The Query Is a Flashlight. The Eyes Are the Work.

Running a CodeQL query against a 3.5-year-stale Firefox database, and what reading the source taught me on top of the query output.

Twenty-one hits.

I wrote a CodeQL query targeting a single shape: a parent-process IPDL Recv* handler that assigns a content-controlled parameter to a member field with no preceding guard. Compiled it. Ran it against Mozilla's last public CodeQL database for Firefox, version 105, dated September 2022. Six minutes of evaluation. Twenty-one hits across dom/ipc/, gfx/, accessible/, ipc/glue/, netwerk/dns/. The query landed on real Firefox code on the first run.

I expected the interesting story to be the hits. It wasn't. The interesting story is what the query found, what it missed, and what reading the source taught me on top of it.

The query

The .ql file is short.…