Merge branch 'main' into python-add-typetracker

2026-05-01 03:35:13 +02:00 · 2020-08-27 17:05:26 +02:00
parent cec3694c89 e7322d114f
commit 7112aa2e9a
708 changed files with 33214 additions and 5768 deletions
--- a/python/ql/test/experimental/CWE-074/AirspeedSsti.py
+++ b/python/ql/test/experimental/CWE-074/AirspeedSsti.py
@@ -0,0 +1,11 @@
+import airspeed
+from flask import Flask, request
+
+
+app = Flask(__name__)
+
+
+@route('/other')
+def a():
+    template = request.args.get('template')
+    return airspeed.Template(template)
--- a/python/ql/test/experimental/CWE-074/BottleSsti.py
+++ b/python/ql/test/experimental/CWE-074/BottleSsti.py
@@ -0,0 +1,20 @@
+from bottle import Bottle, route, request, redirect, response, SimpleTemplate
+from bottle import template as temp
+
+
+app = Bottle()
+
+
+@route('/other')
+def a():
+    template = request.query.template
+    tpl = SimpleTemplate(template)
+    tpl.render(name='World')
+    return tmp
+
+
+@route('/other2')
+def b():
+    template = request.query.template
+    temp(template, name='World')
+    return tmp
--- a/python/ql/test/experimental/CWE-074/Chameleon.py
+++ b/python/ql/test/experimental/CWE-074/Chameleon.py
@@ -0,0 +1,10 @@
+from chameleon import PageTemplate
+from django.urls import path
+from django.http import HttpResponse
+
+
+def chameleon(request):
+    template = request.GET['template']
+    tmpl = PageTemplate(template)
+    return HttpResponse(tmpl)
+
--- a/python/ql/test/experimental/CWE-074/ChevronSsti.py
+++ b/python/ql/test/experimental/CWE-074/ChevronSsti.py
@@ -0,0 +1,24 @@
+from flask import Flask, request
+import chevron
+
+
+app = Flask(__name__)
+
+
+@route('/other')
+def a():
+    template = request.args.get('template')
+    return chevron.render(template, {"key": "value"})
+
+
+@route('/other2')
+def b():
+    template = request.args.get('template')
+    args = {
+        'template': template,
+
+        'data': {
+            'key': 'value'
+        }
+    }
+    return chevron.render(**args)
--- a/python/ql/test/experimental/CWE-074/DjangoTemplates.py
+++ b/python/ql/test/experimental/CWE-074/DjangoTemplates.py
@@ -0,0 +1,41 @@
+from django.urls import path
+from django.http import HttpResponse
+from django.template import Template, Context, Engine, engines
+
+
+def dj(request):
+    # Load the template
+    template = request.GET['template']
+    t = Template(template)
+    ctx = Context(locals())
+    html = t.render(ctx)
+    return HttpResponse(html)
+
+
+def djEngine(request):
+    # Load the template
+    template = request.GET['template']
+
+    django_engine = engines['django']
+    t = django_engine.from_string(template)
+    ctx = Context(locals())
+    html = t.render(ctx)
+    return HttpResponse(html)
+
+
+def djEngineJinja(request):
+    # Load the template
+    template = request.GET['template']
+
+    django_engine = engines['jinja']
+    t = django_engine.from_string(template)
+    ctx = Context(locals())
+    html = t.render(ctx)
+    return HttpResponse(html)
+
+
+urlpatterns = [
+    path('', dj),
+    path('', djEngine),
+    path('', djEngineJinja),
+]
--- a/python/ql/test/experimental/CWE-074/FlaskTemplate.py
+++ b/python/ql/test/experimental/CWE-074/FlaskTemplate.py
@@ -0,0 +1,22 @@
+from flask import Flask, request
+
+
+app = Flask(__name__)
+
+
+@app.route("/")
+def home():
+    from flask import render_template_string
+    if request.args.get('template'):
+        return render_template_string(request.args.get('template'))
+
+
+@app.route("/a")
+def a(): 
+    import flask   
+    return flask.render_template_string(request.args.get('template'))
+    
+
+
+if __name__ == "__main__":
+    app.run(debug=True)
--- a/python/ql/test/experimental/CWE-074/Genshi.py
+++ b/python/ql/test/experimental/CWE-074/Genshi.py
@@ -0,0 +1,18 @@
+from django.urls import path
+from django.http import HttpResponse
+from genshi.template import TextTemplate,MarkupTemplate
+
+def genshi1():    
+    template = request.GET['template']
+    tmpl = MarkupTemplate(template)
+    return HttpResponse(tmpl)
+
+def genshi2():
+    template = request.GET['template']
+    tmpl = TextTemplate(template)
+    return HttpResponse(tmpl)
+
+urlpatterns = [
+    path('', genshi1),
+    path('', genshi2)
+]
--- a/python/ql/test/experimental/CWE-074/JinjaSsti.py
+++ b/python/ql/test/experimental/CWE-074/JinjaSsti.py
@@ -0,0 +1,30 @@
+from django.urls import path
+from django.http import HttpResponse
+from jinja2 import Template as Jinja2_Template
+from jinja2 import Environment, DictLoader, escape
+
+
+def a(request):
+    # Load the template
+    template = request.GET['template']
+    t = Jinja2_Template(template)
+    name = request.GET['name']
+    # Render the template with the context data
+    html = t.render(name=escape(name))
+    return HttpResponse(html)
+
+def b(request):
+    import jinja2
+    # Load the template
+    template = request.GET['template']
+    t = jinja2.from_string(template)
+    name = request.GET['name']
+    # Render the template with the context data
+    html = t.render(name=escape(name))
+    return HttpResponse(html)
+
+
+urlpatterns = [
+    path('a', a),
+    path('b', b)
+]
--- a/python/ql/test/experimental/CWE-074/MakoSsti.py
+++ b/python/ql/test/experimental/CWE-074/MakoSsti.py
@@ -0,0 +1,15 @@
+from django.urls import path
+from django.http import HttpResponse
+from mako.template import Template
+
+
+def mako(request):
+    # Load the template
+    template = request.GET['template']
+    mytemplate = Template(template)
+    return HttpResponse(mytemplate)
+
+
+urlpatterns = [
+    path('', mako)
+]
--- a/python/ql/test/experimental/CWE-074/TRender.py
+++ b/python/ql/test/experimental/CWE-074/TRender.py
@@ -0,0 +1,12 @@
+from django.urls import path
+from django.http import HttpResponse
+from trender import TRender
+
+def trender(request):
+    template = request.GET['template']
+    compiled = TRender(template)
+    return HttpResponse(compiled)
+    
+urlpatterns = [
+    path('', trender)
+]
--- a/python/ql/test/experimental/CWE-074/TemplateInjection.expected
+++ b/python/ql/test/experimental/CWE-074/TemplateInjection.expected
@@ -0,0 +1,60 @@
+edges
+| AirspeedSsti.py:10:16:10:27 | dict of externally controlled string | AirspeedSsti.py:10:16:10:43 | externally controlled string |
+| AirspeedSsti.py:10:16:10:27 | dict of externally controlled string | AirspeedSsti.py:10:16:10:43 | externally controlled string |
+| AirspeedSsti.py:10:16:10:43 | externally controlled string | AirspeedSsti.py:11:30:11:37 | externally controlled string |
+| AirspeedSsti.py:10:16:10:43 | externally controlled string | AirspeedSsti.py:11:30:11:37 | externally controlled string |
+| ChevronSsti.py:10:16:10:27 | dict of externally controlled string | ChevronSsti.py:10:16:10:43 | externally controlled string |
+| ChevronSsti.py:10:16:10:27 | dict of externally controlled string | ChevronSsti.py:10:16:10:43 | externally controlled string |
+| ChevronSsti.py:10:16:10:43 | externally controlled string | ChevronSsti.py:11:27:11:34 | externally controlled string |
+| ChevronSsti.py:10:16:10:43 | externally controlled string | ChevronSsti.py:11:27:11:34 | externally controlled string |
+| DjangoTemplates.py:6:8:6:14 | django.request.HttpRequest | DjangoTemplates.py:8:16:8:22 | django.request.HttpRequest |
+| DjangoTemplates.py:6:8:6:14 | django.request.HttpRequest | DjangoTemplates.py:8:16:8:22 | django.request.HttpRequest |
+| DjangoTemplates.py:8:16:8:22 | django.request.HttpRequest | DjangoTemplates.py:8:16:8:26 | django.http.request.QueryDict |
+| DjangoTemplates.py:8:16:8:22 | django.request.HttpRequest | DjangoTemplates.py:8:16:8:26 | django.http.request.QueryDict |
+| DjangoTemplates.py:8:16:8:26 | django.http.request.QueryDict | DjangoTemplates.py:8:16:8:38 | externally controlled string |
+| DjangoTemplates.py:8:16:8:26 | django.http.request.QueryDict | DjangoTemplates.py:8:16:8:38 | externally controlled string |
+| DjangoTemplates.py:8:16:8:38 | externally controlled string | DjangoTemplates.py:9:18:9:25 | externally controlled string |
+| DjangoTemplates.py:8:16:8:38 | externally controlled string | DjangoTemplates.py:9:18:9:25 | externally controlled string |
+| FlaskTemplate.py:17:41:17:52 | dict of externally controlled string | FlaskTemplate.py:17:41:17:68 | externally controlled string |
+| FlaskTemplate.py:17:41:17:52 | dict of externally controlled string | FlaskTemplate.py:17:41:17:68 | externally controlled string |
+| JinjaSsti.py:7:7:7:13 | django.request.HttpRequest | JinjaSsti.py:9:16:9:22 | django.request.HttpRequest |
+| JinjaSsti.py:7:7:7:13 | django.request.HttpRequest | JinjaSsti.py:9:16:9:22 | django.request.HttpRequest |
+| JinjaSsti.py:9:16:9:22 | django.request.HttpRequest | JinjaSsti.py:9:16:9:26 | django.http.request.QueryDict |
+| JinjaSsti.py:9:16:9:22 | django.request.HttpRequest | JinjaSsti.py:9:16:9:26 | django.http.request.QueryDict |
+| JinjaSsti.py:9:16:9:26 | django.http.request.QueryDict | JinjaSsti.py:9:16:9:38 | externally controlled string |
+| JinjaSsti.py:9:16:9:26 | django.http.request.QueryDict | JinjaSsti.py:9:16:9:38 | externally controlled string |
+| JinjaSsti.py:9:16:9:38 | externally controlled string | JinjaSsti.py:10:25:10:32 | externally controlled string |
+| JinjaSsti.py:9:16:9:38 | externally controlled string | JinjaSsti.py:10:25:10:32 | externally controlled string |
+| JinjaSsti.py:16:7:16:13 | django.request.HttpRequest | JinjaSsti.py:19:16:19:22 | django.request.HttpRequest |
+| JinjaSsti.py:16:7:16:13 | django.request.HttpRequest | JinjaSsti.py:19:16:19:22 | django.request.HttpRequest |
+| JinjaSsti.py:19:16:19:22 | django.request.HttpRequest | JinjaSsti.py:19:16:19:26 | django.http.request.QueryDict |
+| JinjaSsti.py:19:16:19:22 | django.request.HttpRequest | JinjaSsti.py:19:16:19:26 | django.http.request.QueryDict |
+| JinjaSsti.py:19:16:19:26 | django.http.request.QueryDict | JinjaSsti.py:19:16:19:38 | externally controlled string |
+| JinjaSsti.py:19:16:19:26 | django.http.request.QueryDict | JinjaSsti.py:19:16:19:38 | externally controlled string |
+| JinjaSsti.py:19:16:19:38 | externally controlled string | JinjaSsti.py:20:28:20:35 | externally controlled string |
+| JinjaSsti.py:19:16:19:38 | externally controlled string | JinjaSsti.py:20:28:20:35 | externally controlled string |
+| MakoSsti.py:6:10:6:16 | django.request.HttpRequest | MakoSsti.py:8:16:8:22 | django.request.HttpRequest |
+| MakoSsti.py:6:10:6:16 | django.request.HttpRequest | MakoSsti.py:8:16:8:22 | django.request.HttpRequest |
+| MakoSsti.py:8:16:8:22 | django.request.HttpRequest | MakoSsti.py:8:16:8:26 | django.http.request.QueryDict |
+| MakoSsti.py:8:16:8:22 | django.request.HttpRequest | MakoSsti.py:8:16:8:26 | django.http.request.QueryDict |
+| MakoSsti.py:8:16:8:26 | django.http.request.QueryDict | MakoSsti.py:8:16:8:38 | externally controlled string |
+| MakoSsti.py:8:16:8:26 | django.http.request.QueryDict | MakoSsti.py:8:16:8:38 | externally controlled string |
+| MakoSsti.py:8:16:8:38 | externally controlled string | MakoSsti.py:9:27:9:34 | externally controlled string |
+| MakoSsti.py:8:16:8:38 | externally controlled string | MakoSsti.py:9:27:9:34 | externally controlled string |
+| TRender.py:5:13:5:19 | django.request.HttpRequest | TRender.py:6:16:6:22 | django.request.HttpRequest |
+| TRender.py:5:13:5:19 | django.request.HttpRequest | TRender.py:6:16:6:22 | django.request.HttpRequest |
+| TRender.py:6:16:6:22 | django.request.HttpRequest | TRender.py:6:16:6:26 | django.http.request.QueryDict |
+| TRender.py:6:16:6:22 | django.request.HttpRequest | TRender.py:6:16:6:26 | django.http.request.QueryDict |
+| TRender.py:6:16:6:26 | django.http.request.QueryDict | TRender.py:6:16:6:38 | externally controlled string |
+| TRender.py:6:16:6:26 | django.http.request.QueryDict | TRender.py:6:16:6:38 | externally controlled string |
+| TRender.py:6:16:6:38 | externally controlled string | TRender.py:7:24:7:31 | externally controlled string |
+| TRender.py:6:16:6:38 | externally controlled string | TRender.py:7:24:7:31 | externally controlled string |
+#select
+| AirspeedSsti.py:11:30:11:37 | template | AirspeedSsti.py:10:16:10:27 | dict of externally controlled string | AirspeedSsti.py:11:30:11:37 | externally controlled string | This Template depends on $@. | AirspeedSsti.py:10:16:10:27 | Attribute | a user-provided value |
+| ChevronSsti.py:11:27:11:34 | template | ChevronSsti.py:10:16:10:27 | dict of externally controlled string | ChevronSsti.py:11:27:11:34 | externally controlled string | This Template depends on $@. | ChevronSsti.py:10:16:10:27 | Attribute | a user-provided value |
+| DjangoTemplates.py:9:18:9:25 | template | DjangoTemplates.py:6:8:6:14 | django.request.HttpRequest | DjangoTemplates.py:9:18:9:25 | externally controlled string | This Template depends on $@. | DjangoTemplates.py:6:8:6:14 | request | a user-provided value |
+| FlaskTemplate.py:17:41:17:68 | Attribute() | FlaskTemplate.py:17:41:17:52 | dict of externally controlled string | FlaskTemplate.py:17:41:17:68 | externally controlled string | This Template depends on $@. | FlaskTemplate.py:17:41:17:52 | Attribute | a user-provided value |
+| JinjaSsti.py:10:25:10:32 | template | JinjaSsti.py:7:7:7:13 | django.request.HttpRequest | JinjaSsti.py:10:25:10:32 | externally controlled string | This Template depends on $@. | JinjaSsti.py:7:7:7:13 | request | a user-provided value |
+| JinjaSsti.py:20:28:20:35 | template | JinjaSsti.py:16:7:16:13 | django.request.HttpRequest | JinjaSsti.py:20:28:20:35 | externally controlled string | This Template depends on $@. | JinjaSsti.py:16:7:16:13 | request | a user-provided value |
+| MakoSsti.py:9:27:9:34 | template | MakoSsti.py:6:10:6:16 | django.request.HttpRequest | MakoSsti.py:9:27:9:34 | externally controlled string | This Template depends on $@. | MakoSsti.py:6:10:6:16 | request | a user-provided value |
+| TRender.py:7:24:7:31 | template | TRender.py:5:13:5:19 | django.request.HttpRequest | TRender.py:7:24:7:31 | externally controlled string | This Template depends on $@. | TRender.py:5:13:5:19 | request | a user-provided value |
--- a/python/ql/test/experimental/CWE-074/TemplateInjection.qlref
+++ b/python/ql/test/experimental/CWE-074/TemplateInjection.qlref
@@ -0,0 +1 @@
+experimental/CWE-074/TemplateInjection.ql
--- a/python/ql/test/experimental/CWE-074/options
+++ b/python/ql/test/experimental/CWE-074/options
@@ -0,0 +1 @@
+semmle-extractor-options: --max-import-depth=3 -p ../../query-tests/Security/lib/
--- a/python/ql/test/experimental/dataflow/basic/callGraph.ql
+++ b/python/ql/test/experimental/dataflow/basic/callGraph.ql
@@ -1,4 +1,4 @@
-import callGraphConfig
+import experimental.dataflow.callGraphConfig

 from DataFlow::Node source, DataFlow::Node sink
 where exists(CallGraphConfig cfg | cfg.hasFlow(source, sink))
--- a/python/ql/test/experimental/dataflow/basic/callGraphSinks.ql
+++ b/python/ql/test/experimental/dataflow/basic/callGraphSinks.ql
@@ -1,4 +1,4 @@
-import callGraphConfig
+import experimental.dataflow.callGraphConfig

 from DataFlow::Node sink
 where exists(CallGraphConfig cfg | cfg.isSink(sink))
--- a/python/ql/test/experimental/dataflow/basic/callGraphSources.ql
+++ b/python/ql/test/experimental/dataflow/basic/callGraphSources.ql
@@ -1,4 +1,4 @@
-import callGraphConfig
+import experimental.dataflow.callGraphConfig

 from DataFlow::Node source
 where exists(CallGraphConfig cfg | cfg.isSource(source))
--- a/python/ql/test/experimental/dataflow/basic/global.expected
+++ b/python/ql/test/experimental/dataflow/basic/global.expected
@@ -1,23 +1,16 @@
-| test.py:0:0:0:0 | GSSA Variable __name__ | test.py:0:0:0:0 | Exit node for Module test |
 | test.py:0:0:0:0 | GSSA Variable __name__ | test.py:7:1:7:1 | GSSA Variable b |
 | test.py:0:0:0:0 | GSSA Variable __name__ | test.py:7:5:7:20 | ControlFlowNode for obfuscated_id() |
-| test.py:0:0:0:0 | GSSA Variable __package__ | test.py:0:0:0:0 | Exit node for Module test |
 | test.py:0:0:0:0 | GSSA Variable __package__ | test.py:7:1:7:1 | GSSA Variable b |
 | test.py:0:0:0:0 | GSSA Variable __package__ | test.py:7:5:7:20 | ControlFlowNode for obfuscated_id() |
-| test.py:0:0:0:0 | GSSA Variable b | test.py:0:0:0:0 | Exit node for Module test |
 | test.py:0:0:0:0 | GSSA Variable b | test.py:7:1:7:1 | GSSA Variable b |
 | test.py:0:0:0:0 | GSSA Variable b | test.py:7:5:7:20 | ControlFlowNode for obfuscated_id() |
-| test.py:1:1:1:21 | ControlFlowNode for FunctionExpr | test.py:0:0:0:0 | Exit node for Module test |
 | test.py:1:1:1:21 | ControlFlowNode for FunctionExpr | test.py:1:5:1:17 | GSSA Variable obfuscated_id |
 | test.py:1:1:1:21 | ControlFlowNode for FunctionExpr | test.py:7:1:7:1 | GSSA Variable b |
 | test.py:1:1:1:21 | ControlFlowNode for FunctionExpr | test.py:7:5:7:17 | ControlFlowNode for obfuscated_id |
 | test.py:1:1:1:21 | ControlFlowNode for FunctionExpr | test.py:7:5:7:20 | ControlFlowNode for obfuscated_id() |
-| test.py:1:5:1:17 | GSSA Variable obfuscated_id | test.py:0:0:0:0 | Exit node for Module test |
 | test.py:1:5:1:17 | GSSA Variable obfuscated_id | test.py:7:1:7:1 | GSSA Variable b |
 | test.py:1:5:1:17 | GSSA Variable obfuscated_id | test.py:7:5:7:17 | ControlFlowNode for obfuscated_id |
 | test.py:1:5:1:17 | GSSA Variable obfuscated_id | test.py:7:5:7:20 | ControlFlowNode for obfuscated_id() |
-| test.py:1:19:1:19 | SSA variable x | test.py:0:0:0:0 | Exit node for Module test |
-| test.py:1:19:1:19 | SSA variable x | test.py:1:1:1:21 | Exit node for Function obfuscated_id |
 | test.py:1:19:1:19 | SSA variable x | test.py:2:3:2:3 | SSA variable y |
 | test.py:1:19:1:19 | SSA variable x | test.py:2:7:2:7 | ControlFlowNode for x |
 | test.py:1:19:1:19 | SSA variable x | test.py:3:3:3:3 | SSA variable z |
@@ -25,37 +18,26 @@
 | test.py:1:19:1:19 | SSA variable x | test.py:4:10:4:10 | ControlFlowNode for z |
 | test.py:1:19:1:19 | SSA variable x | test.py:7:1:7:1 | GSSA Variable b |
 | test.py:1:19:1:19 | SSA variable x | test.py:7:5:7:20 | ControlFlowNode for obfuscated_id() |
-| test.py:2:3:2:3 | SSA variable y | test.py:0:0:0:0 | Exit node for Module test |
-| test.py:2:3:2:3 | SSA variable y | test.py:1:1:1:21 | Exit node for Function obfuscated_id |
 | test.py:2:3:2:3 | SSA variable y | test.py:3:3:3:3 | SSA variable z |
 | test.py:2:3:2:3 | SSA variable y | test.py:3:7:3:7 | ControlFlowNode for y |
 | test.py:2:3:2:3 | SSA variable y | test.py:4:10:4:10 | ControlFlowNode for z |
 | test.py:2:3:2:3 | SSA variable y | test.py:7:1:7:1 | GSSA Variable b |
 | test.py:2:3:2:3 | SSA variable y | test.py:7:5:7:20 | ControlFlowNode for obfuscated_id() |
-| test.py:2:7:2:7 | ControlFlowNode for x | test.py:0:0:0:0 | Exit node for Module test |
-| test.py:2:7:2:7 | ControlFlowNode for x | test.py:1:1:1:21 | Exit node for Function obfuscated_id |
 | test.py:2:7:2:7 | ControlFlowNode for x | test.py:2:3:2:3 | SSA variable y |
 | test.py:2:7:2:7 | ControlFlowNode for x | test.py:3:3:3:3 | SSA variable z |
 | test.py:2:7:2:7 | ControlFlowNode for x | test.py:3:7:3:7 | ControlFlowNode for y |
 | test.py:2:7:2:7 | ControlFlowNode for x | test.py:4:10:4:10 | ControlFlowNode for z |
 | test.py:2:7:2:7 | ControlFlowNode for x | test.py:7:1:7:1 | GSSA Variable b |
 | test.py:2:7:2:7 | ControlFlowNode for x | test.py:7:5:7:20 | ControlFlowNode for obfuscated_id() |
-| test.py:3:3:3:3 | SSA variable z | test.py:0:0:0:0 | Exit node for Module test |
-| test.py:3:3:3:3 | SSA variable z | test.py:1:1:1:21 | Exit node for Function obfuscated_id |
 | test.py:3:3:3:3 | SSA variable z | test.py:4:10:4:10 | ControlFlowNode for z |
 | test.py:3:3:3:3 | SSA variable z | test.py:7:1:7:1 | GSSA Variable b |
 | test.py:3:3:3:3 | SSA variable z | test.py:7:5:7:20 | ControlFlowNode for obfuscated_id() |
-| test.py:3:7:3:7 | ControlFlowNode for y | test.py:0:0:0:0 | Exit node for Module test |
-| test.py:3:7:3:7 | ControlFlowNode for y | test.py:1:1:1:21 | Exit node for Function obfuscated_id |
 | test.py:3:7:3:7 | ControlFlowNode for y | test.py:3:3:3:3 | SSA variable z |
 | test.py:3:7:3:7 | ControlFlowNode for y | test.py:4:10:4:10 | ControlFlowNode for z |
 | test.py:3:7:3:7 | ControlFlowNode for y | test.py:7:1:7:1 | GSSA Variable b |
 | test.py:3:7:3:7 | ControlFlowNode for y | test.py:7:5:7:20 | ControlFlowNode for obfuscated_id() |
-| test.py:4:10:4:10 | ControlFlowNode for z | test.py:0:0:0:0 | Exit node for Module test |
 | test.py:4:10:4:10 | ControlFlowNode for z | test.py:7:1:7:1 | GSSA Variable b |
 | test.py:4:10:4:10 | ControlFlowNode for z | test.py:7:5:7:20 | ControlFlowNode for obfuscated_id() |
-| test.py:6:1:6:1 | GSSA Variable a | test.py:0:0:0:0 | Exit node for Module test |
-| test.py:6:1:6:1 | GSSA Variable a | test.py:1:1:1:21 | Exit node for Function obfuscated_id |
 | test.py:6:1:6:1 | GSSA Variable a | test.py:1:19:1:19 | SSA variable x |
 | test.py:6:1:6:1 | GSSA Variable a | test.py:2:3:2:3 | SSA variable y |
 | test.py:6:1:6:1 | GSSA Variable a | test.py:2:7:2:7 | ControlFlowNode for x |
@@ -66,8 +48,6 @@
 | test.py:6:1:6:1 | GSSA Variable a | test.py:7:5:7:20 | ControlFlowNode for obfuscated_id() |
 | test.py:6:1:6:1 | GSSA Variable a | test.py:7:5:7:20 | GSSA Variable a |
 | test.py:6:1:6:1 | GSSA Variable a | test.py:7:19:7:19 | ControlFlowNode for a |
-| test.py:6:5:6:6 | ControlFlowNode for IntegerLiteral | test.py:0:0:0:0 | Exit node for Module test |
-| test.py:6:5:6:6 | ControlFlowNode for IntegerLiteral | test.py:1:1:1:21 | Exit node for Function obfuscated_id |
 | test.py:6:5:6:6 | ControlFlowNode for IntegerLiteral | test.py:1:19:1:19 | SSA variable x |
 | test.py:6:5:6:6 | ControlFlowNode for IntegerLiteral | test.py:2:3:2:3 | SSA variable y |
 | test.py:6:5:6:6 | ControlFlowNode for IntegerLiteral | test.py:2:7:2:7 | ControlFlowNode for x |
@@ -79,12 +59,7 @@
 | test.py:6:5:6:6 | ControlFlowNode for IntegerLiteral | test.py:7:5:7:20 | ControlFlowNode for obfuscated_id() |
 | test.py:6:5:6:6 | ControlFlowNode for IntegerLiteral | test.py:7:5:7:20 | GSSA Variable a |
 | test.py:6:5:6:6 | ControlFlowNode for IntegerLiteral | test.py:7:19:7:19 | ControlFlowNode for a |
-| test.py:7:1:7:1 | GSSA Variable b | test.py:0:0:0:0 | Exit node for Module test |
-| test.py:7:5:7:20 | ControlFlowNode for obfuscated_id() | test.py:0:0:0:0 | Exit node for Module test |
 | test.py:7:5:7:20 | ControlFlowNode for obfuscated_id() | test.py:7:1:7:1 | GSSA Variable b |
-| test.py:7:5:7:20 | GSSA Variable a | test.py:0:0:0:0 | Exit node for Module test |
-| test.py:7:19:7:19 | ControlFlowNode for a | test.py:0:0:0:0 | Exit node for Module test |
-| test.py:7:19:7:19 | ControlFlowNode for a | test.py:1:1:1:21 | Exit node for Function obfuscated_id |
 | test.py:7:19:7:19 | ControlFlowNode for a | test.py:1:19:1:19 | SSA variable x |
 | test.py:7:19:7:19 | ControlFlowNode for a | test.py:2:3:2:3 | SSA variable y |
 | test.py:7:19:7:19 | ControlFlowNode for a | test.py:2:7:2:7 | ControlFlowNode for x |
--- a/python/ql/test/experimental/dataflow/basic/globalStep.expected
+++ b/python/ql/test/experimental/dataflow/basic/globalStep.expected
@@ -1,25 +1,15 @@
-| test.py:0:0:0:0 | GSSA Variable __name__ | test.py:0:0:0:0 | Exit node for Module test |
-| test.py:0:0:0:0 | GSSA Variable __name__ | test.py:0:0:0:0 | Exit node for Module test |
 | test.py:0:0:0:0 | GSSA Variable __name__ | test.py:7:5:7:20 | ControlFlowNode for obfuscated_id() |
 | test.py:0:0:0:0 | GSSA Variable __name__ | test.py:7:5:7:20 | ControlFlowNode for obfuscated_id() |
-| test.py:0:0:0:0 | GSSA Variable __package__ | test.py:0:0:0:0 | Exit node for Module test |
-| test.py:0:0:0:0 | GSSA Variable __package__ | test.py:0:0:0:0 | Exit node for Module test |
 | test.py:0:0:0:0 | GSSA Variable __package__ | test.py:7:5:7:20 | ControlFlowNode for obfuscated_id() |
 | test.py:0:0:0:0 | GSSA Variable __package__ | test.py:7:5:7:20 | ControlFlowNode for obfuscated_id() |
 | test.py:0:0:0:0 | GSSA Variable b | test.py:7:5:7:20 | ControlFlowNode for obfuscated_id() |
 | test.py:0:0:0:0 | GSSA Variable b | test.py:7:5:7:20 | ControlFlowNode for obfuscated_id() |
 | test.py:1:1:1:21 | ControlFlowNode for FunctionExpr | test.py:1:5:1:17 | GSSA Variable obfuscated_id |
 | test.py:1:1:1:21 | ControlFlowNode for FunctionExpr | test.py:1:5:1:17 | GSSA Variable obfuscated_id |
-| test.py:1:5:1:17 | GSSA Variable obfuscated_id | test.py:0:0:0:0 | Exit node for Module test |
-| test.py:1:5:1:17 | GSSA Variable obfuscated_id | test.py:0:0:0:0 | Exit node for Module test |
 | test.py:1:5:1:17 | GSSA Variable obfuscated_id | test.py:7:5:7:17 | ControlFlowNode for obfuscated_id |
 | test.py:1:5:1:17 | GSSA Variable obfuscated_id | test.py:7:5:7:17 | ControlFlowNode for obfuscated_id |
 | test.py:1:5:1:17 | GSSA Variable obfuscated_id | test.py:7:5:7:20 | ControlFlowNode for obfuscated_id() |
 | test.py:1:5:1:17 | GSSA Variable obfuscated_id | test.py:7:5:7:20 | ControlFlowNode for obfuscated_id() |
-| test.py:1:19:1:19 | SSA variable x | test.py:1:1:1:21 | Exit node for Function obfuscated_id |
-| test.py:1:19:1:19 | SSA variable x | test.py:1:1:1:21 | Exit node for Function obfuscated_id |
-| test.py:1:19:1:19 | SSA variable x | test.py:1:1:1:21 | Exit node for Function obfuscated_id |
-| test.py:1:19:1:19 | SSA variable x | test.py:1:1:1:21 | Exit node for Function obfuscated_id |
 | test.py:1:19:1:19 | SSA variable x | test.py:2:3:2:3 | SSA variable y |
 | test.py:1:19:1:19 | SSA variable x | test.py:2:3:2:3 | SSA variable y |
 | test.py:1:19:1:19 | SSA variable x | test.py:2:3:2:3 | SSA variable y |
@@ -40,10 +30,6 @@
 | test.py:1:19:1:19 | SSA variable x | test.py:4:10:4:10 | ControlFlowNode for z |
 | test.py:1:19:1:19 | SSA variable x | test.py:4:10:4:10 | ControlFlowNode for z |
 | test.py:1:19:1:19 | SSA variable x | test.py:4:10:4:10 | ControlFlowNode for z |
-| test.py:2:3:2:3 | SSA variable y | test.py:1:1:1:21 | Exit node for Function obfuscated_id |
-| test.py:2:3:2:3 | SSA variable y | test.py:1:1:1:21 | Exit node for Function obfuscated_id |
-| test.py:2:3:2:3 | SSA variable y | test.py:1:1:1:21 | Exit node for Function obfuscated_id |
-| test.py:2:3:2:3 | SSA variable y | test.py:1:1:1:21 | Exit node for Function obfuscated_id |
 | test.py:2:3:2:3 | SSA variable y | test.py:3:3:3:3 | SSA variable z |
 | test.py:2:3:2:3 | SSA variable y | test.py:3:3:3:3 | SSA variable z |
 | test.py:2:3:2:3 | SSA variable y | test.py:3:3:3:3 | SSA variable z |
@@ -56,10 +42,6 @@
 | test.py:2:3:2:3 | SSA variable y | test.py:4:10:4:10 | ControlFlowNode for z |
 | test.py:2:3:2:3 | SSA variable y | test.py:4:10:4:10 | ControlFlowNode for z |
 | test.py:2:3:2:3 | SSA variable y | test.py:4:10:4:10 | ControlFlowNode for z |
-| test.py:2:7:2:7 | ControlFlowNode for x | test.py:1:1:1:21 | Exit node for Function obfuscated_id |
-| test.py:2:7:2:7 | ControlFlowNode for x | test.py:1:1:1:21 | Exit node for Function obfuscated_id |
-| test.py:2:7:2:7 | ControlFlowNode for x | test.py:1:1:1:21 | Exit node for Function obfuscated_id |
-| test.py:2:7:2:7 | ControlFlowNode for x | test.py:1:1:1:21 | Exit node for Function obfuscated_id |
 | test.py:2:7:2:7 | ControlFlowNode for x | test.py:2:3:2:3 | SSA variable y |
 | test.py:2:7:2:7 | ControlFlowNode for x | test.py:2:3:2:3 | SSA variable y |
 | test.py:2:7:2:7 | ControlFlowNode for x | test.py:2:3:2:3 | SSA variable y |
@@ -76,18 +58,10 @@
 | test.py:2:7:2:7 | ControlFlowNode for x | test.py:4:10:4:10 | ControlFlowNode for z |
 | test.py:2:7:2:7 | ControlFlowNode for x | test.py:4:10:4:10 | ControlFlowNode for z |
 | test.py:2:7:2:7 | ControlFlowNode for x | test.py:4:10:4:10 | ControlFlowNode for z |
-| test.py:3:3:3:3 | SSA variable z | test.py:1:1:1:21 | Exit node for Function obfuscated_id |
-| test.py:3:3:3:3 | SSA variable z | test.py:1:1:1:21 | Exit node for Function obfuscated_id |
-| test.py:3:3:3:3 | SSA variable z | test.py:1:1:1:21 | Exit node for Function obfuscated_id |
-| test.py:3:3:3:3 | SSA variable z | test.py:1:1:1:21 | Exit node for Function obfuscated_id |
 | test.py:3:3:3:3 | SSA variable z | test.py:4:10:4:10 | ControlFlowNode for z |
 | test.py:3:3:3:3 | SSA variable z | test.py:4:10:4:10 | ControlFlowNode for z |
 | test.py:3:3:3:3 | SSA variable z | test.py:4:10:4:10 | ControlFlowNode for z |
 | test.py:3:3:3:3 | SSA variable z | test.py:4:10:4:10 | ControlFlowNode for z |
-| test.py:3:7:3:7 | ControlFlowNode for y | test.py:1:1:1:21 | Exit node for Function obfuscated_id |
-| test.py:3:7:3:7 | ControlFlowNode for y | test.py:1:1:1:21 | Exit node for Function obfuscated_id |
-| test.py:3:7:3:7 | ControlFlowNode for y | test.py:1:1:1:21 | Exit node for Function obfuscated_id |
-| test.py:3:7:3:7 | ControlFlowNode for y | test.py:1:1:1:21 | Exit node for Function obfuscated_id |
 | test.py:3:7:3:7 | ControlFlowNode for y | test.py:3:3:3:3 | SSA variable z |
 | test.py:3:7:3:7 | ControlFlowNode for y | test.py:3:3:3:3 | SSA variable z |
 | test.py:3:7:3:7 | ControlFlowNode for y | test.py:3:3:3:3 | SSA variable z |
@@ -106,12 +80,8 @@
 | test.py:6:1:6:1 | GSSA Variable a | test.py:7:19:7:19 | ControlFlowNode for a |
 | test.py:6:5:6:6 | ControlFlowNode for IntegerLiteral | test.py:6:1:6:1 | GSSA Variable a |
 | test.py:6:5:6:6 | ControlFlowNode for IntegerLiteral | test.py:6:1:6:1 | GSSA Variable a |
-| test.py:7:1:7:1 | GSSA Variable b | test.py:0:0:0:0 | Exit node for Module test |
-| test.py:7:1:7:1 | GSSA Variable b | test.py:0:0:0:0 | Exit node for Module test |
 | test.py:7:5:7:20 | ControlFlowNode for obfuscated_id() | test.py:7:1:7:1 | GSSA Variable b |
 | test.py:7:5:7:20 | ControlFlowNode for obfuscated_id() | test.py:7:1:7:1 | GSSA Variable b |
-| test.py:7:5:7:20 | GSSA Variable a | test.py:0:0:0:0 | Exit node for Module test |
-| test.py:7:5:7:20 | GSSA Variable a | test.py:0:0:0:0 | Exit node for Module test |
 | test.py:7:19:7:19 | ControlFlowNode for a | test.py:1:19:1:19 | SSA variable x |
 | test.py:7:19:7:19 | ControlFlowNode for a | test.py:1:19:1:19 | SSA variable x |
 | test.py:7:19:7:19 | ControlFlowNode for a | test.py:7:5:7:20 | ControlFlowNode for obfuscated_id() |
--- a/python/ql/test/experimental/dataflow/basic/local.expected
+++ b/python/ql/test/experimental/dataflow/basic/local.expected
@@ -1,17 +1,11 @@
-| test.py:0:0:0:0 | Entry node for Module test | test.py:0:0:0:0 | Entry node for Module test |
-| test.py:0:0:0:0 | Exit node for Module test | test.py:0:0:0:0 | Exit node for Module test |
 | test.py:0:0:0:0 | GSSA Variable __name__ | test.py:0:0:0:0 | GSSA Variable __name__ |
 | test.py:0:0:0:0 | GSSA Variable __package__ | test.py:0:0:0:0 | GSSA Variable __package__ |
 | test.py:0:0:0:0 | GSSA Variable b | test.py:0:0:0:0 | GSSA Variable b |
-| test.py:0:0:0:0 | SSA variable $ | test.py:0:0:0:0 | Exit node for Module test |
 | test.py:0:0:0:0 | SSA variable $ | test.py:0:0:0:0 | SSA variable $ |
 | test.py:1:1:1:21 | ControlFlowNode for FunctionExpr | test.py:1:1:1:21 | ControlFlowNode for FunctionExpr |
-| test.py:1:1:1:21 | Entry node for Function obfuscated_id | test.py:1:1:1:21 | Entry node for Function obfuscated_id |
-| test.py:1:1:1:21 | Exit node for Function obfuscated_id | test.py:1:1:1:21 | Exit node for Function obfuscated_id |
 | test.py:1:5:1:17 | ControlFlowNode for obfuscated_id | test.py:1:5:1:17 | ControlFlowNode for obfuscated_id |
 | test.py:1:5:1:17 | GSSA Variable obfuscated_id | test.py:1:5:1:17 | GSSA Variable obfuscated_id |
 | test.py:1:19:1:19 | ControlFlowNode for x | test.py:1:19:1:19 | ControlFlowNode for x |
-| test.py:1:19:1:19 | SSA variable x | test.py:1:1:1:21 | Exit node for Function obfuscated_id |
 | test.py:1:19:1:19 | SSA variable x | test.py:1:19:1:19 | SSA variable x |
 | test.py:1:19:1:19 | SSA variable x | test.py:2:3:2:3 | SSA variable y |
 | test.py:1:19:1:19 | SSA variable x | test.py:2:7:2:7 | ControlFlowNode for x |
@@ -19,26 +13,21 @@
 | test.py:1:19:1:19 | SSA variable x | test.py:3:7:3:7 | ControlFlowNode for y |
 | test.py:1:19:1:19 | SSA variable x | test.py:4:10:4:10 | ControlFlowNode for z |
 | test.py:2:3:2:3 | ControlFlowNode for y | test.py:2:3:2:3 | ControlFlowNode for y |
-| test.py:2:3:2:3 | SSA variable y | test.py:1:1:1:21 | Exit node for Function obfuscated_id |
 | test.py:2:3:2:3 | SSA variable y | test.py:2:3:2:3 | SSA variable y |
 | test.py:2:3:2:3 | SSA variable y | test.py:3:3:3:3 | SSA variable z |
 | test.py:2:3:2:3 | SSA variable y | test.py:3:7:3:7 | ControlFlowNode for y |
 | test.py:2:3:2:3 | SSA variable y | test.py:4:10:4:10 | ControlFlowNode for z |
-| test.py:2:7:2:7 | ControlFlowNode for x | test.py:1:1:1:21 | Exit node for Function obfuscated_id |
 | test.py:2:7:2:7 | ControlFlowNode for x | test.py:2:3:2:3 | SSA variable y |
 | test.py:2:7:2:7 | ControlFlowNode for x | test.py:2:7:2:7 | ControlFlowNode for x |
 | test.py:2:7:2:7 | ControlFlowNode for x | test.py:3:3:3:3 | SSA variable z |
 | test.py:2:7:2:7 | ControlFlowNode for x | test.py:3:7:3:7 | ControlFlowNode for y |
 | test.py:2:7:2:7 | ControlFlowNode for x | test.py:4:10:4:10 | ControlFlowNode for z |
 | test.py:3:3:3:3 | ControlFlowNode for z | test.py:3:3:3:3 | ControlFlowNode for z |
-| test.py:3:3:3:3 | SSA variable z | test.py:1:1:1:21 | Exit node for Function obfuscated_id |
 | test.py:3:3:3:3 | SSA variable z | test.py:3:3:3:3 | SSA variable z |
 | test.py:3:3:3:3 | SSA variable z | test.py:4:10:4:10 | ControlFlowNode for z |
-| test.py:3:7:3:7 | ControlFlowNode for y | test.py:1:1:1:21 | Exit node for Function obfuscated_id |
 | test.py:3:7:3:7 | ControlFlowNode for y | test.py:3:3:3:3 | SSA variable z |
 | test.py:3:7:3:7 | ControlFlowNode for y | test.py:3:7:3:7 | ControlFlowNode for y |
 | test.py:3:7:3:7 | ControlFlowNode for y | test.py:4:10:4:10 | ControlFlowNode for z |
-| test.py:4:3:4:10 | ControlFlowNode for Return | test.py:4:3:4:10 | ControlFlowNode for Return |
 | test.py:4:10:4:10 | ControlFlowNode for z | test.py:4:10:4:10 | ControlFlowNode for z |
 | test.py:6:1:6:1 | ControlFlowNode for a | test.py:6:1:6:1 | ControlFlowNode for a |
 | test.py:6:1:6:1 | GSSA Variable a | test.py:6:1:6:1 | GSSA Variable a |
--- a/python/ql/test/experimental/dataflow/basic/localStep.expected
+++ b/python/ql/test/experimental/dataflow/basic/localStep.expected
@@ -1,9 +1,5 @@
-| test.py:0:0:0:0 | SSA variable $ | test.py:0:0:0:0 | Exit node for Module test |
-| test.py:1:19:1:19 | SSA variable x | test.py:1:1:1:21 | Exit node for Function obfuscated_id |
 | test.py:1:19:1:19 | SSA variable x | test.py:2:7:2:7 | ControlFlowNode for x |
-| test.py:2:3:2:3 | SSA variable y | test.py:1:1:1:21 | Exit node for Function obfuscated_id |
 | test.py:2:3:2:3 | SSA variable y | test.py:3:7:3:7 | ControlFlowNode for y |
 | test.py:2:7:2:7 | ControlFlowNode for x | test.py:2:3:2:3 | SSA variable y |
-| test.py:3:3:3:3 | SSA variable z | test.py:1:1:1:21 | Exit node for Function obfuscated_id |
 | test.py:3:3:3:3 | SSA variable z | test.py:4:10:4:10 | ControlFlowNode for z |
 | test.py:3:7:3:7 | ControlFlowNode for y | test.py:3:3:3:3 | SSA variable z |
--- a/python/ql/test/experimental/dataflow/basic/sinks.expected
+++ b/python/ql/test/experimental/dataflow/basic/sinks.expected
@@ -1,12 +1,8 @@
-| test.py:0:0:0:0 | Entry node for Module test |
-| test.py:0:0:0:0 | Exit node for Module test |
 | test.py:0:0:0:0 | GSSA Variable __name__ |
 | test.py:0:0:0:0 | GSSA Variable __package__ |
 | test.py:0:0:0:0 | GSSA Variable b |
 | test.py:0:0:0:0 | SSA variable $ |
 | test.py:1:1:1:21 | ControlFlowNode for FunctionExpr |
-| test.py:1:1:1:21 | Entry node for Function obfuscated_id |
-| test.py:1:1:1:21 | Exit node for Function obfuscated_id |
 | test.py:1:5:1:17 | ControlFlowNode for obfuscated_id |
 | test.py:1:5:1:17 | GSSA Variable obfuscated_id |
 | test.py:1:19:1:19 | ControlFlowNode for x |
@@ -17,7 +13,6 @@
 | test.py:3:3:3:3 | ControlFlowNode for z |
 | test.py:3:3:3:3 | SSA variable z |
 | test.py:3:7:3:7 | ControlFlowNode for y |
-| test.py:4:3:4:10 | ControlFlowNode for Return |
 | test.py:4:10:4:10 | ControlFlowNode for z |
 | test.py:6:1:6:1 | ControlFlowNode for a |
 | test.py:6:1:6:1 | GSSA Variable a |
--- a/python/ql/test/experimental/dataflow/basic/sources.expected
+++ b/python/ql/test/experimental/dataflow/basic/sources.expected
@@ -1,12 +1,8 @@
-| test.py:0:0:0:0 | Entry node for Module test |
-| test.py:0:0:0:0 | Exit node for Module test |
 | test.py:0:0:0:0 | GSSA Variable __name__ |
 | test.py:0:0:0:0 | GSSA Variable __package__ |
 | test.py:0:0:0:0 | GSSA Variable b |
 | test.py:0:0:0:0 | SSA variable $ |
 | test.py:1:1:1:21 | ControlFlowNode for FunctionExpr |
-| test.py:1:1:1:21 | Entry node for Function obfuscated_id |
-| test.py:1:1:1:21 | Exit node for Function obfuscated_id |
 | test.py:1:5:1:17 | ControlFlowNode for obfuscated_id |
 | test.py:1:5:1:17 | GSSA Variable obfuscated_id |
 | test.py:1:19:1:19 | ControlFlowNode for x |
@@ -17,7 +13,6 @@
 | test.py:3:3:3:3 | ControlFlowNode for z |
 | test.py:3:3:3:3 | SSA variable z |
 | test.py:3:7:3:7 | ControlFlowNode for y |
-| test.py:4:3:4:10 | ControlFlowNode for Return |
 | test.py:4:10:4:10 | ControlFlowNode for z |
 | test.py:6:1:6:1 | ControlFlowNode for a |
 | test.py:6:1:6:1 | GSSA Variable a |
--- a/python/ql/test/experimental/dataflow/basic/callGraphConfig.qll
+++ b/python/ql/test/experimental/dataflow/basic/callGraphConfig.qll
--- a/python/ql/test/experimental/dataflow/consistency/dataflow-consistency.expected
+++ b/python/ql/test/experimental/dataflow/consistency/dataflow-consistency.expected
@@ -1,12 +1,10 @@
 uniqueEnclosingCallable
-| test.py:0:0:0:0 | Exit node for Module test | Node should have one enclosing callable but has 0. |
 | test.py:0:0:0:0 | GSSA Variable __name__ | Node should have one enclosing callable but has 0. |
 | test.py:0:0:0:0 | GSSA Variable __package__ | Node should have one enclosing callable but has 0. |
 | test.py:0:0:0:0 | GSSA Variable test23 | Node should have one enclosing callable but has 0. |
 | test.py:0:0:0:0 | GSSA Variable test24 | Node should have one enclosing callable but has 0. |
 | test.py:0:0:0:0 | GSSA Variable test_truth | Node should have one enclosing callable but has 0. |
 | test.py:0:0:0:0 | GSSA Variable test_update_extend | Node should have one enclosing callable but has 0. |
-| test.py:0:0:0:0 | SSA variable $ | Node should have one enclosing callable but has 0. |
 | test.py:6:1:6:12 | ControlFlowNode for FunctionExpr | Node should have one enclosing callable but has 0. |
 | test.py:6:5:6:9 | GSSA Variable test1 | Node should have one enclosing callable but has 0. |
 | test.py:9:1:9:12 | ControlFlowNode for FunctionExpr | Node should have one enclosing callable but has 0. |
@@ -88,6 +86,8 @@ uniquePostUpdate
 postIsInSameCallable
 reverseRead
 storeIsPostUpdate
+| test.py:152:9:152:16 | ControlFlowNode for List | Store targets should be PostUpdateNodes. |
+| test.py:153:9:153:24 | ControlFlowNode for Dict | Store targets should be PostUpdateNodes. |
 argHasPostUpdate
 | test.py:25:10:25:10 | ControlFlowNode for t | ArgumentNode is missing PostUpdateNode. |
 | test.py:29:10:29:10 | ControlFlowNode for t | ArgumentNode is missing PostUpdateNode. |
@@ -101,3 +101,5 @@ argHasPostUpdate
 | test.py:74:17:74:17 | ControlFlowNode for t | ArgumentNode is missing PostUpdateNode. |
 | test.py:81:13:81:13 | ControlFlowNode for t | ArgumentNode is missing PostUpdateNode. |
 | test.py:86:13:86:13 | ControlFlowNode for t | ArgumentNode is missing PostUpdateNode. |
+| test.py:158:15:158:15 | ControlFlowNode for l | ArgumentNode is missing PostUpdateNode. |
+| test.py:159:15:159:15 | ControlFlowNode for d | ArgumentNode is missing PostUpdateNode. |
--- a/python/ql/test/experimental/dataflow/coverage/argumentRouting1.expected
+++ b/python/ql/test/experimental/dataflow/coverage/argumentRouting1.expected
@@ -0,0 +1,16 @@
+| classes.py:620:5:620:16 | SSA variable with_getitem | classes.py:614:15:614:18 | ControlFlowNode for self |
+| classes.py:637:5:637:16 | SSA variable with_setitem | classes.py:632:15:632:18 | ControlFlowNode for self |
+| classes.py:654:5:654:16 | SSA variable with_delitem | classes.py:649:15:649:18 | ControlFlowNode for self |
+| classes.py:735:5:735:12 | SSA variable with_add | classes.py:729:15:729:18 | ControlFlowNode for self |
+| classes.py:752:5:752:12 | SSA variable with_sub | classes.py:746:15:746:18 | ControlFlowNode for self |
+| classes.py:769:5:769:12 | SSA variable with_mul | classes.py:763:15:763:18 | ControlFlowNode for self |
+| classes.py:786:5:786:15 | SSA variable with_matmul | classes.py:780:15:780:18 | ControlFlowNode for self |
+| classes.py:803:5:803:16 | SSA variable with_truediv | classes.py:797:15:797:18 | ControlFlowNode for self |
+| classes.py:820:5:820:17 | SSA variable with_floordiv | classes.py:814:15:814:18 | ControlFlowNode for self |
+| classes.py:837:5:837:12 | SSA variable with_mod | classes.py:831:15:831:18 | ControlFlowNode for self |
+| classes.py:877:5:877:12 | SSA variable with_pow | classes.py:865:15:865:18 | ControlFlowNode for self |
+| classes.py:894:5:894:15 | SSA variable with_lshift | classes.py:888:15:888:18 | ControlFlowNode for self |
+| classes.py:911:5:911:15 | SSA variable with_rshift | classes.py:905:15:905:18 | ControlFlowNode for self |
+| classes.py:928:5:928:12 | SSA variable with_and | classes.py:922:15:922:18 | ControlFlowNode for self |
+| classes.py:945:5:945:12 | SSA variable with_xor | classes.py:939:15:939:18 | ControlFlowNode for self |
+| classes.py:962:5:962:11 | SSA variable with_or | classes.py:956:15:956:18 | ControlFlowNode for self |
--- a/python/ql/test/experimental/dataflow/coverage/argumentRouting1.ql
+++ b/python/ql/test/experimental/dataflow/coverage/argumentRouting1.ql
@@ -0,0 +1,31 @@
+import experimental.dataflow.DataFlow
+
+/**
+ * A configuration to check routing of arguments through magic methods.
+ */
+class ArgumentRoutingConfig extends DataFlow::Configuration {
+  ArgumentRoutingConfig() { this = "ArgumentRoutingConfig" }
+
+  override predicate isSource(DataFlow::Node node) {
+    exists(AssignmentDefinition def, DataFlow::DataFlowCall call |
+      def.getVariable() = node.(DataFlow::EssaNode).getVar() and
+      def.getValue() = call.getNode() and
+      call.getCallable().getName().matches("With\\_%")
+    ) and
+    node.(DataFlow::EssaNode).getVar().getName().matches("with\\_%")
+  }
+
+  override predicate isSink(DataFlow::Node node) {
+    exists(CallNode call |
+      call.getFunction().(NameNode).getId() = "SINK1" and
+      node.(DataFlow::CfgNode).getNode() = call.getAnArg()
+    )
+  }
+}
+
+from DataFlow::Node source, DataFlow::Node sink
+where
+  source.getLocation().getFile().getBaseName() = "classes.py" and
+  sink.getLocation().getFile().getBaseName() = "classes.py" and
+  exists(ArgumentRoutingConfig cfg | cfg.hasFlow(source, sink))
+select source, sink
--- a/python/ql/test/experimental/dataflow/coverage/argumentRouting2.expected
+++ b/python/ql/test/experimental/dataflow/coverage/argumentRouting2.expected
@@ -0,0 +1,16 @@
+| classes.py:622:18:622:21 | ControlFlowNode for arg2 | classes.py:613:15:613:17 | ControlFlowNode for key |
+| classes.py:640:18:640:21 | ControlFlowNode for arg2 | classes.py:631:15:631:17 | ControlFlowNode for key |
+| classes.py:656:22:656:25 | ControlFlowNode for arg2 | classes.py:648:15:648:17 | ControlFlowNode for key |
+| classes.py:737:16:737:19 | ControlFlowNode for arg2 | classes.py:728:15:728:19 | ControlFlowNode for other |
+| classes.py:754:16:754:19 | ControlFlowNode for arg2 | classes.py:745:15:745:19 | ControlFlowNode for other |
+| classes.py:771:16:771:19 | ControlFlowNode for arg2 | classes.py:762:15:762:19 | ControlFlowNode for other |
+| classes.py:788:19:788:22 | ControlFlowNode for arg2 | classes.py:779:15:779:19 | ControlFlowNode for other |
+| classes.py:805:20:805:23 | ControlFlowNode for arg2 | classes.py:796:15:796:19 | ControlFlowNode for other |
+| classes.py:822:22:822:25 | ControlFlowNode for arg2 | classes.py:813:15:813:19 | ControlFlowNode for other |
+| classes.py:839:16:839:19 | ControlFlowNode for arg2 | classes.py:830:15:830:19 | ControlFlowNode for other |
+| classes.py:879:17:879:20 | ControlFlowNode for arg2 | classes.py:864:15:864:19 | ControlFlowNode for other |
+| classes.py:896:20:896:23 | ControlFlowNode for arg2 | classes.py:887:15:887:19 | ControlFlowNode for other |
+| classes.py:913:20:913:23 | ControlFlowNode for arg2 | classes.py:904:15:904:19 | ControlFlowNode for other |
+| classes.py:930:16:930:19 | ControlFlowNode for arg2 | classes.py:921:15:921:19 | ControlFlowNode for other |
+| classes.py:947:16:947:19 | ControlFlowNode for arg2 | classes.py:938:15:938:19 | ControlFlowNode for other |
+| classes.py:964:15:964:18 | ControlFlowNode for arg2 | classes.py:955:15:955:19 | ControlFlowNode for other |
--- a/python/ql/test/experimental/dataflow/coverage/argumentRouting2.ql
+++ b/python/ql/test/experimental/dataflow/coverage/argumentRouting2.ql
@@ -0,0 +1,26 @@
+import experimental.dataflow.DataFlow
+
+/**
+ * A configuration to check routing of arguments through magic methods.
+ */
+class ArgumentRoutingConfig extends DataFlow::Configuration {
+  ArgumentRoutingConfig() { this = "ArgumentRoutingConfig" }
+
+  override predicate isSource(DataFlow::Node node) {
+    node.(DataFlow::CfgNode).getNode().(NameNode).getId() = "arg2"
+  }
+
+  override predicate isSink(DataFlow::Node node) {
+    exists(CallNode call |
+      call.getFunction().(NameNode).getId() = "SINK2" and
+      node.(DataFlow::CfgNode).getNode() = call.getAnArg()
+    )
+  }
+}
+
+from DataFlow::Node source, DataFlow::Node sink
+where
+  source.getLocation().getFile().getBaseName() = "classes.py" and
+  sink.getLocation().getFile().getBaseName() = "classes.py" and
+  exists(ArgumentRoutingConfig cfg | cfg.hasFlow(source, sink))
+select source, sink
--- a/python/ql/test/experimental/dataflow/coverage/argumentRouting3.expected
+++ b/python/ql/test/experimental/dataflow/coverage/argumentRouting3.expected
@@ -0,0 +1 @@
+| classes.py:640:26:640:29 | ControlFlowNode for arg3 | classes.py:630:15:630:19 | ControlFlowNode for value |
--- a/python/ql/test/experimental/dataflow/coverage/argumentRouting3.ql
+++ b/python/ql/test/experimental/dataflow/coverage/argumentRouting3.ql
@@ -0,0 +1,26 @@
+import experimental.dataflow.DataFlow
+
+/**
+ * A configuration to check routing of arguments through magic methods.
+ */
+class ArgumentRoutingConfig extends DataFlow::Configuration {
+  ArgumentRoutingConfig() { this = "ArgumentRoutingConfig" }
+
+  override predicate isSource(DataFlow::Node node) {
+    node.(DataFlow::CfgNode).getNode().(NameNode).getId() = "arg3"
+  }
+
+  override predicate isSink(DataFlow::Node node) {
+    exists(CallNode call |
+      call.getFunction().(NameNode).getId() = "SINK3" and
+      node.(DataFlow::CfgNode).getNode() = call.getAnArg()
+    )
+  }
+}
+
+from DataFlow::Node source, DataFlow::Node sink
+where
+  source.getLocation().getFile().getBaseName() = "classes.py" and
+  sink.getLocation().getFile().getBaseName() = "classes.py" and
+  exists(ArgumentRoutingConfig cfg | cfg.hasFlow(source, sink))
+select source, sink
--- a/python/ql/test/experimental/dataflow/coverage/argumentRouting4.expected
+++ b/python/ql/test/experimental/dataflow/coverage/argumentRouting4.expected
--- a/python/ql/test/experimental/dataflow/coverage/argumentRouting4.ql
+++ b/python/ql/test/experimental/dataflow/coverage/argumentRouting4.ql
@@ -0,0 +1,26 @@
+import experimental.dataflow.DataFlow
+
+/**
+ * A configuration to check routing of arguments through magic methods.
+ */
+class ArgumentRoutingConfig extends DataFlow::Configuration {
+  ArgumentRoutingConfig() { this = "ArgumentRoutingConfig" }
+
+  override predicate isSource(DataFlow::Node node) {
+    node.(DataFlow::CfgNode).getNode().(NameNode).getId() = "arg4"
+  }
+
+  override predicate isSink(DataFlow::Node node) {
+    exists(CallNode call |
+      call.getFunction().(NameNode).getId() = "SINK4" and
+      node.(DataFlow::CfgNode).getNode() = call.getAnArg()
+    )
+  }
+}
+
+from DataFlow::Node source, DataFlow::Node sink
+where
+  source.getLocation().getFile().getBaseName() = "classes.py" and
+  sink.getLocation().getFile().getBaseName() = "classes.py" and
+  exists(ArgumentRoutingConfig cfg | cfg.hasFlow(source, sink))
+select source, sink
--- a/python/ql/test/experimental/dataflow/coverage/classes.py
+++ b/python/ql/test/experimental/dataflow/coverage/classes.py
--- a/python/ql/test/experimental/dataflow/coverage/classesCallGraph.expected
+++ b/python/ql/test/experimental/dataflow/coverage/classesCallGraph.expected
@@ -0,0 +1,39 @@
+| classes.py:41:16:41:35 | ControlFlowNode for Attribute() | classes.py:41:16:41:35 | ControlFlowNode for Attribute() |
+| classes.py:264:9:264:24 | ControlFlowNode for set() | classes.py:264:9:264:24 | ControlFlowNode for set() |
+| classes.py:269:9:269:30 | ControlFlowNode for frozenset() | classes.py:269:9:269:30 | ControlFlowNode for frozenset() |
+| classes.py:274:9:274:28 | ControlFlowNode for dict() | classes.py:274:9:274:28 | ControlFlowNode for dict() |
+| classes.py:454:29:454:52 | ControlFlowNode for dict() | classes.py:454:29:454:52 | ControlFlowNode for dict() |
+| classes.py:622:5:622:16 | ControlFlowNode for with_getitem | classes.py:612:21:612:24 | SSA variable self |
+| classes.py:622:18:622:21 | ControlFlowNode for arg2 | classes.py:612:27:612:29 | SSA variable key |
+| classes.py:640:5:640:16 | ControlFlowNode for with_setitem | classes.py:629:21:629:24 | SSA variable self |
+| classes.py:640:18:640:21 | ControlFlowNode for arg2 | classes.py:629:27:629:29 | SSA variable key |
+| classes.py:640:26:640:29 | ControlFlowNode for arg3 | classes.py:629:32:629:36 | SSA variable value |
+| classes.py:656:9:656:20 | ControlFlowNode for with_delitem | classes.py:647:21:647:24 | SSA variable self |
+| classes.py:656:22:656:25 | ControlFlowNode for arg2 | classes.py:647:27:647:29 | SSA variable key |
+| classes.py:683:16:683:28 | ControlFlowNode for Attribute() | classes.py:683:16:683:28 | ControlFlowNode for Attribute() |
+| classes.py:737:5:737:12 | ControlFlowNode for with_add | classes.py:727:17:727:20 | SSA variable self |
+| classes.py:737:16:737:19 | ControlFlowNode for arg2 | classes.py:727:23:727:27 | SSA variable other |
+| classes.py:754:5:754:12 | ControlFlowNode for with_sub | classes.py:744:17:744:20 | SSA variable self |
+| classes.py:754:16:754:19 | ControlFlowNode for arg2 | classes.py:744:23:744:27 | SSA variable other |
+| classes.py:771:5:771:12 | ControlFlowNode for with_mul | classes.py:761:17:761:20 | SSA variable self |
+| classes.py:771:16:771:19 | ControlFlowNode for arg2 | classes.py:761:23:761:27 | SSA variable other |
+| classes.py:788:5:788:15 | ControlFlowNode for with_matmul | classes.py:778:20:778:23 | SSA variable self |
+| classes.py:788:19:788:22 | ControlFlowNode for arg2 | classes.py:778:26:778:30 | SSA variable other |
+| classes.py:805:5:805:16 | ControlFlowNode for with_truediv | classes.py:795:21:795:24 | SSA variable self |
+| classes.py:805:20:805:23 | ControlFlowNode for arg2 | classes.py:795:27:795:31 | SSA variable other |
+| classes.py:822:5:822:17 | ControlFlowNode for with_floordiv | classes.py:812:22:812:25 | SSA variable self |
+| classes.py:822:22:822:25 | ControlFlowNode for arg2 | classes.py:812:28:812:32 | SSA variable other |
+| classes.py:839:5:839:12 | ControlFlowNode for with_mod | classes.py:829:17:829:20 | SSA variable self |
+| classes.py:839:16:839:19 | ControlFlowNode for arg2 | classes.py:829:23:829:27 | SSA variable other |
+| classes.py:879:5:879:12 | ControlFlowNode for with_pow | classes.py:863:17:863:20 | SSA variable self |
+| classes.py:879:17:879:20 | ControlFlowNode for arg2 | classes.py:863:23:863:27 | SSA variable other |
+| classes.py:896:5:896:15 | ControlFlowNode for with_lshift | classes.py:886:20:886:23 | SSA variable self |
+| classes.py:896:20:896:23 | ControlFlowNode for arg2 | classes.py:886:26:886:30 | SSA variable other |
+| classes.py:913:5:913:15 | ControlFlowNode for with_rshift | classes.py:903:20:903:23 | SSA variable self |
+| classes.py:913:20:913:23 | ControlFlowNode for arg2 | classes.py:903:26:903:30 | SSA variable other |
+| classes.py:930:5:930:12 | ControlFlowNode for with_and | classes.py:920:17:920:20 | SSA variable self |
+| classes.py:930:16:930:19 | ControlFlowNode for arg2 | classes.py:920:23:920:27 | SSA variable other |
+| classes.py:947:5:947:12 | ControlFlowNode for with_xor | classes.py:937:17:937:20 | SSA variable self |
+| classes.py:947:16:947:19 | ControlFlowNode for arg2 | classes.py:937:23:937:27 | SSA variable other |
+| classes.py:964:5:964:11 | ControlFlowNode for with_or | classes.py:954:16:954:19 | SSA variable self |
+| classes.py:964:15:964:18 | ControlFlowNode for arg2 | classes.py:954:22:954:26 | SSA variable other |
--- a/python/ql/test/experimental/dataflow/coverage/classesCallGraph.ql
+++ b/python/ql/test/experimental/dataflow/coverage/classesCallGraph.ql
@@ -0,0 +1,36 @@
+import experimental.dataflow.DataFlow
+
+/**
+ * A configuration to find the call graph edges.
+ */
+class CallGraphConfig extends DataFlow::Configuration {
+  CallGraphConfig() { this = "CallGraphConfig" }
+
+  override predicate isSource(DataFlow::Node node) {
+    node instanceof DataFlow::ReturnNode
+    or
+    // These sources should allow for the non-standard call syntax
+    node instanceof DataFlow::ArgumentNode
+  }
+
+  override predicate isSink(DataFlow::Node node) {
+    node instanceof DataFlow::OutNode
+    or
+    node instanceof DataFlow::ParameterNode and
+    // exclude parameters to the SINK-functions
+    not exists(DataFlow::DataFlowCallable c |
+      node.(DataFlow::ParameterNode).isParameterOf(c, _) and
+      c.getName().matches("SINK_")
+    )
+  }
+}
+
+from DataFlow::Node source, DataFlow::Node sink
+where
+  source.getLocation().getFile().getBaseName() = "classes.py" and
+  sink.getLocation().getFile().getBaseName() = "classes.py" and
+  exists(CallGraphConfig cfg | cfg.hasFlow(source, sink))
+select source, sink
+// Ideally, we would just have 1-step paths either from argument to parameter
+// or from return to call. This gives a bit more, so should be rewritten.
+// We should also consider splitting this into two, one for each direction.
--- a/python/ql/test/experimental/dataflow/coverage/dataflow.expected
+++ b/python/ql/test/experimental/dataflow/coverage/dataflow.expected
@@ -1,6 +1,303 @@
-| test.py:20:9:20:14 | ControlFlowNode for SOURCE | test.py:21:10:21:10 | ControlFlowNode for x |
-| test.py:25:9:25:16 | ControlFlowNode for Str | test.py:26:10:26:10 | ControlFlowNode for x |
-| test.py:29:9:29:17 | ControlFlowNode for Str | test.py:30:10:30:10 | ControlFlowNode for x |
-| test.py:33:9:33:10 | ControlFlowNode for IntegerLiteral | test.py:34:10:34:10 | ControlFlowNode for x |
-| test.py:37:9:37:12 | ControlFlowNode for FloatLiteral | test.py:38:10:38:10 | ControlFlowNode for x |
-| test.py:46:10:46:15 | ControlFlowNode for SOURCE | test.py:47:10:47:10 | ControlFlowNode for x |
+edges
+| datamodel.py:13:1:13:6 | GSSA Variable SOURCE | datamodel.py:38:6:38:17 | ControlFlowNode for f() |
+| datamodel.py:13:1:13:6 | GSSA Variable SOURCE | datamodel.py:38:6:38:17 | GSSA Variable SOURCE |
+| datamodel.py:13:1:13:6 | GSSA Variable SOURCE | datamodel.py:38:8:38:13 | ControlFlowNode for SOURCE |
+| datamodel.py:13:10:13:17 | ControlFlowNode for Str | datamodel.py:13:1:13:6 | GSSA Variable SOURCE |
+| datamodel.py:38:6:38:17 | GSSA Variable SOURCE | datamodel.py:65:5:65:7 | ControlFlowNode for C() |
+| datamodel.py:38:6:38:17 | GSSA Variable SOURCE | datamodel.py:71:6:71:24 | ControlFlowNode for Attribute() |
+| datamodel.py:38:6:38:17 | GSSA Variable SOURCE | datamodel.py:71:6:71:24 | GSSA Variable SOURCE |
+| datamodel.py:38:6:38:17 | GSSA Variable SOURCE | datamodel.py:71:15:71:20 | ControlFlowNode for SOURCE |
+| datamodel.py:38:8:38:13 | ControlFlowNode for SOURCE | datamodel.py:38:6:38:17 | ControlFlowNode for f() |
+| datamodel.py:65:1:65:1 | GSSA Variable c | datamodel.py:71:6:71:24 | ControlFlowNode for Attribute() |
+| datamodel.py:65:1:65:1 | GSSA Variable c | datamodel.py:71:6:71:24 | GSSA Variable c |
+| datamodel.py:65:5:65:7 | ControlFlowNode for C() | datamodel.py:65:1:65:1 | GSSA Variable c |
+| datamodel.py:71:6:71:24 | GSSA Variable SOURCE | datamodel.py:72:6:72:27 | ControlFlowNode for Attribute() |
+| datamodel.py:71:6:71:24 | GSSA Variable SOURCE | datamodel.py:72:18:72:23 | ControlFlowNode for SOURCE |
+| datamodel.py:71:6:71:24 | GSSA Variable SOURCE | datamodel.py:73:6:73:27 | ControlFlowNode for func_obj() |
+| datamodel.py:71:6:71:24 | GSSA Variable SOURCE | datamodel.py:80:6:80:26 | ControlFlowNode for Attribute() |
+| datamodel.py:71:6:71:24 | GSSA Variable SOURCE | datamodel.py:80:6:80:26 | GSSA Variable SOURCE |
+| datamodel.py:71:6:71:24 | GSSA Variable SOURCE | datamodel.py:80:20:80:25 | ControlFlowNode for SOURCE |
+| datamodel.py:71:6:71:24 | GSSA Variable c | datamodel.py:72:6:72:27 | ControlFlowNode for Attribute() |
+| datamodel.py:71:6:71:24 | GSSA Variable c | datamodel.py:72:6:72:27 | GSSA Variable c |
+| datamodel.py:71:15:71:20 | ControlFlowNode for SOURCE | datamodel.py:71:6:71:24 | ControlFlowNode for Attribute() |
+| datamodel.py:72:6:72:27 | GSSA Variable c | datamodel.py:73:6:73:27 | ControlFlowNode for func_obj() |
+| datamodel.py:72:6:72:27 | GSSA Variable c | datamodel.py:73:6:73:27 | GSSA Variable c |
+| datamodel.py:72:18:72:23 | ControlFlowNode for SOURCE | datamodel.py:72:6:72:27 | ControlFlowNode for Attribute() |
+| datamodel.py:73:6:73:27 | GSSA Variable c | datamodel.py:80:6:80:26 | ControlFlowNode for Attribute() |
+| datamodel.py:73:6:73:27 | GSSA Variable c | datamodel.py:80:6:80:26 | GSSA Variable c |
+| datamodel.py:80:6:80:26 | GSSA Variable SOURCE | datamodel.py:81:6:81:26 | ControlFlowNode for Attribute() |
+| datamodel.py:80:6:80:26 | GSSA Variable SOURCE | datamodel.py:81:6:81:26 | GSSA Variable SOURCE |
+| datamodel.py:80:6:80:26 | GSSA Variable SOURCE | datamodel.py:81:20:81:25 | ControlFlowNode for SOURCE |
+| datamodel.py:80:6:80:26 | GSSA Variable c | datamodel.py:81:6:81:26 | ControlFlowNode for Attribute() |
+| datamodel.py:80:6:80:26 | GSSA Variable c | datamodel.py:82:6:82:26 | ControlFlowNode for c_func_obj() |
+| datamodel.py:80:6:80:26 | GSSA Variable c | datamodel.py:92:8:92:21 | ControlFlowNode for gen() |
+| datamodel.py:80:6:80:26 | GSSA Variable c | datamodel.py:93:6:93:20 | ControlFlowNode for Attribute() |
+| datamodel.py:80:6:80:26 | GSSA Variable c | datamodel.py:96:9:96:24 | ControlFlowNode for Attribute() |
+| datamodel.py:80:6:80:26 | GSSA Variable c | datamodel.py:96:9:96:24 | GSSA Variable c |
+| datamodel.py:80:20:80:25 | ControlFlowNode for SOURCE | datamodel.py:80:6:80:26 | ControlFlowNode for Attribute() |
+| datamodel.py:81:6:81:26 | GSSA Variable SOURCE | datamodel.py:82:6:82:26 | ControlFlowNode for c_func_obj() |
+| datamodel.py:81:6:81:26 | GSSA Variable SOURCE | datamodel.py:92:8:92:21 | ControlFlowNode for gen() |
+| datamodel.py:81:6:81:26 | GSSA Variable SOURCE | datamodel.py:92:8:92:21 | GSSA Variable SOURCE |
+| datamodel.py:81:20:81:25 | ControlFlowNode for SOURCE | datamodel.py:81:6:81:26 | ControlFlowNode for Attribute() |
+| datamodel.py:92:1:92:4 | GSSA Variable iter | datamodel.py:93:6:93:20 | ControlFlowNode for Attribute() |
+| datamodel.py:92:1:92:4 | GSSA Variable iter | datamodel.py:93:6:93:20 | GSSA Variable iter |
+| datamodel.py:92:8:92:21 | ControlFlowNode for gen() | datamodel.py:92:1:92:4 | GSSA Variable iter |
+| datamodel.py:92:8:92:21 | GSSA Variable SOURCE | datamodel.py:93:6:93:20 | ControlFlowNode for Attribute() |
+| datamodel.py:92:8:92:21 | GSSA Variable SOURCE | datamodel.py:96:9:96:24 | ControlFlowNode for Attribute() |
+| datamodel.py:92:8:92:21 | GSSA Variable SOURCE | datamodel.py:96:9:96:24 | GSSA Variable SOURCE |
+| datamodel.py:93:6:93:20 | GSSA Variable iter | datamodel.py:96:9:96:24 | ControlFlowNode for Attribute() |
+| datamodel.py:93:6:93:20 | GSSA Variable iter | datamodel.py:97:6:97:21 | ControlFlowNode for Attribute() |
+| datamodel.py:93:6:93:20 | GSSA Variable iter | datamodel.py:106:6:106:30 | ControlFlowNode for Attribute() |
+| datamodel.py:93:6:93:20 | GSSA Variable iter | datamodel.py:107:6:107:32 | ControlFlowNode for Attribute() |
+| datamodel.py:93:6:93:20 | GSSA Variable iter | datamodel.py:119:6:119:30 | ControlFlowNode for Attribute() |
+| datamodel.py:96:1:96:5 | GSSA Variable oiter | datamodel.py:97:6:97:21 | ControlFlowNode for Attribute() |
+| datamodel.py:96:1:96:5 | GSSA Variable oiter | datamodel.py:97:6:97:21 | GSSA Variable oiter |
+| datamodel.py:96:9:96:24 | ControlFlowNode for Attribute() | datamodel.py:96:1:96:5 | GSSA Variable oiter |
+| datamodel.py:96:9:96:24 | GSSA Variable SOURCE | datamodel.py:97:6:97:21 | ControlFlowNode for Attribute() |
+| datamodel.py:96:9:96:24 | GSSA Variable SOURCE | datamodel.py:106:18:106:29 | GSSA Variable SOURCE |
+| datamodel.py:96:9:96:24 | GSSA Variable c | datamodel.py:97:6:97:21 | ControlFlowNode for Attribute() |
+| datamodel.py:96:9:96:24 | GSSA Variable c | datamodel.py:106:6:106:30 | ControlFlowNode for Attribute() |
+| datamodel.py:96:9:96:24 | GSSA Variable c | datamodel.py:107:18:107:31 | GSSA Variable c |
+| datamodel.py:97:6:97:21 | GSSA Variable oiter | datamodel.py:106:6:106:30 | ControlFlowNode for Attribute() |
+| datamodel.py:97:6:97:21 | GSSA Variable oiter | datamodel.py:107:6:107:32 | ControlFlowNode for Attribute() |
+| datamodel.py:97:6:97:21 | GSSA Variable oiter | datamodel.py:119:6:119:30 | ControlFlowNode for Attribute() |
+| datamodel.py:106:18:106:29 | GSSA Variable SOURCE | datamodel.py:106:6:106:30 | ControlFlowNode for Attribute() |
+| datamodel.py:106:18:106:29 | GSSA Variable SOURCE | datamodel.py:107:18:107:31 | GSSA Variable SOURCE |
+| datamodel.py:107:18:107:31 | GSSA Variable SOURCE | datamodel.py:107:6:107:32 | ControlFlowNode for Attribute() |
+| datamodel.py:107:18:107:31 | GSSA Variable SOURCE | datamodel.py:119:18:119:29 | GSSA Variable SOURCE |
+| datamodel.py:107:18:107:31 | GSSA Variable c | datamodel.py:107:6:107:32 | ControlFlowNode for Attribute() |
+| datamodel.py:107:18:107:31 | GSSA Variable c | datamodel.py:119:6:119:30 | ControlFlowNode for Attribute() |
+| datamodel.py:119:18:119:29 | GSSA Variable SOURCE | datamodel.py:119:6:119:30 | ControlFlowNode for Attribute() |
+| test.py:32:10:32:26 | ControlFlowNode for Tuple [Tuple element at index 1] | test.py:33:9:33:9 | ControlFlowNode for x [Tuple element at index 1] |
+| test.py:32:21:32:26 | ControlFlowNode for SOURCE | test.py:32:10:32:26 | ControlFlowNode for Tuple [Tuple element at index 1] |
+| test.py:33:9:33:9 | ControlFlowNode for x [Tuple element at index 1] | test.py:33:9:33:12 | ControlFlowNode for Subscript |
+| test.py:33:9:33:12 | ControlFlowNode for Subscript | test.py:34:10:34:10 | ControlFlowNode for y |
+| test.py:43:9:43:14 | ControlFlowNode for SOURCE | test.py:44:10:44:10 | ControlFlowNode for x |
+| test.py:48:9:48:16 | ControlFlowNode for Str | test.py:49:10:49:10 | ControlFlowNode for x |
+| test.py:52:9:52:17 | ControlFlowNode for Str | test.py:53:10:53:10 | ControlFlowNode for x |
+| test.py:56:9:56:10 | ControlFlowNode for IntegerLiteral | test.py:57:10:57:10 | ControlFlowNode for x |
+| test.py:60:9:60:12 | ControlFlowNode for FloatLiteral | test.py:61:10:61:10 | ControlFlowNode for x |
+| test.py:69:10:69:15 | ControlFlowNode for SOURCE | test.py:70:10:70:10 | ControlFlowNode for x |
+| test.py:74:9:74:16 | ControlFlowNode for List [List element] | test.py:75:10:75:10 | ControlFlowNode for x [List element] |
+| test.py:74:10:74:15 | ControlFlowNode for SOURCE | test.py:74:9:74:16 | ControlFlowNode for List [List element] |
+| test.py:75:10:75:10 | ControlFlowNode for x [List element] | test.py:75:10:75:13 | ControlFlowNode for Subscript |
+| test.py:82:9:82:37 | ControlFlowNode for ListComp [List element] | test.py:83:10:83:10 | ControlFlowNode for x [List element] |
+| test.py:82:10:82:15 | ControlFlowNode for SOURCE | test.py:82:9:82:37 | ControlFlowNode for ListComp [List element] |
+| test.py:83:10:83:10 | ControlFlowNode for x [List element] | test.py:83:10:83:13 | ControlFlowNode for Subscript |
+| test.py:86:9:86:29 | ControlFlowNode for ListComp [List element] | test.py:87:10:87:10 | ControlFlowNode for x [List element] |
+| test.py:86:10:86:10 | ControlFlowNode for y | test.py:86:9:86:29 | ControlFlowNode for ListComp [List element] |
+| test.py:86:16:86:16 | SSA variable y | test.py:86:10:86:10 | ControlFlowNode for y |
+| test.py:86:21:86:28 | ControlFlowNode for List [List element] | test.py:86:16:86:16 | SSA variable y |
+| test.py:86:22:86:27 | ControlFlowNode for SOURCE | test.py:86:21:86:28 | ControlFlowNode for List [List element] |
+| test.py:87:10:87:10 | ControlFlowNode for x [List element] | test.py:87:10:87:13 | ControlFlowNode for Subscript |
+| test.py:90:9:90:16 | ControlFlowNode for List [List element] | test.py:91:21:91:21 | ControlFlowNode for l [List element] |
+| test.py:90:10:90:15 | ControlFlowNode for SOURCE | test.py:90:9:90:16 | ControlFlowNode for List [List element] |
+| test.py:91:9:91:22 | ControlFlowNode for ListComp [List element] | test.py:92:10:92:10 | ControlFlowNode for x [List element] |
+| test.py:91:10:91:10 | ControlFlowNode for y | test.py:91:9:91:22 | ControlFlowNode for ListComp [List element] |
+| test.py:91:16:91:16 | SSA variable y | test.py:91:10:91:10 | ControlFlowNode for y |
+| test.py:91:21:91:21 | ControlFlowNode for l [List element] | test.py:91:16:91:16 | SSA variable y |
+| test.py:92:10:92:10 | ControlFlowNode for x [List element] | test.py:92:10:92:13 | ControlFlowNode for Subscript |
+| test.py:100:9:100:16 | ControlFlowNode for Set [List element] | test.py:101:10:101:10 | ControlFlowNode for x [List element] |
+| test.py:100:10:100:15 | ControlFlowNode for SOURCE | test.py:100:9:100:16 | ControlFlowNode for Set [List element] |
+| test.py:101:10:101:10 | ControlFlowNode for x [List element] | test.py:101:10:101:16 | ControlFlowNode for Attribute() |
+| test.py:104:9:104:37 | ControlFlowNode for SetComp [Set element] | test.py:105:10:105:10 | ControlFlowNode for x [Set element] |
+| test.py:104:10:104:15 | ControlFlowNode for SOURCE | test.py:104:9:104:37 | ControlFlowNode for SetComp [Set element] |
+| test.py:105:10:105:10 | ControlFlowNode for x [Set element] | test.py:105:10:105:16 | ControlFlowNode for Attribute() |
+| test.py:108:9:108:29 | ControlFlowNode for SetComp [Set element] | test.py:109:10:109:10 | ControlFlowNode for x [Set element] |
+| test.py:108:10:108:10 | ControlFlowNode for y | test.py:108:9:108:29 | ControlFlowNode for SetComp [Set element] |
+| test.py:108:16:108:16 | SSA variable y | test.py:108:10:108:10 | ControlFlowNode for y |
+| test.py:108:21:108:28 | ControlFlowNode for List [List element] | test.py:108:16:108:16 | SSA variable y |
+| test.py:108:22:108:27 | ControlFlowNode for SOURCE | test.py:108:21:108:28 | ControlFlowNode for List [List element] |
+| test.py:109:10:109:10 | ControlFlowNode for x [Set element] | test.py:109:10:109:16 | ControlFlowNode for Attribute() |
+| test.py:112:9:112:16 | ControlFlowNode for Set [List element] | test.py:113:21:113:21 | ControlFlowNode for l [List element] |
+| test.py:112:10:112:15 | ControlFlowNode for SOURCE | test.py:112:9:112:16 | ControlFlowNode for Set [List element] |
+| test.py:113:9:113:22 | ControlFlowNode for SetComp [Set element] | test.py:114:10:114:10 | ControlFlowNode for x [Set element] |
+| test.py:113:10:113:10 | ControlFlowNode for y | test.py:113:9:113:22 | ControlFlowNode for SetComp [Set element] |
+| test.py:113:16:113:16 | SSA variable y | test.py:113:10:113:10 | ControlFlowNode for y |
+| test.py:113:21:113:21 | ControlFlowNode for l [List element] | test.py:113:16:113:16 | SSA variable y |
+| test.py:114:10:114:10 | ControlFlowNode for x [Set element] | test.py:114:10:114:16 | ControlFlowNode for Attribute() |
+| test.py:122:9:122:21 | ControlFlowNode for Dict [Dictionary element at key s] | test.py:123:10:123:10 | ControlFlowNode for x [Dictionary element at key s] |
+| test.py:122:15:122:20 | ControlFlowNode for SOURCE | test.py:122:9:122:21 | ControlFlowNode for Dict [Dictionary element at key s] |
+| test.py:123:10:123:10 | ControlFlowNode for x [Dictionary element at key s] | test.py:123:10:123:15 | ControlFlowNode for Subscript |
+| test.py:126:9:126:21 | ControlFlowNode for Dict [Dictionary element at key s] | test.py:127:10:127:10 | ControlFlowNode for x [Dictionary element at key s] |
+| test.py:126:15:126:20 | ControlFlowNode for SOURCE | test.py:126:9:126:21 | ControlFlowNode for Dict [Dictionary element at key s] |
+| test.py:127:10:127:10 | ControlFlowNode for x [Dictionary element at key s] | test.py:127:10:127:19 | ControlFlowNode for Attribute() |
+| test.py:252:11:252:16 | ControlFlowNode for SOURCE | test.py:252:11:252:17 | ControlFlowNode for Tuple [Tuple element at index 0] |
+| test.py:252:11:252:17 | ControlFlowNode for Tuple [Tuple element at index 0] | test.py:252:10:252:21 | ControlFlowNode for Subscript |
+| test.py:255:10:255:17 | ControlFlowNode for List [List element] | test.py:255:10:255:20 | ControlFlowNode for Subscript |
+| test.py:255:11:255:16 | ControlFlowNode for SOURCE | test.py:255:10:255:17 | ControlFlowNode for List [List element] |
+| test.py:258:10:258:21 | ControlFlowNode for Dict [Dictionary element at key s] | test.py:258:10:258:26 | ControlFlowNode for Subscript |
+| test.py:258:15:258:20 | ControlFlowNode for SOURCE | test.py:258:10:258:21 | ControlFlowNode for Dict [Dictionary element at key s] |
+| test.py:276:28:276:33 | ControlFlowNode for SOURCE | test.py:276:10:276:34 | ControlFlowNode for second() |
+| test.py:335:12:335:17 | ControlFlowNode for SOURCE | test.py:335:10:335:18 | ControlFlowNode for f() |
+| test.py:339:28:339:33 | ControlFlowNode for SOURCE | test.py:339:10:339:34 | ControlFlowNode for second() |
+nodes
+| datamodel.py:13:1:13:6 | GSSA Variable SOURCE | semmle.label | GSSA Variable SOURCE |
+| datamodel.py:13:10:13:17 | ControlFlowNode for Str | semmle.label | ControlFlowNode for Str |
+| datamodel.py:38:6:38:17 | ControlFlowNode for f() | semmle.label | ControlFlowNode for f() |
+| datamodel.py:38:6:38:17 | GSSA Variable SOURCE | semmle.label | GSSA Variable SOURCE |
+| datamodel.py:38:8:38:13 | ControlFlowNode for SOURCE | semmle.label | ControlFlowNode for SOURCE |
+| datamodel.py:65:1:65:1 | GSSA Variable c | semmle.label | GSSA Variable c |
+| datamodel.py:65:5:65:7 | ControlFlowNode for C() | semmle.label | ControlFlowNode for C() |
+| datamodel.py:71:6:71:24 | ControlFlowNode for Attribute() | semmle.label | ControlFlowNode for Attribute() |
+| datamodel.py:71:6:71:24 | GSSA Variable SOURCE | semmle.label | GSSA Variable SOURCE |
+| datamodel.py:71:6:71:24 | GSSA Variable c | semmle.label | GSSA Variable c |
+| datamodel.py:71:15:71:20 | ControlFlowNode for SOURCE | semmle.label | ControlFlowNode for SOURCE |
+| datamodel.py:72:6:72:27 | ControlFlowNode for Attribute() | semmle.label | ControlFlowNode for Attribute() |
+| datamodel.py:72:6:72:27 | GSSA Variable c | semmle.label | GSSA Variable c |
+| datamodel.py:72:18:72:23 | ControlFlowNode for SOURCE | semmle.label | ControlFlowNode for SOURCE |
+| datamodel.py:73:6:73:27 | ControlFlowNode for func_obj() | semmle.label | ControlFlowNode for func_obj() |
+| datamodel.py:73:6:73:27 | GSSA Variable c | semmle.label | GSSA Variable c |
+| datamodel.py:80:6:80:26 | ControlFlowNode for Attribute() | semmle.label | ControlFlowNode for Attribute() |
+| datamodel.py:80:6:80:26 | GSSA Variable SOURCE | semmle.label | GSSA Variable SOURCE |
+| datamodel.py:80:6:80:26 | GSSA Variable c | semmle.label | GSSA Variable c |
+| datamodel.py:80:20:80:25 | ControlFlowNode for SOURCE | semmle.label | ControlFlowNode for SOURCE |
+| datamodel.py:81:6:81:26 | ControlFlowNode for Attribute() | semmle.label | ControlFlowNode for Attribute() |
+| datamodel.py:81:6:81:26 | GSSA Variable SOURCE | semmle.label | GSSA Variable SOURCE |
+| datamodel.py:81:20:81:25 | ControlFlowNode for SOURCE | semmle.label | ControlFlowNode for SOURCE |
+| datamodel.py:82:6:82:26 | ControlFlowNode for c_func_obj() | semmle.label | ControlFlowNode for c_func_obj() |
+| datamodel.py:92:1:92:4 | GSSA Variable iter | semmle.label | GSSA Variable iter |
+| datamodel.py:92:8:92:21 | ControlFlowNode for gen() | semmle.label | ControlFlowNode for gen() |
+| datamodel.py:92:8:92:21 | GSSA Variable SOURCE | semmle.label | GSSA Variable SOURCE |
+| datamodel.py:93:6:93:20 | ControlFlowNode for Attribute() | semmle.label | ControlFlowNode for Attribute() |
+| datamodel.py:93:6:93:20 | GSSA Variable iter | semmle.label | GSSA Variable iter |
+| datamodel.py:96:1:96:5 | GSSA Variable oiter | semmle.label | GSSA Variable oiter |
+| datamodel.py:96:9:96:24 | ControlFlowNode for Attribute() | semmle.label | ControlFlowNode for Attribute() |
+| datamodel.py:96:9:96:24 | GSSA Variable SOURCE | semmle.label | GSSA Variable SOURCE |
+| datamodel.py:96:9:96:24 | GSSA Variable c | semmle.label | GSSA Variable c |
+| datamodel.py:97:6:97:21 | ControlFlowNode for Attribute() | semmle.label | ControlFlowNode for Attribute() |
+| datamodel.py:97:6:97:21 | GSSA Variable oiter | semmle.label | GSSA Variable oiter |
+| datamodel.py:106:6:106:30 | ControlFlowNode for Attribute() | semmle.label | ControlFlowNode for Attribute() |
+| datamodel.py:106:18:106:29 | GSSA Variable SOURCE | semmle.label | GSSA Variable SOURCE |
+| datamodel.py:107:6:107:32 | ControlFlowNode for Attribute() | semmle.label | ControlFlowNode for Attribute() |
+| datamodel.py:107:18:107:31 | GSSA Variable SOURCE | semmle.label | GSSA Variable SOURCE |
+| datamodel.py:107:18:107:31 | GSSA Variable c | semmle.label | GSSA Variable c |
+| datamodel.py:119:6:119:30 | ControlFlowNode for Attribute() | semmle.label | ControlFlowNode for Attribute() |
+| datamodel.py:119:18:119:29 | GSSA Variable SOURCE | semmle.label | GSSA Variable SOURCE |
+| test.py:32:10:32:26 | ControlFlowNode for Tuple [Tuple element at index 1] | semmle.label | ControlFlowNode for Tuple [Tuple element at index 1] |
+| test.py:32:21:32:26 | ControlFlowNode for SOURCE | semmle.label | ControlFlowNode for SOURCE |
+| test.py:33:9:33:9 | ControlFlowNode for x [Tuple element at index 1] | semmle.label | ControlFlowNode for x [Tuple element at index 1] |
+| test.py:33:9:33:12 | ControlFlowNode for Subscript | semmle.label | ControlFlowNode for Subscript |
+| test.py:34:10:34:10 | ControlFlowNode for y | semmle.label | ControlFlowNode for y |
+| test.py:43:9:43:14 | ControlFlowNode for SOURCE | semmle.label | ControlFlowNode for SOURCE |
+| test.py:44:10:44:10 | ControlFlowNode for x | semmle.label | ControlFlowNode for x |
+| test.py:48:9:48:16 | ControlFlowNode for Str | semmle.label | ControlFlowNode for Str |
+| test.py:49:10:49:10 | ControlFlowNode for x | semmle.label | ControlFlowNode for x |
+| test.py:52:9:52:17 | ControlFlowNode for Str | semmle.label | ControlFlowNode for Str |
+| test.py:53:10:53:10 | ControlFlowNode for x | semmle.label | ControlFlowNode for x |
+| test.py:56:9:56:10 | ControlFlowNode for IntegerLiteral | semmle.label | ControlFlowNode for IntegerLiteral |
+| test.py:57:10:57:10 | ControlFlowNode for x | semmle.label | ControlFlowNode for x |
+| test.py:60:9:60:12 | ControlFlowNode for FloatLiteral | semmle.label | ControlFlowNode for FloatLiteral |
+| test.py:61:10:61:10 | ControlFlowNode for x | semmle.label | ControlFlowNode for x |
+| test.py:69:10:69:15 | ControlFlowNode for SOURCE | semmle.label | ControlFlowNode for SOURCE |
+| test.py:70:10:70:10 | ControlFlowNode for x | semmle.label | ControlFlowNode for x |
+| test.py:74:9:74:16 | ControlFlowNode for List [List element] | semmle.label | ControlFlowNode for List [List element] |
+| test.py:74:10:74:15 | ControlFlowNode for SOURCE | semmle.label | ControlFlowNode for SOURCE |
+| test.py:75:10:75:10 | ControlFlowNode for x [List element] | semmle.label | ControlFlowNode for x [List element] |
+| test.py:75:10:75:13 | ControlFlowNode for Subscript | semmle.label | ControlFlowNode for Subscript |
+| test.py:82:9:82:37 | ControlFlowNode for ListComp [List element] | semmle.label | ControlFlowNode for ListComp [List element] |
+| test.py:82:10:82:15 | ControlFlowNode for SOURCE | semmle.label | ControlFlowNode for SOURCE |
+| test.py:83:10:83:10 | ControlFlowNode for x [List element] | semmle.label | ControlFlowNode for x [List element] |
+| test.py:83:10:83:13 | ControlFlowNode for Subscript | semmle.label | ControlFlowNode for Subscript |
+| test.py:86:9:86:29 | ControlFlowNode for ListComp [List element] | semmle.label | ControlFlowNode for ListComp [List element] |
+| test.py:86:10:86:10 | ControlFlowNode for y | semmle.label | ControlFlowNode for y |
+| test.py:86:16:86:16 | SSA variable y | semmle.label | SSA variable y |
+| test.py:86:21:86:28 | ControlFlowNode for List [List element] | semmle.label | ControlFlowNode for List [List element] |
+| test.py:86:22:86:27 | ControlFlowNode for SOURCE | semmle.label | ControlFlowNode for SOURCE |
+| test.py:87:10:87:10 | ControlFlowNode for x [List element] | semmle.label | ControlFlowNode for x [List element] |
+| test.py:87:10:87:13 | ControlFlowNode for Subscript | semmle.label | ControlFlowNode for Subscript |
+| test.py:90:9:90:16 | ControlFlowNode for List [List element] | semmle.label | ControlFlowNode for List [List element] |
+| test.py:90:10:90:15 | ControlFlowNode for SOURCE | semmle.label | ControlFlowNode for SOURCE |
+| test.py:91:9:91:22 | ControlFlowNode for ListComp [List element] | semmle.label | ControlFlowNode for ListComp [List element] |
+| test.py:91:10:91:10 | ControlFlowNode for y | semmle.label | ControlFlowNode for y |
+| test.py:91:16:91:16 | SSA variable y | semmle.label | SSA variable y |
+| test.py:91:21:91:21 | ControlFlowNode for l [List element] | semmle.label | ControlFlowNode for l [List element] |
+| test.py:92:10:92:10 | ControlFlowNode for x [List element] | semmle.label | ControlFlowNode for x [List element] |
+| test.py:92:10:92:13 | ControlFlowNode for Subscript | semmle.label | ControlFlowNode for Subscript |
+| test.py:100:9:100:16 | ControlFlowNode for Set [List element] | semmle.label | ControlFlowNode for Set [List element] |
+| test.py:100:10:100:15 | ControlFlowNode for SOURCE | semmle.label | ControlFlowNode for SOURCE |
+| test.py:101:10:101:10 | ControlFlowNode for x [List element] | semmle.label | ControlFlowNode for x [List element] |
+| test.py:101:10:101:16 | ControlFlowNode for Attribute() | semmle.label | ControlFlowNode for Attribute() |
+| test.py:104:9:104:37 | ControlFlowNode for SetComp [Set element] | semmle.label | ControlFlowNode for SetComp [Set element] |
+| test.py:104:10:104:15 | ControlFlowNode for SOURCE | semmle.label | ControlFlowNode for SOURCE |
+| test.py:105:10:105:10 | ControlFlowNode for x [Set element] | semmle.label | ControlFlowNode for x [Set element] |
+| test.py:105:10:105:16 | ControlFlowNode for Attribute() | semmle.label | ControlFlowNode for Attribute() |
+| test.py:108:9:108:29 | ControlFlowNode for SetComp [Set element] | semmle.label | ControlFlowNode for SetComp [Set element] |
+| test.py:108:10:108:10 | ControlFlowNode for y | semmle.label | ControlFlowNode for y |
+| test.py:108:16:108:16 | SSA variable y | semmle.label | SSA variable y |
+| test.py:108:21:108:28 | ControlFlowNode for List [List element] | semmle.label | ControlFlowNode for List [List element] |
+| test.py:108:22:108:27 | ControlFlowNode for SOURCE | semmle.label | ControlFlowNode for SOURCE |
+| test.py:109:10:109:10 | ControlFlowNode for x [Set element] | semmle.label | ControlFlowNode for x [Set element] |
+| test.py:109:10:109:16 | ControlFlowNode for Attribute() | semmle.label | ControlFlowNode for Attribute() |
+| test.py:112:9:112:16 | ControlFlowNode for Set [List element] | semmle.label | ControlFlowNode for Set [List element] |
+| test.py:112:10:112:15 | ControlFlowNode for SOURCE | semmle.label | ControlFlowNode for SOURCE |
+| test.py:113:9:113:22 | ControlFlowNode for SetComp [Set element] | semmle.label | ControlFlowNode for SetComp [Set element] |
+| test.py:113:10:113:10 | ControlFlowNode for y | semmle.label | ControlFlowNode for y |
+| test.py:113:16:113:16 | SSA variable y | semmle.label | SSA variable y |
+| test.py:113:21:113:21 | ControlFlowNode for l [List element] | semmle.label | ControlFlowNode for l [List element] |
+| test.py:114:10:114:10 | ControlFlowNode for x [Set element] | semmle.label | ControlFlowNode for x [Set element] |
+| test.py:114:10:114:16 | ControlFlowNode for Attribute() | semmle.label | ControlFlowNode for Attribute() |
+| test.py:122:9:122:21 | ControlFlowNode for Dict [Dictionary element at key s] | semmle.label | ControlFlowNode for Dict [Dictionary element at key s] |
+| test.py:122:15:122:20 | ControlFlowNode for SOURCE | semmle.label | ControlFlowNode for SOURCE |
+| test.py:123:10:123:10 | ControlFlowNode for x [Dictionary element at key s] | semmle.label | ControlFlowNode for x [Dictionary element at key s] |
+| test.py:123:10:123:15 | ControlFlowNode for Subscript | semmle.label | ControlFlowNode for Subscript |
+| test.py:126:9:126:21 | ControlFlowNode for Dict [Dictionary element at key s] | semmle.label | ControlFlowNode for Dict [Dictionary element at key s] |
+| test.py:126:15:126:20 | ControlFlowNode for SOURCE | semmle.label | ControlFlowNode for SOURCE |
+| test.py:127:10:127:10 | ControlFlowNode for x [Dictionary element at key s] | semmle.label | ControlFlowNode for x [Dictionary element at key s] |
+| test.py:127:10:127:19 | ControlFlowNode for Attribute() | semmle.label | ControlFlowNode for Attribute() |
+| test.py:252:10:252:21 | ControlFlowNode for Subscript | semmle.label | ControlFlowNode for Subscript |
+| test.py:252:11:252:16 | ControlFlowNode for SOURCE | semmle.label | ControlFlowNode for SOURCE |
+| test.py:252:11:252:17 | ControlFlowNode for Tuple [Tuple element at index 0] | semmle.label | ControlFlowNode for Tuple [Tuple element at index 0] |
+| test.py:255:10:255:17 | ControlFlowNode for List [List element] | semmle.label | ControlFlowNode for List [List element] |
+| test.py:255:10:255:20 | ControlFlowNode for Subscript | semmle.label | ControlFlowNode for Subscript |
+| test.py:255:11:255:16 | ControlFlowNode for SOURCE | semmle.label | ControlFlowNode for SOURCE |
+| test.py:258:10:258:21 | ControlFlowNode for Dict [Dictionary element at key s] | semmle.label | ControlFlowNode for Dict [Dictionary element at key s] |
+| test.py:258:10:258:26 | ControlFlowNode for Subscript | semmle.label | ControlFlowNode for Subscript |
+| test.py:258:15:258:20 | ControlFlowNode for SOURCE | semmle.label | ControlFlowNode for SOURCE |
+| test.py:276:10:276:34 | ControlFlowNode for second() | semmle.label | ControlFlowNode for second() |
+| test.py:276:28:276:33 | ControlFlowNode for SOURCE | semmle.label | ControlFlowNode for SOURCE |
+| test.py:335:10:335:18 | ControlFlowNode for f() | semmle.label | ControlFlowNode for f() |
+| test.py:335:12:335:17 | ControlFlowNode for SOURCE | semmle.label | ControlFlowNode for SOURCE |
+| test.py:339:10:339:34 | ControlFlowNode for second() | semmle.label | ControlFlowNode for second() |
+| test.py:339:28:339:33 | ControlFlowNode for SOURCE | semmle.label | ControlFlowNode for SOURCE |
+#select
+| datamodel.py:38:6:38:17 | ControlFlowNode for f() | datamodel.py:13:10:13:17 | ControlFlowNode for Str | datamodel.py:38:6:38:17 | ControlFlowNode for f() | <message> |
+| datamodel.py:38:6:38:17 | ControlFlowNode for f() | datamodel.py:38:8:38:13 | ControlFlowNode for SOURCE | datamodel.py:38:6:38:17 | ControlFlowNode for f() | <message> |
+| datamodel.py:71:6:71:24 | ControlFlowNode for Attribute() | datamodel.py:13:10:13:17 | ControlFlowNode for Str | datamodel.py:71:6:71:24 | ControlFlowNode for Attribute() | <message> |
+| datamodel.py:71:6:71:24 | ControlFlowNode for Attribute() | datamodel.py:71:15:71:20 | ControlFlowNode for SOURCE | datamodel.py:71:6:71:24 | ControlFlowNode for Attribute() | <message> |
+| datamodel.py:72:6:72:27 | ControlFlowNode for Attribute() | datamodel.py:13:10:13:17 | ControlFlowNode for Str | datamodel.py:72:6:72:27 | ControlFlowNode for Attribute() | <message> |
+| datamodel.py:72:6:72:27 | ControlFlowNode for Attribute() | datamodel.py:72:18:72:23 | ControlFlowNode for SOURCE | datamodel.py:72:6:72:27 | ControlFlowNode for Attribute() | <message> |
+| datamodel.py:73:6:73:27 | ControlFlowNode for func_obj() | datamodel.py:13:10:13:17 | ControlFlowNode for Str | datamodel.py:73:6:73:27 | ControlFlowNode for func_obj() | <message> |
+| datamodel.py:80:6:80:26 | ControlFlowNode for Attribute() | datamodel.py:13:10:13:17 | ControlFlowNode for Str | datamodel.py:80:6:80:26 | ControlFlowNode for Attribute() | <message> |
+| datamodel.py:80:6:80:26 | ControlFlowNode for Attribute() | datamodel.py:80:20:80:25 | ControlFlowNode for SOURCE | datamodel.py:80:6:80:26 | ControlFlowNode for Attribute() | <message> |
+| datamodel.py:81:6:81:26 | ControlFlowNode for Attribute() | datamodel.py:13:10:13:17 | ControlFlowNode for Str | datamodel.py:81:6:81:26 | ControlFlowNode for Attribute() | <message> |
+| datamodel.py:81:6:81:26 | ControlFlowNode for Attribute() | datamodel.py:81:20:81:25 | ControlFlowNode for SOURCE | datamodel.py:81:6:81:26 | ControlFlowNode for Attribute() | <message> |
+| datamodel.py:82:6:82:26 | ControlFlowNode for c_func_obj() | datamodel.py:13:10:13:17 | ControlFlowNode for Str | datamodel.py:82:6:82:26 | ControlFlowNode for c_func_obj() | <message> |
+| datamodel.py:93:6:93:20 | ControlFlowNode for Attribute() | datamodel.py:13:10:13:17 | ControlFlowNode for Str | datamodel.py:93:6:93:20 | ControlFlowNode for Attribute() | <message> |
+| datamodel.py:97:6:97:21 | ControlFlowNode for Attribute() | datamodel.py:13:10:13:17 | ControlFlowNode for Str | datamodel.py:97:6:97:21 | ControlFlowNode for Attribute() | <message> |
+| datamodel.py:106:6:106:30 | ControlFlowNode for Attribute() | datamodel.py:13:10:13:17 | ControlFlowNode for Str | datamodel.py:106:6:106:30 | ControlFlowNode for Attribute() | <message> |
+| datamodel.py:107:6:107:32 | ControlFlowNode for Attribute() | datamodel.py:13:10:13:17 | ControlFlowNode for Str | datamodel.py:107:6:107:32 | ControlFlowNode for Attribute() | <message> |
+| datamodel.py:119:6:119:30 | ControlFlowNode for Attribute() | datamodel.py:13:10:13:17 | ControlFlowNode for Str | datamodel.py:119:6:119:30 | ControlFlowNode for Attribute() | <message> |
+| test.py:34:10:34:10 | ControlFlowNode for y | test.py:32:21:32:26 | ControlFlowNode for SOURCE | test.py:34:10:34:10 | ControlFlowNode for y | <message> |
+| test.py:44:10:44:10 | ControlFlowNode for x | test.py:43:9:43:14 | ControlFlowNode for SOURCE | test.py:44:10:44:10 | ControlFlowNode for x | <message> |
+| test.py:49:10:49:10 | ControlFlowNode for x | test.py:48:9:48:16 | ControlFlowNode for Str | test.py:49:10:49:10 | ControlFlowNode for x | <message> |
+| test.py:53:10:53:10 | ControlFlowNode for x | test.py:52:9:52:17 | ControlFlowNode for Str | test.py:53:10:53:10 | ControlFlowNode for x | <message> |
+| test.py:57:10:57:10 | ControlFlowNode for x | test.py:56:9:56:10 | ControlFlowNode for IntegerLiteral | test.py:57:10:57:10 | ControlFlowNode for x | <message> |
+| test.py:61:10:61:10 | ControlFlowNode for x | test.py:60:9:60:12 | ControlFlowNode for FloatLiteral | test.py:61:10:61:10 | ControlFlowNode for x | <message> |
+| test.py:70:10:70:10 | ControlFlowNode for x | test.py:69:10:69:15 | ControlFlowNode for SOURCE | test.py:70:10:70:10 | ControlFlowNode for x | <message> |
+| test.py:75:10:75:13 | ControlFlowNode for Subscript | test.py:74:10:74:15 | ControlFlowNode for SOURCE | test.py:75:10:75:13 | ControlFlowNode for Subscript | <message> |
+| test.py:83:10:83:13 | ControlFlowNode for Subscript | test.py:82:10:82:15 | ControlFlowNode for SOURCE | test.py:83:10:83:13 | ControlFlowNode for Subscript | <message> |
+| test.py:87:10:87:13 | ControlFlowNode for Subscript | test.py:86:22:86:27 | ControlFlowNode for SOURCE | test.py:87:10:87:13 | ControlFlowNode for Subscript | <message> |
+| test.py:92:10:92:13 | ControlFlowNode for Subscript | test.py:90:10:90:15 | ControlFlowNode for SOURCE | test.py:92:10:92:13 | ControlFlowNode for Subscript | <message> |
+| test.py:101:10:101:16 | ControlFlowNode for Attribute() | test.py:100:10:100:15 | ControlFlowNode for SOURCE | test.py:101:10:101:16 | ControlFlowNode for Attribute() | <message> |
+| test.py:105:10:105:16 | ControlFlowNode for Attribute() | test.py:104:10:104:15 | ControlFlowNode for SOURCE | test.py:105:10:105:16 | ControlFlowNode for Attribute() | <message> |
+| test.py:109:10:109:16 | ControlFlowNode for Attribute() | test.py:108:22:108:27 | ControlFlowNode for SOURCE | test.py:109:10:109:16 | ControlFlowNode for Attribute() | <message> |
+| test.py:114:10:114:16 | ControlFlowNode for Attribute() | test.py:112:10:112:15 | ControlFlowNode for SOURCE | test.py:114:10:114:16 | ControlFlowNode for Attribute() | <message> |
+| test.py:123:10:123:15 | ControlFlowNode for Subscript | test.py:122:15:122:20 | ControlFlowNode for SOURCE | test.py:123:10:123:15 | ControlFlowNode for Subscript | <message> |
+| test.py:127:10:127:19 | ControlFlowNode for Attribute() | test.py:126:15:126:20 | ControlFlowNode for SOURCE | test.py:127:10:127:19 | ControlFlowNode for Attribute() | <message> |
+| test.py:252:10:252:21 | ControlFlowNode for Subscript | test.py:252:11:252:16 | ControlFlowNode for SOURCE | test.py:252:10:252:21 | ControlFlowNode for Subscript | <message> |
+| test.py:255:10:255:20 | ControlFlowNode for Subscript | test.py:255:11:255:16 | ControlFlowNode for SOURCE | test.py:255:10:255:20 | ControlFlowNode for Subscript | <message> |
+| test.py:258:10:258:26 | ControlFlowNode for Subscript | test.py:258:15:258:20 | ControlFlowNode for SOURCE | test.py:258:10:258:26 | ControlFlowNode for Subscript | <message> |
+| test.py:276:10:276:34 | ControlFlowNode for second() | test.py:276:28:276:33 | ControlFlowNode for SOURCE | test.py:276:10:276:34 | ControlFlowNode for second() | <message> |
+| test.py:335:10:335:18 | ControlFlowNode for f() | test.py:335:12:335:17 | ControlFlowNode for SOURCE | test.py:335:10:335:18 | ControlFlowNode for f() | <message> |
+| test.py:339:10:339:34 | ControlFlowNode for second() | test.py:339:28:339:33 | ControlFlowNode for SOURCE | test.py:339:10:339:34 | ControlFlowNode for second() | <message> |
--- a/python/ql/test/experimental/dataflow/coverage/dataflow.ql
+++ b/python/ql/test/experimental/dataflow/coverage/dataflow.ql
@@ -1,5 +1,10 @@
-import experimental.dataflow.testConfig
+/**
+ * @kind path-problem
+ */

-from DataFlow::Node source, DataFlow::Node sink
-where exists(TestConfiguration cfg | cfg.hasFlow(source, sink))
-select source, sink
+import experimental.dataflow.testConfig
+import DataFlow::PathGraph
+
+from TestConfiguration config, DataFlow::PathNode source, DataFlow::PathNode sink
+where config.hasFlowPath(source, sink)
+select sink.getNode(), source, sink, "<message>"
--- a/python/ql/test/experimental/dataflow/coverage/datamodel.py
+++ b/python/ql/test/experimental/dataflow/coverage/datamodel.py
@@ -0,0 +1,159 @@
+# User-defined methods, both instance methods and class methods, can be called in many non-standard ways
+# i.e. differently from simply `c.f()` or `C.f()`. For example, a user-defined `__await__` method on a
+# class `C` will be called by the syntactic construct `await c` when `c` is an instance of `C`.
+#
+# These tests are based on the first part of https://docs.python.org/3/reference/datamodel.html.
+# A thorough covering of methods in that document is found in classes.py.
+#
+# Intended sources should be the variable `SOURCE` and intended sinks should be
+# arguments to the function `SINK` (see python/ql/test/experimental/dataflow/testConfig.qll).
+
+# These are defined so that we can evaluate the test code.
+NONSOURCE = "not a source"
+SOURCE = "source"
+
+def is_source(x):
+    return x == "source" or x == b"source" or x == 42 or x == 42.0 or x == 42j
+
+def SINK(x):
+    if is_source(x):
+        print("OK")
+    else:
+        print("Unexpected flow", x)
+
+def SINK_F(x):
+    if is_source(x):
+        print("Unexpected flow", x)
+    else:
+        print("OK")
+
+# Callable types
+# These are the types to which the function call operation (see section Calls) can be applied:
+
+# User-defined functions
+# A user-defined function object is created by a function definition (see section Function definitions). It should be called with an argument list containing the same number of items as the function's formal parameter list.
+def f(a, b):
+  return a
+
+SINK(f(SOURCE, 3))
+
+# Instance methods
+# An instance method object combines a class, a class instance and any callable object (normally a user-defined function).
+class C(object):
+
+    def method(self, x, cls):
+        assert cls is self.__class__
+        return x
+
+    @classmethod
+    def classmethod(cls, x):
+        return x
+
+    @staticmethod
+    def staticmethod(x):
+        return x
+
+    def gen(self, x, count):
+      n = count
+      while n > 0:
+        yield x
+        n -= 1
+
+    async def coro(self, x):
+      return x
+
+c = C()
+
+# When an instance method object is created by retrieving a user-defined function object from a class via one of its instances, its __self__ attribute is the instance, and the method object is said to be bound. The new method’s __func__ attribute is the original function object.
+func_obj = c.method.__func__
+
+# When an instance method object is called, the underlying function (__func__) is called, inserting the class instance (__self__) in front of the argument list. For instance, when C is a class which contains a definition for a function f(), and x is an instance of C, calling x.f(1) is equivalent to calling C.f(x, 1).
+SINK(c.method(SOURCE, C))
+SINK(C.method(c, SOURCE, C))
+SINK(func_obj(c, SOURCE, C))
+
+
+# When an instance method object is created by retrieving a class method object from a class or instance, its __self__ attribute is the class itself, and its __func__ attribute is the function object underlying the class method.
+c_func_obj = C.classmethod.__func__
+
+# When an instance method object is derived from a class method object, the “class instance” stored in __self__ will actually be the class itself, so that calling either x.f(1) or C.f(1) is equivalent to calling f(C,1) where f is the underlying function.
+SINK(c.classmethod(SOURCE))
+SINK(C.classmethod(SOURCE))
+SINK(c_func_obj(C, SOURCE))
+
+# Generator functions
+# A function or method which uses the yield statement (see section The yield statement) is called a generator function. Such a function, when called, always returns an iterator object which can be used to execute the body of the function: calling the iterator’s iterator.__next__() method will cause the function to execute until it provides a value using the yield statement. When the function executes a return statement or falls off the end, a StopIteration exception is raised and the iterator will have reached the end of the set of values to be returned.
+def gen(x, count):
+  n = count
+  while n > 0:
+    yield x
+    n -= 1
+
+iter = gen(SOURCE, 1)
+SINK(iter.__next__())
+# SINK_F(iter.__next__()) # throws StopIteration, FP
+
+oiter = c.gen(SOURCE, 1)
+SINK(oiter.__next__())
+# SINK_F(oiter.__next__()) # throws StopIteration, FP
+
+# Coroutine functions
+# A function or method which is defined using async def is called a coroutine function. Such a function, when called, returns a coroutine object. It may contain await expressions, as well as async with and async for statements. See also the Coroutine Objects section.
+async def coro(x):
+  return x
+
+import asyncio
+SINK(asyncio.run(coro(SOURCE)))
+SINK(asyncio.run(c.coro(SOURCE)))
+
+class A:
+
+  def __await__(self):
+    # yield SOURCE  -- see https://groups.google.com/g/dev-python/c/_lrrc-vp9TI?pli=1
+    return (yield from asyncio.coroutine(lambda: SOURCE)())
+
+async def agen(x):
+  a = A()
+  return await a
+
+SINK(asyncio.run(agen(SOURCE)))
+
+# Asynchronous generator functions
+# A function or method which is defined using async def and which uses the yield statement is called a asynchronous generator function. Such a function, when called, returns an asynchronous iterator object which can be used in an async for statement to execute the body of the function.
+
+# Calling the asynchronous iterator’s aiterator.__anext__() method will return an awaitable which when awaited will execute until it provides a value using the yield expression. When the function executes an empty return statement or falls off the end, a StopAsyncIteration exception is raised and the asynchronous iterator will have reached the end of the set of values to be yielded.
+
+# Built-in functions
+# A built-in function object is a wrapper around a C function. Examples of built-in functions are len() and math.sin() (math is a standard built-in module). The number and type of the arguments are determined by the C function. Special read-only attributes: __doc__ is the function’s documentation string, or None if unavailable; __name__ is the function’s name; __self__ is set to None (but see the next item); __module__ is the name of the module the function was defined in or None if unavailable.
+
+# Built-in methods
+# This is really a different disguise of a built-in function, this time containing an object passed to the C function as an implicit extra argument. An example of a built-in method is alist.append(), assuming alist is a list object. In this case, the special read-only attribute __self__ is set to the object denoted by alist.
+
+# Classes
+# Classes are callable. These objects normally act as factories for new instances of themselves, but variations are possible for class types that override __new__(). The arguments of the call are passed to __new__() and, in the typical case, to __init__() to initialize the new instance.
+
+# Class Instances
+# Instances of arbitrary classes can be made callable by defining a __call__() method in their class.
+
+# If a class sets __iter__() to None, calling iter() on its instances will raise a TypeError (without falling back to __getitem__()).
+
+# 3.3.1. Basic customization
+
+class Customized:
+
+  a = NONSOURCE
+  b = NONSOURCE
+
+  def __new__(cls):
+    cls.a = SOURCE
+    return super().__new__(cls)
+
+  def __init__(self):
+    self.b = SOURCE
+
+# testing __new__ and __init__
+customized = Customized()
+SINK(Customized.a)
+SINK_F(Customized.b)
+SINK(customized.a)
+SINK(customized.b)
--- a/python/ql/test/experimental/dataflow/coverage/localFlow.expected
+++ b/python/ql/test/experimental/dataflow/coverage/localFlow.expected
@@ -1,7 +1,5 @@
-| test.py:13:5:13:5 | SSA variable x | test.py:12:1:12:33 | Exit node for Function test_tuple_with_local_flow |
-| test.py:13:5:13:5 | SSA variable x | test.py:14:9:14:9 | ControlFlowNode for x |
-| test.py:13:10:13:18 | ControlFlowNode for Tuple | test.py:13:5:13:5 | SSA variable x |
-| test.py:14:5:14:5 | SSA variable y | test.py:15:5:15:11 | SSA variable y |
-| test.py:14:5:14:5 | SSA variable y | test.py:15:10:15:10 | ControlFlowNode for y |
-| test.py:14:9:14:12 | ControlFlowNode for Subscript | test.py:14:5:14:5 | SSA variable y |
-| test.py:15:5:15:11 | SSA variable y | test.py:12:1:12:33 | Exit node for Function test_tuple_with_local_flow |
+| test.py:32:5:32:5 | SSA variable x | test.py:33:9:33:9 | ControlFlowNode for x |
+| test.py:32:10:32:26 | ControlFlowNode for Tuple | test.py:32:5:32:5 | SSA variable x |
+| test.py:33:5:33:5 | SSA variable y | test.py:34:5:34:11 | SSA variable y |
+| test.py:33:5:33:5 | SSA variable y | test.py:34:10:34:10 | ControlFlowNode for y |
+| test.py:33:9:33:12 | ControlFlowNode for Subscript | test.py:33:5:33:5 | SSA variable y |
--- a/python/ql/test/experimental/dataflow/coverage/test.py
+++ b/python/ql/test/experimental/dataflow/coverage/test.py
@@ -1,20 +1,43 @@
-# This should cover all the syntactical constructs that we hope to support
+# This should cover all the syntactical constructs that we hope to support.
+# Headings refer to https://docs.python.org/3/reference/expressions.html,
+# and are selected whenever they incur dataflow.
 # Intended sources should be the variable `SOURCE` and intended sinks should be
 # arguments to the function `SINK` (see python/ql/test/experimental/dataflow/testConfig.qll).
 #
 # Functions whose name ends with "_with_local_flow" will also be tested for local flow.
+#
+# All functions starting with "test_" should run and print `"OK"`.
+# This can be checked by running validTest.py.

-# These are included so that we can easily evaluate the test code
+# These are defined so that we can evaluate the test code.
+NONSOURCE = "not a source"
 SOURCE = "source"
+
+def is_source(x):
+    return x == "source" or x == b"source" or x == 42 or x == 42.0 or x == 42j
+
 def SINK(x):
-    print(x)
+    if is_source(x):
+        print("OK")
+    else:
+        print("Unexpected flow", x)
+
+def SINK_F(x):
+    if is_source(x):
+        print("Unexpected flow", x)
+    else:
+        print("OK")

 def test_tuple_with_local_flow():
-    x = (3, SOURCE)
+    x = (NONSOURCE, SOURCE)
    y = x[1]
    SINK(y)

-# List taken from https://docs.python.org/3/reference/expressions.html
+def test_tuple_negative():
+    x = (NONSOURCE, SOURCE)
+    y = x[0]
+    SINK_F(y)
+
 # 6.2.1. Identifiers (Names)
 def test_names():
    x = SOURCE
@@ -39,7 +62,7 @@ def test_floatnumber_literal():

 def test_imagnumber_literal():
    x = 42j
-    SINK(x)
+    SINK(x) # Flow missing

 # 6.2.3. Parenthesized forms
 def test_parenthesized_form():
@@ -51,13 +74,26 @@ def test_list_display():
    x = [SOURCE]
    SINK(x[0])

+def test_list_display_negative():
+    x = [SOURCE]
+    SINK_F(x)
+
 def test_list_comprehension():
-    x = [SOURCE for y in [3]]
+    x = [SOURCE for y in [NONSOURCE]]
+    SINK(x[0])
+
+def test_list_comprehension_flow():
+    x = [y for y in [SOURCE]]
+    SINK(x[0])
+
+def test_list_comprehension_inflow():
+    l = [SOURCE]
+    x = [y for y in l]
    SINK(x[0])

 def test_nested_list_display():
    x = [* [SOURCE]]
-    SINK(x[0])
+    SINK(x[0]) # Flow missing

 # 6.2.6. Set displays
 def test_set_display():
@@ -65,67 +101,268 @@ def test_set_display():
    SINK(x.pop())

 def test_set_comprehension():
-    x = {SOURCE for y in [3]}
+    x = {SOURCE for y in [NONSOURCE]}
+    SINK(x.pop())
+
+def test_set_comprehension_flow():
+    x = {y for y in [SOURCE]}
+    SINK(x.pop())
+
+def test_set_comprehension_inflow():
+    l = {SOURCE}
+    x = {y for y in l}
    SINK(x.pop())

 def test_nested_set_display():
    x = {* {SOURCE}}
-    SINK(x.pop())
+    SINK(x.pop()) # Flow missing

 # 6.2.7. Dictionary displays
 def test_dict_display():
    x = {"s": SOURCE}
    SINK(x["s"])

+def test_dict_display_pop():
+    x = {"s": SOURCE}
+    SINK(x.pop("s"))
+
 def test_dict_comprehension():
    x = {y: SOURCE for y in ["s"]}
-    SINK(x["s"])
+    SINK(x["s"]) # Flow missing
+
+def test_dict_comprehension_pop():
+    x = {y: SOURCE for y in ["s"]}
+    SINK(x.pop("s")) # Flow missing

 def test_nested_dict_display():
    x = {** {"s": SOURCE}}
-    SINK(x["s"])
+    SINK(x["s"]) # Flow missing
+
+def test_nested_dict_display_pop():
+    x = {** {"s": SOURCE}}
+    SINK(x.pop("s")) # Flow missing

 # 6.2.8. Generator expressions
 def test_generator():
-    x = (SOURCE for y in [3])
-    SINK([*x][0])
+    x = (SOURCE for y in [NONSOURCE])
+    SINK([*x][0]) # Flow missing

-# List taken from https://docs.python.org/3/reference/expressions.html
-# 6. Expressions
-# 6.1. Arithmetic conversions
-# 6.2. Atoms
-# 6.2.1. Identifiers (Names)
-# 6.2.2. Literals
-# 6.2.3. Parenthesized forms
-# 6.2.4. Displays for lists, sets and dictionaries
-# 6.2.5. List displays
-# 6.2.6. Set displays
-# 6.2.7. Dictionary displays
-# 6.2.8. Generator expressions
 # 6.2.9. Yield expressions
+def gen(x):
+    yield x
+
+def test_yield():
+    g = gen(SOURCE)
+    SINK(next(g)) # Flow missing
+
+def gen_from(x):
+    yield from gen(x)
+
+def test_yield_from():
+    g = gen_from(SOURCE)
+    SINK(next(g)) # Flow missing
+
+# a statement rather than an expression, but related to generators
+def test_for():
+    for x in gen(SOURCE):
+        SINK(x) # Flow missing
+
 # 6.2.9.1. Generator-iterator methods
-# 6.2.9.2. Examples
+def test___next__():
+    g = gen(SOURCE)
+    SINK(g.__next__()) # Flow missing
+
+def gen2(x):
+    m = yield x # argument of `send` has to flow to value of `yield x` (and so to `m`)
+    yield m
+
+def test_send():
+    g = gen2(NONSOURCE)
+    n = next(g)
+    SINK(g.send(SOURCE)) # Flow missing
+
+def gen_ex(x):
+    try:
+        yield NONSOURCE
+    except:
+        yield x # `x` has to flow to call to `throw`
+
+def test_throw():
+    g = gen_ex(SOURCE)
+    n = next(g)
+    SINK(g.throw(TypeError)) # Flow missing
+
+# no `test_close` as `close` involves no data flow
+
 # 6.2.9.3. Asynchronous generator functions
+async def agen(x):
+    yield x
+
 # 6.2.9.4. Asynchronous generator-iterator methods
-# 6.3. Primaries
+
+# helper to run async test functions
+def runa(a):
+    import asyncio
+    asyncio.run(a)
+
+async def atest___anext__():
+    g = agen(SOURCE)
+    SINK(await g.__anext__()) # Flow missing
+
+def test___anext__():
+    runa(atest___anext__())
+
+async def agen2(x):
+    m = yield x # argument of `send` has to flow to value of `yield x` (and so to `m`)
+    yield m
+
+async def atest_asend():
+    g = agen2(NONSOURCE)
+    n = await g.__anext__()
+    SINK(await g.asend(SOURCE)) # Flow missing
+
+def test_asend():
+    runa(atest_asend())
+
+async def agen_ex(x):
+    try:
+        yield NONSOURCE
+    except:
+        yield x # `x` has to flow to call to `athrow`
+
+async def atest_athrow():
+    g = agen_ex(SOURCE)
+    n = await g.__anext__()
+    SINK(await g.athrow(TypeError)) # Flow missing
+
+def test_athrow():
+    runa(atest_athrow())
+
 # 6.3.1. Attribute references
+class C:
+    a = SOURCE
+
+def test_attribute_reference():
+    SINK(C.a) # Flow missing
+
+# overriding __getattr__ should be tested by the class coverage tests
+
 # 6.3.2. Subscriptions
+def test_subscription_tuple():
+    SINK((SOURCE,)[0])
+
+def test_subscription_list():
+    SINK([SOURCE][0])
+
+def test_subscription_mapping():
+    SINK({"s":SOURCE}["s"])
+
+# overriding __getitem__ should be tested by the class coverage tests
+
 # 6.3.3. Slicings
+l = [SOURCE]
+
+def test_slicing():
+    s = l[0:1:1]
+    SINK(s[0]) # Flow missing
+
+# The grammar seems to allow `l[0:1:1, 0:1]`, but the interpreter does not like it
+
 # 6.3.4. Calls
-# 6.4. Await expression
-# 6.5. The power operator
-# 6.6. Unary arithmetic and bitwise operations
-# 6.7. Binary arithmetic operations
-# 6.8. Shifting operations
-# 6.9. Binary bitwise operations
-# 6.10. Comparisons
-# 6.10.1. Value comparisons
-# 6.10.2. Membership test operations
-# 6.10.3. Identity comparisons
-# 6.11. Boolean operations
+def second(a, b):
+    return b
+
+def test_call_positional():
+    SINK(second(NONSOURCE, SOURCE))
+
+def test_call_positional_negative():
+    SINK_F(second(SOURCE, NONSOURCE))
+
+def test_call_keyword():
+    SINK(second(NONSOURCE, b=SOURCE)) # Flow missing
+
+def test_call_unpack_iterable():
+    SINK(second(NONSOURCE, *[SOURCE])) # Flow missing
+
+def test_call_unpack_mapping():
+    SINK(second(NONSOURCE, **{"b": SOURCE})) # Flow missing
+
+def f_extra_pos(a, *b):
+    return b[0]
+
+def test_call_extra_pos():
+    SINK(f_extra_pos(NONSOURCE, SOURCE)) # Flow missing
+
+def f_extra_keyword(a, **b):
+    return b["b"]
+
+def test_call_extra_keyword():
+    SINK(f_extra_keyword(NONSOURCE, b=SOURCE)) # Flow missing
+
+# return the name of the first extra keyword argument
+def f_extra_keyword_flow(**a):
+    return [*a][0]
+
+# call the function with our source as the name of the keyword arguemnt
+def test_call_extra_keyword_flow():
+    SINK(f_extra_keyword_flow(**{SOURCE: None})) # Flow missing
+
 # 6.12. Assignment expressions
+def test_assignment_expression():
+    x = NONSOURCE
+    SINK(x := SOURCE) # Flow missing
+
 # 6.13. Conditional expressions
+def test_conditional_true():
+    SINK(SOURCE if True else NONSOURCE) # Flow missing
+
+def test_conditional_false():
+    SINK(NONSOURCE if False else SOURCE) # Flow missing
+
+# Condition is evaluated first, so x is SOURCE once chosen
+def test_conditional_evaluation_true():
+    x = NONSOURCE
+    SINK(x if (SOURCE == (x := SOURCE)) else NONSOURCE) # Flow missing
+
+# Condition is evaluated first, so x is SOURCE once chosen
+def test_conditional_evaluation_false():
+    x = NONSOURCE
+    SINK(NONSOURCE if (NONSOURCE == (x := SOURCE)) else x) # Flow missing
+
 # 6.14. Lambdas
-# 6.15. Expression lists
-# 6.16. Evaluation order
-# 6.17. Operator precedence
+def test_lambda():
+    f = lambda x : x
+    SINK(f(SOURCE))
+
+def test_lambda_positional():
+    second = lambda a, b : b
+    SINK(second(NONSOURCE, SOURCE))
+
+def test_lambda_positional_negative():
+    second = lambda a, b : b
+    SINK_F(second(SOURCE, NONSOURCE))
+
+def test_lambda_keyword():
+    second = lambda a, b : b
+    SINK(second(NONSOURCE, b=SOURCE)) # Flow missing
+
+def test_lambda_unpack_iterable():
+    second = lambda a, b : b
+    SINK(second(NONSOURCE, *[SOURCE])) # Flow missing
+
+def test_lambda_unpack_mapping():
+    second = lambda a, b : b
+    SINK(second(NONSOURCE, **{"b": SOURCE})) # Flow missing
+
+def test_lambda_extra_pos():
+    f_extra_pos = lambda a, *b : b[0]
+    SINK(f_extra_pos(NONSOURCE, SOURCE)) # Flow missing
+
+def test_lambda_extra_keyword():
+    f_extra_keyword = lambda a, **b : b["b"]
+    SINK(f_extra_keyword(NONSOURCE, b=SOURCE)) # Flow missing
+
+# call the function with our source as the name of the keyword arguemnt
+def test_lambda_extra_keyword_flow():
+    f_extra_keyword_flow = lambda **a : [*a][0] # return the name of the first extra keyword argument
+    SINK(f_extra_keyword_flow(**{SOURCE: None})) # Flow missing
--- a/python/ql/test/experimental/dataflow/coverage/validTest.py
+++ b/python/ql/test/experimental/dataflow/coverage/validTest.py
@@ -0,0 +1,49 @@
+def check_output(s, f):
+    if s == "OK\n":
+        pass
+    else:
+        raise RuntimeError("Function failed", s, f)
+
+def check_test_function(f):
+    from io import StringIO
+    import sys
+
+    capturer = StringIO()
+    old_stdout = sys.stdout
+    sys.stdout = capturer
+    f()
+    sys.stdout = old_stdout
+    check_output(capturer.getvalue(), f)
+
+def check_async_test_function(f):
+    from io import StringIO
+    import sys
+    import asyncio
+
+    capturer = StringIO()
+    old_stdout = sys.stdout
+    sys.stdout = capturer
+    asyncio.run(f())
+    sys.stdout = old_stdout
+    check_output(capturer.getvalue(), f)
+
+def check_tests_valid(testFile):
+    import importlib
+    tests = importlib.import_module(testFile)
+    for i in dir(tests):
+        # print("Considering", i)
+        if i.startswith("test_"):
+            item = getattr(tests,i)
+            if callable(item):
+                print("Checking", testFile, item)
+                check_test_function(item)
+
+        elif i.startswith("atest_"):
+            item = getattr(tests,i)
+            if callable(item):
+                print("Checking", testFile, item)
+                check_async_test_function(item)
+
+if __name__ == '__main__':
+    check_tests_valid("classes")
+    check_tests_valid("test")
--- a/python/ql/test/experimental/dataflow/options
+++ b/python/ql/test/experimental/dataflow/options
@@ -0,0 +1 @@
+semmle-extractor-options: --max-import-depth=1
--- a/python/ql/test/experimental/dataflow/tainttracking/TestTaintLib.qll
+++ b/python/ql/test/experimental/dataflow/tainttracking/TestTaintLib.qll
@@ -0,0 +1,72 @@
+import python
+import experimental.dataflow.TaintTracking
+import experimental.dataflow.DataFlow
+
+class TestTaintTrackingConfiguration extends TaintTracking::Configuration {
+  TestTaintTrackingConfiguration() { this = "TestTaintTrackingConfiguration" }
+
+  override predicate isSource(DataFlow::Node source) {
+    source.(DataFlow::CfgNode).getNode().(NameNode).getId() in ["TAINTED_STRING", "TAINTED_BYTES"]
+  }
+
+  override predicate isSink(DataFlow::Node sink) {
+    exists(CallNode call |
+      call.getFunction().(NameNode).getId() in ["ensure_tainted", "ensure_not_tainted"] and
+      sink.(DataFlow::CfgNode).getNode() = call.getAnArg()
+    )
+  }
+}
+
+private string repr(Expr e) {
+  not e instanceof Num and
+  not e instanceof StrConst and
+  not e instanceof Subscript and
+  not e instanceof Call and
+  not e instanceof Attribute and
+  result = e.toString()
+  or
+  result = e.(Num).getN()
+  or
+  result =
+    e.(StrConst).getPrefix() + e.(StrConst).getText() +
+      e.(StrConst).getPrefix().regexpReplaceAll("[a-zA-Z]+", "")
+  or
+  result = repr(e.(Subscript).getObject()) + "[" + repr(e.(Subscript).getIndex()) + "]"
+  or
+  (
+    if exists(e.(Call).getAnArg()) or exists(e.(Call).getANamedArg())
+    then result = repr(e.(Call).getFunc()) + "(..)"
+    else result = repr(e.(Call).getFunc()) + "()"
+  )
+  or
+  result = repr(e.(Attribute).getObject()) + "." + e.(Attribute).getName()
+}
+
+query predicate test_taint(string arg_location, string test_res, string function_name, string repr) {
+  exists(Call call, Expr arg, boolean expected_taint, boolean has_taint |
+    call.getLocation().getFile().getShortName() = "test.py" and
+    (
+      call.getFunc().(Name).getId() = "ensure_tainted" and
+      expected_taint = true
+      or
+      call.getFunc().(Name).getId() = "ensure_not_tainted" and
+      expected_taint = false
+    ) and
+    arg = call.getAnArg() and
+    (
+      // TODO: Replace with `hasFlowToExpr` once that is working
+      if
+        exists(TaintTracking::Configuration c |
+          c.hasFlowTo(any(DataFlow::Node n | n.(DataFlow::CfgNode).getNode() = arg.getAFlowNode()))
+        )
+      then has_taint = true
+      else has_taint = false
+    ) and
+    (if expected_taint = has_taint then test_res = "ok  " else test_res = "fail") and
+    // select
+    arg_location = arg.getLocation().toString() and
+    test_res = test_res and
+    function_name = call.getScope().(Function).getName() and
+    repr = repr(arg)
+  )
+}
--- a/python/ql/test/experimental/dataflow/tainttracking/basic/GlobalTaintTracking.expected
+++ b/python/ql/test/experimental/dataflow/tainttracking/basic/GlobalTaintTracking.expected
@@ -0,0 +1,2 @@
+| test.py:3:11:3:16 | ControlFlowNode for SOURCE | test.py:4:6:4:12 | ControlFlowNode for tainted |
+| test.py:7:20:7:25 | ControlFlowNode for SOURCE | test.py:8:10:8:21 | ControlFlowNode for also_tainted |
--- a/python/ql/test/experimental/dataflow/tainttracking/basic/GlobalTaintTracking.ql
+++ b/python/ql/test/experimental/dataflow/tainttracking/basic/GlobalTaintTracking.ql
@@ -0,0 +1,22 @@
+import python
+import experimental.dataflow.TaintTracking
+import experimental.dataflow.DataFlow
+
+class TestTaintTrackingConfiguration extends TaintTracking::Configuration {
+  TestTaintTrackingConfiguration() { this = "TestTaintTrackingConfiguration" }
+
+  override predicate isSource(DataFlow::Node source) {
+    source.(DataFlow::CfgNode).getNode().(NameNode).getId() = "SOURCE"
+  }
+
+  override predicate isSink(DataFlow::Node sink) {
+    exists(CallNode call |
+      call.getFunction().(NameNode).getId() = "SINK" and
+      sink.(DataFlow::CfgNode).getNode() = call.getAnArg()
+    )
+  }
+}
+
+from TestTaintTrackingConfiguration config, DataFlow::Node source, DataFlow::Node sink
+where config.hasFlow(source, sink)
+select source, sink
--- a/python/ql/test/experimental/dataflow/tainttracking/basic/LocalTaintStep.expected
+++ b/python/ql/test/experimental/dataflow/tainttracking/basic/LocalTaintStep.expected
@@ -0,0 +1,3 @@
+| test.py:7:5:7:16 | SSA variable also_tainted | test.py:8:5:8:22 | SSA variable also_tainted |
+| test.py:7:5:7:16 | SSA variable also_tainted | test.py:8:10:8:21 | ControlFlowNode for also_tainted |
+| test.py:7:20:7:25 | ControlFlowNode for SOURCE | test.py:7:5:7:16 | SSA variable also_tainted |
--- a/python/ql/test/experimental/dataflow/tainttracking/basic/LocalTaintStep.ql
+++ b/python/ql/test/experimental/dataflow/tainttracking/basic/LocalTaintStep.ql
@@ -0,0 +1,7 @@
+import python
+import experimental.dataflow.TaintTracking
+import experimental.dataflow.DataFlow
+
+from DataFlow::Node nodeFrom, DataFlow::Node nodeTo
+where TaintTracking::localTaintStep(nodeFrom, nodeTo)
+select nodeFrom, nodeTo
--- a/python/ql/test/experimental/dataflow/tainttracking/basic/test.py
+++ b/python/ql/test/experimental/dataflow/tainttracking/basic/test.py
@@ -0,0 +1,8 @@
+# Module level taint is different from inside functions, since shared dataflow library
+# relies on `getEnclosingCallable`
+tainted = SOURCE
+SINK(tainted)
+
+def func():
+    also_tainted = SOURCE
+    SINK(also_tainted)
--- a/python/ql/test/experimental/dataflow/tainttracking/string-py3/TestTaint.expected
+++ b/python/ql/test/experimental/dataflow/tainttracking/string-py3/TestTaint.expected
@@ -0,0 +1,10 @@
+| test.py:26 | ok   | str_methods | ts.casefold() |
+| test.py:28 | ok   | str_methods | ts.format_map(..) |
+| test.py:29 | fail | str_methods | "{unsafe}".format_map(..) |
+| test.py:40 | fail | binary_decode_encode | base64.a85encode(..) |
+| test.py:41 | fail | binary_decode_encode | base64.a85decode(..) |
+| test.py:44 | fail | binary_decode_encode | base64.b85encode(..) |
+| test.py:45 | fail | binary_decode_encode | base64.b85decode(..) |
+| test.py:48 | fail | binary_decode_encode | base64.encodebytes(..) |
+| test.py:49 | fail | binary_decode_encode | base64.decodebytes(..) |
+| test.py:57 | ok   | f_strings | Fstring |
--- a/python/ql/test/experimental/dataflow/tainttracking/string-py3/TestTaint.ql
+++ b/python/ql/test/experimental/dataflow/tainttracking/string-py3/TestTaint.ql
@@ -0,0 +1 @@
+import experimental.dataflow.tainttracking.TestTaintLib
--- a/python/ql/test/experimental/dataflow/tainttracking/string-py3/options
+++ b/python/ql/test/experimental/dataflow/tainttracking/string-py3/options
@@ -0,0 +1 @@
+semmle-extractor-options: --max-import-depth=1 --lang=3
--- a/python/ql/test/experimental/dataflow/tainttracking/string-py3/test.py
+++ b/python/ql/test/experimental/dataflow/tainttracking/string-py3/test.py
@@ -0,0 +1,64 @@
+# Python 3 specific taint tracking for string
+
+TAINTED_STRING = "TAINTED_STRING"
+TAINTED_BYTES = b"TAINTED_BYTES"
+
+
+def ensure_tainted(*args):
+    print("- ensure_tainted")
+    for i, arg in enumerate(args):
+        print("arg {}: {!r}".format(i, arg))
+
+
+def ensure_not_tainted(*args):
+    print("- ensure_not_tainted")
+    for i, arg in enumerate(args):
+        print("arg {}: {!r}".format(i, arg))
+
+
+# Actual tests
+
+def str_methods():
+    print("\n# str_methods")
+    ts = TAINTED_STRING
+    tb = TAINTED_BYTES
+    ensure_tainted(
+        ts.casefold(),
+
+        ts.format_map({}),
+        "{unsafe}".format_map({"unsafe": ts}),
+    )
+
+
+def binary_decode_encode():
+    print("\n#percent_fmt")
+    tb = TAINTED_BYTES
+    import base64
+
+    ensure_tainted(
+        # New in Python 3.4
+        base64.a85encode(tb),
+        base64.a85decode(base64.a85encode(tb)),
+
+        # New in Python 3.4
+        base64.b85encode(tb),
+        base64.b85decode(base64.b85encode(tb)),
+
+        # New in Python 3.1
+        base64.encodebytes(tb),
+        base64.decodebytes(base64.encodebytes(tb)),
+    )
+
+
+def f_strings():
+    print("\n#f_strings")
+    ts = TAINTED_STRING
+
+    ensure_tainted(f"foo {ts} bar")
+
+
+# Make tests runable
+
+str_methods()
+binary_decode_encode()
+f_strings()
--- a/python/ql/test/experimental/dataflow/tainttracking/string/TestTaint.expected
+++ b/python/ql/test/experimental/dataflow/tainttracking/string/TestTaint.expected
@@ -0,0 +1,62 @@
+| test.py:32 | ok   | str_operations | ts |
+| test.py:33 | ok   | str_operations | BinaryExpr |
+| test.py:34 | ok   | str_operations | BinaryExpr |
+| test.py:35 | ok   | str_operations | BinaryExpr |
+| test.py:36 | ok   | str_operations | ts[Slice] |
+| test.py:37 | ok   | str_operations | ts[Slice] |
+| test.py:38 | ok   | str_operations | ts[Slice] |
+| test.py:39 | ok   | str_operations | ts[0] |
+| test.py:40 | ok   | str_operations | str(..) |
+| test.py:41 | ok   | str_operations | bytes(..) |
+| test.py:42 | ok   | str_operations | unicode(..) |
+| test.py:51 | ok   | str_methods | ts.capitalize() |
+| test.py:52 | ok   | str_methods | ts.center(..) |
+| test.py:53 | ok   | str_methods | ts.expandtabs() |
+| test.py:55 | ok   | str_methods | ts.format() |
+| test.py:56 | ok   | str_methods | "{}".format(..) |
+| test.py:57 | ok   | str_methods | "{unsafe}".format(..) |
+| test.py:59 | ok   | str_methods | ts.join(..) |
+| test.py:60 | fail | str_methods | "".join(..) |
+| test.py:62 | ok   | str_methods | ts.ljust(..) |
+| test.py:63 | ok   | str_methods | ts.lstrip() |
+| test.py:64 | ok   | str_methods | ts.lower() |
+| test.py:66 | ok   | str_methods | ts.replace(..) |
+| test.py:67 | ok   | str_methods | "safe".replace(..) |
+| test.py:69 | ok   | str_methods | ts.rjust(..) |
+| test.py:70 | ok   | str_methods | ts.rstrip() |
+| test.py:71 | ok   | str_methods | ts.strip() |
+| test.py:72 | ok   | str_methods | ts.swapcase() |
+| test.py:73 | ok   | str_methods | ts.title() |
+| test.py:74 | ok   | str_methods | ts.upper() |
+| test.py:75 | ok   | str_methods | ts.zfill(..) |
+| test.py:77 | ok   | str_methods | ts.encode(..) |
+| test.py:78 | ok   | str_methods | ts.encode(..).decode(..) |
+| test.py:80 | ok   | str_methods | tb.decode(..) |
+| test.py:81 | ok   | str_methods | tb.decode(..).encode(..) |
+| test.py:84 | ok   | str_methods | ts.partition(..) |
+| test.py:85 | ok   | str_methods | ts.rpartition(..) |
+| test.py:86 | ok   | str_methods | ts.rsplit(..) |
+| test.py:87 | ok   | str_methods | ts.split(..) |
+| test.py:88 | ok   | str_methods | ts.splitlines() |
+| test.py:93 | ok   | str_methods | "safe".replace(..) |
+| test.py:95 | fail | str_methods | ts.join(..) |
+| test.py:96 | fail | str_methods | ts.join(..) |
+| test.py:106 | fail | non_syntactic | meth() |
+| test.py:107 | fail | non_syntactic | _str(..) |
+| test.py:116 | ok   | percent_fmt | BinaryExpr |
+| test.py:117 | ok   | percent_fmt | BinaryExpr |
+| test.py:118 | fail | percent_fmt | BinaryExpr |
+| test.py:128 | fail | binary_decode_encode | base64.b64encode(..) |
+| test.py:129 | fail | binary_decode_encode | base64.b64decode(..) |
+| test.py:131 | fail | binary_decode_encode | base64.standard_b64encode(..) |
+| test.py:132 | fail | binary_decode_encode | base64.standard_b64decode(..) |
+| test.py:134 | fail | binary_decode_encode | base64.urlsafe_b64encode(..) |
+| test.py:135 | fail | binary_decode_encode | base64.urlsafe_b64decode(..) |
+| test.py:137 | fail | binary_decode_encode | base64.b32encode(..) |
+| test.py:138 | fail | binary_decode_encode | base64.b32decode(..) |
+| test.py:140 | fail | binary_decode_encode | base64.b16encode(..) |
+| test.py:141 | fail | binary_decode_encode | base64.b16decode(..) |
+| test.py:156 | fail | binary_decode_encode | base64.encodestring(..) |
+| test.py:157 | fail | binary_decode_encode | base64.decodestring(..) |
+| test.py:162 | fail | binary_decode_encode | quopri.encodestring(..) |
+| test.py:163 | fail | binary_decode_encode | quopri.decodestring(..) |
--- a/python/ql/test/experimental/dataflow/tainttracking/string/TestTaint.ql
+++ b/python/ql/test/experimental/dataflow/tainttracking/string/TestTaint.ql
@@ -0,0 +1 @@
+import experimental.dataflow.tainttracking.TestTaintLib
--- a/python/ql/test/experimental/dataflow/tainttracking/string/test.py
+++ b/python/ql/test/experimental/dataflow/tainttracking/string/test.py
@@ -0,0 +1,173 @@
+import sys
+
+if sys.version_info[0] == 3:
+    unicode = str
+
+
+TAINTED_STRING = "TAINTED_STRING"
+TAINTED_BYTES = b"TAINTED_BYTES"
+
+
+def ensure_tainted(*args):
+    print("- ensure_tainted")
+    for i, arg in enumerate(args):
+        print("arg {}: {!r}".format(i, arg))
+
+
+def ensure_not_tainted(*args):
+    print("- ensure_not_tainted")
+    for i, arg in enumerate(args):
+        print("arg {}: {!r}".format(i, arg))
+
+
+# Actual tests
+
+
+def str_operations():
+    print("\n# str_operations")
+    ts = TAINTED_STRING
+    tb = TAINTED_BYTES
+
+    ensure_tainted(
+        ts,
+        ts + "foo",
+        "foo" + ts,
+        ts * 5,
+        ts[0 : len(ts)],
+        ts[:],
+        ts[0:1000],
+        ts[0],
+        str(ts),
+        bytes(tb),
+        unicode(ts),
+    )
+
+
+def str_methods():
+    print("\n# str_methods")
+    ts = TAINTED_STRING
+    tb = TAINTED_BYTES
+    ensure_tainted(
+        ts.capitalize(),
+        ts.center(100),
+        ts.expandtabs(),
+
+        ts.format(),
+        "{}".format(ts),
+        "{unsafe}".format(unsafe=ts),
+
+        ts.join(["", ""]),
+        "".join([ts]),
+
+        ts.ljust(100),
+        ts.lstrip(),
+        ts.lower(),
+
+        ts.replace("old", "new"),
+        "safe".replace("safe", ts),
+
+        ts.rjust(100),
+        ts.rstrip(),
+        ts.strip(),
+        ts.swapcase(),
+        ts.title(),
+        ts.upper(),
+        ts.zfill(100),
+
+        ts.encode("utf-8"),
+        ts.encode("utf-8").decode("utf-8"),
+
+        tb.decode("utf-8"),
+        tb.decode("utf-8").encode("utf-8"),
+
+        # string methods that return a list
+        ts.partition("_"),
+        ts.rpartition("_"),
+        ts.rsplit("_"),
+        ts.split("_"),
+        ts.splitlines(),
+    )
+
+    ensure_not_tainted(
+        # Intuitively I think this should be safe, but better discuss it
+        "safe".replace(ts, "also-safe"),
+
+        ts.join([]),  # FP due to separator not being used with zero/one elements
+        ts.join(["safe"]),  # FP due to separator not being used with zero/one elements
+    )
+
+
+def non_syntactic():
+    print("\n# non_syntactic")
+    ts = TAINTED_STRING
+    meth = ts.upper
+    _str = str
+    ensure_tainted(
+        meth(),
+        _str(ts),
+    )
+
+
+def percent_fmt():
+    print("\n#percent_fmt")
+    ts = TAINTED_STRING
+    tainted_fmt = ts + " %s %s"
+    ensure_tainted(
+        tainted_fmt % (1, 2),
+        "%s foo bar" % ts,
+        "%s %s %s" % (1, 2, ts),
+    )
+
+
+def binary_decode_encode():
+    print("\n#percent_fmt")
+    tb = TAINTED_BYTES
+    import base64
+
+    ensure_tainted(
+        base64.b64encode(tb),
+        base64.b64decode(base64.b64encode(tb)),
+
+        base64.standard_b64encode(tb),
+        base64.standard_b64decode(base64.standard_b64encode(tb)),
+
+        base64.urlsafe_b64encode(tb),
+        base64.urlsafe_b64decode(base64.urlsafe_b64encode(tb)),
+
+        base64.b32encode(tb),
+        base64.b32decode(base64.b32encode(tb)),
+
+        base64.b16encode(tb),
+        base64.b16decode(base64.b16encode(tb)),
+
+        # # New in Python 3.4
+        # base64.a85encode(tb),
+        # base64.a85decode(base64.a85encode(tb)),
+
+        # # New in Python 3.4
+        # base64.b85encode(tb),
+        # base64.b85decode(base64.b85encode(tb)),
+
+        # # New in Python 3.1
+        # base64.encodebytes(tb),
+        # base64.decodebytes(base64.encodebytes(tb)),
+
+        # deprecated since Python 3.1, but still works
+        base64.encodestring(tb),
+        base64.decodestring(base64.encodestring(tb)),
+    )
+
+    import quopri
+    ensure_tainted(
+        quopri.encodestring(tb),
+        quopri.decodestring(quopri.encodestring(tb)),
+    )
+
+
+# Make tests runable
+
+str_operations()
+str_methods()
+non_syntactic()
+percent_fmt()
+binary_decode_encode()
--- a/python/ql/test/experimental/library-tests/CallGraph-xfail/CallGraphTest.qll
+++ b/python/ql/test/experimental/library-tests/CallGraph-xfail/CallGraphTest.qll
@@ -1 +0,0 @@
-../CallGraph/CallGraphTest.qll
--- a/python/ql/test/experimental/library-tests/CallGraph-xfail/PointsTo.ql
+++ b/python/ql/test/experimental/library-tests/CallGraph-xfail/PointsTo.ql
@@ -1 +0,0 @@
-../CallGraph/PointsTo.ql
--- a/python/ql/test/experimental/library-tests/CallGraph-xfail/PointsTo.qlref
+++ b/python/ql/test/experimental/library-tests/CallGraph-xfail/PointsTo.qlref
@@ -0,0 +1 @@
+../CallGraph/PointsTo.ql
--- a/python/ql/test/experimental/semmle/python/templates/Airspeed.py
+++ b/python/ql/test/experimental/semmle/python/templates/Airspeed.py
@@ -0,0 +1,10 @@
+from bottle import Bottle, route, request, redirect, response
+import airspeed
+
+
+app = Bottle()
+
+
+@route('/other')
+def a():
+    return airspeed.Template("sink")
--- a/python/ql/test/experimental/semmle/python/templates/AirspeedSSTISinks.expected
+++ b/python/ql/test/experimental/semmle/python/templates/AirspeedSSTISinks.expected
@@ -0,0 +1 @@
+| Airspeed.py:10:30:10:35 | argument to airspeed.Template() |
--- a/python/ql/test/experimental/semmle/python/templates/AirspeedSSTISinks.ql
+++ b/python/ql/test/experimental/semmle/python/templates/AirspeedSSTISinks.ql
@@ -0,0 +1,5 @@
+import python
+import experimental.semmle.python.templates.Airspeed
+
+from SSTISink s
+select s
--- a/python/ql/test/experimental/semmle/python/templates/Bottle.py
+++ b/python/ql/test/experimental/semmle/python/templates/Bottle.py
@@ -0,0 +1,17 @@
+from bottle import Bottle, route, request, redirect, response, SimpleTemplate
+from bottle import template as temp
+
+
+app = Bottle()
+
+
+@route('/other')
+def a():
+    template = "test"
+    tpl = SimpleTemplate(template)
+
+
+@route('/other2')
+def b():
+    template = "test"
+    return temp(template, name='World')
--- a/python/ql/test/experimental/semmle/python/templates/BottleSSTISinks.expected
+++ b/python/ql/test/experimental/semmle/python/templates/BottleSSTISinks.expected
@@ -0,0 +1,2 @@
+| Bottle.py:11:26:11:33 | argument to bottle.SimpleTemplate() |
+| Bottle.py:17:17:17:24 | argument to bottle.template() |
--- a/python/ql/test/experimental/semmle/python/templates/BottleSSTISinks.ql
+++ b/python/ql/test/experimental/semmle/python/templates/BottleSSTISinks.ql
@@ -0,0 +1,5 @@
+import python
+import experimental.semmle.python.templates.Bottle
+
+from SSTISink s
+select s
--- a/python/ql/test/experimental/semmle/python/templates/Chameleon.py
+++ b/python/ql/test/experimental/semmle/python/templates/Chameleon.py
@@ -0,0 +1,5 @@
+from chameleon import PageTemplate
+
+
+def chameleon():
+    template = PageTemplate("sink")
--- a/python/ql/test/experimental/semmle/python/templates/ChameleonSSTISinks.expected
+++ b/python/ql/test/experimental/semmle/python/templates/ChameleonSSTISinks.expected
@@ -0,0 +1 @@
+| Chameleon.py:5:29:5:34 | argument to Chameleon.PageTemplate() |
--- a/python/ql/test/experimental/semmle/python/templates/ChameleonSSTISinks.ql
+++ b/python/ql/test/experimental/semmle/python/templates/ChameleonSSTISinks.ql
@@ -0,0 +1,5 @@
+import python
+import experimental.semmle.python.templates.Chameleon
+
+from SSTISink s
+select s
--- a/python/ql/test/experimental/semmle/python/templates/CheetahSSTISinks.expected
+++ b/python/ql/test/experimental/semmle/python/templates/CheetahSSTISinks.expected
@@ -0,0 +1,2 @@
+| CheetahSinks.py:10:21:10:26 | argument to Cheetah.Template.Template() |
+| CheetahSinks.py:20:20:20:25 | argument to Cheetah.Template.Template() |
--- a/python/ql/test/experimental/semmle/python/templates/CheetahSSTISinks.ql
+++ b/python/ql/test/experimental/semmle/python/templates/CheetahSSTISinks.ql
@@ -0,0 +1,5 @@
+import python
+import experimental.semmle.python.templates.Cheetah
+
+from SSTISink s
+select s
--- a/python/ql/test/experimental/semmle/python/templates/CheetahSinks.py
+++ b/python/ql/test/experimental/semmle/python/templates/CheetahSinks.py
@@ -0,0 +1,20 @@
+from bottle import Bottle, route, request, redirect, response, SimpleTemplate
+from Cheetah.Template import Template
+
+
+app = Bottle()
+
+
+@route('/other')
+def a():
+    return Template("sink")
+
+
+class Template3(Template):
+    title = 'Hello World Example!'
+    contents = 'Hello World!'
+
+
+@route('/other2')
+def b():
+    t3 = Template3("sink")
--- a/python/ql/test/experimental/semmle/python/templates/ChevronSSTISinks.expected
+++ b/python/ql/test/experimental/semmle/python/templates/ChevronSSTISinks.expected
@@ -0,0 +1 @@
+| ChevronSinks.py:10:27:10:32 | argument to chevron.render() |
--- a/python/ql/test/experimental/semmle/python/templates/ChevronSSTISinks.ql
+++ b/python/ql/test/experimental/semmle/python/templates/ChevronSSTISinks.ql
@@ -0,0 +1,5 @@
+import python
+import experimental.semmle.python.templates.Chevron
+
+from SSTISink s
+select s
--- a/python/ql/test/experimental/semmle/python/templates/ChevronSinks.py
+++ b/python/ql/test/experimental/semmle/python/templates/ChevronSinks.py
@@ -0,0 +1,22 @@
+from bottle import Bottle, route, request, redirect, response, SimpleTemplate
+import chevron
+
+
+app = Bottle()
+
+
+@route('/other')
+def a():
+    return chevron.render("sink", {"key": "value"})
+
+
+@route('/other2')
+def b():
+    sink = {
+        'template': "template",
+
+        'data': {
+            'key': 'value'
+        }
+    }
+    return chevron.render(**sink)
--- a/python/ql/test/experimental/semmle/python/templates/DjangoSSTISinks.expected
+++ b/python/ql/test/experimental/semmle/python/templates/DjangoSSTISinks.expected
@@ -0,0 +1 @@
+| DjangoTemplates.py:9:18:9:25 | argument to Django.template() |
--- a/python/ql/test/experimental/semmle/python/templates/DjangoSSTISinks.ql
+++ b/python/ql/test/experimental/semmle/python/templates/DjangoSSTISinks.ql
@@ -0,0 +1,5 @@
+import python
+import experimental.semmle.python.templates.DjangoTemplate
+
+from SSTISink s
+select s
--- a/python/ql/test/experimental/semmle/python/templates/DjangoTemplates.py
+++ b/python/ql/test/experimental/semmle/python/templates/DjangoTemplates.py
@@ -0,0 +1,39 @@
+from django.urls import path
+from django.http import HttpResponse
+from django.template import Template, Context, Engine, engines
+
+
+def dj(request):
+    # Load the template
+    template = request.GET['template']
+    t = Template(template)
+    ctx = Context(locals())
+    html = t.render(ctx)
+    return HttpResponse(html)
+
+
+def djEngine(request):
+    # Load the template
+    template = request.GET['template']
+
+    django_engine = engines['django']
+    t = django_engine.from_string(template)
+    ctx = Context(locals())
+    html = t.render(ctx)
+    return HttpResponse(html)
+
+
+def djEngineJinja(request):
+    # Load the template
+    template = request.GET['template']
+
+    django_engine = engines['jinja']
+    t = django_engine.from_string(template)
+    ctx = Context(locals())
+    html = t.render(ctx)
+    return HttpResponse(html)
+
+
+urlpatterns = [
+    path('', dj)
+]
--- a/python/ql/test/experimental/semmle/python/templates/Genshi.py
+++ b/python/ql/test/experimental/semmle/python/templates/Genshi.py
@@ -0,0 +1,10 @@
+
+
+def genshi1():
+    from genshi.template import MarkupTemplate
+    tmpl = MarkupTemplate('sink')
+
+
+def genshi2():
+    from genshi.template import TextTemplate
+    tmpl = TextTemplate('sink')
--- a/python/ql/test/experimental/semmle/python/templates/GenshiSSTISinks.expected
+++ b/python/ql/test/experimental/semmle/python/templates/GenshiSSTISinks.expected
@@ -0,0 +1,2 @@
+| Genshi.py:5:27:5:32 | argument to genshi.template.MarkupTemplate() |
+| Genshi.py:10:25:10:30 | argument to genshi.template.TextTemplate() |
--- a/python/ql/test/experimental/semmle/python/templates/GenshiSSTISinks.ql
+++ b/python/ql/test/experimental/semmle/python/templates/GenshiSSTISinks.ql
@@ -0,0 +1,5 @@
+import python
+import experimental.semmle.python.templates.Genshi
+
+from SSTISink s
+select s
--- a/python/ql/test/experimental/semmle/python/templates/Jinja2Templates.py
+++ b/python/ql/test/experimental/semmle/python/templates/Jinja2Templates.py
@@ -0,0 +1,17 @@
+from jinja2 import Template as Jinja2_Template
+from jinja2 import Environment, DictLoader, escape
+
+
+def jinja():
+    t = Jinja2_Template("sink")
+
+
+def jinja2():
+    random = "esdad" + "asdad"
+    t = Jinja2_Template(random)
+
+
+def jinja3():
+    random = 1234
+    t = Jinja2_Template("sink"+random)
+
--- a/python/ql/test/experimental/semmle/python/templates/JinjaSSTISinks.expected
+++ b/python/ql/test/experimental/semmle/python/templates/JinjaSSTISinks.expected
@@ -0,0 +1,3 @@
+| Jinja2Templates.py:6:25:6:30 | argument to jinja2.Template() |
+| Jinja2Templates.py:11:25:11:30 | argument to jinja2.Template() |
+| Jinja2Templates.py:16:25:16:37 | argument to jinja2.Template() |
--- a/python/ql/test/experimental/semmle/python/templates/JinjaSSTISinks.ql
+++ b/python/ql/test/experimental/semmle/python/templates/JinjaSSTISinks.ql
@@ -0,0 +1,5 @@
+import python
+import experimental.semmle.python.templates.Jinja
+
+from SSTISink s
+select s
--- a/python/ql/test/experimental/semmle/python/templates/Mako.py
+++ b/python/ql/test/experimental/semmle/python/templates/Mako.py
@@ -0,0 +1,5 @@
+
+
+def mako():
+    from mako.template import Template
+    mytemplate = Template("sink")
--- a/python/ql/test/experimental/semmle/python/templates/MakoSSTISinks.expected
+++ b/python/ql/test/experimental/semmle/python/templates/MakoSSTISinks.expected
@@ -0,0 +1 @@
+| Mako.py:5:27:5:32 | argument to mako.template.Template() |
--- a/python/ql/test/experimental/semmle/python/templates/MakoSSTISinks.ql
+++ b/python/ql/test/experimental/semmle/python/templates/MakoSSTISinks.ql
@@ -0,0 +1,5 @@
+import python
+import experimental.semmle.python.templates.Mako
+
+from SSTISink s
+select s
--- a/python/ql/test/experimental/semmle/python/templates/TRender.py
+++ b/python/ql/test/experimental/semmle/python/templates/TRender.py
@@ -0,0 +1,6 @@
+
+
+def trender():
+    from trender import TRender
+    template = '@greet world!'
+    compiled = TRender(template)
--- a/python/ql/test/experimental/semmle/python/templates/TRenderSSTISinks.expected
+++ b/python/ql/test/experimental/semmle/python/templates/TRenderSSTISinks.expected
@@ -0,0 +1 @@
+| TRender.py:6:24:6:31 | argument to trender.TRender() |
--- a/python/ql/test/experimental/semmle/python/templates/TRenderSSTISinks.ql
+++ b/python/ql/test/experimental/semmle/python/templates/TRenderSSTISinks.ql
@@ -0,0 +1,5 @@
+import python
+import experimental.semmle.python.templates.TRender
+
+from SSTISink s
+select s
--- a/python/ql/test/experimental/semmle/python/templates/options
+++ b/python/ql/test/experimental/semmle/python/templates/options
@@ -0,0 +1 @@
+semmle-extractor-options: --lang=3 --max-import-depth=3 -p ../../../../../query-tests/Security/lib/
				`@@ -0,0 +1 @@`
				`semmle-extractor-options: --max-import-depth=3 -p ../../query-tests/Security/lib/`
				`@@ -0,0 +1 @@`
				`\| classes.py:640:26:640:29 \| ControlFlowNode for arg3 \| classes.py:630:15:630:19 \| ControlFlowNode for value \|`
				`@@ -0,0 +1 @@`
				`import experimental.dataflow.tainttracking.TestTaintLib`
				`@@ -0,0 +1 @@`
				`\| Airspeed.py:10:30:10:35 \| argument to airspeed.Template() \|`
				`@@ -0,0 +1 @@`
				`\| Chameleon.py:5:29:5:34 \| argument to Chameleon.PageTemplate() \|`
				`@@ -0,0 +1 @@`
				`\| ChevronSinks.py:10:27:10:32 \| argument to chevron.render() \|`
				`@@ -0,0 +1 @@`
				`\| DjangoTemplates.py:9:18:9:25 \| argument to Django.template() \|`
				`@@ -0,0 +1 @@`
				`\| Mako.py:5:27:5:32 \| argument to mako.template.Template() \|`
				`@@ -0,0 +1 @@`
				`\| TRender.py:6:24:6:31 \| argument to trender.TRender() \|`
				`@@ -0,0 +1 @@`
				`semmle-extractor-options: --lang=3 --max-import-depth=3 -p ../../../../../query-tests/Security/lib/`