Ruby: Handle more splat arg flow

Allow flow from a splat argument to a positional parameter in cases where there are positional arguments left of the splat. For example: def foo(x, y, z); end foo(1, *[2, 3])
2026-04-25 16:55:19 +02:00 · 2023-08-15 17:24:16 +01:00
parent 111227e763
commit 7ebd51163e
6 changed files with 133 additions and 40 deletions
--- a/ruby/ql/lib/codeql/ruby/dataflow/internal/DataFlowDispatch.qll
+++ b/ruby/ql/lib/codeql/ruby/dataflow/internal/DataFlowDispatch.qll
@@ -472,7 +472,11 @@ private module Cached {
    TSplatParameterPosition(int pos) {
      exists(Parameter p | p.getPosition() = pos and p instanceof SplatParameter)
    } or
-    TSynthSplatParameterPosition() or
+    TSynthSplatParameterPosition(int pos) {
+      // `pos` is the position of the splat _argument_ that is matched to the
+      // `SynthSplatParameterNode` with this position.
+      exists(ArgumentPosition a | a.isSplat(pos))
+    } or
    TSynthArgSplatParameterPosition() or
    TAnyParameterPosition() or
    TAnyKeywordParameterPosition()
@@ -1301,7 +1305,7 @@ class ParameterPosition extends TParameterPosition {

  predicate isSynthHashSplat() { this = TSynthHashSplatParameterPosition() }

-  predicate isSynthSplat() { this = TSynthSplatParameterPosition() }
+  predicate isSynthSplat(int n) { this = TSynthSplatParameterPosition(n) }

  // A fake position to indicate that this parameter node holds content from a synth arg splat node
  predicate isSynthArgSplat() { this = TSynthArgSplatParameterPosition() }
@@ -1339,7 +1343,7 @@ class ParameterPosition extends TParameterPosition {
    or
    this.isAnyNamed() and result = "any-named"
    or
-    this.isSynthSplat() and result = "synthetic *"
+    exists(int pos | this.isSynthSplat(pos) and result = "synthetic * (position " + pos + ")")
    or
    this.isSynthArgSplat() and result = "synthetic * (from *args)"
    or
@@ -1442,7 +1446,7 @@ predicate parameterMatch(ParameterPosition ppos, ArgumentPosition apos) {
  or
  ppos.isSplat(0) and apos.isSynthSplat()
  or
-  ppos.isSynthSplat() and apos.isSplat(0)
+  exists(int n | ppos.isSynthSplat(n) and apos.isSplat(n))
  or
  apos.isSynthSplat() and ppos.isSynthArgSplat()
  or
--- a/ruby/ql/lib/codeql/ruby/dataflow/internal/DataFlowPrivate.qll
+++ b/ruby/ql/lib/codeql/ruby/dataflow/internal/DataFlowPrivate.qll
@@ -448,9 +448,11 @@ private module Cached {
    TSynthHashSplatParameterNode(DataFlowCallable c) {
      isParameterNode(_, c, any(ParameterPosition p | p.isKeyword(_)))
    } or
-    TSynthSplatParameterNode(DataFlowCallable c) {
+    TSynthSplatParameterNode(DataFlowCallable c, int n) {
      exists(c.asCallable()) and // exclude library callables
-      isParameterNode(_, c, any(ParameterPosition p | p.isPositional(_)))
+      isParameterNode(_, c, any(ParameterPosition p | p.isPositional(_))) and
+      // `n` is the position of the splat argument that is matched to this node
+      exists(ArgumentPosition pos | pos.isSplat(n))
    } or
    TSynthSplatArgParameterNode(DataFlowCallable c) {
      exists(c.asCallable()) and // exclude library callables
@@ -1037,11 +1039,20 @@ private module ParameterNodes {
   * ```rb
   * foo(a, *[b])
   * ```
+   *
+   * TODO: we do now support the above, but we don't support this case:
+   *
+   * ```rb
+   * foo(a, *[b], c)
+   * ```
+   *
+   * Update this documentation.
   */
  class SynthSplatParameterNode extends ParameterNodeImpl, TSynthSplatParameterNode {
    private DataFlowCallable callable;
+    private int n;

-    SynthSplatParameterNode() { this = TSynthSplatParameterNode(callable) }
+    SynthSplatParameterNode() { this = TSynthSplatParameterNode(callable, n) }

    /**
     * Gets a parameter which will contain the value given by `c`, assuming
@@ -1053,13 +1064,13 @@ private module ParameterNodes {
     * end
     * ```
     *
-     * Then `getAParameter(element 0) = x` and `getAParameter(element 1) = y`.
+     * then `getAParameter(element 0) = x` and `getAParameter(element 1) = y`.
     */
    ParameterNode getAParameter(ContentSet c) {
-      exists(int n |
-        isParameterNode(result, callable, (any(ParameterPosition p | p.isPositional(n)))) and
+      exists(int m |
+        isParameterNode(result, callable, (any(ParameterPosition p | p.isPositional(m)))) and
        (
-          c = getPositionalContent(n)
+          c = getPositionalContent(m - n)
          or
          c.isSingleton(TUnknownElementContent())
        )
@@ -1069,7 +1080,7 @@ private module ParameterNodes {
    final override Parameter getParameter() { none() }

    final override predicate isParameterOf(DataFlowCallable c, ParameterPosition pos) {
-      c = callable and pos.isSynthSplat()
+      c = callable and pos.isSynthSplat(n)
    }

    final override CfgScope getCfgScope() { result = callable.asCallable() }
--- a/ruby/ql/test/library-tests/dataflow/local/TaintStep.expected
+++ b/ruby/ql/test/library-tests/dataflow/local/TaintStep.expected
@@ -2796,7 +2796,6 @@
 | UseUseExplosion.rb:21:3675:21:3680 | call to use | UseUseExplosion.rb:21:3670:21:3680 | else ... |
 | UseUseExplosion.rb:21:3686:21:3696 | else ... | UseUseExplosion.rb:21:9:21:3700 | if ... |
 | UseUseExplosion.rb:21:3691:21:3696 | call to use | UseUseExplosion.rb:21:3686:21:3696 | else ... |
-| UseUseExplosion.rb:24:5:25:7 | synthetic *args | UseUseExplosion.rb:24:13:24:13 | i |
 | UseUseExplosion.rb:24:5:25:7 | use | UseUseExplosion.rb:1:1:26:3 | C |
 | file://:0:0:0:0 | [summary param] position 0 in & | file://:0:0:0:0 | [summary] read: Argument[0].Element[any] in & |
 | file://:0:0:0:0 | [summary param] position 0 in + | file://:0:0:0:0 | [summary] read: Argument[0].Element[any] in + |
@@ -2841,7 +2840,6 @@
 | file://:0:0:0:0 | [summary] read: Argument[0].Element[any] in Hash[] | file://:0:0:0:0 | [summary] read: Argument[0].Element[any].Element[1] in Hash[] |
 | local_dataflow.rb:1:1:7:3 | self (foo) | local_dataflow.rb:3:8:3:10 | self |
 | local_dataflow.rb:1:1:7:3 | self in foo | local_dataflow.rb:1:1:7:3 | self (foo) |
-| local_dataflow.rb:1:1:7:3 | synthetic *args | local_dataflow.rb:1:9:1:9 | a |
 | local_dataflow.rb:1:1:150:3 | <uninitialized> | local_dataflow.rb:10:9:10:9 | x |
 | local_dataflow.rb:1:1:150:3 | self (local_dataflow.rb) | local_dataflow.rb:49:1:53:3 | self |
 | local_dataflow.rb:1:9:1:9 | a | local_dataflow.rb:1:9:1:9 | a |
@@ -2879,7 +2877,6 @@
 | local_dataflow.rb:10:5:13:3 | __synth__0__1 | local_dataflow.rb:10:5:13:3 | __synth__0__1 |
 | local_dataflow.rb:10:5:13:3 | __synth__0__1 | local_dataflow.rb:10:9:10:9 | x |
 | local_dataflow.rb:10:5:13:3 | call to each | local_dataflow.rb:10:5:13:3 | ... |
-| local_dataflow.rb:10:5:13:3 | synthetic *args | local_dataflow.rb:10:5:13:3 | __synth__0__1 |
 | local_dataflow.rb:10:9:10:9 | ... = ... | local_dataflow.rb:10:9:10:9 | if ... |
 | local_dataflow.rb:10:9:10:9 | defined? ... | local_dataflow.rb:10:9:10:9 | [false] ! ... |
 | local_dataflow.rb:10:9:10:9 | defined? ... | local_dataflow.rb:10:9:10:9 | [true] ! ... |
@@ -2898,7 +2895,6 @@
 | local_dataflow.rb:15:1:17:3 | __synth__0__1 | local_dataflow.rb:15:1:17:3 | __synth__0__1 |
 | local_dataflow.rb:15:1:17:3 | __synth__0__1 | local_dataflow.rb:15:5:15:5 | x |
 | local_dataflow.rb:15:1:17:3 | call to each | local_dataflow.rb:15:1:17:3 | ... |
-| local_dataflow.rb:15:1:17:3 | synthetic *args | local_dataflow.rb:15:1:17:3 | __synth__0__1 |
 | local_dataflow.rb:15:5:15:5 | ... = ... | local_dataflow.rb:15:5:15:5 | if ... |
 | local_dataflow.rb:15:5:15:5 | defined? ... | local_dataflow.rb:15:5:15:5 | [false] ! ... |
 | local_dataflow.rb:15:5:15:5 | defined? ... | local_dataflow.rb:15:5:15:5 | [true] ! ... |
@@ -2914,7 +2910,6 @@
 | local_dataflow.rb:19:1:21:3 | __synth__0__1 | local_dataflow.rb:19:1:21:3 | __synth__0__1 |
 | local_dataflow.rb:19:1:21:3 | __synth__0__1 | local_dataflow.rb:19:5:19:5 | x |
 | local_dataflow.rb:19:1:21:3 | call to each | local_dataflow.rb:19:1:21:3 | ... |
-| local_dataflow.rb:19:1:21:3 | synthetic *args | local_dataflow.rb:19:1:21:3 | __synth__0__1 |
 | local_dataflow.rb:19:5:19:5 | ... = ... | local_dataflow.rb:19:5:19:5 | if ... |
 | local_dataflow.rb:19:5:19:5 | defined? ... | local_dataflow.rb:19:5:19:5 | [false] ! ... |
 | local_dataflow.rb:19:5:19:5 | defined? ... | local_dataflow.rb:19:5:19:5 | [true] ! ... |
@@ -2933,13 +2928,11 @@
 | local_dataflow.rb:30:14:30:20 | "class" | local_dataflow.rb:30:5:30:24 | C |
 | local_dataflow.rb:32:5:32:25 | bar | local_dataflow.rb:32:1:32:1 | x |
 | local_dataflow.rb:32:5:32:25 | bar | local_dataflow.rb:32:1:32:25 | ... = ... |
-| local_dataflow.rb:34:1:39:3 | synthetic *args | local_dataflow.rb:34:7:34:7 | x |
 | local_dataflow.rb:34:7:34:7 | x | local_dataflow.rb:34:7:34:7 | x |
 | local_dataflow.rb:34:7:34:7 | x | local_dataflow.rb:35:6:35:6 | x |
 | local_dataflow.rb:35:6:35:6 | x | local_dataflow.rb:35:6:35:11 | ... == ... |
 | local_dataflow.rb:35:11:35:11 | 4 | local_dataflow.rb:35:6:35:11 | ... == ... |
 | local_dataflow.rb:36:13:36:13 | 7 | local_dataflow.rb:36:6:36:13 | return |
-| local_dataflow.rb:41:1:47:3 | synthetic *args | local_dataflow.rb:41:7:41:7 | x |
 | local_dataflow.rb:41:7:41:7 | x | local_dataflow.rb:41:7:41:7 | x |
 | local_dataflow.rb:41:7:41:7 | x | local_dataflow.rb:42:6:42:6 | x |
 | local_dataflow.rb:42:6:42:6 | x | local_dataflow.rb:42:6:42:11 | ... == ... |
@@ -2958,10 +2951,8 @@
 | local_dataflow.rb:51:20:51:20 | x | local_dataflow.rb:51:20:51:24 | ... < ... |
 | local_dataflow.rb:51:24:51:24 | 9 | local_dataflow.rb:51:20:51:24 | ... < ... |
 | local_dataflow.rb:55:5:55:13 | Array | local_dataflow.rb:55:5:55:13 | call to [] |
-| local_dataflow.rb:57:1:58:3 | synthetic *args | local_dataflow.rb:57:9:57:9 | x |
 | local_dataflow.rb:60:1:90:3 | self (test_case) | local_dataflow.rb:78:12:78:20 | self |
 | local_dataflow.rb:60:1:90:3 | self in test_case | local_dataflow.rb:60:1:90:3 | self (test_case) |
-| local_dataflow.rb:60:1:90:3 | synthetic *args | local_dataflow.rb:60:15:60:15 | x |
 | local_dataflow.rb:60:15:60:15 | x | local_dataflow.rb:60:15:60:15 | x |
 | local_dataflow.rb:60:15:60:15 | x | local_dataflow.rb:61:12:61:12 | x |
 | local_dataflow.rb:61:7:68:5 | SSA phi read(x) | local_dataflow.rb:69:12:69:12 | x |
@@ -3134,7 +3125,6 @@
 | local_dataflow.rb:118:3:118:11 | call to source | local_dataflow.rb:118:3:118:31 | call to tap |
 | local_dataflow.rb:118:3:118:11 | self | local_dataflow.rb:119:3:119:31 | self |
 | local_dataflow.rb:118:17:118:31 | <captured entry> self | local_dataflow.rb:118:23:118:29 | self |
-| local_dataflow.rb:118:17:118:31 | synthetic *args | local_dataflow.rb:118:20:118:20 | x |
 | local_dataflow.rb:118:20:118:20 | x | local_dataflow.rb:118:20:118:20 | x |
 | local_dataflow.rb:118:20:118:20 | x | local_dataflow.rb:118:28:118:28 | x |
 | local_dataflow.rb:119:3:119:31 | [post] self | local_dataflow.rb:119:8:119:16 | self |
@@ -3149,10 +3139,8 @@
 | local_dataflow.rb:123:8:123:20 | call to dup | local_dataflow.rb:123:8:123:45 | call to tap |
 | local_dataflow.rb:123:8:123:45 | call to tap | local_dataflow.rb:123:8:123:49 | call to dup |
 | local_dataflow.rb:123:26:123:45 | <captured entry> self | local_dataflow.rb:123:32:123:43 | self |
-| local_dataflow.rb:123:26:123:45 | synthetic *args | local_dataflow.rb:123:29:123:29 | x |
 | local_dataflow.rb:126:1:128:3 | self (use) | local_dataflow.rb:127:3:127:8 | self |
 | local_dataflow.rb:126:1:128:3 | self in use | local_dataflow.rb:126:1:128:3 | self (use) |
-| local_dataflow.rb:126:1:128:3 | synthetic *args | local_dataflow.rb:126:9:126:9 | x |
 | local_dataflow.rb:130:1:150:3 | self (use_use_madness) | local_dataflow.rb:132:6:132:11 | self |
 | local_dataflow.rb:130:1:150:3 | self in use_use_madness | local_dataflow.rb:130:1:150:3 | self (use_use_madness) |
 | local_dataflow.rb:131:3:131:3 | x | local_dataflow.rb:132:10:132:10 | x |
--- a/ruby/ql/test/library-tests/dataflow/params/params-flow.expected
+++ b/ruby/ql/test/library-tests/dataflow/params/params-flow.expected
@@ -40,7 +40,11 @@ edges
 | params_flow.rb:41:13:41:21 | call to taint | params_flow.rb:16:18:16:19 | p2 |
 | params_flow.rb:41:24:41:29 | ** ... [element :p1] | params_flow.rb:16:13:16:14 | p1 |
 | params_flow.rb:41:26:41:29 | args [element :p1] | params_flow.rb:41:24:41:29 | ** ... [element :p1] |
+| params_flow.rb:43:1:43:4 | args [element 0] | params_flow.rb:44:24:44:27 | args [element 0] |
+| params_flow.rb:43:9:43:17 | call to taint | params_flow.rb:43:1:43:4 | args [element 0] |
 | params_flow.rb:44:12:44:20 | call to taint | params_flow.rb:9:16:9:17 | p1 |
+| params_flow.rb:44:23:44:27 | * ... [element 0] | params_flow.rb:9:20:9:21 | p2 |
+| params_flow.rb:44:24:44:27 | args [element 0] | params_flow.rb:44:23:44:27 | * ... [element 0] |
 | params_flow.rb:46:1:46:4 | args [element 0] | params_flow.rb:47:13:47:16 | args [element 0] |
 | params_flow.rb:46:1:46:4 | args [element 1] | params_flow.rb:47:13:47:16 | args [element 1] |
 | params_flow.rb:46:9:46:17 | call to taint | params_flow.rb:46:1:46:4 | args [element 0] |
@@ -78,20 +82,57 @@ edges
 | params_flow.rb:78:21:78:29 | call to taint | params_flow.rb:69:17:69:17 | y |
 | params_flow.rb:78:43:78:51 | call to taint | params_flow.rb:69:24:69:24 | w |
 | params_flow.rb:78:54:78:62 | call to taint | params_flow.rb:69:27:69:27 | r |
+| params_flow.rb:80:1:80:4 | args [element 0] | params_flow.rb:81:22:81:25 | args [element 0] |
+| params_flow.rb:80:1:80:4 | args [element 2] | params_flow.rb:81:22:81:25 | args [element 2] |
+| params_flow.rb:80:1:80:4 | args [element 3] | params_flow.rb:81:22:81:25 | args [element 3] |
+| params_flow.rb:80:9:80:17 | call to taint | params_flow.rb:80:1:80:4 | args [element 0] |
+| params_flow.rb:80:31:80:39 | call to taint | params_flow.rb:80:1:80:4 | args [element 2] |
+| params_flow.rb:80:42:80:50 | call to taint | params_flow.rb:80:1:80:4 | args [element 3] |
 | params_flow.rb:81:10:81:18 | call to taint | params_flow.rb:69:14:69:14 | x |
+| params_flow.rb:81:21:81:25 | * ... [element 0] | params_flow.rb:69:17:69:17 | y |
+| params_flow.rb:81:21:81:25 | * ... [element 2] | params_flow.rb:69:24:69:24 | w |
+| params_flow.rb:81:21:81:25 | * ... [element 3] | params_flow.rb:69:27:69:27 | r |
+| params_flow.rb:81:22:81:25 | args [element 0] | params_flow.rb:81:21:81:25 | * ... [element 0] |
+| params_flow.rb:81:22:81:25 | args [element 2] | params_flow.rb:81:21:81:25 | * ... [element 2] |
+| params_flow.rb:81:22:81:25 | args [element 3] | params_flow.rb:81:21:81:25 | * ... [element 3] |
 | params_flow.rb:83:14:83:14 | t | params_flow.rb:84:10:84:10 | t |
 | params_flow.rb:83:17:83:17 | u | params_flow.rb:85:10:85:10 | u |
+| params_flow.rb:83:20:83:20 | v | params_flow.rb:86:10:86:10 | v |
 | params_flow.rb:83:23:83:23 | w | params_flow.rb:87:10:87:10 | w |
+| params_flow.rb:83:26:83:26 | x | params_flow.rb:88:10:88:10 | x |
+| params_flow.rb:83:29:83:29 | y | params_flow.rb:89:10:89:10 | y |
+| params_flow.rb:93:1:93:4 | args [element 0] | params_flow.rb:94:33:94:36 | args [element 0] |
+| params_flow.rb:93:1:93:4 | args [element 1] | params_flow.rb:94:33:94:36 | args [element 1] |
+| params_flow.rb:93:1:93:4 | args [element 2] | params_flow.rb:94:33:94:36 | args [element 2] |
+| params_flow.rb:93:1:93:4 | args [element 3] | params_flow.rb:94:33:94:36 | args [element 3] |
+| params_flow.rb:93:9:93:17 | call to taint | params_flow.rb:93:1:93:4 | args [element 0] |
+| params_flow.rb:93:20:93:28 | call to taint | params_flow.rb:93:1:93:4 | args [element 1] |
+| params_flow.rb:93:31:93:39 | call to taint | params_flow.rb:93:1:93:4 | args [element 2] |
+| params_flow.rb:93:42:93:50 | call to taint | params_flow.rb:93:1:93:4 | args [element 3] |
 | params_flow.rb:94:10:94:18 | call to taint | params_flow.rb:83:14:83:14 | t |
 | params_flow.rb:94:21:94:29 | call to taint | params_flow.rb:83:17:83:17 | u |
+| params_flow.rb:94:32:94:36 | * ... [element 0] | params_flow.rb:83:20:83:20 | v |
+| params_flow.rb:94:32:94:36 | * ... [element 1] | params_flow.rb:83:23:83:23 | w |
+| params_flow.rb:94:32:94:36 | * ... [element 2] | params_flow.rb:83:26:83:26 | x |
+| params_flow.rb:94:32:94:36 | * ... [element 3] | params_flow.rb:83:29:83:29 | y |
+| params_flow.rb:94:33:94:36 | args [element 0] | params_flow.rb:94:32:94:36 | * ... [element 0] |
+| params_flow.rb:94:33:94:36 | args [element 1] | params_flow.rb:94:32:94:36 | * ... [element 1] |
+| params_flow.rb:94:33:94:36 | args [element 2] | params_flow.rb:94:32:94:36 | * ... [element 2] |
+| params_flow.rb:94:33:94:36 | args [element 3] | params_flow.rb:94:32:94:36 | * ... [element 3] |
 | params_flow.rb:94:39:94:47 | call to taint | params_flow.rb:83:23:83:23 | w |
 | params_flow.rb:96:10:96:18 | call to taint | params_flow.rb:69:14:69:14 | x |
 | params_flow.rb:96:21:96:29 | call to taint | params_flow.rb:69:17:69:17 | y |
+| params_flow.rb:96:32:96:65 | * ... [element 1] | params_flow.rb:69:24:69:24 | w |
+| params_flow.rb:96:32:96:65 | * ... [element 2] | params_flow.rb:69:27:69:27 | r |
+| params_flow.rb:96:45:96:53 | call to taint | params_flow.rb:96:32:96:65 | * ... [element 1] |
+| params_flow.rb:96:56:96:64 | call to taint | params_flow.rb:96:32:96:65 | * ... [element 2] |
 | params_flow.rb:96:68:96:76 | call to taint | params_flow.rb:69:24:69:24 | w |
 | params_flow.rb:96:79:96:87 | call to taint | params_flow.rb:69:27:69:27 | r |
 | params_flow.rb:98:19:98:19 | a | params_flow.rb:99:10:99:10 | a |
 | params_flow.rb:98:31:98:31 | b | params_flow.rb:102:10:102:10 | b |
 | params_flow.rb:105:15:105:23 | call to taint | params_flow.rb:98:19:98:19 | a |
+| params_flow.rb:105:26:105:48 | * ... [element 1] | params_flow.rb:98:31:98:31 | b |
+| params_flow.rb:105:39:105:47 | call to taint | params_flow.rb:105:26:105:48 | * ... [element 1] |
 | params_flow.rb:106:15:106:23 | call to taint | params_flow.rb:98:19:98:19 | a |
 | params_flow.rb:106:37:106:45 | call to taint | params_flow.rb:98:31:98:31 | b |
 | params_flow.rb:108:37:108:37 | a | params_flow.rb:109:10:109:10 | a |
@@ -167,7 +208,11 @@ nodes
 | params_flow.rb:41:13:41:21 | call to taint | semmle.label | call to taint |
 | params_flow.rb:41:24:41:29 | ** ... [element :p1] | semmle.label | ** ... [element :p1] |
 | params_flow.rb:41:26:41:29 | args [element :p1] | semmle.label | args [element :p1] |
+| params_flow.rb:43:1:43:4 | args [element 0] | semmle.label | args [element 0] |
+| params_flow.rb:43:9:43:17 | call to taint | semmle.label | call to taint |
 | params_flow.rb:44:12:44:20 | call to taint | semmle.label | call to taint |
+| params_flow.rb:44:23:44:27 | * ... [element 0] | semmle.label | * ... [element 0] |
+| params_flow.rb:44:24:44:27 | args [element 0] | semmle.label | args [element 0] |
 | params_flow.rb:46:1:46:4 | args [element 0] | semmle.label | args [element 0] |
 | params_flow.rb:46:1:46:4 | args [element 1] | semmle.label | args [element 1] |
 | params_flow.rb:46:9:46:17 | call to taint | semmle.label | call to taint |
@@ -212,18 +257,56 @@ nodes
 | params_flow.rb:78:21:78:29 | call to taint | semmle.label | call to taint |
 | params_flow.rb:78:43:78:51 | call to taint | semmle.label | call to taint |
 | params_flow.rb:78:54:78:62 | call to taint | semmle.label | call to taint |
+| params_flow.rb:80:1:80:4 | args [element 0] | semmle.label | args [element 0] |
+| params_flow.rb:80:1:80:4 | args [element 2] | semmle.label | args [element 2] |
+| params_flow.rb:80:1:80:4 | args [element 3] | semmle.label | args [element 3] |
+| params_flow.rb:80:9:80:17 | call to taint | semmle.label | call to taint |
+| params_flow.rb:80:31:80:39 | call to taint | semmle.label | call to taint |
+| params_flow.rb:80:42:80:50 | call to taint | semmle.label | call to taint |
 | params_flow.rb:81:10:81:18 | call to taint | semmle.label | call to taint |
+| params_flow.rb:81:21:81:25 | * ... [element 0] | semmle.label | * ... [element 0] |
+| params_flow.rb:81:21:81:25 | * ... [element 2] | semmle.label | * ... [element 2] |
+| params_flow.rb:81:21:81:25 | * ... [element 3] | semmle.label | * ... [element 3] |
+| params_flow.rb:81:22:81:25 | args [element 0] | semmle.label | args [element 0] |
+| params_flow.rb:81:22:81:25 | args [element 2] | semmle.label | args [element 2] |
+| params_flow.rb:81:22:81:25 | args [element 3] | semmle.label | args [element 3] |
 | params_flow.rb:83:14:83:14 | t | semmle.label | t |
 | params_flow.rb:83:17:83:17 | u | semmle.label | u |
+| params_flow.rb:83:20:83:20 | v | semmle.label | v |
 | params_flow.rb:83:23:83:23 | w | semmle.label | w |
+| params_flow.rb:83:26:83:26 | x | semmle.label | x |
+| params_flow.rb:83:29:83:29 | y | semmle.label | y |
 | params_flow.rb:84:10:84:10 | t | semmle.label | t |
 | params_flow.rb:85:10:85:10 | u | semmle.label | u |
+| params_flow.rb:86:10:86:10 | v | semmle.label | v |
 | params_flow.rb:87:10:87:10 | w | semmle.label | w |
+| params_flow.rb:88:10:88:10 | x | semmle.label | x |
+| params_flow.rb:89:10:89:10 | y | semmle.label | y |
+| params_flow.rb:93:1:93:4 | args [element 0] | semmle.label | args [element 0] |
+| params_flow.rb:93:1:93:4 | args [element 1] | semmle.label | args [element 1] |
+| params_flow.rb:93:1:93:4 | args [element 2] | semmle.label | args [element 2] |
+| params_flow.rb:93:1:93:4 | args [element 3] | semmle.label | args [element 3] |
+| params_flow.rb:93:9:93:17 | call to taint | semmle.label | call to taint |
+| params_flow.rb:93:20:93:28 | call to taint | semmle.label | call to taint |
+| params_flow.rb:93:31:93:39 | call to taint | semmle.label | call to taint |
+| params_flow.rb:93:42:93:50 | call to taint | semmle.label | call to taint |
 | params_flow.rb:94:10:94:18 | call to taint | semmle.label | call to taint |
 | params_flow.rb:94:21:94:29 | call to taint | semmle.label | call to taint |
+| params_flow.rb:94:32:94:36 | * ... [element 0] | semmle.label | * ... [element 0] |
+| params_flow.rb:94:32:94:36 | * ... [element 1] | semmle.label | * ... [element 1] |
+| params_flow.rb:94:32:94:36 | * ... [element 2] | semmle.label | * ... [element 2] |
+| params_flow.rb:94:32:94:36 | * ... [element 3] | semmle.label | * ... [element 3] |
+| params_flow.rb:94:33:94:36 | args [element 0] | semmle.label | args [element 0] |
+| params_flow.rb:94:33:94:36 | args [element 1] | semmle.label | args [element 1] |
+| params_flow.rb:94:33:94:36 | args [element 2] | semmle.label | args [element 2] |
+| params_flow.rb:94:33:94:36 | args [element 3] | semmle.label | args [element 3] |
 | params_flow.rb:94:39:94:47 | call to taint | semmle.label | call to taint |
 | params_flow.rb:96:10:96:18 | call to taint | semmle.label | call to taint |
 | params_flow.rb:96:21:96:29 | call to taint | semmle.label | call to taint |
+| params_flow.rb:96:32:96:65 | * ... [element 1] | semmle.label | * ... [element 1] |
+| params_flow.rb:96:32:96:65 | * ... [element 2] | semmle.label | * ... [element 2] |
+| params_flow.rb:96:45:96:53 | call to taint | semmle.label | call to taint |
+| params_flow.rb:96:56:96:64 | call to taint | semmle.label | call to taint |
 | params_flow.rb:96:68:96:76 | call to taint | semmle.label | call to taint |
 | params_flow.rb:96:79:96:87 | call to taint | semmle.label | call to taint |
 | params_flow.rb:98:19:98:19 | a | semmle.label | a |
@@ -231,6 +314,8 @@ nodes
 | params_flow.rb:99:10:99:10 | a | semmle.label | a |
 | params_flow.rb:102:10:102:10 | b | semmle.label | b |
 | params_flow.rb:105:15:105:23 | call to taint | semmle.label | call to taint |
+| params_flow.rb:105:26:105:48 | * ... [element 1] | semmle.label | * ... [element 1] |
+| params_flow.rb:105:39:105:47 | call to taint | semmle.label | call to taint |
 | params_flow.rb:106:15:106:23 | call to taint | semmle.label | call to taint |
 | params_flow.rb:106:37:106:45 | call to taint | semmle.label | call to taint |
 | params_flow.rb:108:37:108:37 | a | semmle.label | a |
@@ -268,6 +353,7 @@ subpaths
 | params_flow.rb:10:10:10:11 | p1 | params_flow.rb:46:9:46:17 | call to taint | params_flow.rb:10:10:10:11 | p1 | $@ | params_flow.rb:46:9:46:17 | call to taint | call to taint |
 | params_flow.rb:10:10:10:11 | p1 | params_flow.rb:117:19:117:27 | call to taint | params_flow.rb:10:10:10:11 | p1 | $@ | params_flow.rb:117:19:117:27 | call to taint | call to taint |
 | params_flow.rb:11:10:11:11 | p2 | params_flow.rb:14:22:14:29 | call to taint | params_flow.rb:11:10:11:11 | p2 | $@ | params_flow.rb:14:22:14:29 | call to taint | call to taint |
+| params_flow.rb:11:10:11:11 | p2 | params_flow.rb:43:9:43:17 | call to taint | params_flow.rb:11:10:11:11 | p2 | $@ | params_flow.rb:43:9:43:17 | call to taint | call to taint |
 | params_flow.rb:11:10:11:11 | p2 | params_flow.rb:46:20:46:28 | call to taint | params_flow.rb:11:10:11:11 | p2 | $@ | params_flow.rb:46:20:46:28 | call to taint | call to taint |
 | params_flow.rb:11:10:11:11 | p2 | params_flow.rb:117:19:117:27 | call to taint | params_flow.rb:11:10:11:11 | p2 | $@ | params_flow.rb:117:19:117:27 | call to taint | call to taint |
 | params_flow.rb:17:10:17:11 | p1 | params_flow.rb:21:13:21:20 | call to taint | params_flow.rb:17:10:17:11 | p1 | $@ | params_flow.rb:21:13:21:20 | call to taint | call to taint |
@@ -295,19 +381,29 @@ subpaths
 | params_flow.rb:70:10:70:10 | x | params_flow.rb:81:10:81:18 | call to taint | params_flow.rb:70:10:70:10 | x | $@ | params_flow.rb:81:10:81:18 | call to taint | call to taint |
 | params_flow.rb:70:10:70:10 | x | params_flow.rb:96:10:96:18 | call to taint | params_flow.rb:70:10:70:10 | x | $@ | params_flow.rb:96:10:96:18 | call to taint | call to taint |
 | params_flow.rb:71:10:71:10 | y | params_flow.rb:78:21:78:29 | call to taint | params_flow.rb:71:10:71:10 | y | $@ | params_flow.rb:78:21:78:29 | call to taint | call to taint |
+| params_flow.rb:71:10:71:10 | y | params_flow.rb:80:9:80:17 | call to taint | params_flow.rb:71:10:71:10 | y | $@ | params_flow.rb:80:9:80:17 | call to taint | call to taint |
 | params_flow.rb:71:10:71:10 | y | params_flow.rb:96:21:96:29 | call to taint | params_flow.rb:71:10:71:10 | y | $@ | params_flow.rb:96:21:96:29 | call to taint | call to taint |
 | params_flow.rb:74:10:74:10 | w | params_flow.rb:78:43:78:51 | call to taint | params_flow.rb:74:10:74:10 | w | $@ | params_flow.rb:78:43:78:51 | call to taint | call to taint |
+| params_flow.rb:74:10:74:10 | w | params_flow.rb:80:31:80:39 | call to taint | params_flow.rb:74:10:74:10 | w | $@ | params_flow.rb:80:31:80:39 | call to taint | call to taint |
+| params_flow.rb:74:10:74:10 | w | params_flow.rb:96:45:96:53 | call to taint | params_flow.rb:74:10:74:10 | w | $@ | params_flow.rb:96:45:96:53 | call to taint | call to taint |
 | params_flow.rb:74:10:74:10 | w | params_flow.rb:96:68:96:76 | call to taint | params_flow.rb:74:10:74:10 | w | $@ | params_flow.rb:96:68:96:76 | call to taint | call to taint |
 | params_flow.rb:75:10:75:10 | r | params_flow.rb:78:54:78:62 | call to taint | params_flow.rb:75:10:75:10 | r | $@ | params_flow.rb:78:54:78:62 | call to taint | call to taint |
+| params_flow.rb:75:10:75:10 | r | params_flow.rb:80:42:80:50 | call to taint | params_flow.rb:75:10:75:10 | r | $@ | params_flow.rb:80:42:80:50 | call to taint | call to taint |
+| params_flow.rb:75:10:75:10 | r | params_flow.rb:96:56:96:64 | call to taint | params_flow.rb:75:10:75:10 | r | $@ | params_flow.rb:96:56:96:64 | call to taint | call to taint |
 | params_flow.rb:75:10:75:10 | r | params_flow.rb:96:79:96:87 | call to taint | params_flow.rb:75:10:75:10 | r | $@ | params_flow.rb:96:79:96:87 | call to taint | call to taint |
 | params_flow.rb:84:10:84:10 | t | params_flow.rb:94:10:94:18 | call to taint | params_flow.rb:84:10:84:10 | t | $@ | params_flow.rb:94:10:94:18 | call to taint | call to taint |
 | params_flow.rb:84:10:84:10 | t | params_flow.rb:130:9:130:17 | call to taint | params_flow.rb:84:10:84:10 | t | $@ | params_flow.rb:130:9:130:17 | call to taint | call to taint |
 | params_flow.rb:85:10:85:10 | u | params_flow.rb:94:21:94:29 | call to taint | params_flow.rb:85:10:85:10 | u | $@ | params_flow.rb:94:21:94:29 | call to taint | call to taint |
 | params_flow.rb:85:10:85:10 | u | params_flow.rb:130:20:130:28 | call to taint | params_flow.rb:85:10:85:10 | u | $@ | params_flow.rb:130:20:130:28 | call to taint | call to taint |
 | params_flow.rb:85:10:85:10 | u | params_flow.rb:131:17:131:25 | call to taint | params_flow.rb:85:10:85:10 | u | $@ | params_flow.rb:131:17:131:25 | call to taint | call to taint |
+| params_flow.rb:86:10:86:10 | v | params_flow.rb:93:9:93:17 | call to taint | params_flow.rb:86:10:86:10 | v | $@ | params_flow.rb:93:9:93:17 | call to taint | call to taint |
+| params_flow.rb:87:10:87:10 | w | params_flow.rb:93:20:93:28 | call to taint | params_flow.rb:87:10:87:10 | w | $@ | params_flow.rb:93:20:93:28 | call to taint | call to taint |
 | params_flow.rb:87:10:87:10 | w | params_flow.rb:94:39:94:47 | call to taint | params_flow.rb:87:10:87:10 | w | $@ | params_flow.rb:94:39:94:47 | call to taint | call to taint |
+| params_flow.rb:88:10:88:10 | x | params_flow.rb:93:31:93:39 | call to taint | params_flow.rb:88:10:88:10 | x | $@ | params_flow.rb:93:31:93:39 | call to taint | call to taint |
+| params_flow.rb:89:10:89:10 | y | params_flow.rb:93:42:93:50 | call to taint | params_flow.rb:89:10:89:10 | y | $@ | params_flow.rb:93:42:93:50 | call to taint | call to taint |
 | params_flow.rb:99:10:99:10 | a | params_flow.rb:105:15:105:23 | call to taint | params_flow.rb:99:10:99:10 | a | $@ | params_flow.rb:105:15:105:23 | call to taint | call to taint |
 | params_flow.rb:99:10:99:10 | a | params_flow.rb:106:15:106:23 | call to taint | params_flow.rb:99:10:99:10 | a | $@ | params_flow.rb:106:15:106:23 | call to taint | call to taint |
+| params_flow.rb:102:10:102:10 | b | params_flow.rb:105:39:105:47 | call to taint | params_flow.rb:102:10:102:10 | b | $@ | params_flow.rb:105:39:105:47 | call to taint | call to taint |
 | params_flow.rb:102:10:102:10 | b | params_flow.rb:106:37:106:45 | call to taint | params_flow.rb:102:10:102:10 | b | $@ | params_flow.rb:106:37:106:45 | call to taint | call to taint |
 | params_flow.rb:109:10:109:10 | a | params_flow.rb:114:33:114:41 | call to taint | params_flow.rb:109:10:109:10 | a | $@ | params_flow.rb:114:33:114:41 | call to taint | call to taint |
 | params_flow.rb:110:10:110:13 | ...[...] | params_flow.rb:114:44:114:52 | call to taint | params_flow.rb:110:10:110:13 | ...[...] | $@ | params_flow.rb:114:44:114:52 | call to taint | call to taint |
--- a/ruby/ql/test/library-tests/dataflow/params/params_flow.rb
+++ b/ruby/ql/test/library-tests/dataflow/params/params_flow.rb
@@ -8,7 +8,7 @@ end

 def positional(p1, p2)
    sink p1 # $ hasValueFlow=1 $ hasValueFlow=16 $ hasValueFlow=18 $ hasValueFlow=61
-    sink p2 # $ hasValueFlow=2 $ hasValueFlow=19 $ hasValueFlow=61 $ MISSING: hasValueFlow=17
+    sink p2 # $ hasValueFlow=2 $ hasValueFlow=19 $ hasValueFlow=61 $ hasValueFlow=17
 end

 positional(taint(1), taint(2))
@@ -68,11 +68,11 @@ splatstuff(*args)

 def splatmid(x, y, *z, w, r)
    sink x # $ hasValueFlow=27 $ hasValueFlow=32 $ hasValueFlow=45
-    sink y # $ hasValueFlow=28 $ hasValueFlow=46 $ MISSING: hasValueFlow=33
+    sink y # $ hasValueFlow=28 $ hasValueFlow=46 $ hasValueFlow=33
    sink z[0] # MISSING: $ hasValueFlow=47 $ hasValueFlow=29 $ hasValueFlow=34
    sink z[1] # $ MISSING: hasValueFlow=48 $ hasValueFlow=35
-    sink w # $ hasValueFlow=30 $ hasValueFlow=50 $ MISSING: hasValueFlow=36
-    sink r # $ hasValueFlow=31 $ hasValueFlow=51 $ MISSING: hasValueFlow=37
+    sink w # $ hasValueFlow=30 $ hasValueFlow=50 $ MISSING: hasValueFlow=36 $ SPURIOUS: hasValueFlow=35 $ hasValueFlow=48
+    sink r # $ hasValueFlow=31 $ hasValueFlow=51 $ MISSING: hasValueFlow=37 $ SPURIOUS: hasValueFlow=36 $ hasValueFlow=49
 end

 splatmid(taint(27), taint(28), taint(29), taint(30), taint(31))
@@ -83,10 +83,10 @@ splatmid(taint(32), *args, taint(37))
 def pos_many(t, u, v, w, x, y, z)
    sink t # $ hasValueFlow=38 $ hasValueFlow=66
    sink u # $ hasValueFlow=39 $ hasValueFlow=67 $ SPURIOUS: hasValueFlow=68
-    sink v # $ MISSING: hasValueFlow=40
-    sink w # $ MISSING: hasValueFlow=41 $ SPURIOUS: hasValueFlow=44
-    sink x # $ MISSING: hasValueFlow=42
-    sink y # $ MISSING: hasValueFlow=43
+    sink v # $ hasValueFlow=40
+    sink w # $ hasValueFlow=41 $ SPURIOUS: hasValueFlow=44
+    sink x # $ hasValueFlow=42
+    sink y # $ hasValueFlow=43
    sink z # $ MISSING: hasValueFlow=44
 end

@@ -98,8 +98,8 @@ splatmid(taint(45), taint(46), *[taint(47), taint(48), taint(49)], taint(50), ta
 def splatmidsmall(a, *splats, b)
    sink a # $ hasValueFlow=52 $ hasValueFlow=55
    sink splats[0] # $ MISSING: hasValueFlow=53
-    sink splats[1] # $ MISSING: hasValueFlow=54
-    sink b # $ hasValueFlow=57
+    sink splats[1]
+    sink b # $ hasValueFlow=57 $ hasValueFlow=54
 end

 splatmidsmall(taint(52), *[taint(53), taint(54)])
--- a/ruby/ql/test/library-tests/dataflow/type-tracker/TypeTracker.expected
+++ b/ruby/ql/test/library-tests/dataflow/type-tracker/TypeTracker.expected
@@ -7,7 +7,6 @@ track
 | type_tracker.rb:2:5:5:7 | field= | type tracker without call steps | type_tracker.rb:2:5:5:7 | field= |
 | type_tracker.rb:2:5:5:7 | self in field= | type tracker with call steps | type_tracker.rb:7:5:9:7 | self in field |
 | type_tracker.rb:2:5:5:7 | self in field= | type tracker without call steps | type_tracker.rb:2:5:5:7 | self in field= |
-| type_tracker.rb:2:5:5:7 | synthetic *args | type tracker without call steps | type_tracker.rb:2:5:5:7 | synthetic *args |
 | type_tracker.rb:2:16:2:18 | val | type tracker without call steps | type_tracker.rb:2:16:2:18 | val |
 | type_tracker.rb:2:16:2:18 | val | type tracker without call steps | type_tracker.rb:2:16:2:18 | val |
 | type_tracker.rb:2:16:2:18 | val | type tracker without call steps | type_tracker.rb:3:14:3:23 | call to field |
@@ -58,7 +57,6 @@ track
 | type_tracker.rb:18:1:21:3 | &block | type tracker without call steps | type_tracker.rb:18:1:21:3 | &block |
 | type_tracker.rb:18:1:21:3 | positional | type tracker without call steps | type_tracker.rb:18:1:21:3 | positional |
 | type_tracker.rb:18:1:21:3 | self in positional | type tracker without call steps | type_tracker.rb:18:1:21:3 | self in positional |
-| type_tracker.rb:18:1:21:3 | synthetic *args | type tracker without call steps | type_tracker.rb:18:1:21:3 | synthetic *args |
 | type_tracker.rb:18:16:18:17 | p1 | type tracker without call steps | type_tracker.rb:18:16:18:17 | p1 |
 | type_tracker.rb:18:16:18:17 | p1 | type tracker without call steps | type_tracker.rb:18:16:18:17 | p1 |
 | type_tracker.rb:18:16:18:17 | p1 | type tracker without call steps with content element 0 | type_tracker.rb:19:5:19:11 | * |
@@ -150,7 +148,6 @@ track
 | type_tracker.rb:32:26:32:26 | 8 | type tracker without call steps with content element :p1 | type_tracker.rb:32:1:32:27 | ** |
 | type_tracker.rb:34:1:53:3 | &block | type tracker without call steps | type_tracker.rb:34:1:53:3 | &block |
 | type_tracker.rb:34:1:53:3 | self in throughArray | type tracker without call steps | type_tracker.rb:34:1:53:3 | self in throughArray |
-| type_tracker.rb:34:1:53:3 | synthetic *args | type tracker without call steps | type_tracker.rb:34:1:53:3 | synthetic *args |
 | type_tracker.rb:34:1:53:3 | throughArray | type tracker without call steps | type_tracker.rb:34:1:53:3 | throughArray |
 | type_tracker.rb:34:18:34:20 | obj | type tracker without call steps | type_tracker.rb:34:18:34:20 | obj |
 | type_tracker.rb:34:18:34:20 | obj | type tracker without call steps | type_tracker.rb:34:18:34:20 | obj |
@@ -357,7 +354,6 @@ trackEnd
 | type_tracker.rb:2:5:5:7 | self in field= | type_tracker.rb:7:5:9:7 | self (field) |
 | type_tracker.rb:2:5:5:7 | self in field= | type_tracker.rb:7:5:9:7 | self in field |
 | type_tracker.rb:2:5:5:7 | self in field= | type_tracker.rb:8:9:8:14 | self |
-| type_tracker.rb:2:5:5:7 | synthetic *args | type_tracker.rb:2:5:5:7 | synthetic *args |
 | type_tracker.rb:2:16:2:18 | val | type_tracker.rb:2:16:2:18 | val |
 | type_tracker.rb:2:16:2:18 | val | type_tracker.rb:2:16:2:18 | val |
 | type_tracker.rb:2:16:2:18 | val | type_tracker.rb:2:16:2:18 | val |
@@ -429,7 +425,6 @@ trackEnd
 | type_tracker.rb:18:1:21:3 | self in positional | type_tracker.rb:18:1:21:3 | self in positional |
 | type_tracker.rb:18:1:21:3 | self in positional | type_tracker.rb:19:5:19:11 | self |
 | type_tracker.rb:18:1:21:3 | self in positional | type_tracker.rb:20:5:20:11 | self |
-| type_tracker.rb:18:1:21:3 | synthetic *args | type_tracker.rb:18:1:21:3 | synthetic *args |
 | type_tracker.rb:18:16:18:17 | p1 | type_tracker.rb:18:16:18:17 | p1 |
 | type_tracker.rb:18:16:18:17 | p1 | type_tracker.rb:18:16:18:17 | p1 |
 | type_tracker.rb:18:16:18:17 | p1 | type_tracker.rb:18:16:18:17 | p1 |
@@ -522,7 +517,6 @@ trackEnd
 | type_tracker.rb:32:26:32:26 | 8 | type_tracker.rb:32:26:32:26 | 8 |
 | type_tracker.rb:34:1:53:3 | &block | type_tracker.rb:34:1:53:3 | &block |
 | type_tracker.rb:34:1:53:3 | self in throughArray | type_tracker.rb:34:1:53:3 | self in throughArray |
-| type_tracker.rb:34:1:53:3 | synthetic *args | type_tracker.rb:34:1:53:3 | synthetic *args |
 | type_tracker.rb:34:1:53:3 | throughArray | type_tracker.rb:34:1:53:3 | throughArray |
 | type_tracker.rb:34:18:34:20 | obj | type_tracker.rb:34:18:34:20 | obj |
 | type_tracker.rb:34:18:34:20 | obj | type_tracker.rb:34:18:34:20 | obj |