-   * Holds if taint propagation into `node` is prohibited when the flow state is
-   * `state`.
-   */
-  predicate isSanitizerIn(DataFlow::Node node, DataFlow::FlowState state) { none() }
-
-  final override predicate isBarrierIn(DataFlow::Node node, DataFlow::FlowState state) {
-    this.isSanitizerIn(node, state)
-  }
-
  final override predicate isBarrierIn(DataFlow::Node node) { this.isSanitizerIn(node) }

  /** Holds if taint propagation out of `node` is prohibited. */
@@ -126,16 +116,6 @@ abstract class Configuration extends DataFlow::Configuration {

  final override predicate isBarrierOut(DataFlow::Node node) { this.isSanitizerOut(node) }

-  /**
-   * Holds if taint propagation out of `node` is prohibited when the flow state is
-   * `state`.
-   */
-  predicate isSanitizerOut(DataFlow::Node node, DataFlow::FlowState state) { none() }
-
-  final override predicate isBarrierOut(DataFlow::Node node, DataFlow::FlowState state) {
-    this.isSanitizerOut(node, state)
-  }
-
  /** Holds if taint propagation through nodes guarded by `guard` is prohibited. */
  predicate isSanitizerGuard(DataFlow::BarrierGuard guard) { none() }

--- a/csharp/ql/lib/semmle/code/csharp/dataflow/internal/tainttracking3/TaintTrackingImpl.qll
+++ b/csharp/ql/lib/semmle/code/csharp/dataflow/internal/tainttracking3/TaintTrackingImpl.qll
@@ -109,16 +109,6 @@ abstract class Configuration extends DataFlow::Configuration {
  /** Holds if taint propagation into `node` is prohibited. */
  predicate isSanitizerIn(DataFlow::Node node) { none() }

-  /**
-   * Holds if taint propagation into `node` is prohibited when the flow state is
-   * `state`.
-   */
-  predicate isSanitizerIn(DataFlow::Node node, DataFlow::FlowState state) { none() }
-
-  final override predicate isBarrierIn(DataFlow::Node node, DataFlow::FlowState state) {
-    this.isSanitizerIn(node, state)
-  }
-
  final override predicate isBarrierIn(DataFlow::Node node) { this.isSanitizerIn(node) }

  /** Holds if taint propagation out of `node` is prohibited. */
@@ -126,16 +116,6 @@ abstract class Configuration extends DataFlow::Configuration {

  final override predicate isBarrierOut(DataFlow::Node node) { this.isSanitizerOut(node) }

-  /**
-   * Holds if taint propagation out of `node` is prohibited when the flow state is
-   * `state`.
-   */
-  predicate isSanitizerOut(DataFlow::Node node, DataFlow::FlowState state) { none() }
-
-  final override predicate isBarrierOut(DataFlow::Node node, DataFlow::FlowState state) {
-    this.isSanitizerOut(node, state)
-  }
-
  /** Holds if taint propagation through nodes guarded by `guard` is prohibited. */
  predicate isSanitizerGuard(DataFlow::BarrierGuard guard) { none() }

--- a/csharp/ql/lib/semmle/code/csharp/dataflow/internal/tainttracking4/TaintTrackingImpl.qll
+++ b/csharp/ql/lib/semmle/code/csharp/dataflow/internal/tainttracking4/TaintTrackingImpl.qll
@@ -109,16 +109,6 @@ abstract class Configuration extends DataFlow::Configuration {
  /** Holds if taint propagation into `node` is prohibited. */
  predicate isSanitizerIn(DataFlow::Node node) { none() }

-  /**
-   * Holds if taint propagation into `node` is prohibited when the flow state is
-   * `state`.
-   */
-  predicate isSanitizerIn(DataFlow::Node node, DataFlow::FlowState state) { none() }
-
-  final override predicate isBarrierIn(DataFlow::Node node, DataFlow::FlowState state) {
-    this.isSanitizerIn(node, state)
-  }
-
  final override predicate isBarrierIn(DataFlow::Node node) { this.isSanitizerIn(node) }

  /** Holds if taint propagation out of `node` is prohibited. */
@@ -126,16 +116,6 @@ abstract class Configuration extends DataFlow::Configuration {

  final override predicate isBarrierOut(DataFlow::Node node) { this.isSanitizerOut(node) }

-  /**
-   * Holds if taint propagation out of `node` is prohibited when the flow state is
-   * `state`.
-   */
-  predicate isSanitizerOut(DataFlow::Node node, DataFlow::FlowState state) { none() }
-
-  final override predicate isBarrierOut(DataFlow::Node node, DataFlow::FlowState state) {
-    this.isSanitizerOut(node, state)
-  }
-
  /** Holds if taint propagation through nodes guarded by `guard` is prohibited. */
  predicate isSanitizerGuard(DataFlow::BarrierGuard guard) { none() }

--- a/csharp/ql/lib/semmle/code/csharp/dataflow/internal/tainttracking5/TaintTrackingImpl.qll
+++ b/csharp/ql/lib/semmle/code/csharp/dataflow/internal/tainttracking5/TaintTrackingImpl.qll
@@ -109,16 +109,6 @@ abstract class Configuration extends DataFlow::Configuration {
  /** Holds if taint propagation into `node` is prohibited. */
  predicate isSanitizerIn(DataFlow::Node node) { none() }

-  /**
-   * Holds if taint propagation into `node` is prohibited when the flow state is
-   * `state`.
-   */
-  predicate isSanitizerIn(DataFlow::Node node, DataFlow::FlowState state) { none() }
-
-  final override predicate isBarrierIn(DataFlow::Node node, DataFlow::FlowState state) {
-    this.isSanitizerIn(node, state)
-  }
-
  final override predicate isBarrierIn(DataFlow::Node node) { this.isSanitizerIn(node) }

  /** Holds if taint propagation out of `node` is prohibited. */
@@ -126,16 +116,6 @@ abstract class Configuration extends DataFlow::Configuration {

  final override predicate isBarrierOut(DataFlow::Node node) { this.isSanitizerOut(node) }

-  /**
-   * Holds if taint propagation out of `node` is prohibited when the flow state is
-   * `state`.
-   */
-  predicate isSanitizerOut(DataFlow::Node node, DataFlow::FlowState state) { none() }
-
-  final override predicate isBarrierOut(DataFlow::Node node, DataFlow::FlowState state) {
-    this.isSanitizerOut(node, state)
-  }
-
  /** Holds if taint propagation through nodes guarded by `guard` is prohibited. */
  predicate isSanitizerGuard(DataFlow::BarrierGuard guard) { none() }

--- a/csharp/ql/src/CHANGELOG.md
+++ b/csharp/ql/src/CHANGELOG.md
@@ -1,3 +1,7 @@
+## 0.0.13
+
+## 0.0.12
+
 ## 0.0.11

 ### Minor Analysis Improvements
--- a/csharp/ql/src/change-notes/released/0.0.12.md
+++ b/csharp/ql/src/change-notes/released/0.0.12.md
@@ -0,0 +1 @@
+## 0.0.12
--- a/csharp/ql/src/change-notes/released/0.0.13.md
+++ b/csharp/ql/src/change-notes/released/0.0.13.md
@@ -0,0 +1 @@
+## 0.0.13
--- a/csharp/ql/src/codeql-pack.release.yml
+++ b/csharp/ql/src/codeql-pack.release.yml
@@ -1,2 +1,2 @@
 ---
-lastReleaseVersion: 0.0.11
+lastReleaseVersion: 0.0.13
--- a/csharp/ql/src/qlpack.yml
+++ b/csharp/ql/src/qlpack.yml
@@ -1,5 +1,5 @@
 name: codeql/csharp-queries
-version: 0.0.12-dev
+version: 0.1.0-dev
 groups: 
  - csharp
  - queries
--- a/csharp/ql/src/utils/model-generator/CaptureSinkModels.ql
+++ b/csharp/ql/src/utils/model-generator/CaptureSinkModels.ql
@@ -1,7 +1,9 @@
 /**
 * @name Capture sink models.
 * @description Finds public methods that act as sinks as they flow into a a known sink.
+ * @kind diagnostic
 * @id cs/utils/model-generator/sink-models
+ * @tags model-generator
 */

 private import internal.CaptureModels
--- a/csharp/ql/src/utils/model-generator/CaptureSourceModels.ql
+++ b/csharp/ql/src/utils/model-generator/CaptureSourceModels.ql
@@ -1,7 +1,9 @@
 /**
 * @name Capture source models.
 * @description Finds APIs that act as sources as they expose already known sources.
+ * @kind diagnostic
 * @id cs/utils/model-generator/source-models
+ * @tags model-generator
 */

 private import internal.CaptureModels
--- a/Show More
+++ b/Show More