From 1c826820ed2f89f575db1809ec6f504ce8460146 Mon Sep 17 00:00:00 2001 From: Jeroen Ketema Date: Thu, 6 Mar 2025 13:52:09 +0100 Subject: [PATCH 01/88] Update expected test results after frontend update --- .../rules/INT31-C/IntegerConversionCausesDataLoss.expected | 2 ++ c/cert/test/rules/INT31-C/test.c | 6 +++--- .../UserDefinedConversionOperatorsShouldNotBeUsed.expected | 2 +- 3 files changed, 6 insertions(+), 4 deletions(-) diff --git a/c/cert/test/rules/INT31-C/IntegerConversionCausesDataLoss.expected b/c/cert/test/rules/INT31-C/IntegerConversionCausesDataLoss.expected index ee18410a48..f7e4454342 100644 --- a/c/cert/test/rules/INT31-C/IntegerConversionCausesDataLoss.expected +++ b/c/cert/test/rules/INT31-C/IntegerConversionCausesDataLoss.expected 
@@ -2,6 +2,8 @@ | test.c:17:3:17:17 | (unsigned int)... | Conversion from signed int to unsigned int may cause data loss (casting from range -2147483648...2147483647 to range 0...4294967295). | | test.c:34:3:34:17 | (signed short)... | Conversion from signed int to signed short may cause data loss (casting from range -2147483648...2147483647 to range -32768...32767). | | test.c:51:3:51:19 | (unsigned short)... | Conversion from unsigned int to unsigned short may cause data loss (casting from range 0...4294967295 to range 0...65535). | +| test.c:74:14:74:15 | (unsigned int)... | Conversion from int to unsigned int may cause data loss (casting from range -1...-1 to range 0...4294967295). | +| test.c:77:14:77:23 | (time_t)... | Conversion from int to unsigned int may cause data loss (casting from range -1...-1 to range 0...4294967295). | | test.c:89:3:89:19 | (unsigned char)... | Conversion from signed int to unsigned char may cause data loss (casting from range 100000...100000 to range 0...255). | | test.c:92:3:92:19 | (unsigned char)... | Conversion from signed int to unsigned char may cause data loss (casting from range -129...-129 to range 0...255). | | test.c:93:3:93:19 | (unsigned char)... | Conversion from signed int to unsigned char may cause data loss (casting from range 256...256 to range 0...255). | diff --git a/c/cert/test/rules/INT31-C/test.c b/c/cert/test/rules/INT31-C/test.c index 08b09cf6b8..5988e5cc43 100644 --- a/c/cert/test/rules/INT31-C/test.c +++ b/c/cert/test/rules/INT31-C/test.c @@ -71,10 +71,10 @@ time_t time(time_t *seconds); void test_time_t_check_against_zero(time_t x) { time_t now = time(0); - if (now != -1) { // NON_COMPLIANT[FALSE_NEGATIVE] - there is no conversion - // here in our model + if (now != -1) { // NON_COMPLIANT } - if (now != (time_t)-1) { // COMPLIANT + + if (now != (time_t)-1) { // COMPLIANT[FALSE_POSITIVE] } } 
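Review bot: The `COMPLIANT[FALSE_POSITIVE]` tag on `if (now != (time_t)-1)` drops the rationale the old comment carried, yet the explicit cast is the idiomatic way to compare a `time_t` against the error value, and the new `.expected` row reports that cast as a conversion from int to unsigned int over the range -1...-1, so a reader has no way to tell from the test why it is now flagged or what would make it go away. I would keep the reason next to the tag, e.g. `// COMPLIANT[FALSE_POSITIVE] - explicit (time_t)-1 is the intended form; the frontend now models this cast as int -> unsigned int`, and likewise note on the `// NON_COMPLIANT` branch that the previously missing conversion is now modelled. Without that, the next frontend update that silently stops reporting line 77 would look like an unrelated regression. The whole of `test_time_t_check_against_zero` is inside the hunk.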
diff --git a/cpp/autosar/test/rules/A13-5-3/UserDefinedConversionOperatorsShouldNotBeUsed.expected b/cpp/autosar/test/rules/A13-5-3/UserDefinedConversionOperatorsShouldNotBeUsed.expected index 14e68ab4a9..e757cdf984 100644 --- a/cpp/autosar/test/rules/A13-5-3/UserDefinedConversionOperatorsShouldNotBeUsed.expected +++ b/cpp/autosar/test/rules/A13-5-3/UserDefinedConversionOperatorsShouldNotBeUsed.expected @@ -1,4 +1,4 @@ | test.cpp:33:7:33:7 | call to operator A | User-defined conversion operators should not be used. | | test.cpp:35:24:35:24 | call to operator A * | User-defined conversion operators should not be used. | -| test.cpp:37:15:37:15 | call to operator A (*)[3] | User-defined conversion operators should not be used. | +| test.cpp:37:15:37:15 | call to operator B::array_A * | User-defined conversion operators should not be used. | | test.cpp:41:7:41:7 | call to operator A * | User-defined conversion operators should not be used. | From a3701af6a62917c18b8c9f40e3087cee80497344 Mon Sep 17 00:00:00 2001 From: idrissrio Date: Wed, 9 Apr 2025 15:13:59 +0200 Subject: [PATCH 02/88] CodeQL: Adjust test results and comments after bug fix --- c/misra/test/rules/RULE-17-6/UseOfArrayStatic.expected | 1 - c/misra/test/rules/RULE-17-6/test.c | 6 +----- 2 files changed, 1 insertion(+), 6 deletions(-) diff --git a/c/misra/test/rules/RULE-17-6/UseOfArrayStatic.expected b/c/misra/test/rules/RULE-17-6/UseOfArrayStatic.expected index ddf892a15c..b77efee39a 100644 --- a/c/misra/test/rules/RULE-17-6/UseOfArrayStatic.expected +++ b/c/misra/test/rules/RULE-17-6/UseOfArrayStatic.expected @@ -1,3 +1,2 @@ | test.c:2:33:2:36 | arr2 | Parameter arr2 is declared as an array type using the static keyword. | | test.c:3:39:3:42 | arr3 | Parameter arr3 is declared as an array type using the static keyword. | -| test.c:5:9:5:12 | arr4 | Parameter arr4 is declared as an array type using the static keyword. | 
diff --git a/c/misra/test/rules/RULE-17-6/test.c b/c/misra/test/rules/RULE-17-6/test.c index 14f04b5a9f..b0f0f828cd 100644 --- a/c/misra/test/rules/RULE-17-6/test.c +++ b/c/misra/test/rules/RULE-17-6/test.c @@ -1,8 +1,4 @@ void test_array(int arr1[10]) {} // COMPLIANT void test_array_uses_static(int arr2[static 11]) {} // NON_COMPLIANT void test_array_uses_static_multi(int arr3[static 12][5]) {} // NON_COMPLIANT -void test_array_uses_static_again( - int arr4[11]) { // COMPLIANT[FALSE_POSITIVE] - apparently a CodeQL - // bug where the static is associated with the fixed - // size -} \ No newline at end of file +void test_array_uses_static_again(int arr4[11]) {} // COMPLIANT From f07f569b3268e3283413ebab5780e88e81e1706d Mon Sep 17 00:00:00 2001 From: Jeroen Ketema Date: Fri, 27 Jun 2025 11:20:00 +0200 Subject: [PATCH 03/88] Update MISRA queries and tests after merging location tables --- c/misra/test/rules/RULE-2-4/UnusedTagDeclaration.expected | 1 - c/misra/test/rules/RULE-2-4/test.c | 6 +++--- cpp/common/src/codingstandards/cpp/Loops.qll | 3 ++- 3 files changed, 5 insertions(+), 5 deletions(-) diff --git a/c/misra/test/rules/RULE-2-4/UnusedTagDeclaration.expected b/c/misra/test/rules/RULE-2-4/UnusedTagDeclaration.expected index abd602e9c8..4028c67366 100644 --- a/c/misra/test/rules/RULE-2-4/UnusedTagDeclaration.expected +++ b/c/misra/test/rules/RULE-2-4/UnusedTagDeclaration.expected @@ -3,5 +3,4 @@ | test.c:17:6:17:7 | E1 | struct E1 has an unused tag. | | test.c:31:10:31:11 | S7 | struct S7 has an unused tag. | | test.c:50:8:50:10 | S10 | struct S10 has an unused tag. | -| test.c:66:3:66:14 | S13 | struct S13 has an unused tag. | | test.c:79:8:79:10 | s14 | struct s14 has an unused tag. | diff --git a/c/misra/test/rules/RULE-2-4/test.c b/c/misra/test/rules/RULE-2-4/test.c index 64d05a1cc2..30cce2d224 100644 --- a/c/misra/test/rules/RULE-2-4/test.c +++ b/c/misra/test/rules/RULE-2-4/test.c 
@@ -63,9 +63,9 @@ struct S12 { // COMPLIANT }; void testMacroNameUsed() { - STRUCT_MACRO // COMPLIANT[FALSE_POSITIVE] - although the struct generated by - // the macro is never used in this expansion, it may be used in - // other expansions, so we don't want to report it as unused + STRUCT_MACRO // COMPLIANT - although the struct generated by the macro is + // never used in this expansion, it may be used in other + // expansions, so we don't want to report it as unused } void testMacroNameNotUsed() { diff --git a/cpp/common/src/codingstandards/cpp/Loops.qll b/cpp/common/src/codingstandards/cpp/Loops.qll index aa3dc64ea5..6aa08532cb 100644 --- a/cpp/common/src/codingstandards/cpp/Loops.qll +++ b/cpp/common/src/codingstandards/cpp/Loops.qll @@ -339,7 +339,8 @@ predicate isInvalidLoop(ForStmt forLoop, string reason, Locatable reasonLocation isForLoopWithMulipleCounters(forLoop) and reason = "it uses multiple loop counters$@" and reasonLabel = "" and - reasonLocation.getLocation() instanceof UnknownExprLocation + reasonLocation instanceof File and + reasonLocation.getLocation() instanceof UnknownLocation or isForLoopWithFloatingPointCounters(forLoop, reasonLocation) and reason = "it uses a loop counter '$@' of type floating-point" and From 67adebb1cf48555bded59ad2c86b7e61e9805a5a Mon Sep 17 00:00:00 2001 From: idrissrio Date: Mon, 30 Jun 2025 12:31:14 +0200 Subject: [PATCH 04/88] C++: accept new test results after QL changes --- .../UseCanonicalOrderForMemberInit.expected | 14 +++++++------- 1 file changed, 7 insertions(+), 7 deletions(-) diff --git a/cpp/common/test/rules/usecanonicalorderformemberinit/UseCanonicalOrderForMemberInit.expected b/cpp/common/test/rules/usecanonicalorderformemberinit/UseCanonicalOrderForMemberInit.expected index d74c29ed83..bff253bc38 100644 --- a/cpp/common/test/rules/usecanonicalorderformemberinit/UseCanonicalOrderForMemberInit.expected +++ b/cpp/common/test/rules/usecanonicalorderformemberinit/UseCanonicalOrderForMemberInit.expected 
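Review bot: `reasonLocation instanceof File and reasonLocation.getLocation() instanceof UnknownLocation` constrains `reasonLocation` only by type, so the multiple-counter disjunct holds for every `File` element whose location is unknown: if more than one such file exists the alert is emitted once per file, and if none exists the alert disappears silently. Unless the merged location tables guarantee exactly one such `File` (this commit changes no loop test expectations, which suggests they currently do), a test that a multi-counter loop is reported exactly once would pin that assumption. A why-comment would also help the next reader, e.g. `// no meaningful secondary location: a File with an unknown location stands in so the $@ in the message still resolves`. `isInvalidLoop` starts before the hunk and its remaining disjuncts continue past it.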
@@ -1,13 +1,13 @@ -| test.cpp:7:30:7:36 | (no string representation) | The initializer Base1(...) for $@ in the constructor DirectDerived(...) is initialized before $@, but appears after $@ in the initialization list. | test.cpp:2:7:2:11 | Base1 | class Base1 | test.cpp:3:7:3:11 | Base2 | class Base2 | test.cpp:7:21:7:27 | (no string representation) | Base2(...) | -| test.cpp:8:45:8:51 | (no string representation) | The initializer Base2(...) for $@ in the constructor DirectDerived(...) is initialized before $@, but appears after $@ in the initialization list. | test.cpp:3:7:3:11 | Base2 | class Base2 | test.cpp:4:7:4:11 | Base3 | class Base3 | test.cpp:8:27:8:33 | (no string representation) | Base3(...) | +| test.cpp:7:30:7:36 | constructor init | The initializer Base1(...) for $@ in the constructor DirectDerived(...) is initialized before $@, but appears after $@ in the initialization list. | test.cpp:2:7:2:11 | Base1 | class Base1 | test.cpp:3:7:3:11 | Base2 | class Base2 | test.cpp:7:21:7:27 | constructor init | Base2(...) | +| test.cpp:8:45:8:51 | constructor init | The initializer Base2(...) for $@ in the constructor DirectDerived(...) is initialized before $@, but appears after $@ in the initialization list. | test.cpp:3:7:3:11 | Base2 | class Base2 | test.cpp:4:7:4:11 | Base3 | class Base3 | test.cpp:8:27:8:33 | constructor init | Base3(...) | | test.cpp:27:38:27:41 | constructor init of field u1 | The initializer u1(...) for $@ in the constructor MemberOrder(...) is initialized before $@, but appears after $@ in the initialization list. | test.cpp:16:9:16:10 | u1 | field u1 | test.cpp:22:7:22:8 | i2 | field i2 | test.cpp:27:32:27:35 | constructor init of field i2 | i2(...) | | test.cpp:27:44:27:47 | constructor init of field i1 | The initializer i1(...) for $@ in the constructor MemberOrder(...) is initialized before $@, but appears after $@ in the initialization list. 
| test.cpp:14:7:14:8 | i1 | field i1 | test.cpp:16:9:16:10 | u1 | field u1 | test.cpp:27:38:27:41 | constructor init of field u1 | u1(...) | | test.cpp:28:43:28:46 | constructor init of field l1 | The initializer l1(...) for $@ in the constructor MemberOrder(...) is initialized before $@, but appears after $@ in the initialization list. | test.cpp:18:12:18:13 | l1 | field l1 | test.cpp:22:7:22:8 | i2 | field i2 | test.cpp:28:37:28:40 | constructor init of field i2 | i2(...) | | test.cpp:28:49:28:52 | constructor init of field i1 | The initializer i1(...) for $@ in the constructor MemberOrder(...) is initialized before $@, but appears after $@ in the initialization list. | test.cpp:14:7:14:8 | i1 | field i1 | test.cpp:18:12:18:13 | l1 | field l1 | test.cpp:28:43:28:46 | constructor init of field l1 | l1(...) | | test.cpp:29:48:29:51 | constructor init of field d1 | The initializer d1(...) for $@ in the constructor MemberOrder(...) is initialized before $@, but appears after $@ in the initialization list. | test.cpp:19:14:19:15 | d1 | field d1 | test.cpp:22:7:22:8 | i2 | field i2 | test.cpp:29:42:29:45 | constructor init of field i2 | i2(...) | | test.cpp:29:54:29:57 | constructor init of field i1 | The initializer i1(...) for $@ in the constructor MemberOrder(...) is initialized before $@, but appears after $@ in the initialization list. | test.cpp:14:7:14:8 | i1 | field i1 | test.cpp:19:14:19:15 | d1 | field d1 | test.cpp:29:48:29:51 | constructor init of field d1 | d1(...) | -| test.cpp:48:9:48:27 | (no string representation) | The initializer VirtualBaseClass1(...) for $@ in the constructor Derived3(...) is initialized before $@, but appears after $@ in the initialization list. | test.cpp:32:7:32:23 | VirtualBaseClass1 | class VirtualBaseClass1 | test.cpp:33:7:33:23 | VirtualBaseClass2 | class VirtualBaseClass2 | test.cpp:47:30:47:48 | (no string representation) | VirtualBaseClass2(...) 
| -| test.cpp:53:9:53:27 | (no string representation) | The initializer VirtualBaseClass2(...) for $@ in the constructor Derived3(...) is initialized before $@, but appears after $@ in the initialization list. | test.cpp:33:7:33:23 | VirtualBaseClass2 | class VirtualBaseClass2 | test.cpp:36:7:36:14 | Derived1 | class Derived1 | test.cpp:51:9:51:18 | call to Derived1 | Derived1(...) | -| test.cpp:63:29:63:46 | (no string representation) | The initializer MixedVirtualBase(...) for $@ in the constructor Mixed(...) is initialized before $@, but appears after $@ in the initialization list. | test.cpp:57:7:57:22 | MixedVirtualBase | class MixedVirtualBase | test.cpp:56:7:56:15 | MixedBase | class MixedBase | test.cpp:63:16:63:26 | (no string representation) | MixedBase(...) | -| test.cpp:64:28:64:38 | (no string representation) | The initializer MixedBase(...) for $@ in the constructor Mixed(...) is initialized before $@, but appears after $@ in the initialization list. | test.cpp:56:7:56:15 | MixedBase | class MixedBase | test.cpp:61:7:61:9 | m_i | field m_i | test.cpp:64:21:64:25 | constructor init of field m_i | m_i(...) | -| test.cpp:64:41:64:58 | (no string representation) | The initializer MixedVirtualBase(...) for $@ in the constructor Mixed(...) is initialized before $@, but appears after $@ in the initialization list. | test.cpp:57:7:57:22 | MixedVirtualBase | class MixedVirtualBase | test.cpp:56:7:56:15 | MixedBase | class MixedBase | test.cpp:64:28:64:38 | (no string representation) | MixedBase(...) | +| test.cpp:48:9:48:27 | constructor init | The initializer VirtualBaseClass1(...) for $@ in the constructor Derived3(...) is initialized before $@, but appears after $@ in the initialization list. | test.cpp:32:7:32:23 | VirtualBaseClass1 | class VirtualBaseClass1 | test.cpp:33:7:33:23 | VirtualBaseClass2 | class VirtualBaseClass2 | test.cpp:47:30:47:48 | constructor init | VirtualBaseClass2(...) 
| +| test.cpp:53:9:53:27 | constructor init | The initializer VirtualBaseClass2(...) for $@ in the constructor Derived3(...) is initialized before $@, but appears after $@ in the initialization list. | test.cpp:33:7:33:23 | VirtualBaseClass2 | class VirtualBaseClass2 | test.cpp:36:7:36:14 | Derived1 | class Derived1 | test.cpp:51:9:51:18 | call to Derived1 | Derived1(...) | +| test.cpp:63:29:63:46 | constructor init | The initializer MixedVirtualBase(...) for $@ in the constructor Mixed(...) is initialized before $@, but appears after $@ in the initialization list. | test.cpp:57:7:57:22 | MixedVirtualBase | class MixedVirtualBase | test.cpp:56:7:56:15 | MixedBase | class MixedBase | test.cpp:63:16:63:26 | constructor init | MixedBase(...) | +| test.cpp:64:28:64:38 | constructor init | The initializer MixedBase(...) for $@ in the constructor Mixed(...) is initialized before $@, but appears after $@ in the initialization list. | test.cpp:56:7:56:15 | MixedBase | class MixedBase | test.cpp:61:7:61:9 | m_i | field m_i | test.cpp:64:21:64:25 | constructor init of field m_i | m_i(...) | +| test.cpp:64:41:64:58 | constructor init | The initializer MixedVirtualBase(...) for $@ in the constructor Mixed(...) is initialized before $@, but appears after $@ in the initialization list. | test.cpp:57:7:57:22 | MixedVirtualBase | class MixedVirtualBase | test.cpp:56:7:56:15 | MixedBase | class MixedBase | test.cpp:64:28:64:38 | constructor init | MixedBase(...) | From 2089bcdc9f97239eb37e98a543986a604100c947 Mon Sep 17 00:00:00 2001 From: Jeroen Ketema Date: Mon, 7 Jul 2025 14:16:49 +0200 Subject: [PATCH 05/88] Comvert ARR37-C to use the new dataflow library --- ...interArithmeticOnNonArrayObjectPointers.ql | 2 +- ...rithmeticOnNonArrayObjectPointers.expected | 21 +++++++++---------- 2 files changed, 11 insertions(+), 12 deletions(-) 
diff --git a/c/cert/src/rules/ARR37-C/DoNotUsePointerArithmeticOnNonArrayObjectPointers.ql b/c/cert/src/rules/ARR37-C/DoNotUsePointerArithmeticOnNonArrayObjectPointers.ql index 635d9d5c03..39e15c7ad3 100644 --- a/c/cert/src/rules/ARR37-C/DoNotUsePointerArithmeticOnNonArrayObjectPointers.ql +++ b/c/cert/src/rules/ARR37-C/DoNotUsePointerArithmeticOnNonArrayObjectPointers.ql @@ -18,7 +18,7 @@ import cpp import codingstandards.c.cert -import semmle.code.cpp.dataflow.DataFlow +import semmle.code.cpp.dataflow.new.DataFlow import NonArrayPointerToArrayIndexingExprFlow::PathGraph /** diff --git a/c/cert/test/rules/ARR37-C/DoNotUsePointerArithmeticOnNonArrayObjectPointers.expected b/c/cert/test/rules/ARR37-C/DoNotUsePointerArithmeticOnNonArrayObjectPointers.expected index fb0074e0e6..adabbcf759 100644 --- a/c/cert/test/rules/ARR37-C/DoNotUsePointerArithmeticOnNonArrayObjectPointers.expected +++ b/c/cert/test/rules/ARR37-C/DoNotUsePointerArithmeticOnNonArrayObjectPointers.expected 
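Review bot: Switching to `semmle.code.cpp.dataflow.new.DataFlow` changes what the query reports, not just how it flows: as far as the updated `.expected` shows, the selected element and sink move from the variable reads `v1`/`v2` to the `... ++`/`... --` expressions, yet the commit message says only "convert". A sentence in the message stating that the alert now points at the increment/decrement rather than its operand, matching what the EXP36-C conversion later in this series does for casts, would make the expectation change reviewable on its own. The sink definition that presumably drives this is outside the hunk, so I cannot tell from here whether the shift is intended or a side effect of the new node model. The ERR30-C and FIO45-C hunks in this series make the same import swap without a reported-location change.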
@@ -1,22 +1,21 @@ -WARNING: module 'DataFlow' has been deprecated and may be removed in future (DoNotUsePointerArithmeticOnNonArrayObjectPointers.ql:28,60-68) -WARNING: module 'DataFlow' has been deprecated and may be removed in future (DoNotUsePointerArithmeticOnNonArrayObjectPointers.ql:29,22-30) -WARNING: module 'DataFlow' has been deprecated and may be removed in future (DoNotUsePointerArithmeticOnNonArrayObjectPointers.ql:41,20-28) -WARNING: module 'DataFlow' has been deprecated and may be removed in future (DoNotUsePointerArithmeticOnNonArrayObjectPointers.ql:49,26-34) -WARNING: module 'DataFlow' has been deprecated and may be removed in future (DoNotUsePointerArithmeticOnNonArrayObjectPointers.ql:70,3-11) edges -| test.c:14:38:14:39 | p1 | test.c:18:10:18:11 | v1 | provenance | | -| test.c:14:38:14:39 | p1 | test.c:19:10:19:11 | v2 | provenance | | +| test.c:14:38:14:39 | p1 | test.c:16:13:16:14 | p1 | provenance | | +| test.c:14:38:14:39 | p1 | test.c:17:13:17:14 | p1 | provenance | | | test.c:14:38:14:39 | p1 | test.c:20:10:20:11 | p1 | provenance | | | test.c:14:38:14:39 | p1 | test.c:21:10:21:11 | p1 | provenance | | | test.c:14:38:14:39 | p1 | test.c:22:9:22:10 | p1 | provenance | | | test.c:14:38:14:39 | p1 | test.c:23:13:23:14 | p1 | provenance | | | test.c:14:38:14:39 | p1 | test.c:24:9:24:10 | p1 | provenance | | | test.c:14:38:14:39 | p1 | test.c:25:9:25:10 | p1 | provenance | | +| test.c:16:13:16:14 | p1 | test.c:18:10:18:13 | ... ++ | provenance | | +| test.c:17:13:17:14 | p1 | test.c:19:10:19:13 | ... -- | provenance | | | test.c:51:30:51:38 | & ... | test.c:14:38:14:39 | p1 | provenance | | nodes | test.c:14:38:14:39 | p1 | semmle.label | p1 | -| test.c:18:10:18:11 | v1 | semmle.label | v1 | -| test.c:19:10:19:11 | v2 | semmle.label | v2 | +| test.c:16:13:16:14 | p1 | semmle.label | p1 | +| test.c:17:13:17:14 | p1 | semmle.label | p1 | +| test.c:18:10:18:13 | ... ++ | semmle.label | ... ++ | +| test.c:19:10:19:13 | ... -- | semmle.label | ... 
-- | | test.c:20:10:20:11 | p1 | semmle.label | p1 | | test.c:21:10:21:11 | p1 | semmle.label | p1 | | test.c:22:9:22:10 | p1 | semmle.label | p1 | @@ -32,8 +31,8 @@ nodes | test.c:51:30:51:38 | & ... | semmle.label | & ... | subpaths #select -| test.c:18:10:18:11 | v1 | test.c:51:30:51:38 | & ... | test.c:18:10:18:11 | v1 | Pointer arithmetic on non-array object pointer. | -| test.c:19:10:19:11 | v2 | test.c:51:30:51:38 | & ... | test.c:19:10:19:11 | v2 | Pointer arithmetic on non-array object pointer. | +| test.c:18:10:18:13 | ... ++ | test.c:51:30:51:38 | & ... | test.c:18:10:18:13 | ... ++ | Pointer arithmetic on non-array object pointer. | +| test.c:19:10:19:13 | ... -- | test.c:51:30:51:38 | & ... | test.c:19:10:19:13 | ... -- | Pointer arithmetic on non-array object pointer. | | test.c:20:10:20:11 | p1 | test.c:51:30:51:38 | & ... | test.c:20:10:20:11 | p1 | Pointer arithmetic on non-array object pointer. | | test.c:21:10:21:11 | p1 | test.c:51:30:51:38 | & ... | test.c:21:10:21:11 | p1 | Pointer arithmetic on non-array object pointer. | | test.c:22:9:22:10 | p1 | test.c:51:30:51:38 | & ... | test.c:22:9:22:10 | p1 | Pointer arithmetic on non-array object pointer. | From cf1b625569a8e79c82561f3e12119ca41b8c4422 Mon Sep 17 00:00:00 2001 From: Jeroen Ketema Date: Mon, 7 Jul 2025 14:19:48 +0200 Subject: [PATCH 06/88] Conver ARR39-C to the new dataflow library Observe that `sizeof(...)` might not occur as a dataflow node if it has a parent node with a concrete value. That value will be a dataflow node instead. Hence, the query has be changed to check for expressions where `sizeof(...)` is a child of an expression with a concrete value. --- .../DoNotAddOrSubtractAScaledIntegerToAPointer.ql | 8 +++++--- ...NotAddOrSubtractAScaledIntegerToAPointer.expected | 12 ++++++------ 2 files changed, 11 insertions(+), 9 deletions(-) 
diff --git a/c/cert/src/rules/ARR39-C/DoNotAddOrSubtractAScaledIntegerToAPointer.ql b/c/cert/src/rules/ARR39-C/DoNotAddOrSubtractAScaledIntegerToAPointer.ql index c3ebd6ede6..18631f579a 100644 --- a/c/cert/src/rules/ARR39-C/DoNotAddOrSubtractAScaledIntegerToAPointer.ql +++ b/c/cert/src/rules/ARR39-C/DoNotAddOrSubtractAScaledIntegerToAPointer.ql @@ -19,7 +19,7 @@ import cpp import codingstandards.c.cert import codingstandards.cpp.types.Pointers -import semmle.code.cpp.dataflow.TaintTracking +import semmle.code.cpp.dataflow.new.TaintTracking import ScaledIntegerPointerArithmeticFlow::PathGraph /** @@ -61,9 +61,11 @@ class ScaledIntegerExpr extends Expr { ScaledIntegerExpr() { not this.getParent*() instanceof ArrayCountOfExpr and ( - this.(SizeofExprOperator).getExprOperand().getType().getSize() > 1 + exists(this.getValue()) and + this.getAChild*().(SizeofExprOperator).getExprOperand().getType().getSize() > 1 or - this.(SizeofTypeOperator).getTypeOperand().getSize() > 1 + exists(this.getValue()) and + this.getAChild*().(SizeofTypeOperator).getTypeOperand().getSize() > 1 or this instanceof OffsetOfExpr ) diff --git a/c/cert/test/rules/ARR39-C/DoNotAddOrSubtractAScaledIntegerToAPointer.expected b/c/cert/test/rules/ARR39-C/DoNotAddOrSubtractAScaledIntegerToAPointer.expected index 0a6471deac..7a7f740547 100644 --- a/c/cert/test/rules/ARR39-C/DoNotAddOrSubtractAScaledIntegerToAPointer.expected +++ b/c/cert/test/rules/ARR39-C/DoNotAddOrSubtractAScaledIntegerToAPointer.expected 
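Review bot: Matching `this.getAChild*().(SizeofExprOperator)` under `exists(this.getValue())` classifies any constant expression that merely contains a `sizeof` as scaled, including one where the `sizeof` is a divisor and the value is an element count rather than a byte count; the new `... / ...` result at test.c:27 in the `.expected` file is worth checking for exactly that, since dividing by `sizeof` un-scales. Excluding a `sizeof` found only as the right operand of a `DivExpr`, or limiting the traversal to multiplicative and additive operands, would preserve the rule's intent. The two disjuncts also repeat `exists(this.getValue()) and`; hoisting it once over the `or` reads cleaner, and the reasoning in the commit message belongs in the `ScaledIntegerExpr` QLDoc too, e.g. `// a sizeof nested under a constant-valued parent is not a dataflow node itself; the parent is`. The new self-edges `... - ...` to `... - ...` and `sizeof()` to `sizeof()` plus the duplicated node rows in the `.expected` file suggest the source now matches two distinct nodes that print identically; confirming and restricting that would keep the path graph clean. The `ScaledIntegerExpr` characteristic predicate continues past the hunk.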
@@ -1,22 +1,22 @@ -WARNING: module 'DataFlow' has been deprecated and may be removed in future (DoNotAddOrSubtractAScaledIntegerToAPointer.ql:77,56-64) -WARNING: module 'DataFlow' has been deprecated and may be removed in future (DoNotAddOrSubtractAScaledIntegerToAPointer.ql:78,22-30) -WARNING: module 'DataFlow' has been deprecated and may be removed in future (DoNotAddOrSubtractAScaledIntegerToAPointer.ql:80,20-28) -WARNING: module 'DataFlow' has been deprecated and may be removed in future (DoNotAddOrSubtractAScaledIntegerToAPointer.ql:89,45-53) edges | test.c:7:13:7:14 | p1 | test.c:9:9:9:10 | p1 | provenance | | +| test.c:16:19:16:41 | ... - ... | test.c:16:19:16:41 | ... - ... | provenance | | | test.c:16:19:16:41 | ... - ... | test.c:18:26:18:31 | offset | provenance | | | test.c:16:19:16:41 | ... - ... | test.c:29:6:29:11 | offset | provenance | | +| test.c:17:17:17:26 | sizeof() | test.c:17:17:17:26 | sizeof() | provenance | | | test.c:17:17:17:26 | sizeof() | test.c:23:9:23:12 | size | provenance | | | test.c:29:6:29:11 | offset | test.c:7:13:7:14 | p1 | provenance | | nodes | test.c:7:13:7:14 | p1 | semmle.label | p1 | | test.c:9:9:9:10 | p1 | semmle.label | p1 | | test.c:16:19:16:41 | ... - ... | semmle.label | ... - ... | +| test.c:16:19:16:41 | ... - ... | semmle.label | ... - ... | +| test.c:17:17:17:26 | sizeof() | semmle.label | sizeof() | | test.c:17:17:17:26 | sizeof() | semmle.label | sizeof() | | test.c:18:26:18:31 | offset | semmle.label | offset | | test.c:23:9:23:12 | size | semmle.label | size | | test.c:25:9:25:18 | sizeof() | semmle.label | sizeof() | -| test.c:27:17:27:26 | sizeof() | semmle.label | sizeof() | +| test.c:27:12:27:26 | ... / ... | semmle.label | ... / ... | | test.c:29:6:29:11 | offset | semmle.label | offset | subpaths #select 
@@ -24,4 +24,4 @@ subpaths | test.c:18:26:18:31 | offset | test.c:16:19:16:41 | ... - ... | test.c:18:26:18:31 | offset | Scaled integer used in pointer arithmetic. | | test.c:23:9:23:12 | size | test.c:17:17:17:26 | sizeof() | test.c:23:9:23:12 | size | Scaled integer used in pointer arithmetic. | | test.c:25:9:25:18 | sizeof() | test.c:25:9:25:18 | sizeof() | test.c:25:9:25:18 | sizeof() | Scaled integer used in pointer arithmetic. | -| test.c:27:17:27:26 | sizeof() | test.c:27:17:27:26 | sizeof() | test.c:27:17:27:26 | sizeof() | Scaled integer used in pointer arithmetic. | +| test.c:27:12:27:26 | ... / ... | test.c:27:12:27:26 | ... / ... | test.c:27:12:27:26 | ... / ... | Scaled integer used in pointer arithmetic. | From 8d73f3bf3402b2220a1bcef3e7556705471b411d Mon Sep 17 00:00:00 2001 From: Jeroen Ketema Date: Mon, 7 Jul 2025 14:23:50 +0200 Subject: [PATCH 07/88] Convert ERR30-C to use the new dataflow library --- c/cert/src/rules/ERR30-C/ErrnoReadBeforeReturn.ql | 2 +- c/cert/src/rules/ERR30-C/SetlocaleMightSetErrno.ql | 2 +- c/cert/test/rules/ERR30-C/ErrnoReadBeforeReturn.expected | 1 - c/cert/test/rules/ERR30-C/SetlocaleMightSetErrno.expected | 1 - 4 files changed, 2 insertions(+), 4 deletions(-) diff --git a/c/cert/src/rules/ERR30-C/ErrnoReadBeforeReturn.ql b/c/cert/src/rules/ERR30-C/ErrnoReadBeforeReturn.ql index 13f7e40303..bea6ae3ec8 100644 --- a/c/cert/src/rules/ERR30-C/ErrnoReadBeforeReturn.ql +++ b/c/cert/src/rules/ERR30-C/ErrnoReadBeforeReturn.ql @@ -19,7 +19,7 @@ import cpp import codingstandards.c.cert import codingstandards.c.Errno -import semmle.code.cpp.dataflow.DataFlow +import semmle.code.cpp.dataflow.new.DataFlow /** * A call to an `OutOfBandErrnoSettingFunction` diff --git a/c/cert/src/rules/ERR30-C/SetlocaleMightSetErrno.ql b/c/cert/src/rules/ERR30-C/SetlocaleMightSetErrno.ql index a7ccf8c041..eaecf29a85 100644 --- a/c/cert/src/rules/ERR30-C/SetlocaleMightSetErrno.ql +++ b/c/cert/src/rules/ERR30-C/SetlocaleMightSetErrno.ql 
@@ -18,7 +18,7 @@ import cpp import codingstandards.c.cert import codingstandards.c.Errno -import semmle.code.cpp.dataflow.DataFlow +import semmle.code.cpp.dataflow.new.DataFlow class SetlocaleFunctionCall extends FunctionCall { SetlocaleFunctionCall() { this.getTarget().hasGlobalName("setlocale") } diff --git a/c/cert/test/rules/ERR30-C/ErrnoReadBeforeReturn.expected b/c/cert/test/rules/ERR30-C/ErrnoReadBeforeReturn.expected index 125f55118b..b6d7caa513 100644 --- a/c/cert/test/rules/ERR30-C/ErrnoReadBeforeReturn.expected +++ b/c/cert/test/rules/ERR30-C/ErrnoReadBeforeReturn.expected @@ -1,4 +1,3 @@ -WARNING: module 'DataFlow' has been deprecated and may be removed in future (ErrnoReadBeforeReturn.ql:46,7-15) | test.c:69:7:69:11 | * ... | Do not read `errno` before checking the return value of function $@. | test.c:68:3:68:7 | call to ftell | call to ftell | | test.c:69:7:69:11 | call to __errno_location | Do not read `errno` before checking the return value of function $@. | test.c:68:3:68:7 | call to ftell | call to ftell | | test.c:70:5:70:10 | call to perror | Do not read `errno` before checking the return value of function $@. | test.c:68:3:68:7 | call to ftell | call to ftell | diff --git a/c/cert/test/rules/ERR30-C/SetlocaleMightSetErrno.expected b/c/cert/test/rules/ERR30-C/SetlocaleMightSetErrno.expected index 20a7ff60b1..9ab88a3395 100644 --- a/c/cert/test/rules/ERR30-C/SetlocaleMightSetErrno.expected +++ b/c/cert/test/rules/ERR30-C/SetlocaleMightSetErrno.expected @@ -1,3 +1,2 @@ -WARNING: module 'DataFlow' has been deprecated and may be removed in future (SetlocaleMightSetErrno.ql:70,7-15) | test.c:98:3:98:11 | call to setlocale | Do not read `errno` before checking the return value of a call to `setlocale`. | | test.c:104:7:104:15 | call to setlocale | The value of `errno` may be different than `0` when `setlocale` is called. The following `errno` check might be invalid. | From 7a1577e94f0586f38e657ce5bed7069c15480b75 Mon Sep 17 00:00:00 2001 
From: Jeroen Ketema Date: Mon, 7 Jul 2025 14:27:50 +0200 Subject: [PATCH 08/88] Convert FIO45-C to use the new dataflow library --- .../rules/FIO45-C/ToctouRaceConditionsWhileAccessingFiles.ql | 2 +- .../FIO45-C/ToctouRaceConditionsWhileAccessingFiles.expected | 1 - 2 files changed, 1 insertion(+), 2 deletions(-) diff --git a/c/cert/src/rules/FIO45-C/ToctouRaceConditionsWhileAccessingFiles.ql b/c/cert/src/rules/FIO45-C/ToctouRaceConditionsWhileAccessingFiles.ql index 85369b502e..0500294b9b 100644 --- a/c/cert/src/rules/FIO45-C/ToctouRaceConditionsWhileAccessingFiles.ql +++ b/c/cert/src/rules/FIO45-C/ToctouRaceConditionsWhileAccessingFiles.ql @@ -19,7 +19,7 @@ import cpp import codingstandards.c.cert import codingstandards.cpp.standardlibrary.FileAccess -import semmle.code.cpp.dataflow.DataFlow +import semmle.code.cpp.dataflow.new.DataFlow import semmle.code.cpp.valuenumbering.GlobalValueNumbering /** diff --git a/c/cert/test/rules/FIO45-C/ToctouRaceConditionsWhileAccessingFiles.expected b/c/cert/test/rules/FIO45-C/ToctouRaceConditionsWhileAccessingFiles.expected index a211aa4002..1b2923b780 100644 --- a/c/cert/test/rules/FIO45-C/ToctouRaceConditionsWhileAccessingFiles.expected +++ b/c/cert/test/rules/FIO45-C/ToctouRaceConditionsWhileAccessingFiles.expected @@ -1,3 +1,2 @@ -WARNING: module 'DataFlow' has been deprecated and may be removed in future (ToctouRaceConditionsWhileAccessingFiles.ql:32,35-43) | test.c:4:13:4:17 | call to fopen | This call is trying to prevent an existing file from being overwritten by $@. An attacker might be able to exploit the race window between the two calls. | test.c:11:9:11:13 | call to fopen | another call | | test.c:88:13:88:17 | call to fopen | This call is trying to prevent an existing file from being overwritten by $@. An attacker might be able to exploit the race window between the two calls. | test.c:95:9:95:13 | call to fopen | another call | From c5c6c58b72bc35ddac06714267d3feaa747b6255 Mon Sep 17 00:00:00 2001 
From: Jeroen Ketema Date: Mon, 7 Jul 2025 14:29:48 +0200 Subject: [PATCH 09/88] Convert EXP36-C to the new datafow library Note that we now properly report the offending cast instead of the expression that is being cast. --- ...PointerToMoreStrictlyAlignedPointerType.ql | 2 +- ...rToMoreStrictlyAlignedPointerType.expected | 479 +++++++++--------- 2 files changed, 247 insertions(+), 234 deletions(-) diff --git a/c/cert/src/rules/EXP36-C/DoNotCastPointerToMoreStrictlyAlignedPointerType.ql b/c/cert/src/rules/EXP36-C/DoNotCastPointerToMoreStrictlyAlignedPointerType.ql index 0d294e48b1..7b428a7eee 100644 --- a/c/cert/src/rules/EXP36-C/DoNotCastPointerToMoreStrictlyAlignedPointerType.ql +++ b/c/cert/src/rules/EXP36-C/DoNotCastPointerToMoreStrictlyAlignedPointerType.ql @@ -19,7 +19,7 @@ import cpp import codingstandards.c.cert import codingstandards.cpp.Alignment -import semmle.code.cpp.dataflow.DataFlow +import semmle.code.cpp.dataflow.new.DataFlow import semmle.code.cpp.rangeanalysis.SimpleRangeAnalysis import ExprWithAlignmentToCStyleCastFlow::PathGraph diff --git a/c/cert/test/rules/EXP36-C/DoNotCastPointerToMoreStrictlyAlignedPointerType.expected b/c/cert/test/rules/EXP36-C/DoNotCastPointerToMoreStrictlyAlignedPointerType.expected index eb7642ae28..381f2b053c 100644 --- a/c/cert/test/rules/EXP36-C/DoNotCastPointerToMoreStrictlyAlignedPointerType.expected +++ b/c/cert/test/rules/EXP36-C/DoNotCastPointerToMoreStrictlyAlignedPointerType.expected 
@@ -1,277 +1,290 @@ -WARNING: module 'DataFlow' has been deprecated and may be removed in future (DoNotCastPointerToMoreStrictlyAlignedPointerType.ql:103,86-94) -WARNING: module 'DataFlow' has been deprecated and may be removed in future (DoNotCastPointerToMoreStrictlyAlignedPointerType.ql:125,3-11) -WARNING: module 'DataFlow' has been deprecated and may be removed in future (DoNotCastPointerToMoreStrictlyAlignedPointerType.ql:127,22-30) -WARNING: module 'DataFlow' has been deprecated and may be removed in future (DoNotCastPointerToMoreStrictlyAlignedPointerType.ql:132,20-28) -WARNING: module 'DataFlow' has been deprecated and may be removed in future (DoNotCastPointerToMoreStrictlyAlignedPointerType.ql:138,3-11) -WARNING: module 'DataFlow' has been deprecated and may be removed in future (DoNotCastPointerToMoreStrictlyAlignedPointerType.ql:144,55-63) -WARNING: module 'DataFlow' has been deprecated and may be removed in future (DoNotCastPointerToMoreStrictlyAlignedPointerType.ql:145,22-30) -WARNING: module 'DataFlow' has been deprecated and may be removed in future (DoNotCastPointerToMoreStrictlyAlignedPointerType.ql:147,20-28) -WARNING: module 'DataFlow' has been deprecated and may be removed in future (DoNotCastPointerToMoreStrictlyAlignedPointerType.ql:154,26-34) -WARNING: module 'DataFlow' has been deprecated and may be removed in future (DoNotCastPointerToMoreStrictlyAlignedPointerType.ql:169,44-52) edges -| test.c:75:14:75:16 | & ... | test.c:76:11:76:12 | v1 | provenance | | -| test.c:75:14:75:16 | & ... | test.c:77:12:77:13 | v1 | provenance | | -| test.c:75:14:75:16 | & ... | test.c:78:10:78:11 | v1 | provenance | | -| test.c:75:14:75:16 | & ... | test.c:79:12:79:13 | v1 | provenance | | -| test.c:75:14:75:16 | & ... | test.c:80:11:80:12 | v1 | provenance | | -| test.c:75:14:75:16 | & ... | test.c:81:13:81:14 | v1 | provenance | | -| test.c:84:14:84:16 | & ... | test.c:85:11:85:12 | v2 | provenance | | -| test.c:84:14:84:16 | & ... 
| test.c:86:12:86:13 | v2 | provenance | | -| test.c:84:14:84:16 | & ... | test.c:87:10:87:11 | v2 | provenance | | -| test.c:84:14:84:16 | & ... | test.c:88:12:88:13 | v2 | provenance | | -| test.c:84:14:84:16 | & ... | test.c:89:11:89:12 | v2 | provenance | | -| test.c:84:14:84:16 | & ... | test.c:90:13:90:14 | v2 | provenance | | -| test.c:93:14:93:16 | & ... | test.c:94:11:94:12 | v3 | provenance | | -| test.c:93:14:93:16 | & ... | test.c:95:12:95:13 | v3 | provenance | | -| test.c:93:14:93:16 | & ... | test.c:96:10:96:11 | v3 | provenance | | -| test.c:93:14:93:16 | & ... | test.c:97:12:97:13 | v3 | provenance | | -| test.c:93:14:93:16 | & ... | test.c:98:11:98:12 | v3 | provenance | | -| test.c:93:14:93:16 | & ... | test.c:99:13:99:14 | v3 | provenance | | -| test.c:102:14:102:16 | & ... | test.c:103:11:103:12 | v4 | provenance | | -| test.c:102:14:102:16 | & ... | test.c:104:12:104:13 | v4 | provenance | | -| test.c:102:14:102:16 | & ... | test.c:105:10:105:11 | v4 | provenance | | -| test.c:102:14:102:16 | & ... | test.c:106:12:106:13 | v4 | provenance | | -| test.c:102:14:102:16 | & ... | test.c:107:11:107:12 | v4 | provenance | | -| test.c:102:14:102:16 | & ... | test.c:108:13:108:14 | v4 | provenance | | -| test.c:111:14:111:16 | & ... | test.c:112:11:112:12 | v5 | provenance | | -| test.c:111:14:111:16 | & ... | test.c:113:12:113:13 | v5 | provenance | | -| test.c:111:14:111:16 | & ... | test.c:114:10:114:11 | v5 | provenance | | -| test.c:111:14:111:16 | & ... | test.c:115:12:115:13 | v5 | provenance | | -| test.c:111:14:111:16 | & ... | test.c:116:11:116:12 | v5 | provenance | | -| test.c:111:14:111:16 | & ... | test.c:117:13:117:14 | v5 | provenance | | -| test.c:120:14:120:16 | & ... | test.c:121:11:121:12 | v6 | provenance | | -| test.c:120:14:120:16 | & ... | test.c:122:12:122:13 | v6 | provenance | | -| test.c:120:14:120:16 | & ... | test.c:123:10:123:11 | v6 | provenance | | -| test.c:120:14:120:16 | & ... 
| test.c:124:12:124:13 | v6 | provenance | | -| test.c:120:14:120:16 | & ... | test.c:125:11:125:12 | v6 | provenance | | -| test.c:120:14:120:16 | & ... | test.c:126:13:126:14 | v6 | provenance | | -| test.c:129:22:129:22 | v | test.c:130:17:130:17 | v | provenance | | -| test.c:135:21:135:23 | & ... | test.c:129:22:129:22 | v | provenance | | -| test.c:138:21:138:23 | & ... | test.c:129:22:129:22 | v | provenance | | -| test.c:166:24:166:29 | call to malloc | test.c:167:13:167:15 | & ... | provenance | | -| test.c:166:24:166:29 | call to malloc | test.c:168:16:168:17 | s1 | provenance | | -| test.c:166:24:166:29 | call to malloc | test.c:169:13:169:14 | s1 | provenance | | -| test.c:166:24:166:29 | call to malloc | test.c:169:13:169:14 | s1 | provenance | | +| test.c:75:14:75:16 | & ... | test.c:75:14:75:16 | & ... | provenance | | +| test.c:75:14:75:16 | & ... | test.c:76:3:76:12 | v1 | provenance | | +| test.c:75:14:75:16 | & ... | test.c:77:3:77:13 | v1 | provenance | | +| test.c:75:14:75:16 | & ... | test.c:78:3:78:11 | v1 | provenance | | +| test.c:75:14:75:16 | & ... | test.c:79:3:79:13 | v1 | provenance | | +| test.c:75:14:75:16 | & ... | test.c:80:3:80:12 | v1 | provenance | | +| test.c:75:14:75:16 | & ... | test.c:81:3:81:14 | v1 | provenance | | +| test.c:84:14:84:16 | & ... | test.c:84:14:84:16 | & ... | provenance | | +| test.c:84:14:84:16 | & ... | test.c:85:3:85:12 | v2 | provenance | | +| test.c:84:14:84:16 | & ... | test.c:86:3:86:13 | v2 | provenance | | +| test.c:84:14:84:16 | & ... | test.c:87:3:87:11 | v2 | provenance | | +| test.c:84:14:84:16 | & ... | test.c:88:3:88:13 | v2 | provenance | | +| test.c:84:14:84:16 | & ... | test.c:89:3:89:12 | v2 | provenance | | +| test.c:84:14:84:16 | & ... | test.c:90:3:90:14 | v2 | provenance | | +| test.c:93:14:93:16 | & ... | test.c:93:14:93:16 | & ... | provenance | | +| test.c:93:14:93:16 | & ... | test.c:94:3:94:12 | v3 | provenance | | +| test.c:93:14:93:16 | & ... 
| test.c:95:3:95:13 | v3 | provenance | | +| test.c:93:14:93:16 | & ... | test.c:96:3:96:11 | v3 | provenance | | +| test.c:93:14:93:16 | & ... | test.c:97:3:97:13 | v3 | provenance | | +| test.c:93:14:93:16 | & ... | test.c:98:3:98:12 | v3 | provenance | | +| test.c:93:14:93:16 | & ... | test.c:99:3:99:14 | v3 | provenance | | +| test.c:102:14:102:16 | & ... | test.c:102:14:102:16 | & ... | provenance | | +| test.c:102:14:102:16 | & ... | test.c:103:3:103:12 | v4 | provenance | | +| test.c:102:14:102:16 | & ... | test.c:104:3:104:13 | v4 | provenance | | +| test.c:102:14:102:16 | & ... | test.c:105:3:105:11 | v4 | provenance | | +| test.c:102:14:102:16 | & ... | test.c:106:3:106:13 | v4 | provenance | | +| test.c:102:14:102:16 | & ... | test.c:107:3:107:12 | v4 | provenance | | +| test.c:102:14:102:16 | & ... | test.c:108:3:108:14 | v4 | provenance | | +| test.c:111:14:111:16 | & ... | test.c:111:14:111:16 | & ... | provenance | | +| test.c:111:14:111:16 | & ... | test.c:112:3:112:12 | v5 | provenance | | +| test.c:111:14:111:16 | & ... | test.c:113:3:113:13 | v5 | provenance | | +| test.c:111:14:111:16 | & ... | test.c:114:3:114:11 | v5 | provenance | | +| test.c:111:14:111:16 | & ... | test.c:115:3:115:13 | v5 | provenance | | +| test.c:111:14:111:16 | & ... | test.c:116:3:116:12 | v5 | provenance | | +| test.c:111:14:111:16 | & ... | test.c:117:3:117:14 | v5 | provenance | | +| test.c:120:14:120:16 | & ... | test.c:120:14:120:16 | & ... | provenance | | +| test.c:120:14:120:16 | & ... | test.c:121:3:121:12 | v6 | provenance | | +| test.c:120:14:120:16 | & ... | test.c:122:3:122:13 | v6 | provenance | | +| test.c:120:14:120:16 | & ... | test.c:123:3:123:11 | v6 | provenance | | +| test.c:120:14:120:16 | & ... | test.c:124:3:124:13 | v6 | provenance | | +| test.c:120:14:120:16 | & ... | test.c:125:3:125:12 | v6 | provenance | | +| test.c:120:14:120:16 | & ... 
| test.c:126:3:126:14 | v6 | provenance | | +| test.c:129:22:129:22 | v | test.c:130:10:130:17 | v | provenance | | +| test.c:135:13:135:23 | & ... | test.c:129:22:129:22 | v | provenance | | +| test.c:138:13:138:23 | & ... | test.c:129:22:129:22 | v | provenance | | +| test.c:166:15:166:33 | call to malloc | test.c:166:15:166:33 | call to malloc | provenance | | +| test.c:166:15:166:33 | call to malloc | test.c:168:3:168:17 | s1 | provenance | | +| test.c:166:15:166:33 | call to malloc | test.c:169:13:169:14 | s1 | provenance | | +| test.c:166:15:166:33 | call to malloc | test.c:169:13:169:14 | s1 | provenance | | | test.c:169:13:169:14 | s1 | test.c:129:22:129:22 | v | provenance | | | test.c:174:13:174:14 | s2 | test.c:129:22:129:22 | v | provenance | | | test.c:179:13:179:14 | s3 | test.c:129:22:129:22 | v | provenance | | -| test.c:183:14:183:26 | call to aligned_alloc | test.c:184:11:184:12 | v1 | provenance | | -| test.c:183:14:183:26 | call to aligned_alloc | test.c:185:10:185:11 | v1 | provenance | | -| test.c:183:14:183:26 | call to aligned_alloc | test.c:186:13:186:14 | v1 | provenance | | +| test.c:183:14:183:26 | call to aligned_alloc | test.c:183:14:183:26 | call to aligned_alloc | provenance | | +| test.c:183:14:183:26 | call to aligned_alloc | test.c:184:3:184:12 | v1 | provenance | | +| test.c:183:14:183:26 | call to aligned_alloc | test.c:185:3:185:11 | v1 | provenance | | +| test.c:183:14:183:26 | call to aligned_alloc | test.c:186:3:186:14 | v1 | provenance | | | test.c:183:14:183:26 | call to aligned_alloc | test.c:187:13:187:14 | v1 | provenance | | | test.c:187:13:187:14 | v1 | test.c:129:22:129:22 | v | provenance | | +| test.c:189:14:189:26 | call to aligned_alloc | test.c:189:14:189:26 | call to aligned_alloc | provenance | | | test.c:189:14:189:26 | call to aligned_alloc | test.c:190:13:190:14 | v2 | provenance | | | test.c:190:13:190:14 | v2 | test.c:129:22:129:22 | v | provenance | | -| test.c:222:8:222:9 | p2 | test.c:223:11:223:12 | 
v1 | provenance | | -| test.c:222:8:222:9 | p2 | test.c:224:12:224:13 | v1 | provenance | | -| test.c:222:8:222:9 | p2 | test.c:225:10:225:11 | v1 | provenance | | -| test.c:222:8:222:9 | p2 | test.c:226:12:226:13 | v1 | provenance | | -| test.c:222:8:222:9 | p2 | test.c:227:11:227:12 | v1 | provenance | | -| test.c:222:8:222:9 | p2 | test.c:228:13:228:14 | v1 | provenance | | +| test.c:222:3:222:9 | ... = ... | test.c:223:3:223:12 | v1 | provenance | | +| test.c:222:3:222:9 | ... = ... | test.c:224:3:224:13 | v1 | provenance | | +| test.c:222:3:222:9 | ... = ... | test.c:225:3:225:11 | v1 | provenance | | +| test.c:222:3:222:9 | ... = ... | test.c:226:3:226:13 | v1 | provenance | | +| test.c:222:3:222:9 | ... = ... | test.c:227:3:227:12 | v1 | provenance | | +| test.c:222:3:222:9 | ... = ... | test.c:228:3:228:14 | v1 | provenance | | +| test.c:222:8:222:9 | p2 | test.c:222:3:222:9 | ... = ... | provenance | | +| test.c:238:13:238:14 | & ... | test.c:238:13:238:14 | & ... | provenance | | | test.c:238:13:238:14 | & ... | test.c:244:12:244:13 | ip | provenance | | -| test.c:241:15:241:18 | & ... | test.c:247:9:247:12 | & ... | provenance | | -| test.c:252:16:252:18 | & ... | test.c:254:11:254:13 | ps1 | provenance | | -| test.c:252:16:252:18 | & ... | test.c:256:10:256:12 | ps1 | provenance | | +| test.c:240:16:240:19 | & ... | test.c:246:9:246:12 | & ... | provenance | | +| test.c:252:16:252:18 | & ... | test.c:252:16:252:18 | & ... | provenance | | +| test.c:252:16:252:18 | & ... | test.c:254:3:254:13 | ps1 | provenance | | +| test.c:252:16:252:18 | & ... | test.c:256:3:256:12 | ps1 | provenance | | nodes -| test.c:7:11:7:13 | & ... | semmle.label | & ... | -| test.c:8:12:8:14 | & ... | semmle.label | & ... | -| test.c:9:10:9:12 | & ... | semmle.label | & ... | -| test.c:10:11:10:13 | & ... | semmle.label | & ... | -| test.c:11:12:11:14 | & ... | semmle.label | & ... | -| test.c:12:13:12:15 | & ... | semmle.label | & ... | -| test.c:15:11:15:13 | & ... 
| semmle.label | & ... | -| test.c:16:12:16:14 | & ... | semmle.label | & ... | -| test.c:17:10:17:12 | & ... | semmle.label | & ... | -| test.c:18:11:18:13 | & ... | semmle.label | & ... | -| test.c:19:12:19:14 | & ... | semmle.label | & ... | -| test.c:20:13:20:15 | & ... | semmle.label | & ... | -| test.c:23:11:23:13 | & ... | semmle.label | & ... | -| test.c:24:12:24:14 | & ... | semmle.label | & ... | -| test.c:25:10:25:12 | & ... | semmle.label | & ... | -| test.c:26:12:26:14 | & ... | semmle.label | & ... | -| test.c:27:11:27:13 | & ... | semmle.label | & ... | -| test.c:28:13:28:15 | & ... | semmle.label | & ... | -| test.c:31:11:31:13 | & ... | semmle.label | & ... | -| test.c:32:12:32:14 | & ... | semmle.label | & ... | -| test.c:33:10:33:12 | & ... | semmle.label | & ... | -| test.c:34:12:34:14 | & ... | semmle.label | & ... | -| test.c:35:11:35:13 | & ... | semmle.label | & ... | -| test.c:36:13:36:15 | & ... | semmle.label | & ... | -| test.c:39:11:39:13 | & ... | semmle.label | & ... | -| test.c:40:12:40:14 | & ... | semmle.label | & ... | -| test.c:41:10:41:12 | & ... | semmle.label | & ... | -| test.c:42:12:42:14 | & ... | semmle.label | & ... | -| test.c:43:11:43:13 | & ... | semmle.label | & ... | -| test.c:44:13:44:15 | & ... | semmle.label | & ... | -| test.c:47:11:47:13 | & ... | semmle.label | & ... | -| test.c:48:12:48:14 | & ... | semmle.label | & ... | -| test.c:49:10:49:12 | & ... | semmle.label | & ... | -| test.c:50:12:50:14 | & ... | semmle.label | & ... | -| test.c:51:11:51:13 | & ... | semmle.label | & ... | -| test.c:52:13:52:15 | & ... | semmle.label | & ... | -| test.c:57:11:57:13 | & ... | semmle.label | & ... | -| test.c:58:12:58:14 | & ... | semmle.label | & ... | -| test.c:59:10:59:12 | & ... | semmle.label | & ... | -| test.c:60:12:60:14 | & ... | semmle.label | & ... | -| test.c:61:11:61:13 | & ... | semmle.label | & ... | -| test.c:62:13:62:15 | & ... | semmle.label | & ... | -| test.c:65:11:65:13 | & ... 
| semmle.label | & ... | -| test.c:66:12:66:14 | & ... | semmle.label | & ... | -| test.c:67:10:67:12 | & ... | semmle.label | & ... | -| test.c:68:12:68:14 | & ... | semmle.label | & ... | -| test.c:69:11:69:13 | & ... | semmle.label | & ... | -| test.c:70:13:70:15 | & ... | semmle.label | & ... | +| test.c:7:3:7:13 | & ... | semmle.label | & ... | +| test.c:8:3:8:14 | & ... | semmle.label | & ... | +| test.c:9:3:9:12 | & ... | semmle.label | & ... | +| test.c:10:3:10:13 | & ... | semmle.label | & ... | +| test.c:11:3:11:14 | & ... | semmle.label | & ... | +| test.c:12:3:12:15 | & ... | semmle.label | & ... | +| test.c:15:3:15:13 | & ... | semmle.label | & ... | +| test.c:16:3:16:14 | & ... | semmle.label | & ... | +| test.c:17:3:17:12 | & ... | semmle.label | & ... | +| test.c:18:3:18:13 | & ... | semmle.label | & ... | +| test.c:19:3:19:14 | & ... | semmle.label | & ... | +| test.c:20:3:20:15 | & ... | semmle.label | & ... | +| test.c:23:3:23:13 | & ... | semmle.label | & ... | +| test.c:24:3:24:14 | & ... | semmle.label | & ... | +| test.c:25:3:25:12 | & ... | semmle.label | & ... | +| test.c:26:3:26:14 | & ... | semmle.label | & ... | +| test.c:27:3:27:13 | & ... | semmle.label | & ... | +| test.c:28:3:28:15 | & ... | semmle.label | & ... | +| test.c:31:3:31:13 | & ... | semmle.label | & ... | +| test.c:32:3:32:14 | & ... | semmle.label | & ... | +| test.c:33:3:33:12 | & ... | semmle.label | & ... | +| test.c:34:3:34:14 | & ... | semmle.label | & ... | +| test.c:35:3:35:13 | & ... | semmle.label | & ... | +| test.c:36:3:36:15 | & ... | semmle.label | & ... | +| test.c:39:3:39:13 | & ... | semmle.label | & ... | +| test.c:40:3:40:14 | & ... | semmle.label | & ... | +| test.c:41:3:41:12 | & ... | semmle.label | & ... | +| test.c:42:3:42:14 | & ... | semmle.label | & ... | +| test.c:43:3:43:13 | & ... | semmle.label | & ... | +| test.c:44:3:44:15 | & ... | semmle.label | & ... | +| test.c:47:3:47:13 | & ... | semmle.label | & ... | +| test.c:48:3:48:14 | & ... 
| semmle.label | & ... | +| test.c:49:3:49:12 | & ... | semmle.label | & ... | +| test.c:50:3:50:14 | & ... | semmle.label | & ... | +| test.c:51:3:51:13 | & ... | semmle.label | & ... | +| test.c:52:3:52:15 | & ... | semmle.label | & ... | +| test.c:57:3:57:13 | & ... | semmle.label | & ... | +| test.c:58:3:58:14 | & ... | semmle.label | & ... | +| test.c:59:3:59:12 | & ... | semmle.label | & ... | +| test.c:60:3:60:14 | & ... | semmle.label | & ... | +| test.c:61:3:61:13 | & ... | semmle.label | & ... | +| test.c:62:3:62:15 | & ... | semmle.label | & ... | +| test.c:65:3:65:13 | & ... | semmle.label | & ... | +| test.c:66:3:66:14 | & ... | semmle.label | & ... | +| test.c:67:3:67:12 | & ... | semmle.label | & ... | +| test.c:68:3:68:14 | & ... | semmle.label | & ... | +| test.c:69:3:69:13 | & ... | semmle.label | & ... | +| test.c:70:3:70:15 | & ... | semmle.label | & ... | | test.c:75:14:75:16 | & ... | semmle.label | & ... | | test.c:75:14:75:16 | & ... | semmle.label | & ... | -| test.c:76:11:76:12 | v1 | semmle.label | v1 | -| test.c:77:12:77:13 | v1 | semmle.label | v1 | -| test.c:78:10:78:11 | v1 | semmle.label | v1 | -| test.c:79:12:79:13 | v1 | semmle.label | v1 | -| test.c:80:11:80:12 | v1 | semmle.label | v1 | -| test.c:81:13:81:14 | v1 | semmle.label | v1 | +| test.c:75:14:75:16 | & ... | semmle.label | & ... | +| test.c:76:3:76:12 | v1 | semmle.label | v1 | +| test.c:77:3:77:13 | v1 | semmle.label | v1 | +| test.c:78:3:78:11 | v1 | semmle.label | v1 | +| test.c:79:3:79:13 | v1 | semmle.label | v1 | +| test.c:80:3:80:12 | v1 | semmle.label | v1 | +| test.c:81:3:81:14 | v1 | semmle.label | v1 | +| test.c:84:14:84:16 | & ... | semmle.label | & ... | | test.c:84:14:84:16 | & ... | semmle.label | & ... | | test.c:84:14:84:16 | & ... | semmle.label | & ... 
| -| test.c:85:11:85:12 | v2 | semmle.label | v2 | -| test.c:86:12:86:13 | v2 | semmle.label | v2 | -| test.c:87:10:87:11 | v2 | semmle.label | v2 | -| test.c:88:12:88:13 | v2 | semmle.label | v2 | -| test.c:89:11:89:12 | v2 | semmle.label | v2 | -| test.c:90:13:90:14 | v2 | semmle.label | v2 | +| test.c:85:3:85:12 | v2 | semmle.label | v2 | +| test.c:86:3:86:13 | v2 | semmle.label | v2 | +| test.c:87:3:87:11 | v2 | semmle.label | v2 | +| test.c:88:3:88:13 | v2 | semmle.label | v2 | +| test.c:89:3:89:12 | v2 | semmle.label | v2 | +| test.c:90:3:90:14 | v2 | semmle.label | v2 | +| test.c:93:14:93:16 | & ... | semmle.label | & ... | | test.c:93:14:93:16 | & ... | semmle.label | & ... | | test.c:93:14:93:16 | & ... | semmle.label | & ... | -| test.c:94:11:94:12 | v3 | semmle.label | v3 | -| test.c:95:12:95:13 | v3 | semmle.label | v3 | -| test.c:96:10:96:11 | v3 | semmle.label | v3 | -| test.c:97:12:97:13 | v3 | semmle.label | v3 | -| test.c:98:11:98:12 | v3 | semmle.label | v3 | -| test.c:99:13:99:14 | v3 | semmle.label | v3 | +| test.c:94:3:94:12 | v3 | semmle.label | v3 | +| test.c:95:3:95:13 | v3 | semmle.label | v3 | +| test.c:96:3:96:11 | v3 | semmle.label | v3 | +| test.c:97:3:97:13 | v3 | semmle.label | v3 | +| test.c:98:3:98:12 | v3 | semmle.label | v3 | +| test.c:99:3:99:14 | v3 | semmle.label | v3 | | test.c:102:14:102:16 | & ... | semmle.label | & ... | | test.c:102:14:102:16 | & ... | semmle.label | & ... | -| test.c:103:11:103:12 | v4 | semmle.label | v4 | -| test.c:104:12:104:13 | v4 | semmle.label | v4 | -| test.c:105:10:105:11 | v4 | semmle.label | v4 | -| test.c:106:12:106:13 | v4 | semmle.label | v4 | -| test.c:107:11:107:12 | v4 | semmle.label | v4 | -| test.c:108:13:108:14 | v4 | semmle.label | v4 | +| test.c:102:14:102:16 | & ... | semmle.label | & ... 
| +| test.c:103:3:103:12 | v4 | semmle.label | v4 | +| test.c:104:3:104:13 | v4 | semmle.label | v4 | +| test.c:105:3:105:11 | v4 | semmle.label | v4 | +| test.c:106:3:106:13 | v4 | semmle.label | v4 | +| test.c:107:3:107:12 | v4 | semmle.label | v4 | +| test.c:108:3:108:14 | v4 | semmle.label | v4 | +| test.c:111:14:111:16 | & ... | semmle.label | & ... | | test.c:111:14:111:16 | & ... | semmle.label | & ... | | test.c:111:14:111:16 | & ... | semmle.label | & ... | -| test.c:112:11:112:12 | v5 | semmle.label | v5 | -| test.c:113:12:113:13 | v5 | semmle.label | v5 | -| test.c:114:10:114:11 | v5 | semmle.label | v5 | -| test.c:115:12:115:13 | v5 | semmle.label | v5 | -| test.c:116:11:116:12 | v5 | semmle.label | v5 | -| test.c:117:13:117:14 | v5 | semmle.label | v5 | +| test.c:112:3:112:12 | v5 | semmle.label | v5 | +| test.c:113:3:113:13 | v5 | semmle.label | v5 | +| test.c:114:3:114:11 | v5 | semmle.label | v5 | +| test.c:115:3:115:13 | v5 | semmle.label | v5 | +| test.c:116:3:116:12 | v5 | semmle.label | v5 | +| test.c:117:3:117:14 | v5 | semmle.label | v5 | +| test.c:120:14:120:16 | & ... | semmle.label | & ... | | test.c:120:14:120:16 | & ... | semmle.label | & ... | | test.c:120:14:120:16 | & ... | semmle.label | & ... | -| test.c:121:11:121:12 | v6 | semmle.label | v6 | -| test.c:122:12:122:13 | v6 | semmle.label | v6 | -| test.c:123:10:123:11 | v6 | semmle.label | v6 | -| test.c:124:12:124:13 | v6 | semmle.label | v6 | -| test.c:125:11:125:12 | v6 | semmle.label | v6 | -| test.c:126:13:126:14 | v6 | semmle.label | v6 | +| test.c:121:3:121:12 | v6 | semmle.label | v6 | +| test.c:122:3:122:13 | v6 | semmle.label | v6 | +| test.c:123:3:123:11 | v6 | semmle.label | v6 | +| test.c:124:3:124:13 | v6 | semmle.label | v6 | +| test.c:125:3:125:12 | v6 | semmle.label | v6 | +| test.c:126:3:126:14 | v6 | semmle.label | v6 | | test.c:129:22:129:22 | v | semmle.label | v | -| test.c:130:17:130:17 | v | semmle.label | v | -| test.c:135:21:135:23 | & ... 
| semmle.label | & ... | -| test.c:135:21:135:23 | & ... | semmle.label | & ... | -| test.c:138:21:138:23 | & ... | semmle.label | & ... | -| test.c:138:21:138:23 | & ... | semmle.label | & ... | -| test.c:158:13:158:20 | & ... | semmle.label | & ... | -| test.c:161:13:161:20 | & ... | semmle.label | & ... | -| test.c:162:16:162:18 | & ... | semmle.label | & ... | -| test.c:166:24:166:29 | call to malloc | semmle.label | call to malloc | -| test.c:166:24:166:29 | call to malloc | semmle.label | call to malloc | -| test.c:167:13:167:15 | & ... | semmle.label | & ... | -| test.c:168:16:168:17 | s1 | semmle.label | s1 | +| test.c:130:10:130:17 | v | semmle.label | v | +| test.c:135:13:135:23 | & ... | semmle.label | & ... | +| test.c:135:13:135:23 | & ... | semmle.label | & ... | +| test.c:138:13:138:23 | & ... | semmle.label | & ... | +| test.c:138:13:138:23 | & ... | semmle.label | & ... | +| test.c:158:3:158:20 | & ... | semmle.label | & ... | +| test.c:161:3:161:20 | & ... | semmle.label | & ... | +| test.c:162:3:162:18 | & ... | semmle.label | & ... | +| test.c:166:15:166:33 | call to malloc | semmle.label | call to malloc | +| test.c:166:15:166:33 | call to malloc | semmle.label | call to malloc | +| test.c:166:15:166:33 | call to malloc | semmle.label | call to malloc | +| test.c:167:3:167:15 | & ... | semmle.label | & ... 
| +| test.c:168:3:168:17 | s1 | semmle.label | s1 | | test.c:169:13:169:14 | s1 | semmle.label | s1 | | test.c:169:13:169:14 | s1 | semmle.label | s1 | -| test.c:172:11:172:12 | s2 | semmle.label | s2 | -| test.c:173:13:173:14 | s2 | semmle.label | s2 | +| test.c:172:3:172:12 | s2 | semmle.label | s2 | +| test.c:173:3:173:14 | s2 | semmle.label | s2 | | test.c:174:13:174:14 | s2 | semmle.label | s2 | | test.c:174:13:174:14 | s2 | semmle.label | s2 | -| test.c:177:11:177:12 | s3 | semmle.label | s3 | -| test.c:178:13:178:14 | s3 | semmle.label | s3 | +| test.c:177:3:177:12 | s3 | semmle.label | s3 | +| test.c:178:3:178:14 | s3 | semmle.label | s3 | | test.c:179:13:179:14 | s3 | semmle.label | s3 | | test.c:179:13:179:14 | s3 | semmle.label | s3 | | test.c:183:14:183:26 | call to aligned_alloc | semmle.label | call to aligned_alloc | -| test.c:184:11:184:12 | v1 | semmle.label | v1 | -| test.c:185:10:185:11 | v1 | semmle.label | v1 | -| test.c:186:13:186:14 | v1 | semmle.label | v1 | +| test.c:183:14:183:26 | call to aligned_alloc | semmle.label | call to aligned_alloc | +| test.c:184:3:184:12 | v1 | semmle.label | v1 | +| test.c:185:3:185:11 | v1 | semmle.label | v1 | +| test.c:186:3:186:14 | v1 | semmle.label | v1 | | test.c:187:13:187:14 | v1 | semmle.label | v1 | | test.c:189:14:189:26 | call to aligned_alloc | semmle.label | call to aligned_alloc | +| test.c:189:14:189:26 | call to aligned_alloc | semmle.label | call to aligned_alloc | | test.c:190:13:190:14 | v2 | semmle.label | v2 | -| test.c:214:11:214:12 | p2 | semmle.label | p2 | -| test.c:215:12:215:13 | p2 | semmle.label | p2 | -| test.c:216:10:216:11 | p2 | semmle.label | p2 | -| test.c:217:11:217:12 | p2 | semmle.label | p2 | -| test.c:218:12:218:13 | p2 | semmle.label | p2 | -| test.c:219:13:219:14 | p2 | semmle.label | p2 | +| test.c:214:3:214:12 | p2 | semmle.label | p2 | +| test.c:215:3:215:13 | p2 | semmle.label | p2 | +| test.c:216:3:216:11 | p2 | semmle.label | p2 | +| test.c:217:3:217:12 | p2 | 
semmle.label | p2 | +| test.c:218:3:218:13 | p2 | semmle.label | p2 | +| test.c:219:3:219:14 | p2 | semmle.label | p2 | +| test.c:222:3:222:9 | ... = ... | semmle.label | ... = ... | | test.c:222:8:222:9 | p2 | semmle.label | p2 | | test.c:222:8:222:9 | p2 | semmle.label | p2 | -| test.c:223:11:223:12 | v1 | semmle.label | v1 | -| test.c:224:12:224:13 | v1 | semmle.label | v1 | -| test.c:225:10:225:11 | v1 | semmle.label | v1 | -| test.c:226:12:226:13 | v1 | semmle.label | v1 | -| test.c:227:11:227:12 | v1 | semmle.label | v1 | -| test.c:228:13:228:14 | v1 | semmle.label | v1 | +| test.c:223:3:223:12 | v1 | semmle.label | v1 | +| test.c:224:3:224:13 | v1 | semmle.label | v1 | +| test.c:225:3:225:11 | v1 | semmle.label | v1 | +| test.c:226:3:226:13 | v1 | semmle.label | v1 | +| test.c:227:3:227:12 | v1 | semmle.label | v1 | +| test.c:228:3:228:14 | v1 | semmle.label | v1 | +| test.c:238:13:238:14 | & ... | semmle.label | & ... | | test.c:238:13:238:14 | & ... | semmle.label | & ... | | test.c:240:16:240:19 | & ... | semmle.label | & ... | -| test.c:241:15:241:18 | & ... | semmle.label | & ... | +| test.c:240:16:240:19 | & ... | semmle.label | & ... | | test.c:241:15:241:18 | & ... | semmle.label | & ... | | test.c:244:12:244:13 | ip | semmle.label | ip | | test.c:246:9:246:12 | & ... | semmle.label | & ... | | test.c:247:9:247:12 | & ... | semmle.label | & ... | | test.c:252:16:252:18 | & ... | semmle.label | & ... | -| test.c:254:11:254:13 | ps1 | semmle.label | ps1 | -| test.c:255:11:255:13 | & ... | semmle.label | & ... | -| test.c:256:10:256:12 | ps1 | semmle.label | ps1 | -| test.c:257:10:257:12 | & ... | semmle.label | & ... | +| test.c:252:16:252:18 | & ... | semmle.label | & ... | +| test.c:254:3:254:13 | ps1 | semmle.label | ps1 | +| test.c:255:3:255:13 | & ... | semmle.label | & ... | +| test.c:256:3:256:12 | ps1 | semmle.label | ps1 | +| test.c:257:3:257:12 | & ... | semmle.label | & ... | subpaths #select -| test.c:8:3:8:14 | (short *)... 
| test.c:8:12:8:14 | & ... | test.c:8:12:8:14 | & ... | Cast from pointer with 1-byte alignment (defined by $@) to pointer with base type short with 2-byte alignment. | test.c:8:12:8:14 | & ... | address-of expression | -| test.c:9:3:9:12 | (int *)... | test.c:9:10:9:12 | & ... | test.c:9:10:9:12 | & ... | Cast from pointer with 1-byte alignment (defined by $@) to pointer with base type int with 4-byte alignment. | test.c:9:10:9:12 | & ... | address-of expression | -| test.c:10:3:10:13 | (long *)... | test.c:10:11:10:13 | & ... | test.c:10:11:10:13 | & ... | Cast from pointer with 1-byte alignment (defined by $@) to pointer with base type long with 8-byte alignment. | test.c:10:11:10:13 | & ... | address-of expression | -| test.c:11:3:11:14 | (float *)... | test.c:11:12:11:14 | & ... | test.c:11:12:11:14 | & ... | Cast from pointer with 1-byte alignment (defined by $@) to pointer with base type float with 4-byte alignment. | test.c:11:12:11:14 | & ... | address-of expression | -| test.c:12:3:12:15 | (double *)... | test.c:12:13:12:15 | & ... | test.c:12:13:12:15 | & ... | Cast from pointer with 1-byte alignment (defined by $@) to pointer with base type double with 8-byte alignment. | test.c:12:13:12:15 | & ... | address-of expression | -| test.c:17:3:17:12 | (int *)... | test.c:17:10:17:12 | & ... | test.c:17:10:17:12 | & ... | Cast from pointer with 2-byte alignment (defined by $@) to pointer with base type int with 4-byte alignment. | test.c:17:10:17:12 | & ... | address-of expression | -| test.c:18:3:18:13 | (long *)... | test.c:18:11:18:13 | & ... | test.c:18:11:18:13 | & ... | Cast from pointer with 2-byte alignment (defined by $@) to pointer with base type long with 8-byte alignment. | test.c:18:11:18:13 | & ... | address-of expression | -| test.c:19:3:19:14 | (float *)... | test.c:19:12:19:14 | & ... | test.c:19:12:19:14 | & ... | Cast from pointer with 2-byte alignment (defined by $@) to pointer with base type float with 4-byte alignment. 
| test.c:19:12:19:14 | & ... | address-of expression | -| test.c:20:3:20:15 | (double *)... | test.c:20:13:20:15 | & ... | test.c:20:13:20:15 | & ... | Cast from pointer with 2-byte alignment (defined by $@) to pointer with base type double with 8-byte alignment. | test.c:20:13:20:15 | & ... | address-of expression | -| test.c:27:3:27:13 | (long *)... | test.c:27:11:27:13 | & ... | test.c:27:11:27:13 | & ... | Cast from pointer with 4-byte alignment (defined by $@) to pointer with base type long with 8-byte alignment. | test.c:27:11:27:13 | & ... | address-of expression | -| test.c:28:3:28:15 | (double *)... | test.c:28:13:28:15 | & ... | test.c:28:13:28:15 | & ... | Cast from pointer with 4-byte alignment (defined by $@) to pointer with base type double with 8-byte alignment. | test.c:28:13:28:15 | & ... | address-of expression | -| test.c:35:3:35:13 | (long *)... | test.c:35:11:35:13 | & ... | test.c:35:11:35:13 | & ... | Cast from pointer with 4-byte alignment (defined by $@) to pointer with base type long with 8-byte alignment. | test.c:35:11:35:13 | & ... | address-of expression | -| test.c:36:3:36:15 | (double *)... | test.c:36:13:36:15 | & ... | test.c:36:13:36:15 | & ... | Cast from pointer with 4-byte alignment (defined by $@) to pointer with base type double with 8-byte alignment. | test.c:36:13:36:15 | & ... | address-of expression | -| test.c:61:3:61:13 | (long *)... | test.c:61:11:61:13 | & ... | test.c:61:11:61:13 | & ... | Cast from pointer with 4-byte alignment (defined by $@) to pointer with base type long with 8-byte alignment. | test.c:61:11:61:13 | & ... | address-of expression | -| test.c:62:3:62:15 | (double *)... | test.c:62:13:62:15 | & ... | test.c:62:13:62:15 | & ... | Cast from pointer with 4-byte alignment (defined by $@) to pointer with base type double with 8-byte alignment. | test.c:62:13:62:15 | & ... | address-of expression | -| test.c:77:3:77:13 | (short *)... | test.c:75:14:75:16 | & ... 
| test.c:77:12:77:13 | v1 | Cast from pointer with 1-byte alignment (defined by $@) to pointer with base type short with 2-byte alignment. | test.c:75:14:75:16 | & ... | address-of expression | -| test.c:78:3:78:11 | (int *)... | test.c:75:14:75:16 | & ... | test.c:78:10:78:11 | v1 | Cast from pointer with 1-byte alignment (defined by $@) to pointer with base type int with 4-byte alignment. | test.c:75:14:75:16 | & ... | address-of expression | -| test.c:79:3:79:13 | (float *)... | test.c:75:14:75:16 | & ... | test.c:79:12:79:13 | v1 | Cast from pointer with 1-byte alignment (defined by $@) to pointer with base type float with 4-byte alignment. | test.c:75:14:75:16 | & ... | address-of expression | -| test.c:80:3:80:12 | (long *)... | test.c:75:14:75:16 | & ... | test.c:80:11:80:12 | v1 | Cast from pointer with 1-byte alignment (defined by $@) to pointer with base type long with 8-byte alignment. | test.c:75:14:75:16 | & ... | address-of expression | -| test.c:81:3:81:14 | (double *)... | test.c:75:14:75:16 | & ... | test.c:81:13:81:14 | v1 | Cast from pointer with 1-byte alignment (defined by $@) to pointer with base type double with 8-byte alignment. | test.c:75:14:75:16 | & ... | address-of expression | -| test.c:87:3:87:11 | (int *)... | test.c:84:14:84:16 | & ... | test.c:87:10:87:11 | v2 | Cast from pointer with 2-byte alignment (defined by $@) to pointer with base type int with 4-byte alignment. | test.c:84:14:84:16 | & ... | address-of expression | -| test.c:88:3:88:13 | (float *)... | test.c:84:14:84:16 | & ... | test.c:88:12:88:13 | v2 | Cast from pointer with 2-byte alignment (defined by $@) to pointer with base type float with 4-byte alignment. | test.c:84:14:84:16 | & ... | address-of expression | -| test.c:89:3:89:12 | (long *)... | test.c:84:14:84:16 | & ... | test.c:89:11:89:12 | v2 | Cast from pointer with 2-byte alignment (defined by $@) to pointer with base type long with 8-byte alignment. | test.c:84:14:84:16 | & ... 
| address-of expression | -| test.c:90:3:90:14 | (double *)... | test.c:84:14:84:16 | & ... | test.c:90:13:90:14 | v2 | Cast from pointer with 2-byte alignment (defined by $@) to pointer with base type double with 8-byte alignment. | test.c:84:14:84:16 | & ... | address-of expression | -| test.c:98:3:98:12 | (long *)... | test.c:93:14:93:16 | & ... | test.c:98:11:98:12 | v3 | Cast from pointer with 4-byte alignment (defined by $@) to pointer with base type long with 8-byte alignment. | test.c:93:14:93:16 | & ... | address-of expression | -| test.c:99:3:99:14 | (double *)... | test.c:93:14:93:16 | & ... | test.c:99:13:99:14 | v3 | Cast from pointer with 4-byte alignment (defined by $@) to pointer with base type double with 8-byte alignment. | test.c:93:14:93:16 | & ... | address-of expression | -| test.c:107:3:107:12 | (long *)... | test.c:102:14:102:16 | & ... | test.c:107:11:107:12 | v4 | Cast from pointer with 4-byte alignment (defined by $@) to pointer with base type long with 8-byte alignment. | test.c:102:14:102:16 | & ... | address-of expression | -| test.c:108:3:108:14 | (double *)... | test.c:102:14:102:16 | & ... | test.c:108:13:108:14 | v4 | Cast from pointer with 4-byte alignment (defined by $@) to pointer with base type double with 8-byte alignment. | test.c:102:14:102:16 | & ... | address-of expression | -| test.c:130:10:130:17 | (int *)... | test.c:135:21:135:23 | & ... | test.c:130:17:130:17 | v | Cast from pointer with 1-byte alignment (defined by $@) to pointer with base type int with 4-byte alignment. | test.c:135:21:135:23 | & ... | address-of expression | -| test.c:130:10:130:17 | (int *)... | test.c:174:13:174:14 | s2 | test.c:130:17:130:17 | v | Cast from pointer with 2-byte alignment (defined by $@) to pointer with base type int with 4-byte alignment. | test.c:174:13:174:14 | s2 | pointer base type short | -| test.c:130:10:130:17 | (int *)... 
| test.c:179:13:179:14 | s3 | test.c:130:17:130:17 | v | Cast from pointer with 2-byte alignment (defined by $@) to pointer with base type int with 4-byte alignment. | test.c:179:13:179:14 | s3 | pointer base type short | -| test.c:130:10:130:17 | (int *)... | test.c:189:14:189:26 | call to aligned_alloc | test.c:130:17:130:17 | v | Cast from pointer with 2-byte alignment (defined by $@) to pointer with base type int with 4-byte alignment. | test.c:189:14:189:26 | call to aligned_alloc | call to aligned_alloc | -| test.c:158:3:158:20 | (size_t *)... | test.c:158:13:158:20 | & ... | test.c:158:13:158:20 | & ... | Cast from pointer with 1-byte alignment (defined by $@) to pointer with base type unsigned long with 8-byte alignment. | test.c:158:13:158:20 | & ... | address-of expression | -| test.c:162:3:162:18 | (S3 *)... | test.c:162:16:162:18 | & ... | test.c:162:16:162:18 | & ... | Cast from pointer with 8-byte alignment (defined by $@) to pointer with base type S3 with 64-byte alignment. | test.c:162:16:162:18 | & ... | address-of expression | -| test.c:168:3:168:17 | (S3 *)... | test.c:166:24:166:29 | call to malloc | test.c:168:16:168:17 | s1 | Cast from pointer with 16-byte alignment (defined by $@) to pointer with base type S3 with 64-byte alignment. | test.c:166:24:166:29 | call to malloc | call to malloc | -| test.c:173:3:173:14 | (size_t *)... | test.c:173:13:173:14 | s2 | test.c:173:13:173:14 | s2 | Cast from pointer with 2-byte alignment (defined by $@) to pointer with base type unsigned long with 8-byte alignment. | test.c:173:13:173:14 | s2 | pointer base type short | -| test.c:178:3:178:14 | (size_t *)... | test.c:178:13:178:14 | s3 | test.c:178:13:178:14 | s3 | Cast from pointer with 2-byte alignment (defined by $@) to pointer with base type unsigned long with 8-byte alignment. | test.c:178:13:178:14 | s3 | pointer base type short | -| test.c:186:3:186:14 | (size_t *)... 
| test.c:183:14:183:26 | call to aligned_alloc | test.c:186:13:186:14 | v1 | Cast from pointer with 4-byte alignment (defined by $@) to pointer with base type unsigned long with 8-byte alignment. | test.c:183:14:183:26 | call to aligned_alloc | call to aligned_alloc | -| test.c:216:3:216:11 | (int *)... | test.c:216:10:216:11 | p2 | test.c:216:10:216:11 | p2 | Cast from pointer with 2-byte alignment (defined by $@) to pointer with base type int with 4-byte alignment. | test.c:216:10:216:11 | p2 | pointer base type short | -| test.c:217:3:217:12 | (long *)... | test.c:217:11:217:12 | p2 | test.c:217:11:217:12 | p2 | Cast from pointer with 2-byte alignment (defined by $@) to pointer with base type long with 8-byte alignment. | test.c:217:11:217:12 | p2 | pointer base type short | -| test.c:218:3:218:13 | (float *)... | test.c:218:12:218:13 | p2 | test.c:218:12:218:13 | p2 | Cast from pointer with 2-byte alignment (defined by $@) to pointer with base type float with 4-byte alignment. | test.c:218:12:218:13 | p2 | pointer base type short | -| test.c:219:3:219:14 | (double *)... | test.c:219:13:219:14 | p2 | test.c:219:13:219:14 | p2 | Cast from pointer with 2-byte alignment (defined by $@) to pointer with base type double with 8-byte alignment. | test.c:219:13:219:14 | p2 | pointer base type short | -| test.c:225:3:225:11 | (int *)... | test.c:222:8:222:9 | p2 | test.c:225:10:225:11 | v1 | Cast from pointer with 2-byte alignment (defined by $@) to pointer with base type int with 4-byte alignment. | test.c:222:8:222:9 | p2 | pointer base type short | -| test.c:226:3:226:13 | (float *)... | test.c:222:8:222:9 | p2 | test.c:226:12:226:13 | v1 | Cast from pointer with 2-byte alignment (defined by $@) to pointer with base type float with 4-byte alignment. | test.c:222:8:222:9 | p2 | pointer base type short | -| test.c:227:3:227:12 | (long *)... 
| test.c:222:8:222:9 | p2 | test.c:227:11:227:12 | v1 | Cast from pointer with 2-byte alignment (defined by $@) to pointer with base type long with 8-byte alignment. | test.c:222:8:222:9 | p2 | pointer base type short | -| test.c:228:3:228:14 | (double *)... | test.c:222:8:222:9 | p2 | test.c:228:13:228:14 | v1 | Cast from pointer with 2-byte alignment (defined by $@) to pointer with base type double with 8-byte alignment. | test.c:222:8:222:9 | p2 | pointer base type short | -| test.c:256:3:256:12 | (int *)... | test.c:252:16:252:18 | & ... | test.c:256:10:256:12 | ps1 | Cast from pointer with 2-byte alignment (defined by $@) to pointer with base type int with 4-byte alignment. | test.c:252:16:252:18 | & ... | address-of expression | -| test.c:257:3:257:12 | (int *)... | test.c:257:10:257:12 | & ... | test.c:257:10:257:12 | & ... | Cast from pointer with 2-byte alignment (defined by $@) to pointer with base type int with 4-byte alignment. | test.c:257:10:257:12 | & ... | address-of expression | +| test.c:8:3:8:14 | (short *)... | test.c:8:3:8:14 | & ... | test.c:8:3:8:14 | & ... | Cast from pointer with 1-byte alignment (defined by $@) to pointer with base type short with 2-byte alignment. | test.c:8:12:8:14 | & ... | address-of expression | +| test.c:9:3:9:12 | (int *)... | test.c:9:3:9:12 | & ... | test.c:9:3:9:12 | & ... | Cast from pointer with 1-byte alignment (defined by $@) to pointer with base type int with 4-byte alignment. | test.c:9:10:9:12 | & ... | address-of expression | +| test.c:10:3:10:13 | (long *)... | test.c:10:3:10:13 | & ... | test.c:10:3:10:13 | & ... | Cast from pointer with 1-byte alignment (defined by $@) to pointer with base type long with 8-byte alignment. | test.c:10:11:10:13 | & ... | address-of expression | +| test.c:11:3:11:14 | (float *)... | test.c:11:3:11:14 | & ... | test.c:11:3:11:14 | & ... | Cast from pointer with 1-byte alignment (defined by $@) to pointer with base type float with 4-byte alignment. 
| test.c:11:12:11:14 | & ... | address-of expression | +| test.c:12:3:12:15 | (double *)... | test.c:12:3:12:15 | & ... | test.c:12:3:12:15 | & ... | Cast from pointer with 1-byte alignment (defined by $@) to pointer with base type double with 8-byte alignment. | test.c:12:13:12:15 | & ... | address-of expression | +| test.c:17:3:17:12 | (int *)... | test.c:17:3:17:12 | & ... | test.c:17:3:17:12 | & ... | Cast from pointer with 2-byte alignment (defined by $@) to pointer with base type int with 4-byte alignment. | test.c:17:10:17:12 | & ... | address-of expression | +| test.c:18:3:18:13 | (long *)... | test.c:18:3:18:13 | & ... | test.c:18:3:18:13 | & ... | Cast from pointer with 2-byte alignment (defined by $@) to pointer with base type long with 8-byte alignment. | test.c:18:11:18:13 | & ... | address-of expression | +| test.c:19:3:19:14 | (float *)... | test.c:19:3:19:14 | & ... | test.c:19:3:19:14 | & ... | Cast from pointer with 2-byte alignment (defined by $@) to pointer with base type float with 4-byte alignment. | test.c:19:12:19:14 | & ... | address-of expression | +| test.c:20:3:20:15 | (double *)... | test.c:20:3:20:15 | & ... | test.c:20:3:20:15 | & ... | Cast from pointer with 2-byte alignment (defined by $@) to pointer with base type double with 8-byte alignment. | test.c:20:13:20:15 | & ... | address-of expression | +| test.c:27:3:27:13 | (long *)... | test.c:27:3:27:13 | & ... | test.c:27:3:27:13 | & ... | Cast from pointer with 4-byte alignment (defined by $@) to pointer with base type long with 8-byte alignment. | test.c:27:11:27:13 | & ... | address-of expression | +| test.c:28:3:28:15 | (double *)... | test.c:28:3:28:15 | & ... | test.c:28:3:28:15 | & ... | Cast from pointer with 4-byte alignment (defined by $@) to pointer with base type double with 8-byte alignment. | test.c:28:13:28:15 | & ... | address-of expression | +| test.c:35:3:35:13 | (long *)... | test.c:35:3:35:13 | & ... | test.c:35:3:35:13 | & ... 
| Cast from pointer with 4-byte alignment (defined by $@) to pointer with base type long with 8-byte alignment. | test.c:35:11:35:13 | & ... | address-of expression | +| test.c:36:3:36:15 | (double *)... | test.c:36:3:36:15 | & ... | test.c:36:3:36:15 | & ... | Cast from pointer with 4-byte alignment (defined by $@) to pointer with base type double with 8-byte alignment. | test.c:36:13:36:15 | & ... | address-of expression | +| test.c:61:3:61:13 | (long *)... | test.c:61:3:61:13 | & ... | test.c:61:3:61:13 | & ... | Cast from pointer with 4-byte alignment (defined by $@) to pointer with base type long with 8-byte alignment. | test.c:61:11:61:13 | & ... | address-of expression | +| test.c:62:3:62:15 | (double *)... | test.c:62:3:62:15 | & ... | test.c:62:3:62:15 | & ... | Cast from pointer with 4-byte alignment (defined by $@) to pointer with base type double with 8-byte alignment. | test.c:62:13:62:15 | & ... | address-of expression | +| test.c:77:3:77:13 | (short *)... | test.c:75:14:75:16 | & ... | test.c:77:3:77:13 | v1 | Cast from pointer with 1-byte alignment (defined by $@) to pointer with base type short with 2-byte alignment. | test.c:75:14:75:16 | & ... | address-of expression | +| test.c:78:3:78:11 | (int *)... | test.c:75:14:75:16 | & ... | test.c:78:3:78:11 | v1 | Cast from pointer with 1-byte alignment (defined by $@) to pointer with base type int with 4-byte alignment. | test.c:75:14:75:16 | & ... | address-of expression | +| test.c:79:3:79:13 | (float *)... | test.c:75:14:75:16 | & ... | test.c:79:3:79:13 | v1 | Cast from pointer with 1-byte alignment (defined by $@) to pointer with base type float with 4-byte alignment. | test.c:75:14:75:16 | & ... | address-of expression | +| test.c:80:3:80:12 | (long *)... | test.c:75:14:75:16 | & ... | test.c:80:3:80:12 | v1 | Cast from pointer with 1-byte alignment (defined by $@) to pointer with base type long with 8-byte alignment. | test.c:75:14:75:16 | & ... 
| address-of expression | +| test.c:81:3:81:14 | (double *)... | test.c:75:14:75:16 | & ... | test.c:81:3:81:14 | v1 | Cast from pointer with 1-byte alignment (defined by $@) to pointer with base type double with 8-byte alignment. | test.c:75:14:75:16 | & ... | address-of expression | +| test.c:87:3:87:11 | (int *)... | test.c:84:14:84:16 | & ... | test.c:87:3:87:11 | v2 | Cast from pointer with 2-byte alignment (defined by $@) to pointer with base type int with 4-byte alignment. | test.c:84:14:84:16 | & ... | address-of expression | +| test.c:88:3:88:13 | (float *)... | test.c:84:14:84:16 | & ... | test.c:88:3:88:13 | v2 | Cast from pointer with 2-byte alignment (defined by $@) to pointer with base type float with 4-byte alignment. | test.c:84:14:84:16 | & ... | address-of expression | +| test.c:89:3:89:12 | (long *)... | test.c:84:14:84:16 | & ... | test.c:89:3:89:12 | v2 | Cast from pointer with 2-byte alignment (defined by $@) to pointer with base type long with 8-byte alignment. | test.c:84:14:84:16 | & ... | address-of expression | +| test.c:90:3:90:14 | (double *)... | test.c:84:14:84:16 | & ... | test.c:90:3:90:14 | v2 | Cast from pointer with 2-byte alignment (defined by $@) to pointer with base type double with 8-byte alignment. | test.c:84:14:84:16 | & ... | address-of expression | +| test.c:98:3:98:12 | (long *)... | test.c:93:14:93:16 | & ... | test.c:98:3:98:12 | v3 | Cast from pointer with 4-byte alignment (defined by $@) to pointer with base type long with 8-byte alignment. | test.c:93:14:93:16 | & ... | address-of expression | +| test.c:99:3:99:14 | (double *)... | test.c:93:14:93:16 | & ... | test.c:99:3:99:14 | v3 | Cast from pointer with 4-byte alignment (defined by $@) to pointer with base type double with 8-byte alignment. | test.c:93:14:93:16 | & ... | address-of expression | +| test.c:107:3:107:12 | (long *)... | test.c:102:14:102:16 | & ... 
| test.c:107:3:107:12 | v4 | Cast from pointer with 4-byte alignment (defined by $@) to pointer with base type long with 8-byte alignment. | test.c:102:14:102:16 | & ... | address-of expression | +| test.c:108:3:108:14 | (double *)... | test.c:102:14:102:16 | & ... | test.c:108:3:108:14 | v4 | Cast from pointer with 4-byte alignment (defined by $@) to pointer with base type double with 8-byte alignment. | test.c:102:14:102:16 | & ... | address-of expression | +| test.c:130:10:130:17 | (int *)... | test.c:135:13:135:23 | & ... | test.c:130:10:130:17 | v | Cast from pointer with 1-byte alignment (defined by $@) to pointer with base type int with 4-byte alignment. | test.c:135:21:135:23 | & ... | address-of expression | +| test.c:130:10:130:17 | (int *)... | test.c:174:13:174:14 | s2 | test.c:130:10:130:17 | v | Cast from pointer with 2-byte alignment (defined by $@) to pointer with base type int with 4-byte alignment. | test.c:174:13:174:14 | s2 | pointer base type short | +| test.c:130:10:130:17 | (int *)... | test.c:179:13:179:14 | s3 | test.c:130:10:130:17 | v | Cast from pointer with 2-byte alignment (defined by $@) to pointer with base type int with 4-byte alignment. | test.c:179:13:179:14 | s3 | pointer base type short | +| test.c:130:10:130:17 | (int *)... | test.c:189:14:189:26 | call to aligned_alloc | test.c:130:10:130:17 | v | Cast from pointer with 2-byte alignment (defined by $@) to pointer with base type int with 4-byte alignment. | test.c:189:14:189:26 | call to aligned_alloc | call to aligned_alloc | +| test.c:158:3:158:20 | (size_t *)... | test.c:158:3:158:20 | & ... | test.c:158:3:158:20 | & ... | Cast from pointer with 1-byte alignment (defined by $@) to pointer with base type unsigned long with 8-byte alignment. | test.c:158:13:158:20 | & ... | address-of expression | +| test.c:162:3:162:18 | (S3 *)... | test.c:162:3:162:18 | & ... | test.c:162:3:162:18 | & ... 
| Cast from pointer with 8-byte alignment (defined by $@) to pointer with base type S3 with 64-byte alignment. | test.c:162:16:162:18 | & ... | address-of expression | +| test.c:168:3:168:17 | (S3 *)... | test.c:166:15:166:33 | call to malloc | test.c:168:3:168:17 | s1 | Cast from pointer with 16-byte alignment (defined by $@) to pointer with base type S3 with 64-byte alignment. | test.c:166:24:166:29 | call to malloc | call to malloc | +| test.c:173:3:173:14 | (size_t *)... | test.c:173:3:173:14 | s2 | test.c:173:3:173:14 | s2 | Cast from pointer with 2-byte alignment (defined by $@) to pointer with base type unsigned long with 8-byte alignment. | test.c:173:13:173:14 | s2 | pointer base type short | +| test.c:178:3:178:14 | (size_t *)... | test.c:178:3:178:14 | s3 | test.c:178:3:178:14 | s3 | Cast from pointer with 2-byte alignment (defined by $@) to pointer with base type unsigned long with 8-byte alignment. | test.c:178:13:178:14 | s3 | pointer base type short | +| test.c:186:3:186:14 | (size_t *)... | test.c:183:14:183:26 | call to aligned_alloc | test.c:186:3:186:14 | v1 | Cast from pointer with 4-byte alignment (defined by $@) to pointer with base type unsigned long with 8-byte alignment. | test.c:183:14:183:26 | call to aligned_alloc | call to aligned_alloc | +| test.c:216:3:216:11 | (int *)... | test.c:216:3:216:11 | p2 | test.c:216:3:216:11 | p2 | Cast from pointer with 2-byte alignment (defined by $@) to pointer with base type int with 4-byte alignment. | test.c:216:10:216:11 | p2 | pointer base type short | +| test.c:217:3:217:12 | (long *)... | test.c:217:3:217:12 | p2 | test.c:217:3:217:12 | p2 | Cast from pointer with 2-byte alignment (defined by $@) to pointer with base type long with 8-byte alignment. | test.c:217:11:217:12 | p2 | pointer base type short | +| test.c:218:3:218:13 | (float *)... 
| test.c:218:3:218:13 | p2 | test.c:218:3:218:13 | p2 | Cast from pointer with 2-byte alignment (defined by $@) to pointer with base type float with 4-byte alignment. | test.c:218:12:218:13 | p2 | pointer base type short | +| test.c:219:3:219:14 | (double *)... | test.c:219:3:219:14 | p2 | test.c:219:3:219:14 | p2 | Cast from pointer with 2-byte alignment (defined by $@) to pointer with base type double with 8-byte alignment. | test.c:219:13:219:14 | p2 | pointer base type short | +| test.c:225:3:225:11 | (int *)... | test.c:222:8:222:9 | p2 | test.c:225:3:225:11 | v1 | Cast from pointer with 2-byte alignment (defined by $@) to pointer with base type int with 4-byte alignment. | test.c:222:8:222:9 | p2 | pointer base type short | +| test.c:226:3:226:13 | (float *)... | test.c:222:8:222:9 | p2 | test.c:226:3:226:13 | v1 | Cast from pointer with 2-byte alignment (defined by $@) to pointer with base type float with 4-byte alignment. | test.c:222:8:222:9 | p2 | pointer base type short | +| test.c:227:3:227:12 | (long *)... | test.c:222:8:222:9 | p2 | test.c:227:3:227:12 | v1 | Cast from pointer with 2-byte alignment (defined by $@) to pointer with base type long with 8-byte alignment. | test.c:222:8:222:9 | p2 | pointer base type short | +| test.c:228:3:228:14 | (double *)... | test.c:222:8:222:9 | p2 | test.c:228:3:228:14 | v1 | Cast from pointer with 2-byte alignment (defined by $@) to pointer with base type double with 8-byte alignment. | test.c:222:8:222:9 | p2 | pointer base type short | +| test.c:256:3:256:12 | (int *)... | test.c:252:16:252:18 | & ... | test.c:256:3:256:12 | ps1 | Cast from pointer with 2-byte alignment (defined by $@) to pointer with base type int with 4-byte alignment. | test.c:252:16:252:18 | & ... | address-of expression | +| test.c:257:3:257:12 | (int *)... | test.c:257:3:257:12 | & ... | test.c:257:3:257:12 | & ... | Cast from pointer with 2-byte alignment (defined by $@) to pointer with base type int with 4-byte alignment. 
| test.c:257:10:257:12 | & ... | address-of expression |
From 8fdea498b1575f289798782c06aa500bbd9fc23c Mon Sep 17 00:00:00 2001
From: Jeroen Ketema
Date: Mon, 7 Jul 2025 14:52:09 +0200
Subject: [PATCH 10/88] Convert MSC33-C to the new dataflow library
As it is the dataflow used by `asctime` that is relevant, and not the pointer, use the indirect expression.
---
 .../DoNotPassInvalidDataToTheAsctimeFunction.ql | 10 ++++++----
 1 file changed, 6 insertions(+), 4 deletions(-)
diff --git a/c/cert/src/rules/MSC33-C/DoNotPassInvalidDataToTheAsctimeFunction.ql b/c/cert/src/rules/MSC33-C/DoNotPassInvalidDataToTheAsctimeFunction.ql
index 67fa83e852..6342bcbd68 100644
--- a/c/cert/src/rules/MSC33-C/DoNotPassInvalidDataToTheAsctimeFunction.ql
+++ b/c/cert/src/rules/MSC33-C/DoNotPassInvalidDataToTheAsctimeFunction.ql
@@ -19,7 +19,7 @@
 import cpp
 import codingstandards.c.cert
-import semmle.code.cpp.dataflow.DataFlow
+import semmle.code.cpp.dataflow.new.DataFlow
 /**
 * The argument of a call to `asctime`
@@ -29,6 +29,8 @@ class AsctimeArg extends Expr {
 this = any(FunctionCall f | f.getTarget().hasGlobalName(["asctime", "asctime_r"])).getArgument(0)
 }
+
+ DataFlow::Node asSink() { this = result.asIndirectExpr() }
 }
 /**
@@ -37,13 +39,13 @@ class AsctimeArg extends Expr {
 */
 module TmStructSafeConfig implements DataFlow::ConfigSig {
 predicate isSource(DataFlow::Node src) {
- src.asExpr()
+ src.asIndirectExpr()
 .(FunctionCall)
 .getTarget()
 .hasGlobalName(["localtime", "localtime_r", "localtime_s", "gmtime", "gmtime_r", "gmtime_s"])
 }
- predicate isSink(DataFlow::Node sink) { sink.asExpr() instanceof AsctimeArg }
+ predicate isSink(DataFlow::Node sink) { exists(AsctimeArg arg | arg.asSink() = sink) }
 }
 module TmStructSafeFlow = DataFlow::Global;
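Review bot: The new `asSink()` member on `AsctimeArg` has no QLDoc, and nothing in the code says why the sink is the indirect node rather than the pointer value; that reasoning lives only in the commit message. A one-line doc above it would carry it into the source: `/** Gets the dataflow node for the object this argument points to (its indirect expression): it is the pointed-to struct tm that must originate from a sanitising call, not the pointer value. */`. A related gap, pre-existing rather than introduced here: `isSource` appears to match only the (indirect) return value of the listed calls, so code that reads the `struct tm` through the out-parameter of `localtime_r`/`gmtime_r` or the Microsoft-style `_s` variants, which return an error code and expose the struct only through that parameter, may not be recognised as sanitised and would be reported as a false positive. A test case using the out-parameter form would confirm whether the indirect return node also covers that write.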
@@ -51,6 +53,6 @@ module TmStructSafeFlow = DataFlow::Global;
 from AsctimeArg fc
 where
 not isExcluded(fc, Contracts7Package::doNotPassInvalidDataToTheAsctimeFunctionQuery()) and
- not TmStructSafeFlow::flowToExpr(fc)
+ not TmStructSafeFlow::flowTo(fc.asSink())
 select fc,
 "The function `asctime` and `asctime_r` should be discouraged. Unsanitized input can overflow the output buffer."
From 3289621c7375cec7a97c13bb300d68c041364b46 Mon Sep 17 00:00:00 2001
From: Jeroen Ketema
Date: Mon, 7 Jul 2025 15:07:39 +0200
Subject: [PATCH 11/88] Convert MSC51-CPP to the new dataflow library
---
 .../src/rules/MSC51-CPP/BadlySeededRandomNumberGenerator.ql | 2 +-
 .../rules/MSC51-CPP/BadlySeededRandomNumberGenerator.expected | 1 -
 2 files changed, 1 insertion(+), 2 deletions(-)
diff --git a/cpp/cert/src/rules/MSC51-CPP/BadlySeededRandomNumberGenerator.ql b/cpp/cert/src/rules/MSC51-CPP/BadlySeededRandomNumberGenerator.ql
index 5322fbbde3..2c015aa680 100644
--- a/cpp/cert/src/rules/MSC51-CPP/BadlySeededRandomNumberGenerator.ql
+++ b/cpp/cert/src/rules/MSC51-CPP/BadlySeededRandomNumberGenerator.ql
@@ -20,7 +20,7 @@
 import cpp
 import codingstandards.cpp.cert
 import codingstandards.cpp.standardlibrary.Random
-import semmle.code.cpp.dataflow.TaintTracking
+import semmle.code.cpp.dataflow.new.TaintTracking
 from RandomNumberEngineCreation createRandomNumberEngine, string seedSource
 where
diff --git a/cpp/cert/test/rules/MSC51-CPP/BadlySeededRandomNumberGenerator.expected b/cpp/cert/test/rules/MSC51-CPP/BadlySeededRandomNumberGenerator.expected
index 606ccbff2b..0128221ffc 100644
--- a/cpp/cert/test/rules/MSC51-CPP/BadlySeededRandomNumberGenerator.expected
+++ b/cpp/cert/test/rules/MSC51-CPP/BadlySeededRandomNumberGenerator.expected
@@ -1,4 +1,3 @@ -WARNING: module 'TaintTracking' has been deprecated and may be removed in future (BadlySeededRandomNumberGenerator.ql:42,7-20) | test.cpp:9:33:9:33 | call to linear_congruential_engine | Random number generator linear_congruential_engine is default-initialized and is therefore not properly seeded. | | test.cpp:10:30:10:31 | call to linear_congruential_engine | Random number generator linear_congruential_engine is default-initialized and is therefore not properly seeded. | | test.cpp:11:21:11:22 | call to linear_congruential_engine | Random number generator linear_congruential_engine is default-initialized and is therefore not properly seeded. | From d20cd3a98c692313435cb0ba0fb44c1fcdd1898e Mon Sep 17 00:00:00 2001 From: Jeroen Ketema Date: Mon, 7 Jul 2025 15:16:22 +0200 Subject: [PATCH 12/88] Convert CTR56-CPP to the new dataflow library --- .../DoNotUsePointerArithmeticOnPolymorphicObjects.ql | 2 +- ...DoNotUsePointerArithmeticOnPolymorphicObjects.expected | 8 ++++---- 2 files changed, 5 insertions(+), 5 deletions(-) diff --git a/cpp/cert/src/rules/CTR56-CPP/DoNotUsePointerArithmeticOnPolymorphicObjects.ql b/cpp/cert/src/rules/CTR56-CPP/DoNotUsePointerArithmeticOnPolymorphicObjects.ql index b4ac267225..2522f6c5e5 100644 --- a/cpp/cert/src/rules/CTR56-CPP/DoNotUsePointerArithmeticOnPolymorphicObjects.ql +++ b/cpp/cert/src/rules/CTR56-CPP/DoNotUsePointerArithmeticOnPolymorphicObjects.ql @@ -18,7 +18,7 @@ import cpp import codingstandards.cpp.cert -import semmle.code.cpp.dataflow.DataFlow +import semmle.code.cpp.dataflow.new.DataFlow import NonFinalClassToPointerArithmeticExprFlow::PathGraph class ArrayAccessOrPointerArith extends Expr { diff --git a/cpp/cert/test/rules/CTR56-CPP/DoNotUsePointerArithmeticOnPolymorphicObjects.expected b/cpp/cert/test/rules/CTR56-CPP/DoNotUsePointerArithmeticOnPolymorphicObjects.expected index 51ef13412c..1477f314ae 100644 --- a/cpp/cert/test/rules/CTR56-CPP/DoNotUsePointerArithmeticOnPolymorphicObjects.expected 
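Review bot: The regenerated expected output for this commit gains self-edges such as `| test.cpp:40:12:40:19 | new | test.cpp:40:12:40:19 | new | provenance | |` and duplicated `nodes` entries for the same location, which suggests the path configuration (outside this hunk) now matches both the value node and the indirect node of the same `new` expression under the new library. If a single path per allocation is intended, restricting the source or sink to `asExpr()` or `asIndirectExpr()` would keep the path graph free of these duplicates; if both nodes are deliberately sources, a short comment in the config saying so would save the next reader the question. The same pattern appears in the EXP51-CPP expected output in the following commit.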
+++ b/cpp/cert/test/rules/CTR56-CPP/DoNotUsePointerArithmeticOnPolymorphicObjects.expected @@ -1,13 +1,11 @@ -WARNING: module 'DataFlow' has been deprecated and may be removed in future (DoNotUsePointerArithmeticOnPolymorphicObjects.ql:46,62-70) -WARNING: module 'DataFlow' has been deprecated and may be removed in future (DoNotUsePointerArithmeticOnPolymorphicObjects.ql:47,22-30) -WARNING: module 'DataFlow' has been deprecated and may be removed in future (DoNotUsePointerArithmeticOnPolymorphicObjects.ql:56,20-28) -WARNING: module 'DataFlow' has been deprecated and may be removed in future (DoNotUsePointerArithmeticOnPolymorphicObjects.ql:62,3-11) edges | test.cpp:15:19:15:21 | foo | test.cpp:16:24:16:26 | foo | provenance | | | test.cpp:15:19:15:21 | foo | test.cpp:16:51:16:53 | foo | provenance | | | test.cpp:27:19:27:21 | foo | test.cpp:29:18:29:20 | foo | provenance | | +| test.cpp:40:12:40:19 | new | test.cpp:40:12:40:19 | new | provenance | | | test.cpp:40:12:40:19 | new | test.cpp:43:6:43:7 | l1 | provenance | | | test.cpp:40:12:40:19 | new | test.cpp:44:6:44:7 | l1 | provenance | | +| test.cpp:42:12:42:14 | & ... | test.cpp:42:12:42:14 | & ... | provenance | | | test.cpp:42:12:42:14 | & ... | test.cpp:45:6:45:7 | l3 | provenance | | | test.cpp:42:12:42:14 | & ... | test.cpp:46:6:46:7 | l3 | provenance | | | test.cpp:43:6:43:7 | l1 | test.cpp:15:19:15:21 | foo | provenance | | @@ -21,6 +19,8 @@ nodes | test.cpp:27:19:27:21 | foo | semmle.label | foo | | test.cpp:29:18:29:20 | foo | semmle.label | foo | | test.cpp:40:12:40:19 | new | semmle.label | new | +| test.cpp:40:12:40:19 | new | semmle.label | new | +| test.cpp:42:12:42:14 | & ... | semmle.label | & ... | | test.cpp:42:12:42:14 | & ... | semmle.label | & ... | | test.cpp:43:6:43:7 | l1 | semmle.label | l1 | | test.cpp:44:6:44:7 | l1 | semmle.label | l1 | From 77e8e0ebfd842acd21f043d8c8fad519853c1528 Mon Sep 17 00:00:00 2001 
From: Jeroen Ketema Date: Mon, 7 Jul 2025 15:26:34 +0200 Subject: [PATCH 13/88] Convert EXP51-CPP ot use the new dataflow library --- ...DoNotDeleteAnArrayThroughAPointerOfTheIncorrectType.ql | 2 +- ...eleteAnArrayThroughAPointerOfTheIncorrectType.expected | 8 ++++---- 2 files changed, 5 insertions(+), 5 deletions(-) diff --git a/cpp/cert/src/rules/EXP51-CPP/DoNotDeleteAnArrayThroughAPointerOfTheIncorrectType.ql b/cpp/cert/src/rules/EXP51-CPP/DoNotDeleteAnArrayThroughAPointerOfTheIncorrectType.ql index d0935cc798..32e3460e0b 100644 --- a/cpp/cert/src/rules/EXP51-CPP/DoNotDeleteAnArrayThroughAPointerOfTheIncorrectType.ql +++ b/cpp/cert/src/rules/EXP51-CPP/DoNotDeleteAnArrayThroughAPointerOfTheIncorrectType.ql @@ -18,7 +18,7 @@ import cpp import codingstandards.cpp.cert -import semmle.code.cpp.dataflow.DataFlow +import semmle.code.cpp.dataflow.new.DataFlow import AllocationToDeleteFlow::PathGraph module AllocationToDeleteConfig implements DataFlow::ConfigSig { diff --git a/cpp/cert/test/rules/EXP51-CPP/DoNotDeleteAnArrayThroughAPointerOfTheIncorrectType.expected b/cpp/cert/test/rules/EXP51-CPP/DoNotDeleteAnArrayThroughAPointerOfTheIncorrectType.expected index 8b7a4902cc..a9d3df2d2e 100644 --- a/cpp/cert/test/rules/EXP51-CPP/DoNotDeleteAnArrayThroughAPointerOfTheIncorrectType.expected +++ b/cpp/cert/test/rules/EXP51-CPP/DoNotDeleteAnArrayThroughAPointerOfTheIncorrectType.expected 
@@ -1,12 +1,12 @@ -WARNING: module 'DataFlow' has been deprecated and may be removed in future (DoNotDeleteAnArrayThroughAPointerOfTheIncorrectType.ql:24,44-52) -WARNING: module 'DataFlow' has been deprecated and may be removed in future (DoNotDeleteAnArrayThroughAPointerOfTheIncorrectType.ql:25,22-30) -WARNING: module 'DataFlow' has been deprecated and may be removed in future (DoNotDeleteAnArrayThroughAPointerOfTheIncorrectType.ql:27,20-28) -WARNING: module 'DataFlow' has been deprecated and may be removed in future (DoNotDeleteAnArrayThroughAPointerOfTheIncorrectType.ql:32,33-41) edges +| test.cpp:6:19:6:37 | new[] | test.cpp:6:19:6:37 | new[] | provenance | | | test.cpp:6:19:6:37 | new[] | test.cpp:9:12:9:13 | l1 | provenance | | +| test.cpp:7:22:7:40 | new[] | test.cpp:7:22:7:40 | new[] | provenance | | | test.cpp:7:22:7:40 | new[] | test.cpp:10:12:10:13 | l2 | provenance | | nodes | test.cpp:6:19:6:37 | new[] | semmle.label | new[] | +| test.cpp:6:19:6:37 | new[] | semmle.label | new[] | +| test.cpp:7:22:7:40 | new[] | semmle.label | new[] | | test.cpp:7:22:7:40 | new[] | semmle.label | new[] | | test.cpp:9:12:9:13 | l1 | semmle.label | l1 | | test.cpp:10:12:10:13 | l2 | semmle.label | l2 | From 57b6091c6165d210a4590ab8c4661fbe53ea908d Mon Sep 17 00:00:00 2001 From: Jeroen Ketema Date: Mon, 7 Jul 2025 15:32:52 +0200 Subject: [PATCH 14/88] Conver M3-9-3 to use the new dataflow library --- .../UnderlyingBitRepresentationsOfFloatingPointValuesUsed.ql | 2 +- ...erlyingBitRepresentationsOfFloatingPointValuesUsed.expected | 3 --- 2 files changed, 1 insertion(+), 4 deletions(-) diff --git a/cpp/autosar/src/rules/M3-9-3/UnderlyingBitRepresentationsOfFloatingPointValuesUsed.ql b/cpp/autosar/src/rules/M3-9-3/UnderlyingBitRepresentationsOfFloatingPointValuesUsed.ql index 279ad08f3c..820efffaeb 100644 --- a/cpp/autosar/src/rules/M3-9-3/UnderlyingBitRepresentationsOfFloatingPointValuesUsed.ql 
+++ b/cpp/autosar/src/rules/M3-9-3/UnderlyingBitRepresentationsOfFloatingPointValuesUsed.ql @@ -14,7 +14,7 @@ import cpp import codingstandards.cpp.autosar -import semmle.code.cpp.dataflow.DataFlow +import semmle.code.cpp.dataflow.new.DataFlow predicate pointeeIsModified(PointerDereferenceExpr e, Expr m) { exists(Assignment a | a.getLValue() = e and m = a) diff --git a/cpp/autosar/test/rules/M3-9-3/UnderlyingBitRepresentationsOfFloatingPointValuesUsed.expected b/cpp/autosar/test/rules/M3-9-3/UnderlyingBitRepresentationsOfFloatingPointValuesUsed.expected index d0fe6416ca..9aec2314da 100644 --- a/cpp/autosar/test/rules/M3-9-3/UnderlyingBitRepresentationsOfFloatingPointValuesUsed.expected +++ b/cpp/autosar/test/rules/M3-9-3/UnderlyingBitRepresentationsOfFloatingPointValuesUsed.expected @@ -1,5 +1,2 @@ -WARNING: module 'DataFlow' has been deprecated and may be removed in future (UnderlyingBitRepresentationsOfFloatingPointValuesUsed.ql:27,22-30) -WARNING: module 'DataFlow' has been deprecated and may be removed in future (UnderlyingBitRepresentationsOfFloatingPointValuesUsed.ql:36,10-18) -WARNING: module 'DataFlow' has been deprecated and may be removed in future (UnderlyingBitRepresentationsOfFloatingPointValuesUsed.ql:37,5-13) | test.cpp:5:3:5:20 | ... &= ... | Modification of bit-representation of float originated at $@ | test.cpp:4:24:4:60 | reinterpret_cast... | cast | | test.cpp:12:3:12:14 | ... &= ... | Modification of bit-representation of float originated at $@ | test.cpp:11:18:11:30 | (uint8_t *)... | cast | From 357ee08e35bcc4771bd1282c2217b6858dc4ae12 Mon Sep 17 00:00:00 2001 From: Jeroen Ketema Date: Mon, 7 Jul 2025 15:42:37 +0200 Subject: [PATCH 15/88] Convert A9-3-1 to use the new dataflow library --- ...sNonConstRawPointersOrReferencesToPrivateOrProtectedData.ql | 2 +- ...nstRawPointersOrReferencesToPrivateOrProtectedData.expected | 3 --- 2 files changed, 1 insertion(+), 4 deletions(-) 
diff --git a/cpp/autosar/src/rules/A9-3-1/ReturnsNonConstRawPointersOrReferencesToPrivateOrProtectedData.ql b/cpp/autosar/src/rules/A9-3-1/ReturnsNonConstRawPointersOrReferencesToPrivateOrProtectedData.ql index 478f8dcdf0..458382c909 100644 --- a/cpp/autosar/src/rules/A9-3-1/ReturnsNonConstRawPointersOrReferencesToPrivateOrProtectedData.ql +++ b/cpp/autosar/src/rules/A9-3-1/ReturnsNonConstRawPointersOrReferencesToPrivateOrProtectedData.ql @@ -15,7 +15,7 @@ import cpp import codingstandards.cpp.autosar import codingstandards.cpp.CommonTypes as CommonTypes -import semmle.code.cpp.dataflow.DataFlow +import semmle.code.cpp.dataflow.new.DataFlow class AccessAwareMemberFunction extends MemberFunction { Class c; diff --git a/cpp/autosar/test/rules/A9-3-1/ReturnsNonConstRawPointersOrReferencesToPrivateOrProtectedData.expected b/cpp/autosar/test/rules/A9-3-1/ReturnsNonConstRawPointersOrReferencesToPrivateOrProtectedData.expected index 70892c12c8..04c1f35a45 100644 --- a/cpp/autosar/test/rules/A9-3-1/ReturnsNonConstRawPointersOrReferencesToPrivateOrProtectedData.expected +++ b/cpp/autosar/test/rules/A9-3-1/ReturnsNonConstRawPointersOrReferencesToPrivateOrProtectedData.expected 
@@ -1,6 +1,3 @@ -WARNING: module 'DataFlow' has been deprecated and may be removed in future (ReturnsNonConstRawPointersOrReferencesToPrivateOrProtectedData.ql:73,3-11) -WARNING: module 'DataFlow' has been deprecated and may be removed in future (ReturnsNonConstRawPointersOrReferencesToPrivateOrProtectedData.ql:73,23-31) -WARNING: module 'DataFlow' has been deprecated and may be removed in future (ReturnsNonConstRawPointersOrReferencesToPrivateOrProtectedData.ql:73,46-54) | test.cpp:20:8:20:12 | getB2 | Member function A::getB2 $@ a non-const raw pointer or reference to a private or protected $@. | test.cpp:20:25:20:25 | b | returns | test.cpp:54:7:54:7 | b | field | | test.cpp:22:8:22:12 | getB3 | Member function A::getB3 $@ a non-const raw pointer or reference to a private or protected $@. | test.cpp:22:25:22:26 | & ... | returns | test.cpp:54:7:54:7 | b | field | | test.cpp:24:8:24:13 | getB33 | Member function A::getB33 $@ a non-const raw pointer or reference to a private or protected $@. | test.cpp:26:12:26:13 | bb | returns | test.cpp:54:7:54:7 | b | field | From 30114c5c7fde78d9c1a7368245c070c302674739 Mon Sep 17 00:00:00 2001 From: Jeroen Ketema Date: Mon, 7 Jul 2025 15:51:49 +0200 Subject: [PATCH 16/88] Convert A27-0-4 to use the new dataflow library --- cpp/autosar/src/rules/A27-0-4/CStyleStringsUsed.ql | 2 +- cpp/autosar/test/rules/A27-0-4/CStyleStringsUsed.expected | 3 --- 2 files changed, 1 insertion(+), 4 deletions(-) diff --git a/cpp/autosar/src/rules/A27-0-4/CStyleStringsUsed.ql b/cpp/autosar/src/rules/A27-0-4/CStyleStringsUsed.ql index b24a4a96cf..5ad2e9ee0a 100644 --- a/cpp/autosar/src/rules/A27-0-4/CStyleStringsUsed.ql +++ b/cpp/autosar/src/rules/A27-0-4/CStyleStringsUsed.ql @@ -14,7 +14,7 @@ import cpp import codingstandards.cpp.autosar -import semmle.code.cpp.dataflow.DataFlow +import semmle.code.cpp.dataflow.new.DataFlow class InstanceOfCStyleString extends Expr { InstanceOfCStyleString() { 
diff --git a/cpp/autosar/test/rules/A27-0-4/CStyleStringsUsed.expected b/cpp/autosar/test/rules/A27-0-4/CStyleStringsUsed.expected
index 555cb412b8..6184aad74e 100644
--- a/cpp/autosar/test/rules/A27-0-4/CStyleStringsUsed.expected
+++ b/cpp/autosar/test/rules/A27-0-4/CStyleStringsUsed.expected
@@ -1,6 +1,3 @@
-WARNING: module 'DataFlow' has been deprecated and may be removed in future (CStyleStringsUsed.ql:39,3-11)
-WARNING: module 'DataFlow' has been deprecated and may be removed in future (CStyleStringsUsed.ql:39,23-31)
-WARNING: module 'DataFlow' has been deprecated and may be removed in future (CStyleStringsUsed.ql:39,47-55)
 | test.cpp:7:20:7:27 | CodeQL | Usage of C-style string in $@. | test.cpp:7:20:7:27 | CodeQL | expression |
 | test.cpp:7:20:7:27 | CodeQL | Usage of C-style string in $@. | test.cpp:16:16:16:17 | a1 | expression |
 | test.cpp:8:22:8:26 | call to c_str | Usage of C-style string in $@. | test.cpp:8:22:8:26 | call to c_str | expression |
From d313bf27b4c1767778e70a91371305ba48f06a76 Mon Sep 17 00:00:00 2001
From: Jeroen Ketema
Date: Mon, 7 Jul 2025 15:54:04 +0200
Subject: [PATCH 17/88] Convert A5-0-4 to use the new dataflow library
---
 .../PointerArithmeticUsedWithPointersToNonFinalClasses.ql | 2 +-
 ...erArithmeticUsedWithPointersToNonFinalClasses.expected | 8 ++++----
 2 files changed, 5 insertions(+), 5 deletions(-)
diff --git a/cpp/autosar/src/rules/A5-0-4/PointerArithmeticUsedWithPointersToNonFinalClasses.ql b/cpp/autosar/src/rules/A5-0-4/PointerArithmeticUsedWithPointersToNonFinalClasses.ql
index ac2375f6aa..eb818204ba 100644
--- a/cpp/autosar/src/rules/A5-0-4/PointerArithmeticUsedWithPointersToNonFinalClasses.ql
+++ b/cpp/autosar/src/rules/A5-0-4/PointerArithmeticUsedWithPointersToNonFinalClasses.ql
@@ -17,7 +17,7 @@ import cpp import codingstandards.cpp.autosar import codingstandards.cpp.Type -import semmle.code.cpp.dataflow.DataFlow +import semmle.code.cpp.dataflow.new.DataFlow import NonFinalClassToPointerArithmeticExprFlow::PathGraph class ArrayAccessOrPointerArith extends Expr { diff --git a/cpp/autosar/test/rules/A5-0-4/PointerArithmeticUsedWithPointersToNonFinalClasses.expected b/cpp/autosar/test/rules/A5-0-4/PointerArithmeticUsedWithPointersToNonFinalClasses.expected index e2b51e5fb9..fc29955b25 100644 --- a/cpp/autosar/test/rules/A5-0-4/PointerArithmeticUsedWithPointersToNonFinalClasses.expected +++ b/cpp/autosar/test/rules/A5-0-4/PointerArithmeticUsedWithPointersToNonFinalClasses.expected 
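Review bot: The new expected output for this query (the `.expected` hunk that follows) gains a self-edge `new -> new` and a duplicated `nodes` row for `new` at test.cpp:35, and likewise for `& ...` at test.cpp:37, which suggests the source predicate of `NonFinalClassToPointerArithmeticExprFlow` now matches two distinct `DataFlow::Node`s at the same expression under the new library (presumably a direct and an indirect node) rather than a genuinely new path. The configuration is outside this hunk, but restricting `isSource` to one node per expression — matching on `node.asExpr()` only, or on a single indirection index — would keep the path graph at one node per source and spare the expected file the duplicated rows. If both nodes are wanted, a comment beside the source predicate saying why would save the next reader the same question.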
@@ -1,13 +1,11 @@
-WARNING: module 'DataFlow' has been deprecated and may be removed in future (PointerArithmeticUsedWithPointersToNonFinalClasses.ql:45,62-70)
-WARNING: module 'DataFlow' has been deprecated and may be removed in future (PointerArithmeticUsedWithPointersToNonFinalClasses.ql:46,22-30)
-WARNING: module 'DataFlow' has been deprecated and may be removed in future (PointerArithmeticUsedWithPointersToNonFinalClasses.ql:55,20-28)
-WARNING: module 'DataFlow' has been deprecated and may be removed in future (PointerArithmeticUsedWithPointersToNonFinalClasses.ql:61,3-11)
 edges
 | test.cpp:10:18:10:20 | foo | test.cpp:11:23:11:25 | foo | provenance | |
 | test.cpp:10:18:10:20 | foo | test.cpp:11:50:11:52 | foo | provenance | |
 | test.cpp:22:18:22:20 | foo | test.cpp:24:18:24:20 | foo | provenance | |
+| test.cpp:35:11:35:17 | new | test.cpp:35:11:35:17 | new | provenance | |
 | test.cpp:35:11:35:17 | new | test.cpp:38:6:38:7 | l1 | provenance | |
 | test.cpp:35:11:35:17 | new | test.cpp:39:6:39:7 | l1 | provenance | |
+| test.cpp:37:11:37:13 | & ... | test.cpp:37:11:37:13 | & ... | provenance | |
 | test.cpp:37:11:37:13 | & ... | test.cpp:40:6:40:7 | l3 | provenance | |
 | test.cpp:37:11:37:13 | & ... | test.cpp:41:6:41:7 | l3 | provenance | |
 | test.cpp:38:6:38:7 | l1 | test.cpp:10:18:10:20 | foo | provenance | |
@@ -21,6 +19,8 @@ nodes
 | test.cpp:22:18:22:20 | foo | semmle.label | foo |
 | test.cpp:24:18:24:20 | foo | semmle.label | foo |
 | test.cpp:35:11:35:17 | new | semmle.label | new |
+| test.cpp:35:11:35:17 | new | semmle.label | new |
+| test.cpp:37:11:37:13 | & ... | semmle.label | & ... |
 | test.cpp:37:11:37:13 | & ... | semmle.label | & ... |
 | test.cpp:38:6:38:7 | l1 | semmle.label | l1 |
 | test.cpp:39:6:39:7 | l1 | semmle.label | l1 |
From 8529fbbe7271f64f2b425e7adb46f8d57b3ce07c Mon Sep 17 00:00:00 2001
From: Jeroen Ketema
Date: Mon, 7 Jul 2025 16:45:10 +0200
Subject: [PATCH 18/88] Update expected test results for MSC33-C
---
 .../MSC33-C/DoNotPassInvalidDataToTheAsctimeFunction.expected | 4 ----
 1 file changed, 4 deletions(-)
diff --git a/c/cert/test/rules/MSC33-C/DoNotPassInvalidDataToTheAsctimeFunction.expected b/c/cert/test/rules/MSC33-C/DoNotPassInvalidDataToTheAsctimeFunction.expected
index 7ebeb7a8c1..70d60c528a 100644
--- a/c/cert/test/rules/MSC33-C/DoNotPassInvalidDataToTheAsctimeFunction.expected
+++ b/c/cert/test/rules/MSC33-C/DoNotPassInvalidDataToTheAsctimeFunction.expected
@@ -1,5 +1 @@
-WARNING: module 'DataFlow' has been deprecated and may be removed in future (DoNotPassInvalidDataToTheAsctimeFunction.ql:38,38-46)
-WARNING: module 'DataFlow' has been deprecated and may be removed in future (DoNotPassInvalidDataToTheAsctimeFunction.ql:39,22-30)
-WARNING: module 'DataFlow' has been deprecated and may be removed in future (DoNotPassInvalidDataToTheAsctimeFunction.ql:46,20-28)
-WARNING: module 'DataFlow' has been deprecated and may be removed in future (DoNotPassInvalidDataToTheAsctimeFunction.ql:49,27-35)
 | test.c:6:24:6:30 | time_tm | The function `asctime` and `asctime_r` should be discouraged. Unsanitized input can overflow the output buffer. |
From 012ac3d82d39d4474102ecccc94d1ab33312227c Mon Sep 17 00:00:00 2001
From: Jeroen Ketema Date: Mon, 7 Jul 2025 16:48:05 +0200 Subject: [PATCH 19/88] Create temporary copies of parts of the concurrency library These use the new dataflow library --- .../codingstandards/cpp/ConcurrencyNew.qll | 15 ++ .../cpp/concurrency/LockingOperationNew.qll | 235 +++++++++++++++++ .../concurrency/ThreadDependentMutexNew.qll | 246 ++++++++++++++++++ .../concurrency/ThreadSpecificStorageNew.qll | 59 +++++ 4 files changed, 555 insertions(+) create mode 100644 cpp/common/src/codingstandards/cpp/ConcurrencyNew.qll create mode 100644 cpp/common/src/codingstandards/cpp/concurrency/LockingOperationNew.qll create mode 100644 cpp/common/src/codingstandards/cpp/concurrency/ThreadDependentMutexNew.qll create mode 100644 cpp/common/src/codingstandards/cpp/concurrency/ThreadSpecificStorageNew.qll diff --git a/cpp/common/src/codingstandards/cpp/ConcurrencyNew.qll b/cpp/common/src/codingstandards/cpp/ConcurrencyNew.qll new file mode 100644 index 0000000000..37aea01889 --- /dev/null +++ b/cpp/common/src/codingstandards/cpp/ConcurrencyNew.qll @@ -0,0 +1,15 @@ +import cpp +import semmle.code.cpp.dataflow.new.TaintTracking +import codingstandards.cpp.concurrency.Atomic +import codingstandards.cpp.concurrency.CConditionOperation +import codingstandards.cpp.concurrency.ControlFlow +import codingstandards.cpp.concurrency.ConditionalWait +import codingstandards.cpp.concurrency.LockingOperationNew +import codingstandards.cpp.concurrency.LockProtectedControlFlow +import codingstandards.cpp.concurrency.MutexDestroyer +import codingstandards.cpp.concurrency.ThreadCreation +import codingstandards.cpp.concurrency.ThreadedFunction +import codingstandards.cpp.concurrency.ThreadDependentMutexNew +import codingstandards.cpp.concurrency.ThreadSpecificStorageNew +import codingstandards.cpp.concurrency.ThreadWaitDetach +import codingstandards.cpp.concurrency.Types 
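Review bot: Nothing in the new `ConcurrencyNew.qll` says it is transitional, even though the commit subject calls these files temporary copies; the same applies to `LockingOperationNew.qll`, `ThreadDependentMutexNew.qll` and `ThreadSpecificStorageNew.qll` added by this commit. A header comment stating the intent and the exit condition, such as `/** Temporary copy of codingstandards.cpp.Concurrency built on the new dataflow library; remove (or rename back) once every query has migrated. */`, keeps the two trees from diverging silently and makes the later cleanup greppable. If the original module defines the same class names (e.g. `LockingOperation`), a query importing both `Concurrency` and `ConcurrencyNew` would hit a name clash, so the comment should also say the two modules are mutually exclusive.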
diff --git a/cpp/common/src/codingstandards/cpp/concurrency/LockingOperationNew.qll b/cpp/common/src/codingstandards/cpp/concurrency/LockingOperationNew.qll
new file mode 100644
index 0000000000..114b569204
--- /dev/null
+++ b/cpp/common/src/codingstandards/cpp/concurrency/LockingOperationNew.qll
@@ -0,0 +1,235 @@ +import cpp +import semmle.code.cpp.dataflow.new.TaintTracking + +abstract class LockingOperation extends FunctionCall { + /** + * Returns the target of the lock underlying this RAII-style lock. + */ + abstract Variable getLock(); + + /** + * Returns the lock underlying this RAII-style lock. + */ + abstract Expr getLockExpr(); + + /** + * Holds if this is a lock operation + */ + abstract predicate isLock(); + + /** + * Holds if this is an unlock operation + */ + abstract predicate isUnlock(); + + /** + * Holds if this locking operation is really a locking operation within a + * designated locking operation. This library assumes the underlying locking + * operations are implemented correctly in that calling a `LockingOperation` + * results in the creation of a singular lock. + */ + predicate isLockingOperationWithinLockingOperation(LockingOperation inner) { + exists(LockingOperation outer | outer.getTarget() = inner.getEnclosingFunction()) + } +} + +/** + * Common base class providing an interface into function call + * based mutex locks. + */ +abstract class MutexFunctionCall extends LockingOperation { + abstract predicate isRecursive(); + + abstract predicate isSpeculativeLock(); + + abstract predicate unlocks(MutexFunctionCall fc); +} + +/** + * Models calls to various mutex types found in CPP. + */ +class CPPMutexFunctionCall extends MutexFunctionCall { + VariableAccess var; + + CPPMutexFunctionCall() { + getTarget() + .(MemberFunction) + .getDeclaringType() + .hasQualifiedName("std", + ["mutex", "timed_mutex", "shared_timed_mutex", "recursive_mutex", "recursive_timed_mutex"]) and + var = getQualifier() + } + + /** + * Holds if this mutex is a recursive mutex. + */ + override predicate isRecursive() { + getTarget() + .(MemberFunction) + .getDeclaringType() + .hasQualifiedName("std", ["recursive_mutex", "recursive_timed_mutex"]) + } + + /** + * Holds if this `CPPMutexFunctionCall` is a lock. 
+ */ + override predicate isLock() { + not isLockingOperationWithinLockingOperation(this) and + getTarget().getName() = "lock" + } + + /** + * Holds if this `CPPMutexFunctionCall` is a speculative lock, defined as calling + * one of the speculative locking functions such as `try_lock`. + */ + override predicate isSpeculativeLock() { + getTarget().getName() in [ + "try_lock", "try_lock_for", "try_lock_until", "try_lock_shared_for", "try_lock_shared_until" + ] + } + + /** + * Returns the lock to which this `CPPMutexFunctionCall` refers to. + */ + override Variable getLock() { result = getQualifier().(VariableAccess).getTarget() } + + /** + * Returns the qualifier for this `CPPMutexFunctionCall`. + */ + override Expr getLockExpr() { result = var } + + /** + * Holds if this is a `unlock` and *may* unlock the previously locked `MutexFunctionCall`. + * This predicate does not check that the mutex is currently locked. + */ + override predicate unlocks(MutexFunctionCall fc) { + isUnlock() and + fc.getQualifier().(VariableAccess).getTarget() = getQualifier().(VariableAccess).getTarget() + } + + /** + * Holds if this is an unlock call. + */ + override predicate isUnlock() { getTarget().getName() = "unlock" } +} + +/** + * Models calls to various mutex types specialized to C code. + */ +class CMutexFunctionCall extends MutexFunctionCall { + Expr arg; + + CMutexFunctionCall() { + // the non recursive kinds + getTarget().getName() = ["mtx_lock", "mtx_unlock", "mtx_timedlock", "mtx_trylock"] and + arg = getArgument(0) + } + + /** + * Holds if this mutex is a recursive mutex. + */ + override predicate isRecursive() { none() } + + /** + * Holds if this `CMutexFunctionCall` is a lock. 
+ */ + override predicate isLock() { + not isLockingOperationWithinLockingOperation(this) and + getTarget().getName() = ["mtx_lock", "mtx_timedlock", "mtx_trylock"] + } + + /** + * Holds if this `CMutexFunctionCall` is a speculative lock, defined as calling + * one of the speculative locking functions such as `try_lock`. + */ + override predicate isSpeculativeLock() { + getTarget().getName() in ["mtx_timedlock", "mtx_trylock"] + } + + /** + * Returns the `Variable` to which this `CMutexFunctionCall` refers to. For this + * style of lock it can reference a number of different variables. + */ + override Variable getLock() { + exists(VariableAccess va | + TaintTracking::localTaint(DataFlow::exprNode(va), DataFlow::exprNode(getLockExpr())) and + result = va.getTarget() + ) + } + + /** + * Returns the expression for this `CMutexFunctionCall`. + */ + override Expr getLockExpr() { result = arg } + + /** + * Holds if this is a `unlock` and *may* unlock the previously locked `CMutexFunctionCall`. + * This predicate does not check that the mutex is currently locked. + */ + override predicate unlocks(MutexFunctionCall fc) { + isUnlock() and + fc.getLock() = getLock() + } + + /** + * Holds if this is an unlock call. + */ + override predicate isUnlock() { getTarget().getName() = "mtx_unlock" } +} + +/** + * Models a RAII-Style lock. 
+ */ +class RAIIStyleLock extends LockingOperation { + VariableAccess lock; + + RAIIStyleLock() { + ( + getTarget().getDeclaringType().hasQualifiedName("std", "lock_guard") or + getTarget().getDeclaringType().hasQualifiedName("std", "unique_lock") or + getTarget().getDeclaringType().hasQualifiedName("std", "scoped_lock") + ) and + ( + lock = getArgument(0).getAChild*() + or + this instanceof DestructorCall and + exists(RAIIStyleLock constructor | + constructor = getQualifier().(VariableAccess).getTarget().getInitializer().getExpr() and + lock = constructor.getArgument(0).getAChild*() + ) + ) + } + + /** + * Holds if this is a lock operation + */ + override predicate isLock() { + not isLockingOperationWithinLockingOperation(this) and + this instanceof ConstructorCall and + lock = getArgument(0).getAChild*() and + // defer_locks don't cause a lock + not exists(Expr exp | + exp = getArgument(1) and + exp.(VariableAccess) + .getTarget() + .getUnderlyingType() + .(Class) + .hasQualifiedName("std", "defer_lock_t") + ) + } + + /** + * Holds if this is an unlock operation + */ + override predicate isUnlock() { this instanceof DestructorCall } + + /** + * Returns the target of the lock underlying this RAII-style lock. + */ + override Variable getLock() { result = lock.getTarget() } + + /** + * Returns the lock underlying this RAII-style lock. + */ + override Expr getLockExpr() { result = lock } +} diff --git a/cpp/common/src/codingstandards/cpp/concurrency/ThreadDependentMutexNew.qll b/cpp/common/src/codingstandards/cpp/concurrency/ThreadDependentMutexNew.qll new file mode 100644 index 0000000000..c761e2b1be --- /dev/null +++ b/cpp/common/src/codingstandards/cpp/concurrency/ThreadDependentMutexNew.qll 
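Review bot: `CPPMutexFunctionCall.isLock()` only matches a member named `lock` and `isUnlock()` only `unlock`, while the declaring-type filter admits `std::shared_timed_mutex` and `isSpeculativeLock()` lists `try_lock_shared_for`/`try_lock_shared_until`; so on a shared mutex the `lock_shared`/`unlock_shared` pair is neither a lock nor an unlock, and the shared try-variants are speculative locks whose release is never seen. If that is intentional, say so in the class doc, e.g. `// Shared (reader) locking is not modelled; only exclusive lock/unlock pairs are tracked.`, otherwise extend the name lists to `["lock", "lock_shared"]` and `["unlock", "unlock_shared"]`. Separately, `CMutexFunctionCall.getLock()` resolves its variable through `TaintTracking::localTaint` from `DataFlow::exprNode(va)`, and none of the expected-file hunks visible in this series exercise a C `mtx_lock(&m)` call under the new library, so that path deserves a dedicated test before the old copy is retired. `isLockingOperationWithinLockingOperation(inner)` never uses `this` and every call site passes `this`, so it reads better as a top-level predicate.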
@@ -0,0 +1,246 @@ +import cpp +import semmle.code.cpp.dataflow.new.TaintTracking +private import codingstandards.cpp.concurrency.ControlFlow +private import codingstandards.cpp.concurrency.ThreadedFunction + +abstract class MutexSource extends FunctionCall { } + +/** + * Models a C++ style mutex. + */ +class CPPMutexSource extends MutexSource, ConstructorCall { + CPPMutexSource() { getTarget().getDeclaringType().hasQualifiedName("std", "mutex") } +} + +/** + * Models a C11 style mutex. + */ +class C11MutexSource extends MutexSource, FunctionCall { + C11MutexSource() { getTarget().hasName("mtx_init") } + + Expr getMutexExpr() { result = getArgument(0) } + + Expr getMutexTypeExpr() { result = getArgument(1) } + + predicate isRecursive() { + exists(EnumConstantAccess recursive | + recursive = getMutexTypeExpr().getAChild*() and + recursive.getTarget().hasName("mtx_recursive") + ) + } +} + +/** + * Models a thread dependent mutex. A thread dependent mutex is a mutex + * that is used by a thread. This dependency is established either by directly + * passing in a mutex or by referencing a mutex that is in the local scope. The utility + * of this class is it captures the `DataFlow::Node` source at which the mutex + * came from. For example, if it is passed in from a local function to a thread. + * This functionality is critical, since it allows one to inspect how the thread + * behaves with respect to the owner of a resource. + * + * To model the myriad ways this can happen, the subclasses of this class are + * responsible for implementing the various usage patterns. + */ +abstract class ThreadDependentMutex extends DataFlow::Node { + DataFlow::Node sink; + + DataFlow::Node getASource() { + // the source is either the thing that declared + // the mutex + result = this + or + // or the thread we are using it in + result = getAThreadSource() + } + + /** + * Gets the dataflow nodes corresponding to thread local usages of the + * dependent mutex. 
+ */ + DataFlow::Node getAThreadSource() { + // here we line up the actual parameter at the thread creation + // site with the formal parameter in the target thread. + // Note that there are differences between the C and C++ versions + // of the argument ordering in the thread creation function. However, + // since the C version only takes one parameter (as opposed to multiple) + // we can simplify this search by considering only the first argument. + exists(FunctionCall fc, Function f, int n | + // Get the argument to which the mutex flowed. + fc.getArgument(n) = sink.asExpr() and + // Get the thread function we are calling. + f = fc.getArgument(0).(FunctionAccess).getTarget() and + // in C++, there is an extra argument to the `std::thread` call + // so we must subtract 1 since this is not passed to the thread. + ( + result = DataFlow::exprNode(f.getParameter(n - 1).getAnAccess()) + or + // In C, only one argument is allowed. Thus IF the flow predicate holds, + // it will be to the first argument + result = DataFlow::exprNode(f.getParameter(0).getAnAccess()) + ) + ) + } + + /** + * Produces the set of dataflow nodes to thread creation for threads + * that are dependent on this mutex. + */ + DataFlow::Node getADependentThreadCreationExpr() { + exists(FunctionCall fc | + fc.getAnArgument() = sink.asExpr() and + result = DataFlow::exprNode(fc) + ) + } + + /** + * Gets a set of usages of this mutex in both the local and thread scope. + * In the case of scoped usage, this also captures typical accesses of variables. + */ + DataFlow::Node getAUsage() { TaintTracking::localTaint(getASource(), result) } +} + +/** + * This class models the type of thread/mutex dependency that is established + * through the typical parameter passing mechanisms found in C++. + */ +class FlowBasedThreadDependentMutex extends ThreadDependentMutex { + FlowBasedThreadDependentMutex() { + // some sort of dataflow, likely through parameter passing. 
+ ThreadDependentMutexFlow::flow(this, sink) + } +} + +/** + * This class models the type of thread/mutex dependency that is established by + * either scope based accesses (e.g., global variables) or block scope differences. + */ +class AccessBasedThreadDependentMutex extends ThreadDependentMutex { + Variable variableSource; + + AccessBasedThreadDependentMutex() { + // encapsulates usages from outside scopes not directly expressed + // in dataflow. + exists(MutexSource mutexSrc, ThreadedFunction f | + DataFlow::exprNode(mutexSrc) = this and + // find a variable that was assigned the mutex + TaintTracking::localTaint(DataFlow::exprNode(mutexSrc), + DataFlow::exprNode(variableSource.getAnAssignedValue())) and + // find all subsequent accesses of that variable that are within a + // function and set those to the sink + exists(VariableAccess va | + va = variableSource.getAnAccess() and + va.getEnclosingFunction() = f and + sink = DataFlow::exprNode(va) + ) + ) + } + + override DataFlow::Node getAUsage() { DataFlow::exprNode(variableSource.getAnAccess()) = result } +} + +/** + * In the typical C thread model, a mutex is a created by a function that is not responsible + * for creating the variable. Thus this class encodes a slightly different semantics + * wherein the usage pattern is that of variables that have been both initialized + * and then subsequently passed into a thread directly. 
+ */ +class DeclarationInitBasedThreadDependentMutex extends ThreadDependentMutex { + Variable variableSource; + + DeclarationInitBasedThreadDependentMutex() { + exists(MutexSource ms, ThreadCreationFunction tcf | + this = DataFlow::exprNode(ms) and + // accessed as a mutex source + TaintTracking::localTaint(DataFlow::exprNode(variableSource.getAnAccess()), + DataFlow::exprNode(ms.getAnArgument())) and + // subsequently passed to a thread creation function (order not strictly + // enforced for performance reasons) + sink = DataFlow::exprNode(tcf.getAnArgument()) and + TaintTracking::localTaint(DataFlow::exprNode(variableSource.getAnAccess()), sink) + ) + } + + override DataFlow::Node getAUsage() { + TaintTracking::localTaint(getASource(), result) or + DataFlow::exprNode(variableSource.getAnAccess()) = result + } + + override DataFlow::Node getASource() { + // the source is either the thing that declared + // the mutex + result = this + or + // or the thread we are using it in + result = getAThreadSource() + } + + DataFlow::Node getSink() { result = sink } + + /** + * Gets the dataflow nodes corresponding to thread local usages of the + * dependent mutex. + */ + override DataFlow::Node getAThreadSource() { + // here we line up the actual parameter at the thread creation + // site with the formal parameter in the target thread. + // Note that there are differences between the C and C++ versions + // of the argument ordering in the thread creation function. However, + // since the C version only takes one parameter (as opposed to multiple) + // we can simplify this search by considering only the first argument. + exists( + FunctionCall fc, Function f, int n // CPP Version + | + fc.getArgument(n) = sink.asExpr() and + f = fc.getArgument(0).(FunctionAccess).getTarget() and + // in C++, there is an extra argument to the `std::thread` call + // so we must subtract 1 since this is not passed to the thread. 
+ result = DataFlow::exprNode(f.getParameter(n - 1).getAnAccess()) + ) + or + exists( + FunctionCall fc, Function f // C Version + | + fc.getAnArgument() = sink.asExpr() and + // in C, the second argument is the function + f = fc.getArgument(1).(FunctionAccess).getTarget() and + // in C, the passed argument is always the zeroth argument + result = DataFlow::exprNode(f.getParameter(0).getAnAccess()) + ) + } +} + +/** + * In the typical C model, another way to use mutexes is to work with global variables + * that can be initialized at various points -- one of which must be inside a thread. + * This class encapsulates this pattern. + */ +class DeclarationInitAccessBasedThreadDependentMutex extends ThreadDependentMutex { + Variable variableSource; + + DeclarationInitAccessBasedThreadDependentMutex() { + exists(MutexSource ms, ThreadedFunction tf, VariableAccess va | + this = DataFlow::exprNode(ms) and + // accessed as a mutex source + TaintTracking::localTaint(DataFlow::exprNode(variableSource.getAnAccess()), + DataFlow::exprNode(ms.getAnArgument())) and + // is accessed somewhere else + va = variableSource.getAnAccess() and + sink = DataFlow::exprNode(va) and + // one of which must be a thread + va.getEnclosingFunction() = tf + ) + } + + override DataFlow::Node getAUsage() { result = DataFlow::exprNode(variableSource.getAnAccess()) } +} + +module ThreadDependentMutexConfig implements DataFlow::ConfigSig { + predicate isSource(DataFlow::Node node) { node.asExpr() instanceof MutexSource } + + predicate isSink(DataFlow::Node node) { + exists(ThreadCreationFunction f | f.getAnArgument() = node.asExpr()) + } +} + +module ThreadDependentMutexFlow = TaintTracking::Global; diff --git a/cpp/common/src/codingstandards/cpp/concurrency/ThreadSpecificStorageNew.qll b/cpp/common/src/codingstandards/cpp/concurrency/ThreadSpecificStorageNew.qll new file mode 100644 index 0000000000..6dcb169250 --- /dev/null 
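Review bot: In the abstract `ThreadDependentMutex.getAThreadSource()` both alternatives share the binding `f = fc.getArgument(0).(FunctionAccess).getTarget()`, so the `f.getParameter(0)` alternative that the comment presents as the C case can only fire when the thread function is argument 0 — for `thrd_create`, where the function is argument 1 (as the override in `DeclarationInitBasedThreadDependentMutex` notes), it never matches. That same alternative is unconditional for `std::thread` calls too, so every argument `n` is mapped onto parameter 0 in addition to parameter `n - 1`, over-approximating C++ thread-local usages. The override already has the right shape; restructuring the base predicate the same way (below) fixes both and keeps the two aligned. Since this file is a temporary copy, the fix belongs in the original `ThreadDependentMutex.qll` as well, or the divergence should be noted in the class doc.
```ql
  DataFlow::Node getAThreadSource() {
    exists(FunctionCall fc, Function f, int n |
      fc.getArgument(n) = sink.asExpr() and
      (
        // C++: the callable is argument 0, so parameter n - 1 receives argument n
        f = fc.getArgument(0).(FunctionAccess).getTarget() and
        result = DataFlow::exprNode(f.getParameter(n - 1).getAnAccess())
        or
        // C: the callable is argument 1 and the single payload lands in parameter 0
        f = fc.getArgument(1).(FunctionAccess).getTarget() and
        result = DataFlow::exprNode(f.getParameter(0).getAnAccess())
      )
    )
  }
```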
+++ b/cpp/common/src/codingstandards/cpp/concurrency/ThreadSpecificStorageNew.qll @@ -0,0 +1,59 @@ +import cpp +private import semmle.code.cpp.dataflow.new.DataFlow +private import codingstandards.cpp.concurrency.ThreadCreation + +/** + * Models calls to thread specific storage function calls. + */ +abstract class ThreadSpecificStorageFunctionCall extends FunctionCall { + /** + * Gets the key to which this call references. + */ + Expr getKey() { getArgument(0) = result } +} + +/** + * Models calls to `tss_get`. + */ +class TSSGetFunctionCall extends ThreadSpecificStorageFunctionCall { + TSSGetFunctionCall() { getTarget().getName() = "tss_get" } +} + +/** + * Models calls to `tss_set`. + */ +class TSSSetFunctionCall extends ThreadSpecificStorageFunctionCall { + TSSSetFunctionCall() { getTarget().getName() = "tss_set" } +} + +/** + * Models calls to `tss_create` + */ +class TSSCreateFunctionCall extends ThreadSpecificStorageFunctionCall { + TSSCreateFunctionCall() { getTarget().getName() = "tss_create" } + + predicate hasDeallocator() { + not exists(MacroInvocation mi, NullMacro nm | + getArgument(1) = mi.getExpr() and + mi = nm.getAnInvocation() + ) + } +} + +/** + * Models calls to `tss_delete` + */ +class TSSDeleteFunctionCall extends ThreadSpecificStorageFunctionCall { + TSSDeleteFunctionCall() { getTarget().getName() = "tss_delete" } +} + +/** + * Gets a call to `DeallocationExpr` that deallocates memory owned by thread specific + * storage. + */ +predicate getAThreadSpecificStorageDeallocationCall(C11ThreadCreateCall tcc, DeallocationExpr dexp) { + exists(TSSGetFunctionCall tsg | + tcc.getFunction().getEntryPoint().getASuccessor*() = tsg and + DataFlow::localFlow(DataFlow::exprNode(tsg), DataFlow::exprNode(dexp.getFreedExpr())) + ) +} From 22b886028fb359b59d1ea5713356dfef0d5f5dbd Mon Sep 17 00:00:00 2001 
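Review bot: `TSSCreateFunctionCall.hasDeallocator()` only recognises a missing destructor when the second argument is an invocation of the `NULL` macro, so `tss_create(&key, 0)` is classified as having a deallocator (a C++ `nullptr` argument would presumably need its own check as well). Adding a constant-value test next to the macro test, `not getArgument(1).getValue() = "0"`, covers the literal form; the CON30-C expected output in the next commit is the place to confirm it changes nothing else. `getAThreadSpecificStorageDeallocationCall` is a predicate with no result, so the `getA…` name and the `Gets a call to …` doc line mislead; a QL-style name such as `isThreadSpecificStorageDeallocationCall` and the doc line `Holds if dexp frees memory obtained through tss_get in the thread created by tcc.` would match the rest of the library.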
From: Jeroen Ketema Date: Mon, 7 Jul 2025 16:50:27 +0200 Subject: [PATCH 20/88] Convert CON30-C to use the new dataflow library --- c/cert/src/rules/CON30-C/CleanUpThreadSpecificStorage.ql | 4 ++-- .../rules/CON30-C/CleanUpThreadSpecificStorage.expected | 6 ------ 2 files changed, 2 insertions(+), 8 deletions(-) diff --git a/c/cert/src/rules/CON30-C/CleanUpThreadSpecificStorage.ql b/c/cert/src/rules/CON30-C/CleanUpThreadSpecificStorage.ql index 1e03c089e8..afa664448a 100644 --- a/c/cert/src/rules/CON30-C/CleanUpThreadSpecificStorage.ql +++ b/c/cert/src/rules/CON30-C/CleanUpThreadSpecificStorage.ql @@ -19,8 +19,8 @@ import cpp import codingstandards.c.cert -import codingstandards.cpp.Concurrency -import semmle.code.cpp.dataflow.DataFlow +import codingstandards.cpp.ConcurrencyNew +import semmle.code.cpp.dataflow.new.DataFlow module TssCreateToTssDeleteConfig implements DataFlow::ConfigSig { predicate isSource(DataFlow::Node node) { diff --git a/c/cert/test/rules/CON30-C/CleanUpThreadSpecificStorage.expected b/c/cert/test/rules/CON30-C/CleanUpThreadSpecificStorage.expected index f3ea87136a..e03b665a1c 100644 --- a/c/cert/test/rules/CON30-C/CleanUpThreadSpecificStorage.expected +++ b/c/cert/test/rules/CON30-C/CleanUpThreadSpecificStorage.expected 
@@ -1,9 +1,3 @@ -WARNING: module 'DataFlow' has been deprecated and may be removed in future (CleanUpThreadSpecificStorage.ql:25,46-54) -WARNING: module 'DataFlow' has been deprecated and may be removed in future (CleanUpThreadSpecificStorage.ql:26,22-30) -WARNING: module 'DataFlow' has been deprecated and may be removed in future (CleanUpThreadSpecificStorage.ql:35,20-28) -WARNING: module 'DataFlow' has been deprecated and may be removed in future (CleanUpThreadSpecificStorage.ql:45,35-43) -WARNING: module 'DataFlow' has been deprecated and may be removed in future (CleanUpThreadSpecificStorage.ql:53,36-44) -WARNING: module 'DataFlow' has been deprecated and may be removed in future (CleanUpThreadSpecificStorage.ql:55,36-44) | test.c:27:3:27:12 | call to tss_create | Resources used by thread specific storage may not be cleaned up. | | test.c:49:3:49:12 | call to tss_create | Resources used by thread specific storage may not be cleaned up. | | test.c:71:3:71:12 | call to tss_create | Resources used by thread specific storage may not be cleaned up. | From 0a846c71cbc0cdebd3f891dc65a76a70702d0f5d Mon Sep 17 00:00:00 2001 From: Jeroen Ketema Date: Tue, 8 Jul 2025 11:17:40 +0200 Subject: [PATCH 21/88] Convert CON34-C to the new dataflow library Since the new dataflow library uses use-use dataflow and not def-use dataflow, we now need to check for definitions. Note that these queries can probably be improved by using a dataflow configuration - possibly limited to the local context of a function by including `DataFlow::FeatureEqualSourceSinkCallContext` --- .../AppropriateThreadObjectStorageDurations.ql | 5 +++-- .../ThreadObjectStorageDurationsNotInitialized.ql | 7 ++++--- ...AppropriateThreadObjectStorageDurations.expected | 13 ------------- ...eadObjectStorageDurationsNotInitialized.expected | 5 ----- 4 files changed, 7 insertions(+), 23 deletions(-) 
diff --git a/c/cert/src/rules/CON34-C/AppropriateThreadObjectStorageDurations.ql b/c/cert/src/rules/CON34-C/AppropriateThreadObjectStorageDurations.ql index 4fb034406b..10cdec5c73 100644 --- a/c/cert/src/rules/CON34-C/AppropriateThreadObjectStorageDurations.ql +++ b/c/cert/src/rules/CON34-C/AppropriateThreadObjectStorageDurations.ql @@ -20,8 +20,8 @@ import cpp import codingstandards.c.cert import codingstandards.c.Objects -import codingstandards.cpp.Concurrency -import semmle.code.cpp.dataflow.DataFlow +import codingstandards.cpp.ConcurrencyNew +import semmle.code.cpp.dataflow.new.DataFlow import semmle.code.cpp.commons.Alloc from C11ThreadCreateCall tcc, Expr arg @@ -53,6 +53,7 @@ where not exists(TSSSetFunctionCall tss, DataFlow::Node src | // there should be dataflow from somewhere (the same somewhere) // into each of the first arguments + exists(Expr e | e = src.asDefinition() or e = src.asDefiningArgument()) and DataFlow::localFlow(src, DataFlow::exprNode(tsg.getArgument(0))) and DataFlow::localFlow(src, DataFlow::exprNode(tss.getArgument(0))) ) diff --git a/c/cert/src/rules/CON34-C/ThreadObjectStorageDurationsNotInitialized.ql b/c/cert/src/rules/CON34-C/ThreadObjectStorageDurationsNotInitialized.ql index 07b114d6ca..40acc1e3ea 100644 --- a/c/cert/src/rules/CON34-C/ThreadObjectStorageDurationsNotInitialized.ql +++ b/c/cert/src/rules/CON34-C/ThreadObjectStorageDurationsNotInitialized.ql @@ -20,8 +20,8 @@ import cpp import codingstandards.c.cert -import codingstandards.cpp.Concurrency -import semmle.code.cpp.dataflow.DataFlow +import codingstandards.cpp.ConcurrencyNew +import semmle.code.cpp.dataflow.new.DataFlow from TSSGetFunctionCall tsg, ThreadedFunction tf where 
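Review bot: The added conjunct `exists(Expr e | e = src.asDefinition() or e = src.asDefiningArgument()) and` is repeated verbatim in the `ThreadObjectStorageDurationsNotInitialized.ql` hunk that follows, and the commit message explains it as a consequence of the new library's use-use flow, i.e. a property of the library rather than of either query. A named predicate in `ConcurrencyNew`, which both queries now import — e.g. `predicate isLocalDefinition(DataFlow::Node n) { exists(n.asDefinition()) or exists(n.asDefiningArgument()) }` — would carry that explanation once and let both `not exists(... src ...)` blocks read as `isLocalDefinition(src) and`. The `exists(Expr e | ...)` wrapper is also redundant as written, since `exists(src.asDefinition())` expresses the same thing. The enclosing `where` clause starts outside this hunk.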
@@ -31,7 +31,8 @@ where // however, there does not exist a proper sequencing. not exists(TSSSetFunctionCall tss, DataFlow::Node src | // there should be dataflow from somewhere (the same somewhere) - // into each of the first arguments + // into each of the first argument + exists(Expr e | e = src.asDefinition() or e = src.asDefiningArgument()) and DataFlow::localFlow(src, DataFlow::exprNode(tsg.getArgument(0))) and DataFlow::localFlow(src, DataFlow::exprNode(tss.getArgument(0))) ) diff --git a/c/cert/test/rules/CON34-C/AppropriateThreadObjectStorageDurations.expected b/c/cert/test/rules/CON34-C/AppropriateThreadObjectStorageDurations.expected index 2cd844f81b..c3cdc8bd7b 100644 --- a/c/cert/test/rules/CON34-C/AppropriateThreadObjectStorageDurations.expected +++ b/c/cert/test/rules/CON34-C/AppropriateThreadObjectStorageDurations.expected 
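Review bot: The comment rewrite in the `@@ -31,7 +31,8 @@` hunk of ThreadObjectStorageDurationsNotInitialized.ql turns `// into each of the first arguments` into `// into each of the first argument`, which reads as a grammatical regression: flow is checked into the first argument of two different calls (`tsg` and `tss`), so the plural was correct. Either keep the original line or make the relation explicit with `// into the first argument of each call`. The `not exists(...)` body is otherwise the same conjunct this commit adds to AppropriateThreadObjectStorageDurations.ql, so the two comments should at least agree.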
@@ -1,16 +1,3 @@ -WARNING: module 'DataFlow' has been deprecated and may be removed in future (AppropriateThreadObjectStorageDurations.ql:35,14-22) -WARNING: module 'DataFlow' has been deprecated and may be removed in future (AppropriateThreadObjectStorageDurations.ql:37,22-30) -WARNING: module 'DataFlow' has been deprecated and may be removed in future (AppropriateThreadObjectStorageDurations.ql:39,22-30) -WARNING: module 'DataFlow' has been deprecated and may be removed in future (AppropriateThreadObjectStorageDurations.ql:42,45-53) -WARNING: module 'DataFlow' has been deprecated and may be removed in future (AppropriateThreadObjectStorageDurations.ql:52,33-41) -WARNING: module 'DataFlow' has been deprecated and may be removed in future (AppropriateThreadObjectStorageDurations.ql:52,58-66) -WARNING: module 'DataFlow' has been deprecated and may be removed in future (AppropriateThreadObjectStorageDurations.ql:53,42-50) -WARNING: module 'DataFlow' has been deprecated and may be removed in future (AppropriateThreadObjectStorageDurations.ql:56,9-17) -WARNING: module 'DataFlow' has been deprecated and may be removed in future (AppropriateThreadObjectStorageDurations.ql:56,34-42) -WARNING: module 'DataFlow' has been deprecated and may be removed in future (AppropriateThreadObjectStorageDurations.ql:57,9-17) -WARNING: module 'DataFlow' has been deprecated and may be removed in future (AppropriateThreadObjectStorageDurations.ql:57,34-42) -WARNING: module 'TaintTracking' has been deprecated and may be removed in future (AppropriateThreadObjectStorageDurations.ql:42,9-22) -WARNING: module 'TaintTracking' has been deprecated and may be removed in future (AppropriateThreadObjectStorageDurations.ql:52,7-20) | test.c:23:3:23:13 | call to thrd_create | $@ not declared with appropriate storage duration | test.c:23:24:23:29 | & ... 
| Shared object | | test.c:74:3:74:13 | call to thrd_create | $@ not declared with appropriate storage duration | test.c:74:24:74:24 | p | Shared object | | test.c:85:3:85:13 | call to thrd_create | $@ not declared with appropriate storage duration | test.c:85:24:85:24 | p | Shared object | diff --git a/c/cert/test/rules/CON34-C/ThreadObjectStorageDurationsNotInitialized.expected b/c/cert/test/rules/CON34-C/ThreadObjectStorageDurationsNotInitialized.expected index b2ac853fbf..95d0a20041 100644 --- a/c/cert/test/rules/CON34-C/ThreadObjectStorageDurationsNotInitialized.expected +++ b/c/cert/test/rules/CON34-C/ThreadObjectStorageDurationsNotInitialized.expected @@ -1,6 +1 @@ -WARNING: module 'DataFlow' has been deprecated and may be removed in future (ThreadObjectStorageDurationsNotInitialized.ql:32,38-46) -WARNING: module 'DataFlow' has been deprecated and may be removed in future (ThreadObjectStorageDurationsNotInitialized.ql:35,5-13) -WARNING: module 'DataFlow' has been deprecated and may be removed in future (ThreadObjectStorageDurationsNotInitialized.ql:35,30-38) -WARNING: module 'DataFlow' has been deprecated and may be removed in future (ThreadObjectStorageDurationsNotInitialized.ql:36,5-13) -WARNING: module 'DataFlow' has been deprecated and may be removed in future (ThreadObjectStorageDurationsNotInitialized.ql:36,30-38) | test.c:14:7:14:13 | call to tss_get | Call to a thread specific storage function from within a threaded context on an object that may not be owned by this thread. | From 1c1f3fb8f07bf8bb2b78212d8c4b08a3852c240c Mon Sep 17 00:00:00 2001 
From: Jeroen Ketema Date: Tue, 8 Jul 2025 12:46:28 +0200 Subject: [PATCH 22/88] Move queries not depending on dataflow over to `ConcurrencyNew` --- .../rules/CON33-C/RaceConditionsWhenUsingLibraryFunctions.ql | 2 +- .../src/rules/CON37-C/DoNotCallSignalInMultithreadedProgram.ql | 2 +- c/cert/src/rules/CON40-C/AtomicVariableTwiceInExpression.ql | 2 +- .../rules/CON41-C/WrapFunctionsThatCanFailSpuriouslyInLoop.ql | 2 +- .../c/initialization/GlobalInitializationAnalysis.qll | 2 +- c/misra/src/rules/DIR-5-1/PossibleDataRaceBetweenThreads.ql | 2 +- c/misra/src/rules/DIR-5-3/BannedDynamicThreadCreation.ql | 2 +- c/misra/src/rules/DIR-5-3/ThreadCreatedByThread.ql | 2 +- .../RULE-18-6/ThreadLocalObjectAddressCopiedToGlobalObject.ql | 2 +- .../src/rules/RULE-22-12/NonstandardUseOfThreadingObject.ql | 2 +- .../RULE-22-13/ThreadingObjectWithInvalidStorageDuration.ql | 2 +- c/misra/src/rules/RULE-22-14/MutexInitWithInvalidMutexType.ql | 2 +- c/misra/src/rules/RULE-22-14/MutexInitializedInsideThread.ql | 2 +- c/misra/src/rules/RULE-22-14/MutexNotInitializedBeforeUse.ql | 2 +- .../RULE-22-15/ThreadResourceDisposedBeforeThreadsJoined.ql | 2 +- .../src/rules/RULE-22-17/InvalidOperationOnUnlockedMutex.ql | 3 +-- .../src/rules/RULE-22-18/NonRecursiveMutexRecursivelyLocked.ql | 2 +- .../RULE-22-18/NonRecursiveMutexRecursivelyLockedAudit.ql | 2 +- .../RULE-22-19/ConditionVariableUsedWithMultipleMutexes.ql | 2 +- .../rules/RULE-22-20/ThreadStorageNotInitializedBeforeUse.ql | 2 +- .../RULE-22-20/ThreadStoragePointerInitializedInsideThread.ql | 2 +- .../DoNotSpeculativelyLockALockedNonRecursiveMutex.ql | 2 +- .../src/rules/CON56-CPP/LockedALockedNonRecursiveMutexAudit.ql | 2 +- .../rules/guardaccesstobitfields/GuardAccessToBitFields.qll | 2 +- .../joinordetachthreadonlyonce/JoinOrDetachThreadOnlyOnce.qll | 2 +- .../PreserveSafetyWhenUsingConditionVariables.qll | 2 +- .../PreventDeadlockByLockingInPredefinedOrder.qll | 2 +- .../wrapspuriousfunctioninloop/WrapSpuriousFunctionInLoop.qll | 2 
+- 28 files changed, 28 insertions(+), 29 deletions(-) diff --git a/c/cert/src/rules/CON33-C/RaceConditionsWhenUsingLibraryFunctions.ql b/c/cert/src/rules/CON33-C/RaceConditionsWhenUsingLibraryFunctions.ql index c9bcaa6bd2..dadb21985e 100644 --- a/c/cert/src/rules/CON33-C/RaceConditionsWhenUsingLibraryFunctions.ql +++ b/c/cert/src/rules/CON33-C/RaceConditionsWhenUsingLibraryFunctions.ql @@ -18,7 +18,7 @@ import cpp import codingstandards.c.cert -import codingstandards.cpp.Concurrency +import codingstandards.cpp.ConcurrencyNew from ThreadedCFN node where diff --git a/c/cert/src/rules/CON37-C/DoNotCallSignalInMultithreadedProgram.ql b/c/cert/src/rules/CON37-C/DoNotCallSignalInMultithreadedProgram.ql index 17691f24dd..72fe5b5923 100644 --- a/c/cert/src/rules/CON37-C/DoNotCallSignalInMultithreadedProgram.ql +++ b/c/cert/src/rules/CON37-C/DoNotCallSignalInMultithreadedProgram.ql @@ -19,7 +19,7 @@ import cpp import codingstandards.c.cert -import codingstandards.cpp.Concurrency +import codingstandards.cpp.ConcurrencyNew from FunctionCall fc // This should only be applied in the context of a multi-threaded program (since diff --git a/c/cert/src/rules/CON40-C/AtomicVariableTwiceInExpression.ql b/c/cert/src/rules/CON40-C/AtomicVariableTwiceInExpression.ql index 0ec195868f..cc85cd9d1c 100644 --- a/c/cert/src/rules/CON40-C/AtomicVariableTwiceInExpression.ql +++ b/c/cert/src/rules/CON40-C/AtomicVariableTwiceInExpression.ql @@ -19,7 +19,7 @@ import cpp import codingstandards.c.cert -import codingstandards.cpp.Concurrency +import codingstandards.cpp.ConcurrencyNew from MacroInvocation mi, Variable v, Locatable whereFound where diff --git a/c/cert/src/rules/CON41-C/WrapFunctionsThatCanFailSpuriouslyInLoop.ql b/c/cert/src/rules/CON41-C/WrapFunctionsThatCanFailSpuriouslyInLoop.ql index 57be1bc488..d7754973fe 100644 --- a/c/cert/src/rules/CON41-C/WrapFunctionsThatCanFailSpuriouslyInLoop.ql +++ b/c/cert/src/rules/CON41-C/WrapFunctionsThatCanFailSpuriouslyInLoop.ql 
@@ -19,7 +19,7 @@ import cpp import codingstandards.c.cert -import codingstandards.cpp.Concurrency +import codingstandards.cpp.ConcurrencyNew from AtomicCompareExchange ace where diff --git a/c/common/src/codingstandards/c/initialization/GlobalInitializationAnalysis.qll b/c/common/src/codingstandards/c/initialization/GlobalInitializationAnalysis.qll index 2906883ae9..cf32f9bdc6 100644 --- a/c/common/src/codingstandards/c/initialization/GlobalInitializationAnalysis.qll +++ b/c/common/src/codingstandards/c/initialization/GlobalInitializationAnalysis.qll @@ -1,6 +1,6 @@ import cpp import codingstandards.c.Objects -import codingstandards.cpp.Concurrency +import codingstandards.cpp.ConcurrencyNew import codingstandards.cpp.Type signature module GlobalInitializationAnalysisConfigSig { diff --git a/c/misra/src/rules/DIR-5-1/PossibleDataRaceBetweenThreads.ql b/c/misra/src/rules/DIR-5-1/PossibleDataRaceBetweenThreads.ql index edf3705a9b..768a2b1ae2 100644 --- a/c/misra/src/rules/DIR-5-1/PossibleDataRaceBetweenThreads.ql +++ b/c/misra/src/rules/DIR-5-1/PossibleDataRaceBetweenThreads.ql @@ -17,7 +17,7 @@ import cpp import codingstandards.c.misra import codingstandards.c.Objects import codingstandards.c.SubObjects -import codingstandards.cpp.Concurrency +import codingstandards.cpp.ConcurrencyNew newtype TNonReentrantOperation = TReadWrite(SubObject object) { diff --git a/c/misra/src/rules/DIR-5-3/BannedDynamicThreadCreation.ql b/c/misra/src/rules/DIR-5-3/BannedDynamicThreadCreation.ql index 4bb526306b..cb12a8156b 100644 --- a/c/misra/src/rules/DIR-5-3/BannedDynamicThreadCreation.ql +++ b/c/misra/src/rules/DIR-5-3/BannedDynamicThreadCreation.ql @@ -18,7 +18,7 @@ import cpp import codingstandards.c.misra -import codingstandards.cpp.Concurrency +import codingstandards.cpp.ConcurrencyNew from CThreadCreateCall tc, Function enclosingFunction where 
diff --git a/c/misra/src/rules/DIR-5-3/ThreadCreatedByThread.ql b/c/misra/src/rules/DIR-5-3/ThreadCreatedByThread.ql index 207e763fa7..11f76de7ae 100644 --- a/c/misra/src/rules/DIR-5-3/ThreadCreatedByThread.ql +++ b/c/misra/src/rules/DIR-5-3/ThreadCreatedByThread.ql @@ -17,7 +17,7 @@ import cpp import codingstandards.c.misra -import codingstandards.cpp.Concurrency +import codingstandards.cpp.ConcurrencyNew class CThreadRoot extends Function { CThreadCreateCall threadCreate; diff --git a/c/misra/src/rules/RULE-18-6/ThreadLocalObjectAddressCopiedToGlobalObject.ql b/c/misra/src/rules/RULE-18-6/ThreadLocalObjectAddressCopiedToGlobalObject.ql index 6a520447d1..a8fea9558e 100644 --- a/c/misra/src/rules/RULE-18-6/ThreadLocalObjectAddressCopiedToGlobalObject.ql +++ b/c/misra/src/rules/RULE-18-6/ThreadLocalObjectAddressCopiedToGlobalObject.ql @@ -16,7 +16,7 @@ import cpp import codingstandards.c.misra import codingstandards.c.Objects -import codingstandards.cpp.Concurrency +import codingstandards.cpp.ConcurrencyNew from AssignExpr assignment, Element threadLocal, ObjectIdentity static where diff --git a/c/misra/src/rules/RULE-22-12/NonstandardUseOfThreadingObject.ql b/c/misra/src/rules/RULE-22-12/NonstandardUseOfThreadingObject.ql index d92b4ccea6..15a437e7ed 100644 --- a/c/misra/src/rules/RULE-22-12/NonstandardUseOfThreadingObject.ql +++ b/c/misra/src/rules/RULE-22-12/NonstandardUseOfThreadingObject.ql @@ -15,7 +15,7 @@ import cpp import codingstandards.c.misra -import codingstandards.cpp.Concurrency +import codingstandards.cpp.ConcurrencyNew import codingstandards.cpp.Type predicate isThreadingObject(Type t) { t instanceof PossiblySpecified::Type } diff --git a/c/misra/src/rules/RULE-22-13/ThreadingObjectWithInvalidStorageDuration.ql b/c/misra/src/rules/RULE-22-13/ThreadingObjectWithInvalidStorageDuration.ql index 066cf3c295..18f3671202 100644 --- a/c/misra/src/rules/RULE-22-13/ThreadingObjectWithInvalidStorageDuration.ql 
+++ b/c/misra/src/rules/RULE-22-13/ThreadingObjectWithInvalidStorageDuration.ql @@ -16,7 +16,7 @@ import cpp import codingstandards.c.misra import codingstandards.c.Objects -import codingstandards.cpp.Concurrency +import codingstandards.cpp.ConcurrencyNew import codingstandards.cpp.Type from ObjectIdentity obj, StorageDuration storageDuration, Type type diff --git a/c/misra/src/rules/RULE-22-14/MutexInitWithInvalidMutexType.ql b/c/misra/src/rules/RULE-22-14/MutexInitWithInvalidMutexType.ql index a122a0bec4..cda50fbf73 100644 --- a/c/misra/src/rules/RULE-22-14/MutexInitWithInvalidMutexType.ql +++ b/c/misra/src/rules/RULE-22-14/MutexInitWithInvalidMutexType.ql @@ -14,7 +14,7 @@ import cpp import codingstandards.c.misra -import codingstandards.cpp.Concurrency +import codingstandards.cpp.ConcurrencyNew predicate isBaseMutexType(EnumConstantAccess access) { access.getTarget().hasName(["mtx_plain", "mtx_timed"]) diff --git a/c/misra/src/rules/RULE-22-14/MutexInitializedInsideThread.ql b/c/misra/src/rules/RULE-22-14/MutexInitializedInsideThread.ql index 497fdaf14d..4b6afe9f5f 100644 --- a/c/misra/src/rules/RULE-22-14/MutexInitializedInsideThread.ql +++ b/c/misra/src/rules/RULE-22-14/MutexInitializedInsideThread.ql @@ -16,7 +16,7 @@ import cpp import codingstandards.c.misra -import codingstandards.cpp.Concurrency +import codingstandards.cpp.ConcurrencyNew from C11MutexSource mutexCreate, ThreadedFunction thread where diff --git a/c/misra/src/rules/RULE-22-14/MutexNotInitializedBeforeUse.ql b/c/misra/src/rules/RULE-22-14/MutexNotInitializedBeforeUse.ql index f78c25f981..7df3a2dc4d 100644 --- a/c/misra/src/rules/RULE-22-14/MutexNotInitializedBeforeUse.ql +++ b/c/misra/src/rules/RULE-22-14/MutexNotInitializedBeforeUse.ql 
@@ -16,7 +16,7 @@ import cpp import codingstandards.c.misra import codingstandards.c.Objects -import codingstandards.cpp.Concurrency +import codingstandards.cpp.ConcurrencyNew import codingstandards.cpp.Type import codingstandards.c.initialization.GlobalInitializationAnalysis diff --git a/c/misra/src/rules/RULE-22-15/ThreadResourceDisposedBeforeThreadsJoined.ql b/c/misra/src/rules/RULE-22-15/ThreadResourceDisposedBeforeThreadsJoined.ql index ec4631ef1b..9f06f441d1 100644 --- a/c/misra/src/rules/RULE-22-15/ThreadResourceDisposedBeforeThreadsJoined.ql +++ b/c/misra/src/rules/RULE-22-15/ThreadResourceDisposedBeforeThreadsJoined.ql @@ -16,7 +16,7 @@ import cpp import codingstandards.c.misra import codingstandards.c.SubObjects -import codingstandards.cpp.Concurrency +import codingstandards.cpp.ConcurrencyNew newtype TThreadKind = TSpawned(C11ThreadCreateCall tcc) or diff --git a/c/misra/src/rules/RULE-22-17/InvalidOperationOnUnlockedMutex.ql b/c/misra/src/rules/RULE-22-17/InvalidOperationOnUnlockedMutex.ql index 252b4a7d9f..f2bb0a519c 100644 --- a/c/misra/src/rules/RULE-22-17/InvalidOperationOnUnlockedMutex.ql +++ b/c/misra/src/rules/RULE-22-17/InvalidOperationOnUnlockedMutex.ql @@ -16,9 +16,8 @@ import cpp import codingstandards.c.misra import codingstandards.c.SubObjects -import codingstandards.cpp.Concurrency +import codingstandards.cpp.ConcurrencyNew import codingstandards.cpp.dominance.BehavioralSet -import semmle.code.cpp.dataflow.new.DataFlow::DataFlow as NewDF /* A call to mtx_unlock() or cnd_wait() or cnd_timedwait(), which require a locked mutex */ class RequiresLockOperation extends FunctionCall { diff --git a/c/misra/src/rules/RULE-22-18/NonRecursiveMutexRecursivelyLocked.ql b/c/misra/src/rules/RULE-22-18/NonRecursiveMutexRecursivelyLocked.ql index 17762b3eee..c1ace4489b 100644 --- a/c/misra/src/rules/RULE-22-18/NonRecursiveMutexRecursivelyLocked.ql +++ b/c/misra/src/rules/RULE-22-18/NonRecursiveMutexRecursivelyLocked.ql 
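Review bot: The `@@ -16,9 +16,8 @@` hunk of InvalidOperationOnUnlockedMutex.ql removes `import semmle.code.cpp.dataflow.new.DataFlow::DataFlow as NewDF` without rewriting any use of `NewDF` in the same hunk; the rest of the file is outside this view, so if the query body still references `NewDF::` it no longer compiles, and if the body now relies on `ConcurrencyNew` to expose `DataFlow`, that dependency is implicit rather than imported here. This is also the only file in the commit that touches a dataflow import even though the subject describes the moved queries as not depending on dataflow, so a sentence in the commit message confirming the alias had become unused (or that `ConcurrencyNew` re-exports the module) would make the change self-explaining.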
@@ -16,7 +16,7 @@ import cpp import codingstandards.c.misra import codingstandards.c.SubObjects -import codingstandards.cpp.Concurrency +import codingstandards.cpp.ConcurrencyNew import codingstandards.cpp.Type from diff --git a/c/misra/src/rules/RULE-22-18/NonRecursiveMutexRecursivelyLockedAudit.ql b/c/misra/src/rules/RULE-22-18/NonRecursiveMutexRecursivelyLockedAudit.ql index 7e002585b6..1df7c03825 100644 --- a/c/misra/src/rules/RULE-22-18/NonRecursiveMutexRecursivelyLockedAudit.ql +++ b/c/misra/src/rules/RULE-22-18/NonRecursiveMutexRecursivelyLockedAudit.ql @@ -18,7 +18,7 @@ import cpp import codeql.util.Boolean import codingstandards.c.misra import codingstandards.c.SubObjects -import codingstandards.cpp.Concurrency +import codingstandards.cpp.ConcurrencyNew import codingstandards.cpp.Type predicate isTrackableMutex(CMutexFunctionCall lockCall, Boolean recursive) { diff --git a/c/misra/src/rules/RULE-22-19/ConditionVariableUsedWithMultipleMutexes.ql b/c/misra/src/rules/RULE-22-19/ConditionVariableUsedWithMultipleMutexes.ql index 0d5aa5399f..ce05c2dc74 100644 --- a/c/misra/src/rules/RULE-22-19/ConditionVariableUsedWithMultipleMutexes.ql +++ b/c/misra/src/rules/RULE-22-19/ConditionVariableUsedWithMultipleMutexes.ql @@ -16,7 +16,7 @@ import cpp import codingstandards.c.misra import codingstandards.c.SubObjects -import codingstandards.cpp.Concurrency +import codingstandards.cpp.ConcurrencyNew bindingset[cond, mutex] int countMutexesForConditionVariable(SubObject cond, SubObject mutex) { diff --git a/c/misra/src/rules/RULE-22-20/ThreadStorageNotInitializedBeforeUse.ql b/c/misra/src/rules/RULE-22-20/ThreadStorageNotInitializedBeforeUse.ql index 1edf4aa9c3..9a9d924247 100644 --- a/c/misra/src/rules/RULE-22-20/ThreadStorageNotInitializedBeforeUse.ql +++ b/c/misra/src/rules/RULE-22-20/ThreadStorageNotInitializedBeforeUse.ql 
@@ -16,7 +16,7 @@ import cpp import codingstandards.c.misra import codingstandards.c.Objects -import codingstandards.cpp.Concurrency +import codingstandards.cpp.ConcurrencyNew import codingstandards.cpp.Type import codingstandards.c.initialization.GlobalInitializationAnalysis diff --git a/c/misra/src/rules/RULE-22-20/ThreadStoragePointerInitializedInsideThread.ql b/c/misra/src/rules/RULE-22-20/ThreadStoragePointerInitializedInsideThread.ql index 3c40ea7116..4b7c64d914 100644 --- a/c/misra/src/rules/RULE-22-20/ThreadStoragePointerInitializedInsideThread.ql +++ b/c/misra/src/rules/RULE-22-20/ThreadStoragePointerInitializedInsideThread.ql @@ -16,7 +16,7 @@ import cpp import codingstandards.c.misra -import codingstandards.cpp.Concurrency +import codingstandards.cpp.ConcurrencyNew from TSSCreateFunctionCall tssCreate, ThreadedFunction thread where diff --git a/cpp/cert/src/rules/CON56-CPP/DoNotSpeculativelyLockALockedNonRecursiveMutex.ql b/cpp/cert/src/rules/CON56-CPP/DoNotSpeculativelyLockALockedNonRecursiveMutex.ql index 67edf2fc22..a462e60edb 100644 --- a/cpp/cert/src/rules/CON56-CPP/DoNotSpeculativelyLockALockedNonRecursiveMutex.ql +++ b/cpp/cert/src/rules/CON56-CPP/DoNotSpeculativelyLockALockedNonRecursiveMutex.ql @@ -19,7 +19,7 @@ import cpp import codingstandards.cpp.cert -import codingstandards.cpp.Concurrency +import codingstandards.cpp.ConcurrencyNew from LockProtectedControlFlowNode n where diff --git a/cpp/cert/src/rules/CON56-CPP/LockedALockedNonRecursiveMutexAudit.ql b/cpp/cert/src/rules/CON56-CPP/LockedALockedNonRecursiveMutexAudit.ql index 09ec2fa3d5..99ad966efa 100644 --- a/cpp/cert/src/rules/CON56-CPP/LockedALockedNonRecursiveMutexAudit.ql +++ b/cpp/cert/src/rules/CON56-CPP/LockedALockedNonRecursiveMutexAudit.ql @@ -19,7 +19,7 @@ import cpp import codingstandards.cpp.cert -import codingstandards.cpp.Concurrency +import codingstandards.cpp.ConcurrencyNew from LockProtectedControlFlowNode n where 
diff --git a/cpp/common/src/codingstandards/cpp/rules/guardaccesstobitfields/GuardAccessToBitFields.qll b/cpp/common/src/codingstandards/cpp/rules/guardaccesstobitfields/GuardAccessToBitFields.qll index 5b03a4f8bd..8bac7e15ee 100644 --- a/cpp/common/src/codingstandards/cpp/rules/guardaccesstobitfields/GuardAccessToBitFields.qll +++ b/cpp/common/src/codingstandards/cpp/rules/guardaccesstobitfields/GuardAccessToBitFields.qll @@ -6,7 +6,7 @@ import cpp import codingstandards.cpp.Customizations import codingstandards.cpp.Exclusions -import codingstandards.cpp.Concurrency +import codingstandards.cpp.ConcurrencyNew abstract class GuardAccessToBitFieldsSharedQuery extends Query { } diff --git a/cpp/common/src/codingstandards/cpp/rules/joinordetachthreadonlyonce/JoinOrDetachThreadOnlyOnce.qll b/cpp/common/src/codingstandards/cpp/rules/joinordetachthreadonlyonce/JoinOrDetachThreadOnlyOnce.qll index 5ccbe83c72..4b09e85873 100644 --- a/cpp/common/src/codingstandards/cpp/rules/joinordetachthreadonlyonce/JoinOrDetachThreadOnlyOnce.qll +++ b/cpp/common/src/codingstandards/cpp/rules/joinordetachthreadonlyonce/JoinOrDetachThreadOnlyOnce.qll @@ -7,7 +7,7 @@ import cpp import codingstandards.cpp.Customizations import codingstandards.cpp.Exclusions -import codingstandards.cpp.Concurrency +import codingstandards.cpp.ConcurrencyNew abstract class JoinOrDetachThreadOnlyOnceSharedQuery extends Query { } diff --git a/cpp/common/src/codingstandards/cpp/rules/preservesafetywhenusingconditionvariables/PreserveSafetyWhenUsingConditionVariables.qll b/cpp/common/src/codingstandards/cpp/rules/preservesafetywhenusingconditionvariables/PreserveSafetyWhenUsingConditionVariables.qll index 94d9d201c4..0851fe980a 100644 --- a/cpp/common/src/codingstandards/cpp/rules/preservesafetywhenusingconditionvariables/PreserveSafetyWhenUsingConditionVariables.qll +++ b/cpp/common/src/codingstandards/cpp/rules/preservesafetywhenusingconditionvariables/PreserveSafetyWhenUsingConditionVariables.qll 
@@ -6,7 +6,7 @@ import cpp import codingstandards.cpp.Customizations import codingstandards.cpp.Exclusions -import codingstandards.cpp.Concurrency +import codingstandards.cpp.ConcurrencyNew abstract class PreserveSafetyWhenUsingConditionVariablesSharedQuery extends Query { } diff --git a/cpp/common/src/codingstandards/cpp/rules/preventdeadlockbylockinginpredefinedorder/PreventDeadlockByLockingInPredefinedOrder.qll b/cpp/common/src/codingstandards/cpp/rules/preventdeadlockbylockinginpredefinedorder/PreventDeadlockByLockingInPredefinedOrder.qll index db755293c6..25e169b139 100644 --- a/cpp/common/src/codingstandards/cpp/rules/preventdeadlockbylockinginpredefinedorder/PreventDeadlockByLockingInPredefinedOrder.qll +++ b/cpp/common/src/codingstandards/cpp/rules/preventdeadlockbylockinginpredefinedorder/PreventDeadlockByLockingInPredefinedOrder.qll @@ -6,7 +6,7 @@ import cpp import codingstandards.cpp.Customizations import codingstandards.cpp.Exclusions -import codingstandards.cpp.Concurrency +import codingstandards.cpp.ConcurrencyNew import semmle.code.cpp.controlflow.Dominance abstract class PreventDeadlockByLockingInPredefinedOrderSharedQuery extends Query { } diff --git a/cpp/common/src/codingstandards/cpp/rules/wrapspuriousfunctioninloop/WrapSpuriousFunctionInLoop.qll b/cpp/common/src/codingstandards/cpp/rules/wrapspuriousfunctioninloop/WrapSpuriousFunctionInLoop.qll index 99bdbeee5d..382cda1ae8 100644 --- a/cpp/common/src/codingstandards/cpp/rules/wrapspuriousfunctioninloop/WrapSpuriousFunctionInLoop.qll +++ b/cpp/common/src/codingstandards/cpp/rules/wrapspuriousfunctioninloop/WrapSpuriousFunctionInLoop.qll @@ -6,7 +6,7 @@ import cpp import codingstandards.cpp.Customizations import codingstandards.cpp.Exclusions -import codingstandards.cpp.Concurrency +import codingstandards.cpp.ConcurrencyNew abstract class WrapSpuriousFunctionInLoopSharedQuery extends Query { } From 3ba33c076a69ae7bcc373d65111f07e35565cb11 Mon Sep 17 00:00:00 2001 
From: Jeroen Ketema Date: Tue, 8 Jul 2025 16:01:51 +0200 Subject: [PATCH 23/88] Convert UseOnlyArrayIndexingForPointerArithmetic to use the new dataflow library --- .../UseOnlyArrayIndexingForPointerArithmetic.qll | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/cpp/common/src/codingstandards/cpp/rules/useonlyarrayindexingforpointerarithmetic/UseOnlyArrayIndexingForPointerArithmetic.qll b/cpp/common/src/codingstandards/cpp/rules/useonlyarrayindexingforpointerarithmetic/UseOnlyArrayIndexingForPointerArithmetic.qll index 3b0abbad0d..f9ffb4fc9a 100644 --- a/cpp/common/src/codingstandards/cpp/rules/useonlyarrayindexingforpointerarithmetic/UseOnlyArrayIndexingForPointerArithmetic.qll +++ b/cpp/common/src/codingstandards/cpp/rules/useonlyarrayindexingforpointerarithmetic/UseOnlyArrayIndexingForPointerArithmetic.qll @@ -6,7 +6,7 @@ import cpp import codingstandards.cpp.Customizations import codingstandards.cpp.Exclusions -import semmle.code.cpp.dataflow.DataFlow +import semmle.code.cpp.dataflow.new.DataFlow abstract class UseOnlyArrayIndexingForPointerArithmeticSharedQuery extends Query { } From e2d44a680b90b0aa424a00239628e8622349af66 Mon Sep 17 00:00:00 2001 From: Jeroen Ketema Date: Tue, 8 Jul 2025 16:02:57 +0200 Subject: [PATCH 24/88] Convert StringNumberConversionMissingErrorCheck to use the new dataflow library --- .../StringNumberConversionMissingErrorCheck.qll | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/cpp/common/src/codingstandards/cpp/rules/stringnumberconversionmissingerrorcheck/StringNumberConversionMissingErrorCheck.qll b/cpp/common/src/codingstandards/cpp/rules/stringnumberconversionmissingerrorcheck/StringNumberConversionMissingErrorCheck.qll index fd56f5d899..cb0bc765e6 100644 --- a/cpp/common/src/codingstandards/cpp/rules/stringnumberconversionmissingerrorcheck/StringNumberConversionMissingErrorCheck.qll 
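Review bot: Swapping `semmle.code.cpp.dataflow.DataFlow` for `semmle.code.cpp.dataflow.new.DataFlow` in UseOnlyArrayIndexingForPointerArithmetic.qll changes the meaning of any `DataFlow::localFlow` step the library body takes (use-use rather than def-use, as the CON34-C commit earlier in this series explains), and the body lies outside this hunk, so nothing visible shows whether a definition-as-source guard like the one added to CON34-C is needed here. Unlike the later conversions in this series (FgetsErrorManagement, RULE-22-3, RULE-22-4, A7-5-1), whose removed deprecation warnings in `.expected` files show the tests were re-run, this commit and the following StringNumberConversionMissingErrorCheck one touch no `.expected` file; if the test run produced no diff, stating that in the commit message would document it. The same remark applies to the `TaintTracking` import swap in StringNumberConversionMissingErrorCheck.qll.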
+++ b/cpp/common/src/codingstandards/cpp/rules/stringnumberconversionmissingerrorcheck/StringNumberConversionMissingErrorCheck.qll @@ -7,7 +7,7 @@ import cpp import codingstandards.cpp.Customizations import codingstandards.cpp.Exclusions import semmle.code.cpp.valuenumbering.GlobalValueNumbering -import semmle.code.cpp.dataflow.TaintTracking +import semmle.code.cpp.dataflow.new.TaintTracking import codingstandards.cpp.standardlibrary.CharStreams abstract class StringNumberConversionMissingErrorCheckSharedQuery extends Query { } From 5ee401ccc85c44732b3a74c317279339779c5d5a Mon Sep 17 00:00:00 2001 From: Jeroen Ketema Date: Tue, 8 Jul 2025 16:03:30 +0200 Subject: [PATCH 25/88] Convert FgetsErrorManagement to use the new dataflow library --- .../FIO37-C/SuccessfulFgetsOrFgetwsMayReturnAnEmptyString.ql | 2 +- .../rules/FIO40-C/ResetStringsOnFgetsOrFgetwsFailure.expected | 3 --- cpp/common/src/codingstandards/cpp/FgetsErrorManagement.qll | 2 +- 3 files changed, 2 insertions(+), 5 deletions(-) diff --git a/c/cert/src/rules/FIO37-C/SuccessfulFgetsOrFgetwsMayReturnAnEmptyString.ql b/c/cert/src/rules/FIO37-C/SuccessfulFgetsOrFgetwsMayReturnAnEmptyString.ql index ad3a2c8192..d9b96d3c86 100644 --- a/c/cert/src/rules/FIO37-C/SuccessfulFgetsOrFgetwsMayReturnAnEmptyString.ql +++ b/c/cert/src/rules/FIO37-C/SuccessfulFgetsOrFgetwsMayReturnAnEmptyString.ql @@ -19,7 +19,7 @@ import cpp import codingstandards.c.cert import codingstandards.cpp.FgetsErrorManagement import codingstandards.cpp.Dereferenced -import semmle.code.cpp.dataflow.DataFlow +import semmle.code.cpp.dataflow.new.DataFlow /* * CFG nodes that follows a successful call to `fgets` diff --git a/c/cert/test/rules/FIO40-C/ResetStringsOnFgetsOrFgetwsFailure.expected b/c/cert/test/rules/FIO40-C/ResetStringsOnFgetsOrFgetwsFailure.expected index 7d3cbe355b..20c108cfa0 100644 --- a/c/cert/test/rules/FIO40-C/ResetStringsOnFgetsOrFgetwsFailure.expected +++ b/c/cert/test/rules/FIO40-C/ResetStringsOnFgetsOrFgetwsFailure.expected 
@@ -1,6 +1,3 @@ -WARNING: module 'DataFlow' has been deprecated and may be removed in future (ResetStringsOnFgetsOrFgetwsFailure.ql:47,11-19) -WARNING: module 'DataFlow' has been deprecated and may be removed in future (ResetStringsOnFgetsOrFgetwsFailure.ql:47,31-39) -WARNING: module 'DataFlow' has been deprecated and may be removed in future (ResetStringsOnFgetsOrFgetwsFailure.ql:48,13-21) | test.c:20:10:20:12 | buf | The buffer is not reset before being referenced following a failed $@. | test.c:15:7:15:11 | call to fgets | call to fgets | | test.c:57:10:57:12 | buf | The buffer is not reset before being referenced following a failed $@. | test.c:52:7:52:11 | call to fgets | call to fgets | | test.c:66:18:66:20 | buf | The buffer is not reset before being referenced following a failed $@. | test.c:61:7:61:11 | call to fgets | call to fgets | diff --git a/cpp/common/src/codingstandards/cpp/FgetsErrorManagement.qll b/cpp/common/src/codingstandards/cpp/FgetsErrorManagement.qll index 4f99b02e2e..7342b92f32 100644 --- a/cpp/common/src/codingstandards/cpp/FgetsErrorManagement.qll +++ b/cpp/common/src/codingstandards/cpp/FgetsErrorManagement.qll @@ -4,7 +4,7 @@ */ import cpp -import semmle.code.cpp.dataflow.DataFlow +import semmle.code.cpp.dataflow.new.DataFlow import semmle.code.cpp.controlflow.Guards /* From 96b3137d3d741ccd6fcca849682a2a995bb967d7 Mon Sep 17 00:00:00 2001 From: Jeroen Ketema Date: Tue, 8 Jul 2025 17:05:19 +0200 Subject: [PATCH 26/88] Convert RULE-22-3 to use the new dataflow library --- .../RULE-22-3/FileOpenForReadAndWriteOnDifferentStreams.ql | 2 +- .../FileOpenForReadAndWriteOnDifferentStreams.expected | 1 - 2 files changed, 1 insertion(+), 2 deletions(-) diff --git a/c/misra/src/rules/RULE-22-3/FileOpenForReadAndWriteOnDifferentStreams.ql b/c/misra/src/rules/RULE-22-3/FileOpenForReadAndWriteOnDifferentStreams.ql index 642813bbab..581439c629 100644 --- a/c/misra/src/rules/RULE-22-3/FileOpenForReadAndWriteOnDifferentStreams.ql 
+++ b/c/misra/src/rules/RULE-22-3/FileOpenForReadAndWriteOnDifferentStreams.ql @@ -15,7 +15,7 @@ import cpp import codingstandards.c.misra import codingstandards.cpp.standardlibrary.FileAccess -import semmle.code.cpp.dataflow.DataFlow +import semmle.code.cpp.dataflow.new.DataFlow import semmle.code.cpp.valuenumbering.GlobalValueNumbering import semmle.code.cpp.controlflow.SubBasicBlocks diff --git a/c/misra/test/rules/RULE-22-3/FileOpenForReadAndWriteOnDifferentStreams.expected b/c/misra/test/rules/RULE-22-3/FileOpenForReadAndWriteOnDifferentStreams.expected index 0365f4980d..6111072ba8 100644 --- a/c/misra/test/rules/RULE-22-3/FileOpenForReadAndWriteOnDifferentStreams.expected +++ b/c/misra/test/rules/RULE-22-3/FileOpenForReadAndWriteOnDifferentStreams.expected @@ -1,4 +1,3 @@ -WARNING: module 'DataFlow' has been deprecated and may be removed in future (FileOpenForReadAndWriteOnDifferentStreams.ql:39,9-17) | test.c:6:14:6:18 | call to fopen | The same file was already opened $@. Files should not be read and written at the same time using different streams. | test.c:5:14:5:18 | call to fopen | here | | test.c:17:14:17:18 | call to fopen | The same file was already opened $@. Files should not be read and written at the same time using different streams. | test.c:16:14:16:18 | call to fopen | here | | test.c:33:14:33:18 | call to fopen | The same file was already opened $@. Files should not be read and written at the same time using different streams. | test.c:32:14:32:18 | call to fopen | here | From 0170b58005819901894f22de68d71e60638a20dd Mon Sep 17 00:00:00 2001 From: Jeroen Ketema Date: Tue, 8 Jul 2025 17:07:11 +0200 Subject: [PATCH 27/88] Convert RULE-22-4 to use the new dataflow library --- .../src/rules/RULE-22-4/AttemptToWriteToAReadOnlyStream.ql | 2 +- .../RULE-22-4/AttemptToWriteToAReadOnlyStream.expected | 6 ------ 2 files changed, 1 insertion(+), 7 deletions(-) 
diff --git a/c/misra/src/rules/RULE-22-4/AttemptToWriteToAReadOnlyStream.ql b/c/misra/src/rules/RULE-22-4/AttemptToWriteToAReadOnlyStream.ql index 2439d4ca47..2468caa61e 100644 --- a/c/misra/src/rules/RULE-22-4/AttemptToWriteToAReadOnlyStream.ql +++ b/c/misra/src/rules/RULE-22-4/AttemptToWriteToAReadOnlyStream.ql @@ -14,7 +14,7 @@ import cpp import codingstandards.c.misra import codingstandards.cpp.standardlibrary.FileAccess -import semmle.code.cpp.dataflow.DataFlow +import semmle.code.cpp.dataflow.new.DataFlow module FileDFConfig implements DataFlow::ConfigSig { predicate isSource(DataFlow::Node source) { diff --git a/c/misra/test/rules/RULE-22-4/AttemptToWriteToAReadOnlyStream.expected b/c/misra/test/rules/RULE-22-4/AttemptToWriteToAReadOnlyStream.expected index dbf08e3d3d..0bfce133c5 100644 --- a/c/misra/test/rules/RULE-22-4/AttemptToWriteToAReadOnlyStream.expected +++ b/c/misra/test/rules/RULE-22-4/AttemptToWriteToAReadOnlyStream.expected @@ -1,8 +1,2 @@ -WARNING: module 'DataFlow' has been deprecated and may be removed in future (AttemptToWriteToAReadOnlyStream.ql:19,32-40) -WARNING: module 'DataFlow' has been deprecated and may be removed in future (AttemptToWriteToAReadOnlyStream.ql:20,22-30) -WARNING: module 'DataFlow' has been deprecated and may be removed in future (AttemptToWriteToAReadOnlyStream.ql:25,20-28) -WARNING: module 'DataFlow' has been deprecated and may be removed in future (AttemptToWriteToAReadOnlyStream.ql:31,21-29) -WARNING: module 'DataFlow' has been deprecated and may be removed in future (AttemptToWriteToAReadOnlyStream.ql:33,6-14) -WARNING: module 'DataFlow' has been deprecated and may be removed in future (AttemptToWriteToAReadOnlyStream.ql:36,28-36) | test.c:10:3:10:9 | call to fprintf | Attempt to write to a $@ opened as read-only. | test.c:9:14:9:18 | call to fopen | stream | | test.c:15:3:15:9 | call to fprintf | Attempt to write to a $@ opened as read-only. | test.c:18:14:18:18 | call to fopen | stream | 
From 80809521790c44c5f6097150e1639ec2618d190a Mon Sep 17 00:00:00 2001 From: Jeroen Ketema Date: Tue, 8 Jul 2025 17:38:05 +0200 Subject: [PATCH 28/88] Convert A7-5-1 to use the new dataflow library --- cpp/autosar/src/rules/A7-5-1/InvalidFunctionReturnType.ql | 2 +- .../test/rules/A7-5-1/InvalidFunctionReturnType.expected | 3 --- 2 files changed, 1 insertion(+), 4 deletions(-) diff --git a/cpp/autosar/src/rules/A7-5-1/InvalidFunctionReturnType.ql b/cpp/autosar/src/rules/A7-5-1/InvalidFunctionReturnType.ql index c36bda6cdd..6b94c68cff 100644 --- a/cpp/autosar/src/rules/A7-5-1/InvalidFunctionReturnType.ql +++ b/cpp/autosar/src/rules/A7-5-1/InvalidFunctionReturnType.ql @@ -16,7 +16,7 @@ import cpp import codingstandards.cpp.autosar -import semmle.code.cpp.dataflow.DataFlow +import semmle.code.cpp.dataflow.new.DataFlow from Parameter p, ReturnStmt ret where diff --git a/cpp/autosar/test/rules/A7-5-1/InvalidFunctionReturnType.expected b/cpp/autosar/test/rules/A7-5-1/InvalidFunctionReturnType.expected index 3287ba88d1..b6d9490803 100644 --- a/cpp/autosar/test/rules/A7-5-1/InvalidFunctionReturnType.expected +++ b/cpp/autosar/test/rules/A7-5-1/InvalidFunctionReturnType.expected @@ -1,5 +1,2 @@ -WARNING: module 'DataFlow' has been deprecated and may be removed in future (InvalidFunctionReturnType.ql:27,3-11) -WARNING: module 'DataFlow' has been deprecated and may be removed in future (InvalidFunctionReturnType.ql:27,23-31) -WARNING: module 'DataFlow' has been deprecated and may be removed in future (InvalidFunctionReturnType.ql:27,51-59) | test.cpp:5:3:5:11 | return ... | Function test_refconst_return returns a reference or a pointer to $@ that is passed by reference to const. | test.cpp:4:44:4:44 | x | parameter | | test.cpp:8:3:8:14 | return ... | Function test_ptrconst_return returns a reference or a pointer to $@ that is passed by reference to const. | test.cpp:7:44:7:44 | x | parameter | From c962dbef17937a7ada9d70103469c40ed8f86190 Mon Sep 17 00:00:00 2001 
From: Jeroen Ketema Date: Tue, 8 Jul 2025 17:54:03 +0200 Subject: [PATCH 29/88] Convert DoNotSubtractPointersAddressingDifferentArrays to use new dataflow library --- ...PointersAddressingDifferentArrays.expected | 28 ++++++++++++------- .../PointerSubtractionOnDifferentArrays.ql | 4 ++- ...tractPointersAddressingDifferentArrays.qll | 4 ++- ...PointersAddressingDifferentArrays.expected | 28 ++++++++++++------- 4 files changed, 42 insertions(+), 22 deletions(-) diff --git a/c/common/test/rules/donotsubtractpointersaddressingdifferentarrays/DoNotSubtractPointersAddressingDifferentArrays.expected b/c/common/test/rules/donotsubtractpointersaddressingdifferentarrays/DoNotSubtractPointersAddressingDifferentArrays.expected index 75866b8503..f9fe72c2a4 100644 --- a/c/common/test/rules/donotsubtractpointersaddressingdifferentarrays/DoNotSubtractPointersAddressingDifferentArrays.expected +++ b/c/common/test/rules/donotsubtractpointersaddressingdifferentarrays/DoNotSubtractPointersAddressingDifferentArrays.expected 
@@ -4,19 +4,27 @@ problems | test.c:13:10:13:11 | p4 | test.c:5:14:5:15 | l2 | test.c:13:10:13:11 | p4 | Subtraction between left operand pointing to array $@ and other operand pointing to array $@. | test.c:3:7:3:8 | l2 | l2 | test.c:2:7:2:8 | l1 | l1 | | test.c:13:15:13:16 | l1 | test.c:13:15:13:16 | l1 | test.c:13:15:13:16 | l1 | Subtraction between right operand pointing to array $@ and other operand pointing to array $@. | test.c:2:7:2:8 | l1 | l1 | test.c:3:7:3:8 | l2 | l2 | edges -| test.c:4:14:4:15 | l1 | test.c:4:14:4:18 | access to array | provenance | Config | -| test.c:4:14:4:18 | access to array | test.c:10:10:10:11 | p1 | provenance | | -| test.c:4:14:4:18 | access to array | test.c:12:10:12:11 | p1 | provenance | | -| test.c:5:14:5:15 | l2 | test.c:5:14:5:19 | access to array | provenance | Config | -| test.c:5:14:5:19 | access to array | test.c:11:10:11:11 | p2 | provenance | | -| test.c:5:14:5:19 | access to array | test.c:12:15:12:16 | p2 | provenance | | -| test.c:5:14:5:19 | access to array | test.c:13:10:13:11 | p4 | provenance | | -| test.c:5:14:5:19 | access to array | test.c:14:10:14:11 | p4 | provenance | | +| test.c:4:13:4:18 | & ... | test.c:4:13:4:18 | & ... | provenance | | +| test.c:4:13:4:18 | & ... | test.c:10:10:10:11 | p1 | provenance | | +| test.c:4:13:4:18 | & ... | test.c:12:10:12:11 | p1 | provenance | | +| test.c:4:14:4:15 | l1 | test.c:4:13:4:18 | & ... | provenance | Config | +| test.c:5:13:5:19 | & ... | test.c:5:13:5:19 | & ... | provenance | | +| test.c:5:13:5:19 | & ... | test.c:6:13:6:14 | p2 | provenance | | +| test.c:5:13:5:19 | & ... | test.c:11:10:11:11 | p2 | provenance | | +| test.c:5:13:5:19 | & ... | test.c:12:15:12:16 | p2 | provenance | | +| test.c:5:14:5:15 | l2 | test.c:5:13:5:19 | & ... 
| provenance | Config |
+| test.c:6:13:6:14 | p2 | test.c:7:13:7:14 | p3 | provenance | |
+| test.c:7:13:7:14 | p3 | test.c:13:10:13:11 | p4 | provenance | |
+| test.c:7:13:7:14 | p3 | test.c:14:10:14:11 | p4 | provenance | |
 nodes
+| test.c:4:13:4:18 | & ... | semmle.label | & ... |
+| test.c:4:13:4:18 | & ... | semmle.label | & ... |
 | test.c:4:14:4:15 | l1 | semmle.label | l1 |
-| test.c:4:14:4:18 | access to array | semmle.label | access to array |
+| test.c:5:13:5:19 | & ... | semmle.label | & ... |
+| test.c:5:13:5:19 | & ... | semmle.label | & ... |
 | test.c:5:14:5:15 | l2 | semmle.label | l2 |
-| test.c:5:14:5:19 | access to array | semmle.label | access to array |
+| test.c:6:13:6:14 | p2 | semmle.label | p2 |
+| test.c:7:13:7:14 | p3 | semmle.label | p3 |
 | test.c:10:10:10:11 | p1 | semmle.label | p1 |
 | test.c:10:15:10:16 | l1 | semmle.label | l1 |
 | test.c:11:10:11:11 | p2 | semmle.label | p2 |
diff --git a/cpp/autosar/src/rules/M5-0-17/PointerSubtractionOnDifferentArrays.ql b/cpp/autosar/src/rules/M5-0-17/PointerSubtractionOnDifferentArrays.ql
index d6d4f6130a..29feaa22d5 100644
--- a/cpp/autosar/src/rules/M5-0-17/PointerSubtractionOnDifferentArrays.ql
+++ b/cpp/autosar/src/rules/M5-0-17/PointerSubtractionOnDifferentArrays.ql
@@ -15,7 +15,7 @@
 import cpp
 import codingstandards.cpp.autosar
-import semmle.code.cpp.dataflow.DataFlow
+import semmle.code.cpp.dataflow.new.DataFlow
 import ArrayToPointerDiffOperandFlow::PathGraph
 module ArrayToPointerDiffOperandConfig implements DataFlow::ConfigSig {
@@ -34,6 +34,8 @@ module ArrayToPointerDiffOperandConfig implements DataFlow::ConfigSig {
 // Add a flow step from the base to the array expression to track pointers to elements of the array.
 exists(ArrayExpr e | e.getArrayBase() = pred.asExpr() and e = succ.asExpr())
 }
+
+ predicate isBarrierIn(DataFlow::Node node) { isSource(node) }
 }
 module ArrayToPointerDiffOperandFlow = DataFlow::Global;
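Review bot: The added `predicate isBarrierIn(DataFlow::Node node) { isSource(node) }` in the second hunk has no comment, and nothing in the module says why incoming flow into a source has to be cut. Presumably it keeps a pointer that is already tracked from one array base from being re-attributed to a later source it passes through, so that every reported path starts at the array nearest the subtraction operand; if that is the intent, record it above the predicate: `// Cut incoming flow at sources so each path starts at the array base nearest the operand.` Separately, the last context line reads `module ArrayToPointerDiffOperandFlow = DataFlow::Global;` with no module argument, which is not valid QL; this is most likely the rendering stripping the `<...>` argument, but it is worth confirming the file itself still carries `DataFlow::Global<ArrayToPointerDiffOperandConfig>`.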
diff --git a/cpp/common/src/codingstandards/cpp/rules/donotsubtractpointersaddressingdifferentarrays/DoNotSubtractPointersAddressingDifferentArrays.qll b/cpp/common/src/codingstandards/cpp/rules/donotsubtractpointersaddressingdifferentarrays/DoNotSubtractPointersAddressingDifferentArrays.qll
index adb9785814..16f9638294 100644
--- a/cpp/common/src/codingstandards/cpp/rules/donotsubtractpointersaddressingdifferentarrays/DoNotSubtractPointersAddressingDifferentArrays.qll
+++ b/cpp/common/src/codingstandards/cpp/rules/donotsubtractpointersaddressingdifferentarrays/DoNotSubtractPointersAddressingDifferentArrays.qll
@@ -6,7 +6,7 @@
 import cpp
 import codingstandards.cpp.Customizations
 import codingstandards.cpp.Exclusions
-import semmle.code.cpp.dataflow.DataFlow
+import semmle.code.cpp.dataflow.new.DataFlow
 import ArrayToPointerDiffOperandFlow::PathGraph
 module ArrayToPointerDiffOperandConfig implements DataFlow::ConfigSig {
@@ -25,6 +25,8 @@ module ArrayToPointerDiffOperandConfig implements DataFlow::ConfigSig {
 // Add a flow step from the base to the array expression to track pointers to elements of the array.
 exists(ArrayExpr e | e.getArrayBase() = pred.asExpr() and e = succ.asExpr())
 }
+
+ predicate isBarrierIn(DataFlow::Node node) { isSource(node) }
 }
 module ArrayToPointerDiffOperandFlow = DataFlow::Global;
diff --git a/cpp/common/test/rules/donotsubtractpointersaddressingdifferentarrays/DoNotSubtractPointersAddressingDifferentArrays.expected b/cpp/common/test/rules/donotsubtractpointersaddressingdifferentarrays/DoNotSubtractPointersAddressingDifferentArrays.expected
index 2d293e6928..89f6cec56a 100644
--- a/cpp/common/test/rules/donotsubtractpointersaddressingdifferentarrays/DoNotSubtractPointersAddressingDifferentArrays.expected
+++ b/cpp/common/test/rules/donotsubtractpointersaddressingdifferentarrays/DoNotSubtractPointersAddressingDifferentArrays.expected
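Review bot: This `ArrayToPointerDiffOperandConfig` is the same module, line for line, as the one in `cpp/autosar/src/rules/M5-0-17/PointerSubtractionOnDifferentArrays.ql`, and the commit had to add the identical `predicate isBarrierIn(DataFlow::Node node) { isSource(node) }` in both places. Every future adjustment to the flow configuration will have to be duplicated the same way, and the two copies can drift apart without any test noticing. Since both already expose the same `ArrayToPointerDiffOperandFlow::PathGraph`, consider having the M5-0-17 query import this `.qll` instead of carrying its own copy. As in the other copy, the new barrier predicate deserves a one-line comment on why incoming flow into sources is cut, for example `// Cut incoming flow at sources so each path starts at the array base nearest the operand.`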
@@ -4,19 +4,27 @@ problems | test.cpp:13:10:13:11 | p4 | test.cpp:5:14:5:15 | l2 | test.cpp:13:10:13:11 | p4 | Subtraction between left operand pointing to array $@ and other operand pointing to array $@. | test.cpp:3:7:3:8 | l2 | l2 | test.cpp:2:7:2:8 | l1 | l1 | | test.cpp:13:15:13:16 | l1 | test.cpp:13:15:13:16 | l1 | test.cpp:13:15:13:16 | l1 | Subtraction between right operand pointing to array $@ and other operand pointing to array $@. | test.cpp:2:7:2:8 | l1 | l1 | test.cpp:3:7:3:8 | l2 | l2 | edges -| test.cpp:4:14:4:15 | l1 | test.cpp:4:14:4:18 | access to array | provenance | Config | -| test.cpp:4:14:4:18 | access to array | test.cpp:10:10:10:11 | p1 | provenance | | -| test.cpp:4:14:4:18 | access to array | test.cpp:12:10:12:11 | p1 | provenance | | -| test.cpp:5:14:5:15 | l2 | test.cpp:5:14:5:19 | access to array | provenance | Config | -| test.cpp:5:14:5:19 | access to array | test.cpp:11:10:11:11 | p2 | provenance | | -| test.cpp:5:14:5:19 | access to array | test.cpp:12:15:12:16 | p2 | provenance | | -| test.cpp:5:14:5:19 | access to array | test.cpp:13:10:13:11 | p4 | provenance | | -| test.cpp:5:14:5:19 | access to array | test.cpp:14:10:14:11 | p4 | provenance | | +| test.cpp:4:13:4:18 | & ... | test.cpp:4:13:4:18 | & ... | provenance | | +| test.cpp:4:13:4:18 | & ... | test.cpp:10:10:10:11 | p1 | provenance | | +| test.cpp:4:13:4:18 | & ... | test.cpp:12:10:12:11 | p1 | provenance | | +| test.cpp:4:14:4:15 | l1 | test.cpp:4:13:4:18 | & ... | provenance | Config | +| test.cpp:5:13:5:19 | & ... | test.cpp:5:13:5:19 | & ... | provenance | | +| test.cpp:5:13:5:19 | & ... | test.cpp:6:13:6:14 | p2 | provenance | | +| test.cpp:5:13:5:19 | & ... | test.cpp:11:10:11:11 | p2 | provenance | | +| test.cpp:5:13:5:19 | & ... | test.cpp:12:15:12:16 | p2 | provenance | | +| test.cpp:5:14:5:15 | l2 | test.cpp:5:13:5:19 | & ... 
| provenance | Config | +| test.cpp:6:13:6:14 | p2 | test.cpp:7:13:7:14 | p3 | provenance | | +| test.cpp:7:13:7:14 | p3 | test.cpp:13:10:13:11 | p4 | provenance | | +| test.cpp:7:13:7:14 | p3 | test.cpp:14:10:14:11 | p4 | provenance | | nodes +| test.cpp:4:13:4:18 | & ... | semmle.label | & ... | +| test.cpp:4:13:4:18 | & ... | semmle.label | & ... | | test.cpp:4:14:4:15 | l1 | semmle.label | l1 | -| test.cpp:4:14:4:18 | access to array | semmle.label | access to array | +| test.cpp:5:13:5:19 | & ... | semmle.label | & ... | +| test.cpp:5:13:5:19 | & ... | semmle.label | & ... | | test.cpp:5:14:5:15 | l2 | semmle.label | l2 | -| test.cpp:5:14:5:19 | access to array | semmle.label | access to array | +| test.cpp:6:13:6:14 | p2 | semmle.label | p2 | +| test.cpp:7:13:7:14 | p3 | semmle.label | p3 | | test.cpp:10:10:10:11 | p1 | semmle.label | p1 | | test.cpp:10:15:10:16 | l1 | semmle.label | l1 | | test.cpp:11:10:11:11 | p2 | semmle.label | p2 | From 8c05d42195930b82a22eed136fcbbc6e09dd15cb Mon Sep 17 00:00:00 2001 From: Jeroen Ketema Date: Tue, 8 Jul 2025 17:55:39 +0200 Subject: [PATCH 30/88] Remove unused dataflow import from IOFstreamMissingPositioning --- .../iofstreammissingpositioning/IOFstreamMissingPositioning.qll | 1 - 1 file changed, 1 deletion(-) diff --git a/cpp/common/src/codingstandards/cpp/rules/iofstreammissingpositioning/IOFstreamMissingPositioning.qll b/cpp/common/src/codingstandards/cpp/rules/iofstreammissingpositioning/IOFstreamMissingPositioning.qll index b26421c72c..b11050e491 100644 --- a/cpp/common/src/codingstandards/cpp/rules/iofstreammissingpositioning/IOFstreamMissingPositioning.qll +++ b/cpp/common/src/codingstandards/cpp/rules/iofstreammissingpositioning/IOFstreamMissingPositioning.qll @@ -5,7 +5,6 @@ */ import cpp -import semmle.code.cpp.dataflow.TaintTracking import codingstandards.cpp.Exclusions import codingstandards.cpp.standardlibrary.FileStreams import codingstandards.cpp.standardlibrary.FileAccess 
From b18c7b4625d35af8e4411b3d5a3531eee81b4f90 Mon Sep 17 00:00:00 2001 From: Jeroen Ketema Date: Tue, 8 Jul 2025 18:01:38 +0200 Subject: [PATCH 31/88] Convert DanglingCaptureWhenReturningLambdaObject to use new dataflow library --- .../DanglingCaptureWhenReturningLambdaObject.qll | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/cpp/common/src/codingstandards/cpp/rules/danglingcapturewhenreturninglambdaobject/DanglingCaptureWhenReturningLambdaObject.qll b/cpp/common/src/codingstandards/cpp/rules/danglingcapturewhenreturninglambdaobject/DanglingCaptureWhenReturningLambdaObject.qll index 4ab01520f6..412a571fe4 100644 --- a/cpp/common/src/codingstandards/cpp/rules/danglingcapturewhenreturninglambdaobject/DanglingCaptureWhenReturningLambdaObject.qll +++ b/cpp/common/src/codingstandards/cpp/rules/danglingcapturewhenreturninglambdaobject/DanglingCaptureWhenReturningLambdaObject.qll @@ -5,7 +5,7 @@ */ import cpp -import semmle.code.cpp.dataflow.DataFlow +import semmle.code.cpp.dataflow.new.DataFlow import codingstandards.cpp.Customizations import codingstandards.cpp.Exclusions From 8ee97ba65fd8b477162d4d01fe0865b6025eb41e Mon Sep 17 00:00:00 2001 From: Jeroen Ketema Date: Tue, 8 Jul 2025 20:11:27 +0200 Subject: [PATCH 32/88] Revert "Convert DanglingCaptureWhenReturningLambdaObject to use new dataflow library" This reverts commit b18c7b4625d35af8e4411b3d5a3531eee81b4f90. This change broke some tests. --- .../DanglingCaptureWhenReturningLambdaObject.qll | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/cpp/common/src/codingstandards/cpp/rules/danglingcapturewhenreturninglambdaobject/DanglingCaptureWhenReturningLambdaObject.qll b/cpp/common/src/codingstandards/cpp/rules/danglingcapturewhenreturninglambdaobject/DanglingCaptureWhenReturningLambdaObject.qll index 412a571fe4..4ab01520f6 100644 --- a/cpp/common/src/codingstandards/cpp/rules/danglingcapturewhenreturninglambdaobject/DanglingCaptureWhenReturningLambdaObject.qll 
+++ b/cpp/common/src/codingstandards/cpp/rules/danglingcapturewhenreturninglambdaobject/DanglingCaptureWhenReturningLambdaObject.qll @@ -5,7 +5,7 @@ */ import cpp -import semmle.code.cpp.dataflow.new.DataFlow +import semmle.code.cpp.dataflow.DataFlow import codingstandards.cpp.Customizations import codingstandards.cpp.Exclusions From 405c43e64a3af4b681cb05291a18f7296790fec3 Mon Sep 17 00:00:00 2001 From: Jeroen Ketema Date: Thu, 10 Jul 2025 13:25:22 +0200 Subject: [PATCH 33/88] Fix FIO40-C regression after incorrectly solving a merge conflict --- c/cert/src/rules/FIO40-C/ResetStringsOnFgetsOrFgetwsFailure.ql | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/c/cert/src/rules/FIO40-C/ResetStringsOnFgetsOrFgetwsFailure.ql b/c/cert/src/rules/FIO40-C/ResetStringsOnFgetsOrFgetwsFailure.ql index 9b0882ac66..b853adba99 100644 --- a/c/cert/src/rules/FIO40-C/ResetStringsOnFgetsOrFgetwsFailure.ql +++ b/c/cert/src/rules/FIO40-C/ResetStringsOnFgetsOrFgetwsFailure.ql @@ -21,7 +21,7 @@ import cpp import codingstandards.cpp.FgetsErrorManagement import codingstandards.cpp.Dereferenced import codingstandards.c.cert -import semmle.code.cpp.dataflow.DataFlow +import semmle.code.cpp.dataflow.new.DataFlow /* * Models calls to `memcpy` `strcpy` `strncpy` and their wrappers From 7c7d6f65240cd174e24a4fbaf58b578f41f2962d Mon Sep 17 00:00:00 2001 From: Jeroen Ketema Date: Thu, 10 Jul 2025 14:19:35 +0200 Subject: [PATCH 34/88] Conver ARR32-C to use the new dataflow library --- .../src/rules/ARR32-C/VariableLengthArraySizeNotInValidRange.ql | 2 +- .../ARR32-C/VariableLengthArraySizeNotInValidRange.expected | 2 -- 2 files changed, 1 insertion(+), 3 deletions(-) diff --git a/c/cert/src/rules/ARR32-C/VariableLengthArraySizeNotInValidRange.ql b/c/cert/src/rules/ARR32-C/VariableLengthArraySizeNotInValidRange.ql index 1356777e5f..9fd4aae3b4 100644 --- a/c/cert/src/rules/ARR32-C/VariableLengthArraySizeNotInValidRange.ql 
+++ b/c/cert/src/rules/ARR32-C/VariableLengthArraySizeNotInValidRange.ql @@ -20,7 +20,7 @@ import cpp import codingstandards.c.cert import codingstandards.cpp.Overflow -import semmle.code.cpp.dataflow.TaintTracking +import semmle.code.cpp.dataflow.new.TaintTracking /** * Gets the maximum size (in bytes) a variable-length array diff --git a/c/cert/test/rules/ARR32-C/VariableLengthArraySizeNotInValidRange.expected b/c/cert/test/rules/ARR32-C/VariableLengthArraySizeNotInValidRange.expected index 1617571bbe..25153f195b 100644 --- a/c/cert/test/rules/ARR32-C/VariableLengthArraySizeNotInValidRange.expected +++ b/c/cert/test/rules/ARR32-C/VariableLengthArraySizeNotInValidRange.expected @@ -1,5 +1,3 @@ -WARNING: module 'DataFlow' has been deprecated and may be removed in future (VariableLengthArraySizeNotInValidRange.ql:110,11-19) -WARNING: module 'TaintTracking' has been deprecated and may be removed in future (VariableLengthArraySizeNotInValidRange.ql:93,5-18) | test.c:14:8:14:8 | VLA declaration | Variable-length array dimension size may be in an invalid range. | | test.c:15:8:15:8 | VLA declaration | Variable-length array dimension size may be in an invalid range. | | test.c:16:8:16:8 | VLA declaration | Variable-length array dimension size may be in an invalid range. | From 1d30fd5527aaa0f7b1cd3448cb9802fed27c4ed9 Mon Sep 17 00:00:00 2001 From: Jeroen Ketema Date: Thu, 10 Jul 2025 16:07:39 +0200 Subject: [PATCH 35/88] Convert DCL30-C to the new dataflow library Observe that this change moves the alert location from the last assignment of an output parameter to the paramter itself, which seems a non-critical change. --- .../DCL30-C/AppropriateStorageDurationsFunctionReturn.ql | 4 ++-- .../AppropriateStorageDurationsFunctionReturn.expected | 7 +------ 2 files changed, 3 insertions(+), 8 deletions(-) 
diff --git a/c/cert/src/rules/DCL30-C/AppropriateStorageDurationsFunctionReturn.ql b/c/cert/src/rules/DCL30-C/AppropriateStorageDurationsFunctionReturn.ql
index 2e1064ee9d..3cbcb30113 100644
--- a/c/cert/src/rules/DCL30-C/AppropriateStorageDurationsFunctionReturn.ql
+++ b/c/cert/src/rules/DCL30-C/AppropriateStorageDurationsFunctionReturn.ql
@@ -19,7 +19,7 @@
 import cpp
 import codingstandards.c.cert
 import codingstandards.c.Objects
-import semmle.code.cpp.dataflow.DataFlow
+import semmle.code.cpp.dataflow.new.DataFlow
 class Source extends Expr {
 ObjectIdentity rootObject;
@@ -34,7 +34,7 @@ class Sink extends DataFlow::Node {
 Sink() {
 //output parameter
 exists(Parameter f |
- f.getAnAccess() = this.(DataFlow::PostUpdateNode).getPreUpdateNode().asExpr() and
+ this.isFinalValueOfParameter(f) and
 f.getUnderlyingType() instanceof PointerType
 )
 or
diff --git a/c/cert/test/rules/DCL30-C/AppropriateStorageDurationsFunctionReturn.expected b/c/cert/test/rules/DCL30-C/AppropriateStorageDurationsFunctionReturn.expected
index a4359d7000..e193e8c8eb 100644
--- a/c/cert/test/rules/DCL30-C/AppropriateStorageDurationsFunctionReturn.expected
+++ b/c/cert/test/rules/DCL30-C/AppropriateStorageDurationsFunctionReturn.expected
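Review bot: The replacement `this.isFinalValueOfParameter(f) and` in the `Sink` hunk changes what the sink denotes, not merely how it is phrased: the removed line matched every post-update of an access to the pointer parameter, whereas the new one matches the value the parameter's pointee holds when the function exits, so a store of a local's address that is overwritten again before the return would presumably no longer be reported, and the alert now lands on the parameter itself (`test.c:12:16:12:20 | *param` in the updated expectations). That is arguably the more precise contract for DCL30-C, but the only explanation left in the code is `//output parameter`; I would state the contract so the next reader does not reintroduce the per-store form: `// The pointee of a pointer-typed parameter as left at function exit; stores that are overwritten before return are not sinks.` The `Sink` characteristic predicate continues past the trailing `or`, so the remaining disjuncts were not reviewed here.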
@@ -1,7 +1,2 @@ -WARNING: module 'DataFlow' has been deprecated and may be removed in future (AppropriateStorageDurationsFunctionReturn.ql:33,20-28) -WARNING: module 'DataFlow' has been deprecated and may be removed in future (AppropriateStorageDurationsFunctionReturn.ql:37,31-39) -WARNING: module 'DataFlow' has been deprecated and may be removed in future (AppropriateStorageDurationsFunctionReturn.ql:50,6-14) -WARNING: module 'DataFlow' has been deprecated and may be removed in future (AppropriateStorageDurationsFunctionReturn.ql:50,26-34) -WARNING: module 'DataFlow' has been deprecated and may be removed in future (AppropriateStorageDurationsFunctionReturn.ql:56,3-11) | test.c:3:10:3:10 | a | $@ with automatic storage may be accessible outside of its lifetime. | test.c:3:10:3:10 | a | a | -| test.c:15:4:15:8 | param [inner post update] | $@ with automatic storage may be accessible outside of its lifetime. | test.c:15:12:15:13 | a2 | a2 | +| test.c:12:16:12:20 | *param | $@ with automatic storage may be accessible outside of its lifetime. | test.c:15:12:15:13 | a2 | a2 | From 43c96a71117894cc77b34f213861d4c788c3330a Mon Sep 17 00:00:00 2001 From: Jeroen Ketema Date: Thu, 10 Jul 2025 16:11:43 +0200 Subject: [PATCH 36/88] Convert ERR32-C to use the new dataflow library --- .../rules/ERR32-C/DoNotRelyOnIndeterminateValuesOfErrno.ql | 2 +- .../ERR32-C/DoNotRelyOnIndeterminateValuesOfErrno.expected | 4 ---- 2 files changed, 1 insertion(+), 5 deletions(-) diff --git a/c/cert/src/rules/ERR32-C/DoNotRelyOnIndeterminateValuesOfErrno.ql b/c/cert/src/rules/ERR32-C/DoNotRelyOnIndeterminateValuesOfErrno.ql index 146d0cb30f..3686895c79 100644 --- a/c/cert/src/rules/ERR32-C/DoNotRelyOnIndeterminateValuesOfErrno.ql +++ b/c/cert/src/rules/ERR32-C/DoNotRelyOnIndeterminateValuesOfErrno.ql 
@@ -20,7 +20,7 @@ import codingstandards.c.cert import codingstandards.c.Errno import codingstandards.c.Signal import semmle.code.cpp.controlflow.Guards -import semmle.code.cpp.dataflow.DataFlow +import semmle.code.cpp.dataflow.new.DataFlow /** * A check on `signal` call return value diff --git a/c/cert/test/rules/ERR32-C/DoNotRelyOnIndeterminateValuesOfErrno.expected b/c/cert/test/rules/ERR32-C/DoNotRelyOnIndeterminateValuesOfErrno.expected index b79a17ca35..da9122cfd4 100644 --- a/c/cert/test/rules/ERR32-C/DoNotRelyOnIndeterminateValuesOfErrno.expected +++ b/c/cert/test/rules/ERR32-C/DoNotRelyOnIndeterminateValuesOfErrno.expected @@ -1,7 +1,3 @@ -WARNING: module 'DataFlow' has been deprecated and may be removed in future (DoNotRelyOnIndeterminateValuesOfErrno.ql:56,7-15) -WARNING: module 'DataFlow' has been deprecated and may be removed in future (DoNotRelyOnIndeterminateValuesOfErrno.ql:56,27-35) -WARNING: module 'DataFlow' has been deprecated and may be removed in future (DoNotRelyOnIndeterminateValuesOfErrno.ql:57,9-17) -WARNING: module 'DataFlow' has been deprecated and may be removed in future (DoNotRelyOnIndeterminateValuesOfErrno.ql:60,9-17) | test.c:12:5:12:10 | call to perror | `errno` has indeterminate value after this $@. | test.c:10:21:10:26 | call to signal | call to signal | | test.c:30:5:30:10 | call to perror | `errno` has indeterminate value after this $@. | test.c:26:21:26:26 | call to signal | call to signal | | test.c:49:5:49:10 | call to perror | `errno` has indeterminate value after this $@. | test.c:45:21:45:26 | call to signal | call to signal | From 15b9143fb5908ce8916549d7b40222dde757c64b Mon Sep 17 00:00:00 2001 From: Jeroen Ketema Date: Thu, 10 Jul 2025 16:14:21 +0200 Subject: [PATCH 37/88] Convert ERR33-C to use the new dataflow library --- .../src/rules/ERR33-C/DetectAndHandleStandardLibraryErrors.ql | 2 +- .../rules/ERR33-C/DetectAndHandleStandardLibraryErrors.expected | 1 - 2 files changed, 1 insertion(+), 2 deletions(-) 
diff --git a/c/cert/src/rules/ERR33-C/DetectAndHandleStandardLibraryErrors.ql b/c/cert/src/rules/ERR33-C/DetectAndHandleStandardLibraryErrors.ql index 5e473b226e..f41222999c 100644 --- a/c/cert/src/rules/ERR33-C/DetectAndHandleStandardLibraryErrors.ql +++ b/c/cert/src/rules/ERR33-C/DetectAndHandleStandardLibraryErrors.ql @@ -20,7 +20,7 @@ import cpp import codingstandards.c.cert import semmle.code.cpp.commons.NULL import codingstandards.cpp.ReadErrorsAndEOF -import semmle.code.cpp.dataflow.DataFlow +import semmle.code.cpp.dataflow.new.DataFlow ComparisonOperation getAValidComparison(string spec) { spec = "=0" and result.(EqualityOperation).getAnOperand().getValue() = "0" diff --git a/c/cert/test/rules/ERR33-C/DetectAndHandleStandardLibraryErrors.expected b/c/cert/test/rules/ERR33-C/DetectAndHandleStandardLibraryErrors.expected index f4006c013e..fbcc44b856 100644 --- a/c/cert/test/rules/ERR33-C/DetectAndHandleStandardLibraryErrors.expected +++ b/c/cert/test/rules/ERR33-C/DetectAndHandleStandardLibraryErrors.expected @@ -1,4 +1,3 @@ -WARNING: module 'DataFlow' has been deprecated and may be removed in future (DetectAndHandleStandardLibraryErrors.ql:459,5-13) | test.c:18:3:18:11 | call to setlocale | Missing error detection for the call to function `setlocale`. | | test.c:24:23:24:31 | call to setlocale | Missing error detection for the call to function `setlocale`. | | test.c:29:22:29:27 | call to calloc | Missing error detection for the call to function `calloc`. | From 9ca601abcdb604bf678cda278b8ea0800a1a4eb2 Mon Sep 17 00:00:00 2001 From: Jeroen Ketema Date: Thu, 10 Jul 2025 16:52:08 +0200 Subject: [PATCH 38/88] Convert EXP37-C to the new dataflow library --- ...CallFunctionPointerWithIncompatibleType.ql | 5 +- ...nctionPointerWithIncompatibleType.expected | 48 ++++++++++++------- 2 files changed, 33 insertions(+), 20 deletions(-) 
diff --git a/c/cert/src/rules/EXP37-C/DoNotCallFunctionPointerWithIncompatibleType.ql b/c/cert/src/rules/EXP37-C/DoNotCallFunctionPointerWithIncompatibleType.ql
index 6d223dab72..b7f751b6bf 100644
--- a/c/cert/src/rules/EXP37-C/DoNotCallFunctionPointerWithIncompatibleType.ql
+++ b/c/cert/src/rules/EXP37-C/DoNotCallFunctionPointerWithIncompatibleType.ql
@@ -18,7 +18,7 @@
 import cpp
 import codingstandards.c.cert
-import semmle.code.cpp.dataflow.DataFlow
+import semmle.code.cpp.dataflow.new.DataFlow
 import SuspectFunctionPointerToCallFlow::PathGraph
 /**
@@ -61,7 +61,8 @@ where
 not isExcluded(src.getNode().asExpr(), ExpressionsPackage::doNotCallFunctionPointerWithIncompatibleTypeQuery()) and
 access = src.getNode().asExpr() and
- SuspectFunctionPointerToCallFlow::flowPath(src, sink)
+ SuspectFunctionPointerToCallFlow::flowPath(src, sink) and
+ not src.getNode().asExpr().getType() = sink.getNode().asExpr().getFullyConverted().getType()
 select src, src, sink,
 "Incompatible function $@ assigned to function pointer is eventually called through the pointer.",
 access.getTarget(), access.getTarget().getName()
diff --git a/c/cert/test/rules/EXP37-C/DoNotCallFunctionPointerWithIncompatibleType.expected b/c/cert/test/rules/EXP37-C/DoNotCallFunctionPointerWithIncompatibleType.expected
index 8daaf8361a..aa5018cdb9 100644
--- a/c/cert/test/rules/EXP37-C/DoNotCallFunctionPointerWithIncompatibleType.expected
+++ b/c/cert/test/rules/EXP37-C/DoNotCallFunctionPointerWithIncompatibleType.expected
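Review bot: The new filter `not src.getNode().asExpr().getType() = sink.getNode().asExpr().getFullyConverted().getType()` in the `where` hunk compares `Type` entities by identity, so a typedef'd or cv-qualified spelling of the same function-pointer type on either side is a distinct entity and the call is still reported as incompatible, which is a false positive for code that routes callbacks through typedefs. Comparing `getUnspecifiedType()` on both sides, `not src.getNode().asExpr().getType().getUnspecifiedType() = sink.getNode().asExpr().getFullyConverted().getType().getUnspecifiedType()`, resolves typedefs and qualifiers before the comparison. The line also carries no comment explaining why it became necessary; judging from the `fns` / `f2` path that appears in the updated `nodes` but not in `#select`, the new library presumably tracks flow into calls whose pointer type already matches the assigned function, and a comment such as `// The new library also reaches calls whose pointer type matches the assigned function; keep only mismatching ones.` would save the next reader from rediscovering that.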
@@ -1,28 +1,40 @@ -WARNING: module 'DataFlow' has been deprecated and may be removed in future (DoNotCallFunctionPointerWithIncompatibleType.ql:45,54-62) -WARNING: module 'DataFlow' has been deprecated and may be removed in future (DoNotCallFunctionPointerWithIncompatibleType.ql:46,22-30) -WARNING: module 'DataFlow' has been deprecated and may be removed in future (DoNotCallFunctionPointerWithIncompatibleType.ql:50,20-28) -WARNING: module 'DataFlow' has been deprecated and may be removed in future (DoNotCallFunctionPointerWithIncompatibleType.ql:55,43-51) edges -| test.c:48:68:48:70 | fns [f1] | test.c:49:3:49:5 | fns [f1] | provenance | | -| test.c:49:3:49:5 | fns [f1] | test.c:49:8:49:9 | f1 | provenance | | -| test.c:61:28:61:29 | f2 | test.c:62:3:62:11 | v1_called | provenance | | -| test.c:73:3:73:5 | fns [post update] [f1] | test.c:75:45:75:48 | & ... [f1] | provenance | | -| test.c:73:3:73:13 | ... = ... | test.c:73:3:73:5 | fns [post update] [f1] | provenance | | +| test.c:48:68:48:70 | *fns [f1] | test.c:49:3:49:5 | *fns [f1] | provenance | | +| test.c:48:68:48:70 | *fns [f2] | test.c:50:3:50:5 | *fns [f2] | provenance | | +| test.c:49:3:49:5 | *fns [f1] | test.c:49:8:49:9 | f1 | provenance | | +| test.c:50:3:50:5 | *fns [f2] | test.c:50:8:50:9 | f2 | provenance | | +| test.c:61:3:61:29 | ... = ... | test.c:62:3:62:11 | v1_called | provenance | | +| test.c:61:15:61:29 | f2 | test.c:61:3:61:29 | ... = ... | provenance | | +| test.c:73:3:73:5 | *fns [post update] [f1] | test.c:74:3:74:5 | *fns [f1] | provenance | | +| test.c:73:3:73:13 | ... = ... | test.c:73:3:73:5 | *fns [post update] [f1] | provenance | | | test.c:73:12:73:13 | v2 | test.c:73:3:73:13 | ... = ... | provenance | | -| test.c:75:45:75:48 | & ... [f1] | test.c:48:68:48:70 | fns [f1] | provenance | | +| test.c:73:12:73:13 | v2 | test.c:74:3:74:13 | ... = ... | provenance | | +| test.c:74:3:74:5 | *fns [f1] | test.c:75:45:75:48 | *& ... 
[f1] | provenance | | +| test.c:74:3:74:5 | *fns [post update] [f2] | test.c:75:45:75:48 | *& ... [f2] | provenance | | +| test.c:74:3:74:13 | ... = ... | test.c:74:3:74:5 | *fns [post update] [f2] | provenance | | +| test.c:75:45:75:48 | *& ... [f1] | test.c:48:68:48:70 | *fns [f1] | provenance | | +| test.c:75:45:75:48 | *& ... [f2] | test.c:48:68:48:70 | *fns [f2] | provenance | | nodes -| test.c:48:68:48:70 | fns [f1] | semmle.label | fns [f1] | -| test.c:49:3:49:5 | fns [f1] | semmle.label | fns [f1] | +| test.c:48:68:48:70 | *fns [f1] | semmle.label | *fns [f1] | +| test.c:48:68:48:70 | *fns [f2] | semmle.label | *fns [f2] | +| test.c:49:3:49:5 | *fns [f1] | semmle.label | *fns [f1] | | test.c:49:8:49:9 | f1 | semmle.label | f1 | -| test.c:61:28:61:29 | f2 | semmle.label | f2 | +| test.c:50:3:50:5 | *fns [f2] | semmle.label | *fns [f2] | +| test.c:50:8:50:9 | f2 | semmle.label | f2 | +| test.c:61:3:61:29 | ... = ... | semmle.label | ... = ... | +| test.c:61:15:61:29 | f2 | semmle.label | f2 | | test.c:62:3:62:11 | v1_called | semmle.label | v1_called | -| test.c:70:9:70:17 | v3_called | semmle.label | v3_called | -| test.c:73:3:73:5 | fns [post update] [f1] | semmle.label | fns [post update] [f1] | +| test.c:70:4:70:17 | v3_called | semmle.label | v3_called | +| test.c:73:3:73:5 | *fns [post update] [f1] | semmle.label | *fns [post update] [f1] | | test.c:73:3:73:13 | ... = ... | semmle.label | ... = ... | | test.c:73:12:73:13 | v2 | semmle.label | v2 | -| test.c:75:45:75:48 | & ... [f1] | semmle.label | & ... [f1] | +| test.c:74:3:74:5 | *fns [f1] | semmle.label | *fns [f1] | +| test.c:74:3:74:5 | *fns [post update] [f2] | semmle.label | *fns [post update] [f2] | +| test.c:74:3:74:13 | ... = ... | semmle.label | ... = ... | +| test.c:75:45:75:48 | *& ... [f1] | semmle.label | *& ... [f1] | +| test.c:75:45:75:48 | *& ... [f2] | semmle.label | *& ... 
[f2] | subpaths #select -| test.c:61:28:61:29 | f2 | test.c:61:28:61:29 | f2 | test.c:62:3:62:11 | v1_called | Incompatible function $@ assigned to function pointer is eventually called through the pointer. | test.c:41:13:41:14 | f2 | f2 | -| test.c:70:9:70:17 | v3_called | test.c:70:9:70:17 | v3_called | test.c:70:9:70:17 | v3_called | Incompatible function $@ assigned to function pointer is eventually called through the pointer. | test.c:58:7:58:15 | v3_called | v3_called | +| test.c:61:15:61:29 | f2 | test.c:61:15:61:29 | f2 | test.c:62:3:62:11 | v1_called | Incompatible function $@ assigned to function pointer is eventually called through the pointer. | test.c:41:13:41:14 | f2 | f2 | +| test.c:70:4:70:17 | v3_called | test.c:70:4:70:17 | v3_called | test.c:70:4:70:17 | v3_called | Incompatible function $@ assigned to function pointer is eventually called through the pointer. | test.c:58:7:58:15 | v3_called | v3_called | | test.c:73:12:73:13 | v2 | test.c:73:12:73:13 | v2 | test.c:49:8:49:9 | f1 | Incompatible function $@ assigned to function pointer is eventually called through the pointer. | test.c:56:7:56:8 | v2 | v2 | From 1309e18b8f6f808cdbea761b4b797a6101475d58 Mon Sep 17 00:00:00 2001 From: Jeroen Ketema Date: Thu, 10 Jul 2025 23:46:19 +0200 Subject: [PATCH 39/88] Convert EXP40-C to the new dataflow library --- .../EXP40-C/DoNotModifyConstantObjects.ql | 2 +- .../DoNotModifyConstantObjects.expected | 45 +++++++++++-------- 2 files changed, 27 insertions(+), 20 deletions(-) diff --git a/c/cert/src/rules/EXP40-C/DoNotModifyConstantObjects.ql b/c/cert/src/rules/EXP40-C/DoNotModifyConstantObjects.ql index 9d8e4b16d4..49b65091f1 100644 --- a/c/cert/src/rules/EXP40-C/DoNotModifyConstantObjects.ql +++ b/c/cert/src/rules/EXP40-C/DoNotModifyConstantObjects.ql 
@@ -17,7 +17,7 @@ import cpp import codingstandards.c.cert -import semmle.code.cpp.dataflow.DataFlow +import semmle.code.cpp.dataflow.new.DataFlow import CastFlow::PathGraph import codingstandards.cpp.SideEffect diff --git a/c/cert/test/rules/EXP40-C/DoNotModifyConstantObjects.expected b/c/cert/test/rules/EXP40-C/DoNotModifyConstantObjects.expected index 2ac874e770..9c668408a5 100644 --- a/c/cert/test/rules/EXP40-C/DoNotModifyConstantObjects.expected +++ b/c/cert/test/rules/EXP40-C/DoNotModifyConstantObjects.expected 
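Review bot: The only change to DoNotModifyConstantObjects.ql is the import path, yet the expected file in this same commit shows every alert element moving from the variable access to the enclosing dereference (`test.c:6:4:6:5 | aa` becomes `test.c:6:3:6:5 | * ...`, `test.c:81:6:81:12 | ... ++` becomes `test.c:81:5:81:12 | * ...`), so the user-facing location changes while the commit message only mentions the library conversion. That is presumably because the unchanged `CastFlow` sources and sinks (outside this hunk, around lines 40-52 per the removed deprecation warnings) are still phrased with `asExpr()`, which the new library resolves differently for pointer-valued expressions; a sentence in the commit message, or a comment on the sink predicate such as `// with the new library the reported element is the dereference, not the accessed variable`, would make the new location intentional rather than incidental. The new path output also lists `test.c:34:13:34:14 | & ...` twice with identical labels and adds a self-edge on it, which the old library did not; that comes from the new library's per-indirection nodes rather than from this query, but it makes the path explanation ambiguous to a reader and is worth confirming is expected.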
@@ -1,33 +1,40 @@ -WARNING: module 'DataFlow' has been deprecated and may be removed in future (DoNotModifyConstantObjects.ql:40,30-38) -WARNING: module 'DataFlow' has been deprecated and may be removed in future (DoNotModifyConstantObjects.ql:41,22-30) -WARNING: module 'DataFlow' has been deprecated and may be removed in future (DoNotModifyConstantObjects.ql:47,20-28) -WARNING: module 'DataFlow' has been deprecated and may be removed in future (DoNotModifyConstantObjects.ql:52,19-27) edges -| test.c:5:8:5:9 | & ... | test.c:6:4:6:5 | aa | provenance | | -| test.c:26:15:26:15 | a | test.c:27:4:27:4 | a | provenance | | +| test.c:5:3:5:9 | ... = ... | test.c:6:3:6:5 | * ... | provenance | | +| test.c:5:8:5:9 | & ... | test.c:5:3:5:9 | ... = ... | provenance | | +| test.c:26:15:26:15 | a | test.c:27:3:27:4 | * ... | provenance | | +| test.c:34:13:34:14 | & ... | test.c:34:13:34:14 | & ... | provenance | | +| test.c:34:13:34:14 | & ... | test.c:37:3:37:10 | ... = ... | provenance | | | test.c:34:13:34:14 | & ... | test.c:39:7:39:8 | p1 | provenance | | +| test.c:37:3:37:10 | ... = ... | test.c:40:7:40:9 | * ... | provenance | | | test.c:39:7:39:8 | p1 | test.c:26:15:26:15 | a | provenance | | | test.c:40:7:40:9 | * ... | test.c:26:15:26:15 | a | provenance | | -| test.c:59:7:59:8 | & ... | test.c:60:4:60:4 | p | provenance | | -| test.c:79:11:79:16 | call to strchr | test.c:81:6:81:12 | ... ++ | provenance | | +| test.c:59:3:59:8 | ... = ... | test.c:60:3:60:4 | * ... | provenance | | +| test.c:59:7:59:8 | & ... | test.c:59:3:59:8 | ... = ... | provenance | | +| test.c:79:3:79:31 | ... = ... | test.c:81:5:81:12 | * ... | provenance | | +| test.c:79:11:79:16 | call to strchr | test.c:79:3:79:31 | ... = ... | provenance | | nodes +| test.c:5:3:5:9 | ... = ... | semmle.label | ... = ... | | test.c:5:8:5:9 | & ... | semmle.label | & ... | -| test.c:6:4:6:5 | aa | semmle.label | aa | +| test.c:6:3:6:5 | * ... | semmle.label | * ... 
| | test.c:26:15:26:15 | a | semmle.label | a | -| test.c:27:4:27:4 | a | semmle.label | a | +| test.c:27:3:27:4 | * ... | semmle.label | * ... | | test.c:34:13:34:14 | & ... | semmle.label | & ... | +| test.c:34:13:34:14 | & ... | semmle.label | & ... | +| test.c:37:3:37:10 | ... = ... | semmle.label | ... = ... | | test.c:39:7:39:8 | p1 | semmle.label | p1 | | test.c:40:7:40:9 | * ... | semmle.label | * ... | +| test.c:59:3:59:8 | ... = ... | semmle.label | ... = ... | | test.c:59:7:59:8 | & ... | semmle.label | & ... | -| test.c:60:4:60:4 | p | semmle.label | p | -| test.c:74:12:74:12 | s | semmle.label | s | +| test.c:60:3:60:4 | * ... | semmle.label | * ... | +| test.c:74:3:74:12 | * ... | semmle.label | * ... | +| test.c:79:3:79:31 | ... = ... | semmle.label | ... = ... | | test.c:79:11:79:16 | call to strchr | semmle.label | call to strchr | -| test.c:81:6:81:12 | ... ++ | semmle.label | ... ++ | +| test.c:81:5:81:12 | * ... | semmle.label | * ... | subpaths #select -| test.c:6:4:6:5 | aa | test.c:5:8:5:9 | & ... | test.c:6:4:6:5 | aa | Const variable assigned with non const-value. | -| test.c:27:4:27:4 | a | test.c:34:13:34:14 | & ... | test.c:27:4:27:4 | a | Const variable assigned with non const-value. | -| test.c:27:4:27:4 | a | test.c:40:7:40:9 | * ... | test.c:27:4:27:4 | a | Const variable assigned with non const-value. | -| test.c:60:4:60:4 | p | test.c:59:7:59:8 | & ... | test.c:60:4:60:4 | p | Const variable assigned with non const-value. | -| test.c:74:12:74:12 | s | test.c:74:12:74:12 | s | test.c:74:12:74:12 | s | Const variable assigned with non const-value. | -| test.c:81:6:81:12 | ... ++ | test.c:79:11:79:16 | call to strchr | test.c:81:6:81:12 | ... ++ | Const variable assigned with non const-value. | +| test.c:6:3:6:5 | * ... | test.c:5:8:5:9 | & ... | test.c:6:3:6:5 | * ... | Const variable assigned with non const-value. | +| test.c:27:3:27:4 | * ... | test.c:34:13:34:14 | & ... | test.c:27:3:27:4 | * ... 
| Const variable assigned with non const-value. | +| test.c:27:3:27:4 | * ... | test.c:40:7:40:9 | * ... | test.c:27:3:27:4 | * ... | Const variable assigned with non const-value. | +| test.c:60:3:60:4 | * ... | test.c:59:7:59:8 | & ... | test.c:60:3:60:4 | * ... | Const variable assigned with non const-value. | +| test.c:74:3:74:12 | * ... | test.c:74:3:74:12 | * ... | test.c:74:3:74:12 | * ... | Const variable assigned with non const-value. | +| test.c:81:5:81:12 | * ... | test.c:79:11:79:16 | call to strchr | test.c:81:5:81:12 | * ... | Const variable assigned with non const-value. | From 25571ec3b49f04b2020fd7d275c7dddb286e26f9 Mon Sep 17 00:00:00 2001 From: Jeroen Ketema Date: Thu, 10 Jul 2025 23:57:15 +0200 Subject: [PATCH 40/88] Convert FIO44-C to the new dataflow library --- .../OnlyUseValuesForFsetposThatAreReturnedFromFgetpos.ql | 8 ++++---- ...UseValuesForFsetposThatAreReturnedFromFgetpos.expected | 5 ----- 2 files changed, 4 insertions(+), 9 deletions(-) diff --git a/c/cert/src/rules/FIO44-C/OnlyUseValuesForFsetposThatAreReturnedFromFgetpos.ql b/c/cert/src/rules/FIO44-C/OnlyUseValuesForFsetposThatAreReturnedFromFgetpos.ql index bc0a417bd0..700aaf2cf5 100644 --- a/c/cert/src/rules/FIO44-C/OnlyUseValuesForFsetposThatAreReturnedFromFgetpos.ql +++ b/c/cert/src/rules/FIO44-C/OnlyUseValuesForFsetposThatAreReturnedFromFgetpos.ql @@ -17,7 +17,7 @@ import cpp import codingstandards.c.cert -import semmle.code.cpp.dataflow.DataFlow +import semmle.code.cpp.dataflow.new.DataFlow class FgetposCall extends FunctionCall { FgetposCall() { this.getTarget().hasGlobalOrStdName("fgetpos") } 
@@ -30,12 +30,12 @@ class FsetposCall extends FunctionCall { module FposDFConfig implements DataFlow::ConfigSig { predicate isSource(DataFlow::Node source) { // source must be the second parameter of a FgetposCall call - source = DataFlow::definitionByReferenceNodeFromArgument(any(FgetposCall c).getArgument(1)) + source.asDefiningArgument() = any(FgetposCall c).getArgument(1) } predicate isSink(DataFlow::Node sink) { // sink must be the second parameter of a FsetposCall call - sink.asExpr() = any(FsetposCall c).getArgument(1) + sink.asIndirectExpr() = any(FsetposCall c).getArgument(1) } } @@ -45,6 +45,6 @@ from FsetposCall fsetpos where not isExcluded(fsetpos.getArgument(1), IO2Package::onlyUseValuesForFsetposThatAreReturnedFromFgetposQuery()) and - not FposDFFlow::flowToExpr(fsetpos.getArgument(1)) + not exists(DataFlow::Node n | n.asIndirectExpr() = fsetpos.getArgument(1) | FposDFFlow::flowTo(n)) select fsetpos.getArgument(1), "The position argument of a call to `fsetpos()` should be obtained from a call to `fgetpos()`." diff --git a/c/cert/test/rules/FIO44-C/OnlyUseValuesForFsetposThatAreReturnedFromFgetpos.expected b/c/cert/test/rules/FIO44-C/OnlyUseValuesForFsetposThatAreReturnedFromFgetpos.expected index ec05727161..8074710738 100644 --- a/c/cert/test/rules/FIO44-C/OnlyUseValuesForFsetposThatAreReturnedFromFgetpos.expected +++ b/c/cert/test/rules/FIO44-C/OnlyUseValuesForFsetposThatAreReturnedFromFgetpos.expected 
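Review bot: The comments on the converted source and sink in `FposDFConfig` now describe the wrong thing: `source.asDefiningArgument() = any(FgetposCall c).getArgument(1)` selects the position object written through the second argument once the `fgetpos` call returns, not the argument expression itself, so `// source must be the second parameter of a FgetposCall call` would read better as `// source is the position object written through the second argument of a FgetposCall`, and `asIndirectExpr()` on the sink likewise tracks the pointed-to object rather than the `&pos` expression. Both the sink and the `not exists(DataFlow::Node n | n.asIndirectExpr() = fsetpos.getArgument(1) | ...)` guard in the second hunk use the unindexed `asIndirectExpr()`, which — if it behaves like `asIndirectExpr(_)` as it appears to — accepts any indirection depth, whereas the RULE-21-14 conversion later in this series pins `asIndirectExpr(1)`; pinning the index here too, or commenting why any depth is wanted, would keep the two queries consistent. Because this query reports the absence of flow, a source or sink that fails to bind surfaces as a false positive rather than a missed alert; the unchanged pair of results in the expected file suggests the bindings hold for the existing test cases, but a COMPLIANT case that passes the position through a helper function would exercise the indirection handling directly.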
@@ -1,7 +1,2 @@ -WARNING: module 'DataFlow' has been deprecated and may be removed in future (OnlyUseValuesForFsetposThatAreReturnedFromFgetpos.ql:30,32-40) -WARNING: module 'DataFlow' has been deprecated and may be removed in future (OnlyUseValuesForFsetposThatAreReturnedFromFgetpos.ql:31,22-30) -WARNING: module 'DataFlow' has been deprecated and may be removed in future (OnlyUseValuesForFsetposThatAreReturnedFromFgetpos.ql:33,14-22) -WARNING: module 'DataFlow' has been deprecated and may be removed in future (OnlyUseValuesForFsetposThatAreReturnedFromFgetpos.ql:36,20-28) -WARNING: module 'DataFlow' has been deprecated and may be removed in future (OnlyUseValuesForFsetposThatAreReturnedFromFgetpos.ql:42,21-29) | test.c:7:24:7:30 | & ... | The position argument of a call to `fsetpos()` should be obtained from a call to `fgetpos()`. | | test.c:33:24:33:30 | & ... | The position argument of a call to `fsetpos()` should be obtained from a call to `fgetpos()`. | From 3cb8899d4d30c0b8d05d87e751b69083cd7cc307 Mon Sep 17 00:00:00 2001 From: Jeroen Ketema Date: Fri, 11 Jul 2025 00:03:28 +0200 Subject: [PATCH 41/88] Convert MEM35-C to the new dataflow library --- .../src/rules/MEM35-C/InsufficientMemoryAllocatedForObject.ql | 2 +- .../rules/MEM35-C/InsufficientMemoryAllocatedForObject.expected | 2 -- 2 files changed, 1 insertion(+), 3 deletions(-) diff --git a/c/cert/src/rules/MEM35-C/InsufficientMemoryAllocatedForObject.ql b/c/cert/src/rules/MEM35-C/InsufficientMemoryAllocatedForObject.ql index 06fd267560..2f937607e3 100644 --- a/c/cert/src/rules/MEM35-C/InsufficientMemoryAllocatedForObject.ql +++ b/c/cert/src/rules/MEM35-C/InsufficientMemoryAllocatedForObject.ql @@ -21,7 +21,7 @@ import cpp import codingstandards.c.cert import codingstandards.cpp.Overflow import semmle.code.cpp.controlflow.Guards -import semmle.code.cpp.dataflow.TaintTracking +import semmle.code.cpp.dataflow.new.TaintTracking import semmle.code.cpp.models.Models /** 
diff --git a/c/cert/test/rules/MEM35-C/InsufficientMemoryAllocatedForObject.expected b/c/cert/test/rules/MEM35-C/InsufficientMemoryAllocatedForObject.expected
index 86bdeedf5f..30dece9299 100644
--- a/c/cert/test/rules/MEM35-C/InsufficientMemoryAllocatedForObject.expected
+++ b/c/cert/test/rules/MEM35-C/InsufficientMemoryAllocatedForObject.expected
@@ -1,5 +1,3 @@
-WARNING: module 'TaintTracking' has been deprecated and may be removed in future (InsufficientMemoryAllocatedForObject.ql:90,5-18)
-WARNING: module 'TaintTracking' has been deprecated and may be removed in future (InsufficientMemoryAllocatedForObject.ql:148,5-18)
 | test.c:12:19:12:24 | call to malloc | Allocation size (32 bytes) is not a multiple of the size of 'S1' (36 bytes). | test.c:12:26:12:32 | 32 | |
 | test.c:15:19:15:24 | call to malloc | Allocation size calculated from the size of a different type ($@). | test.c:15:26:15:35 | sizeof() | sizeof(S1 *) |
 | test.c:20:19:20:24 | call to malloc | Allocation size (128 bytes) is not a multiple of the size of 'S1' (36 bytes). | test.c:20:26:20:36 | ... * ... | |
From f8daf8cf87bd7c0497259e57d0132a988fd245de Mon Sep 17 00:00:00 2001
From: Jeroen Ketema
Date: Fri, 11 Jul 2025 00:08:38 +0200
Subject: [PATCH 42/88] Convert MEM36-C to the new dataflow library
---
 ...DoNotModifyAlignmentOfMemoryWithRealloc.ql | 2 +-
 ...odifyAlignmentOfMemoryWithRealloc.expected | 19 +++++++++++--------
 2 files changed, 12 insertions(+), 9 deletions(-)
diff --git a/c/cert/src/rules/MEM36-C/DoNotModifyAlignmentOfMemoryWithRealloc.ql b/c/cert/src/rules/MEM36-C/DoNotModifyAlignmentOfMemoryWithRealloc.ql
index 90c34a44a2..e6d7cfe07d 100644
--- a/c/cert/src/rules/MEM36-C/DoNotModifyAlignmentOfMemoryWithRealloc.ql
+++ b/c/cert/src/rules/MEM36-C/DoNotModifyAlignmentOfMemoryWithRealloc.ql
@@ -20,7 +20,7 @@ import cpp import codingstandards.c.cert import codingstandards.cpp.Alignment -import semmle.code.cpp.dataflow.DataFlow +import semmle.code.cpp.dataflow.new.DataFlow import AlignedAllocToReallocFlow::PathGraph int getStatedValue(Expr e) { diff --git a/c/cert/test/rules/MEM36-C/DoNotModifyAlignmentOfMemoryWithRealloc.expected b/c/cert/test/rules/MEM36-C/DoNotModifyAlignmentOfMemoryWithRealloc.expected index 587ae786d1..6b71a8a76c 100644 --- a/c/cert/test/rules/MEM36-C/DoNotModifyAlignmentOfMemoryWithRealloc.expected +++ b/c/cert/test/rules/MEM36-C/DoNotModifyAlignmentOfMemoryWithRealloc.expected 
@@ -1,20 +1,23 @@ -WARNING: module 'DataFlow' has been deprecated and may be removed in future (DoNotModifyAlignmentOfMemoryWithRealloc.ql:31,36-44) -WARNING: module 'DataFlow' has been deprecated and may be removed in future (DoNotModifyAlignmentOfMemoryWithRealloc.ql:45,47-55) -WARNING: module 'DataFlow' has been deprecated and may be removed in future (DoNotModifyAlignmentOfMemoryWithRealloc.ql:46,22-30) -WARNING: module 'DataFlow' has been deprecated and may be removed in future (DoNotModifyAlignmentOfMemoryWithRealloc.ql:50,20-28) -WARNING: module 'DataFlow' has been deprecated and may be removed in future (DoNotModifyAlignmentOfMemoryWithRealloc.ql:55,36-44) edges -| test.c:5:10:5:22 | call to aligned_alloc | test.c:15:8:15:28 | call to aligned_alloc_wrapper | provenance | | +| test.c:4:7:4:27 | *aligned_alloc_wrapper | test.c:15:8:15:28 | call to aligned_alloc_wrapper | provenance | | +| test.c:5:10:5:22 | call to aligned_alloc | test.c:4:7:4:27 | *aligned_alloc_wrapper | provenance | | +| test.c:5:10:5:22 | call to aligned_alloc | test.c:5:10:5:22 | call to aligned_alloc | provenance | | | test.c:8:29:8:31 | ptr | test.c:8:64:8:66 | ptr | provenance | | -| test.c:15:8:15:28 | call to aligned_alloc_wrapper | test.c:16:24:16:25 | v1 | provenance | | +| test.c:15:3:15:36 | ... = ... | test.c:16:24:16:25 | v1 | provenance | | +| test.c:15:8:15:28 | call to aligned_alloc_wrapper | test.c:15:3:15:36 | ... = ... | provenance | | | test.c:16:24:16:25 | v1 | test.c:8:29:8:31 | ptr | provenance | | -| test.c:22:8:22:20 | call to aligned_alloc | test.c:23:16:23:17 | v3 | provenance | | +| test.c:22:3:22:28 | ... = ... | test.c:23:16:23:17 | v3 | provenance | | +| test.c:22:8:22:20 | call to aligned_alloc | test.c:22:3:22:28 | ... = ... 
| provenance | | nodes +| test.c:4:7:4:27 | *aligned_alloc_wrapper | semmle.label | *aligned_alloc_wrapper | +| test.c:5:10:5:22 | call to aligned_alloc | semmle.label | call to aligned_alloc | | test.c:5:10:5:22 | call to aligned_alloc | semmle.label | call to aligned_alloc | | test.c:8:29:8:31 | ptr | semmle.label | ptr | | test.c:8:64:8:66 | ptr | semmle.label | ptr | +| test.c:15:3:15:36 | ... = ... | semmle.label | ... = ... | | test.c:15:8:15:28 | call to aligned_alloc_wrapper | semmle.label | call to aligned_alloc_wrapper | | test.c:16:24:16:25 | v1 | semmle.label | v1 | +| test.c:22:3:22:28 | ... = ... | semmle.label | ... = ... | | test.c:22:8:22:20 | call to aligned_alloc | semmle.label | call to aligned_alloc | | test.c:23:16:23:17 | v3 | semmle.label | v3 | subpaths From 892413781ee5dd50e2c0a54dc6c66862de119e7e Mon Sep 17 00:00:00 2001 From: Jeroen Ketema Date: Fri, 11 Jul 2025 00:17:33 +0200 Subject: [PATCH 43/88] Convert SIG30-C to the new dataflow library --- .../SIG30-C/CallOnlyAsyncSafeFunctionsWithinSignalHandlers.ql | 2 +- .../CallOnlyAsyncSafeFunctionsWithinSignalHandlers.expected | 3 --- 2 files changed, 1 insertion(+), 4 deletions(-) diff --git a/c/cert/src/rules/SIG30-C/CallOnlyAsyncSafeFunctionsWithinSignalHandlers.ql b/c/cert/src/rules/SIG30-C/CallOnlyAsyncSafeFunctionsWithinSignalHandlers.ql index 4cc0f9e32c..dfa0e5d199 100644 --- a/c/cert/src/rules/SIG30-C/CallOnlyAsyncSafeFunctionsWithinSignalHandlers.ql +++ b/c/cert/src/rules/SIG30-C/CallOnlyAsyncSafeFunctionsWithinSignalHandlers.ql @@ -19,7 +19,7 @@ import cpp import codingstandards.c.cert import codingstandards.c.Signal -import semmle.code.cpp.dataflow.DataFlow +import semmle.code.cpp.dataflow.new.DataFlow /** * Does not access an external variable except diff --git a/c/cert/test/rules/SIG30-C/CallOnlyAsyncSafeFunctionsWithinSignalHandlers.expected b/c/cert/test/rules/SIG30-C/CallOnlyAsyncSafeFunctionsWithinSignalHandlers.expected index 4898448814..a601fe63f4 100644 
--- a/c/cert/test/rules/SIG30-C/CallOnlyAsyncSafeFunctionsWithinSignalHandlers.expected +++ b/c/cert/test/rules/SIG30-C/CallOnlyAsyncSafeFunctionsWithinSignalHandlers.expected @@ -1,6 +1,3 @@ -WARNING: module 'DataFlow' has been deprecated and may be removed in future (CallOnlyAsyncSafeFunctionsWithinSignalHandlers.ql:110,11-19) -WARNING: module 'DataFlow' has been deprecated and may be removed in future (CallOnlyAsyncSafeFunctionsWithinSignalHandlers.ql:110,31-39) -WARNING: module 'DataFlow' has been deprecated and may be removed in future (CallOnlyAsyncSafeFunctionsWithinSignalHandlers.ql:111,9-17) | test.c:10:3:10:18 | call to log_local_unsafe | Asyncronous-unsafe function calls within a $@ can lead to undefined behavior. | test.c:16:7:16:12 | call to signal | signal handler | | test.c:11:3:11:6 | call to free | Asyncronous-unsafe function calls within a $@ can lead to undefined behavior. | test.c:16:7:16:12 | call to signal | signal handler | | test.c:46:3:46:9 | call to longjmp | Asyncronous-unsafe function calls within a $@ can lead to undefined behavior. | test.c:50:7:50:12 | call to signal | signal handler | From 686507849bcca93fc6d5baa4bf0bb9ad6470aff7 Mon Sep 17 00:00:00 2001 From: Jeroen Ketema Date: Fri, 11 Jul 2025 00:26:46 +0200 Subject: [PATCH 44/88] Convert SIG35-C to the new dataflow library --- .../SIG35-C/DoNotReturnFromAComputationalExceptionHandler.ql | 2 +- .../DoNotReturnFromAComputationalExceptionHandler.expected | 1 - 2 files changed, 1 insertion(+), 2 deletions(-) diff --git a/c/cert/src/rules/SIG35-C/DoNotReturnFromAComputationalExceptionHandler.ql b/c/cert/src/rules/SIG35-C/DoNotReturnFromAComputationalExceptionHandler.ql index bd65019f98..b00fb33844 100644 --- a/c/cert/src/rules/SIG35-C/DoNotReturnFromAComputationalExceptionHandler.ql +++ b/c/cert/src/rules/SIG35-C/DoNotReturnFromAComputationalExceptionHandler.ql 
@@ -19,7 +19,7 @@ import cpp import codingstandards.c.cert import codingstandards.c.Signal -import semmle.code.cpp.dataflow.DataFlow +import semmle.code.cpp.dataflow.new.DataFlow /** * CFG nodes preceeding a `ReturnStmt` diff --git a/c/cert/test/rules/SIG35-C/DoNotReturnFromAComputationalExceptionHandler.expected b/c/cert/test/rules/SIG35-C/DoNotReturnFromAComputationalExceptionHandler.expected index fb78049d25..31412c466a 100644 --- a/c/cert/test/rules/SIG35-C/DoNotReturnFromAComputationalExceptionHandler.expected +++ b/c/cert/test/rules/SIG35-C/DoNotReturnFromAComputationalExceptionHandler.expected @@ -1,2 +1 @@ -WARNING: module 'DataFlow' has been deprecated and may be removed in future (DoNotReturnFromAComputationalExceptionHandler.ql:44,5-13) | test.c:10:1:10:1 | return ... | Do not return from a $@ signal handler. | test.c:13:10:13:15 | SIGFPE | computational exception | From 0910b4f3b28fc0555bdee1d0f0c6209701d20a7b Mon Sep 17 00:00:00 2001 From: Jeroen Ketema Date: Fri, 11 Jul 2025 00:30:06 +0200 Subject: [PATCH 45/88] Convert Signal library to the new data flow library The `getReassertingCall` predicate is only used by SIG34-C, whose tests still pass. --- c/common/src/codingstandards/c/Signal.qll | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/c/common/src/codingstandards/c/Signal.qll b/c/common/src/codingstandards/c/Signal.qll index 2a570b654f..2f7844ab11 100644 --- a/c/common/src/codingstandards/c/Signal.qll +++ b/c/common/src/codingstandards/c/Signal.qll @@ -1,5 +1,5 @@ import cpp -private import semmle.code.cpp.dataflow.DataFlow +private import semmle.code.cpp.dataflow.new.DataFlow /** * A signal corresponding to a computational exception From 7b5eba0c0306d8ffe6b2b738964116deda54fd66 Mon Sep 17 00:00:00 2001 
From: Jeroen Ketema
Date: Fri, 11 Jul 2025 15:12:37 +0200
Subject: [PATCH 46/88] Convert RULE-13-2 to the new dataflow library
---
 c/misra/src/rules/RULE-13-2/UnsequencedAtomicReads.ql | 2 +-
 c/misra/test/rules/RULE-13-2/UnsequencedAtomicReads.expected | 3 ---
 2 files changed, 1 insertion(+), 4 deletions(-)
diff --git a/c/misra/src/rules/RULE-13-2/UnsequencedAtomicReads.ql b/c/misra/src/rules/RULE-13-2/UnsequencedAtomicReads.ql
index 86756668a8..b55f5ec16a 100644
--- a/c/misra/src/rules/RULE-13-2/UnsequencedAtomicReads.ql
+++ b/c/misra/src/rules/RULE-13-2/UnsequencedAtomicReads.ql
@@ -13,7 +13,7 @@
 */
 import cpp
-import semmle.code.cpp.dataflow.TaintTracking
+import semmle.code.cpp.dataflow.new.TaintTracking
 import codingstandards.c.misra
 import codingstandards.c.Ordering
 import codingstandards.c.orderofevaluation.VariableAccessOrdering
diff --git a/c/misra/test/rules/RULE-13-2/UnsequencedAtomicReads.expected b/c/misra/test/rules/RULE-13-2/UnsequencedAtomicReads.expected
index 4fa06eb069..0b8d5daca8 100644
--- a/c/misra/test/rules/RULE-13-2/UnsequencedAtomicReads.expected
+++ b/c/misra/test/rules/RULE-13-2/UnsequencedAtomicReads.expected
@@ -1,5 +1,2 @@
-WARNING: module 'DataFlow' has been deprecated and may be removed in future (UnsequencedAtomicReads.ql:112,31-39)
-WARNING: module 'DataFlow' has been deprecated and may be removed in future (UnsequencedAtomicReads.ql:112,67-75)
-WARNING: module 'TaintTracking' has been deprecated and may be removed in future (UnsequencedAtomicReads.ql:112,5-18)
 | test.c:44:12:44:18 | ... + ... | Atomic variable $@ has a $@ that is unsequenced with $@. | test.c:42:15:42:16 | a1 | a1 | test.c:44:12:44:13 | a1 | previous read | test.c:44:17:44:18 | a1 | another read |
 | test.c:46:3:46:37 | ... + ... | Atomic variable $@ has a $@ that is unsequenced with $@. | test.c:42:15:42:16 | a1 | a1 | test.c:46:16:46:17 | a1 | previous read | test.c:46:35:46:36 | a1 | another read |
From dc76e3c0388f1bf7e95ccff59bc40d5f4654ef4b Mon Sep 17 00:00:00 2001 From: Jeroen Ketema Date: Fri, 11 Jul 2025 17:02:04 +0200 Subject: [PATCH 47/88] Convert RULE-21-14 to the new dataflow library Observe that the special case for global variables is no longer needed, as these are properly handled in the new dataflow library. --- ...emcmpUsedToCompareNullTerminatedStrings.ql | 22 ++--- ...sedToCompareNullTerminatedStrings.expected | 88 ++++++++++++------- 2 files changed, 61 insertions(+), 49 deletions(-) diff --git a/c/misra/src/rules/RULE-21-14/MemcmpUsedToCompareNullTerminatedStrings.ql b/c/misra/src/rules/RULE-21-14/MemcmpUsedToCompareNullTerminatedStrings.ql index b487f5b9b5..f5f5e134fd 100644 --- a/c/misra/src/rules/RULE-21-14/MemcmpUsedToCompareNullTerminatedStrings.ql +++ b/c/misra/src/rules/RULE-21-14/MemcmpUsedToCompareNullTerminatedStrings.ql @@ -16,13 +16,13 @@ import cpp import codingstandards.c.misra import codingstandards.c.misra.EssentialTypes -import semmle.code.cpp.dataflow.TaintTracking +import semmle.code.cpp.dataflow.new.TaintTracking import NullTerminatedStringToMemcmpFlow::PathGraph // Data flow from a StringLiteral or from an array of characters, to a memcmp call module NullTerminatedStringToMemcmpConfig implements DataFlow::ConfigSig { predicate isSource(DataFlow::Node source) { - source.asExpr() instanceof StringLiteral + source.asIndirectExpr(1) instanceof StringLiteral or exists(Variable v, ArrayAggregateLiteral aal | aal = v.getInitializer().getExpr() and 
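Review bot: The two `isSource` alternatives in `NullTerminatedStringToMemcmpConfig` now sit at different indirection levels — `source.asIndirectExpr(1) instanceof StringLiteral` for string literals, but still `aal = source.asExpr()` for the array-aggregate case (that branch is in the next hunk; the module body continues past this one) — and the expected results in this commit show the effect: the array sources are reported as a single-column `{...}` (`test.c:18:27:18:27`, `test.c:6:25:6:25`) instead of the whole initializer `test.c:18:15:18:28` as before, so the `$@ ... null-terminated string` link in the alert now points at a different element. If that is intended, a comment next to the two alternatives such as `// string literals are tracked through their first indirection; aggregate initializers are tracked as values` would explain why they differ; if it is not, the aggregate branch probably needs the same indirection treatment as the literal branch. The commit message's claim that the global-variable special case is no longer needed is borne out by the new `test.c:16` results flowing from the `test.c:6` and `test.c:7` initializers.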
@@ -31,26 +31,14 @@ module NullTerminatedStringToMemcmpConfig implements DataFlow::ConfigSig { // Includes a null terminator somewhere in the array initializer aal.getAnElementExpr(_).getValue().toInt() = 0 | - // For local variables, use the array aggregate literal as the source aal = source.asExpr() - or - // ArrayAggregateLiterals used as initializers for global variables are not viable sources - // for global data flow, so we instead report variable accesses as sources, where the variable - // is constant or is not assigned in the program - v instanceof GlobalVariable and - source.asExpr() = v.getAnAccess() and - ( - v.isConst() - or - not exists(Expr e | e = v.getAnAssignedValue() and not e = aal) - ) ) } predicate isSink(DataFlow::Node sink) { exists(FunctionCall memcmp | memcmp.getTarget().hasGlobalOrStdName("memcmp") and - sink.asExpr() = memcmp.getArgument([0, 1]) + sink.asIndirectExpr() = memcmp.getArgument([0, 1]) ) } } @@ -67,8 +55,8 @@ from where not isExcluded(memcmp, EssentialTypesPackage::memcmpUsedToCompareNullTerminatedStringsQuery()) and memcmp.getTarget().hasGlobalOrStdName("memcmp") and - arg1.getNode().asExpr() = memcmp.getArgument(0) and - arg2.getNode().asExpr() = memcmp.getArgument(1) and + arg1.getNode().asIndirectExpr(1) = memcmp.getArgument(0) and + arg2.getNode().asIndirectExpr(1) = memcmp.getArgument(1) and // There is a path from a null-terminated string to each argument NullTerminatedStringToMemcmpFlow::flowPath(source1, arg1) and NullTerminatedStringToMemcmpFlow::flowPath(source2, arg2) and diff --git a/c/misra/test/rules/RULE-21-14/MemcmpUsedToCompareNullTerminatedStrings.expected b/c/misra/test/rules/RULE-21-14/MemcmpUsedToCompareNullTerminatedStrings.expected index 5ae49919a9..7fbb4e322a 100644 --- a/c/misra/test/rules/RULE-21-14/MemcmpUsedToCompareNullTerminatedStrings.expected +++ b/c/misra/test/rules/RULE-21-14/MemcmpUsedToCompareNullTerminatedStrings.expected 
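Review bot: The sink in the second hunk binds the unindexed `sink.asIndirectExpr() = memcmp.getArgument([0, 1])`, while the select clause in the third hunk binds `arg1.getNode().asIndirectExpr(1)` and `arg2.getNode().asIndirectExpr(1)`; if `asIndirectExpr()` accepts any indirection index, as it appears to, a path that reaches an argument at a different depth satisfies `flowPath` but never binds `arg1`/`arg2`, and the alert is silently dropped instead of being reported. Using `sink.asIndirectExpr(1) = memcmp.getArgument([0, 1])` keeps the configuration and the select clause in lockstep (the `isSource` predicate whose tail opens the first of these hunks starts outside it). The removed global-variable branch carried comments explaining why it existed; a one-line comment on the remaining `aal = source.asExpr()` saying that initializers of global arrays are now handled by the library itself would preserve that knowledge for the next reader.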
@@ -1,38 +1,62 @@ -WARNING: module 'DataFlow' has been deprecated and may be removed in future (MemcmpUsedToCompareNullTerminatedStrings.ql:23,54-62) -WARNING: module 'DataFlow' has been deprecated and may be removed in future (MemcmpUsedToCompareNullTerminatedStrings.ql:24,22-30) -WARNING: module 'DataFlow' has been deprecated and may be removed in future (MemcmpUsedToCompareNullTerminatedStrings.ql:50,20-28) -WARNING: module 'TaintTracking' has been deprecated and may be removed in future (MemcmpUsedToCompareNullTerminatedStrings.ql:58,43-56) edges -| test.c:12:13:12:15 | a | test.c:14:10:14:10 | a | provenance | | -| test.c:12:13:12:15 | a | test.c:23:13:23:13 | a | provenance | | -| test.c:12:13:12:15 | a | test.c:24:10:24:10 | a | provenance | | -| test.c:13:13:13:15 | b | test.c:14:13:14:13 | b | provenance | | -| test.c:18:15:18:28 | {...} | test.c:21:10:21:10 | e | provenance | | -| test.c:19:15:19:28 | {...} | test.c:21:13:21:13 | f | provenance | | +| test.c:6:6:6:6 | *c | test.c:6:15:6:17 | 97 | provenance | | +| test.c:6:6:6:6 | *c | test.c:16:10:16:10 | *c | provenance | | +| test.c:6:6:6:6 | *c | test.c:26:13:26:13 | *c | provenance | | +| test.c:6:6:6:6 | *c | test.c:27:10:27:10 | *c | provenance | | +| test.c:6:14:6:26 | {...} | test.c:6:6:6:6 | *c | provenance | | +| test.c:6:15:6:17 | 97 | test.c:6:20:6:22 | 98 | provenance | | +| test.c:6:20:6:22 | 98 | test.c:6:25:6:25 | {...} | provenance | | +| test.c:6:25:6:25 | {...} | test.c:6:14:6:26 | {...} | provenance | | +| test.c:7:6:7:6 | *d | test.c:7:15:7:17 | 97 | provenance | | +| test.c:7:6:7:6 | *d | test.c:16:13:16:13 | *d | provenance | | +| test.c:7:14:7:26 | {...} | test.c:7:6:7:6 | *d | provenance | | +| test.c:7:15:7:17 | 97 | test.c:7:20:7:22 | 98 | provenance | | +| test.c:7:20:7:22 | 98 | test.c:7:25:7:25 | {...} | provenance | | +| test.c:7:25:7:25 | {...} | test.c:7:14:7:26 | {...} | provenance | | +| test.c:12:13:12:15 | *a | test.c:14:10:14:10 | *a | provenance | DataFlowFunction | 
+| test.c:12:13:12:15 | *a | test.c:23:13:23:13 | *a | provenance | DataFlowFunction | +| test.c:12:13:12:15 | *a | test.c:24:10:24:10 | *a | provenance | DataFlowFunction | +| test.c:13:13:13:15 | *b | test.c:14:13:14:13 | *b | provenance | DataFlowFunction | +| test.c:18:15:18:28 | {...} | test.c:21:10:21:10 | *e | provenance | | +| test.c:18:27:18:27 | {...} | test.c:18:15:18:28 | {...} | provenance | | +| test.c:19:15:19:28 | {...} | test.c:21:13:21:13 | *f | provenance | | +| test.c:19:27:19:27 | {...} | test.c:19:15:19:28 | {...} | provenance | | nodes -| test.c:10:10:10:12 | a | semmle.label | a | -| test.c:10:15:10:17 | b | semmle.label | b | -| test.c:12:13:12:15 | a | semmle.label | a | -| test.c:13:13:13:15 | b | semmle.label | b | -| test.c:14:10:14:10 | a | semmle.label | a | -| test.c:14:13:14:13 | b | semmle.label | b | -| test.c:16:10:16:10 | c | semmle.label | c | -| test.c:16:13:16:13 | d | semmle.label | d | +| test.c:6:6:6:6 | *c | semmle.label | *c | +| test.c:6:14:6:26 | {...} | semmle.label | {...} | +| test.c:6:15:6:17 | 97 | semmle.label | 97 | +| test.c:6:20:6:22 | 98 | semmle.label | 98 | +| test.c:6:25:6:25 | {...} | semmle.label | {...} | +| test.c:7:6:7:6 | *d | semmle.label | *d | +| test.c:7:14:7:26 | {...} | semmle.label | {...} | +| test.c:7:15:7:17 | 97 | semmle.label | 97 | +| test.c:7:20:7:22 | 98 | semmle.label | 98 | +| test.c:7:25:7:25 | {...} | semmle.label | {...} | +| test.c:10:10:10:12 | *a | semmle.label | *a | +| test.c:10:15:10:17 | *b | semmle.label | *b | +| test.c:12:13:12:15 | *a | semmle.label | *a | +| test.c:13:13:13:15 | *b | semmle.label | *b | +| test.c:14:10:14:10 | *a | semmle.label | *a | +| test.c:14:13:14:13 | *b | semmle.label | *b | +| test.c:16:10:16:10 | *c | semmle.label | *c | +| test.c:16:13:16:13 | *d | semmle.label | *d | | test.c:18:15:18:28 | {...} | semmle.label | {...} | +| test.c:18:27:18:27 | {...} | semmle.label | {...} | | test.c:19:15:19:28 | {...} | semmle.label | {...} | -| 
test.c:21:10:21:10 | e | semmle.label | e | -| test.c:21:13:21:13 | f | semmle.label | f | -| test.c:23:13:23:13 | a | semmle.label | a | -| test.c:24:10:24:10 | a | semmle.label | a | -| test.c:26:13:26:13 | c | semmle.label | c | -| test.c:27:10:27:10 | c | semmle.label | c | +| test.c:19:27:19:27 | {...} | semmle.label | {...} | +| test.c:21:10:21:10 | *e | semmle.label | *e | +| test.c:21:13:21:13 | *f | semmle.label | *f | +| test.c:23:13:23:13 | *a | semmle.label | *a | +| test.c:24:10:24:10 | *a | semmle.label | *a | +| test.c:26:13:26:13 | *c | semmle.label | *c | +| test.c:27:10:27:10 | *c | semmle.label | *c | subpaths #select -| test.c:10:3:10:8 | call to memcmp | test.c:10:10:10:12 | a | test.c:10:10:10:12 | a | memcmp used to compare $@ with $@. | test.c:10:10:10:12 | a | null-terminated string | test.c:10:15:10:17 | b | null-terminated string | -| test.c:10:3:10:8 | call to memcmp | test.c:10:15:10:17 | b | test.c:10:15:10:17 | b | memcmp used to compare $@ with $@. | test.c:10:10:10:12 | a | null-terminated string | test.c:10:15:10:17 | b | null-terminated string | -| test.c:14:3:14:8 | call to memcmp | test.c:12:13:12:15 | a | test.c:14:10:14:10 | a | memcmp used to compare $@ with $@. | test.c:12:13:12:15 | a | null-terminated string | test.c:13:13:13:15 | b | null-terminated string | -| test.c:14:3:14:8 | call to memcmp | test.c:13:13:13:15 | b | test.c:14:13:14:13 | b | memcmp used to compare $@ with $@. | test.c:12:13:12:15 | a | null-terminated string | test.c:13:13:13:15 | b | null-terminated string | -| test.c:16:3:16:8 | call to memcmp | test.c:16:10:16:10 | c | test.c:16:10:16:10 | c | memcmp used to compare $@ with $@. | test.c:16:10:16:10 | c | null-terminated string | test.c:16:13:16:13 | d | null-terminated string | -| test.c:16:3:16:8 | call to memcmp | test.c:16:13:16:13 | d | test.c:16:13:16:13 | d | memcmp used to compare $@ with $@. 
| test.c:16:10:16:10 | c | null-terminated string | test.c:16:13:16:13 | d | null-terminated string | -| test.c:21:3:21:8 | call to memcmp | test.c:18:15:18:28 | {...} | test.c:21:10:21:10 | e | memcmp used to compare $@ with $@. | test.c:18:15:18:28 | {...} | null-terminated string | test.c:19:15:19:28 | {...} | null-terminated string | -| test.c:21:3:21:8 | call to memcmp | test.c:19:15:19:28 | {...} | test.c:21:13:21:13 | f | memcmp used to compare $@ with $@. | test.c:18:15:18:28 | {...} | null-terminated string | test.c:19:15:19:28 | {...} | null-terminated string | +| test.c:10:3:10:8 | call to memcmp | test.c:10:10:10:12 | *a | test.c:10:10:10:12 | *a | memcmp used to compare $@ with $@. | test.c:10:10:10:12 | *a | null-terminated string | test.c:10:15:10:17 | *b | null-terminated string | +| test.c:10:3:10:8 | call to memcmp | test.c:10:15:10:17 | *b | test.c:10:15:10:17 | *b | memcmp used to compare $@ with $@. | test.c:10:10:10:12 | *a | null-terminated string | test.c:10:15:10:17 | *b | null-terminated string | +| test.c:14:3:14:8 | call to memcmp | test.c:12:13:12:15 | *a | test.c:14:10:14:10 | *a | memcmp used to compare $@ with $@. | test.c:12:13:12:15 | *a | null-terminated string | test.c:13:13:13:15 | *b | null-terminated string | +| test.c:14:3:14:8 | call to memcmp | test.c:13:13:13:15 | *b | test.c:14:13:14:13 | *b | memcmp used to compare $@ with $@. | test.c:12:13:12:15 | *a | null-terminated string | test.c:13:13:13:15 | *b | null-terminated string | +| test.c:16:3:16:8 | call to memcmp | test.c:6:25:6:25 | {...} | test.c:16:10:16:10 | *c | memcmp used to compare $@ with $@. | test.c:6:25:6:25 | {...} | null-terminated string | test.c:7:25:7:25 | {...} | null-terminated string | +| test.c:16:3:16:8 | call to memcmp | test.c:7:25:7:25 | {...} | test.c:16:13:16:13 | *d | memcmp used to compare $@ with $@. 
| test.c:6:25:6:25 | {...} | null-terminated string | test.c:7:25:7:25 | {...} | null-terminated string | +| test.c:21:3:21:8 | call to memcmp | test.c:18:27:18:27 | {...} | test.c:21:10:21:10 | *e | memcmp used to compare $@ with $@. | test.c:18:27:18:27 | {...} | null-terminated string | test.c:19:27:19:27 | {...} | null-terminated string | +| test.c:21:3:21:8 | call to memcmp | test.c:19:27:19:27 | {...} | test.c:21:13:21:13 | *f | memcmp used to compare $@ with $@. | test.c:18:27:18:27 | {...} | null-terminated string | test.c:19:27:19:27 | {...} | null-terminated string | From d65bc91d2568f8c3ffeeec9296fbca17c8c7a696 Mon Sep 17 00:00:00 2001 From: Jeroen Ketema Date: Fri, 11 Jul 2025 17:05:13 +0200 Subject: [PATCH 48/88] Convert RULE-22-7 to the new dataflow library --- .../EofShallBeComparedWithUnmodifiedReturnValues.ql | 2 +- .../EofShallBeComparedWithUnmodifiedReturnValues.expected | 8 -------- 2 files changed, 1 insertion(+), 9 deletions(-) diff --git a/c/misra/src/rules/RULE-22-7/EofShallBeComparedWithUnmodifiedReturnValues.ql b/c/misra/src/rules/RULE-22-7/EofShallBeComparedWithUnmodifiedReturnValues.ql index 1da495ca28..44bc22620d 100644 --- a/c/misra/src/rules/RULE-22-7/EofShallBeComparedWithUnmodifiedReturnValues.ql +++ b/c/misra/src/rules/RULE-22-7/EofShallBeComparedWithUnmodifiedReturnValues.ql @@ -15,7 +15,7 @@ import cpp import codingstandards.c.misra import codingstandards.cpp.ReadErrorsAndEOF -import semmle.code.cpp.dataflow.DataFlow +import semmle.code.cpp.dataflow.new.DataFlow /** * The getchar() return value propagates directly to a check against EOF macro diff --git a/c/misra/test/rules/RULE-22-7/EofShallBeComparedWithUnmodifiedReturnValues.expected b/c/misra/test/rules/RULE-22-7/EofShallBeComparedWithUnmodifiedReturnValues.expected index 210a3a9218..709d8b002c 100644 --- a/c/misra/test/rules/RULE-22-7/EofShallBeComparedWithUnmodifiedReturnValues.expected +++ b/c/misra/test/rules/RULE-22-7/EofShallBeComparedWithUnmodifiedReturnValues.expected 
@@ -1,10 +1,2 @@
-WARNING: module 'DataFlow' has been deprecated and may be removed in future (EofShallBeComparedWithUnmodifiedReturnValues.ql:24,28-36)
-WARNING: module 'DataFlow' has been deprecated and may be removed in future (EofShallBeComparedWithUnmodifiedReturnValues.ql:25,22-30)
-WARNING: module 'DataFlow' has been deprecated and may be removed in future (EofShallBeComparedWithUnmodifiedReturnValues.ql:29,20-28)
-WARNING: module 'DataFlow' has been deprecated and may be removed in future (EofShallBeComparedWithUnmodifiedReturnValues.ql:38,23-31)
-WARNING: module 'DataFlow' has been deprecated and may be removed in future (EofShallBeComparedWithUnmodifiedReturnValues.ql:43,17-25)
-WARNING: module 'DataFlow' has been deprecated and may be removed in future (EofShallBeComparedWithUnmodifiedReturnValues.ql:52,5-13)
-WARNING: module 'DataFlow' has been deprecated and may be removed in future (EofShallBeComparedWithUnmodifiedReturnValues.ql:60,20-28)
-WARNING: module 'DataFlow' has been deprecated and may be removed in future (EofShallBeComparedWithUnmodifiedReturnValues.ql:60,46-54)
 | test.c:6:7:6:20 | ... != ... | The check is not reliable as the type of the return value of $@ is converted. | test.c:5:14:5:20 | call to getchar | call to getchar |
 | test.c:13:7:13:15 | ... != ... | The check is not reliable as the type of the return value of $@ is converted. | test.c:12:14:12:20 | call to getchar | call to getchar |
From fc2ab4b6fa43ed819b820132426ad0752583aca7 Mon Sep 17 00:00:00 2001
From: Jeroen Ketema
Date: Fri, 11 Jul 2025 17:13:29 +0200
Subject: [PATCH 49/88] Convert A13-1-3 to the new dataflow library
---
 ...alsOperatorsShallOnlyPerformConversionOfPassedParameters.ql | 2 +-
 ...ratorsShallOnlyPerformConversionOfPassedParameters.expected | 3 ---
 2 files changed, 1 insertion(+), 4 deletions(-)
diff --git a/cpp/autosar/src/rules/A13-1-3/UserDefinedLiteralsOperatorsShallOnlyPerformConversionOfPassedParameters.ql b/cpp/autosar/src/rules/A13-1-3/UserDefinedLiteralsOperatorsShallOnlyPerformConversionOfPassedParameters.ql
index 4593065e01..88ac1a7856 100644
--- a/cpp/autosar/src/rules/A13-1-3/UserDefinedLiteralsOperatorsShallOnlyPerformConversionOfPassedParameters.ql
+++ b/cpp/autosar/src/rules/A13-1-3/UserDefinedLiteralsOperatorsShallOnlyPerformConversionOfPassedParameters.ql
@@ -14,7 +14,7 @@
  */
 import cpp
-import semmle.code.cpp.dataflow.TaintTracking
+import semmle.code.cpp.dataflow.new.TaintTracking
 import codingstandards.cpp.autosar
 import codingstandards.cpp.UserDefinedLiteral as udl
 import codingstandards.cpp.SideEffect
diff --git a/cpp/autosar/test/rules/A13-1-3/UserDefinedLiteralsOperatorsShallOnlyPerformConversionOfPassedParameters.expected b/cpp/autosar/test/rules/A13-1-3/UserDefinedLiteralsOperatorsShallOnlyPerformConversionOfPassedParameters.expected
index 5d1d6022b5..53dc884023 100644
--- a/cpp/autosar/test/rules/A13-1-3/UserDefinedLiteralsOperatorsShallOnlyPerformConversionOfPassedParameters.expected
+++ b/cpp/autosar/test/rules/A13-1-3/UserDefinedLiteralsOperatorsShallOnlyPerformConversionOfPassedParameters.expected
@@ -1,4 +1 @@
-WARNING: module 'DataFlow' has been deprecated and may be removed in future (UserDefinedLiteralsOperatorsShallOnlyPerformConversionOfPassedParameters.ql:27,33-41)
-WARNING: module 'DataFlow' has been deprecated and may be removed in future (UserDefinedLiteralsOperatorsShallOnlyPerformConversionOfPassedParameters.ql:28,5-13)
-WARNING: module 'TaintTracking' has been deprecated and may be removed in future (UserDefinedLiteralsOperatorsShallOnlyPerformConversionOfPassedParameters.ql:27,7-20)
 | test.cpp:47:8:47:23 | operator ""_uds5 | User defined literal operator returns $@, which is not converted from a passed parameter | test.cpp:48:10:48:12 | 0.0 | expression |
From 3dae0a62501e90beae09eb226ada33186e823898 Mon Sep 17 00:00:00 2001
From: Jeroen Ketema
Date: Fri, 11 Jul 2025 17:18:23 +0200
Subject: [PATCH 50/88] Convert A13-2-1 to the new dataflow library
---
 cpp/autosar/src/rules/A13-2-1/AssignmentOperatorReturnThis.ql | 2 +-
 .../test/rules/A13-2-1/AssignmentOperatorReturnThis.expected | 1 -
 2 files changed, 1 insertion(+), 2 deletions(-)
diff --git a/cpp/autosar/src/rules/A13-2-1/AssignmentOperatorReturnThis.ql b/cpp/autosar/src/rules/A13-2-1/AssignmentOperatorReturnThis.ql
index 4e6b7d6f0c..c7583373c3 100644
--- a/cpp/autosar/src/rules/A13-2-1/AssignmentOperatorReturnThis.ql
+++ b/cpp/autosar/src/rules/A13-2-1/AssignmentOperatorReturnThis.ql
@@ -16,7 +16,7 @@
 import cpp
 import codingstandards.cpp.autosar
 import codingstandards.cpp.Operator
-import semmle.code.cpp.dataflow.DataFlow
+import semmle.code.cpp.dataflow.new.DataFlow
 predicate returnsThisPointer(UserAssignmentOperator o) {
 exists(PointerDereferenceExpr p, ThisExpr t, ReturnStmt r |
diff --git a/cpp/autosar/test/rules/A13-2-1/AssignmentOperatorReturnThis.expected b/cpp/autosar/test/rules/A13-2-1/AssignmentOperatorReturnThis.expected
index 9c0d50ca86..e9929173b0 100644
--- a/cpp/autosar/test/rules/A13-2-1/AssignmentOperatorReturnThis.expected
+++ b/cpp/autosar/test/rules/A13-2-1/AssignmentOperatorReturnThis.expected
@@ -1,4 +1,3 @@
-WARNING: module 'DataFlow' has been deprecated and may be removed in future (AssignmentOperatorReturnThis.ql:25,5-13)
 | test.cpp:10:12:10:20 | operator= | User-defined assignment operator $@ does not return *this | test.cpp:10:12:10:20 | operator= | user defined assignment operator |
 | test.cpp:17:11:17:19 | operator= | User-defined assignment operator $@ does not return *this | test.cpp:17:11:17:19 | operator= | user defined assignment operator |
 | test.cpp:24:12:24:20 | operator= | User-defined assignment operator $@ does not return *this | test.cpp:24:12:24:20 | operator= | user defined assignment operator |
From 2cc7388fdbb88f5757889bc0a6e3038363e39105 Mon Sep 17 00:00:00 2001
From: Jeroen Ketema
Date: Fri, 11 Jul 2025 17:22:01 +0200
Subject: [PATCH 51/88] Convert A15-1-3 to the new dataflow library
---
 cpp/autosar/src/rules/A15-1-3/ThrownExceptionsShouldBeUnique.ql | 2 +-
 .../test/rules/A15-1-3/ThrownExceptionsShouldBeUnique.expected | 1 -
 2 files changed, 1 insertion(+), 2 deletions(-)
diff --git a/cpp/autosar/src/rules/A15-1-3/ThrownExceptionsShouldBeUnique.ql b/cpp/autosar/src/rules/A15-1-3/ThrownExceptionsShouldBeUnique.ql
index 97e9133a7a..abcd503670 100644
--- a/cpp/autosar/src/rules/A15-1-3/ThrownExceptionsShouldBeUnique.ql
+++ b/cpp/autosar/src/rules/A15-1-3/ThrownExceptionsShouldBeUnique.ql
@@ -16,7 +16,7 @@
 import cpp
 import codingstandards.cpp.autosar
 import codingstandards.cpp.exceptions.ExceptionFlow
-import semmle.code.cpp.dataflow.DataFlow
+import semmle.code.cpp.dataflow.new.DataFlow
 import semmle.code.cpp.valuenumbering.HashCons
 /** Find a value which defines the exception thrown by the `DirectThrowExpr`, if any. */
diff --git a/cpp/autosar/test/rules/A15-1-3/ThrownExceptionsShouldBeUnique.expected b/cpp/autosar/test/rules/A15-1-3/ThrownExceptionsShouldBeUnique.expected
index 5db0f83985..b085736659 100644
--- a/cpp/autosar/test/rules/A15-1-3/ThrownExceptionsShouldBeUnique.expected
+++ b/cpp/autosar/test/rules/A15-1-3/ThrownExceptionsShouldBeUnique.expected
@@ -1,4 +1,3 @@
-WARNING: module 'DataFlow' has been deprecated and may be removed in future (ThrownExceptionsShouldBeUnique.ql:24,3-11)
 | test.cpp:6:5:6:26 | throw ... | The $@ thrown here is a possible duplicate of the $@ thrown $@. | test.cpp:6:5:6:26 | call to exception | std::exception exception | test.cpp:14:5:14:26 | call to exception | exception | test.cpp:14:5:14:26 | throw ... | here |
 | test.cpp:8:5:8:53 | throw ... | The $@ thrown here is a possible duplicate of the $@ thrown $@. | test.cpp:8:5:8:53 | call to runtime_error | std::runtime_error exception | test.cpp:16:5:16:53 | call to runtime_error | exception | test.cpp:16:5:16:53 | throw ... | here |
 | test.cpp:14:5:14:26 | throw ... | The $@ thrown here is a possible duplicate of the $@ thrown $@. | test.cpp:14:5:14:26 | call to exception | std::exception exception | test.cpp:6:5:6:26 | call to exception | exception | test.cpp:6:5:6:26 | throw ... | here |
From 88ff74163cce8535688059a29bfb412feac28987 Mon Sep 17 00:00:00 2001
From: Jeroen Ketema
Date: Fri, 11 Jul 2025 19:34:45 +0200
Subject: [PATCH 52/88] Address review comment
---
 .../EXP37-C/DoNotCallFunctionPointerWithIncompatibleType.ql | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)
diff --git a/c/cert/src/rules/EXP37-C/DoNotCallFunctionPointerWithIncompatibleType.ql b/c/cert/src/rules/EXP37-C/DoNotCallFunctionPointerWithIncompatibleType.ql
index b7f751b6bf..cea415350c 100644
--- a/c/cert/src/rules/EXP37-C/DoNotCallFunctionPointerWithIncompatibleType.ql
+++ b/c/cert/src/rules/EXP37-C/DoNotCallFunctionPointerWithIncompatibleType.ql
@@ -62,7 +62,7 @@ where
 ExpressionsPackage::doNotCallFunctionPointerWithIncompatibleTypeQuery()) and
 access = src.getNode().asExpr() and
 SuspectFunctionPointerToCallFlow::flowPath(src, sink) and
- not src.getNode().asExpr().getType() = sink.getNode().asExpr().getFullyConverted().getType()
+ not access.getType() = sink.getNode().asExpr().getFullyConverted().getType()
 select src, src, sink,
 "Incompatible function $@ assigned to function pointer is eventually called through the pointer.",
 access.getTarget(), access.getTarget().getName()
From 6603c2533be81c2e70b5dd962ed95dbf059c61c7 Mon Sep 17 00:00:00 2001
From: Mathias Vorreiter Pedersen
Date: Mon, 14 Jul 2025 16:44:20 +0100
Subject: [PATCH 53/88] C++: Accept path changes caused by codeql#20040.
---
 .../MemcmpUsedToCompareNullTerminatedStrings.expected | 10 ----------
 1 file changed, 10 deletions(-)
diff --git a/c/misra/test/rules/RULE-21-14/MemcmpUsedToCompareNullTerminatedStrings.expected b/c/misra/test/rules/RULE-21-14/MemcmpUsedToCompareNullTerminatedStrings.expected
index 7fbb4e322a..38eeb4b42b 100644
--- a/c/misra/test/rules/RULE-21-14/MemcmpUsedToCompareNullTerminatedStrings.expected
+++ b/c/misra/test/rules/RULE-21-14/MemcmpUsedToCompareNullTerminatedStrings.expected
@@ -1,17 +1,11 @@
 edges
-| test.c:6:6:6:6 | *c | test.c:6:15:6:17 | 97 | provenance | |
 | test.c:6:6:6:6 | *c | test.c:16:10:16:10 | *c | provenance | |
 | test.c:6:6:6:6 | *c | test.c:26:13:26:13 | *c | provenance | |
 | test.c:6:6:6:6 | *c | test.c:27:10:27:10 | *c | provenance | |
 | test.c:6:14:6:26 | {...} | test.c:6:6:6:6 | *c | provenance | |
-| test.c:6:15:6:17 | 97 | test.c:6:20:6:22 | 98 | provenance | |
-| test.c:6:20:6:22 | 98 | test.c:6:25:6:25 | {...} | provenance | |
 | test.c:6:25:6:25 | {...} | test.c:6:14:6:26 | {...} | provenance | |
-| test.c:7:6:7:6 | *d | test.c:7:15:7:17 | 97 | provenance | |
 | test.c:7:6:7:6 | *d | test.c:16:13:16:13 | *d | provenance | |
 | test.c:7:14:7:26 | {...} | test.c:7:6:7:6 | *d | provenance | |
-| test.c:7:15:7:17 | 97 | test.c:7:20:7:22 | 98 | provenance | |
-| test.c:7:20:7:22 | 98 | test.c:7:25:7:25 | {...} | provenance | |
 | test.c:7:25:7:25 | {...} | test.c:7:14:7:26 | {...} | provenance | |
 | test.c:12:13:12:15 | *a | test.c:14:10:14:10 | *a | provenance | DataFlowFunction |
 | test.c:12:13:12:15 | *a | test.c:23:13:23:13 | *a | provenance | DataFlowFunction |
@@ -24,13 +18,9 @@ edges
 nodes
 | test.c:6:6:6:6 | *c | semmle.label | *c |
 | test.c:6:14:6:26 | {...} | semmle.label | {...} |
-| test.c:6:15:6:17 | 97 | semmle.label | 97 |
-| test.c:6:20:6:22 | 98 | semmle.label | 98 |
 | test.c:6:25:6:25 | {...} | semmle.label | {...} |
 | test.c:7:6:7:6 | *d | semmle.label | *d |
 | test.c:7:14:7:26 | {...} | semmle.label | {...} |
-| test.c:7:15:7:17 | 97 | semmle.label | 97 |
-| test.c:7:20:7:22 | 98 | semmle.label | 98 |
 | test.c:7:25:7:25 | {...} | semmle.label | {...} |
 | test.c:10:10:10:12 | *a | semmle.label | *a |
 | test.c:10:15:10:17 | *b | semmle.label | *b |
From c1596044a1068c6a375e7cef2c4e84c99fe74b06 Mon Sep 17 00:00:00 2001
From: Jeroen Ketema
Date: Tue, 15 Jul 2025 13:46:07 +0200
Subject: [PATCH 54/88] Convert RULE-17-5 to the new dataflow library
---
 .../RULE-17-5/ArrayFunctionArgumentNumberOfElements.ql | 8 ++++----
 .../ArrayFunctionArgumentNumberOfElements.expected | 6 ------
 2 files changed, 4 insertions(+), 10 deletions(-)
diff --git a/c/misra/src/rules/RULE-17-5/ArrayFunctionArgumentNumberOfElements.ql b/c/misra/src/rules/RULE-17-5/ArrayFunctionArgumentNumberOfElements.ql
index 1a142ddb22..279003f6ff 100644
--- a/c/misra/src/rules/RULE-17-5/ArrayFunctionArgumentNumberOfElements.ql
+++ b/c/misra/src/rules/RULE-17-5/ArrayFunctionArgumentNumberOfElements.ql
@@ -14,7 +14,7 @@
 import cpp
 import codingstandards.c.misra
-import semmle.code.cpp.dataflow.DataFlow
+import semmle.code.cpp.dataflow.new.DataFlow
 /**
  * Models a function parameter of type array with specified size
@@ -49,7 +49,7 @@ module SmallArrayConfig implements DataFlow::ConfigSig {
 predicate isSource(DataFlow::Node src) { src.asExpr() instanceof ArrayAggregateLiteral }
 predicate isSink(DataFlow::Node sink) {
- sink.asExpr() = any(ArrayParameter p).getAMatchingArgument()
+ sink.asIndirectExpr() = any(ArrayParameter p).getAMatchingArgument()
 }
 }
@@ -68,8 +68,8 @@ where
 or
 // the argument is a pointer and its value does not come from a literal of the correct
 arg.getType() instanceof PointerType and
- not exists(ArrayAggregateLiteral l |
- SmallArrayFlow::flow(DataFlow::exprNode(l), DataFlow::exprNode(arg)) and
+ not exists(ArrayAggregateLiteral l, DataFlow::Node arg_node | arg_node.asIndirectExpr() = arg |
+ SmallArrayFlow::flow(DataFlow::exprNode(l), arg_node) and
 countElements(l) >= p.getArraySize()
 )
 )
diff --git a/c/misra/test/rules/RULE-17-5/ArrayFunctionArgumentNumberOfElements.expected b/c/misra/test/rules/RULE-17-5/ArrayFunctionArgumentNumberOfElements.expected
index 174c6aa40f..913f6f1c34 100644
--- a/c/misra/test/rules/RULE-17-5/ArrayFunctionArgumentNumberOfElements.expected
+++ b/c/misra/test/rules/RULE-17-5/ArrayFunctionArgumentNumberOfElements.expected
@@ -1,9 +1,3 @@
-WARNING: module 'DataFlow' has been deprecated and may be removed in future (ArrayFunctionArgumentNumberOfElements.ql:48,36-44)
-WARNING: module 'DataFlow' has been deprecated and may be removed in future (ArrayFunctionArgumentNumberOfElements.ql:49,22-30)
-WARNING: module 'DataFlow' has been deprecated and may be removed in future (ArrayFunctionArgumentNumberOfElements.ql:51,20-28)
-WARNING: module 'DataFlow' has been deprecated and may be removed in future (ArrayFunctionArgumentNumberOfElements.ql:56,25-33)
-WARNING: module 'DataFlow' has been deprecated and may be removed in future (ArrayFunctionArgumentNumberOfElements.ql:72,28-36)
-WARNING: module 'DataFlow' has been deprecated and may be removed in future (ArrayFunctionArgumentNumberOfElements.ql:72,51-59)
 | test.c:18:6:18:6 | 0 | The function argument does not have a sufficient number or elements declared in the $@. | test.c:1:13:1:14 | ar | parameter |
 | test.c:19:6:19:7 | ar | The function argument does not have a sufficient number or elements declared in the $@. | test.c:1:13:1:14 | ar | parameter |
 | test.c:21:6:21:9 | ar2p | The function argument does not have a sufficient number or elements declared in the $@. | test.c:1:13:1:14 | ar | parameter |
From 36eb3b371627a0117397af3cee999704ddde757d Mon Sep 17 00:00:00 2001
From: Jeroen Ketema
Date: Tue, 15 Jul 2025 15:06:50 +0200
Subject: [PATCH 55/88] Convert A15-2-2 to use the new dataflow library
Observe that field flow requires global flow with the new library, so a dataflow configuration is introduced.
---
 ...ConstructorErrorLeavesObjectInInvalidState.ql | 16 ++++++++++++++--
 ...uctorErrorLeavesObjectInInvalidState.expected | 9 ---------
 2 files changed, 14 insertions(+), 11 deletions(-)
diff --git a/cpp/autosar/src/rules/A15-2-2/ConstructorErrorLeavesObjectInInvalidState.ql b/cpp/autosar/src/rules/A15-2-2/ConstructorErrorLeavesObjectInInvalidState.ql
index 1b3a3cfed2..bf8f76923b 100644
--- a/cpp/autosar/src/rules/A15-2-2/ConstructorErrorLeavesObjectInInvalidState.ql
+++ b/cpp/autosar/src/rules/A15-2-2/ConstructorErrorLeavesObjectInInvalidState.ql
@@ -15,7 +15,7 @@
  */
 import cpp
-import semmle.code.cpp.dataflow.DataFlow
+import semmle.code.cpp.dataflow.new.DataFlow
 import codingstandards.cpp.autosar
 import codingstandards.cpp.exceptions.ExceptionFlow
 import codingstandards.cpp.exceptions.ExceptionSpecifications
@@ -98,6 +98,18 @@ class ExceptionThrownInConstructor extends ExceptionThrowingExpr {
 Constructor getConstructor() { result = c }
 }
+module NewDeleteConfig implements DataFlow::ConfigSig {
+ predicate isSource(DataFlow::Node src) { src.asExpr() instanceof NewAllocationExpr }
+
+ predicate isSink(DataFlow::Node sink) { sink.asExpr() instanceof DeletedExpr }
+
+ DataFlow::FlowFeature getAFeature() {
+ result instanceof DataFlow::FeatureEqualSourceSinkCallContext
+ }
+}
+
+module NewDeleteFlow = DataFlow::Global;
+
 from ExceptionThrowingConstructor c, ExceptionThrownInConstructor throwingExpr,
 NewAllocationExpr newExpr, ExceptionFlowNode exceptionSource,
@@ -127,7 +139,7 @@ where
 not exists(DeletedExpr deletedExpr |
 deletedExpr.getEnclosingFunction() = c and
 // Deletes the same memory location that was new'd
- DataFlow::localFlow(DataFlow::exprNode(newExpr), DataFlow::exprNode(deletedExpr)) and
+ NewDeleteFlow::flow(DataFlow::exprNode(newExpr), DataFlow::exprNode(deletedExpr)) and
 newExpr.getASuccessor+() = deletedExpr and
 deletedExpr.getASuccessor+() = throwingExpr
 ) and
diff --git a/cpp/autosar/test/rules/A15-2-2/ConstructorErrorLeavesObjectInInvalidState.expected b/cpp/autosar/test/rules/A15-2-2/ConstructorErrorLeavesObjectInInvalidState.expected
index 529a7ccf99..941771dada 100644
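Review bot: `NewDeleteConfig` and `NewDeleteFlow` in the second hunk carry no QLDoc, and the design needs one: the flow is consumed only inside `not exists(DeletedExpr deletedExpr | deletedExpr.getEnclosingFunction() = c and ...)` in the third hunk, so a reader will ask why an intra-constructor new/delete pairing is computed with a global configuration plus `FeatureEqualSourceSinkCallContext`. The commit message gives the reason (field flow requires global flow with the new library) but the code does not, and commit messages are not read next to the query. Suggest a QLDoc on the module along the lines of "Flow from a new-expression to a delete of the same allocation. Global flow is used because the new dataflow library provides field flow only for global configurations; FeatureEqualSourceSinkCallContext keeps source and sink in the same call context", and a one-line QLDoc on `NewDeleteFlow`. Since the consumer only pairs expressions inside constructor `c`, restricting `isSource` to allocations whose enclosing function is a `Constructor` would likely shrink the flow computation, though I cannot see how `newExpr` is bound outside the hunk.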
--- a/cpp/autosar/test/rules/A15-2-2/ConstructorErrorLeavesObjectInInvalidState.expected
+++ b/cpp/autosar/test/rules/A15-2-2/ConstructorErrorLeavesObjectInInvalidState.expected
@@ -1,12 +1,3 @@
-WARNING: module 'DataFlow' has been deprecated and may be removed in future (ConstructorErrorLeavesObjectInInvalidState.ql:47,12-20)
-WARNING: module 'DataFlow' has been deprecated and may be removed in future (ConstructorErrorLeavesObjectInInvalidState.ql:48,30-38)
-WARNING: module 'DataFlow' has been deprecated and may be removed in future (ConstructorErrorLeavesObjectInInvalidState.ql:48,57-65)
-WARNING: module 'DataFlow' has been deprecated and may be removed in future (ConstructorErrorLeavesObjectInInvalidState.ql:74,5-13)
-WARNING: module 'DataFlow' has been deprecated and may be removed in future (ConstructorErrorLeavesObjectInInvalidState.ql:74,25-33)
-WARNING: module 'DataFlow' has been deprecated and may be removed in future (ConstructorErrorLeavesObjectInInvalidState.ql:75,7-15)
-WARNING: module 'DataFlow' has been deprecated and may be removed in future (ConstructorErrorLeavesObjectInInvalidState.ql:130,5-13)
-WARNING: module 'DataFlow' has been deprecated and may be removed in future (ConstructorErrorLeavesObjectInInvalidState.ql:130,25-33)
-WARNING: module 'DataFlow' has been deprecated and may be removed in future (ConstructorErrorLeavesObjectInInvalidState.ql:130,54-62)
 edges
 | test.cpp:12:16:12:27 | new [bad_alloc] | test.cpp:14:33:16:5 | { ... } [bad_alloc] |
 | test.cpp:13:7:13:28 | throw ... [exception] | test.cpp:14:33:16:5 | { ... } [exception] |
From ba9ebc6d6856014a2fd27c2ede8e08929b5d1d11 Mon Sep 17 00:00:00 2001
From: Jeroen Ketema
Date: Tue, 15 Jul 2025 15:54:57 +0200
Subject: [PATCH 56/88] Convert A18-9-4 to use the new dataflow library
The query seemed to depend on a bug in the old dataflow library before, where `asDefiningArgument` could return the function call instead of its argument.
---
 .../src/rules/A18-9-4/ArgumentToForwardSubsequentlyUsed.ql | 4 ++--
 .../rules/A18-9-4/ArgumentToForwardSubsequentlyUsed.expected | 3 ---
 2 files changed, 2 insertions(+), 5 deletions(-)
diff --git a/cpp/autosar/src/rules/A18-9-4/ArgumentToForwardSubsequentlyUsed.ql b/cpp/autosar/src/rules/A18-9-4/ArgumentToForwardSubsequentlyUsed.ql
index a3acf916ec..923a024a46 100644
--- a/cpp/autosar/src/rules/A18-9-4/ArgumentToForwardSubsequentlyUsed.ql
+++ b/cpp/autosar/src/rules/A18-9-4/ArgumentToForwardSubsequentlyUsed.ql
@@ -14,13 +14,13 @@
 import cpp
 import codingstandards.cpp.autosar
 import codingstandards.cpp.standardlibrary.Utility
-import semmle.code.cpp.dataflow.DataFlow
+import semmle.code.cpp.dataflow.new.DataFlow
 from StdForwardCall f, Access a
 where
 not isExcluded(a, MoveForwardPackage::movedFromObjectReadAccessedQuery()) and
 exists(DataFlow::DefinitionByReferenceNode def |
- def.asDefiningArgument() = f and
+ def.asDefiningArgument() = f.getArgument(0) and
 DataFlow::localFlow(def, DataFlow::exprNode(a))
 )
 select a, "The argument $@ of `std::forward` may be indeterminate when accessed at this location.",
diff --git a/cpp/autosar/test/rules/A18-9-4/ArgumentToForwardSubsequentlyUsed.expected b/cpp/autosar/test/rules/A18-9-4/ArgumentToForwardSubsequentlyUsed.expected
index 9e1cf41d3d..1c72dd7bf3 100644
--- a/cpp/autosar/test/rules/A18-9-4/ArgumentToForwardSubsequentlyUsed.expected
+++ b/cpp/autosar/test/rules/A18-9-4/ArgumentToForwardSubsequentlyUsed.expected
@@ -1,4 +1 @@
-WARNING: module 'DataFlow' has been deprecated and may be removed in future (ArgumentToForwardSubsequentlyUsed.ql:22,10-18)
-WARNING: module 'DataFlow' has been deprecated and may be removed in future (ArgumentToForwardSubsequentlyUsed.ql:24,5-13)
-WARNING: module 'DataFlow' has been deprecated and may be removed in future (ArgumentToForwardSubsequentlyUsed.ql:24,30-38)
 | test.cpp:8:5:8:6 | t2 | The argument $@ of `std::forward` may be indeterminate when accessed at this location. | test.cpp:7:45:7:46 | t2 | t2 |
From f4d7e9f4173cb04ceb3002a38581922b4566717d Mon Sep 17 00:00:00 2001
From: Jeroen Ketema
Date: Tue, 15 Jul 2025 16:19:44 +0200
Subject: [PATCH 57/88] Convert A20-8-4 to use the new dataflow library
---
 .../A20-8-4/SharedPointerUsedWithNoOwnershipSharing.ql | 8 ++++++--
 .../SharedPointerUsedWithNoOwnershipSharing.expected | 1 -
 2 files changed, 6 insertions(+), 3 deletions(-)
diff --git a/cpp/autosar/src/rules/A20-8-4/SharedPointerUsedWithNoOwnershipSharing.ql b/cpp/autosar/src/rules/A20-8-4/SharedPointerUsedWithNoOwnershipSharing.ql
index 0294bfe2e6..47f879a585 100644
--- a/cpp/autosar/src/rules/A20-8-4/SharedPointerUsedWithNoOwnershipSharing.ql
+++ b/cpp/autosar/src/rules/A20-8-4/SharedPointerUsedWithNoOwnershipSharing.ql
@@ -16,7 +16,7 @@
 import cpp
 import codingstandards.cpp.autosar
 import codingstandards.cpp.SmartPointers
-import semmle.code.cpp.dataflow.DataFlow
+import semmle.code.cpp.dataflow.new.DataFlow
 /*
  * Finds `std::shared_ptr` local variables which are not copy or move initialized, and are not used in
@@ -44,7 +44,11 @@ from AutosarSharedPointerLocalScopeVariable var, SharedPointerLocalAllocInitiali
 where
 not isExcluded(var, SmartPointers1Package::sharedPointerUsedWithNoOwnershipSharingQuery()) and
 var.getAnAssignedValue() = src and
- not DataFlow::localExprFlow(src, varOwnershipSharingExpr(var.getType(), var.getFunction()))
+ not exists(DataFlow::Node n |
+ n.asIndirectExpr() = varOwnershipSharingExpr(var.getType(), var.getFunction())
+ |
+ DataFlow::localFlow(DataFlow::exprNode(src), n)
+ )
 select var,
 "The ownership of shared_ptr $@ is not shared within or passed out of the local scope of function $@.",
 var, var.getName(), var.getFunction(), var.getFunction().getQualifiedName()
diff --git a/cpp/autosar/test/rules/A20-8-4/SharedPointerUsedWithNoOwnershipSharing.expected b/cpp/autosar/test/rules/A20-8-4/SharedPointerUsedWithNoOwnershipSharing.expected
index 5b770a1925..f15f142b3b 100644
--- a/cpp/autosar/test/rules/A20-8-4/SharedPointerUsedWithNoOwnershipSharing.expected
+++ b/cpp/autosar/test/rules/A20-8-4/SharedPointerUsedWithNoOwnershipSharing.expected
@@ -1,4 +1,3 @@
-WARNING: module 'DataFlow' has been deprecated and may be removed in future (SharedPointerUsedWithNoOwnershipSharing.ql:47,7-15)
 | test.cpp:14:24:14:26 | sp3 | The ownership of shared_ptr $@ is not shared within or passed out of the local scope of function $@. | test.cpp:14:24:14:26 | sp3 | sp3 | test.cpp:11:22:11:23 | f1 | f1 |
 | test.cpp:16:24:16:26 | sp5 | The ownership of shared_ptr $@ is not shared within or passed out of the local scope of function $@. | test.cpp:16:24:16:26 | sp5 | sp5 | test.cpp:11:22:11:23 | f1 | f1 |
 | test.cpp:17:24:17:26 | sp6 | The ownership of shared_ptr $@ is not shared within or passed out of the local scope of function $@. | test.cpp:17:24:17:26 | sp6 | sp6 | test.cpp:11:22:11:23 | f1 | f1 |
From 2aceba84c0ed8dd5730573c23f9806c75bc35e35 Mon Sep 17 00:00:00 2001
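Review bot: The rewritten condition in the `SharedPointerUsedWithNoOwnershipSharing.ql` hunk reaches the ownership-sharing expression only through `n.asIndirectExpr()`, whereas the removed `DataFlow::localExprFlow(src, ...)` matched the expression node itself; any result of `varOwnershipSharingExpr` that the new library models only as a direct expression node can no longer be reached, and the variable would then be reported. The unchanged result rows in the .expected hunk show the tests still pass, but three `sp*` cases do not cover every shape of sharing expression, and `varOwnershipSharingExpr` is defined outside the hunk so I cannot tell which node kinds its results carry. If indirect-only is deliberate because `shared_ptr` objects are tracked as indirect nodes (the later A5-1-7 expected output in this series renders object values as `*l1`), a comment above the `exists` saying so would help; otherwise `n.asExpr() = varOwnershipSharingExpr(var.getType(), var.getFunction()) or n.asIndirectExpr() = varOwnershipSharingExpr(var.getType(), var.getFunction())` keeps the previous matching as a fallback.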
From: Jeroen Ketema
Date: Tue, 15 Jul 2025 20:56:54 +0200
Subject: [PATCH 58/88] Convert A5-1-7 to use the new dataflow library
---
 .../rules/A5-1-7/LambdaPassedToDecltype.ql | 2 +-
 .../src/rules/A5-1-7/LambdaPassedToTypeid.ql | 6 ++++--
 .../A5-1-7/LambdaPassedToDecltype.expected | 6 ------
 .../A5-1-7/LambdaPassedToTypeid.expected | 20 +++++++++----------
 4 files changed, 15 insertions(+), 19 deletions(-)
diff --git a/cpp/autosar/src/rules/A5-1-7/LambdaPassedToDecltype.ql b/cpp/autosar/src/rules/A5-1-7/LambdaPassedToDecltype.ql
index 971d3b9259..a2b8bf5608 100644
--- a/cpp/autosar/src/rules/A5-1-7/LambdaPassedToDecltype.ql
+++ b/cpp/autosar/src/rules/A5-1-7/LambdaPassedToDecltype.ql
@@ -15,7 +15,7 @@
 import cpp
 import codingstandards.cpp.autosar
-import semmle.code.cpp.dataflow.DataFlow
+import semmle.code.cpp.dataflow.new.DataFlow
 module LambdaExpressionToInitializerConfig implements DataFlow::ConfigSig {
 predicate isSource(DataFlow::Node source) { source.asExpr() instanceof LambdaExpression }
diff --git a/cpp/autosar/src/rules/A5-1-7/LambdaPassedToTypeid.ql b/cpp/autosar/src/rules/A5-1-7/LambdaPassedToTypeid.ql
index 56952dace9..492b352ad1 100644
--- a/cpp/autosar/src/rules/A5-1-7/LambdaPassedToTypeid.ql
+++ b/cpp/autosar/src/rules/A5-1-7/LambdaPassedToTypeid.ql
@@ -14,14 +14,16 @@
  */
 import cpp
-import semmle.code.cpp.dataflow.DataFlow
+import semmle.code.cpp.dataflow.new.DataFlow
 import codingstandards.cpp.autosar
 import LambdaExpressionToTypeidFlow::PathGraph
 module LambdaExpressionToTypeidConfig implements DataFlow::ConfigSig {
 predicate isSource(DataFlow::Node source) { source.asExpr() instanceof LambdaExpression }
- predicate isSink(DataFlow::Node sink) { exists(TypeidOperator op | op.getExpr() = sink.asExpr()) }
+ predicate isSink(DataFlow::Node sink) {
+ exists(TypeidOperator op | op.getExpr() = sink.asIndirectExpr())
+ }
 }
 module LambdaExpressionToTypeidFlow = DataFlow::Global;
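Review bot: In the `LambdaPassedToTypeid.ql` hunk, `isSink` now matches through `sink.asIndirectExpr()` while `isSource` still uses `source.asExpr()`, so every reported path begins with a step from the lambda's expression node to its own indirect node; the updated `LambdaPassedToTypeid.expected` later in this patch shows exactly that as a self-edge on `[...](...){...}` and duplicated `nodes` rows. Consider `predicate isSource(DataFlow::Node source) { source.asIndirectExpr() instanceof LambdaExpression }`, which would likely remove the redundant first step, to be confirmed against the regenerated test output. If keeping the expression node as the source is intentional, a comment on `isSource` explaining the asymmetry with `isSink` would spare the next reader the same question. Note also that `LambdaPassedToDecltype.ql` in the same commit only swaps the import, so the two A5-1-7 queries now model their sinks differently without either saying why.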
diff --git a/cpp/autosar/test/rules/A5-1-7/LambdaPassedToDecltype.expected b/cpp/autosar/test/rules/A5-1-7/LambdaPassedToDecltype.expected
index 56896d69fd..8f6447a96b 100644
--- a/cpp/autosar/test/rules/A5-1-7/LambdaPassedToDecltype.expected
+++ b/cpp/autosar/test/rules/A5-1-7/LambdaPassedToDecltype.expected
@@ -1,7 +1 @@
-WARNING: module 'DataFlow' has been deprecated and may be removed in future (LambdaPassedToDecltype.ql:20,55-63)
-WARNING: module 'DataFlow' has been deprecated and may be removed in future (LambdaPassedToDecltype.ql:21,22-30)
-WARNING: module 'DataFlow' has been deprecated and may be removed in future (LambdaPassedToDecltype.ql:23,20-28)
-WARNING: module 'DataFlow' has been deprecated and may be removed in future (LambdaPassedToDecltype.ql:28,44-52)
-WARNING: module 'DataFlow' has been deprecated and may be removed in future (LambdaPassedToDecltype.ql:39,47-55)
-WARNING: module 'DataFlow' has been deprecated and may be removed in future (LambdaPassedToDecltype.ql:40,9-17)
 | test.cpp:14:23:14:24 | decltype(...) | Lambda $@ passed as operand to decltype. | test.cpp:5:13:5:30 | [...](...){...} | expression |
diff --git a/cpp/autosar/test/rules/A5-1-7/LambdaPassedToTypeid.expected b/cpp/autosar/test/rules/A5-1-7/LambdaPassedToTypeid.expected
index 8f86a87616..dc0f2658a0 100644
--- a/cpp/autosar/test/rules/A5-1-7/LambdaPassedToTypeid.expected
+++ b/cpp/autosar/test/rules/A5-1-7/LambdaPassedToTypeid.expected
@@ -1,16 +1,16 @@
-WARNING: module 'DataFlow' has been deprecated and may be removed in future (LambdaPassedToTypeid.ql:21,50-58)
-WARNING: module 'DataFlow' has been deprecated and may be removed in future (LambdaPassedToTypeid.ql:22,22-30)
-WARNING: module 'DataFlow' has been deprecated and may be removed in future (LambdaPassedToTypeid.ql:24,20-28)
-WARNING: module 'DataFlow' has been deprecated and may be removed in future (LambdaPassedToTypeid.ql:27,39-47)
 edges
-| test.cpp:5:13:5:30 | [...](...){...} | test.cpp:8:38:8:39 | l1 | provenance | |
-| test.cpp:6:13:6:30 | [...](...){...} | test.cpp:9:38:9:39 | l2 | provenance | |
+| test.cpp:5:13:5:30 | [...](...){...} | test.cpp:5:13:5:30 | [...](...){...} | provenance | |
+| test.cpp:5:13:5:30 | [...](...){...} | test.cpp:8:38:8:39 | *l1 | provenance | |
+| test.cpp:6:13:6:30 | [...](...){...} | test.cpp:6:13:6:30 | [...](...){...} | provenance | |
+| test.cpp:6:13:6:30 | [...](...){...} | test.cpp:9:38:9:39 | *l2 | provenance | |
 nodes
 | test.cpp:5:13:5:30 | [...](...){...} | semmle.label | [...](...){...} |
+| test.cpp:5:13:5:30 | [...](...){...} | semmle.label | [...](...){...} |
+| test.cpp:6:13:6:30 | [...](...){...} | semmle.label | [...](...){...} |
 | test.cpp:6:13:6:30 | [...](...){...} | semmle.label | [...](...){...} |
-| test.cpp:8:38:8:39 | l1 | semmle.label | l1 |
-| test.cpp:9:38:9:39 | l2 | semmle.label | l2 |
+| test.cpp:8:38:8:39 | *l1 | semmle.label | *l1 |
+| test.cpp:9:38:9:39 | *l2 | semmle.label | *l2 |
 subpaths
 #select
-| test.cpp:8:38:8:39 | l1 | test.cpp:5:13:5:30 | [...](...){...} | test.cpp:8:38:8:39 | l1 | Lambda $@ passed as operand to typeid operator. | test.cpp:5:13:5:30 | [...](...){...} | expression |
-| test.cpp:9:38:9:39 | l2 | test.cpp:6:13:6:30 | [...](...){...} | test.cpp:9:38:9:39 | l2 | Lambda $@ passed as operand to typeid operator. | test.cpp:6:13:6:30 | [...](...){...} | expression |
+| test.cpp:8:38:8:39 | *l1 | test.cpp:5:13:5:30 | [...](...){...} | test.cpp:8:38:8:39 | *l1 | Lambda $@ passed as operand to typeid operator. | test.cpp:5:13:5:30 | [...](...){...} | expression |
+| test.cpp:9:38:9:39 | *l2 | test.cpp:6:13:6:30 | [...](...){...} | test.cpp:9:38:9:39 | *l2 | Lambda $@ passed as operand to typeid operator. | test.cpp:6:13:6:30 | [...](...){...} | expression |
From c989403c45d74dc98b8a757ff1a6d5909f38609c Mon Sep 17 00:00:00 2001
From: Jeroen Ketema
Date: Tue, 15 Jul 2025 21:00:26 +0200
Subject: [PATCH 59/88] Convert A8-4-12 to use the new dataflow library
---
 .../A8-4-12/UniquePtrPassedToFunctionWithImproperSemantics.ql | 2 +-
 .../UniquePtrPassedToFunctionWithImproperSemantics.expected | 2 --
 2 files changed, 1 insertion(+), 3 deletions(-)
diff --git a/cpp/autosar/src/rules/A8-4-12/UniquePtrPassedToFunctionWithImproperSemantics.ql b/cpp/autosar/src/rules/A8-4-12/UniquePtrPassedToFunctionWithImproperSemantics.ql
index 3cd310b59b..b18e89c343 100644
--- a/cpp/autosar/src/rules/A8-4-12/UniquePtrPassedToFunctionWithImproperSemantics.ql
+++ b/cpp/autosar/src/rules/A8-4-12/UniquePtrPassedToFunctionWithImproperSemantics.ql
@@ -18,7 +18,7 @@ import cpp
 import codingstandards.cpp.autosar
 import codingstandards.cpp.SmartPointers
 import codingstandards.cpp.standardlibrary.Utility
-import semmle.code.cpp.dataflow.DataFlow
+import semmle.code.cpp.dataflow.new.DataFlow
 Expr underlyingObjectAffectingUniquePointerExpr(Function f) {
 result =
diff --git a/cpp/autosar/test/rules/A8-4-12/UniquePtrPassedToFunctionWithImproperSemantics.expected b/cpp/autosar/test/rules/A8-4-12/UniquePtrPassedToFunctionWithImproperSemantics.expected
index 0a8ead4af8..a01b93335d 100644
--- a/cpp/autosar/test/rules/A8-4-12/UniquePtrPassedToFunctionWithImproperSemantics.expected
+++ b/cpp/autosar/test/rules/A8-4-12/UniquePtrPassedToFunctionWithImproperSemantics.expected
@@ -1,5 +1,3 @@ -WARNING: module 'DataFlow' has been deprecated and may be removed in future (UniquePtrPassedToFunctionWithImproperSemantics.ql:41,3-11) -WARNING: module 'DataFlow' has been deprecated and may be removed in future (UniquePtrPassedToFunctionWithImproperSemantics.ql:51,5-13) | test.cpp:13:55:13:56 | v1 | Parameter of type std::unique_ptr passed as lvalue reference but not used to modify underlying object. | | test.cpp:17:47:17:48 | v1 | Parameter of type std::unique_ptr passed as lvalue reference but not used to modify underlying object. | | test.cpp:22:27:22:28 | v1 | Parameter of type std::unique_ptr passed as lvalue reference but not used to modify underlying object. | From abc8797acf990f337fe308692bd3ee3406801d7a Mon Sep 17 00:00:00 2001 From: Jeroen Ketema Date: Tue, 15 Jul 2025 21:08:18 +0200 Subject: [PATCH 60/88] Convert CTR52-CPP to the new dataflow library --- .../GuaranteeGenericCppLibraryFunctionsDoNotOverflow.ql | 2 +- ...anteeGenericCppLibraryFunctionsDoNotOverflow.expected | 9 --------- 2 files changed, 1 insertion(+), 10 deletions(-) diff --git a/cpp/cert/src/rules/CTR52-CPP/GuaranteeGenericCppLibraryFunctionsDoNotOverflow.ql b/cpp/cert/src/rules/CTR52-CPP/GuaranteeGenericCppLibraryFunctionsDoNotOverflow.ql index b022869136..188511f7db 100644 --- a/cpp/cert/src/rules/CTR52-CPP/GuaranteeGenericCppLibraryFunctionsDoNotOverflow.ql +++ b/cpp/cert/src/rules/CTR52-CPP/GuaranteeGenericCppLibraryFunctionsDoNotOverflow.ql @@ -21,7 +21,7 @@ import codingstandards.cpp.cert import codingstandards.cpp.Iterators import codingstandards.cpp.rules.containeraccesswithoutrangecheck.ContainerAccessWithoutRangeCheck as ContainerAccessWithoutRangeCheck import semmle.code.cpp.controlflow.Guards -import semmle.code.cpp.dataflow.TaintTracking +import semmle.code.cpp.dataflow.new.TaintTracking import semmle.code.cpp.valuenumbering.GlobalValueNumbering /** 
diff --git a/cpp/cert/test/rules/CTR52-CPP/GuaranteeGenericCppLibraryFunctionsDoNotOverflow.expected b/cpp/cert/test/rules/CTR52-CPP/GuaranteeGenericCppLibraryFunctionsDoNotOverflow.expected index 6be9fd55cc..4e87d1436c 100644 --- a/cpp/cert/test/rules/CTR52-CPP/GuaranteeGenericCppLibraryFunctionsDoNotOverflow.expected +++ b/cpp/cert/test/rules/CTR52-CPP/GuaranteeGenericCppLibraryFunctionsDoNotOverflow.expected 
@@ -1,12 +1,3 @@ -WARNING: module 'DataFlow' has been deprecated and may be removed in future (GuaranteeGenericCppLibraryFunctionsDoNotOverflow.ql:93,7-15) -WARNING: module 'DataFlow' has been deprecated and may be removed in future (GuaranteeGenericCppLibraryFunctionsDoNotOverflow.ql:93,27-35) -WARNING: module 'DataFlow' has been deprecated and may be removed in future (GuaranteeGenericCppLibraryFunctionsDoNotOverflow.ql:94,9-17) -WARNING: module 'DataFlow' has been deprecated and may be removed in future (GuaranteeGenericCppLibraryFunctionsDoNotOverflow.ql:98,9-17) -WARNING: module 'DataFlow' has been deprecated and may be removed in future (GuaranteeGenericCppLibraryFunctionsDoNotOverflow.ql:98,29-37) -WARNING: module 'DataFlow' has been deprecated and may be removed in future (GuaranteeGenericCppLibraryFunctionsDoNotOverflow.ql:99,11-19) -WARNING: module 'DataFlow' has been deprecated and may be removed in future (GuaranteeGenericCppLibraryFunctionsDoNotOverflow.ql:109,35-43) -WARNING: module 'DataFlow' has been deprecated and may be removed in future (GuaranteeGenericCppLibraryFunctionsDoNotOverflow.ql:110,11-19) -WARNING: module 'TaintTracking' has been deprecated and may be removed in future (GuaranteeGenericCppLibraryFunctionsDoNotOverflow.ql:109,9-22) | test.cpp:8:42:8:46 | call to begin | Output iterator for $@ is not guaranteed to be large enough for the input iterator. | test.cpp:8:3:8:11 | call to copy | call to copy | | test.cpp:17:42:17:46 | call to begin | Output iterator for $@ is not guaranteed to be large enough for the input iterator. | test.cpp:17:3:17:11 | call to copy | call to copy | | test.cpp:55:42:55:46 | call to begin | Output iterator for $@ is not guaranteed to be large enough for the input iterator. | test.cpp:55:3:55:11 | call to copy | call to copy | From 86f055dfb90a7f65e3dcc530dc83176143c3ecbb Mon Sep 17 00:00:00 2001 
From: Jeroen Ketema Date: Tue, 15 Jul 2025 21:10:55 +0200 Subject: [PATCH 61/88] Convert CTR53-CPP to the new dataflow library --- cpp/cert/src/rules/CTR53-CPP/UseValidIteratorRanges.ql | 2 +- .../test/rules/CTR53-CPP/UseValidIteratorRanges.expected | 6 ------ 2 files changed, 1 insertion(+), 7 deletions(-) diff --git a/cpp/cert/src/rules/CTR53-CPP/UseValidIteratorRanges.ql b/cpp/cert/src/rules/CTR53-CPP/UseValidIteratorRanges.ql index 1512a7fd99..58a7d20bed 100644 --- a/cpp/cert/src/rules/CTR53-CPP/UseValidIteratorRanges.ql +++ b/cpp/cert/src/rules/CTR53-CPP/UseValidIteratorRanges.ql @@ -19,7 +19,7 @@ import cpp import codingstandards.cpp.cert import codingstandards.cpp.Iterators -import semmle.code.cpp.dataflow.DataFlow +import semmle.code.cpp.dataflow.new.DataFlow predicate startEndArgumentsDoNotPointToTheSameContainer( IteratorRangeFunctionCall fc, Expr arg, string reason diff --git a/cpp/cert/test/rules/CTR53-CPP/UseValidIteratorRanges.expected b/cpp/cert/test/rules/CTR53-CPP/UseValidIteratorRanges.expected index d25d23185a..61260a0579 100644 --- a/cpp/cert/test/rules/CTR53-CPP/UseValidIteratorRanges.expected +++ b/cpp/cert/test/rules/CTR53-CPP/UseValidIteratorRanges.expected 
@@ -1,9 +1,3 @@ -WARNING: module 'DataFlow' has been deprecated and may be removed in future (UseValidIteratorRanges.ql:29,5-13) -WARNING: module 'DataFlow' has been deprecated and may be removed in future (UseValidIteratorRanges.ql:29,25-33) -WARNING: module 'DataFlow' has been deprecated and may be removed in future (UseValidIteratorRanges.ql:30,7-15) -WARNING: module 'DataFlow' has been deprecated and may be removed in future (UseValidIteratorRanges.ql:36,5-13) -WARNING: module 'DataFlow' has been deprecated and may be removed in future (UseValidIteratorRanges.ql:36,25-33) -WARNING: module 'DataFlow' has been deprecated and may be removed in future (UseValidIteratorRanges.ql:37,7-15) | test.cpp:7:3:7:15 | call to for_each | The $@ of iterator range function does not point to the end of an iterator. | test.cpp:7:28:7:32 | call to begin | argument | | test.cpp:7:3:7:15 | call to for_each | The $@ of iterator range function does not point to the start of an iterator. | test.cpp:7:19:7:21 | call to end | argument | | test.cpp:8:3:8:15 | call to for_each | The $@ of iterator range function does not point to the end of an iterator. | test.cpp:8:30:8:34 | call to begin | argument | From bfdf262d49e733f11909a194393146293d101bd2 Mon Sep 17 00:00:00 2001 From: Mathias Vorreiter Pedersen Date: Fri, 25 Jul 2025 17:35:26 +0100 Subject: [PATCH 62/88] C++: Block flow into thread-specific storage creating functions (i.e., *almost* the sources of the query) to remove false negatives. --- .../CON30-C/CleanUpThreadSpecificStorage.ql | 29 ++++++++++++++----- 1 file changed, 21 insertions(+), 8 deletions(-) diff --git a/c/cert/src/rules/CON30-C/CleanUpThreadSpecificStorage.ql b/c/cert/src/rules/CON30-C/CleanUpThreadSpecificStorage.ql index afa664448a..50ed7f0ff3 100644 --- a/c/cert/src/rules/CON30-C/CleanUpThreadSpecificStorage.ql +++ b/c/cert/src/rules/CON30-C/CleanUpThreadSpecificStorage.ql 
@@ -22,15 +22,28 @@ import codingstandards.c.cert import codingstandards.cpp.ConcurrencyNew import semmle.code.cpp.dataflow.new.DataFlow +newtype Direction = + Incoming() or + Outgoing() + +predicate isSource(DataFlow::Node node, Direction d) { + exists(TSSCreateFunctionCall tsc, Expr e | + // the only requirement of the source is that at some point + // it refers to the key of a create statement + e.getParent*() = tsc.getKey() + | + d = Outgoing() and + e = [node.asExpr(), node.asDefiningArgument()] + or + d = Incoming() and + e = [node.asExpr(), node.asIndirectArgument()] + ) +} + module TssCreateToTssDeleteConfig implements DataFlow::ConfigSig { - predicate isSource(DataFlow::Node node) { - exists(TSSCreateFunctionCall tsc, Expr e | - // the only requirement of the source is that at some point - // it refers to the key of a create statement - e.getParent*() = tsc.getKey() and - (e = node.asDefiningArgument() or e = node.asExpr()) - ) - } + predicate isSource(DataFlow::Node node) { isSource(node, Outgoing()) } + + predicate isBarrierIn(DataFlow::Node node) { isSource(node, Incoming()) } predicate isSink(DataFlow::Node node) { exists(TSSDeleteFunctionCall tsd, Expr e | From 086a4ed76a5122eef27f982f2233469169e56d46 Mon Sep 17 00:00:00 2001 From: Mathias Vorreiter Pedersen Date: Fri, 25 Jul 2025 17:36:05 +0100 Subject: [PATCH 63/88] C++: Accept test changes to another query. --- ...TimedlockOnInappropriateMutexType.expected | 22 +++++++++++++++++++ 1 file changed, 22 insertions(+) diff --git a/c/misra/test/rules/RULE-21-26/TimedlockOnInappropriateMutexType.expected b/c/misra/test/rules/RULE-21-26/TimedlockOnInappropriateMutexType.expected index 0a4c0a496a..34b92fee9e 100644 --- a/c/misra/test/rules/RULE-21-26/TimedlockOnInappropriateMutexType.expected +++ b/c/misra/test/rules/RULE-21-26/TimedlockOnInappropriateMutexType.expected 
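Review bot: The new `Direction` newtype and the top-level `isSource(DataFlow::Node, Direction)` predicate carry no QLDoc, and the predicate reuses the name of the module member that calls it, so the two are told apart only by arity. A distinct name such as `tssKeyNode` plus a comment along the lines of `/** Holds if `node` refers to the key of a `TSSCreateFunctionCall`: `Outgoing` matches the expression or its defining argument, `Incoming` the expression or its indirect argument. */` would make the intent readable without the commit message. Because `e = node.asExpr()` appears in both branches, every plain-expression source is also an in-barrier; that is presumably the intended way to stop earlier flow from reaching the source, and a one-line comment on `isBarrierIn` (`// block flow into the create call so its key node only ever acts as a source`) would keep a later reader from removing it.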
@@ -1,11 +1,25 @@ edges +| test.c:3:7:3:8 | *g1 | test.c:3:7:3:8 | *g1 | provenance | | +| test.c:3:7:3:8 | *g1 | test.c:14:17:14:19 | *& ... | provenance | | +| test.c:3:7:3:8 | *g1 | test.c:15:14:15:16 | *& ... | provenance | | +| test.c:4:7:4:8 | *g2 | test.c:4:7:4:8 | *g2 | provenance | | +| test.c:4:7:4:8 | *g2 | test.c:18:17:18:19 | *& ... | provenance | | +| test.c:4:7:4:8 | *g2 | test.c:19:14:19:16 | *& ... | provenance | | +| test.c:10:24:10:24 | *m | test.c:10:24:10:24 | *m | provenance | | | test.c:10:24:10:24 | *m | test.c:10:43:10:43 | *m | provenance | | +| test.c:10:24:10:24 | *m | test.c:10:43:10:43 | *m | provenance | | +| test.c:13:12:13:14 | mtx_init output argument | test.c:3:7:3:8 | *g1 | provenance | | | test.c:13:12:13:14 | mtx_init output argument | test.c:14:17:14:19 | *& ... | provenance | | | test.c:13:12:13:14 | mtx_init output argument | test.c:15:14:15:16 | *& ... | provenance | | | test.c:15:14:15:16 | *& ... | test.c:10:24:10:24 | *m | provenance | | +| test.c:15:14:15:16 | *& ... | test.c:15:14:15:16 | doTimeLock output argument | provenance | | +| test.c:15:14:15:16 | doTimeLock output argument | test.c:3:7:3:8 | *g1 | provenance | | +| test.c:17:12:17:14 | mtx_init output argument | test.c:4:7:4:8 | *g2 | provenance | | | test.c:17:12:17:14 | mtx_init output argument | test.c:18:17:18:19 | *& ... | provenance | | | test.c:17:12:17:14 | mtx_init output argument | test.c:19:14:19:16 | *& ... | provenance | | | test.c:19:14:19:16 | *& ... | test.c:10:24:10:24 | *m | provenance | | +| test.c:19:14:19:16 | *& ... | test.c:19:14:19:16 | doTimeLock output argument | provenance | | +| test.c:19:14:19:16 | doTimeLock output argument | test.c:4:7:4:8 | *g2 | provenance | | | test.c:30:12:30:14 | mtx_init output argument | test.c:31:17:31:19 | *& ... | provenance | | | test.c:30:12:30:14 | mtx_init output argument | test.c:32:14:32:16 | *& ... | provenance | | | test.c:32:14:32:16 | *& ... | test.c:10:24:10:24 | *m | provenance | | 
@@ -16,14 +30,20 @@ edges | test.c:44:14:44:18 | *& ... | test.c:10:24:10:24 | *m | provenance | | | test.c:44:15:44:16 | *l3 [m] | test.c:44:14:44:18 | *& ... | provenance | | nodes +| test.c:3:7:3:8 | *g1 | semmle.label | *g1 | +| test.c:4:7:4:8 | *g2 | semmle.label | *g2 | +| test.c:10:24:10:24 | *m | semmle.label | *m | +| test.c:10:24:10:24 | *m | semmle.label | *m | | test.c:10:24:10:24 | *m | semmle.label | *m | | test.c:10:43:10:43 | *m | semmle.label | *m | | test.c:13:12:13:14 | mtx_init output argument | semmle.label | mtx_init output argument | | test.c:14:17:14:19 | *& ... | semmle.label | *& ... | | test.c:15:14:15:16 | *& ... | semmle.label | *& ... | +| test.c:15:14:15:16 | doTimeLock output argument | semmle.label | doTimeLock output argument | | test.c:17:12:17:14 | mtx_init output argument | semmle.label | mtx_init output argument | | test.c:18:17:18:19 | *& ... | semmle.label | *& ... | | test.c:19:14:19:16 | *& ... | semmle.label | *& ... | +| test.c:19:14:19:16 | doTimeLock output argument | semmle.label | doTimeLock output argument | | test.c:30:12:30:14 | mtx_init output argument | semmle.label | mtx_init output argument | | test.c:31:17:31:19 | *& ... | semmle.label | *& ... | | test.c:32:14:32:16 | *& ... | semmle.label | *& ... | 
@@ -34,6 +54,8 @@ nodes | test.c:44:14:44:18 | *& ... | semmle.label | *& ... | | test.c:44:15:44:16 | *l3 [m] | semmle.label | *l3 [m] | subpaths +| test.c:15:14:15:16 | *& ... | test.c:10:24:10:24 | *m | test.c:10:24:10:24 | *m | test.c:15:14:15:16 | doTimeLock output argument | +| test.c:19:14:19:16 | *& ... | test.c:10:24:10:24 | *m | test.c:10:24:10:24 | *m | test.c:19:14:19:16 | doTimeLock output argument | #select | test.c:10:43:10:43 | *m | test.c:13:12:13:14 | mtx_init output argument | test.c:10:43:10:43 | *m | Call to mtx_timedlock with mutex which is $@ without flag 'mtx_timed'. | test.c:13:12:13:14 | mtx_init output argument | initialized | | test.c:10:43:10:43 | *m | test.c:17:12:17:14 | mtx_init output argument | test.c:10:43:10:43 | *m | Call to mtx_timedlock with mutex which is $@ without flag 'mtx_timed'. | test.c:17:12:17:14 | mtx_init output argument | initialized | From f0d46940e090beb226fb9919d3b4eea0d2fae665 Mon Sep 17 00:00:00 2001 From: Jeroen Ketema Date: Fri, 15 Aug 2025 16:41:41 +0200 Subject: [PATCH 64/88] Convert `ThrowingOperatorNewReturnsNull` to the new dataflow library --- .../ThrowingOperatorNewReturnsNull.qll | 2 +- .../ThrowingOperatorNewReturnsNull.expected | 8 +++++++- 2 files changed, 8 insertions(+), 2 deletions(-) diff --git a/cpp/common/src/codingstandards/cpp/rules/throwingoperatornewreturnsnull/ThrowingOperatorNewReturnsNull.qll b/cpp/common/src/codingstandards/cpp/rules/throwingoperatornewreturnsnull/ThrowingOperatorNewReturnsNull.qll index e28ef7ab07..827bfc7c7e 100644 --- a/cpp/common/src/codingstandards/cpp/rules/throwingoperatornewreturnsnull/ThrowingOperatorNewReturnsNull.qll +++ b/cpp/common/src/codingstandards/cpp/rules/throwingoperatornewreturnsnull/ThrowingOperatorNewReturnsNull.qll 
@@ -4,7 +4,7 @@ */ import cpp -import semmle.code.cpp.dataflow.DataFlow +import semmle.code.cpp.dataflow.new.DataFlow import codingstandards.cpp.allocations.CustomOperatorNewDelete import codingstandards.cpp.exceptions.ExceptionSpecifications import codingstandards.cpp.Customizations diff --git a/cpp/common/test/rules/throwingoperatornewreturnsnull/ThrowingOperatorNewReturnsNull.expected b/cpp/common/test/rules/throwingoperatornewreturnsnull/ThrowingOperatorNewReturnsNull.expected index 5e047a77da..5b77245dbd 100644 --- a/cpp/common/test/rules/throwingoperatornewreturnsnull/ThrowingOperatorNewReturnsNull.expected +++ b/cpp/common/test/rules/throwingoperatornewreturnsnull/ThrowingOperatorNewReturnsNull.expected 
@@ -3,10 +3,16 @@ problems | test.cpp:12:5:12:19 | return ... | test.cpp:12:12:12:18 | 0 | test.cpp:12:12:12:18 | 0 | operator new(size_t) may return null instead of throwing a std::bad_alloc exception. | | test.cpp:14:5:14:33 | return ... | test.cpp:4:10:4:23 | call to operator new | test.cpp:14:12:14:26 | call to can_return_null | operator new(size_t) may return null instead of throwing a std::bad_alloc exception. | edges -| test.cpp:4:10:4:23 | call to operator new | test.cpp:14:12:14:26 | call to can_return_null | provenance | | +| test.cpp:3:7:3:21 | *can_return_null | test.cpp:14:12:14:26 | call to can_return_null | provenance | | +| test.cpp:4:10:4:23 | call to operator new | test.cpp:3:7:3:21 | *can_return_null | provenance | | +| test.cpp:4:10:4:23 | call to operator new | test.cpp:4:10:4:23 | call to operator new | provenance | | +| test.cpp:8:23:8:23 | 0 | test.cpp:8:23:8:23 | 0 | provenance | | | test.cpp:8:23:8:23 | 0 | test.cpp:10:12:10:24 | localVariable | provenance | | nodes +| test.cpp:3:7:3:21 | *can_return_null | semmle.label | *can_return_null | | test.cpp:4:10:4:23 | call to operator new | semmle.label | call to operator new | +| test.cpp:4:10:4:23 | call to operator new | semmle.label | call to operator new | +| test.cpp:8:23:8:23 | 0 | semmle.label | 0 | | test.cpp:8:23:8:23 | 0 | semmle.label | 0 | | test.cpp:10:12:10:24 | localVariable | semmle.label | localVariable | | test.cpp:12:12:12:18 | 0 | semmle.label | 0 | From b6a4ae9d8188b15a300b8a6421a8b4b662da00e2 Mon Sep 17 00:00:00 2001 From: Jeroen Ketema Date: Fri, 15 Aug 2025 16:43:04 +0200 Subject: [PATCH 65/88] Convert `PredicateFunctionObjectsShouldNotBeMutable` to the new dataflow library --- .../PredicateFunctionObjectsShouldNotBeMutable.qll | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) 
diff --git a/cpp/common/src/codingstandards/cpp/rules/predicatefunctionobjectsshouldnotbemutable/PredicateFunctionObjectsShouldNotBeMutable.qll b/cpp/common/src/codingstandards/cpp/rules/predicatefunctionobjectsshouldnotbemutable/PredicateFunctionObjectsShouldNotBeMutable.qll index ba2f6ed82a..7e3732fab0 100644 --- a/cpp/common/src/codingstandards/cpp/rules/predicatefunctionobjectsshouldnotbemutable/PredicateFunctionObjectsShouldNotBeMutable.qll +++ b/cpp/common/src/codingstandards/cpp/rules/predicatefunctionobjectsshouldnotbemutable/PredicateFunctionObjectsShouldNotBeMutable.qll @@ -9,7 +9,7 @@ import codingstandards.cpp.Customizations import codingstandards.cpp.Exclusions import codingstandards.cpp.SideEffect import codingstandards.cpp.sideeffect.DefaultEffects -import semmle.code.cpp.dataflow.DataFlow +import semmle.code.cpp.dataflow.new.DataFlow abstract class PredicateFunctionObjectsShouldNotBeMutableSharedQuery extends Query { } From ca1667f16396a64dcf6c7635555da111dc06f993 Mon Sep 17 00:00:00 2001 From: Jeroen Ketema Date: Fri, 15 Aug 2025 16:43:45 +0200 Subject: [PATCH 66/88] Remove redundant dataflow import --- .../PlacementNewInsufficientStorage.qll | 1 - .../PlacementNewNotProperlyAligned.qll | 1 - 2 files changed, 2 deletions(-) diff --git a/cpp/common/src/codingstandards/cpp/rules/placementnewinsufficientstorage/PlacementNewInsufficientStorage.qll b/cpp/common/src/codingstandards/cpp/rules/placementnewinsufficientstorage/PlacementNewInsufficientStorage.qll index 6b2c6c87c9..6eda89ed0b 100644 --- a/cpp/common/src/codingstandards/cpp/rules/placementnewinsufficientstorage/PlacementNewInsufficientStorage.qll +++ b/cpp/common/src/codingstandards/cpp/rules/placementnewinsufficientstorage/PlacementNewInsufficientStorage.qll 
@@ -7,7 +7,6 @@ import cpp import codingstandards.cpp.Customizations import codingstandards.cpp.Exclusions import codingstandards.cpp.allocations.PlacementNew -import semmle.code.cpp.dataflow.DataFlow import PlacementNewOriginFlow::PathGraph abstract class PlacementNewInsufficientStorageSharedQuery extends Query { } diff --git a/cpp/common/src/codingstandards/cpp/rules/placementnewnotproperlyaligned/PlacementNewNotProperlyAligned.qll b/cpp/common/src/codingstandards/cpp/rules/placementnewnotproperlyaligned/PlacementNewNotProperlyAligned.qll index d250061a23..edbb5b8979 100644 --- a/cpp/common/src/codingstandards/cpp/rules/placementnewnotproperlyaligned/PlacementNewNotProperlyAligned.qll +++ b/cpp/common/src/codingstandards/cpp/rules/placementnewnotproperlyaligned/PlacementNewNotProperlyAligned.qll @@ -7,7 +7,6 @@ import cpp import codingstandards.cpp.Customizations import codingstandards.cpp.Exclusions import codingstandards.cpp.allocations.PlacementNew -import semmle.code.cpp.dataflow.DataFlow import PlacementNewOriginFlow::PathGraph abstract class PlacementNewNotProperlyAlignedSharedQuery extends Query { } From e643526184c5439d85a3c100965386257732a198 Mon Sep 17 00:00:00 2001 From: Jeroen Ketema Date: Fri, 15 Aug 2025 16:44:54 +0200 Subject: [PATCH 67/88] Convert `OnlyFreeMemoryAllocatedDynamicallyShared` to the new dataflow library --- .../OnlyFreeMemoryAllocatedDynamicallyShared.expected | 6 +++++- .../OnlyFreeMemoryAllocatedDynamicallyShared.qll | 2 +- 2 files changed, 6 insertions(+), 2 deletions(-) diff --git a/c/common/test/rules/onlyfreememoryallocateddynamicallyshared/OnlyFreeMemoryAllocatedDynamicallyShared.expected b/c/common/test/rules/onlyfreememoryallocateddynamicallyshared/OnlyFreeMemoryAllocatedDynamicallyShared.expected index a6c41a6d75..cdfabea26c 100644 --- a/c/common/test/rules/onlyfreememoryallocateddynamicallyshared/OnlyFreeMemoryAllocatedDynamicallyShared.expected 
+++ b/c/common/test/rules/onlyfreememoryallocateddynamicallyshared/OnlyFreeMemoryAllocatedDynamicallyShared.expected @@ -7,8 +7,10 @@ problems | test.c:26:8:26:8 | p | test.c:25:13:25:14 | & ... | test.c:26:8:26:8 | p | Free expression frees memory which was not dynamically allocated. | edges | test.c:18:24:18:26 | ptr | test.c:18:36:18:38 | ptr | provenance | | +| test.c:25:13:25:14 | & ... | test.c:25:13:25:14 | & ... | provenance | | | test.c:25:13:25:14 | & ... | test.c:26:8:26:8 | p | provenance | | -| test.c:27:7:27:8 | & ... | test.c:28:15:28:15 | p | provenance | | +| test.c:27:3:27:8 | ... = ... | test.c:28:15:28:15 | p | provenance | | +| test.c:27:7:27:8 | & ... | test.c:27:3:27:8 | ... = ... | provenance | | | test.c:28:15:28:15 | p | test.c:18:24:18:26 | ptr | provenance | | nodes | test.c:8:8:8:10 | g_p | semmle.label | g_p | @@ -18,7 +20,9 @@ nodes | test.c:18:24:18:26 | ptr | semmle.label | ptr | | test.c:18:36:18:38 | ptr | semmle.label | ptr | | test.c:25:13:25:14 | & ... | semmle.label | & ... | +| test.c:25:13:25:14 | & ... | semmle.label | & ... | | test.c:26:8:26:8 | p | semmle.label | p | +| test.c:27:3:27:8 | ... = ... | semmle.label | ... = ... | | test.c:27:7:27:8 | & ... | semmle.label | & ... | | test.c:28:15:28:15 | p | semmle.label | p | subpaths diff --git a/cpp/common/src/codingstandards/cpp/rules/onlyfreememoryallocateddynamicallyshared/OnlyFreeMemoryAllocatedDynamicallyShared.qll b/cpp/common/src/codingstandards/cpp/rules/onlyfreememoryallocateddynamicallyshared/OnlyFreeMemoryAllocatedDynamicallyShared.qll index 89c732ff5a..d89755c999 100644 --- a/cpp/common/src/codingstandards/cpp/rules/onlyfreememoryallocateddynamicallyshared/OnlyFreeMemoryAllocatedDynamicallyShared.qll +++ b/cpp/common/src/codingstandards/cpp/rules/onlyfreememoryallocateddynamicallyshared/OnlyFreeMemoryAllocatedDynamicallyShared.qll 
@@ -7,7 +7,7 @@ import cpp import codingstandards.cpp.Customizations import codingstandards.cpp.Exclusions import codingstandards.cpp.Allocations -import semmle.code.cpp.dataflow.DataFlow +import semmle.code.cpp.dataflow.new.DataFlow import NonDynamicPointerToFreeFlow::PathGraph /** From 0f50470feabd73615dc2a00a9f06bc55143a9d11 Mon Sep 17 00:00:00 2001 From: Jeroen Ketema Date: Fri, 15 Aug 2025 16:45:40 +0200 Subject: [PATCH 68/88] Convert `InvalidatedEnvStringPointers` to the new dataflow library --- .../InvalidatedEnvStringPointers.qll | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/cpp/common/src/codingstandards/cpp/rules/invalidatedenvstringpointers/InvalidatedEnvStringPointers.qll b/cpp/common/src/codingstandards/cpp/rules/invalidatedenvstringpointers/InvalidatedEnvStringPointers.qll index 50b27d819d..38215c602f 100644 --- a/cpp/common/src/codingstandards/cpp/rules/invalidatedenvstringpointers/InvalidatedEnvStringPointers.qll +++ b/cpp/common/src/codingstandards/cpp/rules/invalidatedenvstringpointers/InvalidatedEnvStringPointers.qll @@ -6,7 +6,7 @@ import cpp import codingstandards.cpp.Customizations import codingstandards.cpp.Exclusions -import semmle.code.cpp.dataflow.DataFlow +import semmle.code.cpp.dataflow.new.DataFlow abstract class InvalidatedEnvStringPointersSharedQuery extends Query { } From 493a4c152065e1c92685a9c4fab99d7f4a65d57c Mon Sep 17 00:00:00 2001 From: Jeroen Ketema Date: Mon, 18 Aug 2025 11:20:34 +0200 Subject: [PATCH 69/88] Convert `FunctionErroneousReturnValueNotTested` to the new dataflow library --- .../FunctionErroneousReturnValueNotTested.qll | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/cpp/common/src/codingstandards/cpp/rules/functionerroneousreturnvaluenottested/FunctionErroneousReturnValueNotTested.qll b/cpp/common/src/codingstandards/cpp/rules/functionerroneousreturnvaluenottested/FunctionErroneousReturnValueNotTested.qll index 93177e4f46..e7e25cf7b0 100644 
--- a/cpp/common/src/codingstandards/cpp/rules/functionerroneousreturnvaluenottested/FunctionErroneousReturnValueNotTested.qll +++ b/cpp/common/src/codingstandards/cpp/rules/functionerroneousreturnvaluenottested/FunctionErroneousReturnValueNotTested.qll @@ -4,7 +4,7 @@ import cpp import codingstandards.cpp.Customizations -import semmle.code.cpp.dataflow.DataFlow +import semmle.code.cpp.dataflow.new.DataFlow import semmle.code.cpp.controlflow.Guards import codingstandards.cpp.Exclusions From 8a672b1978a3acf7f4ae5976a832df20d9cc6baa Mon Sep 17 00:00:00 2001 From: Jeroen Ketema Date: Mon, 18 Aug 2025 11:33:39 +0200 Subject: [PATCH 70/88] Update `DoNotPassAliasedPointerToRestrictQualifiedParamShared` to the new dataflow library --- .../DoNotPassAliasedPointerToRestrictQualifiedParamShared.qll | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/cpp/common/src/codingstandards/cpp/rules/donotpassaliasedpointertorestrictqualifiedparamshared/DoNotPassAliasedPointerToRestrictQualifiedParamShared.qll b/cpp/common/src/codingstandards/cpp/rules/donotpassaliasedpointertorestrictqualifiedparamshared/DoNotPassAliasedPointerToRestrictQualifiedParamShared.qll index 79eda7714d..edd3e8305e 100644 --- a/cpp/common/src/codingstandards/cpp/rules/donotpassaliasedpointertorestrictqualifiedparamshared/DoNotPassAliasedPointerToRestrictQualifiedParamShared.qll +++ b/cpp/common/src/codingstandards/cpp/rules/donotpassaliasedpointertorestrictqualifiedparamshared/DoNotPassAliasedPointerToRestrictQualifiedParamShared.qll @@ -7,7 +7,7 @@ import codingstandards.cpp.Customizations import codingstandards.cpp.Exclusions import codingstandards.cpp.types.Pointers import codingstandards.cpp.Variable -import semmle.code.cpp.dataflow.DataFlow +import semmle.code.cpp.dataflow.new.DataFlow import semmle.code.cpp.pointsto.PointsTo import semmle.code.cpp.rangeanalysis.SimpleRangeAnalysis From 3bfaf5b9733572bb55bf5f753372063d61a2a7b0 Mon Sep 17 00:00:00 2001 
From: Jeroen Ketema Date: Tue, 19 Aug 2025 11:42:36 +0200 Subject: [PATCH 71/88] Convert M9-3-1 to the new dataflow library --- .../ConstMemberFunctionReturnsNonConstPointer.ql | 14 ++++++++------ ...stMemberFunctionReturnsNonConstPointer.expected | 2 -- 2 files changed, 8 insertions(+), 8 deletions(-) diff --git a/cpp/autosar/src/rules/M9-3-1/ConstMemberFunctionReturnsNonConstPointer.ql b/cpp/autosar/src/rules/M9-3-1/ConstMemberFunctionReturnsNonConstPointer.ql index 559b41527c..322430fa5b 100644 --- a/cpp/autosar/src/rules/M9-3-1/ConstMemberFunctionReturnsNonConstPointer.ql +++ b/cpp/autosar/src/rules/M9-3-1/ConstMemberFunctionReturnsNonConstPointer.ql @@ -18,7 +18,7 @@ import cpp import codingstandards.cpp.autosar -import semmle.code.cpp.dataflow.DataFlow +import semmle.code.cpp.dataflow.new.DataFlow class ReferenceTypeWithNonConstBaseType extends ReferenceType { ReferenceTypeWithNonConstBaseType() { not this.getBaseType().isConst() } @@ -46,14 +46,16 @@ class ConstMemberFunctionWithRetNonConst extends ConstMemberFunction { from ConstMemberFunctionWithRetNonConst fun, Locatable f where not isExcluded(fun, ConstPackage::constMemberFunctionReturnsNonConstPointerQuery()) and - exists(ReturnStmt ret | + exists(ReturnStmt ret, DataFlow::Node vaNode, DataFlow::Node retNode | ret.getEnclosingFunction() = fun and + retNode.asIndirectExpr() = ret.getExpr() and ( - f.(MemberVariable).getDeclaringType() = fun.getDeclaringType() and - DataFlow::localExprFlow(f.(MemberVariable).getAnAccess(), ret.getExpr()) + vaNode.asIndirectExpr() = f.(MemberVariable).getAnAccess() and + f.(MemberVariable).getDeclaringType() = fun.getDeclaringType() or - DataFlow::localExprFlow(f.(ThisExpr), ret.getExpr()) - ) + vaNode.asIndirectExpr() = f.(ThisExpr) + ) and + DataFlow::localFlow(vaNode, retNode) ) select fun, "Const member function returns a " + fun.getReturnTypeCategory() + " to class data $@.", f, f.toString() 
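Review bot: The move from `localExprFlow` on value nodes to `asIndirectExpr()` nodes is the real semantic change in the `@@ -46,14 +46,16 @@` hunk and is uncommented; since the matching test expectations only drop deprecation warnings, a reader cannot tell whether that choice is deliberate. A comment such as `// track the referent rather than the pointer value, so a pointer or reference to class data that reaches the return is reported` above the `exists` would document the intent. Because `asIndirectExpr()` presumably yields no node for an expression without an indirection, it is worth confirming, ideally with a test case, that members returned through a `ReferenceTypeWithNonConstBaseType` (in scope at the top of the file) are still matched. The rewritten `vaNode.asIndirectExpr() = f.(MemberVariable).getAnAccess()` joins every access of every member variable before the declaring-type and `localFlow` filters apply; restricting `vaNode` to `fun` (e.g. `vaNode.getFunction() = fun`) keeps that join small.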
diff --git a/cpp/autosar/test/rules/M9-3-1/ConstMemberFunctionReturnsNonConstPointer.expected b/cpp/autosar/test/rules/M9-3-1/ConstMemberFunctionReturnsNonConstPointer.expected index af7e9efc36..ee9652f505 100644 --- a/cpp/autosar/test/rules/M9-3-1/ConstMemberFunctionReturnsNonConstPointer.expected +++ b/cpp/autosar/test/rules/M9-3-1/ConstMemberFunctionReturnsNonConstPointer.expected @@ -1,5 +1,3 @@ -WARNING: module 'DataFlow' has been deprecated and may be removed in future (ConstMemberFunctionReturnsNonConstPointer.ql:53,7-15) -WARNING: module 'DataFlow' has been deprecated and may be removed in future (ConstMemberFunctionReturnsNonConstPointer.ql:55,7-15) | test.cpp:8:8:8:11 | getA | Const member function returns a pointer to class data $@. | test.cpp:3:8:3:8 | a | a | | test.cpp:9:8:9:11 | getB | Const member function returns a pointer to class data $@. | test.cpp:4:8:4:8 | b | b | | test.cpp:11:6:11:12 | getThis | Const member function returns a pointer to class data $@. | test.cpp:11:36:11:39 | this | this | From 56cc4553da1bc4e20c9cdc026d501f33dfc473d6 Mon Sep 17 00:00:00 2001 From: Jeroen Ketema Date: Tue, 19 Aug 2025 11:46:25 +0200 Subject: [PATCH 72/88] Convert A8-4-9 to the new dataflow library --- .../src/rules/A8-4-9/InOutParametersDeclaredAsTNotModified.ql | 2 +- .../rules/A8-4-9/InOutParametersDeclaredAsTNotModified.expected | 2 -- 2 files changed, 1 insertion(+), 3 deletions(-) diff --git a/cpp/autosar/src/rules/A8-4-9/InOutParametersDeclaredAsTNotModified.ql b/cpp/autosar/src/rules/A8-4-9/InOutParametersDeclaredAsTNotModified.ql index 3b30eb676a..a6df2fd5e5 100644 --- a/cpp/autosar/src/rules/A8-4-9/InOutParametersDeclaredAsTNotModified.ql +++ b/cpp/autosar/src/rules/A8-4-9/InOutParametersDeclaredAsTNotModified.ql 
@@ -21,7 +21,7 @@ import codingstandards.cpp.autosar import codingstandards.cpp.FunctionParameter import codingstandards.cpp.ConstHelpers import codingstandards.cpp.Operator -import semmle.code.cpp.dataflow.DataFlow +import semmle.code.cpp.dataflow.new.DataFlow /** * Non-const T& `Parameter`s to `Function`s diff --git a/cpp/autosar/test/rules/A8-4-9/InOutParametersDeclaredAsTNotModified.expected b/cpp/autosar/test/rules/A8-4-9/InOutParametersDeclaredAsTNotModified.expected index 25fe77d9a5..e3cfa71bb7 100644 --- a/cpp/autosar/test/rules/A8-4-9/InOutParametersDeclaredAsTNotModified.expected +++ b/cpp/autosar/test/rules/A8-4-9/InOutParametersDeclaredAsTNotModified.expected @@ -1,5 +1,3 @@ -WARNING: module 'DataFlow' has been deprecated and may be removed in future (InOutParametersDeclaredAsTNotModified.ql:50,7-15) -WARNING: module 'DataFlow' has been deprecated and may be removed in future (InOutParametersDeclaredAsTNotModified.ql:64,7-15) | test.cpp:4:13:4:13 | i | In-out parameter i that is not written to. | | test.cpp:7:22:7:24 | str | In-out parameter str that is not read from. | | test.cpp:18:14:18:14 | i | In-out parameter i that is not read from. | From 6384dbd64783d86cf0e9c0997f474881c6c8c403 Mon Sep 17 00:00:00 2001 From: Jeroen Ketema Date: Tue, 19 Aug 2025 11:50:04 +0200 Subject: [PATCH 73/88] Conver A8-4-11 to the new dataflow library --- .../A8-4-11/SmartPointerAsParameterWithoutLifetimeSemantics.ql | 2 +- .../SmartPointerAsParameterWithoutLifetimeSemantics.expected | 2 -- 2 files changed, 1 insertion(+), 3 deletions(-) diff --git a/cpp/autosar/src/rules/A8-4-11/SmartPointerAsParameterWithoutLifetimeSemantics.ql b/cpp/autosar/src/rules/A8-4-11/SmartPointerAsParameterWithoutLifetimeSemantics.ql index 0bf42ce4ca..83c73902db 100644 --- a/cpp/autosar/src/rules/A8-4-11/SmartPointerAsParameterWithoutLifetimeSemantics.ql +++ b/cpp/autosar/src/rules/A8-4-11/SmartPointerAsParameterWithoutLifetimeSemantics.ql 
@@ -16,7 +16,7 @@ import cpp import codingstandards.cpp.autosar import codingstandards.cpp.SmartPointers -import semmle.code.cpp.dataflow.DataFlow +import semmle.code.cpp.dataflow.new.DataFlow import codingstandards.cpp.standardlibrary.Utility Expr lifetimeAffectingSmartPointerExpr(Function f) { diff --git a/cpp/autosar/test/rules/A8-4-11/SmartPointerAsParameterWithoutLifetimeSemantics.expected b/cpp/autosar/test/rules/A8-4-11/SmartPointerAsParameterWithoutLifetimeSemantics.expected index 2ce56fdce9..b751d81835 100644 --- a/cpp/autosar/test/rules/A8-4-11/SmartPointerAsParameterWithoutLifetimeSemantics.expected +++ b/cpp/autosar/test/rules/A8-4-11/SmartPointerAsParameterWithoutLifetimeSemantics.expected @@ -1,5 +1,3 @@ -WARNING: module 'DataFlow' has been deprecated and may be removed in future (SmartPointerAsParameterWithoutLifetimeSemantics.ql:47,3-11) -WARNING: module 'DataFlow' has been deprecated and may be removed in future (SmartPointerAsParameterWithoutLifetimeSemantics.ql:56,5-13) | test.cpp:7:41:7:43 | up1 | Function $@ takes smart pointer parameter 'up1' but does not implement any lifetime-affecting operations. | test.cpp:7:6:7:18 | smart_ptr_get | smart_ptr_get | | test.cpp:16:53:16:55 | sp1 | Function $@ takes smart pointer parameter 'sp1' but does not implement any lifetime-affecting operations. | test.cpp:16:6:16:29 | smart_ptr_ref_assign_ref | smart_ptr_ref_assign_ref | | test.cpp:28:55:28:57 | sp1 | Function $@ takes smart pointer parameter 'sp1' but does not implement any lifetime-affecting operations. | test.cpp:28:6:28:31 | smart_ptr_ref_noncompliant | smart_ptr_ref_noncompliant | From 113c121660dbd44f04e3298680a9f36143f5d567 Mon Sep 17 00:00:00 2001 
From: Jeroen Ketema Date: Tue, 19 Aug 2025 13:41:50 +0200 Subject: [PATCH 74/88] Convert STR31-C to the new dataflow library --- .../StringsHasSufficientSpaceForTheNullTerminator.ql | 2 +- .../StringsHasSufficientSpaceForTheNullTerminator.expected | 6 ------ 2 files changed, 1 insertion(+), 7 deletions(-) diff --git a/c/cert/src/rules/STR31-C/StringsHasSufficientSpaceForTheNullTerminator.ql b/c/cert/src/rules/STR31-C/StringsHasSufficientSpaceForTheNullTerminator.ql index 437b13f7f9..15d895c1f0 100644 --- a/c/cert/src/rules/STR31-C/StringsHasSufficientSpaceForTheNullTerminator.ql +++ b/c/cert/src/rules/STR31-C/StringsHasSufficientSpaceForTheNullTerminator.ql @@ -20,7 +20,7 @@ import cpp import codingstandards.c.cert -import semmle.code.cpp.dataflow.TaintTracking +import semmle.code.cpp.dataflow.new.TaintTracking import codingstandards.cpp.PossiblyUnsafeStringOperation /** diff --git a/c/cert/test/rules/STR31-C/StringsHasSufficientSpaceForTheNullTerminator.expected b/c/cert/test/rules/STR31-C/StringsHasSufficientSpaceForTheNullTerminator.expected index 9a87a6775b..71e713d120 100644 --- a/c/cert/test/rules/STR31-C/StringsHasSufficientSpaceForTheNullTerminator.expected +++ b/c/cert/test/rules/STR31-C/StringsHasSufficientSpaceForTheNullTerminator.expected 
@@ -1,9 +1,3 @@ -WARNING: module 'DataFlow' has been deprecated and may be removed in future (StringsHasSufficientSpaceForTheNullTerminator.ql:62,31-39) -WARNING: module 'DataFlow' has been deprecated and may be removed in future (StringsHasSufficientSpaceForTheNullTerminator.ql:62,55-63) -WARNING: module 'DataFlow' has been deprecated and may be removed in future (StringsHasSufficientSpaceForTheNullTerminator.ql:68,31-39) -WARNING: module 'DataFlow' has been deprecated and may be removed in future (StringsHasSufficientSpaceForTheNullTerminator.ql:68,54-62) -WARNING: module 'TaintTracking' has been deprecated and may be removed in future (StringsHasSufficientSpaceForTheNullTerminator.ql:62,5-18) -WARNING: module 'TaintTracking' has been deprecated and may be removed in future (StringsHasSufficientSpaceForTheNullTerminator.ql:68,5-18) | test.c:10:20:10:24 | Cod | Expression produces or consumes a string that may not have sufficient space for a null-terminator. | | test.c:16:3:16:9 | call to strncpy | Expression produces or consumes a string that may not have sufficient space for a null-terminator. | | test.c:26:3:26:10 | call to snprintf | Expression produces or consumes a string that may not have sufficient space for a null-terminator. | From f265690c83a97734dbdedfb4781bca0040302f4d Mon Sep 17 00:00:00 2001 From: Jeroen Ketema Date: Tue, 19 Aug 2025 19:59:53 +0200 Subject: [PATCH 75/88] Convert `FileStreams.qll` to the new dataflow library --- .../src/codingstandards/cpp/standardlibrary/FileStreams.qll | 4 ++-- 1 file changed, 2 insertions(+), 2 deletions(-) diff --git a/cpp/common/src/codingstandards/cpp/standardlibrary/FileStreams.qll b/cpp/common/src/codingstandards/cpp/standardlibrary/FileStreams.qll index 99eec1f5e0..4714fde6a2 100644 --- a/cpp/common/src/codingstandards/cpp/standardlibrary/FileStreams.qll +++ b/cpp/common/src/codingstandards/cpp/standardlibrary/FileStreams.qll 
@@ -10,8 +10,8 @@ */ import cpp -private import semmle.code.cpp.dataflow.DataFlow -private import semmle.code.cpp.dataflow.TaintTracking +private import semmle.code.cpp.dataflow.new.DataFlow +private import semmle.code.cpp.dataflow.new.TaintTracking private import codingstandards.cpp.Operator /** From 146d85a95b44d094e7c886cae802d55cf8d0f517 Mon Sep 17 00:00:00 2001 From: Jeroen Ketema Date: Tue, 19 Aug 2025 20:00:30 +0200 Subject: [PATCH 76/88] Convert `DoNotAccessAClosedFile` to the new dataflow library --- .../donotaccessaclosedfile/DoNotAccessAClosedFile.qll | 7 ++++--- 1 file changed, 4 insertions(+), 3 deletions(-) diff --git a/cpp/common/src/codingstandards/cpp/rules/donotaccessaclosedfile/DoNotAccessAClosedFile.qll b/cpp/common/src/codingstandards/cpp/rules/donotaccessaclosedfile/DoNotAccessAClosedFile.qll index 83266ed524..86f50c7538 100644 --- a/cpp/common/src/codingstandards/cpp/rules/donotaccessaclosedfile/DoNotAccessAClosedFile.qll +++ b/cpp/common/src/codingstandards/cpp/rules/donotaccessaclosedfile/DoNotAccessAClosedFile.qll @@ -6,7 +6,7 @@ import cpp import codingstandards.cpp.Customizations import codingstandards.cpp.Exclusions -import semmle.code.cpp.dataflow.DataFlow +import semmle.code.cpp.dataflow.new.DataFlow import codingstandards.cpp.standardlibrary.FileAccess import semmle.code.cpp.controlflow.SubBasicBlocks @@ -40,9 +40,10 @@ SubBasicBlock followsFileClose(SubBasicBlock source, Expr closedFile) { // the argument of a call to function `fclose(FILE*)` is subsequently accessed predicate closedFileAccess(Expr closedFile, Expr fileAccess) { - exists(DataFlow::DefinitionByReferenceNode def | + exists(DataFlow::DefinitionByReferenceNode def, DataFlow::Node va | + va.asIndirectExpr() = fileAccess.(VariableAccess) and def.asDefiningArgument() = closedFile and - DataFlow::localFlow(def, DataFlow::exprNode(fileAccess.(VariableAccess))) + DataFlow::localFlow(def, va) ) } From 4d16b3b90813cd38be12c794962e7092cd44de8f Mon Sep 17 00:00:00 2001 
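Review bot: The line `va.asIndirectExpr() = fileAccess.(VariableAccess) and` carries the modelling decision of this hunk — the closed stream is now tracked as the pointed-to `FILE` object instead of the pointer value the removed `DataFlow::exprNode(...)` matched — but nothing in `closedFileAccess` says so, and a maintainer porting other queries will reach for `asExpr()` first. I would add above the `exists`: `// fclose(FILE*) defines its argument by reference, so (as I read the new library) the closed state is carried by the indirect, pointed-to node rather than by the pointer value.` The `fileAccess.(VariableAccess)` cast is unchanged, so an access to a closed stream that is not a plain variable access — an array element such as `files[i]`, for example — still falls outside this use-after-close check; if that is a known limitation it belongs in the same comment. The predicate sits entirely in the hunk, but `followsFileClose` above it starts outside.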
From: Jeroen Ketema Date: Thu, 21 Aug 2025 11:36:51 +0200 Subject: [PATCH 77/88] Update `OwnedPointerValueStoredInUnrelatedSmartPointer` to the new dataflow library Note this introduces some new results. This seems to be correct, as before the update the query seemed to have missed problems with code like the following: ```cpp void f3(int *v1) { int *v2 = v1; std::shared_ptr p1(v1); // NON_COMPLIANT new std::shared_ptr(p1.get()); // NON_COMPLIANT new std::shared_ptr(v2); // NON_COMPLIANT } void f4() { f3(new int(0)); } ``` --- ...nterValueStoredInUnrelatedSmartPointer.qll | 2 +- ...alueStoredInUnrelatedSmartPointer.expected | 42 ++++++++++++++----- 2 files changed, 32 insertions(+), 12 deletions(-) diff --git a/cpp/common/src/codingstandards/cpp/rules/ownedpointervaluestoredinunrelatedsmartpointer/OwnedPointerValueStoredInUnrelatedSmartPointer.qll b/cpp/common/src/codingstandards/cpp/rules/ownedpointervaluestoredinunrelatedsmartpointer/OwnedPointerValueStoredInUnrelatedSmartPointer.qll index 2ee92b1611..677271db44 100644 --- a/cpp/common/src/codingstandards/cpp/rules/ownedpointervaluestoredinunrelatedsmartpointer/OwnedPointerValueStoredInUnrelatedSmartPointer.qll +++ b/cpp/common/src/codingstandards/cpp/rules/ownedpointervaluestoredinunrelatedsmartpointer/OwnedPointerValueStoredInUnrelatedSmartPointer.qll @@ -8,7 +8,7 @@ import cpp import codingstandards.cpp.Customizations import codingstandards.cpp.Exclusions import codingstandards.cpp.SmartPointers -import semmle.code.cpp.dataflow.TaintTracking +import semmle.code.cpp.dataflow.new.TaintTracking import PointerToSmartPointerConstructorFlowFlow::PathGraph abstract class OwnedPointerValueStoredInUnrelatedSmartPointerSharedQuery extends Query { } 
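Review bot: The extra results this library switch produces are not new findings in the sense the commit message gives: the added `problems` rows in the expected file pair the three sinks that were already reported (`test.cpp:5:27`, `6:31`, `7:28`) with a second source, `test.cpp:4:13:4:14 | v1` — the read of `v1` in `int *v2 = v1;` — rather than reporting a new sink. Each of those sinks therefore now yields two alerts differing only in source, which looks like source duplication by the new library (note the new `v1 -> v1` self-edges at `test.cpp:4:13:4:14`) rather than added coverage; the configuration's `isSource` is not in this hunk, so I cannot tell whether a plain read of a pointer parameter is meant to qualify. If it is not, the fix belongs in `isSource` itself (limiting it to the owning expression, such as the `new`), not in a barrier — an `isBarrierIn` on sources would also cut the genuine path from `new` at 16:13 that now runs through `4:13 v1` to `7:28 v2` — and in either case the commit message should describe the rows as additional sources for existing sinks rather than previously missed problems.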
diff --git a/cpp/common/test/rules/ownedpointervaluestoredinunrelatedsmartpointer/OwnedPointerValueStoredInUnrelatedSmartPointer.expected b/cpp/common/test/rules/ownedpointervaluestoredinunrelatedsmartpointer/OwnedPointerValueStoredInUnrelatedSmartPointer.expected index 7790582443..00f3128a8b 100644 --- a/cpp/common/test/rules/ownedpointervaluestoredinunrelatedsmartpointer/OwnedPointerValueStoredInUnrelatedSmartPointer.expected +++ b/cpp/common/test/rules/ownedpointervaluestoredinunrelatedsmartpointer/OwnedPointerValueStoredInUnrelatedSmartPointer.expected 
@@ -1,44 +1,64 @@ problems +| test.cpp:5:27:5:28 | v1 | test.cpp:4:13:4:14 | v1 | test.cpp:5:27:5:28 | v1 | Raw pointer flows to initialize multiple unrelated smart pointers. | | test.cpp:5:27:5:28 | v1 | test.cpp:16:13:16:22 | new | test.cpp:5:27:5:28 | v1 | Raw pointer flows to initialize multiple unrelated smart pointers. | +| test.cpp:6:31:6:33 | call to get | test.cpp:4:13:4:14 | v1 | test.cpp:6:31:6:33 | call to get | Raw pointer flows to initialize multiple unrelated smart pointers. | | test.cpp:6:31:6:33 | call to get | test.cpp:16:13:16:22 | new | test.cpp:6:31:6:33 | call to get | Raw pointer flows to initialize multiple unrelated smart pointers. | +| test.cpp:7:28:7:29 | v2 | test.cpp:4:13:4:14 | v1 | test.cpp:7:28:7:29 | v2 | Raw pointer flows to initialize multiple unrelated smart pointers. | | test.cpp:7:28:7:29 | v2 | test.cpp:16:13:16:22 | new | test.cpp:7:28:7:29 | v2 | Raw pointer flows to initialize multiple unrelated smart pointers. | | test.cpp:11:28:11:29 | v2 | test.cpp:10:8:10:17 | new | test.cpp:11:28:11:29 | v2 | Raw pointer flows to initialize multiple unrelated smart pointers. | | test.cpp:12:28:12:29 | v2 | test.cpp:10:8:10:17 | new | test.cpp:12:28:12:29 | v2 | Raw pointer flows to initialize multiple unrelated smart pointers. | | test.cpp:17:27:17:28 | v1 | test.cpp:16:13:16:22 | new | test.cpp:17:27:17:28 | v1 | Raw pointer flows to initialize multiple unrelated smart pointers. 
| edges +| test.cpp:3:14:3:15 | v1 | test.cpp:4:13:4:14 | v1 | provenance | | | test.cpp:3:14:3:15 | v1 | test.cpp:5:27:5:28 | v1 | provenance | | | test.cpp:3:14:3:15 | v1 | test.cpp:5:27:5:28 | v1 | provenance | | -| test.cpp:3:14:3:15 | v1 | test.cpp:7:28:7:29 | v2 | provenance | | +| test.cpp:4:13:4:14 | v1 | test.cpp:4:13:4:14 | v1 | provenance | | +| test.cpp:4:13:4:14 | v1 | test.cpp:5:27:5:28 | v1 | provenance | | +| test.cpp:4:13:4:14 | v1 | test.cpp:5:27:5:28 | v1 | provenance | | | test.cpp:4:13:4:14 | v1 | test.cpp:7:28:7:29 | v2 | provenance | | -| test.cpp:5:27:5:28 | v1 | test.cpp:5:27:5:29 | call to shared_ptr | provenance | | -| test.cpp:5:27:5:28 | v1 | test.cpp:5:27:5:29 | call to shared_ptr | provenance | Config | -| test.cpp:5:27:5:29 | call to shared_ptr | test.cpp:6:28:6:29 | p1 | provenance | | -| test.cpp:5:27:5:29 | call to shared_ptr | test.cpp:6:28:6:29 | p1 | provenance | | +| test.cpp:4:13:4:14 | v1 | test.cpp:7:28:7:29 | v2 | provenance | | +| test.cpp:5:24:5:25 | call to shared_ptr | test.cpp:6:28:6:29 | p1 | provenance | | +| test.cpp:5:24:5:25 | call to shared_ptr | test.cpp:6:28:6:29 | p1 | provenance | | +| test.cpp:5:27:5:28 | v1 | test.cpp:5:24:5:25 | call to shared_ptr | provenance | Config | +| test.cpp:5:27:5:28 | v1 | test.cpp:5:24:5:25 | call to shared_ptr | provenance | Config | | test.cpp:6:28:6:29 | p1 | test.cpp:6:31:6:33 | call to get | provenance | Config | | test.cpp:6:28:6:29 | p1 | test.cpp:6:31:6:33 | call to get | provenance | Config | -| test.cpp:8:8:8:14 | 0 | test.cpp:9:28:9:29 | v2 | provenance | | -| test.cpp:10:8:10:17 | new | test.cpp:11:28:11:29 | v2 | provenance | | -| test.cpp:10:8:10:17 | new | test.cpp:12:28:12:29 | v2 | provenance | | +| test.cpp:8:3:8:14 | ... = ... | test.cpp:9:28:9:29 | v2 | provenance | | +| test.cpp:8:8:8:14 | 0 | test.cpp:8:3:8:14 | ... = ... | provenance | | +| test.cpp:10:3:10:17 | ... = ... | test.cpp:11:28:11:29 | v2 | provenance | | +| test.cpp:10:3:10:17 | ... = ... 
| test.cpp:11:28:11:29 | v2 | provenance | | +| test.cpp:10:8:10:17 | new | test.cpp:10:3:10:17 | ... = ... | provenance | | +| test.cpp:11:28:11:29 | v2 | test.cpp:12:28:12:29 | v2 | provenance | | +| test.cpp:16:13:16:22 | new | test.cpp:16:13:16:22 | new | provenance | | +| test.cpp:16:13:16:22 | new | test.cpp:17:27:17:28 | v1 | provenance | | | test.cpp:16:13:16:22 | new | test.cpp:17:27:17:28 | v1 | provenance | | -| test.cpp:16:13:16:22 | new | test.cpp:19:6:19:7 | v1 | provenance | | +| test.cpp:17:27:17:28 | v1 | test.cpp:19:6:19:7 | v1 | provenance | | | test.cpp:19:6:19:7 | v1 | test.cpp:3:14:3:15 | v1 | provenance | | nodes | test.cpp:3:14:3:15 | v1 | semmle.label | v1 | | test.cpp:4:13:4:14 | v1 | semmle.label | v1 | +| test.cpp:4:13:4:14 | v1 | semmle.label | v1 | +| test.cpp:4:13:4:14 | v1 | semmle.label | v1 | +| test.cpp:5:24:5:25 | call to shared_ptr | semmle.label | call to shared_ptr | +| test.cpp:5:24:5:25 | call to shared_ptr | semmle.label | call to shared_ptr | +| test.cpp:5:27:5:28 | v1 | semmle.label | v1 | | test.cpp:5:27:5:28 | v1 | semmle.label | v1 | | test.cpp:5:27:5:28 | v1 | semmle.label | v1 | -| test.cpp:5:27:5:29 | call to shared_ptr | semmle.label | call to shared_ptr | -| test.cpp:5:27:5:29 | call to shared_ptr | semmle.label | call to shared_ptr | | test.cpp:6:28:6:29 | p1 | semmle.label | p1 | | test.cpp:6:28:6:29 | p1 | semmle.label | p1 | | test.cpp:6:31:6:33 | call to get | semmle.label | call to get | | test.cpp:7:28:7:29 | v2 | semmle.label | v2 | +| test.cpp:8:3:8:14 | ... = ... | semmle.label | ... = ... | | test.cpp:8:8:8:14 | 0 | semmle.label | 0 | | test.cpp:9:28:9:29 | v2 | semmle.label | v2 | +| test.cpp:10:3:10:17 | ... = ... | semmle.label | ... = ... 
| | test.cpp:10:8:10:17 | new | semmle.label | new | | test.cpp:11:28:11:29 | v2 | semmle.label | v2 | +| test.cpp:11:28:11:29 | v2 | semmle.label | v2 | | test.cpp:12:28:12:29 | v2 | semmle.label | v2 | | test.cpp:16:13:16:22 | new | semmle.label | new | +| test.cpp:16:13:16:22 | new | semmle.label | new | +| test.cpp:17:27:17:28 | v1 | semmle.label | v1 | | test.cpp:17:27:17:28 | v1 | semmle.label | v1 | | test.cpp:19:6:19:7 | v1 | semmle.label | v1 | subpaths From 3b05adcb15a67e3a31f964989afbc1006860107a Mon Sep 17 00:00:00 2001 From: Jeroen Ketema Date: Thu, 21 Aug 2025 13:44:22 +0200 Subject: [PATCH 78/88] Update `MovedFromObjectsUnspecifiedState` to the new dataflow library --- .../MovedFromObjectsUnspecifiedState.qll | 9 +++++---- .../MovedFromObjectsUnspecifiedState.expected | 2 +- 2 files changed, 6 insertions(+), 5 deletions(-) diff --git a/cpp/common/src/codingstandards/cpp/rules/movedfromobjectsunspecifiedstate/MovedFromObjectsUnspecifiedState.qll b/cpp/common/src/codingstandards/cpp/rules/movedfromobjectsunspecifiedstate/MovedFromObjectsUnspecifiedState.qll index f17da7e457..ad1d9f009f 100644 --- a/cpp/common/src/codingstandards/cpp/rules/movedfromobjectsunspecifiedstate/MovedFromObjectsUnspecifiedState.qll +++ b/cpp/common/src/codingstandards/cpp/rules/movedfromobjectsunspecifiedstate/MovedFromObjectsUnspecifiedState.qll @@ -4,7 +4,7 @@ */ import cpp -import semmle.code.cpp.dataflow.DataFlow +import semmle.code.cpp.dataflow.new.DataFlow import codingstandards.cpp.Exclusions import codingstandards.cpp.standardlibrary.Utility 
@@ -75,9 +75,10 @@ query predicate problems(Expr e, string message, StdMoveCall f, string argDesc)
 not e instanceof ReassignedExpression and
 // object moved to safe functions are preserved
 not exists(SafeRead safe | f = safe.getArgument(0)) and
- exists(DataFlow::DefinitionByReferenceNode def |
- def.asDefiningArgument() = f and
- DataFlow::localFlow(def, DataFlow::exprNode(e))
+ exists(DataFlow::DefinitionByReferenceNode def, DataFlow::Node n |
+ f.getArgument(0) = def.getArgument() and
+ n.asIndirectExpr() = e and
+ DataFlow::localFlow(def, n)
 ) and
 message = "The argument of the $@ may be indeterminate when accessed at this location." and
 argDesc = f.toString()
diff --git a/cpp/common/test/rules/movedfromobjectsunspecifiedstate/MovedFromObjectsUnspecifiedState.expected b/cpp/common/test/rules/movedfromobjectsunspecifiedstate/MovedFromObjectsUnspecifiedState.expected
index 7f8c6b9a50..48cce53ea6 100644
--- a/cpp/common/test/rules/movedfromobjectsunspecifiedstate/MovedFromObjectsUnspecifiedState.expected
+++ b/cpp/common/test/rules/movedfromobjectsunspecifiedstate/MovedFromObjectsUnspecifiedState.expected
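Review bot: The added `f.getArgument(0) = def.getArgument()` changes what counts as the reference-defining call — the removed `def.asDefiningArgument() = f` required the `std::move(...)` call itself to be an argument defined by reference, whereas now the `std::move` call is the defining call and its operand the defined argument — and nothing in the hunk explains that shift or why `n.asIndirectExpr() = e` (the pointed-to object, not the expression value) is the right target. A comment above the `exists` such as `// std::move takes its operand by reference, so treat the call as defining that argument and follow the object (indirect node) to later accesses` would record it. The expected-file change in this commit replaces the `call to basic_string` result at `test.cpp:31:11:31:22` with `call to move` at `31:11:31:19`, i.e. the move call is now itself reported as the place where the moved-from object is accessed; if that is not intended, `not e = f and` next to `not e instanceof ReassignedExpression and` would drop it, and otherwise the reason belongs in a comment in the test. The `problems` predicate opens and closes outside this hunk.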
@@ -1,5 +1,5 @@ | test.cpp:9:16:9:17 | s1 | The argument of the $@ may be indeterminate when accessed at this location. | test.cpp:7:18:7:26 | call to move | call to move | | test.cpp:30:5:30:5 | s | The argument of the $@ may be indeterminate when accessed at this location. | test.cpp:31:11:31:19 | call to move | call to move | -| test.cpp:31:11:31:22 | call to basic_string | The argument of the $@ may be indeterminate when accessed at this location. | test.cpp:31:11:31:19 | call to move | call to move | +| test.cpp:31:11:31:19 | call to move | The argument of the $@ may be indeterminate when accessed at this location. | test.cpp:31:11:31:19 | call to move | call to move | | test.cpp:31:21:31:21 | s | The argument of the $@ may be indeterminate when accessed at this location. | test.cpp:31:11:31:19 | call to move | call to move | | test.cpp:79:16:79:23 | s_global | The argument of the $@ may be indeterminate when accessed at this location. | test.cpp:78:18:78:26 | call to move | call to move | From ab5a471496e2eb7471cc4a6729b7ae67cfa84d87 Mon Sep 17 00:00:00 2001 From: Jeroen Ketema Date: Thu, 21 Aug 2025 13:54:43 +0200 Subject: [PATCH 79/88] Update `DoNotUseRelationalOperatorsWithDifferingArrays` to the new dataflow library --- ...ionalOperatorsWithDifferingArrays.expected | 38 +++++++++++-------- ...RelationalOperatorsWithDifferingArrays.qll | 4 +- ...ionalOperatorsWithDifferingArrays.expected | 38 +++++++++++-------- 3 files changed, 49 insertions(+), 31 deletions(-) diff --git a/c/common/test/rules/donotuserelationaloperatorswithdifferingarrays/DoNotUseRelationalOperatorsWithDifferingArrays.expected b/c/common/test/rules/donotuserelationaloperatorswithdifferingarrays/DoNotUseRelationalOperatorsWithDifferingArrays.expected index bda6c7ad05..8625b9793d 100644 --- a/c/common/test/rules/donotuserelationaloperatorswithdifferingarrays/DoNotUseRelationalOperatorsWithDifferingArrays.expected 
+++ b/c/common/test/rules/donotuserelationaloperatorswithdifferingarrays/DoNotUseRelationalOperatorsWithDifferingArrays.expected 
@@ -10,27 +10,35 @@ problems | test.c:25:7:25:14 | ... >= ... | test.c:7:14:7:15 | l1 | test.c:25:7:25:8 | p1 | Compare operation >= comparing left operand pointing to array $@ and other operand pointing to array $@. | test.c:2:7:2:8 | l1 | l1 | test.c:4:7:4:8 | l3 | l3 | | test.c:25:7:25:14 | ... >= ... | test.c:25:13:25:14 | l3 | test.c:25:13:25:14 | l3 | Compare operation >= comparing right operand pointing to array $@ and other operand pointing to array $@. | test.c:4:7:4:8 | l3 | l3 | test.c:2:7:2:8 | l1 | l1 | edges +| test.c:6:13:6:14 | l1 | test.c:6:13:6:14 | l1 | provenance | | | test.c:6:13:6:14 | l1 | test.c:13:12:13:13 | p0 | provenance | | -| test.c:7:14:7:15 | l1 | test.c:7:14:7:18 | access to array | provenance | Config | -| test.c:7:14:7:18 | access to array | test.c:11:7:11:8 | p1 | provenance | | -| test.c:7:14:7:18 | access to array | test.c:13:7:13:8 | p1 | provenance | | -| test.c:7:14:7:18 | access to array | test.c:15:13:15:14 | p1 | provenance | | -| test.c:7:14:7:18 | access to array | test.c:17:7:17:8 | p1 | provenance | | -| test.c:7:14:7:18 | access to array | test.c:23:13:23:14 | p1 | provenance | | -| test.c:7:14:7:18 | access to array | test.c:25:7:25:8 | p1 | provenance | | -| test.c:8:14:8:15 | l1 | test.c:8:14:8:18 | access to array | provenance | Config | -| test.c:8:14:8:18 | access to array | test.c:11:12:11:13 | p2 | provenance | | -| test.c:8:14:8:18 | access to array | test.c:21:7:21:8 | p2 | provenance | | -| test.c:9:14:9:15 | l2 | test.c:9:14:9:18 | access to array | provenance | Config | -| test.c:9:14:9:18 | access to array | test.c:21:12:21:13 | p3 | provenance | | +| test.c:7:13:7:18 | & ... | test.c:7:13:7:18 | & ... | provenance | | +| test.c:7:13:7:18 | & ... | test.c:11:7:11:8 | p1 | provenance | | +| test.c:7:13:7:18 | & ... | test.c:13:7:13:8 | p1 | provenance | | +| test.c:7:13:7:18 | & ... | test.c:15:13:15:14 | p1 | provenance | | +| test.c:7:13:7:18 | & ... 
| test.c:17:7:17:8 | p1 | provenance | | +| test.c:7:13:7:18 | & ... | test.c:23:13:23:14 | p1 | provenance | | +| test.c:7:13:7:18 | & ... | test.c:25:7:25:8 | p1 | provenance | | +| test.c:7:14:7:15 | l1 | test.c:7:13:7:18 | & ... | provenance | Config | +| test.c:8:13:8:18 | & ... | test.c:8:13:8:18 | & ... | provenance | | +| test.c:8:13:8:18 | & ... | test.c:11:12:11:13 | p2 | provenance | | +| test.c:8:13:8:18 | & ... | test.c:21:7:21:8 | p2 | provenance | | +| test.c:8:14:8:15 | l1 | test.c:8:13:8:18 | & ... | provenance | Config | +| test.c:9:13:9:18 | & ... | test.c:9:13:9:18 | & ... | provenance | | +| test.c:9:13:9:18 | & ... | test.c:21:12:21:13 | p3 | provenance | | +| test.c:9:14:9:15 | l2 | test.c:9:13:9:18 | & ... | provenance | Config | nodes | test.c:6:13:6:14 | l1 | semmle.label | l1 | +| test.c:6:13:6:14 | l1 | semmle.label | l1 | +| test.c:7:13:7:18 | & ... | semmle.label | & ... | +| test.c:7:13:7:18 | & ... | semmle.label | & ... | | test.c:7:14:7:15 | l1 | semmle.label | l1 | -| test.c:7:14:7:18 | access to array | semmle.label | access to array | +| test.c:8:13:8:18 | & ... | semmle.label | & ... | +| test.c:8:13:8:18 | & ... | semmle.label | & ... | | test.c:8:14:8:15 | l1 | semmle.label | l1 | -| test.c:8:14:8:18 | access to array | semmle.label | access to array | +| test.c:9:13:9:18 | & ... | semmle.label | & ... | +| test.c:9:13:9:18 | & ... | semmle.label | & ... | | test.c:9:14:9:15 | l2 | semmle.label | l2 | -| test.c:9:14:9:18 | access to array | semmle.label | access to array | | test.c:11:7:11:8 | p1 | semmle.label | p1 | | test.c:11:12:11:13 | p2 | semmle.label | p2 | | test.c:13:7:13:8 | p1 | semmle.label | p1 | 
diff --git a/cpp/common/src/codingstandards/cpp/rules/donotuserelationaloperatorswithdifferingarrays/DoNotUseRelationalOperatorsWithDifferingArrays.qll b/cpp/common/src/codingstandards/cpp/rules/donotuserelationaloperatorswithdifferingarrays/DoNotUseRelationalOperatorsWithDifferingArrays.qll index aa8fa29bfd..ca0aeb8618 100644 --- a/cpp/common/src/codingstandards/cpp/rules/donotuserelationaloperatorswithdifferingarrays/DoNotUseRelationalOperatorsWithDifferingArrays.qll +++ b/cpp/common/src/codingstandards/cpp/rules/donotuserelationaloperatorswithdifferingarrays/DoNotUseRelationalOperatorsWithDifferingArrays.qll @@ -7,7 +7,7 @@ import cpp import codingstandards.cpp.Customizations import codingstandards.cpp.Exclusions -import semmle.code.cpp.dataflow.DataFlow +import semmle.code.cpp.dataflow.new.DataFlow import ArrayToRelationalOperationOperandFlow::PathGraph abstract class DoNotUseRelationalOperatorsWithDifferingArraysSharedQuery extends Query { } @@ -43,6 +43,8 @@ module ArrayToRelationalOperationOperandConfig implements DataFlow::ConfigSig { // Add a flow step from the base to the array expression to track pointers to elements of the array. exists(ArrayExpr e | e.getArrayBase() = pred.asExpr() and e = succ.asExpr()) } + + predicate isBarrierIn(DataFlow::Node node) { isSource(node) } } module ArrayToRelationalOperationOperandFlow = diff --git a/cpp/common/test/rules/donotuserelationaloperatorswithdifferingarrays/DoNotUseRelationalOperatorsWithDifferingArrays.expected b/cpp/common/test/rules/donotuserelationaloperatorswithdifferingarrays/DoNotUseRelationalOperatorsWithDifferingArrays.expected index cab80e0fe0..94210200fc 100644 --- a/cpp/common/test/rules/donotuserelationaloperatorswithdifferingarrays/DoNotUseRelationalOperatorsWithDifferingArrays.expected +++ b/cpp/common/test/rules/donotuserelationaloperatorswithdifferingarrays/DoNotUseRelationalOperatorsWithDifferingArrays.expected 
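Review bot: The added `predicate isBarrierIn(DataFlow::Node node) { isSource(node) }` in `ArrayToRelationalOperationOperandConfig` is the one line of the hunk without a comment, while the extra flow step just above it explains itself; a reader has to infer from the expected-file change that it keeps flow from passing through a second array source. I would add `// Flow must not continue through another source: an operand is reported for the array it points into, not for every array on the way there.` — hedged, since `isSource` is outside the hunk. It is also worth confirming with a test that the barrier cannot drop a wanted path, for instance a pointer into a sub-array of a two-dimensional array, where the inner access may itself be a source and is reached from the outer one; the present test file appears to use only one-dimensional arrays (`l1`, `l2`, `l3`). The module body continues past `module ArrayToRelationalOperationOperandFlow =` outside the hunk.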
@@ -10,27 +10,35 @@ problems | test.cpp:25:7:25:14 | ... >= ... | test.cpp:7:14:7:15 | l1 | test.cpp:25:7:25:8 | p1 | Compare operation >= comparing left operand pointing to array $@ and other operand pointing to array $@. | test.cpp:2:7:2:8 | l1 | l1 | test.cpp:4:7:4:8 | l3 | l3 | | test.cpp:25:7:25:14 | ... >= ... | test.cpp:25:13:25:14 | l3 | test.cpp:25:13:25:14 | l3 | Compare operation >= comparing right operand pointing to array $@ and other operand pointing to array $@. | test.cpp:4:7:4:8 | l3 | l3 | test.cpp:2:7:2:8 | l1 | l1 | edges +| test.cpp:6:13:6:14 | l1 | test.cpp:6:13:6:14 | l1 | provenance | | | test.cpp:6:13:6:14 | l1 | test.cpp:13:12:13:13 | p0 | provenance | | -| test.cpp:7:14:7:15 | l1 | test.cpp:7:14:7:18 | access to array | provenance | Config | -| test.cpp:7:14:7:18 | access to array | test.cpp:11:7:11:8 | p1 | provenance | | -| test.cpp:7:14:7:18 | access to array | test.cpp:13:7:13:8 | p1 | provenance | | -| test.cpp:7:14:7:18 | access to array | test.cpp:15:13:15:14 | p1 | provenance | | -| test.cpp:7:14:7:18 | access to array | test.cpp:17:7:17:8 | p1 | provenance | | -| test.cpp:7:14:7:18 | access to array | test.cpp:23:13:23:14 | p1 | provenance | | -| test.cpp:7:14:7:18 | access to array | test.cpp:25:7:25:8 | p1 | provenance | | -| test.cpp:8:14:8:15 | l1 | test.cpp:8:14:8:18 | access to array | provenance | Config | -| test.cpp:8:14:8:18 | access to array | test.cpp:11:12:11:13 | p2 | provenance | | -| test.cpp:8:14:8:18 | access to array | test.cpp:21:7:21:8 | p2 | provenance | | -| test.cpp:9:14:9:15 | l2 | test.cpp:9:14:9:18 | access to array | provenance | Config | -| test.cpp:9:14:9:18 | access to array | test.cpp:21:12:21:13 | p3 | provenance | | +| test.cpp:7:13:7:18 | & ... | test.cpp:7:13:7:18 | & ... | provenance | | +| test.cpp:7:13:7:18 | & ... | test.cpp:11:7:11:8 | p1 | provenance | | +| test.cpp:7:13:7:18 | & ... | test.cpp:13:7:13:8 | p1 | provenance | | +| test.cpp:7:13:7:18 | & ... 
| test.cpp:15:13:15:14 | p1 | provenance | | +| test.cpp:7:13:7:18 | & ... | test.cpp:17:7:17:8 | p1 | provenance | | +| test.cpp:7:13:7:18 | & ... | test.cpp:23:13:23:14 | p1 | provenance | | +| test.cpp:7:13:7:18 | & ... | test.cpp:25:7:25:8 | p1 | provenance | | +| test.cpp:7:14:7:15 | l1 | test.cpp:7:13:7:18 | & ... | provenance | Config | +| test.cpp:8:13:8:18 | & ... | test.cpp:8:13:8:18 | & ... | provenance | | +| test.cpp:8:13:8:18 | & ... | test.cpp:11:12:11:13 | p2 | provenance | | +| test.cpp:8:13:8:18 | & ... | test.cpp:21:7:21:8 | p2 | provenance | | +| test.cpp:8:14:8:15 | l1 | test.cpp:8:13:8:18 | & ... | provenance | Config | +| test.cpp:9:13:9:18 | & ... | test.cpp:9:13:9:18 | & ... | provenance | | +| test.cpp:9:13:9:18 | & ... | test.cpp:21:12:21:13 | p3 | provenance | | +| test.cpp:9:14:9:15 | l2 | test.cpp:9:13:9:18 | & ... | provenance | Config | nodes | test.cpp:6:13:6:14 | l1 | semmle.label | l1 | +| test.cpp:6:13:6:14 | l1 | semmle.label | l1 | +| test.cpp:7:13:7:18 | & ... | semmle.label | & ... | +| test.cpp:7:13:7:18 | & ... | semmle.label | & ... | | test.cpp:7:14:7:15 | l1 | semmle.label | l1 | -| test.cpp:7:14:7:18 | access to array | semmle.label | access to array | +| test.cpp:8:13:8:18 | & ... | semmle.label | & ... | +| test.cpp:8:13:8:18 | & ... | semmle.label | & ... | | test.cpp:8:14:8:15 | l1 | semmle.label | l1 | -| test.cpp:8:14:8:18 | access to array | semmle.label | access to array | +| test.cpp:9:13:9:18 | & ... | semmle.label | & ... | +| test.cpp:9:13:9:18 | & ... | semmle.label | & ... | | test.cpp:9:14:9:15 | l2 | semmle.label | l2 | -| test.cpp:9:14:9:18 | access to array | semmle.label | access to array | | test.cpp:11:7:11:8 | p1 | semmle.label | p1 | | test.cpp:11:12:11:13 | p2 | semmle.label | p2 | | test.cpp:13:7:13:8 | p1 | semmle.label | p1 | From 590cd5adc03f536a761fdd328dd2fb2de4c5f2ec Mon Sep 17 00:00:00 2001 
From: Jeroen Ketema Date: Thu, 21 Aug 2025 15:19:27 +0200 Subject: [PATCH 80/88] Convert `DanglingCaptureWhenReturningLambdaObject` to the new dataflow library Note that this removes - what seems to be - a duplicated test result. --- .../DanglingCaptureWhenReturningLambdaObject.qll | 11 +++++++++-- .../DanglingCaptureWhenReturningLambdaObject.expected | 1 - 2 files changed, 9 insertions(+), 3 deletions(-) diff --git a/cpp/common/src/codingstandards/cpp/rules/danglingcapturewhenreturninglambdaobject/DanglingCaptureWhenReturningLambdaObject.qll b/cpp/common/src/codingstandards/cpp/rules/danglingcapturewhenreturninglambdaobject/DanglingCaptureWhenReturningLambdaObject.qll index 4ab01520f6..85fc15c565 100644 --- a/cpp/common/src/codingstandards/cpp/rules/danglingcapturewhenreturninglambdaobject/DanglingCaptureWhenReturningLambdaObject.qll +++ b/cpp/common/src/codingstandards/cpp/rules/danglingcapturewhenreturninglambdaobject/DanglingCaptureWhenReturningLambdaObject.qll @@ -5,7 +5,7 @@ */ import cpp -import semmle.code.cpp.dataflow.DataFlow +import semmle.code.cpp.dataflow.new.DataFlow import codingstandards.cpp.Customizations import codingstandards.cpp.Exclusions @@ -48,7 +48,14 @@ query predicate problems( not isExcluded(returnStmt, getQuery()) and lambda.getACapture() = danglingCapture and ( - DataFlow::localExprFlow(lambda, returnStmt.getExpr()) + returnStmt.getExpr() = lambda + or + exists(DataFlow::Node lambdaNode, DataFlow::Node returnNode | + lambdaNode.asExpr() = lambda and + returnNode.asIndirectExpr() = returnStmt.getExpr() + | + DataFlow::localFlow(lambdaNode, returnNode) + ) or // implement a rough heuristic to catch the results of constructors (such as std::function's) // which take an argument that has a dangling capture and flow to a return statement 
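Review bot: The replacement for `DataFlow::localExprFlow(lambda, returnStmt.getExpr())` pairs `lambdaNode.asExpr() = lambda` with `returnNode.asIndirectExpr() = returnStmt.getExpr()` and puts the syntactic `returnStmt.getExpr() = lambda` case in front; the asymmetry (value node for the closure, indirect node for the returned expression) and the reason the direct case needs its own disjunct are not explained anywhere in the hunk, so the next person touching `problems` may read it as a mistake. I would add above the `exists`: `// In the new library the closure value and the object handed to return are different nodes (asExpr vs. asIndirectExpr), and a lambda returned directly has no flow step between them, so that case is matched syntactically.` — this is my reading of the library, which is exactly why the author should write the rationale down. The dropped expected row (`test.cpp:26:18:26:42` against the surviving `26:17:26:42`) differs only in the lambda's start column, which supports the "duplicate" explanation in the commit message but is worth stating in the test file too.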
diff --git a/cpp/common/test/rules/danglingcapturewhenreturninglambdaobject/DanglingCaptureWhenReturningLambdaObject.expected b/cpp/common/test/rules/danglingcapturewhenreturninglambdaobject/DanglingCaptureWhenReturningLambdaObject.expected
index 15fe8afa2f..a85d60399f 100644
--- a/cpp/common/test/rules/danglingcapturewhenreturninglambdaobject/DanglingCaptureWhenReturningLambdaObject.expected
+++ b/cpp/common/test/rules/danglingcapturewhenreturninglambdaobject/DanglingCaptureWhenReturningLambdaObject.expected
@@ -1,7 +1,6 @@
 | test.cpp:6:3:6:12 | return ... | Returning lambda $@ with potentially dangling capture $@. | test.cpp:5:12:5:27 | [...](...){...} | object | test.cpp:5:21:5:21 | l1 | l1 |
 | test.cpp:17:5:17:36 | return ... | Returning lambda $@ with potentially dangling capture $@. | test.cpp:17:5:17:36 | [...](...){...} | object | test.cpp:17:27:17:27 | (captured this) | this |
 | test.cpp:27:5:27:17 | return ... | Returning lambda $@ with potentially dangling capture $@. | test.cpp:26:17:26:42 | [...](...){...} | object | test.cpp:26:33:26:33 | val | val |
-| test.cpp:27:5:27:17 | return ... | Returning lambda $@ with potentially dangling capture $@. | test.cpp:26:18:26:42 | [...](...){...} | object | test.cpp:26:33:26:33 | val | val |
 | test.cpp:33:3:33:33 | return ... | Returning lambda $@ with potentially dangling capture $@. | test.cpp:33:3:33:33 | [...](...){...} | object | test.cpp:33:25:33:25 | i | i |
 | test.cpp:37:3:37:33 | return ... | Returning lambda $@ with potentially dangling capture $@. | test.cpp:37:3:37:33 | [...](...){...} | object | test.cpp:37:25:37:25 | i | i |
 | test.cpp:46:3:46:45 | return ... | Returning lambda $@ with potentially dangling capture $@. | test.cpp:46:11:46:43 | [...](...){...} | object | test.cpp:46:13:46:16 | data | data |
From 42838bf6c81dbecc9c998812107e0ba9daeb5412 Mon Sep 17 00:00:00 2001
From: Jeroen Ketema Date: Thu, 21 Aug 2025 15:36:33 +0200 Subject: [PATCH 81/88] Update `DanglingCaptureWhenMovingLambdaObject` to the new dataflow library --- .../DanglingCaptureWhenMovingLambdaObject.qll | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/cpp/common/src/codingstandards/cpp/rules/danglingcapturewhenmovinglambdaobject/DanglingCaptureWhenMovingLambdaObject.qll b/cpp/common/src/codingstandards/cpp/rules/danglingcapturewhenmovinglambdaobject/DanglingCaptureWhenMovingLambdaObject.qll index 902d0ecf1f..b81e41f256 100644 --- a/cpp/common/src/codingstandards/cpp/rules/danglingcapturewhenmovinglambdaobject/DanglingCaptureWhenMovingLambdaObject.qll +++ b/cpp/common/src/codingstandards/cpp/rules/danglingcapturewhenmovinglambdaobject/DanglingCaptureWhenMovingLambdaObject.qll @@ -5,7 +5,7 @@ */ import cpp -import semmle.code.cpp.dataflow.DataFlow +import semmle.code.cpp.dataflow.new.DataFlow import codingstandards.cpp.Customizations import codingstandards.cpp.Exclusions import codingstandards.cpp.Expr From a11320c1287d727eae7b059386355f1a3cbec33b Mon Sep 17 00:00:00 2001 From: Jeroen Ketema Date: Thu, 21 Aug 2025 20:36:03 +0200 Subject: [PATCH 82/88] Update `ConstLikeReturnValue` to the new dataflow library Note that there's a small issue here where the dataflow library causes one of the results to get duplicated. --- .../ConstLikeReturnValue.expected | 19 ++++++++++++++----- .../ConstLikeReturnValue.qll | 2 +- .../ConstLikeReturnValue.expected | 19 ++++++++++++++----- 3 files changed, 29 insertions(+), 11 deletions(-) diff --git a/c/common/test/rules/constlikereturnvalue/ConstLikeReturnValue.expected b/c/common/test/rules/constlikereturnvalue/ConstLikeReturnValue.expected index d7dfc6c13f..afbb275c6c 100644 --- a/c/common/test/rules/constlikereturnvalue/ConstLikeReturnValue.expected +++ b/c/common/test/rules/constlikereturnvalue/ConstLikeReturnValue.expected 
@@ -1,20 +1,29 @@
 problems
-| test.c:11:8:11:12 | c_str | test.c:18:16:18:21 | call to getenv | test.c:11:8:11:12 | c_str | The object returned by the function getenv should not be modified. |
+| test.c:11:7:11:12 | * ... | test.c:18:16:18:21 | call to getenv | test.c:11:7:11:12 | * ... | The object returned by the function getenv should not be modified. |
+| test.c:11:8:11:12 | c_str | test.c:18:16:18:21 | call to getenv | test.c:11:7:11:12 | * ... | The object returned by the function getenv should not be modified. |
 | test.c:67:5:67:9 | conv4 | test.c:64:11:64:20 | call to localeconv | test.c:67:5:67:9 | conv4 | The object returned by the function localeconv should not be modified. |
 | test.c:76:5:76:8 | conv | test.c:72:25:72:34 | call to localeconv | test.c:76:5:76:8 | conv | The object returned by the function localeconv should not be modified. |
 edges
-| test.c:8:18:8:22 | c_str | test.c:11:8:11:12 | c_str | provenance | |
+| test.c:8:18:8:22 | c_str | test.c:11:7:11:12 | * ... | provenance | |
+| test.c:18:16:18:21 | call to getenv | test.c:18:16:18:21 | call to getenv | provenance | |
 | test.c:18:16:18:21 | call to getenv | test.c:24:9:24:12 | env1 | provenance | |
 | test.c:24:9:24:12 | env1 | test.c:8:18:8:22 | c_str | provenance | |
-| test.c:64:11:64:20 | call to localeconv | test.c:67:5:67:9 | conv4 | provenance | |
-| test.c:72:25:72:34 | call to localeconv | test.c:76:5:76:8 | conv | provenance | |
+| test.c:64:3:64:22 | ... = ... | test.c:67:5:67:9 | conv4 | provenance | |
+| test.c:64:11:64:20 | call to localeconv | test.c:64:3:64:22 | ... = ... 
| provenance | |
+| test.c:72:25:72:34 | call to localeconv | test.c:72:25:72:34 | call to localeconv | provenance | |
+| test.c:72:25:72:34 | call to localeconv | test.c:73:24:73:28 | conv4 | provenance | |
+| test.c:73:24:73:28 | conv4 | test.c:76:5:76:8 | conv | provenance | |
 nodes
 | test.c:8:18:8:22 | c_str | semmle.label | c_str |
-| test.c:11:8:11:12 | c_str | semmle.label | c_str |
+| test.c:11:7:11:12 | * ... | semmle.label | * ... |
+| test.c:18:16:18:21 | call to getenv | semmle.label | call to getenv |
 | test.c:18:16:18:21 | call to getenv | semmle.label | call to getenv |
 | test.c:24:9:24:12 | env1 | semmle.label | env1 |
+| test.c:64:3:64:22 | ... = ... | semmle.label | ... = ... |
 | test.c:64:11:64:20 | call to localeconv | semmle.label | call to localeconv |
 | test.c:67:5:67:9 | conv4 | semmle.label | conv4 |
 | test.c:72:25:72:34 | call to localeconv | semmle.label | call to localeconv |
+| test.c:72:25:72:34 | call to localeconv | semmle.label | call to localeconv |
+| test.c:73:24:73:28 | conv4 | semmle.label | conv4 |
 | test.c:76:5:76:8 | conv | semmle.label | conv |
 subpaths
diff --git a/cpp/common/src/codingstandards/cpp/rules/constlikereturnvalue/ConstLikeReturnValue.qll b/cpp/common/src/codingstandards/cpp/rules/constlikereturnvalue/ConstLikeReturnValue.qll
index a366991714..d17cd560bb 100644
--- a/cpp/common/src/codingstandards/cpp/rules/constlikereturnvalue/ConstLikeReturnValue.qll
+++ b/cpp/common/src/codingstandards/cpp/rules/constlikereturnvalue/ConstLikeReturnValue.qll
@@ -8,7 +8,7 @@
 import cpp
 import codingstandards.cpp.Customizations
 import codingstandards.cpp.Exclusions
-import semmle.code.cpp.dataflow.DataFlow
+import semmle.code.cpp.dataflow.new.DataFlow
 import DFFlow::PathGraph
 abstract class ConstLikeReturnValueSharedQuery extends Query { }
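Review bot: The new import accepts a duplicated alert in both ConstLikeReturnValue.expected hunks (c and cpp, `@@ -1,20 +1,29 @@`): test.c:11 now yields two `problems` rows with the same source and the same sink `* ...` that differ only in the alert element (`* ...` at 11:7 versus `c_str` at 11:8), alongside a self-edge from `call to getenv` to itself and a node listed twice at 18:16. That pattern suggests the `problems` predicate, which is outside this hunk, selects the alert element independently of the sink node, so both the plain expression node and the indirection node of the dereference produce a row. Deriving the element from the sink path node (for example `sink.getNode().asIndirectExpr()`), or restricting the sink to one of the two node kinds, should collapse the duplicate. Until then a comment on the import, e.g. `// TODO: the new library yields both an expression and an indirection node for the dereferenced sink, duplicating one result`, keeps the known issue visible in the code rather than only in the commit message.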
diff --git a/cpp/common/test/rules/constlikereturnvalue/ConstLikeReturnValue.expected b/cpp/common/test/rules/constlikereturnvalue/ConstLikeReturnValue.expected
index 2caa0d197c..dbbff59c9f 100644
--- a/cpp/common/test/rules/constlikereturnvalue/ConstLikeReturnValue.expected
+++ b/cpp/common/test/rules/constlikereturnvalue/ConstLikeReturnValue.expected
@@ -1,20 +1,29 @@
 problems
-| test.cpp:11:8:11:12 | c_str | test.cpp:18:16:18:21 | call to getenv | test.cpp:11:8:11:12 | c_str | The object returned by the function getenv should not be modified. |
+| test.cpp:11:7:11:12 | * ... | test.cpp:18:16:18:21 | call to getenv | test.cpp:11:7:11:12 | * ... | The object returned by the function getenv should not be modified. |
+| test.cpp:11:8:11:12 | c_str | test.cpp:18:16:18:21 | call to getenv | test.cpp:11:7:11:12 | * ... | The object returned by the function getenv should not be modified. |
 | test.cpp:67:5:67:9 | conv4 | test.cpp:64:11:64:20 | call to localeconv | test.cpp:67:5:67:9 | conv4 | The object returned by the function localeconv should not be modified. |
 | test.cpp:76:5:76:8 | conv | test.cpp:72:25:72:34 | call to localeconv | test.cpp:76:5:76:8 | conv | The object returned by the function localeconv should not be modified. |
 edges
-| test.cpp:8:18:8:22 | c_str | test.cpp:11:8:11:12 | c_str | provenance | |
+| test.cpp:8:18:8:22 | c_str | test.cpp:11:7:11:12 | * ... | provenance | |
+| test.cpp:18:16:18:21 | call to getenv | test.cpp:18:16:18:21 | call to getenv | provenance | |
 | test.cpp:18:16:18:21 | call to getenv | test.cpp:24:9:24:12 | env1 | provenance | |
 | test.cpp:24:9:24:12 | env1 | test.cpp:8:18:8:22 | c_str | provenance | |
-| test.cpp:64:11:64:20 | call to localeconv | test.cpp:67:5:67:9 | conv4 | provenance | |
-| test.cpp:72:25:72:34 | call to localeconv | test.cpp:76:5:76:8 | conv | provenance | |
+| test.cpp:64:3:64:22 | ... = ... | test.cpp:67:5:67:9 | conv4 | provenance | |
+| test.cpp:64:11:64:20 | call to localeconv | test.cpp:64:3:64:22 | ... = ... 
| provenance | |
+| test.cpp:72:25:72:34 | call to localeconv | test.cpp:72:25:72:34 | call to localeconv | provenance | |
+| test.cpp:72:25:72:34 | call to localeconv | test.cpp:73:24:73:28 | conv4 | provenance | |
+| test.cpp:73:24:73:28 | conv4 | test.cpp:76:5:76:8 | conv | provenance | |
 nodes
 | test.cpp:8:18:8:22 | c_str | semmle.label | c_str |
-| test.cpp:11:8:11:12 | c_str | semmle.label | c_str |
+| test.cpp:11:7:11:12 | * ... | semmle.label | * ... |
+| test.cpp:18:16:18:21 | call to getenv | semmle.label | call to getenv |
 | test.cpp:18:16:18:21 | call to getenv | semmle.label | call to getenv |
 | test.cpp:24:9:24:12 | env1 | semmle.label | env1 |
+| test.cpp:64:3:64:22 | ... = ... | semmle.label | ... = ... |
 | test.cpp:64:11:64:20 | call to localeconv | semmle.label | call to localeconv |
 | test.cpp:67:5:67:9 | conv4 | semmle.label | conv4 |
 | test.cpp:72:25:72:34 | call to localeconv | semmle.label | call to localeconv |
+| test.cpp:72:25:72:34 | call to localeconv | semmle.label | call to localeconv |
+| test.cpp:73:24:73:28 | conv4 | semmle.label | conv4 |
 | test.cpp:76:5:76:8 | conv | semmle.label | conv |
 subpaths
From 99b45ad8a2f51190719ad8dcfe37f014672448e2 Mon Sep 17 00:00:00 2001
From: Jeroen Ketema
Date: Thu, 21 Aug 2025 20:45:26 +0200
Subject: [PATCH 83/88] Remove redundant dataflow import
---
 .../BasicStringMayNotBeNullTerminated.qll | 1 -
 1 file changed, 1 deletion(-)
diff --git a/cpp/common/src/codingstandards/cpp/rules/basicstringmaynotbenullterminated/BasicStringMayNotBeNullTerminated.qll b/cpp/common/src/codingstandards/cpp/rules/basicstringmaynotbenullterminated/BasicStringMayNotBeNullTerminated.qll
index e27f09fd98..c73e77ef2a 100644
--- a/cpp/common/src/codingstandards/cpp/rules/basicstringmaynotbenullterminated/BasicStringMayNotBeNullTerminated.qll
+++ b/cpp/common/src/codingstandards/cpp/rules/basicstringmaynotbenullterminated/BasicStringMayNotBeNullTerminated.qll
@@ -8,7 +8,6 @@
 import codingstandards.cpp.Customizations
 import codingstandards.cpp.Exclusions
 import semmle.code.cpp.security.BufferWrite
 import semmle.code.cpp.commons.Buffer
-import semmle.code.cpp.dataflow.DataFlow
 import semmle.code.cpp.dataflow.TaintTracking
 import codingstandards.cpp.PossiblyUnsafeStringOperation
From 5e701b5921f812b2e77dd736cdb292825c187108 Mon Sep 17 00:00:00 2001
From: Jeroen Ketema
Date: Thu, 21 Aug 2025 22:47:05 +0200
Subject: [PATCH 84/88] Convert `BasicStringMayNotBeNullTerminated` to the new dataflow library
---
 .../BasicStringMayNotBeNullTerminated.qll | 11 ++++++++---
 1 file changed, 8 insertions(+), 3 deletions(-)
diff --git a/cpp/common/src/codingstandards/cpp/rules/basicstringmaynotbenullterminated/BasicStringMayNotBeNullTerminated.qll b/cpp/common/src/codingstandards/cpp/rules/basicstringmaynotbenullterminated/BasicStringMayNotBeNullTerminated.qll
index c73e77ef2a..ad24101379 100644
--- a/cpp/common/src/codingstandards/cpp/rules/basicstringmaynotbenullterminated/BasicStringMayNotBeNullTerminated.qll
+++ b/cpp/common/src/codingstandards/cpp/rules/basicstringmaynotbenullterminated/BasicStringMayNotBeNullTerminated.qll
@@ -8,7 +8,7 @@
 import codingstandards.cpp.Customizations
 import codingstandards.cpp.Exclusions
 import semmle.code.cpp.security.BufferWrite
 import semmle.code.cpp.commons.Buffer
-import semmle.code.cpp.dataflow.TaintTracking
+import semmle.code.cpp.dataflow.new.TaintTracking
 import codingstandards.cpp.PossiblyUnsafeStringOperation
 abstract class BasicStringMayNotBeNullTerminatedSharedQuery extends Query { }
@@ -39,8 +39,13 @@ query predicate problems(BasicStringConstructorCall cc, string message) {
 // a) is not a string literal
 not arg instanceof StringLiteral and
 // b) may exist in a dataflow from an unsafe usage of a string function
-exists(PossiblyUnsafeStringOperation op |
-TaintTracking::localTaint(DataFlow::exprNode(op.getAnArgument()), DataFlow::exprNode(arg))
+exists(
+PossiblyUnsafeStringOperation op, DataFlow::DefinitionByReferenceNode opNode,
+DataFlow::Node argNode
+|
+opNode.asDefiningArgument() = op.getAnArgument() and argNode.asIndirectExpr() = arg
+|
+TaintTracking::localTaint(opNode, argNode)
 ) and
 message = "Construction of string object with possibly non-null terminated C-style string."
 )
From 1f68a2f4c75829a8f0731c978d83c68b356256ed Mon Sep 17 00:00:00 2001
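Review bot: The retained comment `// b) may exist in a dataflow from an unsafe usage of a string function` no longer describes the condition below it, which now tracks the buffer written through a by-reference argument of `op` (`opNode.asDefiningArgument()`) to the characters `arg` points to (`argNode.asIndirectExpr()`), rather than the argument expressions themselves. Because the new library distinguishes a pointer value from its pointee, the choice of indirection nodes is the non-obvious part and deserves the comment, e.g. `// b) the buffer written by an unsafe string operation (one of its by-reference arguments) may locally taint the characters that arg points to`. This also narrows the old `DataFlow::exprNode(op.getAnArgument())` seed to arguments that are defined by reference, which looks intended but is worth stating so a later reader does not "fix" it back. The enclosing `problems` predicate and the `exists(... arg ...)` this sits in begin before the hunk.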
@@ -51,7 +51,7 @@ class ExplicitComparison extends EffectivelyComparison, FinalComparisonOperation
 override FunctionExpr getFunctionExpr() { result = funcExpr }
 }
-class ImplicitComparison extends EffectivelyComparison, GuardCondition {
+class ImplicitComparison extends EffectivelyComparison, GuardCondition instanceof Expr {
 ImplicitComparison() {
 this instanceof FunctionExpr and
 not getParent() instanceof ComparisonOperation
diff --git a/cpp/cert/src/rules/CTR55-CPP/DoNotUseAnAdditiveOperatorOnAnIterator.ql b/cpp/cert/src/rules/CTR55-CPP/DoNotUseAnAdditiveOperatorOnAnIterator.ql
index c6ea2c4518..1fdbbcb84e 100644
--- a/cpp/cert/src/rules/CTR55-CPP/DoNotUseAnAdditiveOperatorOnAnIterator.ql
+++ b/cpp/cert/src/rules/CTR55-CPP/DoNotUseAnAdditiveOperatorOnAnIterator.ql
@@ -78,8 +78,8 @@ predicate isUpperBoundEndCheckedIteratorAccess(IteratorSource source, ContainerI
 basicBlockOfIteratorAccess.contains(it) and
 //guard is comprised of end check and an iterator access
 DataFlow::localFlow(DataFlow::exprNode(referenceToOnePassedTheEndElement),
-DataFlow::exprNode(upperBoundCheck.getChild(_))) and
-upperBoundCheck.getChild(_) = checkedIteratorAccess and
+DataFlow::exprNode(upperBoundCheck.(Expr).getChild(_))) and
+upperBoundCheck.(Expr).getChild(_) = checkedIteratorAccess and
 //make sure its the same iterator being checked in the guard as accessed
 checkedIteratorAccess.getOwningContainer() = it.getOwningContainer() and
 //if its the end call itself (or its parts), make sure its the same container providing its end as giving the iterator
diff --git a/cpp/cert/src/rules/MEM52-CPP/DetectAndHandleMemoryAllocationErrors.ql b/cpp/cert/src/rules/MEM52-CPP/DetectAndHandleMemoryAllocationErrors.ql
index 90685f1c96..ac9281ee9d 100644
--- a/cpp/cert/src/rules/MEM52-CPP/DetectAndHandleMemoryAllocationErrors.ql
+++ b/cpp/cert/src/rules/MEM52-CPP/DetectAndHandleMemoryAllocationErrors.ql
@@ -63,7 +63,7 @@ class NoThrowAllocExprWrapperFunction extends Function {
 n.getEnclosingFunction() = this and
 DataFlow::localExprFlow(n, any(ReturnStmt rs).getExpr()) and
 // Not checked in this wrapper function
-not exists(GuardCondition gc | DataFlow::localExprFlow(n, gc.getAChild*()))
+not exists(GuardCondition gc | DataFlow::localExprFlow(n, gc.(Expr).getAChild*()))
 }
 /** Gets the underlying nothrow allocation ultimately being wrapped. */
diff --git a/cpp/common/src/codingstandards/cpp/rules/functionerroneousreturnvaluenottested/FunctionErroneousReturnValueNotTested.qll b/cpp/common/src/codingstandards/cpp/rules/functionerroneousreturnvaluenottested/FunctionErroneousReturnValueNotTested.qll
index e7e25cf7b0..83907c609a 100644
--- a/cpp/common/src/codingstandards/cpp/rules/functionerroneousreturnvaluenottested/FunctionErroneousReturnValueNotTested.qll
+++ b/cpp/common/src/codingstandards/cpp/rules/functionerroneousreturnvaluenottested/FunctionErroneousReturnValueNotTested.qll
@@ -56,7 +56,7 @@ query predicate problems(FunctionCall fc, string message) {
 "vsnwprintf_s"
 ]) and
 not exists(GuardCondition gc |
-DataFlow::localFlow(DataFlow::exprNode(fc), DataFlow::exprNode(gc.getAChild*()))
+DataFlow::localFlow(DataFlow::exprNode(fc), DataFlow::exprNode(gc.(Expr).getAChild*()))
 ) and
 message = "Return value from " + fc.getTarget().getName() + " is not tested for errors."
 }
From ff90ac764085929338b1e469e39f8fc64d68fb80 Mon Sep 17 00:00:00 2001
From: Mathias Vorreiter Pedersen
Date: Thu, 2 Oct 2025 16:19:43 +0100
Subject: [PATCH 86/88] C++: Fix queries I forgot after merging github/codeql#20485.
---
 .../DoNotCompareFunctionPointersToConstantValues.ql | 3 ++-
 .../rules/A4-7-1/IntegerExpressionLeadToDataLoss.ql | 2 +-
 .../DetectAndHandleMemoryAllocationErrors.ql | 13 ++++++++++---
 .../DetectAndHandleMemoryAllocationErrors.expected | 11 +++++------
 .../FunctionErroneousReturnValueNotTested.qll | 4 +---
 .../UnsignedOperationWithConstantOperandsWraps.qll | 2 +-
 6 files changed, 20 insertions(+), 15 deletions(-)
diff --git a/c/cert/src/rules/EXP16-C/DoNotCompareFunctionPointersToConstantValues.ql b/c/cert/src/rules/EXP16-C/DoNotCompareFunctionPointersToConstantValues.ql
index 812d4d910b..a74d88edbc 100644
--- a/c/cert/src/rules/EXP16-C/DoNotCompareFunctionPointersToConstantValues.ql
+++ b/c/cert/src/rules/EXP16-C/DoNotCompareFunctionPointersToConstantValues.ql
@@ -53,8 +53,9 @@ class ExplicitComparison extends EffectivelyComparison, FinalComparisonOperation
 class ImplicitComparison extends EffectivelyComparison, GuardCondition instanceof Expr {
 ImplicitComparison() {
+this.valueControlsEdge(_, _, _) and
 this instanceof FunctionExpr and
-not getParent() instanceof ComparisonOperation
+not super.getParent() instanceof ComparisonOperation
 }
 override string getExplanation() { result = "$@ undergoes implicit constant comparison." }
diff --git a/cpp/autosar/src/rules/A4-7-1/IntegerExpressionLeadToDataLoss.ql b/cpp/autosar/src/rules/A4-7-1/IntegerExpressionLeadToDataLoss.ql
index a6d7abc456..a93796e150 100644
--- a/cpp/autosar/src/rules/A4-7-1/IntegerExpressionLeadToDataLoss.ql
+++ b/cpp/autosar/src/rules/A4-7-1/IntegerExpressionLeadToDataLoss.ql
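Review bot: `this.valueControlsEdge(_, _, _)` is added to the characteristic predicate of `ImplicitComparison` without a comment, and the motivation is not visible from the class itself: after `GuardCondition` became `instanceof Expr` (previous commit), the class presumably needs this to keep only function designators that actually decide a branch, since being a `GuardCondition` alone no longer implies being used as a condition. A one-line comment such as `// Only keep function designators whose value selects a control-flow edge, i.e. that are genuinely used as a condition` would make that intent clear to the next maintainer. `super.getParent()` relies on `super` resolving to `Expr`; if `EffectivelyComparison` also provides `getParent()`, the qualified `Expr.super.getParent()` removes the ambiguity. The class body continues past the hunk.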
@@ -23,7 +23,7 @@ from InterestingOverflowingOperation e
 where
 not isExcluded(e, IntegerConversionPackage::integerExpressionLeadToDataLossQuery()) and
 // Not within a guard condition
-not exists(GuardCondition gc | gc.getAChild*() = e) and
+not e.getParent*().(GuardCondition).valueControlsEdge(_, _, _) and
 // Not guarded by a check, where the check is not an invalid overflow check
 not e.hasValidPreCheck() and
 // Covered by `IntMultToLong.ql` instead
diff --git a/cpp/cert/src/rules/MEM52-CPP/DetectAndHandleMemoryAllocationErrors.ql b/cpp/cert/src/rules/MEM52-CPP/DetectAndHandleMemoryAllocationErrors.ql
index ac9281ee9d..79ff7a08a2 100644
--- a/cpp/cert/src/rules/MEM52-CPP/DetectAndHandleMemoryAllocationErrors.ql
+++ b/cpp/cert/src/rules/MEM52-CPP/DetectAndHandleMemoryAllocationErrors.ql
@@ -62,8 +62,13 @@ class NoThrowAllocExprWrapperFunction extends Function {
 NoThrowAllocExprWrapperFunction() {
 n.getEnclosingFunction() = this and
 DataFlow::localExprFlow(n, any(ReturnStmt rs).getExpr()) and
-// Not checked in this wrapper function
-not exists(GuardCondition gc | DataFlow::localExprFlow(n, gc.(Expr).getAChild*()))
+// Not checked in this wrapper function. That is, the allocation is not a
+// guard condition which guards something inside the function.
+not exists(BasicBlock bb |
+pragma[only_bind_out](bb.getEnclosingFunction()) =
+pragma[only_bind_out](n.getEnclosingFunction()) and
+n.(GuardCondition).valueControlsEdge(bb, _, _)
+)
 }
 /** Gets the underlying nothrow allocation ultimately being wrapped. */
@@ -84,7 +89,9 @@ module NoThrowNewErrorCheckConfig implements DataFlow::ConfigSig {
 source.asExpr() instanceof NotWrappedNoThrowAllocExpr
 }
-predicate isSink(DataFlow::Node sink) { sink.asExpr() = any(GuardCondition gc).getAChild*() }
+predicate isSink(DataFlow::Node sink) {
+sink.asExpr().(GuardCondition).valueControlsEdge(_, _, _)
+}
 }
 module NoThrowNewErrorCheckFlow = DataFlow::Global;
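Review bot: `not e.getParent*().(GuardCondition).valueControlsEdge(_, _, _)` keeps the comment `// Not within a guard condition`, but the criterion has changed: `e` is now excluded only when an enclosing expression (or `e` itself) is a guard whose value selects a control-flow edge, whereas `gc.getAChild*() = e` excluded any sub-expression of any `GuardCondition`. If the two are not equivalent under the post-github/codeql#20485 `GuardCondition`, operations inside conditions that control nothing become reportable; either way the comment should state the new criterion, e.g. `// Not within a condition whose value selects a control-flow edge`. The identical replacement, with the identical stale comment, is made in UnsignedOperationWithConstantOperandsWraps.qll (`@@ -18,7 +18,7 @@`); a shared helper predicate in the common library (e.g. `isInGuardCondition(Expr e)`) would keep the two queries in step. The `where` clause continues outside the hunk.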
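Review bot: In `NoThrowAllocExprWrapperFunction`, `n.(GuardCondition).valueControlsEdge(bb, _, _)` requires the allocation expression itself to be the guard, whereas the replaced `DataFlow::localExprFlow(n, gc.(Expr).getAChild*())` also accepted a wrapper that stores the result and tests the variable (`p = new (std::nothrow) T; if (p == nullptr) ...`); such a wrapper would now be classified as unchecked, so its callers may start being reported. The same narrowing applies to `isSink` in the second hunk (`@@ -84,7 +89,9 @@`), where flow must now reach the whole guard expression rather than an operand of it. If the new `GuardCondition` does not cover operands of a comparison, keeping the flow step restores the old coverage, `exists(Expr g | DataFlow::localExprFlow(n, g) and g.(GuardCondition).valueControlsEdge(bb, _, _))`; otherwise a wrapper test case with `if (p == nullptr)` would document that it is handled. The `pragma[only_bind_out]` pair also deserves a short comment on why the binding order matters here. The .expected hunk that follows still records `module 'DataFlow' has been deprecated` warnings for this query, so unlike the other files in the series it has not been moved to `semmle.code.cpp.dataflow.new.DataFlow`.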
diff --git a/cpp/cert/test/rules/MEM52-CPP/DetectAndHandleMemoryAllocationErrors.expected b/cpp/cert/test/rules/MEM52-CPP/DetectAndHandleMemoryAllocationErrors.expected
index 41fa58045f..45b75e6123 100644
--- a/cpp/cert/test/rules/MEM52-CPP/DetectAndHandleMemoryAllocationErrors.expected
+++ b/cpp/cert/test/rules/MEM52-CPP/DetectAndHandleMemoryAllocationErrors.expected
@@ -1,9 +1,8 @@
 WARNING: module 'DataFlow' has been deprecated and may be removed in future (DetectAndHandleMemoryAllocationErrors.ql:64,5-13)
-WARNING: module 'DataFlow' has been deprecated and may be removed in future (DetectAndHandleMemoryAllocationErrors.ql:66,36-44)
-WARNING: module 'DataFlow' has been deprecated and may be removed in future (DetectAndHandleMemoryAllocationErrors.ql:82,46-54)
-WARNING: module 'DataFlow' has been deprecated and may be removed in future (DetectAndHandleMemoryAllocationErrors.ql:83,22-30)
-WARNING: module 'DataFlow' has been deprecated and may be removed in future (DetectAndHandleMemoryAllocationErrors.ql:87,20-28)
-WARNING: module 'DataFlow' has been deprecated and may be removed in future (DetectAndHandleMemoryAllocationErrors.ql:90,35-43)
-WARNING: module 'DataFlow' has been deprecated and may be removed in future (DetectAndHandleMemoryAllocationErrors.ql:95,38-46)
+WARNING: module 'DataFlow' has been deprecated and may be removed in future (DetectAndHandleMemoryAllocationErrors.ql:86,46-54)
+WARNING: module 'DataFlow' has been deprecated and may be removed in future (DetectAndHandleMemoryAllocationErrors.ql:87,22-30)
+WARNING: module 'DataFlow' has been deprecated and may be removed in future (DetectAndHandleMemoryAllocationErrors.ql:91,20-28)
+WARNING: module 'DataFlow' has been deprecated and may be removed in future (DetectAndHandleMemoryAllocationErrors.ql:96,35-43)
+WARNING: module 'DataFlow' has been deprecated and may be removed in future (DetectAndHandleMemoryAllocationErrors.ql:101,38-46)
 | test.cpp:24:7:24:34 | new | nothrow new allocation of $@ returns here without a subsequent check to see whether the pointer is valid. | test.cpp:24:7:24:34 | new | StructA * |
 | test.cpp:40:17:40:38 | call to allocate_without_check | nothrow new allocation of $@ returns here without a subsequent check to see whether the pointer is valid. | test.cpp:35:17:35:44 | new | StructA * |
diff --git a/cpp/common/src/codingstandards/cpp/rules/functionerroneousreturnvaluenottested/FunctionErroneousReturnValueNotTested.qll b/cpp/common/src/codingstandards/cpp/rules/functionerroneousreturnvaluenottested/FunctionErroneousReturnValueNotTested.qll
index 83907c609a..1b130dc187 100644
--- a/cpp/common/src/codingstandards/cpp/rules/functionerroneousreturnvaluenottested/FunctionErroneousReturnValueNotTested.qll
+++ b/cpp/common/src/codingstandards/cpp/rules/functionerroneousreturnvaluenottested/FunctionErroneousReturnValueNotTested.qll
@@ -55,8 +55,6 @@ query predicate problems(FunctionCall fc, string message) {
 "vwprintf", "vfwprintf", "vswprintf", "vwprintf_s", "vfwprintf_s", "vswprintf_s",
 "vsnwprintf_s"
 ]) and
-not exists(GuardCondition gc |
-DataFlow::localFlow(DataFlow::exprNode(fc), DataFlow::exprNode(gc.(Expr).getAChild*()))
-) and
+not fc.(GuardCondition).valueControlsEdge(_, _, _) and
 message = "Return value from " + fc.getTarget().getName() + " is not tested for errors."
 }
diff --git a/cpp/common/src/codingstandards/cpp/rules/unsignedoperationwithconstantoperandswraps/UnsignedOperationWithConstantOperandsWraps.qll b/cpp/common/src/codingstandards/cpp/rules/unsignedoperationwithconstantoperandswraps/UnsignedOperationWithConstantOperandsWraps.qll
index bc0c6d8fc1..98171b4e16 100644
--- a/cpp/common/src/codingstandards/cpp/rules/unsignedoperationwithconstantoperandswraps/UnsignedOperationWithConstantOperandsWraps.qll
+++ b/cpp/common/src/codingstandards/cpp/rules/unsignedoperationwithconstantoperandswraps/UnsignedOperationWithConstantOperandsWraps.qll
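Review bot: `not fc.(GuardCondition).valueControlsEdge(_, _, _)` only recognises a call that is itself the condition (`if (fclose(f))`); the removed `DataFlow::localFlow(DataFlow::exprNode(fc), DataFlow::exprNode(gc.(Expr).getAChild*()))` also recognised `if (fclose(f) != 0)` and `int r = fclose(f); if (r != 0)`, where the call or a variable holding its result is an operand of the guard. Unless the post-github/codeql#20485 `GuardCondition` covers such operands, those idioms are now reported as untested return values, which would be false positives for the most common way of checking a return code. Keeping the flow step, `exists(Expr g | DataFlow::localExprFlow(fc, g) and g.(GuardCondition).valueControlsEdge(_, _, _))`, would preserve the old coverage; either way a test with `if (f() != 0)` would settle it and protect against regressions. `problems` begins before the hunk.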
@@ -18,7 +18,7 @@ query predicate problems(InterestingOverflowingOperation op, string message) {
 not isExcluded(op, getQuery()) and
 op.getType().getUnderlyingType().(IntegralType).isUnsigned() and
 // Not within a guard condition
-not exists(GuardCondition gc | gc.getAChild*() = op) and
+not op.getParent*().(GuardCondition).valueControlsEdge(_, _, _) and
 // Not guarded by a check, where the check is not an invalid overflow check
 not op.hasValidPreCheck() and
 // Is not checked after the operation
From 6d4dd9d4054aba974b6648810c84c954ef1526b0 Mon Sep 17 00:00:00 2001
From: Mathias Vorreiter Pedersen
Date: Thu, 2 Oct 2025 16:40:35 +0100
Subject: [PATCH 87/88] C++: Accept line number changes in .expected file.
---
 .../DetectAndHandleMemoryAllocationErrors.expected | 10 +++++-----
 1 file changed, 5 insertions(+), 5 deletions(-)
diff --git a/cpp/cert/test/rules/MEM52-CPP/DetectAndHandleMemoryAllocationErrors.expected b/cpp/cert/test/rules/MEM52-CPP/DetectAndHandleMemoryAllocationErrors.expected
index 45b75e6123..ec11edcd2b 100644
--- a/cpp/cert/test/rules/MEM52-CPP/DetectAndHandleMemoryAllocationErrors.expected
+++ b/cpp/cert/test/rules/MEM52-CPP/DetectAndHandleMemoryAllocationErrors.expected
@@ -1,8 +1,8 @@
 WARNING: module 'DataFlow' has been deprecated and may be removed in future (DetectAndHandleMemoryAllocationErrors.ql:64,5-13)
-WARNING: module 'DataFlow' has been deprecated and may be removed in future (DetectAndHandleMemoryAllocationErrors.ql:86,46-54)
-WARNING: module 'DataFlow' has been deprecated and may be removed in future (DetectAndHandleMemoryAllocationErrors.ql:87,22-30)
-WARNING: module 'DataFlow' has been deprecated and may be removed in future (DetectAndHandleMemoryAllocationErrors.ql:91,20-28)
-WARNING: module 'DataFlow' has been deprecated and may be removed in future (DetectAndHandleMemoryAllocationErrors.ql:96,35-43)
-WARNING: module 'DataFlow' has been deprecated and may be removed in future (DetectAndHandleMemoryAllocationErrors.ql:101,38-46)
+WARNING: module 'DataFlow' has been deprecated and may be removed in future (DetectAndHandleMemoryAllocationErrors.ql:87,46-54)
+WARNING: module 'DataFlow' has been deprecated and may be removed in future (DetectAndHandleMemoryAllocationErrors.ql:88,22-30)
+WARNING: module 'DataFlow' has been deprecated and may be removed in future (DetectAndHandleMemoryAllocationErrors.ql:92,20-28)
+WARNING: module 'DataFlow' has been deprecated and may be removed in future (DetectAndHandleMemoryAllocationErrors.ql:97,35-43)
+WARNING: module 'DataFlow' has been deprecated and may be removed in future (DetectAndHandleMemoryAllocationErrors.ql:102,38-46)
 | test.cpp:24:7:24:34 | new | nothrow new allocation of $@ returns here without a subsequent check to see whether the pointer is valid. | test.cpp:24:7:24:34 | new | StructA * |
 | test.cpp:40:17:40:38 | call to allocate_without_check | nothrow new allocation of $@ returns here without a subsequent check to see whether the pointer is valid. | test.cpp:35:17:35:44 | new | StructA * |
From c60552788903973d7385cef35b5286f86d3d1458 Mon Sep 17 00:00:00 2001
From: Jeroen Ketema
Date: Sat, 8 Nov 2025 16:19:03 +0100
Subject: [PATCH 88/88] Update expected test results
With CodeQL 2.23.4 we recognize that the instantiation type was `uintptr_t`.
---
 cpp/misra/test/rules/RULE-8-2-8/PointerToIntegralCast.expected | 1 -
 cpp/misra/test/rules/RULE-8-2-8/test.cpp | 2 +-
 2 files changed, 1 insertion(+), 2 deletions(-)
diff --git a/cpp/misra/test/rules/RULE-8-2-8/PointerToIntegralCast.expected b/cpp/misra/test/rules/RULE-8-2-8/PointerToIntegralCast.expected
index dd85d003c2..09911f0a7e 100644
--- a/cpp/misra/test/rules/RULE-8-2-8/PointerToIntegralCast.expected
+++ b/cpp/misra/test/rules/RULE-8-2-8/PointerToIntegralCast.expected
@@ -10,4 +10,3 @@
 | test.cpp:77:13:77:46 | reinterpret_cast... | Cast of object pointer type to integral type 'int64_t' instead of 'std::uintptr_t' or 'std::intptr_t'. | test.cpp:77:13:77:46 | reinterpret_cast... | |
 | test.cpp:84:15:84:37 | reinterpret_cast... | Cast of object pointer type to integral type inside $@. | test.cpp:95:48:95:48 | definition of x | instantiation of class TestNonCompliantTemplateCast |
 | test.cpp:86:15:86:49 | reinterpret_cast... | Cast of object pointer type to integral type 'uint64_t' instead of 'std::uintptr_t' or 'std::intptr_t'. | test.cpp:86:15:86:49 | reinterpret_cast... | |
-| test.cpp:91:23:91:45 | reinterpret_cast... | Cast of object pointer type to integral type inside $@. | test.cpp:96:3:96:35 | variable_template | reference to instantiated template variable variable_template |
diff --git a/cpp/misra/test/rules/RULE-8-2-8/test.cpp b/cpp/misra/test/rules/RULE-8-2-8/test.cpp
index 6b3dbd7685..8b11744add 100644
--- a/cpp/misra/test/rules/RULE-8-2-8/test.cpp
+++ b/cpp/misra/test/rules/RULE-8-2-8/test.cpp
@@ -88,7 +88,7 @@ template class TestNonCompliantTemplateCast {
 };
 template
-T variable_template = reinterpret_cast(g1); // NON_COMPLIANT
+T variable_template = reinterpret_cast(g1); // COMPLIANT
 void test_instantiate_template() {
 test_non_compliant_template_cast();