Merge branch 'main' into 51-2cppnon-constant-format-alter-not-const-source

cpp/ql/lib/change-notes/2024-02-06-flow-out-barrier-function.md

@@ -0,0 +1,4 @@
+---
+category: feature
+---
+* Added an abstract class `FlowOutBarrierFunction` that can be used to block flow out of a function.

cpp/ql/lib/semmle/code/cpp/exprs/Assignment.qll

@@ -244,9 +244,15 @@ class ConditionDeclExpr extends Expr, @condition_decl {
 
   /**
    * Gets the compiler-generated variable access that conceptually occurs after
-   * the initialization of the declared variable.
+   * the initialization of the declared variable, if any.
    */
-  VariableAccess getVariableAccess() { result = this.getChild(0) }
+  VariableAccess getVariableAccess() { result = this.getExpr() }
+
+  /**
+   * Gets the expression that is evaluated after the initialization of the declared
+   * variable.
+   */
+  Expr getExpr() { result = this.getChild(0) }
 
   /**
    * Gets the expression that initializes the declared variable. This predicate

cpp/ql/lib/semmle/code/cpp/ir/dataflow/internal/SsaInternals.qll

@@ -2,8 +2,11 @@ private import codeql.ssa.Ssa as SsaImplCommon
 private import semmle.code.cpp.ir.IR
 private import DataFlowUtil
 private import DataFlowImplCommon as DataFlowImplCommon
+private import semmle.code.cpp.ir.dataflow.internal.ModelUtil
 private import semmle.code.cpp.models.interfaces.Allocation as Alloc
 private import semmle.code.cpp.models.interfaces.DataFlow as DataFlow
+private import semmle.code.cpp.models.interfaces.FlowOutBarrier as FOB
+private import semmle.code.cpp.models.interfaces.FunctionInputsAndOutputs as FIO
 private import semmle.code.cpp.ir.internal.IRCppLanguage
 private import DataFlowPrivate
 private import ssa0.SsaInternals as SsaInternals0
@@ -784,10 +787,30 @@ private Node getAPriorDefinition(SsaDefOrUse defOrUse) {
   )
 }
 
+/**
+ * Holds if there should not be use-use flow out of `n` (or a conversion that
+ * flows to `n`).
+ */
+private predicate modeledFlowBarrier(Node n) {
+  exists(FIO::FunctionInput input, CallInstruction call |
+    call.getStaticCallTarget().(FOB::FlowOutBarrierFunction).isFlowOutBarrier(input) and
+    n = callInput(call, input)
+  )
+  or
+  exists(Operand operand, Instruction instr, Node n0, int indirectionIndex |
+    modeledFlowBarrier(n0) and
+    nodeHasInstruction(n0, instr, indirectionIndex) and
+    conversionFlow(operand, instr, false, _) and
+    nodeHasOperand(n, operand, indirectionIndex)
+  )
+}
+
 /** Holds if there is def-use or use-use flow from `nodeFrom` to `nodeTo`. */
 predicate ssaFlow(Node nodeFrom, Node nodeTo) {
   exists(Node nFrom, boolean uncertain, SsaDefOrUse defOrUse |
-    ssaFlowImpl(defOrUse, nFrom, nodeTo, uncertain) and nodeFrom != nodeTo
+    ssaFlowImpl(defOrUse, nFrom, nodeTo, uncertain) and
+    not modeledFlowBarrier(nFrom) and
+    nodeFrom != nodeTo
   |
     if uncertain = true then nodeFrom = [nFrom, getAPriorDefinition(defOrUse)] else nodeFrom = nFrom
   )

cpp/ql/lib/semmle/code/cpp/ir/implementation/aliased_ssa/Instruction.qll

@@ -2125,13 +2125,6 @@ class ChiInstruction extends Instruction {
    */
   final Instruction getPartial() { result = this.getPartialOperand().getDef() }
 
-  /**
-   * Gets the bit range `[startBit, endBit)` updated by the partial operand of this `ChiInstruction`, relative to the start address of the total operand.
-   */
-  final predicate getUpdatedInterval(int startBit, int endBit) {
-    Construction::getIntervalUpdatedByChi(this, startBit, endBit)
-  }
-
   /**
    * Holds if the `ChiPartialOperand` totally, but not exactly, overlaps with the `ChiTotalOperand`.
    * This means that the `ChiPartialOperand` will not override the entire memory associated with the

cpp/ql/lib/semmle/code/cpp/ir/implementation/aliased_ssa/internal/SSAConstruction.qll

@@ -233,20 +233,6 @@ private module Cached {
     )
   }
 
-  /**
-   * Holds if the partial operand of this `ChiInstruction` updates the bit range
-   * `[startBitOffset, endBitOffset)` of the total operand.
-   */
-  cached
-  predicate getIntervalUpdatedByChi(ChiInstruction chi, int startBitOffset, int endBitOffset) {
-    exists(Alias::MemoryLocation location, OldInstruction oldInstruction |
-      oldInstruction = getOldInstruction(chi.getPartial()) and
-      location = Alias::getResultMemoryLocation(oldInstruction) and
-      startBitOffset = Alias::getStartBitOffset(location) and
-      endBitOffset = Alias::getEndBitOffset(location)
-    )
-  }
-
   /**
    * Holds if `operand` totally overlaps with its definition and consumes the bit range
    * `[startBitOffset, endBitOffset)`.

cpp/ql/lib/semmle/code/cpp/ir/implementation/raw/Instruction.qll

@@ -2125,13 +2125,6 @@ class ChiInstruction extends Instruction {
    */
   final Instruction getPartial() { result = this.getPartialOperand().getDef() }
 
-  /**
-   * Gets the bit range `[startBit, endBit)` updated by the partial operand of this `ChiInstruction`, relative to the start address of the total operand.
-   */
-  final predicate getUpdatedInterval(int startBit, int endBit) {
-    Construction::getIntervalUpdatedByChi(this, startBit, endBit)
-  }
-
   /**
    * Holds if the `ChiPartialOperand` totally, but not exactly, overlaps with the `ChiTotalOperand`.
    * This means that the `ChiPartialOperand` will not override the entire memory associated with the

cpp/ql/lib/semmle/code/cpp/ir/implementation/raw/internal/IRConstruction.qll

@@ -202,12 +202,6 @@ Instruction getMemoryOperandDefinition(
   none()
 }
 
-/**
- * Holds if the partial operand of this `ChiInstruction` updates the bit range
- * `[startBitOffset, endBitOffset)` of the total operand.
- */
-predicate getIntervalUpdatedByChi(ChiInstruction chi, int startBit, int endBit) { none() }
-
 /**
  * Holds if the operand totally overlaps with its definition and consumes the
  * bit range `[startBitOffset, endBitOffset)`.

cpp/ql/lib/semmle/code/cpp/ir/implementation/raw/internal/TranslatedExpr.qll

@@ -3173,7 +3173,7 @@ class TranslatedConditionDeclExpr extends TranslatedNonConstantExpr {
   private TranslatedConditionDecl getDecl() { result = getTranslatedConditionDecl(expr) }
 
   private TranslatedExpr getConditionExpr() {
-    result = getTranslatedExpr(expr.getVariableAccess().getFullyConverted())
+    result = getTranslatedExpr(expr.getExpr().getFullyConverted())
   }
 }
 

cpp/ql/lib/semmle/code/cpp/ir/implementation/unaliased_ssa/Instruction.qll

@@ -2125,13 +2125,6 @@ class ChiInstruction extends Instruction {
    */
   final Instruction getPartial() { result = this.getPartialOperand().getDef() }
 
-  /**
-   * Gets the bit range `[startBit, endBit)` updated by the partial operand of this `ChiInstruction`, relative to the start address of the total operand.
-   */
-  final predicate getUpdatedInterval(int startBit, int endBit) {
-    Construction::getIntervalUpdatedByChi(this, startBit, endBit)
-  }
-
   /**
    * Holds if the `ChiPartialOperand` totally, but not exactly, overlaps with the `ChiTotalOperand`.
    * This means that the `ChiPartialOperand` will not override the entire memory associated with the

cpp/ql/lib/semmle/code/cpp/ir/implementation/unaliased_ssa/internal/SSAConstruction.qll

@@ -233,20 +233,6 @@ private module Cached {
     )
   }
 
-  /**
-   * Holds if the partial operand of this `ChiInstruction` updates the bit range
-   * `[startBitOffset, endBitOffset)` of the total operand.
-   */
-  cached
-  predicate getIntervalUpdatedByChi(ChiInstruction chi, int startBitOffset, int endBitOffset) {
-    exists(Alias::MemoryLocation location, OldInstruction oldInstruction |
-      oldInstruction = getOldInstruction(chi.getPartial()) and
-      location = Alias::getResultMemoryLocation(oldInstruction) and
-      startBitOffset = Alias::getStartBitOffset(location) and
-      endBitOffset = Alias::getEndBitOffset(location)
-    )
-  }
-
   /**
    * Holds if `operand` totally overlaps with its definition and consumes the bit range
    * `[startBitOffset, endBitOffset)`.

cpp/ql/lib/semmle/code/cpp/models/implementations/Swap.qll

@@ -1,6 +1,7 @@
 import semmle.code.cpp.models.interfaces.DataFlow
 import semmle.code.cpp.models.interfaces.Taint
 import semmle.code.cpp.models.interfaces.Alias
+import semmle.code.cpp.models.interfaces.FlowOutBarrier
 
 /**
  * The standard function `swap`. A use of `swap` looks like this:
@@ -8,7 +9,7 @@ import semmle.code.cpp.models.interfaces.Alias
  * std::swap(obj1, obj2)
  * ```
  */
-private class Swap extends DataFlowFunction {
+private class Swap extends DataFlowFunction, FlowOutBarrierFunction {
   Swap() { this.hasQualifiedName(["std", "bsl"], "swap") }
 
   override predicate hasDataFlow(FunctionInput input, FunctionOutput output) {
@@ -18,6 +19,8 @@ private class Swap extends DataFlowFunction {
     input.isParameterDeref(1) and
     output.isParameterDeref(0)
   }
+
+  override predicate isFlowOutBarrier(FunctionInput input) { input.isParameterDeref([0, 1]) }
 }
 
 /**
@@ -26,7 +29,9 @@ private class Swap extends DataFlowFunction {
  * obj1.swap(obj2)
  * ```
  */
-private class MemberSwap extends TaintFunction, MemberFunction, AliasFunction {
+private class MemberSwap extends TaintFunction, MemberFunction, AliasFunction,
+  FlowOutBarrierFunction
+{
   MemberSwap() {
     this.hasName("swap") and
     this.getNumberOfParameters() = 1 and
@@ -47,4 +52,8 @@ private class MemberSwap extends TaintFunction, MemberFunction, AliasFunction {
   override predicate parameterEscapesOnlyViaReturn(int index) { index = 0 }
 
   override predicate parameterIsAlwaysReturned(int index) { index = 0 }
+
+  override predicate isFlowOutBarrier(FunctionInput input) {
+    input.isQualifierObject() or input.isParameterDeref(0)
+  }
 }

cpp/ql/lib/semmle/code/cpp/models/interfaces/FlowOutBarrier.qll

@@ -0,0 +1,26 @@
+/**
+ * Provides an abstract class for blocking flow out of functions. To use this
+ * QL library, create a QL class extending `FlowOutBarrierFunction` with a
+ * characteristic predicate that selects the function or set of functions you
+ * are modeling. Within that class, override the predicates provided by
+ * `FlowOutBarrierFunction` to match the flow within that function.
+ */
+
+import semmle.code.cpp.Function
+import FunctionInputsAndOutputs
+
+/**
+ * A library function for which flow should not continue after reaching one
+ * of its inputs.
+ *
+ * For example, since `std::swap(a, b)` swaps the values pointed to by `a`
+ * and `b` there should not be use-use flow out of `a` or `b`.
+ */
+abstract class FlowOutBarrierFunction extends Function {
+  /**
+   * Holds if use-use flow should not continue onwards after reaching
+   * the argument, qualifier, or buffer represented by `input`.
+   */
+  pragma[nomagic]
+  abstract predicate isFlowOutBarrier(FunctionInput input);
+}

cpp/ql/test/library-tests/dataflow/taint-tests/map.cpp

@@ -71,11 +71,11 @@ void test_pair()
 	sink(i.second); // $ MISSING: ast,ir
 	sink(i); // $ ast,ir
 	sink(j.first);
-	sink(j.second); // $ SPURIOUS: ast,ir
-	sink(j); // $ SPURIOUS: ast,ir
+	sink(j.second); // $ SPURIOUS: ast
+	sink(j); // $ SPURIOUS: ast
 	sink(k.first);
-	sink(k.second); // $ SPURIOUS: ast,ir
-	sink(k); // $ SPURIOUS: ast,ir
+	sink(k.second); // $ SPURIOUS: ast
+	sink(k); // $ SPURIOUS: ast
 	sink(l.first);
 	sink(l.second); // $ MISSING: ast,ir
 	sink(l); // $ ast,ir
@@ -196,10 +196,10 @@ void test_map()
 	sink(m18); // $ ast,ir
 	m15.swap(m16);
 	m17.swap(m18);
-	sink(m15); // $ SPURIOUS: ast,ir
+	sink(m15); // $ SPURIOUS: ast
 	sink(m16); // $ ast,ir
 	sink(m17); // $ ast,ir
-	sink(m18); // $ SPURIOUS: ast,ir
+	sink(m18); // $ SPURIOUS: ast
 
 	// merge
 	std::map<char *, char *> m19, m20, m21, m22;
@@ -345,10 +345,10 @@ void test_unordered_map()
 	sink(m18); // $ ast,ir
 	m15.swap(m16);
 	m17.swap(m18);
-	sink(m15); // $ SPURIOUS: ast,ir
+	sink(m15); // $ SPURIOUS: ast
 	sink(m16); // $ ast,ir
 	sink(m17); // $ ast,ir
-	sink(m18); // $ SPURIOUS: ast,ir
+	sink(m18); // $ SPURIOUS: ast
 
 	// merge
 	std::unordered_map<char *, char *> m19, m20, m21, m22;

cpp/ql/test/library-tests/dataflow/taint-tests/set.cpp

@@ -81,10 +81,10 @@ void test_set()
 	sink(s15); // $ ast,ir
 	s12.swap(s13);
 	s14.swap(s15);
-	sink(s12); // $ SPURIOUS: ast,ir
+	sink(s12); // $ SPURIOUS: ast
 	sink(s13); // $ ast,ir
 	sink(s14); // $ ast,ir
-	sink(s15); // $ SPURIOUS: ast,ir
+	sink(s15); // $ SPURIOUS: ast
 
 	// merge
 	std::set<char *> s16, s17, s18, s19;
@@ -193,10 +193,10 @@ void test_unordered_set()
 	sink(s15); // $ ast,ir
 	s12.swap(s13);
 	s14.swap(s15);
-	sink(s12); // $ SPURIOUS: ast,ir
+	sink(s12); // $ SPURIOUS: ast
 	sink(s13); // $ ast,ir
 	sink(s14); // $ ast,ir
-	sink(s15); // $ SPURIOUS: ast,ir
+	sink(s15); // $ SPURIOUS: ast
 
 	// merge
 	std::unordered_set<char *> s16, s17, s18, s19;

cpp/ql/test/library-tests/dataflow/taint-tests/string.cpp

@@ -280,9 +280,9 @@ void test_string_swap() {
 	s4.swap(s3);
 
 	sink(s1); // $ ast,ir
-	sink(s2); // $ SPURIOUS: ast,ir
+	sink(s2); // $ SPURIOUS: ast
 	sink(s3); // $ ast,ir
-	sink(s4); // $ SPURIOUS: ast,ir
+	sink(s4); // $ SPURIOUS: ast
 }
 
 void test_string_clear() {

cpp/ql/test/library-tests/dataflow/taint-tests/stringstream.cpp

@@ -118,9 +118,9 @@ void test_stringstream_swap()
 	ss4.swap(ss3);
 
 	sink(ss1); // $ ast,ir
-	sink(ss2); // $ SPURIOUS: ast,ir
+	sink(ss2); // $ SPURIOUS: ast
 	sink(ss3); // $ ast,ir
-	sink(ss4); // $ SPURIOUS: ast,ir
+	sink(ss4); // $ SPURIOUS: ast
 }
 
 void test_stringstream_in()

cpp/ql/test/library-tests/dataflow/taint-tests/taint.cpp

@@ -212,7 +212,7 @@ void test_swap() {
 
 	std::swap(x, y);
 
-	sink(x); // $ SPURIOUS: ast,ir
+	sink(x); // $ SPURIOUS: ast
 	sink(y); // $ ast,ir
 }
 

cpp/ql/test/library-tests/dataflow/taint-tests/vector.cpp

@@ -114,10 +114,10 @@ void test_vector_swap() {
 	v1.swap(v2);
 	v3.swap(v4);
 
-	sink(v1); // $ SPURIOUS: ast,ir
+	sink(v1); // $ SPURIOUS: ast
 	sink(v2); // $ ast,ir
 	sink(v3); // $ ast,ir
-	sink(v4); // $ SPURIOUS: ast,ir
+	sink(v4); // $ SPURIOUS: ast
 }
 
 void test_vector_clear() {

cpp/ql/test/library-tests/ir/ir/PrintAST.expected

@@ -16132,6 +16132,31 @@ ir.cpp:
 # 2112|       getExpr(): [VariableAccess] end
 # 2112|           Type = [CharPointerType] char *
 # 2112|           ValueCategory = prvalue(load)
+# 2115| [CopyAssignmentOperator] HasOperatorBool& HasOperatorBool::operator=(HasOperatorBool const&)
+# 2115|   <params>: 
+#-----|     getParameter(0): [Parameter] (unnamed parameter 0)
+#-----|         Type = [LValueReferenceType] const HasOperatorBool &
+# 2115| [MoveAssignmentOperator] HasOperatorBool& HasOperatorBool::operator=(HasOperatorBool&&)
+# 2115|   <params>: 
+#-----|     getParameter(0): [Parameter] (unnamed parameter 0)
+#-----|         Type = [RValueReferenceType] HasOperatorBool &&
+# 2116| [ConversionOperator] bool HasOperatorBool::operator bool()
+# 2116|   <params>: 
+# 2119| [TopLevelFunction] void call_as_child_of_ConditionDeclExpr()
+# 2119|   <params>: 
+# 2119|   getEntryPoint(): [BlockStmt] { ... }
+# 2120|     getStmt(0): [IfStmt] if (...) ... 
+# 2120|       getCondition(): [ConditionDeclExpr] (condition decl)
+# 2120|           Type = [BoolType] bool
+# 2120|           ValueCategory = prvalue
+# 2120|         getChild(0): [FunctionCall] call to operator bool
+# 2120|             Type = [BoolType] bool
+# 2120|             ValueCategory = prvalue
+# 2120|           getQualifier(): [VariableAccess] b
+# 2120|               Type = [Struct] HasOperatorBool
+# 2120|               ValueCategory = prvalue(load)
+# 2120|       getThen(): [BlockStmt] { ... }
+# 2121|     getStmt(1): [ReturnStmt] return ...
 perf-regression.cpp:
 #    4| [CopyAssignmentOperator] Big& Big::operator=(Big const&)
 #    4|   <params>: 

cpp/ql/test/library-tests/ir/ir/aliased_ir.expected

@@ -12441,6 +12441,38 @@ ir.cpp:
 # 2109|     v2109_12(void)          = AliasedUse                     : m2109_3
 # 2109|     v2109_13(void)          = ExitFunction                   : 
 
+# 2119| void call_as_child_of_ConditionDeclExpr()
+# 2119|   Block 0
+# 2119|     v2119_1(void)                   = EnterFunction                   : 
+# 2119|     m2119_2(unknown)                = AliasedDefinition               : 
+# 2119|     m2119_3(unknown)                = InitializeNonLocal              : 
+# 2119|     m2119_4(unknown)                = Chi                             : total:m2119_2, partial:m2119_3
+# 2120|     r2120_1(glval<HasOperatorBool>) = VariableAddress[b]              : 
+# 2120|     r2120_2(HasOperatorBool)        = Constant[0]                     : 
+# 2120|     m2120_3(HasOperatorBool)        = Store[b]                        : &:r2120_1, r2120_2
+# 2120|     r2120_4(glval<HasOperatorBool>) = VariableAddress[b]              : 
+# 2120|     r2120_5(glval<unknown>)         = FunctionAddress[operator bool]  : 
+# 2120|     r2120_6(bool)                   = Call[operator bool]             : func:r2120_5, this:r2120_4
+# 2120|     m2120_7(unknown)                = ^CallSideEffect                 : ~m2119_4
+# 2120|     m2120_8(unknown)                = Chi                             : total:m2119_4, partial:m2120_7
+# 2120|     v2120_9(void)                   = ^IndirectReadSideEffect[-1]     : &:r2120_4, m2120_3
+# 2120|     m2120_10(HasOperatorBool)       = ^IndirectMayWriteSideEffect[-1] : &:r2120_4
+# 2120|     m2120_11(HasOperatorBool)       = Chi                             : total:m2120_3, partial:m2120_10
+# 2120|     r2120_12(bool)                  = CopyValue                       : r2120_6
+# 2120|     v2120_13(void)                  = ConditionalBranch               : r2120_12
+#-----|   False -> Block 2
+#-----|   True -> Block 1
+
+# 2120|   Block 1
+# 2120|     v2120_14(void) = NoOp : 
+#-----|   Goto -> Block 2
+
+# 2121|   Block 2
+# 2121|     v2121_1(void) = NoOp         : 
+# 2119|     v2119_5(void) = ReturnVoid   : 
+# 2119|     v2119_6(void) = AliasedUse   : ~m2120_8
+# 2119|     v2119_7(void) = ExitFunction : 
+
 perf-regression.cpp:
 #    6| void Big::Big()
 #    6|   Block 0

cpp/ql/test/library-tests/ir/ir/aliased_ssa_consistency.expected

@@ -12,7 +12,11 @@ unnecessaryPhiInstruction
 memoryOperandDefinitionIsUnmodeled
 operandAcrossFunctions
 instructionWithoutUniqueBlock
+missingCanonicalLanguageType
+multipleCanonicalLanguageTypes
 containsLoopOfForwardEdges
+missingIRType
+multipleIRTypes
 lostReachability
 backEdgeCountMismatch
 useNotDominatedByDefinition
@@ -24,8 +28,4 @@ nonUniqueEnclosingIRFunction
 fieldAddressOnNonPointer
 thisArgumentIsNonPointer
 nonUniqueIRVariable
-missingCanonicalLanguageType
-multipleCanonicalLanguageTypes
-missingIRType
-multipleIRTypes
 missingCppType

cpp/ql/test/library-tests/ir/ir/aliased_ssa_consistency_unsound.expected

@@ -12,7 +12,11 @@ unnecessaryPhiInstruction
 memoryOperandDefinitionIsUnmodeled
 operandAcrossFunctions
 instructionWithoutUniqueBlock
+missingCanonicalLanguageType
+multipleCanonicalLanguageTypes
 containsLoopOfForwardEdges
+missingIRType
+multipleIRTypes
 lostReachability
 backEdgeCountMismatch
 useNotDominatedByDefinition
@@ -24,8 +28,4 @@ nonUniqueEnclosingIRFunction
 fieldAddressOnNonPointer
 thisArgumentIsNonPointer
 nonUniqueIRVariable
-missingCanonicalLanguageType
-multipleCanonicalLanguageTypes
-missingIRType
-multipleIRTypes
 missingCppType

cpp/ql/test/library-tests/ir/ir/ir.cpp

@@ -2112,4 +2112,12 @@ char* test_strtod(char *s) {
   return end;
 }
 
+struct HasOperatorBool {
+    operator bool();
+};
+
+void call_as_child_of_ConditionDeclExpr() {
+  if(HasOperatorBool b = HasOperatorBool()) {}
+}
+
 // semmle-extractor-options: -std=c++17 --clang

cpp/ql/test/library-tests/ir/ir/operand_locations.expected

@@ -10070,6 +10070,23 @@
 | ir.cpp:2112:10:2112:12 | Address | &:r2112_2 |
 | ir.cpp:2112:10:2112:12 | Load | m2111_11 |
 | ir.cpp:2112:10:2112:12 | StoreValue | r2112_3 |
+| ir.cpp:2119:6:2119:39 | ChiPartial | partial:m2119_3 |
+| ir.cpp:2119:6:2119:39 | ChiTotal | total:m2119_2 |
+| ir.cpp:2119:6:2119:39 | SideEffect | ~m2120_8 |
+| ir.cpp:2120:6:2120:42 | Address | &:r2120_1 |
+| ir.cpp:2120:6:2120:42 | Condition | r2120_12 |
+| ir.cpp:2120:22:2120:22 | Address | &:r2120_4 |
+| ir.cpp:2120:22:2120:22 | Address | &:r2120_4 |
+| ir.cpp:2120:22:2120:22 | Arg(this) | this:r2120_4 |
+| ir.cpp:2120:22:2120:22 | CallTarget | func:r2120_5 |
+| ir.cpp:2120:22:2120:22 | ChiPartial | partial:m2120_7 |
+| ir.cpp:2120:22:2120:22 | ChiPartial | partial:m2120_10 |
+| ir.cpp:2120:22:2120:22 | ChiTotal | total:m2119_4 |
+| ir.cpp:2120:22:2120:22 | ChiTotal | total:m2120_3 |
+| ir.cpp:2120:22:2120:22 | SideEffect | m2120_3 |
+| ir.cpp:2120:22:2120:22 | SideEffect | ~m2119_4 |
+| ir.cpp:2120:22:2120:22 | Unary | r2120_6 |
+| ir.cpp:2120:25:2120:42 | StoreValue | r2120_2 |
 | perf-regression.cpp:6:3:6:5 | Address | &:r6_5 |
 | perf-regression.cpp:6:3:6:5 | Address | &:r6_5 |
 | perf-regression.cpp:6:3:6:5 | Address | &:r6_7 |

cpp/ql/test/library-tests/ir/ir/raw_ir.expected

@@ -11647,6 +11647,35 @@ ir.cpp:
 # 2109|     v2109_11(void)          = AliasedUse                     : ~m?
 # 2109|     v2109_12(void)          = ExitFunction                   : 
 
+# 2119| void call_as_child_of_ConditionDeclExpr()
+# 2119|   Block 0
+# 2119|     v2119_1(void)                   = EnterFunction                   : 
+# 2119|     mu2119_2(unknown)               = AliasedDefinition               : 
+# 2119|     mu2119_3(unknown)               = InitializeNonLocal              : 
+# 2120|     r2120_1(glval<HasOperatorBool>) = VariableAddress[b]              : 
+# 2120|     r2120_2(HasOperatorBool)        = Constant[0]                     : 
+# 2120|     mu2120_3(HasOperatorBool)       = Store[b]                        : &:r2120_1, r2120_2
+# 2120|     r2120_4(glval<HasOperatorBool>) = VariableAddress[b]              : 
+# 2120|     r2120_5(glval<unknown>)         = FunctionAddress[operator bool]  : 
+# 2120|     r2120_6(bool)                   = Call[operator bool]             : func:r2120_5, this:r2120_4
+# 2120|     mu2120_7(unknown)               = ^CallSideEffect                 : ~m?
+# 2120|     v2120_8(void)                   = ^IndirectReadSideEffect[-1]     : &:r2120_4, ~m?
+# 2120|     mu2120_9(HasOperatorBool)       = ^IndirectMayWriteSideEffect[-1] : &:r2120_4
+# 2120|     r2120_10(bool)                  = CopyValue                       : r2120_6
+# 2120|     v2120_11(void)                  = ConditionalBranch               : r2120_10
+#-----|   False -> Block 2
+#-----|   True -> Block 1
+
+# 2120|   Block 1
+# 2120|     v2120_12(void) = NoOp : 
+#-----|   Goto -> Block 2
+
+# 2121|   Block 2
+# 2121|     v2121_1(void) = NoOp         : 
+# 2119|     v2119_4(void) = ReturnVoid   : 
+# 2119|     v2119_5(void) = AliasedUse   : ~m?
+# 2119|     v2119_6(void) = ExitFunction : 
+
 perf-regression.cpp:
 #    6| void Big::Big()
 #    6|   Block 0

cpp/ql/test/library-tests/ir/ir/unaliased_ssa_consistency.expected

@@ -12,7 +12,11 @@ unnecessaryPhiInstruction
 memoryOperandDefinitionIsUnmodeled
 operandAcrossFunctions
 instructionWithoutUniqueBlock
+missingCanonicalLanguageType
+multipleCanonicalLanguageTypes
 containsLoopOfForwardEdges
+missingIRType
+multipleIRTypes
 lostReachability
 backEdgeCountMismatch
 useNotDominatedByDefinition
@@ -24,8 +28,4 @@ nonUniqueEnclosingIRFunction
 fieldAddressOnNonPointer
 thisArgumentIsNonPointer
 nonUniqueIRVariable
-missingCanonicalLanguageType
-multipleCanonicalLanguageTypes
-missingIRType
-multipleIRTypes
 missingCppType

cpp/ql/test/library-tests/ir/ir/unaliased_ssa_consistency_unsound.expected

@@ -12,7 +12,11 @@ unnecessaryPhiInstruction
 memoryOperandDefinitionIsUnmodeled
 operandAcrossFunctions
 instructionWithoutUniqueBlock
+missingCanonicalLanguageType
+multipleCanonicalLanguageTypes
 containsLoopOfForwardEdges
+missingIRType
+multipleIRTypes
 lostReachability
 backEdgeCountMismatch
 useNotDominatedByDefinition
@@ -24,8 +28,4 @@ nonUniqueEnclosingIRFunction
 fieldAddressOnNonPointer
 thisArgumentIsNonPointer
 nonUniqueIRVariable
-missingCanonicalLanguageType
-multipleCanonicalLanguageTypes
-missingIRType
-multipleIRTypes
 missingCppType

cpp/ql/test/library-tests/syntax-zoo/aliased_ssa_consistency.expected

@@ -8,10 +8,6 @@ duplicateChiOperand
 sideEffectWithoutPrimary
 instructionWithoutSuccessor
 | VacuousDestructorCall.cpp:2:29:2:29 | InitializeIndirection: y | Instruction 'InitializeIndirection: y' has no successors in function '$@'. | VacuousDestructorCall.cpp:2:6:2:6 | void CallDestructor<int>(int, int*) | void CallDestructor<int>(int, int*) |
-| condition_decls.cpp:16:19:16:20 | Chi: call to BoxedInt | Instruction 'Chi: call to BoxedInt' has no successors in function '$@'. | condition_decls.cpp:15:6:15:17 | void if_decl_bind(int) | void if_decl_bind(int) |
-| condition_decls.cpp:26:23:26:24 | Chi: call to BoxedInt | Instruction 'Chi: call to BoxedInt' has no successors in function '$@'. | condition_decls.cpp:25:6:25:21 | void switch_decl_bind(int) | void switch_decl_bind(int) |
-| condition_decls.cpp:41:22:41:23 | Chi: call to BoxedInt | Instruction 'Chi: call to BoxedInt' has no successors in function '$@'. | condition_decls.cpp:40:6:40:20 | void while_decl_bind(int) | void while_decl_bind(int) |
-| condition_decls.cpp:48:52:48:53 | Chi: call to BoxedInt | Instruction 'Chi: call to BoxedInt' has no successors in function '$@'. | condition_decls.cpp:47:6:47:18 | void for_decl_bind(int) | void for_decl_bind(int) |
 | ms_try_mix.cpp:35:13:35:19 | ThrowValue: throw ... | Instruction 'ThrowValue: throw ...' has no successors in function '$@'. | ms_try_mix.cpp:29:6:29:19 | void ms_finally_mix(int) | void ms_finally_mix(int) |
 | ms_try_mix.cpp:53:5:53:11 | ThrowValue: throw ... | Instruction 'ThrowValue: throw ...' has no successors in function '$@'. | ms_try_mix.cpp:49:6:49:28 | void ms_empty_finally_at_end() | void ms_empty_finally_at_end() |
 | stmt_expr.cpp:27:5:27:15 | Store: ... = ... | Instruction 'Store: ... = ...' has no successors in function '$@'. | stmt_expr.cpp:21:13:21:13 | void stmtexpr::g(int) | void stmtexpr::g(int) |
@@ -21,7 +17,11 @@ unnecessaryPhiInstruction
 memoryOperandDefinitionIsUnmodeled
 operandAcrossFunctions
 instructionWithoutUniqueBlock
+missingCanonicalLanguageType
+multipleCanonicalLanguageTypes
 containsLoopOfForwardEdges
+missingIRType
+multipleIRTypes
 lostReachability
 backEdgeCountMismatch
 useNotDominatedByDefinition
@@ -36,8 +36,4 @@ thisArgumentIsNonPointer
 | pointer_to_member.cpp:23:5:23:54 | Call: call to expression | Call instruction 'Call: call to expression' has a `this` argument operand that is not an address, in function '$@'. | pointer_to_member.cpp:14:5:14:9 | int usePM(int PM::*) | int usePM(int PM::*) |
 | pointer_to_member.cpp:24:5:24:49 | Call: call to expression | Call instruction 'Call: call to expression' has a `this` argument operand that is not an address, in function '$@'. | pointer_to_member.cpp:14:5:14:9 | int usePM(int PM::*) | int usePM(int PM::*) |
 nonUniqueIRVariable
-missingCanonicalLanguageType
-multipleCanonicalLanguageTypes
-missingIRType
-multipleIRTypes
 missingCppType

cpp/ql/test/library-tests/syntax-zoo/raw_consistency.expected

@@ -1,8 +1,4 @@
 missingOperand
-| condition_decls.cpp:16:6:16:20 | CopyValue: (condition decl) | Instruction 'CopyValue' is missing an expected operand with tag 'Unary' in function '$@'. | condition_decls.cpp:15:6:15:17 | void if_decl_bind(int) | void if_decl_bind(int) |
-| condition_decls.cpp:26:10:26:24 | CopyValue: (condition decl) | Instruction 'CopyValue' is missing an expected operand with tag 'Unary' in function '$@'. | condition_decls.cpp:25:6:25:21 | void switch_decl_bind(int) | void switch_decl_bind(int) |
-| condition_decls.cpp:41:9:41:23 | CopyValue: (condition decl) | Instruction 'CopyValue' is missing an expected operand with tag 'Unary' in function '$@'. | condition_decls.cpp:40:6:40:20 | void while_decl_bind(int) | void while_decl_bind(int) |
-| condition_decls.cpp:48:39:48:53 | CopyValue: (condition decl) | Instruction 'CopyValue' is missing an expected operand with tag 'Unary' in function '$@'. | condition_decls.cpp:47:6:47:18 | void for_decl_bind(int) | void for_decl_bind(int) |
 | misc.c:125:5:125:11 | CopyValue: (statement expression) | Instruction 'CopyValue' is missing an expected operand with tag 'Unary' in function '$@'. | misc.c:97:6:97:10 | void misc3() | void misc3() |
 | try_catch.cpp:23:5:23:18 | CopyValue: (statement expression) | Instruction 'CopyValue' is missing an expected operand with tag 'Unary' in function '$@'. | try_catch.cpp:19:6:19:23 | void throw_from_nonstmt(int) | void throw_from_nonstmt(int) |
 unexpectedOperand
@@ -15,14 +11,6 @@ instructionWithoutSuccessor
 | VacuousDestructorCall.cpp:2:29:2:29 | InitializeIndirection: y | Instruction 'InitializeIndirection: y' has no successors in function '$@'. | VacuousDestructorCall.cpp:2:6:2:6 | void CallDestructor<int>(int, int*) | void CallDestructor<int>(int, int*) |
 | VacuousDestructorCall.cpp:3:3:3:3 | VariableAddress: x | Instruction 'VariableAddress: x' has no successors in function '$@'. | VacuousDestructorCall.cpp:2:6:2:6 | void CallDestructor<int>(int, int*) | void CallDestructor<int>(int, int*) |
 | VacuousDestructorCall.cpp:4:3:4:3 | Load: y | Instruction 'Load: y' has no successors in function '$@'. | VacuousDestructorCall.cpp:2:6:2:6 | void CallDestructor<int>(int, int*) | void CallDestructor<int>(int, int*) |
-| condition_decls.cpp:16:19:16:20 | IndirectMayWriteSideEffect: call to BoxedInt | Instruction 'IndirectMayWriteSideEffect: call to BoxedInt' has no successors in function '$@'. | condition_decls.cpp:15:6:15:17 | void if_decl_bind(int) | void if_decl_bind(int) |
-| condition_decls.cpp:26:19:26:20 | IndirectMayWriteSideEffect: bi | Instruction 'IndirectMayWriteSideEffect: bi' has no successors in function '$@'. | condition_decls.cpp:25:6:25:21 | void switch_decl_bind(int) | void switch_decl_bind(int) |
-| condition_decls.cpp:26:23:26:24 | IndirectMayWriteSideEffect: call to BoxedInt | Instruction 'IndirectMayWriteSideEffect: call to BoxedInt' has no successors in function '$@'. | condition_decls.cpp:25:6:25:21 | void switch_decl_bind(int) | void switch_decl_bind(int) |
-| condition_decls.cpp:41:22:41:23 | IndirectMayWriteSideEffect: call to BoxedInt | Instruction 'IndirectMayWriteSideEffect: call to BoxedInt' has no successors in function '$@'. | condition_decls.cpp:40:6:40:20 | void while_decl_bind(int) | void while_decl_bind(int) |
-| condition_decls.cpp:48:52:48:53 | IndirectMayWriteSideEffect: call to BoxedInt | Instruction 'IndirectMayWriteSideEffect: call to BoxedInt' has no successors in function '$@'. | condition_decls.cpp:47:6:47:18 | void for_decl_bind(int) | void for_decl_bind(int) |
-| file://:0:0:0:0 | CompareNE: (bool)... | Instruction 'CompareNE: (bool)...' has no successors in function '$@'. | condition_decls.cpp:15:6:15:17 | void if_decl_bind(int) | void if_decl_bind(int) |
-| file://:0:0:0:0 | CompareNE: (bool)... | Instruction 'CompareNE: (bool)...' has no successors in function '$@'. | condition_decls.cpp:40:6:40:20 | void while_decl_bind(int) | void while_decl_bind(int) |
-| file://:0:0:0:0 | CompareNE: (bool)... | Instruction 'CompareNE: (bool)...' has no successors in function '$@'. | condition_decls.cpp:47:6:47:18 | void for_decl_bind(int) | void for_decl_bind(int) |
 | ms_try_mix.cpp:35:13:35:19 | ThrowValue: throw ... | Instruction 'ThrowValue: throw ...' has no successors in function '$@'. | ms_try_mix.cpp:29:6:29:19 | void ms_finally_mix(int) | void ms_finally_mix(int) |
 | ms_try_mix.cpp:53:5:53:11 | ThrowValue: throw ... | Instruction 'ThrowValue: throw ...' has no successors in function '$@'. | ms_try_mix.cpp:49:6:49:28 | void ms_empty_finally_at_end() | void ms_empty_finally_at_end() |
 | stmt_expr.cpp:27:5:27:15 | Store: ... = ... | Instruction 'Store: ... = ...' has no successors in function '$@'. | stmt_expr.cpp:21:13:21:13 | void stmtexpr::g(int) | void stmtexpr::g(int) |

cpp/ql/test/library-tests/syntax-zoo/unaliased_ssa_consistency.expected

@@ -8,10 +8,6 @@ duplicateChiOperand
 sideEffectWithoutPrimary
 instructionWithoutSuccessor
 | VacuousDestructorCall.cpp:2:29:2:29 | InitializeIndirection: y | Instruction 'InitializeIndirection: y' has no successors in function '$@'. | VacuousDestructorCall.cpp:2:6:2:6 | void CallDestructor<int>(int, int*) | void CallDestructor<int>(int, int*) |
-| condition_decls.cpp:16:19:16:20 | IndirectMayWriteSideEffect: call to BoxedInt | Instruction 'IndirectMayWriteSideEffect: call to BoxedInt' has no successors in function '$@'. | condition_decls.cpp:15:6:15:17 | void if_decl_bind(int) | void if_decl_bind(int) |
-| condition_decls.cpp:26:23:26:24 | IndirectMayWriteSideEffect: call to BoxedInt | Instruction 'IndirectMayWriteSideEffect: call to BoxedInt' has no successors in function '$@'. | condition_decls.cpp:25:6:25:21 | void switch_decl_bind(int) | void switch_decl_bind(int) |
-| condition_decls.cpp:41:22:41:23 | IndirectMayWriteSideEffect: call to BoxedInt | Instruction 'IndirectMayWriteSideEffect: call to BoxedInt' has no successors in function '$@'. | condition_decls.cpp:40:6:40:20 | void while_decl_bind(int) | void while_decl_bind(int) |
-| condition_decls.cpp:48:52:48:53 | IndirectMayWriteSideEffect: call to BoxedInt | Instruction 'IndirectMayWriteSideEffect: call to BoxedInt' has no successors in function '$@'. | condition_decls.cpp:47:6:47:18 | void for_decl_bind(int) | void for_decl_bind(int) |
 | ms_try_mix.cpp:35:13:35:19 | ThrowValue: throw ... | Instruction 'ThrowValue: throw ...' has no successors in function '$@'. | ms_try_mix.cpp:29:6:29:19 | void ms_finally_mix(int) | void ms_finally_mix(int) |
 | ms_try_mix.cpp:53:5:53:11 | ThrowValue: throw ... | Instruction 'ThrowValue: throw ...' has no successors in function '$@'. | ms_try_mix.cpp:49:6:49:28 | void ms_empty_finally_at_end() | void ms_empty_finally_at_end() |
 | stmt_expr.cpp:27:5:27:15 | Store: ... = ... | Instruction 'Store: ... = ...' has no successors in function '$@'. | stmt_expr.cpp:21:13:21:13 | void stmtexpr::g(int) | void stmtexpr::g(int) |
@@ -21,7 +17,11 @@ unnecessaryPhiInstruction
 memoryOperandDefinitionIsUnmodeled
 operandAcrossFunctions
 instructionWithoutUniqueBlock
+missingCanonicalLanguageType
+multipleCanonicalLanguageTypes
 containsLoopOfForwardEdges
+missingIRType
+multipleIRTypes
 lostReachability
 backEdgeCountMismatch
 useNotDominatedByDefinition
@@ -36,8 +36,4 @@ thisArgumentIsNonPointer
 | pointer_to_member.cpp:23:5:23:54 | Call: call to expression | Call instruction 'Call: call to expression' has a `this` argument operand that is not an address, in function '$@'. | pointer_to_member.cpp:14:5:14:9 | int usePM(int PM::*) | int usePM(int PM::*) |
 | pointer_to_member.cpp:24:5:24:49 | Call: call to expression | Call instruction 'Call: call to expression' has a `this` argument operand that is not an address, in function '$@'. | pointer_to_member.cpp:14:5:14:9 | int usePM(int PM::*) | int usePM(int PM::*) |
 nonUniqueIRVariable
-missingCanonicalLanguageType
-multipleCanonicalLanguageTypes
-missingIRType
-multipleIRTypes
 missingCppType

csharp/codeql-extractor.yml

@@ -6,6 +6,9 @@ version: 1.22.1
 column_kind: "utf16"
 extra_env_vars:
   DOTNET_GENERATE_ASPNET_CERTIFICATE: "false"
+build_modes:
+  - autobuild
+  - manual
 github_api_languages:
   - C#
 scc_languages:

csharp/downgrades/c9ee11bd1ee96e925a35cedff000be924634447f/upgrade.properties

@@ -0,0 +1,3 @@
+description: Remove `compilation_info`.
+compatibility: backwards
+compilation_info.rel: delete

csharp/extractor/Semmle.Extraction.CSharp.DependencyFetching/DependencyManager.cs

@@ -133,6 +133,17 @@ namespace Semmle.Extraction.CSharp.DependencyFetching
             logger.LogInfo($"{conflictedReferences,align} resolved assembly conflicts");
             logger.LogInfo($"{dotnetFrameworkVersionVariantCount,align} restored .NET framework variants");
             logger.LogInfo($"Build analysis completed in {DateTime.Now - startTime}");
+
+            CompilationInfos.AddRange([
+                ("Source files on filesystem", nonGeneratedSources.Count.ToString()),
+                ("Source files generated", generatedSources.Count.ToString()),
+                ("Solution files on filesystem", allSolutions.Count.ToString()),
+                ("Project files on filesystem", allProjects.Count.ToString()),
+                ("Resolved references", usedReferences.Keys.Count.ToString()),
+                ("Unresolved references", unresolvedReferences.Count.ToString()),
+                ("Resolved assembly conflicts", conflictedReferences.ToString()),
+                ("Restored .NET framework variants", dotnetFrameworkVersionVariantCount.ToString()),
+            ]);
         }
 
         private HashSet<string> AddFrameworkDlls(HashSet<string> dllPaths)
@@ -151,7 +162,13 @@ namespace Semmle.Extraction.CSharp.DependencyFetching
             try
             {
                 var nuget = new NugetPackages(sourceDir.FullName, legacyPackageDirectory, logger);
-                nuget.InstallPackages();
+                var count = nuget.InstallPackages();
+
+                if (nuget.PackageCount > 0)
+                {
+                    CompilationInfos.Add(("packages.config files", nuget.PackageCount.ToString()));
+                    CompilationInfos.Add(("Successfully restored packages.config files", count.ToString()));
+                }
 
                 var nugetPackageDlls = legacyPackageDirectory.DirInfo.GetFiles("*.dll", new EnumerationOptions { RecurseSubdirectories = true });
                 var nugetPackageDllPaths = nugetPackageDlls.Select(f => f.FullName).ToHashSet();
@@ -629,6 +646,11 @@ namespace Semmle.Extraction.CSharp.DependencyFetching
         /// </summary>
         public IEnumerable<string> UnresolvedReferences => unresolvedReferences.Select(r => r.Key);
 
+        /// <summary>
+        /// List of `(key, value)` tuples, that are stored in the DB for telemetry purposes.
+        /// </summary>
+        public List<(string, string)> CompilationInfos { get; } = new List<(string, string)>();
+
         /// <summary>
         /// Record that a particular reference couldn't be resolved.
         /// Note that this records at most one project file per missing reference.
@@ -699,15 +721,22 @@ namespace Semmle.Extraction.CSharp.DependencyFetching
         /// <param name="solutions">A list of paths to solution files.</param>
         private IEnumerable<string> RestoreSolutions(IEnumerable<string> solutions, out IEnumerable<string> assets)
         {
+            var successCount = 0;
             var assetFiles = new List<string>();
             var projects = solutions.SelectMany(solution =>
                 {
                     logger.LogInfo($"Restoring solution {solution}...");
                     var res = dotnet.Restore(new(solution, packageDirectory.DirInfo.FullName, ForceDotnetRefAssemblyFetching: true));
+                    if (res.Success)
+                    {
+                        successCount++;
+                    }
                     assetFiles.AddRange(res.AssetsFilePaths);
                     return res.RestoredProjects;
-                });
+                }).ToList();
             assets = assetFiles;
+            CompilationInfos.Add(("Successfully restored solution files", successCount.ToString()));
+            CompilationInfos.Add(("Restored projects through solution files", projects.Count.ToString()));
             return projects;
         }
 
@@ -719,14 +748,24 @@ namespace Semmle.Extraction.CSharp.DependencyFetching
         /// <param name="projects">A list of paths to project files.</param>
         private void RestoreProjects(IEnumerable<string> projects, out IEnumerable<string> assets)
         {
+            var successCount = 0;
             var assetFiles = new List<string>();
+            var sync = new object();
             Parallel.ForEach(projects, new ParallelOptions { MaxDegreeOfParallelism = options.Threads }, project =>
             {
                 logger.LogInfo($"Restoring project {project}...");
                 var res = dotnet.Restore(new(project, packageDirectory.DirInfo.FullName, ForceDotnetRefAssemblyFetching: true));
+                lock (sync)
+                {
+                    if (res.Success)
+                    {
+                        successCount++;
+                    }
                     assetFiles.AddRange(res.AssetsFilePaths);
+                }
             });
             assets = assetFiles;
+            CompilationInfos.Add(("Successfully restored project files", successCount.ToString()));
         }
 
         private void DownloadMissingPackages(List<FileInfo> allFiles, ISet<string> dllPaths)
@@ -767,6 +806,11 @@ namespace Semmle.Extraction.CSharp.DependencyFetching
                 logger.LogInfo($"Using nuget.config file {nugetConfig}.");
             }
 
+            CompilationInfos.Add(("Fallback nuget restore", notYetDownloadedPackages.Count.ToString()));
+
+            var successCount = 0;
+            var sync = new object();
+
             Parallel.ForEach(notYetDownloadedPackages, new ParallelOptions { MaxDegreeOfParallelism = options.Threads }, package =>
             {
                 logger.LogInfo($"Restoring package {package}...");
@@ -797,10 +841,18 @@ namespace Semmle.Extraction.CSharp.DependencyFetching
                     if (!res.Success)
                     {
                         logger.LogInfo($"Failed to restore nuget package {package}");
+                        return;
                     }
                 }
+
+                lock (sync)
+                {
+                    successCount++;
+                }
             });
 
+            CompilationInfos.Add(("Successfully ran fallback nuget restore", successCount.ToString()));
+
             dllPaths.Add(missingPackageDirectory.DirInfo.FullName);
         }
 

csharp/extractor/Semmle.Extraction.CSharp.DependencyFetching/NugetPackages.cs

@@ -22,6 +22,8 @@ namespace Semmle.Extraction.CSharp.DependencyFetching
         /// </summary>
         private readonly FileInfo[] packageFiles;
 
+        public int PackageCount => packageFiles.Length;
+
         /// <summary>
         /// The computed packages directory.
         /// This will be in the Temp location
@@ -105,7 +107,7 @@ namespace Semmle.Extraction.CSharp.DependencyFetching
         /// Restore all files in a specified package.
         /// </summary>
         /// <param name="package">The package file.</param>
-        private void RestoreNugetPackage(string package)
+        private bool TryRestoreNugetPackage(string package)
         {
             logger.LogInfo($"Restoring file {package}...");
 
@@ -141,22 +143,21 @@ namespace Semmle.Extraction.CSharp.DependencyFetching
             if (exitCode != 0)
             {
                 logger.LogError($"Command {pi.FileName} {pi.Arguments} failed with exit code {exitCode}");
+                return false;
             }
             else
             {
                 logger.LogInfo($"Restored file {package}");
+                return true;
             }
         }
 
         /// <summary>
         /// Download the packages to the temp folder.
         /// </summary>
-        public void InstallPackages()
+        public int InstallPackages()
         {
-            foreach (var package in packageFiles)
-            {
-                RestoreNugetPackage(package.FullName);
-            }
+            return packageFiles.Count(package => TryRestoreNugetPackage(package.FullName));
         }
     }
 }

csharp/extractor/Semmle.Extraction.CSharp.Standalone/Extractor.cs

@@ -5,6 +5,7 @@ using System.Diagnostics;
 using System.Linq;
 using Microsoft.CodeAnalysis;
 using Microsoft.CodeAnalysis.CSharp;
+using Semmle.Extraction.CSharp.DependencyFetching;
 using Semmle.Util;
 using Semmle.Util.Logging;
 
@@ -12,7 +13,6 @@ namespace Semmle.Extraction.CSharp.Standalone
 {
     public static class Extractor
     {
-
         private static IEnumerable<Action> GetResolvedReferencesStandalone(IEnumerable<string> referencePaths, BlockingCollection<MetadataReference> references)
         {
             return referencePaths.Select<string, Action>(path => () =>
@@ -24,8 +24,7 @@ namespace Semmle.Extraction.CSharp.Standalone
 
         private static void AnalyseStandalone(
             StandaloneAnalyser analyser,
-            IEnumerable<string> sources,
-            IEnumerable<string> referencePaths,
+            ExtractionInput extractionInput,
             CommonOptions options,
             IProgressMonitor progressMonitor,
             Stopwatch stopwatch)
@@ -35,12 +34,12 @@ namespace Semmle.Extraction.CSharp.Standalone
             try
             {
                 CSharp.Extractor.Analyse(stopwatch, analyser, options,
-                    references => GetResolvedReferencesStandalone(referencePaths, references),
-                    (analyser, syntaxTrees) => CSharp.Extractor.ReadSyntaxTrees(sources, analyser, null, null, syntaxTrees),
+                    references => GetResolvedReferencesStandalone(extractionInput.References, references),
+                    (analyser, syntaxTrees) => CSharp.Extractor.ReadSyntaxTrees(extractionInput.Sources, analyser, null, null, syntaxTrees),
                     (syntaxTrees, references) => CSharpCompilation.Create(
                         output.Name, syntaxTrees, references, new CSharpCompilationOptions(OutputKind.ConsoleApplication, allowUnsafe: true)
                         ),
-                    (compilation, options) => analyser.Initialize(output.FullName, compilation, options),
+                    (compilation, options) => analyser.Initialize(output.FullName, extractionInput.CompilationInfos, compilation, options),
                     _ => { },
                     () =>
                     {
@@ -73,8 +72,7 @@ namespace Semmle.Extraction.CSharp.Standalone
         }
 
         private static void ExtractStandalone(
-            IEnumerable<string> sources,
-            IEnumerable<string> referencePaths,
+            ExtractionInput extractionInput,
             IProgressMonitor pm,
             ILogger logger,
             CommonOptions options)
@@ -88,7 +86,7 @@ namespace Semmle.Extraction.CSharp.Standalone
             using var analyser = new StandaloneAnalyser(pm, logger, false, pathTransformer);
             try
             {
-                AnalyseStandalone(analyser, sources, referencePaths, options, pm, stopwatch);
+                AnalyseStandalone(analyser, extractionInput, options, pm, stopwatch);
             }
             catch (Exception ex)  // lgtm[cs/catch-of-all-exceptions]
             {
@@ -131,6 +129,8 @@ namespace Semmle.Extraction.CSharp.Standalone
             }
         }
 
+        public record ExtractionInput(IEnumerable<string> Sources, IEnumerable<string> References, IEnumerable<(string, string)> CompilationInfos);
+
         public static ExitCode Run(Options options)
         {
             var stopwatch = new Stopwatch();
@@ -138,10 +138,9 @@ namespace Semmle.Extraction.CSharp.Standalone
 
             using var logger = new ConsoleLogger(options.Verbosity, logThreadId: true);
             logger.Log(Severity.Info, "Extracting C# in buildless mode");
-            using var a = new Analysis(logger, options);
-            var sourceFileCount = a.Extraction.Sources.Count;
+            using var dependencyManager = new DependencyManager(options.SrcDir, options.Dependencies, logger);
 
-            if (sourceFileCount == 0)
+            if (!dependencyManager.AllSourceFiles.Any())
             {
                 logger.Log(Severity.Error, "No source files found");
                 return ExitCode.Errors;
@@ -152,8 +151,7 @@ namespace Semmle.Extraction.CSharp.Standalone
             logger.Log(Severity.Info, "");
             logger.Log(Severity.Info, "Extracting...");
             ExtractStandalone(
-                a.Extraction.Sources,
-                a.References,
+                new ExtractionInput(dependencyManager.AllSourceFiles, dependencyManager.ReferenceFiles, dependencyManager.CompilationInfos),
                 new ExtractionProgress(logger),
                 fileLogger,
                 options);

csharp/extractor/Semmle.Extraction.CSharp.Standalone/Program.cs

@@ -5,48 +5,6 @@ using Semmle.Extraction.CSharp.DependencyFetching;
 
 namespace Semmle.Extraction.CSharp.Standalone
 {
-    /// <summary>
-    ///     One independent run of the extractor.
-    /// </summary>
-    internal class Extraction
-    {
-        public Extraction(string directory)
-        {
-            Directory = directory;
-        }
-
-        public string Directory { get; }
-        public List<string> Sources { get; } = new List<string>();
-    };
-
-    /// <summary>
-    ///     Searches for source/references and creates separate extractions.
-    /// </summary>
-    internal sealed class Analysis : IDisposable
-    {
-        public Analysis(ILogger logger, Options options)
-        {
-            dependencyManager = new DependencyManager(options.SrcDir, options.Dependencies, logger);
-            References = dependencyManager.ReferenceFiles;
-            Extraction = new Extraction(options.SrcDir);
-            Extraction.Sources.AddRange(dependencyManager.AllSourceFiles);
-        }
-
-        public IEnumerable<string> References { get; }
-
-        /// <summary>
-        /// The extraction configuration.
-        /// </summary>
-        public Extraction Extraction { get; }
-
-        private readonly DependencyManager dependencyManager;
-
-        public void Dispose()
-        {
-            dependencyManager.Dispose();
-        }
-    };
-
     public class Program
     {
         public static int Main(string[] args)

csharp/extractor/Semmle.Extraction.CSharp/Extractor/Analyser.cs

@@ -6,6 +6,7 @@ using System.Linq;
 using System.Threading.Tasks;
 using Microsoft.CodeAnalysis;
 using Microsoft.CodeAnalysis.CSharp;
+using Semmle.Util;
 using Semmle.Util.Logging;
 using Semmle.Extraction.CSharp.Populators;
 
@@ -240,6 +241,8 @@ namespace Semmle.Extraction.CSharp
                 var cx = new Context(extractor, compilation.Clone(), trapWriter, new AssemblyScope(assembly, assemblyPath), addAssemblyTrapPrefix);
 
                 compilationEntity = Entities.Compilation.Create(cx);
+
+                extractor.CompilationInfos.ForEach(ci => trapWriter.Writer.compilation_info(compilationEntity, ci.key, ci.value));
             }
             catch (Exception ex)  // lgtm[cs/catch-of-all-exceptions]
             {

csharp/extractor/Semmle.Extraction.CSharp/Extractor/StandaloneAnalyser.cs

@@ -13,10 +13,10 @@ namespace Semmle.Extraction.CSharp
         {
         }
 
-        public void Initialize(string outputPath, CSharpCompilation compilationIn, CommonOptions options)
+        public void Initialize(string outputPath, IEnumerable<(string, string)> compilationInfos, CSharpCompilation compilationIn, CommonOptions options)
         {
             compilation = compilationIn;
-            extractor = new StandaloneExtractor(outputPath, Logger, PathTransformer, options);
+            extractor = new StandaloneExtractor(outputPath, compilationInfos, Logger, PathTransformer, options);
             this.options = options;
             LogExtractorInfo(Extraction.Extractor.Version);
             SetReferencePaths();

csharp/extractor/Semmle.Extraction.CSharp/Tuples.cs

@@ -71,6 +71,9 @@ namespace Semmle.Extraction.CSharp
         internal static void compilation_expanded_args(this TextWriter trapFile, Compilation compilation, int index, string arg) =>
             trapFile.WriteTuple("compilation_expanded_args", compilation, index, arg);
 
+        internal static void compilation_info(this TextWriter trapFile, Compilation compilation, string infoKey, string infoValue) =>
+            trapFile.WriteTuple("compilation_info", compilation, infoKey, infoValue);
+
         internal static void compilation_compiling_files(this TextWriter trapFile, Compilation compilation, int index, Extraction.Entities.File file) =>
             trapFile.WriteTuple("compilation_compiling_files", compilation, index, file);
 

csharp/extractor/Semmle.Extraction/Extractor/Extractor.cs

@@ -1,6 +1,8 @@
 using System.Collections.Generic;
 using Semmle.Util.Logging;
 
+using CompilationInfo = (string key, string value);
+
 namespace Semmle.Extraction
 {
     /// <summary>
@@ -10,17 +12,19 @@ namespace Semmle.Extraction
     {
         public abstract ExtractorMode Mode { get; }
         public string OutputPath { get; }
+        public IEnumerable<CompilationInfo> CompilationInfos { get; }
 
         /// <summary>
         /// Creates a new extractor instance for one compilation unit.
         /// </summary>
         /// <param name="logger">The object used for logging.</param>
         /// <param name="pathTransformer">The object used for path transformations.</param>
-        protected Extractor(string outputPath, ILogger logger, PathTransformer pathTransformer)
+        protected Extractor(string outputPath, IEnumerable<CompilationInfo> compilationInfos, ILogger logger, PathTransformer pathTransformer)
         {
             OutputPath = outputPath;
             Logger = logger;
             PathTransformer = pathTransformer;
+            CompilationInfos = compilationInfos;
         }
 
         // Limit the number of error messages in the log file

csharp/extractor/Semmle.Extraction/Extractor/StandaloneExtractor.cs

@@ -1,3 +1,4 @@
+using System.Collections.Generic;
 using Semmle.Util.Logging;
 
 namespace Semmle.Extraction
@@ -11,7 +12,7 @@ namespace Semmle.Extraction
         /// </summary>
         /// <param name="logger">The object used for logging.</param>
         /// <param name="pathTransformer">The object used for path transformations.</param>
-        public StandaloneExtractor(string outputPath, ILogger logger, PathTransformer pathTransformer, CommonOptions options) : base(outputPath, logger, pathTransformer)
+        public StandaloneExtractor(string outputPath, IEnumerable<(string, string)> compilationInfos, ILogger logger, PathTransformer pathTransformer, CommonOptions options) : base(outputPath, compilationInfos, logger, pathTransformer)
         {
             Mode = ExtractorMode.Standalone;
             if (options.QlTest)

csharp/extractor/Semmle.Extraction/Extractor/TracingExtractor.cs

@@ -1,3 +1,4 @@
+using System.Linq;
 using Semmle.Util.Logging;
 
 namespace Semmle.Extraction
@@ -12,7 +13,7 @@ namespace Semmle.Extraction
         /// <param name="outputPath">The name of the output DLL/EXE, or null if not specified (standalone extraction).</param>
         /// <param name="logger">The object used for logging.</param>
         /// <param name="pathTransformer">The object used for path transformations.</param>
-        public TracingExtractor(string outputPath, ILogger logger, PathTransformer pathTransformer, CommonOptions options) : base(outputPath, logger, pathTransformer)
+        public TracingExtractor(string outputPath, ILogger logger, PathTransformer pathTransformer, CommonOptions options) : base(outputPath, Enumerable.Empty<(string, string)>(), logger, pathTransformer)
         {
             Mode = ExtractorMode.None;
             if (options.QlTest)

csharp/ql/lib/change-notes/2024-02-05-compilation-info.md

@@ -0,0 +1,6 @@
+---
+category: minorAnalysis
+---
+* Added a new database relation to store key-value pairs corresponding to compilations. The new relation is used in
+buildless mode to surface information related to dependency fetching.
+

csharp/ql/lib/ext/System.Collections.Immutable.model.yml

@@ -12,6 +12,8 @@ extensions:
       - ["System.Collections.Immutable", "IImmutableSet<T>", True, "Add", "(T)", "", "Argument[0]", "Argument[this].Element", "value", "manual"]
       - ["System.Collections.Immutable", "IImmutableSet<T>", True, "Clear", "()", "", "Argument[this].WithoutElement", "ReturnValue", "value", "manual"]
       - ["System.Collections.Immutable", "IImmutableStack<T>", True, "Clear", "()", "", "Argument[this].WithoutElement", "ReturnValue", "value", "manual"]
+      - ["System.Collections.Immutable", "ImmutableArray", False, "ToImmutableArray<T>", "(System.Span<T>)", "", "Argument[0].Element", "ReturnValue.Element", "value", "manual"]
+      - ["System.Collections.Immutable", "ImmutableArray", False, "ToImmutableArray<T>", "(System.ReadOnlySpan<T>)", "", "Argument[0].Element", "ReturnValue.Element", "value", "manual"]
       - ["System.Collections.Immutable", "ImmutableArray<T>+Builder", False, "AddRange", "(System.Collections.Generic.IEnumerable<T>)", "", "Argument[0].Element", "Argument[this].Element", "value", "manual"]
       - ["System.Collections.Immutable", "ImmutableArray<T>+Builder", False, "AddRange", "(System.Collections.Immutable.ImmutableArray<T>)", "", "Argument[0].Element", "Argument[this].Element", "value", "manual"]
       - ["System.Collections.Immutable", "ImmutableArray<T>+Builder", False, "AddRange", "(System.Collections.Immutable.ImmutableArray<T>+Builder)", "", "Argument[0].Element", "Argument[this].Element", "value", "manual"]

csharp/ql/lib/ext/System.Linq.model.yml

@@ -29,15 +29,15 @@ extensions:
       - ["System.Linq", "Enumerable", False, "Concat<TSource>", "(System.Collections.Generic.IEnumerable<TSource>,System.Collections.Generic.IEnumerable<TSource>)", "", "Argument[0].Element", "ReturnValue.Element", "value", "manual"]
       - ["System.Linq", "Enumerable", False, "Concat<TSource>", "(System.Collections.Generic.IEnumerable<TSource>,System.Collections.Generic.IEnumerable<TSource>)", "", "Argument[1].Element", "ReturnValue.Element", "value", "manual"]
       - ["System.Linq", "Enumerable", False, "Count<TSource>", "(System.Collections.Generic.IEnumerable<TSource>,System.Func<TSource,System.Boolean>)", "", "Argument[0].Element", "Argument[1].Parameter[0]", "value", "manual"]
-      - ["System.Linq", "Enumerable", False, "DefaultIfEmpty<TSource>", "(System.Collections.Generic.IEnumerable<TSource>)", "", "Argument[0].Element", "ReturnValue", "value", "manual"]
-      - ["System.Linq", "Enumerable", False, "DefaultIfEmpty<TSource>", "(System.Collections.Generic.IEnumerable<TSource>,TSource)", "", "Argument[0].Element", "ReturnValue", "value", "manual"]
-      - ["System.Linq", "Enumerable", False, "DefaultIfEmpty<TSource>", "(System.Collections.Generic.IEnumerable<TSource>,TSource)", "", "Argument[1]", "ReturnValue", "value", "manual"]
+      - ["System.Linq", "Enumerable", False, "DefaultIfEmpty<TSource>", "(System.Collections.Generic.IEnumerable<TSource>)", "", "Argument[0].Element", "ReturnValue.Element", "value", "manual"]
+      - ["System.Linq", "Enumerable", False, "DefaultIfEmpty<TSource>", "(System.Collections.Generic.IEnumerable<TSource>,TSource)", "", "Argument[0].Element", "ReturnValue.Element", "value", "manual"]
+      - ["System.Linq", "Enumerable", False, "DefaultIfEmpty<TSource>", "(System.Collections.Generic.IEnumerable<TSource>,TSource)", "", "Argument[1]", "ReturnValue.Element", "value", "manual"]
       - ["System.Linq", "Enumerable", False, "Distinct<TSource>", "(System.Collections.Generic.IEnumerable<TSource>)", "", "Argument[0].Element", "ReturnValue.Element", "value", "manual"]
       - ["System.Linq", "Enumerable", False, "Distinct<TSource>", "(System.Collections.Generic.IEnumerable<TSource>,System.Collections.Generic.IEqualityComparer<TSource>)", "", "Argument[0].Element", "ReturnValue.Element", "value", "manual"]
       - ["System.Linq", "Enumerable", False, "ElementAt<TSource>", "(System.Collections.Generic.IEnumerable<TSource>,System.Int32)", "", "Argument[0].Element", "ReturnValue", "value", "manual"]
       - ["System.Linq", "Enumerable", False, "ElementAtOrDefault<TSource>", "(System.Collections.Generic.IEnumerable<TSource>,System.Int32)", "", "Argument[0].Element", "ReturnValue", "value", "manual"]
-      - ["System.Linq", "Enumerable", False, "Except<TSource>", "(System.Collections.Generic.IEnumerable<TSource>,System.Collections.Generic.IEnumerable<TSource>)", "", "Argument[0].Element", "ReturnValue", "value", "manual"]
-      - ["System.Linq", "Enumerable", False, "Except<TSource>", "(System.Collections.Generic.IEnumerable<TSource>,System.Collections.Generic.IEnumerable<TSource>,System.Collections.Generic.IEqualityComparer<TSource>)", "", "Argument[0].Element", "ReturnValue", "value", "manual"]
+      - ["System.Linq", "Enumerable", False, "Except<TSource>", "(System.Collections.Generic.IEnumerable<TSource>,System.Collections.Generic.IEnumerable<TSource>)", "", "Argument[0].Element", "ReturnValue.Element", "value", "manual"]
+      - ["System.Linq", "Enumerable", False, "Except<TSource>", "(System.Collections.Generic.IEnumerable<TSource>,System.Collections.Generic.IEnumerable<TSource>,System.Collections.Generic.IEqualityComparer<TSource>)", "", "Argument[0].Element", "ReturnValue.Element", "value", "manual"]
       - ["System.Linq", "Enumerable", False, "First<TSource>", "(System.Collections.Generic.IEnumerable<TSource>)", "", "Argument[0].Element", "ReturnValue", "value", "manual"]
       - ["System.Linq", "Enumerable", False, "First<TSource>", "(System.Collections.Generic.IEnumerable<TSource>,System.Func<TSource,System.Boolean>)", "", "Argument[0].Element", "Argument[1].Parameter[0]", "value", "manual"]
       - ["System.Linq", "Enumerable", False, "First<TSource>", "(System.Collections.Generic.IEnumerable<TSource>,System.Func<TSource,System.Boolean>)", "", "Argument[0].Element", "ReturnValue", "value", "manual"]
@@ -250,17 +250,17 @@ extensions:
       - ["System.Linq", "ParallelEnumerable", False, "Concat<TSource>", "(System.Linq.ParallelQuery<TSource>,System.Linq.ParallelQuery<TSource>)", "", "Argument[0].Element", "ReturnValue.Element", "value", "manual"]
       - ["System.Linq", "ParallelEnumerable", False, "Concat<TSource>", "(System.Linq.ParallelQuery<TSource>,System.Linq.ParallelQuery<TSource>)", "", "Argument[1].Element", "ReturnValue.Element", "value", "manual"]
       - ["System.Linq", "ParallelEnumerable", False, "Count<TSource>", "(System.Linq.ParallelQuery<TSource>,System.Func<TSource,System.Boolean>)", "", "Argument[0].Element", "Argument[1].Parameter[0]", "value", "manual"]
-      - ["System.Linq", "ParallelEnumerable", False, "DefaultIfEmpty<TSource>", "(System.Linq.ParallelQuery<TSource>)", "", "Argument[0].Element", "ReturnValue", "value", "manual"]
-      - ["System.Linq", "ParallelEnumerable", False, "DefaultIfEmpty<TSource>", "(System.Linq.ParallelQuery<TSource>,TSource)", "", "Argument[0].Element", "ReturnValue", "value", "manual"]
-      - ["System.Linq", "ParallelEnumerable", False, "DefaultIfEmpty<TSource>", "(System.Linq.ParallelQuery<TSource>,TSource)", "", "Argument[1]", "ReturnValue", "value", "manual"]
+      - ["System.Linq", "ParallelEnumerable", False, "DefaultIfEmpty<TSource>", "(System.Linq.ParallelQuery<TSource>)", "", "Argument[0].Element", "ReturnValue.Element", "value", "manual"]
+      - ["System.Linq", "ParallelEnumerable", False, "DefaultIfEmpty<TSource>", "(System.Linq.ParallelQuery<TSource>,TSource)", "", "Argument[0].Element", "ReturnValue.Element", "value", "manual"]
+      - ["System.Linq", "ParallelEnumerable", False, "DefaultIfEmpty<TSource>", "(System.Linq.ParallelQuery<TSource>,TSource)", "", "Argument[1]", "ReturnValue.Element", "value", "manual"]
       - ["System.Linq", "ParallelEnumerable", False, "Distinct<TSource>", "(System.Linq.ParallelQuery<TSource>)", "", "Argument[0].Element", "ReturnValue.Element", "value", "manual"]
       - ["System.Linq", "ParallelEnumerable", False, "Distinct<TSource>", "(System.Linq.ParallelQuery<TSource>,System.Collections.Generic.IEqualityComparer<TSource>)", "", "Argument[0].Element", "ReturnValue.Element", "value", "manual"]
       - ["System.Linq", "ParallelEnumerable", False, "ElementAt<TSource>", "(System.Linq.ParallelQuery<TSource>,System.Int32)", "", "Argument[0].Element", "ReturnValue", "value", "manual"]
       - ["System.Linq", "ParallelEnumerable", False, "ElementAtOrDefault<TSource>", "(System.Linq.ParallelQuery<TSource>,System.Int32)", "", "Argument[0].Element", "ReturnValue", "value", "manual"]
-      - ["System.Linq", "ParallelEnumerable", False, "Except<TSource>", "(System.Linq.ParallelQuery<TSource>,System.Collections.Generic.IEnumerable<TSource>)", "", "Argument[0].Element", "ReturnValue", "value", "manual"]
-      - ["System.Linq", "ParallelEnumerable", False, "Except<TSource>", "(System.Linq.ParallelQuery<TSource>,System.Collections.Generic.IEnumerable<TSource>,System.Collections.Generic.IEqualityComparer<TSource>)", "", "Argument[0].Element", "ReturnValue", "value", "manual"]
-      - ["System.Linq", "ParallelEnumerable", False, "Except<TSource>", "(System.Linq.ParallelQuery<TSource>,System.Linq.ParallelQuery<TSource>)", "", "Argument[0].Element", "ReturnValue", "value", "manual"]
-      - ["System.Linq", "ParallelEnumerable", False, "Except<TSource>", "(System.Linq.ParallelQuery<TSource>,System.Linq.ParallelQuery<TSource>,System.Collections.Generic.IEqualityComparer<TSource>)", "", "Argument[0].Element", "ReturnValue", "value", "manual"]
+      - ["System.Linq", "ParallelEnumerable", False, "Except<TSource>", "(System.Linq.ParallelQuery<TSource>,System.Collections.Generic.IEnumerable<TSource>)", "", "Argument[0].Element", "ReturnValue.Element", "value", "manual"]
+      - ["System.Linq", "ParallelEnumerable", False, "Except<TSource>", "(System.Linq.ParallelQuery<TSource>,System.Collections.Generic.IEnumerable<TSource>,System.Collections.Generic.IEqualityComparer<TSource>)", "", "Argument[0].Element", "ReturnValue.Element", "value", "manual"]
+      - ["System.Linq", "ParallelEnumerable", False, "Except<TSource>", "(System.Linq.ParallelQuery<TSource>,System.Linq.ParallelQuery<TSource>)", "", "Argument[0].Element", "ReturnValue.Element", "value", "manual"]
+      - ["System.Linq", "ParallelEnumerable", False, "Except<TSource>", "(System.Linq.ParallelQuery<TSource>,System.Linq.ParallelQuery<TSource>,System.Collections.Generic.IEqualityComparer<TSource>)", "", "Argument[0].Element", "ReturnValue.Element", "value", "manual"]
       - ["System.Linq", "ParallelEnumerable", False, "First<TSource>", "(System.Linq.ParallelQuery<TSource>)", "", "Argument[0].Element", "ReturnValue", "value", "manual"]
       - ["System.Linq", "ParallelEnumerable", False, "First<TSource>", "(System.Linq.ParallelQuery<TSource>,System.Func<TSource,System.Boolean>)", "", "Argument[0].Element", "Argument[1].Parameter[0]", "value", "manual"]
       - ["System.Linq", "ParallelEnumerable", False, "First<TSource>", "(System.Linq.ParallelQuery<TSource>,System.Func<TSource,System.Boolean>)", "", "Argument[0].Element", "ReturnValue", "value", "manual"]
@@ -496,15 +496,15 @@ extensions:
       - ["System.Linq", "Queryable", False, "Concat<TSource>", "(System.Linq.IQueryable<TSource>,System.Collections.Generic.IEnumerable<TSource>)", "", "Argument[0].Element", "ReturnValue.Element", "value", "manual"]
       - ["System.Linq", "Queryable", False, "Concat<TSource>", "(System.Linq.IQueryable<TSource>,System.Collections.Generic.IEnumerable<TSource>)", "", "Argument[1].Element", "ReturnValue.Element", "value", "manual"]
       - ["System.Linq", "Queryable", False, "Count<TSource>", "(System.Linq.IQueryable<TSource>,System.Linq.Expressions.Expression<System.Func<TSource,System.Boolean>>)", "", "Argument[0].Element", "Argument[1].Parameter[0]", "value", "manual"]
-      - ["System.Linq", "Queryable", False, "DefaultIfEmpty<TSource>", "(System.Linq.IQueryable<TSource>)", "", "Argument[0].Element", "ReturnValue", "value", "manual"]
-      - ["System.Linq", "Queryable", False, "DefaultIfEmpty<TSource>", "(System.Linq.IQueryable<TSource>,TSource)", "", "Argument[0].Element", "ReturnValue", "value", "manual"]
-      - ["System.Linq", "Queryable", False, "DefaultIfEmpty<TSource>", "(System.Linq.IQueryable<TSource>,TSource)", "", "Argument[1]", "ReturnValue", "value", "manual"]
+      - ["System.Linq", "Queryable", False, "DefaultIfEmpty<TSource>", "(System.Linq.IQueryable<TSource>)", "", "Argument[0].Element", "ReturnValue.Element", "value", "manual"]
+      - ["System.Linq", "Queryable", False, "DefaultIfEmpty<TSource>", "(System.Linq.IQueryable<TSource>,TSource)", "", "Argument[0].Element", "ReturnValue.Element", "value", "manual"]
+      - ["System.Linq", "Queryable", False, "DefaultIfEmpty<TSource>", "(System.Linq.IQueryable<TSource>,TSource)", "", "Argument[1]", "ReturnValue.Element", "value", "manual"]
       - ["System.Linq", "Queryable", False, "Distinct<TSource>", "(System.Linq.IQueryable<TSource>)", "", "Argument[0].Element", "ReturnValue.Element", "value", "manual"]
       - ["System.Linq", "Queryable", False, "Distinct<TSource>", "(System.Linq.IQueryable<TSource>,System.Collections.Generic.IEqualityComparer<TSource>)", "", "Argument[0].Element", "ReturnValue.Element", "value", "manual"]
       - ["System.Linq", "Queryable", False, "ElementAt<TSource>", "(System.Linq.IQueryable<TSource>,System.Int32)", "", "Argument[0].Element", "ReturnValue", "value", "manual"]
       - ["System.Linq", "Queryable", False, "ElementAtOrDefault<TSource>", "(System.Linq.IQueryable<TSource>,System.Int32)", "", "Argument[0].Element", "ReturnValue", "value", "manual"]
-      - ["System.Linq", "Queryable", False, "Except<TSource>", "(System.Linq.IQueryable<TSource>,System.Collections.Generic.IEnumerable<TSource>)", "", "Argument[0].Element", "ReturnValue", "value", "manual"]
-      - ["System.Linq", "Queryable", False, "Except<TSource>", "(System.Linq.IQueryable<TSource>,System.Collections.Generic.IEnumerable<TSource>,System.Collections.Generic.IEqualityComparer<TSource>)", "", "Argument[0].Element", "ReturnValue", "value", "manual"]
+      - ["System.Linq", "Queryable", False, "Except<TSource>", "(System.Linq.IQueryable<TSource>,System.Collections.Generic.IEnumerable<TSource>)", "", "Argument[0].Element", "ReturnValue.Element", "value", "manual"]
+      - ["System.Linq", "Queryable", False, "Except<TSource>", "(System.Linq.IQueryable<TSource>,System.Collections.Generic.IEnumerable<TSource>,System.Collections.Generic.IEqualityComparer<TSource>)", "", "Argument[0].Element", "ReturnValue.Element", "value", "manual"]
       - ["System.Linq", "Queryable", False, "First<TSource>", "(System.Linq.IQueryable<TSource>)", "", "Argument[0].Element", "ReturnValue", "value", "manual"]
       - ["System.Linq", "Queryable", False, "First<TSource>", "(System.Linq.IQueryable<TSource>,System.Linq.Expressions.Expression<System.Func<TSource,System.Boolean>>)", "", "Argument[0].Element", "Argument[1].Parameter[0]", "value", "manual"]
       - ["System.Linq", "Queryable", False, "First<TSource>", "(System.Linq.IQueryable<TSource>,System.Linq.Expressions.Expression<System.Func<TSource,System.Boolean>>)", "", "Argument[0].Element", "ReturnValue", "value", "manual"]

csharp/ql/lib/ext/System.model.yml

@@ -374,12 +374,37 @@ extensions:
       - ["System", "Lazy<T>", False, "Lazy", "(System.Func<T>,System.Boolean)", "", "Argument[0].ReturnValue", "Argument[this].Property[System.Lazy`1.Value]", "value", "manual"]
       - ["System", "Lazy<T>", False, "Lazy", "(System.Func<T>,System.Threading.LazyThreadSafetyMode)", "", "Argument[0].ReturnValue", "Argument[this].Property[System.Lazy`1.Value]", "value", "manual"]
       - ["System", "Lazy<T>", False, "get_Value", "()", "", "Argument[this]", "ReturnValue", "taint", "manual"]
+      - ["System", "MemoryExtensions", False, "Replace<T>", "(System.Span<T>,T,T)", "", "Argument[2]", "Argument[0].Element", "value", "manual"]
+      - ["System", "MemoryExtensions", False, "Replace<T>", "(System.ReadOnlySpan<T>,System.Span<T>,T,T)", "", "Argument[0].Element", "Argument[1].Element", "value", "manual"]
+      - ["System", "MemoryExtensions", False, "Replace<T>", "(System.ReadOnlySpan<T>,System.Span<T>,T,T)", "", "Argument[3]", "Argument[1].Element", "value", "manual"]
       - ["System", "Nullable<T>", False, "GetValueOrDefault", "()", "", "Argument[this].Property[System.Nullable`1.Value]", "ReturnValue", "value", "manual"]
       - ["System", "Nullable<T>", False, "GetValueOrDefault", "(T)", "", "Argument[0]", "ReturnValue", "value", "manual"]
       - ["System", "Nullable<T>", False, "GetValueOrDefault", "(T)", "", "Argument[this].Property[System.Nullable`1.Value]", "ReturnValue", "value", "manual"]
       - ["System", "Nullable<T>", False, "Nullable", "(T)", "", "Argument[0]", "Argument[this].Property[System.Nullable`1.Value]", "value", "manual"]
       - ["System", "Nullable<T>", False, "get_HasValue", "()", "", "Argument[this].Property[System.Nullable`1.Value]", "ReturnValue", "taint", "manual"]
       - ["System", "Nullable<T>", False, "get_Value", "()", "", "Argument[this]", "ReturnValue", "taint", "manual"]
+      - ["System", "ReadOnlySpan<T>", False, "CopyTo", "(System.Span<T>)", "", "Argument[this].Element", "Argument[0].Element", "value", "manual"]
+      - ["System", "ReadOnlySpan<T>", False, "get_Item", "(System.Int32)", "", "Argument[this].Element", "ReturnValue", "value", "manual"]
+      - ["System", "ReadOnlySpan<T>", False, "GetPinnableReference", "()", "", "Argument[this].Element", "ReturnValue", "value", "manual"]
+      - ["System", "ReadOnlySpan<T>", False, "Slice", "(System.Int32)", "", "Argument[this].Element", "ReturnValue.Element", "value", "manual"]
+      - ["System", "ReadOnlySpan<T>", False, "Slice", "(System.Int32,System.Int32)", "", "Argument[this].Element", "ReturnValue.Element", "value", "manual"]
+      - ["System", "ReadOnlySpan<T>", False, "ReadOnlySpan", "(T)", "", "Argument[0]", "Argument[this].Element", "value", "manual"]
+      - ["System", "ReadOnlySpan<T>", False, "ReadOnlySpan", "(T[])", "", "Argument[0].Element", "Argument[this].Element", "value", "manual"]
+      - ["System", "ReadOnlySpan<T>", False, "ReadOnlySpan", "(T[],System.Int32,System.Int32)", "", "Argument[0].Element", "Argument[this].Element", "value", "manual"]
+      - ["System", "ReadOnlySpan<T>", False, "ToArray", "()", "", "Argument[this].Element", "ReturnValue.Element", "value", "manual"]
+      - ["System", "ReadOnlySpan<T>", False, "TryCopyTo", "(System.Span<T>)", "", "Argument[this].Element", "Argument[0].Element", "value", "manual"]
+      - ["System", "Span<T>", False, "Clear", "()", "", "Argument[this].WithoutElement", "Argument[this]", "value", "manual"]
+      - ["System", "Span<T>", False, "CopyTo", "(System.Span<T>)", "", "Argument[this].Element", "Argument[0].Element", "value", "manual"]
+      - ["System", "Span<T>", False, "Fill", "(T)", "", "Argument[0]", "Argument[this].Element", "value", "manual"]
+      - ["System", "Span<T>", False, "get_Item", "(System.Int32)", "", "Argument[this].Element", "ReturnValue", "value", "manual"]
+      - ["System", "Span<T>", False, "GetPinnableReference", "()", "", "Argument[this].Element", "ReturnValue", "value", "manual"]
+      - ["System", "Span<T>", False, "Slice", "(System.Int32)", "", "Argument[this].Element", "ReturnValue.Element", "value", "manual"]
+      - ["System", "Span<T>", False, "Slice", "(System.Int32,System.Int32)", "", "Argument[this].Element", "ReturnValue.Element", "value", "manual"]
+      - ["System", "Span<T>", False, "Span", "(T)", "", "Argument[0]", "Argument[this].Element", "value", "manual"]
+      - ["System", "Span<T>", False, "Span", "(T[])", "", "Argument[0].Element", "Argument[this].Element", "value", "manual"]
+      - ["System", "Span<T>", False, "Span", "(T[],System.Int32,System.Int32)", "", "Argument[0].Element", "Argument[this].Element", "value", "manual"]
+      - ["System", "Span<T>", False, "ToArray", "()", "", "Argument[this].Element", "ReturnValue.Element", "value", "manual"]
+      - ["System", "Span<T>", False, "TryCopyTo", "(System.Span<T>)", "", "Argument[this].Element", "Argument[0].Element", "value", "manual"]
       - ["System", "String", False, "Clone", "()", "", "Argument[this]", "ReturnValue", "value", "manual"]
       - ["System", "String", False, "Concat", "(System.Collections.Generic.IEnumerable<System.String>)", "", "Argument[0].Element", "ReturnValue", "taint", "manual"]
       - ["System", "String", False, "Concat", "(System.Object)", "", "Argument[0]", "ReturnValue", "taint", "manual"]

csharp/ql/lib/semmle/code/csharp/commons/Compilation.qll

@@ -83,4 +83,9 @@ class Compilation extends @compilation {
 
   /** Gets the elapsed seconds for the entire extractor process. */
   float getElapsedSeconds() { compilation_finished(this, _, result) }
+
+  /**
+   * Gets the piece of compilation information with the given key, if any.
+   */
+  string getInfo(string key) { compilation_info(this, key, result) }
 }

csharp/ql/lib/semmlecode.csharp.dbscheme

@@ -24,6 +24,12 @@ compilations(
     string cwd : string ref
 );
 
+compilation_info(
+  int id : @compilation ref,
+  string info_key: string ref,
+  string info_value: string ref
+)
+
 /**
  * The arguments that were passed to the extractor for a compiler
  * invocation. If `id` is for the compiler invocation

csharp/ql/lib/upgrades/f145a9a7275c8f457b392b2ebc9f8e07960a0ed2/upgrade.properties

@@ -0,0 +1,2 @@
+description: Add `compilation_info`.
+compatibility: backwards

csharp/ql/src/Telemetry/ExtractorInformation.ql

@@ -9,6 +9,17 @@
 import csharp
 import semmle.code.csharp.commons.Diagnostics
 
+predicate compilationInfo(string key, float value) {
+  exists(Compilation c, string infoKey, string infoValue | infoValue = c.getInfo(infoKey) |
+    key = infoKey and
+    value = infoValue.toFloat()
+    or
+    not exists(infoValue.toFloat()) and
+    key = infoKey + ": " + infoValue and
+    value = 1
+  )
+}
+
 predicate fileCount(string key, int value) {
   key = "Number of files" and
   value = strictcount(File f)
@@ -177,6 +188,7 @@ predicate analyzerAssemblies(string key, float value) {
 from string key, float value
 where
   (
+    compilationInfo(key, value) or
     fileCount(key, value) or
     fileCountByExtension(key, value) or
     totalNumberOfLines(key, value) or

csharp/ql/src/experimental/ir/implementation/raw/Instruction.qll

@@ -2125,13 +2125,6 @@ class ChiInstruction extends Instruction {
    */
   final Instruction getPartial() { result = this.getPartialOperand().getDef() }
 
-  /**
-   * Gets the bit range `[startBit, endBit)` updated by the partial operand of this `ChiInstruction`, relative to the start address of the total operand.
-   */
-  final predicate getUpdatedInterval(int startBit, int endBit) {
-    Construction::getIntervalUpdatedByChi(this, startBit, endBit)
-  }
-
   /**
    * Holds if the `ChiPartialOperand` totally, but not exactly, overlaps with the `ChiTotalOperand`.
    * This means that the `ChiPartialOperand` will not override the entire memory associated with the

csharp/ql/src/experimental/ir/implementation/raw/internal/IRConstruction.qll

@@ -216,13 +216,6 @@ private module Cached {
     result = getMemoryOperandDefinition(instr, _, _)
   }
 
-  /**
-   * Holds if the partial operand of this `ChiInstruction` updates the bit range
-   * `[startBitOffset, endBitOffset)` of the total operand.
-   */
-  cached
-  predicate getIntervalUpdatedByChi(ChiInstruction chi, int startBit, int endBit) { none() }
-
   /**
    * Holds if the operand totally overlaps with its definition and consumes the
    * bit range `[startBitOffset, endBitOffset)`.

csharp/ql/src/experimental/ir/implementation/unaliased_ssa/Instruction.qll

@@ -2125,13 +2125,6 @@ class ChiInstruction extends Instruction {
    */
   final Instruction getPartial() { result = this.getPartialOperand().getDef() }
 
-  /**
-   * Gets the bit range `[startBit, endBit)` updated by the partial operand of this `ChiInstruction`, relative to the start address of the total operand.
-   */
-  final predicate getUpdatedInterval(int startBit, int endBit) {
-    Construction::getIntervalUpdatedByChi(this, startBit, endBit)
-  }
-
   /**
    * Holds if the `ChiPartialOperand` totally, but not exactly, overlaps with the `ChiTotalOperand`.
    * This means that the `ChiPartialOperand` will not override the entire memory associated with the

csharp/ql/src/experimental/ir/implementation/unaliased_ssa/internal/SSAConstruction.qll

@@ -233,20 +233,6 @@ private module Cached {
     )
   }
 
-  /**
-   * Holds if the partial operand of this `ChiInstruction` updates the bit range
-   * `[startBitOffset, endBitOffset)` of the total operand.
-   */
-  cached
-  predicate getIntervalUpdatedByChi(ChiInstruction chi, int startBitOffset, int endBitOffset) {
-    exists(Alias::MemoryLocation location, OldInstruction oldInstruction |
-      oldInstruction = getOldInstruction(chi.getPartial()) and
-      location = Alias::getResultMemoryLocation(oldInstruction) and
-      startBitOffset = Alias::getStartBitOffset(location) and
-      endBitOffset = Alias::getEndBitOffset(location)
-    )
-  }
-
   /**
    * Holds if `operand` totally overlaps with its definition and consumes the bit range
    * `[startBitOffset, endBitOffset)`.

csharp/ql/test/library-tests/dataflow/collections/CollectionFlow.cs

@@ -481,4 +481,40 @@ public class CollectionFlow
         IntegerCollection ic1 = [.. ic0];
         Sink(ic1.Payload); // No flow
     }
+
+    public void SpanConstructorFlow()
+    {
+        var a = new A();
+        Span<A> span = new Span<A>(ref a);
+        Sink(span[0]); // flow
+    }
+
+    public void SpanToArrayFlow()
+    {
+        var a = new A();
+        Span<A> span = new Span<A>(ref a);
+        var arr = span.ToArray();
+        Sink(arr[0]); // flow
+    }
+
+    public void SpanFillFlow(Span<A> target)
+    {
+        var a = new A();
+        target.Fill(a);
+        Sink(target[0]); // flow
+    }
+
+    public void SpanCopyToFlow(Span<A> target)
+    {
+        var source = new Span<A>(new[] { new A() });
+        source.CopyTo(target);
+        Sink(target[0]); // flow
+    }
+
+    public void ReadOnlySpanConstructorFlow()
+    {
+        var a = new A();
+        ReadOnlySpan<A> span = new ReadOnlySpan<A>(new[] { a });
+        Sink(span[0]); // flow
+    }
 }

csharp/ql/test/library-tests/dataflow/collections/CollectionFlow.expected

@@ -246,6 +246,33 @@ edges
 | CollectionFlow.cs:448:21:448:21 | access to local variable a : A | CollectionFlow.cs:448:20:448:22 | [...] : A[] [element] : A |
 | CollectionFlow.cs:449:22:449:28 | .. access to local variable temp : A[] [element] : A | CollectionFlow.cs:450:14:450:18 | access to local variable array : A[] [element] : A |
 | CollectionFlow.cs:450:14:450:18 | access to local variable array : A[] [element] : A | CollectionFlow.cs:450:14:450:21 | access to array element |
+| CollectionFlow.cs:487:17:487:23 | object creation of type A : A | CollectionFlow.cs:488:40:488:40 | access to local variable a : A |
+| CollectionFlow.cs:488:24:488:41 | object creation of type Span<A> : Span<T> [element] : A | CollectionFlow.cs:489:14:489:17 | access to local variable span : Span<T> [element] : A |
+| CollectionFlow.cs:488:40:488:40 | access to local variable a : A | CollectionFlow.cs:488:24:488:41 | object creation of type Span<A> : Span<T> [element] : A |
+| CollectionFlow.cs:489:14:489:17 | access to local variable span : Span<T> [element] : A | CollectionFlow.cs:489:14:489:20 | access to indexer |
+| CollectionFlow.cs:494:17:494:23 | object creation of type A : A | CollectionFlow.cs:495:40:495:40 | access to local variable a : A |
+| CollectionFlow.cs:495:24:495:41 | object creation of type Span<A> : Span<T> [element] : A | CollectionFlow.cs:496:19:496:22 | access to local variable span : Span<T> [element] : A |
+| CollectionFlow.cs:495:40:495:40 | access to local variable a : A | CollectionFlow.cs:495:24:495:41 | object creation of type Span<A> : Span<T> [element] : A |
+| CollectionFlow.cs:496:19:496:22 | access to local variable span : Span<T> [element] : A | CollectionFlow.cs:496:19:496:32 | call to method ToArray : T[] [element] : A |
+| CollectionFlow.cs:496:19:496:32 | call to method ToArray : T[] [element] : A | CollectionFlow.cs:497:14:497:16 | access to local variable arr : T[] [element] : A |
+| CollectionFlow.cs:497:14:497:16 | access to local variable arr : T[] [element] : A | CollectionFlow.cs:497:14:497:19 | access to array element |
+| CollectionFlow.cs:502:17:502:23 | object creation of type A : A | CollectionFlow.cs:503:21:503:21 | access to local variable a : A |
+| CollectionFlow.cs:503:9:503:14 | [post] access to parameter target : Span<T> [element] : A | CollectionFlow.cs:504:14:504:19 | access to parameter target : Span<T> [element] : A |
+| CollectionFlow.cs:503:21:503:21 | access to local variable a : A | CollectionFlow.cs:503:9:503:14 | [post] access to parameter target : Span<T> [element] : A |
+| CollectionFlow.cs:504:14:504:19 | access to parameter target : Span<T> [element] : A | CollectionFlow.cs:504:14:504:22 | access to indexer |
+| CollectionFlow.cs:509:22:509:51 | object creation of type Span<A> : Span<T> [element] : A | CollectionFlow.cs:510:9:510:14 | access to local variable source : Span<T> [element] : A |
+| CollectionFlow.cs:509:34:509:50 | array creation of type A[] : null [element] : A | CollectionFlow.cs:509:22:509:51 | object creation of type Span<A> : Span<T> [element] : A |
+| CollectionFlow.cs:509:40:509:50 | { ..., ... } : null [element] : A | CollectionFlow.cs:509:34:509:50 | array creation of type A[] : null [element] : A |
+| CollectionFlow.cs:509:42:509:48 | object creation of type A : A | CollectionFlow.cs:509:40:509:50 | { ..., ... } : null [element] : A |
+| CollectionFlow.cs:510:9:510:14 | access to local variable source : Span<T> [element] : A | CollectionFlow.cs:510:23:510:28 | [post] access to parameter target : Span<T> [element] : A |
+| CollectionFlow.cs:510:23:510:28 | [post] access to parameter target : Span<T> [element] : A | CollectionFlow.cs:511:14:511:19 | access to parameter target : Span<T> [element] : A |
+| CollectionFlow.cs:511:14:511:19 | access to parameter target : Span<T> [element] : A | CollectionFlow.cs:511:14:511:22 | access to indexer |
+| CollectionFlow.cs:516:17:516:23 | object creation of type A : A | CollectionFlow.cs:517:60:517:60 | access to local variable a : A |
+| CollectionFlow.cs:517:32:517:63 | object creation of type ReadOnlySpan<A> : ReadOnlySpan<T> [element] : A | CollectionFlow.cs:518:14:518:17 | access to local variable span : ReadOnlySpan<T> [element] : A |
+| CollectionFlow.cs:517:52:517:62 | array creation of type A[] : null [element] : A | CollectionFlow.cs:517:32:517:63 | object creation of type ReadOnlySpan<A> : ReadOnlySpan<T> [element] : A |
+| CollectionFlow.cs:517:58:517:62 | { ..., ... } : null [element] : A | CollectionFlow.cs:517:52:517:62 | array creation of type A[] : null [element] : A |
+| CollectionFlow.cs:517:60:517:60 | access to local variable a : A | CollectionFlow.cs:517:58:517:62 | { ..., ... } : null [element] : A |
+| CollectionFlow.cs:518:14:518:17 | access to local variable span : ReadOnlySpan<T> [element] : A | CollectionFlow.cs:518:14:518:20 | access to indexer |
 nodes
 | CollectionFlow.cs:14:40:14:41 | ts : A[] [element] : A | semmle.label | ts : A[] [element] : A |
 | CollectionFlow.cs:14:40:14:41 | ts : null [element] : A | semmle.label | ts : null [element] : A |
@@ -497,6 +524,38 @@ nodes
 | CollectionFlow.cs:449:22:449:28 | .. access to local variable temp : A[] [element] : A | semmle.label | .. access to local variable temp : A[] [element] : A |
 | CollectionFlow.cs:450:14:450:18 | access to local variable array : A[] [element] : A | semmle.label | access to local variable array : A[] [element] : A |
 | CollectionFlow.cs:450:14:450:21 | access to array element | semmle.label | access to array element |
+| CollectionFlow.cs:487:17:487:23 | object creation of type A : A | semmle.label | object creation of type A : A |
+| CollectionFlow.cs:488:24:488:41 | object creation of type Span<A> : Span<T> [element] : A | semmle.label | object creation of type Span<A> : Span<T> [element] : A |
+| CollectionFlow.cs:488:40:488:40 | access to local variable a : A | semmle.label | access to local variable a : A |
+| CollectionFlow.cs:489:14:489:17 | access to local variable span : Span<T> [element] : A | semmle.label | access to local variable span : Span<T> [element] : A |
+| CollectionFlow.cs:489:14:489:20 | access to indexer | semmle.label | access to indexer |
+| CollectionFlow.cs:494:17:494:23 | object creation of type A : A | semmle.label | object creation of type A : A |
+| CollectionFlow.cs:495:24:495:41 | object creation of type Span<A> : Span<T> [element] : A | semmle.label | object creation of type Span<A> : Span<T> [element] : A |
+| CollectionFlow.cs:495:40:495:40 | access to local variable a : A | semmle.label | access to local variable a : A |
+| CollectionFlow.cs:496:19:496:22 | access to local variable span : Span<T> [element] : A | semmle.label | access to local variable span : Span<T> [element] : A |
+| CollectionFlow.cs:496:19:496:32 | call to method ToArray : T[] [element] : A | semmle.label | call to method ToArray : T[] [element] : A |
+| CollectionFlow.cs:497:14:497:16 | access to local variable arr : T[] [element] : A | semmle.label | access to local variable arr : T[] [element] : A |
+| CollectionFlow.cs:497:14:497:19 | access to array element | semmle.label | access to array element |
+| CollectionFlow.cs:502:17:502:23 | object creation of type A : A | semmle.label | object creation of type A : A |
+| CollectionFlow.cs:503:9:503:14 | [post] access to parameter target : Span<T> [element] : A | semmle.label | [post] access to parameter target : Span<T> [element] : A |
+| CollectionFlow.cs:503:21:503:21 | access to local variable a : A | semmle.label | access to local variable a : A |
+| CollectionFlow.cs:504:14:504:19 | access to parameter target : Span<T> [element] : A | semmle.label | access to parameter target : Span<T> [element] : A |
+| CollectionFlow.cs:504:14:504:22 | access to indexer | semmle.label | access to indexer |
+| CollectionFlow.cs:509:22:509:51 | object creation of type Span<A> : Span<T> [element] : A | semmle.label | object creation of type Span<A> : Span<T> [element] : A |
+| CollectionFlow.cs:509:34:509:50 | array creation of type A[] : null [element] : A | semmle.label | array creation of type A[] : null [element] : A |
+| CollectionFlow.cs:509:40:509:50 | { ..., ... } : null [element] : A | semmle.label | { ..., ... } : null [element] : A |
+| CollectionFlow.cs:509:42:509:48 | object creation of type A : A | semmle.label | object creation of type A : A |
+| CollectionFlow.cs:510:9:510:14 | access to local variable source : Span<T> [element] : A | semmle.label | access to local variable source : Span<T> [element] : A |
+| CollectionFlow.cs:510:23:510:28 | [post] access to parameter target : Span<T> [element] : A | semmle.label | [post] access to parameter target : Span<T> [element] : A |
+| CollectionFlow.cs:511:14:511:19 | access to parameter target : Span<T> [element] : A | semmle.label | access to parameter target : Span<T> [element] : A |
+| CollectionFlow.cs:511:14:511:22 | access to indexer | semmle.label | access to indexer |
+| CollectionFlow.cs:516:17:516:23 | object creation of type A : A | semmle.label | object creation of type A : A |
+| CollectionFlow.cs:517:32:517:63 | object creation of type ReadOnlySpan<A> : ReadOnlySpan<T> [element] : A | semmle.label | object creation of type ReadOnlySpan<A> : ReadOnlySpan<T> [element] : A |
+| CollectionFlow.cs:517:52:517:62 | array creation of type A[] : null [element] : A | semmle.label | array creation of type A[] : null [element] : A |
+| CollectionFlow.cs:517:58:517:62 | { ..., ... } : null [element] : A | semmle.label | { ..., ... } : null [element] : A |
+| CollectionFlow.cs:517:60:517:60 | access to local variable a : A | semmle.label | access to local variable a : A |
+| CollectionFlow.cs:518:14:518:17 | access to local variable span : ReadOnlySpan<T> [element] : A | semmle.label | access to local variable span : ReadOnlySpan<T> [element] : A |
+| CollectionFlow.cs:518:14:518:20 | access to indexer | semmle.label | access to indexer |
 subpaths
 | CollectionFlow.cs:44:20:44:22 | access to local variable as : null [element] : A | CollectionFlow.cs:22:34:22:35 | ts : null [element] : A | CollectionFlow.cs:22:41:22:45 | access to array element : A | CollectionFlow.cs:44:14:44:23 | call to method First<A> |
 | CollectionFlow.cs:62:20:62:23 | access to field As : A[] [element] : A | CollectionFlow.cs:22:34:22:35 | ts : A[] [element] : A | CollectionFlow.cs:22:41:22:45 | access to array element : A | CollectionFlow.cs:62:14:62:24 | call to method First<A> |
@@ -581,3 +640,8 @@ subpaths
 | CollectionFlow.cs:427:17:427:23 | object creation of type A : A | CollectionFlow.cs:427:17:427:23 | object creation of type A : A | CollectionFlow.cs:429:14:429:21 | access to array element | $@ | CollectionFlow.cs:429:14:429:21 | access to array element | access to array element |
 | CollectionFlow.cs:434:17:434:23 | object creation of type A : A | CollectionFlow.cs:434:17:434:23 | object creation of type A : A | CollectionFlow.cs:436:14:436:17 | access to indexer | $@ | CollectionFlow.cs:436:14:436:17 | access to indexer | access to indexer |
 | CollectionFlow.cs:447:17:447:23 | object creation of type A : A | CollectionFlow.cs:447:17:447:23 | object creation of type A : A | CollectionFlow.cs:450:14:450:21 | access to array element | $@ | CollectionFlow.cs:450:14:450:21 | access to array element | access to array element |
+| CollectionFlow.cs:487:17:487:23 | object creation of type A : A | CollectionFlow.cs:487:17:487:23 | object creation of type A : A | CollectionFlow.cs:489:14:489:20 | access to indexer | $@ | CollectionFlow.cs:489:14:489:20 | access to indexer | access to indexer |
+| CollectionFlow.cs:494:17:494:23 | object creation of type A : A | CollectionFlow.cs:494:17:494:23 | object creation of type A : A | CollectionFlow.cs:497:14:497:19 | access to array element | $@ | CollectionFlow.cs:497:14:497:19 | access to array element | access to array element |
+| CollectionFlow.cs:502:17:502:23 | object creation of type A : A | CollectionFlow.cs:502:17:502:23 | object creation of type A : A | CollectionFlow.cs:504:14:504:22 | access to indexer | $@ | CollectionFlow.cs:504:14:504:22 | access to indexer | access to indexer |
+| CollectionFlow.cs:509:42:509:48 | object creation of type A : A | CollectionFlow.cs:509:42:509:48 | object creation of type A : A | CollectionFlow.cs:511:14:511:22 | access to indexer | $@ | CollectionFlow.cs:511:14:511:22 | access to indexer | access to indexer |
+| CollectionFlow.cs:516:17:516:23 | object creation of type A : A | CollectionFlow.cs:516:17:516:23 | object creation of type A : A | CollectionFlow.cs:518:14:518:20 | access to indexer | $@ | CollectionFlow.cs:518:14:518:20 | access to indexer | access to indexer |

csharp/ql/test/library-tests/dataflow/library/FlowSummaries.expected

@@ -5137,6 +5137,8 @@ summary
 | System.Collections.Immutable;ImmutableArray;false;CreateRange<TSource,TArg,TResult>;(System.Collections.Immutable.ImmutableArray<TSource>,System.Int32,System.Int32,System.Func<TSource,TArg,TResult>,TArg);;Argument[3];Argument[3].Parameter[delegate-self];value;hq-generated |
 | System.Collections.Immutable;ImmutableArray;false;CreateRange<TSource,TResult>;(System.Collections.Immutable.ImmutableArray<TSource>,System.Func<TSource,TResult>);;Argument[1];Argument[1].Parameter[delegate-self];value;hq-generated |
 | System.Collections.Immutable;ImmutableArray;false;CreateRange<TSource,TResult>;(System.Collections.Immutable.ImmutableArray<TSource>,System.Int32,System.Int32,System.Func<TSource,TResult>);;Argument[3];Argument[3].Parameter[delegate-self];value;hq-generated |
+| System.Collections.Immutable;ImmutableArray;false;ToImmutableArray<T>;(System.ReadOnlySpan<T>);;Argument[0].Element;ReturnValue.Element;value;manual |
+| System.Collections.Immutable;ImmutableArray;false;ToImmutableArray<T>;(System.Span<T>);;Argument[0].Element;ReturnValue.Element;value;manual |
 | System.Collections.Immutable;ImmutableArray;false;ToImmutableArray<TSource>;(System.Collections.Generic.IEnumerable<TSource>);;Argument[0].Element;ReturnValue;taint;df-generated |
 | System.Collections.Immutable;ImmutableArray<T>+Builder;false;Add;(T);;Argument[0];Argument[this].Element;value;manual |
 | System.Collections.Immutable;ImmutableArray<T>+Builder;false;AddRange;(System.Collections.Generic.IEnumerable<T>);;Argument[0].Element;Argument[this].Element;value;manual |
@@ -9803,9 +9805,9 @@ summary
 | System.Linq;Enumerable;false;Concat<TSource>;(System.Collections.Generic.IEnumerable<TSource>,System.Collections.Generic.IEnumerable<TSource>);;Argument[1].Element;ReturnValue.Element;value;manual |
 | System.Linq;Enumerable;false;Count<TSource>;(System.Collections.Generic.IEnumerable<TSource>,System.Func<TSource,System.Boolean>);;Argument[0].Element;Argument[1].Parameter[0];value;manual |
 | System.Linq;Enumerable;false;Count<TSource>;(System.Collections.Generic.IEnumerable<TSource>,System.Func<TSource,System.Boolean>);;Argument[1];Argument[1].Parameter[delegate-self];value;manual |
-| System.Linq;Enumerable;false;DefaultIfEmpty<TSource>;(System.Collections.Generic.IEnumerable<TSource>);;Argument[0].Element;ReturnValue;value;manual |
-| System.Linq;Enumerable;false;DefaultIfEmpty<TSource>;(System.Collections.Generic.IEnumerable<TSource>,TSource);;Argument[0].Element;ReturnValue;value;manual |
-| System.Linq;Enumerable;false;DefaultIfEmpty<TSource>;(System.Collections.Generic.IEnumerable<TSource>,TSource);;Argument[1];ReturnValue;value;manual |
+| System.Linq;Enumerable;false;DefaultIfEmpty<TSource>;(System.Collections.Generic.IEnumerable<TSource>);;Argument[0].Element;ReturnValue.Element;value;manual |
+| System.Linq;Enumerable;false;DefaultIfEmpty<TSource>;(System.Collections.Generic.IEnumerable<TSource>,TSource);;Argument[0].Element;ReturnValue.Element;value;manual |
+| System.Linq;Enumerable;false;DefaultIfEmpty<TSource>;(System.Collections.Generic.IEnumerable<TSource>,TSource);;Argument[1];ReturnValue.Element;value;manual |
 | System.Linq;Enumerable;false;Distinct<TSource>;(System.Collections.Generic.IEnumerable<TSource>);;Argument[0].Element;ReturnValue.Element;value;manual |
 | System.Linq;Enumerable;false;Distinct<TSource>;(System.Collections.Generic.IEnumerable<TSource>,System.Collections.Generic.IEqualityComparer<TSource>);;Argument[0].Element;ReturnValue.Element;value;manual |
 | System.Linq;Enumerable;false;DistinctBy<TSource,TKey>;(System.Collections.Generic.IEnumerable<TSource>,System.Func<TSource,TKey>);;Argument[1];Argument[1].Parameter[delegate-self];value;hq-generated |
@@ -9814,8 +9816,8 @@ summary
 | System.Linq;Enumerable;false;ElementAt<TSource>;(System.Collections.Generic.IEnumerable<TSource>,System.Int32);;Argument[0].Element;ReturnValue;value;manual |
 | System.Linq;Enumerable;false;ElementAtOrDefault<TSource>;(System.Collections.Generic.IEnumerable<TSource>,System.Index);;Argument[0].Element;ReturnValue;taint;df-generated |
 | System.Linq;Enumerable;false;ElementAtOrDefault<TSource>;(System.Collections.Generic.IEnumerable<TSource>,System.Int32);;Argument[0].Element;ReturnValue;value;manual |
-| System.Linq;Enumerable;false;Except<TSource>;(System.Collections.Generic.IEnumerable<TSource>,System.Collections.Generic.IEnumerable<TSource>);;Argument[0].Element;ReturnValue;value;manual |
-| System.Linq;Enumerable;false;Except<TSource>;(System.Collections.Generic.IEnumerable<TSource>,System.Collections.Generic.IEnumerable<TSource>,System.Collections.Generic.IEqualityComparer<TSource>);;Argument[0].Element;ReturnValue;value;manual |
+| System.Linq;Enumerable;false;Except<TSource>;(System.Collections.Generic.IEnumerable<TSource>,System.Collections.Generic.IEnumerable<TSource>);;Argument[0].Element;ReturnValue.Element;value;manual |
+| System.Linq;Enumerable;false;Except<TSource>;(System.Collections.Generic.IEnumerable<TSource>,System.Collections.Generic.IEnumerable<TSource>,System.Collections.Generic.IEqualityComparer<TSource>);;Argument[0].Element;ReturnValue.Element;value;manual |
 | System.Linq;Enumerable;false;ExceptBy<TSource,TKey>;(System.Collections.Generic.IEnumerable<TSource>,System.Collections.Generic.IEnumerable<TKey>,System.Func<TSource,TKey>);;Argument[2];Argument[2].Parameter[delegate-self];value;hq-generated |
 | System.Linq;Enumerable;false;ExceptBy<TSource,TKey>;(System.Collections.Generic.IEnumerable<TSource>,System.Collections.Generic.IEnumerable<TKey>,System.Func<TSource,TKey>,System.Collections.Generic.IEqualityComparer<TKey>);;Argument[2];Argument[2].Parameter[delegate-self];value;hq-generated |
 | System.Linq;Enumerable;false;First<TSource>;(System.Collections.Generic.IEnumerable<TSource>);;Argument[0].Element;ReturnValue;value;manual |
@@ -10238,17 +10240,17 @@ summary
 | System.Linq;ParallelEnumerable;false;Concat<TSource>;(System.Linq.ParallelQuery<TSource>,System.Linq.ParallelQuery<TSource>);;Argument[1].Element;ReturnValue.Element;value;manual |
 | System.Linq;ParallelEnumerable;false;Count<TSource>;(System.Linq.ParallelQuery<TSource>,System.Func<TSource,System.Boolean>);;Argument[0].Element;Argument[1].Parameter[0];value;manual |
 | System.Linq;ParallelEnumerable;false;Count<TSource>;(System.Linq.ParallelQuery<TSource>,System.Func<TSource,System.Boolean>);;Argument[1];Argument[1].Parameter[delegate-self];value;manual |
-| System.Linq;ParallelEnumerable;false;DefaultIfEmpty<TSource>;(System.Linq.ParallelQuery<TSource>);;Argument[0].Element;ReturnValue;value;manual |
-| System.Linq;ParallelEnumerable;false;DefaultIfEmpty<TSource>;(System.Linq.ParallelQuery<TSource>,TSource);;Argument[0].Element;ReturnValue;value;manual |
-| System.Linq;ParallelEnumerable;false;DefaultIfEmpty<TSource>;(System.Linq.ParallelQuery<TSource>,TSource);;Argument[1];ReturnValue;value;manual |
+| System.Linq;ParallelEnumerable;false;DefaultIfEmpty<TSource>;(System.Linq.ParallelQuery<TSource>);;Argument[0].Element;ReturnValue.Element;value;manual |
+| System.Linq;ParallelEnumerable;false;DefaultIfEmpty<TSource>;(System.Linq.ParallelQuery<TSource>,TSource);;Argument[0].Element;ReturnValue.Element;value;manual |
+| System.Linq;ParallelEnumerable;false;DefaultIfEmpty<TSource>;(System.Linq.ParallelQuery<TSource>,TSource);;Argument[1];ReturnValue.Element;value;manual |
 | System.Linq;ParallelEnumerable;false;Distinct<TSource>;(System.Linq.ParallelQuery<TSource>);;Argument[0].Element;ReturnValue.Element;value;manual |
 | System.Linq;ParallelEnumerable;false;Distinct<TSource>;(System.Linq.ParallelQuery<TSource>,System.Collections.Generic.IEqualityComparer<TSource>);;Argument[0].Element;ReturnValue.Element;value;manual |
 | System.Linq;ParallelEnumerable;false;ElementAt<TSource>;(System.Linq.ParallelQuery<TSource>,System.Int32);;Argument[0].Element;ReturnValue;value;manual |
 | System.Linq;ParallelEnumerable;false;ElementAtOrDefault<TSource>;(System.Linq.ParallelQuery<TSource>,System.Int32);;Argument[0].Element;ReturnValue;value;manual |
-| System.Linq;ParallelEnumerable;false;Except<TSource>;(System.Linq.ParallelQuery<TSource>,System.Collections.Generic.IEnumerable<TSource>);;Argument[0].Element;ReturnValue;value;manual |
-| System.Linq;ParallelEnumerable;false;Except<TSource>;(System.Linq.ParallelQuery<TSource>,System.Collections.Generic.IEnumerable<TSource>,System.Collections.Generic.IEqualityComparer<TSource>);;Argument[0].Element;ReturnValue;value;manual |
-| System.Linq;ParallelEnumerable;false;Except<TSource>;(System.Linq.ParallelQuery<TSource>,System.Linq.ParallelQuery<TSource>);;Argument[0].Element;ReturnValue;value;manual |
-| System.Linq;ParallelEnumerable;false;Except<TSource>;(System.Linq.ParallelQuery<TSource>,System.Linq.ParallelQuery<TSource>,System.Collections.Generic.IEqualityComparer<TSource>);;Argument[0].Element;ReturnValue;value;manual |
+| System.Linq;ParallelEnumerable;false;Except<TSource>;(System.Linq.ParallelQuery<TSource>,System.Collections.Generic.IEnumerable<TSource>);;Argument[0].Element;ReturnValue.Element;value;manual |
+| System.Linq;ParallelEnumerable;false;Except<TSource>;(System.Linq.ParallelQuery<TSource>,System.Collections.Generic.IEnumerable<TSource>,System.Collections.Generic.IEqualityComparer<TSource>);;Argument[0].Element;ReturnValue.Element;value;manual |
+| System.Linq;ParallelEnumerable;false;Except<TSource>;(System.Linq.ParallelQuery<TSource>,System.Linq.ParallelQuery<TSource>);;Argument[0].Element;ReturnValue.Element;value;manual |
+| System.Linq;ParallelEnumerable;false;Except<TSource>;(System.Linq.ParallelQuery<TSource>,System.Linq.ParallelQuery<TSource>,System.Collections.Generic.IEqualityComparer<TSource>);;Argument[0].Element;ReturnValue.Element;value;manual |
 | System.Linq;ParallelEnumerable;false;First<TSource>;(System.Linq.ParallelQuery<TSource>);;Argument[0].Element;ReturnValue;value;manual |
 | System.Linq;ParallelEnumerable;false;First<TSource>;(System.Linq.ParallelQuery<TSource>,System.Func<TSource,System.Boolean>);;Argument[0].Element;Argument[1].Parameter[0];value;manual |
 | System.Linq;ParallelEnumerable;false;First<TSource>;(System.Linq.ParallelQuery<TSource>,System.Func<TSource,System.Boolean>);;Argument[0].Element;ReturnValue;value;manual |
@@ -10624,17 +10626,17 @@ summary
 | System.Linq;Queryable;false;Concat<TSource>;(System.Linq.IQueryable<TSource>,System.Collections.Generic.IEnumerable<TSource>);;Argument[1].Element;ReturnValue.Element;value;manual |
 | System.Linq;Queryable;false;Count<TSource>;(System.Linq.IQueryable<TSource>,System.Linq.Expressions.Expression<System.Func<TSource,System.Boolean>>);;Argument[0].Element;Argument[1].Parameter[0];value;manual |
 | System.Linq;Queryable;false;Count<TSource>;(System.Linq.IQueryable<TSource>,System.Linq.Expressions.Expression<System.Func<TSource,System.Boolean>>);;Argument[1];Argument[1].Parameter[delegate-self];value;manual |
-| System.Linq;Queryable;false;DefaultIfEmpty<TSource>;(System.Linq.IQueryable<TSource>);;Argument[0].Element;ReturnValue;value;manual |
-| System.Linq;Queryable;false;DefaultIfEmpty<TSource>;(System.Linq.IQueryable<TSource>,TSource);;Argument[0].Element;ReturnValue;value;manual |
-| System.Linq;Queryable;false;DefaultIfEmpty<TSource>;(System.Linq.IQueryable<TSource>,TSource);;Argument[1];ReturnValue;value;manual |
+| System.Linq;Queryable;false;DefaultIfEmpty<TSource>;(System.Linq.IQueryable<TSource>);;Argument[0].Element;ReturnValue.Element;value;manual |
+| System.Linq;Queryable;false;DefaultIfEmpty<TSource>;(System.Linq.IQueryable<TSource>,TSource);;Argument[0].Element;ReturnValue.Element;value;manual |
+| System.Linq;Queryable;false;DefaultIfEmpty<TSource>;(System.Linq.IQueryable<TSource>,TSource);;Argument[1];ReturnValue.Element;value;manual |
 | System.Linq;Queryable;false;Distinct<TSource>;(System.Linq.IQueryable<TSource>);;Argument[0].Element;ReturnValue.Element;value;manual |
 | System.Linq;Queryable;false;Distinct<TSource>;(System.Linq.IQueryable<TSource>,System.Collections.Generic.IEqualityComparer<TSource>);;Argument[0].Element;ReturnValue.Element;value;manual |
 | System.Linq;Queryable;false;DistinctBy<TSource,TKey>;(System.Linq.IQueryable<TSource>,System.Linq.Expressions.Expression<System.Func<TSource,TKey>>);;Argument[1];Argument[1].Parameter[delegate-self];value;hq-generated |
 | System.Linq;Queryable;false;DistinctBy<TSource,TKey>;(System.Linq.IQueryable<TSource>,System.Linq.Expressions.Expression<System.Func<TSource,TKey>>,System.Collections.Generic.IEqualityComparer<TKey>);;Argument[1];Argument[1].Parameter[delegate-self];value;hq-generated |
 | System.Linq;Queryable;false;ElementAt<TSource>;(System.Linq.IQueryable<TSource>,System.Int32);;Argument[0].Element;ReturnValue;value;manual |
 | System.Linq;Queryable;false;ElementAtOrDefault<TSource>;(System.Linq.IQueryable<TSource>,System.Int32);;Argument[0].Element;ReturnValue;value;manual |
-| System.Linq;Queryable;false;Except<TSource>;(System.Linq.IQueryable<TSource>,System.Collections.Generic.IEnumerable<TSource>);;Argument[0].Element;ReturnValue;value;manual |
-| System.Linq;Queryable;false;Except<TSource>;(System.Linq.IQueryable<TSource>,System.Collections.Generic.IEnumerable<TSource>,System.Collections.Generic.IEqualityComparer<TSource>);;Argument[0].Element;ReturnValue;value;manual |
+| System.Linq;Queryable;false;Except<TSource>;(System.Linq.IQueryable<TSource>,System.Collections.Generic.IEnumerable<TSource>);;Argument[0].Element;ReturnValue.Element;value;manual |
+| System.Linq;Queryable;false;Except<TSource>;(System.Linq.IQueryable<TSource>,System.Collections.Generic.IEnumerable<TSource>,System.Collections.Generic.IEqualityComparer<TSource>);;Argument[0].Element;ReturnValue.Element;value;manual |
 | System.Linq;Queryable;false;ExceptBy<TSource,TKey>;(System.Linq.IQueryable<TSource>,System.Collections.Generic.IEnumerable<TKey>,System.Linq.Expressions.Expression<System.Func<TSource,TKey>>);;Argument[2];Argument[2].Parameter[delegate-self];value;hq-generated |
 | System.Linq;Queryable;false;ExceptBy<TSource,TKey>;(System.Linq.IQueryable<TSource>,System.Collections.Generic.IEnumerable<TKey>,System.Linq.Expressions.Expression<System.Func<TSource,TKey>>,System.Collections.Generic.IEqualityComparer<TKey>);;Argument[2];Argument[2].Parameter[delegate-self];value;hq-generated |
 | System.Linq;Queryable;false;First<TSource>;(System.Linq.IQueryable<TSource>);;Argument[0].Element;ReturnValue;value;manual |
@@ -17709,6 +17711,9 @@ summary
 | System;MemoryExtensions;false;AsMemory<T>;(T[],System.Range);;Argument[0].Element;ReturnValue;taint;df-generated |
 | System;MemoryExtensions;false;EnumerateLines;(System.ReadOnlySpan<System.Char>);;Argument[0];ReturnValue;taint;df-generated |
 | System;MemoryExtensions;false;EnumerateRunes;(System.ReadOnlySpan<System.Char>);;Argument[0];ReturnValue;taint;df-generated |
+| System;MemoryExtensions;false;Replace<T>;(System.ReadOnlySpan<T>,System.Span<T>,T,T);;Argument[0].Element;Argument[1].Element;value;manual |
+| System;MemoryExtensions;false;Replace<T>;(System.ReadOnlySpan<T>,System.Span<T>,T,T);;Argument[3];Argument[1].Element;value;manual |
+| System;MemoryExtensions;false;Replace<T>;(System.Span<T>,T,T);;Argument[2];Argument[0].Element;value;manual |
 | System;MemoryExtensions;false;Sort<T>;(System.Span<T>,System.Comparison<T>);;Argument[1];Argument[1].Parameter[delegate-self];value;hq-generated |
 | System;MemoryExtensions;false;Sort<TKey,TValue>;(System.Span<TKey>,System.Span<TValue>,System.Comparison<TKey>);;Argument[2];Argument[2].Parameter[delegate-self];value;hq-generated |
 | System;MemoryExtensions;false;Trim;(System.Memory<System.Char>);;Argument[0];ReturnValue;taint;df-generated |
@@ -17785,7 +17790,17 @@ summary
 | System;ReadOnlyMemory<T>;false;Slice;(System.Int32);;Argument[this];ReturnValue;taint;df-generated |
 | System;ReadOnlyMemory<T>;false;Slice;(System.Int32,System.Int32);;Argument[this];ReturnValue;taint;df-generated |
 | System;ReadOnlyMemory<T>;false;ToString;();;Argument[this];ReturnValue;taint;df-generated |
+| System;ReadOnlySpan<T>;false;CopyTo;(System.Span<T>);;Argument[this].Element;Argument[0].Element;value;manual |
 | System;ReadOnlySpan<T>;false;GetEnumerator;();;Argument[this];ReturnValue;taint;df-generated |
+| System;ReadOnlySpan<T>;false;GetPinnableReference;();;Argument[this].Element;ReturnValue;value;manual |
+| System;ReadOnlySpan<T>;false;ReadOnlySpan;(T);;Argument[0];Argument[this].Element;value;manual |
+| System;ReadOnlySpan<T>;false;ReadOnlySpan;(T[]);;Argument[0].Element;Argument[this].Element;value;manual |
+| System;ReadOnlySpan<T>;false;ReadOnlySpan;(T[],System.Int32,System.Int32);;Argument[0].Element;Argument[this].Element;value;manual |
+| System;ReadOnlySpan<T>;false;Slice;(System.Int32);;Argument[this].Element;ReturnValue.Element;value;manual |
+| System;ReadOnlySpan<T>;false;Slice;(System.Int32,System.Int32);;Argument[this].Element;ReturnValue.Element;value;manual |
+| System;ReadOnlySpan<T>;false;ToArray;();;Argument[this].Element;ReturnValue.Element;value;manual |
+| System;ReadOnlySpan<T>;false;TryCopyTo;(System.Span<T>);;Argument[this].Element;Argument[0].Element;value;manual |
+| System;ReadOnlySpan<T>;false;get_Item;(System.Int32);;Argument[this].Element;ReturnValue;value;manual |
 | System;ResolveEventHandler;false;BeginInvoke;(System.Object,System.ResolveEventArgs,System.AsyncCallback,System.Object);;Argument[2];Argument[2].Parameter[delegate-self];value;hq-generated |
 | System;RuntimeFieldHandle;false;FromIntPtr;(System.IntPtr);;Argument[0];ReturnValue;taint;df-generated |
 | System;RuntimeFieldHandle;false;ToIntPtr;(System.RuntimeFieldHandle);;Argument[0];ReturnValue;taint;df-generated |
@@ -17833,7 +17848,19 @@ summary
 | System;Single;false;ToString;(System.IFormatProvider);;Argument[0];ReturnValue;taint;df-generated |
 | System;Single;false;ToString;(System.String,System.IFormatProvider);;Argument[1];ReturnValue;taint;df-generated |
 | System;Single;false;ToType;(System.Type,System.IFormatProvider);;Argument[1];ReturnValue;taint;df-generated |
+| System;Span<T>;false;Clear;();;Argument[this].WithoutElement;Argument[this];value;manual |
+| System;Span<T>;false;CopyTo;(System.Span<T>);;Argument[this].Element;Argument[0].Element;value;manual |
+| System;Span<T>;false;Fill;(T);;Argument[0];Argument[this].Element;value;manual |
 | System;Span<T>;false;GetEnumerator;();;Argument[this];ReturnValue;taint;df-generated |
+| System;Span<T>;false;GetPinnableReference;();;Argument[this].Element;ReturnValue;value;manual |
+| System;Span<T>;false;Slice;(System.Int32);;Argument[this].Element;ReturnValue.Element;value;manual |
+| System;Span<T>;false;Slice;(System.Int32,System.Int32);;Argument[this].Element;ReturnValue.Element;value;manual |
+| System;Span<T>;false;Span;(T);;Argument[0];Argument[this].Element;value;manual |
+| System;Span<T>;false;Span;(T[]);;Argument[0].Element;Argument[this].Element;value;manual |
+| System;Span<T>;false;Span;(T[],System.Int32,System.Int32);;Argument[0].Element;Argument[this].Element;value;manual |
+| System;Span<T>;false;ToArray;();;Argument[this].Element;ReturnValue.Element;value;manual |
+| System;Span<T>;false;TryCopyTo;(System.Span<T>);;Argument[this].Element;Argument[0].Element;value;manual |
+| System;Span<T>;false;get_Item;(System.Int32);;Argument[this].Element;ReturnValue;value;manual |
 | System;String;false;Clone;();;Argument[this];ReturnValue;value;manual |
 | System;String;false;Concat;(System.Collections.Generic.IEnumerable<System.String>);;Argument[0].Element;ReturnValue;taint;manual |
 | System;String;false;Concat;(System.Object);;Argument[0];ReturnValue;taint;manual |

csharp/ql/test/library-tests/dataflow/library/FlowSummariesFiltered.expected

@@ -4425,6 +4425,8 @@ summary
 | System.Collections.Immutable;ImmutableArray;false;CreateRange<TSource,TArg,TResult>;(System.Collections.Immutable.ImmutableArray<TSource>,System.Int32,System.Int32,System.Func<TSource,TArg,TResult>,TArg);;Argument[3];Argument[3].Parameter[delegate-self];value;hq-generated |
 | System.Collections.Immutable;ImmutableArray;false;CreateRange<TSource,TResult>;(System.Collections.Immutable.ImmutableArray<TSource>,System.Func<TSource,TResult>);;Argument[1];Argument[1].Parameter[delegate-self];value;hq-generated |
 | System.Collections.Immutable;ImmutableArray;false;CreateRange<TSource,TResult>;(System.Collections.Immutable.ImmutableArray<TSource>,System.Int32,System.Int32,System.Func<TSource,TResult>);;Argument[3];Argument[3].Parameter[delegate-self];value;hq-generated |
+| System.Collections.Immutable;ImmutableArray;false;ToImmutableArray<T>;(System.ReadOnlySpan<T>);;Argument[0].Element;ReturnValue.Element;value;manual |
+| System.Collections.Immutable;ImmutableArray;false;ToImmutableArray<T>;(System.Span<T>);;Argument[0].Element;ReturnValue.Element;value;manual |
 | System.Collections.Immutable;ImmutableArray;false;ToImmutableArray<TSource>;(System.Collections.Generic.IEnumerable<TSource>);;Argument[0].Element;ReturnValue;taint;df-generated |
 | System.Collections.Immutable;ImmutableArray<T>+Builder;false;AddRange;(System.Collections.Generic.IEnumerable<T>);;Argument[0].Element;Argument[this].Element;value;manual |
 | System.Collections.Immutable;ImmutableArray<T>+Builder;false;AddRange;(System.Collections.Immutable.ImmutableArray<T>);;Argument[0].Element;Argument[this].Element;value;manual |
@@ -8181,9 +8183,9 @@ summary
 | System.Linq;Enumerable;false;Concat<TSource>;(System.Collections.Generic.IEnumerable<TSource>,System.Collections.Generic.IEnumerable<TSource>);;Argument[1].Element;ReturnValue.Element;value;manual |
 | System.Linq;Enumerable;false;Count<TSource>;(System.Collections.Generic.IEnumerable<TSource>,System.Func<TSource,System.Boolean>);;Argument[0].Element;Argument[1].Parameter[0];value;manual |
 | System.Linq;Enumerable;false;Count<TSource>;(System.Collections.Generic.IEnumerable<TSource>,System.Func<TSource,System.Boolean>);;Argument[1];Argument[1].Parameter[delegate-self];value;manual |
-| System.Linq;Enumerable;false;DefaultIfEmpty<TSource>;(System.Collections.Generic.IEnumerable<TSource>);;Argument[0].Element;ReturnValue;value;manual |
-| System.Linq;Enumerable;false;DefaultIfEmpty<TSource>;(System.Collections.Generic.IEnumerable<TSource>,TSource);;Argument[0].Element;ReturnValue;value;manual |
-| System.Linq;Enumerable;false;DefaultIfEmpty<TSource>;(System.Collections.Generic.IEnumerable<TSource>,TSource);;Argument[1];ReturnValue;value;manual |
+| System.Linq;Enumerable;false;DefaultIfEmpty<TSource>;(System.Collections.Generic.IEnumerable<TSource>);;Argument[0].Element;ReturnValue.Element;value;manual |
+| System.Linq;Enumerable;false;DefaultIfEmpty<TSource>;(System.Collections.Generic.IEnumerable<TSource>,TSource);;Argument[0].Element;ReturnValue.Element;value;manual |
+| System.Linq;Enumerable;false;DefaultIfEmpty<TSource>;(System.Collections.Generic.IEnumerable<TSource>,TSource);;Argument[1];ReturnValue.Element;value;manual |
 | System.Linq;Enumerable;false;Distinct<TSource>;(System.Collections.Generic.IEnumerable<TSource>);;Argument[0].Element;ReturnValue.Element;value;manual |
 | System.Linq;Enumerable;false;Distinct<TSource>;(System.Collections.Generic.IEnumerable<TSource>,System.Collections.Generic.IEqualityComparer<TSource>);;Argument[0].Element;ReturnValue.Element;value;manual |
 | System.Linq;Enumerable;false;DistinctBy<TSource,TKey>;(System.Collections.Generic.IEnumerable<TSource>,System.Func<TSource,TKey>);;Argument[1];Argument[1].Parameter[delegate-self];value;hq-generated |
@@ -8192,8 +8194,8 @@ summary
 | System.Linq;Enumerable;false;ElementAt<TSource>;(System.Collections.Generic.IEnumerable<TSource>,System.Int32);;Argument[0].Element;ReturnValue;value;manual |
 | System.Linq;Enumerable;false;ElementAtOrDefault<TSource>;(System.Collections.Generic.IEnumerable<TSource>,System.Index);;Argument[0].Element;ReturnValue;taint;df-generated |
 | System.Linq;Enumerable;false;ElementAtOrDefault<TSource>;(System.Collections.Generic.IEnumerable<TSource>,System.Int32);;Argument[0].Element;ReturnValue;value;manual |
-| System.Linq;Enumerable;false;Except<TSource>;(System.Collections.Generic.IEnumerable<TSource>,System.Collections.Generic.IEnumerable<TSource>);;Argument[0].Element;ReturnValue;value;manual |
-| System.Linq;Enumerable;false;Except<TSource>;(System.Collections.Generic.IEnumerable<TSource>,System.Collections.Generic.IEnumerable<TSource>,System.Collections.Generic.IEqualityComparer<TSource>);;Argument[0].Element;ReturnValue;value;manual |
+| System.Linq;Enumerable;false;Except<TSource>;(System.Collections.Generic.IEnumerable<TSource>,System.Collections.Generic.IEnumerable<TSource>);;Argument[0].Element;ReturnValue.Element;value;manual |
+| System.Linq;Enumerable;false;Except<TSource>;(System.Collections.Generic.IEnumerable<TSource>,System.Collections.Generic.IEnumerable<TSource>,System.Collections.Generic.IEqualityComparer<TSource>);;Argument[0].Element;ReturnValue.Element;value;manual |
 | System.Linq;Enumerable;false;ExceptBy<TSource,TKey>;(System.Collections.Generic.IEnumerable<TSource>,System.Collections.Generic.IEnumerable<TKey>,System.Func<TSource,TKey>);;Argument[2];Argument[2].Parameter[delegate-self];value;hq-generated |
 | System.Linq;Enumerable;false;ExceptBy<TSource,TKey>;(System.Collections.Generic.IEnumerable<TSource>,System.Collections.Generic.IEnumerable<TKey>,System.Func<TSource,TKey>,System.Collections.Generic.IEqualityComparer<TKey>);;Argument[2];Argument[2].Parameter[delegate-self];value;hq-generated |
 | System.Linq;Enumerable;false;First<TSource>;(System.Collections.Generic.IEnumerable<TSource>);;Argument[0].Element;ReturnValue;value;manual |
@@ -8613,17 +8615,17 @@ summary
 | System.Linq;ParallelEnumerable;false;Concat<TSource>;(System.Linq.ParallelQuery<TSource>,System.Linq.ParallelQuery<TSource>);;Argument[1].Element;ReturnValue.Element;value;manual |
 | System.Linq;ParallelEnumerable;false;Count<TSource>;(System.Linq.ParallelQuery<TSource>,System.Func<TSource,System.Boolean>);;Argument[0].Element;Argument[1].Parameter[0];value;manual |
 | System.Linq;ParallelEnumerable;false;Count<TSource>;(System.Linq.ParallelQuery<TSource>,System.Func<TSource,System.Boolean>);;Argument[1];Argument[1].Parameter[delegate-self];value;manual |
-| System.Linq;ParallelEnumerable;false;DefaultIfEmpty<TSource>;(System.Linq.ParallelQuery<TSource>);;Argument[0].Element;ReturnValue;value;manual |
-| System.Linq;ParallelEnumerable;false;DefaultIfEmpty<TSource>;(System.Linq.ParallelQuery<TSource>,TSource);;Argument[0].Element;ReturnValue;value;manual |
-| System.Linq;ParallelEnumerable;false;DefaultIfEmpty<TSource>;(System.Linq.ParallelQuery<TSource>,TSource);;Argument[1];ReturnValue;value;manual |
+| System.Linq;ParallelEnumerable;false;DefaultIfEmpty<TSource>;(System.Linq.ParallelQuery<TSource>);;Argument[0].Element;ReturnValue.Element;value;manual |
+| System.Linq;ParallelEnumerable;false;DefaultIfEmpty<TSource>;(System.Linq.ParallelQuery<TSource>,TSource);;Argument[0].Element;ReturnValue.Element;value;manual |
+| System.Linq;ParallelEnumerable;false;DefaultIfEmpty<TSource>;(System.Linq.ParallelQuery<TSource>,TSource);;Argument[1];ReturnValue.Element;value;manual |
 | System.Linq;ParallelEnumerable;false;Distinct<TSource>;(System.Linq.ParallelQuery<TSource>);;Argument[0].Element;ReturnValue.Element;value;manual |
 | System.Linq;ParallelEnumerable;false;Distinct<TSource>;(System.Linq.ParallelQuery<TSource>,System.Collections.Generic.IEqualityComparer<TSource>);;Argument[0].Element;ReturnValue.Element;value;manual |
 | System.Linq;ParallelEnumerable;false;ElementAt<TSource>;(System.Linq.ParallelQuery<TSource>,System.Int32);;Argument[0].Element;ReturnValue;value;manual |
 | System.Linq;ParallelEnumerable;false;ElementAtOrDefault<TSource>;(System.Linq.ParallelQuery<TSource>,System.Int32);;Argument[0].Element;ReturnValue;value;manual |
-| System.Linq;ParallelEnumerable;false;Except<TSource>;(System.Linq.ParallelQuery<TSource>,System.Collections.Generic.IEnumerable<TSource>);;Argument[0].Element;ReturnValue;value;manual |
-| System.Linq;ParallelEnumerable;false;Except<TSource>;(System.Linq.ParallelQuery<TSource>,System.Collections.Generic.IEnumerable<TSource>,System.Collections.Generic.IEqualityComparer<TSource>);;Argument[0].Element;ReturnValue;value;manual |
-| System.Linq;ParallelEnumerable;false;Except<TSource>;(System.Linq.ParallelQuery<TSource>,System.Linq.ParallelQuery<TSource>);;Argument[0].Element;ReturnValue;value;manual |
-| System.Linq;ParallelEnumerable;false;Except<TSource>;(System.Linq.ParallelQuery<TSource>,System.Linq.ParallelQuery<TSource>,System.Collections.Generic.IEqualityComparer<TSource>);;Argument[0].Element;ReturnValue;value;manual |
+| System.Linq;ParallelEnumerable;false;Except<TSource>;(System.Linq.ParallelQuery<TSource>,System.Collections.Generic.IEnumerable<TSource>);;Argument[0].Element;ReturnValue.Element;value;manual |
+| System.Linq;ParallelEnumerable;false;Except<TSource>;(System.Linq.ParallelQuery<TSource>,System.Collections.Generic.IEnumerable<TSource>,System.Collections.Generic.IEqualityComparer<TSource>);;Argument[0].Element;ReturnValue.Element;value;manual |
+| System.Linq;ParallelEnumerable;false;Except<TSource>;(System.Linq.ParallelQuery<TSource>,System.Linq.ParallelQuery<TSource>);;Argument[0].Element;ReturnValue.Element;value;manual |
+| System.Linq;ParallelEnumerable;false;Except<TSource>;(System.Linq.ParallelQuery<TSource>,System.Linq.ParallelQuery<TSource>,System.Collections.Generic.IEqualityComparer<TSource>);;Argument[0].Element;ReturnValue.Element;value;manual |
 | System.Linq;ParallelEnumerable;false;First<TSource>;(System.Linq.ParallelQuery<TSource>);;Argument[0].Element;ReturnValue;value;manual |
 | System.Linq;ParallelEnumerable;false;First<TSource>;(System.Linq.ParallelQuery<TSource>,System.Func<TSource,System.Boolean>);;Argument[0].Element;Argument[1].Parameter[0];value;manual |
 | System.Linq;ParallelEnumerable;false;First<TSource>;(System.Linq.ParallelQuery<TSource>,System.Func<TSource,System.Boolean>);;Argument[0].Element;ReturnValue;value;manual |
@@ -8997,17 +8999,17 @@ summary
 | System.Linq;Queryable;false;Concat<TSource>;(System.Linq.IQueryable<TSource>,System.Collections.Generic.IEnumerable<TSource>);;Argument[1].Element;ReturnValue.Element;value;manual |
 | System.Linq;Queryable;false;Count<TSource>;(System.Linq.IQueryable<TSource>,System.Linq.Expressions.Expression<System.Func<TSource,System.Boolean>>);;Argument[0].Element;Argument[1].Parameter[0];value;manual |
 | System.Linq;Queryable;false;Count<TSource>;(System.Linq.IQueryable<TSource>,System.Linq.Expressions.Expression<System.Func<TSource,System.Boolean>>);;Argument[1];Argument[1].Parameter[delegate-self];value;manual |
-| System.Linq;Queryable;false;DefaultIfEmpty<TSource>;(System.Linq.IQueryable<TSource>);;Argument[0].Element;ReturnValue;value;manual |
-| System.Linq;Queryable;false;DefaultIfEmpty<TSource>;(System.Linq.IQueryable<TSource>,TSource);;Argument[0].Element;ReturnValue;value;manual |
-| System.Linq;Queryable;false;DefaultIfEmpty<TSource>;(System.Linq.IQueryable<TSource>,TSource);;Argument[1];ReturnValue;value;manual |
+| System.Linq;Queryable;false;DefaultIfEmpty<TSource>;(System.Linq.IQueryable<TSource>);;Argument[0].Element;ReturnValue.Element;value;manual |
+| System.Linq;Queryable;false;DefaultIfEmpty<TSource>;(System.Linq.IQueryable<TSource>,TSource);;Argument[0].Element;ReturnValue.Element;value;manual |
+| System.Linq;Queryable;false;DefaultIfEmpty<TSource>;(System.Linq.IQueryable<TSource>,TSource);;Argument[1];ReturnValue.Element;value;manual |
 | System.Linq;Queryable;false;Distinct<TSource>;(System.Linq.IQueryable<TSource>);;Argument[0].Element;ReturnValue.Element;value;manual |
 | System.Linq;Queryable;false;Distinct<TSource>;(System.Linq.IQueryable<TSource>,System.Collections.Generic.IEqualityComparer<TSource>);;Argument[0].Element;ReturnValue.Element;value;manual |
 | System.Linq;Queryable;false;DistinctBy<TSource,TKey>;(System.Linq.IQueryable<TSource>,System.Linq.Expressions.Expression<System.Func<TSource,TKey>>);;Argument[1];Argument[1].Parameter[delegate-self];value;hq-generated |
 | System.Linq;Queryable;false;DistinctBy<TSource,TKey>;(System.Linq.IQueryable<TSource>,System.Linq.Expressions.Expression<System.Func<TSource,TKey>>,System.Collections.Generic.IEqualityComparer<TKey>);;Argument[1];Argument[1].Parameter[delegate-self];value;hq-generated |
 | System.Linq;Queryable;false;ElementAt<TSource>;(System.Linq.IQueryable<TSource>,System.Int32);;Argument[0].Element;ReturnValue;value;manual |
 | System.Linq;Queryable;false;ElementAtOrDefault<TSource>;(System.Linq.IQueryable<TSource>,System.Int32);;Argument[0].Element;ReturnValue;value;manual |
-| System.Linq;Queryable;false;Except<TSource>;(System.Linq.IQueryable<TSource>,System.Collections.Generic.IEnumerable<TSource>);;Argument[0].Element;ReturnValue;value;manual |
-| System.Linq;Queryable;false;Except<TSource>;(System.Linq.IQueryable<TSource>,System.Collections.Generic.IEnumerable<TSource>,System.Collections.Generic.IEqualityComparer<TSource>);;Argument[0].Element;ReturnValue;value;manual |
+| System.Linq;Queryable;false;Except<TSource>;(System.Linq.IQueryable<TSource>,System.Collections.Generic.IEnumerable<TSource>);;Argument[0].Element;ReturnValue.Element;value;manual |
+| System.Linq;Queryable;false;Except<TSource>;(System.Linq.IQueryable<TSource>,System.Collections.Generic.IEnumerable<TSource>,System.Collections.Generic.IEqualityComparer<TSource>);;Argument[0].Element;ReturnValue.Element;value;manual |
 | System.Linq;Queryable;false;ExceptBy<TSource,TKey>;(System.Linq.IQueryable<TSource>,System.Collections.Generic.IEnumerable<TKey>,System.Linq.Expressions.Expression<System.Func<TSource,TKey>>);;Argument[2];Argument[2].Parameter[delegate-self];value;hq-generated |
 | System.Linq;Queryable;false;ExceptBy<TSource,TKey>;(System.Linq.IQueryable<TSource>,System.Collections.Generic.IEnumerable<TKey>,System.Linq.Expressions.Expression<System.Func<TSource,TKey>>,System.Collections.Generic.IEqualityComparer<TKey>);;Argument[2];Argument[2].Parameter[delegate-self];value;hq-generated |
 | System.Linq;Queryable;false;First<TSource>;(System.Linq.IQueryable<TSource>);;Argument[0].Element;ReturnValue;value;manual |
@@ -15265,6 +15267,9 @@ summary
 | System;MemoryExtensions;false;AsMemory<T>;(T[],System.Range);;Argument[0].Element;ReturnValue;taint;df-generated |
 | System;MemoryExtensions;false;EnumerateLines;(System.ReadOnlySpan<System.Char>);;Argument[0];ReturnValue;taint;df-generated |
 | System;MemoryExtensions;false;EnumerateRunes;(System.ReadOnlySpan<System.Char>);;Argument[0];ReturnValue;taint;df-generated |
+| System;MemoryExtensions;false;Replace<T>;(System.ReadOnlySpan<T>,System.Span<T>,T,T);;Argument[0].Element;Argument[1].Element;value;manual |
+| System;MemoryExtensions;false;Replace<T>;(System.ReadOnlySpan<T>,System.Span<T>,T,T);;Argument[3];Argument[1].Element;value;manual |
+| System;MemoryExtensions;false;Replace<T>;(System.Span<T>,T,T);;Argument[2];Argument[0].Element;value;manual |
 | System;MemoryExtensions;false;Sort<T>;(System.Span<T>,System.Comparison<T>);;Argument[1];Argument[1].Parameter[delegate-self];value;hq-generated |
 | System;MemoryExtensions;false;Sort<TKey,TValue>;(System.Span<TKey>,System.Span<TValue>,System.Comparison<TKey>);;Argument[2];Argument[2].Parameter[delegate-self];value;hq-generated |
 | System;MemoryExtensions;false;Trim;(System.Memory<System.Char>);;Argument[0];ReturnValue;taint;df-generated |
@@ -15338,7 +15343,17 @@ summary
 | System;ReadOnlyMemory<T>;false;Slice;(System.Int32);;Argument[this];ReturnValue;taint;df-generated |
 | System;ReadOnlyMemory<T>;false;Slice;(System.Int32,System.Int32);;Argument[this];ReturnValue;taint;df-generated |
 | System;ReadOnlyMemory<T>;false;ToString;();;Argument[this];ReturnValue;taint;df-generated |
+| System;ReadOnlySpan<T>;false;CopyTo;(System.Span<T>);;Argument[this].Element;Argument[0].Element;value;manual |
 | System;ReadOnlySpan<T>;false;GetEnumerator;();;Argument[this];ReturnValue;taint;df-generated |
+| System;ReadOnlySpan<T>;false;GetPinnableReference;();;Argument[this].Element;ReturnValue;value;manual |
+| System;ReadOnlySpan<T>;false;ReadOnlySpan;(T);;Argument[0];Argument[this].Element;value;manual |
+| System;ReadOnlySpan<T>;false;ReadOnlySpan;(T[]);;Argument[0].Element;Argument[this].Element;value;manual |
+| System;ReadOnlySpan<T>;false;ReadOnlySpan;(T[],System.Int32,System.Int32);;Argument[0].Element;Argument[this].Element;value;manual |
+| System;ReadOnlySpan<T>;false;Slice;(System.Int32);;Argument[this].Element;ReturnValue.Element;value;manual |
+| System;ReadOnlySpan<T>;false;Slice;(System.Int32,System.Int32);;Argument[this].Element;ReturnValue.Element;value;manual |
+| System;ReadOnlySpan<T>;false;ToArray;();;Argument[this].Element;ReturnValue.Element;value;manual |
+| System;ReadOnlySpan<T>;false;TryCopyTo;(System.Span<T>);;Argument[this].Element;Argument[0].Element;value;manual |
+| System;ReadOnlySpan<T>;false;get_Item;(System.Int32);;Argument[this].Element;ReturnValue;value;manual |
 | System;ResolveEventHandler;false;BeginInvoke;(System.Object,System.ResolveEventArgs,System.AsyncCallback,System.Object);;Argument[2];Argument[2].Parameter[delegate-self];value;hq-generated |
 | System;RuntimeFieldHandle;false;FromIntPtr;(System.IntPtr);;Argument[0];ReturnValue;taint;df-generated |
 | System;RuntimeFieldHandle;false;ToIntPtr;(System.RuntimeFieldHandle);;Argument[0];ReturnValue;taint;df-generated |
@@ -15354,7 +15369,19 @@ summary
 | System;Single;false;ToString;(System.IFormatProvider);;Argument[0];ReturnValue;taint;df-generated |
 | System;Single;false;ToString;(System.String,System.IFormatProvider);;Argument[1];ReturnValue;taint;df-generated |
 | System;Single;false;ToType;(System.Type,System.IFormatProvider);;Argument[1];ReturnValue;taint;df-generated |
+| System;Span<T>;false;Clear;();;Argument[this].WithoutElement;Argument[this];value;manual |
+| System;Span<T>;false;CopyTo;(System.Span<T>);;Argument[this].Element;Argument[0].Element;value;manual |
+| System;Span<T>;false;Fill;(T);;Argument[0];Argument[this].Element;value;manual |
 | System;Span<T>;false;GetEnumerator;();;Argument[this];ReturnValue;taint;df-generated |
+| System;Span<T>;false;GetPinnableReference;();;Argument[this].Element;ReturnValue;value;manual |
+| System;Span<T>;false;Slice;(System.Int32);;Argument[this].Element;ReturnValue.Element;value;manual |
+| System;Span<T>;false;Slice;(System.Int32,System.Int32);;Argument[this].Element;ReturnValue.Element;value;manual |
+| System;Span<T>;false;Span;(T);;Argument[0];Argument[this].Element;value;manual |
+| System;Span<T>;false;Span;(T[]);;Argument[0].Element;Argument[this].Element;value;manual |
+| System;Span<T>;false;Span;(T[],System.Int32,System.Int32);;Argument[0].Element;Argument[this].Element;value;manual |
+| System;Span<T>;false;ToArray;();;Argument[this].Element;ReturnValue.Element;value;manual |
+| System;Span<T>;false;TryCopyTo;(System.Span<T>);;Argument[this].Element;Argument[0].Element;value;manual |
+| System;Span<T>;false;get_Item;(System.Int32);;Argument[this].Element;ReturnValue;value;manual |
 | System;String;false;Clone;();;Argument[this];ReturnValue;value;manual |
 | System;String;false;Concat;(System.Collections.Generic.IEnumerable<System.String>);;Argument[0].Element;ReturnValue;taint;manual |
 | System;String;false;Concat;(System.Object);;Argument[0];ReturnValue;taint;manual |

go/codeql-extractor.yml

@@ -6,6 +6,9 @@ pull_request_triggers:
   - "**/glide.yaml"
   - "**/Gopkg.toml"
 column_kind: "utf8"
+build_modes:
+  - autobuild
+  - manual
 github_api_languages:
   - Go
 scc_languages:

go/extractor/go.mod

@@ -3,6 +3,6 @@ module github.com/github/codeql-go/extractor
 go 1.21
 
 require (
-	golang.org/x/mod v0.14.0
+	golang.org/x/mod v0.15.0
 	golang.org/x/tools v0.17.0
 )

go/extractor/go.sum

@@ -1,5 +1,5 @@
-golang.org/x/mod v0.14.0 h1:dGoOF9QVLYng8IHTm7BAyWqCqSheQ5pYWGhzW00YJr0=
-golang.org/x/mod v0.14.0/go.mod h1:hTbmBsO62+eylJbnUtE2MGJUyE7QWk4xUqPFrRgJ+7c=
+golang.org/x/mod v0.15.0 h1:SernR4v+D55NyBH2QiEQrlBAnj1ECL6AGrA5+dPaMY8=
+golang.org/x/mod v0.15.0/go.mod h1:hTbmBsO62+eylJbnUtE2MGJUyE7QWk4xUqPFrRgJ+7c=
 golang.org/x/sync v0.6.0 h1:5BMeUDZ7vkXGfEr1x9B4bRcTH4lpkTkpdh0T/J+qjbQ=
 golang.org/x/sync v0.6.0/go.mod h1:Czt+wKu1gCyEFDUtn0jG5QVvpJ6rzVqr5aXyt9drQfk=
 golang.org/x/tools v0.17.0 h1:FvmRgNOcs3kOa+T20R1uhfP9F6HgG2mfxDv1vrx1Htc=

go/extractor/vendor/modules.txt

@@ -1,4 +1,4 @@
-# golang.org/x/mod v0.14.0
+# golang.org/x/mod v0.15.0
 ## explicit; go 1.18
 golang.org/x/mod/internal/lazyregexp
 golang.org/x/mod/modfile

java/documentation/library-coverage/coverage.csv

@@ -77,7 +77,7 @@ jakarta.xml.bind.attachment,,2,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,2,,
 java.awt,1,,3,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,1,,,,,,,,,,3
 java.beans,,,1,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,1,
 java.io,50,1,46,,,,,,,,,22,,,,,,,,,,,,,,,28,,,,,,,,,,,,,,,,,,,,,1,,44,2
-java.lang,33,3,103,,13,,,,,,1,,,,,,,,,,,,8,,,,6,,,4,,,1,,,,,,,,,,,,,,3,,,60,43
+java.lang,33,3,101,,13,,,,,,1,,,,,,,,,,,,8,,,,6,,,4,,,1,,,,,,,,,,,,,,3,,,58,43
 java.net,21,3,23,,,,1,1,,,,,,,,,,,,,,,,,,,,,,,,,,,,19,,,,,,,,,,,,,3,23,
 java.nio,49,,36,,,,,,,,,5,,,,,,,,,,,,,,,43,,,,,,,,,1,,,,,,,,,,,,,,36,
 java.security,21,,,,,11,10,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,

java/documentation/library-coverage/coverage.rst

@@ -18,10 +18,10 @@ Java framework & library support
    `Google Guava <https://guava.dev/>`_,``com.google.common.*``,,730,43,9,,,,,
    JBoss Logging,``org.jboss.logging``,,,324,,,,,,
    `JSON-java <https://github.com/stleary/JSON-java>`_,``org.json``,,236,,,,,,,
-   Java Standard Library,``java.*``,10,733,237,79,,9,,,24
+   Java Standard Library,``java.*``,10,731,237,79,,9,,,24
    Java extensions,"``javax.*``, ``jakarta.*``",67,688,80,5,4,2,1,1,4
    Kotlin Standard Library,``kotlin*``,,1849,16,14,,,,,2
    `Spring <https://spring.io/>`_,``org.springframework.*``,38,481,118,5,,28,14,,35
    Others,"``actions.osgi``, ``antlr``, ``ch.ethz.ssh2``, ``cn.hutool.core.codec``, ``com.alibaba.druid.sql``, ``com.alibaba.fastjson2``, ``com.amazonaws.auth``, ``com.auth0.jwt.algorithms``, ``com.azure.identity``, ``com.esotericsoftware.kryo.io``, ``com.esotericsoftware.kryo5.io``, ``com.fasterxml.jackson.core``, ``com.fasterxml.jackson.databind``, ``com.google.gson``, ``com.hubspot.jinjava``, ``com.jcraft.jsch``, ``com.microsoft.sqlserver.jdbc``, ``com.mitchellbosecke.pebble``, ``com.mongodb``, ``com.opensymphony.xwork2``, ``com.rabbitmq.client``, ``com.sshtools.j2ssh.authentication``, ``com.sun.crypto.provider``, ``com.sun.jndi.ldap``, ``com.sun.net.httpserver``, ``com.sun.net.ssl``, ``com.sun.rowset``, ``com.sun.security.auth.module``, ``com.sun.security.ntlm``, ``com.sun.security.sasl.digest``, ``com.thoughtworks.xstream``, ``com.trilead.ssh2``, ``com.unboundid.ldap.sdk``, ``com.zaxxer.hikari``, ``flexjson``, ``freemarker.cache``, ``freemarker.template``, ``groovy.lang``, ``groovy.text``, ``groovy.util``, ``hudson``, ``io.jsonwebtoken``, ``io.netty.bootstrap``, ``io.netty.buffer``, ``io.netty.channel``, ``io.netty.handler.codec``, ``io.netty.handler.ssl``, ``io.netty.handler.stream``, ``io.netty.resolver``, ``io.netty.util``, ``javafx.scene.web``, ``jenkins``, ``jodd.json``, ``liquibase.database.jvm``, ``liquibase.statement.core``, ``net.schmizz.sshj``, ``net.sf.json``, ``net.sf.saxon.s9api``, ``ognl``, ``okhttp3``, ``org.acegisecurity``, ``org.antlr.runtime``, ``org.apache.commons.codec``, ``org.apache.commons.compress.archivers.tar``, ``org.apache.commons.exec``, ``org.apache.commons.httpclient.util``, ``org.apache.commons.jelly``, ``org.apache.commons.jexl2``, ``org.apache.commons.jexl3``, ``org.apache.commons.lang``, ``org.apache.commons.logging``, ``org.apache.commons.net``, ``org.apache.commons.ognl``, ``org.apache.cxf.catalog``, ``org.apache.cxf.common.classloader``, ``org.apache.cxf.common.jaxb``, ``org.apache.cxf.common.logging``, ``org.apache.cxf.configuration.jsse``, ``org.apache.cxf.helpers``, ``org.apache.cxf.resource``, ``org.apache.cxf.staxutils``, ``org.apache.cxf.tools.corba.utils``, ``org.apache.cxf.tools.util``, ``org.apache.cxf.transform``, ``org.apache.directory.ldap.client.api``, ``org.apache.hadoop.fs``, ``org.apache.hadoop.hive.metastore``, ``org.apache.hadoop.hive.ql.exec``, ``org.apache.hadoop.hive.ql.metadata``, ``org.apache.hc.client5.http.async.methods``, ``org.apache.hc.client5.http.classic.methods``, ``org.apache.hc.client5.http.fluent``, ``org.apache.hive.hcatalog.templeton``, ``org.apache.ibatis.jdbc``, ``org.apache.ibatis.mapping``, ``org.apache.log4j``, ``org.apache.shiro.codec``, ``org.apache.shiro.jndi``, ``org.apache.shiro.mgt``, ``org.apache.sshd.client.session``, ``org.apache.struts.beanvalidation.validation.interceptor``, ``org.apache.struts2``, ``org.apache.tools.ant``, ``org.apache.tools.zip``, ``org.apache.velocity.app``, ``org.apache.velocity.runtime``, ``org.codehaus.cargo.container.installer``, ``org.codehaus.groovy.control``, ``org.dom4j``, ``org.eclipse.jetty.client``, ``org.fusesource.leveldbjni``, ``org.geogebra.web.full.main``, ``org.gradle.api.file``, ``org.hibernate``, ``org.influxdb``, ``org.jdbi.v3.core``, ``org.jenkins.ui.icon``, ``org.jenkins.ui.symbol``, ``org.jooq``, ``org.keycloak.models.map.storage``, ``org.kohsuke.stapler``, ``org.mvel2``, ``org.openjdk.jmh.runner.options``, ``org.owasp.esapi``, ``org.pac4j.jwt.config.encryption``, ``org.pac4j.jwt.config.signature``, ``org.scijava.log``, ``org.slf4j``, ``org.thymeleaf``, ``org.xml.sax``, ``org.xmlpull.v1``, ``org.yaml.snakeyaml``, ``play.libs.ws``, ``play.mvc``, ``ratpack.core.form``, ``ratpack.core.handling``, ``ratpack.core.http``, ``ratpack.exec``, ``ratpack.form``, ``ratpack.func``, ``ratpack.handling``, ``ratpack.http``, ``ratpack.util``, ``retrofit2``, ``sun.jvmstat.perfdata.monitor.protocol.local``, ``sun.jvmstat.perfdata.monitor.protocol.rmi``, ``sun.misc``, ``sun.net.ftp``, ``sun.net.www.protocol.http``, ``sun.security.acl``, ``sun.security.jgss.krb5``, ``sun.security.krb5``, ``sun.security.pkcs``, ``sun.security.pkcs11``, ``sun.security.provider``, ``sun.security.ssl``, ``sun.security.x509``, ``sun.tools.jconsole``",131,10516,889,121,6,22,18,,208
-   Totals,,308,18947,2551,331,16,128,33,1,407
+   Totals,,308,18945,2551,331,16,128,33,1,407
 

java/ql/lib/semmle/code/java/frameworks/android/Layout.qll

@@ -0,0 +1,65 @@
+/** Provides classes and predicates for working with Android layouts and UI elements. */
+
+import java
+import semmle.code.xml.AndroidManifest
+private import semmle.code.java.dataflow.DataFlow
+
+/** An Android Layout XML file. */
+class AndroidLayoutXmlFile extends XmlFile {
+  AndroidLayoutXmlFile() { this.getRelativePath().matches("%/res/layout/%.xml") }
+}
+
+/** A component declared in an Android layout file. */
+class AndroidLayoutXmlElement extends XmlElement {
+  AndroidLayoutXmlElement() { this.getFile() instanceof AndroidLayoutXmlFile }
+
+  /** Gets the ID of this component, if any. */
+  string getId() { result = this.getAttribute("id").getValue() }
+
+  /** Gets the class of this component. */
+  Class getClass() {
+    this.getName() = "view" and
+    this.getAttribute("class").getValue() = result.getQualifiedName()
+    or
+    this.getName() = result.getQualifiedName()
+    or
+    result.hasQualifiedName(["android.widget", "android.view"], this.getName())
+  }
+}
+
+/** An XML element that represents an editable text field. */
+class AndroidEditableXmlElement extends AndroidLayoutXmlElement {
+  AndroidEditableXmlElement() {
+    this.getClass().getASourceSupertype*().hasQualifiedName("android.widget", "EditText")
+  }
+
+  /** Gets the input type of this field, if any. */
+  string getInputType() { result = this.getAttribute("inputType").(AndroidXmlAttribute).getValue() }
+}
+
+/** A `findViewById` or `requireViewById` method on `Activity` or `View`. */
+private class FindViewMethod extends Method {
+  FindViewMethod() {
+    exists(Method m | this.getAnOverride*() = m |
+      m.hasQualifiedName("android.app", "Activity", ["findViewById", "requireViewById"])
+      or
+      m.hasQualifiedName("android.view", "View", ["findViewById", "requireViewById"])
+      or
+      m.hasQualifiedName("android.app", "Dialog", ["findViewById", "requireViewById"])
+    )
+  }
+}
+
+/** Gets a use of the view that has the given id. (that is, from a call to a method like `findViewById`) */
+MethodCall getAUseOfViewWithId(string id) {
+  exists(string name, NestedClass r_id, Field id_field |
+    id = ["@+id/", "@id/"] + name and
+    result.getMethod() instanceof FindViewMethod and
+    r_id.getEnclosingType().hasName("R") and
+    r_id.hasName("id") and
+    id_field.getDeclaringType() = r_id and
+    id_field.hasName(name)
+  |
+    DataFlow::localExprFlow(id_field.getAnAccess(), result.getArgument(0))
+  )
+}

java/ql/lib/semmle/code/java/security/SensitiveKeyboardCacheQuery.qll

@@ -3,71 +3,7 @@
 import java
 import semmle.code.java.dataflow.DataFlow
 import semmle.code.java.security.SensitiveActions
-import semmle.code.xml.AndroidManifest
-
-/** An Android Layout XML file. */
-private class AndroidLayoutXmlFile extends XmlFile {
-  AndroidLayoutXmlFile() { this.getRelativePath().matches("%/res/layout/%.xml") }
-}
-
-/** A component declared in an Android layout file. */
-class AndroidLayoutXmlElement extends XmlElement {
-  AndroidXmlAttribute id;
-
-  AndroidLayoutXmlElement() {
-    this.getFile() instanceof AndroidLayoutXmlFile and
-    id = this.getAttribute("id")
-  }
-
-  /** Gets the ID of this component. */
-  string getId() { result = id.getValue() }
-
-  /** Gets the class of this component. */
-  Class getClass() {
-    this.getName() = "view" and
-    this.getAttribute("class").getValue() = result.getQualifiedName()
-    or
-    this.getName() = result.getQualifiedName()
-    or
-    result.hasQualifiedName(["android.widget", "android.view"], this.getName())
-  }
-}
-
-/** An XML element that represents an editable text field. */
-class AndroidEditableXmlElement extends AndroidLayoutXmlElement {
-  AndroidEditableXmlElement() {
-    this.getClass().getASourceSupertype*().hasQualifiedName("android.widget", "EditText")
-  }
-
-  /** Gets the input type of this field, if any. */
-  string getInputType() { result = this.getAttribute("inputType").(AndroidXmlAttribute).getValue() }
-}
-
-/** A `findViewById` or `requireViewById` method on `Activity` or `View`. */
-private class FindViewMethod extends Method {
-  FindViewMethod() {
-    this.hasQualifiedName("android.view", "View", ["findViewById", "requireViewById"])
-    or
-    exists(Method m |
-      m.hasQualifiedName("android.app", "Activity", ["findViewById", "requireViewById"]) and
-      this = m.getAnOverride*()
-    )
-  }
-}
-
-/** Gets a use of the view that has the given id. */
-private MethodCall getAUseOfViewWithId(string id) {
-  exists(string name, NestedClass r_id, Field id_field |
-    id = "@+id/" + name and
-    result.getMethod() instanceof FindViewMethod and
-    r_id.getEnclosingType().hasName("R") and
-    r_id.hasName("id") and
-    id_field.getDeclaringType() = r_id and
-    id_field.hasName(name)
-  |
-    DataFlow::localExprFlow(id_field.getAnAccess(), result.getArgument(0))
-  )
-}
+import semmle.code.java.frameworks.android.Layout
 
 /** Gets the argument of a use of `setInputType` called on the view with the given id. */
 private Argument setInputTypeForId(string id) {

java/ql/lib/semmle/code/java/security/SensitiveUiQuery.qll

@@ -4,6 +4,8 @@ import java
 private import semmle.code.java.dataflow.ExternalFlow
 private import semmle.code.java.dataflow.TaintTracking
 private import semmle.code.java.security.SensitiveActions
+private import semmle.code.java.frameworks.android.Layout
+private import semmle.code.java.security.Sanitizers
 
 /** A configuration for tracking sensitive information to system notifications. */
 private module NotificationTrackingConfig implements DataFlow::ConfigSig {
@@ -20,3 +22,94 @@ private module NotificationTrackingConfig implements DataFlow::ConfigSig {
 
 /** Taint tracking flow for sensitive data flowing to system notifications. */
 module NotificationTracking = TaintTracking::Global<NotificationTrackingConfig>;
+
+/** A call to a method that sets the text of a `TextView`. */
+private class SetTextCall extends MethodCall {
+  SetTextCall() {
+    this.getMethod()
+        .getAnOverride*()
+        .hasQualifiedName("android.widget", "TextView", ["append", "setText", "setHint"]) and
+    (
+      this.getMethod()
+          .getParameter(0)
+          .getType()
+          .(RefType)
+          .hasQualifiedName("java.lang", "CharSequence")
+      or
+      this.getMethod().getParameter(0).getType().(Array).getElementType() instanceof CharacterType
+    )
+  }
+
+  /** Gets the string argument of this call. */
+  Expr getStringArgument() { result = this.getArgument(0) }
+}
+
+/** A call to a method indicating that the contents of a UI element are safely masked. */
+private class MaskCall extends MethodCall {
+  MaskCall() {
+    this.getMethod().getAnOverride*().hasQualifiedName("android.widget", "TextView", "setInputType")
+    or
+    this.getMethod().getAnOverride*().hasQualifiedName("android.view", "View", "setVisibility")
+  }
+}
+
+/** A configuration for tracking sensitive information to text fields. */
+private module TextFieldTrackingConfig implements DataFlow::ConfigSig {
+  predicate isSource(DataFlow::Node src) { src.asExpr() instanceof SensitiveExpr }
+
+  predicate isSink(DataFlow::Node sink) {
+    exists(SetTextCall call |
+      sink.asExpr() = call.getStringArgument() and
+      not setTextCallIsMasked(call)
+    )
+  }
+
+  predicate isBarrier(DataFlow::Node node) { node instanceof SimpleTypeSanitizer }
+
+  predicate isBarrierIn(DataFlow::Node node) { isSource(node) }
+}
+
+/** A local flow step that also flows through access to fields containing `View`s */
+private predicate localViewFieldFlowStep(DataFlow::Node node1, DataFlow::Node node2) {
+  DataFlow::localFlowStep(node1, node2)
+  or
+  exists(Field f |
+    f.getType().(Class).getASupertype*().hasQualifiedName("android.view", "View") and
+    node1.asExpr() = f.getAnAccess().(FieldWrite).getASource() and
+    node2.asExpr() = f.getAnAccess().(FieldRead)
+  )
+}
+
+/** Holds if data can flow from `node1` to `node2` with local flow steps as well as flow through fields containing `View`s */
+private predicate localViewFieldFlow(DataFlow::Node node1, DataFlow::Node node2) {
+  localViewFieldFlowStep*(node1, node2)
+}
+
+/** Holds if data can flow from `e1` to `e2` with local flow steps as well as flow through fields containing `View`s */
+private predicate localViewFieldExprFlow(Expr e1, Expr e2) {
+  localViewFieldFlow(DataFlow::exprNode(e1), DataFlow::exprNode(e2))
+}
+
+/** Holds if the given view may be properly masked. */
+private predicate viewIsMasked(AndroidLayoutXmlElement view) {
+  localViewFieldExprFlow(getAUseOfViewWithId(view.getId()), any(MaskCall mcall).getQualifier())
+  or
+  view.getAttribute("inputType")
+      .(AndroidXmlAttribute)
+      .getValue()
+      .regexpMatch("(?i).*(text|number)(web)?password.*")
+  or
+  view.getAttribute("visibility").(AndroidXmlAttribute).getValue().toLowerCase() =
+    ["invisible", "gone"]
+}
+
+/** Holds if the qualifier of `call` may be properly masked. */
+private predicate setTextCallIsMasked(SetTextCall call) {
+  exists(AndroidLayoutXmlElement view |
+    localViewFieldExprFlow(getAUseOfViewWithId(view.getId()), call.getQualifier()) and
+    viewIsMasked(view.getParent*())
+  )
+}
+
+/** Taint tracking flow for sensitive data flowing to text fields. */
+module TextFieldTracking = TaintTracking::Global<TextFieldTrackingConfig>;

java/ql/src/Security/CWE/CWE-074/JndiInjection.qhelp

@@ -13,7 +13,7 @@ code execution.</p>
 <recommendation>
 <p>The general recommendation is to avoid passing untrusted data to the <code>InitialContext.lookup
 </code> method. If the name being used to look up the object must be provided by the user, make
-sure that it's not in the form of an absolute URL or that it's the URL pointing to a trused server.
+sure that it's not in the form of an absolute URL or that it's the URL pointing to a trusted server.
 </p>
 </recommendation>
 

java/ql/src/Security/CWE/CWE-200/AndroidSensitiveTextBad.java

@@ -0,0 +1,2 @@
+TextView pwView = getViewById(R.id.pw_text);
+pwView.setText("Your password is: " + password);

java/ql/src/Security/CWE/CWE-200/AndroidSensitiveTextField.qhelp

@@ -0,0 +1,38 @@
+<!DOCTYPE qhelp PUBLIC
+ "-//Semmle//qhelp//EN"
+ "qhelp.dtd">
+<qhelp>
+  <overview>
+    <p>
+      Sensitive information such as passwords should not be displayed in UI components unless explicitly required, to mitigate shoulder-surfing attacks.
+    </p>
+  </overview>
+
+  <recommendation>
+    <p>
+    For editable text fields containing sensitive information, the <code>inputType</code> should be set to <code>textPassword</code> or similar to ensure it is properly masked.
+    Otherwise, sensitive data that must be displayed should be hidden by default, and only revealed based on an explicit user action.
+    </p>
+  </recommendation>
+
+  <example>
+    <p>
+    In the following (bad) case, sensitive information in <code>password</code> is exposed to the <code>TextView</code>.
+    </p>
+
+    <sample src="AndroidSensitiveTextBad.java"/>
+
+    <p>
+    In the following (good) case, the user must press a button to reveal sensitive information.
+    </p>
+
+    <sample src="AndroidSensitiveTextGood.java"/>
+  </example>
+
+  <references>
+    <li>
+      OWASP Mobile Application Security: <a href="https://mas.owasp.org/MASTG/Android/0x05d-Testing-Data-Storage/#ui-components">Android Data Storage - UI Components</a> 
+    </li>
+  </references>
+
+</qhelp>

java/ql/src/Security/CWE/CWE-200/AndroidSensitiveTextField.ql

@@ -0,0 +1,20 @@
+/**
+ * @name Exposure of sensitive information to UI text views.
+ * @id java/android/sensitive-text
+ * @kind path-problem
+ * @description Sensitive information displayed in UI text views should be properly masked.
+ * @problem.severity warning
+ * @precision medium
+ * @security-severity 6.5
+ * @tags security
+ *       external/cwe/cwe-200
+ */
+
+import java
+import java
+import semmle.code.java.security.SensitiveUiQuery
+import TextFieldTracking::PathGraph
+
+from TextFieldTracking::PathNode source, TextFieldTracking::PathNode sink
+where TextFieldTracking::flowPath(source, sink)
+select sink, source, sink, "This $@ is exposed in a text view.", source, "sensitive information"

java/ql/src/Security/CWE/CWE-200/AndroidSensitiveTextGood.java

@@ -0,0 +1,10 @@
+TextView pwView = findViewById(R.id.pw_text);
+pwView.setVisibility(View.INVISIBLE);
+pwView.setText("Your password is: " + password);
+
+Button showButton = findViewById(R.id.show_pw_button);
+showButton.setOnClickListener(new View.OnClickListener() {
+    public void onClick(View v) {
+      pwView.setVisibility(View.VISIBLE);
+    }
+});

java/ql/src/change-notes/2024-01-29-android-sensitive-text-field-query.md

@@ -0,0 +1,4 @@
+---
+category: newQuery
+---
+* Added a new query `java/android/sensitive-text` to detect instances of sensitive data being exposed through text fields without being properly masked. 

java/ql/test/query-tests/security/CWE-200/semmle/tests/SensitiveTextView/AndroidManifest.xml

@@ -0,0 +1,5 @@
+<?xml version="1.0" encoding="utf-8"?>
+<manifest xmlns:android="http://schemas.android.com/apk/res/android"
+    xmlns:tools="http://schemas.android.com/tools"
+    package="com.example.test">
+</manifest>

java/ql/test/query-tests/security/CWE-200/semmle/tests/SensitiveTextView/R.java

@@ -0,0 +1,24 @@
+package com.example.test;
+
+public final class R {
+    public static final class id {
+        public static final int test1 = 1;
+        public static final int test2 = 2;
+        public static final int test3 = 3;
+        public static final int test4 = 4;
+        public static final int test5 = 5;
+        public static final int test6 = 6;
+        public static final int test7 = 7;
+        public static final int test8 = 8;
+        public static final int test9 = 9;
+        public static final int test10 = 10;
+        public static final int test11 = 11;
+        public static final int test12 = 12;
+        public static final int test13 = 13;
+        public static final int test14 = 14;
+    }
+
+    public static final class string {
+        public static final int password_prompt = 0;
+    }
+}

java/ql/test/query-tests/security/CWE-200/semmle/tests/SensitiveTextView/Test.java

@@ -0,0 +1,77 @@
+package com.example.test;
+
+import android.app.Activity;
+import android.widget.EditText;
+import android.widget.TextView;
+import android.widget.LinearLayout;
+import android.view.View;
+import android.text.InputType;
+
+class Test extends Activity {
+    void test(String password) {
+        EditText test1 = findViewById(R.id.test1);
+        // BAD: Exposing sensitive data to text view
+        test1.setText(password); // $sensitive-text
+        test1.setHint(password); // $sensitive-text
+        test1.append(password); // $sensitive-text
+        // GOOD: resource constant is not sensitive info
+        test1.setText(R.string.password_prompt); 
+
+        // GOOD: Visibility is dynamically set
+        TextView test2 = findViewById(R.id.test2);
+        test2.setVisibility(View.INVISIBLE);
+        test2.setText(password);
+
+        // GOOD: Input type is dynamically set
+        EditText test3 = findViewById(R.id.test3);
+        test3.setInputType(InputType.TYPE_CLASS_TEXT | InputType.TYPE_TEXT_VARIATION_PASSWORD);
+        test3.setText(password);
+
+        // GOOD: Visibility of parent is dynamically set
+        LinearLayout test4 = findViewById(R.id.test4);
+        TextView test5 = findViewById(R.id.test5);
+        test4.setVisibility(View.INVISIBLE);
+        test5.setText(password);
+
+        // GOOD: Input type set to textPassword in XML
+        EditText test6 = findViewById(R.id.test6);
+        test6.setText(password);
+
+        // GOOD: Input type set to textWebPassword in XML
+        EditText test7 = findViewById(R.id.test7);
+        test7.setText(password);
+
+        // GOOD: Input type set to numberPassword in XML
+        EditText test8 = findViewById(R.id.test8);
+        test8.setText(password);
+
+        // BAD: Input type set to textVisiblePassword in XML, which is not hidden
+        EditText test9 = findViewById(R.id.test9);
+        test9.setText(password); // $sensitive-text
+
+        // GOOD: Visibility set to invisible in XML
+        EditText test10 = findViewById(R.id.test10);
+        test10.setText(password);
+
+        // GOOD: Visibility set to gone in XML
+        EditText test11 = findViewById(R.id.test11);
+        test11.setText(password);
+
+        // GOOD: Visibility of parent set to invisible in XML
+        EditText test12 = findViewById(R.id.test12);
+        test12.setText(password);
+
+        // GOOD: Input type set to textPassword in XML
+        EditText test13 = findViewById(R.id.test13);
+        test13.setText(password);
+
+        test14 = findViewById(R.id.test14);
+    }
+
+    EditText test14;
+
+    void test2(String password) {
+        // GOOD: Input type set to textPassword in XML
+        test14.setText(password);
+    }
+}

java/ql/test/query-tests/security/CWE-200/semmle/tests/SensitiveTextView/options

@@ -0,0 +1 @@
+//semmle-extractor-options: --javac-args -cp ${testdir}/../../../../../../stubs/google-android-9.0.0

java/ql/test/query-tests/security/CWE-200/semmle/tests/SensitiveTextView/res/layout/Test.xml

@@ -0,0 +1,61 @@
+<?xml version="1.0" encoding="utf-8"?>
+<LinearLayout
+    xmlns:android="http://schemas.android.com/apk/res/android"
+    xmlns:app="http://schemas.android.com/apk/res-auto">
+
+
+    <EditText
+        android:id="@+id/test1"
+        android:inputType="text"/>
+
+    <TextView
+        android:id="@+id/test2"/>
+
+    <EditText
+        android:id="@+id/test3"/>
+
+    <LinearLayout
+        android:id="@+id/test4">
+        <TextView
+            android:id="@+id/test5"/>
+    </LinearLayout>
+
+    <EditText
+        android:id="@+id/test6"
+        android:inputType="textPassword"/>
+
+    <EditText
+        android:id="@+id/test7"
+        android:inputType="textWebPassword"/>
+
+    <EditText
+        android:id="@+id/test8"
+        android:inputType="numberPassword"/>
+
+    <EditText
+        android:id="@+id/test9"
+        android:inputType="textVisiblePassword"/>
+
+    <EditText
+        android:id="@+id/test10"
+        android:visibility="invisible"/>
+
+    <EditText
+        android:id="@+id/test11"
+        android:visibility="gone"/>
+
+    <LinearLayout
+        android:visibility="invisible">
+        <TextView
+            android:id="@+id/test12"/>
+    </LinearLayout>
+
+    <EditText
+        android:id="@id/test13"
+        android:inputType="textPassword"/>
+
+    <EditText
+        android:id="@+id/test14"
+        android:inputType="textPassword"/>
+
+</LinearLayout>

java/ql/test/query-tests/security/CWE-200/semmle/tests/SensitiveTextView/test.expected

@@ -0,0 +1,2 @@
+testFailures
+failures

java/ql/test/query-tests/security/CWE-200/semmle/tests/SensitiveTextView/test.ql

@@ -0,0 +1,19 @@
+import java
+import TestUtilities.InlineExpectationsTest
+import semmle.code.java.dataflow.DataFlow
+import semmle.code.java.security.SensitiveUiQuery
+
+module SensitiveTextTest implements TestSig {
+  string getARelevantTag() { result = "sensitive-text" }
+
+  predicate hasActualResult(Location location, string element, string tag, string value) {
+    tag = "sensitive-text" and
+    exists(DataFlow::Node sink | TextFieldTracking::flowTo(sink) |
+      sink.getLocation() = location and
+      element = sink.toString() and
+      value = ""
+    )
+  }
+}
+
+import MakeTest<SensitiveTextTest>

java/ql/test/stubs/google-android-9.0.0/android/widget/LinearLayout.java

@@ -0,0 +1,68 @@
+// Generated automatically from android.widget.LinearLayout for testing purposes
+
+package android.widget;
+
+import android.content.Context;
+import android.graphics.Canvas;
+import android.graphics.drawable.Drawable;
+import android.util.AttributeSet;
+import android.view.ViewGroup;
+
+public class LinearLayout extends ViewGroup
+{
+    protected LinearLayout() {}
+    protected LinearLayout.LayoutParams generateDefaultLayoutParams(){ return null; }
+    protected LinearLayout.LayoutParams generateLayoutParams(ViewGroup.LayoutParams p0){ return null; }
+    protected boolean checkLayoutParams(ViewGroup.LayoutParams p0){ return false; }
+    protected void onDraw(Canvas p0){}
+    protected void onLayout(boolean p0, int p1, int p2, int p3, int p4){}
+    protected void onMeasure(int p0, int p1){}
+    public CharSequence getAccessibilityClassName(){ return null; }
+    public Drawable getDividerDrawable(){ return null; }
+    public LinearLayout(Context p0){}
+    public LinearLayout(Context p0, AttributeSet p1){}
+    public LinearLayout(Context p0, AttributeSet p1, int p2){}
+    public LinearLayout(Context p0, AttributeSet p1, int p2, int p3){}
+    public LinearLayout.LayoutParams generateLayoutParams(AttributeSet p0){ return null; }
+    public boolean isBaselineAligned(){ return false; }
+    public boolean isMeasureWithLargestChildEnabled(){ return false; }
+    public boolean shouldDelayChildPressedState(){ return false; }
+    public float getWeightSum(){ return 0; }
+    public int getBaseline(){ return 0; }
+    public int getBaselineAlignedChildIndex(){ return 0; }
+    public int getDividerPadding(){ return 0; }
+    public int getGravity(){ return 0; }
+    public int getOrientation(){ return 0; }
+    public int getShowDividers(){ return 0; }
+    public static int HORIZONTAL = 0;
+    public static int SHOW_DIVIDER_BEGINNING = 0;
+    public static int SHOW_DIVIDER_END = 0;
+    public static int SHOW_DIVIDER_MIDDLE = 0;
+    public static int SHOW_DIVIDER_NONE = 0;
+    public static int VERTICAL = 0;
+    public void onRtlPropertiesChanged(int p0){}
+    public void setBaselineAligned(boolean p0){}
+    public void setBaselineAlignedChildIndex(int p0){}
+    public void setDividerDrawable(Drawable p0){}
+    public void setDividerPadding(int p0){}
+    public void setGravity(int p0){}
+    public void setHorizontalGravity(int p0){}
+    public void setMeasureWithLargestChildEnabled(boolean p0){}
+    public void setOrientation(int p0){}
+    public void setShowDividers(int p0){}
+    public void setVerticalGravity(int p0){}
+    public void setWeightSum(float p0){}
+    static public class LayoutParams extends ViewGroup.MarginLayoutParams
+    {
+        protected LayoutParams() {}
+        public LayoutParams(Context p0, AttributeSet p1){}
+        public LayoutParams(LinearLayout.LayoutParams p0){}
+        public LayoutParams(ViewGroup.LayoutParams p0){}
+        public LayoutParams(ViewGroup.MarginLayoutParams p0){}
+        public LayoutParams(int p0, int p1){}
+        public LayoutParams(int p0, int p1, float p2){}
+        public String debug(String p0){ return null; }
+        public float weight = 0;
+        public int gravity = 0;
+    }
+}

javascript/ql/lib/change-notes/2024-01-30-certification_not_certificate.md

@@ -0,0 +1,4 @@
+---
+category: minorAnalysis
+---
+* The name "certification" is no longer seen as possibly being a certificate, and will therefore no longer be flagged in queries like "clear-text-logging" which look for sensitive data.

javascript/ql/lib/semmle/javascript/security/internal/SensitiveDataHeuristics.qll

@@ -75,7 +75,7 @@ module HeuristicNames {
    * Gets a regular expression that identifies strings that may indicate the presence of
    * a certificate.
    */
-  string maybeCertificate() { result = "(?is).*(cert)(?!.*(format|name)).*" }
+  string maybeCertificate() { result = "(?is).*(cert)(?!.*(format|name|ification)).*" }
 
   /**
    * Gets a regular expression that identifies strings that may indicate the presence

python/ql/lib/change-notes/2024-01-30-certification_not_certificate.md

@@ -0,0 +1,4 @@
+---
+category: minorAnalysis
+---
+* The name "certification" is no longer seen as possibly being a certificate, and will therefore no longer be flagged in queries like "clear-text-logging" which look for sensitive data.

python/ql/lib/semmle/python/security/internal/SensitiveDataHeuristics.qll

@@ -75,7 +75,7 @@ module HeuristicNames {
    * Gets a regular expression that identifies strings that may indicate the presence of
    * a certificate.
    */
-  string maybeCertificate() { result = "(?is).*(cert)(?!.*(format|name)).*" }
+  string maybeCertificate() { result = "(?is).*(cert)(?!.*(format|name|ification)).*" }
 
   /**
    * Gets a regular expression that identifies strings that may indicate the presence

ql/codeql-extractor.yml

@@ -3,6 +3,8 @@ display_name: "QL"
 version: 0.0.1
 column_kind: "utf8"
 legacy_qltest_extraction: true
+build_modes:
+  - none
 github_api_languages:
   - CodeQL
 scc_languages:

ruby/codeql-extractor.yml

@@ -3,6 +3,8 @@ display_name: "Ruby"
 version: 0.1.0
 column_kind: "utf8"
 legacy_qltest_extraction: true
+build_modes:
+  - none
 github_api_languages:
   - Ruby
 scc_languages:

ruby/ql/lib/change-notes/2024-01-30-certification_not_certificate.md

@@ -0,0 +1,4 @@
+---
+category: minorAnalysis
+---
+* The name "certification" is no longer seen as possibly being a certificate, and will therefore no longer be flagged in queries like "clear-text-logging" which look for sensitive data.

ruby/ql/lib/codeql/ruby/security/internal/SensitiveDataHeuristics.qll

@@ -75,7 +75,7 @@ module HeuristicNames {
    * Gets a regular expression that identifies strings that may indicate the presence of
    * a certificate.
    */
-  string maybeCertificate() { result = "(?is).*(cert)(?!.*(format|name)).*" }
+  string maybeCertificate() { result = "(?is).*(cert)(?!.*(format|name|ification)).*" }
 
   /**
    * Gets a regular expression that identifies strings that may indicate the presence

ruby/ql/src/utils/modeleditor/FrameworkModeAccessPaths.ql

@@ -0,0 +1,89 @@
+/**
+ * @name Fetch a subset of valid access paths of input and output parameters of a method (framework mode).
+ * @description A list of access paths for input and output parameters of a method. Excludes test and generated code.
+ * @kind table
+ * @id ruby/utils/modeleditor/framework-mode-access-paths
+ * @tags modeleditor access-paths framework-mode
+ */
+
+private import ruby
+private import codeql.ruby.AST
+private import codeql.ruby.ApiGraphs
+private import queries.modeling.internal.Util as Util
+
+predicate simpleParameters(string type, string path, string value, DataFlow::Node node) {
+  exists(DataFlow::MethodNode methodNode, DataFlow::ParameterNode paramNode |
+    methodNode.getLocation().getFile() instanceof Util::RelevantFile and
+    (
+      // Check that this parameter belongs to this method
+      // Block parameter explicitly excluded because it's already included
+      // as part of the blockArguments predicate
+      paramNode = Util::getAnyParameter(methodNode) and
+      paramNode != methodNode.getBlockParameter()
+    )
+  |
+    Util::pathToMethod(methodNode, type, path) and
+    value = Util::getArgumentPath(paramNode) and
+    node = paramNode
+  )
+}
+
+predicate blockArguments(string type, string path, string value, DataFlow::Node node) {
+  exists(DataFlow::MethodNode methodNode, DataFlow::CallNode callNode |
+    methodNode.getLocation().getFile() instanceof Util::RelevantFile and
+    callNode = methodNode.getABlockCall()
+  |
+    (
+      exists(DataFlow::VariableAccessNode argNode, int i |
+        argNode = callNode.getPositionalArgument(i)
+      |
+        value = "Argument[block].Parameter[" + i + "]" and
+        node = argNode
+      )
+      or
+      exists(DataFlow::ExprNode argNode, string keyword |
+        argNode = callNode.getKeywordArgument(keyword)
+      |
+        value = "Argument[block].Parameter[" + keyword + ":]" and
+        node = argNode
+      )
+      or
+      value = "Argument[block]" and
+      node = callNode
+    ) and
+    Util::pathToMethod(methodNode, type, path)
+  )
+}
+
+predicate returnValue(string type, string path, string value, DataFlow::Node node) {
+  exists(DataFlow::MethodNode methodNode, DataFlow::Node returnNode |
+    methodNode.getLocation().getFile() instanceof Util::RelevantFile and
+    returnNode = methodNode.getAReturnNode()
+  |
+    Util::pathToMethod(methodNode, type, path) and
+    value = "ReturnValue" and
+    node = returnNode
+  )
+}
+
+predicate inputAccessPaths(
+  string type, string path, string value, DataFlow::Node node, string defType
+) {
+  simpleParameters(type, path, value, node) and defType = "parameter"
+  or
+  blockArguments(type, path, value, node) and defType = "parameter"
+}
+
+predicate outputAccessPaths(
+  string type, string path, string value, DataFlow::Node node, string defType
+) {
+  simpleParameters(type, path, value, node) and defType = "parameter"
+  or
+  blockArguments(type, path, value, node) and defType = "parameter"
+  or
+  returnValue(type, path, value, node) and defType = "return"
+}
+
+query predicate input = inputAccessPaths/5;
+
+query predicate output = outputAccessPaths/5;

ruby/ql/test/query-tests/utils/modeleditor/FrameworkModeAccessPaths.expected

@@ -0,0 +1,75 @@
+input
+| A | Method[bar] | Argument[0] | lib/mylib.rb:13:11:13:11 | x | parameter |
+| A | Method[bar] | Argument[self] | lib/mylib.rb:13:3:14:5 | self in bar | parameter |
+| A | Method[foo] | Argument[0] | lib/mylib.rb:7:11:7:11 | x | parameter |
+| A | Method[foo] | Argument[1] | lib/mylib.rb:7:14:7:14 | y | parameter |
+| A | Method[foo] | Argument[2] | lib/mylib.rb:7:17:7:20 | key1 | parameter |
+| A | Method[foo] | Argument[block] | lib/mylib.rb:8:5:8:32 | call to call | parameter |
+| A | Method[foo] | Argument[block] | lib/mylib.rb:10:5:10:26 | yield ... | parameter |
+| A | Method[foo] | Argument[block].Parameter[0] | lib/mylib.rb:8:16:8:16 | x | parameter |
+| A | Method[foo] | Argument[block].Parameter[0] | lib/mylib.rb:10:11:10:11 | x | parameter |
+| A | Method[foo] | Argument[block].Parameter[1] | lib/mylib.rb:8:19:8:19 | y | parameter |
+| A | Method[foo] | Argument[block].Parameter[1] | lib/mylib.rb:10:14:10:14 | y | parameter |
+| A | Method[foo] | Argument[block].Parameter[key2:] | lib/mylib.rb:8:28:8:31 | key1 | parameter |
+| A | Method[foo] | Argument[block].Parameter[key2:] | lib/mylib.rb:10:23:10:26 | key1 | parameter |
+| A | Method[foo] | Argument[key1:] | lib/mylib.rb:7:17:7:20 | key1 | parameter |
+| A | Method[foo] | Argument[self] | lib/mylib.rb:7:3:11:5 | self in foo | parameter |
+| A! | Method[new] | Argument[0] | lib/mylib.rb:4:18:4:18 | x | parameter |
+| A! | Method[new] | Argument[1] | lib/mylib.rb:4:21:4:21 | y | parameter |
+| A! | Method[new] | Argument[self] | lib/mylib.rb:4:3:5:5 | self in initialize | parameter |
+| A! | Method[self_foo] | Argument[0] | lib/mylib.rb:16:21:16:21 | x | parameter |
+| A! | Method[self_foo] | Argument[1] | lib/mylib.rb:16:24:16:24 | y | parameter |
+| A! | Method[self_foo] | Argument[self] | lib/mylib.rb:16:3:17:5 | self in self_foo | parameter |
+| A::ANested | Method[foo] | Argument[0] | lib/mylib.rb:25:13:25:13 | x | parameter |
+| A::ANested | Method[foo] | Argument[1] | lib/mylib.rb:25:16:25:16 | y | parameter |
+| A::ANested | Method[foo] | Argument[self] | lib/mylib.rb:25:5:26:7 | self in foo | parameter |
+| B | Method[foo] | Argument[0] | lib/other.rb:6:11:6:11 | x | parameter |
+| B | Method[foo] | Argument[1] | lib/other.rb:6:14:6:14 | y | parameter |
+| B | Method[foo] | Argument[self] | lib/other.rb:6:3:7:5 | self in foo | parameter |
+| M1 | Method[foo] | Argument[0] | lib/module.rb:2:11:2:11 | x | parameter |
+| M1 | Method[foo] | Argument[1] | lib/module.rb:2:14:2:14 | y | parameter |
+| M1 | Method[foo] | Argument[self] | lib/module.rb:2:3:3:5 | self in foo | parameter |
+| M1! | Method[self_foo] | Argument[0] | lib/module.rb:5:21:5:21 | x | parameter |
+| M1! | Method[self_foo] | Argument[1] | lib/module.rb:5:24:5:24 | y | parameter |
+| M1! | Method[self_foo] | Argument[self] | lib/module.rb:5:3:6:5 | self in self_foo | parameter |
+| OtherLib::A | Method[foo] | Argument[0] | other_lib/lib/other_gem.rb:3:17:3:17 | x | parameter |
+| OtherLib::A | Method[foo] | Argument[1] | other_lib/lib/other_gem.rb:3:20:3:20 | y | parameter |
+| OtherLib::A | Method[foo] | Argument[self] | other_lib/lib/other_gem.rb:3:9:4:11 | self in foo | parameter |
+output
+| A | Method[bar] | Argument[0] | lib/mylib.rb:13:11:13:11 | x | parameter |
+| A | Method[bar] | Argument[self] | lib/mylib.rb:13:3:14:5 | self in bar | parameter |
+| A | Method[foo] | Argument[0] | lib/mylib.rb:7:11:7:11 | x | parameter |
+| A | Method[foo] | Argument[1] | lib/mylib.rb:7:14:7:14 | y | parameter |
+| A | Method[foo] | Argument[2] | lib/mylib.rb:7:17:7:20 | key1 | parameter |
+| A | Method[foo] | Argument[block] | lib/mylib.rb:8:5:8:32 | call to call | parameter |
+| A | Method[foo] | Argument[block] | lib/mylib.rb:10:5:10:26 | yield ... | parameter |
+| A | Method[foo] | Argument[block].Parameter[0] | lib/mylib.rb:8:16:8:16 | x | parameter |
+| A | Method[foo] | Argument[block].Parameter[0] | lib/mylib.rb:10:11:10:11 | x | parameter |
+| A | Method[foo] | Argument[block].Parameter[1] | lib/mylib.rb:8:19:8:19 | y | parameter |
+| A | Method[foo] | Argument[block].Parameter[1] | lib/mylib.rb:10:14:10:14 | y | parameter |
+| A | Method[foo] | Argument[block].Parameter[key2:] | lib/mylib.rb:8:28:8:31 | key1 | parameter |
+| A | Method[foo] | Argument[block].Parameter[key2:] | lib/mylib.rb:10:23:10:26 | key1 | parameter |
+| A | Method[foo] | Argument[key1:] | lib/mylib.rb:7:17:7:20 | key1 | parameter |
+| A | Method[foo] | Argument[self] | lib/mylib.rb:7:3:11:5 | self in foo | parameter |
+| A | Method[foo] | ReturnValue | lib/mylib.rb:10:5:10:26 | yield ... | return |
+| A! | Method[new] | Argument[0] | lib/mylib.rb:4:18:4:18 | x | parameter |
+| A! | Method[new] | Argument[1] | lib/mylib.rb:4:21:4:21 | y | parameter |
+| A! | Method[new] | Argument[self] | lib/mylib.rb:4:3:5:5 | self in initialize | parameter |
+| A! | Method[self_foo] | Argument[0] | lib/mylib.rb:16:21:16:21 | x | parameter |
+| A! | Method[self_foo] | Argument[1] | lib/mylib.rb:16:24:16:24 | y | parameter |
+| A! | Method[self_foo] | Argument[self] | lib/mylib.rb:16:3:17:5 | self in self_foo | parameter |
+| A::ANested | Method[foo] | Argument[0] | lib/mylib.rb:25:13:25:13 | x | parameter |
+| A::ANested | Method[foo] | Argument[1] | lib/mylib.rb:25:16:25:16 | y | parameter |
+| A::ANested | Method[foo] | Argument[self] | lib/mylib.rb:25:5:26:7 | self in foo | parameter |
+| B | Method[foo] | Argument[0] | lib/other.rb:6:11:6:11 | x | parameter |
+| B | Method[foo] | Argument[1] | lib/other.rb:6:14:6:14 | y | parameter |
+| B | Method[foo] | Argument[self] | lib/other.rb:6:3:7:5 | self in foo | parameter |
+| M1 | Method[foo] | Argument[0] | lib/module.rb:2:11:2:11 | x | parameter |
+| M1 | Method[foo] | Argument[1] | lib/module.rb:2:14:2:14 | y | parameter |
+| M1 | Method[foo] | Argument[self] | lib/module.rb:2:3:3:5 | self in foo | parameter |
+| M1! | Method[self_foo] | Argument[0] | lib/module.rb:5:21:5:21 | x | parameter |
+| M1! | Method[self_foo] | Argument[1] | lib/module.rb:5:24:5:24 | y | parameter |
+| M1! | Method[self_foo] | Argument[self] | lib/module.rb:5:3:6:5 | self in self_foo | parameter |
+| OtherLib::A | Method[foo] | Argument[0] | other_lib/lib/other_gem.rb:3:17:3:17 | x | parameter |
+| OtherLib::A | Method[foo] | Argument[1] | other_lib/lib/other_gem.rb:3:20:3:20 | y | parameter |
+| OtherLib::A | Method[foo] | Argument[self] | other_lib/lib/other_gem.rb:3:9:4:11 | self in foo | parameter |

ruby/ql/test/query-tests/utils/modeleditor/FrameworkModeAccessPaths.qlref

@@ -0,0 +1 @@
+utils/modeleditor/FrameworkModeAccessPaths.ql

ruby/ql/test/query-tests/utils/modeleditor/FrameworkModeEndpoints.expected

@@ -1,13 +1,13 @@
 | lib/module.rb:1:1:7:3 | M1 | mylib | M1 |  |  | false | module.rb |  |
 | lib/module.rb:2:3:3:5 | foo | mylib | M1 | foo | (x,y) | false | module.rb |  |
 | lib/module.rb:5:3:6:5 | self_foo | mylib | M1! | self_foo | (x,y) | false | module.rb |  |
-| lib/mylib.rb:3:1:30:3 | A | mylib | A |  |  | false | mylib.rb |  |
+| lib/mylib.rb:3:1:33:3 | A | mylib | A |  |  | false | mylib.rb |  |
 | lib/mylib.rb:4:3:5:5 | initialize | mylib | A! | new | (x,y) | false | mylib.rb |  |
-| lib/mylib.rb:7:3:8:5 | foo | mylib | A | foo | (x,y,key1:) | false | mylib.rb |  |
-| lib/mylib.rb:10:3:11:5 | bar | mylib | A | bar | (x) | false | mylib.rb |  |
-| lib/mylib.rb:13:3:14:5 | self_foo | mylib | A! | self_foo | (x,y) | false | mylib.rb |  |
-| lib/mylib.rb:21:3:29:5 | ANested | mylib | A::ANested |  |  | false | mylib.rb |  |
-| lib/mylib.rb:22:5:23:7 | foo | mylib | A::ANested | foo | (x,y) | false | mylib.rb |  |
+| lib/mylib.rb:7:3:11:5 | foo | mylib | A | foo | (x,y,key1:) | false | mylib.rb |  |
+| lib/mylib.rb:13:3:14:5 | bar | mylib | A | bar | (x) | false | mylib.rb |  |
+| lib/mylib.rb:16:3:17:5 | self_foo | mylib | A! | self_foo | (x,y) | false | mylib.rb |  |
+| lib/mylib.rb:24:3:32:5 | ANested | mylib | A::ANested |  |  | false | mylib.rb |  |
+| lib/mylib.rb:25:5:26:7 | foo | mylib | A::ANested | foo | (x,y) | false | mylib.rb |  |
 | lib/other.rb:3:1:8:3 | B | mylib | B |  |  | false | other.rb |  |
 | lib/other.rb:6:3:7:5 | foo | mylib | B | foo | (x,y) | false | other.rb |  |
 | lib/other.rb:10:1:12:3 | C | mylib | C |  |  | false | other.rb |  |

ruby/ql/test/query-tests/utils/modeleditor/lib/mylib.rb

@@ -5,6 +5,9 @@ class A
   end
 
   def foo(x, y, key1:, **kwargs, &block)
+    block.call(x, y, key2: key1)
+
+    yield x, y, key2: key1
   end
 
   def bar(x, *args)

swift/codeql-extractor.yml

@@ -3,6 +3,9 @@ display_name: "Swift"
 version: 0.1.0
 column_kind: "utf8"
 legacy_qltest_extraction: true
+build_modes:
+  - autobuild
+  - manual
 github_api_languages:
   - Swift
 scc_languages: