C++: IR: Drop the aliased SSA

[igfoo]

It is expensive, and has little benefit.

The docs check says these are missing documentation:

semmle/code/cpp/ir/implementation/unaliased_ssa/IRBlock.qll             IRBlock::IRCfg                                 module
semmle/code/cpp/ir/implementation/unaliased_ssa/gvn/ValueNumbering.qll  ValueNumbering                                 file
semmle/code/cpp/ir/implementation/unaliased_ssa/gvn/ValueNumbering.qll  ValueNumbering::ValueNumber::getDebugString/0  member-predicate
semmle/code/cpp/ir/implementation/unaliased_ssa/gvn/ValueNumbering.qll  ValueNumbering::ValueNumber::getKind/0         member-predicate
semmle/code/cpp/ir/implementation/unaliased_ssa/gvn/ValueNumbering.qll  ValueNumbering::ValueNumber::getLocation/0     member-predicate
semmle/code/cpp/ir/implementation/unaliased_ssa/gvn/ValueNumbering.qll  ValueNumbering::ValueNumber::toString/0        member-predicate

but those files are identical to their aliased_ssa counterparts, so this is not a regression.

[Copilot]

Pull request overview

Removes the C++ “aliased SSA” IR implementation (and associated tests/outputs) and switches the public-facing IR libraries to use the unaliased SSA implementation by default, updating tests and expected outputs accordingly.

Changes:

• Switch public IR entrypoints (IR, PrintIR, IRConsistency, ValueNumbering) from implementation.aliased_ssa to implementation.unaliased_ssa.
• Delete the cpp/ql/lib/semmle/code/cpp/ir/implementation/aliased_ssa/** library subtree and aliased-SSA-specific library tests.
• Update numerous IR/dataflow/controlflow/range-analysis tests and .expected outputs to match the new default IR behavior.

Reviewed changes

Copilot reviewed 107 out of 110 changed files in this pull request and generated 2 comments.

Show a summary per file

File	Description
cpp/ql/test/query-tests/Security/CWE/CWE-311/semmle/tests/CleartextFileWrite.expected	Updated expected results to match new IR/dataflow output.
cpp/ql/test/query-tests/Security/CWE/CWE-193/test.cpp	Adjusted inline expectations/line mappings in test code.
cpp/ql/test/query-tests/Security/CWE/CWE-134/semmle/ifs/ifs.expected	Updated expected results to match new provenance/flow output.
cpp/ql/test/query-tests/Security/CWE/CWE-119/SAMATE/OverrunWriteProductFlow.expected	Updated expected results to match new product flow output.
cpp/ql/test/library-tests/valuenumbering/GlobalValueNumbering/ir_gvn.ql	Switched test import to unaliased SSA PrintValueNumbering.
cpp/ql/test/library-tests/valuenumbering/GlobalValueNumbering/ast_ir_gvn.expected	Updated expected value numbering locations/rows.
cpp/ql/test/library-tests/ir/ssa/aliased_ssa_ssa_consistency_unsound.qlref	Removed aliased SSA consistency unsound test reference.
cpp/ql/test/library-tests/ir/ssa/aliased_ssa_ssa_consistency_unsound.expected	Removed expected output for deleted aliased SSA test.
cpp/ql/test/library-tests/ir/ssa/aliased_ssa_ssa_consistency.ql	Removed aliased SSA SSAConsistency test query.
cpp/ql/test/library-tests/ir/ssa/aliased_ssa_ssa_consistency.expected	Removed expected output for deleted test.
cpp/ql/test/library-tests/ir/ssa/aliased_ssa_overlap.ql	Removed aliased SSA overlap test query.
cpp/ql/test/library-tests/ir/ssa/aliased_ssa_ir_unsound.qlref	Removed aliased SSA PrintIR unsound test reference.
cpp/ql/test/library-tests/ir/ssa/aliased_ssa_ir.ql	Removed aliased SSA PrintIR test query.
cpp/ql/test/library-tests/ir/ssa/aliased_ssa_consistency_unsound.qlref	Removed aliased SSA IRConsistency unsound test reference.
cpp/ql/test/library-tests/ir/ssa/aliased_ssa_consistency_unsound.expected	Removed expected output for deleted test.
cpp/ql/test/library-tests/ir/ssa/aliased_ssa_consistency.ql	Removed aliased SSA IRConsistency test query.
cpp/ql/test/library-tests/ir/ssa/aliased_ssa_consistency.expected	Removed expected output for deleted test.
cpp/ql/test/library-tests/ir/range-analysis/test.cpp	Updated inline expectations for range/overflow.
cpp/ql/test/library-tests/ir/range-analysis/SimpleRangeAnalysis_tests.cpp	Updated inline expectations to reflect new analysis results/missing cases.
cpp/ql/test/library-tests/ir/points_to/points_to.ql	Dropped unaliased-SSA-specific points-to test module; keep raw test only.
cpp/ql/test/library-tests/ir/no-function-calls/unaliased_ir.ql	Switched to unaliased SSA PrintIR import.
cpp/ql/test/library-tests/ir/no-function-calls/unaliased_ir.expected	Added expected output for unaliased IR dump.
cpp/ql/test/library-tests/ir/no-function-calls/aliased_ir.expected	Removed expected output for aliased IR dump.
cpp/ql/test/library-tests/ir/ir/unaliased_ir.ql	Switched to unaliased SSA PrintIR import.
cpp/ql/test/library-tests/ir/ir/aliased_ssa_ssa_consistency_unsound.qlref	Removed aliased SSA consistency unsound test reference.
cpp/ql/test/library-tests/ir/ir/aliased_ssa_ssa_consistency_unsound.expected	Removed expected output for deleted test.
cpp/ql/test/library-tests/ir/ir/aliased_ssa_ssa_consistency.ql	Removed aliased SSA SSAConsistency test query.
cpp/ql/test/library-tests/ir/ir/aliased_ssa_ssa_consistency.expected	Removed expected output for deleted test.
cpp/ql/test/library-tests/ir/ir/aliased_ssa_consistency_unsound.qlref	Removed aliased SSA IRConsistency unsound test reference.
cpp/ql/test/library-tests/ir/ir/aliased_ssa_consistency_unsound.expected	Removed expected output for deleted test.
cpp/ql/test/library-tests/ir/ir/aliased_ssa_consistency.ql	Removed aliased SSA IRConsistency test query.
cpp/ql/test/library-tests/ir/ir/aliased_ssa_consistency.expected	Removed expected output for deleted test.
cpp/ql/test/library-tests/ir/escape/ssa_escape.ql	Updated escape test to use unaliased SSA alias analysis/configuration.
cpp/ql/test/library-tests/ir/escape/ssa_escape.expected	Added expected output for updated escape test.
cpp/ql/test/library-tests/ir/constant_func/constant_func.ql	Switched constant analysis import to unaliased SSA implementation.
cpp/ql/test/library-tests/ir/constant_func/constant_func.expected	Updated expected constants (reflecting changed DCE/const analysis behavior).
cpp/ql/test/library-tests/ir/constant_func/constant_func.cpp	Added explanatory comment about changed constant-analysis behavior.
cpp/ql/test/library-tests/dataflow/dataflow-tests/test-source-sink.expected	Updated expected IR flow rows.
cpp/ql/test/library-tests/dataflow/dataflow-tests/BarrierGuard.cpp	Updated spurious-flow annotations to include ir.
cpp/ql/test/library-tests/controlflow/guards/GuardsControl.expected	Updated expected guard/controlflow outputs.
cpp/ql/test/library-tests/controlflow/guards/GuardsCompare.expected	Updated expected guard compare outputs.
cpp/ql/test/library-tests/controlflow/controlflow/SsaLt.expected	Updated expected SSA less-than outputs.
cpp/ql/test/experimental/query-tests/Security/CWE/CWE-788/semmle/tests/AccessOfMemoryLocationAfterEndOfBufferUsingStrlen.expected	Updated expected results.
cpp/ql/test/experimental/query-tests/Security/CWE/CWE-193/constant-size/ConstantSizeArrayOffByOne.expected	Updated expected results/edges/subpaths.
cpp/ql/test/experimental/query-tests/Security/CWE/CWE-193/array-access/ArrayAccessProductFlow.expected	Updated expected results/subpaths.
cpp/ql/test/experimental/library-tests/rangeanalysis/signanalysis/SignAnalysis.expected	Updated expected sign analysis output.
cpp/ql/test/experimental/library-tests/rangeanalysis/arraylengthanalysis/ArrayLengthAnalysisTest.expected	Updated expected array length analysis output.
cpp/ql/src/Metrics/Internal/IRConsistency.ql	Switched metrics query imports to unaliased SSA IR/IRConsistency.
cpp/ql/lib/semmle/code/cpp/ir/internal/ASTValueNumbering.qll	Switched internal VN import to unaliased SSA implementation.
cpp/ql/lib/semmle/code/cpp/ir/implementation/internal/TOperand.qll	Removed aliased-SSA operand branches/wrappers from shared operand newtype.
cpp/ql/lib/semmle/code/cpp/ir/implementation/internal/TInstructionInternal.qll	Dropped aliased SSA SSAConstruction import.
cpp/ql/lib/semmle/code/cpp/ir/implementation/internal/TInstruction.qll	Removed aliased-SSA instruction branches/wrappers from shared instruction newtype.
cpp/ql/lib/semmle/code/cpp/ir/implementation/aliased_ssa/internal/SSAConstructionInternal.qll	Deleted aliased SSA SSA construction internals.
cpp/ql/lib/semmle/code/cpp/ir/implementation/aliased_ssa/internal/SSAConstructionImports.qll	Deleted aliased SSA SSA construction imports.
cpp/ql/lib/semmle/code/cpp/ir/implementation/aliased_ssa/internal/SSAConsistencyImports.qll	Deleted aliased SSA SSA consistency imports.
cpp/ql/lib/semmle/code/cpp/ir/implementation/aliased_ssa/internal/SSAConsistency.qll	Deleted aliased SSA SSA consistency implementation.
cpp/ql/lib/semmle/code/cpp/ir/implementation/aliased_ssa/internal/SSAConsistency.ql	Deleted aliased SSA SSA consistency query wrapper.
cpp/ql/lib/semmle/code/cpp/ir/implementation/aliased_ssa/internal/PrintSSA.qll	Deleted aliased SSA SSA debug printing provider.
cpp/ql/lib/semmle/code/cpp/ir/implementation/aliased_ssa/internal/PrintIRImports.qll	Deleted aliased SSA PrintIR imports.
cpp/ql/lib/semmle/code/cpp/ir/implementation/aliased_ssa/internal/PrintAliasAnalysis.qll	Deleted aliased SSA alias-analysis dump annotations.
cpp/ql/lib/semmle/code/cpp/ir/implementation/aliased_ssa/internal/OperandInternal.qll	Deleted aliased SSA operand internal wrapper.
cpp/ql/lib/semmle/code/cpp/ir/implementation/aliased_ssa/internal/OperandImports.qll	Deleted aliased SSA operand import shim.
cpp/ql/lib/semmle/code/cpp/ir/implementation/aliased_ssa/internal/InstructionImports.qll	Deleted aliased SSA instruction import shim.
cpp/ql/lib/semmle/code/cpp/ir/implementation/aliased_ssa/internal/IRVariableImports.qll	Deleted aliased SSA IR variable import shim.
cpp/ql/lib/semmle/code/cpp/ir/implementation/aliased_ssa/internal/IRInternal.qll	Deleted aliased SSA IR internals.
cpp/ql/lib/semmle/code/cpp/ir/implementation/aliased_ssa/internal/IRImports.qll	Deleted aliased SSA IR imports.
cpp/ql/lib/semmle/code/cpp/ir/implementation/aliased_ssa/internal/IRFunctionImports.qll	Deleted aliased SSA IR function imports.
cpp/ql/lib/semmle/code/cpp/ir/implementation/aliased_ssa/internal/IRConsistencyImports.qll	Deleted aliased SSA IR consistency imports.
cpp/ql/lib/semmle/code/cpp/ir/implementation/aliased_ssa/internal/IRBlockImports.qll	Deleted aliased SSA IR block imports.
cpp/ql/lib/semmle/code/cpp/ir/implementation/aliased_ssa/internal/AliasedSSA.qll	Deleted aliased SSA core aliasing/overlap/locations implementation.
cpp/ql/lib/semmle/code/cpp/ir/implementation/aliased_ssa/internal/AliasConfigurationInternal.qll	Deleted aliased SSA alias configuration internal.
cpp/ql/lib/semmle/code/cpp/ir/implementation/aliased_ssa/internal/AliasConfiguration.qll	Deleted aliased SSA alias configuration API.
cpp/ql/lib/semmle/code/cpp/ir/implementation/aliased_ssa/internal/AliasAnalysisInternal.qll	Deleted aliased SSA alias analysis internal.
cpp/ql/lib/semmle/code/cpp/ir/implementation/aliased_ssa/internal/AliasAnalysisImports.qll	Deleted aliased SSA alias analysis imports.
cpp/ql/lib/semmle/code/cpp/ir/implementation/aliased_ssa/internal/AliasAnalysis.qll	Deleted aliased SSA alias analysis implementation.
cpp/ql/lib/semmle/code/cpp/ir/implementation/aliased_ssa/gvn/internal/ValueNumberingInternal.qll	Deleted aliased SSA GVN internal implementation.
cpp/ql/lib/semmle/code/cpp/ir/implementation/aliased_ssa/gvn/internal/ValueNumberingImports.qll	Deleted aliased SSA GVN imports.
cpp/ql/lib/semmle/code/cpp/ir/implementation/aliased_ssa/gvn/ValueNumbering.qll	Deleted aliased SSA GVN public API.
cpp/ql/lib/semmle/code/cpp/ir/implementation/aliased_ssa/gvn/PrintValueNumbering.qll	Deleted aliased SSA GVN dump annotations.
cpp/ql/lib/semmle/code/cpp/ir/implementation/aliased_ssa/constant/internal/ConstantAnalysisInternal.qll	Deleted aliased SSA constant-analysis internal.
cpp/ql/lib/semmle/code/cpp/ir/implementation/aliased_ssa/constant/PrintConstantAnalysis.qll	Deleted aliased SSA constant-analysis dump annotations.
cpp/ql/lib/semmle/code/cpp/ir/implementation/aliased_ssa/constant/ConstantAnalysis.qll	Deleted aliased SSA constant analysis implementation.
cpp/ql/lib/semmle/code/cpp/ir/implementation/aliased_ssa/PrintIR.qll	Deleted aliased SSA PrintIR implementation.
cpp/ql/lib/semmle/code/cpp/ir/implementation/aliased_ssa/PrintIR.ql	Deleted aliased SSA PrintIR query wrapper.
cpp/ql/lib/semmle/code/cpp/ir/implementation/aliased_ssa/Operand.qll	Deleted aliased SSA operand API.
cpp/ql/lib/semmle/code/cpp/ir/implementation/aliased_ssa/IRVariable.qll	Deleted aliased SSA IRVariable API.
cpp/ql/lib/semmle/code/cpp/ir/implementation/aliased_ssa/IRFunction.qll	Deleted aliased SSA IRFunction API.
cpp/ql/lib/semmle/code/cpp/ir/implementation/aliased_ssa/IRConsistency.qll	Deleted aliased SSA IRConsistency implementation.
cpp/ql/lib/semmle/code/cpp/ir/implementation/aliased_ssa/IRConsistency.ql	Deleted aliased SSA IRConsistency query wrapper.
cpp/ql/lib/semmle/code/cpp/ir/implementation/aliased_ssa/IRBlock.qll	Deleted aliased SSA IRBlock API.
cpp/ql/lib/semmle/code/cpp/ir/implementation/aliased_ssa/IR.qll	Deleted aliased SSA IR umbrella module.
cpp/ql/lib/semmle/code/cpp/ir/ValueNumbering.qll	Switched public value numbering entrypoint to unaliased SSA implementation.
cpp/ql/lib/semmle/code/cpp/ir/PrintIR.qll	Switched public PrintIR entrypoint to unaliased SSA implementation.
cpp/ql/lib/semmle/code/cpp/ir/PrintIR.ql	Switched public PrintIR query to unaliased SSA implementation.
cpp/ql/lib/semmle/code/cpp/ir/IRConsistency.ql	Switched public IRConsistency query to unaliased SSA implementation.
cpp/ql/lib/semmle/code/cpp/ir/IR.qll	Switched public IR umbrella module to unaliased SSA implementation.
cpp/ql/lib/change-notes/2026-03-04-remove-aliased-ssa.md	Added breaking change note describing removal of aliased SSA.
config/identical-files.json	Removed aliased SSA entries from “identical files” groups.

[Copilot]

By switching the public semmle.code.cpp.ir.IR to import the unaliased SSA implementation, the documentation check now flags missing QLDoc in the unaliased SSA libraries (e.g. IRBlock::IRCfg module and gvn/ValueNumbering file + public member predicates like getDebugString, getKind, getLocation, toString). Please add the required QLDoc blocks in those unaliased SSA files so CI passes (even if it wasn’t previously enforced for the aliased SSA copies).

[Copilot]

Typo in comment: "placehold branch" should be "placeholder branch".

[MathiasVP]

Super happy that we're actually for real doing this!

(Of course, it's also a bit sad to see all of the hard work put into the aliased IR disappear into the git history 😭)

I'm a bit concerned about the changes in cpp/ql/test/library-tests/controlflow/guards/GuardsCompare.expected. I'm actually surprised there are so many changes here 🤔

[MathiasVP]

All the VariableGroup stuff was only concerned with aliased SSA, and the UnaliasedSsa::Ssa::VariableGroup class actually has a none in its charpred.

There's loads of stuff related to VariableGroup which can be deleted. See this PR where I introduced it which can basically now be reverted (probably by manually deleting the relevant regions)

[MathiasVP]

There's also some more now-dead predicates which I introduced in this PR. Those predicates should probably also be removed now (rather than later which would require yet another breaking change).

[MathiasVP]

It makes sense that these FPs now show up. Barrier guards has disjunct which uses value numbering to catch stuff like this, and we now lose this feature because we restrict a lot of the power of value numbering.

The ideal follow-up would be to add SSA for fields like C# and Java has.

[MathiasVP]

Aliased SSA vs unaliased SSA was always an internal name that we never communicated outwards. I'd prefer if we phrased this as something like this:

• The C/C++ intermediate representation (IR) has been simplified to perform a more lightweight alias analysis. As a result, end-to-end analysis time is dramatically improved.

  A libraries that relied on the expensive IR alias analysis will now be less precise. In particular, the value numbering library (semmle.code.cpp.valuenumbering.GlobalValueNumbering) will identify fewer expressions, and the guards and barrier guards libraries (semmle.code.cpp.controlflow.Guards) will recognize fewer guards.

I would probably also add something to the effect of "We plan to address these in the future" if you actually believe that to be the case. Personally, I would really like the regressions in the guards and barrier guards libraries fixed in the future

[igfoo]

Is it worth including "aliased" in there somewhere so people with custom queries that import it and break can find this changenote, or will that not be an issue?

[MathiasVP]

Hm. I guess it couldn't hurt if you can find a good way to phrase it 😂 I think it would be the first mention of "aliased IR" in a change note, though.

[jketema]

I'm a bit concerned about the changes in cpp/ql/test/library-tests/controlflow/guards/GuardsCompare.expected. I'm actually surprised there are so many changes here 🤔

I agree with Mathias here, and I think we should understand why this is happening. There also seem to be quite some alert changes in DCA (see the internal PR), which I think we should try to understand before moving forward with this.