Merge branch 'main' into experimental-surprising-lifetimes-for-range-based-for-loop

2025-12-21 19:26:31 +01:00 · 2024-03-18 11:11:32 +00:00
parent e23e3d7fb4 1d12e0c9d9
commit 575af1a5f9
23 changed files with 28960 additions and 28524 deletions
--- a/cpp/ql/lib/change-notes/2024-03-15-switches-in-guard-conditions.md
+++ b/cpp/ql/lib/change-notes/2024-03-15-switches-in-guard-conditions.md
@@ -0,0 +1,4 @@
+---
+category: feature
+---
+* Added a predicate `GuardCondition.valueControls` to query whether a basic block is guarded by a particular `case` of a `switch` statement.
--- a/cpp/ql/lib/semmle/code/cpp/controlflow/IRGuards.qll
+++ b/cpp/ql/lib/semmle/code/cpp/controlflow/IRGuards.qll
@@ -20,6 +20,44 @@ private predicate isUnreachedBlock(IRBlock block) {
  block.getFirstInstruction() instanceof UnreachedInstruction
 }

+private newtype TAbstractValue =
+  TBooleanValue(boolean b) { b = true or b = false } or
+  TMatchValue(CaseEdge c)
+
+/**
+ * An abstract value. This is either a boolean value, or a `switch` case.
+ */
+abstract class AbstractValue extends TAbstractValue {
+  /** Gets an abstract value that represents the dual of this value, if any. */
+  abstract AbstractValue getDualValue();
+
+  /** Gets a textual representation of this abstract value. */
+  abstract string toString();
+}
+
+/** A Boolean value. */
+class BooleanValue extends AbstractValue, TBooleanValue {
+  /** Gets the underlying Boolean value. */
+  boolean getValue() { this = TBooleanValue(result) }
+
+  override BooleanValue getDualValue() { result.getValue() = this.getValue().booleanNot() }
+
+  override string toString() { result = this.getValue().toString() }
+}
+
+/** A value that represents a match against a specific `switch` case. */
+class MatchValue extends AbstractValue, TMatchValue {
+  /** Gets the case. */
+  CaseEdge getCase() { this = TMatchValue(result) }
+
+  override MatchValue getDualValue() {
+    // A `MatchValue` has no dual.
+    none()
+  }
+
+  override string toString() { result = this.getCase().toString() }
+}
+
 /**
 * A Boolean condition in the AST that guards one or more basic blocks. This includes
 * operands of logical operators but not switch statements.
@@ -34,6 +72,15 @@ class GuardCondition extends Expr {
    this.(BinaryLogicalOperation).getAnOperand() instanceof GuardCondition
  }

+  /**
+   * Holds if this condition controls `controlled`, meaning that `controlled` is only
+   * entered if the value of this condition is `v`.
+   *
+   * For details on what "controls" mean, see the QLDoc for `controls`.
+   */
+  cached
+  predicate valueControls(BasicBlock controlled, AbstractValue v) { none() }
+
  /**
   * Holds if this condition controls `controlled`, meaning that `controlled` is only
   * entered if the value of this condition is `testIsTrue`.
@@ -61,7 +108,9 @@ class GuardCondition extends Expr {
   * true (for `&&`) or false (for `||`) branch.
   */
  cached
-  predicate controls(BasicBlock controlled, boolean testIsTrue) { none() }
+  final predicate controls(BasicBlock controlled, boolean testIsTrue) {
+    this.valueControls(controlled, any(BooleanValue bv | bv.getValue() = testIsTrue))
+  }

  /** Holds if (determined by this guard) `left < right + k` evaluates to `isLessThan` if this expression evaluates to `testIsTrue`. */
  cached
@@ -98,13 +147,13 @@ private class GuardConditionFromBinaryLogicalOperator extends GuardCondition {
    this.(BinaryLogicalOperation).getAnOperand() instanceof GuardCondition
  }

-  override predicate controls(BasicBlock controlled, boolean testIsTrue) {
+  override predicate valueControls(BasicBlock controlled, AbstractValue v) {
    exists(BinaryLogicalOperation binop, GuardCondition lhs, GuardCondition rhs |
      this = binop and
      lhs = binop.getLeftOperand() and
      rhs = binop.getRightOperand() and
-      lhs.controls(controlled, testIsTrue) and
-      rhs.controls(controlled, testIsTrue)
+      lhs.valueControls(controlled, v) and
+      rhs.valueControls(controlled, v)
    )
  }

@@ -146,10 +195,10 @@ private class GuardConditionFromIR extends GuardCondition {

  GuardConditionFromIR() { this = ir.getUnconvertedResultExpression() }

-  override predicate controls(BasicBlock controlled, boolean testIsTrue) {
+  override predicate valueControls(BasicBlock controlled, AbstractValue v) {
    // This condition must determine the flow of control; that is, this
    // node must be a top-level condition.
-    this.controlsBlock(controlled, testIsTrue)
+    this.controlsBlock(controlled, v)
  }

  /** Holds if (determined by this guard) `left < right + k` evaluates to `isLessThan` if this expression evaluates to `testIsTrue`. */
@@ -198,13 +247,13 @@ private class GuardConditionFromIR extends GuardCondition {

  /**
   * Holds if this condition controls `block`, meaning that `block` is only
-   * entered if the value of this condition is `testIsTrue`. This helper
+   * entered if the value of this condition is `v`. This helper
   * predicate does not necessarily hold for binary logical operations like
   * `&&` and `||`. See the detailed explanation on predicate `controls`.
   */
-  private predicate controlsBlock(BasicBlock controlled, boolean testIsTrue) {
+  private predicate controlsBlock(BasicBlock controlled, AbstractValue v) {
    exists(IRBlock irb |
-      ir.controls(irb, testIsTrue) and
+      ir.valueControls(irb, v) and
      nonExcludedIRAndBasicBlock(irb, controlled) and
      not isUnreachedBlock(irb)
    )
@@ -249,10 +298,28 @@ private predicate nonExcludedIRAndBasicBlock(IRBlock irb, BasicBlock controlled)
 */
 cached
 class IRGuardCondition extends Instruction {
-  ConditionalBranchInstruction branch;
+  Instruction branch;

  cached
-  IRGuardCondition() { branch = get_branch_for_condition(this) }
+  IRGuardCondition() { branch = getBranchForCondition(this) }
+
+  /**
+   * Holds if this condition controls `controlled`, meaning that `controlled` is only
+   * entered if the value of this condition is `v`.
+   *
+   * For details on what "controls" mean, see the QLDoc for `controls`.
+   */
+  cached
+  predicate valueControls(IRBlock controlled, AbstractValue v) {
+    // This condition must determine the flow of control; that is, this
+    // node must be a top-level condition.
+    this.controlsBlock(controlled, v)
+    or
+    exists(IRGuardCondition ne |
+      this = ne.(LogicalNotInstruction).getUnary() and
+      ne.valueControls(controlled, v.getDualValue())
+    )
+  }

  /**
   * Holds if this condition controls `controlled`, meaning that `controlled` is only
@@ -282,13 +349,25 @@ class IRGuardCondition extends Instruction {
   */
  cached
  predicate controls(IRBlock controlled, boolean testIsTrue) {
-    // This condition must determine the flow of control; that is, this
-    // node must be a top-level condition.
-    this.controlsBlock(controlled, testIsTrue)
+    this.valueControls(controlled, any(BooleanValue bv | bv.getValue() = testIsTrue))
+  }
+
+  /**
+   * Holds if the control-flow edge `(pred, succ)` may be taken only if
+   * the value of this condition is `v`.
+   */
+  cached
+  predicate valueControlsEdge(IRBlock pred, IRBlock succ, AbstractValue v) {
+    pred.getASuccessor() = succ and
+    this.valueControls(pred, v)
    or
-    exists(IRGuardCondition ne |
-      this = ne.(LogicalNotInstruction).getUnary() and
-      ne.controls(controlled, testIsTrue.booleanNot())
+    succ = this.getBranchSuccessor(v) and
+    (
+      branch.(ConditionalBranchInstruction).getCondition() = this and
+      branch.getBlock() = pred
+      or
+      branch.(SwitchInstruction).getExpression() = this and
+      branch.getBlock() = pred
    )
  }

@@ -297,17 +376,12 @@ class IRGuardCondition extends Instruction {
   * the value of this condition is `testIsTrue`.
   */
  cached
-  predicate controlsEdge(IRBlock pred, IRBlock succ, boolean testIsTrue) {
-    pred.getASuccessor() = succ and
-    this.controls(pred, testIsTrue)
-    or
-    succ = this.getBranchSuccessor(testIsTrue) and
-    branch.getCondition() = this and
-    branch.getBlock() = pred
+  final predicate controlsEdge(IRBlock pred, IRBlock succ, boolean testIsTrue) {
+    this.valueControlsEdge(pred, succ, any(BooleanValue bv | bv.getValue() = testIsTrue))
  }

  /**
-   * Gets the block to which `branch` jumps directly when this condition is `testIsTrue`.
+   * Gets the block to which `branch` jumps directly when the value of this condition is `v`.
   *
   * This predicate is intended to help with situations in which an inference can only be made
   * based on an edge between a block with multiple successors and a block with multiple
@@ -321,14 +395,20 @@ class IRGuardCondition extends Instruction {
   * return x;
   * ```
   */
-  private IRBlock getBranchSuccessor(boolean testIsTrue) {
-    branch.getCondition() = this and
-    (
-      testIsTrue = true and
-      result.getFirstInstruction() = branch.getTrueSuccessor()
+  private IRBlock getBranchSuccessor(AbstractValue v) {
+    branch.(ConditionalBranchInstruction).getCondition() = this and
+    exists(BooleanValue bv | bv = v |
+      bv.getValue() = true and
+      result.getFirstInstruction() = branch.(ConditionalBranchInstruction).getTrueSuccessor()
      or
-      testIsTrue = false and
-      result.getFirstInstruction() = branch.getFalseSuccessor()
+      bv.getValue() = false and
+      result.getFirstInstruction() = branch.(ConditionalBranchInstruction).getFalseSuccessor()
+    )
+    or
+    exists(SwitchInstruction switch, CaseEdge kind | switch = branch |
+      switch.getExpression() = this and
+      result.getFirstInstruction() = switch.getSuccessor(kind) and
+      kind = v.(MatchValue).getCase()
    )
  }

@@ -396,11 +476,11 @@ class IRGuardCondition extends Instruction {

  /**
   * Holds if this condition controls `block`, meaning that `block` is only
-   * entered if the value of this condition is `testIsTrue`. This helper
+   * entered if the value of this condition is `v`. This helper
   * predicate does not necessarily hold for binary logical operations like
   * `&&` and `||`. See the detailed explanation on predicate `controls`.
   */
-  private predicate controlsBlock(IRBlock controlled, boolean testIsTrue) {
+  private predicate controlsBlock(IRBlock controlled, AbstractValue v) {
    not isUnreachedBlock(controlled) and
    //
    // For this block to control the block `controlled` with `testIsTrue` the
@@ -441,7 +521,7 @@ class IRGuardCondition extends Instruction {
    // that `this` strictly dominates `controlled` so that isn't necessary to check
    // directly.
    exists(IRBlock succ |
-      succ = this.getBranchSuccessor(testIsTrue) and
+      succ = this.getBranchSuccessor(v) and
      this.hasDominatingEdgeTo(succ) and
      succ.dominates(controlled)
    )
@@ -476,12 +556,14 @@ class IRGuardCondition extends Instruction {
  private IRBlock getBranchBlock() { result = branch.getBlock() }
 }

-private ConditionalBranchInstruction get_branch_for_condition(Instruction guard) {
-  result.getCondition() = guard
+private Instruction getBranchForCondition(Instruction guard) {
+  result.(ConditionalBranchInstruction).getCondition() = guard
  or
  exists(LogicalNotInstruction cond |
-    result = get_branch_for_condition(cond) and cond.getUnary() = guard
+    result = getBranchForCondition(cond) and cond.getUnary() = guard
  )
+  or
+  result.(SwitchInstruction).getExpression() = guard
 }

 /**
--- a/cpp/ql/lib/semmle/code/cpp/models/implementations/Iterator.qll
+++ b/cpp/ql/lib/semmle/code/cpp/models/implementations/Iterator.qll
@@ -9,6 +9,8 @@ import cpp
 import semmle.code.cpp.models.interfaces.Taint
 import semmle.code.cpp.models.interfaces.DataFlow
 import semmle.code.cpp.models.interfaces.Iterator
+import semmle.code.cpp.models.interfaces.Alias
+import semmle.code.cpp.models.interfaces.SideEffect

 /**
 * An instantiation of the `std::iterator_traits` template.
@@ -449,7 +451,7 @@ class BeginOrEndFunction extends MemberFunction {
 }

 private class BeginOrEndFunctionModels extends BeginOrEndFunction, TaintFunction,
-  GetIteratorFunction
+  GetIteratorFunction, AliasFunction, SideEffectFunction
 {
  override predicate hasTaintFlow(FunctionInput input, FunctionOutput output) {
    input.isQualifierObject() and
@@ -460,6 +462,22 @@ private class BeginOrEndFunctionModels extends BeginOrEndFunction, TaintFunction
    input.isQualifierObject() and
    output.isReturnValue()
  }
+
+  override predicate parameterNeverEscapes(int index) { index = -1 }
+
+  override predicate parameterEscapesOnlyViaReturn(int index) { none() }
+
+  override predicate hasOnlySpecificReadSideEffects() { any() }
+
+  override predicate hasOnlySpecificWriteSideEffects() { any() }
+
+  override predicate hasSpecificWriteSideEffect(ParameterIndex i, boolean buffer, boolean mustWrite) {
+    none()
+  }
+
+  override predicate hasSpecificReadSideEffect(ParameterIndex i, boolean buffer) {
+    i = -1 and buffer = false
+  }
 }

 /**
--- a/cpp/ql/test/library-tests/controlflow/guards/Guards.expected
+++ b/cpp/ql/test/library-tests/controlflow/guards/Guards.expected
@@ -29,3 +29,6 @@
 | test.cpp:18:8:18:10 | call to get |
 | test.cpp:31:7:31:13 | ... == ... |
 | test.cpp:42:13:42:20 | call to getABool |
+| test.cpp:61:10:61:10 | i |
+| test.cpp:74:10:74:10 | i |
+| test.cpp:84:10:84:10 | i |
--- a/cpp/ql/test/library-tests/controlflow/guards/GuardsControl.expected
+++ b/cpp/ql/test/library-tests/controlflow/guards/GuardsControl.expected
@@ -86,3 +86,7 @@
 | test.cpp:31:7:31:13 | ... == ... | true | 31 | 32 |
 | test.cpp:42:13:42:20 | call to getABool | false | 53 | 53 |
 | test.cpp:42:13:42:20 | call to getABool | true | 43 | 45 |
+| test.cpp:61:10:61:10 | i | Case[0] | 62 | 64 |
+| test.cpp:61:10:61:10 | i | Case[1] | 65 | 66 |
+| test.cpp:74:10:74:10 | i | Case[0..10] | 75 | 77 |
+| test.cpp:74:10:74:10 | i | Case[11..20] | 78 | 79 |
--- a/cpp/ql/test/library-tests/controlflow/guards/GuardsControl.ql
+++ b/cpp/ql/test/library-tests/controlflow/guards/GuardsControl.ql
@@ -7,10 +7,10 @@
 import cpp
 import semmle.code.cpp.controlflow.Guards

-from GuardCondition guard, boolean sense, int start, int end
+from GuardCondition guard, AbstractValue value, int start, int end
 where
  exists(BasicBlock block |
-    guard.controls(block, sense) and
+    guard.valueControls(block, value) and
    block.hasLocationInfo(_, start, _, end, _)
  )
-select guard, sense, start, end
+select guard, value, start, end
--- a/cpp/ql/test/library-tests/controlflow/guards/test.cpp
+++ b/cpp/ql/test/library-tests/controlflow/guards/test.cpp
@@ -52,3 +52,37 @@ bool testWithCatch0(int v)

    return false;
 }
+
+void use1(int);
+void use2(int);
+void use3(int);
+
+void test_switches_simple(int i) {
+  switch(i) {
+    case 0:
+      use1(i);
+      break;
+    case 1:
+      use2(i);
+      /* NOTE: fallthrough */
+    case 2:
+      use3(i);
+  }
+}
+
+void test_switches_range(int i) {
+  switch(i) {
+    case 0 ... 10:
+      use1(i);
+      break;
+    case 11 ... 20:
+      use2(i);
+  }
+}
+
+void test_switches_default(int i) {
+  switch(i) {
+    default:
+      use1(i);
+  }
+}
--- a/cpp/ql/test/library-tests/ir/ir/PrintAST.expected
+++ b/cpp/ql/test/library-tests/ir/ir/PrintAST.expected
--- a/cpp/ql/test/library-tests/ir/ir/aliased_ir.expected
+++ b/cpp/ql/test/library-tests/ir/ir/aliased_ir.expected
--- a/cpp/ql/test/library-tests/ir/ir/ir.cpp
+++ b/cpp/ql/test/library-tests/ir/ir/ir.cpp
@@ -1055,28 +1055,75 @@ void Lambda(int x, const String& s) {
  lambda_inits(6);
 }

-template<typename T>
-struct vector {
-    struct iterator {
-        T* p;
-        iterator& operator++();
-        T& operator*() const;
+namespace std {
+    template<class T>
+    struct remove_const { typedef T type; };

-        bool operator!=(iterator right) const;
+    template<class T>
+    struct remove_const<const T> { typedef T type; };
+
+    // `remove_const_t<T>` removes any `const` specifier from `T`
+    template<class T>
+    using remove_const_t = typename remove_const<T>::type;
+
+    struct ptrdiff_t;
+
+    template<class I> struct iterator_traits;
+
+    template <class Category,
+              class value_type,
+              class difference_type = ptrdiff_t,
+              class pointer_type = value_type*,
+              class reference_type = value_type&>
+    struct iterator {
+        typedef Category iterator_category;
+
+        iterator();
+        iterator(iterator<Category, remove_const_t<value_type> > const &other); // non-const -> const conversion constructor
+
+        iterator &operator++();
+        iterator operator++(int);
+        iterator &operator--();
+        iterator operator--(int);
+        bool operator==(iterator other) const;
+        bool operator!=(iterator other) const;
+        reference_type operator*() const;
+        pointer_type operator->() const;
+        iterator operator+(int);
+        iterator operator-(int);
+        iterator &operator+=(int);
+        iterator &operator-=(int);
+        int operator-(iterator);
+        reference_type operator[](int);
    };

+    struct input_iterator_tag {};
+    struct forward_iterator_tag : public input_iterator_tag {};
+    struct bidirectional_iterator_tag : public forward_iterator_tag {};
+    struct random_access_iterator_tag : public bidirectional_iterator_tag {};
+
+    struct output_iterator_tag {};
+
+    template<typename T>
+    struct vector {
        vector(T);
        ~vector();
+
+        using iterator = std::iterator<random_access_iterator_tag, T>;
+        using const_iterator = std::iterator<random_access_iterator_tag, const T>;
+
        iterator begin() const;
        iterator end() const;
-};
+    };

-template<typename T>
-bool operator==(typename vector<T>::iterator left, typename vector<T>::iterator right);
-template<typename T>
-bool operator!=(typename vector<T>::iterator left, typename vector<T>::iterator right);
+    template<typename T>
+    bool operator==(typename vector<T>::iterator left, typename vector<T>::iterator right);
+    template<typename T>
+    bool operator!=(typename vector<T>::iterator left, typename vector<T>::iterator right);

-void RangeBasedFor(const vector<int>& v) {
+}
+
+void RangeBasedFor(const std::vector<int>& v) {
    for (int e : v) {
        if (e > 0) {
            continue;
@@ -2151,21 +2198,21 @@ void initialization_with_destructor(bool b, char c) {
    }

    ClassWithDestructor x;
-    for(vector<ClassWithDestructor> ys(x); ClassWithDestructor y : ys)
+    for(std::vector<ClassWithDestructor> ys(x); ClassWithDestructor y : ys)
      y.set_x('a');

-    for(vector<ClassWithDestructor> ys(x); ClassWithDestructor y : ys) {
+    for(std::vector<ClassWithDestructor> ys(x); ClassWithDestructor y : ys) {
      y.set_x('a');
      if (y.get_x() == 'b')
        return;
    }

-    for(vector<int> ys(1); int y : ys) {
+    for(std::vector<int> ys(1); int y : ys) {
      if (y == 1)
        return;
    }

-    for(vector<ClassWithDestructor> ys(x); ClassWithDestructor y : ys) {
+    for(std::vector<ClassWithDestructor> ys(x); ClassWithDestructor y : ys) {
      ClassWithDestructor z1;
      ClassWithDestructor z2;
    }
@@ -2243,7 +2290,7 @@ void ForDestructors() {
        String s2;
    }

-    for(String s : vector<String>(String("hello"))) {
+    for(String s : std::vector<String>(String("hello"))) {
        String s2;
    }
    
--- a/cpp/ql/test/library-tests/ir/ir/operand_locations.expected
+++ b/cpp/ql/test/library-tests/ir/ir/operand_locations.expected
--- a/cpp/ql/test/library-tests/ir/ir/raw_consistency.expected
+++ b/cpp/ql/test/library-tests/ir/ir/raw_consistency.expected
@@ -20,7 +20,7 @@ multipleIRTypes
 lostReachability
 backEdgeCountMismatch
 useNotDominatedByDefinition
-| ir.cpp:1488:8:1488:8 | Unary | Operand 'Unary' is not dominated by its definition in function '$@'. | ir.cpp:1488:8:1488:8 | void StructuredBindingDataMemberStruct::StructuredBindingDataMemberStruct() | void StructuredBindingDataMemberStruct::StructuredBindingDataMemberStruct() |
+| ir.cpp:1535:8:1535:8 | Unary | Operand 'Unary' is not dominated by its definition in function '$@'. | ir.cpp:1535:8:1535:8 | void StructuredBindingDataMemberStruct::StructuredBindingDataMemberStruct() | void StructuredBindingDataMemberStruct::StructuredBindingDataMemberStruct() |
 | try_except.c:13:13:13:13 | Left | Operand 'Left' is not dominated by its definition in function '$@'. | try_except.c:6:6:6:6 | void f() | void f() |
 | try_except.c:13:13:13:13 | Left | Operand 'Left' is not dominated by its definition in function '$@'. | try_except.c:6:6:6:6 | void f() | void f() |
 | try_except.c:39:15:39:15 | Left | Operand 'Left' is not dominated by its definition in function '$@'. | try_except.c:32:6:32:6 | void h(int) | void h(int) |
--- a/cpp/ql/test/library-tests/ir/ir/raw_ir.expected
+++ b/cpp/ql/test/library-tests/ir/ir/raw_ir.expected
--- a/csharp/ql/lib/semmle/code/csharp/security/dataflow/flowsources/Local.qll
+++ b/csharp/ql/lib/semmle/code/csharp/security/dataflow/flowsources/Local.qll
@@ -40,6 +40,10 @@ abstract class EnvironmentVariableSource extends LocalFlowSource {
  override string getSourceType() { result = "environment variable" }
 }

+private class ExternalEnvironmentVariableSource extends EnvironmentVariableSource {
+  ExternalEnvironmentVariableSource() { sourceNode(this, "environment") }
+}
+
 /**
 * A dataflow source that represents the access of a command line argument.
 */
@@ -49,6 +53,10 @@ abstract class CommandLineArgumentSource extends LocalFlowSource {
  override string getSourceType() { result = "command line argument" }
 }

+private class ExternalCommandLineArgumentSource extends CommandLineArgumentSource {
+  ExternalCommandLineArgumentSource() { sourceNode(this, "command-line") }
+}
+
 /**
 * A data flow source that represents the parameters of the `Main` method of a program.
 */
--- a/csharp/ql/lib/semmle/code/csharp/security/dataflow/flowsources/Stored.qll
+++ b/csharp/ql/lib/semmle/code/csharp/security/dataflow/flowsources/Stored.qll
@@ -73,6 +73,10 @@ deprecated class ORMMappedProperty extends DataFlow::Node {
  }
 }

+private class ExternalDatabaseInputSource extends DatabaseInputSource {
+  ExternalDatabaseInputSource() { sourceNode(this, "database") }
+}
+
 /** A file stream source is considered a stored flow source. */
 class FileStreamStoredFlowSource extends StoredFlowSource {
  FileStreamStoredFlowSource() { sourceNode(this, "file") }
--- a/csharp/ql/test/library-tests/dataflow/global/DataFlowPath.expected
+++ b/csharp/ql/test/library-tests/dataflow/global/DataFlowPath.expected
@@ -1,27 +1,17 @@
 edges
-| Capture.cs:7:20:7:26 | tainted : String | Capture.cs:9:9:13:9 | CaptureIn1(...) : CaptureIn1 [captured tainted] : String | provenance |  |
 | Capture.cs:7:20:7:26 | tainted : String | Capture.cs:14:9:14:18 | access to local function CaptureIn1 : CaptureIn1 [captured tainted] : String | provenance |  |
-| Capture.cs:7:20:7:26 | tainted : String | Capture.cs:16:9:24:9 | CaptureIn2(...) : CaptureIn2 [captured tainted] : String | provenance |  |
 | Capture.cs:7:20:7:26 | tainted : String | Capture.cs:25:9:25:18 | access to local function CaptureIn2 : CaptureIn2 [captured tainted] : String | provenance |  |
-| Capture.cs:7:20:7:26 | tainted : String | Capture.cs:27:43:32:9 | (...) => ... : (...) => ... [captured tainted] : String | provenance |  |
 | Capture.cs:7:20:7:26 | tainted : String | Capture.cs:33:30:33:39 | access to local variable captureIn3 : Func<String,String> [captured tainted] : String | provenance |  |
 | Capture.cs:7:20:7:26 | tainted : String | Capture.cs:61:36:61:42 | access to parameter tainted : String | provenance |  |
-| Capture.cs:9:9:13:9 | CaptureIn1(...) : CaptureIn1 [captured tainted] : String | Capture.cs:14:9:14:18 | access to local function CaptureIn1 : CaptureIn1 [captured tainted] : String | provenance |  |
 | Capture.cs:11:17:11:22 | access to local variable sink27 : String | Capture.cs:12:19:12:24 | access to local variable sink27 | provenance |  |
 | Capture.cs:11:26:11:32 | access to parameter tainted : String | Capture.cs:11:17:11:22 | access to local variable sink27 : String | provenance |  |
 | Capture.cs:14:9:14:18 | access to local function CaptureIn1 : CaptureIn1 [captured tainted] : String | Capture.cs:11:26:11:32 | access to parameter tainted : String | provenance |  |
-| Capture.cs:16:9:24:9 | CaptureIn2(...) : CaptureIn2 [captured tainted] : String | Capture.cs:25:9:25:18 | access to local function CaptureIn2 : CaptureIn2 [captured tainted] : String | provenance |  |
-| Capture.cs:18:13:22:13 | M(...) : M [captured tainted] : String | Capture.cs:23:13:23:13 | access to local function M : M [captured tainted] : String | provenance |  |
 | Capture.cs:20:21:20:26 | access to local variable sink28 : String | Capture.cs:21:23:21:28 | access to local variable sink28 | provenance |  |
 | Capture.cs:20:30:20:36 | access to parameter tainted : String | Capture.cs:20:21:20:26 | access to local variable sink28 : String | provenance |  |
 | Capture.cs:23:13:23:13 | access to local function M : M [captured tainted] : String | Capture.cs:20:30:20:36 | access to parameter tainted : String | provenance |  |
-| Capture.cs:25:9:25:18 | access to local function CaptureIn2 : CaptureIn2 [captured tainted] : String | Capture.cs:18:13:22:13 | M(...) : M [captured tainted] : String | provenance |  |
 | Capture.cs:25:9:25:18 | access to local function CaptureIn2 : CaptureIn2 [captured tainted] : String | Capture.cs:23:13:23:13 | access to local function M : M [captured tainted] : String | provenance |  |
-| Capture.cs:27:30:27:39 | access to local variable captureIn3 : (...) => ... [captured tainted] : String | Capture.cs:33:30:33:39 | access to local variable captureIn3 : (...) => ... [captured tainted] : String | provenance |  |
-| Capture.cs:27:43:32:9 | (...) => ... : (...) => ... [captured tainted] : String | Capture.cs:27:30:27:39 | access to local variable captureIn3 : (...) => ... [captured tainted] : String | provenance |  |
 | Capture.cs:29:17:29:22 | access to local variable sink29 : String | Capture.cs:30:19:30:24 | access to local variable sink29 | provenance |  |
 | Capture.cs:29:26:29:32 | access to parameter tainted : String | Capture.cs:29:17:29:22 | access to local variable sink29 : String | provenance |  |
-| Capture.cs:33:30:33:39 | access to local variable captureIn3 : (...) => ... [captured tainted] : String | Capture.cs:29:26:29:32 | access to parameter tainted : String | provenance |  |
 | Capture.cs:33:30:33:39 | access to local variable captureIn3 : Func<String,String> [captured tainted] : String | Capture.cs:29:26:29:32 | access to parameter tainted : String | provenance |  |
 | Capture.cs:50:50:50:55 | sink39 : String | Capture.cs:52:23:59:13 | (...) => ... : (...) => ... [captured sink39] : String | provenance |  |
 | Capture.cs:52:23:59:13 | (...) => ... : (...) => ... [captured sink39] : String | Capture.cs:350:34:350:34 | a : (...) => ... [captured sink39] : String | provenance |  |
@@ -37,28 +27,18 @@ edges
 | Capture.cs:114:23:117:13 | [post] (...) => ... : (...) => ... [captured sink40] : String | Capture.cs:123:9:123:33 | [post] access to local function CaptureOutMultipleLambdas : CaptureOutMultipleLambdas [captured sink40] : String | provenance |  |
 | Capture.cs:116:26:116:39 | "taint source" : String | Capture.cs:352:9:352:9 | [post] access to parameter a : (...) => ... [captured sink40] : String | provenance |  |
 | Capture.cs:123:9:123:33 | [post] access to local function CaptureOutMultipleLambdas : CaptureOutMultipleLambdas [captured sink40] : String | Capture.cs:124:15:124:20 | access to local variable sink40 | provenance |  |
-| Capture.cs:127:25:127:31 | tainted : String | Capture.cs:130:9:133:9 | CaptureThrough1(...) : CaptureThrough1 [captured tainted] : String | provenance |  |
 | Capture.cs:127:25:127:31 | tainted : String | Capture.cs:134:9:134:23 | access to local function CaptureThrough1 : CaptureThrough1 [captured tainted] : String | provenance |  |
-| Capture.cs:127:25:127:31 | tainted : String | Capture.cs:138:9:145:9 | CaptureThrough2(...) : CaptureThrough2 [captured tainted] : String | provenance |  |
 | Capture.cs:127:25:127:31 | tainted : String | Capture.cs:146:9:146:23 | access to local function CaptureThrough2 : CaptureThrough2 [captured tainted] : String | provenance |  |
-| Capture.cs:127:25:127:31 | tainted : String | Capture.cs:150:48:154:9 | (...) => ... : (...) => ... [captured tainted] : String | provenance |  |
 | Capture.cs:127:25:127:31 | tainted : String | Capture.cs:155:30:155:44 | access to local variable captureThrough3 : Func<String,String> [captured tainted] : String | provenance |  |
-| Capture.cs:127:25:127:31 | tainted : String | Capture.cs:158:9:161:9 | CaptureThrough4(...) : CaptureThrough4 [captured tainted] : String | provenance |  |
 | Capture.cs:127:25:127:31 | tainted : String | Capture.cs:162:22:162:36 | access to local function CaptureThrough4 : CaptureThrough4 [captured tainted] : String | provenance |  |
 | Capture.cs:127:25:127:31 | tainted : String | Capture.cs:170:25:170:31 | access to parameter tainted : String | provenance |  |
 | Capture.cs:127:25:127:31 | tainted : String | Capture.cs:196:25:196:31 | access to parameter tainted : String | provenance |  |
-| Capture.cs:130:9:133:9 | CaptureThrough1(...) : CaptureThrough1 [captured tainted] : String | Capture.cs:134:9:134:23 | access to local function CaptureThrough1 : CaptureThrough1 [captured tainted] : String | provenance |  |
 | Capture.cs:134:9:134:23 | [post] access to local function CaptureThrough1 : CaptureThrough1 [captured sink33] : String | Capture.cs:135:15:135:20 | access to local variable sink33 | provenance |  |
 | Capture.cs:134:9:134:23 | access to local function CaptureThrough1 : CaptureThrough1 [captured tainted] : String | Capture.cs:134:9:134:23 | [post] access to local function CaptureThrough1 : CaptureThrough1 [captured sink33] : String | provenance |  |
-| Capture.cs:138:9:145:9 | CaptureThrough2(...) : CaptureThrough2 [captured tainted] : String | Capture.cs:146:9:146:23 | access to local function CaptureThrough2 : CaptureThrough2 [captured tainted] : String | provenance |  |
 | Capture.cs:146:9:146:23 | [post] access to local function CaptureThrough2 : CaptureThrough2 [captured sink34] : String | Capture.cs:147:15:147:20 | access to local variable sink34 | provenance |  |
 | Capture.cs:146:9:146:23 | access to local function CaptureThrough2 : CaptureThrough2 [captured tainted] : String | Capture.cs:146:9:146:23 | [post] access to local function CaptureThrough2 : CaptureThrough2 [captured sink34] : String | provenance |  |
-| Capture.cs:150:30:150:44 | access to local variable captureThrough3 : (...) => ... [captured tainted] : String | Capture.cs:155:30:155:44 | access to local variable captureThrough3 : (...) => ... [captured tainted] : String | provenance |  |
-| Capture.cs:150:48:154:9 | (...) => ... : (...) => ... [captured tainted] : String | Capture.cs:150:30:150:44 | access to local variable captureThrough3 : (...) => ... [captured tainted] : String | provenance |  |
 | Capture.cs:155:30:155:44 | [post] access to local variable captureThrough3 : (...) => ... [captured sink35] : String | Capture.cs:156:15:156:20 | access to local variable sink35 | provenance |  |
-| Capture.cs:155:30:155:44 | access to local variable captureThrough3 : (...) => ... [captured tainted] : String | Capture.cs:155:30:155:44 | [post] access to local variable captureThrough3 : (...) => ... [captured sink35] : String | provenance |  |
 | Capture.cs:155:30:155:44 | access to local variable captureThrough3 : Func<String,String> [captured tainted] : String | Capture.cs:155:30:155:44 | [post] access to local variable captureThrough3 : (...) => ... [captured sink35] : String | provenance |  |
-| Capture.cs:158:9:161:9 | CaptureThrough4(...) : CaptureThrough4 [captured tainted] : String | Capture.cs:162:22:162:36 | access to local function CaptureThrough4 : CaptureThrough4 [captured tainted] : String | provenance |  |
 | Capture.cs:162:13:162:18 | access to local variable sink36 : String | Capture.cs:163:15:163:20 | access to local variable sink36 | provenance |  |
 | Capture.cs:162:22:162:36 | access to local function CaptureThrough4 : CaptureThrough4 [captured tainted] : String | Capture.cs:162:22:162:38 | call to local function CaptureThrough4 : String | provenance |  |
 | Capture.cs:162:22:162:38 | call to local function CaptureThrough4 : String | Capture.cs:162:13:162:18 | access to local variable sink36 : String | provenance |  |
@@ -66,19 +46,13 @@ edges
 | Capture.cs:170:9:170:23 | [post] access to local function CaptureThrough5 : CaptureThrough5 [captured sink37] : String | Capture.cs:171:15:171:20 | access to local variable sink37 | provenance |  |
 | Capture.cs:170:25:170:31 | access to parameter tainted : String | Capture.cs:166:37:166:37 | p : String | provenance |  |
 | Capture.cs:170:25:170:31 | access to parameter tainted : String | Capture.cs:170:9:170:23 | [post] access to local function CaptureThrough5 : CaptureThrough5 [captured sink37] : String | provenance |  |
-| Capture.cs:190:26:190:26 | s : String | Capture.cs:192:13:192:28 | M(...) : M [captured s] : String | provenance |  |
 | Capture.cs:190:26:190:26 | s : String | Capture.cs:193:20:193:20 | access to local function M : M [captured s] : String | provenance |  |
-| Capture.cs:192:13:192:28 | M(...) : M [captured s] : String | Capture.cs:193:20:193:20 | access to local function M : M [captured s] : String | provenance |  |
 | Capture.cs:193:20:193:20 | access to local function M : M [captured s] : String | Capture.cs:193:20:193:22 | call to local function M : String | provenance |  |
 | Capture.cs:196:13:196:18 | access to local variable sink38 : String | Capture.cs:197:15:197:20 | access to local variable sink38 | provenance |  |
 | Capture.cs:196:22:196:32 | call to local function Id : String | Capture.cs:196:13:196:18 | access to local variable sink38 : String | provenance |  |
 | Capture.cs:196:25:196:31 | access to parameter tainted : String | Capture.cs:190:26:190:26 | s : String | provenance |  |
 | Capture.cs:196:25:196:31 | access to parameter tainted : String | Capture.cs:196:22:196:32 | call to local function Id : String | provenance |  |
-| Capture.cs:202:20:202:20 | s : String | Capture.cs:204:20:207:9 | (...) => ... : (...) => ... [captured s] : String | provenance |  |
 | Capture.cs:202:20:202:20 | s : String | Capture.cs:208:9:208:9 | access to local variable a : Action [captured s] : String | provenance |  |
-| Capture.cs:204:16:204:16 | access to local variable a : (...) => ... [captured s] : String | Capture.cs:208:9:208:9 | access to local variable a : (...) => ... [captured s] : String | provenance |  |
-| Capture.cs:204:20:207:9 | (...) => ... : (...) => ... [captured s] : String | Capture.cs:204:16:204:16 | access to local variable a : (...) => ... [captured s] : String | provenance |  |
-| Capture.cs:208:9:208:9 | access to local variable a : (...) => ... [captured s] : String | Capture.cs:206:19:206:19 | access to parameter s | provenance |  |
 | Capture.cs:208:9:208:9 | access to local variable a : Action [captured s] : String | Capture.cs:206:19:206:19 | access to parameter s | provenance |  |
 | Capture.cs:211:21:211:34 | "taint source" : String | Capture.cs:202:20:202:20 | s : String | provenance |  |
 | Capture.cs:213:22:213:22 | s : String | Capture.cs:215:16:218:9 | (...) => ... : (...) => ... [captured s] : String | provenance |  |
@@ -93,17 +67,13 @@ edges
 | Capture.cs:229:20:233:9 | (...) => ... : (...) => ... [captured x] : String | Capture.cs:231:19:231:19 | access to local variable x | provenance |  |
 | Capture.cs:229:20:233:9 | [post] (...) => ... : (...) => ... [captured x] : String | Capture.cs:234:15:234:15 | access to local variable x | provenance |  |
 | Capture.cs:232:17:232:30 | "taint source" : String | Capture.cs:229:20:233:9 | [post] (...) => ... : (...) => ... [captured x] : String | provenance |  |
-| Capture.cs:242:9:242:9 | [post] access to local variable c : Capture [field Field] : String | Capture.cs:244:20:248:9 | (...) => ... : (...) => ... [captured c, field Field] : String | provenance |  |
 | Capture.cs:242:9:242:9 | [post] access to local variable c : Capture [field Field] : String | Capture.cs:249:9:249:9 | access to local variable a : Action [captured c, field Field] : String | provenance |  |
 | Capture.cs:242:9:242:9 | [post] access to local variable c : Capture [field Field] : String | Capture.cs:251:15:251:15 | access to local variable c : Capture [field Field] : String | provenance |  |
 | Capture.cs:242:19:242:32 | "taint source" : String | Capture.cs:242:9:242:9 | [post] access to local variable c : Capture [field Field] : String | provenance |  |
-| Capture.cs:244:16:244:16 | access to local variable a : (...) => ... [captured c, field Field] : String | Capture.cs:249:9:249:9 | access to local variable a : (...) => ... [captured c, field Field] : String | provenance |  |
-| Capture.cs:244:20:248:9 | (...) => ... : (...) => ... [captured c, field Field] : String | Capture.cs:244:16:244:16 | access to local variable a : (...) => ... [captured c, field Field] : String | provenance |  |
 | Capture.cs:246:19:246:19 | access to local variable c : Capture [field Field] : String | Capture.cs:246:19:246:25 | access to field Field | provenance |  |
 | Capture.cs:247:13:247:13 | [post] access to local variable c : Capture [field Field] : String | Capture.cs:249:9:249:9 | [post] access to local variable a : (...) => ... [captured c, field Field] : String | provenance |  |
 | Capture.cs:247:23:247:36 | "taint source" : String | Capture.cs:247:13:247:13 | [post] access to local variable c : Capture [field Field] : String | provenance |  |
 | Capture.cs:249:9:249:9 | [post] access to local variable a : (...) => ... [captured c, field Field] : String | Capture.cs:251:15:251:15 | access to local variable c : Capture [field Field] : String | provenance |  |
-| Capture.cs:249:9:249:9 | access to local variable a : (...) => ... [captured c, field Field] : String | Capture.cs:246:19:246:19 | access to local variable c : Capture [field Field] : String | provenance |  |
 | Capture.cs:249:9:249:9 | access to local variable a : Action [captured c, field Field] : String | Capture.cs:246:19:246:19 | access to local variable c : Capture [field Field] : String | provenance |  |
 | Capture.cs:251:15:251:15 | access to local variable c : Capture [field Field] : String | Capture.cs:251:15:251:21 | access to field Field | provenance |  |
 | Capture.cs:264:13:264:13 | [post] access to local variable c : Capture [field Field] : String | Capture.cs:266:9:266:9 | [post] access to local variable a : (...) => ... [captured c, field Field] : String | provenance |  |
@@ -112,52 +82,30 @@ edges
 | Capture.cs:268:15:268:15 | access to local variable c : Capture [field Field] : String | Capture.cs:268:15:268:21 | access to field Field | provenance |  |
 | Capture.cs:273:19:273:19 | x : String | Capture.cs:273:30:273:30 | access to parameter x | provenance |  |
 | Capture.cs:273:34:273:47 | "taint source" : String | Capture.cs:355:45:355:45 | x : String | provenance |  |
-| Capture.cs:278:17:278:30 | "taint source" : String | Capture.cs:280:25:288:9 | (...) => ... : (...) => ... [captured x] : String | provenance |  |
 | Capture.cs:278:17:278:30 | "taint source" : String | Capture.cs:290:9:290:14 | access to local variable middle : Action [captured x] : String | provenance |  |
 | Capture.cs:278:17:278:30 | "taint source" : String | Capture.cs:292:15:292:15 | access to local variable x | provenance |  |
-| Capture.cs:280:16:280:21 | access to local variable middle : (...) => ... [captured x] : String | Capture.cs:290:9:290:14 | access to local variable middle : (...) => ... [captured x] : String | provenance |  |
-| Capture.cs:280:25:288:9 | (...) => ... : (...) => ... [captured x] : String | Capture.cs:280:16:280:21 | access to local variable middle : (...) => ... [captured x] : String | provenance |  |
-| Capture.cs:282:20:282:24 | access to local variable inner : (...) => ... [captured x] : String | Capture.cs:287:13:287:17 | access to local variable inner : (...) => ... [captured x] : String | provenance |  |
-| Capture.cs:282:28:286:13 | (...) => ... : (...) => ... [captured x] : String | Capture.cs:282:20:282:24 | access to local variable inner : (...) => ... [captured x] : String | provenance |  |
 | Capture.cs:285:21:285:34 | "taint source" : String | Capture.cs:287:13:287:17 | [post] access to local variable inner : (...) => ... [captured x] : String | provenance |  |
 | Capture.cs:287:13:287:17 | [post] access to local variable inner : (...) => ... [captured x] : String | Capture.cs:290:9:290:14 | [post] access to local variable middle : (...) => ... [captured x] : String | provenance |  |
-| Capture.cs:287:13:287:17 | access to local variable inner : (...) => ... [captured x] : String | Capture.cs:284:23:284:23 | access to local variable x | provenance |  |
 | Capture.cs:287:13:287:17 | access to local variable inner : Action [captured x] : String | Capture.cs:284:23:284:23 | access to local variable x | provenance |  |
 | Capture.cs:290:9:290:14 | [post] access to local variable middle : (...) => ... [captured x] : String | Capture.cs:292:15:292:15 | access to local variable x | provenance |  |
-| Capture.cs:290:9:290:14 | access to local variable middle : (...) => ... [captured x] : String | Capture.cs:282:28:286:13 | (...) => ... : (...) => ... [captured x] : String | provenance |  |
-| Capture.cs:290:9:290:14 | access to local variable middle : (...) => ... [captured x] : String | Capture.cs:287:13:287:17 | access to local variable inner : Action [captured x] : String | provenance |  |
-| Capture.cs:290:9:290:14 | access to local variable middle : Action [captured x] : String | Capture.cs:282:28:286:13 | (...) => ... : (...) => ... [captured x] : String | provenance |  |
 | Capture.cs:290:9:290:14 | access to local variable middle : Action [captured x] : String | Capture.cs:287:13:287:17 | access to local variable inner : Action [captured x] : String | provenance |  |
-| Capture.cs:297:9:297:12 | [post] this access : Capture [field Field] : String | Capture.cs:299:20:303:9 | (...) => ... : (...) => ... [captured this in M10, field Field] : String | provenance |  |
 | Capture.cs:297:9:297:12 | [post] this access : Capture [field Field] : String | Capture.cs:304:9:304:9 | access to local variable a : Action [captured this in M10, field Field] : String | provenance |  |
 | Capture.cs:297:9:297:12 | [post] this access : Capture [field Field] : String | Capture.cs:306:15:306:18 | this access : Capture [field Field] : String | provenance |  |
 | Capture.cs:297:22:297:35 | "taint source" : String | Capture.cs:297:9:297:12 | [post] this access : Capture [field Field] : String | provenance |  |
-| Capture.cs:299:16:299:16 | access to local variable a : (...) => ... [captured this in M10, field Field] : String | Capture.cs:304:9:304:9 | access to local variable a : (...) => ... [captured this in M10, field Field] : String | provenance |  |
-| Capture.cs:299:20:303:9 | (...) => ... : (...) => ... [captured this in M10, field Field] : String | Capture.cs:299:16:299:16 | access to local variable a : (...) => ... [captured this in M10, field Field] : String | provenance |  |
 | Capture.cs:301:19:301:22 | this access : Capture [field Field] : String | Capture.cs:301:19:301:28 | access to field Field | provenance |  |
 | Capture.cs:302:13:302:16 | [post] this access : Capture [field Field] : String | Capture.cs:304:9:304:9 | [post] access to local variable a : (...) => ... [captured this in M10, field Field] : String | provenance |  |
 | Capture.cs:302:26:302:39 | "taint source" : String | Capture.cs:302:13:302:16 | [post] this access : Capture [field Field] : String | provenance |  |
 | Capture.cs:304:9:304:9 | [post] access to local variable a : (...) => ... [captured this in M10, field Field] : String | Capture.cs:306:15:306:18 | this access : Capture [field Field] : String | provenance |  |
-| Capture.cs:304:9:304:9 | access to local variable a : (...) => ... [captured this in M10, field Field] : String | Capture.cs:301:19:301:22 | this access : Capture [field Field] : String | provenance |  |
 | Capture.cs:304:9:304:9 | access to local variable a : Action [captured this in M10, field Field] : String | Capture.cs:301:19:301:22 | this access : Capture [field Field] : String | provenance |  |
 | Capture.cs:306:15:306:18 | this access : Capture [field Field] : String | Capture.cs:306:15:306:24 | access to field Field | provenance |  |
 | Capture.cs:311:17:311:30 | "taint source" : String | Capture.cs:312:15:312:15 | access to local variable x | provenance |  |
 | Capture.cs:318:17:318:30 | "taint source" : String | Capture.cs:319:19:319:19 | access to local variable x | provenance |  |
-| Capture.cs:328:17:328:30 | "taint source" : String | Capture.cs:330:9:330:49 | CapturedLocalFunction(...) : CapturedLocalFunction [captured x] : String | provenance |  |
-| Capture.cs:328:17:328:30 | "taint source" : String | Capture.cs:332:9:332:65 | CapturingLocalFunction(...) : CapturingLocalFunction [captured x] : String | provenance |  |
 | Capture.cs:328:17:328:30 | "taint source" : String | Capture.cs:334:9:334:30 | access to local function CapturingLocalFunction : CapturingLocalFunction [captured x] : String | provenance |  |
-| Capture.cs:330:9:330:49 | CapturedLocalFunction(...) : CapturedLocalFunction [captured x] : String | Capture.cs:332:42:332:62 | access to local function CapturedLocalFunction : CapturedLocalFunction [captured x] : String | provenance |  |
-| Capture.cs:332:9:332:65 | CapturingLocalFunction(...) : CapturingLocalFunction [captured x] : String | Capture.cs:334:9:334:30 | access to local function CapturingLocalFunction : CapturingLocalFunction [captured x] : String | provenance |  |
-| Capture.cs:332:42:332:62 | access to local function CapturedLocalFunction : CapturedLocalFunction [captured x] : String | Capture.cs:330:47:330:47 | access to local variable x | provenance |  |
 | Capture.cs:332:42:332:62 | access to local function CapturedLocalFunction : CapturedLocalFunction [captured x] : String | Capture.cs:330:47:330:47 | access to local variable x | provenance |  |
 | Capture.cs:334:9:334:30 | access to local function CapturingLocalFunction : CapturingLocalFunction [captured x] : String | Capture.cs:332:42:332:62 | access to local function CapturedLocalFunction : CapturedLocalFunction [captured x] : String | provenance |  |
 | Capture.cs:339:17:339:30 | "taint source" : String | Capture.cs:341:33:341:46 | (...) => ... : (...) => ... [captured x] : String | provenance |  |
-| Capture.cs:341:33:341:46 | (...) => ... : (...) => ... [captured x] : String | Capture.cs:343:34:343:55 | (...) => ... : (...) => ... [captured capturedLambda, captured x] : String | provenance |  |
 | Capture.cs:341:33:341:46 | (...) => ... : (...) => ... [captured x] : String | Capture.cs:345:9:345:23 | access to local variable capturingLambda : Action [captured capturedLambda, captured x] : String | provenance |  |
-| Capture.cs:343:16:343:30 | access to local variable capturingLambda : (...) => ... [captured capturedLambda, captured x] : String | Capture.cs:345:9:345:23 | access to local variable capturingLambda : (...) => ... [captured capturedLambda, captured x] : String | provenance |  |
-| Capture.cs:343:34:343:55 | (...) => ... : (...) => ... [captured capturedLambda, captured x] : String | Capture.cs:343:16:343:30 | access to local variable capturingLambda : (...) => ... [captured capturedLambda, captured x] : String | provenance |  |
 | Capture.cs:343:40:343:53 | access to local variable capturedLambda : (...) => ... [captured x] : String | Capture.cs:341:45:341:45 | access to local variable x | provenance |  |
-| Capture.cs:345:9:345:23 | access to local variable capturingLambda : (...) => ... [captured capturedLambda, captured x] : String | Capture.cs:343:40:343:53 | access to local variable capturedLambda : (...) => ... [captured x] : String | provenance |  |
 | Capture.cs:345:9:345:23 | access to local variable capturingLambda : Action [captured capturedLambda, captured x] : String | Capture.cs:343:40:343:53 | access to local variable capturedLambda : (...) => ... [captured x] : String | provenance |  |
 | Capture.cs:350:34:350:34 | a : (...) => ... [captured s] : String | Capture.cs:352:9:352:9 | access to parameter a : (...) => ... [captured s] : String | provenance |  |
 | Capture.cs:350:34:350:34 | a : (...) => ... [captured sink39] : String | Capture.cs:352:9:352:9 | access to parameter a : (...) => ... [captured sink39] : String | provenance |  |
@@ -519,24 +467,18 @@ edges
 | Splitting.cs:48:36:48:49 | "taint source" : String | Splitting.cs:48:13:48:13 | access to local variable s : String | provenance |  |
 nodes
 | Capture.cs:7:20:7:26 | tainted : String | semmle.label | tainted : String |
-| Capture.cs:9:9:13:9 | CaptureIn1(...) : CaptureIn1 [captured tainted] : String | semmle.label | CaptureIn1(...) : CaptureIn1 [captured tainted] : String |
 | Capture.cs:11:17:11:22 | access to local variable sink27 : String | semmle.label | access to local variable sink27 : String |
 | Capture.cs:11:26:11:32 | access to parameter tainted : String | semmle.label | access to parameter tainted : String |
 | Capture.cs:12:19:12:24 | access to local variable sink27 | semmle.label | access to local variable sink27 |
 | Capture.cs:14:9:14:18 | access to local function CaptureIn1 : CaptureIn1 [captured tainted] : String | semmle.label | access to local function CaptureIn1 : CaptureIn1 [captured tainted] : String |
-| Capture.cs:16:9:24:9 | CaptureIn2(...) : CaptureIn2 [captured tainted] : String | semmle.label | CaptureIn2(...) : CaptureIn2 [captured tainted] : String |
-| Capture.cs:18:13:22:13 | M(...) : M [captured tainted] : String | semmle.label | M(...) : M [captured tainted] : String |
 | Capture.cs:20:21:20:26 | access to local variable sink28 : String | semmle.label | access to local variable sink28 : String |
 | Capture.cs:20:30:20:36 | access to parameter tainted : String | semmle.label | access to parameter tainted : String |
 | Capture.cs:21:23:21:28 | access to local variable sink28 | semmle.label | access to local variable sink28 |
 | Capture.cs:23:13:23:13 | access to local function M : M [captured tainted] : String | semmle.label | access to local function M : M [captured tainted] : String |
 | Capture.cs:25:9:25:18 | access to local function CaptureIn2 : CaptureIn2 [captured tainted] : String | semmle.label | access to local function CaptureIn2 : CaptureIn2 [captured tainted] : String |
-| Capture.cs:27:30:27:39 | access to local variable captureIn3 : (...) => ... [captured tainted] : String | semmle.label | access to local variable captureIn3 : (...) => ... [captured tainted] : String |
-| Capture.cs:27:43:32:9 | (...) => ... : (...) => ... [captured tainted] : String | semmle.label | (...) => ... : (...) => ... [captured tainted] : String |
 | Capture.cs:29:17:29:22 | access to local variable sink29 : String | semmle.label | access to local variable sink29 : String |
 | Capture.cs:29:26:29:32 | access to parameter tainted : String | semmle.label | access to parameter tainted : String |
 | Capture.cs:30:19:30:24 | access to local variable sink29 | semmle.label | access to local variable sink29 |
-| Capture.cs:33:30:33:39 | access to local variable captureIn3 : (...) => ... [captured tainted] : String | semmle.label | access to local variable captureIn3 : (...) => ... [captured tainted] : String |
 | Capture.cs:33:30:33:39 | access to local variable captureIn3 : Func<String,String> [captured tainted] : String | semmle.label | access to local variable captureIn3 : Func<String,String> [captured tainted] : String |
 | Capture.cs:50:50:50:55 | sink39 : String | semmle.label | sink39 : String |
 | Capture.cs:52:23:59:13 | (...) => ... : (...) => ... [captured sink39] : String | semmle.label | (...) => ... : (...) => ... [captured sink39] : String |
@@ -558,21 +500,15 @@ nodes
 | Capture.cs:123:9:123:33 | [post] access to local function CaptureOutMultipleLambdas : CaptureOutMultipleLambdas [captured sink40] : String | semmle.label | [post] access to local function CaptureOutMultipleLambdas : CaptureOutMultipleLambdas [captured sink40] : String |
 | Capture.cs:124:15:124:20 | access to local variable sink40 | semmle.label | access to local variable sink40 |
 | Capture.cs:127:25:127:31 | tainted : String | semmle.label | tainted : String |
-| Capture.cs:130:9:133:9 | CaptureThrough1(...) : CaptureThrough1 [captured tainted] : String | semmle.label | CaptureThrough1(...) : CaptureThrough1 [captured tainted] : String |
 | Capture.cs:134:9:134:23 | [post] access to local function CaptureThrough1 : CaptureThrough1 [captured sink33] : String | semmle.label | [post] access to local function CaptureThrough1 : CaptureThrough1 [captured sink33] : String |
 | Capture.cs:134:9:134:23 | access to local function CaptureThrough1 : CaptureThrough1 [captured tainted] : String | semmle.label | access to local function CaptureThrough1 : CaptureThrough1 [captured tainted] : String |
 | Capture.cs:135:15:135:20 | access to local variable sink33 | semmle.label | access to local variable sink33 |
-| Capture.cs:138:9:145:9 | CaptureThrough2(...) : CaptureThrough2 [captured tainted] : String | semmle.label | CaptureThrough2(...) : CaptureThrough2 [captured tainted] : String |
 | Capture.cs:146:9:146:23 | [post] access to local function CaptureThrough2 : CaptureThrough2 [captured sink34] : String | semmle.label | [post] access to local function CaptureThrough2 : CaptureThrough2 [captured sink34] : String |
 | Capture.cs:146:9:146:23 | access to local function CaptureThrough2 : CaptureThrough2 [captured tainted] : String | semmle.label | access to local function CaptureThrough2 : CaptureThrough2 [captured tainted] : String |
 | Capture.cs:147:15:147:20 | access to local variable sink34 | semmle.label | access to local variable sink34 |
-| Capture.cs:150:30:150:44 | access to local variable captureThrough3 : (...) => ... [captured tainted] : String | semmle.label | access to local variable captureThrough3 : (...) => ... [captured tainted] : String |
-| Capture.cs:150:48:154:9 | (...) => ... : (...) => ... [captured tainted] : String | semmle.label | (...) => ... : (...) => ... [captured tainted] : String |
 | Capture.cs:155:30:155:44 | [post] access to local variable captureThrough3 : (...) => ... [captured sink35] : String | semmle.label | [post] access to local variable captureThrough3 : (...) => ... [captured sink35] : String |
-| Capture.cs:155:30:155:44 | access to local variable captureThrough3 : (...) => ... [captured tainted] : String | semmle.label | access to local variable captureThrough3 : (...) => ... [captured tainted] : String |
 | Capture.cs:155:30:155:44 | access to local variable captureThrough3 : Func<String,String> [captured tainted] : String | semmle.label | access to local variable captureThrough3 : Func<String,String> [captured tainted] : String |
 | Capture.cs:156:15:156:20 | access to local variable sink35 | semmle.label | access to local variable sink35 |
-| Capture.cs:158:9:161:9 | CaptureThrough4(...) : CaptureThrough4 [captured tainted] : String | semmle.label | CaptureThrough4(...) : CaptureThrough4 [captured tainted] : String |
 | Capture.cs:162:13:162:18 | access to local variable sink36 : String | semmle.label | access to local variable sink36 : String |
 | Capture.cs:162:22:162:36 | access to local function CaptureThrough4 : CaptureThrough4 [captured tainted] : String | semmle.label | access to local function CaptureThrough4 : CaptureThrough4 [captured tainted] : String |
 | Capture.cs:162:22:162:38 | call to local function CaptureThrough4 : String | semmle.label | call to local function CaptureThrough4 : String |
@@ -583,7 +519,6 @@ nodes
 | Capture.cs:170:25:170:31 | access to parameter tainted : String | semmle.label | access to parameter tainted : String |
 | Capture.cs:171:15:171:20 | access to local variable sink37 | semmle.label | access to local variable sink37 |
 | Capture.cs:190:26:190:26 | s : String | semmle.label | s : String |
-| Capture.cs:192:13:192:28 | M(...) : M [captured s] : String | semmle.label | M(...) : M [captured s] : String |
 | Capture.cs:193:20:193:20 | access to local function M : M [captured s] : String | semmle.label | access to local function M : M [captured s] : String |
 | Capture.cs:193:20:193:22 | call to local function M : String | semmle.label | call to local function M : String |
 | Capture.cs:196:13:196:18 | access to local variable sink38 : String | semmle.label | access to local variable sink38 : String |
@@ -591,10 +526,7 @@ nodes
 | Capture.cs:196:25:196:31 | access to parameter tainted : String | semmle.label | access to parameter tainted : String |
 | Capture.cs:197:15:197:20 | access to local variable sink38 | semmle.label | access to local variable sink38 |
 | Capture.cs:202:20:202:20 | s : String | semmle.label | s : String |
-| Capture.cs:204:16:204:16 | access to local variable a : (...) => ... [captured s] : String | semmle.label | access to local variable a : (...) => ... [captured s] : String |
-| Capture.cs:204:20:207:9 | (...) => ... : (...) => ... [captured s] : String | semmle.label | (...) => ... : (...) => ... [captured s] : String |
 | Capture.cs:206:19:206:19 | access to parameter s | semmle.label | access to parameter s |
-| Capture.cs:208:9:208:9 | access to local variable a : (...) => ... [captured s] : String | semmle.label | access to local variable a : (...) => ... [captured s] : String |
 | Capture.cs:208:9:208:9 | access to local variable a : Action [captured s] : String | semmle.label | access to local variable a : Action [captured s] : String |
 | Capture.cs:211:21:211:34 | "taint source" : String | semmle.label | "taint source" : String |
 | Capture.cs:213:22:213:22 | s : String | semmle.label | s : String |
@@ -612,14 +544,11 @@ nodes
 | Capture.cs:234:15:234:15 | access to local variable x | semmle.label | access to local variable x |
 | Capture.cs:242:9:242:9 | [post] access to local variable c : Capture [field Field] : String | semmle.label | [post] access to local variable c : Capture [field Field] : String |
 | Capture.cs:242:19:242:32 | "taint source" : String | semmle.label | "taint source" : String |
-| Capture.cs:244:16:244:16 | access to local variable a : (...) => ... [captured c, field Field] : String | semmle.label | access to local variable a : (...) => ... [captured c, field Field] : String |
-| Capture.cs:244:20:248:9 | (...) => ... : (...) => ... [captured c, field Field] : String | semmle.label | (...) => ... : (...) => ... [captured c, field Field] : String |
 | Capture.cs:246:19:246:19 | access to local variable c : Capture [field Field] : String | semmle.label | access to local variable c : Capture [field Field] : String |
 | Capture.cs:246:19:246:25 | access to field Field | semmle.label | access to field Field |
 | Capture.cs:247:13:247:13 | [post] access to local variable c : Capture [field Field] : String | semmle.label | [post] access to local variable c : Capture [field Field] : String |
 | Capture.cs:247:23:247:36 | "taint source" : String | semmle.label | "taint source" : String |
 | Capture.cs:249:9:249:9 | [post] access to local variable a : (...) => ... [captured c, field Field] : String | semmle.label | [post] access to local variable a : (...) => ... [captured c, field Field] : String |
-| Capture.cs:249:9:249:9 | access to local variable a : (...) => ... [captured c, field Field] : String | semmle.label | access to local variable a : (...) => ... [captured c, field Field] : String |
 | Capture.cs:249:9:249:9 | access to local variable a : Action [captured c, field Field] : String | semmle.label | access to local variable a : Action [captured c, field Field] : String |
 | Capture.cs:251:15:251:15 | access to local variable c : Capture [field Field] : String | semmle.label | access to local variable c : Capture [field Field] : String |
 | Capture.cs:251:15:251:21 | access to field Field | semmle.label | access to field Field |
@@ -632,29 +561,20 @@ nodes
 | Capture.cs:273:30:273:30 | access to parameter x | semmle.label | access to parameter x |
 | Capture.cs:273:34:273:47 | "taint source" : String | semmle.label | "taint source" : String |
 | Capture.cs:278:17:278:30 | "taint source" : String | semmle.label | "taint source" : String |
-| Capture.cs:280:16:280:21 | access to local variable middle : (...) => ... [captured x] : String | semmle.label | access to local variable middle : (...) => ... [captured x] : String |
-| Capture.cs:280:25:288:9 | (...) => ... : (...) => ... [captured x] : String | semmle.label | (...) => ... : (...) => ... [captured x] : String |
-| Capture.cs:282:20:282:24 | access to local variable inner : (...) => ... [captured x] : String | semmle.label | access to local variable inner : (...) => ... [captured x] : String |
-| Capture.cs:282:28:286:13 | (...) => ... : (...) => ... [captured x] : String | semmle.label | (...) => ... : (...) => ... [captured x] : String |
 | Capture.cs:284:23:284:23 | access to local variable x | semmle.label | access to local variable x |
 | Capture.cs:285:21:285:34 | "taint source" : String | semmle.label | "taint source" : String |
 | Capture.cs:287:13:287:17 | [post] access to local variable inner : (...) => ... [captured x] : String | semmle.label | [post] access to local variable inner : (...) => ... [captured x] : String |
-| Capture.cs:287:13:287:17 | access to local variable inner : (...) => ... [captured x] : String | semmle.label | access to local variable inner : (...) => ... [captured x] : String |
 | Capture.cs:287:13:287:17 | access to local variable inner : Action [captured x] : String | semmle.label | access to local variable inner : Action [captured x] : String |
 | Capture.cs:290:9:290:14 | [post] access to local variable middle : (...) => ... [captured x] : String | semmle.label | [post] access to local variable middle : (...) => ... [captured x] : String |
-| Capture.cs:290:9:290:14 | access to local variable middle : (...) => ... [captured x] : String | semmle.label | access to local variable middle : (...) => ... [captured x] : String |
 | Capture.cs:290:9:290:14 | access to local variable middle : Action [captured x] : String | semmle.label | access to local variable middle : Action [captured x] : String |
 | Capture.cs:292:15:292:15 | access to local variable x | semmle.label | access to local variable x |
 | Capture.cs:297:9:297:12 | [post] this access : Capture [field Field] : String | semmle.label | [post] this access : Capture [field Field] : String |
 | Capture.cs:297:22:297:35 | "taint source" : String | semmle.label | "taint source" : String |
-| Capture.cs:299:16:299:16 | access to local variable a : (...) => ... [captured this in M10, field Field] : String | semmle.label | access to local variable a : (...) => ... [captured this in M10, field Field] : String |
-| Capture.cs:299:20:303:9 | (...) => ... : (...) => ... [captured this in M10, field Field] : String | semmle.label | (...) => ... : (...) => ... [captured this in M10, field Field] : String |
 | Capture.cs:301:19:301:22 | this access : Capture [field Field] : String | semmle.label | this access : Capture [field Field] : String |
 | Capture.cs:301:19:301:28 | access to field Field | semmle.label | access to field Field |
 | Capture.cs:302:13:302:16 | [post] this access : Capture [field Field] : String | semmle.label | [post] this access : Capture [field Field] : String |
 | Capture.cs:302:26:302:39 | "taint source" : String | semmle.label | "taint source" : String |
 | Capture.cs:304:9:304:9 | [post] access to local variable a : (...) => ... [captured this in M10, field Field] : String | semmle.label | [post] access to local variable a : (...) => ... [captured this in M10, field Field] : String |
-| Capture.cs:304:9:304:9 | access to local variable a : (...) => ... [captured this in M10, field Field] : String | semmle.label | access to local variable a : (...) => ... [captured this in M10, field Field] : String |
 | Capture.cs:304:9:304:9 | access to local variable a : Action [captured this in M10, field Field] : String | semmle.label | access to local variable a : Action [captured this in M10, field Field] : String |
 | Capture.cs:306:15:306:18 | this access : Capture [field Field] : String | semmle.label | this access : Capture [field Field] : String |
 | Capture.cs:306:15:306:24 | access to field Field | semmle.label | access to field Field |
@@ -663,19 +583,13 @@ nodes
 | Capture.cs:318:17:318:30 | "taint source" : String | semmle.label | "taint source" : String |
 | Capture.cs:319:19:319:19 | access to local variable x | semmle.label | access to local variable x |
 | Capture.cs:328:17:328:30 | "taint source" : String | semmle.label | "taint source" : String |
-| Capture.cs:330:9:330:49 | CapturedLocalFunction(...) : CapturedLocalFunction [captured x] : String | semmle.label | CapturedLocalFunction(...) : CapturedLocalFunction [captured x] : String |
 | Capture.cs:330:47:330:47 | access to local variable x | semmle.label | access to local variable x |
-| Capture.cs:332:9:332:65 | CapturingLocalFunction(...) : CapturingLocalFunction [captured x] : String | semmle.label | CapturingLocalFunction(...) : CapturingLocalFunction [captured x] : String |
-| Capture.cs:332:42:332:62 | access to local function CapturedLocalFunction : CapturedLocalFunction [captured x] : String | semmle.label | access to local function CapturedLocalFunction : CapturedLocalFunction [captured x] : String |
 | Capture.cs:332:42:332:62 | access to local function CapturedLocalFunction : CapturedLocalFunction [captured x] : String | semmle.label | access to local function CapturedLocalFunction : CapturedLocalFunction [captured x] : String |
 | Capture.cs:334:9:334:30 | access to local function CapturingLocalFunction : CapturingLocalFunction [captured x] : String | semmle.label | access to local function CapturingLocalFunction : CapturingLocalFunction [captured x] : String |
 | Capture.cs:339:17:339:30 | "taint source" : String | semmle.label | "taint source" : String |
 | Capture.cs:341:33:341:46 | (...) => ... : (...) => ... [captured x] : String | semmle.label | (...) => ... : (...) => ... [captured x] : String |
 | Capture.cs:341:45:341:45 | access to local variable x | semmle.label | access to local variable x |
-| Capture.cs:343:16:343:30 | access to local variable capturingLambda : (...) => ... [captured capturedLambda, captured x] : String | semmle.label | access to local variable capturingLambda : (...) => ... [captured capturedLambda, captured x] : String |
-| Capture.cs:343:34:343:55 | (...) => ... : (...) => ... [captured capturedLambda, captured x] : String | semmle.label | (...) => ... : (...) => ... [captured capturedLambda, captured x] : String |
 | Capture.cs:343:40:343:53 | access to local variable capturedLambda : (...) => ... [captured x] : String | semmle.label | access to local variable capturedLambda : (...) => ... [captured x] : String |
-| Capture.cs:345:9:345:23 | access to local variable capturingLambda : (...) => ... [captured capturedLambda, captured x] : String | semmle.label | access to local variable capturingLambda : (...) => ... [captured capturedLambda, captured x] : String |
 | Capture.cs:345:9:345:23 | access to local variable capturingLambda : Action [captured capturedLambda, captured x] : String | semmle.label | access to local variable capturingLambda : Action [captured capturedLambda, captured x] : String |
 | Capture.cs:350:34:350:34 | a : (...) => ... [captured s] : String | semmle.label | a : (...) => ... [captured s] : String |
 | Capture.cs:350:34:350:34 | a : (...) => ... [captured sink39] : String | semmle.label | a : (...) => ... [captured sink39] : String |
--- a/csharp/ql/test/library-tests/dataflow/global/TaintTrackingPath.expected
+++ b/csharp/ql/test/library-tests/dataflow/global/TaintTrackingPath.expected
@@ -1,27 +1,17 @@
 edges
-| Capture.cs:7:20:7:26 | tainted : String | Capture.cs:9:9:13:9 | CaptureIn1(...) : CaptureIn1 [captured tainted] : String | provenance |  |
 | Capture.cs:7:20:7:26 | tainted : String | Capture.cs:14:9:14:18 | access to local function CaptureIn1 : CaptureIn1 [captured tainted] : String | provenance |  |
-| Capture.cs:7:20:7:26 | tainted : String | Capture.cs:16:9:24:9 | CaptureIn2(...) : CaptureIn2 [captured tainted] : String | provenance |  |
 | Capture.cs:7:20:7:26 | tainted : String | Capture.cs:25:9:25:18 | access to local function CaptureIn2 : CaptureIn2 [captured tainted] : String | provenance |  |
-| Capture.cs:7:20:7:26 | tainted : String | Capture.cs:27:43:32:9 | (...) => ... : (...) => ... [captured tainted] : String | provenance |  |
 | Capture.cs:7:20:7:26 | tainted : String | Capture.cs:33:30:33:39 | access to local variable captureIn3 : Func<String,String> [captured tainted] : String | provenance |  |
 | Capture.cs:7:20:7:26 | tainted : String | Capture.cs:61:36:61:42 | access to parameter tainted : String | provenance |  |
-| Capture.cs:9:9:13:9 | CaptureIn1(...) : CaptureIn1 [captured tainted] : String | Capture.cs:14:9:14:18 | access to local function CaptureIn1 : CaptureIn1 [captured tainted] : String | provenance |  |
 | Capture.cs:11:17:11:22 | access to local variable sink27 : String | Capture.cs:12:19:12:24 | access to local variable sink27 | provenance |  |
 | Capture.cs:11:26:11:32 | access to parameter tainted : String | Capture.cs:11:17:11:22 | access to local variable sink27 : String | provenance |  |
 | Capture.cs:14:9:14:18 | access to local function CaptureIn1 : CaptureIn1 [captured tainted] : String | Capture.cs:11:26:11:32 | access to parameter tainted : String | provenance |  |
-| Capture.cs:16:9:24:9 | CaptureIn2(...) : CaptureIn2 [captured tainted] : String | Capture.cs:25:9:25:18 | access to local function CaptureIn2 : CaptureIn2 [captured tainted] : String | provenance |  |
-| Capture.cs:18:13:22:13 | M(...) : M [captured tainted] : String | Capture.cs:23:13:23:13 | access to local function M : M [captured tainted] : String | provenance |  |
 | Capture.cs:20:21:20:26 | access to local variable sink28 : String | Capture.cs:21:23:21:28 | access to local variable sink28 | provenance |  |
 | Capture.cs:20:30:20:36 | access to parameter tainted : String | Capture.cs:20:21:20:26 | access to local variable sink28 : String | provenance |  |
 | Capture.cs:23:13:23:13 | access to local function M : M [captured tainted] : String | Capture.cs:20:30:20:36 | access to parameter tainted : String | provenance |  |
-| Capture.cs:25:9:25:18 | access to local function CaptureIn2 : CaptureIn2 [captured tainted] : String | Capture.cs:18:13:22:13 | M(...) : M [captured tainted] : String | provenance |  |
 | Capture.cs:25:9:25:18 | access to local function CaptureIn2 : CaptureIn2 [captured tainted] : String | Capture.cs:23:13:23:13 | access to local function M : M [captured tainted] : String | provenance |  |
-| Capture.cs:27:30:27:39 | access to local variable captureIn3 : (...) => ... [captured tainted] : String | Capture.cs:33:30:33:39 | access to local variable captureIn3 : (...) => ... [captured tainted] : String | provenance |  |
-| Capture.cs:27:43:32:9 | (...) => ... : (...) => ... [captured tainted] : String | Capture.cs:27:30:27:39 | access to local variable captureIn3 : (...) => ... [captured tainted] : String | provenance |  |
 | Capture.cs:29:17:29:22 | access to local variable sink29 : String | Capture.cs:30:19:30:24 | access to local variable sink29 | provenance |  |
 | Capture.cs:29:26:29:32 | access to parameter tainted : String | Capture.cs:29:17:29:22 | access to local variable sink29 : String | provenance |  |
-| Capture.cs:33:30:33:39 | access to local variable captureIn3 : (...) => ... [captured tainted] : String | Capture.cs:29:26:29:32 | access to parameter tainted : String | provenance |  |
 | Capture.cs:33:30:33:39 | access to local variable captureIn3 : Func<String,String> [captured tainted] : String | Capture.cs:29:26:29:32 | access to parameter tainted : String | provenance |  |
 | Capture.cs:50:50:50:55 | sink39 : String | Capture.cs:52:23:59:13 | (...) => ... : (...) => ... [captured sink39] : String | provenance |  |
 | Capture.cs:52:23:59:13 | (...) => ... : (...) => ... [captured sink39] : String | Capture.cs:350:34:350:34 | a : (...) => ... [captured sink39] : String | provenance |  |
@@ -37,28 +27,18 @@ edges
 | Capture.cs:114:23:117:13 | [post] (...) => ... : (...) => ... [captured sink40] : String | Capture.cs:123:9:123:33 | [post] access to local function CaptureOutMultipleLambdas : CaptureOutMultipleLambdas [captured sink40] : String | provenance |  |
 | Capture.cs:116:26:116:39 | "taint source" : String | Capture.cs:352:9:352:9 | [post] access to parameter a : (...) => ... [captured sink40] : String | provenance |  |
 | Capture.cs:123:9:123:33 | [post] access to local function CaptureOutMultipleLambdas : CaptureOutMultipleLambdas [captured sink40] : String | Capture.cs:124:15:124:20 | access to local variable sink40 | provenance |  |
-| Capture.cs:127:25:127:31 | tainted : String | Capture.cs:130:9:133:9 | CaptureThrough1(...) : CaptureThrough1 [captured tainted] : String | provenance |  |
 | Capture.cs:127:25:127:31 | tainted : String | Capture.cs:134:9:134:23 | access to local function CaptureThrough1 : CaptureThrough1 [captured tainted] : String | provenance |  |
-| Capture.cs:127:25:127:31 | tainted : String | Capture.cs:138:9:145:9 | CaptureThrough2(...) : CaptureThrough2 [captured tainted] : String | provenance |  |
 | Capture.cs:127:25:127:31 | tainted : String | Capture.cs:146:9:146:23 | access to local function CaptureThrough2 : CaptureThrough2 [captured tainted] : String | provenance |  |
-| Capture.cs:127:25:127:31 | tainted : String | Capture.cs:150:48:154:9 | (...) => ... : (...) => ... [captured tainted] : String | provenance |  |
 | Capture.cs:127:25:127:31 | tainted : String | Capture.cs:155:30:155:44 | access to local variable captureThrough3 : Func<String,String> [captured tainted] : String | provenance |  |
-| Capture.cs:127:25:127:31 | tainted : String | Capture.cs:158:9:161:9 | CaptureThrough4(...) : CaptureThrough4 [captured tainted] : String | provenance |  |
 | Capture.cs:127:25:127:31 | tainted : String | Capture.cs:162:22:162:36 | access to local function CaptureThrough4 : CaptureThrough4 [captured tainted] : String | provenance |  |
 | Capture.cs:127:25:127:31 | tainted : String | Capture.cs:170:25:170:31 | access to parameter tainted : String | provenance |  |
 | Capture.cs:127:25:127:31 | tainted : String | Capture.cs:196:25:196:31 | access to parameter tainted : String | provenance |  |
-| Capture.cs:130:9:133:9 | CaptureThrough1(...) : CaptureThrough1 [captured tainted] : String | Capture.cs:134:9:134:23 | access to local function CaptureThrough1 : CaptureThrough1 [captured tainted] : String | provenance |  |
 | Capture.cs:134:9:134:23 | [post] access to local function CaptureThrough1 : CaptureThrough1 [captured sink33] : String | Capture.cs:135:15:135:20 | access to local variable sink33 | provenance |  |
 | Capture.cs:134:9:134:23 | access to local function CaptureThrough1 : CaptureThrough1 [captured tainted] : String | Capture.cs:134:9:134:23 | [post] access to local function CaptureThrough1 : CaptureThrough1 [captured sink33] : String | provenance |  |
-| Capture.cs:138:9:145:9 | CaptureThrough2(...) : CaptureThrough2 [captured tainted] : String | Capture.cs:146:9:146:23 | access to local function CaptureThrough2 : CaptureThrough2 [captured tainted] : String | provenance |  |
 | Capture.cs:146:9:146:23 | [post] access to local function CaptureThrough2 : CaptureThrough2 [captured sink34] : String | Capture.cs:147:15:147:20 | access to local variable sink34 | provenance |  |
 | Capture.cs:146:9:146:23 | access to local function CaptureThrough2 : CaptureThrough2 [captured tainted] : String | Capture.cs:146:9:146:23 | [post] access to local function CaptureThrough2 : CaptureThrough2 [captured sink34] : String | provenance |  |
-| Capture.cs:150:30:150:44 | access to local variable captureThrough3 : (...) => ... [captured tainted] : String | Capture.cs:155:30:155:44 | access to local variable captureThrough3 : (...) => ... [captured tainted] : String | provenance |  |
-| Capture.cs:150:48:154:9 | (...) => ... : (...) => ... [captured tainted] : String | Capture.cs:150:30:150:44 | access to local variable captureThrough3 : (...) => ... [captured tainted] : String | provenance |  |
 | Capture.cs:155:30:155:44 | [post] access to local variable captureThrough3 : (...) => ... [captured sink35] : String | Capture.cs:156:15:156:20 | access to local variable sink35 | provenance |  |
-| Capture.cs:155:30:155:44 | access to local variable captureThrough3 : (...) => ... [captured tainted] : String | Capture.cs:155:30:155:44 | [post] access to local variable captureThrough3 : (...) => ... [captured sink35] : String | provenance |  |
 | Capture.cs:155:30:155:44 | access to local variable captureThrough3 : Func<String,String> [captured tainted] : String | Capture.cs:155:30:155:44 | [post] access to local variable captureThrough3 : (...) => ... [captured sink35] : String | provenance |  |
-| Capture.cs:158:9:161:9 | CaptureThrough4(...) : CaptureThrough4 [captured tainted] : String | Capture.cs:162:22:162:36 | access to local function CaptureThrough4 : CaptureThrough4 [captured tainted] : String | provenance |  |
 | Capture.cs:162:13:162:18 | access to local variable sink36 : String | Capture.cs:163:15:163:20 | access to local variable sink36 | provenance |  |
 | Capture.cs:162:22:162:36 | access to local function CaptureThrough4 : CaptureThrough4 [captured tainted] : String | Capture.cs:162:22:162:38 | call to local function CaptureThrough4 : String | provenance |  |
 | Capture.cs:162:22:162:38 | call to local function CaptureThrough4 : String | Capture.cs:162:13:162:18 | access to local variable sink36 : String | provenance |  |
@@ -66,19 +46,13 @@ edges
 | Capture.cs:170:9:170:23 | [post] access to local function CaptureThrough5 : CaptureThrough5 [captured sink37] : String | Capture.cs:171:15:171:20 | access to local variable sink37 | provenance |  |
 | Capture.cs:170:25:170:31 | access to parameter tainted : String | Capture.cs:166:37:166:37 | p : String | provenance |  |
 | Capture.cs:170:25:170:31 | access to parameter tainted : String | Capture.cs:170:9:170:23 | [post] access to local function CaptureThrough5 : CaptureThrough5 [captured sink37] : String | provenance |  |
-| Capture.cs:190:26:190:26 | s : String | Capture.cs:192:13:192:28 | M(...) : M [captured s] : String | provenance |  |
 | Capture.cs:190:26:190:26 | s : String | Capture.cs:193:20:193:20 | access to local function M : M [captured s] : String | provenance |  |
-| Capture.cs:192:13:192:28 | M(...) : M [captured s] : String | Capture.cs:193:20:193:20 | access to local function M : M [captured s] : String | provenance |  |
 | Capture.cs:193:20:193:20 | access to local function M : M [captured s] : String | Capture.cs:193:20:193:22 | call to local function M : String | provenance |  |
 | Capture.cs:196:13:196:18 | access to local variable sink38 : String | Capture.cs:197:15:197:20 | access to local variable sink38 | provenance |  |
 | Capture.cs:196:22:196:32 | call to local function Id : String | Capture.cs:196:13:196:18 | access to local variable sink38 : String | provenance |  |
 | Capture.cs:196:25:196:31 | access to parameter tainted : String | Capture.cs:190:26:190:26 | s : String | provenance |  |
 | Capture.cs:196:25:196:31 | access to parameter tainted : String | Capture.cs:196:22:196:32 | call to local function Id : String | provenance |  |
-| Capture.cs:202:20:202:20 | s : String | Capture.cs:204:20:207:9 | (...) => ... : (...) => ... [captured s] : String | provenance |  |
 | Capture.cs:202:20:202:20 | s : String | Capture.cs:208:9:208:9 | access to local variable a : Action [captured s] : String | provenance |  |
-| Capture.cs:204:16:204:16 | access to local variable a : (...) => ... [captured s] : String | Capture.cs:208:9:208:9 | access to local variable a : (...) => ... [captured s] : String | provenance |  |
-| Capture.cs:204:20:207:9 | (...) => ... : (...) => ... [captured s] : String | Capture.cs:204:16:204:16 | access to local variable a : (...) => ... [captured s] : String | provenance |  |
-| Capture.cs:208:9:208:9 | access to local variable a : (...) => ... [captured s] : String | Capture.cs:206:19:206:19 | access to parameter s | provenance |  |
 | Capture.cs:208:9:208:9 | access to local variable a : Action [captured s] : String | Capture.cs:206:19:206:19 | access to parameter s | provenance |  |
 | Capture.cs:211:21:211:34 | "taint source" : String | Capture.cs:202:20:202:20 | s : String | provenance |  |
 | Capture.cs:213:22:213:22 | s : String | Capture.cs:215:16:218:9 | (...) => ... : (...) => ... [captured s] : String | provenance |  |
@@ -93,17 +67,13 @@ edges
 | Capture.cs:229:20:233:9 | (...) => ... : (...) => ... [captured x] : String | Capture.cs:231:19:231:19 | access to local variable x | provenance |  |
 | Capture.cs:229:20:233:9 | [post] (...) => ... : (...) => ... [captured x] : String | Capture.cs:234:15:234:15 | access to local variable x | provenance |  |
 | Capture.cs:232:17:232:30 | "taint source" : String | Capture.cs:229:20:233:9 | [post] (...) => ... : (...) => ... [captured x] : String | provenance |  |
-| Capture.cs:242:9:242:9 | [post] access to local variable c : Capture [field Field] : String | Capture.cs:244:20:248:9 | (...) => ... : (...) => ... [captured c, field Field] : String | provenance |  |
 | Capture.cs:242:9:242:9 | [post] access to local variable c : Capture [field Field] : String | Capture.cs:249:9:249:9 | access to local variable a : Action [captured c, field Field] : String | provenance |  |
 | Capture.cs:242:9:242:9 | [post] access to local variable c : Capture [field Field] : String | Capture.cs:251:15:251:15 | access to local variable c : Capture [field Field] : String | provenance |  |
 | Capture.cs:242:19:242:32 | "taint source" : String | Capture.cs:242:9:242:9 | [post] access to local variable c : Capture [field Field] : String | provenance |  |
-| Capture.cs:244:16:244:16 | access to local variable a : (...) => ... [captured c, field Field] : String | Capture.cs:249:9:249:9 | access to local variable a : (...) => ... [captured c, field Field] : String | provenance |  |
-| Capture.cs:244:20:248:9 | (...) => ... : (...) => ... [captured c, field Field] : String | Capture.cs:244:16:244:16 | access to local variable a : (...) => ... [captured c, field Field] : String | provenance |  |
 | Capture.cs:246:19:246:19 | access to local variable c : Capture [field Field] : String | Capture.cs:246:19:246:25 | access to field Field | provenance |  |
 | Capture.cs:247:13:247:13 | [post] access to local variable c : Capture [field Field] : String | Capture.cs:249:9:249:9 | [post] access to local variable a : (...) => ... [captured c, field Field] : String | provenance |  |
 | Capture.cs:247:23:247:36 | "taint source" : String | Capture.cs:247:13:247:13 | [post] access to local variable c : Capture [field Field] : String | provenance |  |
 | Capture.cs:249:9:249:9 | [post] access to local variable a : (...) => ... [captured c, field Field] : String | Capture.cs:251:15:251:15 | access to local variable c : Capture [field Field] : String | provenance |  |
-| Capture.cs:249:9:249:9 | access to local variable a : (...) => ... [captured c, field Field] : String | Capture.cs:246:19:246:19 | access to local variable c : Capture [field Field] : String | provenance |  |
 | Capture.cs:249:9:249:9 | access to local variable a : Action [captured c, field Field] : String | Capture.cs:246:19:246:19 | access to local variable c : Capture [field Field] : String | provenance |  |
 | Capture.cs:251:15:251:15 | access to local variable c : Capture [field Field] : String | Capture.cs:251:15:251:21 | access to field Field | provenance |  |
 | Capture.cs:264:13:264:13 | [post] access to local variable c : Capture [field Field] : String | Capture.cs:266:9:266:9 | [post] access to local variable a : (...) => ... [captured c, field Field] : String | provenance |  |
@@ -112,52 +82,30 @@ edges
 | Capture.cs:268:15:268:15 | access to local variable c : Capture [field Field] : String | Capture.cs:268:15:268:21 | access to field Field | provenance |  |
 | Capture.cs:273:19:273:19 | x : String | Capture.cs:273:30:273:30 | access to parameter x | provenance |  |
 | Capture.cs:273:34:273:47 | "taint source" : String | Capture.cs:355:45:355:45 | x : String | provenance |  |
-| Capture.cs:278:17:278:30 | "taint source" : String | Capture.cs:280:25:288:9 | (...) => ... : (...) => ... [captured x] : String | provenance |  |
 | Capture.cs:278:17:278:30 | "taint source" : String | Capture.cs:290:9:290:14 | access to local variable middle : Action [captured x] : String | provenance |  |
 | Capture.cs:278:17:278:30 | "taint source" : String | Capture.cs:292:15:292:15 | access to local variable x | provenance |  |
-| Capture.cs:280:16:280:21 | access to local variable middle : (...) => ... [captured x] : String | Capture.cs:290:9:290:14 | access to local variable middle : (...) => ... [captured x] : String | provenance |  |
-| Capture.cs:280:25:288:9 | (...) => ... : (...) => ... [captured x] : String | Capture.cs:280:16:280:21 | access to local variable middle : (...) => ... [captured x] : String | provenance |  |
-| Capture.cs:282:20:282:24 | access to local variable inner : (...) => ... [captured x] : String | Capture.cs:287:13:287:17 | access to local variable inner : (...) => ... [captured x] : String | provenance |  |
-| Capture.cs:282:28:286:13 | (...) => ... : (...) => ... [captured x] : String | Capture.cs:282:20:282:24 | access to local variable inner : (...) => ... [captured x] : String | provenance |  |
 | Capture.cs:285:21:285:34 | "taint source" : String | Capture.cs:287:13:287:17 | [post] access to local variable inner : (...) => ... [captured x] : String | provenance |  |
 | Capture.cs:287:13:287:17 | [post] access to local variable inner : (...) => ... [captured x] : String | Capture.cs:290:9:290:14 | [post] access to local variable middle : (...) => ... [captured x] : String | provenance |  |
-| Capture.cs:287:13:287:17 | access to local variable inner : (...) => ... [captured x] : String | Capture.cs:284:23:284:23 | access to local variable x | provenance |  |
 | Capture.cs:287:13:287:17 | access to local variable inner : Action [captured x] : String | Capture.cs:284:23:284:23 | access to local variable x | provenance |  |
 | Capture.cs:290:9:290:14 | [post] access to local variable middle : (...) => ... [captured x] : String | Capture.cs:292:15:292:15 | access to local variable x | provenance |  |
-| Capture.cs:290:9:290:14 | access to local variable middle : (...) => ... [captured x] : String | Capture.cs:282:28:286:13 | (...) => ... : (...) => ... [captured x] : String | provenance |  |
-| Capture.cs:290:9:290:14 | access to local variable middle : (...) => ... [captured x] : String | Capture.cs:287:13:287:17 | access to local variable inner : Action [captured x] : String | provenance |  |
-| Capture.cs:290:9:290:14 | access to local variable middle : Action [captured x] : String | Capture.cs:282:28:286:13 | (...) => ... : (...) => ... [captured x] : String | provenance |  |
 | Capture.cs:290:9:290:14 | access to local variable middle : Action [captured x] : String | Capture.cs:287:13:287:17 | access to local variable inner : Action [captured x] : String | provenance |  |
-| Capture.cs:297:9:297:12 | [post] this access : Capture [field Field] : String | Capture.cs:299:20:303:9 | (...) => ... : (...) => ... [captured this in M10, field Field] : String | provenance |  |
 | Capture.cs:297:9:297:12 | [post] this access : Capture [field Field] : String | Capture.cs:304:9:304:9 | access to local variable a : Action [captured this in M10, field Field] : String | provenance |  |
 | Capture.cs:297:9:297:12 | [post] this access : Capture [field Field] : String | Capture.cs:306:15:306:18 | this access : Capture [field Field] : String | provenance |  |
 | Capture.cs:297:22:297:35 | "taint source" : String | Capture.cs:297:9:297:12 | [post] this access : Capture [field Field] : String | provenance |  |
-| Capture.cs:299:16:299:16 | access to local variable a : (...) => ... [captured this in M10, field Field] : String | Capture.cs:304:9:304:9 | access to local variable a : (...) => ... [captured this in M10, field Field] : String | provenance |  |
-| Capture.cs:299:20:303:9 | (...) => ... : (...) => ... [captured this in M10, field Field] : String | Capture.cs:299:16:299:16 | access to local variable a : (...) => ... [captured this in M10, field Field] : String | provenance |  |
 | Capture.cs:301:19:301:22 | this access : Capture [field Field] : String | Capture.cs:301:19:301:28 | access to field Field | provenance |  |
 | Capture.cs:302:13:302:16 | [post] this access : Capture [field Field] : String | Capture.cs:304:9:304:9 | [post] access to local variable a : (...) => ... [captured this in M10, field Field] : String | provenance |  |
 | Capture.cs:302:26:302:39 | "taint source" : String | Capture.cs:302:13:302:16 | [post] this access : Capture [field Field] : String | provenance |  |
 | Capture.cs:304:9:304:9 | [post] access to local variable a : (...) => ... [captured this in M10, field Field] : String | Capture.cs:306:15:306:18 | this access : Capture [field Field] : String | provenance |  |
-| Capture.cs:304:9:304:9 | access to local variable a : (...) => ... [captured this in M10, field Field] : String | Capture.cs:301:19:301:22 | this access : Capture [field Field] : String | provenance |  |
 | Capture.cs:304:9:304:9 | access to local variable a : Action [captured this in M10, field Field] : String | Capture.cs:301:19:301:22 | this access : Capture [field Field] : String | provenance |  |
 | Capture.cs:306:15:306:18 | this access : Capture [field Field] : String | Capture.cs:306:15:306:24 | access to field Field | provenance |  |
 | Capture.cs:311:17:311:30 | "taint source" : String | Capture.cs:312:15:312:15 | access to local variable x | provenance |  |
 | Capture.cs:318:17:318:30 | "taint source" : String | Capture.cs:319:19:319:19 | access to local variable x | provenance |  |
-| Capture.cs:328:17:328:30 | "taint source" : String | Capture.cs:330:9:330:49 | CapturedLocalFunction(...) : CapturedLocalFunction [captured x] : String | provenance |  |
-| Capture.cs:328:17:328:30 | "taint source" : String | Capture.cs:332:9:332:65 | CapturingLocalFunction(...) : CapturingLocalFunction [captured x] : String | provenance |  |
 | Capture.cs:328:17:328:30 | "taint source" : String | Capture.cs:334:9:334:30 | access to local function CapturingLocalFunction : CapturingLocalFunction [captured x] : String | provenance |  |
-| Capture.cs:330:9:330:49 | CapturedLocalFunction(...) : CapturedLocalFunction [captured x] : String | Capture.cs:332:42:332:62 | access to local function CapturedLocalFunction : CapturedLocalFunction [captured x] : String | provenance |  |
-| Capture.cs:332:9:332:65 | CapturingLocalFunction(...) : CapturingLocalFunction [captured x] : String | Capture.cs:334:9:334:30 | access to local function CapturingLocalFunction : CapturingLocalFunction [captured x] : String | provenance |  |
-| Capture.cs:332:42:332:62 | access to local function CapturedLocalFunction : CapturedLocalFunction [captured x] : String | Capture.cs:330:47:330:47 | access to local variable x | provenance |  |
 | Capture.cs:332:42:332:62 | access to local function CapturedLocalFunction : CapturedLocalFunction [captured x] : String | Capture.cs:330:47:330:47 | access to local variable x | provenance |  |
 | Capture.cs:334:9:334:30 | access to local function CapturingLocalFunction : CapturingLocalFunction [captured x] : String | Capture.cs:332:42:332:62 | access to local function CapturedLocalFunction : CapturedLocalFunction [captured x] : String | provenance |  |
 | Capture.cs:339:17:339:30 | "taint source" : String | Capture.cs:341:33:341:46 | (...) => ... : (...) => ... [captured x] : String | provenance |  |
-| Capture.cs:341:33:341:46 | (...) => ... : (...) => ... [captured x] : String | Capture.cs:343:34:343:55 | (...) => ... : (...) => ... [captured capturedLambda, captured x] : String | provenance |  |
 | Capture.cs:341:33:341:46 | (...) => ... : (...) => ... [captured x] : String | Capture.cs:345:9:345:23 | access to local variable capturingLambda : Action [captured capturedLambda, captured x] : String | provenance |  |
-| Capture.cs:343:16:343:30 | access to local variable capturingLambda : (...) => ... [captured capturedLambda, captured x] : String | Capture.cs:345:9:345:23 | access to local variable capturingLambda : (...) => ... [captured capturedLambda, captured x] : String | provenance |  |
-| Capture.cs:343:34:343:55 | (...) => ... : (...) => ... [captured capturedLambda, captured x] : String | Capture.cs:343:16:343:30 | access to local variable capturingLambda : (...) => ... [captured capturedLambda, captured x] : String | provenance |  |
 | Capture.cs:343:40:343:53 | access to local variable capturedLambda : (...) => ... [captured x] : String | Capture.cs:341:45:341:45 | access to local variable x | provenance |  |
-| Capture.cs:345:9:345:23 | access to local variable capturingLambda : (...) => ... [captured capturedLambda, captured x] : String | Capture.cs:343:40:343:53 | access to local variable capturedLambda : (...) => ... [captured x] : String | provenance |  |
 | Capture.cs:345:9:345:23 | access to local variable capturingLambda : Action [captured capturedLambda, captured x] : String | Capture.cs:343:40:343:53 | access to local variable capturedLambda : (...) => ... [captured x] : String | provenance |  |
 | Capture.cs:350:34:350:34 | a : (...) => ... [captured s] : String | Capture.cs:352:9:352:9 | access to parameter a : (...) => ... [captured s] : String | provenance |  |
 | Capture.cs:350:34:350:34 | a : (...) => ... [captured sink39] : String | Capture.cs:352:9:352:9 | access to parameter a : (...) => ... [captured sink39] : String | provenance |  |
@@ -569,24 +517,18 @@ edges
 | Splitting.cs:48:36:48:49 | "taint source" : String | Splitting.cs:48:13:48:13 | access to local variable s : String | provenance |  |
 nodes
 | Capture.cs:7:20:7:26 | tainted : String | semmle.label | tainted : String |
-| Capture.cs:9:9:13:9 | CaptureIn1(...) : CaptureIn1 [captured tainted] : String | semmle.label | CaptureIn1(...) : CaptureIn1 [captured tainted] : String |
 | Capture.cs:11:17:11:22 | access to local variable sink27 : String | semmle.label | access to local variable sink27 : String |
 | Capture.cs:11:26:11:32 | access to parameter tainted : String | semmle.label | access to parameter tainted : String |
 | Capture.cs:12:19:12:24 | access to local variable sink27 | semmle.label | access to local variable sink27 |
 | Capture.cs:14:9:14:18 | access to local function CaptureIn1 : CaptureIn1 [captured tainted] : String | semmle.label | access to local function CaptureIn1 : CaptureIn1 [captured tainted] : String |
-| Capture.cs:16:9:24:9 | CaptureIn2(...) : CaptureIn2 [captured tainted] : String | semmle.label | CaptureIn2(...) : CaptureIn2 [captured tainted] : String |
-| Capture.cs:18:13:22:13 | M(...) : M [captured tainted] : String | semmle.label | M(...) : M [captured tainted] : String |
 | Capture.cs:20:21:20:26 | access to local variable sink28 : String | semmle.label | access to local variable sink28 : String |
 | Capture.cs:20:30:20:36 | access to parameter tainted : String | semmle.label | access to parameter tainted : String |
 | Capture.cs:21:23:21:28 | access to local variable sink28 | semmle.label | access to local variable sink28 |
 | Capture.cs:23:13:23:13 | access to local function M : M [captured tainted] : String | semmle.label | access to local function M : M [captured tainted] : String |
 | Capture.cs:25:9:25:18 | access to local function CaptureIn2 : CaptureIn2 [captured tainted] : String | semmle.label | access to local function CaptureIn2 : CaptureIn2 [captured tainted] : String |
-| Capture.cs:27:30:27:39 | access to local variable captureIn3 : (...) => ... [captured tainted] : String | semmle.label | access to local variable captureIn3 : (...) => ... [captured tainted] : String |
-| Capture.cs:27:43:32:9 | (...) => ... : (...) => ... [captured tainted] : String | semmle.label | (...) => ... : (...) => ... [captured tainted] : String |
 | Capture.cs:29:17:29:22 | access to local variable sink29 : String | semmle.label | access to local variable sink29 : String |
 | Capture.cs:29:26:29:32 | access to parameter tainted : String | semmle.label | access to parameter tainted : String |
 | Capture.cs:30:19:30:24 | access to local variable sink29 | semmle.label | access to local variable sink29 |
-| Capture.cs:33:30:33:39 | access to local variable captureIn3 : (...) => ... [captured tainted] : String | semmle.label | access to local variable captureIn3 : (...) => ... [captured tainted] : String |
 | Capture.cs:33:30:33:39 | access to local variable captureIn3 : Func<String,String> [captured tainted] : String | semmle.label | access to local variable captureIn3 : Func<String,String> [captured tainted] : String |
 | Capture.cs:50:50:50:55 | sink39 : String | semmle.label | sink39 : String |
 | Capture.cs:52:23:59:13 | (...) => ... : (...) => ... [captured sink39] : String | semmle.label | (...) => ... : (...) => ... [captured sink39] : String |
@@ -608,21 +550,15 @@ nodes
 | Capture.cs:123:9:123:33 | [post] access to local function CaptureOutMultipleLambdas : CaptureOutMultipleLambdas [captured sink40] : String | semmle.label | [post] access to local function CaptureOutMultipleLambdas : CaptureOutMultipleLambdas [captured sink40] : String |
 | Capture.cs:124:15:124:20 | access to local variable sink40 | semmle.label | access to local variable sink40 |
 | Capture.cs:127:25:127:31 | tainted : String | semmle.label | tainted : String |
-| Capture.cs:130:9:133:9 | CaptureThrough1(...) : CaptureThrough1 [captured tainted] : String | semmle.label | CaptureThrough1(...) : CaptureThrough1 [captured tainted] : String |
 | Capture.cs:134:9:134:23 | [post] access to local function CaptureThrough1 : CaptureThrough1 [captured sink33] : String | semmle.label | [post] access to local function CaptureThrough1 : CaptureThrough1 [captured sink33] : String |
 | Capture.cs:134:9:134:23 | access to local function CaptureThrough1 : CaptureThrough1 [captured tainted] : String | semmle.label | access to local function CaptureThrough1 : CaptureThrough1 [captured tainted] : String |
 | Capture.cs:135:15:135:20 | access to local variable sink33 | semmle.label | access to local variable sink33 |
-| Capture.cs:138:9:145:9 | CaptureThrough2(...) : CaptureThrough2 [captured tainted] : String | semmle.label | CaptureThrough2(...) : CaptureThrough2 [captured tainted] : String |
 | Capture.cs:146:9:146:23 | [post] access to local function CaptureThrough2 : CaptureThrough2 [captured sink34] : String | semmle.label | [post] access to local function CaptureThrough2 : CaptureThrough2 [captured sink34] : String |
 | Capture.cs:146:9:146:23 | access to local function CaptureThrough2 : CaptureThrough2 [captured tainted] : String | semmle.label | access to local function CaptureThrough2 : CaptureThrough2 [captured tainted] : String |
 | Capture.cs:147:15:147:20 | access to local variable sink34 | semmle.label | access to local variable sink34 |
-| Capture.cs:150:30:150:44 | access to local variable captureThrough3 : (...) => ... [captured tainted] : String | semmle.label | access to local variable captureThrough3 : (...) => ... [captured tainted] : String |
-| Capture.cs:150:48:154:9 | (...) => ... : (...) => ... [captured tainted] : String | semmle.label | (...) => ... : (...) => ... [captured tainted] : String |
 | Capture.cs:155:30:155:44 | [post] access to local variable captureThrough3 : (...) => ... [captured sink35] : String | semmle.label | [post] access to local variable captureThrough3 : (...) => ... [captured sink35] : String |
-| Capture.cs:155:30:155:44 | access to local variable captureThrough3 : (...) => ... [captured tainted] : String | semmle.label | access to local variable captureThrough3 : (...) => ... [captured tainted] : String |
 | Capture.cs:155:30:155:44 | access to local variable captureThrough3 : Func<String,String> [captured tainted] : String | semmle.label | access to local variable captureThrough3 : Func<String,String> [captured tainted] : String |
 | Capture.cs:156:15:156:20 | access to local variable sink35 | semmle.label | access to local variable sink35 |
-| Capture.cs:158:9:161:9 | CaptureThrough4(...) : CaptureThrough4 [captured tainted] : String | semmle.label | CaptureThrough4(...) : CaptureThrough4 [captured tainted] : String |
 | Capture.cs:162:13:162:18 | access to local variable sink36 : String | semmle.label | access to local variable sink36 : String |
 | Capture.cs:162:22:162:36 | access to local function CaptureThrough4 : CaptureThrough4 [captured tainted] : String | semmle.label | access to local function CaptureThrough4 : CaptureThrough4 [captured tainted] : String |
 | Capture.cs:162:22:162:38 | call to local function CaptureThrough4 : String | semmle.label | call to local function CaptureThrough4 : String |
@@ -633,7 +569,6 @@ nodes
 | Capture.cs:170:25:170:31 | access to parameter tainted : String | semmle.label | access to parameter tainted : String |
 | Capture.cs:171:15:171:20 | access to local variable sink37 | semmle.label | access to local variable sink37 |
 | Capture.cs:190:26:190:26 | s : String | semmle.label | s : String |
-| Capture.cs:192:13:192:28 | M(...) : M [captured s] : String | semmle.label | M(...) : M [captured s] : String |
 | Capture.cs:193:20:193:20 | access to local function M : M [captured s] : String | semmle.label | access to local function M : M [captured s] : String |
 | Capture.cs:193:20:193:22 | call to local function M : String | semmle.label | call to local function M : String |
 | Capture.cs:196:13:196:18 | access to local variable sink38 : String | semmle.label | access to local variable sink38 : String |
@@ -641,10 +576,7 @@ nodes
 | Capture.cs:196:25:196:31 | access to parameter tainted : String | semmle.label | access to parameter tainted : String |
 | Capture.cs:197:15:197:20 | access to local variable sink38 | semmle.label | access to local variable sink38 |
 | Capture.cs:202:20:202:20 | s : String | semmle.label | s : String |
-| Capture.cs:204:16:204:16 | access to local variable a : (...) => ... [captured s] : String | semmle.label | access to local variable a : (...) => ... [captured s] : String |
-| Capture.cs:204:20:207:9 | (...) => ... : (...) => ... [captured s] : String | semmle.label | (...) => ... : (...) => ... [captured s] : String |
 | Capture.cs:206:19:206:19 | access to parameter s | semmle.label | access to parameter s |
-| Capture.cs:208:9:208:9 | access to local variable a : (...) => ... [captured s] : String | semmle.label | access to local variable a : (...) => ... [captured s] : String |
 | Capture.cs:208:9:208:9 | access to local variable a : Action [captured s] : String | semmle.label | access to local variable a : Action [captured s] : String |
 | Capture.cs:211:21:211:34 | "taint source" : String | semmle.label | "taint source" : String |
 | Capture.cs:213:22:213:22 | s : String | semmle.label | s : String |
@@ -662,14 +594,11 @@ nodes
 | Capture.cs:234:15:234:15 | access to local variable x | semmle.label | access to local variable x |
 | Capture.cs:242:9:242:9 | [post] access to local variable c : Capture [field Field] : String | semmle.label | [post] access to local variable c : Capture [field Field] : String |
 | Capture.cs:242:19:242:32 | "taint source" : String | semmle.label | "taint source" : String |
-| Capture.cs:244:16:244:16 | access to local variable a : (...) => ... [captured c, field Field] : String | semmle.label | access to local variable a : (...) => ... [captured c, field Field] : String |
-| Capture.cs:244:20:248:9 | (...) => ... : (...) => ... [captured c, field Field] : String | semmle.label | (...) => ... : (...) => ... [captured c, field Field] : String |
 | Capture.cs:246:19:246:19 | access to local variable c : Capture [field Field] : String | semmle.label | access to local variable c : Capture [field Field] : String |
 | Capture.cs:246:19:246:25 | access to field Field | semmle.label | access to field Field |
 | Capture.cs:247:13:247:13 | [post] access to local variable c : Capture [field Field] : String | semmle.label | [post] access to local variable c : Capture [field Field] : String |
 | Capture.cs:247:23:247:36 | "taint source" : String | semmle.label | "taint source" : String |
 | Capture.cs:249:9:249:9 | [post] access to local variable a : (...) => ... [captured c, field Field] : String | semmle.label | [post] access to local variable a : (...) => ... [captured c, field Field] : String |
-| Capture.cs:249:9:249:9 | access to local variable a : (...) => ... [captured c, field Field] : String | semmle.label | access to local variable a : (...) => ... [captured c, field Field] : String |
 | Capture.cs:249:9:249:9 | access to local variable a : Action [captured c, field Field] : String | semmle.label | access to local variable a : Action [captured c, field Field] : String |
 | Capture.cs:251:15:251:15 | access to local variable c : Capture [field Field] : String | semmle.label | access to local variable c : Capture [field Field] : String |
 | Capture.cs:251:15:251:21 | access to field Field | semmle.label | access to field Field |
@@ -682,29 +611,20 @@ nodes
 | Capture.cs:273:30:273:30 | access to parameter x | semmle.label | access to parameter x |
 | Capture.cs:273:34:273:47 | "taint source" : String | semmle.label | "taint source" : String |
 | Capture.cs:278:17:278:30 | "taint source" : String | semmle.label | "taint source" : String |
-| Capture.cs:280:16:280:21 | access to local variable middle : (...) => ... [captured x] : String | semmle.label | access to local variable middle : (...) => ... [captured x] : String |
-| Capture.cs:280:25:288:9 | (...) => ... : (...) => ... [captured x] : String | semmle.label | (...) => ... : (...) => ... [captured x] : String |
-| Capture.cs:282:20:282:24 | access to local variable inner : (...) => ... [captured x] : String | semmle.label | access to local variable inner : (...) => ... [captured x] : String |
-| Capture.cs:282:28:286:13 | (...) => ... : (...) => ... [captured x] : String | semmle.label | (...) => ... : (...) => ... [captured x] : String |
 | Capture.cs:284:23:284:23 | access to local variable x | semmle.label | access to local variable x |
 | Capture.cs:285:21:285:34 | "taint source" : String | semmle.label | "taint source" : String |
 | Capture.cs:287:13:287:17 | [post] access to local variable inner : (...) => ... [captured x] : String | semmle.label | [post] access to local variable inner : (...) => ... [captured x] : String |
-| Capture.cs:287:13:287:17 | access to local variable inner : (...) => ... [captured x] : String | semmle.label | access to local variable inner : (...) => ... [captured x] : String |
 | Capture.cs:287:13:287:17 | access to local variable inner : Action [captured x] : String | semmle.label | access to local variable inner : Action [captured x] : String |
 | Capture.cs:290:9:290:14 | [post] access to local variable middle : (...) => ... [captured x] : String | semmle.label | [post] access to local variable middle : (...) => ... [captured x] : String |
-| Capture.cs:290:9:290:14 | access to local variable middle : (...) => ... [captured x] : String | semmle.label | access to local variable middle : (...) => ... [captured x] : String |
 | Capture.cs:290:9:290:14 | access to local variable middle : Action [captured x] : String | semmle.label | access to local variable middle : Action [captured x] : String |
 | Capture.cs:292:15:292:15 | access to local variable x | semmle.label | access to local variable x |
 | Capture.cs:297:9:297:12 | [post] this access : Capture [field Field] : String | semmle.label | [post] this access : Capture [field Field] : String |
 | Capture.cs:297:22:297:35 | "taint source" : String | semmle.label | "taint source" : String |
-| Capture.cs:299:16:299:16 | access to local variable a : (...) => ... [captured this in M10, field Field] : String | semmle.label | access to local variable a : (...) => ... [captured this in M10, field Field] : String |
-| Capture.cs:299:20:303:9 | (...) => ... : (...) => ... [captured this in M10, field Field] : String | semmle.label | (...) => ... : (...) => ... [captured this in M10, field Field] : String |
 | Capture.cs:301:19:301:22 | this access : Capture [field Field] : String | semmle.label | this access : Capture [field Field] : String |
 | Capture.cs:301:19:301:28 | access to field Field | semmle.label | access to field Field |
 | Capture.cs:302:13:302:16 | [post] this access : Capture [field Field] : String | semmle.label | [post] this access : Capture [field Field] : String |
 | Capture.cs:302:26:302:39 | "taint source" : String | semmle.label | "taint source" : String |
 | Capture.cs:304:9:304:9 | [post] access to local variable a : (...) => ... [captured this in M10, field Field] : String | semmle.label | [post] access to local variable a : (...) => ... [captured this in M10, field Field] : String |
-| Capture.cs:304:9:304:9 | access to local variable a : (...) => ... [captured this in M10, field Field] : String | semmle.label | access to local variable a : (...) => ... [captured this in M10, field Field] : String |
 | Capture.cs:304:9:304:9 | access to local variable a : Action [captured this in M10, field Field] : String | semmle.label | access to local variable a : Action [captured this in M10, field Field] : String |
 | Capture.cs:306:15:306:18 | this access : Capture [field Field] : String | semmle.label | this access : Capture [field Field] : String |
 | Capture.cs:306:15:306:24 | access to field Field | semmle.label | access to field Field |
@@ -713,19 +633,13 @@ nodes
 | Capture.cs:318:17:318:30 | "taint source" : String | semmle.label | "taint source" : String |
 | Capture.cs:319:19:319:19 | access to local variable x | semmle.label | access to local variable x |
 | Capture.cs:328:17:328:30 | "taint source" : String | semmle.label | "taint source" : String |
-| Capture.cs:330:9:330:49 | CapturedLocalFunction(...) : CapturedLocalFunction [captured x] : String | semmle.label | CapturedLocalFunction(...) : CapturedLocalFunction [captured x] : String |
 | Capture.cs:330:47:330:47 | access to local variable x | semmle.label | access to local variable x |
-| Capture.cs:332:9:332:65 | CapturingLocalFunction(...) : CapturingLocalFunction [captured x] : String | semmle.label | CapturingLocalFunction(...) : CapturingLocalFunction [captured x] : String |
-| Capture.cs:332:42:332:62 | access to local function CapturedLocalFunction : CapturedLocalFunction [captured x] : String | semmle.label | access to local function CapturedLocalFunction : CapturedLocalFunction [captured x] : String |
 | Capture.cs:332:42:332:62 | access to local function CapturedLocalFunction : CapturedLocalFunction [captured x] : String | semmle.label | access to local function CapturedLocalFunction : CapturedLocalFunction [captured x] : String |
 | Capture.cs:334:9:334:30 | access to local function CapturingLocalFunction : CapturingLocalFunction [captured x] : String | semmle.label | access to local function CapturingLocalFunction : CapturingLocalFunction [captured x] : String |
 | Capture.cs:339:17:339:30 | "taint source" : String | semmle.label | "taint source" : String |
 | Capture.cs:341:33:341:46 | (...) => ... : (...) => ... [captured x] : String | semmle.label | (...) => ... : (...) => ... [captured x] : String |
 | Capture.cs:341:45:341:45 | access to local variable x | semmle.label | access to local variable x |
-| Capture.cs:343:16:343:30 | access to local variable capturingLambda : (...) => ... [captured capturedLambda, captured x] : String | semmle.label | access to local variable capturingLambda : (...) => ... [captured capturedLambda, captured x] : String |
-| Capture.cs:343:34:343:55 | (...) => ... : (...) => ... [captured capturedLambda, captured x] : String | semmle.label | (...) => ... : (...) => ... [captured capturedLambda, captured x] : String |
 | Capture.cs:343:40:343:53 | access to local variable capturedLambda : (...) => ... [captured x] : String | semmle.label | access to local variable capturedLambda : (...) => ... [captured x] : String |
-| Capture.cs:345:9:345:23 | access to local variable capturingLambda : (...) => ... [captured capturedLambda, captured x] : String | semmle.label | access to local variable capturingLambda : (...) => ... [captured capturedLambda, captured x] : String |
 | Capture.cs:345:9:345:23 | access to local variable capturingLambda : Action [captured capturedLambda, captured x] : String | semmle.label | access to local variable capturingLambda : Action [captured capturedLambda, captured x] : String |
 | Capture.cs:350:34:350:34 | a : (...) => ... [captured s] : String | semmle.label | a : (...) => ... [captured s] : String |
 | Capture.cs:350:34:350:34 | a : (...) => ... [captured sink39] : String | semmle.label | a : (...) => ... [captured sink39] : String |
--- a/go/ql/src/Security/CWE-020/IncompleteHostnameRegexp.qhelp
+++ b/go/ql/src/Security/CWE-020/IncompleteHostnameRegexp.qhelp
@@ -41,6 +41,10 @@ domain such as <code>wwwXexample.com</code>.
 Address this vulnerability by escaping <code>.</code> appropriately:
 </p>
 <sample src="IncompleteHostnameRegexpGood.go"/>
+<p>
+You may also want to consider using raw string literals to avoid having to escape backslashes:
+</p>
+<sample src="IncompleteHostnameRegexpGood2.go"/>
 </example>

 <references>
--- a/go/ql/src/Security/CWE-020/IncompleteHostnameRegexpGood2.go
+++ b/go/ql/src/Security/CWE-020/IncompleteHostnameRegexpGood2.go
@@ -0,0 +1,16 @@
+package main
+
+import (
+	"errors"
+	"net/http"
+	"regexp"
+)
+
+func checkRedirectGood(req *http.Request, via []*http.Request) error {
+	// GOOD: the host of `req.URL` must be `example.com`, `www.example.com` or `beta.example.com`
+	re := `^((www|beta)\.)?example\.com/`
+	if matched, _ := regexp.MatchString(re, req.URL.Host); matched {
+		return nil
+	}
+	return errors.New("Invalid redirect")
+}
--- a/python/ql/test/experimental/dataflow/variable-capture/by_value.py
+++ b/python/ql/test/experimental/dataflow/variable-capture/by_value.py
@@ -34,7 +34,7 @@ def by_value1():
    a = SOURCE
    def inner(a_val=a):
        SINK(a_val) #$ captured
-        SINK_F(a) #$ SPURIOUS: captured
+        SINK_F(a)
    a = NONSOURCE
    inner()

--- a/ruby/ql/test/library-tests/dataflow/global/Flow.expected
+++ b/ruby/ql/test/library-tests/dataflow/global/Flow.expected
@@ -1,10 +1,7 @@
 testFailures
 edges
 | blocks.rb:14:12:14:20 | call to source | blocks.rb:8:10:8:14 | yield ... | provenance |  |
-| captured_variables.rb:9:24:9:24 | x | captured_variables.rb:10:10:10:23 | -> { ... } [captured x] | provenance |  |
 | captured_variables.rb:9:24:9:24 | x | captured_variables.rb:11:5:11:6 | fn [captured x] | provenance |  |
-| captured_variables.rb:10:5:10:6 | fn [captured x] | captured_variables.rb:11:5:11:6 | fn [captured x] | provenance |  |
-| captured_variables.rb:10:10:10:23 | -> { ... } [captured x] | captured_variables.rb:10:5:10:6 | fn [captured x] | provenance |  |
 | captured_variables.rb:11:5:11:6 | fn [captured x] | captured_variables.rb:10:20:10:20 | x | provenance |  |
 | captured_variables.rb:13:20:13:29 | call to taint | captured_variables.rb:9:24:9:24 | x | provenance |  |
 | captured_variables.rb:15:28:15:28 | x | captured_variables.rb:16:5:18:5 | -> { ... } [captured x] | provenance |  |
@@ -16,18 +13,12 @@ edges
 | captured_variables.rb:27:25:27:57 | call to capture_escape_return2 [captured x] | captured_variables.rb:24:14:24:14 | x | provenance |  |
 | captured_variables.rb:27:48:27:57 | call to taint | captured_variables.rb:22:28:22:28 | x | provenance |  |
 | captured_variables.rb:27:48:27:57 | call to taint | captured_variables.rb:27:25:27:57 | call to capture_escape_return2 [captured x] | provenance |  |
-| captured_variables.rb:29:33:29:33 | x | captured_variables.rb:30:10:32:5 | -> { ... } [captured x] | provenance |  |
 | captured_variables.rb:29:33:29:33 | x | captured_variables.rb:33:29:33:30 | fn [captured x] | provenance |  |
-| captured_variables.rb:30:5:30:6 | fn [captured x] | captured_variables.rb:33:29:33:30 | fn [captured x] | provenance |  |
-| captured_variables.rb:30:10:32:5 | -> { ... } [captured x] | captured_variables.rb:30:5:30:6 | fn [captured x] | provenance |  |
 | captured_variables.rb:33:29:33:30 | fn [captured x] | captured_variables.rb:31:14:31:14 | x | provenance |  |
 | captured_variables.rb:35:29:35:38 | call to taint | captured_variables.rb:29:33:29:33 | x | provenance |  |
 | captured_variables.rb:37:13:37:14 | fn [captured x] | captured_variables.rb:38:5:38:6 | fn [captured x] | provenance |  |
 | captured_variables.rb:38:5:38:6 | fn [captured x] | captured_variables.rb:42:14:42:14 | x | provenance |  |
-| captured_variables.rb:40:31:40:31 | x | captured_variables.rb:41:10:43:5 | -> { ... } [captured x] | provenance |  |
 | captured_variables.rb:40:31:40:31 | x | captured_variables.rb:44:13:44:14 | fn [captured x] | provenance |  |
-| captured_variables.rb:41:5:41:6 | fn [captured x] | captured_variables.rb:44:13:44:14 | fn [captured x] | provenance |  |
-| captured_variables.rb:41:10:43:5 | -> { ... } [captured x] | captured_variables.rb:41:5:41:6 | fn [captured x] | provenance |  |
 | captured_variables.rb:44:13:44:14 | fn [captured x] | captured_variables.rb:37:13:37:14 | fn [captured x] | provenance |  |
 | captured_variables.rb:46:27:46:36 | call to taint | captured_variables.rb:40:31:40:31 | x | provenance |  |
 | captured_variables.rb:48:5:48:12 | call to taint | captured_variables.rb:49:16:52:3 | do ... end [captured x] | provenance |  |
@@ -65,11 +56,8 @@ edges
 | captured_variables.rb:83:6:83:8 | foo [@field] | captured_variables.rb:60:5:62:7 | self in get_field [@field] | provenance |  |
 | captured_variables.rb:83:6:83:8 | foo [@field] | captured_variables.rb:83:6:83:18 | call to get_field | provenance |  |
 | captured_variables.rb:83:6:83:8 | foo [@field] | instance_variables.rb:13:5:15:7 | self in get_field [@field] | provenance |  |
-| captured_variables.rb:85:5:85:12 | call to taint | captured_variables.rb:86:6:89:1 | -> { ... } [captured y] | provenance |  |
 | captured_variables.rb:85:5:85:12 | call to taint | captured_variables.rb:90:1:90:2 | fn [captured y] | provenance |  |
 | captured_variables.rb:85:5:85:12 | call to taint | captured_variables.rb:91:6:91:6 | y | provenance |  |
-| captured_variables.rb:86:1:86:2 | fn [captured y] | captured_variables.rb:90:1:90:2 | fn [captured y] | provenance |  |
-| captured_variables.rb:86:6:89:1 | -> { ... } [captured y] | captured_variables.rb:86:1:86:2 | fn [captured y] | provenance |  |
 | captured_variables.rb:88:9:88:16 | call to taint | captured_variables.rb:90:1:90:2 | [post] fn [captured y] | provenance |  |
 | captured_variables.rb:90:1:90:2 | [post] fn [captured y] | captured_variables.rb:91:6:91:6 | y | provenance |  |
 | captured_variables.rb:90:1:90:2 | fn [captured y] | captured_variables.rb:87:10:87:10 | y | provenance |  |
@@ -81,18 +69,12 @@ edges
 | captured_variables.rb:101:11:101:11 | x | captured_variables.rb:104:31:104:31 | x | provenance |  |
 | captured_variables.rb:104:17:104:24 | call to taint | captured_variables.rb:100:21:100:21 | x | provenance |  |
 | captured_variables.rb:104:31:104:31 | x | captured_variables.rb:105:10:105:10 | x | provenance |  |
-| captured_variables.rb:109:9:109:17 | call to taint | captured_variables.rb:110:14:116:5 | -> { ... } [captured x] | provenance |  |
 | captured_variables.rb:109:9:109:17 | call to taint | captured_variables.rb:117:5:117:10 | middle [captured x] | provenance |  |
 | captured_variables.rb:109:9:109:17 | call to taint | captured_variables.rb:118:10:118:10 | x | provenance |  |
-| captured_variables.rb:110:5:110:10 | middle [captured x] | captured_variables.rb:117:5:117:10 | middle [captured x] | provenance |  |
-| captured_variables.rb:110:14:116:5 | -> { ... } [captured x] | captured_variables.rb:110:5:110:10 | middle [captured x] | provenance |  |
-| captured_variables.rb:111:9:111:13 | inner [captured x] | captured_variables.rb:115:9:115:13 | inner [captured x] | provenance |  |
-| captured_variables.rb:111:17:114:9 | -> { ... } [captured x] | captured_variables.rb:111:9:111:13 | inner [captured x] | provenance |  |
 | captured_variables.rb:113:17:113:25 | call to taint | captured_variables.rb:115:9:115:13 | [post] inner [captured x] | provenance |  |
 | captured_variables.rb:115:9:115:13 | [post] inner [captured x] | captured_variables.rb:117:5:117:10 | [post] middle [captured x] | provenance |  |
 | captured_variables.rb:115:9:115:13 | inner [captured x] | captured_variables.rb:112:18:112:18 | x | provenance |  |
 | captured_variables.rb:117:5:117:10 | [post] middle [captured x] | captured_variables.rb:118:10:118:10 | x | provenance |  |
-| captured_variables.rb:117:5:117:10 | middle [captured x] | captured_variables.rb:111:17:114:9 | -> { ... } [captured x] | provenance |  |
 | captured_variables.rb:117:5:117:10 | middle [captured x] | captured_variables.rb:115:9:115:13 | inner [captured x] | provenance |  |
 | captured_variables.rb:147:5:147:6 | [post] self [@x] | captured_variables.rb:153:14:155:7 | do ... end [captured self, @x] | provenance |  |
 | captured_variables.rb:147:10:147:18 | call to taint | captured_variables.rb:147:5:147:6 | [post] self [@x] | provenance |  |
@@ -116,10 +98,7 @@ edges
 | captured_variables.rb:194:1:194:1 | c [@x] | captured_variables.rb:185:5:189:7 | self in baz [@x] | provenance |  |
 | captured_variables.rb:197:9:197:17 | call to taint | captured_variables.rb:199:10:199:10 | x | provenance |  |
 | captured_variables.rb:206:13:206:21 | call to taint | captured_variables.rb:208:14:208:14 | x | provenance |  |
-| captured_variables.rb:219:9:219:17 | call to taint | captured_variables.rb:222:11:224:5 | -> { ... } [captured x] | provenance |  |
 | captured_variables.rb:219:9:219:17 | call to taint | captured_variables.rb:226:5:226:7 | fn1 [captured x] | provenance |  |
-| captured_variables.rb:222:5:222:7 | fn1 [captured x] | captured_variables.rb:226:5:226:7 | fn1 [captured x] | provenance |  |
-| captured_variables.rb:222:11:224:5 | -> { ... } [captured x] | captured_variables.rb:222:5:222:7 | fn1 [captured x] | provenance |  |
 | captured_variables.rb:226:5:226:7 | [post] fn1 [captured y] | captured_variables.rb:227:10:227:10 | y | provenance |  |
 | captured_variables.rb:226:5:226:7 | fn1 [captured x] | captured_variables.rb:226:5:226:7 | [post] fn1 [captured y] | provenance |  |
 | instance_variables.rb:10:19:10:19 | x | instance_variables.rb:11:18:11:18 | x | provenance |  |
@@ -264,8 +243,6 @@ nodes
 | blocks.rb:8:10:8:14 | yield ... | semmle.label | yield ... |
 | blocks.rb:14:12:14:20 | call to source | semmle.label | call to source |
 | captured_variables.rb:9:24:9:24 | x | semmle.label | x |
-| captured_variables.rb:10:5:10:6 | fn [captured x] | semmle.label | fn [captured x] |
-| captured_variables.rb:10:10:10:23 | -> { ... } [captured x] | semmle.label | -> { ... } [captured x] |
 | captured_variables.rb:10:20:10:20 | x | semmle.label | x |
 | captured_variables.rb:11:5:11:6 | fn [captured x] | semmle.label | fn [captured x] |
 | captured_variables.rb:13:20:13:29 | call to taint | semmle.label | call to taint |
@@ -281,16 +258,12 @@ nodes
 | captured_variables.rb:27:25:27:57 | call to capture_escape_return2 [captured x] | semmle.label | call to capture_escape_return2 [captured x] |
 | captured_variables.rb:27:48:27:57 | call to taint | semmle.label | call to taint |
 | captured_variables.rb:29:33:29:33 | x | semmle.label | x |
-| captured_variables.rb:30:5:30:6 | fn [captured x] | semmle.label | fn [captured x] |
-| captured_variables.rb:30:10:32:5 | -> { ... } [captured x] | semmle.label | -> { ... } [captured x] |
 | captured_variables.rb:31:14:31:14 | x | semmle.label | x |
 | captured_variables.rb:33:29:33:30 | fn [captured x] | semmle.label | fn [captured x] |
 | captured_variables.rb:35:29:35:38 | call to taint | semmle.label | call to taint |
 | captured_variables.rb:37:13:37:14 | fn [captured x] | semmle.label | fn [captured x] |
 | captured_variables.rb:38:5:38:6 | fn [captured x] | semmle.label | fn [captured x] |
 | captured_variables.rb:40:31:40:31 | x | semmle.label | x |
-| captured_variables.rb:41:5:41:6 | fn [captured x] | semmle.label | fn [captured x] |
-| captured_variables.rb:41:10:43:5 | -> { ... } [captured x] | semmle.label | -> { ... } [captured x] |
 | captured_variables.rb:42:14:42:14 | x | semmle.label | x |
 | captured_variables.rb:44:13:44:14 | fn [captured x] | semmle.label | fn [captured x] |
 | captured_variables.rb:46:27:46:36 | call to taint | semmle.label | call to taint |
@@ -323,8 +296,6 @@ nodes
 | captured_variables.rb:83:6:83:8 | foo [@field] | semmle.label | foo [@field] |
 | captured_variables.rb:83:6:83:18 | call to get_field | semmle.label | call to get_field |
 | captured_variables.rb:85:5:85:12 | call to taint | semmle.label | call to taint |
-| captured_variables.rb:86:1:86:2 | fn [captured y] | semmle.label | fn [captured y] |
-| captured_variables.rb:86:6:89:1 | -> { ... } [captured y] | semmle.label | -> { ... } [captured y] |
 | captured_variables.rb:87:10:87:10 | y | semmle.label | y |
 | captured_variables.rb:88:9:88:16 | call to taint | semmle.label | call to taint |
 | captured_variables.rb:90:1:90:2 | [post] fn [captured y] | semmle.label | [post] fn [captured y] |
@@ -341,10 +312,6 @@ nodes
 | captured_variables.rb:104:31:104:31 | x | semmle.label | x |
 | captured_variables.rb:105:10:105:10 | x | semmle.label | x |
 | captured_variables.rb:109:9:109:17 | call to taint | semmle.label | call to taint |
-| captured_variables.rb:110:5:110:10 | middle [captured x] | semmle.label | middle [captured x] |
-| captured_variables.rb:110:14:116:5 | -> { ... } [captured x] | semmle.label | -> { ... } [captured x] |
-| captured_variables.rb:111:9:111:13 | inner [captured x] | semmle.label | inner [captured x] |
-| captured_variables.rb:111:17:114:9 | -> { ... } [captured x] | semmle.label | -> { ... } [captured x] |
 | captured_variables.rb:112:18:112:18 | x | semmle.label | x |
 | captured_variables.rb:113:17:113:25 | call to taint | semmle.label | call to taint |
 | captured_variables.rb:115:9:115:13 | [post] inner [captured x] | semmle.label | [post] inner [captured x] |
@@ -380,8 +347,6 @@ nodes
 | captured_variables.rb:206:13:206:21 | call to taint | semmle.label | call to taint |
 | captured_variables.rb:208:14:208:14 | x | semmle.label | x |
 | captured_variables.rb:219:9:219:17 | call to taint | semmle.label | call to taint |
-| captured_variables.rb:222:5:222:7 | fn1 [captured x] | semmle.label | fn1 [captured x] |
-| captured_variables.rb:222:11:224:5 | -> { ... } [captured x] | semmle.label | -> { ... } [captured x] |
 | captured_variables.rb:226:5:226:7 | [post] fn1 [captured y] | semmle.label | [post] fn1 [captured y] |
 | captured_variables.rb:226:5:226:7 | fn1 [captured x] | semmle.label | fn1 [captured x] |
 | captured_variables.rb:227:10:227:10 | y | semmle.label | y |
--- a/ruby/ql/test/library-tests/dataflow/global/captured_variables.rb
+++ b/ruby/ql/test/library-tests/dataflow/global/captured_variables.rb
@@ -228,3 +228,17 @@ def multi_capture
 end

 multi_capture
+
+def m1
+    x = taint(19)
+    
+    fn1 = -> {
+        sink x
+    }
+
+    x = nil
+
+    fn1.call()
+end
+
+m1
--- a/shared/dataflow/codeql/dataflow/VariableCapture.qll
+++ b/shared/dataflow/codeql/dataflow/VariableCapture.qll
@@ -601,16 +601,22 @@ module Flow<LocationSig Location, InputSig<Location> Input> implements OutputSig
   * observed in a similarly synthesized post-update node for this read of `v`.
   */
  private predicate synthRead(
-    CapturedVariable v, BasicBlock bb, int i, boolean topScope, Expr closure
+    CapturedVariable v, BasicBlock bb, int i, boolean topScope, Expr closure, boolean alias
  ) {
    exists(ClosureExpr ce | closureCaptures(ce, v) |
-      ce.hasCfgNode(bb, i) and ce = closure
+      ce.hasCfgNode(bb, i) and ce = closure and alias = false
      or
-      localOrNestedClosureAccess(ce, closure, bb, i)
+      localOrNestedClosureAccess(ce, closure, bb, i) and alias = true
    ) and
    if v.getCallable() != bb.getEnclosingCallable() then topScope = false else topScope = true
  }

+  private predicate synthRead(
+    CapturedVariable v, BasicBlock bb, int i, boolean topScope, Expr closure
+  ) {
+    synthRead(v, bb, i, topScope, closure, _)
+  }
+
  /**
   * Holds if there is an access of a captured variable inside a closure in the
   * `i`th node of `bb`, such that we need to synthesize a `this.` qualifier.
@@ -919,16 +925,22 @@ module Flow<LocationSig Location, InputSig<Location> Input> implements OutputSig
    )
  }

-  predicate storeStep(ClosureNode node1, CapturedVariable v, ClosureNode node2) {
-    // store v in the closure or in the malloc in case of a relevant constructor call
+  private predicate storeStepClosure(
+    ClosureNode node1, CapturedVariable v, ClosureNode node2, boolean alias
+  ) {
    exists(BasicBlock bb, int i, Expr closure |
-      synthRead(v, bb, i, _, closure) and
+      synthRead(v, bb, i, _, closure, alias) and
      node1 = TSynthRead(v, bb, i, false)
    |
      node2 = TExprNode(closure, false)
      or
      node2 = TMallocNode(closure) and hasConstructorCapture(closure, v)
    )
+  }
+
+  predicate storeStep(ClosureNode node1, CapturedVariable v, ClosureNode node2) {
+    // store v in the closure or in the malloc in case of a relevant constructor call
+    storeStepClosure(node1, v, node2, _)
    or
    // write to v inside the closure body
    exists(BasicBlock bb, int i, VariableWrite vw |
@@ -964,6 +976,62 @@ module Flow<LocationSig Location, InputSig<Location> Input> implements OutputSig
  }

  predicate clearsContent(ClosureNode node, CapturedVariable v) {
+    /*
+     * Stores into closure aliases block flow from previous stores, both to
+     * avoid overlapping data flow paths, but also to avoid false positive
+     * flow.
+     *
+     * Example 1 (overlapping paths):
+     *
+     * ```rb
+     * def m
+     *     x = taint
+     *
+     *     fn = -> { # (1)
+     *        sink x
+     *     }
+     *
+     *     fn.call # (2)
+     * ```
+     *
+     * If we don't clear `x` at `fn` (2), we will have two overlapping paths:
+     *
+     * ```
+     * taint -> fn (2) [captured x]
+     * taint -> fn (1) [captured x] -> fn (2) [captured x]
+     * ```
+     *
+     * where the step `fn (1) [captured x] -> fn [captured x]` arises from normal
+     * use-use flow for `fn`. Clearing `x` at `fn` (2) removes the second path above.
+     *
+     * Example 2 (false positive flow):
+     *
+     * ```rb
+     * def m
+     *     x = taint
+     *
+     *     fn = -> { # (1)
+     *        sink x
+     *     }
+     *
+     *     x = nil # (2)
+     *
+     *     fn.call # (3)
+     * end
+     * ```
+     *
+     * If we don't clear `x` at `fn` (3), we will have the following false positive
+     * flow path:
+     *
+     * ```
+     * taint -> fn (1) [captured x] -> fn (3) [captured x]
+     * ```
+     *
+     * since normal use-use flow for `fn` does not take the overwrite at (2) into account.
+     */
+
+    storeStepClosure(_, v, node, true)
+    or
    exists(BasicBlock bb, int i |
      captureWrite(v, bb, i, false, _) and
      node = TSynthThisQualifier(bb, i, false)