diff --git a/java/ql/lib/qlpack.yml b/java/ql/lib/qlpack.yml
index d6884627794b..f29904e14c56 100644
--- a/java/ql/lib/qlpack.yml
+++ b/java/ql/lib/qlpack.yml
@@ -23,3 +23,4 @@ dataExtensions:
 - ext/generated/*.model.yml
 - ext/experimental/*.model.yml
 warnOnImplicitThis: true
+compileForOverlayEval: true
diff --git a/java/ql/lib/semmle/code/java/Type.qll b/java/ql/lib/semmle/code/java/Type.qll
index c30dd7012bfb..aa1cc5fdc7f7 100644
--- a/java/ql/lib/semmle/code/java/Type.qll
+++ b/java/ql/lib/semmle/code/java/Type.qll
@@ -422,6 +422,7 @@ class RefType extends Type, Annotatable, Modifiable, @reftype {
 * This does not include itself, unless this type is part of a cycle
 * in the type hierarchy.
 */
+ overlay[caller?]
 RefType getAStrictAncestor() { result = this.getASupertype().getAnAncestor() }
 /**
diff --git a/java/ql/lib/semmle/code/java/dispatch/VirtualDispatch.qll b/java/ql/lib/semmle/code/java/dispatch/VirtualDispatch.qll
index 877a62fb9455..edd634a84c6d 100644
--- a/java/ql/lib/semmle/code/java/dispatch/VirtualDispatch.qll
+++ b/java/ql/lib/semmle/code/java/dispatch/VirtualDispatch.qll
@@ -36,6 +36,7 @@ Callable exactCallable(Call c) {
 private predicate implCount(MethodCall m, int c) { strictcount(viableImpl(m)) = c }
 /** Gets a viable implementation of the target of the given `Call`. */
+overlay[local]
 Callable viableCallable(Call c) {
 result = viableImpl(c)
 or
diff --git a/java/ql/lib/semmle/code/java/security/TempDirLocalInformationDisclosureQuery.qll b/java/ql/lib/semmle/code/java/security/TempDirLocalInformationDisclosureQuery.qll
index 97ae75988b3b..1caadd3f8acd 100644
--- a/java/ql/lib/semmle/code/java/security/TempDirLocalInformationDisclosureQuery.qll
+++ b/java/ql/lib/semmle/code/java/security/TempDirLocalInformationDisclosureQuery.qll
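Review bot: `getAStrictAncestor()` is the only predicate in this diff annotated `overlay[caller?]` rather than `overlay[local]`/`overlay[local?]`, and its qldoc says nothing about why the ancestor relation should take its overlay mode from whichever predicate calls it. The result is built from `getASupertype()` and `getAnAncestor()`, whose own annotations are outside this hunk, so the choice presumably follows theirs, but a reader of this block cannot tell. A one-line qldoc remark stating why `caller?` was preferred over `local?` for this predicate would record the rationale next to the annotation. The enclosing class `RefType` starts and ends outside the hunk.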
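Review bot: `viableCallable` is marked `overlay[local]` without the `?` that every other annotation in this diff carries, which makes it an unconditional assertion rather than a hint the compiler can verify. Its body resolves targets through `viableImpl(c)`, and the viable implementations of a call in an overlaid file can live in files that exist only in the base, so if the assertion does not hold the dispatch set, and every data-flow or taint path in the Java security queries that depends on it, would be silently incomplete in overlay runs. Unless unconditional locality is deliberate, `overlay[local?]` would let the compiler check it; if it is deliberate, a comment next to the annotation explaining why it is sound here would spare the next reader the same question. `viableCallable` continues past the end of the hunk (`or` is its last visible line).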
@@ -203,6 +203,7 @@ module TempDirSystemGetPropertyDirectlyToMkdir =
 /**
 * A `MethodCall` against a method that creates a temporary file or directory in a shared temporary directory.
 */
+overlay[local?]
 abstract class MethodCallInsecureFileCreation extends MethodCall {
 /**
 * Gets the type of entity created (e.g. `file`, `directory`, ...).
@@ -218,6 +219,7 @@ abstract class MethodCallInsecureFileCreation extends MethodCall {
 /**
 * An insecure call to `java.io.File.createTempFile`.
 */
+overlay[local?]
 class MethodCallInsecureFileCreateTempFile extends MethodCallInsecureFileCreation {
 MethodCallInsecureFileCreateTempFile() {
 this.getMethod() instanceof MethodFileCreateTempFile and
@@ -246,6 +248,7 @@ class MethodGuavaFilesCreateTempFile extends Method {
 /**
 * A call to the `com.google.common.io.Files.createTempDir` method.
 */
+overlay[local?]
 class MethodCallInsecureGuavaFilesCreateTempFile extends MethodCallInsecureFileCreation {
 MethodCallInsecureGuavaFilesCreateTempFile() {
 this.getMethod() instanceof MethodGuavaFilesCreateTempFile
diff --git a/java/ql/src/Security/CWE/CWE-113/NettyResponseSplitting.ql b/java/ql/src/Security/CWE/CWE-113/NettyResponseSplitting.ql
index fb7a40052f0b..9257808dce49 100644
--- a/java/ql/src/Security/CWE/CWE-113/NettyResponseSplitting.ql
+++ b/java/ql/src/Security/CWE/CWE-113/NettyResponseSplitting.ql
@@ -16,6 +16,7 @@ import java
 import semmle.code.java.dataflow.FlowSources
+overlay[local?]
 abstract private class InsecureNettyObjectCreation extends ClassInstanceExpr {
 int vulnerableArgumentIndex;
@@ -27,6 +28,7 @@ abstract private class InsecureNettyObjectCreation extends ClassInstanceExpr {
 abstract string splittingType();
 }
+overlay[local?]
 abstract private class RequestOrResponseSplittingInsecureNettyObjectCreation extends InsecureNettyObjectCreation
 {
 override string splittingType() { result = "Request splitting or response splitting" }
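Review bot: The `overlay[local?]` added to the abstract class `MethodCallInsecureFileCreation` only takes effect if every concrete subclass carries the same annotation, because the abstract class's extent is the union of its subclasses. This diff annotates `MethodCallInsecureFileCreateTempFile` (hunk at -218) and `MethodCallInsecureGuavaFilesCreateTempFile` (hunk at -246), but the file is only partly visible here, so any other subclass of this class should be checked for the same annotation. A qldoc line on the abstract class would make the requirement visible to whoever adds the next subclass: `Subclasses should carry the same overlay[local?] annotation as this class.` The abstract class body continues past the end of the hunk.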
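Review bot: The `overlay[local?]` annotations added to `java/ql/src/Security/CWE/CWE-113/NettyResponseSplitting.ql` (hunks at -16 and -27 here, and the remaining class hunks of this file) only have an effect if the pack that contains this query is compiled for overlay evaluation, and the only `compileForOverlayEval: true` in this diff is the one added to `java/ql/lib/qlpack.yml`. If the `java/ql/src` pack already has that setting outside this diff, nothing further is needed; otherwise these annotations are inert until it does, and the commit message should say which is the case. `InsecureNettyObjectCreation` starts in the -16 hunk but its body continues outside it.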
@@ -35,6 +37,7 @@ abstract private class RequestOrResponseSplittingInsecureNettyObjectCreation ext
 /**
 * Request splitting can allowing an attacker to inject/smuggle an additional HTTP request into the socket connection.
 */
+overlay[local?]
 abstract private class RequestSplittingInsecureNettyObjectCreation extends InsecureNettyObjectCreation
 {
 override string splittingType() { result = "Request splitting" }
@@ -43,11 +46,13 @@ abstract private class RequestSplittingInsecureNettyObjectCreation extends Insec
 /**
 * Response splitting can lead to HTTP vulnerabilities like XSS and cache poisoning.
 */
+overlay[local?]
 abstract private class ResponseSplittingInsecureNettyObjectCreation extends InsecureNettyObjectCreation
 {
 override string splittingType() { result = "Response splitting" }
 }
+overlay[local?]
 private class InsecureDefaultHttpHeadersClassInstantiation extends RequestOrResponseSplittingInsecureNettyObjectCreation
 {
 InsecureDefaultHttpHeadersClassInstantiation() {
@@ -58,6 +63,7 @@ private class InsecureDefaultHttpHeadersClassInstantiation extends RequestOrResp
 }
 }
+overlay[local?]
 private class InsecureDefaultHttpResponseClassInstantiation extends ResponseSplittingInsecureNettyObjectCreation
 {
 InsecureDefaultHttpResponseClassInstantiation() {
@@ -66,6 +72,7 @@ private class InsecureDefaultHttpResponseClassInstantiation extends ResponseSpli
 }
 }
+overlay[local?]
 private class InsecureDefaultHttpRequestClassInstantiation extends RequestSplittingInsecureNettyObjectCreation
 {
 InsecureDefaultHttpRequestClassInstantiation() {
@@ -74,6 +81,7 @@ private class InsecureDefaultHttpRequestClassInstantiation extends RequestSplitt
 }
 }
+overlay[local?]
 private class InsecureDefaultFullHttpResponseClassInstantiation extends ResponseSplittingInsecureNettyObjectCreation
 {
 InsecureDefaultFullHttpResponseClassInstantiation() {
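Review bot: The qldoc on `RequestSplittingInsecureNettyObjectCreation`, the unchanged context line directly above the new `overlay[local?]` in the -35 hunk, reads `Request splitting can allowing an attacker to inject/smuggle an additional HTTP request into the socket connection.` Since the commit already touches this class declaration, rewording it to `Request splitting can allow an attacker to inject/smuggle an additional HTTP request into the socket connection.` would fix the grammar at no extra cost. The class body continues past the end of the hunk.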
@@ -83,6 +91,7 @@ private class InsecureDefaultFullHttpResponseClassInstantiation extends Response
 }
 }
+overlay[local?]
 private class InsecureDefaultFullHttpRequestClassInstantiation extends RequestSplittingInsecureNettyObjectCreation
 {
 InsecureDefaultFullHttpRequestClassInstantiation() {