Merge pull request #15802 from hvitved/dataflow/variable-capture-overlapping-paths

Variable capture: Avoid overlapping and false-positive data flow paths

csharp/ql/test/library-tests/dataflow/global/DataFlowPath.expected

@@ -1,27 +1,17 @@
 edges
-| Capture.cs:7:20:7:26 | tainted : String | Capture.cs:9:9:13:9 | CaptureIn1(...) : CaptureIn1 [captured tainted] : String | provenance |  |
 | Capture.cs:7:20:7:26 | tainted : String | Capture.cs:14:9:14:18 | access to local function CaptureIn1 : CaptureIn1 [captured tainted] : String | provenance |  |
-| Capture.cs:7:20:7:26 | tainted : String | Capture.cs:16:9:24:9 | CaptureIn2(...) : CaptureIn2 [captured tainted] : String | provenance |  |
 | Capture.cs:7:20:7:26 | tainted : String | Capture.cs:25:9:25:18 | access to local function CaptureIn2 : CaptureIn2 [captured tainted] : String | provenance |  |
-| Capture.cs:7:20:7:26 | tainted : String | Capture.cs:27:43:32:9 | (...) => ... : (...) => ... [captured tainted] : String | provenance |  |
 | Capture.cs:7:20:7:26 | tainted : String | Capture.cs:33:30:33:39 | access to local variable captureIn3 : Func<String,String> [captured tainted] : String | provenance |  |
 | Capture.cs:7:20:7:26 | tainted : String | Capture.cs:61:36:61:42 | access to parameter tainted : String | provenance |  |
-| Capture.cs:9:9:13:9 | CaptureIn1(...) : CaptureIn1 [captured tainted] : String | Capture.cs:14:9:14:18 | access to local function CaptureIn1 : CaptureIn1 [captured tainted] : String | provenance |  |
 | Capture.cs:11:17:11:22 | access to local variable sink27 : String | Capture.cs:12:19:12:24 | access to local variable sink27 | provenance |  |
 | Capture.cs:11:26:11:32 | access to parameter tainted : String | Capture.cs:11:17:11:22 | access to local variable sink27 : String | provenance |  |
 | Capture.cs:14:9:14:18 | access to local function CaptureIn1 : CaptureIn1 [captured tainted] : String | Capture.cs:11:26:11:32 | access to parameter tainted : String | provenance |  |
-| Capture.cs:16:9:24:9 | CaptureIn2(...) : CaptureIn2 [captured tainted] : String | Capture.cs:25:9:25:18 | access to local function CaptureIn2 : CaptureIn2 [captured tainted] : String | provenance |  |
-| Capture.cs:18:13:22:13 | M(...) : M [captured tainted] : String | Capture.cs:23:13:23:13 | access to local function M : M [captured tainted] : String | provenance |  |
 | Capture.cs:20:21:20:26 | access to local variable sink28 : String | Capture.cs:21:23:21:28 | access to local variable sink28 | provenance |  |
 | Capture.cs:20:30:20:36 | access to parameter tainted : String | Capture.cs:20:21:20:26 | access to local variable sink28 : String | provenance |  |
 | Capture.cs:23:13:23:13 | access to local function M : M [captured tainted] : String | Capture.cs:20:30:20:36 | access to parameter tainted : String | provenance |  |
-| Capture.cs:25:9:25:18 | access to local function CaptureIn2 : CaptureIn2 [captured tainted] : String | Capture.cs:18:13:22:13 | M(...) : M [captured tainted] : String | provenance |  |
 | Capture.cs:25:9:25:18 | access to local function CaptureIn2 : CaptureIn2 [captured tainted] : String | Capture.cs:23:13:23:13 | access to local function M : M [captured tainted] : String | provenance |  |
-| Capture.cs:27:30:27:39 | access to local variable captureIn3 : (...) => ... [captured tainted] : String | Capture.cs:33:30:33:39 | access to local variable captureIn3 : (...) => ... [captured tainted] : String | provenance |  |
-| Capture.cs:27:43:32:9 | (...) => ... : (...) => ... [captured tainted] : String | Capture.cs:27:30:27:39 | access to local variable captureIn3 : (...) => ... [captured tainted] : String | provenance |  |
 | Capture.cs:29:17:29:22 | access to local variable sink29 : String | Capture.cs:30:19:30:24 | access to local variable sink29 | provenance |  |
 | Capture.cs:29:26:29:32 | access to parameter tainted : String | Capture.cs:29:17:29:22 | access to local variable sink29 : String | provenance |  |
-| Capture.cs:33:30:33:39 | access to local variable captureIn3 : (...) => ... [captured tainted] : String | Capture.cs:29:26:29:32 | access to parameter tainted : String | provenance |  |
 | Capture.cs:33:30:33:39 | access to local variable captureIn3 : Func<String,String> [captured tainted] : String | Capture.cs:29:26:29:32 | access to parameter tainted : String | provenance |  |
 | Capture.cs:50:50:50:55 | sink39 : String | Capture.cs:52:23:59:13 | (...) => ... : (...) => ... [captured sink39] : String | provenance |  |
 | Capture.cs:52:23:59:13 | (...) => ... : (...) => ... [captured sink39] : String | Capture.cs:350:34:350:34 | a : (...) => ... [captured sink39] : String | provenance |  |
@@ -37,28 +27,18 @@ edges
 | Capture.cs:114:23:117:13 | [post] (...) => ... : (...) => ... [captured sink40] : String | Capture.cs:123:9:123:33 | [post] access to local function CaptureOutMultipleLambdas : CaptureOutMultipleLambdas [captured sink40] : String | provenance |  |
 | Capture.cs:116:26:116:39 | "taint source" : String | Capture.cs:352:9:352:9 | [post] access to parameter a : (...) => ... [captured sink40] : String | provenance |  |
 | Capture.cs:123:9:123:33 | [post] access to local function CaptureOutMultipleLambdas : CaptureOutMultipleLambdas [captured sink40] : String | Capture.cs:124:15:124:20 | access to local variable sink40 | provenance |  |
-| Capture.cs:127:25:127:31 | tainted : String | Capture.cs:130:9:133:9 | CaptureThrough1(...) : CaptureThrough1 [captured tainted] : String | provenance |  |
 | Capture.cs:127:25:127:31 | tainted : String | Capture.cs:134:9:134:23 | access to local function CaptureThrough1 : CaptureThrough1 [captured tainted] : String | provenance |  |
-| Capture.cs:127:25:127:31 | tainted : String | Capture.cs:138:9:145:9 | CaptureThrough2(...) : CaptureThrough2 [captured tainted] : String | provenance |  |
 | Capture.cs:127:25:127:31 | tainted : String | Capture.cs:146:9:146:23 | access to local function CaptureThrough2 : CaptureThrough2 [captured tainted] : String | provenance |  |
-| Capture.cs:127:25:127:31 | tainted : String | Capture.cs:150:48:154:9 | (...) => ... : (...) => ... [captured tainted] : String | provenance |  |
 | Capture.cs:127:25:127:31 | tainted : String | Capture.cs:155:30:155:44 | access to local variable captureThrough3 : Func<String,String> [captured tainted] : String | provenance |  |
-| Capture.cs:127:25:127:31 | tainted : String | Capture.cs:158:9:161:9 | CaptureThrough4(...) : CaptureThrough4 [captured tainted] : String | provenance |  |
 | Capture.cs:127:25:127:31 | tainted : String | Capture.cs:162:22:162:36 | access to local function CaptureThrough4 : CaptureThrough4 [captured tainted] : String | provenance |  |
 | Capture.cs:127:25:127:31 | tainted : String | Capture.cs:170:25:170:31 | access to parameter tainted : String | provenance |  |
 | Capture.cs:127:25:127:31 | tainted : String | Capture.cs:196:25:196:31 | access to parameter tainted : String | provenance |  |
-| Capture.cs:130:9:133:9 | CaptureThrough1(...) : CaptureThrough1 [captured tainted] : String | Capture.cs:134:9:134:23 | access to local function CaptureThrough1 : CaptureThrough1 [captured tainted] : String | provenance |  |
 | Capture.cs:134:9:134:23 | [post] access to local function CaptureThrough1 : CaptureThrough1 [captured sink33] : String | Capture.cs:135:15:135:20 | access to local variable sink33 | provenance |  |
 | Capture.cs:134:9:134:23 | access to local function CaptureThrough1 : CaptureThrough1 [captured tainted] : String | Capture.cs:134:9:134:23 | [post] access to local function CaptureThrough1 : CaptureThrough1 [captured sink33] : String | provenance |  |
-| Capture.cs:138:9:145:9 | CaptureThrough2(...) : CaptureThrough2 [captured tainted] : String | Capture.cs:146:9:146:23 | access to local function CaptureThrough2 : CaptureThrough2 [captured tainted] : String | provenance |  |
 | Capture.cs:146:9:146:23 | [post] access to local function CaptureThrough2 : CaptureThrough2 [captured sink34] : String | Capture.cs:147:15:147:20 | access to local variable sink34 | provenance |  |
 | Capture.cs:146:9:146:23 | access to local function CaptureThrough2 : CaptureThrough2 [captured tainted] : String | Capture.cs:146:9:146:23 | [post] access to local function CaptureThrough2 : CaptureThrough2 [captured sink34] : String | provenance |  |
-| Capture.cs:150:30:150:44 | access to local variable captureThrough3 : (...) => ... [captured tainted] : String | Capture.cs:155:30:155:44 | access to local variable captureThrough3 : (...) => ... [captured tainted] : String | provenance |  |
-| Capture.cs:150:48:154:9 | (...) => ... : (...) => ... [captured tainted] : String | Capture.cs:150:30:150:44 | access to local variable captureThrough3 : (...) => ... [captured tainted] : String | provenance |  |
 | Capture.cs:155:30:155:44 | [post] access to local variable captureThrough3 : (...) => ... [captured sink35] : String | Capture.cs:156:15:156:20 | access to local variable sink35 | provenance |  |
-| Capture.cs:155:30:155:44 | access to local variable captureThrough3 : (...) => ... [captured tainted] : String | Capture.cs:155:30:155:44 | [post] access to local variable captureThrough3 : (...) => ... [captured sink35] : String | provenance |  |
 | Capture.cs:155:30:155:44 | access to local variable captureThrough3 : Func<String,String> [captured tainted] : String | Capture.cs:155:30:155:44 | [post] access to local variable captureThrough3 : (...) => ... [captured sink35] : String | provenance |  |
-| Capture.cs:158:9:161:9 | CaptureThrough4(...) : CaptureThrough4 [captured tainted] : String | Capture.cs:162:22:162:36 | access to local function CaptureThrough4 : CaptureThrough4 [captured tainted] : String | provenance |  |
 | Capture.cs:162:13:162:18 | access to local variable sink36 : String | Capture.cs:163:15:163:20 | access to local variable sink36 | provenance |  |
 | Capture.cs:162:22:162:36 | access to local function CaptureThrough4 : CaptureThrough4 [captured tainted] : String | Capture.cs:162:22:162:38 | call to local function CaptureThrough4 : String | provenance |  |
 | Capture.cs:162:22:162:38 | call to local function CaptureThrough4 : String | Capture.cs:162:13:162:18 | access to local variable sink36 : String | provenance |  |
@@ -66,19 +46,13 @@ edges
 | Capture.cs:170:9:170:23 | [post] access to local function CaptureThrough5 : CaptureThrough5 [captured sink37] : String | Capture.cs:171:15:171:20 | access to local variable sink37 | provenance |  |
 | Capture.cs:170:25:170:31 | access to parameter tainted : String | Capture.cs:166:37:166:37 | p : String | provenance |  |
 | Capture.cs:170:25:170:31 | access to parameter tainted : String | Capture.cs:170:9:170:23 | [post] access to local function CaptureThrough5 : CaptureThrough5 [captured sink37] : String | provenance |  |
-| Capture.cs:190:26:190:26 | s : String | Capture.cs:192:13:192:28 | M(...) : M [captured s] : String | provenance |  |
 | Capture.cs:190:26:190:26 | s : String | Capture.cs:193:20:193:20 | access to local function M : M [captured s] : String | provenance |  |
-| Capture.cs:192:13:192:28 | M(...) : M [captured s] : String | Capture.cs:193:20:193:20 | access to local function M : M [captured s] : String | provenance |  |
 | Capture.cs:193:20:193:20 | access to local function M : M [captured s] : String | Capture.cs:193:20:193:22 | call to local function M : String | provenance |  |
 | Capture.cs:196:13:196:18 | access to local variable sink38 : String | Capture.cs:197:15:197:20 | access to local variable sink38 | provenance |  |
 | Capture.cs:196:22:196:32 | call to local function Id : String | Capture.cs:196:13:196:18 | access to local variable sink38 : String | provenance |  |
 | Capture.cs:196:25:196:31 | access to parameter tainted : String | Capture.cs:190:26:190:26 | s : String | provenance |  |
 | Capture.cs:196:25:196:31 | access to parameter tainted : String | Capture.cs:196:22:196:32 | call to local function Id : String | provenance |  |
-| Capture.cs:202:20:202:20 | s : String | Capture.cs:204:20:207:9 | (...) => ... : (...) => ... [captured s] : String | provenance |  |
 | Capture.cs:202:20:202:20 | s : String | Capture.cs:208:9:208:9 | access to local variable a : Action [captured s] : String | provenance |  |
-| Capture.cs:204:16:204:16 | access to local variable a : (...) => ... [captured s] : String | Capture.cs:208:9:208:9 | access to local variable a : (...) => ... [captured s] : String | provenance |  |
-| Capture.cs:204:20:207:9 | (...) => ... : (...) => ... [captured s] : String | Capture.cs:204:16:204:16 | access to local variable a : (...) => ... [captured s] : String | provenance |  |
-| Capture.cs:208:9:208:9 | access to local variable a : (...) => ... [captured s] : String | Capture.cs:206:19:206:19 | access to parameter s | provenance |  |
 | Capture.cs:208:9:208:9 | access to local variable a : Action [captured s] : String | Capture.cs:206:19:206:19 | access to parameter s | provenance |  |
 | Capture.cs:211:21:211:34 | "taint source" : String | Capture.cs:202:20:202:20 | s : String | provenance |  |
 | Capture.cs:213:22:213:22 | s : String | Capture.cs:215:16:218:9 | (...) => ... : (...) => ... [captured s] : String | provenance |  |
@@ -93,17 +67,13 @@ edges
 | Capture.cs:229:20:233:9 | (...) => ... : (...) => ... [captured x] : String | Capture.cs:231:19:231:19 | access to local variable x | provenance |  |
 | Capture.cs:229:20:233:9 | [post] (...) => ... : (...) => ... [captured x] : String | Capture.cs:234:15:234:15 | access to local variable x | provenance |  |
 | Capture.cs:232:17:232:30 | "taint source" : String | Capture.cs:229:20:233:9 | [post] (...) => ... : (...) => ... [captured x] : String | provenance |  |
-| Capture.cs:242:9:242:9 | [post] access to local variable c : Capture [field Field] : String | Capture.cs:244:20:248:9 | (...) => ... : (...) => ... [captured c, field Field] : String | provenance |  |
 | Capture.cs:242:9:242:9 | [post] access to local variable c : Capture [field Field] : String | Capture.cs:249:9:249:9 | access to local variable a : Action [captured c, field Field] : String | provenance |  |
 | Capture.cs:242:9:242:9 | [post] access to local variable c : Capture [field Field] : String | Capture.cs:251:15:251:15 | access to local variable c : Capture [field Field] : String | provenance |  |
 | Capture.cs:242:19:242:32 | "taint source" : String | Capture.cs:242:9:242:9 | [post] access to local variable c : Capture [field Field] : String | provenance |  |
-| Capture.cs:244:16:244:16 | access to local variable a : (...) => ... [captured c, field Field] : String | Capture.cs:249:9:249:9 | access to local variable a : (...) => ... [captured c, field Field] : String | provenance |  |
-| Capture.cs:244:20:248:9 | (...) => ... : (...) => ... [captured c, field Field] : String | Capture.cs:244:16:244:16 | access to local variable a : (...) => ... [captured c, field Field] : String | provenance |  |
 | Capture.cs:246:19:246:19 | access to local variable c : Capture [field Field] : String | Capture.cs:246:19:246:25 | access to field Field | provenance |  |
 | Capture.cs:247:13:247:13 | [post] access to local variable c : Capture [field Field] : String | Capture.cs:249:9:249:9 | [post] access to local variable a : (...) => ... [captured c, field Field] : String | provenance |  |
 | Capture.cs:247:23:247:36 | "taint source" : String | Capture.cs:247:13:247:13 | [post] access to local variable c : Capture [field Field] : String | provenance |  |
 | Capture.cs:249:9:249:9 | [post] access to local variable a : (...) => ... [captured c, field Field] : String | Capture.cs:251:15:251:15 | access to local variable c : Capture [field Field] : String | provenance |  |
-| Capture.cs:249:9:249:9 | access to local variable a : (...) => ... [captured c, field Field] : String | Capture.cs:246:19:246:19 | access to local variable c : Capture [field Field] : String | provenance |  |
 | Capture.cs:249:9:249:9 | access to local variable a : Action [captured c, field Field] : String | Capture.cs:246:19:246:19 | access to local variable c : Capture [field Field] : String | provenance |  |
 | Capture.cs:251:15:251:15 | access to local variable c : Capture [field Field] : String | Capture.cs:251:15:251:21 | access to field Field | provenance |  |
 | Capture.cs:264:13:264:13 | [post] access to local variable c : Capture [field Field] : String | Capture.cs:266:9:266:9 | [post] access to local variable a : (...) => ... [captured c, field Field] : String | provenance |  |
@@ -112,52 +82,30 @@ edges
 | Capture.cs:268:15:268:15 | access to local variable c : Capture [field Field] : String | Capture.cs:268:15:268:21 | access to field Field | provenance |  |
 | Capture.cs:273:19:273:19 | x : String | Capture.cs:273:30:273:30 | access to parameter x | provenance |  |
 | Capture.cs:273:34:273:47 | "taint source" : String | Capture.cs:355:45:355:45 | x : String | provenance |  |
-| Capture.cs:278:17:278:30 | "taint source" : String | Capture.cs:280:25:288:9 | (...) => ... : (...) => ... [captured x] : String | provenance |  |
 | Capture.cs:278:17:278:30 | "taint source" : String | Capture.cs:290:9:290:14 | access to local variable middle : Action [captured x] : String | provenance |  |
 | Capture.cs:278:17:278:30 | "taint source" : String | Capture.cs:292:15:292:15 | access to local variable x | provenance |  |
-| Capture.cs:280:16:280:21 | access to local variable middle : (...) => ... [captured x] : String | Capture.cs:290:9:290:14 | access to local variable middle : (...) => ... [captured x] : String | provenance |  |
-| Capture.cs:280:25:288:9 | (...) => ... : (...) => ... [captured x] : String | Capture.cs:280:16:280:21 | access to local variable middle : (...) => ... [captured x] : String | provenance |  |
-| Capture.cs:282:20:282:24 | access to local variable inner : (...) => ... [captured x] : String | Capture.cs:287:13:287:17 | access to local variable inner : (...) => ... [captured x] : String | provenance |  |
-| Capture.cs:282:28:286:13 | (...) => ... : (...) => ... [captured x] : String | Capture.cs:282:20:282:24 | access to local variable inner : (...) => ... [captured x] : String | provenance |  |
 | Capture.cs:285:21:285:34 | "taint source" : String | Capture.cs:287:13:287:17 | [post] access to local variable inner : (...) => ... [captured x] : String | provenance |  |
 | Capture.cs:287:13:287:17 | [post] access to local variable inner : (...) => ... [captured x] : String | Capture.cs:290:9:290:14 | [post] access to local variable middle : (...) => ... [captured x] : String | provenance |  |
-| Capture.cs:287:13:287:17 | access to local variable inner : (...) => ... [captured x] : String | Capture.cs:284:23:284:23 | access to local variable x | provenance |  |
 | Capture.cs:287:13:287:17 | access to local variable inner : Action [captured x] : String | Capture.cs:284:23:284:23 | access to local variable x | provenance |  |
 | Capture.cs:290:9:290:14 | [post] access to local variable middle : (...) => ... [captured x] : String | Capture.cs:292:15:292:15 | access to local variable x | provenance |  |
-| Capture.cs:290:9:290:14 | access to local variable middle : (...) => ... [captured x] : String | Capture.cs:282:28:286:13 | (...) => ... : (...) => ... [captured x] : String | provenance |  |
-| Capture.cs:290:9:290:14 | access to local variable middle : (...) => ... [captured x] : String | Capture.cs:287:13:287:17 | access to local variable inner : Action [captured x] : String | provenance |  |
-| Capture.cs:290:9:290:14 | access to local variable middle : Action [captured x] : String | Capture.cs:282:28:286:13 | (...) => ... : (...) => ... [captured x] : String | provenance |  |
 | Capture.cs:290:9:290:14 | access to local variable middle : Action [captured x] : String | Capture.cs:287:13:287:17 | access to local variable inner : Action [captured x] : String | provenance |  |
-| Capture.cs:297:9:297:12 | [post] this access : Capture [field Field] : String | Capture.cs:299:20:303:9 | (...) => ... : (...) => ... [captured this in M10, field Field] : String | provenance |  |
 | Capture.cs:297:9:297:12 | [post] this access : Capture [field Field] : String | Capture.cs:304:9:304:9 | access to local variable a : Action [captured this in M10, field Field] : String | provenance |  |
 | Capture.cs:297:9:297:12 | [post] this access : Capture [field Field] : String | Capture.cs:306:15:306:18 | this access : Capture [field Field] : String | provenance |  |
 | Capture.cs:297:22:297:35 | "taint source" : String | Capture.cs:297:9:297:12 | [post] this access : Capture [field Field] : String | provenance |  |
-| Capture.cs:299:16:299:16 | access to local variable a : (...) => ... [captured this in M10, field Field] : String | Capture.cs:304:9:304:9 | access to local variable a : (...) => ... [captured this in M10, field Field] : String | provenance |  |
-| Capture.cs:299:20:303:9 | (...) => ... : (...) => ... [captured this in M10, field Field] : String | Capture.cs:299:16:299:16 | access to local variable a : (...) => ... [captured this in M10, field Field] : String | provenance |  |
 | Capture.cs:301:19:301:22 | this access : Capture [field Field] : String | Capture.cs:301:19:301:28 | access to field Field | provenance |  |
 | Capture.cs:302:13:302:16 | [post] this access : Capture [field Field] : String | Capture.cs:304:9:304:9 | [post] access to local variable a : (...) => ... [captured this in M10, field Field] : String | provenance |  |
 | Capture.cs:302:26:302:39 | "taint source" : String | Capture.cs:302:13:302:16 | [post] this access : Capture [field Field] : String | provenance |  |
 | Capture.cs:304:9:304:9 | [post] access to local variable a : (...) => ... [captured this in M10, field Field] : String | Capture.cs:306:15:306:18 | this access : Capture [field Field] : String | provenance |  |
-| Capture.cs:304:9:304:9 | access to local variable a : (...) => ... [captured this in M10, field Field] : String | Capture.cs:301:19:301:22 | this access : Capture [field Field] : String | provenance |  |
 | Capture.cs:304:9:304:9 | access to local variable a : Action [captured this in M10, field Field] : String | Capture.cs:301:19:301:22 | this access : Capture [field Field] : String | provenance |  |
 | Capture.cs:306:15:306:18 | this access : Capture [field Field] : String | Capture.cs:306:15:306:24 | access to field Field | provenance |  |
 | Capture.cs:311:17:311:30 | "taint source" : String | Capture.cs:312:15:312:15 | access to local variable x | provenance |  |
 | Capture.cs:318:17:318:30 | "taint source" : String | Capture.cs:319:19:319:19 | access to local variable x | provenance |  |
-| Capture.cs:328:17:328:30 | "taint source" : String | Capture.cs:330:9:330:49 | CapturedLocalFunction(...) : CapturedLocalFunction [captured x] : String | provenance |  |
-| Capture.cs:328:17:328:30 | "taint source" : String | Capture.cs:332:9:332:65 | CapturingLocalFunction(...) : CapturingLocalFunction [captured x] : String | provenance |  |
 | Capture.cs:328:17:328:30 | "taint source" : String | Capture.cs:334:9:334:30 | access to local function CapturingLocalFunction : CapturingLocalFunction [captured x] : String | provenance |  |
-| Capture.cs:330:9:330:49 | CapturedLocalFunction(...) : CapturedLocalFunction [captured x] : String | Capture.cs:332:42:332:62 | access to local function CapturedLocalFunction : CapturedLocalFunction [captured x] : String | provenance |  |
-| Capture.cs:332:9:332:65 | CapturingLocalFunction(...) : CapturingLocalFunction [captured x] : String | Capture.cs:334:9:334:30 | access to local function CapturingLocalFunction : CapturingLocalFunction [captured x] : String | provenance |  |
-| Capture.cs:332:42:332:62 | access to local function CapturedLocalFunction : CapturedLocalFunction [captured x] : String | Capture.cs:330:47:330:47 | access to local variable x | provenance |  |
 | Capture.cs:332:42:332:62 | access to local function CapturedLocalFunction : CapturedLocalFunction [captured x] : String | Capture.cs:330:47:330:47 | access to local variable x | provenance |  |
 | Capture.cs:334:9:334:30 | access to local function CapturingLocalFunction : CapturingLocalFunction [captured x] : String | Capture.cs:332:42:332:62 | access to local function CapturedLocalFunction : CapturedLocalFunction [captured x] : String | provenance |  |
 | Capture.cs:339:17:339:30 | "taint source" : String | Capture.cs:341:33:341:46 | (...) => ... : (...) => ... [captured x] : String | provenance |  |
-| Capture.cs:341:33:341:46 | (...) => ... : (...) => ... [captured x] : String | Capture.cs:343:34:343:55 | (...) => ... : (...) => ... [captured capturedLambda, captured x] : String | provenance |  |
 | Capture.cs:341:33:341:46 | (...) => ... : (...) => ... [captured x] : String | Capture.cs:345:9:345:23 | access to local variable capturingLambda : Action [captured capturedLambda, captured x] : String | provenance |  |
-| Capture.cs:343:16:343:30 | access to local variable capturingLambda : (...) => ... [captured capturedLambda, captured x] : String | Capture.cs:345:9:345:23 | access to local variable capturingLambda : (...) => ... [captured capturedLambda, captured x] : String | provenance |  |
-| Capture.cs:343:34:343:55 | (...) => ... : (...) => ... [captured capturedLambda, captured x] : String | Capture.cs:343:16:343:30 | access to local variable capturingLambda : (...) => ... [captured capturedLambda, captured x] : String | provenance |  |
 | Capture.cs:343:40:343:53 | access to local variable capturedLambda : (...) => ... [captured x] : String | Capture.cs:341:45:341:45 | access to local variable x | provenance |  |
-| Capture.cs:345:9:345:23 | access to local variable capturingLambda : (...) => ... [captured capturedLambda, captured x] : String | Capture.cs:343:40:343:53 | access to local variable capturedLambda : (...) => ... [captured x] : String | provenance |  |
 | Capture.cs:345:9:345:23 | access to local variable capturingLambda : Action [captured capturedLambda, captured x] : String | Capture.cs:343:40:343:53 | access to local variable capturedLambda : (...) => ... [captured x] : String | provenance |  |
 | Capture.cs:350:34:350:34 | a : (...) => ... [captured s] : String | Capture.cs:352:9:352:9 | access to parameter a : (...) => ... [captured s] : String | provenance |  |
 | Capture.cs:350:34:350:34 | a : (...) => ... [captured sink39] : String | Capture.cs:352:9:352:9 | access to parameter a : (...) => ... [captured sink39] : String | provenance |  |
@@ -519,24 +467,18 @@ edges
 | Splitting.cs:48:36:48:49 | "taint source" : String | Splitting.cs:48:13:48:13 | access to local variable s : String | provenance |  |
 nodes
 | Capture.cs:7:20:7:26 | tainted : String | semmle.label | tainted : String |
-| Capture.cs:9:9:13:9 | CaptureIn1(...) : CaptureIn1 [captured tainted] : String | semmle.label | CaptureIn1(...) : CaptureIn1 [captured tainted] : String |
 | Capture.cs:11:17:11:22 | access to local variable sink27 : String | semmle.label | access to local variable sink27 : String |
 | Capture.cs:11:26:11:32 | access to parameter tainted : String | semmle.label | access to parameter tainted : String |
 | Capture.cs:12:19:12:24 | access to local variable sink27 | semmle.label | access to local variable sink27 |
 | Capture.cs:14:9:14:18 | access to local function CaptureIn1 : CaptureIn1 [captured tainted] : String | semmle.label | access to local function CaptureIn1 : CaptureIn1 [captured tainted] : String |
-| Capture.cs:16:9:24:9 | CaptureIn2(...) : CaptureIn2 [captured tainted] : String | semmle.label | CaptureIn2(...) : CaptureIn2 [captured tainted] : String |
-| Capture.cs:18:13:22:13 | M(...) : M [captured tainted] : String | semmle.label | M(...) : M [captured tainted] : String |
 | Capture.cs:20:21:20:26 | access to local variable sink28 : String | semmle.label | access to local variable sink28 : String |
 | Capture.cs:20:30:20:36 | access to parameter tainted : String | semmle.label | access to parameter tainted : String |
 | Capture.cs:21:23:21:28 | access to local variable sink28 | semmle.label | access to local variable sink28 |
 | Capture.cs:23:13:23:13 | access to local function M : M [captured tainted] : String | semmle.label | access to local function M : M [captured tainted] : String |
 | Capture.cs:25:9:25:18 | access to local function CaptureIn2 : CaptureIn2 [captured tainted] : String | semmle.label | access to local function CaptureIn2 : CaptureIn2 [captured tainted] : String |
-| Capture.cs:27:30:27:39 | access to local variable captureIn3 : (...) => ... [captured tainted] : String | semmle.label | access to local variable captureIn3 : (...) => ... [captured tainted] : String |
-| Capture.cs:27:43:32:9 | (...) => ... : (...) => ... [captured tainted] : String | semmle.label | (...) => ... : (...) => ... [captured tainted] : String |
 | Capture.cs:29:17:29:22 | access to local variable sink29 : String | semmle.label | access to local variable sink29 : String |
 | Capture.cs:29:26:29:32 | access to parameter tainted : String | semmle.label | access to parameter tainted : String |
 | Capture.cs:30:19:30:24 | access to local variable sink29 | semmle.label | access to local variable sink29 |
-| Capture.cs:33:30:33:39 | access to local variable captureIn3 : (...) => ... [captured tainted] : String | semmle.label | access to local variable captureIn3 : (...) => ... [captured tainted] : String |
 | Capture.cs:33:30:33:39 | access to local variable captureIn3 : Func<String,String> [captured tainted] : String | semmle.label | access to local variable captureIn3 : Func<String,String> [captured tainted] : String |
 | Capture.cs:50:50:50:55 | sink39 : String | semmle.label | sink39 : String |
 | Capture.cs:52:23:59:13 | (...) => ... : (...) => ... [captured sink39] : String | semmle.label | (...) => ... : (...) => ... [captured sink39] : String |
@@ -558,21 +500,15 @@ nodes
 | Capture.cs:123:9:123:33 | [post] access to local function CaptureOutMultipleLambdas : CaptureOutMultipleLambdas [captured sink40] : String | semmle.label | [post] access to local function CaptureOutMultipleLambdas : CaptureOutMultipleLambdas [captured sink40] : String |
 | Capture.cs:124:15:124:20 | access to local variable sink40 | semmle.label | access to local variable sink40 |
 | Capture.cs:127:25:127:31 | tainted : String | semmle.label | tainted : String |
-| Capture.cs:130:9:133:9 | CaptureThrough1(...) : CaptureThrough1 [captured tainted] : String | semmle.label | CaptureThrough1(...) : CaptureThrough1 [captured tainted] : String |
 | Capture.cs:134:9:134:23 | [post] access to local function CaptureThrough1 : CaptureThrough1 [captured sink33] : String | semmle.label | [post] access to local function CaptureThrough1 : CaptureThrough1 [captured sink33] : String |
 | Capture.cs:134:9:134:23 | access to local function CaptureThrough1 : CaptureThrough1 [captured tainted] : String | semmle.label | access to local function CaptureThrough1 : CaptureThrough1 [captured tainted] : String |
 | Capture.cs:135:15:135:20 | access to local variable sink33 | semmle.label | access to local variable sink33 |
-| Capture.cs:138:9:145:9 | CaptureThrough2(...) : CaptureThrough2 [captured tainted] : String | semmle.label | CaptureThrough2(...) : CaptureThrough2 [captured tainted] : String |
 | Capture.cs:146:9:146:23 | [post] access to local function CaptureThrough2 : CaptureThrough2 [captured sink34] : String | semmle.label | [post] access to local function CaptureThrough2 : CaptureThrough2 [captured sink34] : String |
 | Capture.cs:146:9:146:23 | access to local function CaptureThrough2 : CaptureThrough2 [captured tainted] : String | semmle.label | access to local function CaptureThrough2 : CaptureThrough2 [captured tainted] : String |
 | Capture.cs:147:15:147:20 | access to local variable sink34 | semmle.label | access to local variable sink34 |
-| Capture.cs:150:30:150:44 | access to local variable captureThrough3 : (...) => ... [captured tainted] : String | semmle.label | access to local variable captureThrough3 : (...) => ... [captured tainted] : String |
-| Capture.cs:150:48:154:9 | (...) => ... : (...) => ... [captured tainted] : String | semmle.label | (...) => ... : (...) => ... [captured tainted] : String |
 | Capture.cs:155:30:155:44 | [post] access to local variable captureThrough3 : (...) => ... [captured sink35] : String | semmle.label | [post] access to local variable captureThrough3 : (...) => ... [captured sink35] : String |
-| Capture.cs:155:30:155:44 | access to local variable captureThrough3 : (...) => ... [captured tainted] : String | semmle.label | access to local variable captureThrough3 : (...) => ... [captured tainted] : String |
 | Capture.cs:155:30:155:44 | access to local variable captureThrough3 : Func<String,String> [captured tainted] : String | semmle.label | access to local variable captureThrough3 : Func<String,String> [captured tainted] : String |
 | Capture.cs:156:15:156:20 | access to local variable sink35 | semmle.label | access to local variable sink35 |
-| Capture.cs:158:9:161:9 | CaptureThrough4(...) : CaptureThrough4 [captured tainted] : String | semmle.label | CaptureThrough4(...) : CaptureThrough4 [captured tainted] : String |
 | Capture.cs:162:13:162:18 | access to local variable sink36 : String | semmle.label | access to local variable sink36 : String |
 | Capture.cs:162:22:162:36 | access to local function CaptureThrough4 : CaptureThrough4 [captured tainted] : String | semmle.label | access to local function CaptureThrough4 : CaptureThrough4 [captured tainted] : String |
 | Capture.cs:162:22:162:38 | call to local function CaptureThrough4 : String | semmle.label | call to local function CaptureThrough4 : String |
@@ -583,7 +519,6 @@ nodes
 | Capture.cs:170:25:170:31 | access to parameter tainted : String | semmle.label | access to parameter tainted : String |
 | Capture.cs:171:15:171:20 | access to local variable sink37 | semmle.label | access to local variable sink37 |
 | Capture.cs:190:26:190:26 | s : String | semmle.label | s : String |
-| Capture.cs:192:13:192:28 | M(...) : M [captured s] : String | semmle.label | M(...) : M [captured s] : String |
 | Capture.cs:193:20:193:20 | access to local function M : M [captured s] : String | semmle.label | access to local function M : M [captured s] : String |
 | Capture.cs:193:20:193:22 | call to local function M : String | semmle.label | call to local function M : String |
 | Capture.cs:196:13:196:18 | access to local variable sink38 : String | semmle.label | access to local variable sink38 : String |
@@ -591,10 +526,7 @@ nodes
 | Capture.cs:196:25:196:31 | access to parameter tainted : String | semmle.label | access to parameter tainted : String |
 | Capture.cs:197:15:197:20 | access to local variable sink38 | semmle.label | access to local variable sink38 |
 | Capture.cs:202:20:202:20 | s : String | semmle.label | s : String |
-| Capture.cs:204:16:204:16 | access to local variable a : (...) => ... [captured s] : String | semmle.label | access to local variable a : (...) => ... [captured s] : String |
-| Capture.cs:204:20:207:9 | (...) => ... : (...) => ... [captured s] : String | semmle.label | (...) => ... : (...) => ... [captured s] : String |
 | Capture.cs:206:19:206:19 | access to parameter s | semmle.label | access to parameter s |
-| Capture.cs:208:9:208:9 | access to local variable a : (...) => ... [captured s] : String | semmle.label | access to local variable a : (...) => ... [captured s] : String |
 | Capture.cs:208:9:208:9 | access to local variable a : Action [captured s] : String | semmle.label | access to local variable a : Action [captured s] : String |
 | Capture.cs:211:21:211:34 | "taint source" : String | semmle.label | "taint source" : String |
 | Capture.cs:213:22:213:22 | s : String | semmle.label | s : String |
@@ -612,14 +544,11 @@ nodes
 | Capture.cs:234:15:234:15 | access to local variable x | semmle.label | access to local variable x |
 | Capture.cs:242:9:242:9 | [post] access to local variable c : Capture [field Field] : String | semmle.label | [post] access to local variable c : Capture [field Field] : String |
 | Capture.cs:242:19:242:32 | "taint source" : String | semmle.label | "taint source" : String |
-| Capture.cs:244:16:244:16 | access to local variable a : (...) => ... [captured c, field Field] : String | semmle.label | access to local variable a : (...) => ... [captured c, field Field] : String |
-| Capture.cs:244:20:248:9 | (...) => ... : (...) => ... [captured c, field Field] : String | semmle.label | (...) => ... : (...) => ... [captured c, field Field] : String |
 | Capture.cs:246:19:246:19 | access to local variable c : Capture [field Field] : String | semmle.label | access to local variable c : Capture [field Field] : String |
 | Capture.cs:246:19:246:25 | access to field Field | semmle.label | access to field Field |
 | Capture.cs:247:13:247:13 | [post] access to local variable c : Capture [field Field] : String | semmle.label | [post] access to local variable c : Capture [field Field] : String |
 | Capture.cs:247:23:247:36 | "taint source" : String | semmle.label | "taint source" : String |
 | Capture.cs:249:9:249:9 | [post] access to local variable a : (...) => ... [captured c, field Field] : String | semmle.label | [post] access to local variable a : (...) => ... [captured c, field Field] : String |
-| Capture.cs:249:9:249:9 | access to local variable a : (...) => ... [captured c, field Field] : String | semmle.label | access to local variable a : (...) => ... [captured c, field Field] : String |
 | Capture.cs:249:9:249:9 | access to local variable a : Action [captured c, field Field] : String | semmle.label | access to local variable a : Action [captured c, field Field] : String |
 | Capture.cs:251:15:251:15 | access to local variable c : Capture [field Field] : String | semmle.label | access to local variable c : Capture [field Field] : String |
 | Capture.cs:251:15:251:21 | access to field Field | semmle.label | access to field Field |
@@ -632,29 +561,20 @@ nodes
 | Capture.cs:273:30:273:30 | access to parameter x | semmle.label | access to parameter x |
 | Capture.cs:273:34:273:47 | "taint source" : String | semmle.label | "taint source" : String |
 | Capture.cs:278:17:278:30 | "taint source" : String | semmle.label | "taint source" : String |
-| Capture.cs:280:16:280:21 | access to local variable middle : (...) => ... [captured x] : String | semmle.label | access to local variable middle : (...) => ... [captured x] : String |
-| Capture.cs:280:25:288:9 | (...) => ... : (...) => ... [captured x] : String | semmle.label | (...) => ... : (...) => ... [captured x] : String |
-| Capture.cs:282:20:282:24 | access to local variable inner : (...) => ... [captured x] : String | semmle.label | access to local variable inner : (...) => ... [captured x] : String |
-| Capture.cs:282:28:286:13 | (...) => ... : (...) => ... [captured x] : String | semmle.label | (...) => ... : (...) => ... [captured x] : String |
 | Capture.cs:284:23:284:23 | access to local variable x | semmle.label | access to local variable x |
 | Capture.cs:285:21:285:34 | "taint source" : String | semmle.label | "taint source" : String |
 | Capture.cs:287:13:287:17 | [post] access to local variable inner : (...) => ... [captured x] : String | semmle.label | [post] access to local variable inner : (...) => ... [captured x] : String |
-| Capture.cs:287:13:287:17 | access to local variable inner : (...) => ... [captured x] : String | semmle.label | access to local variable inner : (...) => ... [captured x] : String |
 | Capture.cs:287:13:287:17 | access to local variable inner : Action [captured x] : String | semmle.label | access to local variable inner : Action [captured x] : String |
 | Capture.cs:290:9:290:14 | [post] access to local variable middle : (...) => ... [captured x] : String | semmle.label | [post] access to local variable middle : (...) => ... [captured x] : String |
-| Capture.cs:290:9:290:14 | access to local variable middle : (...) => ... [captured x] : String | semmle.label | access to local variable middle : (...) => ... [captured x] : String |
 | Capture.cs:290:9:290:14 | access to local variable middle : Action [captured x] : String | semmle.label | access to local variable middle : Action [captured x] : String |
 | Capture.cs:292:15:292:15 | access to local variable x | semmle.label | access to local variable x |
 | Capture.cs:297:9:297:12 | [post] this access : Capture [field Field] : String | semmle.label | [post] this access : Capture [field Field] : String |
 | Capture.cs:297:22:297:35 | "taint source" : String | semmle.label | "taint source" : String |
-| Capture.cs:299:16:299:16 | access to local variable a : (...) => ... [captured this in M10, field Field] : String | semmle.label | access to local variable a : (...) => ... [captured this in M10, field Field] : String |
-| Capture.cs:299:20:303:9 | (...) => ... : (...) => ... [captured this in M10, field Field] : String | semmle.label | (...) => ... : (...) => ... [captured this in M10, field Field] : String |
 | Capture.cs:301:19:301:22 | this access : Capture [field Field] : String | semmle.label | this access : Capture [field Field] : String |
 | Capture.cs:301:19:301:28 | access to field Field | semmle.label | access to field Field |
 | Capture.cs:302:13:302:16 | [post] this access : Capture [field Field] : String | semmle.label | [post] this access : Capture [field Field] : String |
 | Capture.cs:302:26:302:39 | "taint source" : String | semmle.label | "taint source" : String |
 | Capture.cs:304:9:304:9 | [post] access to local variable a : (...) => ... [captured this in M10, field Field] : String | semmle.label | [post] access to local variable a : (...) => ... [captured this in M10, field Field] : String |
-| Capture.cs:304:9:304:9 | access to local variable a : (...) => ... [captured this in M10, field Field] : String | semmle.label | access to local variable a : (...) => ... [captured this in M10, field Field] : String |
 | Capture.cs:304:9:304:9 | access to local variable a : Action [captured this in M10, field Field] : String | semmle.label | access to local variable a : Action [captured this in M10, field Field] : String |
 | Capture.cs:306:15:306:18 | this access : Capture [field Field] : String | semmle.label | this access : Capture [field Field] : String |
 | Capture.cs:306:15:306:24 | access to field Field | semmle.label | access to field Field |
@@ -663,19 +583,13 @@ nodes
 | Capture.cs:318:17:318:30 | "taint source" : String | semmle.label | "taint source" : String |
 | Capture.cs:319:19:319:19 | access to local variable x | semmle.label | access to local variable x |
 | Capture.cs:328:17:328:30 | "taint source" : String | semmle.label | "taint source" : String |
-| Capture.cs:330:9:330:49 | CapturedLocalFunction(...) : CapturedLocalFunction [captured x] : String | semmle.label | CapturedLocalFunction(...) : CapturedLocalFunction [captured x] : String |
 | Capture.cs:330:47:330:47 | access to local variable x | semmle.label | access to local variable x |
-| Capture.cs:332:9:332:65 | CapturingLocalFunction(...) : CapturingLocalFunction [captured x] : String | semmle.label | CapturingLocalFunction(...) : CapturingLocalFunction [captured x] : String |
-| Capture.cs:332:42:332:62 | access to local function CapturedLocalFunction : CapturedLocalFunction [captured x] : String | semmle.label | access to local function CapturedLocalFunction : CapturedLocalFunction [captured x] : String |
 | Capture.cs:332:42:332:62 | access to local function CapturedLocalFunction : CapturedLocalFunction [captured x] : String | semmle.label | access to local function CapturedLocalFunction : CapturedLocalFunction [captured x] : String |
 | Capture.cs:334:9:334:30 | access to local function CapturingLocalFunction : CapturingLocalFunction [captured x] : String | semmle.label | access to local function CapturingLocalFunction : CapturingLocalFunction [captured x] : String |
 | Capture.cs:339:17:339:30 | "taint source" : String | semmle.label | "taint source" : String |
 | Capture.cs:341:33:341:46 | (...) => ... : (...) => ... [captured x] : String | semmle.label | (...) => ... : (...) => ... [captured x] : String |
 | Capture.cs:341:45:341:45 | access to local variable x | semmle.label | access to local variable x |
-| Capture.cs:343:16:343:30 | access to local variable capturingLambda : (...) => ... [captured capturedLambda, captured x] : String | semmle.label | access to local variable capturingLambda : (...) => ... [captured capturedLambda, captured x] : String |
-| Capture.cs:343:34:343:55 | (...) => ... : (...) => ... [captured capturedLambda, captured x] : String | semmle.label | (...) => ... : (...) => ... [captured capturedLambda, captured x] : String |
 | Capture.cs:343:40:343:53 | access to local variable capturedLambda : (...) => ... [captured x] : String | semmle.label | access to local variable capturedLambda : (...) => ... [captured x] : String |
-| Capture.cs:345:9:345:23 | access to local variable capturingLambda : (...) => ... [captured capturedLambda, captured x] : String | semmle.label | access to local variable capturingLambda : (...) => ... [captured capturedLambda, captured x] : String |
 | Capture.cs:345:9:345:23 | access to local variable capturingLambda : Action [captured capturedLambda, captured x] : String | semmle.label | access to local variable capturingLambda : Action [captured capturedLambda, captured x] : String |
 | Capture.cs:350:34:350:34 | a : (...) => ... [captured s] : String | semmle.label | a : (...) => ... [captured s] : String |
 | Capture.cs:350:34:350:34 | a : (...) => ... [captured sink39] : String | semmle.label | a : (...) => ... [captured sink39] : String |

csharp/ql/test/library-tests/dataflow/global/TaintTrackingPath.expected

@@ -1,27 +1,17 @@
 edges
-| Capture.cs:7:20:7:26 | tainted : String | Capture.cs:9:9:13:9 | CaptureIn1(...) : CaptureIn1 [captured tainted] : String | provenance |  |
 | Capture.cs:7:20:7:26 | tainted : String | Capture.cs:14:9:14:18 | access to local function CaptureIn1 : CaptureIn1 [captured tainted] : String | provenance |  |
-| Capture.cs:7:20:7:26 | tainted : String | Capture.cs:16:9:24:9 | CaptureIn2(...) : CaptureIn2 [captured tainted] : String | provenance |  |
 | Capture.cs:7:20:7:26 | tainted : String | Capture.cs:25:9:25:18 | access to local function CaptureIn2 : CaptureIn2 [captured tainted] : String | provenance |  |
-| Capture.cs:7:20:7:26 | tainted : String | Capture.cs:27:43:32:9 | (...) => ... : (...) => ... [captured tainted] : String | provenance |  |
 | Capture.cs:7:20:7:26 | tainted : String | Capture.cs:33:30:33:39 | access to local variable captureIn3 : Func<String,String> [captured tainted] : String | provenance |  |
 | Capture.cs:7:20:7:26 | tainted : String | Capture.cs:61:36:61:42 | access to parameter tainted : String | provenance |  |
-| Capture.cs:9:9:13:9 | CaptureIn1(...) : CaptureIn1 [captured tainted] : String | Capture.cs:14:9:14:18 | access to local function CaptureIn1 : CaptureIn1 [captured tainted] : String | provenance |  |
 | Capture.cs:11:17:11:22 | access to local variable sink27 : String | Capture.cs:12:19:12:24 | access to local variable sink27 | provenance |  |
 | Capture.cs:11:26:11:32 | access to parameter tainted : String | Capture.cs:11:17:11:22 | access to local variable sink27 : String | provenance |  |
 | Capture.cs:14:9:14:18 | access to local function CaptureIn1 : CaptureIn1 [captured tainted] : String | Capture.cs:11:26:11:32 | access to parameter tainted : String | provenance |  |
-| Capture.cs:16:9:24:9 | CaptureIn2(...) : CaptureIn2 [captured tainted] : String | Capture.cs:25:9:25:18 | access to local function CaptureIn2 : CaptureIn2 [captured tainted] : String | provenance |  |
-| Capture.cs:18:13:22:13 | M(...) : M [captured tainted] : String | Capture.cs:23:13:23:13 | access to local function M : M [captured tainted] : String | provenance |  |
 | Capture.cs:20:21:20:26 | access to local variable sink28 : String | Capture.cs:21:23:21:28 | access to local variable sink28 | provenance |  |
 | Capture.cs:20:30:20:36 | access to parameter tainted : String | Capture.cs:20:21:20:26 | access to local variable sink28 : String | provenance |  |
 | Capture.cs:23:13:23:13 | access to local function M : M [captured tainted] : String | Capture.cs:20:30:20:36 | access to parameter tainted : String | provenance |  |
-| Capture.cs:25:9:25:18 | access to local function CaptureIn2 : CaptureIn2 [captured tainted] : String | Capture.cs:18:13:22:13 | M(...) : M [captured tainted] : String | provenance |  |
 | Capture.cs:25:9:25:18 | access to local function CaptureIn2 : CaptureIn2 [captured tainted] : String | Capture.cs:23:13:23:13 | access to local function M : M [captured tainted] : String | provenance |  |
-| Capture.cs:27:30:27:39 | access to local variable captureIn3 : (...) => ... [captured tainted] : String | Capture.cs:33:30:33:39 | access to local variable captureIn3 : (...) => ... [captured tainted] : String | provenance |  |
-| Capture.cs:27:43:32:9 | (...) => ... : (...) => ... [captured tainted] : String | Capture.cs:27:30:27:39 | access to local variable captureIn3 : (...) => ... [captured tainted] : String | provenance |  |
 | Capture.cs:29:17:29:22 | access to local variable sink29 : String | Capture.cs:30:19:30:24 | access to local variable sink29 | provenance |  |
 | Capture.cs:29:26:29:32 | access to parameter tainted : String | Capture.cs:29:17:29:22 | access to local variable sink29 : String | provenance |  |
-| Capture.cs:33:30:33:39 | access to local variable captureIn3 : (...) => ... [captured tainted] : String | Capture.cs:29:26:29:32 | access to parameter tainted : String | provenance |  |
 | Capture.cs:33:30:33:39 | access to local variable captureIn3 : Func<String,String> [captured tainted] : String | Capture.cs:29:26:29:32 | access to parameter tainted : String | provenance |  |
 | Capture.cs:50:50:50:55 | sink39 : String | Capture.cs:52:23:59:13 | (...) => ... : (...) => ... [captured sink39] : String | provenance |  |
 | Capture.cs:52:23:59:13 | (...) => ... : (...) => ... [captured sink39] : String | Capture.cs:350:34:350:34 | a : (...) => ... [captured sink39] : String | provenance |  |
@@ -37,28 +27,18 @@ edges
 | Capture.cs:114:23:117:13 | [post] (...) => ... : (...) => ... [captured sink40] : String | Capture.cs:123:9:123:33 | [post] access to local function CaptureOutMultipleLambdas : CaptureOutMultipleLambdas [captured sink40] : String | provenance |  |
 | Capture.cs:116:26:116:39 | "taint source" : String | Capture.cs:352:9:352:9 | [post] access to parameter a : (...) => ... [captured sink40] : String | provenance |  |
 | Capture.cs:123:9:123:33 | [post] access to local function CaptureOutMultipleLambdas : CaptureOutMultipleLambdas [captured sink40] : String | Capture.cs:124:15:124:20 | access to local variable sink40 | provenance |  |
-| Capture.cs:127:25:127:31 | tainted : String | Capture.cs:130:9:133:9 | CaptureThrough1(...) : CaptureThrough1 [captured tainted] : String | provenance |  |
 | Capture.cs:127:25:127:31 | tainted : String | Capture.cs:134:9:134:23 | access to local function CaptureThrough1 : CaptureThrough1 [captured tainted] : String | provenance |  |
-| Capture.cs:127:25:127:31 | tainted : String | Capture.cs:138:9:145:9 | CaptureThrough2(...) : CaptureThrough2 [captured tainted] : String | provenance |  |
 | Capture.cs:127:25:127:31 | tainted : String | Capture.cs:146:9:146:23 | access to local function CaptureThrough2 : CaptureThrough2 [captured tainted] : String | provenance |  |
-| Capture.cs:127:25:127:31 | tainted : String | Capture.cs:150:48:154:9 | (...) => ... : (...) => ... [captured tainted] : String | provenance |  |
 | Capture.cs:127:25:127:31 | tainted : String | Capture.cs:155:30:155:44 | access to local variable captureThrough3 : Func<String,String> [captured tainted] : String | provenance |  |
-| Capture.cs:127:25:127:31 | tainted : String | Capture.cs:158:9:161:9 | CaptureThrough4(...) : CaptureThrough4 [captured tainted] : String | provenance |  |
 | Capture.cs:127:25:127:31 | tainted : String | Capture.cs:162:22:162:36 | access to local function CaptureThrough4 : CaptureThrough4 [captured tainted] : String | provenance |  |
 | Capture.cs:127:25:127:31 | tainted : String | Capture.cs:170:25:170:31 | access to parameter tainted : String | provenance |  |
 | Capture.cs:127:25:127:31 | tainted : String | Capture.cs:196:25:196:31 | access to parameter tainted : String | provenance |  |
-| Capture.cs:130:9:133:9 | CaptureThrough1(...) : CaptureThrough1 [captured tainted] : String | Capture.cs:134:9:134:23 | access to local function CaptureThrough1 : CaptureThrough1 [captured tainted] : String | provenance |  |
 | Capture.cs:134:9:134:23 | [post] access to local function CaptureThrough1 : CaptureThrough1 [captured sink33] : String | Capture.cs:135:15:135:20 | access to local variable sink33 | provenance |  |
 | Capture.cs:134:9:134:23 | access to local function CaptureThrough1 : CaptureThrough1 [captured tainted] : String | Capture.cs:134:9:134:23 | [post] access to local function CaptureThrough1 : CaptureThrough1 [captured sink33] : String | provenance |  |
-| Capture.cs:138:9:145:9 | CaptureThrough2(...) : CaptureThrough2 [captured tainted] : String | Capture.cs:146:9:146:23 | access to local function CaptureThrough2 : CaptureThrough2 [captured tainted] : String | provenance |  |
 | Capture.cs:146:9:146:23 | [post] access to local function CaptureThrough2 : CaptureThrough2 [captured sink34] : String | Capture.cs:147:15:147:20 | access to local variable sink34 | provenance |  |
 | Capture.cs:146:9:146:23 | access to local function CaptureThrough2 : CaptureThrough2 [captured tainted] : String | Capture.cs:146:9:146:23 | [post] access to local function CaptureThrough2 : CaptureThrough2 [captured sink34] : String | provenance |  |
-| Capture.cs:150:30:150:44 | access to local variable captureThrough3 : (...) => ... [captured tainted] : String | Capture.cs:155:30:155:44 | access to local variable captureThrough3 : (...) => ... [captured tainted] : String | provenance |  |
-| Capture.cs:150:48:154:9 | (...) => ... : (...) => ... [captured tainted] : String | Capture.cs:150:30:150:44 | access to local variable captureThrough3 : (...) => ... [captured tainted] : String | provenance |  |
 | Capture.cs:155:30:155:44 | [post] access to local variable captureThrough3 : (...) => ... [captured sink35] : String | Capture.cs:156:15:156:20 | access to local variable sink35 | provenance |  |
-| Capture.cs:155:30:155:44 | access to local variable captureThrough3 : (...) => ... [captured tainted] : String | Capture.cs:155:30:155:44 | [post] access to local variable captureThrough3 : (...) => ... [captured sink35] : String | provenance |  |
 | Capture.cs:155:30:155:44 | access to local variable captureThrough3 : Func<String,String> [captured tainted] : String | Capture.cs:155:30:155:44 | [post] access to local variable captureThrough3 : (...) => ... [captured sink35] : String | provenance |  |
-| Capture.cs:158:9:161:9 | CaptureThrough4(...) : CaptureThrough4 [captured tainted] : String | Capture.cs:162:22:162:36 | access to local function CaptureThrough4 : CaptureThrough4 [captured tainted] : String | provenance |  |
 | Capture.cs:162:13:162:18 | access to local variable sink36 : String | Capture.cs:163:15:163:20 | access to local variable sink36 | provenance |  |
 | Capture.cs:162:22:162:36 | access to local function CaptureThrough4 : CaptureThrough4 [captured tainted] : String | Capture.cs:162:22:162:38 | call to local function CaptureThrough4 : String | provenance |  |
 | Capture.cs:162:22:162:38 | call to local function CaptureThrough4 : String | Capture.cs:162:13:162:18 | access to local variable sink36 : String | provenance |  |
@@ -66,19 +46,13 @@ edges
 | Capture.cs:170:9:170:23 | [post] access to local function CaptureThrough5 : CaptureThrough5 [captured sink37] : String | Capture.cs:171:15:171:20 | access to local variable sink37 | provenance |  |
 | Capture.cs:170:25:170:31 | access to parameter tainted : String | Capture.cs:166:37:166:37 | p : String | provenance |  |
 | Capture.cs:170:25:170:31 | access to parameter tainted : String | Capture.cs:170:9:170:23 | [post] access to local function CaptureThrough5 : CaptureThrough5 [captured sink37] : String | provenance |  |
-| Capture.cs:190:26:190:26 | s : String | Capture.cs:192:13:192:28 | M(...) : M [captured s] : String | provenance |  |
 | Capture.cs:190:26:190:26 | s : String | Capture.cs:193:20:193:20 | access to local function M : M [captured s] : String | provenance |  |
-| Capture.cs:192:13:192:28 | M(...) : M [captured s] : String | Capture.cs:193:20:193:20 | access to local function M : M [captured s] : String | provenance |  |
 | Capture.cs:193:20:193:20 | access to local function M : M [captured s] : String | Capture.cs:193:20:193:22 | call to local function M : String | provenance |  |
 | Capture.cs:196:13:196:18 | access to local variable sink38 : String | Capture.cs:197:15:197:20 | access to local variable sink38 | provenance |  |
 | Capture.cs:196:22:196:32 | call to local function Id : String | Capture.cs:196:13:196:18 | access to local variable sink38 : String | provenance |  |
 | Capture.cs:196:25:196:31 | access to parameter tainted : String | Capture.cs:190:26:190:26 | s : String | provenance |  |
 | Capture.cs:196:25:196:31 | access to parameter tainted : String | Capture.cs:196:22:196:32 | call to local function Id : String | provenance |  |
-| Capture.cs:202:20:202:20 | s : String | Capture.cs:204:20:207:9 | (...) => ... : (...) => ... [captured s] : String | provenance |  |
 | Capture.cs:202:20:202:20 | s : String | Capture.cs:208:9:208:9 | access to local variable a : Action [captured s] : String | provenance |  |
-| Capture.cs:204:16:204:16 | access to local variable a : (...) => ... [captured s] : String | Capture.cs:208:9:208:9 | access to local variable a : (...) => ... [captured s] : String | provenance |  |
-| Capture.cs:204:20:207:9 | (...) => ... : (...) => ... [captured s] : String | Capture.cs:204:16:204:16 | access to local variable a : (...) => ... [captured s] : String | provenance |  |
-| Capture.cs:208:9:208:9 | access to local variable a : (...) => ... [captured s] : String | Capture.cs:206:19:206:19 | access to parameter s | provenance |  |
 | Capture.cs:208:9:208:9 | access to local variable a : Action [captured s] : String | Capture.cs:206:19:206:19 | access to parameter s | provenance |  |
 | Capture.cs:211:21:211:34 | "taint source" : String | Capture.cs:202:20:202:20 | s : String | provenance |  |
 | Capture.cs:213:22:213:22 | s : String | Capture.cs:215:16:218:9 | (...) => ... : (...) => ... [captured s] : String | provenance |  |
@@ -93,17 +67,13 @@ edges
 | Capture.cs:229:20:233:9 | (...) => ... : (...) => ... [captured x] : String | Capture.cs:231:19:231:19 | access to local variable x | provenance |  |
 | Capture.cs:229:20:233:9 | [post] (...) => ... : (...) => ... [captured x] : String | Capture.cs:234:15:234:15 | access to local variable x | provenance |  |
 | Capture.cs:232:17:232:30 | "taint source" : String | Capture.cs:229:20:233:9 | [post] (...) => ... : (...) => ... [captured x] : String | provenance |  |
-| Capture.cs:242:9:242:9 | [post] access to local variable c : Capture [field Field] : String | Capture.cs:244:20:248:9 | (...) => ... : (...) => ... [captured c, field Field] : String | provenance |  |
 | Capture.cs:242:9:242:9 | [post] access to local variable c : Capture [field Field] : String | Capture.cs:249:9:249:9 | access to local variable a : Action [captured c, field Field] : String | provenance |  |
 | Capture.cs:242:9:242:9 | [post] access to local variable c : Capture [field Field] : String | Capture.cs:251:15:251:15 | access to local variable c : Capture [field Field] : String | provenance |  |
 | Capture.cs:242:19:242:32 | "taint source" : String | Capture.cs:242:9:242:9 | [post] access to local variable c : Capture [field Field] : String | provenance |  |
-| Capture.cs:244:16:244:16 | access to local variable a : (...) => ... [captured c, field Field] : String | Capture.cs:249:9:249:9 | access to local variable a : (...) => ... [captured c, field Field] : String | provenance |  |
-| Capture.cs:244:20:248:9 | (...) => ... : (...) => ... [captured c, field Field] : String | Capture.cs:244:16:244:16 | access to local variable a : (...) => ... [captured c, field Field] : String | provenance |  |
 | Capture.cs:246:19:246:19 | access to local variable c : Capture [field Field] : String | Capture.cs:246:19:246:25 | access to field Field | provenance |  |
 | Capture.cs:247:13:247:13 | [post] access to local variable c : Capture [field Field] : String | Capture.cs:249:9:249:9 | [post] access to local variable a : (...) => ... [captured c, field Field] : String | provenance |  |
 | Capture.cs:247:23:247:36 | "taint source" : String | Capture.cs:247:13:247:13 | [post] access to local variable c : Capture [field Field] : String | provenance |  |
 | Capture.cs:249:9:249:9 | [post] access to local variable a : (...) => ... [captured c, field Field] : String | Capture.cs:251:15:251:15 | access to local variable c : Capture [field Field] : String | provenance |  |
-| Capture.cs:249:9:249:9 | access to local variable a : (...) => ... [captured c, field Field] : String | Capture.cs:246:19:246:19 | access to local variable c : Capture [field Field] : String | provenance |  |
 | Capture.cs:249:9:249:9 | access to local variable a : Action [captured c, field Field] : String | Capture.cs:246:19:246:19 | access to local variable c : Capture [field Field] : String | provenance |  |
 | Capture.cs:251:15:251:15 | access to local variable c : Capture [field Field] : String | Capture.cs:251:15:251:21 | access to field Field | provenance |  |
 | Capture.cs:264:13:264:13 | [post] access to local variable c : Capture [field Field] : String | Capture.cs:266:9:266:9 | [post] access to local variable a : (...) => ... [captured c, field Field] : String | provenance |  |
@@ -112,52 +82,30 @@ edges
 | Capture.cs:268:15:268:15 | access to local variable c : Capture [field Field] : String | Capture.cs:268:15:268:21 | access to field Field | provenance |  |
 | Capture.cs:273:19:273:19 | x : String | Capture.cs:273:30:273:30 | access to parameter x | provenance |  |
 | Capture.cs:273:34:273:47 | "taint source" : String | Capture.cs:355:45:355:45 | x : String | provenance |  |
-| Capture.cs:278:17:278:30 | "taint source" : String | Capture.cs:280:25:288:9 | (...) => ... : (...) => ... [captured x] : String | provenance |  |
 | Capture.cs:278:17:278:30 | "taint source" : String | Capture.cs:290:9:290:14 | access to local variable middle : Action [captured x] : String | provenance |  |
 | Capture.cs:278:17:278:30 | "taint source" : String | Capture.cs:292:15:292:15 | access to local variable x | provenance |  |
-| Capture.cs:280:16:280:21 | access to local variable middle : (...) => ... [captured x] : String | Capture.cs:290:9:290:14 | access to local variable middle : (...) => ... [captured x] : String | provenance |  |
-| Capture.cs:280:25:288:9 | (...) => ... : (...) => ... [captured x] : String | Capture.cs:280:16:280:21 | access to local variable middle : (...) => ... [captured x] : String | provenance |  |
-| Capture.cs:282:20:282:24 | access to local variable inner : (...) => ... [captured x] : String | Capture.cs:287:13:287:17 | access to local variable inner : (...) => ... [captured x] : String | provenance |  |
-| Capture.cs:282:28:286:13 | (...) => ... : (...) => ... [captured x] : String | Capture.cs:282:20:282:24 | access to local variable inner : (...) => ... [captured x] : String | provenance |  |
 | Capture.cs:285:21:285:34 | "taint source" : String | Capture.cs:287:13:287:17 | [post] access to local variable inner : (...) => ... [captured x] : String | provenance |  |
 | Capture.cs:287:13:287:17 | [post] access to local variable inner : (...) => ... [captured x] : String | Capture.cs:290:9:290:14 | [post] access to local variable middle : (...) => ... [captured x] : String | provenance |  |
-| Capture.cs:287:13:287:17 | access to local variable inner : (...) => ... [captured x] : String | Capture.cs:284:23:284:23 | access to local variable x | provenance |  |
 | Capture.cs:287:13:287:17 | access to local variable inner : Action [captured x] : String | Capture.cs:284:23:284:23 | access to local variable x | provenance |  |
 | Capture.cs:290:9:290:14 | [post] access to local variable middle : (...) => ... [captured x] : String | Capture.cs:292:15:292:15 | access to local variable x | provenance |  |
-| Capture.cs:290:9:290:14 | access to local variable middle : (...) => ... [captured x] : String | Capture.cs:282:28:286:13 | (...) => ... : (...) => ... [captured x] : String | provenance |  |
-| Capture.cs:290:9:290:14 | access to local variable middle : (...) => ... [captured x] : String | Capture.cs:287:13:287:17 | access to local variable inner : Action [captured x] : String | provenance |  |
-| Capture.cs:290:9:290:14 | access to local variable middle : Action [captured x] : String | Capture.cs:282:28:286:13 | (...) => ... : (...) => ... [captured x] : String | provenance |  |
 | Capture.cs:290:9:290:14 | access to local variable middle : Action [captured x] : String | Capture.cs:287:13:287:17 | access to local variable inner : Action [captured x] : String | provenance |  |
-| Capture.cs:297:9:297:12 | [post] this access : Capture [field Field] : String | Capture.cs:299:20:303:9 | (...) => ... : (...) => ... [captured this in M10, field Field] : String | provenance |  |
 | Capture.cs:297:9:297:12 | [post] this access : Capture [field Field] : String | Capture.cs:304:9:304:9 | access to local variable a : Action [captured this in M10, field Field] : String | provenance |  |
 | Capture.cs:297:9:297:12 | [post] this access : Capture [field Field] : String | Capture.cs:306:15:306:18 | this access : Capture [field Field] : String | provenance |  |
 | Capture.cs:297:22:297:35 | "taint source" : String | Capture.cs:297:9:297:12 | [post] this access : Capture [field Field] : String | provenance |  |
-| Capture.cs:299:16:299:16 | access to local variable a : (...) => ... [captured this in M10, field Field] : String | Capture.cs:304:9:304:9 | access to local variable a : (...) => ... [captured this in M10, field Field] : String | provenance |  |
-| Capture.cs:299:20:303:9 | (...) => ... : (...) => ... [captured this in M10, field Field] : String | Capture.cs:299:16:299:16 | access to local variable a : (...) => ... [captured this in M10, field Field] : String | provenance |  |
 | Capture.cs:301:19:301:22 | this access : Capture [field Field] : String | Capture.cs:301:19:301:28 | access to field Field | provenance |  |
 | Capture.cs:302:13:302:16 | [post] this access : Capture [field Field] : String | Capture.cs:304:9:304:9 | [post] access to local variable a : (...) => ... [captured this in M10, field Field] : String | provenance |  |
 | Capture.cs:302:26:302:39 | "taint source" : String | Capture.cs:302:13:302:16 | [post] this access : Capture [field Field] : String | provenance |  |
 | Capture.cs:304:9:304:9 | [post] access to local variable a : (...) => ... [captured this in M10, field Field] : String | Capture.cs:306:15:306:18 | this access : Capture [field Field] : String | provenance |  |
-| Capture.cs:304:9:304:9 | access to local variable a : (...) => ... [captured this in M10, field Field] : String | Capture.cs:301:19:301:22 | this access : Capture [field Field] : String | provenance |  |
 | Capture.cs:304:9:304:9 | access to local variable a : Action [captured this in M10, field Field] : String | Capture.cs:301:19:301:22 | this access : Capture [field Field] : String | provenance |  |
 | Capture.cs:306:15:306:18 | this access : Capture [field Field] : String | Capture.cs:306:15:306:24 | access to field Field | provenance |  |
 | Capture.cs:311:17:311:30 | "taint source" : String | Capture.cs:312:15:312:15 | access to local variable x | provenance |  |
 | Capture.cs:318:17:318:30 | "taint source" : String | Capture.cs:319:19:319:19 | access to local variable x | provenance |  |
-| Capture.cs:328:17:328:30 | "taint source" : String | Capture.cs:330:9:330:49 | CapturedLocalFunction(...) : CapturedLocalFunction [captured x] : String | provenance |  |
-| Capture.cs:328:17:328:30 | "taint source" : String | Capture.cs:332:9:332:65 | CapturingLocalFunction(...) : CapturingLocalFunction [captured x] : String | provenance |  |
 | Capture.cs:328:17:328:30 | "taint source" : String | Capture.cs:334:9:334:30 | access to local function CapturingLocalFunction : CapturingLocalFunction [captured x] : String | provenance |  |
-| Capture.cs:330:9:330:49 | CapturedLocalFunction(...) : CapturedLocalFunction [captured x] : String | Capture.cs:332:42:332:62 | access to local function CapturedLocalFunction : CapturedLocalFunction [captured x] : String | provenance |  |
-| Capture.cs:332:9:332:65 | CapturingLocalFunction(...) : CapturingLocalFunction [captured x] : String | Capture.cs:334:9:334:30 | access to local function CapturingLocalFunction : CapturingLocalFunction [captured x] : String | provenance |  |
-| Capture.cs:332:42:332:62 | access to local function CapturedLocalFunction : CapturedLocalFunction [captured x] : String | Capture.cs:330:47:330:47 | access to local variable x | provenance |  |
 | Capture.cs:332:42:332:62 | access to local function CapturedLocalFunction : CapturedLocalFunction [captured x] : String | Capture.cs:330:47:330:47 | access to local variable x | provenance |  |
 | Capture.cs:334:9:334:30 | access to local function CapturingLocalFunction : CapturingLocalFunction [captured x] : String | Capture.cs:332:42:332:62 | access to local function CapturedLocalFunction : CapturedLocalFunction [captured x] : String | provenance |  |
 | Capture.cs:339:17:339:30 | "taint source" : String | Capture.cs:341:33:341:46 | (...) => ... : (...) => ... [captured x] : String | provenance |  |
-| Capture.cs:341:33:341:46 | (...) => ... : (...) => ... [captured x] : String | Capture.cs:343:34:343:55 | (...) => ... : (...) => ... [captured capturedLambda, captured x] : String | provenance |  |
 | Capture.cs:341:33:341:46 | (...) => ... : (...) => ... [captured x] : String | Capture.cs:345:9:345:23 | access to local variable capturingLambda : Action [captured capturedLambda, captured x] : String | provenance |  |
-| Capture.cs:343:16:343:30 | access to local variable capturingLambda : (...) => ... [captured capturedLambda, captured x] : String | Capture.cs:345:9:345:23 | access to local variable capturingLambda : (...) => ... [captured capturedLambda, captured x] : String | provenance |  |
-| Capture.cs:343:34:343:55 | (...) => ... : (...) => ... [captured capturedLambda, captured x] : String | Capture.cs:343:16:343:30 | access to local variable capturingLambda : (...) => ... [captured capturedLambda, captured x] : String | provenance |  |
 | Capture.cs:343:40:343:53 | access to local variable capturedLambda : (...) => ... [captured x] : String | Capture.cs:341:45:341:45 | access to local variable x | provenance |  |
-| Capture.cs:345:9:345:23 | access to local variable capturingLambda : (...) => ... [captured capturedLambda, captured x] : String | Capture.cs:343:40:343:53 | access to local variable capturedLambda : (...) => ... [captured x] : String | provenance |  |
 | Capture.cs:345:9:345:23 | access to local variable capturingLambda : Action [captured capturedLambda, captured x] : String | Capture.cs:343:40:343:53 | access to local variable capturedLambda : (...) => ... [captured x] : String | provenance |  |
 | Capture.cs:350:34:350:34 | a : (...) => ... [captured s] : String | Capture.cs:352:9:352:9 | access to parameter a : (...) => ... [captured s] : String | provenance |  |
 | Capture.cs:350:34:350:34 | a : (...) => ... [captured sink39] : String | Capture.cs:352:9:352:9 | access to parameter a : (...) => ... [captured sink39] : String | provenance |  |
@@ -569,24 +517,18 @@ edges
 | Splitting.cs:48:36:48:49 | "taint source" : String | Splitting.cs:48:13:48:13 | access to local variable s : String | provenance |  |
 nodes
 | Capture.cs:7:20:7:26 | tainted : String | semmle.label | tainted : String |
-| Capture.cs:9:9:13:9 | CaptureIn1(...) : CaptureIn1 [captured tainted] : String | semmle.label | CaptureIn1(...) : CaptureIn1 [captured tainted] : String |
 | Capture.cs:11:17:11:22 | access to local variable sink27 : String | semmle.label | access to local variable sink27 : String |
 | Capture.cs:11:26:11:32 | access to parameter tainted : String | semmle.label | access to parameter tainted : String |
 | Capture.cs:12:19:12:24 | access to local variable sink27 | semmle.label | access to local variable sink27 |
 | Capture.cs:14:9:14:18 | access to local function CaptureIn1 : CaptureIn1 [captured tainted] : String | semmle.label | access to local function CaptureIn1 : CaptureIn1 [captured tainted] : String |
-| Capture.cs:16:9:24:9 | CaptureIn2(...) : CaptureIn2 [captured tainted] : String | semmle.label | CaptureIn2(...) : CaptureIn2 [captured tainted] : String |
-| Capture.cs:18:13:22:13 | M(...) : M [captured tainted] : String | semmle.label | M(...) : M [captured tainted] : String |
 | Capture.cs:20:21:20:26 | access to local variable sink28 : String | semmle.label | access to local variable sink28 : String |
 | Capture.cs:20:30:20:36 | access to parameter tainted : String | semmle.label | access to parameter tainted : String |
 | Capture.cs:21:23:21:28 | access to local variable sink28 | semmle.label | access to local variable sink28 |
 | Capture.cs:23:13:23:13 | access to local function M : M [captured tainted] : String | semmle.label | access to local function M : M [captured tainted] : String |
 | Capture.cs:25:9:25:18 | access to local function CaptureIn2 : CaptureIn2 [captured tainted] : String | semmle.label | access to local function CaptureIn2 : CaptureIn2 [captured tainted] : String |
-| Capture.cs:27:30:27:39 | access to local variable captureIn3 : (...) => ... [captured tainted] : String | semmle.label | access to local variable captureIn3 : (...) => ... [captured tainted] : String |
-| Capture.cs:27:43:32:9 | (...) => ... : (...) => ... [captured tainted] : String | semmle.label | (...) => ... : (...) => ... [captured tainted] : String |
 | Capture.cs:29:17:29:22 | access to local variable sink29 : String | semmle.label | access to local variable sink29 : String |
 | Capture.cs:29:26:29:32 | access to parameter tainted : String | semmle.label | access to parameter tainted : String |
 | Capture.cs:30:19:30:24 | access to local variable sink29 | semmle.label | access to local variable sink29 |
-| Capture.cs:33:30:33:39 | access to local variable captureIn3 : (...) => ... [captured tainted] : String | semmle.label | access to local variable captureIn3 : (...) => ... [captured tainted] : String |
 | Capture.cs:33:30:33:39 | access to local variable captureIn3 : Func<String,String> [captured tainted] : String | semmle.label | access to local variable captureIn3 : Func<String,String> [captured tainted] : String |
 | Capture.cs:50:50:50:55 | sink39 : String | semmle.label | sink39 : String |
 | Capture.cs:52:23:59:13 | (...) => ... : (...) => ... [captured sink39] : String | semmle.label | (...) => ... : (...) => ... [captured sink39] : String |
@@ -608,21 +550,15 @@ nodes
 | Capture.cs:123:9:123:33 | [post] access to local function CaptureOutMultipleLambdas : CaptureOutMultipleLambdas [captured sink40] : String | semmle.label | [post] access to local function CaptureOutMultipleLambdas : CaptureOutMultipleLambdas [captured sink40] : String |
 | Capture.cs:124:15:124:20 | access to local variable sink40 | semmle.label | access to local variable sink40 |
 | Capture.cs:127:25:127:31 | tainted : String | semmle.label | tainted : String |
-| Capture.cs:130:9:133:9 | CaptureThrough1(...) : CaptureThrough1 [captured tainted] : String | semmle.label | CaptureThrough1(...) : CaptureThrough1 [captured tainted] : String |
 | Capture.cs:134:9:134:23 | [post] access to local function CaptureThrough1 : CaptureThrough1 [captured sink33] : String | semmle.label | [post] access to local function CaptureThrough1 : CaptureThrough1 [captured sink33] : String |
 | Capture.cs:134:9:134:23 | access to local function CaptureThrough1 : CaptureThrough1 [captured tainted] : String | semmle.label | access to local function CaptureThrough1 : CaptureThrough1 [captured tainted] : String |
 | Capture.cs:135:15:135:20 | access to local variable sink33 | semmle.label | access to local variable sink33 |
-| Capture.cs:138:9:145:9 | CaptureThrough2(...) : CaptureThrough2 [captured tainted] : String | semmle.label | CaptureThrough2(...) : CaptureThrough2 [captured tainted] : String |
 | Capture.cs:146:9:146:23 | [post] access to local function CaptureThrough2 : CaptureThrough2 [captured sink34] : String | semmle.label | [post] access to local function CaptureThrough2 : CaptureThrough2 [captured sink34] : String |
 | Capture.cs:146:9:146:23 | access to local function CaptureThrough2 : CaptureThrough2 [captured tainted] : String | semmle.label | access to local function CaptureThrough2 : CaptureThrough2 [captured tainted] : String |
 | Capture.cs:147:15:147:20 | access to local variable sink34 | semmle.label | access to local variable sink34 |
-| Capture.cs:150:30:150:44 | access to local variable captureThrough3 : (...) => ... [captured tainted] : String | semmle.label | access to local variable captureThrough3 : (...) => ... [captured tainted] : String |
-| Capture.cs:150:48:154:9 | (...) => ... : (...) => ... [captured tainted] : String | semmle.label | (...) => ... : (...) => ... [captured tainted] : String |
 | Capture.cs:155:30:155:44 | [post] access to local variable captureThrough3 : (...) => ... [captured sink35] : String | semmle.label | [post] access to local variable captureThrough3 : (...) => ... [captured sink35] : String |
-| Capture.cs:155:30:155:44 | access to local variable captureThrough3 : (...) => ... [captured tainted] : String | semmle.label | access to local variable captureThrough3 : (...) => ... [captured tainted] : String |
 | Capture.cs:155:30:155:44 | access to local variable captureThrough3 : Func<String,String> [captured tainted] : String | semmle.label | access to local variable captureThrough3 : Func<String,String> [captured tainted] : String |
 | Capture.cs:156:15:156:20 | access to local variable sink35 | semmle.label | access to local variable sink35 |
-| Capture.cs:158:9:161:9 | CaptureThrough4(...) : CaptureThrough4 [captured tainted] : String | semmle.label | CaptureThrough4(...) : CaptureThrough4 [captured tainted] : String |
 | Capture.cs:162:13:162:18 | access to local variable sink36 : String | semmle.label | access to local variable sink36 : String |
 | Capture.cs:162:22:162:36 | access to local function CaptureThrough4 : CaptureThrough4 [captured tainted] : String | semmle.label | access to local function CaptureThrough4 : CaptureThrough4 [captured tainted] : String |
 | Capture.cs:162:22:162:38 | call to local function CaptureThrough4 : String | semmle.label | call to local function CaptureThrough4 : String |
@@ -633,7 +569,6 @@ nodes
 | Capture.cs:170:25:170:31 | access to parameter tainted : String | semmle.label | access to parameter tainted : String |
 | Capture.cs:171:15:171:20 | access to local variable sink37 | semmle.label | access to local variable sink37 |
 | Capture.cs:190:26:190:26 | s : String | semmle.label | s : String |
-| Capture.cs:192:13:192:28 | M(...) : M [captured s] : String | semmle.label | M(...) : M [captured s] : String |
 | Capture.cs:193:20:193:20 | access to local function M : M [captured s] : String | semmle.label | access to local function M : M [captured s] : String |
 | Capture.cs:193:20:193:22 | call to local function M : String | semmle.label | call to local function M : String |
 | Capture.cs:196:13:196:18 | access to local variable sink38 : String | semmle.label | access to local variable sink38 : String |
@@ -641,10 +576,7 @@ nodes
 | Capture.cs:196:25:196:31 | access to parameter tainted : String | semmle.label | access to parameter tainted : String |
 | Capture.cs:197:15:197:20 | access to local variable sink38 | semmle.label | access to local variable sink38 |
 | Capture.cs:202:20:202:20 | s : String | semmle.label | s : String |
-| Capture.cs:204:16:204:16 | access to local variable a : (...) => ... [captured s] : String | semmle.label | access to local variable a : (...) => ... [captured s] : String |
-| Capture.cs:204:20:207:9 | (...) => ... : (...) => ... [captured s] : String | semmle.label | (...) => ... : (...) => ... [captured s] : String |
 | Capture.cs:206:19:206:19 | access to parameter s | semmle.label | access to parameter s |
-| Capture.cs:208:9:208:9 | access to local variable a : (...) => ... [captured s] : String | semmle.label | access to local variable a : (...) => ... [captured s] : String |
 | Capture.cs:208:9:208:9 | access to local variable a : Action [captured s] : String | semmle.label | access to local variable a : Action [captured s] : String |
 | Capture.cs:211:21:211:34 | "taint source" : String | semmle.label | "taint source" : String |
 | Capture.cs:213:22:213:22 | s : String | semmle.label | s : String |
@@ -662,14 +594,11 @@ nodes
 | Capture.cs:234:15:234:15 | access to local variable x | semmle.label | access to local variable x |
 | Capture.cs:242:9:242:9 | [post] access to local variable c : Capture [field Field] : String | semmle.label | [post] access to local variable c : Capture [field Field] : String |
 | Capture.cs:242:19:242:32 | "taint source" : String | semmle.label | "taint source" : String |
-| Capture.cs:244:16:244:16 | access to local variable a : (...) => ... [captured c, field Field] : String | semmle.label | access to local variable a : (...) => ... [captured c, field Field] : String |
-| Capture.cs:244:20:248:9 | (...) => ... : (...) => ... [captured c, field Field] : String | semmle.label | (...) => ... : (...) => ... [captured c, field Field] : String |
 | Capture.cs:246:19:246:19 | access to local variable c : Capture [field Field] : String | semmle.label | access to local variable c : Capture [field Field] : String |
 | Capture.cs:246:19:246:25 | access to field Field | semmle.label | access to field Field |
 | Capture.cs:247:13:247:13 | [post] access to local variable c : Capture [field Field] : String | semmle.label | [post] access to local variable c : Capture [field Field] : String |
 | Capture.cs:247:23:247:36 | "taint source" : String | semmle.label | "taint source" : String |
 | Capture.cs:249:9:249:9 | [post] access to local variable a : (...) => ... [captured c, field Field] : String | semmle.label | [post] access to local variable a : (...) => ... [captured c, field Field] : String |
-| Capture.cs:249:9:249:9 | access to local variable a : (...) => ... [captured c, field Field] : String | semmle.label | access to local variable a : (...) => ... [captured c, field Field] : String |
 | Capture.cs:249:9:249:9 | access to local variable a : Action [captured c, field Field] : String | semmle.label | access to local variable a : Action [captured c, field Field] : String |
 | Capture.cs:251:15:251:15 | access to local variable c : Capture [field Field] : String | semmle.label | access to local variable c : Capture [field Field] : String |
 | Capture.cs:251:15:251:21 | access to field Field | semmle.label | access to field Field |
@@ -682,29 +611,20 @@ nodes
 | Capture.cs:273:30:273:30 | access to parameter x | semmle.label | access to parameter x |
 | Capture.cs:273:34:273:47 | "taint source" : String | semmle.label | "taint source" : String |
 | Capture.cs:278:17:278:30 | "taint source" : String | semmle.label | "taint source" : String |
-| Capture.cs:280:16:280:21 | access to local variable middle : (...) => ... [captured x] : String | semmle.label | access to local variable middle : (...) => ... [captured x] : String |
-| Capture.cs:280:25:288:9 | (...) => ... : (...) => ... [captured x] : String | semmle.label | (...) => ... : (...) => ... [captured x] : String |
-| Capture.cs:282:20:282:24 | access to local variable inner : (...) => ... [captured x] : String | semmle.label | access to local variable inner : (...) => ... [captured x] : String |
-| Capture.cs:282:28:286:13 | (...) => ... : (...) => ... [captured x] : String | semmle.label | (...) => ... : (...) => ... [captured x] : String |
 | Capture.cs:284:23:284:23 | access to local variable x | semmle.label | access to local variable x |
 | Capture.cs:285:21:285:34 | "taint source" : String | semmle.label | "taint source" : String |
 | Capture.cs:287:13:287:17 | [post] access to local variable inner : (...) => ... [captured x] : String | semmle.label | [post] access to local variable inner : (...) => ... [captured x] : String |
-| Capture.cs:287:13:287:17 | access to local variable inner : (...) => ... [captured x] : String | semmle.label | access to local variable inner : (...) => ... [captured x] : String |
 | Capture.cs:287:13:287:17 | access to local variable inner : Action [captured x] : String | semmle.label | access to local variable inner : Action [captured x] : String |
 | Capture.cs:290:9:290:14 | [post] access to local variable middle : (...) => ... [captured x] : String | semmle.label | [post] access to local variable middle : (...) => ... [captured x] : String |
-| Capture.cs:290:9:290:14 | access to local variable middle : (...) => ... [captured x] : String | semmle.label | access to local variable middle : (...) => ... [captured x] : String |
 | Capture.cs:290:9:290:14 | access to local variable middle : Action [captured x] : String | semmle.label | access to local variable middle : Action [captured x] : String |
 | Capture.cs:292:15:292:15 | access to local variable x | semmle.label | access to local variable x |
 | Capture.cs:297:9:297:12 | [post] this access : Capture [field Field] : String | semmle.label | [post] this access : Capture [field Field] : String |
 | Capture.cs:297:22:297:35 | "taint source" : String | semmle.label | "taint source" : String |
-| Capture.cs:299:16:299:16 | access to local variable a : (...) => ... [captured this in M10, field Field] : String | semmle.label | access to local variable a : (...) => ... [captured this in M10, field Field] : String |
-| Capture.cs:299:20:303:9 | (...) => ... : (...) => ... [captured this in M10, field Field] : String | semmle.label | (...) => ... : (...) => ... [captured this in M10, field Field] : String |
 | Capture.cs:301:19:301:22 | this access : Capture [field Field] : String | semmle.label | this access : Capture [field Field] : String |
 | Capture.cs:301:19:301:28 | access to field Field | semmle.label | access to field Field |
 | Capture.cs:302:13:302:16 | [post] this access : Capture [field Field] : String | semmle.label | [post] this access : Capture [field Field] : String |
 | Capture.cs:302:26:302:39 | "taint source" : String | semmle.label | "taint source" : String |
 | Capture.cs:304:9:304:9 | [post] access to local variable a : (...) => ... [captured this in M10, field Field] : String | semmle.label | [post] access to local variable a : (...) => ... [captured this in M10, field Field] : String |
-| Capture.cs:304:9:304:9 | access to local variable a : (...) => ... [captured this in M10, field Field] : String | semmle.label | access to local variable a : (...) => ... [captured this in M10, field Field] : String |
 | Capture.cs:304:9:304:9 | access to local variable a : Action [captured this in M10, field Field] : String | semmle.label | access to local variable a : Action [captured this in M10, field Field] : String |
 | Capture.cs:306:15:306:18 | this access : Capture [field Field] : String | semmle.label | this access : Capture [field Field] : String |
 | Capture.cs:306:15:306:24 | access to field Field | semmle.label | access to field Field |
@@ -713,19 +633,13 @@ nodes
 | Capture.cs:318:17:318:30 | "taint source" : String | semmle.label | "taint source" : String |
 | Capture.cs:319:19:319:19 | access to local variable x | semmle.label | access to local variable x |
 | Capture.cs:328:17:328:30 | "taint source" : String | semmle.label | "taint source" : String |
-| Capture.cs:330:9:330:49 | CapturedLocalFunction(...) : CapturedLocalFunction [captured x] : String | semmle.label | CapturedLocalFunction(...) : CapturedLocalFunction [captured x] : String |
 | Capture.cs:330:47:330:47 | access to local variable x | semmle.label | access to local variable x |
-| Capture.cs:332:9:332:65 | CapturingLocalFunction(...) : CapturingLocalFunction [captured x] : String | semmle.label | CapturingLocalFunction(...) : CapturingLocalFunction [captured x] : String |
-| Capture.cs:332:42:332:62 | access to local function CapturedLocalFunction : CapturedLocalFunction [captured x] : String | semmle.label | access to local function CapturedLocalFunction : CapturedLocalFunction [captured x] : String |
 | Capture.cs:332:42:332:62 | access to local function CapturedLocalFunction : CapturedLocalFunction [captured x] : String | semmle.label | access to local function CapturedLocalFunction : CapturedLocalFunction [captured x] : String |
 | Capture.cs:334:9:334:30 | access to local function CapturingLocalFunction : CapturingLocalFunction [captured x] : String | semmle.label | access to local function CapturingLocalFunction : CapturingLocalFunction [captured x] : String |
 | Capture.cs:339:17:339:30 | "taint source" : String | semmle.label | "taint source" : String |
 | Capture.cs:341:33:341:46 | (...) => ... : (...) => ... [captured x] : String | semmle.label | (...) => ... : (...) => ... [captured x] : String |
 | Capture.cs:341:45:341:45 | access to local variable x | semmle.label | access to local variable x |
-| Capture.cs:343:16:343:30 | access to local variable capturingLambda : (...) => ... [captured capturedLambda, captured x] : String | semmle.label | access to local variable capturingLambda : (...) => ... [captured capturedLambda, captured x] : String |
-| Capture.cs:343:34:343:55 | (...) => ... : (...) => ... [captured capturedLambda, captured x] : String | semmle.label | (...) => ... : (...) => ... [captured capturedLambda, captured x] : String |
 | Capture.cs:343:40:343:53 | access to local variable capturedLambda : (...) => ... [captured x] : String | semmle.label | access to local variable capturedLambda : (...) => ... [captured x] : String |
-| Capture.cs:345:9:345:23 | access to local variable capturingLambda : (...) => ... [captured capturedLambda, captured x] : String | semmle.label | access to local variable capturingLambda : (...) => ... [captured capturedLambda, captured x] : String |
 | Capture.cs:345:9:345:23 | access to local variable capturingLambda : Action [captured capturedLambda, captured x] : String | semmle.label | access to local variable capturingLambda : Action [captured capturedLambda, captured x] : String |
 | Capture.cs:350:34:350:34 | a : (...) => ... [captured s] : String | semmle.label | a : (...) => ... [captured s] : String |
 | Capture.cs:350:34:350:34 | a : (...) => ... [captured sink39] : String | semmle.label | a : (...) => ... [captured sink39] : String |

python/ql/test/experimental/dataflow/variable-capture/by_value.py

@@ -34,7 +34,7 @@ def by_value1():
     a = SOURCE
     def inner(a_val=a):
         SINK(a_val) #$ captured
-        SINK_F(a) #$ SPURIOUS: captured
+        SINK_F(a)
     a = NONSOURCE
     inner()
 

ruby/ql/test/library-tests/dataflow/global/Flow.expected

@@ -1,10 +1,7 @@
 testFailures
 edges
 | blocks.rb:14:12:14:20 | call to source | blocks.rb:8:10:8:14 | yield ... | provenance |  |
-| captured_variables.rb:9:24:9:24 | x | captured_variables.rb:10:10:10:23 | -> { ... } [captured x] | provenance |  |
 | captured_variables.rb:9:24:9:24 | x | captured_variables.rb:11:5:11:6 | fn [captured x] | provenance |  |
-| captured_variables.rb:10:5:10:6 | fn [captured x] | captured_variables.rb:11:5:11:6 | fn [captured x] | provenance |  |
-| captured_variables.rb:10:10:10:23 | -> { ... } [captured x] | captured_variables.rb:10:5:10:6 | fn [captured x] | provenance |  |
 | captured_variables.rb:11:5:11:6 | fn [captured x] | captured_variables.rb:10:20:10:20 | x | provenance |  |
 | captured_variables.rb:13:20:13:29 | call to taint | captured_variables.rb:9:24:9:24 | x | provenance |  |
 | captured_variables.rb:15:28:15:28 | x | captured_variables.rb:16:5:18:5 | -> { ... } [captured x] | provenance |  |
@@ -16,18 +13,12 @@ edges
 | captured_variables.rb:27:25:27:57 | call to capture_escape_return2 [captured x] | captured_variables.rb:24:14:24:14 | x | provenance |  |
 | captured_variables.rb:27:48:27:57 | call to taint | captured_variables.rb:22:28:22:28 | x | provenance |  |
 | captured_variables.rb:27:48:27:57 | call to taint | captured_variables.rb:27:25:27:57 | call to capture_escape_return2 [captured x] | provenance |  |
-| captured_variables.rb:29:33:29:33 | x | captured_variables.rb:30:10:32:5 | -> { ... } [captured x] | provenance |  |
 | captured_variables.rb:29:33:29:33 | x | captured_variables.rb:33:29:33:30 | fn [captured x] | provenance |  |
-| captured_variables.rb:30:5:30:6 | fn [captured x] | captured_variables.rb:33:29:33:30 | fn [captured x] | provenance |  |
-| captured_variables.rb:30:10:32:5 | -> { ... } [captured x] | captured_variables.rb:30:5:30:6 | fn [captured x] | provenance |  |
 | captured_variables.rb:33:29:33:30 | fn [captured x] | captured_variables.rb:31:14:31:14 | x | provenance |  |
 | captured_variables.rb:35:29:35:38 | call to taint | captured_variables.rb:29:33:29:33 | x | provenance |  |
 | captured_variables.rb:37:13:37:14 | fn [captured x] | captured_variables.rb:38:5:38:6 | fn [captured x] | provenance |  |
 | captured_variables.rb:38:5:38:6 | fn [captured x] | captured_variables.rb:42:14:42:14 | x | provenance |  |
-| captured_variables.rb:40:31:40:31 | x | captured_variables.rb:41:10:43:5 | -> { ... } [captured x] | provenance |  |
 | captured_variables.rb:40:31:40:31 | x | captured_variables.rb:44:13:44:14 | fn [captured x] | provenance |  |
-| captured_variables.rb:41:5:41:6 | fn [captured x] | captured_variables.rb:44:13:44:14 | fn [captured x] | provenance |  |
-| captured_variables.rb:41:10:43:5 | -> { ... } [captured x] | captured_variables.rb:41:5:41:6 | fn [captured x] | provenance |  |
 | captured_variables.rb:44:13:44:14 | fn [captured x] | captured_variables.rb:37:13:37:14 | fn [captured x] | provenance |  |
 | captured_variables.rb:46:27:46:36 | call to taint | captured_variables.rb:40:31:40:31 | x | provenance |  |
 | captured_variables.rb:48:5:48:12 | call to taint | captured_variables.rb:49:16:52:3 | do ... end [captured x] | provenance |  |
@@ -65,11 +56,8 @@ edges
 | captured_variables.rb:83:6:83:8 | foo [@field] | captured_variables.rb:60:5:62:7 | self in get_field [@field] | provenance |  |
 | captured_variables.rb:83:6:83:8 | foo [@field] | captured_variables.rb:83:6:83:18 | call to get_field | provenance |  |
 | captured_variables.rb:83:6:83:8 | foo [@field] | instance_variables.rb:13:5:15:7 | self in get_field [@field] | provenance |  |
-| captured_variables.rb:85:5:85:12 | call to taint | captured_variables.rb:86:6:89:1 | -> { ... } [captured y] | provenance |  |
 | captured_variables.rb:85:5:85:12 | call to taint | captured_variables.rb:90:1:90:2 | fn [captured y] | provenance |  |
 | captured_variables.rb:85:5:85:12 | call to taint | captured_variables.rb:91:6:91:6 | y | provenance |  |
-| captured_variables.rb:86:1:86:2 | fn [captured y] | captured_variables.rb:90:1:90:2 | fn [captured y] | provenance |  |
-| captured_variables.rb:86:6:89:1 | -> { ... } [captured y] | captured_variables.rb:86:1:86:2 | fn [captured y] | provenance |  |
 | captured_variables.rb:88:9:88:16 | call to taint | captured_variables.rb:90:1:90:2 | [post] fn [captured y] | provenance |  |
 | captured_variables.rb:90:1:90:2 | [post] fn [captured y] | captured_variables.rb:91:6:91:6 | y | provenance |  |
 | captured_variables.rb:90:1:90:2 | fn [captured y] | captured_variables.rb:87:10:87:10 | y | provenance |  |
@@ -81,18 +69,12 @@ edges
 | captured_variables.rb:101:11:101:11 | x | captured_variables.rb:104:31:104:31 | x | provenance |  |
 | captured_variables.rb:104:17:104:24 | call to taint | captured_variables.rb:100:21:100:21 | x | provenance |  |
 | captured_variables.rb:104:31:104:31 | x | captured_variables.rb:105:10:105:10 | x | provenance |  |
-| captured_variables.rb:109:9:109:17 | call to taint | captured_variables.rb:110:14:116:5 | -> { ... } [captured x] | provenance |  |
 | captured_variables.rb:109:9:109:17 | call to taint | captured_variables.rb:117:5:117:10 | middle [captured x] | provenance |  |
 | captured_variables.rb:109:9:109:17 | call to taint | captured_variables.rb:118:10:118:10 | x | provenance |  |
-| captured_variables.rb:110:5:110:10 | middle [captured x] | captured_variables.rb:117:5:117:10 | middle [captured x] | provenance |  |
-| captured_variables.rb:110:14:116:5 | -> { ... } [captured x] | captured_variables.rb:110:5:110:10 | middle [captured x] | provenance |  |
-| captured_variables.rb:111:9:111:13 | inner [captured x] | captured_variables.rb:115:9:115:13 | inner [captured x] | provenance |  |
-| captured_variables.rb:111:17:114:9 | -> { ... } [captured x] | captured_variables.rb:111:9:111:13 | inner [captured x] | provenance |  |
 | captured_variables.rb:113:17:113:25 | call to taint | captured_variables.rb:115:9:115:13 | [post] inner [captured x] | provenance |  |
 | captured_variables.rb:115:9:115:13 | [post] inner [captured x] | captured_variables.rb:117:5:117:10 | [post] middle [captured x] | provenance |  |
 | captured_variables.rb:115:9:115:13 | inner [captured x] | captured_variables.rb:112:18:112:18 | x | provenance |  |
 | captured_variables.rb:117:5:117:10 | [post] middle [captured x] | captured_variables.rb:118:10:118:10 | x | provenance |  |
-| captured_variables.rb:117:5:117:10 | middle [captured x] | captured_variables.rb:111:17:114:9 | -> { ... } [captured x] | provenance |  |
 | captured_variables.rb:117:5:117:10 | middle [captured x] | captured_variables.rb:115:9:115:13 | inner [captured x] | provenance |  |
 | captured_variables.rb:147:5:147:6 | [post] self [@x] | captured_variables.rb:153:14:155:7 | do ... end [captured self, @x] | provenance |  |
 | captured_variables.rb:147:10:147:18 | call to taint | captured_variables.rb:147:5:147:6 | [post] self [@x] | provenance |  |
@@ -116,10 +98,7 @@ edges
 | captured_variables.rb:194:1:194:1 | c [@x] | captured_variables.rb:185:5:189:7 | self in baz [@x] | provenance |  |
 | captured_variables.rb:197:9:197:17 | call to taint | captured_variables.rb:199:10:199:10 | x | provenance |  |
 | captured_variables.rb:206:13:206:21 | call to taint | captured_variables.rb:208:14:208:14 | x | provenance |  |
-| captured_variables.rb:219:9:219:17 | call to taint | captured_variables.rb:222:11:224:5 | -> { ... } [captured x] | provenance |  |
 | captured_variables.rb:219:9:219:17 | call to taint | captured_variables.rb:226:5:226:7 | fn1 [captured x] | provenance |  |
-| captured_variables.rb:222:5:222:7 | fn1 [captured x] | captured_variables.rb:226:5:226:7 | fn1 [captured x] | provenance |  |
-| captured_variables.rb:222:11:224:5 | -> { ... } [captured x] | captured_variables.rb:222:5:222:7 | fn1 [captured x] | provenance |  |
 | captured_variables.rb:226:5:226:7 | [post] fn1 [captured y] | captured_variables.rb:227:10:227:10 | y | provenance |  |
 | captured_variables.rb:226:5:226:7 | fn1 [captured x] | captured_variables.rb:226:5:226:7 | [post] fn1 [captured y] | provenance |  |
 | instance_variables.rb:10:19:10:19 | x | instance_variables.rb:11:18:11:18 | x | provenance |  |
@@ -264,8 +243,6 @@ nodes
 | blocks.rb:8:10:8:14 | yield ... | semmle.label | yield ... |
 | blocks.rb:14:12:14:20 | call to source | semmle.label | call to source |
 | captured_variables.rb:9:24:9:24 | x | semmle.label | x |
-| captured_variables.rb:10:5:10:6 | fn [captured x] | semmle.label | fn [captured x] |
-| captured_variables.rb:10:10:10:23 | -> { ... } [captured x] | semmle.label | -> { ... } [captured x] |
 | captured_variables.rb:10:20:10:20 | x | semmle.label | x |
 | captured_variables.rb:11:5:11:6 | fn [captured x] | semmle.label | fn [captured x] |
 | captured_variables.rb:13:20:13:29 | call to taint | semmle.label | call to taint |
@@ -281,16 +258,12 @@ nodes
 | captured_variables.rb:27:25:27:57 | call to capture_escape_return2 [captured x] | semmle.label | call to capture_escape_return2 [captured x] |
 | captured_variables.rb:27:48:27:57 | call to taint | semmle.label | call to taint |
 | captured_variables.rb:29:33:29:33 | x | semmle.label | x |
-| captured_variables.rb:30:5:30:6 | fn [captured x] | semmle.label | fn [captured x] |
-| captured_variables.rb:30:10:32:5 | -> { ... } [captured x] | semmle.label | -> { ... } [captured x] |
 | captured_variables.rb:31:14:31:14 | x | semmle.label | x |
 | captured_variables.rb:33:29:33:30 | fn [captured x] | semmle.label | fn [captured x] |
 | captured_variables.rb:35:29:35:38 | call to taint | semmle.label | call to taint |
 | captured_variables.rb:37:13:37:14 | fn [captured x] | semmle.label | fn [captured x] |
 | captured_variables.rb:38:5:38:6 | fn [captured x] | semmle.label | fn [captured x] |
 | captured_variables.rb:40:31:40:31 | x | semmle.label | x |
-| captured_variables.rb:41:5:41:6 | fn [captured x] | semmle.label | fn [captured x] |
-| captured_variables.rb:41:10:43:5 | -> { ... } [captured x] | semmle.label | -> { ... } [captured x] |
 | captured_variables.rb:42:14:42:14 | x | semmle.label | x |
 | captured_variables.rb:44:13:44:14 | fn [captured x] | semmle.label | fn [captured x] |
 | captured_variables.rb:46:27:46:36 | call to taint | semmle.label | call to taint |
@@ -323,8 +296,6 @@ nodes
 | captured_variables.rb:83:6:83:8 | foo [@field] | semmle.label | foo [@field] |
 | captured_variables.rb:83:6:83:18 | call to get_field | semmle.label | call to get_field |
 | captured_variables.rb:85:5:85:12 | call to taint | semmle.label | call to taint |
-| captured_variables.rb:86:1:86:2 | fn [captured y] | semmle.label | fn [captured y] |
-| captured_variables.rb:86:6:89:1 | -> { ... } [captured y] | semmle.label | -> { ... } [captured y] |
 | captured_variables.rb:87:10:87:10 | y | semmle.label | y |
 | captured_variables.rb:88:9:88:16 | call to taint | semmle.label | call to taint |
 | captured_variables.rb:90:1:90:2 | [post] fn [captured y] | semmle.label | [post] fn [captured y] |
@@ -341,10 +312,6 @@ nodes
 | captured_variables.rb:104:31:104:31 | x | semmle.label | x |
 | captured_variables.rb:105:10:105:10 | x | semmle.label | x |
 | captured_variables.rb:109:9:109:17 | call to taint | semmle.label | call to taint |
-| captured_variables.rb:110:5:110:10 | middle [captured x] | semmle.label | middle [captured x] |
-| captured_variables.rb:110:14:116:5 | -> { ... } [captured x] | semmle.label | -> { ... } [captured x] |
-| captured_variables.rb:111:9:111:13 | inner [captured x] | semmle.label | inner [captured x] |
-| captured_variables.rb:111:17:114:9 | -> { ... } [captured x] | semmle.label | -> { ... } [captured x] |
 | captured_variables.rb:112:18:112:18 | x | semmle.label | x |
 | captured_variables.rb:113:17:113:25 | call to taint | semmle.label | call to taint |
 | captured_variables.rb:115:9:115:13 | [post] inner [captured x] | semmle.label | [post] inner [captured x] |
@@ -380,8 +347,6 @@ nodes
 | captured_variables.rb:206:13:206:21 | call to taint | semmle.label | call to taint |
 | captured_variables.rb:208:14:208:14 | x | semmle.label | x |
 | captured_variables.rb:219:9:219:17 | call to taint | semmle.label | call to taint |
-| captured_variables.rb:222:5:222:7 | fn1 [captured x] | semmle.label | fn1 [captured x] |
-| captured_variables.rb:222:11:224:5 | -> { ... } [captured x] | semmle.label | -> { ... } [captured x] |
 | captured_variables.rb:226:5:226:7 | [post] fn1 [captured y] | semmle.label | [post] fn1 [captured y] |
 | captured_variables.rb:226:5:226:7 | fn1 [captured x] | semmle.label | fn1 [captured x] |
 | captured_variables.rb:227:10:227:10 | y | semmle.label | y |

ruby/ql/test/library-tests/dataflow/global/captured_variables.rb

@@ -228,3 +228,17 @@ def multi_capture
 end
 
 multi_capture
+
+def m1
+    x = taint(19)
+    
+    fn1 = -> {
+        sink x
+    }
+
+    x = nil
+
+    fn1.call()
+end
+
+m1

shared/dataflow/codeql/dataflow/VariableCapture.qll

@@ -601,16 +601,22 @@ module Flow<LocationSig Location, InputSig<Location> Input> implements OutputSig
    * observed in a similarly synthesized post-update node for this read of `v`.
    */
   private predicate synthRead(
-    CapturedVariable v, BasicBlock bb, int i, boolean topScope, Expr closure
+    CapturedVariable v, BasicBlock bb, int i, boolean topScope, Expr closure, boolean alias
   ) {
     exists(ClosureExpr ce | closureCaptures(ce, v) |
-      ce.hasCfgNode(bb, i) and ce = closure
+      ce.hasCfgNode(bb, i) and ce = closure and alias = false
       or
-      localOrNestedClosureAccess(ce, closure, bb, i)
+      localOrNestedClosureAccess(ce, closure, bb, i) and alias = true
     ) and
     if v.getCallable() != bb.getEnclosingCallable() then topScope = false else topScope = true
   }
 
+  private predicate synthRead(
+    CapturedVariable v, BasicBlock bb, int i, boolean topScope, Expr closure
+  ) {
+    synthRead(v, bb, i, topScope, closure, _)
+  }
+
   /**
    * Holds if there is an access of a captured variable inside a closure in the
    * `i`th node of `bb`, such that we need to synthesize a `this.` qualifier.
@@ -919,16 +925,22 @@ module Flow<LocationSig Location, InputSig<Location> Input> implements OutputSig
     )
   }
 
-  predicate storeStep(ClosureNode node1, CapturedVariable v, ClosureNode node2) {
-    // store v in the closure or in the malloc in case of a relevant constructor call
+  private predicate storeStepClosure(
+    ClosureNode node1, CapturedVariable v, ClosureNode node2, boolean alias
+  ) {
     exists(BasicBlock bb, int i, Expr closure |
-      synthRead(v, bb, i, _, closure) and
+      synthRead(v, bb, i, _, closure, alias) and
       node1 = TSynthRead(v, bb, i, false)
     |
       node2 = TExprNode(closure, false)
       or
       node2 = TMallocNode(closure) and hasConstructorCapture(closure, v)
     )
+  }
+
+  predicate storeStep(ClosureNode node1, CapturedVariable v, ClosureNode node2) {
+    // store v in the closure or in the malloc in case of a relevant constructor call
+    storeStepClosure(node1, v, node2, _)
     or
     // write to v inside the closure body
     exists(BasicBlock bb, int i, VariableWrite vw |
@@ -964,6 +976,62 @@ module Flow<LocationSig Location, InputSig<Location> Input> implements OutputSig
   }
 
   predicate clearsContent(ClosureNode node, CapturedVariable v) {
+    /*
+     * Stores into closure aliases block flow from previous stores, both to
+     * avoid overlapping data flow paths, but also to avoid false positive
+     * flow.
+     *
+     * Example 1 (overlapping paths):
+     *
+     * ```rb
+     * def m
+     *     x = taint
+     *
+     *     fn = -> { # (1)
+     *        sink x
+     *     }
+     *
+     *     fn.call # (2)
+     * ```
+     *
+     * If we don't clear `x` at `fn` (2), we will have two overlapping paths:
+     *
+     * ```
+     * taint -> fn (2) [captured x]
+     * taint -> fn (1) [captured x] -> fn (2) [captured x]
+     * ```
+     *
+     * where the step `fn (1) [captured x] -> fn [captured x]` arises from normal
+     * use-use flow for `fn`. Clearing `x` at `fn` (2) removes the second path above.
+     *
+     * Example 2 (false positive flow):
+     *
+     * ```rb
+     * def m
+     *     x = taint
+     *
+     *     fn = -> { # (1)
+     *        sink x
+     *     }
+     *
+     *     x = nil # (2)
+     *
+     *     fn.call # (3)
+     * end
+     * ```
+     *
+     * If we don't clear `x` at `fn` (3), we will have the following false positive
+     * flow path:
+     *
+     * ```
+     * taint -> fn (1) [captured x] -> fn (3) [captured x]
+     * ```
+     *
+     * since normal use-use flow for `fn` does not take the overwrite at (2) into account.
+     */
+
+    storeStepClosure(_, v, node, true)
+    or
     exists(BasicBlock bb, int i |
       captureWrite(v, bb, i, false, _) and
       node = TSynthThisQualifier(bb, i, false)