github
diff --git a/‎Cargo.toml‎
Lines changed: 0 additions & 1 deletion b/‎Cargo.toml‎
Lines changed: 0 additions & 1 deletion
diff --git a/‎MODULE.bazel‎
Lines changed: 3 additions & 3 deletions b/‎MODULE.bazel‎
Lines changed: 3 additions & 3 deletions
diff --git a/‎cpp/ql/lib/experimental/quantum/OpenSSL/AlgorithmInstances/EllipticCurveAlgorithmInstance.qll‎
Lines changed: 1 addition & 1 deletion b/‎cpp/ql/lib/experimental/quantum/OpenSSL/AlgorithmInstances/EllipticCurveAlgorithmInstance.qll‎
Lines changed: 1 addition & 1 deletion
diff --git a/‎cpp/ql/lib/experimental/quantum/OpenSSL/AlgorithmInstances/HashAlgorithmInstance.qll‎
Lines changed: 1 addition & 1 deletion b/‎cpp/ql/lib/experimental/quantum/OpenSSL/AlgorithmInstances/HashAlgorithmInstance.qll‎
Lines changed: 1 addition & 1 deletion
diff --git a/‎cpp/ql/lib/semmle/code/cpp/controlflow/IRGuards.qll‎
Lines changed: 7 additions & 5 deletions b/‎cpp/ql/lib/semmle/code/cpp/controlflow/IRGuards.qll‎
Lines changed: 7 additions & 5 deletions
diff --git a/‎cpp/ql/test/library-tests/controlflow/guards/GuardsControl.expected‎
Lines changed: 0 additions & 1 deletion b/‎cpp/ql/test/library-tests/controlflow/guards/GuardsControl.expected‎
Lines changed: 0 additions & 1 deletion
diff --git a/‎csharp/ql/lib/change-notes/2025-10-03-nullness.md‎
Lines changed: 4 additions & 0 deletions b/‎csharp/ql/lib/change-notes/2025-10-03-nullness.md‎
Lines changed: 4 additions & 0 deletions
diff --git a/‎csharp/ql/lib/semmle/code/csharp/controlflow/ControlFlowElement.qll‎
Lines changed: 6 additions & 0 deletions b/‎csharp/ql/lib/semmle/code/csharp/controlflow/ControlFlowElement.qll‎
Lines changed: 6 additions & 0 deletions
diff --git a/‎csharp/ql/lib/semmle/code/csharp/controlflow/ControlFlowGraph.qll‎
Lines changed: 3 additions & 6 deletions b/‎csharp/ql/lib/semmle/code/csharp/controlflow/ControlFlowGraph.qll‎
Lines changed: 3 additions & 6 deletions
diff --git a/‎csharp/ql/lib/semmle/code/csharp/controlflow/ControlFlowReachability.qll‎
Lines changed: 57 additions & 0 deletions b/‎csharp/ql/lib/semmle/code/csharp/controlflow/ControlFlowReachability.qll‎
Lines changed: 57 additions & 0 deletions
@@ -10,4 +10,3 @@ members = [
     "rust/ast-generator",
     "rust/autobuild",
 ]
-exclude = ["mad-generation-build"]
@@ -19,16 +19,16 @@ bazel_dep(name = "rules_go", version = "0.56.1")
 bazel_dep(name = "rules_pkg", version = "1.0.1")
 bazel_dep(name = "rules_nodejs", version = "6.2.0-codeql.1")
 bazel_dep(name = "rules_python", version = "0.40.0")
-bazel_dep(name = "rules_shell", version = "0.3.0")
-bazel_dep(name = "bazel_skylib", version = "1.7.1")
+bazel_dep(name = "rules_shell", version = "0.5.0")
+bazel_dep(name = "bazel_skylib", version = "1.8.1")
 bazel_dep(name = "abseil-cpp", version = "20240116.1", repo_name = "absl")
 bazel_dep(name = "nlohmann_json", version = "3.11.3", repo_name = "json")
 bazel_dep(name = "fmt", version = "10.0.0")
 bazel_dep(name = "rules_kotlin", version = "2.1.3-codeql.1")
 bazel_dep(name = "gazelle", version = "0.40.0")
 bazel_dep(name = "rules_dotnet", version = "0.19.2-codeql.1")
 bazel_dep(name = "googletest", version = "1.14.0.bcr.1")
-bazel_dep(name = "rules_rust", version = "0.63.0")
+bazel_dep(name = "rules_rust", version = "0.66.0")
 bazel_dep(name = "zstd", version = "1.5.5.bcr.1")
 
 bazel_dep(name = "buildifier_prebuilt", version = "6.4.0", dev_dependency = True)
 
@@ -40,7 +40,7 @@ class KnownOpenSslEllipticCurveConstantAlgorithmInstance extends OpenSslAlgorith
     result = this.(Call).getTarget().getName()
   }
 
-  override Crypto::EllipticCurveFamilyType getEllipticCurveFamilyType() {
+  override Crypto::EllipticCurveType getEllipticCurveType() {
     if
       Crypto::ellipticCurveNameToKnownKeySizeAndFamilyMapping(this.getParsedEllipticCurveName(), _,
         _)
 
@@ -72,7 +72,7 @@ class KnownOpenSslHashConstantAlgorithmInstance extends OpenSslAlgorithmInstance
 
   override OpenSslAlgorithmValueConsumer getAvc() { result = getterCall }
 
-  override Crypto::THashType getHashFamily() {
+  override Crypto::THashType getHashType() {
     knownOpenSslConstantToHashFamilyType(this, result)
     or
     not knownOpenSslConstantToHashFamilyType(this, _) and result = Crypto::OtherHashType()
 
@@ -380,18 +380,20 @@ private module LogicInput_v1 implements GuardsImpl::LogicInputSig {
     GuardsInput::Expr getARead() { result = this.getAUse().getDef() }
   }
 
-  class SsaWriteDefinition extends SsaDefinition instanceof ExplicitDefinition {
-    GuardsInput::Expr getDefinition() { result = super.getAssignedInstruction() }
+  class SsaExplicitWrite extends SsaDefinition instanceof ExplicitDefinition {
+    GuardsInput::Expr getValue() { result = super.getAssignedInstruction() }
   }
 
-  class SsaPhiNode extends SsaDefinition instanceof PhiNode {
+  class SsaPhiDefinition extends SsaDefinition instanceof PhiNode {
     predicate hasInputFromBlock(SsaDefinition inp, BasicBlock bb) {
       super.hasInputFromBlock(inp, bb)
     }
   }
 
-  predicate parameterDefinition(GuardsInput::Parameter p, SsaDefinition def) {
-    def.isParameterDefinition(p)
+  class SsaParameterInit extends SsaDefinition {
+    SsaParameterInit() { this.isParameterDefinition(_) }
+
+    GuardsInput::Parameter getParameter() { this.isParameterDefinition(result) }
   }
 
   predicate additionalImpliesStep(
 
@@ -115,7 +115,6 @@
 | test.c:127:9:127:9 | 1 | not 0 | test.c:131:10:132:16 | { ... } |
 | test.c:131:7:131:7 | b | not 0 | test.c:131:10:132:16 | { ... } |
 | test.c:131:7:131:7 | b | true | test.c:131:10:132:16 | { ... } |
-| test.c:137:7:137:7 | 0 | 0 | test.c:142:3:136:10 | return ... |
 | test.c:137:7:137:7 | 0 | false | test.c:142:3:136:10 | return ... |
 | test.c:145:16:145:16 | x | 0 | test.c:146:11:147:9 | { ... } |
 | test.c:146:7:146:8 | ! ... | true | test.c:146:11:147:9 | { ... } |
 
@@ -0,0 +1,4 @@
+---
+category: majorAnalysis
+---
+* The representation of the C# control-flow graph has been significantly changed. This has minor effects on a wide range of queries including both minor improvements and minor regressions, for example, improved precision has been observed for `cs/inefficient-containskey` and `cs/stringbuilder-creation-in-loop`. Two queries stand out as being significantly affected with great improvements: `cs/dereferenced-value-may-be-null` has been completely rewritten which removes a very significant number of false positives. Furthermore, `cs/constant-condition` has been updated to report many new results - these new results are primarily expected to be true positives, but a few new false positives are expected as well. As part of these changes, `cs/dereferenced-value-may-be-null` has been changed from a `path-problem` query to a `problem` query, so paths are no longer reported for this query.
@@ -40,6 +40,12 @@ class ControlFlowElement extends ExprOrStmtParent, @control_flow_element {
    */
   Nodes::ElementNode getAControlFlowNode() { result.getAstNode() = this }
 
+  /** Gets the control flow node for this element. */
+  ControlFlow::Node getControlFlowNode() { result.getAstNode() = this }
+
+  /** Gets the basic block in which this element occurs. */
+  BasicBlock getBasicBlock() { result = this.getAControlFlowNode().getBasicBlock() }
+
   /**
    * Gets a first control flow node executed within this element.
    */
 
@@ -251,6 +251,9 @@ module ControlFlow {
       }
     }
 
+    /** A control flow node indicating normal termination of a callable. */
+    class NormalExitNode extends AnnotatedExitNode instanceof Impl::NormalExitNode { }
+
     /** A node for a callable exit point. */
     class ExitNode extends Node instanceof Impl::ExitNode {
       /** Gets the callable that this exit applies to. */
@@ -292,13 +295,7 @@ module ControlFlow {
 
     class Split = Splitting::Split;
 
-    class FinallySplit = Splitting::FinallySplitting::FinallySplit;
-
     class ExceptionHandlerSplit = Splitting::ExceptionHandlerSplitting::ExceptionHandlerSplit;
-
-    class BooleanSplit = Splitting::BooleanSplitting::BooleanSplit;
-
-    class LoopSplit = Splitting::LoopSplitting::LoopSplit;
   }
 
   class BasicBlock = BBs::BasicBlock;
 
@@ -0,0 +1,57 @@
+/**
+ * Provides an implementation of local (intraprocedural) control flow reachability.
+ */
+
+import csharp
+private import codeql.controlflow.ControlFlowReachability
+private import semmle.code.csharp.controlflow.BasicBlocks
+private import semmle.code.csharp.controlflow.Guards as Guards
+private import semmle.code.csharp.ExprOrStmtParent
+
+private module ControlFlowInput implements
+  InputSig<Location, ControlFlow::Node, ControlFlow::BasicBlock>
+{
+  private import csharp as CS
+
+  AstNode getEnclosingAstNode(ControlFlow::Node node) {
+    node.getAstNode() = result
+    or
+    not exists(node.getAstNode()) and result = node.getEnclosingCallable()
+  }
+
+  class AstNode = ExprOrStmtParent;
+
+  AstNode getParent(AstNode node) { result = node.getParent() }
+
+  class FinallyBlock extends AstNode {
+    FinallyBlock() { any(TryStmt try).getFinally() = this }
+  }
+
+  class Expr = CS::Expr;
+
+  class SourceVariable = Ssa::SourceVariable;
+
+  class SsaDefinition = Ssa::Definition;
+
+  class SsaExplicitWrite extends SsaDefinition instanceof Ssa::ExplicitDefinition {
+    Expr getValue() { result = super.getADefinition().getSource() }
+  }
+
+  class SsaPhiDefinition = Ssa::PhiNode;
+
+  class SsaUncertainWrite = Ssa::UncertainDefinition;
+
+  class GuardValue = Guards::GuardValue;
+
+  predicate ssaControlsBranchEdge(SsaDefinition def, BasicBlock bb1, BasicBlock bb2, GuardValue v) {
+    Guards::Guards::ssaControlsBranchEdge(def, bb1, bb2, v)
+  }
+
+  predicate ssaControls(SsaDefinition def, BasicBlock bb, GuardValue v) {
+    Guards::Guards::ssaControls(def, bb, v)
+  }
+
+  import Guards::Guards::InternalUtil
+}
+
+module ControlFlowReachability = Make<Location, Cfg, ControlFlowInput>;
Original file line number	Diff line number	Diff line change
`@@ -10,4 +10,3 @@ members = [`
`10`	`10`	`"rust/ast-generator",`
`11`	`11`	`"rust/autobuild",`
`12`	`12`	`]`
`13`		`-exclude = ["mad-generation-build"]`
Original file line number	Diff line number	Diff line change
`@@ -40,7 +40,7 @@ class KnownOpenSslEllipticCurveConstantAlgorithmInstance extends OpenSslAlgorith`
`40`	`40`	`result = this.(Call).getTarget().getName()`
`41`	`41`	`}`
`42`	`42`
`43`		`- override Crypto::EllipticCurveFamilyType getEllipticCurveFamilyType() {`
	`43`	`+ override Crypto::EllipticCurveType getEllipticCurveType() {`
`44`	`44`	`if`
`45`	`45`	`Crypto::ellipticCurveNameToKnownKeySizeAndFamilyMapping(this.getParsedEllipticCurveName(), _,`
`46`	`46`	`_)`
Original file line number	Diff line number	Diff line change
`@@ -380,18 +380,20 @@ private module LogicInput_v1 implements GuardsImpl::LogicInputSig {`
`380`	`380`	`GuardsInput::Expr getARead() { result = this.getAUse().getDef() }`
`381`	`381`	`}`
`382`	`382`
`383`		`- class SsaWriteDefinition extends SsaDefinition instanceof ExplicitDefinition {`
`384`		`- GuardsInput::Expr getDefinition() { result = super.getAssignedInstruction() }`
	`383`	`+ class SsaExplicitWrite extends SsaDefinition instanceof ExplicitDefinition {`
	`384`	`+ GuardsInput::Expr getValue() { result = super.getAssignedInstruction() }`
`385`	`385`	`}`
`386`	`386`
`387`		`- class SsaPhiNode extends SsaDefinition instanceof PhiNode {`
	`387`	`+ class SsaPhiDefinition extends SsaDefinition instanceof PhiNode {`
`388`	`388`	`predicate hasInputFromBlock(SsaDefinition inp, BasicBlock bb) {`
`389`	`389`	`super.hasInputFromBlock(inp, bb)`
`390`	`390`	`}`
`391`	`391`	`}`
`392`	`392`
`393`		`- predicate parameterDefinition(GuardsInput::Parameter p, SsaDefinition def) {`
`394`		`- def.isParameterDefinition(p)`
	`393`	`+ class SsaParameterInit extends SsaDefinition {`
	`394`	`+ SsaParameterInit() { this.isParameterDefinition(_) }`
	`395`	`+`
	`396`	`+ GuardsInput::Parameter getParameter() { this.isParameterDefinition(result) }`
`395`	`397`	`}`
`396`	`398`
`397`	`399`	`predicate additionalImpliesStep(`
-Original file line number
+Diff line change
@@ @@ -0,0 +1,4 @@ @@
 +---
 +category: majorAnalysis
 +---
 +* The representation of the C# control-flow graph has been significantly changed. This has minor effects on a wide range of queries including both minor improvements and minor regressions, for example, improved precision has been observed for `cs/inefficient-containskey` and `cs/stringbuilder-creation-in-loop`. Two queries stand out as being significantly affected with great improvements: `cs/dereferenced-value-may-be-null` has been completely rewritten which removes a very significant number of false positives. Furthermore, `cs/constant-condition` has been updated to report many new results - these new results are primarily expected to be true positives, but a few new false positives are expected as well. As part of these changes, `cs/dereferenced-value-may-be-null` has been changed from a `path-problem` query to a `problem` query, so paths are no longer reported for this query.
Original file line number	Diff line number	Diff line change
`@@ -251,6 +251,9 @@ module ControlFlow {`
`251`	`251`	`}`
`252`	`252`	`}`
`253`	`253`
	`254`	`+ /** A control flow node indicating normal termination of a callable. */`
	`255`	`+ class NormalExitNode extends AnnotatedExitNode instanceof Impl::NormalExitNode { }`
	`256`	`+`
`254`	`257`	`/** A node for a callable exit point. */`
`255`	`258`	`class ExitNode extends Node instanceof Impl::ExitNode {`
`256`	`259`	`/** Gets the callable that this exit applies to. */`
`@@ -292,13 +295,7 @@ module ControlFlow {`
`292`	`295`
`293`	`296`	`class Split = Splitting::Split;`
`294`	`297`
`295`		`- class FinallySplit = Splitting::FinallySplitting::FinallySplit;`
`296`		`-`
`297`	`298`	`class ExceptionHandlerSplit = Splitting::ExceptionHandlerSplitting::ExceptionHandlerSplit;`
`298`		`-`
`299`		`- class BooleanSplit = Splitting::BooleanSplitting::BooleanSplit;`
`300`		`-`
`301`		`- class LoopSplit = Splitting::LoopSplitting::LoopSplit;`
`302`	`299`	`}`
`303`	`300`
`304`	`301`	`class BasicBlock = BBs::BasicBlock;`