Merge rc/1.24 into master.

.codeqlmanifest.json

@@ -1,6 +1,5 @@
 { "provide": [ "*/ql/src/qlpack.yml",
                "*/ql/test/qlpack.yml",
-               "*/ql/examples/qlpack.yml",
                "*/upgrades/qlpack.yml",
                "misc/legacy-support/*/qlpack.yml",
                "misc/suite-helpers/qlpack.yml" ] }

.devcontainer/devcontainer.json

@@ -1,9 +0,0 @@
-{
-  "extensions": [
-    "github.vscode-codeql",
-    "slevesque.vscode-zipexplorer"
-  ],
-  "settings": {
-    "codeQL.experimentalBqrsParsing": true
-  }
-}

.github/codeql/codeql-config.yml

@@ -1,9 +0,0 @@
-name: "CodeQL config"
-
-queries:
-  - uses: security-and-quality
-
-paths-ignore:
-  - '/cpp/'
-  - '/java/'
-  - '/python/'

.github/workflows/codeql-analysis.yml

@@ -1,52 +0,0 @@
-name: "Code scanning - action"
-
-on:
-  push:
-  pull_request:
-  schedule:
-    - cron: '0 9 * * 1'
-
-jobs:
-  CodeQL-Build:
-
-    runs-on: ubuntu-latest
-
-    steps:
-    - name: Checkout repository
-      uses: actions/checkout@v2
-      with:
-        # We must fetch at least the immediate parents so that if this is
-        # a pull request then we can checkout the head.
-        fetch-depth: 2
-
-    # If this run was triggered by a pull request event, then checkout
-    # the head of the pull request instead of the merge commit.
-    - run: git checkout HEAD^2
-      if: ${{ github.event_name == 'pull_request' }}
-      
-    # Initializes the CodeQL tools for scanning.
-    - name: Initialize CodeQL
-      uses: github/codeql-action/init@v1
-      # Override language selection by uncommenting this and choosing your languages
-      with:
-        languages: csharp
-        config-file: ./.github/codeql/codeql-config.yml
-
-    # Autobuild attempts to build any compiled languages  (C/C++, C#, or Java).
-    # If this step fails, then you should remove it and run the build manually (see below)
-    - name: Autobuild
-      uses: github/codeql-action/autobuild@v1
-
-    # ℹ️ Command-line programs to run using the OS shell.
-    # 📚 https://git.io/JvXDl
-
-    # ✏️ If the Autobuild fails above, remove it and uncomment the following three lines
-    #    and modify them (or add more) to build your code if your project
-    #    uses a compiled language
-
-    #- run: |
-    #   make bootstrap
-    #   make release
-
-    - name: Perform CodeQL Analysis
-      uses: github/codeql-action/analyze@v1

.gitignore

@@ -21,3 +21,4 @@
 /codeql/
 
 csharp/extractor/Semmle.Extraction.CSharp.Driver/Properties/launchSettings.json
+.vscode

.vscode/.gitattributes

@@ -1 +0,0 @@
-*.json  linguist-language=JSON-with-Comments

.vscode/extensions.json

@@ -1,10 +0,0 @@
-{
-    // See https://go.microsoft.com/fwlink/?LinkId=827846 to learn about workspace recommendations.
-    // Extension identifier format: ${publisher}.${name}. Example: vscode.csharp
-    // List of extensions which should be recommended for users of this workspace.
-    "recommendations": [
-        "github.vscode-codeql"
-    ],
-    // List of extensions recommended by VS Code that should not be recommended for users of this workspace.
-    "unwantedRecommendations": []
-}

.vscode/settings.json

@@ -1,3 +0,0 @@
-{
-    "omnisharp.autoStart": false
-}

.vscode/tasks.json

@@ -1,27 +0,0 @@
-{
-    // To run a task, select the `Terminal | Run Task...` menu option, and then select the task from
-    // the list in the dropdown, or invoke the `Tasks: Run Task` command from the command palette/
-    // To bind a keyboard shortcut to invoke a task, see https://code.visualstudio.com/docs/editor/tasks#_binding-keyboard-shortcuts-to-tasks.
-    // See https://go.microsoft.com/fwlink/?LinkId=733558
-    // for the documentation about the tasks.json format
-    "version": "2.0.0",
-    "tasks": [
-        {
-            "label": "Sync Identical Files",
-            "type": "process",
-            // Non-Windows OS will usually have Python 3 already installed at /usr/bin/python3.
-            "command": "python3",
-            "args": [
-                "config/sync-files.py",
-                "--latest"
-            ],
-            "group": "build",
-            "windows": {
-                // On Windows, use whatever Python interpreter is configured for this workspace. The default is
-                // just `python`, so if Python is already on the path, this will find it.
-                "command": "${config:python.pythonPath}",
-            },
-            "problemMatcher": []
-        }
-    ]
-}

CODEOWNERS

@@ -1,20 +1,11 @@
-/cpp/ @github/codeql-c-analysis
-/csharp/ @github/codeql-csharp
-/java/ @github/codeql-java
-/javascript/ @github/codeql-javascript
-/python/ @github/codeql-python
-
-# Assign query help for docs review
+/cpp/ @Semmle/cpp-analysis
+/csharp/ @Semmle/cs
+/java/ @Semmle/java
+/javascript/ @Semmle/js
+/python/ @Semmle/python
 /cpp/**/*.qhelp @hubwriter
 /csharp/**/*.qhelp @jf205
 /java/**/*.qhelp @felicitymay
 /javascript/**/*.qhelp @mchammer01
 /python/**/*.qhelp @felicitymay
 /docs/language/ @shati-patel @jf205
-
-# Exclude help for experimental queries from docs review
-/cpp/**/experimental/**/*.qhelp @github/codeql-c-analysis
-/csharp/**/experimental/**/*.qhelp @github/codeql-csharp
-/java/**/experimental/**/*.qhelp @github/codeql-java
-/javascript/**/experimental/**/*.qhelp @github/codeql-javascript
-/python/**/experimental/**/*.qhelp @github/codeql-python

CODE_OF_CONDUCT.md

@@ -1,126 +1,39 @@
-## Our Pledge
+# Code of Conduct
 
-We as members, contributors, and leaders pledge to make participation in our
-community a harassment-free experience for everyone, regardless of age, body
-size, visible or invisible disability, ethnicity, sex characteristics, gender
-identity and expression, level of experience, education, socio-economic status,
-nationality, personal appearance, race, religion, or sexual identity
-and orientation.
+This code of conduct outlines expectations for participation in the Semmle open source community, including any open source repositories on GitHub.com, as well as steps for reporting unacceptable behavior. We are committed to providing a welcoming and inspiring community for all.
 
-We pledge to act and interact in ways that contribute to an open, welcoming,
-diverse, inclusive, and healthy community.
+People violating this code of conduct may be banned from the community.
 
-## Our Standards
+Our community strives to:
+* Be friendly and patient: Remember you might not be communicating in someone else’s primary spoken or programming language, and others may not have your level of understanding.
+* Be welcoming: Our community welcomes and supports people of all backgrounds and identities. This includes, but is not limited to members of any race, ethnicity, culture, national origin, color, immigration status, social and economic class, educational level, sex, sexual orientation, gender identity and expression, age, size, family status, political belief, religion, and mental and physical ability.
+* Be respectful: We are a world-wide community of professionals, and we conduct ourselves professionally. Disagreement is no excuse for poor behavior and poor manners. Disrespectful and unacceptable behavior includes, but is not limited to:
+  * Violent threats or language.
+  * Discriminatory or derogatory jokes and language.
+  * Posting sexually explicit or violent material.
+  * Posting, or threatening to post, people’s personally identifying information (“doxing”).
+  * Insults, especially those using discriminatory terms or slurs.
+  * Behavior that could be perceived as sexual attention.
+  * Advocating for or encouraging any of the above behaviors.
+* Understand disagreements: Disagreements, both social and technical, are useful learning opportunities. Seek to understand others’ viewpoints and resolve differences constructively.
 
-Examples of behavior that contributes to a positive environment for our
-community include:
+This code is not exhaustive or complete. It serves to capture our common understanding of a productive, collaborative environment. We expect the code to be followed in spirit as much as in the letter.
 
-* Demonstrating empathy and kindness toward other people
-* Being respectful of differing opinions, viewpoints, and experiences
-* Giving and gracefully accepting constructive feedback
-* Accepting responsibility and apologizing to those affected by our mistakes,
-  and learning from the experience
-* Focusing on what is best not just for us as individuals, but for the
-  overall community
+# Scope
 
-Examples of unacceptable behavior include:
+This code of conduct applies to all repositories and communities for Semmle open source projects, regardless of whether or not the repository explicitly calls out its use of this code. The code also applies in public spaces when an individual is representing the Semmle open source community. Examples include using an official project email address, posting via an official social media account, or acting as an appointed representative at an online or offline event. 
 
-* The use of sexualized language or imagery, and sexual attention or
-  advances of any kind
-* Trolling, insulting or derogatory comments, and personal or political attacks
-* Public or private harassment
-* Publishing others' private information, such as a physical or email
-  address, without their explicit permission
-* Other conduct which could reasonably be considered inappropriate in a
-  professional setting
 
-## Enforcement Responsibilities
+# Reporting Code of Conduct Issues
+We encourage members of the community to resolve issues on their own whenever possible. This builds a broader and deeper understanding and ultimately a healthier interaction. In the event that an issue cannot be resolved locally, please feel free to report your concerns by contacting code-of-conduct@semmle.com. 
+In your report please include:
+* Your contact information.
+* Names (real, usernames or pseudonyms) of any individuals involved. If there are additional witnesses, please include them as well.
+* Your account of what occurred, and if you believe the incident is ongoing. If there is a publicly available record (e.g. a mailing list archive or a public chat log), please include a link or attachment.
+* Any additional information that may be helpful.
 
-Community leaders are responsible for clarifying and enforcing our standards of
-acceptable behavior and will take appropriate and fair corrective action in
-response to any behavior that they deem inappropriate, threatening, offensive,
-or harmful.
+All reports will be reviewed by a multi-person team and will result in a response that is deemed necessary and appropriate to the circumstances. Where additional perspectives are needed, the team may seek insight from others with relevant expertise or experience. The confidentiality of the person reporting the incident will be kept at all times. Involved parties are never part of the review team.
 
-Community leaders have the right and responsibility to remove, edit, or reject
-comments, commits, code, wiki edits, issues, and other contributions that are
-not aligned to this Code of Conduct, and will communicate reasons for moderation
-decisions when appropriate.
+Anyone asked to stop unacceptable behavior is expected to comply immediately. If an individual engages in unacceptable behavior, the review team may take any action they deem appropriate, including a permanent ban from the community.
 
-## Scope
-
-This Code of Conduct applies within all community spaces, and also applies when
-an individual is officially representing the community in public spaces.
-Examples of representing our community include using an official e-mail address,
-posting via an official social media account, or acting as an appointed
-representative at an online or offline event.
-
-## Enforcement
-
-Instances of abusive, harassing, or otherwise unacceptable behavior may be
-reported to the community leaders responsible for enforcement at
-opensource@github.com.
-All complaints will be reviewed and investigated promptly and fairly.
-
-All community leaders are obligated to respect the privacy and security of the
-reporter of any incident.
-
-## Enforcement Guidelines
-
-Community leaders will follow these Community Impact Guidelines in determining
-the consequences for any action they deem in violation of this Code of Conduct:
-
-### 1. Correction
-
-**Community Impact**: Use of inappropriate language or other behavior deemed
-unprofessional or unwelcome in the community.
-
-**Consequence**: A private, written warning from community leaders, providing
-clarity around the nature of the violation and an explanation of why the
-behavior was inappropriate. A public apology may be requested.
-
-### 2. Warning
-
-**Community Impact**: A violation through a single incident or series
-of actions.
-
-**Consequence**: A warning with consequences for continued behavior. No
-interaction with the people involved, including unsolicited interaction with
-those enforcing the Code of Conduct, for a specified period of time. This
-includes avoiding interactions in community spaces as well as external channels
-like social media. Violating these terms may lead to a temporary or
-permanent ban.
-
-### 3. Temporary Ban
-
-**Community Impact**: A serious violation of community standards, including
-sustained inappropriate behavior.
-
-**Consequence**: A temporary ban from any sort of interaction or public
-communication with the community for a specified period of time. No public or
-private interaction with the people involved, including unsolicited interaction
-with those enforcing the Code of Conduct, is allowed during this period.
-Violating these terms may lead to a permanent ban.
-
-### 4. Permanent Ban
-
-**Community Impact**: Demonstrating a pattern of violation of community
-standards, including sustained inappropriate behavior,  harassment of an
-individual, or aggression toward or disparagement of classes of individuals.
-
-**Consequence**: A permanent ban from any sort of public interaction within
-the community.
-
-## Attribution
-
-This Code of Conduct is adapted from the [Contributor Covenant][homepage],
-version 2.0, available at
-https://www.contributor-covenant.org/version/2/0/code_of_conduct.html.
-
-Community Impact Guidelines were inspired by [Mozilla's code of conduct
-enforcement ladder](https://github.com/mozilla/diversity).
-
-[homepage]: https://www.contributor-covenant.org
-
-For answers to common questions about this code of conduct, see the FAQ at
-https://www.contributor-covenant.org/faq. Translations are available at
-https://www.contributor-covenant.org/translations.
+*This text is licensed under the [CC-BY-4.0](https://creativecommons.org/licenses/by/4.0/) license. It is based on a template established by the [TODO Group](http://todogroup.org/) and variants thereof used by numerous other large communities (e.g., [Microsoft](https://microsoft.github.io/codeofconduct/), [Facebook](https://code.fb.com/codeofconduct/), [Yahoo](https://yahoo.github.io/codeofconduct), [Twitter](https://github.com/twitter/code-of-conduct), [GitHub](https://blog.github.com/2015-07-20-adopting-the-open-code-of-conduct/)) and the Scope section from the [Contributor Covenant version 1.4](http://contributor-covenant.org/version/1/4/).*

CONTRIBUTING.md

@@ -2,7 +2,7 @@
 
 We welcome contributions to our CodeQL libraries and queries. Got an idea for a new check, or how to improve an existing query? Then please go ahead and open a pull request! Contributions to this project are [released](https://help.github.com/articles/github-terms-of-service/#6-contributions-under-repository-license) to the public under the [project's open source license](LICENSE).
 
-There is lots of useful documentation to help you write queries, ranging from information about query file structure to tutorials for specific target languages. For more information on the documentation available, see [CodeQL queries](https://help.semmle.com/QL/learn-ql/writing-queries/writing-queries.html) on [help.semmle.com](https://help.semmle.com).
+There is lots of useful documentation to help you write queries, ranging from information about query file structure to tutorials for specific target languages. For more information on the documentation available, see [Writing CodeQL queries](https://help.semmle.com/QL/learn-ql/writing-queries/writing-queries.html) on [help.semmle.com](https://help.semmle.com).
 
 
 ## Submitting a new experimental query
@@ -20,7 +20,7 @@ If you have an idea for a query that you would like to share with other CodeQL u
       * Python: `python/ql/src`
 
     Each language-specific directory contains further subdirectories that group queries based on their `@tags` or purpose.
-    - Experimental queries and libraries are stored in the `experimental` subdirectory within each language-specific directory in the [CodeQL repository](https://github.com/github/codeql). For example, experimental Java queries and libraries are stored in `java/ql/src/experimental` and any corresponding tests in `java/ql/test/experimental`.
+    - Experimental queries and libraries are stored in the `experimental` subdirectory within each language-specific directory in the [CodeQL repository](https://github.com/Semmle/ql). For example, experimental Java queries and libraries are stored in `java/ql/src/experimental` and any corresponding tests in `java/ql/test/experimental`.
     - The structure of an `experimental` subdirectory mirrors the structure of its parent directory.
     - Select or create an appropriate directory in `experimental` based on the existing directory structure of `experimental` or its parent directory.
 
@@ -32,11 +32,11 @@ If you have an idea for a query that you would like to share with other CodeQL u
 
     For details, see the [guide on query metadata](docs/query-metadata-style-guide.md).
 
-    Make sure the `select` statement is compatible with the query `@kind`. See [About CodeQL queries](https://help.semmle.com/QL/learn-ql/writing-queries/introduction-to-queries.html#select-clause) on help.semmle.com.
+    Make sure the `select` statement is compatible with the query `@kind`. See [Introduction to query files](https://help.semmle.com/QL/learn-ql/writing-queries/introduction-to-queries.html#select-clause) on help.semmle.com.
 
 3. **Formatting**
 
-    - The queries and libraries must be autoformatted, for example using the "Format Document" command in [CodeQL for Visual Studio Code](https://help.semmle.com/codeql/codeql-for-vscode/procedures/about-codeql-for-vscode.html).
+    - The queries and libraries must be [autoformatted](https://help.semmle.com/codeql/codeql-for-vscode/reference/editor.html#autoformatting).
 
 4. **Compilation**
 
@@ -53,6 +53,14 @@ After the experimental query is merged, we welcome pull requests to improve it.
 
 ## Using your personal data
 
-If you contribute to this project, we will record your name and email address (as provided by you with your contributions) as part of the code repositories, which are public. We might also use this information to contact you in relation to your contributions, as well as in the normal course of software development. We also store records of CLA agreements signed in the past, but no longer require contributors to sign a CLA. Under GDPR legislation, we do this on the basis of our legitimate interest in creating the CodeQL product. 
+If you contribute to this project, we will record your name and email
+address (as provided by you with your contributions) as part of the code
+repositories, which are public. We might also use this information
+to contact you in relation to your contributions, as well as in the
+normal course of software development. We also store records of your
+CLA agreements. Under GDPR legislation, we do this
+on the basis of our legitimate interest in creating the CodeQL product.
+
+Please do get in touch (privacy@github.com) if you have any questions about
+this or our data protection policies.
 
-Please do get in touch (privacy@github.com) if you have any questions about this or our data protection policies.

README.md

@@ -1,6 +1,6 @@
 # CodeQL
 
-This open source repository contains the standard CodeQL libraries and queries that power [LGTM](https://lgtm.com) and the other CodeQL products that [GitHub](https://github.com) makes available to its customers worldwide. For the queries, libraries, and extractor that power Go analysis, visit the [CodeQL for Go repository](https://github.com/github/codeql-go).
+This open source repository contains the standard CodeQL libraries and queries that power [LGTM](https://lgtm.com) and the other CodeQL products that [GitHub](https://github.com) makes available to its customers worldwide.
 
 ## How do I learn CodeQL and run queries?
 
@@ -9,20 +9,8 @@ You can use the [interactive query console](https://lgtm.com/help/lgtm/using-que
 
 ## Contributing
 
-We welcome contributions to our standard library and standard checks. Do you have an idea for a new check, or how to improve an existing query? Then please go ahead and open a pull request! Before you do, though, please take the time to read our [contributing guidelines](CONTRIBUTING.md). You can also consult our [style guides](https://github.com/github/codeql/tree/main/docs) to learn how to format your code for consistency and clarity, how to write query metadata, and how to write query help documentation for your query.
+We welcome contributions to our standard library and standard checks. Do you have an idea for a new check, or how to improve an existing query? Then please go ahead and open a pull request! Before you do, though, please take the time to read our [contributing guidelines](CONTRIBUTING.md). You can also consult our [style guides](https://github.com/Semmle/ql/tree/master/docs) to learn how to format your code for consistency and clarity, how to write query metadata, and how to write query help documentation for your query.
 
 ## License
 
 The code in this repository is licensed under the [MIT License](LICENSE) by [GitHub](https://github.com).
-
-## Visual Studio Code integration
-
-If you use Visual Studio Code to work in this repository, there are a few integration features to make development easier.
-
-### CodeQL for Visual Studio Code
-
-You can install the [CodeQL for Visual Studio Code](https://marketplace.visualstudio.com/items?itemName=GitHub.vscode-codeql) extension to get syntax highlighting, IntelliSense, and code navigation for the QL language, as well as unit test support for testing CodeQL libraries and queries.
-
-### Tasks
-
-The `.vscode/tasks.json` file defines custom tasks specific to working in this repository. To invoke one of these tasks, select the `Terminal | Run Task...` menu option, and then select the desired task from the dropdown. You can also invoke the `Tasks: Run Task` command from the command palette.

change-notes/1.24/analysis-cpp.md

@@ -4,8 +4,6 @@ The following changes in version 1.24 affect C/C++ analysis in all applications.
 
 ## General improvements
 
-You can now suppress alerts using either single-line block comments (`/* ... */`) or line comments (`// ...`).
-
 ## New queries
 
 | **Query**                   | **Tags**  | **Purpose**                                                        |
@@ -14,71 +12,47 @@ You can now suppress alerts using either single-line block comments (`/* ... */`
 
 ## Changes to existing queries
 
-A new taint-tracking library is used by all the security queries that track tainted values
-(`cpp/path-injection`, `cpp/cgi-xss`, `cpp/sql-injection`, `cpp/uncontrolled-process-operation`,
-`cpp/unbounded-write`, `cpp/tainted-format-string`, `cpp/tainted-format-string-through-global`,
-`cpp/uncontrolled-arithmetic`, `cpp/uncontrolled-allocation-size`, `cpp/user-controlled-bypass`,
-`cpp/cleartext-storage-buffer`, `cpp/tainted-permissions-check`).
-These queries now have more precise results and also offer _path explanations_ so you can explore the results easily.
-There is a performance cost to this, and the LGTM query suite will overall run slower than before.
-
 | **Query**                  | **Expected impact**    | **Change**                                                       |
 |----------------------------|------------------------|------------------------------------------------------------------|
-| Boost\_asio TLS Settings Misconfiguration (`cpp/boost/tls-settings-misconfiguration`) | Query id change | The identifier was updated to use dashes in place of underscores (previous identifier `cpp/boost/tls_settings_misconfiguration`). |
 | Buffer not sufficient for string (`cpp/overflow-calculated`) | More true positive results | This query now identifies a wider variety of buffer allocations using the `semmle.code.cpp.models.interfaces.Allocation` library. |
-| Hard-coded Japanese era start date (`cpp/japanese-era/exact-era-date`) |  | This query is no longer run on LGTM. |
+| No space for zero terminator (`cpp/no-space-for-terminator`) | More true positive results | This query now identifies a wider variety of buffer allocations using the `semmle.code.cpp.models.interfaces.Allocation` library. |
 | Memory is never freed (`cpp/memory-never-freed`) | More true positive results | This query now identifies a wider variety of buffer allocations using the `semmle.code.cpp.models.interfaces.Allocation` library. |
 | Memory may not be freed (`cpp/memory-may-not-be-freed`) | More true positive results | This query now identifies a wider variety of buffer allocations using the `semmle.code.cpp.models.interfaces.Allocation` library. |
-| Mismatching new/free or malloc/delete (`cpp/new-free-mismatch`) | Fewer false positive results | Improved handling of template code gives greater precision. |
-| Missing return statement (`cpp/missing-return`) | Fewer false positive results and more accurate locations | Functions containing `asm` statements are no longer highlighted by this query. The locations reported by this query are now more accurate in some cases. |
-| No space for zero terminator (`cpp/no-space-for-terminator`) | More results with greater precision | The query gives more precise results for a wider variety of buffer allocations. String arguments to formatting functions are now (usually) expected to be null terminated strings. Use of the `semmle.code.cpp.models.interfaces.Allocation` library identifies problems with a wider variety of buffer allocations. This query is also more conservative when identifying which pointers point to null-terminated strings. |
-| Overflow in uncontrolled allocation size (`cpp/uncontrolled-allocation-size`) | Fewer false positive results | The query now produces fewer, more accurate results. Cases where the tainted allocation size is range checked are more reliably excluded. |
+| Mismatching new/free or malloc/delete (`cpp/new-free-mismatch`) | Fewer false positive results | Fixed false positive results in template code. |
+| Missing return statement (`cpp/missing-return`) | Fewer false positive results | Functions containing `asm` statements are no longer highlighted by this query. |
+| Missing return statement (`cpp/missing-return`) | More accurate locations | Locations reported by this query are now more accurate in some cases. |
+| No space for zero terminator (`cpp/no-space-for-terminator`) | More correct results | String arguments to formatting functions are now (usually) expected to be null terminated strings. |
+| Hard-coded Japanese era start date (`cpp/japanese-era/exact-era-date`) |  | This query is no longer run on LGTM. |
+| No space for zero terminator (`cpp/no-space-for-terminator`) | Fewer false positive results | This query has been modified to be more conservative when identifying which pointers point to null-terminated strings.  This approach produces fewer, more accurate results. |
+| Overflow in uncontrolled allocation size (`cpp/uncontrolled-allocation-size`) | Fewer false positive results | Cases where the tainted allocation size is range checked are now more reliably excluded. |
+| Overflow in uncontrolled allocation size (`cpp/uncontrolled-allocation-size`) | Fewer false positive results | The query now produces fewer, more accurate results. |
 | Overloaded assignment does not return 'this' (`cpp/assignment-does-not-return-this`) | Fewer false positive results | This query no longer reports incorrect results in template classes. |
-| Pointer overflow check (`cpp/pointer-overflow-check`),<br> Possibly wrong buffer size in string copy (`cpp/bad-strncpy-size`),<br> Signed overflow check (`cpp/signed-overflow-check`) | More correct results | A new library is used for determining which expressions have identical value, giving more precise results. There is a performance cost to this, and the LGTM suite will overall run slower than before. |
 | Unsafe array for days of the year (`cpp/leap-year/unsafe-array-for-days-of-the-year`) |  | This query is no longer run on LGTM. |
 | Unsigned comparison to zero (`cpp/unsigned-comparison-zero`) | More correct results | This query now also looks for comparisons of the form `0 <= x`. |
 
 ## Changes to libraries
 
-* The built-in C++20 "spaceship operator" (`<=>`) is now supported via the QL
-  class `SpaceshipExpr`. Overloaded forms are modeled as calls to functions
-  named `operator<=>`.
-* The data-flow library (`semmle.code.cpp.dataflow.DataFlow` and
-  `semmle.code.cpp.dataflow.TaintTracking`) has been improved, which affects
-  and improves some security queries. The improvements are:
-    - Track flow through functions that combine taint tracking with flow through fields.
-    - Track flow through clone-like functions, that is, functions that read contents of a field from a
-      parameter and stores the value in the field of a returned object.
-* The security pack taint tracking library
-  (`semmle.code.cpp.security.TaintTracking`) uses a new intermediate
-  representation. This provides a more precise analysis of flow through
-  parameters and pointers. For new queries, however, we continue to recommend
-  using `semmle.code.cpp.dataflow.TaintTracking`.
-* The global value numbering library
-  (`semmle.code.cpp.valuenumbering.GlobalValueNumbering`) uses a new
-  intermediate representation to provide a more precise analysis of
-  heap-allocated memory and pointers to stack variables.
-* New libraries have been created to provide a more consistent and useful interface
-  for modeling allocation and deallocation. These replace the old
-  `semmle.code.cpp.commons.Alloc` library.
-    * The new `semmle.code.cpp.models.interfaces.Allocation` library models
-      allocations, such as `new` expressions and calls to `malloc`.
-    * The new `semmle.code.cpp.models.interfaces.Deallocation` library
-      models deallocations, such as `delete` expressions and calls to `free`.
-    * The predicate `freeCall` in `semmle.code.cpp.commons.Alloc` has been
-      deprecated. The `Allocation` and `Deallocation` models in
-      `semmle.code.cpp.models.interfaces` should be used instead.
+* The data-flow library has been improved, which affects and improves some security queries. The improvements are:
+  - Track flow through functions that combine taint tracking with flow through fields.
+  - Track flow through clone-like functions, that is, functions that read contents of a field from a
+    parameter and stores the value in the field of a returned object.
+* Created the `semmle.code.cpp.models.interfaces.Allocation` library to model allocation such as `new` expressions and calls to `malloc`. This in intended to replace the functionality in `semmle.code.cpp.commons.Alloc` with a more consistent and useful interface.
+* Created the `semmle.code.cpp.models.interfaces.Deallocation` library to model deallocation such as `delete` expressions and calls to `free`. This in intended to replace the functionality in `semmle.code.cpp.commons.Alloc` with a more consistent and useful interface.
 * The new class `StackVariable` should be used in place of `LocalScopeVariable`
   in most cases. The difference is that `StackVariable` does not include
   variables declared with `static` or `thread_local`.
-    * As a rule of thumb, custom queries about the _values_ of variables should
-      be changed from `LocalScopeVariable` to `StackVariable`, while queries
-      about the _name or scope_ of variables should remain unchanged.
-    * The `LocalScopeVariableReachability` library is deprecated in favor of
-      `StackVariableReachability`. The functionality is the same.
-* Taint tracking and data flow now features better modeling of commonly-used
-  library functions:
-    * `gets` and similar functions,
-    * the most common operations on `std::string`,
-    * `strdup` and similar functions, and
-    * formatting functions such as `sprintf`.
+  * As a rule of thumb, custom queries about the _values_ of variables should
+    be changed from `LocalScopeVariable` to `StackVariable`, while queries
+    about the _name or scope_ of variables should remain unchanged.
+  * The `LocalScopeVariableReachability` library is deprecated in favor of
+    `StackVariableReachability`. The functionality is the same.
+* The models library models `strlen` in more detail, and includes common variations such as `wcslen`.
+* The models library models `gets` and similar functions.
+* The models library now partially models `std::string`.
+* The taint tracking library (`semmle.code.cpp.dataflow.TaintTracking`) has had
+  the following improvements:
+  * The library now models data flow through `strdup` and similar functions.
+  * The library now models data flow through formatting functions such as `sprintf`.
+* The security pack taint tracking library (`semmle.code.cpp.security.TaintTracking`) uses a new intermediate representation. This provides a more precise analysis of pointers to stack variables and flow through parameters, improving the results of many security queries.
+* The global value numbering library (`semmle.code.cpp.valuenumbering.GlobalValueNumbering`) uses a new intermediate representation to provide a more precise analysis of heap allocated memory and pointers to stack variables.
+* `freeCall` in `semmle.code.cpp.commons.Alloc` has been deprecated. The`Allocation` and `Deallocation` models in `semmle.code.cpp.models.interfaces` should be used instead.

change-notes/1.24/analysis-csharp.md

@@ -2,31 +2,30 @@
 
 The following changes in version 1.24 affect C# analysis in all applications.
 
-## General improvements
-
-You can now suppress alerts using either single-line block comments (`/* ... */`) or line comments (`// ...`).
-
 ## New queries
 
 | **Query**                   | **Tags**  | **Purpose**                                                        |
 |-----------------------------|-----------|--------------------------------------------------------------------|
-| Assembly path injection (`cs/assembly-path-injection`) | security, external/cwe/cwe-114 | Finds user-controlled data used to load an assembly. Results are shown on LGTM by default. |
-| Insecure configuration for ASP.NET requestValidationMode (`cs/insecure-request-validation-mode`) | security, external/cwe/cwe-016 | Finds where this attribute has been set to a value less than 4.5, which turns off some validation features and makes the application less secure. By default, the query is not run on LGTM. |
-| Insecure SQL connection (`cs/insecure-sql-connection`) | security, external/cwe/cwe-327 | Finds unencrypted SQL connection strings. Results are not shown on LGTM by default. |
-| Page request validation is disabled (`cs/web/request-validation-disabled`) | security, frameworks/asp.net, external/cwe/cwe-016 | Finds where ASP.NET page request validation has been disabled, which could make the application less secure. By default, the query is not run on LGTM. |
-| Serialization check bypass (`cs/serialization-check-bypass`) | security, external/cwe/cwe-20 | Finds where data is not validated in a deserialization method. Results are not shown on LGTM by default. |
-| XML injection (`cs/xml-injection`) | security, external/cwe/cwe-091 | Finds user-controlled data that is used to write directly to an XML document. Results are shown on LGTM by default. |
+| Assembly path injection (`cs/assembly-path-injection`) | security, external/cwe/cwe-114 | Finds user-controlled data used to load an assembly. |
+| Insecure configuration for ASP.NET requestValidationMode (`cs/insecure-request-validation-mode`) | security, external/cwe/cwe-016 | Finds where this attribute has been set to a value less than 4.5, which turns off some validation features and makes the application less secure. |
+| Insecure SQL connection (`cs/insecure-sql-connection`) | security, external/cwe/cwe-327 | Finds unencrypted SQL connection strings. |
+| Page request validation is disabled (`cs/web/request-validation-disabled`) | security, frameworks/asp.net, external/cwe/cwe-016 | Finds where ASP.NET page request validation has been disabled, which could make the application less secure. |
+| Serialization check bypass (`cs/serialization-check-bypass`) | security, external/cwe/cwe-20 | Finds where data is not validated in a deserialization method. |
+| XML injection (`cs/xml-injection`) | security, external/cwe/cwe-091 | Finds user-controlled data that is used to write directly to an XML document. |
 
 ## Changes to existing queries
 
 | **Query**                    | **Expected impact**    | **Change**                        |
 |------------------------------|------------------------|-----------------------------------|
-| Dereferenced variable may be null (`cs/dereferenced-value-may-be-null`) | More results | Results are reported from parameters with a default value of `null`. |
-| Information exposure through an exception (`cs/information-exposure-through-exception`) | More results | The query now recognizes writes to cookies, writes to ASP.NET (`Inner`)`Text` properties, and email contents as additional sinks. |
-| Information exposure through transmitted data (`cs/sensitive-data-transmission`) | More results | The query now recognizes writes to cookies and writes to ASP.NET (`Inner`)`Text` properties as additional sinks. |
+| Useless assignment to local variable (`cs/useless-assignment-to-local`) | Fewer false positive results | Results have been removed when the variable is named `_` in a `foreach` statement. | 
 | Potentially dangerous use of non-short-circuit logic (`cs/non-short-circuit`) | Fewer false positive results | Results have been removed when the expression contains an `out` parameter. |
-| Useless assignment to local variable (`cs/useless-assignment-to-local`) | Fewer false positive results | Results have been removed when the value assigned is an (implicitly or explicitly) cast default-like value. For example, `var s = (string)null` and `string s = default`. Results have also been removed when the variable is named `_` in a `foreach` statement. | 
+| Dereferenced variable may be null (`cs/dereferenced-value-may-be-null`) | More results | Results are reported from parameters with a default value of `null`. |
+| Useless assignment to local variable (`cs/useless-assignment-to-local`) | Fewer false positive results | Results have been removed when the value assigned is an (implicitly or explicitly) cast default-like value. For example, `var s = (string)null` and `string s = default`. |
 | XPath injection (`cs/xml/xpath-injection`) | More results | The query now recognizes calls to methods on `System.Xml.XPath.XPathNavigator` objects. |
+| Information exposure through transmitted data (`cs/sensitive-data-transmission`) | More results | The query now recognizes writes to cookies and writes to ASP.NET (`Inner`)`Text` properties as additional sinks. |
+| Information exposure through an exception (`cs/information-exposure-through-exception`) | More results | The query now recognizes writes to cookies, writes to ASP.NET (`Inner`)`Text` properties, and email contents as additional sinks. |
+
+## Removal of old queries
 
 ## Changes to code extraction
 
@@ -38,11 +37,13 @@ You can now suppress alerts using either single-line block comments (`/* ... */`
 ## Changes to libraries
 
 * The data-flow library has been improved, which affects and improves most security queries. The improvements are:
-    - Track flow through methods that combine taint tracking with flow through fields.
-    - Track flow through clone-like methods, that is, methods that read the contents of a field from a
-      parameter and store the value in the field of a returned object.
+  - Track flow through methods that combine taint tracking with flow through fields.
+  - Track flow through clone-like methods, that is, methods that read contents of a field from a
+    parameter and stores the value in the field of a returned object.
 * The taint tracking library now tracks flow through (implicit or explicit) conversion operator calls.
 * [Code contracts](https://docs.microsoft.com/en-us/dotnet/framework/debug-trace-profile/code-contracts) are now recognized, and are treated like any other assertion methods.
 * Expression nullability flow state is given by the predicates `Expr.hasNotNullFlowState()` and `Expr.hasMaybeNullFlowState()`.
 * `stackalloc` array creations are now represented by the QL class `Stackalloc`. Previously they were represented by the class `ArrayCreation`.
-* A new class `RemoteFlowSink` has been added to model sinks where data might be exposed to external users. Examples include web page output, emails, and cookies.
+* A new class `RemoteFlowSink` has been added to model sinks where data might be exposed to external users. Examples include web page output, e-mails, and cookies.
+
+## Changes to autobuilder

change-notes/1.24/analysis-java.md

@@ -4,7 +4,7 @@ The following changes in version 1.24 affect Java analysis in all applications.
 
 ## General improvements
 
-* You can now suppress alerts using either single-line block comments (`/* ... */`) or line comments (`// ...`).
+* Alert suppression can now be done with single-line block comments (`/* ... */`) as well as line comments (`// ...`).
 * A `Customizations.qll` file has been added to allow customizations of the standard library that apply to all queries.
 
 ## New queries
@@ -21,16 +21,16 @@ The following changes in version 1.24 affect Java analysis in all applications.
 
 | **Query**                    | **Expected impact**    | **Change**                        |
 |------------------------------|------------------------|-----------------------------------|
-| Dereferenced variable may be null (`java/dereferenced-value-may-be-null`) | Fewer false positive results | Final fields with a non-null initializer are no longer reported. |
-| Expression always evaluates to the same value (`java/evaluation-to-constant`) | Fewer false positive results | Expressions of the form `0 * x` are usually intended and no longer reported. Also left shift of ints by 32 bits and longs by 64 bits are no longer reported as they are not constant, these results are instead reported by the new query `java/lshift-larger-than-type-width`. |
-| Useless null check (`java/useless-null-check`) | More true positive results | Useless checks on final fields with a non-null initializer are now reported. |
+| Dereferenced variable may be null (`java/dereferenced-value-may-be-null`) | Fewer false positives | Final fields with a non-null initializer are no longer reported. |
+| Expression always evaluates to the same value (`java/evaluation-to-constant`) | Fewer false positives | Expressions of the form `0 * x` are usually intended and no longer reported. Also left shift of ints by 32 bits and longs by 64 bits are no longer reported as they are not constant, these results are instead reported by the new query `java/lshift-larger-than-type-width`. |
+| Useless null check (`java/useless-null-check`) | More true positives | Useless checks on final fields with a non-null initializer are now reported. |
 
 ## Changes to libraries
 
 * The data-flow library has been improved, which affects and improves most security queries. The improvements are:
-    - Track flow through methods that combine taint tracking with flow through fields.
-    - Track flow through clone-like methods, that is, methods that read contents of a field from a
-      parameter and stores the value in the field of a returned object.
+  - Track flow through methods that combine taint tracking with flow through fields.
+  - Track flow through clone-like methods, that is, methods that read contents of a field from a
+    parameter and stores the value in the field of a returned object.
 * Identification of test classes has been improved. Previously, one of the
   match conditions would classify any class with a name containing the string
   "Test" as a test class, but now this matching has been replaced with one that
@@ -38,6 +38,6 @@ The following changes in version 1.24 affect Java analysis in all applications.
   general file classification mechanism and thus suppression of alerts, and
   also any security queries using taint tracking, as test classes act as
   default barriers stopping taint flow.
-* Parentheses are now no longer modeled directly in the AST, that is, the
+* Parentheses are now no longer modelled directly in the AST, that is, the
   `ParExpr` class is empty. Instead, a parenthesized expression can be
   identified with the `Expr.isParenthesized()` member predicate.

change-notes/1.24/analysis-javascript.md

@@ -4,68 +4,67 @@
 
 * TypeScript 3.8 is now supported.
 
-* You can now suppress alerts using either single-line block comments (`/* ... */`) or line comments (`// ...`).
+* Alert suppression can now be done with single-line block comments (`/* ... */`) as well as line comments (`// ...`).
 
 * Resolution of imports has improved, leading to more results from the security queries:
-    - Imports with the `.js` extension can now be resolved to a TypeScript file,
-      when the import refers to a file generated by TypeScript.
-    - Imports that rely on path-mappings from a `tsconfig.json` file can now be resolved.
-    - Export declarations of the form `export * as ns from "x"` are now analyzed more precisely.
+  - Imports with the `.js` extension can now be resolved to a TypeScript file,
+  when the import refers to a file generated by TypeScript.
+  - Imports that rely on path-mappings from a `tsconfig.json` file can now be resolved.
+  - Export declarations of the form `export * as ns from "x"` are now analyzed more precisely.
 
 * The analysis of sanitizers has improved, leading to more accurate results from the security queries.
   In particular:
-    - Sanitizer guards now act across function boundaries in more cases.
-    - Sanitizers can now better distinguish between a tainted value and an object _containing_ a tainted value.
+  - Sanitizer guards now act across function boundaries in more cases.
+  - Sanitizers can now better distinguish between a tainted value and an object _containing_ a tainted value.
 
 * Call graph construction has been improved, leading to more results from the security queries:
-    - Calls can now be resolved to indirectly-defined class members in more cases.
-    - Calls through partial invocations such as `.bind` can now be resolved in more cases.
+  - Calls can now be resolved to indirectly-defined class members in more cases.
+  - Calls through partial invocations such as `.bind` can now be resolved in more cases.
 
 * Support for flow summaries has been more clearly marked as being experimental and moved to the new `experimental` folder.
 
 * Support for the following frameworks and libraries has been improved:
-    - [chrome-remote-interface](https://www.npmjs.com/package/chrome-remote-interface)
-    - [Electron](https://electronjs.org/)
-    - [for-in](https://www.npmjs.com/package/for-in)
-    - [for-own](https://www.npmjs.com/package/for-own)
-    - [fstream](https://www.npmjs.com/package/fstream)
-    - [Handlebars](https://www.npmjs.com/package/handlebars)
-    - [http2](https://nodejs.org/api/http2.html)
-    - [jQuery](https://jquery.com/)
-    - [jsonfile](https://www.npmjs.com/package/jsonfile)
-    - [Koa](https://www.npmjs.com/package/koa)
-    - [lazy-cache](https://www.npmjs.com/package/lazy-cache)
-    - [mongodb](https://www.npmjs.com/package/mongodb)
-    - [ncp](https://www.npmjs.com/package/ncp)
-    - [Node.js](https://nodejs.org/)
-    - [node-dir](https://www.npmjs.com/package/node-dir)
-    - [path-exists](https://www.npmjs.com/package/path-exists)
-    - [pg](https://www.npmjs.com/package/pg)
-    - [react](https://www.npmjs.com/package/react)
-    - [recursive-readdir](https://www.npmjs.com/package/recursive-readdir)
-    - [request](https://www.npmjs.com/package/request)
-    - [rimraf](https://www.npmjs.com/package/rimraf)
-    - [send](https://www.npmjs.com/package/send)
-    - [Socket.IO](https://socket.io/)
-    - [SockJS](https://www.npmjs.com/package/sockjs)
-    - [SockJS-client](https://www.npmjs.com/package/sockjs-client)
-    - [typeahead.js](https://www.npmjs.com/package/typeahead.js)
-    - [vinyl-fs](https://www.npmjs.com/package/vinyl-fs)
-    - [WebSocket](https://developer.mozilla.org/en-US/docs/Web/API/WebSockets_API)
-    - [write-file-atomic](https://www.npmjs.com/package/write-file-atomic)
-    - [ws](https://github.com/websockets/ws)
-
+  - [Electron](https://electronjs.org/)
+  - [fstream](https://www.npmjs.com/package/fstream)
+  - [Handlebars](https://www.npmjs.com/package/handlebars)
+  - [jsonfile](https://www.npmjs.com/package/jsonfile)
+  - [Koa](https://www.npmjs.com/package/koa)
+  - [Node.js](https://nodejs.org/)
+  - [Socket.IO](https://socket.io/)
+  - [WebSocket](https://developer.mozilla.org/en-US/docs/Web/API/WebSockets_API)
+  - [chrome-remote-interface](https://www.npmjs.com/package/chrome-remote-interface)
+  - [for-in](https://www.npmjs.com/package/for-in)
+  - [for-own](https://www.npmjs.com/package/for-own)
+  - [http2](https://nodejs.org/api/http2.html)
+  - [jQuery](https://jquery.com/)
+  - [lazy-cache](https://www.npmjs.com/package/lazy-cache)
+  - [mongodb](https://www.npmjs.com/package/mongodb)
+  - [ncp](https://www.npmjs.com/package/ncp)
+  - [node-dir](https://www.npmjs.com/package/node-dir)
+  - [path-exists](https://www.npmjs.com/package/path-exists)
+  - [pg](https://www.npmjs.com/package/pg)
+  - [react](https://www.npmjs.com/package/react)
+  - [recursive-readdir](https://www.npmjs.com/package/recursive-readdir)
+  - [request](https://www.npmjs.com/package/request)
+  - [rimraf](https://www.npmjs.com/package/rimraf)
+  - [send](https://www.npmjs.com/package/send)
+  - [SockJS](https://www.npmjs.com/package/sockjs)
+  - [SockJS-client](https://www.npmjs.com/package/sockjs-client)
+  - [typeahead.js](https://www.npmjs.com/package/typeahead.js)
+  - [vinyl-fs](https://www.npmjs.com/package/vinyl-fs)
+  - [write-file-atomic](https://www.npmjs.com/package/write-file-atomic)
+  - [ws](https://github.com/websockets/ws)
 
 ## New queries
 
 | **Query**                                                                       | **Tags**                                                          | **Purpose**                                                                                                                                                                            |
 |---------------------------------------------------------------------------------|-------------------------------------------------------------------|----------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------|
 | Cross-site scripting through exception (`js/xss-through-exception`) | security, external/cwe/cwe-079, external/cwe/cwe-116              | Highlights potential XSS vulnerabilities where an exception is written to the DOM. Results are not shown on LGTM by default. |
+| Regular expression always matches (`js/regex/always-matches`) | correctness, regular-expressions | Highlights regular expression checks that trivially succeed by matching an empty substring. Results are shown on LGTM by default. |
 | Missing await (`js/missing-await`) | correctness | Highlights expressions that operate directly on a promise object in a nonsensical way, instead of awaiting its result. Results are shown on LGTM by default. |
 | Polynomial regular expression used on uncontrolled data (`js/polynomial-redos`) | security, external/cwe/cwe-730, external/cwe/cwe-400 | Highlights expensive regular expressions that may be used on malicious input. Results are shown on LGTM by default. | 
 | Prototype pollution in utility function (`js/prototype-pollution-utility`) | security, external/cwe/cwe-400, external/cwe/cwe-471 | Highlights recursive assignment operations that are susceptible to prototype pollution. Results are shown on LGTM by default. |
-| Regular expression always matches (`js/regex/always-matches`) | correctness, regular-expressions | Highlights regular expression checks that trivially succeed by matching an empty substring. Results are shown on LGTM by default. |
-| Unsafe jQuery plugin (`js/unsafe-jquery-plugin`) | | Highlights potential XSS vulnerabilities in unsafely designed jQuery plugins. Results are shown on LGTM by default. |
+| Unsafe jQuery plugin (`js/unsafe-jquery-plugin`) | Highlights potential XSS vulnerabilities in unsafely designed jQuery plugins. Results are shown on LGTM by default. |
 | Unnecessary use of `cat` process (`js/unnecessary-use-of-cat`) | correctness, security, maintainability | Highlights command executions of `cat` where the fs API should be used instead. Results are shown on LGTM by default. |
 
 
@@ -74,20 +73,20 @@
 | **Query**                      | **Expected impact**          | **Change**                                                                |
 |--------------------------------|------------------------------|---------------------------------------------------------------------------|
 | Clear-text logging of sensitive information (`js/clear-text-logging`) | More results | More results involving `process.env` and indirect calls to logging methods are recognized. |
-| Duplicate parameter names (`js/duplicate-parameter-name`) | Fewer results | This query now ignores additional parameters that reasonably can have duplicated names. |
+| Duplicate parameter names (`js/duplicate-parameter-name`) | Fewer results | This query now recognizes additional parameters that reasonably can have duplicated names. |
+| Incomplete string escaping or encoding (`js/incomplete-sanitization`) | Fewer false positive results | This query now recognizes additional cases where a single replacement is likely to be intentional. |
+| Unbound event handler receiver (`js/unbound-event-handler-receiver`) | Fewer false positive results | This query now recognizes additional ways event handler receivers can be bound. | 
 | Expression has no effect (`js/useless-expression`) | Fewer false positive results | The query now recognizes block-level flow type annotations and ignores the first statement of a try block. |
-| Identical operands (`js/redundant-operation`) | Fewer results | This query now excludes cases where the operands change a value using ++/-- expressions. |
-| Incomplete string escaping or encoding (`js/incomplete-sanitization`) | Fewer false positive results | This query now recognizes and excludes additional cases where a single replacement is likely to be intentional. |
-| Incomplete URL scheme check (`js/incomplete-url-scheme-check`) | More results | This query now recognizes additional variations of URL scheme checks. |
-| Missing CSRF middleware (`js/missing-token-validation`) | Fewer false positive results | The query reports fewer duplicates and only flags handlers that explicitly access cookie data. |
-| Superfluous trailing arguments (`js/superfluous-trailing-arguments`) | Fewer results | This query now excludes cases where a function uses the `Function.arguments` value to process a variable number of parameters. |
-| Syntax error (`js/syntax-error`) | Lower severity | This results of this query are now displayed with lower severity. |
-| Unbound event handler receiver (`js/unbound-event-handler-receiver`) | Fewer false positive results | This query now recognizes additional ways event handler receivers can be bound. |
-| Uncontrolled command line (`js/command-line-injection`) | More results | This query now recognizes additional ways of constructing arguments to `cmd.exe` and `/bin/sh`. |
-| Uncontrolled data used in path expression (`js/path-injection`) | More results | This query now recognizes additional ways dangerous paths can be constructed and used. |
 | Use of call stack introspection in strict mode (`js/strict-mode-call-stack-introspection`) | Fewer false positive results | The query no longer flags expression statements. |
-| Use of password hash with insufficient computational effort (`js/insufficient-password-hash`) | Fewer false positive results | This query now recognizes and excludes additional cases that do not require secure hashing. |
-| Useless regular-expression character escape (`js/useless-regexp-character-escape`) | Fewer false positive results | This query now distinguishes between escapes in strings and regular expression literals. |
+| Missing CSRF middleware (`js/missing-token-validation`) | Fewer false positive results | The query reports fewer duplicates and only flags handlers that explicitly access cookie data. |
+| Uncontrolled data used in path expression (`js/path-injection`) | More results | This query now recognizes additional ways dangerous paths can be constructed and used. |
+| Uncontrolled command line (`js/command-line-injection`) | More results | This query now recognizes additional ways of constructing arguments to `cmd.exe` and `/bin/sh`. |
+| Syntax error (`js/syntax-error`) | Lower severity | This results of this query are now displayed with lower severity. |
+| Use of password hash with insufficient computational effort (`js/insufficient-password-hash`) | Fewer false positive results | This query now recognizes additional cases that do not require secure hashing. |
+| Useless regular-expression character escape (`js/useless-regexp-character-escape`) | Fewer false positive results | This query now distinguishes escapes in strings and regular expression literals. |
+| Identical operands (`js/redundant-operation`) | Fewer results | This query now recognizes cases where the operands change a value using ++/-- expressions. |
+| Superfluous trailing arguments (`js/superfluous-trailing-arguments`) | Fewer results | This query now recognizes cases where a function uses the `Function.arguments` value to process a variable number of parameters. |
+| Incomplete URL scheme check (`js/incomplete-url-scheme-check`) | More results | This query now recognizes more variations of URL scheme checks. |
 
 ## Changes to libraries
 
@@ -95,6 +94,6 @@
 * An extensible model of the `EventEmitter` pattern has been implemented.
 * Taint-tracking configurations now interact differently with the `data` flow label, which may affect queries
   that combine taint-tracking and flow labels.
-    - Sources added by the 1-argument `isSource` predicate are associated with the `taint` label now, instead of the `data` label.
-    - Sanitizers now only block the `taint` label. As a result, sanitizers no longer block the flow of tainted values wrapped inside a property of an object.
-      To retain the old behavior, instead use a barrier, or block the `data` flow label using a labeled sanitizer.
+  - Sources added by the 1-argument `isSource` predicate are associated with the `taint` label now, instead of the `data` label.
+  - Sanitizers now only block the `taint` label. As a result, sanitizers no longer block the flow of tainted values wrapped inside a property of an object.
+    To retain the old behavior, instead use a barrier, or block the `data` flow label using a labeled sanitizer.

change-notes/1.24/analysis-python.md

@@ -4,52 +4,37 @@ The following changes in version 1.24 affect Python analysis in all applications
 
 ## General improvements
 
-- Support for Django version 2.x and 3.x
+Support for Django version 2.x and 3.x
 
-- Taint tracking now correctly tracks taint in destructuring assignments. For example, if `tainted_list` is a list of tainted tainted elements, then
-    ```python
-    head, *tail = tainted_list
-    ```
-    will result in `tail` being tainted with the same taint as `tainted_list`, and `head` being tainted with the taint of the elements of `tainted_list`.
-
-- A large number of libraries and queries have been moved to the new `Value` API, which should result in more precise results.
-
-- The `Value` interface has been extended in various ways:
-   - A new `StringValue` class has been added, for tracking string literals.
-   - Values now have a `booleanValue` method which returns the boolean interpretation of the given value.
-   - Built-in methods for which the return type is not fixed are now modeled as returning an unknown value by default.
+## New queries
 
+| **Query**                   | **Tags**  | **Purpose**                                                        |
+|-----------------------------|-----------|--------------------------------------------------------------------|
 
 ## Changes to existing queries
 
 | **Query**                  | **Expected impact**    | **Change**                                                       |
 |----------------------------|------------------------|------------------------------------------------------------------|
-| Arbitrary file write during tarfile extraction (`py/tarslip`) | Fewer false negative results | Negations are now handled correctly in conditional expressions that may sanitize tainted values. |
-| First parameter of a method is not named 'self' (`py/not-named-self`) | Fewer false positive results | `__class_getitem__` is now recognized as a class method. |
-| Import of deprecated module (`py/import-deprecated-module`) | Fewer false positive results | Deprecated modules that are used to provide backwards compatibility are no longer reported.|
-| Module imports itself (`py/import-own-module`) | Fewer false positive results | Imports local to a given package are no longer classified as self-imports. |
-| Uncontrolled command line (`py/command-line-injection`) | More results | We now model the `fabric` and `invoke` packages for command execution. |
+| Uncontrolled command line (`py/command-line-injection`) | More results | We now model the `fabric` and `invoke` pacakges for command execution. |
 
 ### Web framework support
 
-The CodeQL library has improved support for the web frameworks: Bottle, CherryPy, Falcon, Pyramid, TurboGears, Tornado, and Twisted. They now provide a proper `HttpRequestTaintSource`, instead of a `TaintSource`. This will enable results for the following queries:
+The QL-library support for the web frameworks Bottle, CherryPy, Falcon, Pyramid, TurboGears, Tornado, and Twisted have
+been fixed so they provide a proper HttpRequestTaintSource, instead of a TaintSource. This will enable results for the following queries:
 
-- `py/path-injection`
-- `py/command-line-injection`
-- `py/reflective-xss`
-- `py/sql-injection`
-- `py/code-injection`
-- `py/unsafe-deserialization`
-- `py/url-redirection`
+- py/path-injection
+- py/command-line-injection
+- py/reflective-xss
+- py/sql-injection
+- py/code-injection
+- py/unsafe-deserialization
+- py/url-redirection
 
-The library also has improved support for the web framework Twisted. It now provides a proper
-`HttpResponseTaintSink`, instead of a `TaintSink`. This will enable results for the following
+The QL-library support for the web framework Twisted have been fixed so they provide a proper
+HttpResponseTaintSink, instead of a TaintSink. This will enable results for the following
 queries:
 
-- `py/reflective-xss`
-- `py/stack-trace-exposure`
+- py/reflective-xss
+- py/stack-trace-exposure
 
 ## Changes to libraries
-### Taint tracking
-- The `urlsplit` and `urlparse` functions now propagate taint appropriately.
-- HTTP requests using the `requests` library are now modeled.

change-notes/1.25/analysis-cpp.md

@@ -1,46 +0,0 @@
-# Improvements to C/C++ analysis
-
-The following changes in version 1.25 affect C/C++ analysis in all applications.
-
-## General improvements
-
-## New queries
-
-| **Query**                   | **Tags**  | **Purpose**                                                        |
-|-----------------------------|-----------|--------------------------------------------------------------------|
-
-## Changes to existing queries
-
-| **Query**                  | **Expected impact**    | **Change**                                                       |
-|----------------------------|------------------------|------------------------------------------------------------------|
-| Uncontrolled format string (`cpp/tainted-format-string`) |  | This query is now displayed by default on LGTM. |
-| Uncontrolled format string (through global variable) (`cpp/tainted-format-string-through-global`) |  | This query is now displayed by default on LGTM. |
-
-## Changes to libraries
-
-* The library `VCS.qll` and all queries that imported it have been removed.
-* The data-flow library has been improved, which affects most security queries by potentially
-  adding more results. Flow through functions now takes nested field reads/writes into account.
-  For example, the library is able to track flow from `taint()` to `sink()` via the method
-  `getf2f1()` in
-  ```c
-  struct C {
-      int f1;
-  };
-
-  struct C2
-  {
-      C f2;
-
-      int getf2f1() {
-          return f2.f1; // Nested field read
-      }
-
-      void m() {
-          f2.f1 = taint();
-          sink(getf2f1()); // NEW: taint() reaches here
-      }
-  };
-  ```
-* The security pack taint tracking library (`semmle.code.cpp.security.TaintTracking`) now considers that equality checks may block the flow of taint.  This results in fewer false positive results from queries that use this library.
-* The length of a tainted string (such as the return value of a call to `strlen` or `strftime` with tainted parameters) is no longer itself considered tainted by the `models` library.  This leads to fewer false positive results in queries that use any of our taint libraries.

change-notes/1.25/analysis-csharp.md

@@ -1,78 +0,0 @@
-# Improvements to C# analysis
-
-The following changes in version 1.25 affect C# analysis in all applications.
-
-## New queries
-
-| **Query**                   | **Tags**  | **Purpose**                                                        |
-|-----------------------------|-----------|--------------------------------------------------------------------|
-
-
-## Changes to existing queries
-
-| **Query**                    | **Expected impact**    | **Change**                        |
-|------------------------------|------------------------|-----------------------------------|
-
-
-## Removal of old queries
-
-## Changes to code extraction
-
-* Index initializers, of the form `{ [1] = "one" }`, are extracted correctly. Previously, the kind of the
-  expression was incorrect, and the index was not extracted.
-
-## Changes to libraries
-
-* The class `UnboundGeneric` has been refined to only be those declarations that actually
-  have type parameters. This means that non-generic nested types inside constructed types,
-  such as `A<int>.B`, no longer are considered unbound generics. (Such nested types do,
-  however, still have relevant `.getSourceDeclaration()`s, for example `A<>.B`.)
-* The data-flow library has been improved, which affects most security queries by potentially
-  adding more results:
-  - Flow through methods now takes nested field reads/writes into account.
-    For example, the library is able to track flow from `"taint"` to `Sink()` via the method
-    `GetF2F1()` in
-    ```csharp
-    class C1
-    {
-        string F1;
-    }
-
-    class C2
-    {
-        C1 F2;
-
-        string GetF2F1() => F2.F1; // Nested field read
-
-        void M()
-        {
-            F2 = new C1() { F1 = "taint" };
-            Sink(GetF2F1()); // NEW: "taint" reaches here
-        }
-    }
-    ```
-  - Flow through collections is now modeled precisely. For example, instead of modeling an array
-    store `a[i] = x` as a taint-step from `x` to `a`, we now model it as a data-flow step that
-    stores `x` into `a`. To get the value back out, a matching read step must be taken.
-
-    For source-code based data-flow analysis, the following constructs are modeled as stores into
-    collections:
-    - Direct array assignments, `a[i] = x`.
-    - Array initializers, `new [] { x }`.
-    - C# 6-style array initializers, `new C() { Array = { [i] = x } }`.
-    - Call arguments that match a `params` parameter, where the C# compiler creates an array under-the-hood.
-    - `yield return` statements.
-
-    The following source-code constructs read from a collection:
-    - Direct array reads, `a[i]`.
-    - `foreach` statements.
-
-    For calls out to library code, existing flow summaries have been refined to precisely
-    capture how they interact with collection contents. For example, a call to
-    `System.Collections.Generic.List<T>.Add(T)` stores the value of the argument into the
-    qualifier, and a call to `System.Collections.Generic.List<T>.get_Item(int)` (that is, an
-    indexer call) reads contents out of the qualifier. Moreover, the effect of
-    collection-clearing methods such as `System.Collections.Generic.List<T>.Clear()` is now
-    also modeled.
-
-## Changes to autobuilder

change-notes/1.25/analysis-java.md

@@ -1,49 +0,0 @@
-# Improvements to Java analysis
-
-The following changes in version 1.25 affect Java analysis in all applications.
-
-## General improvements
-
-The Java autobuilder has been improved to detect more Gradle Java versions.
-
-## Changes to existing queries
-
-| **Query**                    | **Expected impact**    | **Change**                        |
-|------------------------------|------------------------|-----------------------------------|
-| Hard-coded credential in API call (`java/hardcoded-credential-api-call`) | More results | The query now recognizes the `BasicAWSCredentials` class of the Amazon client SDK library with hardcoded access key/secret key. |
-| Deserialization of user-controlled data (`java/unsafe-deserialization`) | Fewer false positive results | The query no longer reports results using `org.apache.commons.io.serialization.ValidatingObjectInputStream`. |
-| Use of a broken or risky cryptographic algorithm (`java/weak-cryptographic-algorithm`) | More results | The query now recognizes the `MessageDigest.getInstance` method. |
-| Use of a potentially broken or risky cryptographic algorithm (`java/potentially-weak-cryptographic-algorithm`) | More results | The query now recognizes the `MessageDigest.getInstance` method. |
-| Reading from a world writable file (`java/world-writable-file-read`) | More results | The query now recognizes more JDK file operations. |
-
-## Changes to libraries
-
-* The data-flow library has been improved with more taint flow modeling for the
-  Collections framework and other classes of the JDK. This affects all security
-  queries using data flow and can yield additional results.
-* The data-flow library has been improved with more taint flow modeling for the
-  Spring framework. This affects all security queries using data flow and can
-  yield additional results on project that rely on the Spring framework.
-* The data-flow library has been improved, which affects most security queries by potentially
-  adding more results. Flow through methods now takes nested field reads/writes into account.
-  For example, the library is able to track flow from `"taint"` to `sink()` via the method
-  `getF2F1()` in
-  ```java
-  class C1 {
-    String f1;
-    C1(String f1) { this.f1 = f1; }
-  }
-
-  class C2 {
-    C1 f2;
-    String getF2F1() {
-        return this.f2.f1; // Nested field read
-    }
-    void m() {
-        this.f2 = new C1("taint");
-        sink(this.getF2F1()); // NEW: "taint" reaches here
-    }
-  }
-  ```
-* The library has been extended with more support for Java 14 features
-  (`switch` expressions and pattern-matching for `instanceof`).

change-notes/1.25/analysis-javascript.md

@@ -1,111 +0,0 @@
-# Improvements to JavaScript analysis
-
-## General improvements
-
-* Support for the following frameworks and libraries has been improved:
-  - [Promise](https://developer.mozilla.org/en-US/docs/Web/JavaScript/Reference/Global_Objects/Promise)
-  - [bluebird](http://bluebirdjs.com/)
-  - [express](https://www.npmjs.com/package/express)
-  - [execa](https://www.npmjs.com/package/execa)
-  - [fancy-log](https://www.npmjs.com/package/fancy-log)
-  - [fastify](https://www.npmjs.com/package/fastify)
-  - [foreground-child](https://www.npmjs.com/package/foreground-child)
-  - [fstream](https://www.npmjs.com/package/fstream)
-  - [jGrowl](https://github.com/stanlemon/jGrowl)
-  - [jQuery](https://jquery.com/)
-  - [marsdb](https://www.npmjs.com/package/marsdb)
-  - [micro](https://www.npmjs.com/package/micro/)
-  - [minimongo](https://www.npmjs.com/package/minimongo/)
-  - [mssql](https://www.npmjs.com/package/mssql)
-  - [mysql](https://www.npmjs.com/package/mysql)
-  - [npmlog](https://www.npmjs.com/package/npmlog)
-  - [opener](https://www.npmjs.com/package/opener)
-  - [pg](https://www.npmjs.com/package/pg)
-  - [sequelize](https://www.npmjs.com/package/sequelize)
-  - [spanner](https://www.npmjs.com/package/spanner)
-  - [sqlite](https://www.npmjs.com/package/sqlite)
-  - [ssh2-streams](https://www.npmjs.com/package/ssh2-streams)
-  - [ssh2](https://www.npmjs.com/package/ssh2)
-  - [vue](https://www.npmjs.com/package/vue)
-  - [yargs](https://www.npmjs.com/package/yargs)
-  - [webpack-dev-server](https://www.npmjs.com/package/webpack-dev-server)
-
-* TypeScript 3.9 is now supported.
-
-* TypeScript code embedded in HTML and Vue files is now extracted and analyzed.
-
-* The analysis of sanitizers has improved, leading to more accurate
-  results from the security queries.
-
-## New queries
-
-| **Query**                                                                       | **Tags**                                                          | **Purpose**                                                                                                                                                                            |
-|---------------------------------------------------------------------------------|-------------------------------------------------------------------|----------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------|
-| DOM text reinterpreted as HTML (`js/xss-through-dom`) | security, external/cwe/cwe-079, external/cwe/cwe-116 | Highlights potential XSS vulnerabilities where existing text from the DOM is used as HTML. Results are shown on LGTM by default. |
-| Incomplete HTML attribute sanitization (`js/incomplete-html-attribute-sanitization`) | security, external/cwe/cwe-20, external/cwe/cwe-079, external/cwe/cwe-116 | Highlights potential XSS vulnerabilities due to incomplete sanitization of HTML meta-characters. Results are shown on LGTM by default. |
-| Unsafe expansion of self-closing HTML tag (`js/unsafe-html-expansion`) | security, external/cwe/cwe-079, external/cwe/cwe-116 | Highlights potential XSS vulnerabilities caused by unsafe expansion of self-closing HTML tags. |
-| Unsafe shell command constructed from library input (`js/shell-command-constructed-from-input`) | correctness, security, external/cwe/cwe-078, external/cwe/cwe-088 | Highlights potential command injections due to a shell command being constructed from library inputs. Results are shown on LGTM by default. |
-| Download of sensitive file through insecure connection (`js/insecure-download`) | security, external/cwe/cwe-829 | Highlights downloads of sensitive files through an unencrypted protocol. Results are shown on LGTM by default. |
-| Exposure of private files (`js/exposure-of-private-files`) | security, external/cwe/cwe-200 | Highlights servers that serve private files. Results are shown on LGTM by default. |
-| Creating biased random numbers from a cryptographically secure source (`js/biased-cryptographic-random`) | security, external/cwe/cwe-327 | Highlights mathematical operations on cryptographically secure numbers that can create biased results. Results are shown on LGTM by default. |
-| Storage of sensitive information in build artifact (`js/build-artifact-leak`) | security, external/cwe/cwe-312 | Highlights storage of sensitive information in build artifacts. Results are shown on LGTM by default. |
-| Improper code sanitization (`js/bad-code-sanitization`) | security, external/cwe/cwe-094, external/cwe/cwe-079, external/cwe/cwe-116 | Highlights string concatenation where code is constructed without proper sanitization. Results are shown on LGTM by default. |
-| Disabling certificate validation (`js/disabling-certificate-validation`) | security, external/cwe-295 | Highlights locations where SSL certificate validation is disabled. Results are shown on LGTM by default. | 
-| Incomplete multi-character sanitization (`js/incomplete-multi-character-sanitization`) | correctness, security, external/cwe/cwe-20, external/cwe/cwe-116 | Highlights sanitizers that fail to remove dangerous substrings completely. Results are shown on LGTM by default. |
-
-## Changes to existing queries
-
-| **Query**                      | **Expected impact**          | **Change**                                                                |
-|--------------------------------|------------------------------|---------------------------------------------------------------------------|
-| Client-side cross-site scripting (`js/xss`) | Fewer results | This query now recognizes additional safe patterns of constructing HTML. |
-| Client-side URL redirect (`js/client-side-unvalidated-url-redirection`) | Fewer results | This query now recognizes additional safe patterns of doing URL redirects. |
-| Code injection (`js/code-injection`) | More results | More potential vulnerabilities involving NoSQL code operators are now recognized. |
-| Exception text reinterpreted as HTML (`js/exception-xss`) | Rephrased and changed visibility | Rephrased name and alert message. Severity lowered from error to warning. Results are now shown on LGTM by default. |
-| Expression has no effect (`js/useless-expression`) | Fewer results | This query no longer flags an expression when that expression is the only content of the containing file. |
-| Hard-coded credentials (`js/hardcoded-credentials`) | More results | This query now recognizes hard-coded credentials sent via HTTP authorization headers. |
-| Incomplete URL scheme check (`js/incomplete-url-scheme-check`) | More results | This query now recognizes additional url scheme checks. |
-| Insecure randomness (`js/insecure-randomness`) | Fewer results | This query now recognizes when an insecure random value is used as a fallback when secure random values are unsupported. |
-| Misspelled variable name (`js/misspelled-variable-name`) | Message changed | The message for this query now correctly identifies the misspelled variable in additional cases. |
-| Non-linear pattern (`js/non-linear-pattern`) | Fewer duplicates and message changed | This query now generates fewer duplicate alerts and has a clearer explanation in case of type annotations used in a pattern. |
-| Prototype pollution in utility function (`js/prototype-pollution-utility`) | More results | This query now recognizes additional utility functions as vulnerable to prototype polution. |
-| Uncontrolled command line (`js/command-line-injection`) | More results | This query now recognizes additional command execution calls. |
-| Uncontrolled data used in path expression (`js/path-injection`) | More results | This query now recognizes additional file system calls. |
-| Uncontrolled data used in path expression (`js/path-injection`) | Fewer results | This query no longer flags paths that have been checked to be part of a collection. |
-| Unknown directive (`js/unknown-directive`) | Fewer results | This query no longer flags directives generated by the Babel compiler. |
-| Unneeded defensive code (`js/unneeded-defensive-code`) | Fewer false-positive results | This query now recognizes checks meant to handle the `document.all` object. |
-| Unused property (`js/unused-property`) | Fewer results | This query no longer flags properties of objects that are operands of `yield` expressions. |
-| Zip Slip (`js/zipslip`) | More results | This query now recognizes additional vulnerabilities. |
-
-The following low-precision queries are no longer run by default on LGTM (their results already were not displayed):
-
-  - `js/angular/dead-event-listener`
-  - `js/angular/unused-dependency`
-  - `js/bitwise-sign-check`
-  - `js/comparison-of-identical-expressions`
-  - `js/conflicting-html-attribute`
-  - `js/ignored-setter-parameter`
-  - `js/jsdoc/malformed-param-tag`
-  - `js/jsdoc/missing-parameter`
-  - `js/jsdoc/unknown-parameter`
-  - `js/json-in-javascript-file`
-  - `js/misspelled-identifier`
-  - `js/nested-loops-with-same-variable`
-  - `js/node/cyclic-import`
-  - `js/node/unused-npm-dependency`
-  - `js/omitted-array-element`
-  - `js/return-outside-function`
-  - `js/single-run-loop`
-  - `js/too-many-parameters`
-  - `js/unused-property`
-  - `js/useless-assignment-to-global`
-
-## Changes to libraries
-
-* A library `semmle.javascript.explore.CallGraph` has been added to help write queries for exploring the call graph.
-* Added data flow for `Map` and `Set`, and added matching type-tracking steps that can accessed using the `CollectionsTypeTracking` module.
-* The data-flow node representing a parameter or destructuring pattern is now always the `ValueNode` corresponding to that AST node. This has a few consequences:
-  - `Parameter.flow()` now gets the correct data flow node for a parameter. Previously this had a result, but the node was disconnected from the data flow graph.
-  - `ParameterNode.asExpr()` and `.getAstNode()` now gets the parameter's AST node, whereas previously it had no result.
-  - `Expr.flow()` now has a more meaningful result for destructuring patterns. Previously this node was disconnected from the data flow graph. Now it represents the values being destructured by the pattern.
-* The global data-flow and taint-tracking libraries now model indirect parameter accesses through the `arguments` object in some cases, which may lead to additional results from some of the security queries, particularly "Prototype pollution in utility function".
-* The predicates `Type.getProperty()` and variants of `Type.getMethod()` have been deprecated due to lack of use-cases. Looking up a named property of a static type is no longer supported, favoring faster extraction times instead.

change-notes/1.25/analysis-python.md

@@ -1,22 +0,0 @@
-# Improvements to Python analysis
-
-The following changes in version 1.25 affect Python analysis in all applications.
-
-## General improvements
-
-
-## New queries
-
-| **Query**                   | **Tags**  | **Purpose**                                                        |
-|-----------------------------|-----------|--------------------------------------------------------------------|
-
-
-## Changes to existing queries
-
-| **Query**                  | **Expected impact**    | **Change**                                                       |
-|----------------------------|------------------------|------------------------------------------------------------------|
-
-
-## Changes to libraries
-
-* Importing `semmle.python.web.HttpRequest` will no longer import `UntrustedStringKind` transitively. `UntrustedStringKind` is the most commonly used non-abstract subclass of `ExternalStringKind`. If not imported (by one mean or another), taint-tracking queries that concern `ExternalStringKind` will not produce any results. Please ensure such queries contain an explicit import (`import semmle.python.security.strings.Untrusted`).

config/identical-files.json

@@ -1,5 +1,5 @@
 {
-  "DataFlow Java/C++/C#/Python": [
+  "DataFlow Java/C++/C#": [
     "java/ql/src/semmle/code/java/dataflow/internal/DataFlowImpl.qll",
     "java/ql/src/semmle/code/java/dataflow/internal/DataFlowImpl2.qll",
     "java/ql/src/semmle/code/java/dataflow/internal/DataFlowImpl3.qll",
@@ -18,18 +18,15 @@
     "csharp/ql/src/semmle/code/csharp/dataflow/internal/DataFlowImpl2.qll",
     "csharp/ql/src/semmle/code/csharp/dataflow/internal/DataFlowImpl3.qll",
     "csharp/ql/src/semmle/code/csharp/dataflow/internal/DataFlowImpl4.qll",
-    "csharp/ql/src/semmle/code/csharp/dataflow/internal/DataFlowImpl5.qll",
-    "python/ql/src/experimental/dataflow/internal/DataFlowImpl.qll",
-    "python/ql/src/experimental/dataflow/internal/DataFlowImpl2.qll"
+    "csharp/ql/src/semmle/code/csharp/dataflow/internal/DataFlowImpl5.qll"
   ],
-  "DataFlow Java/C++/C#/Python Common": [
+  "DataFlow Java/C++/C# Common": [
     "java/ql/src/semmle/code/java/dataflow/internal/DataFlowImplCommon.qll",
     "cpp/ql/src/semmle/code/cpp/dataflow/internal/DataFlowImplCommon.qll",
     "cpp/ql/src/semmle/code/cpp/ir/dataflow/internal/DataFlowImplCommon.qll",
-    "csharp/ql/src/semmle/code/csharp/dataflow/internal/DataFlowImplCommon.qll",
-    "python/ql/src/experimental/dataflow/internal/DataFlowImplCommon.qll"
+    "csharp/ql/src/semmle/code/csharp/dataflow/internal/DataFlowImplCommon.qll"
   ],
-  "TaintTracking::Configuration Java/C++/C#/Python": [
+  "TaintTracking::Configuration Java/C++/C#": [
     "cpp/ql/src/semmle/code/cpp/dataflow/internal/tainttracking1/TaintTrackingImpl.qll",
     "cpp/ql/src/semmle/code/cpp/dataflow/internal/tainttracking2/TaintTrackingImpl.qll",
     "cpp/ql/src/semmle/code/cpp/ir/dataflow/internal/tainttracking1/TaintTrackingImpl.qll",
@@ -40,15 +37,13 @@
     "csharp/ql/src/semmle/code/csharp/dataflow/internal/tainttracking4/TaintTrackingImpl.qll",
     "csharp/ql/src/semmle/code/csharp/dataflow/internal/tainttracking5/TaintTrackingImpl.qll",
     "java/ql/src/semmle/code/java/dataflow/internal/tainttracking1/TaintTrackingImpl.qll",
-    "java/ql/src/semmle/code/java/dataflow/internal/tainttracking2/TaintTrackingImpl.qll",
-    "python/ql/src/experimental/dataflow/internal/tainttracking1/TaintTrackingImpl.qll"
+    "java/ql/src/semmle/code/java/dataflow/internal/tainttracking2/TaintTrackingImpl.qll"
   ],
-  "DataFlow Java/C++/C#/Python Consistency checks": [
+  "DataFlow Java/C++/C# Consistency checks": [
     "java/ql/src/semmle/code/java/dataflow/internal/DataFlowImplConsistency.qll",
     "cpp/ql/src/semmle/code/cpp/dataflow/internal/DataFlowImplConsistency.qll",
     "cpp/ql/src/semmle/code/cpp/ir/dataflow/internal/DataFlowImplConsistency.qll",
-    "csharp/ql/src/semmle/code/csharp/dataflow/internal/DataFlowImplConsistency.qll",
-    "python/ql/src/experimental/dataflow/internal/DataFlowImplConsistency.qll"
+    "csharp/ql/src/semmle/code/csharp/dataflow/internal/DataFlowImplConsistency.qll"
   ],
   "C++ SubBasicBlocks": [
     "cpp/ql/src/semmle/code/cpp/controlflow/SubBasicBlocks.qll",
@@ -58,122 +53,114 @@
     "cpp/ql/src/semmle/code/cpp/ir/implementation/raw/Instruction.qll",
     "cpp/ql/src/semmle/code/cpp/ir/implementation/unaliased_ssa/Instruction.qll",
     "cpp/ql/src/semmle/code/cpp/ir/implementation/aliased_ssa/Instruction.qll",
-    "csharp/ql/src/experimental/ir/implementation/raw/Instruction.qll",
-    "csharp/ql/src/experimental/ir/implementation/unaliased_ssa/Instruction.qll"
+    "csharp/ql/src/semmle/code/csharp/ir/implementation/raw/Instruction.qll",
+    "csharp/ql/src/semmle/code/csharp/ir/implementation/unaliased_ssa/Instruction.qll"
   ],
   "IR IRBlock": [
     "cpp/ql/src/semmle/code/cpp/ir/implementation/raw/IRBlock.qll",
     "cpp/ql/src/semmle/code/cpp/ir/implementation/unaliased_ssa/IRBlock.qll",
     "cpp/ql/src/semmle/code/cpp/ir/implementation/aliased_ssa/IRBlock.qll",
-    "csharp/ql/src/experimental/ir/implementation/raw/IRBlock.qll",
-    "csharp/ql/src/experimental/ir/implementation/unaliased_ssa/IRBlock.qll"
+    "csharp/ql/src/semmle/code/csharp/ir/implementation/raw/IRBlock.qll",
+    "csharp/ql/src/semmle/code/csharp/ir/implementation/unaliased_ssa/IRBlock.qll"
   ],
   "IR IRVariable": [
     "cpp/ql/src/semmle/code/cpp/ir/implementation/raw/IRVariable.qll",
     "cpp/ql/src/semmle/code/cpp/ir/implementation/unaliased_ssa/IRVariable.qll",
     "cpp/ql/src/semmle/code/cpp/ir/implementation/aliased_ssa/IRVariable.qll",
-    "csharp/ql/src/experimental/ir/implementation/raw/IRVariable.qll",
-    "csharp/ql/src/experimental/ir/implementation/unaliased_ssa/IRVariable.qll"
+    "csharp/ql/src/semmle/code/csharp/ir/implementation/raw/IRVariable.qll",
+    "csharp/ql/src/semmle/code/csharp/ir/implementation/unaliased_ssa/IRVariable.qll"
   ],
   "IR IRFunction": [
     "cpp/ql/src/semmle/code/cpp/ir/implementation/raw/IRFunction.qll",
     "cpp/ql/src/semmle/code/cpp/ir/implementation/unaliased_ssa/IRFunction.qll",
     "cpp/ql/src/semmle/code/cpp/ir/implementation/aliased_ssa/IRFunction.qll",
-    "csharp/ql/src/experimental/ir/implementation/raw/IRFunction.qll",
-    "csharp/ql/src/experimental/ir/implementation/unaliased_ssa/IRFunction.qll"
+    "csharp/ql/src/semmle/code/csharp/ir/implementation/raw/IRFunction.qll",
+    "csharp/ql/src/semmle/code/csharp/ir/implementation/unaliased_ssa/IRFunction.qll"
   ],
   "IR Operand": [
     "cpp/ql/src/semmle/code/cpp/ir/implementation/raw/Operand.qll",
     "cpp/ql/src/semmle/code/cpp/ir/implementation/unaliased_ssa/Operand.qll",
     "cpp/ql/src/semmle/code/cpp/ir/implementation/aliased_ssa/Operand.qll",
-    "csharp/ql/src/experimental/ir/implementation/raw/Operand.qll",
-    "csharp/ql/src/experimental/ir/implementation/unaliased_ssa/Operand.qll" 
+    "csharp/ql/src/semmle/code/csharp/ir/implementation/raw/Operand.qll",
+    "csharp/ql/src/semmle/code/csharp/ir/implementation/unaliased_ssa/Operand.qll" 
   ],
   "IR IRType": [
     "cpp/ql/src/semmle/code/cpp/ir/implementation/IRType.qll",
-    "csharp/ql/src/experimental/ir/implementation/IRType.qll"
+    "csharp/ql/src/semmle/code/csharp/ir/implementation/IRType.qll"
   ],
   "IR IRConfiguration": [
     "cpp/ql/src/semmle/code/cpp/ir/implementation/IRConfiguration.qll",
-    "csharp/ql/src/experimental/ir/implementation/IRConfiguration.qll"
+    "csharp/ql/src/semmle/code/csharp/ir/implementation/IRConfiguration.qll"
   ],
   "IR UseSoundEscapeAnalysis": [
     "cpp/ql/src/semmle/code/cpp/ir/implementation/UseSoundEscapeAnalysis.qll",
-    "csharp/ql/src/experimental/ir/implementation/UseSoundEscapeAnalysis.qll"
-  ],
-  "IR IRFunctionBase": [
-    "cpp/ql/src/semmle/code/cpp/ir/implementation/internal/IRFunctionBase.qll",
-    "csharp/ql/src/experimental/ir/implementation/internal/IRFunctionBase.qll"
+    "csharp/ql/src/semmle/code/csharp/ir/implementation/UseSoundEscapeAnalysis.qll"
   ],
   "IR Operand Tag": [
     "cpp/ql/src/semmle/code/cpp/ir/implementation/internal/OperandTag.qll",
-    "csharp/ql/src/experimental/ir/implementation/internal/OperandTag.qll"
-  ],
-  "IR TInstruction":[
-    "cpp/ql/src/semmle/code/cpp/ir/implementation/internal/TInstruction.qll",
-    "csharp/ql/src/experimental/ir/implementation/internal/TInstruction.qll"
+    "csharp/ql/src/semmle/code/csharp/ir/implementation/internal/OperandTag.qll"
   ],
   "IR TIRVariable":[
     "cpp/ql/src/semmle/code/cpp/ir/implementation/internal/TIRVariable.qll",
-    "csharp/ql/src/experimental/ir/implementation/internal/TIRVariable.qll"
+    "csharp/ql/src/semmle/code/csharp/ir/implementation/internal/TIRVariable.qll"
   ],
   "IR IR": [
     "cpp/ql/src/semmle/code/cpp/ir/implementation/raw/IR.qll",
     "cpp/ql/src/semmle/code/cpp/ir/implementation/unaliased_ssa/IR.qll",
     "cpp/ql/src/semmle/code/cpp/ir/implementation/aliased_ssa/IR.qll",
-    "csharp/ql/src/experimental/ir/implementation/raw/IR.qll",
-    "csharp/ql/src/experimental/ir/implementation/unaliased_ssa/IR.qll"
+    "csharp/ql/src/semmle/code/csharp/ir/implementation/raw/IR.qll",
+    "csharp/ql/src/semmle/code/csharp/ir/implementation/unaliased_ssa/IR.qll"
   ],
-  "IR IRConsistency": [
-    "cpp/ql/src/semmle/code/cpp/ir/implementation/raw/IRConsistency.qll",
-    "cpp/ql/src/semmle/code/cpp/ir/implementation/unaliased_ssa/IRConsistency.qll",
-    "cpp/ql/src/semmle/code/cpp/ir/implementation/aliased_ssa/IRConsistency.qll",
-    "csharp/ql/src/experimental/ir/implementation/raw/IRConsistency.qll",
-    "csharp/ql/src/experimental/ir/implementation/unaliased_ssa/IRConsistency.qll"
+  "IR IRSanity": [
+    "cpp/ql/src/semmle/code/cpp/ir/implementation/raw/IRSanity.qll",
+    "cpp/ql/src/semmle/code/cpp/ir/implementation/unaliased_ssa/IRSanity.qll",
+    "cpp/ql/src/semmle/code/cpp/ir/implementation/aliased_ssa/IRSanity.qll",
+    "csharp/ql/src/semmle/code/csharp/ir/implementation/raw/IRSanity.qll",
+    "csharp/ql/src/semmle/code/csharp/ir/implementation/unaliased_ssa/IRSanity.qll"
   ],
   "IR PrintIR": [
     "cpp/ql/src/semmle/code/cpp/ir/implementation/raw/PrintIR.qll",
     "cpp/ql/src/semmle/code/cpp/ir/implementation/unaliased_ssa/PrintIR.qll",
     "cpp/ql/src/semmle/code/cpp/ir/implementation/aliased_ssa/PrintIR.qll",
-    "csharp/ql/src/experimental/ir/implementation/raw/PrintIR.qll",
-    "csharp/ql/src/experimental/ir/implementation/unaliased_ssa/PrintIR.qll"
+    "csharp/ql/src/semmle/code/csharp/ir/implementation/raw/PrintIR.qll",
+    "csharp/ql/src/semmle/code/csharp/ir/implementation/unaliased_ssa/PrintIR.qll"
   ],
   "IR IntegerConstant": [
     "cpp/ql/src/semmle/code/cpp/ir/internal/IntegerConstant.qll",
-    "csharp/ql/src/experimental/ir/internal/IntegerConstant.qll"
+    "csharp/ql/src/semmle/code/csharp/ir/internal/IntegerConstant.qll"
   ],
   "IR IntegerInteval": [
     "cpp/ql/src/semmle/code/cpp/ir/internal/IntegerInterval.qll",
-    "csharp/ql/src/experimental/ir/internal/IntegerInterval.qll"
+    "csharp/ql/src/semmle/code/csharp/ir/internal/IntegerInterval.qll"
   ],
   "IR IntegerPartial": [
     "cpp/ql/src/semmle/code/cpp/ir/internal/IntegerPartial.qll",
-    "csharp/ql/src/experimental/ir/internal/IntegerPartial.qll"
+    "csharp/ql/src/semmle/code/csharp/ir/internal/IntegerPartial.qll"
   ],
   "IR Overlap": [
     "cpp/ql/src/semmle/code/cpp/ir/internal/Overlap.qll",
-    "csharp/ql/src/experimental/ir/internal/Overlap.qll"
+    "csharp/ql/src/semmle/code/csharp/ir/internal/Overlap.qll"
   ],
   "IR EdgeKind": [
     "cpp/ql/src/semmle/code/cpp/ir/implementation/EdgeKind.qll",
-    "csharp/ql/src/experimental/ir/implementation/EdgeKind.qll"
+    "csharp/ql/src/semmle/code/csharp/ir/implementation/EdgeKind.qll"
   ],
   "IR MemoryAccessKind": [
     "cpp/ql/src/semmle/code/cpp/ir/implementation/MemoryAccessKind.qll",
-    "csharp/ql/src/experimental/ir/implementation/MemoryAccessKind.qll"
+    "csharp/ql/src/semmle/code/csharp/ir/implementation/MemoryAccessKind.qll"
   ],
   "IR TempVariableTag": [
     "cpp/ql/src/semmle/code/cpp/ir/implementation/TempVariableTag.qll",
-    "csharp/ql/src/experimental/ir/implementation/TempVariableTag.qll"
+    "csharp/ql/src/semmle/code/csharp/ir/implementation/TempVariableTag.qll"
   ],
   "IR Opcode": [
     "cpp/ql/src/semmle/code/cpp/ir/implementation/Opcode.qll",
-    "csharp/ql/src/experimental/ir/implementation/Opcode.qll"
+    "csharp/ql/src/semmle/code/csharp/ir/implementation/Opcode.qll"
   ],
-  "IR SSAConsistency": [
-    "cpp/ql/src/semmle/code/cpp/ir/implementation/unaliased_ssa/internal/SSAConsistency.qll",
-    "cpp/ql/src/semmle/code/cpp/ir/implementation/aliased_ssa/internal/SSAConsistency.qll",
-    "csharp/ql/src/experimental/ir/implementation/unaliased_ssa/internal/SSAConsistency.qll"
+  "IR SSASanity": [
+    "cpp/ql/src/semmle/code/cpp/ir/implementation/unaliased_ssa/internal/SSASanity.qll",
+    "cpp/ql/src/semmle/code/cpp/ir/implementation/aliased_ssa/internal/SSASanity.qll",
+    "csharp/ql/src/semmle/code/csharp/ir/implementation/unaliased_ssa/internal/SSASanity.qll"
   ],
   "C++ IR InstructionImports": [
     "cpp/ql/src/semmle/code/cpp/ir/implementation/raw/internal/InstructionImports.qll",
@@ -190,11 +177,6 @@
     "cpp/ql/src/semmle/code/cpp/ir/implementation/unaliased_ssa/internal/IRBlockImports.qll",
     "cpp/ql/src/semmle/code/cpp/ir/implementation/aliased_ssa/internal/IRBlockImports.qll"
   ],
-  "C++ IR IRFunctionImports": [
-    "cpp/ql/src/semmle/code/cpp/ir/implementation/raw/internal/IRFunctionImports.qll",
-    "cpp/ql/src/semmle/code/cpp/ir/implementation/unaliased_ssa/internal/IRFunctionImports.qll",
-    "cpp/ql/src/semmle/code/cpp/ir/implementation/aliased_ssa/internal/IRFunctionImports.qll"
-  ],
   "C++ IR IRVariableImports": [
     "cpp/ql/src/semmle/code/cpp/ir/implementation/raw/internal/IRVariableImports.qll",
     "cpp/ql/src/semmle/code/cpp/ir/implementation/unaliased_ssa/internal/IRVariableImports.qll",
@@ -217,7 +199,7 @@
   "SSA AliasAnalysis": [
     "cpp/ql/src/semmle/code/cpp/ir/implementation/unaliased_ssa/internal/AliasAnalysis.qll",
     "cpp/ql/src/semmle/code/cpp/ir/implementation/aliased_ssa/internal/AliasAnalysis.qll",
-    "csharp/ql/src/experimental/ir/implementation/unaliased_ssa/internal/AliasAnalysis.qll"
+    "csharp/ql/src/semmle/code/csharp/ir/implementation/unaliased_ssa/internal/AliasAnalysis.qll"
   ],
   "C++ SSA AliasAnalysisImports": [
     "cpp/ql/src/semmle/code/cpp/ir/implementation/unaliased_ssa/internal/AliasAnalysisImports.qll",
@@ -230,42 +212,42 @@
   ],
   "IR SSA SimpleSSA": [
     "cpp/ql/src/semmle/code/cpp/ir/implementation/unaliased_ssa/internal/SimpleSSA.qll",
-    "csharp/ql/src/experimental/ir/implementation/unaliased_ssa/internal/SimpleSSA.qll"
+    "csharp/ql/src/semmle/code/csharp/ir/implementation/unaliased_ssa/internal/SimpleSSA.qll"
   ],
   "IR AliasConfiguration (unaliased_ssa)": [
     "cpp/ql/src/semmle/code/cpp/ir/implementation/unaliased_ssa/internal/AliasConfiguration.qll",
-    "csharp/ql/src/experimental/ir/implementation/unaliased_ssa/internal/AliasConfiguration.qll"
+    "csharp/ql/src/semmle/code/csharp/ir/implementation/unaliased_ssa/internal/AliasConfiguration.qll"
   ],
   "IR SSA SSAConstruction": [
     "cpp/ql/src/semmle/code/cpp/ir/implementation/unaliased_ssa/internal/SSAConstruction.qll",
     "cpp/ql/src/semmle/code/cpp/ir/implementation/aliased_ssa/internal/SSAConstruction.qll",
-    "csharp/ql/src/experimental/ir/implementation/unaliased_ssa/internal/SSAConstruction.qll"
+    "csharp/ql/src/semmle/code/csharp/ir/implementation/unaliased_ssa/internal/SSAConstruction.qll"
   ],
   "IR SSA PrintSSA": [
     "cpp/ql/src/semmle/code/cpp/ir/implementation/unaliased_ssa/internal/PrintSSA.qll",
     "cpp/ql/src/semmle/code/cpp/ir/implementation/aliased_ssa/internal/PrintSSA.qll",
-    "csharp/ql/src/experimental/ir/implementation/unaliased_ssa/internal/PrintSSA.qll"
+    "csharp/ql/src/semmle/code/csharp/ir/implementation/unaliased_ssa/internal/PrintSSA.qll"
   ],
   "IR ValueNumberInternal": [
     "cpp/ql/src/semmle/code/cpp/ir/implementation/raw/gvn/internal/ValueNumberingInternal.qll",
     "cpp/ql/src/semmle/code/cpp/ir/implementation/unaliased_ssa/gvn/internal/ValueNumberingInternal.qll",
     "cpp/ql/src/semmle/code/cpp/ir/implementation/aliased_ssa/gvn/internal/ValueNumberingInternal.qll",
-    "csharp/ql/src/experimental/ir/implementation/raw/gvn/internal/ValueNumberingInternal.qll",
-    "csharp/ql/src/experimental/ir/implementation/unaliased_ssa/gvn/internal/ValueNumberingInternal.qll"
+    "csharp/ql/src/semmle/code/csharp/ir/implementation/raw/gvn/internal/ValueNumberingInternal.qll",
+    "csharp/ql/src/semmle/code/csharp/ir/implementation/unaliased_ssa/gvn/internal/ValueNumberingInternal.qll"
   ],
   "C++ IR ValueNumber": [
     "cpp/ql/src/semmle/code/cpp/ir/implementation/raw/gvn/ValueNumbering.qll",
     "cpp/ql/src/semmle/code/cpp/ir/implementation/unaliased_ssa/gvn/ValueNumbering.qll",
     "cpp/ql/src/semmle/code/cpp/ir/implementation/aliased_ssa/gvn/ValueNumbering.qll",
-    "csharp/ql/src/experimental/ir/implementation/raw/gvn/ValueNumbering.qll",
-    "csharp/ql/src/experimental/ir/implementation/unaliased_ssa/gvn/ValueNumbering.qll"
+    "csharp/ql/src/semmle/code/csharp/ir/implementation/raw/gvn/ValueNumbering.qll",
+    "csharp/ql/src/semmle/code/csharp/ir/implementation/unaliased_ssa/gvn/ValueNumbering.qll"
   ],
   "C++ IR PrintValueNumbering": [
     "cpp/ql/src/semmle/code/cpp/ir/implementation/raw/gvn/PrintValueNumbering.qll",
     "cpp/ql/src/semmle/code/cpp/ir/implementation/unaliased_ssa/gvn/PrintValueNumbering.qll",
     "cpp/ql/src/semmle/code/cpp/ir/implementation/aliased_ssa/gvn/PrintValueNumbering.qll",
-    "csharp/ql/src/experimental/ir/implementation/raw/gvn/PrintValueNumbering.qll",
-    "csharp/ql/src/experimental/ir/implementation/unaliased_ssa/gvn/PrintValueNumbering.qll"
+    "csharp/ql/src/semmle/code/csharp/ir/implementation/raw/gvn/PrintValueNumbering.qll",
+    "csharp/ql/src/semmle/code/csharp/ir/implementation/unaliased_ssa/gvn/PrintValueNumbering.qll"
   ],
   "C++ IR ConstantAnalysis": [
     "cpp/ql/src/semmle/code/cpp/ir/implementation/raw/constant/ConstantAnalysis.qll",
@@ -294,36 +276,32 @@
     "cpp/ql/src/semmle/code/cpp/ir/implementation/unaliased_ssa/internal/reachability/PrintDominance.qll"
   ],
   "C# IR InstructionImports": [
-    "csharp/ql/src/experimental/ir/implementation/raw/internal/InstructionImports.qll",
-    "csharp/ql/src/experimental/ir/implementation/unaliased_ssa/internal/InstructionImports.qll"
+    "csharp/ql/src/semmle/code/csharp/ir/implementation/raw/internal/InstructionImports.qll",
+    "csharp/ql/src/semmle/code/csharp/ir/implementation/unaliased_ssa/internal/InstructionImports.qll"
   ],
   "C# IR IRImports": [
-    "csharp/ql/src/experimental/ir/implementation/raw/internal/IRImports.qll",
-    "csharp/ql/src/experimental/ir/implementation/unaliased_ssa/internal/IRImports.qll"
+    "csharp/ql/src/semmle/code/csharp/ir/implementation/raw/internal/IRImports.qll",
+    "csharp/ql/src/semmle/code/csharp/ir/implementation/unaliased_ssa/internal/IRImports.qll"
   ],
   "C# IR IRBlockImports": [
-    "csharp/ql/src/experimental/ir/implementation/raw/internal/IRBlockImports.qll",
-    "csharp/ql/src/experimental/ir/implementation/unaliased_ssa/internal/IRBlockImports.qll"
-  ],
-  "C# IR IRFunctionImports": [
-    "csharp/ql/src/experimental/ir/implementation/raw/internal/IRFunctionImports.qll",
-    "csharp/ql/src/experimental/ir/implementation/unaliased_ssa/internal/IRFunctionImports.qll"
+    "csharp/ql/src/semmle/code/csharp/ir/implementation/raw/internal/IRBlockImports.qll",
+    "csharp/ql/src/semmle/code/csharp/ir/implementation/unaliased_ssa/internal/IRBlockImports.qll"
   ],
   "C# IR IRVariableImports": [
-    "csharp/ql/src/experimental/ir/implementation/raw/internal/IRVariableImports.qll",
-    "csharp/ql/src/experimental/ir/implementation/unaliased_ssa/internal/IRVariableImports.qll"
+    "csharp/ql/src/semmle/code/csharp/ir/implementation/raw/internal/IRVariableImports.qll",
+    "csharp/ql/src/semmle/code/csharp/ir/implementation/unaliased_ssa/internal/IRVariableImports.qll"
   ],
   "C# IR OperandImports": [
-    "csharp/ql/src/experimental/ir/implementation/raw/internal/OperandImports.qll",
-    "csharp/ql/src/experimental/ir/implementation/unaliased_ssa/internal/OperandImports.qll"
+    "csharp/ql/src/semmle/code/csharp/ir/implementation/raw/internal/OperandImports.qll",
+    "csharp/ql/src/semmle/code/csharp/ir/implementation/unaliased_ssa/internal/OperandImports.qll"
   ],
   "C# IR PrintIRImports": [
-    "csharp/ql/src/experimental/ir/implementation/raw/internal/PrintIRImports.qll",
-    "csharp/ql/src/experimental/ir/implementation/unaliased_ssa/internal/PrintIRImports.qll"
+    "csharp/ql/src/semmle/code/csharp/ir/implementation/raw/internal/PrintIRImports.qll",
+    "csharp/ql/src/semmle/code/csharp/ir/implementation/unaliased_ssa/internal/PrintIRImports.qll"
   ],
   "C# IR ValueNumberingImports": [
-    "csharp/ql/src/experimental/ir/implementation/raw/gvn/internal/ValueNumberingImports.qll",
-    "csharp/ql/src/experimental/ir/implementation/unaliased_ssa/gvn/internal/ValueNumberingImports.qll"
+    "csharp/ql/src/semmle/code/csharp/ir/implementation/raw/gvn/internal/ValueNumberingImports.qll",
+    "csharp/ql/src/semmle/code/csharp/ir/implementation/unaliased_ssa/gvn/internal/ValueNumberingImports.qll"
   ],
   "XML": [
     "cpp/ql/src/semmle/code/cpp/XML.qll",

config/opcode-qldoc.py

@@ -1,102 +0,0 @@
-#!/usr/bin/env python3
-
-import os
-import re
-path = os.path
-
-needs_an_re = re.compile(r'^(?!Unary)[AEIOU]')  # Name requiring "an" instead of "a".
-start_qldoc_re = re.compile(r'^\s*/\*\*')  # Start of a QLDoc comment
-end_qldoc_re = re.compile(r'\*/\s*$')  # End of a QLDoc comment
-blank_qldoc_line_re = re.compile(r'^\s*\*\s*$')  # A line in a QLDoc comment with only the '*'
-instruction_class_re = re.compile(r'^class (?P<name>[A-aa-z0-9]+)Instruction\s')  # Declaration of an `Instruction` class
-opcode_base_class_re = re.compile(r'^abstract class (?P<name>[A-aa-z0-9]+)Opcode\s')  # Declaration of an `Opcode` base class
-opcode_class_re = re.compile(r'^  class (?P<name>[A-aa-z0-9]+)\s')  # Declaration of an `Opcode` class
-
-script_dir = path.realpath(path.dirname(__file__))
-instruction_path = path.realpath(path.join(script_dir, '../cpp/ql/src/semmle/code/cpp/ir/implementation/raw/Instruction.qll'))
-opcode_path = path.realpath(path.join(script_dir, '../cpp/ql/src/semmle/code/cpp/ir/implementation/Opcode.qll'))
-
-# Scan `Instruction.qll`, keeping track of the QLDoc comment attached to each declaration of a class
-# whose name ends with `Instruction`.
-instruction_comments = {}
-in_qldoc = False
-saw_blank_line_in_qldoc = False
-qldoc_lines = []
-with open(instruction_path, 'r', encoding='utf-8') as instr:
-    for line in instr:
-        if in_qldoc:
-            if end_qldoc_re.search(line):
-                qldoc_lines.append(line)
-                in_qldoc = False
-            elif blank_qldoc_line_re.search(line):
-                # We're going to skip any lines after the first blank line, to avoid duplicating all
-                # of the verbose description.
-                saw_blank_line_in_qldoc = True
-            elif not saw_blank_line_in_qldoc:
-                qldoc_lines.append(line)
-        else:
-            if start_qldoc_re.search(line):
-                # Starting a new QLDoc comment.
-                saw_blank_line_in_qldoc = False
-                qldoc_lines.append(line)
-                if not end_qldoc_re.search(line):
-                    in_qldoc = True
-            else:
-                instruction_match = instruction_class_re.search(line)
-                if instruction_match:
-                    # Found the declaration of an `Instruction` class. Record the QLDoc comments.
-                    instruction_comments[instruction_match.group('name')] = qldoc_lines
-                qldoc_lines = []
-
-# Scan `Opcode.qll`. Whenever we see the declaration of an `Opcode` class for which we have a
-# corresponding `Instruction` class, we'll attach a copy of the `Instruction`'s QLDoc comment.
-in_qldoc = False
-qldoc_lines = []
-output_lines = []
-with open(opcode_path, 'r', encoding='utf-8') as opcode:
-    for line in opcode:
-        if in_qldoc:
-            qldoc_lines.append(line)
-            if end_qldoc_re.search(line):
-                in_qldoc = False
-        else:
-            if start_qldoc_re.search(line):
-                qldoc_lines.append(line)
-                if not end_qldoc_re.search(line):
-                    in_qldoc = True
-            else:
-                name_without_suffix = None
-                name = None
-                indent = ''
-                opcode_base_match = opcode_base_class_re.search(line)
-                if opcode_base_match:
-                    name_without_suffix = opcode_base_match.group('name')
-                    name = name_without_suffix + 'Opcode'
-                else:
-                    opcode_match = opcode_class_re.search(line)
-                    if opcode_match:
-                        name_without_suffix = opcode_match.group('name')
-                        name = name_without_suffix
-                        # Indent by two additional spaces, since opcodes are declared in the
-                        # `Opcode` module.
-                        indent = '  '
-                
-                if name_without_suffix:
-                    # Found an `Opcode` that matches a known `Instruction`. Replace the QLDoc with
-                    # a copy of the one from the `Instruction`.
-                    if instruction_comments.get(name_without_suffix):
-                        article = 'an' if needs_an_re.search(name_without_suffix) else 'a'
-                        qldoc_lines = [
-                            indent + '/**\n',
-                            indent + ' * The `Opcode` for ' + article + ' `' + name_without_suffix + 'Instruction`.\n',
-                            indent + ' *\n',
-                            indent + ' * See the `' + name_without_suffix + 'Instruction` documentation for more details.\n',
-                            indent + ' */\n'
-                        ]
-                output_lines.extend(qldoc_lines)
-                qldoc_lines = []
-                output_lines.append(line)
-
-# Write out the updated `Opcode.qll`
-with open(opcode_path, 'w', encoding='utf-8') as opcode:
-    opcode.writelines(output_lines)

config/sync-files.py

@@ -59,32 +59,21 @@ def file_checksum(filename):
         return hashlib.sha1(file_handle.read()).hexdigest()
 
 def check_group(group_name, files, master_file_picker, emit_error):
-    extant_files = [f for f in files if path.isfile(f)]
-    if len(extant_files) == 0:
-        emit_error(__file__, 0, "No files found from group '" + group_name + "'.")
-        emit_error(__file__, 0,
-                "Create one of the following files, and then run this script with "
-                "the --latest switch to sync it to the other file locations.")
-        for filename in files:
-            emit_error(__file__, 0, "    " + filename)
+    checksums = {file_checksum(f) for f in files}
+
+    if len(checksums) == 1:
         return
 
-    checksums = {file_checksum(f) for f in extant_files}
-
-    if len(checksums) == 1 and len(extant_files) == len(files):
-        # All files are present and identical.
-        return
-
-    master_file = master_file_picker(extant_files)
+    master_file = master_file_picker(files)
     if master_file is None:
         emit_error(__file__, 0,
                 "Files from group '"+ group_name +"' not in sync.")
         emit_error(__file__, 0,
                 "Run this script with a file-name argument among the "
                 "following to overwrite the remaining files with the contents "
-                "of that file, or run with the --latest switch to update each "
+                "of that file or run with the --latest switch to update each "
                 "group of files from the most recently modified file in the group.")
-        for filename in extant_files:
+        for filename in files:
             emit_error(__file__, 0, "    " + filename)
     else:
         print("  Syncing others from", master_file)
@@ -92,8 +81,7 @@ def check_group(group_name, files, master_file_picker, emit_error):
             if filename == master_file:
                 continue
             print("    " + filename)
-            if path.isfile(filename):
-                os.replace(filename, filename + '~')
+            os.replace(filename, filename + '~')
             shutil.copy(master_file, filename)
         print("  Backups written with '~' appended to file names")
 
@@ -119,7 +107,7 @@ def choose_latest_file(files):
 
 local_error_count = 0
 def emit_local_error(path, line, error):
-    print('ERROR: ' + path + ':' + str(line) + " - " + error)
+    print('ERROR: ' + path + ':' + line + " - " + error)
     global local_error_count
     local_error_count += 1
 

cpp/autobuilder/.gitignore

@@ -1,13 +0,0 @@
-obj/
-TestResults/
-*.manifest
-*.pdb
-*.suo
-*.mdb
-*.vsmdi
-csharp.log
-**/bin/Debug
-**/bin/Release
-*.tlog
-.vs
-*.user

cpp/autobuilder/Semmle.Autobuild.Cpp.Tests/BuildScripts.cs

@@ -1,296 +0,0 @@
-using Xunit;
-using Semmle.Autobuild.Shared;
-using System.Collections.Generic;
-using System;
-using System.Linq;
-using Microsoft.Build.Construction;
-using System.Xml;
-
-namespace Semmle.Autobuild.Cpp.Tests
-{
-    /// <summary>
-    /// Test class to script Autobuilder scenarios.
-    /// For most methods, it uses two fields:
-    /// - an IList to capture the the arguments passed to it
-    /// - an IDictionary of possible return values.
-    /// </summary>
-    class TestActions : IBuildActions
-    {
-        /// <summary>
-        /// List of strings passed to FileDelete.
-        /// </summary>
-        public IList<string> FileDeleteIn = new List<string>();
-
-        void IBuildActions.FileDelete(string file)
-        {
-            FileDeleteIn.Add(file);
-        }
-
-        public IList<string> FileExistsIn = new List<string>();
-        public IDictionary<string, bool> FileExists = new Dictionary<string, bool>();
-
-        bool IBuildActions.FileExists(string file)
-        {
-            FileExistsIn.Add(file);
-            if (FileExists.TryGetValue(file, out var ret))
-                return ret;
-            if (FileExists.TryGetValue(System.IO.Path.GetFileName(file), out ret))
-                return ret;
-            throw new ArgumentException("Missing FileExists " + file);
-        }
-
-        public IList<string> RunProcessIn = new List<string>();
-        public IDictionary<string, int> RunProcess = new Dictionary<string, int>();
-        public IDictionary<string, string> RunProcessOut = new Dictionary<string, string>();
-        public IDictionary<string, string> RunProcessWorkingDirectory = new Dictionary<string, string>();
-
-        int IBuildActions.RunProcess(string cmd, string args, string? workingDirectory, IDictionary<string, string>? env, out IList<string> stdOut)
-        {
-            var pattern = cmd + " " + args;
-            RunProcessIn.Add(pattern);
-            if (RunProcessOut.TryGetValue(pattern, out var str))
-                stdOut = str.Split("\n");
-            else
-                throw new ArgumentException("Missing RunProcessOut " + pattern);
-            RunProcessWorkingDirectory.TryGetValue(pattern, out var wd);
-            if (wd != workingDirectory)
-                throw new ArgumentException("Missing RunProcessWorkingDirectory " + pattern);
-            if (RunProcess.TryGetValue(pattern, out var ret))
-                return ret;
-            throw new ArgumentException("Missing RunProcess " + pattern);
-        }
-
-        int IBuildActions.RunProcess(string cmd, string args, string? workingDirectory, IDictionary<string, string>? env)
-        {
-            var pattern = cmd + " " + args;
-            RunProcessIn.Add(pattern);
-            RunProcessWorkingDirectory.TryGetValue(pattern, out var wd);
-            if (wd != workingDirectory)
-                throw new ArgumentException("Missing RunProcessWorkingDirectory " + pattern);
-            if (RunProcess.TryGetValue(pattern, out var ret))
-                return ret;
-            throw new ArgumentException("Missing RunProcess " + pattern);
-        }
-
-        public IList<string> DirectoryDeleteIn = new List<string>();
-
-        void IBuildActions.DirectoryDelete(string dir, bool recursive)
-        {
-            DirectoryDeleteIn.Add(dir);
-        }
-
-        public IDictionary<string, bool> DirectoryExists = new Dictionary<string, bool>();
-        public IList<string> DirectoryExistsIn = new List<string>();
-
-        bool IBuildActions.DirectoryExists(string dir)
-        {
-            DirectoryExistsIn.Add(dir);
-            if (DirectoryExists.TryGetValue(dir, out var ret))
-                return ret;
-            throw new ArgumentException("Missing DirectoryExists " + dir);
-        }
-
-        public IDictionary<string, string?> GetEnvironmentVariable = new Dictionary<string, string?>();
-
-        string? IBuildActions.GetEnvironmentVariable(string name)
-        {
-            if (GetEnvironmentVariable.TryGetValue(name, out var ret))
-                return ret;
-            throw new ArgumentException("Missing GetEnvironmentVariable " + name);
-        }
-
-        public string GetCurrentDirectory = "";
-
-        string IBuildActions.GetCurrentDirectory()
-        {
-            return GetCurrentDirectory;
-        }
-
-        public IDictionary<string, string> EnumerateFiles = new Dictionary<string, string>();
-
-        IEnumerable<string> IBuildActions.EnumerateFiles(string dir)
-        {
-            if (EnumerateFiles.TryGetValue(dir, out var str))
-                return str.Split("\n");
-            throw new ArgumentException("Missing EnumerateFiles " + dir);
-        }
-
-        public IDictionary<string, string> EnumerateDirectories = new Dictionary<string, string>();
-
-        IEnumerable<string> IBuildActions.EnumerateDirectories(string dir)
-        {
-            if (EnumerateDirectories.TryGetValue(dir, out var str))
-                return string.IsNullOrEmpty(str) ? Enumerable.Empty<string>() : str.Split("\n");
-            throw new ArgumentException("Missing EnumerateDirectories " + dir);
-        }
-
-        public bool IsWindows;
-
-        bool IBuildActions.IsWindows() => IsWindows;
-
-        string IBuildActions.PathCombine(params string[] parts)
-        {
-            return string.Join(IsWindows ? '\\' : '/', parts.Where(p => !string.IsNullOrWhiteSpace(p)));
-        }
-
-        string IBuildActions.GetFullPath(string path) => path;
-
-        void IBuildActions.WriteAllText(string filename, string contents)
-        {
-        }
-
-        public IDictionary<string, XmlDocument> LoadXml = new Dictionary<string, XmlDocument>();
-        XmlDocument IBuildActions.LoadXml(string filename)
-        {
-            if (LoadXml.TryGetValue(filename, out var xml))
-                return xml;
-            throw new ArgumentException("Missing LoadXml " + filename);
-        }
-
-        public string EnvironmentExpandEnvironmentVariables(string s)
-        {
-            foreach (var kvp in GetEnvironmentVariable)
-                s = s.Replace($"%{kvp.Key}%", kvp.Value);
-            return s;
-        }
-    }
-
-    /// <summary>
-    /// A fake solution to build.
-    /// </summary>
-    class TestSolution : ISolution
-    {
-        public IEnumerable<SolutionConfigurationInSolution> Configurations => throw new NotImplementedException();
-
-        public string DefaultConfigurationName => "Release";
-
-        public string DefaultPlatformName => "x86";
-
-        public string FullPath { get; set; }
-
-        public Version ToolsVersion => new Version("14.0");
-
-        public IEnumerable<IProjectOrSolution> IncludedProjects => throw new NotImplementedException();
-
-        public TestSolution(string path)
-        {
-            FullPath = path;
-        }
-    }
-
-    public class BuildScriptTests
-    {
-        TestActions Actions = new TestActions();
-
-        // Records the arguments passed to StartCallback.
-        IList<string> StartCallbackIn = new List<string>();
-
-        void StartCallback(string s, bool silent)
-        {
-            StartCallbackIn.Add(s);
-        }
-
-        // Records the arguments passed to EndCallback
-        IList<string> EndCallbackIn = new List<string>();
-        IList<int> EndCallbackReturn = new List<int>();
-
-        void EndCallback(int ret, string s, bool silent)
-        {
-            EndCallbackReturn.Add(ret);
-            EndCallbackIn.Add(s);
-        }
-
-        CppAutobuilder CreateAutoBuilder(bool isWindows,
-            string? buildless = null, string? solution = null, string? buildCommand = null, string? ignoreErrors = null,
-            string? msBuildArguments = null, string? msBuildPlatform = null, string? msBuildConfiguration = null, string? msBuildTarget = null,
-            string? dotnetArguments = null, string? dotnetVersion = null, string? vsToolsVersion = null,
-            string? nugetRestore = null, string? allSolutions = null,
-            string cwd = @"C:\Project")
-        {
-            string codeqlUpperLanguage = Language.Cpp.UpperCaseName;
-            Actions.GetEnvironmentVariable[$"CODEQL_AUTOBUILDER_{codeqlUpperLanguage}_NO_INDEXING"] = "false";
-            Actions.GetEnvironmentVariable[$"CODEQL_EXTRACTOR_{codeqlUpperLanguage}_TRAP_DIR"] = "";
-            Actions.GetEnvironmentVariable[$"CODEQL_EXTRACTOR_{codeqlUpperLanguage}_SOURCE_ARCHIVE_DIR"] = "";
-            Actions.GetEnvironmentVariable[$"CODEQL_EXTRACTOR_{codeqlUpperLanguage}_ROOT"] = $@"C:\codeql\{codeqlUpperLanguage.ToLowerInvariant()}";
-            Actions.GetEnvironmentVariable["CODEQL_JAVA_HOME"] = @"C:\codeql\tools\java";
-            Actions.GetEnvironmentVariable["SEMMLE_DIST"] = @"C:\odasa";
-            Actions.GetEnvironmentVariable["SEMMLE_JAVA_HOME"] = @"C:\odasa\tools\java";
-            Actions.GetEnvironmentVariable["SEMMLE_PLATFORM_TOOLS"] = @"C:\odasa\tools";
-            Actions.GetEnvironmentVariable["LGTM_INDEX_VSTOOLS_VERSION"] = vsToolsVersion;
-            Actions.GetEnvironmentVariable["LGTM_INDEX_MSBUILD_ARGUMENTS"] = msBuildArguments;
-            Actions.GetEnvironmentVariable["LGTM_INDEX_MSBUILD_PLATFORM"] = msBuildPlatform;
-            Actions.GetEnvironmentVariable["LGTM_INDEX_MSBUILD_CONFIGURATION"] = msBuildConfiguration;
-            Actions.GetEnvironmentVariable["LGTM_INDEX_MSBUILD_TARGET"] = msBuildTarget;
-            Actions.GetEnvironmentVariable["LGTM_INDEX_DOTNET_ARGUMENTS"] = dotnetArguments;
-            Actions.GetEnvironmentVariable["LGTM_INDEX_DOTNET_VERSION"] = dotnetVersion;
-            Actions.GetEnvironmentVariable["LGTM_INDEX_BUILD_COMMAND"] = buildCommand;
-            Actions.GetEnvironmentVariable["LGTM_INDEX_SOLUTION"] = solution;
-            Actions.GetEnvironmentVariable["LGTM_INDEX_IGNORE_ERRORS"] = ignoreErrors;
-            Actions.GetEnvironmentVariable["LGTM_INDEX_BUILDLESS"] = buildless;
-            Actions.GetEnvironmentVariable["LGTM_INDEX_ALL_SOLUTIONS"] = allSolutions;
-            Actions.GetEnvironmentVariable["LGTM_INDEX_NUGET_RESTORE"] = nugetRestore;
-            Actions.GetEnvironmentVariable["ProgramFiles(x86)"] = isWindows ? @"C:\Program Files (x86)" : null;
-            Actions.GetCurrentDirectory = cwd;
-            Actions.IsWindows = isWindows;
-
-            var options = new AutobuildOptions(Actions, Language.Cpp);
-            return new CppAutobuilder(Actions, options);
-        }
-
-        void TestAutobuilderScript(Autobuilder autobuilder, int expectedOutput, int commandsRun)
-        {
-            Assert.Equal(expectedOutput, autobuilder.GetBuildScript().Run(Actions, StartCallback, EndCallback));
-
-            // Check expected commands actually ran
-            Assert.Equal(commandsRun, StartCallbackIn.Count);
-            Assert.Equal(commandsRun, EndCallbackIn.Count);
-            Assert.Equal(commandsRun, EndCallbackReturn.Count);
-
-            var action = Actions.RunProcess.GetEnumerator();
-            for (int cmd = 0; cmd < commandsRun; ++cmd)
-            {
-                Assert.True(action.MoveNext());
-
-                Assert.Equal(action.Current.Key, StartCallbackIn[cmd]);
-                Assert.Equal(action.Current.Value, EndCallbackReturn[cmd]);
-            }
-        }
-
-
-        [Fact]
-        public void TestDefaultCppAutobuilder()
-        {
-            Actions.EnumerateFiles[@"C:\Project"] = "";
-            Actions.EnumerateDirectories[@"C:\Project"] = "";
-
-            var autobuilder = CreateAutoBuilder(true);
-            var script = autobuilder.GetBuildScript();
-
-            // Fails due to no solutions present.
-            Assert.NotEqual(0, script.Run(Actions, StartCallback, EndCallback));
-        }
-
-        [Fact]
-        public void TestCppAutobuilderSuccess()
-        {
-            Actions.RunProcess[@"cmd.exe /C C:\odasa\tools\csharp\nuget\nuget.exe restore C:\Project\test.sln"] = 1;
-            Actions.RunProcess[@"cmd.exe /C CALL ^""C:\Program Files ^(x86^)\Microsoft Visual Studio 14.0\VC\vcvarsall.bat^"" && set Platform=&& type NUL && C:\odasa\tools\odasa index --auto msbuild C:\Project\test.sln /p:UseSharedCompilation=false /t:rebuild /p:Platform=""x86"" /p:Configuration=""Release"" /p:MvcBuildViews=true"] = 0;
-            Actions.RunProcessOut[@"C:\Program Files (x86)\Microsoft Visual Studio\Installer\vswhere.exe -prerelease -legacy -property installationPath"] = "";
-            Actions.RunProcess[@"C:\Program Files (x86)\Microsoft Visual Studio\Installer\vswhere.exe -prerelease -legacy -property installationPath"] = 1;
-            Actions.RunProcess[@"C:\Program Files (x86)\Microsoft Visual Studio\Installer\vswhere.exe -prerelease -legacy -property installationVersion"] = 0;
-            Actions.RunProcessOut[@"C:\Program Files (x86)\Microsoft Visual Studio\Installer\vswhere.exe -prerelease -legacy -property installationVersion"] = "";
-            Actions.FileExists[@"C:\Program Files (x86)\Microsoft Visual Studio 14.0\VC\vcvarsall.bat"] = true;
-            Actions.FileExists[@"C:\Program Files (x86)\Microsoft Visual Studio 12.0\VC\vcvarsall.bat"] = true;
-            Actions.FileExists[@"C:\Program Files (x86)\Microsoft Visual Studio 11.0\VC\vcvarsall.bat"] = true;
-            Actions.FileExists[@"C:\Program Files (x86)\Microsoft Visual Studio 10.0\VC\vcvarsall.bat"] = true;
-            Actions.FileExists[@"C:\Program Files (x86)\Microsoft Visual Studio\Installer\vswhere.exe"] = true;
-            Actions.EnumerateFiles[@"C:\Project"] = "foo.cs\ntest.slx";
-            Actions.EnumerateDirectories[@"C:\Project"] = "";
-
-            var autobuilder = CreateAutoBuilder(true);
-            var solution = new TestSolution(@"C:\Project\test.sln");
-            autobuilder.ProjectsOrSolutionsToBuild.Add(solution);
-            TestAutobuilderScript(autobuilder, 0, 2);
-        }
-    }
-}

cpp/autobuilder/Semmle.Autobuild.Cpp.Tests/Semmle.Autobuild.Cpp.Tests.csproj

@@ -1,25 +0,0 @@
-<Project Sdk="Microsoft.NET.Sdk">
-
-  <PropertyGroup>
-    <OutputType>Exe</OutputType>
-    <TargetFramework>netcoreapp3.0</TargetFramework>
-    <GenerateAssemblyInfo>false</GenerateAssemblyInfo>
-    <RuntimeIdentifiers>win-x64;linux-x64;osx-x64</RuntimeIdentifiers>
-    <Nullable>enable</Nullable>
-  </PropertyGroup>
-
-  <ItemGroup>
-    <PackageReference Include="System.IO.FileSystem" Version="4.3.0" />
-    <PackageReference Include="System.IO.FileSystem.Primitives" Version="4.3.0" />
-    <PackageReference Include="xunit" Version="2.4.1" />
-    <PackageReference Include="xunit.runner.visualstudio" Version="2.4.1">
-      <PrivateAssets>all</PrivateAssets>
-      <IncludeAssets>runtime; build; native; contentfiles; analyzers</IncludeAssets>
-    </PackageReference>
-  </ItemGroup>
-
-  <ItemGroup>
-    <ProjectReference Include="..\Semmle.Autobuild.Cpp\Semmle.Autobuild.Cpp.csproj" />
-    <ProjectReference Include="..\..\..\csharp\autobuilder\Semmle.Autobuild.Shared\Semmle.Autobuild.Shared.csproj" />
-  </ItemGroup>
-</Project>

cpp/autobuilder/Semmle.Autobuild.Cpp/CppAutobuilder.cs

@@ -1,23 +0,0 @@
-using Semmle.Autobuild.Shared;
-
-namespace Semmle.Autobuild.Cpp
-{
-    public class CppAutobuilder : Autobuilder
-    {
-        public CppAutobuilder(IBuildActions actions, AutobuildOptions options) : base(actions, options) { }
-
-        public override BuildScript GetBuildScript()
-        {
-            if (Options.BuildCommand != null)
-                return new BuildCommandRule((_, f) => f(null)).Analyse(this, false);
-
-            return
-                // First try MSBuild
-                new MsBuildRule().Analyse(this, true) |
-                // Then look for a script that might be a build script
-                (() => new BuildCommandAutoRule((_, f) => f(null)).Analyse(this, true)) |
-                // All attempts failed: print message
-                AutobuildFailure();
-        }
-    }
-}

cpp/autobuilder/Semmle.Autobuild.Cpp/Semmle.Autobuild.Cpp.csproj

@@ -1,28 +0,0 @@
-<Project Sdk="Microsoft.NET.Sdk">
-
-  <PropertyGroup>
-    <TargetFramework>netcoreapp3.0</TargetFramework>
-    <AssemblyName>Semmle.Autobuild.Cpp</AssemblyName>
-    <RootNamespace>Semmle.Autobuild.Cpp</RootNamespace>
-    <ApplicationIcon />
-    <OutputType>Exe</OutputType>
-    <StartupObject />
-    <GenerateAssemblyInfo>false</GenerateAssemblyInfo>
-    <RuntimeIdentifiers>win-x64;linux-x64;osx-x64</RuntimeIdentifiers>
-    <Nullable>enable</Nullable>
-  </PropertyGroup>
-
-  <ItemGroup>
-    <Folder Include="Properties\" />
-  </ItemGroup>
-
-  <ItemGroup>
-    <PackageReference Include="Microsoft.Build" Version="16.0.461" />
-  </ItemGroup>
-
-  <ItemGroup>
-    <ProjectReference Include="..\..\..\csharp\extractor\Semmle.Util\Semmle.Util.csproj" />
-    <ProjectReference Include="..\..\..\csharp\autobuilder\Semmle.Autobuild.Shared\Semmle.Autobuild.Shared.csproj" />
-  </ItemGroup>
-
-</Project>

cpp/ql/examples/qlpack.yml

@@ -1,3 +0,0 @@
-name: codeql-cpp-examples
-version: 0.0.0
-libraryPathDependencies: codeql-cpp

cpp/ql/src/Documentation/CaptionedComments.qll

@@ -4,10 +4,6 @@
 
 import cpp
 
-/**
- * Gets a string representation of the comment `c` containing the caption 'TODO' or 'FIXME'.
- * If `c` spans multiple lines, all lines after the first are abbreviated as [...].
- */
 string getCommentTextCaptioned(Comment c, string caption) {
   (caption = "TODO" or caption = "FIXME") and
   exists(

cpp/ql/src/Documentation/CommentedOutCode.qll

@@ -1,7 +1,3 @@
-/**
- * Provides classes and predicates for identifying C/C++ comments that look like code.
- */
-
 import cpp
 
 /**
@@ -141,14 +137,8 @@ class CommentBlock extends Comment {
     )
   }
 
-  /**
-   * Gets the last comment associated with this comment block.
-   */
   Comment lastComment() { result = this.getComment(max(int i | exists(this.getComment(i)))) }
 
-  /**
-   * Gets the contents of the `i`'th comment associated with this comment block.
-   */
   string getLine(int i) {
     this instanceof CStyleComment and
     result = this.getContents().regexpCapture("(?s)/\\*+(.*)\\*+/", 1).splitAt("\n", i)
@@ -156,24 +146,14 @@ class CommentBlock extends Comment {
     this instanceof CppStyleComment and result = this.getComment(i).getContents().suffix(2)
   }
 
-  /**
-   * Gets the number of lines in the comments associated with this comment block.
-   */
   int numLines() {
     result = strictcount(int i, string line | line = this.getLine(i) and line.trim() != "")
   }
 
-  /**
-   * Gets the number of lines that look like code in the comments associated with this comment block.
-   */
   int numCodeLines() {
     result = strictcount(int i, string line | line = this.getLine(i) and looksLikeCode(line))
   }
 
-  /**
-   * Holds if the comment block is a C-style comment, and each
-   * comment line starts with a *.
-   */
   predicate isDocumentation() {
     // If a C-style comment starts each line with a *, then it's
     // probably documentation rather than code.
@@ -181,12 +161,6 @@ class CommentBlock extends Comment {
     forex(int i | i in [1 .. this.numLines() - 1] | this.getLine(i).trim().matches("*%"))
   }
 
-  /**
-   * Holds if this comment block looks like code that has been commented out. Specifically:
-   * 1. It does not look like documentation (see `isDocumentation`).
-   * 2. It is not in a header file without any declaration entries or top level declarations.
-   * 3. More than half of the lines in the comment block look like code.
-   */
   predicate isCommentedOutCode() {
     not this.isDocumentation() and
     not this.getFile().(HeaderFile).noTopLevelCode() and

cpp/ql/src/Likely Bugs/Likely Typos/UsingStrcpyAsBoolean.ql

@@ -15,15 +15,6 @@ import cpp
 import semmle.code.cpp.models.implementations.Strcpy
 import semmle.code.cpp.dataflow.DataFlow
 
-/**
- * A string copy function that returns a string, rather than an error code (for
- * example, `strcpy` returns a string, whereas `strcpy_s` returns an error
- * code).
- */
-class InterestingStrcpyFunction extends StrcpyFunction {
-  InterestingStrcpyFunction() { getType().getUnspecifiedType() instanceof PointerType }
-}
-
 predicate isBoolean(Expr e1) {
   exists(Type t1 |
     t1 = e1.getType() and
@@ -34,12 +25,12 @@ predicate isBoolean(Expr e1) {
 predicate isStringCopyCastedAsBoolean(FunctionCall func, Expr expr1, string msg) {
   DataFlow::localExprFlow(func, expr1) and
   isBoolean(expr1.getConversion*()) and
-  func.getTarget() instanceof InterestingStrcpyFunction and
+  func.getTarget() instanceof StrcpyFunction and
   msg = "Return value of " + func.getTarget().getName() + " used as a Boolean."
 }
 
 predicate isStringCopyUsedInLogicalOperationOrCondition(FunctionCall func, Expr expr1, string msg) {
-  func.getTarget() instanceof InterestingStrcpyFunction and
+  func.getTarget() instanceof StrcpyFunction and
   (
     (
       // it is being used in an equality or logical operation

cpp/ql/src/Likely Bugs/RedundantNullCheckSimple.ql

@@ -23,7 +23,7 @@ import semmle.code.cpp.ir.ValueNumbering
 class NullInstruction extends ConstantValueInstruction {
   NullInstruction() {
     this.getValue() = "0" and
-    this.getResultIRType() instanceof IRAddressType
+    this.getResultType().getUnspecifiedType() instanceof PointerType
   }
 }
 
@@ -44,8 +44,8 @@ predicate explicitNullTestOfInstruction(Instruction checked, Instruction bool) {
   bool =
     any(ConvertInstruction convert |
       checked = convert.getUnary() and
-      convert.getResultIRType() instanceof IRBooleanType and
-      checked.getResultIRType() instanceof IRAddressType
+      convert.getResultType() instanceof BoolType and
+      checked.getResultType() instanceof PointerType
     )
 }
 

cpp/ql/src/Likely Bugs/Underspecified Functions/MistypedFunctionArguments.qll

@@ -6,7 +6,6 @@
 
 import cpp
 
-pragma[inline]
 private predicate arithTypesMatch(Type arg, Type parm) {
   arg = parm
   or

cpp/ql/src/Likely Bugs/Underspecified Functions/TooFewArguments.qll

@@ -6,50 +6,29 @@
 
 import cpp
 
-/**
- * Holds if `fde` has a parameter declaration that's clear on the minimum
- * number of parameters. This is essentially true for everything except
- * `()`-declarations.
- */
-private predicate hasDefiniteNumberOfParameters(FunctionDeclarationEntry fde) {
-  fde.hasVoidParamList()
-  or
-  fde.getNumberOfParameters() > 0
-  or
-  fde.isDefinition()
-}
-
-/* Holds if function was ()-declared, but not (void)-declared or K&R-defined. */
+// True if function was ()-declared, but not (void)-declared or K&R-defined
 private predicate hasZeroParamDecl(Function f) {
   exists(FunctionDeclarationEntry fde | fde = f.getADeclarationEntry() |
-    not hasDefiniteNumberOfParameters(fde)
+    not fde.hasVoidParamList() and fde.getNumberOfParameters() = 0 and not fde.isDefinition()
   )
 }
 
-/* Holds if this file (or header) was compiled as a C file. */
+// True if this file (or header) was compiled as a C file
 private predicate isCompiledAsC(File f) {
   f.compiledAsC()
   or
   exists(File src | isCompiledAsC(src) | src.getAnIncludedFile() = f)
 }
 
-/** Holds if `fc` is a call to `f` with too few arguments. */
 predicate tooFewArguments(FunctionCall fc, Function f) {
   f = fc.getTarget() and
   not f.isVarargs() and
   not f instanceof BuiltInFunction and
-  // This query should only have results on C (not C++) functions that have a
-  // `()` parameter list somewhere. If it has results on other functions, then
-  // it's probably because the extractor only saw a partial compilation.
   hasZeroParamDecl(f) and
   isCompiledAsC(f.getFile()) and
-  // Produce an alert when all declarations that are authoritative on the
-  // parameter count specify a parameter count larger than the number of call
-  // arguments.
-  forex(FunctionDeclarationEntry fde |
-    fde = f.getADeclarationEntry() and
-    hasDefiniteNumberOfParameters(fde)
-  |
+  // There is an explicit declaration of the function whose parameter count is larger
+  // than the number of call arguments
+  exists(FunctionDeclarationEntry fde | fde = f.getADeclarationEntry() |
     fde.getNumberOfParameters() > fc.getNumberOfArguments()
   )
 }

cpp/ql/src/Metrics/History/HChurn.ql

@@ -0,0 +1,27 @@
+/**
+ * @name Churned lines per file
+ * @description Number of churned lines per file, across the revision
+ *              history in the database.
+ * @kind treemap
+ * @id cpp/historical-churn
+ * @treemap.warnOn highValues
+ * @metricType file
+ * @metricAggregate avg sum max
+ * @tags external-data
+ * @deprecated
+ */
+
+import cpp
+import external.VCS
+
+from File f, int n
+where
+  n =
+    sum(Commit entry, int churn |
+      churn = entry.getRecentChurnForFile(f) and
+      not artificialChange(entry)
+    |
+      churn
+    ) and
+  exists(f.getMetrics().getNumberOfLinesOfCode())
+select f, n order by n desc

cpp/ql/src/Metrics/History/HLinesAdded.ql

@@ -0,0 +1,27 @@
+/**
+ * @name Added lines per file
+ * @description Number of added lines per file, across the revision
+ *              history in the database.
+ * @kind treemap
+ * @id cpp/historical-lines-added
+ * @treemap.warnOn highValues
+ * @metricType file
+ * @metricAggregate avg sum max
+ * @tags external-data
+ * @deprecated
+ */
+
+import cpp
+import external.VCS
+
+from File f, int n
+where
+  n =
+    sum(Commit entry, int churn |
+      churn = entry.getRecentAdditionsForFile(f) and
+      not artificialChange(entry)
+    |
+      churn
+    ) and
+  exists(f.getMetrics().getNumberOfLinesOfCode())
+select f, n order by n desc

cpp/ql/src/Metrics/History/HLinesDeleted.ql

@@ -0,0 +1,27 @@
+/**
+ * @name Deleted lines per file
+ * @description Number of deleted lines per file, across the revision
+ *              history in the database.
+ * @kind treemap
+ * @id cpp/historical-lines-deleted
+ * @treemap.warnOn highValues
+ * @metricType file
+ * @metricAggregate avg sum max
+ * @tags external-data
+ * @deprecated
+ */
+
+import cpp
+import external.VCS
+
+from File f, int n
+where
+  n =
+    sum(Commit entry, int churn |
+      churn = entry.getRecentDeletionsForFile(f) and
+      not artificialChange(entry)
+    |
+      churn
+    ) and
+  exists(f.getMetrics().getNumberOfLinesOfCode())
+select f, n order by n desc

cpp/ql/src/Metrics/History/HNumberOfAuthors.ql

@@ -0,0 +1,18 @@
+/**
+ * @name Number of authors
+ * @description Number of distinct authors for each file.
+ * @kind treemap
+ * @id cpp/historical-number-of-authors
+ * @treemap.warnOn highValues
+ * @metricType file
+ * @metricAggregate avg min max
+ * @tags external-data
+ * @deprecated
+ */
+
+import cpp
+import external.VCS
+
+from File f
+where exists(f.getMetrics().getNumberOfLinesOfCode())
+select f, count(Author author | author.getAnEditedFile() = f)

cpp/ql/src/Metrics/History/HNumberOfChanges.ql

@@ -0,0 +1,19 @@
+/**
+ * @name Number of file-level changes
+ * @description The number of file-level changes made (by version
+ *              control history).
+ * @kind treemap
+ * @id cpp/historical-number-of-changes
+ * @treemap.warnOn highValues
+ * @metricType file
+ * @metricAggregate avg min max sum
+ * @tags external-data
+ * @deprecated
+ */
+
+import cpp
+import external.VCS
+
+from File f
+where exists(f.getMetrics().getNumberOfLinesOfCode())
+select f, count(Commit svn | f = svn.getAnAffectedFile() and not artificialChange(svn))

cpp/ql/src/Metrics/History/HNumberOfCoCommits.ql

@@ -0,0 +1,21 @@
+/**
+ * @name Number of co-committed files
+ * @description The average number of other files that are touched
+ *              whenever a file is affected by a commit.
+ * @kind treemap
+ * @id cpp/historical-number-of-co-commits
+ * @treemap.warnOn highValues
+ * @metricType file
+ * @metricAggregate avg min max
+ * @tags external-data
+ * @deprecated
+ */
+
+import cpp
+import external.VCS
+
+int committedFiles(Commit commit) { result = count(commit.getAnAffectedFile()) }
+
+from File f
+where exists(f.getMetrics().getNumberOfLinesOfCode())
+select f, avg(Commit commit | commit.getAnAffectedFile() = f | committedFiles(commit) - 1)

cpp/ql/src/Metrics/History/HNumberOfReCommits.ql

@@ -0,0 +1,37 @@
+/**
+ * @name Number of re-commits for each file
+ * @description A re-commit is taken to mean a commit to a file that
+ *              was touched less than five days ago.
+ * @kind treemap
+ * @id cpp/historical-number-of-re-commits
+ * @treemap.warnOn highValues
+ * @metricType file
+ * @metricAggregate avg min max
+ * @tags external-data
+ * @deprecated
+ */
+
+import cpp
+import external.VCS
+
+predicate inRange(Commit first, Commit second) {
+  first.getAnAffectedFile() = second.getAnAffectedFile() and
+  first != second and
+  exists(int n |
+    n = first.getDate().daysTo(second.getDate()) and
+    n >= 0 and
+    n < 5
+  )
+}
+
+int recommitsForFile(File f) {
+  result =
+    count(Commit recommit |
+      f = recommit.getAnAffectedFile() and
+      exists(Commit prev | inRange(prev, recommit))
+    )
+}
+
+from File f
+where exists(f.getMetrics().getNumberOfLinesOfCode())
+select f, recommitsForFile(f)

cpp/ql/src/Metrics/History/HNumberOfRecentAuthors.ql

@@ -0,0 +1,27 @@
+/**
+ * @name Number of recent authors
+ * @description Number of distinct authors that have recently made
+ *              changes.
+ * @kind treemap
+ * @id cpp/historical-number-of-recent-authors
+ * @treemap.warnOn highValues
+ * @metricType file
+ * @metricAggregate avg min max
+ * @tags external-data
+ * @deprecated
+ */
+
+import cpp
+import external.VCS
+
+from File f
+where exists(f.getMetrics().getNumberOfLinesOfCode())
+select f,
+  count(Author author |
+    exists(Commit e |
+      e = author.getACommit() and
+      f = e.getAnAffectedFile() and
+      e.daysToNow() <= 180 and
+      not artificialChange(e)
+    )
+  )

cpp/ql/src/Metrics/History/HNumberOfRecentChangedFiles.ql

@@ -0,0 +1,24 @@
+/**
+ * @name Recently changed files
+ * @description Number of files recently edited.
+ * @kind treemap
+ * @id cpp/historical-number-of-recent-changed-files
+ * @treemap.warnOn highValues
+ * @metricType file
+ * @metricAggregate avg min max sum
+ * @tags external-data
+ * @deprecated
+ */
+
+import cpp
+import external.VCS
+
+from File f
+where
+  exists(Commit e |
+    e.getAnAffectedFile() = f and
+    e.daysToNow() <= 180 and
+    not artificialChange(e)
+  ) and
+  exists(f.getMetrics().getNumberOfLinesOfCode())
+select f, 1

cpp/ql/src/Metrics/History/HNumberOfRecentChanges.ql

@@ -0,0 +1,25 @@
+/**
+ * @name Recent changes
+ * @description Number of recent commits to this file.
+ * @kind treemap
+ * @id cpp/historical-number-of-recent-changes
+ * @treemap.warnOn highValues
+ * @metricType file
+ * @metricAggregate avg min max sum
+ * @tags external-data
+ * @deprecated
+ */
+
+import cpp
+import external.VCS
+
+from File f, int n
+where
+  n =
+    count(Commit e |
+      e.getAnAffectedFile() = f and
+      e.daysToNow() <= 180 and
+      not artificialChange(e)
+    ) and
+  exists(f.getMetrics().getNumberOfLinesOfCode())
+select f, n order by n desc

cpp/ql/src/Security/CWE/CWE-134/UncontrolledFormatString.ql

@@ -5,7 +5,7 @@
  *              or data representation problems.
  * @kind path-problem
  * @problem.severity warning
- * @precision high
+ * @precision medium
  * @id cpp/tainted-format-string
  * @tags reliability
  *       security

cpp/ql/src/Security/CWE/CWE-134/UncontrolledFormatStringThroughGlobalVar.ql

@@ -5,7 +5,7 @@
  *              or data representation problems.
  * @kind path-problem
  * @problem.severity warning
- * @precision high
+ * @precision medium
  * @id cpp/tainted-format-string-through-global
  * @tags reliability
  *       security

cpp/ql/src/Security/CWE/CWE-327/BrokenCryptoAlgorithm.ql

@@ -18,7 +18,7 @@ abstract class InsecureCryptoSpec extends Locatable {
 }
 
 Function getAnInsecureFunction() {
-  result.getName().regexpMatch(getInsecureAlgorithmRegex()) and
+  result.getName().regexpMatch(algorithmBlacklistRegex()) and
   exists(result.getACallToThisFunction())
 }
 
@@ -33,7 +33,7 @@ class InsecureFunctionCall extends InsecureCryptoSpec, FunctionCall {
 }
 
 Macro getAnInsecureMacro() {
-  result.getName().regexpMatch(getInsecureAlgorithmRegex()) and
+  result.getName().regexpMatch(algorithmBlacklistRegex()) and
   exists(result.getAnInvocation())
 }
 

cpp/ql/src/Security/CWE/CWE-468/IncorrectPointerScaling.ql

@@ -21,7 +21,7 @@ where
   destBase = baseType(destType) and
   destBase.getSize() != sourceBase.getSize() and
   not dest.isInMacroExpansion() and
-  // If the source type is a `char*` or `void*` then don't
+  // If the source type is a char* or void* then don't
   // produce a result, because it is likely to be a false
   // positive.
   not sourceBase instanceof CharType and

cpp/ql/src/Security/CWE/CWE-468/IncorrectPointerScalingChar.ql

@@ -21,7 +21,7 @@ where
   destBase = baseType(destType) and
   destBase.getSize() != sourceBase.getSize() and
   not dest.isInMacroExpansion() and
-  // If the source type is a `char*` or `void*` then don't
+  // If the source type is a char* or void* then don't
   // produce a result, because it is likely to be a false
   // positive.
   not sourceBase instanceof CharType and

cpp/ql/src/Security/CWE/CWE-468/SuspiciousAddWithSizeof.ql

@@ -24,9 +24,9 @@ private predicate isCharSzPtrExpr(Expr e) {
 from Expr sizeofExpr, Expr e
 where
   // If we see an addWithSizeof then we expect the type of
-  // the pointer expression to be `char*` or `void*`. Otherwise it
+  // the pointer expression to be char* or void*. Otherwise it
   // is probably a mistake.
   addWithSizeof(e, sizeofExpr, _) and not isCharSzPtrExpr(e)
 select sizeofExpr,
-  "Suspicious sizeof offset in a pointer arithmetic expression. The type of the pointer is $@.",
-  e.getFullyConverted().getType() as t, t.toString()
+  "Suspicious sizeof offset in a pointer arithmetic expression. " + "The type of the pointer is " +
+    e.getFullyConverted().getType().toString() + "."

cpp/ql/src/codeql-suites/cpp-code-scanning.qls

@@ -2,5 +2,3 @@
 - qlpack: codeql-cpp
 - apply: code-scanning-selectors.yml
   from: codeql-suite-helpers
-- apply: codeql-suites/exclude-slow-queries.yml
-  from: codeql-cpp

cpp/ql/src/codeql-suites/cpp-lgtm-full.qls

@@ -2,17 +2,13 @@
 - qlpack: codeql-cpp
 - apply: lgtm-selectors.yml
   from: codeql-suite-helpers
-- apply: codeql-suites/exclude-slow-queries.yml
-  from: codeql-cpp 
-# These are only for IDE use.
+# These queries are infeasible to compute on large projects:
 - exclude:
-    tags contain:
-      - ide-contextual-queries/local-definitions
-      - ide-contextual-queries/local-references
-- query: Metrics/Dependencies/ExternalDependencies.ql
-- query: Metrics/Dependencies/ExternalDependenciesSourceLinks.ql
-- query: Metrics/Files/FLinesOfCode.ql
-- query: Metrics/Files/FLinesOfCommentedOutCode.ql
-- query: Metrics/Files/FLinesOfComments.ql
-- query: Metrics/Files/FLinesOfDuplicatedCode.ql
-- query: Metrics/Files/FNumberOfTests.ql
+    query path:
+      - Security/CWE/CWE-497/ExposedSystemData.ql
+      - Critical/DescriptorMayNotBeClosed.ql
+      - Critical/DescriptorNeverClosed.ql
+      - Critical/FileMayNotBeClosed.ql
+      - Critical/FileNeverClosed.ql
+      - Critical/MemoryMayNotBeFreed.ql
+      - Critical/MemoryNeverFreed.ql

cpp/ql/src/codeql-suites/cpp-security-and-quality.qls

@@ -1,6 +0,0 @@
-- description: Security-and-quality queries for C and C++
-- qlpack: codeql-cpp
-- apply: security-and-quality-selectors.yml
-  from: codeql-suite-helpers
-- apply: codeql-suites/exclude-slow-queries.yml
-  from: codeql-cpp

cpp/ql/src/codeql-suites/cpp-security-extended.qls

@@ -1,6 +0,0 @@
-- description: Security-extended queries for C and C++
-- qlpack: codeql-cpp
-- apply: security-extended-selectors.yml
-  from: codeql-suite-helpers
-- apply: codeql-suites/exclude-slow-queries.yml
-  from: codeql-cpp

cpp/ql/src/codeql-suites/exclude-slow-queries.yml

@@ -1,11 +0,0 @@
-- description: C/C++ queries which are infeasible to compute on large projects
-# These queries are infeasible to compute on large projects:
-- exclude:
-    query path:
-      - Security/CWE/CWE-497/ExposedSystemData.ql
-      - Critical/DescriptorMayNotBeClosed.ql
-      - Critical/DescriptorNeverClosed.ql
-      - Critical/FileMayNotBeClosed.ql
-      - Critical/FileNeverClosed.ql
-      - Critical/MemoryMayNotBeFreed.ql
-      - Critical/MemoryNeverFreed.ql

cpp/ql/src/cpp.qll

@@ -32,7 +32,6 @@ import semmle.code.cpp.Enum
 import semmle.code.cpp.Member
 import semmle.code.cpp.Field
 import semmle.code.cpp.Function
-import semmle.code.cpp.MemberFunction
 import semmle.code.cpp.Parameter
 import semmle.code.cpp.Variable
 import semmle.code.cpp.Initializer

cpp/ql/src/default.qll

@@ -1,7 +1 @@
-/**
- * DEPRECATED: use `import cpp` instead of `import default`.
- *
- * Provides classes and predicates for working with C/C++ code.
- */
-
 import cpp

cpp/ql/src/definitions.qll

@@ -132,7 +132,6 @@ private predicate constructorCallTypeMention(ConstructorCall cc, TypeMention tm)
  *  - `"X"` for macro accesses
  *  - `"I"` for import / include directives
  */
-cached
 Top definitionOf(Top e, string kind) {
   (
     // call -> function called
@@ -214,11 +213,3 @@ Top definitionOf(Top e, string kind) {
   // later on.
   strictcount(result.getLocation()) < 10
 }
-
-/**
- * Returns an appropriately encoded version of a filename `name`
- * passed by the VS Code extension in order to coincide with the
- * output of `.getFile()` on locatable entities.
- */
-cached
-File getEncodedFile(string name) { result.getAbsolutePath().replaceAll(":", "_") = name }

cpp/ql/src/experimental/semmle/code/cpp/rangeanalysis/ArrayLengthAnalysis.qll

@@ -1,282 +0,0 @@
-/**
- * Provides precise tracking of how big the memory pointed to by pointers is.
- * For each pointer, we start tracking (starting from the allocation or an array declaration)
- * 1) how long is the chunk of memory allocated
- * 2) where the current pointer is in this chunk of memory
- * As computing this information is obviously not possible for all pointers,
- * we do not guarantee the existence of length/offset information for all pointers.
- * However, when it exists it is guaranteed to be accurate.
- *
- * The  length and offset are tracked in a similar way to the Rangeanalysis.
- * Each length is a `ValueNumber + delta`, and each Offset is an `Operand + delta`.
- * We choose to track a `ValueNumber` for length, because the Rangeanalysis offers
- * integer bounds on instructions and operands in terms of `ValueNumber`s,
- * and `Operand` for offset because integer bounds on `Operand`s are
- * tighter than bounds on `Instruction`s.
- */
-
-import cpp
-import semmle.code.cpp.ir.IR
-private import semmle.code.cpp.ir.ValueNumbering
-private import semmle.code.cpp.ir.internal.CppType
-private import semmle.code.cpp.models.interfaces.Allocation
-private import experimental.semmle.code.cpp.rangeanalysis.RangeUtils
-
-private newtype TLength =
-  TZeroLength() or
-  TVNLength(ValueNumber vn) {
-    not vn.getAnInstruction() instanceof ConstantInstruction and
-    exists(Instruction i |
-      vn.getAnInstruction() = i and
-      (
-        i.getResultIRType() instanceof IRSignedIntegerType or
-        i.getResultIRType() instanceof IRUnsignedIntegerType
-      )
-    |
-      i instanceof PhiInstruction
-      or
-      i instanceof InitializeParameterInstruction
-      or
-      i instanceof CallInstruction
-      or
-      i.(LoadInstruction).getSourceAddress() instanceof VariableAddressInstruction
-      or
-      i.(LoadInstruction).getSourceAddress() instanceof FieldAddressInstruction
-      or
-      i.getAUse() instanceof ArgumentOperand
-    )
-  }
-
-/**
- * Array lengths are represented in a ValueNumber | Zero + delta format.
- * This class keeps track of the ValueNumber or Zero.
- * The delta is tracked in the predicate `knownArrayLength`.
- */
-class Length extends TLength {
-  string toString() { none() } // overridden in subclasses
-}
-
-/**
- * This length class corresponds to an array having a constant length
- * that is tracked by the delta value.
- */
-class ZeroLength extends Length, TZeroLength {
-  override string toString() { result = "ZeroLength" }
-}
-
-/**
- * This length class corresponds to an array having variable length, i.e. the
- * length is tracked by a value number. One example is an array having length
- * `count` for an integer variable `count` in the program.
- */
-class VNLength extends Length, TVNLength {
-  ValueNumber vn;
-
-  VNLength() { this = TVNLength(vn) }
-
-  /** Gets an instruction with this value number bound. */
-  Instruction getInstruction() { this = TVNLength(valueNumber(result)) }
-
-  ValueNumber getValueNumber() { result = vn }
-
-  override string toString() { result = "VNLength(" + vn.getExampleInstruction().toString() + ")" }
-}
-
-private newtype TOffset =
-  TZeroOffset() or
-  TOpOffset(Operand op) {
-    op.getAnyDef().getResultIRType() instanceof IRSignedIntegerType or
-    op.getAnyDef().getResultIRType() instanceof IRUnsignedIntegerType
-  }
-
-/**
- * This class describes the offset of a pointer in a chunk of memory.
- * It is either an `Operand` or zero, an additional integer delta is added later.
- */
-class Offset extends TOffset {
-  string toString() { none() } // overridden in subclasses
-}
-
-/**
- * This class represents a fixed offset, only specified by a delta.
- */
-class ZeroOffset extends Offset, TZeroOffset {
-  override string toString() { result = "ZeroOffset" }
-}
-
-/**
- * This class represents an offset of an operand.
- */
-class OpOffset extends Offset, TOpOffset {
-  Operand op;
-
-  OpOffset() { this = TOpOffset(op) }
-
-  Operand getOperand() { result = op }
-
-  override string toString() { result = "OpOffset(" + op.getDef().toString() + ")" }
-}
-
-private int getBaseSizeForPointerType(PointerType type) { result = type.getBaseType().getSize() }
-
-/**
- * Holds if pointer `prev` that points at offset `prevOffset + prevOffsetDelta`
- * steps to `array` that points to `offset + offsetDelta` in one step.
- * This predicate does not contain any recursive steps.
- */
-bindingset[prevOffset, prevOffsetDelta]
-predicate simpleArrayLengthStep(
-  Instruction array, Offset offset, int offsetDelta, Instruction prev, Offset prevOffset,
-  int prevOffsetDelta
-) {
-  // array assign
-  array.(CopyInstruction).getSourceValue() = prev and
-  offset = prevOffset and
-  offsetDelta = prevOffsetDelta
-  or
-  // pointer add with constant
-  array.(PointerAddInstruction).getLeft() = prev and
-  offset = prevOffset and
-  offsetDelta = prevOffsetDelta + getConstantValue(array.(PointerAddInstruction).getRight())
-  or
-  // pointer add with variable
-  array.(PointerAddInstruction).getLeft() = prev and
-  prevOffset instanceof ZeroOffset and
-  offset.(OpOffset).getOperand() = array.(PointerAddInstruction).getRightOperand() and
-  offsetDelta = prevOffsetDelta and
-  not exists(getConstantValue(array.(PointerAddInstruction).getRight()))
-  or
-  // pointer sub with constant
-  array.(PointerSubInstruction).getLeft() = prev and
-  offset = prevOffset and
-  offsetDelta = prevOffsetDelta - getConstantValue(array.(PointerSubInstruction).getRight())
-  or
-  // array to pointer decay
-  array.(ConvertInstruction).getUnary() = prev and
-  array.getConvertedResultExpression() instanceof ArrayToPointerConversion and
-  offset = prevOffset and
-  offsetDelta = prevOffsetDelta
-  or
-  // cast of pointer to pointer with the same element size
-  exists(PointerType fromTyp, PointerType toTyp |
-    array.(PtrToPtrCastInstruction).getUnary() = prev and
-    prev.getResultLanguageType().hasType(fromTyp, false) and
-    array.getResultLanguageType().hasType(toTyp, false) and
-    offset = prevOffset and
-    offsetDelta = prevOffsetDelta and
-    if fromTyp instanceof VoidPointerType
-    then getBaseSizeForPointerType(toTyp) = 1
-    else (
-      if toTyp instanceof VoidPointerType
-      then getBaseSizeForPointerType(fromTyp) = 1
-      else getBaseSizeForPointerType(toTyp) = getBaseSizeForPointerType(fromTyp)
-    )
-  )
-}
-
-/**
- * Parses a `sizeExpr` of malloc into a variable part (`lengthExpr`) and an integer offset (`delta`).
- */
-private predicate deconstructMallocSizeExpr(Expr sizeExpr, Expr lengthExpr, int delta) {
-  sizeExpr instanceof AddExpr and
-  exists(Expr constantExpr |
-    lengthExpr = sizeExpr.(AddExpr).getAnOperand() and
-    constantExpr = sizeExpr.(AddExpr).getAnOperand() and
-    lengthExpr != constantExpr and
-    delta = constantExpr.getValue().toInt()
-  )
-  or
-  sizeExpr instanceof SubExpr and
-  exists(Expr constantExpr |
-    lengthExpr = sizeExpr.(SubExpr).getLeftOperand() and
-    constantExpr = sizeExpr.(SubExpr).getRightOperand() and
-    delta = -constantExpr.getValue().toInt()
-  )
-}
-
-/**
- * Holds if the instruction `array` is a dynamic memory allocation of `length`+`delta` elements.
- */
-private predicate allocation(Instruction array, Length length, int delta) {
-  exists(AllocationExpr alloc, Type ptrTyp |
-    array.getUnconvertedResultExpression() = alloc and
-    array.getResultLanguageType().hasType(ptrTyp, false) and
-    // ensure that we have the same type of the allocation and the pointer
-    ptrTyp.stripTopLevelSpecifiers().(PointerType).getBaseType().getUnspecifiedType() =
-      alloc.getAllocatedElementType().getUnspecifiedType() and
-    // ensure that the size multiplier of the allocation is the same as the
-    // size of the type we are allocating
-    alloc.getSizeMult() = getBaseSizeForPointerType(ptrTyp) and
-    (
-      length instanceof ZeroLength and
-      delta = alloc.getSizeExpr().getValue().toInt()
-      or
-      not exists(alloc.getSizeExpr().getValue().toInt()) and
-      (
-        exists(Expr lengthExpr |
-          deconstructMallocSizeExpr(alloc.getSizeExpr(), lengthExpr, delta) and
-          length.(VNLength).getInstruction().getConvertedResultExpression() = lengthExpr
-        )
-        or
-        not exists(int d | deconstructMallocSizeExpr(alloc.getSizeExpr(), _, d)) and
-        length.(VNLength).getInstruction().getConvertedResultExpression() = alloc.getSizeExpr() and
-        delta = 0
-      )
-    )
-  )
-}
-
-/**
- * Holds if `array` is declared as an array with length `length + lengthDelta`
- */
-private predicate arrayDeclaration(Instruction array, Length length, int lengthDelta) {
-  (
-    array instanceof VariableAddressInstruction or
-    array instanceof FieldAddressInstruction
-  ) and
-  exists(ArrayType type | array.getResultLanguageType().hasType(type, _) |
-    length instanceof ZeroLength and
-    lengthDelta = type.getArraySize()
-  )
-}
-
-/**
- * Holds if `array` is declared as an array or allocated
- * with length `length + lengthDelta`
- */
-predicate arrayAllocationOrDeclaration(Instruction array, Length length, int lengthDelta) {
-  allocation(array, length, lengthDelta)
-  or
-  // declaration of variable of array type
-  arrayDeclaration(array, length, lengthDelta)
-}
-
-/**
- * Holds if the instruction `array` represents a pointer to a chunk of memory that holds
- * `length + lengthDelta` elements, using only local analysis.
- * `array` points at `offset + offsetDelta` in the chunk of memory.
- * The pointer is in-bounds if `offset + offsetDelta < length + lengthDelta` and
- * `offset + offsetDelta >= 0` holds.
- * The pointer is out-of-bounds if `offset + offsetDelta >= length + lengthDelta`
- * or `offset + offsetDelta < 0` holds.
- * All pointers in this predicate are guaranteed to be non-null,
- * but are not guaranteed to be live.
- */
-predicate knownArrayLength(
-  Instruction array, Length length, int lengthDelta, Offset offset, int offsetDelta
-) {
-  arrayAllocationOrDeclaration(array, length, lengthDelta) and
-  offset instanceof ZeroOffset and
-  offsetDelta = 0
-  or
-  // simple step (no phi nodes)
-  exists(Instruction prev, Offset prevOffset, int prevOffsetDelta |
-    knownArrayLength(prev, length, lengthDelta, prevOffset, prevOffsetDelta) and
-    simpleArrayLengthStep(array, offset, offsetDelta, prev, prevOffset, prevOffsetDelta)
-  )
-  or
-  // merge control flow after phi node - but only if all the bounds agree
-  forex(Instruction input | array.(PhiInstruction).getAnInput() = input |
-    knownArrayLength(input, length, lengthDelta, offset, offsetDelta)
-  )
-}

cpp/ql/src/experimental/semmle/code/cpp/rangeanalysis/InBoundsPointerDeref.qll

@@ -1,105 +0,0 @@
-/**
- * This library proves that a subset of pointer dereferences in a program are
- * safe, i.e. in-bounds.
- * It does so by first defining what a pointer dereference is (on the IR
- * `Instruction` level), and then using the array length analysis and the range
- * analysis together to prove that some of these pointer dereferences are safe.
- *
- * The analysis is soundy, i.e. it is sound if no undefined behaviour is present
- * in the program.
- * Furthermore, it crucially depends on the soundiness of the range analysis and
- * the array length analysis.
- */
-
-import cpp
-private import experimental.semmle.code.cpp.rangeanalysis.ArrayLengthAnalysis
-private import experimental.semmle.code.cpp.rangeanalysis.RangeAnalysis
-
-/**
- * Gets the instruction that computes the address of memory that `i` accesses.
- * Only holds if `i` dereferences a pointer, not when the computation of the
- * memory address is constant, or if the address of a local variable is loaded/stored to.
- */
-private Instruction getMemoryAddressInstruction(Instruction i) {
-  (
-    result = i.(FieldAddressInstruction).getObjectAddress() or
-    result = i.(LoadInstruction).getSourceAddress() or
-    result = i.(StoreInstruction).getDestinationAddress()
-  ) and
-  not result instanceof FieldAddressInstruction and
-  not result instanceof VariableAddressInstruction and
-  not result instanceof ConstantValueInstruction
-}
-
-/**
- * All instructions that dereference a pointer.
- */
-class PointerDereferenceInstruction extends Instruction {
-  PointerDereferenceInstruction() { exists(getMemoryAddressInstruction(this)) }
-
-  Instruction getAddress() { result = getMemoryAddressInstruction(this) }
-}
-
-/**
- * Holds if `ptrDeref` can be proven to always access allocated memory.
- */
-predicate inBounds(PointerDereferenceInstruction ptrDeref) {
-  exists(Length length, int lengthDelta, Offset offset, int offsetDelta |
-    knownArrayLength(ptrDeref.getAddress(), length, lengthDelta, offset, offsetDelta) and
-    // lower bound - note that we treat a pointer that accesses an array of
-    // length 0 as on upper-bound violation, but not as a lower-bound violation
-    (
-      offset instanceof ZeroOffset and
-      offsetDelta >= 0
-      or
-      offset instanceof OpOffset and
-      exists(int lowerBoundDelta |
-        boundedOperand(offset.(OpOffset).getOperand(), any(ZeroBound b), lowerBoundDelta,
-          /*upper*/ false, _) and
-        lowerBoundDelta + offsetDelta >= 0
-      )
-    ) and
-    // upper bound
-    (
-      // both offset and length are only integers
-      length instanceof ZeroLength and
-      offset instanceof ZeroOffset and
-      offsetDelta < lengthDelta
-      or
-      exists(int lengthBound |
-        // array length is variable+integer, and there's a fixed (integer-only)
-        // lower bound on the variable, so we can guarantee this access is always in-bounds
-        length instanceof VNLength and
-        offset instanceof ZeroOffset and
-        boundedInstruction(length.(VNLength).getInstruction(), any(ZeroBound b), lengthBound,
-          /* upper*/ false, _) and
-        offsetDelta < lengthBound + lengthDelta
-      )
-      or
-      exists(int offsetBoundDelta |
-        length instanceof ZeroLength and
-        offset instanceof OpOffset and
-        boundedOperand(offset.(OpOffset).getOperand(), any(ZeroBound b), offsetBoundDelta,
-          /* upper */ true, _) and
-        // offset <= offsetBoundDelta, so offset + offsetDelta <= offsetDelta + offsetBoundDelta
-        // Thus, in-bounds if offsetDelta + offsetBoundDelta < lengthDelta
-        // as we have length instanceof ZeroLength
-        offsetDelta + offsetBoundDelta < lengthDelta
-      )
-      or
-      exists(ValueNumberBound b, int offsetBoundDelta |
-        length instanceof VNLength and
-        offset instanceof OpOffset and
-        b.getValueNumber() = length.(VNLength).getValueNumber() and
-        // It holds that offset <= length + offsetBoundDelta
-        boundedOperand(offset.(OpOffset).getOperand(), b, offsetBoundDelta, /*upper*/ true, _) and
-        // it also holds that
-        offsetDelta < lengthDelta - offsetBoundDelta
-        // taking both inequalities together we get
-        //    offset <= length + offsetBoundDelta
-        // => offset + offsetDelta <= length + offsetBoundDelta + offsetDelta < length + offsetBoundDelta + lengthDelta - offsetBoundDelta
-        // as required
-      )
-    )
-  )
-}

cpp/ql/src/external/CodeDuplication.qll

@@ -1,5 +1,3 @@
-/** Provides classes for detecting duplicate or similar code. */
-
 import cpp
 
 private string relativePath(File file) { result = file.getRelativePath().replaceAll("\\", "/") }
@@ -10,12 +8,9 @@ private predicate tokenLocation(string path, int sl, int sc, int ec, int el, Cop
   tokens(copy, index, sl, sc, ec, el)
 }
 
-/** A token block used for detection of duplicate and similar code. */
 class Copy extends @duplication_or_similarity {
-  /** Gets the index of the last token in this block. */
   private int lastToken() { result = max(int i | tokens(this, i, _, _, _, _) | i) }
 
-  /** Gets the index of the token in this block starting at the location `loc`, if any. */
   int tokenStartingAt(Location loc) {
     exists(string filepath, int startline, int startcol |
       loc.hasLocationInfo(filepath, startline, startcol, _, _) and
@@ -23,7 +18,6 @@ class Copy extends @duplication_or_similarity {
     )
   }
 
-  /** Gets the index of the token in this block ending at the location `loc`, if any. */
   int tokenEndingAt(Location loc) {
     exists(string filepath, int endline, int endcol |
       loc.hasLocationInfo(filepath, _, _, endline, endcol) and
@@ -31,38 +25,24 @@ class Copy extends @duplication_or_similarity {
     )
   }
 
-  /** Gets the line on which the first token in this block starts. */
   int sourceStartLine() { tokens(this, 0, result, _, _, _) }
 
-  /** Gets the column on which the first token in this block starts. */
   int sourceStartColumn() { tokens(this, 0, _, result, _, _) }
 
-  /** Gets the line on which the last token in this block ends. */
   int sourceEndLine() { tokens(this, lastToken(), _, _, result, _) }
 
-  /** Gets the column on which the last token in this block ends. */
   int sourceEndColumn() { tokens(this, lastToken(), _, _, _, result) }
 
-  /** Gets the number of lines containing at least (part of) one token in this block. */
   int sourceLines() { result = this.sourceEndLine() + 1 - this.sourceStartLine() }
 
-  /** Gets an opaque identifier for the equivalence class of this block. */
   int getEquivalenceClass() { duplicateCode(this, _, result) or similarCode(this, _, result) }
 
-  /** Gets the source file in which this block appears. */
   File sourceFile() {
     exists(string name | duplicateCode(this, name, _) or similarCode(this, name, _) |
       name.replaceAll("\\", "/") = relativePath(result)
     )
   }
 
-  /**
-   * Holds if this element is at the specified location.
-   * The location spans column `startcolumn` of line `startline` to
-   * column `endcolumn` of line `endline` in file `filepath`.
-   * For more information, see
-   * [Locations](https://help.semmle.com/QL/learn-ql/ql/locations.html).
-   */
   predicate hasLocationInfo(
     string filepath, int startline, int startcolumn, int endline, int endcolumn
   ) {
@@ -73,30 +53,25 @@ class Copy extends @duplication_or_similarity {
     endcolumn = sourceEndColumn()
   }
 
-  /** Gets a textual representation of this element. */
   string toString() { none() }
 }
 
-/** A block of duplicated code. */
 class DuplicateBlock extends Copy, @duplication {
   override string toString() { result = "Duplicate code: " + sourceLines() + " duplicated lines." }
 }
 
-/** A block of similar code. */
 class SimilarBlock extends Copy, @similarity {
   override string toString() {
     result = "Similar code: " + sourceLines() + " almost duplicated lines."
   }
 }
 
-/** Gets a function with a body and a location. */
 FunctionDeclarationEntry sourceMethod() {
   result.isDefinition() and
   exists(result.getLocation()) and
   numlines(unresolveElement(result.getFunction()), _, _, _)
 }
 
-/** Gets the number of member functions in `c` with a body and a location. */
 int numberOfSourceMethods(Class c) {
   result =
     count(FunctionDeclarationEntry m |
@@ -133,10 +108,6 @@ private predicate duplicateStatement(
   )
 }
 
-/**
- * Holds if `m1` is a function with `total` lines, and `m2` is a function
- * that has `duplicate` lines in common with `m1`.
- */
 predicate duplicateStatements(
   FunctionDeclarationEntry m1, FunctionDeclarationEntry m2, int duplicate, int total
 ) {
@@ -144,16 +115,13 @@ predicate duplicateStatements(
   total = strictcount(statementInMethod(m1))
 }
 
-/** Holds if `m` and other are identical functions. */
+/**
+ * Find pairs of methods are identical
+ */
 predicate duplicateMethod(FunctionDeclarationEntry m, FunctionDeclarationEntry other) {
   exists(int total | duplicateStatements(m, other, total, total))
 }
 
-/**
- * INTERNAL: do not use.
- *
- * Holds if `line` in `f` is similar to a line somewhere else.
- */
 predicate similarLines(File f, int line) {
   exists(SimilarBlock b | b.sourceFile() = f and line in [b.sourceStartLine() .. b.sourceEndLine()])
 }
@@ -184,7 +152,6 @@ private predicate similarLinesCoveredFiles(File f, File otherFile) {
   )
 }
 
-/** Holds if `coveredLines` lines of `f` are similar to lines in `otherFile`. */
 predicate similarLinesCovered(File f, int coveredLines, File otherFile) {
   exists(int numLines | numLines = f.getMetrics().getNumberOfLines() |
     similarLinesCoveredFiles(f, otherFile) and
@@ -199,11 +166,6 @@ predicate similarLinesCovered(File f, int coveredLines, File otherFile) {
   )
 }
 
-/**
- * INTERNAL: do not use.
- *
- * Holds if `line` in `f` is duplicated by a line somewhere else.
- */
 predicate duplicateLines(File f, int line) {
   exists(DuplicateBlock b |
     b.sourceFile() = f and line in [b.sourceStartLine() .. b.sourceEndLine()]
@@ -220,7 +182,6 @@ private predicate duplicateLinesPerEquivalenceClass(int equivClass, int lines, F
     )
 }
 
-/** Holds if `coveredLines` lines of `f` are duplicates of lines in `otherFile`. */
 predicate duplicateLinesCovered(File f, int coveredLines, File otherFile) {
   exists(int numLines | numLines = f.getMetrics().getNumberOfLines() |
     exists(int coveredApprox |
@@ -245,7 +206,6 @@ predicate duplicateLinesCovered(File f, int coveredLines, File otherFile) {
   )
 }
 
-/** Holds if most of `f` (`percent`%) is similar to `other`. */
 predicate similarFiles(File f, File other, int percent) {
   exists(int covered, int total |
     similarLinesCovered(f, covered, other) and
@@ -256,7 +216,6 @@ predicate similarFiles(File f, File other, int percent) {
   not duplicateFiles(f, other, _)
 }
 
-/** Holds if most of `f` (`percent`%) is duplicated by `other`. */
 predicate duplicateFiles(File f, File other, int percent) {
   exists(int covered, int total |
     duplicateLinesCovered(f, covered, other) and
@@ -266,10 +225,6 @@ predicate duplicateFiles(File f, File other, int percent) {
   )
 }
 
-/**
- * Holds if most member functions of `c` (`numDup` out of `total`) are
- * duplicates of member functions in `other`.
- */
 predicate mostlyDuplicateClassBase(Class c, Class other, int numDup, int total) {
   numDup =
     strictcount(FunctionDeclarationEntry m1 |
@@ -285,11 +240,6 @@ predicate mostlyDuplicateClassBase(Class c, Class other, int numDup, int total)
   (numDup * 100) / total > 80
 }
 
-/**
- * Holds if most member functions of `c` are duplicates of member functions in
- * `other`. Provides the human-readable `message` to describe the amount of
- * duplication.
- */
 predicate mostlyDuplicateClass(Class c, Class other, string message) {
   exists(int numDup, int total |
     mostlyDuplicateClassBase(c, other, numDup, total) and
@@ -314,21 +264,12 @@ predicate mostlyDuplicateClass(Class c, Class other, string message) {
   )
 }
 
-/** Holds if `f` and `other` are similar or duplicates. */
 predicate fileLevelDuplication(File f, File other) {
   similarFiles(f, other, _) or duplicateFiles(f, other, _)
 }
 
-/**
- * Holds if most member functions of `c` are duplicates of member functions in
- * `other`.
- */
 predicate classLevelDuplication(Class c, Class other) { mostlyDuplicateClass(c, other, _) }
 
-/**
- * Holds if `line` in `f` should be allowed to be duplicated. This is the case
- * for `#include` directives.
- */
 predicate whitelistedLineForDuplication(File f, int line) {
   exists(Include i | i.getFile() = f and i.getLocation().getStartLine() = line)
 }

cpp/ql/src/external/DefectFilter.qll

@@ -1,52 +1,31 @@
-/** Provides a class for working with defect query results stored in dashboard databases. */
-
 import cpp
 
-/**
- * Holds if `id` in the opaque identifier of a result reported by query `queryPath`,
- * such that `message` is the associated message and the location of the result spans
- * column `startcolumn` of line `startline` to column `endcolumn` of line `endline`
- * in file `filepath`.
- *
- * For more information, see [Locations](https://help.semmle.com/QL/learn-ql/ql/locations.html).
- */
 external predicate defectResults(
   int id, string queryPath, string file, int startline, int startcol, int endline, int endcol,
   string message
 );
 
-/**
- * A defect query result stored in a dashboard database.
- */
 class DefectResult extends int {
   DefectResult() { defectResults(this, _, _, _, _, _, _, _) }
 
-  /** Gets the path of the query that reported the result. */
   string getQueryPath() { defectResults(this, result, _, _, _, _, _, _) }
 
-  /** Gets the file in which this query result was reported. */
   File getFile() {
     exists(string path |
       defectResults(this, _, path, _, _, _, _, _) and result.getAbsolutePath() = path
     )
   }
 
-  /** Gets the line on which the location of this query result starts. */
   int getStartLine() { defectResults(this, _, _, result, _, _, _, _) }
 
-  /** Gets the column on which the location of this query result starts. */
   int getStartColumn() { defectResults(this, _, _, _, result, _, _, _) }
 
-  /** Gets the line on which the location of this query result ends. */
   int getEndLine() { defectResults(this, _, _, _, _, result, _, _) }
 
-  /** Gets the column on which the location of this query result ends. */
   int getEndColumn() { defectResults(this, _, _, _, _, _, result, _) }
 
-  /** Gets the message associated with this query result. */
   string getMessage() { defectResults(this, _, _, _, _, _, _, result) }
 
-  /** Gets the URL corresponding to the location of this query result. */
   string getURL() {
     result =
       "file://" + getFile().getAbsolutePath() + ":" + getStartLine() + ":" + getStartColumn() + ":" +

cpp/ql/src/external/ExternalArtifact.qll

@@ -1,45 +1,26 @@
-/**
- * Provides classes for working with external data.
- */
-
 import cpp
 
-/**
- * An external data item.
- */
 class ExternalData extends @externalDataElement {
-  /** Gets the path of the file this data was loaded from. */
   string getDataPath() { externalData(this, result, _, _) }
 
-  /**
-   * Gets the path of the file this data was loaded from, with its
-   * extension replaced by `.ql`.
-   */
   string getQueryPath() { result = getDataPath().regexpReplaceAll("\\.[^.]*$", ".ql") }
 
-  /** Gets the number of fields in this data item. */
   int getNumFields() { result = 1 + max(int i | externalData(this, _, i, _) | i) }
 
-  /** Gets the value of the `i`th field of this data item. */
-  string getField(int i) { externalData(this, _, i, result) }
+  string getField(int index) { externalData(this, _, index, result) }
 
-  /** Gets the integer value of the `i`th field of this data item. */
-  int getFieldAsInt(int i) { result = getField(i).toInt() }
+  int getFieldAsInt(int index) { result = getField(index).toInt() }
 
-  /** Gets the floating-point value of the `i`th field of this data item. */
-  float getFieldAsFloat(int i) { result = getField(i).toFloat() }
+  float getFieldAsFloat(int index) { result = getField(index).toFloat() }
 
-  /** Gets the value of the `i`th field of this data item, interpreted as a date. */
-  date getFieldAsDate(int i) { result = getField(i).toDate() }
+  date getFieldAsDate(int index) { result = getField(index).toDate() }
 
-  /** Gets a textual representation of this data item. */
   string toString() { result = getQueryPath() + ": " + buildTupleString(0) }
 
-  /** Gets a textual representation of this data item, starting with the `n`th field. */
-  private string buildTupleString(int n) {
-    n = getNumFields() - 1 and result = getField(n)
+  private string buildTupleString(int start) {
+    start = getNumFields() - 1 and result = getField(start)
     or
-    n < getNumFields() - 1 and result = getField(n) + "," + buildTupleString(n + 1)
+    start < getNumFields() - 1 and result = getField(start) + "," + buildTupleString(start + 1)
   }
 }
 
@@ -52,9 +33,7 @@ class DefectExternalData extends ExternalData {
     this.getNumFields() = 2
   }
 
-  /** Gets the URL associated with this data item. */
   string getURL() { result = getField(0) }
 
-  /** Gets the message associated with this data item. */
   string getMessage() { result = getField(1) }
 }

cpp/ql/src/external/MetricFilter.qll

@@ -1,58 +1,31 @@
-/** Provides a class for working with metric query results stored in dashboard databases. */
-
 import cpp
 
-/**
- * Holds if `id` in the opaque identifier of a result reported by query `queryPath`,
- * such that `value` is the reported metric value and the location of the result spans
- * column `startcolumn` of line `startline` to column `endcolumn` of line `endline`
- * in file `filepath`.
- *
- * For more information, see [Locations](https://help.semmle.com/QL/learn-ql/ql/locations.html).
- */
 external predicate metricResults(
   int id, string queryPath, string file, int startline, int startcol, int endline, int endcol,
   float value
 );
 
-/**
- * A metric query result stored in a dashboard database.
- */
 class MetricResult extends int {
   MetricResult() { metricResults(this, _, _, _, _, _, _, _) }
 
-  /** Gets the path of the query that reported the result. */
   string getQueryPath() { metricResults(this, result, _, _, _, _, _, _) }
 
-  /** Gets the file in which this query result was reported. */
   File getFile() {
     exists(string path |
       metricResults(this, _, path, _, _, _, _, _) and result.getAbsolutePath() = path
     )
   }
 
-  /** Gets the line on which the location of this query result starts. */
   int getStartLine() { metricResults(this, _, _, result, _, _, _, _) }
 
-  /** Gets the column on which the location of this query result starts. */
   int getStartColumn() { metricResults(this, _, _, _, result, _, _, _) }
 
-  /** Gets the line on which the location of this query result ends. */
   int getEndLine() { metricResults(this, _, _, _, _, result, _, _) }
 
-  /** Gets the column on which the location of this query result ends. */
   int getEndColumn() { metricResults(this, _, _, _, _, _, result, _) }
 
-  /**
-   * Holds if there is a `Location` entity whose location is the same as
-   * the location of this query result.
-   */
   predicate hasMatchingLocation() { exists(this.getMatchingLocation()) }
 
-  /**
-   * Gets the `Location` entity whose location is the same as the location
-   * of this query result.
-   */
   Location getMatchingLocation() {
     result.getFile() = this.getFile() and
     result.getStartLine() = this.getStartLine() and
@@ -61,10 +34,8 @@ class MetricResult extends int {
     result.getEndColumn() = this.getEndColumn()
   }
 
-  /** Gets the value associated with this query result. */
   float getValue() { metricResults(this, _, _, _, _, _, _, result) }
 
-  /** Gets the URL corresponding to the location of this query result. */
   string getURL() {
     result =
       "file://" + getFile().getAbsolutePath() + ":" + getStartLine() + ":" + getStartColumn() + ":" +

cpp/ql/src/external/VCS.qll

@@ -0,0 +1,92 @@
+import cpp
+
+class Commit extends @svnentry {
+  Commit() {
+    svnaffectedfiles(this, _, _) and
+    exists(date svnDate, date snapshotDate |
+      svnentries(this, _, _, svnDate, _) and
+      snapshotDate(snapshotDate) and
+      svnDate <= snapshotDate
+    )
+  }
+
+  string toString() { result = this.getRevisionName() }
+
+  string getRevisionName() { svnentries(this, result, _, _, _) }
+
+  string getAuthor() { svnentries(this, _, result, _, _) }
+
+  date getDate() { svnentries(this, _, _, result, _) }
+
+  int getChangeSize() { svnentries(this, _, _, _, result) }
+
+  string getMessage() { svnentrymsg(this, result) }
+
+  string getAnAffectedFilePath(string action) {
+    exists(File rawFile | svnaffectedfiles(this, unresolveElement(rawFile), action) |
+      result = rawFile.getAbsolutePath()
+    )
+  }
+
+  string getAnAffectedFilePath() { result = getAnAffectedFilePath(_) }
+
+  File getAnAffectedFile(string action) {
+    // Workaround for incorrect keys in SVN data
+    exists(File svnFile | svnFile.getAbsolutePath() = result.getAbsolutePath() |
+      svnaffectedfiles(this, unresolveElement(svnFile), action)
+    ) and
+    exists(result.getMetrics().getNumberOfLinesOfCode())
+  }
+
+  File getAnAffectedFile() { exists(string action | result = this.getAnAffectedFile(action)) }
+
+  private predicate churnForFile(File f, int added, int deleted) {
+    // Workaround for incorrect keys in SVN data
+    exists(File svnFile | svnFile.getAbsolutePath() = f.getAbsolutePath() |
+      svnchurn(this, unresolveElement(svnFile), added, deleted)
+    ) and
+    exists(f.getMetrics().getNumberOfLinesOfCode())
+  }
+
+  int getRecentChurnForFile(File f) {
+    exists(int added, int deleted | churnForFile(f, added, deleted) and result = added + deleted)
+  }
+
+  int getRecentAdditionsForFile(File f) { churnForFile(f, result, _) }
+
+  int getRecentDeletionsForFile(File f) { churnForFile(f, _, result) }
+
+  predicate isRecent() { recentCommit(this) }
+
+  int daysToNow() {
+    exists(date now | snapshotDate(now) | result = getDate().daysTo(now) and result >= 0)
+  }
+}
+
+class Author extends string {
+  Author() { exists(Commit e | this = e.getAuthor()) }
+
+  Commit getACommit() { result.getAuthor() = this }
+
+  File getAnEditedFile() { result = this.getACommit().getAnAffectedFile() }
+}
+
+predicate recentCommit(Commit e) {
+  exists(date snapshotDate, date commitDate, int days |
+    snapshotDate(snapshotDate) and
+    e.getDate() = commitDate and
+    days = commitDate.daysTo(snapshotDate) and
+    days >= 0 and
+    days <= 60
+  )
+}
+
+date firstChange(File f) {
+  result = min(Commit e, date toMin | f = e.getAnAffectedFile() and toMin = e.getDate() | toMin)
+}
+
+predicate firstCommit(Commit e) {
+  not exists(File f | f = e.getAnAffectedFile() | firstChange(f) < e.getDate())
+}
+
+predicate artificialChange(Commit e) { firstCommit(e) or e.getChangeSize() >= 50000 }

cpp/ql/src/external/tests/DefectFromSVN.ql

@@ -0,0 +1,20 @@
+/**
+ * @name Defect from SVN
+ * @description A test case for creating a defect from SVN data.
+ * @kind problem
+ * @problem.severity warning
+ * @tags external-data
+ * @deprecated
+ */
+
+import cpp
+import external.ExternalArtifact
+import external.VCS
+
+predicate numCommits(File f, int i) { i = count(Commit e | e.getAnAffectedFile() = f) }
+
+predicate maxCommits(int i) { i = max(File f, int j | numCommits(f, j) | j) }
+
+from File f, int i
+where numCommits(f, i) and maxCommits(i)
+select f, "This file has " + i + " commits."

cpp/ql/src/external/tests/MetricFromSVN.ql

@@ -0,0 +1,17 @@
+/**
+ * @name Metric from SVN
+ * @description Find number of commits for a file
+ * @treemap.warnOn lowValues
+ * @metricType file
+ * @tags external-data
+ * @deprecated
+ */
+
+import cpp
+import external.VCS
+
+predicate numCommits(File f, int i) { i = count(Commit e | e.getAnAffectedFile() = f) }
+
+from File f, int i
+where numCommits(f, i)
+select f, i

cpp/ql/src/filters/RecentDefects.ql

@@ -0,0 +1,25 @@
+/**
+ * @name Filter: exclude results from files that have not recently been
+ *               edited
+ * @description Use this filter to return results only if they are
+ *              located in files that have been modified in the 60 days
+ *              before the date of the snapshot.
+ * @kind problem
+ * @id cpp/recent-defects-filter
+ * @tags filter
+ *       external-data
+ * @deprecated
+ */
+
+import cpp
+import external.DefectFilter
+import external.VCS
+
+pragma[noopt]
+private predicate recent(File file) {
+  exists(Commit e | file = e.getAnAffectedFile() | e.isRecent() and not artificialChange(e))
+}
+
+from DefectResult res
+where recent(res.getFile())
+select res, res.getMessage()

cpp/ql/src/filters/RecentDefectsForMetric.ql

@@ -0,0 +1,25 @@
+/**
+ * @name Metric filter: exclude results from files that have not
+ *       recently been edited
+ * @description Use this filter to return results only if they are
+ *              located in files that have been modified in the 60 days
+ *              before the snapshot.
+ * @kind treemap
+ * @id cpp/recent-defects-for-metric-filter
+ * @tags filter
+ *       external-data
+ * @deprecated
+ */
+
+import cpp
+import external.MetricFilter
+import external.VCS
+
+pragma[noopt]
+private predicate recent(File file) {
+  exists(Commit e | file = e.getAnAffectedFile() | e.isRecent() and not artificialChange(e))
+}
+
+from MetricResult res
+where recent(res.getFile())
+select res, res.getValue()

cpp/ql/src/localDefinitions.ql

@@ -1,16 +0,0 @@
-/**
- * @name Jump-to-definition links
- * @description Generates use-definition pairs that provide the data
- *              for jump-to-definition in the code viewer.
- * @kind definitions
- * @id cpp/ide-jump-to-definition
- * @tags ide-contextual-queries/local-definitions
- */
-
-import definitions
-
-external string selectedSourceFile();
-
-from Top e, Top def, string kind
-where def = definitionOf(e, kind) and e.getFile() = getEncodedFile(selectedSourceFile())
-select e, def, kind

cpp/ql/src/localReferences.ql

@@ -1,16 +0,0 @@
-/**
- * @name Find-references links
- * @description Generates use-definition pairs that provide the data
- *              for find-references in the code viewer.
- * @kind definitions
- * @id cpp/ide-find-references
- * @tags ide-contextual-queries/local-references
- */
-
-import definitions
-
-external string selectedSourceFile();
-
-from Top e, Top def, string kind
-where def = definitionOf(e, kind) and def.getFile() = getEncodedFile(selectedSourceFile())
-select e, def, kind

cpp/ql/src/objc.qll

@@ -1,7 +1 @@
-/**
- * DEPRECATED: Objective C is no longer supported.
- *
- * Import `cpp` instead of `objc`.
- */
-
 import cpp

cpp/ql/src/printAst.ql

@@ -1,27 +0,0 @@
-/**
- * @name Print AST
- * @description Outputs a representation of a file's Abstract Syntax Tree. This
- *              query is used by the VS Code extension.
- * @id cpp/print-ast
- * @kind graph
- * @tags ide-contextual-queries/print-ast
- */
-
-import cpp
-import semmle.code.cpp.PrintAST
-import definitions
-
-/**
- * The source file to generate an AST from.
- */
-external string selectedSourceFile();
-
-class Cfg extends PrintASTConfiguration {
-  /**
-   * Holds if the AST for `func` should be printed.
-   * Print All functions from the selected file.
-   */
-  override predicate shouldPrintFunction(Function func) {
-    func.getFile() = getEncodedFile(selectedSourceFile())
-  }
-}

cpp/ql/src/semmle/code/cpp/ASTConsistency.ql

@@ -1,9 +0,0 @@
-/**
- * @name AST Consistency Check
- * @description Performs consistency checks on the Abstract Syntax Tree. This query should have no results.
- * @kind table
- * @id cpp/ast-consistency-check
- */
-
-import cpp
-import CastConsistency

cpp/ql/src/semmle/code/cpp/ASTSanity.ql

@@ -0,0 +1,9 @@
+/**
+ * @name AST Sanity Check
+ * @description Performs sanity checks on the Abstract Syntax Tree. This query should have no results.
+ * @kind table
+ * @id cpp/ast-sanity-check
+ */
+
+import cpp
+import CastSanity

cpp/ql/src/semmle/code/cpp/AutogeneratedFile.qll

@@ -1,8 +1,3 @@
-/**
- * Provides a class and predicate for recognizing files that are likely to have been generated
- * automatically.
- */
-
 import semmle.code.cpp.Comments
 import semmle.code.cpp.File
 import semmle.code.cpp.Preprocessor

cpp/ql/src/semmle/code/cpp/Class.qll

@@ -1,7 +1,3 @@
-/**
- * Provides classes representing C++ classes, including structs, unions, and template classes.
- */
-
 import semmle.code.cpp.Type
 import semmle.code.cpp.UserType
 import semmle.code.cpp.metrics.MetricClass
@@ -33,7 +29,7 @@ private import semmle.code.cpp.internal.ResolveClass
 class Class extends UserType {
   Class() { isClass(underlyingElement(this)) }
 
-  override string getAPrimaryQlClass() { result = "Class" }
+  override string getCanonicalQLClass() { result = "Class" }
 
   /** Gets a child declaration of this class, struct or union. */
   override Declaration getADeclaration() { result = this.getAMember() }
@@ -768,7 +764,7 @@ class ClassDerivation extends Locatable, @derivation {
    */
   Class getBaseClass() { result = getBaseType().getUnderlyingType() }
 
-  override string getAPrimaryQlClass() { result = "ClassDerivation" }
+  override string getCanonicalQLClass() { result = "ClassDerivation" }
 
   /**
    * Gets the type from which we are deriving, without resolving any
@@ -849,7 +845,9 @@ class ClassDerivation extends Locatable, @derivation {
 class LocalClass extends Class {
   LocalClass() { isLocal() }
 
-  override string getAPrimaryQlClass() { not this instanceof LocalStruct and result = "LocalClass" }
+  override string getCanonicalQLClass() {
+    not this instanceof LocalStruct and result = "LocalClass"
+  }
 
   override Function getEnclosingAccessHolder() { result = this.getEnclosingFunction() }
 }
@@ -870,7 +868,7 @@ class LocalClass extends Class {
 class NestedClass extends Class {
   NestedClass() { this.isMember() }
 
-  override string getAPrimaryQlClass() {
+  override string getCanonicalQLClass() {
     not this instanceof NestedStruct and result = "NestedClass"
   }
 
@@ -891,7 +889,7 @@ class NestedClass extends Class {
 class AbstractClass extends Class {
   AbstractClass() { exists(PureVirtualFunction f | this.getAMemberFunction() = f) }
 
-  override string getAPrimaryQlClass() { result = "AbstractClass" }
+  override string getCanonicalQLClass() { result = "AbstractClass" }
 }
 
 /**
@@ -932,7 +930,7 @@ class TemplateClass extends Class {
     exists(result.getATemplateArgument())
   }
 
-  override string getAPrimaryQlClass() { result = "TemplateClass" }
+  override string getCanonicalQLClass() { result = "TemplateClass" }
 }
 
 /**
@@ -953,7 +951,7 @@ class ClassTemplateInstantiation extends Class {
 
   ClassTemplateInstantiation() { tc.getAnInstantiation() = this }
 
-  override string getAPrimaryQlClass() { result = "ClassTemplateInstantiation" }
+  override string getCanonicalQLClass() { result = "ClassTemplateInstantiation" }
 
   /**
    * Gets the class template from which this instantiation was instantiated.
@@ -994,7 +992,7 @@ abstract class ClassTemplateSpecialization extends Class {
       count(int i | exists(result.getTemplateArgument(i)))
   }
 
-  override string getAPrimaryQlClass() { result = "ClassTemplateSpecialization" }
+  override string getCanonicalQLClass() { result = "ClassTemplateSpecialization" }
 }
 
 /**
@@ -1023,7 +1021,7 @@ class FullClassTemplateSpecialization extends ClassTemplateSpecialization {
     not this instanceof ClassTemplateInstantiation
   }
 
-  override string getAPrimaryQlClass() { result = "FullClassTemplateSpecialization" }
+  override string getCanonicalQLClass() { result = "FullClassTemplateSpecialization" }
 }
 
 /**
@@ -1062,7 +1060,7 @@ class PartialClassTemplateSpecialization extends ClassTemplateSpecialization {
       count(int i | exists(getTemplateArgument(i)))
   }
 
-  override string getAPrimaryQlClass() { result = "PartialClassTemplateSpecialization" }
+  override string getCanonicalQLClass() { result = "PartialClassTemplateSpecialization" }
 }
 
 /**
@@ -1087,7 +1085,7 @@ deprecated class Interface extends Class {
     )
   }
 
-  override string getAPrimaryQlClass() { result = "Interface" }
+  override string getCanonicalQLClass() { result = "Interface" }
 }
 
 /**
@@ -1102,7 +1100,7 @@ deprecated class Interface extends Class {
 class VirtualClassDerivation extends ClassDerivation {
   VirtualClassDerivation() { hasSpecifier("virtual") }
 
-  override string getAPrimaryQlClass() { result = "VirtualClassDerivation" }
+  override string getCanonicalQLClass() { result = "VirtualClassDerivation" }
 }
 
 /**
@@ -1122,7 +1120,7 @@ class VirtualClassDerivation extends ClassDerivation {
 class VirtualBaseClass extends Class {
   VirtualBaseClass() { exists(VirtualClassDerivation cd | cd.getBaseClass() = this) }
 
-  override string getAPrimaryQlClass() { result = "VirtualBaseClass" }
+  override string getCanonicalQLClass() { result = "VirtualBaseClass" }
 
   /** A virtual class derivation of which this class/struct is the base. */
   VirtualClassDerivation getAVirtualDerivation() { result.getBaseClass() = this }
@@ -1144,7 +1142,7 @@ class VirtualBaseClass extends Class {
 class ProxyClass extends UserType {
   ProxyClass() { usertypes(underlyingElement(this), _, 9) }
 
-  override string getAPrimaryQlClass() { result = "ProxyClass" }
+  override string getCanonicalQLClass() { result = "ProxyClass" }
 
   /** Gets the location of the proxy class. */
   override Location getLocation() { result = getTemplateParameter().getDefinitionLocation() }

cpp/ql/src/semmle/code/cpp/Comments.qll

@@ -1,7 +1,3 @@
-/**
- * Provides classes representing C and C++ comments.
- */
-
 import semmle.code.cpp.Location
 import semmle.code.cpp.Element
 

cpp/ql/src/semmle/code/cpp/Compilation.qll

@@ -1,7 +1,3 @@
-/**
- * Provides a class representing individual compiler invocations that occurred during the build.
- */
-
 import semmle.code.cpp.File
 
 /*

cpp/ql/src/semmle/code/cpp/Declaration.qll

@@ -1,7 +1,3 @@
-/**
- * Provides classes for working with C and C++ declarations.
- */
-
 import semmle.code.cpp.Element
 import semmle.code.cpp.Specifier
 import semmle.code.cpp.Namespace
@@ -29,7 +25,7 @@ private import semmle.code.cpp.internal.QualifiedName as Q
  * `DeclarationEntry`, because they always have a unique source location.
  * `EnumConstant` and `FriendDecl` are both examples of this.
  */
-class Declaration extends Locatable, @declaration {
+abstract class Declaration extends Locatable, @declaration {
   /**
    * Gets the innermost namespace which contains this declaration.
    *
@@ -102,12 +98,7 @@ class Declaration extends Locatable, @declaration {
     this.hasQualifiedName(namespaceQualifier, "", baseName)
   }
 
-  /**
-   * Gets a description of this `Declaration` for display purposes.
-   */
-  string getDescription() { result = this.getName() }
-
-  final override string toString() { result = this.getDescription() }
+  override string toString() { result = this.getName() }
 
   /**
    * Gets the name of this declaration.
@@ -124,7 +115,7 @@ class Declaration extends Locatable, @declaration {
    * To test whether this declaration has a particular name in the global
    * namespace, use `hasGlobalName`.
    */
-  string getName() { none() } // overridden in subclasses
+  abstract string getName();
 
   /** Holds if this declaration has the given name. */
   predicate hasName(string name) { name = this.getName() }
@@ -140,7 +131,7 @@ class Declaration extends Locatable, @declaration {
   }
 
   /** Gets a specifier of this declaration. */
-  Specifier getASpecifier() { none() } // overridden in subclasses
+  abstract Specifier getASpecifier();
 
   /** Holds if this declaration has a specifier with the given name. */
   predicate hasSpecifier(string name) { this.getASpecifier().hasName(name) }
@@ -156,7 +147,7 @@ class Declaration extends Locatable, @declaration {
    * Gets the location of a declaration entry corresponding to this
    * declaration.
    */
-  Location getADeclarationLocation() { none() } // overridden in subclasses
+  abstract Location getADeclarationLocation();
 
   /**
    * Gets the declaration entry corresponding to this declaration that is a
@@ -165,7 +156,7 @@ class Declaration extends Locatable, @declaration {
   DeclarationEntry getDefinition() { none() }
 
   /** Gets the location of the definition, if any. */
-  Location getDefinitionLocation() { none() } // overridden in subclasses
+  abstract Location getDefinitionLocation();
 
   /** Holds if the declaration has a definition. */
   predicate hasDefinition() { exists(this.getDefinition()) }
@@ -289,8 +280,6 @@ class Declaration extends Locatable, @declaration {
   }
 }
 
-private class TDeclarationEntry = @var_decl or @type_decl or @fun_decl;
-
 /**
  * A C/C++ declaration entry. For example the following code contains five
  * declaration entries:
@@ -306,9 +295,9 @@ private class TDeclarationEntry = @var_decl or @type_decl or @fun_decl;
  * See the comment above `Declaration` for an explanation of the relationship
  * between `Declaration` and `DeclarationEntry`.
  */
-class DeclarationEntry extends Locatable, TDeclarationEntry {
+abstract class DeclarationEntry extends Locatable {
   /** Gets a specifier associated with this declaration entry. */
-  string getASpecifier() { none() } // overridden in subclasses
+  abstract string getASpecifier();
 
   /**
    * Gets the name associated with the corresponding definition (where
@@ -331,10 +320,10 @@ class DeclarationEntry extends Locatable, TDeclarationEntry {
    *  `I.getADeclarationEntry()` returns `D`
    *  but `D.getDeclaration()` only returns `C`
    */
-  Declaration getDeclaration() { none() } // overridden in subclasses
+  abstract Declaration getDeclaration();
 
   /** Gets the name associated with this declaration entry, if any. */
-  string getName() { none() } // overridden in subclasses
+  abstract string getName();
 
   /**
    * Gets the type associated with this declaration entry.
@@ -343,7 +332,7 @@ class DeclarationEntry extends Locatable, TDeclarationEntry {
    * For function declarations, get the return type of the function.
    * For type declarations, get the type being declared.
    */
-  Type getType() { none() } // overridden in subclasses
+  abstract Type getType();
 
   /**
    * Gets the type associated with this declaration entry after specifiers
@@ -361,7 +350,7 @@ class DeclarationEntry extends Locatable, TDeclarationEntry {
   predicate hasSpecifier(string specifier) { getASpecifier() = specifier }
 
   /** Holds if this declaration entry is a definition. */
-  predicate isDefinition() { none() } // overridden in subclasses
+  abstract predicate isDefinition();
 
   override string toString() {
     if isDefinition()
@@ -373,8 +362,6 @@ class DeclarationEntry extends Locatable, TDeclarationEntry {
   }
 }
 
-private class TAccessHolder = @function or @usertype;
-
 /**
  * A declaration that can potentially have more C++ access rights than its
  * enclosing element. This comprises `Class` (they have access to their own
@@ -396,7 +383,7 @@ private class TAccessHolder = @function or @usertype;
  * the informal phrase "_R_ occurs in a member or friend of class C", where
  * `AccessHolder` corresponds to this _R_.
  */
-class AccessHolder extends Declaration, TAccessHolder {
+abstract class AccessHolder extends Declaration {
   /**
    * Holds if `this` can access private members of class `c`.
    *
@@ -414,7 +401,7 @@ class AccessHolder extends Declaration, TAccessHolder {
   /**
    * Gets the nearest enclosing `AccessHolder`.
    */
-  AccessHolder getEnclosingAccessHolder() { none() } // overridden in subclasses
+  abstract AccessHolder getEnclosingAccessHolder();
 
   /**
    * Holds if a base class `base` of `derived` _is accessible at_ `this` (N4140

cpp/ql/src/semmle/code/cpp/Diagnostics.qll

@@ -1,7 +1,3 @@
-/**
- * Provides classes representing warnings generated during compilation.
- */
-
 import semmle.code.cpp.Location
 
 /** A compiler-generated error, warning or remark. */

cpp/ql/src/semmle/code/cpp/Element.qll

@@ -1,8 +1,3 @@
-/**
- * Provides the `Element` class, which is the base class for all classes representing C or C++
- * program elements.
- */
-
 import semmle.code.cpp.Location
 private import semmle.code.cpp.Enclosing
 private import semmle.code.cpp.internal.ResolveClass
@@ -55,21 +50,12 @@ class ElementBase extends @element {
   cached
   string toString() { none() }
 
-  /** DEPRECATED: use `getAPrimaryQlClass` instead. */
-  deprecated string getCanonicalQLClass() { result = this.getAPrimaryQlClass() }
-
   /**
-   * Gets the name of a primary CodeQL class to which this element belongs.
+   * Canonical QL class corresponding to this element.
    *
-   * For most elements, this is simply the most precise syntactic category to
-   * which they belong; for example, `AddExpr` is a primary class, but
-   * `BinaryOperation` is not.
-   *
-   * This predicate always has a result. If no primary class can be
-   * determined, the result is `"???"`. If multiple primary classes match,
-   * this predicate can have multiple results.
+   * ElementBase is the root class for this predicate.
    */
-  string getAPrimaryQlClass() { result = "???" }
+  string getCanonicalQLClass() { result = "???" }
 }
 
 /**
@@ -197,8 +183,7 @@ class Element extends ElementBase {
     initialisers(underlyingElement(this), unresolveElement(result), _, _) or
     exprconv(unresolveElement(result), underlyingElement(this)) or
     param_decl_bind(underlyingElement(this), _, unresolveElement(result)) or
-    using_container(unresolveElement(result), underlyingElement(this)) or
-    static_asserts(unresolveElement(this), _, _, _, underlyingElement(result))
+    using_container(unresolveElement(result), underlyingElement(this))
   }
 
   /** Gets the closest `Element` enclosing this one. */
@@ -276,15 +261,9 @@ private predicate isFromUninstantiatedTemplateRec(Element e, Element template) {
 class StaticAssert extends Locatable, @static_assert {
   override string toString() { result = "static_assert(..., \"" + getMessage() + "\")" }
 
-  /**
-   * Gets the expression which this static assertion ensures is true.
-   */
-  Expr getCondition() { static_asserts(underlyingElement(this), unresolveElement(result), _, _, _) }
+  Expr getCondition() { static_asserts(underlyingElement(this), unresolveElement(result), _, _) }
 
-  /**
-   * Gets the message which will be reported by the compiler if this static assertion fails.
-   */
-  string getMessage() { static_asserts(underlyingElement(this), _, result, _, _) }
+  string getMessage() { static_asserts(underlyingElement(this), _, result, _) }
 
-  override Location getLocation() { static_asserts(underlyingElement(this), _, _, result, _) }
+  override Location getLocation() { static_asserts(underlyingElement(this), _, _, result) }
 }

cpp/ql/src/semmle/code/cpp/Enclosing.qll

@@ -1,7 +1,3 @@
-/**
- * Provides predicates for finding the smallest element that encloses an expression or statement.
- */
-
 import cpp
 
 /**

cpp/ql/src/semmle/code/cpp/Enum.qll

@@ -1,7 +1,3 @@
-/**
- * Provides classes representing C/C++ enums and enum constants.
- */
-
 import semmle.code.cpp.Type
 private import semmle.code.cpp.internal.ResolveClass
 
@@ -23,22 +19,11 @@ class Enum extends UserType, IntegralOrEnumType {
   /** Gets an enumerator of this enumeration. */
   EnumConstant getAnEnumConstant() { result.getDeclaringEnum() = this }
 
-  /**
-   * Gets the enumerator of this enumeration that was declared at the zero-based position `index`.
-   * For example, `zero` is at index 2 in the following declaration:
-   * ```
-   * enum ReversedOrder {
-   *   two = 2,
-   *   one = 1,
-   *   zero = 0
-   * };
-   * ```
-   */
   EnumConstant getEnumConstant(int index) {
     enumconstants(unresolveElement(result), underlyingElement(this), index, _, _, _)
   }
 
-  override string getAPrimaryQlClass() { result = "Enum" }
+  override string getCanonicalQLClass() { result = "Enum" }
 
   /**
    * Gets a descriptive string for the enum. This method is only intended to
@@ -87,7 +72,7 @@ class Enum extends UserType, IntegralOrEnumType {
 class LocalEnum extends Enum {
   LocalEnum() { isLocal() }
 
-  override string getAPrimaryQlClass() { result = "LocalEnum" }
+  override string getCanonicalQLClass() { result = "LocalEnum" }
 }
 
 /**
@@ -105,7 +90,7 @@ class LocalEnum extends Enum {
 class NestedEnum extends Enum {
   NestedEnum() { this.isMember() }
 
-  override string getAPrimaryQlClass() { result = "NestedEnum" }
+  override string getCanonicalQLClass() { result = "NestedEnum" }
 
   /** Holds if this member is private. */
   predicate isPrivate() { this.hasSpecifier("private") }
@@ -130,7 +115,7 @@ class NestedEnum extends Enum {
 class ScopedEnum extends Enum {
   ScopedEnum() { usertypes(underlyingElement(this), _, 13) }
 
-  override string getAPrimaryQlClass() { result = "ScopedEnum" }
+  override string getCanonicalQLClass() { result = "ScopedEnum" }
 }
 
 /**
@@ -153,7 +138,7 @@ class EnumConstant extends Declaration, @enumconstant {
     enumconstants(underlyingElement(this), unresolveElement(result), _, _, _, _)
   }
 
-  override string getAPrimaryQlClass() { result = "EnumConstant" }
+  override string getCanonicalQLClass() { result = "EnumConstant" }
 
   override Class getDeclaringType() { result = this.getDeclaringEnum().getDeclaringType() }
 

cpp/ql/src/semmle/code/cpp/Field.qll

@@ -1,7 +1,3 @@
-/**
- * Provides classes representing C structure members and C++ non-static member variables.
- */
-
 import semmle.code.cpp.Variable
 import semmle.code.cpp.Enum
 import semmle.code.cpp.exprs.Access
@@ -23,7 +19,7 @@ import semmle.code.cpp.exprs.Access
 class Field extends MemberVariable {
   Field() { fieldoffsets(underlyingElement(this), _, _) }
 
-  override string getAPrimaryQlClass() { result = "Field" }
+  override string getCanonicalQLClass() { result = "Field" }
 
   /**
    * Gets the offset of this field in bytes from the start of its declaring
@@ -90,7 +86,7 @@ class Field extends MemberVariable {
 class BitField extends Field {
   BitField() { bitfield(underlyingElement(this), _, _) }
 
-  override string getAPrimaryQlClass() { result = "BitField" }
+  override string getCanonicalQLClass() { result = "BitField" }
 
   /**
    * Gets the size of this bitfield in bits (on the machine where facts

cpp/ql/src/semmle/code/cpp/File.qll

@@ -1,13 +1,9 @@
-/**
- * Provides classes representing files and folders.
- */
-
 import semmle.code.cpp.Element
 import semmle.code.cpp.Declaration
 import semmle.code.cpp.metrics.MetricFile
 
 /** A file or folder. */
-class Container extends Locatable, @container {
+abstract class Container extends Locatable, @container {
   /**
    * Gets the absolute, canonical path of this container, using forward slashes
    * as path separator.
@@ -32,7 +28,7 @@ class Container extends Locatable, @container {
    * a bare root prefix, that is, the path has no path segments. A container
    * whose absolute path has no segments is always a `Folder`, not a `File`.
    */
-  string getAbsolutePath() { none() } // overridden by subclasses
+  abstract string getAbsolutePath();
 
   /**
    * DEPRECATED: Use `getLocation` instead.
@@ -40,7 +36,7 @@ class Container extends Locatable, @container {
    *
    * For more information see [Providing URLs](https://help.semmle.com/QL/learn-ql/ql/locations.html#providing-urls).
    */
-  deprecated string getURL() { none() } // overridden by subclasses
+  abstract deprecated string getURL();
 
   /**
    * Gets the relative path of this file or folder from the root folder of the
@@ -178,7 +174,7 @@ class Folder extends Container, @folder {
     result.hasLocationInfo(_, 0, 0, 0, 0)
   }
 
-  override string getAPrimaryQlClass() { result = "Folder" }
+  override string getCanonicalQLClass() { result = "Folder" }
 
   /**
    * DEPRECATED: Use `getLocation` instead.
@@ -246,7 +242,7 @@ class File extends Container, @file {
 
   override string toString() { result = Container.super.toString() }
 
-  override string getAPrimaryQlClass() { result = "File" }
+  override string getCanonicalQLClass() { result = "File" }
 
   override Location getLocation() {
     result.getContainer() = this and
@@ -265,6 +261,18 @@ class File extends Container, @file {
   /** Holds if this file was compiled as C++ (at any point). */
   predicate compiledAsCpp() { fileannotations(underlyingElement(this), 1, "compiled as c++", "1") }
 
+  /**
+   * DEPRECATED: Objective-C is no longer supported.
+   * Holds if this file was compiled as Objective C (at any point).
+   */
+  deprecated predicate compiledAsObjC() { none() }
+
+  /**
+   * DEPRECATED: Objective-C is no longer supported.
+   * Holds if this file was compiled as Objective C++ (at any point).
+   */
+  deprecated predicate compiledAsObjCpp() { none() }
+
   /**
    * Holds if this file was compiled by a Microsoft compiler (at any point).
    *
@@ -308,6 +316,14 @@ class File extends Container, @file {
     exists(Include i | i.getFile() = this and i.getIncludedFile() = result)
   }
 
+  /**
+   * DEPRECATED: use `getParentContainer` instead.
+   * Gets the folder which contains this file.
+   */
+  deprecated Folder getParent() {
+    containerparent(unresolveElement(result), underlyingElement(this))
+  }
+
   /**
    * Holds if this file may be from source. This predicate holds for all files
    * except the dummy file, whose name is the empty string, which contains
@@ -325,6 +341,28 @@ class File extends Container, @file {
   /** Gets the metric file. */
   MetricFile getMetrics() { result = this }
 
+  /**
+   * DEPRECATED: Use `getAbsolutePath` instead.
+   * Gets the full name of this file, for example:
+   * "/usr/home/me/myprogram.c".
+   */
+  deprecated string getName() { files(underlyingElement(this), result, _, _, _) }
+
+  /**
+   * DEPRECATED: Use `getAbsolutePath` instead.
+   * Holds if this file has the specified full name.
+   *
+   * Example usage: `f.hasName("/usr/home/me/myprogram.c")`.
+   */
+  deprecated predicate hasName(string name) { name = this.getName() }
+
+  /**
+   * DEPRECATED: Use `getAbsolutePath` instead.
+   * Gets the full name of this file, for example
+   * "/usr/home/me/myprogram.c".
+   */
+  deprecated string getFullName() { result = this.getName() }
+
   /**
    * Gets the remainder of the base name after the first dot character. Note
    * that the name of this predicate is in plural form, unlike `getExtension`,
@@ -339,6 +377,22 @@ class File extends Container, @file {
    */
   string getExtensions() { files(underlyingElement(this), _, _, result, _) }
 
+  /**
+   * DEPRECATED: Use `getBaseName` instead.
+   * Gets the name and extension(s), but not path, of a file. For example,
+   * if the full name is "/path/to/filename.a.bcd" then the filename is
+   * "filename.a.bcd".
+   */
+  deprecated string getFileName() {
+    // [a/b.c/d/]fileName
+    //         ^ beginAfter
+    exists(string fullName, int beginAfter |
+      fullName = this.getName() and
+      beginAfter = max(int i | i = -1 or fullName.charAt(i) = "/" | i) and
+      result = fullName.suffix(beginAfter + 1)
+    )
+  }
+
   /**
    * Gets the short name of this file, that is, the prefix of its base name up
    * to (but not including) the first dot character if there is one, or the
@@ -382,7 +436,7 @@ class HeaderFile extends File {
     exists(Include i | i.getIncludedFile() = this)
   }
 
-  override string getAPrimaryQlClass() { result = "HeaderFile" }
+  override string getCanonicalQLClass() { result = "HeaderFile" }
 
   /**
    * Holds if this header file does not contain any declaration entries or top level
@@ -408,7 +462,7 @@ class HeaderFile extends File {
 class CFile extends File {
   CFile() { exists(string ext | ext = this.getExtension().toLowerCase() | ext = "c" or ext = "i") }
 
-  override string getAPrimaryQlClass() { result = "CFile" }
+  override string getCanonicalQLClass() { result = "CFile" }
 }
 
 /**
@@ -436,7 +490,7 @@ class CppFile extends File {
     )
   }
 
-  override string getAPrimaryQlClass() { result = "CppFile" }
+  override string getCanonicalQLClass() { result = "CppFile" }
 }
 
 /**

cpp/ql/src/semmle/code/cpp/FriendDecl.qll

@@ -1,7 +1,3 @@
-/**
- * Provides a class representing C++ `friend` declarations.
- */
-
 import semmle.code.cpp.Declaration
 private import semmle.code.cpp.internal.ResolveClass
 
@@ -27,7 +23,7 @@ class FriendDecl extends Declaration, @frienddecl {
    */
   override Location getADeclarationLocation() { result = this.getLocation() }
 
-  override string getAPrimaryQlClass() { result = "FriendDecl" }
+  override string getCanonicalQLClass() { result = "FriendDecl" }
 
   /**
    * Implements the abstract method `Declaration.getDefinitionLocation`. A

cpp/ql/src/semmle/code/cpp/Function.qll

@@ -1,8 +1,5 @@
-/**
- * Provides classes for working with functions, including template functions.
- */
-
 import semmle.code.cpp.Location
+import semmle.code.cpp.Member
 import semmle.code.cpp.Class
 import semmle.code.cpp.Parameter
 import semmle.code.cpp.exprs.Call
@@ -106,9 +103,6 @@ class Function extends Declaration, ControlFlowNode, AccessHolder, @function {
 
   /**
    * Holds if this function is declared to be `constexpr`.
-   *
-   * Note that this does not hold if the function has been declared
-   * `consteval`.
    */
   predicate isDeclaredConstexpr() { this.hasSpecifier("declared_constexpr") }
 
@@ -121,16 +115,9 @@ class Function extends Declaration, ControlFlowNode, AccessHolder, @function {
    * template <typename T> constexpr int g(T x) { return f(x); }
    * ```
    * `g<int>` is declared constexpr, but is not constexpr.
-   *
-   * Will also hold if this function is `consteval`.
    */
   predicate isConstexpr() { this.hasSpecifier("is_constexpr") }
 
-  /**
-   * Holds if this function is declared to be `consteval`.
-   */
-  predicate isConsteval() { this.hasSpecifier("is_consteval") }
-
   /**
    * Holds if this function is declared with `__attribute__((naked))` or
    * `__declspec(naked)`.
@@ -187,8 +174,17 @@ class Function extends Declaration, ControlFlowNode, AccessHolder, @function {
    * For example: for a function `int Foo(int p1, int p2)` this would
    * return `int p1, int p2`.
    */
-  string getParameterString() {
-    result = concat(int i | | min(getParameter(i).getTypedName()), ", " order by i)
+  string getParameterString() { result = getParameterStringFrom(0) }
+
+  private string getParameterStringFrom(int index) {
+    index = getNumberOfParameters() and
+    result = ""
+    or
+    index = getNumberOfParameters() - 1 and
+    result = getParameter(index).getTypedName()
+    or
+    index < getNumberOfParameters() - 1 and
+    result = getParameter(index).getTypedName() + ", " + getParameterStringFrom(index + 1)
   }
 
   /** Gets a call to this function. */
@@ -513,7 +509,7 @@ class FunctionDeclarationEntry extends DeclarationEntry, @fun_decl {
   /** Gets the function which is being declared or defined. */
   override Function getDeclaration() { result = getFunction() }
 
-  override string getAPrimaryQlClass() { result = "FunctionDeclarationEntry" }
+  override string getCanonicalQLClass() { result = "FunctionDeclarationEntry" }
 
   /** Gets the function which is being declared or defined. */
   Function getFunction() { fun_decls(underlyingElement(this), unresolveElement(result), _, _, _) }
@@ -610,8 +606,18 @@ class FunctionDeclarationEntry extends DeclarationEntry, @fun_decl {
    * For example: for a function 'int Foo(int p1, int p2)' this would
    * return 'int p1, int p2'.
    */
-  string getParameterString() {
-    result = concat(int i | | min(getParameterDeclarationEntry(i).getTypedName()), ", " order by i)
+  string getParameterString() { result = getParameterStringFrom(0) }
+
+  private string getParameterStringFrom(int index) {
+    index = getNumberOfParameters() and
+    result = ""
+    or
+    index = getNumberOfParameters() - 1 and
+    result = getParameterDeclarationEntry(index).getTypedName()
+    or
+    index < getNumberOfParameters() - 1 and
+    result =
+      getParameterDeclarationEntry(index).getTypedName() + ", " + getParameterStringFrom(index + 1)
   }
 
   /**
@@ -698,7 +704,428 @@ class FunctionDeclarationEntry extends DeclarationEntry, @fun_decl {
 class TopLevelFunction extends Function {
   TopLevelFunction() { not this.isMember() }
 
-  override string getAPrimaryQlClass() { result = "TopLevelFunction" }
+  override string getCanonicalQLClass() { result = "TopLevelFunction" }
+}
+
+/**
+ * A C++ function declared as a member of a class [N4140 9.3]. This includes
+ * static member functions. For example the functions `MyStaticMemberFunction`
+ * and `MyMemberFunction` in:
+ * ```
+ * class MyClass {
+ * public:
+ *   void MyMemberFunction() {
+ *     DoSomething();
+ *   }
+ *
+ *   static void MyStaticMemberFunction() {
+ *     DoSomething();
+ *   }
+ * };
+ * ```
+ */
+class MemberFunction extends Function {
+  MemberFunction() { this.isMember() }
+
+  override string getCanonicalQLClass() {
+    not this instanceof CopyAssignmentOperator and
+    not this instanceof MoveAssignmentOperator and
+    result = "MemberFunction"
+  }
+
+  /**
+   * Gets the number of parameters of this function, including any implicit
+   * `this` parameter.
+   */
+  override int getEffectiveNumberOfParameters() {
+    if isStatic() then result = getNumberOfParameters() else result = getNumberOfParameters() + 1
+  }
+
+  /** Holds if this member is private. */
+  predicate isPrivate() { this.hasSpecifier("private") }
+
+  /** Holds if this member is protected. */
+  predicate isProtected() { this.hasSpecifier("protected") }
+
+  /** Holds if this member is public. */
+  predicate isPublic() { this.hasSpecifier("public") }
+
+  /** Holds if this function overrides that function. */
+  predicate overrides(MemberFunction that) {
+    overrides(underlyingElement(this), unresolveElement(that))
+  }
+
+  /** Gets a directly overridden function. */
+  MemberFunction getAnOverriddenFunction() { this.overrides(result) }
+
+  /** Gets a directly overriding function. */
+  MemberFunction getAnOverridingFunction() { result.overrides(this) }
+
+  /**
+   * Gets the declaration entry for this member function that is within the
+   * class body.
+   */
+  FunctionDeclarationEntry getClassBodyDeclarationEntry() {
+    if strictcount(getADeclarationEntry()) = 1
+    then result = getDefinition()
+    else (
+      result = getADeclarationEntry() and result != getDefinition()
+    )
+  }
+}
+
+/**
+ * A C++ virtual function. For example the two functions called
+ * `myVirtualFunction` in the following code are each a
+ * `VirtualFunction`:
+ * ```
+ * class A {
+ * public:
+ *   virtual void myVirtualFunction() = 0;
+ * };
+ *
+ * class B: public A {
+ * public:
+ *   virtual void myVirtualFunction() {
+ *     doSomething();
+ *   }
+ * };
+ * ```
+ */
+class VirtualFunction extends MemberFunction {
+  VirtualFunction() { this.hasSpecifier("virtual") or purefunctions(underlyingElement(this)) }
+
+  override string getCanonicalQLClass() { result = "VirtualFunction" }
+
+  /** Holds if this virtual function is pure. */
+  predicate isPure() { this instanceof PureVirtualFunction }
+
+  /**
+   * Holds if this function was declared with the `override` specifier
+   * [N4140 10.3].
+   */
+  predicate isOverrideExplicit() { this.hasSpecifier("override") }
+}
+
+/**
+ * A C++ pure virtual function [N4140 10.4]. For example the first function
+ * called `myVirtualFunction` in the following code:
+ * ```
+ * class A {
+ * public:
+ *   virtual void myVirtualFunction() = 0;
+ * };
+ *
+ * class B: public A {
+ * public:
+ *   virtual void myVirtualFunction() {
+ *     doSomething();
+ *   }
+ * };
+ * ```
+ */
+class PureVirtualFunction extends VirtualFunction {
+  PureVirtualFunction() { purefunctions(underlyingElement(this)) }
+
+  override string getCanonicalQLClass() { result = "PureVirtualFunction" }
+}
+
+/**
+ * A const C++ member function [N4140 9.3.1/4]. A const function has the
+ * `const` specifier and does not modify the state of its class. For example
+ * the member function `day` in the following code:
+ * ```
+ * class MyClass {
+ *   ...
+ *
+ *   int day() const {
+ *     return d;
+ *   }
+ *
+ *   ...
+ * };
+ * ```
+ */
+class ConstMemberFunction extends MemberFunction {
+  ConstMemberFunction() { this.hasSpecifier("const") }
+
+  override string getCanonicalQLClass() { result = "ConstMemberFunction" }
+}
+
+/**
+ * A C++ constructor [N4140 12.1]. For example the function `MyClass` in the
+ * following code is a constructor:
+ * ```
+ * class MyClass {
+ * public:
+ *   MyClass() {
+ *     ...
+ *   }
+ * };
+ * ```
+ */
+class Constructor extends MemberFunction {
+  Constructor() { functions(underlyingElement(this), _, 2) }
+
+  override string getCanonicalQLClass() { result = "Constructor" }
+
+  /**
+   * Holds if this constructor serves as a default constructor.
+   *
+   * This holds for constructors with zero formal parameters. It also holds
+   * for constructors which have a non-zero number of formal parameters,
+   * provided that every parameter has a default value.
+   */
+  predicate isDefault() { forall(Parameter p | p = this.getAParameter() | p.hasInitializer()) }
+
+  /**
+   * Gets an entry in the constructor's initializer list, or a
+   * compiler-generated action which initializes a base class or member
+   * variable.
+   */
+  ConstructorInit getAnInitializer() { result = getInitializer(_) }
+
+  /**
+   * Gets an entry in the constructor's initializer list, or a
+   * compiler-generated action which initializes a base class or member
+   * variable. The index specifies the order in which the initializer is
+   * to be evaluated.
+   */
+  ConstructorInit getInitializer(int i) {
+    exprparents(unresolveElement(result), i, underlyingElement(this))
+  }
+}
+
+/**
+ * A function that defines an implicit conversion.
+ */
+abstract class ImplicitConversionFunction extends MemberFunction {
+  abstract Type getSourceType();
+
+  abstract Type getDestType();
+}
+
+/**
+ * A C++ constructor that also defines an implicit conversion. For example the
+ * function `MyClass` in the following code is a `ConversionConstructor`:
+ * ```
+ * class MyClass {
+ * public:
+ *   MyClass(const MyOtherClass &from) {
+ *     ...
+ *   }
+ * };
+ * ```
+ */
+class ConversionConstructor extends Constructor, ImplicitConversionFunction {
+  ConversionConstructor() {
+    strictcount(Parameter p | p = getAParameter() and not p.hasInitializer()) = 1 and
+    not hasSpecifier("explicit") and
+    not this instanceof CopyConstructor
+  }
+
+  override string getCanonicalQLClass() {
+    not this instanceof MoveConstructor and result = "ConversionConstructor"
+  }
+
+  /** Gets the type this `ConversionConstructor` takes as input. */
+  override Type getSourceType() { result = this.getParameter(0).getType() }
+
+  /** Gets the type this `ConversionConstructor` is a constructor of. */
+  override Type getDestType() { result = this.getDeclaringType() }
+}
+
+private predicate hasCopySignature(MemberFunction f) {
+  f.getParameter(0).getUnspecifiedType().(LValueReferenceType).getBaseType() = f.getDeclaringType()
+}
+
+private predicate hasMoveSignature(MemberFunction f) {
+  f.getParameter(0).getUnspecifiedType().(RValueReferenceType).getBaseType() = f.getDeclaringType()
+}
+
+/**
+ * A C++ copy constructor [N4140 12.8]. For example the function `MyClass` in
+ * the following code is a `CopyConstructor`:
+ * ```
+ * class MyClass {
+ * public:
+ *   MyClass(const MyClass &from) {
+ *     ...
+ *   }
+ * };
+ * ```
+ *
+ * As per the standard, a copy constructor of class `T` is a non-template
+ * constructor whose first parameter has type `T&`, `const T&`, `volatile
+ * T&`, or `const volatile T&`, and either there are no other parameters,
+ * or the rest of the parameters all have default values.
+ *
+ * For template classes, it can generally not be determined until instantiation
+ * whether a constructor is a copy constructor. For such classes, `CopyConstructor`
+ * over-approximates the set of copy constructors; if an under-approximation is
+ * desired instead, see the member predicate
+ * `mayNotBeCopyConstructorInInstantiation`.
+ */
+class CopyConstructor extends Constructor {
+  CopyConstructor() {
+    hasCopySignature(this) and
+    (
+      // The rest of the parameters all have default values
+      forall(int i | i > 0 and exists(getParameter(i)) | getParameter(i).hasInitializer())
+      or
+      // or this is a template class, in which case the default values have
+      // not been extracted even if they exist. In that case, we assume that
+      // there are default values present since that is the most common case
+      // in real-world code.
+      getDeclaringType() instanceof TemplateClass
+    ) and
+    not exists(getATemplateArgument())
+  }
+
+  override string getCanonicalQLClass() { result = "CopyConstructor" }
+
+  /**
+   * Holds if we cannot determine that this constructor will become a copy
+   * constructor in all instantiations. Depending on template parameters of the
+   * enclosing class, this may become an ordinary constructor or a copy
+   * constructor.
+   */
+  predicate mayNotBeCopyConstructorInInstantiation() {
+    // In general, default arguments of template classes can only be
+    // type-checked for each template instantiation; if an argument in an
+    // instantiation fails to type-check then the corresponding parameter has
+    // no default argument in the instantiation.
+    getDeclaringType() instanceof TemplateClass and
+    getNumberOfParameters() > 1
+  }
+}
+
+/**
+ * A C++ move constructor [N4140 12.8]. For example the function `MyClass` in
+ * the following code is a `MoveConstructor`:
+ * ```
+ * class MyClass {
+ * public:
+ *   MyClass(MyClass &&from) {
+ *     ...
+ *   }
+ * };
+ * ```
+ *
+ * As per the standard, a move constructor of class `T` is a non-template
+ * constructor whose first parameter is `T&&`, `const T&&`, `volatile T&&`,
+ * or `const volatile T&&`, and either there are no other parameters, or
+ * the rest of the parameters all have default values.
+ *
+ * For template classes, it can generally not be determined until instantiation
+ * whether a constructor is a move constructor. For such classes, `MoveConstructor`
+ * over-approximates the set of move constructors; if an under-approximation is
+ * desired instead, see the member predicate
+ * `mayNotBeMoveConstructorInInstantiation`.
+ */
+class MoveConstructor extends Constructor {
+  MoveConstructor() {
+    hasMoveSignature(this) and
+    (
+      // The rest of the parameters all have default values
+      forall(int i | i > 0 and exists(getParameter(i)) | getParameter(i).hasInitializer())
+      or
+      // or this is a template class, in which case the default values have
+      // not been extracted even if they exist. In that case, we assume that
+      // there are default values present since that is the most common case
+      // in real-world code.
+      getDeclaringType() instanceof TemplateClass
+    ) and
+    not exists(getATemplateArgument())
+  }
+
+  override string getCanonicalQLClass() { result = "MoveConstructor" }
+
+  /**
+   * Holds if we cannot determine that this constructor will become a move
+   * constructor in all instantiations. Depending on template parameters of the
+   * enclosing class, this may become an ordinary constructor or a move
+   * constructor.
+   */
+  predicate mayNotBeMoveConstructorInInstantiation() {
+    // In general, default arguments of template classes can only be
+    // type-checked for each template instantiation; if an argument in an
+    // instantiation fails to type-check then the corresponding parameter has
+    // no default argument in the instantiation.
+    getDeclaringType() instanceof TemplateClass and
+    getNumberOfParameters() > 1
+  }
+}
+
+/**
+ * A C++ constructor that takes no arguments ('default' constructor). This
+ * is the constructor that is invoked when no initializer is given. For
+ * example the function `MyClass` in the following code is a
+ * `NoArgConstructor`:
+ * ```
+ * class MyClass {
+ * public:
+ *   MyClass() {
+ *     ...
+ *   }
+ * };
+ * ```
+ */
+class NoArgConstructor extends Constructor {
+  NoArgConstructor() { this.getNumberOfParameters() = 0 }
+}
+
+/**
+ * A C++ destructor [N4140 12.4]. For example the function `~MyClass` in the
+ * following code is a destructor:
+ * ```
+ * class MyClass {
+ * public:
+ *   ~MyClass() {
+ *     ...
+ *   }
+ * };
+ * ```
+ */
+class Destructor extends MemberFunction {
+  Destructor() { functions(underlyingElement(this), _, 3) }
+
+  override string getCanonicalQLClass() { result = "Destructor" }
+
+  /**
+   * Gets a compiler-generated action which destructs a base class or member
+   * variable.
+   */
+  DestructorDestruction getADestruction() { result = getDestruction(_) }
+
+  /**
+   * Gets a compiler-generated action which destructs a base class or member
+   * variable. The index specifies the order in which the destruction should
+   * be evaluated.
+   */
+  DestructorDestruction getDestruction(int i) {
+    exprparents(unresolveElement(result), i, underlyingElement(this))
+  }
+}
+
+/**
+ * A C++ conversion operator [N4140 12.3.2]. For example the function
+ * `operator int` in the following code is a `ConversionOperator`:
+ * ```
+ * class MyClass {
+ * public:
+ *   operator int();
+ * };
+ * ```
+ */
+class ConversionOperator extends MemberFunction, ImplicitConversionFunction {
+  ConversionOperator() { functions(underlyingElement(this), _, 4) }
+
+  override string getCanonicalQLClass() { result = "ConversionOperator" }
+
+  override Type getSourceType() { result = this.getDeclaringType() }
+
+  override Type getDestType() { result = this.getType() }
 }
 
 /**
@@ -707,11 +1134,69 @@ class TopLevelFunction extends Function {
 class Operator extends Function {
   Operator() { functions(underlyingElement(this), _, 5) }
 
-  override string getAPrimaryQlClass() {
+  override string getCanonicalQLClass() {
     not this instanceof MemberFunction and result = "Operator"
   }
 }
 
+/**
+ * A C++ copy assignment operator [N4140 12.8]. For example the function
+ * `operator=` in the following code is a `CopyAssignmentOperator`:
+ * ```
+ * class MyClass {
+ * public:
+ *   MyClass &operator=(const MyClass &other);
+ * };
+ * ```
+ *
+ * As per the standard, a copy assignment operator of class `T` is a
+ * non-template non-static member function with the name `operator=` that
+ * takes exactly one parameter of type `T`, `T&`, `const T&`, `volatile
+ * T&`, or `const volatile T&`.
+ */
+class CopyAssignmentOperator extends Operator {
+  CopyAssignmentOperator() {
+    hasName("operator=") and
+    (
+      hasCopySignature(this)
+      or
+      // Unlike CopyConstructor, this member allows a non-reference
+      // parameter.
+      getParameter(0).getUnspecifiedType() = getDeclaringType()
+    ) and
+    not exists(this.getParameter(1)) and
+    not exists(getATemplateArgument())
+  }
+
+  override string getCanonicalQLClass() { result = "CopyAssignmentOperator" }
+}
+
+/**
+ * A C++ move assignment operator [N4140 12.8]. For example the function
+ * `operator=` in the following code is a `MoveAssignmentOperator`:
+ * ```
+ * class MyClass {
+ * public:
+ *   MyClass &operator=(MyClass &&other);
+ * };
+ * ```
+ *
+ * As per the standard, a move assignment operator of class `T` is a
+ * non-template non-static member function with the name `operator=` that
+ * takes exactly one parameter of type `T&&`, `const T&&`, `volatile T&&`,
+ * or `const volatile T&&`.
+ */
+class MoveAssignmentOperator extends Operator {
+  MoveAssignmentOperator() {
+    hasName("operator=") and
+    hasMoveSignature(this) and
+    not exists(this.getParameter(1)) and
+    not exists(getATemplateArgument())
+  }
+
+  override string getCanonicalQLClass() { result = "MoveAssignmentOperator" }
+}
+
 /**
  * A C++ function which has a non-empty template argument list. For example
  * the function `myTemplateFunction` in the following code:
@@ -738,7 +1223,7 @@ class TemplateFunction extends Function {
     is_function_template(underlyingElement(this)) and exists(getATemplateArgument())
   }
 
-  override string getAPrimaryQlClass() { result = "TemplateFunction" }
+  override string getCanonicalQLClass() { result = "TemplateFunction" }
 
   /**
    * Gets a compiler-generated instantiation of this function template.
@@ -778,7 +1263,7 @@ class FunctionTemplateInstantiation extends Function {
 
   FunctionTemplateInstantiation() { tf.getAnInstantiation() = this }
 
-  override string getAPrimaryQlClass() { result = "FunctionTemplateInstantiation" }
+  override string getCanonicalQLClass() { result = "FunctionTemplateInstantiation" }
 
   /**
    * Gets the function template from which this instantiation was instantiated.
@@ -823,7 +1308,7 @@ class FunctionTemplateInstantiation extends Function {
 class FunctionTemplateSpecialization extends Function {
   FunctionTemplateSpecialization() { this.isSpecialization() }
 
-  override string getAPrimaryQlClass() { result = "FunctionTemplateSpecialization" }
+  override string getCanonicalQLClass() { result = "FunctionTemplateSpecialization" }
 
   /**
    * Gets the primary template for the specialization (the function template

cpp/ql/src/semmle/code/cpp/Include.qll

@@ -1,8 +1,3 @@
-/**
- * Provides classes representing C/C++ `#include`, `#include_next`, and `#import` preprocessor
- * directives.
- */
-
 import semmle.code.cpp.Preprocessor
 
 /**

cpp/ql/src/semmle/code/cpp/Initializer.qll

@@ -1,7 +1,3 @@
-/**
- * Provides the `Initializer` class, representing C/C++ declaration initializers.
- */
-
 import semmle.code.cpp.controlflow.ControlFlowGraph
 
 /**
@@ -22,7 +18,7 @@ import semmle.code.cpp.controlflow.ControlFlowGraph
 class Initializer extends ControlFlowNode, @initialiser {
   override Location getLocation() { initialisers(underlyingElement(this), _, _, result) }
 
-  override string getAPrimaryQlClass() { result = "Initializer" }
+  override string getCanonicalQLClass() { result = "Initializer" }
 
   /** Holds if this initializer is explicit in the source. */
   override predicate fromSource() { not this.getLocation() instanceof UnknownLocation }

cpp/ql/src/semmle/code/cpp/Iteration.qll

@@ -1,7 +1,3 @@
-/**
- * Provides classes for loop iteration variables.
- */
-
 import semmle.code.cpp.Variable
 
 /**
@@ -11,18 +7,14 @@ import semmle.code.cpp.Variable
 class LoopCounter extends Variable {
   LoopCounter() { exists(ForStmt f | f.getAnIterationVariable() = this) }
 
-  /**
-   *  Gets an access of this variable within loop `f`.
-   */
+  // Gets an access of this variable within loop `f`.
   VariableAccess getVariableAccessInLoop(ForStmt f) {
     this.getALoop() = f and
     result.getEnclosingStmt().getParent*() = f and
     this = result.getTarget()
   }
 
-  /**
-   * Gets a loop which uses this variable as its counter.
-   */
+  // Gets a loop which uses this variable as its counter.
   ForStmt getALoop() { result.getAnIterationVariable() = this }
 }
 
@@ -33,18 +25,14 @@ class LoopCounter extends Variable {
 class LoopControlVariable extends Variable {
   LoopControlVariable() { this = loopControlVariable(_) }
 
-  /**
-   * Gets an access of this variable within loop `f`.
-   */
+  // Gets an access of this variable within loop `f`.
   VariableAccess getVariableAccessInLoop(ForStmt f) {
     this.getALoop() = f and
     result.getEnclosingStmt().getParent*() = f and
     this = result.getTarget()
   }
 
-  /**
-   * Gets a loop which uses this variable as its control variable.
-   */
+  // Gets a loop which uses this variable as its control variable.
   ForStmt getALoop() { this = loopControlVariable(result) }
 }
 

cpp/ql/src/semmle/code/cpp/Linkage.qll

@@ -1,7 +1,3 @@
-/**
- * Proivdes the `LinkTarget` class representing linker invocations during the build process.
- */
-
 import semmle.code.cpp.Class
 import semmle.code.cpp.File
 import semmle.code.cpp.Function

cpp/ql/src/semmle/code/cpp/Location.qll

@@ -1,7 +1,3 @@
-/**
- * Provides classes and predicates for locations in the source code.
- */
-
 import semmle.code.cpp.Element
 import semmle.code.cpp.File
 
@@ -15,16 +11,16 @@ class Location extends @location {
   /** Gets the file corresponding to this location, if any. */
   File getFile() { result = this.getContainer() }
 
-  /** Gets the 1-based line number (inclusive) where this location starts. */
+  /** Gets the start line of this location. */
   int getStartLine() { this.fullLocationInfo(_, result, _, _, _) }
 
-  /** Gets the 1-based column number (inclusive) where this location starts. */
+  /** Gets the start column of this location. */
   int getStartColumn() { this.fullLocationInfo(_, _, result, _, _) }
 
-  /** Gets the 1-based line number (inclusive) where this location ends. */
+  /** Gets the end line of this location. */
   int getEndLine() { this.fullLocationInfo(_, _, _, result, _) }
 
-  /** Gets the 1-based column number (inclusive) where this location ends. */
+  /** Gets the end column of this location. */
   int getEndColumn() { this.fullLocationInfo(_, _, _, _, result) }
 
   /**

cpp/ql/src/semmle/code/cpp/Macro.qll

@@ -13,7 +13,7 @@ class Macro extends PreprocessorDirective, @ppd_define {
    */
   override string getHead() { preproctext(underlyingElement(this), result, _) }
 
-  override string getAPrimaryQlClass() { result = "Macro" }
+  override string getCanonicalQLClass() { result = "Macro" }
 
   /**
    * Gets the body of this macro. For example, `(((x)>(y))?(x):(y))` in
@@ -74,7 +74,7 @@ class MacroAccess extends Locatable, @macroinvocation {
    */
   override Location getLocation() { result = this.getOutermostMacroAccess().getActualLocation() }
 
-  override string getAPrimaryQlClass() { result = "MacroAccess" }
+  override string getCanonicalQLClass() { result = "MacroAccess" }
 
   /**
    * Gets the location of this macro access. For a nested access, where
@@ -147,7 +147,7 @@ class MacroAccess extends Locatable, @macroinvocation {
 class MacroInvocation extends MacroAccess {
   MacroInvocation() { macroinvocations(underlyingElement(this), _, _, 1) }
 
-  override string getAPrimaryQlClass() { result = "MacroInvocation" }
+  override string getCanonicalQLClass() { result = "MacroInvocation" }
 
   /**
    * Gets an element that occurs in this macro invocation or a nested macro
@@ -179,11 +179,6 @@ class MacroInvocation extends MacroAccess {
     result.(Stmt).getGeneratingMacro() = this
   }
 
-  /**
-   * Gets a function that includes an expression that is affected by this macro
-   * invocation. If the macro expansion includes the end of one function and
-   * the beginning of another, this predicate will get both.
-   */
   Function getEnclosingFunction() {
     result = this.getAnAffectedElement().(Expr).getEnclosingFunction()
   }

cpp/ql/src/semmle/code/cpp/Member.qll

@@ -1,6 +1,2 @@
-/**
- * DEPRECATED: import `semmle.code.cpp.Element` and/or `semmle.code.cpp.Type` directly as required.
- */
-
 import semmle.code.cpp.Element
 import semmle.code.cpp.Type

cpp/ql/src/semmle/code/cpp/MemberFunction.qll

@@ -1,495 +0,0 @@
-/**
- * Provides classes for working with C++ member functions, constructors, destructors,
- * and user-defined operators.
- */
-
-import cpp
-
-/**
- * A C++ function declared as a member of a class [N4140 9.3]. This includes
- * static member functions. For example the functions `MyStaticMemberFunction`
- * and `MyMemberFunction` in:
- * ```
- * class MyClass {
- * public:
- *   void MyMemberFunction() {
- *     DoSomething();
- *   }
- *
- *   static void MyStaticMemberFunction() {
- *     DoSomething();
- *   }
- * };
- * ```
- */
-class MemberFunction extends Function {
-  MemberFunction() { this.isMember() }
-
-  override string getAPrimaryQlClass() {
-    not this instanceof CopyAssignmentOperator and
-    not this instanceof MoveAssignmentOperator and
-    result = "MemberFunction"
-  }
-
-  /**
-   * Gets the number of parameters of this function, including any implicit
-   * `this` parameter.
-   */
-  override int getEffectiveNumberOfParameters() {
-    if isStatic() then result = getNumberOfParameters() else result = getNumberOfParameters() + 1
-  }
-
-  /** Holds if this member is private. */
-  predicate isPrivate() { this.hasSpecifier("private") }
-
-  /** Holds if this member is protected. */
-  predicate isProtected() { this.hasSpecifier("protected") }
-
-  /** Holds if this member is public. */
-  predicate isPublic() { this.hasSpecifier("public") }
-
-  /** Holds if this function overrides that function. */
-  predicate overrides(MemberFunction that) {
-    overrides(underlyingElement(this), unresolveElement(that))
-  }
-
-  /** Gets a directly overridden function. */
-  MemberFunction getAnOverriddenFunction() { this.overrides(result) }
-
-  /** Gets a directly overriding function. */
-  MemberFunction getAnOverridingFunction() { result.overrides(this) }
-
-  /**
-   * Gets the declaration entry for this member function that is within the
-   * class body.
-   */
-  FunctionDeclarationEntry getClassBodyDeclarationEntry() {
-    if strictcount(getADeclarationEntry()) = 1
-    then result = getDefinition()
-    else (
-      result = getADeclarationEntry() and result != getDefinition()
-    )
-  }
-
-  /**
-   * Gets the type of the `this` parameter associated with this member function, if any. The type
-   * may have `const` and/or `volatile` qualifiers, matching the function declaration.
-   */
-  PointerType getTypeOfThis() {
-    member_function_this_type(underlyingElement(this), unresolveElement(result))
-  }
-}
-
-/**
- * A C++ virtual function. For example the two functions called
- * `myVirtualFunction` in the following code are each a
- * `VirtualFunction`:
- * ```
- * class A {
- * public:
- *   virtual void myVirtualFunction() = 0;
- * };
- *
- * class B: public A {
- * public:
- *   virtual void myVirtualFunction() {
- *     doSomething();
- *   }
- * };
- * ```
- */
-class VirtualFunction extends MemberFunction {
-  VirtualFunction() { this.hasSpecifier("virtual") or purefunctions(underlyingElement(this)) }
-
-  override string getAPrimaryQlClass() { result = "VirtualFunction" }
-
-  /** Holds if this virtual function is pure. */
-  predicate isPure() { this instanceof PureVirtualFunction }
-
-  /**
-   * Holds if this function was declared with the `override` specifier
-   * [N4140 10.3].
-   */
-  predicate isOverrideExplicit() { this.hasSpecifier("override") }
-}
-
-/**
- * A C++ pure virtual function [N4140 10.4]. For example the first function
- * called `myVirtualFunction` in the following code:
- * ```
- * class A {
- * public:
- *   virtual void myVirtualFunction() = 0;
- * };
- *
- * class B: public A {
- * public:
- *   virtual void myVirtualFunction() {
- *     doSomething();
- *   }
- * };
- * ```
- */
-class PureVirtualFunction extends VirtualFunction {
-  PureVirtualFunction() { purefunctions(underlyingElement(this)) }
-
-  override string getAPrimaryQlClass() { result = "PureVirtualFunction" }
-}
-
-/**
- * A const C++ member function [N4140 9.3.1/4]. A const function has the
- * `const` specifier and does not modify the state of its class. For example
- * the member function `day` in the following code:
- * ```
- * class MyClass {
- *   ...
- *
- *   int day() const {
- *     return d;
- *   }
- *
- *   ...
- * };
- * ```
- */
-class ConstMemberFunction extends MemberFunction {
-  ConstMemberFunction() { this.hasSpecifier("const") }
-
-  override string getAPrimaryQlClass() { result = "ConstMemberFunction" }
-}
-
-/**
- * A C++ constructor [N4140 12.1]. For example the function `MyClass` in the
- * following code is a constructor:
- * ```
- * class MyClass {
- * public:
- *   MyClass() {
- *     ...
- *   }
- * };
- * ```
- */
-class Constructor extends MemberFunction {
-  Constructor() { functions(underlyingElement(this), _, 2) }
-
-  override string getAPrimaryQlClass() { result = "Constructor" }
-
-  /**
-   * Holds if this constructor serves as a default constructor.
-   *
-   * This holds for constructors with zero formal parameters. It also holds
-   * for constructors which have a non-zero number of formal parameters,
-   * provided that every parameter has a default value.
-   */
-  predicate isDefault() { forall(Parameter p | p = this.getAParameter() | p.hasInitializer()) }
-
-  /**
-   * Gets an entry in the constructor's initializer list, or a
-   * compiler-generated action which initializes a base class or member
-   * variable.
-   */
-  ConstructorInit getAnInitializer() { result = getInitializer(_) }
-
-  /**
-   * Gets an entry in the constructor's initializer list, or a
-   * compiler-generated action which initializes a base class or member
-   * variable. The index specifies the order in which the initializer is
-   * to be evaluated.
-   */
-  ConstructorInit getInitializer(int i) {
-    exprparents(unresolveElement(result), i, underlyingElement(this))
-  }
-}
-
-/**
- * A function that defines an implicit conversion.
- */
-abstract class ImplicitConversionFunction extends MemberFunction {
-  /** Gets the type this `ImplicitConversionFunction` takes as input. */
-  abstract Type getSourceType();
-
-  /** Gets the type this `ImplicitConversionFunction` converts to. */
-  abstract Type getDestType();
-}
-
-/**
- * A C++ constructor that also defines an implicit conversion. For example the
- * function `MyClass` in the following code is a `ConversionConstructor`:
- * ```
- * class MyClass {
- * public:
- *   MyClass(const MyOtherClass &from) {
- *     ...
- *   }
- * };
- * ```
- */
-class ConversionConstructor extends Constructor, ImplicitConversionFunction {
-  ConversionConstructor() {
-    strictcount(Parameter p | p = getAParameter() and not p.hasInitializer()) = 1 and
-    not hasSpecifier("explicit") and
-    not this instanceof CopyConstructor
-  }
-
-  override string getAPrimaryQlClass() {
-    not this instanceof MoveConstructor and result = "ConversionConstructor"
-  }
-
-  /** Gets the type this `ConversionConstructor` takes as input. */
-  override Type getSourceType() { result = this.getParameter(0).getType() }
-
-  /** Gets the type this `ConversionConstructor` is a constructor of. */
-  override Type getDestType() { result = this.getDeclaringType() }
-}
-
-private predicate hasCopySignature(MemberFunction f) {
-  f.getParameter(0).getUnspecifiedType().(LValueReferenceType).getBaseType() = f.getDeclaringType()
-}
-
-private predicate hasMoveSignature(MemberFunction f) {
-  f.getParameter(0).getUnspecifiedType().(RValueReferenceType).getBaseType() = f.getDeclaringType()
-}
-
-/**
- * A C++ copy constructor [N4140 12.8]. For example the function `MyClass` in
- * the following code is a `CopyConstructor`:
- * ```
- * class MyClass {
- * public:
- *   MyClass(const MyClass &from) {
- *     ...
- *   }
- * };
- * ```
- *
- * As per the standard, a copy constructor of class `T` is a non-template
- * constructor whose first parameter has type `T&`, `const T&`, `volatile
- * T&`, or `const volatile T&`, and either there are no other parameters,
- * or the rest of the parameters all have default values.
- *
- * For template classes, it can generally not be determined until instantiation
- * whether a constructor is a copy constructor. For such classes, `CopyConstructor`
- * over-approximates the set of copy constructors; if an under-approximation is
- * desired instead, see the member predicate
- * `mayNotBeCopyConstructorInInstantiation`.
- */
-class CopyConstructor extends Constructor {
-  CopyConstructor() {
-    hasCopySignature(this) and
-    (
-      // The rest of the parameters all have default values
-      forall(int i | i > 0 and exists(getParameter(i)) | getParameter(i).hasInitializer())
-      or
-      // or this is a template class, in which case the default values have
-      // not been extracted even if they exist. In that case, we assume that
-      // there are default values present since that is the most common case
-      // in real-world code.
-      getDeclaringType() instanceof TemplateClass
-    ) and
-    not exists(getATemplateArgument())
-  }
-
-  override string getAPrimaryQlClass() { result = "CopyConstructor" }
-
-  /**
-   * Holds if we cannot determine that this constructor will become a copy
-   * constructor in all instantiations. Depending on template parameters of the
-   * enclosing class, this may become an ordinary constructor or a copy
-   * constructor.
-   */
-  predicate mayNotBeCopyConstructorInInstantiation() {
-    // In general, default arguments of template classes can only be
-    // type-checked for each template instantiation; if an argument in an
-    // instantiation fails to type-check then the corresponding parameter has
-    // no default argument in the instantiation.
-    getDeclaringType() instanceof TemplateClass and
-    getNumberOfParameters() > 1
-  }
-}
-
-/**
- * A C++ move constructor [N4140 12.8]. For example the function `MyClass` in
- * the following code is a `MoveConstructor`:
- * ```
- * class MyClass {
- * public:
- *   MyClass(MyClass &&from) {
- *     ...
- *   }
- * };
- * ```
- *
- * As per the standard, a move constructor of class `T` is a non-template
- * constructor whose first parameter is `T&&`, `const T&&`, `volatile T&&`,
- * or `const volatile T&&`, and either there are no other parameters, or
- * the rest of the parameters all have default values.
- *
- * For template classes, it can generally not be determined until instantiation
- * whether a constructor is a move constructor. For such classes, `MoveConstructor`
- * over-approximates the set of move constructors; if an under-approximation is
- * desired instead, see the member predicate
- * `mayNotBeMoveConstructorInInstantiation`.
- */
-class MoveConstructor extends Constructor {
-  MoveConstructor() {
-    hasMoveSignature(this) and
-    (
-      // The rest of the parameters all have default values
-      forall(int i | i > 0 and exists(getParameter(i)) | getParameter(i).hasInitializer())
-      or
-      // or this is a template class, in which case the default values have
-      // not been extracted even if they exist. In that case, we assume that
-      // there are default values present since that is the most common case
-      // in real-world code.
-      getDeclaringType() instanceof TemplateClass
-    ) and
-    not exists(getATemplateArgument())
-  }
-
-  override string getAPrimaryQlClass() { result = "MoveConstructor" }
-
-  /**
-   * Holds if we cannot determine that this constructor will become a move
-   * constructor in all instantiations. Depending on template parameters of the
-   * enclosing class, this may become an ordinary constructor or a move
-   * constructor.
-   */
-  predicate mayNotBeMoveConstructorInInstantiation() {
-    // In general, default arguments of template classes can only be
-    // type-checked for each template instantiation; if an argument in an
-    // instantiation fails to type-check then the corresponding parameter has
-    // no default argument in the instantiation.
-    getDeclaringType() instanceof TemplateClass and
-    getNumberOfParameters() > 1
-  }
-}
-
-/**
- * A C++ constructor that takes no arguments ('default' constructor). This
- * is the constructor that is invoked when no initializer is given. For
- * example the function `MyClass` in the following code is a
- * `NoArgConstructor`:
- * ```
- * class MyClass {
- * public:
- *   MyClass() {
- *     ...
- *   }
- * };
- * ```
- */
-class NoArgConstructor extends Constructor {
-  NoArgConstructor() { this.getNumberOfParameters() = 0 }
-}
-
-/**
- * A C++ destructor [N4140 12.4]. For example the function `~MyClass` in the
- * following code is a destructor:
- * ```
- * class MyClass {
- * public:
- *   ~MyClass() {
- *     ...
- *   }
- * };
- * ```
- */
-class Destructor extends MemberFunction {
-  Destructor() { functions(underlyingElement(this), _, 3) }
-
-  override string getAPrimaryQlClass() { result = "Destructor" }
-
-  /**
-   * Gets a compiler-generated action which destructs a base class or member
-   * variable.
-   */
-  DestructorDestruction getADestruction() { result = getDestruction(_) }
-
-  /**
-   * Gets a compiler-generated action which destructs a base class or member
-   * variable. The index specifies the order in which the destruction should
-   * be evaluated.
-   */
-  DestructorDestruction getDestruction(int i) {
-    exprparents(unresolveElement(result), i, underlyingElement(this))
-  }
-}
-
-/**
- * A C++ conversion operator [N4140 12.3.2]. For example the function
- * `operator int` in the following code is a `ConversionOperator`:
- * ```
- * class MyClass {
- * public:
- *   operator int();
- * };
- * ```
- */
-class ConversionOperator extends MemberFunction, ImplicitConversionFunction {
-  ConversionOperator() { functions(underlyingElement(this), _, 4) }
-
-  override string getAPrimaryQlClass() { result = "ConversionOperator" }
-
-  override Type getSourceType() { result = this.getDeclaringType() }
-
-  override Type getDestType() { result = this.getType() }
-}
-
-/**
- * A C++ copy assignment operator [N4140 12.8]. For example the function
- * `operator=` in the following code is a `CopyAssignmentOperator`:
- * ```
- * class MyClass {
- * public:
- *   MyClass &operator=(const MyClass &other);
- * };
- * ```
- *
- * As per the standard, a copy assignment operator of class `T` is a
- * non-template non-static member function with the name `operator=` that
- * takes exactly one parameter of type `T`, `T&`, `const T&`, `volatile
- * T&`, or `const volatile T&`.
- */
-class CopyAssignmentOperator extends Operator {
-  CopyAssignmentOperator() {
-    hasName("operator=") and
-    (
-      hasCopySignature(this)
-      or
-      // Unlike CopyConstructor, this member allows a non-reference
-      // parameter.
-      getParameter(0).getUnspecifiedType() = getDeclaringType()
-    ) and
-    not exists(this.getParameter(1)) and
-    not exists(getATemplateArgument())
-  }
-
-  override string getAPrimaryQlClass() { result = "CopyAssignmentOperator" }
-}
-
-/**
- * A C++ move assignment operator [N4140 12.8]. For example the function
- * `operator=` in the following code is a `MoveAssignmentOperator`:
- * ```
- * class MyClass {
- * public:
- *   MyClass &operator=(MyClass &&other);
- * };
- * ```
- *
- * As per the standard, a move assignment operator of class `T` is a
- * non-template non-static member function with the name `operator=` that
- * takes exactly one parameter of type `T&&`, `const T&&`, `volatile T&&`,
- * or `const volatile T&&`.
- */
-class MoveAssignmentOperator extends Operator {
-  MoveAssignmentOperator() {
-    hasName("operator=") and
-    hasMoveSignature(this) and
-    not exists(this.getParameter(1)) and
-    not exists(getATemplateArgument())
-  }
-
-  override string getAPrimaryQlClass() { result = "MoveAssignmentOperator" }
-}