Add qldoc.

cpp/ql/lib/semmle/code/cpp/dataflow/internal/TaintTrackingUtil.qll

@@ -282,4 +282,8 @@ private predicate exprToPartialDefinitionStep(Expr exprIn, Expr exprOut) {
 
 private predicate iteratorDereference(Call c) { c.getTarget() instanceof IteratorReferenceFunction }
 
+/**
+ * Holds if the additional step from `src` to `sink` should be considered in
+ * speculative taint flow exploration.
+ */
 predicate speculativeTaintStep(DataFlow::Node src, DataFlow::Node sink) { none() }

cpp/ql/lib/semmle/code/cpp/ir/dataflow/internal/TaintTrackingUtil.qll

@@ -219,6 +219,10 @@ private module SpeculativeTaintFlow {
   private import semmle.code.cpp.ir.dataflow.internal.DataFlowDispatch as DataFlowDispatch
   private import semmle.code.cpp.ir.dataflow.internal.DataFlowPrivate as DataFlowPrivate
 
+  /**
+   * Holds if the additional step from `src` to `sink` should be considered in
+   * speculative taint flow exploration.
+   */
   predicate speculativeTaintStep(DataFlow::Node src, DataFlow::Node sink) {
     exists(DataFlowCall call, ArgumentPosition argpos |
       // TODO: exclude neutrals and anything that has QL modeling.

csharp/ql/lib/semmle/code/csharp/dataflow/internal/TaintTrackingPrivate.qll

@@ -185,6 +185,10 @@ private module SpeculativeTaintFlow {
     exists(FlowSummaryImpl::Public::NeutralSinkCallable sc | sc.getACall() = call)
   }
 
+  /**
+   * Holds if the additional step from `src` to `sink` should be considered in
+   * speculative taint flow exploration.
+   */
   predicate speculativeTaintStep(DataFlow::Node src, DataFlow::Node sink) {
     exists(DataFlowCall call, Call srcCall, ArgumentPosition argpos |
       not exists(viableCallable(call)) and

go/ql/lib/semmle/go/dataflow/internal/TaintTrackingUtil.qll

@@ -434,6 +434,10 @@ import SpeculativeTaintFlow
 private module SpeculativeTaintFlow {
   private import semmle.go.dataflow.internal.DataFlowDispatch as DataFlowDispatch
 
+  /**
+   * Holds if the additional step from `src` to `sink` should be considered in
+   * speculative taint flow exploration.
+   */
   predicate speculativeTaintStep(DataFlow::Node src, DataFlow::Node sink) {
     exists(DataFlowPrivate::DataFlowCall call, DataFlowDispatch::ArgumentPosition argpos |
       // TODO: exclude neutrals and anything that has QL modeling.

java/ql/lib/semmle/code/java/dataflow/internal/TaintTrackingUtil.qll

@@ -690,6 +690,10 @@ private module SpeculativeTaintFlow {
         .hasName("java.util.function")
   }
 
+  /**
+   * Holds if the additional step from `src` to `sink` should be considered in
+   * speculative taint flow exploration.
+   */
   predicate speculativeTaintStep(DataFlow::Node src, DataFlow::Node sink) {
     exists(DataFlowCall call, Call srcCall, int argpos |
       not hasTarget(srcCall) and

python/ql/lib/semmle/python/dataflow/new/internal/TaintTrackingPrivate.qll

@@ -226,6 +226,10 @@ private module SpeculativeTaintFlow {
   private import semmle.python.dataflow.new.internal.DataFlowDispatch as DataFlowDispatch
   private import semmle.python.dataflow.new.internal.DataFlowPublic as DataFlowPublic
 
+  /**
+   * Holds if the additional step from `src` to `sink` should be considered in
+   * speculative taint flow exploration.
+   */
   predicate speculativeTaintStep(DataFlow::Node src, DataFlow::Node sink) {
     exists(DataFlowDispatch::DataFlowCall call, DataFlowDispatch::ArgumentPosition argpos |
       // TODO: exclude neutrals and anything that has QL modeling.

ruby/ql/lib/codeql/ruby/dataflow/internal/TaintTrackingPrivate.qll

@@ -155,6 +155,10 @@ private module SpeculativeTaintFlow {
   private import codeql.ruby.dataflow.internal.DataFlowDispatch as DataFlowDispatch
   private import codeql.ruby.dataflow.internal.DataFlowPublic as DataFlowPublic
 
+  /**
+   * Holds if the additional step from `src` to `sink` should be considered in
+   * speculative taint flow exploration.
+   */
   predicate speculativeTaintStep(DataFlow::Node src, DataFlow::Node sink) {
     exists(
       DataFlowDispatch::DataFlowCall call, MethodCall srcCall,

shared/dataflow/codeql/dataflow/TaintTracking.qll

@@ -208,6 +208,10 @@ module TaintFlowMake<
     }
   }
 
+  /**
+   * Constructs a global taint tracking computation that also allows a given
+   * maximum number of speculative taint steps.
+   */
   module SpeculativeFlow<DataFlow::ConfigSig Config, speculationLimitSig/0 speculationLimit>
     implements DataFlow::GlobalFlowSig
   {
@@ -229,6 +233,10 @@ module TaintFlowMake<
     import DataFlowInternal::Impl<C>
   }
 
+  /**
+   * Constructs a global taint tracking computation using flow state that also
+   * allows a given maximum number of speculative taint steps.
+   */
   module SpeculativeFlowWithState<
     DataFlow::StateConfigSig Config, speculationLimitSig/0 speculationLimit> implements
     DataFlow::GlobalFlowSig

swift/ql/lib/codeql/swift/dataflow/internal/TaintTrackingPrivate.qll

@@ -106,6 +106,10 @@ private module SpeculativeTaintFlow {
   private import codeql.swift.dataflow.internal.DataFlowPublic as DataFlowPublic
   private import codeql.swift.dataflow.internal.DataFlowPrivate as DataFlowPrivate
 
+  /**
+   * Holds if the additional step from `src` to `sink` should be considered in
+   * speculative taint flow exploration.
+   */
   predicate speculativeTaintStep(DataFlow::Node src, DataFlow::Node sink) {
     exists(DataFlowDispatch::DataFlowCall call, DataFlowDispatch::ArgumentPosition argpos |
       // TODO: exclude neutrals and anything that has QL modeling.