github · mbaluda · Mar 6, 2025 · Jun 4, 2025 · Jun 4, 2025 · Jun 27, 2025
diff --git a/c/cert/src/rules/ARR32-C/VariableLengthArraySizeNotInValidRange.ql b/c/cert/src/rules/ARR32-C/VariableLengthArraySizeNotInValidRange.ql
@@ -20,7 +20,7 @@
 import cpp
 import codingstandards.c.cert
 import codingstandards.cpp.Overflow
-import semmle.code.cpp.dataflow.TaintTracking
+import semmle.code.cpp.dataflow.new.TaintTracking
 
 /**
  * Gets the maximum size (in bytes) a variable-length array

diff --git a/c/cert/src/rules/ARR37-C/DoNotUsePointerArithmeticOnNonArrayObjectPointers.ql b/c/cert/src/rules/ARR37-C/DoNotUsePointerArithmeticOnNonArrayObjectPointers.ql
@@ -18,7 +18,7 @@
 
 import cpp
 import codingstandards.c.cert
-import semmle.code.cpp.dataflow.DataFlow
+import semmle.code.cpp.dataflow.new.DataFlow
 import NonArrayPointerToArrayIndexingExprFlow::PathGraph
 
 /**

diff --git a/c/cert/src/rules/ARR39-C/DoNotAddOrSubtractAScaledIntegerToAPointer.ql b/c/cert/src/rules/ARR39-C/DoNotAddOrSubtractAScaledIntegerToAPointer.ql
@@ -19,7 +19,7 @@
 import cpp
 import codingstandards.c.cert
 import codingstandards.cpp.types.Pointers
-import semmle.code.cpp.dataflow.TaintTracking
+import semmle.code.cpp.dataflow.new.TaintTracking
 import ScaledIntegerPointerArithmeticFlow::PathGraph
 
 /**
@@ -61,9 +61,11 @@ class ScaledIntegerExpr extends Expr {
   ScaledIntegerExpr() {
     not this.getParent*() instanceof ArrayCountOfExpr and
     (
-      this.(SizeofExprOperator).getExprOperand().getType().getSize() > 1
+      exists(this.getValue()) and
+      this.getAChild*().(SizeofExprOperator).getExprOperand().getType().getSize() > 1
       or
-      this.(SizeofTypeOperator).getTypeOperand().getSize() > 1
+      exists(this.getValue()) and
+      this.getAChild*().(SizeofTypeOperator).getTypeOperand().getSize() > 1
       or
       this instanceof OffsetOfExpr
     )

diff --git a/c/cert/src/rules/CON30-C/CleanUpThreadSpecificStorage.ql b/c/cert/src/rules/CON30-C/CleanUpThreadSpecificStorage.ql
@@ -19,18 +19,31 @@
 
 import cpp
 import codingstandards.c.cert
-import codingstandards.cpp.Concurrency
-import semmle.code.cpp.dataflow.DataFlow
+import codingstandards.cpp.ConcurrencyNew
+import semmle.code.cpp.dataflow.new.DataFlow
+
+newtype Direction =
+  Incoming() or
+  Outgoing()
+
+predicate isSource(DataFlow::Node node, Direction d) {
+  exists(TSSCreateFunctionCall tsc, Expr e |
+    // the only requirement of the source is that at some point
+    // it refers to the key of a create statement
+    e.getParent*() = tsc.getKey()
+  |
+    d = Outgoing() and
+    e = [node.asExpr(), node.asDefiningArgument()]
+    or
+    d = Incoming() and
+    e = [node.asExpr(), node.asIndirectArgument()]
+  )
+}
 
 module TssCreateToTssDeleteConfig implements DataFlow::ConfigSig {
-  predicate isSource(DataFlow::Node node) {
-    exists(TSSCreateFunctionCall tsc, Expr e |
-      // the only requirement of the source is that at some point
-      // it refers to the key of a create statement
-      e.getParent*() = tsc.getKey() and
-      (e = node.asDefiningArgument() or e = node.asExpr())
-    )
-  }
+  predicate isSource(DataFlow::Node node) { isSource(node, Outgoing()) }
+
+  predicate isBarrierIn(DataFlow::Node node) { isSource(node, Incoming()) }
 
   predicate isSink(DataFlow::Node node) {
     exists(TSSDeleteFunctionCall tsd, Expr e |

diff --git a/c/cert/src/rules/CON33-C/RaceConditionsWhenUsingLibraryFunctions.ql b/c/cert/src/rules/CON33-C/RaceConditionsWhenUsingLibraryFunctions.ql
@@ -18,7 +18,7 @@
 
 import cpp
 import codingstandards.c.cert
-import codingstandards.cpp.Concurrency
+import codingstandards.cpp.ConcurrencyNew
 
 from ThreadedCFN node
 where

diff --git a/c/cert/src/rules/CON34-C/AppropriateThreadObjectStorageDurations.ql b/c/cert/src/rules/CON34-C/AppropriateThreadObjectStorageDurations.ql
@@ -20,8 +20,8 @@
 import cpp
 import codingstandards.c.cert
 import codingstandards.c.Objects
-import codingstandards.cpp.Concurrency
-import semmle.code.cpp.dataflow.DataFlow
+import codingstandards.cpp.ConcurrencyNew
+import semmle.code.cpp.dataflow.new.DataFlow
 import semmle.code.cpp.commons.Alloc
 
 from C11ThreadCreateCall tcc, Expr arg
@@ -53,6 +53,7 @@ where
       not exists(TSSSetFunctionCall tss, DataFlow::Node src |
         // there should be dataflow from somewhere (the same somewhere)
         // into each of the first arguments
+        exists(Expr e | e = src.asDefinition() or e = src.asDefiningArgument()) and
         DataFlow::localFlow(src, DataFlow::exprNode(tsg.getArgument(0))) and
         DataFlow::localFlow(src, DataFlow::exprNode(tss.getArgument(0)))
       )

diff --git a/c/cert/src/rules/CON34-C/ThreadObjectStorageDurationsNotInitialized.ql b/c/cert/src/rules/CON34-C/ThreadObjectStorageDurationsNotInitialized.ql
@@ -20,8 +20,8 @@
 
 import cpp
 import codingstandards.c.cert
-import codingstandards.cpp.Concurrency
-import semmle.code.cpp.dataflow.DataFlow
+import codingstandards.cpp.ConcurrencyNew
+import semmle.code.cpp.dataflow.new.DataFlow
 
 from TSSGetFunctionCall tsg, ThreadedFunction tf
 where
@@ -31,7 +31,8 @@ where
   // however, there does not exist a proper sequencing.
   not exists(TSSSetFunctionCall tss, DataFlow::Node src |
     // there should be dataflow from somewhere (the same somewhere)
-    // into each of the first arguments
+    // into each of the first argument
+    exists(Expr e | e = src.asDefinition() or e = src.asDefiningArgument()) and
     DataFlow::localFlow(src, DataFlow::exprNode(tsg.getArgument(0))) and
     DataFlow::localFlow(src, DataFlow::exprNode(tss.getArgument(0)))
   )

diff --git a/c/cert/src/rules/CON37-C/DoNotCallSignalInMultithreadedProgram.ql b/c/cert/src/rules/CON37-C/DoNotCallSignalInMultithreadedProgram.ql
@@ -19,7 +19,7 @@
 
 import cpp
 import codingstandards.c.cert
-import codingstandards.cpp.Concurrency
+import codingstandards.cpp.ConcurrencyNew
 
 from FunctionCall fc
 // This should only be applied in the context of a multi-threaded program (since

diff --git a/c/cert/src/rules/CON40-C/AtomicVariableTwiceInExpression.ql b/c/cert/src/rules/CON40-C/AtomicVariableTwiceInExpression.ql
@@ -19,7 +19,7 @@
 
 import cpp
 import codingstandards.c.cert
-import codingstandards.cpp.Concurrency
+import codingstandards.cpp.ConcurrencyNew
 
 from MacroInvocation mi, Variable v, Locatable whereFound
 where

diff --git a/c/cert/src/rules/CON41-C/WrapFunctionsThatCanFailSpuriouslyInLoop.ql b/c/cert/src/rules/CON41-C/WrapFunctionsThatCanFailSpuriouslyInLoop.ql
@@ -19,7 +19,7 @@
 
 import cpp
 import codingstandards.c.cert
-import codingstandards.cpp.Concurrency
+import codingstandards.cpp.ConcurrencyNew
 
 from AtomicCompareExchange ace
 where

diff --git a/c/cert/src/rules/DCL30-C/AppropriateStorageDurationsFunctionReturn.ql b/c/cert/src/rules/DCL30-C/AppropriateStorageDurationsFunctionReturn.ql
@@ -19,7 +19,7 @@
 import cpp
 import codingstandards.c.cert
 import codingstandards.c.Objects
-import semmle.code.cpp.dataflow.DataFlow
+import semmle.code.cpp.dataflow.new.DataFlow
 
 class Source extends Expr {
   ObjectIdentity rootObject;
@@ -34,7 +34,7 @@ class Sink extends DataFlow::Node {
   Sink() {
     //output parameter
     exists(Parameter f |
-      f.getAnAccess() = this.(DataFlow::PostUpdateNode).getPreUpdateNode().asExpr() and
+      this.isFinalValueOfParameter(f) and
       f.getUnderlyingType() instanceof PointerType
     )
     or

diff --git a/c/cert/src/rules/ERR30-C/ErrnoReadBeforeReturn.ql b/c/cert/src/rules/ERR30-C/ErrnoReadBeforeReturn.ql
@@ -19,7 +19,7 @@
 import cpp
 import codingstandards.c.cert
 import codingstandards.c.Errno
-import semmle.code.cpp.dataflow.DataFlow
+import semmle.code.cpp.dataflow.new.DataFlow
 
 /**
  * A call to an `OutOfBandErrnoSettingFunction`

diff --git a/c/cert/src/rules/ERR30-C/SetlocaleMightSetErrno.ql b/c/cert/src/rules/ERR30-C/SetlocaleMightSetErrno.ql
@@ -18,7 +18,7 @@
 import cpp
 import codingstandards.c.cert
 import codingstandards.c.Errno
-import semmle.code.cpp.dataflow.DataFlow
+import semmle.code.cpp.dataflow.new.DataFlow
 
 class SetlocaleFunctionCall extends FunctionCall {
   SetlocaleFunctionCall() { this.getTarget().hasGlobalName("setlocale") }

diff --git a/c/cert/src/rules/ERR32-C/DoNotRelyOnIndeterminateValuesOfErrno.ql b/c/cert/src/rules/ERR32-C/DoNotRelyOnIndeterminateValuesOfErrno.ql
@@ -20,7 +20,7 @@ import codingstandards.c.cert
 import codingstandards.c.Errno
 import codingstandards.c.Signal
 import semmle.code.cpp.controlflow.Guards
-import semmle.code.cpp.dataflow.DataFlow
+import semmle.code.cpp.dataflow.new.DataFlow
 
 /**
  * A check on `signal` call return value

diff --git a/c/cert/src/rules/ERR33-C/DetectAndHandleStandardLibraryErrors.ql b/c/cert/src/rules/ERR33-C/DetectAndHandleStandardLibraryErrors.ql
@@ -20,7 +20,7 @@ import cpp
 import codingstandards.c.cert
 import semmle.code.cpp.commons.NULL
 import codingstandards.cpp.ReadErrorsAndEOF
-import semmle.code.cpp.dataflow.DataFlow
+import semmle.code.cpp.dataflow.new.DataFlow
 
 ComparisonOperation getAValidComparison(string spec) {
   spec = "=0" and result.(EqualityOperation).getAnOperand().getValue() = "0"

diff --git a/c/cert/src/rules/EXP16-C/DoNotCompareFunctionPointersToConstantValues.ql b/c/cert/src/rules/EXP16-C/DoNotCompareFunctionPointersToConstantValues.ql
@@ -51,10 +51,11 @@ class ExplicitComparison extends EffectivelyComparison, FinalComparisonOperation
   override FunctionExpr getFunctionExpr() { result = funcExpr }
 }
 
-class ImplicitComparison extends EffectivelyComparison, GuardCondition {
+class ImplicitComparison extends EffectivelyComparison, GuardCondition instanceof Expr {
   ImplicitComparison() {
+    this.valueControlsEdge(_, _, _) and
     this instanceof FunctionExpr and
-    not getParent() instanceof ComparisonOperation
+    not super.getParent() instanceof ComparisonOperation
   }
 
   override string getExplanation() { result = "$@ undergoes implicit constant comparison." }

diff --git a/c/cert/src/rules/EXP36-C/DoNotCastPointerToMoreStrictlyAlignedPointerType.ql b/c/cert/src/rules/EXP36-C/DoNotCastPointerToMoreStrictlyAlignedPointerType.ql
@@ -19,7 +19,7 @@
 import cpp
 import codingstandards.c.cert
 import codingstandards.cpp.Alignment
-import semmle.code.cpp.dataflow.DataFlow
+import semmle.code.cpp.dataflow.new.DataFlow
 import semmle.code.cpp.rangeanalysis.SimpleRangeAnalysis
 import ExprWithAlignmentToCStyleCastFlow::PathGraph
 

diff --git a/c/cert/src/rules/EXP37-C/DoNotCallFunctionPointerWithIncompatibleType.ql b/c/cert/src/rules/EXP37-C/DoNotCallFunctionPointerWithIncompatibleType.ql
@@ -18,7 +18,7 @@
 
 import cpp
 import codingstandards.c.cert
-import semmle.code.cpp.dataflow.DataFlow
+import semmle.code.cpp.dataflow.new.DataFlow
 import SuspectFunctionPointerToCallFlow::PathGraph
 
 /**
@@ -61,7 +61,8 @@ where
   not isExcluded(src.getNode().asExpr(),
     ExpressionsPackage::doNotCallFunctionPointerWithIncompatibleTypeQuery()) and
   access = src.getNode().asExpr() and
-  SuspectFunctionPointerToCallFlow::flowPath(src, sink)
+  SuspectFunctionPointerToCallFlow::flowPath(src, sink) and
+  not access.getType() = sink.getNode().asExpr().getFullyConverted().getType()
 select src, src, sink,
   "Incompatible function $@ assigned to function pointer is eventually called through the pointer.",
   access.getTarget(), access.getTarget().getName()
diff --git a/c/cert/src/rules/EXP40-C/DoNotModifyConstantObjects.ql b/c/cert/src/rules/EXP40-C/DoNotModifyConstantObjects.ql
@@ -17,7 +17,7 @@
 
 import cpp
 import codingstandards.c.cert
-import semmle.code.cpp.dataflow.DataFlow
+import semmle.code.cpp.dataflow.new.DataFlow
 import CastFlow::PathGraph
 import codingstandards.cpp.SideEffect
 

diff --git a/c/cert/src/rules/FIO37-C/SuccessfulFgetsOrFgetwsMayReturnAnEmptyString.ql b/c/cert/src/rules/FIO37-C/SuccessfulFgetsOrFgetwsMayReturnAnEmptyString.ql
@@ -19,7 +19,7 @@ import cpp
 import codingstandards.c.cert
 import codingstandards.cpp.FgetsErrorManagement
 import codingstandards.cpp.Dereferenced
-import semmle.code.cpp.dataflow.DataFlow
+import semmle.code.cpp.dataflow.new.DataFlow
 
 /*
  * CFG nodes that follows a successful call to `fgets`

diff --git a/c/cert/src/rules/FIO40-C/ResetStringsOnFgetsOrFgetwsFailure.ql b/c/cert/src/rules/FIO40-C/ResetStringsOnFgetsOrFgetwsFailure.ql
@@ -21,7 +21,7 @@ import cpp
 import codingstandards.cpp.FgetsErrorManagement
 import codingstandards.cpp.Dereferenced
 import codingstandards.c.cert
-import semmle.code.cpp.dataflow.DataFlow
+import semmle.code.cpp.dataflow.new.DataFlow
 
 /*
  * Models calls to `memcpy` `strcpy` `strncpy` and their wrappers

diff --git a/c/cert/src/rules/FIO44-C/OnlyUseValuesForFsetposThatAreReturnedFromFgetpos.ql b/c/cert/src/rules/FIO44-C/OnlyUseValuesForFsetposThatAreReturnedFromFgetpos.ql
@@ -17,7 +17,7 @@
 
 import cpp
 import codingstandards.c.cert
-import semmle.code.cpp.dataflow.DataFlow
+import semmle.code.cpp.dataflow.new.DataFlow
 
 class FgetposCall extends FunctionCall {
   FgetposCall() { this.getTarget().hasGlobalOrStdName("fgetpos") }
@@ -30,12 +30,12 @@ class FsetposCall extends FunctionCall {
 module FposDFConfig implements DataFlow::ConfigSig {
   predicate isSource(DataFlow::Node source) {
     // source must be the second parameter of a FgetposCall call
-    source = DataFlow::definitionByReferenceNodeFromArgument(any(FgetposCall c).getArgument(1))
+    source.asDefiningArgument() = any(FgetposCall c).getArgument(1)
   }
 
   predicate isSink(DataFlow::Node sink) {
     // sink must be the second parameter of a FsetposCall call
-    sink.asExpr() = any(FsetposCall c).getArgument(1)
+    sink.asIndirectExpr() = any(FsetposCall c).getArgument(1)
   }
 }
 
@@ -45,6 +45,6 @@ from FsetposCall fsetpos
 where
   not isExcluded(fsetpos.getArgument(1),
     IO2Package::onlyUseValuesForFsetposThatAreReturnedFromFgetposQuery()) and
-  not FposDFFlow::flowToExpr(fsetpos.getArgument(1))
+  not exists(DataFlow::Node n | n.asIndirectExpr() = fsetpos.getArgument(1) | FposDFFlow::flowTo(n))
 select fsetpos.getArgument(1),
   "The position argument of a call to `fsetpos()` should be obtained from a call to `fgetpos()`."
diff --git a/c/cert/src/rules/FIO45-C/ToctouRaceConditionsWhileAccessingFiles.ql b/c/cert/src/rules/FIO45-C/ToctouRaceConditionsWhileAccessingFiles.ql
@@ -19,7 +19,7 @@
 import cpp
 import codingstandards.c.cert
 import codingstandards.cpp.standardlibrary.FileAccess
-import semmle.code.cpp.dataflow.DataFlow
+import semmle.code.cpp.dataflow.new.DataFlow
 import semmle.code.cpp.valuenumbering.GlobalValueNumbering
 
 /**

diff --git a/c/cert/src/rules/MEM35-C/InsufficientMemoryAllocatedForObject.ql b/c/cert/src/rules/MEM35-C/InsufficientMemoryAllocatedForObject.ql
@@ -21,7 +21,7 @@ import cpp
 import codingstandards.c.cert
 import codingstandards.cpp.Overflow
 import semmle.code.cpp.controlflow.Guards
-import semmle.code.cpp.dataflow.TaintTracking
+import semmle.code.cpp.dataflow.new.TaintTracking
 import semmle.code.cpp.models.Models
 
 /**

diff --git a/c/cert/src/rules/MEM36-C/DoNotModifyAlignmentOfMemoryWithRealloc.ql b/c/cert/src/rules/MEM36-C/DoNotModifyAlignmentOfMemoryWithRealloc.ql
@@ -20,7 +20,7 @@
 import cpp
 import codingstandards.c.cert
 import codingstandards.cpp.Alignment
-import semmle.code.cpp.dataflow.DataFlow
+import semmle.code.cpp.dataflow.new.DataFlow
 import AlignedAllocToReallocFlow::PathGraph
 
 int getStatedValue(Expr e) {

diff --git a/c/cert/src/rules/MSC33-C/DoNotPassInvalidDataToTheAsctimeFunction.ql b/c/cert/src/rules/MSC33-C/DoNotPassInvalidDataToTheAsctimeFunction.ql
@@ -19,7 +19,7 @@
 
 import cpp
 import codingstandards.c.cert
-import semmle.code.cpp.dataflow.DataFlow
+import semmle.code.cpp.dataflow.new.DataFlow
 
 /**
  * The argument of a call to `asctime`
@@ -29,6 +29,8 @@ class AsctimeArg extends Expr {
     this =
       any(FunctionCall f | f.getTarget().hasGlobalName(["asctime", "asctime_r"])).getArgument(0)
   }
+
+  DataFlow::Node asSink() { this = result.asIndirectExpr() }
 }
 
 /**
@@ -37,20 +39,20 @@ class AsctimeArg extends Expr {
  */
 module TmStructSafeConfig implements DataFlow::ConfigSig {
   predicate isSource(DataFlow::Node src) {
-    src.asExpr()
+    src.asIndirectExpr()
         .(FunctionCall)
         .getTarget()
         .hasGlobalName(["localtime", "localtime_r", "localtime_s", "gmtime", "gmtime_r", "gmtime_s"])
   }
 
-  predicate isSink(DataFlow::Node sink) { sink.asExpr() instanceof AsctimeArg }
+  predicate isSink(DataFlow::Node sink) { exists(AsctimeArg arg | arg.asSink() = sink) }
 }
 
 module TmStructSafeFlow = DataFlow::Global<TmStructSafeConfig>;
 
 from AsctimeArg fc
 where
   not isExcluded(fc, Contracts7Package::doNotPassInvalidDataToTheAsctimeFunctionQuery()) and
-  not TmStructSafeFlow::flowToExpr(fc)
+  not TmStructSafeFlow::flowTo(fc.asSink())
 select fc,
   "The function `asctime` and `asctime_r` should be discouraged. Unsanitized input can overflow the output buffer."
diff --git a/c/cert/src/rules/SIG30-C/CallOnlyAsyncSafeFunctionsWithinSignalHandlers.ql b/c/cert/src/rules/SIG30-C/CallOnlyAsyncSafeFunctionsWithinSignalHandlers.ql
@@ -19,7 +19,7 @@
 import cpp
 import codingstandards.c.cert
 import codingstandards.c.Signal
-import semmle.code.cpp.dataflow.DataFlow
+import semmle.code.cpp.dataflow.new.DataFlow
 
 /**
  * Does not access an external variable except