What happens if someone naively models a flow from an argument to itself, without using the partial flow model? Will the model inexplicably fail?

Nothing will inexplicably fail. In fact, nothing will fail at all. Let's assume you have this snippet:

void test() {
  char* p = taint(); // (1)
  foo(p); // (2)
  sink(p); // (3)
}

Let's consider three scenarios:

1. You have no model for foo
2. You have a dataflow model for foo that looks like:

override predicate hasDataFlow(FunctionInput input, FunctionOutput output) {
  input.isParameterDeref(0) and
  output.isParameterDeref(0)
}

1. You have a dataflow model for foo that looks like the above, but also has:

override predicate isPartialWrite(FunctionOutput output) { output.isParameterDeref(0) }

The behavior for each case will be:

You have no model for foo

There will be flow from taint() to p (in // (2)), and from p (in // (2)) to p (in // (3)). See here:

You have a dataflow model for foo, but no isPartialWrite override

There will be flow from taint() to p (in // (2)), and from p (in // (2)) to the output argument of foo, and from the output argument of foo to p (in // (3). See here:

That is, now that the model for foo implicitly blocks flow it means that flow will have to go through foo in order to reach sink.

You have a dataflow model for foo, and you also override isPartialWrite.

Since the flow is now specified as a partial write it means you get both of the flows from before:

I should add: The paths above have some duplication (i.e., there are two *call to taint nodes along the path) since I disable any kind of path compression in my example.

I'm not entirely sure we don't want this to be the default behaviour for qualifiers. I get that, in principle, a qualifier isn't all that different to an argument (at least an "inout" style argument), but typical usage is different and I would expect a partial write to be the norm???

This might be something to think about, but it doesn't need to hold up the PR necessarily.

Yeah, a partial write is probably the norm. There are obvious outliers such as std::string::clear, but I would also expect it to be the norm.

I'm not sure how to structure this best, though. Since we're now "blocking by default" and have thus added a predicate to "disable blocking" there's no now predicate to override for "enabling blocking". If we should make writes to the qualifier non-blocking by default we should also have a "enabling blocking" predicate. I supposed that could simply be a matter of adding an overridable predicate (with a sensible default) to PartialFlowFunction that says that writes to qualifiers are always non-blocking.

But I'd like to leave that as a follow-up like you suggested.