Merge branch 'main' into 38-cpp-generalize-use-after-free-libraries

This commit is contained in:
Ben Rodes
2024-01-17 08:05:41 -08:00
committed by GitHub
228 changed files with 2753 additions and 4568 deletions

View File

@@ -1,3 +1,24 @@
## 0.12.3
### Deprecated APIs
* The `isUserInput`, `userInputArgument`, and `userInputReturned` predicates from `SecurityOptions` have been deprecated. Use `FlowSource` instead.
### New Features
* `UserDefineLiteral` and `DeductionGuide` classes have been added, representing C++11 user defined literals and C++17 deduction guides.
### Minor Analysis Improvements
* Changed the output of `Node.toString` to better reflect how many indirections a given dataflow node has.
* Added a new predicate `Node.asDefinition` on `DataFlow::Node`s for selecting the dataflow node corresponding to a particular definition.
* The deprecated `DefaultTaintTracking` library has been removed.
* The `Guards` library has been replaced with the API-compatible `IRGuards` implementation, which has better precision in some cases.
### Bug Fixes
* Under certain circumstances a function declaration that is not also a definition could be associated with a `Function` that did not have the definition as a `FunctionDeclarationEntry`. This is now fixed when only one definition exists, and a unique `Function` will exist that has both the declaration and the definition as a `FunctionDeclarationEntry`.
## 0.12.2
No user-facing changes.
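Review bot: In the 0.12.3 "New Features" bullet, the class name `UserDefineLiteral` does not match the wording "user defined literals" in the same sentence and looks like a dropped "d". Check it against the class name in the library and correct the bullet if it should read `UserDefinedLiteral`. The same bullet text appears in the deleted change note and in the new per-release notes file in this commit, so any fix needs to land in each copy that is kept.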

View File

@@ -1,4 +0,0 @@
---
category: minorAnalysis
---
* The `Guards` library has been replaced with the API-compatible `IRGuards` implementation, which has better precision in some cases.

View File

@@ -1,4 +0,0 @@
---
category: minorAnalysis
---
* The deprecated `DefaultTaintTracking` library has been removed.

View File

@@ -1,4 +0,0 @@
---
category: minorAnalysis
---
* Added a new predicate `Node.asDefinition` on `DataFlow::Node`s for selecting the dataflow node corresponding to a particular definition.

View File

@@ -1,4 +0,0 @@
---
category: deprecated
---
* The `isUserInput`, `userInputArgument`, and `userInputReturned` predicates from `SecurityOptions` have been deprecated. Use `FlowSource` instead.

View File

@@ -1,4 +0,0 @@
---
category: minorAnalysis
---
* Changed the output of `Node.toString` to better reflect how many indirections a given dataflow node has.

View File

@@ -1,4 +0,0 @@
---
category: fix
---
* Under certain circumstances a function declaration that is not also a definition could be associated with a `Function` that did not have the definition as a `FunctionDeclarationEntry`. This is now fixed when only one definition exists, and a unique `Function` will exist that has both the declaration and the definition as a `FunctionDeclarationEntry`.

View File

@@ -1,4 +0,0 @@
---
category: feature
---
* `UserDefineLiteral` and `DeductionGuide` classes have been added, representing C++11 user defined literals and C++17 deduction guides.

View File

@@ -0,0 +1,20 @@
## 0.12.3
### Deprecated APIs
* The `isUserInput`, `userInputArgument`, and `userInputReturned` predicates from `SecurityOptions` have been deprecated. Use `FlowSource` instead.
### New Features
* `UserDefineLiteral` and `DeductionGuide` classes have been added, representing C++11 user defined literals and C++17 deduction guides.
### Minor Analysis Improvements
* Changed the output of `Node.toString` to better reflect how many indirections a given dataflow node has.
* Added a new predicate `Node.asDefinition` on `DataFlow::Node`s for selecting the dataflow node corresponding to a particular definition.
* The deprecated `DefaultTaintTracking` library has been removed.
* The `Guards` library has been replaced with the API-compatible `IRGuards` implementation, which has better precision in some cases.
### Bug Fixes
* Under certain circumstances a function declaration that is not also a definition could be associated with a `Function` that did not have the definition as a `FunctionDeclarationEntry`. This is now fixed when only one definition exists, and a unique `Function` will exist that has both the declaration and the definition as a `FunctionDeclarationEntry`.

View File

@@ -1,2 +1,2 @@
---
lastReleaseVersion: 0.12.2
lastReleaseVersion: 0.12.3

View File

@@ -1,5 +1,5 @@
name: codeql/cpp-all
version: 0.12.3-dev
version: 0.12.4-dev
groups: cpp
dbscheme: semmlecode.cpp.dbscheme
extractor: cpp

View File

@@ -7,7 +7,6 @@ import semmle.code.cpp.Location
private import semmle.code.cpp.Enclosing
private import semmle.code.cpp.internal.ResolveClass
private import semmle.code.cpp.internal.ResolveGlobalVariable
private import semmle.code.cpp.internal.ResolveFunction
/**
* Get the `Element` that represents this `@element`.
@@ -31,14 +30,11 @@ pragma[inline]
@element unresolveElement(Element e) {
not result instanceof @usertype and
not result instanceof @variable and
not result instanceof @function and
result = e
or
e = resolveClass(result)
or
e = resolveGlobalVariable(result)
or
e = resolveFunction(result)
}
/**

View File

@@ -9,7 +9,6 @@ import semmle.code.cpp.exprs.Call
import semmle.code.cpp.metrics.MetricFunction
import semmle.code.cpp.Linkage
private import semmle.code.cpp.internal.ResolveClass
private import semmle.code.cpp.internal.ResolveFunction
/**
* A C/C++ function [N4140 8.3.5]. Both member functions and non-member
@@ -26,8 +25,6 @@ private import semmle.code.cpp.internal.ResolveFunction
* in more detail in `Declaration.qll`.
*/
class Function extends Declaration, ControlFlowNode, AccessHolder, @function {
Function() { isFunction(underlyingElement(this)) }
override string getName() { functions(underlyingElement(this), result, _) }
/**
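Review bot: Removing the characteristic predicate `Function() { isFunction(underlyingElement(this)) }` makes every `@function` a `Function` again, which appears to undo the behaviour described by the 0.12.3 "Bug Fixes" entry in this same commit (a unique `Function` that has both the declaration and the definition as a `FunctionDeclarationEntry`). None of the change-note files visible here records that, so add a change note for the release this lands in, or state in the commit description why none is needed.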

View File

@@ -1,57 +0,0 @@
private predicate hasDefinition(@function f) {
exists(@fun_decl fd | fun_decls(fd, f, _, _, _) | fun_def(fd))
}
private predicate onlyOneCompleteFunctionExistsWithMangledName(@mangledname name) {
strictcount(@function f | hasDefinition(f) and mangled_name(f, name)) = 1
}
/** Holds if `f` is a unique function with a definition named `name`. */
private predicate isFunctionWithMangledNameAndWithDefinition(@mangledname name, @function f) {
hasDefinition(f) and
mangled_name(f, name) and
onlyOneCompleteFunctionExistsWithMangledName(name)
}
/** Holds if `f` is a function without a definition named `name`. */
private predicate isFunctionWithMangledNameAndWithoutDefinition(@mangledname name, @function f) {
not hasDefinition(f) and
mangled_name(f, name)
}
/**
* Holds if `incomplete` is a function without a definition, and there exists
* a unique function `complete` with the same name that does have a definition.
*/
private predicate hasTwinWithDefinition(@function incomplete, @function complete) {
not function_instantiation(incomplete, complete) and
(
not compgenerated(incomplete) or
not compgenerated(complete)
) and
exists(@mangledname name |
isFunctionWithMangledNameAndWithoutDefinition(name, incomplete) and
isFunctionWithMangledNameAndWithDefinition(name, complete)
)
}
import Cached
cached
private module Cached {
/**
* If `f` is a function without a definition, and there exists a unique
* function with the same name that does have a definition, then the
* result is that unique function. Otherwise, the result is `f`.
*/
cached
@function resolveFunction(@function f) {
hasTwinWithDefinition(f, result)
or
not hasTwinWithDefinition(f, _) and
result = f
}
cached
predicate isFunction(@function f) { f = resolveFunction(_) }
}
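Review bot: Deleting this module removes `resolveFunction` and the cached `isFunction`, so every importer has to be updated with it. The visible hunks drop `private import semmle.code.cpp.internal.ResolveFunction` from two files only. Confirm that nothing else in the pack still imports the module or calls either predicate, since a leftover reference would fail to compile.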

View File

@@ -1,3 +1,14 @@
## 0.9.2
### New Queries
* Added a new query, `cpp/use-of-unique-pointer-after-lifetime-ends`, to detect uses of the contents unique pointers that will be destroyed immediately.
* The `cpp/incorrectly-checked-scanf` query has been added. This finds results where the return value of scanf is not checked correctly. Some of these were previously found by `cpp/missing-check-scanf` and will no longer be reported there.
### Minor Analysis Improvements
* The `cpp/badly-bounded-write` query could report false positives when a pointer was first initialized with a literal and later assigned a dynamically allocated array. These false positives now no longer occur.
## 0.9.1
No user-facing changes.
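Review bot: The first "New Queries" bullet reads "uses of the contents unique pointers", which is missing a word; it should read "uses of the contents of unique pointers". In the second bullet, `scanf` is the only identifier not set in backticks, unlike the query ids around it. The same two bullets are in the new 0.9.2 release-notes file added later in this commit, so fix both copies.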

View File

@@ -1,4 +0,0 @@
---
category: newQuery
---
* The `cpp/incorrectly-checked-scanf` query has been added. This finds results where the return value of scanf is not checked correctly. Some of these were previously found by `cpp/missing-check-scanf` and will no longer be reported there.

View File

@@ -1,4 +0,0 @@
---
category: newQuery
---
* Added a new query, `cpp/use-of-unique-pointer-after-lifetime-ends`, to detect uses of the contents unique pointers that will be destroyed immediately.

View File

@@ -1,4 +0,0 @@
---
category: minorAnalysis
---
* The `cpp/badly-bounded-write` query could report false positives when a pointer was first initialized with a literal and later assigned a dynamically allocated array. These false positives now no longer occur.

View File

@@ -0,0 +1,10 @@
## 0.9.2
### New Queries
* Added a new query, `cpp/use-of-unique-pointer-after-lifetime-ends`, to detect uses of the contents unique pointers that will be destroyed immediately.
* The `cpp/incorrectly-checked-scanf` query has been added. This finds results where the return value of scanf is not checked correctly. Some of these were previously found by `cpp/missing-check-scanf` and will no longer be reported there.
### Minor Analysis Improvements
* The `cpp/badly-bounded-write` query could report false positives when a pointer was first initialized with a literal and later assigned a dynamically allocated array. These false positives now no longer occur.

View File

@@ -1,2 +1,2 @@
---
lastReleaseVersion: 0.9.1
lastReleaseVersion: 0.9.2

View File

@@ -1,5 +1,5 @@
name: codeql/cpp-queries
version: 0.9.2-dev
version: 0.9.3-dev
groups:
- cpp
- queries

View File

@@ -1,384 +1,388 @@
| C::C | false | 493 | 493 | C |
| C::C | false | 682 | 682 | C |
| C::operator= | false | 675 | 675 | operator= |
| C::~C | false | 614 | 614 | ~C |
| Error::Error | false | 259 | 259 | Error |
| Error::Error | false | 272 | 272 | Error |
| Error::Error | false | 277 | 277 | return ... |
| Error::Error | false | 279 | 279 | { ... } |
| Error::Error | true | 277 | 272 | |
| Error::Error | true | 279 | 277 | |
| Error::operator= | false | 253 | 253 | operator= |
| Error::~Error | false | 263 | 263 | ~Error |
| Error::~Error | false | 268 | 268 | return ... |
| Error::~Error | false | 270 | 270 | { ... } |
| Error::~Error | true | 268 | 263 | |
| Error::~Error | true | 270 | 268 | |
| __va_list_tag::operator= | false | 140 | 140 | operator= |
| __va_list_tag::operator= | false | 147 | 147 | operator= |
| f | false | 477 | 477 | f |
| f | false | 488 | 488 | declaration |
| f | false | 491 | 491 | call to C |
| f | false | 496 | 496 | 102 |
| f | false | 497 | 497 | initializer for c102 |
| f | false | 501 | 501 | call to C |
| f | false | 505 | 505 | 103 |
| f | false | 506 | 506 | initializer for c103 |
| f | false | 509 | 509 | declaration |
| f | false | 511 | 511 | b1 |
| f | false | 513 | 513 | (bool)... |
| f | false | 516 | 516 | 1 |
| f | false | 517 | 517 | throw ... |
| f | false | 519 | 519 | ExprStmt |
| f | false | 521 | 521 | { ... } |
| f | false | 523 | 523 | if (...) ... |
| f | false | 525 | 525 | declaration |
| f | false | 527 | 527 | { ... } |
| f | false | 534 | 534 | 1 |
| f | false | 536 | 536 | call to C |
| f | false | 540 | 540 | 104 |
| f | false | 541 | 541 | initializer for c104 |
| f | false | 544 | 544 | declaration |
| f | false | 546 | 546 | { ... } |
| f | false | 548 | 548 | __try { ... } __except( ... ) { ... } |
| f | false | 550 | 550 | declaration |
| C::C | false | 499 | 499 | C |
| C::C | false | 690 | 690 | C |
| C::operator= | false | 681 | 681 | operator= |
| C::~C | false | 647 | 647 | ~C |
| Error::Error | false | 205 | 205 | Error |
| Error::Error | false | 219 | 219 | Error |
| Error::Error | false | 224 | 224 | return ... |
| Error::Error | false | 226 | 226 | { ... } |
| Error::Error | true | 224 | 219 | |
| Error::Error | true | 226 | 224 | |
| Error::operator= | false | 197 | 197 | operator= |
| Error::~Error | false | 209 | 209 | ~Error |
| Error::~Error | false | 215 | 215 | return ... |
| Error::~Error | false | 217 | 217 | { ... } |
| Error::~Error | true | 215 | 209 | |
| Error::~Error | true | 217 | 215 | |
| __va_list_tag::operator= | false | 66 | 66 | operator= |
| __va_list_tag::operator= | false | 72 | 72 | operator= |
| f | false | 483 | 483 | f |
| f | false | 494 | 494 | declaration |
| f | false | 497 | 497 | call to C |
| f | false | 502 | 502 | 101 |
| f | false | 503 | 503 | initializer for c101 |
| f | false | 506 | 506 | __try { ... } __except( ... ) { ... } |
| f | false | 509 | 509 | call to C |
| f | false | 513 | 513 | 102 |
| f | false | 514 | 514 | initializer for c102 |
| f | false | 518 | 518 | call to C |
| f | false | 522 | 522 | 103 |
| f | false | 523 | 523 | initializer for c103 |
| f | false | 526 | 526 | declaration |
| f | false | 528 | 528 | if (...) ... |
| f | false | 530 | 530 | b1 |
| f | false | 532 | 532 | (bool)... |
| f | false | 533 | 533 | ExprStmt |
| f | false | 537 | 537 | 1 |
| f | false | 538 | 538 | throw ... |
| f | false | 540 | 540 | { ... } |
| f | false | 542 | 542 | declaration |
| f | false | 544 | 544 | { ... } |
| f | false | 551 | 551 | 1 |
| f | false | 553 | 553 | call to C |
| f | false | 557 | 557 | 106 |
| f | false | 558 | 558 | initializer for c106 |
| f | false | 562 | 562 | call to C |
| f | false | 566 | 566 | 107 |
| f | false | 567 | 567 | initializer for c107 |
| f | false | 570 | 570 | declaration |
| f | false | 572 | 572 | b2 |
| f | false | 574 | 574 | (bool)... |
| f | false | 577 | 577 | 2 |
| f | false | 578 | 578 | throw ... |
| f | false | 580 | 580 | ExprStmt |
| f | false | 582 | 582 | { ... } |
| f | false | 584 | 584 | if (...) ... |
| f | false | 586 | 586 | declaration |
| f | false | 588 | 588 | { ... } |
| f | false | 591 | 591 | call to C |
| f | false | 595 | 595 | 108 |
| f | false | 596 | 596 | initializer for c108 |
| f | false | 599 | 599 | declaration |
| f | false | 601 | 601 | { ... } |
| f | false | 603 | 603 | __try { ... } __finally { ... } |
| f | false | 605 | 605 | declaration |
| f | false | 607 | 607 | return ... |
| f | false | 609 | 609 | { ... } |
| f | false | 611 | 611 | c101 |
| f | false | 613 | 613 | call to c101.~C |
| f | false | 615 | 615 | c105 |
| f | false | 616 | 616 | call to c105.~C |
| f | false | 617 | 617 | c109 |
| f | false | 618 | 618 | call to c109.~C |
| f | false | 619 | 619 | c101 |
| f | false | 620 | 620 | call to c101.~C |
| f | false | 621 | 621 | c105 |
| f | false | 622 | 622 | call to c105.~C |
| f | false | 623 | 623 | c108 |
| f | false | 625 | 625 | call to c108.~C |
| f | false | 626 | 626 | c106 |
| f | false | 628 | 628 | call to c106.~C |
| f | false | 629 | 629 | c107 |
| f | false | 630 | 630 | call to c107.~C |
| f | false | 631 | 631 | c106 |
| f | false | 632 | 632 | call to c106.~C |
| f | false | 633 | 633 | c104 |
| f | false | 635 | 635 | call to c104.~C |
| f | false | 636 | 636 | c102 |
| f | false | 638 | 638 | call to c102.~C |
| f | false | 639 | 639 | c103 |
| f | false | 640 | 640 | call to c103.~C |
| f | false | 641 | 641 | c102 |
| f | false | 642 | 642 | call to c102.~C |
| f | false | 644 | 644 | call to C |
| f | false | 648 | 648 | 101 |
| f | false | 649 | 649 | initializer for c101 |
| f | false | 653 | 653 | call to C |
| f | false | 657 | 657 | 105 |
| f | false | 658 | 658 | initializer for c105 |
| f | false | 662 | 662 | call to C |
| f | false | 666 | 666 | 109 |
| f | false | 667 | 667 | initializer for c109 |
| f | true | 488 | 649 | |
| f | true | 491 | 523 | |
| f | true | 496 | 491 | |
| f | true | 497 | 496 | |
| f | true | 501 | 639 | |
| f | true | 505 | 501 | |
| f | true | 506 | 505 | |
| f | true | 509 | 497 | |
| f | true | 511 | 521 | T |
| f | true | 511 | 525 | F |
| f | true | 516 | 517 | |
| f | true | 517 | 641 | |
| f | true | 519 | 516 | |
| f | true | 521 | 519 | |
| f | true | 523 | 511 | |
| f | true | 525 | 506 | |
| f | true | 527 | 509 | |
| f | true | 534 | 546 | T |
| f | true | 536 | 633 | |
| f | true | 540 | 536 | |
| f | true | 541 | 540 | |
| f | true | 544 | 541 | |
| f | true | 546 | 544 | |
| f | true | 548 | 527 | |
| f | true | 550 | 658 | |
| f | true | 553 | 584 | |
| f | false | 557 | 557 | 104 |
| f | false | 558 | 558 | initializer for c104 |
| f | false | 561 | 561 | declaration |
| f | false | 563 | 563 | { ... } |
| f | false | 565 | 565 | declaration |
| f | false | 568 | 568 | call to C |
| f | false | 572 | 572 | 105 |
| f | false | 573 | 573 | initializer for c105 |
| f | false | 576 | 576 | __try { ... } __finally { ... } |
| f | false | 579 | 579 | call to C |
| f | false | 583 | 583 | 106 |
| f | false | 584 | 584 | initializer for c106 |
| f | false | 588 | 588 | call to C |
| f | false | 592 | 592 | 107 |
| f | false | 593 | 593 | initializer for c107 |
| f | false | 596 | 596 | declaration |
| f | false | 598 | 598 | if (...) ... |
| f | false | 600 | 600 | b2 |
| f | false | 602 | 602 | (bool)... |
| f | false | 603 | 603 | ExprStmt |
| f | false | 607 | 607 | 2 |
| f | false | 608 | 608 | throw ... |
| f | false | 610 | 610 | { ... } |
| f | false | 612 | 612 | declaration |
| f | false | 614 | 614 | { ... } |
| f | false | 617 | 617 | call to C |
| f | false | 621 | 621 | 108 |
| f | false | 622 | 622 | initializer for c108 |
| f | false | 625 | 625 | declaration |
| f | false | 627 | 627 | { ... } |
| f | false | 629 | 629 | declaration |
| f | false | 632 | 632 | call to C |
| f | false | 636 | 636 | 109 |
| f | false | 637 | 637 | initializer for c109 |
| f | false | 640 | 640 | return ... |
| f | false | 642 | 642 | { ... } |
| f | false | 644 | 644 | c104 |
| f | false | 646 | 646 | call to c104.~C |
| f | false | 648 | 648 | c101 |
| f | false | 650 | 650 | call to c101.~C |
| f | false | 651 | 651 | c102 |
| f | false | 653 | 653 | call to c102.~C |
| f | false | 654 | 654 | c103 |
| f | false | 655 | 655 | call to c103.~C |
| f | false | 656 | 656 | c102 |
| f | false | 657 | 657 | call to c102.~C |
| f | false | 658 | 658 | c101 |
| f | false | 659 | 659 | call to c101.~C |
| f | false | 660 | 660 | c105 |
| f | false | 661 | 661 | call to c105.~C |
| f | false | 662 | 662 | c108 |
| f | false | 664 | 664 | call to c108.~C |
| f | false | 665 | 665 | c106 |
| f | false | 667 | 667 | call to c106.~C |
| f | false | 668 | 668 | c107 |
| f | false | 669 | 669 | call to c107.~C |
| f | false | 670 | 670 | c106 |
| f | false | 671 | 671 | call to c106.~C |
| f | false | 672 | 672 | c101 |
| f | false | 673 | 673 | call to c101.~C |
| f | false | 674 | 674 | c105 |
| f | false | 675 | 675 | call to c105.~C |
| f | false | 676 | 676 | c109 |
| f | false | 677 | 677 | call to c109.~C |
| f | true | 494 | 503 | |
| f | true | 497 | 506 | |
| f | true | 502 | 497 | |
| f | true | 503 | 502 | |
| f | true | 506 | 544 | |
| f | true | 509 | 528 | |
| f | true | 513 | 509 | |
| f | true | 514 | 513 | |
| f | true | 518 | 654 | |
| f | true | 522 | 518 | |
| f | true | 523 | 522 | |
| f | true | 526 | 514 | |
| f | true | 528 | 530 | |
| f | true | 530 | 540 | T |
| f | true | 530 | 542 | F |
| f | true | 533 | 537 | |
| f | true | 537 | 538 | |
| f | true | 538 | 656 | |
| f | true | 540 | 533 | |
| f | true | 542 | 523 | |
| f | true | 544 | 526 | |
| f | true | 551 | 563 | T |
| f | true | 553 | 644 | |
| f | true | 557 | 553 | |
| f | true | 558 | 557 | |
| f | true | 562 | 629 | |
| f | true | 566 | 562 | |
| f | true | 567 | 566 | |
| f | true | 570 | 558 | |
| f | true | 572 | 582 | T |
| f | true | 572 | 586 | F |
| f | true | 577 | 578 | |
| f | true | 578 | 631 | |
| f | true | 580 | 577 | |
| f | true | 582 | 580 | |
| f | true | 584 | 572 | |
| f | true | 586 | 567 | |
| f | true | 588 | 570 | |
| f | true | 591 | 623 | |
| f | true | 595 | 591 | |
| f | true | 596 | 595 | |
| f | true | 599 | 596 | |
| f | true | 601 | 599 | |
| f | true | 603 | 588 | |
| f | true | 605 | 667 | |
| f | true | 607 | 617 | |
| f | true | 609 | 488 | |
| f | true | 611 | 613 | |
| f | true | 613 | 477 | |
| f | true | 615 | 616 | |
| f | true | 616 | 611 | |
| f | true | 617 | 618 | |
| f | true | 618 | 615 | |
| f | true | 619 | 620 | |
| f | true | 620 | 477 | |
| f | true | 621 | 622 | |
| f | true | 622 | 619 | |
| f | true | 623 | 625 | |
| f | true | 625 | 605 | |
| f | true | 625 | 621 | |
| f | true | 626 | 628 | |
| f | true | 628 | 601 | |
| f | true | 629 | 630 | |
| f | true | 630 | 626 | |
| f | true | 631 | 632 | |
| f | true | 632 | 601 | |
| f | true | 633 | 635 | |
| f | true | 635 | 550 | |
| f | true | 636 | 638 | |
| f | true | 638 | 550 | |
| f | true | 639 | 640 | |
| f | true | 640 | 636 | |
| f | true | 641 | 642 | |
| f | true | 642 | 534 | |
| f | true | 644 | 548 | |
| f | true | 648 | 644 | |
| f | true | 649 | 648 | |
| f | true | 653 | 603 | |
| f | true | 657 | 653 | |
| f | true | 658 | 657 | |
| f | true | 662 | 607 | |
| f | true | 666 | 662 | |
| f | true | 667 | 666 | |
| f1 | false | 292 | 292 | f1 |
| f2 | false | 299 | 299 | f2 |
| f3 | false | 304 | 304 | f3 |
| f4 | false | 309 | 309 | f4 |
| f4 | false | 433 | 433 | return ... |
| f4 | false | 435 | 435 | { ... } |
| f4 | true | 433 | 309 | |
| f4 | true | 435 | 433 | |
| f5 | false | 314 | 314 | f5 |
| f5 | false | 422 | 422 | 3 |
| f5 | false | 423 | 423 | throw ... |
| f5 | false | 425 | 425 | ExprStmt |
| f5 | false | 427 | 427 | { ... } |
| f5 | true | 422 | 423 | |
| f5 | true | 423 | 314 | |
| f5 | true | 425 | 422 | |
| f5 | true | 427 | 425 | |
| fun | false | 287 | 287 | fun |
| fun | false | 295 | 295 | call to f1 |
| f | true | 561 | 558 | |
| f | true | 563 | 561 | |
| f | true | 565 | 573 | |
| f | true | 568 | 576 | |
| f | true | 572 | 568 | |
| f | true | 573 | 572 | |
| f | true | 576 | 614 | |
| f | true | 579 | 598 | |
| f | true | 583 | 579 | |
| f | true | 584 | 583 | |
| f | true | 588 | 668 | |
| f | true | 592 | 588 | |
| f | true | 593 | 592 | |
| f | true | 596 | 584 | |
| f | true | 598 | 600 | |
| f | true | 600 | 610 | T |
| f | true | 600 | 612 | F |
| f | true | 603 | 607 | |
| f | true | 607 | 608 | |
| f | true | 608 | 670 | |
| f | true | 610 | 603 | |
| f | true | 612 | 593 | |
| f | true | 614 | 596 | |
| f | true | 617 | 662 | |
| f | true | 621 | 617 | |
| f | true | 622 | 621 | |
| f | true | 625 | 622 | |
| f | true | 627 | 625 | |
| f | true | 629 | 637 | |
| f | true | 632 | 640 | |
| f | true | 636 | 632 | |
| f | true | 637 | 636 | |
| f | true | 640 | 676 | |
| f | true | 642 | 494 | |
| f | true | 644 | 646 | |
| f | true | 646 | 565 | |
| f | true | 648 | 650 | |
| f | true | 650 | 483 | |
| f | true | 651 | 653 | |
| f | true | 653 | 565 | |
| f | true | 654 | 655 | |
| f | true | 655 | 651 | |
| f | true | 656 | 657 | |
| f | true | 657 | 551 | |
| f | true | 658 | 659 | |
| f | true | 659 | 483 | |
| f | true | 660 | 661 | |
| f | true | 661 | 658 | |
| f | true | 662 | 664 | |
| f | true | 664 | 629 | |
| f | true | 664 | 660 | |
| f | true | 665 | 667 | |
| f | true | 667 | 627 | |
| f | true | 668 | 669 | |
| f | true | 669 | 665 | |
| f | true | 670 | 671 | |
| f | true | 671 | 627 | |
| f | true | 672 | 673 | |
| f | true | 673 | 483 | |
| f | true | 674 | 675 | |
| f | true | 675 | 672 | |
| f | true | 676 | 677 | |
| f | true | 677 | 674 | |
| f1 | false | 287 | 287 | f1 |
| f2 | false | 294 | 294 | f2 |
| f3 | false | 299 | 299 | f3 |
| f4 | false | 304 | 304 | f4 |
| f4 | false | 422 | 422 | return ... |
| f4 | false | 424 | 424 | { ... } |
| f4 | true | 422 | 304 | |
| f4 | true | 424 | 422 | |
| f5 | false | 309 | 309 | f5 |
| f5 | false | 409 | 409 | ExprStmt |
| f5 | false | 413 | 413 | 3 |
| f5 | false | 414 | 414 | throw ... |
| f5 | false | 416 | 416 | { ... } |
| f5 | true | 409 | 413 | |
| f5 | true | 413 | 414 | |
| f5 | true | 414 | 309 | |
| f5 | true | 416 | 409 | |
| fun | false | 276 | 276 | fun |
| fun | false | 281 | 281 | try { ... } |
| fun | false | 283 | 283 | try { ... } |
| fun | false | 285 | 285 | ExprStmt |
| fun | false | 290 | 290 | call to f1 |
| fun | false | 292 | 292 | ExprStmt |
| fun | false | 295 | 295 | call to f2 |
| fun | false | 297 | 297 | ExprStmt |
| fun | false | 300 | 300 | call to f2 |
| fun | false | 300 | 300 | call to f3 |
| fun | false | 302 | 302 | ExprStmt |
| fun | false | 305 | 305 | call to f3 |
| fun | false | 305 | 305 | call to f4 |
| fun | false | 307 | 307 | ExprStmt |
| fun | false | 310 | 310 | call to f4 |
| fun | false | 310 | 310 | call to f5 |
| fun | false | 312 | 312 | ExprStmt |
| fun | false | 315 | 315 | call to f5 |
| fun | false | 317 | 317 | ExprStmt |
| fun | false | 321 | 321 | 5 |
| fun | false | 322 | 322 | throw ... |
| fun | false | 324 | 324 | ExprStmt |
| fun | false | 327 | 327 | call to g |
| fun | false | 316 | 316 | 5 |
| fun | false | 317 | 317 | throw ... |
| fun | false | 319 | 319 | ExprStmt |
| fun | false | 322 | 322 | call to g |
| fun | false | 324 | 324 | { ... } |
| fun | false | 329 | 329 | ExprStmt |
| fun | false | 331 | 331 | { ... } |
| fun | false | 337 | 337 | call to h |
| fun | false | 339 | 339 | ExprStmt |
| fun | false | 341 | 341 | { ... } |
| fun | false | 343 | 343 | <handler> |
| fun | false | 344 | 344 | try { ... } |
| fun | false | 346 | 346 | { ... } |
| fun | false | 352 | 352 | call to i |
| fun | false | 354 | 354 | ExprStmt |
| fun | false | 356 | 356 | { ... } |
| fun | false | 362 | 362 | call to j |
| fun | false | 364 | 364 | ExprStmt |
| fun | false | 366 | 366 | { ... } |
| fun | false | 368 | 368 | <handler> |
| fun | false | 369 | 369 | <handler> |
| fun | false | 370 | 370 | try { ... } |
| fun | false | 373 | 373 | call to k |
| fun | false | 375 | 375 | ExprStmt |
| fun | false | 379 | 379 | 7 |
| fun | false | 380 | 380 | throw ... |
| fun | false | 382 | 382 | ExprStmt |
| fun | false | 384 | 384 | { ... } |
| fun | false | 390 | 390 | call to l |
| fun | false | 392 | 392 | ExprStmt |
| fun | false | 394 | 394 | { ... } |
| fun | false | 397 | 397 | call to m |
| fun | false | 399 | 399 | ExprStmt |
| fun | false | 401 | 401 | { ... } |
| fun | false | 403 | 403 | <handler> |
| fun | false | 404 | 404 | <handler> |
| fun | false | 405 | 405 | try { ... } |
| fun | false | 408 | 408 | call to n |
| fun | false | 410 | 410 | ExprStmt |
| fun | false | 412 | 412 | return ... |
| fun | false | 414 | 414 | { ... } |
| fun | true | 295 | 302 | |
| fun | true | 297 | 295 | |
| fun | true | 300 | 307 | |
| fun | true | 302 | 300 | |
| fun | true | 305 | 312 | |
| fun | true | 307 | 305 | |
| fun | true | 310 | 317 | |
| fun | true | 312 | 310 | |
| fun | true | 317 | 315 | |
| fun | true | 321 | 322 | |
| fun | true | 322 | 343 | |
| fun | true | 324 | 321 | |
| fun | true | 327 | 375 | |
| fun | true | 329 | 327 | |
| fun | true | 331 | 297 | |
| fun | true | 337 | 375 | |
| fun | true | 339 | 337 | |
| fun | true | 341 | 339 | |
| fun | true | 343 | 341 | |
| fun | true | 343 | 368 | |
| fun | true | 344 | 331 | |
| fun | true | 346 | 344 | |
| fun | true | 352 | 375 | |
| fun | true | 354 | 352 | |
| fun | true | 356 | 354 | |
| fun | true | 362 | 375 | |
| fun | true | 364 | 362 | |
| fun | true | 366 | 364 | |
| fun | true | 368 | 356 | |
| fun | true | 368 | 369 | |
| fun | true | 369 | 287 | |
| fun | true | 369 | 366 | |
| fun | true | 370 | 346 | |
| fun | true | 373 | 405 | |
| fun | true | 375 | 373 | |
| fun | true | 379 | 380 | |
| fun | true | 380 | 403 | |
| fun | true | 382 | 379 | |
| fun | true | 384 | 382 | |
| fun | true | 390 | 410 | |
| fun | true | 392 | 390 | |
| fun | true | 394 | 392 | |
| fun | true | 397 | 410 | |
| fun | true | 399 | 397 | |
| fun | true | 401 | 399 | |
| fun | true | 403 | 394 | |
| fun | true | 403 | 404 | |
| fun | true | 404 | 401 | |
| fun | true | 405 | 384 | |
| fun | true | 408 | 412 | |
| fun | true | 410 | 408 | |
| fun | true | 412 | 287 | |
| fun | true | 414 | 370 | |
| fun2 | false | 204 | 204 | fun2 |
| fun2 | false | 215 | 215 | fun2 |
| fun2 | false | 218 | 218 | { ... } |
| fun2 | false | 223 | 223 | re-throw exception |
| fun2 | false | 225 | 225 | ExprStmt |
| fun2 | false | 227 | 227 | { ... } |
| fun2 | false | 231 | 231 | 1 |
| fun2 | false | 232 | 232 | return ... |
| fun2 | false | 234 | 234 | { ... } |
| fun2 | false | 236 | 236 | <handler> |
| fun2 | false | 237 | 237 | <handler> |
| fun2 | false | 238 | 238 | try { ... } |
| fun2 | false | 242 | 242 | 0 |
| fun2 | false | 243 | 243 | return ... |
| fun2 | false | 245 | 245 | { ... } |
| fun2 | false | 702 | 702 | { ... } |
| fun2 | false | 707 | 707 | re-throw exception |
| fun2 | false | 708 | 708 | ExprStmt |
| fun2 | false | 709 | 709 | { ... } |
| fun2 | false | 711 | 711 | 1 |
| fun2 | false | 712 | 712 | return ... |
| fun2 | false | 713 | 713 | { ... } |
| fun2 | false | 714 | 714 | <handler> |
| fun2 | false | 715 | 715 | <handler> |
| fun2 | false | 716 | 716 | try { ... } |
| fun2 | false | 718 | 718 | 0 |
| fun2 | false | 719 | 719 | return ... |
| fun2 | false | 720 | 720 | { ... } |
| fun2 | true | 218 | 243 | |
| fun2 | true | 223 | 215 | |
| fun2 | true | 225 | 223 | |
| fun2 | true | 227 | 225 | |
| fun2 | true | 231 | 215 | |
| fun2 | true | 232 | 231 | |
| fun2 | true | 234 | 232 | |
| fun2 | true | 236 | 227 | |
| fun2 | true | 236 | 237 | |
| fun2 | true | 237 | 234 | |
| fun2 | true | 238 | 218 | |
| fun2 | true | 242 | 215 | |
| fun2 | true | 243 | 242 | |
| fun2 | true | 245 | 238 | |
| fun2 | true | 702 | 719 | |
| fun2 | true | 707 | 204 | |
| fun2 | true | 708 | 707 | |
| fun2 | true | 709 | 708 | |
| fun2 | true | 711 | 204 | |
| fun2 | true | 712 | 711 | |
| fun2 | true | 713 | 712 | |
| fun2 | true | 714 | 709 | |
| fun2 | true | 714 | 715 | |
| fun2 | true | 715 | 713 | |
| fun2 | true | 716 | 702 | |
| fun2 | true | 718 | 204 | |
| fun2 | true | 719 | 718 | |
| fun2 | true | 720 | 716 | |
| g | false | 326 | 326 | g |
| h | false | 336 | 336 | h |
| i | false | 351 | 351 | i |
| j | false | 361 | 361 | j |
| k | false | 372 | 372 | k |
| l | false | 389 | 389 | l |
| m | false | 396 | 396 | m |
| n | false | 407 | 407 | n |
| run_fun2 | false | 199 | 199 | run_fun2 |
| run_fun2 | false | 207 | 207 | call to fun2 |
| run_fun2 | false | 209 | 209 | ExprStmt |
| run_fun2 | false | 211 | 211 | return ... |
| run_fun2 | false | 213 | 213 | { ... } |
| run_fun2 | true | 207 | 211 | |
| run_fun2 | true | 209 | 207 | |
| run_fun2 | true | 211 | 199 | |
| run_fun2 | true | 213 | 209 | |
| fun | false | 332 | 332 | call to h |
| fun | false | 334 | 334 | { ... } |
| fun | false | 336 | 336 | <handler> |
| fun | false | 337 | 337 | { ... } |
| fun | false | 342 | 342 | ExprStmt |
| fun | false | 345 | 345 | call to i |
| fun | false | 347 | 347 | { ... } |
| fun | false | 352 | 352 | ExprStmt |
| fun | false | 355 | 355 | call to j |
| fun | false | 357 | 357 | { ... } |
| fun | false | 359 | 359 | <handler> |
| fun | false | 360 | 360 | <handler> |
| fun | false | 361 | 361 | ExprStmt |
| fun | false | 364 | 364 | call to k |
| fun | false | 366 | 366 | try { ... } |
| fun | false | 368 | 368 | ExprStmt |
| fun | false | 372 | 372 | 7 |
| fun | false | 373 | 373 | throw ... |
| fun | false | 375 | 375 | { ... } |
| fun | false | 380 | 380 | ExprStmt |
| fun | false | 383 | 383 | call to l |
| fun | false | 385 | 385 | { ... } |
| fun | false | 387 | 387 | ExprStmt |
| fun | false | 390 | 390 | call to m |
| fun | false | 392 | 392 | { ... } |
| fun | false | 394 | 394 | <handler> |
| fun | false | 395 | 395 | <handler> |
| fun | false | 396 | 396 | ExprStmt |
| fun | false | 399 | 399 | call to n |
| fun | false | 401 | 401 | return ... |
| fun | false | 403 | 403 | { ... } |
| fun | true | 281 | 337 | |
| fun | true | 283 | 324 | |
| fun | true | 285 | 290 | |
| fun | true | 290 | 292 | |
| fun | true | 292 | 295 | |
| fun | true | 295 | 297 | |
| fun | true | 297 | 300 | |
| fun | true | 300 | 302 | |
| fun | true | 302 | 305 | |
| fun | true | 305 | 307 | |
| fun | true | 307 | 310 | |
| fun | true | 312 | 316 | |
| fun | true | 316 | 317 | |
| fun | true | 317 | 336 | |
| fun | true | 319 | 322 | |
| fun | true | 322 | 361 | |
| fun | true | 324 | 285 | |
| fun | true | 329 | 332 | |
| fun | true | 332 | 361 | |
| fun | true | 334 | 329 | |
| fun | true | 336 | 334 | |
| fun | true | 336 | 359 | |
| fun | true | 337 | 283 | |
| fun | true | 342 | 345 | |
| fun | true | 345 | 361 | |
| fun | true | 347 | 342 | |
| fun | true | 352 | 355 | |
| fun | true | 355 | 361 | |
| fun | true | 357 | 352 | |
| fun | true | 359 | 347 | |
| fun | true | 359 | 360 | |
| fun | true | 360 | 276 | |
| fun | true | 360 | 357 | |
| fun | true | 361 | 364 | |
| fun | true | 364 | 366 | |
| fun | true | 366 | 375 | |
| fun | true | 368 | 372 | |
| fun | true | 372 | 373 | |
| fun | true | 373 | 394 | |
| fun | true | 375 | 368 | |
| fun | true | 380 | 383 | |
| fun | true | 383 | 396 | |
| fun | true | 385 | 380 | |
| fun | true | 387 | 390 | |
| fun | true | 390 | 396 | |
| fun | true | 392 | 387 | |
| fun | true | 394 | 385 | |
| fun | true | 394 | 395 | |
| fun | true | 395 | 392 | |
| fun | true | 396 | 399 | |
| fun | true | 399 | 401 | |
| fun | true | 401 | 276 | |
| fun | true | 403 | 281 | |
| fun2 | false | 149 | 149 | fun2 |
| fun2 | false | 159 | 159 | fun2 |
| fun2 | false | 162 | 162 | try { ... } |
| fun2 | false | 164 | 164 | { ... } |
| fun2 | false | 172 | 172 | ExprStmt |
| fun2 | false | 174 | 174 | re-throw exception |
| fun2 | false | 176 | 176 | { ... } |
| fun2 | false | 178 | 178 | return ... |
| fun2 | false | 182 | 182 | 1 |
| fun2 | false | 183 | 183 | { ... } |
| fun2 | false | 185 | 185 | <handler> |
| fun2 | false | 186 | 186 | <handler> |
| fun2 | false | 187 | 187 | return ... |
| fun2 | false | 191 | 191 | 0 |
| fun2 | false | 192 | 192 | { ... } |
| fun2 | false | 257 | 257 | try { ... } |
| fun2 | false | 258 | 258 | { ... } |
| fun2 | false | 261 | 261 | ExprStmt |
| fun2 | false | 262 | 262 | re-throw exception |
| fun2 | false | 263 | 263 | { ... } |
| fun2 | false | 264 | 264 | return ... |
| fun2 | false | 266 | 266 | 1 |
| fun2 | false | 267 | 267 | { ... } |
| fun2 | false | 268 | 268 | <handler> |
| fun2 | false | 269 | 269 | <handler> |
| fun2 | false | 270 | 270 | return ... |
| fun2 | false | 272 | 272 | 0 |
| fun2 | false | 273 | 273 | { ... } |
| fun2 | true | 162 | 164 | |
| fun2 | true | 164 | 187 | |
| fun2 | true | 172 | 174 | |
| fun2 | true | 174 | 159 | |
| fun2 | true | 176 | 172 | |
| fun2 | true | 178 | 182 | |
| fun2 | true | 182 | 159 | |
| fun2 | true | 183 | 178 | |
| fun2 | true | 185 | 176 | |
| fun2 | true | 185 | 186 | |
| fun2 | true | 186 | 183 | |
| fun2 | true | 187 | 191 | |
| fun2 | true | 191 | 159 | |
| fun2 | true | 192 | 162 | |
| fun2 | true | 257 | 258 | |
| fun2 | true | 258 | 270 | |
| fun2 | true | 261 | 262 | |
| fun2 | true | 262 | 149 | |
| fun2 | true | 263 | 261 | |
| fun2 | true | 264 | 266 | |
| fun2 | true | 266 | 149 | |
| fun2 | true | 267 | 264 | |
| fun2 | true | 268 | 263 | |
| fun2 | true | 268 | 269 | |
| fun2 | true | 269 | 267 | |
| fun2 | true | 270 | 272 | |
| fun2 | true | 272 | 149 | |
| fun2 | true | 273 | 257 | |
| g | false | 321 | 321 | g |
| h | false | 331 | 331 | h |
| i | false | 344 | 344 | i |
| j | false | 354 | 354 | j |
| k | false | 363 | 363 | k |
| l | false | 382 | 382 | l |
| m | false | 389 | 389 | m |
| n | false | 398 | 398 | n |
| run_fun2 | false | 142 | 142 | run_fun2 |
| run_fun2 | false | 147 | 147 | ExprStmt |
| run_fun2 | false | 152 | 152 | call to fun2 |
| run_fun2 | false | 154 | 154 | return ... |
| run_fun2 | false | 156 | 156 | { ... } |
| run_fun2 | true | 147 | 152 | |
| run_fun2 | true | 152 | 154 | |
| run_fun2 | true | 154 | 142 | |
| run_fun2 | true | 156 | 147 | |

View File

@@ -1,2 +1,3 @@
| exceptions.cpp:25:13:25:19 | ExprStmt |
| exceptions.cpp:26:13:26:13 | ExprStmt |
| ms.cpp:38:1:38:1 | c101 |

View File

@@ -1,255 +1,263 @@
| C::C | false | 197 | 197 | C |
| C::C | false | 398 | 398 | C |
| C::operator= | false | 391 | 391 | operator= |
| C::~C | false | 331 | 331 | ~C |
| Class2::Class2 | false | 538 | 538 | Class2 |
| Class2::Class2 | false | 544 | 544 | return ... |
| Class2::Class2 | false | 546 | 546 | { ... } |
| C::C | false | 181 | 181 | C |
| C::C | false | 384 | 384 | C |
| C::operator= | false | 375 | 375 | operator= |
| C::~C | false | 333 | 333 | ~C |
| Class2::Class2 | false | 547 | 547 | Class2 |
| Class2::Class2 | true | 544 | 538 | |
| Class2::Class2 | true | 546 | 544 | |
| Class2::operator= | false | 532 | 532 | operator= |
| Class2::~Class2 | false | 467 | 467 | ~Class2 |
| Outer::Inner::Inner | false | 488 | 488 | Inner |
| Outer::Inner::Inner | false | 509 | 509 | Inner |
| Outer::Inner::Inner | false | 528 | 528 | return ... |
| Outer::Inner::Inner | false | 530 | 530 | { ... } |
| Outer::Inner::Inner | true | 528 | 488 | |
| Outer::Inner::Inner | true | 530 | 528 | |
| Outer::Inner::operator= | false | 502 | 502 | operator= |
| Outer::Inner::~Inner | false | 470 | 470 | ~Inner |
| Outer::Inner::~Inner | false | 517 | 517 | return ... |
| Outer::Inner::~Inner | false | 519 | 519 | { ... } |
| Outer::Inner::~Inner | true | 517 | 470 | |
| Outer::Inner::~Inner | true | 519 | 517 | |
| Outer::f2 | false | 439 | 439 | f2 |
| Outer::f2 | false | 447 | 447 | declaration |
| Outer::f2 | false | 449 | 449 | i |
| Outer::f2 | false | 451 | 451 | (bool)... |
| Outer::f2 | false | 452 | 452 | return ... |
| Outer::f2 | false | 454 | 454 | { ... } |
| Outer::f2 | false | 456 | 456 | if (...) ... |
| Outer::f2 | false | 458 | 458 | declaration |
| Outer::f2 | false | 460 | 460 | return ... |
| Outer::f2 | false | 462 | 462 | { ... } |
| Outer::f2 | false | 464 | 464 | c |
| Outer::f2 | false | 466 | 466 | call to c.~Class2 |
| Outer::f2 | false | 468 | 468 | inner |
| Outer::f2 | false | 469 | 469 | call to inner.~Inner |
| Outer::f2 | false | 474 | 474 | call to getClass2 |
| Outer::f2 | false | 476 | 476 | initializer for c |
| Outer::f2 | false | 481 | 481 | call to Inner |
| Outer::f2 | false | 490 | 490 | c |
| Outer::f2 | false | 492 | 492 | (const Class2)... |
| Outer::f2 | false | 493 | 493 | (reference to) |
| Outer::f2 | false | 494 | 494 | initializer for inner |
| Outer::f2 | true | 447 | 476 | |
| Outer::f2 | true | 449 | 454 | T |
| Outer::f2 | true | 449 | 458 | F |
| Outer::f2 | true | 452 | 464 | |
| Outer::f2 | true | 454 | 452 | |
| Outer::f2 | true | 456 | 449 | |
| Outer::f2 | true | 458 | 494 | |
| Outer::f2 | true | 460 | 468 | |
| Outer::f2 | true | 462 | 447 | |
| Class2::Class2 | false | 554 | 554 | return ... |
| Class2::Class2 | false | 556 | 556 | { ... } |
| Class2::Class2 | false | 557 | 557 | Class2 |
| Class2::Class2 | true | 554 | 547 | |
| Class2::Class2 | true | 556 | 554 | |
| Class2::operator= | false | 541 | 541 | operator= |
| Class2::~Class2 | false | 499 | 499 | ~Class2 |
| Outer::Inner::Inner | false | 481 | 481 | Inner |
| Outer::Inner::Inner | false | 517 | 517 | Inner |
| Outer::Inner::Inner | false | 537 | 537 | return ... |
| Outer::Inner::Inner | false | 539 | 539 | { ... } |
| Outer::Inner::Inner | true | 537 | 481 | |
| Outer::Inner::Inner | true | 539 | 537 | |
| Outer::Inner::operator= | false | 508 | 508 | operator= |
| Outer::Inner::~Inner | false | 504 | 504 | ~Inner |
| Outer::Inner::~Inner | false | 526 | 526 | return ... |
| Outer::Inner::~Inner | false | 528 | 528 | { ... } |
| Outer::Inner::~Inner | true | 526 | 504 | |
| Outer::Inner::~Inner | true | 528 | 526 | |
| Outer::f2 | false | 444 | 444 | f2 |
| Outer::f2 | false | 453 | 453 | declaration |
| Outer::f2 | false | 458 | 458 | call to getClass2 |
| Outer::f2 | false | 460 | 460 | initializer for c |
| Outer::f2 | false | 464 | 464 | if (...) ... |
| Outer::f2 | false | 466 | 466 | i |
| Outer::f2 | false | 468 | 468 | (bool)... |
| Outer::f2 | false | 469 | 469 | return ... |
| Outer::f2 | false | 471 | 471 | { ... } |
| Outer::f2 | false | 473 | 473 | declaration |
| Outer::f2 | false | 476 | 476 | call to Inner |
| Outer::f2 | false | 482 | 482 | c |
| Outer::f2 | false | 485 | 485 | (const Class2)... |
| Outer::f2 | false | 488 | 488 | (reference to) |
| Outer::f2 | false | 489 | 489 | initializer for inner |
| Outer::f2 | false | 492 | 492 | return ... |
| Outer::f2 | false | 494 | 494 | { ... } |
| Outer::f2 | false | 496 | 496 | c |
| Outer::f2 | false | 498 | 498 | call to c.~Class2 |
| Outer::f2 | false | 500 | 500 | c |
| Outer::f2 | false | 501 | 501 | call to c.~Class2 |
| Outer::f2 | false | 502 | 502 | inner |
| Outer::f2 | false | 503 | 503 | call to inner.~Inner |
| Outer::f2 | true | 453 | 460 | |
| Outer::f2 | true | 458 | 464 | |
| Outer::f2 | true | 460 | 458 | |
| Outer::f2 | true | 464 | 466 | |
| Outer::f2 | true | 466 | 439 | |
| Outer::f2 | true | 468 | 469 | |
| Outer::f2 | true | 469 | 464 | |
| Outer::f2 | true | 474 | 456 | |
| Outer::f2 | true | 476 | 474 | |
| Outer::f2 | true | 481 | 460 | |
| Outer::f2 | true | 490 | 481 | |
| Outer::f2 | true | 494 | 490 | |
| Outer::operator= | false | 424 | 424 | operator= |
| Outer::operator= | false | 435 | 435 | operator= |
| __va_list_tag::operator= | false | 93 | 93 | operator= |
| __va_list_tag::operator= | false | 100 | 100 | operator= |
| f | false | 181 | 181 | f |
| f | false | 192 | 192 | declaration |
| f | false | 195 | 195 | call to C |
| f | false | 200 | 200 | 120 |
| f | false | 201 | 201 | initializer for c20 |
| f | false | 205 | 205 | call to C |
| f | false | 209 | 209 | 121 |
| f | false | 210 | 210 | initializer for c21 |
| f | false | 213 | 213 | declaration |
| f | false | 216 | 216 | call to C |
| f | false | 220 | 220 | 130 |
| f | false | 221 | 221 | initializer for c30 |
| f | false | 224 | 224 | declaration |
| f | false | 226 | 226 | { ... } |
| f | false | 229 | 229 | call to C |
| f | false | 233 | 233 | 131 |
| f | false | 234 | 234 | initializer for c31 |
| f | false | 238 | 238 | call to C |
| f | false | 242 | 242 | 132 |
| f | false | 243 | 243 | initializer for c32 |
| f | false | 247 | 247 | call to C |
| f | false | 251 | 251 | 133 |
| f | false | 252 | 252 | initializer for c33 |
| f | false | 255 | 255 | declaration |
| f | false | 257 | 257 | b1 |
| f | false | 259 | 259 | (bool)... |
| f | false | 260 | 260 | goto ... |
| f | false | 262 | 262 | if (...) ... |
| f | false | 264 | 264 | declaration |
| f | false | 266 | 266 | b2 |
| f | false | 268 | 268 | (bool)... |
| f | false | 269 | 269 | return ... |
| f | false | 271 | 271 | if (...) ... |
| f | false | 273 | 273 | declaration |
| f | false | 275 | 275 | { ... } |
| f | false | 278 | 278 | call to C |
| f | false | 282 | 282 | 134 |
| f | false | 283 | 283 | initializer for c34 |
| f | false | 286 | 286 | declaration |
| f | false | 288 | 288 | { ... } |
| f | false | 290 | 290 | declaration |
| f | false | 292 | 292 | { ... } |
| f | false | 295 | 295 | call to C |
| f | false | 299 | 299 | 122 |
| f | false | 300 | 300 | initializer for c22 |
| f | false | 303 | 303 | declaration |
| f | false | 305 | 305 | { ... } |
| f | false | 308 | 308 | call to C |
| f | false | 312 | 312 | 123 |
| f | false | 313 | 313 | initializer for c23 |
| f | false | 316 | 316 | label ...: |
| f | false | 318 | 318 | declaration |
| f | false | 320 | 320 | { ... } |
| f | false | 322 | 322 | declaration |
| f | false | 324 | 324 | return ... |
| f | false | 326 | 326 | { ... } |
| f | false | 328 | 328 | c10 |
| f | false | 330 | 330 | call to c10.~C |
| f | false | 332 | 332 | c11 |
| f | false | 333 | 333 | call to c11.~C |
| f | false | 334 | 334 | c23 |
| f | false | 336 | 336 | call to c23.~C |
| f | false | 337 | 337 | c22 |
| f | false | 339 | 339 | call to c22.~C |
| f | false | 340 | 340 | c20 |
| f | false | 342 | 342 | call to c20.~C |
| f | false | 343 | 343 | c21 |
| f | false | 344 | 344 | call to c21.~C |
| f | false | 345 | 345 | c34 |
| f | false | 347 | 347 | call to c34.~C |
| Outer::f2 | true | 466 | 471 | T |
| Outer::f2 | true | 466 | 473 | F |
| Outer::f2 | true | 469 | 496 | |
| Outer::f2 | true | 471 | 469 | |
| Outer::f2 | true | 473 | 489 | |
| Outer::f2 | true | 476 | 492 | |
| Outer::f2 | true | 482 | 476 | |
| Outer::f2 | true | 489 | 482 | |
| Outer::f2 | true | 492 | 502 | |
| Outer::f2 | true | 494 | 453 | |
| Outer::f2 | true | 496 | 498 | |
| Outer::f2 | true | 498 | 444 | |
| Outer::f2 | true | 500 | 501 | |
| Outer::f2 | true | 501 | 444 | |
| Outer::f2 | true | 502 | 503 | |
| Outer::f2 | true | 503 | 500 | |
| Outer::operator= | false | 428 | 428 | operator= |
| Outer::operator= | false | 438 | 438 | operator= |
| __va_list_tag::operator= | false | 66 | 66 | operator= |
| __va_list_tag::operator= | false | 72 | 72 | operator= |
| f | false | 165 | 165 | f |
| f | false | 176 | 176 | declaration |
| f | false | 179 | 179 | call to C |
| f | false | 184 | 184 | 110 |
| f | false | 185 | 185 | initializer for c10 |
| f | false | 189 | 189 | call to C |
| f | false | 193 | 193 | 120 |
| f | false | 194 | 194 | initializer for c20 |
| f | false | 198 | 198 | call to C |
| f | false | 202 | 202 | 121 |
| f | false | 203 | 203 | initializer for c21 |
| f | false | 206 | 206 | declaration |
| f | false | 209 | 209 | call to C |
| f | false | 213 | 213 | 130 |
| f | false | 214 | 214 | initializer for c30 |
| f | false | 217 | 217 | declaration |
| f | false | 219 | 219 | { ... } |
| f | false | 222 | 222 | call to C |
| f | false | 226 | 226 | 131 |
| f | false | 227 | 227 | initializer for c31 |
| f | false | 231 | 231 | call to C |
| f | false | 235 | 235 | 132 |
| f | false | 236 | 236 | initializer for c32 |
| f | false | 240 | 240 | call to C |
| f | false | 244 | 244 | 133 |
| f | false | 245 | 245 | initializer for c33 |
| f | false | 248 | 248 | declaration |
| f | false | 250 | 250 | if (...) ... |
| f | false | 252 | 252 | b1 |
| f | false | 254 | 254 | (bool)... |
| f | false | 255 | 255 | goto ... |
| f | false | 257 | 257 | declaration |
| f | false | 259 | 259 | if (...) ... |
| f | false | 261 | 261 | b2 |
| f | false | 263 | 263 | (bool)... |
| f | false | 264 | 264 | return ... |
| f | false | 266 | 266 | declaration |
| f | false | 268 | 268 | { ... } |
| f | false | 271 | 271 | call to C |
| f | false | 275 | 275 | 134 |
| f | false | 276 | 276 | initializer for c34 |
| f | false | 279 | 279 | declaration |
| f | false | 281 | 281 | { ... } |
| f | false | 283 | 283 | declaration |
| f | false | 285 | 285 | { ... } |
| f | false | 288 | 288 | call to C |
| f | false | 292 | 292 | 122 |
| f | false | 293 | 293 | initializer for c22 |
| f | false | 296 | 296 | declaration |
| f | false | 298 | 298 | { ... } |
| f | false | 301 | 301 | call to C |
| f | false | 305 | 305 | 123 |
| f | false | 306 | 306 | initializer for c23 |
| f | false | 309 | 309 | label ...: |
| f | false | 311 | 311 | declaration |
| f | false | 313 | 313 | { ... } |
| f | false | 315 | 315 | declaration |
| f | false | 318 | 318 | call to C |
| f | false | 322 | 322 | 111 |
| f | false | 323 | 323 | initializer for c11 |
| f | false | 326 | 326 | return ... |
| f | false | 328 | 328 | { ... } |
| f | false | 330 | 330 | c20 |
| f | false | 332 | 332 | call to c20.~C |
| f | false | 334 | 334 | c21 |
| f | false | 335 | 335 | call to c21.~C |
| f | false | 336 | 336 | c30 |
| f | false | 338 | 338 | call to c30.~C |
| f | false | 339 | 339 | c31 |
| f | false | 341 | 341 | call to c31.~C |
| f | false | 342 | 342 | c32 |
| f | false | 343 | 343 | call to c32.~C |
| f | false | 344 | 344 | c33 |
| f | false | 345 | 345 | call to c33.~C |
| f | false | 346 | 346 | c20 |
| f | false | 347 | 347 | call to c20.~C |
| f | false | 348 | 348 | c31 |
| f | false | 350 | 350 | call to c31.~C |
| f | false | 351 | 351 | c32 |
| f | false | 352 | 352 | call to c32.~C |
| f | false | 353 | 353 | c33 |
| f | false | 354 | 354 | call to c33.~C |
| f | false | 355 | 355 | c20 |
| f | false | 356 | 356 | call to c20.~C |
| f | false | 357 | 357 | c31 |
| f | false | 358 | 358 | call to c31.~C |
| f | false | 359 | 359 | c32 |
| f | false | 360 | 360 | call to c32.~C |
| f | false | 361 | 361 | c20 |
| f | false | 362 | 362 | call to c20.~C |
| f | false | 363 | 363 | c31 |
| f | false | 364 | 364 | call to c31.~C |
| f | false | 365 | 365 | c30 |
| f | false | 367 | 367 | call to c30.~C |
| f | false | 369 | 369 | call to C |
| f | false | 373 | 373 | 110 |
| f | false | 374 | 374 | initializer for c10 |
| f | false | 378 | 378 | call to C |
| f | false | 382 | 382 | 111 |
| f | false | 383 | 383 | initializer for c11 |
| f | true | 192 | 374 | |
| f | true | 195 | 226 | |
| f | true | 200 | 195 | |
| f | true | 201 | 200 | |
| f | true | 205 | 343 | |
| f | true | 209 | 205 | |
| f | true | 210 | 209 | |
| f | true | 213 | 201 | |
| f | true | 216 | 365 | |
| f | true | 220 | 216 | |
| f | true | 221 | 220 | |
| f | true | 224 | 221 | |
| f | true | 226 | 224 | |
| f | true | 229 | 262 | |
| f | true | 233 | 229 | |
| f | true | 234 | 233 | |
| f | true | 238 | 271 | |
| f | true | 242 | 238 | |
| f | true | 243 | 242 | |
| f | true | 247 | 353 | |
| f | true | 251 | 247 | |
| f | true | 252 | 251 | |
| f | true | 255 | 234 | |
| f | true | 257 | 260 | T |
| f | true | 257 | 264 | F |
| f | true | 260 | 363 | |
| f | true | 262 | 257 | |
| f | true | 264 | 243 | |
| f | true | 266 | 269 | T |
| f | true | 266 | 273 | F |
| f | true | 269 | 359 | |
| f | true | 271 | 266 | |
| f | true | 273 | 252 | |
| f | true | 275 | 255 | |
| f | true | 278 | 345 | |
| f | true | 282 | 278 | |
| f | true | 283 | 282 | |
| f | true | 286 | 283 | |
| f | true | 288 | 286 | |
| f | true | 290 | 210 | |
| f | true | 292 | 213 | |
| f | true | 295 | 337 | |
| f | true | 299 | 295 | |
| f | true | 300 | 299 | |
| f | true | 303 | 300 | |
| f | true | 305 | 303 | |
| f | true | 308 | 334 | |
| f | true | 312 | 308 | |
| f | true | 313 | 312 | |
| f | true | 316 | 318 | |
| f | true | 318 | 313 | |
| f | true | 320 | 316 | |
| f | true | 322 | 383 | |
| f | true | 324 | 332 | |
| f | true | 326 | 192 | |
| f | true | 328 | 330 | |
| f | true | 330 | 181 | |
| f | true | 332 | 333 | |
| f | true | 333 | 328 | |
| f | true | 334 | 336 | |
| f | true | 336 | 322 | |
| f | true | 337 | 339 | |
| f | true | 339 | 320 | |
| f | true | 340 | 342 | |
| f | true | 342 | 305 | |
| f | true | 343 | 344 | |
| f | true | 344 | 340 | |
| f | true | 345 | 347 | |
| f | true | 347 | 290 | |
| f | true | 348 | 350 | |
| f | true | 350 | 288 | |
| f | true | 351 | 352 | |
| f | true | 352 | 348 | |
| f | false | 349 | 349 | call to c31.~C |
| f | false | 350 | 350 | c10 |
| f | false | 352 | 352 | call to c10.~C |
| f | false | 353 | 353 | c20 |
| f | false | 354 | 354 | call to c20.~C |
| f | false | 355 | 355 | c31 |
| f | false | 356 | 356 | call to c31.~C |
| f | false | 357 | 357 | c32 |
| f | false | 358 | 358 | call to c32.~C |
| f | false | 359 | 359 | c34 |
| f | false | 361 | 361 | call to c34.~C |
| f | false | 362 | 362 | c22 |
| f | false | 364 | 364 | call to c22.~C |
| f | false | 365 | 365 | c23 |
| f | false | 367 | 367 | call to c23.~C |
| f | false | 368 | 368 | c10 |
| f | false | 369 | 369 | call to c10.~C |
| f | false | 370 | 370 | c11 |
| f | false | 371 | 371 | call to c11.~C |
| f | true | 176 | 185 | |
| f | true | 179 | 285 | |
| f | true | 184 | 179 | |
| f | true | 185 | 184 | |
| f | true | 189 | 219 | |
| f | true | 193 | 189 | |
| f | true | 194 | 193 | |
| f | true | 198 | 334 | |
| f | true | 202 | 198 | |
| f | true | 203 | 202 | |
| f | true | 206 | 194 | |
| f | true | 209 | 336 | |
| f | true | 213 | 209 | |
| f | true | 214 | 213 | |
| f | true | 217 | 214 | |
| f | true | 219 | 217 | |
| f | true | 222 | 250 | |
| f | true | 226 | 222 | |
| f | true | 227 | 226 | |
| f | true | 231 | 259 | |
| f | true | 235 | 231 | |
| f | true | 236 | 235 | |
| f | true | 240 | 344 | |
| f | true | 244 | 240 | |
| f | true | 245 | 244 | |
| f | true | 248 | 227 | |
| f | true | 250 | 252 | |
| f | true | 252 | 255 | T |
| f | true | 252 | 257 | F |
| f | true | 255 | 348 | |
| f | true | 257 | 236 | |
| f | true | 259 | 261 | |
| f | true | 261 | 264 | T |
| f | true | 261 | 266 | F |
| f | true | 264 | 357 | |
| f | true | 266 | 245 | |
| f | true | 268 | 248 | |
| f | true | 271 | 359 | |
| f | true | 275 | 271 | |
| f | true | 276 | 275 | |
| f | true | 279 | 276 | |
| f | true | 281 | 279 | |
| f | true | 283 | 203 | |
| f | true | 285 | 206 | |
| f | true | 288 | 362 | |
| f | true | 292 | 288 | |
| f | true | 293 | 292 | |
| f | true | 296 | 293 | |
| f | true | 298 | 296 | |
| f | true | 301 | 365 | |
| f | true | 305 | 301 | |
| f | true | 306 | 305 | |
| f | true | 309 | 311 | |
| f | true | 311 | 306 | |
| f | true | 313 | 309 | |
| f | true | 315 | 323 | |
| f | true | 318 | 326 | |
| f | true | 322 | 318 | |
| f | true | 323 | 322 | |
| f | true | 326 | 370 | |
| f | true | 328 | 176 | |
| f | true | 330 | 332 | |
| f | true | 332 | 298 | |
| f | true | 334 | 335 | |
| f | true | 335 | 330 | |
| f | true | 336 | 338 | |
| f | true | 338 | 268 | |
| f | true | 339 | 341 | |
| f | true | 341 | 281 | |
| f | true | 342 | 343 | |
| f | true | 343 | 339 | |
| f | true | 344 | 345 | |
| f | true | 345 | 342 | |
| f | true | 346 | 347 | |
| f | true | 347 | 309 | |
| f | true | 348 | 349 | |
| f | true | 349 | 346 | |
| f | true | 350 | 352 | |
| f | true | 352 | 165 | |
| f | true | 353 | 354 | |
| f | true | 354 | 351 | |
| f | true | 354 | 350 | |
| f | true | 355 | 356 | |
| f | true | 356 | 328 | |
| f | true | 356 | 353 | |
| f | true | 357 | 358 | |
| f | true | 358 | 355 | |
| f | true | 359 | 360 | |
| f | true | 360 | 357 | |
| f | true | 361 | 362 | |
| f | true | 362 | 316 | |
| f | true | 363 | 364 | |
| f | true | 364 | 361 | |
| f | true | 359 | 361 | |
| f | true | 361 | 283 | |
| f | true | 362 | 364 | |
| f | true | 364 | 313 | |
| f | true | 365 | 367 | |
| f | true | 367 | 275 | |
| f | true | 369 | 292 | |
| f | true | 373 | 369 | |
| f | true | 374 | 373 | |
| f | true | 378 | 324 | |
| f | true | 382 | 378 | |
| f | true | 383 | 382 | |
| getClass2 | false | 420 | 420 | getClass2 |
| f | true | 367 | 315 | |
| f | true | 368 | 369 | |
| f | true | 369 | 165 | |
| f | true | 370 | 371 | |
| f | true | 371 | 368 | |
| getClass2 | false | 425 | 425 | getClass2 |
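Review bot: the `Outer::f2` rows change shape, not just node ids, and nothing in this hunk says why. The rows show one `call to c.~Class2` (466, flowing to 439) alongside two such nodes (498 and 501, both flowing to 444). With roughly 250 rows renumbered at the same time, the structural change is easy to miss. Suggest stating in the accompanying change note or test comment whether destructor calls are now emitted once per exit path, so that this difference can be told apart from id churn.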

View File

@@ -1,14 +1,14 @@
| destructors2.cpp:5:7:5:7 | Class2 | 5 | return ... | 3 | 5 | Class2 |
| destructors2.cpp:17:9:17:13 | Inner | 17 | return ... | 3 | 17 | Inner |
| destructors2.cpp:18:9:18:14 | ~Inner | 18 | return ... | 3 | 18 | ~Inner |
| destructors2.cpp:21:10:21:11 | f2 | 24 | return ... | 16 | 27 | c |
| destructors2.cpp:21:10:21:11 | f2 | 24 | return ... | 17 | 27 | call to ~Class2 |
| destructors2.cpp:21:10:21:11 | f2 | 24 | return ... | 18 | 21 | f2 |
| destructors2.cpp:21:10:21:11 | f2 | 24 | return ... | 9 | 27 | c |
| destructors2.cpp:21:10:21:11 | f2 | 24 | return ... | 10 | 27 | call to ~Class2 |
| destructors2.cpp:21:10:21:11 | f2 | 24 | return ... | 20 | 21 | f2 |
| destructors2.cpp:21:10:21:11 | f2 | 27 | return ... | 12 | 27 | inner |
| destructors2.cpp:21:10:21:11 | f2 | 27 | return ... | 13 | 27 | call to ~Inner |
| destructors2.cpp:21:10:21:11 | f2 | 27 | return ... | 16 | 27 | c |
| destructors2.cpp:21:10:21:11 | f2 | 27 | return ... | 17 | 27 | call to ~Class2 |
| destructors2.cpp:21:10:21:11 | f2 | 27 | return ... | 18 | 21 | f2 |
| destructors2.cpp:21:10:21:11 | f2 | 27 | return ... | 14 | 27 | c |
| destructors2.cpp:21:10:21:11 | f2 | 27 | return ... | 15 | 27 | call to ~Class2 |
| destructors2.cpp:21:10:21:11 | f2 | 27 | return ... | 20 | 21 | f2 |
| destructors.cpp:8:6:8:6 | f | 17 | goto ... | 26 | 21 | c31 |
| destructors.cpp:8:6:8:6 | f | 17 | goto ... | 27 | 21 | call to ~C |
| destructors.cpp:8:6:8:6 | f | 17 | goto ... | 28 | 26 | c20 |
@@ -19,11 +19,11 @@
| destructors.cpp:8:6:8:6 | f | 19 | return ... | 35 | 21 | call to ~C |
| destructors.cpp:8:6:8:6 | f | 19 | return ... | 36 | 26 | c20 |
| destructors.cpp:8:6:8:6 | f | 19 | return ... | 37 | 26 | call to ~C |
| destructors.cpp:8:6:8:6 | f | 19 | return ... | 90 | 35 | c10 |
| destructors.cpp:8:6:8:6 | f | 19 | return ... | 91 | 35 | call to ~C |
| destructors.cpp:8:6:8:6 | f | 19 | return ... | 92 | 8 | f |
| destructors.cpp:8:6:8:6 | f | 19 | return ... | 38 | 35 | c10 |
| destructors.cpp:8:6:8:6 | f | 19 | return ... | 39 | 35 | call to ~C |
| destructors.cpp:8:6:8:6 | f | 19 | return ... | 94 | 8 | f |
| destructors.cpp:8:6:8:6 | f | 35 | return ... | 81 | 35 | c11 |
| destructors.cpp:8:6:8:6 | f | 35 | return ... | 82 | 35 | call to ~C |
| destructors.cpp:8:6:8:6 | f | 35 | return ... | 90 | 35 | c10 |
| destructors.cpp:8:6:8:6 | f | 35 | return ... | 91 | 35 | call to ~C |
| destructors.cpp:8:6:8:6 | f | 35 | return ... | 92 | 8 | f |
| destructors.cpp:8:6:8:6 | f | 35 | return ... | 83 | 35 | c10 |
| destructors.cpp:8:6:8:6 | f | 35 | return ... | 84 | 35 | call to ~C |
| destructors.cpp:8:6:8:6 | f | 35 | return ... | 94 | 8 | f |

View File

@@ -1,3 +1,7 @@
## 1.7.6
No user-facing changes.
## 1.7.5
No user-facing changes.

View File

@@ -0,0 +1,3 @@
## 1.7.6
No user-facing changes.

View File

@@ -1,2 +1,2 @@
---
lastReleaseVersion: 1.7.5
lastReleaseVersion: 1.7.6

View File

@@ -1,5 +1,5 @@
name: codeql/csharp-solorigate-all
version: 1.7.6-dev
version: 1.7.7-dev
groups:
- csharp
- solorigate

View File

@@ -1,3 +1,7 @@
## 1.7.6
No user-facing changes.
## 1.7.5
No user-facing changes.

View File

@@ -0,0 +1,3 @@
## 1.7.6
No user-facing changes.

View File

@@ -1,2 +1,2 @@
---
lastReleaseVersion: 1.7.5
lastReleaseVersion: 1.7.6

View File

@@ -1,5 +1,5 @@
name: codeql/csharp-solorigate-queries
version: 1.7.6-dev
version: 1.7.7-dev
groups:
- csharp
- solorigate

View File

@@ -1,3 +1,11 @@
## 0.8.6
### Minor Analysis Improvements
* The `Call::getArgumentForParameter` predicate has been reworked to add support for arguments passed to `params` parameters.
* The dataflow models for the `System.Text.StringBuilder` class have been reworked. New summaries have been added for `Append` and `AppendLine`. With the changes, we expect queries that use taint tracking to find more results when interpolated strings or `StringBuilder` instances are passed to `Append` or `AppendLine`.
* Additional support for `Amazon.Lambda` SDK
## 0.8.5
No user-facing changes.
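Review bot: the last 0.8.6 bullet, `* Additional support for `Amazon.Lambda` SDK`, does not say what was added. The two bullets above it name the predicate or models affected and what users should expect in results. Suggest stating which kind of models were added for `Amazon.Lambda` (sources, sinks or summaries) and ending the sentence with a period, in the originating change note so the generated changelog picks it up.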

View File

@@ -1,4 +0,0 @@
---
category: minorAnalysis
---
* Additional support for `Amazon.Lambda` SDK

View File

@@ -1,5 +0,0 @@
---
category: minorAnalysis
---
* The `Call::getArgumentForParameter` predicate has been reworked to add support for arguments passed to `params` parameters.

View File

@@ -1,5 +1,7 @@
---
category: minorAnalysis
---
## 0.8.6
* The dataflow models for the `System.Text.StringBuilder` class have been reworked. New summaries have been added for `Append` and `AppendLine`. With the changes, we expect queries that use taint tracking to find more results when interpolated strings or `StringBuilder` instances are passed to `Append` or `AppendLine`.
### Minor Analysis Improvements
* The `Call::getArgumentForParameter` predicate has been reworked to add support for arguments passed to `params` parameters.
* The dataflow models for the `System.Text.StringBuilder` class have been reworked. New summaries have been added for `Append` and `AppendLine`. With the changes, we expect queries that use taint tracking to find more results when interpolated strings or `StringBuilder` instances are passed to `Append` or `AppendLine`.
* Additional support for `Amazon.Lambda` SDK

View File

@@ -1,2 +1,2 @@
---
lastReleaseVersion: 0.8.5
lastReleaseVersion: 0.8.6

View File

@@ -1,5 +1,5 @@
name: codeql/csharp-all
version: 0.8.6-dev
version: 0.8.7-dev
groups: csharp
dbscheme: semmlecode.csharp.dbscheme
extractor: csharp

View File

@@ -1,3 +1,10 @@
## 0.8.6
### Minor Analysis Improvements
* Fixed a Log forging false positive when using `String.Replace` to sanitize the input.
* Fixed a URL redirection from remote source false positive when guarding a redirect with `HttpRequestBase.IsUrlLocalToHost()`
## 0.8.5
No user-facing changes.
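Review bot: the bullet `Fixed a Log forging false positive when using `String.Replace` to sanitize the input.` does not say which `String.Replace` calls are now treated as sanitizing. Users who rely on this to suppress alerts need to know the condition, for example which characters must be replaced. Suggest adding that to the entry. The `HttpRequestBase.IsUrlLocalToHost()` bullet is also missing its trailing period.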

View File

@@ -1,4 +0,0 @@
---
category: minorAnalysis
---
* Fixed a URL redirection from remote source false positive when guarding a redirect with `HttpRequestBase.IsUrlLocalToHost()`

View File

@@ -1,4 +0,0 @@
---
category: minorAnalysis
---
* Fixed a Log forging false positive when using `String.Replace` to sanitize the input.

View File

@@ -0,0 +1,6 @@
## 0.8.6
### Minor Analysis Improvements
* Fixed a Log forging false positive when using `String.Replace` to sanitize the input.
* Fixed a URL redirection from remote source false positive when guarding a redirect with `HttpRequestBase.IsUrlLocalToHost()`

View File

@@ -1,2 +1,2 @@
---
lastReleaseVersion: 0.8.5
lastReleaseVersion: 0.8.6

View File

@@ -1,5 +1,5 @@
name: codeql/csharp-queries
version: 0.8.6-dev
version: 0.8.7-dev
groups:
- csharp
- queries

View File

@@ -30,6 +30,7 @@ If you opt in, GitHub collects the following information related to the usage of
- Randomly generated GUID that uniquely identifies a CodeQL extension installation. (Discarded before aggregation.)
- IP address of the client sending the telemetry data. (Discarded before aggregation.)
- Whether or not the ``codeQL.canary`` setting is enabled and set to ``true``.
- Whether any :doc:`CodeQL extension settings <customizing-settings>` are configured.
How long data is retained
--------------------------
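Review bot: the bullet `Whether any :doc:`CodeQL extension settings <customizing-settings>` are configured.` leaves open whether a single yes/no value is reported or also which settings are set. The GUID and IP address bullets above spell out their handling ("Discarded before aggregation"). Suggest making this one equally explicit, for example by stating that only a boolean is collected and no setting names or values, if that is the behaviour.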

View File

@@ -1,3 +1,7 @@
## 0.0.5
No user-facing changes.
## 0.0.4
No user-facing changes.

View File

@@ -0,0 +1,3 @@
## 0.0.5
No user-facing changes.

View File

@@ -1,2 +1,2 @@
---
lastReleaseVersion: 0.0.4
lastReleaseVersion: 0.0.5

View File

@@ -1,5 +1,5 @@
name: codeql-go-consistency-queries
version: 0.0.5-dev
version: 0.0.6-dev
groups:
- go
- queries

View File

@@ -1,3 +1,11 @@
## 0.7.6
### Minor Analysis Improvements
* The diagnostic query `go/diagnostics/successfully-extracted-files`, and therefore the Code Scanning UI measure of scanned Go files, now considers any Go file seen during extraction, even one with some errors, to be extracted / scanned.
* The XPath library, which is used for the XPath injection query (`go/xml/xpath-injection`), now includes support for `Parser` sinks from the [libxml2](https://github.com/lestrrat-go/libxml2) package.
* `CallNode::getACallee` and related predicates now recognise more callees accessed via a function variable, in particular when the callee is stored into a global variable or is captured by an anonymous function. This may lead to new alerts where data-flow into such a callee is relevant.
## 0.7.5
No user-facing changes.

View File

@@ -1,4 +0,0 @@
---
category: minorAnalysis
---
* `CallNode::getACallee` and related predicates now recognise more callees accessed via a function variable, in particular when the callee is stored into a global variable or is captured by an anonymous function. This may lead to new alerts where data-flow into such a callee is relevant.

View File

@@ -1,4 +0,0 @@
---
category: minorAnalysis
---
* The XPath library, which is used for the XPath injection query (`go/xml/xpath-injection`), now includes support for `Parser` sinks from the [libxml2](https://github.com/lestrrat-go/libxml2) package.

View File

@@ -1,4 +0,0 @@
---
category: minorAnalysis
---
* The diagnostic query `go/diagnostics/successfully-extracted-files`, and therefore the Code Scanning UI measure of scanned Go files, now considers any Go file seen during extraction, even one with some errors, to be extracted / scanned.

View File

@@ -0,0 +1,7 @@
## 0.7.6
### Minor Analysis Improvements
* The diagnostic query `go/diagnostics/successfully-extracted-files`, and therefore the Code Scanning UI measure of scanned Go files, now considers any Go file seen during extraction, even one with some errors, to be extracted / scanned.
* The XPath library, which is used for the XPath injection query (`go/xml/xpath-injection`), now includes support for `Parser` sinks from the [libxml2](https://github.com/lestrrat-go/libxml2) package.
* `CallNode::getACallee` and related predicates now recognise more callees accessed via a function variable, in particular when the callee is stored into a global variable or is captured by an anonymous function. This may lead to new alerts where data-flow into such a callee is relevant.
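
Review bot: The `CallNode::getACallee` bullet warns that the change "may lead to new alerts" but names no affected query, so someone upgrading to 0.7.6 cannot tell whether a rise in results is expected or a regression. Suggest listing the queries whose results are known to change, or adding a short description of the code shape to look for when triaging (a callee stored into a global variable, or captured by an anonymous function, and then called through that variable). The libxml2 bullet has a similar gap: it says `Parser` sinks are supported without saying which calls on `Parser` are treated as sinks.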

View File

@@ -1,2 +1,2 @@
---
lastReleaseVersion: 0.7.5
lastReleaseVersion: 0.7.6

View File

@@ -1,5 +1,5 @@
name: codeql/go-all
version: 0.7.6-dev
version: 0.7.7-dev
groups: go
dbscheme: go.dbscheme
extractor: go

View File

@@ -1,3 +1,9 @@
## 0.7.6
### Minor Analysis Improvements
* There was a bug in the query `go/incorrect-integer-conversion` which meant that upper bound checks using a strict inequality (`<`) and comparing against `math.MaxInt` or `math.MaxUint` were not considered correctly, which led to false positives. This has now been fixed.
## 0.7.5
No user-facing changes.
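
Review bot: The `go/incorrect-integer-conversion` bullet describes a bug fix ("There was a bug ... This has now been fixed") yet is filed under Minor Analysis Improvements, and "were not considered correctly" does not say what the query did with those checks. Suggest stating the outcome directly, for example that upper bound checks written with a strict inequality (`<`) against `math.MaxInt` or `math.MaxUint` are now recognised and no longer produce false positives, and consider whether a bug-fix heading is the better place for it.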

View File

@@ -1,4 +1,5 @@
---
category: minorAnalysis
---
## 0.7.6
### Minor Analysis Improvements
* There was a bug in the query `go/incorrect-integer-conversion` which meant that upper bound checks using a strict inequality (`<`) and comparing against `math.MaxInt` or `math.MaxUint` were not considered correctly, which led to false positives. This has now been fixed.

View File

@@ -1,2 +1,2 @@
---
lastReleaseVersion: 0.7.5
lastReleaseVersion: 0.7.6

View File

@@ -1,5 +1,5 @@
name: codeql/go-queries
version: 0.7.6-dev
version: 0.7.7-dev
groups:
- go
- queries

View File

@@ -1,303 +1,3 @@
| file://:0:0:0:0 | [summary param] 0 in Append | file://:0:0:0:0 | [summary] to write: ReturnValue in Append |
| file://:0:0:0:0 | [summary param] 0 in AppendQuote | file://:0:0:0:0 | [summary] to write: ReturnValue in AppendQuote |
| file://:0:0:0:0 | [summary param] 0 in AppendQuoteToASCII | file://:0:0:0:0 | [summary] to write: ReturnValue in AppendQuoteToASCII |
| file://:0:0:0:0 | [summary param] 0 in AppendQuoteToGraphic | file://:0:0:0:0 | [summary] to write: ReturnValue in AppendQuoteToGraphic |
| file://:0:0:0:0 | [summary param] 0 in AppendSlice | file://:0:0:0:0 | [summary] to write: ReturnValue in AppendSlice |
| file://:0:0:0:0 | [summary param] 0 in Appendf | file://:0:0:0:0 | [summary] to write: ReturnValue in Appendf |
| file://:0:0:0:0 | [summary param] 0 in Appendln | file://:0:0:0:0 | [summary] to write: ReturnValue in Appendln |
| file://:0:0:0:0 | [summary param] 0 in As | file://:0:0:0:0 | [summary] to write: Argument[1] in As |
| file://:0:0:0:0 | [summary param] 0 in Base | file://:0:0:0:0 | [summary] to write: ReturnValue in Base |
| file://:0:0:0:0 | [summary param] 0 in BytePtrFromString | file://:0:0:0:0 | [summary] to write: ReturnValue in BytePtrFromString |
| file://:0:0:0:0 | [summary param] 0 in ByteSliceFromString | file://:0:0:0:0 | [summary] to write: ReturnValue in ByteSliceFromString |
| file://:0:0:0:0 | [summary param] 0 in Clean | file://:0:0:0:0 | [summary] to write: ReturnValue in Clean |
| file://:0:0:0:0 | [summary param] 0 in Dir | file://:0:0:0:0 | [summary] to write: ReturnValue in Dir |
| file://:0:0:0:0 | [summary param] 0 in Expand | file://:0:0:0:0 | [summary] to write: ReturnValue in Expand |
| file://:0:0:0:0 | [summary param] 0 in ExpandEnv | file://:0:0:0:0 | [summary] to write: ReturnValue in ExpandEnv |
| file://:0:0:0:0 | [summary param] 0 in Ext | file://:0:0:0:0 | [summary] to write: ReturnValue in Ext |
| file://:0:0:0:0 | [summary param] 0 in Fields | file://:0:0:0:0 | [summary] to write: ReturnValue in Fields |
| file://:0:0:0:0 | [summary param] 0 in FieldsFunc | file://:0:0:0:0 | [summary] to write: ReturnValue in FieldsFunc |
| file://:0:0:0:0 | [summary param] 0 in FileInfoToDirEntry | file://:0:0:0:0 | [summary] to write: ReturnValue in FileInfoToDirEntry |
| file://:0:0:0:0 | [summary param] 0 in Glob | file://:0:0:0:0 | [summary] to write: ReturnValue in Glob |
| file://:0:0:0:0 | [summary param] 0 in Indirect | file://:0:0:0:0 | [summary] to write: ReturnValue in Indirect |
| file://:0:0:0:0 | [summary param] 0 in Join | file://:0:0:0:0 | [summary] to write: ReturnValue in Join |
| file://:0:0:0:0 | [summary param] 0 in LimitReader | file://:0:0:0:0 | [summary] to write: ReturnValue in LimitReader |
| file://:0:0:0:0 | [summary param] 0 in LoadOrStore | file://:0:0:0:0 | [summary] to write: Argument[-1] in LoadOrStore |
| file://:0:0:0:0 | [summary param] 0 in LoadOrStore | file://:0:0:0:0 | [summary] to write: ReturnValue in LoadOrStore |
| file://:0:0:0:0 | [summary param] 0 in LoadPointer | file://:0:0:0:0 | [summary] to write: ReturnValue in LoadPointer |
| file://:0:0:0:0 | [summary param] 0 in LoadUintptr | file://:0:0:0:0 | [summary] to write: ReturnValue in LoadUintptr |
| file://:0:0:0:0 | [summary param] 0 in New | file://:0:0:0:0 | [summary] to write: ReturnValue in New |
| file://:0:0:0:0 | [summary param] 0 in NewFile | file://:0:0:0:0 | [summary] to write: ReturnValue in NewFile |
| file://:0:0:0:0 | [summary param] 0 in NewReader | file://:0:0:0:0 | [summary] to write: ReturnValue in NewReader |
| file://:0:0:0:0 | [summary param] 0 in NewSectionReader | file://:0:0:0:0 | [summary] to write: ReturnValue in NewSectionReader |
| file://:0:0:0:0 | [summary param] 0 in NopCloser | file://:0:0:0:0 | [summary] to write: ReturnValue in NopCloser |
| file://:0:0:0:0 | [summary param] 0 in Parse | file://:0:0:0:0 | [summary] to write: ReturnValue in Parse |
| file://:0:0:0:0 | [summary param] 0 in Parse | file://:0:0:0:0 | [summary] to write: ReturnValue in Parse |
| file://:0:0:0:0 | [summary param] 0 in ParseQuery | file://:0:0:0:0 | [summary] to write: ReturnValue in ParseQuery |
| file://:0:0:0:0 | [summary param] 0 in ParseRequestURI | file://:0:0:0:0 | [summary] to write: ReturnValue in ParseRequestURI |
| file://:0:0:0:0 | [summary param] 0 in PathEscape | file://:0:0:0:0 | [summary] to write: ReturnValue in PathEscape |
| file://:0:0:0:0 | [summary param] 0 in PathUnescape | file://:0:0:0:0 | [summary] to write: ReturnValue in PathUnescape |
| file://:0:0:0:0 | [summary param] 0 in Put | file://:0:0:0:0 | [summary] to write: Argument[-1] in Put |
| file://:0:0:0:0 | [summary param] 0 in QueryEscape | file://:0:0:0:0 | [summary] to write: ReturnValue in QueryEscape |
| file://:0:0:0:0 | [summary param] 0 in QueryUnescape | file://:0:0:0:0 | [summary] to write: ReturnValue in QueryUnescape |
| file://:0:0:0:0 | [summary param] 0 in Quote | file://:0:0:0:0 | [summary] to write: ReturnValue in Quote |
| file://:0:0:0:0 | [summary param] 0 in QuoteToASCII | file://:0:0:0:0 | [summary] to write: ReturnValue in QuoteToASCII |
| file://:0:0:0:0 | [summary param] 0 in QuoteToGraphic | file://:0:0:0:0 | [summary] to write: ReturnValue in QuoteToGraphic |
| file://:0:0:0:0 | [summary param] 0 in QuotedPrefix | file://:0:0:0:0 | [summary] to write: ReturnValue in QuotedPrefix |
| file://:0:0:0:0 | [summary param] 0 in ReadAll | file://:0:0:0:0 | [summary] to write: ReturnValue in ReadAll |
| file://:0:0:0:0 | [summary param] 0 in ReadAtLeast | file://:0:0:0:0 | [summary] to write: Argument[1] in ReadAtLeast |
| file://:0:0:0:0 | [summary param] 0 in ReadDir | file://:0:0:0:0 | [summary] to write: ReturnValue in ReadDir |
| file://:0:0:0:0 | [summary param] 0 in ReadFile | file://:0:0:0:0 | [summary] to write: ReturnValue in ReadFile |
| file://:0:0:0:0 | [summary param] 0 in ReadFrom | file://:0:0:0:0 | [summary] to write: Argument[-1] in ReadFrom |
| file://:0:0:0:0 | [summary param] 0 in ReadFrom | file://:0:0:0:0 | [summary] to write: Argument[-1] in ReadFrom |
| file://:0:0:0:0 | [summary param] 0 in ReadFrom | file://:0:0:0:0 | [summary] to write: Argument[-1] in ReadFrom |
| file://:0:0:0:0 | [summary param] 0 in ReadFull | file://:0:0:0:0 | [summary] to write: Argument[1] in ReadFull |
| file://:0:0:0:0 | [summary param] 0 in Repeat | file://:0:0:0:0 | [summary] to write: ReturnValue in Repeat |
| file://:0:0:0:0 | [summary param] 0 in Replace | file://:0:0:0:0 | [summary] to write: ReturnValue in Replace |
| file://:0:0:0:0 | [summary param] 0 in Replace | file://:0:0:0:0 | [summary] to write: ReturnValue in Replace |
| file://:0:0:0:0 | [summary param] 0 in ReplaceAll | file://:0:0:0:0 | [summary] to write: ReturnValue in ReplaceAll |
| file://:0:0:0:0 | [summary param] 0 in Reset | file://:0:0:0:0 | [summary] to write: Argument[-1] in Reset |
| file://:0:0:0:0 | [summary param] 0 in ResolveReference | file://:0:0:0:0 | [summary] to write: ReturnValue in ResolveReference |
| file://:0:0:0:0 | [summary param] 0 in Reverse | file://:0:0:0:0 | [summary] to write: ReturnValue in Reverse |
| file://:0:0:0:0 | [summary param] 0 in Send | file://:0:0:0:0 | [summary] to write: Argument[-1] in Send |
| file://:0:0:0:0 | [summary param] 0 in Set | file://:0:0:0:0 | [summary] to write: Argument[-1] in Set |
| file://:0:0:0:0 | [summary param] 0 in SetBytes | file://:0:0:0:0 | [summary] to write: Argument[-1] in SetBytes |
| file://:0:0:0:0 | [summary param] 0 in SetMapIndex | file://:0:0:0:0 | [summary] to write: Argument[-1] in SetMapIndex |
| file://:0:0:0:0 | [summary param] 0 in SetPointer | file://:0:0:0:0 | [summary] to write: Argument[-1] in SetPointer |
| file://:0:0:0:0 | [summary param] 0 in SetString | file://:0:0:0:0 | [summary] to write: Argument[-1] in SetString |
| file://:0:0:0:0 | [summary param] 0 in Split | file://:0:0:0:0 | [summary] to write: ReturnValue in Split |
| file://:0:0:0:0 | [summary param] 0 in Split | file://:0:0:0:0 | [summary] to write: ReturnValue in Split |
| file://:0:0:0:0 | [summary param] 0 in Split | file://:0:0:0:0 | [summary] to write: ReturnValue[1] in Split |
| file://:0:0:0:0 | [summary param] 0 in SplitAfter | file://:0:0:0:0 | [summary] to write: ReturnValue in SplitAfter |
| file://:0:0:0:0 | [summary param] 0 in SplitAfterN | file://:0:0:0:0 | [summary] to write: ReturnValue in SplitAfterN |
| file://:0:0:0:0 | [summary param] 0 in SplitN | file://:0:0:0:0 | [summary] to write: ReturnValue in SplitN |
| file://:0:0:0:0 | [summary param] 0 in Sprintf | file://:0:0:0:0 | [summary] to write: ReturnValue in Sprintf |
| file://:0:0:0:0 | [summary param] 0 in Store | file://:0:0:0:0 | [summary] to write: Argument[-1] in Store |
| file://:0:0:0:0 | [summary param] 0 in Store | file://:0:0:0:0 | [summary] to write: Argument[-1] in Store |
| file://:0:0:0:0 | [summary param] 0 in Store | file://:0:0:0:0 | [summary] to write: Argument[-1] in Store |
| file://:0:0:0:0 | [summary param] 0 in Store | file://:0:0:0:0 | [summary] to write: Argument[-1] in Store |
| file://:0:0:0:0 | [summary param] 0 in StringBytePtr | file://:0:0:0:0 | [summary] to write: ReturnValue in StringBytePtr |
| file://:0:0:0:0 | [summary param] 0 in StringByteSlice | file://:0:0:0:0 | [summary] to write: ReturnValue in StringByteSlice |
| file://:0:0:0:0 | [summary param] 0 in Sub | file://:0:0:0:0 | [summary] to write: ReturnValue in Sub |
| file://:0:0:0:0 | [summary param] 0 in Swap | file://:0:0:0:0 | [summary] to write: Argument[-1] in Swap |
| file://:0:0:0:0 | [summary param] 0 in Swap | file://:0:0:0:0 | [summary] to write: Argument[-1] in Swap |
| file://:0:0:0:0 | [summary param] 0 in Swap | file://:0:0:0:0 | [summary] to write: Argument[-1] in Swap |
| file://:0:0:0:0 | [summary param] 0 in Swap | file://:0:0:0:0 | [summary] to write: Argument[-1] in Swap |
| file://:0:0:0:0 | [summary param] 0 in SwapPointer | file://:0:0:0:0 | [summary] to write: ReturnValue in SwapPointer |
| file://:0:0:0:0 | [summary param] 0 in SwapUintptr | file://:0:0:0:0 | [summary] to write: ReturnValue in SwapUintptr |
| file://:0:0:0:0 | [summary param] 0 in TeeReader | file://:0:0:0:0 | [summary] to write: Argument[1] in TeeReader |
| file://:0:0:0:0 | [summary param] 0 in TeeReader | file://:0:0:0:0 | [summary] to write: ReturnValue in TeeReader |
| file://:0:0:0:0 | [summary param] 0 in Title | file://:0:0:0:0 | [summary] to write: ReturnValue in Title |
| file://:0:0:0:0 | [summary param] 0 in ToLower | file://:0:0:0:0 | [summary] to write: ReturnValue in ToLower |
| file://:0:0:0:0 | [summary param] 0 in ToTitle | file://:0:0:0:0 | [summary] to write: ReturnValue in ToTitle |
| file://:0:0:0:0 | [summary param] 0 in ToUpper | file://:0:0:0:0 | [summary] to write: ReturnValue in ToUpper |
| file://:0:0:0:0 | [summary param] 0 in ToValidUTF8 | file://:0:0:0:0 | [summary] to write: ReturnValue in ToValidUTF8 |
| file://:0:0:0:0 | [summary param] 0 in Trim | file://:0:0:0:0 | [summary] to write: ReturnValue in Trim |
| file://:0:0:0:0 | [summary param] 0 in TrimFunc | file://:0:0:0:0 | [summary] to write: ReturnValue in TrimFunc |
| file://:0:0:0:0 | [summary param] 0 in TrimLeft | file://:0:0:0:0 | [summary] to write: ReturnValue in TrimLeft |
| file://:0:0:0:0 | [summary param] 0 in TrimLeftFunc | file://:0:0:0:0 | [summary] to write: ReturnValue in TrimLeftFunc |
| file://:0:0:0:0 | [summary param] 0 in TrimPrefix | file://:0:0:0:0 | [summary] to write: ReturnValue in TrimPrefix |
| file://:0:0:0:0 | [summary param] 0 in TrimRight | file://:0:0:0:0 | [summary] to write: ReturnValue in TrimRight |
| file://:0:0:0:0 | [summary param] 0 in TrimRightFunc | file://:0:0:0:0 | [summary] to write: ReturnValue in TrimRightFunc |
| file://:0:0:0:0 | [summary param] 0 in TrimSpace | file://:0:0:0:0 | [summary] to write: ReturnValue in TrimSpace |
| file://:0:0:0:0 | [summary param] 0 in TrimSuffix | file://:0:0:0:0 | [summary] to write: ReturnValue in TrimSuffix |
| file://:0:0:0:0 | [summary param] 0 in TrySend | file://:0:0:0:0 | [summary] to write: Argument[-1] in TrySend |
| file://:0:0:0:0 | [summary param] 0 in Unquote | file://:0:0:0:0 | [summary] to write: ReturnValue in Unquote |
| file://:0:0:0:0 | [summary param] 0 in UnquoteChar | file://:0:0:0:0 | [summary] to write: ReturnValue[2] in UnquoteChar |
| file://:0:0:0:0 | [summary param] 0 in Unwrap | file://:0:0:0:0 | [summary] to write: ReturnValue in Unwrap |
| file://:0:0:0:0 | [summary param] 0 in User | file://:0:0:0:0 | [summary] to write: ReturnValue in User |
| file://:0:0:0:0 | [summary param] 0 in UserPassword | file://:0:0:0:0 | [summary] to write: ReturnValue in UserPassword |
| file://:0:0:0:0 | [summary param] 0 in ValueOf | file://:0:0:0:0 | [summary] to write: ReturnValue in ValueOf |
| file://:0:0:0:0 | [summary param] 0 in Write | file://:0:0:0:0 | [summary] to write: Argument[-1] in Write |
| file://:0:0:0:0 | [summary param] 0 in Write | file://:0:0:0:0 | [summary] to write: Argument[-1] in Write |
| file://:0:0:0:0 | [summary param] 0 in Write | file://:0:0:0:0 | [summary] to write: Argument[-1] in Write |
| file://:0:0:0:0 | [summary param] 0 in Write | file://:0:0:0:0 | [summary] to write: Argument[-1] in Write |
| file://:0:0:0:0 | [summary param] 0 in Write | file://:0:0:0:0 | [summary] to write: Argument[-1] in Write |
| file://:0:0:0:0 | [summary param] 0 in Write | file://:0:0:0:0 | [summary] to write: Argument[-1] in Write |
| file://:0:0:0:0 | [summary param] 0 in Write | file://:0:0:0:0 | [summary] to write: Argument[-1] in Write |
| file://:0:0:0:0 | [summary param] 0 in Write | file://:0:0:0:0 | [summary] to write: Argument[-1] in Write |
| file://:0:0:0:0 | [summary param] 0 in Write | file://:0:0:0:0 | [summary] to write: Argument[-1] in Write |
| file://:0:0:0:0 | [summary param] 0 in Write | file://:0:0:0:0 | [summary] to write: Argument[-1] in Write |
| file://:0:0:0:0 | [summary param] 0 in Write | file://:0:0:0:0 | [summary] to write: Argument[-1] in Write |
| file://:0:0:0:0 | [summary param] 0 in Write | file://:0:0:0:0 | [summary] to write: Argument[-1] in Write |
| file://:0:0:0:0 | [summary param] 0 in Write | file://:0:0:0:0 | [summary] to write: Argument[-1] in Write |
| file://:0:0:0:0 | [summary param] 0 in WriteAt | file://:0:0:0:0 | [summary] to write: Argument[-1] in WriteAt |
| file://:0:0:0:0 | [summary param] 0 in WriteAt | file://:0:0:0:0 | [summary] to write: Argument[-1] in WriteAt |
| file://:0:0:0:0 | [summary param] 0 in WriteAt | file://:0:0:0:0 | [summary] to write: Argument[-1] in WriteAt |
| file://:0:0:0:0 | [summary param] 0 in WriteString | file://:0:0:0:0 | [summary] to write: Argument[-1] in WriteString |
| file://:0:0:0:0 | [summary param] 0 in WriteString | file://:0:0:0:0 | [summary] to write: Argument[-1] in WriteString |
| file://:0:0:0:0 | [summary param] 0 in WriteString | file://:0:0:0:0 | [summary] to write: Argument[-1] in WriteString |
| file://:0:0:0:0 | [summary param] 0 in WriteString | file://:0:0:0:0 | [summary] to write: Argument[-1] in WriteString |
| file://:0:0:0:0 | [summary param] 0 in WriteString | file://:0:0:0:0 | [summary] to write: Argument[-1] in WriteString |
| file://:0:0:0:0 | [summary param] 0 in WriteString | file://:0:0:0:0 | [summary] to write: Argument[-1] in WriteString |
| file://:0:0:0:0 | [summary param] 0 in WriteString | file://:0:0:0:0 | [summary] to write: Argument[-1] in WriteString |
| file://:0:0:0:0 | [summary param] 0 in WriteString | file://:0:0:0:0 | [summary] to write: Argument[-1] in WriteString |
| file://:0:0:0:0 | [summary param] 1 in AddUintptr | file://:0:0:0:0 | [summary] to write: Argument[0] in AddUintptr |
| file://:0:0:0:0 | [summary param] 1 in AddUintptr | file://:0:0:0:0 | [summary] to write: ReturnValue in AddUintptr |
| file://:0:0:0:0 | [summary param] 1 in AppendQuote | file://:0:0:0:0 | [summary] to write: ReturnValue in AppendQuote |
| file://:0:0:0:0 | [summary param] 1 in AppendQuoteToASCII | file://:0:0:0:0 | [summary] to write: ReturnValue in AppendQuoteToASCII |
| file://:0:0:0:0 | [summary param] 1 in AppendQuoteToGraphic | file://:0:0:0:0 | [summary] to write: ReturnValue in AppendQuoteToGraphic |
| file://:0:0:0:0 | [summary param] 1 in AppendSlice | file://:0:0:0:0 | [summary] to write: ReturnValue in AppendSlice |
| file://:0:0:0:0 | [summary param] 1 in Appendf | file://:0:0:0:0 | [summary] to write: ReturnValue in Appendf |
| file://:0:0:0:0 | [summary param] 1 in Copy | file://:0:0:0:0 | [summary] to write: Argument[0] in Copy |
| file://:0:0:0:0 | [summary param] 1 in Copy | file://:0:0:0:0 | [summary] to write: Argument[0] in Copy |
| file://:0:0:0:0 | [summary param] 1 in CopyBuffer | file://:0:0:0:0 | [summary] to write: Argument[0] in CopyBuffer |
| file://:0:0:0:0 | [summary param] 1 in CopyN | file://:0:0:0:0 | [summary] to write: Argument[0] in CopyN |
| file://:0:0:0:0 | [summary param] 1 in Join | file://:0:0:0:0 | [summary] to write: ReturnValue in Join |
| file://:0:0:0:0 | [summary param] 1 in LoadOrStore | file://:0:0:0:0 | [summary] to write: Argument[-1] in LoadOrStore |
| file://:0:0:0:0 | [summary param] 1 in LoadOrStore | file://:0:0:0:0 | [summary] to write: ReturnValue in LoadOrStore |
| file://:0:0:0:0 | [summary param] 1 in Map | file://:0:0:0:0 | [summary] to write: ReturnValue in Map |
| file://:0:0:0:0 | [summary param] 1 in SetMapIndex | file://:0:0:0:0 | [summary] to write: Argument[-1] in SetMapIndex |
| file://:0:0:0:0 | [summary param] 1 in Store | file://:0:0:0:0 | [summary] to write: Argument[-1] in Store |
| file://:0:0:0:0 | [summary param] 1 in StorePointer | file://:0:0:0:0 | [summary] to write: Argument[0] in StorePointer |
| file://:0:0:0:0 | [summary param] 1 in StoreUintptr | file://:0:0:0:0 | [summary] to write: Argument[0] in StoreUintptr |
| file://:0:0:0:0 | [summary param] 1 in Swap | file://:0:0:0:0 | [summary] to write: Argument[-1] in Swap |
| file://:0:0:0:0 | [summary param] 1 in SwapPointer | file://:0:0:0:0 | [summary] to write: Argument[0] in SwapPointer |
| file://:0:0:0:0 | [summary param] 1 in SwapUintptr | file://:0:0:0:0 | [summary] to write: Argument[0] in SwapUintptr |
| file://:0:0:0:0 | [summary param] 1 in ToLowerSpecial | file://:0:0:0:0 | [summary] to write: ReturnValue in ToLowerSpecial |
| file://:0:0:0:0 | [summary param] 1 in ToTitleSpecial | file://:0:0:0:0 | [summary] to write: ReturnValue in ToTitleSpecial |
| file://:0:0:0:0 | [summary param] 1 in ToUpperSpecial | file://:0:0:0:0 | [summary] to write: ReturnValue in ToUpperSpecial |
| file://:0:0:0:0 | [summary param] 1 in ToValidUTF8 | file://:0:0:0:0 | [summary] to write: ReturnValue in ToValidUTF8 |
| file://:0:0:0:0 | [summary param] 1 in UserPassword | file://:0:0:0:0 | [summary] to write: ReturnValue in UserPassword |
| file://:0:0:0:0 | [summary param] 1 in WriteString | file://:0:0:0:0 | [summary] to write: Argument[0] in WriteString |
| file://:0:0:0:0 | [summary param] 1 in WriteString | file://:0:0:0:0 | [summary] to write: Argument[0] in WriteString |
| file://:0:0:0:0 | [summary param] 2 in CompareAndSwap | file://:0:0:0:0 | [summary] to write: Argument[-1] in CompareAndSwap |
| file://:0:0:0:0 | [summary param] 2 in CompareAndSwapPointer | file://:0:0:0:0 | [summary] to write: Argument[0] in CompareAndSwapPointer |
| file://:0:0:0:0 | [summary param] 2 in CompareAndSwapUintptr | file://:0:0:0:0 | [summary] to write: Argument[0] in CompareAndSwapUintptr |
| file://:0:0:0:0 | [summary param] 2 in Replace | file://:0:0:0:0 | [summary] to write: ReturnValue in Replace |
| file://:0:0:0:0 | [summary param] 2 in ReplaceAll | file://:0:0:0:0 | [summary] to write: ReturnValue in ReplaceAll |
| file://:0:0:0:0 | [summary param] -1 in Addr | file://:0:0:0:0 | [summary] to write: ReturnValue in Addr |
| file://:0:0:0:0 | [summary param] -1 in Bytes | file://:0:0:0:0 | [summary] to write: ReturnValue in Bytes |
| file://:0:0:0:0 | [summary param] -1 in Convert | file://:0:0:0:0 | [summary] to write: ReturnValue in Convert |
| file://:0:0:0:0 | [summary param] -1 in Elem | file://:0:0:0:0 | [summary] to write: ReturnValue in Elem |
| file://:0:0:0:0 | [summary param] -1 in Encode | file://:0:0:0:0 | [summary] to write: ReturnValue in Encode |
| file://:0:0:0:0 | [summary param] -1 in EscapedPath | file://:0:0:0:0 | [summary] to write: ReturnValue in EscapedPath |
| file://:0:0:0:0 | [summary param] -1 in Fd | file://:0:0:0:0 | [summary] to write: ReturnValue in Fd |
| file://:0:0:0:0 | [summary param] -1 in Field | file://:0:0:0:0 | [summary] to write: ReturnValue in Field |
| file://:0:0:0:0 | [summary param] -1 in FieldByIndex | file://:0:0:0:0 | [summary] to write: ReturnValue in FieldByIndex |
| file://:0:0:0:0 | [summary param] -1 in FieldByName | file://:0:0:0:0 | [summary] to write: ReturnValue in FieldByName |
| file://:0:0:0:0 | [summary param] -1 in FieldByNameFunc | file://:0:0:0:0 | [summary] to write: ReturnValue in FieldByNameFunc |
| file://:0:0:0:0 | [summary param] -1 in Get | file://:0:0:0:0 | [summary] to write: ReturnValue in Get |
| file://:0:0:0:0 | [summary param] -1 in Get | file://:0:0:0:0 | [summary] to write: ReturnValue in Get |
| file://:0:0:0:0 | [summary param] -1 in Get | file://:0:0:0:0 | [summary] to write: ReturnValue in Get |
| file://:0:0:0:0 | [summary param] -1 in Glob | file://:0:0:0:0 | [summary] to write: ReturnValue in Glob |
| file://:0:0:0:0 | [summary param] -1 in Glob | file://:0:0:0:0 | [summary] to write: ReturnValue in Glob |
| file://:0:0:0:0 | [summary param] -1 in GoString | file://:0:0:0:0 | [summary] to write: ReturnValue in GoString |
| file://:0:0:0:0 | [summary param] -1 in GoString | file://:0:0:0:0 | [summary] to write: ReturnValue in GoString |
| file://:0:0:0:0 | [summary param] -1 in Hostname | file://:0:0:0:0 | [summary] to write: ReturnValue in Hostname |
| file://:0:0:0:0 | [summary param] -1 in Index | file://:0:0:0:0 | [summary] to write: ReturnValue in Index |
| file://:0:0:0:0 | [summary param] -1 in Info | file://:0:0:0:0 | [summary] to write: ReturnValue in Info |
| file://:0:0:0:0 | [summary param] -1 in Info | file://:0:0:0:0 | [summary] to write: ReturnValue in Info |
| file://:0:0:0:0 | [summary param] -1 in Info | file://:0:0:0:0 | [summary] to write: ReturnValue in Info |
| file://:0:0:0:0 | [summary param] -1 in Interface | file://:0:0:0:0 | [summary] to write: ReturnValue in Interface |
| file://:0:0:0:0 | [summary param] -1 in InterfaceData | file://:0:0:0:0 | [summary] to write: ReturnValue in InterfaceData |
| file://:0:0:0:0 | [summary param] -1 in Key | file://:0:0:0:0 | [summary] to write: ReturnValue in Key |
| file://:0:0:0:0 | [summary param] -1 in Load | file://:0:0:0:0 | [summary] to write: ReturnValue in Load |
| file://:0:0:0:0 | [summary param] -1 in Load | file://:0:0:0:0 | [summary] to write: ReturnValue in Load |
| file://:0:0:0:0 | [summary param] -1 in Load | file://:0:0:0:0 | [summary] to write: ReturnValue in Load |
| file://:0:0:0:0 | [summary param] -1 in Load | file://:0:0:0:0 | [summary] to write: ReturnValue in Load |
| file://:0:0:0:0 | [summary param] -1 in LoadOrStore | file://:0:0:0:0 | [summary] to write: ReturnValue in LoadOrStore |
| file://:0:0:0:0 | [summary param] -1 in Lookup | file://:0:0:0:0 | [summary] to write: ReturnValue in Lookup |
| file://:0:0:0:0 | [summary param] -1 in MapIndex | file://:0:0:0:0 | [summary] to write: ReturnValue in MapIndex |
| file://:0:0:0:0 | [summary param] -1 in MapKeys | file://:0:0:0:0 | [summary] to write: ReturnValue in MapKeys |
| file://:0:0:0:0 | [summary param] -1 in MapRange | file://:0:0:0:0 | [summary] to write: ReturnValue in MapRange |
| file://:0:0:0:0 | [summary param] -1 in MarshalBinary | file://:0:0:0:0 | [summary] to write: ReturnValue in MarshalBinary |
| file://:0:0:0:0 | [summary param] -1 in Method | file://:0:0:0:0 | [summary] to write: ReturnValue in Method |
| file://:0:0:0:0 | [summary param] -1 in MethodByName | file://:0:0:0:0 | [summary] to write: ReturnValue in MethodByName |
| file://:0:0:0:0 | [summary param] -1 in Name | file://:0:0:0:0 | [summary] to write: ReturnValue in Name |
| file://:0:0:0:0 | [summary param] -1 in Name | file://:0:0:0:0 | [summary] to write: ReturnValue in Name |
| file://:0:0:0:0 | [summary param] -1 in Name | file://:0:0:0:0 | [summary] to write: ReturnValue in Name |
| file://:0:0:0:0 | [summary param] -1 in Open | file://:0:0:0:0 | [summary] to write: ReturnValue in Open |
| file://:0:0:0:0 | [summary param] -1 in Open | file://:0:0:0:0 | [summary] to write: ReturnValue in Open |
| file://:0:0:0:0 | [summary param] -1 in Open | file://:0:0:0:0 | [summary] to write: ReturnValue in Open |
| file://:0:0:0:0 | [summary param] -1 in Parse | file://:0:0:0:0 | [summary] to write: ReturnValue in Parse |
| file://:0:0:0:0 | [summary param] -1 in Password | file://:0:0:0:0 | [summary] to write: ReturnValue in Password |
| file://:0:0:0:0 | [summary param] -1 in Pointer | file://:0:0:0:0 | [summary] to write: ReturnValue in Pointer |
| file://:0:0:0:0 | [summary param] -1 in Port | file://:0:0:0:0 | [summary] to write: ReturnValue in Port |
| file://:0:0:0:0 | [summary param] -1 in Query | file://:0:0:0:0 | [summary] to write: ReturnValue in Query |
| file://:0:0:0:0 | [summary param] -1 in Read | file://:0:0:0:0 | [summary] to write: Argument[0] in Read |
| file://:0:0:0:0 | [summary param] -1 in Read | file://:0:0:0:0 | [summary] to write: Argument[0] in Read |
| file://:0:0:0:0 | [summary param] -1 in Read | file://:0:0:0:0 | [summary] to write: Argument[0] in Read |
| file://:0:0:0:0 | [summary param] -1 in Read | file://:0:0:0:0 | [summary] to write: Argument[0] in Read |
| file://:0:0:0:0 | [summary param] -1 in Read | file://:0:0:0:0 | [summary] to write: Argument[0] in Read |
| file://:0:0:0:0 | [summary param] -1 in Read | file://:0:0:0:0 | [summary] to write: Argument[0] in Read |
| file://:0:0:0:0 | [summary param] -1 in Read | file://:0:0:0:0 | [summary] to write: Argument[0] in Read |
| file://:0:0:0:0 | [summary param] -1 in Read | file://:0:0:0:0 | [summary] to write: Argument[0] in Read |
| file://:0:0:0:0 | [summary param] -1 in Read | file://:0:0:0:0 | [summary] to write: Argument[0] in Read |
| file://:0:0:0:0 | [summary param] -1 in Read | file://:0:0:0:0 | [summary] to write: Argument[0] in Read |
| file://:0:0:0:0 | [summary param] -1 in Read | file://:0:0:0:0 | [summary] to write: Argument[0] in Read |
| file://:0:0:0:0 | [summary param] -1 in Read | file://:0:0:0:0 | [summary] to write: Argument[0] in Read |
| file://:0:0:0:0 | [summary param] -1 in Read | file://:0:0:0:0 | [summary] to write: Argument[0] in Read |
| file://:0:0:0:0 | [summary param] -1 in Read | file://:0:0:0:0 | [summary] to write: Argument[0] in Read |
| file://:0:0:0:0 | [summary param] -1 in Read | file://:0:0:0:0 | [summary] to write: Argument[0] in Read |
| file://:0:0:0:0 | [summary param] -1 in Read | file://:0:0:0:0 | [summary] to write: Argument[0] in Read |
| file://:0:0:0:0 | [summary param] -1 in ReadAt | file://:0:0:0:0 | [summary] to write: Argument[0] in ReadAt |
| file://:0:0:0:0 | [summary param] -1 in ReadAt | file://:0:0:0:0 | [summary] to write: Argument[0] in ReadAt |
| file://:0:0:0:0 | [summary param] -1 in ReadAt | file://:0:0:0:0 | [summary] to write: Argument[0] in ReadAt |
| file://:0:0:0:0 | [summary param] -1 in ReadAt | file://:0:0:0:0 | [summary] to write: Argument[0] in ReadAt |
| file://:0:0:0:0 | [summary param] -1 in ReadDir | file://:0:0:0:0 | [summary] to write: ReturnValue in ReadDir |
| file://:0:0:0:0 | [summary param] -1 in ReadDir | file://:0:0:0:0 | [summary] to write: ReturnValue in ReadDir |
| file://:0:0:0:0 | [summary param] -1 in ReadDir | file://:0:0:0:0 | [summary] to write: ReturnValue in ReadDir |
| file://:0:0:0:0 | [summary param] -1 in ReadFile | file://:0:0:0:0 | [summary] to write: ReturnValue in ReadFile |
| file://:0:0:0:0 | [summary param] -1 in ReadFile | file://:0:0:0:0 | [summary] to write: ReturnValue in ReadFile |
| file://:0:0:0:0 | [summary param] -1 in ReadFile | file://:0:0:0:0 | [summary] to write: ReturnValue in ReadFile |
| file://:0:0:0:0 | [summary param] -1 in Recv | file://:0:0:0:0 | [summary] to write: ReturnValue in Recv |
| file://:0:0:0:0 | [summary param] -1 in RequestURI | file://:0:0:0:0 | [summary] to write: ReturnValue in RequestURI |
| file://:0:0:0:0 | [summary param] -1 in ResolveReference | file://:0:0:0:0 | [summary] to write: ReturnValue in ResolveReference |
| file://:0:0:0:0 | [summary param] -1 in Slice | file://:0:0:0:0 | [summary] to write: ReturnValue in Slice |
| file://:0:0:0:0 | [summary param] -1 in Slice3 | file://:0:0:0:0 | [summary] to write: ReturnValue in Slice3 |
| file://:0:0:0:0 | [summary param] -1 in String | file://:0:0:0:0 | [summary] to write: ReturnValue in String |
| file://:0:0:0:0 | [summary param] -1 in String | file://:0:0:0:0 | [summary] to write: ReturnValue in String |
| file://:0:0:0:0 | [summary param] -1 in String | file://:0:0:0:0 | [summary] to write: ReturnValue in String |
| file://:0:0:0:0 | [summary param] -1 in String | file://:0:0:0:0 | [summary] to write: ReturnValue in String |
| file://:0:0:0:0 | [summary param] -1 in String | file://:0:0:0:0 | [summary] to write: ReturnValue in String |
| file://:0:0:0:0 | [summary param] -1 in String | file://:0:0:0:0 | [summary] to write: ReturnValue in String |
| file://:0:0:0:0 | [summary param] -1 in String | file://:0:0:0:0 | [summary] to write: ReturnValue in String |
| file://:0:0:0:0 | [summary param] -1 in String | file://:0:0:0:0 | [summary] to write: ReturnValue in String |
| file://:0:0:0:0 | [summary param] -1 in String | file://:0:0:0:0 | [summary] to write: ReturnValue in String |
| file://:0:0:0:0 | [summary param] -1 in String | file://:0:0:0:0 | [summary] to write: ReturnValue in String |
| file://:0:0:0:0 | [summary param] -1 in String | file://:0:0:0:0 | [summary] to write: ReturnValue in String |
| file://:0:0:0:0 | [summary param] -1 in String | file://:0:0:0:0 | [summary] to write: ReturnValue in String |
| file://:0:0:0:0 | [summary param] -1 in String | file://:0:0:0:0 | [summary] to write: ReturnValue in String |
| file://:0:0:0:0 | [summary param] -1 in String | file://:0:0:0:0 | [summary] to write: ReturnValue in String |
| file://:0:0:0:0 | [summary param] -1 in String | file://:0:0:0:0 | [summary] to write: ReturnValue in String |
| file://:0:0:0:0 | [summary param] -1 in String | file://:0:0:0:0 | [summary] to write: ReturnValue in String |
| file://:0:0:0:0 | [summary param] -1 in String | file://:0:0:0:0 | [summary] to write: ReturnValue in String |
| file://:0:0:0:0 | [summary param] -1 in String | file://:0:0:0:0 | [summary] to write: ReturnValue in String |
| file://:0:0:0:0 | [summary param] -1 in String | file://:0:0:0:0 | [summary] to write: ReturnValue in String |
| file://:0:0:0:0 | [summary param] -1 in String | file://:0:0:0:0 | [summary] to write: ReturnValue in String |
| file://:0:0:0:0 | [summary param] -1 in String | file://:0:0:0:0 | [summary] to write: ReturnValue in String |
| file://:0:0:0:0 | [summary param] -1 in String | file://:0:0:0:0 | [summary] to write: ReturnValue in String |
| file://:0:0:0:0 | [summary param] -1 in String | file://:0:0:0:0 | [summary] to write: ReturnValue in String |
| file://:0:0:0:0 | [summary param] -1 in String | file://:0:0:0:0 | [summary] to write: ReturnValue in String |
| file://:0:0:0:0 | [summary param] -1 in String | file://:0:0:0:0 | [summary] to write: ReturnValue in String |
| file://:0:0:0:0 | [summary param] -1 in String | file://:0:0:0:0 | [summary] to write: ReturnValue in String |
| file://:0:0:0:0 | [summary param] -1 in String | file://:0:0:0:0 | [summary] to write: ReturnValue in String |
| file://:0:0:0:0 | [summary param] -1 in String | file://:0:0:0:0 | [summary] to write: ReturnValue in String |
| file://:0:0:0:0 | [summary param] -1 in String | file://:0:0:0:0 | [summary] to write: ReturnValue in String |
| file://:0:0:0:0 | [summary param] -1 in Sub | file://:0:0:0:0 | [summary] to write: ReturnValue in Sub |
| file://:0:0:0:0 | [summary param] -1 in Sub | file://:0:0:0:0 | [summary] to write: ReturnValue in Sub |
| file://:0:0:0:0 | [summary param] -1 in Swap | file://:0:0:0:0 | [summary] to write: ReturnValue in Swap |
| file://:0:0:0:0 | [summary param] -1 in Swap | file://:0:0:0:0 | [summary] to write: ReturnValue in Swap |
| file://:0:0:0:0 | [summary param] -1 in Swap | file://:0:0:0:0 | [summary] to write: ReturnValue in Swap |
| file://:0:0:0:0 | [summary param] -1 in Swap | file://:0:0:0:0 | [summary] to write: ReturnValue in Swap |
| file://:0:0:0:0 | [summary param] -1 in SyscallConn | file://:0:0:0:0 | [summary] to write: ReturnValue in SyscallConn |
| file://:0:0:0:0 | [summary param] -1 in SyscallConn | file://:0:0:0:0 | [summary] to write: ReturnValue in SyscallConn |
| file://:0:0:0:0 | [summary param] -1 in Token | file://:0:0:0:0 | [summary] to write: ReturnValue in Token |
| file://:0:0:0:0 | [summary param] -1 in Token | file://:0:0:0:0 | [summary] to write: ReturnValue in Token |
| file://:0:0:0:0 | [summary param] -1 in TryRecv | file://:0:0:0:0 | [summary] to write: ReturnValue in TryRecv |
| file://:0:0:0:0 | [summary param] -1 in UnsafeAddr | file://:0:0:0:0 | [summary] to write: ReturnValue in UnsafeAddr |
| file://:0:0:0:0 | [summary param] -1 in Username | file://:0:0:0:0 | [summary] to write: ReturnValue in Username |
| file://:0:0:0:0 | [summary param] -1 in Value | file://:0:0:0:0 | [summary] to write: ReturnValue in Value |
| file://:0:0:0:0 | [summary param] -1 in WriteTo | file://:0:0:0:0 | [summary] to write: Argument[0] in WriteTo |
| file://:0:0:0:0 | [summary param] -1 in WriteTo | file://:0:0:0:0 | [summary] to write: Argument[0] in WriteTo |
| file://:0:0:0:0 | [summary param] -1 in WriteTo | file://:0:0:0:0 | [summary] to write: Argument[0] in WriteTo |
| file://:0:0:0:0 | [summary param] -1 in WriteTo | file://:0:0:0:0 | [summary] to write: Argument[0] in WriteTo |
| file://:0:0:0:0 | [summary] read: Argument[0].ArrayElement in Sprint | file://:0:0:0:0 | [summary] to write: ReturnValue in Sprint |
| file://:0:0:0:0 | [summary] read: Argument[0].ArrayElement in Sprintln | file://:0:0:0:0 | [summary] to write: ReturnValue in Sprintln |
| file://:0:0:0:0 | [summary] read: Argument[1].ArrayElement in Append | file://:0:0:0:0 | [summary] to write: ReturnValue in Append |
| file://:0:0:0:0 | [summary] read: Argument[1].ArrayElement in Appendln | file://:0:0:0:0 | [summary] to write: ReturnValue in Appendln |
| file://:0:0:0:0 | [summary] read: Argument[1].ArrayElement in Sprintf | file://:0:0:0:0 | [summary] to write: ReturnValue in Sprintf |
| file://:0:0:0:0 | [summary] read: Argument[2].ArrayElement in Appendf | file://:0:0:0:0 | [summary] to write: ReturnValue in Appendf |
| main.go:26:11:26:17 | type assertion | main.go:26:2:26:17 | ... := ...[0] |
| main.go:26:11:26:17 | type assertion | main.go:26:2:26:17 | ... := ...[1] |
| main.go:38:13:38:13 | 1 | main.go:38:7:38:20 | slice literal |

View File

@@ -1,20 +1,11 @@
import go
import semmle.go.dataflow.internal.DataFlowPrivate
from DataFlow::Node nd, DataFlow::Node succ
where
TaintTracking::localTaintStep(nd, succ) and
// exclude data-flow steps
not DataFlow::localFlowStep(nd, succ) and
// Exclude results which only appear on unix to avoid platform-specific results
not exists(string pkg, string name |
nd.(DataFlow::SummarizedParameterNode)
.getCallable()
.asSummarizedCallable()
.asFunction()
.hasQualifiedName(pkg, name)
|
pkg = "syscall" and name = "StringSlicePtr"
or
pkg = ["os.dirEntry", "os.unixDirent"] and name = ["Info", "Name"]
)
// Exclude results from libraries
not nd instanceof FlowSummaryNode
select nd, succ
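Review bot: the `not nd instanceof FlowSummaryNode` filter removes every library summary step from this test, where the earlier filter excluded only `syscall.StringSlicePtr` and the `os.dirEntry`/`os.unixDirent` methods. If summary-driven taint steps are still meant to be under test, state where they are covered now. Also consider whether `succ` needs the same filter, since only the predecessor is checked.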

View File

@@ -1,41 +1,12 @@
// This test finds taint tracking steps which are not data flow steps
// to illustrate which steps are added specifically by taint tracking
import go
import semmle.go.dataflow.internal.DataFlowPrivate
predicate hasLocation(DataFlow::Node node, string loc) {
node.hasLocationInfo(loc, _, _, _, _) and loc != ""
or
exists(string pkg, string name |
node.(DataFlow::SummarizedParameterNode)
.getCallable()
.asSummarizedCallable()
.asFunction()
.hasQualifiedName(pkg, name) and
loc = pkg + "." + name
)
}
from string predLoc, DataFlow::Node pred, DataFlow::Node succ
from DataFlow::Node pred, DataFlow::Node succ
where
TaintTracking::localTaintStep(pred, succ) and
not DataFlow::localFlowStep(pred, succ) and
// Exclude results which only appear on unix to avoid platform-specific results
not exists(string pkg, string name |
pred.(DataFlow::SummarizedParameterNode)
.getCallable()
.asSummarizedCallable()
.asFunction()
.hasQualifiedName(pkg, name)
|
pkg = "syscall" and name = "StringSlicePtr"
or
pkg.matches("crypto/rand.%") and
name = "Read"
or
pkg = ["os.dirEntry", "os.unixDirent"] and name = ["Info", "Name", "String"]
or
// Not available on arm64
pkg = "vendor/golang.org/x/crypto/internal/poly1305.mac" and name = "Write"
) and
hasLocation(pred, predLoc)
select predLoc, pred, succ
// Exclude results from libraries
not pred instanceof FlowSummaryNode
select pred, succ
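Review bot: the header comment still says the test shows which steps taint tracking adds, but with `not pred instanceof FlowSummaryNode` it only shows steps that do not start at a library summary node. Extend the comment to say that. Dropping `predLoc` from the `select` also changes the column layout of the expected output, so that file needs regenerating in the same commit.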

View File

@@ -15,7 +15,6 @@ private import semmle.code.java.security.QueryInjection
private import semmle.code.java.dataflow.internal.ModelExclusions as ModelExclusions
private import AutomodelJavaUtil as AutomodelJavaUtil
private import semmle.code.java.security.PathSanitizer as PathSanitizer
private import AutomodelSharedGetCallable as AutomodelSharedGetCallable
import AutomodelSharedCharacteristics as SharedCharacteristics
import AutomodelEndpointTypes as AutomodelEndpointTypes
@@ -64,8 +63,6 @@ abstract private class ApplicationModeEndpoint extends TApplicationModeEndpoint
*/
abstract Callable getCallable();
abstract Call getCall();
/**
* Gets the input (if any) for this endpoint, eg.: `Argument[0]`.
*
@@ -99,50 +96,50 @@ abstract private class ApplicationModeEndpoint extends TApplicationModeEndpoint
abstract string toString();
}
class TCallArgument = TExplicitArgument or TInstanceArgument or TImplicitVarargsArray;
/**
* A class representing nodes that are arguments to calls.
* An endpoint that represents an "argument" to a call in a broad sense, including
* both explicit arguments and the instance argument.
*/
class ExplicitArgument extends ApplicationModeEndpoint, TExplicitArgument {
abstract class CallArgument extends ApplicationModeEndpoint, TCallArgument {
Call call;
DataFlow::Node arg;
ExplicitArgument() { this = TExplicitArgument(call, arg) }
override Callable getCallable() { result = call.getCallee().getSourceDeclaration() }
override Call getCall() { result = call }
override string getMaDOutput() { none() }
override DataFlow::Node asNode() { result = arg }
Call getCall() { result = call }
override string toString() { result = arg.toString() }
}
/**
* An endpoint that represents an explicit argument to a call.
*/
class ExplicitArgument extends CallArgument, TExplicitArgument {
ExplicitArgument() { this = TExplicitArgument(call, arg) }
private int getArgIndex() { this.asTop() = call.getArgument(result) }
override string getMaDInput() { result = "Argument[" + this.getArgIndex() + "]" }
override string getMaDOutput() { none() }
override Top asTop() { result = arg.asExpr() }
override DataFlow::Node asNode() { result = arg }
override string toString() { result = arg.toString() }
}
class InstanceArgument extends ApplicationModeEndpoint, TInstanceArgument {
Call call;
DataFlow::Node arg;
/**
* An endpoint that represents the instance argument to a call.
*/
class InstanceArgument extends CallArgument, TInstanceArgument {
InstanceArgument() { this = TInstanceArgument(call, arg) }
override Callable getCallable() { result = call.getCallee().getSourceDeclaration() }
override Call getCall() { result = call }
override string getMaDInput() { result = "Argument[this]" }
override string getMaDOutput() { none() }
override Top asTop() { if exists(arg.asExpr()) then result = arg.asExpr() else result = call }
override DataFlow::Node asNode() { result = arg }
override string toString() { result = arg.toString() }
}
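Review bot: the QLDoc on `CallArgument` says it covers "both explicit arguments and the instance argument", but `TCallArgument` is declared as `TExplicitArgument or TInstanceArgument or TImplicitVarargsArray`, so the implicit varargs array is missing from the description. `getCall()` is now declared only on this class and has no QLDoc of its own; a one-line comment saying it returns the call the argument belongs to would help readers who no longer find it on `ApplicationModeEndpoint`.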
@@ -155,26 +152,14 @@ class InstanceArgument extends ApplicationModeEndpoint, TInstanceArgument {
* In order to be able to distinguish between varargs endpoints and regular endpoints, we export the `isVarargsArray`
* meta data field in the extraction queries.
*/
class ImplicitVarargsArray extends ApplicationModeEndpoint, TImplicitVarargsArray {
Call call;
DataFlow::Node vararg;
class ImplicitVarargsArray extends CallArgument, TImplicitVarargsArray {
int idx;
ImplicitVarargsArray() { this = TImplicitVarargsArray(call, vararg, idx) }
override Callable getCallable() { result = call.getCallee().getSourceDeclaration() }
override Call getCall() { result = call }
ImplicitVarargsArray() { this = TImplicitVarargsArray(call, arg, idx) }
override string getMaDInput() { result = "Argument[" + idx + "]" }
override string getMaDOutput() { none() }
override Top asTop() { result = call }
override DataFlow::Node asNode() { result = vararg }
override string toString() { result = vararg.toString() }
}
/**
@@ -188,8 +173,6 @@ class MethodReturnValue extends ApplicationModeEndpoint, TMethodReturnValue {
override Callable getCallable() { result = call.getCallee().getSourceDeclaration() }
override Call getCall() { result = call }
override string getMaDInput() { none() }
override string getMaDOutput() { result = "ReturnValue" }
@@ -219,8 +202,6 @@ class OverriddenParameter extends ApplicationModeEndpoint, TOverriddenParameter
result = overriddenMethod.getSourceDeclaration()
}
override Call getCall() { none() }
private int getArgIndex() { p.getCallable().getParameter(result) = p }
override string getMaDInput() { none() }
@@ -247,7 +228,9 @@ module ApplicationCandidatesImpl implements SharedCharacteristics::CandidateSig
class EndpointType = AutomodelEndpointTypes::EndpointType;
class NegativeEndpointType = AutomodelEndpointTypes::NegativeSinkType;
class SinkType = AutomodelEndpointTypes::SinkType;
class SourceType = AutomodelEndpointTypes::SourceType;
class RelatedLocation = Location::Top;
@@ -324,7 +307,7 @@ module ApplicationCandidatesImpl implements SharedCharacteristics::CandidateSig
*/
RelatedLocation getRelatedLocation(Endpoint e, RelatedLocationType type) {
type = CallContext() and
result = e.getCall()
result = e.(CallArgument).getCall()
or
type = MethodDoc() and
result = e.getCallable().(Documentable).getJavadoc()
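Review bot: in the `CallContext()` branch, `e.(CallArgument).getCall()` yields no related location for `MethodReturnValue` endpoints, although that class also returned `call` from the `getCall()` override shown in its hunk. If return-value endpoints should keep a call context, add a `getCall()` to `MethodReturnValue` and include it here; if dropping it is intended, say so in the predicate's comment.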
@@ -334,22 +317,6 @@ module ApplicationCandidatesImpl implements SharedCharacteristics::CandidateSig
}
}
private class JavaCallable = Callable;
private module ApplicationModeGetCallable implements AutomodelSharedGetCallable::GetCallableSig {
class Callable = JavaCallable;
class Endpoint = ApplicationCandidatesImpl::Endpoint;
/**
* Returns the API callable being modeled.
*
* We usually want to use `.getSourceDeclaration()` instead of just 'the' callable,
* because the source declaration callable has erased generic type parameters.
*/
Callable getCallable(Endpoint e) { result = e.getCall().getCallee() }
}
/**
* Contains endpoints that are defined in QL code rather than as a MaD model. Ideally this predicate
* should be empty.
@@ -377,10 +344,10 @@ class ApplicationModeMetadataExtractor extends string {
predicate hasMetadata(
Endpoint e, string package, string type, string subtypes, string name, string signature,
string input, string output, string isVarargsArray
string input, string output, string isVarargsArray, string alreadyAiModeled,
string extensibleType
) {
exists(Callable callable |
e.getCallable() = callable and
exists(Callable callable | e.getCallable() = callable |
(if exists(e.getMaDInput()) then input = e.getMaDInput() else input = "") and
(if exists(e.getMaDOutput()) then output = e.getMaDOutput() else output = "") and
package = callable.getDeclaringType().getPackage().getName() and
@@ -390,9 +357,17 @@ class ApplicationModeMetadataExtractor extends string {
subtypes = AutomodelJavaUtil::considerSubtypes(callable).toString() and
name = callable.getName() and
signature = ExternalFlow::paramsString(callable) and
if e instanceof ImplicitVarargsArray
then isVarargsArray = "true"
else isVarargsArray = "false"
(
if e instanceof ImplicitVarargsArray
then isVarargsArray = "true"
else isVarargsArray = "false"
) and
extensibleType = e.getExtensibleType()
) and
(
not CharacteristicsImpl::isModeled(e, _, extensibleType, _) and alreadyAiModeled = ""
or
CharacteristicsImpl::isModeled(e, _, extensibleType, alreadyAiModeled)
)
}
}
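Review bot: in the final disjunction, `isModeled(e, _, extensibleType, _)` ties the already-modeled check to the endpoint's own extensible type, whereas the candidate query's check used `isModeled(endpoint, _, _, _)`. An endpoint that is modeled only under a different extensible type now gets `alreadyAiModeled = ""` and looks unmodeled; confirm that is the intended behaviour. The two new parameters, `alreadyAiModeled` and `extensibleType`, should also be described in the QLDoc of `hasMetadata`.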
@@ -402,7 +377,8 @@ class ApplicationModeMetadataExtractor extends string {
*/
/**
* A negative characteristic that indicates that an is-style boolean method is unexploitable even if it is a sink.
* A negative characteristic that indicates that parameters of an is-style boolean method should not be considered sinks,
* and its return value should not be considered a source.
*
* A sink is highly unlikely to be exploitable if its callable's name starts with `is` and the callable has a boolean return
* type (e.g. `isDirectory`). These kinds of calls normally do only checks, and appear before the proper call that does
@@ -410,46 +386,70 @@ class ApplicationModeMetadataExtractor extends string {
*
* TODO: this might filter too much, it's possible that methods with more than one parameter contain interesting sinks
*/
private class UnexploitableIsCharacteristic extends CharacteristicsImpl::NotASinkCharacteristic {
private class UnexploitableIsCharacteristic extends CharacteristicsImpl::NeitherSourceNorSinkCharacteristic
{
UnexploitableIsCharacteristic() { this = "unexploitable (is-style boolean method)" }
override predicate appliesToEndpoint(Endpoint e) {
not ApplicationCandidatesImpl::isSink(e, _, _) and
e.getCallable().getName().matches("is%") and
e.getCallable().getReturnType() instanceof BooleanType
}
}
/**
* A negative characteristic that indicates that an existence-checking boolean method is unexploitable even if it is a
* sink.
*
* A sink is highly unlikely to be exploitable if its callable's name is `exists` or `notExists` and the callable has a
* boolean return type. These kinds of calls normally do only checks, and appear before the proper call that does the
* dangerous/interesting thing, so we want the latter to be modeled as the sink.
*/
private class UnexploitableExistsCharacteristic extends CharacteristicsImpl::NotASinkCharacteristic {
UnexploitableExistsCharacteristic() { this = "unexploitable (existence-checking boolean method)" }
override predicate appliesToEndpoint(Endpoint e) {
not ApplicationCandidatesImpl::isSink(e, _, _) and
exists(Callable callable |
callable = ApplicationModeGetCallable::getCallable(e) and
callable.getName().toLowerCase() = ["exists", "notexists"] and
callable.getReturnType() instanceof BooleanType
e.getCallable().getReturnType() instanceof BooleanType and
(
e.getExtensibleType() = "sinkModel" and
not ApplicationCandidatesImpl::isSink(e, _, _)
or
e.getExtensibleType() = "sourceModel" and
not ApplicationCandidatesImpl::isSource(e, _, _) and
e.getMaDOutput() = "ReturnValue"
)
}
}
/**
* A negative characteristic that indicates that an endpoint is an argument to an exception, which is not a sink.
* A negative characteristic that indicates that parameters of an existence-checking boolean method should not be
* considered sinks, and its return value should not be considered a source.
*
* A sink is highly unlikely to be exploitable if its callable's name is `exists` or `notExists` and the callable has a
* boolean return type. These kinds of calls normally do only checks, and appear before the proper call that does the
* dangerous/interesting thing, so we want the latter to be modeled as the sink.
*/
private class ExceptionCharacteristic extends CharacteristicsImpl::NotASinkCharacteristic {
private class UnexploitableExistsCharacteristic extends CharacteristicsImpl::NeitherSourceNorSinkCharacteristic
{
UnexploitableExistsCharacteristic() { this = "unexploitable (existence-checking boolean method)" }
override predicate appliesToEndpoint(Endpoint e) {
exists(Callable callable |
callable = e.getCallable() and
callable.getName().toLowerCase() = ["exists", "notexists"] and
callable.getReturnType() instanceof BooleanType
|
e.getExtensibleType() = "sinkModel" and
not ApplicationCandidatesImpl::isSink(e, _, _)
or
e.getExtensibleType() = "sourceModel" and
not ApplicationCandidatesImpl::isSource(e, _, _) and
e.getMaDOutput() = "ReturnValue"
)
}
}
/**
* A negative characteristic that indicates that parameters of an exception method or constructor should not be considered sinks,
* and its return value should not be considered a source.
*/
private class ExceptionCharacteristic extends CharacteristicsImpl::NeitherSourceNorSinkCharacteristic
{
ExceptionCharacteristic() { this = "exception" }
override predicate appliesToEndpoint(Endpoint e) {
ApplicationModeGetCallable::getCallable(e).getDeclaringType().getASupertype*() instanceof
TypeThrowable
e.getCallable().getDeclaringType().getASupertype*() instanceof TypeThrowable and
(
e.getExtensibleType() = "sinkModel" and
not ApplicationCandidatesImpl::isSink(e, _, _)
or
e.getExtensibleType() = "sourceModel" and
not ApplicationCandidatesImpl::isSource(e, _, _) and
e.getMaDOutput() = "ReturnValue"
)
}
}
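Review bot: the `sinkModel`/`sourceModel` disjunction in `appliesToEndpoint` is repeated verbatim in `UnexploitableIsCharacteristic`, `UnexploitableExistsCharacteristic` and `ExceptionCharacteristic`. Move it into one private helper predicate that takes the endpoint, so the three classes cannot drift apart. The second paragraph of the QLDoc on the two `Unexploitable` classes still talks only about sinks and should mention the return-value source case as well.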
@@ -462,7 +462,6 @@ private class IsMaDTaintStepCharacteristic extends CharacteristicsImpl::NotASink
IsMaDTaintStepCharacteristic() { this = "taint step" }
override predicate appliesToEndpoint(Endpoint e) {
e.getExtensibleType() = "sinkModel" and
FlowSummaryImpl::Private::Steps::summaryThroughStepValue(e.asNode(), _, _)
or
FlowSummaryImpl::Private::Steps::summaryThroughStepTaint(e.asNode(), _, _)
@@ -483,18 +482,20 @@ private class LocalCall extends CharacteristicsImpl::UninterestingToModelCharact
LocalCall() { this = "local call" }
override predicate appliesToEndpoint(Endpoint e) {
ApplicationModeGetCallable::getCallable(e).fromSource()
e.(CallArgument).getCallable().fromSource()
or
e.(MethodReturnValue).getCallable().fromSource()
}
}
/**
* A Characteristic that marks endpoints as uninteresting to model, according to the Java ModelExclusions module.
* A characteristic that marks endpoints as uninteresting to model, according to the Java ModelExclusions module.
*/
private class ExcludedFromModeling extends CharacteristicsImpl::UninterestingToModelCharacteristic {
ExcludedFromModeling() { this = "excluded from modeling" }
override predicate appliesToEndpoint(Endpoint e) {
ModelExclusions::isUninterestingForModels(ApplicationModeGetCallable::getCallable(e))
ModelExclusions::isUninterestingForModels(e.getCallable())
}
}
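Review bot: `LocalCall.appliesToEndpoint` goes through `e.(CallArgument)` and `e.(MethodReturnValue)`, while `ExcludedFromModeling` calls `e.getCallable()` on any endpoint, so the two characteristics now treat `OverriddenParameter` endpoints differently. The removed helper resolved the callable as `e.getCall().getCallee()`, which has no result for `OverriddenParameter` and does not take the source declaration. Add a comment in `LocalCall` explaining why the casts are needed, and confirm that `ExcludedFromModeling` is meant to start applying to overridden parameters.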
@@ -507,8 +508,7 @@ private class NonPublicMethodCharacteristic extends CharacteristicsImpl::Uninter
NonPublicMethodCharacteristic() { this = "non-public method" }
override predicate appliesToEndpoint(Endpoint e) {
e.getExtensibleType() = "sinkModel" and
not ApplicationModeGetCallable::getCallable(e).isPublic()
exists(Callable c | c = e.getCallable() | not c.isPublic())
}
}
@@ -530,11 +530,10 @@ private class OtherArgumentToModeledMethodCharacteristic extends Characteristics
}
override predicate appliesToEndpoint(Endpoint e) {
e.getExtensibleType() = "sinkModel" and
not ApplicationCandidatesImpl::isSink(e, _, _) and
exists(Endpoint otherSink |
exists(CallArgument otherSink |
ApplicationCandidatesImpl::isSink(otherSink, _, "manual") and
e.getCall() = otherSink.getCall() and
e.(CallArgument).getCall() = otherSink.getCall() and
e != otherSink
)
}
@@ -548,10 +547,7 @@ private class OtherArgumentToModeledMethodCharacteristic extends Characteristics
private class FunctionValueCharacteristic extends CharacteristicsImpl::LikelyNotASinkCharacteristic {
FunctionValueCharacteristic() { this = "function value" }
override predicate appliesToEndpoint(Endpoint e) {
e.getExtensibleType() = "sinkModel" and
e.asNode().asExpr() instanceof FunctionalExpr
}
override predicate appliesToEndpoint(Endpoint e) { e.asNode().asExpr() instanceof FunctionalExpr }
}
/**
@@ -565,10 +561,7 @@ private class CannotBeTaintedCharacteristic extends CharacteristicsImpl::LikelyN
{
CannotBeTaintedCharacteristic() { this = "cannot be tainted" }
override predicate appliesToEndpoint(Endpoint e) {
e.getExtensibleType() = "sinkModel" and
not this.isKnownOutNodeForStep(e)
}
override predicate appliesToEndpoint(Endpoint e) { not this.isKnownOutNodeForStep(e) }
/**
* Holds if the node `n` is known as the predecessor in a modeled flow step.

View File

@@ -25,20 +25,20 @@ private import AutomodelJavaUtil
bindingset[limit]
private Endpoint getSampleForSignature(
int limit, string package, string type, string subtypes, string name, string signature,
string input, string output, string isVarargs, string extensibleType
string input, string output, string isVarargs, string extensibleType, string alreadyAiModeled
) {
exists(int n, int num_endpoints, ApplicationModeMetadataExtractor meta |
num_endpoints =
count(Endpoint e |
e.getExtensibleType() = extensibleType and
meta.hasMetadata(e, package, type, subtypes, name, signature, input, output, isVarargs)
meta.hasMetadata(e, package, type, subtypes, name, signature, input, output, isVarargs,
alreadyAiModeled, extensibleType)
)
|
result =
rank[n](Endpoint e, Location loc |
loc = e.asTop().getLocation() and
e.getExtensibleType() = extensibleType and
meta.hasMetadata(e, package, type, subtypes, name, signature, input, output, isVarargs)
meta.hasMetadata(e, package, type, subtypes, name, signature, input, output, isVarargs,
alreadyAiModeled, extensibleType)
|
e
order by
@@ -63,22 +63,18 @@ where
not exists(CharacteristicsImpl::UninterestingToModelCharacteristic u |
u.appliesToEndpoint(endpoint)
) and
CharacteristicsImpl::isSinkCandidate(endpoint, _) and
CharacteristicsImpl::isCandidate(endpoint, _) and
endpoint =
getSampleForSignature(9, package, type, subtypes, name, signature, input, output,
isVarargsArray, extensibleType) and
isVarargsArray, extensibleType, alreadyAiModeled) and
meta.hasMetadata(endpoint, package, type, subtypes, name, signature, input, output,
isVarargsArray, alreadyAiModeled, extensibleType) and
// If a node is already modeled in MaD, we don't include it as a candidate. Otherwise, we might include it as a
// candidate for query A, but the model will label it as a sink for one of the sink types of query B, for which it's
// already a known sink. This would result in overlap between our detected sinks and the pre-existing modeling. We
// assume that, if a sink has already been modeled in a MaD model, then it doesn't belong to any additional sink
// types, and we don't need to reexamine it.
(
not CharacteristicsImpl::isModeled(endpoint, _, _, _) and alreadyAiModeled = ""
or
alreadyAiModeled.matches("%ai-%") and
CharacteristicsImpl::isModeled(endpoint, _, _, alreadyAiModeled)
) and
meta.hasMetadata(endpoint, package, type, subtypes, name, signature, input, output, isVarargsArray) and
alreadyAiModeled.matches(["", "%ai-%"]) and
includeAutomodelCandidate(package, type, name, signature)
select endpoint.asNode(),
"Related locations: $@, $@, $@." + "\nmetadata: $@, $@, $@, $@, $@, $@, $@, $@, $@, $@.", //

View File

@@ -40,27 +40,45 @@ Endpoint getSampleForCharacteristic(EndpointCharacteristic c, int limit) {
)
}
from
Endpoint endpoint, EndpointCharacteristic characteristic, float confidence, string message,
ApplicationModeMetadataExtractor meta, DollarAtString package, DollarAtString type,
DollarAtString subtypes, DollarAtString name, DollarAtString signature, DollarAtString input,
DollarAtString output, DollarAtString isVarargsArray, DollarAtString extensibleType
where
endpoint = getSampleForCharacteristic(characteristic, 100) and
extensibleType = endpoint.getExtensibleType() and
predicate candidate(
Endpoint endpoint, EndpointCharacteristic characteristic, float confidence, string package,
string type, string subtypes, string name, string signature, string input, string output,
string isVarargsArray, string extensibleType
) {
// the node is known not to be an endpoint of any appropriate type
forall(EndpointType tp | tp = CharacteristicsImpl::getAPotentialType(endpoint) |
characteristic.hasImplications(tp, false, _)
) and
// the lowest confidence across all endpoint types should be at least highConfidence
confidence =
min(float c |
characteristic.hasImplications(CharacteristicsImpl::getAPotentialType(endpoint), false, c)
) and
confidence >= SharedCharacteristics::highConfidence() and
characteristic.hasImplications(any(NegativeSinkType negative), true, confidence) and
meta.hasMetadata(endpoint, package, type, subtypes, name, signature, input, output, isVarargsArray) and
// It's valid for a node to satisfy the logic for both `isSink` and `isSanitizer`, but in that case it will be
// treated by the actual query as a sanitizer, since the final logic is something like
// `isSink(n) and not isSanitizer(n)`. We don't want to include such nodes as negative examples in the prompt, because
// they're ambiguous and might confuse the model, so we explicitly exclude all known sinks from the negative examples.
not exists(EndpointCharacteristic characteristic2, float confidence2, SinkType positiveType |
not positiveType instanceof NegativeSinkType and
any(ApplicationModeMetadataExtractor meta)
.hasMetadata(endpoint, package, type, subtypes, name, signature, input, output,
isVarargsArray, _, extensibleType) and
// It's valid for a node to be both a potential source/sanitizer and a sink. We don't want to include such nodes
// as negative examples in the prompt, because they're ambiguous and might confuse the model, so we explicitly exclude them here.
not exists(EndpointCharacteristic characteristic2, float confidence2 |
characteristic2 != characteristic
|
characteristic2.appliesToEndpoint(endpoint) and
confidence2 >= SharedCharacteristics::maximalConfidence() and
characteristic2.hasImplications(positiveType, true, confidence2)
) and
characteristic2
.hasImplications(CharacteristicsImpl::getAPotentialType(endpoint), true, confidence2)
)
}
from
Endpoint endpoint, EndpointCharacteristic characteristic, float confidence, string message,
DollarAtString package, DollarAtString type, DollarAtString subtypes, DollarAtString name,
DollarAtString signature, DollarAtString input, DollarAtString output,
DollarAtString isVarargsArray, DollarAtString extensibleType
where
endpoint = getSampleForCharacteristic(characteristic, 100) and
candidate(endpoint, characteristic, confidence, package, type, subtypes, name, signature, input,
output, isVarargsArray, extensibleType) and
message = characteristic
select endpoint.asNode(),
message + "\nrelated locations: $@, $@, $@." + "\nmetadata: $@, $@, $@, $@, $@, $@, $@, $@, $@.", //
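Review bot: the new top-level predicate `candidate` has no QLDoc and is not marked `private`, although it is used only by the `from`/`where` clause below it. Mark it `private` and add a short comment stating that it holds for negative examples, including the role of `confidence`. The inline comment on the `not exists` block mentions "source/sanitizer", while the condition checks any other characteristic with a positive implication for a potential type; align the wording with what the condition tests.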

View File

@@ -18,9 +18,8 @@ from
DollarAtString signature, DollarAtString input, DollarAtString output,
DollarAtString isVarargsArray, DollarAtString extensibleType
where
extensibleType = endpoint.getExtensibleType() and
meta.hasMetadata(endpoint, package, type, subtypes, name, signature, input, output, isVarargsArray) and
// Extract positive examples of sinks belonging to the existing ATM query configurations.
meta.hasMetadata(endpoint, package, type, subtypes, name, signature, input, output,
isVarargsArray, _, extensibleType) and
CharacteristicsImpl::isKnownAs(endpoint, endpointType, _) and
exists(CharacteristicsImpl::getRelatedLocationOrCandidate(endpoint, CallContext()))
select endpoint.asNode(),

View File

@@ -30,11 +30,6 @@ abstract class SinkType extends EndpointType {
SinkType() { any() }
}
/** The `Negative` class for non-sinks. */
class NegativeSinkType extends SinkType {
NegativeSinkType() { this = "non-sink" }
}
/** A sink relevant to the SQL injection query */
class SqlInjectionSinkType extends SinkType {
SqlInjectionSinkType() { this = "sql-injection" }

View File

@@ -15,7 +15,6 @@ private import semmle.code.java.security.QueryInjection
private import semmle.code.java.security.RequestForgery
private import semmle.code.java.dataflow.internal.ModelExclusions as ModelExclusions
private import AutomodelJavaUtil as AutomodelJavaUtil
private import AutomodelSharedGetCallable as AutomodelSharedGetCallable
import AutomodelSharedCharacteristics as SharedCharacteristics
import AutomodelEndpointTypes as AutomodelEndpointTypes
@@ -84,7 +83,7 @@ abstract class FrameworkModeEndpoint extends TFrameworkModeEndpoint {
/**
* Returns the callable that contains the endpoint.
*/
abstract Callable getEnclosingCallable();
abstract Callable getCallable();
abstract Top asTop();
@@ -106,7 +105,7 @@ class ExplicitParameterEndpoint extends FrameworkModeEndpoint, TExplicitParamete
override string getParamName() { result = param.getName() }
override Callable getEnclosingCallable() { result = param.getCallable() }
override Callable getCallable() { result = param.getCallable() }
override Top asTop() { result = param }
@@ -126,7 +125,7 @@ class QualifierEndpoint extends FrameworkModeEndpoint, TQualifier {
override string getParamName() { result = "this" }
override Callable getEnclosingCallable() { result = callable }
override Callable getCallable() { result = callable }
override Top asTop() { result = callable }
@@ -144,7 +143,7 @@ class ReturnValue extends FrameworkModeEndpoint, TReturnValue {
override string getParamName() { none() }
override Callable getEnclosingCallable() { result = callable }
override Callable getCallable() { result = callable }
override Top asTop() { result = callable }
@@ -163,7 +162,7 @@ class OverridableParameter extends FrameworkModeEndpoint, TOverridableParameter
override string getParamName() { result = param.getName() }
override Callable getEnclosingCallable() { result = method }
override Callable getCallable() { result = method }
override Top asTop() { result = param }
@@ -181,7 +180,7 @@ class OverridableQualifier extends FrameworkModeEndpoint, TOverridableQualifier
override string getParamName() { result = "this" }
override Callable getEnclosingCallable() { result = m }
override Callable getCallable() { result = m }
override Top asTop() { result = m }
@@ -202,7 +201,9 @@ module FrameworkCandidatesImpl implements SharedCharacteristics::CandidateSig {
class EndpointType = AutomodelEndpointTypes::EndpointType;
class NegativeEndpointType = AutomodelEndpointTypes::NegativeSinkType;
class SinkType = AutomodelEndpointTypes::SinkType;
class SourceType = AutomodelEndpointTypes::SourceType;
class RelatedLocation = Location::Top;
@@ -244,8 +245,8 @@ module FrameworkCandidatesImpl implements SharedCharacteristics::CandidateSig {
additional predicate sinkSpec(
Endpoint e, string package, string type, string name, string signature, string ext, string input
) {
e.getEnclosingCallable().hasQualifiedName(package, type, name) and
signature = ExternalFlow::paramsString(e.getEnclosingCallable()) and
e.getCallable().hasQualifiedName(package, type, name) and
signature = ExternalFlow::paramsString(e.getCallable()) and
ext = "" and
input = e.getMaDInput()
}
@@ -254,8 +255,8 @@ module FrameworkCandidatesImpl implements SharedCharacteristics::CandidateSig {
Endpoint e, string package, string type, string name, string signature, string ext,
string output
) {
e.getEnclosingCallable().hasQualifiedName(package, type, name) and
signature = ExternalFlow::paramsString(e.getEnclosingCallable()) and
e.getCallable().hasQualifiedName(package, type, name) and
signature = ExternalFlow::paramsString(e.getCallable()) and
ext = "" and
output = e.getMaDOutput()
}
@@ -267,10 +268,10 @@ module FrameworkCandidatesImpl implements SharedCharacteristics::CandidateSig {
*/
RelatedLocation getRelatedLocation(Endpoint e, RelatedLocationType type) {
type = MethodDoc() and
result = e.getEnclosingCallable().(Documentable).getJavadoc()
result = e.getCallable().(Documentable).getJavadoc()
or
type = ClassDoc() and
result = e.getEnclosingCallable().getDeclaringType().(Documentable).getJavadoc()
result = e.getCallable().getDeclaringType().(Documentable).getJavadoc()
}
}
@@ -292,16 +293,27 @@ class FrameworkModeMetadataExtractor extends string {
predicate hasMetadata(
Endpoint e, string package, string type, string subtypes, string name, string signature,
string input, string output, string parameterName
string input, string output, string parameterName, string alreadyAiModeled,
string extensibleType
) {
(if exists(e.getParamName()) then parameterName = e.getParamName() else parameterName = "") and
name = e.getEnclosingCallable().getName() and
(if exists(e.getMaDInput()) then input = e.getMaDInput() else input = "") and
(if exists(e.getMaDOutput()) then output = e.getMaDOutput() else output = "") and
package = e.getEnclosingCallable().getDeclaringType().getPackage().getName() and
type = e.getEnclosingCallable().getDeclaringType().getErasure().(RefType).nestedName() and
subtypes = AutomodelJavaUtil::considerSubtypes(e.getEnclosingCallable()).toString() and
signature = ExternalFlow::paramsString(e.getEnclosingCallable())
exists(Callable callable | e.getCallable() = callable |
(if exists(e.getMaDInput()) then input = e.getMaDInput() else input = "") and
(if exists(e.getMaDOutput()) then output = e.getMaDOutput() else output = "") and
package = callable.getDeclaringType().getPackage().getName() and
// we're using the erased types because the MaD convention is to not specify type parameters.
// Whether something is or isn't a sink doesn't usually depend on the type parameters.
type = callable.getDeclaringType().getErasure().(RefType).nestedName() and
subtypes = AutomodelJavaUtil::considerSubtypes(callable).toString() and
name = callable.getName() and
signature = ExternalFlow::paramsString(callable) and
(if exists(e.getParamName()) then parameterName = e.getParamName() else parameterName = "") and
e.getExtensibleType() = extensibleType
) and
(
not CharacteristicsImpl::isModeled(e, _, extensibleType, _) and alreadyAiModeled = ""
or
CharacteristicsImpl::isModeled(e, _, extensibleType, alreadyAiModeled)
)
}
}
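Review bot: In the closing disjunction of `hasMetadata`, `alreadyAiModeled` takes every value for which `CharacteristicsImpl::isModeled(e, _, extensibleType, alreadyAiModeled)` holds, so an endpoint that is modeled under more than one such value yields one metadata row per value. If one row per endpoint and extensible type is expected, state that in the predicate's QLDoc or collapse the values before binding. The two new string parameters also deserve a sentence each in the doc comment, in particular that `alreadyAiModeled = ""` means "not modeled", since the candidate query filters on exactly that with `alreadyAiModeled.matches(["", "%ai-%"])`.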
@@ -310,7 +322,8 @@ class FrameworkModeMetadataExtractor extends string {
*/
/**
* A negative characteristic that indicates that an is-style boolean method is unexploitable even if it is a sink.
* A negative characteristic that indicates that parameters of an is-style boolean method should not be considered sinks,
* and its return value should not be considered a source.
*
* A sink is highly unlikely to be exploitable if its callable's name starts with `is` and the callable has a boolean return
* type (e.g. `isDirectory`). These kinds of calls normally do only checks, and appear before the proper call that does
@@ -318,45 +331,70 @@ class FrameworkModeMetadataExtractor extends string {
*
* TODO: this might filter too much, it's possible that methods with more than one parameter contain interesting sinks
*/
private class UnexploitableIsCharacteristic extends CharacteristicsImpl::NotASinkCharacteristic {
private class UnexploitableIsCharacteristic extends CharacteristicsImpl::NeitherSourceNorSinkCharacteristic
{
UnexploitableIsCharacteristic() { this = "unexploitable (is-style boolean method)" }
override predicate appliesToEndpoint(Endpoint e) {
not FrameworkCandidatesImpl::isSink(e, _, _) and
e.getEnclosingCallable().getName().matches("is%") and
e.getEnclosingCallable().getReturnType() instanceof BooleanType
}
}
/**
* A negative characteristic that indicates that an existence-checking boolean method is unexploitable even if it is a
* sink.
*
* A sink is highly unlikely to be exploitable if its callable's name is `exists` or `notExists` and the callable has a
* boolean return type. These kinds of calls normally do only checks, and appear before the proper call that does the
* dangerous/interesting thing, so we want the latter to be modeled as the sink.
*/
private class UnexploitableExistsCharacteristic extends CharacteristicsImpl::NotASinkCharacteristic {
UnexploitableExistsCharacteristic() { this = "unexploitable (existence-checking boolean method)" }
override predicate appliesToEndpoint(Endpoint e) {
not FrameworkCandidatesImpl::isSink(e, _, _) and
exists(Callable callable |
callable = e.getEnclosingCallable() and
callable.getName().toLowerCase() = ["exists", "notexists"] and
callable.getReturnType() instanceof BooleanType
e.getCallable().getName().matches("is%") and
e.getCallable().getReturnType() instanceof BooleanType and
(
e.getExtensibleType() = "sinkModel" and
not FrameworkCandidatesImpl::isSink(e, _, _)
or
e.getExtensibleType() = "sourceModel" and
not FrameworkCandidatesImpl::isSource(e, _, _) and
e.getMaDOutput() = "ReturnValue"
)
}
}
/**
* A negative characteristic that indicates that an endpoint is an argument to an exception, which is not a sink.
* A negative characteristic that indicates that parameters of an existence-checking boolean method should not be
* considered sinks, and its return value should not be considered a source.
*
* A sink is highly unlikely to be exploitable if its callable's name is `exists` or `notExists` and the callable has a
* boolean return type. These kinds of calls normally do only checks, and appear before the proper call that does the
* dangerous/interesting thing, so we want the latter to be modeled as the sink.
*/
private class ExceptionCharacteristic extends CharacteristicsImpl::NotASinkCharacteristic {
private class UnexploitableExistsCharacteristic extends CharacteristicsImpl::NeitherSourceNorSinkCharacteristic
{
UnexploitableExistsCharacteristic() { this = "unexploitable (existence-checking boolean method)" }
override predicate appliesToEndpoint(Endpoint e) {
exists(Callable callable |
callable = e.getCallable() and
callable.getName().toLowerCase() = ["exists", "notexists"] and
callable.getReturnType() instanceof BooleanType
|
e.getExtensibleType() = "sinkModel" and
not FrameworkCandidatesImpl::isSink(e, _, _)
or
e.getExtensibleType() = "sourceModel" and
not FrameworkCandidatesImpl::isSource(e, _, _) and
e.getMaDOutput() = "ReturnValue"
)
}
}
/**
* A negative characteristic that indicates that parameters of an exception method or constructor should not be considered sinks,
* and its return value should not be considered a source.
*/
private class ExceptionCharacteristic extends CharacteristicsImpl::NeitherSourceNorSinkCharacteristic
{
ExceptionCharacteristic() { this = "exception" }
override predicate appliesToEndpoint(Endpoint e) {
e.getEnclosingCallable().getDeclaringType().getASupertype*() instanceof TypeThrowable
e.getCallable().getDeclaringType().getASupertype*() instanceof TypeThrowable and
(
e.getExtensibleType() = "sinkModel" and
not FrameworkCandidatesImpl::isSink(e, _, _)
or
e.getExtensibleType() = "sourceModel" and
not FrameworkCandidatesImpl::isSource(e, _, _) and
e.getMaDOutput() = "ReturnValue"
)
}
}
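Review bot: The source/sink disjunction that closes each `appliesToEndpoint` body (`UnexploitableIsCharacteristic`, `UnexploitableExistsCharacteristic`, `ExceptionCharacteristic`) is the same block three times; move it into one private predicate taking the `Endpoint` so the three classes cannot drift apart. The source branch also requires `e.getMaDOutput() = "ReturnValue"`, so source endpoints of these callables with any other output stay candidates, which matches the framework-mode expectations that list `isIgnored` with outputs `Parameter[this]` and `Parameter[0]` as `sourceModel` candidates; please confirm that is intended and say so in the QLDoc. The second paragraph of the `UnexploitableExistsCharacteristic` doc still speaks only of sinks.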
@@ -368,6 +406,6 @@ private class NotAModelApi extends CharacteristicsImpl::UninterestingToModelChar
NotAModelApi() { this = "not a model API" }
override predicate appliesToEndpoint(Endpoint e) {
not e.getEnclosingCallable() instanceof ModelExclusions::ModelApi
not e.getCallable() instanceof ModelExclusions::ModelApi
}
}

View File

@@ -21,23 +21,18 @@ from
DollarAtString input, DollarAtString output, DollarAtString parameterName,
DollarAtString alreadyAiModeled, DollarAtString extensibleType
where
endpoint.getExtensibleType() = extensibleType and
not exists(CharacteristicsImpl::UninterestingToModelCharacteristic u |
u.appliesToEndpoint(endpoint)
) and
CharacteristicsImpl::isSinkCandidate(endpoint, _) and
// If a node is already a known sink for any of our existing ATM queries and is already modeled as a MaD sink, we
// don't include it as a candidate. Otherwise, we might include it as a candidate for query A, but the model will
// label it as a sink for one of the sink types of query B, for which it's already a known sink. This would result in
// overlap between our detected sinks and the pre-existing modeling. We assume that, if a sink has already been
// modeled in a MaD model, then it doesn't belong to any additional sink types, and we don't need to reexamine it.
(
not CharacteristicsImpl::isSink(endpoint, _, _) and alreadyAiModeled = ""
or
alreadyAiModeled.matches("%ai-%") and
CharacteristicsImpl::isSink(endpoint, _, alreadyAiModeled)
) and
meta.hasMetadata(endpoint, package, type, subtypes, name, signature, input, output, parameterName) and
CharacteristicsImpl::isCandidate(endpoint, _) and
meta.hasMetadata(endpoint, package, type, subtypes, name, signature, input, output, parameterName,
alreadyAiModeled, extensibleType) and
// If a node is already modeled in MaD, we don't include it as a candidate. Otherwise, we might include it as a
// candidate for query A, but the model will label it as a sink for one of the sink types of query B, for which it's
// already a known sink. This would result in overlap between our detected sinks and the pre-existing modeling. We
// assume that, if a sink has already been modeled in a MaD model, then it doesn't belong to any additional sink
// types, and we don't need to reexamine it.
alreadyAiModeled.matches(["", "%ai-%"]) and
includeAutomodelCandidate(package, type, name, signature)
select endpoint,
"Related locations: $@, $@." + "\nmetadata: $@, $@, $@, $@, $@, $@, $@, $@, $@, $@.", //

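Review bot: The comment above `alreadyAiModeled.matches(["", "%ai-%"])` still argues purely in terms of sinks ("label it as a sink", "already a known sink"), while the query now selects through `CharacteristicsImpl::isCandidate`, which is defined for source endpoints as well. Reword it for endpoints of either kind, and spell out what the two patterns admit: endpoints with an empty `alreadyAiModeled`, and endpoints whose value contains `ai-`.
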
View File

@@ -19,20 +19,28 @@ from
DollarAtString input, DollarAtString output, DollarAtString parameterName,
DollarAtString extensibleType
where
endpoint.getExtensibleType() = extensibleType and
characteristic.appliesToEndpoint(endpoint) and
// the node is known not to be an endpoint of any appropriate type
forall(EndpointType tp | tp = CharacteristicsImpl::getAPotentialType(endpoint) |
characteristic.hasImplications(tp, false, _)
) and
// the lowest confidence across all endpoint types should be at least highConfidence
confidence =
min(float c |
characteristic.hasImplications(CharacteristicsImpl::getAPotentialType(endpoint), false, c)
) and
confidence >= SharedCharacteristics::highConfidence() and
characteristic.hasImplications(any(NegativeSinkType negative), true, confidence) and
meta.hasMetadata(endpoint, package, type, subtypes, name, signature, input, output, parameterName) and
// It's valid for a node to satisfy the logic for both `isSink` and `isSanitizer`, but in that case it will be
// treated by the actual query as a sanitizer, since the final logic is something like
// `isSink(n) and not isSanitizer(n)`. We don't want to include such nodes as negative examples in the prompt, because
// they're ambiguous and might confuse the model, so we explicitly exclude all known sinks from the negative examples.
not exists(EndpointCharacteristic characteristic2, float confidence2, SinkType positiveType |
not positiveType instanceof NegativeSinkType and
meta.hasMetadata(endpoint, package, type, subtypes, name, signature, input, output, parameterName,
_, extensibleType) and
// It's valid for a node to be both a potential source/sanitizer and a sink. We don't want to include such nodes
// as negative examples in the prompt, because they're ambiguous and might confuse the model, so we explicitly exclude them here.
not exists(EndpointCharacteristic characteristic2, float confidence2 |
characteristic2 != characteristic
|
characteristic2.appliesToEndpoint(endpoint) and
confidence2 >= SharedCharacteristics::maximalConfidence() and
characteristic2.hasImplications(positiveType, true, confidence2)
characteristic2
.hasImplications(CharacteristicsImpl::getAPotentialType(endpoint), true, confidence2)
) and
message = characteristic
select endpoint,
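Review bot: The `forall` over `CharacteristicsImpl::getAPotentialType(endpoint)` holds vacuously for an endpoint that has no potential type; such endpoints are kept out of the results only because the `min` aggregate on the following lines has no value for them. Make that explicit with `exists(CharacteristicsImpl::getAPotentialType(endpoint))` so the filter does not depend on the aggregate. The comment before the final `not exists` talks about a node being "both a potential source/sanitizer and a sink", but the code excludes any endpoint for which another characteristic has a positive implication at `maximalConfidence()` for one of its potential types; align the wording with that.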

View File

@@ -18,9 +18,8 @@ from
DollarAtString signature, DollarAtString input, DollarAtString output,
DollarAtString parameterName, DollarAtString extensibleType
where
endpoint.getExtensibleType() = extensibleType and
meta.hasMetadata(endpoint, package, type, subtypes, name, signature, input, output, parameterName) and
// Extract positive examples of sinks belonging to the existing ATM query configurations.
meta.hasMetadata(endpoint, package, type, subtypes, name, signature, input, output, parameterName,
_, extensibleType) and
CharacteristicsImpl::isKnownAs(endpoint, endpointType, _)
select endpoint,
endpointType + "\nrelated locations: $@, $@." + "\nmetadata: $@, $@, $@, $@, $@, $@, $@, $@, $@.", //

View File

@@ -16,7 +16,12 @@ signature module CandidateSig {
* An endpoint is a potential candidate for modeling. This will typically be bound to the language's
* DataFlow node class, or a subtype thereof.
*/
class Endpoint;
class Endpoint {
/**
* Gets the kind of this endpoint, either "sourceModel" or "sinkModel".
*/
string getExtensibleType();
}
/**
* A related location for an endpoint. This will typically be bound to the supertype of all AST nodes (eg., `Top`).
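Review bot: `getExtensibleType()` returns a bare `string`, and the only statement of its legal values is the doc comment ("sourceModel" or "sinkModel"). `getAPotentialType` and the framework-mode characteristics then compare against those string literals, so a misspelled literal in an implementation or a characteristic silently produces an empty result instead of a compile error. Consider a small class for the two kinds, or at least shared constants that all comparisons go through.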
@@ -31,14 +36,19 @@ signature module CandidateSig {
class RelatedLocationType;
/**
* A class kind for an endpoint.
* An endpoint type considered by this specification.
*/
class EndpointType extends string;
/**
* An EndpointType that denotes the absence of any sink.
* A sink endpoint type considered by this specification.
*/
class NegativeEndpointType extends EndpointType;
class SinkType extends EndpointType;
/**
* A source endpoint type considered by this specification.
*/
class SourceType extends EndpointType;
/**
* Gets the endpoint as a location.
@@ -103,7 +113,7 @@ module SharedCharacteristics<CandidateSig Candidate> {
}
/**
* Holds if `endpoint` is modeled as `endpointType` (endpoint type must not be negative).
* Holds if `endpoint` is modeled as `endpointType`.
*/
predicate isKnownAs(
Candidate::Endpoint endpoint, Candidate::EndpointType endpointType,
@@ -111,19 +121,31 @@ module SharedCharacteristics<CandidateSig Candidate> {
) {
// If the list of characteristics includes positive indicators with maximal confidence for this class, then it's a
// known sink for the class.
not endpointType instanceof Candidate::NegativeEndpointType and
characteristic.appliesToEndpoint(endpoint) and
characteristic.hasImplications(endpointType, true, maximalConfidence())
}
/**
* Holds if the candidate sink `candidateSink` should be considered as a possible sink of type `sinkType`, and
* classified by the ML model. A candidate sink is a node that cannot be excluded from `sinkType` based on its
* characteristics.
* Gets a potential type of this endpoint to make sure that sources are
* associated with source types and sinks with sink types.
*/
predicate isSinkCandidate(Candidate::Endpoint candidateSink, Candidate::EndpointType sinkType) {
not sinkType instanceof Candidate::NegativeEndpointType and
not exists(getAReasonSinkExcluded(candidateSink, sinkType))
Candidate::EndpointType getAPotentialType(Candidate::Endpoint endpoint) {
endpoint.getExtensibleType() = "sourceModel" and
result instanceof Candidate::SourceType
or
endpoint.getExtensibleType() = "sinkModel" and
result instanceof Candidate::SinkType
}
/**
* Holds if the given `endpoint` should be considered as a candidate for type `endpointType`,
* and classified by the ML model.
*
* A candidate is an endpoint that cannot be excluded from `endpointType` based on its characteristics.
*/
predicate isCandidate(Candidate::Endpoint endpoint, Candidate::EndpointType endpointType) {
endpointType = getAPotentialType(endpoint) and
not exists(getAnExcludingCharacteristic(endpoint, endpointType))
}
/**
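Review bot: `isKnownAs` does not tie `endpointType` to the endpoint's kind: `isCandidate` requires `endpointType = getAPotentialType(endpoint)`, but `isKnownAs` accepts any type for which a characteristic has a positive implication at `maximalConfidence()`. If a sink endpoint must never be reported as known for a source type (and vice versa), add the same `getAPotentialType` constraint here. The inline comment in `isKnownAs` still says "known sink for the class" and should follow the doc comment above it, which now reads "modeled as `endpointType`".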
@@ -139,27 +161,16 @@ module SharedCharacteristics<CandidateSig Candidate> {
}
/**
* Gets the list of characteristics that cause `candidateSink` to be excluded as an effective sink for a given sink
* type.
* Gets a characteristics that disbar `endpoint` from being a candidate for `endpointType`
* with at least medium confidence.
*/
EndpointCharacteristic getAReasonSinkExcluded(
Candidate::Endpoint candidateSink, Candidate::EndpointType sinkType
EndpointCharacteristic getAnExcludingCharacteristic(
Candidate::Endpoint endpoint, Candidate::EndpointType endpointType
) {
// An endpoint is a sink candidate if none of its characteristics give much indication whether or not it is a sink.
not sinkType instanceof Candidate::NegativeEndpointType and
result.appliesToEndpoint(candidateSink) and
(
// Exclude endpoints that have a characteristic that implies they're not sinks for _any_ sink type.
exists(float confidence |
confidence >= mediumConfidence() and
result.hasImplications(any(Candidate::NegativeEndpointType t), true, confidence)
)
or
// Exclude endpoints that have a characteristic that implies they're not sinks for _this particular_ sink type.
exists(float confidence |
confidence >= mediumConfidence() and
result.hasImplications(sinkType, false, confidence)
)
result.appliesToEndpoint(endpoint) and
exists(float confidence |
confidence >= mediumConfidence() and
result.hasImplications(endpointType, false, confidence)
)
}
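Review bot: The QLDoc on `getAnExcludingCharacteristic` reads "Gets a characteristics that disbar"; make it "Gets a characteristic that disbars `endpoint` from being a candidate for `endpointType`". Since `isCandidate` depends entirely on this predicate, one sentence on why the cut-off is `mediumConfidence()` rather than `highConfidence()` would also help readers of the candidate query.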
@@ -250,12 +261,46 @@ module SharedCharacteristics<CandidateSig Candidate> {
override predicate hasImplications(
Candidate::EndpointType endpointType, boolean isPositiveIndicator, float confidence
) {
endpointType instanceof Candidate::NegativeEndpointType and
isPositiveIndicator = true and
endpointType instanceof Candidate::SinkType and
isPositiveIndicator = false and
confidence = highConfidence()
}
}
/**
* A high-confidence characteristic that indicates that an endpoint is not a source of any type. These endpoints can be
* used as negative samples for training or for a few-shot prompt.
*/
abstract class NotASourceCharacteristic extends EndpointCharacteristic {
bindingset[this]
NotASourceCharacteristic() { any() }
override predicate hasImplications(
Candidate::EndpointType endpointType, boolean isPositiveIndicator, float confidence
) {
endpointType instanceof Candidate::SourceType and
isPositiveIndicator = false and
confidence = highConfidence()
}
}
/**
* A high-confidence characteristic that indicates that an endpoint is neither a source nor a sink of any type.
*/
abstract class NeitherSourceNorSinkCharacteristic extends NotASinkCharacteristic,
NotASourceCharacteristic
{
bindingset[this]
NeitherSourceNorSinkCharacteristic() { any() }
final override predicate hasImplications(
Candidate::EndpointType endpointType, boolean isPositiveIndicator, float confidence
) {
NotASinkCharacteristic.super.hasImplications(endpointType, isPositiveIndicator, confidence) or
NotASourceCharacteristic.super.hasImplications(endpointType, isPositiveIndicator, confidence)
}
}
/**
* A medium-confidence characteristic that indicates that an endpoint is unlikely to be a sink of any type. These
* endpoints can be excluded from scoring at inference time, both to save time and to avoid false positives. They should
@@ -269,8 +314,8 @@ module SharedCharacteristics<CandidateSig Candidate> {
override predicate hasImplications(
Candidate::EndpointType endpointType, boolean isPositiveIndicator, float confidence
) {
endpointType instanceof Candidate::NegativeEndpointType and
isPositiveIndicator = true and
endpointType instanceof Candidate::SinkType and
isPositiveIndicator = false and
confidence = mediumConfidence()
}
}
@@ -290,8 +335,8 @@ module SharedCharacteristics<CandidateSig Candidate> {
override predicate hasImplications(
Candidate::EndpointType endpointType, boolean isPositiveIndicator, float confidence
) {
endpointType instanceof Candidate::NegativeEndpointType and
isPositiveIndicator = true and
endpointType instanceof Candidate::SinkType and
isPositiveIndicator = false and
confidence = mediumConfidence()
}
}
@@ -344,17 +389,16 @@ module SharedCharacteristics<CandidateSig Candidate> {
/**
* A negative characteristic that indicates that an endpoint was manually modeled as a neutral model.
*/
private class NeutralModelCharacteristic extends NotASinkCharacteristic {
private class NeutralModelCharacteristic extends NeitherSourceNorSinkCharacteristic {
NeutralModelCharacteristic() { this = "known non-sink" }
override predicate appliesToEndpoint(Candidate::Endpoint e) { Candidate::isNeutral(e) }
}
/**
* A negative characteristic that indicates that an endpoint is not part of the source code for the project being
* analyzed.
* A negative characteristic that indicates that an endpoint is a sanitizer, and thus not a source.
*/
private class IsSanitizerCharacteristic extends NotASinkCharacteristic {
private class IsSanitizerCharacteristic extends NotASourceCharacteristic {
IsSanitizerCharacteristic() { this = "known sanitizer" }
override predicate appliesToEndpoint(Candidate::Endpoint e) { Candidate::isSanitizer(e, _) }
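Review bot: With `IsSanitizerCharacteristic` extending `NotASourceCharacteristic` rather than `NotASinkCharacteristic`, a known sanitizer carries no negative implication for any `SinkType`, so it is neither excluded from sink candidates nor offered as a negative sink example. If only the source side was meant to be added, extend `NeitherSourceNorSinkCharacteristic`; if the switch is deliberate, say why in the QLDoc. Separately, `NeutralModelCharacteristic` now covers sources as well but keeps the name "known non-sink", which is the string the negative-example query emits through `message = characteristic`.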

View File

@@ -1,21 +0,0 @@
/**
* An automodel extraction mode instantiates this interface to define how to access
* the callable that's associated with an endpoint.
*/
signature module GetCallableSig {
/**
* A callable is the definition of a method, function, etc. - something that can be called.
*/
class Callable;
/**
* An endpoint is a potential candidate for modeling. This will typically be bound to the language's
* DataFlow node class, or a subtype thereof.
*/
class Endpoint;
/**
* Gets the callable that's associated with the given endpoint.
*/
Callable getCallable(Endpoint endpoint);
}

View File

@@ -11,3 +11,5 @@
| Test.java:56:4:56:4 | o | Related locations: $@, $@, $@.\nmetadata: $@, $@, $@, $@, $@, $@, $@, $@, $@, $@. | Test.java:54:3:59:3 | walk(...) | CallContext | Test.java:54:3:59:3 | walk(...) | MethodDoc | Test.java:54:3:59:3 | walk(...) | ClassDoc | file://java.nio.file:1:1:1:1 | java.nio.file | package | file://Files:1:1:1:1 | Files | type | file://false:1:1:1:1 | false | subtypes | file://walk:1:1:1:1 | walk | name | file://(Path,FileVisitOption[]):1:1:1:1 | (Path,FileVisitOption[]) | signature | file://Argument[1]:1:1:1:1 | Argument[1] | input | file://:1:1:1:1 | | output | file://true:1:1:1:1 | true | isVarargsArray | file://:1:1:1:1 | | alreadyAiModeled | file://sinkModel:1:1:1:1 | sinkModel | extensibleType |
| Test.java:63:3:63:3 | c | Related locations: $@, $@, $@.\nmetadata: $@, $@, $@, $@, $@, $@, $@, $@, $@, $@. | Test.java:63:3:63:20 | getInputStream(...) | CallContext | Test.java:63:3:63:3 | c | MethodDoc | Test.java:63:3:63:3 | c | ClassDoc | file://java.net:1:1:1:1 | java.net | package | file://URLConnection:1:1:1:1 | URLConnection | type | file://true:1:1:1:1 | true | subtypes | file://getInputStream:1:1:1:1 | getInputStream | name | file://():1:1:1:1 | () | signature | file://Argument[this]:1:1:1:1 | Argument[this] | input | file://:1:1:1:1 | | output | file://false:1:1:1:1 | false | isVarargsArray | file://:1:1:1:1 | | alreadyAiModeled | file://sinkModel:1:1:1:1 | sinkModel | extensibleType |
| Test.java:68:30:68:47 | writer | Related locations: $@, $@, $@.\nmetadata: $@, $@, $@, $@, $@, $@, $@, $@, $@, $@. | Test.java:68:30:68:47 | writer | CallContext | Test.java:68:30:68:47 | writer | MethodDoc | Test.java:68:30:68:47 | writer | ClassDoc | file://java.lang:1:1:1:1 | java.lang | package | file://Throwable:1:1:1:1 | Throwable | type | file://true:1:1:1:1 | true | subtypes | file://printStackTrace:1:1:1:1 | printStackTrace | name | file://(PrintWriter):1:1:1:1 | (PrintWriter) | signature | file://:1:1:1:1 | | input | file://Parameter[0]:1:1:1:1 | Parameter[0] | output | file://false:1:1:1:1 | false | isVarargsArray | file://:1:1:1:1 | | alreadyAiModeled | file://sourceModel:1:1:1:1 | sourceModel | extensibleType |
| Test.java:86:3:88:3 | list(...) | Related locations: $@, $@, $@.\nmetadata: $@, $@, $@, $@, $@, $@, $@, $@, $@, $@. | Test.java:86:3:88:3 | list(...) | CallContext | Test.java:86:3:88:3 | list(...) | MethodDoc | Test.java:86:3:88:3 | list(...) | ClassDoc | file://java.nio.file:1:1:1:1 | java.nio.file | package | file://Files:1:1:1:1 | Files | type | file://false:1:1:1:1 | false | subtypes | file://list:1:1:1:1 | list | name | file://(Path):1:1:1:1 | (Path) | signature | file://:1:1:1:1 | | input | file://ReturnValue:1:1:1:1 | ReturnValue | output | file://false:1:1:1:1 | false | isVarargsArray | file://:1:1:1:1 | | alreadyAiModeled | file://sourceModel:1:1:1:1 | sourceModel | extensibleType |
| Test.java:87:4:87:29 | createDirectories(...) | Related locations: $@, $@, $@.\nmetadata: $@, $@, $@, $@, $@, $@, $@, $@, $@, $@. | Test.java:87:4:87:29 | createDirectories(...) | CallContext | Test.java:87:4:87:29 | createDirectories(...) | MethodDoc | Test.java:87:4:87:29 | createDirectories(...) | ClassDoc | file://java.nio.file:1:1:1:1 | java.nio.file | package | file://Files:1:1:1:1 | Files | type | file://false:1:1:1:1 | false | subtypes | file://createDirectories:1:1:1:1 | createDirectories | name | file://(Path,FileAttribute[]):1:1:1:1 | (Path,FileAttribute[]) | signature | file://:1:1:1:1 | | input | file://ReturnValue:1:1:1:1 | ReturnValue | output | file://false:1:1:1:1 | false | isVarargsArray | file://:1:1:1:1 | | alreadyAiModeled | file://sourceModel:1:1:1:1 | sourceModel | extensibleType |

View File

@@ -2,3 +2,4 @@
| Test.java:30:4:30:9 | target | path-injection\nrelated locations: $@, $@, $@.\nmetadata: $@, $@, $@, $@, $@, $@, $@, $@, $@. | Test.java:28:3:32:3 | copy(...) | CallContext | Test.java:30:4:30:9 | target | MethodDoc | Test.java:30:4:30:9 | target | ClassDoc | file://java.nio.file:1:1:1:1 | java.nio.file | package | file://Files:1:1:1:1 | Files | type | file://false:1:1:1:1 | false | subtypes | file://copy:1:1:1:1 | copy | name | file://(Path,Path,CopyOption[]):1:1:1:1 | (Path,Path,CopyOption[]) | signature | file://Argument[1]:1:1:1:1 | Argument[1] | input | file://:1:1:1:1 | | output | file://false:1:1:1:1 | false | isVarargsArray | file://sinkModel:1:1:1:1 | sinkModel | extensibleType |
| Test.java:37:4:37:11 | openPath | path-injection\nrelated locations: $@, $@, $@.\nmetadata: $@, $@, $@, $@, $@, $@, $@, $@, $@. | Test.java:36:10:38:3 | newInputStream(...) | CallContext | Test.java:37:4:37:11 | openPath | MethodDoc | Test.java:37:4:37:11 | openPath | ClassDoc | file://java.nio.file:1:1:1:1 | java.nio.file | package | file://Files:1:1:1:1 | Files | type | file://false:1:1:1:1 | false | subtypes | file://newInputStream:1:1:1:1 | newInputStream | name | file://(Path,OpenOption[]):1:1:1:1 | (Path,OpenOption[]) | signature | file://Argument[0]:1:1:1:1 | Argument[0] | input | file://:1:1:1:1 | | output | file://false:1:1:1:1 | false | isVarargsArray | file://sinkModel:1:1:1:1 | sinkModel | extensibleType |
| Test.java:63:3:63:20 | getInputStream(...) | remote\nrelated locations: $@, $@, $@.\nmetadata: $@, $@, $@, $@, $@, $@, $@, $@, $@. | Test.java:63:3:63:20 | getInputStream(...) | CallContext | Test.java:63:3:63:20 | getInputStream(...) | MethodDoc | Test.java:63:3:63:20 | getInputStream(...) | ClassDoc | file://java.net:1:1:1:1 | java.net | package | file://URLConnection:1:1:1:1 | URLConnection | type | file://true:1:1:1:1 | true | subtypes | file://getInputStream:1:1:1:1 | getInputStream | name | file://():1:1:1:1 | () | signature | file://:1:1:1:1 | | input | file://ReturnValue:1:1:1:1 | ReturnValue | output | file://false:1:1:1:1 | false | isVarargsArray | file://sourceModel:1:1:1:1 | sourceModel | extensibleType |
| Test.java:87:28:87:28 | p | path-injection\nrelated locations: $@, $@, $@.\nmetadata: $@, $@, $@, $@, $@, $@, $@, $@, $@. | Test.java:87:4:87:29 | createDirectories(...) | CallContext | Test.java:87:28:87:28 | p | MethodDoc | Test.java:87:28:87:28 | p | ClassDoc | file://java.nio.file:1:1:1:1 | java.nio.file | package | file://Files:1:1:1:1 | Files | type | file://false:1:1:1:1 | false | subtypes | file://createDirectories:1:1:1:1 | createDirectories | name | file://(Path,FileAttribute[]):1:1:1:1 | (Path,FileAttribute[]) | signature | file://Argument[0]:1:1:1:1 | Argument[0] | input | file://:1:1:1:1 | | output | file://false:1:1:1:1 | false | isVarargsArray | file://sinkModel:1:1:1:1 | sinkModel | extensibleType |

View File

@@ -52,7 +52,7 @@ class Test {
public static void FilesWalkExample(Path p, FileVisitOption o) throws Exception {
Files.walk( // the call is a source candidate
p, // negative example (modeled as a taint step)
p, // negative sink example (modeled as a taint step)
o, // the implicit varargs array is a candidate
o // not a candidate (only the first arg corresponding to a varargs array
// is extracted)
@@ -80,3 +80,11 @@ class TaskUtils {
return ft;
}
}
class MoreTests {
public static void FilesListExample(Path p) throws Exception {
Files.list( // the call is a source candidate
Files.createDirectories(p) // the call is a source candidate, but not a sink candidate (modeled as a taint step)
);
}
}
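Review bot: In `FilesListExample`, the argument `p` of `Files.createDirectories(p)` carries no annotation, although the updated positive-example expectations list it as a `path-injection` sink (`Test.java:87:28:87:28 | p`). Add a comment on `p` in the same style as the other cases in this file, and consider a class name that says what is covered rather than `MoreTests`.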

View File

@@ -9,6 +9,8 @@
| com/github/codeql/test/PublicClass.java:13:33:13:42 | arg | Related locations: $@, $@.\nmetadata: $@, $@, $@, $@, $@, $@, $@, $@, $@, $@. | com/github/codeql/test/PublicClass.java:13:33:13:42 | arg | MethodDoc | com/github/codeql/test/PublicClass.java:13:33:13:42 | arg | ClassDoc | file://com.github.codeql.test:1:1:1:1 | com.github.codeql.test | package | file://PublicClass:1:1:1:1 | PublicClass | type | file://true:1:1:1:1 | true | subtypes | file://nonPublicStuff:1:1:1:1 | nonPublicStuff | name | file://(String):1:1:1:1 | (String) | signature | file://Argument[0]:1:1:1:1 | Argument[0] | input | file://:1:1:1:1 | | output | file://arg:1:1:1:1 | arg | parameterName | file://:1:1:1:1 | | alreadyAiModeled | file://sinkModel:1:1:1:1 | sinkModel | extensibleType |
| com/github/codeql/test/PublicClass.java:22:10:22:20 | PublicClass | Related locations: $@, $@.\nmetadata: $@, $@, $@, $@, $@, $@, $@, $@, $@, $@. | com/github/codeql/test/PublicClass.java:22:10:22:20 | PublicClass | MethodDoc | com/github/codeql/test/PublicClass.java:22:10:22:20 | PublicClass | ClassDoc | file://com.github.codeql.test:1:1:1:1 | com.github.codeql.test | package | file://PublicClass:1:1:1:1 | PublicClass | type | file://true:1:1:1:1 | true | subtypes | file://PublicClass:1:1:1:1 | PublicClass | name | file://(Object):1:1:1:1 | (Object) | signature | file://:1:1:1:1 | | input | file://ReturnValue:1:1:1:1 | ReturnValue | output | file://:1:1:1:1 | | parameterName | file://:1:1:1:1 | | alreadyAiModeled | file://sourceModel:1:1:1:1 | sourceModel | extensibleType |
| com/github/codeql/test/PublicClass.java:22:22:22:33 | input | Related locations: $@, $@.\nmetadata: $@, $@, $@, $@, $@, $@, $@, $@, $@, $@. | com/github/codeql/test/PublicClass.java:22:22:22:33 | input | MethodDoc | com/github/codeql/test/PublicClass.java:22:22:22:33 | input | ClassDoc | file://com.github.codeql.test:1:1:1:1 | com.github.codeql.test | package | file://PublicClass:1:1:1:1 | PublicClass | type | file://true:1:1:1:1 | true | subtypes | file://PublicClass:1:1:1:1 | PublicClass | name | file://(Object):1:1:1:1 | (Object) | signature | file://Argument[0]:1:1:1:1 | Argument[0] | input | file://:1:1:1:1 | | output | file://input:1:1:1:1 | input | parameterName | file://:1:1:1:1 | | alreadyAiModeled | file://sinkModel:1:1:1:1 | sinkModel | extensibleType |
| com/github/codeql/test/PublicClass.java:26:18:26:26 | isIgnored | Related locations: $@, $@.\nmetadata: $@, $@, $@, $@, $@, $@, $@, $@, $@, $@. | com/github/codeql/test/PublicClass.java:26:18:26:26 | isIgnored | MethodDoc | com/github/codeql/test/PublicClass.java:26:18:26:26 | isIgnored | ClassDoc | file://com.github.codeql.test:1:1:1:1 | com.github.codeql.test | package | file://PublicClass:1:1:1:1 | PublicClass | type | file://true:1:1:1:1 | true | subtypes | file://isIgnored:1:1:1:1 | isIgnored | name | file://(Object):1:1:1:1 | (Object) | signature | file://:1:1:1:1 | | input | file://Parameter[this]:1:1:1:1 | Parameter[this] | output | file://this:1:1:1:1 | this | parameterName | file://:1:1:1:1 | | alreadyAiModeled | file://sourceModel:1:1:1:1 | sourceModel | extensibleType |
| com/github/codeql/test/PublicClass.java:26:28:26:39 | input | Related locations: $@, $@.\nmetadata: $@, $@, $@, $@, $@, $@, $@, $@, $@, $@. | com/github/codeql/test/PublicClass.java:26:28:26:39 | input | MethodDoc | com/github/codeql/test/PublicClass.java:26:28:26:39 | input | ClassDoc | file://com.github.codeql.test:1:1:1:1 | com.github.codeql.test | package | file://PublicClass:1:1:1:1 | PublicClass | type | file://true:1:1:1:1 | true | subtypes | file://isIgnored:1:1:1:1 | isIgnored | name | file://(Object):1:1:1:1 | (Object) | signature | file://:1:1:1:1 | | input | file://Parameter[0]:1:1:1:1 | Parameter[0] | output | file://input:1:1:1:1 | input | parameterName | file://:1:1:1:1 | | alreadyAiModeled | file://sourceModel:1:1:1:1 | sourceModel | extensibleType |
| com/github/codeql/test/PublicInterface.java:4:16:4:20 | stuff | Related locations: $@, $@.\nmetadata: $@, $@, $@, $@, $@, $@, $@, $@, $@, $@. | com/github/codeql/test/PublicInterface.java:4:16:4:20 | stuff | MethodDoc | com/github/codeql/test/PublicInterface.java:4:16:4:20 | stuff | ClassDoc | file://com.github.codeql.test:1:1:1:1 | com.github.codeql.test | package | file://PublicInterface:1:1:1:1 | PublicInterface | type | file://true:1:1:1:1 | true | subtypes | file://stuff:1:1:1:1 | stuff | name | file://(String):1:1:1:1 | (String) | signature | file://:1:1:1:1 | | input | file://Parameter[this]:1:1:1:1 | Parameter[this] | output | file://this:1:1:1:1 | this | parameterName | file://:1:1:1:1 | | alreadyAiModeled | file://sourceModel:1:1:1:1 | sourceModel | extensibleType |
| com/github/codeql/test/PublicInterface.java:4:16:4:20 | stuff | Related locations: $@, $@.\nmetadata: $@, $@, $@, $@, $@, $@, $@, $@, $@, $@. | com/github/codeql/test/PublicInterface.java:4:16:4:20 | stuff | MethodDoc | com/github/codeql/test/PublicInterface.java:4:16:4:20 | stuff | ClassDoc | file://com.github.codeql.test:1:1:1:1 | com.github.codeql.test | package | file://PublicInterface:1:1:1:1 | PublicInterface | type | file://true:1:1:1:1 | true | subtypes | file://stuff:1:1:1:1 | stuff | name | file://(String):1:1:1:1 | (String) | signature | file://Argument[this]:1:1:1:1 | Argument[this] | input | file://:1:1:1:1 | | output | file://this:1:1:1:1 | this | parameterName | file://:1:1:1:1 | | alreadyAiModeled | file://sinkModel:1:1:1:1 | sinkModel | extensibleType |
| com/github/codeql/test/PublicInterface.java:4:22:4:31 | arg | Related locations: $@, $@.\nmetadata: $@, $@, $@, $@, $@, $@, $@, $@, $@, $@. | com/github/codeql/test/PublicInterface.java:4:22:4:31 | arg | MethodDoc | com/github/codeql/test/PublicInterface.java:4:22:4:31 | arg | ClassDoc | file://com.github.codeql.test:1:1:1:1 | com.github.codeql.test | package | file://PublicInterface:1:1:1:1 | PublicInterface | type | file://true:1:1:1:1 | true | subtypes | file://stuff:1:1:1:1 | stuff | name | file://(String):1:1:1:1 | (String) | signature | file://:1:1:1:1 | | input | file://Parameter[0]:1:1:1:1 | Parameter[0] | output | file://arg:1:1:1:1 | arg | parameterName | file://:1:1:1:1 | | alreadyAiModeled | file://sourceModel:1:1:1:1 | sourceModel | extensibleType |

View File

@@ -1,3 +1,6 @@
| com/github/codeql/test/PublicClass.java:26:18:26:26 | isIgnored | unexploitable (is-style boolean method)\nrelated locations: $@, $@.\nmetadata: $@, $@, $@, $@, $@, $@, $@, $@, $@. | com/github/codeql/test/PublicClass.java:26:18:26:26 | isIgnored | MethodDoc | com/github/codeql/test/PublicClass.java:26:18:26:26 | isIgnored | ClassDoc | file://com.github.codeql.test:1:1:1:1 | com.github.codeql.test | package | file://PublicClass:1:1:1:1 | PublicClass | type | file://true:1:1:1:1 | true | subtypes | file://isIgnored:1:1:1:1 | isIgnored | name | file://(Object):1:1:1:1 | (Object) | signature | file://:1:1:1:1 | | input | file://ReturnValue:1:1:1:1 | ReturnValue | output | file://:1:1:1:1 | | parameterName | file://sourceModel:1:1:1:1 | sourceModel | extensibleType |
| com/github/codeql/test/PublicClass.java:26:18:26:26 | isIgnored | unexploitable (is-style boolean method)\nrelated locations: $@, $@.\nmetadata: $@, $@, $@, $@, $@, $@, $@, $@, $@. | com/github/codeql/test/PublicClass.java:26:18:26:26 | isIgnored | MethodDoc | com/github/codeql/test/PublicClass.java:26:18:26:26 | isIgnored | ClassDoc | file://com.github.codeql.test:1:1:1:1 | com.github.codeql.test | package | file://PublicClass:1:1:1:1 | PublicClass | type | file://true:1:1:1:1 | true | subtypes | file://isIgnored:1:1:1:1 | isIgnored | name | file://(Object):1:1:1:1 | (Object) | signature | file://Argument[this]:1:1:1:1 | Argument[this] | input | file://:1:1:1:1 | | output | file://this:1:1:1:1 | this | parameterName | file://sinkModel:1:1:1:1 | sinkModel | extensibleType |
| com/github/codeql/test/PublicClass.java:26:28:26:39 | input | unexploitable (is-style boolean method)\nrelated locations: $@, $@.\nmetadata: $@, $@, $@, $@, $@, $@, $@, $@, $@. | com/github/codeql/test/PublicClass.java:26:28:26:39 | input | MethodDoc | com/github/codeql/test/PublicClass.java:26:28:26:39 | input | ClassDoc | file://com.github.codeql.test:1:1:1:1 | com.github.codeql.test | package | file://PublicClass:1:1:1:1 | PublicClass | type | file://true:1:1:1:1 | true | subtypes | file://isIgnored:1:1:1:1 | isIgnored | name | file://(Object):1:1:1:1 | (Object) | signature | file://Argument[0]:1:1:1:1 | Argument[0] | input | file://:1:1:1:1 | | output | file://input:1:1:1:1 | input | parameterName | file://sinkModel:1:1:1:1 | sinkModel | extensibleType |
| java/io/File.java:4:16:4:24 | compareTo | known non-sink\nrelated locations: $@, $@.\nmetadata: $@, $@, $@, $@, $@, $@, $@, $@, $@. | java/io/File.java:4:16:4:24 | compareTo | MethodDoc | java/io/File.java:4:16:4:24 | compareTo | ClassDoc | file://java.io:1:1:1:1 | java.io | package | file://File:1:1:1:1 | File | type | file://true:1:1:1:1 | true | subtypes | file://compareTo:1:1:1:1 | compareTo | name | file://(File):1:1:1:1 | (File) | signature | file://:1:1:1:1 | | input | file://Parameter[this]:1:1:1:1 | Parameter[this] | output | file://this:1:1:1:1 | this | parameterName | file://sourceModel:1:1:1:1 | sourceModel | extensibleType |
| java/io/File.java:4:16:4:24 | compareTo | known non-sink\nrelated locations: $@, $@.\nmetadata: $@, $@, $@, $@, $@, $@, $@, $@, $@. | java/io/File.java:4:16:4:24 | compareTo | MethodDoc | java/io/File.java:4:16:4:24 | compareTo | ClassDoc | file://java.io:1:1:1:1 | java.io | package | file://File:1:1:1:1 | File | type | file://true:1:1:1:1 | true | subtypes | file://compareTo:1:1:1:1 | compareTo | name | file://(File):1:1:1:1 | (File) | signature | file://Argument[this]:1:1:1:1 | Argument[this] | input | file://:1:1:1:1 | | output | file://this:1:1:1:1 | this | parameterName | file://sinkModel:1:1:1:1 | sinkModel | extensibleType |
| java/io/File.java:5:9:5:21 | pathname | known non-sink\nrelated locations: $@, $@.\nmetadata: $@, $@, $@, $@, $@, $@, $@, $@, $@. | java/io/File.java:5:9:5:21 | pathname | MethodDoc | java/io/File.java:5:9:5:21 | pathname | ClassDoc | file://java.io:1:1:1:1 | java.io | package | file://File:1:1:1:1 | File | type | file://true:1:1:1:1 | true | subtypes | file://compareTo:1:1:1:1 | compareTo | name | file://(File):1:1:1:1 | (File) | signature | file://:1:1:1:1 | | input | file://Parameter[0]:1:1:1:1 | Parameter[0] | output | file://pathname:1:1:1:1 | pathname | parameterName | file://sourceModel:1:1:1:1 | sourceModel | extensibleType |
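Review bot: the reason `known non-sink` is reported on rows whose extensibleType is `sourceModel` (the `compareTo` rows with `Parameter[this]` and `Parameter[0]` as output), so a sink-specific reason appears to be excluding source candidates. If that exclusion is intended, the reason text should be neutral about the model kind or have a source-specific variant. If it is not intended, the characteristic should apply only to `sinkModel` rows. The same question applies to the `isIgnored` `ReturnValue` row, where `unexploitable (is-style boolean method)` is reported for a `sourceModel` entry.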

View File

@@ -5,7 +5,7 @@ public class PublicClass {
System.out.println(arg);
}
public static void staticStuff(String arg) { // `arg` is a candidate, `this` is not a candidate (static method), `arg` is not a source candidate (static methods can not be overloaded)
public static void staticStuff(String arg) { // `arg` is a sink candidate, but not a source candidate (not overrideabe); `this` is not a candidate (static method)
System.out.println(arg);
}
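Review bot: typo in the new comment on `staticStuff`: "overrideabe" should be "overridable". The switch from "overloaded" to "overridable" is the right correction, since static methods can be overloaded but not overridden. Only the spelling needs fixing.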
@@ -22,4 +22,8 @@ public class PublicClass {
public PublicClass(Object input) {
// the `this` qualifier is not a candidate
}
public Boolean isIgnored(Object input) { // `input` is a source candidate, but not a sink candidate (is-style method); `this` is not a candidate
return false;
}
}
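Review bot: the comment on `isIgnored` says "`this` is not a candidate", but the expected rows for `PublicClass.java:26:18:26:26` shown earlier list `Parameter[this]` with extensibleType `sourceModel`, while `Argument[this]` appears only among the `unexploitable (is-style boolean method)` negatives. Please state in the comment which model kind `this` is excluded for, so that the test source and the `.expected` output agree. It would also help to add a variant returning primitive `boolean`, since the only is-style case here returns boxed `Boolean`.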

View File

@@ -1,3 +1,38 @@
## 0.8.6
### Deprecated APIs
* Imports of the old dataflow libraries (e.g. `semmle.code.java.dataflow.DataFlow2`) have been deprecated in the libraries under the `semmle.code.java.security` namespace.
### Minor Analysis Improvements
* Added the `Map#replace` and `Map#replaceAll` methods to the `MapMutator` class in `semmle.code.java.Maps`.
* Taint tracking now understands Kotlin's `Array.get` and `Array.set` methods.
* Added a sink model for the `createRelative` method of the `org.springframework.core.io.Resource` interface.
* Added source models for methods of the `org.springframework.web.util.UrlPathHelper` class and removed their taint flow models.
* Added models for the following packages:
* com.google.common.io
* hudson
* hudson.console
* java.lang
* java.net
* java.util.logging
* javax.imageio.stream
* org.apache.commons.io
* org.apache.hadoop.hive.ql.exec
* org.apache.hadoop.hive.ql.metadata
* org.apache.tools.ant.taskdefs
* Added models for the following packages:
* com.alibaba.druid.sql.repository
* jakarta.persistence
* jakarta.persistence.criteria
* liquibase.database.jvm
* liquibase.statement.core
* org.apache.ibatis.mapping
* org.keycloak.models.map.storage
## 0.8.5
No user-facing changes.
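Review bot: under "Minor Analysis Improvements" the bullet "Added models for the following packages:" appears twice in a row, once for each source change note. Merging the two package lists under a single bullet would make the 0.8.6 entry easier to read. If the changelog is generated from the change notes, the duplication could instead be avoided at that stage.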

View File

@@ -1,12 +0,0 @@
---
category: minorAnalysis
---
* Added models for the following packages:
* com.alibaba.druid.sql.repository
* jakarta.persistence
* jakarta.persistence.criteria
* liquibase.database.jvm
* liquibase.statement.core
* org.apache.ibatis.mapping
* org.keycloak.models.map.storage

View File

@@ -1,16 +0,0 @@
---
category: minorAnalysis
---
* Added models for the following packages:
* com.google.common.io
* hudson
* hudson.console
* java.lang
* java.net
* java.util.logging
* javax.imageio.stream
* org.apache.commons.io
* org.apache.hadoop.hive.ql.exec
* org.apache.hadoop.hive.ql.metadata
* org.apache.tools.ant.taskdefs

View File

@@ -1,5 +0,0 @@
---
category: minorAnalysis
---
* Added a sink model for the `createRelative` method of the `org.springframework.core.io.Resource` interface.
* Added source models for methods of the `org.springframework.web.util.UrlPathHelper` class and removed their taint flow models.

View File

@@ -1,4 +0,0 @@
---
category: minorAnalysis
---
* Taint tracking now understands Kotlin's `Array.get` and `Array.set` methods.

View File

@@ -1,4 +0,0 @@
---
category: deprecated
---
* Imports of the old dataflow libraries (e.g. `semmle.code.java.dataflow.DataFlow2`) have been deprecated in the libraries under the `semmle.code.java.security` namespace.

View File

@@ -1,4 +0,0 @@
---
category: minorAnalysis
---
* Added the `Map#replace` and `Map#replaceAll` methods to the `MapMutator` class in `semmle.code.java.Maps`.

View File

@@ -0,0 +1,34 @@
## 0.8.6
### Deprecated APIs
* Imports of the old dataflow libraries (e.g. `semmle.code.java.dataflow.DataFlow2`) have been deprecated in the libraries under the `semmle.code.java.security` namespace.
### Minor Analysis Improvements
* Added the `Map#replace` and `Map#replaceAll` methods to the `MapMutator` class in `semmle.code.java.Maps`.
* Taint tracking now understands Kotlin's `Array.get` and `Array.set` methods.
* Added a sink model for the `createRelative` method of the `org.springframework.core.io.Resource` interface.
* Added source models for methods of the `org.springframework.web.util.UrlPathHelper` class and removed their taint flow models.
* Added models for the following packages:
* com.google.common.io
* hudson
* hudson.console
* java.lang
* java.net
* java.util.logging
* javax.imageio.stream
* org.apache.commons.io
* org.apache.hadoop.hive.ql.exec
* org.apache.hadoop.hive.ql.metadata
* org.apache.tools.ant.taskdefs
* Added models for the following packages:
* com.alibaba.druid.sql.repository
* jakarta.persistence
* jakarta.persistence.criteria
* liquibase.database.jvm
* liquibase.statement.core
* org.apache.ibatis.mapping
* org.keycloak.models.map.storage

View File

@@ -1,2 +1,2 @@
---
lastReleaseVersion: 0.8.5
lastReleaseVersion: 0.8.6

View File

@@ -1,5 +1,5 @@
name: codeql/java-all
version: 0.8.6-dev
version: 0.8.7-dev
groups: java
dbscheme: config/semmlecode.dbscheme
extractor: java

View File

@@ -1,3 +1,19 @@
## 0.8.6
### Deprecated Queries
* The three queries `java/insufficient-key-size`, `java/server-side-template-injection`, and `java/android/implicit-pendingintents` had accidentally general extension points allowing arbitrary string-based flow state. This has been fixed and the old extension points have been deprecated where possible, and otherwise updated.
### New Queries
* Added the `java/insecure-randomness` query to detect uses of weakly random values which an attacker may be able to predict. Also added the `crypto-parameter` sink kind for sinks which represent the parameters and keys of cryptographic operations.
### Minor Analysis Improvements
* Modified the `java/potentially-weak-cryptographic-algorithm` query to include the use of weak cryptographic algorithms from configuration values specified in properties files.
* The query `java/android/missing-certificate-pinning` should no longer alert about requests pointing to the local filesystem.
* Removed some spurious sinks related to `com.opensymphony.xwork2.TextProvider.getText` from the query `java/ognl-injection`.
## 0.8.5
No user-facing changes.
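Review bot: the "Deprecated Queries" entry says the old extension points "have been deprecated where possible, and otherwise updated", but it does not name them or their replacements. Anyone who has extended `java/insufficient-key-size`, `java/server-side-template-injection` or `java/android/implicit-pendingintents` cannot tell from this note what to migrate or which points changed without a deprecation period. Please list the affected extension points. Separately, the `crypto-parameter` sink kind is announced inside the "New Queries" bullet, where model authors are likely to miss it. It deserves its own bullet.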

View File

@@ -1,5 +0,0 @@
---
category: newQuery
---
* Added the `java/insecure-randomness` query to detect uses of weakly random values which an attacker may be able to predict. Also added the `crypto-parameter` sink kind for sinks which represent the parameters and keys of cryptographic operations.

View File

@@ -1,4 +0,0 @@
---
category: minorAnalysis
---
* The query `java/android/missing-certificate-pinning` should no longer alert about requests pointing to the local filesystem.

View File

@@ -1,4 +0,0 @@
---
category: minorAnalysis
---
* Removed some spurious sinks related to `com.opensymphony.xwork2.TextProvider.getText` from the query `java/ognl-injection`.

View File

@@ -1,4 +0,0 @@
---
category: deprecated
---
* The three queries `java/insufficient-key-size`, `java/server-side-template-injection`, and `java/android/implicit-pendingintents` had accidentally general extension points allowing arbitrary string-based flow state. This has been fixed and the old extension points have been deprecated where possible, and otherwise updated.

View File

@@ -1,4 +0,0 @@
---
category: minorAnalysis
---
* Modified the `java/potentially-weak-cryptographic-algorithm` query to include the use of weak cryptographic algorithms from configuration values specified in properties files.

View File

@@ -0,0 +1,15 @@
## 0.8.6
### Deprecated Queries
* The three queries `java/insufficient-key-size`, `java/server-side-template-injection`, and `java/android/implicit-pendingintents` had accidentally general extension points allowing arbitrary string-based flow state. This has been fixed and the old extension points have been deprecated where possible, and otherwise updated.
### New Queries
* Added the `java/insecure-randomness` query to detect uses of weakly random values which an attacker may be able to predict. Also added the `crypto-parameter` sink kind for sinks which represent the parameters and keys of cryptographic operations.
### Minor Analysis Improvements
* Modified the `java/potentially-weak-cryptographic-algorithm` query to include the use of weak cryptographic algorithms from configuration values specified in properties files.
* The query `java/android/missing-certificate-pinning` should no longer alert about requests pointing to the local filesystem.
* Removed some spurious sinks related to `com.opensymphony.xwork2.TextProvider.getText` from the query `java/ognl-injection`.

Some files were not shown because too many files have changed in this diff