From ead687da06543861b465ab110aad13d5a995b15c Mon Sep 17 00:00:00 2001
From: Taus Brock-Nannestad <tausbn@github.com>
Date: Tue, 21 Jan 2020 15:28:01 +0100
Subject: [PATCH 001/429] Python: Add false positive test example for issue
 #2652.

---
 .../Variables/unused/UnusedLocalVariable.expected     |  1 +
 .../Variables/unused/type_annotation_fp.py            | 11 +++++++++++
 2 files changed, 12 insertions(+)
 create mode 100644 python/ql/test/query-tests/Variables/unused/type_annotation_fp.py

diff --git a/python/ql/test/query-tests/Variables/unused/UnusedLocalVariable.expected b/python/ql/test/query-tests/Variables/unused/UnusedLocalVariable.expected
index a902cad04cb..339a74432bc 100644
--- a/python/ql/test/query-tests/Variables/unused/UnusedLocalVariable.expected
+++ b/python/ql/test/query-tests/Variables/unused/UnusedLocalVariable.expected
@@ -1,3 +1,4 @@
+| type_annotation_fp.py:5:5:5:7 | foo | The value assigned to local variable 'foo' is never used. |
 | variables_test.py:29:5:29:5 | x | The value assigned to local variable 'x' is never used. |
 | variables_test.py:89:5:89:5 | a | The value assigned to local variable 'a' is never used. |
 | variables_test.py:89:7:89:7 | b | The value assigned to local variable 'b' is never used. |
diff --git a/python/ql/test/query-tests/Variables/unused/type_annotation_fp.py b/python/ql/test/query-tests/Variables/unused/type_annotation_fp.py
new file mode 100644
index 00000000000..72293f232e5
--- /dev/null
+++ b/python/ql/test/query-tests/Variables/unused/type_annotation_fp.py
@@ -0,0 +1,11 @@
+# FP Type annotation counts as redefinition
+# See https://github.com/Semmle/ql/issues/2652
+
+def type_annotation(x):
+    foo = 5
+    if x:
+        foo : int
+        do_stuff_with(foo)
+    else:
+        foo : float
+        do_other_stuff_with(foo)

From 4ec78d04f8cc8f869af959556e9537bf651fd7e5 Mon Sep 17 00:00:00 2001
From: luchua-bc <shengxin.canada@gmail.com>
Date: Mon, 21 Dec 2020 00:15:15 +0000
Subject: [PATCH 002/429] Insecure LDAP authentication

---
 .../CWE/CWE-522/InsecureLdapAuth.java         |  24 +++
 .../CWE/CWE-522/InsecureLdapAuth.qhelp        |  32 ++++
 .../Security/CWE/CWE-522/InsecureLdapAuth.ql  | 153 ++++++++++++++++++
 .../CWE-522/InsecureLdapAuth.expected         |  15 ++
 .../security/CWE-522/InsecureLdapAuth.java    |  92 +++++++++++
 .../security/CWE-522/InsecureLdapAuth.qlref   |   1 +
 6 files changed, 317 insertions(+)
 create mode 100644 java/ql/src/experimental/Security/CWE/CWE-522/InsecureLdapAuth.java
 create mode 100644 java/ql/src/experimental/Security/CWE/CWE-522/InsecureLdapAuth.qhelp
 create mode 100644 java/ql/src/experimental/Security/CWE/CWE-522/InsecureLdapAuth.ql
 create mode 100644 java/ql/test/experimental/query-tests/security/CWE-522/InsecureLdapAuth.expected
 create mode 100644 java/ql/test/experimental/query-tests/security/CWE-522/InsecureLdapAuth.java
 create mode 100644 java/ql/test/experimental/query-tests/security/CWE-522/InsecureLdapAuth.qlref

diff --git a/java/ql/src/experimental/Security/CWE/CWE-522/InsecureLdapAuth.java b/java/ql/src/experimental/Security/CWE/CWE-522/InsecureLdapAuth.java
new file mode 100644
index 00000000000..33764506a1b
--- /dev/null
+++ b/java/ql/src/experimental/Security/CWE/CWE-522/InsecureLdapAuth.java
@@ -0,0 +1,24 @@
+public class InsecureLdapAuth {
+	/** LDAP authentication */	
+	public DirContext ldapAuth(String ldapUserName, String password) {
+		{
+			// BAD: LDAP authentication in cleartext
+			String ldapUrl = "ldap://ad.your-server.com:389";
+		}
+
+		{
+			// GOOD: LDAPS authentication over SSL
+			String ldapUrl = "ldaps://ad.your-server.com:636";
+		}
+
+		Hashtable<String, String> environment = new Hashtable<String, String>();
+		environment.put(Context.INITIAL_CONTEXT_FACTORY, "com.sun.jndi.ldap.LdapCtxFactory");
+		environment.put(Context.PROVIDER_URL, ldapUrl);
+		environment.put(Context.REFERRAL, "follow");
+		env.put(Context.SECURITY_AUTHENTICATION, "simple");
+		environment.put(Context.SECURITY_PRINCIPAL, ldapUserName);
+		environment.put(Context.SECURITY_CREDENTIALS, password);
+		DirContext dirContext = new InitialDirContext(environment);
+		return dirContext;
+	}
+}
diff --git a/java/ql/src/experimental/Security/CWE/CWE-522/InsecureLdapAuth.qhelp b/java/ql/src/experimental/Security/CWE/CWE-522/InsecureLdapAuth.qhelp
new file mode 100644
index 00000000000..9b7193bf52f
--- /dev/null
+++ b/java/ql/src/experimental/Security/CWE/CWE-522/InsecureLdapAuth.qhelp
@@ -0,0 +1,32 @@
+<!DOCTYPE qhelp PUBLIC "-//Semmle//qhelp//EN" "qhelp.dtd">
+<qhelp>
+
+  <overview>
+    <p>When using the Java LDAP API to perform LDAPv3-style extended operations and controls, a context with connection properties including user credentials is started. Transmission of LDAP credentials in cleartext allows remote attackers to obtain sensitive information by sniffing the network.</p>
+  </overview>
+
+  <recommendation>
+    <p>Use LDAPS to send credentials through SSL or use SASL authentication.</p>
+  </recommendation>
+
+  <example>
+    <p>The following example shows two ways of using LDAP authentication. In the 'BAD' case, the credentials are transmitted in cleartext. In the 'GOOD' case, the credentials are transmitted over SSL.</p>
+    <sample src="InsecureLDAPAuth.java" />
+  </example>
+
+  <references>
+    <li>
+      CWE:
+      <a href="https://cwe.mitre.org/data/definitions/522">CWE-522: Insufficiently Protected Credentials</a>
+      <a href="https://cwe.mitre.org/data/definitions/319">CWE-319: Cleartext Transmission of Sensitive Information</a>
+    </li>
+    <li>
+      Oracle:
+      <a href="https://docs.oracle.com/javase/jndi/tutorial/ldap/misc/url.html">LDAP and LDAPS URLs</a>
+    </li>
+    <li>
+      Oracle:
+      <a href="https://docs.oracle.com/javase/tutorial/jndi/ldap/simple.html">Simple authentication consists of sending the LDAP server the fully qualified DN of the client (user) and the client's clear-text password</a>
+    </li>
+  </references>
+</qhelp>
diff --git a/java/ql/src/experimental/Security/CWE/CWE-522/InsecureLdapAuth.ql b/java/ql/src/experimental/Security/CWE/CWE-522/InsecureLdapAuth.ql
new file mode 100644
index 00000000000..663f4110524
--- /dev/null
+++ b/java/ql/src/experimental/Security/CWE/CWE-522/InsecureLdapAuth.ql
@@ -0,0 +1,153 @@
+/**
+ * @name Insecure LDAP authentication
+ * @description LDAP authentication with credentials sent in cleartext.
+ * @kind path-problem
+ * @id java/insecure-ldap-auth
+ * @tags security
+ *       external/cwe-522
+ *       external/cwe-319
+ */
+
+import java
+import semmle.code.java.frameworks.Jndi
+import semmle.code.java.dataflow.TaintTracking
+import DataFlow::PathGraph
+
+/**
+ * Gets a regular expression for matching private hosts, which only matches the host portion therefore checking for port is not necessary.
+ */
+private string getPrivateHostRegex() {
+  result =
+    "(?i)localhost(?:[:/?#].*)?|127\\.0\\.0\\.1(?:[:/?#].*)?|10(?:\\.[0-9]+){3}(?:[:/?#].*)?|172\\.16(?:\\.[0-9]+){2}(?:[:/?#].*)?|192.168(?:\\.[0-9]+){2}(?:[:/?#].*)?|\\[?0:0:0:0:0:0:0:1\\]?(?:[:/?#].*)?|\\[?::1\\]?(?:[:/?#].*)?"
+}
+
+/**
+ * String of LDAP connections not in private domains.
+ */
+class LdapStringLiteral extends StringLiteral {
+  LdapStringLiteral() {
+    // Match connection strings with the LDAP protocol and without private IP addresses to reduce false positives.
+    exists(string s | this.getRepresentedString() = s |
+      s.regexpMatch("(?i)ldap://[\\[a-zA-Z0-9].*") and
+      not s.substring(7, s.length()).regexpMatch(getPrivateHostRegex())
+    )
+  }
+}
+
+/** The interface `javax.naming.Context`. */
+class TypeNamingContext extends Interface {
+  TypeNamingContext() { this.hasQualifiedName("javax.naming", "Context") }
+}
+
+/** The class `java.util.Hashtable`. */
+class TypeHashtable extends Class {
+  TypeHashtable() { this.getSourceDeclaration().hasQualifiedName("java.util", "Hashtable") }
+}
+
+/**
+ * Holds if a non-private LDAP string is concatenated from both protocol and host.
+ */
+predicate concatLdapString(Expr protocol, Expr host) {
+  (
+    protocol.(CompileTimeConstantExpr).getStringValue().regexpMatch("(?i)ldap(://)?") or
+    protocol
+        .(VarAccess)
+        .getVariable()
+        .getAnAssignedValue()
+        .(CompileTimeConstantExpr)
+        .getStringValue()
+        .regexpMatch("(?i)ldap(://)?")
+  ) and
+  not exists(string hostString |
+    hostString = host.(CompileTimeConstantExpr).getStringValue() or
+    hostString =
+      host.(VarAccess).getVariable().getAnAssignedValue().(CompileTimeConstantExpr).getStringValue()
+  |
+    hostString.length() = 0 or // Empty host is loopback address
+    hostString.regexpMatch(getPrivateHostRegex())
+  )
+}
+
+/** Gets the leftmost operand in a concatenated string */
+Expr getLeftmostConcatOperand(Expr expr) {
+  if expr instanceof AddExpr
+  then result = getLeftmostConcatOperand(expr.(AddExpr).getLeftOperand())
+  else result = expr
+}
+
+/**
+ * String concatenated with `LdapStringLiteral`.
+ */
+class LdapString extends Expr {
+  LdapString() {
+    this instanceof LdapStringLiteral
+    or
+    concatLdapString(this.(AddExpr).getLeftOperand(),
+      getLeftmostConcatOperand(this.(AddExpr).getRightOperand()))
+  }
+}
+
+/**
+ * Tainted value passed to env `Hashtable` as the provider URL, i.e.
+ * `env.put(Context.PROVIDER_URL, tainted)` or `env.setProperty(Context.PROVIDER_URL, tainted)`.
+ */
+predicate isProviderUrlEnv(MethodAccess ma) {
+  ma.getMethod().getDeclaringType().getAnAncestor() instanceof TypeHashtable and
+  (ma.getMethod().hasName("put") or ma.getMethod().hasName("setProperty")) and
+  (
+    ma.getArgument(0).(CompileTimeConstantExpr).getStringValue() = "java.naming.provider.url"
+    or
+    exists(Field f |
+      ma.getArgument(0) = f.getAnAccess() and
+      f.hasName("PROVIDER_URL") and
+      f.getDeclaringType() instanceof TypeNamingContext
+    )
+  )
+}
+
+/**
+ * Holds if the value "simple" is passed to env `Hashtable` as the authentication mechanism, i.e.
+ * `env.put(Context.SECURITY_AUTHENTICATION, "simple")` or `env.setProperty(Context.SECURITY_AUTHENTICATION, "simple")`.
+ */
+predicate isSimpleAuthEnv(MethodAccess ma) {
+  ma.getMethod().getDeclaringType().getAnAncestor() instanceof TypeHashtable and
+  (ma.getMethod().hasName("put") or ma.getMethod().hasName("setProperty")) and
+  (
+    ma.getArgument(0).(CompileTimeConstantExpr).getStringValue() =
+      "java.naming.security.authentication"
+    or
+    exists(Field f |
+      ma.getArgument(0) = f.getAnAccess() and
+      f.hasName("SECURITY_AUTHENTICATION") and
+      f.getDeclaringType() instanceof TypeNamingContext
+    )
+  ) and
+  ma.getArgument(1).(CompileTimeConstantExpr).getStringValue() = "simple"
+}
+
+/**
+ * A taint-tracking configuration for cleartext credentials in LDAP authentication.
+ */
+class LdapAuthFlowConfig extends TaintTracking::Configuration {
+  LdapAuthFlowConfig() { this = "InsecureLdapAuth:LdapAuthFlowConfig" }
+
+  /** Source of non-private LDAP connection string */
+  override predicate isSource(DataFlow::Node src) { src.asExpr() instanceof LdapString }
+
+  /** Sink of provider URL with simple authentication */
+  override predicate isSink(DataFlow::Node sink) {
+    exists(MethodAccess pma |
+      sink.asExpr() = pma.getArgument(1) and
+      isProviderUrlEnv(pma) and
+      exists(MethodAccess sma |
+        sma.getQualifier() = pma.getQualifier().(VarAccess).getVariable().getAnAccess() and
+        isSimpleAuthEnv(sma)
+      )
+    )
+  }
+}
+
+from DataFlow::PathNode source, DataFlow::PathNode sink, LdapAuthFlowConfig config
+where config.hasFlowPath(source, sink)
+select sink.getNode(), source, sink, "Insecure LDAP authentication from $@.", source.getNode(),
+  "LDAP connection string"
diff --git a/java/ql/test/experimental/query-tests/security/CWE-522/InsecureLdapAuth.expected b/java/ql/test/experimental/query-tests/security/CWE-522/InsecureLdapAuth.expected
new file mode 100644
index 00000000000..65abcef0a9b
--- /dev/null
+++ b/java/ql/test/experimental/query-tests/security/CWE-522/InsecureLdapAuth.expected
@@ -0,0 +1,15 @@
+edges
+| InsecureLdapAuth.java:11:20:11:50 | "ldap://ad.your-server.com:389" : String | InsecureLdapAuth.java:15:41:15:47 | ldapUrl |
+| InsecureLdapAuth.java:25:20:25:39 | ... + ... : String | InsecureLdapAuth.java:29:41:29:47 | ldapUrl |
+| InsecureLdapAuth.java:81:20:81:50 | "ldap://ad.your-server.com:389" : String | InsecureLdapAuth.java:85:41:85:47 | ldapUrl |
+nodes
+| InsecureLdapAuth.java:11:20:11:50 | "ldap://ad.your-server.com:389" : String | semmle.label | "ldap://ad.your-server.com:389" : String |
+| InsecureLdapAuth.java:15:41:15:47 | ldapUrl | semmle.label | ldapUrl |
+| InsecureLdapAuth.java:25:20:25:39 | ... + ... : String | semmle.label | ... + ... : String |
+| InsecureLdapAuth.java:29:41:29:47 | ldapUrl | semmle.label | ldapUrl |
+| InsecureLdapAuth.java:81:20:81:50 | "ldap://ad.your-server.com:389" : String | semmle.label | "ldap://ad.your-server.com:389" : String |
+| InsecureLdapAuth.java:85:41:85:47 | ldapUrl | semmle.label | ldapUrl |
+#select
+| InsecureLdapAuth.java:15:41:15:47 | ldapUrl | InsecureLdapAuth.java:11:20:11:50 | "ldap://ad.your-server.com:389" : String | InsecureLdapAuth.java:15:41:15:47 | ldapUrl | Insecure LDAP authentication from $@. | InsecureLdapAuth.java:11:20:11:50 | "ldap://ad.your-server.com:389" | LDAP connection string |
+| InsecureLdapAuth.java:29:41:29:47 | ldapUrl | InsecureLdapAuth.java:25:20:25:39 | ... + ... : String | InsecureLdapAuth.java:29:41:29:47 | ldapUrl | Insecure LDAP authentication from $@. | InsecureLdapAuth.java:25:20:25:39 | ... + ... | LDAP connection string |
+| InsecureLdapAuth.java:85:41:85:47 | ldapUrl | InsecureLdapAuth.java:81:20:81:50 | "ldap://ad.your-server.com:389" : String | InsecureLdapAuth.java:85:41:85:47 | ldapUrl | Insecure LDAP authentication from $@. | InsecureLdapAuth.java:81:20:81:50 | "ldap://ad.your-server.com:389" | LDAP connection string |
diff --git a/java/ql/test/experimental/query-tests/security/CWE-522/InsecureLdapAuth.java b/java/ql/test/experimental/query-tests/security/CWE-522/InsecureLdapAuth.java
new file mode 100644
index 00000000000..236880a1e8e
--- /dev/null
+++ b/java/ql/test/experimental/query-tests/security/CWE-522/InsecureLdapAuth.java
@@ -0,0 +1,92 @@
+import java.util.Hashtable;
+
+import javax.naming.Context;
+import javax.naming.directory.DirContext;
+import javax.naming.directory.InitialDirContext;
+import javax.naming.ldap.InitialLdapContext;
+
+public class InsecureLdapAuth {
+	// BAD - Test LDAP authentication in cleartext using `DirContext`.
+	public void testCleartextLdapAuth(String ldapUserName, String password) {
+		String ldapUrl = "ldap://ad.your-server.com:389";
+		Hashtable<String, String> environment = new Hashtable<String, String>();
+		environment.put(Context.INITIAL_CONTEXT_FACTORY,
+			"com.sun.jndi.ldap.LdapCtxFactory");
+		environment.put(Context.PROVIDER_URL, ldapUrl);
+		environment.put(Context.REFERRAL, "follow");
+		environment.put(Context.SECURITY_AUTHENTICATION, "simple");
+		environment.put(Context.SECURITY_PRINCIPAL, ldapUserName);
+		environment.put(Context.SECURITY_CREDENTIALS, password);
+		DirContext dirContext = new InitialDirContext(environment);
+	}
+
+	// BAD - Test LDAP authentication in cleartext using `DirContext`.
+	public void testCleartextLdapAuth(String ldapUserName, String password, String serverName) {
+		String ldapUrl = "ldap://"+serverName+":389";
+		Hashtable<String, String> environment = new Hashtable<String, String>();
+		environment.put(Context.INITIAL_CONTEXT_FACTORY,
+			"com.sun.jndi.ldap.LdapCtxFactory");
+		environment.put(Context.PROVIDER_URL, ldapUrl);
+		environment.put(Context.REFERRAL, "follow");
+		environment.put(Context.SECURITY_AUTHENTICATION, "simple");
+		environment.put(Context.SECURITY_PRINCIPAL, ldapUserName);
+		environment.put(Context.SECURITY_CREDENTIALS, password);
+		DirContext dirContext = new InitialDirContext(environment);
+	}
+
+	// GOOD - Test LDAP authentication over SSL.
+	public void testSslLdapAuth(String ldapUserName, String password) {
+		String ldapUrl = "ldaps://ad.your-server.com:636";
+		Hashtable<String, String> environment = new Hashtable<String, String>();
+		environment.put(Context.INITIAL_CONTEXT_FACTORY,
+			"com.sun.jndi.ldap.LdapCtxFactory");
+		environment.put(Context.PROVIDER_URL, ldapUrl);
+		environment.put(Context.REFERRAL, "follow");
+		environment.put(Context.SECURITY_AUTHENTICATION, "simple");
+		environment.put(Context.SECURITY_PRINCIPAL, ldapUserName);
+		environment.put(Context.SECURITY_CREDENTIALS, password);
+		DirContext dirContext = new InitialDirContext(environment);
+	}
+
+	// GOOD - Test LDAP authentication with SASL authentication.
+	public void testSaslLdapAuth(String ldapUserName, String password) {
+		String ldapUrl = "ldap://ad.your-server.com:389";
+		Hashtable<String, String> environment = new Hashtable<String, String>();
+		environment.put(Context.INITIAL_CONTEXT_FACTORY,
+			"com.sun.jndi.ldap.LdapCtxFactory");
+		environment.put(Context.PROVIDER_URL, ldapUrl);
+		environment.put(Context.REFERRAL, "follow");
+		environment.put(Context.SECURITY_AUTHENTICATION, "DIGEST-MD5 GSSAPI");
+		environment.put(Context.SECURITY_PRINCIPAL, ldapUserName);
+		environment.put(Context.SECURITY_CREDENTIALS, password);
+		DirContext dirContext = new InitialDirContext(environment);
+	}
+
+	// GOOD - Test LDAP authentication in cleartext connecting to local LDAP server.
+	public void testCleartextLdapAuth2(String ldapUserName, String password) {
+		String ldapUrl = "ldap://localhost:389";
+		Hashtable<String, String> environment = new Hashtable<String, String>();
+		environment.put(Context.INITIAL_CONTEXT_FACTORY,
+			"com.sun.jndi.ldap.LdapCtxFactory");
+		environment.put(Context.PROVIDER_URL, ldapUrl);
+		environment.put(Context.REFERRAL, "follow");
+		environment.put(Context.SECURITY_AUTHENTICATION, "simple");
+		environment.put(Context.SECURITY_PRINCIPAL, ldapUserName);
+		environment.put(Context.SECURITY_CREDENTIALS, password);
+		DirContext dirContext = new InitialDirContext(environment);
+	}
+
+	// BAD - Test LDAP authentication in cleartext using `InitialLdapContext`.
+	public void testCleartextLdapAuth3(String ldapUserName, String password) {
+		String ldapUrl = "ldap://ad.your-server.com:389";
+		Hashtable<String, String> environment = new Hashtable<String, String>();
+		environment.put(Context.INITIAL_CONTEXT_FACTORY,
+			"com.sun.jndi.ldap.LdapCtxFactory");
+		environment.put(Context.PROVIDER_URL, ldapUrl);
+		environment.put(Context.REFERRAL, "follow");
+		environment.put(Context.SECURITY_AUTHENTICATION, "simple");
+		environment.put(Context.SECURITY_PRINCIPAL, ldapUserName);
+		environment.put(Context.SECURITY_CREDENTIALS, password);
+		InitialLdapContext ldapContext = new InitialLdapContext(environment, null);
+	}	
+}
diff --git a/java/ql/test/experimental/query-tests/security/CWE-522/InsecureLdapAuth.qlref b/java/ql/test/experimental/query-tests/security/CWE-522/InsecureLdapAuth.qlref
new file mode 100644
index 00000000000..c2baa984177
--- /dev/null
+++ b/java/ql/test/experimental/query-tests/security/CWE-522/InsecureLdapAuth.qlref
@@ -0,0 +1 @@
+experimental/Security/CWE/CWE-522/InsecureLdapAuth.ql

From c069a5b4c654e06ea669e7cdef0793d5179c9944 Mon Sep 17 00:00:00 2001
From: luchua-bc <shengxin.canada@gmail.com>
Date: Mon, 4 Jan 2021 14:51:32 +0000
Subject: [PATCH 003/429] Factor private host regex into the networking library
 and enhance the query

---
 .../Security/CWE/CWE-522/InsecureBasicAuth.ql | 12 +----
 .../CWE/CWE-522/InsecureLdapAuth.qhelp        |  2 +-
 .../Security/CWE/CWE-522/InsecureLdapAuth.ql  | 54 +++++++------------
 .../code/java/frameworks/Networking.qll       | 10 ++++
 .../CWE-522/InsecureLdapAuth.expected         |  4 ++
 .../security/CWE-522/InsecureLdapAuth.java    | 15 ++++++
 6 files changed, 50 insertions(+), 47 deletions(-)

diff --git a/java/ql/src/experimental/Security/CWE/CWE-522/InsecureBasicAuth.ql b/java/ql/src/experimental/Security/CWE/CWE-522/InsecureBasicAuth.ql
index 1fadb5bda69..3ec836a0117 100644
--- a/java/ql/src/experimental/Security/CWE/CWE-522/InsecureBasicAuth.ql
+++ b/java/ql/src/experimental/Security/CWE/CWE-522/InsecureBasicAuth.ql
@@ -14,14 +14,6 @@ import semmle.code.java.frameworks.ApacheHttp
 import semmle.code.java.dataflow.TaintTracking
 import DataFlow::PathGraph
 
-/**
- * Gets a regular expression for matching private hosts, which only matches the host portion therefore checking for port is not necessary.
- */
-private string getPrivateHostRegex() {
-  result =
-    "(?i)localhost(?:[:/?#].*)?|127\\.0\\.0\\.1(?:[:/?#].*)?|10(?:\\.[0-9]+){3}(?:[:/?#].*)?|172\\.16(?:\\.[0-9]+){2}(?:[:/?#].*)?|192.168(?:\\.[0-9]+){2}(?:[:/?#].*)?|\\[?0:0:0:0:0:0:0:1\\]?(?:[:/?#].*)?|\\[?::1\\]?(?:[:/?#].*)?"
-}
-
 /**
  * Class of Java URL constructor.
  */
@@ -76,7 +68,7 @@ class HttpStringLiteral extends StringLiteral {
     // Match URLs with the HTTP protocol and without private IP addresses to reduce false positives.
     exists(string s | this.getRepresentedString() = s |
       s.regexpMatch("(?i)http://[\\[a-zA-Z0-9].*") and
-      not s.substring(7, s.length()).regexpMatch(getPrivateHostRegex())
+      not s.substring(7, s.length()) instanceof PrivateHostName
     )
   }
 }
@@ -101,7 +93,7 @@ predicate concatHttpString(Expr protocol, Expr host) {
       host.(VarAccess).getVariable().getAnAssignedValue().(CompileTimeConstantExpr).getStringValue()
   |
     hostString.length() = 0 or // Empty host is loopback address
-    hostString.regexpMatch(getPrivateHostRegex())
+    hostString instanceof PrivateHostName
   )
 }
 
diff --git a/java/ql/src/experimental/Security/CWE/CWE-522/InsecureLdapAuth.qhelp b/java/ql/src/experimental/Security/CWE/CWE-522/InsecureLdapAuth.qhelp
index 9b7193bf52f..9241b52cf19 100644
--- a/java/ql/src/experimental/Security/CWE/CWE-522/InsecureLdapAuth.qhelp
+++ b/java/ql/src/experimental/Security/CWE/CWE-522/InsecureLdapAuth.qhelp
@@ -11,7 +11,7 @@
 
   <example>
     <p>The following example shows two ways of using LDAP authentication. In the 'BAD' case, the credentials are transmitted in cleartext. In the 'GOOD' case, the credentials are transmitted over SSL.</p>
-    <sample src="InsecureLDAPAuth.java" />
+    <sample src="InsecureLdapAuth.java" />
   </example>
 
   <references>
diff --git a/java/ql/src/experimental/Security/CWE/CWE-522/InsecureLdapAuth.ql b/java/ql/src/experimental/Security/CWE/CWE-522/InsecureLdapAuth.ql
index 663f4110524..37b3057fb2f 100644
--- a/java/ql/src/experimental/Security/CWE/CWE-522/InsecureLdapAuth.ql
+++ b/java/ql/src/experimental/Security/CWE/CWE-522/InsecureLdapAuth.ql
@@ -10,26 +10,19 @@
 
 import java
 import semmle.code.java.frameworks.Jndi
+import semmle.code.java.frameworks.Networking
 import semmle.code.java.dataflow.TaintTracking
 import DataFlow::PathGraph
 
 /**
- * Gets a regular expression for matching private hosts, which only matches the host portion therefore checking for port is not necessary.
+ * Insecure (non-SSL, non-private) LDAP URL string literal.
  */
-private string getPrivateHostRegex() {
-  result =
-    "(?i)localhost(?:[:/?#].*)?|127\\.0\\.0\\.1(?:[:/?#].*)?|10(?:\\.[0-9]+){3}(?:[:/?#].*)?|172\\.16(?:\\.[0-9]+){2}(?:[:/?#].*)?|192.168(?:\\.[0-9]+){2}(?:[:/?#].*)?|\\[?0:0:0:0:0:0:0:1\\]?(?:[:/?#].*)?|\\[?::1\\]?(?:[:/?#].*)?"
-}
-
-/**
- * String of LDAP connections not in private domains.
- */
-class LdapStringLiteral extends StringLiteral {
-  LdapStringLiteral() {
+class InsecureLdapUrlLiteral extends StringLiteral {
+  InsecureLdapUrlLiteral() {
     // Match connection strings with the LDAP protocol and without private IP addresses to reduce false positives.
     exists(string s | this.getRepresentedString() = s |
       s.regexpMatch("(?i)ldap://[\\[a-zA-Z0-9].*") and
-      not s.substring(7, s.length()).regexpMatch(getPrivateHostRegex())
+      not s.substring(7, s.length()) instanceof PrivateHostName
     )
   }
 }
@@ -47,24 +40,15 @@ class TypeHashtable extends Class {
 /**
  * Holds if a non-private LDAP string is concatenated from both protocol and host.
  */
-predicate concatLdapString(Expr protocol, Expr host) {
-  (
-    protocol.(CompileTimeConstantExpr).getStringValue().regexpMatch("(?i)ldap(://)?") or
-    protocol
-        .(VarAccess)
-        .getVariable()
-        .getAnAssignedValue()
-        .(CompileTimeConstantExpr)
-        .getStringValue()
-        .regexpMatch("(?i)ldap(://)?")
-  ) and
+predicate concatInsecureLdapString(Expr protocol, Expr host) {
+  protocol.(CompileTimeConstantExpr).getStringValue() = "ldap://" and
   not exists(string hostString |
     hostString = host.(CompileTimeConstantExpr).getStringValue() or
     hostString =
       host.(VarAccess).getVariable().getAnAssignedValue().(CompileTimeConstantExpr).getStringValue()
   |
     hostString.length() = 0 or // Empty host is loopback address
-    hostString.regexpMatch(getPrivateHostRegex())
+    hostString instanceof PrivateHostName
   )
 }
 
@@ -76,22 +60,21 @@ Expr getLeftmostConcatOperand(Expr expr) {
 }
 
 /**
- * String concatenated with `LdapStringLiteral`.
+ * String concatenated with `InsecureLdapUrlLiteral`.
  */
-class LdapString extends Expr {
-  LdapString() {
-    this instanceof LdapStringLiteral
+class InsecureLdapUrl extends Expr {
+  InsecureLdapUrl() {
+    this instanceof InsecureLdapUrlLiteral
     or
-    concatLdapString(this.(AddExpr).getLeftOperand(),
+    concatInsecureLdapString(this.(AddExpr).getLeftOperand(),
       getLeftmostConcatOperand(this.(AddExpr).getRightOperand()))
   }
 }
 
 /**
- * Tainted value passed to env `Hashtable` as the provider URL, i.e.
- * `env.put(Context.PROVIDER_URL, tainted)` or `env.setProperty(Context.PROVIDER_URL, tainted)`.
+ * Holds if `ma` writes the `java.naming.provider.url` (also known as `Context.PROVIDER_URL`) key of a `Hashtable`.
  */
-predicate isProviderUrlEnv(MethodAccess ma) {
+predicate isProviderUrlSetter(MethodAccess ma) {
   ma.getMethod().getDeclaringType().getAnAncestor() instanceof TypeHashtable and
   (ma.getMethod().hasName("put") or ma.getMethod().hasName("setProperty")) and
   (
@@ -106,8 +89,7 @@ predicate isProviderUrlEnv(MethodAccess ma) {
 }
 
 /**
- * Holds if the value "simple" is passed to env `Hashtable` as the authentication mechanism, i.e.
- * `env.put(Context.SECURITY_AUTHENTICATION, "simple")` or `env.setProperty(Context.SECURITY_AUTHENTICATION, "simple")`.
+ * Holds if `ma` sets `java.naming.security.authentication` (also known as `Context.SECURITY_AUTHENTICATION`) to `simple` in some `Hashtable`.
  */
 predicate isSimpleAuthEnv(MethodAccess ma) {
   ma.getMethod().getDeclaringType().getAnAncestor() instanceof TypeHashtable and
@@ -132,13 +114,13 @@ class LdapAuthFlowConfig extends TaintTracking::Configuration {
   LdapAuthFlowConfig() { this = "InsecureLdapAuth:LdapAuthFlowConfig" }
 
   /** Source of non-private LDAP connection string */
-  override predicate isSource(DataFlow::Node src) { src.asExpr() instanceof LdapString }
+  override predicate isSource(DataFlow::Node src) { src.asExpr() instanceof InsecureLdapUrl }
 
   /** Sink of provider URL with simple authentication */
   override predicate isSink(DataFlow::Node sink) {
     exists(MethodAccess pma |
       sink.asExpr() = pma.getArgument(1) and
-      isProviderUrlEnv(pma) and
+      isProviderUrlSetter(pma) and
       exists(MethodAccess sma |
         sma.getQualifier() = pma.getQualifier().(VarAccess).getVariable().getAnAccess() and
         isSimpleAuthEnv(sma)
diff --git a/java/ql/src/semmle/code/java/frameworks/Networking.qll b/java/ql/src/semmle/code/java/frameworks/Networking.qll
index 988510dd2e9..997b8075403 100644
--- a/java/ql/src/semmle/code/java/frameworks/Networking.qll
+++ b/java/ql/src/semmle/code/java/frameworks/Networking.qll
@@ -129,3 +129,13 @@ class UrlOpenConnectionMethod extends Method {
     this.getName() = "openConnection"
   }
 }
+
+/**
+ * A string matching private host names of IPv4 and IPv6, which only matches the host portion therefore checking for port is not necessary.
+ */
+class PrivateHostName extends string {
+  bindingset[this]
+  PrivateHostName() {
+    this.regexpMatch("(?i)localhost(?:[:/?#].*)?|127\\.0\\.0\\.1(?:[:/?#].*)?|10(?:\\.[0-9]+){3}(?:[:/?#].*)?|172\\.16(?:\\.[0-9]+){2}(?:[:/?#].*)?|192.168(?:\\.[0-9]+){2}(?:[:/?#].*)?|\\[?0:0:0:0:0:0:0:1\\]?(?:[:/?#].*)?|\\[?::1\\]?(?:[:/?#].*)?")
+  }
+}
diff --git a/java/ql/test/experimental/query-tests/security/CWE-522/InsecureLdapAuth.expected b/java/ql/test/experimental/query-tests/security/CWE-522/InsecureLdapAuth.expected
index 65abcef0a9b..c34c8966e0d 100644
--- a/java/ql/test/experimental/query-tests/security/CWE-522/InsecureLdapAuth.expected
+++ b/java/ql/test/experimental/query-tests/security/CWE-522/InsecureLdapAuth.expected
@@ -2,6 +2,7 @@ edges
 | InsecureLdapAuth.java:11:20:11:50 | "ldap://ad.your-server.com:389" : String | InsecureLdapAuth.java:15:41:15:47 | ldapUrl |
 | InsecureLdapAuth.java:25:20:25:39 | ... + ... : String | InsecureLdapAuth.java:29:41:29:47 | ldapUrl |
 | InsecureLdapAuth.java:81:20:81:50 | "ldap://ad.your-server.com:389" : String | InsecureLdapAuth.java:85:41:85:47 | ldapUrl |
+| InsecureLdapAuth.java:96:20:96:50 | "ldap://ad.your-server.com:389" : String | InsecureLdapAuth.java:100:47:100:53 | ldapUrl |
 nodes
 | InsecureLdapAuth.java:11:20:11:50 | "ldap://ad.your-server.com:389" : String | semmle.label | "ldap://ad.your-server.com:389" : String |
 | InsecureLdapAuth.java:15:41:15:47 | ldapUrl | semmle.label | ldapUrl |
@@ -9,7 +10,10 @@ nodes
 | InsecureLdapAuth.java:29:41:29:47 | ldapUrl | semmle.label | ldapUrl |
 | InsecureLdapAuth.java:81:20:81:50 | "ldap://ad.your-server.com:389" : String | semmle.label | "ldap://ad.your-server.com:389" : String |
 | InsecureLdapAuth.java:85:41:85:47 | ldapUrl | semmle.label | ldapUrl |
+| InsecureLdapAuth.java:96:20:96:50 | "ldap://ad.your-server.com:389" : String | semmle.label | "ldap://ad.your-server.com:389" : String |
+| InsecureLdapAuth.java:100:47:100:53 | ldapUrl | semmle.label | ldapUrl |
 #select
 | InsecureLdapAuth.java:15:41:15:47 | ldapUrl | InsecureLdapAuth.java:11:20:11:50 | "ldap://ad.your-server.com:389" : String | InsecureLdapAuth.java:15:41:15:47 | ldapUrl | Insecure LDAP authentication from $@. | InsecureLdapAuth.java:11:20:11:50 | "ldap://ad.your-server.com:389" | LDAP connection string |
 | InsecureLdapAuth.java:29:41:29:47 | ldapUrl | InsecureLdapAuth.java:25:20:25:39 | ... + ... : String | InsecureLdapAuth.java:29:41:29:47 | ldapUrl | Insecure LDAP authentication from $@. | InsecureLdapAuth.java:25:20:25:39 | ... + ... | LDAP connection string |
 | InsecureLdapAuth.java:85:41:85:47 | ldapUrl | InsecureLdapAuth.java:81:20:81:50 | "ldap://ad.your-server.com:389" : String | InsecureLdapAuth.java:85:41:85:47 | ldapUrl | Insecure LDAP authentication from $@. | InsecureLdapAuth.java:81:20:81:50 | "ldap://ad.your-server.com:389" | LDAP connection string |
+| InsecureLdapAuth.java:100:47:100:53 | ldapUrl | InsecureLdapAuth.java:96:20:96:50 | "ldap://ad.your-server.com:389" : String | InsecureLdapAuth.java:100:47:100:53 | ldapUrl | Insecure LDAP authentication from $@. | InsecureLdapAuth.java:96:20:96:50 | "ldap://ad.your-server.com:389" | LDAP connection string |
diff --git a/java/ql/test/experimental/query-tests/security/CWE-522/InsecureLdapAuth.java b/java/ql/test/experimental/query-tests/security/CWE-522/InsecureLdapAuth.java
index 236880a1e8e..cc16047ebf2 100644
--- a/java/ql/test/experimental/query-tests/security/CWE-522/InsecureLdapAuth.java
+++ b/java/ql/test/experimental/query-tests/security/CWE-522/InsecureLdapAuth.java
@@ -89,4 +89,19 @@ public class InsecureLdapAuth {
 		environment.put(Context.SECURITY_CREDENTIALS, password);
 		InitialLdapContext ldapContext = new InitialLdapContext(environment, null);
 	}	
+
+
+	// BAD - Test LDAP authentication in cleartext using `DirContext` and string literals.
+	public void testCleartextLdapAuth4(String ldapUserName, String password) {
+		String ldapUrl = "ldap://ad.your-server.com:389";
+		Hashtable<String, String> environment = new Hashtable<String, String>();
+		environment.put("java.naming.factory.initial",
+			"com.sun.jndi.ldap.LdapCtxFactory");
+		environment.put("java.naming.provider.url", ldapUrl);
+		environment.put("java.naming.referral", "follow");
+		environment.put("java.naming.security.authentication", "simple");
+		environment.put("java.naming.security.principal", ldapUserName);
+		environment.put("java.naming.security.credentials", password);
+		DirContext dirContext = new InitialDirContext(environment);
+	}
 }

From 9b3070ab7c061b6d61f8e282c4e1272803750c6c Mon Sep 17 00:00:00 2001
From: intrigus <abc123zeus@live.de>
Date: Tue, 12 Jan 2021 14:48:22 +0100
Subject: [PATCH 004/429] Java: Add JXBrowser disabled certificate query.

---
 .../JXBrowserWithoutCertValidation.java       | 23 ++++++
 .../JXBrowserWithoutCertValidation.qhelp      | 31 ++++++++
 .../CWE-295/JXBrowserWithoutCertValidation.ql | 73 +++++++++++++++++++
 3 files changed, 127 insertions(+)
 create mode 100644 java/ql/src/experimental/Security/CWE/CWE-295/JXBrowserWithoutCertValidation.java
 create mode 100644 java/ql/src/experimental/Security/CWE/CWE-295/JXBrowserWithoutCertValidation.qhelp
 create mode 100644 java/ql/src/experimental/Security/CWE/CWE-295/JXBrowserWithoutCertValidation.ql

diff --git a/java/ql/src/experimental/Security/CWE/CWE-295/JXBrowserWithoutCertValidation.java b/java/ql/src/experimental/Security/CWE/CWE-295/JXBrowserWithoutCertValidation.java
new file mode 100644
index 00000000000..e45039e0fef
--- /dev/null
+++ b/java/ql/src/experimental/Security/CWE/CWE-295/JXBrowserWithoutCertValidation.java
@@ -0,0 +1,23 @@
+public static void main(String[] args) {
+	{
+		Browser browser = new Browser();
+		browser.loadURL("https://example.com");
+		// no further calls
+		// BAD: The browser ignores any certificate error by default!
+	}
+
+	{
+		Browser browser = new Browser();
+		browser.setLoadHandler(new LoadHandler() {
+			public boolean onLoad(LoadParams params) {
+				return true;
+			}
+
+			public boolean onCertificateError(CertificateErrorParams params){
+				return true; // GOOD: This means that loading will be cancelled on certificate errors
+			}
+		}); // GOOD: A secure `LoadHandler` is used.
+		browser.loadURL("https://example.com");
+
+	}
+}
\ No newline at end of file
diff --git a/java/ql/src/experimental/Security/CWE/CWE-295/JXBrowserWithoutCertValidation.qhelp b/java/ql/src/experimental/Security/CWE/CWE-295/JXBrowserWithoutCertValidation.qhelp
new file mode 100644
index 00000000000..1d9588652c2
--- /dev/null
+++ b/java/ql/src/experimental/Security/CWE/CWE-295/JXBrowserWithoutCertValidation.qhelp
@@ -0,0 +1,31 @@
+<!DOCTYPE qhelp PUBLIC
+  "-//Semmle//qhelp//EN"
+  "qhelp.dtd">
+<qhelp>
+
+<overview>
+<p>JXBrowser is a Java library that allows to embed the Chromium browser inside Java applications.
+The version 6.x.x by default ignores any HTTPS certificate errors thereby allowing man-in-the-middle attacks.
+</p>
+</overview>
+
+<recommendation>
+<p>Do either of these:
+<li>Update to version 7.x.x as it now correctly rejects certificate errors by default.</li>
+<li>Add a custom implementation of the <code>LoadHandler</code> interface whose <code>onCertificateError</code> method always returns <b>true</b> indicating that loading should be cancelled.
+Then use the <code>setLoadHandler</code> method with your custom <code>LoadHandler</code> on every <code>Browser</code> you use.</li>
+</p>
+</recommendation>
+
+<example>
+<p>The following two examples show two ways of using a <code>Browser</code>. In the 'BAD' case,
+all certificate errors are ignored. In the 'GOOD' case, certificate errors are rejected.</p>
+<sample src="JXBrowserWithoutCertValidation.java" />
+</example>
+
+<references>
+<li>Teamdev:
+<a href="https://www.teamdev.com/downloads/jxbrowser/javadoc/com/teamdev/jxbrowser/chromium/LoadHandler.html#onCertificateError-com.teamdev.jxbrowser.chromium.CertificateErrorParams-">
+Javadoc for the LoadHandler#onCertificateError method</a>.</li>
+</references>
+</qhelp>
diff --git a/java/ql/src/experimental/Security/CWE/CWE-295/JXBrowserWithoutCertValidation.ql b/java/ql/src/experimental/Security/CWE/CWE-295/JXBrowserWithoutCertValidation.ql
new file mode 100644
index 00000000000..6e7fe37e668
--- /dev/null
+++ b/java/ql/src/experimental/Security/CWE/CWE-295/JXBrowserWithoutCertValidation.ql
@@ -0,0 +1,73 @@
+/**
+ * @name JXBrowser with disabled certificate validation
+ * @description Insecure configuration of JXBrowser disables certificate validation making the app vulnerable to man-in-the-middle attacks.
+ * @kind problem
+ * @id java/jxbrowser/disabled-certificate-validation
+ * @tags security
+ *       external/cwe-295
+ */
+
+import java
+import semmle.code.java.security.Encryption
+import semmle.code.java.dataflow.TaintTracking
+
+/*
+ * This query is version specific to JXBrowser 6.x.x. The version is indirectly detected.
+ * In version 6.x.x the `Browser` class is in a different package compared to version 7.x.x.
+ */
+
+/** The `com.teamdev.jxbrowser.chromium.Browser` class. */
+private class JXBrowser extends RefType {
+  JXBrowser() { this.hasQualifiedName("com.teamdev.jxbrowser.chromium", "Browser") }
+}
+
+/** The `setLoadHandler` method on the `com.teamdev.jxbrowser.chromium.Browser` class. */
+private class JXBrowserSetLoadHandler extends Method {
+  JXBrowserSetLoadHandler() {
+    this.hasName("setLoadHandler") and this.getDeclaringType() instanceof JXBrowser
+  }
+}
+
+/** The `com.teamdev.jxbrowser.chromium.LoadHandler` interface. */
+private class JXBrowserLoadHandler extends RefType {
+  JXBrowserLoadHandler() { this.hasQualifiedName("com.teamdev.jxbrowser.chromium", "LoadHandler") }
+}
+
+private predicate isOnCertificateErrorMethodSafe(Method m) {
+  forex(ReturnStmt rs | rs.getEnclosingCallable() = m |
+    rs.getResult().(CompileTimeConstantExpr).getBooleanValue() = true
+  )
+}
+
+/** A class that securely implements the `com.teamdev.jxbrowser.chromium.LoadHandler` interface. */
+private class JXBrowserSafeLoadHandler extends RefType {
+  JXBrowserSafeLoadHandler() {
+    this.getASupertype() instanceof JXBrowserLoadHandler and
+    exists(Method m | m.hasName("onCertificateError") and m.getDeclaringType() = this |
+      isOnCertificateErrorMethodSafe(m)
+    )
+  }
+}
+
+private class JXBrowserTaintTracking extends TaintTracking::Configuration {
+  JXBrowserTaintTracking() { this = "JXBrowserTaintTracking" }
+
+  override predicate isSource(DataFlow::Node src) {
+    exists(ClassInstanceExpr newJXBrowser | newJXBrowser.getConstructedType() instanceof JXBrowser |
+      newJXBrowser = src.asExpr()
+    )
+  }
+
+  override predicate isSink(DataFlow::Node sink) {
+    exists(MethodAccess ma | ma.getMethod() instanceof JXBrowserSetLoadHandler |
+      ma.getArgument(0).getType() instanceof JXBrowserSafeLoadHandler and
+      ma.getQualifier() = sink.asExpr()
+    )
+  }
+}
+
+from JXBrowserTaintTracking cfg, DataFlow::Node src
+where
+  cfg.isSource(src) and
+  not cfg.hasFlow(src, _)
+select src, "This JXBrowser instance allows man-in-the-middle attacks."

From b30872806dc631f53638f99fc2499fff012c57d8 Mon Sep 17 00:00:00 2001
From: intrigus <abc123zeus@live.de>
Date: Tue, 12 Jan 2021 14:49:12 +0100
Subject: [PATCH 005/429] Java: Add tests and test stubs.

---
 .../JXBrowserWithoutCertValidation.expected   |  1 +
 .../JXBrowserWithoutCertValidation.java       | 36 +++++++++++++++++++
 .../JXBrowserWithoutCertValidation.qlref      |  1 +
 .../query-tests/security/CWE-295/options      |  1 +
 .../teamdev/jxbrowser/chromium/Browser.java   |  9 +++++
 .../chromium/CertificateErrorParams.java      |  5 +++
 .../jxbrowser/chromium/LoadHandler.java       |  7 ++++
 .../jxbrowser/chromium/LoadParams.java        |  5 +++
 8 files changed, 65 insertions(+)
 create mode 100644 java/ql/test/experimental/query-tests/security/CWE-295/JXBrowserWithoutCertValidation.expected
 create mode 100644 java/ql/test/experimental/query-tests/security/CWE-295/JXBrowserWithoutCertValidation.java
 create mode 100644 java/ql/test/experimental/query-tests/security/CWE-295/JXBrowserWithoutCertValidation.qlref
 create mode 100644 java/ql/test/experimental/query-tests/security/CWE-295/options
 create mode 100644 java/ql/test/experimental/stubs/jxbrowser-6.23.1/com/teamdev/jxbrowser/chromium/Browser.java
 create mode 100644 java/ql/test/experimental/stubs/jxbrowser-6.23.1/com/teamdev/jxbrowser/chromium/CertificateErrorParams.java
 create mode 100644 java/ql/test/experimental/stubs/jxbrowser-6.23.1/com/teamdev/jxbrowser/chromium/LoadHandler.java
 create mode 100644 java/ql/test/experimental/stubs/jxbrowser-6.23.1/com/teamdev/jxbrowser/chromium/LoadParams.java

diff --git a/java/ql/test/experimental/query-tests/security/CWE-295/JXBrowserWithoutCertValidation.expected b/java/ql/test/experimental/query-tests/security/CWE-295/JXBrowserWithoutCertValidation.expected
new file mode 100644
index 00000000000..00d43d1e8b7
--- /dev/null
+++ b/java/ql/test/experimental/query-tests/security/CWE-295/JXBrowserWithoutCertValidation.expected
@@ -0,0 +1 @@
+| JXBrowserWithoutCertValidation.java:17:27:17:39 | new Browser(...) | This JXBrowser instance allows man-in-the-middle attacks. |
diff --git a/java/ql/test/experimental/query-tests/security/CWE-295/JXBrowserWithoutCertValidation.java b/java/ql/test/experimental/query-tests/security/CWE-295/JXBrowserWithoutCertValidation.java
new file mode 100644
index 00000000000..97fc8e8770f
--- /dev/null
+++ b/java/ql/test/experimental/query-tests/security/CWE-295/JXBrowserWithoutCertValidation.java
@@ -0,0 +1,36 @@
+import com.teamdev.jxbrowser.chromium.Browser;
+import com.teamdev.jxbrowser.chromium.LoadHandler;
+import com.teamdev.jxbrowser.chromium.LoadParams;
+import com.teamdev.jxbrowser.chromium.CertificateErrorParams;
+
+public class JXBrowserWithoutCertValidation {
+
+    public static void main(String[] args) {
+
+        badUsage();
+
+        goodUsage();
+
+    }
+
+    private static void badUsage() {
+        Browser browser = new Browser();
+        browser.loadURL("https://example.com");
+        // no further calls
+        // BAD: The browser ignores any certificate error by default!
+    }
+
+    private static void goodUsage() {
+        Browser browser = new Browser();
+        browser.setLoadHandler(new LoadHandler() {
+            public boolean onLoad(LoadParams params) {
+                return true;
+            }
+
+            public boolean onCertificateError(CertificateErrorParams params) {
+                return true; // GOOD: This means that loading will be cancelled on certificate errors
+            }
+        }); // GOOD: A secure `LoadHandler` is used.
+        browser.loadURL("https://example.com");
+    }
+}
\ No newline at end of file
diff --git a/java/ql/test/experimental/query-tests/security/CWE-295/JXBrowserWithoutCertValidation.qlref b/java/ql/test/experimental/query-tests/security/CWE-295/JXBrowserWithoutCertValidation.qlref
new file mode 100644
index 00000000000..ab2a3f14bb9
--- /dev/null
+++ b/java/ql/test/experimental/query-tests/security/CWE-295/JXBrowserWithoutCertValidation.qlref
@@ -0,0 +1 @@
+experimental/Security/CWE/CWE-295/JXBrowserWithoutCertValidation.ql
diff --git a/java/ql/test/experimental/query-tests/security/CWE-295/options b/java/ql/test/experimental/query-tests/security/CWE-295/options
new file mode 100644
index 00000000000..770bbcd38e6
--- /dev/null
+++ b/java/ql/test/experimental/query-tests/security/CWE-295/options
@@ -0,0 +1 @@
+ //semmle-extractor-options: --javac-args -cp ${testdir}/../../../stubs/jxbrowser-6.23.1
\ No newline at end of file
diff --git a/java/ql/test/experimental/stubs/jxbrowser-6.23.1/com/teamdev/jxbrowser/chromium/Browser.java b/java/ql/test/experimental/stubs/jxbrowser-6.23.1/com/teamdev/jxbrowser/chromium/Browser.java
new file mode 100644
index 00000000000..327a4b4ecd8
--- /dev/null
+++ b/java/ql/test/experimental/stubs/jxbrowser-6.23.1/com/teamdev/jxbrowser/chromium/Browser.java
@@ -0,0 +1,9 @@
+package com.teamdev.jxbrowser.chromium;
+
+public class Browser extends java.lang.Object {
+    public void setLoadHandler(LoadHandler handler) {
+    }
+
+    public void loadURL(String url) {
+    }
+}
\ No newline at end of file
diff --git a/java/ql/test/experimental/stubs/jxbrowser-6.23.1/com/teamdev/jxbrowser/chromium/CertificateErrorParams.java b/java/ql/test/experimental/stubs/jxbrowser-6.23.1/com/teamdev/jxbrowser/chromium/CertificateErrorParams.java
new file mode 100644
index 00000000000..904b98a6c51
--- /dev/null
+++ b/java/ql/test/experimental/stubs/jxbrowser-6.23.1/com/teamdev/jxbrowser/chromium/CertificateErrorParams.java
@@ -0,0 +1,5 @@
+package com.teamdev.jxbrowser.chromium;
+
+public final class CertificateErrorParams extends Object {
+
+}
\ No newline at end of file
diff --git a/java/ql/test/experimental/stubs/jxbrowser-6.23.1/com/teamdev/jxbrowser/chromium/LoadHandler.java b/java/ql/test/experimental/stubs/jxbrowser-6.23.1/com/teamdev/jxbrowser/chromium/LoadHandler.java
new file mode 100644
index 00000000000..a628d88439c
--- /dev/null
+++ b/java/ql/test/experimental/stubs/jxbrowser-6.23.1/com/teamdev/jxbrowser/chromium/LoadHandler.java
@@ -0,0 +1,7 @@
+package com.teamdev.jxbrowser.chromium;
+
+public interface LoadHandler {
+    boolean onCertificateError(CertificateErrorParams params);
+
+    boolean onLoad(LoadParams params);
+}
\ No newline at end of file
diff --git a/java/ql/test/experimental/stubs/jxbrowser-6.23.1/com/teamdev/jxbrowser/chromium/LoadParams.java b/java/ql/test/experimental/stubs/jxbrowser-6.23.1/com/teamdev/jxbrowser/chromium/LoadParams.java
new file mode 100644
index 00000000000..213e54f1dbc
--- /dev/null
+++ b/java/ql/test/experimental/stubs/jxbrowser-6.23.1/com/teamdev/jxbrowser/chromium/LoadParams.java
@@ -0,0 +1,5 @@
+package com.teamdev.jxbrowser.chromium;
+
+public final class LoadParams extends Object {
+
+}
\ No newline at end of file

From 1ebc9f4d9399b9ec0394d9bc810bef481194d7a1 Mon Sep 17 00:00:00 2001
From: intrigus <abc123zeus@live.de>
Date: Tue, 12 Jan 2021 22:39:08 +0100
Subject: [PATCH 006/429] Java: Only detect JxBrowser < 6.24

---
 .../CWE/CWE-295/JXBrowserWithoutCertValidation.ql   | 13 +++++++++++--
 1 file changed, 11 insertions(+), 2 deletions(-)

diff --git a/java/ql/src/experimental/Security/CWE/CWE-295/JXBrowserWithoutCertValidation.ql b/java/ql/src/experimental/Security/CWE/CWE-295/JXBrowserWithoutCertValidation.ql
index 6e7fe37e668..ab74c78d1e7 100644
--- a/java/ql/src/experimental/Security/CWE/CWE-295/JXBrowserWithoutCertValidation.ql
+++ b/java/ql/src/experimental/Security/CWE/CWE-295/JXBrowserWithoutCertValidation.ql
@@ -12,10 +12,18 @@ import semmle.code.java.security.Encryption
 import semmle.code.java.dataflow.TaintTracking
 
 /*
- * This query is version specific to JXBrowser 6.x.x. The version is indirectly detected.
+ * This query is version specific to JXBrowser < 6.24. The version is indirectly detected.
  * In version 6.x.x the `Browser` class is in a different package compared to version 7.x.x.
  */
 
+/**
+ * Holds if a safe JXBrowser 6.x.x version is used, such as version 6.24.
+ * This is detected by the the presence of the `addBoundsListener` in the `Browser` class.
+ */
+private predicate isSafeJXBrowserVersion() {
+  exists(Method m | m.getDeclaringType() instanceof JXBrowser | m.hasName("addBoundsListener"))
+}
+
 /** The `com.teamdev.jxbrowser.chromium.Browser` class. */
 private class JXBrowser extends RefType {
   JXBrowser() { this.hasQualifiedName("com.teamdev.jxbrowser.chromium", "Browser") }
@@ -69,5 +77,6 @@ private class JXBrowserTaintTracking extends TaintTracking::Configuration {
 from JXBrowserTaintTracking cfg, DataFlow::Node src
 where
   cfg.isSource(src) and
-  not cfg.hasFlow(src, _)
+  not cfg.hasFlow(src, _) and
+  not isSafeJXBrowserVersion()
 select src, "This JXBrowser instance allows man-in-the-middle attacks."

From 5b3086a93a07313d79520a24c36d9b45992fd2d1 Mon Sep 17 00:00:00 2001
From: intrigus <abc123zeus@live.de>
Date: Tue, 12 Jan 2021 22:43:41 +0100
Subject: [PATCH 007/429] Java: Fix capitalization of JxBrowser

---
 ...va => JxBrowserWithoutCertValidation.java} |  0
 ...p => JxBrowserWithoutCertValidation.qhelp} | 12 ++---
 ...n.ql => JxBrowserWithoutCertValidation.ql} | 50 +++++++++----------
 .../JXBrowserWithoutCertValidation.expected   |  1 -
 .../JXBrowserWithoutCertValidation.qlref      |  1 -
 .../JxBrowserWithoutCertValidation.expected   |  1 +
 ...va => JxBrowserWithoutCertValidation.java} |  2 +-
 .../JxBrowserWithoutCertValidation.qlref      |  1 +
 8 files changed, 34 insertions(+), 34 deletions(-)
 rename java/ql/src/experimental/Security/CWE/CWE-295/{JXBrowserWithoutCertValidation.java => JxBrowserWithoutCertValidation.java} (100%)
 rename java/ql/src/experimental/Security/CWE/CWE-295/{JXBrowserWithoutCertValidation.qhelp => JxBrowserWithoutCertValidation.qhelp} (58%)
 rename java/ql/src/experimental/Security/CWE/CWE-295/{JXBrowserWithoutCertValidation.ql => JxBrowserWithoutCertValidation.ql} (54%)
 delete mode 100644 java/ql/test/experimental/query-tests/security/CWE-295/JXBrowserWithoutCertValidation.expected
 delete mode 100644 java/ql/test/experimental/query-tests/security/CWE-295/JXBrowserWithoutCertValidation.qlref
 create mode 100644 java/ql/test/experimental/query-tests/security/CWE-295/JxBrowserWithoutCertValidation.expected
 rename java/ql/test/experimental/query-tests/security/CWE-295/{JXBrowserWithoutCertValidation.java => JxBrowserWithoutCertValidation.java} (95%)
 create mode 100644 java/ql/test/experimental/query-tests/security/CWE-295/JxBrowserWithoutCertValidation.qlref

diff --git a/java/ql/src/experimental/Security/CWE/CWE-295/JXBrowserWithoutCertValidation.java b/java/ql/src/experimental/Security/CWE/CWE-295/JxBrowserWithoutCertValidation.java
similarity index 100%
rename from java/ql/src/experimental/Security/CWE/CWE-295/JXBrowserWithoutCertValidation.java
rename to java/ql/src/experimental/Security/CWE/CWE-295/JxBrowserWithoutCertValidation.java
diff --git a/java/ql/src/experimental/Security/CWE/CWE-295/JXBrowserWithoutCertValidation.qhelp b/java/ql/src/experimental/Security/CWE/CWE-295/JxBrowserWithoutCertValidation.qhelp
similarity index 58%
rename from java/ql/src/experimental/Security/CWE/CWE-295/JXBrowserWithoutCertValidation.qhelp
rename to java/ql/src/experimental/Security/CWE/CWE-295/JxBrowserWithoutCertValidation.qhelp
index 1d9588652c2..27d10c15223 100644
--- a/java/ql/src/experimental/Security/CWE/CWE-295/JXBrowserWithoutCertValidation.qhelp
+++ b/java/ql/src/experimental/Security/CWE/CWE-295/JxBrowserWithoutCertValidation.qhelp
@@ -4,14 +4,14 @@
 <qhelp>
 
 <overview>
-<p>JXBrowser is a Java library that allows to embed the Chromium browser inside Java applications.
-The version 6.x.x by default ignores any HTTPS certificate errors thereby allowing man-in-the-middle attacks.
+<p>JxBrowser is a Java library that allows to embed the Chromium browser inside Java applications.
+Versions smaller than 6.24 by default ignore any HTTPS certificate errors thereby allowing man-in-the-middle attacks.
 </p>
 </overview>
 
 <recommendation>
 <p>Do either of these:
-<li>Update to version 7.x.x as it now correctly rejects certificate errors by default.</li>
+<li>Update to version 6.24 or 7.x.x as these correctly reject certificate errors by default.</li>
 <li>Add a custom implementation of the <code>LoadHandler</code> interface whose <code>onCertificateError</code> method always returns <b>true</b> indicating that loading should be cancelled.
 Then use the <code>setLoadHandler</code> method with your custom <code>LoadHandler</code> on every <code>Browser</code> you use.</li>
 </p>
@@ -20,12 +20,12 @@ Then use the <code>setLoadHandler</code> method with your custom <code>LoadHandl
 <example>
 <p>The following two examples show two ways of using a <code>Browser</code>. In the 'BAD' case,
 all certificate errors are ignored. In the 'GOOD' case, certificate errors are rejected.</p>
-<sample src="JXBrowserWithoutCertValidation.java" />
+<sample src="JxBrowserWithoutCertValidation.java" />
 </example>
 
 <references>
 <li>Teamdev:
-<a href="https://www.teamdev.com/downloads/jxbrowser/javadoc/com/teamdev/jxbrowser/chromium/LoadHandler.html#onCertificateError-com.teamdev.jxbrowser.chromium.CertificateErrorParams-">
-Javadoc for the LoadHandler#onCertificateError method</a>.</li>
+<a href="https://jxbrowser.support.teamdev.com/support/discussions/topics/9000051708">
+Changelog of JxBrowser 6.24</a>.</li>
 </references>
 </qhelp>
diff --git a/java/ql/src/experimental/Security/CWE/CWE-295/JXBrowserWithoutCertValidation.ql b/java/ql/src/experimental/Security/CWE/CWE-295/JxBrowserWithoutCertValidation.ql
similarity index 54%
rename from java/ql/src/experimental/Security/CWE/CWE-295/JXBrowserWithoutCertValidation.ql
rename to java/ql/src/experimental/Security/CWE/CWE-295/JxBrowserWithoutCertValidation.ql
index ab74c78d1e7..0de4290a44e 100644
--- a/java/ql/src/experimental/Security/CWE/CWE-295/JXBrowserWithoutCertValidation.ql
+++ b/java/ql/src/experimental/Security/CWE/CWE-295/JxBrowserWithoutCertValidation.ql
@@ -1,6 +1,6 @@
 /**
- * @name JXBrowser with disabled certificate validation
- * @description Insecure configuration of JXBrowser disables certificate validation making the app vulnerable to man-in-the-middle attacks.
+ * @name JxBrowser with disabled certificate validation
+ * @description Insecure configuration of JxBrowser disables certificate validation making the app vulnerable to man-in-the-middle attacks.
  * @kind problem
  * @id java/jxbrowser/disabled-certificate-validation
  * @tags security
@@ -12,33 +12,33 @@ import semmle.code.java.security.Encryption
 import semmle.code.java.dataflow.TaintTracking
 
 /*
- * This query is version specific to JXBrowser < 6.24. The version is indirectly detected.
+ * This query is version specific to JxBrowser < 6.24. The version is indirectly detected.
  * In version 6.x.x the `Browser` class is in a different package compared to version 7.x.x.
  */
 
 /**
- * Holds if a safe JXBrowser 6.x.x version is used, such as version 6.24.
+ * Holds if a safe JxBrowser 6.x.x version is used, such as version 6.24.
  * This is detected by the the presence of the `addBoundsListener` in the `Browser` class.
  */
-private predicate isSafeJXBrowserVersion() {
-  exists(Method m | m.getDeclaringType() instanceof JXBrowser | m.hasName("addBoundsListener"))
+private predicate isSafeJxBrowserVersion() {
+  exists(Method m | m.getDeclaringType() instanceof JxBrowser | m.hasName("addBoundsListener"))
 }
 
 /** The `com.teamdev.jxbrowser.chromium.Browser` class. */
-private class JXBrowser extends RefType {
-  JXBrowser() { this.hasQualifiedName("com.teamdev.jxbrowser.chromium", "Browser") }
+private class JxBrowser extends RefType {
+  JxBrowser() { this.hasQualifiedName("com.teamdev.jxbrowser.chromium", "Browser") }
 }
 
 /** The `setLoadHandler` method on the `com.teamdev.jxbrowser.chromium.Browser` class. */
-private class JXBrowserSetLoadHandler extends Method {
-  JXBrowserSetLoadHandler() {
-    this.hasName("setLoadHandler") and this.getDeclaringType() instanceof JXBrowser
+private class JxBrowserSetLoadHandler extends Method {
+  JxBrowserSetLoadHandler() {
+    this.hasName("setLoadHandler") and this.getDeclaringType() instanceof JxBrowser
   }
 }
 
 /** The `com.teamdev.jxbrowser.chromium.LoadHandler` interface. */
-private class JXBrowserLoadHandler extends RefType {
-  JXBrowserLoadHandler() { this.hasQualifiedName("com.teamdev.jxbrowser.chromium", "LoadHandler") }
+private class JxBrowserLoadHandler extends RefType {
+  JxBrowserLoadHandler() { this.hasQualifiedName("com.teamdev.jxbrowser.chromium", "LoadHandler") }
 }
 
 private predicate isOnCertificateErrorMethodSafe(Method m) {
@@ -48,35 +48,35 @@ private predicate isOnCertificateErrorMethodSafe(Method m) {
 }
 
 /** A class that securely implements the `com.teamdev.jxbrowser.chromium.LoadHandler` interface. */
-private class JXBrowserSafeLoadHandler extends RefType {
-  JXBrowserSafeLoadHandler() {
-    this.getASupertype() instanceof JXBrowserLoadHandler and
+private class JxBrowserSafeLoadHandler extends RefType {
+  JxBrowserSafeLoadHandler() {
+    this.getASupertype() instanceof JxBrowserLoadHandler and
     exists(Method m | m.hasName("onCertificateError") and m.getDeclaringType() = this |
       isOnCertificateErrorMethodSafe(m)
     )
   }
 }
 
-private class JXBrowserTaintTracking extends TaintTracking::Configuration {
-  JXBrowserTaintTracking() { this = "JXBrowserTaintTracking" }
+private class JxBrowserTaintTracking extends TaintTracking::Configuration {
+  JxBrowserTaintTracking() { this = "JxBrowserTaintTracking" }
 
   override predicate isSource(DataFlow::Node src) {
-    exists(ClassInstanceExpr newJXBrowser | newJXBrowser.getConstructedType() instanceof JXBrowser |
-      newJXBrowser = src.asExpr()
+    exists(ClassInstanceExpr newJxBrowser | newJxBrowser.getConstructedType() instanceof JxBrowser |
+      newJxBrowser = src.asExpr()
     )
   }
 
   override predicate isSink(DataFlow::Node sink) {
-    exists(MethodAccess ma | ma.getMethod() instanceof JXBrowserSetLoadHandler |
-      ma.getArgument(0).getType() instanceof JXBrowserSafeLoadHandler and
+    exists(MethodAccess ma | ma.getMethod() instanceof JxBrowserSetLoadHandler |
+      ma.getArgument(0).getType() instanceof JxBrowserSafeLoadHandler and
       ma.getQualifier() = sink.asExpr()
     )
   }
 }
 
-from JXBrowserTaintTracking cfg, DataFlow::Node src
+from JxBrowserTaintTracking cfg, DataFlow::Node src
 where
   cfg.isSource(src) and
   not cfg.hasFlow(src, _) and
-  not isSafeJXBrowserVersion()
-select src, "This JXBrowser instance allows man-in-the-middle attacks."
+  not isSafeJxBrowserVersion()
+select src, "This JxBrowser instance allows man-in-the-middle attacks."
diff --git a/java/ql/test/experimental/query-tests/security/CWE-295/JXBrowserWithoutCertValidation.expected b/java/ql/test/experimental/query-tests/security/CWE-295/JXBrowserWithoutCertValidation.expected
deleted file mode 100644
index 00d43d1e8b7..00000000000
--- a/java/ql/test/experimental/query-tests/security/CWE-295/JXBrowserWithoutCertValidation.expected
+++ /dev/null
@@ -1 +0,0 @@
-| JXBrowserWithoutCertValidation.java:17:27:17:39 | new Browser(...) | This JXBrowser instance allows man-in-the-middle attacks. |
diff --git a/java/ql/test/experimental/query-tests/security/CWE-295/JXBrowserWithoutCertValidation.qlref b/java/ql/test/experimental/query-tests/security/CWE-295/JXBrowserWithoutCertValidation.qlref
deleted file mode 100644
index ab2a3f14bb9..00000000000
--- a/java/ql/test/experimental/query-tests/security/CWE-295/JXBrowserWithoutCertValidation.qlref
+++ /dev/null
@@ -1 +0,0 @@
-experimental/Security/CWE/CWE-295/JXBrowserWithoutCertValidation.ql
diff --git a/java/ql/test/experimental/query-tests/security/CWE-295/JxBrowserWithoutCertValidation.expected b/java/ql/test/experimental/query-tests/security/CWE-295/JxBrowserWithoutCertValidation.expected
new file mode 100644
index 00000000000..121de8759ac
--- /dev/null
+++ b/java/ql/test/experimental/query-tests/security/CWE-295/JxBrowserWithoutCertValidation.expected
@@ -0,0 +1 @@
+| JxBrowserWithoutCertValidation.java:17:27:17:39 | new Browser(...) | This JxBrowser instance allows man-in-the-middle attacks. |
diff --git a/java/ql/test/experimental/query-tests/security/CWE-295/JXBrowserWithoutCertValidation.java b/java/ql/test/experimental/query-tests/security/CWE-295/JxBrowserWithoutCertValidation.java
similarity index 95%
rename from java/ql/test/experimental/query-tests/security/CWE-295/JXBrowserWithoutCertValidation.java
rename to java/ql/test/experimental/query-tests/security/CWE-295/JxBrowserWithoutCertValidation.java
index 97fc8e8770f..b7e2710842f 100644
--- a/java/ql/test/experimental/query-tests/security/CWE-295/JXBrowserWithoutCertValidation.java
+++ b/java/ql/test/experimental/query-tests/security/CWE-295/JxBrowserWithoutCertValidation.java
@@ -3,7 +3,7 @@ import com.teamdev.jxbrowser.chromium.LoadHandler;
 import com.teamdev.jxbrowser.chromium.LoadParams;
 import com.teamdev.jxbrowser.chromium.CertificateErrorParams;
 
-public class JXBrowserWithoutCertValidation {
+public class JxBrowserWithoutCertValidation {
 
     public static void main(String[] args) {
 
diff --git a/java/ql/test/experimental/query-tests/security/CWE-295/JxBrowserWithoutCertValidation.qlref b/java/ql/test/experimental/query-tests/security/CWE-295/JxBrowserWithoutCertValidation.qlref
new file mode 100644
index 00000000000..cab6f2a4962
--- /dev/null
+++ b/java/ql/test/experimental/query-tests/security/CWE-295/JxBrowserWithoutCertValidation.qlref
@@ -0,0 +1 @@
+experimental/Security/CWE/CWE-295/JxBrowserWithoutCertValidation.ql

From babe744a3011a4f7e2216ff5bd95bed241dd4984 Mon Sep 17 00:00:00 2001
From: luchua-bc <shengxin.canada@gmail.com>
Date: Wed, 13 Jan 2021 03:49:08 +0000
Subject: [PATCH 008/429] Add SECURITY_PROTOCOL check

---
 .../Security/CWE/CWE-522/InsecureLdapAuth.ql  | 30 +++++++++++++++----
 .../CWE-522/InsecureLdapAuth.expected         | 14 ++++-----
 .../security/CWE-522/InsecureLdapAuth.java    | 15 ++++++++++
 3 files changed, 46 insertions(+), 13 deletions(-)

diff --git a/java/ql/src/experimental/Security/CWE/CWE-522/InsecureLdapAuth.ql b/java/ql/src/experimental/Security/CWE/CWE-522/InsecureLdapAuth.ql
index 37b3057fb2f..1cebfe8bad3 100644
--- a/java/ql/src/experimental/Security/CWE/CWE-522/InsecureLdapAuth.ql
+++ b/java/ql/src/experimental/Security/CWE/CWE-522/InsecureLdapAuth.ql
@@ -89,22 +89,36 @@ predicate isProviderUrlSetter(MethodAccess ma) {
 }
 
 /**
- * Holds if `ma` sets `java.naming.security.authentication` (also known as `Context.SECURITY_AUTHENTICATION`) to `simple` in some `Hashtable`.
+ * Holds if `ma` sets `fieldValue` with attribute name `fieldName` to `envValue` in some `Hashtable`.
  */
-predicate isSimpleAuthEnv(MethodAccess ma) {
+bindingset[fieldName, fieldValue, envValue]
+predicate hasEnvWithValue(MethodAccess ma, string fieldName, string fieldValue, string envValue) {
   ma.getMethod().getDeclaringType().getAnAncestor() instanceof TypeHashtable and
   (ma.getMethod().hasName("put") or ma.getMethod().hasName("setProperty")) and
   (
-    ma.getArgument(0).(CompileTimeConstantExpr).getStringValue() =
-      "java.naming.security.authentication"
+    ma.getArgument(0).(CompileTimeConstantExpr).getStringValue() = fieldValue
     or
     exists(Field f |
       ma.getArgument(0) = f.getAnAccess() and
-      f.hasName("SECURITY_AUTHENTICATION") and
+      f.hasName(fieldName) and
       f.getDeclaringType() instanceof TypeNamingContext
     )
   ) and
-  ma.getArgument(1).(CompileTimeConstantExpr).getStringValue() = "simple"
+  ma.getArgument(1).(CompileTimeConstantExpr).getStringValue() = envValue
+}
+
+/**
+ * Holds if `ma` sets `java.naming.security.authentication` (also known as `Context.SECURITY_AUTHENTICATION`) to `simple` in some `Hashtable`.
+ */
+predicate isSimpleAuthEnv(MethodAccess ma) {
+  hasEnvWithValue(ma, "SECURITY_AUTHENTICATION", "java.naming.security.authentication", "simple")
+}
+
+/**
+ * Holds if `ma` sets `java.naming.security.protocol` (also known as `Context.SECURITY_PROTOCOL`) to `ssl` in some `Hashtable`.
+ */
+predicate isSSLEnv(MethodAccess ma) {
+  hasEnvWithValue(ma, "SECURITY_PROTOCOL", "java.naming.security.protocol", "ssl")
 }
 
 /**
@@ -124,6 +138,10 @@ class LdapAuthFlowConfig extends TaintTracking::Configuration {
       exists(MethodAccess sma |
         sma.getQualifier() = pma.getQualifier().(VarAccess).getVariable().getAnAccess() and
         isSimpleAuthEnv(sma)
+      ) and
+      not exists(MethodAccess sma |
+        sma.getQualifier() = pma.getQualifier().(VarAccess).getVariable().getAnAccess() and
+        isSSLEnv(sma)
       )
     )
   }
diff --git a/java/ql/test/experimental/query-tests/security/CWE-522/InsecureLdapAuth.expected b/java/ql/test/experimental/query-tests/security/CWE-522/InsecureLdapAuth.expected
index c34c8966e0d..745fd9c1b75 100644
--- a/java/ql/test/experimental/query-tests/security/CWE-522/InsecureLdapAuth.expected
+++ b/java/ql/test/experimental/query-tests/security/CWE-522/InsecureLdapAuth.expected
@@ -1,19 +1,19 @@
 edges
 | InsecureLdapAuth.java:11:20:11:50 | "ldap://ad.your-server.com:389" : String | InsecureLdapAuth.java:15:41:15:47 | ldapUrl |
 | InsecureLdapAuth.java:25:20:25:39 | ... + ... : String | InsecureLdapAuth.java:29:41:29:47 | ldapUrl |
-| InsecureLdapAuth.java:81:20:81:50 | "ldap://ad.your-server.com:389" : String | InsecureLdapAuth.java:85:41:85:47 | ldapUrl |
-| InsecureLdapAuth.java:96:20:96:50 | "ldap://ad.your-server.com:389" : String | InsecureLdapAuth.java:100:47:100:53 | ldapUrl |
+| InsecureLdapAuth.java:96:20:96:50 | "ldap://ad.your-server.com:389" : String | InsecureLdapAuth.java:100:41:100:47 | ldapUrl |
+| InsecureLdapAuth.java:111:20:111:50 | "ldap://ad.your-server.com:389" : String | InsecureLdapAuth.java:115:47:115:53 | ldapUrl |
 nodes
 | InsecureLdapAuth.java:11:20:11:50 | "ldap://ad.your-server.com:389" : String | semmle.label | "ldap://ad.your-server.com:389" : String |
 | InsecureLdapAuth.java:15:41:15:47 | ldapUrl | semmle.label | ldapUrl |
 | InsecureLdapAuth.java:25:20:25:39 | ... + ... : String | semmle.label | ... + ... : String |
 | InsecureLdapAuth.java:29:41:29:47 | ldapUrl | semmle.label | ldapUrl |
-| InsecureLdapAuth.java:81:20:81:50 | "ldap://ad.your-server.com:389" : String | semmle.label | "ldap://ad.your-server.com:389" : String |
-| InsecureLdapAuth.java:85:41:85:47 | ldapUrl | semmle.label | ldapUrl |
 | InsecureLdapAuth.java:96:20:96:50 | "ldap://ad.your-server.com:389" : String | semmle.label | "ldap://ad.your-server.com:389" : String |
-| InsecureLdapAuth.java:100:47:100:53 | ldapUrl | semmle.label | ldapUrl |
+| InsecureLdapAuth.java:100:41:100:47 | ldapUrl | semmle.label | ldapUrl |
+| InsecureLdapAuth.java:111:20:111:50 | "ldap://ad.your-server.com:389" : String | semmle.label | "ldap://ad.your-server.com:389" : String |
+| InsecureLdapAuth.java:115:47:115:53 | ldapUrl | semmle.label | ldapUrl |
 #select
 | InsecureLdapAuth.java:15:41:15:47 | ldapUrl | InsecureLdapAuth.java:11:20:11:50 | "ldap://ad.your-server.com:389" : String | InsecureLdapAuth.java:15:41:15:47 | ldapUrl | Insecure LDAP authentication from $@. | InsecureLdapAuth.java:11:20:11:50 | "ldap://ad.your-server.com:389" | LDAP connection string |
 | InsecureLdapAuth.java:29:41:29:47 | ldapUrl | InsecureLdapAuth.java:25:20:25:39 | ... + ... : String | InsecureLdapAuth.java:29:41:29:47 | ldapUrl | Insecure LDAP authentication from $@. | InsecureLdapAuth.java:25:20:25:39 | ... + ... | LDAP connection string |
-| InsecureLdapAuth.java:85:41:85:47 | ldapUrl | InsecureLdapAuth.java:81:20:81:50 | "ldap://ad.your-server.com:389" : String | InsecureLdapAuth.java:85:41:85:47 | ldapUrl | Insecure LDAP authentication from $@. | InsecureLdapAuth.java:81:20:81:50 | "ldap://ad.your-server.com:389" | LDAP connection string |
-| InsecureLdapAuth.java:100:47:100:53 | ldapUrl | InsecureLdapAuth.java:96:20:96:50 | "ldap://ad.your-server.com:389" : String | InsecureLdapAuth.java:100:47:100:53 | ldapUrl | Insecure LDAP authentication from $@. | InsecureLdapAuth.java:96:20:96:50 | "ldap://ad.your-server.com:389" | LDAP connection string |
+| InsecureLdapAuth.java:100:41:100:47 | ldapUrl | InsecureLdapAuth.java:96:20:96:50 | "ldap://ad.your-server.com:389" : String | InsecureLdapAuth.java:100:41:100:47 | ldapUrl | Insecure LDAP authentication from $@. | InsecureLdapAuth.java:96:20:96:50 | "ldap://ad.your-server.com:389" | LDAP connection string |
+| InsecureLdapAuth.java:115:47:115:53 | ldapUrl | InsecureLdapAuth.java:111:20:111:50 | "ldap://ad.your-server.com:389" : String | InsecureLdapAuth.java:115:47:115:53 | ldapUrl | Insecure LDAP authentication from $@. | InsecureLdapAuth.java:111:20:111:50 | "ldap://ad.your-server.com:389" | LDAP connection string |
diff --git a/java/ql/test/experimental/query-tests/security/CWE-522/InsecureLdapAuth.java b/java/ql/test/experimental/query-tests/security/CWE-522/InsecureLdapAuth.java
index cc16047ebf2..4052557d8b0 100644
--- a/java/ql/test/experimental/query-tests/security/CWE-522/InsecureLdapAuth.java
+++ b/java/ql/test/experimental/query-tests/security/CWE-522/InsecureLdapAuth.java
@@ -48,6 +48,21 @@ public class InsecureLdapAuth {
 		DirContext dirContext = new InitialDirContext(environment);
 	}
 
+	// GOOD - Test LDAP authentication over SSL.
+	public void testSslLdapAuth2(String ldapUserName, String password) {
+		String ldapUrl = "ldap://ad.your-server.com:636";
+		Hashtable<String, String> environment = new Hashtable<String, String>();
+		environment.put(Context.INITIAL_CONTEXT_FACTORY,
+			"com.sun.jndi.ldap.LdapCtxFactory");
+		environment.put(Context.PROVIDER_URL, ldapUrl);
+		environment.put(Context.REFERRAL, "follow");
+		environment.put(Context.SECURITY_AUTHENTICATION, "simple");
+		environment.put(Context.SECURITY_PRINCIPAL, ldapUserName);
+		environment.put(Context.SECURITY_CREDENTIALS, password);
+		environment.put(Context.SECURITY_PROTOCOL, "ssl");
+		DirContext dirContext = new InitialDirContext(environment);
+	}
+
 	// GOOD - Test LDAP authentication with SASL authentication.
 	public void testSaslLdapAuth(String ldapUserName, String password) {
 		String ldapUrl = "ldap://ad.your-server.com:389";

From f3b8fe2e2ed760301bbf417e94d2738f2d0d5b06 Mon Sep 17 00:00:00 2001
From: Anders Schack-Mulligen <aschackmull@github.com>
Date: Wed, 13 Jan 2021 13:42:35 +0100
Subject: [PATCH 009/429] Java: Add Member.hasQualifiedName.

---
 java/ql/src/semmle/code/java/Member.qll | 8 ++++++++
 1 file changed, 8 insertions(+)

diff --git a/java/ql/src/semmle/code/java/Member.qll b/java/ql/src/semmle/code/java/Member.qll
index e9d4fe82978..a0e988bd386 100755
--- a/java/ql/src/semmle/code/java/Member.qll
+++ b/java/ql/src/semmle/code/java/Member.qll
@@ -23,6 +23,14 @@ class Member extends Element, Annotatable, Modifiable, @member {
   /** Gets the qualified name of this member. */
   string getQualifiedName() { result = getDeclaringType().getName() + "." + getName() }
 
+  /**
+   * Holds if this member has the specified name and is declared in the
+   * specified package and type.
+   */
+  predicate hasQualifiedName(string package, string type, string name) {
+    this.getDeclaringType().hasQualifiedName(package, type) and this.hasName(name)
+  }
+
   /** Holds if this member is package protected, that is, neither public nor private nor protected. */
   predicate isPackageProtected() {
     not isPrivate() and

From b8076481bf353caf6b3a68348144114ebb1d96d7 Mon Sep 17 00:00:00 2001
From: intrigus-lgtm <60750685+intrigus-lgtm@users.noreply.github.com>
Date: Wed, 13 Jan 2021 20:32:23 +0100
Subject: [PATCH 010/429] Java: Suggestions from Review

---
 .../Security/CWE/CWE-295/JxBrowserWithoutCertValidation.ql      | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)

diff --git a/java/ql/src/experimental/Security/CWE/CWE-295/JxBrowserWithoutCertValidation.ql b/java/ql/src/experimental/Security/CWE/CWE-295/JxBrowserWithoutCertValidation.ql
index 0de4290a44e..6aee64ed010 100644
--- a/java/ql/src/experimental/Security/CWE/CWE-295/JxBrowserWithoutCertValidation.ql
+++ b/java/ql/src/experimental/Security/CWE/CWE-295/JxBrowserWithoutCertValidation.ql
@@ -79,4 +79,4 @@ where
   cfg.isSource(src) and
   not cfg.hasFlow(src, _) and
   not isSafeJxBrowserVersion()
-select src, "This JxBrowser instance allows man-in-the-middle attacks."
+select src, "This JxBrowser instance may not check HTTPS certificates."

From e5a703e49c3fe53aeda8e6ecb9d3766df7683124 Mon Sep 17 00:00:00 2001
From: luchua-bc <shengxin.canada@gmail.com>
Date: Fri, 15 Jan 2021 04:05:11 +0000
Subject: [PATCH 011/429] Revamp the query

---
 .../Security/CWE/CWE-522/InsecureLdapAuth.ql  | 109 +++++++++++++++---
 .../CWE-522/InsecureLdapAuth.expected         |  79 +++++++++++--
 .../security/CWE-522/InsecureLdapAuth.java    |  33 ++++++
 3 files changed, 190 insertions(+), 31 deletions(-)

diff --git a/java/ql/src/experimental/Security/CWE/CWE-522/InsecureLdapAuth.ql b/java/ql/src/experimental/Security/CWE/CWE-522/InsecureLdapAuth.ql
index 1cebfe8bad3..1a38f74092b 100644
--- a/java/ql/src/experimental/Security/CWE/CWE-522/InsecureLdapAuth.ql
+++ b/java/ql/src/experimental/Security/CWE/CWE-522/InsecureLdapAuth.ql
@@ -110,7 +110,7 @@ predicate hasEnvWithValue(MethodAccess ma, string fieldName, string fieldValue,
 /**
  * Holds if `ma` sets `java.naming.security.authentication` (also known as `Context.SECURITY_AUTHENTICATION`) to `simple` in some `Hashtable`.
  */
-predicate isSimpleAuthEnv(MethodAccess ma) {
+predicate isBasicAuthEnv(MethodAccess ma) {
   hasEnvWithValue(ma, "SECURITY_AUTHENTICATION", "java.naming.security.authentication", "simple")
 }
 
@@ -122,32 +122,103 @@ predicate isSSLEnv(MethodAccess ma) {
 }
 
 /**
- * A taint-tracking configuration for cleartext credentials in LDAP authentication.
+ * A taint-tracking configuration for `ldap://` URL in LDAP authentication.
  */
-class LdapAuthFlowConfig extends TaintTracking::Configuration {
-  LdapAuthFlowConfig() { this = "InsecureLdapAuth:LdapAuthFlowConfig" }
+class InsecureUrlFlowConfig extends TaintTracking::Configuration {
+  InsecureUrlFlowConfig() { this = "InsecureLdapAuth:InsecureUrlFlowConfig" }
 
-  /** Source of non-private LDAP connection string */
+  /** Source of `ldap://` connection string. */
   override predicate isSource(DataFlow::Node src) { src.asExpr() instanceof InsecureLdapUrl }
 
-  /** Sink of provider URL with simple authentication */
+  /** Sink of directory context creation. */
   override predicate isSink(DataFlow::Node sink) {
-    exists(MethodAccess pma |
-      sink.asExpr() = pma.getArgument(1) and
-      isProviderUrlSetter(pma) and
-      exists(MethodAccess sma |
-        sma.getQualifier() = pma.getQualifier().(VarAccess).getVariable().getAnAccess() and
-        isSimpleAuthEnv(sma)
-      ) and
-      not exists(MethodAccess sma |
-        sma.getQualifier() = pma.getQualifier().(VarAccess).getVariable().getAnAccess() and
-        isSSLEnv(sma)
-      )
+    exists(ConstructorCall cc |
+      cc.getConstructedType().getASupertype*() instanceof TypeDirContext and
+      sink.asExpr() = cc.getArgument(0)
+    )
+  }
+
+  /** Method call of `env.put()`. */
+  override predicate isAdditionalTaintStep(DataFlow::Node pred, DataFlow::Node succ) {
+    exists(MethodAccess ma |
+      pred.asExpr() = ma.getArgument(1) and
+      isProviderUrlSetter(ma) and
+      succ.asExpr() = ma.getQualifier()
     )
   }
 }
 
-from DataFlow::PathNode source, DataFlow::PathNode sink, LdapAuthFlowConfig config
-where config.hasFlowPath(source, sink)
+/**
+ * A taint-tracking configuration for `simple` basic-authentication in LDAP configuration.
+ */
+class BasicAuthFlowConfig extends TaintTracking::Configuration {
+  BasicAuthFlowConfig() { this = "InsecureLdapAuth:BasicAuthFlowConfig" }
+
+  /** Source of `simple` configuration. */
+  override predicate isSource(DataFlow::Node src) {
+    src.asExpr().(CompileTimeConstantExpr).getStringValue() = "simple"
+  }
+
+  /** Sink of directory context creation. */
+  override predicate isSink(DataFlow::Node sink) {
+    exists(ConstructorCall cc |
+      cc.getConstructedType().getASupertype*() instanceof TypeDirContext and
+      sink.asExpr() = cc.getArgument(0)
+    )
+  }
+
+  /** Method call of `env.put()`. */
+  override predicate isAdditionalTaintStep(DataFlow::Node pred, DataFlow::Node succ) {
+    exists(MethodAccess ma |
+      pred.asExpr() = ma.getArgument(1) and
+      isBasicAuthEnv(ma) and
+      succ.asExpr() = ma.getQualifier()
+    )
+  }
+}
+
+/**
+ * A taint-tracking configuration for `ssl` configuration in LDAP authentication.
+ */
+class SSLFlowConfig extends TaintTracking::Configuration {
+  SSLFlowConfig() { this = "InsecureLdapAuth:SSLFlowConfig" }
+
+  /** Source of `ssl` configuration. */
+  override predicate isSource(DataFlow::Node src) {
+    src.asExpr().(CompileTimeConstantExpr).getStringValue() = "ssl"
+  }
+
+  /** Sink of directory context creation. */
+  override predicate isSink(DataFlow::Node sink) {
+    exists(ConstructorCall cc |
+      cc.getConstructedType().getASupertype*() instanceof TypeDirContext and
+      sink.asExpr() = cc.getArgument(0)
+    )
+  }
+
+  /** Method call of `env.put()`. */
+  override predicate isAdditionalTaintStep(DataFlow::Node pred, DataFlow::Node succ) {
+    exists(MethodAccess ma |
+      pred.asExpr() = ma.getArgument(1) and
+      isSSLEnv(ma) and
+      succ.asExpr() = ma.getQualifier()
+    )
+  }
+}
+
+from DataFlow::PathNode source, DataFlow::PathNode sink, InsecureUrlFlowConfig config, VarAccess va
+where
+  config.hasFlowPath(source, sink) and
+  sink.getNode().asExpr() = va and
+  exists(BasicAuthFlowConfig bc, DataFlow::PathNode source2, DataFlow::PathNode sink2 |
+    bc.hasFlowPath(source2, sink2) and
+    source2.getNode().asExpr().(CompileTimeConstantExpr).getStringValue() = "simple" and
+    sink2.getNode().asExpr() = va
+  ) and
+  not exists(SSLFlowConfig sc, DataFlow::PathNode source3, DataFlow::PathNode sink3 |
+    sc.hasFlowPath(source3, sink3) and
+    source3.getNode().asExpr().(CompileTimeConstantExpr).getStringValue() = "ssl" and
+    sink3.getNode().asExpr() = va.getVariable().getAnAccess()
+  )
 select sink.getNode(), source, sink, "Insecure LDAP authentication from $@.", source.getNode(),
   "LDAP connection string"
diff --git a/java/ql/test/experimental/query-tests/security/CWE-522/InsecureLdapAuth.expected b/java/ql/test/experimental/query-tests/security/CWE-522/InsecureLdapAuth.expected
index 745fd9c1b75..1af36e67d05 100644
--- a/java/ql/test/experimental/query-tests/security/CWE-522/InsecureLdapAuth.expected
+++ b/java/ql/test/experimental/query-tests/security/CWE-522/InsecureLdapAuth.expected
@@ -1,19 +1,74 @@
 edges
-| InsecureLdapAuth.java:11:20:11:50 | "ldap://ad.your-server.com:389" : String | InsecureLdapAuth.java:15:41:15:47 | ldapUrl |
-| InsecureLdapAuth.java:25:20:25:39 | ... + ... : String | InsecureLdapAuth.java:29:41:29:47 | ldapUrl |
-| InsecureLdapAuth.java:96:20:96:50 | "ldap://ad.your-server.com:389" : String | InsecureLdapAuth.java:100:41:100:47 | ldapUrl |
-| InsecureLdapAuth.java:111:20:111:50 | "ldap://ad.your-server.com:389" : String | InsecureLdapAuth.java:115:47:115:53 | ldapUrl |
+| InsecureLdapAuth.java:11:20:11:50 | "ldap://ad.your-server.com:389" : String | InsecureLdapAuth.java:20:49:20:59 | environment |
+| InsecureLdapAuth.java:17:52:17:59 | "simple" : String | InsecureLdapAuth.java:20:49:20:59 | environment |
+| InsecureLdapAuth.java:25:20:25:39 | ... + ... : String | InsecureLdapAuth.java:34:49:34:59 | environment |
+| InsecureLdapAuth.java:31:52:31:59 | "simple" : String | InsecureLdapAuth.java:34:49:34:59 | environment |
+| InsecureLdapAuth.java:45:52:45:59 | "simple" : String | InsecureLdapAuth.java:48:49:48:59 | environment |
+| InsecureLdapAuth.java:53:20:53:50 | "ldap://ad.your-server.com:636" : String | InsecureLdapAuth.java:63:49:63:59 | environment |
+| InsecureLdapAuth.java:59:52:59:59 | "simple" : String | InsecureLdapAuth.java:63:49:63:59 | environment |
+| InsecureLdapAuth.java:62:46:62:50 | "ssl" : String | InsecureLdapAuth.java:63:49:63:59 | environment |
+| InsecureLdapAuth.java:68:20:68:50 | "ldap://ad.your-server.com:389" : String | InsecureLdapAuth.java:77:49:77:59 | environment |
+| InsecureLdapAuth.java:88:52:88:59 | "simple" : String | InsecureLdapAuth.java:91:49:91:59 | environment |
+| InsecureLdapAuth.java:96:20:96:50 | "ldap://ad.your-server.com:389" : String | InsecureLdapAuth.java:105:59:105:69 | environment |
+| InsecureLdapAuth.java:102:52:102:59 | "simple" : String | InsecureLdapAuth.java:105:59:105:69 | environment |
+| InsecureLdapAuth.java:111:20:111:50 | "ldap://ad.your-server.com:389" : String | InsecureLdapAuth.java:120:49:120:59 | environment |
+| InsecureLdapAuth.java:117:58:117:65 | "simple" : String | InsecureLdapAuth.java:120:49:120:59 | environment |
+| InsecureLdapAuth.java:124:3:124:5 | env [post update] : Hashtable | InsecureLdapAuth.java:137:10:137:20 | environment [post update] : Hashtable |
+| InsecureLdapAuth.java:124:38:124:42 | "ssl" : String | InsecureLdapAuth.java:124:3:124:5 | env [post update] : Hashtable |
+| InsecureLdapAuth.java:128:3:128:5 | env [post update] : Hashtable | InsecureLdapAuth.java:141:16:141:26 | environment [post update] : Hashtable |
+| InsecureLdapAuth.java:128:3:128:5 | env [post update] : Hashtable | InsecureLdapAuth.java:152:16:152:26 | environment [post update] : Hashtable |
+| InsecureLdapAuth.java:128:44:128:51 | "simple" : String | InsecureLdapAuth.java:128:3:128:5 | env [post update] : Hashtable |
+| InsecureLdapAuth.java:135:20:135:39 | ... + ... : String | InsecureLdapAuth.java:142:50:142:60 | environment |
+| InsecureLdapAuth.java:137:10:137:20 | environment [post update] : Hashtable | InsecureLdapAuth.java:142:50:142:60 | environment |
+| InsecureLdapAuth.java:141:16:141:26 | environment [post update] : Hashtable | InsecureLdapAuth.java:142:50:142:60 | environment |
+| InsecureLdapAuth.java:147:20:147:39 | ... + ... : String | InsecureLdapAuth.java:153:50:153:60 | environment |
+| InsecureLdapAuth.java:152:16:152:26 | environment [post update] : Hashtable | InsecureLdapAuth.java:153:50:153:60 | environment |
 nodes
 | InsecureLdapAuth.java:11:20:11:50 | "ldap://ad.your-server.com:389" : String | semmle.label | "ldap://ad.your-server.com:389" : String |
-| InsecureLdapAuth.java:15:41:15:47 | ldapUrl | semmle.label | ldapUrl |
+| InsecureLdapAuth.java:17:52:17:59 | "simple" : String | semmle.label | "simple" : String |
+| InsecureLdapAuth.java:20:49:20:59 | environment | semmle.label | environment |
+| InsecureLdapAuth.java:20:49:20:59 | environment | semmle.label | environment |
 | InsecureLdapAuth.java:25:20:25:39 | ... + ... : String | semmle.label | ... + ... : String |
-| InsecureLdapAuth.java:29:41:29:47 | ldapUrl | semmle.label | ldapUrl |
+| InsecureLdapAuth.java:31:52:31:59 | "simple" : String | semmle.label | "simple" : String |
+| InsecureLdapAuth.java:34:49:34:59 | environment | semmle.label | environment |
+| InsecureLdapAuth.java:34:49:34:59 | environment | semmle.label | environment |
+| InsecureLdapAuth.java:45:52:45:59 | "simple" : String | semmle.label | "simple" : String |
+| InsecureLdapAuth.java:48:49:48:59 | environment | semmle.label | environment |
+| InsecureLdapAuth.java:53:20:53:50 | "ldap://ad.your-server.com:636" : String | semmle.label | "ldap://ad.your-server.com:636" : String |
+| InsecureLdapAuth.java:59:52:59:59 | "simple" : String | semmle.label | "simple" : String |
+| InsecureLdapAuth.java:62:46:62:50 | "ssl" : String | semmle.label | "ssl" : String |
+| InsecureLdapAuth.java:63:49:63:59 | environment | semmle.label | environment |
+| InsecureLdapAuth.java:63:49:63:59 | environment | semmle.label | environment |
+| InsecureLdapAuth.java:63:49:63:59 | environment | semmle.label | environment |
+| InsecureLdapAuth.java:68:20:68:50 | "ldap://ad.your-server.com:389" : String | semmle.label | "ldap://ad.your-server.com:389" : String |
+| InsecureLdapAuth.java:77:49:77:59 | environment | semmle.label | environment |
+| InsecureLdapAuth.java:88:52:88:59 | "simple" : String | semmle.label | "simple" : String |
+| InsecureLdapAuth.java:91:49:91:59 | environment | semmle.label | environment |
 | InsecureLdapAuth.java:96:20:96:50 | "ldap://ad.your-server.com:389" : String | semmle.label | "ldap://ad.your-server.com:389" : String |
-| InsecureLdapAuth.java:100:41:100:47 | ldapUrl | semmle.label | ldapUrl |
+| InsecureLdapAuth.java:102:52:102:59 | "simple" : String | semmle.label | "simple" : String |
+| InsecureLdapAuth.java:105:59:105:69 | environment | semmle.label | environment |
+| InsecureLdapAuth.java:105:59:105:69 | environment | semmle.label | environment |
 | InsecureLdapAuth.java:111:20:111:50 | "ldap://ad.your-server.com:389" : String | semmle.label | "ldap://ad.your-server.com:389" : String |
-| InsecureLdapAuth.java:115:47:115:53 | ldapUrl | semmle.label | ldapUrl |
+| InsecureLdapAuth.java:117:58:117:65 | "simple" : String | semmle.label | "simple" : String |
+| InsecureLdapAuth.java:120:49:120:59 | environment | semmle.label | environment |
+| InsecureLdapAuth.java:120:49:120:59 | environment | semmle.label | environment |
+| InsecureLdapAuth.java:124:3:124:5 | env [post update] : Hashtable | semmle.label | env [post update] : Hashtable |
+| InsecureLdapAuth.java:124:38:124:42 | "ssl" : String | semmle.label | "ssl" : String |
+| InsecureLdapAuth.java:128:3:128:5 | env [post update] : Hashtable | semmle.label | env [post update] : Hashtable |
+| InsecureLdapAuth.java:128:44:128:51 | "simple" : String | semmle.label | "simple" : String |
+| InsecureLdapAuth.java:135:20:135:39 | ... + ... : String | semmle.label | ... + ... : String |
+| InsecureLdapAuth.java:137:10:137:20 | environment [post update] : Hashtable | semmle.label | environment [post update] : Hashtable |
+| InsecureLdapAuth.java:141:16:141:26 | environment [post update] : Hashtable | semmle.label | environment [post update] : Hashtable |
+| InsecureLdapAuth.java:142:50:142:60 | environment | semmle.label | environment |
+| InsecureLdapAuth.java:142:50:142:60 | environment | semmle.label | environment |
+| InsecureLdapAuth.java:142:50:142:60 | environment | semmle.label | environment |
+| InsecureLdapAuth.java:147:20:147:39 | ... + ... : String | semmle.label | ... + ... : String |
+| InsecureLdapAuth.java:152:16:152:26 | environment [post update] : Hashtable | semmle.label | environment [post update] : Hashtable |
+| InsecureLdapAuth.java:153:50:153:60 | environment | semmle.label | environment |
+| InsecureLdapAuth.java:153:50:153:60 | environment | semmle.label | environment |
 #select
-| InsecureLdapAuth.java:15:41:15:47 | ldapUrl | InsecureLdapAuth.java:11:20:11:50 | "ldap://ad.your-server.com:389" : String | InsecureLdapAuth.java:15:41:15:47 | ldapUrl | Insecure LDAP authentication from $@. | InsecureLdapAuth.java:11:20:11:50 | "ldap://ad.your-server.com:389" | LDAP connection string |
-| InsecureLdapAuth.java:29:41:29:47 | ldapUrl | InsecureLdapAuth.java:25:20:25:39 | ... + ... : String | InsecureLdapAuth.java:29:41:29:47 | ldapUrl | Insecure LDAP authentication from $@. | InsecureLdapAuth.java:25:20:25:39 | ... + ... | LDAP connection string |
-| InsecureLdapAuth.java:100:41:100:47 | ldapUrl | InsecureLdapAuth.java:96:20:96:50 | "ldap://ad.your-server.com:389" : String | InsecureLdapAuth.java:100:41:100:47 | ldapUrl | Insecure LDAP authentication from $@. | InsecureLdapAuth.java:96:20:96:50 | "ldap://ad.your-server.com:389" | LDAP connection string |
-| InsecureLdapAuth.java:115:47:115:53 | ldapUrl | InsecureLdapAuth.java:111:20:111:50 | "ldap://ad.your-server.com:389" : String | InsecureLdapAuth.java:115:47:115:53 | ldapUrl | Insecure LDAP authentication from $@. | InsecureLdapAuth.java:111:20:111:50 | "ldap://ad.your-server.com:389" | LDAP connection string |
+| InsecureLdapAuth.java:20:49:20:59 | environment | InsecureLdapAuth.java:11:20:11:50 | "ldap://ad.your-server.com:389" : String | InsecureLdapAuth.java:20:49:20:59 | environment | Insecure LDAP authentication from $@. | InsecureLdapAuth.java:11:20:11:50 | "ldap://ad.your-server.com:389" | LDAP connection string |
+| InsecureLdapAuth.java:34:49:34:59 | environment | InsecureLdapAuth.java:25:20:25:39 | ... + ... : String | InsecureLdapAuth.java:34:49:34:59 | environment | Insecure LDAP authentication from $@. | InsecureLdapAuth.java:25:20:25:39 | ... + ... | LDAP connection string |
+| InsecureLdapAuth.java:105:59:105:69 | environment | InsecureLdapAuth.java:96:20:96:50 | "ldap://ad.your-server.com:389" : String | InsecureLdapAuth.java:105:59:105:69 | environment | Insecure LDAP authentication from $@. | InsecureLdapAuth.java:96:20:96:50 | "ldap://ad.your-server.com:389" | LDAP connection string |
+| InsecureLdapAuth.java:120:49:120:59 | environment | InsecureLdapAuth.java:111:20:111:50 | "ldap://ad.your-server.com:389" : String | InsecureLdapAuth.java:120:49:120:59 | environment | Insecure LDAP authentication from $@. | InsecureLdapAuth.java:111:20:111:50 | "ldap://ad.your-server.com:389" | LDAP connection string |
+| InsecureLdapAuth.java:153:50:153:60 | environment | InsecureLdapAuth.java:147:20:147:39 | ... + ... : String | InsecureLdapAuth.java:153:50:153:60 | environment | Insecure LDAP authentication from $@. | InsecureLdapAuth.java:147:20:147:39 | ... + ... | LDAP connection string |
diff --git a/java/ql/test/experimental/query-tests/security/CWE-522/InsecureLdapAuth.java b/java/ql/test/experimental/query-tests/security/CWE-522/InsecureLdapAuth.java
index 4052557d8b0..14142d31b21 100644
--- a/java/ql/test/experimental/query-tests/security/CWE-522/InsecureLdapAuth.java
+++ b/java/ql/test/experimental/query-tests/security/CWE-522/InsecureLdapAuth.java
@@ -119,4 +119,37 @@ public class InsecureLdapAuth {
 		environment.put("java.naming.security.credentials", password);
 		DirContext dirContext = new InitialDirContext(environment);
 	}
+
+	private void setSSL(Hashtable env) {
+		env.put(Context.SECURITY_PROTOCOL, "ssl");
+	}
+
+	private void setBasicAuth(Hashtable env, String ldapUserName, String password) {
+		env.put(Context.SECURITY_AUTHENTICATION, "simple");
+		env.put(Context.SECURITY_PRINCIPAL, ldapUserName);
+		env.put(Context.SECURITY_CREDENTIALS, password);
+	}
+
+	// GOOD - Test LDAP authentication with `ssl` configuration and basic authentication.
+	public void testCleartextLdapAuth5(String ldapUserName, String password, String serverName) {
+		String ldapUrl = "ldap://"+serverName+":389";
+		Hashtable<String, String> environment = new Hashtable<String, String>();
+		setSSL(environment);
+		environment.put(Context.INITIAL_CONTEXT_FACTORY,
+			"com.sun.jndi.ldap.LdapCtxFactory");
+		environment.put(Context.PROVIDER_URL, ldapUrl);
+		setBasicAuth(environment, ldapUserName, password);
+		DirContext dirContext = new InitialLdapContext(environment, null);
+	}
+
+	// BAD - Test LDAP authentication with basic authentication.
+	public void testCleartextLdapAuth6(String ldapUserName, String password, String serverName) {
+		String ldapUrl = "ldap://"+serverName+":389";
+		Hashtable<String, String> environment = new Hashtable<String, String>();
+		environment.put(Context.INITIAL_CONTEXT_FACTORY,
+			"com.sun.jndi.ldap.LdapCtxFactory");
+		environment.put(Context.PROVIDER_URL, ldapUrl);
+		setBasicAuth(environment, ldapUserName, password);
+		DirContext dirContext = new InitialLdapContext(environment, null);
+	}
 }

From 32c54628f8afc010e4000368d9abdecea6b50f7f Mon Sep 17 00:00:00 2001
From: luchua-bc <shengxin.canada@gmail.com>
Date: Fri, 15 Jan 2021 12:32:13 +0000
Subject: [PATCH 012/429] Drop fieldName from the function for runtime
 evaluation

---
 .../Security/CWE/CWE-522/InsecureLdapAuth.ql  | 20 +++++--------------
 1 file changed, 5 insertions(+), 15 deletions(-)

diff --git a/java/ql/src/experimental/Security/CWE/CWE-522/InsecureLdapAuth.ql b/java/ql/src/experimental/Security/CWE/CWE-522/InsecureLdapAuth.ql
index 1a38f74092b..602dae21ad7 100644
--- a/java/ql/src/experimental/Security/CWE/CWE-522/InsecureLdapAuth.ql
+++ b/java/ql/src/experimental/Security/CWE/CWE-522/InsecureLdapAuth.ql
@@ -91,19 +91,11 @@ predicate isProviderUrlSetter(MethodAccess ma) {
 /**
  * Holds if `ma` sets `fieldValue` with attribute name `fieldName` to `envValue` in some `Hashtable`.
  */
-bindingset[fieldName, fieldValue, envValue]
-predicate hasEnvWithValue(MethodAccess ma, string fieldName, string fieldValue, string envValue) {
+bindingset[fieldValue, envValue]
+predicate hasEnvWithValue(MethodAccess ma, string fieldValue, string envValue) {
   ma.getMethod().getDeclaringType().getAnAncestor() instanceof TypeHashtable and
   (ma.getMethod().hasName("put") or ma.getMethod().hasName("setProperty")) and
-  (
-    ma.getArgument(0).(CompileTimeConstantExpr).getStringValue() = fieldValue
-    or
-    exists(Field f |
-      ma.getArgument(0) = f.getAnAccess() and
-      f.hasName(fieldName) and
-      f.getDeclaringType() instanceof TypeNamingContext
-    )
-  ) and
+  ma.getArgument(0).(CompileTimeConstantExpr).getStringValue() = fieldValue and
   ma.getArgument(1).(CompileTimeConstantExpr).getStringValue() = envValue
 }
 
@@ -111,15 +103,13 @@ predicate hasEnvWithValue(MethodAccess ma, string fieldName, string fieldValue,
  * Holds if `ma` sets `java.naming.security.authentication` (also known as `Context.SECURITY_AUTHENTICATION`) to `simple` in some `Hashtable`.
  */
 predicate isBasicAuthEnv(MethodAccess ma) {
-  hasEnvWithValue(ma, "SECURITY_AUTHENTICATION", "java.naming.security.authentication", "simple")
+  hasEnvWithValue(ma, "java.naming.security.authentication", "simple")
 }
 
 /**
  * Holds if `ma` sets `java.naming.security.protocol` (also known as `Context.SECURITY_PROTOCOL`) to `ssl` in some `Hashtable`.
  */
-predicate isSSLEnv(MethodAccess ma) {
-  hasEnvWithValue(ma, "SECURITY_PROTOCOL", "java.naming.security.protocol", "ssl")
-}
+predicate isSSLEnv(MethodAccess ma) { hasEnvWithValue(ma, "java.naming.security.protocol", "ssl") }
 
 /**
  * A taint-tracking configuration for `ldap://` URL in LDAP authentication.

From a4cbd7037bd068228bef5448aa11ceeed92d1554 Mon Sep 17 00:00:00 2001
From: intrigus <abc123zeus@live.de>
Date: Fri, 15 Jan 2021 17:18:22 +0100
Subject: [PATCH 013/429] Java: Add tests for different versions.

Adds a test for version 6.24, because that version is not vulnerable.
The other test is for versions < 6.24, because these versions are
vulnerable.
---
 .../JxBrowserWithoutCertValidation.expected   |  1 -
 .../JxBrowserWithoutCertValidation.expected   |  1 +
 .../JxBrowserWithoutCertValidation.qlref      |  0
 ...xBrowserWithoutCertValidationV6_23_1.java} |  2 +-
 .../security/CWE-295/jxbrowser-6.23.1/options |  1 +
 .../JxBrowserWithoutCertValidation.expected   |  0
 .../JxBrowserWithoutCertValidation.qlref      |  1 +
 .../JxBrowserWithoutCertValidationV6_24.java  | 36 +++++++++++++++++++
 .../CWE-295/{ => jxbrowser-6.24}/options      |  2 +-
 .../jxbrowser/chromium/BoundsListener.java    |  5 +++
 .../teamdev/jxbrowser/chromium/Browser.java   | 13 +++++++
 .../chromium/CertificateErrorParams.java      |  5 +++
 .../jxbrowser/chromium/LoadHandler.java       |  7 ++++
 .../jxbrowser/chromium/LoadParams.java        |  5 +++
 14 files changed, 76 insertions(+), 3 deletions(-)
 delete mode 100644 java/ql/test/experimental/query-tests/security/CWE-295/JxBrowserWithoutCertValidation.expected
 create mode 100644 java/ql/test/experimental/query-tests/security/CWE-295/jxbrowser-6.23.1/JxBrowserWithoutCertValidation.expected
 rename java/ql/test/experimental/query-tests/security/CWE-295/{ => jxbrowser-6.23.1}/JxBrowserWithoutCertValidation.qlref (100%)
 rename java/ql/test/experimental/query-tests/security/CWE-295/{JxBrowserWithoutCertValidation.java => jxbrowser-6.23.1/JxBrowserWithoutCertValidationV6_23_1.java} (95%)
 create mode 100644 java/ql/test/experimental/query-tests/security/CWE-295/jxbrowser-6.23.1/options
 create mode 100644 java/ql/test/experimental/query-tests/security/CWE-295/jxbrowser-6.24/JxBrowserWithoutCertValidation.expected
 create mode 100644 java/ql/test/experimental/query-tests/security/CWE-295/jxbrowser-6.24/JxBrowserWithoutCertValidation.qlref
 create mode 100644 java/ql/test/experimental/query-tests/security/CWE-295/jxbrowser-6.24/JxBrowserWithoutCertValidationV6_24.java
 rename java/ql/test/experimental/query-tests/security/CWE-295/{ => jxbrowser-6.24}/options (71%)
 create mode 100644 java/ql/test/experimental/stubs/jxbrowser-6.24/com/teamdev/jxbrowser/chromium/BoundsListener.java
 create mode 100644 java/ql/test/experimental/stubs/jxbrowser-6.24/com/teamdev/jxbrowser/chromium/Browser.java
 create mode 100644 java/ql/test/experimental/stubs/jxbrowser-6.24/com/teamdev/jxbrowser/chromium/CertificateErrorParams.java
 create mode 100644 java/ql/test/experimental/stubs/jxbrowser-6.24/com/teamdev/jxbrowser/chromium/LoadHandler.java
 create mode 100644 java/ql/test/experimental/stubs/jxbrowser-6.24/com/teamdev/jxbrowser/chromium/LoadParams.java

diff --git a/java/ql/test/experimental/query-tests/security/CWE-295/JxBrowserWithoutCertValidation.expected b/java/ql/test/experimental/query-tests/security/CWE-295/JxBrowserWithoutCertValidation.expected
deleted file mode 100644
index 121de8759ac..00000000000
--- a/java/ql/test/experimental/query-tests/security/CWE-295/JxBrowserWithoutCertValidation.expected
+++ /dev/null
@@ -1 +0,0 @@
-| JxBrowserWithoutCertValidation.java:17:27:17:39 | new Browser(...) | This JxBrowser instance allows man-in-the-middle attacks. |
diff --git a/java/ql/test/experimental/query-tests/security/CWE-295/jxbrowser-6.23.1/JxBrowserWithoutCertValidation.expected b/java/ql/test/experimental/query-tests/security/CWE-295/jxbrowser-6.23.1/JxBrowserWithoutCertValidation.expected
new file mode 100644
index 00000000000..9b611b6cfc9
--- /dev/null
+++ b/java/ql/test/experimental/query-tests/security/CWE-295/jxbrowser-6.23.1/JxBrowserWithoutCertValidation.expected
@@ -0,0 +1 @@
+| JxBrowserWithoutCertValidationV6_23_1.java:17:27:17:39 | new Browser(...) | This JxBrowser instance allows man-in-the-middle attacks. |
diff --git a/java/ql/test/experimental/query-tests/security/CWE-295/JxBrowserWithoutCertValidation.qlref b/java/ql/test/experimental/query-tests/security/CWE-295/jxbrowser-6.23.1/JxBrowserWithoutCertValidation.qlref
similarity index 100%
rename from java/ql/test/experimental/query-tests/security/CWE-295/JxBrowserWithoutCertValidation.qlref
rename to java/ql/test/experimental/query-tests/security/CWE-295/jxbrowser-6.23.1/JxBrowserWithoutCertValidation.qlref
diff --git a/java/ql/test/experimental/query-tests/security/CWE-295/JxBrowserWithoutCertValidation.java b/java/ql/test/experimental/query-tests/security/CWE-295/jxbrowser-6.23.1/JxBrowserWithoutCertValidationV6_23_1.java
similarity index 95%
rename from java/ql/test/experimental/query-tests/security/CWE-295/JxBrowserWithoutCertValidation.java
rename to java/ql/test/experimental/query-tests/security/CWE-295/jxbrowser-6.23.1/JxBrowserWithoutCertValidationV6_23_1.java
index b7e2710842f..8f7be261413 100644
--- a/java/ql/test/experimental/query-tests/security/CWE-295/JxBrowserWithoutCertValidation.java
+++ b/java/ql/test/experimental/query-tests/security/CWE-295/jxbrowser-6.23.1/JxBrowserWithoutCertValidationV6_23_1.java
@@ -3,7 +3,7 @@ import com.teamdev.jxbrowser.chromium.LoadHandler;
 import com.teamdev.jxbrowser.chromium.LoadParams;
 import com.teamdev.jxbrowser.chromium.CertificateErrorParams;
 
-public class JxBrowserWithoutCertValidation {
+public class JxBrowserWithoutCertValidationV6_23_1 {
 
     public static void main(String[] args) {
 
diff --git a/java/ql/test/experimental/query-tests/security/CWE-295/jxbrowser-6.23.1/options b/java/ql/test/experimental/query-tests/security/CWE-295/jxbrowser-6.23.1/options
new file mode 100644
index 00000000000..37339271f9c
--- /dev/null
+++ b/java/ql/test/experimental/query-tests/security/CWE-295/jxbrowser-6.23.1/options
@@ -0,0 +1 @@
+ //semmle-extractor-options: --javac-args -cp ${testdir}/../../../../stubs/jxbrowser-6.23.1
\ No newline at end of file
diff --git a/java/ql/test/experimental/query-tests/security/CWE-295/jxbrowser-6.24/JxBrowserWithoutCertValidation.expected b/java/ql/test/experimental/query-tests/security/CWE-295/jxbrowser-6.24/JxBrowserWithoutCertValidation.expected
new file mode 100644
index 00000000000..e69de29bb2d
diff --git a/java/ql/test/experimental/query-tests/security/CWE-295/jxbrowser-6.24/JxBrowserWithoutCertValidation.qlref b/java/ql/test/experimental/query-tests/security/CWE-295/jxbrowser-6.24/JxBrowserWithoutCertValidation.qlref
new file mode 100644
index 00000000000..cab6f2a4962
--- /dev/null
+++ b/java/ql/test/experimental/query-tests/security/CWE-295/jxbrowser-6.24/JxBrowserWithoutCertValidation.qlref
@@ -0,0 +1 @@
+experimental/Security/CWE/CWE-295/JxBrowserWithoutCertValidation.ql
diff --git a/java/ql/test/experimental/query-tests/security/CWE-295/jxbrowser-6.24/JxBrowserWithoutCertValidationV6_24.java b/java/ql/test/experimental/query-tests/security/CWE-295/jxbrowser-6.24/JxBrowserWithoutCertValidationV6_24.java
new file mode 100644
index 00000000000..62057fcb8ef
--- /dev/null
+++ b/java/ql/test/experimental/query-tests/security/CWE-295/jxbrowser-6.24/JxBrowserWithoutCertValidationV6_24.java
@@ -0,0 +1,36 @@
+import com.teamdev.jxbrowser.chromium.Browser;
+import com.teamdev.jxbrowser.chromium.LoadHandler;
+import com.teamdev.jxbrowser.chromium.LoadParams;
+import com.teamdev.jxbrowser.chromium.CertificateErrorParams;
+
+public class JxBrowserWithoutCertValidationV6_24 {
+
+    public static void main(String[] args) {
+
+        goodUsage();
+
+        goodUsage2();
+
+    }
+
+    private static void goodUsage() {
+        Browser browser = new Browser();
+        browser.loadURL("https://example.com");
+        // no further calls
+        // GOOD: On version 6.24 the browser properly validates certificates by default!
+    }
+
+    private static void goodUsage2() {
+        Browser browser = new Browser();
+        browser.setLoadHandler(new LoadHandler() {
+            public boolean onLoad(LoadParams params) {
+                return true;
+            }
+
+            public boolean onCertificateError(CertificateErrorParams params) {
+                return true; // GOOD: This means that loading will be cancelled on certificate errors
+            }
+        }); // GOOD: A secure `LoadHandler` is used.
+        browser.loadURL("https://example.com");
+    }
+}
\ No newline at end of file
diff --git a/java/ql/test/experimental/query-tests/security/CWE-295/options b/java/ql/test/experimental/query-tests/security/CWE-295/jxbrowser-6.24/options
similarity index 71%
rename from java/ql/test/experimental/query-tests/security/CWE-295/options
rename to java/ql/test/experimental/query-tests/security/CWE-295/jxbrowser-6.24/options
index 770bbcd38e6..f001bf777a2 100644
--- a/java/ql/test/experimental/query-tests/security/CWE-295/options
+++ b/java/ql/test/experimental/query-tests/security/CWE-295/jxbrowser-6.24/options
@@ -1 +1 @@
- //semmle-extractor-options: --javac-args -cp ${testdir}/../../../stubs/jxbrowser-6.23.1
\ No newline at end of file
+ //semmle-extractor-options: --javac-args -cp ${testdir}/../../../../stubs/jxbrowser-6.24
\ No newline at end of file
diff --git a/java/ql/test/experimental/stubs/jxbrowser-6.24/com/teamdev/jxbrowser/chromium/BoundsListener.java b/java/ql/test/experimental/stubs/jxbrowser-6.24/com/teamdev/jxbrowser/chromium/BoundsListener.java
new file mode 100644
index 00000000000..39bb56e0565
--- /dev/null
+++ b/java/ql/test/experimental/stubs/jxbrowser-6.24/com/teamdev/jxbrowser/chromium/BoundsListener.java
@@ -0,0 +1,5 @@
+package com.teamdev.jxbrowser.chromium;
+
+public interface BoundsListener {
+
+}
\ No newline at end of file
diff --git a/java/ql/test/experimental/stubs/jxbrowser-6.24/com/teamdev/jxbrowser/chromium/Browser.java b/java/ql/test/experimental/stubs/jxbrowser-6.24/com/teamdev/jxbrowser/chromium/Browser.java
new file mode 100644
index 00000000000..c32656e4228
--- /dev/null
+++ b/java/ql/test/experimental/stubs/jxbrowser-6.24/com/teamdev/jxbrowser/chromium/Browser.java
@@ -0,0 +1,13 @@
+package com.teamdev.jxbrowser.chromium;
+
+public class Browser extends java.lang.Object {
+    public void setLoadHandler(LoadHandler handler) {
+    }
+
+    public void loadURL(String url) {
+    }
+
+    public void addBoundsListener(BoundsListener listener) {
+
+    }
+}
\ No newline at end of file
diff --git a/java/ql/test/experimental/stubs/jxbrowser-6.24/com/teamdev/jxbrowser/chromium/CertificateErrorParams.java b/java/ql/test/experimental/stubs/jxbrowser-6.24/com/teamdev/jxbrowser/chromium/CertificateErrorParams.java
new file mode 100644
index 00000000000..904b98a6c51
--- /dev/null
+++ b/java/ql/test/experimental/stubs/jxbrowser-6.24/com/teamdev/jxbrowser/chromium/CertificateErrorParams.java
@@ -0,0 +1,5 @@
+package com.teamdev.jxbrowser.chromium;
+
+public final class CertificateErrorParams extends Object {
+
+}
\ No newline at end of file
diff --git a/java/ql/test/experimental/stubs/jxbrowser-6.24/com/teamdev/jxbrowser/chromium/LoadHandler.java b/java/ql/test/experimental/stubs/jxbrowser-6.24/com/teamdev/jxbrowser/chromium/LoadHandler.java
new file mode 100644
index 00000000000..a628d88439c
--- /dev/null
+++ b/java/ql/test/experimental/stubs/jxbrowser-6.24/com/teamdev/jxbrowser/chromium/LoadHandler.java
@@ -0,0 +1,7 @@
+package com.teamdev.jxbrowser.chromium;
+
+public interface LoadHandler {
+    boolean onCertificateError(CertificateErrorParams params);
+
+    boolean onLoad(LoadParams params);
+}
\ No newline at end of file
diff --git a/java/ql/test/experimental/stubs/jxbrowser-6.24/com/teamdev/jxbrowser/chromium/LoadParams.java b/java/ql/test/experimental/stubs/jxbrowser-6.24/com/teamdev/jxbrowser/chromium/LoadParams.java
new file mode 100644
index 00000000000..213e54f1dbc
--- /dev/null
+++ b/java/ql/test/experimental/stubs/jxbrowser-6.24/com/teamdev/jxbrowser/chromium/LoadParams.java
@@ -0,0 +1,5 @@
+package com.teamdev.jxbrowser.chromium;
+
+public final class LoadParams extends Object {
+
+}
\ No newline at end of file

From efb872ad1e96bcc703394777e80046ab8b043a79 Mon Sep 17 00:00:00 2001
From: Rasmus Wriedt Larsen <rasmuswl@github.com>
Date: Thu, 14 Jan 2021 19:15:52 +0100
Subject: [PATCH 014/429] Python: Add HttpRedirectResponse concept

---
 python/ql/src/semmle/python/Concepts.qll | 35 ++++++++++++++++++++++++
 1 file changed, 35 insertions(+)

diff --git a/python/ql/src/semmle/python/Concepts.qll b/python/ql/src/semmle/python/Concepts.qll
index a79eaa2dc55..b81817d7f10 100644
--- a/python/ql/src/semmle/python/Concepts.qll
+++ b/python/ql/src/semmle/python/Concepts.qll
@@ -473,5 +473,40 @@ module HTTP {
         }
       }
     }
+
+    /**
+     * A data-flow node that creates a HTTP redirect response on a server.
+     *
+     * Note: we don't require that this redirect must be sent to a client (a kind of
+     * "if a tree falls in a forest and nobody hears it" situation).
+     *
+     * Extend this class to refine existing API models. If you want to model new APIs,
+     * extend `HttpRedirectResponse::Range` instead.
+     */
+    class HttpRedirectResponse extends HttpResponse {
+      override HttpRedirectResponse::Range range;
+
+      HttpRedirectResponse() { this = range }
+
+      /** Gets the data-flow node that specifies the location of this HTTP redirect response. */
+      DataFlow::Node getRedirectLocation() { result = range.getRedirectLocation() }
+    }
+
+    /** Provides a class for modeling new HTTP redirect response APIs. */
+    module HttpRedirectResponse {
+      /**
+       * A data-flow node that creates a HTTP redirect response on a server.
+       *
+       * Note: we don't require that this redirect must be sent to a client (a kind of
+       * "if a tree falls in a forest and nobody hears it" situation).
+       *
+       * Extend this class to model new APIs. If you want to refine existing API models,
+       * extend `HttpResponse` instead.
+       */
+      abstract class Range extends HTTP::Server::HttpResponse::Range {
+        /** Gets the data-flow node that specifies the location of this HTTP redirect response. */
+        abstract DataFlow::Node getRedirectLocation();
+      }
+    }
   }
 }

From 501e5106226f4dc8cb287d9db4a099435c41708a Mon Sep 17 00:00:00 2001
From: Rasmus Wriedt Larsen <rasmuswl@github.com>
Date: Tue, 19 Jan 2021 14:43:25 +0100
Subject: [PATCH 015/429] Python: Add redirect modeling tests (flask/django)

---
 .../frameworks/django-v1/response_test.py     | 30 +++++++++++++++----
 .../frameworks/flask/response_test.py         | 14 ++++++++-
 .../test/experimental/meta/ConceptsTest.qll   | 25 ++++++++++++++++
 3 files changed, 63 insertions(+), 6 deletions(-)

diff --git a/python/ql/test/experimental/library-tests/frameworks/django-v1/response_test.py b/python/ql/test/experimental/library-tests/frameworks/django-v1/response_test.py
index 1713173d026..b36b1e1822c 100644
--- a/python/ql/test/experimental/library-tests/frameworks/django-v1/response_test.py
+++ b/python/ql/test/experimental/library-tests/frameworks/django-v1/response_test.py
@@ -1,4 +1,4 @@
-from django.http.response import HttpResponse, HttpResponseRedirect, JsonResponse, HttpResponseNotFound
+from django.http.response import HttpResponse, HttpResponseRedirect, HttpResponsePermanentRedirect, JsonResponse, HttpResponseNotFound
 
 # Not an XSS sink, since the Content-Type is not "text/html"
 # FP reported in https://github.com/github/codeql-python-team/issues/38
@@ -18,15 +18,35 @@ def safe__manual_content_type(request):
 # XSS FP reported in https://github.com/github/codeql/issues/3466
 # Note: This should be an open-redirect sink, but not an XSS sink.
 def or__redirect(request):
-    return HttpResponseRedirect(request.GET.get("next"))  # $HttpResponse mimetype=text/html
+    next = request.GET.get("next")
+    return HttpResponseRedirect(next)  # $HttpResponse mimetype=text/html MISSING: HttpRedirectResponse redirectLocation=next
 
-def information_exposure_through_redirect(request, as_kw=False):
+def information_exposure_through_redirect(request, as_kw=False, perm_redirect=False):
     # This is a contrived example, but possible
     private = "private"
+    next = request.GET.get("next")
     if as_kw:
-        return HttpResponseRedirect(request.GET.get("next"), content=private)  # $HttpResponse mimetype=text/html responseBody=private
+        return HttpResponseRedirect(next, content=private)  # $HttpResponse mimetype=text/html responseBody=private MISSING: HttpRedirectResponse redirectLocation=next
     else:
-        return HttpResponseRedirect(request.GET.get("next"), private)  # $HttpResponse mimetype=text/html responseBody=private
+        return HttpResponseRedirect(next, private)  # $ HttpResponse mimetype=text/html responseBody=private MISSING: HttpRedirectResponse redirectLocation=next
+
+
+def perm_redirect(request):
+    private = "private"
+    next = request.GET.get("next")
+    return HttpResponsePermanentRedirect(next, private) # $ HttpResponse mimetype=text/html responseBody=private MISSING: HttpRedirectResponse redirectLocation=next
+
+
+def redirect_through_normal_response(request):
+    private = "private"
+    next = request.GET.get("next")
+
+    resp = HttpResponse() # $ HttpResponse mimetype=text/html
+    resp.status_code = 302
+    resp['Location'] = next # $ MISSING: redirectLocation=next
+    resp.content = private # $ MISSING: responseBody=private
+    return resp
+
 
 # Ensure that simple subclasses are still vuln to XSS
 def xss__not_found(request):
diff --git a/python/ql/test/experimental/library-tests/frameworks/flask/response_test.py b/python/ql/test/experimental/library-tests/frameworks/flask/response_test.py
index b067f173882..7c15704f7e3 100644
--- a/python/ql/test/experimental/library-tests/frameworks/flask/response_test.py
+++ b/python/ql/test/experimental/library-tests/frameworks/flask/response_test.py
@@ -1,6 +1,6 @@
 import json
 
-from flask import Flask, make_response, jsonify, Response, request
+from flask import Flask, make_response, jsonify, Response, request, redirect
 
 app = Flask(__name__)
 
@@ -172,6 +172,18 @@ def app_response_class():  # $requestHandler
 # TODO: add tests for setting status code
 # TODO: add test that manually creates a redirect by setting status code and suitable header.
 
+################################################################################
+# Redirect
+################################################################################
+
+
+@app.route("/redirect-simple")  # $routeSetup="/redirect-simple"
+def redirect_simple():  # $requestHandler
+    next = request.args['next']
+    resp = redirect(next) # $ MISSING: HttpResponse mimetype=text/html HttpRedirectResponse redirectLocation=next
+    return resp  # $ SPURIOUS: HttpResponse mimetype=text/html responseBody=resp
+
+
 ################################################################################
 
 
diff --git a/python/ql/test/experimental/meta/ConceptsTest.qll b/python/ql/test/experimental/meta/ConceptsTest.qll
index 0516fe5dac3..eafcb8b0ef9 100644
--- a/python/ql/test/experimental/meta/ConceptsTest.qll
+++ b/python/ql/test/experimental/meta/ConceptsTest.qll
@@ -239,6 +239,31 @@ class HttpServerHttpResponseTest extends InlineExpectationsTest {
   }
 }
 
+class HttpServerHttpRedirectResponseTest extends InlineExpectationsTest {
+  HttpServerHttpRedirectResponseTest() { this = "HttpServerHttpRedirectResponseTest" }
+
+  override string getARelevantTag() { result in ["HttpRedirectResponse", "redirectLocation"] }
+
+  override predicate hasActualResult(Location location, string element, string tag, string value) {
+    exists(location.getFile().getRelativePath()) and
+    (
+      exists(HTTP::Server::HttpRedirectResponse redirect |
+        location = redirect.getLocation() and
+        element = redirect.toString() and
+        value = "" and
+        tag = "HttpRedirectResponse"
+      )
+      or
+      exists(HTTP::Server::HttpRedirectResponse redirect |
+        location = redirect.getLocation() and
+        element = redirect.toString() and
+        value = value_from_expr(redirect.getRedirectLocation().asExpr()) and
+        tag = "redirectLocation"
+      )
+    )
+  }
+}
+
 class FileSystemAccessTest extends InlineExpectationsTest {
   FileSystemAccessTest() { this = "FileSystemAccessTest" }
 

From aea974ee0c1372a7872222667f77b22e24263eea Mon Sep 17 00:00:00 2001
From: Rasmus Wriedt Larsen <rasmuswl@github.com>
Date: Tue, 19 Jan 2021 14:44:50 +0100
Subject: [PATCH 016/429] Python: Add redirect modeling for Flask

---
 .../ql/src/semmle/python/frameworks/Flask.qll | 29 ++++++++++++++++++-
 .../frameworks/flask/response_test.py         |  2 +-
 2 files changed, 29 insertions(+), 2 deletions(-)

diff --git a/python/ql/src/semmle/python/frameworks/Flask.qll b/python/ql/src/semmle/python/frameworks/Flask.qll
index 68f81e32ceb..c49c012f6f0 100644
--- a/python/ql/src/semmle/python/frameworks/Flask.qll
+++ b/python/ql/src/semmle/python/frameworks/Flask.qll
@@ -34,7 +34,7 @@ private module FlaskModel {
    * WARNING: Only holds for a few predefined attributes.
    */
   private DataFlow::Node flask_attr(DataFlow::TypeTracker t, string attr_name) {
-    attr_name in ["request", "make_response", "Response", "views"] and
+    attr_name in ["request", "make_response", "Response", "views", "redirect"] and
     (
       t.start() and
       result = DataFlow::importNode("flask" + "." + attr_name)
@@ -669,4 +669,31 @@ private module FlaskModel {
 
     override string getMimetypeDefault() { result = "text/html" }
   }
+
+  /**
+   * A call to the `flask.redirect` function.
+   *
+   * See https://flask.palletsprojects.com/en/1.1.x/api/#flask.redirect
+   */
+  private class FlaskRedirectCall extends HTTP::Server::HttpRedirectResponse::Range,
+    DataFlow::CfgNode {
+    override CallNode node;
+
+    FlaskRedirectCall() { node.getFunction() = flask_attr("redirect").asCfgNode() }
+
+    override DataFlow::Node getRedirectLocation() {
+      result.asCfgNode() in [node.getArg(0), node.getArgByName("location")]
+    }
+
+    override DataFlow::Node getBody() { none() }
+
+    override DataFlow::Node getMimetypeOrContentTypeArg() { none() }
+
+    override string getMimetypeDefault() {
+      // note that while you're not able to set content yourself, the function will
+      // actually fill out some default content, that is served with mimetype
+      // `text/html`.
+      result = "text/html"
+    }
+  }
 }
diff --git a/python/ql/test/experimental/library-tests/frameworks/flask/response_test.py b/python/ql/test/experimental/library-tests/frameworks/flask/response_test.py
index 7c15704f7e3..ec2de218c84 100644
--- a/python/ql/test/experimental/library-tests/frameworks/flask/response_test.py
+++ b/python/ql/test/experimental/library-tests/frameworks/flask/response_test.py
@@ -180,7 +180,7 @@ def app_response_class():  # $requestHandler
 @app.route("/redirect-simple")  # $routeSetup="/redirect-simple"
 def redirect_simple():  # $requestHandler
     next = request.args['next']
-    resp = redirect(next) # $ MISSING: HttpResponse mimetype=text/html HttpRedirectResponse redirectLocation=next
+    resp = redirect(next) # $ HttpResponse mimetype=text/html HttpRedirectResponse redirectLocation=next
     return resp  # $ SPURIOUS: HttpResponse mimetype=text/html responseBody=resp
 
 

From ab607b803093fd8a6055b7236c25bdc97fff86e8 Mon Sep 17 00:00:00 2001
From: Rasmus Wriedt Larsen <rasmuswl@github.com>
Date: Tue, 19 Jan 2021 14:45:41 +0100
Subject: [PATCH 017/429] Python: Add redirect modeling for Django

---
 python/ql/src/semmle/python/frameworks/Django.qll  | 14 ++++++++++++--
 .../frameworks/django-v1/response_test.py          |  8 ++++----
 2 files changed, 16 insertions(+), 6 deletions(-)

diff --git a/python/ql/src/semmle/python/frameworks/Django.qll b/python/ql/src/semmle/python/frameworks/Django.qll
index 674aedec566..4251b515322 100644
--- a/python/ql/src/semmle/python/frameworks/Django.qll
+++ b/python/ql/src/semmle/python/frameworks/Django.qll
@@ -724,7 +724,8 @@ private module Django {
            *
            * Use the predicate `HttpResponseRedirect::instance()` to get references to instances of `django.http.response.HttpResponseRedirect`.
            */
-          abstract class InstanceSource extends HttpResponse::InstanceSource, DataFlow::Node { }
+          abstract class InstanceSource extends HttpResponse::InstanceSource,
+            HTTP::Server::HttpRedirectResponse::Range, DataFlow::Node { }
 
           /** A direct instantiation of `django.http.response.HttpResponseRedirect`. */
           private class ClassInstantiation extends InstanceSource, DataFlow::CfgNode {
@@ -739,6 +740,10 @@ private module Django {
               result.asCfgNode() in [node.getArg(1), node.getArgByName("content")]
             }
 
+            override DataFlow::Node getRedirectLocation() {
+              result.asCfgNode() in [node.getArg(0), node.getArgByName("redirect_to")]
+            }
+
             // How to support the `headers` argument here?
             override DataFlow::Node getMimetypeOrContentTypeArg() { none() }
 
@@ -790,7 +795,8 @@ private module Django {
            *
            * Use the predicate `HttpResponsePermanentRedirect::instance()` to get references to instances of `django.http.response.HttpResponsePermanentRedirect`.
            */
-          abstract class InstanceSource extends HttpResponse::InstanceSource, DataFlow::Node { }
+          abstract class InstanceSource extends HttpResponse::InstanceSource,
+            HTTP::Server::HttpRedirectResponse::Range, DataFlow::Node { }
 
           /** A direct instantiation of `django.http.response.HttpResponsePermanentRedirect`. */
           private class ClassInstantiation extends InstanceSource, DataFlow::CfgNode {
@@ -805,6 +811,10 @@ private module Django {
               result.asCfgNode() in [node.getArg(1), node.getArgByName("content")]
             }
 
+            override DataFlow::Node getRedirectLocation() {
+              result.asCfgNode() in [node.getArg(0), node.getArgByName("redirect_to")]
+            }
+
             // How to support the `headers` argument here?
             override DataFlow::Node getMimetypeOrContentTypeArg() { none() }
 
diff --git a/python/ql/test/experimental/library-tests/frameworks/django-v1/response_test.py b/python/ql/test/experimental/library-tests/frameworks/django-v1/response_test.py
index b36b1e1822c..69cdd899c8d 100644
--- a/python/ql/test/experimental/library-tests/frameworks/django-v1/response_test.py
+++ b/python/ql/test/experimental/library-tests/frameworks/django-v1/response_test.py
@@ -19,22 +19,22 @@ def safe__manual_content_type(request):
 # Note: This should be an open-redirect sink, but not an XSS sink.
 def or__redirect(request):
     next = request.GET.get("next")
-    return HttpResponseRedirect(next)  # $HttpResponse mimetype=text/html MISSING: HttpRedirectResponse redirectLocation=next
+    return HttpResponseRedirect(next)  # $HttpResponse mimetype=text/html HttpRedirectResponse redirectLocation=next
 
 def information_exposure_through_redirect(request, as_kw=False, perm_redirect=False):
     # This is a contrived example, but possible
     private = "private"
     next = request.GET.get("next")
     if as_kw:
-        return HttpResponseRedirect(next, content=private)  # $HttpResponse mimetype=text/html responseBody=private MISSING: HttpRedirectResponse redirectLocation=next
+        return HttpResponseRedirect(next, content=private)  # $HttpResponse mimetype=text/html responseBody=private HttpRedirectResponse redirectLocation=next
     else:
-        return HttpResponseRedirect(next, private)  # $ HttpResponse mimetype=text/html responseBody=private MISSING: HttpRedirectResponse redirectLocation=next
+        return HttpResponseRedirect(next, private)  # $ HttpResponse mimetype=text/html responseBody=private HttpRedirectResponse redirectLocation=next
 
 
 def perm_redirect(request):
     private = "private"
     next = request.GET.get("next")
-    return HttpResponsePermanentRedirect(next, private) # $ HttpResponse mimetype=text/html responseBody=private MISSING: HttpRedirectResponse redirectLocation=next
+    return HttpResponsePermanentRedirect(next, private) # $ HttpResponse mimetype=text/html responseBody=private HttpRedirectResponse redirectLocation=next
 
 
 def redirect_through_normal_response(request):

From 9d8925ae6a47aa74edacf14e32f15221d5269e3f Mon Sep 17 00:00:00 2001
From: Rasmus Wriedt Larsen <rasmuswl@github.com>
Date: Tue, 19 Jan 2021 15:16:55 +0100
Subject: [PATCH 018/429] Python: Extend url-redirect tests

Specifically to show how it currently handles prefixing user-input with known
constant.

I changed test to be Python 3 only since I wanted to use f-string.
---
 .../Security/CWE-601/UrlRedirect.expected     | 45 +++++++++++++
 .../test/query-tests/Security/CWE-601/options |  2 +-
 .../test/query-tests/Security/CWE-601/test.py | 64 ++++++++++++++++++-
 3 files changed, 107 insertions(+), 4 deletions(-)

diff --git a/python/ql/test/query-tests/Security/CWE-601/UrlRedirect.expected b/python/ql/test/query-tests/Security/CWE-601/UrlRedirect.expected
index 87e3a9b98f1..ec681a905a5 100644
--- a/python/ql/test/query-tests/Security/CWE-601/UrlRedirect.expected
+++ b/python/ql/test/query-tests/Security/CWE-601/UrlRedirect.expected
@@ -3,5 +3,50 @@ edges
 | test.py:7:14:7:25 | dict of externally controlled string | test.py:7:14:7:43 | externally controlled string |
 | test.py:7:14:7:43 | externally controlled string | test.py:8:21:8:26 | externally controlled string |
 | test.py:7:14:7:43 | externally controlled string | test.py:8:21:8:26 | externally controlled string |
+| test.py:30:17:30:28 | dict of externally controlled string | test.py:30:17:30:46 | externally controlled string |
+| test.py:30:17:30:28 | dict of externally controlled string | test.py:30:17:30:46 | externally controlled string |
+| test.py:30:17:30:46 | externally controlled string | test.py:31:41:31:49 | externally controlled string |
+| test.py:30:17:30:46 | externally controlled string | test.py:31:41:31:49 | externally controlled string |
+| test.py:31:12:31:50 | externally controlled string | test.py:32:21:32:24 | externally controlled string |
+| test.py:31:12:31:50 | externally controlled string | test.py:32:21:32:24 | externally controlled string |
+| test.py:31:41:31:49 | externally controlled string | test.py:31:12:31:50 | externally controlled string |
+| test.py:31:41:31:49 | externally controlled string | test.py:31:12:31:50 | externally controlled string |
+| test.py:37:17:37:28 | dict of externally controlled string | test.py:37:17:37:46 | externally controlled string |
+| test.py:37:17:37:28 | dict of externally controlled string | test.py:37:17:37:46 | externally controlled string |
+| test.py:37:17:37:46 | externally controlled string | test.py:38:32:38:40 | externally controlled string |
+| test.py:37:17:37:46 | externally controlled string | test.py:38:32:38:40 | externally controlled string |
+| test.py:38:12:38:42 | externally controlled string | test.py:39:21:39:24 | externally controlled string |
+| test.py:38:12:38:42 | externally controlled string | test.py:39:21:39:24 | externally controlled string |
+| test.py:38:32:38:40 | externally controlled string | test.py:38:12:38:42 | externally controlled string |
+| test.py:38:32:38:40 | externally controlled string | test.py:38:12:38:42 | externally controlled string |
+| test.py:53:17:53:28 | dict of externally controlled string | test.py:53:17:53:46 | externally controlled string |
+| test.py:53:17:53:28 | dict of externally controlled string | test.py:53:17:53:46 | externally controlled string |
+| test.py:53:17:53:46 | externally controlled string | test.py:54:14:54:22 | externally controlled string |
+| test.py:53:17:53:46 | externally controlled string | test.py:54:14:54:22 | externally controlled string |
+| test.py:54:14:54:22 | externally controlled string | test.py:54:14:54:41 | externally controlled string |
+| test.py:54:14:54:22 | externally controlled string | test.py:54:14:54:41 | externally controlled string |
+| test.py:54:14:54:41 | externally controlled string | test.py:55:21:55:26 | externally controlled string |
+| test.py:54:14:54:41 | externally controlled string | test.py:55:21:55:26 | externally controlled string |
+| test.py:60:17:60:28 | dict of externally controlled string | test.py:60:17:60:46 | externally controlled string |
+| test.py:60:17:60:28 | dict of externally controlled string | test.py:60:17:60:46 | externally controlled string |
+| test.py:60:17:60:46 | externally controlled string | test.py:61:40:61:48 | externally controlled string |
+| test.py:60:17:60:46 | externally controlled string | test.py:61:40:61:48 | externally controlled string |
+| test.py:61:14:61:49 | externally controlled string | test.py:62:21:62:26 | externally controlled string |
+| test.py:61:14:61:49 | externally controlled string | test.py:62:21:62:26 | externally controlled string |
+| test.py:61:40:61:48 | externally controlled string | test.py:61:14:61:49 | externally controlled string |
+| test.py:61:40:61:48 | externally controlled string | test.py:61:14:61:49 | externally controlled string |
+| test.py:67:17:67:28 | dict of externally controlled string | test.py:67:17:67:46 | externally controlled string |
+| test.py:67:17:67:28 | dict of externally controlled string | test.py:67:17:67:46 | externally controlled string |
+| test.py:67:17:67:46 | externally controlled string | test.py:68:17:68:25 | externally controlled string |
+| test.py:67:17:67:46 | externally controlled string | test.py:68:17:68:25 | externally controlled string |
+| test.py:68:14:68:41 | externally controlled string | test.py:69:21:69:26 | externally controlled string |
+| test.py:68:14:68:41 | externally controlled string | test.py:69:21:69:26 | externally controlled string |
+| test.py:68:17:68:25 | externally controlled string | test.py:68:14:68:41 | externally controlled string |
+| test.py:68:17:68:25 | externally controlled string | test.py:68:14:68:41 | externally controlled string |
 #select
 | test.py:8:21:8:26 | target | test.py:7:14:7:25 | dict of externally controlled string | test.py:8:21:8:26 | externally controlled string | Untrusted URL redirection due to $@. | test.py:7:14:7:25 | Attribute | a user-provided value |
+| test.py:32:21:32:24 | safe | test.py:30:17:30:28 | dict of externally controlled string | test.py:32:21:32:24 | externally controlled string | Untrusted URL redirection due to $@. | test.py:30:17:30:28 | Attribute | a user-provided value |
+| test.py:39:21:39:24 | safe | test.py:37:17:37:28 | dict of externally controlled string | test.py:39:21:39:24 | externally controlled string | Untrusted URL redirection due to $@. | test.py:37:17:37:28 | Attribute | a user-provided value |
+| test.py:55:21:55:26 | unsafe | test.py:53:17:53:28 | dict of externally controlled string | test.py:55:21:55:26 | externally controlled string | Untrusted URL redirection due to $@. | test.py:53:17:53:28 | Attribute | a user-provided value |
+| test.py:62:21:62:26 | unsafe | test.py:60:17:60:28 | dict of externally controlled string | test.py:62:21:62:26 | externally controlled string | Untrusted URL redirection due to $@. | test.py:60:17:60:28 | Attribute | a user-provided value |
+| test.py:69:21:69:26 | unsafe | test.py:67:17:67:28 | dict of externally controlled string | test.py:69:21:69:26 | externally controlled string | Untrusted URL redirection due to $@. | test.py:67:17:67:28 | Attribute | a user-provided value |
diff --git a/python/ql/test/query-tests/Security/CWE-601/options b/python/ql/test/query-tests/Security/CWE-601/options
index 84717fe64cf..28b616e5f19 100644
--- a/python/ql/test/query-tests/Security/CWE-601/options
+++ b/python/ql/test/query-tests/Security/CWE-601/options
@@ -1 +1 @@
-semmle-extractor-options: --max-import-depth=2 -p ../lib
+semmle-extractor-options: --lang=3 --max-import-depth=2 -p ../lib
diff --git a/python/ql/test/query-tests/Security/CWE-601/test.py b/python/ql/test/query-tests/Security/CWE-601/test.py
index 3943f7276bd..dfc9e37281d 100644
--- a/python/ql/test/query-tests/Security/CWE-601/test.py
+++ b/python/ql/test/query-tests/Security/CWE-601/test.py
@@ -8,11 +8,69 @@ def hello():
     return redirect(target, code=302)
 
 
-#Check for safe prefixes
+# Check for safe prefixes
 
 @app.route('/ok')
 def ok():
-    untrusted = request.args.get('ok', '')
-    safe = "safe"
+    untrusted = request.args.get('target', '')
+    safe = "https://safe.com/"
     safe += untrusted
     return redirect(safe, code=302)
+
+
+@app.route('/ok2')
+def ok2():
+    untrusted = request.args.get('target', '')
+    safe = "https://safe.com/" + untrusted
+    return redirect(safe, code=302)
+
+
+@app.route('/ok3')
+def ok3():
+    untrusted = request.args.get('target', '')
+    safe = "https://safe.com/{}".format(untrusted)
+    return redirect(safe, code=302) # FP
+
+
+@app.route('/ok4')
+def ok4():
+    untrusted = request.args.get('target', '')
+    safe = f"https://safe.com/{untrusted}"
+    return redirect(safe, code=302) # FP
+
+
+@app.route('/ok5')
+def ok5():
+    untrusted = request.args.get('target', '')
+    safe = "https://safe.com/%s" % untrusted
+    return redirect(safe, code=302)
+
+
+# Check that our sanitizer is not too broad
+
+@app.route('/not_ok1')
+def not_ok1():
+    untrusted = request.args.get('target', '')
+    unsafe = untrusted + "?login=success"
+    return redirect(unsafe, code=302)
+
+
+@app.route('/not_ok2')
+def not_ok2():
+    untrusted = request.args.get('target', '')
+    unsafe = "{}?login=success".format(untrusted)
+    return redirect(unsafe, code=302)
+
+
+@app.route('/not_ok3')
+def not_ok3():
+    untrusted = request.args.get('target', '')
+    unsafe = f"{untrusted}?login=success"
+    return redirect(unsafe, code=302)
+
+
+@app.route('/not_ok4')
+def not_ok4():
+    untrusted = request.args.get('target', '')
+    unsafe = "%s?login=success" % untrusted
+    return redirect(unsafe, code=302) # Missing result

From d8bfa3565fb117a1586cd5aa9d443e2558000ef3 Mon Sep 17 00:00:00 2001
From: Rasmus Wriedt Larsen <rasmuswl@github.com>
Date: Tue, 19 Jan 2021 15:44:51 +0100
Subject: [PATCH 019/429] Python: Simple port of URL redirect query

Still have not added sanitizer, but seems like old sanitizer was a bit too broad
(also covering %-formatting)
---
 .../2021-01-19-port-url-redirect-query.md     |  2 +
 python/ql/src/Security/CWE-601/UrlRedirect.ql | 32 ++-----
 .../CWE-601/UrlRedirect.ql                    | 41 +++++++++
 .../python/security/dataflow/UrlRedirect.qll  | 28 ++++++
 .../Security/CWE-601/UrlRedirect.expected     | 91 +++++++++----------
 .../test/query-tests/Security/CWE-601/test.py |  8 +-
 6 files changed, 122 insertions(+), 80 deletions(-)
 create mode 100644 python/change-notes/2021-01-19-port-url-redirect-query.md
 create mode 100644 python/ql/src/experimental/Security-old-dataflow/CWE-601/UrlRedirect.ql
 create mode 100644 python/ql/src/semmle/python/security/dataflow/UrlRedirect.qll

diff --git a/python/change-notes/2021-01-19-port-url-redirect-query.md b/python/change-notes/2021-01-19-port-url-redirect-query.md
new file mode 100644
index 00000000000..a80093bc0f2
--- /dev/null
+++ b/python/change-notes/2021-01-19-port-url-redirect-query.md
@@ -0,0 +1,2 @@
+lgtm,codescanning
+* Ported URL redirection (`py/url-redirection`) query to use new data-flow library. This might result in different results, but overall a more robust and accurate analysis.
diff --git a/python/ql/src/Security/CWE-601/UrlRedirect.ql b/python/ql/src/Security/CWE-601/UrlRedirect.ql
index cb517043a36..944726e1c98 100644
--- a/python/ql/src/Security/CWE-601/UrlRedirect.ql
+++ b/python/ql/src/Security/CWE-601/UrlRedirect.ql
@@ -12,30 +12,10 @@
  */
 
 import python
-import semmle.python.security.Paths
-import semmle.python.web.HttpRedirect
-import semmle.python.web.HttpRequest
-import semmle.python.security.strings.Untrusted
+import semmle.python.security.dataflow.UrlRedirect
+import DataFlow::PathGraph
 
-/** Url redirection is a problem only if the user controls the prefix of the URL */
-class UntrustedPrefixStringKind extends UntrustedStringKind {
-  override TaintKind getTaintForFlowStep(ControlFlowNode fromnode, ControlFlowNode tonode) {
-    result = UntrustedStringKind.super.getTaintForFlowStep(fromnode, tonode) and
-    not tonode.(BinaryExprNode).getRight() = fromnode
-  }
-}
-
-class UrlRedirectConfiguration extends TaintTracking::Configuration {
-  UrlRedirectConfiguration() { this = "URL redirect configuration" }
-
-  override predicate isSource(TaintTracking::Source source) {
-    source instanceof HttpRequestTaintSource
-  }
-
-  override predicate isSink(TaintTracking::Sink sink) { sink instanceof HttpRedirectTaintSink }
-}
-
-from UrlRedirectConfiguration config, TaintedPathSource src, TaintedPathSink sink
-where config.hasFlowPath(src, sink)
-select sink.getSink(), src, sink, "Untrusted URL redirection due to $@.", src.getSource(),
-  "a user-provided value"
+from UrlRedirectConfiguration config, DataFlow::PathNode source, DataFlow::PathNode sink
+where config.hasFlowPath(source, sink)
+select sink.getNode(), source, sink, "Untrusted URL redirection due to $@.", source.getNode(),
+  "A user-provided value"
diff --git a/python/ql/src/experimental/Security-old-dataflow/CWE-601/UrlRedirect.ql b/python/ql/src/experimental/Security-old-dataflow/CWE-601/UrlRedirect.ql
new file mode 100644
index 00000000000..cb517043a36
--- /dev/null
+++ b/python/ql/src/experimental/Security-old-dataflow/CWE-601/UrlRedirect.ql
@@ -0,0 +1,41 @@
+/**
+ * @name URL redirection from remote source
+ * @description URL redirection based on unvalidated user input
+ *              may cause redirection to malicious web sites.
+ * @kind path-problem
+ * @problem.severity error
+ * @sub-severity low
+ * @id py/url-redirection
+ * @tags security
+ *       external/cwe/cwe-601
+ * @precision high
+ */
+
+import python
+import semmle.python.security.Paths
+import semmle.python.web.HttpRedirect
+import semmle.python.web.HttpRequest
+import semmle.python.security.strings.Untrusted
+
+/** Url redirection is a problem only if the user controls the prefix of the URL */
+class UntrustedPrefixStringKind extends UntrustedStringKind {
+  override TaintKind getTaintForFlowStep(ControlFlowNode fromnode, ControlFlowNode tonode) {
+    result = UntrustedStringKind.super.getTaintForFlowStep(fromnode, tonode) and
+    not tonode.(BinaryExprNode).getRight() = fromnode
+  }
+}
+
+class UrlRedirectConfiguration extends TaintTracking::Configuration {
+  UrlRedirectConfiguration() { this = "URL redirect configuration" }
+
+  override predicate isSource(TaintTracking::Source source) {
+    source instanceof HttpRequestTaintSource
+  }
+
+  override predicate isSink(TaintTracking::Sink sink) { sink instanceof HttpRedirectTaintSink }
+}
+
+from UrlRedirectConfiguration config, TaintedPathSource src, TaintedPathSink sink
+where config.hasFlowPath(src, sink)
+select sink.getSink(), src, sink, "Untrusted URL redirection due to $@.", src.getSource(),
+  "a user-provided value"
diff --git a/python/ql/src/semmle/python/security/dataflow/UrlRedirect.qll b/python/ql/src/semmle/python/security/dataflow/UrlRedirect.qll
new file mode 100644
index 00000000000..d43df8417b0
--- /dev/null
+++ b/python/ql/src/semmle/python/security/dataflow/UrlRedirect.qll
@@ -0,0 +1,28 @@
+/**
+ * Provides a taint-tracking configuration for detecting URL redirection
+ * vulnerabilities.
+ */
+
+import python
+import semmle.python.dataflow.new.DataFlow
+import semmle.python.dataflow.new.TaintTracking
+import semmle.python.Concepts
+import semmle.python.dataflow.new.RemoteFlowSources
+import semmle.python.dataflow.new.BarrierGuards
+
+/**
+ * A taint-tracking configuration for detecting URL redirection vulnerabilities.
+ */
+class UrlRedirectConfiguration extends TaintTracking::Configuration {
+  UrlRedirectConfiguration() { this = "UrlRedirectConfiguration" }
+
+  override predicate isSource(DataFlow::Node source) { source instanceof RemoteFlowSource }
+
+  override predicate isSink(DataFlow::Node sink) {
+    sink = any(HTTP::Server::HttpRedirectResponse e).getRedirectLocation()
+  }
+
+  override predicate isSanitizerGuard(DataFlow::BarrierGuard guard) {
+    guard instanceof StringConstCompare
+  }
+}
diff --git a/python/ql/test/query-tests/Security/CWE-601/UrlRedirect.expected b/python/ql/test/query-tests/Security/CWE-601/UrlRedirect.expected
index ec681a905a5..e1bcf5948d9 100644
--- a/python/ql/test/query-tests/Security/CWE-601/UrlRedirect.expected
+++ b/python/ql/test/query-tests/Security/CWE-601/UrlRedirect.expected
@@ -1,52 +1,43 @@
 edges
-| test.py:7:14:7:25 | dict of externally controlled string | test.py:7:14:7:43 | externally controlled string |
-| test.py:7:14:7:25 | dict of externally controlled string | test.py:7:14:7:43 | externally controlled string |
-| test.py:7:14:7:43 | externally controlled string | test.py:8:21:8:26 | externally controlled string |
-| test.py:7:14:7:43 | externally controlled string | test.py:8:21:8:26 | externally controlled string |
-| test.py:30:17:30:28 | dict of externally controlled string | test.py:30:17:30:46 | externally controlled string |
-| test.py:30:17:30:28 | dict of externally controlled string | test.py:30:17:30:46 | externally controlled string |
-| test.py:30:17:30:46 | externally controlled string | test.py:31:41:31:49 | externally controlled string |
-| test.py:30:17:30:46 | externally controlled string | test.py:31:41:31:49 | externally controlled string |
-| test.py:31:12:31:50 | externally controlled string | test.py:32:21:32:24 | externally controlled string |
-| test.py:31:12:31:50 | externally controlled string | test.py:32:21:32:24 | externally controlled string |
-| test.py:31:41:31:49 | externally controlled string | test.py:31:12:31:50 | externally controlled string |
-| test.py:31:41:31:49 | externally controlled string | test.py:31:12:31:50 | externally controlled string |
-| test.py:37:17:37:28 | dict of externally controlled string | test.py:37:17:37:46 | externally controlled string |
-| test.py:37:17:37:28 | dict of externally controlled string | test.py:37:17:37:46 | externally controlled string |
-| test.py:37:17:37:46 | externally controlled string | test.py:38:32:38:40 | externally controlled string |
-| test.py:37:17:37:46 | externally controlled string | test.py:38:32:38:40 | externally controlled string |
-| test.py:38:12:38:42 | externally controlled string | test.py:39:21:39:24 | externally controlled string |
-| test.py:38:12:38:42 | externally controlled string | test.py:39:21:39:24 | externally controlled string |
-| test.py:38:32:38:40 | externally controlled string | test.py:38:12:38:42 | externally controlled string |
-| test.py:38:32:38:40 | externally controlled string | test.py:38:12:38:42 | externally controlled string |
-| test.py:53:17:53:28 | dict of externally controlled string | test.py:53:17:53:46 | externally controlled string |
-| test.py:53:17:53:28 | dict of externally controlled string | test.py:53:17:53:46 | externally controlled string |
-| test.py:53:17:53:46 | externally controlled string | test.py:54:14:54:22 | externally controlled string |
-| test.py:53:17:53:46 | externally controlled string | test.py:54:14:54:22 | externally controlled string |
-| test.py:54:14:54:22 | externally controlled string | test.py:54:14:54:41 | externally controlled string |
-| test.py:54:14:54:22 | externally controlled string | test.py:54:14:54:41 | externally controlled string |
-| test.py:54:14:54:41 | externally controlled string | test.py:55:21:55:26 | externally controlled string |
-| test.py:54:14:54:41 | externally controlled string | test.py:55:21:55:26 | externally controlled string |
-| test.py:60:17:60:28 | dict of externally controlled string | test.py:60:17:60:46 | externally controlled string |
-| test.py:60:17:60:28 | dict of externally controlled string | test.py:60:17:60:46 | externally controlled string |
-| test.py:60:17:60:46 | externally controlled string | test.py:61:40:61:48 | externally controlled string |
-| test.py:60:17:60:46 | externally controlled string | test.py:61:40:61:48 | externally controlled string |
-| test.py:61:14:61:49 | externally controlled string | test.py:62:21:62:26 | externally controlled string |
-| test.py:61:14:61:49 | externally controlled string | test.py:62:21:62:26 | externally controlled string |
-| test.py:61:40:61:48 | externally controlled string | test.py:61:14:61:49 | externally controlled string |
-| test.py:61:40:61:48 | externally controlled string | test.py:61:14:61:49 | externally controlled string |
-| test.py:67:17:67:28 | dict of externally controlled string | test.py:67:17:67:46 | externally controlled string |
-| test.py:67:17:67:28 | dict of externally controlled string | test.py:67:17:67:46 | externally controlled string |
-| test.py:67:17:67:46 | externally controlled string | test.py:68:17:68:25 | externally controlled string |
-| test.py:67:17:67:46 | externally controlled string | test.py:68:17:68:25 | externally controlled string |
-| test.py:68:14:68:41 | externally controlled string | test.py:69:21:69:26 | externally controlled string |
-| test.py:68:14:68:41 | externally controlled string | test.py:69:21:69:26 | externally controlled string |
-| test.py:68:17:68:25 | externally controlled string | test.py:68:14:68:41 | externally controlled string |
-| test.py:68:17:68:25 | externally controlled string | test.py:68:14:68:41 | externally controlled string |
+| test.py:7:14:7:25 | ControlFlowNode for Attribute | test.py:8:21:8:26 | ControlFlowNode for target |
+| test.py:15:17:15:28 | ControlFlowNode for Attribute | test.py:18:21:18:24 | ControlFlowNode for safe |
+| test.py:23:17:23:28 | ControlFlowNode for Attribute | test.py:25:21:25:24 | ControlFlowNode for safe |
+| test.py:30:17:30:28 | ControlFlowNode for Attribute | test.py:32:21:32:24 | ControlFlowNode for safe |
+| test.py:37:17:37:28 | ControlFlowNode for Attribute | test.py:39:21:39:24 | ControlFlowNode for safe |
+| test.py:44:17:44:28 | ControlFlowNode for Attribute | test.py:46:21:46:24 | ControlFlowNode for safe |
+| test.py:53:17:53:28 | ControlFlowNode for Attribute | test.py:55:21:55:26 | ControlFlowNode for unsafe |
+| test.py:60:17:60:28 | ControlFlowNode for Attribute | test.py:62:21:62:26 | ControlFlowNode for unsafe |
+| test.py:67:17:67:28 | ControlFlowNode for Attribute | test.py:69:21:69:26 | ControlFlowNode for unsafe |
+| test.py:74:17:74:28 | ControlFlowNode for Attribute | test.py:76:21:76:26 | ControlFlowNode for unsafe |
+nodes
+| test.py:7:14:7:25 | ControlFlowNode for Attribute | semmle.label | ControlFlowNode for Attribute |
+| test.py:8:21:8:26 | ControlFlowNode for target | semmle.label | ControlFlowNode for target |
+| test.py:15:17:15:28 | ControlFlowNode for Attribute | semmle.label | ControlFlowNode for Attribute |
+| test.py:18:21:18:24 | ControlFlowNode for safe | semmle.label | ControlFlowNode for safe |
+| test.py:23:17:23:28 | ControlFlowNode for Attribute | semmle.label | ControlFlowNode for Attribute |
+| test.py:25:21:25:24 | ControlFlowNode for safe | semmle.label | ControlFlowNode for safe |
+| test.py:30:17:30:28 | ControlFlowNode for Attribute | semmle.label | ControlFlowNode for Attribute |
+| test.py:32:21:32:24 | ControlFlowNode for safe | semmle.label | ControlFlowNode for safe |
+| test.py:37:17:37:28 | ControlFlowNode for Attribute | semmle.label | ControlFlowNode for Attribute |
+| test.py:39:21:39:24 | ControlFlowNode for safe | semmle.label | ControlFlowNode for safe |
+| test.py:44:17:44:28 | ControlFlowNode for Attribute | semmle.label | ControlFlowNode for Attribute |
+| test.py:46:21:46:24 | ControlFlowNode for safe | semmle.label | ControlFlowNode for safe |
+| test.py:53:17:53:28 | ControlFlowNode for Attribute | semmle.label | ControlFlowNode for Attribute |
+| test.py:55:21:55:26 | ControlFlowNode for unsafe | semmle.label | ControlFlowNode for unsafe |
+| test.py:60:17:60:28 | ControlFlowNode for Attribute | semmle.label | ControlFlowNode for Attribute |
+| test.py:62:21:62:26 | ControlFlowNode for unsafe | semmle.label | ControlFlowNode for unsafe |
+| test.py:67:17:67:28 | ControlFlowNode for Attribute | semmle.label | ControlFlowNode for Attribute |
+| test.py:69:21:69:26 | ControlFlowNode for unsafe | semmle.label | ControlFlowNode for unsafe |
+| test.py:74:17:74:28 | ControlFlowNode for Attribute | semmle.label | ControlFlowNode for Attribute |
+| test.py:76:21:76:26 | ControlFlowNode for unsafe | semmle.label | ControlFlowNode for unsafe |
 #select
-| test.py:8:21:8:26 | target | test.py:7:14:7:25 | dict of externally controlled string | test.py:8:21:8:26 | externally controlled string | Untrusted URL redirection due to $@. | test.py:7:14:7:25 | Attribute | a user-provided value |
-| test.py:32:21:32:24 | safe | test.py:30:17:30:28 | dict of externally controlled string | test.py:32:21:32:24 | externally controlled string | Untrusted URL redirection due to $@. | test.py:30:17:30:28 | Attribute | a user-provided value |
-| test.py:39:21:39:24 | safe | test.py:37:17:37:28 | dict of externally controlled string | test.py:39:21:39:24 | externally controlled string | Untrusted URL redirection due to $@. | test.py:37:17:37:28 | Attribute | a user-provided value |
-| test.py:55:21:55:26 | unsafe | test.py:53:17:53:28 | dict of externally controlled string | test.py:55:21:55:26 | externally controlled string | Untrusted URL redirection due to $@. | test.py:53:17:53:28 | Attribute | a user-provided value |
-| test.py:62:21:62:26 | unsafe | test.py:60:17:60:28 | dict of externally controlled string | test.py:62:21:62:26 | externally controlled string | Untrusted URL redirection due to $@. | test.py:60:17:60:28 | Attribute | a user-provided value |
-| test.py:69:21:69:26 | unsafe | test.py:67:17:67:28 | dict of externally controlled string | test.py:69:21:69:26 | externally controlled string | Untrusted URL redirection due to $@. | test.py:67:17:67:28 | Attribute | a user-provided value |
+| test.py:8:21:8:26 | ControlFlowNode for target | test.py:7:14:7:25 | ControlFlowNode for Attribute | test.py:8:21:8:26 | ControlFlowNode for target | Untrusted URL redirection due to $@. | test.py:7:14:7:25 | ControlFlowNode for Attribute | A user-provided value |
+| test.py:18:21:18:24 | ControlFlowNode for safe | test.py:15:17:15:28 | ControlFlowNode for Attribute | test.py:18:21:18:24 | ControlFlowNode for safe | Untrusted URL redirection due to $@. | test.py:15:17:15:28 | ControlFlowNode for Attribute | A user-provided value |
+| test.py:25:21:25:24 | ControlFlowNode for safe | test.py:23:17:23:28 | ControlFlowNode for Attribute | test.py:25:21:25:24 | ControlFlowNode for safe | Untrusted URL redirection due to $@. | test.py:23:17:23:28 | ControlFlowNode for Attribute | A user-provided value |
+| test.py:32:21:32:24 | ControlFlowNode for safe | test.py:30:17:30:28 | ControlFlowNode for Attribute | test.py:32:21:32:24 | ControlFlowNode for safe | Untrusted URL redirection due to $@. | test.py:30:17:30:28 | ControlFlowNode for Attribute | A user-provided value |
+| test.py:39:21:39:24 | ControlFlowNode for safe | test.py:37:17:37:28 | ControlFlowNode for Attribute | test.py:39:21:39:24 | ControlFlowNode for safe | Untrusted URL redirection due to $@. | test.py:37:17:37:28 | ControlFlowNode for Attribute | A user-provided value |
+| test.py:46:21:46:24 | ControlFlowNode for safe | test.py:44:17:44:28 | ControlFlowNode for Attribute | test.py:46:21:46:24 | ControlFlowNode for safe | Untrusted URL redirection due to $@. | test.py:44:17:44:28 | ControlFlowNode for Attribute | A user-provided value |
+| test.py:55:21:55:26 | ControlFlowNode for unsafe | test.py:53:17:53:28 | ControlFlowNode for Attribute | test.py:55:21:55:26 | ControlFlowNode for unsafe | Untrusted URL redirection due to $@. | test.py:53:17:53:28 | ControlFlowNode for Attribute | A user-provided value |
+| test.py:62:21:62:26 | ControlFlowNode for unsafe | test.py:60:17:60:28 | ControlFlowNode for Attribute | test.py:62:21:62:26 | ControlFlowNode for unsafe | Untrusted URL redirection due to $@. | test.py:60:17:60:28 | ControlFlowNode for Attribute | A user-provided value |
+| test.py:69:21:69:26 | ControlFlowNode for unsafe | test.py:67:17:67:28 | ControlFlowNode for Attribute | test.py:69:21:69:26 | ControlFlowNode for unsafe | Untrusted URL redirection due to $@. | test.py:67:17:67:28 | ControlFlowNode for Attribute | A user-provided value |
+| test.py:76:21:76:26 | ControlFlowNode for unsafe | test.py:74:17:74:28 | ControlFlowNode for Attribute | test.py:76:21:76:26 | ControlFlowNode for unsafe | Untrusted URL redirection due to $@. | test.py:74:17:74:28 | ControlFlowNode for Attribute | A user-provided value |
diff --git a/python/ql/test/query-tests/Security/CWE-601/test.py b/python/ql/test/query-tests/Security/CWE-601/test.py
index dfc9e37281d..680038576e1 100644
--- a/python/ql/test/query-tests/Security/CWE-601/test.py
+++ b/python/ql/test/query-tests/Security/CWE-601/test.py
@@ -15,14 +15,14 @@ def ok():
     untrusted = request.args.get('target', '')
     safe = "https://safe.com/"
     safe += untrusted
-    return redirect(safe, code=302)
+    return redirect(safe, code=302) # FP
 
 
 @app.route('/ok2')
 def ok2():
     untrusted = request.args.get('target', '')
     safe = "https://safe.com/" + untrusted
-    return redirect(safe, code=302)
+    return redirect(safe, code=302) # FP
 
 
 @app.route('/ok3')
@@ -43,7 +43,7 @@ def ok4():
 def ok5():
     untrusted = request.args.get('target', '')
     safe = "https://safe.com/%s" % untrusted
-    return redirect(safe, code=302)
+    return redirect(safe, code=302) # FP
 
 
 # Check that our sanitizer is not too broad
@@ -73,4 +73,4 @@ def not_ok3():
 def not_ok4():
     untrusted = request.args.get('target', '')
     unsafe = "%s?login=success" % untrusted
-    return redirect(unsafe, code=302) # Missing result
+    return redirect(unsafe, code=302)

From 37aa9b9d060dceb2a6b8f080f0fa78655454b6d5 Mon Sep 17 00:00:00 2001
From: Rasmus Wriedt Larsen <rasmuswl@github.com>
Date: Tue, 19 Jan 2021 16:08:10 +0100
Subject: [PATCH 020/429] Python: Add prefix sanitizer on URL redirect query

This doesn't cover 100% of what we want to, but matches what we used to.
---
 .../src/semmle/python/security/dataflow/UrlRedirect.qll  | 9 +++++++++
 .../query-tests/Security/CWE-601/UrlRedirect.expected    | 8 --------
 python/ql/test/query-tests/Security/CWE-601/test.py      | 4 ++--
 3 files changed, 11 insertions(+), 10 deletions(-)

diff --git a/python/ql/src/semmle/python/security/dataflow/UrlRedirect.qll b/python/ql/src/semmle/python/security/dataflow/UrlRedirect.qll
index d43df8417b0..7017bf8aa29 100644
--- a/python/ql/src/semmle/python/security/dataflow/UrlRedirect.qll
+++ b/python/ql/src/semmle/python/security/dataflow/UrlRedirect.qll
@@ -22,6 +22,15 @@ class UrlRedirectConfiguration extends TaintTracking::Configuration {
     sink = any(HTTP::Server::HttpRedirectResponse e).getRedirectLocation()
   }
 
+  override predicate isSanitizer(DataFlow::Node node) {
+    // Url redirection is a problem only if the user controls the prefix of the URL.
+    // This is a copy of the taint-sanitizer from the old points-to query, which doesn't
+    // cover formatting.
+    exists(BinaryExprNode string_concat | string_concat.getOp() instanceof Add |
+      string_concat.getRight() = node.asCfgNode()
+    )
+  }
+
   override predicate isSanitizerGuard(DataFlow::BarrierGuard guard) {
     guard instanceof StringConstCompare
   }
diff --git a/python/ql/test/query-tests/Security/CWE-601/UrlRedirect.expected b/python/ql/test/query-tests/Security/CWE-601/UrlRedirect.expected
index e1bcf5948d9..1e108f545ca 100644
--- a/python/ql/test/query-tests/Security/CWE-601/UrlRedirect.expected
+++ b/python/ql/test/query-tests/Security/CWE-601/UrlRedirect.expected
@@ -1,7 +1,5 @@
 edges
 | test.py:7:14:7:25 | ControlFlowNode for Attribute | test.py:8:21:8:26 | ControlFlowNode for target |
-| test.py:15:17:15:28 | ControlFlowNode for Attribute | test.py:18:21:18:24 | ControlFlowNode for safe |
-| test.py:23:17:23:28 | ControlFlowNode for Attribute | test.py:25:21:25:24 | ControlFlowNode for safe |
 | test.py:30:17:30:28 | ControlFlowNode for Attribute | test.py:32:21:32:24 | ControlFlowNode for safe |
 | test.py:37:17:37:28 | ControlFlowNode for Attribute | test.py:39:21:39:24 | ControlFlowNode for safe |
 | test.py:44:17:44:28 | ControlFlowNode for Attribute | test.py:46:21:46:24 | ControlFlowNode for safe |
@@ -12,10 +10,6 @@ edges
 nodes
 | test.py:7:14:7:25 | ControlFlowNode for Attribute | semmle.label | ControlFlowNode for Attribute |
 | test.py:8:21:8:26 | ControlFlowNode for target | semmle.label | ControlFlowNode for target |
-| test.py:15:17:15:28 | ControlFlowNode for Attribute | semmle.label | ControlFlowNode for Attribute |
-| test.py:18:21:18:24 | ControlFlowNode for safe | semmle.label | ControlFlowNode for safe |
-| test.py:23:17:23:28 | ControlFlowNode for Attribute | semmle.label | ControlFlowNode for Attribute |
-| test.py:25:21:25:24 | ControlFlowNode for safe | semmle.label | ControlFlowNode for safe |
 | test.py:30:17:30:28 | ControlFlowNode for Attribute | semmle.label | ControlFlowNode for Attribute |
 | test.py:32:21:32:24 | ControlFlowNode for safe | semmle.label | ControlFlowNode for safe |
 | test.py:37:17:37:28 | ControlFlowNode for Attribute | semmle.label | ControlFlowNode for Attribute |
@@ -32,8 +26,6 @@ nodes
 | test.py:76:21:76:26 | ControlFlowNode for unsafe | semmle.label | ControlFlowNode for unsafe |
 #select
 | test.py:8:21:8:26 | ControlFlowNode for target | test.py:7:14:7:25 | ControlFlowNode for Attribute | test.py:8:21:8:26 | ControlFlowNode for target | Untrusted URL redirection due to $@. | test.py:7:14:7:25 | ControlFlowNode for Attribute | A user-provided value |
-| test.py:18:21:18:24 | ControlFlowNode for safe | test.py:15:17:15:28 | ControlFlowNode for Attribute | test.py:18:21:18:24 | ControlFlowNode for safe | Untrusted URL redirection due to $@. | test.py:15:17:15:28 | ControlFlowNode for Attribute | A user-provided value |
-| test.py:25:21:25:24 | ControlFlowNode for safe | test.py:23:17:23:28 | ControlFlowNode for Attribute | test.py:25:21:25:24 | ControlFlowNode for safe | Untrusted URL redirection due to $@. | test.py:23:17:23:28 | ControlFlowNode for Attribute | A user-provided value |
 | test.py:32:21:32:24 | ControlFlowNode for safe | test.py:30:17:30:28 | ControlFlowNode for Attribute | test.py:32:21:32:24 | ControlFlowNode for safe | Untrusted URL redirection due to $@. | test.py:30:17:30:28 | ControlFlowNode for Attribute | A user-provided value |
 | test.py:39:21:39:24 | ControlFlowNode for safe | test.py:37:17:37:28 | ControlFlowNode for Attribute | test.py:39:21:39:24 | ControlFlowNode for safe | Untrusted URL redirection due to $@. | test.py:37:17:37:28 | ControlFlowNode for Attribute | A user-provided value |
 | test.py:46:21:46:24 | ControlFlowNode for safe | test.py:44:17:44:28 | ControlFlowNode for Attribute | test.py:46:21:46:24 | ControlFlowNode for safe | Untrusted URL redirection due to $@. | test.py:44:17:44:28 | ControlFlowNode for Attribute | A user-provided value |
diff --git a/python/ql/test/query-tests/Security/CWE-601/test.py b/python/ql/test/query-tests/Security/CWE-601/test.py
index 680038576e1..a2aee6562b2 100644
--- a/python/ql/test/query-tests/Security/CWE-601/test.py
+++ b/python/ql/test/query-tests/Security/CWE-601/test.py
@@ -15,14 +15,14 @@ def ok():
     untrusted = request.args.get('target', '')
     safe = "https://safe.com/"
     safe += untrusted
-    return redirect(safe, code=302) # FP
+    return redirect(safe, code=302)
 
 
 @app.route('/ok2')
 def ok2():
     untrusted = request.args.get('target', '')
     safe = "https://safe.com/" + untrusted
-    return redirect(safe, code=302) # FP
+    return redirect(safe, code=302)
 
 
 @app.route('/ok3')

From 526ccdd2279c20c4de657be44f2c2cba31462633 Mon Sep 17 00:00:00 2001
From: Rasmus Wriedt Larsen <rasmuswl@github.com>
Date: Tue, 19 Jan 2021 16:21:27 +0100
Subject: [PATCH 021/429] Python: Add safe example from qhelp to qltests

---
 .../query-tests/Security/CWE-601/UrlRedirect.expected     | 8 ++++----
 python/ql/test/query-tests/Security/CWE-601/test.py       | 7 +++++++
 2 files changed, 11 insertions(+), 4 deletions(-)

diff --git a/python/ql/test/query-tests/Security/CWE-601/UrlRedirect.expected b/python/ql/test/query-tests/Security/CWE-601/UrlRedirect.expected
index 1e108f545ca..53098240671 100644
--- a/python/ql/test/query-tests/Security/CWE-601/UrlRedirect.expected
+++ b/python/ql/test/query-tests/Security/CWE-601/UrlRedirect.expected
@@ -3,10 +3,10 @@ edges
 | test.py:30:17:30:28 | ControlFlowNode for Attribute | test.py:32:21:32:24 | ControlFlowNode for safe |
 | test.py:37:17:37:28 | ControlFlowNode for Attribute | test.py:39:21:39:24 | ControlFlowNode for safe |
 | test.py:44:17:44:28 | ControlFlowNode for Attribute | test.py:46:21:46:24 | ControlFlowNode for safe |
-| test.py:53:17:53:28 | ControlFlowNode for Attribute | test.py:55:21:55:26 | ControlFlowNode for unsafe |
 | test.py:60:17:60:28 | ControlFlowNode for Attribute | test.py:62:21:62:26 | ControlFlowNode for unsafe |
 | test.py:67:17:67:28 | ControlFlowNode for Attribute | test.py:69:21:69:26 | ControlFlowNode for unsafe |
 | test.py:74:17:74:28 | ControlFlowNode for Attribute | test.py:76:21:76:26 | ControlFlowNode for unsafe |
+| test.py:81:17:81:28 | ControlFlowNode for Attribute | test.py:83:21:83:26 | ControlFlowNode for unsafe |
 nodes
 | test.py:7:14:7:25 | ControlFlowNode for Attribute | semmle.label | ControlFlowNode for Attribute |
 | test.py:8:21:8:26 | ControlFlowNode for target | semmle.label | ControlFlowNode for target |
@@ -16,20 +16,20 @@ nodes
 | test.py:39:21:39:24 | ControlFlowNode for safe | semmle.label | ControlFlowNode for safe |
 | test.py:44:17:44:28 | ControlFlowNode for Attribute | semmle.label | ControlFlowNode for Attribute |
 | test.py:46:21:46:24 | ControlFlowNode for safe | semmle.label | ControlFlowNode for safe |
-| test.py:53:17:53:28 | ControlFlowNode for Attribute | semmle.label | ControlFlowNode for Attribute |
-| test.py:55:21:55:26 | ControlFlowNode for unsafe | semmle.label | ControlFlowNode for unsafe |
 | test.py:60:17:60:28 | ControlFlowNode for Attribute | semmle.label | ControlFlowNode for Attribute |
 | test.py:62:21:62:26 | ControlFlowNode for unsafe | semmle.label | ControlFlowNode for unsafe |
 | test.py:67:17:67:28 | ControlFlowNode for Attribute | semmle.label | ControlFlowNode for Attribute |
 | test.py:69:21:69:26 | ControlFlowNode for unsafe | semmle.label | ControlFlowNode for unsafe |
 | test.py:74:17:74:28 | ControlFlowNode for Attribute | semmle.label | ControlFlowNode for Attribute |
 | test.py:76:21:76:26 | ControlFlowNode for unsafe | semmle.label | ControlFlowNode for unsafe |
+| test.py:81:17:81:28 | ControlFlowNode for Attribute | semmle.label | ControlFlowNode for Attribute |
+| test.py:83:21:83:26 | ControlFlowNode for unsafe | semmle.label | ControlFlowNode for unsafe |
 #select
 | test.py:8:21:8:26 | ControlFlowNode for target | test.py:7:14:7:25 | ControlFlowNode for Attribute | test.py:8:21:8:26 | ControlFlowNode for target | Untrusted URL redirection due to $@. | test.py:7:14:7:25 | ControlFlowNode for Attribute | A user-provided value |
 | test.py:32:21:32:24 | ControlFlowNode for safe | test.py:30:17:30:28 | ControlFlowNode for Attribute | test.py:32:21:32:24 | ControlFlowNode for safe | Untrusted URL redirection due to $@. | test.py:30:17:30:28 | ControlFlowNode for Attribute | A user-provided value |
 | test.py:39:21:39:24 | ControlFlowNode for safe | test.py:37:17:37:28 | ControlFlowNode for Attribute | test.py:39:21:39:24 | ControlFlowNode for safe | Untrusted URL redirection due to $@. | test.py:37:17:37:28 | ControlFlowNode for Attribute | A user-provided value |
 | test.py:46:21:46:24 | ControlFlowNode for safe | test.py:44:17:44:28 | ControlFlowNode for Attribute | test.py:46:21:46:24 | ControlFlowNode for safe | Untrusted URL redirection due to $@. | test.py:44:17:44:28 | ControlFlowNode for Attribute | A user-provided value |
-| test.py:55:21:55:26 | ControlFlowNode for unsafe | test.py:53:17:53:28 | ControlFlowNode for Attribute | test.py:55:21:55:26 | ControlFlowNode for unsafe | Untrusted URL redirection due to $@. | test.py:53:17:53:28 | ControlFlowNode for Attribute | A user-provided value |
 | test.py:62:21:62:26 | ControlFlowNode for unsafe | test.py:60:17:60:28 | ControlFlowNode for Attribute | test.py:62:21:62:26 | ControlFlowNode for unsafe | Untrusted URL redirection due to $@. | test.py:60:17:60:28 | ControlFlowNode for Attribute | A user-provided value |
 | test.py:69:21:69:26 | ControlFlowNode for unsafe | test.py:67:17:67:28 | ControlFlowNode for Attribute | test.py:69:21:69:26 | ControlFlowNode for unsafe | Untrusted URL redirection due to $@. | test.py:67:17:67:28 | ControlFlowNode for Attribute | A user-provided value |
 | test.py:76:21:76:26 | ControlFlowNode for unsafe | test.py:74:17:74:28 | ControlFlowNode for Attribute | test.py:76:21:76:26 | ControlFlowNode for unsafe | Untrusted URL redirection due to $@. | test.py:74:17:74:28 | ControlFlowNode for Attribute | A user-provided value |
+| test.py:83:21:83:26 | ControlFlowNode for unsafe | test.py:81:17:81:28 | ControlFlowNode for Attribute | test.py:83:21:83:26 | ControlFlowNode for unsafe | Untrusted URL redirection due to $@. | test.py:81:17:81:28 | ControlFlowNode for Attribute | A user-provided value |
diff --git a/python/ql/test/query-tests/Security/CWE-601/test.py b/python/ql/test/query-tests/Security/CWE-601/test.py
index a2aee6562b2..381eb3a4bae 100644
--- a/python/ql/test/query-tests/Security/CWE-601/test.py
+++ b/python/ql/test/query-tests/Security/CWE-601/test.py
@@ -46,6 +46,13 @@ def ok5():
     return redirect(safe, code=302) # FP
 
 
+@app.route('/const-str-compare')
+def const_str_compare():
+    target = request.args.get('target', '')
+    if target == "example.com/":
+        return redirect(target, code=302)
+
+
 # Check that our sanitizer is not too broad
 
 @app.route('/not_ok1')

From 5c6f5b7b33311d5a0072361c0828af0d3077a1a2 Mon Sep 17 00:00:00 2001
From: Luke Cartey <5377966+lcartey@users.noreply.github.com>
Date: Wed, 20 Jan 2021 16:53:03 +0000
Subject: [PATCH 022/429] Java: Track taint through Spring Java bean getters on
 super types

---
 .../code/java/dataflow/internal/TaintTrackingUtil.qll      | 7 +++++--
 1 file changed, 5 insertions(+), 2 deletions(-)

diff --git a/java/ql/src/semmle/code/java/dataflow/internal/TaintTrackingUtil.qll b/java/ql/src/semmle/code/java/dataflow/internal/TaintTrackingUtil.qll
index b627d59783f..35f820f9521 100644
--- a/java/ql/src/semmle/code/java/dataflow/internal/TaintTrackingUtil.qll
+++ b/java/ql/src/semmle/code/java/dataflow/internal/TaintTrackingUtil.qll
@@ -345,7 +345,9 @@ private predicate taintPreservingQualifierToMethod(Method m) {
   m.getDeclaringType() instanceof TypeUri and
   m.hasName("toURL")
   or
-  m instanceof GetterMethod and m.getDeclaringType() instanceof SpringUntrustedDataType
+  m instanceof GetterMethod and
+  m.getDeclaringType().getASubtype*() instanceof SpringUntrustedDataType and
+  not m.getDeclaringType() instanceof TypeObject
   or
   m.getDeclaringType() instanceof SpringHttpEntity and
   m.getName().regexpMatch("getBody|getHeaders")
@@ -684,7 +686,8 @@ private class FormatterCallable extends TaintPreservingCallable {
     (
       this.hasName(["format", "out", "toString"])
       or
-      this.(Constructor)
+      this
+          .(Constructor)
           .getParameterType(0)
           .(RefType)
           .getASourceSupertype*()

From 48083d657a3d5552c334ec7aa126456dce30da3a Mon Sep 17 00:00:00 2001
From: Rasmus Wriedt Larsen <rasmuswl@github.com>
Date: Thu, 21 Jan 2021 13:40:58 +0100
Subject: [PATCH 023/429] Python: Apply code-review suggestion

Co-authored-by: yoff <lerchedahl@gmail.com>
---
 python/ql/src/semmle/python/security/dataflow/UrlRedirect.qll | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)

diff --git a/python/ql/src/semmle/python/security/dataflow/UrlRedirect.qll b/python/ql/src/semmle/python/security/dataflow/UrlRedirect.qll
index 7017bf8aa29..27c1dabab98 100644
--- a/python/ql/src/semmle/python/security/dataflow/UrlRedirect.qll
+++ b/python/ql/src/semmle/python/security/dataflow/UrlRedirect.qll
@@ -24,7 +24,7 @@ class UrlRedirectConfiguration extends TaintTracking::Configuration {
 
   override predicate isSanitizer(DataFlow::Node node) {
     // Url redirection is a problem only if the user controls the prefix of the URL.
-    // This is a copy of the taint-sanitizer from the old points-to query, which doesn't
+    // TODO: This is a copy of the taint-sanitizer from the old points-to query, which doesn't
     // cover formatting.
     exists(BinaryExprNode string_concat | string_concat.getOp() instanceof Add |
       string_concat.getRight() = node.asCfgNode()

From 2f86937e5ae5f58693f55a32856b9cdfe475321a Mon Sep 17 00:00:00 2001
From: Rasmus Wriedt Larsen <rasmuswl@github.com>
Date: Thu, 21 Jan 2021 13:44:56 +0100
Subject: [PATCH 024/429] Python: Remove unused param in test code

---
 .../library-tests/frameworks/django-v1/response_test.py         | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)

diff --git a/python/ql/test/experimental/library-tests/frameworks/django-v1/response_test.py b/python/ql/test/experimental/library-tests/frameworks/django-v1/response_test.py
index 69cdd899c8d..f214cfb63d3 100644
--- a/python/ql/test/experimental/library-tests/frameworks/django-v1/response_test.py
+++ b/python/ql/test/experimental/library-tests/frameworks/django-v1/response_test.py
@@ -21,7 +21,7 @@ def or__redirect(request):
     next = request.GET.get("next")
     return HttpResponseRedirect(next)  # $HttpResponse mimetype=text/html HttpRedirectResponse redirectLocation=next
 
-def information_exposure_through_redirect(request, as_kw=False, perm_redirect=False):
+def information_exposure_through_redirect(request, as_kw=False):
     # This is a contrived example, but possible
     private = "private"
     next = request.GET.get("next")

From 7a76a5134e7e01537231fc6f7a23dd51965ad913 Mon Sep 17 00:00:00 2001
From: Rasmus Wriedt Larsen <rasmuswl@github.com>
Date: Thu, 21 Jan 2021 14:04:11 +0100
Subject: [PATCH 025/429] Python: Add redirect modeling for Tornado

After making https://github.com/github/codeql/pull/4995, I realized how easy
this would be :D

Will need to do some manual merge-conflict handling, but it should be all good
:)
---
 .../src/semmle/python/frameworks/Tornado.qll  | 38 +++++++++++++++++++
 .../library-tests/frameworks/tornado/basic.py |  2 +-
 2 files changed, 39 insertions(+), 1 deletion(-)

diff --git a/python/ql/src/semmle/python/frameworks/Tornado.qll b/python/ql/src/semmle/python/frameworks/Tornado.qll
index 995fb19747d..29c91654b4a 100644
--- a/python/ql/src/semmle/python/frameworks/Tornado.qll
+++ b/python/ql/src/semmle/python/frameworks/Tornado.qll
@@ -216,6 +216,17 @@ private module Tornado {
         /** Gets a reference to one of the methods `get_arguments`, `get_body_arguments`, `get_query_arguments`. */
         DataFlow::Node argumentsMethod() { result = argumentsMethod(DataFlow::TypeTracker::end()) }
 
+        /** Gets a reference the `redirect` method. */
+        private DataFlow::Node redirectMethod(DataFlow::TypeTracker t) {
+          t.startInAttr("redirect") and
+          result = instance()
+          or
+          exists(DataFlow::TypeTracker t2 | result = redirectMethod(t2).track(t2, t))
+        }
+
+        /** Gets a reference the `redirect` method. */
+        DataFlow::Node redirectMethod() { result = redirectMethod(DataFlow::TypeTracker::end()) }
+
         private class AdditionalTaintStep extends TaintTracking::AdditionalTaintStep {
           override predicate step(DataFlow::Node nodeFrom, DataFlow::Node nodeTo) {
             // Method access
@@ -540,4 +551,31 @@ private module Tornado {
       not result = this.getArg(0)
     }
   }
+
+  // ---------------------------------------------------------------------------
+  // Response modeling
+  // ---------------------------------------------------------------------------
+  /**
+   * A call to `tornado.web.RequestHandler.write` method.
+   *
+   * See https://www.tornadoweb.org/en/stable/web.html?highlight=write#tornado.web.RequestHandler.write
+   */
+  private class TornadoRequestHandlerRedirectCall extends HTTP::Server::HttpRedirectResponse::Range,
+    DataFlow::CfgNode {
+    override CallNode node;
+
+    TornadoRequestHandlerRedirectCall() {
+      node.getFunction() = tornado::web::RequestHandler::redirectMethod().asCfgNode()
+    }
+
+    override DataFlow::Node getRedirectLocation() {
+      result.asCfgNode() in [node.getArg(0), node.getArgByName("url")]
+    }
+
+    override DataFlow::Node getBody() { none() }
+
+    override string getMimetypeDefault() { none() }
+
+    override DataFlow::Node getMimetypeOrContentTypeArg() { none() }
+  }
 }
diff --git a/python/ql/test/experimental/library-tests/frameworks/tornado/basic.py b/python/ql/test/experimental/library-tests/frameworks/tornado/basic.py
index 6733de040b1..24b37d74a1b 100644
--- a/python/ql/test/experimental/library-tests/frameworks/tornado/basic.py
+++ b/python/ql/test/experimental/library-tests/frameworks/tornado/basic.py
@@ -25,7 +25,7 @@ class RedirectHandler(tornado.web.RequestHandler):
         req = self.request
         h = req.headers
         url = h["url"]
-        self.redirect(url)
+        self.redirect(url) # $ HttpRedirectResponse HttpResponse redirectLocation=url
 
 
 class BaseReverseInheritance(tornado.web.RequestHandler):

From 9071ba2f99ef3f09732999b517a72d45b30c210e Mon Sep 17 00:00:00 2001
From: ihsinme <61293369+ihsinme@users.noreply.github.com>
Date: Mon, 25 Jan 2021 00:06:19 +0300
Subject: [PATCH 026/429] Add files via upload

---
 ...ctingAndHandlingMemoryAllocationErrors.cpp | 32 +++++++
 ...ingAndHandlingMemoryAllocationErrors.qhelp | 29 ++++++
 ...ectingAndHandlingMemoryAllocationErrors.ql | 93 +++++++++++++++++++
 3 files changed, 154 insertions(+)
 create mode 100644 cpp/ql/src/experimental/Security/CWE/CWE-570/WrongInDetectingAndHandlingMemoryAllocationErrors.cpp
 create mode 100644 cpp/ql/src/experimental/Security/CWE/CWE-570/WrongInDetectingAndHandlingMemoryAllocationErrors.qhelp
 create mode 100644 cpp/ql/src/experimental/Security/CWE/CWE-570/WrongInDetectingAndHandlingMemoryAllocationErrors.ql

diff --git a/cpp/ql/src/experimental/Security/CWE/CWE-570/WrongInDetectingAndHandlingMemoryAllocationErrors.cpp b/cpp/ql/src/experimental/Security/CWE/CWE-570/WrongInDetectingAndHandlingMemoryAllocationErrors.cpp
new file mode 100644
index 00000000000..6fc3bc2f893
--- /dev/null
+++ b/cpp/ql/src/experimental/Security/CWE/CWE-570/WrongInDetectingAndHandlingMemoryAllocationErrors.cpp
@@ -0,0 +1,32 @@
+// BAD: no memory allocation errors are detected
+void f(const int *array, std::size_t size) noexcept {
+  int *copy = new int[size];
+  std::memcpy(copy, array, size * sizeof(*copy));
+  // ...
+  delete [] copy;
+}
+// GOOD: memory allocation errors are detected
+void f(const int *array, std::size_t size) noexcept {
+  int *copy;
+  try {
+    copy = new int[size];
+  } catch(std::bad_alloc) {
+    // Handle error
+    return;
+  }
+  // At this point, copy has been initialized to allocated memory
+  std::memcpy(copy, array, size * sizeof(*copy));
+  // ...
+  delete [] copy;
+}
+// GOOD: memory allocation errors are detected
+void f(const int *array, std::size_t size) noexcept {
+  int *copy = new (std::nothrow) int[size];
+  if (!copy) {
+    // Handle error
+    return;
+  }
+  std::memcpy(copy, array, size * sizeof(*copy));
+  // ...
+  delete [] copy;
+}
diff --git a/cpp/ql/src/experimental/Security/CWE/CWE-570/WrongInDetectingAndHandlingMemoryAllocationErrors.qhelp b/cpp/ql/src/experimental/Security/CWE/CWE-570/WrongInDetectingAndHandlingMemoryAllocationErrors.qhelp
new file mode 100644
index 00000000000..4b7941a5846
--- /dev/null
+++ b/cpp/ql/src/experimental/Security/CWE/CWE-570/WrongInDetectingAndHandlingMemoryAllocationErrors.qhelp
@@ -0,0 +1,29 @@
+<!DOCTYPE qhelp PUBLIC
+  "-//Semmle//qhelp//EN"
+  "qhelp.dtd">
+<qhelp>
+<overview>
+<p>when using the new operator to allocate memory, you need to pay attention to the different way of detecting errors. so <code> ::operator new(std::size_t) </code> throws an exception on error, and <code> ::operator new(std::size_t, const std::nothrow_t &) </code> returns zero on error. the programmer can get confused and check the error that occurs when allocating memory incorrectly. That can lead to an unhandled program termination or to a violation of the program logic.</p>
+
+<p>Loss of detection probably refers to use cases where memory allocation using your own solutions with strong nesting. It is also possible when using a buffer in the form of fields of different structures with the same names.</p>
+
+</overview>
+<recommendation>
+
+<p>We recommend using the error detection method, depending on the selected memory allocation method.</code>.</p>
+
+</recommendation>
+<example>
+<p>The following file demonstrates various approaches to detecting memory allocation errors using the new operator.</p>
+<sample src="WrongInDetectingAndHandlingMemoryAllocationErrors.cpp" />
+
+</example>
+<references>
+
+<li>
+  CERT C++ Coding Standard:
+<a href="https://wiki.sei.cmu.edu/confluence/display/cplusplus/MEM52-CPP.+Detect+and+handle+memory+allocation+errors">MEM52-CPP. Detect and handle memory allocation errors</a>.
+</li>
+
+</references>
+</qhelp>
diff --git a/cpp/ql/src/experimental/Security/CWE/CWE-570/WrongInDetectingAndHandlingMemoryAllocationErrors.ql b/cpp/ql/src/experimental/Security/CWE/CWE-570/WrongInDetectingAndHandlingMemoryAllocationErrors.ql
new file mode 100644
index 00000000000..383c8a1f128
--- /dev/null
+++ b/cpp/ql/src/experimental/Security/CWE/CWE-570/WrongInDetectingAndHandlingMemoryAllocationErrors.ql
@@ -0,0 +1,93 @@
+/**
+ * @name Сonfusion In Detecting And Handling Memory Allocation Errors
+ * @description --::operator new(std::size_t) throws an exception on error, and ::operator new(std::size_t, const std::nothrow_t &) returns zero on error.
+ *              --the programmer can get confused when check the error that occurs when allocating memory incorrectly.
+ *              --Making a call of this type may result in a zero byte being written just outside the buffer.
+ * @kind problem
+ * @id cpp/detect-and-handle-memory-allocation-errors
+ * @problem.severity warning
+ * @precision medium
+ * @tags correctness
+ *       security
+ *       external/cwe/cwe-570
+ */
+
+import cpp
+
+/**
+ * Lookup if condition compare with 0
+ */
+class IfCompareWithZero extends IfStmt {
+  IfCompareWithZero() {
+    this.getCondition().(EQExpr).getAChild().getValue() = "0"
+    or
+    this.getCondition().(NEExpr).getAChild().getValue() = "0" and
+    this.hasElse()
+  }
+}
+
+/**
+ * lookup for calls to `operator new`, with incorrect error handling.
+ */
+class WrongCheckErrorOperatorNew extends FunctionCall {
+  Expr exp;
+
+  WrongCheckErrorOperatorNew() {
+    this = exp.(NewOrNewArrayExpr).getAChild().(FunctionCall) and
+    (
+      this.getTarget().hasGlobalOrStdName("operator new")
+      or
+      this.getTarget().hasGlobalOrStdName("operator new[]")
+    )
+  }
+
+  /**
+   * Holds if handler `try ... catch` exists.
+   */
+  predicate isExistsTryCatchBlock() {
+    exists(TryStmt tb, AssignExpr aex, Initializer it |
+      tb.getAChild*() = exp
+      or
+      exp = it.getExpr() and
+      tb.getAChild*().(DeclStmt).getADeclaration() = it.getDeclaration()
+      or
+      aex.getAChild*() = exp and
+      tb.getAChild*().(AssignExpr) = aex
+    )
+  }
+
+  /**
+   * Holds if results call `operator new` check in `operator if`.
+   */
+  predicate isExistsIfCondition() {
+    exists(IfCompareWithZero ifc, AssignExpr aex, Initializer it |
+      // call `operator new` directly from the condition of `operator if`.
+      this = ifc.getCondition().getAChild()
+      or
+      // check results call `operator new` with variable appropriation
+      postDominates(ifc, this) and
+      aex.getAChild() = exp and
+      ifc.getCondition().getAChild().(VariableAccess).getTarget() =
+        aex.getLValue().(VariableAccess).getTarget()
+      or
+      // check results call `operator new` with declaration variable
+      postDominates(ifc, this) and
+      exp = it.getExpr() and
+      it.getDeclaration() = ifc.getCondition().getAChild().(VariableAccess).getTarget()
+    )
+  }
+
+  /**
+   * Holds if `(std::nothrow)` exists in call `operator new`.
+   */
+  predicate isExistsNothrow() { this.getAChild().toString() = "nothrow" }
+}
+
+from WrongCheckErrorOperatorNew op
+where
+  // use call `operator new` with `(std::nothrow)` and checking error using `try ... catch` block and not `operator if`
+  op.isExistsNothrow() and not op.isExistsIfCondition() and op.isExistsTryCatchBlock()
+  or
+  // use call `operator new` without `(std::nothrow)` and checking error using `operator if` and not  `try ... catch` block
+  not op.isExistsNothrow() and not op.isExistsTryCatchBlock() and op.isExistsIfCondition()
+select op, "memory allocation error check is incorrect or missing"

From 20e19ec4677c1e414fceb17d16de31327967fe5a Mon Sep 17 00:00:00 2001
From: ihsinme <61293369+ihsinme@users.noreply.github.com>
Date: Mon, 25 Jan 2021 00:09:55 +0300
Subject: [PATCH 027/429] Add files via upload

---
 ...AndHandlingMemoryAllocationErrors.expected |  5 +
 ...ingAndHandlingMemoryAllocationErrors.qlref |  1 +
 .../CWE/CWE-570/semmle/tests/test.cpp         | 97 +++++++++++++++++++
 3 files changed, 103 insertions(+)
 create mode 100644 cpp/ql/test/experimental/query-tests/Security/CWE/CWE-570/semmle/tests/WrongInDetectingAndHandlingMemoryAllocationErrors.expected
 create mode 100644 cpp/ql/test/experimental/query-tests/Security/CWE/CWE-570/semmle/tests/WrongInDetectingAndHandlingMemoryAllocationErrors.qlref
 create mode 100644 cpp/ql/test/experimental/query-tests/Security/CWE/CWE-570/semmle/tests/test.cpp

diff --git a/cpp/ql/test/experimental/query-tests/Security/CWE/CWE-570/semmle/tests/WrongInDetectingAndHandlingMemoryAllocationErrors.expected b/cpp/ql/test/experimental/query-tests/Security/CWE/CWE-570/semmle/tests/WrongInDetectingAndHandlingMemoryAllocationErrors.expected
new file mode 100644
index 00000000000..80e82cff212
--- /dev/null
+++ b/cpp/ql/test/experimental/query-tests/Security/CWE/CWE-570/semmle/tests/WrongInDetectingAndHandlingMemoryAllocationErrors.expected
@@ -0,0 +1,5 @@
+| test.cpp:30:15:30:26 | call to operator new[] | memory allocation error check is incorrect or missing |
+| test.cpp:38:9:38:20 | call to operator new[] | memory allocation error check is incorrect or missing |
+| test.cpp:50:13:50:38 | call to operator new[] | memory allocation error check is incorrect or missing |
+| test.cpp:51:22:51:47 | call to operator new[] | memory allocation error check is incorrect or missing |
+| test.cpp:53:18:53:43 | call to operator new[] | memory allocation error check is incorrect or missing |
diff --git a/cpp/ql/test/experimental/query-tests/Security/CWE/CWE-570/semmle/tests/WrongInDetectingAndHandlingMemoryAllocationErrors.qlref b/cpp/ql/test/experimental/query-tests/Security/CWE/CWE-570/semmle/tests/WrongInDetectingAndHandlingMemoryAllocationErrors.qlref
new file mode 100644
index 00000000000..fc3252ef122
--- /dev/null
+++ b/cpp/ql/test/experimental/query-tests/Security/CWE/CWE-570/semmle/tests/WrongInDetectingAndHandlingMemoryAllocationErrors.qlref
@@ -0,0 +1 @@
+experimental/Security/CWE/CWE-570/WrongInDetectingAndHandlingMemoryAllocationErrors.ql
diff --git a/cpp/ql/test/experimental/query-tests/Security/CWE/CWE-570/semmle/tests/test.cpp b/cpp/ql/test/experimental/query-tests/Security/CWE/CWE-570/semmle/tests/test.cpp
new file mode 100644
index 00000000000..6f03f896024
--- /dev/null
+++ b/cpp/ql/test/experimental/query-tests/Security/CWE/CWE-570/semmle/tests/test.cpp
@@ -0,0 +1,97 @@
+#define NULL ((void*)0)
+class exception {};
+
+namespace std{
+  struct nothrow_t {};
+  typedef unsigned long size_t;
+  class bad_alloc{
+    const char* what() const throw();
+  };
+  extern const std::nothrow_t nothrow;
+}
+
+using namespace std;
+
+void* operator new(std::size_t _Size);
+void* operator new[](std::size_t _Size);
+void* operator new( std::size_t count, const std::nothrow_t& tag );
+void* operator new[]( std::size_t count, const std::nothrow_t& tag );
+
+void badNew_0_0()
+{
+    while (true) {
+        new int[100];
+        if(!(new int[100]))
+            return;
+    }
+}
+void badNew_0_1()
+{
+    int * i = new int[100];
+    if(i == 0)
+        return;
+    if(!i)
+        return;
+    if(i == NULL)
+        return;
+    int * j;
+    j = new int[100];
+    if(j == 0)
+        return;
+    if(!j)
+        return;
+    if(j == NULL)
+        return;
+}
+void badNew_1_0()
+{
+    try {
+        while (true) {
+            new(std::nothrow) int[100];
+            int* p = new(std::nothrow) int[100];
+            int* p1;
+            p1 = new(std::nothrow) int[100];
+        }
+    } catch (const exception &){//const std::bad_alloc& e) {
+//        std::cout << e.what() << '\n';
+    }
+}
+void badNew_1_1()
+{
+    while (true) {
+        int* p = new(std::nothrow) int[100];
+        new(std::nothrow) int[100];
+    }
+}
+
+void goodNew_0_0()
+{
+    try {
+        while (true) {
+            new int[100];
+        }
+    } catch (const exception &){//const std::bad_alloc& e) {
+//        std::cout << e.what() << '\n';
+    }
+}
+
+void goodNew_1_0()
+{
+    while (true) {
+        int* p = new(std::nothrow) int[100];
+        if (p == nullptr) {
+//            std::cout << "Allocation returned nullptr\n";
+            break;
+        }
+        int* p1;
+        p1 = new(std::nothrow) int[100];
+        if (p1 == nullptr) {
+//            std::cout << "Allocation returned nullptr\n";
+            break;
+        }
+        if (new(std::nothrow) int[100] == nullptr) {
+//            std::cout << "Allocation returned nullptr\n";
+            break;
+        }
+    }
+}

From 9ae503a5a820ad535a949e1d13b9f368aea7a1eb Mon Sep 17 00:00:00 2001
From: ihsinme <61293369+ihsinme@users.noreply.github.com>
Date: Mon, 25 Jan 2021 00:30:35 +0300
Subject: [PATCH 028/429] Add files via upload

---
 ...emoryLocationAfterEndOfBufferUsingStrlen.c |  9 ++++++
 ...yLocationAfterEndOfBufferUsingStrlen.qhelp | 31 +++++++++++++++++++
 ...moryLocationAfterEndOfBufferUsingStrlen.ql | 25 +++++++++++++++
 3 files changed, 65 insertions(+)
 create mode 100644 cpp/ql/src/experimental/Security/CWE/CWE-788/AccessOfMemoryLocationAfterEndOfBufferUsingStrlen.c
 create mode 100644 cpp/ql/src/experimental/Security/CWE/CWE-788/AccessOfMemoryLocationAfterEndOfBufferUsingStrlen.qhelp
 create mode 100644 cpp/ql/src/experimental/Security/CWE/CWE-788/AccessOfMemoryLocationAfterEndOfBufferUsingStrlen.ql

diff --git a/cpp/ql/src/experimental/Security/CWE/CWE-788/AccessOfMemoryLocationAfterEndOfBufferUsingStrlen.c b/cpp/ql/src/experimental/Security/CWE/CWE-788/AccessOfMemoryLocationAfterEndOfBufferUsingStrlen.c
new file mode 100644
index 00000000000..ba78d4b97d1
--- /dev/null
+++ b/cpp/ql/src/experimental/Security/CWE/CWE-788/AccessOfMemoryLocationAfterEndOfBufferUsingStrlen.c
@@ -0,0 +1,9 @@
+// BAD: if buffer does not have a terminal zero, then access outside the allocated memory is possible.
+
+buffer[strlen(buffer)] = 0;
+
+
+// GOOD: we will eliminate dangerous behavior if we use a different method of calculating the length. 
+size_t len;
+...
+buffer[len] = 0
diff --git a/cpp/ql/src/experimental/Security/CWE/CWE-788/AccessOfMemoryLocationAfterEndOfBufferUsingStrlen.qhelp b/cpp/ql/src/experimental/Security/CWE/CWE-788/AccessOfMemoryLocationAfterEndOfBufferUsingStrlen.qhelp
new file mode 100644
index 00000000000..372a3e1d1c4
--- /dev/null
+++ b/cpp/ql/src/experimental/Security/CWE/CWE-788/AccessOfMemoryLocationAfterEndOfBufferUsingStrlen.qhelp
@@ -0,0 +1,31 @@
+<!DOCTYPE qhelp PUBLIC
+  "-//Semmle//qhelp//EN"
+  "qhelp.dtd">
+<qhelp>
+<overview>
+<p>Potentially dangerous use of the strlen function to calculate the length of a string.
+The expression <code>buffer[strlen(buffer)] = 0</code> is potentially dangerous, if the variable buffer does not have a terminal zero, then access beyond the bounds of the allocated memory is possible, which will lead to undefined behavior.
+If terminal zero is present, then the specified expression is meaningless.</p>
+
+<p>False positives include heavily nested strlen. This situation is unlikely.</p>
+
+</overview>
+<recommendation>
+
+<p>We recommend using another method for calculating the string length</p>
+
+</recommendation>
+<example>
+<p>The following example demonstrates an erroneous and corrected use of the strlen function.</p>
+<sample src="AccessOfMemoryLocationAfterEndOfBuffer.c" />
+
+</example>
+<references>
+
+<li>
+  CERT C Coding Standard:
+  <a href="https://wiki.sei.cmu.edu/confluence/display/c/STR32-C.+Do+not+pass+a+non-null-terminated+character+sequence+to+a+library+function+that+expects+a+string">STR32-C. Do not pass a non-null-terminated character sequence to a library function that expects a string</a>.
+</li>
+
+</references>
+</qhelp>
diff --git a/cpp/ql/src/experimental/Security/CWE/CWE-788/AccessOfMemoryLocationAfterEndOfBufferUsingStrlen.ql b/cpp/ql/src/experimental/Security/CWE/CWE-788/AccessOfMemoryLocationAfterEndOfBufferUsingStrlen.ql
new file mode 100644
index 00000000000..80c7f2104ab
--- /dev/null
+++ b/cpp/ql/src/experimental/Security/CWE/CWE-788/AccessOfMemoryLocationAfterEndOfBufferUsingStrlen.ql
@@ -0,0 +1,25 @@
+/**
+ * @name Access Of Memory Location After End Of Buffer
+ * @description --The expression buffer [strlen (buffer)] = 0 is potentially dangerous, if the variable buffer does not have a terminal zero, then access beyond the bounds of the allocated memory is possible, which will lead to undefined behavior.
+ *              --If terminal zero is present, then the specified expression is meaningless.
+ *              --We recommend using another method for calculating the string length.
+ * @kind problem
+ * @id cpp/access-memory-location-after-end-buffer
+ * @problem.severity warning
+ * @precision medium
+ * @tags correctness
+ *       security
+ *       external/cwe/cwe-788
+ */
+
+import cpp
+import semmle.code.cpp.valuenumbering.HashCons
+
+from FunctionCall fc, AssignExpr expr, ArrayExpr exprarr
+where
+  fc.getTarget().hasGlobalOrStdName("strlen") and
+  exprarr = expr.getLValue() and
+  expr.getRValue().getValue().toInt() = 0 and
+  exprarr.getArrayOffset() = fc and
+  hashCons(fc.getArgument(0)) = hashCons(exprarr.getArrayBase())
+select expr, "use a different method to calculate the length."

From b899229298218b20c34540219088f0bb06170728 Mon Sep 17 00:00:00 2001
From: ihsinme <61293369+ihsinme@users.noreply.github.com>
Date: Mon, 25 Jan 2021 00:33:54 +0300
Subject: [PATCH 029/429] Add files via upload

---
 ...cationAfterEndOfBufferUsingStrlen.expected |  9 ++++
 ...yLocationAfterEndOfBufferUsingStrlen.qlref |  1 +
 .../Security/CWE/CWE-788/semmle/tests/test.c  | 44 +++++++++++++++++++
 3 files changed, 54 insertions(+)
 create mode 100644 cpp/ql/test/experimental/query-tests/Security/CWE/CWE-788/semmle/tests/AccessOfMemoryLocationAfterEndOfBufferUsingStrlen.expected
 create mode 100644 cpp/ql/test/experimental/query-tests/Security/CWE/CWE-788/semmle/tests/AccessOfMemoryLocationAfterEndOfBufferUsingStrlen.qlref
 create mode 100644 cpp/ql/test/experimental/query-tests/Security/CWE/CWE-788/semmle/tests/test.c

diff --git a/cpp/ql/test/experimental/query-tests/Security/CWE/CWE-788/semmle/tests/AccessOfMemoryLocationAfterEndOfBufferUsingStrlen.expected b/cpp/ql/test/experimental/query-tests/Security/CWE/CWE-788/semmle/tests/AccessOfMemoryLocationAfterEndOfBufferUsingStrlen.expected
new file mode 100644
index 00000000000..82d3e224993
--- /dev/null
+++ b/cpp/ql/test/experimental/query-tests/Security/CWE/CWE-788/semmle/tests/AccessOfMemoryLocationAfterEndOfBufferUsingStrlen.expected
@@ -0,0 +1,9 @@
+| test.c:13:3:13:24 | ... = ... | use a different method to calculate the length. |
+| test.c:14:3:14:40 | ... = ... | use a different method to calculate the length. |
+| test.c:15:3:15:40 | ... = ... | use a different method to calculate the length. |
+| test.c:16:3:16:44 | ... = ... | use a different method to calculate the length. |
+| test.c:17:3:17:44 | ... = ... | use a different method to calculate the length. |
+| test.c:18:3:18:48 | ... = ... | use a different method to calculate the length. |
+| test.c:19:3:19:48 | ... = ... | use a different method to calculate the length. |
+| test.c:20:3:20:50 | ... = ... | use a different method to calculate the length. |
+| test.c:21:3:21:50 | ... = ... | use a different method to calculate the length. |
diff --git a/cpp/ql/test/experimental/query-tests/Security/CWE/CWE-788/semmle/tests/AccessOfMemoryLocationAfterEndOfBufferUsingStrlen.qlref b/cpp/ql/test/experimental/query-tests/Security/CWE/CWE-788/semmle/tests/AccessOfMemoryLocationAfterEndOfBufferUsingStrlen.qlref
new file mode 100644
index 00000000000..6ba005d087a
--- /dev/null
+++ b/cpp/ql/test/experimental/query-tests/Security/CWE/CWE-788/semmle/tests/AccessOfMemoryLocationAfterEndOfBufferUsingStrlen.qlref
@@ -0,0 +1 @@
+experimental/Security/CWE/CWE-788/AccessOfMemoryLocationAfterEndOfBufferUsingStrlen.ql
diff --git a/cpp/ql/test/experimental/query-tests/Security/CWE/CWE-788/semmle/tests/test.c b/cpp/ql/test/experimental/query-tests/Security/CWE/CWE-788/semmle/tests/test.c
new file mode 100644
index 00000000000..84487670bf7
--- /dev/null
+++ b/cpp/ql/test/experimental/query-tests/Security/CWE/CWE-788/semmle/tests/test.c
@@ -0,0 +1,44 @@
+struct buffers
+{
+    unsigned char buff1[50];
+    unsigned char *buff2;
+} globalBuff1,*globalBuff2,globalBuff1_c,*globalBuff2_c;
+
+
+void badFunc0(){
+  unsigned char buff1[12];
+  struct buffers buffAll;
+  struct buffers * buffAll1;
+  
+  buff1[strlen(buff1)]=0;
+  buffAll.buff1[strlen(buffAll.buff1)]=0;
+  buffAll.buff2[strlen(buffAll.buff2)]=0;
+  buffAll1->buff1[strlen(buffAll1->buff1)]=0;
+  buffAll1->buff2[strlen(buffAll1->buff2)]=0;
+  globalBuff1.buff1[strlen(globalBuff1.buff1)]=0;
+  globalBuff1.buff2[strlen(globalBuff1.buff2)]=0;
+  globalBuff2->buff1[strlen(globalBuff2->buff1)]=0;
+  globalBuff2->buff2[strlen(globalBuff2->buff2)]=0;
+}
+void noBadFunc0(){
+  unsigned char buff1[12],buff1_c[12];
+  struct buffers buffAll,buffAll_c;
+  struct buffers * buffAll1,*buffAll1_c;
+  
+  buff1[strlen(buff1_c)]=0;
+  buffAll.buff1[strlen(buffAll_c.buff1)]=0;
+  buffAll.buff2[strlen(buffAll.buff1)]=0;
+  buffAll1->buff1[strlen(buffAll1_c->buff1)]=0;
+  buffAll1->buff2[strlen(buffAll1->buff1)]=0;
+  globalBuff1.buff1[strlen(globalBuff1_c.buff1)]=0;
+  globalBuff1.buff2[strlen(globalBuff1.buff1)]=0;
+  globalBuff2->buff1[strlen(globalBuff2_c->buff1)]=0;
+  globalBuff2->buff2[strlen(globalBuff2->buff1)]=0;
+}
+void goodFunc0(){
+  unsigned char buffer[12];
+  int i;
+  for(i = 0; i < 6; i++)
+    buffer[i] = 'A';
+  buffer[i]=0;
+}

From de0bbc8826982276d00bf9edc655443801e3ca5c Mon Sep 17 00:00:00 2001
From: ihsinme <61293369+ihsinme@users.noreply.github.com>
Date: Tue, 26 Jan 2021 23:47:07 +0300
Subject: [PATCH 030/429] Apply suggestions from code review

Co-authored-by: Mathias Vorreiter Pedersen <mathiasvp@github.com>
---
 .../AccessOfMemoryLocationAfterEndOfBufferUsingStrlen.qhelp  | 2 +-
 .../AccessOfMemoryLocationAfterEndOfBufferUsingStrlen.ql     | 5 ++---
 2 files changed, 3 insertions(+), 4 deletions(-)

diff --git a/cpp/ql/src/experimental/Security/CWE/CWE-788/AccessOfMemoryLocationAfterEndOfBufferUsingStrlen.qhelp b/cpp/ql/src/experimental/Security/CWE/CWE-788/AccessOfMemoryLocationAfterEndOfBufferUsingStrlen.qhelp
index 372a3e1d1c4..51424ce7619 100644
--- a/cpp/ql/src/experimental/Security/CWE/CWE-788/AccessOfMemoryLocationAfterEndOfBufferUsingStrlen.qhelp
+++ b/cpp/ql/src/experimental/Security/CWE/CWE-788/AccessOfMemoryLocationAfterEndOfBufferUsingStrlen.qhelp
@@ -17,7 +17,7 @@ If terminal zero is present, then the specified expression is meaningless.</p>
 </recommendation>
 <example>
 <p>The following example demonstrates an erroneous and corrected use of the strlen function.</p>
-<sample src="AccessOfMemoryLocationAfterEndOfBuffer.c" />
+<sample src="AccessOfMemoryLocationAfterEndOfBufferUsingStrlen.c" />
 
 </example>
 <references>
diff --git a/cpp/ql/src/experimental/Security/CWE/CWE-788/AccessOfMemoryLocationAfterEndOfBufferUsingStrlen.ql b/cpp/ql/src/experimental/Security/CWE/CWE-788/AccessOfMemoryLocationAfterEndOfBufferUsingStrlen.ql
index 80c7f2104ab..a1d4a169b20 100644
--- a/cpp/ql/src/experimental/Security/CWE/CWE-788/AccessOfMemoryLocationAfterEndOfBufferUsingStrlen.ql
+++ b/cpp/ql/src/experimental/Security/CWE/CWE-788/AccessOfMemoryLocationAfterEndOfBufferUsingStrlen.ql
@@ -1,8 +1,7 @@
 /**
  * @name Access Of Memory Location After End Of Buffer
- * @description --The expression buffer [strlen (buffer)] = 0 is potentially dangerous, if the variable buffer does not have a terminal zero, then access beyond the bounds of the allocated memory is possible, which will lead to undefined behavior.
- *              --If terminal zero is present, then the specified expression is meaningless.
- *              --We recommend using another method for calculating the string length.
+ * @description The expression `buffer [strlen (buffer)] = 0` is potentially dangerous, if the variable `buffer` does not have a terminal zero, then access beyond the bounds of the allocated memory is possible, which will lead to undefined behavior.
+ *              If terminal zero is present, then the specified expression is meaningless.
  * @kind problem
  * @id cpp/access-memory-location-after-end-buffer
  * @problem.severity warning

From fc9d2190574dcf0ab87dcb876a17530493fc35fc Mon Sep 17 00:00:00 2001
From: ihsinme <61293369+ihsinme@users.noreply.github.com>
Date: Tue, 26 Jan 2021 23:50:54 +0300
Subject: [PATCH 031/429] Update
 AccessOfMemoryLocationAfterEndOfBufferUsingStrlen.ql

---
 .../AccessOfMemoryLocationAfterEndOfBufferUsingStrlen.ql   | 7 +++----
 1 file changed, 3 insertions(+), 4 deletions(-)

diff --git a/cpp/ql/src/experimental/Security/CWE/CWE-788/AccessOfMemoryLocationAfterEndOfBufferUsingStrlen.ql b/cpp/ql/src/experimental/Security/CWE/CWE-788/AccessOfMemoryLocationAfterEndOfBufferUsingStrlen.ql
index a1d4a169b20..77fc29719f6 100644
--- a/cpp/ql/src/experimental/Security/CWE/CWE-788/AccessOfMemoryLocationAfterEndOfBufferUsingStrlen.ql
+++ b/cpp/ql/src/experimental/Security/CWE/CWE-788/AccessOfMemoryLocationAfterEndOfBufferUsingStrlen.ql
@@ -12,13 +12,12 @@
  */
 
 import cpp
-import semmle.code.cpp.valuenumbering.HashCons
+import semmle.code.cpp.valuenumbering.GlobalValueNumbering
 
 from FunctionCall fc, AssignExpr expr, ArrayExpr exprarr
 where
-  fc.getTarget().hasGlobalOrStdName("strlen") and
   exprarr = expr.getLValue() and
   expr.getRValue().getValue().toInt() = 0 and
   exprarr.getArrayOffset() = fc and
-  hashCons(fc.getArgument(0)) = hashCons(exprarr.getArrayBase())
-select expr, "use a different method to calculate the length."
+  globalValueNumber(fc.getArgument(0)) = globalValueNumber(exprarr.getArrayBase())
+select expr, "potential unsafe or redundant assignment."

From 636fe73f400782951db790ee8bd4f826f0686fd1 Mon Sep 17 00:00:00 2001
From: ihsinme <61293369+ihsinme@users.noreply.github.com>
Date: Tue, 26 Jan 2021 23:52:18 +0300
Subject: [PATCH 032/429] Update
 AccessOfMemoryLocationAfterEndOfBufferUsingStrlen.ql

---
 .../AccessOfMemoryLocationAfterEndOfBufferUsingStrlen.ql        | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)

diff --git a/cpp/ql/src/experimental/Security/CWE/CWE-788/AccessOfMemoryLocationAfterEndOfBufferUsingStrlen.ql b/cpp/ql/src/experimental/Security/CWE/CWE-788/AccessOfMemoryLocationAfterEndOfBufferUsingStrlen.ql
index 77fc29719f6..3e1cfdd6396 100644
--- a/cpp/ql/src/experimental/Security/CWE/CWE-788/AccessOfMemoryLocationAfterEndOfBufferUsingStrlen.ql
+++ b/cpp/ql/src/experimental/Security/CWE/CWE-788/AccessOfMemoryLocationAfterEndOfBufferUsingStrlen.ql
@@ -14,7 +14,7 @@
 import cpp
 import semmle.code.cpp.valuenumbering.GlobalValueNumbering
 
-from FunctionCall fc, AssignExpr expr, ArrayExpr exprarr
+from StrlenCall fc, AssignExpr expr, ArrayExpr exprarr
 where
   exprarr = expr.getLValue() and
   expr.getRValue().getValue().toInt() = 0 and

From 9a85b761a17b56d1c4b5a02e5cb26998fac590ff Mon Sep 17 00:00:00 2001
From: ihsinme <61293369+ihsinme@users.noreply.github.com>
Date: Wed, 27 Jan 2021 12:46:10 +0300
Subject: [PATCH 033/429] Update test.c

---
 .../Security/CWE/CWE-788/semmle/tests/test.c  | 36 +++++++++----------
 1 file changed, 18 insertions(+), 18 deletions(-)

diff --git a/cpp/ql/test/experimental/query-tests/Security/CWE/CWE-788/semmle/tests/test.c b/cpp/ql/test/experimental/query-tests/Security/CWE/CWE-788/semmle/tests/test.c
index 84487670bf7..ce07a2ddba2 100644
--- a/cpp/ql/test/experimental/query-tests/Security/CWE/CWE-788/semmle/tests/test.c
+++ b/cpp/ql/test/experimental/query-tests/Security/CWE/CWE-788/semmle/tests/test.c
@@ -10,30 +10,30 @@ void badFunc0(){
   struct buffers buffAll;
   struct buffers * buffAll1;
   
-  buff1[strlen(buff1)]=0;
-  buffAll.buff1[strlen(buffAll.buff1)]=0;
-  buffAll.buff2[strlen(buffAll.buff2)]=0;
-  buffAll1->buff1[strlen(buffAll1->buff1)]=0;
-  buffAll1->buff2[strlen(buffAll1->buff2)]=0;
-  globalBuff1.buff1[strlen(globalBuff1.buff1)]=0;
-  globalBuff1.buff2[strlen(globalBuff1.buff2)]=0;
-  globalBuff2->buff1[strlen(globalBuff2->buff1)]=0;
-  globalBuff2->buff2[strlen(globalBuff2->buff2)]=0;
+  buff1[strlen(buff1)]=0; // BAD
+  buffAll.buff1[strlen(buffAll.buff1)]=0; // BAD
+  buffAll.buff2[strlen(buffAll.buff2)]=0; // BAD
+  buffAll1->buff1[strlen(buffAll1->buff1)]=0; // BAD
+  buffAll1->buff2[strlen(buffAll1->buff2)]=0; // BAD
+  globalBuff1.buff1[strlen(globalBuff1.buff1)]=0; // BAD
+  globalBuff1.buff2[strlen(globalBuff1.buff2)]=0; // BAD
+  globalBuff2->buff1[strlen(globalBuff2->buff1)]=0; // BAD
+  globalBuff2->buff2[strlen(globalBuff2->buff2)]=0; // BAD
 }
 void noBadFunc0(){
   unsigned char buff1[12],buff1_c[12];
   struct buffers buffAll,buffAll_c;
   struct buffers * buffAll1,*buffAll1_c;
   
-  buff1[strlen(buff1_c)]=0;
-  buffAll.buff1[strlen(buffAll_c.buff1)]=0;
-  buffAll.buff2[strlen(buffAll.buff1)]=0;
-  buffAll1->buff1[strlen(buffAll1_c->buff1)]=0;
-  buffAll1->buff2[strlen(buffAll1->buff1)]=0;
-  globalBuff1.buff1[strlen(globalBuff1_c.buff1)]=0;
-  globalBuff1.buff2[strlen(globalBuff1.buff1)]=0;
-  globalBuff2->buff1[strlen(globalBuff2_c->buff1)]=0;
-  globalBuff2->buff2[strlen(globalBuff2->buff1)]=0;
+  buff1[strlen(buff1_c)]=0; // GOOD
+  buffAll.buff1[strlen(buffAll_c.buff1)]=0; // GOOD
+  buffAll.buff2[strlen(buffAll.buff1)]=0; // GOOD
+  buffAll1->buff1[strlen(buffAll1_c->buff1)]=0; // GOOD
+  buffAll1->buff2[strlen(buffAll1->buff1)]=0; // GOOD
+  globalBuff1.buff1[strlen(globalBuff1_c.buff1)]=0; // GOOD
+  globalBuff1.buff2[strlen(globalBuff1.buff1)]=0; // GOOD
+  globalBuff2->buff1[strlen(globalBuff2_c->buff1)]=0; // GOOD
+  globalBuff2->buff2[strlen(globalBuff2->buff1)]=0; // GOOD
 }
 void goodFunc0(){
   unsigned char buffer[12];

From 885d26805febf0b1fe7e253f6065f31f83291c03 Mon Sep 17 00:00:00 2001
From: ihsinme <61293369+ihsinme@users.noreply.github.com>
Date: Wed, 27 Jan 2021 12:47:51 +0300
Subject: [PATCH 034/429] Update
 AccessOfMemoryLocationAfterEndOfBufferUsingStrlen.expected

---
 ...ocationAfterEndOfBufferUsingStrlen.expected | 18 +++++++++---------
 1 file changed, 9 insertions(+), 9 deletions(-)

diff --git a/cpp/ql/test/experimental/query-tests/Security/CWE/CWE-788/semmle/tests/AccessOfMemoryLocationAfterEndOfBufferUsingStrlen.expected b/cpp/ql/test/experimental/query-tests/Security/CWE/CWE-788/semmle/tests/AccessOfMemoryLocationAfterEndOfBufferUsingStrlen.expected
index 82d3e224993..c2f02dd203e 100644
--- a/cpp/ql/test/experimental/query-tests/Security/CWE/CWE-788/semmle/tests/AccessOfMemoryLocationAfterEndOfBufferUsingStrlen.expected
+++ b/cpp/ql/test/experimental/query-tests/Security/CWE/CWE-788/semmle/tests/AccessOfMemoryLocationAfterEndOfBufferUsingStrlen.expected
@@ -1,9 +1,9 @@
-| test.c:13:3:13:24 | ... = ... | use a different method to calculate the length. |
-| test.c:14:3:14:40 | ... = ... | use a different method to calculate the length. |
-| test.c:15:3:15:40 | ... = ... | use a different method to calculate the length. |
-| test.c:16:3:16:44 | ... = ... | use a different method to calculate the length. |
-| test.c:17:3:17:44 | ... = ... | use a different method to calculate the length. |
-| test.c:18:3:18:48 | ... = ... | use a different method to calculate the length. |
-| test.c:19:3:19:48 | ... = ... | use a different method to calculate the length. |
-| test.c:20:3:20:50 | ... = ... | use a different method to calculate the length. |
-| test.c:21:3:21:50 | ... = ... | use a different method to calculate the length. |
+| test.c:13:3:13:24 | ... = ... | potential unsafe or redundant assignment. |
+| test.c:14:3:14:40 | ... = ... | potential unsafe or redundant assignment. |
+| test.c:15:3:15:40 | ... = ... | potential unsafe or redundant assignment. |
+| test.c:16:3:16:44 | ... = ... | potential unsafe or redundant assignment. |
+| test.c:17:3:17:44 | ... = ... | potential unsafe or redundant assignment. |
+| test.c:18:3:18:48 | ... = ... | potential unsafe or redundant assignment. |
+| test.c:19:3:19:48 | ... = ... | potential unsafe or redundant assignment. |
+| test.c:20:3:20:50 | ... = ... | potential unsafe or redundant assignment. |
+| test.c:21:3:21:50 | ... = ... | potential unsafe or redundant assignment. |

From bdba7e14fe293225269ae2932a4cb539b453bedd Mon Sep 17 00:00:00 2001
From: intrigus <abc123zeus@live.de>
Date: Wed, 27 Jan 2021 11:54:40 +0100
Subject: [PATCH 035/429] Java: Switch to data flow

---
 .../CWE/CWE-295/JxBrowserWithoutCertValidation.ql         | 8 ++++----
 1 file changed, 4 insertions(+), 4 deletions(-)

diff --git a/java/ql/src/experimental/Security/CWE/CWE-295/JxBrowserWithoutCertValidation.ql b/java/ql/src/experimental/Security/CWE/CWE-295/JxBrowserWithoutCertValidation.ql
index 6aee64ed010..71a050a20ce 100644
--- a/java/ql/src/experimental/Security/CWE/CWE-295/JxBrowserWithoutCertValidation.ql
+++ b/java/ql/src/experimental/Security/CWE/CWE-295/JxBrowserWithoutCertValidation.ql
@@ -9,7 +9,7 @@
 
 import java
 import semmle.code.java.security.Encryption
-import semmle.code.java.dataflow.TaintTracking
+import semmle.code.java.dataflow.DataFlow
 
 /*
  * This query is version specific to JxBrowser < 6.24. The version is indirectly detected.
@@ -57,8 +57,8 @@ private class JxBrowserSafeLoadHandler extends RefType {
   }
 }
 
-private class JxBrowserTaintTracking extends TaintTracking::Configuration {
-  JxBrowserTaintTracking() { this = "JxBrowserTaintTracking" }
+private class JxBrowserFlowConfiguration extends DataFlow::Configuration {
+  JxBrowserFlowConfiguration() { this = "JxBrowserFlowConfiguration" }
 
   override predicate isSource(DataFlow::Node src) {
     exists(ClassInstanceExpr newJxBrowser | newJxBrowser.getConstructedType() instanceof JxBrowser |
@@ -74,7 +74,7 @@ private class JxBrowserTaintTracking extends TaintTracking::Configuration {
   }
 }
 
-from JxBrowserTaintTracking cfg, DataFlow::Node src
+from JxBrowserFlowConfiguration cfg, DataFlow::Node src
 where
   cfg.isSource(src) and
   not cfg.hasFlow(src, _) and

From d3e6e594b2b4efc1d81616cc8bfbe2f3e6aff7d5 Mon Sep 17 00:00:00 2001
From: intrigus <abc123zeus@live.de>
Date: Wed, 27 Jan 2021 11:57:32 +0100
Subject: [PATCH 036/429] Java: Improve QLDoc

---
 .../Security/CWE/CWE-295/JxBrowserWithoutCertValidation.ql    | 4 ++++
 1 file changed, 4 insertions(+)

diff --git a/java/ql/src/experimental/Security/CWE/CWE-295/JxBrowserWithoutCertValidation.ql b/java/ql/src/experimental/Security/CWE/CWE-295/JxBrowserWithoutCertValidation.ql
index 71a050a20ce..4046f4e9606 100644
--- a/java/ql/src/experimental/Security/CWE/CWE-295/JxBrowserWithoutCertValidation.ql
+++ b/java/ql/src/experimental/Security/CWE/CWE-295/JxBrowserWithoutCertValidation.ql
@@ -57,6 +57,10 @@ private class JxBrowserSafeLoadHandler extends RefType {
   }
 }
 
+/**
+ * Models flow from the source `new Browser()` to a sink `browser.setLoadHandler(loadHandler)` where `loadHandler`
+ * has been determined to be safe.
+ */
 private class JxBrowserFlowConfiguration extends DataFlow::Configuration {
   JxBrowserFlowConfiguration() { this = "JxBrowserFlowConfiguration" }
 

From 8737c1442b9f52d5f1c3a29e2762db0b850873eb Mon Sep 17 00:00:00 2001
From: ihsinme <61293369+ihsinme@users.noreply.github.com>
Date: Wed, 27 Jan 2021 14:48:23 +0300
Subject: [PATCH 037/429] Update
 WrongInDetectingAndHandlingMemoryAllocationErrors.cpp

---
 ...ctingAndHandlingMemoryAllocationErrors.cpp | 55 +++++++++----------
 1 file changed, 27 insertions(+), 28 deletions(-)

diff --git a/cpp/ql/src/experimental/Security/CWE/CWE-570/WrongInDetectingAndHandlingMemoryAllocationErrors.cpp b/cpp/ql/src/experimental/Security/CWE/CWE-570/WrongInDetectingAndHandlingMemoryAllocationErrors.cpp
index 6fc3bc2f893..0232fc131eb 100644
--- a/cpp/ql/src/experimental/Security/CWE/CWE-570/WrongInDetectingAndHandlingMemoryAllocationErrors.cpp
+++ b/cpp/ql/src/experimental/Security/CWE/CWE-570/WrongInDetectingAndHandlingMemoryAllocationErrors.cpp
@@ -1,32 +1,31 @@
-// BAD: no memory allocation errors are detected
-void f(const int *array, std::size_t size) noexcept {
-  int *copy = new int[size];
-  std::memcpy(copy, array, size * sizeof(*copy));
-  // ...
-  delete [] copy;
+// BAD: on memory allocation error, the program terminates.
+void badFunction(const int *source, std::size_t length) noexcept {
+  int * dest = new int[length];
+  std::memset(dest, 0, length);
+// ..
 }
-// GOOD: memory allocation errors are detected
-void f(const int *array, std::size_t size) noexcept {
-  int *copy;
+// GOOD: memory allocation error will be handled.
+void goodFunction(const int *source, std::size_t length) noexcept {
   try {
-    copy = new int[size];
-  } catch(std::bad_alloc) {
-    // Handle error
-    return;
-  }
-  // At this point, copy has been initialized to allocated memory
-  std::memcpy(copy, array, size * sizeof(*copy));
-  // ...
-  delete [] copy;
+       int * dest = new int[length];
+  } catch(std::bad_alloc)
+  std::memset(dest, 0, length);
+// ..
 }
-// GOOD: memory allocation errors are detected
-void f(const int *array, std::size_t size) noexcept {
-  int *copy = new (std::nothrow) int[size];
-  if (!copy) {
-    // Handle error
-    return;
-  }
-  std::memcpy(copy, array, size * sizeof(*copy));
-  // ...
-  delete [] copy;
+// BAD: memory allocation error will not be handled.
+void badFunction(const int *source, std::size_t length) noexcept {
+  try {
+       int * dest = new (std::nothrow) int[length];
+  } catch(std::bad_alloc)
+  std::memset(dest, 0, length);
+// ..
+}
+// GOOD: memory allocation error will be handled.
+void goodFunction(const int *source, std::size_t length) noexcept {
+  int * dest = new (std::nothrow) int[length];
+  if (!dest) {
+      return;
+  }
+  std::memset(dest, 0, length);
+// ..
 }

From bec00643968bad1ae39d53e0256111187569b907 Mon Sep 17 00:00:00 2001
From: ihsinme <61293369+ihsinme@users.noreply.github.com>
Date: Wed, 27 Jan 2021 14:54:47 +0300
Subject: [PATCH 038/429] Update test.cpp

---
 .../CWE/CWE-570/semmle/tests/test.cpp         | 26 +++++++++----------
 1 file changed, 13 insertions(+), 13 deletions(-)

diff --git a/cpp/ql/test/experimental/query-tests/Security/CWE/CWE-570/semmle/tests/test.cpp b/cpp/ql/test/experimental/query-tests/Security/CWE/CWE-570/semmle/tests/test.cpp
index 6f03f896024..e4aa8cf2976 100644
--- a/cpp/ql/test/experimental/query-tests/Security/CWE/CWE-570/semmle/tests/test.cpp
+++ b/cpp/ql/test/experimental/query-tests/Security/CWE/CWE-570/semmle/tests/test.cpp
@@ -20,14 +20,14 @@ void* operator new[]( std::size_t count, const std::nothrow_t& tag );
 void badNew_0_0()
 {
     while (true) {
-        new int[100];
-        if(!(new int[100]))
+        new int[100]; // BAD [NOT DETECTED]
+        if(!(new int[100])) // BAD [NOT DETECTED]
             return;
     }
 }
 void badNew_0_1()
 {
-    int * i = new int[100];
+    int * i = new int[100]; // BAD
     if(i == 0)
         return;
     if(!i)
@@ -35,7 +35,7 @@ void badNew_0_1()
     if(i == NULL)
         return;
     int * j;
-    j = new int[100];
+    j = new int[100]; // BAD
     if(j == 0)
         return;
     if(!j)
@@ -47,10 +47,10 @@ void badNew_1_0()
 {
     try {
         while (true) {
-            new(std::nothrow) int[100];
-            int* p = new(std::nothrow) int[100];
+            new(std::nothrow) int[100]; // BAD
+            int* p = new(std::nothrow) int[100]; // BAD
             int* p1;
-            p1 = new(std::nothrow) int[100];
+            p1 = new(std::nothrow) int[100]; // BAD
         }
     } catch (const exception &){//const std::bad_alloc& e) {
 //        std::cout << e.what() << '\n';
@@ -59,8 +59,8 @@ void badNew_1_0()
 void badNew_1_1()
 {
     while (true) {
-        int* p = new(std::nothrow) int[100];
-        new(std::nothrow) int[100];
+        int* p = new(std::nothrow) int[100]; // BAD [NOT DETECTED]
+        new(std::nothrow) int[100]; // BAD [NOT DETECTED]
     }
 }
 
@@ -68,7 +68,7 @@ void goodNew_0_0()
 {
     try {
         while (true) {
-            new int[100];
+            new int[100]; // GOOD
         }
     } catch (const exception &){//const std::bad_alloc& e) {
 //        std::cout << e.what() << '\n';
@@ -78,18 +78,18 @@ void goodNew_0_0()
 void goodNew_1_0()
 {
     while (true) {
-        int* p = new(std::nothrow) int[100];
+        int* p = new(std::nothrow) int[100]; // GOOD
         if (p == nullptr) {
 //            std::cout << "Allocation returned nullptr\n";
             break;
         }
         int* p1;
-        p1 = new(std::nothrow) int[100];
+        p1 = new(std::nothrow) int[100]; // GOOD
         if (p1 == nullptr) {
 //            std::cout << "Allocation returned nullptr\n";
             break;
         }
-        if (new(std::nothrow) int[100] == nullptr) {
+        if (new(std::nothrow) int[100] == nullptr) { // GOOD
 //            std::cout << "Allocation returned nullptr\n";
             break;
         }

From 25de82c78cd5c19fd1957a8926ba7e395edf2815 Mon Sep 17 00:00:00 2001
From: ihsinme <61293369+ihsinme@users.noreply.github.com>
Date: Wed, 27 Jan 2021 15:05:01 +0300
Subject: [PATCH 039/429] Apply suggestions from code review

Co-authored-by: Geoffrey White <40627776+geoffw0@users.noreply.github.com>
---
 .../WrongInDetectingAndHandlingMemoryAllocationErrors.qhelp | 6 +++---
 1 file changed, 3 insertions(+), 3 deletions(-)

diff --git a/cpp/ql/src/experimental/Security/CWE/CWE-570/WrongInDetectingAndHandlingMemoryAllocationErrors.qhelp b/cpp/ql/src/experimental/Security/CWE/CWE-570/WrongInDetectingAndHandlingMemoryAllocationErrors.qhelp
index 4b7941a5846..7be7fcd5b35 100644
--- a/cpp/ql/src/experimental/Security/CWE/CWE-570/WrongInDetectingAndHandlingMemoryAllocationErrors.qhelp
+++ b/cpp/ql/src/experimental/Security/CWE/CWE-570/WrongInDetectingAndHandlingMemoryAllocationErrors.qhelp
@@ -3,18 +3,18 @@
   "qhelp.dtd">
 <qhelp>
 <overview>
-<p>when using the new operator to allocate memory, you need to pay attention to the different way of detecting errors. so <code> ::operator new(std::size_t) </code> throws an exception on error, and <code> ::operator new(std::size_t, const std::nothrow_t &) </code> returns zero on error. the programmer can get confused and check the error that occurs when allocating memory incorrectly. That can lead to an unhandled program termination or to a violation of the program logic.</p>
+<p>When using the <code>new</code> operator to allocate memory, you need to pay attention to the different ways of detecting errors. <code>::operator new(std::size_t)</code> throws an exception on error, whereas <code>::operator new(std::size_t, const std::nothrow_t &)</code> returns zero on error. The programmer can get confused and check the error that occurs when allocating memory incorrectly. That can lead to an unhandled program termination or to a violation of the program logic.</p>
 
 <p>Loss of detection probably refers to use cases where memory allocation using your own solutions with strong nesting. It is also possible when using a buffer in the form of fields of different structures with the same names.</p>
 
 </overview>
 <recommendation>
 
-<p>We recommend using the error detection method, depending on the selected memory allocation method.</code>.</p>
+<p>Use the correct error detection method corresponding with the memory allocation.</p>
 
 </recommendation>
 <example>
-<p>The following file demonstrates various approaches to detecting memory allocation errors using the new operator.</p>
+<p>The following example demonstrates various approaches to detecting memory allocation errors using the <code>new</code> operator.</p>
 <sample src="WrongInDetectingAndHandlingMemoryAllocationErrors.cpp" />
 
 </example>

From 5d163b4c1575115a5f1c14eba0145b74908ee292 Mon Sep 17 00:00:00 2001
From: ihsinme <61293369+ihsinme@users.noreply.github.com>
Date: Wed, 27 Jan 2021 15:05:58 +0300
Subject: [PATCH 040/429] Update
 WrongInDetectingAndHandlingMemoryAllocationErrors.qhelp

---
 .../WrongInDetectingAndHandlingMemoryAllocationErrors.qhelp     | 2 --
 1 file changed, 2 deletions(-)

diff --git a/cpp/ql/src/experimental/Security/CWE/CWE-570/WrongInDetectingAndHandlingMemoryAllocationErrors.qhelp b/cpp/ql/src/experimental/Security/CWE/CWE-570/WrongInDetectingAndHandlingMemoryAllocationErrors.qhelp
index 7be7fcd5b35..c3e543a1b58 100644
--- a/cpp/ql/src/experimental/Security/CWE/CWE-570/WrongInDetectingAndHandlingMemoryAllocationErrors.qhelp
+++ b/cpp/ql/src/experimental/Security/CWE/CWE-570/WrongInDetectingAndHandlingMemoryAllocationErrors.qhelp
@@ -5,8 +5,6 @@
 <overview>
 <p>When using the <code>new</code> operator to allocate memory, you need to pay attention to the different ways of detecting errors. <code>::operator new(std::size_t)</code> throws an exception on error, whereas <code>::operator new(std::size_t, const std::nothrow_t &)</code> returns zero on error. The programmer can get confused and check the error that occurs when allocating memory incorrectly. That can lead to an unhandled program termination or to a violation of the program logic.</p>
 
-<p>Loss of detection probably refers to use cases where memory allocation using your own solutions with strong nesting. It is also possible when using a buffer in the form of fields of different structures with the same names.</p>
-
 </overview>
 <recommendation>
 

From 16d058f49865acb62d36c1a9b1af0aa6810d9eac Mon Sep 17 00:00:00 2001
From: ihsinme <61293369+ihsinme@users.noreply.github.com>
Date: Wed, 27 Jan 2021 15:06:57 +0300
Subject: [PATCH 041/429] Update
 WrongInDetectingAndHandlingMemoryAllocationErrors.ql

---
 .../CWE-570/WrongInDetectingAndHandlingMemoryAllocationErrors.ql | 1 -
 1 file changed, 1 deletion(-)

diff --git a/cpp/ql/src/experimental/Security/CWE/CWE-570/WrongInDetectingAndHandlingMemoryAllocationErrors.ql b/cpp/ql/src/experimental/Security/CWE/CWE-570/WrongInDetectingAndHandlingMemoryAllocationErrors.ql
index 383c8a1f128..c32c14c1dd0 100644
--- a/cpp/ql/src/experimental/Security/CWE/CWE-570/WrongInDetectingAndHandlingMemoryAllocationErrors.ql
+++ b/cpp/ql/src/experimental/Security/CWE/CWE-570/WrongInDetectingAndHandlingMemoryAllocationErrors.ql
@@ -2,7 +2,6 @@
  * @name Сonfusion In Detecting And Handling Memory Allocation Errors
  * @description --::operator new(std::size_t) throws an exception on error, and ::operator new(std::size_t, const std::nothrow_t &) returns zero on error.
  *              --the programmer can get confused when check the error that occurs when allocating memory incorrectly.
- *              --Making a call of this type may result in a zero byte being written just outside the buffer.
  * @kind problem
  * @id cpp/detect-and-handle-memory-allocation-errors
  * @problem.severity warning

From bdfdcbd6735a841c4329a26b15bc4130c10e8f67 Mon Sep 17 00:00:00 2001
From: ihsinme <61293369+ihsinme@users.noreply.github.com>
Date: Wed, 27 Jan 2021 15:48:18 +0300
Subject: [PATCH 042/429] Update
 WrongInDetectingAndHandlingMemoryAllocationErrors.ql

---
 ...rongInDetectingAndHandlingMemoryAllocationErrors.ql | 10 ++--------
 1 file changed, 2 insertions(+), 8 deletions(-)

diff --git a/cpp/ql/src/experimental/Security/CWE/CWE-570/WrongInDetectingAndHandlingMemoryAllocationErrors.ql b/cpp/ql/src/experimental/Security/CWE/CWE-570/WrongInDetectingAndHandlingMemoryAllocationErrors.ql
index c32c14c1dd0..e165d61985b 100644
--- a/cpp/ql/src/experimental/Security/CWE/CWE-570/WrongInDetectingAndHandlingMemoryAllocationErrors.ql
+++ b/cpp/ql/src/experimental/Security/CWE/CWE-570/WrongInDetectingAndHandlingMemoryAllocationErrors.ql
@@ -44,14 +44,8 @@ class WrongCheckErrorOperatorNew extends FunctionCall {
    * Holds if handler `try ... catch` exists.
    */
   predicate isExistsTryCatchBlock() {
-    exists(TryStmt tb, AssignExpr aex, Initializer it |
-      tb.getAChild*() = exp
-      or
-      exp = it.getExpr() and
-      tb.getAChild*().(DeclStmt).getADeclaration() = it.getDeclaration()
-      or
-      aex.getAChild*() = exp and
-      tb.getAChild*().(AssignExpr) = aex
+    exists(TryStmt ts |
+      this.getEnclosingStmt() = ts.getStmt().getAChild*()
     )
   }
 

From 6a93099b645e32e7598999ddbcf0303f65e657fa Mon Sep 17 00:00:00 2001
From: luchua-bc <shengxin.canada@gmail.com>
Date: Thu, 28 Jan 2021 03:02:53 +0000
Subject: [PATCH 043/429] Simplify the query and update qldoc

---
 .../experimental/Security/CWE/CWE-522/InsecureLdapAuth.qhelp  | 2 +-
 .../src/experimental/Security/CWE/CWE-522/InsecureLdapAuth.ql | 4 +---
 2 files changed, 2 insertions(+), 4 deletions(-)

diff --git a/java/ql/src/experimental/Security/CWE/CWE-522/InsecureLdapAuth.qhelp b/java/ql/src/experimental/Security/CWE/CWE-522/InsecureLdapAuth.qhelp
index 9241b52cf19..ee4afabbed6 100644
--- a/java/ql/src/experimental/Security/CWE/CWE-522/InsecureLdapAuth.qhelp
+++ b/java/ql/src/experimental/Security/CWE/CWE-522/InsecureLdapAuth.qhelp
@@ -26,7 +26,7 @@
     </li>
     <li>
       Oracle:
-      <a href="https://docs.oracle.com/javase/tutorial/jndi/ldap/simple.html">Simple authentication consists of sending the LDAP server the fully qualified DN of the client (user) and the client's clear-text password</a>
+      <a href="https://docs.oracle.com/javase/tutorial/jndi/ldap/simple.html">Simple authentication</a>
     </li>
   </references>
 </qhelp>
diff --git a/java/ql/src/experimental/Security/CWE/CWE-522/InsecureLdapAuth.ql b/java/ql/src/experimental/Security/CWE/CWE-522/InsecureLdapAuth.ql
index 602dae21ad7..9563c755410 100644
--- a/java/ql/src/experimental/Security/CWE/CWE-522/InsecureLdapAuth.ql
+++ b/java/ql/src/experimental/Security/CWE/CWE-522/InsecureLdapAuth.ql
@@ -202,13 +202,11 @@ where
   sink.getNode().asExpr() = va and
   exists(BasicAuthFlowConfig bc, DataFlow::PathNode source2, DataFlow::PathNode sink2 |
     bc.hasFlowPath(source2, sink2) and
-    source2.getNode().asExpr().(CompileTimeConstantExpr).getStringValue() = "simple" and
     sink2.getNode().asExpr() = va
   ) and
   not exists(SSLFlowConfig sc, DataFlow::PathNode source3, DataFlow::PathNode sink3 |
     sc.hasFlowPath(source3, sink3) and
-    source3.getNode().asExpr().(CompileTimeConstantExpr).getStringValue() = "ssl" and
-    sink3.getNode().asExpr() = va.getVariable().getAnAccess()
+    sink3.getNode().asExpr() = va
   )
 select sink.getNode(), source, sink, "Insecure LDAP authentication from $@.", source.getNode(),
   "LDAP connection string"

From cfc950f8039ca780b87a6889b2913e6702961b4e Mon Sep 17 00:00:00 2001
From: luchua-bc <shengxin.canada@gmail.com>
Date: Thu, 7 Jan 2021 21:18:51 +0000
Subject: [PATCH 044/429] Query for weak encryption: Insufficient key size

---
 .../CWE/CWE-326/InsufficientKeySize.java      |  37 +++++
 .../CWE/CWE-326/InsufficientKeySize.qhelp     |  33 ++++
 .../CWE/CWE-326/InsufficientKeySize.ql        | 155 ++++++++++++++++++
 .../semmle/code/java/security/Encryption.qll  |  12 ++
 .../CWE-326/InsufficientKeySize.expected      |   4 +
 .../security/CWE-326/InsufficientKeySize.java |  41 +++++
 .../CWE-326/InsufficientKeySize.qlref         |   1 +
 7 files changed, 283 insertions(+)
 create mode 100644 java/ql/src/experimental/Security/CWE/CWE-326/InsufficientKeySize.java
 create mode 100644 java/ql/src/experimental/Security/CWE/CWE-326/InsufficientKeySize.qhelp
 create mode 100644 java/ql/src/experimental/Security/CWE/CWE-326/InsufficientKeySize.ql
 create mode 100644 java/ql/test/experimental/query-tests/security/CWE-326/InsufficientKeySize.expected
 create mode 100644 java/ql/test/experimental/query-tests/security/CWE-326/InsufficientKeySize.java
 create mode 100644 java/ql/test/experimental/query-tests/security/CWE-326/InsufficientKeySize.qlref

diff --git a/java/ql/src/experimental/Security/CWE/CWE-326/InsufficientKeySize.java b/java/ql/src/experimental/Security/CWE/CWE-326/InsufficientKeySize.java
new file mode 100644
index 00000000000..6ccf025c244
--- /dev/null
+++ b/java/ql/src/experimental/Security/CWE/CWE-326/InsufficientKeySize.java
@@ -0,0 +1,37 @@
+public class InsufficientKeySize {
+    public void CryptoMethod() {
+        KeyGenerator keyGen1 = KeyGenerator.getInstance("AES");
+        // BAD: Key size is less than 128
+        keyGen1.init(64);
+
+        KeyGenerator keyGen2 = KeyGenerator.getInstance("AES");
+        // GOOD: Key size is no less than 128
+        keyGen2.init(128);
+
+        KeyPairGenerator keyPairGen1 = KeyPairGenerator.getInstance("RSA");
+        // BAD: Key size is less than 2048
+        keyPairGen1.initialize(1024);
+
+        KeyPairGenerator keyPairGen2 = KeyPairGenerator.getInstance("RSA");
+        // GOOD: Key size is no less than 2048
+        keyPairGen2.initialize(2048);
+
+        KeyPairGenerator keyPairGen3 = KeyPairGenerator.getInstance("DSA");
+        // BAD: Key size is less than 2048
+        keyPairGen3.initialize(1024);
+
+        KeyPairGenerator keyPairGen4 = KeyPairGenerator.getInstance("DSA");
+        // GOOD: Key size is no less than 2048
+        keyPairGen4.initialize(2048);
+
+        KeyPairGenerator keyPairGen5 = KeyPairGenerator.getInstance("EC");
+        // BAD: Key size is less than 224
+        ECGenParameterSpec ecSpec1 = new ECGenParameterSpec("secp112r1");
+        keyPairGen5.initialize(ecSpec1);
+
+        KeyPairGenerator keyPairGen6 = KeyPairGenerator.getInstance("EC");
+        // GOOD: Key size is no less than 224
+        ECGenParameterSpec ecSpec2 = new ECGenParameterSpec("secp256r1");
+        keyPairGen6.initialize(ecSpec2);
+    }
+}
diff --git a/java/ql/src/experimental/Security/CWE/CWE-326/InsufficientKeySize.qhelp b/java/ql/src/experimental/Security/CWE/CWE-326/InsufficientKeySize.qhelp
new file mode 100644
index 00000000000..8de21f1c90a
--- /dev/null
+++ b/java/ql/src/experimental/Security/CWE/CWE-326/InsufficientKeySize.qhelp
@@ -0,0 +1,33 @@
+<!DOCTYPE qhelp PUBLIC "-//Semmle//qhelp//EN" "qhelp.dtd">
+<qhelp>
+    <overview>
+        <p>This rule finds uses of encryption algorithms with too small a key size. Encryption algorithms 
+are vulnerable to brute force attack when too small a key size is used.</p>
+    </overview>
+
+    <recommendation>
+        <p>The key should be at least 2048-bit long when using RSA and DSA encryption, 224-bit long when using EC encryption, and 128-bit long when using 
+symmetric encryption.</p>
+    </recommendation>
+    
+    <references>
+
+        <li>
+            Wikipedia.
+            <a href="http://en.wikipedia.org/wiki/Key_size">Key size</a>
+        </li>
+        <li>
+            SonarSource.
+            <a href="https://rules.sonarsource.com/java/type/Vulnerability/RSPEC-4426">Cryptographic keys should be robust</a>
+        </li>
+        <li>
+            CWE.
+            <a href="https://cwe.mitre.org/data/definitions/326.html">CWE-326: Inadequate Encryption Strength</a>
+        </li>
+        <li>
+            C# implementation of CodeQL
+            <a href="https://github.com/github/codeql/blob/df29a1636555465527d17668c19c202e365cf502/csharp/ql/src/Security%20Features/InsufficientKeySize.ql">codeql/csharp/ql/src/Security Features/InsufficientKeySize.ql</a>
+        </li>
+ 
+    </references>
+</qhelp>
\ No newline at end of file
diff --git a/java/ql/src/experimental/Security/CWE/CWE-326/InsufficientKeySize.ql b/java/ql/src/experimental/Security/CWE/CWE-326/InsufficientKeySize.ql
new file mode 100644
index 00000000000..882d997f1b8
--- /dev/null
+++ b/java/ql/src/experimental/Security/CWE/CWE-326/InsufficientKeySize.ql
@@ -0,0 +1,155 @@
+/**
+ * @name Weak encryption: Insufficient key size
+ * @description Finds uses of encryption algorithms with too small a key size
+ * @kind problem
+ * @id java/insufficient-key-size
+ * @tags security
+ *       external/cwe/cwe-326
+ */
+
+import java
+import semmle.code.java.security.Encryption
+import semmle.code.java.dataflow.TaintTracking
+
+/** The Java class `javax.crypto.KeyGenerator`. */
+class KeyGenerator extends RefType {
+  KeyGenerator() { this.hasQualifiedName("javax.crypto", "KeyGenerator") }
+}
+
+/** The Java class `javax.crypto.KeyGenerator`. */
+class KeyPairGenerator extends RefType {
+  KeyPairGenerator() { this.hasQualifiedName("java.security", "KeyPairGenerator") }
+}
+
+/** The Java class `java.security.spec.ECGenParameterSpec`. */
+class ECGenParameterSpec extends RefType {
+  ECGenParameterSpec() { this.hasQualifiedName("java.security.spec", "ECGenParameterSpec") }
+}
+
+/** The `init` method declared in `javax.crypto.KeyGenerator`. */
+class KeyGeneratorInitMethod extends Method {
+  KeyGeneratorInitMethod() {
+    getDeclaringType() instanceof KeyGenerator and
+    hasName("init")
+  }
+}
+
+/** The `initialize` method declared in `java.security.KeyPairGenerator`. */
+class KeyPairGeneratorInitMethod extends Method {
+  KeyPairGeneratorInitMethod() {
+    getDeclaringType() instanceof KeyPairGenerator and
+    hasName("initialize")
+  }
+}
+
+/** Taint configuration tracking flow from a key generator to a `init` method call. */
+class CryptoKeyGeneratorConfiguration extends TaintTracking::Configuration {
+  CryptoKeyGeneratorConfiguration() { this = "CryptoKeyGeneratorConfiguration" }
+
+  override predicate isSource(DataFlow::Node source) {
+    exists(JavaxCryptoKeyGenerator jcg | jcg = source.asExpr())
+  }
+
+  override predicate isSink(DataFlow::Node sink) {
+    exists(MethodAccess ma |
+      ma.getMethod() instanceof KeyGeneratorInitMethod and
+      sink.asExpr() = ma.getQualifier()
+    )
+  }
+}
+
+/** Taint configuration tracking flow from a keypair generator to a `initialize` method call. */
+class KeyPairGeneratorConfiguration extends TaintTracking::Configuration {
+  KeyPairGeneratorConfiguration() { this = "KeyPairGeneratorConfiguration" }
+
+  override predicate isSource(DataFlow::Node source) {
+    exists(JavaSecurityKeyPairGenerator jkg | jkg = source.asExpr())
+  }
+
+  override predicate isSink(DataFlow::Node sink) {
+    exists(MethodAccess ma |
+      ma.getMethod() instanceof KeyPairGeneratorInitMethod and
+      sink.asExpr() = ma.getQualifier()
+    )
+  }
+}
+
+/** Holds if an AES `KeyGenerator` is initialized with an insufficient key size. */
+predicate incorrectUseOfAES(MethodAccess ma, string msg) {
+  ma.getMethod() instanceof KeyGeneratorInitMethod and
+  exists(
+    JavaxCryptoKeyGenerator jcg, CryptoKeyGeneratorConfiguration cc, DataFlow::PathNode source,
+    DataFlow::PathNode dest
+  |
+    jcg.getAlgoSpec().(StringLiteral).getValue() = "AES" and
+    source.getNode().asExpr() = jcg and
+    dest.getNode().asExpr() = ma.getQualifier() and
+    cc.hasFlowPath(source, dest)
+  ) and
+  ma.getArgument(0).(IntegerLiteral).getIntValue() < 128 and
+  msg = "Key size should be at least 128 bits for AES encryption."
+}
+
+/** Holds if a DSA `KeyPairGenerator` is initialized with an insufficient key size. */
+predicate incorrectUseOfDSA(MethodAccess ma, string msg) {
+  ma.getMethod() instanceof KeyPairGeneratorInitMethod and
+  exists(
+    JavaSecurityKeyPairGenerator jpg, KeyPairGeneratorConfiguration kc, DataFlow::PathNode source,
+    DataFlow::PathNode dest
+  |
+    jpg.getAlgoSpec().(StringLiteral).getValue() = "DSA" and
+    source.getNode().asExpr() = jpg and
+    dest.getNode().asExpr() = ma.getQualifier() and
+    kc.hasFlowPath(source, dest)
+  ) and
+  ma.getArgument(0).(IntegerLiteral).getIntValue() < 2048 and
+  msg = "Key size should be at least 2048 bits for DSA encryption."
+}
+
+/** Holds if a RSA `KeyPairGenerator` is initialized with an insufficient key size. */
+predicate incorrectUseOfRSA(MethodAccess ma, string msg) {
+  ma.getMethod() instanceof KeyPairGeneratorInitMethod and
+  exists(
+    JavaSecurityKeyPairGenerator jpg, KeyPairGeneratorConfiguration kc, DataFlow::PathNode source,
+    DataFlow::PathNode dest
+  |
+    jpg.getAlgoSpec().(StringLiteral).getValue() = "RSA" and
+    source.getNode().asExpr() = jpg and
+    dest.getNode().asExpr() = ma.getQualifier() and
+    kc.hasFlowPath(source, dest)
+  ) and
+  ma.getArgument(0).(IntegerLiteral).getIntValue() < 2048 and
+  msg = "Key size should be at least 2048 bits for RSA encryption."
+}
+
+/** Holds if an EC `KeyPairGenerator` is initialized with an insufficient key size. */
+predicate incorrectUseOfEC(MethodAccess ma, string msg) {
+  ma.getMethod() instanceof KeyPairGeneratorInitMethod and
+  exists(
+    JavaSecurityKeyPairGenerator jpg, KeyPairGeneratorConfiguration kc, DataFlow::PathNode source,
+    DataFlow::PathNode dest, ClassInstanceExpr cie
+  |
+    jpg.getAlgoSpec().(StringLiteral).getValue().matches("EC%") and //ECC variants such as ECDH and ECDSA
+    source.getNode().asExpr() = jpg and
+    dest.getNode().asExpr() = ma.getQualifier() and
+    kc.hasFlowPath(source, dest) and
+    exists(VariableAssign va |
+      ma.getArgument(0).(VarAccess).getVariable() = va.getDestVar() and
+      va.getSource() = cie and
+      cie.getArgument(0)
+          .(StringLiteral)
+          .getRepresentedString()
+          .regexpCapture(".*[a-zA-Z]+([0-9]+)[a-zA-Z]+.*", 1)
+          .toInt() < 224
+    )
+  ) and
+  msg = "Key size should be at least 224 bits for EC encryption."
+}
+
+from Expr e, string msg
+where
+  incorrectUseOfAES(e, msg) or
+  incorrectUseOfDSA(e, msg) or
+  incorrectUseOfRSA(e, msg) or
+  incorrectUseOfEC(e, msg)
+select e, msg
diff --git a/java/ql/src/semmle/code/java/security/Encryption.qll b/java/ql/src/semmle/code/java/security/Encryption.qll
index d48a5c6c715..b133fd3c523 100644
--- a/java/ql/src/semmle/code/java/security/Encryption.qll
+++ b/java/ql/src/semmle/code/java/security/Encryption.qll
@@ -304,3 +304,15 @@ class JavaSecuritySignature extends JavaSecurityAlgoSpec {
 
   override Expr getAlgoSpec() { result = this.(ConstructorCall).getArgument(0) }
 }
+
+/** Method call to the Java class `java.security.KeyPairGenerator`. */
+class JavaSecurityKeyPairGenerator extends JavaxCryptoAlgoSpec {
+  JavaSecurityKeyPairGenerator() {
+    exists(Method m | m.getAReference() = this |
+      m.getDeclaringType().getQualifiedName() = "java.security.KeyPairGenerator" and
+      m.getName() = "getInstance"
+    )
+  }
+
+  override Expr getAlgoSpec() { result = this.(MethodAccess).getArgument(0) }
+}
diff --git a/java/ql/test/experimental/query-tests/security/CWE-326/InsufficientKeySize.expected b/java/ql/test/experimental/query-tests/security/CWE-326/InsufficientKeySize.expected
new file mode 100644
index 00000000000..b47469aed5d
--- /dev/null
+++ b/java/ql/test/experimental/query-tests/security/CWE-326/InsufficientKeySize.expected
@@ -0,0 +1,4 @@
+| InsufficientKeySize.java:9:9:9:24 | init(...) | Key size should be at least 128 bits for AES encryption. |
+| InsufficientKeySize.java:17:9:17:36 | initialize(...) | Key size should be at least 2048 bits for RSA encryption. |
+| InsufficientKeySize.java:25:9:25:36 | initialize(...) | Key size should be at least 2048 bits for DSA encryption. |
+| InsufficientKeySize.java:34:9:34:39 | initialize(...) | Key size should be at least 224 bits for EC encryption. |
diff --git a/java/ql/test/experimental/query-tests/security/CWE-326/InsufficientKeySize.java b/java/ql/test/experimental/query-tests/security/CWE-326/InsufficientKeySize.java
new file mode 100644
index 00000000000..13f74b6fac3
--- /dev/null
+++ b/java/ql/test/experimental/query-tests/security/CWE-326/InsufficientKeySize.java
@@ -0,0 +1,41 @@
+import java.security.KeyPairGenerator;
+import java.security.spec.ECGenParameterSpec;
+import javax.crypto.KeyGenerator;
+
+public class InsufficientKeySize {
+    public void CryptoMethod() {
+        KeyGenerator keyGen1 = KeyGenerator.getInstance("AES");
+        // BAD: Key size is less than 128
+        keyGen1.init(64);
+
+        KeyGenerator keyGen2 = KeyGenerator.getInstance("AES");
+        // GOOD: Key size is no less than 128
+        keyGen2.init(128);
+
+        KeyPairGenerator keyPairGen1 = KeyPairGenerator.getInstance("RSA");
+        // BAD: Key size is less than 2048
+        keyPairGen1.initialize(1024);
+
+        KeyPairGenerator keyPairGen2 = KeyPairGenerator.getInstance("RSA");
+        // GOOD: Key size is no less than 2048
+        keyPairGen2.initialize(2048);
+
+        KeyPairGenerator keyPairGen3 = KeyPairGenerator.getInstance("DSA");
+        // BAD: Key size is less than 2048
+        keyPairGen3.initialize(1024);
+
+        KeyPairGenerator keyPairGen4 = KeyPairGenerator.getInstance("DSA");
+        // GOOD: Key size is no less than 2048
+        keyPairGen4.initialize(2048);
+
+        KeyPairGenerator keyPairGen5 = KeyPairGenerator.getInstance("EC");
+        // BAD: Key size is less than 224
+        ECGenParameterSpec ecSpec1 = new ECGenParameterSpec("secp112r1");
+        keyPairGen5.initialize(ecSpec1);
+
+        KeyPairGenerator keyPairGen6 = KeyPairGenerator.getInstance("EC");
+        // GOOD: Key size is no less than 224
+        ECGenParameterSpec ecSpec2 = new ECGenParameterSpec("secp256r1");
+        keyPairGen6.initialize(ecSpec2);
+    }
+}
diff --git a/java/ql/test/experimental/query-tests/security/CWE-326/InsufficientKeySize.qlref b/java/ql/test/experimental/query-tests/security/CWE-326/InsufficientKeySize.qlref
new file mode 100644
index 00000000000..2b35cd6921e
--- /dev/null
+++ b/java/ql/test/experimental/query-tests/security/CWE-326/InsufficientKeySize.qlref
@@ -0,0 +1 @@
+experimental/Security/CWE/CWE-326/InsufficientKeySize.ql
\ No newline at end of file

From cbaee937d0ab8962278be494e36eaad5ab24693f Mon Sep 17 00:00:00 2001
From: luchua-bc <shengxin.canada@gmail.com>
Date: Fri, 8 Jan 2021 21:56:34 +0000
Subject: [PATCH 045/429] Optimize the query

---
 .../CWE/CWE-326/InsufficientKeySize.qhelp     |  6 +-
 .../CWE/CWE-326/InsufficientKeySize.ql        | 91 ++++++++-----------
 .../semmle/code/java/security/Encryption.qll  | 14 ++-
 .../CWE-326/InsufficientKeySize.expected      |  4 +
 .../security/CWE-326/InsufficientKeySize.java | 21 ++++-
 5 files changed, 77 insertions(+), 59 deletions(-)

diff --git a/java/ql/src/experimental/Security/CWE/CWE-326/InsufficientKeySize.qhelp b/java/ql/src/experimental/Security/CWE/CWE-326/InsufficientKeySize.qhelp
index 8de21f1c90a..10ec6adc9df 100644
--- a/java/ql/src/experimental/Security/CWE/CWE-326/InsufficientKeySize.qhelp
+++ b/java/ql/src/experimental/Security/CWE/CWE-326/InsufficientKeySize.qhelp
@@ -6,7 +6,7 @@ are vulnerable to brute force attack when too small a key size is used.</p>
     </overview>
 
     <recommendation>
-        <p>The key should be at least 2048-bit long when using RSA and DSA encryption, 224-bit long when using EC encryption, and 128-bit long when using 
+        <p>The key should be at least 2048 bits long when using RSA and DSA encryption, 224 bits long when using EC encryption, and 128 bits long when using 
 symmetric encryption.</p>
     </recommendation>
     
@@ -24,10 +24,6 @@ symmetric encryption.</p>
             CWE.
             <a href="https://cwe.mitre.org/data/definitions/326.html">CWE-326: Inadequate Encryption Strength</a>
         </li>
-        <li>
-            C# implementation of CodeQL
-            <a href="https://github.com/github/codeql/blob/df29a1636555465527d17668c19c202e365cf502/csharp/ql/src/Security%20Features/InsufficientKeySize.ql">codeql/csharp/ql/src/Security Features/InsufficientKeySize.ql</a>
-        </li>
  
     </references>
 </qhelp>
\ No newline at end of file
diff --git a/java/ql/src/experimental/Security/CWE/CWE-326/InsufficientKeySize.ql b/java/ql/src/experimental/Security/CWE/CWE-326/InsufficientKeySize.ql
index 882d997f1b8..df265f267f7 100644
--- a/java/ql/src/experimental/Security/CWE/CWE-326/InsufficientKeySize.ql
+++ b/java/ql/src/experimental/Security/CWE/CWE-326/InsufficientKeySize.ql
@@ -11,16 +11,6 @@ import java
 import semmle.code.java.security.Encryption
 import semmle.code.java.dataflow.TaintTracking
 
-/** The Java class `javax.crypto.KeyGenerator`. */
-class KeyGenerator extends RefType {
-  KeyGenerator() { this.hasQualifiedName("javax.crypto", "KeyGenerator") }
-}
-
-/** The Java class `javax.crypto.KeyGenerator`. */
-class KeyPairGenerator extends RefType {
-  KeyPairGenerator() { this.hasQualifiedName("java.security", "KeyPairGenerator") }
-}
-
 /** The Java class `java.security.spec.ECGenParameterSpec`. */
 class ECGenParameterSpec extends RefType {
   ECGenParameterSpec() { this.hasQualifiedName("java.security.spec", "ECGenParameterSpec") }
@@ -42,9 +32,19 @@ class KeyPairGeneratorInitMethod extends Method {
   }
 }
 
+/** Returns the key size in the EC algorithm string */
+bindingset[algorithm]
+int getECKeySize(string algorithm) {
+  algorithm.matches("sec%") and // specification such as "secp256r1"
+  result = algorithm.regexpCapture("sec[p|t](\\d+)[a-zA-Z].*", 1).toInt()
+  or
+  algorithm.matches("X9.62%") and //specification such as "X9.62 prime192v2"
+  result = algorithm.regexpCapture("X9.62 .*[a-zA-Z](\\d+)[a-zA-Z].*", 1).toInt()
+}
+
 /** Taint configuration tracking flow from a key generator to a `init` method call. */
-class CryptoKeyGeneratorConfiguration extends TaintTracking::Configuration {
-  CryptoKeyGeneratorConfiguration() { this = "CryptoKeyGeneratorConfiguration" }
+class KeyGeneratorInitConfiguration extends TaintTracking::Configuration {
+  KeyGeneratorInitConfiguration() { this = "KeyGeneratorInitConfiguration" }
 
   override predicate isSource(DataFlow::Node source) {
     exists(JavaxCryptoKeyGenerator jcg | jcg = source.asExpr())
@@ -59,8 +59,8 @@ class CryptoKeyGeneratorConfiguration extends TaintTracking::Configuration {
 }
 
 /** Taint configuration tracking flow from a keypair generator to a `initialize` method call. */
-class KeyPairGeneratorConfiguration extends TaintTracking::Configuration {
-  KeyPairGeneratorConfiguration() { this = "KeyPairGeneratorConfiguration" }
+class KeyPairGeneratorInitConfiguration extends TaintTracking::Configuration {
+  KeyPairGeneratorInitConfiguration() { this = "KeyPairGeneratorInitConfiguration" }
 
   override predicate isSource(DataFlow::Node source) {
     exists(JavaSecurityKeyPairGenerator jkg | jkg = source.asExpr())
@@ -75,10 +75,10 @@ class KeyPairGeneratorConfiguration extends TaintTracking::Configuration {
 }
 
 /** Holds if an AES `KeyGenerator` is initialized with an insufficient key size. */
-predicate incorrectUseOfAES(MethodAccess ma, string msg) {
+predicate hasShortAESKey(MethodAccess ma, string msg) {
   ma.getMethod() instanceof KeyGeneratorInitMethod and
   exists(
-    JavaxCryptoKeyGenerator jcg, CryptoKeyGeneratorConfiguration cc, DataFlow::PathNode source,
+    JavaxCryptoKeyGenerator jcg, KeyGeneratorInitConfiguration cc, DataFlow::PathNode source,
     DataFlow::PathNode dest
   |
     jcg.getAlgoSpec().(StringLiteral).getValue() = "AES" and
@@ -90,66 +90,55 @@ predicate incorrectUseOfAES(MethodAccess ma, string msg) {
   msg = "Key size should be at least 128 bits for AES encryption."
 }
 
-/** Holds if a DSA `KeyPairGenerator` is initialized with an insufficient key size. */
-predicate incorrectUseOfDSA(MethodAccess ma, string msg) {
+/** Holds if an asymmetric `KeyPairGenerator` is initialized with an insufficient key size. */
+bindingset[type]
+predicate hasShortAsymmetricKeyPair(MethodAccess ma, string msg, string type) {
   ma.getMethod() instanceof KeyPairGeneratorInitMethod and
   exists(
-    JavaSecurityKeyPairGenerator jpg, KeyPairGeneratorConfiguration kc, DataFlow::PathNode source,
-    DataFlow::PathNode dest
+    JavaSecurityKeyPairGenerator jpg, KeyPairGeneratorInitConfiguration kc,
+    DataFlow::PathNode source, DataFlow::PathNode dest
   |
-    jpg.getAlgoSpec().(StringLiteral).getValue() = "DSA" and
+    jpg.getAlgoSpec().(StringLiteral).getValue() = type and
     source.getNode().asExpr() = jpg and
     dest.getNode().asExpr() = ma.getQualifier() and
     kc.hasFlowPath(source, dest)
   ) and
   ma.getArgument(0).(IntegerLiteral).getIntValue() < 2048 and
-  msg = "Key size should be at least 2048 bits for DSA encryption."
+  msg = "Key size should be at least 2048 bits for " + type + " encryption."
+}
+
+/** Holds if a DSA `KeyPairGenerator` is initialized with an insufficient key size. */
+predicate hasShortDSAKeyPair(MethodAccess ma, string msg) {
+  hasShortAsymmetricKeyPair(ma, msg, "DSA")
 }
 
 /** Holds if a RSA `KeyPairGenerator` is initialized with an insufficient key size. */
-predicate incorrectUseOfRSA(MethodAccess ma, string msg) {
-  ma.getMethod() instanceof KeyPairGeneratorInitMethod and
-  exists(
-    JavaSecurityKeyPairGenerator jpg, KeyPairGeneratorConfiguration kc, DataFlow::PathNode source,
-    DataFlow::PathNode dest
-  |
-    jpg.getAlgoSpec().(StringLiteral).getValue() = "RSA" and
-    source.getNode().asExpr() = jpg and
-    dest.getNode().asExpr() = ma.getQualifier() and
-    kc.hasFlowPath(source, dest)
-  ) and
-  ma.getArgument(0).(IntegerLiteral).getIntValue() < 2048 and
-  msg = "Key size should be at least 2048 bits for RSA encryption."
+predicate hasShortRSAKeyPair(MethodAccess ma, string msg) {
+  hasShortAsymmetricKeyPair(ma, msg, "RSA")
 }
 
 /** Holds if an EC `KeyPairGenerator` is initialized with an insufficient key size. */
-predicate incorrectUseOfEC(MethodAccess ma, string msg) {
+predicate hasShortECKeyPair(MethodAccess ma, string msg) {
   ma.getMethod() instanceof KeyPairGeneratorInitMethod and
   exists(
-    JavaSecurityKeyPairGenerator jpg, KeyPairGeneratorConfiguration kc, DataFlow::PathNode source,
-    DataFlow::PathNode dest, ClassInstanceExpr cie
+    JavaSecurityKeyPairGenerator jpg, KeyPairGeneratorInitConfiguration kc,
+    DataFlow::PathNode source, DataFlow::PathNode dest, ClassInstanceExpr cie
   |
     jpg.getAlgoSpec().(StringLiteral).getValue().matches("EC%") and //ECC variants such as ECDH and ECDSA
     source.getNode().asExpr() = jpg and
     dest.getNode().asExpr() = ma.getQualifier() and
     kc.hasFlowPath(source, dest) and
-    exists(VariableAssign va |
-      ma.getArgument(0).(VarAccess).getVariable() = va.getDestVar() and
-      va.getSource() = cie and
-      cie.getArgument(0)
-          .(StringLiteral)
-          .getRepresentedString()
-          .regexpCapture(".*[a-zA-Z]+([0-9]+)[a-zA-Z]+.*", 1)
-          .toInt() < 224
-    )
+    DataFlow::localExprFlow(cie, ma.getArgument(0)) and
+    ma.getArgument(0).getType() instanceof ECGenParameterSpec and
+    getECKeySize(cie.getArgument(0).(StringLiteral).getRepresentedString()) < 224
   ) and
   msg = "Key size should be at least 224 bits for EC encryption."
 }
 
 from Expr e, string msg
 where
-  incorrectUseOfAES(e, msg) or
-  incorrectUseOfDSA(e, msg) or
-  incorrectUseOfRSA(e, msg) or
-  incorrectUseOfEC(e, msg)
+  hasShortAESKey(e, msg) or
+  hasShortDSAKeyPair(e, msg) or
+  hasShortRSAKeyPair(e, msg) or
+  hasShortECKeyPair(e, msg)
 select e, msg
diff --git a/java/ql/src/semmle/code/java/security/Encryption.qll b/java/ql/src/semmle/code/java/security/Encryption.qll
index b133fd3c523..9c10569d8c1 100644
--- a/java/ql/src/semmle/code/java/security/Encryption.qll
+++ b/java/ql/src/semmle/code/java/security/Encryption.qll
@@ -38,6 +38,16 @@ class HostnameVerifier extends RefType {
   HostnameVerifier() { hasQualifiedName("javax.net.ssl", "HostnameVerifier") }
 }
 
+/** The Java class `javax.crypto.KeyGenerator`. */
+class KeyGenerator extends RefType {
+  KeyGenerator() { this.hasQualifiedName("javax.crypto", "KeyGenerator") }
+}
+
+/** The Java class `java.security.KeyPairGenerator`. */
+class KeyPairGenerator extends RefType {
+  KeyPairGenerator() { this.hasQualifiedName("java.security", "KeyPairGenerator") }
+}
+
 /** The `verify` method of the class `javax.net.ssl.HostnameVerifier`. */
 class HostnameVerifierVerify extends Method {
   HostnameVerifierVerify() {
@@ -248,7 +258,7 @@ class JavaxCryptoSecretKey extends JavaxCryptoAlgoSpec {
 class JavaxCryptoKeyGenerator extends JavaxCryptoAlgoSpec {
   JavaxCryptoKeyGenerator() {
     exists(Method m | m.getAReference() = this |
-      m.getDeclaringType().getQualifiedName() = "javax.crypto.KeyGenerator" and
+      m.getDeclaringType() instanceof KeyGenerator and
       m.getName() = "getInstance"
     )
   }
@@ -309,7 +319,7 @@ class JavaSecuritySignature extends JavaSecurityAlgoSpec {
 class JavaSecurityKeyPairGenerator extends JavaxCryptoAlgoSpec {
   JavaSecurityKeyPairGenerator() {
     exists(Method m | m.getAReference() = this |
-      m.getDeclaringType().getQualifiedName() = "java.security.KeyPairGenerator" and
+      m.getDeclaringType() instanceof KeyPairGenerator and
       m.getName() = "getInstance"
     )
   }
diff --git a/java/ql/test/experimental/query-tests/security/CWE-326/InsufficientKeySize.expected b/java/ql/test/experimental/query-tests/security/CWE-326/InsufficientKeySize.expected
index b47469aed5d..f350495d28f 100644
--- a/java/ql/test/experimental/query-tests/security/CWE-326/InsufficientKeySize.expected
+++ b/java/ql/test/experimental/query-tests/security/CWE-326/InsufficientKeySize.expected
@@ -2,3 +2,7 @@
 | InsufficientKeySize.java:17:9:17:36 | initialize(...) | Key size should be at least 2048 bits for RSA encryption. |
 | InsufficientKeySize.java:25:9:25:36 | initialize(...) | Key size should be at least 2048 bits for DSA encryption. |
 | InsufficientKeySize.java:34:9:34:39 | initialize(...) | Key size should be at least 224 bits for EC encryption. |
+| InsufficientKeySize.java:38:9:38:67 | initialize(...) | Key size should be at least 224 bits for EC encryption. |
+| InsufficientKeySize.java:48:9:48:39 | initialize(...) | Key size should be at least 224 bits for EC encryption. |
+| InsufficientKeySize.java:53:9:53:39 | initialize(...) | Key size should be at least 224 bits for EC encryption. |
+| InsufficientKeySize.java:58:9:58:40 | initialize(...) | Key size should be at least 224 bits for EC encryption. |
diff --git a/java/ql/test/experimental/query-tests/security/CWE-326/InsufficientKeySize.java b/java/ql/test/experimental/query-tests/security/CWE-326/InsufficientKeySize.java
index 13f74b6fac3..80d49cdf5f1 100644
--- a/java/ql/test/experimental/query-tests/security/CWE-326/InsufficientKeySize.java
+++ b/java/ql/test/experimental/query-tests/security/CWE-326/InsufficientKeySize.java
@@ -34,8 +34,27 @@ public class InsufficientKeySize {
         keyPairGen5.initialize(ecSpec1);
 
         KeyPairGenerator keyPairGen6 = KeyPairGenerator.getInstance("EC");
+        // BAD: Key size is less than 224
+        keyPairGen6.initialize(new ECGenParameterSpec("secp112r1"));
+
+        KeyPairGenerator keyPairGen7 = KeyPairGenerator.getInstance("EC");
         // GOOD: Key size is no less than 224
         ECGenParameterSpec ecSpec2 = new ECGenParameterSpec("secp256r1");
-        keyPairGen6.initialize(ecSpec2);
+        keyPairGen7.initialize(ecSpec2);
+
+        KeyPairGenerator keyPairGen8 = KeyPairGenerator.getInstance("EC");
+        // BAD: Key size is less than 224
+        ECGenParameterSpec ecSpec3 = new ECGenParameterSpec("X9.62 prime192v2");
+        keyPairGen8.initialize(ecSpec3);
+
+        KeyPairGenerator keyPairGen9 = KeyPairGenerator.getInstance("EC");
+        // BAD: Key size is less than 224
+        ECGenParameterSpec ecSpec4 = new ECGenParameterSpec("X9.62 c2tnb191v3");
+        keyPairGen9.initialize(ecSpec4);
+
+        KeyPairGenerator keyPairGen10 = KeyPairGenerator.getInstance("EC");
+        // BAD: Key size is less than 224
+        ECGenParameterSpec ecSpec5 = new ECGenParameterSpec("sect163k1");
+        keyPairGen10.initialize(ecSpec5);
     }
 }

From 058f3af4b21bfe3dec4bdcbb84f3bd26c5830dca Mon Sep 17 00:00:00 2001
From: luchua-bc <shengxin.canada@gmail.com>
Date: Sat, 9 Jan 2021 13:48:29 +0000
Subject: [PATCH 046/429] Refactor the hasShortSymmetricKey method

---
 .../Security/CWE/CWE-326/InsufficientKeySize.ql    | 14 +++++++++-----
 .../security/CWE-326/InsufficientKeySize.java      |  5 +++++
 2 files changed, 14 insertions(+), 5 deletions(-)

diff --git a/java/ql/src/experimental/Security/CWE/CWE-326/InsufficientKeySize.ql b/java/ql/src/experimental/Security/CWE/CWE-326/InsufficientKeySize.ql
index df265f267f7..169e1e58a69 100644
--- a/java/ql/src/experimental/Security/CWE/CWE-326/InsufficientKeySize.ql
+++ b/java/ql/src/experimental/Security/CWE/CWE-326/InsufficientKeySize.ql
@@ -39,7 +39,7 @@ int getECKeySize(string algorithm) {
   result = algorithm.regexpCapture("sec[p|t](\\d+)[a-zA-Z].*", 1).toInt()
   or
   algorithm.matches("X9.62%") and //specification such as "X9.62 prime192v2"
-  result = algorithm.regexpCapture("X9.62 .*[a-zA-Z](\\d+)[a-zA-Z].*", 1).toInt()
+  result = algorithm.regexpCapture("X9\\.62 .*[a-zA-Z](\\d+)[a-zA-Z].*", 1).toInt()
 }
 
 /** Taint configuration tracking flow from a key generator to a `init` method call. */
@@ -74,22 +74,26 @@ class KeyPairGeneratorInitConfiguration extends TaintTracking::Configuration {
   }
 }
 
-/** Holds if an AES `KeyGenerator` is initialized with an insufficient key size. */
-predicate hasShortAESKey(MethodAccess ma, string msg) {
+/** Holds if a symmetric `KeyGenerator` is initialized with an insufficient key size. */
+bindingset[type]
+predicate hasShortSymmetricKey(MethodAccess ma, string msg, string type) {
   ma.getMethod() instanceof KeyGeneratorInitMethod and
   exists(
     JavaxCryptoKeyGenerator jcg, KeyGeneratorInitConfiguration cc, DataFlow::PathNode source,
     DataFlow::PathNode dest
   |
-    jcg.getAlgoSpec().(StringLiteral).getValue() = "AES" and
+    jcg.getAlgoSpec().(StringLiteral).getValue() = type and
     source.getNode().asExpr() = jcg and
     dest.getNode().asExpr() = ma.getQualifier() and
     cc.hasFlowPath(source, dest)
   ) and
   ma.getArgument(0).(IntegerLiteral).getIntValue() < 128 and
-  msg = "Key size should be at least 128 bits for AES encryption."
+  msg = "Key size should be at least 128 bits for " + type + " encryption."
 }
 
+/** Holds if an AES `KeyGenerator` is initialized with an insufficient key size. */
+predicate hasShortAESKey(MethodAccess ma, string msg) { hasShortSymmetricKey(ma, msg, "AES") }
+
 /** Holds if an asymmetric `KeyPairGenerator` is initialized with an insufficient key size. */
 bindingset[type]
 predicate hasShortAsymmetricKeyPair(MethodAccess ma, string msg, string type) {
diff --git a/java/ql/test/experimental/query-tests/security/CWE-326/InsufficientKeySize.java b/java/ql/test/experimental/query-tests/security/CWE-326/InsufficientKeySize.java
index 80d49cdf5f1..45b7c610df1 100644
--- a/java/ql/test/experimental/query-tests/security/CWE-326/InsufficientKeySize.java
+++ b/java/ql/test/experimental/query-tests/security/CWE-326/InsufficientKeySize.java
@@ -56,5 +56,10 @@ public class InsufficientKeySize {
         // BAD: Key size is less than 224
         ECGenParameterSpec ecSpec5 = new ECGenParameterSpec("sect163k1");
         keyPairGen10.initialize(ecSpec5);
+
+        KeyPairGenerator keyPairGen11 = KeyPairGenerator.getInstance("EC");
+        // GOOD: Key size is no less than 224
+        ECGenParameterSpec ecSpec6 = new ECGenParameterSpec("X9.62 c2tnb359v1");
+        keyPairGen11.initialize(ecSpec6);
     }
 }

From 2ac7b4bab42c4146fb9f629291d049efa43d52e8 Mon Sep 17 00:00:00 2001
From: luchua-bc <shengxin.canada@gmail.com>
Date: Mon, 11 Jan 2021 12:59:00 +0000
Subject: [PATCH 047/429] Update qldoc

---
 .../Security/CWE/CWE-326/InsufficientKeySize.ql    | 14 +++++++-------
 1 file changed, 7 insertions(+), 7 deletions(-)

diff --git a/java/ql/src/experimental/Security/CWE/CWE-326/InsufficientKeySize.ql b/java/ql/src/experimental/Security/CWE/CWE-326/InsufficientKeySize.ql
index 169e1e58a69..c925ef0a966 100644
--- a/java/ql/src/experimental/Security/CWE/CWE-326/InsufficientKeySize.ql
+++ b/java/ql/src/experimental/Security/CWE/CWE-326/InsufficientKeySize.ql
@@ -74,7 +74,7 @@ class KeyPairGeneratorInitConfiguration extends TaintTracking::Configuration {
   }
 }
 
-/** Holds if a symmetric `KeyGenerator` is initialized with an insufficient key size. */
+/** Holds if a symmetric `KeyGenerator` implementing encryption algorithm `type` and initialized by `ma` uses an insufficient key size. `msg` provides a human-readable description of the problem. */
 bindingset[type]
 predicate hasShortSymmetricKey(MethodAccess ma, string msg, string type) {
   ma.getMethod() instanceof KeyGeneratorInitMethod and
@@ -91,10 +91,10 @@ predicate hasShortSymmetricKey(MethodAccess ma, string msg, string type) {
   msg = "Key size should be at least 128 bits for " + type + " encryption."
 }
 
-/** Holds if an AES `KeyGenerator` is initialized with an insufficient key size. */
+/** Holds if an AES `KeyGenerator` initialized by `ma` uses an insufficient key size. `msg` provides a human-readable description of the problem. */
 predicate hasShortAESKey(MethodAccess ma, string msg) { hasShortSymmetricKey(ma, msg, "AES") }
 
-/** Holds if an asymmetric `KeyPairGenerator` is initialized with an insufficient key size. */
+/** Holds if an asymmetric `KeyPairGenerator` implementing encryption algorithm `type` and initialized by `ma` uses an insufficient key size. `msg` provides a human-readable description of the problem. */
 bindingset[type]
 predicate hasShortAsymmetricKeyPair(MethodAccess ma, string msg, string type) {
   ma.getMethod() instanceof KeyPairGeneratorInitMethod and
@@ -111,24 +111,24 @@ predicate hasShortAsymmetricKeyPair(MethodAccess ma, string msg, string type) {
   msg = "Key size should be at least 2048 bits for " + type + " encryption."
 }
 
-/** Holds if a DSA `KeyPairGenerator` is initialized with an insufficient key size. */
+/** Holds if a DSA `KeyPairGenerator` initialized by `ma` uses an insufficient key size. `msg` provides a human-readable description of the problem. */
 predicate hasShortDSAKeyPair(MethodAccess ma, string msg) {
   hasShortAsymmetricKeyPair(ma, msg, "DSA")
 }
 
-/** Holds if a RSA `KeyPairGenerator` is initialized with an insufficient key size. */
+/** Holds if a RSA `KeyPairGenerator` initialized by `ma` uses an insufficient key size. `msg` provides a human-readable description of the problem. */
 predicate hasShortRSAKeyPair(MethodAccess ma, string msg) {
   hasShortAsymmetricKeyPair(ma, msg, "RSA")
 }
 
-/** Holds if an EC `KeyPairGenerator` is initialized with an insufficient key size. */
+/** Holds if an EC `KeyPairGenerator` initialized by `ma` uses an insufficient key size. `msg` provides a human-readable description of the problem. */
 predicate hasShortECKeyPair(MethodAccess ma, string msg) {
   ma.getMethod() instanceof KeyPairGeneratorInitMethod and
   exists(
     JavaSecurityKeyPairGenerator jpg, KeyPairGeneratorInitConfiguration kc,
     DataFlow::PathNode source, DataFlow::PathNode dest, ClassInstanceExpr cie
   |
-    jpg.getAlgoSpec().(StringLiteral).getValue().matches("EC%") and //ECC variants such as ECDH and ECDSA
+    jpg.getAlgoSpec().(StringLiteral).getValue().matches("EC%") and // ECC variants such as ECDH and ECDSA
     source.getNode().asExpr() = jpg and
     dest.getNode().asExpr() = ma.getQualifier() and
     kc.hasFlowPath(source, dest) and

From ab7d257569907903cf6731fa10f64c348ad25b46 Mon Sep 17 00:00:00 2001
From: luchua-bc <shengxin.canada@gmail.com>
Date: Fri, 15 Jan 2021 13:11:32 +0000
Subject: [PATCH 048/429] Add more cases and change EC to 256 bits

---
 .../CWE/CWE-326/InsufficientKeySize.ql        | 11 +++--
 .../CWE-326/InsufficientKeySize.expected      | 13 +++---
 .../security/CWE-326/InsufficientKeySize.java | 42 +++++++++++++++----
 3 files changed, 50 insertions(+), 16 deletions(-)

diff --git a/java/ql/src/experimental/Security/CWE/CWE-326/InsufficientKeySize.ql b/java/ql/src/experimental/Security/CWE/CWE-326/InsufficientKeySize.ql
index c925ef0a966..41242a44805 100644
--- a/java/ql/src/experimental/Security/CWE/CWE-326/InsufficientKeySize.ql
+++ b/java/ql/src/experimental/Security/CWE/CWE-326/InsufficientKeySize.ql
@@ -40,6 +40,9 @@ int getECKeySize(string algorithm) {
   or
   algorithm.matches("X9.62%") and //specification such as "X9.62 prime192v2"
   result = algorithm.regexpCapture("X9\\.62 .*[a-zA-Z](\\d+)[a-zA-Z].*", 1).toInt()
+  or
+  (algorithm.matches("prime%") or algorithm.matches("c2tnb%")) and //specification such as "prime192v2"
+  result = algorithm.regexpCapture(".*[a-zA-Z](\\d+)[a-zA-Z].*", 1).toInt()
 }
 
 /** Taint configuration tracking flow from a key generator to a `init` method call. */
@@ -102,7 +105,7 @@ predicate hasShortAsymmetricKeyPair(MethodAccess ma, string msg, string type) {
     JavaSecurityKeyPairGenerator jpg, KeyPairGeneratorInitConfiguration kc,
     DataFlow::PathNode source, DataFlow::PathNode dest
   |
-    jpg.getAlgoSpec().(StringLiteral).getValue() = type and
+    jpg.getAlgoSpec().(StringLiteral).getValue().toUpperCase() = type and
     source.getNode().asExpr() = jpg and
     dest.getNode().asExpr() = ma.getQualifier() and
     kc.hasFlowPath(source, dest)
@@ -113,7 +116,7 @@ predicate hasShortAsymmetricKeyPair(MethodAccess ma, string msg, string type) {
 
 /** Holds if a DSA `KeyPairGenerator` initialized by `ma` uses an insufficient key size. `msg` provides a human-readable description of the problem. */
 predicate hasShortDSAKeyPair(MethodAccess ma, string msg) {
-  hasShortAsymmetricKeyPair(ma, msg, "DSA")
+  hasShortAsymmetricKeyPair(ma, msg, "DSA") or hasShortAsymmetricKeyPair(ma, msg, "DH")
 }
 
 /** Holds if a RSA `KeyPairGenerator` initialized by `ma` uses an insufficient key size. `msg` provides a human-readable description of the problem. */
@@ -134,9 +137,9 @@ predicate hasShortECKeyPair(MethodAccess ma, string msg) {
     kc.hasFlowPath(source, dest) and
     DataFlow::localExprFlow(cie, ma.getArgument(0)) and
     ma.getArgument(0).getType() instanceof ECGenParameterSpec and
-    getECKeySize(cie.getArgument(0).(StringLiteral).getRepresentedString()) < 224
+    getECKeySize(cie.getArgument(0).(StringLiteral).getRepresentedString()) < 256
   ) and
-  msg = "Key size should be at least 224 bits for EC encryption."
+  msg = "Key size should be at least 256 bits for EC encryption."
 }
 
 from Expr e, string msg
diff --git a/java/ql/test/experimental/query-tests/security/CWE-326/InsufficientKeySize.expected b/java/ql/test/experimental/query-tests/security/CWE-326/InsufficientKeySize.expected
index f350495d28f..421335b84ff 100644
--- a/java/ql/test/experimental/query-tests/security/CWE-326/InsufficientKeySize.expected
+++ b/java/ql/test/experimental/query-tests/security/CWE-326/InsufficientKeySize.expected
@@ -1,8 +1,11 @@
 | InsufficientKeySize.java:9:9:9:24 | init(...) | Key size should be at least 128 bits for AES encryption. |
 | InsufficientKeySize.java:17:9:17:36 | initialize(...) | Key size should be at least 2048 bits for RSA encryption. |
 | InsufficientKeySize.java:25:9:25:36 | initialize(...) | Key size should be at least 2048 bits for DSA encryption. |
-| InsufficientKeySize.java:34:9:34:39 | initialize(...) | Key size should be at least 224 bits for EC encryption. |
-| InsufficientKeySize.java:38:9:38:67 | initialize(...) | Key size should be at least 224 bits for EC encryption. |
-| InsufficientKeySize.java:48:9:48:39 | initialize(...) | Key size should be at least 224 bits for EC encryption. |
-| InsufficientKeySize.java:53:9:53:39 | initialize(...) | Key size should be at least 224 bits for EC encryption. |
-| InsufficientKeySize.java:58:9:58:40 | initialize(...) | Key size should be at least 224 bits for EC encryption. |
+| InsufficientKeySize.java:34:9:34:39 | initialize(...) | Key size should be at least 256 bits for EC encryption. |
+| InsufficientKeySize.java:38:9:38:67 | initialize(...) | Key size should be at least 256 bits for EC encryption. |
+| InsufficientKeySize.java:48:9:48:39 | initialize(...) | Key size should be at least 256 bits for EC encryption. |
+| InsufficientKeySize.java:53:9:53:39 | initialize(...) | Key size should be at least 256 bits for EC encryption. |
+| InsufficientKeySize.java:58:9:58:40 | initialize(...) | Key size should be at least 256 bits for EC encryption. |
+| InsufficientKeySize.java:68:9:68:40 | initialize(...) | Key size should be at least 256 bits for EC encryption. |
+| InsufficientKeySize.java:78:9:78:40 | initialize(...) | Key size should be at least 256 bits for EC encryption. |
+| InsufficientKeySize.java:87:9:87:37 | initialize(...) | Key size should be at least 2048 bits for DH encryption. |
diff --git a/java/ql/test/experimental/query-tests/security/CWE-326/InsufficientKeySize.java b/java/ql/test/experimental/query-tests/security/CWE-326/InsufficientKeySize.java
index 45b7c610df1..df46d6e69a9 100644
--- a/java/ql/test/experimental/query-tests/security/CWE-326/InsufficientKeySize.java
+++ b/java/ql/test/experimental/query-tests/security/CWE-326/InsufficientKeySize.java
@@ -29,37 +29,65 @@ public class InsufficientKeySize {
         keyPairGen4.initialize(2048);
 
         KeyPairGenerator keyPairGen5 = KeyPairGenerator.getInstance("EC");
-        // BAD: Key size is less than 224
+        // BAD: Key size is less than 256
         ECGenParameterSpec ecSpec1 = new ECGenParameterSpec("secp112r1");
         keyPairGen5.initialize(ecSpec1);
 
         KeyPairGenerator keyPairGen6 = KeyPairGenerator.getInstance("EC");
-        // BAD: Key size is less than 224
+        // BAD: Key size is less than 256
         keyPairGen6.initialize(new ECGenParameterSpec("secp112r1"));
 
         KeyPairGenerator keyPairGen7 = KeyPairGenerator.getInstance("EC");
-        // GOOD: Key size is no less than 224
+        // GOOD: Key size is no less than 256
         ECGenParameterSpec ecSpec2 = new ECGenParameterSpec("secp256r1");
         keyPairGen7.initialize(ecSpec2);
 
         KeyPairGenerator keyPairGen8 = KeyPairGenerator.getInstance("EC");
-        // BAD: Key size is less than 224
+        // BAD: Key size is less than 256
         ECGenParameterSpec ecSpec3 = new ECGenParameterSpec("X9.62 prime192v2");
         keyPairGen8.initialize(ecSpec3);
 
         KeyPairGenerator keyPairGen9 = KeyPairGenerator.getInstance("EC");
-        // BAD: Key size is less than 224
+        // BAD: Key size is less than 256
         ECGenParameterSpec ecSpec4 = new ECGenParameterSpec("X9.62 c2tnb191v3");
         keyPairGen9.initialize(ecSpec4);
 
         KeyPairGenerator keyPairGen10 = KeyPairGenerator.getInstance("EC");
-        // BAD: Key size is less than 224
+        // BAD: Key size is less than 256
         ECGenParameterSpec ecSpec5 = new ECGenParameterSpec("sect163k1");
         keyPairGen10.initialize(ecSpec5);
 
         KeyPairGenerator keyPairGen11 = KeyPairGenerator.getInstance("EC");
-        // GOOD: Key size is no less than 224
+        // GOOD: Key size is no less than 256
         ECGenParameterSpec ecSpec6 = new ECGenParameterSpec("X9.62 c2tnb359v1");
         keyPairGen11.initialize(ecSpec6);
+
+        KeyPairGenerator keyPairGen12 = KeyPairGenerator.getInstance("EC");
+        // BAD: Key size is less than 256
+        ECGenParameterSpec ecSpec7 = new ECGenParameterSpec("prime192v2");
+        keyPairGen12.initialize(ecSpec7);
+
+        KeyPairGenerator keyPairGen13 = KeyPairGenerator.getInstance("EC");
+        // BAD: Key size is no less than 256
+        ECGenParameterSpec ecSpec8 = new ECGenParameterSpec("prime256v1");
+        keyPairGen13.initialize(ecSpec8);
+
+        KeyPairGenerator keyPairGen14 = KeyPairGenerator.getInstance("EC");
+        // BAD: Key size is less than 256
+        ECGenParameterSpec ecSpec9 = new ECGenParameterSpec("c2tnb191v1");
+        keyPairGen14.initialize(ecSpec9);
+
+        KeyPairGenerator keyPairGen15 = KeyPairGenerator.getInstance("EC");
+        // BAD: Key size is no less than 256
+        ECGenParameterSpec ecSpec10 = new ECGenParameterSpec("c2tnb431r1");
+        keyPairGen15.initialize(ecSpec10);
+
+        KeyPairGenerator keyPairGen16 = KeyPairGenerator.getInstance("dh");
+        // BAD: Key size is less than 2048
+        keyPairGen16.initialize(1024);
+
+        KeyPairGenerator keyPairGen17 = KeyPairGenerator.getInstance("DH");
+        // GOOD: Key size is no less than 2048
+        keyPairGen17.initialize(2048);
     }
 }

From 8880b38b1f65f601a9aadc8002dc9731bfe97763 Mon Sep 17 00:00:00 2001
From: ihsinme <61293369+ihsinme@users.noreply.github.com>
Date: Thu, 28 Jan 2021 15:28:15 +0300
Subject: [PATCH 049/429] Rename
 cpp/ql/test/experimental/query-tests/Security/CWE/CWE-788/semmle/tests/AccessOfMemoryLocationAfterEndOfBufferUsingStrlen.qlref
 to
 cpp/ql/test/experimental/query-tests/Security/CWE/CWE-788/semmle/tests/AccessOfMemoryLocationAfterEndOfBufferUsingStrlen/AccessOfMemoryLocationAfterEndOfBufferUsingStrlen.qlref

---
 .../AccessOfMemoryLocationAfterEndOfBufferUsingStrlen.qlref       | 0
 1 file changed, 0 insertions(+), 0 deletions(-)
 rename cpp/ql/test/experimental/query-tests/Security/CWE/CWE-788/semmle/tests/{ => AccessOfMemoryLocationAfterEndOfBufferUsingStrlen}/AccessOfMemoryLocationAfterEndOfBufferUsingStrlen.qlref (100%)

diff --git a/cpp/ql/test/experimental/query-tests/Security/CWE/CWE-788/semmle/tests/AccessOfMemoryLocationAfterEndOfBufferUsingStrlen.qlref b/cpp/ql/test/experimental/query-tests/Security/CWE/CWE-788/semmle/tests/AccessOfMemoryLocationAfterEndOfBufferUsingStrlen/AccessOfMemoryLocationAfterEndOfBufferUsingStrlen.qlref
similarity index 100%
rename from cpp/ql/test/experimental/query-tests/Security/CWE/CWE-788/semmle/tests/AccessOfMemoryLocationAfterEndOfBufferUsingStrlen.qlref
rename to cpp/ql/test/experimental/query-tests/Security/CWE/CWE-788/semmle/tests/AccessOfMemoryLocationAfterEndOfBufferUsingStrlen/AccessOfMemoryLocationAfterEndOfBufferUsingStrlen.qlref

From f65ec97ac210db005941e0292adee295296da837 Mon Sep 17 00:00:00 2001
From: ihsinme <61293369+ihsinme@users.noreply.github.com>
Date: Thu, 28 Jan 2021 15:28:34 +0300
Subject: [PATCH 050/429] Rename
 cpp/ql/test/experimental/query-tests/Security/CWE/CWE-788/semmle/tests/test.c
 to
 cpp/ql/test/experimental/query-tests/Security/CWE/CWE-788/semmle/tests/AccessOfMemoryLocationAfterEndOfBufferUsingStrlen/test.c

---
 .../test.c                                                        | 0
 1 file changed, 0 insertions(+), 0 deletions(-)
 rename cpp/ql/test/experimental/query-tests/Security/CWE/CWE-788/semmle/tests/{ => AccessOfMemoryLocationAfterEndOfBufferUsingStrlen}/test.c (100%)

diff --git a/cpp/ql/test/experimental/query-tests/Security/CWE/CWE-788/semmle/tests/test.c b/cpp/ql/test/experimental/query-tests/Security/CWE/CWE-788/semmle/tests/AccessOfMemoryLocationAfterEndOfBufferUsingStrlen/test.c
similarity index 100%
rename from cpp/ql/test/experimental/query-tests/Security/CWE/CWE-788/semmle/tests/test.c
rename to cpp/ql/test/experimental/query-tests/Security/CWE/CWE-788/semmle/tests/AccessOfMemoryLocationAfterEndOfBufferUsingStrlen/test.c

From 8ed28157e118a44c29c2aade759f2a18a6e09727 Mon Sep 17 00:00:00 2001
From: ihsinme <61293369+ihsinme@users.noreply.github.com>
Date: Thu, 28 Jan 2021 15:28:52 +0300
Subject: [PATCH 051/429] Rename
 cpp/ql/test/experimental/query-tests/Security/CWE/CWE-788/semmle/tests/AccessOfMemoryLocationAfterEndOfBufferUsingStrlen.expected
 to
 cpp/ql/test/experimental/query-tests/Security/CWE/CWE-788/semmle/tests/AccessOfMemoryLocationAfterEndOfBufferUsingStrlen/AccessOfMemoryLocationAfterEndOfBufferUsingStrlen.expected

---
 .../AccessOfMemoryLocationAfterEndOfBufferUsingStrlen.expected    | 0
 1 file changed, 0 insertions(+), 0 deletions(-)
 rename cpp/ql/test/experimental/query-tests/Security/CWE/CWE-788/semmle/tests/{ => AccessOfMemoryLocationAfterEndOfBufferUsingStrlen}/AccessOfMemoryLocationAfterEndOfBufferUsingStrlen.expected (100%)

diff --git a/cpp/ql/test/experimental/query-tests/Security/CWE/CWE-788/semmle/tests/AccessOfMemoryLocationAfterEndOfBufferUsingStrlen.expected b/cpp/ql/test/experimental/query-tests/Security/CWE/CWE-788/semmle/tests/AccessOfMemoryLocationAfterEndOfBufferUsingStrlen/AccessOfMemoryLocationAfterEndOfBufferUsingStrlen.expected
similarity index 100%
rename from cpp/ql/test/experimental/query-tests/Security/CWE/CWE-788/semmle/tests/AccessOfMemoryLocationAfterEndOfBufferUsingStrlen.expected
rename to cpp/ql/test/experimental/query-tests/Security/CWE/CWE-788/semmle/tests/AccessOfMemoryLocationAfterEndOfBufferUsingStrlen/AccessOfMemoryLocationAfterEndOfBufferUsingStrlen.expected

From c8eeb5f73e70c567dc062c7a3b143faa8063ec1a Mon Sep 17 00:00:00 2001
From: ihsinme <61293369+ihsinme@users.noreply.github.com>
Date: Fri, 29 Jan 2021 11:51:15 +0300
Subject: [PATCH 052/429] Update
 WrongInDetectingAndHandlingMemoryAllocationErrors.ql

---
 .../WrongInDetectingAndHandlingMemoryAllocationErrors.ql       | 3 +++
 1 file changed, 3 insertions(+)

diff --git a/cpp/ql/src/experimental/Security/CWE/CWE-570/WrongInDetectingAndHandlingMemoryAllocationErrors.ql b/cpp/ql/src/experimental/Security/CWE/CWE-570/WrongInDetectingAndHandlingMemoryAllocationErrors.ql
index e165d61985b..04a284d7846 100644
--- a/cpp/ql/src/experimental/Security/CWE/CWE-570/WrongInDetectingAndHandlingMemoryAllocationErrors.ql
+++ b/cpp/ql/src/experimental/Security/CWE/CWE-570/WrongInDetectingAndHandlingMemoryAllocationErrors.ql
@@ -22,6 +22,9 @@ class IfCompareWithZero extends IfStmt {
     or
     this.getCondition().(NEExpr).getAChild().getValue() = "0" and
     this.hasElse()
+    or
+    this.getCondition().(NEExpr).getAChild().getValue() = "0" and
+    this.getThen().getAChild*() instanceof ReturnStmt
   }
 }
 

From bdbf5a4fae29511be7d64039847a1a70a7e61545 Mon Sep 17 00:00:00 2001
From: ihsinme <61293369+ihsinme@users.noreply.github.com>
Date: Fri, 29 Jan 2021 13:41:45 +0300
Subject: [PATCH 053/429] Apply suggestions from code review

Co-authored-by: Geoffrey White <40627776+geoffw0@users.noreply.github.com>
---
 .../WrongInDetectingAndHandlingMemoryAllocationErrors.cpp | 8 ++++++--
 1 file changed, 6 insertions(+), 2 deletions(-)

diff --git a/cpp/ql/src/experimental/Security/CWE/CWE-570/WrongInDetectingAndHandlingMemoryAllocationErrors.cpp b/cpp/ql/src/experimental/Security/CWE/CWE-570/WrongInDetectingAndHandlingMemoryAllocationErrors.cpp
index 0232fc131eb..df69886e97b 100644
--- a/cpp/ql/src/experimental/Security/CWE/CWE-570/WrongInDetectingAndHandlingMemoryAllocationErrors.cpp
+++ b/cpp/ql/src/experimental/Security/CWE/CWE-570/WrongInDetectingAndHandlingMemoryAllocationErrors.cpp
@@ -8,7 +8,9 @@ void badFunction(const int *source, std::size_t length) noexcept {
 void goodFunction(const int *source, std::size_t length) noexcept {
   try {
        int * dest = new int[length];
-  } catch(std::bad_alloc)
+  } catch(std::bad_alloc) {
+    // ...
+  }
   std::memset(dest, 0, length);
 // ..
 }
@@ -16,7 +18,9 @@ void goodFunction(const int *source, std::size_t length) noexcept {
 void badFunction(const int *source, std::size_t length) noexcept {
   try {
        int * dest = new (std::nothrow) int[length];
-  } catch(std::bad_alloc)
+  } catch(std::bad_alloc) {
+    // ...
+  }
   std::memset(dest, 0, length);
 // ..
 }

From 191962f64c6ac49134b388a755d5237cfc1f305e Mon Sep 17 00:00:00 2001
From: Tamas Vajk <tamasvajk@github.com>
Date: Fri, 29 Jan 2021 12:01:38 +0100
Subject: [PATCH 054/429] C#: Add data flow 'getARuntimeTarget' predicate to
 'FunctionPointerCall'

---
 .../internal/FunctionPointerDataFlow.qll      | 205 ++++++++++++++++++
 .../ql/src/semmle/code/csharp/exprs/Call.qll  |  17 ++
 .../functionpointers/FunctionPointerFlow.cs   |  83 +++++++
 .../FunctionPointerFlow.expected              |   9 +
 .../functionpointers/FunctionPointerFlow.ql   |   5 +
 5 files changed, 319 insertions(+)
 create mode 100755 csharp/ql/src/semmle/code/csharp/dataflow/internal/FunctionPointerDataFlow.qll
 create mode 100644 csharp/ql/test/library-tests/dataflow/functionpointers/FunctionPointerFlow.cs
 create mode 100644 csharp/ql/test/library-tests/dataflow/functionpointers/FunctionPointerFlow.expected
 create mode 100644 csharp/ql/test/library-tests/dataflow/functionpointers/FunctionPointerFlow.ql

diff --git a/csharp/ql/src/semmle/code/csharp/dataflow/internal/FunctionPointerDataFlow.qll b/csharp/ql/src/semmle/code/csharp/dataflow/internal/FunctionPointerDataFlow.qll
new file mode 100755
index 00000000000..495beb93a22
--- /dev/null
+++ b/csharp/ql/src/semmle/code/csharp/dataflow/internal/FunctionPointerDataFlow.qll
@@ -0,0 +1,205 @@
+/**
+ * INTERNAL: Do not use.
+ *
+ * Provides classes for resolving function pointer calls.
+ */
+
+import csharp
+private import dotnet
+private import semmle.code.csharp.dataflow.CallContext
+private import semmle.code.csharp.dataflow.internal.DataFlowDispatch
+private import semmle.code.csharp.dataflow.internal.DataFlowPrivate
+private import semmle.code.csharp.dataflow.internal.DataFlowPublic
+private import semmle.code.csharp.dataflow.FlowSummary
+private import semmle.code.csharp.dispatch.Dispatch
+private import semmle.code.csharp.frameworks.system.linq.Expressions
+
+/** A source of flow for a function pointer expression. */
+private class FunctionPointerFlowSource extends DataFlow::ExprNode {
+  Callable c;
+
+  FunctionPointerFlowSource() {
+    this.getExpr() =
+      any(Expr e |
+        c = e.(AddressOfExpr).getOperand().(CallableAccess).getTarget().getUnboundDeclaration()
+      )
+  }
+
+  /** Gets the callable that is referenced in this function pointer flow source. */
+  Callable getCallable() { result = c }
+}
+
+/** A sink of flow for a function pointer expression. */
+abstract private class FunctionPointerFlowSink extends DataFlow::Node {
+  /**
+   * Gets an actual run-time target of this function pointer call in the given call
+   * context, if any. The call context records the *last* call required to
+   * resolve the target, if any.
+   *
+   * See examples in `DelegateFlowSink`.
+   */
+  cached
+  Callable getARuntimeTarget(CallContext context) {
+    exists(FunctionPointerFlowSource fptrfs |
+      flowsFrom(this, fptrfs, _, context) and
+      result = fptrfs.getCallable()
+    )
+  }
+}
+
+/** A function pointer call expression. */
+class FunctionPointerCallExpr extends FunctionPointerFlowSink, DataFlow::ExprNode {
+  FunctionPointerCall fptrc;
+
+  FunctionPointerCallExpr() { this.getExpr() = fptrc.getFunctionPointerExpr() }
+
+  /** Gets the function pointer call that this expression belongs to. */
+  FunctionPointerCall getFunctionPointerCall() { result = fptrc }
+}
+
+/** A non-function pointer call. */
+private class NonFunctionPointerCall extends Expr {
+  private DispatchCall dc;
+
+  NonFunctionPointerCall() { this = dc.getCall() }
+
+  /**
+   * Gets a run-time target of this call. A target is always a source
+   * declaration, and if the callable has both CIL and source code, only
+   * the source code version is returned.
+   */
+  Callable getARuntimeTarget() { result = getCallableForDataFlow(dc.getADynamicTarget()) }
+
+  /** Gets the `i`th argument of this call. */
+  Expr getArgument(int i) { result = dc.getArgument(i) }
+}
+
+private class NormalReturnNode extends Node {
+  NormalReturnNode() { this.(ReturnNode).getKind() instanceof NormalReturnKind }
+}
+
+/**
+ * Holds if data can flow (inter-procedurally) to function pointer `sink` from
+ * `node`. This predicate searches backwards from `sink` to `node`.
+ *
+ * The parameter `isReturned` indicates whether the path from `sink` to
+ * `node` goes through a returned expression. The call context `lastCall`
+ * records the last call on the path from `node` to `sink`, if any.
+ */
+private predicate flowsFrom(
+  FunctionPointerFlowSink sink, DataFlow::Node node, boolean isReturned, CallContext lastCall
+) {
+  // Base case
+  sink = node and
+  isReturned = false and
+  lastCall instanceof EmptyCallContext
+  or
+  // Local flow
+  exists(DataFlow::Node mid | flowsFrom(sink, mid, isReturned, lastCall) |
+    LocalFlow::localFlowStepCommon(node, mid)
+    or
+    exists(Ssa::Definition def |
+      LocalFlow::localSsaFlowStep(def, node, mid) and
+      LocalFlow::usesInstanceField(def)
+    )
+  )
+  or
+  // Flow through static field or property
+  exists(DataFlow::Node mid |
+    flowsFrom(sink, mid, _, _) and
+    jumpStep(node, mid) and
+    isReturned = false and
+    lastCall instanceof EmptyCallContext
+  )
+  or
+  // Flow into a callable (non-function pointer call)
+  exists(ParameterNode mid, CallContext prevLastCall, NonFunctionPointerCall call, Parameter p |
+    flowsFrom(sink, mid, isReturned, prevLastCall) and
+    isReturned = false and
+    p = mid.getParameter() and
+    flowIntoNonFunctionPointerCall(call, node.asExpr(), p) and
+    lastCall = getLastCall(prevLastCall, call, p.getPosition())
+  )
+  or
+  // Flow into a callable (function pointer call)
+  exists(
+    ParameterNode mid, CallContext prevLastCall, FunctionPointerCall call, Callable c, Parameter p,
+    int i
+  |
+    flowsFrom(sink, mid, isReturned, prevLastCall) and
+    isReturned = false and
+    flowIntoFunctionPointerCall(call, c, node.asExpr(), i) and
+    c.getParameter(i) = p and
+    p = mid.getParameter() and
+    lastCall = getLastCall(prevLastCall, call, i)
+  )
+  or
+  // Flow out of a callable (non-function pointer call).
+  exists(DataFlow::ExprNode mid |
+    flowsFrom(sink, mid, _, lastCall) and
+    isReturned = true and
+    flowOutOfNonFunctionPointerCall(mid.getExpr(), node)
+  )
+  or
+  // Flow out of a callable (function pointer call).
+  exists(DataFlow::ExprNode mid |
+    flowsFrom(sink, mid, _, _) and
+    isReturned = true and
+    flowOutOfFunctionPointerCall(mid.getExpr(), node, lastCall)
+  )
+}
+
+/**
+ * Gets the last call when tracking flow into `call`. The context
+ * `prevLastCall` is the previous last call, so the result is the
+ * previous call if it exists, otherwise `call` is the last call.
+ */
+bindingset[call, i]
+private CallContext getLastCall(CallContext prevLastCall, Expr call, int i) {
+  prevLastCall instanceof EmptyCallContext and
+  result.(ArgumentCallContext).isArgument(call, i)
+  or
+  prevLastCall instanceof ArgumentCallContext and
+  result = prevLastCall
+}
+
+pragma[noinline]
+private predicate flowIntoNonFunctionPointerCall(
+  NonFunctionPointerCall call, Expr arg, DotNet::Parameter p
+) {
+  exists(DotNet::Callable callable, int i |
+    callable = call.getARuntimeTarget() and
+    p = callable.getAParameter() and
+    arg = call.getArgument(i) and
+    i = p.getPosition()
+  )
+}
+
+pragma[noinline]
+private predicate flowIntoFunctionPointerCall(FunctionPointerCall call, Callable c, Expr arg, int i) {
+  exists(FunctionPointerFlowSource fptrfs, FunctionPointerCallExpr fptrce |
+    // the call context is irrelevant because the function pointer call
+    // itself will be the context
+    flowsFrom(fptrce, fptrfs, _, _) and
+    arg = call.getArgument(i) and
+    c = fptrfs.getCallable() and
+    call = fptrce.getFunctionPointerCall()
+  )
+}
+
+pragma[noinline]
+private predicate flowOutOfNonFunctionPointerCall(NonFunctionPointerCall call, NormalReturnNode ret) {
+  call.getARuntimeTarget() = ret.getEnclosingCallable()
+}
+
+pragma[noinline]
+private predicate flowOutOfFunctionPointerCall(
+  FunctionPointerCall call, NormalReturnNode ret, CallContext lastCall
+) {
+  exists(FunctionPointerFlowSource fptrfs, FunctionPointerCallExpr fptrce, Callable c |
+    flowsFrom(fptrce, fptrfs, _, lastCall) and
+    ret.getEnclosingCallable() = c and
+    c = fptrfs.getCallable() and
+    call = fptrce.getFunctionPointerCall()
+  )
+}
diff --git a/csharp/ql/src/semmle/code/csharp/exprs/Call.qll b/csharp/ql/src/semmle/code/csharp/exprs/Call.qll
index a5348040d54..eb04d14d015 100644
--- a/csharp/ql/src/semmle/code/csharp/exprs/Call.qll
+++ b/csharp/ql/src/semmle/code/csharp/exprs/Call.qll
@@ -8,6 +8,7 @@ import Expr
 import semmle.code.csharp.Callable
 import semmle.code.csharp.dataflow.CallContext as CallContext
 private import semmle.code.csharp.dataflow.internal.DelegateDataFlow
+private import semmle.code.csharp.dataflow.internal.FunctionPointerDataFlow
 private import semmle.code.csharp.dispatch.Dispatch
 private import dotnet
 
@@ -618,8 +619,24 @@ class DelegateCall extends Call, @delegate_invocation_expr {
 class FunctionPointerCall extends Call, @function_pointer_invocation_expr {
   override Callable getTarget() { none() }
 
+  /**
+   * Gets a potential run-time target of this function pointer call in the given
+   * call context `cc`.
+   */
+  Callable getARuntimeTarget(CallContext::CallContext cc) {
+    exists(FunctionPointerCallExpr call |
+      this = call.getFunctionPointerCall() and
+      result = call.getARuntimeTarget(cc)
+    )
+  }
+
+  override Callable getARuntimeTarget() { result = getARuntimeTarget(_) }
+
   override Expr getRuntimeArgument(int i) { result = getArgument(i) }
 
+  /** Gets the function pointer expression of this call. */
+  Expr getFunctionPointerExpr() { result = this.getChild(-1) }
+
   override string toString() { result = "function pointer call" }
 
   override string getAPrimaryQlClass() { result = "FunctionPointerCall" }
diff --git a/csharp/ql/test/library-tests/dataflow/functionpointers/FunctionPointerFlow.cs b/csharp/ql/test/library-tests/dataflow/functionpointers/FunctionPointerFlow.cs
new file mode 100644
index 00000000000..0ebbef4942d
--- /dev/null
+++ b/csharp/ql/test/library-tests/dataflow/functionpointers/FunctionPointerFlow.cs
@@ -0,0 +1,83 @@
+using System;
+
+unsafe class FunctionPointerFlow
+{
+    public static void Log1(int i) { }
+    public static void Log2(int i) { }
+    public static void Log3(int i) { }
+    public static void Log4(int i) { }
+    public static void Log5(int i) { }
+    public static void Log6(int i) { }
+
+    public static void M2(delegate*<int, void> a)
+    {
+        a(1);
+        a = &Log3;
+        a(2);
+    }
+
+    public void M3()
+    {
+        M2(&Log1);
+    }
+
+    public static void M4(delegate*<int, void> a)
+    {
+        M2(a);
+    }
+
+    public void M5()
+    {
+        M4(&Log2);
+    }
+
+    public delegate*<int, void> M6()
+    {
+        return &Log4;
+    }
+
+    public void M7()
+    {
+        M6()(0);
+    }
+
+    public void M8()
+    {
+        static void LocalFunction(int i) { };
+        M2(&LocalFunction);
+    }
+
+    private static delegate*<int, void> field = &Log5;
+
+    public void M9()
+    {
+        field(1);
+    }
+
+    public void M10(delegate*<delegate*<int, void>, void> aa, delegate*<int, void> a)
+    {
+        aa(a);
+    }
+
+    public void M11()
+    {
+        M10(&M4, &Log6);
+    }
+
+    public void M16(delegate*<Action<int>, void> aa, Action<int> a)
+    {
+        aa(a);
+    }
+
+    public static void M17(Action<int> a)
+    {
+        a(0);
+        a = _ => { };
+        a(0);
+    }
+
+    public void M18()
+    {
+        M16(&M17, (i) => { });
+    }
+}
diff --git a/csharp/ql/test/library-tests/dataflow/functionpointers/FunctionPointerFlow.expected b/csharp/ql/test/library-tests/dataflow/functionpointers/FunctionPointerFlow.expected
new file mode 100644
index 00000000000..ad2bfb887c0
--- /dev/null
+++ b/csharp/ql/test/library-tests/dataflow/functionpointers/FunctionPointerFlow.expected
@@ -0,0 +1,9 @@
+| FunctionPointerFlow.cs:14:9:14:12 | function pointer call | FunctionPointerFlow.cs:5:24:5:27 | Log1 | FunctionPointerFlow.cs:21:12:21:16 | &... |
+| FunctionPointerFlow.cs:14:9:14:12 | function pointer call | FunctionPointerFlow.cs:6:24:6:27 | Log2 | FunctionPointerFlow.cs:26:12:26:12 | access to parameter a |
+| FunctionPointerFlow.cs:14:9:14:12 | function pointer call | FunctionPointerFlow.cs:10:24:10:27 | Log6 | FunctionPointerFlow.cs:26:12:26:12 | access to parameter a |
+| FunctionPointerFlow.cs:14:9:14:12 | function pointer call | FunctionPointerFlow.cs:46:9:46:44 | LocalFunction | FunctionPointerFlow.cs:47:12:47:25 | &... |
+| FunctionPointerFlow.cs:16:9:16:12 | function pointer call | FunctionPointerFlow.cs:7:24:7:27 | Log3 | file://:0:0:0:0 | <empty> |
+| FunctionPointerFlow.cs:41:9:41:15 | function pointer call | FunctionPointerFlow.cs:8:24:8:27 | Log4 | file://:0:0:0:0 | <empty> |
+| FunctionPointerFlow.cs:54:9:54:16 | function pointer call | FunctionPointerFlow.cs:9:24:9:27 | Log5 | file://:0:0:0:0 | <empty> |
+| FunctionPointerFlow.cs:59:9:59:13 | function pointer call | FunctionPointerFlow.cs:24:24:24:25 | M4 | FunctionPointerFlow.cs:64:13:64:15 | &... |
+| FunctionPointerFlow.cs:69:9:69:13 | function pointer call | FunctionPointerFlow.cs:72:24:72:26 | M17 | FunctionPointerFlow.cs:81:13:81:16 | &... |
diff --git a/csharp/ql/test/library-tests/dataflow/functionpointers/FunctionPointerFlow.ql b/csharp/ql/test/library-tests/dataflow/functionpointers/FunctionPointerFlow.ql
new file mode 100644
index 00000000000..3434d068329
--- /dev/null
+++ b/csharp/ql/test/library-tests/dataflow/functionpointers/FunctionPointerFlow.ql
@@ -0,0 +1,5 @@
+import csharp
+
+query predicate fptrCall(FunctionPointerCall fptrc, Callable c, CallContext::CallContext cc) {
+  c = fptrc.getARuntimeTarget(cc)
+}

From 91152d3a65dcdbc989602c57379bbb5462a95303 Mon Sep 17 00:00:00 2001
From: Tamas Vajk <tamasvajk@github.com>
Date: Fri, 29 Jan 2021 12:02:11 +0100
Subject: [PATCH 055/429] Add additional tests to delegate call data flow

---
 .../dataflow/delegates/DelegateFlow.cs        | 20 +++++++++++++++++--
 1 file changed, 18 insertions(+), 2 deletions(-)

diff --git a/csharp/ql/test/library-tests/dataflow/delegates/DelegateFlow.cs b/csharp/ql/test/library-tests/dataflow/delegates/DelegateFlow.cs
index 9479cca940d..68a91d02698 100644
--- a/csharp/ql/test/library-tests/dataflow/delegates/DelegateFlow.cs
+++ b/csharp/ql/test/library-tests/dataflow/delegates/DelegateFlow.cs
@@ -4,11 +4,11 @@ class DelegateFlow
 {
     void M1(int i) { }
 
-    void M2(Action<int> a)
+    static void M2(Action<int> a)
     {
         a(0);
         a = _ => { };
-        a(0);
+        a(1);
     }
 
     void M3()
@@ -108,4 +108,20 @@ class DelegateFlow
     }
 
     public delegate void MyDelegate();
+
+    public unsafe void M16(delegate*<Action<int>, void> fnptr, Action<int> a)
+    {
+        fnptr(a);
+    }
+
+    public unsafe void M17()
+    {
+        M16(&M2, (i) => {});    // MISSING: a(0) in M2 is calling this lambda
+    }
+
+    public unsafe void M18()
+    {
+        delegate*<Action<int>, void> fnptr = &M2;
+        fnptr((i) => {});       // MISSING: a(0) in M2 is calling this lambda
+    }
 }

From 76c9b6466e78481c7e6f0cc75ef1224b9a407c06 Mon Sep 17 00:00:00 2001
From: Luke Cartey <5377966+lcartey@users.noreply.github.com>
Date: Fri, 29 Jan 2021 11:27:30 +0000
Subject: [PATCH 056/429] Reformat TaintTrackingUtil.qll with more recent
 CodeQL CLI

---
 .../semmle/code/java/dataflow/internal/TaintTrackingUtil.qll   | 3 +--
 1 file changed, 1 insertion(+), 2 deletions(-)

diff --git a/java/ql/src/semmle/code/java/dataflow/internal/TaintTrackingUtil.qll b/java/ql/src/semmle/code/java/dataflow/internal/TaintTrackingUtil.qll
index 35f820f9521..69189d949f1 100644
--- a/java/ql/src/semmle/code/java/dataflow/internal/TaintTrackingUtil.qll
+++ b/java/ql/src/semmle/code/java/dataflow/internal/TaintTrackingUtil.qll
@@ -686,8 +686,7 @@ private class FormatterCallable extends TaintPreservingCallable {
     (
       this.hasName(["format", "out", "toString"])
       or
-      this
-          .(Constructor)
+      this.(Constructor)
           .getParameterType(0)
           .(RefType)
           .getASourceSupertype*()

From 92a5a2a06a7d3e7df4662182d5f23277830476a4 Mon Sep 17 00:00:00 2001
From: Mathias Vorreiter Pedersen <mathiasvp@github.com>
Date: Fri, 29 Jan 2021 13:34:19 +0100
Subject: [PATCH 057/429] C++: Solve merge conflicts by merging the two test.c
 test files.

---
 ...cationAfterEndOfBufferUsingStrlen.expected |  9 ++++
 ...yLocationAfterEndOfBufferUsingStrlen.qlref |  0
 ...cationAfterEndOfBufferUsingStrlen.expected |  9 ----
 .../test.c                                    | 44 ------------------
 .../Security/CWE/CWE-788/semmle/tests/test.c  | 45 +++++++++++++++++++
 5 files changed, 54 insertions(+), 53 deletions(-)
 create mode 100644 cpp/ql/test/experimental/query-tests/Security/CWE/CWE-788/semmle/tests/AccessOfMemoryLocationAfterEndOfBufferUsingStrlen.expected
 rename cpp/ql/test/experimental/query-tests/Security/CWE/CWE-788/semmle/tests/{AccessOfMemoryLocationAfterEndOfBufferUsingStrlen => }/AccessOfMemoryLocationAfterEndOfBufferUsingStrlen.qlref (100%)
 delete mode 100644 cpp/ql/test/experimental/query-tests/Security/CWE/CWE-788/semmle/tests/AccessOfMemoryLocationAfterEndOfBufferUsingStrlen/AccessOfMemoryLocationAfterEndOfBufferUsingStrlen.expected
 delete mode 100644 cpp/ql/test/experimental/query-tests/Security/CWE/CWE-788/semmle/tests/AccessOfMemoryLocationAfterEndOfBufferUsingStrlen/test.c

diff --git a/cpp/ql/test/experimental/query-tests/Security/CWE/CWE-788/semmle/tests/AccessOfMemoryLocationAfterEndOfBufferUsingStrlen.expected b/cpp/ql/test/experimental/query-tests/Security/CWE/CWE-788/semmle/tests/AccessOfMemoryLocationAfterEndOfBufferUsingStrlen.expected
new file mode 100644
index 00000000000..103afd8ffd9
--- /dev/null
+++ b/cpp/ql/test/experimental/query-tests/Security/CWE/CWE-788/semmle/tests/AccessOfMemoryLocationAfterEndOfBufferUsingStrlen.expected
@@ -0,0 +1,9 @@
+| test.c:42:3:42:24 | ... = ... | potential unsafe or redundant assignment. |
+| test.c:43:3:43:40 | ... = ... | potential unsafe or redundant assignment. |
+| test.c:44:3:44:40 | ... = ... | potential unsafe or redundant assignment. |
+| test.c:45:3:45:44 | ... = ... | potential unsafe or redundant assignment. |
+| test.c:46:3:46:44 | ... = ... | potential unsafe or redundant assignment. |
+| test.c:47:3:47:48 | ... = ... | potential unsafe or redundant assignment. |
+| test.c:48:3:48:48 | ... = ... | potential unsafe or redundant assignment. |
+| test.c:49:3:49:50 | ... = ... | potential unsafe or redundant assignment. |
+| test.c:50:3:50:50 | ... = ... | potential unsafe or redundant assignment. |
diff --git a/cpp/ql/test/experimental/query-tests/Security/CWE/CWE-788/semmle/tests/AccessOfMemoryLocationAfterEndOfBufferUsingStrlen/AccessOfMemoryLocationAfterEndOfBufferUsingStrlen.qlref b/cpp/ql/test/experimental/query-tests/Security/CWE/CWE-788/semmle/tests/AccessOfMemoryLocationAfterEndOfBufferUsingStrlen.qlref
similarity index 100%
rename from cpp/ql/test/experimental/query-tests/Security/CWE/CWE-788/semmle/tests/AccessOfMemoryLocationAfterEndOfBufferUsingStrlen/AccessOfMemoryLocationAfterEndOfBufferUsingStrlen.qlref
rename to cpp/ql/test/experimental/query-tests/Security/CWE/CWE-788/semmle/tests/AccessOfMemoryLocationAfterEndOfBufferUsingStrlen.qlref
diff --git a/cpp/ql/test/experimental/query-tests/Security/CWE/CWE-788/semmle/tests/AccessOfMemoryLocationAfterEndOfBufferUsingStrlen/AccessOfMemoryLocationAfterEndOfBufferUsingStrlen.expected b/cpp/ql/test/experimental/query-tests/Security/CWE/CWE-788/semmle/tests/AccessOfMemoryLocationAfterEndOfBufferUsingStrlen/AccessOfMemoryLocationAfterEndOfBufferUsingStrlen.expected
deleted file mode 100644
index c2f02dd203e..00000000000
--- a/cpp/ql/test/experimental/query-tests/Security/CWE/CWE-788/semmle/tests/AccessOfMemoryLocationAfterEndOfBufferUsingStrlen/AccessOfMemoryLocationAfterEndOfBufferUsingStrlen.expected
+++ /dev/null
@@ -1,9 +0,0 @@
-| test.c:13:3:13:24 | ... = ... | potential unsafe or redundant assignment. |
-| test.c:14:3:14:40 | ... = ... | potential unsafe or redundant assignment. |
-| test.c:15:3:15:40 | ... = ... | potential unsafe or redundant assignment. |
-| test.c:16:3:16:44 | ... = ... | potential unsafe or redundant assignment. |
-| test.c:17:3:17:44 | ... = ... | potential unsafe or redundant assignment. |
-| test.c:18:3:18:48 | ... = ... | potential unsafe or redundant assignment. |
-| test.c:19:3:19:48 | ... = ... | potential unsafe or redundant assignment. |
-| test.c:20:3:20:50 | ... = ... | potential unsafe or redundant assignment. |
-| test.c:21:3:21:50 | ... = ... | potential unsafe or redundant assignment. |
diff --git a/cpp/ql/test/experimental/query-tests/Security/CWE/CWE-788/semmle/tests/AccessOfMemoryLocationAfterEndOfBufferUsingStrlen/test.c b/cpp/ql/test/experimental/query-tests/Security/CWE/CWE-788/semmle/tests/AccessOfMemoryLocationAfterEndOfBufferUsingStrlen/test.c
deleted file mode 100644
index ce07a2ddba2..00000000000
--- a/cpp/ql/test/experimental/query-tests/Security/CWE/CWE-788/semmle/tests/AccessOfMemoryLocationAfterEndOfBufferUsingStrlen/test.c
+++ /dev/null
@@ -1,44 +0,0 @@
-struct buffers
-{
-    unsigned char buff1[50];
-    unsigned char *buff2;
-} globalBuff1,*globalBuff2,globalBuff1_c,*globalBuff2_c;
-
-
-void badFunc0(){
-  unsigned char buff1[12];
-  struct buffers buffAll;
-  struct buffers * buffAll1;
-  
-  buff1[strlen(buff1)]=0; // BAD
-  buffAll.buff1[strlen(buffAll.buff1)]=0; // BAD
-  buffAll.buff2[strlen(buffAll.buff2)]=0; // BAD
-  buffAll1->buff1[strlen(buffAll1->buff1)]=0; // BAD
-  buffAll1->buff2[strlen(buffAll1->buff2)]=0; // BAD
-  globalBuff1.buff1[strlen(globalBuff1.buff1)]=0; // BAD
-  globalBuff1.buff2[strlen(globalBuff1.buff2)]=0; // BAD
-  globalBuff2->buff1[strlen(globalBuff2->buff1)]=0; // BAD
-  globalBuff2->buff2[strlen(globalBuff2->buff2)]=0; // BAD
-}
-void noBadFunc0(){
-  unsigned char buff1[12],buff1_c[12];
-  struct buffers buffAll,buffAll_c;
-  struct buffers * buffAll1,*buffAll1_c;
-  
-  buff1[strlen(buff1_c)]=0; // GOOD
-  buffAll.buff1[strlen(buffAll_c.buff1)]=0; // GOOD
-  buffAll.buff2[strlen(buffAll.buff1)]=0; // GOOD
-  buffAll1->buff1[strlen(buffAll1_c->buff1)]=0; // GOOD
-  buffAll1->buff2[strlen(buffAll1->buff1)]=0; // GOOD
-  globalBuff1.buff1[strlen(globalBuff1_c.buff1)]=0; // GOOD
-  globalBuff1.buff2[strlen(globalBuff1.buff1)]=0; // GOOD
-  globalBuff2->buff1[strlen(globalBuff2_c->buff1)]=0; // GOOD
-  globalBuff2->buff2[strlen(globalBuff2->buff1)]=0; // GOOD
-}
-void goodFunc0(){
-  unsigned char buffer[12];
-  int i;
-  for(i = 0; i < 6; i++)
-    buffer[i] = 'A';
-  buffer[i]=0;
-}
diff --git a/cpp/ql/test/experimental/query-tests/Security/CWE/CWE-788/semmle/tests/test.c b/cpp/ql/test/experimental/query-tests/Security/CWE/CWE-788/semmle/tests/test.c
index c3347e1fd65..d986bb3b13c 100644
--- a/cpp/ql/test/experimental/query-tests/Security/CWE/CWE-788/semmle/tests/test.c
+++ b/cpp/ql/test/experimental/query-tests/Security/CWE/CWE-788/semmle/tests/test.c
@@ -26,3 +26,48 @@ void workFunction_2_1(char *s) {
   strncat(buf, s, len-strlen(buf)-1); // GOOD
   strncat(buf, s, len-strlen(buf));  // GOOD
 }
+
+struct buffers
+{
+    unsigned char buff1[50];
+    unsigned char *buff2;
+} globalBuff1,*globalBuff2,globalBuff1_c,*globalBuff2_c;
+
+
+void badFunc0(){
+  unsigned char buff1[12];
+  struct buffers buffAll;
+  struct buffers * buffAll1;
+  
+  buff1[strlen(buff1)]=0; // BAD
+  buffAll.buff1[strlen(buffAll.buff1)]=0; // BAD
+  buffAll.buff2[strlen(buffAll.buff2)]=0; // BAD
+  buffAll1->buff1[strlen(buffAll1->buff1)]=0; // BAD
+  buffAll1->buff2[strlen(buffAll1->buff2)]=0; // BAD
+  globalBuff1.buff1[strlen(globalBuff1.buff1)]=0; // BAD
+  globalBuff1.buff2[strlen(globalBuff1.buff2)]=0; // BAD
+  globalBuff2->buff1[strlen(globalBuff2->buff1)]=0; // BAD
+  globalBuff2->buff2[strlen(globalBuff2->buff2)]=0; // BAD
+}
+void noBadFunc0(){
+  unsigned char buff1[12],buff1_c[12];
+  struct buffers buffAll,buffAll_c;
+  struct buffers * buffAll1,*buffAll1_c;
+  
+  buff1[strlen(buff1_c)]=0; // GOOD
+  buffAll.buff1[strlen(buffAll_c.buff1)]=0; // GOOD
+  buffAll.buff2[strlen(buffAll.buff1)]=0; // GOOD
+  buffAll1->buff1[strlen(buffAll1_c->buff1)]=0; // GOOD
+  buffAll1->buff2[strlen(buffAll1->buff1)]=0; // GOOD
+  globalBuff1.buff1[strlen(globalBuff1_c.buff1)]=0; // GOOD
+  globalBuff1.buff2[strlen(globalBuff1.buff1)]=0; // GOOD
+  globalBuff2->buff1[strlen(globalBuff2_c->buff1)]=0; // GOOD
+  globalBuff2->buff2[strlen(globalBuff2->buff1)]=0; // GOOD
+}
+void goodFunc0(){
+  unsigned char buffer[12];
+  int i;
+  for(i = 0; i < 6; i++)
+    buffer[i] = 'A';
+  buffer[i]=0;
+}

From ff2f2b57925b0ce89efecfac6747cfee09898a1a Mon Sep 17 00:00:00 2001
From: Rasmus Wriedt Larsen <rasmuswl@github.com>
Date: Fri, 29 Jan 2021 15:36:11 +0100
Subject: [PATCH 058/429] Python: Add django.shortcuts.redirect test

---
 .../library-tests/frameworks/django-v1/response_test.py     | 6 ++++++
 1 file changed, 6 insertions(+)

diff --git a/python/ql/test/experimental/library-tests/frameworks/django-v1/response_test.py b/python/ql/test/experimental/library-tests/frameworks/django-v1/response_test.py
index f214cfb63d3..4ce50f98f81 100644
--- a/python/ql/test/experimental/library-tests/frameworks/django-v1/response_test.py
+++ b/python/ql/test/experimental/library-tests/frameworks/django-v1/response_test.py
@@ -1,4 +1,5 @@
 from django.http.response import HttpResponse, HttpResponseRedirect, HttpResponsePermanentRedirect, JsonResponse, HttpResponseNotFound
+import django.shortcuts
 
 # Not an XSS sink, since the Content-Type is not "text/html"
 # FP reported in https://github.com/github/codeql-python-team/issues/38
@@ -48,6 +49,11 @@ def redirect_through_normal_response(request):
     return resp
 
 
+def redirect_shortcut(request):
+    next = request.GET.get("next")
+    return django.shortcuts.redirect(next) # $ MISSING: HttpResponse HttpRedirectResponse redirectLocation=next
+
+
 # Ensure that simple subclasses are still vuln to XSS
 def xss__not_found(request):
     return HttpResponseNotFound(request.GET.get("name"))  # $HttpResponse mimetype=text/html responseBody=Attribute()

From 9c01aa23045f869da6a1cf049e8fa1768a961fba Mon Sep 17 00:00:00 2001
From: Rasmus Wriedt Larsen <rasmuswl@github.com>
Date: Fri, 29 Jan 2021 15:41:00 +0100
Subject: [PATCH 059/429] Python: Add modeling for django.shortcuts.redirect

---
 .../src/semmle/python/frameworks/Django.qll   | 86 ++++++++++++++++++-
 .../frameworks/django-v1/response_test.py     |  2 +-
 2 files changed, 86 insertions(+), 2 deletions(-)

diff --git a/python/ql/src/semmle/python/frameworks/Django.qll b/python/ql/src/semmle/python/frameworks/Django.qll
index 4251b515322..375debe0a17 100644
--- a/python/ql/src/semmle/python/frameworks/Django.qll
+++ b/python/ql/src/semmle/python/frameworks/Django.qll
@@ -35,7 +35,7 @@ private module Django {
    * WARNING: Only holds for a few predefined attributes.
    */
   private DataFlow::Node django_attr(DataFlow::TypeTracker t, string attr_name) {
-    attr_name in ["db", "urls", "http", "conf"] and
+    attr_name in ["db", "urls", "http", "conf", "shortcuts"] and
     (
       t.start() and
       result = DataFlow::importNode("django" + "." + attr_name)
@@ -1649,6 +1649,62 @@ private module Django {
         }
       }
     }
+
+    // -------------------------------------------------------------------------
+    // django.shortcuts
+    // -------------------------------------------------------------------------
+    /** Gets a reference to the `django.shortcuts` module. */
+    DataFlow::Node shortcuts() { result = django_attr("shortcuts") }
+
+    /** Provides models for the `django.shortcuts` module */
+    module shortcuts {
+      /**
+       * Gets a reference to the attribute `attr_name` of the `django.shortcuts` module.
+       * WARNING: Only holds for a few predefined attributes.
+       */
+      private DataFlow::Node shortcuts_attr(DataFlow::TypeTracker t, string attr_name) {
+        attr_name in ["redirect"] and
+        (
+          t.start() and
+          result = DataFlow::importNode("django.shortcuts" + "." + attr_name)
+          or
+          t.startInAttr(attr_name) and
+          result = shortcuts()
+        )
+        or
+        // Due to bad performance when using normal setup with `shortcuts_attr(t2, attr_name).track(t2, t)`
+        // we have inlined that code and forced a join
+        exists(DataFlow::TypeTracker t2 |
+          exists(DataFlow::StepSummary summary |
+            shortcuts_attr_first_join(t2, attr_name, result, summary) and
+            t = t2.append(summary)
+          )
+        )
+      }
+
+      pragma[nomagic]
+      private predicate shortcuts_attr_first_join(
+        DataFlow::TypeTracker t2, string attr_name, DataFlow::Node res,
+        DataFlow::StepSummary summary
+      ) {
+        DataFlow::StepSummary::step(shortcuts_attr(t2, attr_name), res, summary)
+      }
+
+      /**
+       * Gets a reference to the attribute `attr_name` of the `django.shortcuts` module.
+       * WARNING: Only holds for a few predefined attributes.
+       */
+      private DataFlow::Node shortcuts_attr(string attr_name) {
+        result = shortcuts_attr(DataFlow::TypeTracker::end(), attr_name)
+      }
+
+      /**
+       * Gets a reference to the `django.shortcuts.redirect` function
+       *
+       * See https://docs.djangoproject.com/en/3.1/topics/http/shortcuts/#redirect
+       */
+      DataFlow::Node redirect() { result = shortcuts_attr("redirect") }
+    }
   }
 
   // ---------------------------------------------------------------------------
@@ -1956,4 +2012,32 @@ private module Django {
       )
     }
   }
+
+  // ---------------------------------------------------------------------------
+  // django.shortcuts.redirect
+  // ---------------------------------------------------------------------------
+  /**
+   * A call to `django.shortcuts.redirect`.
+   *
+   * Note: This works differently depending on what argument is used.
+   * _One_ option is to redirect to a full URL.
+   *
+   * See https://docs.djangoproject.com/en/3.1/topics/http/shortcuts/#redirect
+   */
+  private class DjangoShortcutsRedirectCall extends HTTP::Server::HttpRedirectResponse::Range,
+    DataFlow::CfgNode {
+    override CallNode node;
+
+    DjangoShortcutsRedirectCall() { node.getFunction() = django::shortcuts::redirect().asCfgNode() }
+
+    override DataFlow::Node getRedirectLocation() {
+      result.asCfgNode() in [node.getArg(0), node.getArgByName("to")]
+    }
+
+    override DataFlow::Node getBody() { none() }
+
+    override DataFlow::Node getMimetypeOrContentTypeArg() { none() }
+
+    override string getMimetypeDefault() { none() }
+  }
 }
diff --git a/python/ql/test/experimental/library-tests/frameworks/django-v1/response_test.py b/python/ql/test/experimental/library-tests/frameworks/django-v1/response_test.py
index 4ce50f98f81..99dc97624aa 100644
--- a/python/ql/test/experimental/library-tests/frameworks/django-v1/response_test.py
+++ b/python/ql/test/experimental/library-tests/frameworks/django-v1/response_test.py
@@ -51,7 +51,7 @@ def redirect_through_normal_response(request):
 
 def redirect_shortcut(request):
     next = request.GET.get("next")
-    return django.shortcuts.redirect(next) # $ MISSING: HttpResponse HttpRedirectResponse redirectLocation=next
+    return django.shortcuts.redirect(next) # $ HttpResponse HttpRedirectResponse redirectLocation=next
 
 
 # Ensure that simple subclasses are still vuln to XSS

From ef831bb16ff77e3a8a1b40f3792135f08f973d05 Mon Sep 17 00:00:00 2001
From: Rasmus Wriedt Larsen <rasmuswl@github.com>
Date: Fri, 29 Jan 2021 16:21:39 +0100
Subject: [PATCH 060/429] Python: Fix tornado redirect QLdoc

---
 python/ql/src/semmle/python/frameworks/Tornado.qll | 4 ++--
 1 file changed, 2 insertions(+), 2 deletions(-)

diff --git a/python/ql/src/semmle/python/frameworks/Tornado.qll b/python/ql/src/semmle/python/frameworks/Tornado.qll
index 29c91654b4a..f9a537861a0 100644
--- a/python/ql/src/semmle/python/frameworks/Tornado.qll
+++ b/python/ql/src/semmle/python/frameworks/Tornado.qll
@@ -556,9 +556,9 @@ private module Tornado {
   // Response modeling
   // ---------------------------------------------------------------------------
   /**
-   * A call to `tornado.web.RequestHandler.write` method.
+   * A call to `tornado.web.RequestHandler.redirect` method.
    *
-   * See https://www.tornadoweb.org/en/stable/web.html?highlight=write#tornado.web.RequestHandler.write
+   * See https://www.tornadoweb.org/en/stable/web.html?highlight=write#tornado.web.RequestHandler.redirect
    */
   private class TornadoRequestHandlerRedirectCall extends HTTP::Server::HttpRedirectResponse::Range,
     DataFlow::CfgNode {

From 182d435dc600afa85ac95a5ca16bb7fb26c4bba7 Mon Sep 17 00:00:00 2001
From: Rasmus Lerchedahl Petersen <yoff@github.com>
Date: Mon, 18 Jan 2021 14:58:21 +0100
Subject: [PATCH 061/429] Python: Replace comprehension read-step by for
 read-step. Add a version targetting sequence nodes.

---
 .../dataflow/new/internal/DataFlowPrivate.qll | 126 +++++++++++++-----
 .../dataflow/coverage/dataflow.expected       |  81 ++++++++++-
 .../experimental/dataflow/coverage/test.py    |  20 ++-
 .../dataflow/regression/dataflow.expected     |   2 +
 .../experimental/dataflow/regression/test.py  |   4 +-
 5 files changed, 188 insertions(+), 45 deletions(-)

diff --git a/python/ql/src/semmle/python/dataflow/new/internal/DataFlowPrivate.qll b/python/ql/src/semmle/python/dataflow/new/internal/DataFlowPrivate.qll
index c4f236b0996..38478c6bc47 100644
--- a/python/ql/src/semmle/python/dataflow/new/internal/DataFlowPrivate.qll
+++ b/python/ql/src/semmle/python/dataflow/new/internal/DataFlowPrivate.qll
@@ -161,15 +161,6 @@ module EssaFlow {
     nodeFrom.(CfgNode).getNode() =
       nodeTo.(EssaNode).getVar().getDefinition().(AssignmentDefinition).getValue()
     or
-    // Definition
-    //   `[a, b] = iterable`
-    //   nodeFrom = `iterable`, cfg node
-    //   nodeTo = `TIterableSequence([a, b])`
-    exists(UnpackingAssignmentDirectTarget target |
-      nodeFrom.asExpr() = target.getValue() and
-      nodeTo = TIterableSequenceNode(target)
-    )
-    or
     // With definition
     //   `with f(42) as x:`
     //   nodeFrom is `f(42)`, cfg node
@@ -1045,7 +1036,7 @@ predicate readStep(Node nodeFrom, Content c, Node nodeTo) {
   or
   popReadStep(nodeFrom, c, nodeTo)
   or
-  comprehensionReadStep(nodeFrom, c, nodeTo)
+  forReadStep(nodeFrom, c, nodeTo)
   or
   attributeReadStep(nodeFrom, c, nodeTo)
   or
@@ -1142,9 +1133,15 @@ predicate subscriptReadStep(CfgNode nodeFrom, Content c, CfgNode nodeTo) {
  * also transfer other content, but only tuple content is further read from `sequence` into its elements.
  *
  * The strategy is then via several read-, store-, and flow steps:
- * 1. [Flow] Content is transferred from `iterable` to `TIterableSequence(sequence)` via a
+ * 1. a) [Flow] Content is transferred from `iterable` to `TIterableSequence(sequence)` via a
  *    flow step. From here, everything happens on the LHS.
  *
+ *    b) [Read] If the unpacking happens inside a for as in
+ *    ```python
+ *       for sequence in iterable
+ *    ```
+ *    then content is read from `iterable` to `TIterableSequence(sequence)`.
+ *
  * 2. [Flow] Content is transferred from `TIterableSequence(sequence)` to `sequence` via a
  *    flow step. (Here only tuple content is relevant.)
  *
@@ -1179,7 +1176,7 @@ predicate subscriptReadStep(CfgNode nodeFrom, Content c, CfgNode nodeTo) {
  * Looking at the content propagation to `a`:
  *   `["a", SOURCE]`: [ListElementContent]
  *
- * --Step 1-->
+ * --Step 1a-->
  *
  *   `TIterableSequence((a, b))`: [ListElementContent]
  *
@@ -1205,7 +1202,7 @@ predicate subscriptReadStep(CfgNode nodeFrom, Content c, CfgNode nodeTo) {
  *
  *   `["a", [SOURCE]]`: [ListElementContent; ListElementContent]
  *
- * --Step 1-->
+ * --Step 1a-->
  *
  *   `TIterableSequence((a, [b, *c]))`: [ListElementContent; ListElementContent]
  *
@@ -1238,13 +1235,53 @@ predicate subscriptReadStep(CfgNode nodeFrom, Content c, CfgNode nodeTo) {
  *  `c`: [ListElementContent]
  */
 module UnpackingAssignment {
+  /**
+   * The target of a `for`, e.g. `x` in `for x in list` or in `[42 for x in list]`.
+   * This class also records the source, which in both above cases is `list`.
+   * This class abstracts away the differing representations of comprehensions and
+   * for statements.
+   */
+  class ForTarget extends ControlFlowNode {
+    Expr source;
+
+    ForTarget() {
+      exists(For for |
+        source = for.getIter() and
+        this.getNode() = for.getTarget() and
+        not for = any(Comp comp).getNthInnerLoop(0)
+      )
+      or
+      exists(Comp comp |
+        source = comp.getIterable() and
+        this.getNode() = comp.getIterationVariable(0).getAStore()
+      )
+    }
+
+    Expr getSource() { result = source }
+  }
+
+  /** The LHS of an assignemnt, it also records the assigned value. */
+  class AssignmentTarget extends ControlFlowNode {
+    Expr value;
+
+    AssignmentTarget() {
+      exists(Assign assign | this.getNode() = assign.getATarget() | value = assign.getValue())
+    }
+
+    Expr getValue() { result = value }
+  }
+
   /** A direct (or top-level) target of an unpacking assignment. */
   class UnpackingAssignmentDirectTarget extends ControlFlowNode {
     Expr value;
 
     UnpackingAssignmentDirectTarget() {
       this instanceof SequenceNode and
-      exists(Assign assign | this.getNode() = assign.getATarget() | value = assign.getValue())
+      (
+        value = this.(AssignmentTarget).getValue()
+        or
+        value = this.(ForTarget).getSource()
+      )
     }
 
     Expr getValue() { result = value }
@@ -1268,11 +1305,38 @@ module UnpackingAssignment {
     ControlFlowNode getAnElement() { result = this.getElement(_) }
   }
 
+  /**
+   * Step 1a
+   * Data flows from `iterable` to `TIterableSequence(sequence)`
+   */
+  predicate unpackingAssignmentAssignmentFlowStep(Node nodeFrom, Node nodeTo) {
+    exists(AssignmentTarget target |
+      nodeFrom.asExpr() = target.getValue() and
+      nodeTo = TIterableSequenceNode(target)
+    )
+  }
+
+  /**
+   * Step 1b
+   * Data is read from `iterable` to `TIterableSequence(sequence)`
+   */
+  predicate unpackingAssignmentForReadStep(CfgNode nodeFrom, Content c, Node nodeTo) {
+    exists(ForTarget target |
+      nodeFrom.asExpr() = target.getSource() and
+      nodeTo = TIterableSequenceNode(target.(SequenceNode))
+    ) and
+    (
+      c instanceof ListElementContent
+      or
+      c instanceof SetElementContent
+    )
+  }
+
   /**
    * Step 2
    * Data flows from `TIterableSequence(sequence)` to `sequence`
    */
-  predicate unpackingAssignmentFlowStep(Node nodeFrom, Node nodeTo) {
+  predicate unpackingAssignmentTupleFlowStep(Node nodeFrom, Node nodeTo) {
     exists(UnpackingAssignmentSequenceTarget target |
       nodeFrom = TIterableSequenceNode(target) and
       nodeTo.asCfgNode() = target
@@ -1376,6 +1440,8 @@ module UnpackingAssignment {
 
   /** All read steps associated with unpacking assignment. */
   predicate unpackingAssignmentReadStep(Node nodeFrom, Content c, Node nodeTo) {
+    unpackingAssignmentForReadStep(nodeFrom, c, nodeTo)
+    or
     unpackingAssignmentElementReadStep(nodeFrom, c, nodeTo)
     or
     unpackingAssignmentConvertingReadStep(nodeFrom, c, nodeTo)
@@ -1387,6 +1453,13 @@ module UnpackingAssignment {
     or
     unpackingAssignmentConvertingStoreStep(nodeFrom, c, nodeTo)
   }
+
+  /** All flow steps associated with unpacking assignment. */
+  predicate unpackingAssignmentFlowStep(Node nodeFrom, Node nodeTo) {
+    unpackingAssignmentAssignmentFlowStep(nodeFrom, nodeTo)
+    or
+    unpackingAssignmentTupleFlowStep(nodeFrom, nodeTo)
+  }
 }
 
 import UnpackingAssignment
@@ -1425,25 +1498,10 @@ predicate popReadStep(CfgNode nodeFrom, Content c, CfgNode nodeTo) {
   )
 }
 
-/** Data flows from a iterated sequence to the variable iterating over the sequence. */
-predicate comprehensionReadStep(CfgNode nodeFrom, Content c, EssaNode nodeTo) {
-  // Comprehension
-  //   `[x+1 for x in l]`
-  //   nodeFrom is `l`, cfg node
-  //   nodeTo is `x`, essa var
-  //   c denotes element of list or set
-  exists(Comp comp |
-    // outermost for
-    nodeFrom.getNode().getNode() = comp.getIterable() and
-    nodeTo.getVar().getDefinition().(AssignmentDefinition).getDefiningNode().getNode() =
-      comp.getIterationVariable(0).getAStore()
-    or
-    // an inner for
-    exists(int n | n > 0 |
-      nodeFrom.getNode().getNode() = comp.getNthInnerLoop(n).getIter() and
-      nodeTo.getVar().getDefinition().(AssignmentDefinition).getDefiningNode().getNode() =
-        comp.getNthInnerLoop(n).getTarget()
-    )
+predicate forReadStep(CfgNode nodeFrom, Content c, Node nodeTo) {
+  exists(ForTarget target |
+    nodeFrom.asExpr() = target.getSource() and
+    nodeTo.asVar().(EssaNodeDefinition).getDefiningNode() = target
   ) and
   (
     c instanceof ListElementContent
diff --git a/python/ql/test/experimental/dataflow/coverage/dataflow.expected b/python/ql/test/experimental/dataflow/coverage/dataflow.expected
index ef7ebb797cd..623b86e2a1d 100644
--- a/python/ql/test/experimental/dataflow/coverage/dataflow.expected
+++ b/python/ql/test/experimental/dataflow/coverage/dataflow.expected
@@ -285,7 +285,38 @@ edges
 | test.py:639:12:639:13 | ControlFlowNode for a2 [List element] | test.py:639:12:639:16 | ControlFlowNode for Subscript |
 | test.py:640:10:640:11 | ControlFlowNode for a2 [List element] | test.py:640:10:640:14 | ControlFlowNode for Subscript |
 | test.py:647:19:647:24 | ControlFlowNode for SOURCE | test.py:648:10:648:10 | ControlFlowNode for a |
-| test.py:739:16:739:21 | ControlFlowNode for SOURCE | test.py:742:10:742:36 | ControlFlowNode for return_from_inner_scope() |
+| test.py:655:10:655:51 | ControlFlowNode for List [List element, Tuple element at index 0] | test.py:656:16:656:17 | ControlFlowNode for tl [List element, Tuple element at index 0] |
+| test.py:655:12:655:17 | ControlFlowNode for SOURCE | test.py:655:12:655:28 | ControlFlowNode for Tuple [Tuple element at index 0] |
+| test.py:655:12:655:28 | ControlFlowNode for Tuple [Tuple element at index 0] | test.py:655:10:655:51 | ControlFlowNode for List [List element, Tuple element at index 0] |
+| test.py:655:33:655:38 | ControlFlowNode for SOURCE | test.py:655:33:655:49 | ControlFlowNode for Tuple [Tuple element at index 0] |
+| test.py:655:33:655:49 | ControlFlowNode for Tuple [Tuple element at index 0] | test.py:655:10:655:51 | ControlFlowNode for List [List element, Tuple element at index 0] |
+| test.py:656:9:656:9 | SSA variable x | test.py:657:14:657:14 | ControlFlowNode for x |
+| test.py:656:9:656:11 | ControlFlowNode for Tuple [Tuple element at index 0] | test.py:656:9:656:9 | SSA variable x |
+| test.py:656:9:656:11 | IterableSequence [Tuple element at index 0] | test.py:656:9:656:11 | ControlFlowNode for Tuple [Tuple element at index 0] |
+| test.py:656:16:656:17 | ControlFlowNode for tl [List element, Tuple element at index 0] | test.py:656:9:656:11 | IterableSequence [Tuple element at index 0] |
+| test.py:663:10:663:51 | ControlFlowNode for List [List element, Tuple element at index 0] | test.py:664:17:664:18 | ControlFlowNode for tl [List element, Tuple element at index 0] |
+| test.py:663:12:663:17 | ControlFlowNode for SOURCE | test.py:663:12:663:28 | ControlFlowNode for Tuple [Tuple element at index 0] |
+| test.py:663:12:663:28 | ControlFlowNode for Tuple [Tuple element at index 0] | test.py:663:10:663:51 | ControlFlowNode for List [List element, Tuple element at index 0] |
+| test.py:663:33:663:38 | ControlFlowNode for SOURCE | test.py:663:33:663:49 | ControlFlowNode for Tuple [Tuple element at index 0] |
+| test.py:663:33:663:49 | ControlFlowNode for Tuple [Tuple element at index 0] | test.py:663:10:663:51 | ControlFlowNode for List [List element, Tuple element at index 0] |
+| test.py:664:9:664:10 | IterableElement | test.py:664:9:664:10 | SSA variable x [List element] |
+| test.py:664:9:664:10 | SSA variable x [List element] | test.py:666:14:666:14 | ControlFlowNode for x [List element] |
+| test.py:664:9:664:12 | ControlFlowNode for Tuple [Tuple element at index 0] | test.py:664:9:664:10 | IterableElement |
+| test.py:664:9:664:12 | ControlFlowNode for Tuple [Tuple element at index 0] | test.py:664:12:664:12 | SSA variable y |
+| test.py:664:9:664:12 | IterableSequence [Tuple element at index 0] | test.py:664:9:664:12 | ControlFlowNode for Tuple [Tuple element at index 0] |
+| test.py:664:12:664:12 | SSA variable y | test.py:667:16:667:16 | ControlFlowNode for y |
+| test.py:664:17:664:18 | ControlFlowNode for tl [List element, Tuple element at index 0] | test.py:664:9:664:12 | IterableSequence [Tuple element at index 0] |
+| test.py:666:14:666:14 | ControlFlowNode for x [List element] | test.py:666:14:666:17 | ControlFlowNode for Subscript |
+| test.py:672:10:672:51 | ControlFlowNode for List [List element, Tuple element at index 0] | test.py:673:19:673:20 | ControlFlowNode for tl [List element, Tuple element at index 0] |
+| test.py:672:12:672:17 | ControlFlowNode for SOURCE | test.py:672:12:672:28 | ControlFlowNode for Tuple [Tuple element at index 0] |
+| test.py:672:12:672:28 | ControlFlowNode for Tuple [Tuple element at index 0] | test.py:672:10:672:51 | ControlFlowNode for List [List element, Tuple element at index 0] |
+| test.py:672:33:672:38 | ControlFlowNode for SOURCE | test.py:672:33:672:49 | ControlFlowNode for Tuple [Tuple element at index 0] |
+| test.py:672:33:672:49 | ControlFlowNode for Tuple [Tuple element at index 0] | test.py:672:10:672:51 | ControlFlowNode for List [List element, Tuple element at index 0] |
+| test.py:673:9:673:9 | SSA variable x | test.py:674:14:674:14 | ControlFlowNode for x |
+| test.py:673:9:673:14 | ControlFlowNode for Tuple [Tuple element at index 0] | test.py:673:9:673:9 | SSA variable x |
+| test.py:673:9:673:14 | IterableSequence [Tuple element at index 0] | test.py:673:9:673:14 | ControlFlowNode for Tuple [Tuple element at index 0] |
+| test.py:673:19:673:20 | ControlFlowNode for tl [List element, Tuple element at index 0] | test.py:673:9:673:14 | IterableSequence [Tuple element at index 0] |
+| test.py:749:16:749:21 | ControlFlowNode for SOURCE | test.py:752:10:752:36 | ControlFlowNode for return_from_inner_scope() |
 nodes
 | datamodel.py:38:6:38:17 | ControlFlowNode for f() | semmle.label | ControlFlowNode for f() |
 | datamodel.py:38:8:38:13 | ControlFlowNode for SOURCE | semmle.label | ControlFlowNode for SOURCE |
@@ -628,8 +659,42 @@ nodes
 | test.py:640:10:640:14 | ControlFlowNode for Subscript | semmle.label | ControlFlowNode for Subscript |
 | test.py:647:19:647:24 | ControlFlowNode for SOURCE | semmle.label | ControlFlowNode for SOURCE |
 | test.py:648:10:648:10 | ControlFlowNode for a | semmle.label | ControlFlowNode for a |
-| test.py:739:16:739:21 | ControlFlowNode for SOURCE | semmle.label | ControlFlowNode for SOURCE |
-| test.py:742:10:742:36 | ControlFlowNode for return_from_inner_scope() | semmle.label | ControlFlowNode for return_from_inner_scope() |
+| test.py:655:10:655:51 | ControlFlowNode for List [List element, Tuple element at index 0] | semmle.label | ControlFlowNode for List [List element, Tuple element at index 0] |
+| test.py:655:12:655:17 | ControlFlowNode for SOURCE | semmle.label | ControlFlowNode for SOURCE |
+| test.py:655:12:655:28 | ControlFlowNode for Tuple [Tuple element at index 0] | semmle.label | ControlFlowNode for Tuple [Tuple element at index 0] |
+| test.py:655:33:655:38 | ControlFlowNode for SOURCE | semmle.label | ControlFlowNode for SOURCE |
+| test.py:655:33:655:49 | ControlFlowNode for Tuple [Tuple element at index 0] | semmle.label | ControlFlowNode for Tuple [Tuple element at index 0] |
+| test.py:656:9:656:9 | SSA variable x | semmle.label | SSA variable x |
+| test.py:656:9:656:11 | ControlFlowNode for Tuple [Tuple element at index 0] | semmle.label | ControlFlowNode for Tuple [Tuple element at index 0] |
+| test.py:656:9:656:11 | IterableSequence [Tuple element at index 0] | semmle.label | IterableSequence [Tuple element at index 0] |
+| test.py:656:16:656:17 | ControlFlowNode for tl [List element, Tuple element at index 0] | semmle.label | ControlFlowNode for tl [List element, Tuple element at index 0] |
+| test.py:657:14:657:14 | ControlFlowNode for x | semmle.label | ControlFlowNode for x |
+| test.py:663:10:663:51 | ControlFlowNode for List [List element, Tuple element at index 0] | semmle.label | ControlFlowNode for List [List element, Tuple element at index 0] |
+| test.py:663:12:663:17 | ControlFlowNode for SOURCE | semmle.label | ControlFlowNode for SOURCE |
+| test.py:663:12:663:28 | ControlFlowNode for Tuple [Tuple element at index 0] | semmle.label | ControlFlowNode for Tuple [Tuple element at index 0] |
+| test.py:663:33:663:38 | ControlFlowNode for SOURCE | semmle.label | ControlFlowNode for SOURCE |
+| test.py:663:33:663:49 | ControlFlowNode for Tuple [Tuple element at index 0] | semmle.label | ControlFlowNode for Tuple [Tuple element at index 0] |
+| test.py:664:9:664:10 | IterableElement | semmle.label | IterableElement |
+| test.py:664:9:664:10 | SSA variable x [List element] | semmle.label | SSA variable x [List element] |
+| test.py:664:9:664:12 | ControlFlowNode for Tuple [Tuple element at index 0] | semmle.label | ControlFlowNode for Tuple [Tuple element at index 0] |
+| test.py:664:9:664:12 | IterableSequence [Tuple element at index 0] | semmle.label | IterableSequence [Tuple element at index 0] |
+| test.py:664:12:664:12 | SSA variable y | semmle.label | SSA variable y |
+| test.py:664:17:664:18 | ControlFlowNode for tl [List element, Tuple element at index 0] | semmle.label | ControlFlowNode for tl [List element, Tuple element at index 0] |
+| test.py:666:14:666:14 | ControlFlowNode for x [List element] | semmle.label | ControlFlowNode for x [List element] |
+| test.py:666:14:666:17 | ControlFlowNode for Subscript | semmle.label | ControlFlowNode for Subscript |
+| test.py:667:16:667:16 | ControlFlowNode for y | semmle.label | ControlFlowNode for y |
+| test.py:672:10:672:51 | ControlFlowNode for List [List element, Tuple element at index 0] | semmle.label | ControlFlowNode for List [List element, Tuple element at index 0] |
+| test.py:672:12:672:17 | ControlFlowNode for SOURCE | semmle.label | ControlFlowNode for SOURCE |
+| test.py:672:12:672:28 | ControlFlowNode for Tuple [Tuple element at index 0] | semmle.label | ControlFlowNode for Tuple [Tuple element at index 0] |
+| test.py:672:33:672:38 | ControlFlowNode for SOURCE | semmle.label | ControlFlowNode for SOURCE |
+| test.py:672:33:672:49 | ControlFlowNode for Tuple [Tuple element at index 0] | semmle.label | ControlFlowNode for Tuple [Tuple element at index 0] |
+| test.py:673:9:673:9 | SSA variable x | semmle.label | SSA variable x |
+| test.py:673:9:673:14 | ControlFlowNode for Tuple [Tuple element at index 0] | semmle.label | ControlFlowNode for Tuple [Tuple element at index 0] |
+| test.py:673:9:673:14 | IterableSequence [Tuple element at index 0] | semmle.label | IterableSequence [Tuple element at index 0] |
+| test.py:673:19:673:20 | ControlFlowNode for tl [List element, Tuple element at index 0] | semmle.label | ControlFlowNode for tl [List element, Tuple element at index 0] |
+| test.py:674:14:674:14 | ControlFlowNode for x | semmle.label | ControlFlowNode for x |
+| test.py:749:16:749:21 | ControlFlowNode for SOURCE | semmle.label | ControlFlowNode for SOURCE |
+| test.py:752:10:752:36 | ControlFlowNode for return_from_inner_scope() | semmle.label | ControlFlowNode for return_from_inner_scope() |
 #select
 | datamodel.py:38:6:38:17 | ControlFlowNode for f() | datamodel.py:38:8:38:13 | ControlFlowNode for SOURCE | datamodel.py:38:6:38:17 | ControlFlowNode for f() | Flow found |
 | datamodel.py:71:6:71:24 | ControlFlowNode for Attribute() | datamodel.py:71:15:71:20 | ControlFlowNode for SOURCE | datamodel.py:71:6:71:24 | ControlFlowNode for Attribute() | Flow found |
@@ -724,4 +789,12 @@ nodes
 | test.py:639:12:639:16 | ControlFlowNode for Subscript | test.py:606:31:606:36 | ControlFlowNode for SOURCE | test.py:639:12:639:16 | ControlFlowNode for Subscript | Flow found |
 | test.py:640:10:640:14 | ControlFlowNode for Subscript | test.py:606:31:606:36 | ControlFlowNode for SOURCE | test.py:640:10:640:14 | ControlFlowNode for Subscript | Flow found |
 | test.py:648:10:648:10 | ControlFlowNode for a | test.py:647:19:647:24 | ControlFlowNode for SOURCE | test.py:648:10:648:10 | ControlFlowNode for a | Flow found |
-| test.py:742:10:742:36 | ControlFlowNode for return_from_inner_scope() | test.py:739:16:739:21 | ControlFlowNode for SOURCE | test.py:742:10:742:36 | ControlFlowNode for return_from_inner_scope() | Flow found |
+| test.py:657:14:657:14 | ControlFlowNode for x | test.py:655:12:655:17 | ControlFlowNode for SOURCE | test.py:657:14:657:14 | ControlFlowNode for x | Flow found |
+| test.py:657:14:657:14 | ControlFlowNode for x | test.py:655:33:655:38 | ControlFlowNode for SOURCE | test.py:657:14:657:14 | ControlFlowNode for x | Flow found |
+| test.py:666:14:666:17 | ControlFlowNode for Subscript | test.py:663:12:663:17 | ControlFlowNode for SOURCE | test.py:666:14:666:17 | ControlFlowNode for Subscript | Flow found |
+| test.py:666:14:666:17 | ControlFlowNode for Subscript | test.py:663:33:663:38 | ControlFlowNode for SOURCE | test.py:666:14:666:17 | ControlFlowNode for Subscript | Flow found |
+| test.py:667:16:667:16 | ControlFlowNode for y | test.py:663:12:663:17 | ControlFlowNode for SOURCE | test.py:667:16:667:16 | ControlFlowNode for y | Flow found |
+| test.py:667:16:667:16 | ControlFlowNode for y | test.py:663:33:663:38 | ControlFlowNode for SOURCE | test.py:667:16:667:16 | ControlFlowNode for y | Flow found |
+| test.py:674:14:674:14 | ControlFlowNode for x | test.py:672:12:672:17 | ControlFlowNode for SOURCE | test.py:674:14:674:14 | ControlFlowNode for x | Flow found |
+| test.py:674:14:674:14 | ControlFlowNode for x | test.py:672:33:672:38 | ControlFlowNode for SOURCE | test.py:674:14:674:14 | ControlFlowNode for x | Flow found |
+| test.py:752:10:752:36 | ControlFlowNode for return_from_inner_scope() | test.py:749:16:749:21 | ControlFlowNode for SOURCE | test.py:752:10:752:36 | ControlFlowNode for return_from_inner_scope() | Flow found |
diff --git a/python/ql/test/experimental/dataflow/coverage/test.py b/python/ql/test/experimental/dataflow/coverage/test.py
index 6a9854903e5..542ab161ed6 100644
--- a/python/ql/test/experimental/dataflow/coverage/test.py
+++ b/python/ql/test/experimental/dataflow/coverage/test.py
@@ -192,7 +192,7 @@ def test_nested_comprehension_deep_with_local_flow():
 def test_nested_comprehension_dict():
     d = {"s": [SOURCE]}
     x = [y for k, v in d.items() for y in v]
-    SINK(x[0]) #$ MISSING:flow="SOURCE, l:-1 -> x[0]"
+    SINK(x[0]) #$ MISSING:flow="SOURCE, l:-2 -> x[0]"
 
 
 def test_nested_comprehension_paren():
@@ -203,12 +203,12 @@ def test_nested_comprehension_paren():
 # Iterable unpacking in comprehensions
 def test_unpacking_comprehension():
     x = [a for (a, b) in [(SOURCE, NONSOURCE)]]
-    SINK(x[0])  # Flow missing
+    SINK(x[0]) #$ MISSING:flow="SOURCE, l:-1 -> x[0]"
 
 
 def test_star_unpacking_comprehension():
     x = [a[0] for (*a, b) in [(SOURCE, NONSOURCE)]]
-    SINK(x[0])  # Flow missing
+    SINK(x[0]) #$ MISSING:flow="SOURCE, l:-1 -> x[0]"
 
 
 # 6.2.8. Generator expressions
@@ -654,7 +654,7 @@ def test_iterable_repacking():
 def test_iterable_unpacking_in_for():
     tl = [(SOURCE, NONSOURCE), (SOURCE, NONSOURCE)]
     for x,y in tl:
-        SINK(x) #$ MISSING: flow="SOURCE, l:-2 -> x"
+        SINK(x) #$ flow="SOURCE, l:-2 -> x"
         SINK_F(y)
 
 
@@ -663,8 +663,18 @@ def test_iterable_star_unpacking_in_for():
     tl = [(SOURCE, NONSOURCE), (SOURCE, NONSOURCE)]
     for *x,y in tl:
         SINK_F(x)
-        SINK(x[0]) #$ MISSING: flow="SOURCE, l:-3 -> x[0]"
+        SINK(x[0]) #$ flow="SOURCE, l:-3 -> x[0]"
+        SINK_F(y) #$ SPURIOUS: flow="SOURCE, l:-4 -> y"  # FP here since we do not track the tuple lenght and so `*x` could be empty
+
+
+@expects(6)
+def test_iterable_star_unpacking_in_for_2():
+    tl = [(SOURCE, NONSOURCE), (SOURCE, NONSOURCE)]
+    for x,*y,z in tl:
+        SINK(x) #$ flow="SOURCE, l:-2 -> x"
         SINK_F(y)
+        SINK_F(y[0])
+        SINK_F(z)
 
 
 def test_deep_callgraph():
diff --git a/python/ql/test/experimental/dataflow/regression/dataflow.expected b/python/ql/test/experimental/dataflow/regression/dataflow.expected
index 2fe69282e37..dfce2c72737 100644
--- a/python/ql/test/experimental/dataflow/regression/dataflow.expected
+++ b/python/ql/test/experimental/dataflow/regression/dataflow.expected
@@ -21,3 +21,5 @@
 | test.py:178:9:178:14 | ControlFlowNode for SOURCE | test.py:186:14:186:14 | ControlFlowNode for t |
 | test.py:195:9:195:14 | ControlFlowNode for SOURCE | test.py:197:14:197:14 | ControlFlowNode for t |
 | test.py:195:9:195:14 | ControlFlowNode for SOURCE | test.py:199:14:199:14 | ControlFlowNode for t |
+| test.py:202:10:202:15 | ControlFlowNode for SOURCE | test.py:204:14:204:14 | ControlFlowNode for i |
+| test.py:202:10:202:15 | ControlFlowNode for SOURCE | test.py:205:10:205:10 | ControlFlowNode for i |
diff --git a/python/ql/test/experimental/dataflow/regression/test.py b/python/ql/test/experimental/dataflow/regression/test.py
index aa620b6ba5f..80c9c7e5e34 100644
--- a/python/ql/test/experimental/dataflow/regression/test.py
+++ b/python/ql/test/experimental/dataflow/regression/test.py
@@ -201,8 +201,8 @@ def flow_through_type_test_if_no_class():
 def flow_in_iteration():
     t = [SOURCE]
     for i in t:
-        SINK(i)  # Flow not found
-    SINK(i)  # Flow not found
+        SINK(i)
+    SINK(i)
 
 def flow_in_generator():
     seq = [SOURCE]

From 7f1affa122a1a2569533a97106674df37e3f82a3 Mon Sep 17 00:00:00 2001
From: Rasmus Lerchedahl Petersen <yoff@github.com>
Date: Fri, 29 Jan 2021 17:44:53 +0100
Subject: [PATCH 062/429] Python: UnpackingAssignment -> IterableUnpacking

---
 .../dataflow/new/internal/DataFlowPrivate.qll | 44 +++++++++----------
 1 file changed, 22 insertions(+), 22 deletions(-)

diff --git a/python/ql/src/semmle/python/dataflow/new/internal/DataFlowPrivate.qll b/python/ql/src/semmle/python/dataflow/new/internal/DataFlowPrivate.qll
index 38478c6bc47..694243e0e81 100644
--- a/python/ql/src/semmle/python/dataflow/new/internal/DataFlowPrivate.qll
+++ b/python/ql/src/semmle/python/dataflow/new/internal/DataFlowPrivate.qll
@@ -201,7 +201,7 @@ module EssaFlow {
     nodeFrom.asCfgNode() = nodeTo.asCfgNode().(IfExprNode).getAnOperand()
     or
     // Flow inside an unpacking assignment
-    unpackingAssignmentFlowStep(nodeFrom, nodeTo)
+    iterableUnpackingFlowStep(nodeFrom, nodeTo)
     or
     // Overflow keyword argument
     exists(CallNode call, CallableValue callable |
@@ -898,7 +898,7 @@ predicate storeStep(Node nodeFrom, Content c, Node nodeTo) {
   or
   comprehensionStoreStep(nodeFrom, c, nodeTo)
   or
-  unpackingAssignmentStoreStep(nodeFrom, c, nodeTo)
+  iterableUnpackingStoreStep(nodeFrom, c, nodeTo)
   or
   attributeStoreStep(nodeFrom, c, nodeTo)
   or
@@ -1032,7 +1032,7 @@ predicate kwOverflowStoreStep(CfgNode nodeFrom, DictionaryElementContent c, Node
 predicate readStep(Node nodeFrom, Content c, Node nodeTo) {
   subscriptReadStep(nodeFrom, c, nodeTo)
   or
-  unpackingAssignmentReadStep(nodeFrom, c, nodeTo)
+  iterableUnpackingReadStep(nodeFrom, c, nodeTo)
   or
   popReadStep(nodeFrom, c, nodeTo)
   or
@@ -1234,7 +1234,7 @@ predicate subscriptReadStep(CfgNode nodeFrom, Content c, CfgNode nodeTo) {
  *
  *  `c`: [ListElementContent]
  */
-module UnpackingAssignment {
+module IterableUnpacking {
   /**
    * The target of a `for`, e.g. `x` in `for x in list` or in `[42 for x in list]`.
    * This class also records the source, which in both above cases is `list`.
@@ -1309,7 +1309,7 @@ module UnpackingAssignment {
    * Step 1a
    * Data flows from `iterable` to `TIterableSequence(sequence)`
    */
-  predicate unpackingAssignmentAssignmentFlowStep(Node nodeFrom, Node nodeTo) {
+  predicate iterableUnpackingAssignmentFlowStep(Node nodeFrom, Node nodeTo) {
     exists(AssignmentTarget target |
       nodeFrom.asExpr() = target.getValue() and
       nodeTo = TIterableSequenceNode(target)
@@ -1320,7 +1320,7 @@ module UnpackingAssignment {
    * Step 1b
    * Data is read from `iterable` to `TIterableSequence(sequence)`
    */
-  predicate unpackingAssignmentForReadStep(CfgNode nodeFrom, Content c, Node nodeTo) {
+  predicate iterableUnpackingForReadStep(CfgNode nodeFrom, Content c, Node nodeTo) {
     exists(ForTarget target |
       nodeFrom.asExpr() = target.getSource() and
       nodeTo = TIterableSequenceNode(target.(SequenceNode))
@@ -1336,7 +1336,7 @@ module UnpackingAssignment {
    * Step 2
    * Data flows from `TIterableSequence(sequence)` to `sequence`
    */
-  predicate unpackingAssignmentTupleFlowStep(Node nodeFrom, Node nodeTo) {
+  predicate iterableUnpackingTupleFlowStep(Node nodeFrom, Node nodeTo) {
     exists(UnpackingAssignmentSequenceTarget target |
       nodeFrom = TIterableSequenceNode(target) and
       nodeTo.asCfgNode() = target
@@ -1349,7 +1349,7 @@ module UnpackingAssignment {
    * As `sequence` is modeled as a tuple, we will not read tuple content as that would allow
    * crosstalk.
    */
-  predicate unpackingAssignmentConvertingReadStep(Node nodeFrom, Content c, Node nodeTo) {
+  predicate iterableUnpackingConvertingReadStep(Node nodeFrom, Content c, Node nodeTo) {
     exists(UnpackingAssignmentSequenceTarget target |
       nodeFrom = TIterableSequenceNode(target) and
       nodeTo = TIterableElementNode(target) and
@@ -1368,7 +1368,7 @@ module UnpackingAssignment {
    * Content type is `TupleElementContent` with indices taken from the syntax.
    * For instance, if `sequence` is `(a, *b, c)`, content is written to index 0, 1, and 2.
    */
-  predicate unpackingAssignmentConvertingStoreStep(Node nodeFrom, Content c, Node nodeTo) {
+  predicate iterableUnpackingConvertingStoreStep(Node nodeFrom, Content c, Node nodeTo) {
     exists(UnpackingAssignmentSequenceTarget target |
       nodeFrom = TIterableElementNode(target) and
       nodeTo.asCfgNode() = target and
@@ -1388,7 +1388,7 @@ module UnpackingAssignment {
    *
    *    c) If the element is a starred variable, with control-flow node `v`, `toNode` is `TIterableElement(v)`.
    */
-  predicate unpackingAssignmentElementReadStep(Node nodeFrom, Content c, Node nodeTo) {
+  predicate iterableUnpackingElementReadStep(Node nodeFrom, Content c, Node nodeTo) {
     exists(
       UnpackingAssignmentSequenceTarget target, int index, ControlFlowNode element, int starIndex
     |
@@ -1430,7 +1430,7 @@ module UnpackingAssignment {
    * Data flows from `TIterableElement(v)` to the essa variable for `v`, with
    * content type `ListElementContent`.
    */
-  predicate unpackingAssignmentStarredElementStoreStep(Node nodeFrom, Content c, Node nodeTo) {
+  predicate iterableUnpackingStarredElementStoreStep(Node nodeFrom, Content c, Node nodeTo) {
     exists(ControlFlowNode starred | starred.getNode() instanceof Starred |
       nodeFrom = TIterableElementNode(starred) and
       nodeTo.asVar().getDefinition().(MultiAssignmentDefinition).getDefiningNode() = starred and
@@ -1439,30 +1439,30 @@ module UnpackingAssignment {
   }
 
   /** All read steps associated with unpacking assignment. */
-  predicate unpackingAssignmentReadStep(Node nodeFrom, Content c, Node nodeTo) {
-    unpackingAssignmentForReadStep(nodeFrom, c, nodeTo)
+  predicate iterableUnpackingReadStep(Node nodeFrom, Content c, Node nodeTo) {
+    iterableUnpackingForReadStep(nodeFrom, c, nodeTo)
     or
-    unpackingAssignmentElementReadStep(nodeFrom, c, nodeTo)
+    iterableUnpackingElementReadStep(nodeFrom, c, nodeTo)
     or
-    unpackingAssignmentConvertingReadStep(nodeFrom, c, nodeTo)
+    iterableUnpackingConvertingReadStep(nodeFrom, c, nodeTo)
   }
 
   /** All store steps associated with unpacking assignment. */
-  predicate unpackingAssignmentStoreStep(Node nodeFrom, Content c, Node nodeTo) {
-    unpackingAssignmentStarredElementStoreStep(nodeFrom, c, nodeTo)
+  predicate iterableUnpackingStoreStep(Node nodeFrom, Content c, Node nodeTo) {
+    iterableUnpackingStarredElementStoreStep(nodeFrom, c, nodeTo)
     or
-    unpackingAssignmentConvertingStoreStep(nodeFrom, c, nodeTo)
+    iterableUnpackingConvertingStoreStep(nodeFrom, c, nodeTo)
   }
 
   /** All flow steps associated with unpacking assignment. */
-  predicate unpackingAssignmentFlowStep(Node nodeFrom, Node nodeTo) {
-    unpackingAssignmentAssignmentFlowStep(nodeFrom, nodeTo)
+  predicate iterableUnpackingFlowStep(Node nodeFrom, Node nodeTo) {
+    iterableUnpackingAssignmentFlowStep(nodeFrom, nodeTo)
     or
-    unpackingAssignmentTupleFlowStep(nodeFrom, nodeTo)
+    iterableUnpackingTupleFlowStep(nodeFrom, nodeTo)
   }
 }
 
-import UnpackingAssignment
+import IterableUnpacking
 
 /** Data flows from a sequence to a call to `pop` on the sequence. */
 predicate popReadStep(CfgNode nodeFrom, Content c, CfgNode nodeTo) {

From 05a138694d41323f8141784187e8bae028246ecb Mon Sep 17 00:00:00 2001
From: Rasmus Lerchedahl Petersen <yoff@github.com>
Date: Fri, 29 Jan 2021 21:12:44 +0100
Subject: [PATCH 063/429] Python: Fix crashing test

---
 python/ql/test/experimental/dataflow/coverage/test.py | 3 +--
 1 file changed, 1 insertion(+), 2 deletions(-)

diff --git a/python/ql/test/experimental/dataflow/coverage/test.py b/python/ql/test/experimental/dataflow/coverage/test.py
index 542ab161ed6..0da8b40b274 100644
--- a/python/ql/test/experimental/dataflow/coverage/test.py
+++ b/python/ql/test/experimental/dataflow/coverage/test.py
@@ -672,8 +672,7 @@ def test_iterable_star_unpacking_in_for_2():
     tl = [(SOURCE, NONSOURCE), (SOURCE, NONSOURCE)]
     for x,*y,z in tl:
         SINK(x) #$ flow="SOURCE, l:-2 -> x"
-        SINK_F(y)
-        SINK_F(y[0])
+        SINK_F(y)  # The list itself is not tainted (and is here empty)
         SINK_F(z)
 
 

From b7df18b97e75879ffed2f2c430072c05eba43584 Mon Sep 17 00:00:00 2001
From: ihsinme <61293369+ihsinme@users.noreply.github.com>
Date: Sun, 31 Jan 2021 15:16:40 +0300
Subject: [PATCH 064/429] Update
 AccessOfMemoryLocationAfterEndOfBufferUsingStrlen.ql

---
 ...ssOfMemoryLocationAfterEndOfBufferUsingStrlen.ql | 13 ++++++++++++-
 1 file changed, 12 insertions(+), 1 deletion(-)

diff --git a/cpp/ql/src/experimental/Security/CWE/CWE-788/AccessOfMemoryLocationAfterEndOfBufferUsingStrlen.ql b/cpp/ql/src/experimental/Security/CWE/CWE-788/AccessOfMemoryLocationAfterEndOfBufferUsingStrlen.ql
index 3e1cfdd6396..012109074e9 100644
--- a/cpp/ql/src/experimental/Security/CWE/CWE-788/AccessOfMemoryLocationAfterEndOfBufferUsingStrlen.ql
+++ b/cpp/ql/src/experimental/Security/CWE/CWE-788/AccessOfMemoryLocationAfterEndOfBufferUsingStrlen.ql
@@ -13,11 +13,22 @@
 
 import cpp
 import semmle.code.cpp.valuenumbering.GlobalValueNumbering
+import semmle.code.cpp.dataflow.DataFlow
 
 from StrlenCall fc, AssignExpr expr, ArrayExpr exprarr
 where
   exprarr = expr.getLValue() and
   expr.getRValue().getValue().toInt() = 0 and
-  exprarr.getArrayOffset() = fc and
+  globalValueNumber(exprarr.getArrayOffset()) = globalValueNumber(fc) and
+  not exists(Expr exptmp |
+    (
+      DataFlow::localExprFlow(fc, exptmp) or
+      exptmp.getAChild*() = fc.getArgument(0).(VariableAccess).getTarget().getAnAccess()
+    ) and
+    dominates(exptmp, expr) and
+    postDominates(exptmp, fc) and
+    not exptmp.getEnclosingStmt() = fc.getEnclosingStmt() and
+    not exptmp.getEnclosingStmt() = expr.getEnclosingStmt()
+  ) and
   globalValueNumber(fc.getArgument(0)) = globalValueNumber(exprarr.getArrayBase())
 select expr, "potential unsafe or redundant assignment."

From 2b946aee5a3ff0c7d5e284e2ff7527e4dd79cda6 Mon Sep 17 00:00:00 2001
From: ihsinme <61293369+ihsinme@users.noreply.github.com>
Date: Sun, 31 Jan 2021 15:21:54 +0300
Subject: [PATCH 065/429] Update
 WrongInDetectingAndHandlingMemoryAllocationErrors.ql

---
 .../WrongInDetectingAndHandlingMemoryAllocationErrors.ql        | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)

diff --git a/cpp/ql/src/experimental/Security/CWE/CWE-570/WrongInDetectingAndHandlingMemoryAllocationErrors.ql b/cpp/ql/src/experimental/Security/CWE/CWE-570/WrongInDetectingAndHandlingMemoryAllocationErrors.ql
index 04a284d7846..403d8388b17 100644
--- a/cpp/ql/src/experimental/Security/CWE/CWE-570/WrongInDetectingAndHandlingMemoryAllocationErrors.ql
+++ b/cpp/ql/src/experimental/Security/CWE/CWE-570/WrongInDetectingAndHandlingMemoryAllocationErrors.ql
@@ -58,7 +58,7 @@ class WrongCheckErrorOperatorNew extends FunctionCall {
   predicate isExistsIfCondition() {
     exists(IfCompareWithZero ifc, AssignExpr aex, Initializer it |
       // call `operator new` directly from the condition of `operator if`.
-      this = ifc.getCondition().getAChild()
+      this = ifc.getCondition().getAChild*()
       or
       // check results call `operator new` with variable appropriation
       postDominates(ifc, this) and

From 27fd46b8558cfd825baed747a90073aeb9f63ad1 Mon Sep 17 00:00:00 2001
From: Rasmus Lerchedahl Petersen <yoff@github.com>
Date: Mon, 1 Feb 2021 08:55:20 +0100
Subject: [PATCH 066/429] Python: Update test expectation

---
 .../test/experimental/dataflow/coverage/dataflow.expected | 8 ++++----
 1 file changed, 4 insertions(+), 4 deletions(-)

diff --git a/python/ql/test/experimental/dataflow/coverage/dataflow.expected b/python/ql/test/experimental/dataflow/coverage/dataflow.expected
index 623b86e2a1d..978b810ea23 100644
--- a/python/ql/test/experimental/dataflow/coverage/dataflow.expected
+++ b/python/ql/test/experimental/dataflow/coverage/dataflow.expected
@@ -316,7 +316,7 @@ edges
 | test.py:673:9:673:14 | ControlFlowNode for Tuple [Tuple element at index 0] | test.py:673:9:673:9 | SSA variable x |
 | test.py:673:9:673:14 | IterableSequence [Tuple element at index 0] | test.py:673:9:673:14 | ControlFlowNode for Tuple [Tuple element at index 0] |
 | test.py:673:19:673:20 | ControlFlowNode for tl [List element, Tuple element at index 0] | test.py:673:9:673:14 | IterableSequence [Tuple element at index 0] |
-| test.py:749:16:749:21 | ControlFlowNode for SOURCE | test.py:752:10:752:36 | ControlFlowNode for return_from_inner_scope() |
+| test.py:748:16:748:21 | ControlFlowNode for SOURCE | test.py:751:10:751:36 | ControlFlowNode for return_from_inner_scope() |
 nodes
 | datamodel.py:38:6:38:17 | ControlFlowNode for f() | semmle.label | ControlFlowNode for f() |
 | datamodel.py:38:8:38:13 | ControlFlowNode for SOURCE | semmle.label | ControlFlowNode for SOURCE |
@@ -693,8 +693,8 @@ nodes
 | test.py:673:9:673:14 | IterableSequence [Tuple element at index 0] | semmle.label | IterableSequence [Tuple element at index 0] |
 | test.py:673:19:673:20 | ControlFlowNode for tl [List element, Tuple element at index 0] | semmle.label | ControlFlowNode for tl [List element, Tuple element at index 0] |
 | test.py:674:14:674:14 | ControlFlowNode for x | semmle.label | ControlFlowNode for x |
-| test.py:749:16:749:21 | ControlFlowNode for SOURCE | semmle.label | ControlFlowNode for SOURCE |
-| test.py:752:10:752:36 | ControlFlowNode for return_from_inner_scope() | semmle.label | ControlFlowNode for return_from_inner_scope() |
+| test.py:748:16:748:21 | ControlFlowNode for SOURCE | semmle.label | ControlFlowNode for SOURCE |
+| test.py:751:10:751:36 | ControlFlowNode for return_from_inner_scope() | semmle.label | ControlFlowNode for return_from_inner_scope() |
 #select
 | datamodel.py:38:6:38:17 | ControlFlowNode for f() | datamodel.py:38:8:38:13 | ControlFlowNode for SOURCE | datamodel.py:38:6:38:17 | ControlFlowNode for f() | Flow found |
 | datamodel.py:71:6:71:24 | ControlFlowNode for Attribute() | datamodel.py:71:15:71:20 | ControlFlowNode for SOURCE | datamodel.py:71:6:71:24 | ControlFlowNode for Attribute() | Flow found |
@@ -797,4 +797,4 @@ nodes
 | test.py:667:16:667:16 | ControlFlowNode for y | test.py:663:33:663:38 | ControlFlowNode for SOURCE | test.py:667:16:667:16 | ControlFlowNode for y | Flow found |
 | test.py:674:14:674:14 | ControlFlowNode for x | test.py:672:12:672:17 | ControlFlowNode for SOURCE | test.py:674:14:674:14 | ControlFlowNode for x | Flow found |
 | test.py:674:14:674:14 | ControlFlowNode for x | test.py:672:33:672:38 | ControlFlowNode for SOURCE | test.py:674:14:674:14 | ControlFlowNode for x | Flow found |
-| test.py:752:10:752:36 | ControlFlowNode for return_from_inner_scope() | test.py:749:16:749:21 | ControlFlowNode for SOURCE | test.py:752:10:752:36 | ControlFlowNode for return_from_inner_scope() | Flow found |
+| test.py:751:10:751:36 | ControlFlowNode for return_from_inner_scope() | test.py:748:16:748:21 | ControlFlowNode for SOURCE | test.py:751:10:751:36 | ControlFlowNode for return_from_inner_scope() | Flow found |

From 2a9e66a6675409f60164f32e73f17e187bfa1f76 Mon Sep 17 00:00:00 2001
From: Rasmus Wriedt Larsen <rasmuswl@github.com>
Date: Mon, 1 Feb 2021 11:17:04 +0100
Subject: [PATCH 067/429] Python: Fix problem after merge conflict

---
 python/ql/src/semmle/python/frameworks/Tornado.qll | 2 ++
 1 file changed, 2 insertions(+)

diff --git a/python/ql/src/semmle/python/frameworks/Tornado.qll b/python/ql/src/semmle/python/frameworks/Tornado.qll
index 195bddf1552..1f5859c4945 100644
--- a/python/ql/src/semmle/python/frameworks/Tornado.qll
+++ b/python/ql/src/semmle/python/frameworks/Tornado.qll
@@ -586,6 +586,8 @@ private module Tornado {
     override DataFlow::Node getBody() { none() }
 
     override string getMimetypeDefault() { none() }
+
+    override DataFlow::Node getMimetypeOrContentTypeArg() { none() }
   }
 
   /**

From 3363f5e6dbbba32dada345a76238b73fc3e24732 Mon Sep 17 00:00:00 2001
From: CaptainFreak <patelshoeb4@gmail.com>
Date: Mon, 1 Feb 2021 18:01:34 +0530
Subject: [PATCH 068/429] JS: add query for Express-HBS LFR

---
 .../Security/CWE-073/ExpressHbsLFR.ql         | 44 +++++++++++++++++++
 .../documentation-examples/ExpressHbsLFR.js   | 10 +++++
 .../ExpressHbsLFR_fixed.js                    | 10 +++++
 3 files changed, 64 insertions(+)
 create mode 100644 javascript/ql/test/experimental/Security/CWE-073/ExpressHbsLFR.ql
 create mode 100644 javascript/ql/test/experimental/Security/CWE-073/documentation-examples/ExpressHbsLFR.js
 create mode 100644 javascript/ql/test/experimental/Security/CWE-073/documentation-examples/ExpressHbsLFR_fixed.js

diff --git a/javascript/ql/test/experimental/Security/CWE-073/ExpressHbsLFR.ql b/javascript/ql/test/experimental/Security/CWE-073/ExpressHbsLFR.ql
new file mode 100644
index 00000000000..de66932a7af
--- /dev/null
+++ b/javascript/ql/test/experimental/Security/CWE-073/ExpressHbsLFR.ql
@@ -0,0 +1,44 @@
+/**
+ * @name Express-Hbs Local File Read and Potential RCE
+ * @description Writing user input directly to res.render of ExpressJS used with Hbs can lead to LFR
+ * @kind path-problem
+ * @problem.severity error
+ * @precision high
+ * @id js/express-hbs-lfr
+ * @tags security
+ *       external/cwe/cwe-073
+ *       external/cwe/cwe-094
+ */
+
+import javascript
+import DataFlow
+import PathGraph
+import Express
+import semmle.javascript.DynamicPropertyAccess
+
+predicate isUsingHbsEngine() {
+  exists(MethodCallExpr method |
+    method.getMethodName() = "set" and
+    Express::appCreation().flowsToExpr(method.getReceiver()) and
+    method.getArgument(1).getStringValue().matches("hbs")
+  )
+}
+
+class HbsLFRTaint extends TaintTracking::Configuration {
+  HbsLFRTaint() { this = "HbsLFRTaint" }
+
+  override predicate isSource(Node node) { node instanceof RemoteFlowSource }
+
+  override predicate isSink(Node node) {
+    exists(MethodCallExpr mc |
+      Express::isResponse(mc.getReceiver()) and
+      mc.getMethodName() = "render" and
+      node.asExpr() = mc.getArgument(1) and
+      isUsingHbsEngine()
+    )
+  }
+}
+
+from HbsLFRTaint cfg, Node source, Node sink
+where cfg.hasFlow(source, sink)
+select source, sink
diff --git a/javascript/ql/test/experimental/Security/CWE-073/documentation-examples/ExpressHbsLFR.js b/javascript/ql/test/experimental/Security/CWE-073/documentation-examples/ExpressHbsLFR.js
new file mode 100644
index 00000000000..3e0e42f33ca
--- /dev/null
+++ b/javascript/ql/test/experimental/Security/CWE-073/documentation-examples/ExpressHbsLFR.js
@@ -0,0 +1,10 @@
+var app = require('express')();
+app.set('view engine', 'hbs');
+
+app.post('/path', function(req, res) {
+    var bodyParameter = req.body.bodyParameter
+    var queryParameter = req.query.queryParameter
+    
+    res.render('template', bodyParameter)
+    res.render('template', queryParameter)
+});
\ No newline at end of file
diff --git a/javascript/ql/test/experimental/Security/CWE-073/documentation-examples/ExpressHbsLFR_fixed.js b/javascript/ql/test/experimental/Security/CWE-073/documentation-examples/ExpressHbsLFR_fixed.js
new file mode 100644
index 00000000000..54e8e865a1d
--- /dev/null
+++ b/javascript/ql/test/experimental/Security/CWE-073/documentation-examples/ExpressHbsLFR_fixed.js
@@ -0,0 +1,10 @@
+var app = require('express')();
+app.set('view engine', 'hbs');
+
+app.post('/path', function(req, res) {
+    var bodyParameter = req.body.bodyParameter
+    var queryParameter = req.query.queryParameter
+    
+    res.render('template', {bodyParameter})
+    res.render('template', {queryParameter})
+});
\ No newline at end of file

From 7d62e33feb871d005dfb938056e1d1bce6af0ff7 Mon Sep 17 00:00:00 2001
From: Tamas Vajk <tamasvajk@github.com>
Date: Mon, 1 Feb 2021 11:38:52 +0100
Subject: [PATCH 069/429] C#: Rework function pointer/delegate call DF

---
 csharp/ql/src/Dead Code/DeadStoreOfLocal.ql   |   2 +-
 .../raw/internal/desugar/Delegate.qll         |   4 +-
 .../code/csharp/dataflow/CallContext.qll      |  25 ++-
 .../dataflow/internal/DelegateDataFlow.qll    |  76 +++++--
 .../internal/FunctionPointerDataFlow.qll      | 205 ------------------
 .../code/csharp/dataflow/internal/SsaImpl.qll |   2 +-
 .../ql/src/semmle/code/csharp/exprs/Call.qll  |  78 ++++---
 .../semmle/code/csharp/metrics/Coupling.qll   |   2 +-
 .../dataflow/delegates/DelegateFlow.cs        |   4 +-
 .../dataflow/delegates/DelegateFlow.expected  |   2 +
 .../expressions/DelegateCall1.ql              |   2 +-
 .../expressions/DelegateCall2.ql              |   2 +-
 .../expressions/DelegateCall3.ql              |   2 +-
 .../library-tests/expressions/EventAccess3.ql |   2 +-
 14 files changed, 133 insertions(+), 275 deletions(-)
 delete mode 100755 csharp/ql/src/semmle/code/csharp/dataflow/internal/FunctionPointerDataFlow.qll

diff --git a/csharp/ql/src/Dead Code/DeadStoreOfLocal.ql b/csharp/ql/src/Dead Code/DeadStoreOfLocal.ql
index 2e8d1b92e02..4e214c6f6d0 100644
--- a/csharp/ql/src/Dead Code/DeadStoreOfLocal.ql	
+++ b/csharp/ql/src/Dead Code/DeadStoreOfLocal.ql	
@@ -63,7 +63,7 @@ predicate mayEscape(LocalVariable v) {
   exists(Callable c, Expr e, Expr succ | c = getACapturingCallableAncestor(v) |
     e = getADelegateExpr(c) and
     DataFlow::localExprFlow(e, succ) and
-    not succ = any(DelegateCall dc).getDelegateExpr() and
+    not succ = any(DelegateCall dc).getExpr() and
     not succ = any(Cast cast).getExpr() and
     not succ = any(Call call | nonEscapingCall(call)).getAnArgument() and
     not succ = any(AssignableDefinition ad | ad.getTarget() instanceof LocalVariable).getSource()
diff --git a/csharp/ql/src/experimental/ir/implementation/raw/internal/desugar/Delegate.qll b/csharp/ql/src/experimental/ir/implementation/raw/internal/desugar/Delegate.qll
index 939f14ba8fe..f7c80e497fa 100644
--- a/csharp/ql/src/experimental/ir/implementation/raw/internal/desugar/Delegate.qll
+++ b/csharp/ql/src/experimental/ir/implementation/raw/internal/desugar/Delegate.qll
@@ -97,9 +97,7 @@ private class TranslatedDelegateInvokeCall extends TranslatedCompilerGeneratedCa
     )
   }
 
-  override TranslatedExprBase getQualifier() {
-    result = getTranslatedExpr(generatedBy.getDelegateExpr())
-  }
+  override TranslatedExprBase getQualifier() { result = getTranslatedExpr(generatedBy.getExpr()) }
 
   override Instruction getQualifierResult() { result = getQualifier().getResult() }
 
diff --git a/csharp/ql/src/semmle/code/csharp/dataflow/CallContext.qll b/csharp/ql/src/semmle/code/csharp/dataflow/CallContext.qll
index b0a6d9d98ed..aa501a58e0d 100755
--- a/csharp/ql/src/semmle/code/csharp/dataflow/CallContext.qll
+++ b/csharp/ql/src/semmle/code/csharp/dataflow/CallContext.qll
@@ -11,7 +11,8 @@ cached
 private newtype TCallContext =
   TEmptyCallContext() or
   TArgNonDelegateCallContext(Expr arg) { exists(DispatchCall dc | arg = dc.getArgument(_)) } or
-  TArgDelegateCallContext(DelegateCall dc, int i) { exists(dc.getArgument(i)) }
+  TArgDelegateCallContext(DelegateCall dc, int i) { exists(dc.getArgument(i)) } or
+  TArgFunctionPointerCallContext(FunctionPointerCall fptrc, int i) { exists(fptrc.getArgument(i)) }
 
 /**
  * A call context.
@@ -60,12 +61,14 @@ class NonDelegateCallArgumentCallContext extends ArgumentCallContext, TArgNonDel
   override Location getLocation() { result = arg.getLocation() }
 }
 
-/** An argument of a delegate call. */
-class DelegateCallArgumentCallContext extends ArgumentCallContext, TArgDelegateCallContext {
-  DelegateCall dc;
+/** An argument of a delegate or function pointer call. */
+class DelegateLikeCallArgumentCallContext extends ArgumentCallContext {
+  DelegateLikeCall dc;
   int arg;
 
-  DelegateCallArgumentCallContext() { this = TArgDelegateCallContext(dc, arg) }
+  DelegateLikeCallArgumentCallContext() {
+    this = TArgDelegateCallContext(dc, arg) or this = TArgFunctionPointerCallContext(dc, arg)
+  }
 
   override predicate isArgument(Expr call, int i) {
     call = dc and
@@ -76,3 +79,15 @@ class DelegateCallArgumentCallContext extends ArgumentCallContext, TArgDelegateC
 
   override Location getLocation() { result = dc.getArgument(arg).getLocation() }
 }
+
+/** An argument of a delegate call. */
+class DelegateCallArgumentCallContext extends DelegateLikeCallArgumentCallContext,
+  TArgDelegateCallContext {
+  DelegateCallArgumentCallContext() { this = TArgDelegateCallContext(dc, arg) }
+}
+
+/** An argument of a function pointer call. */
+class FunctionPointerCallArgumentCallContext extends DelegateLikeCallArgumentCallContext,
+  TArgFunctionPointerCallContext {
+  FunctionPointerCallArgumentCallContext() { this = TArgFunctionPointerCallContext(dc, arg) }
+}
diff --git a/csharp/ql/src/semmle/code/csharp/dataflow/internal/DelegateDataFlow.qll b/csharp/ql/src/semmle/code/csharp/dataflow/internal/DelegateDataFlow.qll
index 0001dd357b0..af70cb19654 100755
--- a/csharp/ql/src/semmle/code/csharp/dataflow/internal/DelegateDataFlow.qll
+++ b/csharp/ql/src/semmle/code/csharp/dataflow/internal/DelegateDataFlow.qll
@@ -14,8 +14,14 @@ private import semmle.code.csharp.dataflow.FlowSummary
 private import semmle.code.csharp.dispatch.Dispatch
 private import semmle.code.csharp.frameworks.system.linq.Expressions
 
+/** A source of flow for a delegate or function pointer expression. */
+private class DelegateLikeFlowSource extends DataFlow::ExprNode {
+  /** Gets the callable that is referenced in this delegate or function pointer flow source. */
+  Callable getCallable() { none() }
+}
+
 /** A source of flow for a delegate expression. */
-private class DelegateFlowSource extends DataFlow::ExprNode {
+private class DelegateFlowSource extends DelegateLikeFlowSource {
   Callable c;
 
   DelegateFlowSource() {
@@ -27,11 +33,26 @@ private class DelegateFlowSource extends DataFlow::ExprNode {
   }
 
   /** Gets the callable that is referenced in this delegate flow source. */
-  Callable getCallable() { result = c }
+  override Callable getCallable() { result = c }
 }
 
-/** A sink of flow for a delegate expression. */
-abstract private class DelegateFlowSink extends DataFlow::Node {
+/** A source of flow for a function pointer expression. */
+private class FunctionPointerFlowSource extends DelegateLikeFlowSource {
+  Callable c;
+
+  FunctionPointerFlowSource() {
+    this.getExpr() =
+      any(Expr e |
+        c = e.(AddressOfExpr).getOperand().(CallableAccess).getTarget().getUnboundDeclaration()
+      )
+  }
+
+  /** Gets the callable that is referenced in this function pointer flow source. */
+  override Callable getCallable() { result = c }
+}
+
+/** A sink of flow for a delegate or function pointer expression. */
+abstract private class DelegateLikeFlowSink extends DataFlow::Node {
   /**
    * Gets an actual run-time target of this delegate call in the given call
    * context, if any. The call context records the *last* call required to
@@ -85,25 +106,41 @@ abstract private class DelegateFlowSink extends DataFlow::Node {
    */
   cached
   Callable getARuntimeTarget(CallContext context) {
-    exists(DelegateFlowSource dfs |
+    exists(DelegateLikeFlowSource dfs |
       flowsFrom(this, dfs, _, context) and
       result = dfs.getCallable()
     )
   }
 }
 
+/** A delegate or function pointer call expression. */
+class DelegateLikeCallExpr extends DelegateLikeFlowSink, DataFlow::ExprNode {
+  /** Gets the delegate or function pointer call that this expression belongs to. */
+  DelegateLikeCall getCall() { none() }
+}
+
 /** A delegate call expression. */
-class DelegateCallExpr extends DelegateFlowSink, DataFlow::ExprNode {
+class DelegateCallExpr extends DelegateLikeCallExpr {
   DelegateCall dc;
 
-  DelegateCallExpr() { this.getExpr() = dc.getDelegateExpr() }
+  DelegateCallExpr() { this.getExpr() = dc.getExpr() }
 
   /** Gets the delegate call that this expression belongs to. */
-  DelegateCall getDelegateCall() { result = dc }
+  override DelegateCall getCall() { result = dc }
+}
+
+/** A function pointer call expression. */
+class FunctionPointerCallExpr extends DelegateLikeCallExpr {
+  FunctionPointerCall fptrc;
+
+  FunctionPointerCallExpr() { this.getExpr() = fptrc.getExpr() }
+
+  /** Gets the function pointer call that this expression belongs to. */
+  override FunctionPointerCall getCall() { result = fptrc }
 }
 
 /** A parameter of delegate type belonging to a callable with a flow summary. */
-class SummaryDelegateParameterSink extends DelegateFlowSink, ParameterNode {
+class SummaryDelegateParameterSink extends DelegateLikeFlowSink, ParameterNode {
   SummaryDelegateParameterSink() {
     this.getType() instanceof SystemLinqExpressions::DelegateExtType and
     this.isParameterOf(any(SummarizedCallable c), _)
@@ -111,7 +148,7 @@ class SummaryDelegateParameterSink extends DelegateFlowSink, ParameterNode {
 }
 
 /** A delegate expression that is added to an event. */
-class AddEventSource extends DelegateFlowSink, DataFlow::ExprNode {
+class AddEventSource extends DelegateLikeFlowSink, DataFlow::ExprNode {
   AddEventExpr ae;
 
   AddEventSource() { this.getExpr() = ae.getRValue() }
@@ -150,7 +187,7 @@ private class NormalReturnNode extends Node {
  * records the last call on the path from `node` to `sink`, if any.
  */
 private predicate flowsFrom(
-  DelegateFlowSink sink, DataFlow::Node node, boolean isReturned, CallContext lastCall
+  DelegateLikeFlowSink sink, DataFlow::Node node, boolean isReturned, CallContext lastCall
 ) {
   // Base case
   sink = node and
@@ -188,7 +225,8 @@ private predicate flowsFrom(
   or
   // Flow into a callable (delegate call)
   exists(
-    ParameterNode mid, CallContext prevLastCall, DelegateCall call, Callable c, Parameter p, int i
+    ParameterNode mid, CallContext prevLastCall, DelegateLikeCall call, Callable c, Parameter p,
+    int i
   |
     flowsFrom(sink, mid, isReturned, prevLastCall) and
     isReturned = false and
@@ -238,14 +276,14 @@ private predicate flowIntoNonDelegateCall(NonDelegateCall call, Expr arg, DotNet
 }
 
 pragma[noinline]
-private predicate flowIntoDelegateCall(DelegateCall call, Callable c, Expr arg, int i) {
-  exists(DelegateFlowSource dfs, DelegateCallExpr dce |
+private predicate flowIntoDelegateCall(DelegateLikeCall call, Callable c, Expr arg, int i) {
+  exists(DelegateLikeFlowSource dfs, DelegateLikeCallExpr dce |
     // the call context is irrelevant because the delegate call
     // itself will be the context
     flowsFrom(dce, dfs, _, _) and
     arg = call.getArgument(i) and
     c = dfs.getCallable() and
-    call = dce.getDelegateCall()
+    call = dce.getCall()
   )
 }
 
@@ -255,11 +293,13 @@ private predicate flowOutOfNonDelegateCall(NonDelegateCall call, NormalReturnNod
 }
 
 pragma[noinline]
-private predicate flowOutOfDelegateCall(DelegateCall dc, NormalReturnNode ret, CallContext lastCall) {
-  exists(DelegateFlowSource dfs, DelegateCallExpr dce, Callable c |
+private predicate flowOutOfDelegateCall(
+  DelegateLikeCall dc, NormalReturnNode ret, CallContext lastCall
+) {
+  exists(DelegateLikeFlowSource dfs, DelegateLikeCallExpr dce, Callable c |
     flowsFrom(dce, dfs, _, lastCall) and
     ret.getEnclosingCallable() = c and
     c = dfs.getCallable() and
-    dc = dce.getDelegateCall()
+    dc = dce.getCall()
   )
 }
diff --git a/csharp/ql/src/semmle/code/csharp/dataflow/internal/FunctionPointerDataFlow.qll b/csharp/ql/src/semmle/code/csharp/dataflow/internal/FunctionPointerDataFlow.qll
deleted file mode 100755
index 495beb93a22..00000000000
--- a/csharp/ql/src/semmle/code/csharp/dataflow/internal/FunctionPointerDataFlow.qll
+++ /dev/null
@@ -1,205 +0,0 @@
-/**
- * INTERNAL: Do not use.
- *
- * Provides classes for resolving function pointer calls.
- */
-
-import csharp
-private import dotnet
-private import semmle.code.csharp.dataflow.CallContext
-private import semmle.code.csharp.dataflow.internal.DataFlowDispatch
-private import semmle.code.csharp.dataflow.internal.DataFlowPrivate
-private import semmle.code.csharp.dataflow.internal.DataFlowPublic
-private import semmle.code.csharp.dataflow.FlowSummary
-private import semmle.code.csharp.dispatch.Dispatch
-private import semmle.code.csharp.frameworks.system.linq.Expressions
-
-/** A source of flow for a function pointer expression. */
-private class FunctionPointerFlowSource extends DataFlow::ExprNode {
-  Callable c;
-
-  FunctionPointerFlowSource() {
-    this.getExpr() =
-      any(Expr e |
-        c = e.(AddressOfExpr).getOperand().(CallableAccess).getTarget().getUnboundDeclaration()
-      )
-  }
-
-  /** Gets the callable that is referenced in this function pointer flow source. */
-  Callable getCallable() { result = c }
-}
-
-/** A sink of flow for a function pointer expression. */
-abstract private class FunctionPointerFlowSink extends DataFlow::Node {
-  /**
-   * Gets an actual run-time target of this function pointer call in the given call
-   * context, if any. The call context records the *last* call required to
-   * resolve the target, if any.
-   *
-   * See examples in `DelegateFlowSink`.
-   */
-  cached
-  Callable getARuntimeTarget(CallContext context) {
-    exists(FunctionPointerFlowSource fptrfs |
-      flowsFrom(this, fptrfs, _, context) and
-      result = fptrfs.getCallable()
-    )
-  }
-}
-
-/** A function pointer call expression. */
-class FunctionPointerCallExpr extends FunctionPointerFlowSink, DataFlow::ExprNode {
-  FunctionPointerCall fptrc;
-
-  FunctionPointerCallExpr() { this.getExpr() = fptrc.getFunctionPointerExpr() }
-
-  /** Gets the function pointer call that this expression belongs to. */
-  FunctionPointerCall getFunctionPointerCall() { result = fptrc }
-}
-
-/** A non-function pointer call. */
-private class NonFunctionPointerCall extends Expr {
-  private DispatchCall dc;
-
-  NonFunctionPointerCall() { this = dc.getCall() }
-
-  /**
-   * Gets a run-time target of this call. A target is always a source
-   * declaration, and if the callable has both CIL and source code, only
-   * the source code version is returned.
-   */
-  Callable getARuntimeTarget() { result = getCallableForDataFlow(dc.getADynamicTarget()) }
-
-  /** Gets the `i`th argument of this call. */
-  Expr getArgument(int i) { result = dc.getArgument(i) }
-}
-
-private class NormalReturnNode extends Node {
-  NormalReturnNode() { this.(ReturnNode).getKind() instanceof NormalReturnKind }
-}
-
-/**
- * Holds if data can flow (inter-procedurally) to function pointer `sink` from
- * `node`. This predicate searches backwards from `sink` to `node`.
- *
- * The parameter `isReturned` indicates whether the path from `sink` to
- * `node` goes through a returned expression. The call context `lastCall`
- * records the last call on the path from `node` to `sink`, if any.
- */
-private predicate flowsFrom(
-  FunctionPointerFlowSink sink, DataFlow::Node node, boolean isReturned, CallContext lastCall
-) {
-  // Base case
-  sink = node and
-  isReturned = false and
-  lastCall instanceof EmptyCallContext
-  or
-  // Local flow
-  exists(DataFlow::Node mid | flowsFrom(sink, mid, isReturned, lastCall) |
-    LocalFlow::localFlowStepCommon(node, mid)
-    or
-    exists(Ssa::Definition def |
-      LocalFlow::localSsaFlowStep(def, node, mid) and
-      LocalFlow::usesInstanceField(def)
-    )
-  )
-  or
-  // Flow through static field or property
-  exists(DataFlow::Node mid |
-    flowsFrom(sink, mid, _, _) and
-    jumpStep(node, mid) and
-    isReturned = false and
-    lastCall instanceof EmptyCallContext
-  )
-  or
-  // Flow into a callable (non-function pointer call)
-  exists(ParameterNode mid, CallContext prevLastCall, NonFunctionPointerCall call, Parameter p |
-    flowsFrom(sink, mid, isReturned, prevLastCall) and
-    isReturned = false and
-    p = mid.getParameter() and
-    flowIntoNonFunctionPointerCall(call, node.asExpr(), p) and
-    lastCall = getLastCall(prevLastCall, call, p.getPosition())
-  )
-  or
-  // Flow into a callable (function pointer call)
-  exists(
-    ParameterNode mid, CallContext prevLastCall, FunctionPointerCall call, Callable c, Parameter p,
-    int i
-  |
-    flowsFrom(sink, mid, isReturned, prevLastCall) and
-    isReturned = false and
-    flowIntoFunctionPointerCall(call, c, node.asExpr(), i) and
-    c.getParameter(i) = p and
-    p = mid.getParameter() and
-    lastCall = getLastCall(prevLastCall, call, i)
-  )
-  or
-  // Flow out of a callable (non-function pointer call).
-  exists(DataFlow::ExprNode mid |
-    flowsFrom(sink, mid, _, lastCall) and
-    isReturned = true and
-    flowOutOfNonFunctionPointerCall(mid.getExpr(), node)
-  )
-  or
-  // Flow out of a callable (function pointer call).
-  exists(DataFlow::ExprNode mid |
-    flowsFrom(sink, mid, _, _) and
-    isReturned = true and
-    flowOutOfFunctionPointerCall(mid.getExpr(), node, lastCall)
-  )
-}
-
-/**
- * Gets the last call when tracking flow into `call`. The context
- * `prevLastCall` is the previous last call, so the result is the
- * previous call if it exists, otherwise `call` is the last call.
- */
-bindingset[call, i]
-private CallContext getLastCall(CallContext prevLastCall, Expr call, int i) {
-  prevLastCall instanceof EmptyCallContext and
-  result.(ArgumentCallContext).isArgument(call, i)
-  or
-  prevLastCall instanceof ArgumentCallContext and
-  result = prevLastCall
-}
-
-pragma[noinline]
-private predicate flowIntoNonFunctionPointerCall(
-  NonFunctionPointerCall call, Expr arg, DotNet::Parameter p
-) {
-  exists(DotNet::Callable callable, int i |
-    callable = call.getARuntimeTarget() and
-    p = callable.getAParameter() and
-    arg = call.getArgument(i) and
-    i = p.getPosition()
-  )
-}
-
-pragma[noinline]
-private predicate flowIntoFunctionPointerCall(FunctionPointerCall call, Callable c, Expr arg, int i) {
-  exists(FunctionPointerFlowSource fptrfs, FunctionPointerCallExpr fptrce |
-    // the call context is irrelevant because the function pointer call
-    // itself will be the context
-    flowsFrom(fptrce, fptrfs, _, _) and
-    arg = call.getArgument(i) and
-    c = fptrfs.getCallable() and
-    call = fptrce.getFunctionPointerCall()
-  )
-}
-
-pragma[noinline]
-private predicate flowOutOfNonFunctionPointerCall(NonFunctionPointerCall call, NormalReturnNode ret) {
-  call.getARuntimeTarget() = ret.getEnclosingCallable()
-}
-
-pragma[noinline]
-private predicate flowOutOfFunctionPointerCall(
-  FunctionPointerCall call, NormalReturnNode ret, CallContext lastCall
-) {
-  exists(FunctionPointerFlowSource fptrfs, FunctionPointerCallExpr fptrce, Callable c |
-    flowsFrom(fptrce, fptrfs, _, lastCall) and
-    ret.getEnclosingCallable() = c and
-    c = fptrfs.getCallable() and
-    call = fptrce.getFunctionPointerCall()
-  )
-}
diff --git a/csharp/ql/src/semmle/code/csharp/dataflow/internal/SsaImpl.qll b/csharp/ql/src/semmle/code/csharp/dataflow/internal/SsaImpl.qll
index 3014e33a63b..b29f12e279b 100644
--- a/csharp/ql/src/semmle/code/csharp/dataflow/internal/SsaImpl.qll
+++ b/csharp/ql/src/semmle/code/csharp/dataflow/internal/SsaImpl.qll
@@ -245,7 +245,7 @@ private module CallGraph {
      * a library callable and `e` is a delegate argument.
      */
     private predicate delegateCall(Call c, Expr e, boolean libraryDelegateCall) {
-      c = any(DelegateCall dc | e = dc.getDelegateExpr()) and
+      c = any(DelegateCall dc | e = dc.getExpr()) and
       libraryDelegateCall = false
       or
       c.getTarget().fromLibrary() and
diff --git a/csharp/ql/src/semmle/code/csharp/exprs/Call.qll b/csharp/ql/src/semmle/code/csharp/exprs/Call.qll
index eb04d14d015..941873d9afd 100644
--- a/csharp/ql/src/semmle/code/csharp/exprs/Call.qll
+++ b/csharp/ql/src/semmle/code/csharp/exprs/Call.qll
@@ -8,7 +8,6 @@ import Expr
 import semmle.code.csharp.Callable
 import semmle.code.csharp.dataflow.CallContext as CallContext
 private import semmle.code.csharp.dataflow.internal.DelegateDataFlow
-private import semmle.code.csharp.dataflow.internal.FunctionPointerDataFlow
 private import semmle.code.csharp.dispatch.Dispatch
 private import dotnet
 
@@ -528,6 +527,39 @@ class MutatorOperatorCall extends OperatorCall {
   predicate isPostfix() { mutator_invocation_mode(this, 2) }
 }
 
+/**
+ * A function pointer or delegate call.
+ */
+abstract class DelegateLikeCall extends Call {
+  override Callable getTarget() { none() }
+
+  /**
+   * Gets a potential run-time target of this delegate or function pointer call in the given
+   * call context `cc`.
+   */
+  Callable getARuntimeTarget(CallContext::CallContext cc) { none() }
+
+  /**
+   * Gets the delegate or function pointer expression of this call. For example, the
+   * delegate expression of `X()` on line 5 is the access to the field `X` in
+   *
+   * ```csharp
+   * class A {
+   *   Action X = () => { };
+   *
+   *   void CallX() {
+   *     X();
+   *   }
+   * }
+   * ```
+   */
+  Expr getExpr() { result = this.getChild(-1) }
+
+  override Callable getARuntimeTarget() { result = getARuntimeTarget(_) }
+
+  override Expr getRuntimeArgument(int i) { result = getArgument(i) }
+}
+
 /**
  * A delegate call, for example `x()` on line 5 in
  *
@@ -541,16 +573,14 @@ class MutatorOperatorCall extends OperatorCall {
  * }
  * ```
  */
-class DelegateCall extends Call, @delegate_invocation_expr {
-  override Callable getTarget() { none() }
-
+class DelegateCall extends DelegateLikeCall, @delegate_invocation_expr {
   /**
    * Gets a potential run-time target of this delegate call in the given
    * call context `cc`.
    */
-  Callable getARuntimeTarget(CallContext::CallContext cc) {
+  override Callable getARuntimeTarget(CallContext::CallContext cc) {
     exists(DelegateCallExpr call |
-      this = call.getDelegateCall() and
+      this = call.getCall() and
       result = call.getARuntimeTarget(cc)
     )
     or
@@ -568,7 +598,7 @@ class DelegateCall extends Call, @delegate_invocation_expr {
   }
 
   private AddEventSource getAnAddEventSource(Callable enclosingCallable) {
-    this.getDelegateExpr().(EventAccess).getTarget() = result.getEvent() and
+    this.getExpr().(EventAccess).getTarget() = result.getEvent() and
     enclosingCallable = result.getExpr().getEnclosingCallable()
   }
 
@@ -580,25 +610,12 @@ class DelegateCall extends Call, @delegate_invocation_expr {
     exists(Callable c | result = getAnAddEventSource(c) | c != this.getEnclosingCallable())
   }
 
-  override Callable getARuntimeTarget() { result = getARuntimeTarget(_) }
-
-  override Expr getRuntimeArgument(int i) { result = getArgument(i) }
-
   /**
-   * Gets the delegate expression of this delegate call. For example, the
-   * delegate expression of `X()` on line 5 is the access to the field `X` in
+   * DEPRECATED: use `getExpr` instead.
    *
-   * ```csharp
-   * class A {
-   *   Action X = () => { };
-   *
-   *   void CallX() {
-   *     X();
-   *   }
-   * }
-   * ```
+   * Gets the delegate expression of this call.
    */
-  Expr getDelegateExpr() { result = this.getChild(-1) }
+  deprecated Expr getDelegateExpr() { result = this.getExpr() }
 
   override string toString() { result = "delegate call" }
 
@@ -616,27 +633,18 @@ class DelegateCall extends Call, @delegate_invocation_expr {
  * }
  * ```
  */
-class FunctionPointerCall extends Call, @function_pointer_invocation_expr {
-  override Callable getTarget() { none() }
-
+class FunctionPointerCall extends DelegateLikeCall, @function_pointer_invocation_expr {
   /**
    * Gets a potential run-time target of this function pointer call in the given
    * call context `cc`.
    */
-  Callable getARuntimeTarget(CallContext::CallContext cc) {
+  override Callable getARuntimeTarget(CallContext::CallContext cc) {
     exists(FunctionPointerCallExpr call |
-      this = call.getFunctionPointerCall() and
+      this = call.getCall() and
       result = call.getARuntimeTarget(cc)
     )
   }
 
-  override Callable getARuntimeTarget() { result = getARuntimeTarget(_) }
-
-  override Expr getRuntimeArgument(int i) { result = getArgument(i) }
-
-  /** Gets the function pointer expression of this call. */
-  Expr getFunctionPointerExpr() { result = this.getChild(-1) }
-
   override string toString() { result = "function pointer call" }
 
   override string getAPrimaryQlClass() { result = "FunctionPointerCall" }
diff --git a/csharp/ql/src/semmle/code/csharp/metrics/Coupling.qll b/csharp/ql/src/semmle/code/csharp/metrics/Coupling.qll
index 272b56093f6..0da867e116a 100644
--- a/csharp/ql/src/semmle/code/csharp/metrics/Coupling.qll
+++ b/csharp/ql/src/semmle/code/csharp/metrics/Coupling.qll
@@ -78,7 +78,7 @@ predicate depends(ValueOrRefType t, ValueOrRefType u) {
     or
     exists(DelegateCall dc, DelegateType dt |
       dc.getEnclosingCallable().getDeclaringType() = t and
-      dc.getDelegateExpr().getType() = dt and
+      dc.getExpr().getType() = dt and
       usesType(dt.getUnboundDeclaration(), u)
     )
     or
diff --git a/csharp/ql/test/library-tests/dataflow/delegates/DelegateFlow.cs b/csharp/ql/test/library-tests/dataflow/delegates/DelegateFlow.cs
index 68a91d02698..59c1c924a80 100644
--- a/csharp/ql/test/library-tests/dataflow/delegates/DelegateFlow.cs
+++ b/csharp/ql/test/library-tests/dataflow/delegates/DelegateFlow.cs
@@ -116,12 +116,12 @@ class DelegateFlow
 
     public unsafe void M17()
     {
-        M16(&M2, (i) => {});    // MISSING: a(0) in M2 is calling this lambda
+        M16(&M2, (i) => { });
     }
 
     public unsafe void M18()
     {
         delegate*<Action<int>, void> fnptr = &M2;
-        fnptr((i) => {});       // MISSING: a(0) in M2 is calling this lambda
+        fnptr((i) => { });
     }
 }
diff --git a/csharp/ql/test/library-tests/dataflow/delegates/DelegateFlow.expected b/csharp/ql/test/library-tests/dataflow/delegates/DelegateFlow.expected
index 9b572b699d0..80ae0d0fe89 100644
--- a/csharp/ql/test/library-tests/dataflow/delegates/DelegateFlow.expected
+++ b/csharp/ql/test/library-tests/dataflow/delegates/DelegateFlow.expected
@@ -7,6 +7,8 @@ delegateCall
 | DelegateFlow.cs:9:9:9:12 | delegate call | DelegateFlow.cs:16:12:16:19 | (...) => ... | DelegateFlow.cs:16:12:16:19 | (...) => ... |
 | DelegateFlow.cs:9:9:9:12 | delegate call | DelegateFlow.cs:27:12:27:19 | (...) => ... | DelegateFlow.cs:22:12:22:12 | access to parameter a |
 | DelegateFlow.cs:9:9:9:12 | delegate call | DelegateFlow.cs:98:9:98:37 | LocalFunction | DelegateFlow.cs:99:12:99:24 | delegate creation of type Action<Int32> |
+| DelegateFlow.cs:9:9:9:12 | delegate call | DelegateFlow.cs:119:18:119:27 | (...) => ... | DelegateFlow.cs:114:15:114:15 | access to parameter a |
+| DelegateFlow.cs:9:9:9:12 | delegate call | DelegateFlow.cs:125:15:125:24 | (...) => ... | DelegateFlow.cs:125:15:125:24 | (...) => ... |
 | DelegateFlow.cs:11:9:11:12 | delegate call | DelegateFlow.cs:10:13:10:20 | (...) => ... | file://:0:0:0:0 | <empty> |
 | DelegateFlow.cs:33:9:33:13 | delegate call | DelegateFlow.cs:38:12:38:25 | (...) => ... | DelegateFlow.cs:38:12:38:25 | (...) => ... |
 | DelegateFlow.cs:38:19:38:22 | delegate call | DelegateFlow.cs:5:10:5:11 | M1 | DelegateFlow.cs:33:12:33:12 | access to parameter a |
diff --git a/csharp/ql/test/library-tests/expressions/DelegateCall1.ql b/csharp/ql/test/library-tests/expressions/DelegateCall1.ql
index 430d2fdc43a..8d8f818a9e6 100644
--- a/csharp/ql/test/library-tests/expressions/DelegateCall1.ql
+++ b/csharp/ql/test/library-tests/expressions/DelegateCall1.ql
@@ -9,7 +9,7 @@ where
   m.hasName("MainDelegateAndMethodAccesses") and
   e.getEnclosingCallable() = m and
   e.getNumberOfArguments() = 1 and
-  e.getDelegateExpr() = a and
+  e.getExpr() = a and
   a.getTarget().hasName("cd1") and
   e.getArgument(0).getValue() = "-40"
 select m, e, a
diff --git a/csharp/ql/test/library-tests/expressions/DelegateCall2.ql b/csharp/ql/test/library-tests/expressions/DelegateCall2.ql
index 4fb915f3086..fee6f1c703a 100644
--- a/csharp/ql/test/library-tests/expressions/DelegateCall2.ql
+++ b/csharp/ql/test/library-tests/expressions/DelegateCall2.ql
@@ -9,7 +9,7 @@ where
   m.hasName("MainDelegateAndMethodAccesses") and
   e.getEnclosingCallable() = m and
   e.getNumberOfArguments() = 1 and
-  e.getDelegateExpr() = a and
+  e.getExpr() = a and
   a.getTarget().hasName("cd7") and
   e.getArgument(0).(AddExpr).getRightOperand().(LocalVariableAccess).getTarget().hasName("x")
 select m, e, a
diff --git a/csharp/ql/test/library-tests/expressions/DelegateCall3.ql b/csharp/ql/test/library-tests/expressions/DelegateCall3.ql
index 5702cad683a..b68b35dde45 100644
--- a/csharp/ql/test/library-tests/expressions/DelegateCall3.ql
+++ b/csharp/ql/test/library-tests/expressions/DelegateCall3.ql
@@ -8,7 +8,7 @@ from Method m, DelegateCall e, LocalVariableAccess a
 where
   m.hasName("MainDelegateAndMethodAccesses") and
   e.getEnclosingCallable() = m and
-  e.getDelegateExpr() = a and
+  e.getExpr() = a and
   a.getTarget().hasName("cd7") and
   a.getTarget().getType().(DelegateType).hasQualifiedName("Expressions.D")
 select m, e, a
diff --git a/csharp/ql/test/library-tests/expressions/EventAccess3.ql b/csharp/ql/test/library-tests/expressions/EventAccess3.ql
index 741f973b221..56d5cb1beb9 100644
--- a/csharp/ql/test/library-tests/expressions/EventAccess3.ql
+++ b/csharp/ql/test/library-tests/expressions/EventAccess3.ql
@@ -11,7 +11,7 @@ where
   e.getTarget().getName() = "Click" and
   e.getTarget().getDeclaringType() = m.getDeclaringType() and
   d.getEnclosingCallable() = m and
-  d.getDelegateExpr() = e and
+  d.getExpr() = e and
   d.getArgument(0) instanceof ThisAccess and
   d.getArgument(1).(ParameterAccess).getTarget().hasName("e")
 select m, d, e

From b8194bd1f806dc43e459d073690ead4d9cda2fa1 Mon Sep 17 00:00:00 2001
From: Taus Brock-Nannestad <tausbn@github.com>
Date: Mon, 1 Feb 2021 14:38:59 +0100
Subject: [PATCH 070/429] Python: Add support for API graphs

Currently only supports the "use" side of things.

For the most part, this follows the corresponding implementation for
JavaScript. Major differences include:

- No `MkImportUse` nodes -- we just move directly from
  `MkModuleImport` to its uses.

- Paths are no longer labelled by s-expressions, but rather by a
string that mirrors how you would access it in QL. This makes it very
easy to see how to access an API component -- simply look at its
`toString`!

This PR also extends `LocalSourceNode` to support looking up attribute
references and invocations of such nodes. This was again based on the
JavaScript equivalent (though without specific classes for
`InvokeNode` and the like, it's a bit more awkward to use).
---
 python/ql/src/semmle/python/ApiGraphs.qll     | 343 ++++++++++++++++++
 .../dataflow/new/internal/DataFlowPublic.qll  |  82 ++++-
 2 files changed, 424 insertions(+), 1 deletion(-)
 create mode 100644 python/ql/src/semmle/python/ApiGraphs.qll

diff --git a/python/ql/src/semmle/python/ApiGraphs.qll b/python/ql/src/semmle/python/ApiGraphs.qll
new file mode 100644
index 00000000000..fbee343b623
--- /dev/null
+++ b/python/ql/src/semmle/python/ApiGraphs.qll
@@ -0,0 +1,343 @@
+import python
+import semmle.python.dataflow.new.DataFlow
+
+module API {
+  class Node extends Impl::TApiNode {
+    /**
+     * Gets a data-flow node corresponding to a use of the API component represented by this node.
+     *
+     * For example, `import re; re.escape` is a use of the `escape` function from the
+     * `re` module, and `import re; re.escape("hello")` is a use of the return of that function.
+     *
+     * This includes indirect uses found via data flow, meaning that in
+     * ```python
+     * def f(x):
+     *     pass
+     *
+     * f(obj.foo)
+     * ```
+     * both `obj.foo` and `x` are uses of the `foo` member from `obj`.
+     */
+    DataFlow::Node getAUse() {
+      exists(DataFlow::LocalSourceNode src | Impl::use(this, src) |
+        Impl::trackUseNode(src).flowsTo(result)
+      )
+    }
+
+    /**
+     * Gets an immediate use of the API component represented by this node.
+     *
+     * For example, `import re; re.escape` is a an immediate use of the `escape` member
+     * from the `re` module.
+     *
+     * Unlike `getAUse()`, this predicate only gets the immediate references, not the indirect uses
+     * found via data flow. This means that in `x = re.escape` only `re.escape` is a reference
+     * to the `escape` member of `re`, neither `x` nor any node that `x` flows to is a reference to
+     * this API component.
+     */
+    DataFlow::LocalSourceNode getAnImmediateUse() { Impl::use(this, result) }
+
+    /**
+     * Gets a call to the function represented by this API component.
+     */
+    DataFlow::Node getACall() { result = getReturn().getAnImmediateUse() }
+
+    /**
+     * Gets a node representing member `m` of this API component.
+     *
+     * For example, modules have an `exports` member representing their exports, and objects have
+     * their properties as members.
+     */
+    bindingset[m]
+    bindingset[result]
+    Node getMember(string m) { result = getASuccessor(Label::member(m)) }
+
+    /**
+     * Gets a node representing a member of this API component where the name of the member is
+     * not known statically.
+     */
+    Node getUnknownMember() { result = getASuccessor(Label::unknownMember()) }
+
+    /**
+     * Gets a node representing a member of this API component where the name of the member may
+     * or may not be known statically.
+     */
+    Node getAMember() {
+      result = getASuccessor(Label::member(_)) or
+      result = getUnknownMember()
+    }
+
+    /**
+     * Gets a node representing the result of the function represented by this node.
+     *
+     * This predicate may have multiple results when there are multiple invocations of this API component.
+     * Consider using `getACall()` if there is a need to distingiush between individual calls.
+     */
+    Node getReturn() { result = getASuccessor(Label::return()) }
+
+    /**
+     * Gets a string representation of the lexicographically least among all shortest access paths
+     * from the root to this node.
+     */
+    string getPath() { result = min(string p | p = getAPath(Impl::distanceFromRoot(this)) | p) }
+
+    /**
+     * Gets a node such that there is an edge in the API graph between this node and the other
+     * one, and that edge is labeled with `lbl`.
+     */
+    Node getASuccessor(string lbl) { Impl::edge(this, lbl, result) }
+
+    /**
+     * Gets a node such that there is an edge in the API graph between that other node and
+     * this one, and that edge is labeled with `lbl`
+     */
+    Node getAPredecessor(string lbl) { this = result.getASuccessor(lbl) }
+
+    /**
+     * Gets a node such that there is an edge in the API graph between this node and the other
+     * one.
+     */
+    Node getAPredecessor() { result = getAPredecessor(_) }
+
+    /**
+     * Gets a node such that there is an edge in the API graph between that other node and
+     * this one.
+     */
+    Node getASuccessor() { result = getASuccessor(_) }
+
+    /**
+     * Gets the data-flow node that gives rise to this node, if any.
+     */
+    DataFlow::Node getInducingNode() { this = Impl::MkUse(result) }
+
+    /**
+     * Holds if this node is located in file `path` between line `startline`, column `startcol`,
+     * and line `endline`, column `endcol`.
+     *
+     * For nodes that do not have a meaningful location, `path` is the empty string and all other
+     * parameters are zero.
+     */
+    predicate hasLocationInfo(string path, int startline, int startcol, int endline, int endcol) {
+      getInducingNode().hasLocationInfo(path, startline, startcol, endline, endcol)
+      or
+      not exists(getInducingNode()) and
+      path = "" and
+      startline = 0 and
+      startcol = 0 and
+      endline = 0 and
+      endcol = 0
+    }
+
+    /**
+     * Gets a textual representation of this node.
+     */
+    string toString() {
+      none() // defined in subclasses
+    }
+
+    /**
+     * Gets a path of the given `length` from the root to this node.
+     */
+    private string getAPath(int length) {
+      this instanceof Impl::MkRoot and
+      length = 0 and
+      result = ""
+      or
+      exists(Node pred, string lbl, string predpath |
+        Impl::edge(pred, lbl, this) and
+        lbl != "" and
+        predpath = pred.getAPath(length - 1) and
+        exists(string dot | if length = 1 then dot = "" else dot = "." |
+          result = predpath + dot + lbl and
+          // avoid producing strings longer than 1MB
+          result.length() < 1000 * 1000
+        )
+      ) and
+      length in [1 .. Impl::distanceFromRoot(this)]
+    }
+
+    /** Gets the shortest distance from the root to this node in the API graph. */
+    int getDepth() { result = Impl::distanceFromRoot(this) }
+  }
+
+  /** The root node of an API graph. */
+  class Root extends Node, Impl::MkRoot {
+    override string toString() { result = "root" }
+  }
+
+  /** A node corresponding to the use of an API component. */
+  class Use extends Node, Impl::TUse {
+    override string toString() {
+      exists(string type |
+        this = Impl::MkUse(_) and type = "Use "
+        or
+        this = Impl::MkModuleImport(_) and type = "ModuleImport "
+      |
+        result = type + getPath()
+        or
+        not exists(this.getPath()) and result = type + "with no path"
+      )
+    }
+  }
+
+  /** Gets the root node. */
+  Root root() { any() }
+
+  /** Gets a node corresponding to an import of module `m`. */
+  Node moduleImport(string m) { result = Impl::MkModuleImport(m) }
+
+  /**
+   * Provides the actual implementation of API graphs, cached for performance.
+   *
+   * Ideally, we'd like nodes to correspond to (global) access paths, with edge labels
+   * corresponding to extending the access path by one element. We also want to be able to map
+   * nodes to their definitions and uses in the data-flow graph, and this should happen modulo
+   * (inter-procedural) data flow.
+   *
+   * This, however, is not easy to implement, since access paths can have unbounded length
+   * and we need some way of recognizing cycles to avoid non-termination. Unfortunately, expressing
+   * a condition like "this node hasn't been involved in constructing any predecessor of
+   * this node in the API graph" without negative recursion is tricky.
+   *
+   * So instead most nodes are directly associated with a data-flow node, representing
+   * either a use or a definition of an API component. This ensures that we only have a finite
+   * number of nodes. However, we can now have multiple nodes with the same access
+   * path, which are essentially indistinguishable for a client of the API.
+   *
+   * On the other hand, a single node can have multiple access paths (which is, of
+   * course, unavoidable). We pick as canonical the alphabetically least access path with
+   * shortest length.
+   */
+  cached
+  private module Impl {
+    cached
+    newtype TApiNode =
+      /** The root of the API graph. */
+      MkRoot() or
+      /** An abstract representative for imports of the module called `name`. */
+      MkModuleImport(string name) { imports(_, name) } or
+      /** A use of an API member at the node `nd`. */
+      MkUse(DataFlow::Node nd) { use(_, _, nd) }
+
+    class TUse = MkModuleImport or MkUse;
+
+    /** Holds if `imp` is an import of a module named `name` */
+    private predicate imports(DataFlow::Node imp, string name) { imp = DataFlow::importNode(name) }
+
+    /**
+     * Holds if `ref` is a use of a node that should have an incoming edge from `base` labeled
+     * `lbl` in the API graph.
+     */
+    cached
+    predicate use(TApiNode base, string lbl, DataFlow::Node ref) {
+      exists(DataFlow::LocalSourceNode src, DataFlow::LocalSourceNode pred |
+        use(base, src) and pred = trackUseNode(src)
+      |
+        lbl = Label::memberFromRef(ref) and
+        ref = pred.getAnAttributeRead()
+        or
+        lbl = Label::return() and
+        ref = pred.getAnInvocation()
+      )
+    }
+
+    /**
+     * Holds if `ref` is a use of node `nd`.
+     */
+    cached
+    predicate use(TApiNode nd, DataFlow::Node ref) {
+      exists(string name |
+        nd = MkModuleImport(name) and
+        ref = DataFlow::importNode(name)
+      )
+      or
+      nd = MkUse(ref)
+    }
+
+    /**
+     * Gets a data-flow node to which `nd`, which is a use of an API-graph node, flows.
+     *
+     * The flow from `nd` to that node may be inter-procedural.
+     */
+    private DataFlow::LocalSourceNode trackUseNode(
+      DataFlow::LocalSourceNode src, DataFlow::TypeTracker t
+    ) {
+      t.start() and
+      use(_, src) and
+      result = src
+      or
+      // Due to bad performance when using `trackUseNode(t2, attr_name).track(t2, t)`
+      // we have inlined that code and forced a join
+      exists(DataFlow::StepSummary summary |
+        t = trackUseNode_first_join(src, result, summary).append(summary)
+      )
+    }
+
+    pragma[nomagic]
+    private DataFlow::TypeTracker trackUseNode_first_join(
+      DataFlow::LocalSourceNode src, DataFlow::LocalSourceNode res, DataFlow::StepSummary summary
+    ) {
+      DataFlow::StepSummary::step(trackUseNode(src, result), res, summary)
+    }
+
+    cached
+    DataFlow::LocalSourceNode trackUseNode(DataFlow::LocalSourceNode src) {
+      result = trackUseNode(src, DataFlow::TypeTracker::end())
+    }
+
+    /**
+     * Holds if there is an edge from `pred` to `succ` in the API graph that is labeled with `lbl`.
+     */
+    cached
+    predicate edge(Node pred, string lbl, Node succ) {
+      /* There's an edge from the root node for each imported module. */
+      exists(string m |
+        pred = MkRoot() and
+        lbl = Label::mod(m)
+      |
+        succ = MkModuleImport(m)
+      )
+      or
+      /* Every node that is a use of an API component is itself added to the API graph. */
+      exists(DataFlow::LocalSourceNode ref |
+        use(pred, lbl, ref) and
+        succ = MkUse(ref)
+      )
+    }
+
+    /**
+     * Holds if there is an edge from `pred` to `succ` in the API graph.
+     */
+    private predicate edge(TApiNode pred, TApiNode succ) { edge(pred, _, succ) }
+
+    /** Gets the shortest distance from the root to `nd` in the API graph. */
+    cached
+    int distanceFromRoot(TApiNode nd) = shortestDistances(MkRoot/0, edge/2)(_, nd, result)
+  }
+}
+
+private module Label {
+  /** Gets the edge label for the module `m`. */
+  bindingset[m]
+  bindingset[result]
+  string mod(string m) { result = "moduleImport(\"" + m + "\")" }
+
+  /** Gets the `member` edge label for member `m`. */
+  bindingset[m]
+  bindingset[result]
+  string member(string m) { result = "getMember(\"" + m + "\")" }
+
+  /** Gets the `member` edge label for the unknown member. */
+  string unknownMember() { result = "getUnknownMember()" }
+
+  /** Gets the `member` edge label for the given attribute reference. */
+  string memberFromRef(DataFlow::AttrRef pr) {
+    result = member(pr.getAttributeName())
+    or
+    not exists(pr.getAttributeName()) and
+    result = unknownMember()
+  }
+
+  /** Gets the `return` edge label. */
+  string return() { result = "getReturn()" }
+}
diff --git a/python/ql/src/semmle/python/dataflow/new/internal/DataFlowPublic.qll b/python/ql/src/semmle/python/dataflow/new/internal/DataFlowPublic.qll
index cb807917419..f2f90723d77 100644
--- a/python/ql/src/semmle/python/dataflow/new/internal/DataFlowPublic.qll
+++ b/python/ql/src/semmle/python/dataflow/new/internal/DataFlowPublic.qll
@@ -447,7 +447,87 @@ class LocalSourceNode extends Node {
 
   /** Holds if this `LocalSourceNode` can flow to `nodeTo` in one or more local flow steps. */
   cached
-  predicate flowsTo(Node nodeTo) { simpleLocalFlowStep*(this, nodeTo) }
+  predicate flowsTo(Node nodeTo) { Cached::hasLocalSource(nodeTo, this) }
+
+  /**
+   * Gets a reference (read or write) of attribute `attrName` on this node.
+   */
+  AttrRef getAnAttributeReference(string attrName) { Cached::namedAttrRef(this, attrName, result) }
+
+  /**
+   * Gets a read of attribute `attrName` on this node.
+   */
+  AttrRead getAnAttributeRead(string attrName) { result = getAnAttributeReference(attrName) }
+
+  /**
+   * Gets a reference (read or write) of any attribute on this node.
+   */
+  AttrRef getAnAttributeReference() {
+    Cached::namedAttrRef(this, _, result)
+    or
+    Cached::dynamicAttrRef(this, result)
+  }
+
+  /**
+   * Gets a read of any attribute on this node.
+   */
+  AttrRead getAnAttributeRead() { result = getAnAttributeReference() }
+
+  /**
+   * Gets an invocation (with our without `new`) of this node.
+   */
+  Node getAnInvocation() { Cached::invocation(this, result) }
+}
+
+cached
+private module Cached {
+  /**
+   * Holds if `source` is a `LocalSourceNode` that can reach `sink` via local flow steps.
+   *
+   * The slightly backwards parametering ordering is to force correct indexing.
+   */
+  cached
+  predicate hasLocalSource(Node sink, Node source) {
+    // Declaring `source` to be a `SourceNode` currently causes a redundant check in the
+    // recursive case, so instead we check it explicitly here.
+    source = sink and
+    source instanceof LocalSourceNode
+    or
+    exists(Node mid |
+      hasLocalSource(mid, source) and
+      simpleLocalFlowStep(mid, sink)
+    )
+  }
+
+  /**
+   * Holds if `base` flows to the base of `ref` and `ref` has attribute name `attr`.
+   */
+  cached
+  predicate namedAttrRef(LocalSourceNode base, string attr, AttrRef ref) {
+    hasLocalSource(ref.getObject(), base) and
+    ref.getAttributeName() = attr
+  }
+
+  /**
+   * Holds if `base` flows to the base of `ref` and `ref` has no known attribute name.
+   */
+  cached
+  predicate dynamicAttrRef(LocalSourceNode base, AttrRef ref) {
+    hasLocalSource(ref.getObject(), base) and
+    not exists(ref.getAttributeName())
+  }
+
+  /**
+   * Holds if `func` flows to the callee of `invoke`.
+   */
+  cached
+  predicate invocation(LocalSourceNode func, Node invoke) {
+    exists(CfgNode n, CallNode call |
+      invoke.asCfgNode() = call and n.asCfgNode() = call.getFunction()
+    |
+      hasLocalSource(n, func)
+    )
+  }
 }
 
 /**

From 384d0212b11a49dfb73ffe06e6738c5f8ed8de81 Mon Sep 17 00:00:00 2001
From: yoff <lerchedahl@gmail.com>
Date: Mon, 1 Feb 2021 16:41:43 +0100
Subject: [PATCH 071/429] Update
 python/ql/src/semmle/python/dataflow/new/internal/DataFlowPrivate.qll

Co-authored-by: Taus <tausbn@github.com>
---
 .../src/semmle/python/dataflow/new/internal/DataFlowPrivate.qll | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)

diff --git a/python/ql/src/semmle/python/dataflow/new/internal/DataFlowPrivate.qll b/python/ql/src/semmle/python/dataflow/new/internal/DataFlowPrivate.qll
index 694243e0e81..2ab91694217 100644
--- a/python/ql/src/semmle/python/dataflow/new/internal/DataFlowPrivate.qll
+++ b/python/ql/src/semmle/python/dataflow/new/internal/DataFlowPrivate.qll
@@ -1260,7 +1260,7 @@ module IterableUnpacking {
     Expr getSource() { result = source }
   }
 
-  /** The LHS of an assignemnt, it also records the assigned value. */
+  /** The LHS of an assignment, it also records the assigned value. */
   class AssignmentTarget extends ControlFlowNode {
     Expr value;
 

From cd7b013a0c084f624952796659566f4be2e300ed Mon Sep 17 00:00:00 2001
From: Taus Brock-Nannestad <tausbn@github.com>
Date: Mon, 1 Feb 2021 18:57:25 +0100
Subject: [PATCH 072/429] Python: Add missing documentation

---
 python/ql/src/semmle/python/ApiGraphs.qll | 15 +++++++++++++++
 1 file changed, 15 insertions(+)

diff --git a/python/ql/src/semmle/python/ApiGraphs.qll b/python/ql/src/semmle/python/ApiGraphs.qll
index fbee343b623..2dc62ed30a6 100644
--- a/python/ql/src/semmle/python/ApiGraphs.qll
+++ b/python/ql/src/semmle/python/ApiGraphs.qll
@@ -1,7 +1,22 @@
+/**
+ * Provides an implementation of  _API graphs_, which are an abstract representation of the API
+ * surface used and/or defined by a code base.
+ *
+ * The nodes of the API graph represent definitions and uses of API components. The edges are
+ * directed and labeled; they specify how the components represented by nodes relate to each other.
+ */
+
 import python
 import semmle.python.dataflow.new.DataFlow
 
+/**
+ * Provides classes and predicates for working with APIs used in a database.
+ */
 module API {
+  /**
+   * An abstract representation of a definition or use of an API component such as a function
+   * exported by a Python package, or its result.
+   */
   class Node extends Impl::TApiNode {
     /**
      * Gets a data-flow node corresponding to a use of the API component represented by this node.

From 74fd2c1c3880ce5a5cdeb46d40a1bb0254791697 Mon Sep 17 00:00:00 2001
From: Tom Hvitved <hvitved@github.com>
Date: Mon, 1 Feb 2021 14:57:35 +0100
Subject: [PATCH 073/429] C#: Move uncertain-read logic into shared SSA
 implementation

---
 .../code/csharp/dataflow/internal/SsaImpl.qll | 64 ++-----------
 .../dataflow/internal/SsaImplCommon.qll       | 92 ++++++++++++++++---
 .../dataflow/internal/SsaImplSpecific.qll     |  2 +-
 3 files changed, 90 insertions(+), 68 deletions(-)

diff --git a/csharp/ql/src/semmle/code/csharp/dataflow/internal/SsaImpl.qll b/csharp/ql/src/semmle/code/csharp/dataflow/internal/SsaImpl.qll
index d51122ef568..5e25c1ea0a4 100644
--- a/csharp/ql/src/semmle/code/csharp/dataflow/internal/SsaImpl.qll
+++ b/csharp/ql/src/semmle/code/csharp/dataflow/internal/SsaImpl.qll
@@ -954,10 +954,12 @@ private predicate variableReadPseudo(ControlFlow::BasicBlock bb, int i, Ssa::Sou
  *
  * This includes implicit reads via calls.
  */
-predicate variableRead(ControlFlow::BasicBlock bb, int i, Ssa::SourceVariable v) {
-  variableReadActual(bb, i, v)
+predicate variableRead(ControlFlow::BasicBlock bb, int i, Ssa::SourceVariable v, boolean certain) {
+  variableReadActual(bb, i, v) and
+  certain = true
   or
-  variableReadPseudo(bb, i, v)
+  variableReadPseudo(bb, i, v) and
+  certain = false
 }
 
 cached
@@ -1107,26 +1109,6 @@ private module Cached {
     ssaDefReachesEndOfBlock(bb, def, _)
   }
 
-  private predicate adjacentDefReaches(
-    Definition def, ControlFlow::BasicBlock bb1, int i1, ControlFlow::BasicBlock bb2, int i2
-  ) {
-    adjacentDefRead(def, bb1, i1, bb2, i2)
-    or
-    exists(ControlFlow::BasicBlock bb3, int i3 |
-      adjacentDefReaches(def, bb1, i1, bb3, i3) and
-      variableReadPseudo(bb3, i3, _) and
-      adjacentDefRead(def, bb3, i3, bb2, i2)
-    )
-  }
-
-  pragma[noinline]
-  private predicate adjacentDefActualRead(
-    Definition def, ControlFlow::BasicBlock bb1, int i1, ControlFlow::BasicBlock bb2, int i2
-  ) {
-    adjacentDefReaches(def, bb1, i1, bb2, i2) and
-    variableReadActual(bb2, i2, _)
-  }
-
   cached
   AssignableRead getAReadAtNode(Definition def, ControlFlow::Node cfn) {
     exists(Ssa::SourceVariable v, ControlFlow::BasicBlock bb, int i |
@@ -1145,7 +1127,7 @@ private module Cached {
   predicate firstReadSameVar(Definition def, ControlFlow::Node cfn) {
     exists(ControlFlow::BasicBlock bb1, int i1, ControlFlow::BasicBlock bb2, int i2 |
       def.definesAt(_, bb1, i1) and
-      adjacentDefActualRead(def, bb1, i1, bb2, i2) and
+      adjacentDefNoUncertainReads(def, bb1, i1, bb2, i2) and
       cfn = bb2.getNode(i2)
     )
   }
@@ -1160,48 +1142,20 @@ private module Cached {
     exists(ControlFlow::BasicBlock bb1, int i1, ControlFlow::BasicBlock bb2, int i2 |
       cfn1 = bb1.getNode(i1) and
       variableReadActual(bb1, i1, _) and
-      adjacentDefActualRead(def, bb1, i1, bb2, i2) and
+      adjacentDefNoUncertainReads(def, bb1, i1, bb2, i2) and
       cfn2 = bb2.getNode(i2)
     )
   }
 
-  private predicate adjacentDefPseudoRead(
-    Definition def, ControlFlow::BasicBlock bb1, int i1, ControlFlow::BasicBlock bb2, int i2
-  ) {
-    adjacentDefReaches(def, bb1, i1, bb2, i2) and
-    variableReadPseudo(bb2, i2, _)
-  }
-
-  private predicate reachesLastRefRedef(
-    Definition def, ControlFlow::BasicBlock bb, int i, Definition next
-  ) {
-    lastRefRedef(def, bb, i, next)
-    or
-    exists(ControlFlow::BasicBlock bb0, int i0 |
-      reachesLastRefRedef(def, bb0, i0, next) and
-      adjacentDefPseudoRead(def, bb, i, bb0, i0)
-    )
-  }
-
   cached
   predicate lastRefBeforeRedef(Definition def, ControlFlow::BasicBlock bb, int i, Definition next) {
-    reachesLastRefRedef(def, bb, i, next) and
-    not variableReadPseudo(bb, i, def.getSourceVariable())
-  }
-
-  private predicate reachesLastRef(Definition def, ControlFlow::BasicBlock bb, int i) {
-    lastRef(def, bb, i)
-    or
-    exists(ControlFlow::BasicBlock bb0, int i0 |
-      reachesLastRef(def, bb0, i0) and
-      adjacentDefPseudoRead(def, bb, i, bb0, i0)
-    )
+    lastRefRedefNoUncertainReads(def, bb, i, next)
   }
 
   cached
   predicate lastReadSameVar(Definition def, ControlFlow::Node cfn) {
     exists(ControlFlow::BasicBlock bb, int i |
-      reachesLastRef(def, bb, i) and
+      lastRefNoUncertainReads(def, bb, i) and
       variableReadActual(bb, i, _) and
       cfn = bb.getNode(i)
     )
diff --git a/csharp/ql/src/semmle/code/csharp/dataflow/internal/SsaImplCommon.qll b/csharp/ql/src/semmle/code/csharp/dataflow/internal/SsaImplCommon.qll
index f4cb01f7a97..2257994c2e0 100644
--- a/csharp/ql/src/semmle/code/csharp/dataflow/internal/SsaImplCommon.qll
+++ b/csharp/ql/src/semmle/code/csharp/dataflow/internal/SsaImplCommon.qll
@@ -17,18 +17,18 @@ private module Liveness {
    * (certain or uncertain) writes.
    */
   private newtype TRefKind =
-    Read() or
-    Write(boolean certain) { certain = true or certain = false }
+    Read(boolean certain) { certain in [false, true] } or
+    Write(boolean certain) { certain in [false, true] }
 
   private class RefKind extends TRefKind {
     string toString() {
-      this = Read() and result = "read"
+      exists(boolean certain | this = Read(certain) and result = "read (" + certain + ")")
       or
       exists(boolean certain | this = Write(certain) and result = "write (" + certain + ")")
     }
 
     int getOrder() {
-      this = Read() and
+      this = Read(_) and
       result = 0
       or
       this = Write(_) and
@@ -40,7 +40,7 @@ private module Liveness {
    * Holds if the `i`th node of basic block `bb` is a reference to `v` of kind `k`.
    */
   private predicate ref(BasicBlock bb, int i, SourceVariable v, RefKind k) {
-    variableRead(bb, i, v) and k = Read()
+    exists(boolean certain | variableRead(bb, i, v, certain) | k = Read(certain))
     or
     exists(boolean certain | variableWrite(bb, i, v, certain) | k = Write(certain))
   }
@@ -95,7 +95,7 @@ private module Liveness {
    */
   predicate liveAtEntry(BasicBlock bb, SourceVariable v) {
     // The first read or certain write to `v` inside `bb` is a read
-    refRank(bb, _, v, Read()) = firstReadOrCertainWrite(bb, v)
+    refRank(bb, _, v, Read(_)) = firstReadOrCertainWrite(bb, v)
     or
     // There is no certain write to `v` inside `bb`, but `v` is live at entry
     // to a successor basic block of `bb`
@@ -120,7 +120,7 @@ private module Liveness {
       liveAtExit(bb, v)
       or
       ref(bb, i, v, kind) and
-      kind = Read()
+      kind = Read(_)
       or
       exists(RefKind nextKind |
         liveAtRank(bb, _, v, rnk + 1) and
@@ -237,7 +237,7 @@ private module SsaDefReaches {
    * Unlike `Liveness::ref`, this includes `phi` nodes.
    */
   predicate ssaRef(BasicBlock bb, int i, SourceVariable v, SsaRefKind k) {
-    variableRead(bb, i, v) and
+    variableRead(bb, i, v, _) and
     k = SsaRead()
     or
     exists(Definition def | def.definesAt(v, bb, i)) and
@@ -304,7 +304,7 @@ private module SsaDefReaches {
     exists(int rnk |
       ssaDefReachesRank(bb, def, rnk, v) and
       rnk = ssaRefRank(bb, i, v, SsaRead()) and
-      variableRead(bb, i, v)
+      variableRead(bb, i, v, _)
     )
   }
 
@@ -368,7 +368,7 @@ private module SsaDefReaches {
   predicate defAdjacentRead(Definition def, BasicBlock bb1, BasicBlock bb2, int i2) {
     varBlockReaches(def, bb1, bb2) and
     ssaRefRank(bb2, i2, def.getSourceVariable(), SsaRead()) = 1 and
-    variableRead(bb2, i2, _)
+    variableRead(bb2, i2, _, _)
   }
 }
 
@@ -394,6 +394,7 @@ private predicate ssaDefReachesEndOfBlockRec(BasicBlock bb, Definition def, Sour
  * block `bb`, at which point it is still live, without crossing another
  * SSA definition of `v`.
  */
+pragma[nomagic]
 predicate ssaDefReachesEndOfBlock(BasicBlock bb, Definition def, SourceVariable v) {
   exists(int last | last = maxSsaRefRank(bb, v) |
     ssaDefReachesRank(bb, def, last, v) and
@@ -412,10 +413,11 @@ predicate ssaDefReachesEndOfBlock(BasicBlock bb, Definition def, SourceVariable
  * basic block `bb`, without crossing another SSA definition of `v`. The read
  * is of kind `rk`.
  */
+pragma[nomagic]
 predicate ssaDefReachesRead(SourceVariable v, Definition def, BasicBlock bb, int i) {
   ssaDefReachesReadWithinBlock(v, def, bb, i)
   or
-  variableRead(bb, i, v) and
+  variableRead(bb, i, v, _) and
   ssaDefReachesEndOfBlock(getABasicBlockPredecessor(bb), def, v) and
   not ssaDefReachesReadWithinBlock(v, _, bb, i)
 }
@@ -427,11 +429,12 @@ predicate ssaDefReachesRead(SourceVariable v, Definition def, BasicBlock bb, int
  * or a write), `def` is read at index `i2` in basic block `bb2`, and there is a
  * path between them without any read of `def`.
  */
+pragma[nomagic]
 predicate adjacentDefRead(Definition def, BasicBlock bb1, int i1, BasicBlock bb2, int i2) {
   exists(int rnk |
     rnk = ssaDefRank(def, _, bb1, i1, _) and
     rnk + 1 = ssaDefRank(def, _, bb1, i2, SsaRead()) and
-    variableRead(bb1, i2, _) and
+    variableRead(bb1, i2, _, _) and
     bb2 = bb1
   )
   or
@@ -439,6 +442,30 @@ predicate adjacentDefRead(Definition def, BasicBlock bb1, int i1, BasicBlock bb2
   defAdjacentRead(def, bb1, bb2, i2)
 }
 
+private predicate adjacentDefReachesRead(
+  Definition def, BasicBlock bb1, int i1, BasicBlock bb2, int i2
+) {
+  adjacentDefRead(def, bb1, i1, bb2, i2) and
+  not variableRead(bb1, i1, def.getSourceVariable(), false)
+  or
+  exists(BasicBlock bb3, int i3 |
+    adjacentDefReachesRead(def, bb1, i1, bb3, i3) and
+    variableRead(bb3, i3, _, false) and
+    adjacentDefRead(def, bb3, i3, bb2, i2)
+  )
+}
+
+/**
+ * NB: If this predicate is exposed, it should be cached.
+ *
+ * Same as `adjacentDefRead`, but ignores uncertain reads.
+ */
+pragma[nomagic]
+predicate adjacentDefNoUncertainReads(Definition def, BasicBlock bb1, int i1, BasicBlock bb2, int i2) {
+  adjacentDefReachesRead(def, bb1, i1, bb2, i2) and
+  variableRead(bb2, i2, _, true)
+}
+
 /**
  * NB: If this predicate is exposed, it should be cached.
  *
@@ -446,6 +473,7 @@ predicate adjacentDefRead(Definition def, BasicBlock bb1, int i1, BasicBlock bb2
  * `def`. The reference is last because it can reach another write `next`,
  * without passing through another read or write.
  */
+pragma[nomagic]
 predicate lastRefRedef(Definition def, BasicBlock bb, int i, Definition next) {
   exists(int rnk, SourceVariable v, int j | rnk = ssaDefRank(def, v, bb, i, _) |
     // Next reference to `v` inside `bb` is a write
@@ -462,6 +490,29 @@ predicate lastRefRedef(Definition def, BasicBlock bb, int i, Definition next) {
   )
 }
 
+private predicate adjacentDefReachesUncertainRead(
+  Definition def, BasicBlock bb1, int i1, BasicBlock bb2, int i2
+) {
+  adjacentDefReachesRead(def, bb1, i1, bb2, i2) and
+  variableRead(bb2, i2, _, false)
+}
+
+/**
+ * NB: If this predicate is exposed, it should be cached.
+ *
+ * Same as `lastRefRedef`, but ignores uncertain reads.
+ */
+pragma[nomagic]
+predicate lastRefRedefNoUncertainReads(Definition def, BasicBlock bb, int i, Definition next) {
+  lastRefRedef(def, bb, i, next) and
+  not variableRead(bb, i, def.getSourceVariable(), false)
+  or
+  exists(BasicBlock bb0, int i0 |
+    lastRefRedef(def, bb0, i0, next) and
+    adjacentDefReachesUncertainRead(def, bb, i, bb0, i0)
+  )
+}
+
 /**
  * NB: If this predicate is exposed, it should be cached.
  *
@@ -472,6 +523,7 @@ predicate lastRefRedef(Definition def, BasicBlock bb, int i, Definition next) {
  * SSA definition for the underlying source variable, without passing through
  * another read.
  */
+pragma[nomagic]
 predicate lastRef(Definition def, BasicBlock bb, int i) {
   lastRefRedef(def, bb, i, _)
   or
@@ -487,6 +539,22 @@ predicate lastRef(Definition def, BasicBlock bb, int i) {
   )
 }
 
+/**
+ * NB: If this predicate is exposed, it should be cached.
+ *
+ * Same as `lastRefRedef`, but ignores uncertain reads.
+ */
+pragma[nomagic]
+predicate lastRefNoUncertainReads(Definition def, BasicBlock bb, int i) {
+  lastRef(def, bb, i) and
+  not variableRead(bb, i, def.getSourceVariable(), false)
+  or
+  exists(BasicBlock bb0, int i0 |
+    lastRef(def, bb0, i0) and
+    adjacentDefReachesUncertainRead(def, bb, i, bb0, i0)
+  )
+}
+
 /** A static single assignment (SSA) definition. */
 class Definition extends TDefinition {
   /** Gets the source variable underlying this SSA definition. */
diff --git a/csharp/ql/src/semmle/code/csharp/dataflow/internal/SsaImplSpecific.qll b/csharp/ql/src/semmle/code/csharp/dataflow/internal/SsaImplSpecific.qll
index c99ad7d8fb3..2091b73c388 100644
--- a/csharp/ql/src/semmle/code/csharp/dataflow/internal/SsaImplSpecific.qll
+++ b/csharp/ql/src/semmle/code/csharp/dataflow/internal/SsaImplSpecific.qll
@@ -16,4 +16,4 @@ class SourceVariable = SsaImpl::TSourceVariable;
 
 predicate variableWrite = SsaImpl::variableWrite/4;
 
-predicate variableRead = SsaImpl::variableRead/3;
+predicate variableRead = SsaImpl::variableRead/4;

From b19fd7bb7278302bfd707947c96ed16c29896746 Mon Sep 17 00:00:00 2001
From: Tom Hvitved <hvitved@github.com>
Date: Tue, 2 Feb 2021 10:42:32 +0100
Subject: [PATCH 074/429] C#: Only cache `TDefinition` in the shared SSA
 implementation

---
 .../src/semmle/code/csharp/dataflow/SSA.qll   | 33 +++++--
 .../code/csharp/dataflow/internal/SsaImpl.qll | 12 ++-
 .../dataflow/internal/SsaImplCommon.qll       | 97 ++++++++-----------
 3 files changed, 77 insertions(+), 65 deletions(-)

diff --git a/csharp/ql/src/semmle/code/csharp/dataflow/SSA.qll b/csharp/ql/src/semmle/code/csharp/dataflow/SSA.qll
index 0bd7e848639..44307d68e1f 100644
--- a/csharp/ql/src/semmle/code/csharp/dataflow/SSA.qll
+++ b/csharp/ql/src/semmle/code/csharp/dataflow/SSA.qll
@@ -384,9 +384,18 @@ module Ssa {
       result.getAControlFlowNode() = cfn
     }
 
+    /**
+     * Gets an SSA definition whose value can flow to this one in one step. This
+     * includes inputs to phi nodes and the prior definitions of uncertain writes.
+     */
+    private Definition getAPhiInputOrPriorDefinition() {
+      result = this.(PhiNode).getAnInput() or
+      result = this.(UncertainDefinition).getPriorDefinition()
+    }
+
     /**
      * Gets a definition that ultimately defines this SSA definition and is
-     * not itself a pseudo node. Example:
+     * not itself a phi node. Example:
      *
      * ```csharp
      * int Field;
@@ -413,8 +422,9 @@ module Ssa {
      *   definition on line 4, the explicit definition on line 7, and the implicit
      *   definition on line 9.
      */
-    final override Definition getAnUltimateDefinition() {
-      result = SsaImpl::Definition.super.getAnUltimateDefinition()
+    final Definition getAnUltimateDefinition() {
+      result = this.getAPhiInputOrPriorDefinition*() and
+      not result instanceof PhiNode
     }
 
     /**
@@ -425,7 +435,7 @@ module Ssa {
     /**
      * Gets the syntax element associated with this SSA definition, if any.
      * This is either an expression, for example `x = 0`, a parameter, or a
-     * callable. Pseudo nodes have no associated syntax element.
+     * callable. Phi nodes have no associated syntax element.
      */
     Element getElement() { result = this.getControlFlowNode().getElement() }
 
@@ -681,7 +691,12 @@ module Ssa {
      *   definition on line 4, the explicit definition on line 7, and the implicit
      *   call definition on line 9 as inputs.
      */
-    final override Definition getAnInput() { result = SsaImpl::PhiNode.super.getAnInput() }
+    final Definition getAnInput() { this.hasInputFromBlock(result, _) }
+
+    /** Holds if `inp` is an input to this phi node along the edge originating in `bb`. */
+    predicate hasInputFromBlock(Definition inp, ControlFlow::BasicBlock bb) {
+      inp = SsaImpl::phiHasInputFromBlock(this, bb)
+    }
 
     override string toString() {
       result = getToStringPrefix(this) + "SSA phi(" + getSourceVariable() + ")"
@@ -704,5 +719,11 @@ module Ssa {
    * need not be certain), an implicit non-local update via a call, or an
    * uncertain update of the qualifier.
    */
-  class UncertainDefinition extends Definition, SsaImpl::UncertainWriteDefinition { }
+  class UncertainDefinition extends Definition, SsaImpl::UncertainWriteDefinition {
+    /**
+     * Gets the immediately preceding definition. Since this update is uncertain,
+     * the value from the preceding definition might still be valid.
+     */
+    Definition getPriorDefinition() { result = SsaImpl::uncertainWriteDefinitionInput(this) }
+  }
 }
diff --git a/csharp/ql/src/semmle/code/csharp/dataflow/internal/SsaImpl.qll b/csharp/ql/src/semmle/code/csharp/dataflow/internal/SsaImpl.qll
index 5e25c1ea0a4..eff99d351c4 100644
--- a/csharp/ql/src/semmle/code/csharp/dataflow/internal/SsaImpl.qll
+++ b/csharp/ql/src/semmle/code/csharp/dataflow/internal/SsaImpl.qll
@@ -1075,7 +1075,7 @@ private module Cached {
     Ssa::ExplicitDefinition def, Ssa::ImplicitEntryDefinition edef,
     ControlFlow::Nodes::ElementNode c, boolean additionalCalls
   ) {
-    exists(Ssa::SourceVariable v, Definition def0, ControlFlow::BasicBlock bb, int i |
+    exists(Ssa::SourceVariable v, Ssa::Definition def0, ControlFlow::BasicBlock bb, int i |
       v = def.getSourceVariable() and
       capturedReadIn(_, _, v, edef.getSourceVariable(), c, additionalCalls) and
       def = def0.getAnUltimateDefinition() and
@@ -1109,6 +1109,11 @@ private module Cached {
     ssaDefReachesEndOfBlock(bb, def, _)
   }
 
+  cached
+  Definition phiHasInputFromBlock(PhiNode phi, ControlFlow::BasicBlock bb) {
+    phiHasInputFromBlock(phi, result, bb)
+  }
+
   cached
   AssignableRead getAReadAtNode(Definition def, ControlFlow::Node cfn) {
     exists(Ssa::SourceVariable v, ControlFlow::BasicBlock bb, int i |
@@ -1161,6 +1166,11 @@ private module Cached {
     )
   }
 
+  cached
+  Definition uncertainWriteDefinitionInput(UncertainWriteDefinition def) {
+    uncertainWriteDefinitionInput(def, result)
+  }
+
   cached
   predicate isLiveOutRefParameterDefinition(Ssa::Definition def, Parameter p) {
     p.isOutOrRef() and
diff --git a/csharp/ql/src/semmle/code/csharp/dataflow/internal/SsaImplCommon.qll b/csharp/ql/src/semmle/code/csharp/dataflow/internal/SsaImplCommon.qll
index 2257994c2e0..be01c05b8fa 100644
--- a/csharp/ql/src/semmle/code/csharp/dataflow/internal/SsaImplCommon.qll
+++ b/csharp/ql/src/semmle/code/csharp/dataflow/internal/SsaImplCommon.qll
@@ -174,35 +174,16 @@ private predicate inDefDominanceFrontier(BasicBlock bb, SourceVariable v) {
 }
 
 cached
-private module Cached {
-  cached
-  newtype TDefinition =
-    TWriteDef(SourceVariable v, BasicBlock bb, int i) {
-      variableWrite(bb, i, v, _) and
-      liveAfterWrite(bb, i, v)
-    } or
-    TPhiNode(SourceVariable v, BasicBlock bb) {
-      inDefDominanceFrontier(bb, v) and
-      liveAtEntry(bb, v)
-    }
-
-  cached
-  predicate uncertainWriteDefinitionInput(UncertainWriteDefinition def, Definition inp) {
-    lastRefRedef(inp, _, _, def)
+newtype TDefinition =
+  TWriteDef(SourceVariable v, BasicBlock bb, int i) {
+    variableWrite(bb, i, v, _) and
+    liveAfterWrite(bb, i, v)
+  } or
+  TPhiNode(SourceVariable v, BasicBlock bb) {
+    inDefDominanceFrontier(bb, v) and
+    liveAtEntry(bb, v)
   }
 
-  cached
-  predicate phiHasInputFromBlock(PhiNode phi, Definition inp, BasicBlock bb) {
-    exists(SourceVariable v, BasicBlock bbDef |
-      phi.definesAt(v, bbDef, _) and
-      getABasicBlockPredecessor(bbDef) = bb and
-      ssaDefReachesEndOfBlock(bb, inp, v)
-    )
-  }
-}
-
-import Cached
-
 private module SsaDefReaches {
   newtype TSsaRefKind =
     SsaRead() or
@@ -406,6 +387,20 @@ predicate ssaDefReachesEndOfBlock(BasicBlock bb, Definition def, SourceVariable
   not ssaRef(bb, _, v, SsaDef())
 }
 
+/**
+ * NB: If this predicate is exposed, it should be cached.
+ *
+ * Holds if `inp` is an input to the phi node `phi` along the edge originating in `bb`.
+ */
+pragma[nomagic]
+predicate phiHasInputFromBlock(PhiNode phi, Definition inp, BasicBlock bb) {
+  exists(SourceVariable v, BasicBlock bbDef |
+    phi.definesAt(v, bbDef, _) and
+    getABasicBlockPredecessor(bbDef) = bb and
+    ssaDefReachesEndOfBlock(bb, inp, v)
+  )
+}
+
 /**
  * NB: If this predicate is exposed, it should be cached.
  *
@@ -446,7 +441,11 @@ private predicate adjacentDefReachesRead(
   Definition def, BasicBlock bb1, int i1, BasicBlock bb2, int i2
 ) {
   adjacentDefRead(def, bb1, i1, bb2, i2) and
-  not variableRead(bb1, i1, def.getSourceVariable(), false)
+  exists(SourceVariable v | v = def.getSourceVariable() |
+    ssaRef(bb1, i1, v, SsaDef())
+    or
+    variableRead(bb1, i1, v, true)
+  )
   or
   exists(BasicBlock bb3, int i3 |
     adjacentDefReachesRead(def, bb1, i1, bb3, i3) and
@@ -490,6 +489,18 @@ predicate lastRefRedef(Definition def, BasicBlock bb, int i, Definition next) {
   )
 }
 
+/**
+ * NB: If this predicate is exposed, it should be cached.
+ *
+ * Holds if `inp` is an immediately preceding definition of uncertain definition
+ * `def`. Since `def` is uncertain, the value from the preceding definition might
+ * still be valid.
+ */
+pragma[nomagic]
+predicate uncertainWriteDefinitionInput(UncertainWriteDefinition def, Definition inp) {
+  lastRefRedef(inp, _, _, def)
+}
+
 private predicate adjacentDefReachesUncertainRead(
   Definition def, BasicBlock bb1, int i1, BasicBlock bb2, int i2
 ) {
@@ -574,24 +585,6 @@ class Definition extends TDefinition {
   /** Gets the basic block to which this SSA definition belongs. */
   final BasicBlock getBasicBlock() { this.definesAt(_, result, _) }
 
-  /**
-   * Gets an SSA definition whose value can flow to this one in one step. This
-   * includes inputs to phi nodes and the prior definitions of uncertain writes.
-   */
-  private Definition getAPseudoInputOrPriorDefinition() {
-    result = this.(PhiNode).getAnInput() or
-    result = this.(UncertainWriteDefinition).getPriorDefinition()
-  }
-
-  /**
-   * Gets a definition that ultimately defines this SSA definition and is
-   * not itself a phi node.
-   */
-  Definition getAnUltimateDefinition() {
-    result = this.getAPseudoInputOrPriorDefinition*() and
-    not result instanceof PhiNode
-  }
-
   /** Gets a textual representation of this SSA definition. */
   string toString() { none() }
 }
@@ -609,12 +602,6 @@ class WriteDefinition extends Definition, TWriteDef {
 
 /** A phi node. */
 class PhiNode extends Definition, TPhiNode {
-  /** Gets an input of this phi node. */
-  Definition getAnInput() { this.hasInputFromBlock(result, _) }
-
-  /** Holds if `inp` is an input to the phi node along the edge originating in `bb`. */
-  predicate hasInputFromBlock(Definition inp, BasicBlock bb) { phiHasInputFromBlock(this, inp, bb) }
-
   override string toString() { result = "Phi" }
 }
 
@@ -629,10 +616,4 @@ class UncertainWriteDefinition extends WriteDefinition {
       variableWrite(bb, i, v, false)
     )
   }
-
-  /**
-   * Gets the immediately preceding definition. Since this update is uncertain,
-   * the value from the preceding definition might still be valid.
-   */
-  Definition getPriorDefinition() { uncertainWriteDefinitionInput(this, result) }
 }

From d046e39a826b2fcb247a1d615811549d0e7cb2d8 Mon Sep 17 00:00:00 2001
From: Rasmus Wriedt Larsen <rasmuswl@github.com>
Date: Tue, 2 Feb 2021 12:04:24 +0100
Subject: [PATCH 075/429] Python: Fix tornado inline expectations in tests

After merge commit
---
 .../library-tests/frameworks/tornado/response_test.py          | 3 ++-
 1 file changed, 2 insertions(+), 1 deletion(-)

diff --git a/python/ql/test/experimental/library-tests/frameworks/tornado/response_test.py b/python/ql/test/experimental/library-tests/frameworks/tornado/response_test.py
index d8af7f3895a..42cd37c2118 100644
--- a/python/ql/test/experimental/library-tests/frameworks/tornado/response_test.py
+++ b/python/ql/test/experimental/library-tests/frameworks/tornado/response_test.py
@@ -33,7 +33,8 @@ class ExplicitContentType(tornado.web.RequestHandler):
 
 class ExampleRedirect(tornado.web.RequestHandler):
     def get(self): # $ requestHandler
-        self.redirect("http://example.com") # TODO: Model redirect
+        url = "http://example.com"
+        self.redirect(url) # $ HttpRedirectResponse HttpResponse redirectLocation=url
 
 
 class ExampleConnectionWrite(tornado.web.RequestHandler):

From 64f0dfb17452a8a0842410ad0fd7c1aa30541b65 Mon Sep 17 00:00:00 2001
From: Tamas Vajk <tamasvajk@github.com>
Date: Tue, 2 Feb 2021 14:21:26 +0100
Subject: [PATCH 076/429] Fix code review findings

---
 .../code/csharp/dataflow/CallContext.qll      |  8 +---
 .../dataflow/internal/DataFlowDispatch.qll    | 10 ++---
 .../dataflow/internal/DataFlowPrivate.qll     |  2 +-
 .../dataflow/internal/DelegateDataFlow.qll    | 41 +++++++------------
 .../ql/src/semmle/code/csharp/exprs/Call.qll  | 27 +++++-------
 5 files changed, 32 insertions(+), 56 deletions(-)

diff --git a/csharp/ql/src/semmle/code/csharp/dataflow/CallContext.qll b/csharp/ql/src/semmle/code/csharp/dataflow/CallContext.qll
index aa501a58e0d..8be2fc0939f 100755
--- a/csharp/ql/src/semmle/code/csharp/dataflow/CallContext.qll
+++ b/csharp/ql/src/semmle/code/csharp/dataflow/CallContext.qll
@@ -82,12 +82,8 @@ class DelegateLikeCallArgumentCallContext extends ArgumentCallContext {
 
 /** An argument of a delegate call. */
 class DelegateCallArgumentCallContext extends DelegateLikeCallArgumentCallContext,
-  TArgDelegateCallContext {
-  DelegateCallArgumentCallContext() { this = TArgDelegateCallContext(dc, arg) }
-}
+  TArgDelegateCallContext { }
 
 /** An argument of a function pointer call. */
 class FunctionPointerCallArgumentCallContext extends DelegateLikeCallArgumentCallContext,
-  TArgFunctionPointerCallContext {
-  FunctionPointerCallArgumentCallContext() { this = TArgFunctionPointerCallContext(dc, arg) }
-}
+  TArgFunctionPointerCallContext { }
diff --git a/csharp/ql/src/semmle/code/csharp/dataflow/internal/DataFlowDispatch.qll b/csharp/ql/src/semmle/code/csharp/dataflow/internal/DataFlowDispatch.qll
index 2337f2ec349..c68ba38e0b5 100644
--- a/csharp/ql/src/semmle/code/csharp/dataflow/internal/DataFlowDispatch.qll
+++ b/csharp/ql/src/semmle/code/csharp/dataflow/internal/DataFlowDispatch.qll
@@ -101,7 +101,7 @@ private module Cached {
     TNonDelegateCall(ControlFlow::Nodes::ElementNode cfn, DispatchCall dc) {
       cfn.getElement() = dc.getCall()
     } or
-    TExplicitDelegateCall(ControlFlow::Nodes::ElementNode cfn, DelegateCall dc) {
+    TExplicitDelegateLikeCall(ControlFlow::Nodes::ElementNode cfn, DelegateLikeCall dc) {
       cfn.getElement() = dc
     } or
     TTransitiveCapturedCall(ControlFlow::Nodes::ElementNode cfn, Callable target) {
@@ -308,12 +308,12 @@ abstract class DelegateDataFlowCall extends DataFlowCall {
   override DataFlowCallable getARuntimeTarget() { result = this.getARuntimeTarget(_) }
 }
 
-/** An explicit delegate call relevant for data flow. */
-class ExplicitDelegateDataFlowCall extends DelegateDataFlowCall, TExplicitDelegateCall {
+/** An explicit delegate or function pointer call relevant for data flow. */
+class ExplicitDelegateLikeDataFlowCall extends DelegateDataFlowCall, TExplicitDelegateLikeCall {
   private ControlFlow::Nodes::ElementNode cfn;
-  private DelegateCall dc;
+  private DelegateLikeCall dc;
 
-  ExplicitDelegateDataFlowCall() { this = TExplicitDelegateCall(cfn, dc) }
+  ExplicitDelegateLikeDataFlowCall() { this = TExplicitDelegateLikeCall(cfn, dc) }
 
   override DataFlowCallable getARuntimeTarget(CallContext::CallContext cc) {
     result = getCallableForDataFlow(dc.getARuntimeTarget(cc))
diff --git a/csharp/ql/src/semmle/code/csharp/dataflow/internal/DataFlowPrivate.qll b/csharp/ql/src/semmle/code/csharp/dataflow/internal/DataFlowPrivate.qll
index 5446323543a..64452768185 100644
--- a/csharp/ql/src/semmle/code/csharp/dataflow/internal/DataFlowPrivate.qll
+++ b/csharp/ql/src/semmle/code/csharp/dataflow/internal/DataFlowPrivate.qll
@@ -1394,7 +1394,7 @@ private module OutNodes {
 
   private DataFlowCall csharpCall(Expr e, ControlFlow::Node cfn) {
     e = any(DispatchCall dc | result = TNonDelegateCall(cfn, dc)).getCall() or
-    result = TExplicitDelegateCall(cfn, e)
+    result = TExplicitDelegateLikeCall(cfn, e)
   }
 
   /** A valid return type for a method that uses `yield return`. */
diff --git a/csharp/ql/src/semmle/code/csharp/dataflow/internal/DelegateDataFlow.qll b/csharp/ql/src/semmle/code/csharp/dataflow/internal/DelegateDataFlow.qll
index af70cb19654..e6b15b95d7f 100755
--- a/csharp/ql/src/semmle/code/csharp/dataflow/internal/DelegateDataFlow.qll
+++ b/csharp/ql/src/semmle/code/csharp/dataflow/internal/DelegateDataFlow.qll
@@ -15,9 +15,9 @@ private import semmle.code.csharp.dispatch.Dispatch
 private import semmle.code.csharp.frameworks.system.linq.Expressions
 
 /** A source of flow for a delegate or function pointer expression. */
-private class DelegateLikeFlowSource extends DataFlow::ExprNode {
+abstract private class DelegateLikeFlowSource extends DataFlow::ExprNode {
   /** Gets the callable that is referenced in this delegate or function pointer flow source. */
-  Callable getCallable() { none() }
+  abstract Callable getCallable();
 }
 
 /** A source of flow for a delegate expression. */
@@ -41,10 +41,13 @@ private class FunctionPointerFlowSource extends DelegateLikeFlowSource {
   Callable c;
 
   FunctionPointerFlowSource() {
-    this.getExpr() =
-      any(Expr e |
-        c = e.(AddressOfExpr).getOperand().(CallableAccess).getTarget().getUnboundDeclaration()
-      )
+    c =
+      this.getExpr()
+          .(AddressOfExpr)
+          .getOperand()
+          .(CallableAccess)
+          .getTarget()
+          .getUnboundDeclaration()
   }
 
   /** Gets the callable that is referenced in this function pointer flow source. */
@@ -115,28 +118,12 @@ abstract private class DelegateLikeFlowSink extends DataFlow::Node {
 
 /** A delegate or function pointer call expression. */
 class DelegateLikeCallExpr extends DelegateLikeFlowSink, DataFlow::ExprNode {
+  DelegateLikeCall dc;
+
+  DelegateLikeCallExpr() { this.getExpr() = dc.getExpr() }
+
   /** Gets the delegate or function pointer call that this expression belongs to. */
-  DelegateLikeCall getCall() { none() }
-}
-
-/** A delegate call expression. */
-class DelegateCallExpr extends DelegateLikeCallExpr {
-  DelegateCall dc;
-
-  DelegateCallExpr() { this.getExpr() = dc.getExpr() }
-
-  /** Gets the delegate call that this expression belongs to. */
-  override DelegateCall getCall() { result = dc }
-}
-
-/** A function pointer call expression. */
-class FunctionPointerCallExpr extends DelegateLikeCallExpr {
-  FunctionPointerCall fptrc;
-
-  FunctionPointerCallExpr() { this.getExpr() = fptrc.getExpr() }
-
-  /** Gets the function pointer call that this expression belongs to. */
-  override FunctionPointerCall getCall() { result = fptrc }
+  DelegateLikeCall getCall() { result = dc }
 }
 
 /** A parameter of delegate type belonging to a callable with a flow summary. */
diff --git a/csharp/ql/src/semmle/code/csharp/exprs/Call.qll b/csharp/ql/src/semmle/code/csharp/exprs/Call.qll
index 941873d9afd..078ecd1a52a 100644
--- a/csharp/ql/src/semmle/code/csharp/exprs/Call.qll
+++ b/csharp/ql/src/semmle/code/csharp/exprs/Call.qll
@@ -527,17 +527,24 @@ class MutatorOperatorCall extends OperatorCall {
   predicate isPostfix() { mutator_invocation_mode(this, 2) }
 }
 
+private class DelegateLikeCall_ = @delegate_invocation_expr or @function_pointer_invocation_expr;
+
 /**
  * A function pointer or delegate call.
  */
-abstract class DelegateLikeCall extends Call {
+class DelegateLikeCall extends Call, DelegateLikeCall_ {
   override Callable getTarget() { none() }
 
   /**
    * Gets a potential run-time target of this delegate or function pointer call in the given
    * call context `cc`.
    */
-  Callable getARuntimeTarget(CallContext::CallContext cc) { none() }
+  Callable getARuntimeTarget(CallContext::CallContext cc) {
+    exists(DelegateLikeCallExpr call |
+      this = call.getCall() and
+      result = call.getARuntimeTarget(cc)
+    )
+  }
 
   /**
    * Gets the delegate or function pointer expression of this call. For example, the
@@ -579,10 +586,7 @@ class DelegateCall extends DelegateLikeCall, @delegate_invocation_expr {
    * call context `cc`.
    */
   override Callable getARuntimeTarget(CallContext::CallContext cc) {
-    exists(DelegateCallExpr call |
-      this = call.getCall() and
-      result = call.getARuntimeTarget(cc)
-    )
+    result = DelegateLikeCall.super.getARuntimeTarget(cc)
     or
     exists(AddEventSource aes, CallContext::CallContext cc2 |
       aes = this.getAnAddEventSource(_) and
@@ -634,17 +638,6 @@ class DelegateCall extends DelegateLikeCall, @delegate_invocation_expr {
  * ```
  */
 class FunctionPointerCall extends DelegateLikeCall, @function_pointer_invocation_expr {
-  /**
-   * Gets a potential run-time target of this function pointer call in the given
-   * call context `cc`.
-   */
-  override Callable getARuntimeTarget(CallContext::CallContext cc) {
-    exists(FunctionPointerCallExpr call |
-      this = call.getCall() and
-      result = call.getARuntimeTarget(cc)
-    )
-  }
-
   override string toString() { result = "function pointer call" }
 
   override string getAPrimaryQlClass() { result = "FunctionPointerCall" }

From 50be54385a6a0ab4d7219c350bd16d1f7e9f1f12 Mon Sep 17 00:00:00 2001
From: luchua-bc <shengxin.canada@gmail.com>
Date: Tue, 2 Feb 2021 14:49:50 +0000
Subject: [PATCH 077/429] Update qldoc

---
 .../Security/CWE/CWE-326/InsufficientKeySize.java             | 4 ++--
 java/ql/src/semmle/code/java/security/Encryption.qll          | 2 +-
 2 files changed, 3 insertions(+), 3 deletions(-)

diff --git a/java/ql/src/experimental/Security/CWE/CWE-326/InsufficientKeySize.java b/java/ql/src/experimental/Security/CWE/CWE-326/InsufficientKeySize.java
index 6ccf025c244..ff30196abb5 100644
--- a/java/ql/src/experimental/Security/CWE/CWE-326/InsufficientKeySize.java
+++ b/java/ql/src/experimental/Security/CWE/CWE-326/InsufficientKeySize.java
@@ -25,12 +25,12 @@ public class InsufficientKeySize {
         keyPairGen4.initialize(2048);
 
         KeyPairGenerator keyPairGen5 = KeyPairGenerator.getInstance("EC");
-        // BAD: Key size is less than 224
+        // BAD: Key size is less than 256
         ECGenParameterSpec ecSpec1 = new ECGenParameterSpec("secp112r1");
         keyPairGen5.initialize(ecSpec1);
 
         KeyPairGenerator keyPairGen6 = KeyPairGenerator.getInstance("EC");
-        // GOOD: Key size is no less than 224
+        // GOOD: Key size is no less than 256
         ECGenParameterSpec ecSpec2 = new ECGenParameterSpec("secp256r1");
         keyPairGen6.initialize(ecSpec2);
     }
diff --git a/java/ql/src/semmle/code/java/security/Encryption.qll b/java/ql/src/semmle/code/java/security/Encryption.qll
index 9c10569d8c1..ddbaf9cba73 100644
--- a/java/ql/src/semmle/code/java/security/Encryption.qll
+++ b/java/ql/src/semmle/code/java/security/Encryption.qll
@@ -315,7 +315,7 @@ class JavaSecuritySignature extends JavaSecurityAlgoSpec {
   override Expr getAlgoSpec() { result = this.(ConstructorCall).getArgument(0) }
 }
 
-/** Method call to the Java class `java.security.KeyPairGenerator`. */
+/** A method call to the Java class `java.security.KeyPairGenerator`. */
 class JavaSecurityKeyPairGenerator extends JavaxCryptoAlgoSpec {
   JavaSecurityKeyPairGenerator() {
     exists(Method m | m.getAReference() = this |

From 5e3b6fa3415d899c6bf2dea25de011244d563cee Mon Sep 17 00:00:00 2001
From: luchua-bc <shengxin.canada@gmail.com>
Date: Tue, 2 Feb 2021 16:20:39 +0000
Subject: [PATCH 078/429] Update qldoc

---
 .../experimental/Security/CWE/CWE-326/InsufficientKeySize.qhelp | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)

diff --git a/java/ql/src/experimental/Security/CWE/CWE-326/InsufficientKeySize.qhelp b/java/ql/src/experimental/Security/CWE/CWE-326/InsufficientKeySize.qhelp
index 10ec6adc9df..4d4ec76f060 100644
--- a/java/ql/src/experimental/Security/CWE/CWE-326/InsufficientKeySize.qhelp
+++ b/java/ql/src/experimental/Security/CWE/CWE-326/InsufficientKeySize.qhelp
@@ -6,7 +6,7 @@ are vulnerable to brute force attack when too small a key size is used.</p>
     </overview>
 
     <recommendation>
-        <p>The key should be at least 2048 bits long when using RSA and DSA encryption, 224 bits long when using EC encryption, and 128 bits long when using 
+        <p>The key should be at least 2048 bits long when using RSA and DSA encryption, 256 bits long when using EC encryption, and 128 bits long when using 
 symmetric encryption.</p>
     </recommendation>
     

From 3151aeff48c41c067e1daea026edbe3d759b702b Mon Sep 17 00:00:00 2001
From: luchua-bc <shengxin.canada@gmail.com>
Date: Tue, 2 Feb 2021 18:26:29 +0000
Subject: [PATCH 079/429] Enhance the query

---
 .../CWE/CWE-522/InsecureLdapAuth.java         |  2 +-
 .../Security/CWE/CWE-522/InsecureLdapAuth.ql  | 72 +++++++++----------
 .../code/java/frameworks/Networking.qll       |  1 +
 3 files changed, 36 insertions(+), 39 deletions(-)

diff --git a/java/ql/src/experimental/Security/CWE/CWE-522/InsecureLdapAuth.java b/java/ql/src/experimental/Security/CWE/CWE-522/InsecureLdapAuth.java
index 33764506a1b..3c5f6555100 100644
--- a/java/ql/src/experimental/Security/CWE/CWE-522/InsecureLdapAuth.java
+++ b/java/ql/src/experimental/Security/CWE/CWE-522/InsecureLdapAuth.java
@@ -15,7 +15,7 @@ public class InsecureLdapAuth {
 		environment.put(Context.INITIAL_CONTEXT_FACTORY, "com.sun.jndi.ldap.LdapCtxFactory");
 		environment.put(Context.PROVIDER_URL, ldapUrl);
 		environment.put(Context.REFERRAL, "follow");
-		env.put(Context.SECURITY_AUTHENTICATION, "simple");
+		environment.put(Context.SECURITY_AUTHENTICATION, "simple");
 		environment.put(Context.SECURITY_PRINCIPAL, ldapUserName);
 		environment.put(Context.SECURITY_CREDENTIALS, password);
 		DirContext dirContext = new InitialDirContext(environment);
diff --git a/java/ql/src/experimental/Security/CWE/CWE-522/InsecureLdapAuth.ql b/java/ql/src/experimental/Security/CWE/CWE-522/InsecureLdapAuth.ql
index 9563c755410..b6e7b5ed702 100644
--- a/java/ql/src/experimental/Security/CWE/CWE-522/InsecureLdapAuth.ql
+++ b/java/ql/src/experimental/Security/CWE/CWE-522/InsecureLdapAuth.ql
@@ -76,7 +76,7 @@ class InsecureLdapUrl extends Expr {
  */
 predicate isProviderUrlSetter(MethodAccess ma) {
   ma.getMethod().getDeclaringType().getAnAncestor() instanceof TypeHashtable and
-  (ma.getMethod().hasName("put") or ma.getMethod().hasName("setProperty")) and
+  ma.getMethod().hasName(["put", "setProperty"]) and
   (
     ma.getArgument(0).(CompileTimeConstantExpr).getStringValue() = "java.naming.provider.url"
     or
@@ -89,27 +89,48 @@ predicate isProviderUrlSetter(MethodAccess ma) {
 }
 
 /**
- * Holds if `ma` sets `fieldValue` with attribute name `fieldName` to `envValue` in some `Hashtable`.
+ * Holds if `ma` sets `fieldValue` to `envValue` in some `Hashtable`.
  */
 bindingset[fieldValue, envValue]
-predicate hasEnvWithValue(MethodAccess ma, string fieldValue, string envValue) {
+predicate hasFieldValueEnv(MethodAccess ma, string fieldValue, string envValue) {
+  // environment.put("java.naming.security.authentication", "simple")
   ma.getMethod().getDeclaringType().getAnAncestor() instanceof TypeHashtable and
-  (ma.getMethod().hasName("put") or ma.getMethod().hasName("setProperty")) and
+  ma.getMethod().hasName(["put", "setProperty"]) and
   ma.getArgument(0).(CompileTimeConstantExpr).getStringValue() = fieldValue and
   ma.getArgument(1).(CompileTimeConstantExpr).getStringValue() = envValue
 }
 
+/**
+ * Holds if `ma` sets attribute name `fieldName` to `envValue` in some `Hashtable`.
+ */
+bindingset[fieldName, envValue]
+predicate hasFieldNameEnv(MethodAccess ma, string fieldName, string envValue) {
+  // environment.put(Context.SECURITY_AUTHENTICATION, "simple")
+  ma.getMethod().getDeclaringType().getAnAncestor() instanceof TypeHashtable and
+  ma.getMethod().hasName(["put", "setProperty"]) and
+  exists(Field f |
+    ma.getArgument(0) = f.getAnAccess() and
+    f.hasName(fieldName) and
+    f.getDeclaringType() instanceof TypeNamingContext
+  ) and
+  ma.getArgument(1).(CompileTimeConstantExpr).getStringValue() = envValue
+}
+
 /**
  * Holds if `ma` sets `java.naming.security.authentication` (also known as `Context.SECURITY_AUTHENTICATION`) to `simple` in some `Hashtable`.
  */
 predicate isBasicAuthEnv(MethodAccess ma) {
-  hasEnvWithValue(ma, "java.naming.security.authentication", "simple")
+  hasFieldValueEnv(ma, "java.naming.security.authentication", "simple") or
+  hasFieldNameEnv(ma, "SECURITY_AUTHENTICATION", "simple")
 }
 
 /**
  * Holds if `ma` sets `java.naming.security.protocol` (also known as `Context.SECURITY_PROTOCOL`) to `ssl` in some `Hashtable`.
  */
-predicate isSSLEnv(MethodAccess ma) { hasEnvWithValue(ma, "java.naming.security.protocol", "ssl") }
+predicate isSSLEnv(MethodAccess ma) {
+  hasFieldValueEnv(ma, "java.naming.security.protocol", "ssl") or
+  hasFieldNameEnv(ma, "SECURITY_PROTOCOL", "ssl")
+}
 
 /**
  * A taint-tracking configuration for `ldap://` URL in LDAP authentication.
@@ -141,12 +162,12 @@ class InsecureUrlFlowConfig extends TaintTracking::Configuration {
 /**
  * A taint-tracking configuration for `simple` basic-authentication in LDAP configuration.
  */
-class BasicAuthFlowConfig extends TaintTracking::Configuration {
+class BasicAuthFlowConfig extends DataFlow::Configuration {
   BasicAuthFlowConfig() { this = "InsecureLdapAuth:BasicAuthFlowConfig" }
 
   /** Source of `simple` configuration. */
   override predicate isSource(DataFlow::Node src) {
-    src.asExpr().(CompileTimeConstantExpr).getStringValue() = "simple"
+    exists(MethodAccess ma | isBasicAuthEnv(ma) and ma.getQualifier() = src.asExpr())
   }
 
   /** Sink of directory context creation. */
@@ -156,26 +177,17 @@ class BasicAuthFlowConfig extends TaintTracking::Configuration {
       sink.asExpr() = cc.getArgument(0)
     )
   }
-
-  /** Method call of `env.put()`. */
-  override predicate isAdditionalTaintStep(DataFlow::Node pred, DataFlow::Node succ) {
-    exists(MethodAccess ma |
-      pred.asExpr() = ma.getArgument(1) and
-      isBasicAuthEnv(ma) and
-      succ.asExpr() = ma.getQualifier()
-    )
-  }
 }
 
 /**
  * A taint-tracking configuration for `ssl` configuration in LDAP authentication.
  */
-class SSLFlowConfig extends TaintTracking::Configuration {
+class SSLFlowConfig extends DataFlow::Configuration {
   SSLFlowConfig() { this = "InsecureLdapAuth:SSLFlowConfig" }
 
   /** Source of `ssl` configuration. */
   override predicate isSource(DataFlow::Node src) {
-    src.asExpr().(CompileTimeConstantExpr).getStringValue() = "ssl"
+    exists(MethodAccess ma | isSSLEnv(ma) and ma.getQualifier() = src.asExpr())
   }
 
   /** Sink of directory context creation. */
@@ -185,28 +197,12 @@ class SSLFlowConfig extends TaintTracking::Configuration {
       sink.asExpr() = cc.getArgument(0)
     )
   }
-
-  /** Method call of `env.put()`. */
-  override predicate isAdditionalTaintStep(DataFlow::Node pred, DataFlow::Node succ) {
-    exists(MethodAccess ma |
-      pred.asExpr() = ma.getArgument(1) and
-      isSSLEnv(ma) and
-      succ.asExpr() = ma.getQualifier()
-    )
-  }
 }
 
-from DataFlow::PathNode source, DataFlow::PathNode sink, InsecureUrlFlowConfig config, VarAccess va
+from DataFlow::PathNode source, DataFlow::PathNode sink, InsecureUrlFlowConfig config
 where
   config.hasFlowPath(source, sink) and
-  sink.getNode().asExpr() = va and
-  exists(BasicAuthFlowConfig bc, DataFlow::PathNode source2, DataFlow::PathNode sink2 |
-    bc.hasFlowPath(source2, sink2) and
-    sink2.getNode().asExpr() = va
-  ) and
-  not exists(SSLFlowConfig sc, DataFlow::PathNode source3, DataFlow::PathNode sink3 |
-    sc.hasFlowPath(source3, sink3) and
-    sink3.getNode().asExpr() = va
-  )
+  exists(BasicAuthFlowConfig bc | bc.hasFlowTo(sink.getNode())) and
+  not exists(SSLFlowConfig sc | sc.hasFlowTo(sink.getNode()))
 select sink.getNode(), source, sink, "Insecure LDAP authentication from $@.", source.getNode(),
   "LDAP connection string"
diff --git a/java/ql/src/semmle/code/java/frameworks/Networking.qll b/java/ql/src/semmle/code/java/frameworks/Networking.qll
index 997b8075403..cad948ed2f4 100644
--- a/java/ql/src/semmle/code/java/frameworks/Networking.qll
+++ b/java/ql/src/semmle/code/java/frameworks/Networking.qll
@@ -132,6 +132,7 @@ class UrlOpenConnectionMethod extends Method {
 
 /**
  * A string matching private host names of IPv4 and IPv6, which only matches the host portion therefore checking for port is not necessary.
+ * Several examples are localhost, reserved IPv4 IP addresses including 127.0.0.1, 10.x.x.x, 172.16.x,x, 192.168.x,x, and reserved IPv6 addresses including [0:0:0:0:0:0:0:1] and [::1]
  */
 class PrivateHostName extends string {
   bindingset[this]

From e4c3544a3f2706625f4c961a38c5d9c8700486e1 Mon Sep 17 00:00:00 2001
From: Taus Brock-Nannestad <tausbn@github.com>
Date: Tue, 2 Feb 2021 21:59:33 +0100
Subject: [PATCH 080/429] Python: Add support for `from foo.bar import baz`

This turned out to be fairly simple. Given an import such as
```python
from foo.bar.baz import quux
```
we create an API-graph node for each valid dotted prefix of
`foo.bar.baz`, i.e. `foo`, `foo.bar`, and `foo.bar.baz`. For these, we
then insert nodes in the API graph, such that `foo` steps to `foo.bar`
along an edge labeled `bar`, etc.

Finally, we only allow undotted names to hang off of the API-graph
root. Thus, `foo` will have a `moduleImport` edge off of the root, and
a `getMember` edge for `bar` (which in turn has a `getMember` edge for
`baz`).

Relative imports are explicitly ignored.

Finally, this commit also adds inline tests for a variety of ways of
importing modules, including a copy of the "import-helper" tests (with
a few modifications to allow a single annotation per line, as these
get rather long quickly!).
---
 python/ql/src/semmle/python/ApiGraphs.qll     | 56 +++++++++++++++++--
 .../dataflow/ApiGraphs/mypkg/__init__.py      |  1 +
 .../dataflow/ApiGraphs/mypkg/bar.py           |  1 +
 .../dataflow/ApiGraphs/mypkg/foo.py           |  1 +
 .../experimental/dataflow/ApiGraphs/options   |  1 +
 .../experimental/dataflow/ApiGraphs/test.py   | 34 +++++++++++
 .../experimental/dataflow/ApiGraphs/test1.py  |  6 ++
 .../experimental/dataflow/ApiGraphs/test2.py  |  4 ++
 .../experimental/dataflow/ApiGraphs/test3.py  |  4 ++
 .../experimental/dataflow/ApiGraphs/test4.py  |  4 ++
 .../experimental/dataflow/ApiGraphs/test5.py  | 10 ++++
 .../experimental/dataflow/ApiGraphs/test6.py  |  6 ++
 .../experimental/dataflow/ApiGraphs/test7.py  | 10 ++++
 .../dataflow/ApiGraphs/test_deep.py           |  4 ++
 .../dataflow/ApiGraphs/use.expected           |  0
 .../experimental/dataflow/ApiGraphs/use.ql    | 30 ++++++++++
 16 files changed, 168 insertions(+), 4 deletions(-)
 create mode 100644 python/ql/test/experimental/dataflow/ApiGraphs/mypkg/__init__.py
 create mode 100644 python/ql/test/experimental/dataflow/ApiGraphs/mypkg/bar.py
 create mode 100644 python/ql/test/experimental/dataflow/ApiGraphs/mypkg/foo.py
 create mode 100644 python/ql/test/experimental/dataflow/ApiGraphs/options
 create mode 100644 python/ql/test/experimental/dataflow/ApiGraphs/test.py
 create mode 100644 python/ql/test/experimental/dataflow/ApiGraphs/test1.py
 create mode 100644 python/ql/test/experimental/dataflow/ApiGraphs/test2.py
 create mode 100644 python/ql/test/experimental/dataflow/ApiGraphs/test3.py
 create mode 100644 python/ql/test/experimental/dataflow/ApiGraphs/test4.py
 create mode 100644 python/ql/test/experimental/dataflow/ApiGraphs/test5.py
 create mode 100644 python/ql/test/experimental/dataflow/ApiGraphs/test6.py
 create mode 100644 python/ql/test/experimental/dataflow/ApiGraphs/test7.py
 create mode 100644 python/ql/test/experimental/dataflow/ApiGraphs/test_deep.py
 create mode 100644 python/ql/test/experimental/dataflow/ApiGraphs/use.expected
 create mode 100644 python/ql/test/experimental/dataflow/ApiGraphs/use.ql

diff --git a/python/ql/src/semmle/python/ApiGraphs.qll b/python/ql/src/semmle/python/ApiGraphs.qll
index 2dc62ed30a6..2c1ff3b6cf7 100644
--- a/python/ql/src/semmle/python/ApiGraphs.qll
+++ b/python/ql/src/semmle/python/ApiGraphs.qll
@@ -230,14 +230,52 @@ module API {
       /** The root of the API graph. */
       MkRoot() or
       /** An abstract representative for imports of the module called `name`. */
-      MkModuleImport(string name) { imports(_, name) } or
+      MkModuleImport(string name) {
+        imports(_, name) or name = any(ImportExpr e | not e.isRelative()).getAnImportedModuleName()
+      } or
       /** A use of an API member at the node `nd`. */
       MkUse(DataFlow::Node nd) { use(_, _, nd) }
 
     class TUse = MkModuleImport or MkUse;
 
+    /**
+     * Holds if the dotted module name `sub` refers to the `member` member of `base`.
+     *
+     * For instance, `prefix_member("foo.bar", "baz", "foo.bar.baz")` would hold.
+     */
+    private predicate prefix_member(TApiNode base, string member, TApiNode sub) {
+      exists(string base_str, string sub_str |
+        base = MkModuleImport(base_str) and
+        sub = MkModuleImport(sub_str)
+      |
+        base_str + "." + member = sub_str and
+        not member.matches("%.%")
+      )
+    }
+
     /** Holds if `imp` is an import of a module named `name` */
-    private predicate imports(DataFlow::Node imp, string name) { imp = DataFlow::importNode(name) }
+    private predicate imports(DataFlow::Node import_node, string name) {
+      exists(Variable var, Import imp, Alias alias |
+        alias = imp.getAName() and
+        alias.getAsname() = var.getAStore() and
+        (
+          name = alias.getValue().(ImportMember).getImportedModuleName()
+          or
+          name = alias.getValue().(ImportExpr).getImportedModuleName() and
+          not alias.getValue().(ImportExpr).isRelative()
+        ) and
+        import_node.asExpr() = alias.getValue()
+      )
+      or
+      exists(ImportExpr imp_expr |
+        not imp_expr.isRelative() and
+        imp_expr.getName() = name and
+        import_node.asCfgNode().getNode() = imp_expr and
+        // in `import foo.bar` we DON'T want to give a result for `importNode("foo.bar")`,
+        // only for `importNode("foo")`. We exclude those cases with the following clause.
+        not exists(Import imp | imp.getAName().getValue() = imp_expr)
+      )
+    }
 
     /**
      * Holds if `ref` is a use of a node that should have an incoming edge from `base` labeled
@@ -248,9 +286,11 @@ module API {
       exists(DataFlow::LocalSourceNode src, DataFlow::LocalSourceNode pred |
         use(base, src) and pred = trackUseNode(src)
       |
+        // Reading an attribute on a node that is a use of `base`:
         lbl = Label::memberFromRef(ref) and
         ref = pred.getAnAttributeRead()
         or
+        // Calling a node that is a use of `base`
         lbl = Label::return() and
         ref = pred.getAnInvocation()
       )
@@ -263,7 +303,7 @@ module API {
     predicate use(TApiNode nd, DataFlow::Node ref) {
       exists(string name |
         nd = MkModuleImport(name) and
-        ref = DataFlow::importNode(name)
+        imports(ref, name)
       )
       or
       nd = MkUse(ref)
@@ -310,7 +350,15 @@ module API {
         pred = MkRoot() and
         lbl = Label::mod(m)
       |
-        succ = MkModuleImport(m)
+        succ = MkModuleImport(m) and
+        // Only allow undotted names to count as base modules.
+        not m.matches("%.%")
+      )
+      or
+      /* Step from the dotted module name `foo.bar` to `foo.bar.baz` along an edge labeled `baz` */
+      exists(string member |
+        prefix_member(pred, member, succ) and
+        lbl = Label::member(member)
       )
       or
       /* Every node that is a use of an API component is itself added to the API graph. */
diff --git a/python/ql/test/experimental/dataflow/ApiGraphs/mypkg/__init__.py b/python/ql/test/experimental/dataflow/ApiGraphs/mypkg/__init__.py
new file mode 100644
index 00000000000..c84a9b135a3
--- /dev/null
+++ b/python/ql/test/experimental/dataflow/ApiGraphs/mypkg/__init__.py
@@ -0,0 +1 @@
+foo = 42
diff --git a/python/ql/test/experimental/dataflow/ApiGraphs/mypkg/bar.py b/python/ql/test/experimental/dataflow/ApiGraphs/mypkg/bar.py
new file mode 100644
index 00000000000..2ae28399f5f
--- /dev/null
+++ b/python/ql/test/experimental/dataflow/ApiGraphs/mypkg/bar.py
@@ -0,0 +1 @@
+pass
diff --git a/python/ql/test/experimental/dataflow/ApiGraphs/mypkg/foo.py b/python/ql/test/experimental/dataflow/ApiGraphs/mypkg/foo.py
new file mode 100644
index 00000000000..2ae28399f5f
--- /dev/null
+++ b/python/ql/test/experimental/dataflow/ApiGraphs/mypkg/foo.py
@@ -0,0 +1 @@
+pass
diff --git a/python/ql/test/experimental/dataflow/ApiGraphs/options b/python/ql/test/experimental/dataflow/ApiGraphs/options
new file mode 100644
index 00000000000..1099600818b
--- /dev/null
+++ b/python/ql/test/experimental/dataflow/ApiGraphs/options
@@ -0,0 +1 @@
+semmle-extractor-options: --lang=3
\ No newline at end of file
diff --git a/python/ql/test/experimental/dataflow/ApiGraphs/test.py b/python/ql/test/experimental/dataflow/ApiGraphs/test.py
new file mode 100644
index 00000000000..c361e3a169f
--- /dev/null
+++ b/python/ql/test/experimental/dataflow/ApiGraphs/test.py
@@ -0,0 +1,34 @@
+import a1 #$ use=moduleImport("a1")
+
+x = a1.blah1 #$ use=moduleImport("a1").getMember("blah1")
+
+import a2 as m2 #$ use=moduleImport("a2")
+
+x2 = m2.blah2 #$ use=moduleImport("a2").getMember("blah2")
+
+import a3.b3 as m3 #$ use=moduleImport("a3").getMember("b3")
+
+x3 = m3.blah3 #$  use=moduleImport("a3").getMember("b3").getMember("blah3")
+
+from a4.b4 import c4 as m4 #$ use=moduleImport("a4").getMember("b4").getMember("c4")
+
+x4 = m4.blah4 #$ use=moduleImport("a4").getMember("b4").getMember("c4").getMember("blah4")
+
+import a.b.c.d #$ use=moduleImport("a")
+
+ab = a.b #$ use=moduleImport("a").getMember("b")
+
+abc = ab.c #$ use=moduleImport("a").getMember("b").getMember("c")
+
+abcd = abc.d #$ use=moduleImport("a").getMember("b").getMember("c").getMember("d")
+
+x5 = abcd() #$ use=moduleImport("a").getMember("b").getMember("c").getMember("d").getReturn()
+
+y5 = x5.method() #$ use=moduleImport("a").getMember("b").getMember("c").getMember("d").getReturn().getMember("method").getReturn()
+
+
+# Relative imports. These are ignored
+
+from .foo import bar
+
+from ..foobar import baz
\ No newline at end of file
diff --git a/python/ql/test/experimental/dataflow/ApiGraphs/test1.py b/python/ql/test/experimental/dataflow/ApiGraphs/test1.py
new file mode 100644
index 00000000000..847abda7749
--- /dev/null
+++ b/python/ql/test/experimental/dataflow/ApiGraphs/test1.py
@@ -0,0 +1,6 @@
+import mypkg #$ use=moduleImport("mypkg")
+print(mypkg.foo) #$ use=moduleImport("mypkg").getMember("foo") // 42
+try:
+    print(mypkg.bar) #$ use=moduleImport("mypkg").getMember("bar")
+except AttributeError as e:
+    print(e)  # module 'mypkg' has no attribute 'bar'
diff --git a/python/ql/test/experimental/dataflow/ApiGraphs/test2.py b/python/ql/test/experimental/dataflow/ApiGraphs/test2.py
new file mode 100644
index 00000000000..dce67f0b034
--- /dev/null
+++ b/python/ql/test/experimental/dataflow/ApiGraphs/test2.py
@@ -0,0 +1,4 @@
+from mypkg import foo #$ use=moduleImport("mypkg").getMember("foo")
+from mypkg import bar #$ use=moduleImport("mypkg").getMember("bar")
+print(foo) #$ use=moduleImport("mypkg").getMember("foo")
+print(bar) #$ use=moduleImport("mypkg").getMember("bar")
diff --git a/python/ql/test/experimental/dataflow/ApiGraphs/test3.py b/python/ql/test/experimental/dataflow/ApiGraphs/test3.py
new file mode 100644
index 00000000000..83ff25cc402
--- /dev/null
+++ b/python/ql/test/experimental/dataflow/ApiGraphs/test3.py
@@ -0,0 +1,4 @@
+import mypkg.foo #$ use=moduleImport("mypkg")
+import mypkg.bar #$ use=moduleImport("mypkg")
+print(mypkg.foo)  #$ use=moduleImport("mypkg").getMember("foo") // <module 'mypkg.foo' ...
+print(mypkg.bar)  #$ use=moduleImport("mypkg").getMember("bar") // <module 'mypkg.bar' ...
diff --git a/python/ql/test/experimental/dataflow/ApiGraphs/test4.py b/python/ql/test/experimental/dataflow/ApiGraphs/test4.py
new file mode 100644
index 00000000000..200d3b820c7
--- /dev/null
+++ b/python/ql/test/experimental/dataflow/ApiGraphs/test4.py
@@ -0,0 +1,4 @@
+import mypkg.foo as _foo #$ use=moduleImport("mypkg").getMember("foo")
+import mypkg.bar as _bar #$ use=moduleImport("mypkg").getMember("bar")
+print(_foo) #$ use=moduleImport("mypkg").getMember("foo") // <module 'mypkg.bar' ...
+print(_bar) #$ use=moduleImport("mypkg").getMember("bar") // <module 'mypkg.bar' ...
diff --git a/python/ql/test/experimental/dataflow/ApiGraphs/test5.py b/python/ql/test/experimental/dataflow/ApiGraphs/test5.py
new file mode 100644
index 00000000000..8d1bc48b9a4
--- /dev/null
+++ b/python/ql/test/experimental/dataflow/ApiGraphs/test5.py
@@ -0,0 +1,10 @@
+import mypkg #$ use=moduleImport("mypkg")
+
+print(mypkg.foo) #$ use=moduleImport("mypkg").getMember("foo") // 42
+try:
+    print(mypkg.bar) #$ use=moduleImport("mypkg").getMember("bar")
+except AttributeError as e:
+    print(e)  # module 'mypkg' has no attribute 'bar'
+
+from mypkg import bar as _bar #$ use=moduleImport("mypkg").getMember("bar")
+print(mypkg.bar) #$ use=moduleImport("mypkg").getMember("bar") // <module 'mypkg.bar' ...
diff --git a/python/ql/test/experimental/dataflow/ApiGraphs/test6.py b/python/ql/test/experimental/dataflow/ApiGraphs/test6.py
new file mode 100644
index 00000000000..f0da9d16840
--- /dev/null
+++ b/python/ql/test/experimental/dataflow/ApiGraphs/test6.py
@@ -0,0 +1,6 @@
+import mypkg #$ use=moduleImport("mypkg")
+
+print(mypkg.foo) #$ use=moduleImport("mypkg").getMember("foo") // 42
+
+import mypkg.foo #$ use=moduleImport("mypkg")
+print(mypkg.foo) #$ use=moduleImport("mypkg").getMember("foo") // <module 'mypkg.foo' ...
diff --git a/python/ql/test/experimental/dataflow/ApiGraphs/test7.py b/python/ql/test/experimental/dataflow/ApiGraphs/test7.py
new file mode 100644
index 00000000000..6ecb6e3e3f8
--- /dev/null
+++ b/python/ql/test/experimental/dataflow/ApiGraphs/test7.py
@@ -0,0 +1,10 @@
+from mypkg import foo #$ use=moduleImport("mypkg").getMember("foo")
+
+print(foo) #$ use=moduleImport("mypkg").getMember("foo") // 42
+
+import mypkg.foo #$ use=moduleImport("mypkg")
+print(foo) #$ use=moduleImport("mypkg").getMember("foo") // 42
+print(mypkg.foo) #$ use=moduleImport("mypkg").getMember("foo") // <module 'mypkg.bar' ...
+
+from mypkg import foo #$ use=moduleImport("mypkg").getMember("foo")
+print(foo) #$ use=moduleImport("mypkg").getMember("foo") // <module 'mypkg.bar' ...
diff --git a/python/ql/test/experimental/dataflow/ApiGraphs/test_deep.py b/python/ql/test/experimental/dataflow/ApiGraphs/test_deep.py
new file mode 100644
index 00000000000..0d5dab44411
--- /dev/null
+++ b/python/ql/test/experimental/dataflow/ApiGraphs/test_deep.py
@@ -0,0 +1,4 @@
+from start.middle.end import foo #$ use=moduleImport("start").getMember("middle").getMember("end").getMember("foo")
+from start.middle.end import bar #$ use=moduleImport("start").getMember("middle").getMember("end").getMember("bar")
+print(foo) #$ use=moduleImport("start").getMember("middle").getMember("end").getMember("foo")
+print(bar) #$ use=moduleImport("start").getMember("middle").getMember("end").getMember("bar")
\ No newline at end of file
diff --git a/python/ql/test/experimental/dataflow/ApiGraphs/use.expected b/python/ql/test/experimental/dataflow/ApiGraphs/use.expected
new file mode 100644
index 00000000000..e69de29bb2d
diff --git a/python/ql/test/experimental/dataflow/ApiGraphs/use.ql b/python/ql/test/experimental/dataflow/ApiGraphs/use.ql
new file mode 100644
index 00000000000..f02bb048c58
--- /dev/null
+++ b/python/ql/test/experimental/dataflow/ApiGraphs/use.ql
@@ -0,0 +1,30 @@
+import python
+import semmle.python.dataflow.new.DataFlow
+import TestUtilities.InlineExpectationsTest
+import semmle.python.ApiGraphs
+
+class ApiUseTest extends InlineExpectationsTest {
+  ApiUseTest() { this = "ApiUseTest" }
+
+  override string getARelevantTag() { result = "use" }
+
+  private predicate relevant_node(API::Node a, DataFlow::Node n, Location l) {
+    n = a.getAUse() and l = n.getLocation()
+  }
+
+  override predicate hasActualResult(Location location, string element, string tag, string value) {
+    exists(API::Node a, DataFlow::Node n | relevant_node(a, n, location) |
+      tag = "use" and
+      // Only report the longest path on this line:
+      value =
+        max(API::Node a2, Location l2 |
+          relevant_node(a2, _, l2) and
+          l2.getFile() = location.getFile() and
+          l2.getStartLine() = location.getStartLine()
+        |
+          a2.getPath()
+        ) and
+      element = n.toString()
+    )
+  }
+}

From 064568c36da7022261bc0dad9fc69cf70985b596 Mon Sep 17 00:00:00 2001
From: Jonas Jensen <jbj@github.com>
Date: Wed, 3 Feb 2021 08:49:37 +0100
Subject: [PATCH 081/429] Revert "Merge pull request #4784 from
 MathiasVP/mathiasvp/reverse-read-take-3"

This reverts commit 1b3d69d617a46b9c966b886e9941bd6cce9fcc9b, reversing
changes made to 527c41520e2d7ee8ca941d254545d0cc5300b608.
---
 .../ir/dataflow/internal/DataFlowPrivate.qll  | 342 ++++++-------
 .../cpp/ir/dataflow/internal/DataFlowUtil.qll | 391 ++++-----------
 .../dataflow-ir-consistency.expected          |  65 ++-
 .../dataflow/dataflow-tests/test.cpp          |   2 +-
 .../dataflow/fields/aliasing.cpp              |  28 --
 .../dataflow/fields/by_reference.cpp          |  12 +-
 .../fields/dataflow-consistency.expected      |   8 -
 .../fields/dataflow-ir-consistency.expected   | 200 +++++---
 .../dataflow/fields/ir-path-flow.expected     | 468 +++++-------------
 .../fields/partial-definition-diff.expected   | 263 ++++++----
 .../fields/partial-definition-ir.expected     | 266 ----------
 .../fields/partial-definition.expected        |  17 -
 .../dataflow/fields/path-flow.expected        |  55 --
 .../library-tests/dataflow/fields/simple.cpp  |  12 -
 .../dataflow-ir-consistency.expected          | 194 ++++----
 .../TaintedAllocationSize.expected            |  24 +-
 .../ArithmeticUncontrolled.expected           |  30 +-
 17 files changed, 885 insertions(+), 1492 deletions(-)

diff --git a/cpp/ql/src/semmle/code/cpp/ir/dataflow/internal/DataFlowPrivate.qll b/cpp/ql/src/semmle/code/cpp/ir/dataflow/internal/DataFlowPrivate.qll
index 68b31a732f4..762ce8d47b4 100644
--- a/cpp/ql/src/semmle/code/cpp/ir/dataflow/internal/DataFlowPrivate.qll
+++ b/cpp/ql/src/semmle/code/cpp/ir/dataflow/internal/DataFlowPrivate.qll
@@ -2,7 +2,6 @@ private import cpp
 private import DataFlowUtil
 private import semmle.code.cpp.ir.IR
 private import DataFlowDispatch
-private import semmle.code.cpp.models.interfaces.DataFlow
 
 /**
  * A data flow node that occurs as the argument of a call and is passed as-is
@@ -210,13 +209,6 @@ private class FieldContent extends Content, TFieldContent {
   predicate hasOffset(Class cl, int start, int end) { cl = c and start = startBit and end = endBit }
 
   Field getAField() { result = getAField(c, startBit, endBit) }
-
-  pragma[noinline]
-  Field getADirectField() {
-    c = result.getDeclaringType() and
-    this.getAField() = result and
-    this.hasOffset(c, _, _)
-  }
 }
 
 private class CollectionContent extends Content, TCollectionContent {
@@ -229,101 +221,69 @@ private class ArrayContent extends Content, TArrayContent {
   override string toString() { result = "array content" }
 }
 
-/**
- * A store step from the value of a `StoreInstruction` to the "innermost" field of the destination.
- * This predicate only holds when there is no `ChiInsturction` that merges the result of the
- * `StoreInstruction` into a larger memory.
- */
-private predicate instrToFieldNodeStoreStepNoChi(
-  Node node1, FieldContent f, PartialDefinitionNode node2
-) {
-  exists(StoreInstruction store, PartialFieldDefinition pd |
-    pd = node2.getPartialDefinition() and
-    not exists(ChiInstruction chi | chi.getPartial() = store) and
-    pd.getPreUpdateNode() = GetFieldNode::fromInstruction(store.getDestinationAddress()) and
+private predicate fieldStoreStepNoChi(Node node1, FieldContent f, PostUpdateNode node2) {
+  exists(StoreInstruction store, Class c |
+    store = node2.asInstruction() and
     store.getSourceValueOperand() = node1.asOperand() and
-    f.getADirectField() = pd.getPreUpdateNode().getField()
+    getWrittenField(store, f.(FieldContent).getAField(), c) and
+    f.hasOffset(c, _, _)
   )
 }
 
-/**
- * A store step from a `StoreInstruction` to the "innermost" field
- * of the destination. This predicate only holds when there exists a `ChiInstruction` that merges the
- * result of the `StoreInstruction` into a larger memory.
- */
-private predicate instrToFieldNodeStoreStepChi(
-  Node node1, FieldContent f, PartialDefinitionNode node2
-) {
-  exists(
-    ChiPartialOperand operand, StoreInstruction store, ChiInstruction chi, PartialFieldDefinition pd
-  |
-    pd = node2.getPartialDefinition() and
-    not chi.isResultConflated() and
-    node1.asOperand() = operand and
+private FieldAddressInstruction getFieldInstruction(Instruction instr) {
+  result = instr or
+  result = instr.(CopyValueInstruction).getUnary()
+}
+
+pragma[noinline]
+private predicate getWrittenField(Instruction instr, Field f, Class c) {
+  exists(FieldAddressInstruction fa |
+    fa =
+      getFieldInstruction([
+          instr.(StoreInstruction).getDestinationAddress(),
+          instr.(WriteSideEffectInstruction).getDestinationAddress()
+        ]) and
+    f = fa.getField() and
+    c = f.getDeclaringType()
+  )
+}
+
+private predicate fieldStoreStepChi(Node node1, FieldContent f, PostUpdateNode node2) {
+  exists(ChiPartialOperand operand, ChiInstruction chi |
     chi.getPartialOperand() = operand and
-    store = operand.getDef() and
-    pd.getPreUpdateNode() = GetFieldNode::fromInstruction(store.getDestinationAddress()) and
-    f.getADirectField() = pd.getPreUpdateNode().getField()
-  )
-}
-
-private predicate callableWithoutDefinitionStoreStep(
-  Node node1, FieldContent f, PartialDefinitionNode node2
-) {
-  exists(
-    WriteSideEffectInstruction write, ChiInstruction chi, PartialFieldDefinition pd,
-    Function callable, CallInstruction call
-  |
-    chi.getPartial() = write and
-    not chi.isResultConflated() and
-    pd = node2.getPartialDefinition() and
-    pd.getPreUpdateNode() = GetFieldNode::fromInstruction(write.getDestinationAddress()) and
-    f.getADirectField() = pd.getPreUpdateNode().getField() and
-    call = write.getPrimaryInstruction() and
-    callable = call.getStaticCallTarget() and
-    not callable.hasDefinition()
-  |
-    exists(OutParameterDeref out | out.getIndex() = write.getIndex() |
-      callable.(DataFlowFunction).hasDataFlow(_, out) and
-      node1.asInstruction() = write
-    )
-    or
-    // Ideally we shouldn't need to do a store step from a read side effect, but if we don't have a
-    // model for the callee there might not be flow to the write side effect (since the callee has no
-    // definition). This case ensures that we propagate dataflow when a field is passed into a
-    // function that has a write side effect, even though the write side effect doesn't have incoming
-    // flow.
-    not callable instanceof DataFlowFunction and
-    exists(ReadSideEffectInstruction read | call = read.getPrimaryInstruction() |
-      node1.asInstruction() = read.getSideEffectOperand().getAnyDef()
+    node1.asOperand() = operand and
+    node2.asInstruction() = chi and
+    exists(Class c |
+      c = chi.getResultType() and
+      exists(int startBit, int endBit |
+        chi.getUpdatedInterval(startBit, endBit) and
+        f.hasOffset(c, startBit, endBit)
+      )
+      or
+      getWrittenField(operand.getDef(), f.getAField(), c) and
+      f.hasOffset(c, _, _)
     )
   )
 }
 
-/**
- * A store step from a `StoreInstruction` to the `ChiInstruction` generated from assigning
- * to a pointer or array indirection
- */
-private predicate arrayStoreStepChi(Node node1, ArrayContent a, PartialDefinitionNode node2) {
+private predicate arrayStoreStepChi(Node node1, ArrayContent a, PostUpdateNode node2) {
   a = TArrayContent() and
-  exists(
-    ChiPartialOperand operand, ChiInstruction chi, StoreInstruction store, PartialDefinition pd
-  |
-    pd = node2.getPartialDefinition() and
+  exists(ChiPartialOperand operand, ChiInstruction chi, StoreInstruction store |
     chi.getPartialOperand() = operand and
     store = operand.getDef() and
     node1.asOperand() = operand and
     // This `ChiInstruction` will always have a non-conflated result because both `ArrayStoreNode`
     // and `PointerStoreNode` require it in their characteristic predicates.
-    pd.getPreUpdateNode().asOperand() = chi.getTotalOperand()
-  |
-    // `x[i] = taint()`
-    // This matches the characteristic predicate in `ArrayStoreNode`.
-    store.getDestinationAddress() instanceof PointerAddInstruction
-    or
-    // `*p = taint()`
-    // This matches the characteristic predicate in `PointerStoreNode`.
-    store.getDestinationAddress().(CopyValueInstruction).getUnary() instanceof LoadInstruction
+    node2.asInstruction() = chi and
+    (
+      // `x[i] = taint()`
+      // This matches the characteristic predicate in `ArrayStoreNode`.
+      store.getDestinationAddress() instanceof PointerAddInstruction
+      or
+      // `*p = taint()`
+      // This matches the characteristic predicate in `PointerStoreNode`.
+      store.getDestinationAddress().(CopyValueInstruction).getUnary() instanceof LoadInstruction
+    )
   )
 }
 
@@ -333,10 +293,82 @@ private predicate arrayStoreStepChi(Node node1, ArrayContent a, PartialDefinitio
  * value of `node1`.
  */
 predicate storeStep(Node node1, Content f, PostUpdateNode node2) {
-  instrToFieldNodeStoreStepNoChi(node1, f, node2) or
-  instrToFieldNodeStoreStepChi(node1, f, node2) or
+  fieldStoreStepNoChi(node1, f, node2) or
+  fieldStoreStepChi(node1, f, node2) or
   arrayStoreStepChi(node1, f, node2) or
-  callableWithoutDefinitionStoreStep(node1, f, node2)
+  fieldStoreStepAfterArraySuppression(node1, f, node2)
+}
+
+// This predicate pushes the correct `FieldContent` onto the access path when the
+// `suppressArrayRead` predicate has popped off an `ArrayContent`.
+private predicate fieldStoreStepAfterArraySuppression(
+  Node node1, FieldContent f, PostUpdateNode node2
+) {
+  exists(WriteSideEffectInstruction write, ChiInstruction chi, Class c |
+    not chi.isResultConflated() and
+    node1.asInstruction() = chi and
+    node2.asInstruction() = chi and
+    chi.getPartial() = write and
+    getWrittenField(write, f.getAField(), c) and
+    f.hasOffset(c, _, _)
+  )
+}
+
+bindingset[result, i]
+private int unbindInt(int i) { i <= result and i >= result }
+
+pragma[noinline]
+private predicate getLoadedField(LoadInstruction load, Field f, Class c) {
+  exists(FieldAddressInstruction fa |
+    fa = load.getSourceAddress() and
+    f = fa.getField() and
+    c = f.getDeclaringType()
+  )
+}
+
+/**
+ * Holds if data can flow from `node1` to `node2` via a read of `f`.
+ * Thus, `node1` references an object with a field `f` whose value ends up in
+ * `node2`.
+ */
+private predicate fieldReadStep(Node node1, FieldContent f, Node node2) {
+  exists(LoadOperand operand |
+    node2.asOperand() = operand and
+    node1.asInstruction() = operand.getAnyDef() and
+    exists(Class c |
+      c = operand.getAnyDef().getResultType() and
+      exists(int startBit, int endBit |
+        operand.getUsedInterval(unbindInt(startBit), unbindInt(endBit)) and
+        f.hasOffset(c, startBit, endBit)
+      )
+      or
+      getLoadedField(operand.getUse(), f.getAField(), c) and
+      f.hasOffset(c, _, _)
+    )
+  )
+}
+
+/**
+ * When a store step happens in a function that looks like an array write such as:
+ * ```cpp
+ * void f(int* pa) {
+ *   pa = source();
+ * }
+ * ```
+ * it can be a write to an array, but it can also happen that `f` is called as `f(&a.x)`. If that is
+ * the case, the `ArrayContent` that was written by the call to `f` should be popped off the access
+ * path, and a `FieldContent` containing `x` should be pushed instead.
+ * So this case pops `ArrayContent` off the access path, and the `fieldStoreStepAfterArraySuppression`
+ * predicate in `storeStep` ensures that we push the right `FieldContent` onto the access path.
+ */
+predicate suppressArrayRead(Node node1, ArrayContent a, Node node2) {
+  a = TArrayContent() and
+  exists(WriteSideEffectInstruction write, ChiInstruction chi |
+    node1.asInstruction() = write and
+    node2.asInstruction() = chi and
+    chi.getPartial() = write and
+    getWrittenField(write, _, _)
+  )
 }
 
 private class ArrayToPointerConvertInstruction extends ConvertInstruction {
@@ -346,96 +378,34 @@ private class ArrayToPointerConvertInstruction extends ConvertInstruction {
   }
 }
 
-private class InexactLoadOperand extends LoadOperand {
-  InexactLoadOperand() { this.isDefinitionInexact() }
-}
-
-/** Get the result type of `i`, if it is a `PointerType`. */
-private PointerType getPointerType(Instruction i) {
-  // We are done if the type is a pointer type that is not a glvalue
-  i.getResultLanguageType().hasType(result, false)
+private Instruction skipOneCopyValueInstructionRec(CopyValueInstruction copy) {
+  copy.getUnary() = result and not result instanceof CopyValueInstruction
   or
-  // Some instructions produce a glvalue. Recurse past those to get the actual `PointerType`.
-  result = getPointerType(i.(PointerOffsetInstruction).getLeft())
+  result = skipOneCopyValueInstructionRec(copy.getUnary())
 }
 
-pragma[noinline]
-private predicate deconstructLoad(
-  LoadInstruction load, InexactLoadOperand loadOperand, Instruction addressInstr
-) {
-  load.getSourceAddress() = addressInstr and
-  load.getSourceValueOperand() = loadOperand
+private Instruction skipCopyValueInstructions(Operand op) {
+  not result instanceof CopyValueInstruction and result = op.getDef()
+  or
+  result = skipOneCopyValueInstructionRec(op.getDef())
 }
 
 private predicate arrayReadStep(Node node1, ArrayContent a, Node node2) {
   a = TArrayContent() and
   // Explicit dereferences such as `*p` or `p[i]` where `p` is a pointer or array.
-  exists(InexactLoadOperand loadOperand, LoadInstruction load, Instruction address |
-    deconstructLoad(load, loadOperand, address) and
-    node1.asInstruction() = loadOperand.getAnyDef() and
-    not node1.asInstruction().isResultConflated() and
-    loadOperand = node2.asOperand() and
-    // Ensure that the load is actually loading from an array or a pointer.
-    getPointerType(address).getBaseType() = load.getResultType()
-  )
-}
-
-/** Step from the value loaded by a `LoadInstruction` to the "outermost" loaded field. */
-private predicate instrToFieldNodeReadStep(FieldNode node1, FieldContent f, Node node2) {
-  (
-    node1.getNextNode() = node2
-    or
-    not exists(node1.getNextNode()) and
-    (
-      exists(LoadInstruction load |
-        node2.asInstruction() = load and
-        node1 = GetFieldNode::fromInstruction(load.getSourceAddress())
-      )
-      or
-      exists(ReadSideEffectInstruction read |
-        node2.asOperand() = read.getSideEffectOperand() and
-        node1 = GetFieldNode::fromInstruction(read.getArgumentDef())
-      )
-    )
-  ) and
-  f.getADirectField() = node1.getField()
-}
-
-bindingset[result, i]
-private int unbindInt(int i) { i <= result and i >= result }
-
-pragma[noinline]
-private FieldNode getFieldNodeFromLoadOperand(LoadOperand loadOperand) {
-  result = GetFieldNode::fromOperand(loadOperand.getAddressOperand())
-}
-
-/**
- * Sometimes there's no explicit field dereference. In such cases we use the IR alias analysis to
- * determine the offset being, and deduce the field from this information.
- */
-private predicate aliasedReadStep(Node node1, FieldContent f, Node node2) {
-  exists(LoadOperand operand, Class c, int startBit, int endBit |
-    // Ensure that we don't already catch this store step using a `FieldNode`.
-    not instrToFieldNodeReadStep(getFieldNodeFromLoadOperand(operand), f, _) and
+  exists(LoadOperand operand, Instruction address |
+    operand.isDefinitionInexact() and
     node1.asInstruction() = operand.getAnyDef() and
-    node2.asOperand() = operand and
-    not node1.asInstruction().isResultConflated() and
-    c = operand.getAnyDef().getResultType() and
-    f.hasOffset(c, startBit, endBit) and
-    operand.getUsedInterval(unbindInt(startBit), unbindInt(endBit))
+    operand = node2.asOperand() and
+    address = skipCopyValueInstructions(operand.getAddressOperand()) and
+    (
+      address instanceof LoadInstruction or
+      address instanceof ArrayToPointerConvertInstruction or
+      address instanceof PointerOffsetInstruction
+    )
   )
 }
 
-/** Get the result type of an `Instruction` i, if it is a `ReferenceType`. */
-private ReferenceType getReferenceType(Instruction i) {
-  i.getResultLanguageType().hasType(result, false)
-}
-
-pragma[noinline]
-Type getResultTypeOfSourceValue(CopyValueInstruction copy) {
-  result = copy.getSourceValue().getResultType()
-}
-
 /**
  * In cases such as:
  * ```cpp
@@ -447,25 +417,21 @@ Type getResultTypeOfSourceValue(CopyValueInstruction copy) {
  * f(&x);
  * use(x);
  * ```
- * the store to `*pa` in `f` will push `ArrayContent` onto the access path. The `innerRead` predicate
- * pops the `ArrayContent` off the access path when a value-to-pointer or value-to-reference conversion
- * happens on the argument that is ends up as the target of such a store.
+ * the load on `x` in `use(x)` will exactly overlap with its definition (in this case the definition
+ * is a `WriteSideEffect`). This predicate pops the `ArrayContent` (pushed by the store in `f`)
+ * from the access path.
  */
-private predicate innerReadStep(Node node1, Content a, Node node2) {
+private predicate exactReadStep(Node node1, ArrayContent a, Node node2) {
   a = TArrayContent() and
-  exists(WriteSideEffectInstruction write, CallInstruction call, CopyValueInstruction copyValue |
-    write.getPrimaryInstruction() = call and
+  exists(WriteSideEffectInstruction write, ChiInstruction chi |
+    not chi.isResultConflated() and
+    chi.getPartial() = write and
     node1.asInstruction() = write and
-    (
-      not exists(ChiInstruction chi | chi.getPartial() = write)
-      or
-      exists(ChiInstruction chi | chi.getPartial() = write and not chi.isResultConflated())
-    ) and
-    node2.asInstruction() = write and
-    copyValue = call.getArgument(write.getIndex()) and
-    // Check that `copyValue` is actually doing a T to a T* conversion.
-    [getPointerType(copyValue).getBaseType(), getReferenceType(copyValue).getBaseType()].stripType() =
-      getResultTypeOfSourceValue(copyValue).stripType()
+    node2.asInstruction() = chi and
+    // To distinquish this case from the `arrayReadStep` case we require that the entire variable was
+    // overwritten by the `WriteSideEffectInstruction` (i.e., there is a load that reads the
+    // entire variable).
+    exists(LoadInstruction load | load.getSourceValue() = chi)
   )
 }
 
@@ -475,10 +441,10 @@ private predicate innerReadStep(Node node1, Content a, Node node2) {
  * `node2`.
  */
 predicate readStep(Node node1, Content f, Node node2) {
-  aliasedReadStep(node1, f, node2) or
+  fieldReadStep(node1, f, node2) or
   arrayReadStep(node1, f, node2) or
-  instrToFieldNodeReadStep(node1, f, node2) or
-  innerReadStep(node1, f, node2)
+  exactReadStep(node1, f, node2) or
+  suppressArrayRead(node1, f, node2)
 }
 
 /**
diff --git a/cpp/ql/src/semmle/code/cpp/ir/dataflow/internal/DataFlowUtil.qll b/cpp/ql/src/semmle/code/cpp/ir/dataflow/internal/DataFlowUtil.qll
index aba8e3bceec..b21a0abc20b 100644
--- a/cpp/ql/src/semmle/code/cpp/ir/dataflow/internal/DataFlowUtil.qll
+++ b/cpp/ql/src/semmle/code/cpp/ir/dataflow/internal/DataFlowUtil.qll
@@ -15,11 +15,7 @@ cached
 private newtype TIRDataFlowNode =
   TInstructionNode(Instruction i) or
   TOperandNode(Operand op) or
-  TVariableNode(Variable var) or
-  // `FieldNodes` are used as targets of certain `storeStep`s to implement handling of stores to
-  // nested structs.
-  TFieldNode(FieldAddressInstruction field) or
-  TPartialDefinitionNode(PartialDefinition pd)
+  TVariableNode(Variable var)
 
 /**
  * A node in a data flow graph.
@@ -32,22 +28,7 @@ class Node extends TIRDataFlowNode {
   /**
    * INTERNAL: Do not use.
    */
-  final Declaration getEnclosingCallable() {
-    result = unique(Declaration d | d = this.getEnclosingCallableImpl() | d)
-  }
-
-  final private Declaration getEnclosingCallableImpl() {
-    result = this.asInstruction().getEnclosingFunction() or
-    result = this.asOperand().getUse().getEnclosingFunction() or
-    // When flow crosses from one _enclosing callable_ to another, the
-    // interprocedural data-flow library discards call contexts and inserts a
-    // node in the big-step relation used for human-readable path explanations.
-    // Therefore we want a distinct enclosing callable for each `VariableNode`,
-    // and that can be the `Variable` itself.
-    result = this.asVariable() or
-    result = this.(FieldNode).getFieldInstruction().getEnclosingFunction() or
-    result = this.(PartialDefinitionNode).getPreUpdateNode().getFunction()
-  }
+  Declaration getEnclosingCallable() { none() } // overridden in subclasses
 
   /** Gets the function to which this node belongs, if any. */
   Function getFunction() { none() } // overridden in subclasses
@@ -152,6 +133,8 @@ class InstructionNode extends Node, TInstructionNode {
   /** Gets the instruction corresponding to this node. */
   Instruction getInstruction() { result = instr }
 
+  override Declaration getEnclosingCallable() { result = this.getFunction() }
+
   override Function getFunction() { result = instr.getEnclosingFunction() }
 
   override IRType getType() { result = instr.getResultIRType() }
@@ -176,6 +159,8 @@ class OperandNode extends Node, TOperandNode {
   /** Gets the operand corresponding to this node. */
   Operand getOperand() { result = op }
 
+  override Declaration getEnclosingCallable() { result = this.getFunction() }
+
   override Function getFunction() { result = op.getUse().getEnclosingFunction() }
 
   override IRType getType() { result = op.getIRType() }
@@ -185,139 +170,6 @@ class OperandNode extends Node, TOperandNode {
   override string toString() { result = this.getOperand().toString() }
 }
 
-/**
- * INTERNAL: do not use. Encapsulates the details of getting a `FieldNode` from
- * an `Instruction` or an `Operand`.
- */
-module GetFieldNode {
-  /** An abstract class that defines conversion-like instructions. */
-  abstract private class SkippableInstruction extends Instruction {
-    abstract Instruction getSourceInstruction();
-  }
-
-  /**
-   * Gets the instruction that is propaged through a non-empty sequence of conversion-like instructions.
-   */
-  private Instruction skipSkippableInstructionsRec(SkippableInstruction skip) {
-    result = skip.getSourceInstruction() and not result instanceof SkippableInstruction
-    or
-    result = skipSkippableInstructionsRec(skip.getSourceInstruction())
-  }
-
-  /**
-   * Gets the instruction that is propagated through a (possibly empty) sequence of conversion-like
-   * instructions.
-   */
-  private Instruction skipSkippableInstructions(Instruction instr) {
-    result = instr and not result instanceof SkippableInstruction
-    or
-    result = skipSkippableInstructionsRec(instr)
-  }
-
-  private class SkippableCopyValueInstruction extends SkippableInstruction, CopyValueInstruction {
-    override Instruction getSourceInstruction() { result = this.getSourceValue() }
-  }
-
-  private class SkippableConvertInstruction extends SkippableInstruction, ConvertInstruction {
-    override Instruction getSourceInstruction() { result = this.getUnary() }
-  }
-
-  private class SkippableCheckedConvertInstruction extends SkippableInstruction,
-    CheckedConvertOrNullInstruction {
-    override Instruction getSourceInstruction() { result = this.getUnary() }
-  }
-
-  private class SkippableInheritanceConversionInstruction extends SkippableInstruction,
-    InheritanceConversionInstruction {
-    override Instruction getSourceInstruction() { result = this.getUnary() }
-  }
-
-  /**
-   * INTERNAL: do not use. Gets the `FieldNode` corresponding to `instr`, if
-   * `instr` is an instruction that propagates an address of a `FieldAddressInstruction`.
-   */
-  FieldNode fromInstruction(Instruction instr) {
-    result.getFieldInstruction() = skipSkippableInstructions(instr)
-  }
-
-  /**
-   * INTERNAL: do not use. Gets the `FieldNode` corresponding to `op`, if the definition
-   * of `op` is an instruction that propagates an address of a `FieldAddressInstruction`.
-   */
-  FieldNode fromOperand(Operand op) { result = fromInstruction(op.getDef()) }
-}
-
-/**
- * INTERNAL: do not use. A `FieldNode` represents the state of a field before any partial definitions
- * of the field. For instance, in the snippet:
- * ```cpp
- * struct A { struct B { int c; } b; };
- * // ...
- * A a;
- * f(a.b.c);
- * ```
- * there are two `FieldNode`s: one corresponding to `c`, and one corresponding to `b`. Similarly,
- * in `a.b.c = x` there are two `FieldNode`s: one for `c` and one for `b`.
- */
-class FieldNode extends Node, TFieldNode {
-  FieldAddressInstruction field;
-
-  FieldNode() { this = TFieldNode(field) }
-
-  /** Gets the `Field` of this `FieldNode`. */
-  Field getField() { result = getFieldInstruction().getField() }
-
-  /** Gets the `FieldAddressInstruction` of this `FieldNode`. */
-  FieldAddressInstruction getFieldInstruction() { result = field }
-
-  /**
-   * Gets the `FieldNode` corresponding to the parent field of this `FieldNode`, if any.
-   *
-   * For example, if `f` is the `FieldNode` for `c` in the expression `a.b.c`, then `f.getObjectNode()`
-   * gives the `FieldNode` of `b`, and `f.getObjectNode().getObjectNode()` has no result as `a` is
-   * not a field.
-   */
-  FieldNode getObjectNode() { result = GetFieldNode::fromInstruction(field.getObjectAddress()) }
-
-  /**
-   * Gets the `FieldNode` that has this `FieldNode` as parent, if any.
-   *
-   * For example, if `f` is the `FieldNode` corresponding to `b` in `a.b.c`, then `f.getNextNode()`
-   * gives the `FieldNode` corresponding to `c`, and `f.getNextNode().getNextNode()`.
-   */
-  FieldNode getNextNode() { result.getObjectNode() = this }
-
-  /** Gets the class where the field of this node is declared. */
-  Class getDeclaringType() { result = getField().getDeclaringType() }
-
-  override Function getFunction() { result = field.getEnclosingFunction() }
-
-  override IRType getType() { result = field.getResultIRType() }
-
-  override Location getLocation() { result = field.getLocation() }
-
-  override string toString() { result = this.getField().toString() }
-}
-
-/**
- * INTERNAL: do not use. A partial definition of a `FieldNode`.
- */
-class PartialFieldDefinition extends FieldNode, PartialDefinition {
-  /**
-   * The pre-update node of a partial definition of a `FieldNode` is the `FieldNode` itself. This ensures
-   * that the data flow library's reverse read mechanism builds up the correct access path for nested
-   * fields.
-   * For instance, in `a.b.c = x` there is a partial definition for `c` (let's call it `post[c]`) and a
-   * partial definition for `b` (let's call it `post[b]`), and there is a read step from `b` to `c`
-   * (using `instrToFieldNodeReadStep`), so there is a store step from `post[c]` to `post[b]`.
-   */
-  override FieldNode getPreUpdateNode() { result = this }
-
-  override Expr getDefinedExpr() {
-    result = this.getFieldInstruction().getObjectAddress().getUnconvertedResultExpression()
-  }
-}
-
 /**
  * An expression, viewed as a node in a data flow graph.
  */
@@ -455,26 +307,11 @@ deprecated class UninitializedNode extends Node {
  * This class exists to match the interface used by Java. There are currently no non-abstract
  * classes that extend it. When we implement field flow, we can revisit this.
  */
-abstract class PostUpdateNode extends Node {
+abstract class PostUpdateNode extends InstructionNode {
   /**
    * Gets the node before the state update.
    */
   abstract Node getPreUpdateNode();
-
-  override Function getFunction() { result = getPreUpdateNode().getFunction() }
-
-  override IRType getType() { result = getPreUpdateNode().getType() }
-
-  override Location getLocation() { result = getPreUpdateNode().getLocation() }
-}
-
-/** INTERNAL: do not use. A partial definition of a node. */
-abstract class PartialDefinition extends Node {
-  /** Gets the node before the state update. */
-  abstract Node getPreUpdateNode();
-
-  /** Gets the expression that is partially defined by this node. */
-  abstract Expr getDefinedExpr();
 }
 
 /**
@@ -490,40 +327,112 @@ abstract class PartialDefinition extends Node {
  * setY(&x); // a partial definition of the object `x`.
  * ```
  */
-class PartialDefinitionNode extends PostUpdateNode, TPartialDefinitionNode {
-  PartialDefinition pd;
+abstract private class PartialDefinitionNode extends PostUpdateNode {
+  abstract Expr getDefinedExpr();
+}
 
-  PartialDefinitionNode() { this = TPartialDefinitionNode(pd) }
+private class ExplicitFieldStoreQualifierNode extends PartialDefinitionNode {
+  override ChiInstruction instr;
+  StoreInstruction store;
 
-  /** Gets the expression that is partially defined by this node, if any. */
-  Expr getDefinedExpr() { result = pd.getDefinedExpr() }
+  ExplicitFieldStoreQualifierNode() {
+    not instr.isResultConflated() and
+    instr.getPartial() = store and
+    (
+      instr.getUpdatedInterval(_, _) or
+      store.getDestinationAddress() instanceof FieldAddressInstruction
+    )
+  }
 
-  override Node getPreUpdateNode() { result = pd.getPreUpdateNode() }
+  // By using an operand as the result of this predicate we avoid the dataflow inconsistency errors
+  // caused by having multiple nodes sharing the same pre update node. This inconsistency error can cause
+  // a tuple explosion in the big step dataflow relation since it can make many nodes be the entry node
+  // into a big step.
+  override Node getPreUpdateNode() { result.asOperand() = instr.getTotalOperand() }
 
-  /** Gets the `PartialDefinition` associated with this node. */
-  PartialDefinition getPartialDefinition() { result = pd }
+  override Expr getDefinedExpr() {
+    result =
+      store
+          .getDestinationAddress()
+          .(FieldAddressInstruction)
+          .getObjectAddress()
+          .getUnconvertedResultExpression()
+  }
+}
 
-  override string toString() { result = getPreUpdateNode().toString() + " [post update]" }
+/**
+ * Not every store instruction generates a chi instruction that we can attach a PostUpdateNode to.
+ * For instance, an update to a field of a struct containing only one field. For these cases we
+ * attach the PostUpdateNode to the store instruction. There's no obvious pre update node for this case
+ * (as the entire memory is updated), so `getPreUpdateNode` is implemented as `none()`.
+ */
+private class ExplicitSingleFieldStoreQualifierNode extends PartialDefinitionNode {
+  override StoreInstruction instr;
+
+  ExplicitSingleFieldStoreQualifierNode() {
+    not exists(ChiInstruction chi | chi.getPartial() = instr) and
+    // Without this condition any store would create a `PostUpdateNode`.
+    instr.getDestinationAddress() instanceof FieldAddressInstruction
+  }
+
+  override Node getPreUpdateNode() { none() }
+
+  override Expr getDefinedExpr() {
+    result =
+      instr
+          .getDestinationAddress()
+          .(FieldAddressInstruction)
+          .getObjectAddress()
+          .getUnconvertedResultExpression()
+  }
+}
+
+private FieldAddressInstruction getFieldInstruction(Instruction instr) {
+  result = instr or
+  result = instr.(CopyValueInstruction).getUnary()
+}
+
+/**
+ * The target of a `fieldStoreStepAfterArraySuppression` store step, which is used to convert
+ * an `ArrayContent` to a `FieldContent` when the `WriteSideEffect` instruction stores
+ * into a field. See the QLDoc for `suppressArrayRead` for an example of where such a conversion
+ * is inserted.
+ */
+private class WriteSideEffectFieldStoreQualifierNode extends PartialDefinitionNode {
+  override ChiInstruction instr;
+  WriteSideEffectInstruction write;
+  FieldAddressInstruction field;
+
+  WriteSideEffectFieldStoreQualifierNode() {
+    not instr.isResultConflated() and
+    instr.getPartial() = write and
+    field = getFieldInstruction(write.getDestinationAddress())
+  }
+
+  override Node getPreUpdateNode() { result.asOperand() = instr.getTotalOperand() }
+
+  override Expr getDefinedExpr() {
+    result = field.getObjectAddress().getUnconvertedResultExpression()
+  }
 }
 
 /**
  * The `PostUpdateNode` that is the target of a `arrayStoreStepChi` store step. The overriden
  * `ChiInstruction` corresponds to the instruction represented by `node2` in `arrayStoreStepChi`.
  */
-private class ArrayStoreNode extends InstructionNode, PartialDefinition {
-  ChiInstruction chi;
+private class ArrayStoreNode extends PartialDefinitionNode {
+  override ChiInstruction instr;
   PointerAddInstruction add;
 
   ArrayStoreNode() {
-    chi = this.getInstruction() and
-    not chi.isResultConflated() and
+    not instr.isResultConflated() and
     exists(StoreInstruction store |
-      chi.getPartial() = store and
+      instr.getPartial() = store and
       add = store.getDestinationAddress()
     )
   }
 
-  override Node getPreUpdateNode() { result.asOperand() = chi.getTotalOperand() }
+  override Node getPreUpdateNode() { result.asOperand() = instr.getTotalOperand() }
 
   override Expr getDefinedExpr() { result = add.getLeft().getUnconvertedResultExpression() }
 }
@@ -532,24 +441,18 @@ private class ArrayStoreNode extends InstructionNode, PartialDefinition {
  * The `PostUpdateNode` that is the target of a `arrayStoreStepChi` store step. The overriden
  * `ChiInstruction` corresponds to the instruction represented by `node2` in `arrayStoreStepChi`.
  */
-private class PointerStoreNode extends InstructionNode, PartialDefinition {
-  ChiInstruction chi;
-  LoadInstruction load;
+private class PointerStoreNode extends PostUpdateNode {
+  override ChiInstruction instr;
 
   PointerStoreNode() {
-    chi = this.getInstruction() and
-    not chi.isResultConflated() and
+    not instr.isResultConflated() and
     exists(StoreInstruction store |
-      chi.getPartial() = store and
-      load = store.getDestinationAddress().(CopyValueInstruction).getUnary()
+      instr.getPartial() = store and
+      store.getDestinationAddress().(CopyValueInstruction).getUnary() instanceof LoadInstruction
     )
   }
 
-  override Node getPreUpdateNode() { result.asOperand() = chi.getTotalOperand() }
-
-  override Expr getDefinedExpr() {
-    result = load.getSourceAddress().getUnconvertedResultExpression()
-  }
+  override Node getPreUpdateNode() { result.asOperand() = instr.getTotalOperand() }
 }
 
 /**
@@ -562,7 +465,7 @@ private class PointerStoreNode extends InstructionNode, PartialDefinition {
  * returned. This node will have its `getArgument()` equal to `&x` and its
  * `getVariableAccess()` equal to `x`.
  */
-class DefinitionByReferenceNode extends InstructionNode, PostUpdateNode {
+class DefinitionByReferenceNode extends InstructionNode {
   override WriteSideEffectInstruction instr;
 
   /** Gets the unconverted argument corresponding to this node. */
@@ -590,22 +493,6 @@ class DefinitionByReferenceNode extends InstructionNode, PostUpdateNode {
     not exists(instr.getPrimaryInstruction().(CallInstruction).getStaticCallTarget()) and
     result = "output argument"
   }
-
-  override Function getFunction() { result = instr.getEnclosingFunction() }
-
-  override IRType getType() { result = instr.getResultIRType() }
-
-  override Location getLocation() { result = instr.getLocation() }
-
-  // Make the read side effect's side effect operand the pre update node of this write side effect.
-  // This ensures that we match up the parameter index of the parameter indirection's modification.
-  override Node getPreUpdateNode() {
-    exists(ReadSideEffectInstruction read |
-      read.getPrimaryInstruction() = instr.getPrimaryInstruction() and
-      read.getArgumentDef() = instr.getDestinationAddress() and
-      result.asOperand() = read.getSideEffectOperand()
-    )
-  }
 }
 
 /**
@@ -623,6 +510,15 @@ class VariableNode extends Node, TVariableNode {
 
   override Function getFunction() { none() }
 
+  override Declaration getEnclosingCallable() {
+    // When flow crosses from one _enclosing callable_ to another, the
+    // interprocedural data-flow library discards call contexts and inserts a
+    // node in the big-step relation used for human-readable path explanations.
+    // Therefore we want a distinct enclosing callable for each `VariableNode`,
+    // and that can be the `Variable` itself.
+    result = v
+  }
+
   override IRType getType() { result.getCanonicalLanguageType().hasUnspecifiedType(v.getType(), _) }
 
   override Location getLocation() { result = v.getLocation() }
@@ -689,69 +585,6 @@ Node uninitializedNode(LocalVariable v) { none() }
  */
 predicate localFlowStep(Node nodeFrom, Node nodeTo) { simpleLocalFlowStep(nodeFrom, nodeTo) }
 
-private predicate flowOutOfPostUpdate(PartialDefinitionNode nodeFrom, Node nodeTo) {
-  // flow from the "outermost" field to the `ChiInstruction`, or `StoreInstruction`
-  // if no `ChiInstruction` exists.
-  exists(AddressOperand addressOperand, PartialFieldDefinition pd |
-    pd = nodeFrom.getPartialDefinition() and
-    not exists(pd.getPreUpdateNode().getObjectNode()) and
-    pd.getPreUpdateNode().getNextNode*() = GetFieldNode::fromOperand(addressOperand) and
-    (
-      exists(ChiInstruction chi |
-        nodeTo.asInstruction() = chi and
-        chi.getPartial().getAnOperand() = addressOperand
-      )
-      or
-      exists(StoreInstruction store |
-        not exists(ChiInstruction chi | chi.getPartial() = store) and
-        nodeTo.asInstruction() = store and
-        store.getDestinationAddressOperand() = addressOperand
-      )
-    )
-  )
-  or
-  // Note: This partial definition cannot be a `PostUpdateFieldNode` since these nodes do not have an
-  // operand node as their pre update node.
-  exists(PartialDefinition pd |
-    pd = nodeFrom.getPartialDefinition() and
-    nodeTo.asInstruction().(ChiInstruction).getTotalOperand() = pd.getPreUpdateNode().asOperand()
-  )
-}
-
-/**
- * Gets the `FieldNode` corresponding to the outermost field that is used to compute `address`.
- */
-private FieldNode getOutermostFieldNode(Instruction address) {
-  not exists(result.getObjectNode()) and
-  result.getNextNode*() = GetFieldNode::fromInstruction(address)
-}
-
-private predicate flowIntoReadNode(Node nodeFrom, FieldNode nodeTo) {
-  // flow from the memory of a load to the "outermost" field of that load.
-  exists(LoadInstruction load |
-    nodeTo = getOutermostFieldNode(load.getSourceAddress()) and
-    not nodeFrom.asInstruction().isResultConflated() and
-    nodeFrom.asInstruction() = load.getSourceValueOperand().getAnyDef()
-  )
-  or
-  // We need this to make stores look like loads for the dataflow library. So when there's a store
-  // of the form x->y = z we need to make the field node corresponding to y look like it's reading
-  // from the memory of x.
-  exists(StoreInstruction store, ChiInstruction chi |
-    chi.getPartial() = store and
-    nodeTo = getOutermostFieldNode(store.getDestinationAddress()) and
-    not nodeFrom.asInstruction().isResultConflated() and
-    nodeFrom.asInstruction() = chi.getTotal()
-  )
-  or
-  exists(ReadSideEffectInstruction read, SideEffectOperand sideEffect |
-    sideEffect = read.getSideEffectOperand() and
-    not sideEffect.getAnyDef().isResultConflated() and
-    nodeTo = getOutermostFieldNode(read.getArgumentDef()) and
-    nodeFrom.asOperand() = sideEffect
-  )
-}
-
 /**
  * INTERNAL: do not use.
  *
@@ -765,10 +598,6 @@ predicate simpleLocalFlowStep(Node nodeFrom, Node nodeTo) {
   or
   // Instruction -> Operand flow
   simpleOperandLocalFlowStep(nodeFrom.asInstruction(), nodeTo.asOperand())
-  or
-  flowIntoReadNode(nodeFrom, nodeTo)
-  or
-  flowOutOfPostUpdate(nodeFrom, nodeTo)
 }
 
 pragma[noinline]
diff --git a/cpp/ql/test/library-tests/dataflow/dataflow-tests/dataflow-ir-consistency.expected b/cpp/ql/test/library-tests/dataflow/dataflow-tests/dataflow-ir-consistency.expected
index b9f6f717c80..fc6c97aa2a6 100644
--- a/cpp/ql/test/library-tests/dataflow/dataflow-tests/dataflow-ir-consistency.expected
+++ b/cpp/ql/test/library-tests/dataflow/dataflow-tests/dataflow-ir-consistency.expected
@@ -26,21 +26,60 @@ unreachableNodeCCtx
 localCallNodes
 postIsNotPre
 postHasUniquePre
-| dispatch.cpp:15:8:15:8 | Top output argument | PostUpdateNode should have one pre-update node but has 0. |
-| dispatch.cpp:21:8:21:8 | Middle output argument | PostUpdateNode should have one pre-update node but has 0. |
-| dispatch.cpp:60:18:60:29 | Bottom output argument | PostUpdateNode should have one pre-update node but has 0. |
-| dispatch.cpp:61:18:61:29 | Middle output argument | PostUpdateNode should have one pre-update node but has 0. |
-| dispatch.cpp:65:10:65:21 | Bottom output argument | PostUpdateNode should have one pre-update node but has 0. |
-| test.cpp:384:10:384:13 | memcpy output argument | PostUpdateNode should have one pre-update node but has 0. |
-| test.cpp:391:10:391:13 | memcpy output argument | PostUpdateNode should have one pre-update node but has 0. |
-| test.cpp:400:10:400:13 | memcpy output argument | PostUpdateNode should have one pre-update node but has 0. |
-| test.cpp:407:10:407:13 | memcpy output argument | PostUpdateNode should have one pre-update node but has 0. |
 uniquePostUpdate
 postIsInSameCallable
 reverseRead
 argHasPostUpdate
 postWithInFlow
-| test.cpp:384:10:384:13 | memcpy output argument | PostUpdateNode should not be the target of local flow. |
-| test.cpp:391:10:391:13 | memcpy output argument | PostUpdateNode should not be the target of local flow. |
-| test.cpp:400:10:400:13 | memcpy output argument | PostUpdateNode should not be the target of local flow. |
-| test.cpp:407:10:407:13 | memcpy output argument | PostUpdateNode should not be the target of local flow. |
+| BarrierGuard.cpp:49:3:49:17 | Chi | PostUpdateNode should not be the target of local flow. |
+| BarrierGuard.cpp:60:3:60:18 | Chi | PostUpdateNode should not be the target of local flow. |
+| clang.cpp:28:3:28:34 | Chi | PostUpdateNode should not be the target of local flow. |
+| clang.cpp:34:22:34:27 | Chi | PostUpdateNode should not be the target of local flow. |
+| clang.cpp:34:32:34:37 | Chi | PostUpdateNode should not be the target of local flow. |
+| clang.cpp:39:32:39:37 | Chi | PostUpdateNode should not be the target of local flow. |
+| clang.cpp:39:42:39:47 | Chi | PostUpdateNode should not be the target of local flow. |
+| clang.cpp:43:35:43:40 | Chi | PostUpdateNode should not be the target of local flow. |
+| clang.cpp:43:51:43:51 | Chi | PostUpdateNode should not be the target of local flow. |
+| clang.cpp:49:25:49:30 | Chi | PostUpdateNode should not be the target of local flow. |
+| clang.cpp:49:35:49:40 | Chi | PostUpdateNode should not be the target of local flow. |
+| clang.cpp:50:3:50:26 | Chi | PostUpdateNode should not be the target of local flow. |
+| example.c:17:19:17:22 | Chi | PostUpdateNode should not be the target of local flow. |
+| example.c:17:21:17:21 | Chi | PostUpdateNode should not be the target of local flow. |
+| example.c:24:2:24:30 | Chi | PostUpdateNode should not be the target of local flow. |
+| example.c:24:13:24:30 | Chi | PostUpdateNode should not be the target of local flow. |
+| example.c:26:2:26:25 | Chi | PostUpdateNode should not be the target of local flow. |
+| file://:0:0:0:0 | Chi | PostUpdateNode should not be the target of local flow. |
+| file://:0:0:0:0 | Chi | PostUpdateNode should not be the target of local flow. |
+| file://:0:0:0:0 | Chi | PostUpdateNode should not be the target of local flow. |
+| lambdas.cpp:13:12:13:12 | Chi | PostUpdateNode should not be the target of local flow. |
+| lambdas.cpp:13:15:13:15 | Chi | PostUpdateNode should not be the target of local flow. |
+| lambdas.cpp:28:10:31:2 | Chi | PostUpdateNode should not be the target of local flow. |
+| lambdas.cpp:28:10:31:2 | Chi | PostUpdateNode should not be the target of local flow. |
+| lambdas.cpp:43:3:43:14 | Chi | PostUpdateNode should not be the target of local flow. |
+| ref.cpp:11:5:11:13 | Chi | PostUpdateNode should not be the target of local flow. |
+| ref.cpp:20:5:20:13 | Chi | PostUpdateNode should not be the target of local flow. |
+| ref.cpp:22:7:22:13 | Chi | PostUpdateNode should not be the target of local flow. |
+| ref.cpp:24:7:24:13 | Chi | PostUpdateNode should not be the target of local flow. |
+| ref.cpp:29:5:29:18 | Chi | PostUpdateNode should not be the target of local flow. |
+| ref.cpp:31:7:31:13 | Chi | PostUpdateNode should not be the target of local flow. |
+| ref.cpp:39:7:39:13 | Chi | PostUpdateNode should not be the target of local flow. |
+| ref.cpp:44:5:44:18 | Chi | PostUpdateNode should not be the target of local flow. |
+| ref.cpp:46:7:46:13 | Chi | PostUpdateNode should not be the target of local flow. |
+| ref.cpp:48:7:48:13 | Chi | PostUpdateNode should not be the target of local flow. |
+| ref.cpp:75:5:75:17 | Chi | PostUpdateNode should not be the target of local flow. |
+| ref.cpp:83:5:83:17 | Chi | PostUpdateNode should not be the target of local flow. |
+| ref.cpp:87:7:87:17 | Chi | PostUpdateNode should not be the target of local flow. |
+| ref.cpp:89:7:89:17 | Chi | PostUpdateNode should not be the target of local flow. |
+| ref.cpp:94:5:94:22 | Chi | PostUpdateNode should not be the target of local flow. |
+| ref.cpp:96:7:96:17 | Chi | PostUpdateNode should not be the target of local flow. |
+| ref.cpp:104:7:104:17 | Chi | PostUpdateNode should not be the target of local flow. |
+| ref.cpp:109:5:109:22 | Chi | PostUpdateNode should not be the target of local flow. |
+| ref.cpp:113:7:113:17 | Chi | PostUpdateNode should not be the target of local flow. |
+| ref.cpp:115:7:115:17 | Chi | PostUpdateNode should not be the target of local flow. |
+| test.cpp:91:3:91:18 | Chi | PostUpdateNode should not be the target of local flow. |
+| test.cpp:115:3:115:17 | Chi | PostUpdateNode should not be the target of local flow. |
+| test.cpp:120:3:120:10 | Chi | PostUpdateNode should not be the target of local flow. |
+| test.cpp:125:3:125:11 | Chi | PostUpdateNode should not be the target of local flow. |
+| test.cpp:359:5:359:20 | Chi | PostUpdateNode should not be the target of local flow. |
+| test.cpp:373:5:373:20 | Chi | PostUpdateNode should not be the target of local flow. |
+| test.cpp:465:3:465:15 | Chi | PostUpdateNode should not be the target of local flow. |
diff --git a/cpp/ql/test/library-tests/dataflow/dataflow-tests/test.cpp b/cpp/ql/test/library-tests/dataflow/dataflow-tests/test.cpp
index 774ecddeab2..f59552aa2dd 100644
--- a/cpp/ql/test/library-tests/dataflow/dataflow-tests/test.cpp
+++ b/cpp/ql/test/library-tests/dataflow/dataflow-tests/test.cpp
@@ -362,7 +362,7 @@ class FlowThroughFields {
   int f() {
     sink(field); // tainted or clean? Not sure.
     taintField();
-    sink(field); // $ ast,ir
+    sink(field); // $ ast MISSING: ir
   }
 
   int calledAfterTaint() {
diff --git a/cpp/ql/test/library-tests/dataflow/fields/aliasing.cpp b/cpp/ql/test/library-tests/dataflow/fields/aliasing.cpp
index 833e85600a6..500bbed53a9 100644
--- a/cpp/ql/test/library-tests/dataflow/fields/aliasing.cpp
+++ b/cpp/ql/test/library-tests/dataflow/fields/aliasing.cpp
@@ -204,32 +204,4 @@ void deep_member_field_arrow(S2 *ps2) {
 void deep_member_field_arrow_different_fields(S2 *ps2) {
   taint_a_ptr(&ps2->s.m1);
   sink(ps2->s.m2);
-}
-
-void test_deep_struct_fields() {
-  S2 s2;
-  s2.s.m1 = user_input();
-  S s = s2.s;
-  sink(s.m1); // $ ast,ir
-}
-
-void test_deep_struct_fields_no_flow() {
-  S2 s2;
-  s2.s.m1 = user_input();
-  S s = s2.s;
-  sink(s.m2);
-}
-
-void test_deep_struct_fields_taint_through_call() {
-  S2 s2;
-  taint_a_ptr(&s2.s.m1);
-  S s = s2.s;
-  sink(s.m1); // $ ast,ir
-}
-
-void test_deep_struct_fields_taint_through_call_no_flow() {
-  S2 s2;
-  taint_a_ptr(&s2.s.m1);
-  S s = s2.s;
-  sink(s.m2);
 }
\ No newline at end of file
diff --git a/cpp/ql/test/library-tests/dataflow/fields/by_reference.cpp b/cpp/ql/test/library-tests/dataflow/fields/by_reference.cpp
index 46abcd62c07..8e84d39be3b 100644
--- a/cpp/ql/test/library-tests/dataflow/fields/by_reference.cpp
+++ b/cpp/ql/test/library-tests/dataflow/fields/by_reference.cpp
@@ -1,4 +1,4 @@
-void sink(void *o); void sink(const char *o);
+void sink(void *o);
 void *user_input(void);
 
 struct S {
@@ -135,13 +135,3 @@ void test_outer_with_ref(Outer *pouter) {
   sink(pouter->inner_ptr->a); // $ ast MISSING: ir
   sink(pouter->a); // $ ast,ir
 }
-
-void taint_a_ptr(const char **pa) {
-  *pa = (char*)user_input();
-}
-
-void test_const_char_ref() {
-  const char* s;
-  taint_a_ptr(&s);
-  sink(s); // $ ast ir=140:9 ir=140:16
-}
\ No newline at end of file
diff --git a/cpp/ql/test/library-tests/dataflow/fields/dataflow-consistency.expected b/cpp/ql/test/library-tests/dataflow/fields/dataflow-consistency.expected
index 500faa38eb1..c6528723d22 100644
--- a/cpp/ql/test/library-tests/dataflow/fields/dataflow-consistency.expected
+++ b/cpp/ql/test/library-tests/dataflow/fields/dataflow-consistency.expected
@@ -89,10 +89,6 @@ postWithInFlow
 | aliasing.cpp:194:21:194:22 | m1 [inner post update] | PostUpdateNode should not be the target of local flow. |
 | aliasing.cpp:200:23:200:24 | m1 [inner post update] | PostUpdateNode should not be the target of local flow. |
 | aliasing.cpp:205:23:205:24 | m1 [inner post update] | PostUpdateNode should not be the target of local flow. |
-| aliasing.cpp:211:8:211:9 | m1 [post update] | PostUpdateNode should not be the target of local flow. |
-| aliasing.cpp:218:8:218:9 | m1 [post update] | PostUpdateNode should not be the target of local flow. |
-| aliasing.cpp:225:21:225:22 | m1 [inner post update] | PostUpdateNode should not be the target of local flow. |
-| aliasing.cpp:232:21:232:22 | m1 [inner post update] | PostUpdateNode should not be the target of local flow. |
 | arrays.cpp:6:3:6:5 | arr [inner post update] | PostUpdateNode should not be the target of local flow. |
 | arrays.cpp:6:3:6:8 | access to array [post update] | PostUpdateNode should not be the target of local flow. |
 | arrays.cpp:15:3:15:10 | * ... [post update] | PostUpdateNode should not be the target of local flow. |
@@ -123,9 +119,6 @@ postWithInFlow
 | by_reference.cpp:108:24:108:24 | a [inner post update] | PostUpdateNode should not be the target of local flow. |
 | by_reference.cpp:123:28:123:36 | inner_ptr [inner post update] | PostUpdateNode should not be the target of local flow. |
 | by_reference.cpp:127:30:127:38 | inner_ptr [inner post update] | PostUpdateNode should not be the target of local flow. |
-| by_reference.cpp:140:3:140:5 | * ... [post update] | PostUpdateNode should not be the target of local flow. |
-| by_reference.cpp:140:4:140:5 | pa [inner post update] | PostUpdateNode should not be the target of local flow. |
-| by_reference.cpp:145:16:145:16 | s [inner post update] | PostUpdateNode should not be the target of local flow. |
 | complex.cpp:11:22:11:23 | a_ [post update] | PostUpdateNode should not be the target of local flow. |
 | complex.cpp:12:22:12:23 | b_ [post update] | PostUpdateNode should not be the target of local flow. |
 | conflated.cpp:10:3:10:7 | * ... [post update] | PostUpdateNode should not be the target of local flow. |
@@ -159,6 +152,5 @@ postWithInFlow
 | simple.cpp:65:7:65:7 | i [post update] | PostUpdateNode should not be the target of local flow. |
 | simple.cpp:83:12:83:13 | f1 [post update] | PostUpdateNode should not be the target of local flow. |
 | simple.cpp:92:7:92:7 | i [post update] | PostUpdateNode should not be the target of local flow. |
-| simple.cpp:104:9:104:9 | i [post update] | PostUpdateNode should not be the target of local flow. |
 | struct_init.c:24:11:24:12 | ab [inner post update] | PostUpdateNode should not be the target of local flow. |
 | struct_init.c:36:17:36:24 | nestedAB [inner post update] | PostUpdateNode should not be the target of local flow. |
diff --git a/cpp/ql/test/library-tests/dataflow/fields/dataflow-ir-consistency.expected b/cpp/ql/test/library-tests/dataflow/fields/dataflow-ir-consistency.expected
index 0a03ccef569..63d3b2c0f48 100644
--- a/cpp/ql/test/library-tests/dataflow/fields/dataflow-ir-consistency.expected
+++ b/cpp/ql/test/library-tests/dataflow/fields/dataflow-ir-consistency.expected
@@ -20,71 +20,145 @@ unreachableNodeCCtx
 localCallNodes
 postIsNotPre
 postHasUniquePre
-| A.cpp:9:9:9:9 | C output argument | PostUpdateNode should have one pre-update node but has 0. |
-| A.cpp:14:9:14:9 | C output argument | PostUpdateNode should have one pre-update node but has 0. |
-| A.cpp:31:14:31:21 | B output argument | PostUpdateNode should have one pre-update node but has 0. |
-| A.cpp:38:7:38:8 | C output argument | PostUpdateNode should have one pre-update node but has 0. |
-| A.cpp:39:7:39:8 | C output argument | PostUpdateNode should have one pre-update node but has 0. |
-| A.cpp:41:15:41:21 | C output argument | PostUpdateNode should have one pre-update node but has 0. |
-| A.cpp:47:12:47:18 | C output argument | PostUpdateNode should have one pre-update node but has 0. |
-| A.cpp:54:12:54:18 | B output argument | PostUpdateNode should have one pre-update node but has 0. |
-| A.cpp:55:12:55:19 | C1 output argument | PostUpdateNode should have one pre-update node but has 0. |
-| A.cpp:57:11:57:24 | B output argument | PostUpdateNode should have one pre-update node but has 0. |
-| A.cpp:57:17:57:23 | C output argument | PostUpdateNode should have one pre-update node but has 0. |
-| A.cpp:62:13:62:19 | B output argument | PostUpdateNode should have one pre-update node but has 0. |
-| A.cpp:64:21:64:28 | C2 output argument | PostUpdateNode should have one pre-update node but has 0. |
-| A.cpp:71:13:71:19 | B output argument | PostUpdateNode should have one pre-update node but has 0. |
-| A.cpp:73:25:73:32 | C2 output argument | PostUpdateNode should have one pre-update node but has 0. |
-| A.cpp:89:15:89:21 | B output argument | PostUpdateNode should have one pre-update node but has 0. |
-| A.cpp:99:14:99:21 | C1 output argument | PostUpdateNode should have one pre-update node but has 0. |
-| A.cpp:116:12:116:19 | C1 output argument | PostUpdateNode should have one pre-update node but has 0. |
-| A.cpp:126:12:126:18 | C output argument | PostUpdateNode should have one pre-update node but has 0. |
-| A.cpp:130:12:130:18 | B output argument | PostUpdateNode should have one pre-update node but has 0. |
-| A.cpp:142:14:142:20 | C output argument | PostUpdateNode should have one pre-update node but has 0. |
-| A.cpp:143:25:143:31 | B output argument | PostUpdateNode should have one pre-update node but has 0. |
-| A.cpp:150:12:150:18 | B output argument | PostUpdateNode should have one pre-update node but has 0. |
-| A.cpp:151:12:151:24 | D output argument | PostUpdateNode should have one pre-update node but has 0. |
-| A.cpp:159:12:159:18 | B output argument | PostUpdateNode should have one pre-update node but has 0. |
-| A.cpp:160:18:160:60 | MyList output argument | PostUpdateNode should have one pre-update node but has 0. |
-| A.cpp:160:32:160:59 | MyList output argument | PostUpdateNode should have one pre-update node but has 0. |
-| A.cpp:161:18:161:40 | MyList output argument | PostUpdateNode should have one pre-update node but has 0. |
-| A.cpp:162:18:162:40 | MyList output argument | PostUpdateNode should have one pre-update node but has 0. |
-| B.cpp:7:16:7:35 | Box1 output argument | PostUpdateNode should have one pre-update node but has 0. |
-| B.cpp:8:16:8:27 | Box2 output argument | PostUpdateNode should have one pre-update node but has 0. |
-| B.cpp:16:16:16:38 | Box1 output argument | PostUpdateNode should have one pre-update node but has 0. |
-| B.cpp:17:16:17:27 | Box2 output argument | PostUpdateNode should have one pre-update node but has 0. |
-| C.cpp:18:12:18:18 | C output argument | PostUpdateNode should have one pre-update node but has 0. |
-| D.cpp:29:15:29:41 | Box2 output argument | PostUpdateNode should have one pre-update node but has 0. |
-| D.cpp:29:24:29:40 | Box1 output argument | PostUpdateNode should have one pre-update node but has 0. |
-| D.cpp:36:15:36:41 | Box2 output argument | PostUpdateNode should have one pre-update node but has 0. |
-| D.cpp:36:24:36:40 | Box1 output argument | PostUpdateNode should have one pre-update node but has 0. |
-| D.cpp:43:15:43:41 | Box2 output argument | PostUpdateNode should have one pre-update node but has 0. |
-| D.cpp:43:24:43:40 | Box1 output argument | PostUpdateNode should have one pre-update node but has 0. |
-| D.cpp:50:15:50:41 | Box2 output argument | PostUpdateNode should have one pre-update node but has 0. |
-| D.cpp:50:24:50:40 | Box1 output argument | PostUpdateNode should have one pre-update node but has 0. |
-| D.cpp:57:16:57:42 | Box2 output argument | PostUpdateNode should have one pre-update node but has 0. |
-| D.cpp:57:25:57:41 | Box1 output argument | PostUpdateNode should have one pre-update node but has 0. |
-| complex.cpp:22:11:22:17 | Foo output argument | PostUpdateNode should have one pre-update node but has 0. |
-| complex.cpp:25:7:25:7 | Bar output argument | PostUpdateNode should have one pre-update node but has 0. |
-| complex.cpp:48:9:48:10 | Outer output argument | PostUpdateNode should have one pre-update node but has 0. |
-| complex.cpp:49:9:49:10 | Outer output argument | PostUpdateNode should have one pre-update node but has 0. |
-| complex.cpp:50:9:50:10 | Outer output argument | PostUpdateNode should have one pre-update node but has 0. |
-| complex.cpp:51:9:51:10 | Outer output argument | PostUpdateNode should have one pre-update node but has 0. |
-| conflated.cpp:59:20:59:39 | LinkedList output argument | PostUpdateNode should have one pre-update node but has 0. |
-| constructors.cpp:34:11:34:26 | Foo output argument | PostUpdateNode should have one pre-update node but has 0. |
-| constructors.cpp:35:11:35:26 | Foo output argument | PostUpdateNode should have one pre-update node but has 0. |
-| constructors.cpp:36:11:36:37 | Foo output argument | PostUpdateNode should have one pre-update node but has 0. |
-| constructors.cpp:37:11:37:15 | Foo output argument | PostUpdateNode should have one pre-update node but has 0. |
-| realistic.cpp:54:16:54:47 | memcpy output argument | PostUpdateNode should have one pre-update node but has 0. |
-| realistic.cpp:60:16:60:18 | memcpy output argument | PostUpdateNode should have one pre-update node but has 0. |
-| simple.cpp:34:11:34:15 | Foo output argument | PostUpdateNode should have one pre-update node but has 0. |
-| simple.cpp:35:11:35:15 | Foo output argument | PostUpdateNode should have one pre-update node but has 0. |
-| simple.cpp:36:11:36:15 | Foo output argument | PostUpdateNode should have one pre-update node but has 0. |
-| simple.cpp:37:11:37:15 | Foo output argument | PostUpdateNode should have one pre-update node but has 0. |
+| simple.cpp:65:5:65:22 | Store | PostUpdateNode should have one pre-update node but has 0. |
+| simple.cpp:92:5:92:22 | Store | PostUpdateNode should have one pre-update node but has 0. |
 uniquePostUpdate
 postIsInSameCallable
 reverseRead
 argHasPostUpdate
 postWithInFlow
-| realistic.cpp:54:16:54:47 | memcpy output argument | PostUpdateNode should not be the target of local flow. |
-| realistic.cpp:60:16:60:18 | memcpy output argument | PostUpdateNode should not be the target of local flow. |
+| A.cpp:25:7:25:17 | Chi | PostUpdateNode should not be the target of local flow. |
+| A.cpp:27:22:27:32 | Chi | PostUpdateNode should not be the target of local flow. |
+| A.cpp:98:12:98:18 | Chi | PostUpdateNode should not be the target of local flow. |
+| A.cpp:100:5:100:13 | Chi | PostUpdateNode should not be the target of local flow. |
+| A.cpp:142:7:142:20 | Chi | PostUpdateNode should not be the target of local flow. |
+| A.cpp:143:7:143:31 | Chi | PostUpdateNode should not be the target of local flow. |
+| A.cpp:183:7:183:20 | Chi | PostUpdateNode should not be the target of local flow. |
+| A.cpp:184:7:184:23 | Chi | PostUpdateNode should not be the target of local flow. |
+| B.cpp:6:15:6:24 | Chi | PostUpdateNode should not be the target of local flow. |
+| B.cpp:15:15:15:27 | Chi | PostUpdateNode should not be the target of local flow. |
+| B.cpp:35:7:35:22 | Chi | PostUpdateNode should not be the target of local flow. |
+| B.cpp:36:7:36:22 | Chi | PostUpdateNode should not be the target of local flow. |
+| B.cpp:46:7:46:21 | Chi | PostUpdateNode should not be the target of local flow. |
+| C.cpp:22:12:22:21 | Chi | PostUpdateNode should not be the target of local flow. |
+| C.cpp:22:12:22:21 | Chi | PostUpdateNode should not be the target of local flow. |
+| C.cpp:24:5:24:25 | Chi | PostUpdateNode should not be the target of local flow. |
+| C.cpp:24:16:24:25 | Chi | PostUpdateNode should not be the target of local flow. |
+| D.cpp:9:21:9:28 | Chi | PostUpdateNode should not be the target of local flow. |
+| D.cpp:11:29:11:36 | Chi | PostUpdateNode should not be the target of local flow. |
+| D.cpp:16:21:16:27 | Chi | PostUpdateNode should not be the target of local flow. |
+| D.cpp:18:29:18:35 | Chi | PostUpdateNode should not be the target of local flow. |
+| D.cpp:28:15:28:24 | Chi | PostUpdateNode should not be the target of local flow. |
+| D.cpp:35:15:35:24 | Chi | PostUpdateNode should not be the target of local flow. |
+| D.cpp:42:15:42:24 | Chi | PostUpdateNode should not be the target of local flow. |
+| D.cpp:49:15:49:24 | Chi | PostUpdateNode should not be the target of local flow. |
+| D.cpp:56:15:56:24 | Chi | PostUpdateNode should not be the target of local flow. |
+| D.cpp:57:5:57:42 | Chi | PostUpdateNode should not be the target of local flow. |
+| aliasing.cpp:9:3:9:22 | Chi | PostUpdateNode should not be the target of local flow. |
+| aliasing.cpp:13:3:13:21 | Chi | PostUpdateNode should not be the target of local flow. |
+| aliasing.cpp:17:3:17:21 | Chi | PostUpdateNode should not be the target of local flow. |
+| aliasing.cpp:21:12:21:12 | Chi | PostUpdateNode should not be the target of local flow. |
+| aliasing.cpp:21:15:21:15 | Chi | PostUpdateNode should not be the target of local flow. |
+| aliasing.cpp:22:12:22:12 | Chi | PostUpdateNode should not be the target of local flow. |
+| aliasing.cpp:22:15:22:15 | Chi | PostUpdateNode should not be the target of local flow. |
+| aliasing.cpp:23:12:23:12 | Chi | PostUpdateNode should not be the target of local flow. |
+| aliasing.cpp:23:15:23:15 | Chi | PostUpdateNode should not be the target of local flow. |
+| aliasing.cpp:35:12:35:12 | Chi | PostUpdateNode should not be the target of local flow. |
+| aliasing.cpp:35:15:35:15 | Chi | PostUpdateNode should not be the target of local flow. |
+| aliasing.cpp:37:3:37:24 | Chi | PostUpdateNode should not be the target of local flow. |
+| aliasing.cpp:40:12:40:12 | Chi | PostUpdateNode should not be the target of local flow. |
+| aliasing.cpp:40:15:40:15 | Chi | PostUpdateNode should not be the target of local flow. |
+| aliasing.cpp:42:3:42:22 | Chi | PostUpdateNode should not be the target of local flow. |
+| aliasing.cpp:47:12:47:12 | Chi | PostUpdateNode should not be the target of local flow. |
+| aliasing.cpp:47:15:47:15 | Chi | PostUpdateNode should not be the target of local flow. |
+| aliasing.cpp:49:3:49:25 | Chi | PostUpdateNode should not be the target of local flow. |
+| aliasing.cpp:52:12:52:12 | Chi | PostUpdateNode should not be the target of local flow. |
+| aliasing.cpp:52:15:52:15 | Chi | PostUpdateNode should not be the target of local flow. |
+| aliasing.cpp:54:3:54:22 | Chi | PostUpdateNode should not be the target of local flow. |
+| aliasing.cpp:59:12:59:12 | Chi | PostUpdateNode should not be the target of local flow. |
+| aliasing.cpp:59:15:59:15 | Chi | PostUpdateNode should not be the target of local flow. |
+| aliasing.cpp:60:3:60:22 | Chi | PostUpdateNode should not be the target of local flow. |
+| aliasing.cpp:70:19:70:19 | Chi | PostUpdateNode should not be the target of local flow. |
+| aliasing.cpp:70:22:70:22 | Chi | PostUpdateNode should not be the target of local flow. |
+| aliasing.cpp:72:3:72:21 | Chi | PostUpdateNode should not be the target of local flow. |
+| aliasing.cpp:77:19:77:19 | Chi | PostUpdateNode should not be the target of local flow. |
+| aliasing.cpp:77:22:77:22 | Chi | PostUpdateNode should not be the target of local flow. |
+| aliasing.cpp:79:3:79:22 | Chi | PostUpdateNode should not be the target of local flow. |
+| aliasing.cpp:84:19:84:19 | Chi | PostUpdateNode should not be the target of local flow. |
+| aliasing.cpp:84:22:84:22 | Chi | PostUpdateNode should not be the target of local flow. |
+| aliasing.cpp:86:3:86:21 | Chi | PostUpdateNode should not be the target of local flow. |
+| aliasing.cpp:91:19:91:19 | Chi | PostUpdateNode should not be the target of local flow. |
+| aliasing.cpp:91:22:91:22 | Chi | PostUpdateNode should not be the target of local flow. |
+| aliasing.cpp:92:3:92:23 | Chi | PostUpdateNode should not be the target of local flow. |
+| aliasing.cpp:98:3:98:21 | Chi | PostUpdateNode should not be the target of local flow. |
+| aliasing.cpp:106:3:106:20 | Chi | PostUpdateNode should not be the target of local flow. |
+| aliasing.cpp:111:15:111:19 | Chi | PostUpdateNode should not be the target of local flow. |
+| aliasing.cpp:147:15:147:22 | Chi | PostUpdateNode should not be the target of local flow. |
+| aliasing.cpp:175:15:175:22 | Chi | PostUpdateNode should not be the target of local flow. |
+| aliasing.cpp:181:15:181:22 | Chi | PostUpdateNode should not be the target of local flow. |
+| aliasing.cpp:187:15:187:22 | Chi | PostUpdateNode should not be the target of local flow. |
+| aliasing.cpp:194:15:194:22 | Chi | PostUpdateNode should not be the target of local flow. |
+| aliasing.cpp:200:15:200:24 | Chi | PostUpdateNode should not be the target of local flow. |
+| aliasing.cpp:205:15:205:24 | Chi | PostUpdateNode should not be the target of local flow. |
+| arrays.cpp:5:18:5:23 | Chi | PostUpdateNode should not be the target of local flow. |
+| arrays.cpp:5:21:5:21 | Chi | PostUpdateNode should not be the target of local flow. |
+| arrays.cpp:6:3:6:23 | Chi | PostUpdateNode should not be the target of local flow. |
+| arrays.cpp:14:18:14:23 | Chi | PostUpdateNode should not be the target of local flow. |
+| arrays.cpp:14:21:14:21 | Chi | PostUpdateNode should not be the target of local flow. |
+| arrays.cpp:15:3:15:25 | Chi | PostUpdateNode should not be the target of local flow. |
+| arrays.cpp:36:3:36:37 | Chi | PostUpdateNode should not be the target of local flow. |
+| by_reference.cpp:12:5:12:16 | Chi | PostUpdateNode should not be the target of local flow. |
+| by_reference.cpp:16:5:16:19 | Chi | PostUpdateNode should not be the target of local flow. |
+| by_reference.cpp:84:3:84:25 | Chi | PostUpdateNode should not be the target of local flow. |
+| by_reference.cpp:88:3:88:24 | Chi | PostUpdateNode should not be the target of local flow. |
+| by_reference.cpp:92:3:92:20 | Chi | PostUpdateNode should not be the target of local flow. |
+| by_reference.cpp:96:3:96:19 | Chi | PostUpdateNode should not be the target of local flow. |
+| by_reference.cpp:102:21:102:39 | Chi | PostUpdateNode should not be the target of local flow. |
+| by_reference.cpp:104:15:104:22 | Chi | PostUpdateNode should not be the target of local flow. |
+| by_reference.cpp:106:21:106:41 | Chi | PostUpdateNode should not be the target of local flow. |
+| by_reference.cpp:108:15:108:24 | Chi | PostUpdateNode should not be the target of local flow. |
+| by_reference.cpp:122:21:122:38 | Chi | PostUpdateNode should not be the target of local flow. |
+| by_reference.cpp:124:15:124:21 | Chi | PostUpdateNode should not be the target of local flow. |
+| by_reference.cpp:126:21:126:40 | Chi | PostUpdateNode should not be the target of local flow. |
+| by_reference.cpp:128:15:128:23 | Chi | PostUpdateNode should not be the target of local flow. |
+| complex.cpp:11:22:11:27 | Chi | PostUpdateNode should not be the target of local flow. |
+| complex.cpp:12:22:12:27 | Chi | PostUpdateNode should not be the target of local flow. |
+| complex.cpp:14:26:14:26 | Chi | PostUpdateNode should not be the target of local flow. |
+| complex.cpp:14:33:14:33 | Chi | PostUpdateNode should not be the target of local flow. |
+| complex.cpp:22:11:22:17 | Chi | PostUpdateNode should not be the target of local flow. |
+| complex.cpp:25:7:25:7 | Chi | PostUpdateNode should not be the target of local flow. |
+| complex.cpp:42:16:42:16 | Chi | PostUpdateNode should not be the target of local flow. |
+| complex.cpp:43:16:43:16 | Chi | PostUpdateNode should not be the target of local flow. |
+| complex.cpp:53:12:53:12 | Chi | PostUpdateNode should not be the target of local flow. |
+| complex.cpp:54:12:54:12 | Chi | PostUpdateNode should not be the target of local flow. |
+| complex.cpp:55:12:55:12 | Chi | PostUpdateNode should not be the target of local flow. |
+| complex.cpp:56:12:56:12 | Chi | PostUpdateNode should not be the target of local flow. |
+| conflated.cpp:45:39:45:42 | Chi | PostUpdateNode should not be the target of local flow. |
+| conflated.cpp:53:3:53:27 | Chi | PostUpdateNode should not be the target of local flow. |
+| constructors.cpp:20:24:20:29 | Chi | PostUpdateNode should not be the target of local flow. |
+| constructors.cpp:21:24:21:29 | Chi | PostUpdateNode should not be the target of local flow. |
+| constructors.cpp:23:28:23:28 | Chi | PostUpdateNode should not be the target of local flow. |
+| constructors.cpp:23:35:23:35 | Chi | PostUpdateNode should not be the target of local flow. |
+| qualifiers.cpp:9:30:9:44 | Chi | PostUpdateNode should not be the target of local flow. |
+| qualifiers.cpp:12:49:12:64 | Chi | PostUpdateNode should not be the target of local flow. |
+| qualifiers.cpp:13:51:13:65 | Chi | PostUpdateNode should not be the target of local flow. |
+| realistic.cpp:39:12:39:95 | Chi | PostUpdateNode should not be the target of local flow. |
+| realistic.cpp:49:9:49:64 | Chi | PostUpdateNode should not be the target of local flow. |
+| simple.cpp:20:24:20:29 | Chi | PostUpdateNode should not be the target of local flow. |
+| simple.cpp:21:24:21:29 | Chi | PostUpdateNode should not be the target of local flow. |
+| simple.cpp:23:28:23:28 | Chi | PostUpdateNode should not be the target of local flow. |
+| simple.cpp:23:35:23:35 | Chi | PostUpdateNode should not be the target of local flow. |
+| simple.cpp:65:5:65:22 | Store | PostUpdateNode should not be the target of local flow. |
+| simple.cpp:83:9:83:28 | Chi | PostUpdateNode should not be the target of local flow. |
+| simple.cpp:92:5:92:22 | Store | PostUpdateNode should not be the target of local flow. |
+| struct_init.c:20:20:20:29 | Chi | PostUpdateNode should not be the target of local flow. |
+| struct_init.c:20:34:20:34 | Chi | PostUpdateNode should not be the target of local flow. |
+| struct_init.c:27:7:27:16 | Chi | PostUpdateNode should not be the target of local flow. |
+| struct_init.c:27:21:27:21 | Chi | PostUpdateNode should not be the target of local flow. |
+| struct_init.c:28:5:28:7 | Chi | PostUpdateNode should not be the target of local flow. |
+| struct_init.c:36:10:36:24 | Chi | PostUpdateNode should not be the target of local flow. |
+| struct_init.c:40:20:40:29 | Chi | PostUpdateNode should not be the target of local flow. |
+| struct_init.c:40:34:40:34 | Chi | PostUpdateNode should not be the target of local flow. |
+| struct_init.c:42:7:42:16 | Chi | PostUpdateNode should not be the target of local flow. |
+| struct_init.c:42:21:42:21 | Chi | PostUpdateNode should not be the target of local flow. |
+| struct_init.c:43:5:43:7 | Chi | PostUpdateNode should not be the target of local flow. |
diff --git a/cpp/ql/test/library-tests/dataflow/fields/ir-path-flow.expected b/cpp/ql/test/library-tests/dataflow/fields/ir-path-flow.expected
index 0f25daa307d..c8b70a74b3a 100644
--- a/cpp/ql/test/library-tests/dataflow/fields/ir-path-flow.expected
+++ b/cpp/ql/test/library-tests/dataflow/fields/ir-path-flow.expected
@@ -4,62 +4,50 @@ edges
 | A.cpp:55:12:55:19 | new | A.cpp:55:5:55:5 | set output argument [c] |
 | A.cpp:57:11:57:24 | B output argument [c] | A.cpp:57:28:57:30 | call to get |
 | A.cpp:57:17:57:23 | new | A.cpp:57:11:57:24 | B output argument [c] |
-| A.cpp:98:12:98:18 | new | A.cpp:100:9:100:9 | a [post update] [a] |
-| A.cpp:100:9:100:9 | a [post update] [a] | A.cpp:103:14:103:14 | *c [a] |
-| A.cpp:103:14:103:14 | *c [a] | A.cpp:107:16:107:16 | a [a] |
-| A.cpp:107:16:107:16 | a [a] | A.cpp:107:16:107:16 | a |
+| A.cpp:98:12:98:18 | new | A.cpp:100:5:100:13 | Chi [a] |
+| A.cpp:100:5:100:13 | Chi [a] | A.cpp:103:14:103:14 | *c [a] |
+| A.cpp:103:14:103:14 | *c [a] | A.cpp:107:16:107:16 | a |
 | A.cpp:126:5:126:5 | Chi [c] | A.cpp:131:8:131:8 | f7 output argument [c] |
 | A.cpp:126:5:126:5 | set output argument [c] | A.cpp:126:5:126:5 | Chi [c] |
-| A.cpp:126:5:126:5 | set output argument [c] | A.cpp:131:8:131:8 | f7 output argument [c] |
 | A.cpp:126:12:126:18 | new | A.cpp:126:5:126:5 | set output argument [c] |
-| A.cpp:131:8:131:8 | f7 output argument [c] | A.cpp:132:13:132:13 | c [c] |
-| A.cpp:132:13:132:13 | c [c] | A.cpp:132:13:132:13 | c |
+| A.cpp:131:8:131:8 | Chi [c] | A.cpp:132:13:132:13 | c |
+| A.cpp:131:8:131:8 | f7 output argument [c] | A.cpp:131:8:131:8 | Chi [c] |
 | A.cpp:142:7:142:20 | Chi [c] | A.cpp:151:18:151:18 | D output argument [c] |
-| A.cpp:142:10:142:10 | c [post update] [c] | A.cpp:142:7:142:20 | Chi [c] |
-| A.cpp:142:10:142:10 | c [post update] [c] | A.cpp:151:18:151:18 | D output argument [c] |
-| A.cpp:142:14:142:20 | new | A.cpp:142:10:142:10 | c [post update] [c] |
+| A.cpp:142:14:142:20 | new | A.cpp:142:7:142:20 | Chi [c] |
 | A.cpp:143:7:143:31 | Chi [b] | A.cpp:151:12:151:24 | D output argument [b] |
-| A.cpp:143:13:143:13 | b [post update] [b] | A.cpp:143:7:143:31 | Chi [b] |
-| A.cpp:143:25:143:31 | new | A.cpp:143:13:143:13 | b [post update] [b] |
+| A.cpp:143:25:143:31 | new | A.cpp:143:7:143:31 | Chi [b] |
 | A.cpp:150:12:150:18 | new | A.cpp:151:12:151:24 | D output argument [b] |
-| A.cpp:151:12:151:24 | D output argument [b] | A.cpp:152:13:152:13 | b [b] |
-| A.cpp:151:18:151:18 | D output argument [c] | A.cpp:154:13:154:13 | c [c] |
-| A.cpp:152:13:152:13 | b [b] | A.cpp:152:13:152:13 | b |
-| A.cpp:154:13:154:13 | c [c] | A.cpp:154:13:154:13 | c |
+| A.cpp:151:12:151:24 | Chi [b] | A.cpp:152:13:152:13 | b |
+| A.cpp:151:12:151:24 | D output argument [b] | A.cpp:151:12:151:24 | Chi [b] |
+| A.cpp:151:18:151:18 | Chi [c] | A.cpp:154:13:154:13 | c |
+| A.cpp:151:18:151:18 | D output argument [c] | A.cpp:151:18:151:18 | Chi [c] |
 | C.cpp:18:12:18:18 | C output argument [s1] | C.cpp:27:8:27:11 | *#this [s1] |
 | C.cpp:18:12:18:18 | C output argument [s3] | C.cpp:27:8:27:11 | *#this [s3] |
-| C.cpp:22:9:22:22 | s1 [post update] [s1] | C.cpp:24:5:24:25 | Chi [s1] |
-| C.cpp:22:12:22:21 | new | C.cpp:22:9:22:22 | s1 [post update] [s1] |
+| C.cpp:22:12:22:21 | Chi [s1] | C.cpp:24:5:24:25 | Chi [s1] |
+| C.cpp:22:12:22:21 | new | C.cpp:22:12:22:21 | Chi [s1] |
 | C.cpp:24:5:24:25 | Chi [s1] | C.cpp:18:12:18:18 | C output argument [s1] |
 | C.cpp:24:5:24:25 | Chi [s3] | C.cpp:18:12:18:18 | C output argument [s3] |
-| C.cpp:24:11:24:12 | s3 [post update] [s3] | C.cpp:24:5:24:25 | Chi [s3] |
-| C.cpp:24:16:24:25 | new | C.cpp:24:11:24:12 | s3 [post update] [s3] |
-| C.cpp:27:8:27:11 | *#this [s1] | C.cpp:29:10:29:11 | s1 [s1] |
-| C.cpp:27:8:27:11 | *#this [s3] | C.cpp:31:10:31:11 | s3 [s3] |
-| C.cpp:29:10:29:11 | s1 [s1] | C.cpp:29:10:29:11 | s1 |
-| C.cpp:31:10:31:11 | s3 [s3] | C.cpp:31:10:31:11 | s3 |
+| C.cpp:24:16:24:25 | new | C.cpp:24:5:24:25 | Chi [s3] |
+| C.cpp:27:8:27:11 | *#this [s1] | C.cpp:29:10:29:11 | s1 |
+| C.cpp:27:8:27:11 | *#this [s3] | C.cpp:31:10:31:11 | s3 |
 | aliasing.cpp:9:3:9:22 | Chi [m1] | aliasing.cpp:25:17:25:19 | pointerSetter output argument [m1] |
-| aliasing.cpp:9:6:9:7 | m1 [post update] [m1] | aliasing.cpp:9:3:9:22 | Chi [m1] |
-| aliasing.cpp:9:6:9:7 | m1 [post update] [m1] | aliasing.cpp:25:17:25:19 | pointerSetter output argument [m1] |
-| aliasing.cpp:9:11:9:20 | call to user_input | aliasing.cpp:9:6:9:7 | m1 [post update] [m1] |
+| aliasing.cpp:9:11:9:20 | call to user_input | aliasing.cpp:9:3:9:22 | Chi [m1] |
 | aliasing.cpp:13:3:13:21 | Chi [m1] | aliasing.cpp:26:19:26:20 | referenceSetter output argument [m1] |
-| aliasing.cpp:13:5:13:6 | m1 [post update] [m1] | aliasing.cpp:13:3:13:21 | Chi [m1] |
-| aliasing.cpp:13:5:13:6 | m1 [post update] [m1] | aliasing.cpp:26:19:26:20 | referenceSetter output argument [m1] |
-| aliasing.cpp:13:10:13:19 | call to user_input | aliasing.cpp:13:5:13:6 | m1 [post update] [m1] |
-| aliasing.cpp:25:17:25:19 | pointerSetter output argument [m1] | aliasing.cpp:29:11:29:12 | m1 [m1] |
-| aliasing.cpp:26:19:26:20 | referenceSetter output argument [m1] | aliasing.cpp:30:11:30:12 | m1 [m1] |
-| aliasing.cpp:29:11:29:12 | m1 [m1] | aliasing.cpp:29:11:29:12 | m1 |
-| aliasing.cpp:30:11:30:12 | m1 [m1] | aliasing.cpp:30:11:30:12 | m1 |
+| aliasing.cpp:13:10:13:19 | call to user_input | aliasing.cpp:13:3:13:21 | Chi [m1] |
+| aliasing.cpp:25:17:25:19 | Chi [m1] | aliasing.cpp:29:11:29:12 | m1 |
+| aliasing.cpp:25:17:25:19 | pointerSetter output argument [m1] | aliasing.cpp:25:17:25:19 | Chi [m1] |
+| aliasing.cpp:26:19:26:20 | Chi [m1] | aliasing.cpp:30:11:30:12 | m1 |
+| aliasing.cpp:26:19:26:20 | referenceSetter output argument [m1] | aliasing.cpp:26:19:26:20 | Chi [m1] |
 | aliasing.cpp:37:13:37:22 | call to user_input | aliasing.cpp:38:11:38:12 | m1 |
 | aliasing.cpp:42:11:42:20 | call to user_input | aliasing.cpp:43:13:43:14 | m1 |
-| aliasing.cpp:60:6:60:7 | m1 [post update] [m1] | aliasing.cpp:62:14:62:15 | m1 [m1] |
-| aliasing.cpp:60:11:60:20 | call to user_input | aliasing.cpp:60:6:60:7 | m1 [post update] [m1] |
-| aliasing.cpp:62:14:62:15 | m1 [m1] | aliasing.cpp:62:14:62:15 | m1 |
+| aliasing.cpp:60:3:60:22 | Chi [m1] | aliasing.cpp:61:13:61:14 | Store [m1] |
+| aliasing.cpp:60:11:60:20 | call to user_input | aliasing.cpp:60:3:60:22 | Chi [m1] |
+| aliasing.cpp:61:13:61:14 | Store [m1] | aliasing.cpp:62:14:62:15 | m1 |
 | aliasing.cpp:79:11:79:20 | call to user_input | aliasing.cpp:80:12:80:13 | m1 |
 | aliasing.cpp:86:10:86:19 | call to user_input | aliasing.cpp:87:12:87:13 | m1 |
 | aliasing.cpp:92:12:92:21 | call to user_input | aliasing.cpp:93:12:93:13 | m1 |
-| aliasing.cpp:98:5:98:6 | m1 [post update] [m1] | aliasing.cpp:100:14:100:14 | Store [m1] |
-| aliasing.cpp:98:10:98:19 | call to user_input | aliasing.cpp:98:5:98:6 | m1 [post update] [m1] |
+| aliasing.cpp:98:3:98:21 | Chi [m1] | aliasing.cpp:100:14:100:14 | Store [m1] |
+| aliasing.cpp:98:10:98:19 | call to user_input | aliasing.cpp:98:3:98:21 | Chi [m1] |
 | aliasing.cpp:100:14:100:14 | Store [m1] | aliasing.cpp:102:8:102:10 | * ... |
 | aliasing.cpp:106:3:106:20 | Chi [array content] | aliasing.cpp:121:15:121:16 | taint_a_ptr output argument [array content] |
 | aliasing.cpp:106:3:106:20 | Chi [array content] | aliasing.cpp:126:15:126:20 | taint_a_ptr output argument [array content] |
@@ -70,19 +58,7 @@ edges
 | aliasing.cpp:106:3:106:20 | Chi [array content] | aliasing.cpp:175:15:175:22 | taint_a_ptr output argument [array content] |
 | aliasing.cpp:106:3:106:20 | Chi [array content] | aliasing.cpp:187:15:187:22 | taint_a_ptr output argument [array content] |
 | aliasing.cpp:106:3:106:20 | Chi [array content] | aliasing.cpp:200:15:200:24 | taint_a_ptr output argument [array content] |
-| aliasing.cpp:106:3:106:20 | Chi [array content] | aliasing.cpp:225:15:225:22 | taint_a_ptr output argument [array content] |
-| aliasing.cpp:106:3:106:20 | ChiTotal [post update] [array content] | aliasing.cpp:106:3:106:20 | Chi [array content] |
-| aliasing.cpp:106:3:106:20 | ChiTotal [post update] [array content] | aliasing.cpp:121:15:121:16 | taint_a_ptr output argument [array content] |
-| aliasing.cpp:106:3:106:20 | ChiTotal [post update] [array content] | aliasing.cpp:126:15:126:20 | taint_a_ptr output argument [array content] |
-| aliasing.cpp:106:3:106:20 | ChiTotal [post update] [array content] | aliasing.cpp:131:15:131:16 | taint_a_ptr output argument [array content] |
-| aliasing.cpp:106:3:106:20 | ChiTotal [post update] [array content] | aliasing.cpp:136:15:136:17 | taint_a_ptr output argument [array content] |
-| aliasing.cpp:106:3:106:20 | ChiTotal [post update] [array content] | aliasing.cpp:158:15:158:20 | taint_a_ptr output argument [array content] |
-| aliasing.cpp:106:3:106:20 | ChiTotal [post update] [array content] | aliasing.cpp:164:15:164:20 | taint_a_ptr output argument [array content] |
-| aliasing.cpp:106:3:106:20 | ChiTotal [post update] [array content] | aliasing.cpp:175:15:175:22 | taint_a_ptr output argument [array content] |
-| aliasing.cpp:106:3:106:20 | ChiTotal [post update] [array content] | aliasing.cpp:187:15:187:22 | taint_a_ptr output argument [array content] |
-| aliasing.cpp:106:3:106:20 | ChiTotal [post update] [array content] | aliasing.cpp:200:15:200:24 | taint_a_ptr output argument [array content] |
-| aliasing.cpp:106:3:106:20 | ChiTotal [post update] [array content] | aliasing.cpp:225:15:225:22 | taint_a_ptr output argument [array content] |
-| aliasing.cpp:106:9:106:18 | call to user_input | aliasing.cpp:106:3:106:20 | ChiTotal [post update] [array content] |
+| aliasing.cpp:106:9:106:18 | call to user_input | aliasing.cpp:106:3:106:20 | Chi [array content] |
 | aliasing.cpp:121:15:121:16 | Chi [array content] | aliasing.cpp:122:8:122:12 | access to array |
 | aliasing.cpp:121:15:121:16 | taint_a_ptr output argument [array content] | aliasing.cpp:121:15:121:16 | Chi [array content] |
 | aliasing.cpp:126:15:126:20 | Chi [array content] | aliasing.cpp:127:8:127:16 | * ... |
@@ -95,37 +71,16 @@ edges
 | aliasing.cpp:158:15:158:20 | taint_a_ptr output argument [array content] | aliasing.cpp:158:15:158:20 | Chi [array content] |
 | aliasing.cpp:164:15:164:20 | Chi [array content] | aliasing.cpp:165:8:165:16 | access to array |
 | aliasing.cpp:164:15:164:20 | taint_a_ptr output argument [array content] | aliasing.cpp:164:15:164:20 | Chi [array content] |
-| aliasing.cpp:175:15:175:22 | taint_a_ptr output argument | aliasing.cpp:175:21:175:22 | m1 [post update] [m1] |
-| aliasing.cpp:175:15:175:22 | taint_a_ptr output argument [array content] | aliasing.cpp:175:15:175:22 | taint_a_ptr output argument |
-| aliasing.cpp:175:19:175:19 | s [post update] [s, m1] | aliasing.cpp:176:11:176:11 | s [s, m1] |
-| aliasing.cpp:175:21:175:22 | m1 [post update] [m1] | aliasing.cpp:175:19:175:19 | s [post update] [s, m1] |
-| aliasing.cpp:176:11:176:11 | s [s, m1] | aliasing.cpp:176:13:176:14 | m1 [m1] |
-| aliasing.cpp:176:13:176:14 | m1 [m1] | aliasing.cpp:176:13:176:14 | m1 |
-| aliasing.cpp:187:15:187:22 | taint_a_ptr output argument | aliasing.cpp:187:21:187:22 | m1 [post update] [m1] |
-| aliasing.cpp:187:15:187:22 | taint_a_ptr output argument [array content] | aliasing.cpp:187:15:187:22 | taint_a_ptr output argument |
-| aliasing.cpp:187:19:187:19 | s [post update] [s, m1] | aliasing.cpp:189:13:189:13 | s [s, m1] |
-| aliasing.cpp:187:21:187:22 | m1 [post update] [m1] | aliasing.cpp:187:19:187:19 | s [post update] [s, m1] |
-| aliasing.cpp:189:13:189:13 | s [s, m1] | aliasing.cpp:189:15:189:16 | m1 [m1] |
-| aliasing.cpp:189:15:189:16 | m1 [m1] | aliasing.cpp:189:15:189:16 | m1 |
-| aliasing.cpp:200:15:200:24 | taint_a_ptr output argument | aliasing.cpp:200:23:200:24 | m1 [post update] [m1] |
-| aliasing.cpp:200:15:200:24 | taint_a_ptr output argument [array content] | aliasing.cpp:200:15:200:24 | taint_a_ptr output argument |
-| aliasing.cpp:200:21:200:21 | s [post update] [s, m1] | aliasing.cpp:201:13:201:13 | s [s, m1] |
-| aliasing.cpp:200:23:200:24 | m1 [post update] [m1] | aliasing.cpp:200:21:200:21 | s [post update] [s, m1] |
-| aliasing.cpp:201:13:201:13 | s [s, m1] | aliasing.cpp:201:15:201:16 | m1 [m1] |
-| aliasing.cpp:201:15:201:16 | m1 [m1] | aliasing.cpp:201:15:201:16 | m1 |
-| aliasing.cpp:211:6:211:6 | s [post update] [s, m1] | aliasing.cpp:212:12:212:12 | s [s, m1] |
-| aliasing.cpp:211:8:211:9 | m1 [post update] [m1] | aliasing.cpp:211:6:211:6 | s [post update] [s, m1] |
-| aliasing.cpp:211:13:211:22 | call to user_input | aliasing.cpp:211:8:211:9 | m1 [post update] [m1] |
-| aliasing.cpp:212:12:212:12 | s [m1] | aliasing.cpp:213:10:213:11 | m1 [m1] |
-| aliasing.cpp:212:12:212:12 | s [s, m1] | aliasing.cpp:212:12:212:12 | s [m1] |
-| aliasing.cpp:213:10:213:11 | m1 [m1] | aliasing.cpp:213:10:213:11 | m1 |
-| aliasing.cpp:225:15:225:22 | taint_a_ptr output argument | aliasing.cpp:225:21:225:22 | m1 [post update] [m1] |
-| aliasing.cpp:225:15:225:22 | taint_a_ptr output argument [array content] | aliasing.cpp:225:15:225:22 | taint_a_ptr output argument |
-| aliasing.cpp:225:19:225:19 | s [post update] [s, m1] | aliasing.cpp:226:12:226:12 | s [s, m1] |
-| aliasing.cpp:225:21:225:22 | m1 [post update] [m1] | aliasing.cpp:225:19:225:19 | s [post update] [s, m1] |
-| aliasing.cpp:226:12:226:12 | s [m1] | aliasing.cpp:227:10:227:11 | m1 [m1] |
-| aliasing.cpp:226:12:226:12 | s [s, m1] | aliasing.cpp:226:12:226:12 | s [m1] |
-| aliasing.cpp:227:10:227:11 | m1 [m1] | aliasing.cpp:227:10:227:11 | m1 |
+| aliasing.cpp:175:15:175:22 | Chi | aliasing.cpp:175:15:175:22 | Chi [m1] |
+| aliasing.cpp:175:15:175:22 | Chi [m1] | aliasing.cpp:176:13:176:14 | m1 |
+| aliasing.cpp:175:15:175:22 | taint_a_ptr output argument [array content] | aliasing.cpp:175:15:175:22 | Chi |
+| aliasing.cpp:187:15:187:22 | Chi | aliasing.cpp:187:15:187:22 | Chi [m1] |
+| aliasing.cpp:187:15:187:22 | Chi [m1] | aliasing.cpp:188:13:188:14 | Store [m1] |
+| aliasing.cpp:187:15:187:22 | taint_a_ptr output argument [array content] | aliasing.cpp:187:15:187:22 | Chi |
+| aliasing.cpp:188:13:188:14 | Store [m1] | aliasing.cpp:189:15:189:16 | m1 |
+| aliasing.cpp:200:15:200:24 | Chi | aliasing.cpp:200:15:200:24 | Chi [m1] |
+| aliasing.cpp:200:15:200:24 | Chi [m1] | aliasing.cpp:201:15:201:16 | m1 |
+| aliasing.cpp:200:15:200:24 | taint_a_ptr output argument [array content] | aliasing.cpp:200:15:200:24 | Chi |
 | arrays.cpp:6:12:6:21 | call to user_input | arrays.cpp:7:8:7:13 | access to array |
 | arrays.cpp:6:12:6:21 | call to user_input | arrays.cpp:9:8:9:11 | * ... |
 | arrays.cpp:6:12:6:21 | call to user_input | arrays.cpp:10:8:10:15 | * ... |
@@ -141,126 +96,65 @@ edges
 | by_reference.cpp:68:21:68:30 | call to user_input | by_reference.cpp:68:17:68:18 | nonMemberSetA output argument [a] |
 | by_reference.cpp:84:3:84:25 | Chi [a] | by_reference.cpp:102:21:102:39 | taint_inner_a_ptr output argument [a] |
 | by_reference.cpp:84:3:84:25 | Chi [a] | by_reference.cpp:106:21:106:41 | taint_inner_a_ptr output argument [a] |
-| by_reference.cpp:84:10:84:10 | a [post update] [a] | by_reference.cpp:84:3:84:25 | Chi [a] |
-| by_reference.cpp:84:10:84:10 | a [post update] [a] | by_reference.cpp:102:21:102:39 | taint_inner_a_ptr output argument [a] |
-| by_reference.cpp:84:10:84:10 | a [post update] [a] | by_reference.cpp:106:21:106:41 | taint_inner_a_ptr output argument [a] |
-| by_reference.cpp:84:14:84:23 | call to user_input | by_reference.cpp:84:10:84:10 | a [post update] [a] |
+| by_reference.cpp:84:14:84:23 | call to user_input | by_reference.cpp:84:3:84:25 | Chi [a] |
 | by_reference.cpp:88:3:88:24 | Chi [a] | by_reference.cpp:122:21:122:38 | taint_inner_a_ref output argument [a] |
 | by_reference.cpp:88:3:88:24 | Chi [a] | by_reference.cpp:126:21:126:40 | taint_inner_a_ref output argument [a] |
-| by_reference.cpp:88:9:88:9 | a [post update] [a] | by_reference.cpp:88:3:88:24 | Chi [a] |
-| by_reference.cpp:88:9:88:9 | a [post update] [a] | by_reference.cpp:122:21:122:38 | taint_inner_a_ref output argument [a] |
-| by_reference.cpp:88:9:88:9 | a [post update] [a] | by_reference.cpp:126:21:126:40 | taint_inner_a_ref output argument [a] |
-| by_reference.cpp:88:13:88:22 | call to user_input | by_reference.cpp:88:9:88:9 | a [post update] [a] |
+| by_reference.cpp:88:13:88:22 | call to user_input | by_reference.cpp:88:3:88:24 | Chi [a] |
 | by_reference.cpp:92:3:92:20 | Chi [array content] | by_reference.cpp:104:15:104:22 | taint_a_ptr output argument [array content] |
 | by_reference.cpp:92:3:92:20 | Chi [array content] | by_reference.cpp:108:15:108:24 | taint_a_ptr output argument [array content] |
-| by_reference.cpp:92:3:92:20 | ChiTotal [post update] [array content] | by_reference.cpp:92:3:92:20 | Chi [array content] |
-| by_reference.cpp:92:3:92:20 | ChiTotal [post update] [array content] | by_reference.cpp:104:15:104:22 | taint_a_ptr output argument [array content] |
-| by_reference.cpp:92:3:92:20 | ChiTotal [post update] [array content] | by_reference.cpp:108:15:108:24 | taint_a_ptr output argument [array content] |
-| by_reference.cpp:92:9:92:18 | call to user_input | by_reference.cpp:92:3:92:20 | ChiTotal [post update] [array content] |
+| by_reference.cpp:92:9:92:18 | call to user_input | by_reference.cpp:92:3:92:20 | Chi [array content] |
 | by_reference.cpp:96:3:96:19 | Chi [array content] | by_reference.cpp:124:15:124:21 | taint_a_ref output argument [array content] |
 | by_reference.cpp:96:3:96:19 | Chi [array content] | by_reference.cpp:128:15:128:23 | taint_a_ref output argument [array content] |
-| by_reference.cpp:96:3:96:19 | ChiTotal [post update] [array content] | by_reference.cpp:96:3:96:19 | Chi [array content] |
-| by_reference.cpp:96:3:96:19 | ChiTotal [post update] [array content] | by_reference.cpp:124:15:124:21 | taint_a_ref output argument [array content] |
-| by_reference.cpp:96:3:96:19 | ChiTotal [post update] [array content] | by_reference.cpp:128:15:128:23 | taint_a_ref output argument [array content] |
-| by_reference.cpp:96:8:96:17 | call to user_input | by_reference.cpp:96:3:96:19 | ChiTotal [post update] [array content] |
-| by_reference.cpp:102:21:102:39 | taint_inner_a_ptr output argument [a] | by_reference.cpp:102:28:102:39 | inner_nested [post update] [a, a] |
-| by_reference.cpp:102:28:102:39 | inner_nested [post update] [a, a] | by_reference.cpp:110:14:110:25 | inner_nested [a, a] |
-| by_reference.cpp:104:15:104:22 | taint_a_ptr output argument | by_reference.cpp:104:22:104:22 | a [post update] [a] |
-| by_reference.cpp:104:15:104:22 | taint_a_ptr output argument [array content] | by_reference.cpp:104:15:104:22 | taint_a_ptr output argument |
-| by_reference.cpp:104:22:104:22 | a [post update] [a] | by_reference.cpp:112:14:112:14 | a [a] |
-| by_reference.cpp:106:21:106:41 | taint_inner_a_ptr output argument [a] | by_reference.cpp:106:30:106:41 | inner_nested [post update] [a, a] |
-| by_reference.cpp:106:30:106:41 | inner_nested [post update] [a, a] | by_reference.cpp:114:16:114:27 | inner_nested [a, a] |
-| by_reference.cpp:108:15:108:24 | taint_a_ptr output argument | by_reference.cpp:108:24:108:24 | a [post update] [a] |
-| by_reference.cpp:108:15:108:24 | taint_a_ptr output argument [array content] | by_reference.cpp:108:15:108:24 | taint_a_ptr output argument |
-| by_reference.cpp:108:24:108:24 | a [post update] [a] | by_reference.cpp:116:16:116:16 | a [a] |
-| by_reference.cpp:110:14:110:25 | inner_nested [a, a] | by_reference.cpp:110:27:110:27 | a [a] |
-| by_reference.cpp:110:27:110:27 | a [a] | by_reference.cpp:110:27:110:27 | a |
-| by_reference.cpp:112:14:112:14 | a [a] | by_reference.cpp:112:14:112:14 | a |
-| by_reference.cpp:114:16:114:27 | inner_nested [a, a] | by_reference.cpp:114:29:114:29 | a [a] |
-| by_reference.cpp:114:29:114:29 | a [a] | by_reference.cpp:114:29:114:29 | a |
-| by_reference.cpp:116:16:116:16 | a [a] | by_reference.cpp:116:16:116:16 | a |
-| by_reference.cpp:122:21:122:38 | taint_inner_a_ref output argument [a] | by_reference.cpp:122:27:122:38 | inner_nested [post update] [a, a] |
-| by_reference.cpp:122:27:122:38 | inner_nested [post update] [a, a] | by_reference.cpp:130:14:130:25 | inner_nested [a, a] |
-| by_reference.cpp:124:15:124:21 | taint_a_ref output argument | by_reference.cpp:124:21:124:21 | a [post update] [a] |
-| by_reference.cpp:124:15:124:21 | taint_a_ref output argument [array content] | by_reference.cpp:124:15:124:21 | taint_a_ref output argument |
-| by_reference.cpp:124:21:124:21 | a [post update] [a] | by_reference.cpp:132:14:132:14 | a [a] |
-| by_reference.cpp:126:21:126:40 | taint_inner_a_ref output argument [a] | by_reference.cpp:126:29:126:40 | inner_nested [post update] [a, a] |
-| by_reference.cpp:126:29:126:40 | inner_nested [post update] [a, a] | by_reference.cpp:134:16:134:27 | inner_nested [a, a] |
-| by_reference.cpp:128:15:128:23 | taint_a_ref output argument | by_reference.cpp:128:23:128:23 | a [post update] [a] |
-| by_reference.cpp:128:15:128:23 | taint_a_ref output argument [array content] | by_reference.cpp:128:15:128:23 | taint_a_ref output argument |
-| by_reference.cpp:128:23:128:23 | a [post update] [a] | by_reference.cpp:136:16:136:16 | a [a] |
-| by_reference.cpp:130:14:130:25 | inner_nested [a, a] | by_reference.cpp:130:27:130:27 | a [a] |
-| by_reference.cpp:130:27:130:27 | a [a] | by_reference.cpp:130:27:130:27 | a |
-| by_reference.cpp:132:14:132:14 | a [a] | by_reference.cpp:132:14:132:14 | a |
-| by_reference.cpp:134:16:134:27 | inner_nested [a, a] | by_reference.cpp:134:29:134:29 | a [a] |
-| by_reference.cpp:134:29:134:29 | a [a] | by_reference.cpp:134:29:134:29 | a |
-| by_reference.cpp:136:16:136:16 | a [a] | by_reference.cpp:136:16:136:16 | a |
-| by_reference.cpp:140:3:140:27 | Chi [array content] | by_reference.cpp:145:15:145:16 | taint_a_ptr output argument [array content] |
-| by_reference.cpp:140:3:140:27 | ChiTotal [post update] [array content] | by_reference.cpp:140:3:140:27 | Chi [array content] |
-| by_reference.cpp:140:3:140:27 | ChiTotal [post update] [array content] | by_reference.cpp:145:15:145:16 | taint_a_ptr output argument [array content] |
-| by_reference.cpp:140:9:140:27 | (char *)... | by_reference.cpp:140:3:140:27 | ChiTotal [post update] [array content] |
-| by_reference.cpp:140:9:140:27 | (const char *)... | by_reference.cpp:140:3:140:27 | ChiTotal [post update] [array content] |
-| by_reference.cpp:140:16:140:25 | call to user_input | by_reference.cpp:140:3:140:27 | ChiTotal [post update] [array content] |
-| by_reference.cpp:145:15:145:16 | taint_a_ptr output argument | by_reference.cpp:146:8:146:8 | s |
-| by_reference.cpp:145:15:145:16 | taint_a_ptr output argument [array content] | by_reference.cpp:145:15:145:16 | taint_a_ptr output argument |
+| by_reference.cpp:96:8:96:17 | call to user_input | by_reference.cpp:96:3:96:19 | Chi [array content] |
+| by_reference.cpp:102:21:102:39 | Chi [a] | by_reference.cpp:110:27:110:27 | a |
+| by_reference.cpp:102:21:102:39 | taint_inner_a_ptr output argument [a] | by_reference.cpp:102:21:102:39 | Chi [a] |
+| by_reference.cpp:104:15:104:22 | Chi | by_reference.cpp:104:15:104:22 | Chi [a] |
+| by_reference.cpp:104:15:104:22 | Chi [a] | by_reference.cpp:112:14:112:14 | a |
+| by_reference.cpp:104:15:104:22 | taint_a_ptr output argument [array content] | by_reference.cpp:104:15:104:22 | Chi |
+| by_reference.cpp:106:21:106:41 | Chi [a] | by_reference.cpp:114:29:114:29 | a |
+| by_reference.cpp:106:21:106:41 | taint_inner_a_ptr output argument [a] | by_reference.cpp:106:21:106:41 | Chi [a] |
+| by_reference.cpp:108:15:108:24 | Chi | by_reference.cpp:108:15:108:24 | Chi [a] |
+| by_reference.cpp:108:15:108:24 | Chi [a] | by_reference.cpp:116:16:116:16 | a |
+| by_reference.cpp:108:15:108:24 | taint_a_ptr output argument [array content] | by_reference.cpp:108:15:108:24 | Chi |
+| by_reference.cpp:122:21:122:38 | Chi [a] | by_reference.cpp:130:27:130:27 | a |
+| by_reference.cpp:122:21:122:38 | taint_inner_a_ref output argument [a] | by_reference.cpp:122:21:122:38 | Chi [a] |
+| by_reference.cpp:124:15:124:21 | Chi | by_reference.cpp:124:15:124:21 | Chi [a] |
+| by_reference.cpp:124:15:124:21 | Chi [a] | by_reference.cpp:132:14:132:14 | a |
+| by_reference.cpp:124:15:124:21 | taint_a_ref output argument [array content] | by_reference.cpp:124:15:124:21 | Chi |
+| by_reference.cpp:126:21:126:40 | Chi [a] | by_reference.cpp:134:29:134:29 | a |
+| by_reference.cpp:126:21:126:40 | taint_inner_a_ref output argument [a] | by_reference.cpp:126:21:126:40 | Chi [a] |
+| by_reference.cpp:128:15:128:23 | Chi | by_reference.cpp:128:15:128:23 | Chi [a] |
+| by_reference.cpp:128:15:128:23 | Chi [a] | by_reference.cpp:136:16:136:16 | a |
+| by_reference.cpp:128:15:128:23 | taint_a_ref output argument [array content] | by_reference.cpp:128:15:128:23 | Chi |
 | complex.cpp:40:17:40:17 | *b [a_] | complex.cpp:42:18:42:18 | call to a |
+| complex.cpp:40:17:40:17 | *b [b_] | complex.cpp:42:16:42:16 | Chi [b_] |
 | complex.cpp:40:17:40:17 | *b [b_] | complex.cpp:42:16:42:16 | a output argument [b_] |
 | complex.cpp:40:17:40:17 | *b [b_] | complex.cpp:43:18:43:18 | call to b |
-| complex.cpp:40:17:40:17 | *b [f, f, a_] | complex.cpp:42:10:42:14 | inner [f, f, a_] |
-| complex.cpp:40:17:40:17 | *b [f, f, b_] | complex.cpp:42:10:42:14 | inner [f, f, b_] |
-| complex.cpp:40:17:40:17 | *b [f, f, b_] | complex.cpp:42:16:42:16 | a output argument [f, f, b_] |
-| complex.cpp:40:17:40:17 | *b [f, f, b_] | complex.cpp:43:10:43:14 | inner [f, f, b_] |
-| complex.cpp:40:17:40:17 | *b [f, f, f, f, a_] | complex.cpp:42:10:42:14 | inner [f, f, f, f, a_] |
-| complex.cpp:42:10:42:14 | inner [f, f, a_] | complex.cpp:42:16:42:16 | f [f, a_] |
-| complex.cpp:42:10:42:14 | inner [f, f, b_] | complex.cpp:42:16:42:16 | f [f, b_] |
-| complex.cpp:42:10:42:14 | inner [f, f, f, f, a_] | complex.cpp:42:16:42:16 | f [f, f, f, a_] |
-| complex.cpp:42:10:42:14 | inner [post update] [f, f, b_] | complex.cpp:43:10:43:14 | inner [f, f, b_] |
-| complex.cpp:42:10:42:14 | inner [post update] [f, f, f, f, b_] | complex.cpp:43:10:43:14 | inner [f, f, f, f, b_] |
-| complex.cpp:42:16:42:16 | a output argument [b_] | complex.cpp:42:16:42:16 | f [post update] [f, b_] |
+| complex.cpp:42:16:42:16 | Chi [b_] | complex.cpp:43:18:43:18 | call to b |
+| complex.cpp:42:16:42:16 | a output argument [b_] | complex.cpp:42:16:42:16 | Chi [b_] |
 | complex.cpp:42:16:42:16 | a output argument [b_] | complex.cpp:43:18:43:18 | call to b |
-| complex.cpp:42:16:42:16 | a output argument [f, f, b_] | complex.cpp:42:16:42:16 | f [post update] [f, f, f, b_] |
-| complex.cpp:42:16:42:16 | a output argument [f, f, b_] | complex.cpp:43:10:43:14 | inner [f, f, b_] |
-| complex.cpp:42:16:42:16 | f [f, a_] | complex.cpp:42:18:42:18 | call to a |
-| complex.cpp:42:16:42:16 | f [f, b_] | complex.cpp:42:16:42:16 | a output argument [b_] |
-| complex.cpp:42:16:42:16 | f [f, f, f, a_] | complex.cpp:42:10:42:14 | inner [f, f, a_] |
-| complex.cpp:42:16:42:16 | f [post update] [f, b_] | complex.cpp:42:10:42:14 | inner [post update] [f, f, b_] |
-| complex.cpp:42:16:42:16 | f [post update] [f, f, f, b_] | complex.cpp:42:10:42:14 | inner [post update] [f, f, f, f, b_] |
-| complex.cpp:43:10:43:14 | inner [f, f, b_] | complex.cpp:43:16:43:16 | f [f, b_] |
-| complex.cpp:43:10:43:14 | inner [f, f, f, f, b_] | complex.cpp:43:16:43:16 | f [f, f, f, b_] |
-| complex.cpp:43:16:43:16 | f [f, b_] | complex.cpp:43:18:43:18 | call to b |
-| complex.cpp:43:16:43:16 | f [f, f, f, b_] | complex.cpp:43:10:43:14 | inner [f, f, b_] |
-| complex.cpp:53:6:53:10 | inner [post update] [f, f, a_] | complex.cpp:40:17:40:17 | *b [f, f, a_] |
-| complex.cpp:53:12:53:12 | f [post update] [f, a_] | complex.cpp:53:6:53:10 | inner [post update] [f, f, a_] |
+| complex.cpp:53:12:53:12 | Chi [a_] | complex.cpp:40:17:40:17 | *b [a_] |
 | complex.cpp:53:12:53:12 | setA output argument [a_] | complex.cpp:40:17:40:17 | *b [a_] |
-| complex.cpp:53:12:53:12 | setA output argument [a_] | complex.cpp:53:12:53:12 | f [post update] [f, a_] |
+| complex.cpp:53:12:53:12 | setA output argument [a_] | complex.cpp:53:12:53:12 | Chi [a_] |
 | complex.cpp:53:19:53:28 | call to user_input | complex.cpp:53:12:53:12 | setA output argument [a_] |
-| complex.cpp:54:6:54:10 | inner [post update] [f, f, b_] | complex.cpp:40:17:40:17 | *b [f, f, b_] |
-| complex.cpp:54:12:54:12 | f [post update] [f, b_] | complex.cpp:54:6:54:10 | inner [post update] [f, f, b_] |
+| complex.cpp:54:12:54:12 | Chi [b_] | complex.cpp:40:17:40:17 | *b [b_] |
 | complex.cpp:54:12:54:12 | setB output argument [b_] | complex.cpp:40:17:40:17 | *b [b_] |
-| complex.cpp:54:12:54:12 | setB output argument [b_] | complex.cpp:54:12:54:12 | f [post update] [f, b_] |
+| complex.cpp:54:12:54:12 | setB output argument [b_] | complex.cpp:54:12:54:12 | Chi [b_] |
 | complex.cpp:54:19:54:28 | call to user_input | complex.cpp:54:12:54:12 | setB output argument [b_] |
-| complex.cpp:55:6:55:10 | inner [post update] [f, f, a_] | complex.cpp:40:17:40:17 | *b [f, f, a_] |
-| complex.cpp:55:6:55:10 | inner [post update] [f, f, a_] | complex.cpp:56:6:56:10 | inner [f, f, a_] |
-| complex.cpp:55:6:55:10 | inner [post update] [f, f, a_] | complex.cpp:56:12:56:12 | setB output argument [f, f, a_] |
-| complex.cpp:55:12:55:12 | f [post update] [f, a_] | complex.cpp:55:6:55:10 | inner [post update] [f, f, a_] |
+| complex.cpp:55:12:55:12 | Chi [a_] | complex.cpp:40:17:40:17 | *b [a_] |
+| complex.cpp:55:12:55:12 | Chi [a_] | complex.cpp:56:12:56:12 | Chi [a_] |
+| complex.cpp:55:12:55:12 | Chi [a_] | complex.cpp:56:12:56:12 | setB output argument [a_] |
 | complex.cpp:55:12:55:12 | setA output argument [a_] | complex.cpp:40:17:40:17 | *b [a_] |
-| complex.cpp:55:12:55:12 | setA output argument [a_] | complex.cpp:55:12:55:12 | f [post update] [f, a_] |
+| complex.cpp:55:12:55:12 | setA output argument [a_] | complex.cpp:55:12:55:12 | Chi [a_] |
+| complex.cpp:55:12:55:12 | setA output argument [a_] | complex.cpp:56:12:56:12 | Chi [a_] |
 | complex.cpp:55:12:55:12 | setA output argument [a_] | complex.cpp:56:12:56:12 | setB output argument [a_] |
 | complex.cpp:55:19:55:28 | call to user_input | complex.cpp:55:12:55:12 | setA output argument [a_] |
-| complex.cpp:56:6:56:10 | inner [f, f, a_] | complex.cpp:56:12:56:12 | f [f, a_] |
-| complex.cpp:56:6:56:10 | inner [post update] [f, f, a_] | complex.cpp:40:17:40:17 | *b [f, f, a_] |
-| complex.cpp:56:6:56:10 | inner [post update] [f, f, b_] | complex.cpp:40:17:40:17 | *b [f, f, b_] |
-| complex.cpp:56:6:56:10 | inner [post update] [f, f, f, f, a_] | complex.cpp:40:17:40:17 | *b [f, f, f, f, a_] |
-| complex.cpp:56:12:56:12 | f [f, a_] | complex.cpp:56:12:56:12 | setB output argument [a_] |
-| complex.cpp:56:12:56:12 | f [post update] [f, a_] | complex.cpp:56:6:56:10 | inner [post update] [f, f, a_] |
-| complex.cpp:56:12:56:12 | f [post update] [f, b_] | complex.cpp:56:6:56:10 | inner [post update] [f, f, b_] |
-| complex.cpp:56:12:56:12 | f [post update] [f, f, f, a_] | complex.cpp:56:6:56:10 | inner [post update] [f, f, f, f, a_] |
+| complex.cpp:56:12:56:12 | Chi [a_] | complex.cpp:40:17:40:17 | *b [a_] |
+| complex.cpp:56:12:56:12 | Chi [b_] | complex.cpp:40:17:40:17 | *b [b_] |
 | complex.cpp:56:12:56:12 | setB output argument [a_] | complex.cpp:40:17:40:17 | *b [a_] |
-| complex.cpp:56:12:56:12 | setB output argument [a_] | complex.cpp:56:12:56:12 | f [post update] [f, a_] |
+| complex.cpp:56:12:56:12 | setB output argument [a_] | complex.cpp:56:12:56:12 | Chi [a_] |
 | complex.cpp:56:12:56:12 | setB output argument [b_] | complex.cpp:40:17:40:17 | *b [b_] |
-| complex.cpp:56:12:56:12 | setB output argument [b_] | complex.cpp:56:12:56:12 | f [post update] [f, b_] |
-| complex.cpp:56:12:56:12 | setB output argument [f, f, a_] | complex.cpp:40:17:40:17 | *b [f, f, a_] |
-| complex.cpp:56:12:56:12 | setB output argument [f, f, a_] | complex.cpp:56:12:56:12 | f [post update] [f, f, f, a_] |
+| complex.cpp:56:12:56:12 | setB output argument [b_] | complex.cpp:56:12:56:12 | Chi [b_] |
 | complex.cpp:56:19:56:28 | call to user_input | complex.cpp:56:12:56:12 | setB output argument [b_] |
 | constructors.cpp:26:15:26:15 | *f [a_] | constructors.cpp:28:12:28:12 | call to a |
 | constructors.cpp:26:15:26:15 | *f [b_] | constructors.cpp:28:10:28:10 | a output argument [b_] |
@@ -288,25 +182,21 @@ edges
 | simple.cpp:42:5:42:5 | setB output argument [a_] | simple.cpp:26:15:26:15 | *f [a_] |
 | simple.cpp:42:5:42:5 | setB output argument [b_] | simple.cpp:26:15:26:15 | *f [b_] |
 | simple.cpp:42:12:42:21 | call to user_input | simple.cpp:42:5:42:5 | setB output argument [b_] |
-| simple.cpp:65:7:65:7 | i [post update] [i] | simple.cpp:67:13:67:13 | i [i] |
-| simple.cpp:65:11:65:20 | call to user_input | simple.cpp:65:7:65:7 | i [post update] [i] |
-| simple.cpp:67:13:67:13 | i [i] | simple.cpp:67:13:67:13 | i |
-| simple.cpp:83:9:83:10 | f2 [post update] [f1, f1] | simple.cpp:84:14:84:20 | call to getf2f1 |
-| simple.cpp:83:12:83:13 | f1 [post update] [f1] | simple.cpp:83:9:83:10 | f2 [post update] [f1, f1] |
-| simple.cpp:83:17:83:26 | call to user_input | simple.cpp:83:12:83:13 | f1 [post update] [f1] |
-| simple.cpp:92:7:92:7 | i [post update] [i] | simple.cpp:94:13:94:13 | i [i] |
-| simple.cpp:92:11:92:20 | call to user_input | simple.cpp:92:7:92:7 | i [post update] [i] |
-| simple.cpp:94:13:94:13 | i [i] | simple.cpp:94:13:94:13 | i |
-| struct_init.c:14:24:14:25 | *ab [a] | struct_init.c:15:12:15:12 | a [a] |
-| struct_init.c:15:12:15:12 | a [a] | struct_init.c:15:12:15:12 | a |
-| struct_init.c:20:17:20:36 | a [post update] [a] | struct_init.c:14:24:14:25 | *ab [a] |
-| struct_init.c:20:20:20:29 | call to user_input | struct_init.c:20:17:20:36 | a [post update] [a] |
+| simple.cpp:65:5:65:22 | Store [i] | simple.cpp:66:12:66:12 | Store [i] |
+| simple.cpp:65:11:65:20 | call to user_input | simple.cpp:65:5:65:22 | Store [i] |
+| simple.cpp:66:12:66:12 | Store [i] | simple.cpp:67:13:67:13 | i |
+| simple.cpp:83:9:83:28 | Chi [f1] | simple.cpp:84:14:84:20 | call to getf2f1 |
+| simple.cpp:83:17:83:26 | call to user_input | simple.cpp:83:9:83:28 | Chi [f1] |
+| simple.cpp:92:5:92:22 | Store [i] | simple.cpp:93:20:93:20 | Store [i] |
+| simple.cpp:92:11:92:20 | call to user_input | simple.cpp:92:5:92:22 | Store [i] |
+| simple.cpp:93:20:93:20 | Store [i] | simple.cpp:94:13:94:13 | i |
+| struct_init.c:14:24:14:25 | *ab [a] | struct_init.c:15:12:15:12 | a |
+| struct_init.c:20:20:20:29 | Chi [a] | struct_init.c:14:24:14:25 | *ab [a] |
+| struct_init.c:20:20:20:29 | call to user_input | struct_init.c:20:20:20:29 | Chi [a] |
 | struct_init.c:20:20:20:29 | call to user_input | struct_init.c:22:11:22:11 | a |
-| struct_init.c:26:23:29:3 | nestedAB [post update] [nestedAB, a] | struct_init.c:36:17:36:24 | nestedAB [nestedAB, a] |
-| struct_init.c:27:5:27:23 | a [post update] [a] | struct_init.c:26:23:29:3 | nestedAB [post update] [nestedAB, a] |
-| struct_init.c:27:7:27:16 | call to user_input | struct_init.c:27:5:27:23 | a [post update] [a] |
+| struct_init.c:27:7:27:16 | Chi [a] | struct_init.c:14:24:14:25 | *ab [a] |
+| struct_init.c:27:7:27:16 | call to user_input | struct_init.c:27:7:27:16 | Chi [a] |
 | struct_init.c:27:7:27:16 | call to user_input | struct_init.c:31:23:31:23 | a |
-| struct_init.c:36:17:36:24 | nestedAB [nestedAB, a] | struct_init.c:14:24:14:25 | *ab [a] |
 nodes
 | A.cpp:55:5:55:5 | set output argument [c] | semmle.label | set output argument [c] |
 | A.cpp:55:12:55:19 | (C *)... | semmle.label | (C *)... |
@@ -316,75 +206,66 @@ nodes
 | A.cpp:57:17:57:23 | new | semmle.label | new |
 | A.cpp:57:28:57:30 | call to get | semmle.label | call to get |
 | A.cpp:98:12:98:18 | new | semmle.label | new |
-| A.cpp:100:9:100:9 | a [post update] [a] | semmle.label | a [post update] [a] |
+| A.cpp:100:5:100:13 | Chi [a] | semmle.label | Chi [a] |
 | A.cpp:103:14:103:14 | *c [a] | semmle.label | *c [a] |
 | A.cpp:107:16:107:16 | a | semmle.label | a |
-| A.cpp:107:16:107:16 | a [a] | semmle.label | a [a] |
 | A.cpp:126:5:126:5 | Chi [c] | semmle.label | Chi [c] |
 | A.cpp:126:5:126:5 | set output argument [c] | semmle.label | set output argument [c] |
 | A.cpp:126:12:126:18 | new | semmle.label | new |
+| A.cpp:131:8:131:8 | Chi [c] | semmle.label | Chi [c] |
 | A.cpp:131:8:131:8 | f7 output argument [c] | semmle.label | f7 output argument [c] |
 | A.cpp:132:13:132:13 | c | semmle.label | c |
-| A.cpp:132:13:132:13 | c [c] | semmle.label | c [c] |
 | A.cpp:142:7:142:20 | Chi [c] | semmle.label | Chi [c] |
-| A.cpp:142:10:142:10 | c [post update] [c] | semmle.label | c [post update] [c] |
 | A.cpp:142:14:142:20 | new | semmle.label | new |
 | A.cpp:143:7:143:31 | Chi [b] | semmle.label | Chi [b] |
-| A.cpp:143:13:143:13 | b [post update] [b] | semmle.label | b [post update] [b] |
 | A.cpp:143:25:143:31 | new | semmle.label | new |
 | A.cpp:150:12:150:18 | new | semmle.label | new |
+| A.cpp:151:12:151:24 | Chi [b] | semmle.label | Chi [b] |
 | A.cpp:151:12:151:24 | D output argument [b] | semmle.label | D output argument [b] |
+| A.cpp:151:18:151:18 | Chi [c] | semmle.label | Chi [c] |
 | A.cpp:151:18:151:18 | D output argument [c] | semmle.label | D output argument [c] |
 | A.cpp:152:13:152:13 | b | semmle.label | b |
-| A.cpp:152:13:152:13 | b [b] | semmle.label | b [b] |
 | A.cpp:154:13:154:13 | c | semmle.label | c |
-| A.cpp:154:13:154:13 | c [c] | semmle.label | c [c] |
 | C.cpp:18:12:18:18 | C output argument [s1] | semmle.label | C output argument [s1] |
 | C.cpp:18:12:18:18 | C output argument [s3] | semmle.label | C output argument [s3] |
-| C.cpp:22:9:22:22 | s1 [post update] [s1] | semmle.label | s1 [post update] [s1] |
+| C.cpp:22:12:22:21 | Chi [s1] | semmle.label | Chi [s1] |
 | C.cpp:22:12:22:21 | new | semmle.label | new |
 | C.cpp:24:5:24:25 | Chi [s1] | semmle.label | Chi [s1] |
 | C.cpp:24:5:24:25 | Chi [s3] | semmle.label | Chi [s3] |
-| C.cpp:24:11:24:12 | s3 [post update] [s3] | semmle.label | s3 [post update] [s3] |
 | C.cpp:24:16:24:25 | new | semmle.label | new |
 | C.cpp:27:8:27:11 | *#this [s1] | semmle.label | *#this [s1] |
 | C.cpp:27:8:27:11 | *#this [s3] | semmle.label | *#this [s3] |
 | C.cpp:29:10:29:11 | s1 | semmle.label | s1 |
-| C.cpp:29:10:29:11 | s1 [s1] | semmle.label | s1 [s1] |
 | C.cpp:31:10:31:11 | s3 | semmle.label | s3 |
-| C.cpp:31:10:31:11 | s3 [s3] | semmle.label | s3 [s3] |
 | aliasing.cpp:9:3:9:22 | Chi [m1] | semmle.label | Chi [m1] |
-| aliasing.cpp:9:6:9:7 | m1 [post update] [m1] | semmle.label | m1 [post update] [m1] |
 | aliasing.cpp:9:11:9:20 | call to user_input | semmle.label | call to user_input |
 | aliasing.cpp:13:3:13:21 | Chi [m1] | semmle.label | Chi [m1] |
-| aliasing.cpp:13:5:13:6 | m1 [post update] [m1] | semmle.label | m1 [post update] [m1] |
 | aliasing.cpp:13:10:13:19 | call to user_input | semmle.label | call to user_input |
+| aliasing.cpp:25:17:25:19 | Chi [m1] | semmle.label | Chi [m1] |
 | aliasing.cpp:25:17:25:19 | pointerSetter output argument [m1] | semmle.label | pointerSetter output argument [m1] |
+| aliasing.cpp:26:19:26:20 | Chi [m1] | semmle.label | Chi [m1] |
 | aliasing.cpp:26:19:26:20 | referenceSetter output argument [m1] | semmle.label | referenceSetter output argument [m1] |
 | aliasing.cpp:29:11:29:12 | m1 | semmle.label | m1 |
-| aliasing.cpp:29:11:29:12 | m1 [m1] | semmle.label | m1 [m1] |
 | aliasing.cpp:30:11:30:12 | m1 | semmle.label | m1 |
-| aliasing.cpp:30:11:30:12 | m1 [m1] | semmle.label | m1 [m1] |
 | aliasing.cpp:37:13:37:22 | call to user_input | semmle.label | call to user_input |
 | aliasing.cpp:38:11:38:12 | m1 | semmle.label | m1 |
 | aliasing.cpp:42:11:42:20 | call to user_input | semmle.label | call to user_input |
 | aliasing.cpp:43:13:43:14 | m1 | semmle.label | m1 |
-| aliasing.cpp:60:6:60:7 | m1 [post update] [m1] | semmle.label | m1 [post update] [m1] |
+| aliasing.cpp:60:3:60:22 | Chi [m1] | semmle.label | Chi [m1] |
 | aliasing.cpp:60:11:60:20 | call to user_input | semmle.label | call to user_input |
+| aliasing.cpp:61:13:61:14 | Store [m1] | semmle.label | Store [m1] |
 | aliasing.cpp:62:14:62:15 | m1 | semmle.label | m1 |
-| aliasing.cpp:62:14:62:15 | m1 [m1] | semmle.label | m1 [m1] |
 | aliasing.cpp:79:11:79:20 | call to user_input | semmle.label | call to user_input |
 | aliasing.cpp:80:12:80:13 | m1 | semmle.label | m1 |
 | aliasing.cpp:86:10:86:19 | call to user_input | semmle.label | call to user_input |
 | aliasing.cpp:87:12:87:13 | m1 | semmle.label | m1 |
 | aliasing.cpp:92:12:92:21 | call to user_input | semmle.label | call to user_input |
 | aliasing.cpp:93:12:93:13 | m1 | semmle.label | m1 |
-| aliasing.cpp:98:5:98:6 | m1 [post update] [m1] | semmle.label | m1 [post update] [m1] |
+| aliasing.cpp:98:3:98:21 | Chi [m1] | semmle.label | Chi [m1] |
 | aliasing.cpp:98:10:98:19 | call to user_input | semmle.label | call to user_input |
 | aliasing.cpp:100:14:100:14 | Store [m1] | semmle.label | Store [m1] |
 | aliasing.cpp:102:8:102:10 | * ... | semmle.label | * ... |
 | aliasing.cpp:106:3:106:20 | Chi [array content] | semmle.label | Chi [array content] |
-| aliasing.cpp:106:3:106:20 | ChiTotal [post update] [array content] | semmle.label | ChiTotal [post update] [array content] |
 | aliasing.cpp:106:9:106:18 | call to user_input | semmle.label | call to user_input |
 | aliasing.cpp:121:15:121:16 | Chi [array content] | semmle.label | Chi [array content] |
 | aliasing.cpp:121:15:121:16 | taint_a_ptr output argument [array content] | semmle.label | taint_a_ptr output argument [array content] |
@@ -404,42 +285,19 @@ nodes
 | aliasing.cpp:164:15:164:20 | Chi [array content] | semmle.label | Chi [array content] |
 | aliasing.cpp:164:15:164:20 | taint_a_ptr output argument [array content] | semmle.label | taint_a_ptr output argument [array content] |
 | aliasing.cpp:165:8:165:16 | access to array | semmle.label | access to array |
-| aliasing.cpp:175:15:175:22 | taint_a_ptr output argument | semmle.label | taint_a_ptr output argument |
+| aliasing.cpp:175:15:175:22 | Chi | semmle.label | Chi |
+| aliasing.cpp:175:15:175:22 | Chi [m1] | semmle.label | Chi [m1] |
 | aliasing.cpp:175:15:175:22 | taint_a_ptr output argument [array content] | semmle.label | taint_a_ptr output argument [array content] |
-| aliasing.cpp:175:19:175:19 | s [post update] [s, m1] | semmle.label | s [post update] [s, m1] |
-| aliasing.cpp:175:21:175:22 | m1 [post update] [m1] | semmle.label | m1 [post update] [m1] |
-| aliasing.cpp:176:11:176:11 | s [s, m1] | semmle.label | s [s, m1] |
 | aliasing.cpp:176:13:176:14 | m1 | semmle.label | m1 |
-| aliasing.cpp:176:13:176:14 | m1 [m1] | semmle.label | m1 [m1] |
-| aliasing.cpp:187:15:187:22 | taint_a_ptr output argument | semmle.label | taint_a_ptr output argument |
+| aliasing.cpp:187:15:187:22 | Chi | semmle.label | Chi |
+| aliasing.cpp:187:15:187:22 | Chi [m1] | semmle.label | Chi [m1] |
 | aliasing.cpp:187:15:187:22 | taint_a_ptr output argument [array content] | semmle.label | taint_a_ptr output argument [array content] |
-| aliasing.cpp:187:19:187:19 | s [post update] [s, m1] | semmle.label | s [post update] [s, m1] |
-| aliasing.cpp:187:21:187:22 | m1 [post update] [m1] | semmle.label | m1 [post update] [m1] |
-| aliasing.cpp:189:13:189:13 | s [s, m1] | semmle.label | s [s, m1] |
+| aliasing.cpp:188:13:188:14 | Store [m1] | semmle.label | Store [m1] |
 | aliasing.cpp:189:15:189:16 | m1 | semmle.label | m1 |
-| aliasing.cpp:189:15:189:16 | m1 [m1] | semmle.label | m1 [m1] |
-| aliasing.cpp:200:15:200:24 | taint_a_ptr output argument | semmle.label | taint_a_ptr output argument |
+| aliasing.cpp:200:15:200:24 | Chi | semmle.label | Chi |
+| aliasing.cpp:200:15:200:24 | Chi [m1] | semmle.label | Chi [m1] |
 | aliasing.cpp:200:15:200:24 | taint_a_ptr output argument [array content] | semmle.label | taint_a_ptr output argument [array content] |
-| aliasing.cpp:200:21:200:21 | s [post update] [s, m1] | semmle.label | s [post update] [s, m1] |
-| aliasing.cpp:200:23:200:24 | m1 [post update] [m1] | semmle.label | m1 [post update] [m1] |
-| aliasing.cpp:201:13:201:13 | s [s, m1] | semmle.label | s [s, m1] |
 | aliasing.cpp:201:15:201:16 | m1 | semmle.label | m1 |
-| aliasing.cpp:201:15:201:16 | m1 [m1] | semmle.label | m1 [m1] |
-| aliasing.cpp:211:6:211:6 | s [post update] [s, m1] | semmle.label | s [post update] [s, m1] |
-| aliasing.cpp:211:8:211:9 | m1 [post update] [m1] | semmle.label | m1 [post update] [m1] |
-| aliasing.cpp:211:13:211:22 | call to user_input | semmle.label | call to user_input |
-| aliasing.cpp:212:12:212:12 | s [m1] | semmle.label | s [m1] |
-| aliasing.cpp:212:12:212:12 | s [s, m1] | semmle.label | s [s, m1] |
-| aliasing.cpp:213:10:213:11 | m1 | semmle.label | m1 |
-| aliasing.cpp:213:10:213:11 | m1 [m1] | semmle.label | m1 [m1] |
-| aliasing.cpp:225:15:225:22 | taint_a_ptr output argument | semmle.label | taint_a_ptr output argument |
-| aliasing.cpp:225:15:225:22 | taint_a_ptr output argument [array content] | semmle.label | taint_a_ptr output argument [array content] |
-| aliasing.cpp:225:19:225:19 | s [post update] [s, m1] | semmle.label | s [post update] [s, m1] |
-| aliasing.cpp:225:21:225:22 | m1 [post update] [m1] | semmle.label | m1 [post update] [m1] |
-| aliasing.cpp:226:12:226:12 | s [m1] | semmle.label | s [m1] |
-| aliasing.cpp:226:12:226:12 | s [s, m1] | semmle.label | s [s, m1] |
-| aliasing.cpp:227:10:227:11 | m1 | semmle.label | m1 |
-| aliasing.cpp:227:10:227:11 | m1 [m1] | semmle.label | m1 [m1] |
 | arrays.cpp:6:12:6:21 | call to user_input | semmle.label | call to user_input |
 | arrays.cpp:7:8:7:13 | access to array | semmle.label | access to array |
 | arrays.cpp:9:8:9:11 | * ... | semmle.label | * ... |
@@ -461,111 +319,60 @@ nodes
 | by_reference.cpp:68:21:68:30 | call to user_input | semmle.label | call to user_input |
 | by_reference.cpp:69:8:69:20 | call to nonMemberGetA | semmle.label | call to nonMemberGetA |
 | by_reference.cpp:84:3:84:25 | Chi [a] | semmle.label | Chi [a] |
-| by_reference.cpp:84:10:84:10 | a [post update] [a] | semmle.label | a [post update] [a] |
 | by_reference.cpp:84:14:84:23 | call to user_input | semmle.label | call to user_input |
 | by_reference.cpp:88:3:88:24 | Chi [a] | semmle.label | Chi [a] |
-| by_reference.cpp:88:9:88:9 | a [post update] [a] | semmle.label | a [post update] [a] |
 | by_reference.cpp:88:13:88:22 | call to user_input | semmle.label | call to user_input |
 | by_reference.cpp:92:3:92:20 | Chi [array content] | semmle.label | Chi [array content] |
-| by_reference.cpp:92:3:92:20 | ChiTotal [post update] [array content] | semmle.label | ChiTotal [post update] [array content] |
 | by_reference.cpp:92:9:92:18 | call to user_input | semmle.label | call to user_input |
 | by_reference.cpp:96:3:96:19 | Chi [array content] | semmle.label | Chi [array content] |
-| by_reference.cpp:96:3:96:19 | ChiTotal [post update] [array content] | semmle.label | ChiTotal [post update] [array content] |
 | by_reference.cpp:96:8:96:17 | call to user_input | semmle.label | call to user_input |
+| by_reference.cpp:102:21:102:39 | Chi [a] | semmle.label | Chi [a] |
 | by_reference.cpp:102:21:102:39 | taint_inner_a_ptr output argument [a] | semmle.label | taint_inner_a_ptr output argument [a] |
-| by_reference.cpp:102:28:102:39 | inner_nested [post update] [a, a] | semmle.label | inner_nested [post update] [a, a] |
-| by_reference.cpp:104:15:104:22 | taint_a_ptr output argument | semmle.label | taint_a_ptr output argument |
+| by_reference.cpp:104:15:104:22 | Chi | semmle.label | Chi |
+| by_reference.cpp:104:15:104:22 | Chi [a] | semmle.label | Chi [a] |
 | by_reference.cpp:104:15:104:22 | taint_a_ptr output argument [array content] | semmle.label | taint_a_ptr output argument [array content] |
-| by_reference.cpp:104:22:104:22 | a [post update] [a] | semmle.label | a [post update] [a] |
+| by_reference.cpp:106:21:106:41 | Chi [a] | semmle.label | Chi [a] |
 | by_reference.cpp:106:21:106:41 | taint_inner_a_ptr output argument [a] | semmle.label | taint_inner_a_ptr output argument [a] |
-| by_reference.cpp:106:30:106:41 | inner_nested [post update] [a, a] | semmle.label | inner_nested [post update] [a, a] |
-| by_reference.cpp:108:15:108:24 | taint_a_ptr output argument | semmle.label | taint_a_ptr output argument |
+| by_reference.cpp:108:15:108:24 | Chi | semmle.label | Chi |
+| by_reference.cpp:108:15:108:24 | Chi [a] | semmle.label | Chi [a] |
 | by_reference.cpp:108:15:108:24 | taint_a_ptr output argument [array content] | semmle.label | taint_a_ptr output argument [array content] |
-| by_reference.cpp:108:24:108:24 | a [post update] [a] | semmle.label | a [post update] [a] |
-| by_reference.cpp:110:14:110:25 | inner_nested [a, a] | semmle.label | inner_nested [a, a] |
 | by_reference.cpp:110:27:110:27 | a | semmle.label | a |
-| by_reference.cpp:110:27:110:27 | a [a] | semmle.label | a [a] |
 | by_reference.cpp:112:14:112:14 | a | semmle.label | a |
-| by_reference.cpp:112:14:112:14 | a [a] | semmle.label | a [a] |
-| by_reference.cpp:114:16:114:27 | inner_nested [a, a] | semmle.label | inner_nested [a, a] |
 | by_reference.cpp:114:29:114:29 | a | semmle.label | a |
-| by_reference.cpp:114:29:114:29 | a [a] | semmle.label | a [a] |
 | by_reference.cpp:116:16:116:16 | a | semmle.label | a |
-| by_reference.cpp:116:16:116:16 | a [a] | semmle.label | a [a] |
+| by_reference.cpp:122:21:122:38 | Chi [a] | semmle.label | Chi [a] |
 | by_reference.cpp:122:21:122:38 | taint_inner_a_ref output argument [a] | semmle.label | taint_inner_a_ref output argument [a] |
-| by_reference.cpp:122:27:122:38 | inner_nested [post update] [a, a] | semmle.label | inner_nested [post update] [a, a] |
-| by_reference.cpp:124:15:124:21 | taint_a_ref output argument | semmle.label | taint_a_ref output argument |
+| by_reference.cpp:124:15:124:21 | Chi | semmle.label | Chi |
+| by_reference.cpp:124:15:124:21 | Chi [a] | semmle.label | Chi [a] |
 | by_reference.cpp:124:15:124:21 | taint_a_ref output argument [array content] | semmle.label | taint_a_ref output argument [array content] |
-| by_reference.cpp:124:21:124:21 | a [post update] [a] | semmle.label | a [post update] [a] |
+| by_reference.cpp:126:21:126:40 | Chi [a] | semmle.label | Chi [a] |
 | by_reference.cpp:126:21:126:40 | taint_inner_a_ref output argument [a] | semmle.label | taint_inner_a_ref output argument [a] |
-| by_reference.cpp:126:29:126:40 | inner_nested [post update] [a, a] | semmle.label | inner_nested [post update] [a, a] |
-| by_reference.cpp:128:15:128:23 | taint_a_ref output argument | semmle.label | taint_a_ref output argument |
+| by_reference.cpp:128:15:128:23 | Chi | semmle.label | Chi |
+| by_reference.cpp:128:15:128:23 | Chi [a] | semmle.label | Chi [a] |
 | by_reference.cpp:128:15:128:23 | taint_a_ref output argument [array content] | semmle.label | taint_a_ref output argument [array content] |
-| by_reference.cpp:128:23:128:23 | a [post update] [a] | semmle.label | a [post update] [a] |
-| by_reference.cpp:130:14:130:25 | inner_nested [a, a] | semmle.label | inner_nested [a, a] |
 | by_reference.cpp:130:27:130:27 | a | semmle.label | a |
-| by_reference.cpp:130:27:130:27 | a [a] | semmle.label | a [a] |
 | by_reference.cpp:132:14:132:14 | a | semmle.label | a |
-| by_reference.cpp:132:14:132:14 | a [a] | semmle.label | a [a] |
-| by_reference.cpp:134:16:134:27 | inner_nested [a, a] | semmle.label | inner_nested [a, a] |
 | by_reference.cpp:134:29:134:29 | a | semmle.label | a |
-| by_reference.cpp:134:29:134:29 | a [a] | semmle.label | a [a] |
 | by_reference.cpp:136:16:136:16 | a | semmle.label | a |
-| by_reference.cpp:136:16:136:16 | a [a] | semmle.label | a [a] |
-| by_reference.cpp:140:3:140:27 | Chi [array content] | semmle.label | Chi [array content] |
-| by_reference.cpp:140:3:140:27 | ChiTotal [post update] [array content] | semmle.label | ChiTotal [post update] [array content] |
-| by_reference.cpp:140:9:140:27 | (char *)... | semmle.label | (char *)... |
-| by_reference.cpp:140:9:140:27 | (const char *)... | semmle.label | (const char *)... |
-| by_reference.cpp:140:16:140:25 | call to user_input | semmle.label | call to user_input |
-| by_reference.cpp:145:15:145:16 | taint_a_ptr output argument | semmle.label | taint_a_ptr output argument |
-| by_reference.cpp:145:15:145:16 | taint_a_ptr output argument [array content] | semmle.label | taint_a_ptr output argument [array content] |
-| by_reference.cpp:146:8:146:8 | s | semmle.label | s |
 | complex.cpp:40:17:40:17 | *b [a_] | semmle.label | *b [a_] |
 | complex.cpp:40:17:40:17 | *b [b_] | semmle.label | *b [b_] |
-| complex.cpp:40:17:40:17 | *b [f, f, a_] | semmle.label | *b [f, f, a_] |
-| complex.cpp:40:17:40:17 | *b [f, f, b_] | semmle.label | *b [f, f, b_] |
-| complex.cpp:40:17:40:17 | *b [f, f, f, f, a_] | semmle.label | *b [f, f, f, f, a_] |
-| complex.cpp:42:10:42:14 | inner [f, f, a_] | semmle.label | inner [f, f, a_] |
-| complex.cpp:42:10:42:14 | inner [f, f, b_] | semmle.label | inner [f, f, b_] |
-| complex.cpp:42:10:42:14 | inner [f, f, f, f, a_] | semmle.label | inner [f, f, f, f, a_] |
-| complex.cpp:42:10:42:14 | inner [post update] [f, f, b_] | semmle.label | inner [post update] [f, f, b_] |
-| complex.cpp:42:10:42:14 | inner [post update] [f, f, f, f, b_] | semmle.label | inner [post update] [f, f, f, f, b_] |
+| complex.cpp:42:16:42:16 | Chi [b_] | semmle.label | Chi [b_] |
 | complex.cpp:42:16:42:16 | a output argument [b_] | semmle.label | a output argument [b_] |
-| complex.cpp:42:16:42:16 | a output argument [f, f, b_] | semmle.label | a output argument [f, f, b_] |
-| complex.cpp:42:16:42:16 | f [f, a_] | semmle.label | f [f, a_] |
-| complex.cpp:42:16:42:16 | f [f, b_] | semmle.label | f [f, b_] |
-| complex.cpp:42:16:42:16 | f [f, f, f, a_] | semmle.label | f [f, f, f, a_] |
-| complex.cpp:42:16:42:16 | f [post update] [f, b_] | semmle.label | f [post update] [f, b_] |
-| complex.cpp:42:16:42:16 | f [post update] [f, f, f, b_] | semmle.label | f [post update] [f, f, f, b_] |
 | complex.cpp:42:18:42:18 | call to a | semmle.label | call to a |
-| complex.cpp:43:10:43:14 | inner [f, f, b_] | semmle.label | inner [f, f, b_] |
-| complex.cpp:43:10:43:14 | inner [f, f, f, f, b_] | semmle.label | inner [f, f, f, f, b_] |
-| complex.cpp:43:16:43:16 | f [f, b_] | semmle.label | f [f, b_] |
-| complex.cpp:43:16:43:16 | f [f, f, f, b_] | semmle.label | f [f, f, f, b_] |
 | complex.cpp:43:18:43:18 | call to b | semmle.label | call to b |
-| complex.cpp:53:6:53:10 | inner [post update] [f, f, a_] | semmle.label | inner [post update] [f, f, a_] |
-| complex.cpp:53:12:53:12 | f [post update] [f, a_] | semmle.label | f [post update] [f, a_] |
+| complex.cpp:53:12:53:12 | Chi [a_] | semmle.label | Chi [a_] |
 | complex.cpp:53:12:53:12 | setA output argument [a_] | semmle.label | setA output argument [a_] |
 | complex.cpp:53:19:53:28 | call to user_input | semmle.label | call to user_input |
-| complex.cpp:54:6:54:10 | inner [post update] [f, f, b_] | semmle.label | inner [post update] [f, f, b_] |
-| complex.cpp:54:12:54:12 | f [post update] [f, b_] | semmle.label | f [post update] [f, b_] |
+| complex.cpp:54:12:54:12 | Chi [b_] | semmle.label | Chi [b_] |
 | complex.cpp:54:12:54:12 | setB output argument [b_] | semmle.label | setB output argument [b_] |
 | complex.cpp:54:19:54:28 | call to user_input | semmle.label | call to user_input |
-| complex.cpp:55:6:55:10 | inner [post update] [f, f, a_] | semmle.label | inner [post update] [f, f, a_] |
-| complex.cpp:55:12:55:12 | f [post update] [f, a_] | semmle.label | f [post update] [f, a_] |
+| complex.cpp:55:12:55:12 | Chi [a_] | semmle.label | Chi [a_] |
 | complex.cpp:55:12:55:12 | setA output argument [a_] | semmle.label | setA output argument [a_] |
 | complex.cpp:55:19:55:28 | call to user_input | semmle.label | call to user_input |
-| complex.cpp:56:6:56:10 | inner [f, f, a_] | semmle.label | inner [f, f, a_] |
-| complex.cpp:56:6:56:10 | inner [post update] [f, f, a_] | semmle.label | inner [post update] [f, f, a_] |
-| complex.cpp:56:6:56:10 | inner [post update] [f, f, b_] | semmle.label | inner [post update] [f, f, b_] |
-| complex.cpp:56:6:56:10 | inner [post update] [f, f, f, f, a_] | semmle.label | inner [post update] [f, f, f, f, a_] |
-| complex.cpp:56:12:56:12 | f [f, a_] | semmle.label | f [f, a_] |
-| complex.cpp:56:12:56:12 | f [post update] [f, a_] | semmle.label | f [post update] [f, a_] |
-| complex.cpp:56:12:56:12 | f [post update] [f, b_] | semmle.label | f [post update] [f, b_] |
-| complex.cpp:56:12:56:12 | f [post update] [f, f, f, a_] | semmle.label | f [post update] [f, f, f, a_] |
+| complex.cpp:56:12:56:12 | Chi [a_] | semmle.label | Chi [a_] |
+| complex.cpp:56:12:56:12 | Chi [b_] | semmle.label | Chi [b_] |
 | complex.cpp:56:12:56:12 | setB output argument [a_] | semmle.label | setB output argument [a_] |
 | complex.cpp:56:12:56:12 | setB output argument [b_] | semmle.label | setB output argument [b_] |
-| complex.cpp:56:12:56:12 | setB output argument [f, f, a_] | semmle.label | setB output argument [f, f, a_] |
 | complex.cpp:56:19:56:28 | call to user_input | semmle.label | call to user_input |
 | constructors.cpp:26:15:26:15 | *f [a_] | semmle.label | *f [a_] |
 | constructors.cpp:26:15:26:15 | *f [b_] | semmle.label | *f [b_] |
@@ -594,29 +401,25 @@ nodes
 | simple.cpp:42:5:42:5 | setB output argument [a_] | semmle.label | setB output argument [a_] |
 | simple.cpp:42:5:42:5 | setB output argument [b_] | semmle.label | setB output argument [b_] |
 | simple.cpp:42:12:42:21 | call to user_input | semmle.label | call to user_input |
-| simple.cpp:65:7:65:7 | i [post update] [i] | semmle.label | i [post update] [i] |
+| simple.cpp:65:5:65:22 | Store [i] | semmle.label | Store [i] |
 | simple.cpp:65:11:65:20 | call to user_input | semmle.label | call to user_input |
+| simple.cpp:66:12:66:12 | Store [i] | semmle.label | Store [i] |
 | simple.cpp:67:13:67:13 | i | semmle.label | i |
-| simple.cpp:67:13:67:13 | i [i] | semmle.label | i [i] |
-| simple.cpp:83:9:83:10 | f2 [post update] [f1, f1] | semmle.label | f2 [post update] [f1, f1] |
-| simple.cpp:83:12:83:13 | f1 [post update] [f1] | semmle.label | f1 [post update] [f1] |
+| simple.cpp:83:9:83:28 | Chi [f1] | semmle.label | Chi [f1] |
 | simple.cpp:83:17:83:26 | call to user_input | semmle.label | call to user_input |
 | simple.cpp:84:14:84:20 | call to getf2f1 | semmle.label | call to getf2f1 |
-| simple.cpp:92:7:92:7 | i [post update] [i] | semmle.label | i [post update] [i] |
+| simple.cpp:92:5:92:22 | Store [i] | semmle.label | Store [i] |
 | simple.cpp:92:11:92:20 | call to user_input | semmle.label | call to user_input |
+| simple.cpp:93:20:93:20 | Store [i] | semmle.label | Store [i] |
 | simple.cpp:94:13:94:13 | i | semmle.label | i |
-| simple.cpp:94:13:94:13 | i [i] | semmle.label | i [i] |
 | struct_init.c:14:24:14:25 | *ab [a] | semmle.label | *ab [a] |
 | struct_init.c:15:12:15:12 | a | semmle.label | a |
-| struct_init.c:15:12:15:12 | a [a] | semmle.label | a [a] |
-| struct_init.c:20:17:20:36 | a [post update] [a] | semmle.label | a [post update] [a] |
+| struct_init.c:20:20:20:29 | Chi [a] | semmle.label | Chi [a] |
 | struct_init.c:20:20:20:29 | call to user_input | semmle.label | call to user_input |
 | struct_init.c:22:11:22:11 | a | semmle.label | a |
-| struct_init.c:26:23:29:3 | nestedAB [post update] [nestedAB, a] | semmle.label | nestedAB [post update] [nestedAB, a] |
-| struct_init.c:27:5:27:23 | a [post update] [a] | semmle.label | a [post update] [a] |
+| struct_init.c:27:7:27:16 | Chi [a] | semmle.label | Chi [a] |
 | struct_init.c:27:7:27:16 | call to user_input | semmle.label | call to user_input |
 | struct_init.c:31:23:31:23 | a | semmle.label | a |
-| struct_init.c:36:17:36:24 | nestedAB [nestedAB, a] | semmle.label | nestedAB [nestedAB, a] |
 #select
 | A.cpp:56:13:56:15 | call to get | A.cpp:55:12:55:19 | (C *)... | A.cpp:56:13:56:15 | call to get | call to get flows from $@ | A.cpp:55:12:55:19 | (C *)... | (C *)... |
 | A.cpp:56:13:56:15 | call to get | A.cpp:55:12:55:19 | new | A.cpp:56:13:56:15 | call to get | call to get flows from $@ | A.cpp:55:12:55:19 | new | new |
@@ -646,8 +449,6 @@ nodes
 | aliasing.cpp:176:13:176:14 | m1 | aliasing.cpp:106:9:106:18 | call to user_input | aliasing.cpp:176:13:176:14 | m1 | m1 flows from $@ | aliasing.cpp:106:9:106:18 | call to user_input | call to user_input |
 | aliasing.cpp:189:15:189:16 | m1 | aliasing.cpp:106:9:106:18 | call to user_input | aliasing.cpp:189:15:189:16 | m1 | m1 flows from $@ | aliasing.cpp:106:9:106:18 | call to user_input | call to user_input |
 | aliasing.cpp:201:15:201:16 | m1 | aliasing.cpp:106:9:106:18 | call to user_input | aliasing.cpp:201:15:201:16 | m1 | m1 flows from $@ | aliasing.cpp:106:9:106:18 | call to user_input | call to user_input |
-| aliasing.cpp:213:10:213:11 | m1 | aliasing.cpp:211:13:211:22 | call to user_input | aliasing.cpp:213:10:213:11 | m1 | m1 flows from $@ | aliasing.cpp:211:13:211:22 | call to user_input | call to user_input |
-| aliasing.cpp:227:10:227:11 | m1 | aliasing.cpp:106:9:106:18 | call to user_input | aliasing.cpp:227:10:227:11 | m1 | m1 flows from $@ | aliasing.cpp:106:9:106:18 | call to user_input | call to user_input |
 | arrays.cpp:7:8:7:13 | access to array | arrays.cpp:6:12:6:21 | call to user_input | arrays.cpp:7:8:7:13 | access to array | access to array flows from $@ | arrays.cpp:6:12:6:21 | call to user_input | call to user_input |
 | arrays.cpp:9:8:9:11 | * ... | arrays.cpp:6:12:6:21 | call to user_input | arrays.cpp:9:8:9:11 | * ... | * ... flows from $@ | arrays.cpp:6:12:6:21 | call to user_input | call to user_input |
 | arrays.cpp:10:8:10:15 | * ... | arrays.cpp:6:12:6:21 | call to user_input | arrays.cpp:10:8:10:15 | * ... | * ... flows from $@ | arrays.cpp:6:12:6:21 | call to user_input | call to user_input |
@@ -665,9 +466,6 @@ nodes
 | by_reference.cpp:132:14:132:14 | a | by_reference.cpp:96:8:96:17 | call to user_input | by_reference.cpp:132:14:132:14 | a | a flows from $@ | by_reference.cpp:96:8:96:17 | call to user_input | call to user_input |
 | by_reference.cpp:134:29:134:29 | a | by_reference.cpp:88:13:88:22 | call to user_input | by_reference.cpp:134:29:134:29 | a | a flows from $@ | by_reference.cpp:88:13:88:22 | call to user_input | call to user_input |
 | by_reference.cpp:136:16:136:16 | a | by_reference.cpp:96:8:96:17 | call to user_input | by_reference.cpp:136:16:136:16 | a | a flows from $@ | by_reference.cpp:96:8:96:17 | call to user_input | call to user_input |
-| by_reference.cpp:146:8:146:8 | s | by_reference.cpp:140:9:140:27 | (char *)... | by_reference.cpp:146:8:146:8 | s | s flows from $@ | by_reference.cpp:140:9:140:27 | (char *)... | (char *)... |
-| by_reference.cpp:146:8:146:8 | s | by_reference.cpp:140:9:140:27 | (const char *)... | by_reference.cpp:146:8:146:8 | s | s flows from $@ | by_reference.cpp:140:9:140:27 | (const char *)... | (const char *)... |
-| by_reference.cpp:146:8:146:8 | s | by_reference.cpp:140:16:140:25 | call to user_input | by_reference.cpp:146:8:146:8 | s | s flows from $@ | by_reference.cpp:140:16:140:25 | call to user_input | call to user_input |
 | complex.cpp:42:18:42:18 | call to a | complex.cpp:53:19:53:28 | call to user_input | complex.cpp:42:18:42:18 | call to a | call to a flows from $@ | complex.cpp:53:19:53:28 | call to user_input | call to user_input |
 | complex.cpp:42:18:42:18 | call to a | complex.cpp:55:19:55:28 | call to user_input | complex.cpp:42:18:42:18 | call to a | call to a flows from $@ | complex.cpp:55:19:55:28 | call to user_input | call to user_input |
 | complex.cpp:43:18:43:18 | call to b | complex.cpp:54:19:54:28 | call to user_input | complex.cpp:43:18:43:18 | call to b | call to b flows from $@ | complex.cpp:54:19:54:28 | call to user_input | call to user_input |
diff --git a/cpp/ql/test/library-tests/dataflow/fields/partial-definition-diff.expected b/cpp/ql/test/library-tests/dataflow/fields/partial-definition-diff.expected
index d7939750db6..996836a65b4 100644
--- a/cpp/ql/test/library-tests/dataflow/fields/partial-definition-diff.expected
+++ b/cpp/ql/test/library-tests/dataflow/fields/partial-definition-diff.expected
@@ -1,12 +1,12 @@
 | A.cpp:25:13:25:13 | c | AST only |
 | A.cpp:27:28:27:28 | c | AST only |
-| A.cpp:28:29:28:29 | this | IR only |
 | A.cpp:31:20:31:20 | c | AST only |
 | A.cpp:40:5:40:6 | cc | AST only |
 | A.cpp:41:5:41:6 | ct | AST only |
 | A.cpp:42:10:42:12 | & ... | AST only |
 | A.cpp:43:10:43:12 | & ... | AST only |
 | A.cpp:48:20:48:20 | c | AST only |
+| A.cpp:49:10:49:10 | b | AST only |
 | A.cpp:49:13:49:13 | c | AST only |
 | A.cpp:55:5:55:5 | b | AST only |
 | A.cpp:56:10:56:10 | b | AST only |
@@ -14,11 +14,15 @@
 | A.cpp:57:28:57:30 | call to get | AST only |
 | A.cpp:64:10:64:15 | this | AST only |
 | A.cpp:64:17:64:18 | b1 | AST only |
+| A.cpp:65:10:65:11 | b1 | AST only |
 | A.cpp:65:14:65:14 | c | AST only |
+| A.cpp:66:10:66:11 | b2 | AST only |
 | A.cpp:66:14:66:14 | c | AST only |
 | A.cpp:73:10:73:19 | this | AST only |
 | A.cpp:73:21:73:22 | b1 | AST only |
+| A.cpp:74:10:74:11 | b1 | AST only |
 | A.cpp:74:14:74:14 | c | AST only |
+| A.cpp:75:10:75:11 | b2 | AST only |
 | A.cpp:75:14:75:14 | c | AST only |
 | A.cpp:81:10:81:15 | this | AST only |
 | A.cpp:81:17:81:18 | b1 | AST only |
@@ -30,61 +34,85 @@
 | A.cpp:100:9:100:9 | a | AST only |
 | A.cpp:101:5:101:6 | this | AST only |
 | A.cpp:101:8:101:9 | c1 | AST only |
+| A.cpp:107:12:107:13 | c1 | AST only |
 | A.cpp:107:16:107:16 | a | AST only |
+| A.cpp:120:12:120:13 | c1 | AST only |
 | A.cpp:120:16:120:16 | a | AST only |
 | A.cpp:126:5:126:5 | b | AST only |
 | A.cpp:131:5:131:6 | this | AST only |
 | A.cpp:131:8:131:8 | b | AST only |
+| A.cpp:132:10:132:10 | b | AST only |
 | A.cpp:132:13:132:13 | c | AST only |
 | A.cpp:142:10:142:10 | c | AST only |
 | A.cpp:143:13:143:13 | b | AST only |
 | A.cpp:151:18:151:18 | b | AST only |
 | A.cpp:151:21:151:21 | this | AST only |
+| A.cpp:152:10:152:10 | d | AST only |
 | A.cpp:152:13:152:13 | b | AST only |
+| A.cpp:153:10:153:10 | d | AST only |
+| A.cpp:153:13:153:13 | b | AST only |
 | A.cpp:153:16:153:16 | c | AST only |
+| A.cpp:154:10:154:10 | b | AST only |
 | A.cpp:154:13:154:13 | c | AST only |
 | A.cpp:160:29:160:29 | b | AST only |
 | A.cpp:161:38:161:39 | l1 | AST only |
 | A.cpp:162:38:162:39 | l2 | AST only |
+| A.cpp:163:10:163:11 | l3 | AST only |
 | A.cpp:163:14:163:17 | head | AST only |
+| A.cpp:164:10:164:11 | l3 | AST only |
+| A.cpp:164:14:164:17 | next | AST only |
 | A.cpp:164:20:164:23 | head | AST only |
+| A.cpp:165:10:165:11 | l3 | AST only |
+| A.cpp:165:14:165:17 | next | AST only |
+| A.cpp:165:20:165:23 | next | AST only |
 | A.cpp:165:26:165:29 | head | AST only |
+| A.cpp:166:10:166:11 | l3 | AST only |
+| A.cpp:166:14:166:17 | next | AST only |
+| A.cpp:166:20:166:23 | next | AST only |
+| A.cpp:166:26:166:29 | next | AST only |
 | A.cpp:166:32:166:35 | head | AST only |
-| A.cpp:167:47:167:50 | l | IR only |
+| A.cpp:169:12:169:12 | l | AST only |
 | A.cpp:169:15:169:18 | head | AST only |
 | A.cpp:183:7:183:10 | head | AST only |
 | A.cpp:184:13:184:16 | next | AST only |
 | B.cpp:7:25:7:25 | e | AST only |
 | B.cpp:8:25:8:26 | b1 | AST only |
+| B.cpp:9:10:9:11 | b2 | AST only |
+| B.cpp:9:14:9:17 | box1 | AST only |
 | B.cpp:9:20:9:24 | elem1 | AST only |
+| B.cpp:10:10:10:11 | b2 | AST only |
+| B.cpp:10:14:10:17 | box1 | AST only |
 | B.cpp:10:20:10:24 | elem2 | AST only |
 | B.cpp:16:37:16:37 | e | AST only |
 | B.cpp:17:25:17:26 | b1 | AST only |
+| B.cpp:18:10:18:11 | b2 | AST only |
+| B.cpp:18:14:18:17 | box1 | AST only |
 | B.cpp:18:20:18:24 | elem1 | AST only |
+| B.cpp:19:10:19:11 | b2 | AST only |
+| B.cpp:19:14:19:17 | box1 | AST only |
 | B.cpp:19:20:19:24 | elem2 | AST only |
 | B.cpp:35:13:35:17 | elem1 | AST only |
 | B.cpp:36:13:36:17 | elem2 | AST only |
 | B.cpp:46:13:46:16 | box1 | AST only |
 | C.cpp:19:5:19:5 | c | AST only |
 | C.cpp:24:11:24:12 | s3 | AST only |
-| C.cpp:29:10:29:11 | this | IR only |
-| C.cpp:30:10:30:11 | this | IR only |
-| C.cpp:31:10:31:11 | this | IR only |
 | D.cpp:9:21:9:24 | elem | AST only |
-| D.cpp:10:30:10:33 | this | IR only |
 | D.cpp:11:29:11:32 | elem | AST only |
 | D.cpp:16:21:16:23 | box | AST only |
-| D.cpp:17:30:17:32 | this | IR only |
 | D.cpp:18:29:18:31 | box | AST only |
 | D.cpp:22:10:22:11 | b2 | AST only |
 | D.cpp:22:14:22:20 | call to getBox1 | AST only |
 | D.cpp:22:25:22:31 | call to getElem | AST only |
+| D.cpp:30:5:30:5 | b | AST only |
+| D.cpp:30:8:30:10 | box | AST only |
 | D.cpp:30:13:30:16 | elem | AST only |
 | D.cpp:31:14:31:14 | b | AST only |
+| D.cpp:37:5:37:5 | b | AST only |
 | D.cpp:37:8:37:10 | box | AST only |
 | D.cpp:37:21:37:21 | e | AST only |
 | D.cpp:38:14:38:14 | b | AST only |
 | D.cpp:44:5:44:5 | b | AST only |
+| D.cpp:44:8:44:14 | call to getBox1 | AST only |
 | D.cpp:44:19:44:22 | elem | AST only |
 | D.cpp:45:14:45:14 | b | AST only |
 | D.cpp:51:5:51:5 | b | AST only |
@@ -92,14 +120,26 @@
 | D.cpp:51:27:51:27 | e | AST only |
 | D.cpp:52:14:52:14 | b | AST only |
 | D.cpp:57:5:57:12 | boxfield | AST only |
+| D.cpp:58:5:58:12 | boxfield | AST only |
+| D.cpp:58:5:58:12 | this | AST only |
+| D.cpp:58:15:58:17 | box | AST only |
 | D.cpp:58:20:58:23 | elem | AST only |
 | D.cpp:59:5:59:7 | this | AST only |
+| D.cpp:64:10:64:17 | boxfield | AST only |
+| D.cpp:64:10:64:17 | this | AST only |
+| D.cpp:64:20:64:22 | box | AST only |
 | D.cpp:64:25:64:28 | elem | AST only |
+| E.cpp:21:10:21:10 | p | AST only |
+| E.cpp:21:13:21:16 | data | AST only |
 | E.cpp:21:18:21:23 | buffer | AST only |
 | E.cpp:28:21:28:23 | raw | AST only |
+| E.cpp:29:21:29:21 | b | AST only |
 | E.cpp:29:24:29:29 | buffer | AST only |
+| E.cpp:30:21:30:21 | p | AST only |
+| E.cpp:30:23:30:26 | data | AST only |
 | E.cpp:30:28:30:33 | buffer | AST only |
 | E.cpp:31:10:31:12 | raw | AST only |
+| E.cpp:32:10:32:10 | b | AST only |
 | E.cpp:32:13:32:18 | buffer | AST only |
 | E.cpp:33:18:33:19 | & ... | AST only |
 | aliasing.cpp:9:6:9:7 | m1 | AST only |
@@ -107,92 +147,79 @@
 | aliasing.cpp:17:5:17:6 | m1 | AST only |
 | aliasing.cpp:25:17:25:19 | & ... | AST only |
 | aliasing.cpp:26:19:26:20 | s2 | AST only |
-| aliasing.cpp:29:11:29:12 | s1 | IR only |
-| aliasing.cpp:30:11:30:12 | s2 | IR only |
-| aliasing.cpp:31:11:31:12 | s3 | IR only |
 | aliasing.cpp:37:8:37:9 | m1 | AST only |
-| aliasing.cpp:38:11:38:12 | s1 | IR only |
 | aliasing.cpp:42:6:42:7 | m1 | AST only |
-| aliasing.cpp:43:13:43:14 | ref2 | IR only |
 | aliasing.cpp:49:9:49:10 | m1 | AST only |
-| aliasing.cpp:50:11:50:12 | s1 | IR only |
 | aliasing.cpp:54:6:54:7 | m1 | AST only |
-| aliasing.cpp:55:14:55:15 | copy2 | IR only |
 | aliasing.cpp:60:6:60:7 | m1 | AST only |
-| aliasing.cpp:62:14:62:15 | copy2 | IR only |
-| aliasing.cpp:71:11:71:11 | w | IR only |
 | aliasing.cpp:72:5:72:6 | m1 | AST only |
-| aliasing.cpp:73:10:73:10 | w | IR only |
-| aliasing.cpp:73:12:73:13 | s | IR only |
-| aliasing.cpp:78:13:78:13 | w | IR only |
 | aliasing.cpp:79:6:79:7 | m1 | AST only |
-| aliasing.cpp:80:10:80:10 | w | IR only |
-| aliasing.cpp:80:12:80:13 | s | IR only |
-| aliasing.cpp:85:12:85:12 | w | IR only |
 | aliasing.cpp:86:5:86:6 | m1 | AST only |
-| aliasing.cpp:87:10:87:10 | w | IR only |
-| aliasing.cpp:87:12:87:13 | s | IR only |
+| aliasing.cpp:92:3:92:3 | w | AST only |
 | aliasing.cpp:92:7:92:8 | m1 | AST only |
-| aliasing.cpp:93:10:93:10 | w | IR only |
-| aliasing.cpp:93:12:93:13 | s | IR only |
 | aliasing.cpp:98:5:98:6 | m1 | AST only |
-| aliasing.cpp:101:21:101:22 | s_copy | IR only |
 | aliasing.cpp:106:3:106:5 | * ... | AST only |
 | aliasing.cpp:111:15:111:19 | & ... | AST only |
-| aliasing.cpp:112:10:112:11 | s | IR only |
 | aliasing.cpp:121:15:121:16 | xs | AST only |
 | aliasing.cpp:126:15:126:20 | ... - ... | AST only |
 | aliasing.cpp:131:15:131:16 | xs | AST only |
 | aliasing.cpp:136:15:136:17 | + ... | AST only |
+| aliasing.cpp:141:15:141:15 | s | AST only |
 | aliasing.cpp:141:17:141:20 | data | AST only |
-| aliasing.cpp:143:10:143:13 | s | IR only |
 | aliasing.cpp:147:15:147:22 | & ... | AST only |
-| aliasing.cpp:148:13:148:14 | access to array | IR only |
+| aliasing.cpp:158:15:158:15 | s | AST only |
 | aliasing.cpp:158:17:158:20 | data | AST only |
-| aliasing.cpp:159:11:159:14 | s | IR only |
+| aliasing.cpp:164:15:164:15 | s | AST only |
 | aliasing.cpp:164:17:164:20 | data | AST only |
-| aliasing.cpp:165:10:165:13 | s | IR only |
 | aliasing.cpp:175:15:175:22 | & ... | AST only |
-| aliasing.cpp:176:11:176:11 | s2 | IR only |
-| aliasing.cpp:176:13:176:14 | s | IR only |
+| aliasing.cpp:175:16:175:17 | s2 | AST only |
 | aliasing.cpp:181:15:181:22 | & ... | AST only |
-| aliasing.cpp:182:11:182:11 | s2 | IR only |
-| aliasing.cpp:182:13:182:14 | s | IR only |
+| aliasing.cpp:181:16:181:17 | s2 | AST only |
 | aliasing.cpp:187:15:187:22 | & ... | AST only |
-| aliasing.cpp:189:13:189:13 | s2_2 | IR only |
-| aliasing.cpp:189:15:189:16 | s | IR only |
+| aliasing.cpp:187:16:187:17 | s2 | AST only |
 | aliasing.cpp:194:15:194:22 | & ... | AST only |
-| aliasing.cpp:196:13:196:13 | s2_2 | IR only |
-| aliasing.cpp:196:15:196:16 | s | IR only |
+| aliasing.cpp:194:16:194:17 | s2 | AST only |
 | aliasing.cpp:200:15:200:24 | & ... | AST only |
-| aliasing.cpp:201:13:201:13 | ps2 | IR only |
-| aliasing.cpp:201:15:201:16 | s | IR only |
+| aliasing.cpp:200:16:200:18 | ps2 | AST only |
 | aliasing.cpp:205:15:205:24 | & ... | AST only |
-| aliasing.cpp:206:13:206:13 | ps2 | IR only |
-| aliasing.cpp:206:15:206:16 | s | IR only |
-| aliasing.cpp:211:8:211:9 | m1 | AST only |
-| aliasing.cpp:212:12:212:12 | s2 | IR only |
-| aliasing.cpp:213:10:213:11 | s | IR only |
-| aliasing.cpp:218:8:218:9 | m1 | AST only |
-| aliasing.cpp:219:12:219:12 | s2 | IR only |
-| aliasing.cpp:220:10:220:11 | s | IR only |
-| aliasing.cpp:225:15:225:22 | & ... | AST only |
-| aliasing.cpp:226:12:226:12 | s2 | IR only |
-| aliasing.cpp:227:10:227:11 | s | IR only |
-| aliasing.cpp:232:15:232:22 | & ... | AST only |
-| aliasing.cpp:233:12:233:12 | s2 | IR only |
-| aliasing.cpp:234:10:234:11 | s | IR only |
+| aliasing.cpp:205:16:205:18 | ps2 | AST only |
 | arrays.cpp:6:3:6:8 | access to array | AST only |
 | arrays.cpp:6:3:6:23 | arr | IR only |
 | arrays.cpp:15:3:15:10 | * ... | AST only |
+| arrays.cpp:36:3:36:3 | o | AST only |
+| arrays.cpp:36:5:36:10 | nested | AST only |
 | arrays.cpp:36:19:36:22 | data | AST only |
+| arrays.cpp:37:8:37:8 | o | AST only |
+| arrays.cpp:37:8:37:22 | access to array | AST only |
+| arrays.cpp:37:10:37:15 | nested | AST only |
 | arrays.cpp:37:24:37:27 | data | AST only |
+| arrays.cpp:38:8:38:8 | o | AST only |
+| arrays.cpp:38:8:38:22 | access to array | AST only |
+| arrays.cpp:38:10:38:15 | nested | AST only |
 | arrays.cpp:38:24:38:27 | data | AST only |
+| arrays.cpp:42:3:42:3 | o | AST only |
+| arrays.cpp:42:3:42:20 | access to array | AST only |
+| arrays.cpp:42:5:42:12 | indirect | AST only |
 | arrays.cpp:42:22:42:25 | data | AST only |
+| arrays.cpp:43:8:43:8 | o | AST only |
+| arrays.cpp:43:8:43:25 | access to array | AST only |
+| arrays.cpp:43:10:43:17 | indirect | AST only |
 | arrays.cpp:43:27:43:30 | data | AST only |
+| arrays.cpp:44:8:44:8 | o | AST only |
+| arrays.cpp:44:8:44:25 | access to array | AST only |
+| arrays.cpp:44:10:44:17 | indirect | AST only |
 | arrays.cpp:44:27:44:30 | data | AST only |
+| arrays.cpp:48:3:48:3 | o | AST only |
+| arrays.cpp:48:3:48:20 | access to array | AST only |
+| arrays.cpp:48:5:48:12 | indirect | AST only |
 | arrays.cpp:48:22:48:25 | data | AST only |
+| arrays.cpp:49:8:49:8 | o | AST only |
+| arrays.cpp:49:8:49:25 | access to array | AST only |
+| arrays.cpp:49:10:49:17 | indirect | AST only |
 | arrays.cpp:49:27:49:30 | data | AST only |
+| arrays.cpp:50:8:50:8 | o | AST only |
+| arrays.cpp:50:8:50:25 | access to array | AST only |
+| arrays.cpp:50:10:50:17 | indirect | AST only |
 | arrays.cpp:50:27:50:30 | data | AST only |
 | by_reference.cpp:12:8:12:8 | a | AST only |
 | by_reference.cpp:16:11:16:11 | a | AST only |
@@ -200,8 +227,6 @@
 | by_reference.cpp:20:23:20:27 | value | AST only |
 | by_reference.cpp:24:19:24:22 | this | AST only |
 | by_reference.cpp:24:25:24:29 | value | AST only |
-| by_reference.cpp:32:15:32:15 | s | IR only |
-| by_reference.cpp:36:18:36:18 | this | IR only |
 | by_reference.cpp:50:3:50:3 | s | AST only |
 | by_reference.cpp:50:17:50:26 | call to user_input | AST only |
 | by_reference.cpp:51:10:51:20 | call to getDirectly | AST only |
@@ -219,63 +244,87 @@
 | by_reference.cpp:92:3:92:5 | * ... | AST only |
 | by_reference.cpp:96:3:96:4 | pa | AST only |
 | by_reference.cpp:102:21:102:39 | & ... | AST only |
+| by_reference.cpp:103:21:103:25 | outer | AST only |
 | by_reference.cpp:103:27:103:35 | inner_ptr | AST only |
 | by_reference.cpp:104:15:104:22 | & ... | AST only |
 | by_reference.cpp:106:21:106:41 | & ... | AST only |
+| by_reference.cpp:107:21:107:26 | pouter | AST only |
 | by_reference.cpp:107:29:107:37 | inner_ptr | AST only |
 | by_reference.cpp:108:15:108:24 | & ... | AST only |
+| by_reference.cpp:110:8:110:12 | outer | AST only |
+| by_reference.cpp:110:14:110:25 | inner_nested | AST only |
 | by_reference.cpp:110:27:110:27 | a | AST only |
+| by_reference.cpp:111:8:111:12 | outer | AST only |
+| by_reference.cpp:111:14:111:22 | inner_ptr | AST only |
 | by_reference.cpp:111:25:111:25 | a | AST only |
+| by_reference.cpp:112:8:112:12 | outer | AST only |
 | by_reference.cpp:112:14:112:14 | a | AST only |
+| by_reference.cpp:114:8:114:13 | pouter | AST only |
+| by_reference.cpp:114:16:114:27 | inner_nested | AST only |
 | by_reference.cpp:114:29:114:29 | a | AST only |
+| by_reference.cpp:115:8:115:13 | pouter | AST only |
+| by_reference.cpp:115:16:115:24 | inner_ptr | AST only |
 | by_reference.cpp:115:27:115:27 | a | AST only |
+| by_reference.cpp:116:8:116:13 | pouter | AST only |
 | by_reference.cpp:116:16:116:16 | a | AST only |
 | by_reference.cpp:122:27:122:38 | inner_nested | AST only |
 | by_reference.cpp:123:21:123:36 | * ... | AST only |
+| by_reference.cpp:123:22:123:26 | outer | AST only |
 | by_reference.cpp:124:21:124:21 | a | AST only |
 | by_reference.cpp:126:29:126:40 | inner_nested | AST only |
 | by_reference.cpp:127:21:127:38 | * ... | AST only |
+| by_reference.cpp:127:22:127:27 | pouter | AST only |
 | by_reference.cpp:128:23:128:23 | a | AST only |
+| by_reference.cpp:130:8:130:12 | outer | AST only |
+| by_reference.cpp:130:14:130:25 | inner_nested | AST only |
 | by_reference.cpp:130:27:130:27 | a | AST only |
+| by_reference.cpp:131:8:131:12 | outer | AST only |
+| by_reference.cpp:131:14:131:22 | inner_ptr | AST only |
 | by_reference.cpp:131:25:131:25 | a | AST only |
+| by_reference.cpp:132:8:132:12 | outer | AST only |
 | by_reference.cpp:132:14:132:14 | a | AST only |
+| by_reference.cpp:134:8:134:13 | pouter | AST only |
+| by_reference.cpp:134:16:134:27 | inner_nested | AST only |
 | by_reference.cpp:134:29:134:29 | a | AST only |
+| by_reference.cpp:135:8:135:13 | pouter | AST only |
+| by_reference.cpp:135:16:135:24 | inner_ptr | AST only |
 | by_reference.cpp:135:27:135:27 | a | AST only |
+| by_reference.cpp:136:8:136:13 | pouter | AST only |
 | by_reference.cpp:136:16:136:16 | a | AST only |
-| by_reference.cpp:140:3:140:5 | * ... | AST only |
-| by_reference.cpp:145:15:145:16 | & ... | AST only |
-| complex.cpp:9:20:9:21 | this | IR only |
-| complex.cpp:10:20:10:21 | this | IR only |
 | complex.cpp:11:22:11:23 | a_ | AST only |
 | complex.cpp:12:22:12:23 | b_ | AST only |
+| complex.cpp:42:8:42:8 | b | AST only |
 | complex.cpp:42:16:42:16 | f | AST only |
+| complex.cpp:43:8:43:8 | b | AST only |
 | complex.cpp:43:16:43:16 | f | AST only |
+| complex.cpp:53:3:53:4 | b1 | AST only |
 | complex.cpp:53:12:53:12 | f | AST only |
+| complex.cpp:54:3:54:4 | b2 | AST only |
 | complex.cpp:54:12:54:12 | f | AST only |
+| complex.cpp:55:3:55:4 | b3 | AST only |
 | complex.cpp:55:12:55:12 | f | AST only |
+| complex.cpp:56:3:56:4 | b3 | AST only |
 | complex.cpp:56:12:56:12 | f | AST only |
 | complex.cpp:59:7:59:8 | b1 | AST only |
 | complex.cpp:62:7:62:8 | b2 | AST only |
 | complex.cpp:65:7:65:8 | b3 | AST only |
 | complex.cpp:68:7:68:8 | b4 | AST only |
 | conflated.cpp:10:3:10:7 | * ... | AST only |
-| conflated.cpp:11:12:11:12 | ra | IR only |
+| conflated.cpp:10:4:10:5 | ra | AST only |
 | conflated.cpp:19:19:19:21 | raw | AST only |
 | conflated.cpp:20:8:20:10 | raw | AST only |
+| conflated.cpp:29:3:29:4 | pa | AST only |
 | conflated.cpp:29:7:29:7 | x | AST only |
-| conflated.cpp:30:12:30:12 | pa | IR only |
+| conflated.cpp:36:3:36:4 | pa | AST only |
 | conflated.cpp:36:7:36:7 | x | AST only |
-| conflated.cpp:37:12:37:12 | pa | IR only |
 | conflated.cpp:53:7:53:10 | next | AST only |
+| conflated.cpp:54:3:54:4 | ll | AST only |
+| conflated.cpp:54:7:54:10 | next | AST only |
 | conflated.cpp:54:13:54:13 | y | AST only |
-| conflated.cpp:55:12:55:15 | ll | IR only |
-| conflated.cpp:55:18:55:18 | next | IR only |
 | conflated.cpp:59:35:59:38 | next | AST only |
+| conflated.cpp:60:3:60:4 | ll | AST only |
+| conflated.cpp:60:7:60:10 | next | AST only |
 | conflated.cpp:60:13:60:13 | y | AST only |
-| conflated.cpp:61:12:61:15 | ll | IR only |
-| conflated.cpp:61:18:61:18 | next | IR only |
-| constructors.cpp:18:22:18:23 | this | IR only |
-| constructors.cpp:19:22:19:23 | this | IR only |
 | constructors.cpp:20:24:20:25 | a_ | AST only |
 | constructors.cpp:21:24:21:25 | b_ | AST only |
 | constructors.cpp:28:10:28:10 | f | AST only |
@@ -287,55 +336,68 @@
 | qualifiers.cpp:9:36:9:36 | a | AST only |
 | qualifiers.cpp:12:56:12:56 | a | AST only |
 | qualifiers.cpp:13:57:13:57 | a | AST only |
-| qualifiers.cpp:18:32:18:36 | this | IR only |
 | qualifiers.cpp:22:5:22:9 | outer | AST only |
+| qualifiers.cpp:22:11:22:18 | call to getInner | AST only |
 | qualifiers.cpp:22:23:22:23 | a | AST only |
+| qualifiers.cpp:23:10:23:14 | outer | AST only |
+| qualifiers.cpp:23:16:23:20 | inner | AST only |
 | qualifiers.cpp:23:23:23:23 | a | AST only |
 | qualifiers.cpp:27:5:27:9 | outer | AST only |
 | qualifiers.cpp:27:11:27:18 | call to getInner | AST only |
 | qualifiers.cpp:27:28:27:37 | call to user_input | AST only |
+| qualifiers.cpp:28:10:28:14 | outer | AST only |
+| qualifiers.cpp:28:16:28:20 | inner | AST only |
 | qualifiers.cpp:28:23:28:23 | a | AST only |
 | qualifiers.cpp:32:17:32:21 | outer | AST only |
 | qualifiers.cpp:32:23:32:30 | call to getInner | AST only |
 | qualifiers.cpp:32:35:32:44 | call to user_input | AST only |
+| qualifiers.cpp:33:10:33:14 | outer | AST only |
+| qualifiers.cpp:33:16:33:20 | inner | AST only |
 | qualifiers.cpp:33:23:33:23 | a | AST only |
 | qualifiers.cpp:37:19:37:35 | * ... | AST only |
 | qualifiers.cpp:37:20:37:24 | outer | AST only |
 | qualifiers.cpp:37:38:37:47 | call to user_input | AST only |
+| qualifiers.cpp:38:10:38:14 | outer | AST only |
+| qualifiers.cpp:38:16:38:20 | inner | AST only |
 | qualifiers.cpp:38:23:38:23 | a | AST only |
+| qualifiers.cpp:42:6:42:22 | * ... | AST only |
 | qualifiers.cpp:42:7:42:11 | outer | AST only |
 | qualifiers.cpp:42:25:42:25 | a | AST only |
+| qualifiers.cpp:43:10:43:14 | outer | AST only |
+| qualifiers.cpp:43:16:43:20 | inner | AST only |
 | qualifiers.cpp:43:23:43:23 | a | AST only |
 | qualifiers.cpp:47:6:47:11 | & ... | AST only |
+| qualifiers.cpp:47:15:47:22 | call to getInner | AST only |
 | qualifiers.cpp:47:27:47:27 | a | AST only |
+| qualifiers.cpp:48:10:48:14 | outer | AST only |
+| qualifiers.cpp:48:16:48:20 | inner | AST only |
 | qualifiers.cpp:48:23:48:23 | a | AST only |
 | realistic.cpp:26:5:26:10 | offset | AST only |
 | realistic.cpp:42:20:42:20 | o | AST only |
+| realistic.cpp:49:9:49:11 | foo | AST only |
 | realistic.cpp:49:20:49:22 | baz | AST only |
+| realistic.cpp:53:9:53:11 | foo | AST only |
+| realistic.cpp:53:9:53:18 | access to array | AST only |
+| realistic.cpp:53:20:53:22 | baz | AST only |
+| realistic.cpp:53:25:53:33 | userInput | AST only |
 | realistic.cpp:53:35:53:43 | bufferLen | AST only |
+| realistic.cpp:54:16:54:18 | foo | AST only |
+| realistic.cpp:54:16:54:25 | access to array | AST only |
+| realistic.cpp:54:27:54:29 | baz | AST only |
+| realistic.cpp:54:32:54:40 | userInput | AST only |
 | realistic.cpp:54:42:54:47 | buffer | AST only |
-| realistic.cpp:55:16:55:18 | foo | IR only |
-| realistic.cpp:55:23:55:25 | access to array | IR only |
-| realistic.cpp:55:28:55:36 | baz | IR only |
-| realistic.cpp:55:38:55:46 | userInput | IR only |
-| realistic.cpp:57:92:57:94 | foo | IR only |
-| realistic.cpp:57:99:57:101 | access to array | IR only |
-| realistic.cpp:57:104:57:112 | baz | IR only |
-| realistic.cpp:57:114:57:122 | userInput | IR only |
 | realistic.cpp:60:16:60:18 | dst | AST only |
-| realistic.cpp:60:25:60:27 | foo | IR only |
-| realistic.cpp:60:32:60:34 | access to array | IR only |
-| realistic.cpp:60:37:60:45 | baz | IR only |
-| realistic.cpp:60:47:60:52 | userInput | IR only |
-| realistic.cpp:60:59:60:61 | foo | IR only |
-| realistic.cpp:60:66:60:68 | access to array | IR only |
-| realistic.cpp:60:71:60:79 | baz | IR only |
-| realistic.cpp:60:81:60:89 | userInput | IR only |
+| realistic.cpp:61:21:61:23 | foo | AST only |
+| realistic.cpp:61:21:61:30 | access to array | AST only |
+| realistic.cpp:61:32:61:34 | baz | AST only |
+| realistic.cpp:61:37:61:45 | userInput | AST only |
 | realistic.cpp:61:47:61:55 | bufferLen | AST only |
+| realistic.cpp:65:21:65:23 | foo | AST only |
+| realistic.cpp:65:21:65:30 | access to array | AST only |
+| realistic.cpp:65:32:65:34 | baz | AST only |
+| realistic.cpp:65:37:65:45 | userInput | AST only |
 | realistic.cpp:65:47:65:52 | buffer | AST only |
 | realistic.cpp:66:21:66:23 | dst | AST only |
-| simple.cpp:18:22:18:23 | this | IR only |
-| simple.cpp:19:22:19:23 | this | IR only |
 | simple.cpp:20:24:20:25 | a_ | AST only |
 | simple.cpp:21:24:21:25 | b_ | AST only |
 | simple.cpp:28:10:28:10 | f | AST only |
@@ -349,24 +411,31 @@
 | simple.cpp:51:9:51:9 | h | AST only |
 | simple.cpp:54:9:54:9 | i | AST only |
 | simple.cpp:65:7:65:7 | i | AST only |
-| simple.cpp:67:13:67:13 | a2 | IR only |
-| simple.cpp:79:16:79:17 | this | IR only |
-| simple.cpp:79:19:79:20 | f2 | IR only |
+| simple.cpp:83:9:83:10 | this | AST only |
 | simple.cpp:83:12:83:13 | f1 | AST only |
 | simple.cpp:84:14:84:20 | this | AST only |
 | simple.cpp:92:7:92:7 | i | AST only |
-| simple.cpp:94:13:94:13 | a2 | IR only |
-| simple.cpp:104:9:104:9 | i | AST only |
-| simple.cpp:106:13:106:13 | b2 | IR only |
-| simple.cpp:106:15:106:15 | a | IR only |
+| struct_init.c:15:8:15:9 | ab | AST only |
 | struct_init.c:15:12:15:12 | a | AST only |
+| struct_init.c:16:8:16:9 | ab | AST only |
 | struct_init.c:16:12:16:12 | b | AST only |
+| struct_init.c:22:8:22:9 | ab | AST only |
 | struct_init.c:22:11:22:11 | a | AST only |
+| struct_init.c:23:8:23:9 | ab | AST only |
 | struct_init.c:23:11:23:11 | b | AST only |
 | struct_init.c:24:10:24:12 | & ... | AST only |
+| struct_init.c:31:8:31:12 | outer | AST only |
+| struct_init.c:31:14:31:21 | nestedAB | AST only |
 | struct_init.c:31:23:31:23 | a | AST only |
+| struct_init.c:32:8:32:12 | outer | AST only |
+| struct_init.c:32:14:32:21 | nestedAB | AST only |
 | struct_init.c:32:23:32:23 | b | AST only |
+| struct_init.c:33:8:33:12 | outer | AST only |
+| struct_init.c:33:14:33:22 | pointerAB | AST only |
 | struct_init.c:33:25:33:25 | a | AST only |
+| struct_init.c:34:8:34:12 | outer | AST only |
+| struct_init.c:34:14:34:22 | pointerAB | AST only |
 | struct_init.c:34:25:34:25 | b | AST only |
 | struct_init.c:36:10:36:24 | & ... | AST only |
+| struct_init.c:46:10:46:14 | outer | AST only |
 | struct_init.c:46:16:46:24 | pointerAB | AST only |
diff --git a/cpp/ql/test/library-tests/dataflow/fields/partial-definition-ir.expected b/cpp/ql/test/library-tests/dataflow/fields/partial-definition-ir.expected
index 437a36cc2ba..294c46a5694 100644
--- a/cpp/ql/test/library-tests/dataflow/fields/partial-definition-ir.expected
+++ b/cpp/ql/test/library-tests/dataflow/fields/partial-definition-ir.expected
@@ -1,338 +1,72 @@
 | A.cpp:25:7:25:10 | this |
 | A.cpp:27:22:27:25 | this |
-| A.cpp:28:23:28:26 | this |
-| A.cpp:49:10:49:10 | b |
-| A.cpp:65:10:65:11 | b1 |
-| A.cpp:66:10:66:11 | b2 |
-| A.cpp:74:10:74:11 | b1 |
-| A.cpp:75:10:75:11 | b2 |
 | A.cpp:100:5:100:6 | c1 |
-| A.cpp:107:12:107:13 | c1 |
-| A.cpp:120:12:120:13 | c1 |
-| A.cpp:132:10:132:10 | b |
 | A.cpp:142:7:142:7 | b |
 | A.cpp:143:7:143:10 | this |
-| A.cpp:152:10:152:10 | d |
-| A.cpp:153:10:153:10 | d |
-| A.cpp:153:13:153:13 | b |
-| A.cpp:154:10:154:10 | b |
-| A.cpp:163:10:163:11 | l3 |
-| A.cpp:164:10:164:11 | l3 |
-| A.cpp:164:14:164:17 | next |
-| A.cpp:165:10:165:11 | l3 |
-| A.cpp:165:14:165:17 | next |
-| A.cpp:165:20:165:23 | next |
-| A.cpp:166:10:166:11 | l3 |
-| A.cpp:166:14:166:17 | next |
-| A.cpp:166:20:166:23 | next |
-| A.cpp:166:26:166:29 | next |
-| A.cpp:167:44:167:44 | l |
-| A.cpp:169:12:169:12 | l |
 | A.cpp:183:7:183:10 | this |
 | A.cpp:184:7:184:10 | this |
-| B.cpp:9:10:9:11 | b2 |
-| B.cpp:9:14:9:17 | box1 |
-| B.cpp:10:10:10:11 | b2 |
-| B.cpp:10:14:10:17 | box1 |
-| B.cpp:18:10:18:11 | b2 |
-| B.cpp:18:14:18:17 | box1 |
-| B.cpp:19:10:19:11 | b2 |
-| B.cpp:19:14:19:17 | box1 |
 | B.cpp:35:7:35:10 | this |
 | B.cpp:36:7:36:10 | this |
 | B.cpp:46:7:46:10 | this |
 | C.cpp:24:5:24:8 | this |
-| C.cpp:29:10:29:11 | this |
-| C.cpp:30:10:30:11 | this |
-| C.cpp:31:10:31:11 | this |
 | D.cpp:9:21:9:24 | this |
-| D.cpp:10:30:10:33 | this |
 | D.cpp:11:29:11:32 | this |
 | D.cpp:16:21:16:23 | this |
-| D.cpp:17:30:17:32 | this |
 | D.cpp:18:29:18:31 | this |
-| D.cpp:30:5:30:5 | b |
-| D.cpp:30:8:30:10 | box |
-| D.cpp:37:5:37:5 | b |
-| D.cpp:44:8:44:14 | call to getBox1 |
 | D.cpp:57:5:57:12 | this |
-| D.cpp:58:5:58:12 | boxfield |
-| D.cpp:58:5:58:12 | this |
-| D.cpp:58:15:58:17 | box |
-| D.cpp:64:10:64:17 | boxfield |
-| D.cpp:64:10:64:17 | this |
-| D.cpp:64:20:64:22 | box |
-| E.cpp:21:10:21:10 | p |
-| E.cpp:21:13:21:16 | data |
-| E.cpp:29:21:29:21 | b |
-| E.cpp:30:21:30:21 | p |
-| E.cpp:30:23:30:26 | data |
-| E.cpp:32:10:32:10 | b |
 | aliasing.cpp:9:3:9:3 | s |
 | aliasing.cpp:13:3:13:3 | s |
 | aliasing.cpp:17:3:17:3 | s |
-| aliasing.cpp:29:8:29:9 | s1 |
-| aliasing.cpp:30:8:30:9 | s2 |
-| aliasing.cpp:31:8:31:9 | s3 |
 | aliasing.cpp:37:3:37:6 | ref1 |
-| aliasing.cpp:38:8:38:9 | s1 |
 | aliasing.cpp:42:3:42:4 | s2 |
-| aliasing.cpp:43:8:43:11 | ref2 |
 | aliasing.cpp:49:3:49:7 | copy1 |
-| aliasing.cpp:50:8:50:9 | s1 |
 | aliasing.cpp:54:3:54:4 | s2 |
-| aliasing.cpp:55:8:55:12 | copy2 |
 | aliasing.cpp:60:3:60:4 | s2 |
-| aliasing.cpp:62:8:62:12 | copy2 |
-| aliasing.cpp:71:9:71:9 | w |
 | aliasing.cpp:72:3:72:3 | s |
-| aliasing.cpp:73:8:73:8 | w |
-| aliasing.cpp:73:10:73:10 | s |
-| aliasing.cpp:78:11:78:11 | w |
 | aliasing.cpp:79:3:79:3 | s |
-| aliasing.cpp:80:8:80:8 | w |
-| aliasing.cpp:80:10:80:10 | s |
-| aliasing.cpp:85:10:85:10 | w |
 | aliasing.cpp:86:3:86:3 | s |
-| aliasing.cpp:87:8:87:8 | w |
-| aliasing.cpp:87:10:87:10 | s |
-| aliasing.cpp:92:3:92:3 | w |
 | aliasing.cpp:92:5:92:5 | s |
-| aliasing.cpp:93:8:93:8 | w |
-| aliasing.cpp:93:10:93:10 | s |
 | aliasing.cpp:98:3:98:3 | s |
-| aliasing.cpp:101:14:101:19 | s_copy |
 | aliasing.cpp:111:16:111:16 | s |
-| aliasing.cpp:112:8:112:8 | s |
-| aliasing.cpp:141:15:141:15 | s |
-| aliasing.cpp:143:8:143:8 | s |
 | aliasing.cpp:147:16:147:19 | access to array |
-| aliasing.cpp:148:8:148:11 | access to array |
-| aliasing.cpp:158:15:158:15 | s |
-| aliasing.cpp:159:9:159:9 | s |
-| aliasing.cpp:164:15:164:15 | s |
-| aliasing.cpp:165:8:165:8 | s |
-| aliasing.cpp:175:16:175:17 | s2 |
 | aliasing.cpp:175:19:175:19 | s |
-| aliasing.cpp:176:8:176:9 | s2 |
-| aliasing.cpp:176:11:176:11 | s |
-| aliasing.cpp:181:16:181:17 | s2 |
 | aliasing.cpp:181:19:181:19 | s |
-| aliasing.cpp:182:8:182:9 | s2 |
-| aliasing.cpp:182:11:182:11 | s |
-| aliasing.cpp:187:16:187:17 | s2 |
 | aliasing.cpp:187:19:187:19 | s |
-| aliasing.cpp:189:8:189:11 | s2_2 |
-| aliasing.cpp:189:13:189:13 | s |
-| aliasing.cpp:194:16:194:17 | s2 |
 | aliasing.cpp:194:19:194:19 | s |
-| aliasing.cpp:196:8:196:11 | s2_2 |
-| aliasing.cpp:196:13:196:13 | s |
-| aliasing.cpp:200:16:200:18 | ps2 |
 | aliasing.cpp:200:21:200:21 | s |
-| aliasing.cpp:201:8:201:10 | ps2 |
-| aliasing.cpp:201:13:201:13 | s |
-| aliasing.cpp:205:16:205:18 | ps2 |
 | aliasing.cpp:205:21:205:21 | s |
-| aliasing.cpp:206:8:206:10 | ps2 |
-| aliasing.cpp:206:13:206:13 | s |
-| aliasing.cpp:211:3:211:4 | s2 |
-| aliasing.cpp:211:6:211:6 | s |
-| aliasing.cpp:212:9:212:10 | s2 |
-| aliasing.cpp:213:8:213:8 | s |
-| aliasing.cpp:218:3:218:4 | s2 |
-| aliasing.cpp:218:6:218:6 | s |
-| aliasing.cpp:219:9:219:10 | s2 |
-| aliasing.cpp:220:8:220:8 | s |
-| aliasing.cpp:225:16:225:17 | s2 |
-| aliasing.cpp:225:19:225:19 | s |
-| aliasing.cpp:226:9:226:10 | s2 |
-| aliasing.cpp:227:8:227:8 | s |
-| aliasing.cpp:232:16:232:17 | s2 |
-| aliasing.cpp:232:19:232:19 | s |
-| aliasing.cpp:233:9:233:10 | s2 |
-| aliasing.cpp:234:8:234:8 | s |
 | arrays.cpp:6:3:6:5 | arr |
-| arrays.cpp:36:3:36:3 | o |
 | arrays.cpp:36:3:36:17 | access to array |
-| arrays.cpp:36:5:36:10 | nested |
-| arrays.cpp:37:8:37:8 | o |
-| arrays.cpp:37:8:37:22 | access to array |
-| arrays.cpp:37:10:37:15 | nested |
-| arrays.cpp:38:8:38:8 | o |
-| arrays.cpp:38:8:38:22 | access to array |
-| arrays.cpp:38:10:38:15 | nested |
-| arrays.cpp:42:3:42:3 | o |
-| arrays.cpp:42:3:42:20 | access to array |
-| arrays.cpp:42:5:42:12 | indirect |
-| arrays.cpp:43:8:43:8 | o |
-| arrays.cpp:43:8:43:25 | access to array |
-| arrays.cpp:43:10:43:17 | indirect |
-| arrays.cpp:44:8:44:8 | o |
-| arrays.cpp:44:8:44:25 | access to array |
-| arrays.cpp:44:10:44:17 | indirect |
-| arrays.cpp:48:3:48:3 | o |
-| arrays.cpp:48:3:48:20 | access to array |
-| arrays.cpp:48:5:48:12 | indirect |
-| arrays.cpp:49:8:49:8 | o |
-| arrays.cpp:49:8:49:25 | access to array |
-| arrays.cpp:49:10:49:17 | indirect |
-| arrays.cpp:50:8:50:8 | o |
-| arrays.cpp:50:8:50:25 | access to array |
-| arrays.cpp:50:10:50:17 | indirect |
 | by_reference.cpp:12:5:12:5 | s |
 | by_reference.cpp:16:5:16:8 | this |
-| by_reference.cpp:32:12:32:12 | s |
-| by_reference.cpp:36:12:36:15 | this |
 | by_reference.cpp:84:3:84:7 | inner |
 | by_reference.cpp:88:3:88:7 | inner |
 | by_reference.cpp:102:22:102:26 | outer |
-| by_reference.cpp:103:21:103:25 | outer |
 | by_reference.cpp:104:16:104:20 | outer |
 | by_reference.cpp:106:22:106:27 | pouter |
-| by_reference.cpp:107:21:107:26 | pouter |
 | by_reference.cpp:108:16:108:21 | pouter |
-| by_reference.cpp:110:8:110:12 | outer |
-| by_reference.cpp:110:14:110:25 | inner_nested |
-| by_reference.cpp:111:8:111:12 | outer |
-| by_reference.cpp:111:14:111:22 | inner_ptr |
-| by_reference.cpp:112:8:112:12 | outer |
-| by_reference.cpp:114:8:114:13 | pouter |
-| by_reference.cpp:114:16:114:27 | inner_nested |
-| by_reference.cpp:115:8:115:13 | pouter |
-| by_reference.cpp:115:16:115:24 | inner_ptr |
-| by_reference.cpp:116:8:116:13 | pouter |
 | by_reference.cpp:122:21:122:25 | outer |
-| by_reference.cpp:123:22:123:26 | outer |
 | by_reference.cpp:124:15:124:19 | outer |
 | by_reference.cpp:126:21:126:26 | pouter |
-| by_reference.cpp:127:22:127:27 | pouter |
 | by_reference.cpp:128:15:128:20 | pouter |
-| by_reference.cpp:130:8:130:12 | outer |
-| by_reference.cpp:130:14:130:25 | inner_nested |
-| by_reference.cpp:131:8:131:12 | outer |
-| by_reference.cpp:131:14:131:22 | inner_ptr |
-| by_reference.cpp:132:8:132:12 | outer |
-| by_reference.cpp:134:8:134:13 | pouter |
-| by_reference.cpp:134:16:134:27 | inner_nested |
-| by_reference.cpp:135:8:135:13 | pouter |
-| by_reference.cpp:135:16:135:24 | inner_ptr |
-| by_reference.cpp:136:8:136:13 | pouter |
-| complex.cpp:9:20:9:21 | this |
-| complex.cpp:10:20:10:21 | this |
 | complex.cpp:11:22:11:23 | this |
 | complex.cpp:12:22:12:23 | this |
-| complex.cpp:42:8:42:8 | b |
 | complex.cpp:42:10:42:14 | inner |
-| complex.cpp:43:8:43:8 | b |
 | complex.cpp:43:10:43:14 | inner |
-| complex.cpp:53:3:53:4 | b1 |
 | complex.cpp:53:6:53:10 | inner |
-| complex.cpp:54:3:54:4 | b2 |
 | complex.cpp:54:6:54:10 | inner |
-| complex.cpp:55:3:55:4 | b3 |
 | complex.cpp:55:6:55:10 | inner |
-| complex.cpp:56:3:56:4 | b3 |
 | complex.cpp:56:6:56:10 | inner |
-| conflated.cpp:10:4:10:5 | ra |
-| conflated.cpp:11:9:11:10 | ra |
-| conflated.cpp:29:3:29:4 | pa |
-| conflated.cpp:30:8:30:9 | pa |
-| conflated.cpp:36:3:36:4 | pa |
-| conflated.cpp:37:8:37:9 | pa |
 | conflated.cpp:53:3:53:4 | ll |
-| conflated.cpp:54:3:54:4 | ll |
-| conflated.cpp:54:7:54:10 | next |
-| conflated.cpp:55:8:55:9 | ll |
-| conflated.cpp:55:12:55:15 | next |
-| conflated.cpp:60:3:60:4 | ll |
-| conflated.cpp:60:7:60:10 | next |
-| conflated.cpp:61:8:61:9 | ll |
-| conflated.cpp:61:12:61:15 | next |
-| constructors.cpp:18:22:18:23 | this |
-| constructors.cpp:19:22:19:23 | this |
 | constructors.cpp:20:24:20:25 | this |
 | constructors.cpp:21:24:21:25 | this |
 | qualifiers.cpp:9:30:9:33 | this |
 | qualifiers.cpp:12:49:12:53 | inner |
 | qualifiers.cpp:13:51:13:55 | inner |
-| qualifiers.cpp:18:32:18:36 | this |
-| qualifiers.cpp:22:11:22:18 | call to getInner |
-| qualifiers.cpp:23:10:23:14 | outer |
-| qualifiers.cpp:23:16:23:20 | inner |
-| qualifiers.cpp:28:10:28:14 | outer |
-| qualifiers.cpp:28:16:28:20 | inner |
-| qualifiers.cpp:33:10:33:14 | outer |
-| qualifiers.cpp:33:16:33:20 | inner |
-| qualifiers.cpp:38:10:38:14 | outer |
-| qualifiers.cpp:38:16:38:20 | inner |
-| qualifiers.cpp:42:6:42:22 | * ... |
-| qualifiers.cpp:43:10:43:14 | outer |
-| qualifiers.cpp:43:16:43:20 | inner |
-| qualifiers.cpp:47:15:47:22 | call to getInner |
-| qualifiers.cpp:48:10:48:14 | outer |
-| qualifiers.cpp:48:16:48:20 | inner |
-| realistic.cpp:49:9:49:11 | foo |
 | realistic.cpp:49:9:49:18 | access to array |
-| realistic.cpp:53:9:53:11 | foo |
-| realistic.cpp:53:9:53:18 | access to array |
-| realistic.cpp:53:20:53:22 | baz |
-| realistic.cpp:53:25:53:33 | userInput |
-| realistic.cpp:54:16:54:18 | foo |
-| realistic.cpp:54:16:54:25 | access to array |
-| realistic.cpp:54:27:54:29 | baz |
-| realistic.cpp:54:32:54:40 | userInput |
-| realistic.cpp:55:12:55:14 | foo |
-| realistic.cpp:55:12:55:21 | access to array |
-| realistic.cpp:55:23:55:25 | baz |
-| realistic.cpp:55:28:55:36 | userInput |
-| realistic.cpp:57:88:57:90 | foo |
-| realistic.cpp:57:88:57:97 | access to array |
-| realistic.cpp:57:99:57:101 | baz |
-| realistic.cpp:57:104:57:112 | userInput |
-| realistic.cpp:60:21:60:23 | foo |
-| realistic.cpp:60:21:60:30 | access to array |
-| realistic.cpp:60:32:60:34 | baz |
-| realistic.cpp:60:37:60:45 | userInput |
-| realistic.cpp:60:55:60:57 | foo |
-| realistic.cpp:60:55:60:64 | access to array |
-| realistic.cpp:60:66:60:68 | baz |
-| realistic.cpp:60:71:60:79 | userInput |
-| realistic.cpp:61:21:61:23 | foo |
-| realistic.cpp:61:21:61:30 | access to array |
-| realistic.cpp:61:32:61:34 | baz |
-| realistic.cpp:61:37:61:45 | userInput |
-| realistic.cpp:65:21:65:23 | foo |
-| realistic.cpp:65:21:65:30 | access to array |
-| realistic.cpp:65:32:65:34 | baz |
-| realistic.cpp:65:37:65:45 | userInput |
-| simple.cpp:18:22:18:23 | this |
-| simple.cpp:19:22:19:23 | this |
 | simple.cpp:20:24:20:25 | this |
 | simple.cpp:21:24:21:25 | this |
 | simple.cpp:65:5:65:5 | a |
-| simple.cpp:67:10:67:11 | a2 |
-| simple.cpp:79:16:79:17 | f2 |
-| simple.cpp:79:16:79:17 | this |
 | simple.cpp:83:9:83:10 | f2 |
-| simple.cpp:83:9:83:10 | this |
 | simple.cpp:92:5:92:5 | a |
-| simple.cpp:94:10:94:11 | a2 |
-| simple.cpp:104:5:104:5 | b |
-| simple.cpp:104:7:104:7 | a |
-| simple.cpp:106:10:106:11 | b2 |
-| simple.cpp:106:13:106:13 | a |
-| struct_init.c:15:8:15:9 | ab |
-| struct_init.c:16:8:16:9 | ab |
-| struct_init.c:22:8:22:9 | ab |
-| struct_init.c:23:8:23:9 | ab |
-| struct_init.c:31:8:31:12 | outer |
-| struct_init.c:31:14:31:21 | nestedAB |
-| struct_init.c:32:8:32:12 | outer |
-| struct_init.c:32:14:32:21 | nestedAB |
-| struct_init.c:33:8:33:12 | outer |
-| struct_init.c:33:14:33:22 | pointerAB |
-| struct_init.c:34:8:34:12 | outer |
-| struct_init.c:34:14:34:22 | pointerAB |
 | struct_init.c:36:11:36:15 | outer |
-| struct_init.c:46:10:46:14 | outer |
diff --git a/cpp/ql/test/library-tests/dataflow/fields/partial-definition.expected b/cpp/ql/test/library-tests/dataflow/fields/partial-definition.expected
index 9821d527b87..9b03e4f8039 100644
--- a/cpp/ql/test/library-tests/dataflow/fields/partial-definition.expected
+++ b/cpp/ql/test/library-tests/dataflow/fields/partial-definition.expected
@@ -220,18 +220,6 @@
 | aliasing.cpp:205:15:205:24 | & ... |
 | aliasing.cpp:205:16:205:18 | ps2 |
 | aliasing.cpp:205:21:205:21 | s |
-| aliasing.cpp:211:3:211:4 | s2 |
-| aliasing.cpp:211:6:211:6 | s |
-| aliasing.cpp:211:8:211:9 | m1 |
-| aliasing.cpp:218:3:218:4 | s2 |
-| aliasing.cpp:218:6:218:6 | s |
-| aliasing.cpp:218:8:218:9 | m1 |
-| aliasing.cpp:225:15:225:22 | & ... |
-| aliasing.cpp:225:16:225:17 | s2 |
-| aliasing.cpp:225:19:225:19 | s |
-| aliasing.cpp:232:15:232:22 | & ... |
-| aliasing.cpp:232:16:232:17 | s2 |
-| aliasing.cpp:232:19:232:19 | s |
 | arrays.cpp:6:3:6:8 | access to array |
 | arrays.cpp:15:3:15:10 | * ... |
 | arrays.cpp:36:3:36:3 | o |
@@ -352,8 +340,6 @@
 | by_reference.cpp:135:27:135:27 | a |
 | by_reference.cpp:136:8:136:13 | pouter |
 | by_reference.cpp:136:16:136:16 | a |
-| by_reference.cpp:140:3:140:5 | * ... |
-| by_reference.cpp:145:15:145:16 | & ... |
 | complex.cpp:11:22:11:23 | a_ |
 | complex.cpp:11:22:11:23 | this |
 | complex.cpp:12:22:12:23 | b_ |
@@ -498,9 +484,6 @@
 | simple.cpp:84:14:84:20 | this |
 | simple.cpp:92:5:92:5 | a |
 | simple.cpp:92:7:92:7 | i |
-| simple.cpp:104:5:104:5 | b |
-| simple.cpp:104:7:104:7 | a |
-| simple.cpp:104:9:104:9 | i |
 | struct_init.c:15:8:15:9 | ab |
 | struct_init.c:15:12:15:12 | a |
 | struct_init.c:16:8:16:9 | ab |
diff --git a/cpp/ql/test/library-tests/dataflow/fields/path-flow.expected b/cpp/ql/test/library-tests/dataflow/fields/path-flow.expected
index 6ea374d0ddf..6604dde87d4 100644
--- a/cpp/ql/test/library-tests/dataflow/fields/path-flow.expected
+++ b/cpp/ql/test/library-tests/dataflow/fields/path-flow.expected
@@ -160,7 +160,6 @@ edges
 | aliasing.cpp:106:4:106:5 | pa [inner post update] | aliasing.cpp:175:15:175:22 | ref arg & ... |
 | aliasing.cpp:106:4:106:5 | pa [inner post update] | aliasing.cpp:187:15:187:22 | ref arg & ... |
 | aliasing.cpp:106:4:106:5 | pa [inner post update] | aliasing.cpp:200:15:200:24 | ref arg & ... |
-| aliasing.cpp:106:4:106:5 | pa [inner post update] | aliasing.cpp:225:15:225:22 | ref arg & ... |
 | aliasing.cpp:106:9:106:18 | call to user_input | aliasing.cpp:106:4:106:5 | pa [inner post update] |
 | aliasing.cpp:158:15:158:15 | s [post update] [data] | aliasing.cpp:159:9:159:9 | s [data] |
 | aliasing.cpp:158:17:158:20 | ref arg data | aliasing.cpp:158:15:158:15 | s [post update] [data] |
@@ -188,20 +187,6 @@ edges
 | aliasing.cpp:200:23:200:24 | m1 [inner post update] | aliasing.cpp:200:21:200:21 | s [post update] [m1] |
 | aliasing.cpp:201:8:201:10 | ps2 [s, m1] | aliasing.cpp:201:13:201:13 | s [m1] |
 | aliasing.cpp:201:13:201:13 | s [m1] | aliasing.cpp:201:15:201:16 | m1 |
-| aliasing.cpp:211:3:211:4 | s2 [post update] [s, m1] | aliasing.cpp:212:9:212:10 | s2 [s, m1] |
-| aliasing.cpp:211:3:211:24 | ... = ... | aliasing.cpp:211:6:211:6 | s [post update] [m1] |
-| aliasing.cpp:211:6:211:6 | s [post update] [m1] | aliasing.cpp:211:3:211:4 | s2 [post update] [s, m1] |
-| aliasing.cpp:211:13:211:22 | call to user_input | aliasing.cpp:211:3:211:24 | ... = ... |
-| aliasing.cpp:212:9:212:10 | s2 [s, m1] | aliasing.cpp:212:12:212:12 | s [m1] |
-| aliasing.cpp:212:12:212:12 | s [m1] | aliasing.cpp:213:8:213:8 | s [m1] |
-| aliasing.cpp:213:8:213:8 | s [m1] | aliasing.cpp:213:10:213:11 | m1 |
-| aliasing.cpp:225:15:225:22 | ref arg & ... | aliasing.cpp:225:21:225:22 | m1 [inner post update] |
-| aliasing.cpp:225:16:225:17 | s2 [post update] [s, m1] | aliasing.cpp:226:9:226:10 | s2 [s, m1] |
-| aliasing.cpp:225:19:225:19 | s [post update] [m1] | aliasing.cpp:225:16:225:17 | s2 [post update] [s, m1] |
-| aliasing.cpp:225:21:225:22 | m1 [inner post update] | aliasing.cpp:225:19:225:19 | s [post update] [m1] |
-| aliasing.cpp:226:9:226:10 | s2 [s, m1] | aliasing.cpp:226:12:226:12 | s [m1] |
-| aliasing.cpp:226:12:226:12 | s [m1] | aliasing.cpp:227:8:227:8 | s [m1] |
-| aliasing.cpp:227:8:227:8 | s [m1] | aliasing.cpp:227:10:227:11 | m1 |
 | arrays.cpp:6:12:6:21 | call to user_input | arrays.cpp:7:8:7:13 | access to array |
 | arrays.cpp:6:12:6:21 | call to user_input | arrays.cpp:8:8:8:13 | access to array |
 | arrays.cpp:6:12:6:21 | call to user_input | arrays.cpp:9:8:9:11 | * ... |
@@ -323,9 +308,6 @@ edges
 | by_reference.cpp:135:8:135:13 | pouter [inner_ptr, a] | by_reference.cpp:135:16:135:24 | inner_ptr [a] |
 | by_reference.cpp:135:16:135:24 | inner_ptr [a] | by_reference.cpp:135:27:135:27 | a |
 | by_reference.cpp:136:8:136:13 | pouter [a] | by_reference.cpp:136:16:136:16 | a |
-| by_reference.cpp:140:4:140:5 | pa [inner post update] | by_reference.cpp:145:15:145:16 | ref arg & ... |
-| by_reference.cpp:140:16:140:25 | call to user_input | by_reference.cpp:140:4:140:5 | pa [inner post update] |
-| by_reference.cpp:145:15:145:16 | ref arg & ... | by_reference.cpp:146:8:146:8 | s |
 | complex.cpp:40:17:40:17 | b [inner, f, a_] | complex.cpp:42:8:42:8 | b [inner, f, a_] |
 | complex.cpp:40:17:40:17 | b [inner, f, b_] | complex.cpp:43:8:43:8 | b [inner, f, b_] |
 | complex.cpp:42:8:42:8 | b [inner, f, a_] | complex.cpp:42:10:42:14 | inner [f, a_] |
@@ -467,12 +449,6 @@ edges
 | simple.cpp:92:5:92:22 | ... = ... | simple.cpp:92:5:92:5 | a [post update] [i] |
 | simple.cpp:92:11:92:20 | call to user_input | simple.cpp:92:5:92:22 | ... = ... |
 | simple.cpp:94:10:94:11 | a2 [i] | simple.cpp:94:13:94:13 | i |
-| simple.cpp:104:5:104:5 | b [post update] [a, i] | simple.cpp:106:10:106:11 | b2 [a, i] |
-| simple.cpp:104:5:104:24 | ... = ... | simple.cpp:104:7:104:7 | a [post update] [i] |
-| simple.cpp:104:7:104:7 | a [post update] [i] | simple.cpp:104:5:104:5 | b [post update] [a, i] |
-| simple.cpp:104:13:104:22 | call to user_input | simple.cpp:104:5:104:24 | ... = ... |
-| simple.cpp:106:10:106:11 | b2 [a, i] | simple.cpp:106:13:106:13 | a [i] |
-| simple.cpp:106:13:106:13 | a [i] | simple.cpp:106:15:106:15 | i |
 | struct_init.c:14:24:14:25 | ab [a] | struct_init.c:15:8:15:9 | ab [a] |
 | struct_init.c:15:8:15:9 | ab [a] | struct_init.c:15:12:15:12 | a |
 | struct_init.c:20:17:20:36 | {...} [a] | struct_init.c:22:8:22:9 | ab [a] |
@@ -713,22 +689,6 @@ nodes
 | aliasing.cpp:201:8:201:10 | ps2 [s, m1] | semmle.label | ps2 [s, m1] |
 | aliasing.cpp:201:13:201:13 | s [m1] | semmle.label | s [m1] |
 | aliasing.cpp:201:15:201:16 | m1 | semmle.label | m1 |
-| aliasing.cpp:211:3:211:4 | s2 [post update] [s, m1] | semmle.label | s2 [post update] [s, m1] |
-| aliasing.cpp:211:3:211:24 | ... = ... | semmle.label | ... = ... |
-| aliasing.cpp:211:6:211:6 | s [post update] [m1] | semmle.label | s [post update] [m1] |
-| aliasing.cpp:211:13:211:22 | call to user_input | semmle.label | call to user_input |
-| aliasing.cpp:212:9:212:10 | s2 [s, m1] | semmle.label | s2 [s, m1] |
-| aliasing.cpp:212:12:212:12 | s [m1] | semmle.label | s [m1] |
-| aliasing.cpp:213:8:213:8 | s [m1] | semmle.label | s [m1] |
-| aliasing.cpp:213:10:213:11 | m1 | semmle.label | m1 |
-| aliasing.cpp:225:15:225:22 | ref arg & ... | semmle.label | ref arg & ... |
-| aliasing.cpp:225:16:225:17 | s2 [post update] [s, m1] | semmle.label | s2 [post update] [s, m1] |
-| aliasing.cpp:225:19:225:19 | s [post update] [m1] | semmle.label | s [post update] [m1] |
-| aliasing.cpp:225:21:225:22 | m1 [inner post update] | semmle.label | m1 [inner post update] |
-| aliasing.cpp:226:9:226:10 | s2 [s, m1] | semmle.label | s2 [s, m1] |
-| aliasing.cpp:226:12:226:12 | s [m1] | semmle.label | s [m1] |
-| aliasing.cpp:227:8:227:8 | s [m1] | semmle.label | s [m1] |
-| aliasing.cpp:227:10:227:11 | m1 | semmle.label | m1 |
 | arrays.cpp:6:12:6:21 | call to user_input | semmle.label | call to user_input |
 | arrays.cpp:7:8:7:13 | access to array | semmle.label | access to array |
 | arrays.cpp:8:8:8:13 | access to array | semmle.label | access to array |
@@ -858,10 +818,6 @@ nodes
 | by_reference.cpp:135:27:135:27 | a | semmle.label | a |
 | by_reference.cpp:136:8:136:13 | pouter [a] | semmle.label | pouter [a] |
 | by_reference.cpp:136:16:136:16 | a | semmle.label | a |
-| by_reference.cpp:140:4:140:5 | pa [inner post update] | semmle.label | pa [inner post update] |
-| by_reference.cpp:140:16:140:25 | call to user_input | semmle.label | call to user_input |
-| by_reference.cpp:145:15:145:16 | ref arg & ... | semmle.label | ref arg & ... |
-| by_reference.cpp:146:8:146:8 | s | semmle.label | s |
 | complex.cpp:40:17:40:17 | b [inner, f, a_] | semmle.label | b [inner, f, a_] |
 | complex.cpp:40:17:40:17 | b [inner, f, b_] | semmle.label | b [inner, f, b_] |
 | complex.cpp:42:8:42:8 | b [inner, f, a_] | semmle.label | b [inner, f, a_] |
@@ -1024,13 +980,6 @@ nodes
 | simple.cpp:92:11:92:20 | call to user_input | semmle.label | call to user_input |
 | simple.cpp:94:10:94:11 | a2 [i] | semmle.label | a2 [i] |
 | simple.cpp:94:13:94:13 | i | semmle.label | i |
-| simple.cpp:104:5:104:5 | b [post update] [a, i] | semmle.label | b [post update] [a, i] |
-| simple.cpp:104:5:104:24 | ... = ... | semmle.label | ... = ... |
-| simple.cpp:104:7:104:7 | a [post update] [i] | semmle.label | a [post update] [i] |
-| simple.cpp:104:13:104:22 | call to user_input | semmle.label | call to user_input |
-| simple.cpp:106:10:106:11 | b2 [a, i] | semmle.label | b2 [a, i] |
-| simple.cpp:106:13:106:13 | a [i] | semmle.label | a [i] |
-| simple.cpp:106:15:106:15 | i | semmle.label | i |
 | struct_init.c:14:24:14:25 | ab [a] | semmle.label | ab [a] |
 | struct_init.c:15:8:15:9 | ab [a] | semmle.label | ab [a] |
 | struct_init.c:15:12:15:12 | a | semmle.label | a |
@@ -1096,8 +1045,6 @@ nodes
 | aliasing.cpp:176:13:176:14 | m1 | aliasing.cpp:106:9:106:18 | call to user_input | aliasing.cpp:176:13:176:14 | m1 | m1 flows from $@ | aliasing.cpp:106:9:106:18 | call to user_input | call to user_input |
 | aliasing.cpp:189:15:189:16 | m1 | aliasing.cpp:106:9:106:18 | call to user_input | aliasing.cpp:189:15:189:16 | m1 | m1 flows from $@ | aliasing.cpp:106:9:106:18 | call to user_input | call to user_input |
 | aliasing.cpp:201:15:201:16 | m1 | aliasing.cpp:106:9:106:18 | call to user_input | aliasing.cpp:201:15:201:16 | m1 | m1 flows from $@ | aliasing.cpp:106:9:106:18 | call to user_input | call to user_input |
-| aliasing.cpp:213:10:213:11 | m1 | aliasing.cpp:211:13:211:22 | call to user_input | aliasing.cpp:213:10:213:11 | m1 | m1 flows from $@ | aliasing.cpp:211:13:211:22 | call to user_input | call to user_input |
-| aliasing.cpp:227:10:227:11 | m1 | aliasing.cpp:106:9:106:18 | call to user_input | aliasing.cpp:227:10:227:11 | m1 | m1 flows from $@ | aliasing.cpp:106:9:106:18 | call to user_input | call to user_input |
 | arrays.cpp:7:8:7:13 | access to array | arrays.cpp:6:12:6:21 | call to user_input | arrays.cpp:7:8:7:13 | access to array | access to array flows from $@ | arrays.cpp:6:12:6:21 | call to user_input | call to user_input |
 | arrays.cpp:8:8:8:13 | access to array | arrays.cpp:6:12:6:21 | call to user_input | arrays.cpp:8:8:8:13 | access to array | access to array flows from $@ | arrays.cpp:6:12:6:21 | call to user_input | call to user_input |
 | arrays.cpp:9:8:9:11 | * ... | arrays.cpp:6:12:6:21 | call to user_input | arrays.cpp:9:8:9:11 | * ... | * ... flows from $@ | arrays.cpp:6:12:6:21 | call to user_input | call to user_input |
@@ -1124,7 +1071,6 @@ nodes
 | by_reference.cpp:134:29:134:29 | a | by_reference.cpp:88:13:88:22 | call to user_input | by_reference.cpp:134:29:134:29 | a | a flows from $@ | by_reference.cpp:88:13:88:22 | call to user_input | call to user_input |
 | by_reference.cpp:135:27:135:27 | a | by_reference.cpp:88:13:88:22 | call to user_input | by_reference.cpp:135:27:135:27 | a | a flows from $@ | by_reference.cpp:88:13:88:22 | call to user_input | call to user_input |
 | by_reference.cpp:136:16:136:16 | a | by_reference.cpp:96:8:96:17 | call to user_input | by_reference.cpp:136:16:136:16 | a | a flows from $@ | by_reference.cpp:96:8:96:17 | call to user_input | call to user_input |
-| by_reference.cpp:146:8:146:8 | s | by_reference.cpp:140:16:140:25 | call to user_input | by_reference.cpp:146:8:146:8 | s | s flows from $@ | by_reference.cpp:140:16:140:25 | call to user_input | call to user_input |
 | complex.cpp:42:18:42:18 | call to a | complex.cpp:53:19:53:28 | call to user_input | complex.cpp:42:18:42:18 | call to a | call to a flows from $@ | complex.cpp:53:19:53:28 | call to user_input | call to user_input |
 | complex.cpp:42:18:42:18 | call to a | complex.cpp:55:19:55:28 | call to user_input | complex.cpp:42:18:42:18 | call to a | call to a flows from $@ | complex.cpp:55:19:55:28 | call to user_input | call to user_input |
 | complex.cpp:43:18:43:18 | call to b | complex.cpp:54:19:54:28 | call to user_input | complex.cpp:43:18:43:18 | call to b | call to b flows from $@ | complex.cpp:54:19:54:28 | call to user_input | call to user_input |
@@ -1152,7 +1098,6 @@ nodes
 | simple.cpp:67:13:67:13 | i | simple.cpp:65:11:65:20 | call to user_input | simple.cpp:67:13:67:13 | i | i flows from $@ | simple.cpp:65:11:65:20 | call to user_input | call to user_input |
 | simple.cpp:84:14:84:20 | call to getf2f1 | simple.cpp:83:17:83:26 | call to user_input | simple.cpp:84:14:84:20 | call to getf2f1 | call to getf2f1 flows from $@ | simple.cpp:83:17:83:26 | call to user_input | call to user_input |
 | simple.cpp:94:13:94:13 | i | simple.cpp:92:11:92:20 | call to user_input | simple.cpp:94:13:94:13 | i | i flows from $@ | simple.cpp:92:11:92:20 | call to user_input | call to user_input |
-| simple.cpp:106:15:106:15 | i | simple.cpp:104:13:104:22 | call to user_input | simple.cpp:106:15:106:15 | i | i flows from $@ | simple.cpp:104:13:104:22 | call to user_input | call to user_input |
 | struct_init.c:15:12:15:12 | a | struct_init.c:20:20:20:29 | call to user_input | struct_init.c:15:12:15:12 | a | a flows from $@ | struct_init.c:20:20:20:29 | call to user_input | call to user_input |
 | struct_init.c:15:12:15:12 | a | struct_init.c:27:7:27:16 | call to user_input | struct_init.c:15:12:15:12 | a | a flows from $@ | struct_init.c:27:7:27:16 | call to user_input | call to user_input |
 | struct_init.c:15:12:15:12 | a | struct_init.c:40:20:40:29 | call to user_input | struct_init.c:15:12:15:12 | a | a flows from $@ | struct_init.c:40:20:40:29 | call to user_input | call to user_input |
diff --git a/cpp/ql/test/library-tests/dataflow/fields/simple.cpp b/cpp/ql/test/library-tests/dataflow/fields/simple.cpp
index 829974a1b67..e4d4f70edb0 100644
--- a/cpp/ql/test/library-tests/dataflow/fields/simple.cpp
+++ b/cpp/ql/test/library-tests/dataflow/fields/simple.cpp
@@ -94,16 +94,4 @@ void single_field_test_typedef(A_typedef a)
     sink(a2.i); //$ ast,ir
 }
 
-struct B {
-    A a;
-};
-
-void single_field_test_depth_2()
-{
-    B b;
-    b.a.i = user_input();
-    B b2 = b;
-    sink(b2.a.i); //$ ast MISSING: ir
-}
-
 } // namespace Simple
diff --git a/cpp/ql/test/library-tests/syntax-zoo/dataflow-ir-consistency.expected b/cpp/ql/test/library-tests/syntax-zoo/dataflow-ir-consistency.expected
index 4f709d960cc..6aeadb2f174 100644
--- a/cpp/ql/test/library-tests/syntax-zoo/dataflow-ir-consistency.expected
+++ b/cpp/ql/test/library-tests/syntax-zoo/dataflow-ir-consistency.expected
@@ -1464,93 +1464,117 @@ unreachableNodeCCtx
 localCallNodes
 postIsNotPre
 postHasUniquePre
-| allocators.cpp:16:14:16:36 | Foo output argument | PostUpdateNode should have one pre-update node but has 0. |
-| condition_decls.cpp:16:19:16:20 | BoxedInt output argument | PostUpdateNode should have one pre-update node but has 0. |
-| condition_decls.cpp:26:23:26:24 | BoxedInt output argument | PostUpdateNode should have one pre-update node but has 0. |
-| condition_decls.cpp:41:22:41:23 | BoxedInt output argument | PostUpdateNode should have one pre-update node but has 0. |
-| condition_decls.cpp:48:22:48:24 | BoxedInt output argument | PostUpdateNode should have one pre-update node but has 0. |
-| condition_decls.cpp:48:34:48:36 | BoxedInt output argument | PostUpdateNode should have one pre-update node but has 0. |
-| condition_decls.cpp:48:52:48:53 | BoxedInt output argument | PostUpdateNode should have one pre-update node but has 0. |
-| conditional_destructors.cpp:30:9:30:13 | C1 output argument | PostUpdateNode should have one pre-update node but has 0. |
-| conditional_destructors.cpp:30:18:30:22 | C1 output argument | PostUpdateNode should have one pre-update node but has 0. |
-| conditional_destructors.cpp:33:9:33:13 | C1 output argument | PostUpdateNode should have one pre-update node but has 0. |
-| conditional_destructors.cpp:33:18:33:22 | C1 output argument | PostUpdateNode should have one pre-update node but has 0. |
-| conditional_destructors.cpp:39:9:39:13 | C2 output argument | PostUpdateNode should have one pre-update node but has 0. |
-| conditional_destructors.cpp:39:18:39:22 | C2 output argument | PostUpdateNode should have one pre-update node but has 0. |
-| conditional_destructors.cpp:42:9:42:13 | C2 output argument | PostUpdateNode should have one pre-update node but has 0. |
-| conditional_destructors.cpp:42:18:42:22 | C2 output argument | PostUpdateNode should have one pre-update node but has 0. |
-| constructorinitializer.cpp:8:6:8:18 | C output argument | PostUpdateNode should have one pre-update node but has 0. |
-| cpp11.cpp:77:19:77:21 | Val output argument | PostUpdateNode should have one pre-update node but has 0. |
-| cpp11.cpp:82:11:82:14 | Val output argument | PostUpdateNode should have one pre-update node but has 0. |
-| cpp11.cpp:82:17:82:55 | Val output argument | PostUpdateNode should have one pre-update node but has 0. |
-| cpp11.cpp:82:45:82:48 | Val output argument | PostUpdateNode should have one pre-update node but has 0. |
-| cpp11.cpp:82:51:82:51 | Val output argument | PostUpdateNode should have one pre-update node but has 0. |
-| cpp11.cpp:88:25:88:30 | Val output argument | PostUpdateNode should have one pre-update node but has 0. |
-| cpp11.cpp:88:33:88:38 | Val output argument | PostUpdateNode should have one pre-update node but has 0. |
-| cpp17.cpp:15:5:15:45 | HasTwoArgCtor output argument | PostUpdateNode should have one pre-update node but has 0. |
-| destructors.cpp:50:9:50:13 | C output argument | PostUpdateNode should have one pre-update node but has 0. |
-| destructors.cpp:51:36:51:38 | C output argument | PostUpdateNode should have one pre-update node but has 0. |
-| file://:0:0:0:0 | C output argument | PostUpdateNode should have one pre-update node but has 0. |
-| ir.cpp:616:12:616:13 | String output argument | PostUpdateNode should have one pre-update node but has 0. |
-| ir.cpp:617:15:617:22 | String output argument | PostUpdateNode should have one pre-update node but has 0. |
-| ir.cpp:619:16:619:30 | String output argument | PostUpdateNode should have one pre-update node but has 0. |
-| ir.cpp:662:9:662:19 | String output argument | PostUpdateNode should have one pre-update node but has 0. |
-| ir.cpp:663:5:663:5 | String output argument | PostUpdateNode should have one pre-update node but has 0. |
-| ir.cpp:736:5:736:19 | String output argument | PostUpdateNode should have one pre-update node but has 0. |
-| ir.cpp:745:8:745:8 | String output argument | PostUpdateNode should have one pre-update node but has 0. |
-| ir.cpp:748:10:748:10 | String output argument | PostUpdateNode should have one pre-update node but has 0. |
-| ir.cpp:757:12:757:12 | Base output argument | PostUpdateNode should have one pre-update node but has 0. |
-| ir.cpp:757:12:757:12 | String output argument | PostUpdateNode should have one pre-update node but has 0. |
-| ir.cpp:766:13:766:13 | Middle output argument | PostUpdateNode should have one pre-update node but has 0. |
-| ir.cpp:766:13:766:13 | String output argument | PostUpdateNode should have one pre-update node but has 0. |
-| ir.cpp:775:15:775:15 | Base output argument | PostUpdateNode should have one pre-update node but has 0. |
-| ir.cpp:775:15:775:15 | String output argument | PostUpdateNode should have one pre-update node but has 0. |
-| ir.cpp:784:15:784:15 | Base output argument | PostUpdateNode should have one pre-update node but has 0. |
-| ir.cpp:784:15:784:15 | String output argument | PostUpdateNode should have one pre-update node but has 0. |
-| ir.cpp:793:15:793:15 | Base output argument | PostUpdateNode should have one pre-update node but has 0. |
-| ir.cpp:793:15:793:15 | MiddleVB1 output argument | PostUpdateNode should have one pre-update node but has 0. |
-| ir.cpp:793:15:793:15 | MiddleVB2 output argument | PostUpdateNode should have one pre-update node but has 0. |
-| ir.cpp:793:15:793:15 | String output argument | PostUpdateNode should have one pre-update node but has 0. |
-| ir.cpp:800:8:800:8 | Base output argument | PostUpdateNode should have one pre-update node but has 0. |
-| ir.cpp:801:10:801:10 | Middle output argument | PostUpdateNode should have one pre-update node but has 0. |
-| ir.cpp:802:11:802:11 | Derived output argument | PostUpdateNode should have one pre-update node but has 0. |
-| ir.cpp:809:7:809:13 | Base output argument | PostUpdateNode should have one pre-update node but has 0. |
-| ir.cpp:810:7:810:26 | Base output argument | PostUpdateNode should have one pre-update node but has 0. |
-| ir.cpp:823:7:823:13 | Base output argument | PostUpdateNode should have one pre-update node but has 0. |
-| ir.cpp:824:7:824:26 | Base output argument | PostUpdateNode should have one pre-update node but has 0. |
-| ir.cpp:846:8:846:8 | PolymorphicBase output argument | PostUpdateNode should have one pre-update node but has 0. |
-| ir.cpp:850:19:850:19 | PolymorphicBase output argument | PostUpdateNode should have one pre-update node but has 0. |
-| ir.cpp:851:22:851:22 | PolymorphicDerived output argument | PostUpdateNode should have one pre-update node but has 0. |
-| ir.cpp:868:3:868:12 | String output argument | PostUpdateNode should have one pre-update node but has 0. |
-| ir.cpp:944:3:944:14 | String output argument | PostUpdateNode should have one pre-update node but has 0. |
-| ir.cpp:945:3:945:27 | String output argument | PostUpdateNode should have one pre-update node but has 0. |
-| ms_assume.cpp:28:18:28:23 | fgets output argument | PostUpdateNode should have one pre-update node but has 0. |
-| ms_try_mix.cpp:11:12:11:15 | C output argument | PostUpdateNode should have one pre-update node but has 0. |
-| ms_try_mix.cpp:28:12:28:15 | C output argument | PostUpdateNode should have one pre-update node but has 0. |
-| ms_try_mix.cpp:48:10:48:13 | C output argument | PostUpdateNode should have one pre-update node but has 0. |
-| newexpr.cpp:8:2:8:20 | C output argument | PostUpdateNode should have one pre-update node but has 0. |
-| ops.cpp:26:31:26:53 | C_with_constr_destr output argument | PostUpdateNode should have one pre-update node but has 0. |
-| parameterinitializer.cpp:25:5:25:8 | c output argument | PostUpdateNode should have one pre-update node but has 0. |
-| static_init_templates.cpp:31:10:31:11 | MyClass output argument | PostUpdateNode should have one pre-update node but has 0. |
-| static_init_templates.cpp:236:7:236:7 | MyConstructorClass output argument | PostUpdateNode should have one pre-update node but has 0. |
-| static_init_templates.cpp:240:7:240:7 | MyConstructorClass output argument | PostUpdateNode should have one pre-update node but has 0. |
-| static_init_templates.cpp:249:21:249:23 | MyConstructorClass output argument | PostUpdateNode should have one pre-update node but has 0. |
-| static_init_templates.cpp:250:17:250:19 | MyDerivedClass output argument | PostUpdateNode should have one pre-update node but has 0. |
-| static_init_templates.cpp:251:20:251:23 | MyContainingClass output argument | PostUpdateNode should have one pre-update node but has 0. |
-| stmt_expr.cpp:13:18:13:19 | C output argument | PostUpdateNode should have one pre-update node but has 0. |
-| try_catch.cpp:7:8:7:8 | exception output argument | PostUpdateNode should have one pre-update node but has 0. |
-| try_catch.cpp:7:8:7:8 | exception output argument | PostUpdateNode should have one pre-update node but has 0. |
-| try_catch.cpp:13:5:13:16 | exn1 output argument | PostUpdateNode should have one pre-update node but has 0. |
+| assignexpr.cpp:9:2:9:12 | Store | PostUpdateNode should have one pre-update node but has 0. |
+| bad_asts.cpp:15:10:15:12 | Store | PostUpdateNode should have one pre-update node but has 0. |
+| cpp11.cpp:65:19:65:45 | Store | PostUpdateNode should have one pre-update node but has 0. |
+| ir.cpp:531:14:531:14 | Store | PostUpdateNode should have one pre-update node but has 0. |
 uniquePostUpdate
 postIsInSameCallable
 reverseRead
 argHasPostUpdate
 postWithInFlow
-| cpp11.cpp:77:19:77:21 | Val output argument | PostUpdateNode should not be the target of local flow. |
-| cpp11.cpp:82:11:82:14 | Val output argument | PostUpdateNode should not be the target of local flow. |
-| cpp11.cpp:82:45:82:48 | Val output argument | PostUpdateNode should not be the target of local flow. |
-| cpp11.cpp:82:51:82:51 | Val output argument | PostUpdateNode should not be the target of local flow. |
-| ir.cpp:809:7:809:13 | Base output argument | PostUpdateNode should not be the target of local flow. |
-| ir.cpp:810:7:810:26 | Base output argument | PostUpdateNode should not be the target of local flow. |
-| ir.cpp:823:7:823:13 | Base output argument | PostUpdateNode should not be the target of local flow. |
-| ir.cpp:824:7:824:26 | Base output argument | PostUpdateNode should not be the target of local flow. |
+| aggregateinitializer.c:3:14:3:18 | Chi | PostUpdateNode should not be the target of local flow. |
+| aggregateinitializer.c:3:21:3:25 | Chi | PostUpdateNode should not be the target of local flow. |
+| allocators.cpp:3:27:3:27 | Chi | PostUpdateNode should not be the target of local flow. |
+| allocators.cpp:3:35:3:35 | Chi | PostUpdateNode should not be the target of local flow. |
+| allocators.cpp:4:11:4:23 | Chi | PostUpdateNode should not be the target of local flow. |
+| allocators.cpp:4:17:4:23 | Chi | PostUpdateNode should not be the target of local flow. |
+| assignexpr.cpp:9:2:9:12 | Store | PostUpdateNode should not be the target of local flow. |
+| bad_asts.cpp:15:10:15:12 | Store | PostUpdateNode should not be the target of local flow. |
+| builtin.c:14:26:14:26 | Chi | PostUpdateNode should not be the target of local flow. |
+| builtin.c:14:29:14:29 | Chi | PostUpdateNode should not be the target of local flow. |
+| builtin.c:14:32:14:32 | Chi | PostUpdateNode should not be the target of local flow. |
+| builtin.c:14:35:14:35 | Chi | PostUpdateNode should not be the target of local flow. |
+| condition_decls.cpp:3:5:3:22 | Chi | PostUpdateNode should not be the target of local flow. |
+| condition_decls.cpp:3:21:3:21 | Chi | PostUpdateNode should not be the target of local flow. |
+| conditional_destructors.cpp:6:13:6:19 | Chi | PostUpdateNode should not be the target of local flow. |
+| conditional_destructors.cpp:18:13:18:19 | Chi | PostUpdateNode should not be the target of local flow. |
+| cpp11.cpp:65:19:65:45 | Store | PostUpdateNode should not be the target of local flow. |
+| cpp11.cpp:82:17:82:55 | Chi | PostUpdateNode should not be the target of local flow. |
+| cpp11.cpp:82:17:82:55 | Chi | PostUpdateNode should not be the target of local flow. |
+| cpp11.cpp:82:45:82:48 | Chi | PostUpdateNode should not be the target of local flow. |
+| defdestructordeleteexpr.cpp:4:9:4:15 | Chi | PostUpdateNode should not be the target of local flow. |
+| deleteexpr.cpp:7:9:7:15 | Chi | PostUpdateNode should not be the target of local flow. |
+| file://:0:0:0:0 | Chi | PostUpdateNode should not be the target of local flow. |
+| file://:0:0:0:0 | Chi | PostUpdateNode should not be the target of local flow. |
+| file://:0:0:0:0 | Chi | PostUpdateNode should not be the target of local flow. |
+| ir.cpp:177:5:177:12 | Chi | PostUpdateNode should not be the target of local flow. |
+| ir.cpp:178:5:178:12 | Chi | PostUpdateNode should not be the target of local flow. |
+| ir.cpp:183:5:183:12 | Chi | PostUpdateNode should not be the target of local flow. |
+| ir.cpp:184:5:184:12 | Chi | PostUpdateNode should not be the target of local flow. |
+| ir.cpp:342:5:342:10 | Chi | PostUpdateNode should not be the target of local flow. |
+| ir.cpp:428:5:428:12 | Chi | PostUpdateNode should not be the target of local flow. |
+| ir.cpp:429:5:429:15 | Chi | PostUpdateNode should not be the target of local flow. |
+| ir.cpp:504:19:504:19 | Chi | PostUpdateNode should not be the target of local flow. |
+| ir.cpp:504:22:504:22 | Chi | PostUpdateNode should not be the target of local flow. |
+| ir.cpp:505:16:505:21 | Chi | PostUpdateNode should not be the target of local flow. |
+| ir.cpp:505:19:505:19 | Chi | PostUpdateNode should not be the target of local flow. |
+| ir.cpp:506:16:506:18 | Chi | PostUpdateNode should not be the target of local flow. |
+| ir.cpp:506:16:506:18 | Chi | PostUpdateNode should not be the target of local flow. |
+| ir.cpp:513:14:513:16 | Chi | PostUpdateNode should not be the target of local flow. |
+| ir.cpp:513:14:513:16 | Chi | PostUpdateNode should not be the target of local flow. |
+| ir.cpp:514:14:514:26 | Chi | PostUpdateNode should not be the target of local flow. |
+| ir.cpp:514:19:514:19 | Chi | PostUpdateNode should not be the target of local flow. |
+| ir.cpp:514:22:514:22 | Chi | PostUpdateNode should not be the target of local flow. |
+| ir.cpp:515:19:515:19 | Chi | PostUpdateNode should not be the target of local flow. |
+| ir.cpp:515:22:515:22 | Chi | PostUpdateNode should not be the target of local flow. |
+| ir.cpp:515:29:515:29 | Chi | PostUpdateNode should not be the target of local flow. |
+| ir.cpp:515:32:515:32 | Chi | PostUpdateNode should not be the target of local flow. |
+| ir.cpp:516:17:516:21 | Chi | PostUpdateNode should not be the target of local flow. |
+| ir.cpp:516:19:516:19 | Chi | PostUpdateNode should not be the target of local flow. |
+| ir.cpp:516:24:516:28 | Chi | PostUpdateNode should not be the target of local flow. |
+| ir.cpp:516:26:516:26 | Chi | PostUpdateNode should not be the target of local flow. |
+| ir.cpp:521:19:521:19 | Chi | PostUpdateNode should not be the target of local flow. |
+| ir.cpp:521:22:521:22 | Chi | PostUpdateNode should not be the target of local flow. |
+| ir.cpp:521:25:521:25 | Chi | PostUpdateNode should not be the target of local flow. |
+| ir.cpp:522:16:522:21 | Chi | PostUpdateNode should not be the target of local flow. |
+| ir.cpp:522:19:522:19 | Chi | PostUpdateNode should not be the target of local flow. |
+| ir.cpp:531:14:531:14 | Store | PostUpdateNode should not be the target of local flow. |
+| ir.cpp:577:16:577:21 | Chi | PostUpdateNode should not be the target of local flow. |
+| ir.cpp:577:19:577:19 | Chi | PostUpdateNode should not be the target of local flow. |
+| ir.cpp:578:19:578:19 | Chi | PostUpdateNode should not be the target of local flow. |
+| ir.cpp:578:22:578:22 | Chi | PostUpdateNode should not be the target of local flow. |
+| ir.cpp:579:16:579:21 | Chi | PostUpdateNode should not be the target of local flow. |
+| ir.cpp:579:19:579:19 | Chi | PostUpdateNode should not be the target of local flow. |
+| ir.cpp:643:9:643:21 | Chi | PostUpdateNode should not be the target of local flow. |
+| ir.cpp:644:9:644:23 | Chi | PostUpdateNode should not be the target of local flow. |
+| ir.cpp:645:9:645:15 | Chi | PostUpdateNode should not be the target of local flow. |
+| ir.cpp:659:9:659:14 | Chi | PostUpdateNode should not be the target of local flow. |
+| ir.cpp:660:13:660:13 | Chi | PostUpdateNode should not be the target of local flow. |
+| ir.cpp:661:9:661:13 | Chi | PostUpdateNode should not be the target of local flow. |
+| ir.cpp:662:9:662:19 | Chi | PostUpdateNode should not be the target of local flow. |
+| ir.cpp:663:5:663:5 | Chi | PostUpdateNode should not be the target of local flow. |
+| ir.cpp:745:8:745:8 | Chi | PostUpdateNode should not be the target of local flow. |
+| ir.cpp:745:8:745:8 | Chi | PostUpdateNode should not be the target of local flow. |
+| ir.cpp:748:10:748:10 | Chi | PostUpdateNode should not be the target of local flow. |
+| ir.cpp:754:8:754:8 | Chi | PostUpdateNode should not be the target of local flow. |
+| ir.cpp:757:12:757:12 | Chi | PostUpdateNode should not be the target of local flow. |
+| ir.cpp:763:8:763:8 | Chi | PostUpdateNode should not be the target of local flow. |
+| ir.cpp:766:13:766:13 | Chi | PostUpdateNode should not be the target of local flow. |
+| ir.cpp:775:15:775:15 | Chi | PostUpdateNode should not be the target of local flow. |
+| ir.cpp:784:15:784:15 | Chi | PostUpdateNode should not be the target of local flow. |
+| ir.cpp:793:15:793:15 | Chi | PostUpdateNode should not be the target of local flow. |
+| ir.cpp:943:3:943:11 | Chi | PostUpdateNode should not be the target of local flow. |
+| ir.cpp:947:3:947:25 | Chi | PostUpdateNode should not be the target of local flow. |
+| ir.cpp:962:17:962:47 | Chi | PostUpdateNode should not be the target of local flow. |
+| ir.cpp:962:17:962:47 | Chi | PostUpdateNode should not be the target of local flow. |
+| ir.cpp:962:17:962:47 | Chi | PostUpdateNode should not be the target of local flow. |
+| ir.cpp:962:26:962:30 | Chi | PostUpdateNode should not be the target of local flow. |
+| ir.cpp:962:41:962:45 | Chi | PostUpdateNode should not be the target of local flow. |
+| misc.c:130:5:130:11 | Chi | PostUpdateNode should not be the target of local flow. |
+| misc.c:131:5:131:13 | Chi | PostUpdateNode should not be the target of local flow. |
+| misc.c:154:32:154:32 | Chi | PostUpdateNode should not be the target of local flow. |
+| misc.c:154:35:154:35 | Chi | PostUpdateNode should not be the target of local flow. |
+| misc.c:154:40:154:40 | Chi | PostUpdateNode should not be the target of local flow. |
+| misc.c:154:43:154:43 | Chi | PostUpdateNode should not be the target of local flow. |
+| misc.c:157:14:157:18 | Chi | PostUpdateNode should not be the target of local flow. |
+| misc.c:158:14:158:18 | Chi | PostUpdateNode should not be the target of local flow. |
+| misc.c:160:31:160:33 | Chi | PostUpdateNode should not be the target of local flow. |
+| misc.c:160:31:160:33 | Chi | PostUpdateNode should not be the target of local flow. |
+| misc.c:220:3:223:3 | Chi | PostUpdateNode should not be the target of local flow. |
+| misc.c:221:10:221:10 | Chi | PostUpdateNode should not be the target of local flow. |
+| misc.c:222:10:222:10 | Chi | PostUpdateNode should not be the target of local flow. |
+| range_analysis.c:102:5:102:15 | Chi | PostUpdateNode should not be the target of local flow. |
+| static_init_templates.cpp:3:2:3:8 | Chi | PostUpdateNode should not be the target of local flow. |
+| static_init_templates.cpp:21:2:21:12 | Chi | PostUpdateNode should not be the target of local flow. |
+| static_init_templates.cpp:240:7:240:7 | Chi | PostUpdateNode should not be the target of local flow. |
diff --git a/cpp/ql/test/query-tests/Security/CWE/CWE-190/semmle/TaintedAllocationSize/TaintedAllocationSize.expected b/cpp/ql/test/query-tests/Security/CWE/CWE-190/semmle/TaintedAllocationSize/TaintedAllocationSize.expected
index 0299afff063..9876b9695ad 100644
--- a/cpp/ql/test/query-tests/Security/CWE/CWE-190/semmle/TaintedAllocationSize/TaintedAllocationSize.expected
+++ b/cpp/ql/test/query-tests/Security/CWE/CWE-190/semmle/TaintedAllocationSize/TaintedAllocationSize.expected
@@ -59,21 +59,18 @@ edges
 | test.cpp:227:24:227:37 | (const char *)... | test.cpp:229:9:229:18 | local_size |
 | test.cpp:241:2:241:32 | Chi [array content] | test.cpp:279:17:279:20 | get_size output argument [array content] |
 | test.cpp:241:2:241:32 | Chi [array content] | test.cpp:295:18:295:21 | get_size output argument [array content] |
-| test.cpp:241:2:241:32 | ChiTotal [post update] [array content] | test.cpp:241:2:241:32 | Chi [array content] |
-| test.cpp:241:2:241:32 | ChiTotal [post update] [array content] | test.cpp:279:17:279:20 | get_size output argument [array content] |
-| test.cpp:241:2:241:32 | ChiTotal [post update] [array content] | test.cpp:295:18:295:21 | get_size output argument [array content] |
-| test.cpp:241:18:241:23 | call to getenv | test.cpp:241:2:241:32 | ChiTotal [post update] [array content] |
-| test.cpp:241:18:241:31 | (const char *)... | test.cpp:241:2:241:32 | ChiTotal [post update] [array content] |
+| test.cpp:241:18:241:23 | call to getenv | test.cpp:241:2:241:32 | Chi [array content] |
+| test.cpp:241:18:241:31 | (const char *)... | test.cpp:241:2:241:32 | Chi [array content] |
 | test.cpp:249:20:249:25 | call to getenv | test.cpp:253:11:253:29 | ... * ... |
 | test.cpp:249:20:249:25 | call to getenv | test.cpp:253:11:253:29 | ... * ... |
 | test.cpp:249:20:249:33 | (const char *)... | test.cpp:253:11:253:29 | ... * ... |
 | test.cpp:249:20:249:33 | (const char *)... | test.cpp:253:11:253:29 | ... * ... |
-| test.cpp:279:17:279:20 | get_size output argument | test.cpp:281:11:281:28 | ... * ... |
-| test.cpp:279:17:279:20 | get_size output argument | test.cpp:281:11:281:28 | ... * ... |
-| test.cpp:279:17:279:20 | get_size output argument [array content] | test.cpp:279:17:279:20 | get_size output argument |
-| test.cpp:295:18:295:21 | get_size output argument | test.cpp:298:10:298:27 | ... * ... |
-| test.cpp:295:18:295:21 | get_size output argument | test.cpp:298:10:298:27 | ... * ... |
-| test.cpp:295:18:295:21 | get_size output argument [array content] | test.cpp:295:18:295:21 | get_size output argument |
+| test.cpp:279:17:279:20 | Chi | test.cpp:281:11:281:28 | ... * ... |
+| test.cpp:279:17:279:20 | Chi | test.cpp:281:11:281:28 | ... * ... |
+| test.cpp:279:17:279:20 | get_size output argument [array content] | test.cpp:279:17:279:20 | Chi |
+| test.cpp:295:18:295:21 | Chi | test.cpp:298:10:298:27 | ... * ... |
+| test.cpp:295:18:295:21 | Chi | test.cpp:298:10:298:27 | ... * ... |
+| test.cpp:295:18:295:21 | get_size output argument [array content] | test.cpp:295:18:295:21 | Chi |
 | test.cpp:301:19:301:24 | call to getenv | test.cpp:305:11:305:28 | ... * ... |
 | test.cpp:301:19:301:24 | call to getenv | test.cpp:305:11:305:28 | ... * ... |
 | test.cpp:301:19:301:32 | (const char *)... | test.cpp:305:11:305:28 | ... * ... |
@@ -147,7 +144,6 @@ nodes
 | test.cpp:237:2:237:8 | Argument 0 | semmle.label | Argument 0 |
 | test.cpp:241:2:241:32 | Chi [array content] | semmle.label | Chi [array content] |
 | test.cpp:241:2:241:32 | ChiPartial | semmle.label | ChiPartial |
-| test.cpp:241:2:241:32 | ChiTotal [post update] [array content] | semmle.label | ChiTotal [post update] [array content] |
 | test.cpp:241:18:241:23 | call to getenv | semmle.label | call to getenv |
 | test.cpp:241:18:241:31 | (const char *)... | semmle.label | (const char *)... |
 | test.cpp:249:20:249:25 | call to getenv | semmle.label | call to getenv |
@@ -155,12 +151,12 @@ nodes
 | test.cpp:253:11:253:29 | ... * ... | semmle.label | ... * ... |
 | test.cpp:253:11:253:29 | ... * ... | semmle.label | ... * ... |
 | test.cpp:253:11:253:29 | ... * ... | semmle.label | ... * ... |
-| test.cpp:279:17:279:20 | get_size output argument | semmle.label | get_size output argument |
+| test.cpp:279:17:279:20 | Chi | semmle.label | Chi |
 | test.cpp:279:17:279:20 | get_size output argument [array content] | semmle.label | get_size output argument [array content] |
 | test.cpp:281:11:281:28 | ... * ... | semmle.label | ... * ... |
 | test.cpp:281:11:281:28 | ... * ... | semmle.label | ... * ... |
 | test.cpp:281:11:281:28 | ... * ... | semmle.label | ... * ... |
-| test.cpp:295:18:295:21 | get_size output argument | semmle.label | get_size output argument |
+| test.cpp:295:18:295:21 | Chi | semmle.label | Chi |
 | test.cpp:295:18:295:21 | get_size output argument [array content] | semmle.label | get_size output argument [array content] |
 | test.cpp:298:10:298:27 | ... * ... | semmle.label | ... * ... |
 | test.cpp:298:10:298:27 | ... * ... | semmle.label | ... * ... |
diff --git a/cpp/ql/test/query-tests/Security/CWE/CWE-190/semmle/uncontrolled/ArithmeticUncontrolled.expected b/cpp/ql/test/query-tests/Security/CWE/CWE-190/semmle/uncontrolled/ArithmeticUncontrolled.expected
index c684f1da6ce..ca8dd38fc3b 100644
--- a/cpp/ql/test/query-tests/Security/CWE/CWE-190/semmle/uncontrolled/ArithmeticUncontrolled.expected
+++ b/cpp/ql/test/query-tests/Security/CWE/CWE-190/semmle/uncontrolled/ArithmeticUncontrolled.expected
@@ -43,23 +43,19 @@ edges
 | test.cpp:8:9:8:12 | call to rand | test.cpp:8:9:8:12 | Store |
 | test.cpp:8:9:8:12 | call to rand | test.cpp:8:9:8:12 | Store |
 | test.cpp:13:2:13:15 | Chi [array content] | test.cpp:30:13:30:14 | get_rand2 output argument [array content] |
-| test.cpp:13:2:13:15 | ChiTotal [post update] [array content] | test.cpp:13:2:13:15 | Chi [array content] |
-| test.cpp:13:2:13:15 | ChiTotal [post update] [array content] | test.cpp:30:13:30:14 | get_rand2 output argument [array content] |
-| test.cpp:13:10:13:13 | call to rand | test.cpp:13:2:13:15 | ChiTotal [post update] [array content] |
-| test.cpp:13:10:13:13 | call to rand | test.cpp:13:2:13:15 | ChiTotal [post update] [array content] |
+| test.cpp:13:10:13:13 | call to rand | test.cpp:13:2:13:15 | Chi [array content] |
+| test.cpp:13:10:13:13 | call to rand | test.cpp:13:2:13:15 | Chi [array content] |
 | test.cpp:18:2:18:14 | Chi [array content] | test.cpp:36:13:36:13 | get_rand3 output argument [array content] |
-| test.cpp:18:2:18:14 | ChiTotal [post update] [array content] | test.cpp:18:2:18:14 | Chi [array content] |
-| test.cpp:18:2:18:14 | ChiTotal [post update] [array content] | test.cpp:36:13:36:13 | get_rand3 output argument [array content] |
-| test.cpp:18:9:18:12 | call to rand | test.cpp:18:2:18:14 | ChiTotal [post update] [array content] |
-| test.cpp:18:9:18:12 | call to rand | test.cpp:18:2:18:14 | ChiTotal [post update] [array content] |
+| test.cpp:18:9:18:12 | call to rand | test.cpp:18:2:18:14 | Chi [array content] |
+| test.cpp:18:9:18:12 | call to rand | test.cpp:18:2:18:14 | Chi [array content] |
 | test.cpp:24:11:24:18 | call to get_rand | test.cpp:25:7:25:7 | r |
 | test.cpp:24:11:24:18 | call to get_rand | test.cpp:25:7:25:7 | r |
-| test.cpp:30:13:30:14 | get_rand2 output argument | test.cpp:31:7:31:7 | r |
-| test.cpp:30:13:30:14 | get_rand2 output argument | test.cpp:31:7:31:7 | r |
-| test.cpp:30:13:30:14 | get_rand2 output argument [array content] | test.cpp:30:13:30:14 | get_rand2 output argument |
-| test.cpp:36:13:36:13 | get_rand3 output argument | test.cpp:37:7:37:7 | r |
-| test.cpp:36:13:36:13 | get_rand3 output argument | test.cpp:37:7:37:7 | r |
-| test.cpp:36:13:36:13 | get_rand3 output argument [array content] | test.cpp:36:13:36:13 | get_rand3 output argument |
+| test.cpp:30:13:30:14 | Chi | test.cpp:31:7:31:7 | r |
+| test.cpp:30:13:30:14 | Chi | test.cpp:31:7:31:7 | r |
+| test.cpp:30:13:30:14 | get_rand2 output argument [array content] | test.cpp:30:13:30:14 | Chi |
+| test.cpp:36:13:36:13 | Chi | test.cpp:37:7:37:7 | r |
+| test.cpp:36:13:36:13 | Chi | test.cpp:37:7:37:7 | r |
+| test.cpp:36:13:36:13 | get_rand3 output argument [array content] | test.cpp:36:13:36:13 | Chi |
 nodes
 | test.c:18:13:18:16 | call to rand | semmle.label | call to rand |
 | test.c:18:13:18:16 | call to rand | semmle.label | call to rand |
@@ -114,24 +110,22 @@ nodes
 | test.cpp:8:9:8:12 | call to rand | semmle.label | call to rand |
 | test.cpp:13:2:13:15 | Chi [array content] | semmle.label | Chi [array content] |
 | test.cpp:13:2:13:15 | ChiPartial | semmle.label | ChiPartial |
-| test.cpp:13:2:13:15 | ChiTotal [post update] [array content] | semmle.label | ChiTotal [post update] [array content] |
 | test.cpp:13:10:13:13 | call to rand | semmle.label | call to rand |
 | test.cpp:13:10:13:13 | call to rand | semmle.label | call to rand |
 | test.cpp:18:2:18:14 | Chi [array content] | semmle.label | Chi [array content] |
 | test.cpp:18:2:18:14 | ChiPartial | semmle.label | ChiPartial |
-| test.cpp:18:2:18:14 | ChiTotal [post update] [array content] | semmle.label | ChiTotal [post update] [array content] |
 | test.cpp:18:9:18:12 | call to rand | semmle.label | call to rand |
 | test.cpp:18:9:18:12 | call to rand | semmle.label | call to rand |
 | test.cpp:24:11:24:18 | call to get_rand | semmle.label | call to get_rand |
 | test.cpp:25:7:25:7 | r | semmle.label | r |
 | test.cpp:25:7:25:7 | r | semmle.label | r |
 | test.cpp:25:7:25:7 | r | semmle.label | r |
-| test.cpp:30:13:30:14 | get_rand2 output argument | semmle.label | get_rand2 output argument |
+| test.cpp:30:13:30:14 | Chi | semmle.label | Chi |
 | test.cpp:30:13:30:14 | get_rand2 output argument [array content] | semmle.label | get_rand2 output argument [array content] |
 | test.cpp:31:7:31:7 | r | semmle.label | r |
 | test.cpp:31:7:31:7 | r | semmle.label | r |
 | test.cpp:31:7:31:7 | r | semmle.label | r |
-| test.cpp:36:13:36:13 | get_rand3 output argument | semmle.label | get_rand3 output argument |
+| test.cpp:36:13:36:13 | Chi | semmle.label | Chi |
 | test.cpp:36:13:36:13 | get_rand3 output argument [array content] | semmle.label | get_rand3 output argument [array content] |
 | test.cpp:37:7:37:7 | r | semmle.label | r |
 | test.cpp:37:7:37:7 | r | semmle.label | r |

From 691a316460622fbd4d9e2b2af42d0128b0a38687 Mon Sep 17 00:00:00 2001
From: Mathias Vorreiter Pedersen <mathiasvp@github.com>
Date: Wed, 3 Feb 2021 09:07:27 +0100
Subject: [PATCH 082/429] C++: Add tests to
 cpp/unsigned-difference-expression-compared-zero and remove a couple of
 classes of FPs.

---
 ...nsignedDifferenceExpressionComparedZero.ql | 19 ++++-
 ...dDifferenceExpressionComparedZero.expected | 10 +++
 ...gnedDifferenceExpressionComparedZero.qlref |  1 +
 .../test.cpp                                  | 77 +++++++++++++++++++
 4 files changed, 106 insertions(+), 1 deletion(-)
 create mode 100644 cpp/ql/test/experimental/query-tests/Security/CWE/CWE-191/UnsignedDifferenceExpressionComparedZero/UnsignedDifferenceExpressionComparedZero.expected
 create mode 100644 cpp/ql/test/experimental/query-tests/Security/CWE/CWE-191/UnsignedDifferenceExpressionComparedZero/UnsignedDifferenceExpressionComparedZero.qlref
 create mode 100644 cpp/ql/test/experimental/query-tests/Security/CWE/CWE-191/UnsignedDifferenceExpressionComparedZero/test.cpp

diff --git a/cpp/ql/src/experimental/Security/CWE/CWE-191/UnsignedDifferenceExpressionComparedZero.ql b/cpp/ql/src/experimental/Security/CWE/CWE-191/UnsignedDifferenceExpressionComparedZero.ql
index 300b2f944b5..7b110ec24db 100644
--- a/cpp/ql/src/experimental/Security/CWE/CWE-191/UnsignedDifferenceExpressionComparedZero.ql
+++ b/cpp/ql/src/experimental/Security/CWE/CWE-191/UnsignedDifferenceExpressionComparedZero.ql
@@ -13,11 +13,28 @@
 
 import cpp
 import semmle.code.cpp.commons.Exclusions
+import semmle.code.cpp.valuenumbering.GlobalValueNumbering
+import semmle.code.cpp.rangeanalysis.SimpleRangeAnalysis
+import semmle.code.cpp.controlflow.Guards
+
+/** Holds if `sub` will never be nonnegative. */
+predicate nonNegative(SubExpr sub) {
+  not exprMightOverflowNegatively(sub.getFullyConverted())
+  or
+  // The subtraction is guarded by a check of the form `left >= right`.
+  exists(GuardCondition guard, Expr left, Expr right |
+    left = globalValueNumber(sub.getLeftOperand()).getAnExpr() and
+    right = globalValueNumber(sub.getRightOperand()).getAnExpr() and
+    guard.controls(sub.getBasicBlock(), true) and
+    guard.ensuresLt(left, right, 0, sub.getBasicBlock(), false)
+  )
+}
 
 from RelationalOperation ro, SubExpr sub
 where
   not isFromMacroDefinition(ro) and
   ro.getLesserOperand().getValue().toInt() = 0 and
   ro.getGreaterOperand() = sub and
-  sub.getFullyConverted().getUnspecifiedType().(IntegralType).isUnsigned()
+  sub.getFullyConverted().getUnspecifiedType().(IntegralType).isUnsigned() and
+  not nonNegative(sub)
 select ro, "Difference in condition is always greater than or equal to zero"
diff --git a/cpp/ql/test/experimental/query-tests/Security/CWE/CWE-191/UnsignedDifferenceExpressionComparedZero/UnsignedDifferenceExpressionComparedZero.expected b/cpp/ql/test/experimental/query-tests/Security/CWE/CWE-191/UnsignedDifferenceExpressionComparedZero/UnsignedDifferenceExpressionComparedZero.expected
new file mode 100644
index 00000000000..6e1b80a4c8c
--- /dev/null
+++ b/cpp/ql/test/experimental/query-tests/Security/CWE/CWE-191/UnsignedDifferenceExpressionComparedZero/UnsignedDifferenceExpressionComparedZero.expected
@@ -0,0 +1,10 @@
+| test.cpp:6:5:6:13 | ... > ... | Difference in condition is always greater than or equal to zero |
+| test.cpp:10:8:10:24 | ... > ... | Difference in condition is always greater than or equal to zero |
+| test.cpp:15:9:15:25 | ... > ... | Difference in condition is always greater than or equal to zero |
+| test.cpp:32:12:32:20 | ... > ... | Difference in condition is always greater than or equal to zero |
+| test.cpp:39:12:39:20 | ... > ... | Difference in condition is always greater than or equal to zero |
+| test.cpp:47:5:47:13 | ... > ... | Difference in condition is always greater than or equal to zero |
+| test.cpp:55:5:55:13 | ... > ... | Difference in condition is always greater than or equal to zero |
+| test.cpp:62:5:62:13 | ... > ... | Difference in condition is always greater than or equal to zero |
+| test.cpp:69:5:69:13 | ... > ... | Difference in condition is always greater than or equal to zero |
+| test.cpp:75:8:75:16 | ... > ... | Difference in condition is always greater than or equal to zero |
diff --git a/cpp/ql/test/experimental/query-tests/Security/CWE/CWE-191/UnsignedDifferenceExpressionComparedZero/UnsignedDifferenceExpressionComparedZero.qlref b/cpp/ql/test/experimental/query-tests/Security/CWE/CWE-191/UnsignedDifferenceExpressionComparedZero/UnsignedDifferenceExpressionComparedZero.qlref
new file mode 100644
index 00000000000..2d15983a540
--- /dev/null
+++ b/cpp/ql/test/experimental/query-tests/Security/CWE/CWE-191/UnsignedDifferenceExpressionComparedZero/UnsignedDifferenceExpressionComparedZero.qlref
@@ -0,0 +1 @@
+experimental/Security/CWE/CWE-191/UnsignedDifferenceExpressionComparedZero.ql
diff --git a/cpp/ql/test/experimental/query-tests/Security/CWE/CWE-191/UnsignedDifferenceExpressionComparedZero/test.cpp b/cpp/ql/test/experimental/query-tests/Security/CWE/CWE-191/UnsignedDifferenceExpressionComparedZero/test.cpp
new file mode 100644
index 00000000000..11de69e8c62
--- /dev/null
+++ b/cpp/ql/test/experimental/query-tests/Security/CWE/CWE-191/UnsignedDifferenceExpressionComparedZero/test.cpp
@@ -0,0 +1,77 @@
+int getAnInt();
+
+bool cond();
+
+void test(unsigned x, unsigned y, bool unknown) {
+	if(x - y > 0) { } // BAD
+
+	unsigned total = getAnInt();
+	unsigned limit = getAnInt();
+	while(limit - total > 0) { // BAD
+		total += getAnInt();
+	}
+
+	if(total <= limit) {
+		while(limit - total > 0) { // GOOD [FALSE POSITIVE]
+			total += getAnInt();
+			if(total > limit) break;
+		}
+	}
+
+	if(x >= y) {
+		bool b = x - y > 0; // GOOD
+	}
+
+	if((int)(x - y) >= 0) { } // GOOD. Maybe an overflow happened, but the result is converted to the "likely intended" result before the comparison
+
+	if(unknown) {
+		y = x & 0xFF;
+	} else {
+		y = x;
+	}
+	bool b1 = x - y > 0; // GOOD [FALSE POSITIVE]
+
+	x = getAnInt();
+	y = getAnInt();
+	if(y > x) {
+		y = x - 1;
+	}
+	bool b2 = x - y > 0; // GOOD [FALSE POSITIVE]
+
+	int N = getAnInt();
+	y = x;
+	while(cond()) {
+		if(unknown) { y--; }
+	}
+	
+	if(x - y > 0) { } // GOOD [FALSE POSITIVE]
+
+	x = y;
+	while(cond()) {
+		if(unknown) break;
+		y--;
+	}
+
+	if(x - y > 0) { } // GOOD [FALSE POSITIVE]
+
+	y = 0;
+	for(int i = 0; i < x; ++i) {
+		if(unknown) { ++y; }
+	}
+
+	if(x - y > 0) { } // GOOD [FALSE POSITIVE]
+
+	x = y;
+	while(cond()) {
+		if(unknown) { x++; }
+	}
+
+	if(x - y > 0) { } // GOOD [FALSE POSITIVE]
+
+	int n = getAnInt();
+	if (n > x - y) { n = x - y; }
+	if (n > 0) {
+  	y += n; // NOTE: `n` is at most `x - y` at this point.
+  	if (x - y > 0) {} // GOOD [FALSE POSITIVE]
+	}
+}
\ No newline at end of file

From 12ee49748545effc470898a36101b2caf3882973 Mon Sep 17 00:00:00 2001
From: CaptainFreak <patelshoeb4@gmail.com>
Date: Wed, 3 Feb 2021 15:48:02 +0530
Subject: [PATCH 083/429] move query to src, rename and refactor

---
 .../CWE-073/TemplateObjectInjection.ql}       | 21 +++++++------------
 .../TemplateObjectInjection.js}               |  0
 .../TemplateObjectInjection_fixed.js}         |  0
 3 files changed, 8 insertions(+), 13 deletions(-)
 rename javascript/ql/{test/experimental/Security/CWE-073/ExpressHbsLFR.ql => src/experimental/Security/CWE-073/TemplateObjectInjection.ql} (55%)
 rename javascript/ql/{test/experimental/Security/CWE-073/documentation-examples/ExpressHbsLFR.js => src/experimental/Security/CWE-073/documentation-examples/TemplateObjectInjection.js} (100%)
 rename javascript/ql/{test/experimental/Security/CWE-073/documentation-examples/ExpressHbsLFR_fixed.js => src/experimental/Security/CWE-073/documentation-examples/TemplateObjectInjection_fixed.js} (100%)

diff --git a/javascript/ql/test/experimental/Security/CWE-073/ExpressHbsLFR.ql b/javascript/ql/src/experimental/Security/CWE-073/TemplateObjectInjection.ql
similarity index 55%
rename from javascript/ql/test/experimental/Security/CWE-073/ExpressHbsLFR.ql
rename to javascript/ql/src/experimental/Security/CWE-073/TemplateObjectInjection.ql
index de66932a7af..b1074ab618f 100644
--- a/javascript/ql/test/experimental/Security/CWE-073/ExpressHbsLFR.ql
+++ b/javascript/ql/src/experimental/Security/CWE-073/TemplateObjectInjection.ql
@@ -1,10 +1,10 @@
 /**
- * @name Express-Hbs Local File Read and Potential RCE
- * @description Writing user input directly to res.render of ExpressJS used with Hbs can lead to LFR
+ * @name Template Object Injection
+ * @description Instantiating a template using a user-controlled object is vulnerable to local file read and potential remote code execution.
  * @kind path-problem
  * @problem.severity error
  * @precision high
- * @id js/express-hbs-lfr
+ * @id js/template-object-injection
  * @tags security
  *       external/cwe/cwe-073
  *       external/cwe/cwe-094
@@ -13,15 +13,9 @@
 import javascript
 import DataFlow
 import PathGraph
-import Express
-import semmle.javascript.DynamicPropertyAccess
 
 predicate isUsingHbsEngine() {
-  exists(MethodCallExpr method |
-    method.getMethodName() = "set" and
-    Express::appCreation().flowsToExpr(method.getReceiver()) and
-    method.getArgument(1).getStringValue().matches("hbs")
-  )
+  Express::appCreation().getAMethodCall("set").getArgument(1).mayHaveStringValue("hbs")
 }
 
 class HbsLFRTaint extends TaintTracking::Configuration {
@@ -39,6 +33,7 @@ class HbsLFRTaint extends TaintTracking::Configuration {
   }
 }
 
-from HbsLFRTaint cfg, Node source, Node sink
-where cfg.hasFlow(source, sink)
-select source, sink
+from HbsLFRTaint cfg, PathNode source, PathNode sink
+where cfg.hasFlowPath(source, sink)
+select sink.getNode(), source, sink, "Template object injection due to $@.", source.getNode(),
+  "user-provided value"
diff --git a/javascript/ql/test/experimental/Security/CWE-073/documentation-examples/ExpressHbsLFR.js b/javascript/ql/src/experimental/Security/CWE-073/documentation-examples/TemplateObjectInjection.js
similarity index 100%
rename from javascript/ql/test/experimental/Security/CWE-073/documentation-examples/ExpressHbsLFR.js
rename to javascript/ql/src/experimental/Security/CWE-073/documentation-examples/TemplateObjectInjection.js
diff --git a/javascript/ql/test/experimental/Security/CWE-073/documentation-examples/ExpressHbsLFR_fixed.js b/javascript/ql/src/experimental/Security/CWE-073/documentation-examples/TemplateObjectInjection_fixed.js
similarity index 100%
rename from javascript/ql/test/experimental/Security/CWE-073/documentation-examples/ExpressHbsLFR_fixed.js
rename to javascript/ql/src/experimental/Security/CWE-073/documentation-examples/TemplateObjectInjection_fixed.js

From c6a22844e2e781f766ebe747f89e701b966f67c3 Mon Sep 17 00:00:00 2001
From: Erik Krogh Kristensen <erik-krogh@github.com>
Date: Wed, 3 Feb 2021 12:16:57 +0100
Subject: [PATCH 084/429] add test for `js/template-object-injection`

---
 .../CWE-073/TemplateObjectInjection.expected  | 37 +++++++++++++++++++
 .../CWE-073/TemplateObjectInjection.qlref     |  1 +
 .../test/experimental/Security/CWE-073/tst.js | 17 +++++++++
 3 files changed, 55 insertions(+)
 create mode 100644 javascript/ql/test/experimental/Security/CWE-073/TemplateObjectInjection.expected
 create mode 100644 javascript/ql/test/experimental/Security/CWE-073/TemplateObjectInjection.qlref
 create mode 100644 javascript/ql/test/experimental/Security/CWE-073/tst.js

diff --git a/javascript/ql/test/experimental/Security/CWE-073/TemplateObjectInjection.expected b/javascript/ql/test/experimental/Security/CWE-073/TemplateObjectInjection.expected
new file mode 100644
index 00000000000..455498d5d58
--- /dev/null
+++ b/javascript/ql/test/experimental/Security/CWE-073/TemplateObjectInjection.expected
@@ -0,0 +1,37 @@
+nodes
+| tst.js:5:9:5:46 | bodyParameter |
+| tst.js:5:25:5:32 | req.body |
+| tst.js:5:25:5:32 | req.body |
+| tst.js:5:25:5:46 | req.bod ... rameter |
+| tst.js:6:9:6:49 | queryParameter |
+| tst.js:6:26:6:49 | req.que ... rameter |
+| tst.js:6:26:6:49 | req.que ... rameter |
+| tst.js:8:28:8:40 | bodyParameter |
+| tst.js:8:28:8:40 | bodyParameter |
+| tst.js:9:28:9:41 | queryParameter |
+| tst.js:9:28:9:41 | queryParameter |
+| tst.js:12:32:12:44 | bodyParameter |
+| tst.js:12:32:12:44 | bodyParameter |
+| tst.js:14:28:14:41 | queryParameter |
+| tst.js:14:28:14:46 | queryParameter + "" |
+| tst.js:14:28:14:46 | queryParameter + "" |
+edges
+| tst.js:5:9:5:46 | bodyParameter | tst.js:8:28:8:40 | bodyParameter |
+| tst.js:5:9:5:46 | bodyParameter | tst.js:8:28:8:40 | bodyParameter |
+| tst.js:5:9:5:46 | bodyParameter | tst.js:12:32:12:44 | bodyParameter |
+| tst.js:5:9:5:46 | bodyParameter | tst.js:12:32:12:44 | bodyParameter |
+| tst.js:5:25:5:32 | req.body | tst.js:5:25:5:46 | req.bod ... rameter |
+| tst.js:5:25:5:32 | req.body | tst.js:5:25:5:46 | req.bod ... rameter |
+| tst.js:5:25:5:46 | req.bod ... rameter | tst.js:5:9:5:46 | bodyParameter |
+| tst.js:6:9:6:49 | queryParameter | tst.js:9:28:9:41 | queryParameter |
+| tst.js:6:9:6:49 | queryParameter | tst.js:9:28:9:41 | queryParameter |
+| tst.js:6:9:6:49 | queryParameter | tst.js:14:28:14:41 | queryParameter |
+| tst.js:6:26:6:49 | req.que ... rameter | tst.js:6:9:6:49 | queryParameter |
+| tst.js:6:26:6:49 | req.que ... rameter | tst.js:6:9:6:49 | queryParameter |
+| tst.js:14:28:14:41 | queryParameter | tst.js:14:28:14:46 | queryParameter + "" |
+| tst.js:14:28:14:41 | queryParameter | tst.js:14:28:14:46 | queryParameter + "" |
+#select
+| tst.js:8:28:8:40 | bodyParameter | tst.js:5:25:5:32 | req.body | tst.js:8:28:8:40 | bodyParameter | Template object injection due to $@. | tst.js:5:25:5:32 | req.body | user-provided value |
+| tst.js:9:28:9:41 | queryParameter | tst.js:6:26:6:49 | req.que ... rameter | tst.js:9:28:9:41 | queryParameter | Template object injection due to $@. | tst.js:6:26:6:49 | req.que ... rameter | user-provided value |
+| tst.js:12:32:12:44 | bodyParameter | tst.js:5:25:5:32 | req.body | tst.js:12:32:12:44 | bodyParameter | Template object injection due to $@. | tst.js:5:25:5:32 | req.body | user-provided value |
+| tst.js:14:28:14:46 | queryParameter + "" | tst.js:6:26:6:49 | req.que ... rameter | tst.js:14:28:14:46 | queryParameter + "" | Template object injection due to $@. | tst.js:6:26:6:49 | req.que ... rameter | user-provided value |
diff --git a/javascript/ql/test/experimental/Security/CWE-073/TemplateObjectInjection.qlref b/javascript/ql/test/experimental/Security/CWE-073/TemplateObjectInjection.qlref
new file mode 100644
index 00000000000..4fcdae0f812
--- /dev/null
+++ b/javascript/ql/test/experimental/Security/CWE-073/TemplateObjectInjection.qlref
@@ -0,0 +1 @@
+experimental/Security/CWE-073/TemplateObjectInjection.ql
diff --git a/javascript/ql/test/experimental/Security/CWE-073/tst.js b/javascript/ql/test/experimental/Security/CWE-073/tst.js
new file mode 100644
index 00000000000..b42ccea740a
--- /dev/null
+++ b/javascript/ql/test/experimental/Security/CWE-073/tst.js
@@ -0,0 +1,17 @@
+var app = require('express')();
+app.set('view engine', 'hbs');
+
+app.post('/path', function(req, res) {
+    var bodyParameter = req.body.bodyParameter;
+    var queryParameter = req.query.queryParameter;
+
+    res.render('template', bodyParameter); // NOT OK
+    res.render('template', queryParameter); // NOT OK
+
+    if (typeof bodyParameter === "string") {
+        res.render('template', bodyParameter); // OK - but still flagged [INCONSISTENCY]
+    }
+    res.render('template', queryParameter + ""); // OK - but still flagged [INCONSISTENCY]
+
+    res.render('template', {profile: bodyParameter}); // OK
+}); 
\ No newline at end of file

From a5bde53bfe28df903ab846e2b51f8b4407b7d70d Mon Sep 17 00:00:00 2001
From: Erik Krogh Kristensen <erik-krogh@github.com>
Date: Wed, 3 Feb 2021 12:26:37 +0100
Subject: [PATCH 085/429] use the TaintedObject library in
 `js/template-object-injection`

---
 .../CWE-073/TemplateObjectInjection.ql        | 27 +++++++++---
 .../CWE-073/TemplateObjectInjection.expected  | 42 +++++++++++++------
 .../test/experimental/Security/CWE-073/tst.js | 17 ++++++--
 3 files changed, 65 insertions(+), 21 deletions(-)

diff --git a/javascript/ql/src/experimental/Security/CWE-073/TemplateObjectInjection.ql b/javascript/ql/src/experimental/Security/CWE-073/TemplateObjectInjection.ql
index b1074ab618f..583255dfeb4 100644
--- a/javascript/ql/src/experimental/Security/CWE-073/TemplateObjectInjection.ql
+++ b/javascript/ql/src/experimental/Security/CWE-073/TemplateObjectInjection.ql
@@ -11,8 +11,8 @@
  */
 
 import javascript
-import DataFlow
-import PathGraph
+import DataFlow::PathGraph
+import semmle.javascript.security.TaintedObject
 
 predicate isUsingHbsEngine() {
   Express::appCreation().getAMethodCall("set").getArgument(1).mayHaveStringValue("hbs")
@@ -21,19 +21,34 @@ predicate isUsingHbsEngine() {
 class HbsLFRTaint extends TaintTracking::Configuration {
   HbsLFRTaint() { this = "HbsLFRTaint" }
 
-  override predicate isSource(Node node) { node instanceof RemoteFlowSource }
+  override predicate isSource(DataFlow::Node source) { source instanceof RemoteFlowSource }
 
-  override predicate isSink(Node node) {
+  override predicate isSource(DataFlow::Node source, DataFlow::FlowLabel label) {
+    TaintedObject::isSource(source, label)
+  }
+
+  override predicate isSink(DataFlow::Node sink, DataFlow::FlowLabel label) {
+    label = TaintedObject::label() and
     exists(MethodCallExpr mc |
       Express::isResponse(mc.getReceiver()) and
       mc.getMethodName() = "render" and
-      node.asExpr() = mc.getArgument(1) and
+      sink.asExpr() = mc.getArgument(1) and
       isUsingHbsEngine()
     )
   }
+
+  override predicate isSanitizerGuard(TaintTracking::SanitizerGuardNode guard) {
+    guard instanceof TaintedObject::SanitizerGuard
+  }
+
+  override predicate isAdditionalFlowStep(
+    DataFlow::Node src, DataFlow::Node trg, DataFlow::FlowLabel inlbl, DataFlow::FlowLabel outlbl
+  ) {
+    TaintedObject::step(src, trg, inlbl, outlbl)
+  }
 }
 
-from HbsLFRTaint cfg, PathNode source, PathNode sink
+from HbsLFRTaint cfg, DataFlow::PathNode source, DataFlow::PathNode sink
 where cfg.hasFlowPath(source, sink)
 select sink.getNode(), source, sink, "Template object injection due to $@.", source.getNode(),
   "user-provided value"
diff --git a/javascript/ql/test/experimental/Security/CWE-073/TemplateObjectInjection.expected b/javascript/ql/test/experimental/Security/CWE-073/TemplateObjectInjection.expected
index 455498d5d58..f8dc8d8f47d 100644
--- a/javascript/ql/test/experimental/Security/CWE-073/TemplateObjectInjection.expected
+++ b/javascript/ql/test/experimental/Security/CWE-073/TemplateObjectInjection.expected
@@ -4,34 +4,52 @@ nodes
 | tst.js:5:25:5:32 | req.body |
 | tst.js:5:25:5:46 | req.bod ... rameter |
 | tst.js:6:9:6:49 | queryParameter |
+| tst.js:6:9:6:49 | queryParameter |
+| tst.js:6:26:6:49 | req.que ... rameter |
 | tst.js:6:26:6:49 | req.que ... rameter |
 | tst.js:6:26:6:49 | req.que ... rameter |
 | tst.js:8:28:8:40 | bodyParameter |
 | tst.js:8:28:8:40 | bodyParameter |
 | tst.js:9:28:9:41 | queryParameter |
 | tst.js:9:28:9:41 | queryParameter |
-| tst.js:12:32:12:44 | bodyParameter |
-| tst.js:12:32:12:44 | bodyParameter |
-| tst.js:14:28:14:41 | queryParameter |
-| tst.js:14:28:14:46 | queryParameter + "" |
-| tst.js:14:28:14:46 | queryParameter + "" |
+| tst.js:18:19:18:32 | queryParameter |
+| tst.js:18:19:18:32 | queryParameter |
+| tst.js:21:24:21:26 | obj |
+| tst.js:21:24:21:26 | obj |
+| tst.js:22:28:22:30 | obj |
+| tst.js:22:28:22:30 | obj |
+| tst.js:24:11:24:24 | str |
+| tst.js:24:17:24:19 | obj |
+| tst.js:24:17:24:24 | obj + "" |
+| tst.js:27:28:27:42 | JSON.parse(str) |
+| tst.js:27:28:27:42 | JSON.parse(str) |
+| tst.js:27:39:27:41 | str |
 edges
 | tst.js:5:9:5:46 | bodyParameter | tst.js:8:28:8:40 | bodyParameter |
 | tst.js:5:9:5:46 | bodyParameter | tst.js:8:28:8:40 | bodyParameter |
-| tst.js:5:9:5:46 | bodyParameter | tst.js:12:32:12:44 | bodyParameter |
-| tst.js:5:9:5:46 | bodyParameter | tst.js:12:32:12:44 | bodyParameter |
 | tst.js:5:25:5:32 | req.body | tst.js:5:25:5:46 | req.bod ... rameter |
 | tst.js:5:25:5:32 | req.body | tst.js:5:25:5:46 | req.bod ... rameter |
 | tst.js:5:25:5:46 | req.bod ... rameter | tst.js:5:9:5:46 | bodyParameter |
 | tst.js:6:9:6:49 | queryParameter | tst.js:9:28:9:41 | queryParameter |
 | tst.js:6:9:6:49 | queryParameter | tst.js:9:28:9:41 | queryParameter |
-| tst.js:6:9:6:49 | queryParameter | tst.js:14:28:14:41 | queryParameter |
+| tst.js:6:9:6:49 | queryParameter | tst.js:18:19:18:32 | queryParameter |
+| tst.js:6:9:6:49 | queryParameter | tst.js:18:19:18:32 | queryParameter |
 | tst.js:6:26:6:49 | req.que ... rameter | tst.js:6:9:6:49 | queryParameter |
 | tst.js:6:26:6:49 | req.que ... rameter | tst.js:6:9:6:49 | queryParameter |
-| tst.js:14:28:14:41 | queryParameter | tst.js:14:28:14:46 | queryParameter + "" |
-| tst.js:14:28:14:41 | queryParameter | tst.js:14:28:14:46 | queryParameter + "" |
+| tst.js:6:26:6:49 | req.que ... rameter | tst.js:6:9:6:49 | queryParameter |
+| tst.js:6:26:6:49 | req.que ... rameter | tst.js:6:9:6:49 | queryParameter |
+| tst.js:18:19:18:32 | queryParameter | tst.js:21:24:21:26 | obj |
+| tst.js:18:19:18:32 | queryParameter | tst.js:21:24:21:26 | obj |
+| tst.js:21:24:21:26 | obj | tst.js:22:28:22:30 | obj |
+| tst.js:21:24:21:26 | obj | tst.js:22:28:22:30 | obj |
+| tst.js:21:24:21:26 | obj | tst.js:24:17:24:19 | obj |
+| tst.js:24:11:24:24 | str | tst.js:27:39:27:41 | str |
+| tst.js:24:17:24:19 | obj | tst.js:24:17:24:24 | obj + "" |
+| tst.js:24:17:24:24 | obj + "" | tst.js:24:11:24:24 | str |
+| tst.js:27:39:27:41 | str | tst.js:27:28:27:42 | JSON.parse(str) |
+| tst.js:27:39:27:41 | str | tst.js:27:28:27:42 | JSON.parse(str) |
 #select
 | tst.js:8:28:8:40 | bodyParameter | tst.js:5:25:5:32 | req.body | tst.js:8:28:8:40 | bodyParameter | Template object injection due to $@. | tst.js:5:25:5:32 | req.body | user-provided value |
 | tst.js:9:28:9:41 | queryParameter | tst.js:6:26:6:49 | req.que ... rameter | tst.js:9:28:9:41 | queryParameter | Template object injection due to $@. | tst.js:6:26:6:49 | req.que ... rameter | user-provided value |
-| tst.js:12:32:12:44 | bodyParameter | tst.js:5:25:5:32 | req.body | tst.js:12:32:12:44 | bodyParameter | Template object injection due to $@. | tst.js:5:25:5:32 | req.body | user-provided value |
-| tst.js:14:28:14:46 | queryParameter + "" | tst.js:6:26:6:49 | req.que ... rameter | tst.js:14:28:14:46 | queryParameter + "" | Template object injection due to $@. | tst.js:6:26:6:49 | req.que ... rameter | user-provided value |
+| tst.js:22:28:22:30 | obj | tst.js:6:26:6:49 | req.que ... rameter | tst.js:22:28:22:30 | obj | Template object injection due to $@. | tst.js:6:26:6:49 | req.que ... rameter | user-provided value |
+| tst.js:27:28:27:42 | JSON.parse(str) | tst.js:6:26:6:49 | req.que ... rameter | tst.js:27:28:27:42 | JSON.parse(str) | Template object injection due to $@. | tst.js:6:26:6:49 | req.que ... rameter | user-provided value |
diff --git a/javascript/ql/test/experimental/Security/CWE-073/tst.js b/javascript/ql/test/experimental/Security/CWE-073/tst.js
index b42ccea740a..9ff93d14cb5 100644
--- a/javascript/ql/test/experimental/Security/CWE-073/tst.js
+++ b/javascript/ql/test/experimental/Security/CWE-073/tst.js
@@ -9,9 +9,20 @@ app.post('/path', function(req, res) {
     res.render('template', queryParameter); // NOT OK
 
     if (typeof bodyParameter === "string") {
-        res.render('template', bodyParameter); // OK - but still flagged [INCONSISTENCY]
+        res.render('template', bodyParameter); // OK
     }
-    res.render('template', queryParameter + ""); // OK - but still flagged [INCONSISTENCY]
+    res.render('template', queryParameter + ""); // OK
 
     res.render('template', {profile: bodyParameter}); // OK
-}); 
\ No newline at end of file
+
+    indirect(res, queryParameter);
+}); 
+
+function indirect(res, obj) {
+    res.render("template", obj); // NOT OK
+
+    const str = obj + "";
+    res.render("template", str); // OK 
+
+    res.render("template", JSON.parse(str)); // NOT OK
+}
\ No newline at end of file

From d016ba225286fd828c36833cbf6c35c861b6c5c6 Mon Sep 17 00:00:00 2001
From: Erik Krogh Kristensen <erik-krogh@github.com>
Date: Wed, 3 Feb 2021 12:29:23 +0100
Subject: [PATCH 086/429] rename name dataflow configuration in
 `js/template-object-injection`

---
 .../Security/CWE-073/TemplateObjectInjection.ql             | 6 +++---
 1 file changed, 3 insertions(+), 3 deletions(-)

diff --git a/javascript/ql/src/experimental/Security/CWE-073/TemplateObjectInjection.ql b/javascript/ql/src/experimental/Security/CWE-073/TemplateObjectInjection.ql
index 583255dfeb4..8c5c19e6096 100644
--- a/javascript/ql/src/experimental/Security/CWE-073/TemplateObjectInjection.ql
+++ b/javascript/ql/src/experimental/Security/CWE-073/TemplateObjectInjection.ql
@@ -18,8 +18,8 @@ predicate isUsingHbsEngine() {
   Express::appCreation().getAMethodCall("set").getArgument(1).mayHaveStringValue("hbs")
 }
 
-class HbsLFRTaint extends TaintTracking::Configuration {
-  HbsLFRTaint() { this = "HbsLFRTaint" }
+class TemplateObjInjectionConfig extends TaintTracking::Configuration {
+  TemplateObjInjectionConfig() { this = "TemplateObjInjectionConfig" }
 
   override predicate isSource(DataFlow::Node source) { source instanceof RemoteFlowSource }
 
@@ -48,7 +48,7 @@ class HbsLFRTaint extends TaintTracking::Configuration {
   }
 }
 
-from HbsLFRTaint cfg, DataFlow::PathNode source, DataFlow::PathNode sink
+from DataFlow::Configuration cfg, DataFlow::PathNode source, DataFlow::PathNode sink
 where cfg.hasFlowPath(source, sink)
 select sink.getNode(), source, sink, "Template object injection due to $@.", source.getNode(),
   "user-provided value"

From 2ace10fcdfb54ee3fe7f93a5cdddfd99aedfa534 Mon Sep 17 00:00:00 2001
From: luchua-bc <shengxin.canada@gmail.com>
Date: Wed, 3 Feb 2021 12:21:31 +0000
Subject: [PATCH 087/429] Use PostUpdateNode for wrapper method calls

---
 .../Security/CWE/CWE-522/InsecureLdapAuth.ql  |  9 +++--
 .../CWE-522/InsecureLdapAuth.expected         | 36 +++++++++----------
 2 files changed, 23 insertions(+), 22 deletions(-)

diff --git a/java/ql/src/experimental/Security/CWE/CWE-522/InsecureLdapAuth.ql b/java/ql/src/experimental/Security/CWE/CWE-522/InsecureLdapAuth.ql
index b6e7b5ed702..8411a128c9c 100644
--- a/java/ql/src/experimental/Security/CWE/CWE-522/InsecureLdapAuth.ql
+++ b/java/ql/src/experimental/Security/CWE/CWE-522/InsecureLdapAuth.ql
@@ -9,6 +9,7 @@
  */
 
 import java
+import DataFlow
 import semmle.code.java.frameworks.Jndi
 import semmle.code.java.frameworks.Networking
 import semmle.code.java.dataflow.TaintTracking
@@ -167,7 +168,9 @@ class BasicAuthFlowConfig extends DataFlow::Configuration {
 
   /** Source of `simple` configuration. */
   override predicate isSource(DataFlow::Node src) {
-    exists(MethodAccess ma | isBasicAuthEnv(ma) and ma.getQualifier() = src.asExpr())
+    exists(MethodAccess ma |
+      isBasicAuthEnv(ma) and ma.getQualifier() = src.(PostUpdateNode).getPreUpdateNode().asExpr()
+    )
   }
 
   /** Sink of directory context creation. */
@@ -187,7 +190,9 @@ class SSLFlowConfig extends DataFlow::Configuration {
 
   /** Source of `ssl` configuration. */
   override predicate isSource(DataFlow::Node src) {
-    exists(MethodAccess ma | isSSLEnv(ma) and ma.getQualifier() = src.asExpr())
+    exists(MethodAccess ma |
+      isSSLEnv(ma) and ma.getQualifier() = src.(PostUpdateNode).getPreUpdateNode().asExpr()
+    )
   }
 
   /** Sink of directory context creation. */
diff --git a/java/ql/test/experimental/query-tests/security/CWE-522/InsecureLdapAuth.expected b/java/ql/test/experimental/query-tests/security/CWE-522/InsecureLdapAuth.expected
index 1af36e67d05..863e8e55dcf 100644
--- a/java/ql/test/experimental/query-tests/security/CWE-522/InsecureLdapAuth.expected
+++ b/java/ql/test/experimental/query-tests/security/CWE-522/InsecureLdapAuth.expected
@@ -1,23 +1,21 @@
 edges
 | InsecureLdapAuth.java:11:20:11:50 | "ldap://ad.your-server.com:389" : String | InsecureLdapAuth.java:20:49:20:59 | environment |
-| InsecureLdapAuth.java:17:52:17:59 | "simple" : String | InsecureLdapAuth.java:20:49:20:59 | environment |
+| InsecureLdapAuth.java:17:3:17:13 | environment [post update] : Hashtable | InsecureLdapAuth.java:20:49:20:59 | environment |
 | InsecureLdapAuth.java:25:20:25:39 | ... + ... : String | InsecureLdapAuth.java:34:49:34:59 | environment |
-| InsecureLdapAuth.java:31:52:31:59 | "simple" : String | InsecureLdapAuth.java:34:49:34:59 | environment |
-| InsecureLdapAuth.java:45:52:45:59 | "simple" : String | InsecureLdapAuth.java:48:49:48:59 | environment |
+| InsecureLdapAuth.java:31:3:31:13 | environment [post update] : Hashtable | InsecureLdapAuth.java:34:49:34:59 | environment |
+| InsecureLdapAuth.java:45:3:45:13 | environment [post update] : Hashtable | InsecureLdapAuth.java:48:49:48:59 | environment |
 | InsecureLdapAuth.java:53:20:53:50 | "ldap://ad.your-server.com:636" : String | InsecureLdapAuth.java:63:49:63:59 | environment |
-| InsecureLdapAuth.java:59:52:59:59 | "simple" : String | InsecureLdapAuth.java:63:49:63:59 | environment |
-| InsecureLdapAuth.java:62:46:62:50 | "ssl" : String | InsecureLdapAuth.java:63:49:63:59 | environment |
+| InsecureLdapAuth.java:59:3:59:13 | environment [post update] : Hashtable | InsecureLdapAuth.java:63:49:63:59 | environment |
+| InsecureLdapAuth.java:62:3:62:13 | environment [post update] : Hashtable | InsecureLdapAuth.java:63:49:63:59 | environment |
 | InsecureLdapAuth.java:68:20:68:50 | "ldap://ad.your-server.com:389" : String | InsecureLdapAuth.java:77:49:77:59 | environment |
-| InsecureLdapAuth.java:88:52:88:59 | "simple" : String | InsecureLdapAuth.java:91:49:91:59 | environment |
+| InsecureLdapAuth.java:88:3:88:13 | environment [post update] : Hashtable | InsecureLdapAuth.java:91:49:91:59 | environment |
 | InsecureLdapAuth.java:96:20:96:50 | "ldap://ad.your-server.com:389" : String | InsecureLdapAuth.java:105:59:105:69 | environment |
-| InsecureLdapAuth.java:102:52:102:59 | "simple" : String | InsecureLdapAuth.java:105:59:105:69 | environment |
+| InsecureLdapAuth.java:102:3:102:13 | environment [post update] : Hashtable | InsecureLdapAuth.java:105:59:105:69 | environment |
 | InsecureLdapAuth.java:111:20:111:50 | "ldap://ad.your-server.com:389" : String | InsecureLdapAuth.java:120:49:120:59 | environment |
-| InsecureLdapAuth.java:117:58:117:65 | "simple" : String | InsecureLdapAuth.java:120:49:120:59 | environment |
+| InsecureLdapAuth.java:117:3:117:13 | environment [post update] : Hashtable | InsecureLdapAuth.java:120:49:120:59 | environment |
 | InsecureLdapAuth.java:124:3:124:5 | env [post update] : Hashtable | InsecureLdapAuth.java:137:10:137:20 | environment [post update] : Hashtable |
-| InsecureLdapAuth.java:124:38:124:42 | "ssl" : String | InsecureLdapAuth.java:124:3:124:5 | env [post update] : Hashtable |
 | InsecureLdapAuth.java:128:3:128:5 | env [post update] : Hashtable | InsecureLdapAuth.java:141:16:141:26 | environment [post update] : Hashtable |
 | InsecureLdapAuth.java:128:3:128:5 | env [post update] : Hashtable | InsecureLdapAuth.java:152:16:152:26 | environment [post update] : Hashtable |
-| InsecureLdapAuth.java:128:44:128:51 | "simple" : String | InsecureLdapAuth.java:128:3:128:5 | env [post update] : Hashtable |
 | InsecureLdapAuth.java:135:20:135:39 | ... + ... : String | InsecureLdapAuth.java:142:50:142:60 | environment |
 | InsecureLdapAuth.java:137:10:137:20 | environment [post update] : Hashtable | InsecureLdapAuth.java:142:50:142:60 | environment |
 | InsecureLdapAuth.java:141:16:141:26 | environment [post update] : Hashtable | InsecureLdapAuth.java:142:50:142:60 | environment |
@@ -25,37 +23,35 @@ edges
 | InsecureLdapAuth.java:152:16:152:26 | environment [post update] : Hashtable | InsecureLdapAuth.java:153:50:153:60 | environment |
 nodes
 | InsecureLdapAuth.java:11:20:11:50 | "ldap://ad.your-server.com:389" : String | semmle.label | "ldap://ad.your-server.com:389" : String |
-| InsecureLdapAuth.java:17:52:17:59 | "simple" : String | semmle.label | "simple" : String |
+| InsecureLdapAuth.java:17:3:17:13 | environment [post update] : Hashtable | semmle.label | environment [post update] : Hashtable |
 | InsecureLdapAuth.java:20:49:20:59 | environment | semmle.label | environment |
 | InsecureLdapAuth.java:20:49:20:59 | environment | semmle.label | environment |
 | InsecureLdapAuth.java:25:20:25:39 | ... + ... : String | semmle.label | ... + ... : String |
-| InsecureLdapAuth.java:31:52:31:59 | "simple" : String | semmle.label | "simple" : String |
+| InsecureLdapAuth.java:31:3:31:13 | environment [post update] : Hashtable | semmle.label | environment [post update] : Hashtable |
 | InsecureLdapAuth.java:34:49:34:59 | environment | semmle.label | environment |
 | InsecureLdapAuth.java:34:49:34:59 | environment | semmle.label | environment |
-| InsecureLdapAuth.java:45:52:45:59 | "simple" : String | semmle.label | "simple" : String |
+| InsecureLdapAuth.java:45:3:45:13 | environment [post update] : Hashtable | semmle.label | environment [post update] : Hashtable |
 | InsecureLdapAuth.java:48:49:48:59 | environment | semmle.label | environment |
 | InsecureLdapAuth.java:53:20:53:50 | "ldap://ad.your-server.com:636" : String | semmle.label | "ldap://ad.your-server.com:636" : String |
-| InsecureLdapAuth.java:59:52:59:59 | "simple" : String | semmle.label | "simple" : String |
-| InsecureLdapAuth.java:62:46:62:50 | "ssl" : String | semmle.label | "ssl" : String |
+| InsecureLdapAuth.java:59:3:59:13 | environment [post update] : Hashtable | semmle.label | environment [post update] : Hashtable |
+| InsecureLdapAuth.java:62:3:62:13 | environment [post update] : Hashtable | semmle.label | environment [post update] : Hashtable |
 | InsecureLdapAuth.java:63:49:63:59 | environment | semmle.label | environment |
 | InsecureLdapAuth.java:63:49:63:59 | environment | semmle.label | environment |
 | InsecureLdapAuth.java:63:49:63:59 | environment | semmle.label | environment |
 | InsecureLdapAuth.java:68:20:68:50 | "ldap://ad.your-server.com:389" : String | semmle.label | "ldap://ad.your-server.com:389" : String |
 | InsecureLdapAuth.java:77:49:77:59 | environment | semmle.label | environment |
-| InsecureLdapAuth.java:88:52:88:59 | "simple" : String | semmle.label | "simple" : String |
+| InsecureLdapAuth.java:88:3:88:13 | environment [post update] : Hashtable | semmle.label | environment [post update] : Hashtable |
 | InsecureLdapAuth.java:91:49:91:59 | environment | semmle.label | environment |
 | InsecureLdapAuth.java:96:20:96:50 | "ldap://ad.your-server.com:389" : String | semmle.label | "ldap://ad.your-server.com:389" : String |
-| InsecureLdapAuth.java:102:52:102:59 | "simple" : String | semmle.label | "simple" : String |
+| InsecureLdapAuth.java:102:3:102:13 | environment [post update] : Hashtable | semmle.label | environment [post update] : Hashtable |
 | InsecureLdapAuth.java:105:59:105:69 | environment | semmle.label | environment |
 | InsecureLdapAuth.java:105:59:105:69 | environment | semmle.label | environment |
 | InsecureLdapAuth.java:111:20:111:50 | "ldap://ad.your-server.com:389" : String | semmle.label | "ldap://ad.your-server.com:389" : String |
-| InsecureLdapAuth.java:117:58:117:65 | "simple" : String | semmle.label | "simple" : String |
+| InsecureLdapAuth.java:117:3:117:13 | environment [post update] : Hashtable | semmle.label | environment [post update] : Hashtable |
 | InsecureLdapAuth.java:120:49:120:59 | environment | semmle.label | environment |
 | InsecureLdapAuth.java:120:49:120:59 | environment | semmle.label | environment |
 | InsecureLdapAuth.java:124:3:124:5 | env [post update] : Hashtable | semmle.label | env [post update] : Hashtable |
-| InsecureLdapAuth.java:124:38:124:42 | "ssl" : String | semmle.label | "ssl" : String |
 | InsecureLdapAuth.java:128:3:128:5 | env [post update] : Hashtable | semmle.label | env [post update] : Hashtable |
-| InsecureLdapAuth.java:128:44:128:51 | "simple" : String | semmle.label | "simple" : String |
 | InsecureLdapAuth.java:135:20:135:39 | ... + ... : String | semmle.label | ... + ... : String |
 | InsecureLdapAuth.java:137:10:137:20 | environment [post update] : Hashtable | semmle.label | environment [post update] : Hashtable |
 | InsecureLdapAuth.java:141:16:141:26 | environment [post update] : Hashtable | semmle.label | environment [post update] : Hashtable |

From 8cf8b704c580191c34ec68a6fe3026160e866491 Mon Sep 17 00:00:00 2001
From: Mathias Vorreiter Pedersen <mathiasvp@github.com>
Date: Wed, 3 Feb 2021 16:16:48 +0100
Subject: [PATCH 088/429] C++: Add more indirection flow in dataflow models.
 Also revert the additions to DataFlowUtil added in #5035 as they can add too
 much flow.

---
 .../cpp/ir/dataflow/internal/DataFlowUtil.qll | 21 ---------------
 .../implementations/IdentityFunction.qll      |  2 ++
 .../cpp/models/implementations/Iterator.qll   |  7 +++++
 .../cpp/models/implementations/StdString.qll  | 27 +++++++++++++++++++
 .../cpp/models/implementations/Strset.qll     |  3 +++
 5 files changed, 39 insertions(+), 21 deletions(-)

diff --git a/cpp/ql/src/semmle/code/cpp/ir/dataflow/internal/DataFlowUtil.qll b/cpp/ql/src/semmle/code/cpp/ir/dataflow/internal/DataFlowUtil.qll
index aba8e3bceec..37bcd335172 100644
--- a/cpp/ql/src/semmle/code/cpp/ir/dataflow/internal/DataFlowUtil.qll
+++ b/cpp/ql/src/semmle/code/cpp/ir/dataflow/internal/DataFlowUtil.qll
@@ -911,27 +911,6 @@ private predicate modelFlow(Operand opFrom, Instruction iTo) {
       )
     )
   )
-  or
-  impliedModelFlow(opFrom, iTo)
-}
-
-/**
- * When a `DataFlowFunction` specifies dataflow from a parameter `p` to the return value there should
- * also be dataflow from the parameter dereference (i.e., `*p`) to the return value dereference.
- */
-private predicate impliedModelFlow(Operand opFrom, Instruction iTo) {
-  exists(
-    CallInstruction call, DataFlowFunction func, FunctionInput modelIn, FunctionOutput modelOut,
-    int index
-  |
-    call.getStaticCallTarget() = func and
-    func.hasDataFlow(modelIn, modelOut)
-  |
-    modelIn.isParameterOrQualifierAddress(index) and
-    modelOut.isReturnValue() and
-    opFrom = getSideEffectFor(call, index).(ReadSideEffectInstruction).getSideEffectOperand() and
-    iTo = call // TODO: Add write side effects for return values
-  )
 }
 
 /**
diff --git a/cpp/ql/src/semmle/code/cpp/models/implementations/IdentityFunction.qll b/cpp/ql/src/semmle/code/cpp/models/implementations/IdentityFunction.qll
index 0178cd0f7ec..bd188cffe49 100644
--- a/cpp/ql/src/semmle/code/cpp/models/implementations/IdentityFunction.qll
+++ b/cpp/ql/src/semmle/code/cpp/models/implementations/IdentityFunction.qll
@@ -32,5 +32,7 @@ private class IdentityFunction extends DataFlowFunction, SideEffectFunction, Ali
   override predicate hasDataFlow(FunctionInput input, FunctionOutput output) {
     // These functions simply return the argument value.
     input.isParameter(0) and output.isReturnValue()
+    or
+    input.isParameterDeref(0) and output.isReturnValueDeref()
   }
 }
diff --git a/cpp/ql/src/semmle/code/cpp/models/implementations/Iterator.qll b/cpp/ql/src/semmle/code/cpp/models/implementations/Iterator.qll
index 3a789a6aa25..a5b1c0e83ec 100644
--- a/cpp/ql/src/semmle/code/cpp/models/implementations/Iterator.qll
+++ b/cpp/ql/src/semmle/code/cpp/models/implementations/Iterator.qll
@@ -109,6 +109,8 @@ private class IteratorCrementOperator extends Operator, DataFlowFunction {
   override predicate hasDataFlow(FunctionInput input, FunctionOutput output) {
     input = iteratorInput and
     output.isReturnValue()
+    or
+    input.isParameterDeref(0) and output.isReturnValueDeref()
   }
 }
 
@@ -159,6 +161,8 @@ private class IteratorAssignArithmeticOperator extends Operator, DataFlowFunctio
   override predicate hasDataFlow(FunctionInput input, FunctionOutput output) {
     input.isParameter(0) and
     output.isReturnValue()
+    or
+    input.isParameterDeref(0) and output.isReturnValueDeref()
   }
 
   override predicate hasTaintFlow(FunctionInput input, FunctionOutput output) {
@@ -201,6 +205,9 @@ private class IteratorCrementMemberOperator extends MemberFunction, DataFlowFunc
     or
     input.isReturnValueDeref() and
     output.isQualifierObject()
+    or
+    input.isQualifierObject() and
+    output.isReturnValueDeref()
   }
 
   override predicate hasTaintFlow(FunctionInput input, FunctionOutput output) {
diff --git a/cpp/ql/src/semmle/code/cpp/models/implementations/StdString.qll b/cpp/ql/src/semmle/code/cpp/models/implementations/StdString.qll
index 8fd2f79cfdd..9f4c458815f 100644
--- a/cpp/ql/src/semmle/code/cpp/models/implementations/StdString.qll
+++ b/cpp/ql/src/semmle/code/cpp/models/implementations/StdString.qll
@@ -293,6 +293,9 @@ private class StdIStreamIn extends DataFlowFunction, TaintFunction {
     // returns reference to `*this`
     input.isQualifierAddress() and
     output.isReturnValue()
+    or
+    input.isQualifierObject() and
+    output.isReturnValueDeref()
   }
 
   override predicate hasTaintFlow(FunctionInput input, FunctionOutput output) {
@@ -319,6 +322,9 @@ private class StdIStreamInNonMember extends DataFlowFunction, TaintFunction {
     // flow from first parameter to return value
     input.isParameter(0) and
     output.isReturnValue()
+    or
+    input.isParameterDeref(0) and
+    output.isReturnValueDeref()
   }
 
   override predicate hasTaintFlow(FunctionInput input, FunctionOutput output) {
@@ -361,6 +367,9 @@ private class StdIStreamRead extends DataFlowFunction, TaintFunction {
     // returns reference to `*this`
     input.isQualifierAddress() and
     output.isReturnValue()
+    or
+    input.isQualifierObject() and
+    output.isReturnValueDeref()
   }
 
   override predicate hasTaintFlow(FunctionInput input, FunctionOutput output) {
@@ -397,6 +406,9 @@ private class StdIStreamPutBack extends DataFlowFunction, TaintFunction {
     // returns reference to `*this`
     input.isQualifierAddress() and
     output.isReturnValue()
+    or
+    input.isQualifierObject() and
+    output.isReturnValueDeref()
   }
 
   override predicate hasTaintFlow(FunctionInput input, FunctionOutput output) {
@@ -430,6 +442,9 @@ private class StdIStreamGetLine extends DataFlowFunction, TaintFunction {
     // returns reference to `*this`
     input.isQualifierAddress() and
     output.isReturnValue()
+    or
+    input.isQualifierObject() and
+    output.isReturnValueDeref()
   }
 
   override predicate hasTaintFlow(FunctionInput input, FunctionOutput output) {
@@ -453,6 +468,9 @@ private class StdGetLine extends DataFlowFunction, TaintFunction {
     // flow from first parameter to return value
     input.isParameter(0) and
     output.isReturnValue()
+    or
+    input.isParameterDeref(0) and
+    output.isReturnValueDeref()
   }
 
   override predicate hasTaintFlow(FunctionInput input, FunctionOutput output) {
@@ -486,6 +504,9 @@ private class StdOStreamOut extends DataFlowFunction, TaintFunction {
     // returns reference to `*this`
     input.isQualifierAddress() and
     output.isReturnValue()
+    or
+    input.isQualifierObject() and
+    output.isReturnValueDeref()
   }
 
   override predicate hasTaintFlow(FunctionInput input, FunctionOutput output) {
@@ -522,6 +543,9 @@ private class StdOStreamOutNonMember extends DataFlowFunction, TaintFunction {
     // flow from first parameter to return value
     input.isParameter(0) and
     output.isReturnValue()
+    or
+    input.isParameterDeref(0) and
+    output.isReturnValueDeref()
   }
 
   override predicate hasTaintFlow(FunctionInput input, FunctionOutput output) {
@@ -605,6 +629,9 @@ private class StdStreamFunction extends DataFlowFunction, TaintFunction {
     // returns reference to `*this`
     input.isQualifierAddress() and
     output.isReturnValue()
+    or
+    input.isQualifierObject() and
+    output.isReturnValueDeref()
   }
 
   override predicate hasTaintFlow(FunctionInput input, FunctionOutput output) {
diff --git a/cpp/ql/src/semmle/code/cpp/models/implementations/Strset.qll b/cpp/ql/src/semmle/code/cpp/models/implementations/Strset.qll
index f4a80cbabac..bf6430e548b 100644
--- a/cpp/ql/src/semmle/code/cpp/models/implementations/Strset.qll
+++ b/cpp/ql/src/semmle/code/cpp/models/implementations/Strset.qll
@@ -40,6 +40,9 @@ private class StrsetFunction extends ArrayFunction, DataFlowFunction, AliasFunct
     // flow from the input string to the output string
     input.isParameter(0) and
     output.isReturnValue()
+    or
+    input.isParameterDeref(0) and
+    output.isReturnValueDeref()
   }
 
   override predicate parameterNeverEscapes(int index) { none() }

From 3fafb47b1680fc7fb42418a1ca6816986262ab05 Mon Sep 17 00:00:00 2001
From: Taus Brock-Nannestad <tausbn@github.com>
Date: Wed, 3 Feb 2021 16:41:22 +0100
Subject: [PATCH 089/429] Python: Fix global flow

A slightly odd fix, but still morally okay, I think. The main issue
here was that global variables have their first occurrence in an inner
scope inside a so-called "scope entry definition", that then
subsequently flows to the first use of this variable. This meant that
that first use was _not_ a `LocalSourceNode` (since _something_ flowed
into it), and this blocked `trackUseNode` from type-tracking to it (as
it expects all nodes to be `LocalSourceNode`s).

The answer, then, is to say that a `LocalSourceNode` is simply one
that doesn't have flow to it from _any `CfgNode`_ (through one or more
steps). This disregards the flow from the scope entry definition, as
that is flow from an `EssaNode`.

Additionally, it makes sense to exclude `ModuleVariableNode`s. These
should never be considered local sources, since they always have flow
from (at least) the place where the corresponding global variable is
introduced.
---
 .../semmle/python/dataflow/new/internal/DataFlowPublic.qll   | 5 ++++-
 1 file changed, 4 insertions(+), 1 deletion(-)

diff --git a/python/ql/src/semmle/python/dataflow/new/internal/DataFlowPublic.qll b/python/ql/src/semmle/python/dataflow/new/internal/DataFlowPublic.qll
index f2f90723d77..1cf756069f0 100644
--- a/python/ql/src/semmle/python/dataflow/new/internal/DataFlowPublic.qll
+++ b/python/ql/src/semmle/python/dataflow/new/internal/DataFlowPublic.qll
@@ -443,7 +443,10 @@ class BarrierGuard extends GuardNode {
  * - Function parameters
  */
 class LocalSourceNode extends Node {
-  LocalSourceNode() { not simpleLocalFlowStep(_, this) }
+  LocalSourceNode() {
+    not simpleLocalFlowStep+(any(CfgNode n), this) and
+    not this instanceof ModuleVariableNode
+  }
 
   /** Holds if this `LocalSourceNode` can flow to `nodeTo` in one or more local flow steps. */
   cached

From 93f91d8746182f425b5472f7c84f39dc72800591 Mon Sep 17 00:00:00 2001
From: Rasmus Wriedt Larsen <rasmuswl@github.com>
Date: Wed, 3 Feb 2021 17:44:04 +0100
Subject: [PATCH 090/429] Python: Apply suggestions from code review

Co-authored-by: intrigus-lgtm <60750685+intrigus-lgtm@users.noreply.github.com>
---
 python/ql/src/semmle/python/frameworks/Tornado.qll | 4 ++--
 1 file changed, 2 insertions(+), 2 deletions(-)

diff --git a/python/ql/src/semmle/python/frameworks/Tornado.qll b/python/ql/src/semmle/python/frameworks/Tornado.qll
index 1f5859c4945..4351188d8bb 100644
--- a/python/ql/src/semmle/python/frameworks/Tornado.qll
+++ b/python/ql/src/semmle/python/frameworks/Tornado.qll
@@ -567,7 +567,7 @@ private module Tornado {
   // Response modeling
   // ---------------------------------------------------------------------------
   /**
-   * A call to `tornado.web.RequestHandler.redirect` method.
+   * A call to the `tornado.web.RequestHandler.redirect` method.
    *
    * See https://www.tornadoweb.org/en/stable/web.html?highlight=write#tornado.web.RequestHandler.redirect
    */
@@ -591,7 +591,7 @@ private module Tornado {
   }
 
   /**
-   * A call to `tornado.web.RequestHandler.write` method.
+   * A call to the `tornado.web.RequestHandler.write` method.
    *
    * See https://www.tornadoweb.org/en/stable/web.html?highlight=write#tornado.web.RequestHandler.write
    */

From 724c3e00e02be120f2a48630c2bc6ab6dfa9fd32 Mon Sep 17 00:00:00 2001
From: luchua-bc <shengxin.canada@gmail.com>
Date: Wed, 3 Feb 2021 16:45:15 +0000
Subject: [PATCH 091/429] Update help file

---
 .../experimental/Security/CWE/CWE-522/InsecureLdapAuth.qhelp | 5 -----
 1 file changed, 5 deletions(-)

diff --git a/java/ql/src/experimental/Security/CWE/CWE-522/InsecureLdapAuth.qhelp b/java/ql/src/experimental/Security/CWE/CWE-522/InsecureLdapAuth.qhelp
index ee4afabbed6..c729759a06e 100644
--- a/java/ql/src/experimental/Security/CWE/CWE-522/InsecureLdapAuth.qhelp
+++ b/java/ql/src/experimental/Security/CWE/CWE-522/InsecureLdapAuth.qhelp
@@ -15,11 +15,6 @@
   </example>
 
   <references>
-    <li>
-      CWE:
-      <a href="https://cwe.mitre.org/data/definitions/522">CWE-522: Insufficiently Protected Credentials</a>
-      <a href="https://cwe.mitre.org/data/definitions/319">CWE-319: Cleartext Transmission of Sensitive Information</a>
-    </li>
     <li>
       Oracle:
       <a href="https://docs.oracle.com/javase/jndi/tutorial/ldap/misc/url.html">LDAP and LDAPS URLs</a>

From 6ce160c51c9276704d0b414119737f4a5bce830e Mon Sep 17 00:00:00 2001
From: Taus Brock-Nannestad <tausbn@github.com>
Date: Wed, 3 Feb 2021 19:49:53 +0100
Subject: [PATCH 092/429] Python: Use call instead of invocation

---
 python/ql/src/semmle/python/ApiGraphs.qll            |  2 +-
 .../python/dataflow/new/internal/DataFlowPublic.qll  | 12 ++++++------
 2 files changed, 7 insertions(+), 7 deletions(-)

diff --git a/python/ql/src/semmle/python/ApiGraphs.qll b/python/ql/src/semmle/python/ApiGraphs.qll
index 2c1ff3b6cf7..e8072a91540 100644
--- a/python/ql/src/semmle/python/ApiGraphs.qll
+++ b/python/ql/src/semmle/python/ApiGraphs.qll
@@ -292,7 +292,7 @@ module API {
         or
         // Calling a node that is a use of `base`
         lbl = Label::return() and
-        ref = pred.getAnInvocation()
+        ref = pred.getACall()
       )
     }
 
diff --git a/python/ql/src/semmle/python/dataflow/new/internal/DataFlowPublic.qll b/python/ql/src/semmle/python/dataflow/new/internal/DataFlowPublic.qll
index 1cf756069f0..b2e2298182e 100644
--- a/python/ql/src/semmle/python/dataflow/new/internal/DataFlowPublic.qll
+++ b/python/ql/src/semmle/python/dataflow/new/internal/DataFlowPublic.qll
@@ -477,9 +477,9 @@ class LocalSourceNode extends Node {
   AttrRead getAnAttributeRead() { result = getAnAttributeReference() }
 
   /**
-   * Gets an invocation (with our without `new`) of this node.
+   * Gets a call to this node.
    */
-  Node getAnInvocation() { Cached::invocation(this, result) }
+  Node getACall() { Cached::call(this, result) }
 }
 
 cached
@@ -521,12 +521,12 @@ private module Cached {
   }
 
   /**
-   * Holds if `func` flows to the callee of `invoke`.
+   * Holds if `func` flows to the callee of `call`.
    */
   cached
-  predicate invocation(LocalSourceNode func, Node invoke) {
-    exists(CfgNode n, CallNode call |
-      invoke.asCfgNode() = call and n.asCfgNode() = call.getFunction()
+  predicate call(LocalSourceNode func, Node call) {
+    exists(CfgNode n, CallNode call_node |
+      call.asCfgNode() = call_node and n.asCfgNode() = call_node.getFunction()
     |
       hasLocalSource(n, func)
     )

From c5d6792c1eb727cd5fd1f8a6e84fd296c2e0e5bd Mon Sep 17 00:00:00 2001
From: Taus Brock-Nannestad <tausbn@github.com>
Date: Wed, 3 Feb 2021 19:50:21 +0100
Subject: [PATCH 093/429] Python: Make `toString` abstract

---
 python/ql/src/semmle/python/ApiGraphs.qll | 4 +---
 1 file changed, 1 insertion(+), 3 deletions(-)

diff --git a/python/ql/src/semmle/python/ApiGraphs.qll b/python/ql/src/semmle/python/ApiGraphs.qll
index e8072a91540..d4091a7a2bf 100644
--- a/python/ql/src/semmle/python/ApiGraphs.qll
+++ b/python/ql/src/semmle/python/ApiGraphs.qll
@@ -146,9 +146,7 @@ module API {
     /**
      * Gets a textual representation of this node.
      */
-    string toString() {
-      none() // defined in subclasses
-    }
+    abstract string toString();
 
     /**
      * Gets a path of the given `length` from the root to this node.

From 05f290f7347c8c213461c66a999dad26c941a5b6 Mon Sep 17 00:00:00 2001
From: Taus Brock-Nannestad <tausbn@github.com>
Date: Wed, 3 Feb 2021 19:51:34 +0100
Subject: [PATCH 094/429] Python: Better explanation in `use/3`

---
 python/ql/src/semmle/python/ApiGraphs.qll | 7 +++++++
 1 file changed, 7 insertions(+)

diff --git a/python/ql/src/semmle/python/ApiGraphs.qll b/python/ql/src/semmle/python/ApiGraphs.qll
index d4091a7a2bf..04eeb785c5b 100644
--- a/python/ql/src/semmle/python/ApiGraphs.qll
+++ b/python/ql/src/semmle/python/ApiGraphs.qll
@@ -282,6 +282,13 @@ module API {
     cached
     predicate use(TApiNode base, string lbl, DataFlow::Node ref) {
       exists(DataFlow::LocalSourceNode src, DataFlow::LocalSourceNode pred |
+        // First, we find a predecessor of the node `ref` that we want to determine. The predecessor
+        // is any node that is a type-tracked use of a data flow node (`src`), which is itself a
+        // reference to the API node `base`.
+        //
+        // Once we have identified the predecessor, we define its relation to the successor `ref` as
+        // well as the label on the edge from `pred` to `ref`. This label describes the nature of
+        // the relationship between `pred` and `ref`.
         use(base, src) and pred = trackUseNode(src)
       |
         // Reading an attribute on a node that is a use of `base`:

From 56515c570879f89baeed251c091cc8b528ade9fd Mon Sep 17 00:00:00 2001
From: Taus <tausbn@gmail.com>
Date: Wed, 3 Feb 2021 21:29:15 +0100
Subject: [PATCH 095/429] Python: Improve documentation for `moduleImport`

Co-authored-by: Rasmus Wriedt Larsen <rasmuswriedtlarsen@gmail.com>
---
 python/ql/src/semmle/python/ApiGraphs.qll | 8 +++++++-
 1 file changed, 7 insertions(+), 1 deletion(-)

diff --git a/python/ql/src/semmle/python/ApiGraphs.qll b/python/ql/src/semmle/python/ApiGraphs.qll
index 04eeb785c5b..54ae9f86875 100644
--- a/python/ql/src/semmle/python/ApiGraphs.qll
+++ b/python/ql/src/semmle/python/ApiGraphs.qll
@@ -196,7 +196,13 @@ module API {
   /** Gets the root node. */
   Root root() { any() }
 
-  /** Gets a node corresponding to an import of module `m`. */
+  /** 
+   * Gets a node corresponding to an import of module `m`. 
+   *
+   * Note: You should only use this predicate for top level modules. If you want nodes corresponding to a submodule,
+   * you should use `.getMember` on the parent module. For example, for nodes corresponding to the module `foo.bar`, 
+   * use `moduleImport("foo").getMember("bar")`.
+   */
   Node moduleImport(string m) { result = Impl::MkModuleImport(m) }
 
   /**

From cccca879d959caf17d0ed26350e82385a0ba5294 Mon Sep 17 00:00:00 2001
From: Tamas Vajk <tamasvajk@github.com>
Date: Wed, 3 Feb 2021 21:52:00 +0100
Subject: [PATCH 096/429] C#: Add initial DB scheme

---
 .../initial/semmlecode.csharp.dbscheme        | 1707 +++++++++++++++++
 1 file changed, 1707 insertions(+)
 create mode 100644 csharp/upgrades/initial/semmlecode.csharp.dbscheme

diff --git a/csharp/upgrades/initial/semmlecode.csharp.dbscheme b/csharp/upgrades/initial/semmlecode.csharp.dbscheme
new file mode 100644
index 00000000000..34565707dfb
--- /dev/null
+++ b/csharp/upgrades/initial/semmlecode.csharp.dbscheme
@@ -0,0 +1,1707 @@
+/*
+ * External artifacts
+ */
+
+externalDefects(
+  unique int id: @externalDefect,
+  varchar(900) queryPath: string ref,
+  int location: @location ref,
+  varchar(900) message: string ref,
+  float severity: float ref);
+
+externalMetrics(
+  unique int id: @externalMetric,
+  varchar(900) queryPath: string ref,
+  int location: @location ref,
+  float value: float ref);
+
+externalData(
+  int id: @externalDataElement,
+  varchar(900) path: string ref,
+  int column: int ref,
+  varchar(900) value: string ref);
+
+snapshotDate(
+  unique date snapshotDate: date ref);
+
+sourceLocationPrefix(
+  varchar(900) prefix: string ref);
+
+/*
+ * Duplicate code
+ */
+
+duplicateCode(
+  unique int id: @duplication,
+  varchar(900) relativePath: string ref,
+  int equivClass: int ref);
+
+similarCode(
+  unique int id: @similarity,
+  varchar(900) relativePath: string ref,
+  int equivClass: int ref);
+
+@duplication_or_similarity = @duplication | @similarity
+
+tokens(
+  int id: @duplication_or_similarity ref,
+  int offset: int ref,
+  int beginLine: int ref,
+  int beginColumn: int ref,
+  int endLine: int ref,
+  int endColumn: int ref);
+
+/*
+ * Version history
+ */
+
+svnentries(
+  int id: @svnentry,
+  varchar(500) revision: string ref,
+  varchar(500) author: string ref,
+  date revisionDate: date ref,
+  int changeSize: int ref);
+
+svnaffectedfiles(
+  int id: @svnentry ref,
+  int file: @file ref,
+  varchar(500) action: string ref);
+
+svnentrymsg(
+  int id: @svnentry ref,
+  varchar(500) message: string ref
+)
+
+svnchurn(
+  int commit: @svnentry ref,
+  int file: @file ref,
+  int addedLines: int ref,
+  int deletedLines: int ref);
+
+/*
+ * C# dbscheme
+ */
+
+/** ELEMENTS **/
+
+@element = @declaration | @stmt | @expr | @modifier | @attribute | @namespace_declaration
+         | @using_directive | @type_parameter_constraints | @external_element
+         | @xmllocatable | @asp_element | @namespace;
+
+@declaration = @callable | @generic | @assignable;
+
+@named_element = @namespace | @declaration;
+
+@declaration_with_accessors = @property | @indexer | @event;
+
+@assignable = @variable | @assignable_with_accessors | @event;
+
+@assignable_with_accessors = @property | @indexer;
+
+@external_element = @externalMetric | @externalDefect | @externalDataElement;
+
+@attributable = @assembly | @field | @parameter | @operator | @method | @constructor
+              | @destructor | @callable_accessor | @value_or_ref_type | @declaration_with_accessors;
+
+/** LOCATIONS, ASEMMBLIES, MODULES, FILES and FOLDERS **/
+
+@location = @location_default | @assembly;
+
+locations_default(
+  unique int id: @location_default,
+  int file: @file ref,
+  int beginLine: int ref,
+  int beginColumn: int ref,
+  int endLine: int ref,
+  int endColumn: int ref);
+
+@sourceline = @file | @callable | @xmllocatable;
+
+numlines(
+  unique int element_id: @sourceline ref,
+  int num_lines: int ref,
+  int num_code: int ref,
+  int num_comment: int ref);
+
+assemblies(
+  unique int id: @assembly,
+  int file: @file ref,
+  varchar(900) fullname: string ref,
+  varchar(900) name: string ref,
+  varchar(900) version: string ref);
+
+/*
+  fromSource(0) = unknown,
+  fromSource(1) = from source,
+  fromSource(2) = from library
+*/
+files(
+  unique int id: @file,
+  varchar(900) name: string ref,
+  varchar(900) simple: string ref,
+  varchar(900) ext: string ref,
+  int fromSource: int ref);
+
+folders(
+  unique int id: @folder,
+  varchar(900) name: string ref,
+  varchar(900) simple: string ref);
+
+@container = @folder | @file ;
+
+containerparent(
+  int parent: @container ref,
+  unique int child: @container ref);
+
+file_extraction_mode(
+  unique int file: @file ref,
+  int mode: int ref
+  /* 0 = normal, 1 = standalone extractor */
+  );
+
+/** NAMESPACES **/
+
+@type_container = @namespace | @type;
+
+namespaces(
+  unique int id: @namespace,
+  varchar(900) name: string ref);
+
+namespace_declarations(
+  unique int id: @namespace_declaration,
+  int namespace_id: @namespace ref);
+
+namespace_declaration_location(
+  unique int id: @namespace_declaration ref,
+  int loc: @location ref);
+
+parent_namespace(
+  unique int child_id: @type_container ref,
+  int namespace_id: @namespace ref);
+
+@declaration_or_directive = @namespace_declaration | @type | @using_directive;
+
+parent_namespace_declaration(
+  int child_id: @declaration_or_directive ref, // cannot be unique because of partial classes
+  int namespace_id: @namespace_declaration ref);
+
+@using_directive = @using_namespace_directive | @using_static_directive;
+
+using_namespace_directives(
+  unique int id: @using_namespace_directive,
+  int namespace_id: @namespace ref);
+
+using_static_directives(
+  unique int id: @using_static_directive,
+  int type_id: @type_or_ref ref);
+
+using_directive_location(
+  unique int id: @using_directive ref,
+  int loc: @location ref);
+
+/** TYPES **/
+
+types(
+  unique int id: @type,
+  int kind: int ref,
+  varchar(900) name: string ref);
+
+case @type.kind of
+   1 = @bool_type
+|  2 = @char_type
+|  3 = @decimal_type
+|  4 = @sbyte_type
+|  5 = @short_type
+|  6 = @int_type
+|  7 = @long_type
+|  8 = @byte_type
+|  9 = @ushort_type
+| 10 = @uint_type
+| 11 = @ulong_type
+| 12 = @float_type
+| 13 = @double_type
+| 14 = @enum_type
+| 15 = @struct_type
+| 17 = @class_type
+| 19 = @interface_type
+| 20 = @delegate_type
+| 21 = @null_type
+| 22 = @type_parameter
+| 23 = @pointer_type
+| 24 = @nullable_type
+| 25 = @array_type
+| 26 = @void_type
+| 27 = @int_ptr_type
+| 28 = @uint_ptr_type
+| 29 = @dynamic_type
+| 30 = @arglist_type
+| 31 = @unknown_type
+| 32 = @tuple_type
+  ;
+
+@simple_type = @bool_type | @char_type | @integral_type | @floating_point_type | @decimal_type;
+@integral_type = @signed_integral_type | @unsigned_integral_type;
+@signed_integral_type = @sbyte_type | @short_type | @int_type | @long_type;
+@unsigned_integral_type = @byte_type  | @ushort_type | @uint_type | @ulong_type;
+@floating_point_type = @float_type | @double_type;
+@value_type = @simple_type | @enum_type | @struct_type | @nullable_type | @int_ptr_type
+            | @uint_ptr_type | @tuple_type;
+@ref_type = @class_type | @interface_type | @array_type | @delegate_type | @null_type
+          | @dynamic_type;
+@value_or_ref_type = @value_type | @ref_type;
+
+typerefs(
+  unique int id: @typeref,
+  varchar(900) name: string ref);
+
+typeref_type(
+  unique int id: @typeref ref,
+  unique int typeId: @type ref);
+
+@type_or_ref = @type | @typeref;
+
+array_element_type(
+  unique int array: @array_type ref,
+  int dimension: int ref,
+  int rank: int ref,
+  int element: @type_or_ref ref);
+
+nullable_underlying_type(
+  unique int nullable: @nullable_type ref,
+  int underlying: @type_or_ref ref);
+
+pointer_referent_type(
+  unique int pointer: @pointer_type ref,
+  int referent: @type_or_ref ref);
+
+enum_underlying_type(
+  unique int enum_id: @enum_type ref,
+  int underlying_type_id: @type_or_ref ref);
+
+delegate_return_type(
+  unique int delegate_id: @delegate_type ref,
+  int return_type_id: @type_or_ref ref);
+
+extend(
+  unique int sub: @type ref,
+  int super: @type_or_ref ref);
+
+@interface_or_ref = @interface_type | @typeref;
+
+implement(
+  int sub: @type ref,
+  int super: @type_or_ref ref);
+
+type_location(
+  int id: @type ref,
+  int loc: @location ref);
+
+tuple_underlying_type(
+  unique int tuple: @tuple_type ref,
+  int struct: @struct_type ref);
+
+#keyset[tuple, index]
+tuple_element(
+  int tuple: @tuple_type ref,
+  int index: int ref,
+  unique int field: @field ref);
+
+attributes(
+  unique int id: @attribute,
+  int type_id: @type_or_ref ref,
+  int target:  @attributable ref);
+
+attribute_location(
+  int id: @attribute ref,
+  int loc: @location ref);
+
+@type_mention_parent = @element | @type_mention;
+
+type_mention(
+  unique int id: @type_mention,
+  int type_id: @type_or_ref ref,
+  int parent: @type_mention_parent ref);
+
+type_mention_location(
+  unique int id: @type_mention ref,
+  int loc: @location ref);
+
+/** GENERICS **/
+
+@generic = @type | @method | @local_function;
+
+is_generic(unique int id: @generic ref);
+
+is_constructed(unique int id: @generic ref);
+
+type_parameters(
+  unique int id: @type_parameter ref,
+  int index: int ref,
+  int generic_id: @generic ref,
+  int variance: int ref /* none = 0, out = 1, in = 2 */);
+
+#keyset[constructed_id, index]
+type_arguments(
+  int id: @type_or_ref ref,
+  int index: int ref,
+  int constructed_id: @generic_or_ref ref);
+
+@generic_or_ref = @generic | @typeref;
+
+constructed_generic(
+  unique int constructed: @generic ref,
+  int generic: @generic_or_ref ref);
+
+type_parameter_constraints(
+  unique int id: @type_parameter_constraints,
+  int param_id: @type_parameter ref);
+
+type_parameter_constraints_location(
+  int id: @type_parameter_constraints ref,
+  int loc: @location ref);
+
+general_type_parameter_constraints(
+  int id: @type_parameter_constraints ref,
+  int kind: int ref /* class = 1, struct = 2, new = 3 */);
+
+specific_type_parameter_constraints(
+  int id: @type_parameter_constraints ref,
+  int base_id: @type_or_ref ref);
+
+
+/** MODIFIERS */
+
+@modifiable = @modifiable_direct | @event_accessor;
+
+@modifiable_direct = @member | @accessor;
+
+modifiers(
+  unique int id: @modifier,
+  varchar(900) name: string ref);
+
+has_modifiers(
+  int id: @modifiable_direct ref,
+  int mod_id: @modifier ref);
+
+compiler_generated(unique int id: @modifiable_direct ref);
+
+/** MEMBERS **/
+
+@member = @method | @constructor | @destructor | @field | @property | @event | @operator | @indexer | @type;
+
+@named_exprorstmt = @goto_stmt | @labeled_stmt | @literal_expr;
+
+@virtualizable = @method | @property | @indexer | @event;
+
+exprorstmt_name(
+  unique int parent_id: @named_exprorstmt ref,
+  varchar(900) name: string ref);
+
+nested_types(
+  unique int id: @type ref,
+  int declaring_type_id: @type ref,
+  int unbound_id: @type ref);
+
+properties(
+  unique int id: @property,
+  varchar(900) name: string ref,
+  int declaring_type_id: @type ref,
+  int type_id: @type_or_ref ref,
+  int unbound_id: @property ref);
+
+property_location(
+  int id: @property ref,
+  int loc: @location ref);
+
+indexers(
+  unique int id: @indexer,
+  varchar(900) name: string ref,
+  int declaring_type_id: @type ref,
+  int type_id: @type_or_ref ref,
+  int unbound_id: @indexer ref);
+
+indexer_location(
+  int id: @indexer ref,
+  int loc: @location ref);
+
+accessors(
+  unique int id: @accessor,
+  int kind: int ref,
+  varchar(900) name: string ref,
+  int declaring_member_id: @member ref,
+  int unbound_id: @accessor ref);
+
+case @accessor.kind of
+  1 = @getter
+| 2 = @setter
+  ;
+
+accessor_location(
+  int id: @accessor ref,
+  int loc: @location ref);
+
+events(
+  unique int id: @event,
+  varchar(900) name: string ref,
+  int declaring_type_id: @type ref,
+  int type_id: @type_or_ref ref,
+  int unbound_id: @event ref);
+
+event_location(
+  int id: @event ref,
+  int loc: @location ref);
+
+event_accessors(
+  unique int id: @event_accessor,
+  int kind: int ref,
+  varchar(900) name: string ref,
+  int declaring_event_id: @event ref,
+  int unbound_id: @event_accessor ref);
+
+case @event_accessor.kind of
+  1 = @add_event_accessor
+| 2 = @remove_event_accessor
+  ;
+
+event_accessor_location(
+  int id: @event_accessor ref,
+  int loc: @location ref);
+
+operators(
+  unique int id: @operator,
+  varchar(900) name: string ref,
+  varchar(900) symbol: string ref,
+  int declaring_type_id: @type ref,
+  int type_id: @type_or_ref ref,
+  int unbound_id: @operator ref);
+
+operator_location(
+  int id: @operator ref,
+  int loc: @location ref);
+
+constant_value(
+  unique int id: @variable ref,
+  varchar(900) value: string ref);
+
+/** CALLABLES **/
+
+@callable = @method | @constructor | @destructor | @operator | @callable_accessor | @anonymous_function_expr | @local_function;
+
+@callable_accessor = @accessor | @event_accessor;
+
+methods(
+  unique int id: @method,
+  varchar(900) name: string ref,
+  int declaring_type_id: @type ref,
+  int type_id: @type_or_ref ref,
+  int unbound_id: @method ref);
+
+method_location(
+  int id: @method ref,
+  int loc: @location ref);
+
+constructors(
+  unique int id: @constructor,
+  varchar(900) name: string ref,
+  int declaring_type_id: @type ref,
+  int unbound_id: @constructor ref);
+
+constructor_location(
+  int id: @constructor ref,
+  int loc: @location ref);
+
+destructors(
+  unique int id: @destructor,
+  varchar(900) name: string ref,
+  int declaring_type_id: @type ref,
+  int unbound_id: @destructor ref);
+
+destructor_location(
+  int id: @destructor ref,
+  int loc: @location ref);
+
+overrides(
+  unique int id: @callable ref,
+  int base_id: @callable ref);
+
+explicitly_implements(
+  unique int id: @member ref,
+  int interface_id: @interface_or_ref ref);
+
+local_functions(
+    unique int id: @local_function,
+    varchar(900) name: string ref,
+    int return_type: @type ref,
+    int unbound_id: @local_function ref);
+
+local_function_stmts(
+    unique int fn: @local_function_stmt ref,
+    int stmt: @local_function ref);
+
+@ref_callable = @local_function | @method | @delegate_type;
+
+ref_returns(int fn: @ref_callable ref);
+
+ref_readonly_returns(int fn: @ref_callable ref);
+
+/** VARIABLES **/
+
+@variable = @local_scope_variable | @field;
+
+@local_scope_variable = @local_variable | @parameter;
+
+fields(
+  unique int id: @field,
+  int kind: int ref,
+  varchar(900) name: string ref,
+  int declaring_type_id: @type ref,
+  int type_id: @type_or_ref ref,
+  int unbound_id: @field ref);
+
+case @field.kind of
+  1 = @addressable_field
+| 2 = @constant
+  ;
+
+field_location(
+  int id: @field ref,
+  int loc: @location ref);
+
+localvars(
+  unique int id: @local_variable,
+  int kind: int ref,
+  varchar(900) name: string ref,
+  int implicitly_typed: int ref /* 0 = no, 1 = yes */,
+  int type_id: @type_or_ref ref,
+  int parent_id: @local_var_decl_expr ref);
+
+case @local_variable.kind of
+  1 = @addressable_local_variable
+| 2 = @local_constant
+| 3 = @local_variable_ref
+  ;
+
+localvar_location(
+  unique int id: @local_variable ref,
+  int loc: @location ref);
+
+@parameterizable = @callable | @delegate_type | @indexer;
+
+#keyset[name, parent_id]
+#keyset[index, parent_id]
+params(
+  unique int id: @parameter,
+  varchar(900) name: string ref,
+  int type_id: @type_or_ref ref,
+  int index: int ref,
+  int mode: int ref, /* value = 0, ref = 1, out = 2, array = 3, this = 4 */
+  int parent_id: @parameterizable ref,
+  int unbound_id: @parameter ref);
+
+param_location(
+  int id: @parameter ref,
+  int loc: @location ref);
+
+/** STATEMENTS **/
+
+@exprorstmt_parent = @control_flow_element | @top_level_exprorstmt_parent;
+
+statements(
+  unique int id: @stmt,
+  int kind: int ref);
+
+#keyset[index, parent]
+stmt_parent(
+  unique int stmt: @stmt ref,
+  int index: int ref,
+  int parent: @control_flow_element ref);
+
+@top_level_stmt_parent = @callable;
+
+// [index, parent] is not a keyset because the same parent may be compiled multiple times
+stmt_parent_top_level(
+  unique int stmt: @stmt ref,
+  int index: int ref,
+  int parent: @top_level_stmt_parent ref);
+
+case @stmt.kind of
+   1 = @block_stmt
+|  2 = @expr_stmt
+|  3 = @if_stmt
+|  4 = @switch_stmt
+|  5 = @while_stmt
+|  6 = @do_stmt
+|  7 = @for_stmt
+|  8 = @foreach_stmt
+|  9 = @break_stmt
+| 10 = @continue_stmt
+| 11 = @goto_stmt
+| 12 = @goto_case_stmt
+| 13 = @goto_default_stmt
+| 14 = @throw_stmt
+| 15 = @return_stmt
+| 16 = @yield_stmt
+| 17 = @try_stmt
+| 18 = @checked_stmt
+| 19 = @unchecked_stmt
+| 20 = @lock_stmt
+| 21 = @using_stmt
+| 22 = @var_decl_stmt
+| 23 = @const_decl_stmt
+| 24 = @empty_stmt
+| 25 = @unsafe_stmt
+| 26 = @fixed_stmt
+| 27 = @label_stmt
+| 28 = @catch
+| 29 = @case
+| 30 = @local_function_stmt
+  ;
+
+@labeled_stmt = @label_stmt | @case;
+
+@decl_stmt = @var_decl_stmt | @const_decl_stmt;
+
+@cond_stmt = @if_stmt | @switch_stmt;
+
+@loop_stmt = @while_stmt | @do_stmt | @for_stmt | @foreach_stmt;
+
+@jump_stmt = @break_stmt | @goto_any_stmt | @continue_stmt | @throw_stmt | @return_stmt
+           | @yield_stmt;
+
+@goto_any_stmt = @goto_default_stmt | @goto_case_stmt | @goto_stmt;
+
+
+stmt_location(
+  unique int id: @stmt ref,
+  int loc: @location ref);
+
+catch_type(
+  unique int catch_id: @catch ref,
+  int type_id: @type_or_ref ref,
+  int kind: int ref /* explicit = 1, implicit = 2 */);
+
+/** EXPRESSIONS **/
+
+expressions(
+  unique int id: @expr,
+  int kind: int ref,
+  int type_id: @type_or_ref ref);
+
+#keyset[index, parent]
+expr_parent(
+  unique int expr: @expr ref,
+  int index: int ref,
+  int parent: @control_flow_element ref);
+
+@top_level_expr_parent = @attribute | @field | @property | @indexer | @parameter;
+
+@top_level_exprorstmt_parent = @top_level_expr_parent | @top_level_stmt_parent;
+
+// [index, parent] is not a keyset because the same parent may be compiled multiple times
+expr_parent_top_level(
+  unique int expr: @expr ref,
+  int index: int ref,
+  int parent: @top_level_exprorstmt_parent ref);
+
+case @expr.kind of
+/* literal */
+   1 = @bool_literal_expr
+|  2 = @char_literal_expr
+|  3 = @decimal_literal_expr
+|  4 = @int_literal_expr
+|  5 = @long_literal_expr
+|  6 = @uint_literal_expr
+|  7 = @ulong_literal_expr
+|  8 = @float_literal_expr
+|  9 = @double_literal_expr
+| 10 = @string_literal_expr
+| 11 = @null_literal_expr
+/* primary & unary */
+| 12 = @this_access_expr
+| 13 = @base_access_expr
+| 14 = @local_variable_access_expr
+| 15 = @parameter_access_expr
+| 16 = @field_access_expr
+| 17 = @property_access_expr
+| 18 = @method_access_expr
+| 19 = @event_access_expr
+| 20 = @indexer_access_expr
+| 21 = @array_access_expr
+| 22 = @type_access_expr
+| 23 = @typeof_expr
+| 24 = @method_invocation_expr
+| 25 = @delegate_invocation_expr
+| 26 = @operator_invocation_expr
+| 27 = @cast_expr
+| 28 = @object_creation_expr
+| 29 = @explicit_delegate_creation_expr
+| 30 = @implicit_delegate_creation_expr
+| 31 = @array_creation_expr
+| 32 = @default_expr
+| 33 = @plus_expr
+| 34 = @minus_expr
+| 35 = @bit_not_expr
+| 36 = @log_not_expr
+| 37 = @post_incr_expr
+| 38 = @post_decr_expr
+| 39 = @pre_incr_expr
+| 40 = @pre_decr_expr
+/* multiplicative */
+| 41 = @mul_expr
+| 42 = @div_expr
+| 43 = @rem_expr
+/* additive */
+| 44 = @add_expr
+| 45 = @sub_expr
+/* shift */
+| 46 = @lshift_expr
+| 47 = @rshift_expr
+/* relational */
+| 48 = @lt_expr
+| 49 = @gt_expr
+| 50 = @le_expr
+| 51 = @ge_expr
+/* equality */
+| 52 = @eq_expr
+| 53 = @ne_expr
+/* logical */
+| 54 = @bit_and_expr
+| 55 = @bit_xor_expr
+| 56 = @bit_or_expr
+| 57 = @log_and_expr
+| 58 = @log_or_expr
+/* type testing */
+| 59 = @is_expr
+| 60 = @as_expr
+/* null coalescing */
+| 61 = @null_coalescing_expr
+/* conditional */
+| 62 = @conditional_expr
+/* assignment */
+| 63 = @simple_assign_expr
+| 64 = @assign_add_expr
+| 65 = @assign_sub_expr
+| 66 = @assign_mul_expr
+| 67 = @assign_div_expr
+| 68 = @assign_rem_expr
+| 69 = @assign_and_expr
+| 70 = @assign_xor_expr
+| 71 = @assign_or_expr
+| 72 = @assign_lshift_expr
+| 73 = @assign_rshift_expr
+/* more */
+| 74 = @object_init_expr
+| 75 = @collection_init_expr
+| 76 = @array_init_expr
+| 77 = @checked_expr
+| 78 = @unchecked_expr
+| 79 = @constructor_init_expr
+| 80 = @add_event_expr
+| 81 = @remove_event_expr
+| 82 = @par_expr
+| 83 = @local_var_decl_expr
+| 84 = @lambda_expr
+| 85 = @anonymous_method_expr
+| 86 = @namespace_expr
+/* dynamic */
+| 92 = @dynamic_element_access_expr
+| 93 = @dynamic_member_access_expr
+/* unsafe */
+| 100 = @pointer_indirection_expr
+| 101 = @address_of_expr
+| 102 = @sizeof_expr
+/* async */
+| 103 = @await_expr
+/* C# 6.0 */
+| 104 = @nameof_expr
+| 105 = @interpolated_string_expr
+| 106 = @unknown_expr
+/* C# 7.0 */
+| 107 = @throw_expr
+| 108 = @tuple_expr
+| 109 = @local_function_invocation_expr
+| 110 = @ref_expr
+| 111 = @discard_expr
+;
+
+@integer_literal_expr = @int_literal_expr | @long_literal_expr | @uint_literal_expr | @ulong_literal_expr;
+@real_literal_expr = @float_literal_expr | @double_literal_expr | @decimal_literal_expr;
+@literal_expr = @bool_literal_expr | @char_literal_expr | @integer_literal_expr | @real_literal_expr
+              | @string_literal_expr | @null_literal_expr;
+
+@assign_expr = @simple_assign_expr | @assign_op_expr | @local_var_decl_expr;
+@assign_op_expr =  @assign_arith_expr | @assign_bitwise_expr | @assign_event_expr;
+@assign_event_expr = @add_event_expr | @remove_event_expr;
+
+@assign_arith_expr = @assign_add_expr | @assign_sub_expr | @assign_mul_expr | @assign_div_expr
+                   | @assign_rem_expr
+@assign_bitwise_expr = @assign_and_expr | @assign_or_expr | @assign_xor_expr
+                   | @assign_lshift_expr | @assign_rshift_expr;
+
+@member_access_expr = @field_access_expr | @property_access_expr | @indexer_access_expr | @event_access_expr
+                    | @method_access_expr | @type_access_expr | @dynamic_member_access_expr;
+@access_expr = @member_access_expr | @this_access_expr | @base_access_expr | @assignable_access_expr;
+@element_access_expr = @indexer_access_expr | @array_access_expr | @dynamic_element_access_expr;
+
+@local_variable_access = @local_variable_access_expr | @local_var_decl_expr;
+@local_scope_variable_access_expr = @parameter_access_expr | @local_variable_access;
+@variable_access_expr = @local_scope_variable_access_expr | @field_access_expr;
+
+@assignable_access_expr = @variable_access_expr | @property_access_expr | @element_access_expr
+                        | @event_access_expr | @dynamic_member_access_expr;
+
+@objectorcollection_init_expr = @object_init_expr | @collection_init_expr;
+
+@delegate_creation_expr = @explicit_delegate_creation_expr | @implicit_delegate_creation_expr;
+
+@bin_arith_op_expr = @mul_expr | @div_expr | @rem_expr | @add_expr | @sub_expr;
+@incr_op_expr =  @pre_incr_expr | @post_incr_expr;
+@decr_op_expr =  @pre_decr_expr | @post_decr_expr;
+@mut_op_expr = @incr_op_expr | @decr_op_expr;
+@un_arith_op_expr = @plus_expr | @minus_expr | @mut_op_expr;
+@arith_op_expr = @bin_arith_op_expr | @un_arith_op_expr;
+
+@ternary_log_op_expr = @conditional_expr;
+@bin_log_op_expr = @log_and_expr | @log_or_expr | @null_coalescing_expr;
+@un_log_op_expr = @log_not_expr;
+@log_expr = @un_log_op_expr | @bin_log_op_expr | @ternary_log_op_expr;
+
+@bin_bit_op_expr =  @bit_and_expr | @bit_or_expr | @bit_xor_expr | @lshift_expr
+                 | @rshift_expr;
+@un_bit_op_expr = @bit_not_expr;
+@bit_expr = @un_bit_op_expr | @bin_bit_op_expr;
+
+@equality_op_expr =  @eq_expr | @ne_expr;
+@rel_op_expr = @gt_expr | @lt_expr| @ge_expr | @le_expr;
+@comp_expr = @equality_op_expr | @rel_op_expr;
+
+@op_expr = @assign_expr | @un_op | @bin_op | @ternary_op;
+
+@ternary_op = @ternary_log_op_expr;
+@bin_op = @bin_arith_op_expr | @bin_log_op_expr | @bin_bit_op_expr | @comp_expr;
+@un_op = @un_arith_op_expr | @un_log_op_expr | @un_bit_op_expr | @sizeof_expr
+       | @pointer_indirection_expr | @address_of_expr;
+
+@anonymous_function_expr = @lambda_expr | @anonymous_method_expr;
+
+@call = @method_invocation_expr | @constructor_init_expr | @operator_invocation_expr
+      | @delegate_invocation_expr | @object_creation_expr | @call_access_expr
+      | @local_function_invocation_expr;
+
+@call_access_expr = @property_access_expr | @event_access_expr | @indexer_access_expr;
+
+@late_bindable_expr = @dynamic_element_access_expr | @dynamic_member_access_expr
+                    | @object_creation_expr | @method_invocation_expr | @operator_invocation_expr;
+
+@throw_element = @throw_expr | @throw_stmt;
+
+implicitly_typed_array_creation(
+  unique int id: @array_creation_expr ref);
+
+explicitly_sized_array_creation(
+  unique int id: @array_creation_expr ref);
+
+mutator_invocation_mode(
+  unique int id: @operator_invocation_expr ref,
+  int mode: int ref /* prefix = 1, postfix = 2*/);
+
+expr_compiler_generated(
+  unique int id: @expr ref);
+
+expr_value(
+  unique int id: @expr ref,
+  varchar(900) value: string ref);
+
+expr_call(
+  unique int caller_id: @expr ref,
+  int target_id: @callable ref);
+
+expr_access(
+  unique int accesser_id: @access_expr ref,
+  int target_id: @accessible ref);
+
+@accessible = @method | @assignable | @local_function;
+
+expr_location(
+  unique int id: @expr ref,
+  int loc: @location ref);
+
+dynamic_member_name(
+  unique int id: @late_bindable_expr ref,
+  varchar(900) name: string ref);
+
+@qualifiable_expr = @member_access_expr
+                  | @method_invocation_expr
+                  | @element_access_expr;
+
+conditional_access(
+  unique int id: @qualifiable_expr ref);
+
+expr_argument(
+  unique int id: @expr ref,
+  int mode: int ref);
+  /* mode is the same as params: value = 0, ref = 1, out = 2 */
+
+expr_argument_name(
+  unique int id: @expr ref,
+  varchar(900) name: string ref);
+
+/** CONTROL/DATA FLOW **/
+
+@control_flow_element = @stmt | @expr;
+
+/* XML Files */
+
+xmlEncoding  (
+  unique int id: @file ref,
+  varchar(900) encoding: string ref);
+
+xmlDTDs(
+  unique int id: @xmldtd,
+  varchar(900) root: string ref,
+  varchar(900) publicId: string ref,
+  varchar(900) systemId: string ref,
+  int fileid: @file ref);
+
+xmlElements(
+  unique int id: @xmlelement,
+  varchar(900) name: string ref,
+  int parentid: @xmlparent ref,
+  int idx: int ref,
+  int fileid: @file ref);
+
+xmlAttrs(
+  unique int id: @xmlattribute,
+  int elementid: @xmlelement ref,
+  varchar(900) name: string ref,
+  varchar(3600) value: string ref,
+  int idx: int ref,
+  int fileid: @file ref);
+
+xmlNs(
+  int id: @xmlnamespace,
+  varchar(900) prefixName: string ref,
+  varchar(900) URI: string ref,
+  int fileid: @file ref);
+
+xmlHasNs(
+  int elementId: @xmlnamespaceable ref,
+  int nsId: @xmlnamespace ref,
+  int fileid: @file ref);
+
+xmlComments(
+  unique int id: @xmlcomment,
+  varchar(3600) text: string ref,
+  int parentid: @xmlparent ref,
+  int fileid: @file ref);
+
+xmlChars(
+  unique int id: @xmlcharacters,
+  varchar(3600) text: string ref,
+  int parentid: @xmlparent ref,
+  int idx: int ref,
+  int isCDATA: int ref,
+  int fileid: @file ref);
+
+@xmlparent = @file | @xmlelement;
+@xmlnamespaceable = @xmlelement | @xmlattribute;
+
+xmllocations(
+  int xmlElement: @xmllocatable ref,
+  int location: @location_default ref);
+
+@xmllocatable = @xmlcharacters | @xmlelement | @xmlcomment | @xmlattribute | @xmldtd | @file | @xmlnamespace;
+
+/* Comments */
+
+commentline(
+  unique int id: @commentline,
+  int kind: int ref,
+  varchar(800) text: string ref,
+  varchar(800) rawtext: string ref);
+
+case @commentline.kind of
+  0 = @singlelinecomment
+| 1 = @xmldoccomment
+| 2 = @multilinecomment;
+
+commentline_location(
+  unique int id: @commentline ref,
+  int loc: @location ref);
+
+commentblock(
+  unique int id : @commentblock);
+
+commentblock_location(
+  unique int id: @commentblock ref,
+  int loc: @location ref);
+
+commentblock_binding(
+  int id: @commentblock ref,
+  int entity: @element ref,
+  int bindtype: int ref);    /* 0: Parent, 1: Best, 2: Before, 3: After */
+
+commentblock_child(
+  int id: @commentblock ref,
+  int commentline: @commentline ref,
+  int index: int ref);
+
+/* ASP.NET */
+
+case @asp_element.kind of
+  0=@asp_close_tag
+| 1=@asp_code
+| 2=@asp_comment
+| 3=@asp_data_binding
+| 4=@asp_directive
+| 5=@asp_open_tag
+| 6=@asp_quoted_string
+| 7=@asp_text
+| 8=@asp_xml_directive;
+
+@asp_attribute = @asp_code | @asp_data_binding | @asp_quoted_string;
+
+asp_elements(
+  unique int id: @asp_element,
+  int kind: int ref,
+  int loc: @location ref);
+
+asp_comment_server(unique int comment: @asp_comment ref);
+asp_code_inline(unique int code: @asp_code ref);
+asp_directive_attribute(
+  int directive: @asp_directive ref,
+  int index: int ref,
+  varchar(1000) name: string ref,
+  int value: @asp_quoted_string ref);
+asp_directive_name(
+  unique int directive: @asp_directive ref,
+  varchar(1000) name: string ref);
+asp_element_body(
+  unique int element: @asp_element ref,
+  varchar(1000) body: string ref);
+asp_tag_attribute(
+  int tag: @asp_open_tag ref,
+  int index: int ref,
+  varchar(1000) name: string ref,
+  int attribute: @asp_attribute ref);
+asp_tag_name(
+  unique int tag: @asp_open_tag ref,
+  varchar(1000) name: string ref);
+asp_tag_isempty(int tag: @asp_open_tag ref);
+
+/* Common Intermediate Language - CIL */
+
+case @cil_instruction.opcode of
+  0 = @cil_nop
+| 1 = @cil_break
+| 2 = @cil_ldarg_0
+| 3 = @cil_ldarg_1
+| 4 = @cil_ldarg_2
+| 5 = @cil_ldarg_3
+| 6 = @cil_ldloc_0
+| 7 = @cil_ldloc_1
+| 8 = @cil_ldloc_2
+| 9 = @cil_ldloc_3
+| 10 = @cil_stloc_0
+| 11 = @cil_stloc_1
+| 12 = @cil_stloc_2
+| 13 = @cil_stloc_3
+| 14 = @cil_ldarg_s
+| 15 = @cil_ldarga_s
+| 16 = @cil_starg_s
+| 17 = @cil_ldloc_s
+| 18 = @cil_ldloca_s
+| 19 = @cil_stloc_s
+| 20 = @cil_ldnull
+| 21 = @cil_ldc_i4_m1
+| 22 = @cil_ldc_i4_0
+| 23 = @cil_ldc_i4_1
+| 24 = @cil_ldc_i4_2
+| 25 = @cil_ldc_i4_3
+| 26 = @cil_ldc_i4_4
+| 27 = @cil_ldc_i4_5
+| 28 = @cil_ldc_i4_6
+| 29 = @cil_ldc_i4_7
+| 30 = @cil_ldc_i4_8
+| 31 = @cil_ldc_i4_s
+| 32 = @cil_ldc_i4
+| 33 = @cil_ldc_i8
+| 34 = @cil_ldc_r4
+| 35 = @cil_ldc_r8
+| 37 = @cil_dup
+| 38 = @cil_pop
+| 39 = @cil_jmp
+| 40 = @cil_call
+| 41 = @cil_calli
+| 42 = @cil_ret
+| 43 = @cil_br_s
+| 44 = @cil_brfalse_s
+| 45 = @cil_brtrue_s
+| 46 = @cil_beq_s
+| 47 = @cil_bge_s
+| 48 = @cil_bgt_s
+| 49 = @cil_ble_s
+| 50 = @cil_blt_s
+| 51 = @cil_bne_un_s
+| 52 = @cil_bge_un_s
+| 53 = @cil_bgt_un_s
+| 54 = @cil_ble_un_s
+| 55 = @cil_blt_un_s
+| 56 = @cil_br
+| 57 = @cil_brfalse
+| 58 = @cil_brtrue
+| 59 = @cil_beq
+| 60 = @cil_bge
+| 61 = @cil_bgt
+| 62 = @cil_ble
+| 63 = @cil_blt
+| 64 = @cil_bne_un
+| 65 = @cil_bge_un
+| 66 = @cil_bgt_un
+| 67 = @cil_ble_un
+| 68 = @cil_blt_un
+| 69 = @cil_switch
+| 70 = @cil_ldind_i1
+| 71 = @cil_ldind_u1
+| 72 = @cil_ldind_i2
+| 73 = @cil_ldind_u2
+| 74 = @cil_ldind_i4
+| 75 = @cil_ldind_u4
+| 76 = @cil_ldind_i8
+| 77 = @cil_ldind_i
+| 78 = @cil_ldind_r4
+| 79 = @cil_ldind_r8
+| 80 = @cil_ldind_ref
+| 81 = @cil_stind_ref
+| 82 = @cil_stind_i1
+| 83 = @cil_stind_i2
+| 84 = @cil_stind_i4
+| 85 = @cil_stind_i8
+| 86 = @cil_stind_r4
+| 87 = @cil_stind_r8
+| 88 = @cil_add
+| 89 = @cil_sub
+| 90 = @cil_mul
+| 91 = @cil_div
+| 92 = @cil_div_un
+| 93 = @cil_rem
+| 94 = @cil_rem_un
+| 95 = @cil_and
+| 96 = @cil_or
+| 97 = @cil_xor
+| 98 = @cil_shl
+| 99 = @cil_shr
+| 100 = @cil_shr_un
+| 101 = @cil_neg
+| 102 = @cil_not
+| 103 = @cil_conv_i1
+| 104 = @cil_conv_i2
+| 105 = @cil_conv_i4
+| 106 = @cil_conv_i8
+| 107 = @cil_conv_r4
+| 108 = @cil_conv_r8
+| 109 = @cil_conv_u4
+| 110 = @cil_conv_u8
+| 111 = @cil_callvirt
+| 112 = @cil_cpobj
+| 113 = @cil_ldobj
+| 114 = @cil_ldstr
+| 115 = @cil_newobj
+| 116 = @cil_castclass
+| 117 = @cil_isinst
+| 118 = @cil_conv_r_un
+| 121 = @cil_unbox
+| 122 = @cil_throw
+| 123 = @cil_ldfld
+| 124 = @cil_ldflda
+| 125 = @cil_stfld
+| 126 = @cil_ldsfld
+| 127 = @cil_ldsflda
+| 128 = @cil_stsfld
+| 129 = @cil_stobj
+| 130 = @cil_conv_ovf_i1_un
+| 131 = @cil_conv_ovf_i2_un
+| 132 = @cil_conv_ovf_i4_un
+| 133 = @cil_conv_ovf_i8_un
+| 134 = @cil_conv_ovf_u1_un
+| 135 = @cil_conv_ovf_u2_un
+| 136 = @cil_conv_ovf_u4_un
+| 137 = @cil_conv_ovf_u8_un
+| 138 = @cil_conv_ovf_i_un
+| 139 = @cil_conv_ovf_u_un
+| 140 = @cil_box
+| 141 = @cil_newarr
+| 142 = @cil_ldlen
+| 143 = @cil_ldelema
+| 144 = @cil_ldelem_i1
+| 145 = @cil_ldelem_u1
+| 146 = @cil_ldelem_i2
+| 147 = @cil_ldelem_u2
+| 148 = @cil_ldelem_i4
+| 149 = @cil_ldelem_u4
+| 150 = @cil_ldelem_i8
+| 151 = @cil_ldelem_i
+| 152 = @cil_ldelem_r4
+| 153 = @cil_ldelem_r8
+| 154 = @cil_ldelem_ref
+| 155 = @cil_stelem_i
+| 156 = @cil_stelem_i1
+| 157 = @cil_stelem_i2
+| 158 = @cil_stelem_i4
+| 159 = @cil_stelem_i8
+| 160 = @cil_stelem_r4
+| 161 = @cil_stelem_r8
+| 162 = @cil_stelem_ref
+| 163 = @cil_ldelem
+| 164 = @cil_stelem
+| 165 = @cil_unbox_any
+| 179 = @cil_conv_ovf_i1
+| 180 = @cil_conv_ovf_u1
+| 181 = @cil_conv_ovf_i2
+| 182 = @cil_conv_ovf_u2
+| 183 = @cil_conv_ovf_i4
+| 184 = @cil_conv_ovf_u4
+| 185 = @cil_conv_ovf_i8
+| 186 = @cil_conv_ovf_u8
+| 194 = @cil_refanyval
+| 195 = @cil_ckinfinite
+| 198 = @cil_mkrefany
+| 208 = @cil_ldtoken
+| 209 = @cil_conv_u2
+| 210 = @cil_conv_u1
+| 211 = @cil_conv_i
+| 212 = @cil_conv_ovf_i
+| 213 = @cil_conv_ovf_u
+| 214 = @cil_add_ovf
+| 215 = @cil_add_ovf_un
+| 216 = @cil_mul_ovf
+| 217 = @cil_mul_ovf_un
+| 218 = @cil_sub_ovf
+| 219 = @cil_sub_ovf_un
+| 220 = @cil_endfinally
+| 221 = @cil_leave
+| 222 = @cil_leave_s
+| 223 = @cil_stind_i
+| 224 = @cil_conv_u
+| 65024 = @cil_arglist
+| 65025 = @cil_ceq
+| 65026 = @cil_cgt
+| 65027 = @cil_cgt_un
+| 65028 = @cil_clt
+| 65029 = @cil_clt_un
+| 65030 = @cil_ldftn
+| 65031 = @cil_ldvirtftn
+| 65033 = @cil_ldarg
+| 65034 = @cil_ldarga
+| 65035 = @cil_starg
+| 65036 = @cil_ldloc
+| 65037 = @cil_ldloca
+| 65038 = @cil_stloc
+| 65039 = @cil_localloc
+| 65041 = @cil_endfilter
+| 65042 = @cil_unaligned
+| 65043 = @cil_volatile
+| 65044 = @cil_tail
+| 65045 = @cil_initobj
+| 65046 = @cil_constrained
+| 65047 = @cil_cpblk
+| 65048 = @cil_initblk
+| 65050 = @cil_rethrow
+| 65052 = @cil_sizeof
+| 65053 = @cil_refanytype
+| 65054 = @cil_readonly
+;
+
+// CIL ignored instructions
+
+@cil_ignore = @cil_nop | @cil_break | @cil_volatile | @cil_unaligned;
+
+// CIL local/parameter/field access
+
+@cil_ldarg_any = @cil_ldarg_0 | @cil_ldarg_1 | @cil_ldarg_2 | @cil_ldarg_3 | @cil_ldarg_s | @cil_ldarga_s | @cil_ldarg | @cil_ldarga;
+@cil_starg_any = @cil_starg | @cil_starg_s;
+
+@cil_ldloc_any = @cil_ldloc_0 | @cil_ldloc_1 | @cil_ldloc_2 | @cil_ldloc_3 | @cil_ldloc_s | @cil_ldloca_s | @cil_ldloc | @cil_ldloca;
+@cil_stloc_any = @cil_stloc_0 | @cil_stloc_1 | @cil_stloc_2 | @cil_stloc_3 | @cil_stloc_s | @cil_stloc;
+
+@cil_ldfld_any = @cil_ldfld | @cil_ldsfld | @cil_ldsflda | @cil_ldflda;
+@cil_stfld_any = @cil_stfld | @cil_stsfld;
+
+@cil_local_access = @cil_stloc_any | @cil_ldloc_any;
+@cil_arg_access = @cil_starg_any | @cil_ldarg_any;
+@cil_read_access = @cil_ldloc_any | @cil_ldarg_any | @cil_ldfld_any;
+@cil_write_access = @cil_stloc_any | @cil_starg_any | @cil_stfld_any;
+
+@cil_stack_access = @cil_local_access | @cil_arg_access;
+@cil_field_access = @cil_ldfld_any | @cil_stfld_any;
+
+@cil_access = @cil_read_access | @cil_write_access;
+
+// CIL constant/literal instructions
+
+@cil_ldc_i = @cil_ldc_i4_any | @cil_ldc_i8;
+
+@cil_ldc_i4_any = @cil_ldc_i4_m1 | @cil_ldc_i4_0 | @cil_ldc_i4_1 | @cil_ldc_i4_2 | @cil_ldc_i4_3 |
+  @cil_ldc_i4_4 | @cil_ldc_i4_5 | @cil_ldc_i4_6 | @cil_ldc_i4_7 | @cil_ldc_i4_8 | @cil_ldc_i4_s | @cil_ldc_i4;
+
+@cil_ldc_r = @cil_ldc_r4 | @cil_ldc_r8;
+
+@cil_literal = @cil_ldnull | @cil_ldc_i | @cil_ldc_r | @cil_ldstr;
+
+// Control flow
+
+@cil_conditional_jump = @cil_binary_jump | @cil_unary_jump;
+@cil_binary_jump = @cil_beq_s | @cil_bge_s | @cil_bgt_s | @cil_ble_s | @cil_blt_s |
+    @cil_bne_un_s | @cil_bge_un_s | @cil_bgt_un_s | @cil_ble_un_s | @cil_blt_un_s |
+    @cil_beq | @cil_bge | @cil_bgt | @cil_ble | @cil_blt |
+    @cil_bne_un | @cil_bge_un | @cil_bgt_un | @cil_ble_un | @cil_blt_un;
+@cil_unary_jump = @cil_brfalse_s | @cil_brtrue_s | @cil_brfalse | @cil_brtrue | @cil_switch;
+@cil_unconditional_jump = @cil_br | @cil_br_s | @cil_leave_any;
+@cil_leave_any = @cil_leave | @cil_leave_s;
+@cil_jump = @cil_unconditional_jump | @cil_conditional_jump;
+
+// CIL call instructions
+
+@cil_call_any = @cil_jmp | @cil_call | @cil_calli | @cil_tail | @cil_callvirt | @cil_newobj;
+
+// CIL expression instructions
+
+@cil_expr = @cil_literal | @cil_binary_expr | @cil_unary_expr | @cil_call_any | @cil_read_access |
+  @cil_newarr | @cil_ldtoken | @cil_sizeof |
+  @cil_ldftn | @cil_ldvirtftn | @cil_localloc | @cil_mkrefany | @cil_refanytype | @cil_arglist | @cil_dup;
+
+@cil_unary_expr =
+  @cil_conversion_operation | @cil_unary_arithmetic_operation | @cil_unary_bitwise_operation|
+  @cil_ldlen | @cil_isinst | @cil_box | @cil_ldobj | @cil_castclass | @cil_unbox_any |
+  @cil_ldind | @cil_unbox;
+
+@cil_conversion_operation =
+  @cil_conv_i1 | @cil_conv_i2 | @cil_conv_i4 | @cil_conv_i8 |
+  @cil_conv_u1 | @cil_conv_u2 | @cil_conv_u4 | @cil_conv_u8 |
+  @cil_conv_ovf_i | @cil_conv_ovf_i_un | @cil_conv_ovf_i1 | @cil_conv_ovf_i1_un |
+  @cil_conv_ovf_i2 | @cil_conv_ovf_i2_un | @cil_conv_ovf_i4 | @cil_conv_ovf_i4_un |
+  @cil_conv_ovf_i8 | @cil_conv_ovf_i8_un | @cil_conv_ovf_u | @cil_conv_ovf_u_un |
+  @cil_conv_ovf_u1 | @cil_conv_ovf_u1_un | @cil_conv_ovf_u2 | @cil_conv_ovf_u2_un |
+  @cil_conv_ovf_u4 | @cil_conv_ovf_u4_un | @cil_conv_ovf_u8 | @cil_conv_ovf_u8_un |
+  @cil_conv_r4 | @cil_conv_r8 | @cil_conv_ovf_u2 | @cil_conv_ovf_u2_un |
+  @cil_conv_i | @cil_conv_u | @cil_conv_r_un;
+
+@cil_ldind = @cil_ldind_i | @cil_ldind_i1 | @cil_ldind_i2 | @cil_ldind_i4 | @cil_ldind_i8 |
+  @cil_ldind_r4 | @cil_ldind_r8 | @cil_ldind_ref | @cil_ldind_u1 | @cil_ldind_u2 | @cil_ldind_u4;
+
+@cil_stind = @cil_stind_i | @cil_stind_i1 | @cil_stind_i2 | @cil_stind_i4 | @cil_stind_i8 |
+  @cil_stind_r4 | @cil_stind_r8 | @cil_stind_ref;
+
+@cil_bitwise_operation = @cil_binary_bitwise_operation | @cil_unary_bitwise_operation;
+
+@cil_binary_bitwise_operation = @cil_and | @cil_or | @cil_xor | @cil_shr | @cil_shr | @cil_shr_un | @cil_shl;
+
+@cil_binary_arithmetic_operation = @cil_add | @cil_sub | @cil_mul | @cil_div | @cil_div_un |
+  @cil_rem | @cil_rem_un | @cil_add_ovf | @cil_add_ovf_un | @cil_mul_ovf | @cil_mul_ovf_un |
+  @cil_sub_ovf | @cil_sub_ovf_un;
+
+@cil_unary_bitwise_operation = @cil_not;
+
+@cil_binary_expr = @cil_binary_arithmetic_operation | @cil_binary_bitwise_operation | @cil_read_array | @cil_comparison_operation;
+
+@cil_unary_arithmetic_operation = @cil_neg;
+
+@cil_comparison_operation = @cil_cgt_un | @cil_ceq | @cil_cgt | @cil_clt | @cil_clt_un;
+
+// Elements that retrieve an address of something
+@cil_read_ref = @cil_ldloca_s | @cil_ldarga_s | @cil_ldflda | @cil_ldsflda | @cil_ldelema;
+
+// CIL array instructions
+
+@cil_read_array =
+  @cil_ldelem | @cil_ldelema | @cil_ldelem_i1 | @cil_ldelem_ref | @cil_ldelem_i |
+  @cil_ldelem_i1 | @cil_ldelem_i2 | @cil_ldelem_i4 | @cil_ldelem_i8 | @cil_ldelem_r4 |
+  @cil_ldelem_r8 | @cil_ldelem_u1 | @cil_ldelem_u2 | @cil_ldelem_u4;
+
+@cil_write_array = @cil_stelem | @cil_stelem_ref |
+  @cil_stelem_i | @cil_stelem_i1 | @cil_stelem_i2 | @cil_stelem_i4 | @cil_stelem_i8 |
+  @cil_stelem_r4 | @cil_stelem_r8;
+
+@cil_throw_any = @cil_throw | @cil_rethrow;
+
+#keyset[impl, index]
+cil_instruction(
+  unique int id: @cil_instruction,
+  int opcode: int ref,
+  int index: int ref,
+  int impl: @cil_method_implementation ref);
+
+cil_jump(
+  unique int instruction: @cil_jump ref,
+  int target: @cil_instruction ref);
+
+cil_access(
+  unique int instruction: @cil_instruction ref,
+  int target: @cil_accessible ref);
+
+cil_value(
+  unique int instruction: @cil_literal ref,
+  varchar(900) value: string ref);
+
+#keyset[instruction, index]
+cil_switch(
+  int instruction: @cil_switch ref,
+  int index: int ref,
+  int target: @cil_instruction ref);
+
+cil_instruction_location(
+  unique int id: @cil_instruction ref,
+  int loc: @location ref);
+
+cil_type_location(
+  int id: @cil_type ref,
+  int loc: @location ref);
+
+cil_method_location(
+  int id: @cil_method ref,
+  int loc: @location ref);
+
+@cil_namespace = @namespace;
+
+@cil_type_container = @cil_type | @cil_namespace | @cil_method;
+
+case @cil_type.kind of
+  0 = @cil_valueorreftype
+| 1 = @cil_typeparameter
+| 2 = @cil_array_type
+| 3 = @cil_pointer_type
+;
+
+cil_type(
+  unique int id: @cil_type,
+  varchar(900) name: string ref,
+  int kind: int ref,
+  int parent: @cil_type_container ref,
+  int sourceDecl: @cil_type ref);
+
+cil_pointer_type(
+  unique int id: @cil_pointer_type ref,
+  int pointee: @cil_type ref);
+
+cil_array_type(
+  unique int id: @cil_array_type ref,
+  int element_type: @cil_type ref,
+  int rank: int ref);
+
+cil_method(
+  unique int id: @cil_method,
+  varchar(900) name: string ref,
+  int parent: @cil_type ref,
+  int return_type: @cil_type ref);
+
+cil_method_source_declaration(
+  unique int method: @cil_method ref,
+  int source: @cil_method ref);
+
+cil_method_implementation(
+  unique int id: @cil_method_implementation,
+  int method: @cil_method ref,
+  int location: @assembly ref);
+
+cil_implements(
+  int id: @cil_method ref,
+  int decl: @cil_method ref);
+
+#keyset[parent, name]
+cil_field(
+  unique int id: @cil_field,
+  int parent: @cil_type ref,
+  varchar(900) name: string ref,
+  int field_type: @cil_type ref);
+
+@cil_element = @cil_instruction | @cil_declaration | @cil_handler | @cil_attribute | @cil_namespace;
+@cil_named_element = @cil_declaration | @cil_namespace;
+@cil_declaration = @cil_variable | @cil_method | @cil_type | @cil_member;
+@cil_accessible = @cil_declaration;
+@cil_variable = @cil_field | @cil_stack_variable;
+@cil_stack_variable = @cil_local_variable | @cil_parameter;
+@cil_member = @cil_method | @cil_type | @cil_field | @cil_property | @cil_event;
+
+#keyset[method, index]
+cil_parameter(
+  unique int id: @cil_parameter,
+  int method: @cil_method ref,
+  int index: int ref,
+  int param_type: @cil_type ref);
+
+cil_parameter_in(unique int id: @cil_parameter ref);
+cil_parameter_out(unique int id: @cil_parameter ref);
+
+cil_setter(unique int prop: @cil_property ref,
+  int method: @cil_method ref);
+
+cil_getter(unique int prop: @cil_property ref,
+  int method: @cil_method ref);
+
+cil_adder(unique int event: @cil_event ref,
+  int method: @cil_method ref);
+
+cil_remover(unique int event: @cil_event ref, int method: @cil_method ref);
+
+cil_raiser(unique int event: @cil_event ref, int method: @cil_method ref);
+
+cil_property(
+  unique int id: @cil_property,
+  int parent: @cil_type ref,
+  varchar(900) name: string ref,
+  int property_type: @cil_type ref);
+
+#keyset[parent, name]
+cil_event(unique int id: @cil_event,
+  int parent: @cil_type ref,
+  varchar(900) name: string ref,
+  int event_type: @cil_type ref);
+
+#keyset[impl, index]
+cil_local_variable(
+  unique int id: @cil_local_variable,
+  int impl: @cil_method_implementation ref,
+  int index: int ref,
+  int var_type: @cil_type ref);
+
+// CIL handlers (exception handlers etc).
+
+case @cil_handler.kind of
+  0 = @cil_catch_handler
+| 1 = @cil_filter_handler
+| 2 = @cil_finally_handler
+| 4 = @cil_fault_handler
+;
+
+#keyset[impl, index]
+cil_handler(
+  unique int id: @cil_handler,
+  int impl: @cil_method_implementation ref,
+  int index: int ref,
+  int kind: int ref,
+  int try_start: @cil_instruction ref,
+  int try_end: @cil_instruction ref,
+  int handler_start: @cil_instruction ref);
+
+cil_handler_filter(
+  unique int id: @cil_handler ref,
+  int filter_start: @cil_instruction ref);
+
+cil_handler_type(
+  unique int id: @cil_handler ref,
+  int catch_type: @cil_type ref);
+
+@cil_controlflow_node = @cil_entry_point | @cil_instruction;
+
+@cil_entry_point = @cil_method_implementation | @cil_handler;
+
+@cil_dataflow_node = @cil_instruction | @cil_variable | @cil_method;
+
+cil_method_stack_size(
+  unique int method: @cil_method_implementation ref,
+  int size: int ref);
+
+// CIL modifiers
+
+cil_public(int id: @cil_member ref);
+cil_private(int id: @cil_member ref);
+cil_protected(int id: @cil_member ref);
+cil_internal(int id: @cil_member ref);
+cil_static(int id: @cil_member ref);
+cil_sealed(int id: @cil_member ref);
+cil_virtual(int id: @cil_method ref);
+cil_abstract(int id: @cil_member ref);
+cil_class(int id: @cil_type ref);
+cil_interface(int id: @cil_type ref);
+cil_security(int id: @cil_member ref);
+cil_requiresecobject(int id: @cil_method ref);
+cil_specialname(int id: @cil_method ref);
+cil_newslot(int id: @cil_method ref);
+
+cil_base_class(unique int id: @cil_type ref, int base: @cil_type ref);
+cil_base_interface(int id: @cil_type ref, int base: @cil_type ref);
+
+#keyset[unbound, index]
+cil_type_parameter(
+  int unbound: @cil_member ref,
+  int index: int ref,
+  int param: @cil_typeparameter ref);
+
+#keyset[bound, index]
+cil_type_argument(
+  int bound: @cil_member ref,
+  int index: int ref,
+  int t: @cil_type ref);
+
+// CIL type parameter constraints
+
+cil_typeparam_covariant(int tp: @cil_typeparameter ref);
+cil_typeparam_contravariant(int tp: @cil_typeparameter ref);
+cil_typeparam_class(int tp: @cil_typeparameter ref);
+cil_typeparam_struct(int tp: @cil_typeparameter ref);
+cil_typeparam_new(int tp: @cil_typeparameter ref);
+cil_typeparam_constraint(int tp: @cil_typeparameter ref, int supertype: @cil_type ref);
+
+// CIL attributes
+
+cil_attribute(
+  unique int attributeid: @cil_attribute,
+  int element: @cil_declaration ref,
+  int constructor: @cil_method ref);
+
+#keyset[attribute_id, param]
+cil_attribute_named_argument(
+  int attribute_id: @cil_attribute ref,
+  varchar(100) param: string ref,
+  varchar(900) value: string ref);
+
+#keyset[attribute_id, index]
+cil_attribute_positional_argument(
+  int attribute_id: @cil_attribute ref,
+  int index: int ref,
+  varchar(900) value: string ref);
+
+
+// Common .Net data model covering both C# and CIL
+
+// Common elements
+@dotnet_element = @element | @cil_element;
+@dotnet_named_element = @named_element | @cil_named_element;
+@dotnet_callable = @callable | @cil_method;
+@dotnet_variable = @variable | @cil_variable;
+@dotnet_field = @field | @cil_field;
+@dotnet_parameter = @parameter | @cil_parameter;
+@dotnet_declaration = @declaration | @cil_declaration;
+@dotnet_member = @member | @cil_member;
+@dotnet_event = @event | @cil_event;
+@dotnet_property = @property | @cil_property | @indexer;
+
+// Common types
+@dotnet_type = @type | @cil_type;
+@dotnet_call = @call | @cil_call_any;
+@dotnet_throw = @throw_element | @cil_throw_any;
+@dotnet_valueorreftype = @cil_valueorreftype | @value_or_ref_type | @cil_array_type | @void_type;
+@dotnet_typeparameter = @type_parameter | @cil_typeparameter;
+@dotnet_array_type = @array_type | @cil_array_type;
+@dotnet_pointer_type = @pointer_type | @cil_pointer_type;
+@dotnet_type_parameter = @type_parameter | @cil_typeparameter;
+@dotnet_generic = @dotnet_valueorreftype | @dotnet_callable;
+
+// Attributes
+@dotnet_attribute = @attribute | @cil_attribute;
+
+// Expressions
+@dotnet_expr = @expr | @cil_expr;
+
+// Literals
+@dotnet_literal = @literal_expr | @cil_literal;
+@dotnet_string_literal = @string_literal_expr | @cil_ldstr;
+@dotnet_int_literal = @integer_literal_expr | @cil_ldc_i;
+@dotnet_float_literal = @float_literal_expr | @cil_ldc_r;
+@dotnet_null_literal = @null_literal_expr | @cil_ldnull;
+
+@metadata_entity = @cil_method | @cil_type | @cil_field | @cil_property | @field | @property |
+    @callable | @value_or_ref_type | @void_type;
+
+#keyset[entity, location]
+metadata_handle(int entity : @metadata_entity ref, int location: @assembly ref, int handle: int ref)

From b5633625b37460046eecf649fa6672233fa37ed8 Mon Sep 17 00:00:00 2001
From: yoff <lerchedahl@gmail.com>
Date: Wed, 3 Feb 2021 21:56:03 +0100
Subject: [PATCH 097/429] Update
 python/ql/src/semmle/python/dataflow/new/internal/DataFlowPrivate.qll

Co-authored-by: Rasmus Wriedt Larsen <rasmuswriedtlarsen@gmail.com>
---
 .../semmle/python/dataflow/new/internal/DataFlowPrivate.qll    | 3 ++-
 1 file changed, 2 insertions(+), 1 deletion(-)

diff --git a/python/ql/src/semmle/python/dataflow/new/internal/DataFlowPrivate.qll b/python/ql/src/semmle/python/dataflow/new/internal/DataFlowPrivate.qll
index 2ab91694217..e17305ee355 100644
--- a/python/ql/src/semmle/python/dataflow/new/internal/DataFlowPrivate.qll
+++ b/python/ql/src/semmle/python/dataflow/new/internal/DataFlowPrivate.qll
@@ -1323,7 +1323,8 @@ module IterableUnpacking {
   predicate iterableUnpackingForReadStep(CfgNode nodeFrom, Content c, Node nodeTo) {
     exists(ForTarget target |
       nodeFrom.asExpr() = target.getSource() and
-      nodeTo = TIterableSequenceNode(target.(SequenceNode))
+      target instanceof SequenceNode and
+      nodeTo = TIterableSequenceNode(target)
     ) and
     (
       c instanceof ListElementContent

From a7ca065411166b2c0a388ee225ef95bfe748be88 Mon Sep 17 00:00:00 2001
From: Rasmus Lerchedahl Petersen <yoff@github.com>
Date: Wed, 3 Feb 2021 22:14:15 +0100
Subject: [PATCH 098/429] Python: Fix `ForTarget`

---
 .../dataflow/new/internal/DataFlowPrivate.qll |  2 +-
 .../dataflow/coverage/dataflow.expected       | 44 +++++++++++++++++++
 .../experimental/dataflow/coverage/test.py    |  4 +-
 3 files changed, 47 insertions(+), 3 deletions(-)

diff --git a/python/ql/src/semmle/python/dataflow/new/internal/DataFlowPrivate.qll b/python/ql/src/semmle/python/dataflow/new/internal/DataFlowPrivate.qll
index e17305ee355..10ced3c768c 100644
--- a/python/ql/src/semmle/python/dataflow/new/internal/DataFlowPrivate.qll
+++ b/python/ql/src/semmle/python/dataflow/new/internal/DataFlowPrivate.qll
@@ -1253,7 +1253,7 @@ module IterableUnpacking {
       or
       exists(Comp comp |
         source = comp.getIterable() and
-        this.getNode() = comp.getIterationVariable(0).getAStore()
+        this.getNode() = comp.getNthInnerLoop(0).getTarget()
       )
     }
 
diff --git a/python/ql/test/experimental/dataflow/coverage/dataflow.expected b/python/ql/test/experimental/dataflow/coverage/dataflow.expected
index 978b810ea23..ff3d518d1bc 100644
--- a/python/ql/test/experimental/dataflow/coverage/dataflow.expected
+++ b/python/ql/test/experimental/dataflow/coverage/dataflow.expected
@@ -95,6 +95,26 @@ edges
 | test.py:199:33:199:40 | ControlFlowNode for List [List element] | test.py:199:28:199:28 | SSA variable z |
 | test.py:199:34:199:39 | ControlFlowNode for SOURCE | test.py:199:33:199:40 | ControlFlowNode for List [List element] |
 | test.py:200:10:200:10 | ControlFlowNode for x [List element] | test.py:200:10:200:13 | ControlFlowNode for Subscript |
+| test.py:205:9:205:47 | ControlFlowNode for ListComp [List element] | test.py:206:10:206:10 | ControlFlowNode for x [List element] |
+| test.py:205:10:205:10 | ControlFlowNode for a | test.py:205:9:205:47 | ControlFlowNode for ListComp [List element] |
+| test.py:205:17:205:17 | SSA variable a | test.py:205:10:205:10 | ControlFlowNode for a |
+| test.py:205:17:205:20 | ControlFlowNode for Tuple [Tuple element at index 0] | test.py:205:17:205:17 | SSA variable a |
+| test.py:205:17:205:20 | IterableSequence [Tuple element at index 0] | test.py:205:17:205:20 | ControlFlowNode for Tuple [Tuple element at index 0] |
+| test.py:205:26:205:46 | ControlFlowNode for List [List element, Tuple element at index 0] | test.py:205:17:205:20 | IterableSequence [Tuple element at index 0] |
+| test.py:205:28:205:33 | ControlFlowNode for SOURCE | test.py:205:28:205:44 | ControlFlowNode for Tuple [Tuple element at index 0] |
+| test.py:205:28:205:44 | ControlFlowNode for Tuple [Tuple element at index 0] | test.py:205:26:205:46 | ControlFlowNode for List [List element, Tuple element at index 0] |
+| test.py:206:10:206:10 | ControlFlowNode for x [List element] | test.py:206:10:206:13 | ControlFlowNode for Subscript |
+| test.py:210:9:210:51 | ControlFlowNode for ListComp [List element] | test.py:211:10:211:10 | ControlFlowNode for x [List element] |
+| test.py:210:10:210:10 | ControlFlowNode for a [List element] | test.py:210:10:210:13 | ControlFlowNode for Subscript |
+| test.py:210:10:210:13 | ControlFlowNode for Subscript | test.py:210:9:210:51 | ControlFlowNode for ListComp [List element] |
+| test.py:210:20:210:21 | IterableElement | test.py:210:20:210:21 | SSA variable a [List element] |
+| test.py:210:20:210:21 | SSA variable a [List element] | test.py:210:10:210:10 | ControlFlowNode for a [List element] |
+| test.py:210:20:210:24 | ControlFlowNode for Tuple [Tuple element at index 0] | test.py:210:20:210:21 | IterableElement |
+| test.py:210:20:210:24 | IterableSequence [Tuple element at index 0] | test.py:210:20:210:24 | ControlFlowNode for Tuple [Tuple element at index 0] |
+| test.py:210:30:210:50 | ControlFlowNode for List [List element, Tuple element at index 0] | test.py:210:20:210:24 | IterableSequence [Tuple element at index 0] |
+| test.py:210:32:210:37 | ControlFlowNode for SOURCE | test.py:210:32:210:48 | ControlFlowNode for Tuple [Tuple element at index 0] |
+| test.py:210:32:210:48 | ControlFlowNode for Tuple [Tuple element at index 0] | test.py:210:30:210:50 | ControlFlowNode for List [List element, Tuple element at index 0] |
+| test.py:211:10:211:10 | ControlFlowNode for x [List element] | test.py:211:10:211:13 | ControlFlowNode for Subscript |
 | test.py:349:11:349:16 | ControlFlowNode for SOURCE | test.py:349:11:349:17 | ControlFlowNode for Tuple [Tuple element at index 0] |
 | test.py:349:11:349:17 | ControlFlowNode for Tuple [Tuple element at index 0] | test.py:349:10:349:21 | ControlFlowNode for Subscript |
 | test.py:353:10:353:17 | ControlFlowNode for List [List element] | test.py:353:10:353:20 | ControlFlowNode for Subscript |
@@ -440,6 +460,28 @@ nodes
 | test.py:199:34:199:39 | ControlFlowNode for SOURCE | semmle.label | ControlFlowNode for SOURCE |
 | test.py:200:10:200:10 | ControlFlowNode for x [List element] | semmle.label | ControlFlowNode for x [List element] |
 | test.py:200:10:200:13 | ControlFlowNode for Subscript | semmle.label | ControlFlowNode for Subscript |
+| test.py:205:9:205:47 | ControlFlowNode for ListComp [List element] | semmle.label | ControlFlowNode for ListComp [List element] |
+| test.py:205:10:205:10 | ControlFlowNode for a | semmle.label | ControlFlowNode for a |
+| test.py:205:17:205:17 | SSA variable a | semmle.label | SSA variable a |
+| test.py:205:17:205:20 | ControlFlowNode for Tuple [Tuple element at index 0] | semmle.label | ControlFlowNode for Tuple [Tuple element at index 0] |
+| test.py:205:17:205:20 | IterableSequence [Tuple element at index 0] | semmle.label | IterableSequence [Tuple element at index 0] |
+| test.py:205:26:205:46 | ControlFlowNode for List [List element, Tuple element at index 0] | semmle.label | ControlFlowNode for List [List element, Tuple element at index 0] |
+| test.py:205:28:205:33 | ControlFlowNode for SOURCE | semmle.label | ControlFlowNode for SOURCE |
+| test.py:205:28:205:44 | ControlFlowNode for Tuple [Tuple element at index 0] | semmle.label | ControlFlowNode for Tuple [Tuple element at index 0] |
+| test.py:206:10:206:10 | ControlFlowNode for x [List element] | semmle.label | ControlFlowNode for x [List element] |
+| test.py:206:10:206:13 | ControlFlowNode for Subscript | semmle.label | ControlFlowNode for Subscript |
+| test.py:210:9:210:51 | ControlFlowNode for ListComp [List element] | semmle.label | ControlFlowNode for ListComp [List element] |
+| test.py:210:10:210:10 | ControlFlowNode for a [List element] | semmle.label | ControlFlowNode for a [List element] |
+| test.py:210:10:210:13 | ControlFlowNode for Subscript | semmle.label | ControlFlowNode for Subscript |
+| test.py:210:20:210:21 | IterableElement | semmle.label | IterableElement |
+| test.py:210:20:210:21 | SSA variable a [List element] | semmle.label | SSA variable a [List element] |
+| test.py:210:20:210:24 | ControlFlowNode for Tuple [Tuple element at index 0] | semmle.label | ControlFlowNode for Tuple [Tuple element at index 0] |
+| test.py:210:20:210:24 | IterableSequence [Tuple element at index 0] | semmle.label | IterableSequence [Tuple element at index 0] |
+| test.py:210:30:210:50 | ControlFlowNode for List [List element, Tuple element at index 0] | semmle.label | ControlFlowNode for List [List element, Tuple element at index 0] |
+| test.py:210:32:210:37 | ControlFlowNode for SOURCE | semmle.label | ControlFlowNode for SOURCE |
+| test.py:210:32:210:48 | ControlFlowNode for Tuple [Tuple element at index 0] | semmle.label | ControlFlowNode for Tuple [Tuple element at index 0] |
+| test.py:211:10:211:10 | ControlFlowNode for x [List element] | semmle.label | ControlFlowNode for x [List element] |
+| test.py:211:10:211:13 | ControlFlowNode for Subscript | semmle.label | ControlFlowNode for Subscript |
 | test.py:349:10:349:21 | ControlFlowNode for Subscript | semmle.label | ControlFlowNode for Subscript |
 | test.py:349:11:349:16 | ControlFlowNode for SOURCE | semmle.label | ControlFlowNode for SOURCE |
 | test.py:349:11:349:17 | ControlFlowNode for Tuple [Tuple element at index 0] | semmle.label | ControlFlowNode for Tuple [Tuple element at index 0] |
@@ -722,6 +764,8 @@ nodes
 | test.py:184:10:184:13 | ControlFlowNode for Subscript | test.py:183:23:183:28 | ControlFlowNode for SOURCE | test.py:184:10:184:13 | ControlFlowNode for Subscript | Flow found |
 | test.py:189:10:189:13 | ControlFlowNode for Subscript | test.py:188:25:188:30 | ControlFlowNode for SOURCE | test.py:189:10:189:13 | ControlFlowNode for Subscript | Flow found |
 | test.py:200:10:200:13 | ControlFlowNode for Subscript | test.py:199:34:199:39 | ControlFlowNode for SOURCE | test.py:200:10:200:13 | ControlFlowNode for Subscript | Flow found |
+| test.py:206:10:206:13 | ControlFlowNode for Subscript | test.py:205:28:205:33 | ControlFlowNode for SOURCE | test.py:206:10:206:13 | ControlFlowNode for Subscript | Flow found |
+| test.py:211:10:211:13 | ControlFlowNode for Subscript | test.py:210:32:210:37 | ControlFlowNode for SOURCE | test.py:211:10:211:13 | ControlFlowNode for Subscript | Flow found |
 | test.py:349:10:349:21 | ControlFlowNode for Subscript | test.py:349:11:349:16 | ControlFlowNode for SOURCE | test.py:349:10:349:21 | ControlFlowNode for Subscript | Flow found |
 | test.py:353:10:353:20 | ControlFlowNode for Subscript | test.py:353:11:353:16 | ControlFlowNode for SOURCE | test.py:353:10:353:20 | ControlFlowNode for Subscript | Flow found |
 | test.py:357:10:357:27 | ControlFlowNode for Subscript | test.py:357:16:357:21 | ControlFlowNode for SOURCE | test.py:357:10:357:27 | ControlFlowNode for Subscript | Flow found |
diff --git a/python/ql/test/experimental/dataflow/coverage/test.py b/python/ql/test/experimental/dataflow/coverage/test.py
index 0da8b40b274..2fdf9a9984d 100644
--- a/python/ql/test/experimental/dataflow/coverage/test.py
+++ b/python/ql/test/experimental/dataflow/coverage/test.py
@@ -203,12 +203,12 @@ def test_nested_comprehension_paren():
 # Iterable unpacking in comprehensions
 def test_unpacking_comprehension():
     x = [a for (a, b) in [(SOURCE, NONSOURCE)]]
-    SINK(x[0]) #$ MISSING:flow="SOURCE, l:-1 -> x[0]"
+    SINK(x[0]) #$ flow="SOURCE, l:-1 -> x[0]"
 
 
 def test_star_unpacking_comprehension():
     x = [a[0] for (*a, b) in [(SOURCE, NONSOURCE)]]
-    SINK(x[0]) #$ MISSING:flow="SOURCE, l:-1 -> x[0]"
+    SINK(x[0]) #$ flow="SOURCE, l:-1 -> x[0]"
 
 
 # 6.2.8. Generator expressions

From ebfb1faf779f45a063da91a8db21bd711bf83aaf Mon Sep 17 00:00:00 2001
From: Taus Brock-Nannestad <tausbn@github.com>
Date: Wed, 3 Feb 2021 22:26:46 +0100
Subject: [PATCH 099/429] Python: Autoformat

---
 python/ql/src/semmle/python/ApiGraphs.qll | 6 +++---
 1 file changed, 3 insertions(+), 3 deletions(-)

diff --git a/python/ql/src/semmle/python/ApiGraphs.qll b/python/ql/src/semmle/python/ApiGraphs.qll
index 54ae9f86875..6928d83477a 100644
--- a/python/ql/src/semmle/python/ApiGraphs.qll
+++ b/python/ql/src/semmle/python/ApiGraphs.qll
@@ -196,11 +196,11 @@ module API {
   /** Gets the root node. */
   Root root() { any() }
 
-  /** 
-   * Gets a node corresponding to an import of module `m`. 
+  /**
+   * Gets a node corresponding to an import of module `m`.
    *
    * Note: You should only use this predicate for top level modules. If you want nodes corresponding to a submodule,
-   * you should use `.getMember` on the parent module. For example, for nodes corresponding to the module `foo.bar`, 
+   * you should use `.getMember` on the parent module. For example, for nodes corresponding to the module `foo.bar`,
    * use `moduleImport("foo").getMember("bar")`.
    */
   Node moduleImport(string m) { result = Impl::MkModuleImport(m) }

From ba98b08001886288414f96511d5d284dc9c4c0b6 Mon Sep 17 00:00:00 2001
From: Taus Brock-Nannestad <tausbn@github.com>
Date: Wed, 3 Feb 2021 22:31:33 +0100
Subject: [PATCH 100/429] Python: Further elaboration of `use/3`

---
 python/ql/src/semmle/python/ApiGraphs.qll | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)

diff --git a/python/ql/src/semmle/python/ApiGraphs.qll b/python/ql/src/semmle/python/ApiGraphs.qll
index 6928d83477a..49f1ee1303c 100644
--- a/python/ql/src/semmle/python/ApiGraphs.qll
+++ b/python/ql/src/semmle/python/ApiGraphs.qll
@@ -290,7 +290,7 @@ module API {
       exists(DataFlow::LocalSourceNode src, DataFlow::LocalSourceNode pred |
         // First, we find a predecessor of the node `ref` that we want to determine. The predecessor
         // is any node that is a type-tracked use of a data flow node (`src`), which is itself a
-        // reference to the API node `base`.
+        // reference to the API node `base`. Thus, `pred` and `src` both represent uses of `base`.
         //
         // Once we have identified the predecessor, we define its relation to the successor `ref` as
         // well as the label on the edge from `pred` to `ref`. This label describes the nature of

From 5974af661e1c8d11aa92c5fb36ee41e10f616202 Mon Sep 17 00:00:00 2001
From: Taus Brock-Nannestad <tausbn@github.com>
Date: Wed, 3 Feb 2021 22:43:21 +0100
Subject: [PATCH 101/429] Python: Update test file

Makes the `a.b.c.d` test more sensible.

Also adds a test that shows a case where we're currently _not_ getting
the right flow.
---
 .../experimental/dataflow/ApiGraphs/test.py   | 39 +++++++++++++++++--
 1 file changed, 36 insertions(+), 3 deletions(-)

diff --git a/python/ql/test/experimental/dataflow/ApiGraphs/test.py b/python/ql/test/experimental/dataflow/ApiGraphs/test.py
index c361e3a169f..8137066ad6f 100644
--- a/python/ql/test/experimental/dataflow/ApiGraphs/test.py
+++ b/python/ql/test/experimental/dataflow/ApiGraphs/test.py
@@ -22,13 +22,46 @@ abc = ab.c #$ use=moduleImport("a").getMember("b").getMember("c")
 
 abcd = abc.d #$ use=moduleImport("a").getMember("b").getMember("c").getMember("d")
 
-x5 = abcd() #$ use=moduleImport("a").getMember("b").getMember("c").getMember("d").getReturn()
+x5 = abcd.method() #$ use=moduleImport("a").getMember("b").getMember("c").getMember("d").getMember("method").getReturn()
 
-y5 = x5.method() #$ use=moduleImport("a").getMember("b").getMember("c").getMember("d").getReturn().getMember("method").getReturn()
+from a6 import m6 #$ use=moduleImport("a6").getMember("m6")
+
+x6 = m6().foo().bar() #$ use=moduleImport("a6").getMember("m6").getReturn().getMember("foo").getReturn().getMember("bar").getReturn()
 
 
 # Relative imports. These are ignored
 
 from .foo import bar
 
-from ..foobar import baz
\ No newline at end of file
+from ..foobar import baz
+
+
+# Use of imports across scopes
+
+def use_m4():
+    x = m4.blah4 #$ use=moduleImport("a4").getMember("b4").getMember("c4").getMember("blah4")
+
+def local_import_use():
+    from foo import bar #$ use=moduleImport("foo").getMember("bar")
+
+    x = bar() #$ use=moduleImport("foo").getMember("bar").getReturn()
+
+from eggs import ham as spam #$ use=moduleImport("eggs").getMember("ham")
+
+def bbb():
+    f = spam #$ use=moduleImport("eggs").getMember("ham")
+
+from danger import SOURCE #$ use=moduleImport("danger").getMember("SOURCE")
+
+foo = SOURCE #$ use=moduleImport("danger").getMember("SOURCE")
+
+def change_foo():
+    global foo
+    foo = SOURCE #$ use=moduleImport("danger").getMember("SOURCE")
+
+def f():
+    global foo
+    sink(foo) #$ use=moduleImport("danger").getMember("SOURCE")
+    foo = NONSOURCE
+    change_foo()
+    sink(foo) #$ MISSING: use=moduleImport("danger").getMember("SOURCE")

From 5e1e27c2b6b3429623b66531d4fe0b090e70638a Mon Sep 17 00:00:00 2001
From: "Raul Garcia (MSFT)" <raul.garcia@microsoft.com>
Date: Wed, 3 Feb 2021 15:12:31 -0800
Subject: [PATCH 102/429] Adding queries related to the Solorigate campaign

---
 .../backdoor/DangerousNativeFunctionCall.ql   |  53 ++++++
 .../DangerousNativeFunctionCall.qlhelp        |   8 +
 .../backdoor/PotentialTimeBomb.ql             | 153 ++++++++++++++++
 .../backdoor/ProcessNameToHashTaintFlow.ql    |  57 ++++++
 .../ProcessNameToHashTaintFlow.qlhelp         |   9 +
 .../campaign/Solorigate-Readme.md             | 121 +++++++++++++
 .../ModifedFnvFunctionDetection.qhelp         |  12 ++
 .../Solorigate/ModifedFnvFunctionDetection.ql |  32 ++++
 .../NumberOfKnownCommandsAboveThreshold.qhelp |  12 ++
 .../NumberOfKnownCommandsAboveThreshold.ql    |  20 +++
 .../NumberOfKnownHashesAboveThreshold.qhelp   |  13 ++
 .../NumberOfKnownHashesAboveThreshold.ql      |  23 +++
 .../NumberOfKnownLiteralsAboveThreshold.qhelp |  13 ++
 .../NumberOfKnownLiteralsAboveThreshold.ql    |  23 +++
 ...mberOfKnownMethodNamesAboveThreshold.qhelp |  13 ++
 .../NumberOfKnownMethodNamesAboveThreshold.ql |  23 +++
 .../campaign/Solorigate/Solorigate.qhelp      |  13 ++
 .../campaign/Solorigate/Solorigate.qll        | 163 ++++++++++++++++++
 .../SwallowEverythingExceptionHandler.qhelp   |  12 ++
 .../SwallowEverythingExceptionHandler.ql      |  30 ++++
 .../Cryptography/NonCryptographicHashes.qll   | 108 ++++++++++++
 21 files changed, 911 insertions(+)
 create mode 100644 csharp/ql/src/experimental/Security Features/backdoor/DangerousNativeFunctionCall.ql
 create mode 100644 csharp/ql/src/experimental/Security Features/backdoor/DangerousNativeFunctionCall.qlhelp
 create mode 100644 csharp/ql/src/experimental/Security Features/backdoor/PotentialTimeBomb.ql
 create mode 100644 csharp/ql/src/experimental/Security Features/backdoor/ProcessNameToHashTaintFlow.ql
 create mode 100644 csharp/ql/src/experimental/Security Features/backdoor/ProcessNameToHashTaintFlow.qlhelp
 create mode 100644 csharp/ql/src/experimental/Security Features/campaign/Solorigate-Readme.md
 create mode 100644 csharp/ql/src/experimental/Security Features/campaign/Solorigate/ModifedFnvFunctionDetection.qhelp
 create mode 100644 csharp/ql/src/experimental/Security Features/campaign/Solorigate/ModifedFnvFunctionDetection.ql
 create mode 100644 csharp/ql/src/experimental/Security Features/campaign/Solorigate/NumberOfKnownCommandsAboveThreshold.qhelp
 create mode 100644 csharp/ql/src/experimental/Security Features/campaign/Solorigate/NumberOfKnownCommandsAboveThreshold.ql
 create mode 100644 csharp/ql/src/experimental/Security Features/campaign/Solorigate/NumberOfKnownHashesAboveThreshold.qhelp
 create mode 100644 csharp/ql/src/experimental/Security Features/campaign/Solorigate/NumberOfKnownHashesAboveThreshold.ql
 create mode 100644 csharp/ql/src/experimental/Security Features/campaign/Solorigate/NumberOfKnownLiteralsAboveThreshold.qhelp
 create mode 100644 csharp/ql/src/experimental/Security Features/campaign/Solorigate/NumberOfKnownLiteralsAboveThreshold.ql
 create mode 100644 csharp/ql/src/experimental/Security Features/campaign/Solorigate/NumberOfKnownMethodNamesAboveThreshold.qhelp
 create mode 100644 csharp/ql/src/experimental/Security Features/campaign/Solorigate/NumberOfKnownMethodNamesAboveThreshold.ql
 create mode 100644 csharp/ql/src/experimental/Security Features/campaign/Solorigate/Solorigate.qhelp
 create mode 100644 csharp/ql/src/experimental/Security Features/campaign/Solorigate/Solorigate.qll
 create mode 100644 csharp/ql/src/experimental/Security Features/campaign/Solorigate/SwallowEverythingExceptionHandler.qhelp
 create mode 100644 csharp/ql/src/experimental/Security Features/campaign/Solorigate/SwallowEverythingExceptionHandler.ql
 create mode 100644 csharp/ql/src/microsoft/code/csharp/Cryptography/NonCryptographicHashes.qll

diff --git a/csharp/ql/src/experimental/Security Features/backdoor/DangerousNativeFunctionCall.ql b/csharp/ql/src/experimental/Security Features/backdoor/DangerousNativeFunctionCall.ql
new file mode 100644
index 00000000000..cbc42c41ddb
--- /dev/null
+++ b/csharp/ql/src/experimental/Security Features/backdoor/DangerousNativeFunctionCall.ql	
@@ -0,0 +1,53 @@
+/**
+ * @name Potential dangerous use of native functions
+ * @description Please review code for possible malicious intent or unsafe handling.
+ * @kind problem
+ * @problem.severity warning
+ * @precision low
+ * @id cs/backdoor/dangerous-native-functions
+ * @tags security
+ *       solorigate
+ */
+
+import csharp
+import semmle.code.csharp.frameworks.system.runtime.InteropServices
+
+predicate isDangerousMethod(Method m) {
+  m.getName() = "OpenProcessToken" or
+  m.getName() = "OpenThreadToken" or
+  m.getName() = "DuplicateToken" or
+  m.getName() = "DuplicateTokenEx" or
+  m.getName().matches("LogonUser%") or
+  m.getName().matches("WNetAddConnection%") or
+  m.getName() = "DeviceIoControl" or
+  m.getName().matches ("LoadLibrary%") or
+  m.getName() = "GetProcAddress" or
+  m.getName().matches ("CreateProcess%") or
+  m.getName().matches ("InitiateSystemShutdown%") or
+  m.getName() = "GetCurrentProcess" or
+  m.getName() = "GetCurrentProcessToken" or
+  m.getName() = "GetCurrentThreadToken" or
+  m.getName() = "GetCurrentThreadEffectiveToken" or
+  m.getName() = "OpenThreadToken" or
+  m.getName() = "SetTokenInformation" or
+  m.getName().matches ("LookupPrivilegeValue%") or
+  m.getName() = "AdjustTokenPrivileges" or
+  m.getName() = "SetProcessPrivilege" or
+  m.getName() = "ImpersonateLoggedOnUser" or
+  m.getName().matches ("Add%Ace%")
+}
+
+predicate isExternMethod(Method externMethod) {
+  externMethod.isExtern()
+  or
+  externMethod.getAnAttribute().getType() instanceof
+      SystemRuntimeInteropServicesDllImportAttributeClass
+  or
+  externMethod.getDeclaringType().getAnAttribute().getType() instanceof
+      SystemRuntimeInteropServicesComImportAttributeClass
+}
+  
+from MethodCall mc
+where isExternMethod(mc.getTarget()) 
+and isDangerousMethod(mc.getTarget())
+select mc, "Call to an external method $@", mc, mc.toString()
\ No newline at end of file
diff --git a/csharp/ql/src/experimental/Security Features/backdoor/DangerousNativeFunctionCall.qlhelp b/csharp/ql/src/experimental/Security Features/backdoor/DangerousNativeFunctionCall.qlhelp
new file mode 100644
index 00000000000..8d1aff62988
--- /dev/null
+++ b/csharp/ql/src/experimental/Security Features/backdoor/DangerousNativeFunctionCall.qlhelp	
@@ -0,0 +1,8 @@
+<!DOCTYPE qhelp PUBLIC
+  "-//Semmle//qhelp//EN"
+  "qhelp.dtd">
+<qhelp>
+  <overview>
+    <p>This query finds native calls to external functions that are often used in creating backdoors or are generally attributed to unsafe code practices.</p>
+  </overview>
+</qhelp>
\ No newline at end of file
diff --git a/csharp/ql/src/experimental/Security Features/backdoor/PotentialTimeBomb.ql b/csharp/ql/src/experimental/Security Features/backdoor/PotentialTimeBomb.ql
new file mode 100644
index 00000000000..367ec6955e2
--- /dev/null
+++ b/csharp/ql/src/experimental/Security Features/backdoor/PotentialTimeBomb.ql	
@@ -0,0 +1,153 @@
+/**
+ * @name Potential Timebomb
+ * @description Flow from a file last modification date (very likely implant installation time) and an offset to condition statement (the trigger)
+ * @kind problem
+ * @precision Low
+ * @problem.severity warning
+ * @id cs/backdoor/potential-time-bomb
+ * @tags security
+ *       solorigate
+ */
+
+import csharp
+import DataFlow
+
+/**
+ * Class that will help to find the source for the trigger file-modification date.
+ * 
+ * May be extended as new patterns for similar time bombs are found.
+ */
+class GetLastWriteTimeMethod extends Method {
+	GetLastWriteTimeMethod() {
+		this.getQualifiedName() in [ "System.IO.File.GetLastWriteTime", "System.IO.File.GetFileCreationTime", "System.IO.File.GetCreationTimeUtc", "System.IO.File.GetLastAccessTimeUtc" ]
+	}
+}
+
+/**
+ * Abstracts `System.DateTime` structure
+ */
+class DateTimeStruct extends Struct {
+	DateTimeStruct() {
+		this.getQualifiedName() = "System.DateTime"
+	}
+	
+	/**
+	 * holds if the Callable is used for DateTime arithmetic operations
+	 */
+	Callable getATimeSpanArtithmeticCallable() {
+		( result = this.getAnOperator() or result = this.getAMethod()) and
+		( result.getName() in ["Add", "AddDays", "AddHours", "AddMilliseconds", "AddMinutes", "AddMonths", "AddSeconds", "AddTicks", "AddYears", "+", "-"] )
+	}
+
+	/**
+	 * Holds if the Callable is used for DateTime comparision
+	 */
+	Callable getAComparisonCallable() {
+		( result = this.getAnOperator() or result = this.getAMethod()) and
+		( result.getName() in ["Compare", "CompareTo", "Equals", "==", "!=", "<", ">", "<=", ">="] )
+	}
+}
+
+/**
+ * Dataflow configuration to find flow from a GetLastWriteTime source to a DateTime arithmetic operation 
+ */
+private class FlowsFromGetLastWriteTimeConfigToTimeSpanArithmeticCallable extends TaintTracking::Configuration {
+  FlowsFromGetLastWriteTimeConfigToTimeSpanArithmeticCallable() {
+    this = "FlowsFromGetLastWriteTimeConfigToTimeSpanArithmeticCallable"
+  }
+
+  override
+  predicate isSource(DataFlow::Node source) {
+    exists( Call call, GetLastWriteTimeMethod m |
+    	m.getACall() = call and
+    	source.asExpr() = call
+    )
+  }
+
+  override
+  predicate isSink(DataFlow::Node sink) {
+    exists( Call call, DateTimeStruct dateTime |
+    	call.getAChild*() = sink.asExpr() and
+    	call = dateTime.getATimeSpanArtithmeticCallable().getACall()
+    )
+  }
+}
+
+/**
+ * Dataflow configuration to find flow from a DateTime arithmetic operation to a DateTime comparison operation 
+ */
+private class FlowsFromTimeSpanArithmeticToTimeComparisonCallable extends TaintTracking::Configuration {
+  FlowsFromTimeSpanArithmeticToTimeComparisonCallable() {
+    this = "FlowsFromTimeSpanArithmeticToTimeComparisonCallable"
+  }
+
+  override
+  predicate isSource(DataFlow::Node source) {
+    exists( DateTimeStruct dateTime, Call call |
+    	source.asExpr() = call | 
+    	call = dateTime.getATimeSpanArtithmeticCallable().getACall()
+    )
+  }
+
+  override
+  predicate isSink(DataFlow::Node sink) {
+    exists( Call call, DateTimeStruct dateTime |
+    	call.getAnArgument().getAChild*() = sink.asExpr() and
+    	call = dateTime.getAComparisonCallable().getACall()
+    )
+  
+  }
+}
+
+/**
+ * Dataflow configuration to find flow from a DateTime comparison operation to a Selection Statement (such as an If) 
+ */
+private class FlowsFromTimeComparisonCallableToSelectionStatementCondition extends TaintTracking::Configuration {
+  FlowsFromTimeComparisonCallableToSelectionStatementCondition() {
+    this = "FlowsFromTimeComparisonCallableToSelectionStatementCondition"
+  }
+
+  override
+  predicate isSource(DataFlow::Node source) {
+    exists( DateTimeStruct dateTime, Call call |
+    	source.asExpr() = call | 
+    	call = dateTime.getAComparisonCallable().getACall()
+    )
+  }
+
+  override
+  predicate isSink(DataFlow::Node sink) {
+    exists( SelectionStmt sel |
+    	sel.getCondition().getAChild*() = sink.asExpr()
+    )
+  
+  }
+}
+
+/**
+ * Holds if the last file modification date from the call to getLastWriteTimeMethodCall will be used in a DateTime arithmetic operation timeArithmeticCall,
+ * which is then used for a DateTime comparison timeComparisonCall and the result flows to a Selection statement which is likely a TimeBomb trigger 
+ */
+predicate isPotentialTimeBomb( Call getLastWriteTimeMethodCall, Call timeArithmeticCall, Call timeComparisonCall, SelectionStmt selStatement ) {
+	exists( FlowsFromGetLastWriteTimeConfigToTimeSpanArithmeticCallable config1, Node sink, DateTimeStruct dateTime,
+			FlowsFromTimeSpanArithmeticToTimeComparisonCallable config2, Node sink2,
+			FlowsFromTimeComparisonCallableToSelectionStatementCondition config3, Node sink3 |
+  	  	config1.hasFlow(exprNode(getLastWriteTimeMethodCall), sink) and 
+		timeArithmeticCall = dateTime.getATimeSpanArtithmeticCallable().getACall() and
+		timeArithmeticCall.getAChild*() = sink.asExpr() and 
+		config2.hasFlow(exprNode(timeArithmeticCall), sink2) and 
+		timeComparisonCall = dateTime.getAComparisonCallable().getACall() and 
+		timeComparisonCall.getAnArgument().getAChild*() = sink2.asExpr() and
+		config3.hasFlow(exprNode(timeComparisonCall), sink3) and
+		selStatement.getCondition().getAChild*() = sink3.asExpr()
+	)
+}
+
+from Call getLastWriteTimeMethodCall, Call timeArithmeticCall, Call timeComparisonCall, SelectionStmt selStatement
+where isPotentialTimeBomb( getLastWriteTimeMethodCall, timeArithmeticCall, timeComparisonCall, selStatement )
+select selStatement, "Possible TimeBomb logic triggered by $@ that takes into account $@ from the $@ as part of the potential trigger."
+	, timeComparisonCall, timeComparisonCall.toString() 
+ 	, timeArithmeticCall, "an offset"
+   	,getLastWriteTimeMethodCall, "last modification time of a file"
+ 
+
diff --git a/csharp/ql/src/experimental/Security Features/backdoor/ProcessNameToHashTaintFlow.ql b/csharp/ql/src/experimental/Security Features/backdoor/ProcessNameToHashTaintFlow.ql
new file mode 100644
index 00000000000..63085f75ddc
--- /dev/null
+++ b/csharp/ql/src/experimental/Security Features/backdoor/ProcessNameToHashTaintFlow.ql	
@@ -0,0 +1,57 @@
+/**
+ * @name ProcessName to hash function flow
+ * @description Flow from a function retrieving process name to a hash function
+ * @kind problem
+ * @tags security
+ *       solorigate
+ * @problem.severity warning
+ * @precision medium
+ * @id cs/backdoor/process-name-to-hash-function
+ */
+
+import csharp
+import DataFlow
+import microsoft.code.csharp.Cryptography.NonCryptographicHashes
+
+class DataFlowFromMethodToHash extends TaintTracking::Configuration {
+	DataFlowFromMethodToHash() {
+		this = "DataFlowFromMethodNameToHashFunction"
+	}
+  /**
+   * Holds if `source` is a relevant data flow source.
+   */
+  override predicate isSource(Node source)
+  {
+    isSuspiciousPropertyName(source.asExpr())
+  }
+
+  /**
+   * Holds if `sink` is a relevant data flow sink.
+   */
+  override predicate isSink(Node sink)
+  {
+    isGetHash(sink.asExpr())
+  }
+}
+
+predicate isGetHash(Expr arg) {
+  exists (MethodCall mc | 
+  (mc.getTarget().getName().matches ("%Hash%") or
+   mc.getTarget().getName().regexpMatch("Md[4-5]|Sha[1-9]{1,3}")
+  )
+  and 
+  mc.getAnArgument() = arg) or 
+  exists( Callable callable, Parameter param, Call call, int i |
+  	isCallableAPotentialNonCryptographicHashFunction( callable, param ) and 
+  	callable.getParameter(i) = param and
+  	call = callable.getACall() and
+  	call.getArgument(i) = arg)
+}
+
+predicate isSuspiciousPropertyName(PropertyRead pr) {
+	pr.getTarget().getQualifiedName() = "System.Diagnostics.Process.ProcessName"	
+}
+
+from Node src, Node sink, DataFlowFromMethodToHash conf
+where conf.hasFlow(src, sink)
+select src, "The hash is calculated on the process name $@, may be related to a backdoor. Please review the code for possible malicious intent.", sink, "here"
\ No newline at end of file
diff --git a/csharp/ql/src/experimental/Security Features/backdoor/ProcessNameToHashTaintFlow.qlhelp b/csharp/ql/src/experimental/Security Features/backdoor/ProcessNameToHashTaintFlow.qlhelp
new file mode 100644
index 00000000000..39d21b32b72
--- /dev/null
+++ b/csharp/ql/src/experimental/Security Features/backdoor/ProcessNameToHashTaintFlow.qlhelp	
@@ -0,0 +1,9 @@
+<!DOCTYPE qhelp PUBLIC
+  "-//Semmle//qhelp//EN"
+  "qhelp.dtd">
+<qhelp>
+  <overview>
+    <p>This query detects code flow from PorcessName property on the Process class into a hash function.</p>
+    <p>Such flow is often used in code backdoors to detect runnig processes and compare them to an obfuscated list of antivirus processes to aviod detection.</p>
+  </overview>
+</qhelp>
\ No newline at end of file
diff --git a/csharp/ql/src/experimental/Security Features/campaign/Solorigate-Readme.md b/csharp/ql/src/experimental/Security Features/campaign/Solorigate-Readme.md
new file mode 100644
index 00000000000..471fd9ed6f8
--- /dev/null
+++ b/csharp/ql/src/experimental/Security Features/campaign/Solorigate-Readme.md	
@@ -0,0 +1,121 @@
+# Working with Solorigate queries
+
+These queries hunt for Indicators of Compromise (IoCs) associated with the malicious implant code that was inserted into the SolarWinds Orion product.  
+
+This ReadMe walks through what each query does and limitations of the approaches taken, suggestions for modifications, and general advice on using CodeQL to author backdoor hunting queries.  There are two approaches taken with the queries; the first is to look for syntactic characteristics used in the malicious implant, things like names and particular literals.  The second approach looks for semantic patterns – particular functionality and flow associated with the implant.  
+
+When editing this queries for open sourcing, we tried to find the right balance between detection capability and false positive rate, mindful that different organizations have differing resources to review the findings.  
+
+## Syntactic queries
+
+These queries are targeting specific names/values and other syntactic traits present in the Solorigate IoCs.  They tend to either target syntax that is easy for the malicious actor to alter between operations or syntax that is going to be fairly coincidental, so are either very precise but very fragile, or imprecise but more durable.  However, they are very fast to execute, and very easy to modify, so can be easily repurposed to do first pass analysis in future campaigns to hunt for code IoCs.  Several of them use a list syntax introduced in CodeQL 1.26, so require that version of newer to compile and execute.
+
+### cs/Solorigate/number-of-known-commands-in-enum-above-threshold
+
+**Implemented in:** NumberOfKnownCommandsAboveThreshold.ql
+
+This query looks for enumerations that look like they are defining Command and Control functionality, based on the enumeration in Solorigate.  Enumerations are a convenient way of defining and referencing this functionality, so are likely to be used in other implants.  This query does allow some fuzziness to how many commands are defined, by default looking for any enumeration with at least 10 of the 18 commands but is brittle to changes in the names of the commands.
+
+The specific list of commands it looks for within the enumeration is defined in Solorigate.qll in countSolorigateCommandInEnum.  There are several “clusters” of commands – for example, commands to interact with the file system, with the registry, etc.  If implementing an API for file system or registry interactions it is possible to coincidentally include similar command names, but it is unlikely a single enumeration would coincidentally contain commands to interact with the file system, assembly, handle process execution, etc.  If you know your code performs a subset of those functions, deleting those specific commands from countSolorigateCommandInEnum and lowering the threshold of the query should reduce false positives, though does increase the chance of false negatives.  
+
+This query could be modified to reduce false negatives by decreasing the threshold and changing the name comparisons of the enumeration values to fuzzy matches, but doing so will produce higher false positives.  Fuzzy matching is also more computationally costly, so will increase the execution time.  
+
+### cs/Solorigate/number-of-known-hashes-above-threshold
+
+**Implemented in:** NumberofKnownHashesAboveThreshold.ql
+
+This query looks for the presence of 5 or more of the XOR’ed hashes Solorigate derived from the names of running processes they wanted to avoid(various anti-malware, etc.).  The Solorigate implant would first hash the process name with FNV-1A, and then XOR it with the magic number 6605813339339102567, and then compared to a list of these derived hashes to see if any of the processes the implant wanted to evade were currently running.  Likely the reason for the XOR with a magic number is so that comparison values can be unique per implant, so it is very unlikely they were reused elsewhere.  However, these values are incredibly unlikely to appear coincidentally in source, so if this query does have findings there is a high probability the findings are malicious.
+
+The derived hash literals are defined in Solorigate.qll in “solorigateSuspiciousHashes”.  If a similar campaign happens in the future this query can easily be repurposed by swapping the current hash values with the values for that campaign.  Like now, doing so probably won’t trigger findings as the malicious actor would likely make the values unique per implant, but this is a very quick query to both author/tweak and to execute, so the cost of checking “just in case” is quite low.
+
+“cs/Solorigate/modified-fnv-function-detection” and “cs/backdoor/process-name-to-hash-function” attempt to detect the actual process name hashing technique rather than the particular values, so will be durable to use of different magic numbers.
+
+### cs/Solorigate/number-of-known-literals-above-threshold
+
+**Implemented In:** NumberOfKnownLiteralsAboveThreshold.ql
+
+This query looks for literals present in the implant, however since many of the literals would appear coincidentally in a great deal of code (common IP addresses, host names, etc.), this query does not fire unless at least 30 of the literals are all present.  Many of the literals would need to be reused in other implants if similar functionality were desired (though they could be hidden with a reversable obfuscation technique).
+
+The query is ensuring that these are semantic literals, so will not incorrectly count usages in comments/method names/variable names/etc. – this shows that even for a relatively simple detection CodeQL provides advantages over more simplistic text parsing.  As previously mentioned, many of these literals are incredibly common, so the likelihood that a finding represents malicious modification is low.  Its recommended to triage the other queries first, as triaging the results of this query is more labor intensive and results are less likely to represent malicious activity.  Reducing the threshold value in NumberOfKnownLiteralsAboveThreshold.ql will increase the chance that it catches other implants that used a subset of the literals, but will also significantly increase false positives.  Alternatively, if the first run produces a large number of results, moving the threshold value up helps reduce the findings to only code that more completely mirrors the literals used in Solorigate, while increasing the possibility potential false negatives.
+
+The list of literals is defined in Solorigate.qll in solorigateSuspiciousLiterals.  When run against specific code bases the result set may be more manageable by removing methods and literals known to be legitimately used in that code base, though trimming the list too extensively will increase the chances of false negatives.  This query can easily be repurposed for future campaigns by replacing the literals here with the literals that were features of IoCs in those campaigns.  If the number of IoC literals is greater in future campaigns, moving the threshold value up from 30 would likely increase detection accuracy without significantly increasing false negative rates.  On the flip side, if the number of literals is significantly less, the threshold value will likely need to be decreased from 30.
+
+### cs/solorigate/number-of-known-method-names-above-threshold
+
+**Implemented In:** NumberOfKnownMethodNamesAboveThreshold.ql
+
+This query looks for method names present within the implant, but as with the literals, the method names would appear coincidentally in many code bases as they were intended to blend in.  Because the individual method names are highly likely to be coincidentally used, this query only fires if 50 or more are present.  This query is ensuring that these are used as method names, so will not incorrectly count usage in literals/comments/variable names/etc. While these are common method names, it would be uncommon (but still possible – we had plenty of false positives) for many of them to all be defined within the same project.  Excluding methods that are common overrides in class declarations (ex. ToString) will lower the false positive rate, but with the threshold of 50 we found the result set manageable without that adjustment.  
+
+The list of literals is defined in Solorigate.qll in solorigateSuspiciousMethodNames.  While the previous queries looking for the command Enumeration, Derived process hashes, and literals may provide some value if ported to cover other languages, the specific method list for this query does not, as the methods are particular for C#.  However, if an additional implant targeting another language is discovered in the future, the basic approach used in this query is re-usable even if the method names are not.
+
+## Semantic Queries
+
+The semantic queries are not looking for any specific names or terms unique to the IoCs, but rather techniques or patterns used for the implant’s functionality.  Some can be evaded by implementing the functionality via different semantics, but a malicious agent would need to specifically take pains to do so.  These queries may detect unrelated backdoors, and can also be ported to cover other programming languages to detect the same techniques in those languages.
+
+### cs/Solorigate/modified-fnv-function-detection
+
+**Implemented in:** ModifiedFnvFunctionDetection.ql
+
+The Solorigate implant tries to evade various security detection software by comparing hashes of the process names against an embedded list of values.  However, to make the embedded list unique per implant, the hashes were then XOR’ed with a magic value.  The implant embedded a version of the FNV-1A hash function for this purpose, so this query looks for use of an “FNV-like” implementation with XOR.
+
+The logic that determines what is “FNV-like” is in NonCryptographicHashes.qll, in the predicate “maybeUsedInFNVFunction”.  This logic is not looking for specific known implementations of an FNV function, but rather method code that looks like it is trying to implement one of the FNV functions.  This should avoid evasions based purely on the name of the function, but deliberate attempts to obfuscate the implementation of the function may be able to evade this analysis.  
+
+Separately, and unrelated to Solorigate, this predicate (as well as the one looking for “Elfhash-like”) can be combined with control flow analysis to ensure that these hash functions are not being used in a cryptographic context where their use would be insecure.  
+
+### cs/backdoor/process-name-to-hash-function
+
+**Implemented in:** ProcessNameToHashTaintFlow.ql
+
+This query takes a different approach than the previous two – rather than looking for use of FNV-like methods used specifically in conjunction with an XOR, it instead looks for flow from System.Diagnostics.Process.ProcessName to something that “looks like” a hash function.  It determines what looks like a hash function by looking for methods whose names contain “Hash” or MD4/5 or some variation of SHA, or whose implementation is either “FNV-Like” or “Elf-Like” (see NonCryptographicHashes.qll for the logic that determines FNV or Elf-like – looking at the implementation is durable to simple renaming of the methods). This approach should catch a variety of process name hashing schemes, though it should be noted that there are legitimate reasons to hash a process name.  The flow analysis is interprocedural, so can detect attempts to obfuscate the hashing of process names by distributing the steps across the source.  As the definition of a hash function is intentionally a bit fuzzy this query has a medium precision (i.e. it may falsely catch code that is not attempting to hash the process name), and as there are legitimate reasons to hash a process name the chance that an accurate finding represents a malicious implant is moderate to low depending on the code base.
+
+To add additional hash detections logic to cast a wider net, modify isGetHash in ProcessNameToHashTaintFlow.ql. 
+
+### cs/backdoor/potential-time-bomb
+
+**Implemented in:** PotentialTimeBomb.ql
+
+This query looks for a the Solorigate Implant's time delay functionality.  The Backdoor would not initially activate until 12-14 days *after* the Orion update with the implanted code was installed.  It did this by checking the last file write time, randomly adding between 288 and 336 hours to it, and comparing that against the current system time before it initially called back to the C2 servers controlling the campaign.  This query detects that technique by looking for flow from GetLastWriteTime to an arithmetic operation, and from there to a comparison against the current time.  This query will coincidentally flag any software that invokes an action a certain time after installation - for example, prompting the user to register or activate the product after a certain period has elapsed.  
+
+The accuracy of this query could be improved to reduce those coincidental findings by checking if there is then flow to a remote source (which is the case in the Solorigate implant) or to shell or process execution as they are often features of time bombed malicious code, however the additional flow steps do increase the execution time and increase the chance of false negatives.  This query as is produced a manageable set of false positives when run across our thousands of databases, so we suggest first running it as is, and only making those modifications if the practice appears to be common in your code bases.
+
+To make this query more generic, it could be modified to check for other ways of persisting an initial data on the system - reading a registry key, file contents, system reboot time, etc.  However, each additional data source will increase false positives.  
+
+### cs/Solorigate/swallow-everything-exception
+
+**Implemented in:** SwallowEverythingExceptionHandler.ql
+
+The Solorigate Implant wraps the implanted code in a
+
+    try {  
+     //stuff
+    } 
+    catch (Exception) {}
+
+to ensure that runtime exceptions didn’t tip anyone off.  This query looks for all catches of generic exceptions, with empty exception blocks.  The detection is high precision – it will accurately find all empty generic exception handlers.  However, it is unfortunately a common enough bad programming practice that there are plenty of writeups in existence explaining that it is a bad programming practice, so the likelihood of the findings being a malicious implant are low.  It’s recommended that they be reviewed to ensure this bad practice isn’t hiding latent (or not so latent) bugs in the code.
+
+It can be evaded by including any statements in the catch block, but the existing cs/catch-of-all-exceptions query can be used to catch that evasion.  That query’s findings will be a superset of this query, as it will catch many legitimate situations where the exception was anticipated and the catch block can take action that would make swallowing the exception and continuing on relatively risk free.  By looking at empty catch statements, this query looks for the exact pattern in the Solorigate implant and will generate fewer findings to review.
+
+### cs/backdoor/dangerous-native-functions
+
+**Implemented in:** DangerousNativeFunctionCalls.ql
+
+This query looks for several native Windows API that might be present in backdoor functionality, including several used in Solorigate.  It is also more broadly useful in looking for a technique that can be used to evade queries looking for malicious execution of processes by calling the native platform libraries instead of the .Net Class libraries.  We are including it to act as inspiration for other query developers to think about how they can query not just for backdoor patterns but also how they can hunt for attempts to then evade those queries.
+
+While the results of this query are useful on their own, both to cast a wide net to find this evasion technique, and to review why the developers chose the more error prone PInvoke implementation in benign findings, this query was kept simple specifically to use as an example. It can easily be combined with Data Flow or Taint Flow by adding a call to the isExternMethod predicate in DangerousNativeFunctionCalls to an overridden isSink implementation.  With this relatively simple addition, flow from untrusted sources like web requests into the potentially dangerous API can easily be detected, and at the very least represent a potential security vulnerability that should be reviewed, but may also represent a C2 implementation attempting to evade searches for the standard Class Library functions.
+
+## Build CodeQL Databases from the production Build Servers/Pipelines
+
+The malicious modifications of SolarWinds’ code took place on the build server (more details from [CrowdStrike](https://www.crowdstrike.com/blog/sunspot-malware-technical-analysis/)), so CodeQL databases used for analysis should ideally be built from the same build servers.  CodeQL utilizes the same Roslyn Compiler as MSBuild, so absent the malicious actor specifically building checks for the presence of CodeQL, it is likely the injection technique utilized by the malicious actor would replicate when CodeQL was run.  Alternatively, if building CodeQL databases in an independent environment, other techniques can be used to validate that the code that was compiled into the final binaries is the same as the source code in the source repository.
+
+> ### FYI
+>
+> While the step-by-step details are outside the scope of this ReadMe, if the build environment is configured to perform deterministic builds (not all compilers support this, nor default to this if they do), the binaries produced by the build environment can be compared to binaries produced from the same source compiled in a distinct environment.  Additionally, some compilers can be configured to emit a manifest of the source code hashes for the source files that were compiled (MSBuild puts them in the PDB files emitted during compilation), which can be compared to source hashes created in an independent environment.  If the comparison of either the deterministically built binaries or source hashes do not match, that is a clear indicator that further investigation is warranted.  These two techniques can be automated to provide ongoing validation of the build output.  
+>
+>If comparing source hashes, it is strongly recommended that SHA256 rather than weaker hashes be used.  This can be configured in the following Microsoft compilers by using the specified compiler flags below:
+>
+> * cl.exe /ZH:SHA_256
+> * ml.exe /ZH:SHA_256
+> * ml64.exe /ZH:SHA_256
+> * armasm.exe -gh:SHA_256
+> * armasm64.exe -gh:SHA_256
+> * csc.exe /checksumalgorithm:SHA256
diff --git a/csharp/ql/src/experimental/Security Features/campaign/Solorigate/ModifedFnvFunctionDetection.qhelp b/csharp/ql/src/experimental/Security Features/campaign/Solorigate/ModifedFnvFunctionDetection.qhelp
new file mode 100644
index 00000000000..d3abdc85f28
--- /dev/null
+++ b/csharp/ql/src/experimental/Security Features/campaign/Solorigate/ModifedFnvFunctionDetection.qhelp	
@@ -0,0 +1,12 @@
+<!DOCTYPE qhelp PUBLIC
+  "-//Semmle//qhelp//EN"
+  "qhelp.dtd">
+<qhelp>
+  <overview>
+    <p>The malicious code included hash values calculated using a standard FNV-1A 64-bit hash with an additional XOR by 6605813339339102567 after computing the FNV-1A.</p>
+    <p>This query detects FNV-like hash calculations where there is an additional xor (with any static value) after the hash calculation loop.</p>
+  </overview>
+
+  <include src="Solorigate.qhelp" />
+
+</qhelp>
\ No newline at end of file
diff --git a/csharp/ql/src/experimental/Security Features/campaign/Solorigate/ModifedFnvFunctionDetection.ql b/csharp/ql/src/experimental/Security Features/campaign/Solorigate/ModifedFnvFunctionDetection.ql
new file mode 100644
index 00000000000..e8e2f42dfe4
--- /dev/null
+++ b/csharp/ql/src/experimental/Security Features/campaign/Solorigate/ModifedFnvFunctionDetection.ql	
@@ -0,0 +1,32 @@
+/**
+ * @name Detects a modified FNV function
+ * @description Possible indication of Solorigate. Detects a modified FNV1 function, where there is an additional xor using a literal after the regular FNV hash
+ * @kind problem
+ * @tags security
+ *       solorigate
+ * @precision high
+ * @id cs/solorigate/modified-fnv-function-detection
+ * @problem.severity error
+ */
+
+import csharp
+import Solorigate
+import microsoft.code.csharp.Cryptography.NonCryptographicHashes
+
+from Variable v, Literal l, LoopStmt loop, Expr additional_xor
+where maybeUsedInFNVFunction( v, _, _, loop)
+	and (
+		exists( BitwiseXorExpr xor2 |
+		 	xor2.getAnOperand() = l and additional_xor = xor2 |
+	 		loop.getAControlFlowNode().getASuccessor*() = xor2.getAControlFlowNode()
+	 		and xor2.getAnOperand() = v.getAnAccess()
+	 	) or exists( AssignXorExpr xor2 |
+		 	xor2.getAnOperand() = l and additional_xor = xor2  |
+	 		loop.getAControlFlowNode().getASuccessor*() = xor2.getAControlFlowNode()
+	 		and xor2.getAnOperand() = v.getAnAccess()
+	 	)
+	 )
+ select l, "The variable $@ seems to be used as part of a FNV-like hash calculation, that is modified by an additional $@ expression using literal $@."
+	, v, v.toString()
+	, additional_xor, "xor"
+	, l, l.toString()
diff --git a/csharp/ql/src/experimental/Security Features/campaign/Solorigate/NumberOfKnownCommandsAboveThreshold.qhelp b/csharp/ql/src/experimental/Security Features/campaign/Solorigate/NumberOfKnownCommandsAboveThreshold.qhelp
new file mode 100644
index 00000000000..0db1732805d
--- /dev/null
+++ b/csharp/ql/src/experimental/Security Features/campaign/Solorigate/NumberOfKnownCommandsAboveThreshold.qhelp	
@@ -0,0 +1,12 @@
+<!DOCTYPE qhelp PUBLIC
+  "-//Semmle//qhelp//EN"
+  "qhelp.dtd">
+<qhelp>
+  <overview>
+    <p>This query detects if there is an enum that includes various of the values used for the Solorigate commands.</p>
+    <p>Please notice that by themselves the names of these enum constants are not malign.</p>
+  </overview>
+
+  <include src="Solorigate.qhelp" />
+
+</qhelp>
\ No newline at end of file
diff --git a/csharp/ql/src/experimental/Security Features/campaign/Solorigate/NumberOfKnownCommandsAboveThreshold.ql b/csharp/ql/src/experimental/Security Features/campaign/Solorigate/NumberOfKnownCommandsAboveThreshold.ql
new file mode 100644
index 00000000000..154d115a39f
--- /dev/null
+++ b/csharp/ql/src/experimental/Security Features/campaign/Solorigate/NumberOfKnownCommandsAboveThreshold.ql	
@@ -0,0 +1,20 @@
+/**
+ * @name Number of Solorigate-related command names in enum is above the threshold 
+ * @description The enum contains several values that look similar to command and control command names, which may indicate that the code may have been tampered by an external agent.
+ *      It is recommended to review the code and verify that there is no unexpected code in this project.
+ * @kind problem
+ * @tags security
+ *       solorigate
+ * @problem.severity warning
+ * @precision medium
+ * @id cs/solorigate/number-of-known-commands-in-enum-above-threshold
+ */
+
+import csharp
+import Solorigate
+
+from Enum e, int total
+where total =  countSolorigateCommandInEnum(e)
+	and total > 10
+select e, "The enum $@ may be related to Solorigate. It matches " + total + " of the values used for commands in the enum."
+	, e, e.getName()
\ No newline at end of file
diff --git a/csharp/ql/src/experimental/Security Features/campaign/Solorigate/NumberOfKnownHashesAboveThreshold.qhelp b/csharp/ql/src/experimental/Security Features/campaign/Solorigate/NumberOfKnownHashesAboveThreshold.qhelp
new file mode 100644
index 00000000000..a5fca70869b
--- /dev/null
+++ b/csharp/ql/src/experimental/Security Features/campaign/Solorigate/NumberOfKnownHashesAboveThreshold.qhelp	
@@ -0,0 +1,13 @@
+<!DOCTYPE qhelp PUBLIC
+  "-//Semmle//qhelp//EN"
+  "qhelp.dtd">
+<qhelp>
+  <overview>
+    <p>This query detects literals that look like Solorigate Hash values used in the Solorigate code.</p>
+    <p>This query detects when the code includes at least 5 of the Hash literals used in the Solorigate tampered code</p>
+    <p>Please notice that by themselves these literals are not malign, but several of the values together would be less likely to be coincidental.</p>
+  </overview>
+
+  <include src="Solorigate.qhelp" />
+
+</qhelp>
\ No newline at end of file
diff --git a/csharp/ql/src/experimental/Security Features/campaign/Solorigate/NumberOfKnownHashesAboveThreshold.ql b/csharp/ql/src/experimental/Security Features/campaign/Solorigate/NumberOfKnownHashesAboveThreshold.ql
new file mode 100644
index 00000000000..6d4f7818a9e
--- /dev/null
+++ b/csharp/ql/src/experimental/Security Features/campaign/Solorigate/NumberOfKnownHashesAboveThreshold.ql	
@@ -0,0 +1,23 @@
+/**
+ * @name Number of Solorigate-related Hashes as literals is above the threshold 
+ * @description The total number of Solorigate-related hash literals found in the code is above a threshold, which may indicate that the code may have been tampered by an external agent.
+ *      It is recommended to review the code and verify that there is no unexpected code in this project, however it is highly unlikely the hash values would be present coincideentally
+ * @kind problem
+ * @tags security
+ *       solorigate
+ * @problem.severity warning
+ * @precision medium
+ * @id cs/solorigate/number-of-known-hashes-above-threshold
+ */
+
+import csharp
+import Solorigate
+
+
+from Literal l, int total, int threshold
+where total = countSolorigateSuspiciousHash()
+	and threshold = 5 // out of ~200 known literals
+	and isSolorigateHash(l)
+	and total > threshold
+select l, "The Hash literal $@ may be related to the Solorigate campaign. Total count = " + total + " is above the threshold " + threshold + "."
+	, l, l.getValue()
\ No newline at end of file
diff --git a/csharp/ql/src/experimental/Security Features/campaign/Solorigate/NumberOfKnownLiteralsAboveThreshold.qhelp b/csharp/ql/src/experimental/Security Features/campaign/Solorigate/NumberOfKnownLiteralsAboveThreshold.qhelp
new file mode 100644
index 00000000000..5a275eeadba
--- /dev/null
+++ b/csharp/ql/src/experimental/Security Features/campaign/Solorigate/NumberOfKnownLiteralsAboveThreshold.qhelp	
@@ -0,0 +1,13 @@
+<!DOCTYPE qhelp PUBLIC
+  "-//Semmle//qhelp//EN"
+  "qhelp.dtd">
+<qhelp>
+  <overview>
+    <p>This query detects literals used in the Solorigate code.</p>
+    <p>This query detects when the code includes at least 30 of the literals used in the Solorigate tampered code</p>
+    <p>Please notice that by themselves these literals are not malign.</p>
+  </overview>
+
+  <include src="Solorigate.qhelp" />
+
+</qhelp>
\ No newline at end of file
diff --git a/csharp/ql/src/experimental/Security Features/campaign/Solorigate/NumberOfKnownLiteralsAboveThreshold.ql b/csharp/ql/src/experimental/Security Features/campaign/Solorigate/NumberOfKnownLiteralsAboveThreshold.ql
new file mode 100644
index 00000000000..d736e6fbf42
--- /dev/null
+++ b/csharp/ql/src/experimental/Security Features/campaign/Solorigate/NumberOfKnownLiteralsAboveThreshold.ql	
@@ -0,0 +1,23 @@
+/**
+ * @name Number of Solorigate-related literals is above the threshold 
+ * @description The total number of Solorigate-related literals found in the code is above a threshold, which may indicate that the code may have been tampered by an external agent.
+ *      It is recommended to review the code and verify that there is no unexpected code in this project.
+ * @kind problem
+ * @tags security
+ *       solorigate
+ * @problem.severity warning
+ * @precision medium
+ * @id cs/solorigate/number-of-known-literals-above-threshold
+ */
+
+import csharp
+import Solorigate
+
+
+from Literal l, int total, int threshold
+where total = countSolorigateSuspiciousLiterals()
+	and threshold = 30 // out of ~150 known literals
+	and isSolorigateLiteral(l)
+	and total > threshold
+select l, "The literal $@ may be related to the Solorigate campaign. Total count = " + total + " is above the threshold " + threshold + "."
+	, l, l.getValue()
\ No newline at end of file
diff --git a/csharp/ql/src/experimental/Security Features/campaign/Solorigate/NumberOfKnownMethodNamesAboveThreshold.qhelp b/csharp/ql/src/experimental/Security Features/campaign/Solorigate/NumberOfKnownMethodNamesAboveThreshold.qhelp
new file mode 100644
index 00000000000..9216fa9e2e5
--- /dev/null
+++ b/csharp/ql/src/experimental/Security Features/campaign/Solorigate/NumberOfKnownMethodNamesAboveThreshold.qhelp	
@@ -0,0 +1,13 @@
+<!DOCTYPE qhelp PUBLIC
+  "-//Semmle//qhelp//EN"
+  "qhelp.dtd">
+<qhelp>
+  <overview>
+    <p>This query detects method names used in the Solorigate code.</p>
+    <p>This query detects when the code includes at least 50 of the mthods used in the Solorigate tampered code</p>
+    <p>Please notice that by themselves these method names are not malign.</p>
+  </overview>
+
+  <include src="Solorigate.qhelp" />
+
+</qhelp>
\ No newline at end of file
diff --git a/csharp/ql/src/experimental/Security Features/campaign/Solorigate/NumberOfKnownMethodNamesAboveThreshold.ql b/csharp/ql/src/experimental/Security Features/campaign/Solorigate/NumberOfKnownMethodNamesAboveThreshold.ql
new file mode 100644
index 00000000000..f38a2f2dfb8
--- /dev/null
+++ b/csharp/ql/src/experimental/Security Features/campaign/Solorigate/NumberOfKnownMethodNamesAboveThreshold.ql	
@@ -0,0 +1,23 @@
+/**
+ * @name Number of Solorigate-related method names is above the threshold 
+ * @description The total number of Solorigate-related method names found in the code is above a threshold, which may indicate that the code may have been tampered by an external agent.
+ *      It is recommended to review the code and verify that there is no unexpected code in this project.
+ * @kind problem
+ * @tags security
+ *       solorigate
+ * @problem.severity warning
+ * @precision medium
+ * @id cs/solorigate/number-of-known-method-names-above-threshold
+ */
+
+import csharp
+import Solorigate
+
+
+from Method m, int total, int threshold
+where total = countSolorigateSuspiciousMethodNames() 
+	and threshold = 50 // out of ~ 100 known names
+	and isSolorigateSuspiciousMethodName(m)
+	and total > threshold
+select m, "The method $@ may be related to Solorigate. Total count = " + total + " is above the threshold " + threshold + "."
+	, m, m.getName()
\ No newline at end of file
diff --git a/csharp/ql/src/experimental/Security Features/campaign/Solorigate/Solorigate.qhelp b/csharp/ql/src/experimental/Security Features/campaign/Solorigate/Solorigate.qhelp
new file mode 100644
index 00000000000..798ae65ba8b
--- /dev/null
+++ b/csharp/ql/src/experimental/Security Features/campaign/Solorigate/Solorigate.qhelp	
@@ -0,0 +1,13 @@
+<!DOCTYPE qhelp PUBLIC
+  "-//Semmle//qhelp//EN"
+  "qhelp.dtd">
+<qhelp>
+ <overview>
+  <p>The nation-state supply chain attack on SolarWinds known as Solorigate or SunBurst gave nation-state actors access to some victims' networks.</p>
+  <p>The purpose of these rules is to identify poetntially tampered code that requires further analysis</p>
+</overview> 
+<recommendation>
+  <p>Any findings from these rules are only intended to indicate suspicious code that shares similarities with known portions of code used for this attack, but no certainty that the code is related or part of any attack.</p>
+  <p>For more information, please visit https://aka.ms/solorigate. </p>
+</recommendation>
+</qhelp>
\ No newline at end of file
diff --git a/csharp/ql/src/experimental/Security Features/campaign/Solorigate/Solorigate.qll b/csharp/ql/src/experimental/Security Features/campaign/Solorigate/Solorigate.qll
new file mode 100644
index 00000000000..77cd4c0fe2e
--- /dev/null
+++ b/csharp/ql/src/experimental/Security Features/campaign/Solorigate/Solorigate.qll	
@@ -0,0 +1,163 @@
+/* *
+ * Provides reusable predicates related to Solorigate
+ * 
+ */
+
+import csharp
+
+/*
+ * Returns a list of Literals representing process hashes.  These are unlikely to be recycled between campaigns, so not expected to have hits, but if present
+ * are almost certainly an indicator of compromise
+ * This data was extracted from https://github.com/ITAYC0HEN/SUNBURST-Cracked/tree/a01f358965525bee34ad026acd9dfda3d488fdd8 
+ * and https://github.com/fireeye/sunburst_countermeasures/blob/main/fnv1a_xor_hashes.txt
+ */
+private string solorigateSuspiciousHashes() {
+	result = 	[   
+		"10063651499895178962",  "10235971842993272939", "10296494671777307979", "10336842116636872171", "10374841591685794123", "10393903804869831898", "10463926208560207521", 
+		"10484659978517092504", "10501212300031893463", "10545868833523019926", "10657751674541025650", "106672141413120087", "10734127004244879770", "10829648878147112121", 
+		"1099511628211", "11073283311104541690", "1109067043404435916", "11109294216876344399", "11266044540366291518", "11385275378891906608", "11771945869106552231", "11801746708619571308", 
+		"11818825521849580123", "11913842725949116895", "12027963942392743532", "12094027092655598256", "12343334044036541897", "12445177985737237804", "12445232961318634374", 
+		"12574535824074203265", "12679195163651834776", "12709986806548166638", "12718416789200275332", "12785322942775634499", "12790084614253405985", "12969190449276002545", 
+		"13014156621614176974", "13029357933491444455",  "13135068273077306806", "13260224381505715848", "13316211011159594063", "13464308873961738403", "13544031715334011032", 
+		"13581776705111912829", "13599785766252827703", "13611051401579634621", "13611814135072561278", "13655261125244647696", "1367627386496056834", "1368907909245890092", "13693525876560827283", 
+		"13783346438774742614", "13799353263187722717", "13825071784440082496", "13852439084267373191", "13876356431472225791", "14055243717250701608", "14079676299181301772", "14095938998438966337", 
+		"14111374107076822891", "14193859431895170587", "14226582801651130532", "14243671177281069512", "14256853800858727521", "14480775929210717493", "14482658293117931546", 
+		"14513577387099045298", "14630721578341374856", "14695981039346656037", "14710585101020280896", "1475579823244607677", "14868920869169964081", "14968320160131875803", "14971809093655817917", 
+		"15039834196857999838", "15092207615430402812", "15114163911481793350", "15194901817027173566", "15267980678929160412",  "15457732070353984570", "15514036435533858158", 
+		"15535773470978271326", "15587050164583443069", "155978580751494388", "15695338751700748390", "15997665423159927228", "16066522799090129502", "16066651430762394116", "16112751343173365533", 
+		"16130138450758310172", "1614465773938842903", "16292685861617888592", "16335643316870329598", "16423314183614230717", "16570804352575357627", "1682585410644922036", "16858955978146406642", 
+		"16990567851129491937", "17017923349298346219", "17097380490166623672", "17109238199226571972",  "17204844226884380288", "17291806236368054941", "17351543633914244545", 
+		"17439059603042731363", "17574002783607647274", "17624147599670377042", "17633734304611248415", "17683972236092287897", "17849680105131524334", "17939405613729073960", "17956969551821596225", 
+		"17978774977754553159", "17984632978012874803", "17997967489723066537",  "18147627057830191163", "18150909006539876521", "18159703063075866524", "18246404330670877335", 
+		"18294908219222222902", "18392881921099771407",  "18446744073709551613", "191060519014405309", "2032008861530788751", 
+		"2128122064571842954", "2147483647", "2147745794", "2380224015317016190", "2478231962306073784", "2532538262737333146", 
+		"2589926981877829912", "2597124982561782591", "2600364143812063535", "2717025511528702475", "2734787258623754862", "27407921587843457", "2760663353550280147", 
+		"2797129108883749491", "2810460305047003196", "292198192373389586", "2934149816356927366",  "3045986759481489935", "3178468437029279937", "3200333496547938354", "3320026265773918739", 
+		"3320767229281015341", "3341747963119755850", "3407972863931386250", "3413052607651207697", "3413886037471417852", "3421197789791424393", "3421213182954201407", "3425260965299690882", 
+		"3538022140597504361", "3575761800716667678", "3588624367609827560", "3626142665768487764", "3642525650883269872", "3656637464651387014", "3660705254426876796", "3769837838875367802", 
+		"3778500091710709090", "3796405623695665524", "3869935012404164040", "3890769468012566366", "3890794756780010537", "397780960855462669", "4030236413975199654", "4088976323439621041", 
+		 "4454255944391929578", "4501656691368064027", "4578480846255629462", "4821863173800309721", "4931721628717906635", "506634811745884560", "5132256620104998637", 
+		"5183687599225757871", "521157249538507889", "5219431737322569038",  "541172992193764396", "5415426428750045503", "5449730069165757263", "5587557070429522647", "5614586596107908838", 
+		"576626207276463000",  "5942282052525294911", "5945487981219695001", "5984963105389676759", "607197993339007484", 
+		"6088115528707848728", "6116246686670134098", "6180361713414290679", "6195833633417633900", "6274014997237900919", "640589622539783622", "6461429591783621719", "6491986958834001955", 
+		"6508141243778577344",  "6605813339339102567", "682250828679635420", "6827032273910657891", "6943102301517884811", "700598796416086955", "7080175711202577138", 
+		"7175363135479931834", "7315838824213522000", "7412338704062093516", "7516148236133302073", "7574774749059321801", "7701683279824397773", "7775177810774851294", "7810436520414958497", 
+		"7878537243757499832", "79089792725215063", "7982848972385914508", "8052533790968282297", "8129411991672431889", "8146185202538899243", "835151375515278827", "8381292265993977266", 
+		"8408095252303317471", "8473756179280619170", "8478833628889826985", "8612208440357175863", "8697424601205169055", "8698326794961817906",  "8709004393777297355", "8727477769544302060", 
+		"8760312338504300643", "8799118153397725683", "8873858923435176895", "8994091295115840290", "9007106680104765185", "9061219083560670602", "9149947745824492274", "917638920165491138", "9234894663364701749", 
+		"9333057603143916814", "9384605490088500348", "9531326785919727076", "9555688264681862794", "9559632696372799208", "9903758755917170407" 
+		]
+
+}
+
+/* 
+ * Holds if the literal is one that matches a literal found in Solorigate code.
+ * 
+ * NOTE: Some of the values have been commented out as they are commonly found elsewhere.  
+ */
+predicate isSolorigateHash(Literal l){
+	l.getValue() = solorigateSuspiciousHashes()
+}
+
+/* 
+ * Returns the total number of Solorigate-related literales found in the project 
+ */
+int countSolorigateSuspiciousHash(){
+	result =  count(string s | exists( Literal l | s = l.getValue() and s = solorigateSuspiciousHashes()))
+}
+
+/*
+ * Returns a list of Literals used by Solorigate 
+ * 
+ * This data was extracted from https://github.com/ITAYC0HEN/SUNBURST-Cracked/tree/a01f358965525bee34ad026acd9dfda3d488fdd8 
+ * and https://github.com/fireeye/sunburst_countermeasures/blob/main/fnv1a_xor_hashes.txt
+ */
+private string solorigateSuspiciousLiterals() {
+	result = 	[   "(?i)([^a-z]|^)(test)([^a-z]|$)", "(?i)(solarwinds)", "[{0,5}] {1,-16} {2}\t{3,5} {4}\\{5}\n", "[{0,5}] {1}\n", "[E] {0} {1} {2}",
+		"\"\\{[0-9a-f-]{36}\\}\"|\"[0-9a-f]{32}\"|\"[0-9a-f]{16}\"", ".CortexPlugin", ".Orion", "\"EventName\":\"EventManager\",", "\"EventType\":\"Orion\",",
+		"\\OrionImprovement\\SolarWinds.OrionImprovement.exe", "0123456789abcdefghijklmnopqrstuvwxyz-_.", 
+		"\"sessionId\":\"{0}\",", "\"steps\":[", "\"Succeeded\":true,", "\"Timestamp\":\"\\/Date({0})\\/\",", "\"userId\":\"{0}\",", "{0} {1} HTTP/{2}\n", 
+		"10140", "144.86.226.0",  "154.118.140.0",  "172.16.0.0",  "18.130.0.0",  "184.72.0.0",  "192.168.0.0", "199.201.117.0", "20.140.0.0", "20100", "20220",  "217.163.7.0", "224.0.0.0", 
+		"240.0.0.0",  "255.240.0.0", "255.254.0.0",	"255.255.248.0",  "3.0.0.382", "41.84.159.0", "43140", "4320", "43260", "524287",  "583da945-62af-10e8-4902-a8f205c72b2e", "65280", 
+		"71.152.53.0", "74.114.24.0",  "8.18.144.0",  "87.238.80.0",  "96.31.172.0", "983040", "99.79.0.0", 
+		"Administrator", "advapi32.dll", "Apollo", "appsync-api", "avsvmcloud.com", "api.solarwinds.com", "-root", "-cert", "-universal_ca", "-ca", "-primary_ca", "-timestamp", "-global", "-secureca",  "CloudMonitoring", 
+		"MACAddress", "DHCPEnabled", "DHCPServer", "DNSHostName", "DNSDomainSuffixSearchOrder", "DNSServerSearchOrder", "IPAddress", "IPSubnet", "DefaultIPGateway", "OSArchitecture", "InstallDate", "Organization", "RegisteredUser", 
+		"fc00::", "fe00::", "fec0::",  "ffc0::", "ff00::", 
+		"HKCC", "HKCR", "HKCU", "HKDD", "HKEY_CLASSES_ROOT", "HKEY_CURRENT_CONFIG", "HKEY_CURRENT_USER", "HKEY_DYN_DATA", "HKEY_LOCAL_MACHINE", "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Cryptography",
+		"HKEY_PERFOMANCE_DATA", "HKEY_USERS", "HKLM", "HKPD", "HKU", "If-None-Match", "Microsoft-CryptoAPI/", "Nodes", "Volumes", "Interfaces", "Components",
+		"opensans", "Organization", "OSArchitecture", "ParentProcessID", "PathName", "ReportWatcherPostpone", "ReportWatcherRetry", "S-1-5-", "SeRestorePrivilege", "SeShutdownPrivilege", "SeTakeOwnershipPrivilege", 
+		"SolarWinds", "SolarWindsOrionImprovementClient/", "SourceCodePro", "SourceHanSans", "SourceHanSerif", "SourceSerifPro", "Start", "swip/Events", "swip/upd/", "swip/Upload.ashx", "SYSTEM", 
+		"SYSTEM\\CurrentControlSet\\services", "us-east-1", "us-east-2", "us-west-2", 
+		"fonts/woff/{0}-{1}-{2}{3}.woff2", "fonts/woff/{0}-{1}-{2}-webfont{3}.woff2", "ph2eifo3n5utg1j8d94qrvbmk0sal76c", "pki/crl/{0}{1}{2}.crl", "rq3gsalt6u1iyfzop572d49bnx8cvmkewhj", 
+		"Select * From Win32_NetworkAdapterConfiguration where IPEnabled=true", "Select * From Win32_OperatingSystem", "Select * From Win32_Process", "Select * From Win32_SystemDriver", "Select * From Win32_UserAccount"]
+
+}
+
+/* 
+ * Holds if the literal is one that matches a literal found in Solorigate code.
+ * 
+ * NOTE: Some of the values have been commented out as they are commonly found elsewhere.  
+ */
+predicate isSolorigateLiteral(Literal l){
+	l.getValue() = solorigateSuspiciousLiterals()
+}
+
+/* 
+ * Returns the total number of Solorigate-related literales found in the project 
+ */
+int countSolorigateSuspiciousLiterals(){
+	result =  count(string s | exists( Literal l | s = l.getValue() and s = solorigateSuspiciousLiterals()))
+}
+
+/*
+ * Returns a list of method names used by Solorigate 
+ * 
+ * This data was extracted from https://github.com/ITAYC0HEN/SUNBURST-Cracked/tree/a01f358965525bee34ad026acd9dfda3d488fdd8 
+ */
+private string solorigateSuspiciousMethodNames() {
+	result = [ "Abort", "AddFileExecutionEngine", "AddRegistryExecutionEngine", "AdjustTokenPrivileges", "Base64Decode", "Base64Encode", "ByteArrayToHexString", "CheckServerConnection", "Close", "CloseHandle", "CollectSystemDescription", 
+		"Compress", "CreateSecureString", "CreateString", "CreateUploadRequest", "CreateUploadRequestImpl", "Decompress", "DecryptShort", "Deflate", "DelayMin", "DelayMs", "DeleteFile", "DeleteRegistryValue", "DeleteValue", 
+		"ExecuteEngine", "FileExists", "GetAddresses", "GetAddressFamily", "GetArgumentIndex", "GetBaseUri", "GetBaseUriImpl", "GetCache", "GetCurrentProcess", "GetCurrentString", "GetDescriptionId", "GetFileHash", "GetFileSystemEntries", 
+		"GetHash", "GetHive", "GetIntArray", "GetIPHostEntry", "GetManagementObjectProperty", "GetNetworkAdapterConfiguration", "GetNewOwnerName", "GetNextString", "GetNextStringEx", "GetOrCreateUserID", "GetOrionImprovementCustomerId", 
+		"GetOSVersion", "GetPreviousString", "GetProcessByDescription", "GetRegistrySubKeyAndValueNames", "GetStatus", "GetStringHash", "GetSubKeyAndValueNames", "GetUserAgent", "GetValue", "GetWebProxy", "HexStringToByteArray", "Inflate", 
+		"Initialize", "InitiateSystemShutdownExW", "IsNullOrInvalidName", "IsSynchronized", "KillTask", "LookupPrivilegeValueW", "OpenProcessToken", "ParseServiceResponse", "Quote", "ReadConfig", "ReadDeviceInfo", "ReadRegistryValue", 
+		"ReadReportStatus", "ReadServiceStatus", "RebootComputer", "RunTask", "SearchAssemblies", "SearchConfigurations", "SearchServices", "SetAutomaticMode", "SetKeyOwner", "SetKeyOwnerWithPrivileges", "SetKeyPermissions", "SetManualMode", 
+		"SetProcessPrivilege", "SetRegistryValue", "SetTime", "SetValue", "SplitString", "ToString", "TrackEvent", "TrackProcesses", "Unquote", "Unzip", "Update", "UpdateBuffer", "UpdateNotification", "UploadSystemDescription", "Valid", 
+		"WriteConfig", "WriteFile", "WriteReportStatus", "WriteServiceStatus", "Zip"]
+}
+
+/* 
+ * Holds if the method is one that matches a method found in Solorigate code.
+ * 
+ * NOTE: Pretty much all of these method names are common.   
+ */
+predicate isSolorigateSuspiciousMethodName(Method m) {
+	m.fromSource() and
+	(
+		m.getName() = solorigateSuspiciousMethodNames()
+			
+	)
+}
+
+/* 
+ * Returns the total number of Solorigate-related method names found in the project 
+ */
+int countSolorigateSuspiciousMethodNames(){
+	result =  count(string s | exists(Method m | s=m.getName() and s = solorigateSuspiciousMethodNames()))
+}
+
+
+/* 
+ * Returns the total number of Solorigate-related commands in the given enum
+ * 
+ * This command list is described at https://www.fireeye.com/blog/products-and-services/2020/12/global-intrusion-campaign-leverages-software-supply-chain-compromise.html
+ * and the enum names are based from https://github.com/ITAYC0HEN/SUNBURST-Cracked/tree/a01f358965525bee34ad026acd9dfda3d488fdd8 
+ */
+int countSolorigateCommandInEnum(Enum e) {
+	result = count(string s, EnumConstant ec | 
+		e.getAnEnumConstant() = ec and
+		s = ec.getName() and 
+		s in [ "Idle", "Exit", "SetTime", "CollectSystemDescription", "UploadSystemDescription", "RunTask", "GetProcessByDescription", "KillTask", 
+			"GetFileSystemEntries", "WriteFile", "FileExists", "DeleteFile", "GetFileHash", "ReadRegistryValue", "SetRegistryValue", 
+			"DeleteRegistryValue", "GetRegistrySubKeyAndValueNames", "Reboot", "None" ] )
+}
diff --git a/csharp/ql/src/experimental/Security Features/campaign/Solorigate/SwallowEverythingExceptionHandler.qhelp b/csharp/ql/src/experimental/Security Features/campaign/Solorigate/SwallowEverythingExceptionHandler.qhelp
new file mode 100644
index 00000000000..83fa8f8c58c
--- /dev/null
+++ b/csharp/ql/src/experimental/Security Features/campaign/Solorigate/SwallowEverythingExceptionHandler.qhelp	
@@ -0,0 +1,12 @@
+<!DOCTYPE qhelp PUBLIC
+  "-//Semmle//qhelp//EN"
+  "qhelp.dtd">
+<qhelp>
+  <overview>
+    <p>The malicious code was wrapped in generic exception catch blocks that lacked any statements</p>
+    <p>This query detects all generic exception empty catch blocks, but it is strongly suggested that the results for cs/catch-of-all-exceptions also be reviewed in the event that a malicious swallow everything exception handler was not empty</p>
+  </overview>
+
+  <include src="Solorigate.qhelp" />
+
+</qhelp>
\ No newline at end of file
diff --git a/csharp/ql/src/experimental/Security Features/campaign/Solorigate/SwallowEverythingExceptionHandler.ql b/csharp/ql/src/experimental/Security Features/campaign/Solorigate/SwallowEverythingExceptionHandler.ql
new file mode 100644
index 00000000000..f481956883c
--- /dev/null
+++ b/csharp/ql/src/experimental/Security Features/campaign/Solorigate/SwallowEverythingExceptionHandler.ql	
@@ -0,0 +1,30 @@
+/**
+ * @name Looks for use of a Swallow Everything empty catch block
+ * @description Possible indication of Solorigate. The maliciously inserted source was wrapped in a Swallow Everything catch to hide any runtime exceptions
+ * @kind problem
+ * @tags security
+ *       solorigate
+ * @precision high
+ * @id cs/solorigate/swallow-everything-exception
+ * @problem.severity error
+ */
+
+import csharp
+import Solorigate
+import semmle.code.csharp.frameworks.System
+
+class GenericCatchClause extends CatchClause {
+  GenericCatchClause() {
+    this instanceof GeneralCatchClause
+    or
+    this =
+      any(SpecificCatchClause scc |
+        scc.getCaughtExceptionType() instanceof SystemExceptionClass and
+        not scc.hasFilterClause()
+      )
+  }
+}
+
+from GenericCatchClause gcc
+where gcc.getBlock().getNumberOfStmts() = 0
+select gcc, "Empty Swallow Everything Exception."
diff --git a/csharp/ql/src/microsoft/code/csharp/Cryptography/NonCryptographicHashes.qll b/csharp/ql/src/microsoft/code/csharp/Cryptography/NonCryptographicHashes.qll
new file mode 100644
index 00000000000..4f611bac84b
--- /dev/null
+++ b/csharp/ql/src/microsoft/code/csharp/Cryptography/NonCryptographicHashes.qll
@@ -0,0 +1,108 @@
+/* *
+ * Predicates that help detect potential non-cryptographic hash functions
+ * 
+ * By themselves, non-cryptographic functions are common and not dangerous
+ * These predicates are intended for helping detect non-cryptographic hashes that may be used
+ * in a context that is not appropriate, or for detecting modified hash functions
+ */
+
+import csharp
+private import DataFlow
+private import semmle.code.csharp.dataflow.TaintTracking2
+
+predicate maybeANonCryptogrphicHash( Callable callable, Variable v, Expr xor, Expr mul, LoopStmt loop ) {
+	callable = loop.getEnclosingCallable() and
+	(
+	  maybeUsedInFNVFunction( v, xor, mul, loop) or
+	  maybeUsedInElfHashFunction( v, xor, mul, loop)
+	)
+}
+
+/** 
+ * Holds if the arguments are used in a way that resembles a FNV hash function
+ * where there is a loop statement `loop` where the variable `v` is used in an xor `xor` expression
+ * followed by a multiplication `mul` expression.
+ */
+predicate maybeUsedInFNVFunction( Variable v, Expr xor, Expr mul, LoopStmt loop) {
+	exists( Expr e1, Expr e2  | 
+		exists( Operation axore, Operation amule | 
+			xor = axore and mul = amule |
+			e1.getAChild*() = v.getAnAccess() and
+			e2.getAChild*() = v.getAnAccess() and
+			e1 = axore.getAnOperand() and
+			e2 = amule.getAnOperand() and
+			axore.getAControlFlowNode().getASuccessor*() = amule.getAControlFlowNode() and
+			(axore instanceof AssignXorExpr or axore instanceof BitwiseXorExpr) and
+			(amule instanceof AssignMulExpr or amule instanceof MulExpr)
+		) 
+  )
+  and loop.getAChild*() = mul.getEnclosingStmt()
+  and loop.getAChild*() = xor.getEnclosingStmt()
+}
+
+/** 
+ * Holds if the arguments are used in a way that resembles an Elf-Hash hash function
+ * where there is a loop statement `loop` where the variable `v` is used in an xor `xor` expression
+ * followed by an addition `add` expression.
+ */
+predicate maybeUsedInElfHashFunction(Variable v, Expr xorExpr, Expr addExpr, LoopStmt loop) {
+	exists( Expr e1, Operation add, Expr e2, AssignExpr addAssign, Operation xor, AssignExpr xorAssign, Operation notOp, AssignExpr notAssign |
+		xorExpr = xor and
+		addExpr = add and
+		( add instanceof AddExpr or add instanceof AssignAddExpr ) and
+  	    e1.getAChild*() = add.getAnOperand() and
+  		e1 instanceof BinaryBitwiseOperation and
+ 		e2 = e1.(BinaryBitwiseOperation).getLeftOperand() and
+ 		v = addAssign.getTargetVariable() and
+ 		addAssign.getAChild*() = add and
+ 		( xor instanceof BitwiseXorExpr or xor instanceof AssignXorExpr ) and
+		addAssign.getAControlFlowNode().getASuccessor*() = xor.getAControlFlowNode() and
+		xorAssign.getAChild*() = xor and
+		v = xorAssign.getTargetVariable() and
+		(notOp instanceof UnaryBitwiseOperation or notOp instanceof AssignBitwiseOperation ) and
+		xor.getAControlFlowNode().getASuccessor*() = notOp.getAControlFlowNode() and
+		notAssign.getAChild*() = notOp and
+		v = notAssign.getTargetVariable() and 
+		loop.getAChild*() = add.getEnclosingStmt() and
+  	    loop.getAChild*() = xor.getEnclosingStmt()
+	)
+}
+
+/**
+ * Any dataflow from any source to any sink, used internally
+ */
+private class AnyDataFlow extends TaintTracking2::Configuration {
+  AnyDataFlow() {
+    this = "DataFlowFromDataGatheringMethodToVariable"
+  }
+
+  override predicate isSource(Node source) {
+    any()
+  }
+
+  override predicate isSink(Node sink)
+  {
+    any()
+  }
+}
+
+/** 
+ * Holds if the Callable is a function that behaves like a non-cryptographic hash
+ * where the parameter `param` is likely the message to hash
+ */
+predicate isCallableAPotentialNonCryptographicHashFunction( Callable callable, Parameter param) {
+	exists( Variable v, Expr op1, Expr op2, LoopStmt loop |
+	  maybeANonCryptogrphicHash(callable, v, op1, op2, loop)
+	  and callable.getAParameter() = param
+	  and ( 
+	    param.getAnAccess() = op1.(Operation).getAnOperand().getAChild*() or
+	    param.getAnAccess() = op2.(Operation).getAnOperand().getAChild*() or
+	    exists( AnyDataFlow config, Node source, Node sink |
+	  	  ( sink.asExpr() = op1.(Operation).getAChild*() or
+	  	    sink.asExpr() = op2.(Operation).getAChild*()) and
+	  	  source.asExpr() = param.getAnAccess() and
+	      config.hasFlow(source, sink)
+	    )
+	  )
+	)
+}

From 86a2aa97ec4053740182347f19408032b900b62c Mon Sep 17 00:00:00 2001
From: "Raul Garcia (MSFT)" <raul.garcia@microsoft.com>
Date: Wed, 3 Feb 2021 15:48:16 -0800
Subject: [PATCH 103/429] Fixing incorrect file extension & adding suite

---
 csharp/ql/src/codeql-suites/solorigate.qls                    | 4 ++++
 ...eFunctionCall.qlhelp => DangerousNativeFunctionCall.qhelp} | 0
 ...oHashTaintFlow.qlhelp => ProcessNameToHashTaintFlow.qhelp} | 0
 3 files changed, 4 insertions(+)
 create mode 100644 csharp/ql/src/codeql-suites/solorigate.qls
 rename csharp/ql/src/experimental/Security Features/backdoor/{DangerousNativeFunctionCall.qlhelp => DangerousNativeFunctionCall.qhelp} (100%)
 rename csharp/ql/src/experimental/Security Features/backdoor/{ProcessNameToHashTaintFlow.qlhelp => ProcessNameToHashTaintFlow.qhelp} (100%)

diff --git a/csharp/ql/src/codeql-suites/solorigate.qls b/csharp/ql/src/codeql-suites/solorigate.qls
new file mode 100644
index 00000000000..f6e575bb700
--- /dev/null
+++ b/csharp/ql/src/codeql-suites/solorigate.qls
@@ -0,0 +1,4 @@
+- description: Queries related to Solorigate
+- qlpack: codeql-csharp
+- include:
+    tags contain: solorigate
diff --git a/csharp/ql/src/experimental/Security Features/backdoor/DangerousNativeFunctionCall.qlhelp b/csharp/ql/src/experimental/Security Features/backdoor/DangerousNativeFunctionCall.qhelp
similarity index 100%
rename from csharp/ql/src/experimental/Security Features/backdoor/DangerousNativeFunctionCall.qlhelp
rename to csharp/ql/src/experimental/Security Features/backdoor/DangerousNativeFunctionCall.qhelp
diff --git a/csharp/ql/src/experimental/Security Features/backdoor/ProcessNameToHashTaintFlow.qlhelp b/csharp/ql/src/experimental/Security Features/backdoor/ProcessNameToHashTaintFlow.qhelp
similarity index 100%
rename from csharp/ql/src/experimental/Security Features/backdoor/ProcessNameToHashTaintFlow.qlhelp
rename to csharp/ql/src/experimental/Security Features/backdoor/ProcessNameToHashTaintFlow.qhelp

From 53ab787efc28a07949ad08cbcef203023fd8ad3b Mon Sep 17 00:00:00 2001
From: "Raul Garcia (MSFT)" <raul.garcia@microsoft.com>
Date: Wed, 3 Feb 2021 15:54:47 -0800
Subject: [PATCH 104/429] Fixed format

---
 .../backdoor/DangerousNativeFunctionCall.ql   |  23 +-
 .../backdoor/PotentialTimeBomb.ql             | 157 +++++----
 .../backdoor/ProcessNameToHashTaintFlow.ql    |  44 ++-
 .../Solorigate/ModifedFnvFunctionDetection.ql |  32 +-
 .../NumberOfKnownCommandsAboveThreshold.ql    |  12 +-
 .../NumberOfKnownHashesAboveThreshold.ql      |  17 +-
 .../NumberOfKnownLiteralsAboveThreshold.ql    |  17 +-
 .../NumberOfKnownMethodNamesAboveThreshold.ql |  17 +-
 .../campaign/Solorigate/Solorigate.qll        | 331 +++++++++++-------
 .../Cryptography/NonCryptographicHashes.qll   | 141 ++++----
 10 files changed, 436 insertions(+), 355 deletions(-)

diff --git a/csharp/ql/src/experimental/Security Features/backdoor/DangerousNativeFunctionCall.ql b/csharp/ql/src/experimental/Security Features/backdoor/DangerousNativeFunctionCall.ql
index cbc42c41ddb..cc8f0bda367 100644
--- a/csharp/ql/src/experimental/Security Features/backdoor/DangerousNativeFunctionCall.ql	
+++ b/csharp/ql/src/experimental/Security Features/backdoor/DangerousNativeFunctionCall.ql	
@@ -20,34 +20,35 @@ predicate isDangerousMethod(Method m) {
   m.getName().matches("LogonUser%") or
   m.getName().matches("WNetAddConnection%") or
   m.getName() = "DeviceIoControl" or
-  m.getName().matches ("LoadLibrary%") or
+  m.getName().matches("LoadLibrary%") or
   m.getName() = "GetProcAddress" or
-  m.getName().matches ("CreateProcess%") or
-  m.getName().matches ("InitiateSystemShutdown%") or
+  m.getName().matches("CreateProcess%") or
+  m.getName().matches("InitiateSystemShutdown%") or
   m.getName() = "GetCurrentProcess" or
   m.getName() = "GetCurrentProcessToken" or
   m.getName() = "GetCurrentThreadToken" or
   m.getName() = "GetCurrentThreadEffectiveToken" or
   m.getName() = "OpenThreadToken" or
   m.getName() = "SetTokenInformation" or
-  m.getName().matches ("LookupPrivilegeValue%") or
+  m.getName().matches("LookupPrivilegeValue%") or
   m.getName() = "AdjustTokenPrivileges" or
   m.getName() = "SetProcessPrivilege" or
   m.getName() = "ImpersonateLoggedOnUser" or
-  m.getName().matches ("Add%Ace%")
+  m.getName().matches("Add%Ace%")
 }
 
 predicate isExternMethod(Method externMethod) {
   externMethod.isExtern()
   or
   externMethod.getAnAttribute().getType() instanceof
-      SystemRuntimeInteropServicesDllImportAttributeClass
+    SystemRuntimeInteropServicesDllImportAttributeClass
   or
   externMethod.getDeclaringType().getAnAttribute().getType() instanceof
-      SystemRuntimeInteropServicesComImportAttributeClass
+    SystemRuntimeInteropServicesComImportAttributeClass
 }
-  
+
 from MethodCall mc
-where isExternMethod(mc.getTarget()) 
-and isDangerousMethod(mc.getTarget())
-select mc, "Call to an external method $@", mc, mc.toString()
\ No newline at end of file
+where
+  isExternMethod(mc.getTarget()) and
+  isDangerousMethod(mc.getTarget())
+select mc, "Call to an external method $@", mc, mc.toString()
diff --git a/csharp/ql/src/experimental/Security Features/backdoor/PotentialTimeBomb.ql b/csharp/ql/src/experimental/Security Features/backdoor/PotentialTimeBomb.ql
index 367ec6955e2..3c83c0145f0 100644
--- a/csharp/ql/src/experimental/Security Features/backdoor/PotentialTimeBomb.ql	
+++ b/csharp/ql/src/experimental/Security Features/backdoor/PotentialTimeBomb.ql	
@@ -14,140 +14,139 @@ import DataFlow
 
 /**
  * Class that will help to find the source for the trigger file-modification date.
- * 
+ *
  * May be extended as new patterns for similar time bombs are found.
  */
 class GetLastWriteTimeMethod extends Method {
-	GetLastWriteTimeMethod() {
-		this.getQualifiedName() in [ "System.IO.File.GetLastWriteTime", "System.IO.File.GetFileCreationTime", "System.IO.File.GetCreationTimeUtc", "System.IO.File.GetLastAccessTimeUtc" ]
-	}
+  GetLastWriteTimeMethod() {
+    this.getQualifiedName() in [
+        "System.IO.File.GetLastWriteTime", "System.IO.File.GetFileCreationTime",
+        "System.IO.File.GetCreationTimeUtc", "System.IO.File.GetLastAccessTimeUtc"
+      ]
+  }
 }
 
 /**
  * Abstracts `System.DateTime` structure
  */
 class DateTimeStruct extends Struct {
-	DateTimeStruct() {
-		this.getQualifiedName() = "System.DateTime"
-	}
-	
-	/**
-	 * holds if the Callable is used for DateTime arithmetic operations
-	 */
-	Callable getATimeSpanArtithmeticCallable() {
-		( result = this.getAnOperator() or result = this.getAMethod()) and
-		( result.getName() in ["Add", "AddDays", "AddHours", "AddMilliseconds", "AddMinutes", "AddMonths", "AddSeconds", "AddTicks", "AddYears", "+", "-"] )
-	}
+  DateTimeStruct() { this.getQualifiedName() = "System.DateTime" }
 
-	/**
-	 * Holds if the Callable is used for DateTime comparision
-	 */
-	Callable getAComparisonCallable() {
-		( result = this.getAnOperator() or result = this.getAMethod()) and
-		( result.getName() in ["Compare", "CompareTo", "Equals", "==", "!=", "<", ">", "<=", ">="] )
-	}
+  /**
+   * holds if the Callable is used for DateTime arithmetic operations
+   */
+  Callable getATimeSpanArtithmeticCallable() {
+    (result = this.getAnOperator() or result = this.getAMethod()) and
+    result.getName() in [
+        "Add", "AddDays", "AddHours", "AddMilliseconds", "AddMinutes", "AddMonths", "AddSeconds",
+        "AddTicks", "AddYears", "+", "-"
+      ]
+  }
+
+  /**
+   * Holds if the Callable is used for DateTime comparision
+   */
+  Callable getAComparisonCallable() {
+    (result = this.getAnOperator() or result = this.getAMethod()) and
+    result.getName() in ["Compare", "CompareTo", "Equals", "==", "!=", "<", ">", "<=", ">="]
+  }
 }
 
 /**
- * Dataflow configuration to find flow from a GetLastWriteTime source to a DateTime arithmetic operation 
+ * Dataflow configuration to find flow from a GetLastWriteTime source to a DateTime arithmetic operation
  */
 private class FlowsFromGetLastWriteTimeConfigToTimeSpanArithmeticCallable extends TaintTracking::Configuration {
   FlowsFromGetLastWriteTimeConfigToTimeSpanArithmeticCallable() {
     this = "FlowsFromGetLastWriteTimeConfigToTimeSpanArithmeticCallable"
   }
 
-  override
-  predicate isSource(DataFlow::Node source) {
-    exists( Call call, GetLastWriteTimeMethod m |
-    	m.getACall() = call and
-    	source.asExpr() = call
+  override predicate isSource(DataFlow::Node source) {
+    exists(Call call, GetLastWriteTimeMethod m |
+      m.getACall() = call and
+      source.asExpr() = call
     )
   }
 
-  override
-  predicate isSink(DataFlow::Node sink) {
-    exists( Call call, DateTimeStruct dateTime |
-    	call.getAChild*() = sink.asExpr() and
-    	call = dateTime.getATimeSpanArtithmeticCallable().getACall()
+  override predicate isSink(DataFlow::Node sink) {
+    exists(Call call, DateTimeStruct dateTime |
+      call.getAChild*() = sink.asExpr() and
+      call = dateTime.getATimeSpanArtithmeticCallable().getACall()
     )
   }
 }
 
 /**
- * Dataflow configuration to find flow from a DateTime arithmetic operation to a DateTime comparison operation 
+ * Dataflow configuration to find flow from a DateTime arithmetic operation to a DateTime comparison operation
  */
 private class FlowsFromTimeSpanArithmeticToTimeComparisonCallable extends TaintTracking::Configuration {
   FlowsFromTimeSpanArithmeticToTimeComparisonCallable() {
     this = "FlowsFromTimeSpanArithmeticToTimeComparisonCallable"
   }
 
-  override
-  predicate isSource(DataFlow::Node source) {
-    exists( DateTimeStruct dateTime, Call call |
-    	source.asExpr() = call | 
-    	call = dateTime.getATimeSpanArtithmeticCallable().getACall()
+  override predicate isSource(DataFlow::Node source) {
+    exists(DateTimeStruct dateTime, Call call | source.asExpr() = call |
+      call = dateTime.getATimeSpanArtithmeticCallable().getACall()
     )
   }
 
-  override
-  predicate isSink(DataFlow::Node sink) {
-    exists( Call call, DateTimeStruct dateTime |
-    	call.getAnArgument().getAChild*() = sink.asExpr() and
-    	call = dateTime.getAComparisonCallable().getACall()
+  override predicate isSink(DataFlow::Node sink) {
+    exists(Call call, DateTimeStruct dateTime |
+      call.getAnArgument().getAChild*() = sink.asExpr() and
+      call = dateTime.getAComparisonCallable().getACall()
     )
-  
   }
 }
 
 /**
- * Dataflow configuration to find flow from a DateTime comparison operation to a Selection Statement (such as an If) 
+ * Dataflow configuration to find flow from a DateTime comparison operation to a Selection Statement (such as an If)
  */
 private class FlowsFromTimeComparisonCallableToSelectionStatementCondition extends TaintTracking::Configuration {
   FlowsFromTimeComparisonCallableToSelectionStatementCondition() {
     this = "FlowsFromTimeComparisonCallableToSelectionStatementCondition"
   }
 
-  override
-  predicate isSource(DataFlow::Node source) {
-    exists( DateTimeStruct dateTime, Call call |
-    	source.asExpr() = call | 
-    	call = dateTime.getAComparisonCallable().getACall()
+  override predicate isSource(DataFlow::Node source) {
+    exists(DateTimeStruct dateTime, Call call | source.asExpr() = call |
+      call = dateTime.getAComparisonCallable().getACall()
     )
   }
 
-  override
-  predicate isSink(DataFlow::Node sink) {
-    exists( SelectionStmt sel |
-    	sel.getCondition().getAChild*() = sink.asExpr()
-    )
-  
+  override predicate isSink(DataFlow::Node sink) {
+    exists(SelectionStmt sel | sel.getCondition().getAChild*() = sink.asExpr())
   }
 }
 
 /**
  * Holds if the last file modification date from the call to getLastWriteTimeMethodCall will be used in a DateTime arithmetic operation timeArithmeticCall,
- * which is then used for a DateTime comparison timeComparisonCall and the result flows to a Selection statement which is likely a TimeBomb trigger 
+ * which is then used for a DateTime comparison timeComparisonCall and the result flows to a Selection statement which is likely a TimeBomb trigger
  */
-predicate isPotentialTimeBomb( Call getLastWriteTimeMethodCall, Call timeArithmeticCall, Call timeComparisonCall, SelectionStmt selStatement ) {
-	exists( FlowsFromGetLastWriteTimeConfigToTimeSpanArithmeticCallable config1, Node sink, DateTimeStruct dateTime,
-			FlowsFromTimeSpanArithmeticToTimeComparisonCallable config2, Node sink2,
-			FlowsFromTimeComparisonCallableToSelectionStatementCondition config3, Node sink3 |
-  	  	config1.hasFlow(exprNode(getLastWriteTimeMethodCall), sink) and 
-		timeArithmeticCall = dateTime.getATimeSpanArtithmeticCallable().getACall() and
-		timeArithmeticCall.getAChild*() = sink.asExpr() and 
-		config2.hasFlow(exprNode(timeArithmeticCall), sink2) and 
-		timeComparisonCall = dateTime.getAComparisonCallable().getACall() and 
-		timeComparisonCall.getAnArgument().getAChild*() = sink2.asExpr() and
-		config3.hasFlow(exprNode(timeComparisonCall), sink3) and
-		selStatement.getCondition().getAChild*() = sink3.asExpr()
-	)
+predicate isPotentialTimeBomb(
+  Call getLastWriteTimeMethodCall, Call timeArithmeticCall, Call timeComparisonCall,
+  SelectionStmt selStatement
+) {
+  exists(
+    FlowsFromGetLastWriteTimeConfigToTimeSpanArithmeticCallable config1, Node sink,
+    DateTimeStruct dateTime, FlowsFromTimeSpanArithmeticToTimeComparisonCallable config2,
+    Node sink2, FlowsFromTimeComparisonCallableToSelectionStatementCondition config3, Node sink3
+  |
+    config1.hasFlow(exprNode(getLastWriteTimeMethodCall), sink) and
+    timeArithmeticCall = dateTime.getATimeSpanArtithmeticCallable().getACall() and
+    timeArithmeticCall.getAChild*() = sink.asExpr() and
+    config2.hasFlow(exprNode(timeArithmeticCall), sink2) and
+    timeComparisonCall = dateTime.getAComparisonCallable().getACall() and
+    timeComparisonCall.getAnArgument().getAChild*() = sink2.asExpr() and
+    config3.hasFlow(exprNode(timeComparisonCall), sink3) and
+    selStatement.getCondition().getAChild*() = sink3.asExpr()
+  )
 }
 
-from Call getLastWriteTimeMethodCall, Call timeArithmeticCall, Call timeComparisonCall, SelectionStmt selStatement
-where isPotentialTimeBomb( getLastWriteTimeMethodCall, timeArithmeticCall, timeComparisonCall, selStatement )
-select selStatement, "Possible TimeBomb logic triggered by $@ that takes into account $@ from the $@ as part of the potential trigger."
-	, timeComparisonCall, timeComparisonCall.toString() 
- 	, timeArithmeticCall, "an offset"
-   	,getLastWriteTimeMethodCall, "last modification time of a file"
- 
-
+from
+  Call getLastWriteTimeMethodCall, Call timeArithmeticCall, Call timeComparisonCall,
+  SelectionStmt selStatement
+where
+  isPotentialTimeBomb(getLastWriteTimeMethodCall, timeArithmeticCall, timeComparisonCall,
+    selStatement)
+select selStatement,
+  "Possible TimeBomb logic triggered by $@ that takes into account $@ from the $@ as part of the potential trigger.",
+  timeComparisonCall, timeComparisonCall.toString(), timeArithmeticCall, "an offset",
+  getLastWriteTimeMethodCall, "last modification time of a file"
diff --git a/csharp/ql/src/experimental/Security Features/backdoor/ProcessNameToHashTaintFlow.ql b/csharp/ql/src/experimental/Security Features/backdoor/ProcessNameToHashTaintFlow.ql
index 63085f75ddc..4b1c657eff3 100644
--- a/csharp/ql/src/experimental/Security Features/backdoor/ProcessNameToHashTaintFlow.ql	
+++ b/csharp/ql/src/experimental/Security Features/backdoor/ProcessNameToHashTaintFlow.ql	
@@ -14,44 +14,42 @@ import DataFlow
 import microsoft.code.csharp.Cryptography.NonCryptographicHashes
 
 class DataFlowFromMethodToHash extends TaintTracking::Configuration {
-	DataFlowFromMethodToHash() {
-		this = "DataFlowFromMethodNameToHashFunction"
-	}
+  DataFlowFromMethodToHash() { this = "DataFlowFromMethodNameToHashFunction" }
+
   /**
    * Holds if `source` is a relevant data flow source.
    */
-  override predicate isSource(Node source)
-  {
-    isSuspiciousPropertyName(source.asExpr())
-  }
+  override predicate isSource(Node source) { isSuspiciousPropertyName(source.asExpr()) }
 
   /**
    * Holds if `sink` is a relevant data flow sink.
    */
-  override predicate isSink(Node sink)
-  {
-    isGetHash(sink.asExpr())
-  }
+  override predicate isSink(Node sink) { isGetHash(sink.asExpr()) }
 }
 
 predicate isGetHash(Expr arg) {
-  exists (MethodCall mc | 
-  (mc.getTarget().getName().matches ("%Hash%") or
-   mc.getTarget().getName().regexpMatch("Md[4-5]|Sha[1-9]{1,3}")
+  exists(MethodCall mc |
+    (
+      mc.getTarget().getName().matches("%Hash%") or
+      mc.getTarget().getName().regexpMatch("Md[4-5]|Sha[1-9]{1,3}")
+    ) and
+    mc.getAnArgument() = arg
+  )
+  or
+  exists(Callable callable, Parameter param, Call call, int i |
+    isCallableAPotentialNonCryptographicHashFunction(callable, param) and
+    callable.getParameter(i) = param and
+    call = callable.getACall() and
+    call.getArgument(i) = arg
   )
-  and 
-  mc.getAnArgument() = arg) or 
-  exists( Callable callable, Parameter param, Call call, int i |
-  	isCallableAPotentialNonCryptographicHashFunction( callable, param ) and 
-  	callable.getParameter(i) = param and
-  	call = callable.getACall() and
-  	call.getArgument(i) = arg)
 }
 
 predicate isSuspiciousPropertyName(PropertyRead pr) {
-	pr.getTarget().getQualifiedName() = "System.Diagnostics.Process.ProcessName"	
+  pr.getTarget().getQualifiedName() = "System.Diagnostics.Process.ProcessName"
 }
 
 from Node src, Node sink, DataFlowFromMethodToHash conf
 where conf.hasFlow(src, sink)
-select src, "The hash is calculated on the process name $@, may be related to a backdoor. Please review the code for possible malicious intent.", sink, "here"
\ No newline at end of file
+select src,
+  "The hash is calculated on the process name $@, may be related to a backdoor. Please review the code for possible malicious intent.",
+  sink, "here"
diff --git a/csharp/ql/src/experimental/Security Features/campaign/Solorigate/ModifedFnvFunctionDetection.ql b/csharp/ql/src/experimental/Security Features/campaign/Solorigate/ModifedFnvFunctionDetection.ql
index e8e2f42dfe4..2e94ea4ad4e 100644
--- a/csharp/ql/src/experimental/Security Features/campaign/Solorigate/ModifedFnvFunctionDetection.ql	
+++ b/csharp/ql/src/experimental/Security Features/campaign/Solorigate/ModifedFnvFunctionDetection.ql	
@@ -14,19 +14,19 @@ import Solorigate
 import microsoft.code.csharp.Cryptography.NonCryptographicHashes
 
 from Variable v, Literal l, LoopStmt loop, Expr additional_xor
-where maybeUsedInFNVFunction( v, _, _, loop)
-	and (
-		exists( BitwiseXorExpr xor2 |
-		 	xor2.getAnOperand() = l and additional_xor = xor2 |
-	 		loop.getAControlFlowNode().getASuccessor*() = xor2.getAControlFlowNode()
-	 		and xor2.getAnOperand() = v.getAnAccess()
-	 	) or exists( AssignXorExpr xor2 |
-		 	xor2.getAnOperand() = l and additional_xor = xor2  |
-	 		loop.getAControlFlowNode().getASuccessor*() = xor2.getAControlFlowNode()
-	 		and xor2.getAnOperand() = v.getAnAccess()
-	 	)
-	 )
- select l, "The variable $@ seems to be used as part of a FNV-like hash calculation, that is modified by an additional $@ expression using literal $@."
-	, v, v.toString()
-	, additional_xor, "xor"
-	, l, l.toString()
+where
+  maybeUsedInFNVFunction(v, _, _, loop) and
+  (
+    exists(BitwiseXorExpr xor2 | xor2.getAnOperand() = l and additional_xor = xor2 |
+      loop.getAControlFlowNode().getASuccessor*() = xor2.getAControlFlowNode() and
+      xor2.getAnOperand() = v.getAnAccess()
+    )
+    or
+    exists(AssignXorExpr xor2 | xor2.getAnOperand() = l and additional_xor = xor2 |
+      loop.getAControlFlowNode().getASuccessor*() = xor2.getAControlFlowNode() and
+      xor2.getAnOperand() = v.getAnAccess()
+    )
+  )
+select l,
+  "The variable $@ seems to be used as part of a FNV-like hash calculation, that is modified by an additional $@ expression using literal $@.",
+  v, v.toString(), additional_xor, "xor", l, l.toString()
diff --git a/csharp/ql/src/experimental/Security Features/campaign/Solorigate/NumberOfKnownCommandsAboveThreshold.ql b/csharp/ql/src/experimental/Security Features/campaign/Solorigate/NumberOfKnownCommandsAboveThreshold.ql
index 154d115a39f..f60d4232004 100644
--- a/csharp/ql/src/experimental/Security Features/campaign/Solorigate/NumberOfKnownCommandsAboveThreshold.ql	
+++ b/csharp/ql/src/experimental/Security Features/campaign/Solorigate/NumberOfKnownCommandsAboveThreshold.ql	
@@ -1,5 +1,5 @@
 /**
- * @name Number of Solorigate-related command names in enum is above the threshold 
+ * @name Number of Solorigate-related command names in enum is above the threshold
  * @description The enum contains several values that look similar to command and control command names, which may indicate that the code may have been tampered by an external agent.
  *      It is recommended to review the code and verify that there is no unexpected code in this project.
  * @kind problem
@@ -14,7 +14,9 @@ import csharp
 import Solorigate
 
 from Enum e, int total
-where total =  countSolorigateCommandInEnum(e)
-	and total > 10
-select e, "The enum $@ may be related to Solorigate. It matches " + total + " of the values used for commands in the enum."
-	, e, e.getName()
\ No newline at end of file
+where
+  total = countSolorigateCommandInEnum(e) and
+  total > 10
+select e,
+  "The enum $@ may be related to Solorigate. It matches " + total +
+    " of the values used for commands in the enum.", e, e.getName()
diff --git a/csharp/ql/src/experimental/Security Features/campaign/Solorigate/NumberOfKnownHashesAboveThreshold.ql b/csharp/ql/src/experimental/Security Features/campaign/Solorigate/NumberOfKnownHashesAboveThreshold.ql
index 6d4f7818a9e..830a9b48c2a 100644
--- a/csharp/ql/src/experimental/Security Features/campaign/Solorigate/NumberOfKnownHashesAboveThreshold.ql	
+++ b/csharp/ql/src/experimental/Security Features/campaign/Solorigate/NumberOfKnownHashesAboveThreshold.ql	
@@ -1,5 +1,5 @@
 /**
- * @name Number of Solorigate-related Hashes as literals is above the threshold 
+ * @name Number of Solorigate-related Hashes as literals is above the threshold
  * @description The total number of Solorigate-related hash literals found in the code is above a threshold, which may indicate that the code may have been tampered by an external agent.
  *      It is recommended to review the code and verify that there is no unexpected code in this project, however it is highly unlikely the hash values would be present coincideentally
  * @kind problem
@@ -13,11 +13,12 @@
 import csharp
 import Solorigate
 
-
 from Literal l, int total, int threshold
-where total = countSolorigateSuspiciousHash()
-	and threshold = 5 // out of ~200 known literals
-	and isSolorigateHash(l)
-	and total > threshold
-select l, "The Hash literal $@ may be related to the Solorigate campaign. Total count = " + total + " is above the threshold " + threshold + "."
-	, l, l.getValue()
\ No newline at end of file
+where
+  total = countSolorigateSuspiciousHash() and
+  threshold = 5 and // out of ~200 known literals
+  isSolorigateHash(l) and
+  total > threshold
+select l,
+  "The Hash literal $@ may be related to the Solorigate campaign. Total count = " + total +
+    " is above the threshold " + threshold + ".", l, l.getValue()
diff --git a/csharp/ql/src/experimental/Security Features/campaign/Solorigate/NumberOfKnownLiteralsAboveThreshold.ql b/csharp/ql/src/experimental/Security Features/campaign/Solorigate/NumberOfKnownLiteralsAboveThreshold.ql
index d736e6fbf42..a280fefddfa 100644
--- a/csharp/ql/src/experimental/Security Features/campaign/Solorigate/NumberOfKnownLiteralsAboveThreshold.ql	
+++ b/csharp/ql/src/experimental/Security Features/campaign/Solorigate/NumberOfKnownLiteralsAboveThreshold.ql	
@@ -1,5 +1,5 @@
 /**
- * @name Number of Solorigate-related literals is above the threshold 
+ * @name Number of Solorigate-related literals is above the threshold
  * @description The total number of Solorigate-related literals found in the code is above a threshold, which may indicate that the code may have been tampered by an external agent.
  *      It is recommended to review the code and verify that there is no unexpected code in this project.
  * @kind problem
@@ -13,11 +13,12 @@
 import csharp
 import Solorigate
 
-
 from Literal l, int total, int threshold
-where total = countSolorigateSuspiciousLiterals()
-	and threshold = 30 // out of ~150 known literals
-	and isSolorigateLiteral(l)
-	and total > threshold
-select l, "The literal $@ may be related to the Solorigate campaign. Total count = " + total + " is above the threshold " + threshold + "."
-	, l, l.getValue()
\ No newline at end of file
+where
+  total = countSolorigateSuspiciousLiterals() and
+  threshold = 30 and // out of ~150 known literals
+  isSolorigateLiteral(l) and
+  total > threshold
+select l,
+  "The literal $@ may be related to the Solorigate campaign. Total count = " + total +
+    " is above the threshold " + threshold + ".", l, l.getValue()
diff --git a/csharp/ql/src/experimental/Security Features/campaign/Solorigate/NumberOfKnownMethodNamesAboveThreshold.ql b/csharp/ql/src/experimental/Security Features/campaign/Solorigate/NumberOfKnownMethodNamesAboveThreshold.ql
index f38a2f2dfb8..277d8c745bd 100644
--- a/csharp/ql/src/experimental/Security Features/campaign/Solorigate/NumberOfKnownMethodNamesAboveThreshold.ql	
+++ b/csharp/ql/src/experimental/Security Features/campaign/Solorigate/NumberOfKnownMethodNamesAboveThreshold.ql	
@@ -1,5 +1,5 @@
 /**
- * @name Number of Solorigate-related method names is above the threshold 
+ * @name Number of Solorigate-related method names is above the threshold
  * @description The total number of Solorigate-related method names found in the code is above a threshold, which may indicate that the code may have been tampered by an external agent.
  *      It is recommended to review the code and verify that there is no unexpected code in this project.
  * @kind problem
@@ -13,11 +13,12 @@
 import csharp
 import Solorigate
 
-
 from Method m, int total, int threshold
-where total = countSolorigateSuspiciousMethodNames() 
-	and threshold = 50 // out of ~ 100 known names
-	and isSolorigateSuspiciousMethodName(m)
-	and total > threshold
-select m, "The method $@ may be related to Solorigate. Total count = " + total + " is above the threshold " + threshold + "."
-	, m, m.getName()
\ No newline at end of file
+where
+  total = countSolorigateSuspiciousMethodNames() and
+  threshold = 50 and // out of ~ 100 known names
+  isSolorigateSuspiciousMethodName(m) and
+  total > threshold
+select m,
+  "The method $@ may be related to Solorigate. Total count = " + total + " is above the threshold " +
+    threshold + ".", m, m.getName()
diff --git a/csharp/ql/src/experimental/Security Features/campaign/Solorigate/Solorigate.qll b/csharp/ql/src/experimental/Security Features/campaign/Solorigate/Solorigate.qll
index 77cd4c0fe2e..15444930fad 100644
--- a/csharp/ql/src/experimental/Security Features/campaign/Solorigate/Solorigate.qll	
+++ b/csharp/ql/src/experimental/Security Features/campaign/Solorigate/Solorigate.qll	
@@ -1,6 +1,5 @@
-/* *
+/*
  * Provides reusable predicates related to Solorigate
- * 
  */
 
 import csharp
@@ -8,156 +7,236 @@ import csharp
 /*
  * Returns a list of Literals representing process hashes.  These are unlikely to be recycled between campaigns, so not expected to have hits, but if present
  * are almost certainly an indicator of compromise
- * This data was extracted from https://github.com/ITAYC0HEN/SUNBURST-Cracked/tree/a01f358965525bee34ad026acd9dfda3d488fdd8 
+ * This data was extracted from https://github.com/ITAYC0HEN/SUNBURST-Cracked/tree/a01f358965525bee34ad026acd9dfda3d488fdd8
  * and https://github.com/fireeye/sunburst_countermeasures/blob/main/fnv1a_xor_hashes.txt
  */
+
 private string solorigateSuspiciousHashes() {
-	result = 	[   
-		"10063651499895178962",  "10235971842993272939", "10296494671777307979", "10336842116636872171", "10374841591685794123", "10393903804869831898", "10463926208560207521", 
-		"10484659978517092504", "10501212300031893463", "10545868833523019926", "10657751674541025650", "106672141413120087", "10734127004244879770", "10829648878147112121", 
-		"1099511628211", "11073283311104541690", "1109067043404435916", "11109294216876344399", "11266044540366291518", "11385275378891906608", "11771945869106552231", "11801746708619571308", 
-		"11818825521849580123", "11913842725949116895", "12027963942392743532", "12094027092655598256", "12343334044036541897", "12445177985737237804", "12445232961318634374", 
-		"12574535824074203265", "12679195163651834776", "12709986806548166638", "12718416789200275332", "12785322942775634499", "12790084614253405985", "12969190449276002545", 
-		"13014156621614176974", "13029357933491444455",  "13135068273077306806", "13260224381505715848", "13316211011159594063", "13464308873961738403", "13544031715334011032", 
-		"13581776705111912829", "13599785766252827703", "13611051401579634621", "13611814135072561278", "13655261125244647696", "1367627386496056834", "1368907909245890092", "13693525876560827283", 
-		"13783346438774742614", "13799353263187722717", "13825071784440082496", "13852439084267373191", "13876356431472225791", "14055243717250701608", "14079676299181301772", "14095938998438966337", 
-		"14111374107076822891", "14193859431895170587", "14226582801651130532", "14243671177281069512", "14256853800858727521", "14480775929210717493", "14482658293117931546", 
-		"14513577387099045298", "14630721578341374856", "14695981039346656037", "14710585101020280896", "1475579823244607677", "14868920869169964081", "14968320160131875803", "14971809093655817917", 
-		"15039834196857999838", "15092207615430402812", "15114163911481793350", "15194901817027173566", "15267980678929160412",  "15457732070353984570", "15514036435533858158", 
-		"15535773470978271326", "15587050164583443069", "155978580751494388", "15695338751700748390", "15997665423159927228", "16066522799090129502", "16066651430762394116", "16112751343173365533", 
-		"16130138450758310172", "1614465773938842903", "16292685861617888592", "16335643316870329598", "16423314183614230717", "16570804352575357627", "1682585410644922036", "16858955978146406642", 
-		"16990567851129491937", "17017923349298346219", "17097380490166623672", "17109238199226571972",  "17204844226884380288", "17291806236368054941", "17351543633914244545", 
-		"17439059603042731363", "17574002783607647274", "17624147599670377042", "17633734304611248415", "17683972236092287897", "17849680105131524334", "17939405613729073960", "17956969551821596225", 
-		"17978774977754553159", "17984632978012874803", "17997967489723066537",  "18147627057830191163", "18150909006539876521", "18159703063075866524", "18246404330670877335", 
-		"18294908219222222902", "18392881921099771407",  "18446744073709551613", "191060519014405309", "2032008861530788751", 
-		"2128122064571842954", "2147483647", "2147745794", "2380224015317016190", "2478231962306073784", "2532538262737333146", 
-		"2589926981877829912", "2597124982561782591", "2600364143812063535", "2717025511528702475", "2734787258623754862", "27407921587843457", "2760663353550280147", 
-		"2797129108883749491", "2810460305047003196", "292198192373389586", "2934149816356927366",  "3045986759481489935", "3178468437029279937", "3200333496547938354", "3320026265773918739", 
-		"3320767229281015341", "3341747963119755850", "3407972863931386250", "3413052607651207697", "3413886037471417852", "3421197789791424393", "3421213182954201407", "3425260965299690882", 
-		"3538022140597504361", "3575761800716667678", "3588624367609827560", "3626142665768487764", "3642525650883269872", "3656637464651387014", "3660705254426876796", "3769837838875367802", 
-		"3778500091710709090", "3796405623695665524", "3869935012404164040", "3890769468012566366", "3890794756780010537", "397780960855462669", "4030236413975199654", "4088976323439621041", 
-		 "4454255944391929578", "4501656691368064027", "4578480846255629462", "4821863173800309721", "4931721628717906635", "506634811745884560", "5132256620104998637", 
-		"5183687599225757871", "521157249538507889", "5219431737322569038",  "541172992193764396", "5415426428750045503", "5449730069165757263", "5587557070429522647", "5614586596107908838", 
-		"576626207276463000",  "5942282052525294911", "5945487981219695001", "5984963105389676759", "607197993339007484", 
-		"6088115528707848728", "6116246686670134098", "6180361713414290679", "6195833633417633900", "6274014997237900919", "640589622539783622", "6461429591783621719", "6491986958834001955", 
-		"6508141243778577344",  "6605813339339102567", "682250828679635420", "6827032273910657891", "6943102301517884811", "700598796416086955", "7080175711202577138", 
-		"7175363135479931834", "7315838824213522000", "7412338704062093516", "7516148236133302073", "7574774749059321801", "7701683279824397773", "7775177810774851294", "7810436520414958497", 
-		"7878537243757499832", "79089792725215063", "7982848972385914508", "8052533790968282297", "8129411991672431889", "8146185202538899243", "835151375515278827", "8381292265993977266", 
-		"8408095252303317471", "8473756179280619170", "8478833628889826985", "8612208440357175863", "8697424601205169055", "8698326794961817906",  "8709004393777297355", "8727477769544302060", 
-		"8760312338504300643", "8799118153397725683", "8873858923435176895", "8994091295115840290", "9007106680104765185", "9061219083560670602", "9149947745824492274", "917638920165491138", "9234894663364701749", 
-		"9333057603143916814", "9384605490088500348", "9531326785919727076", "9555688264681862794", "9559632696372799208", "9903758755917170407" 
-		]
-
-}
-
-/* 
- * Holds if the literal is one that matches a literal found in Solorigate code.
- * 
- * NOTE: Some of the values have been commented out as they are commonly found elsewhere.  
- */
-predicate isSolorigateHash(Literal l){
-	l.getValue() = solorigateSuspiciousHashes()
-}
-
-/* 
- * Returns the total number of Solorigate-related literales found in the project 
- */
-int countSolorigateSuspiciousHash(){
-	result =  count(string s | exists( Literal l | s = l.getValue() and s = solorigateSuspiciousHashes()))
+  result =
+    [
+      "10063651499895178962", "10235971842993272939", "10296494671777307979",
+      "10336842116636872171", "10374841591685794123", "10393903804869831898",
+      "10463926208560207521", "10484659978517092504", "10501212300031893463",
+      "10545868833523019926", "10657751674541025650", "106672141413120087", "10734127004244879770",
+      "10829648878147112121", "1099511628211", "11073283311104541690", "1109067043404435916",
+      "11109294216876344399", "11266044540366291518", "11385275378891906608",
+      "11771945869106552231", "11801746708619571308", "11818825521849580123",
+      "11913842725949116895", "12027963942392743532", "12094027092655598256",
+      "12343334044036541897", "12445177985737237804", "12445232961318634374",
+      "12574535824074203265", "12679195163651834776", "12709986806548166638",
+      "12718416789200275332", "12785322942775634499", "12790084614253405985",
+      "12969190449276002545", "13014156621614176974", "13029357933491444455",
+      "13135068273077306806", "13260224381505715848", "13316211011159594063",
+      "13464308873961738403", "13544031715334011032", "13581776705111912829",
+      "13599785766252827703", "13611051401579634621", "13611814135072561278",
+      "13655261125244647696", "1367627386496056834", "1368907909245890092", "13693525876560827283",
+      "13783346438774742614", "13799353263187722717", "13825071784440082496",
+      "13852439084267373191", "13876356431472225791", "14055243717250701608",
+      "14079676299181301772", "14095938998438966337", "14111374107076822891",
+      "14193859431895170587", "14226582801651130532", "14243671177281069512",
+      "14256853800858727521", "14480775929210717493", "14482658293117931546",
+      "14513577387099045298", "14630721578341374856", "14695981039346656037",
+      "14710585101020280896", "1475579823244607677", "14868920869169964081", "14968320160131875803",
+      "14971809093655817917", "15039834196857999838", "15092207615430402812",
+      "15114163911481793350", "15194901817027173566", "15267980678929160412",
+      "15457732070353984570", "15514036435533858158", "15535773470978271326",
+      "15587050164583443069", "155978580751494388", "15695338751700748390", "15997665423159927228",
+      "16066522799090129502", "16066651430762394116", "16112751343173365533",
+      "16130138450758310172", "1614465773938842903", "16292685861617888592", "16335643316870329598",
+      "16423314183614230717", "16570804352575357627", "1682585410644922036", "16858955978146406642",
+      "16990567851129491937", "17017923349298346219", "17097380490166623672",
+      "17109238199226571972", "17204844226884380288", "17291806236368054941",
+      "17351543633914244545", "17439059603042731363", "17574002783607647274",
+      "17624147599670377042", "17633734304611248415", "17683972236092287897",
+      "17849680105131524334", "17939405613729073960", "17956969551821596225",
+      "17978774977754553159", "17984632978012874803", "17997967489723066537",
+      "18147627057830191163", "18150909006539876521", "18159703063075866524",
+      "18246404330670877335", "18294908219222222902", "18392881921099771407",
+      "18446744073709551613", "191060519014405309", "2032008861530788751", "2128122064571842954",
+      "2147483647", "2147745794", "2380224015317016190", "2478231962306073784",
+      "2532538262737333146", "2589926981877829912", "2597124982561782591", "2600364143812063535",
+      "2717025511528702475", "2734787258623754862", "27407921587843457", "2760663353550280147",
+      "2797129108883749491", "2810460305047003196", "292198192373389586", "2934149816356927366",
+      "3045986759481489935", "3178468437029279937", "3200333496547938354", "3320026265773918739",
+      "3320767229281015341", "3341747963119755850", "3407972863931386250", "3413052607651207697",
+      "3413886037471417852", "3421197789791424393", "3421213182954201407", "3425260965299690882",
+      "3538022140597504361", "3575761800716667678", "3588624367609827560", "3626142665768487764",
+      "3642525650883269872", "3656637464651387014", "3660705254426876796", "3769837838875367802",
+      "3778500091710709090", "3796405623695665524", "3869935012404164040", "3890769468012566366",
+      "3890794756780010537", "397780960855462669", "4030236413975199654", "4088976323439621041",
+      "4454255944391929578", "4501656691368064027", "4578480846255629462", "4821863173800309721",
+      "4931721628717906635", "506634811745884560", "5132256620104998637", "5183687599225757871",
+      "521157249538507889", "5219431737322569038", "541172992193764396", "5415426428750045503",
+      "5449730069165757263", "5587557070429522647", "5614586596107908838", "576626207276463000",
+      "5942282052525294911", "5945487981219695001", "5984963105389676759", "607197993339007484",
+      "6088115528707848728", "6116246686670134098", "6180361713414290679", "6195833633417633900",
+      "6274014997237900919", "640589622539783622", "6461429591783621719", "6491986958834001955",
+      "6508141243778577344", "6605813339339102567", "682250828679635420", "6827032273910657891",
+      "6943102301517884811", "700598796416086955", "7080175711202577138", "7175363135479931834",
+      "7315838824213522000", "7412338704062093516", "7516148236133302073", "7574774749059321801",
+      "7701683279824397773", "7775177810774851294", "7810436520414958497", "7878537243757499832",
+      "79089792725215063", "7982848972385914508", "8052533790968282297", "8129411991672431889",
+      "8146185202538899243", "835151375515278827", "8381292265993977266", "8408095252303317471",
+      "8473756179280619170", "8478833628889826985", "8612208440357175863", "8697424601205169055",
+      "8698326794961817906", "8709004393777297355", "8727477769544302060", "8760312338504300643",
+      "8799118153397725683", "8873858923435176895", "8994091295115840290", "9007106680104765185",
+      "9061219083560670602", "9149947745824492274", "917638920165491138", "9234894663364701749",
+      "9333057603143916814", "9384605490088500348", "9531326785919727076", "9555688264681862794",
+      "9559632696372799208", "9903758755917170407"
+    ]
 }
 
 /*
- * Returns a list of Literals used by Solorigate 
- * 
- * This data was extracted from https://github.com/ITAYC0HEN/SUNBURST-Cracked/tree/a01f358965525bee34ad026acd9dfda3d488fdd8 
+ * Holds if the literal is one that matches a literal found in Solorigate code.
+ *
+ * NOTE: Some of the values have been commented out as they are commonly found elsewhere.
+ */
+
+predicate isSolorigateHash(Literal l) { l.getValue() = solorigateSuspiciousHashes() }
+
+/*
+ * Returns the total number of Solorigate-related literales found in the project
+ */
+
+int countSolorigateSuspiciousHash() {
+  result =
+    count(string s | exists(Literal l | s = l.getValue() and s = solorigateSuspiciousHashes()))
+}
+
+/*
+ * Returns a list of Literals used by Solorigate
+ *
+ * This data was extracted from https://github.com/ITAYC0HEN/SUNBURST-Cracked/tree/a01f358965525bee34ad026acd9dfda3d488fdd8
  * and https://github.com/fireeye/sunburst_countermeasures/blob/main/fnv1a_xor_hashes.txt
  */
+
 private string solorigateSuspiciousLiterals() {
-	result = 	[   "(?i)([^a-z]|^)(test)([^a-z]|$)", "(?i)(solarwinds)", "[{0,5}] {1,-16} {2}\t{3,5} {4}\\{5}\n", "[{0,5}] {1}\n", "[E] {0} {1} {2}",
-		"\"\\{[0-9a-f-]{36}\\}\"|\"[0-9a-f]{32}\"|\"[0-9a-f]{16}\"", ".CortexPlugin", ".Orion", "\"EventName\":\"EventManager\",", "\"EventType\":\"Orion\",",
-		"\\OrionImprovement\\SolarWinds.OrionImprovement.exe", "0123456789abcdefghijklmnopqrstuvwxyz-_.", 
-		"\"sessionId\":\"{0}\",", "\"steps\":[", "\"Succeeded\":true,", "\"Timestamp\":\"\\/Date({0})\\/\",", "\"userId\":\"{0}\",", "{0} {1} HTTP/{2}\n", 
-		"10140", "144.86.226.0",  "154.118.140.0",  "172.16.0.0",  "18.130.0.0",  "184.72.0.0",  "192.168.0.0", "199.201.117.0", "20.140.0.0", "20100", "20220",  "217.163.7.0", "224.0.0.0", 
-		"240.0.0.0",  "255.240.0.0", "255.254.0.0",	"255.255.248.0",  "3.0.0.382", "41.84.159.0", "43140", "4320", "43260", "524287",  "583da945-62af-10e8-4902-a8f205c72b2e", "65280", 
-		"71.152.53.0", "74.114.24.0",  "8.18.144.0",  "87.238.80.0",  "96.31.172.0", "983040", "99.79.0.0", 
-		"Administrator", "advapi32.dll", "Apollo", "appsync-api", "avsvmcloud.com", "api.solarwinds.com", "-root", "-cert", "-universal_ca", "-ca", "-primary_ca", "-timestamp", "-global", "-secureca",  "CloudMonitoring", 
-		"MACAddress", "DHCPEnabled", "DHCPServer", "DNSHostName", "DNSDomainSuffixSearchOrder", "DNSServerSearchOrder", "IPAddress", "IPSubnet", "DefaultIPGateway", "OSArchitecture", "InstallDate", "Organization", "RegisteredUser", 
-		"fc00::", "fe00::", "fec0::",  "ffc0::", "ff00::", 
-		"HKCC", "HKCR", "HKCU", "HKDD", "HKEY_CLASSES_ROOT", "HKEY_CURRENT_CONFIG", "HKEY_CURRENT_USER", "HKEY_DYN_DATA", "HKEY_LOCAL_MACHINE", "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Cryptography",
-		"HKEY_PERFOMANCE_DATA", "HKEY_USERS", "HKLM", "HKPD", "HKU", "If-None-Match", "Microsoft-CryptoAPI/", "Nodes", "Volumes", "Interfaces", "Components",
-		"opensans", "Organization", "OSArchitecture", "ParentProcessID", "PathName", "ReportWatcherPostpone", "ReportWatcherRetry", "S-1-5-", "SeRestorePrivilege", "SeShutdownPrivilege", "SeTakeOwnershipPrivilege", 
-		"SolarWinds", "SolarWindsOrionImprovementClient/", "SourceCodePro", "SourceHanSans", "SourceHanSerif", "SourceSerifPro", "Start", "swip/Events", "swip/upd/", "swip/Upload.ashx", "SYSTEM", 
-		"SYSTEM\\CurrentControlSet\\services", "us-east-1", "us-east-2", "us-west-2", 
-		"fonts/woff/{0}-{1}-{2}{3}.woff2", "fonts/woff/{0}-{1}-{2}-webfont{3}.woff2", "ph2eifo3n5utg1j8d94qrvbmk0sal76c", "pki/crl/{0}{1}{2}.crl", "rq3gsalt6u1iyfzop572d49bnx8cvmkewhj", 
-		"Select * From Win32_NetworkAdapterConfiguration where IPEnabled=true", "Select * From Win32_OperatingSystem", "Select * From Win32_Process", "Select * From Win32_SystemDriver", "Select * From Win32_UserAccount"]
-
-}
-
-/* 
- * Holds if the literal is one that matches a literal found in Solorigate code.
- * 
- * NOTE: Some of the values have been commented out as they are commonly found elsewhere.  
- */
-predicate isSolorigateLiteral(Literal l){
-	l.getValue() = solorigateSuspiciousLiterals()
-}
-
-/* 
- * Returns the total number of Solorigate-related literales found in the project 
- */
-int countSolorigateSuspiciousLiterals(){
-	result =  count(string s | exists( Literal l | s = l.getValue() and s = solorigateSuspiciousLiterals()))
+  result =
+    [
+      "(?i)([^a-z]|^)(test)([^a-z]|$)", "(?i)(solarwinds)", "[{0,5}] {1,-16} {2}\t{3,5} {4}\\{5}\n",
+      "[{0,5}] {1}\n", "[E] {0} {1} {2}",
+      "\"\\{[0-9a-f-]{36}\\}\"|\"[0-9a-f]{32}\"|\"[0-9a-f]{16}\"", ".CortexPlugin", ".Orion",
+      "\"EventName\":\"EventManager\",", "\"EventType\":\"Orion\",",
+      "\\OrionImprovement\\SolarWinds.OrionImprovement.exe",
+      "0123456789abcdefghijklmnopqrstuvwxyz-_.", "\"sessionId\":\"{0}\",", "\"steps\":[",
+      "\"Succeeded\":true,", "\"Timestamp\":\"\\/Date({0})\\/\",", "\"userId\":\"{0}\",",
+      "{0} {1} HTTP/{2}\n", "10140", "144.86.226.0", "154.118.140.0", "172.16.0.0", "18.130.0.0",
+      "184.72.0.0", "192.168.0.0", "199.201.117.0", "20.140.0.0", "20100", "20220", "217.163.7.0",
+      "224.0.0.0", "240.0.0.0", "255.240.0.0", "255.254.0.0", "255.255.248.0", "3.0.0.382",
+      "41.84.159.0", "43140", "4320", "43260", "524287", "583da945-62af-10e8-4902-a8f205c72b2e",
+      "65280", "71.152.53.0", "74.114.24.0", "8.18.144.0", "87.238.80.0", "96.31.172.0", "983040",
+      "99.79.0.0", "Administrator", "advapi32.dll", "Apollo", "appsync-api", "avsvmcloud.com",
+      "api.solarwinds.com", "-root", "-cert", "-universal_ca", "-ca", "-primary_ca", "-timestamp",
+      "-global", "-secureca", "CloudMonitoring", "MACAddress", "DHCPEnabled", "DHCPServer",
+      "DNSHostName", "DNSDomainSuffixSearchOrder", "DNSServerSearchOrder", "IPAddress", "IPSubnet",
+      "DefaultIPGateway", "OSArchitecture", "InstallDate", "Organization", "RegisteredUser",
+      "fc00::", "fe00::", "fec0::", "ffc0::", "ff00::", "HKCC", "HKCR", "HKCU", "HKDD",
+      "HKEY_CLASSES_ROOT", "HKEY_CURRENT_CONFIG", "HKEY_CURRENT_USER", "HKEY_DYN_DATA",
+      "HKEY_LOCAL_MACHINE", "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Cryptography",
+      "HKEY_PERFOMANCE_DATA", "HKEY_USERS", "HKLM", "HKPD", "HKU", "If-None-Match",
+      "Microsoft-CryptoAPI/", "Nodes", "Volumes", "Interfaces", "Components", "opensans",
+      "Organization", "OSArchitecture", "ParentProcessID", "PathName", "ReportWatcherPostpone",
+      "ReportWatcherRetry", "S-1-5-", "SeRestorePrivilege", "SeShutdownPrivilege",
+      "SeTakeOwnershipPrivilege", "SolarWinds", "SolarWindsOrionImprovementClient/",
+      "SourceCodePro", "SourceHanSans", "SourceHanSerif", "SourceSerifPro", "Start", "swip/Events",
+      "swip/upd/", "swip/Upload.ashx", "SYSTEM", "SYSTEM\\CurrentControlSet\\services", "us-east-1",
+      "us-east-2", "us-west-2", "fonts/woff/{0}-{1}-{2}{3}.woff2",
+      "fonts/woff/{0}-{1}-{2}-webfont{3}.woff2", "ph2eifo3n5utg1j8d94qrvbmk0sal76c",
+      "pki/crl/{0}{1}{2}.crl", "rq3gsalt6u1iyfzop572d49bnx8cvmkewhj",
+      "Select * From Win32_NetworkAdapterConfiguration where IPEnabled=true",
+      "Select * From Win32_OperatingSystem", "Select * From Win32_Process",
+      "Select * From Win32_SystemDriver", "Select * From Win32_UserAccount"
+    ]
 }
 
 /*
- * Returns a list of method names used by Solorigate 
- * 
- * This data was extracted from https://github.com/ITAYC0HEN/SUNBURST-Cracked/tree/a01f358965525bee34ad026acd9dfda3d488fdd8 
+ * Holds if the literal is one that matches a literal found in Solorigate code.
+ *
+ * NOTE: Some of the values have been commented out as they are commonly found elsewhere.
  */
+
+predicate isSolorigateLiteral(Literal l) { l.getValue() = solorigateSuspiciousLiterals() }
+
+/*
+ * Returns the total number of Solorigate-related literales found in the project
+ */
+
+int countSolorigateSuspiciousLiterals() {
+  result =
+    count(string s | exists(Literal l | s = l.getValue() and s = solorigateSuspiciousLiterals()))
+}
+
+/*
+ * Returns a list of method names used by Solorigate
+ *
+ * This data was extracted from https://github.com/ITAYC0HEN/SUNBURST-Cracked/tree/a01f358965525bee34ad026acd9dfda3d488fdd8
+ */
+
 private string solorigateSuspiciousMethodNames() {
-	result = [ "Abort", "AddFileExecutionEngine", "AddRegistryExecutionEngine", "AdjustTokenPrivileges", "Base64Decode", "Base64Encode", "ByteArrayToHexString", "CheckServerConnection", "Close", "CloseHandle", "CollectSystemDescription", 
-		"Compress", "CreateSecureString", "CreateString", "CreateUploadRequest", "CreateUploadRequestImpl", "Decompress", "DecryptShort", "Deflate", "DelayMin", "DelayMs", "DeleteFile", "DeleteRegistryValue", "DeleteValue", 
-		"ExecuteEngine", "FileExists", "GetAddresses", "GetAddressFamily", "GetArgumentIndex", "GetBaseUri", "GetBaseUriImpl", "GetCache", "GetCurrentProcess", "GetCurrentString", "GetDescriptionId", "GetFileHash", "GetFileSystemEntries", 
-		"GetHash", "GetHive", "GetIntArray", "GetIPHostEntry", "GetManagementObjectProperty", "GetNetworkAdapterConfiguration", "GetNewOwnerName", "GetNextString", "GetNextStringEx", "GetOrCreateUserID", "GetOrionImprovementCustomerId", 
-		"GetOSVersion", "GetPreviousString", "GetProcessByDescription", "GetRegistrySubKeyAndValueNames", "GetStatus", "GetStringHash", "GetSubKeyAndValueNames", "GetUserAgent", "GetValue", "GetWebProxy", "HexStringToByteArray", "Inflate", 
-		"Initialize", "InitiateSystemShutdownExW", "IsNullOrInvalidName", "IsSynchronized", "KillTask", "LookupPrivilegeValueW", "OpenProcessToken", "ParseServiceResponse", "Quote", "ReadConfig", "ReadDeviceInfo", "ReadRegistryValue", 
-		"ReadReportStatus", "ReadServiceStatus", "RebootComputer", "RunTask", "SearchAssemblies", "SearchConfigurations", "SearchServices", "SetAutomaticMode", "SetKeyOwner", "SetKeyOwnerWithPrivileges", "SetKeyPermissions", "SetManualMode", 
-		"SetProcessPrivilege", "SetRegistryValue", "SetTime", "SetValue", "SplitString", "ToString", "TrackEvent", "TrackProcesses", "Unquote", "Unzip", "Update", "UpdateBuffer", "UpdateNotification", "UploadSystemDescription", "Valid", 
-		"WriteConfig", "WriteFile", "WriteReportStatus", "WriteServiceStatus", "Zip"]
+  result =
+    [
+      "Abort", "AddFileExecutionEngine", "AddRegistryExecutionEngine", "AdjustTokenPrivileges",
+      "Base64Decode", "Base64Encode", "ByteArrayToHexString", "CheckServerConnection", "Close",
+      "CloseHandle", "CollectSystemDescription", "Compress", "CreateSecureString", "CreateString",
+      "CreateUploadRequest", "CreateUploadRequestImpl", "Decompress", "DecryptShort", "Deflate",
+      "DelayMin", "DelayMs", "DeleteFile", "DeleteRegistryValue", "DeleteValue", "ExecuteEngine",
+      "FileExists", "GetAddresses", "GetAddressFamily", "GetArgumentIndex", "GetBaseUri",
+      "GetBaseUriImpl", "GetCache", "GetCurrentProcess", "GetCurrentString", "GetDescriptionId",
+      "GetFileHash", "GetFileSystemEntries", "GetHash", "GetHive", "GetIntArray", "GetIPHostEntry",
+      "GetManagementObjectProperty", "GetNetworkAdapterConfiguration", "GetNewOwnerName",
+      "GetNextString", "GetNextStringEx", "GetOrCreateUserID", "GetOrionImprovementCustomerId",
+      "GetOSVersion", "GetPreviousString", "GetProcessByDescription",
+      "GetRegistrySubKeyAndValueNames", "GetStatus", "GetStringHash", "GetSubKeyAndValueNames",
+      "GetUserAgent", "GetValue", "GetWebProxy", "HexStringToByteArray", "Inflate", "Initialize",
+      "InitiateSystemShutdownExW", "IsNullOrInvalidName", "IsSynchronized", "KillTask",
+      "LookupPrivilegeValueW", "OpenProcessToken", "ParseServiceResponse", "Quote", "ReadConfig",
+      "ReadDeviceInfo", "ReadRegistryValue", "ReadReportStatus", "ReadServiceStatus",
+      "RebootComputer", "RunTask", "SearchAssemblies", "SearchConfigurations", "SearchServices",
+      "SetAutomaticMode", "SetKeyOwner", "SetKeyOwnerWithPrivileges", "SetKeyPermissions",
+      "SetManualMode", "SetProcessPrivilege", "SetRegistryValue", "SetTime", "SetValue",
+      "SplitString", "ToString", "TrackEvent", "TrackProcesses", "Unquote", "Unzip", "Update",
+      "UpdateBuffer", "UpdateNotification", "UploadSystemDescription", "Valid", "WriteConfig",
+      "WriteFile", "WriteReportStatus", "WriteServiceStatus", "Zip"
+    ]
 }
 
-/* 
+/*
  * Holds if the method is one that matches a method found in Solorigate code.
- * 
- * NOTE: Pretty much all of these method names are common.   
+ *
+ * NOTE: Pretty much all of these method names are common.
  */
+
 predicate isSolorigateSuspiciousMethodName(Method m) {
-	m.fromSource() and
-	(
-		m.getName() = solorigateSuspiciousMethodNames()
-			
-	)
+  m.fromSource() and
+  m.getName() = solorigateSuspiciousMethodNames()
 }
 
-/* 
- * Returns the total number of Solorigate-related method names found in the project 
+/*
+ * Returns the total number of Solorigate-related method names found in the project
  */
-int countSolorigateSuspiciousMethodNames(){
-	result =  count(string s | exists(Method m | s=m.getName() and s = solorigateSuspiciousMethodNames()))
+
+int countSolorigateSuspiciousMethodNames() {
+  result =
+    count(string s | exists(Method m | s = m.getName() and s = solorigateSuspiciousMethodNames()))
 }
 
-
-/* 
+/*
  * Returns the total number of Solorigate-related commands in the given enum
- * 
+ *
  * This command list is described at https://www.fireeye.com/blog/products-and-services/2020/12/global-intrusion-campaign-leverages-software-supply-chain-compromise.html
- * and the enum names are based from https://github.com/ITAYC0HEN/SUNBURST-Cracked/tree/a01f358965525bee34ad026acd9dfda3d488fdd8 
+ * and the enum names are based from https://github.com/ITAYC0HEN/SUNBURST-Cracked/tree/a01f358965525bee34ad026acd9dfda3d488fdd8
  */
+
 int countSolorigateCommandInEnum(Enum e) {
-	result = count(string s, EnumConstant ec | 
-		e.getAnEnumConstant() = ec and
-		s = ec.getName() and 
-		s in [ "Idle", "Exit", "SetTime", "CollectSystemDescription", "UploadSystemDescription", "RunTask", "GetProcessByDescription", "KillTask", 
-			"GetFileSystemEntries", "WriteFile", "FileExists", "DeleteFile", "GetFileHash", "ReadRegistryValue", "SetRegistryValue", 
-			"DeleteRegistryValue", "GetRegistrySubKeyAndValueNames", "Reboot", "None" ] )
+  result =
+    count(string s, EnumConstant ec |
+      e.getAnEnumConstant() = ec and
+      s = ec.getName() and
+      s in [
+          "Idle", "Exit", "SetTime", "CollectSystemDescription", "UploadSystemDescription",
+          "RunTask", "GetProcessByDescription", "KillTask", "GetFileSystemEntries", "WriteFile",
+          "FileExists", "DeleteFile", "GetFileHash", "ReadRegistryValue", "SetRegistryValue",
+          "DeleteRegistryValue", "GetRegistrySubKeyAndValueNames", "Reboot", "None"
+        ]
+    )
 }
diff --git a/csharp/ql/src/microsoft/code/csharp/Cryptography/NonCryptographicHashes.qll b/csharp/ql/src/microsoft/code/csharp/Cryptography/NonCryptographicHashes.qll
index 4f611bac84b..ea4368af7f6 100644
--- a/csharp/ql/src/microsoft/code/csharp/Cryptography/NonCryptographicHashes.qll
+++ b/csharp/ql/src/microsoft/code/csharp/Cryptography/NonCryptographicHashes.qll
@@ -1,6 +1,6 @@
-/* *
+/*
  * Predicates that help detect potential non-cryptographic hash functions
- * 
+ *
  * By themselves, non-cryptographic functions are common and not dangerous
  * These predicates are intended for helping detect non-cryptographic hashes that may be used
  * in a context that is not appropriate, or for detecting modified hash functions
@@ -10,99 +10,98 @@ import csharp
 private import DataFlow
 private import semmle.code.csharp.dataflow.TaintTracking2
 
-predicate maybeANonCryptogrphicHash( Callable callable, Variable v, Expr xor, Expr mul, LoopStmt loop ) {
-	callable = loop.getEnclosingCallable() and
-	(
-	  maybeUsedInFNVFunction( v, xor, mul, loop) or
-	  maybeUsedInElfHashFunction( v, xor, mul, loop)
-	)
+predicate maybeANonCryptogrphicHash(Callable callable, Variable v, Expr xor, Expr mul, LoopStmt loop) {
+  callable = loop.getEnclosingCallable() and
+  (
+    maybeUsedInFNVFunction(v, xor, mul, loop) or
+    maybeUsedInElfHashFunction(v, xor, mul, loop)
+  )
 }
 
-/** 
+/**
  * Holds if the arguments are used in a way that resembles a FNV hash function
  * where there is a loop statement `loop` where the variable `v` is used in an xor `xor` expression
  * followed by a multiplication `mul` expression.
  */
-predicate maybeUsedInFNVFunction( Variable v, Expr xor, Expr mul, LoopStmt loop) {
-	exists( Expr e1, Expr e2  | 
-		exists( Operation axore, Operation amule | 
-			xor = axore and mul = amule |
-			e1.getAChild*() = v.getAnAccess() and
-			e2.getAChild*() = v.getAnAccess() and
-			e1 = axore.getAnOperand() and
-			e2 = amule.getAnOperand() and
-			axore.getAControlFlowNode().getASuccessor*() = amule.getAControlFlowNode() and
-			(axore instanceof AssignXorExpr or axore instanceof BitwiseXorExpr) and
-			(amule instanceof AssignMulExpr or amule instanceof MulExpr)
-		) 
-  )
-  and loop.getAChild*() = mul.getEnclosingStmt()
-  and loop.getAChild*() = xor.getEnclosingStmt()
+predicate maybeUsedInFNVFunction(Variable v, Expr xor, Expr mul, LoopStmt loop) {
+  exists(Expr e1, Expr e2 |
+    exists(Operation axore, Operation amule | xor = axore and mul = amule |
+      e1.getAChild*() = v.getAnAccess() and
+      e2.getAChild*() = v.getAnAccess() and
+      e1 = axore.getAnOperand() and
+      e2 = amule.getAnOperand() and
+      axore.getAControlFlowNode().getASuccessor*() = amule.getAControlFlowNode() and
+      (axore instanceof AssignXorExpr or axore instanceof BitwiseXorExpr) and
+      (amule instanceof AssignMulExpr or amule instanceof MulExpr)
+    )
+  ) and
+  loop.getAChild*() = mul.getEnclosingStmt() and
+  loop.getAChild*() = xor.getEnclosingStmt()
 }
 
-/** 
+/**
  * Holds if the arguments are used in a way that resembles an Elf-Hash hash function
  * where there is a loop statement `loop` where the variable `v` is used in an xor `xor` expression
  * followed by an addition `add` expression.
  */
 predicate maybeUsedInElfHashFunction(Variable v, Expr xorExpr, Expr addExpr, LoopStmt loop) {
-	exists( Expr e1, Operation add, Expr e2, AssignExpr addAssign, Operation xor, AssignExpr xorAssign, Operation notOp, AssignExpr notAssign |
-		xorExpr = xor and
-		addExpr = add and
-		( add instanceof AddExpr or add instanceof AssignAddExpr ) and
-  	    e1.getAChild*() = add.getAnOperand() and
-  		e1 instanceof BinaryBitwiseOperation and
- 		e2 = e1.(BinaryBitwiseOperation).getLeftOperand() and
- 		v = addAssign.getTargetVariable() and
- 		addAssign.getAChild*() = add and
- 		( xor instanceof BitwiseXorExpr or xor instanceof AssignXorExpr ) and
-		addAssign.getAControlFlowNode().getASuccessor*() = xor.getAControlFlowNode() and
-		xorAssign.getAChild*() = xor and
-		v = xorAssign.getTargetVariable() and
-		(notOp instanceof UnaryBitwiseOperation or notOp instanceof AssignBitwiseOperation ) and
-		xor.getAControlFlowNode().getASuccessor*() = notOp.getAControlFlowNode() and
-		notAssign.getAChild*() = notOp and
-		v = notAssign.getTargetVariable() and 
-		loop.getAChild*() = add.getEnclosingStmt() and
-  	    loop.getAChild*() = xor.getEnclosingStmt()
-	)
+  exists(
+    Expr e1, Operation add, Expr e2, AssignExpr addAssign, Operation xor, AssignExpr xorAssign,
+    Operation notOp, AssignExpr notAssign
+  |
+    xorExpr = xor and
+    addExpr = add and
+    (add instanceof AddExpr or add instanceof AssignAddExpr) and
+    e1.getAChild*() = add.getAnOperand() and
+    e1 instanceof BinaryBitwiseOperation and
+    e2 = e1.(BinaryBitwiseOperation).getLeftOperand() and
+    v = addAssign.getTargetVariable() and
+    addAssign.getAChild*() = add and
+    (xor instanceof BitwiseXorExpr or xor instanceof AssignXorExpr) and
+    addAssign.getAControlFlowNode().getASuccessor*() = xor.getAControlFlowNode() and
+    xorAssign.getAChild*() = xor and
+    v = xorAssign.getTargetVariable() and
+    (notOp instanceof UnaryBitwiseOperation or notOp instanceof AssignBitwiseOperation) and
+    xor.getAControlFlowNode().getASuccessor*() = notOp.getAControlFlowNode() and
+    notAssign.getAChild*() = notOp and
+    v = notAssign.getTargetVariable() and
+    loop.getAChild*() = add.getEnclosingStmt() and
+    loop.getAChild*() = xor.getEnclosingStmt()
+  )
 }
 
 /**
  * Any dataflow from any source to any sink, used internally
  */
 private class AnyDataFlow extends TaintTracking2::Configuration {
-  AnyDataFlow() {
-    this = "DataFlowFromDataGatheringMethodToVariable"
-  }
+  AnyDataFlow() { this = "DataFlowFromDataGatheringMethodToVariable" }
 
-  override predicate isSource(Node source) {
-    any()
-  }
+  override predicate isSource(Node source) { any() }
 
-  override predicate isSink(Node sink)
-  {
-    any()
-  }
+  override predicate isSink(Node sink) { any() }
 }
 
-/** 
+/**
  * Holds if the Callable is a function that behaves like a non-cryptographic hash
  * where the parameter `param` is likely the message to hash
  */
-predicate isCallableAPotentialNonCryptographicHashFunction( Callable callable, Parameter param) {
-	exists( Variable v, Expr op1, Expr op2, LoopStmt loop |
-	  maybeANonCryptogrphicHash(callable, v, op1, op2, loop)
-	  and callable.getAParameter() = param
-	  and ( 
-	    param.getAnAccess() = op1.(Operation).getAnOperand().getAChild*() or
-	    param.getAnAccess() = op2.(Operation).getAnOperand().getAChild*() or
-	    exists( AnyDataFlow config, Node source, Node sink |
-	  	  ( sink.asExpr() = op1.(Operation).getAChild*() or
-	  	    sink.asExpr() = op2.(Operation).getAChild*()) and
-	  	  source.asExpr() = param.getAnAccess() and
-	      config.hasFlow(source, sink)
-	    )
-	  )
-	)
+predicate isCallableAPotentialNonCryptographicHashFunction(Callable callable, Parameter param) {
+  exists(Variable v, Expr op1, Expr op2, LoopStmt loop |
+    maybeANonCryptogrphicHash(callable, v, op1, op2, loop) and
+    callable.getAParameter() = param and
+    (
+      param.getAnAccess() = op1.(Operation).getAnOperand().getAChild*()
+      or
+      param.getAnAccess() = op2.(Operation).getAnOperand().getAChild*()
+      or
+      exists(AnyDataFlow config, Node source, Node sink |
+        (
+          sink.asExpr() = op1.(Operation).getAChild*() or
+          sink.asExpr() = op2.(Operation).getAChild*()
+        ) and
+        source.asExpr() = param.getAnAccess() and
+        config.hasFlow(source, sink)
+      )
+    )
+  )
 }

From 3be229f097d1d41bf4154a09ecaecc48da4b80f7 Mon Sep 17 00:00:00 2001
From: Tamas Vajk <tamasvajk@github.com>
Date: Tue, 19 Jan 2021 11:09:30 +0100
Subject: [PATCH 105/429] C#: Separate visitors to dedicated files, rename and
 reorganize comment extraction related classes

---
 .../Semmle.Extraction.CSharp/Analyser.cs      |   4 +-
 .../Entities/CommentLine.cs                   |  93 +------------
 .../Populators/Comments.cs                    |  33 -----
 .../Populators/CompilationUnitVisitor.cs      |  51 +++++++
 .../Populators/TriviaPopulator.cs             | 127 ++++++++++++++++++
 ...ilationUnit.cs => TypeContainerVisitor.cs} |  68 ----------
 .../Populators/TypeOrNamespaceVisitor.cs      |  24 ++++
 7 files changed, 205 insertions(+), 195 deletions(-)
 delete mode 100644 csharp/extractor/Semmle.Extraction.CSharp/Populators/Comments.cs
 create mode 100644 csharp/extractor/Semmle.Extraction.CSharp/Populators/CompilationUnitVisitor.cs
 create mode 100644 csharp/extractor/Semmle.Extraction.CSharp/Populators/TriviaPopulator.cs
 rename csharp/extractor/Semmle.Extraction.CSharp/Populators/{CompilationUnit.cs => TypeContainerVisitor.cs} (56%)
 create mode 100644 csharp/extractor/Semmle.Extraction.CSharp/Populators/TypeOrNamespaceVisitor.cs

diff --git a/csharp/extractor/Semmle.Extraction.CSharp/Analyser.cs b/csharp/extractor/Semmle.Extraction.CSharp/Analyser.cs
index 1222403515f..b4076956c4f 100644
--- a/csharp/extractor/Semmle.Extraction.CSharp/Analyser.cs
+++ b/csharp/extractor/Semmle.Extraction.CSharp/Analyser.cs
@@ -374,9 +374,9 @@ namespace Semmle.Extraction.CSharp
                     if (!upToDate)
                     {
                         var cx = extractor.CreateContext(compilation.Clone(), trapWriter, new SourceScope(tree), AddAssemblyTrapPrefix);
-                        Populators.CompilationUnit.Extract(cx, tree.GetRoot());
+                        CompilationUnitVisitor.Extract(cx, tree.GetRoot());
                         cx.PopulateAll();
-                        cx.ExtractComments(cx.CommentGenerator);
+                        TriviaPopulator.ExtractCommentBlocks(cx, cx.CommentGenerator);
                         cx.PopulateAll();
                     }
                 }
diff --git a/csharp/extractor/Semmle.Extraction.CSharp/Entities/CommentLine.cs b/csharp/extractor/Semmle.Extraction.CSharp/Entities/CommentLine.cs
index ba1770f20e5..f6348211695 100644
--- a/csharp/extractor/Semmle.Extraction.CSharp/Entities/CommentLine.cs
+++ b/csharp/extractor/Semmle.Extraction.CSharp/Entities/CommentLine.cs
@@ -21,97 +21,6 @@ namespace Semmle.Extraction.CSharp.Entities
         public string Text { get { return symbol.Item2; } }
         public string RawText { get; private set; }
 
-        public static void Extract(Context cx, SyntaxTrivia trivia)
-        {
-            switch (trivia.Kind())
-            {
-                case SyntaxKind.SingleLineDocumentationCommentTrivia:
-                    /*
-                        This is actually a multi-line comment consisting of /// lines.
-                        So split it up.
-                    */
-
-                    var text = trivia.ToFullString();
-
-                    var split = text.Split('\n');
-                    var currentLocation = trivia.GetLocation().SourceSpan.Start - 3;
-
-                    for (var line = 0; line < split.Length - 1; ++line)
-                    {
-                        var fullLine = split[line];
-                        var nextLineLocation = currentLocation + fullLine.Length + 1;
-                        fullLine = fullLine.TrimEnd('\r');
-                        var trimmedLine = fullLine;
-
-                        var leadingSpaces = trimmedLine.IndexOf('/');
-                        if (leadingSpaces != -1)
-                        {
-                            fullLine = fullLine.Substring(leadingSpaces);
-                            currentLocation += leadingSpaces;
-                            trimmedLine = trimmedLine.Substring(leadingSpaces + 3); // Remove leading spaces and the "///"
-                            trimmedLine = trimmedLine.Trim();
-
-                            var span = Microsoft.CodeAnalysis.Text.TextSpan.FromBounds(currentLocation, currentLocation + fullLine.Length);
-                            var location = Microsoft.CodeAnalysis.Location.Create(trivia.SyntaxTree, span);
-                            var commentType = CommentLineType.XmlDoc;
-                            cx.CommentGenerator.AddComment(Create(cx, location, commentType, trimmedLine, fullLine));
-                        }
-                        else
-                        {
-                            cx.ModelError("Unexpected comment format");
-                        }
-                        currentLocation = nextLineLocation;
-                    }
-                    break;
-
-                case SyntaxKind.SingleLineCommentTrivia:
-                    {
-                        var contents = trivia.ToString().Substring(2);
-                        var commentType = CommentLineType.Singleline;
-                        if (contents.Length > 0 && contents[0] == '/')
-                        {
-                            commentType = CommentLineType.XmlDoc;
-                            contents = contents.Substring(1);       // An XML comment.
-                        }
-                        cx.CommentGenerator.AddComment(Create(cx, trivia.GetLocation(), commentType, contents.Trim(), trivia.ToFullString()));
-                    }
-                    break;
-                case SyntaxKind.MultiLineDocumentationCommentTrivia:
-                case SyntaxKind.MultiLineCommentTrivia:
-                    /*  We receive a single SyntaxTrivia for a multiline block spanning several lines.
-                        So we split it into separate lines
-                    */
-                    text = trivia.ToFullString();
-
-                    split = text.Split('\n');
-                    currentLocation = trivia.GetLocation().SourceSpan.Start;
-
-                    for (var line = 0; line < split.Length; ++line)
-                    {
-                        var fullLine = split[line];
-                        var nextLineLocation = currentLocation + fullLine.Length + 1;
-                        fullLine = fullLine.TrimEnd('\r');
-                        var trimmedLine = fullLine;
-                        if (line == 0)
-                            trimmedLine = trimmedLine.Substring(2);
-                        if (line == split.Length - 1)
-                            trimmedLine = trimmedLine.Substring(0, trimmedLine.Length - 2);
-                        trimmedLine = trimmedLine.Trim();
-
-                        var span = Microsoft.CodeAnalysis.Text.TextSpan.FromBounds(currentLocation, currentLocation + fullLine.Length);
-                        var location = Microsoft.CodeAnalysis.Location.Create(trivia.SyntaxTree, span);
-                        var commentType = line == 0 ? CommentLineType.Multiline : CommentLineType.MultilineContinuation;
-                        cx.CommentGenerator.AddComment(Create(cx, location, commentType, trimmedLine, fullLine));
-                        currentLocation = nextLineLocation;
-                    }
-                    break;
-                // Strangely, these are reported as SingleLineCommentTrivia.
-                case SyntaxKind.DocumentationCommentExteriorTrivia:
-                    cx.ModelError($"Unhandled comment type {trivia.Kind()} for {trivia}");
-                    break;
-            }
-        }
-
         private Extraction.Entities.Location location;
 
         public override void Populate(TextWriter trapFile)
@@ -131,7 +40,7 @@ namespace Semmle.Extraction.CSharp.Entities
             trapFile.Write(";commentline");
         }
 
-        private static CommentLine Create(Context cx, Microsoft.CodeAnalysis.Location loc, CommentLineType type, string text, string raw)
+        internal static CommentLine Create(Context cx, Microsoft.CodeAnalysis.Location loc, CommentLineType type, string text, string raw)
         {
             var init = (loc, type, text, raw);
             return CommentLineFactory.Instance.CreateEntity(cx, init, init);
diff --git a/csharp/extractor/Semmle.Extraction.CSharp/Populators/Comments.cs b/csharp/extractor/Semmle.Extraction.CSharp/Populators/Comments.cs
deleted file mode 100644
index 8f6bb6f5206..00000000000
--- a/csharp/extractor/Semmle.Extraction.CSharp/Populators/Comments.cs
+++ /dev/null
@@ -1,33 +0,0 @@
-using Semmle.Extraction.CommentProcessing;
-using System;
-
-namespace Semmle.Extraction.CSharp.Populators
-{
-    /// <summary>
-    /// Populators for comments.
-    /// </summary>
-    public static class Comments
-    {
-        public static void ExtractComments(this Context cx, ICommentGenerator gen)
-        {
-            cx.Try(null, null, () =>
-            {
-                gen.GenerateBindings((entity, duplicationGuardKey, block, binding) =>
-                {
-                    var commentBlock = Entities.CommentBlock.Create(cx, block);
-                    Action a = () =>
-                    {
-                        commentBlock.BindTo(entity, binding);
-                    };
-                    // When the duplication guard key exists, it means that the entity is guarded against
-                    // trap duplication (<see cref = "Context.BindComments(IEntity, Location)" />).
-                    // We must therefore also guard comment construction.
-                    if (duplicationGuardKey != null)
-                        cx.WithDuplicationGuard(duplicationGuardKey, a);
-                    else
-                        a();
-                });
-            });
-        }
-    }
-}
diff --git a/csharp/extractor/Semmle.Extraction.CSharp/Populators/CompilationUnitVisitor.cs b/csharp/extractor/Semmle.Extraction.CSharp/Populators/CompilationUnitVisitor.cs
new file mode 100644
index 00000000000..a98816fc23e
--- /dev/null
+++ b/csharp/extractor/Semmle.Extraction.CSharp/Populators/CompilationUnitVisitor.cs
@@ -0,0 +1,51 @@
+using Microsoft.CodeAnalysis;
+using Microsoft.CodeAnalysis.CSharp;
+using Microsoft.CodeAnalysis.CSharp.Syntax;
+using Semmle.Util.Logging;
+
+namespace Semmle.Extraction.CSharp.Populators
+{
+    internal class CompilationUnitVisitor : TypeOrNamespaceVisitor
+    {
+        private CompilationUnitVisitor(Context cx)
+            : base(cx, cx.TrapWriter.Writer, null) { }
+
+        public override void VisitExternAliasDirective(ExternAliasDirectiveSyntax node)
+        {
+            // This information is not yet extracted.
+            cx.ExtractionError("Not implemented extern alias directive", node.ToFullString(), Extraction.Entities.Location.Create(cx, node.GetLocation()), "", Severity.Info);
+        }
+
+        public override void VisitCompilationUnit(CompilationUnitSyntax compilationUnit)
+        {
+            foreach (var m in compilationUnit.ChildNodes())
+            {
+                cx.Try(m, null, () => ((CSharpSyntaxNode)m).Accept(this));
+            }
+
+            // Gather comments:
+            foreach (var trivia in compilationUnit.DescendantTrivia(compilationUnit.Span))
+            {
+                TriviaPopulator.ExtractTrivia(cx, trivia);
+            }
+
+            foreach (var trivia in compilationUnit.GetLeadingTrivia())
+            {
+                TriviaPopulator.ExtractTrivia(cx, trivia);
+            }
+
+            foreach (var trivia in compilationUnit.GetTrailingTrivia())
+            {
+                TriviaPopulator.ExtractTrivia(cx, trivia);
+            }
+        }
+
+        public static void Extract(Context cx, SyntaxNode unit)
+        {
+            // Ensure that the file itself is populated in case the source file is totally empty
+            Extraction.Entities.File.Create(cx, unit.SyntaxTree.FilePath);
+
+            ((CSharpSyntaxNode)unit).Accept(new CompilationUnitVisitor(cx));
+        }
+    }
+}
diff --git a/csharp/extractor/Semmle.Extraction.CSharp/Populators/TriviaPopulator.cs b/csharp/extractor/Semmle.Extraction.CSharp/Populators/TriviaPopulator.cs
new file mode 100644
index 00000000000..8aa99960a5b
--- /dev/null
+++ b/csharp/extractor/Semmle.Extraction.CSharp/Populators/TriviaPopulator.cs
@@ -0,0 +1,127 @@
+using Microsoft.CodeAnalysis;
+using Microsoft.CodeAnalysis.CSharp;
+using Semmle.Extraction.CommentProcessing;
+using Semmle.Extraction.CSharp.Entities;
+using System;
+
+namespace Semmle.Extraction.CSharp.Populators
+{
+    /// <summary>
+    /// Populators for trivias.
+    /// </summary>
+    public static class TriviaPopulator
+    {
+        public static void ExtractCommentBlocks(Context cx, ICommentGenerator gen)
+        {
+            cx.Try(null, null, () =>
+            {
+                gen.GenerateBindings((entity, duplicationGuardKey, block, binding) =>
+                {
+                    var commentBlock = Entities.CommentBlock.Create(cx, block);
+                    Action a = () =>
+                    {
+                        commentBlock.BindTo(entity, binding);
+                    };
+                    // When the duplication guard key exists, it means that the entity is guarded against
+                    // trap duplication (<see cref = "Context.BindComments(IEntity, Location)" />).
+                    // We must therefore also guard comment construction.
+                    if (duplicationGuardKey != null)
+                        cx.WithDuplicationGuard(duplicationGuardKey, a);
+                    else
+                        a();
+                });
+            });
+        }
+
+        public static void ExtractTrivia(Context cx, SyntaxTrivia trivia)
+        {
+            switch (trivia.Kind())
+            {
+                case SyntaxKind.SingleLineDocumentationCommentTrivia:
+                    /*
+                        This is actually a multi-line comment consisting of /// lines.
+                        So split it up.
+                    */
+
+                    var text = trivia.ToFullString();
+
+                    var split = text.Split('\n');
+                    var currentLocation = trivia.GetLocation().SourceSpan.Start - 3;
+
+                    for (var line = 0; line < split.Length - 1; ++line)
+                    {
+                        var fullLine = split[line];
+                        var nextLineLocation = currentLocation + fullLine.Length + 1;
+                        fullLine = fullLine.TrimEnd('\r');
+                        var trimmedLine = fullLine;
+
+                        var leadingSpaces = trimmedLine.IndexOf('/');
+                        if (leadingSpaces != -1)
+                        {
+                            fullLine = fullLine.Substring(leadingSpaces);
+                            currentLocation += leadingSpaces;
+                            trimmedLine = trimmedLine.Substring(leadingSpaces + 3); // Remove leading spaces and the "///"
+                            trimmedLine = trimmedLine.Trim();
+
+                            var span = Microsoft.CodeAnalysis.Text.TextSpan.FromBounds(currentLocation, currentLocation + fullLine.Length);
+                            var location = Microsoft.CodeAnalysis.Location.Create(trivia.SyntaxTree, span);
+                            var commentType = CommentLineType.XmlDoc;
+                            cx.CommentGenerator.AddComment(CommentLine.Create(cx, location, commentType, trimmedLine, fullLine));
+                        }
+                        else
+                        {
+                            cx.ModelError("Unexpected comment format");
+                        }
+                        currentLocation = nextLineLocation;
+                    }
+                    break;
+
+                case SyntaxKind.SingleLineCommentTrivia:
+                    {
+                        var contents = trivia.ToString().Substring(2);
+                        var commentType = CommentLineType.Singleline;
+                        if (contents.Length > 0 && contents[0] == '/')
+                        {
+                            commentType = CommentLineType.XmlDoc;
+                            contents = contents.Substring(1);       // An XML comment.
+                        }
+                        cx.CommentGenerator.AddComment(CommentLine.Create(cx, trivia.GetLocation(), commentType, contents.Trim(), trivia.ToFullString()));
+                    }
+                    break;
+                case SyntaxKind.MultiLineDocumentationCommentTrivia:
+                case SyntaxKind.MultiLineCommentTrivia:
+                    /*  We receive a single SyntaxTrivia for a multiline block spanning several lines.
+                        So we split it into separate lines
+                    */
+                    text = trivia.ToFullString();
+
+                    split = text.Split('\n');
+                    currentLocation = trivia.GetLocation().SourceSpan.Start;
+
+                    for (var line = 0; line < split.Length; ++line)
+                    {
+                        var fullLine = split[line];
+                        var nextLineLocation = currentLocation + fullLine.Length + 1;
+                        fullLine = fullLine.TrimEnd('\r');
+                        var trimmedLine = fullLine;
+                        if (line == 0)
+                            trimmedLine = trimmedLine.Substring(2);
+                        if (line == split.Length - 1)
+                            trimmedLine = trimmedLine.Substring(0, trimmedLine.Length - 2);
+                        trimmedLine = trimmedLine.Trim();
+
+                        var span = Microsoft.CodeAnalysis.Text.TextSpan.FromBounds(currentLocation, currentLocation + fullLine.Length);
+                        var location = Microsoft.CodeAnalysis.Location.Create(trivia.SyntaxTree, span);
+                        var commentType = line == 0 ? CommentLineType.Multiline : CommentLineType.MultilineContinuation;
+                        cx.CommentGenerator.AddComment(CommentLine.Create(cx, location, commentType, trimmedLine, fullLine));
+                        currentLocation = nextLineLocation;
+                    }
+                    break;
+                // Strangely, these are reported as SingleLineCommentTrivia.
+                case SyntaxKind.DocumentationCommentExteriorTrivia:
+                    cx.ModelError($"Unhandled comment type {trivia.Kind()} for {trivia}");
+                    break;
+            }
+        }
+    }
+}
diff --git a/csharp/extractor/Semmle.Extraction.CSharp/Populators/CompilationUnit.cs b/csharp/extractor/Semmle.Extraction.CSharp/Populators/TypeContainerVisitor.cs
similarity index 56%
rename from csharp/extractor/Semmle.Extraction.CSharp/Populators/CompilationUnit.cs
rename to csharp/extractor/Semmle.Extraction.CSharp/Populators/TypeContainerVisitor.cs
index 69814bf197a..a45ede39501 100644
--- a/csharp/extractor/Semmle.Extraction.CSharp/Populators/CompilationUnit.cs
+++ b/csharp/extractor/Semmle.Extraction.CSharp/Populators/TypeContainerVisitor.cs
@@ -1,10 +1,7 @@
 using Microsoft.CodeAnalysis;
 using Microsoft.CodeAnalysis.CSharp;
 using Microsoft.CodeAnalysis.CSharp.Syntax;
-using Semmle.Extraction.CSharp.Entities;
 using Semmle.Extraction.Entities;
-using Semmle.Util;
-using Semmle.Util.Logging;
 using System;
 using System.Collections.Generic;
 using System.IO;
@@ -82,69 +79,4 @@ namespace Semmle.Extraction.CSharp.Populators
             }
         }
     }
-
-    internal class TypeOrNamespaceVisitor : TypeContainerVisitor
-    {
-        public TypeOrNamespaceVisitor(Context cx, TextWriter trapFile, IEntity parent)
-            : base(cx, trapFile, parent) { }
-
-        public override void VisitUsingDirective(UsingDirectiveSyntax usingDirective)
-        {
-            // Only deal with "using namespace" not "using X = Y"
-            if (usingDirective.Alias == null)
-                new UsingDirective(cx, usingDirective, (NamespaceDeclaration)parent);
-        }
-
-        public override void VisitNamespaceDeclaration(NamespaceDeclarationSyntax node)
-        {
-            NamespaceDeclaration.Create(cx, node, (NamespaceDeclaration)parent);
-        }
-    }
-
-    internal class CompilationUnitVisitor : TypeOrNamespaceVisitor
-    {
-        public CompilationUnitVisitor(Context cx)
-            : base(cx, cx.TrapWriter.Writer, null) { }
-
-        public override void VisitExternAliasDirective(ExternAliasDirectiveSyntax node)
-        {
-            // This information is not yet extracted.
-            cx.ExtractionError("Not implemented extern alias directive", node.ToFullString(), Extraction.Entities.Location.Create(cx, node.GetLocation()), "", Severity.Info);
-        }
-
-        public override void VisitCompilationUnit(CompilationUnitSyntax compilationUnit)
-        {
-            foreach (var m in compilationUnit.ChildNodes())
-            {
-                cx.Try(m, null, () => ((CSharpSyntaxNode)m).Accept(this));
-            }
-
-            // Gather comments:
-            foreach (var trivia in compilationUnit.DescendantTrivia(compilationUnit.Span))
-            {
-                CommentLine.Extract(cx, trivia);
-            }
-
-            foreach (var trivia in compilationUnit.GetLeadingTrivia())
-            {
-                CommentLine.Extract(cx, trivia);
-            }
-
-            foreach (var trivia in compilationUnit.GetTrailingTrivia())
-            {
-                CommentLine.Extract(cx, trivia);
-            }
-        }
-    }
-
-    public class CompilationUnit
-    {
-        public static void Extract(Context cx, SyntaxNode unit)
-        {
-            // Ensure that the file itself is populated in case the source file is totally empty
-            Semmle.Extraction.Entities.File.Create(cx, unit.SyntaxTree.FilePath);
-
-            ((CSharpSyntaxNode)unit).Accept(new CompilationUnitVisitor(cx));
-        }
-    }
 }
diff --git a/csharp/extractor/Semmle.Extraction.CSharp/Populators/TypeOrNamespaceVisitor.cs b/csharp/extractor/Semmle.Extraction.CSharp/Populators/TypeOrNamespaceVisitor.cs
new file mode 100644
index 00000000000..aacdc5d2a4f
--- /dev/null
+++ b/csharp/extractor/Semmle.Extraction.CSharp/Populators/TypeOrNamespaceVisitor.cs
@@ -0,0 +1,24 @@
+using Microsoft.CodeAnalysis.CSharp.Syntax;
+using Semmle.Extraction.CSharp.Entities;
+using System.IO;
+
+namespace Semmle.Extraction.CSharp.Populators
+{
+    internal class TypeOrNamespaceVisitor : TypeContainerVisitor
+    {
+        public TypeOrNamespaceVisitor(Context cx, TextWriter trapFile, IEntity parent)
+            : base(cx, trapFile, parent) { }
+
+        public override void VisitUsingDirective(UsingDirectiveSyntax usingDirective)
+        {
+            // Only deal with "using namespace" not "using X = Y"
+            if (usingDirective.Alias == null)
+                new UsingDirective(cx, usingDirective, (NamespaceDeclaration)parent);
+        }
+
+        public override void VisitNamespaceDeclaration(NamespaceDeclarationSyntax node)
+        {
+            NamespaceDeclaration.Create(cx, node, (NamespaceDeclaration)parent);
+        }
+    }
+}

From c3ef6841d093356a78c715c75d753f7496d376e3 Mon Sep 17 00:00:00 2001
From: Tamas Vajk <tamasvajk@github.com>
Date: Tue, 19 Jan 2021 11:13:21 +0100
Subject: [PATCH 106/429] Add tests for trivia types

---
 .../comments/BindingAfter.expected            |  1 +
 .../library-tests/comments/Comments.expected  |  3 +
 .../library-tests/comments/Orphans.expected   |  1 +
 .../ql/test/library-tests/comments/trivia.cs  | 78 +++++++++++++++++++
 4 files changed, 83 insertions(+)
 create mode 100644 csharp/ql/test/library-tests/comments/trivia.cs

diff --git a/csharp/ql/test/library-tests/comments/BindingAfter.expected b/csharp/ql/test/library-tests/comments/BindingAfter.expected
index 44c01d79239..6838f406708 100644
--- a/csharp/ql/test/library-tests/comments/BindingAfter.expected
+++ b/csharp/ql/test/library-tests/comments/BindingAfter.expected
@@ -55,3 +55,4 @@
 | comments2.cs:118:5:118:21 | // ... | comments2.cs:119:11:119:25 | GenericClass<> | GenericClass<> |
 | comments2.cs:124:5:124:16 | // ... | comments2.cs:125:9:125:20 | GenericFn | GenericFn |
 | comments2.cs:127:20:127:23 | // ... | comments2.cs:128:9:128:17 | return ...; | x |
+| trivia.cs:1:1:3:15 | // ... | trivia.cs:14:7:14:9 | Tr1 | semmle-extractor-options: --standalone |
diff --git a/csharp/ql/test/library-tests/comments/Comments.expected b/csharp/ql/test/library-tests/comments/Comments.expected
index 388687e7857..80208664157 100644
--- a/csharp/ql/test/library-tests/comments/Comments.expected
+++ b/csharp/ql/test/library-tests/comments/Comments.expected
@@ -70,6 +70,9 @@ singlelineComment
 | comments2.cs:124:5:124:16 | // ... | comments2.cs:124:5:124:16 | // ... | 1 | GenericFn | // GenericFn |
 | comments2.cs:127:20:127:23 | // ... | comments2.cs:127:20:127:23 | // ... | 1 | x | // x |
 | comments2.cs:132:1:132:21 | // ... | comments2.cs:132:1:132:21 | // ... | 1 | End of comment2.cs | // End of comment2.cs |
+| trivia.cs:1:1:3:15 | // ... | trivia.cs:1:1:1:42 | // ... | 3 | semmle-extractor-options: --standalone | //  semmle-extractor-options: --standalone |
+| trivia.cs:1:1:3:15 | // ... | trivia.cs:2:1:2:21 | // ... | 3 | Start of trivia.cs | // Start of trivia.cs |
+| trivia.cs:1:1:3:15 | // ... | trivia.cs:3:1:3:15 | // ... | 3 | Unassociated | // Unassociated |
 multilineComment
 | comments1.cs:11:1:11:25 | /* ... */ | comments1.cs:11:1:11:25 | /* ... */ | 1 | A multiline comment | /* A multiline comment */ |
 | comments1.cs:25:1:25:43 | /* ... */ | comments1.cs:25:1:25:15 | /* ... */ | 2 | This is a | /* This is a */ |
diff --git a/csharp/ql/test/library-tests/comments/Orphans.expected b/csharp/ql/test/library-tests/comments/Orphans.expected
index e57bc81990e..56e5af20cd2 100644
--- a/csharp/ql/test/library-tests/comments/Orphans.expected
+++ b/csharp/ql/test/library-tests/comments/Orphans.expected
@@ -14,3 +14,4 @@
 | comments2.cs:5:27:5:41 | // ... |
 | comments2.cs:8:1:8:15 | // ... |
 | comments2.cs:132:1:132:21 | // ... |
+| trivia.cs:1:1:3:15 | // ... |
diff --git a/csharp/ql/test/library-tests/comments/trivia.cs b/csharp/ql/test/library-tests/comments/trivia.cs
new file mode 100644
index 00000000000..e22ddf77a63
--- /dev/null
+++ b/csharp/ql/test/library-tests/comments/trivia.cs
@@ -0,0 +1,78 @@
+//  semmle-extractor-options: --standalone
+// Start of trivia.cs
+// Unassociated
+#define DEBUG
+
+#undef DEBUG
+
+using System;
+using System.Collections;
+using System.Collections.Generic;
+
+#pragma warning disable 414, CS3021
+#pragma checksum "file.cs" "{406EA660-64CF-4C82-B6F0-42D48172A799}" "ab007f1d23d9" // New checksum
+class Tr1
+{
+    static void M1()
+    {
+#line 200 "Special"
+        int i;
+        int j;
+#line default
+        char c;
+#pragma warning restore
+        float f;
+#line hidden // numbering not affected
+        string s;
+#line default
+        double d;
+    }
+}
+
+class Tr2
+{
+    static void M1()
+    {
+        #region fields
+        int i;
+        #region nested
+        int j;
+        #endregion
+        #endregion
+    }
+}
+
+class Tr3
+{
+    static void M1()
+    {
+#nullable disable// Sets the nullable annotation and warning contexts to disabled.
+#nullable enable// Sets the nullable annotation and warning contexts to enabled.
+#nullable restore// Restores the nullable annotation and warning contexts to project settings.
+#nullable disable annotations// Sets the nullable annotation context to disabled.
+#nullable enable annotations// Sets the nullable annotation context to enabled.
+#nullable restore annotations// Restores the nullable annotation context to project settings.
+#nullable disable warnings// Sets the nullable warning context to disabled.
+#nullable enable warnings// Sets the nullable warning context to enabled.
+#nullable restore warnings// Restores the nullable warning context to project settings.
+    }
+}
+
+class Tr4
+{
+    static void M1()
+    {
+#if DEBUG
+#warning DEBUG is defined
+        var i = 0;
+#if NESTED
+        i--;
+#endif
+#elif (NOTDEBUG == true) || !(TEST)
+#error NOTDEBUG is defined or TEST is not
+        var i = 1;
+#else
+        var i = 2;
+#endif
+    }
+}
\ No newline at end of file

From 046a37b8342fe45dd9376358a8ba89ce60fcb503 Mon Sep 17 00:00:00 2001
From: Tamas Vajk <tamasvajk@github.com>
Date: Tue, 19 Jan 2021 12:23:06 +0100
Subject: [PATCH 107/429] Simplify element access extraction

---
 .../Entities/Expressions/ElementAccess.cs     |  8 +--
 .../Populators/Ast.cs                         | 63 -------------------
 .../arguments/argumentType.expected           | 12 ++++
 3 files changed, 14 insertions(+), 69 deletions(-)
 delete mode 100644 csharp/extractor/Semmle.Extraction.CSharp/Populators/Ast.cs

diff --git a/csharp/extractor/Semmle.Extraction.CSharp/Entities/Expressions/ElementAccess.cs b/csharp/extractor/Semmle.Extraction.CSharp/Entities/Expressions/ElementAccess.cs
index afc4cd2cd93..59e573984fe 100644
--- a/csharp/extractor/Semmle.Extraction.CSharp/Entities/Expressions/ElementAccess.cs
+++ b/csharp/extractor/Semmle.Extraction.CSharp/Entities/Expressions/ElementAccess.cs
@@ -30,12 +30,8 @@ namespace Semmle.Extraction.CSharp.Entities.Expressions
             }
             else
             {
-                var child = -1;
-                Create(cx, qualifier, this, child++);
-                foreach (var a in argumentList.Arguments)
-                {
-                    cx.Extract(a, this, child++);
-                }
+                Create(cx, qualifier, this, -1);
+                PopulateArguments(trapFile, argumentList, 0);
 
                 var symbolInfo = cx.GetSymbolInfo(base.Syntax);
 
diff --git a/csharp/extractor/Semmle.Extraction.CSharp/Populators/Ast.cs b/csharp/extractor/Semmle.Extraction.CSharp/Populators/Ast.cs
deleted file mode 100644
index 866d436bda1..00000000000
--- a/csharp/extractor/Semmle.Extraction.CSharp/Populators/Ast.cs
+++ /dev/null
@@ -1,63 +0,0 @@
-using Microsoft.CodeAnalysis;
-using Microsoft.CodeAnalysis.CSharp;
-using Microsoft.CodeAnalysis.CSharp.Syntax;
-using Semmle.Extraction.CSharp.Entities;
-
-namespace Semmle.Extraction.CSharp.Populators
-{
-    internal class Ast : CSharpSyntaxVisitor
-    {
-        private readonly Context cx;
-        private readonly IExpressionParentEntity parent;
-        private readonly int child;
-
-        public Ast(Context cx, IExpressionParentEntity parent, int child)
-        {
-            this.cx = cx;
-            this.parent = parent;
-            this.child = child;
-        }
-
-        public override void DefaultVisit(SyntaxNode node)
-        {
-            cx.ModelError(node, $"Unhandled syntax node {node.Kind()}");
-        }
-
-        public override void VisitArgumentList(ArgumentListSyntax node)
-        {
-            var c = 0;
-            foreach (var m in node.Arguments)
-            {
-                cx.Extract(m, parent, c++);
-            }
-        }
-
-        public override void VisitArgument(ArgumentSyntax node)
-        {
-            Expression.Create(cx, node.Expression, parent, child);
-        }
-    }
-
-    public static class AstExtensions
-    {
-        public static void Extract(this Context cx, CSharpSyntaxNode node, IExpressionParentEntity parent, int child)
-        {
-            using (cx.StackGuard)
-            {
-                try
-                {
-                    node.Accept(new Ast(cx, parent, child));
-                }
-                catch (System.Exception ex)  // lgtm[cs/catch-of-all-exceptions]
-                {
-                    cx.ModelError(node, $"Exception processing syntax node of type {node.Kind()}: {ex.Message}");
-                }
-            }
-        }
-
-        public static void Extract(this Context cx, SyntaxNode node, IEntity parent, int child)
-        {
-            cx.Extract(((CSharpSyntaxNode)node), parent, child);
-        }
-    }
-}
diff --git a/csharp/ql/test/library-tests/arguments/argumentType.expected b/csharp/ql/test/library-tests/arguments/argumentType.expected
index 39697e63729..e2cd7fc4a51 100644
--- a/csharp/ql/test/library-tests/arguments/argumentType.expected
+++ b/csharp/ql/test/library-tests/arguments/argumentType.expected
@@ -22,3 +22,15 @@
 | arguments.cs:40:41:40:41 | 0 | 0 |
 | arguments.cs:45:12:45:32 | array creation of type Object[] | 0 |
 | arguments.cs:45:35:45:38 | null | 0 |
+| arguments.cs:55:21:55:21 | 1 | 0 |
+| arguments.cs:55:24:55:24 | 2 | 0 |
+| arguments.cs:56:21:56:21 | 3 | 0 |
+| arguments.cs:56:24:56:24 | 4 | 0 |
+| arguments.cs:59:14:59:14 | 8 | 0 |
+| arguments.cs:59:17:59:17 | 9 | 0 |
+| arguments.cs:60:14:60:15 | 10 | 0 |
+| arguments.cs:60:14:60:15 | 10 | 0 |
+| arguments.cs:60:18:60:19 | 11 | 0 |
+| arguments.cs:60:18:60:19 | 11 | 0 |
+| arguments.cs:62:21:62:22 | 15 | 0 |
+| arguments.cs:62:25:62:26 | 16 | 0 |

From 48d24b2264ab65d5877174251b3430d85ff5162d Mon Sep 17 00:00:00 2001
From: Tamas Vajk <tamasvajk@github.com>
Date: Tue, 19 Jan 2021 13:40:33 +0100
Subject: [PATCH 108/429] Get line comments from trivia lines

---
 .../Populators/CompilationUnitVisitor.cs              |  2 +-
 .../test/library-tests/comments/BindingAfter.expected |  2 ++
 .../library-tests/comments/BindingBefore.expected     |  1 +
 .../library-tests/comments/BindingParent.expected     | 10 ++++++++++
 .../ql/test/library-tests/comments/Bindings.expected  | 11 +++++++++++
 .../ql/test/library-tests/comments/Comments.expected  | 11 +++++++++++
 6 files changed, 36 insertions(+), 1 deletion(-)

diff --git a/csharp/extractor/Semmle.Extraction.CSharp/Populators/CompilationUnitVisitor.cs b/csharp/extractor/Semmle.Extraction.CSharp/Populators/CompilationUnitVisitor.cs
index a98816fc23e..918366de186 100644
--- a/csharp/extractor/Semmle.Extraction.CSharp/Populators/CompilationUnitVisitor.cs
+++ b/csharp/extractor/Semmle.Extraction.CSharp/Populators/CompilationUnitVisitor.cs
@@ -24,7 +24,7 @@ namespace Semmle.Extraction.CSharp.Populators
             }
 
             // Gather comments:
-            foreach (var trivia in compilationUnit.DescendantTrivia(compilationUnit.Span))
+            foreach (var trivia in compilationUnit.DescendantTrivia(compilationUnit.Span, descendIntoTrivia: true))
             {
                 TriviaPopulator.ExtractTrivia(cx, trivia);
             }
diff --git a/csharp/ql/test/library-tests/comments/BindingAfter.expected b/csharp/ql/test/library-tests/comments/BindingAfter.expected
index 6838f406708..a44d0360f73 100644
--- a/csharp/ql/test/library-tests/comments/BindingAfter.expected
+++ b/csharp/ql/test/library-tests/comments/BindingAfter.expected
@@ -56,3 +56,5 @@
 | comments2.cs:124:5:124:16 | // ... | comments2.cs:125:9:125:20 | GenericFn | GenericFn |
 | comments2.cs:127:20:127:23 | // ... | comments2.cs:128:9:128:17 | return ...; | x |
 | trivia.cs:1:1:3:15 | // ... | trivia.cs:14:7:14:9 | Tr1 | semmle-extractor-options: --standalone |
+| trivia.cs:13:84:13:98 | // ... | trivia.cs:14:7:14:9 | Tr1 | New checksum |
+| trivia.cs:25:14:25:38 | // ... | trivia.cs:26:9:26:17 | ... ...; | numbering not affected |
diff --git a/csharp/ql/test/library-tests/comments/BindingBefore.expected b/csharp/ql/test/library-tests/comments/BindingBefore.expected
index 4d41ea94864..9cb36b9e7cc 100644
--- a/csharp/ql/test/library-tests/comments/BindingBefore.expected
+++ b/csharp/ql/test/library-tests/comments/BindingBefore.expected
@@ -48,3 +48,4 @@
 | comments2.cs:124:5:124:16 | // ... | comments2.cs:119:11:119:25 | GenericClass<> | GenericFn |
 | comments2.cs:127:20:127:23 | // ... | comments2.cs:127:9:127:18 | ... ...; | x |
 | comments2.cs:132:1:132:21 | // ... | comments2.cs:11:7:11:8 | C2 | End of comment2.cs |
+| trivia.cs:25:14:25:38 | // ... | trivia.cs:24:9:24:16 | ... ...; | numbering not affected |
diff --git a/csharp/ql/test/library-tests/comments/BindingParent.expected b/csharp/ql/test/library-tests/comments/BindingParent.expected
index de8fed3666b..d9c8f24d48d 100644
--- a/csharp/ql/test/library-tests/comments/BindingParent.expected
+++ b/csharp/ql/test/library-tests/comments/BindingParent.expected
@@ -47,3 +47,13 @@
 | comments2.cs:121:17:121:20 | // ... | comments2.cs:119:11:119:25 | GenericClass<> | f |
 | comments2.cs:124:5:124:16 | // ... | comments2.cs:11:7:11:8 | C2 | GenericFn |
 | comments2.cs:127:20:127:23 | // ... | comments2.cs:126:5:129:5 | {...} | x |
+| trivia.cs:25:14:25:38 | // ... | trivia.cs:17:5:29:5 | {...} | numbering not affected |
+| trivia.cs:49:18:49:82 | // ... | trivia.cs:48:5:58:5 | {...} | Sets the nullable annotation and warning contexts to disabled. |
+| trivia.cs:50:17:50:80 | // ... | trivia.cs:48:5:58:5 | {...} | Sets the nullable annotation and warning contexts to enabled. |
+| trivia.cs:51:18:51:94 | // ... | trivia.cs:48:5:58:5 | {...} | Restores the nullable annotation and warning contexts to project settings. |
+| trivia.cs:52:30:52:81 | // ... | trivia.cs:48:5:58:5 | {...} | Sets the nullable annotation context to disabled. |
+| trivia.cs:53:29:53:79 | // ... | trivia.cs:48:5:58:5 | {...} | Sets the nullable annotation context to enabled. |
+| trivia.cs:54:30:54:93 | // ... | trivia.cs:48:5:58:5 | {...} | Restores the nullable annotation context to project settings. |
+| trivia.cs:55:27:55:75 | // ... | trivia.cs:48:5:58:5 | {...} | Sets the nullable warning context to disabled. |
+| trivia.cs:56:26:56:73 | // ... | trivia.cs:48:5:58:5 | {...} | Sets the nullable warning context to enabled. |
+| trivia.cs:57:27:57:87 | // ... | trivia.cs:48:5:58:5 | {...} | Restores the nullable warning context to project settings. |
diff --git a/csharp/ql/test/library-tests/comments/Bindings.expected b/csharp/ql/test/library-tests/comments/Bindings.expected
index b241ed56b55..90889ddeda0 100644
--- a/csharp/ql/test/library-tests/comments/Bindings.expected
+++ b/csharp/ql/test/library-tests/comments/Bindings.expected
@@ -49,3 +49,14 @@
 | comments2.cs:121:17:121:20 | // ... | comments2.cs:121:13:121:13 | f | f |
 | comments2.cs:124:5:124:16 | // ... | comments2.cs:125:9:125:20 | GenericFn | GenericFn |
 | comments2.cs:127:20:127:23 | // ... | comments2.cs:127:9:127:18 | ... ...; | x |
+| trivia.cs:13:84:13:98 | // ... | trivia.cs:14:7:14:9 | Tr1 | New checksum |
+| trivia.cs:25:14:25:38 | // ... | trivia.cs:17:5:29:5 | {...} | numbering not affected |
+| trivia.cs:49:18:49:82 | // ... | trivia.cs:48:5:58:5 | {...} | Sets the nullable annotation and warning contexts to disabled. |
+| trivia.cs:50:17:50:80 | // ... | trivia.cs:48:5:58:5 | {...} | Sets the nullable annotation and warning contexts to enabled. |
+| trivia.cs:51:18:51:94 | // ... | trivia.cs:48:5:58:5 | {...} | Restores the nullable annotation and warning contexts to project settings. |
+| trivia.cs:52:30:52:81 | // ... | trivia.cs:48:5:58:5 | {...} | Sets the nullable annotation context to disabled. |
+| trivia.cs:53:29:53:79 | // ... | trivia.cs:48:5:58:5 | {...} | Sets the nullable annotation context to enabled. |
+| trivia.cs:54:30:54:93 | // ... | trivia.cs:48:5:58:5 | {...} | Restores the nullable annotation context to project settings. |
+| trivia.cs:55:27:55:75 | // ... | trivia.cs:48:5:58:5 | {...} | Sets the nullable warning context to disabled. |
+| trivia.cs:56:26:56:73 | // ... | trivia.cs:48:5:58:5 | {...} | Sets the nullable warning context to enabled. |
+| trivia.cs:57:27:57:87 | // ... | trivia.cs:48:5:58:5 | {...} | Restores the nullable warning context to project settings. |
diff --git a/csharp/ql/test/library-tests/comments/Comments.expected b/csharp/ql/test/library-tests/comments/Comments.expected
index 80208664157..176211192a6 100644
--- a/csharp/ql/test/library-tests/comments/Comments.expected
+++ b/csharp/ql/test/library-tests/comments/Comments.expected
@@ -73,6 +73,17 @@ singlelineComment
 | trivia.cs:1:1:3:15 | // ... | trivia.cs:1:1:1:42 | // ... | 3 | semmle-extractor-options: --standalone | //  semmle-extractor-options: --standalone |
 | trivia.cs:1:1:3:15 | // ... | trivia.cs:2:1:2:21 | // ... | 3 | Start of trivia.cs | // Start of trivia.cs |
 | trivia.cs:1:1:3:15 | // ... | trivia.cs:3:1:3:15 | // ... | 3 | Unassociated | // Unassociated |
+| trivia.cs:13:84:13:98 | // ... | trivia.cs:13:84:13:98 | // ... | 1 | New checksum | // New checksum |
+| trivia.cs:25:14:25:38 | // ... | trivia.cs:25:14:25:38 | // ... | 1 | numbering not affected | // numbering not affected |
+| trivia.cs:49:18:49:82 | // ... | trivia.cs:49:18:49:82 | // ... | 1 | Sets the nullable annotation and warning contexts to disabled. | // Sets the nullable annotation and warning contexts to disabled. |
+| trivia.cs:50:17:50:80 | // ... | trivia.cs:50:17:50:80 | // ... | 1 | Sets the nullable annotation and warning contexts to enabled. | // Sets the nullable annotation and warning contexts to enabled. |
+| trivia.cs:51:18:51:94 | // ... | trivia.cs:51:18:51:94 | // ... | 1 | Restores the nullable annotation and warning contexts to project settings. | // Restores the nullable annotation and warning contexts to project settings. |
+| trivia.cs:52:30:52:81 | // ... | trivia.cs:52:30:52:81 | // ... | 1 | Sets the nullable annotation context to disabled. | // Sets the nullable annotation context to disabled. |
+| trivia.cs:53:29:53:79 | // ... | trivia.cs:53:29:53:79 | // ... | 1 | Sets the nullable annotation context to enabled. | // Sets the nullable annotation context to enabled. |
+| trivia.cs:54:30:54:93 | // ... | trivia.cs:54:30:54:93 | // ... | 1 | Restores the nullable annotation context to project settings. | // Restores the nullable annotation context to project settings. |
+| trivia.cs:55:27:55:75 | // ... | trivia.cs:55:27:55:75 | // ... | 1 | Sets the nullable warning context to disabled. | // Sets the nullable warning context to disabled. |
+| trivia.cs:56:26:56:73 | // ... | trivia.cs:56:26:56:73 | // ... | 1 | Sets the nullable warning context to enabled. | // Sets the nullable warning context to enabled. |
+| trivia.cs:57:27:57:87 | // ... | trivia.cs:57:27:57:87 | // ... | 1 | Restores the nullable warning context to project settings. | // Restores the nullable warning context to project settings. |
 multilineComment
 | comments1.cs:11:1:11:25 | /* ... */ | comments1.cs:11:1:11:25 | /* ... */ | 1 | A multiline comment | /* A multiline comment */ |
 | comments1.cs:25:1:25:43 | /* ... */ | comments1.cs:25:1:25:15 | /* ... */ | 2 | This is a | /* This is a */ |

From 40186db768584015b372fa37fe92ad0984272d1f Mon Sep 17 00:00:00 2001
From: Tamas Vajk <tamasvajk@github.com>
Date: Tue, 19 Jan 2021 15:51:38 +0100
Subject: [PATCH 109/429] Rename CommentPopulator

---
 .../Semmle.Extraction.CSharp/Analyser.cs         |  9 +++++++--
 .../{TriviaPopulator.cs => CommentPopulator.cs}  |  6 +++---
 .../Populators/CompilationUnitVisitor.cs         | 16 ++++------------
 3 files changed, 14 insertions(+), 17 deletions(-)
 rename csharp/extractor/Semmle.Extraction.CSharp/Populators/{TriviaPopulator.cs => CommentPopulator.cs} (97%)

diff --git a/csharp/extractor/Semmle.Extraction.CSharp/Analyser.cs b/csharp/extractor/Semmle.Extraction.CSharp/Analyser.cs
index b4076956c4f..fb03a6eee92 100644
--- a/csharp/extractor/Semmle.Extraction.CSharp/Analyser.cs
+++ b/csharp/extractor/Semmle.Extraction.CSharp/Analyser.cs
@@ -374,9 +374,14 @@ namespace Semmle.Extraction.CSharp
                     if (!upToDate)
                     {
                         var cx = extractor.CreateContext(compilation.Clone(), trapWriter, new SourceScope(tree), AddAssemblyTrapPrefix);
-                        CompilationUnitVisitor.Extract(cx, tree.GetRoot());
+                        // Ensure that the file itself is populated in case the source file is totally empty
+                        var root = tree.GetRoot();
+                        Extraction.Entities.File.Create(cx, root.SyntaxTree.FilePath);
+
+                        var csNode = (CSharpSyntaxNode)root;
+                        csNode.Accept(new CompilationUnitVisitor(cx));
                         cx.PopulateAll();
-                        TriviaPopulator.ExtractCommentBlocks(cx, cx.CommentGenerator);
+                        CommentPopulator.ExtractCommentBlocks(cx, cx.CommentGenerator);
                         cx.PopulateAll();
                     }
                 }
diff --git a/csharp/extractor/Semmle.Extraction.CSharp/Populators/TriviaPopulator.cs b/csharp/extractor/Semmle.Extraction.CSharp/Populators/CommentPopulator.cs
similarity index 97%
rename from csharp/extractor/Semmle.Extraction.CSharp/Populators/TriviaPopulator.cs
rename to csharp/extractor/Semmle.Extraction.CSharp/Populators/CommentPopulator.cs
index 8aa99960a5b..0574a11db5f 100644
--- a/csharp/extractor/Semmle.Extraction.CSharp/Populators/TriviaPopulator.cs
+++ b/csharp/extractor/Semmle.Extraction.CSharp/Populators/CommentPopulator.cs
@@ -7,9 +7,9 @@ using System;
 namespace Semmle.Extraction.CSharp.Populators
 {
     /// <summary>
-    /// Populators for trivias.
+    /// Populators for comments.
     /// </summary>
-    public static class TriviaPopulator
+    public static class CommentPopulator
     {
         public static void ExtractCommentBlocks(Context cx, ICommentGenerator gen)
         {
@@ -33,7 +33,7 @@ namespace Semmle.Extraction.CSharp.Populators
             });
         }
 
-        public static void ExtractTrivia(Context cx, SyntaxTrivia trivia)
+        public static void ExtractComment(Context cx, SyntaxTrivia trivia)
         {
             switch (trivia.Kind())
             {
diff --git a/csharp/extractor/Semmle.Extraction.CSharp/Populators/CompilationUnitVisitor.cs b/csharp/extractor/Semmle.Extraction.CSharp/Populators/CompilationUnitVisitor.cs
index 918366de186..bebdee933cd 100644
--- a/csharp/extractor/Semmle.Extraction.CSharp/Populators/CompilationUnitVisitor.cs
+++ b/csharp/extractor/Semmle.Extraction.CSharp/Populators/CompilationUnitVisitor.cs
@@ -7,7 +7,7 @@ namespace Semmle.Extraction.CSharp.Populators
 {
     internal class CompilationUnitVisitor : TypeOrNamespaceVisitor
     {
-        private CompilationUnitVisitor(Context cx)
+        public CompilationUnitVisitor(Context cx)
             : base(cx, cx.TrapWriter.Writer, null) { }
 
         public override void VisitExternAliasDirective(ExternAliasDirectiveSyntax node)
@@ -26,26 +26,18 @@ namespace Semmle.Extraction.CSharp.Populators
             // Gather comments:
             foreach (var trivia in compilationUnit.DescendantTrivia(compilationUnit.Span, descendIntoTrivia: true))
             {
-                TriviaPopulator.ExtractTrivia(cx, trivia);
+                CommentPopulator.ExtractComment(cx, trivia);
             }
 
             foreach (var trivia in compilationUnit.GetLeadingTrivia())
             {
-                TriviaPopulator.ExtractTrivia(cx, trivia);
+                CommentPopulator.ExtractComment(cx, trivia);
             }
 
             foreach (var trivia in compilationUnit.GetTrailingTrivia())
             {
-                TriviaPopulator.ExtractTrivia(cx, trivia);
+                CommentPopulator.ExtractComment(cx, trivia);
             }
         }
-
-        public static void Extract(Context cx, SyntaxNode unit)
-        {
-            // Ensure that the file itself is populated in case the source file is totally empty
-            Extraction.Entities.File.Create(cx, unit.SyntaxTree.FilePath);
-
-            ((CSharpSyntaxNode)unit).Accept(new CompilationUnitVisitor(cx));
-        }
     }
 }

From 8b9c6712d1ca9fceec88221eb7940e545574d7b4 Mon Sep 17 00:00:00 2001
From: Tamas Vajk <tamasvajk@github.com>
Date: Tue, 19 Jan 2021 15:52:12 +0100
Subject: [PATCH 110/429] Extract pragma warning directives

---
 .../Semmle.Extraction.CSharp/Analyser.cs      |  1 +
 .../IPreprocessorDirective.cs                 |  4 ++
 .../PragmaWarningDirective.cs                 | 43 +++++++++++++++++++
 .../Populators/DirectiveVisitor.cs            | 21 +++++++++
 .../Semmle.Extraction.CSharp/Tuples.cs        | 20 +++++++++
 csharp/ql/src/csharp.qll                      |  1 +
 .../src/semmle/code/csharp/Preprocessor.qll   | 30 +++++++++++++
 csharp/ql/src/semmlecode.csharp.dbscheme      | 22 +++++++++-
 .../comments/PragmaWarnings.expected          |  7 +++
 .../library-tests/comments/PragmaWarnings.ql  |  9 ++++
 10 files changed, 157 insertions(+), 1 deletion(-)
 create mode 100644 csharp/extractor/Semmle.Extraction.CSharp/Entities/PreprocessorDirectives/IPreprocessorDirective.cs
 create mode 100644 csharp/extractor/Semmle.Extraction.CSharp/Entities/PreprocessorDirectives/PragmaWarningDirective.cs
 create mode 100644 csharp/extractor/Semmle.Extraction.CSharp/Populators/DirectiveVisitor.cs
 create mode 100644 csharp/ql/src/semmle/code/csharp/Preprocessor.qll
 create mode 100644 csharp/ql/test/library-tests/comments/PragmaWarnings.expected
 create mode 100644 csharp/ql/test/library-tests/comments/PragmaWarnings.ql

diff --git a/csharp/extractor/Semmle.Extraction.CSharp/Analyser.cs b/csharp/extractor/Semmle.Extraction.CSharp/Analyser.cs
index fb03a6eee92..5aa4f452d92 100644
--- a/csharp/extractor/Semmle.Extraction.CSharp/Analyser.cs
+++ b/csharp/extractor/Semmle.Extraction.CSharp/Analyser.cs
@@ -380,6 +380,7 @@ namespace Semmle.Extraction.CSharp
 
                         var csNode = (CSharpSyntaxNode)root;
                         csNode.Accept(new CompilationUnitVisitor(cx));
+                        csNode.Accept(new DirectiveVisitor(cx));
                         cx.PopulateAll();
                         CommentPopulator.ExtractCommentBlocks(cx, cx.CommentGenerator);
                         cx.PopulateAll();
diff --git a/csharp/extractor/Semmle.Extraction.CSharp/Entities/PreprocessorDirectives/IPreprocessorDirective.cs b/csharp/extractor/Semmle.Extraction.CSharp/Entities/PreprocessorDirectives/IPreprocessorDirective.cs
new file mode 100644
index 00000000000..89d2418258e
--- /dev/null
+++ b/csharp/extractor/Semmle.Extraction.CSharp/Entities/PreprocessorDirectives/IPreprocessorDirective.cs
@@ -0,0 +1,4 @@
+namespace Semmle.Extraction.CSharp.Entities
+{
+    internal interface IPreprocessorDirective { }
+}
diff --git a/csharp/extractor/Semmle.Extraction.CSharp/Entities/PreprocessorDirectives/PragmaWarningDirective.cs b/csharp/extractor/Semmle.Extraction.CSharp/Entities/PreprocessorDirectives/PragmaWarningDirective.cs
new file mode 100644
index 00000000000..a96a49d76d3
--- /dev/null
+++ b/csharp/extractor/Semmle.Extraction.CSharp/Entities/PreprocessorDirectives/PragmaWarningDirective.cs
@@ -0,0 +1,43 @@
+using Microsoft.CodeAnalysis;
+using Microsoft.CodeAnalysis.CSharp;
+using Microsoft.CodeAnalysis.CSharp.Syntax;
+using Semmle.Extraction.Entities;
+using System.IO;
+
+namespace Semmle.Extraction.CSharp.Entities
+{
+    internal class PragmaWarningDirective : FreshEntity, IPreprocessorDirective
+    {
+        private readonly PragmaWarningDirectiveTriviaSyntax trivia;
+
+        public PragmaWarningDirective(Context cx, PragmaWarningDirectiveTriviaSyntax trivia)
+            : base(cx)
+        {
+            this.trivia = trivia;
+            TryPopulate();
+        }
+
+        protected override void Populate(TextWriter trapFile)
+        {
+            trapFile.pragma_warnings(this, trivia.DisableOrRestoreKeyword.IsKind(SyntaxKind.DisableKeyword) ? 0 : 1);
+
+            var childIndex = 0;
+            foreach (var code in trivia.ErrorCodes)
+            {
+                trapFile.pragma_warning_error_codes(this, code.ToString(), childIndex++);
+            }
+
+            trapFile.preprocessor_directive_location(this, cx.Create(ReportingLocation));
+
+            if (!cx.Extractor.Standalone)
+            {
+                var assembly = Assembly.CreateOutputAssembly(cx);
+                trapFile.preprocessor_directive_assembly(this, assembly);
+            }
+        }
+
+        public sealed override Microsoft.CodeAnalysis.Location ReportingLocation => trivia.GetLocation();
+
+        public override TrapStackBehaviour TrapStackBehaviour => TrapStackBehaviour.OptionalLabel;
+    }
+}
diff --git a/csharp/extractor/Semmle.Extraction.CSharp/Populators/DirectiveVisitor.cs b/csharp/extractor/Semmle.Extraction.CSharp/Populators/DirectiveVisitor.cs
new file mode 100644
index 00000000000..a4092e54455
--- /dev/null
+++ b/csharp/extractor/Semmle.Extraction.CSharp/Populators/DirectiveVisitor.cs
@@ -0,0 +1,21 @@
+using Microsoft.CodeAnalysis;
+using Microsoft.CodeAnalysis.CSharp;
+using Microsoft.CodeAnalysis.CSharp.Syntax;
+
+namespace Semmle.Extraction.CSharp.Populators
+{
+    internal class DirectiveVisitor : CSharpSyntaxWalker
+    {
+        private readonly Context cx;
+
+        public DirectiveVisitor(Context cx) : base(SyntaxWalkerDepth.StructuredTrivia)
+        {
+            this.cx = cx;
+        }
+
+        public override void VisitPragmaWarningDirectiveTrivia(PragmaWarningDirectiveTriviaSyntax node)
+        {
+            new Entities.PragmaWarningDirective(cx, node);
+        }
+    }
+}
diff --git a/csharp/extractor/Semmle.Extraction.CSharp/Tuples.cs b/csharp/extractor/Semmle.Extraction.CSharp/Tuples.cs
index 630c2848e3d..8a6e570ff53 100644
--- a/csharp/extractor/Semmle.Extraction.CSharp/Tuples.cs
+++ b/csharp/extractor/Semmle.Extraction.CSharp/Tuples.cs
@@ -590,5 +590,25 @@ namespace Semmle.Extraction.CSharp
         {
             trapFile.WriteTuple("using_static_directives", @using, type);
         }
+
+        internal static void preprocessor_directive_location(this TextWriter trapFile, IPreprocessorDirective directive, Location location)
+        {
+            trapFile.WriteTuple("preprocessor_directive_location", directive, location);
+        }
+
+        internal static void preprocessor_directive_assembly(this TextWriter trapFile, IPreprocessorDirective directive, Assembly assembly)
+        {
+            trapFile.WriteTuple("preprocessor_directive_assembly", directive, assembly);
+        }
+
+        internal static void pragma_warnings(this TextWriter trapFile, PragmaWarningDirective pragma, int kind)
+        {
+            trapFile.WriteTuple("pragma_warnings", pragma, kind);
+        }
+
+        internal static void pragma_warning_error_codes(this TextWriter trapFile, PragmaWarningDirective pragma, string errorCode, int child)
+        {
+            trapFile.WriteTuple("pragma_warning_error_codes", pragma, errorCode, child);
+        }
     }
 }
diff --git a/csharp/ql/src/csharp.qll b/csharp/ql/src/csharp.qll
index 2a44f6e864a..3c821c9a443 100644
--- a/csharp/ql/src/csharp.qll
+++ b/csharp/ql/src/csharp.qll
@@ -19,6 +19,7 @@ import semmle.code.csharp.Type
 import semmle.code.csharp.Using
 import semmle.code.csharp.Variable
 import semmle.code.csharp.XML
+import semmle.code.csharp.Preprocessor
 import semmle.code.csharp.exprs.Access
 import semmle.code.csharp.exprs.ArithmeticOperation
 import semmle.code.csharp.exprs.Assignment
diff --git a/csharp/ql/src/semmle/code/csharp/Preprocessor.qll b/csharp/ql/src/semmle/code/csharp/Preprocessor.qll
new file mode 100644
index 00000000000..d432a0a3588
--- /dev/null
+++ b/csharp/ql/src/semmle/code/csharp/Preprocessor.qll
@@ -0,0 +1,30 @@
+/**
+ * Provides all preprocessor directive classes.
+ */
+
+import Element
+
+class PreprocessorDirective extends Element, @preprocessor_directive {
+  override Location getALocation() { preprocessor_directive_location(this, result) }
+}
+
+/**
+ * A `#pragma warning` directive.
+ */
+class PragmaWarningDirective extends PreprocessorDirective, @pragma_warning {
+  /** Holds if this is a `#pragma warning restore` directive. */
+  predicate restore() { pragma_warnings(this, 1) }
+
+  /** Holds if this is a `#pragma warning disable` directive. */
+  predicate disable() { pragma_warnings(this, 0) }
+
+  /** Holds if this directive specifies error codes. */
+  predicate hasErrorCodes() { exists(string s | pragma_warning_error_codes(this, s, _)) }
+
+  /** Gets a specified error code from this directive. */
+  string getAnErrorCode() { pragma_warning_error_codes(this, result, _) }
+
+  override string toString() { result = "#pragma warning ..." }
+
+  override string getAPrimaryQlClass() { result = "PragmaWarningDirective" }
+}
diff --git a/csharp/ql/src/semmlecode.csharp.dbscheme b/csharp/ql/src/semmlecode.csharp.dbscheme
index efcd69e086a..3812d7ce9db 100644
--- a/csharp/ql/src/semmlecode.csharp.dbscheme
+++ b/csharp/ql/src/semmlecode.csharp.dbscheme
@@ -217,7 +217,7 @@ tokens(
 
 @element = @declaration | @stmt | @expr | @modifier | @attribute | @namespace_declaration
          | @using_directive | @type_parameter_constraints | @external_element
-         | @xmllocatable | @asp_element | @namespace;
+         | @xmllocatable | @asp_element | @namespace | @preprocessor_directive;
 
 @declaration = @callable | @generic | @assignable | @namespace;
 
@@ -331,6 +331,26 @@ using_directive_location(
   unique int id: @using_directive ref,
   int loc: @location ref);
 
+@preprocessor_directive = @pragma_warning;
+
+pragma_warnings(
+  unique int id: @pragma_warning,
+  int kind: int ref /* 0 = disable, 1 = restore */);
+
+#keyset[id, index]
+pragma_warning_error_codes(
+  int id: @pragma_warning ref,
+  string errorCode: string ref,
+  int index: int ref);
+
+preprocessor_directive_location(
+  unique int id: @preprocessor_directive ref,
+  int loc: @location ref);
+
+preprocessor_directive_assembly(
+  unique int id: @preprocessor_directive ref,
+  int loc: @assembly ref);
+
 /** TYPES **/
 
 types(
diff --git a/csharp/ql/test/library-tests/comments/PragmaWarnings.expected b/csharp/ql/test/library-tests/comments/PragmaWarnings.expected
new file mode 100644
index 00000000000..ade1a86da1c
--- /dev/null
+++ b/csharp/ql/test/library-tests/comments/PragmaWarnings.expected
@@ -0,0 +1,7 @@
+disable
+| trivia.cs:12:1:12:35 | #pragma warning ... |
+restore
+| trivia.cs:23:1:23:23 | #pragma warning ... |
+errorCodes
+| trivia.cs:12:1:12:35 | #pragma warning ... | 414 |
+| trivia.cs:12:1:12:35 | #pragma warning ... | CS3021 |
diff --git a/csharp/ql/test/library-tests/comments/PragmaWarnings.ql b/csharp/ql/test/library-tests/comments/PragmaWarnings.ql
new file mode 100644
index 00000000000..15d793b6392
--- /dev/null
+++ b/csharp/ql/test/library-tests/comments/PragmaWarnings.ql
@@ -0,0 +1,9 @@
+import csharp
+
+query predicate disable(PragmaWarningDirective pragma) { pragma.disable() }
+
+query predicate restore(PragmaWarningDirective pragma) { pragma.restore() }
+
+query predicate errorCodes(PragmaWarningDirective pragma, string code) {
+  pragma.hasErrorCodes() and code = pragma.getAnErrorCode()
+}

From 94bf3467b72aa14cc6ca39ad99c3ba92a6c1cf1e Mon Sep 17 00:00:00 2001
From: Tamas Vajk <tamasvajk@github.com>
Date: Tue, 19 Jan 2021 16:59:14 +0100
Subject: [PATCH 111/429] Extract pragma checksum directives

---
 .../IPreprocessorDirective.cs                 |  4 --
 .../PragmaChecksumDirective.cs                | 18 +++++++++
 .../PragmaWarningDirective.cs                 | 23 ++----------
 .../PreprocessorDirective.cs                  | 37 +++++++++++++++++++
 .../Populators/DirectiveVisitor.cs            |  5 +++
 .../Semmle.Extraction.CSharp/Tuples.cs        | 14 ++++++-
 .../src/semmle/code/csharp/Preprocessor.qll   | 18 +++++++++
 csharp/ql/src/semmlecode.csharp.dbscheme      |  8 +++-
 .../comments/PragmaChecksums.expected         |  1 +
 .../library-tests/comments/PragmaChecksums.ql |  4 ++
 10 files changed, 105 insertions(+), 27 deletions(-)
 delete mode 100644 csharp/extractor/Semmle.Extraction.CSharp/Entities/PreprocessorDirectives/IPreprocessorDirective.cs
 create mode 100644 csharp/extractor/Semmle.Extraction.CSharp/Entities/PreprocessorDirectives/PragmaChecksumDirective.cs
 create mode 100644 csharp/extractor/Semmle.Extraction.CSharp/Entities/PreprocessorDirectives/PreprocessorDirective.cs
 create mode 100644 csharp/ql/test/library-tests/comments/PragmaChecksums.expected
 create mode 100644 csharp/ql/test/library-tests/comments/PragmaChecksums.ql

diff --git a/csharp/extractor/Semmle.Extraction.CSharp/Entities/PreprocessorDirectives/IPreprocessorDirective.cs b/csharp/extractor/Semmle.Extraction.CSharp/Entities/PreprocessorDirectives/IPreprocessorDirective.cs
deleted file mode 100644
index 89d2418258e..00000000000
--- a/csharp/extractor/Semmle.Extraction.CSharp/Entities/PreprocessorDirectives/IPreprocessorDirective.cs
+++ /dev/null
@@ -1,4 +0,0 @@
-namespace Semmle.Extraction.CSharp.Entities
-{
-    internal interface IPreprocessorDirective { }
-}
diff --git a/csharp/extractor/Semmle.Extraction.CSharp/Entities/PreprocessorDirectives/PragmaChecksumDirective.cs b/csharp/extractor/Semmle.Extraction.CSharp/Entities/PreprocessorDirectives/PragmaChecksumDirective.cs
new file mode 100644
index 00000000000..9de67176e54
--- /dev/null
+++ b/csharp/extractor/Semmle.Extraction.CSharp/Entities/PreprocessorDirectives/PragmaChecksumDirective.cs
@@ -0,0 +1,18 @@
+using Microsoft.CodeAnalysis.CSharp.Syntax;
+using System.IO;
+
+namespace Semmle.Extraction.CSharp.Entities
+{
+    internal class PragmaChecksumDirective : PreprocessorDirective<PragmaChecksumDirectiveTriviaSyntax>
+    {
+        public PragmaChecksumDirective(Context cx, PragmaChecksumDirectiveTriviaSyntax trivia)
+            : base(cx, trivia)
+        {
+        }
+
+        protected override void PopulatePreprocessor(TextWriter trapFile)
+        {
+            trapFile.pragma_checksums(this, trivia.File.ToString(), trivia.Guid.ToString(), trivia.Bytes.ToString());
+        }
+    }
+}
diff --git a/csharp/extractor/Semmle.Extraction.CSharp/Entities/PreprocessorDirectives/PragmaWarningDirective.cs b/csharp/extractor/Semmle.Extraction.CSharp/Entities/PreprocessorDirectives/PragmaWarningDirective.cs
index a96a49d76d3..4502fa4a87a 100644
--- a/csharp/extractor/Semmle.Extraction.CSharp/Entities/PreprocessorDirectives/PragmaWarningDirective.cs
+++ b/csharp/extractor/Semmle.Extraction.CSharp/Entities/PreprocessorDirectives/PragmaWarningDirective.cs
@@ -1,23 +1,18 @@
 using Microsoft.CodeAnalysis;
 using Microsoft.CodeAnalysis.CSharp;
 using Microsoft.CodeAnalysis.CSharp.Syntax;
-using Semmle.Extraction.Entities;
 using System.IO;
 
 namespace Semmle.Extraction.CSharp.Entities
 {
-    internal class PragmaWarningDirective : FreshEntity, IPreprocessorDirective
+    internal class PragmaWarningDirective : PreprocessorDirective<PragmaWarningDirectiveTriviaSyntax>
     {
-        private readonly PragmaWarningDirectiveTriviaSyntax trivia;
-
         public PragmaWarningDirective(Context cx, PragmaWarningDirectiveTriviaSyntax trivia)
-            : base(cx)
+            : base(cx, trivia)
         {
-            this.trivia = trivia;
-            TryPopulate();
         }
 
-        protected override void Populate(TextWriter trapFile)
+        protected override void PopulatePreprocessor(TextWriter trapFile)
         {
             trapFile.pragma_warnings(this, trivia.DisableOrRestoreKeyword.IsKind(SyntaxKind.DisableKeyword) ? 0 : 1);
 
@@ -26,18 +21,6 @@ namespace Semmle.Extraction.CSharp.Entities
             {
                 trapFile.pragma_warning_error_codes(this, code.ToString(), childIndex++);
             }
-
-            trapFile.preprocessor_directive_location(this, cx.Create(ReportingLocation));
-
-            if (!cx.Extractor.Standalone)
-            {
-                var assembly = Assembly.CreateOutputAssembly(cx);
-                trapFile.preprocessor_directive_assembly(this, assembly);
-            }
         }
-
-        public sealed override Microsoft.CodeAnalysis.Location ReportingLocation => trivia.GetLocation();
-
-        public override TrapStackBehaviour TrapStackBehaviour => TrapStackBehaviour.OptionalLabel;
     }
 }
diff --git a/csharp/extractor/Semmle.Extraction.CSharp/Entities/PreprocessorDirectives/PreprocessorDirective.cs b/csharp/extractor/Semmle.Extraction.CSharp/Entities/PreprocessorDirectives/PreprocessorDirective.cs
new file mode 100644
index 00000000000..e19ffe43549
--- /dev/null
+++ b/csharp/extractor/Semmle.Extraction.CSharp/Entities/PreprocessorDirectives/PreprocessorDirective.cs
@@ -0,0 +1,37 @@
+using Microsoft.CodeAnalysis.CSharp.Syntax;
+using Semmle.Extraction.Entities;
+using System.IO;
+
+namespace Semmle.Extraction.CSharp.Entities
+{
+    internal abstract class PreprocessorDirective<TDirective> : FreshEntity where TDirective : DirectiveTriviaSyntax
+    {
+        protected readonly TDirective trivia;
+
+        protected PreprocessorDirective(Context cx, TDirective trivia)
+            : base(cx)
+        {
+            this.trivia = trivia;
+            TryPopulate();
+        }
+
+        protected sealed override void Populate(TextWriter trapFile)
+        {
+            PopulatePreprocessor(trapFile);
+
+            trapFile.preprocessor_directive_location(this, cx.Create(ReportingLocation));
+
+            if (!cx.Extractor.Standalone)
+            {
+                var assembly = Assembly.CreateOutputAssembly(cx);
+                trapFile.preprocessor_directive_assembly(this, assembly);
+            }
+        }
+
+        protected abstract void PopulatePreprocessor(TextWriter trapFile);
+
+        public sealed override Microsoft.CodeAnalysis.Location ReportingLocation => trivia.GetLocation();
+
+        public override TrapStackBehaviour TrapStackBehaviour => TrapStackBehaviour.OptionalLabel;
+    }
+}
diff --git a/csharp/extractor/Semmle.Extraction.CSharp/Populators/DirectiveVisitor.cs b/csharp/extractor/Semmle.Extraction.CSharp/Populators/DirectiveVisitor.cs
index a4092e54455..c1d23ca5f0b 100644
--- a/csharp/extractor/Semmle.Extraction.CSharp/Populators/DirectiveVisitor.cs
+++ b/csharp/extractor/Semmle.Extraction.CSharp/Populators/DirectiveVisitor.cs
@@ -17,5 +17,10 @@ namespace Semmle.Extraction.CSharp.Populators
         {
             new Entities.PragmaWarningDirective(cx, node);
         }
+
+        public override void VisitPragmaChecksumDirectiveTrivia(PragmaChecksumDirectiveTriviaSyntax node)
+        {
+            new Entities.PragmaChecksumDirective(cx, node);
+        }
     }
 }
diff --git a/csharp/extractor/Semmle.Extraction.CSharp/Tuples.cs b/csharp/extractor/Semmle.Extraction.CSharp/Tuples.cs
index 8a6e570ff53..55060767806 100644
--- a/csharp/extractor/Semmle.Extraction.CSharp/Tuples.cs
+++ b/csharp/extractor/Semmle.Extraction.CSharp/Tuples.cs
@@ -1,3 +1,4 @@
+using Microsoft.CodeAnalysis.CSharp.Syntax;
 using Semmle.Extraction.CommentProcessing;
 using Semmle.Extraction.CSharp.Entities;
 using Semmle.Extraction.Entities;
@@ -591,12 +592,16 @@ namespace Semmle.Extraction.CSharp
             trapFile.WriteTuple("using_static_directives", @using, type);
         }
 
-        internal static void preprocessor_directive_location(this TextWriter trapFile, IPreprocessorDirective directive, Location location)
+        internal static void preprocessor_directive_location<TDirective>(this TextWriter trapFile,
+            PreprocessorDirective<TDirective> directive, Location location)
+            where TDirective : DirectiveTriviaSyntax
         {
             trapFile.WriteTuple("preprocessor_directive_location", directive, location);
         }
 
-        internal static void preprocessor_directive_assembly(this TextWriter trapFile, IPreprocessorDirective directive, Assembly assembly)
+        internal static void preprocessor_directive_assembly<TDirective>(this TextWriter trapFile,
+            PreprocessorDirective<TDirective> directive, Assembly assembly)
+            where TDirective : DirectiveTriviaSyntax
         {
             trapFile.WriteTuple("preprocessor_directive_assembly", directive, assembly);
         }
@@ -610,5 +615,10 @@ namespace Semmle.Extraction.CSharp
         {
             trapFile.WriteTuple("pragma_warning_error_codes", pragma, errorCode, child);
         }
+
+        internal static void pragma_checksums(this TextWriter trapFile, PragmaChecksumDirective pragma, string file, string guid, string bytes)
+        {
+            trapFile.WriteTuple("pragma_checksums", pragma, file, guid, bytes);
+        }
     }
 }
diff --git a/csharp/ql/src/semmle/code/csharp/Preprocessor.qll b/csharp/ql/src/semmle/code/csharp/Preprocessor.qll
index d432a0a3588..46e806aface 100644
--- a/csharp/ql/src/semmle/code/csharp/Preprocessor.qll
+++ b/csharp/ql/src/semmle/code/csharp/Preprocessor.qll
@@ -28,3 +28,21 @@ class PragmaWarningDirective extends PreprocessorDirective, @pragma_warning {
 
   override string getAPrimaryQlClass() { result = "PragmaWarningDirective" }
 }
+
+/**
+ * A `#pragma checksum` directive.
+ */
+class PragmaChecksumDirective extends PreprocessorDirective, @pragma_checksum {
+  /** Gets the file name of this directive. */
+  string getFileName() { pragma_checksums(this, result, _, _) }
+
+  /** Gets the GUID of this directive. */
+  string getGuid() { pragma_checksums(this, _, result, _) }
+
+  /** Gets the checksum bytes of this directive. */
+  string getBytes() { pragma_checksums(this, _, _, result) }
+
+  override string toString() { result = "#pragma checksum ..." }
+
+  override string getAPrimaryQlClass() { result = "PragmaChecksumDirective" }
+}
diff --git a/csharp/ql/src/semmlecode.csharp.dbscheme b/csharp/ql/src/semmlecode.csharp.dbscheme
index 3812d7ce9db..5530f36c85e 100644
--- a/csharp/ql/src/semmlecode.csharp.dbscheme
+++ b/csharp/ql/src/semmlecode.csharp.dbscheme
@@ -331,7 +331,13 @@ using_directive_location(
   unique int id: @using_directive ref,
   int loc: @location ref);
 
-@preprocessor_directive = @pragma_warning;
+@preprocessor_directive = @pragma_warning | @pragma_checksum;
+
+pragma_checksums(
+  unique int id: @pragma_checksum,
+  string file: string ref,
+  string guid: string ref,
+  string bytes: string ref);
 
 pragma_warnings(
   unique int id: @pragma_warning,
diff --git a/csharp/ql/test/library-tests/comments/PragmaChecksums.expected b/csharp/ql/test/library-tests/comments/PragmaChecksums.expected
new file mode 100644
index 00000000000..185e834cbdf
--- /dev/null
+++ b/csharp/ql/test/library-tests/comments/PragmaChecksums.expected
@@ -0,0 +1 @@
+| trivia.cs:13:1:13:98 | #pragma checksum ... | "file.cs" | "{406EA660-64CF-4C82-B6F0-42D48172A799}" | "ab007f1d23d9" |
diff --git a/csharp/ql/test/library-tests/comments/PragmaChecksums.ql b/csharp/ql/test/library-tests/comments/PragmaChecksums.ql
new file mode 100644
index 00000000000..7d3f10ab3b5
--- /dev/null
+++ b/csharp/ql/test/library-tests/comments/PragmaChecksums.ql
@@ -0,0 +1,4 @@
+import csharp
+
+from PragmaChecksumDirective p
+select p, p.getFileName(), p.getGuid(), p.getBytes()

From 9b405144ffb9949f99a3df121e1c888beb16d0a1 Mon Sep 17 00:00:00 2001
From: Tamas Vajk <tamasvajk@github.com>
Date: Tue, 19 Jan 2021 17:15:14 +0100
Subject: [PATCH 112/429] Extract define directives

---
 .../PreprocessorDirectives/DefineDirective.cs  | 18 ++++++++++++++++++
 .../Populators/DirectiveVisitor.cs             |  5 +++++
 .../Semmle.Extraction.CSharp/Tuples.cs         |  5 +++++
 .../ql/src/semmle/code/csharp/Preprocessor.qll | 12 ++++++++++++
 csharp/ql/src/semmlecode.csharp.dbscheme       |  6 +++++-
 .../comments/DefineDirectives.expected         |  1 +
 .../library-tests/comments/DefineDirectives.ql |  4 ++++
 7 files changed, 50 insertions(+), 1 deletion(-)
 create mode 100644 csharp/extractor/Semmle.Extraction.CSharp/Entities/PreprocessorDirectives/DefineDirective.cs
 create mode 100644 csharp/ql/test/library-tests/comments/DefineDirectives.expected
 create mode 100644 csharp/ql/test/library-tests/comments/DefineDirectives.ql

diff --git a/csharp/extractor/Semmle.Extraction.CSharp/Entities/PreprocessorDirectives/DefineDirective.cs b/csharp/extractor/Semmle.Extraction.CSharp/Entities/PreprocessorDirectives/DefineDirective.cs
new file mode 100644
index 00000000000..2ca967a4864
--- /dev/null
+++ b/csharp/extractor/Semmle.Extraction.CSharp/Entities/PreprocessorDirectives/DefineDirective.cs
@@ -0,0 +1,18 @@
+using Microsoft.CodeAnalysis.CSharp.Syntax;
+using System.IO;
+
+namespace Semmle.Extraction.CSharp.Entities
+{
+    internal class DefineDirective : PreprocessorDirective<DefineDirectiveTriviaSyntax>
+    {
+        public DefineDirective(Context cx, DefineDirectiveTriviaSyntax trivia)
+            : base(cx, trivia)
+        {
+        }
+
+        protected override void PopulatePreprocessor(TextWriter trapFile)
+        {
+            trapFile.directive_defines(this, trivia.Name.ToString());
+        }
+    }
+}
diff --git a/csharp/extractor/Semmle.Extraction.CSharp/Populators/DirectiveVisitor.cs b/csharp/extractor/Semmle.Extraction.CSharp/Populators/DirectiveVisitor.cs
index c1d23ca5f0b..69222935483 100644
--- a/csharp/extractor/Semmle.Extraction.CSharp/Populators/DirectiveVisitor.cs
+++ b/csharp/extractor/Semmle.Extraction.CSharp/Populators/DirectiveVisitor.cs
@@ -22,5 +22,10 @@ namespace Semmle.Extraction.CSharp.Populators
         {
             new Entities.PragmaChecksumDirective(cx, node);
         }
+
+        public override void VisitDefineDirectiveTrivia(DefineDirectiveTriviaSyntax node)
+        {
+            new Entities.DefineDirective(cx, node);
+        }
     }
 }
diff --git a/csharp/extractor/Semmle.Extraction.CSharp/Tuples.cs b/csharp/extractor/Semmle.Extraction.CSharp/Tuples.cs
index 55060767806..9e14c8d32d2 100644
--- a/csharp/extractor/Semmle.Extraction.CSharp/Tuples.cs
+++ b/csharp/extractor/Semmle.Extraction.CSharp/Tuples.cs
@@ -620,5 +620,10 @@ namespace Semmle.Extraction.CSharp
         {
             trapFile.WriteTuple("pragma_checksums", pragma, file, guid, bytes);
         }
+
+        internal static void directive_defines(this TextWriter trapFile, DefineDirective directive, string name)
+        {
+            trapFile.WriteTuple("directive_defines", directive, name);
+        }
     }
 }
diff --git a/csharp/ql/src/semmle/code/csharp/Preprocessor.qll b/csharp/ql/src/semmle/code/csharp/Preprocessor.qll
index 46e806aface..a5281da2241 100644
--- a/csharp/ql/src/semmle/code/csharp/Preprocessor.qll
+++ b/csharp/ql/src/semmle/code/csharp/Preprocessor.qll
@@ -46,3 +46,15 @@ class PragmaChecksumDirective extends PreprocessorDirective, @pragma_checksum {
 
   override string getAPrimaryQlClass() { result = "PragmaChecksumDirective" }
 }
+
+/**
+ * An `#define` directive.
+ */
+class DefineDirective extends PreprocessorDirective, @directive_define {
+  /** Gets the name of the preprocessor symbol that is being set by this directive. */
+  string getName() { directive_defines(this, result) }
+
+  override string toString() { result = "#define ..." }
+
+  override string getAPrimaryQlClass() { result = "DefineDirective" }
+}
diff --git a/csharp/ql/src/semmlecode.csharp.dbscheme b/csharp/ql/src/semmlecode.csharp.dbscheme
index 5530f36c85e..05e53c0042d 100644
--- a/csharp/ql/src/semmlecode.csharp.dbscheme
+++ b/csharp/ql/src/semmlecode.csharp.dbscheme
@@ -331,7 +331,11 @@ using_directive_location(
   unique int id: @using_directive ref,
   int loc: @location ref);
 
-@preprocessor_directive = @pragma_warning | @pragma_checksum;
+@preprocessor_directive = @pragma_warning | @pragma_checksum | @directive_define;
+
+directive_defines(
+  unique int id: @directive_define,
+  string name: string ref);
 
 pragma_checksums(
   unique int id: @pragma_checksum,
diff --git a/csharp/ql/test/library-tests/comments/DefineDirectives.expected b/csharp/ql/test/library-tests/comments/DefineDirectives.expected
new file mode 100644
index 00000000000..e58b3859d58
--- /dev/null
+++ b/csharp/ql/test/library-tests/comments/DefineDirectives.expected
@@ -0,0 +1 @@
+| trivia.cs:4:1:4:13 | #define ... | DEBUG |
diff --git a/csharp/ql/test/library-tests/comments/DefineDirectives.ql b/csharp/ql/test/library-tests/comments/DefineDirectives.ql
new file mode 100644
index 00000000000..a27b18f9fbe
--- /dev/null
+++ b/csharp/ql/test/library-tests/comments/DefineDirectives.ql
@@ -0,0 +1,4 @@
+import csharp
+
+from DefineDirective d
+select d, d.getName()

From 3740aba4a800b2a96d84ee90600902b31d85d969 Mon Sep 17 00:00:00 2001
From: Tamas Vajk <tamasvajk@github.com>
Date: Tue, 19 Jan 2021 17:22:51 +0100
Subject: [PATCH 113/429] Extract undef directives

---
 .../UndefineDirective.cs                       | 18 ++++++++++++++++++
 .../Populators/DirectiveVisitor.cs             |  5 +++++
 .../Semmle.Extraction.CSharp/Tuples.cs         |  5 +++++
 .../ql/src/semmle/code/csharp/Preprocessor.qll | 12 ++++++++++++
 csharp/ql/src/semmlecode.csharp.dbscheme       |  6 +++++-
 .../comments/UndefineDirectives.expected       |  1 +
 .../comments/UndefineDirectives.ql             |  4 ++++
 7 files changed, 50 insertions(+), 1 deletion(-)
 create mode 100644 csharp/extractor/Semmle.Extraction.CSharp/Entities/PreprocessorDirectives/UndefineDirective.cs
 create mode 100644 csharp/ql/test/library-tests/comments/UndefineDirectives.expected
 create mode 100644 csharp/ql/test/library-tests/comments/UndefineDirectives.ql

diff --git a/csharp/extractor/Semmle.Extraction.CSharp/Entities/PreprocessorDirectives/UndefineDirective.cs b/csharp/extractor/Semmle.Extraction.CSharp/Entities/PreprocessorDirectives/UndefineDirective.cs
new file mode 100644
index 00000000000..d4b976d50c0
--- /dev/null
+++ b/csharp/extractor/Semmle.Extraction.CSharp/Entities/PreprocessorDirectives/UndefineDirective.cs
@@ -0,0 +1,18 @@
+using Microsoft.CodeAnalysis.CSharp.Syntax;
+using System.IO;
+
+namespace Semmle.Extraction.CSharp.Entities
+{
+    internal class UndefineDirective : PreprocessorDirective<UndefDirectiveTriviaSyntax>
+    {
+        public UndefineDirective(Context cx, UndefDirectiveTriviaSyntax trivia)
+            : base(cx, trivia)
+        {
+        }
+
+        protected override void PopulatePreprocessor(TextWriter trapFile)
+        {
+            trapFile.directive_undefines(this, trivia.Name.ToString());
+        }
+    }
+}
diff --git a/csharp/extractor/Semmle.Extraction.CSharp/Populators/DirectiveVisitor.cs b/csharp/extractor/Semmle.Extraction.CSharp/Populators/DirectiveVisitor.cs
index 69222935483..07fd08965e0 100644
--- a/csharp/extractor/Semmle.Extraction.CSharp/Populators/DirectiveVisitor.cs
+++ b/csharp/extractor/Semmle.Extraction.CSharp/Populators/DirectiveVisitor.cs
@@ -27,5 +27,10 @@ namespace Semmle.Extraction.CSharp.Populators
         {
             new Entities.DefineDirective(cx, node);
         }
+
+        public override void VisitUndefDirectiveTrivia(UndefDirectiveTriviaSyntax node)
+        {
+            new Entities.UndefineDirective(cx, node);
+        }
     }
 }
diff --git a/csharp/extractor/Semmle.Extraction.CSharp/Tuples.cs b/csharp/extractor/Semmle.Extraction.CSharp/Tuples.cs
index 9e14c8d32d2..b55ef23b6f4 100644
--- a/csharp/extractor/Semmle.Extraction.CSharp/Tuples.cs
+++ b/csharp/extractor/Semmle.Extraction.CSharp/Tuples.cs
@@ -625,5 +625,10 @@ namespace Semmle.Extraction.CSharp
         {
             trapFile.WriteTuple("directive_defines", directive, name);
         }
+
+        internal static void directive_undefines(this TextWriter trapFile, UndefineDirective directive, string name)
+        {
+            trapFile.WriteTuple("directive_undefines", directive, name);
+        }
     }
 }
diff --git a/csharp/ql/src/semmle/code/csharp/Preprocessor.qll b/csharp/ql/src/semmle/code/csharp/Preprocessor.qll
index a5281da2241..174349e57d4 100644
--- a/csharp/ql/src/semmle/code/csharp/Preprocessor.qll
+++ b/csharp/ql/src/semmle/code/csharp/Preprocessor.qll
@@ -58,3 +58,15 @@ class DefineDirective extends PreprocessorDirective, @directive_define {
 
   override string getAPrimaryQlClass() { result = "DefineDirective" }
 }
+
+/**
+ * An `#undef` directive.
+ */
+class UndefineDirective extends PreprocessorDirective, @directive_undefine {
+  /** Gets the name of the preprocessor symbol that is being unset by this directive. */
+  string getName() { directive_undefines(this, result) }
+
+  override string toString() { result = "#undef ..." }
+
+  override string getAPrimaryQlClass() { result = "UndefineDirective" }
+}
diff --git a/csharp/ql/src/semmlecode.csharp.dbscheme b/csharp/ql/src/semmlecode.csharp.dbscheme
index 05e53c0042d..a026ea3d661 100644
--- a/csharp/ql/src/semmlecode.csharp.dbscheme
+++ b/csharp/ql/src/semmlecode.csharp.dbscheme
@@ -331,7 +331,11 @@ using_directive_location(
   unique int id: @using_directive ref,
   int loc: @location ref);
 
-@preprocessor_directive = @pragma_warning | @pragma_checksum | @directive_define;
+@preprocessor_directive = @pragma_warning | @pragma_checksum | @directive_define | @directive_undefine;
+
+directive_undefines(
+  unique int id: @directive_undefine,
+  string name: string ref);
 
 directive_defines(
   unique int id: @directive_define,
diff --git a/csharp/ql/test/library-tests/comments/UndefineDirectives.expected b/csharp/ql/test/library-tests/comments/UndefineDirectives.expected
new file mode 100644
index 00000000000..016d2623f7d
--- /dev/null
+++ b/csharp/ql/test/library-tests/comments/UndefineDirectives.expected
@@ -0,0 +1 @@
+| trivia.cs:6:1:6:12 | #undef ... | DEBUG |
diff --git a/csharp/ql/test/library-tests/comments/UndefineDirectives.ql b/csharp/ql/test/library-tests/comments/UndefineDirectives.ql
new file mode 100644
index 00000000000..72e992f9373
--- /dev/null
+++ b/csharp/ql/test/library-tests/comments/UndefineDirectives.ql
@@ -0,0 +1,4 @@
+import csharp
+
+from UndefineDirective d
+select d, d.getName()

From 15c611e22f80aa4926158fc57ab6b0720e66d1cc Mon Sep 17 00:00:00 2001
From: Tamas Vajk <tamasvajk@github.com>
Date: Wed, 20 Jan 2021 08:55:41 +0100
Subject: [PATCH 114/429] Extract warning and error directives

---
 .../PreprocessorDirectives/ErrorDirective.cs  | 18 ++++++++++++++
 .../WarningDirective.cs                       | 18 ++++++++++++++
 .../Populators/DirectiveVisitor.cs            | 10 ++++++++
 .../Semmle.Extraction.CSharp/Tuples.cs        | 10 ++++++++
 .../src/semmle/code/csharp/Preprocessor.qll   | 24 +++++++++++++++++++
 csharp/ql/src/semmlecode.csharp.dbscheme      | 11 ++++++++-
 .../comments/ErrorDirectives.expected         |  1 +
 .../library-tests/comments/ErrorDirectives.ql |  4 ++++
 .../comments/WarningDirectives.expected       |  1 +
 .../comments/WarningDirectives.ql             |  4 ++++
 10 files changed, 100 insertions(+), 1 deletion(-)
 create mode 100644 csharp/extractor/Semmle.Extraction.CSharp/Entities/PreprocessorDirectives/ErrorDirective.cs
 create mode 100644 csharp/extractor/Semmle.Extraction.CSharp/Entities/PreprocessorDirectives/WarningDirective.cs
 create mode 100644 csharp/ql/test/library-tests/comments/ErrorDirectives.expected
 create mode 100644 csharp/ql/test/library-tests/comments/ErrorDirectives.ql
 create mode 100644 csharp/ql/test/library-tests/comments/WarningDirectives.expected
 create mode 100644 csharp/ql/test/library-tests/comments/WarningDirectives.ql

diff --git a/csharp/extractor/Semmle.Extraction.CSharp/Entities/PreprocessorDirectives/ErrorDirective.cs b/csharp/extractor/Semmle.Extraction.CSharp/Entities/PreprocessorDirectives/ErrorDirective.cs
new file mode 100644
index 00000000000..2917d077839
--- /dev/null
+++ b/csharp/extractor/Semmle.Extraction.CSharp/Entities/PreprocessorDirectives/ErrorDirective.cs
@@ -0,0 +1,18 @@
+using Microsoft.CodeAnalysis.CSharp.Syntax;
+using System.IO;
+
+namespace Semmle.Extraction.CSharp.Entities
+{
+    internal class ErrorDirective : PreprocessorDirective<ErrorDirectiveTriviaSyntax>
+    {
+        public ErrorDirective(Context cx, ErrorDirectiveTriviaSyntax trivia)
+            : base(cx, trivia)
+        {
+        }
+
+        protected override void PopulatePreprocessor(TextWriter trapFile)
+        {
+            trapFile.directive_errors(this, trivia.EndOfDirectiveToken.LeadingTrivia.ToString());
+        }
+    }
+}
diff --git a/csharp/extractor/Semmle.Extraction.CSharp/Entities/PreprocessorDirectives/WarningDirective.cs b/csharp/extractor/Semmle.Extraction.CSharp/Entities/PreprocessorDirectives/WarningDirective.cs
new file mode 100644
index 00000000000..1511be8d28c
--- /dev/null
+++ b/csharp/extractor/Semmle.Extraction.CSharp/Entities/PreprocessorDirectives/WarningDirective.cs
@@ -0,0 +1,18 @@
+using Microsoft.CodeAnalysis.CSharp.Syntax;
+using System.IO;
+
+namespace Semmle.Extraction.CSharp.Entities
+{
+    internal class WarningDirective : PreprocessorDirective<WarningDirectiveTriviaSyntax>
+    {
+        public WarningDirective(Context cx, WarningDirectiveTriviaSyntax trivia)
+            : base(cx, trivia)
+        {
+        }
+
+        protected override void PopulatePreprocessor(TextWriter trapFile)
+        {
+            trapFile.directive_warnings(this, trivia.EndOfDirectiveToken.LeadingTrivia.ToString());
+        }
+    }
+}
diff --git a/csharp/extractor/Semmle.Extraction.CSharp/Populators/DirectiveVisitor.cs b/csharp/extractor/Semmle.Extraction.CSharp/Populators/DirectiveVisitor.cs
index 07fd08965e0..7bafdac71b4 100644
--- a/csharp/extractor/Semmle.Extraction.CSharp/Populators/DirectiveVisitor.cs
+++ b/csharp/extractor/Semmle.Extraction.CSharp/Populators/DirectiveVisitor.cs
@@ -32,5 +32,15 @@ namespace Semmle.Extraction.CSharp.Populators
         {
             new Entities.UndefineDirective(cx, node);
         }
+
+        public override void VisitWarningDirectiveTrivia(WarningDirectiveTriviaSyntax node)
+        {
+            new Entities.WarningDirective(cx, node);
+        }
+
+        public override void VisitErrorDirectiveTrivia(ErrorDirectiveTriviaSyntax node)
+        {
+            new Entities.ErrorDirective(cx, node);
+        }
     }
 }
diff --git a/csharp/extractor/Semmle.Extraction.CSharp/Tuples.cs b/csharp/extractor/Semmle.Extraction.CSharp/Tuples.cs
index b55ef23b6f4..bcdacb8c3c1 100644
--- a/csharp/extractor/Semmle.Extraction.CSharp/Tuples.cs
+++ b/csharp/extractor/Semmle.Extraction.CSharp/Tuples.cs
@@ -630,5 +630,15 @@ namespace Semmle.Extraction.CSharp
         {
             trapFile.WriteTuple("directive_undefines", directive, name);
         }
+
+        internal static void directive_warnings(this TextWriter trapFile, WarningDirective directive, string message)
+        {
+            trapFile.WriteTuple("directive_warnings", directive, message);
+        }
+
+        internal static void directive_errors(this TextWriter trapFile, ErrorDirective directive, string message)
+        {
+            trapFile.WriteTuple("directive_errors", directive, message);
+        }
     }
 }
diff --git a/csharp/ql/src/semmle/code/csharp/Preprocessor.qll b/csharp/ql/src/semmle/code/csharp/Preprocessor.qll
index 174349e57d4..39dce043013 100644
--- a/csharp/ql/src/semmle/code/csharp/Preprocessor.qll
+++ b/csharp/ql/src/semmle/code/csharp/Preprocessor.qll
@@ -70,3 +70,27 @@ class UndefineDirective extends PreprocessorDirective, @directive_undefine {
 
   override string getAPrimaryQlClass() { result = "UndefineDirective" }
 }
+
+/**
+ * A `#warning` directive.
+ */
+class WarningDirective extends PreprocessorDirective, @directive_warning {
+  /** Gets the text of the warning. */
+  string getMessage() { directive_warnings(this, result) }
+
+  override string toString() { result = "#warning ..." }
+
+  override string getAPrimaryQlClass() { result = "WarningDirective" }
+}
+
+/**
+ * An `#error` directive.
+ */
+class ErrorDirective extends PreprocessorDirective, @directive_error {
+  /** Gets the text of the error. */
+  string getMessage() { directive_errors(this, result) }
+
+  override string toString() { result = "#error ..." }
+
+  override string getAPrimaryQlClass() { result = "ErrorDirective" }
+}
diff --git a/csharp/ql/src/semmlecode.csharp.dbscheme b/csharp/ql/src/semmlecode.csharp.dbscheme
index a026ea3d661..b05630b6e9a 100644
--- a/csharp/ql/src/semmlecode.csharp.dbscheme
+++ b/csharp/ql/src/semmlecode.csharp.dbscheme
@@ -331,7 +331,16 @@ using_directive_location(
   unique int id: @using_directive ref,
   int loc: @location ref);
 
-@preprocessor_directive = @pragma_warning | @pragma_checksum | @directive_define | @directive_undefine;
+@preprocessor_directive = @pragma_warning | @pragma_checksum | @directive_define | @directive_undefine | @directive_warning
+  | @directive_error;
+
+directive_warnings(
+  unique int id: @directive_warning,
+  string message: string ref);
+
+directive_errors(
+  unique int id: @directive_error,
+  string message: string ref);
 
 directive_undefines(
   unique int id: @directive_undefine,
diff --git a/csharp/ql/test/library-tests/comments/ErrorDirectives.expected b/csharp/ql/test/library-tests/comments/ErrorDirectives.expected
new file mode 100644
index 00000000000..656b501c904
--- /dev/null
+++ b/csharp/ql/test/library-tests/comments/ErrorDirectives.expected
@@ -0,0 +1 @@
+| trivia.cs:72:1:72:41 | #error ... | NOTDEBUG is defined or TEST is not |
diff --git a/csharp/ql/test/library-tests/comments/ErrorDirectives.ql b/csharp/ql/test/library-tests/comments/ErrorDirectives.ql
new file mode 100644
index 00000000000..dbfbb986a4c
--- /dev/null
+++ b/csharp/ql/test/library-tests/comments/ErrorDirectives.ql
@@ -0,0 +1,4 @@
+import csharp
+
+from ErrorDirective d
+select d, d.getMessage()
diff --git a/csharp/ql/test/library-tests/comments/WarningDirectives.expected b/csharp/ql/test/library-tests/comments/WarningDirectives.expected
new file mode 100644
index 00000000000..105119a8127
--- /dev/null
+++ b/csharp/ql/test/library-tests/comments/WarningDirectives.expected
@@ -0,0 +1 @@
+| trivia.cs:66:1:66:25 | #warning ... | DEBUG is defined |
diff --git a/csharp/ql/test/library-tests/comments/WarningDirectives.ql b/csharp/ql/test/library-tests/comments/WarningDirectives.ql
new file mode 100644
index 00000000000..0b1dedf1d77
--- /dev/null
+++ b/csharp/ql/test/library-tests/comments/WarningDirectives.ql
@@ -0,0 +1,4 @@
+import csharp
+
+from WarningDirective d
+select d, d.getMessage()

From 4bb8b6c9924cbe9767818acc7302cfb718999766 Mon Sep 17 00:00:00 2001
From: Tamas Vajk <tamasvajk@github.com>
Date: Wed, 20 Jan 2021 09:34:18 +0100
Subject: [PATCH 115/429] Extract nullable directives

---
 .../NullableDirective.cs                      | 35 ++++++++++++++
 .../Populators/DirectiveVisitor.cs            |  5 ++
 .../Semmle.Extraction.CSharp/Tuples.cs        |  5 ++
 .../src/semmle/code/csharp/Preprocessor.qll   | 46 +++++++++++++++++++
 csharp/ql/src/semmlecode.csharp.dbscheme      |  7 ++-
 .../comments/NullableDirectives.expected      | 21 +++++++++
 .../comments/NullableDirectives.ql            | 11 +++++
 7 files changed, 129 insertions(+), 1 deletion(-)
 create mode 100644 csharp/extractor/Semmle.Extraction.CSharp/Entities/PreprocessorDirectives/NullableDirective.cs
 create mode 100644 csharp/ql/test/library-tests/comments/NullableDirectives.expected
 create mode 100644 csharp/ql/test/library-tests/comments/NullableDirectives.ql

diff --git a/csharp/extractor/Semmle.Extraction.CSharp/Entities/PreprocessorDirectives/NullableDirective.cs b/csharp/extractor/Semmle.Extraction.CSharp/Entities/PreprocessorDirectives/NullableDirective.cs
new file mode 100644
index 00000000000..e6bb4e79fed
--- /dev/null
+++ b/csharp/extractor/Semmle.Extraction.CSharp/Entities/PreprocessorDirectives/NullableDirective.cs
@@ -0,0 +1,35 @@
+using Microsoft.CodeAnalysis.CSharp;
+using Microsoft.CodeAnalysis.CSharp.Syntax;
+using System.IO;
+
+namespace Semmle.Extraction.CSharp.Entities
+{
+    internal class NullableDirective : PreprocessorDirective<NullableDirectiveTriviaSyntax>
+    {
+        public NullableDirective(Context cx, NullableDirectiveTriviaSyntax trivia)
+            : base(cx, trivia)
+        {
+        }
+
+        protected override void PopulatePreprocessor(TextWriter trapFile)
+        {
+            var setting = trivia.SettingToken.Kind() switch
+            {
+                SyntaxKind.DisableKeyword => 0,
+                SyntaxKind.EnableKeyword => 1,
+                SyntaxKind.RestoreKeyword => 2,
+                _ => throw new InternalError(trivia, "Unhandled setting token kind")
+            };
+
+            var target = trivia.TargetToken.Kind() switch
+            {
+                SyntaxKind.None => 0,
+                SyntaxKind.AnnotationsKeyword => 1,
+                SyntaxKind.WarningsKeyword => 2,
+                _ => throw new InternalError(trivia, "Unhandled target token kind")
+            };
+
+            trapFile.directive_nullables(this, setting, target);
+        }
+    }
+}
diff --git a/csharp/extractor/Semmle.Extraction.CSharp/Populators/DirectiveVisitor.cs b/csharp/extractor/Semmle.Extraction.CSharp/Populators/DirectiveVisitor.cs
index 7bafdac71b4..d16b4ca041b 100644
--- a/csharp/extractor/Semmle.Extraction.CSharp/Populators/DirectiveVisitor.cs
+++ b/csharp/extractor/Semmle.Extraction.CSharp/Populators/DirectiveVisitor.cs
@@ -42,5 +42,10 @@ namespace Semmle.Extraction.CSharp.Populators
         {
             new Entities.ErrorDirective(cx, node);
         }
+
+        public override void VisitNullableDirectiveTrivia(NullableDirectiveTriviaSyntax node)
+        {
+            new Entities.NullableDirective(cx, node);
+        }
     }
 }
diff --git a/csharp/extractor/Semmle.Extraction.CSharp/Tuples.cs b/csharp/extractor/Semmle.Extraction.CSharp/Tuples.cs
index bcdacb8c3c1..4b834d42ae1 100644
--- a/csharp/extractor/Semmle.Extraction.CSharp/Tuples.cs
+++ b/csharp/extractor/Semmle.Extraction.CSharp/Tuples.cs
@@ -640,5 +640,10 @@ namespace Semmle.Extraction.CSharp
         {
             trapFile.WriteTuple("directive_errors", directive, message);
         }
+
+        internal static void directive_nullables(this TextWriter trapFile, NullableDirective directive, int setting, int target)
+        {
+            trapFile.WriteTuple("directive_nullables", directive, setting, target);
+        }
     }
 }
diff --git a/csharp/ql/src/semmle/code/csharp/Preprocessor.qll b/csharp/ql/src/semmle/code/csharp/Preprocessor.qll
index 39dce043013..8996756d069 100644
--- a/csharp/ql/src/semmle/code/csharp/Preprocessor.qll
+++ b/csharp/ql/src/semmle/code/csharp/Preprocessor.qll
@@ -94,3 +94,49 @@ class ErrorDirective extends PreprocessorDirective, @directive_error {
 
   override string getAPrimaryQlClass() { result = "ErrorDirective" }
 }
+
+/**
+ * A `#nullable` directive.
+ */
+class NullableDirective extends PreprocessorDirective, @directive_nullable {
+  /** Holds if this is a `#nullable disable` directive. */
+  predicate disable() { directive_nullables(this, 0, _) }
+
+  /** Holds if this is a `#nullable enable` directive. */
+  predicate enable() { directive_nullables(this, 1, _) }
+
+  /** Holds if this is a `#nullable restore` directive. */
+  predicate restore() { directive_nullables(this, 2, _) }
+
+  /** Holds if this directive targets all nullable contexts. */
+  predicate targetsAll() { directive_nullables(this, _, 0) }
+
+  /** Holds if this directive targets nullable annotation context. */
+  predicate targetsAnnotations() { directive_nullables(this, _, 1) }
+
+  /** Holds if this directive targets nullable warning context. */
+  predicate targetsWarnings() { directive_nullables(this, _, 2) }
+
+  /** Gets the succeeding `#nullable` directive in the file, if any. */
+  NullableDirective getSuccNullableDirective() {
+    result =
+      rank[1](NullableDirective next |
+        next.getFile() = this.getFile() and
+        next.getLocation().getStartLine() > this.getLocation().getStartLine()
+      |
+        next order by next.getLocation().getStartLine()
+      )
+  }
+
+  /** Holds if there is a succeeding `#nullable` directive in the file. */
+  predicate hasSuccNullableDirective() {
+    exists(NullableDirective other |
+      other.getFile() = this.getFile() and
+      other.getLocation().getStartLine() > this.getLocation().getStartLine()
+    )
+  }
+
+  override string toString() { result = "#nullable ..." }
+
+  override string getAPrimaryQlClass() { result = "NullableDirective" }
+}
diff --git a/csharp/ql/src/semmlecode.csharp.dbscheme b/csharp/ql/src/semmlecode.csharp.dbscheme
index b05630b6e9a..e815200408e 100644
--- a/csharp/ql/src/semmlecode.csharp.dbscheme
+++ b/csharp/ql/src/semmlecode.csharp.dbscheme
@@ -332,7 +332,12 @@ using_directive_location(
   int loc: @location ref);
 
 @preprocessor_directive = @pragma_warning | @pragma_checksum | @directive_define | @directive_undefine | @directive_warning
-  | @directive_error;
+  | @directive_error | @directive_nullable;
+
+directive_nullables(
+  unique int id: @directive_nullable,
+  int setting: int ref, /* 0: disable, 1: enable, 2: restore */
+  int target: int ref); /* 0: none, 1: annotations, 2: warnings */
 
 directive_warnings(
   unique int id: @directive_warning,
diff --git a/csharp/ql/test/library-tests/comments/NullableDirectives.expected b/csharp/ql/test/library-tests/comments/NullableDirectives.expected
new file mode 100644
index 00000000000..bbf13afa63b
--- /dev/null
+++ b/csharp/ql/test/library-tests/comments/NullableDirectives.expected
@@ -0,0 +1,21 @@
+nullables
+| trivia.cs:49:1:49:82 | #nullable ... | 0 | 0 |
+| trivia.cs:50:1:50:80 | #nullable ... | 1 | 0 |
+| trivia.cs:51:1:51:94 | #nullable ... | 2 | 0 |
+| trivia.cs:52:1:52:81 | #nullable ... | 0 | 1 |
+| trivia.cs:53:1:53:79 | #nullable ... | 1 | 1 |
+| trivia.cs:54:1:54:93 | #nullable ... | 2 | 1 |
+| trivia.cs:55:1:55:75 | #nullable ... | 0 | 2 |
+| trivia.cs:56:1:56:73 | #nullable ... | 1 | 2 |
+| trivia.cs:57:1:57:87 | #nullable ... | 2 | 2 |
+succ
+| trivia.cs:49:1:49:82 | #nullable ... | trivia.cs:50:1:50:80 | #nullable ... |
+| trivia.cs:50:1:50:80 | #nullable ... | trivia.cs:51:1:51:94 | #nullable ... |
+| trivia.cs:51:1:51:94 | #nullable ... | trivia.cs:52:1:52:81 | #nullable ... |
+| trivia.cs:52:1:52:81 | #nullable ... | trivia.cs:53:1:53:79 | #nullable ... |
+| trivia.cs:53:1:53:79 | #nullable ... | trivia.cs:54:1:54:93 | #nullable ... |
+| trivia.cs:54:1:54:93 | #nullable ... | trivia.cs:55:1:55:75 | #nullable ... |
+| trivia.cs:55:1:55:75 | #nullable ... | trivia.cs:56:1:56:73 | #nullable ... |
+| trivia.cs:56:1:56:73 | #nullable ... | trivia.cs:57:1:57:87 | #nullable ... |
+last
+| trivia.cs:57:1:57:87 | #nullable ... |
diff --git a/csharp/ql/test/library-tests/comments/NullableDirectives.ql b/csharp/ql/test/library-tests/comments/NullableDirectives.ql
new file mode 100644
index 00000000000..a5312df39e9
--- /dev/null
+++ b/csharp/ql/test/library-tests/comments/NullableDirectives.ql
@@ -0,0 +1,11 @@
+import csharp
+
+query predicate nullables(NullableDirective d, int setting, int target) {
+  directive_nullables(d, setting, target)
+}
+
+query predicate succ(NullableDirective d, NullableDirective succ) {
+  d.getSuccNullableDirective() = succ
+}
+
+query predicate last(NullableDirective d) { not d.hasSuccNullableDirective() }

From fe0a494bab546ba05458a68bc3ca756cc5033e3b Mon Sep 17 00:00:00 2001
From: Tamas Vajk <tamasvajk@github.com>
Date: Wed, 20 Jan 2021 10:06:05 +0100
Subject: [PATCH 116/429] Extract line directives

---
 .../PreprocessorDirectives/LineDirective.cs   | 34 +++++++++
 .../Populators/DirectiveVisitor.cs            |  5 ++
 .../Semmle.Extraction.CSharp/Tuples.cs        | 10 +++
 .../src/semmle/code/csharp/Preprocessor.qll   | 69 +++++++++++++++++++
 csharp/ql/src/semmlecode.csharp.dbscheme      | 11 ++-
 .../comments/LineDirectives.expected          | 13 ++++
 .../library-tests/comments/LineDirectives.ql  | 13 ++++
 .../ql/test/library-tests/comments/trivia.cs  |  2 +-
 8 files changed, 155 insertions(+), 2 deletions(-)
 create mode 100644 csharp/extractor/Semmle.Extraction.CSharp/Entities/PreprocessorDirectives/LineDirective.cs
 create mode 100644 csharp/ql/test/library-tests/comments/LineDirectives.expected
 create mode 100644 csharp/ql/test/library-tests/comments/LineDirectives.ql

diff --git a/csharp/extractor/Semmle.Extraction.CSharp/Entities/PreprocessorDirectives/LineDirective.cs b/csharp/extractor/Semmle.Extraction.CSharp/Entities/PreprocessorDirectives/LineDirective.cs
new file mode 100644
index 00000000000..2ca34d6c7a1
--- /dev/null
+++ b/csharp/extractor/Semmle.Extraction.CSharp/Entities/PreprocessorDirectives/LineDirective.cs
@@ -0,0 +1,34 @@
+using Microsoft.CodeAnalysis;
+using Microsoft.CodeAnalysis.CSharp;
+using Microsoft.CodeAnalysis.CSharp.Syntax;
+using System.IO;
+
+namespace Semmle.Extraction.CSharp.Entities
+{
+    internal class LineDirective : PreprocessorDirective<LineDirectiveTriviaSyntax>
+    {
+        public LineDirective(Context cx, LineDirectiveTriviaSyntax trivia)
+            : base(cx, trivia)
+        {
+        }
+
+        protected override void PopulatePreprocessor(TextWriter trapFile)
+        {
+            var type = trivia.Line.Kind() switch
+            {
+                SyntaxKind.DefaultKeyword => 0,
+                SyntaxKind.HiddenKeyword => 1,
+                SyntaxKind.NumericLiteralToken => 2,
+                _ => throw new InternalError(trivia, "Unhandled line token kind")
+            };
+
+            trapFile.directive_lines(this, type);
+
+            if (trivia.Line.IsKind(SyntaxKind.NumericLiteralToken))
+            {
+                var value = (int)trivia.Line.Value;
+                trapFile.directive_line_values(this, value, trivia.File.ValueText);
+            }
+        }
+    }
+}
diff --git a/csharp/extractor/Semmle.Extraction.CSharp/Populators/DirectiveVisitor.cs b/csharp/extractor/Semmle.Extraction.CSharp/Populators/DirectiveVisitor.cs
index d16b4ca041b..baa52ec7f03 100644
--- a/csharp/extractor/Semmle.Extraction.CSharp/Populators/DirectiveVisitor.cs
+++ b/csharp/extractor/Semmle.Extraction.CSharp/Populators/DirectiveVisitor.cs
@@ -47,5 +47,10 @@ namespace Semmle.Extraction.CSharp.Populators
         {
             new Entities.NullableDirective(cx, node);
         }
+
+        public override void VisitLineDirectiveTrivia(LineDirectiveTriviaSyntax node)
+        {
+            new Entities.LineDirective(cx, node);
+        }
     }
 }
diff --git a/csharp/extractor/Semmle.Extraction.CSharp/Tuples.cs b/csharp/extractor/Semmle.Extraction.CSharp/Tuples.cs
index 4b834d42ae1..1ee94ff1426 100644
--- a/csharp/extractor/Semmle.Extraction.CSharp/Tuples.cs
+++ b/csharp/extractor/Semmle.Extraction.CSharp/Tuples.cs
@@ -645,5 +645,15 @@ namespace Semmle.Extraction.CSharp
         {
             trapFile.WriteTuple("directive_nullables", directive, setting, target);
         }
+
+        internal static void directive_lines(this TextWriter trapFile, LineDirective directive, int kind)
+        {
+            trapFile.WriteTuple("directive_lines", directive, kind);
+        }
+
+        internal static void directive_line_values(this TextWriter trapFile, LineDirective directive, int line, string file)
+        {
+            trapFile.WriteTuple("directive_line_values", directive, line, file);
+        }
     }
 }
diff --git a/csharp/ql/src/semmle/code/csharp/Preprocessor.qll b/csharp/ql/src/semmle/code/csharp/Preprocessor.qll
index 8996756d069..983e58da2cb 100644
--- a/csharp/ql/src/semmle/code/csharp/Preprocessor.qll
+++ b/csharp/ql/src/semmle/code/csharp/Preprocessor.qll
@@ -140,3 +140,72 @@ class NullableDirective extends PreprocessorDirective, @directive_nullable {
 
   override string getAPrimaryQlClass() { result = "NullableDirective" }
 }
+
+/**
+ * A `#line` directive, such as `#line default`, `#line hidden`, or `#line`
+ * directive with line number.
+ */
+class LineDirective extends PreprocessorDirective, @directive_line {
+  /** Gets the succeeding `#line` directive in the file, if any. */
+  LineDirective getSuccLineDirective() {
+    result =
+      rank[1](LineDirective next |
+        next.getFile() = this.getFile() and
+        next.getLocation().getStartLine() > this.getLocation().getStartLine()
+      |
+        next order by next.getLocation().getStartLine()
+      )
+  }
+
+  /** Holds if there is a succeeding `#line` directive in the file. */
+  predicate hasSuccLineDirective() {
+    exists(LineDirective other |
+      other.getFile() = this.getFile() and
+      other.getLocation().getStartLine() > this.getLocation().getStartLine()
+    )
+  }
+
+  override string toString() { result = "#line ..." }
+
+  override string getAPrimaryQlClass() { result = "LineDirective" }
+}
+
+/**
+ * A `#line default` directive.
+ */
+class DefaultLineDirective extends LineDirective {
+  DefaultLineDirective() { directive_lines(this, 0) }
+
+  override string toString() { result = "#line default" }
+
+  override string getAPrimaryQlClass() { result = "DefaultLineDirective" }
+}
+
+/**
+ * A `#line hidden` directive.
+ */
+class HiddenLineDirective extends LineDirective {
+  HiddenLineDirective() { directive_lines(this, 1) }
+
+  override string toString() { result = "#line hidden" }
+
+  override string getAPrimaryQlClass() { result = "HiddenLineDirective" }
+}
+
+/**
+ * A numeric `#line` directive, such as `#line 200 file`
+ */
+class NumericLineDirective extends LineDirective {
+  NumericLineDirective() { directive_lines(this, 2) }
+
+  /** Gets the line number of this directive. */
+  int getLine() { directive_line_values(this, result, _) }
+
+  /** Holds if this directive specifies a file name. */
+  predicate hasFileName() { this.getFileName() != "" }
+
+  /** Gets the file name of this directive. */
+  string getFileName() { directive_line_values(this, _, result) }
+
+  override string getAPrimaryQlClass() { result = "NumericLineDirective" }
+}
diff --git a/csharp/ql/src/semmlecode.csharp.dbscheme b/csharp/ql/src/semmlecode.csharp.dbscheme
index e815200408e..92e9947958b 100644
--- a/csharp/ql/src/semmlecode.csharp.dbscheme
+++ b/csharp/ql/src/semmlecode.csharp.dbscheme
@@ -332,7 +332,16 @@ using_directive_location(
   int loc: @location ref);
 
 @preprocessor_directive = @pragma_warning | @pragma_checksum | @directive_define | @directive_undefine | @directive_warning
-  | @directive_error | @directive_nullable;
+  | @directive_error | @directive_nullable | @directive_line;
+
+directive_lines(
+  unique int id: @directive_line,
+  int kind: int ref); /* 0: default, 1: hidden, 2: numeric */
+
+directive_line_values(
+  unique int id: @directive_line ref,
+  int line: int ref,
+  string file: string ref);
 
 directive_nullables(
   unique int id: @directive_nullable,
diff --git a/csharp/ql/test/library-tests/comments/LineDirectives.expected b/csharp/ql/test/library-tests/comments/LineDirectives.expected
new file mode 100644
index 00000000000..ae79e53d1b4
--- /dev/null
+++ b/csharp/ql/test/library-tests/comments/LineDirectives.expected
@@ -0,0 +1,13 @@
+default
+| trivia.cs:21:1:21:13 | #line default |
+hidden
+| trivia.cs:25:1:25:38 | #line hidden |
+lines
+| trivia.cs:18:1:18:19 | #line ... | 200 | Special |
+| trivia.cs:27:1:27:9 | #line ... | 300 |  |
+succ
+| trivia.cs:18:1:18:19 | #line ... | trivia.cs:21:1:21:13 | #line default |
+| trivia.cs:21:1:21:13 | #line default | trivia.cs:25:1:25:38 | #line hidden |
+| trivia.cs:25:1:25:38 | #line hidden | trivia.cs:27:1:27:9 | #line ... |
+last
+| trivia.cs:27:1:27:9 | #line ... |
diff --git a/csharp/ql/test/library-tests/comments/LineDirectives.ql b/csharp/ql/test/library-tests/comments/LineDirectives.ql
new file mode 100644
index 00000000000..db05488911a
--- /dev/null
+++ b/csharp/ql/test/library-tests/comments/LineDirectives.ql
@@ -0,0 +1,13 @@
+import csharp
+
+query predicate default(DefaultLineDirective line) { any() }
+
+query predicate hidden(HiddenLineDirective line) { any() }
+
+query predicate lines(NumericLineDirective line, int l, string file) {
+  line.getLine() = l and line.getFileName() = file
+}
+
+query predicate succ(LineDirective d, LineDirective succ) { d.getSuccLineDirective() = succ }
+
+query predicate last(LineDirective d) { not d.hasSuccLineDirective() }
diff --git a/csharp/ql/test/library-tests/comments/trivia.cs b/csharp/ql/test/library-tests/comments/trivia.cs
index e22ddf77a63..69aea425499 100644
--- a/csharp/ql/test/library-tests/comments/trivia.cs
+++ b/csharp/ql/test/library-tests/comments/trivia.cs
@@ -24,7 +24,7 @@ class Tr1
         float f;
 #line hidden // numbering not affected
         string s;
-#line default
+#line 300
         double d;
     }
 }

From a5d18f9b6882e8f99c55deb667e482f8aa53829d Mon Sep 17 00:00:00 2001
From: Tamas Vajk <tamasvajk@github.com>
Date: Wed, 20 Jan 2021 11:07:24 +0100
Subject: [PATCH 117/429] Extract region directives

---
 .../EndRegionDirective.cs                     | 23 ++++++++++++++++
 .../PreprocessorDirectives/RegionDirective.cs | 18 +++++++++++++
 .../Populators/DirectiveVisitor.cs            | 23 ++++++++++++++++
 .../Semmle.Extraction.CSharp/Tuples.cs        | 15 +++++++++++
 .../src/semmle/code/csharp/Preprocessor.qll   | 27 +++++++++++++++++++
 csharp/ql/src/semmlecode.csharp.dbscheme      | 14 +++++++++-
 .../comments/RegionDirectives.expected        |  6 +++++
 .../comments/RegionDirectives.ql              |  8 ++++++
 8 files changed, 133 insertions(+), 1 deletion(-)
 create mode 100644 csharp/extractor/Semmle.Extraction.CSharp/Entities/PreprocessorDirectives/EndRegionDirective.cs
 create mode 100644 csharp/extractor/Semmle.Extraction.CSharp/Entities/PreprocessorDirectives/RegionDirective.cs
 create mode 100644 csharp/ql/test/library-tests/comments/RegionDirectives.expected
 create mode 100644 csharp/ql/test/library-tests/comments/RegionDirectives.ql

diff --git a/csharp/extractor/Semmle.Extraction.CSharp/Entities/PreprocessorDirectives/EndRegionDirective.cs b/csharp/extractor/Semmle.Extraction.CSharp/Entities/PreprocessorDirectives/EndRegionDirective.cs
new file mode 100644
index 00000000000..a320c89028c
--- /dev/null
+++ b/csharp/extractor/Semmle.Extraction.CSharp/Entities/PreprocessorDirectives/EndRegionDirective.cs
@@ -0,0 +1,23 @@
+using Microsoft.CodeAnalysis.CSharp.Syntax;
+using System.IO;
+
+namespace Semmle.Extraction.CSharp.Entities
+{
+    internal class EndRegionDirective : PreprocessorDirective<EndRegionDirectiveTriviaSyntax>
+    {
+        public EndRegionDirective(Context cx, EndRegionDirectiveTriviaSyntax trivia)
+            : base(cx, trivia)
+        {
+        }
+
+        protected override void PopulatePreprocessor(TextWriter trapFile)
+        {
+            trapFile.directive_endregions(this);
+        }
+
+        internal static void WriteRegionBlock(Context cx, RegionDirective region, EndRegionDirective endregion)
+        {
+            cx.TrapWriter.Writer.regions(region, endregion);
+        }
+    }
+}
diff --git a/csharp/extractor/Semmle.Extraction.CSharp/Entities/PreprocessorDirectives/RegionDirective.cs b/csharp/extractor/Semmle.Extraction.CSharp/Entities/PreprocessorDirectives/RegionDirective.cs
new file mode 100644
index 00000000000..28a707ee4de
--- /dev/null
+++ b/csharp/extractor/Semmle.Extraction.CSharp/Entities/PreprocessorDirectives/RegionDirective.cs
@@ -0,0 +1,18 @@
+using Microsoft.CodeAnalysis.CSharp.Syntax;
+using System.IO;
+
+namespace Semmle.Extraction.CSharp.Entities
+{
+    internal class RegionDirective : PreprocessorDirective<RegionDirectiveTriviaSyntax>
+    {
+        public RegionDirective(Context cx, RegionDirectiveTriviaSyntax trivia)
+            : base(cx, trivia)
+        {
+        }
+
+        protected override void PopulatePreprocessor(TextWriter trapFile)
+        {
+            trapFile.directive_regions(this, trivia.EndOfDirectiveToken.LeadingTrivia.ToString());
+        }
+    }
+}
diff --git a/csharp/extractor/Semmle.Extraction.CSharp/Populators/DirectiveVisitor.cs b/csharp/extractor/Semmle.Extraction.CSharp/Populators/DirectiveVisitor.cs
index baa52ec7f03..a825ecead61 100644
--- a/csharp/extractor/Semmle.Extraction.CSharp/Populators/DirectiveVisitor.cs
+++ b/csharp/extractor/Semmle.Extraction.CSharp/Populators/DirectiveVisitor.cs
@@ -1,3 +1,5 @@
+using System.Collections.Generic;
+using System.Linq;
 using Microsoft.CodeAnalysis;
 using Microsoft.CodeAnalysis.CSharp;
 using Microsoft.CodeAnalysis.CSharp.Syntax;
@@ -52,5 +54,26 @@ namespace Semmle.Extraction.CSharp.Populators
         {
             new Entities.LineDirective(cx, node);
         }
+
+        private readonly Stack<Entities.RegionDirective> regionStarts = new Stack<Entities.RegionDirective>();
+
+        public override void VisitRegionDirectiveTrivia(RegionDirectiveTriviaSyntax node)
+        {
+            var region = new Entities.RegionDirective(cx, node);
+            regionStarts.Push(region);
+        }
+
+        public override void VisitEndRegionDirectiveTrivia(EndRegionDirectiveTriviaSyntax node)
+        {
+            var endregion = new Entities.EndRegionDirective(cx, node);
+            if (regionStarts.Count == 0)
+            {
+                cx.ExtractionError("Couldn't find start region", null,
+                    Extraction.Entities.Location.Create(cx, node.GetLocation()), null, Util.Logging.Severity.Warning);
+                return;
+            }
+            var start = regionStarts.Pop();
+            Entities.EndRegionDirective.WriteRegionBlock(cx, start, endregion);
+        }
     }
 }
diff --git a/csharp/extractor/Semmle.Extraction.CSharp/Tuples.cs b/csharp/extractor/Semmle.Extraction.CSharp/Tuples.cs
index 1ee94ff1426..1eebf07c37f 100644
--- a/csharp/extractor/Semmle.Extraction.CSharp/Tuples.cs
+++ b/csharp/extractor/Semmle.Extraction.CSharp/Tuples.cs
@@ -655,5 +655,20 @@ namespace Semmle.Extraction.CSharp
         {
             trapFile.WriteTuple("directive_line_values", directive, line, file);
         }
+
+        internal static void directive_regions(this TextWriter trapFile, RegionDirective directive, string name)
+        {
+            trapFile.WriteTuple("directive_regions", directive, name);
+        }
+
+        internal static void directive_endregions(this TextWriter trapFile, EndRegionDirective directive)
+        {
+            trapFile.WriteTuple("directive_endregions", directive);
+        }
+
+        internal static void regions(this TextWriter trapFile, RegionDirective start, EndRegionDirective end)
+        {
+            trapFile.WriteTuple("regions", start, end);
+        }
     }
 }
diff --git a/csharp/ql/src/semmle/code/csharp/Preprocessor.qll b/csharp/ql/src/semmle/code/csharp/Preprocessor.qll
index 983e58da2cb..10397230f2e 100644
--- a/csharp/ql/src/semmle/code/csharp/Preprocessor.qll
+++ b/csharp/ql/src/semmle/code/csharp/Preprocessor.qll
@@ -209,3 +209,30 @@ class NumericLineDirective extends LineDirective {
 
   override string getAPrimaryQlClass() { result = "NumericLineDirective" }
 }
+
+/**
+ * A `#region` directive.
+ */
+class RegionDirective extends PreprocessorDirective, @directive_region {
+  /** Gets the name of this region. */
+  string getName() { directive_regions(this, result) }
+
+  /** Gets the closing `#endregion` directive. */
+  EndRegionDirective getEnd() { regions(this, result) }
+
+  override string toString() { result = "#region ..." }
+
+  override string getAPrimaryQlClass() { result = "RegionDirective" }
+}
+
+/**
+ * A `#endregion` directive.
+ */
+class EndRegionDirective extends PreprocessorDirective, @directive_endregion {
+  /** Gets the opening `#region` directive. */
+  RegionDirective getStart() { regions(result, this) }
+
+  override string toString() { result = "#endregion" }
+
+  override string getAPrimaryQlClass() { result = "EndRegionDirective" }
+}
diff --git a/csharp/ql/src/semmlecode.csharp.dbscheme b/csharp/ql/src/semmlecode.csharp.dbscheme
index 92e9947958b..ad723e09a4d 100644
--- a/csharp/ql/src/semmlecode.csharp.dbscheme
+++ b/csharp/ql/src/semmlecode.csharp.dbscheme
@@ -332,7 +332,19 @@ using_directive_location(
   int loc: @location ref);
 
 @preprocessor_directive = @pragma_warning | @pragma_checksum | @directive_define | @directive_undefine | @directive_warning
-  | @directive_error | @directive_nullable | @directive_line;
+  | @directive_error | @directive_nullable | @directive_line | @directive_region | @directive_endregion;
+
+directive_regions(
+  unique int id: @directive_region,
+  string name: string ref);
+
+directive_endregions(
+  unique int id: @directive_endregion);
+
+#keyset[start, end]
+regions(
+  unique int start: @directive_region ref,
+  unique int end: @directive_endregion ref);
 
 directive_lines(
   unique int id: @directive_line,
diff --git a/csharp/ql/test/library-tests/comments/RegionDirectives.expected b/csharp/ql/test/library-tests/comments/RegionDirectives.expected
new file mode 100644
index 00000000000..aead68e7ff0
--- /dev/null
+++ b/csharp/ql/test/library-tests/comments/RegionDirectives.expected
@@ -0,0 +1,6 @@
+regionDirectives
+| trivia.cs:36:9:36:22 | #region ... | fields | trivia.cs:41:9:41:18 | #endregion |
+| trivia.cs:38:9:38:22 | #region ... | nested | trivia.cs:40:9:40:18 | #endregion |
+endregions
+| trivia.cs:40:9:40:18 | #endregion | trivia.cs:38:9:38:22 | #region ... |
+| trivia.cs:41:9:41:18 | #endregion | trivia.cs:36:9:36:22 | #region ... |
diff --git a/csharp/ql/test/library-tests/comments/RegionDirectives.ql b/csharp/ql/test/library-tests/comments/RegionDirectives.ql
new file mode 100644
index 00000000000..9b1296819f2
--- /dev/null
+++ b/csharp/ql/test/library-tests/comments/RegionDirectives.ql
@@ -0,0 +1,8 @@
+import csharp
+
+query predicate regionDirectives(RegionDirective d, string name, EndRegionDirective end) {
+  d.getName() = name and
+  d.getEnd() = end
+}
+
+query predicate endregions(EndRegionDirective d, RegionDirective start) { d.getStart() = start }

From 41fbce0ad00899ce5bb791a911a9ab93e0fad631 Mon Sep 17 00:00:00 2001
From: Tamas Vajk <tamasvajk@github.com>
Date: Wed, 20 Jan 2021 15:21:36 +0100
Subject: [PATCH 118/429] Extract #if directives

---
 .../Entities/Expression.cs                    |  38 +++-
 .../Entities/Expressions/DefineSymbol.cs      |  18 ++
 .../Entities/Expressions/Literal.cs           |   5 +
 .../Entities/Expressions/Name.cs              |  12 +-
 .../PreprocessorDirectives/ElifDirective.cs   |  22 +++
 .../PreprocessorDirectives/ElseDirective.cs   |  18 ++
 .../PreprocessorDirectives/EndIfDirective.cs  |  18 ++
 .../IIfSiblingDirective.cs                    |   4 +
 .../PreprocessorDirectives/IfDirective.cs     |  40 ++++
 .../PreprocessorDirectives/RegionDirective.cs |   1 +
 .../Kinds/ExprKind.cs                         |   2 +
 .../Populators/DirectiveVisitor.cs            |  47 +++++
 .../Semmle.Extraction.CSharp/Tuples.cs        |  38 ++++
 .../src/semmle/code/csharp/Preprocessor.qll   |  92 +++++++++
 csharp/ql/src/semmle/code/csharp/PrintAst.qll |   2 +
 .../ql/src/semmle/code/csharp/exprs/Expr.qll  |  18 ++
 csharp/ql/src/semmlecode.csharp.dbscheme      |  41 +++-
 .../comments/IfDirectives.expected            |  19 ++
 .../library-tests/comments/IfDirectives.ql    |  33 ++++
 .../library-tests/comments/PrintAst.expected  | 175 ++++++++++++++++++
 .../library-tests/comments/PrintAst.qlref     |   1 +
 21 files changed, 639 insertions(+), 5 deletions(-)
 create mode 100644 csharp/extractor/Semmle.Extraction.CSharp/Entities/Expressions/DefineSymbol.cs
 create mode 100644 csharp/extractor/Semmle.Extraction.CSharp/Entities/PreprocessorDirectives/ElifDirective.cs
 create mode 100644 csharp/extractor/Semmle.Extraction.CSharp/Entities/PreprocessorDirectives/ElseDirective.cs
 create mode 100644 csharp/extractor/Semmle.Extraction.CSharp/Entities/PreprocessorDirectives/EndIfDirective.cs
 create mode 100644 csharp/extractor/Semmle.Extraction.CSharp/Entities/PreprocessorDirectives/IIfSiblingDirective.cs
 create mode 100644 csharp/extractor/Semmle.Extraction.CSharp/Entities/PreprocessorDirectives/IfDirective.cs
 create mode 100644 csharp/ql/test/library-tests/comments/IfDirectives.expected
 create mode 100644 csharp/ql/test/library-tests/comments/IfDirectives.ql
 create mode 100644 csharp/ql/test/library-tests/comments/PrintAst.expected
 create mode 100644 csharp/ql/test/library-tests/comments/PrintAst.qlref

diff --git a/csharp/extractor/Semmle.Extraction.CSharp/Entities/Expression.cs b/csharp/extractor/Semmle.Extraction.CSharp/Entities/Expression.cs
index 9d701d242a3..5829bbffa9e 100644
--- a/csharp/extractor/Semmle.Extraction.CSharp/Entities/Expression.cs
+++ b/csharp/extractor/Semmle.Extraction.CSharp/Entities/Expression.cs
@@ -529,7 +529,17 @@ namespace Semmle.Extraction.CSharp.Entities
             get
             {
                 var c = Model.GetConstantValue(Node);
-                return c.HasValue ? Expression.ValueAsString(c.Value) : null;
+                if (c.HasValue)
+                {
+                    return Expression.ValueAsString(c.Value);
+                }
+
+                if (TryGetBoolValueInsideIfDirective(out var val))
+                {
+                    return Expression.ValueAsString(val);
+                }
+
+                return null;
             }
         }
 
@@ -593,5 +603,31 @@ namespace Semmle.Extraction.CSharp.Entities
         }
 
         public NullableFlowState FlowState => TypeInfo.Nullability.FlowState;
+
+        public bool IsInsideIfDirective()
+        {
+            return Node.Ancestors().Any(a => a is ElifDirectiveTriviaSyntax || a is IfDirectiveTriviaSyntax);
+        }
+
+        public bool TryGetBoolValueInsideIfDirective(out bool val)
+        {
+            var isTrue = Node.IsKind(SyntaxKind.TrueLiteralExpression);
+            var isFalse = Node.IsKind(SyntaxKind.FalseLiteralExpression);
+
+            if (!isTrue && !isFalse)
+            {
+                val = false;
+                return false;
+            }
+
+            if (!IsInsideIfDirective())
+            {
+                val = false;
+                return false;
+            }
+
+            val = isTrue;
+            return true;
+        }
     }
 }
diff --git a/csharp/extractor/Semmle.Extraction.CSharp/Entities/Expressions/DefineSymbol.cs b/csharp/extractor/Semmle.Extraction.CSharp/Entities/Expressions/DefineSymbol.cs
new file mode 100644
index 00000000000..d0111c010b2
--- /dev/null
+++ b/csharp/extractor/Semmle.Extraction.CSharp/Entities/Expressions/DefineSymbol.cs
@@ -0,0 +1,18 @@
+using Microsoft.CodeAnalysis.CSharp.Syntax;
+using Semmle.Extraction.Kinds;
+using System.IO;
+
+namespace Semmle.Extraction.CSharp.Entities.Expressions
+{
+    internal class DefineSymbol : Expression<IdentifierNameSyntax>
+    {
+        private DefineSymbol(ExpressionNodeInfo info) : base(info.SetKind(ExprKind.DEFINE_SYMBOL)) { }
+
+        public static Expression Create(ExpressionNodeInfo info) => new DefineSymbol(info).TryPopulate();
+
+        protected override void PopulateExpression(TextWriter trapFile)
+        {
+            trapFile.directive_define_symbols(this, Syntax.Identifier.Text);
+        }
+    }
+}
diff --git a/csharp/extractor/Semmle.Extraction.CSharp/Entities/Expressions/Literal.cs b/csharp/extractor/Semmle.Extraction.CSharp/Entities/Expressions/Literal.cs
index ad63cc26ac6..d91f426cfd7 100644
--- a/csharp/extractor/Semmle.Extraction.CSharp/Entities/Expressions/Literal.cs
+++ b/csharp/extractor/Semmle.Extraction.CSharp/Entities/Expressions/Literal.cs
@@ -25,6 +25,11 @@ namespace Semmle.Extraction.CSharp.Entities.Expressions
                     return ExprKind.NULL_LITERAL;
             }
 
+            if (info.TryGetBoolValueInsideIfDirective(out var _))
+            {
+                return ExprKind.BOOL_LITERAL;
+            }
+
             var type = info.Type?.Symbol;
             return GetExprKind(type, info.Node, info.Context);
         }
diff --git a/csharp/extractor/Semmle.Extraction.CSharp/Entities/Expressions/Name.cs b/csharp/extractor/Semmle.Extraction.CSharp/Entities/Expressions/Name.cs
index d44c85d6ddc..d74afd16329 100644
--- a/csharp/extractor/Semmle.Extraction.CSharp/Entities/Expressions/Name.cs
+++ b/csharp/extractor/Semmle.Extraction.CSharp/Entities/Expressions/Name.cs
@@ -1,5 +1,6 @@
 using Microsoft.CodeAnalysis;
 using Microsoft.CodeAnalysis.CSharp;
+using Microsoft.CodeAnalysis.CSharp.Syntax;
 using System.Linq;
 
 namespace Semmle.Extraction.CSharp.Entities.Expressions
@@ -26,8 +27,15 @@ namespace Semmle.Extraction.CSharp.Entities.Expressions
 
             if (target == null)
             {
-                info.Context.ModelError(info.Node, "Failed to resolve name");
-                return new Unknown(info);
+                if (info.IsInsideIfDirective())
+                {
+                    return DefineSymbol.Create(info);
+                }
+                else
+                {
+                    info.Context.ModelError(info.Node, "Failed to resolve name");
+                    return new Unknown(info);
+                }
             }
 
             // There is a very strange bug in Microsoft.CodeAnalysis whereby
diff --git a/csharp/extractor/Semmle.Extraction.CSharp/Entities/PreprocessorDirectives/ElifDirective.cs b/csharp/extractor/Semmle.Extraction.CSharp/Entities/PreprocessorDirectives/ElifDirective.cs
new file mode 100644
index 00000000000..26314244ac6
--- /dev/null
+++ b/csharp/extractor/Semmle.Extraction.CSharp/Entities/PreprocessorDirectives/ElifDirective.cs
@@ -0,0 +1,22 @@
+using Microsoft.CodeAnalysis.CSharp.Syntax;
+using System.IO;
+
+namespace Semmle.Extraction.CSharp.Entities
+{
+    internal class ElifDirective : PreprocessorDirective<ElifDirectiveTriviaSyntax>, IIfSiblingDirective, IExpressionParentEntity
+    {
+        public ElifDirective(Context cx, ElifDirectiveTriviaSyntax trivia)
+            : base(cx, trivia)
+        {
+        }
+
+        public bool IsTopLevelParent => true;
+
+        protected override void PopulatePreprocessor(TextWriter trapFile)
+        {
+            trapFile.directive_elifs(this, trivia.BranchTaken, trivia.ConditionValue);
+
+            Expression.Create(cx, trivia.Condition, this, 0);
+        }
+    }
+}
diff --git a/csharp/extractor/Semmle.Extraction.CSharp/Entities/PreprocessorDirectives/ElseDirective.cs b/csharp/extractor/Semmle.Extraction.CSharp/Entities/PreprocessorDirectives/ElseDirective.cs
new file mode 100644
index 00000000000..48c786627ac
--- /dev/null
+++ b/csharp/extractor/Semmle.Extraction.CSharp/Entities/PreprocessorDirectives/ElseDirective.cs
@@ -0,0 +1,18 @@
+using Microsoft.CodeAnalysis.CSharp.Syntax;
+using System.IO;
+
+namespace Semmle.Extraction.CSharp.Entities
+{
+    internal class ElseDirective : PreprocessorDirective<ElseDirectiveTriviaSyntax>, IIfSiblingDirective
+    {
+        public ElseDirective(Context cx, ElseDirectiveTriviaSyntax trivia)
+            : base(cx, trivia)
+        {
+        }
+
+        protected override void PopulatePreprocessor(TextWriter trapFile)
+        {
+            trapFile.directive_elses(this, trivia.BranchTaken);
+        }
+    }
+}
diff --git a/csharp/extractor/Semmle.Extraction.CSharp/Entities/PreprocessorDirectives/EndIfDirective.cs b/csharp/extractor/Semmle.Extraction.CSharp/Entities/PreprocessorDirectives/EndIfDirective.cs
new file mode 100644
index 00000000000..85d5c89f353
--- /dev/null
+++ b/csharp/extractor/Semmle.Extraction.CSharp/Entities/PreprocessorDirectives/EndIfDirective.cs
@@ -0,0 +1,18 @@
+using Microsoft.CodeAnalysis.CSharp.Syntax;
+using System.IO;
+
+namespace Semmle.Extraction.CSharp.Entities
+{
+    internal class EndIfDirective : PreprocessorDirective<EndIfDirectiveTriviaSyntax>
+    {
+        public EndIfDirective(Context cx, EndIfDirectiveTriviaSyntax trivia)
+            : base(cx, trivia)
+        {
+        }
+
+        protected override void PopulatePreprocessor(TextWriter trapFile)
+        {
+            trapFile.directive_endifs(this);
+        }
+    }
+}
diff --git a/csharp/extractor/Semmle.Extraction.CSharp/Entities/PreprocessorDirectives/IIfSiblingDirective.cs b/csharp/extractor/Semmle.Extraction.CSharp/Entities/PreprocessorDirectives/IIfSiblingDirective.cs
new file mode 100644
index 00000000000..7a849962f09
--- /dev/null
+++ b/csharp/extractor/Semmle.Extraction.CSharp/Entities/PreprocessorDirectives/IIfSiblingDirective.cs
@@ -0,0 +1,4 @@
+namespace Semmle.Extraction.CSharp.Entities
+{
+    internal interface IIfSiblingDirective { }
+}
diff --git a/csharp/extractor/Semmle.Extraction.CSharp/Entities/PreprocessorDirectives/IfDirective.cs b/csharp/extractor/Semmle.Extraction.CSharp/Entities/PreprocessorDirectives/IfDirective.cs
new file mode 100644
index 00000000000..fc9af188c1d
--- /dev/null
+++ b/csharp/extractor/Semmle.Extraction.CSharp/Entities/PreprocessorDirectives/IfDirective.cs
@@ -0,0 +1,40 @@
+using Microsoft.CodeAnalysis.CSharp.Syntax;
+using System.Collections.Generic;
+using System.IO;
+
+namespace Semmle.Extraction.CSharp.Entities
+{
+    internal class IfDirective : PreprocessorDirective<IfDirectiveTriviaSyntax>, IExpressionParentEntity
+    {
+        private readonly List<IIfSiblingDirective> branches = new List<IIfSiblingDirective>();
+
+        public IfDirective(Context cx, IfDirectiveTriviaSyntax trivia)
+            : base(cx, trivia)
+        {
+        }
+
+        public bool IsTopLevelParent => true;
+
+        protected override void PopulatePreprocessor(TextWriter trapFile)
+        {
+            trapFile.directive_ifs(this, trivia.BranchTaken, trivia.ConditionValue);
+
+            Expression.Create(cx, trivia.Condition, this, 0);
+        }
+
+        internal void Add(IIfSiblingDirective branch)
+        {
+            branches.Add(branch);
+        }
+
+        internal void WriteBranches(EndIfDirective endif)
+        {
+            cx.TrapWriter.Writer.directive_if_endif(this, endif);
+            var siblings = 0;
+            foreach (var branch in branches)
+            {
+                cx.TrapWriter.Writer.directive_if_siblings(this, branch, siblings++);
+            }
+        }
+    }
+}
diff --git a/csharp/extractor/Semmle.Extraction.CSharp/Entities/PreprocessorDirectives/RegionDirective.cs b/csharp/extractor/Semmle.Extraction.CSharp/Entities/PreprocessorDirectives/RegionDirective.cs
index 28a707ee4de..b2f017688a3 100644
--- a/csharp/extractor/Semmle.Extraction.CSharp/Entities/PreprocessorDirectives/RegionDirective.cs
+++ b/csharp/extractor/Semmle.Extraction.CSharp/Entities/PreprocessorDirectives/RegionDirective.cs
@@ -1,4 +1,5 @@
 using Microsoft.CodeAnalysis.CSharp.Syntax;
+using System;
 using System.IO;
 
 namespace Semmle.Extraction.CSharp.Entities
diff --git a/csharp/extractor/Semmle.Extraction.CSharp/Kinds/ExprKind.cs b/csharp/extractor/Semmle.Extraction.CSharp/Kinds/ExprKind.cs
index ee1185da30d..292e8c47d98 100644
--- a/csharp/extractor/Semmle.Extraction.CSharp/Kinds/ExprKind.cs
+++ b/csharp/extractor/Semmle.Extraction.CSharp/Kinds/ExprKind.cs
@@ -124,5 +124,7 @@ namespace Semmle.Extraction.Kinds
         AND_PATTERN = 127,
         OR_PATTERN = 128,
         FUNCTION_POINTER_INVOCATION = 129,
+
+        DEFINE_SYMBOL = 999
     }
 }
diff --git a/csharp/extractor/Semmle.Extraction.CSharp/Populators/DirectiveVisitor.cs b/csharp/extractor/Semmle.Extraction.CSharp/Populators/DirectiveVisitor.cs
index a825ecead61..074441a70cb 100644
--- a/csharp/extractor/Semmle.Extraction.CSharp/Populators/DirectiveVisitor.cs
+++ b/csharp/extractor/Semmle.Extraction.CSharp/Populators/DirectiveVisitor.cs
@@ -75,5 +75,52 @@ namespace Semmle.Extraction.CSharp.Populators
             var start = regionStarts.Pop();
             Entities.EndRegionDirective.WriteRegionBlock(cx, start, endregion);
         }
+
+        private readonly Stack<Entities.IfDirective> ifStarts = new Stack<Entities.IfDirective>();
+
+        public override void VisitIfDirectiveTrivia(IfDirectiveTriviaSyntax node)
+        {
+            var ifStart = new Entities.IfDirective(cx, node);
+            ifStarts.Push(ifStart);
+        }
+
+        public override void VisitEndIfDirectiveTrivia(EndIfDirectiveTriviaSyntax node)
+        {
+            var endif = new Entities.EndIfDirective(cx, node);
+            if (ifStarts.Count == 0)
+            {
+                cx.ExtractionError("Couldn't find start if", null,
+                    Extraction.Entities.Location.Create(cx, node.GetLocation()), null, Util.Logging.Severity.Warning);
+                return;
+            }
+            var start = ifStarts.Pop();
+            start.WriteBranches(endif);
+        }
+
+        public override void VisitElifDirectiveTrivia(ElifDirectiveTriviaSyntax node)
+        {
+            var elif = new Entities.ElifDirective(cx, node);
+            if (ifStarts.Count == 0)
+            {
+                cx.ExtractionError("Couldn't find start if", null,
+                    Extraction.Entities.Location.Create(cx, node.GetLocation()), null, Util.Logging.Severity.Warning);
+                return;
+            }
+            var start = ifStarts.Peek();
+            start.Add(elif);
+        }
+
+        public override void VisitElseDirectiveTrivia(ElseDirectiveTriviaSyntax node)
+        {
+            var elseDirective = new Entities.ElseDirective(cx, node);
+            if (ifStarts.Count == 0)
+            {
+                cx.ExtractionError("Couldn't find start if", null,
+                    Extraction.Entities.Location.Create(cx, node.GetLocation()), null, Util.Logging.Severity.Warning);
+                return;
+            }
+            var start = ifStarts.Peek();
+            start.Add(elseDirective);
+        }
     }
 }
diff --git a/csharp/extractor/Semmle.Extraction.CSharp/Tuples.cs b/csharp/extractor/Semmle.Extraction.CSharp/Tuples.cs
index 1eebf07c37f..19b730f7cc0 100644
--- a/csharp/extractor/Semmle.Extraction.CSharp/Tuples.cs
+++ b/csharp/extractor/Semmle.Extraction.CSharp/Tuples.cs
@@ -1,6 +1,7 @@
 using Microsoft.CodeAnalysis.CSharp.Syntax;
 using Semmle.Extraction.CommentProcessing;
 using Semmle.Extraction.CSharp.Entities;
+using Semmle.Extraction.CSharp.Entities.Expressions;
 using Semmle.Extraction.Entities;
 using Semmle.Extraction.Kinds;
 using Semmle.Util;
@@ -670,5 +671,42 @@ namespace Semmle.Extraction.CSharp
         {
             trapFile.WriteTuple("regions", start, end);
         }
+
+        internal static void directive_ifs(this TextWriter trapFile, IfDirective directive, bool branchTaken, bool conditionValue)
+        {
+            trapFile.WriteTuple("directive_ifs", directive, branchTaken ? 1 : 0, conditionValue ? 1 : 0);
+        }
+
+        internal static void directive_elifs(this TextWriter trapFile, ElifDirective directive, bool branchTaken, bool conditionValue)
+        {
+            trapFile.WriteTuple("directive_elifs", directive, branchTaken ? 1 : 0, conditionValue ? 1 : 0);
+        }
+
+        internal static void directive_elses(this TextWriter trapFile, ElseDirective directive, bool branchTaken)
+        {
+            trapFile.WriteTuple("directive_elses", directive, branchTaken ? 1 : 0);
+        }
+
+        internal static void directive_endifs(this TextWriter trapFile, EndIfDirective directive)
+        {
+            trapFile.WriteTuple("directive_endifs", directive);
+        }
+
+        internal static void directive_if_endif(this TextWriter trapFile, IfDirective start, EndIfDirective end)
+        {
+            trapFile.WriteTuple("directive_if_endif", start, end);
+        }
+
+        internal static void directive_if_siblings(this TextWriter trapFile, IfDirective start, IIfSiblingDirective siblingDirective, int index)
+        {
+            trapFile.WriteTuple("directive_if_siblings", start, siblingDirective, index);
+        }
+
+        internal static void directive_define_symbols(this TextWriter trapFile, DefineSymbol symb, string name)
+        {
+            trapFile.WriteTuple("directive_define_symbols", symb, name);
+        }
+
+
     }
 }
diff --git a/csharp/ql/src/semmle/code/csharp/Preprocessor.qll b/csharp/ql/src/semmle/code/csharp/Preprocessor.qll
index 10397230f2e..1f23275a7a7 100644
--- a/csharp/ql/src/semmle/code/csharp/Preprocessor.qll
+++ b/csharp/ql/src/semmle/code/csharp/Preprocessor.qll
@@ -236,3 +236,95 @@ class EndRegionDirective extends PreprocessorDirective, @directive_endregion {
 
   override string getAPrimaryQlClass() { result = "EndRegionDirective" }
 }
+
+/**
+ * A branching preprocessor directive, such as `IfDirective`, `ElifDirective`, or
+ * `ElseDirective`.
+ */
+class BranchDirective extends PreprocessorDirective {
+  /** Holds if the branch is taken by the preprocessor. */
+  predicate branchTaken() { none() }
+}
+
+/**
+ * A preprocessor directive with a branching condition, such as `IfDirective` or
+ * `ElifDirective`.
+ */
+class ConditionalDirective extends BranchDirective {
+  /** Gets the condition. */
+  Expr getCondition() { result = this.getChild(0) }
+
+  /** Holds if the condition is matched. */
+  predicate conditionMatched() { none() }
+}
+
+/**
+ * An `#if` preprocessor directive.
+ */
+class IfDirective extends ConditionalDirective, @directive_if {
+  override predicate branchTaken() { directive_ifs(this, 1, _) }
+
+  override predicate conditionMatched() { directive_ifs(this, _, 1) }
+
+  /** Gets the closing `#endif` preprocessor directive. */
+  EndifDirective getEndifDirective() { directive_if_endif(this, result) }
+
+  /** Gets the sibling `#elif` or `#else` preprocessor directive at index `sibling`. */
+  BranchDirective getSiblingDirective(int sibling) { directive_if_siblings(this, result, sibling) }
+
+  /** Gets a sibling `#elif` or `#else` preprocessor directive. */
+  BranchDirective getASiblingDirective() { result = getSiblingDirective(_) }
+
+  override string toString() { result = "#if ..." }
+
+  override string getAPrimaryQlClass() { result = "IfDirective" }
+}
+
+/**
+ * An `#elif` preprocessor directive.
+ */
+class ElifDirective extends ConditionalDirective, @directive_elif {
+  override predicate branchTaken() { directive_elifs(this, 1, _) }
+
+  override predicate conditionMatched() { directive_elifs(this, _, 1) }
+
+  /** Gets the opening `#if` preprocessor directive. */
+  IfDirective getIfDirective() { directive_if_siblings(result, this, _) }
+
+  /** Gets the successive branching preprocessor directive (`#elif` or `#else`), if any. */
+  BranchDirective getSuccSiblingDirective() {
+    exists(IfDirective i, int index |
+      directive_if_siblings(i, this, index) and directive_if_siblings(i, result, index + 1)
+    )
+  }
+
+  override string toString() { result = "#elif ..." }
+
+  override string getAPrimaryQlClass() { result = "ElifDirective" }
+}
+
+/**
+ * An `#else` preprocessor directive.
+ */
+class ElseDirective extends BranchDirective, @directive_else {
+  /** Gets the opening `#if` preprocessor directive. */
+  IfDirective getIfDirective() { directive_if_siblings(result, this, _) }
+
+  override predicate branchTaken() { directive_elses(this, 1) }
+
+  override string toString() { result = "#else" }
+
+  override string getAPrimaryQlClass() { result = "ElseDirective" }
+}
+
+/**
+ * An `#endif` preprocessor directive.
+ */
+class EndifDirective extends PreprocessorDirective, @directive_endif {
+  /** Gets the opening `#if` preprocessor directive. */
+  IfDirective getIfDirective() { directive_if_endif(result, this) }
+
+  override string toString() { result = "#endif" }
+
+  override string getAPrimaryQlClass() { result = "EndifDirective" }
+}
diff --git a/csharp/ql/src/semmle/code/csharp/PrintAst.qll b/csharp/ql/src/semmle/code/csharp/PrintAst.qll
index 63ff928f9fc..a4ab6f7632c 100644
--- a/csharp/ql/src/semmle/code/csharp/PrintAst.qll
+++ b/csharp/ql/src/semmle/code/csharp/PrintAst.qll
@@ -48,6 +48,8 @@ private predicate isNotNeeded(Element e) {
   or
   e instanceof TupleType
   or
+  e instanceof ConditionalDirective
+  or
   isNotNeeded(e.(Declaration).getDeclaringType())
   or
   isNotNeeded(e.(Parameter).getDeclaringElement())
diff --git a/csharp/ql/src/semmle/code/csharp/exprs/Expr.qll b/csharp/ql/src/semmle/code/csharp/exprs/Expr.qll
index 4078557f366..5a954b7a925 100644
--- a/csharp/ql/src/semmle/code/csharp/exprs/Expr.qll
+++ b/csharp/ql/src/semmle/code/csharp/exprs/Expr.qll
@@ -1134,3 +1134,21 @@ class SuppressNullableWarningExpr extends Expr, @suppress_nullable_warning_expr
 
   override string getAPrimaryQlClass() { result = "SuppressNullableWarningExpr" }
 }
+
+/**
+ * A preprocessor symbol inside an expression, such as DEBUG in line 2
+ * ```csharp
+ * #define DEBUG
+ * #if (DEBUG == true)
+ *   Console.WriteLine("Debug version");
+ * #endif
+ * ```
+ */
+class DefineSymbolExpr extends Expr, @define_symbol_expr {
+  /** Gets the name of the symbol. */
+  string getName() { directive_define_symbols(this, result) }
+
+  override string toString() { result = getName() }
+
+  override string getAPrimaryQlClass() { result = "DefineSymbolExpr" }
+}
diff --git a/csharp/ql/src/semmlecode.csharp.dbscheme b/csharp/ql/src/semmlecode.csharp.dbscheme
index ad723e09a4d..a13a6f6d628 100644
--- a/csharp/ql/src/semmlecode.csharp.dbscheme
+++ b/csharp/ql/src/semmlecode.csharp.dbscheme
@@ -332,7 +332,42 @@ using_directive_location(
   int loc: @location ref);
 
 @preprocessor_directive = @pragma_warning | @pragma_checksum | @directive_define | @directive_undefine | @directive_warning
-  | @directive_error | @directive_nullable | @directive_line | @directive_region | @directive_endregion;
+  | @directive_error | @directive_nullable | @directive_line | @directive_region | @directive_endregion | @directive_if
+  | @directive_elif | @directive_else | @directive_endif;
+
+directive_ifs(
+  unique int id: @directive_if,
+  int branchTaken: int ref,     /* 0: false, 1: true */
+  int conditionValue: int ref); /* 0: false, 1: true */
+
+directive_elifs(
+  unique int id: @directive_elif,
+  int branchTaken: int ref,     /* 0: false, 1: true */
+  int conditionValue: int ref); /* 0: false, 1: true */
+
+directive_elses(
+  unique int id: @directive_else,
+  int branchTaken: int ref);  /* 0: false, 1: true */
+
+directive_endifs(
+  unique int id: @directive_endif);
+
+#keyset[start, end]
+directive_if_endif(
+  unique int start: @directive_if ref,
+  unique int end: @directive_endif ref);
+
+@directive_if_sibling = @directive_else | @directive_elif;
+
+#keyset[start, index]
+directive_if_siblings(
+  int start: @directive_if ref,
+  int sibling: @directive_if_sibling ref,
+  int index: int ref);
+
+directive_define_symbols(
+  unique int id: @define_symbol_expr ref,
+  string name: string ref);
 
 directive_regions(
   unique int id: @directive_region,
@@ -955,7 +990,7 @@ expr_parent(
   int index: int ref,
   int parent: @control_flow_element ref);
 
-@top_level_expr_parent = @attribute | @field | @property | @indexer | @parameter;
+@top_level_expr_parent = @attribute | @field | @property | @indexer | @parameter | @directive_if | @directive_elif;
 
 @top_level_exprorstmt_parent = @top_level_expr_parent | @top_level_stmt_parent;
 
@@ -1104,6 +1139,8 @@ case @expr.kind of
 | 127 = @and_pattern_expr
 | 128 = @or_pattern_expr
 | 129 = @function_pointer_invocation_expr
+/* Preprocessor */
+| 999 = @define_symbol_expr
 ;
 
 @switch = @switch_stmt | @switch_expr;
diff --git a/csharp/ql/test/library-tests/comments/IfDirectives.expected b/csharp/ql/test/library-tests/comments/IfDirectives.expected
new file mode 100644
index 00000000000..3a3a24ef798
--- /dev/null
+++ b/csharp/ql/test/library-tests/comments/IfDirectives.expected
@@ -0,0 +1,19 @@
+ifDirectives
+| trivia.cs:65:1:65:9 | #if ... | trivia.cs:76:1:76:6 | #endif | not taken | false | trivia.cs:65:5:65:9 | DEBUG |
+| trivia.cs:68:1:68:10 | #if ... | trivia.cs:70:1:70:6 | #endif | not taken | false | trivia.cs:68:5:68:10 | NESTED |
+siblings
+| trivia.cs:65:1:65:9 | #if ... | trivia.cs:71:1:71:35 | #elif ... | 0 | taken |
+| trivia.cs:65:1:65:9 | #if ... | trivia.cs:74:1:74:5 | #else | 1 | not taken |
+conditionalDirectives
+| trivia.cs:65:1:65:9 | #if ... | not taken | false | trivia.cs:65:5:65:9 | DEBUG |
+| trivia.cs:68:1:68:10 | #if ... | not taken | false | trivia.cs:68:5:68:10 | NESTED |
+| trivia.cs:71:1:71:35 | #elif ... | taken | true | trivia.cs:71:7:71:35 | ... \|\| ... |
+expressions
+| trivia.cs:65:5:65:9 | DEBUG |
+| trivia.cs:68:5:68:10 | NESTED |
+| trivia.cs:71:7:71:35 | ... \|\| ... |
+| trivia.cs:71:8:71:15 | NOTDEBUG |
+| trivia.cs:71:8:71:23 | ... == ... |
+| trivia.cs:71:20:71:23 | true |
+| trivia.cs:71:29:71:35 | !... |
+| trivia.cs:71:31:71:34 | TEST |
diff --git a/csharp/ql/test/library-tests/comments/IfDirectives.ql b/csharp/ql/test/library-tests/comments/IfDirectives.ql
new file mode 100644
index 00000000000..d7e97d3abf8
--- /dev/null
+++ b/csharp/ql/test/library-tests/comments/IfDirectives.ql
@@ -0,0 +1,33 @@
+import csharp
+
+private string getConditionValue(ConditionalDirective d) {
+  if d.conditionMatched() then result = "true" else result = "false"
+}
+
+private string getBranchValue(BranchDirective d) {
+  if d.branchTaken() then result = "taken" else result = "not taken"
+}
+
+query predicate ifDirectives(
+  IfDirective d, EndifDirective endif, string taken, string condValue, Expr expr
+) {
+  d.getEndifDirective() = endif and
+  d.getCondition() = expr and
+  taken = getBranchValue(d) and
+  condValue = getConditionValue(d)
+}
+
+query predicate siblings(IfDirective d, BranchDirective sibling, int index, string taken) {
+  d.getSiblingDirective(index) = sibling and
+  taken = getBranchValue(sibling)
+}
+
+query predicate conditionalDirectives(
+  ConditionalDirective cond, string taken, string condValue, Expr expr
+) {
+  cond.getCondition() = expr and
+  taken = getBranchValue(cond) and
+  condValue = getConditionValue(cond)
+}
+
+query predicate expressions(Expr e) { e.getParent+() instanceof ConditionalDirective }
diff --git a/csharp/ql/test/library-tests/comments/PrintAst.expected b/csharp/ql/test/library-tests/comments/PrintAst.expected
new file mode 100644
index 00000000000..96f0f088501
--- /dev/null
+++ b/csharp/ql/test/library-tests/comments/PrintAst.expected
@@ -0,0 +1,175 @@
+comments1.cs:
+#    9| [Class] C
+#   35| [Class] Foo
+#   40|   5: [Field] x
+#   40|     -1: [TypeMention] int
+#   43|   6: [Field] y
+#   43|     -1: [TypeMention] int
+#   44|   7: [Field] z
+#   44|     -1: [TypeMention] int
+comments2.cs:
+#   11| [Class] C2
+#   13|   4: [Field] field1
+#   13|     -1: [TypeMention] int
+#   14|   5: [Field] field2
+#   14|     -1: [TypeMention] int
+#   19|   6: [Method] f
+#   19|     -1: [TypeMention] Void
+#   20|     4: [BlockStmt] {...}
+#   23|       0: [ExprStmt] ...;
+#   23|         0: [MethodCall] call to method f
+#   26|       1: [ExprStmt] ...;
+#   26|         0: [MethodCall] call to method g
+#   26|           0: [IntLiteral] 2
+#   29|   7: [Method] g
+#   29|     -1: [TypeMention] Void
+#-----|     2: (Parameters)
+#   29|       0: [Parameter] x
+#   29|         -1: [TypeMention] int
+#   30|     4: [BlockStmt] {...}
+#   32|       0: [LocalVariableDeclStmt] ... ...;
+#   32|         0: [LocalVariableDeclAndInitExpr] Int32 y = ...
+#   32|           -1: [TypeMention] int
+#   32|           0: [LocalVariableAccess] access to local variable y
+#   32|           1: [IntLiteral] 0
+#   34|       1: [LocalVariableDeclStmt] ... ...;
+#   34|         0: [LocalVariableDeclAndInitExpr] Int32 z = ...
+#   34|           -1: [TypeMention] int
+#   34|           0: [LocalVariableAccess] access to local variable z
+#   34|           1: [IntLiteral] 0
+#   40|   8: [Class] C3
+#   48|   9: [IndexerProperty] S1
+#   48|     -1: [TypeMention] string
+#   52|     3: [Getter] get_S1
+#   52|       4: [BlockStmt] {...}
+#   52|         0: [ReturnStmt] return ...;
+#   52|           0: [StringLiteral] ""
+#   53|     4: [Setter] set_S1
+#-----|       2: (Parameters)
+#   53|         0: [Parameter] value
+#   54|       4: [BlockStmt] {...}
+#   61|   10: [Enum] Values
+#   66|     5: [Field] First
+#   67|     6: [Field] Second
+#   73|     7: [Field] Third
+#   79|   11: [InstanceConstructor] C2
+#   80|     4: [BlockStmt] {...}
+#   85|   12: [Destructor] ~C2
+#   86|     4: [BlockStmt] {...}
+#   90|   13: [AddOperator] +
+#   90|     -1: [TypeMention] int
+#-----|     2: (Parameters)
+#   90|       0: [Parameter] x
+#   90|         -1: [TypeMention] C2
+#   90|       1: [Parameter] b
+#   90|         -1: [TypeMention] C2
+#   91|     4: [BlockStmt] {...}
+#   92|       0: [ReturnStmt] return ...;
+#   92|         0: [IntLiteral] 2
+#   95|   14: [Method] f
+#   95|     -1: [TypeMention] Void
+#-----|     2: (Parameters)
+#   96|       0: [Parameter] x
+#   96|         -1: [TypeMention] int
+#   97|       1: [Parameter] y
+#   97|         -1: [TypeMention] int
+#   99|     4: [BlockStmt] {...}
+#  103|   15: [DelegateType] D
+#  107|   16: [Event] E
+#  107|     -1: [TypeMention] D
+#  107|     3: [AddEventAccessor] add_E
+#-----|       2: (Parameters)
+#  107|         0: [Parameter] value
+#  107|     4: [RemoveEventAccessor] remove_E
+#-----|       2: (Parameters)
+#  107|         0: [Parameter] value
+#  110|   17: [Method] gen
+#  110|     -1: [TypeMention] Void
+#  111|     4: [BlockStmt] {...}
+#  112|       0: [LocalVariableDeclStmt] ... ...;
+#  112|         0: [LocalVariableDeclAndInitExpr] GenericClass<Int32> t1 = ...
+#  112|           -1: [TypeMention] GenericClass<Int32>
+#  112|           0: [LocalVariableAccess] access to local variable t1
+#  112|           1: [ObjectCreation] object creation of type GenericClass<Int32>
+#  112|             0: [TypeMention] GenericClass<Int32>
+#  112|               1: [TypeMention] int
+#  113|       1: [LocalVariableDeclStmt] ... ...;
+#  113|         0: [LocalVariableDeclAndInitExpr] Int32 t2 = ...
+#  113|           -1: [TypeMention] int
+#  113|           0: [LocalVariableAccess] access to local variable t2
+#  113|           1: [MethodCall] call to method GenericFn
+#  114|       2: [LocalVariableDeclStmt] ... ...;
+#  114|         0: [LocalVariableDeclAndInitExpr] GenericClass<Double> t3 = ...
+#  114|           -1: [TypeMention] GenericClass<Double>
+#  114|           0: [LocalVariableAccess] access to local variable t3
+#  114|           1: [ObjectCreation] object creation of type GenericClass<Double>
+#  114|             0: [TypeMention] GenericClass<Double>
+#  114|               1: [TypeMention] double
+#  115|       3: [LocalVariableDeclStmt] ... ...;
+#  115|         0: [LocalVariableDeclAndInitExpr] Int32 t4 = ...
+#  115|           -1: [TypeMention] int
+#  115|           0: [LocalVariableAccess] access to local variable t4
+#  115|           1: [MethodCall] call to method GenericFn
+#  119|   18: [Class] GenericClass<>
+#-----|     1: (Type parameters)
+#  119|       0: [TypeParameter] T
+#  121|     5: [Field] f
+#  121|       -1: [TypeMention] int
+#  125|   21: [Method] GenericFn
+#  125|     -1: [TypeMention] int
+#-----|     1: (Type parameters)
+#  125|       0: [TypeParameter] T
+#  126|     4: [BlockStmt] {...}
+#  127|       0: [LocalVariableDeclStmt] ... ...;
+#  127|         0: [LocalVariableDeclAndInitExpr] Int32 x = ...
+#  127|           -1: [TypeMention] int
+#  127|           0: [LocalVariableAccess] access to local variable x
+#  127|           1: [IntLiteral] 0
+#  128|       1: [ReturnStmt] return ...;
+#  128|         0: [IntLiteral] 0
+trivia.cs:
+#   14| [Class] Tr1
+#   16|   5: [Method] M1
+#   16|     -1: [TypeMention] Void
+#   17|     4: [BlockStmt] {...}
+#   19|       0: [LocalVariableDeclStmt] ... ...;
+#   19|         0: [LocalVariableDeclExpr] Int32 i
+#   19|           0: [TypeMention] int
+#   20|       1: [LocalVariableDeclStmt] ... ...;
+#   20|         0: [LocalVariableDeclExpr] Int32 j
+#   20|           0: [TypeMention] int
+#   22|       2: [LocalVariableDeclStmt] ... ...;
+#   22|         0: [LocalVariableDeclExpr] Char c
+#   22|           0: [TypeMention] char
+#   24|       3: [LocalVariableDeclStmt] ... ...;
+#   24|         0: [LocalVariableDeclExpr] Single f
+#   24|           0: [TypeMention] float
+#   26|       4: [LocalVariableDeclStmt] ... ...;
+#   26|         0: [LocalVariableDeclExpr] String s
+#   26|           0: [TypeMention] string
+#   28|       5: [LocalVariableDeclStmt] ... ...;
+#   28|         0: [LocalVariableDeclExpr] Double d
+#   28|           0: [TypeMention] double
+#   32| [Class] Tr2
+#   34|   5: [Method] M1
+#   34|     -1: [TypeMention] Void
+#   35|     4: [BlockStmt] {...}
+#   37|       0: [LocalVariableDeclStmt] ... ...;
+#   37|         0: [LocalVariableDeclExpr] Int32 i
+#   37|           0: [TypeMention] int
+#   39|       1: [LocalVariableDeclStmt] ... ...;
+#   39|         0: [LocalVariableDeclExpr] Int32 j
+#   39|           0: [TypeMention] int
+#   45| [Class] Tr3
+#   47|   5: [Method] M1
+#   47|     -1: [TypeMention] Void
+#   48|     4: [BlockStmt] {...}
+#   61| [Class] Tr4
+#   63|   5: [Method] M1
+#   63|     -1: [TypeMention] Void
+#   64|     4: [BlockStmt] {...}
+#   73|       0: [LocalVariableDeclStmt] ... ...;
+#   73|         0: [LocalVariableDeclAndInitExpr] Int32 i = ...
+#   73|           -1: [TypeMention] int
+#   73|           0: [LocalVariableAccess] access to local variable i
+#   73|           1: [IntLiteral] 1
diff --git a/csharp/ql/test/library-tests/comments/PrintAst.qlref b/csharp/ql/test/library-tests/comments/PrintAst.qlref
new file mode 100644
index 00000000000..15af8b109dd
--- /dev/null
+++ b/csharp/ql/test/library-tests/comments/PrintAst.qlref
@@ -0,0 +1 @@
+semmle/code/csharp/PrintAst.ql
\ No newline at end of file

From a896e1522d240aaadf827e53673ecacd7209bfc1 Mon Sep 17 00:00:00 2001
From: Tamas Vajk <tamasvajk@github.com>
Date: Wed, 20 Jan 2021 15:42:27 +0100
Subject: [PATCH 119/429] Extract active flag from directives, fix missing
 assembly location

---
 .../PreprocessorDirective.cs                  |  1 +
 .../Semmle.Extraction.CSharp/Tuples.cs        |  9 ++-
 .../src/semmle/code/csharp/Preprocessor.qll   |  6 +-
 csharp/ql/src/semmlecode.csharp.dbscheme      |  4 ++
 .../comments/BindingAfter.expected            |  2 +-
 .../library-tests/comments/Comments.expected  |  2 +-
 .../comments/Directives.expected              | 60 +++++++++++++++++++
 .../test/library-tests/comments/Directives.ql |  6 ++
 .../comments/ErrorDirectives.expected         |  2 +-
 .../comments/WarningDirectives.expected       |  2 +-
 .../ql/test/library-tests/comments/trivia.cs  |  6 +-
 11 files changed, 90 insertions(+), 10 deletions(-)
 create mode 100644 csharp/ql/test/library-tests/comments/Directives.expected
 create mode 100644 csharp/ql/test/library-tests/comments/Directives.ql

diff --git a/csharp/extractor/Semmle.Extraction.CSharp/Entities/PreprocessorDirectives/PreprocessorDirective.cs b/csharp/extractor/Semmle.Extraction.CSharp/Entities/PreprocessorDirectives/PreprocessorDirective.cs
index e19ffe43549..2a968d7fa46 100644
--- a/csharp/extractor/Semmle.Extraction.CSharp/Entities/PreprocessorDirectives/PreprocessorDirective.cs
+++ b/csharp/extractor/Semmle.Extraction.CSharp/Entities/PreprocessorDirectives/PreprocessorDirective.cs
@@ -19,6 +19,7 @@ namespace Semmle.Extraction.CSharp.Entities
         {
             PopulatePreprocessor(trapFile);
 
+            trapFile.preprocessor_directive_active(this, trivia.IsActive);
             trapFile.preprocessor_directive_location(this, cx.Create(ReportingLocation));
 
             if (!cx.Extractor.Standalone)
diff --git a/csharp/extractor/Semmle.Extraction.CSharp/Tuples.cs b/csharp/extractor/Semmle.Extraction.CSharp/Tuples.cs
index 19b730f7cc0..46609d38bde 100644
--- a/csharp/extractor/Semmle.Extraction.CSharp/Tuples.cs
+++ b/csharp/extractor/Semmle.Extraction.CSharp/Tuples.cs
@@ -607,6 +607,13 @@ namespace Semmle.Extraction.CSharp
             trapFile.WriteTuple("preprocessor_directive_assembly", directive, assembly);
         }
 
+        internal static void preprocessor_directive_active<TDirective>(this TextWriter trapFile,
+            PreprocessorDirective<TDirective> directive, bool isActive)
+            where TDirective : DirectiveTriviaSyntax
+        {
+            trapFile.WriteTuple("preprocessor_directive_active", directive, isActive ? 1 : 0);
+        }
+
         internal static void pragma_warnings(this TextWriter trapFile, PragmaWarningDirective pragma, int kind)
         {
             trapFile.WriteTuple("pragma_warnings", pragma, kind);
@@ -706,7 +713,5 @@ namespace Semmle.Extraction.CSharp
         {
             trapFile.WriteTuple("directive_define_symbols", symb, name);
         }
-
-
     }
 }
diff --git a/csharp/ql/src/semmle/code/csharp/Preprocessor.qll b/csharp/ql/src/semmle/code/csharp/Preprocessor.qll
index 1f23275a7a7..5b44fd3f30f 100644
--- a/csharp/ql/src/semmle/code/csharp/Preprocessor.qll
+++ b/csharp/ql/src/semmle/code/csharp/Preprocessor.qll
@@ -5,7 +5,11 @@
 import Element
 
 class PreprocessorDirective extends Element, @preprocessor_directive {
-  override Location getALocation() { preprocessor_directive_location(this, result) }
+  predicate active() { preprocessor_directive_active(this, 1) }
+
+  override Location getALocation() {
+    preprocessor_directive_location(this, result) or preprocessor_directive_assembly(this, result)
+  }
 }
 
 /**
diff --git a/csharp/ql/src/semmlecode.csharp.dbscheme b/csharp/ql/src/semmlecode.csharp.dbscheme
index a13a6f6d628..a904422305b 100644
--- a/csharp/ql/src/semmlecode.csharp.dbscheme
+++ b/csharp/ql/src/semmlecode.csharp.dbscheme
@@ -435,6 +435,10 @@ preprocessor_directive_assembly(
   unique int id: @preprocessor_directive ref,
   int loc: @assembly ref);
 
+preprocessor_directive_active(
+  unique int id: @preprocessor_directive ref,
+  int active: int ref);  /* 0: false, 1: true */
+
 /** TYPES **/
 
 types(
diff --git a/csharp/ql/test/library-tests/comments/BindingAfter.expected b/csharp/ql/test/library-tests/comments/BindingAfter.expected
index a44d0360f73..df5cd92ade0 100644
--- a/csharp/ql/test/library-tests/comments/BindingAfter.expected
+++ b/csharp/ql/test/library-tests/comments/BindingAfter.expected
@@ -55,6 +55,6 @@
 | comments2.cs:118:5:118:21 | // ... | comments2.cs:119:11:119:25 | GenericClass<> | GenericClass<> |
 | comments2.cs:124:5:124:16 | // ... | comments2.cs:125:9:125:20 | GenericFn | GenericFn |
 | comments2.cs:127:20:127:23 | // ... | comments2.cs:128:9:128:17 | return ...; | x |
-| trivia.cs:1:1:3:15 | // ... | trivia.cs:14:7:14:9 | Tr1 | semmle-extractor-options: --standalone |
+| trivia.cs:1:1:3:15 | // ... | trivia.cs:14:7:14:9 | Tr1 |  |
 | trivia.cs:13:84:13:98 | // ... | trivia.cs:14:7:14:9 | Tr1 | New checksum |
 | trivia.cs:25:14:25:38 | // ... | trivia.cs:26:9:26:17 | ... ...; | numbering not affected |
diff --git a/csharp/ql/test/library-tests/comments/Comments.expected b/csharp/ql/test/library-tests/comments/Comments.expected
index 176211192a6..a6df0ef7bc6 100644
--- a/csharp/ql/test/library-tests/comments/Comments.expected
+++ b/csharp/ql/test/library-tests/comments/Comments.expected
@@ -70,7 +70,7 @@ singlelineComment
 | comments2.cs:124:5:124:16 | // ... | comments2.cs:124:5:124:16 | // ... | 1 | GenericFn | // GenericFn |
 | comments2.cs:127:20:127:23 | // ... | comments2.cs:127:20:127:23 | // ... | 1 | x | // x |
 | comments2.cs:132:1:132:21 | // ... | comments2.cs:132:1:132:21 | // ... | 1 | End of comment2.cs | // End of comment2.cs |
-| trivia.cs:1:1:3:15 | // ... | trivia.cs:1:1:1:42 | // ... | 3 | semmle-extractor-options: --standalone | //  semmle-extractor-options: --standalone |
+| trivia.cs:1:1:3:15 | // ... | trivia.cs:1:1:1:2 | // ... | 3 |  | // |
 | trivia.cs:1:1:3:15 | // ... | trivia.cs:2:1:2:21 | // ... | 3 | Start of trivia.cs | // Start of trivia.cs |
 | trivia.cs:1:1:3:15 | // ... | trivia.cs:3:1:3:15 | // ... | 3 | Unassociated | // Unassociated |
 | trivia.cs:13:84:13:98 | // ... | trivia.cs:13:84:13:98 | // ... | 1 | New checksum | // New checksum |
diff --git a/csharp/ql/test/library-tests/comments/Directives.expected b/csharp/ql/test/library-tests/comments/Directives.expected
new file mode 100644
index 00000000000..2fa3a1acae3
--- /dev/null
+++ b/csharp/ql/test/library-tests/comments/Directives.expected
@@ -0,0 +1,60 @@
+| trivia.cs:4:1:4:13 | #define ... | comments2.dll:0:0:0:0 | comments2, Version=0.0.0.0, Culture=neutral, PublicKeyToken=null | active |
+| trivia.cs:4:1:4:13 | #define ... | trivia.cs:4:1:4:13 | trivia.cs:4:1:4:13 | active |
+| trivia.cs:6:1:6:12 | #undef ... | comments2.dll:0:0:0:0 | comments2, Version=0.0.0.0, Culture=neutral, PublicKeyToken=null | active |
+| trivia.cs:6:1:6:12 | #undef ... | trivia.cs:6:1:6:12 | trivia.cs:6:1:6:12 | active |
+| trivia.cs:12:1:12:35 | #pragma warning ... | comments2.dll:0:0:0:0 | comments2, Version=0.0.0.0, Culture=neutral, PublicKeyToken=null | active |
+| trivia.cs:12:1:12:35 | #pragma warning ... | trivia.cs:12:1:12:35 | trivia.cs:12:1:12:35 | active |
+| trivia.cs:13:1:13:98 | #pragma checksum ... | comments2.dll:0:0:0:0 | comments2, Version=0.0.0.0, Culture=neutral, PublicKeyToken=null | active |
+| trivia.cs:13:1:13:98 | #pragma checksum ... | trivia.cs:13:1:13:98 | trivia.cs:13:1:13:98 | active |
+| trivia.cs:18:1:18:19 | #line ... | comments2.dll:0:0:0:0 | comments2, Version=0.0.0.0, Culture=neutral, PublicKeyToken=null | active |
+| trivia.cs:18:1:18:19 | #line ... | trivia.cs:18:1:18:19 | trivia.cs:18:1:18:19 | active |
+| trivia.cs:21:1:21:13 | #line default | comments2.dll:0:0:0:0 | comments2, Version=0.0.0.0, Culture=neutral, PublicKeyToken=null | active |
+| trivia.cs:21:1:21:13 | #line default | trivia.cs:21:1:21:13 | trivia.cs:21:1:21:13 | active |
+| trivia.cs:23:1:23:23 | #pragma warning ... | comments2.dll:0:0:0:0 | comments2, Version=0.0.0.0, Culture=neutral, PublicKeyToken=null | active |
+| trivia.cs:23:1:23:23 | #pragma warning ... | trivia.cs:23:1:23:23 | trivia.cs:23:1:23:23 | active |
+| trivia.cs:25:1:25:38 | #line hidden | comments2.dll:0:0:0:0 | comments2, Version=0.0.0.0, Culture=neutral, PublicKeyToken=null | active |
+| trivia.cs:25:1:25:38 | #line hidden | trivia.cs:25:1:25:38 | trivia.cs:25:1:25:38 | active |
+| trivia.cs:27:1:27:9 | #line ... | comments2.dll:0:0:0:0 | comments2, Version=0.0.0.0, Culture=neutral, PublicKeyToken=null | active |
+| trivia.cs:27:1:27:9 | #line ... | trivia.cs:27:1:27:9 | trivia.cs:27:1:27:9 | active |
+| trivia.cs:36:9:36:22 | #region ... | comments2.dll:0:0:0:0 | comments2, Version=0.0.0.0, Culture=neutral, PublicKeyToken=null | active |
+| trivia.cs:36:9:36:22 | #region ... | trivia.cs:36:9:36:22 | trivia.cs:36:9:36:22 | active |
+| trivia.cs:38:9:38:22 | #region ... | comments2.dll:0:0:0:0 | comments2, Version=0.0.0.0, Culture=neutral, PublicKeyToken=null | active |
+| trivia.cs:38:9:38:22 | #region ... | trivia.cs:38:9:38:22 | trivia.cs:38:9:38:22 | active |
+| trivia.cs:40:9:40:18 | #endregion | comments2.dll:0:0:0:0 | comments2, Version=0.0.0.0, Culture=neutral, PublicKeyToken=null | active |
+| trivia.cs:40:9:40:18 | #endregion | trivia.cs:40:9:40:18 | trivia.cs:40:9:40:18 | active |
+| trivia.cs:41:9:41:18 | #endregion | comments2.dll:0:0:0:0 | comments2, Version=0.0.0.0, Culture=neutral, PublicKeyToken=null | active |
+| trivia.cs:41:9:41:18 | #endregion | trivia.cs:41:9:41:18 | trivia.cs:41:9:41:18 | active |
+| trivia.cs:49:1:49:82 | #nullable ... | comments2.dll:0:0:0:0 | comments2, Version=0.0.0.0, Culture=neutral, PublicKeyToken=null | active |
+| trivia.cs:49:1:49:82 | #nullable ... | trivia.cs:49:1:49:82 | trivia.cs:49:1:49:82 | active |
+| trivia.cs:50:1:50:80 | #nullable ... | comments2.dll:0:0:0:0 | comments2, Version=0.0.0.0, Culture=neutral, PublicKeyToken=null | active |
+| trivia.cs:50:1:50:80 | #nullable ... | trivia.cs:50:1:50:80 | trivia.cs:50:1:50:80 | active |
+| trivia.cs:51:1:51:94 | #nullable ... | comments2.dll:0:0:0:0 | comments2, Version=0.0.0.0, Culture=neutral, PublicKeyToken=null | active |
+| trivia.cs:51:1:51:94 | #nullable ... | trivia.cs:51:1:51:94 | trivia.cs:51:1:51:94 | active |
+| trivia.cs:52:1:52:81 | #nullable ... | comments2.dll:0:0:0:0 | comments2, Version=0.0.0.0, Culture=neutral, PublicKeyToken=null | active |
+| trivia.cs:52:1:52:81 | #nullable ... | trivia.cs:52:1:52:81 | trivia.cs:52:1:52:81 | active |
+| trivia.cs:53:1:53:79 | #nullable ... | comments2.dll:0:0:0:0 | comments2, Version=0.0.0.0, Culture=neutral, PublicKeyToken=null | active |
+| trivia.cs:53:1:53:79 | #nullable ... | trivia.cs:53:1:53:79 | trivia.cs:53:1:53:79 | active |
+| trivia.cs:54:1:54:93 | #nullable ... | comments2.dll:0:0:0:0 | comments2, Version=0.0.0.0, Culture=neutral, PublicKeyToken=null | active |
+| trivia.cs:54:1:54:93 | #nullable ... | trivia.cs:54:1:54:93 | trivia.cs:54:1:54:93 | active |
+| trivia.cs:55:1:55:75 | #nullable ... | comments2.dll:0:0:0:0 | comments2, Version=0.0.0.0, Culture=neutral, PublicKeyToken=null | active |
+| trivia.cs:55:1:55:75 | #nullable ... | trivia.cs:55:1:55:75 | trivia.cs:55:1:55:75 | active |
+| trivia.cs:56:1:56:73 | #nullable ... | comments2.dll:0:0:0:0 | comments2, Version=0.0.0.0, Culture=neutral, PublicKeyToken=null | active |
+| trivia.cs:56:1:56:73 | #nullable ... | trivia.cs:56:1:56:73 | trivia.cs:56:1:56:73 | active |
+| trivia.cs:57:1:57:87 | #nullable ... | comments2.dll:0:0:0:0 | comments2, Version=0.0.0.0, Culture=neutral, PublicKeyToken=null | active |
+| trivia.cs:57:1:57:87 | #nullable ... | trivia.cs:57:1:57:87 | trivia.cs:57:1:57:87 | active |
+| trivia.cs:65:1:65:9 | #if ... | comments2.dll:0:0:0:0 | comments2, Version=0.0.0.0, Culture=neutral, PublicKeyToken=null | active |
+| trivia.cs:65:1:65:9 | #if ... | trivia.cs:65:1:65:9 | trivia.cs:65:1:65:9 | active |
+| trivia.cs:66:1:66:23 | #error ... | comments2.dll:0:0:0:0 | comments2, Version=0.0.0.0, Culture=neutral, PublicKeyToken=null | inactive |
+| trivia.cs:66:1:66:23 | #error ... | trivia.cs:66:1:66:23 | trivia.cs:66:1:66:23 | inactive |
+| trivia.cs:68:1:68:10 | #if ... | comments2.dll:0:0:0:0 | comments2, Version=0.0.0.0, Culture=neutral, PublicKeyToken=null | inactive |
+| trivia.cs:68:1:68:10 | #if ... | trivia.cs:68:1:68:10 | trivia.cs:68:1:68:10 | inactive |
+| trivia.cs:70:1:70:6 | #endif | comments2.dll:0:0:0:0 | comments2, Version=0.0.0.0, Culture=neutral, PublicKeyToken=null | inactive |
+| trivia.cs:70:1:70:6 | #endif | trivia.cs:70:1:70:6 | trivia.cs:70:1:70:6 | inactive |
+| trivia.cs:71:1:71:35 | #elif ... | comments2.dll:0:0:0:0 | comments2, Version=0.0.0.0, Culture=neutral, PublicKeyToken=null | active |
+| trivia.cs:71:1:71:35 | #elif ... | trivia.cs:71:1:71:35 | trivia.cs:71:1:71:35 | active |
+| trivia.cs:72:1:72:43 | #warning ... | comments2.dll:0:0:0:0 | comments2, Version=0.0.0.0, Culture=neutral, PublicKeyToken=null | active |
+| trivia.cs:72:1:72:43 | #warning ... | trivia.cs:72:1:72:43 | trivia.cs:72:1:72:43 | active |
+| trivia.cs:74:1:74:5 | #else | comments2.dll:0:0:0:0 | comments2, Version=0.0.0.0, Culture=neutral, PublicKeyToken=null | active |
+| trivia.cs:74:1:74:5 | #else | trivia.cs:74:1:74:5 | trivia.cs:74:1:74:5 | active |
+| trivia.cs:76:1:76:6 | #endif | comments2.dll:0:0:0:0 | comments2, Version=0.0.0.0, Culture=neutral, PublicKeyToken=null | active |
+| trivia.cs:76:1:76:6 | #endif | trivia.cs:76:1:76:6 | trivia.cs:76:1:76:6 | active |
diff --git a/csharp/ql/test/library-tests/comments/Directives.ql b/csharp/ql/test/library-tests/comments/Directives.ql
new file mode 100644
index 00000000000..606ffd042bb
--- /dev/null
+++ b/csharp/ql/test/library-tests/comments/Directives.ql
@@ -0,0 +1,6 @@
+import csharp
+
+query predicate directives(PreprocessorDirective d, Location l, string isActive) {
+  d.getALocation() = l and
+  if d.active() then isActive = "active" else isActive = "inactive"
+}
diff --git a/csharp/ql/test/library-tests/comments/ErrorDirectives.expected b/csharp/ql/test/library-tests/comments/ErrorDirectives.expected
index 656b501c904..e3fb9babaf0 100644
--- a/csharp/ql/test/library-tests/comments/ErrorDirectives.expected
+++ b/csharp/ql/test/library-tests/comments/ErrorDirectives.expected
@@ -1 +1 @@
-| trivia.cs:72:1:72:41 | #error ... | NOTDEBUG is defined or TEST is not |
+| trivia.cs:66:1:66:23 | #error ... | DEBUG is defined |
diff --git a/csharp/ql/test/library-tests/comments/WarningDirectives.expected b/csharp/ql/test/library-tests/comments/WarningDirectives.expected
index 105119a8127..b4ed32ea179 100644
--- a/csharp/ql/test/library-tests/comments/WarningDirectives.expected
+++ b/csharp/ql/test/library-tests/comments/WarningDirectives.expected
@@ -1 +1 @@
-| trivia.cs:66:1:66:25 | #warning ... | DEBUG is defined |
+| trivia.cs:72:1:72:43 | #warning ... | NOTDEBUG is defined or TEST is not |
diff --git a/csharp/ql/test/library-tests/comments/trivia.cs b/csharp/ql/test/library-tests/comments/trivia.cs
index 69aea425499..61cfe454409 100644
--- a/csharp/ql/test/library-tests/comments/trivia.cs
+++ b/csharp/ql/test/library-tests/comments/trivia.cs
@@ -1,4 +1,4 @@
-//  semmle-extractor-options: --standalone
+//
 // Start of trivia.cs
 // Unassociated
 #define DEBUG
@@ -63,13 +63,13 @@ class Tr4
     static void M1()
     {
 #if DEBUG
-#warning DEBUG is defined
+#error DEBUG is defined
         var i = 0;
 #if NESTED
         i--;
 #endif
 #elif (NOTDEBUG == true) || !(TEST)
-#error NOTDEBUG is defined or TEST is not
+#warning NOTDEBUG is defined or TEST is not
         var i = 1;
 #else
         var i = 2;

From 3900698b41571635cf9da85a2bda21d1c1cb852a Mon Sep 17 00:00:00 2001
From: Tamas Vajk <tamasvajk@github.com>
Date: Thu, 21 Jan 2021 11:28:23 +0100
Subject: [PATCH 120/429] Add doc comments for preprocessor directive base
 class

---
 csharp/ql/src/semmle/code/csharp/Preprocessor.qll | 10 ++++++++++
 1 file changed, 10 insertions(+)

diff --git a/csharp/ql/src/semmle/code/csharp/Preprocessor.qll b/csharp/ql/src/semmle/code/csharp/Preprocessor.qll
index 5b44fd3f30f..df33fc746e0 100644
--- a/csharp/ql/src/semmle/code/csharp/Preprocessor.qll
+++ b/csharp/ql/src/semmle/code/csharp/Preprocessor.qll
@@ -4,7 +4,17 @@
 
 import Element
 
+/**
+ * A preprocessor directive, such as `PragmaWarningDirective`, `PragmaChecksumDirective`,
+ * `DefineDirective`, `UndefineDirective`, `WarningDirective`, `ErrorDirective`,
+ * `NullableDirective`, `LineDirective`, `RegionDirective`, `EndRegionDirective`,
+ * `BranchDirective`, or `EndifDirective`.
+ */
 class PreprocessorDirective extends Element, @preprocessor_directive {
+  /**
+   * Holds if this directive is processed by the preprocessor, such as any directive
+   * that is not inside a not taken `BranchDirective`.
+   */
   predicate active() { preprocessor_directive_active(this, 1) }
 
   override Location getALocation() {

From bd64dda4c393db0fafa2ec2271e242477ab7fe7b Mon Sep 17 00:00:00 2001
From: Tamas Vajk <tamasvajk@github.com>
Date: Tue, 26 Jan 2021 15:34:49 +0100
Subject: [PATCH 121/429] Fix code review findings in pragma warning directives

---
 csharp/ql/src/semmle/code/csharp/Preprocessor.qll       | 6 +++---
 csharp/ql/test/library-tests/comments/PragmaWarnings.ql | 4 ++--
 2 files changed, 5 insertions(+), 5 deletions(-)

diff --git a/csharp/ql/src/semmle/code/csharp/Preprocessor.qll b/csharp/ql/src/semmle/code/csharp/Preprocessor.qll
index df33fc746e0..b22058c05eb 100644
--- a/csharp/ql/src/semmle/code/csharp/Preprocessor.qll
+++ b/csharp/ql/src/semmle/code/csharp/Preprocessor.qll
@@ -27,13 +27,13 @@ class PreprocessorDirective extends Element, @preprocessor_directive {
  */
 class PragmaWarningDirective extends PreprocessorDirective, @pragma_warning {
   /** Holds if this is a `#pragma warning restore` directive. */
-  predicate restore() { pragma_warnings(this, 1) }
+  predicate isRestore() { pragma_warnings(this, 1) }
 
   /** Holds if this is a `#pragma warning disable` directive. */
-  predicate disable() { pragma_warnings(this, 0) }
+  predicate isDisable() { pragma_warnings(this, 0) }
 
   /** Holds if this directive specifies error codes. */
-  predicate hasErrorCodes() { exists(string s | pragma_warning_error_codes(this, s, _)) }
+  predicate hasErrorCodes() { pragma_warning_error_codes(this, _, _) }
 
   /** Gets a specified error code from this directive. */
   string getAnErrorCode() { pragma_warning_error_codes(this, result, _) }
diff --git a/csharp/ql/test/library-tests/comments/PragmaWarnings.ql b/csharp/ql/test/library-tests/comments/PragmaWarnings.ql
index 15d793b6392..58ce589474e 100644
--- a/csharp/ql/test/library-tests/comments/PragmaWarnings.ql
+++ b/csharp/ql/test/library-tests/comments/PragmaWarnings.ql
@@ -1,8 +1,8 @@
 import csharp
 
-query predicate disable(PragmaWarningDirective pragma) { pragma.disable() }
+query predicate disable(PragmaWarningDirective pragma) { pragma.isDisable() }
 
-query predicate restore(PragmaWarningDirective pragma) { pragma.restore() }
+query predicate restore(PragmaWarningDirective pragma) { pragma.isRestore() }
 
 query predicate errorCodes(PragmaWarningDirective pragma, string code) {
   pragma.hasErrorCodes() and code = pragma.getAnErrorCode()

From 567516471c2a53d81503c64f1c2e1f0d938f006d Mon Sep 17 00:00:00 2001
From: Tamas Vajk <tamasvajk@github.com>
Date: Tue, 26 Jan 2021 15:37:05 +0100
Subject: [PATCH 122/429] Fix code review findings in 'define' directives

---
 csharp/ql/src/semmle/code/csharp/Preprocessor.qll | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)

diff --git a/csharp/ql/src/semmle/code/csharp/Preprocessor.qll b/csharp/ql/src/semmle/code/csharp/Preprocessor.qll
index b22058c05eb..d747c870296 100644
--- a/csharp/ql/src/semmle/code/csharp/Preprocessor.qll
+++ b/csharp/ql/src/semmle/code/csharp/Preprocessor.qll
@@ -62,7 +62,7 @@ class PragmaChecksumDirective extends PreprocessorDirective, @pragma_checksum {
 }
 
 /**
- * An `#define` directive.
+ * A `#define` directive.
  */
 class DefineDirective extends PreprocessorDirective, @directive_define {
   /** Gets the name of the preprocessor symbol that is being set by this directive. */

From f7832adfb8762d99ff18de1091ed9a43ef433254 Mon Sep 17 00:00:00 2001
From: Tamas Vajk <tamasvajk@github.com>
Date: Tue, 26 Jan 2021 15:38:34 +0100
Subject: [PATCH 123/429] Fix code review findings in 'nullable' directives

---
 csharp/ql/src/semmle/code/csharp/Preprocessor.qll | 8 ++++----
 1 file changed, 4 insertions(+), 4 deletions(-)

diff --git a/csharp/ql/src/semmle/code/csharp/Preprocessor.qll b/csharp/ql/src/semmle/code/csharp/Preprocessor.qll
index d747c870296..416082596b1 100644
--- a/csharp/ql/src/semmle/code/csharp/Preprocessor.qll
+++ b/csharp/ql/src/semmle/code/csharp/Preprocessor.qll
@@ -114,13 +114,13 @@ class ErrorDirective extends PreprocessorDirective, @directive_error {
  */
 class NullableDirective extends PreprocessorDirective, @directive_nullable {
   /** Holds if this is a `#nullable disable` directive. */
-  predicate disable() { directive_nullables(this, 0, _) }
+  predicate isDisable() { directive_nullables(this, 0, _) }
 
   /** Holds if this is a `#nullable enable` directive. */
-  predicate enable() { directive_nullables(this, 1, _) }
+  predicate isEnable() { directive_nullables(this, 1, _) }
 
   /** Holds if this is a `#nullable restore` directive. */
-  predicate restore() { directive_nullables(this, 2, _) }
+  predicate isRestore() { directive_nullables(this, 2, _) }
 
   /** Holds if this directive targets all nullable contexts. */
   predicate targetsAll() { directive_nullables(this, _, 0) }
@@ -134,7 +134,7 @@ class NullableDirective extends PreprocessorDirective, @directive_nullable {
   /** Gets the succeeding `#nullable` directive in the file, if any. */
   NullableDirective getSuccNullableDirective() {
     result =
-      rank[1](NullableDirective next |
+      min(NullableDirective next |
         next.getFile() = this.getFile() and
         next.getLocation().getStartLine() > this.getLocation().getStartLine()
       |

From 6ef8e51bcfc6307bc75c3ca477538c7e63b2c206 Mon Sep 17 00:00:00 2001
From: Tamas Vajk <tamasvajk@github.com>
Date: Tue, 26 Jan 2021 15:58:25 +0100
Subject: [PATCH 124/429] Fix code review findings in 'line' directives

---
 csharp/ql/src/semmle/code/csharp/Preprocessor.qll         | 8 ++++----
 .../test/library-tests/comments/LineDirectives.expected   | 2 +-
 csharp/ql/test/library-tests/comments/LineDirectives.ql   | 3 ++-
 3 files changed, 7 insertions(+), 6 deletions(-)

diff --git a/csharp/ql/src/semmle/code/csharp/Preprocessor.qll b/csharp/ql/src/semmle/code/csharp/Preprocessor.qll
index 416082596b1..e391fccbb6c 100644
--- a/csharp/ql/src/semmle/code/csharp/Preprocessor.qll
+++ b/csharp/ql/src/semmle/code/csharp/Preprocessor.qll
@@ -163,7 +163,7 @@ class LineDirective extends PreprocessorDirective, @directive_line {
   /** Gets the succeeding `#line` directive in the file, if any. */
   LineDirective getSuccLineDirective() {
     result =
-      rank[1](LineDirective next |
+      min(LineDirective next |
         next.getFile() = this.getFile() and
         next.getLocation().getStartLine() > this.getLocation().getStartLine()
       |
@@ -216,10 +216,10 @@ class NumericLineDirective extends LineDirective {
   int getLine() { directive_line_values(this, result, _) }
 
   /** Holds if this directive specifies a file name. */
-  predicate hasFileName() { this.getFileName() != "" }
+  predicate hasFileName() { exists(this.getFileName()) }
 
-  /** Gets the file name of this directive. */
-  string getFileName() { directive_line_values(this, _, result) }
+  /** Gets the file name of this directive, if any. */
+  string getFileName() { directive_line_values(this, _, result) and result != "" }
 
   override string getAPrimaryQlClass() { result = "NumericLineDirective" }
 }
diff --git a/csharp/ql/test/library-tests/comments/LineDirectives.expected b/csharp/ql/test/library-tests/comments/LineDirectives.expected
index ae79e53d1b4..c8be4e27890 100644
--- a/csharp/ql/test/library-tests/comments/LineDirectives.expected
+++ b/csharp/ql/test/library-tests/comments/LineDirectives.expected
@@ -4,7 +4,7 @@ hidden
 | trivia.cs:25:1:25:38 | #line hidden |
 lines
 | trivia.cs:18:1:18:19 | #line ... | 200 | Special |
-| trivia.cs:27:1:27:9 | #line ... | 300 |  |
+| trivia.cs:27:1:27:9 | #line ... | 300 | no file |
 succ
 | trivia.cs:18:1:18:19 | #line ... | trivia.cs:21:1:21:13 | #line default |
 | trivia.cs:21:1:21:13 | #line default | trivia.cs:25:1:25:38 | #line hidden |
diff --git a/csharp/ql/test/library-tests/comments/LineDirectives.ql b/csharp/ql/test/library-tests/comments/LineDirectives.ql
index db05488911a..4fa2adedb9d 100644
--- a/csharp/ql/test/library-tests/comments/LineDirectives.ql
+++ b/csharp/ql/test/library-tests/comments/LineDirectives.ql
@@ -5,7 +5,8 @@ query predicate default(DefaultLineDirective line) { any() }
 query predicate hidden(HiddenLineDirective line) { any() }
 
 query predicate lines(NumericLineDirective line, int l, string file) {
-  line.getLine() = l and line.getFileName() = file
+  line.getLine() = l and
+  if line.hasFileName() then line.getFileName() = file else file = "no file"
 }
 
 query predicate succ(LineDirective d, LineDirective succ) { d.getSuccLineDirective() = succ }

From 60b23dc505e90c779c49477e589c99a867b864a6 Mon Sep 17 00:00:00 2001
From: Tamas Vajk <tamasvajk@github.com>
Date: Tue, 26 Jan 2021 16:03:43 +0100
Subject: [PATCH 125/429] Fix code review findings in 'endregion' directives

---
 csharp/ql/src/semmle/code/csharp/Preprocessor.qll             | 4 ++--
 .../ql/test/library-tests/comments/RegionDirectives.expected  | 4 ----
 csharp/ql/test/library-tests/comments/RegionDirectives.ql     | 2 --
 3 files changed, 2 insertions(+), 8 deletions(-)

diff --git a/csharp/ql/src/semmle/code/csharp/Preprocessor.qll b/csharp/ql/src/semmle/code/csharp/Preprocessor.qll
index e391fccbb6c..090ee91b618 100644
--- a/csharp/ql/src/semmle/code/csharp/Preprocessor.qll
+++ b/csharp/ql/src/semmle/code/csharp/Preprocessor.qll
@@ -240,11 +240,11 @@ class RegionDirective extends PreprocessorDirective, @directive_region {
 }
 
 /**
- * A `#endregion` directive.
+ * An `#endregion` directive.
  */
 class EndRegionDirective extends PreprocessorDirective, @directive_endregion {
   /** Gets the opening `#region` directive. */
-  RegionDirective getStart() { regions(result, this) }
+  RegionDirective getStart() { result.getEnd() = this }
 
   override string toString() { result = "#endregion" }
 
diff --git a/csharp/ql/test/library-tests/comments/RegionDirectives.expected b/csharp/ql/test/library-tests/comments/RegionDirectives.expected
index aead68e7ff0..9ede79514b6 100644
--- a/csharp/ql/test/library-tests/comments/RegionDirectives.expected
+++ b/csharp/ql/test/library-tests/comments/RegionDirectives.expected
@@ -1,6 +1,2 @@
-regionDirectives
 | trivia.cs:36:9:36:22 | #region ... | fields | trivia.cs:41:9:41:18 | #endregion |
 | trivia.cs:38:9:38:22 | #region ... | nested | trivia.cs:40:9:40:18 | #endregion |
-endregions
-| trivia.cs:40:9:40:18 | #endregion | trivia.cs:38:9:38:22 | #region ... |
-| trivia.cs:41:9:41:18 | #endregion | trivia.cs:36:9:36:22 | #region ... |
diff --git a/csharp/ql/test/library-tests/comments/RegionDirectives.ql b/csharp/ql/test/library-tests/comments/RegionDirectives.ql
index 9b1296819f2..ea4c7cab4ec 100644
--- a/csharp/ql/test/library-tests/comments/RegionDirectives.ql
+++ b/csharp/ql/test/library-tests/comments/RegionDirectives.ql
@@ -4,5 +4,3 @@ query predicate regionDirectives(RegionDirective d, string name, EndRegionDirect
   d.getName() = name and
   d.getEnd() = end
 }
-
-query predicate endregions(EndRegionDirective d, RegionDirective start) { d.getStart() = start }

From e450b614648d42b4c64d51591d8a2cc36e577f91 Mon Sep 17 00:00:00 2001
From: Tamas Vajk <tamasvajk@github.com>
Date: Tue, 26 Jan 2021 16:09:45 +0100
Subject: [PATCH 126/429] Fix code review findings in directives base class

---
 csharp/ql/src/semmle/code/csharp/Preprocessor.qll   | 2 +-
 csharp/ql/test/library-tests/comments/Directives.ql | 2 +-
 2 files changed, 2 insertions(+), 2 deletions(-)

diff --git a/csharp/ql/src/semmle/code/csharp/Preprocessor.qll b/csharp/ql/src/semmle/code/csharp/Preprocessor.qll
index 090ee91b618..11a2da1d4a5 100644
--- a/csharp/ql/src/semmle/code/csharp/Preprocessor.qll
+++ b/csharp/ql/src/semmle/code/csharp/Preprocessor.qll
@@ -15,7 +15,7 @@ class PreprocessorDirective extends Element, @preprocessor_directive {
    * Holds if this directive is processed by the preprocessor, such as any directive
    * that is not inside a not taken `BranchDirective`.
    */
-  predicate active() { preprocessor_directive_active(this, 1) }
+  predicate isActive() { preprocessor_directive_active(this, 1) }
 
   override Location getALocation() {
     preprocessor_directive_location(this, result) or preprocessor_directive_assembly(this, result)
diff --git a/csharp/ql/test/library-tests/comments/Directives.ql b/csharp/ql/test/library-tests/comments/Directives.ql
index 606ffd042bb..3af699b9a0c 100644
--- a/csharp/ql/test/library-tests/comments/Directives.ql
+++ b/csharp/ql/test/library-tests/comments/Directives.ql
@@ -2,5 +2,5 @@ import csharp
 
 query predicate directives(PreprocessorDirective d, Location l, string isActive) {
   d.getALocation() = l and
-  if d.active() then isActive = "active" else isActive = "inactive"
+  if d.isActive() then isActive = "active" else isActive = "inactive"
 }

From 2b7cc1575765bd69130ffb0ed0cbc5a11a20905f Mon Sep 17 00:00:00 2001
From: Tamas Vajk <tamasvajk@github.com>
Date: Tue, 26 Jan 2021 16:12:56 +0100
Subject: [PATCH 127/429] Introduce base class for branching and conditional
 directives

---
 csharp/ql/src/semmle/code/csharp/Preprocessor.qll | 4 ++--
 csharp/ql/src/semmlecode.csharp.dbscheme          | 3 +++
 2 files changed, 5 insertions(+), 2 deletions(-)

diff --git a/csharp/ql/src/semmle/code/csharp/Preprocessor.qll b/csharp/ql/src/semmle/code/csharp/Preprocessor.qll
index 11a2da1d4a5..8ed13ce0426 100644
--- a/csharp/ql/src/semmle/code/csharp/Preprocessor.qll
+++ b/csharp/ql/src/semmle/code/csharp/Preprocessor.qll
@@ -255,7 +255,7 @@ class EndRegionDirective extends PreprocessorDirective, @directive_endregion {
  * A branching preprocessor directive, such as `IfDirective`, `ElifDirective`, or
  * `ElseDirective`.
  */
-class BranchDirective extends PreprocessorDirective {
+class BranchDirective extends PreprocessorDirective, @branch_directive {
   /** Holds if the branch is taken by the preprocessor. */
   predicate branchTaken() { none() }
 }
@@ -264,7 +264,7 @@ class BranchDirective extends PreprocessorDirective {
  * A preprocessor directive with a branching condition, such as `IfDirective` or
  * `ElifDirective`.
  */
-class ConditionalDirective extends BranchDirective {
+class ConditionalDirective extends BranchDirective, @conditional_directive {
   /** Gets the condition. */
   Expr getCondition() { result = this.getChild(0) }
 
diff --git a/csharp/ql/src/semmlecode.csharp.dbscheme b/csharp/ql/src/semmlecode.csharp.dbscheme
index a904422305b..b85e3971657 100644
--- a/csharp/ql/src/semmlecode.csharp.dbscheme
+++ b/csharp/ql/src/semmlecode.csharp.dbscheme
@@ -335,6 +335,9 @@ using_directive_location(
   | @directive_error | @directive_nullable | @directive_line | @directive_region | @directive_endregion | @directive_if
   | @directive_elif | @directive_else | @directive_endif;
 
+@conditional_directive = @directive_if | @directive_elif;
+@branch_directive = @directive_if | @directive_elif | @directive_else;
+
 directive_ifs(
   unique int id: @directive_if,
   int branchTaken: int ref,     /* 0: false, 1: true */

From a5dec5b4aa754ea0e0bb72d7819ccd76d6fabcb6 Mon Sep 17 00:00:00 2001
From: Tamas Vajk <tamasvajk@github.com>
Date: Tue, 26 Jan 2021 16:32:05 +0100
Subject: [PATCH 128/429] C#: Limit ancestor traversal for 'if' and 'elif'
 lookup

---
 .../Entities/Expression.cs                    | 28 ++++++-------------
 .../Entities/Expressions/Literal.cs           |  3 +-
 .../Entities/Expressions/Name.cs              | 15 ++++++----
 3 files changed, 19 insertions(+), 27 deletions(-)

diff --git a/csharp/extractor/Semmle.Extraction.CSharp/Entities/Expression.cs b/csharp/extractor/Semmle.Extraction.CSharp/Entities/Expression.cs
index 5829bbffa9e..6c738da3af1 100644
--- a/csharp/extractor/Semmle.Extraction.CSharp/Entities/Expression.cs
+++ b/csharp/extractor/Semmle.Extraction.CSharp/Entities/Expression.cs
@@ -534,7 +534,7 @@ namespace Semmle.Extraction.CSharp.Entities
                     return Expression.ValueAsString(c.Value);
                 }
 
-                if (TryGetBoolValueInsideIfDirective(out var val))
+                if (TryGetBoolValueFromLiteral(out var val))
                 {
                     return Expression.ValueAsString(val);
                 }
@@ -604,30 +604,18 @@ namespace Semmle.Extraction.CSharp.Entities
 
         public NullableFlowState FlowState => TypeInfo.Nullability.FlowState;
 
-        public bool IsInsideIfDirective()
-        {
-            return Node.Ancestors().Any(a => a is ElifDirectiveTriviaSyntax || a is IfDirectiveTriviaSyntax);
-        }
-
-        public bool TryGetBoolValueInsideIfDirective(out bool val)
+        private bool TryGetBoolValueFromLiteral(out bool val)
         {
             var isTrue = Node.IsKind(SyntaxKind.TrueLiteralExpression);
             var isFalse = Node.IsKind(SyntaxKind.FalseLiteralExpression);
 
-            if (!isTrue && !isFalse)
-            {
-                val = false;
-                return false;
-            }
-
-            if (!IsInsideIfDirective())
-            {
-                val = false;
-                return false;
-            }
-
             val = isTrue;
-            return true;
+            return isTrue || isFalse;
+        }
+
+        public bool IsBoolLiteral()
+        {
+            return TryGetBoolValueFromLiteral(out var _);
         }
     }
 }
diff --git a/csharp/extractor/Semmle.Extraction.CSharp/Entities/Expressions/Literal.cs b/csharp/extractor/Semmle.Extraction.CSharp/Entities/Expressions/Literal.cs
index d91f426cfd7..51acebef5c8 100644
--- a/csharp/extractor/Semmle.Extraction.CSharp/Entities/Expressions/Literal.cs
+++ b/csharp/extractor/Semmle.Extraction.CSharp/Entities/Expressions/Literal.cs
@@ -25,7 +25,8 @@ namespace Semmle.Extraction.CSharp.Entities.Expressions
                     return ExprKind.NULL_LITERAL;
             }
 
-            if (info.TryGetBoolValueInsideIfDirective(out var _))
+            // short circuit bool literals, because they have no type in `#if A = true`
+            if (info.IsBoolLiteral())
             {
                 return ExprKind.BOOL_LITERAL;
             }
diff --git a/csharp/extractor/Semmle.Extraction.CSharp/Entities/Expressions/Name.cs b/csharp/extractor/Semmle.Extraction.CSharp/Entities/Expressions/Name.cs
index d74afd16329..faf5c9e2bd1 100644
--- a/csharp/extractor/Semmle.Extraction.CSharp/Entities/Expressions/Name.cs
+++ b/csharp/extractor/Semmle.Extraction.CSharp/Entities/Expressions/Name.cs
@@ -27,15 +27,13 @@ namespace Semmle.Extraction.CSharp.Entities.Expressions
 
             if (target == null)
             {
-                if (info.IsInsideIfDirective())
+                if (IsInsideIfDirective(info.Node))
                 {
                     return DefineSymbol.Create(info);
                 }
-                else
-                {
-                    info.Context.ModelError(info.Node, "Failed to resolve name");
-                    return new Unknown(info);
-                }
+
+                info.Context.ModelError(info.Node, "Failed to resolve name");
+                return new Unknown(info);
             }
 
             // There is a very strange bug in Microsoft.CodeAnalysis whereby
@@ -72,5 +70,10 @@ namespace Semmle.Extraction.CSharp.Entities.Expressions
                     throw new InternalError(info.Node, $"Unhandled identifier kind '{target.Kind}'");
             }
         }
+
+        private static bool IsInsideIfDirective(ExpressionSyntax node)
+        {
+            return node.Ancestors().Any(a => a is ElifDirectiveTriviaSyntax || a is IfDirectiveTriviaSyntax);
+        }
     }
 }

From 72547b89e60f4494f8c67a68e7b23b0275aa4ff7 Mon Sep 17 00:00:00 2001
From: Tamas Vajk <tamasvajk@github.com>
Date: Tue, 26 Jan 2021 16:56:46 +0100
Subject: [PATCH 129/429] Rework endregion extraction

---
 .../PreprocessorDirectives/EndRegionDirective.cs  | 15 +++++++--------
 .../PreprocessorDirective.cs                      |  7 +++++--
 .../Populators/DirectiveVisitor.cs                |  4 ++--
 .../extractor/Semmle.Extraction.CSharp/Tuples.cs  |  4 ++--
 csharp/ql/src/semmle/code/csharp/Preprocessor.qll |  2 +-
 csharp/ql/src/semmlecode.csharp.dbscheme          |  9 +++------
 6 files changed, 20 insertions(+), 21 deletions(-)

diff --git a/csharp/extractor/Semmle.Extraction.CSharp/Entities/PreprocessorDirectives/EndRegionDirective.cs b/csharp/extractor/Semmle.Extraction.CSharp/Entities/PreprocessorDirectives/EndRegionDirective.cs
index a320c89028c..d4d75470a97 100644
--- a/csharp/extractor/Semmle.Extraction.CSharp/Entities/PreprocessorDirectives/EndRegionDirective.cs
+++ b/csharp/extractor/Semmle.Extraction.CSharp/Entities/PreprocessorDirectives/EndRegionDirective.cs
@@ -5,19 +5,18 @@ namespace Semmle.Extraction.CSharp.Entities
 {
     internal class EndRegionDirective : PreprocessorDirective<EndRegionDirectiveTriviaSyntax>
     {
-        public EndRegionDirective(Context cx, EndRegionDirectiveTriviaSyntax trivia)
-            : base(cx, trivia)
+        private readonly RegionDirective region;
+
+        public EndRegionDirective(Context cx, EndRegionDirectiveTriviaSyntax trivia, RegionDirective region)
+            : base(cx, trivia, populateFromBase: false)
         {
+            this.region = region;
+            TryPopulate();
         }
 
         protected override void PopulatePreprocessor(TextWriter trapFile)
         {
-            trapFile.directive_endregions(this);
-        }
-
-        internal static void WriteRegionBlock(Context cx, RegionDirective region, EndRegionDirective endregion)
-        {
-            cx.TrapWriter.Writer.regions(region, endregion);
+            trapFile.directive_endregions(this, region);
         }
     }
 }
diff --git a/csharp/extractor/Semmle.Extraction.CSharp/Entities/PreprocessorDirectives/PreprocessorDirective.cs b/csharp/extractor/Semmle.Extraction.CSharp/Entities/PreprocessorDirectives/PreprocessorDirective.cs
index 2a968d7fa46..62c70b3360e 100644
--- a/csharp/extractor/Semmle.Extraction.CSharp/Entities/PreprocessorDirectives/PreprocessorDirective.cs
+++ b/csharp/extractor/Semmle.Extraction.CSharp/Entities/PreprocessorDirectives/PreprocessorDirective.cs
@@ -8,11 +8,14 @@ namespace Semmle.Extraction.CSharp.Entities
     {
         protected readonly TDirective trivia;
 
-        protected PreprocessorDirective(Context cx, TDirective trivia)
+        protected PreprocessorDirective(Context cx, TDirective trivia, bool populateFromBase = true)
             : base(cx)
         {
             this.trivia = trivia;
-            TryPopulate();
+            if (populateFromBase)
+            {
+                TryPopulate();
+            }
         }
 
         protected sealed override void Populate(TextWriter trapFile)
diff --git a/csharp/extractor/Semmle.Extraction.CSharp/Populators/DirectiveVisitor.cs b/csharp/extractor/Semmle.Extraction.CSharp/Populators/DirectiveVisitor.cs
index 074441a70cb..f0044e891bc 100644
--- a/csharp/extractor/Semmle.Extraction.CSharp/Populators/DirectiveVisitor.cs
+++ b/csharp/extractor/Semmle.Extraction.CSharp/Populators/DirectiveVisitor.cs
@@ -65,15 +65,15 @@ namespace Semmle.Extraction.CSharp.Populators
 
         public override void VisitEndRegionDirectiveTrivia(EndRegionDirectiveTriviaSyntax node)
         {
-            var endregion = new Entities.EndRegionDirective(cx, node);
             if (regionStarts.Count == 0)
             {
                 cx.ExtractionError("Couldn't find start region", null,
                     Extraction.Entities.Location.Create(cx, node.GetLocation()), null, Util.Logging.Severity.Warning);
                 return;
             }
+
             var start = regionStarts.Pop();
-            Entities.EndRegionDirective.WriteRegionBlock(cx, start, endregion);
+            new Entities.EndRegionDirective(cx, node, start);
         }
 
         private readonly Stack<Entities.IfDirective> ifStarts = new Stack<Entities.IfDirective>();
diff --git a/csharp/extractor/Semmle.Extraction.CSharp/Tuples.cs b/csharp/extractor/Semmle.Extraction.CSharp/Tuples.cs
index 46609d38bde..95f5db2d744 100644
--- a/csharp/extractor/Semmle.Extraction.CSharp/Tuples.cs
+++ b/csharp/extractor/Semmle.Extraction.CSharp/Tuples.cs
@@ -669,9 +669,9 @@ namespace Semmle.Extraction.CSharp
             trapFile.WriteTuple("directive_regions", directive, name);
         }
 
-        internal static void directive_endregions(this TextWriter trapFile, EndRegionDirective directive)
+        internal static void directive_endregions(this TextWriter trapFile, EndRegionDirective directive, RegionDirective start)
         {
-            trapFile.WriteTuple("directive_endregions", directive);
+            trapFile.WriteTuple("directive_endregions", directive, start);
         }
 
         internal static void regions(this TextWriter trapFile, RegionDirective start, EndRegionDirective end)
diff --git a/csharp/ql/src/semmle/code/csharp/Preprocessor.qll b/csharp/ql/src/semmle/code/csharp/Preprocessor.qll
index 8ed13ce0426..77c6bd199bb 100644
--- a/csharp/ql/src/semmle/code/csharp/Preprocessor.qll
+++ b/csharp/ql/src/semmle/code/csharp/Preprocessor.qll
@@ -232,7 +232,7 @@ class RegionDirective extends PreprocessorDirective, @directive_region {
   string getName() { directive_regions(this, result) }
 
   /** Gets the closing `#endregion` directive. */
-  EndRegionDirective getEnd() { regions(this, result) }
+  EndRegionDirective getEnd() { directive_endregions(result, this) }
 
   override string toString() { result = "#region ..." }
 
diff --git a/csharp/ql/src/semmlecode.csharp.dbscheme b/csharp/ql/src/semmlecode.csharp.dbscheme
index b85e3971657..6dd5048ac60 100644
--- a/csharp/ql/src/semmlecode.csharp.dbscheme
+++ b/csharp/ql/src/semmlecode.csharp.dbscheme
@@ -376,13 +376,10 @@ directive_regions(
   unique int id: @directive_region,
   string name: string ref);
 
+#keyset[id, start]
 directive_endregions(
-  unique int id: @directive_endregion);
-
-#keyset[start, end]
-regions(
-  unique int start: @directive_region ref,
-  unique int end: @directive_endregion ref);
+  unique int id: @directive_endregion,
+  unique int start: @directive_region ref);
 
 directive_lines(
   unique int id: @directive_line,

From 1ab4af275d1abc131af11b68ea54fc25b647028e Mon Sep 17 00:00:00 2001
From: Tamas Vajk <tamasvajk@github.com>
Date: Wed, 27 Jan 2021 09:24:25 +0100
Subject: [PATCH 130/429] Rework if/elif/else/endif extraction

---
 .../PreprocessorDirectives/ElifDirective.cs   | 12 ++++++--
 .../PreprocessorDirectives/ElseDirective.cs   | 12 ++++++--
 .../PreprocessorDirectives/EndIfDirective.cs  | 10 +++++--
 .../PreprocessorDirectives/IfDirective.cs     | 18 ------------
 .../Populators/DirectiveVisitor.cs            | 28 +++++++++++++------
 .../Semmle.Extraction.CSharp/Tuples.cs        | 24 ++++++----------
 .../src/semmle/code/csharp/Preprocessor.qll   | 22 +++++++++------
 csharp/ql/src/semmlecode.csharp.dbscheme      | 27 +++++++-----------
 8 files changed, 76 insertions(+), 77 deletions(-)

diff --git a/csharp/extractor/Semmle.Extraction.CSharp/Entities/PreprocessorDirectives/ElifDirective.cs b/csharp/extractor/Semmle.Extraction.CSharp/Entities/PreprocessorDirectives/ElifDirective.cs
index 26314244ac6..ace89464b96 100644
--- a/csharp/extractor/Semmle.Extraction.CSharp/Entities/PreprocessorDirectives/ElifDirective.cs
+++ b/csharp/extractor/Semmle.Extraction.CSharp/Entities/PreprocessorDirectives/ElifDirective.cs
@@ -5,16 +5,22 @@ namespace Semmle.Extraction.CSharp.Entities
 {
     internal class ElifDirective : PreprocessorDirective<ElifDirectiveTriviaSyntax>, IIfSiblingDirective, IExpressionParentEntity
     {
-        public ElifDirective(Context cx, ElifDirectiveTriviaSyntax trivia)
-            : base(cx, trivia)
+        private readonly IfDirective start;
+        private readonly int index;
+
+        public ElifDirective(Context cx, ElifDirectiveTriviaSyntax trivia, IfDirective start, int index)
+            : base(cx, trivia, populateFromBase: false)
         {
+            this.start = start;
+            this.index = index;
+            TryPopulate();
         }
 
         public bool IsTopLevelParent => true;
 
         protected override void PopulatePreprocessor(TextWriter trapFile)
         {
-            trapFile.directive_elifs(this, trivia.BranchTaken, trivia.ConditionValue);
+            trapFile.directive_elifs(this, trivia.BranchTaken, trivia.ConditionValue, start, index);
 
             Expression.Create(cx, trivia.Condition, this, 0);
         }
diff --git a/csharp/extractor/Semmle.Extraction.CSharp/Entities/PreprocessorDirectives/ElseDirective.cs b/csharp/extractor/Semmle.Extraction.CSharp/Entities/PreprocessorDirectives/ElseDirective.cs
index 48c786627ac..7ab7d45b6e9 100644
--- a/csharp/extractor/Semmle.Extraction.CSharp/Entities/PreprocessorDirectives/ElseDirective.cs
+++ b/csharp/extractor/Semmle.Extraction.CSharp/Entities/PreprocessorDirectives/ElseDirective.cs
@@ -5,14 +5,20 @@ namespace Semmle.Extraction.CSharp.Entities
 {
     internal class ElseDirective : PreprocessorDirective<ElseDirectiveTriviaSyntax>, IIfSiblingDirective
     {
-        public ElseDirective(Context cx, ElseDirectiveTriviaSyntax trivia)
-            : base(cx, trivia)
+        private readonly IfDirective start;
+        private readonly int index;
+
+        public ElseDirective(Context cx, ElseDirectiveTriviaSyntax trivia, IfDirective start, int index)
+            : base(cx, trivia, populateFromBase: false)
         {
+            this.start = start;
+            this.index = index;
+            TryPopulate();
         }
 
         protected override void PopulatePreprocessor(TextWriter trapFile)
         {
-            trapFile.directive_elses(this, trivia.BranchTaken);
+            trapFile.directive_elses(this, trivia.BranchTaken, start, index);
         }
     }
 }
diff --git a/csharp/extractor/Semmle.Extraction.CSharp/Entities/PreprocessorDirectives/EndIfDirective.cs b/csharp/extractor/Semmle.Extraction.CSharp/Entities/PreprocessorDirectives/EndIfDirective.cs
index 85d5c89f353..9c349844dc6 100644
--- a/csharp/extractor/Semmle.Extraction.CSharp/Entities/PreprocessorDirectives/EndIfDirective.cs
+++ b/csharp/extractor/Semmle.Extraction.CSharp/Entities/PreprocessorDirectives/EndIfDirective.cs
@@ -5,14 +5,18 @@ namespace Semmle.Extraction.CSharp.Entities
 {
     internal class EndIfDirective : PreprocessorDirective<EndIfDirectiveTriviaSyntax>
     {
-        public EndIfDirective(Context cx, EndIfDirectiveTriviaSyntax trivia)
-            : base(cx, trivia)
+        private readonly IfDirective start;
+
+        public EndIfDirective(Context cx, EndIfDirectiveTriviaSyntax trivia, IfDirective start)
+            : base(cx, trivia, populateFromBase: false)
         {
+            this.start = start;
+            TryPopulate();
         }
 
         protected override void PopulatePreprocessor(TextWriter trapFile)
         {
-            trapFile.directive_endifs(this);
+            trapFile.directive_endifs(this, start);
         }
     }
 }
diff --git a/csharp/extractor/Semmle.Extraction.CSharp/Entities/PreprocessorDirectives/IfDirective.cs b/csharp/extractor/Semmle.Extraction.CSharp/Entities/PreprocessorDirectives/IfDirective.cs
index fc9af188c1d..e1b81e60d8a 100644
--- a/csharp/extractor/Semmle.Extraction.CSharp/Entities/PreprocessorDirectives/IfDirective.cs
+++ b/csharp/extractor/Semmle.Extraction.CSharp/Entities/PreprocessorDirectives/IfDirective.cs
@@ -1,13 +1,10 @@
 using Microsoft.CodeAnalysis.CSharp.Syntax;
-using System.Collections.Generic;
 using System.IO;
 
 namespace Semmle.Extraction.CSharp.Entities
 {
     internal class IfDirective : PreprocessorDirective<IfDirectiveTriviaSyntax>, IExpressionParentEntity
     {
-        private readonly List<IIfSiblingDirective> branches = new List<IIfSiblingDirective>();
-
         public IfDirective(Context cx, IfDirectiveTriviaSyntax trivia)
             : base(cx, trivia)
         {
@@ -21,20 +18,5 @@ namespace Semmle.Extraction.CSharp.Entities
 
             Expression.Create(cx, trivia.Condition, this, 0);
         }
-
-        internal void Add(IIfSiblingDirective branch)
-        {
-            branches.Add(branch);
-        }
-
-        internal void WriteBranches(EndIfDirective endif)
-        {
-            cx.TrapWriter.Writer.directive_if_endif(this, endif);
-            var siblings = 0;
-            foreach (var branch in branches)
-            {
-                cx.TrapWriter.Writer.directive_if_siblings(this, branch, siblings++);
-            }
-        }
     }
 }
diff --git a/csharp/extractor/Semmle.Extraction.CSharp/Populators/DirectiveVisitor.cs b/csharp/extractor/Semmle.Extraction.CSharp/Populators/DirectiveVisitor.cs
index f0044e891bc..4098576a86d 100644
--- a/csharp/extractor/Semmle.Extraction.CSharp/Populators/DirectiveVisitor.cs
+++ b/csharp/extractor/Semmle.Extraction.CSharp/Populators/DirectiveVisitor.cs
@@ -76,51 +76,63 @@ namespace Semmle.Extraction.CSharp.Populators
             new Entities.EndRegionDirective(cx, node, start);
         }
 
-        private readonly Stack<Entities.IfDirective> ifStarts = new Stack<Entities.IfDirective>();
+        private class IfDirectiveStackElement
+        {
+            public Entities.IfDirective Entity { get; }
+            public int SiblingCount { get; set; }
+
+
+            public IfDirectiveStackElement(Entities.IfDirective entity)
+            {
+                Entity = entity;
+            }
+        }
+
+        private readonly Stack<IfDirectiveStackElement> ifStarts = new Stack<IfDirectiveStackElement>();
 
         public override void VisitIfDirectiveTrivia(IfDirectiveTriviaSyntax node)
         {
             var ifStart = new Entities.IfDirective(cx, node);
-            ifStarts.Push(ifStart);
+            ifStarts.Push(new IfDirectiveStackElement(ifStart));
         }
 
         public override void VisitEndIfDirectiveTrivia(EndIfDirectiveTriviaSyntax node)
         {
-            var endif = new Entities.EndIfDirective(cx, node);
             if (ifStarts.Count == 0)
             {
                 cx.ExtractionError("Couldn't find start if", null,
                     Extraction.Entities.Location.Create(cx, node.GetLocation()), null, Util.Logging.Severity.Warning);
                 return;
             }
+
             var start = ifStarts.Pop();
-            start.WriteBranches(endif);
+            new Entities.EndIfDirective(cx, node, start.Entity);
         }
 
         public override void VisitElifDirectiveTrivia(ElifDirectiveTriviaSyntax node)
         {
-            var elif = new Entities.ElifDirective(cx, node);
             if (ifStarts.Count == 0)
             {
                 cx.ExtractionError("Couldn't find start if", null,
                     Extraction.Entities.Location.Create(cx, node.GetLocation()), null, Util.Logging.Severity.Warning);
                 return;
             }
+
             var start = ifStarts.Peek();
-            start.Add(elif);
+            new Entities.ElifDirective(cx, node, start.Entity, start.SiblingCount++);
         }
 
         public override void VisitElseDirectiveTrivia(ElseDirectiveTriviaSyntax node)
         {
-            var elseDirective = new Entities.ElseDirective(cx, node);
             if (ifStarts.Count == 0)
             {
                 cx.ExtractionError("Couldn't find start if", null,
                     Extraction.Entities.Location.Create(cx, node.GetLocation()), null, Util.Logging.Severity.Warning);
                 return;
             }
+
             var start = ifStarts.Peek();
-            start.Add(elseDirective);
+            new Entities.ElseDirective(cx, node, start.Entity, start.SiblingCount++);
         }
     }
 }
diff --git a/csharp/extractor/Semmle.Extraction.CSharp/Tuples.cs b/csharp/extractor/Semmle.Extraction.CSharp/Tuples.cs
index 95f5db2d744..82416e64978 100644
--- a/csharp/extractor/Semmle.Extraction.CSharp/Tuples.cs
+++ b/csharp/extractor/Semmle.Extraction.CSharp/Tuples.cs
@@ -684,29 +684,21 @@ namespace Semmle.Extraction.CSharp
             trapFile.WriteTuple("directive_ifs", directive, branchTaken ? 1 : 0, conditionValue ? 1 : 0);
         }
 
-        internal static void directive_elifs(this TextWriter trapFile, ElifDirective directive, bool branchTaken, bool conditionValue)
+        internal static void directive_elifs(this TextWriter trapFile, ElifDirective directive, bool branchTaken, bool conditionValue,
+            IfDirective start, int index)
         {
-            trapFile.WriteTuple("directive_elifs", directive, branchTaken ? 1 : 0, conditionValue ? 1 : 0);
+            trapFile.WriteTuple("directive_elifs", directive, branchTaken ? 1 : 0, conditionValue ? 1 : 0, start, index);
         }
 
-        internal static void directive_elses(this TextWriter trapFile, ElseDirective directive, bool branchTaken)
+        internal static void directive_elses(this TextWriter trapFile, ElseDirective directive, bool branchTaken,
+            IfDirective start, int index)
         {
-            trapFile.WriteTuple("directive_elses", directive, branchTaken ? 1 : 0);
+            trapFile.WriteTuple("directive_elses", directive, branchTaken ? 1 : 0, start, index);
         }
 
-        internal static void directive_endifs(this TextWriter trapFile, EndIfDirective directive)
+        internal static void directive_endifs(this TextWriter trapFile, EndIfDirective directive, IfDirective start)
         {
-            trapFile.WriteTuple("directive_endifs", directive);
-        }
-
-        internal static void directive_if_endif(this TextWriter trapFile, IfDirective start, EndIfDirective end)
-        {
-            trapFile.WriteTuple("directive_if_endif", start, end);
-        }
-
-        internal static void directive_if_siblings(this TextWriter trapFile, IfDirective start, IIfSiblingDirective siblingDirective, int index)
-        {
-            trapFile.WriteTuple("directive_if_siblings", start, siblingDirective, index);
+            trapFile.WriteTuple("directive_endifs", directive, start);
         }
 
         internal static void directive_define_symbols(this TextWriter trapFile, DefineSymbol symb, string name)
diff --git a/csharp/ql/src/semmle/code/csharp/Preprocessor.qll b/csharp/ql/src/semmle/code/csharp/Preprocessor.qll
index 77c6bd199bb..8548db264fd 100644
--- a/csharp/ql/src/semmle/code/csharp/Preprocessor.qll
+++ b/csharp/ql/src/semmle/code/csharp/Preprocessor.qll
@@ -281,10 +281,13 @@ class IfDirective extends ConditionalDirective, @directive_if {
   override predicate conditionMatched() { directive_ifs(this, _, 1) }
 
   /** Gets the closing `#endif` preprocessor directive. */
-  EndifDirective getEndifDirective() { directive_if_endif(this, result) }
+  EndifDirective getEndifDirective() { directive_endifs(result, this) }
 
   /** Gets the sibling `#elif` or `#else` preprocessor directive at index `sibling`. */
-  BranchDirective getSiblingDirective(int sibling) { directive_if_siblings(this, result, sibling) }
+  BranchDirective getSiblingDirective(int sibling) {
+    directive_elifs(result, _, _, this, sibling) or
+    directive_elses(result, _, this, sibling)
+  }
 
   /** Gets a sibling `#elif` or `#else` preprocessor directive. */
   BranchDirective getASiblingDirective() { result = getSiblingDirective(_) }
@@ -298,17 +301,18 @@ class IfDirective extends ConditionalDirective, @directive_if {
  * An `#elif` preprocessor directive.
  */
 class ElifDirective extends ConditionalDirective, @directive_elif {
-  override predicate branchTaken() { directive_elifs(this, 1, _) }
+  override predicate branchTaken() { directive_elifs(this, 1, _, _, _) }
 
-  override predicate conditionMatched() { directive_elifs(this, _, 1) }
+  override predicate conditionMatched() { directive_elifs(this, _, 1, _, _) }
 
   /** Gets the opening `#if` preprocessor directive. */
-  IfDirective getIfDirective() { directive_if_siblings(result, this, _) }
+  IfDirective getIfDirective() { directive_elifs(this, _, _, result, _) }
 
   /** Gets the successive branching preprocessor directive (`#elif` or `#else`), if any. */
   BranchDirective getSuccSiblingDirective() {
     exists(IfDirective i, int index |
-      directive_if_siblings(i, this, index) and directive_if_siblings(i, result, index + 1)
+      this = i.getSiblingDirective(index) and
+      result = i.getSiblingDirective(index + 1)
     )
   }
 
@@ -322,9 +326,9 @@ class ElifDirective extends ConditionalDirective, @directive_elif {
  */
 class ElseDirective extends BranchDirective, @directive_else {
   /** Gets the opening `#if` preprocessor directive. */
-  IfDirective getIfDirective() { directive_if_siblings(result, this, _) }
+  IfDirective getIfDirective() { directive_elses(this, _, result, _) }
 
-  override predicate branchTaken() { directive_elses(this, 1) }
+  override predicate branchTaken() { directive_elses(this, 1, _, _) }
 
   override string toString() { result = "#else" }
 
@@ -336,7 +340,7 @@ class ElseDirective extends BranchDirective, @directive_else {
  */
 class EndifDirective extends PreprocessorDirective, @directive_endif {
   /** Gets the opening `#if` preprocessor directive. */
-  IfDirective getIfDirective() { directive_if_endif(result, this) }
+  IfDirective getIfDirective() { directive_endifs(this, result) }
 
   override string toString() { result = "#endif" }
 
diff --git a/csharp/ql/src/semmlecode.csharp.dbscheme b/csharp/ql/src/semmlecode.csharp.dbscheme
index 6dd5048ac60..f5d3daf62b8 100644
--- a/csharp/ql/src/semmlecode.csharp.dbscheme
+++ b/csharp/ql/src/semmlecode.csharp.dbscheme
@@ -346,28 +346,21 @@ directive_ifs(
 directive_elifs(
   unique int id: @directive_elif,
   int branchTaken: int ref,     /* 0: false, 1: true */
-  int conditionValue: int ref); /* 0: false, 1: true */
+  int conditionValue: int ref,  /* 0: false, 1: true */
+  int parent: @directive_if ref,
+  int index: int ref);
 
 directive_elses(
   unique int id: @directive_else,
-  int branchTaken: int ref);  /* 0: false, 1: true */
-
-directive_endifs(
-  unique int id: @directive_endif);
-
-#keyset[start, end]
-directive_if_endif(
-  unique int start: @directive_if ref,
-  unique int end: @directive_endif ref);
-
-@directive_if_sibling = @directive_else | @directive_elif;
-
-#keyset[start, index]
-directive_if_siblings(
-  int start: @directive_if ref,
-  int sibling: @directive_if_sibling ref,
+  int branchTaken: int ref,   /* 0: false, 1: true */
+  int parent: @directive_if ref,
   int index: int ref);
 
+#keyset[id, start]
+directive_endifs(
+  unique int id: @directive_endif,
+  unique int start: @directive_if ref);
+
 directive_define_symbols(
   unique int id: @define_symbol_expr ref,
   string name: string ref);

From 967765342ee1161140442c9ae378e88cb15abaf8 Mon Sep 17 00:00:00 2001
From: Tamas Vajk <tamasvajk@github.com>
Date: Wed, 27 Jan 2021 16:17:32 +0100
Subject: [PATCH 131/429] Assign preprocessor directives to compilation + make
 compilation cached

---
 .../Semmle.Extraction.CSharp/Analyser.cs      |  10 +-
 .../Entities/Compilation.cs                   | 125 ------------------
 .../Entities/Compilations/Compilation.cs      | 105 +++++++++++++++
 .../Entities/Compilations/Diagnostic.cs       |  23 ++++
 .../Compilations/PerformanceMetrics.cs        |  32 +++++
 .../Entities/Compilations/Timings.cs          |  11 ++
 .../PreprocessorDirective.cs                  |   4 +-
 .../Semmle.Extraction.CSharp/Extractor.cs     |  12 +-
 .../Semmle.Extraction.CSharp/Tuples.cs        |   6 +-
 csharp/extractor/Semmle.Extraction/Context.cs |  12 +-
 .../src/semmle/code/csharp/Preprocessor.qll   |   8 +-
 csharp/ql/src/semmlecode.csharp.dbscheme      |   4 +-
 .../comments/Directives.expected              |  62 ++++-----
 .../test/library-tests/comments/Directives.ql |   3 +
 14 files changed, 236 insertions(+), 181 deletions(-)
 delete mode 100644 csharp/extractor/Semmle.Extraction.CSharp/Entities/Compilation.cs
 create mode 100644 csharp/extractor/Semmle.Extraction.CSharp/Entities/Compilations/Compilation.cs
 create mode 100644 csharp/extractor/Semmle.Extraction.CSharp/Entities/Compilations/Diagnostic.cs
 create mode 100644 csharp/extractor/Semmle.Extraction.CSharp/Entities/Compilations/PerformanceMetrics.cs
 create mode 100644 csharp/extractor/Semmle.Extraction.CSharp/Entities/Compilations/Timings.cs

diff --git a/csharp/extractor/Semmle.Extraction.CSharp/Analyser.cs b/csharp/extractor/Semmle.Extraction.CSharp/Analyser.cs
index 5aa4f452d92..75db5c0e951 100644
--- a/csharp/extractor/Semmle.Extraction.CSharp/Analyser.cs
+++ b/csharp/extractor/Semmle.Extraction.CSharp/Analyser.cs
@@ -215,14 +215,12 @@ namespace Semmle.Extraction.CSharp
         /// <summary>
         /// Extracts compilation-wide entities, such as compilations and compiler diagnostics.
         /// </summary>
-        public void AnalyseCompilation(string cwd, string[] args)
+        public void AnalyseCompilation()
         {
-            extractionTasks.Add(() => DoAnalyseCompilation(cwd, args));
+            extractionTasks.Add(() => DoAnalyseCompilation());
         }
 
-
-
-        private void DoAnalyseCompilation(string cwd, string[] args)
+        private void DoAnalyseCompilation()
         {
             try
             {
@@ -234,7 +232,7 @@ namespace Semmle.Extraction.CSharp
                 compilationTrapFile = trapWriter;  // Dispose later
                 var cx = extractor.CreateContext(compilation.Clone(), trapWriter, new AssemblyScope(assembly, assemblyPath), AddAssemblyTrapPrefix);
 
-                compilationEntity = new Entities.Compilation(cx, cwd, args);
+                compilationEntity = Entities.Compilation.Create(cx);
             }
             catch (Exception ex)  // lgtm[cs/catch-of-all-exceptions]
             {
diff --git a/csharp/extractor/Semmle.Extraction.CSharp/Entities/Compilation.cs b/csharp/extractor/Semmle.Extraction.CSharp/Entities/Compilation.cs
deleted file mode 100644
index d4f0da99a28..00000000000
--- a/csharp/extractor/Semmle.Extraction.CSharp/Entities/Compilation.cs
+++ /dev/null
@@ -1,125 +0,0 @@
-using Microsoft.CodeAnalysis;
-using System;
-using System.Collections.Generic;
-using System.IO;
-using System.Linq;
-using Semmle.Util;
-
-namespace Semmle.Extraction.CSharp.Entities
-{
-    internal class Compilation : FreshEntity
-    {
-        private readonly string cwd;
-        private readonly string[] args;
-
-        public Compilation(Context cx, string cwd, string[] args) : base(cx)
-        {
-            this.cwd = cwd;
-            this.args = args;
-            TryPopulate();
-        }
-
-        protected override void Populate(TextWriter trapFile)
-        {
-            var assembly = Extraction.Entities.Assembly.CreateOutputAssembly(cx);
-
-            trapFile.compilations(this, FileUtils.ConvertToUnix(cwd));
-            trapFile.compilation_assembly(this, assembly);
-
-            // Arguments
-            var index = 0;
-            foreach (var arg in args)
-            {
-                trapFile.compilation_args(this, index++, arg);
-            }
-
-            // Files
-            index = 0;
-            foreach (var file in cx.Compilation.SyntaxTrees.Select(tree => Extraction.Entities.File.Create(cx, tree.FilePath)))
-            {
-                trapFile.compilation_compiling_files(this, index++, file);
-            }
-
-            // References
-            index = 0;
-            foreach (var file in cx.Compilation.References.OfType<PortableExecutableReference>().Select(r => Extraction.Entities.File.Create(cx, r.FilePath)))
-            {
-                trapFile.compilation_referencing_files(this, index++, file);
-            }
-
-            // Diagnostics
-            index = 0;
-            foreach (var diag in cx.Compilation.GetDiagnostics().Select(d => new Diagnostic(cx, d)))
-            {
-                trapFile.diagnostic_for(diag, this, 0, index++);
-            }
-        }
-
-        public void PopulatePerformance(PerformanceMetrics p)
-        {
-            var trapFile = cx.TrapWriter.Writer;
-            var index = 0;
-            foreach (var metric in p.Metrics)
-            {
-                trapFile.compilation_time(this, -1, index++, metric);
-            }
-            trapFile.compilation_finished(this, (float)p.Total.Cpu.TotalSeconds, (float)p.Total.Elapsed.TotalSeconds);
-        }
-
-        public override TrapStackBehaviour TrapStackBehaviour => TrapStackBehaviour.NoLabel;
-    }
-
-    internal class Diagnostic : FreshEntity
-    {
-        public override TrapStackBehaviour TrapStackBehaviour => TrapStackBehaviour.NoLabel;
-
-        private readonly Microsoft.CodeAnalysis.Diagnostic diagnostic;
-
-        public Diagnostic(Context cx, Microsoft.CodeAnalysis.Diagnostic diag) : base(cx)
-        {
-            diagnostic = diag;
-            TryPopulate();
-        }
-
-        protected override void Populate(TextWriter trapFile)
-        {
-            trapFile.diagnostics(this, (int)diagnostic.Severity, diagnostic.Id, diagnostic.Descriptor.Title.ToString(),
-                diagnostic.GetMessage(), Extraction.Entities.Location.Create(cx, diagnostic.Location));
-        }
-    }
-
-    public struct Timings
-    {
-        public TimeSpan Elapsed { get; set; }
-        public TimeSpan Cpu { get; set; }
-        public TimeSpan User { get; set; }
-    }
-
-    /// <summary>
-    /// The various performance metrics to log.
-    /// </summary>
-    public struct PerformanceMetrics
-    {
-        public Timings Frontend { get; set; }
-        public Timings Extractor { get; set; }
-        public Timings Total { get; set; }
-        public long PeakWorkingSet { get; set; }
-
-        /// <summary>
-        /// These are in database order (0 indexed)
-        /// </summary>
-        public IEnumerable<float> Metrics
-        {
-            get
-            {
-                yield return (float)Frontend.Cpu.TotalSeconds;
-                yield return (float)Frontend.Elapsed.TotalSeconds;
-                yield return (float)Extractor.Cpu.TotalSeconds;
-                yield return (float)Extractor.Elapsed.TotalSeconds;
-                yield return (float)Frontend.User.TotalSeconds;
-                yield return (float)Extractor.User.TotalSeconds;
-                yield return PeakWorkingSet / 1024.0f / 1024.0f;
-            }
-        }
-    }
-}
diff --git a/csharp/extractor/Semmle.Extraction.CSharp/Entities/Compilations/Compilation.cs b/csharp/extractor/Semmle.Extraction.CSharp/Entities/Compilations/Compilation.cs
new file mode 100644
index 00000000000..800e35d5ff4
--- /dev/null
+++ b/csharp/extractor/Semmle.Extraction.CSharp/Entities/Compilations/Compilation.cs
@@ -0,0 +1,105 @@
+using Microsoft.CodeAnalysis;
+using System;
+using System.IO;
+using System.Linq;
+using Semmle.Util;
+
+namespace Semmle.Extraction.CSharp.Entities
+{
+    public class Compilation : CachedEntity<object>
+    {
+        private static (string Cwd, string[] Args) settings;
+        private static int hashCode;
+
+        public static (string Cwd, string[] Args) Settings
+        {
+            get { return settings; }
+            set
+            {
+                settings = value;
+                hashCode = settings.Cwd.GetHashCode();
+                for (var i = 0; i < settings.Args.Length; i++)
+                {
+                    hashCode = HashCode.Combine(hashCode, settings.Args[i].GetHashCode());
+                }
+            }
+        }
+
+        private Compilation(Context cx) : base(cx, null)
+        {
+        }
+
+        public override void Populate(TextWriter trapFile)
+        {
+            var assembly = Extraction.Entities.Assembly.CreateOutputAssembly(Context);
+
+            trapFile.compilations(this, FileUtils.ConvertToUnix(Compilation.Settings.Cwd));
+            trapFile.compilation_assembly(this, assembly);
+
+            // Arguments
+            var index = 0;
+            foreach (var arg in Compilation.Settings.Args)
+            {
+                trapFile.compilation_args(this, index++, arg);
+            }
+
+            // Files
+            index = 0;
+            foreach (var file in Context.Compilation.SyntaxTrees.Select(tree => Extraction.Entities.File.Create(Context, tree.FilePath)))
+            {
+                trapFile.compilation_compiling_files(this, index++, file);
+            }
+
+            // References
+            index = 0;
+            foreach (var file in Context.Compilation.References
+                .OfType<PortableExecutableReference>()
+                .Select(r => Extraction.Entities.File.Create(Context, r.FilePath)))
+            {
+                trapFile.compilation_referencing_files(this, index++, file);
+            }
+
+            // Diagnostics
+            index = 0;
+            foreach (var diag in Context.Compilation.GetDiagnostics().Select(d => new Diagnostic(Context, d)))
+            {
+                trapFile.diagnostic_for(diag, this, 0, index++);
+            }
+        }
+
+        public void PopulatePerformance(PerformanceMetrics p)
+        {
+            var trapFile = Context.TrapWriter.Writer;
+            var index = 0;
+            foreach (var metric in p.Metrics)
+            {
+                trapFile.compilation_time(this, -1, index++, metric);
+            }
+            trapFile.compilation_finished(this, (float)p.Total.Cpu.TotalSeconds, (float)p.Total.Elapsed.TotalSeconds);
+        }
+
+        public override void WriteId(TextWriter trapFile)
+        {
+            trapFile.Write(hashCode);
+            trapFile.Write(";compilation");
+        }
+
+        public override TrapStackBehaviour TrapStackBehaviour => TrapStackBehaviour.NoLabel;
+
+        public override Location ReportingLocation => throw new NotImplementedException();
+
+        public override bool NeedsPopulation => Context.IsAssemblyScope;
+
+        private class CompilationFactory : ICachedEntityFactory<object, Compilation>
+        {
+            public static CompilationFactory Instance { get; } = new CompilationFactory();
+
+            public Compilation Create(Context cx, object init) => new Compilation(cx);
+        }
+
+        private static readonly object compilationCacheKey = new object();
+
+        public static Compilation Create(Context cx)
+            => CompilationFactory.Instance.CreateEntity(cx, compilationCacheKey, null);
+    }
+}
diff --git a/csharp/extractor/Semmle.Extraction.CSharp/Entities/Compilations/Diagnostic.cs b/csharp/extractor/Semmle.Extraction.CSharp/Entities/Compilations/Diagnostic.cs
new file mode 100644
index 00000000000..2900e5b0ae0
--- /dev/null
+++ b/csharp/extractor/Semmle.Extraction.CSharp/Entities/Compilations/Diagnostic.cs
@@ -0,0 +1,23 @@
+using System.IO;
+
+namespace Semmle.Extraction.CSharp.Entities
+{
+    internal class Diagnostic : FreshEntity
+    {
+        public override TrapStackBehaviour TrapStackBehaviour => TrapStackBehaviour.NoLabel;
+
+        private readonly Microsoft.CodeAnalysis.Diagnostic diagnostic;
+
+        public Diagnostic(Context cx, Microsoft.CodeAnalysis.Diagnostic diag) : base(cx)
+        {
+            diagnostic = diag;
+            TryPopulate();
+        }
+
+        protected override void Populate(TextWriter trapFile)
+        {
+            trapFile.diagnostics(this, (int)diagnostic.Severity, diagnostic.Id, diagnostic.Descriptor.Title.ToString(),
+                diagnostic.GetMessage(), Extraction.Entities.Location.Create(cx, diagnostic.Location));
+        }
+    }
+}
diff --git a/csharp/extractor/Semmle.Extraction.CSharp/Entities/Compilations/PerformanceMetrics.cs b/csharp/extractor/Semmle.Extraction.CSharp/Entities/Compilations/PerformanceMetrics.cs
new file mode 100644
index 00000000000..67aa2f25a88
--- /dev/null
+++ b/csharp/extractor/Semmle.Extraction.CSharp/Entities/Compilations/PerformanceMetrics.cs
@@ -0,0 +1,32 @@
+using System.Collections.Generic;
+
+namespace Semmle.Extraction.CSharp.Entities
+{
+    /// <summary>
+    /// The various performance metrics to log.
+    /// </summary>
+    public struct PerformanceMetrics
+    {
+        public Timings Frontend { get; set; }
+        public Timings Extractor { get; set; }
+        public Timings Total { get; set; }
+        public long PeakWorkingSet { get; set; }
+
+        /// <summary>
+        /// These are in database order (0 indexed)
+        /// </summary>
+        public IEnumerable<float> Metrics
+        {
+            get
+            {
+                yield return (float)Frontend.Cpu.TotalSeconds;
+                yield return (float)Frontend.Elapsed.TotalSeconds;
+                yield return (float)Extractor.Cpu.TotalSeconds;
+                yield return (float)Extractor.Elapsed.TotalSeconds;
+                yield return (float)Frontend.User.TotalSeconds;
+                yield return (float)Extractor.User.TotalSeconds;
+                yield return PeakWorkingSet / 1024.0f / 1024.0f;
+            }
+        }
+    }
+}
diff --git a/csharp/extractor/Semmle.Extraction.CSharp/Entities/Compilations/Timings.cs b/csharp/extractor/Semmle.Extraction.CSharp/Entities/Compilations/Timings.cs
new file mode 100644
index 00000000000..43f22922309
--- /dev/null
+++ b/csharp/extractor/Semmle.Extraction.CSharp/Entities/Compilations/Timings.cs
@@ -0,0 +1,11 @@
+using System;
+
+namespace Semmle.Extraction.CSharp.Entities
+{
+    public struct Timings
+    {
+        public TimeSpan Elapsed { get; set; }
+        public TimeSpan Cpu { get; set; }
+        public TimeSpan User { get; set; }
+    }
+}
diff --git a/csharp/extractor/Semmle.Extraction.CSharp/Entities/PreprocessorDirectives/PreprocessorDirective.cs b/csharp/extractor/Semmle.Extraction.CSharp/Entities/PreprocessorDirectives/PreprocessorDirective.cs
index 62c70b3360e..6ea6172a2d3 100644
--- a/csharp/extractor/Semmle.Extraction.CSharp/Entities/PreprocessorDirectives/PreprocessorDirective.cs
+++ b/csharp/extractor/Semmle.Extraction.CSharp/Entities/PreprocessorDirectives/PreprocessorDirective.cs
@@ -27,8 +27,8 @@ namespace Semmle.Extraction.CSharp.Entities
 
             if (!cx.Extractor.Standalone)
             {
-                var assembly = Assembly.CreateOutputAssembly(cx);
-                trapFile.preprocessor_directive_assembly(this, assembly);
+                var compilation = Compilation.Create(cx);
+                trapFile.preprocessor_directive_compilation(this, compilation);
             }
         }
 
diff --git a/csharp/extractor/Semmle.Extraction.CSharp/Extractor.cs b/csharp/extractor/Semmle.Extraction.CSharp/Extractor.cs
index cf991e0930a..2f979863dd0 100644
--- a/csharp/extractor/Semmle.Extraction.CSharp/Extractor.cs
+++ b/csharp/extractor/Semmle.Extraction.CSharp/Extractor.cs
@@ -68,7 +68,10 @@ namespace Semmle.Extraction.CSharp
         {
             var stopwatch = new Stopwatch();
             stopwatch.Start();
-            var commandLineArguments = Options.CreateWithEnvironment(args);
+
+            Entities.Compilation.Settings = (Directory.GetCurrentDirectory(), args);
+
+            var commandLineArguments = Options.CreateWithEnvironment(Entities.Compilation.Settings.Args);
             var fileLogger = new FileLogger(commandLineArguments.Verbosity, GetCSharpLogPath());
             using var logger = commandLineArguments.Console
                 ? new CombinedLogger(new ConsoleLogger(commandLineArguments.Verbosity), fileLogger)
@@ -95,10 +98,9 @@ namespace Semmle.Extraction.CSharp
                     return ExitCode.Ok;
                 }
 
-                var cwd = Directory.GetCurrentDirectory();
                 var compilerArguments = CSharpCommandLineParser.Default.Parse(
                     compilerVersion.ArgsWithResponse,
-                    cwd,
+                    Entities.Compilation.Settings.Cwd,
                     compilerVersion.FrameworkPath,
                     compilerVersion.AdditionalReferenceDirectories
                     );
@@ -106,7 +108,7 @@ namespace Semmle.Extraction.CSharp
                 if (compilerArguments == null)
                 {
                     var sb = new StringBuilder();
-                    sb.Append("  Failed to parse command line: ").AppendList(" ", args);
+                    sb.Append("  Failed to parse command line: ").AppendList(" ", Entities.Compilation.Settings.Args);
                     logger.Log(Severity.Error, sb.ToString());
                     ++analyser.CompilationErrors;
                     return ExitCode.Failed;
@@ -159,7 +161,7 @@ namespace Semmle.Extraction.CSharp
                     );
 
                 analyser.EndInitialize(compilerArguments, commandLineArguments, compilation);
-                analyser.AnalyseCompilation(cwd, args);
+                analyser.AnalyseCompilation();
                 analyser.AnalyseReferences();
 
                 foreach (var tree in compilation.SyntaxTrees)
diff --git a/csharp/extractor/Semmle.Extraction.CSharp/Tuples.cs b/csharp/extractor/Semmle.Extraction.CSharp/Tuples.cs
index 82416e64978..0d88451c075 100644
--- a/csharp/extractor/Semmle.Extraction.CSharp/Tuples.cs
+++ b/csharp/extractor/Semmle.Extraction.CSharp/Tuples.cs
@@ -600,11 +600,11 @@ namespace Semmle.Extraction.CSharp
             trapFile.WriteTuple("preprocessor_directive_location", directive, location);
         }
 
-        internal static void preprocessor_directive_assembly<TDirective>(this TextWriter trapFile,
-            PreprocessorDirective<TDirective> directive, Assembly assembly)
+        internal static void preprocessor_directive_compilation<TDirective>(this TextWriter trapFile,
+            PreprocessorDirective<TDirective> directive, Compilation compilation)
             where TDirective : DirectiveTriviaSyntax
         {
-            trapFile.WriteTuple("preprocessor_directive_assembly", directive, assembly);
+            trapFile.WriteTuple("preprocessor_directive_compilation", directive, compilation);
         }
 
         internal static void preprocessor_directive_active<TDirective>(this TextWriter trapFile,
diff --git a/csharp/extractor/Semmle.Extraction/Context.cs b/csharp/extractor/Semmle.Extraction/Context.cs
index cbb68e1a936..a70a17ddaf2 100644
--- a/csharp/extractor/Semmle.Extraction/Context.cs
+++ b/csharp/extractor/Semmle.Extraction/Context.cs
@@ -246,7 +246,9 @@ namespace Semmle.Extraction
 
         public ICommentGenerator CommentGenerator { get; } = new CommentProcessor();
 
-        private IExtractionScope scope { get; }
+        private IExtractionScope scope;
+
+        public bool IsAssemblyScope => scope is AssemblyScope;
 
         public SyntaxTree? SourceTree => scope is SourceScope sc ? sc.SourceTree : null;
 
@@ -368,9 +370,9 @@ namespace Semmle.Extraction
                     throw new InternalError("Unexpected TrapStackBehaviour");
             }
 
-            var a = duplicationGuard && this.Create(entity.ReportingLocation) is NonGeneratedSourceLocation loc ?
-                (Action)(() => WithDuplicationGuard(new Key(entity, loc), () => entity.Populate(TrapWriter.Writer))) :
-                (Action)(() => this.Try(null, optionalSymbol, () => entity.Populate(TrapWriter.Writer)));
+            var a = duplicationGuard && this.Create(entity.ReportingLocation) is NonGeneratedSourceLocation loc
+                ? (Action)(() => WithDuplicationGuard(new Key(entity, loc), () => entity.Populate(TrapWriter.Writer)))
+                : (Action)(() => this.Try(null, optionalSymbol, () => entity.Populate(TrapWriter.Writer)));
 
             if (deferred)
                 populateQueue.Enqueue(a);
@@ -384,7 +386,7 @@ namespace Semmle.Extraction
         /// </summary>
         public void WithDuplicationGuard(Key key, Action a)
         {
-            if (scope is AssemblyScope)
+            if (IsAssemblyScope)
             {
                 // No need for a duplication guard when extracting assemblies,
                 // and the duplication guard could lead to method bodies being missed
diff --git a/csharp/ql/src/semmle/code/csharp/Preprocessor.qll b/csharp/ql/src/semmle/code/csharp/Preprocessor.qll
index 8548db264fd..776c136d672 100644
--- a/csharp/ql/src/semmle/code/csharp/Preprocessor.qll
+++ b/csharp/ql/src/semmle/code/csharp/Preprocessor.qll
@@ -3,6 +3,7 @@
  */
 
 import Element
+private import semmle.code.csharp.commons.Compilation
 
 /**
  * A preprocessor directive, such as `PragmaWarningDirective`, `PragmaChecksumDirective`,
@@ -17,9 +18,10 @@ class PreprocessorDirective extends Element, @preprocessor_directive {
    */
   predicate isActive() { preprocessor_directive_active(this, 1) }
 
-  override Location getALocation() {
-    preprocessor_directive_location(this, result) or preprocessor_directive_assembly(this, result)
-  }
+  override Location getALocation() { preprocessor_directive_location(this, result) }
+
+  /** Gets the compilation this directive belongs to, if any. */
+  Compilation getCompilation() { preprocessor_directive_compilation(this, result) }
 }
 
 /**
diff --git a/csharp/ql/src/semmlecode.csharp.dbscheme b/csharp/ql/src/semmlecode.csharp.dbscheme
index f5d3daf62b8..fd73e34aa99 100644
--- a/csharp/ql/src/semmlecode.csharp.dbscheme
+++ b/csharp/ql/src/semmlecode.csharp.dbscheme
@@ -424,9 +424,9 @@ preprocessor_directive_location(
   unique int id: @preprocessor_directive ref,
   int loc: @location ref);
 
-preprocessor_directive_assembly(
+preprocessor_directive_compilation(
   unique int id: @preprocessor_directive ref,
-  int loc: @assembly ref);
+  int compilation: @compilation ref);
 
 preprocessor_directive_active(
   unique int id: @preprocessor_directive ref,
diff --git a/csharp/ql/test/library-tests/comments/Directives.expected b/csharp/ql/test/library-tests/comments/Directives.expected
index 2fa3a1acae3..191954695da 100644
--- a/csharp/ql/test/library-tests/comments/Directives.expected
+++ b/csharp/ql/test/library-tests/comments/Directives.expected
@@ -1,60 +1,62 @@
-| trivia.cs:4:1:4:13 | #define ... | comments2.dll:0:0:0:0 | comments2, Version=0.0.0.0, Culture=neutral, PublicKeyToken=null | active |
+directives
 | trivia.cs:4:1:4:13 | #define ... | trivia.cs:4:1:4:13 | trivia.cs:4:1:4:13 | active |
-| trivia.cs:6:1:6:12 | #undef ... | comments2.dll:0:0:0:0 | comments2, Version=0.0.0.0, Culture=neutral, PublicKeyToken=null | active |
 | trivia.cs:6:1:6:12 | #undef ... | trivia.cs:6:1:6:12 | trivia.cs:6:1:6:12 | active |
-| trivia.cs:12:1:12:35 | #pragma warning ... | comments2.dll:0:0:0:0 | comments2, Version=0.0.0.0, Culture=neutral, PublicKeyToken=null | active |
 | trivia.cs:12:1:12:35 | #pragma warning ... | trivia.cs:12:1:12:35 | trivia.cs:12:1:12:35 | active |
-| trivia.cs:13:1:13:98 | #pragma checksum ... | comments2.dll:0:0:0:0 | comments2, Version=0.0.0.0, Culture=neutral, PublicKeyToken=null | active |
 | trivia.cs:13:1:13:98 | #pragma checksum ... | trivia.cs:13:1:13:98 | trivia.cs:13:1:13:98 | active |
-| trivia.cs:18:1:18:19 | #line ... | comments2.dll:0:0:0:0 | comments2, Version=0.0.0.0, Culture=neutral, PublicKeyToken=null | active |
 | trivia.cs:18:1:18:19 | #line ... | trivia.cs:18:1:18:19 | trivia.cs:18:1:18:19 | active |
-| trivia.cs:21:1:21:13 | #line default | comments2.dll:0:0:0:0 | comments2, Version=0.0.0.0, Culture=neutral, PublicKeyToken=null | active |
 | trivia.cs:21:1:21:13 | #line default | trivia.cs:21:1:21:13 | trivia.cs:21:1:21:13 | active |
-| trivia.cs:23:1:23:23 | #pragma warning ... | comments2.dll:0:0:0:0 | comments2, Version=0.0.0.0, Culture=neutral, PublicKeyToken=null | active |
 | trivia.cs:23:1:23:23 | #pragma warning ... | trivia.cs:23:1:23:23 | trivia.cs:23:1:23:23 | active |
-| trivia.cs:25:1:25:38 | #line hidden | comments2.dll:0:0:0:0 | comments2, Version=0.0.0.0, Culture=neutral, PublicKeyToken=null | active |
 | trivia.cs:25:1:25:38 | #line hidden | trivia.cs:25:1:25:38 | trivia.cs:25:1:25:38 | active |
-| trivia.cs:27:1:27:9 | #line ... | comments2.dll:0:0:0:0 | comments2, Version=0.0.0.0, Culture=neutral, PublicKeyToken=null | active |
 | trivia.cs:27:1:27:9 | #line ... | trivia.cs:27:1:27:9 | trivia.cs:27:1:27:9 | active |
-| trivia.cs:36:9:36:22 | #region ... | comments2.dll:0:0:0:0 | comments2, Version=0.0.0.0, Culture=neutral, PublicKeyToken=null | active |
 | trivia.cs:36:9:36:22 | #region ... | trivia.cs:36:9:36:22 | trivia.cs:36:9:36:22 | active |
-| trivia.cs:38:9:38:22 | #region ... | comments2.dll:0:0:0:0 | comments2, Version=0.0.0.0, Culture=neutral, PublicKeyToken=null | active |
 | trivia.cs:38:9:38:22 | #region ... | trivia.cs:38:9:38:22 | trivia.cs:38:9:38:22 | active |
-| trivia.cs:40:9:40:18 | #endregion | comments2.dll:0:0:0:0 | comments2, Version=0.0.0.0, Culture=neutral, PublicKeyToken=null | active |
 | trivia.cs:40:9:40:18 | #endregion | trivia.cs:40:9:40:18 | trivia.cs:40:9:40:18 | active |
-| trivia.cs:41:9:41:18 | #endregion | comments2.dll:0:0:0:0 | comments2, Version=0.0.0.0, Culture=neutral, PublicKeyToken=null | active |
 | trivia.cs:41:9:41:18 | #endregion | trivia.cs:41:9:41:18 | trivia.cs:41:9:41:18 | active |
-| trivia.cs:49:1:49:82 | #nullable ... | comments2.dll:0:0:0:0 | comments2, Version=0.0.0.0, Culture=neutral, PublicKeyToken=null | active |
 | trivia.cs:49:1:49:82 | #nullable ... | trivia.cs:49:1:49:82 | trivia.cs:49:1:49:82 | active |
-| trivia.cs:50:1:50:80 | #nullable ... | comments2.dll:0:0:0:0 | comments2, Version=0.0.0.0, Culture=neutral, PublicKeyToken=null | active |
 | trivia.cs:50:1:50:80 | #nullable ... | trivia.cs:50:1:50:80 | trivia.cs:50:1:50:80 | active |
-| trivia.cs:51:1:51:94 | #nullable ... | comments2.dll:0:0:0:0 | comments2, Version=0.0.0.0, Culture=neutral, PublicKeyToken=null | active |
 | trivia.cs:51:1:51:94 | #nullable ... | trivia.cs:51:1:51:94 | trivia.cs:51:1:51:94 | active |
-| trivia.cs:52:1:52:81 | #nullable ... | comments2.dll:0:0:0:0 | comments2, Version=0.0.0.0, Culture=neutral, PublicKeyToken=null | active |
 | trivia.cs:52:1:52:81 | #nullable ... | trivia.cs:52:1:52:81 | trivia.cs:52:1:52:81 | active |
-| trivia.cs:53:1:53:79 | #nullable ... | comments2.dll:0:0:0:0 | comments2, Version=0.0.0.0, Culture=neutral, PublicKeyToken=null | active |
 | trivia.cs:53:1:53:79 | #nullable ... | trivia.cs:53:1:53:79 | trivia.cs:53:1:53:79 | active |
-| trivia.cs:54:1:54:93 | #nullable ... | comments2.dll:0:0:0:0 | comments2, Version=0.0.0.0, Culture=neutral, PublicKeyToken=null | active |
 | trivia.cs:54:1:54:93 | #nullable ... | trivia.cs:54:1:54:93 | trivia.cs:54:1:54:93 | active |
-| trivia.cs:55:1:55:75 | #nullable ... | comments2.dll:0:0:0:0 | comments2, Version=0.0.0.0, Culture=neutral, PublicKeyToken=null | active |
 | trivia.cs:55:1:55:75 | #nullable ... | trivia.cs:55:1:55:75 | trivia.cs:55:1:55:75 | active |
-| trivia.cs:56:1:56:73 | #nullable ... | comments2.dll:0:0:0:0 | comments2, Version=0.0.0.0, Culture=neutral, PublicKeyToken=null | active |
 | trivia.cs:56:1:56:73 | #nullable ... | trivia.cs:56:1:56:73 | trivia.cs:56:1:56:73 | active |
-| trivia.cs:57:1:57:87 | #nullable ... | comments2.dll:0:0:0:0 | comments2, Version=0.0.0.0, Culture=neutral, PublicKeyToken=null | active |
 | trivia.cs:57:1:57:87 | #nullable ... | trivia.cs:57:1:57:87 | trivia.cs:57:1:57:87 | active |
-| trivia.cs:65:1:65:9 | #if ... | comments2.dll:0:0:0:0 | comments2, Version=0.0.0.0, Culture=neutral, PublicKeyToken=null | active |
 | trivia.cs:65:1:65:9 | #if ... | trivia.cs:65:1:65:9 | trivia.cs:65:1:65:9 | active |
-| trivia.cs:66:1:66:23 | #error ... | comments2.dll:0:0:0:0 | comments2, Version=0.0.0.0, Culture=neutral, PublicKeyToken=null | inactive |
 | trivia.cs:66:1:66:23 | #error ... | trivia.cs:66:1:66:23 | trivia.cs:66:1:66:23 | inactive |
-| trivia.cs:68:1:68:10 | #if ... | comments2.dll:0:0:0:0 | comments2, Version=0.0.0.0, Culture=neutral, PublicKeyToken=null | inactive |
 | trivia.cs:68:1:68:10 | #if ... | trivia.cs:68:1:68:10 | trivia.cs:68:1:68:10 | inactive |
-| trivia.cs:70:1:70:6 | #endif | comments2.dll:0:0:0:0 | comments2, Version=0.0.0.0, Culture=neutral, PublicKeyToken=null | inactive |
 | trivia.cs:70:1:70:6 | #endif | trivia.cs:70:1:70:6 | trivia.cs:70:1:70:6 | inactive |
-| trivia.cs:71:1:71:35 | #elif ... | comments2.dll:0:0:0:0 | comments2, Version=0.0.0.0, Culture=neutral, PublicKeyToken=null | active |
 | trivia.cs:71:1:71:35 | #elif ... | trivia.cs:71:1:71:35 | trivia.cs:71:1:71:35 | active |
-| trivia.cs:72:1:72:43 | #warning ... | comments2.dll:0:0:0:0 | comments2, Version=0.0.0.0, Culture=neutral, PublicKeyToken=null | active |
 | trivia.cs:72:1:72:43 | #warning ... | trivia.cs:72:1:72:43 | trivia.cs:72:1:72:43 | active |
-| trivia.cs:74:1:74:5 | #else | comments2.dll:0:0:0:0 | comments2, Version=0.0.0.0, Culture=neutral, PublicKeyToken=null | active |
 | trivia.cs:74:1:74:5 | #else | trivia.cs:74:1:74:5 | trivia.cs:74:1:74:5 | active |
-| trivia.cs:76:1:76:6 | #endif | comments2.dll:0:0:0:0 | comments2, Version=0.0.0.0, Culture=neutral, PublicKeyToken=null | active |
 | trivia.cs:76:1:76:6 | #endif | trivia.cs:76:1:76:6 | trivia.cs:76:1:76:6 | active |
+comp
+| trivia.cs:4:1:4:13 | #define ... | compilation |
+| trivia.cs:6:1:6:12 | #undef ... | compilation |
+| trivia.cs:12:1:12:35 | #pragma warning ... | compilation |
+| trivia.cs:13:1:13:98 | #pragma checksum ... | compilation |
+| trivia.cs:18:1:18:19 | #line ... | compilation |
+| trivia.cs:21:1:21:13 | #line default | compilation |
+| trivia.cs:23:1:23:23 | #pragma warning ... | compilation |
+| trivia.cs:25:1:25:38 | #line hidden | compilation |
+| trivia.cs:27:1:27:9 | #line ... | compilation |
+| trivia.cs:36:9:36:22 | #region ... | compilation |
+| trivia.cs:38:9:38:22 | #region ... | compilation |
+| trivia.cs:40:9:40:18 | #endregion | compilation |
+| trivia.cs:41:9:41:18 | #endregion | compilation |
+| trivia.cs:49:1:49:82 | #nullable ... | compilation |
+| trivia.cs:50:1:50:80 | #nullable ... | compilation |
+| trivia.cs:51:1:51:94 | #nullable ... | compilation |
+| trivia.cs:52:1:52:81 | #nullable ... | compilation |
+| trivia.cs:53:1:53:79 | #nullable ... | compilation |
+| trivia.cs:54:1:54:93 | #nullable ... | compilation |
+| trivia.cs:55:1:55:75 | #nullable ... | compilation |
+| trivia.cs:56:1:56:73 | #nullable ... | compilation |
+| trivia.cs:57:1:57:87 | #nullable ... | compilation |
+| trivia.cs:65:1:65:9 | #if ... | compilation |
+| trivia.cs:66:1:66:23 | #error ... | compilation |
+| trivia.cs:68:1:68:10 | #if ... | compilation |
+| trivia.cs:70:1:70:6 | #endif | compilation |
+| trivia.cs:71:1:71:35 | #elif ... | compilation |
+| trivia.cs:72:1:72:43 | #warning ... | compilation |
+| trivia.cs:74:1:74:5 | #else | compilation |
+| trivia.cs:76:1:76:6 | #endif | compilation |
diff --git a/csharp/ql/test/library-tests/comments/Directives.ql b/csharp/ql/test/library-tests/comments/Directives.ql
index 3af699b9a0c..4811692a9fc 100644
--- a/csharp/ql/test/library-tests/comments/Directives.ql
+++ b/csharp/ql/test/library-tests/comments/Directives.ql
@@ -1,6 +1,9 @@
 import csharp
+private import semmle.code.csharp.commons.Compilation
 
 query predicate directives(PreprocessorDirective d, Location l, string isActive) {
   d.getALocation() = l and
   if d.isActive() then isActive = "active" else isActive = "inactive"
 }
+
+query predicate comp(PreprocessorDirective d, Compilation c) { d.getCompilation() = c }

From a1d227dbbbecc23b33d9f77b3caf19120322c97e Mon Sep 17 00:00:00 2001
From: Tamas Vajk <tamasvajk@github.com>
Date: Fri, 22 Jan 2021 14:51:32 +0100
Subject: [PATCH 132/429] C#: Follow line directives when getting element
 location

---
 .../PreprocessorDirectives/LineDirective.cs   |  8 +++-
 .../PragmaChecksumDirective.cs                |  3 +-
 .../Semmle.Extraction.CSharp/Tuples.cs        | 11 +++--
 csharp/extractor/Semmle.Extraction/Context.cs |  6 ---
 .../Semmle.Extraction/Entities/File.cs        | 40 ++++++++++++++++---
 .../Entities/SourceLocation.cs                | 13 +++++-
 csharp/extractor/Semmle.Extraction/Tuples.cs  |  5 +++
 .../semmle/code/csharp/ExprOrStmtParent.qll   |  9 ++++-
 csharp/ql/src/semmle/code/csharp/Location.qll |  3 ++
 .../src/semmle/code/csharp/Preprocessor.qll   | 11 ++---
 csharp/ql/src/semmlecode.csharp.dbscheme      | 16 ++++++--
 .../comments/BindingAfter.expected            |  2 +-
 .../library-tests/comments/Bindings.expected  |  2 +-
 .../library-tests/comments/Comments.expected  |  2 +-
 .../comments/Directives.expected              | 12 +++---
 .../comments/LineDirectives.expected          | 21 +++++++---
 .../library-tests/comments/LineDirectives.ql  | 11 +++--
 .../comments/PragmaChecksums.expected         |  2 +-
 .../library-tests/comments/PragmaChecksums.ql |  2 +-
 .../library-tests/comments/PrintAst.expected  | 12 ++++--
 .../ql/test/library-tests/comments/trivia.cs  |  6 +--
 21 files changed, 139 insertions(+), 58 deletions(-)

diff --git a/csharp/extractor/Semmle.Extraction.CSharp/Entities/PreprocessorDirectives/LineDirective.cs b/csharp/extractor/Semmle.Extraction.CSharp/Entities/PreprocessorDirectives/LineDirective.cs
index 2ca34d6c7a1..54681d317e9 100644
--- a/csharp/extractor/Semmle.Extraction.CSharp/Entities/PreprocessorDirectives/LineDirective.cs
+++ b/csharp/extractor/Semmle.Extraction.CSharp/Entities/PreprocessorDirectives/LineDirective.cs
@@ -27,7 +27,13 @@ namespace Semmle.Extraction.CSharp.Entities
             if (trivia.Line.IsKind(SyntaxKind.NumericLiteralToken))
             {
                 var value = (int)trivia.Line.Value;
-                trapFile.directive_line_values(this, value, trivia.File.ValueText);
+                trapFile.directive_line_value(this, value);
+
+                if (!string.IsNullOrWhiteSpace(trivia.File.ValueText))
+                {
+                    var file = Extraction.Entities.File.Create(cx, trivia.File.ValueText);
+                    trapFile.directive_line_file(this, file);
+                }
             }
         }
     }
diff --git a/csharp/extractor/Semmle.Extraction.CSharp/Entities/PreprocessorDirectives/PragmaChecksumDirective.cs b/csharp/extractor/Semmle.Extraction.CSharp/Entities/PreprocessorDirectives/PragmaChecksumDirective.cs
index 9de67176e54..dff901fa826 100644
--- a/csharp/extractor/Semmle.Extraction.CSharp/Entities/PreprocessorDirectives/PragmaChecksumDirective.cs
+++ b/csharp/extractor/Semmle.Extraction.CSharp/Entities/PreprocessorDirectives/PragmaChecksumDirective.cs
@@ -12,7 +12,8 @@ namespace Semmle.Extraction.CSharp.Entities
 
         protected override void PopulatePreprocessor(TextWriter trapFile)
         {
-            trapFile.pragma_checksums(this, trivia.File.ToString(), trivia.Guid.ToString(), trivia.Bytes.ToString());
+            var file = Extraction.Entities.File.Create(cx, trivia.File.ValueText);
+            trapFile.pragma_checksums(this, file, trivia.Guid.ToString(), trivia.Bytes.ToString());
         }
     }
 }
diff --git a/csharp/extractor/Semmle.Extraction.CSharp/Tuples.cs b/csharp/extractor/Semmle.Extraction.CSharp/Tuples.cs
index 0d88451c075..ec2bd66d32e 100644
--- a/csharp/extractor/Semmle.Extraction.CSharp/Tuples.cs
+++ b/csharp/extractor/Semmle.Extraction.CSharp/Tuples.cs
@@ -624,7 +624,7 @@ namespace Semmle.Extraction.CSharp
             trapFile.WriteTuple("pragma_warning_error_codes", pragma, errorCode, child);
         }
 
-        internal static void pragma_checksums(this TextWriter trapFile, PragmaChecksumDirective pragma, string file, string guid, string bytes)
+        internal static void pragma_checksums(this TextWriter trapFile, PragmaChecksumDirective pragma, Extraction.Entities.File file, string guid, string bytes)
         {
             trapFile.WriteTuple("pragma_checksums", pragma, file, guid, bytes);
         }
@@ -659,9 +659,14 @@ namespace Semmle.Extraction.CSharp
             trapFile.WriteTuple("directive_lines", directive, kind);
         }
 
-        internal static void directive_line_values(this TextWriter trapFile, LineDirective directive, int line, string file)
+        internal static void directive_line_value(this TextWriter trapFile, LineDirective directive, int line)
         {
-            trapFile.WriteTuple("directive_line_values", directive, line, file);
+            trapFile.WriteTuple("directive_line_value", directive, line);
+        }
+
+        internal static void directive_line_file(this TextWriter trapFile, LineDirective directive, Extraction.Entities.File file)
+        {
+            trapFile.WriteTuple("directive_line_file", directive, file);
         }
 
         internal static void directive_regions(this TextWriter trapFile, RegionDirective directive, string name)
diff --git a/csharp/extractor/Semmle.Extraction/Context.cs b/csharp/extractor/Semmle.Extraction/Context.cs
index a70a17ddaf2..10a24990a13 100644
--- a/csharp/extractor/Semmle.Extraction/Context.cs
+++ b/csharp/extractor/Semmle.Extraction/Context.cs
@@ -262,12 +262,6 @@ namespace Semmle.Extraction
             !SymbolEqualityComparer.Default.Equals(symbol, symbol.OriginalDefinition) ||
             scope.InScope(symbol);
 
-        /// <summary>
-        /// Whether the current extraction context defines a given file.
-        /// </summary>
-        /// <param name="path">The path to query.</param>
-        public bool DefinesFile(string path) => scope.InFileScope(path);
-
         private int currentRecursiveDepth = 0;
         private const int maxRecursiveDepth = 150;
 
diff --git a/csharp/extractor/Semmle.Extraction/Entities/File.cs b/csharp/extractor/Semmle.Extraction/Entities/File.cs
index 80bc3ad0533..72d0ea8e986 100644
--- a/csharp/extractor/Semmle.Extraction/Entities/File.cs
+++ b/csharp/extractor/Semmle.Extraction/Entities/File.cs
@@ -18,7 +18,7 @@ namespace Semmle.Extraction.Entities
         private readonly Lazy<PathTransformer.ITransformedPath> transformedPathLazy;
         private PathTransformer.ITransformedPath TransformedPath => transformedPathLazy.Value;
 
-        public override bool NeedsPopulation => Context.DefinesFile(originalPath) || originalPath == Context.Extractor.OutputPath;
+        public override bool NeedsPopulation => true;
 
         public override void Populate(TextWriter trapFile)
         {
@@ -27,12 +27,11 @@ namespace Semmle.Extraction.Entities
             if (TransformedPath.ParentDirectory is PathTransformer.ITransformedPath dir)
                 trapFile.containerparent(Folder.Create(Context, dir), this);
 
-            var fromSource = TransformedPath.Extension.ToLowerInvariant().Equals("cs");
-            if (fromSource)
+            var trees = Context.Compilation.SyntaxTrees.Where(t => t.FilePath == originalPath);
+
+            if (trees.Any())
             {
-                foreach (var text in Context.Compilation.SyntaxTrees
-                    .Where(t => t.FilePath == originalPath)
-                    .Select(tree => tree.GetText()))
+                foreach (var text in trees.Select(tree => tree.GetText()))
                 {
                     var rawText = text.ToString() ?? "";
                     var lineCounts = LineCounter.ComputeLineCounts(rawText);
@@ -43,10 +42,39 @@ namespace Semmle.Extraction.Entities
                     Context.TrapWriter.Archive(originalPath, TransformedPath, text.Encoding ?? System.Text.Encoding.Default);
                 }
             }
+            else if (IsPossiblyTextFile())
+            {
+                try
+                {
+                    System.Text.Encoding encoding;
+                    var lineCount = 0;
+                    using (var sr = new StreamReader(originalPath, detectEncodingFromByteOrderMarks: true))
+                    {
+                        while (sr.ReadLine() != null)
+                        {
+                            lineCount++;
+                        }
+                        encoding = sr.CurrentEncoding;
+                    }
+
+                    trapFile.numlines(this, new LineCounts() { Total = lineCount, Code = 0, Comment = 0 });
+                    Context.TrapWriter.Archive(originalPath, TransformedPath, encoding ?? System.Text.Encoding.Default);
+                }
+                catch (Exception exc)
+                {
+                    Context.ExtractionError($"Couldn't read file", originalPath, null, exc.StackTrace);
+                }
+            }
 
             trapFile.file_extraction_mode(this, Context.Extractor.Standalone ? 1 : 0);
         }
 
+        private bool IsPossiblyTextFile()
+        {
+            var extension = TransformedPath.Extension.ToLowerInvariant();
+            return !extension.Equals("dll") && !extension.Equals("exe");
+        }
+
         public override void WriteId(System.IO.TextWriter trapFile)
         {
             trapFile.Write(TransformedPath.DatabaseId);
diff --git a/csharp/extractor/Semmle.Extraction/Entities/SourceLocation.cs b/csharp/extractor/Semmle.Extraction/Entities/SourceLocation.cs
index 2697049dce2..41688033f04 100644
--- a/csharp/extractor/Semmle.Extraction/Entities/SourceLocation.cs
+++ b/csharp/extractor/Semmle.Extraction/Entities/SourceLocation.cs
@@ -28,8 +28,17 @@ namespace Semmle.Extraction.Entities
 
         public override void Populate(TextWriter trapFile)
         {
-            trapFile.locations_default(this, FileEntity, Position.Span.Start.Line + 1, Position.Span.Start.Character + 1,
-                    Position.Span.End.Line + 1, Position.Span.End.Character);
+            trapFile.locations_default(this, FileEntity,
+                Position.Span.Start.Line + 1, Position.Span.Start.Character + 1,
+                Position.Span.End.Line + 1, Position.Span.End.Character);
+
+            var mapped = symbol.GetMappedLineSpan();
+            if (mapped.HasMappedPath && mapped.IsValid)
+            {
+                var mappedLoc = Create(Context, Microsoft.CodeAnalysis.Location.Create(mapped.Path, default, mapped.Span));
+
+                trapFile.locations_mapped(this, mappedLoc);
+            }
         }
 
         public FileLinePositionSpan Position
diff --git a/csharp/extractor/Semmle.Extraction/Tuples.cs b/csharp/extractor/Semmle.Extraction/Tuples.cs
index 0a71ba6b3d9..8e9016cb6b6 100644
--- a/csharp/extractor/Semmle.Extraction/Tuples.cs
+++ b/csharp/extractor/Semmle.Extraction/Tuples.cs
@@ -43,6 +43,11 @@ namespace Semmle.Extraction
             trapFile.WriteTuple("locations_default", label, file, startLine, startCol, endLine, endCol);
         }
 
+        public static void locations_mapped(this System.IO.TextWriter trapFile, SourceLocation l1, Location l2)
+        {
+            trapFile.WriteTuple("locations_mapped", l1, l2);
+        }
+
         public static void numlines(this System.IO.TextWriter trapFile, IEntity label, LineCounts lineCounts)
         {
             trapFile.WriteTuple("numlines", label, lineCounts.Total, lineCounts.Code, lineCounts.Comment);
diff --git a/csharp/ql/src/semmle/code/csharp/ExprOrStmtParent.qll b/csharp/ql/src/semmle/code/csharp/ExprOrStmtParent.qll
index 80029612a7c..5d140b17968 100644
--- a/csharp/ql/src/semmle/code/csharp/ExprOrStmtParent.qll
+++ b/csharp/ql/src/semmle/code/csharp/ExprOrStmtParent.qll
@@ -57,7 +57,14 @@ cached
 private module Cached {
   cached
   Location bestLocation(Element e) {
-    result = e.getALocation().(SourceLocation)
+    result = e.getALocation().(SourceLocation) and
+    (
+      not exists(e.getALocation().(SourceLocation).getMappedLocation()) or
+      e instanceof LineDirective
+    )
+    or
+    result = e.getALocation().(SourceLocation).getMappedLocation() and
+    not e instanceof LineDirective
     or
     hasNoSourceLocation(e) and
     result = min(Location l | l = e.getALocation() | l order by l.getFile().toString())
diff --git a/csharp/ql/src/semmle/code/csharp/Location.qll b/csharp/ql/src/semmle/code/csharp/Location.qll
index ac9a120849c..5d35933f246 100644
--- a/csharp/ql/src/semmle/code/csharp/Location.qll
+++ b/csharp/ql/src/semmle/code/csharp/Location.qll
@@ -62,6 +62,9 @@ class EmptyLocation extends Location {
  * within the file.
  */
 class SourceLocation extends Location, @location_default {
+  /** Gets the location that takes into account `#line` directives, if any. */
+  Location getMappedLocation() { locations_mapped(this, result) }
+
   override File getFile() { locations_default(this, result, _, _, _, _) }
 
   override predicate hasLocationInfo(
diff --git a/csharp/ql/src/semmle/code/csharp/Preprocessor.qll b/csharp/ql/src/semmle/code/csharp/Preprocessor.qll
index 776c136d672..daf4978da53 100644
--- a/csharp/ql/src/semmle/code/csharp/Preprocessor.qll
+++ b/csharp/ql/src/semmle/code/csharp/Preprocessor.qll
@@ -50,7 +50,7 @@ class PragmaWarningDirective extends PreprocessorDirective, @pragma_warning {
  */
 class PragmaChecksumDirective extends PreprocessorDirective, @pragma_checksum {
   /** Gets the file name of this directive. */
-  string getFileName() { pragma_checksums(this, result, _, _) }
+  File getReferencedFile() { pragma_checksums(this, result, _, _) }
 
   /** Gets the GUID of this directive. */
   string getGuid() { pragma_checksums(this, _, result, _) }
@@ -215,13 +215,10 @@ class NumericLineDirective extends LineDirective {
   NumericLineDirective() { directive_lines(this, 2) }
 
   /** Gets the line number of this directive. */
-  int getLine() { directive_line_values(this, result, _) }
+  int getLine() { directive_line_value(this, result) }
 
-  /** Holds if this directive specifies a file name. */
-  predicate hasFileName() { exists(this.getFileName()) }
-
-  /** Gets the file name of this directive, if any. */
-  string getFileName() { directive_line_values(this, _, result) and result != "" }
+  /** Gets the referenced file of this directive. */
+  File getReferencedFile() { directive_line_file(this, result) }
 
   override string getAPrimaryQlClass() { result = "NumericLineDirective" }
 }
diff --git a/csharp/ql/src/semmlecode.csharp.dbscheme b/csharp/ql/src/semmlecode.csharp.dbscheme
index fd73e34aa99..68db341c2ed 100644
--- a/csharp/ql/src/semmlecode.csharp.dbscheme
+++ b/csharp/ql/src/semmlecode.csharp.dbscheme
@@ -247,6 +247,10 @@ locations_default(
   int endLine: int ref,
   int endColumn: int ref);
 
+locations_mapped(
+  unique int id: @location_default ref,
+  int mapped_to: @location_default ref);
+
 @sourceline = @file | @callable | @xmllocatable;
 
 numlines(
@@ -378,10 +382,14 @@ directive_lines(
   unique int id: @directive_line,
   int kind: int ref); /* 0: default, 1: hidden, 2: numeric */
 
-directive_line_values(
+directive_line_value(
   unique int id: @directive_line ref,
-  int line: int ref,
-  string file: string ref);
+  int line: int ref);
+
+directive_line_file(
+  unique int id: @directive_line ref,
+  int file: @file ref
+)
 
 directive_nullables(
   unique int id: @directive_nullable,
@@ -406,7 +414,7 @@ directive_defines(
 
 pragma_checksums(
   unique int id: @pragma_checksum,
-  string file: string ref,
+  int file: @file ref,
   string guid: string ref,
   string bytes: string ref);
 
diff --git a/csharp/ql/test/library-tests/comments/BindingAfter.expected b/csharp/ql/test/library-tests/comments/BindingAfter.expected
index df5cd92ade0..59b784aa196 100644
--- a/csharp/ql/test/library-tests/comments/BindingAfter.expected
+++ b/csharp/ql/test/library-tests/comments/BindingAfter.expected
@@ -56,5 +56,5 @@
 | comments2.cs:124:5:124:16 | // ... | comments2.cs:125:9:125:20 | GenericFn | GenericFn |
 | comments2.cs:127:20:127:23 | // ... | comments2.cs:128:9:128:17 | return ...; | x |
 | trivia.cs:1:1:3:15 | // ... | trivia.cs:14:7:14:9 | Tr1 |  |
-| trivia.cs:13:84:13:98 | // ... | trivia.cs:14:7:14:9 | Tr1 | New checksum |
+| trivia.cs:13:89:13:103 | // ... | trivia.cs:14:7:14:9 | Tr1 | New checksum |
 | trivia.cs:25:14:25:38 | // ... | trivia.cs:26:9:26:17 | ... ...; | numbering not affected |
diff --git a/csharp/ql/test/library-tests/comments/Bindings.expected b/csharp/ql/test/library-tests/comments/Bindings.expected
index 90889ddeda0..6822c9411a6 100644
--- a/csharp/ql/test/library-tests/comments/Bindings.expected
+++ b/csharp/ql/test/library-tests/comments/Bindings.expected
@@ -49,7 +49,7 @@
 | comments2.cs:121:17:121:20 | // ... | comments2.cs:121:13:121:13 | f | f |
 | comments2.cs:124:5:124:16 | // ... | comments2.cs:125:9:125:20 | GenericFn | GenericFn |
 | comments2.cs:127:20:127:23 | // ... | comments2.cs:127:9:127:18 | ... ...; | x |
-| trivia.cs:13:84:13:98 | // ... | trivia.cs:14:7:14:9 | Tr1 | New checksum |
+| trivia.cs:13:89:13:103 | // ... | trivia.cs:14:7:14:9 | Tr1 | New checksum |
 | trivia.cs:25:14:25:38 | // ... | trivia.cs:17:5:29:5 | {...} | numbering not affected |
 | trivia.cs:49:18:49:82 | // ... | trivia.cs:48:5:58:5 | {...} | Sets the nullable annotation and warning contexts to disabled. |
 | trivia.cs:50:17:50:80 | // ... | trivia.cs:48:5:58:5 | {...} | Sets the nullable annotation and warning contexts to enabled. |
diff --git a/csharp/ql/test/library-tests/comments/Comments.expected b/csharp/ql/test/library-tests/comments/Comments.expected
index a6df0ef7bc6..a0ff83a59be 100644
--- a/csharp/ql/test/library-tests/comments/Comments.expected
+++ b/csharp/ql/test/library-tests/comments/Comments.expected
@@ -73,7 +73,7 @@ singlelineComment
 | trivia.cs:1:1:3:15 | // ... | trivia.cs:1:1:1:2 | // ... | 3 |  | // |
 | trivia.cs:1:1:3:15 | // ... | trivia.cs:2:1:2:21 | // ... | 3 | Start of trivia.cs | // Start of trivia.cs |
 | trivia.cs:1:1:3:15 | // ... | trivia.cs:3:1:3:15 | // ... | 3 | Unassociated | // Unassociated |
-| trivia.cs:13:84:13:98 | // ... | trivia.cs:13:84:13:98 | // ... | 1 | New checksum | // New checksum |
+| trivia.cs:13:89:13:103 | // ... | trivia.cs:13:89:13:103 | // ... | 1 | New checksum | // New checksum |
 | trivia.cs:25:14:25:38 | // ... | trivia.cs:25:14:25:38 | // ... | 1 | numbering not affected | // numbering not affected |
 | trivia.cs:49:18:49:82 | // ... | trivia.cs:49:18:49:82 | // ... | 1 | Sets the nullable annotation and warning contexts to disabled. | // Sets the nullable annotation and warning contexts to disabled. |
 | trivia.cs:50:17:50:80 | // ... | trivia.cs:50:17:50:80 | // ... | 1 | Sets the nullable annotation and warning contexts to enabled. | // Sets the nullable annotation and warning contexts to enabled. |
diff --git a/csharp/ql/test/library-tests/comments/Directives.expected b/csharp/ql/test/library-tests/comments/Directives.expected
index 191954695da..c6d0a12ffb6 100644
--- a/csharp/ql/test/library-tests/comments/Directives.expected
+++ b/csharp/ql/test/library-tests/comments/Directives.expected
@@ -2,12 +2,12 @@ directives
 | trivia.cs:4:1:4:13 | #define ... | trivia.cs:4:1:4:13 | trivia.cs:4:1:4:13 | active |
 | trivia.cs:6:1:6:12 | #undef ... | trivia.cs:6:1:6:12 | trivia.cs:6:1:6:12 | active |
 | trivia.cs:12:1:12:35 | #pragma warning ... | trivia.cs:12:1:12:35 | trivia.cs:12:1:12:35 | active |
-| trivia.cs:13:1:13:98 | #pragma checksum ... | trivia.cs:13:1:13:98 | trivia.cs:13:1:13:98 | active |
-| trivia.cs:18:1:18:19 | #line ... | trivia.cs:18:1:18:19 | trivia.cs:18:1:18:19 | active |
+| trivia.cs:13:1:13:103 | #pragma checksum ... | trivia.cs:13:1:13:103 | trivia.cs:13:1:13:103 | active |
+| trivia.cs:18:1:18:22 | #line ... | trivia.cs:18:1:18:22 | trivia.cs:18:1:18:22 | active |
 | trivia.cs:21:1:21:13 | #line default | trivia.cs:21:1:21:13 | trivia.cs:21:1:21:13 | active |
 | trivia.cs:23:1:23:23 | #pragma warning ... | trivia.cs:23:1:23:23 | trivia.cs:23:1:23:23 | active |
 | trivia.cs:25:1:25:38 | #line hidden | trivia.cs:25:1:25:38 | trivia.cs:25:1:25:38 | active |
-| trivia.cs:27:1:27:9 | #line ... | trivia.cs:27:1:27:9 | trivia.cs:27:1:27:9 | active |
+| trivia.cs:27:1:27:7 | #line ... | trivia.cs:27:1:27:7 | trivia.cs:27:1:27:7 | active |
 | trivia.cs:36:9:36:22 | #region ... | trivia.cs:36:9:36:22 | trivia.cs:36:9:36:22 | active |
 | trivia.cs:38:9:38:22 | #region ... | trivia.cs:38:9:38:22 | trivia.cs:38:9:38:22 | active |
 | trivia.cs:40:9:40:18 | #endregion | trivia.cs:40:9:40:18 | trivia.cs:40:9:40:18 | active |
@@ -33,12 +33,12 @@ comp
 | trivia.cs:4:1:4:13 | #define ... | compilation |
 | trivia.cs:6:1:6:12 | #undef ... | compilation |
 | trivia.cs:12:1:12:35 | #pragma warning ... | compilation |
-| trivia.cs:13:1:13:98 | #pragma checksum ... | compilation |
-| trivia.cs:18:1:18:19 | #line ... | compilation |
+| trivia.cs:13:1:13:103 | #pragma checksum ... | compilation |
+| trivia.cs:18:1:18:22 | #line ... | compilation |
 | trivia.cs:21:1:21:13 | #line default | compilation |
 | trivia.cs:23:1:23:23 | #pragma warning ... | compilation |
 | trivia.cs:25:1:25:38 | #line hidden | compilation |
-| trivia.cs:27:1:27:9 | #line ... | compilation |
+| trivia.cs:27:1:27:7 | #line ... | compilation |
 | trivia.cs:36:9:36:22 | #region ... | compilation |
 | trivia.cs:38:9:38:22 | #region ... | compilation |
 | trivia.cs:40:9:40:18 | #endregion | compilation |
diff --git a/csharp/ql/test/library-tests/comments/LineDirectives.expected b/csharp/ql/test/library-tests/comments/LineDirectives.expected
index c8be4e27890..58b54de85e6 100644
--- a/csharp/ql/test/library-tests/comments/LineDirectives.expected
+++ b/csharp/ql/test/library-tests/comments/LineDirectives.expected
@@ -2,12 +2,21 @@ default
 | trivia.cs:21:1:21:13 | #line default |
 hidden
 | trivia.cs:25:1:25:38 | #line hidden |
-lines
-| trivia.cs:18:1:18:19 | #line ... | 200 | Special |
-| trivia.cs:27:1:27:9 | #line ... | 300 | no file |
+lines_file
+| trivia.cs:18:1:18:22 | #line ... | 1 | comments1.cs:0:0:0:0 | comments1.cs |
+lines_no_file
+| trivia.cs:27:1:27:7 | #line ... | 5 |
 succ
-| trivia.cs:18:1:18:19 | #line ... | trivia.cs:21:1:21:13 | #line default |
+| trivia.cs:18:1:18:22 | #line ... | trivia.cs:21:1:21:13 | #line default |
 | trivia.cs:21:1:21:13 | #line default | trivia.cs:25:1:25:38 | #line hidden |
-| trivia.cs:25:1:25:38 | #line hidden | trivia.cs:27:1:27:9 | #line ... |
+| trivia.cs:25:1:25:38 | #line hidden | trivia.cs:27:1:27:7 | #line ... |
 last
-| trivia.cs:27:1:27:9 | #line ... |
+| trivia.cs:27:1:27:7 | #line ... |
+mapped
+| trivia.cs:19:9:19:11 | trivia.cs:19:9:19:11 | comments1.cs:1:9:1:11 | comments1.cs:1:9:1:11 |
+| trivia.cs:19:9:19:14 | trivia.cs:19:9:19:14 | comments1.cs:1:9:1:14 | comments1.cs:1:9:1:14 |
+| trivia.cs:19:13:19:13 | trivia.cs:19:13:19:13 | comments1.cs:1:13:1:13 | comments1.cs:1:13:1:13 |
+| trivia.cs:20:9:20:11 | trivia.cs:20:9:20:11 | comments1.cs:2:9:2:11 | comments1.cs:2:9:2:11 |
+| trivia.cs:20:9:20:14 | trivia.cs:20:9:20:14 | comments1.cs:2:9:2:14 | comments1.cs:2:9:2:14 |
+| trivia.cs:20:13:20:13 | trivia.cs:20:13:20:13 | comments1.cs:2:13:2:13 | comments1.cs:2:13:2:13 |
+| trivia.cs:21:1:21:13 | trivia.cs:21:1:21:13 | comments1.cs:3:1:3:13 | comments1.cs:3:1:3:13 |
diff --git a/csharp/ql/test/library-tests/comments/LineDirectives.ql b/csharp/ql/test/library-tests/comments/LineDirectives.ql
index 4fa2adedb9d..5b009f0b4b8 100644
--- a/csharp/ql/test/library-tests/comments/LineDirectives.ql
+++ b/csharp/ql/test/library-tests/comments/LineDirectives.ql
@@ -4,11 +4,16 @@ query predicate default(DefaultLineDirective line) { any() }
 
 query predicate hidden(HiddenLineDirective line) { any() }
 
-query predicate lines(NumericLineDirective line, int l, string file) {
-  line.getLine() = l and
-  if line.hasFileName() then line.getFileName() = file else file = "no file"
+query predicate lines_file(NumericLineDirective line, int l, File file) {
+  line.getLine() = l and line.getReferencedFile() = file
+}
+
+query predicate lines_no_file(NumericLineDirective line, int l) {
+  line.getLine() = l and not exists(line.getReferencedFile())
 }
 
 query predicate succ(LineDirective d, LineDirective succ) { d.getSuccLineDirective() = succ }
 
 query predicate last(LineDirective d) { not d.hasSuccLineDirective() }
+
+query predicate mapped(SourceLocation l1, Location l2) { l1.getMappedLocation() = l2 }
diff --git a/csharp/ql/test/library-tests/comments/PragmaChecksums.expected b/csharp/ql/test/library-tests/comments/PragmaChecksums.expected
index 185e834cbdf..d3700c13aa0 100644
--- a/csharp/ql/test/library-tests/comments/PragmaChecksums.expected
+++ b/csharp/ql/test/library-tests/comments/PragmaChecksums.expected
@@ -1 +1 @@
-| trivia.cs:13:1:13:98 | #pragma checksum ... | "file.cs" | "{406EA660-64CF-4C82-B6F0-42D48172A799}" | "ab007f1d23d9" |
+| trivia.cs:13:1:13:103 | #pragma checksum ... | comments1.cs:0:0:0:0 | comments1.cs | "{406EA660-64CF-4C82-B6F0-42D48172A799}" | "ab007f1d23d9" |
diff --git a/csharp/ql/test/library-tests/comments/PragmaChecksums.ql b/csharp/ql/test/library-tests/comments/PragmaChecksums.ql
index 7d3f10ab3b5..8de177f5215 100644
--- a/csharp/ql/test/library-tests/comments/PragmaChecksums.ql
+++ b/csharp/ql/test/library-tests/comments/PragmaChecksums.ql
@@ -1,4 +1,4 @@
 import csharp
 
 from PragmaChecksumDirective p
-select p, p.getFileName(), p.getGuid(), p.getBytes()
+select p, p.getReferencedFile(), p.getGuid(), p.getBytes()
diff --git a/csharp/ql/test/library-tests/comments/PrintAst.expected b/csharp/ql/test/library-tests/comments/PrintAst.expected
index 96f0f088501..eeb7993eaef 100644
--- a/csharp/ql/test/library-tests/comments/PrintAst.expected
+++ b/csharp/ql/test/library-tests/comments/PrintAst.expected
@@ -132,11 +132,15 @@ trivia.cs:
 #   16|   5: [Method] M1
 #   16|     -1: [TypeMention] Void
 #   17|     4: [BlockStmt] {...}
-#   19|       0: [LocalVariableDeclStmt] ... ...;
-#   19|         0: [LocalVariableDeclExpr] Int32 i
+comments1.cs:
+#    1|       0: [LocalVariableDeclStmt] ... ...;
+#    1|         0: [LocalVariableDeclExpr] Int32 i
+trivia.cs:
 #   19|           0: [TypeMention] int
-#   20|       1: [LocalVariableDeclStmt] ... ...;
-#   20|         0: [LocalVariableDeclExpr] Int32 j
+comments1.cs:
+#    2|       1: [LocalVariableDeclStmt] ... ...;
+#    2|         0: [LocalVariableDeclExpr] Int32 j
+trivia.cs:
 #   20|           0: [TypeMention] int
 #   22|       2: [LocalVariableDeclStmt] ... ...;
 #   22|         0: [LocalVariableDeclExpr] Char c
diff --git a/csharp/ql/test/library-tests/comments/trivia.cs b/csharp/ql/test/library-tests/comments/trivia.cs
index 61cfe454409..be670eac1c4 100644
--- a/csharp/ql/test/library-tests/comments/trivia.cs
+++ b/csharp/ql/test/library-tests/comments/trivia.cs
@@ -10,12 +10,12 @@ using System.Collections;
 using System.Collections.Generic;
 
 #pragma warning disable 414, CS3021
-#pragma checksum "file.cs" "{406EA660-64CF-4C82-B6F0-42D48172A799}" "ab007f1d23d9" // New checksum
+#pragma checksum "comments1.cs" "{406EA660-64CF-4C82-B6F0-42D48172A799}" "ab007f1d23d9" // New checksum
 class Tr1
 {
     static void M1()
     {
-#line 200 "Special"
+#line 1 "comments1.cs"
         int i;
         int j;
 #line default
@@ -24,7 +24,7 @@ class Tr1
         float f;
 #line hidden // numbering not affected
         string s;
-#line 300
+#line 5
         double d;
     }
 }

From 899e52a68ac82df1c6a97a9998f452139ad9006b Mon Sep 17 00:00:00 2001
From: Tamas Vajk <tamasvajk@github.com>
Date: Thu, 28 Jan 2021 15:51:48 +0100
Subject: [PATCH 133/429] Adjust getMappedLocation to not include line
 directives

---
 csharp/ql/src/semmle/code/csharp/ExprOrStmtParent.qll     | 8 ++------
 csharp/ql/src/semmle/code/csharp/Location.qll             | 5 ++++-
 .../test/library-tests/comments/LineDirectives.expected   | 1 -
 3 files changed, 6 insertions(+), 8 deletions(-)

diff --git a/csharp/ql/src/semmle/code/csharp/ExprOrStmtParent.qll b/csharp/ql/src/semmle/code/csharp/ExprOrStmtParent.qll
index 5d140b17968..c7c7bfe00e8 100644
--- a/csharp/ql/src/semmle/code/csharp/ExprOrStmtParent.qll
+++ b/csharp/ql/src/semmle/code/csharp/ExprOrStmtParent.qll
@@ -58,13 +58,9 @@ private module Cached {
   cached
   Location bestLocation(Element e) {
     result = e.getALocation().(SourceLocation) and
-    (
-      not exists(e.getALocation().(SourceLocation).getMappedLocation()) or
-      e instanceof LineDirective
-    )
+    not exists(e.getALocation().(SourceLocation).getMappedLocation())
     or
-    result = e.getALocation().(SourceLocation).getMappedLocation() and
-    not e instanceof LineDirective
+    result = e.getALocation().(SourceLocation).getMappedLocation()
     or
     hasNoSourceLocation(e) and
     result = min(Location l | l = e.getALocation() | l order by l.getFile().toString())
diff --git a/csharp/ql/src/semmle/code/csharp/Location.qll b/csharp/ql/src/semmle/code/csharp/Location.qll
index 5d35933f246..97f9302c474 100644
--- a/csharp/ql/src/semmle/code/csharp/Location.qll
+++ b/csharp/ql/src/semmle/code/csharp/Location.qll
@@ -63,7 +63,10 @@ class EmptyLocation extends Location {
  */
 class SourceLocation extends Location, @location_default {
   /** Gets the location that takes into account `#line` directives, if any. */
-  Location getMappedLocation() { locations_mapped(this, result) }
+  Location getMappedLocation() {
+    locations_mapped(this, result) and
+    not exists(LineDirective l | l.getALocation() = this)
+  }
 
   override File getFile() { locations_default(this, result, _, _, _, _) }
 
diff --git a/csharp/ql/test/library-tests/comments/LineDirectives.expected b/csharp/ql/test/library-tests/comments/LineDirectives.expected
index 58b54de85e6..13c3658fe82 100644
--- a/csharp/ql/test/library-tests/comments/LineDirectives.expected
+++ b/csharp/ql/test/library-tests/comments/LineDirectives.expected
@@ -19,4 +19,3 @@ mapped
 | trivia.cs:20:9:20:11 | trivia.cs:20:9:20:11 | comments1.cs:2:9:2:11 | comments1.cs:2:9:2:11 |
 | trivia.cs:20:9:20:14 | trivia.cs:20:9:20:14 | comments1.cs:2:9:2:14 | comments1.cs:2:9:2:14 |
 | trivia.cs:20:13:20:13 | trivia.cs:20:13:20:13 | comments1.cs:2:13:2:13 | comments1.cs:2:13:2:13 |
-| trivia.cs:21:1:21:13 | trivia.cs:21:1:21:13 | comments1.cs:3:1:3:13 | comments1.cs:3:1:3:13 |

From fd09883bfeed4e69ad891f0e4d175d8274885d4f Mon Sep 17 00:00:00 2001
From: Tamas Vajk <tamasvajk@github.com>
Date: Mon, 1 Feb 2021 09:33:52 +0100
Subject: [PATCH 134/429] Add change notes for preprocessor directives

---
 csharp/change-notes/2021-02-01-Preprocessor-directives.md | 8 ++++++++
 1 file changed, 8 insertions(+)
 create mode 100644 csharp/change-notes/2021-02-01-Preprocessor-directives.md

diff --git a/csharp/change-notes/2021-02-01-Preprocessor-directives.md b/csharp/change-notes/2021-02-01-Preprocessor-directives.md
new file mode 100644
index 00000000000..d81979c36cd
--- /dev/null
+++ b/csharp/change-notes/2021-02-01-Preprocessor-directives.md
@@ -0,0 +1,8 @@
+lgtm,codescanning
+* The `PreprocessorDirective` class and its base classes have been added to support
+preprocessor directives, such as `#if`, `#define`, `#undef`, `#line`, `#region`,
+`#warning`, `#error`, `#pragma warning`, `#pragma checksum` and `#nullable`. Furthermore,
+`#line` directives are now taken into account when querying the location of any
+code construct. Files referenced in preprocessor directives are also included in the
+extraction sources. This change is expected to lead to better error reporting locations
+in generated code, such as generated code from `.cshtml` files in ASP.NET Core.

From dbe656fe6a2da2b1dbd79d6d2f1499c668fbf5cb Mon Sep 17 00:00:00 2001
From: Tamas Vajk <tamasvajk@github.com>
Date: Mon, 1 Feb 2021 09:48:18 +0100
Subject: [PATCH 135/429] Add DB upgrade folder for preprocessor directives

---
 .../old.dbscheme                              | 1959 ++++++++++++++++
 .../semmlecode.csharp.dbscheme                | 2070 +++++++++++++++++
 .../upgrade.properties                        |    5 +
 3 files changed, 4034 insertions(+)
 create mode 100644 csharp/upgrades/efcd69e086a26dd33395f2ddb3113b2849399040/old.dbscheme
 create mode 100644 csharp/upgrades/efcd69e086a26dd33395f2ddb3113b2849399040/semmlecode.csharp.dbscheme
 create mode 100644 csharp/upgrades/efcd69e086a26dd33395f2ddb3113b2849399040/upgrade.properties

diff --git a/csharp/upgrades/efcd69e086a26dd33395f2ddb3113b2849399040/old.dbscheme b/csharp/upgrades/efcd69e086a26dd33395f2ddb3113b2849399040/old.dbscheme
new file mode 100644
index 00000000000..efcd69e086a
--- /dev/null
+++ b/csharp/upgrades/efcd69e086a26dd33395f2ddb3113b2849399040/old.dbscheme
@@ -0,0 +1,1959 @@
+
+/**
+ * An invocation of the compiler. Note that more than one file may be
+ * compiled per invocation. For example, this command compiles three
+ * source files:
+ *
+ *   csc f1.cs f2.cs f3.cs
+ *
+ * The `id` simply identifies the invocation, while `cwd` is the working
+ * directory from which the compiler was invoked.
+ */
+compilations(
+    unique int id : @compilation,
+    string cwd : string ref
+);
+
+/**
+ * The arguments that were passed to the extractor for a compiler
+ * invocation. If `id` is for the compiler invocation
+ *
+ *   csc f1.cs f2.cs f3.cs
+ *
+ * then typically there will be rows for
+ *
+ * num | arg
+ * --- | ---
+ * 0   | --compiler
+ * 1   | *path to compiler*
+ * 2   | --cil
+ * 3   | f1.cs
+ * 4   | f2.cs
+ * 5   | f3.cs
+ */
+#keyset[id, num]
+compilation_args(
+    int id : @compilation ref,
+    int num : int ref,
+    string arg : string ref
+);
+
+/**
+ * The source files that are compiled by a compiler invocation.
+ * If `id` is for the compiler invocation
+ *
+ *   csc f1.cs f2.cs f3.cs
+ *
+ * then there will be rows for
+ *
+ * num | arg
+ * --- | ---
+ * 0   | f1.cs
+ * 1   | f2.cs
+ * 2   | f3.cs
+ */
+#keyset[id, num]
+compilation_compiling_files(
+    int id : @compilation ref,
+    int num : int ref,
+    int file : @file ref
+);
+
+/**
+ * The references used by a compiler invocation.
+ * If `id` is for the compiler invocation
+ *
+ *   csc f1.cs f2.cs f3.cs /r:ref1.dll /r:ref2.dll /r:ref3.dll
+ *
+ * then there will be rows for
+ *
+ * num | arg
+ * --- | ---
+ * 0   | ref1.dll
+ * 1   | ref2.dll
+ * 2   | ref3.dll
+ */
+#keyset[id, num]
+compilation_referencing_files(
+    int id : @compilation ref,
+    int num : int ref,
+    int file : @file ref
+);
+
+/**
+ * The time taken by the extractor for a compiler invocation.
+ *
+ * For each file `num`, there will be rows for
+ *
+ * kind | seconds
+ * ---- | ---
+ * 1    | CPU seconds used by the extractor frontend
+ * 2    | Elapsed seconds during the extractor frontend
+ * 3    | CPU seconds used by the extractor backend
+ * 4    | Elapsed seconds during the extractor backend
+ */
+#keyset[id, num, kind]
+compilation_time(
+    int id : @compilation ref,
+    int num : int ref,
+    /* kind:
+       1 = frontend_cpu_seconds
+       2 = frontend_elapsed_seconds
+       3 = extractor_cpu_seconds
+       4 = extractor_elapsed_seconds
+    */
+    int kind : int ref,
+    float seconds : float ref
+);
+
+/**
+ * An error or warning generated by the extractor.
+ * The diagnostic message `diagnostic` was generated during compiler
+ * invocation `compilation`, and is the `file_number_diagnostic_number`th
+ * message generated while extracting the `file_number`th file of that
+ * invocation.
+ */
+#keyset[compilation, file_number, file_number_diagnostic_number]
+diagnostic_for(
+    unique int diagnostic : @diagnostic ref,
+    int compilation : @compilation ref,
+    int file_number : int ref,
+    int file_number_diagnostic_number : int ref
+);
+
+diagnostics(
+    unique int id: @diagnostic,
+    int severity: int ref,
+    string error_tag: string ref,
+    string error_message: string ref,
+    string full_error_message: string ref,
+    int location: @location_default ref
+);
+
+extractor_messages(
+    unique int id: @extractor_message,
+    int severity: int ref,
+    string origin : string ref,
+    string text : string ref,
+    string entity : string ref,
+    int location: @location_default ref,
+    string stack_trace : string ref
+);
+
+/**
+ * If extraction was successful, then `cpu_seconds` and
+ * `elapsed_seconds` are the CPU time and elapsed time (respectively)
+ * that extraction took for compiler invocation `id`.
+ */
+compilation_finished(
+    unique int id : @compilation ref,
+    float cpu_seconds : float ref,
+    float elapsed_seconds : float ref
+);
+
+compilation_assembly(
+  unique int id : @compilation ref,
+  int assembly: @assembly ref
+)
+
+/*
+ * External artifacts
+ */
+
+externalDefects(
+  unique int id: @externalDefect,
+  string queryPath: string ref,
+  int location: @location ref,
+  string message: string ref,
+  float severity: float ref);
+
+externalMetrics(
+  unique int id: @externalMetric,
+  string queryPath: string ref,
+  int location: @location ref,
+  float value: float ref);
+
+externalData(
+  int id: @externalDataElement,
+  string path: string ref,
+  int column: int ref,
+  string value: string ref);
+
+snapshotDate(
+  unique date snapshotDate: date ref);
+
+sourceLocationPrefix(
+  string prefix: string ref);
+
+/*
+ * Duplicate code
+ */
+
+duplicateCode(
+  unique int id: @duplication,
+  string relativePath: string ref,
+  int equivClass: int ref);
+
+similarCode(
+  unique int id: @similarity,
+  string relativePath: string ref,
+  int equivClass: int ref);
+
+@duplication_or_similarity = @duplication | @similarity
+
+tokens(
+  int id: @duplication_or_similarity ref,
+  int offset: int ref,
+  int beginLine: int ref,
+  int beginColumn: int ref,
+  int endLine: int ref,
+  int endColumn: int ref);
+
+/*
+ * C# dbscheme
+ */
+
+/** ELEMENTS **/
+
+@element = @declaration | @stmt | @expr | @modifier | @attribute | @namespace_declaration
+         | @using_directive | @type_parameter_constraints | @external_element
+         | @xmllocatable | @asp_element | @namespace;
+
+@declaration = @callable | @generic | @assignable | @namespace;
+
+@named_element = @namespace | @declaration;
+
+@declaration_with_accessors = @property | @indexer | @event;
+
+@assignable = @variable | @assignable_with_accessors | @event;
+
+@assignable_with_accessors = @property | @indexer;
+
+@external_element = @externalMetric | @externalDefect | @externalDataElement;
+
+@attributable = @assembly | @field | @parameter | @operator | @method | @constructor
+              | @destructor | @callable_accessor | @value_or_ref_type | @declaration_with_accessors
+              | @local_function;
+
+/** LOCATIONS, ASEMMBLIES, MODULES, FILES and FOLDERS **/
+
+@location = @location_default | @assembly;
+
+locations_default(
+  unique int id: @location_default,
+  int file: @file ref,
+  int beginLine: int ref,
+  int beginColumn: int ref,
+  int endLine: int ref,
+  int endColumn: int ref);
+
+@sourceline = @file | @callable | @xmllocatable;
+
+numlines(
+  int element_id: @sourceline ref,
+  int num_lines: int ref,
+  int num_code: int ref,
+  int num_comment: int ref);
+
+assemblies(
+  unique int id: @assembly,
+  int file: @file ref,
+  string fullname: string ref,
+  string name: string ref,
+  string version: string ref);
+
+/*
+  fromSource(0) = unknown,
+  fromSource(1) = from source,
+  fromSource(2) = from library
+*/
+files(
+  unique int id: @file,
+  string name: string ref,
+  string simple: string ref,
+  string ext: string ref,
+  int fromSource: int ref);
+
+folders(
+  unique int id: @folder,
+  string name: string ref,
+  string simple: string ref);
+
+@container = @folder | @file ;
+
+containerparent(
+  int parent: @container ref,
+  unique int child: @container ref);
+
+file_extraction_mode(
+  unique int file: @file ref,
+  int mode: int ref
+  /* 0 = normal, 1 = standalone extractor */
+  );
+
+/** NAMESPACES **/
+
+@type_container = @namespace | @type;
+
+namespaces(
+  unique int id: @namespace,
+  string name: string ref);
+
+namespace_declarations(
+  unique int id: @namespace_declaration,
+  int namespace_id: @namespace ref);
+
+namespace_declaration_location(
+  unique int id: @namespace_declaration ref,
+  int loc: @location ref);
+
+parent_namespace(
+  unique int child_id: @type_container ref,
+  int namespace_id: @namespace ref);
+
+@declaration_or_directive = @namespace_declaration | @type | @using_directive;
+
+parent_namespace_declaration(
+  int child_id: @declaration_or_directive ref, // cannot be unique because of partial classes
+  int namespace_id: @namespace_declaration ref);
+
+@using_directive = @using_namespace_directive | @using_static_directive;
+
+using_namespace_directives(
+  unique int id: @using_namespace_directive,
+  int namespace_id: @namespace ref);
+
+using_static_directives(
+  unique int id: @using_static_directive,
+  int type_id: @type_or_ref ref);
+
+using_directive_location(
+  unique int id: @using_directive ref,
+  int loc: @location ref);
+
+/** TYPES **/
+
+types(
+  unique int id: @type,
+  int kind: int ref,
+  string name: string ref);
+
+case @type.kind of
+   1 = @bool_type
+|  2 = @char_type
+|  3 = @decimal_type
+|  4 = @sbyte_type
+|  5 = @short_type
+|  6 = @int_type
+|  7 = @long_type
+|  8 = @byte_type
+|  9 = @ushort_type
+| 10 = @uint_type
+| 11 = @ulong_type
+| 12 = @float_type
+| 13 = @double_type
+| 14 = @enum_type
+| 15 = @struct_type
+| 17 = @class_type
+| 19 = @interface_type
+| 20 = @delegate_type
+| 21 = @null_type
+| 22 = @type_parameter
+| 23 = @pointer_type
+| 24 = @nullable_type
+| 25 = @array_type
+| 26 = @void_type
+| 27 = @int_ptr_type
+| 28 = @uint_ptr_type
+| 29 = @dynamic_type
+| 30 = @arglist_type
+| 31 = @unknown_type
+| 32 = @tuple_type
+| 33 = @function_pointer_type
+  ;
+
+@simple_type = @bool_type | @char_type | @integral_type | @floating_point_type | @decimal_type;
+@integral_type = @signed_integral_type | @unsigned_integral_type;
+@signed_integral_type = @sbyte_type | @short_type | @int_type | @long_type;
+@unsigned_integral_type = @byte_type  | @ushort_type | @uint_type | @ulong_type;
+@floating_point_type = @float_type | @double_type;
+@value_type = @simple_type | @enum_type | @struct_type | @nullable_type | @int_ptr_type
+            | @uint_ptr_type | @tuple_type;
+@ref_type = @class_type | @interface_type | @array_type | @delegate_type | @null_type
+          | @dynamic_type;
+@value_or_ref_type = @value_type | @ref_type;
+
+typerefs(
+  unique int id: @typeref,
+  string name: string ref);
+
+typeref_type(
+  int id: @typeref ref,
+  unique int typeId: @type ref);
+
+@type_or_ref = @type | @typeref;
+
+array_element_type(
+  unique int array: @array_type ref,
+  int dimension: int ref,
+  int rank: int ref,
+  int element: @type_or_ref ref);
+
+nullable_underlying_type(
+  unique int nullable: @nullable_type ref,
+  int underlying: @type_or_ref ref);
+
+pointer_referent_type(
+  unique int pointer: @pointer_type ref,
+  int referent: @type_or_ref ref);
+
+enum_underlying_type(
+  unique int enum_id: @enum_type ref,
+  int underlying_type_id: @type_or_ref ref);
+
+delegate_return_type(
+  unique int delegate_id: @delegate_type ref,
+  int return_type_id: @type_or_ref ref);
+
+function_pointer_return_type(
+    unique int function_pointer_id: @function_pointer_type ref,
+    int return_type_id: @type_or_ref ref);
+
+extend(
+  unique int sub: @type ref,
+  int super: @type_or_ref ref);
+
+anonymous_types(
+  unique int id: @type ref);
+
+@interface_or_ref = @interface_type | @typeref;
+
+implement(
+  int sub: @type ref,
+  int super: @type_or_ref ref);
+
+type_location(
+  int id: @type ref,
+  int loc: @location ref);
+
+tuple_underlying_type(
+  unique int tuple: @tuple_type ref,
+  int struct: @type_or_ref ref);
+
+#keyset[tuple, index]
+tuple_element(
+  int tuple: @tuple_type ref,
+  int index: int ref,
+  unique int field: @field ref);
+
+attributes(
+  unique int id: @attribute,
+  int type_id: @type_or_ref ref,
+  int target:  @attributable ref);
+
+attribute_location(
+  int id: @attribute ref,
+  int loc: @location ref);
+
+@type_mention_parent = @element | @type_mention;
+
+type_mention(
+  unique int id: @type_mention,
+  int type_id: @type_or_ref ref,
+  int parent: @type_mention_parent ref);
+
+type_mention_location(
+  unique int id: @type_mention ref,
+  int loc: @location ref);
+
+@has_type_annotation = @assignable | @type_parameter | @callable | @expr | @delegate_type | @generic | @function_pointer_type;
+
+/**
+ * A direct annotation on an entity, for example `string? x;`.
+ *
+ * Annotations:
+ * 2 = reftype is not annotated "!"
+ * 3 = reftype is annotated "?"
+ * 4 = readonly ref type / in parameter
+ * 5 = ref type parameter, return or local variable
+ * 6 = out parameter
+ *
+ * Note that the annotation depends on the element it annotates.
+ * @assignable: The annotation is on the type of the assignable, for example the variable type.
+ * @type_parameter: The annotation is on the reftype constraint
+ * @callable: The annotation is on the return type
+ * @array_type: The annotation is on the element type
+ */
+type_annotation(int id: @has_type_annotation ref, int annotation: int ref);
+
+nullability(unique int nullability: @nullability, int kind: int ref);
+
+case @nullability.kind of
+  0 = @oblivious
+| 1 = @not_annotated
+| 2 = @annotated
+;
+
+#keyset[parent, index]
+nullability_parent(int nullability: @nullability ref, int index: int ref, int parent: @nullability ref)
+
+type_nullability(int id: @has_type_annotation ref, int nullability: @nullability ref);
+
+/**
+ * The nullable flow state of an expression, as determined by Roslyn.
+ *   0 = none (default, not populated)
+ *   1 = not null
+ *   2 = maybe null
+ */
+expr_flowstate(unique int id: @expr ref, int state: int ref);
+
+/** GENERICS **/
+
+@generic = @type | @method | @local_function;
+
+type_parameters(
+  unique int id: @type_parameter ref,
+  int index: int ref,
+  int generic_id: @generic ref,
+  int variance: int ref /* none = 0, out = 1, in = 2 */);
+
+#keyset[constructed_id, index]
+type_arguments(
+  int id: @type_or_ref ref,
+  int index: int ref,
+  int constructed_id: @generic_or_ref ref);
+
+@generic_or_ref = @generic | @typeref;
+
+constructed_generic(
+  unique int constructed: @generic ref,
+  int generic: @generic_or_ref ref);
+
+type_parameter_constraints(
+  unique int id: @type_parameter_constraints,
+  int param_id: @type_parameter ref);
+
+type_parameter_constraints_location(
+  int id: @type_parameter_constraints ref,
+  int loc: @location ref);
+
+general_type_parameter_constraints(
+  int id: @type_parameter_constraints ref,
+  int kind: int ref /* class = 1, struct = 2, new = 3 */);
+
+specific_type_parameter_constraints(
+  int id: @type_parameter_constraints ref,
+  int base_id: @type_or_ref ref);
+
+specific_type_parameter_nullability(
+  int id: @type_parameter_constraints ref,
+  int base_id: @type_or_ref ref,
+  int nullability: @nullability ref);
+
+/** FUNCTION POINTERS */
+
+function_pointer_calling_conventions(
+  int id: @function_pointer_type ref,
+  int kind: int ref);
+
+#keyset[id, index]
+has_unmanaged_calling_conventions(
+  int id: @function_pointer_type ref,
+  int index: int ref,
+  int conv_id: @type_or_ref ref);
+
+/** MODIFIERS */
+
+@modifiable = @modifiable_direct | @event_accessor;
+
+@modifiable_direct = @member | @accessor | @local_function | @anonymous_function_expr;
+
+modifiers(
+  unique int id: @modifier,
+  string name: string ref);
+
+has_modifiers(
+  int id: @modifiable_direct ref,
+  int mod_id: @modifier ref);
+
+compiler_generated(unique int id: @modifiable_direct ref);
+
+/** MEMBERS **/
+
+@member = @method | @constructor | @destructor | @field | @property | @event | @operator | @indexer | @type;
+
+@named_exprorstmt = @goto_stmt | @labeled_stmt | @expr;
+
+@virtualizable = @method | @property | @indexer | @event;
+
+exprorstmt_name(
+  unique int parent_id: @named_exprorstmt ref,
+  string name: string ref);
+
+nested_types(
+  unique int id: @type ref,
+  int declaring_type_id: @type ref,
+  int unbound_id: @type ref);
+
+properties(
+  unique int id: @property,
+  string name: string ref,
+  int declaring_type_id: @type ref,
+  int type_id: @type_or_ref ref,
+  int unbound_id: @property ref);
+
+property_location(
+  int id: @property ref,
+  int loc: @location ref);
+
+indexers(
+  unique int id: @indexer,
+  string name: string ref,
+  int declaring_type_id: @type ref,
+  int type_id: @type_or_ref ref,
+  int unbound_id: @indexer ref);
+
+indexer_location(
+  int id: @indexer ref,
+  int loc: @location ref);
+
+accessors(
+  unique int id: @accessor,
+  int kind: int ref,
+  string name: string ref,
+  int declaring_member_id: @member ref,
+  int unbound_id: @accessor ref);
+
+case @accessor.kind of
+  1 = @getter
+| 2 = @setter
+  ;
+
+init_only_accessors(
+  unique int id: @accessor ref);
+
+accessor_location(
+  int id: @accessor ref,
+  int loc: @location ref);
+
+events(
+  unique int id: @event,
+  string name: string ref,
+  int declaring_type_id: @type ref,
+  int type_id: @type_or_ref ref,
+  int unbound_id: @event ref);
+
+event_location(
+  int id: @event ref,
+  int loc: @location ref);
+
+event_accessors(
+  unique int id: @event_accessor,
+  int kind: int ref,
+  string name: string ref,
+  int declaring_event_id: @event ref,
+  int unbound_id: @event_accessor ref);
+
+case @event_accessor.kind of
+  1 = @add_event_accessor
+| 2 = @remove_event_accessor
+  ;
+
+event_accessor_location(
+  int id: @event_accessor ref,
+  int loc: @location ref);
+
+operators(
+  unique int id: @operator,
+  string name: string ref,
+  string symbol: string ref,
+  int declaring_type_id: @type ref,
+  int type_id: @type_or_ref ref,
+  int unbound_id: @operator ref);
+
+operator_location(
+  int id: @operator ref,
+  int loc: @location ref);
+
+constant_value(
+  int id: @variable ref,
+  string value: string ref);
+
+/** CALLABLES **/
+
+@callable = @method | @constructor | @destructor | @operator | @callable_accessor | @anonymous_function_expr | @local_function;
+
+@callable_accessor = @accessor | @event_accessor;
+
+methods(
+  unique int id: @method,
+  string name: string ref,
+  int declaring_type_id: @type ref,
+  int type_id: @type_or_ref ref,
+  int unbound_id: @method ref);
+
+method_location(
+  int id: @method ref,
+  int loc: @location ref);
+
+constructors(
+  unique int id: @constructor,
+  string name: string ref,
+  int declaring_type_id: @type ref,
+  int unbound_id: @constructor ref);
+
+constructor_location(
+  int id: @constructor ref,
+  int loc: @location ref);
+
+destructors(
+  unique int id: @destructor,
+  string name: string ref,
+  int declaring_type_id: @type ref,
+  int unbound_id: @destructor ref);
+
+destructor_location(
+  int id: @destructor ref,
+  int loc: @location ref);
+
+overrides(
+  int id: @callable ref,
+  int base_id: @callable ref);
+
+explicitly_implements(
+  int id: @member ref,
+  int interface_id: @interface_or_ref ref);
+
+local_functions(
+    unique int id: @local_function,
+    string name: string ref,
+    int return_type: @type ref,
+    int unbound_id: @local_function ref);
+
+local_function_stmts(
+    unique int fn: @local_function_stmt ref,
+    int stmt: @local_function ref);
+
+/** VARIABLES **/
+
+@variable = @local_scope_variable | @field;
+
+@local_scope_variable = @local_variable | @parameter;
+
+fields(
+  unique int id: @field,
+  int kind: int ref,
+  string name: string ref,
+  int declaring_type_id: @type ref,
+  int type_id: @type_or_ref ref,
+  int unbound_id: @field ref);
+
+case @field.kind of
+  1 = @addressable_field
+| 2 = @constant
+  ;
+
+field_location(
+  int id: @field ref,
+  int loc: @location ref);
+
+localvars(
+  unique int id: @local_variable,
+  int kind: int ref,
+  string name: string ref,
+  int implicitly_typed: int ref /* 0 = no, 1 = yes */,
+  int type_id: @type_or_ref ref,
+  int parent_id: @local_var_decl_expr ref);
+
+case @local_variable.kind of
+  1 = @addressable_local_variable
+| 2 = @local_constant
+| 3 = @local_variable_ref
+  ;
+
+localvar_location(
+  unique int id: @local_variable ref,
+  int loc: @location ref);
+
+@parameterizable = @callable | @delegate_type | @indexer | @function_pointer_type;
+
+#keyset[name, parent_id]
+#keyset[index, parent_id]
+params(
+  unique int id: @parameter,
+  string name: string ref,
+  int type_id: @type_or_ref ref,
+  int index: int ref,
+  int mode: int ref, /* value = 0, ref = 1, out = 2, array = 3, this = 4 */
+  int parent_id: @parameterizable ref,
+  int unbound_id: @parameter ref);
+
+param_location(
+  int id: @parameter ref,
+  int loc: @location ref);
+
+/** STATEMENTS **/
+
+@exprorstmt_parent = @control_flow_element | @top_level_exprorstmt_parent;
+
+statements(
+  unique int id: @stmt,
+  int kind: int ref);
+
+#keyset[index, parent]
+stmt_parent(
+  unique int stmt: @stmt ref,
+  int index: int ref,
+  int parent: @control_flow_element ref);
+
+@top_level_stmt_parent = @callable;
+
+// [index, parent] is not a keyset because the same parent may be compiled multiple times
+stmt_parent_top_level(
+  unique int stmt: @stmt ref,
+  int index: int ref,
+  int parent: @top_level_stmt_parent ref);
+
+case @stmt.kind of
+   1 = @block_stmt
+|  2 = @expr_stmt
+|  3 = @if_stmt
+|  4 = @switch_stmt
+|  5 = @while_stmt
+|  6 = @do_stmt
+|  7 = @for_stmt
+|  8 = @foreach_stmt
+|  9 = @break_stmt
+| 10 = @continue_stmt
+| 11 = @goto_stmt
+| 12 = @goto_case_stmt
+| 13 = @goto_default_stmt
+| 14 = @throw_stmt
+| 15 = @return_stmt
+| 16 = @yield_stmt
+| 17 = @try_stmt
+| 18 = @checked_stmt
+| 19 = @unchecked_stmt
+| 20 = @lock_stmt
+| 21 = @using_block_stmt
+| 22 = @var_decl_stmt
+| 23 = @const_decl_stmt
+| 24 = @empty_stmt
+| 25 = @unsafe_stmt
+| 26 = @fixed_stmt
+| 27 = @label_stmt
+| 28 = @catch
+| 29 = @case_stmt
+| 30 = @local_function_stmt
+| 31 = @using_decl_stmt
+  ;
+
+@using_stmt = @using_block_stmt | @using_decl_stmt;
+
+@labeled_stmt = @label_stmt | @case;
+
+@decl_stmt = @var_decl_stmt | @const_decl_stmt | @using_decl_stmt;
+
+@cond_stmt = @if_stmt | @switch_stmt;
+
+@loop_stmt = @while_stmt | @do_stmt | @for_stmt | @foreach_stmt;
+
+@jump_stmt = @break_stmt | @goto_any_stmt | @continue_stmt | @throw_stmt | @return_stmt
+           | @yield_stmt;
+
+@goto_any_stmt = @goto_default_stmt | @goto_case_stmt | @goto_stmt;
+
+
+stmt_location(
+  unique int id: @stmt ref,
+  int loc: @location ref);
+
+catch_type(
+  unique int catch_id: @catch ref,
+  int type_id: @type_or_ref ref,
+  int kind: int ref /* explicit = 1, implicit = 2 */);
+
+/** EXPRESSIONS **/
+
+expressions(
+  unique int id: @expr,
+  int kind: int ref,
+  int type_id: @type_or_ref ref);
+
+#keyset[index, parent]
+expr_parent(
+  unique int expr: @expr ref,
+  int index: int ref,
+  int parent: @control_flow_element ref);
+
+@top_level_expr_parent = @attribute | @field | @property | @indexer | @parameter;
+
+@top_level_exprorstmt_parent = @top_level_expr_parent | @top_level_stmt_parent;
+
+// [index, parent] is not a keyset because the same parent may be compiled multiple times
+expr_parent_top_level(
+  unique int expr: @expr ref,
+  int index: int ref,
+  int parent: @top_level_exprorstmt_parent ref);
+
+case @expr.kind of
+/* literal */
+   1 = @bool_literal_expr
+|  2 = @char_literal_expr
+|  3 = @decimal_literal_expr
+|  4 = @int_literal_expr
+|  5 = @long_literal_expr
+|  6 = @uint_literal_expr
+|  7 = @ulong_literal_expr
+|  8 = @float_literal_expr
+|  9 = @double_literal_expr
+| 10 = @string_literal_expr
+| 11 = @null_literal_expr
+/* primary & unary */
+| 12 = @this_access_expr
+| 13 = @base_access_expr
+| 14 = @local_variable_access_expr
+| 15 = @parameter_access_expr
+| 16 = @field_access_expr
+| 17 = @property_access_expr
+| 18 = @method_access_expr
+| 19 = @event_access_expr
+| 20 = @indexer_access_expr
+| 21 = @array_access_expr
+| 22 = @type_access_expr
+| 23 = @typeof_expr
+| 24 = @method_invocation_expr
+| 25 = @delegate_invocation_expr
+| 26 = @operator_invocation_expr
+| 27 = @cast_expr
+| 28 = @object_creation_expr
+| 29 = @explicit_delegate_creation_expr
+| 30 = @implicit_delegate_creation_expr
+| 31 = @array_creation_expr
+| 32 = @default_expr
+| 33 = @plus_expr
+| 34 = @minus_expr
+| 35 = @bit_not_expr
+| 36 = @log_not_expr
+| 37 = @post_incr_expr
+| 38 = @post_decr_expr
+| 39 = @pre_incr_expr
+| 40 = @pre_decr_expr
+/* multiplicative */
+| 41 = @mul_expr
+| 42 = @div_expr
+| 43 = @rem_expr
+/* additive */
+| 44 = @add_expr
+| 45 = @sub_expr
+/* shift */
+| 46 = @lshift_expr
+| 47 = @rshift_expr
+/* relational */
+| 48 = @lt_expr
+| 49 = @gt_expr
+| 50 = @le_expr
+| 51 = @ge_expr
+/* equality */
+| 52 = @eq_expr
+| 53 = @ne_expr
+/* logical */
+| 54 = @bit_and_expr
+| 55 = @bit_xor_expr
+| 56 = @bit_or_expr
+| 57 = @log_and_expr
+| 58 = @log_or_expr
+/* type testing */
+| 59 = @is_expr
+| 60 = @as_expr
+/* null coalescing */
+| 61 = @null_coalescing_expr
+/* conditional */
+| 62 = @conditional_expr
+/* assignment */
+| 63 = @simple_assign_expr
+| 64 = @assign_add_expr
+| 65 = @assign_sub_expr
+| 66 = @assign_mul_expr
+| 67 = @assign_div_expr
+| 68 = @assign_rem_expr
+| 69 = @assign_and_expr
+| 70 = @assign_xor_expr
+| 71 = @assign_or_expr
+| 72 = @assign_lshift_expr
+| 73 = @assign_rshift_expr
+/* more */
+| 74 = @object_init_expr
+| 75 = @collection_init_expr
+| 76 = @array_init_expr
+| 77 = @checked_expr
+| 78 = @unchecked_expr
+| 79 = @constructor_init_expr
+| 80 = @add_event_expr
+| 81 = @remove_event_expr
+| 82 = @par_expr
+| 83 = @local_var_decl_expr
+| 84 = @lambda_expr
+| 85 = @anonymous_method_expr
+| 86 = @namespace_expr
+/* dynamic */
+| 92 = @dynamic_element_access_expr
+| 93 = @dynamic_member_access_expr
+/* unsafe */
+| 100 = @pointer_indirection_expr
+| 101 = @address_of_expr
+| 102 = @sizeof_expr
+/* async */
+| 103 = @await_expr
+/* C# 6.0 */
+| 104 = @nameof_expr
+| 105 = @interpolated_string_expr
+| 106 = @unknown_expr
+/* C# 7.0 */
+| 107 = @throw_expr
+| 108 = @tuple_expr
+| 109 = @local_function_invocation_expr
+| 110 = @ref_expr
+| 111 = @discard_expr
+/* C# 8.0 */
+| 112 = @range_expr
+| 113 = @index_expr
+| 114 = @switch_expr
+| 115 = @recursive_pattern_expr
+| 116 = @property_pattern_expr
+| 117 = @positional_pattern_expr
+| 118 = @switch_case_expr
+| 119 = @assign_coalesce_expr
+| 120 = @suppress_nullable_warning_expr
+| 121 = @namespace_access_expr
+/* C# 9.0 */
+| 122 = @lt_pattern_expr
+| 123 = @gt_pattern_expr
+| 124 = @le_pattern_expr
+| 125 = @ge_pattern_expr
+| 126 = @not_pattern_expr
+| 127 = @and_pattern_expr
+| 128 = @or_pattern_expr
+| 129 = @function_pointer_invocation_expr
+;
+
+@switch = @switch_stmt | @switch_expr;
+@case = @case_stmt | @switch_case_expr;
+@pattern_match = @case | @is_expr;
+@unary_pattern_expr = @not_pattern_expr;
+@relational_pattern_expr = @gt_pattern_expr | @lt_pattern_expr | @ge_pattern_expr | @le_pattern_expr;
+@binary_pattern_expr = @and_pattern_expr | @or_pattern_expr;
+
+@integer_literal_expr = @int_literal_expr | @long_literal_expr | @uint_literal_expr | @ulong_literal_expr;
+@real_literal_expr = @float_literal_expr | @double_literal_expr | @decimal_literal_expr;
+@literal_expr = @bool_literal_expr | @char_literal_expr | @integer_literal_expr | @real_literal_expr
+              | @string_literal_expr | @null_literal_expr;
+
+@assign_expr = @simple_assign_expr | @assign_op_expr | @local_var_decl_expr;
+@assign_op_expr =  @assign_arith_expr | @assign_bitwise_expr | @assign_event_expr | @assign_coalesce_expr;
+@assign_event_expr = @add_event_expr | @remove_event_expr;
+
+@assign_arith_expr = @assign_add_expr | @assign_sub_expr | @assign_mul_expr | @assign_div_expr
+                   | @assign_rem_expr
+@assign_bitwise_expr = @assign_and_expr | @assign_or_expr | @assign_xor_expr
+                   | @assign_lshift_expr | @assign_rshift_expr;
+
+@member_access_expr = @field_access_expr | @property_access_expr | @indexer_access_expr | @event_access_expr
+                    | @method_access_expr | @type_access_expr | @dynamic_member_access_expr;
+@access_expr = @member_access_expr | @this_access_expr | @base_access_expr | @assignable_access_expr | @namespace_access_expr;
+@element_access_expr = @indexer_access_expr | @array_access_expr | @dynamic_element_access_expr;
+
+@local_variable_access = @local_variable_access_expr | @local_var_decl_expr;
+@local_scope_variable_access_expr = @parameter_access_expr | @local_variable_access;
+@variable_access_expr = @local_scope_variable_access_expr | @field_access_expr;
+
+@assignable_access_expr = @variable_access_expr | @property_access_expr | @element_access_expr
+                        | @event_access_expr | @dynamic_member_access_expr;
+
+@objectorcollection_init_expr = @object_init_expr | @collection_init_expr;
+
+@delegate_creation_expr = @explicit_delegate_creation_expr | @implicit_delegate_creation_expr;
+
+@bin_arith_op_expr = @mul_expr | @div_expr | @rem_expr | @add_expr | @sub_expr;
+@incr_op_expr =  @pre_incr_expr | @post_incr_expr;
+@decr_op_expr =  @pre_decr_expr | @post_decr_expr;
+@mut_op_expr = @incr_op_expr | @decr_op_expr;
+@un_arith_op_expr = @plus_expr | @minus_expr | @mut_op_expr;
+@arith_op_expr = @bin_arith_op_expr | @un_arith_op_expr;
+
+@ternary_log_op_expr = @conditional_expr;
+@bin_log_op_expr = @log_and_expr | @log_or_expr | @null_coalescing_expr;
+@un_log_op_expr = @log_not_expr;
+@log_expr = @un_log_op_expr | @bin_log_op_expr | @ternary_log_op_expr;
+
+@bin_bit_op_expr =  @bit_and_expr | @bit_or_expr | @bit_xor_expr | @lshift_expr
+                 | @rshift_expr;
+@un_bit_op_expr = @bit_not_expr;
+@bit_expr = @un_bit_op_expr | @bin_bit_op_expr;
+
+@equality_op_expr =  @eq_expr | @ne_expr;
+@rel_op_expr = @gt_expr | @lt_expr| @ge_expr | @le_expr;
+@comp_expr = @equality_op_expr | @rel_op_expr;
+
+@op_expr = @assign_expr | @un_op | @bin_op | @ternary_op;
+
+@ternary_op = @ternary_log_op_expr;
+@bin_op = @bin_arith_op_expr | @bin_log_op_expr | @bin_bit_op_expr | @comp_expr;
+@un_op = @un_arith_op_expr | @un_log_op_expr | @un_bit_op_expr | @sizeof_expr
+       | @pointer_indirection_expr | @address_of_expr;
+
+@anonymous_function_expr = @lambda_expr | @anonymous_method_expr;
+
+@call = @method_invocation_expr | @constructor_init_expr | @operator_invocation_expr
+      | @delegate_invocation_expr | @object_creation_expr | @call_access_expr
+      | @local_function_invocation_expr | @function_pointer_invocation_expr;
+
+@call_access_expr = @property_access_expr | @event_access_expr | @indexer_access_expr;
+
+@late_bindable_expr = @dynamic_element_access_expr | @dynamic_member_access_expr
+                    | @object_creation_expr | @method_invocation_expr | @operator_invocation_expr;
+
+@throw_element = @throw_expr | @throw_stmt;
+
+@implicitly_typeable_object_creation_expr = @object_creation_expr | @explicit_delegate_creation_expr;
+
+implicitly_typed_array_creation(
+  unique int id: @array_creation_expr ref);
+
+explicitly_sized_array_creation(
+  unique int id: @array_creation_expr ref);
+
+stackalloc_array_creation(
+  unique int id: @array_creation_expr ref);
+
+implicitly_typed_object_creation(
+  unique int id: @implicitly_typeable_object_creation_expr ref);
+
+mutator_invocation_mode(
+  unique int id: @operator_invocation_expr ref,
+  int mode: int ref /* prefix = 1, postfix = 2*/);
+
+expr_compiler_generated(
+  unique int id: @expr ref);
+
+expr_value(
+  unique int id: @expr ref,
+  string value: string ref);
+
+expr_call(
+  unique int caller_id: @expr ref,
+  int target_id: @callable ref);
+
+expr_access(
+  unique int accesser_id: @access_expr ref,
+  int target_id: @accessible ref);
+
+@accessible = @method | @assignable | @local_function | @namespace;
+
+expr_location(
+  unique int id: @expr ref,
+  int loc: @location ref);
+
+dynamic_member_name(
+  unique int id: @late_bindable_expr ref,
+  string name: string ref);
+
+@qualifiable_expr = @member_access_expr
+                  | @method_invocation_expr
+                  | @element_access_expr;
+
+conditional_access(
+  unique int id: @qualifiable_expr ref);
+
+expr_argument(
+  unique int id: @expr ref,
+  int mode: int ref);
+  /* mode is the same as params: value = 0, ref = 1, out = 2 */
+
+expr_argument_name(
+  unique int id: @expr ref,
+  string name: string ref);
+
+/** CONTROL/DATA FLOW **/
+
+@control_flow_element = @stmt | @expr;
+
+/* XML Files */
+
+xmlEncoding  (
+  unique int id: @file ref,
+  string encoding: string ref);
+
+xmlDTDs(
+  unique int id: @xmldtd,
+  string root: string ref,
+  string publicId: string ref,
+  string systemId: string ref,
+  int fileid: @file ref);
+
+xmlElements(
+  unique int id: @xmlelement,
+  string name: string ref,
+  int parentid: @xmlparent ref,
+  int idx: int ref,
+  int fileid: @file ref);
+
+xmlAttrs(
+  unique int id: @xmlattribute,
+  int elementid: @xmlelement ref,
+  string name: string ref,
+  string value: string ref,
+  int idx: int ref,
+  int fileid: @file ref);
+
+xmlNs(
+  int id: @xmlnamespace,
+  string prefixName: string ref,
+  string URI: string ref,
+  int fileid: @file ref);
+
+xmlHasNs(
+  int elementId: @xmlnamespaceable ref,
+  int nsId: @xmlnamespace ref,
+  int fileid: @file ref);
+
+xmlComments(
+  unique int id: @xmlcomment,
+  string text: string ref,
+  int parentid: @xmlparent ref,
+  int fileid: @file ref);
+
+xmlChars(
+  unique int id: @xmlcharacters,
+  string text: string ref,
+  int parentid: @xmlparent ref,
+  int idx: int ref,
+  int isCDATA: int ref,
+  int fileid: @file ref);
+
+@xmlparent = @file | @xmlelement;
+@xmlnamespaceable = @xmlelement | @xmlattribute;
+
+xmllocations(
+  int xmlElement: @xmllocatable ref,
+  int location: @location_default ref);
+
+@xmllocatable = @xmlcharacters | @xmlelement | @xmlcomment | @xmlattribute | @xmldtd | @file | @xmlnamespace;
+
+/* Comments */
+
+commentline(
+  unique int id: @commentline,
+  int kind: int ref,
+  string text: string ref,
+  string rawtext: string ref);
+
+case @commentline.kind of
+  0 = @singlelinecomment
+| 1 = @xmldoccomment
+| 2 = @multilinecomment;
+
+commentline_location(
+  unique int id: @commentline ref,
+  int loc: @location ref);
+
+commentblock(
+  unique int id : @commentblock);
+
+commentblock_location(
+  unique int id: @commentblock ref,
+  int loc: @location ref);
+
+commentblock_binding(
+  int id: @commentblock ref,
+  int entity: @element ref,
+  int bindtype: int ref);    /* 0: Parent, 1: Best, 2: Before, 3: After */
+
+commentblock_child(
+  int id: @commentblock ref,
+  int commentline: @commentline ref,
+  int index: int ref);
+
+/* ASP.NET */
+
+case @asp_element.kind of
+  0=@asp_close_tag
+| 1=@asp_code
+| 2=@asp_comment
+| 3=@asp_data_binding
+| 4=@asp_directive
+| 5=@asp_open_tag
+| 6=@asp_quoted_string
+| 7=@asp_text
+| 8=@asp_xml_directive;
+
+@asp_attribute = @asp_code | @asp_data_binding | @asp_quoted_string;
+
+asp_elements(
+  unique int id: @asp_element,
+  int kind: int ref,
+  int loc: @location ref);
+
+asp_comment_server(unique int comment: @asp_comment ref);
+asp_code_inline(unique int code: @asp_code ref);
+asp_directive_attribute(
+  int directive: @asp_directive ref,
+  int index: int ref,
+  string name: string ref,
+  int value: @asp_quoted_string ref);
+asp_directive_name(
+  unique int directive: @asp_directive ref,
+  string name: string ref);
+asp_element_body(
+  unique int element: @asp_element ref,
+  string body: string ref);
+asp_tag_attribute(
+  int tag: @asp_open_tag ref,
+  int index: int ref,
+  string name: string ref,
+  int attribute: @asp_attribute ref);
+asp_tag_name(
+  unique int tag: @asp_open_tag ref,
+  string name: string ref);
+asp_tag_isempty(int tag: @asp_open_tag ref);
+
+/* Common Intermediate Language - CIL */
+
+case @cil_instruction.opcode of
+  0 = @cil_nop
+| 1 = @cil_break
+| 2 = @cil_ldarg_0
+| 3 = @cil_ldarg_1
+| 4 = @cil_ldarg_2
+| 5 = @cil_ldarg_3
+| 6 = @cil_ldloc_0
+| 7 = @cil_ldloc_1
+| 8 = @cil_ldloc_2
+| 9 = @cil_ldloc_3
+| 10 = @cil_stloc_0
+| 11 = @cil_stloc_1
+| 12 = @cil_stloc_2
+| 13 = @cil_stloc_3
+| 14 = @cil_ldarg_s
+| 15 = @cil_ldarga_s
+| 16 = @cil_starg_s
+| 17 = @cil_ldloc_s
+| 18 = @cil_ldloca_s
+| 19 = @cil_stloc_s
+| 20 = @cil_ldnull
+| 21 = @cil_ldc_i4_m1
+| 22 = @cil_ldc_i4_0
+| 23 = @cil_ldc_i4_1
+| 24 = @cil_ldc_i4_2
+| 25 = @cil_ldc_i4_3
+| 26 = @cil_ldc_i4_4
+| 27 = @cil_ldc_i4_5
+| 28 = @cil_ldc_i4_6
+| 29 = @cil_ldc_i4_7
+| 30 = @cil_ldc_i4_8
+| 31 = @cil_ldc_i4_s
+| 32 = @cil_ldc_i4
+| 33 = @cil_ldc_i8
+| 34 = @cil_ldc_r4
+| 35 = @cil_ldc_r8
+| 37 = @cil_dup
+| 38 = @cil_pop
+| 39 = @cil_jmp
+| 40 = @cil_call
+| 41 = @cil_calli
+| 42 = @cil_ret
+| 43 = @cil_br_s
+| 44 = @cil_brfalse_s
+| 45 = @cil_brtrue_s
+| 46 = @cil_beq_s
+| 47 = @cil_bge_s
+| 48 = @cil_bgt_s
+| 49 = @cil_ble_s
+| 50 = @cil_blt_s
+| 51 = @cil_bne_un_s
+| 52 = @cil_bge_un_s
+| 53 = @cil_bgt_un_s
+| 54 = @cil_ble_un_s
+| 55 = @cil_blt_un_s
+| 56 = @cil_br
+| 57 = @cil_brfalse
+| 58 = @cil_brtrue
+| 59 = @cil_beq
+| 60 = @cil_bge
+| 61 = @cil_bgt
+| 62 = @cil_ble
+| 63 = @cil_blt
+| 64 = @cil_bne_un
+| 65 = @cil_bge_un
+| 66 = @cil_bgt_un
+| 67 = @cil_ble_un
+| 68 = @cil_blt_un
+| 69 = @cil_switch
+| 70 = @cil_ldind_i1
+| 71 = @cil_ldind_u1
+| 72 = @cil_ldind_i2
+| 73 = @cil_ldind_u2
+| 74 = @cil_ldind_i4
+| 75 = @cil_ldind_u4
+| 76 = @cil_ldind_i8
+| 77 = @cil_ldind_i
+| 78 = @cil_ldind_r4
+| 79 = @cil_ldind_r8
+| 80 = @cil_ldind_ref
+| 81 = @cil_stind_ref
+| 82 = @cil_stind_i1
+| 83 = @cil_stind_i2
+| 84 = @cil_stind_i4
+| 85 = @cil_stind_i8
+| 86 = @cil_stind_r4
+| 87 = @cil_stind_r8
+| 88 = @cil_add
+| 89 = @cil_sub
+| 90 = @cil_mul
+| 91 = @cil_div
+| 92 = @cil_div_un
+| 93 = @cil_rem
+| 94 = @cil_rem_un
+| 95 = @cil_and
+| 96 = @cil_or
+| 97 = @cil_xor
+| 98 = @cil_shl
+| 99 = @cil_shr
+| 100 = @cil_shr_un
+| 101 = @cil_neg
+| 102 = @cil_not
+| 103 = @cil_conv_i1
+| 104 = @cil_conv_i2
+| 105 = @cil_conv_i4
+| 106 = @cil_conv_i8
+| 107 = @cil_conv_r4
+| 108 = @cil_conv_r8
+| 109 = @cil_conv_u4
+| 110 = @cil_conv_u8
+| 111 = @cil_callvirt
+| 112 = @cil_cpobj
+| 113 = @cil_ldobj
+| 114 = @cil_ldstr
+| 115 = @cil_newobj
+| 116 = @cil_castclass
+| 117 = @cil_isinst
+| 118 = @cil_conv_r_un
+| 121 = @cil_unbox
+| 122 = @cil_throw
+| 123 = @cil_ldfld
+| 124 = @cil_ldflda
+| 125 = @cil_stfld
+| 126 = @cil_ldsfld
+| 127 = @cil_ldsflda
+| 128 = @cil_stsfld
+| 129 = @cil_stobj
+| 130 = @cil_conv_ovf_i1_un
+| 131 = @cil_conv_ovf_i2_un
+| 132 = @cil_conv_ovf_i4_un
+| 133 = @cil_conv_ovf_i8_un
+| 134 = @cil_conv_ovf_u1_un
+| 135 = @cil_conv_ovf_u2_un
+| 136 = @cil_conv_ovf_u4_un
+| 137 = @cil_conv_ovf_u8_un
+| 138 = @cil_conv_ovf_i_un
+| 139 = @cil_conv_ovf_u_un
+| 140 = @cil_box
+| 141 = @cil_newarr
+| 142 = @cil_ldlen
+| 143 = @cil_ldelema
+| 144 = @cil_ldelem_i1
+| 145 = @cil_ldelem_u1
+| 146 = @cil_ldelem_i2
+| 147 = @cil_ldelem_u2
+| 148 = @cil_ldelem_i4
+| 149 = @cil_ldelem_u4
+| 150 = @cil_ldelem_i8
+| 151 = @cil_ldelem_i
+| 152 = @cil_ldelem_r4
+| 153 = @cil_ldelem_r8
+| 154 = @cil_ldelem_ref
+| 155 = @cil_stelem_i
+| 156 = @cil_stelem_i1
+| 157 = @cil_stelem_i2
+| 158 = @cil_stelem_i4
+| 159 = @cil_stelem_i8
+| 160 = @cil_stelem_r4
+| 161 = @cil_stelem_r8
+| 162 = @cil_stelem_ref
+| 163 = @cil_ldelem
+| 164 = @cil_stelem
+| 165 = @cil_unbox_any
+| 179 = @cil_conv_ovf_i1
+| 180 = @cil_conv_ovf_u1
+| 181 = @cil_conv_ovf_i2
+| 182 = @cil_conv_ovf_u2
+| 183 = @cil_conv_ovf_i4
+| 184 = @cil_conv_ovf_u4
+| 185 = @cil_conv_ovf_i8
+| 186 = @cil_conv_ovf_u8
+| 194 = @cil_refanyval
+| 195 = @cil_ckinfinite
+| 198 = @cil_mkrefany
+| 208 = @cil_ldtoken
+| 209 = @cil_conv_u2
+| 210 = @cil_conv_u1
+| 211 = @cil_conv_i
+| 212 = @cil_conv_ovf_i
+| 213 = @cil_conv_ovf_u
+| 214 = @cil_add_ovf
+| 215 = @cil_add_ovf_un
+| 216 = @cil_mul_ovf
+| 217 = @cil_mul_ovf_un
+| 218 = @cil_sub_ovf
+| 219 = @cil_sub_ovf_un
+| 220 = @cil_endfinally
+| 221 = @cil_leave
+| 222 = @cil_leave_s
+| 223 = @cil_stind_i
+| 224 = @cil_conv_u
+| 65024 = @cil_arglist
+| 65025 = @cil_ceq
+| 65026 = @cil_cgt
+| 65027 = @cil_cgt_un
+| 65028 = @cil_clt
+| 65029 = @cil_clt_un
+| 65030 = @cil_ldftn
+| 65031 = @cil_ldvirtftn
+| 65033 = @cil_ldarg
+| 65034 = @cil_ldarga
+| 65035 = @cil_starg
+| 65036 = @cil_ldloc
+| 65037 = @cil_ldloca
+| 65038 = @cil_stloc
+| 65039 = @cil_localloc
+| 65041 = @cil_endfilter
+| 65042 = @cil_unaligned
+| 65043 = @cil_volatile
+| 65044 = @cil_tail
+| 65045 = @cil_initobj
+| 65046 = @cil_constrained
+| 65047 = @cil_cpblk
+| 65048 = @cil_initblk
+| 65050 = @cil_rethrow
+| 65052 = @cil_sizeof
+| 65053 = @cil_refanytype
+| 65054 = @cil_readonly
+;
+
+// CIL ignored instructions
+
+@cil_ignore = @cil_nop | @cil_break | @cil_volatile | @cil_unaligned;
+
+// CIL local/parameter/field access
+
+@cil_ldarg_any = @cil_ldarg_0 | @cil_ldarg_1 | @cil_ldarg_2 | @cil_ldarg_3 | @cil_ldarg_s | @cil_ldarga_s | @cil_ldarg | @cil_ldarga;
+@cil_starg_any = @cil_starg | @cil_starg_s;
+
+@cil_ldloc_any = @cil_ldloc_0 | @cil_ldloc_1 | @cil_ldloc_2 | @cil_ldloc_3 | @cil_ldloc_s | @cil_ldloca_s | @cil_ldloc | @cil_ldloca;
+@cil_stloc_any = @cil_stloc_0 | @cil_stloc_1 | @cil_stloc_2 | @cil_stloc_3 | @cil_stloc_s | @cil_stloc;
+
+@cil_ldfld_any = @cil_ldfld | @cil_ldsfld | @cil_ldsflda | @cil_ldflda;
+@cil_stfld_any = @cil_stfld | @cil_stsfld;
+
+@cil_local_access = @cil_stloc_any | @cil_ldloc_any;
+@cil_arg_access = @cil_starg_any | @cil_ldarg_any;
+@cil_read_access = @cil_ldloc_any | @cil_ldarg_any | @cil_ldfld_any;
+@cil_write_access = @cil_stloc_any | @cil_starg_any | @cil_stfld_any;
+
+@cil_stack_access = @cil_local_access | @cil_arg_access;
+@cil_field_access = @cil_ldfld_any | @cil_stfld_any;
+
+@cil_access = @cil_read_access | @cil_write_access;
+
+// CIL constant/literal instructions
+
+@cil_ldc_i = @cil_ldc_i4_any | @cil_ldc_i8;
+
+@cil_ldc_i4_any = @cil_ldc_i4_m1 | @cil_ldc_i4_0 | @cil_ldc_i4_1 | @cil_ldc_i4_2 | @cil_ldc_i4_3 |
+  @cil_ldc_i4_4 | @cil_ldc_i4_5 | @cil_ldc_i4_6 | @cil_ldc_i4_7 | @cil_ldc_i4_8 | @cil_ldc_i4_s | @cil_ldc_i4;
+
+@cil_ldc_r = @cil_ldc_r4 | @cil_ldc_r8;
+
+@cil_literal = @cil_ldnull | @cil_ldc_i | @cil_ldc_r | @cil_ldstr;
+
+// Control flow
+
+@cil_conditional_jump = @cil_binary_jump | @cil_unary_jump;
+@cil_binary_jump = @cil_beq_s | @cil_bge_s | @cil_bgt_s | @cil_ble_s | @cil_blt_s |
+    @cil_bne_un_s | @cil_bge_un_s | @cil_bgt_un_s | @cil_ble_un_s | @cil_blt_un_s |
+    @cil_beq | @cil_bge | @cil_bgt | @cil_ble | @cil_blt |
+    @cil_bne_un | @cil_bge_un | @cil_bgt_un | @cil_ble_un | @cil_blt_un;
+@cil_unary_jump = @cil_brfalse_s | @cil_brtrue_s | @cil_brfalse | @cil_brtrue | @cil_switch;
+@cil_unconditional_jump = @cil_br | @cil_br_s | @cil_leave_any;
+@cil_leave_any = @cil_leave | @cil_leave_s;
+@cil_jump = @cil_unconditional_jump | @cil_conditional_jump;
+
+// CIL call instructions
+
+@cil_call_any = @cil_jmp | @cil_call | @cil_calli | @cil_tail | @cil_callvirt | @cil_newobj;
+
+// CIL expression instructions
+
+@cil_expr = @cil_literal | @cil_binary_expr | @cil_unary_expr | @cil_call_any | @cil_read_access |
+  @cil_newarr | @cil_ldtoken | @cil_sizeof |
+  @cil_ldftn | @cil_ldvirtftn | @cil_localloc | @cil_mkrefany | @cil_refanytype | @cil_arglist | @cil_dup;
+
+@cil_unary_expr =
+  @cil_conversion_operation | @cil_unary_arithmetic_operation | @cil_unary_bitwise_operation|
+  @cil_ldlen | @cil_isinst | @cil_box | @cil_ldobj | @cil_castclass | @cil_unbox_any |
+  @cil_ldind | @cil_unbox;
+
+@cil_conversion_operation =
+  @cil_conv_i1 | @cil_conv_i2 | @cil_conv_i4 | @cil_conv_i8 |
+  @cil_conv_u1 | @cil_conv_u2 | @cil_conv_u4 | @cil_conv_u8 |
+  @cil_conv_ovf_i | @cil_conv_ovf_i_un | @cil_conv_ovf_i1 | @cil_conv_ovf_i1_un |
+  @cil_conv_ovf_i2 | @cil_conv_ovf_i2_un | @cil_conv_ovf_i4 | @cil_conv_ovf_i4_un |
+  @cil_conv_ovf_i8 | @cil_conv_ovf_i8_un | @cil_conv_ovf_u | @cil_conv_ovf_u_un |
+  @cil_conv_ovf_u1 | @cil_conv_ovf_u1_un | @cil_conv_ovf_u2 | @cil_conv_ovf_u2_un |
+  @cil_conv_ovf_u4 | @cil_conv_ovf_u4_un | @cil_conv_ovf_u8 | @cil_conv_ovf_u8_un |
+  @cil_conv_r4 | @cil_conv_r8 | @cil_conv_ovf_u2 | @cil_conv_ovf_u2_un |
+  @cil_conv_i | @cil_conv_u | @cil_conv_r_un;
+
+@cil_ldind = @cil_ldind_i | @cil_ldind_i1 | @cil_ldind_i2 | @cil_ldind_i4 | @cil_ldind_i8 |
+  @cil_ldind_r4 | @cil_ldind_r8 | @cil_ldind_ref | @cil_ldind_u1 | @cil_ldind_u2 | @cil_ldind_u4;
+
+@cil_stind = @cil_stind_i | @cil_stind_i1 | @cil_stind_i2 | @cil_stind_i4 | @cil_stind_i8 |
+  @cil_stind_r4 | @cil_stind_r8 | @cil_stind_ref;
+
+@cil_bitwise_operation = @cil_binary_bitwise_operation | @cil_unary_bitwise_operation;
+
+@cil_binary_bitwise_operation = @cil_and | @cil_or | @cil_xor | @cil_shr | @cil_shr | @cil_shr_un | @cil_shl;
+
+@cil_binary_arithmetic_operation = @cil_add | @cil_sub | @cil_mul | @cil_div | @cil_div_un |
+  @cil_rem | @cil_rem_un | @cil_add_ovf | @cil_add_ovf_un | @cil_mul_ovf | @cil_mul_ovf_un |
+  @cil_sub_ovf | @cil_sub_ovf_un;
+
+@cil_unary_bitwise_operation = @cil_not;
+
+@cil_binary_expr = @cil_binary_arithmetic_operation | @cil_binary_bitwise_operation | @cil_read_array | @cil_comparison_operation;
+
+@cil_unary_arithmetic_operation = @cil_neg;
+
+@cil_comparison_operation = @cil_cgt_un | @cil_ceq | @cil_cgt | @cil_clt | @cil_clt_un;
+
+// Elements that retrieve an address of something
+@cil_read_ref = @cil_ldloca_s | @cil_ldarga_s | @cil_ldflda | @cil_ldsflda | @cil_ldelema;
+
+// CIL array instructions
+
+@cil_read_array =
+  @cil_ldelem | @cil_ldelema | @cil_ldelem_i1 | @cil_ldelem_ref | @cil_ldelem_i |
+  @cil_ldelem_i1 | @cil_ldelem_i2 | @cil_ldelem_i4 | @cil_ldelem_i8 | @cil_ldelem_r4 |
+  @cil_ldelem_r8 | @cil_ldelem_u1 | @cil_ldelem_u2 | @cil_ldelem_u4;
+
+@cil_write_array = @cil_stelem | @cil_stelem_ref |
+  @cil_stelem_i | @cil_stelem_i1 | @cil_stelem_i2 | @cil_stelem_i4 | @cil_stelem_i8 |
+  @cil_stelem_r4 | @cil_stelem_r8;
+
+@cil_throw_any = @cil_throw | @cil_rethrow;
+
+#keyset[impl, index]
+cil_instruction(
+  unique int id: @cil_instruction,
+  int opcode: int ref,
+  int index: int ref,
+  int impl: @cil_method_implementation ref);
+
+cil_jump(
+  unique int instruction: @cil_jump ref,
+  int target: @cil_instruction ref);
+
+cil_access(
+  unique int instruction: @cil_instruction ref,
+  int target: @cil_accessible ref);
+
+cil_value(
+  unique int instruction: @cil_literal ref,
+  string value: string ref);
+
+#keyset[instruction, index]
+cil_switch(
+  int instruction: @cil_switch ref,
+  int index: int ref,
+  int target: @cil_instruction ref);
+
+cil_instruction_location(
+  unique int id: @cil_instruction ref,
+  int loc: @location ref);
+
+cil_type_location(
+  int id: @cil_type ref,
+  int loc: @location ref);
+
+cil_method_location(
+  int id: @cil_method ref,
+  int loc: @location ref);
+
+@cil_namespace = @namespace;
+
+@cil_type_container = @cil_type | @cil_namespace | @cil_method;
+
+case @cil_type.kind of
+  0 = @cil_valueorreftype
+| 1 = @cil_typeparameter
+| 2 = @cil_array_type
+| 3 = @cil_pointer_type
+| 4 = @cil_function_pointer_type
+;
+
+cil_type(
+  unique int id: @cil_type,
+  string name: string ref,
+  int kind: int ref,
+  int parent: @cil_type_container ref,
+  int sourceDecl: @cil_type ref);
+
+cil_pointer_type(
+  unique int id: @cil_pointer_type ref,
+  int pointee: @cil_type ref);
+
+cil_array_type(
+  unique int id: @cil_array_type ref,
+  int element_type: @cil_type ref,
+  int rank: int ref);
+
+cil_function_pointer_return_type(
+  unique int id: @cil_function_pointer_type ref,
+  int return_type: @cil_type ref);
+
+cil_method(
+  unique int id: @cil_method,
+  string name: string ref,
+  int parent: @cil_type ref,
+  int return_type: @cil_type ref);
+
+cil_method_source_declaration(
+  unique int method: @cil_method ref,
+  int source: @cil_method ref);
+
+cil_method_implementation(
+  unique int id: @cil_method_implementation,
+  int method: @cil_method ref,
+  int location: @assembly ref);
+
+cil_implements(
+  int id: @cil_method ref,
+  int decl: @cil_method ref);
+
+#keyset[parent, name]
+cil_field(
+  unique int id: @cil_field,
+  int parent: @cil_type ref,
+  string name: string ref,
+  int field_type: @cil_type ref);
+
+@cil_element = @cil_instruction | @cil_declaration | @cil_handler | @cil_attribute | @cil_namespace;
+@cil_named_element = @cil_declaration | @cil_namespace;
+@cil_declaration = @cil_variable | @cil_method | @cil_type | @cil_member;
+@cil_accessible = @cil_declaration;
+@cil_variable = @cil_field | @cil_stack_variable;
+@cil_stack_variable = @cil_local_variable | @cil_parameter;
+@cil_member = @cil_method | @cil_type | @cil_field | @cil_property | @cil_event;
+@cil_custom_modifier_receiver = @cil_method | @cil_property | @cil_parameter | @cil_field | @cil_function_pointer_type;
+@cil_parameterizable = @cil_method | @cil_function_pointer_type;
+@cil_has_type_annotation = @cil_stack_variable | @cil_property | @cil_method | @cil_function_pointer_type;
+
+#keyset[parameterizable, index]
+cil_parameter(
+  unique int id: @cil_parameter,
+  int parameterizable: @cil_parameterizable ref,
+  int index: int ref,
+  int param_type: @cil_type ref);
+
+cil_parameter_in(unique int id: @cil_parameter ref);
+cil_parameter_out(unique int id: @cil_parameter ref);
+
+cil_setter(unique int prop: @cil_property ref,
+  int method: @cil_method ref);
+
+#keyset[id, modifier]
+cil_custom_modifiers(
+  int id: @cil_custom_modifier_receiver ref,
+  int modifier: @cil_type ref,
+  int kind: int ref); // modreq: 1, modopt: 0
+
+cil_type_annotation(
+  int id: @cil_has_type_annotation ref,
+  int annotation: int ref);
+
+cil_getter(unique int prop: @cil_property ref,
+  int method: @cil_method ref);
+
+cil_adder(unique int event: @cil_event ref,
+  int method: @cil_method ref);
+
+cil_remover(unique int event: @cil_event ref, int method: @cil_method ref);
+
+cil_raiser(unique int event: @cil_event ref, int method: @cil_method ref);
+
+cil_property(
+  unique int id: @cil_property,
+  int parent: @cil_type ref,
+  string name: string ref,
+  int property_type: @cil_type ref);
+
+#keyset[parent, name]
+cil_event(unique int id: @cil_event,
+  int parent: @cil_type ref,
+  string name: string ref,
+  int event_type: @cil_type ref);
+
+#keyset[impl, index]
+cil_local_variable(
+  unique int id: @cil_local_variable,
+  int impl: @cil_method_implementation ref,
+  int index: int ref,
+  int var_type: @cil_type ref);
+
+cil_function_pointer_calling_conventions(
+  int id: @cil_function_pointer_type ref,
+  int kind: int ref);
+
+// CIL handlers (exception handlers etc).
+
+case @cil_handler.kind of
+  0 = @cil_catch_handler
+| 1 = @cil_filter_handler
+| 2 = @cil_finally_handler
+| 4 = @cil_fault_handler
+;
+
+#keyset[impl, index]
+cil_handler(
+  unique int id: @cil_handler,
+  int impl: @cil_method_implementation ref,
+  int index: int ref,
+  int kind: int ref,
+  int try_start: @cil_instruction ref,
+  int try_end: @cil_instruction ref,
+  int handler_start: @cil_instruction ref);
+
+cil_handler_filter(
+  unique int id: @cil_handler ref,
+  int filter_start: @cil_instruction ref);
+
+cil_handler_type(
+  unique int id: @cil_handler ref,
+  int catch_type: @cil_type ref);
+
+@cil_controlflow_node = @cil_entry_point | @cil_instruction;
+
+@cil_entry_point = @cil_method_implementation | @cil_handler;
+
+@cil_dataflow_node = @cil_instruction | @cil_variable | @cil_method;
+
+cil_method_stack_size(
+  unique int method: @cil_method_implementation ref,
+  int size: int ref);
+
+// CIL modifiers
+
+cil_public(int id: @cil_member ref);
+cil_private(int id: @cil_member ref);
+cil_protected(int id: @cil_member ref);
+cil_internal(int id: @cil_member ref);
+cil_static(int id: @cil_member ref);
+cil_sealed(int id: @cil_member ref);
+cil_virtual(int id: @cil_method ref);
+cil_abstract(int id: @cil_member ref);
+cil_class(int id: @cil_type ref);
+cil_interface(int id: @cil_type ref);
+cil_security(int id: @cil_member ref);
+cil_requiresecobject(int id: @cil_method ref);
+cil_specialname(int id: @cil_method ref);
+cil_newslot(int id: @cil_method ref);
+
+cil_base_class(unique int id: @cil_type ref, int base: @cil_type ref);
+cil_base_interface(int id: @cil_type ref, int base: @cil_type ref);
+cil_enum_underlying_type(unique int id: @cil_type ref, int underlying: @cil_type ref);
+
+#keyset[unbound, index]
+cil_type_parameter(
+  int unbound: @cil_member ref,
+  int index: int ref,
+  int param: @cil_typeparameter ref);
+
+#keyset[bound, index]
+cil_type_argument(
+  int bound: @cil_member ref,
+  int index: int ref,
+  int t: @cil_type ref);
+
+// CIL type parameter constraints
+
+cil_typeparam_covariant(int tp: @cil_typeparameter ref);
+cil_typeparam_contravariant(int tp: @cil_typeparameter ref);
+cil_typeparam_class(int tp: @cil_typeparameter ref);
+cil_typeparam_struct(int tp: @cil_typeparameter ref);
+cil_typeparam_new(int tp: @cil_typeparameter ref);
+cil_typeparam_constraint(int tp: @cil_typeparameter ref, int supertype: @cil_type ref);
+
+// CIL attributes
+
+cil_attribute(
+  unique int attributeid: @cil_attribute,
+  int element: @cil_declaration ref,
+  int constructor: @cil_method ref);
+
+#keyset[attribute_id, param]
+cil_attribute_named_argument(
+  int attribute_id: @cil_attribute ref,
+  string param: string ref,
+  string value: string ref);
+
+#keyset[attribute_id, index]
+cil_attribute_positional_argument(
+  int attribute_id: @cil_attribute ref,
+  int index: int ref,
+  string value: string ref);
+
+
+// Common .Net data model covering both C# and CIL
+
+// Common elements
+@dotnet_element = @element | @cil_element;
+@dotnet_named_element = @named_element | @cil_named_element;
+@dotnet_callable = @callable | @cil_method;
+@dotnet_variable = @variable | @cil_variable;
+@dotnet_field = @field | @cil_field;
+@dotnet_parameter = @parameter | @cil_parameter;
+@dotnet_declaration = @declaration | @cil_declaration;
+@dotnet_member = @member | @cil_member;
+@dotnet_event = @event | @cil_event;
+@dotnet_property = @property | @cil_property | @indexer;
+@dotnet_parameterizable = @parameterizable | @cil_parameterizable;
+
+// Common types
+@dotnet_type = @type | @cil_type;
+@dotnet_call = @call | @cil_call_any;
+@dotnet_throw = @throw_element | @cil_throw_any;
+@dotnet_valueorreftype = @cil_valueorreftype | @value_or_ref_type | @cil_array_type | @void_type;
+@dotnet_typeparameter = @type_parameter | @cil_typeparameter;
+@dotnet_array_type = @array_type | @cil_array_type;
+@dotnet_pointer_type = @pointer_type | @cil_pointer_type;
+@dotnet_type_parameter = @type_parameter | @cil_typeparameter;
+@dotnet_generic = @dotnet_valueorreftype | @dotnet_callable;
+
+// Attributes
+@dotnet_attribute = @attribute | @cil_attribute;
+
+// Expressions
+@dotnet_expr = @expr | @cil_expr;
+
+// Literals
+@dotnet_literal = @literal_expr | @cil_literal;
+@dotnet_string_literal = @string_literal_expr | @cil_ldstr;
+@dotnet_int_literal = @integer_literal_expr | @cil_ldc_i;
+@dotnet_float_literal = @float_literal_expr | @cil_ldc_r;
+@dotnet_null_literal = @null_literal_expr | @cil_ldnull;
+
+@metadata_entity = @cil_method | @cil_type | @cil_field | @cil_property | @field | @property |
+    @callable | @value_or_ref_type | @void_type;
+
+#keyset[entity, location]
+metadata_handle(int entity : @metadata_entity ref, int location: @assembly ref, int handle: int ref)
diff --git a/csharp/upgrades/efcd69e086a26dd33395f2ddb3113b2849399040/semmlecode.csharp.dbscheme b/csharp/upgrades/efcd69e086a26dd33395f2ddb3113b2849399040/semmlecode.csharp.dbscheme
new file mode 100644
index 00000000000..68db341c2ed
--- /dev/null
+++ b/csharp/upgrades/efcd69e086a26dd33395f2ddb3113b2849399040/semmlecode.csharp.dbscheme
@@ -0,0 +1,2070 @@
+
+/**
+ * An invocation of the compiler. Note that more than one file may be
+ * compiled per invocation. For example, this command compiles three
+ * source files:
+ *
+ *   csc f1.cs f2.cs f3.cs
+ *
+ * The `id` simply identifies the invocation, while `cwd` is the working
+ * directory from which the compiler was invoked.
+ */
+compilations(
+    unique int id : @compilation,
+    string cwd : string ref
+);
+
+/**
+ * The arguments that were passed to the extractor for a compiler
+ * invocation. If `id` is for the compiler invocation
+ *
+ *   csc f1.cs f2.cs f3.cs
+ *
+ * then typically there will be rows for
+ *
+ * num | arg
+ * --- | ---
+ * 0   | --compiler
+ * 1   | *path to compiler*
+ * 2   | --cil
+ * 3   | f1.cs
+ * 4   | f2.cs
+ * 5   | f3.cs
+ */
+#keyset[id, num]
+compilation_args(
+    int id : @compilation ref,
+    int num : int ref,
+    string arg : string ref
+);
+
+/**
+ * The source files that are compiled by a compiler invocation.
+ * If `id` is for the compiler invocation
+ *
+ *   csc f1.cs f2.cs f3.cs
+ *
+ * then there will be rows for
+ *
+ * num | arg
+ * --- | ---
+ * 0   | f1.cs
+ * 1   | f2.cs
+ * 2   | f3.cs
+ */
+#keyset[id, num]
+compilation_compiling_files(
+    int id : @compilation ref,
+    int num : int ref,
+    int file : @file ref
+);
+
+/**
+ * The references used by a compiler invocation.
+ * If `id` is for the compiler invocation
+ *
+ *   csc f1.cs f2.cs f3.cs /r:ref1.dll /r:ref2.dll /r:ref3.dll
+ *
+ * then there will be rows for
+ *
+ * num | arg
+ * --- | ---
+ * 0   | ref1.dll
+ * 1   | ref2.dll
+ * 2   | ref3.dll
+ */
+#keyset[id, num]
+compilation_referencing_files(
+    int id : @compilation ref,
+    int num : int ref,
+    int file : @file ref
+);
+
+/**
+ * The time taken by the extractor for a compiler invocation.
+ *
+ * For each file `num`, there will be rows for
+ *
+ * kind | seconds
+ * ---- | ---
+ * 1    | CPU seconds used by the extractor frontend
+ * 2    | Elapsed seconds during the extractor frontend
+ * 3    | CPU seconds used by the extractor backend
+ * 4    | Elapsed seconds during the extractor backend
+ */
+#keyset[id, num, kind]
+compilation_time(
+    int id : @compilation ref,
+    int num : int ref,
+    /* kind:
+       1 = frontend_cpu_seconds
+       2 = frontend_elapsed_seconds
+       3 = extractor_cpu_seconds
+       4 = extractor_elapsed_seconds
+    */
+    int kind : int ref,
+    float seconds : float ref
+);
+
+/**
+ * An error or warning generated by the extractor.
+ * The diagnostic message `diagnostic` was generated during compiler
+ * invocation `compilation`, and is the `file_number_diagnostic_number`th
+ * message generated while extracting the `file_number`th file of that
+ * invocation.
+ */
+#keyset[compilation, file_number, file_number_diagnostic_number]
+diagnostic_for(
+    unique int diagnostic : @diagnostic ref,
+    int compilation : @compilation ref,
+    int file_number : int ref,
+    int file_number_diagnostic_number : int ref
+);
+
+diagnostics(
+    unique int id: @diagnostic,
+    int severity: int ref,
+    string error_tag: string ref,
+    string error_message: string ref,
+    string full_error_message: string ref,
+    int location: @location_default ref
+);
+
+extractor_messages(
+    unique int id: @extractor_message,
+    int severity: int ref,
+    string origin : string ref,
+    string text : string ref,
+    string entity : string ref,
+    int location: @location_default ref,
+    string stack_trace : string ref
+);
+
+/**
+ * If extraction was successful, then `cpu_seconds` and
+ * `elapsed_seconds` are the CPU time and elapsed time (respectively)
+ * that extraction took for compiler invocation `id`.
+ */
+compilation_finished(
+    unique int id : @compilation ref,
+    float cpu_seconds : float ref,
+    float elapsed_seconds : float ref
+);
+
+compilation_assembly(
+  unique int id : @compilation ref,
+  int assembly: @assembly ref
+)
+
+/*
+ * External artifacts
+ */
+
+externalDefects(
+  unique int id: @externalDefect,
+  string queryPath: string ref,
+  int location: @location ref,
+  string message: string ref,
+  float severity: float ref);
+
+externalMetrics(
+  unique int id: @externalMetric,
+  string queryPath: string ref,
+  int location: @location ref,
+  float value: float ref);
+
+externalData(
+  int id: @externalDataElement,
+  string path: string ref,
+  int column: int ref,
+  string value: string ref);
+
+snapshotDate(
+  unique date snapshotDate: date ref);
+
+sourceLocationPrefix(
+  string prefix: string ref);
+
+/*
+ * Duplicate code
+ */
+
+duplicateCode(
+  unique int id: @duplication,
+  string relativePath: string ref,
+  int equivClass: int ref);
+
+similarCode(
+  unique int id: @similarity,
+  string relativePath: string ref,
+  int equivClass: int ref);
+
+@duplication_or_similarity = @duplication | @similarity
+
+tokens(
+  int id: @duplication_or_similarity ref,
+  int offset: int ref,
+  int beginLine: int ref,
+  int beginColumn: int ref,
+  int endLine: int ref,
+  int endColumn: int ref);
+
+/*
+ * C# dbscheme
+ */
+
+/** ELEMENTS **/
+
+@element = @declaration | @stmt | @expr | @modifier | @attribute | @namespace_declaration
+         | @using_directive | @type_parameter_constraints | @external_element
+         | @xmllocatable | @asp_element | @namespace | @preprocessor_directive;
+
+@declaration = @callable | @generic | @assignable | @namespace;
+
+@named_element = @namespace | @declaration;
+
+@declaration_with_accessors = @property | @indexer | @event;
+
+@assignable = @variable | @assignable_with_accessors | @event;
+
+@assignable_with_accessors = @property | @indexer;
+
+@external_element = @externalMetric | @externalDefect | @externalDataElement;
+
+@attributable = @assembly | @field | @parameter | @operator | @method | @constructor
+              | @destructor | @callable_accessor | @value_or_ref_type | @declaration_with_accessors
+              | @local_function;
+
+/** LOCATIONS, ASEMMBLIES, MODULES, FILES and FOLDERS **/
+
+@location = @location_default | @assembly;
+
+locations_default(
+  unique int id: @location_default,
+  int file: @file ref,
+  int beginLine: int ref,
+  int beginColumn: int ref,
+  int endLine: int ref,
+  int endColumn: int ref);
+
+locations_mapped(
+  unique int id: @location_default ref,
+  int mapped_to: @location_default ref);
+
+@sourceline = @file | @callable | @xmllocatable;
+
+numlines(
+  int element_id: @sourceline ref,
+  int num_lines: int ref,
+  int num_code: int ref,
+  int num_comment: int ref);
+
+assemblies(
+  unique int id: @assembly,
+  int file: @file ref,
+  string fullname: string ref,
+  string name: string ref,
+  string version: string ref);
+
+/*
+  fromSource(0) = unknown,
+  fromSource(1) = from source,
+  fromSource(2) = from library
+*/
+files(
+  unique int id: @file,
+  string name: string ref,
+  string simple: string ref,
+  string ext: string ref,
+  int fromSource: int ref);
+
+folders(
+  unique int id: @folder,
+  string name: string ref,
+  string simple: string ref);
+
+@container = @folder | @file ;
+
+containerparent(
+  int parent: @container ref,
+  unique int child: @container ref);
+
+file_extraction_mode(
+  unique int file: @file ref,
+  int mode: int ref
+  /* 0 = normal, 1 = standalone extractor */
+  );
+
+/** NAMESPACES **/
+
+@type_container = @namespace | @type;
+
+namespaces(
+  unique int id: @namespace,
+  string name: string ref);
+
+namespace_declarations(
+  unique int id: @namespace_declaration,
+  int namespace_id: @namespace ref);
+
+namespace_declaration_location(
+  unique int id: @namespace_declaration ref,
+  int loc: @location ref);
+
+parent_namespace(
+  unique int child_id: @type_container ref,
+  int namespace_id: @namespace ref);
+
+@declaration_or_directive = @namespace_declaration | @type | @using_directive;
+
+parent_namespace_declaration(
+  int child_id: @declaration_or_directive ref, // cannot be unique because of partial classes
+  int namespace_id: @namespace_declaration ref);
+
+@using_directive = @using_namespace_directive | @using_static_directive;
+
+using_namespace_directives(
+  unique int id: @using_namespace_directive,
+  int namespace_id: @namespace ref);
+
+using_static_directives(
+  unique int id: @using_static_directive,
+  int type_id: @type_or_ref ref);
+
+using_directive_location(
+  unique int id: @using_directive ref,
+  int loc: @location ref);
+
+@preprocessor_directive = @pragma_warning | @pragma_checksum | @directive_define | @directive_undefine | @directive_warning
+  | @directive_error | @directive_nullable | @directive_line | @directive_region | @directive_endregion | @directive_if
+  | @directive_elif | @directive_else | @directive_endif;
+
+@conditional_directive = @directive_if | @directive_elif;
+@branch_directive = @directive_if | @directive_elif | @directive_else;
+
+directive_ifs(
+  unique int id: @directive_if,
+  int branchTaken: int ref,     /* 0: false, 1: true */
+  int conditionValue: int ref); /* 0: false, 1: true */
+
+directive_elifs(
+  unique int id: @directive_elif,
+  int branchTaken: int ref,     /* 0: false, 1: true */
+  int conditionValue: int ref,  /* 0: false, 1: true */
+  int parent: @directive_if ref,
+  int index: int ref);
+
+directive_elses(
+  unique int id: @directive_else,
+  int branchTaken: int ref,   /* 0: false, 1: true */
+  int parent: @directive_if ref,
+  int index: int ref);
+
+#keyset[id, start]
+directive_endifs(
+  unique int id: @directive_endif,
+  unique int start: @directive_if ref);
+
+directive_define_symbols(
+  unique int id: @define_symbol_expr ref,
+  string name: string ref);
+
+directive_regions(
+  unique int id: @directive_region,
+  string name: string ref);
+
+#keyset[id, start]
+directive_endregions(
+  unique int id: @directive_endregion,
+  unique int start: @directive_region ref);
+
+directive_lines(
+  unique int id: @directive_line,
+  int kind: int ref); /* 0: default, 1: hidden, 2: numeric */
+
+directive_line_value(
+  unique int id: @directive_line ref,
+  int line: int ref);
+
+directive_line_file(
+  unique int id: @directive_line ref,
+  int file: @file ref
+)
+
+directive_nullables(
+  unique int id: @directive_nullable,
+  int setting: int ref, /* 0: disable, 1: enable, 2: restore */
+  int target: int ref); /* 0: none, 1: annotations, 2: warnings */
+
+directive_warnings(
+  unique int id: @directive_warning,
+  string message: string ref);
+
+directive_errors(
+  unique int id: @directive_error,
+  string message: string ref);
+
+directive_undefines(
+  unique int id: @directive_undefine,
+  string name: string ref);
+
+directive_defines(
+  unique int id: @directive_define,
+  string name: string ref);
+
+pragma_checksums(
+  unique int id: @pragma_checksum,
+  int file: @file ref,
+  string guid: string ref,
+  string bytes: string ref);
+
+pragma_warnings(
+  unique int id: @pragma_warning,
+  int kind: int ref /* 0 = disable, 1 = restore */);
+
+#keyset[id, index]
+pragma_warning_error_codes(
+  int id: @pragma_warning ref,
+  string errorCode: string ref,
+  int index: int ref);
+
+preprocessor_directive_location(
+  unique int id: @preprocessor_directive ref,
+  int loc: @location ref);
+
+preprocessor_directive_compilation(
+  unique int id: @preprocessor_directive ref,
+  int compilation: @compilation ref);
+
+preprocessor_directive_active(
+  unique int id: @preprocessor_directive ref,
+  int active: int ref);  /* 0: false, 1: true */
+
+/** TYPES **/
+
+types(
+  unique int id: @type,
+  int kind: int ref,
+  string name: string ref);
+
+case @type.kind of
+   1 = @bool_type
+|  2 = @char_type
+|  3 = @decimal_type
+|  4 = @sbyte_type
+|  5 = @short_type
+|  6 = @int_type
+|  7 = @long_type
+|  8 = @byte_type
+|  9 = @ushort_type
+| 10 = @uint_type
+| 11 = @ulong_type
+| 12 = @float_type
+| 13 = @double_type
+| 14 = @enum_type
+| 15 = @struct_type
+| 17 = @class_type
+| 19 = @interface_type
+| 20 = @delegate_type
+| 21 = @null_type
+| 22 = @type_parameter
+| 23 = @pointer_type
+| 24 = @nullable_type
+| 25 = @array_type
+| 26 = @void_type
+| 27 = @int_ptr_type
+| 28 = @uint_ptr_type
+| 29 = @dynamic_type
+| 30 = @arglist_type
+| 31 = @unknown_type
+| 32 = @tuple_type
+| 33 = @function_pointer_type
+  ;
+
+@simple_type = @bool_type | @char_type | @integral_type | @floating_point_type | @decimal_type;
+@integral_type = @signed_integral_type | @unsigned_integral_type;
+@signed_integral_type = @sbyte_type | @short_type | @int_type | @long_type;
+@unsigned_integral_type = @byte_type  | @ushort_type | @uint_type | @ulong_type;
+@floating_point_type = @float_type | @double_type;
+@value_type = @simple_type | @enum_type | @struct_type | @nullable_type | @int_ptr_type
+            | @uint_ptr_type | @tuple_type;
+@ref_type = @class_type | @interface_type | @array_type | @delegate_type | @null_type
+          | @dynamic_type;
+@value_or_ref_type = @value_type | @ref_type;
+
+typerefs(
+  unique int id: @typeref,
+  string name: string ref);
+
+typeref_type(
+  int id: @typeref ref,
+  unique int typeId: @type ref);
+
+@type_or_ref = @type | @typeref;
+
+array_element_type(
+  unique int array: @array_type ref,
+  int dimension: int ref,
+  int rank: int ref,
+  int element: @type_or_ref ref);
+
+nullable_underlying_type(
+  unique int nullable: @nullable_type ref,
+  int underlying: @type_or_ref ref);
+
+pointer_referent_type(
+  unique int pointer: @pointer_type ref,
+  int referent: @type_or_ref ref);
+
+enum_underlying_type(
+  unique int enum_id: @enum_type ref,
+  int underlying_type_id: @type_or_ref ref);
+
+delegate_return_type(
+  unique int delegate_id: @delegate_type ref,
+  int return_type_id: @type_or_ref ref);
+
+function_pointer_return_type(
+    unique int function_pointer_id: @function_pointer_type ref,
+    int return_type_id: @type_or_ref ref);
+
+extend(
+  unique int sub: @type ref,
+  int super: @type_or_ref ref);
+
+anonymous_types(
+  unique int id: @type ref);
+
+@interface_or_ref = @interface_type | @typeref;
+
+implement(
+  int sub: @type ref,
+  int super: @type_or_ref ref);
+
+type_location(
+  int id: @type ref,
+  int loc: @location ref);
+
+tuple_underlying_type(
+  unique int tuple: @tuple_type ref,
+  int struct: @type_or_ref ref);
+
+#keyset[tuple, index]
+tuple_element(
+  int tuple: @tuple_type ref,
+  int index: int ref,
+  unique int field: @field ref);
+
+attributes(
+  unique int id: @attribute,
+  int type_id: @type_or_ref ref,
+  int target:  @attributable ref);
+
+attribute_location(
+  int id: @attribute ref,
+  int loc: @location ref);
+
+@type_mention_parent = @element | @type_mention;
+
+type_mention(
+  unique int id: @type_mention,
+  int type_id: @type_or_ref ref,
+  int parent: @type_mention_parent ref);
+
+type_mention_location(
+  unique int id: @type_mention ref,
+  int loc: @location ref);
+
+@has_type_annotation = @assignable | @type_parameter | @callable | @expr | @delegate_type | @generic | @function_pointer_type;
+
+/**
+ * A direct annotation on an entity, for example `string? x;`.
+ *
+ * Annotations:
+ * 2 = reftype is not annotated "!"
+ * 3 = reftype is annotated "?"
+ * 4 = readonly ref type / in parameter
+ * 5 = ref type parameter, return or local variable
+ * 6 = out parameter
+ *
+ * Note that the annotation depends on the element it annotates.
+ * @assignable: The annotation is on the type of the assignable, for example the variable type.
+ * @type_parameter: The annotation is on the reftype constraint
+ * @callable: The annotation is on the return type
+ * @array_type: The annotation is on the element type
+ */
+type_annotation(int id: @has_type_annotation ref, int annotation: int ref);
+
+nullability(unique int nullability: @nullability, int kind: int ref);
+
+case @nullability.kind of
+  0 = @oblivious
+| 1 = @not_annotated
+| 2 = @annotated
+;
+
+#keyset[parent, index]
+nullability_parent(int nullability: @nullability ref, int index: int ref, int parent: @nullability ref)
+
+type_nullability(int id: @has_type_annotation ref, int nullability: @nullability ref);
+
+/**
+ * The nullable flow state of an expression, as determined by Roslyn.
+ *   0 = none (default, not populated)
+ *   1 = not null
+ *   2 = maybe null
+ */
+expr_flowstate(unique int id: @expr ref, int state: int ref);
+
+/** GENERICS **/
+
+@generic = @type | @method | @local_function;
+
+type_parameters(
+  unique int id: @type_parameter ref,
+  int index: int ref,
+  int generic_id: @generic ref,
+  int variance: int ref /* none = 0, out = 1, in = 2 */);
+
+#keyset[constructed_id, index]
+type_arguments(
+  int id: @type_or_ref ref,
+  int index: int ref,
+  int constructed_id: @generic_or_ref ref);
+
+@generic_or_ref = @generic | @typeref;
+
+constructed_generic(
+  unique int constructed: @generic ref,
+  int generic: @generic_or_ref ref);
+
+type_parameter_constraints(
+  unique int id: @type_parameter_constraints,
+  int param_id: @type_parameter ref);
+
+type_parameter_constraints_location(
+  int id: @type_parameter_constraints ref,
+  int loc: @location ref);
+
+general_type_parameter_constraints(
+  int id: @type_parameter_constraints ref,
+  int kind: int ref /* class = 1, struct = 2, new = 3 */);
+
+specific_type_parameter_constraints(
+  int id: @type_parameter_constraints ref,
+  int base_id: @type_or_ref ref);
+
+specific_type_parameter_nullability(
+  int id: @type_parameter_constraints ref,
+  int base_id: @type_or_ref ref,
+  int nullability: @nullability ref);
+
+/** FUNCTION POINTERS */
+
+function_pointer_calling_conventions(
+  int id: @function_pointer_type ref,
+  int kind: int ref);
+
+#keyset[id, index]
+has_unmanaged_calling_conventions(
+  int id: @function_pointer_type ref,
+  int index: int ref,
+  int conv_id: @type_or_ref ref);
+
+/** MODIFIERS */
+
+@modifiable = @modifiable_direct | @event_accessor;
+
+@modifiable_direct = @member | @accessor | @local_function | @anonymous_function_expr;
+
+modifiers(
+  unique int id: @modifier,
+  string name: string ref);
+
+has_modifiers(
+  int id: @modifiable_direct ref,
+  int mod_id: @modifier ref);
+
+compiler_generated(unique int id: @modifiable_direct ref);
+
+/** MEMBERS **/
+
+@member = @method | @constructor | @destructor | @field | @property | @event | @operator | @indexer | @type;
+
+@named_exprorstmt = @goto_stmt | @labeled_stmt | @expr;
+
+@virtualizable = @method | @property | @indexer | @event;
+
+exprorstmt_name(
+  unique int parent_id: @named_exprorstmt ref,
+  string name: string ref);
+
+nested_types(
+  unique int id: @type ref,
+  int declaring_type_id: @type ref,
+  int unbound_id: @type ref);
+
+properties(
+  unique int id: @property,
+  string name: string ref,
+  int declaring_type_id: @type ref,
+  int type_id: @type_or_ref ref,
+  int unbound_id: @property ref);
+
+property_location(
+  int id: @property ref,
+  int loc: @location ref);
+
+indexers(
+  unique int id: @indexer,
+  string name: string ref,
+  int declaring_type_id: @type ref,
+  int type_id: @type_or_ref ref,
+  int unbound_id: @indexer ref);
+
+indexer_location(
+  int id: @indexer ref,
+  int loc: @location ref);
+
+accessors(
+  unique int id: @accessor,
+  int kind: int ref,
+  string name: string ref,
+  int declaring_member_id: @member ref,
+  int unbound_id: @accessor ref);
+
+case @accessor.kind of
+  1 = @getter
+| 2 = @setter
+  ;
+
+init_only_accessors(
+  unique int id: @accessor ref);
+
+accessor_location(
+  int id: @accessor ref,
+  int loc: @location ref);
+
+events(
+  unique int id: @event,
+  string name: string ref,
+  int declaring_type_id: @type ref,
+  int type_id: @type_or_ref ref,
+  int unbound_id: @event ref);
+
+event_location(
+  int id: @event ref,
+  int loc: @location ref);
+
+event_accessors(
+  unique int id: @event_accessor,
+  int kind: int ref,
+  string name: string ref,
+  int declaring_event_id: @event ref,
+  int unbound_id: @event_accessor ref);
+
+case @event_accessor.kind of
+  1 = @add_event_accessor
+| 2 = @remove_event_accessor
+  ;
+
+event_accessor_location(
+  int id: @event_accessor ref,
+  int loc: @location ref);
+
+operators(
+  unique int id: @operator,
+  string name: string ref,
+  string symbol: string ref,
+  int declaring_type_id: @type ref,
+  int type_id: @type_or_ref ref,
+  int unbound_id: @operator ref);
+
+operator_location(
+  int id: @operator ref,
+  int loc: @location ref);
+
+constant_value(
+  int id: @variable ref,
+  string value: string ref);
+
+/** CALLABLES **/
+
+@callable = @method | @constructor | @destructor | @operator | @callable_accessor | @anonymous_function_expr | @local_function;
+
+@callable_accessor = @accessor | @event_accessor;
+
+methods(
+  unique int id: @method,
+  string name: string ref,
+  int declaring_type_id: @type ref,
+  int type_id: @type_or_ref ref,
+  int unbound_id: @method ref);
+
+method_location(
+  int id: @method ref,
+  int loc: @location ref);
+
+constructors(
+  unique int id: @constructor,
+  string name: string ref,
+  int declaring_type_id: @type ref,
+  int unbound_id: @constructor ref);
+
+constructor_location(
+  int id: @constructor ref,
+  int loc: @location ref);
+
+destructors(
+  unique int id: @destructor,
+  string name: string ref,
+  int declaring_type_id: @type ref,
+  int unbound_id: @destructor ref);
+
+destructor_location(
+  int id: @destructor ref,
+  int loc: @location ref);
+
+overrides(
+  int id: @callable ref,
+  int base_id: @callable ref);
+
+explicitly_implements(
+  int id: @member ref,
+  int interface_id: @interface_or_ref ref);
+
+local_functions(
+    unique int id: @local_function,
+    string name: string ref,
+    int return_type: @type ref,
+    int unbound_id: @local_function ref);
+
+local_function_stmts(
+    unique int fn: @local_function_stmt ref,
+    int stmt: @local_function ref);
+
+/** VARIABLES **/
+
+@variable = @local_scope_variable | @field;
+
+@local_scope_variable = @local_variable | @parameter;
+
+fields(
+  unique int id: @field,
+  int kind: int ref,
+  string name: string ref,
+  int declaring_type_id: @type ref,
+  int type_id: @type_or_ref ref,
+  int unbound_id: @field ref);
+
+case @field.kind of
+  1 = @addressable_field
+| 2 = @constant
+  ;
+
+field_location(
+  int id: @field ref,
+  int loc: @location ref);
+
+localvars(
+  unique int id: @local_variable,
+  int kind: int ref,
+  string name: string ref,
+  int implicitly_typed: int ref /* 0 = no, 1 = yes */,
+  int type_id: @type_or_ref ref,
+  int parent_id: @local_var_decl_expr ref);
+
+case @local_variable.kind of
+  1 = @addressable_local_variable
+| 2 = @local_constant
+| 3 = @local_variable_ref
+  ;
+
+localvar_location(
+  unique int id: @local_variable ref,
+  int loc: @location ref);
+
+@parameterizable = @callable | @delegate_type | @indexer | @function_pointer_type;
+
+#keyset[name, parent_id]
+#keyset[index, parent_id]
+params(
+  unique int id: @parameter,
+  string name: string ref,
+  int type_id: @type_or_ref ref,
+  int index: int ref,
+  int mode: int ref, /* value = 0, ref = 1, out = 2, array = 3, this = 4 */
+  int parent_id: @parameterizable ref,
+  int unbound_id: @parameter ref);
+
+param_location(
+  int id: @parameter ref,
+  int loc: @location ref);
+
+/** STATEMENTS **/
+
+@exprorstmt_parent = @control_flow_element | @top_level_exprorstmt_parent;
+
+statements(
+  unique int id: @stmt,
+  int kind: int ref);
+
+#keyset[index, parent]
+stmt_parent(
+  unique int stmt: @stmt ref,
+  int index: int ref,
+  int parent: @control_flow_element ref);
+
+@top_level_stmt_parent = @callable;
+
+// [index, parent] is not a keyset because the same parent may be compiled multiple times
+stmt_parent_top_level(
+  unique int stmt: @stmt ref,
+  int index: int ref,
+  int parent: @top_level_stmt_parent ref);
+
+case @stmt.kind of
+   1 = @block_stmt
+|  2 = @expr_stmt
+|  3 = @if_stmt
+|  4 = @switch_stmt
+|  5 = @while_stmt
+|  6 = @do_stmt
+|  7 = @for_stmt
+|  8 = @foreach_stmt
+|  9 = @break_stmt
+| 10 = @continue_stmt
+| 11 = @goto_stmt
+| 12 = @goto_case_stmt
+| 13 = @goto_default_stmt
+| 14 = @throw_stmt
+| 15 = @return_stmt
+| 16 = @yield_stmt
+| 17 = @try_stmt
+| 18 = @checked_stmt
+| 19 = @unchecked_stmt
+| 20 = @lock_stmt
+| 21 = @using_block_stmt
+| 22 = @var_decl_stmt
+| 23 = @const_decl_stmt
+| 24 = @empty_stmt
+| 25 = @unsafe_stmt
+| 26 = @fixed_stmt
+| 27 = @label_stmt
+| 28 = @catch
+| 29 = @case_stmt
+| 30 = @local_function_stmt
+| 31 = @using_decl_stmt
+  ;
+
+@using_stmt = @using_block_stmt | @using_decl_stmt;
+
+@labeled_stmt = @label_stmt | @case;
+
+@decl_stmt = @var_decl_stmt | @const_decl_stmt | @using_decl_stmt;
+
+@cond_stmt = @if_stmt | @switch_stmt;
+
+@loop_stmt = @while_stmt | @do_stmt | @for_stmt | @foreach_stmt;
+
+@jump_stmt = @break_stmt | @goto_any_stmt | @continue_stmt | @throw_stmt | @return_stmt
+           | @yield_stmt;
+
+@goto_any_stmt = @goto_default_stmt | @goto_case_stmt | @goto_stmt;
+
+
+stmt_location(
+  unique int id: @stmt ref,
+  int loc: @location ref);
+
+catch_type(
+  unique int catch_id: @catch ref,
+  int type_id: @type_or_ref ref,
+  int kind: int ref /* explicit = 1, implicit = 2 */);
+
+/** EXPRESSIONS **/
+
+expressions(
+  unique int id: @expr,
+  int kind: int ref,
+  int type_id: @type_or_ref ref);
+
+#keyset[index, parent]
+expr_parent(
+  unique int expr: @expr ref,
+  int index: int ref,
+  int parent: @control_flow_element ref);
+
+@top_level_expr_parent = @attribute | @field | @property | @indexer | @parameter | @directive_if | @directive_elif;
+
+@top_level_exprorstmt_parent = @top_level_expr_parent | @top_level_stmt_parent;
+
+// [index, parent] is not a keyset because the same parent may be compiled multiple times
+expr_parent_top_level(
+  unique int expr: @expr ref,
+  int index: int ref,
+  int parent: @top_level_exprorstmt_parent ref);
+
+case @expr.kind of
+/* literal */
+   1 = @bool_literal_expr
+|  2 = @char_literal_expr
+|  3 = @decimal_literal_expr
+|  4 = @int_literal_expr
+|  5 = @long_literal_expr
+|  6 = @uint_literal_expr
+|  7 = @ulong_literal_expr
+|  8 = @float_literal_expr
+|  9 = @double_literal_expr
+| 10 = @string_literal_expr
+| 11 = @null_literal_expr
+/* primary & unary */
+| 12 = @this_access_expr
+| 13 = @base_access_expr
+| 14 = @local_variable_access_expr
+| 15 = @parameter_access_expr
+| 16 = @field_access_expr
+| 17 = @property_access_expr
+| 18 = @method_access_expr
+| 19 = @event_access_expr
+| 20 = @indexer_access_expr
+| 21 = @array_access_expr
+| 22 = @type_access_expr
+| 23 = @typeof_expr
+| 24 = @method_invocation_expr
+| 25 = @delegate_invocation_expr
+| 26 = @operator_invocation_expr
+| 27 = @cast_expr
+| 28 = @object_creation_expr
+| 29 = @explicit_delegate_creation_expr
+| 30 = @implicit_delegate_creation_expr
+| 31 = @array_creation_expr
+| 32 = @default_expr
+| 33 = @plus_expr
+| 34 = @minus_expr
+| 35 = @bit_not_expr
+| 36 = @log_not_expr
+| 37 = @post_incr_expr
+| 38 = @post_decr_expr
+| 39 = @pre_incr_expr
+| 40 = @pre_decr_expr
+/* multiplicative */
+| 41 = @mul_expr
+| 42 = @div_expr
+| 43 = @rem_expr
+/* additive */
+| 44 = @add_expr
+| 45 = @sub_expr
+/* shift */
+| 46 = @lshift_expr
+| 47 = @rshift_expr
+/* relational */
+| 48 = @lt_expr
+| 49 = @gt_expr
+| 50 = @le_expr
+| 51 = @ge_expr
+/* equality */
+| 52 = @eq_expr
+| 53 = @ne_expr
+/* logical */
+| 54 = @bit_and_expr
+| 55 = @bit_xor_expr
+| 56 = @bit_or_expr
+| 57 = @log_and_expr
+| 58 = @log_or_expr
+/* type testing */
+| 59 = @is_expr
+| 60 = @as_expr
+/* null coalescing */
+| 61 = @null_coalescing_expr
+/* conditional */
+| 62 = @conditional_expr
+/* assignment */
+| 63 = @simple_assign_expr
+| 64 = @assign_add_expr
+| 65 = @assign_sub_expr
+| 66 = @assign_mul_expr
+| 67 = @assign_div_expr
+| 68 = @assign_rem_expr
+| 69 = @assign_and_expr
+| 70 = @assign_xor_expr
+| 71 = @assign_or_expr
+| 72 = @assign_lshift_expr
+| 73 = @assign_rshift_expr
+/* more */
+| 74 = @object_init_expr
+| 75 = @collection_init_expr
+| 76 = @array_init_expr
+| 77 = @checked_expr
+| 78 = @unchecked_expr
+| 79 = @constructor_init_expr
+| 80 = @add_event_expr
+| 81 = @remove_event_expr
+| 82 = @par_expr
+| 83 = @local_var_decl_expr
+| 84 = @lambda_expr
+| 85 = @anonymous_method_expr
+| 86 = @namespace_expr
+/* dynamic */
+| 92 = @dynamic_element_access_expr
+| 93 = @dynamic_member_access_expr
+/* unsafe */
+| 100 = @pointer_indirection_expr
+| 101 = @address_of_expr
+| 102 = @sizeof_expr
+/* async */
+| 103 = @await_expr
+/* C# 6.0 */
+| 104 = @nameof_expr
+| 105 = @interpolated_string_expr
+| 106 = @unknown_expr
+/* C# 7.0 */
+| 107 = @throw_expr
+| 108 = @tuple_expr
+| 109 = @local_function_invocation_expr
+| 110 = @ref_expr
+| 111 = @discard_expr
+/* C# 8.0 */
+| 112 = @range_expr
+| 113 = @index_expr
+| 114 = @switch_expr
+| 115 = @recursive_pattern_expr
+| 116 = @property_pattern_expr
+| 117 = @positional_pattern_expr
+| 118 = @switch_case_expr
+| 119 = @assign_coalesce_expr
+| 120 = @suppress_nullable_warning_expr
+| 121 = @namespace_access_expr
+/* C# 9.0 */
+| 122 = @lt_pattern_expr
+| 123 = @gt_pattern_expr
+| 124 = @le_pattern_expr
+| 125 = @ge_pattern_expr
+| 126 = @not_pattern_expr
+| 127 = @and_pattern_expr
+| 128 = @or_pattern_expr
+| 129 = @function_pointer_invocation_expr
+/* Preprocessor */
+| 999 = @define_symbol_expr
+;
+
+@switch = @switch_stmt | @switch_expr;
+@case = @case_stmt | @switch_case_expr;
+@pattern_match = @case | @is_expr;
+@unary_pattern_expr = @not_pattern_expr;
+@relational_pattern_expr = @gt_pattern_expr | @lt_pattern_expr | @ge_pattern_expr | @le_pattern_expr;
+@binary_pattern_expr = @and_pattern_expr | @or_pattern_expr;
+
+@integer_literal_expr = @int_literal_expr | @long_literal_expr | @uint_literal_expr | @ulong_literal_expr;
+@real_literal_expr = @float_literal_expr | @double_literal_expr | @decimal_literal_expr;
+@literal_expr = @bool_literal_expr | @char_literal_expr | @integer_literal_expr | @real_literal_expr
+              | @string_literal_expr | @null_literal_expr;
+
+@assign_expr = @simple_assign_expr | @assign_op_expr | @local_var_decl_expr;
+@assign_op_expr =  @assign_arith_expr | @assign_bitwise_expr | @assign_event_expr | @assign_coalesce_expr;
+@assign_event_expr = @add_event_expr | @remove_event_expr;
+
+@assign_arith_expr = @assign_add_expr | @assign_sub_expr | @assign_mul_expr | @assign_div_expr
+                   | @assign_rem_expr
+@assign_bitwise_expr = @assign_and_expr | @assign_or_expr | @assign_xor_expr
+                   | @assign_lshift_expr | @assign_rshift_expr;
+
+@member_access_expr = @field_access_expr | @property_access_expr | @indexer_access_expr | @event_access_expr
+                    | @method_access_expr | @type_access_expr | @dynamic_member_access_expr;
+@access_expr = @member_access_expr | @this_access_expr | @base_access_expr | @assignable_access_expr | @namespace_access_expr;
+@element_access_expr = @indexer_access_expr | @array_access_expr | @dynamic_element_access_expr;
+
+@local_variable_access = @local_variable_access_expr | @local_var_decl_expr;
+@local_scope_variable_access_expr = @parameter_access_expr | @local_variable_access;
+@variable_access_expr = @local_scope_variable_access_expr | @field_access_expr;
+
+@assignable_access_expr = @variable_access_expr | @property_access_expr | @element_access_expr
+                        | @event_access_expr | @dynamic_member_access_expr;
+
+@objectorcollection_init_expr = @object_init_expr | @collection_init_expr;
+
+@delegate_creation_expr = @explicit_delegate_creation_expr | @implicit_delegate_creation_expr;
+
+@bin_arith_op_expr = @mul_expr | @div_expr | @rem_expr | @add_expr | @sub_expr;
+@incr_op_expr =  @pre_incr_expr | @post_incr_expr;
+@decr_op_expr =  @pre_decr_expr | @post_decr_expr;
+@mut_op_expr = @incr_op_expr | @decr_op_expr;
+@un_arith_op_expr = @plus_expr | @minus_expr | @mut_op_expr;
+@arith_op_expr = @bin_arith_op_expr | @un_arith_op_expr;
+
+@ternary_log_op_expr = @conditional_expr;
+@bin_log_op_expr = @log_and_expr | @log_or_expr | @null_coalescing_expr;
+@un_log_op_expr = @log_not_expr;
+@log_expr = @un_log_op_expr | @bin_log_op_expr | @ternary_log_op_expr;
+
+@bin_bit_op_expr =  @bit_and_expr | @bit_or_expr | @bit_xor_expr | @lshift_expr
+                 | @rshift_expr;
+@un_bit_op_expr = @bit_not_expr;
+@bit_expr = @un_bit_op_expr | @bin_bit_op_expr;
+
+@equality_op_expr =  @eq_expr | @ne_expr;
+@rel_op_expr = @gt_expr | @lt_expr| @ge_expr | @le_expr;
+@comp_expr = @equality_op_expr | @rel_op_expr;
+
+@op_expr = @assign_expr | @un_op | @bin_op | @ternary_op;
+
+@ternary_op = @ternary_log_op_expr;
+@bin_op = @bin_arith_op_expr | @bin_log_op_expr | @bin_bit_op_expr | @comp_expr;
+@un_op = @un_arith_op_expr | @un_log_op_expr | @un_bit_op_expr | @sizeof_expr
+       | @pointer_indirection_expr | @address_of_expr;
+
+@anonymous_function_expr = @lambda_expr | @anonymous_method_expr;
+
+@call = @method_invocation_expr | @constructor_init_expr | @operator_invocation_expr
+      | @delegate_invocation_expr | @object_creation_expr | @call_access_expr
+      | @local_function_invocation_expr | @function_pointer_invocation_expr;
+
+@call_access_expr = @property_access_expr | @event_access_expr | @indexer_access_expr;
+
+@late_bindable_expr = @dynamic_element_access_expr | @dynamic_member_access_expr
+                    | @object_creation_expr | @method_invocation_expr | @operator_invocation_expr;
+
+@throw_element = @throw_expr | @throw_stmt;
+
+@implicitly_typeable_object_creation_expr = @object_creation_expr | @explicit_delegate_creation_expr;
+
+implicitly_typed_array_creation(
+  unique int id: @array_creation_expr ref);
+
+explicitly_sized_array_creation(
+  unique int id: @array_creation_expr ref);
+
+stackalloc_array_creation(
+  unique int id: @array_creation_expr ref);
+
+implicitly_typed_object_creation(
+  unique int id: @implicitly_typeable_object_creation_expr ref);
+
+mutator_invocation_mode(
+  unique int id: @operator_invocation_expr ref,
+  int mode: int ref /* prefix = 1, postfix = 2*/);
+
+expr_compiler_generated(
+  unique int id: @expr ref);
+
+expr_value(
+  unique int id: @expr ref,
+  string value: string ref);
+
+expr_call(
+  unique int caller_id: @expr ref,
+  int target_id: @callable ref);
+
+expr_access(
+  unique int accesser_id: @access_expr ref,
+  int target_id: @accessible ref);
+
+@accessible = @method | @assignable | @local_function | @namespace;
+
+expr_location(
+  unique int id: @expr ref,
+  int loc: @location ref);
+
+dynamic_member_name(
+  unique int id: @late_bindable_expr ref,
+  string name: string ref);
+
+@qualifiable_expr = @member_access_expr
+                  | @method_invocation_expr
+                  | @element_access_expr;
+
+conditional_access(
+  unique int id: @qualifiable_expr ref);
+
+expr_argument(
+  unique int id: @expr ref,
+  int mode: int ref);
+  /* mode is the same as params: value = 0, ref = 1, out = 2 */
+
+expr_argument_name(
+  unique int id: @expr ref,
+  string name: string ref);
+
+/** CONTROL/DATA FLOW **/
+
+@control_flow_element = @stmt | @expr;
+
+/* XML Files */
+
+xmlEncoding  (
+  unique int id: @file ref,
+  string encoding: string ref);
+
+xmlDTDs(
+  unique int id: @xmldtd,
+  string root: string ref,
+  string publicId: string ref,
+  string systemId: string ref,
+  int fileid: @file ref);
+
+xmlElements(
+  unique int id: @xmlelement,
+  string name: string ref,
+  int parentid: @xmlparent ref,
+  int idx: int ref,
+  int fileid: @file ref);
+
+xmlAttrs(
+  unique int id: @xmlattribute,
+  int elementid: @xmlelement ref,
+  string name: string ref,
+  string value: string ref,
+  int idx: int ref,
+  int fileid: @file ref);
+
+xmlNs(
+  int id: @xmlnamespace,
+  string prefixName: string ref,
+  string URI: string ref,
+  int fileid: @file ref);
+
+xmlHasNs(
+  int elementId: @xmlnamespaceable ref,
+  int nsId: @xmlnamespace ref,
+  int fileid: @file ref);
+
+xmlComments(
+  unique int id: @xmlcomment,
+  string text: string ref,
+  int parentid: @xmlparent ref,
+  int fileid: @file ref);
+
+xmlChars(
+  unique int id: @xmlcharacters,
+  string text: string ref,
+  int parentid: @xmlparent ref,
+  int idx: int ref,
+  int isCDATA: int ref,
+  int fileid: @file ref);
+
+@xmlparent = @file | @xmlelement;
+@xmlnamespaceable = @xmlelement | @xmlattribute;
+
+xmllocations(
+  int xmlElement: @xmllocatable ref,
+  int location: @location_default ref);
+
+@xmllocatable = @xmlcharacters | @xmlelement | @xmlcomment | @xmlattribute | @xmldtd | @file | @xmlnamespace;
+
+/* Comments */
+
+commentline(
+  unique int id: @commentline,
+  int kind: int ref,
+  string text: string ref,
+  string rawtext: string ref);
+
+case @commentline.kind of
+  0 = @singlelinecomment
+| 1 = @xmldoccomment
+| 2 = @multilinecomment;
+
+commentline_location(
+  unique int id: @commentline ref,
+  int loc: @location ref);
+
+commentblock(
+  unique int id : @commentblock);
+
+commentblock_location(
+  unique int id: @commentblock ref,
+  int loc: @location ref);
+
+commentblock_binding(
+  int id: @commentblock ref,
+  int entity: @element ref,
+  int bindtype: int ref);    /* 0: Parent, 1: Best, 2: Before, 3: After */
+
+commentblock_child(
+  int id: @commentblock ref,
+  int commentline: @commentline ref,
+  int index: int ref);
+
+/* ASP.NET */
+
+case @asp_element.kind of
+  0=@asp_close_tag
+| 1=@asp_code
+| 2=@asp_comment
+| 3=@asp_data_binding
+| 4=@asp_directive
+| 5=@asp_open_tag
+| 6=@asp_quoted_string
+| 7=@asp_text
+| 8=@asp_xml_directive;
+
+@asp_attribute = @asp_code | @asp_data_binding | @asp_quoted_string;
+
+asp_elements(
+  unique int id: @asp_element,
+  int kind: int ref,
+  int loc: @location ref);
+
+asp_comment_server(unique int comment: @asp_comment ref);
+asp_code_inline(unique int code: @asp_code ref);
+asp_directive_attribute(
+  int directive: @asp_directive ref,
+  int index: int ref,
+  string name: string ref,
+  int value: @asp_quoted_string ref);
+asp_directive_name(
+  unique int directive: @asp_directive ref,
+  string name: string ref);
+asp_element_body(
+  unique int element: @asp_element ref,
+  string body: string ref);
+asp_tag_attribute(
+  int tag: @asp_open_tag ref,
+  int index: int ref,
+  string name: string ref,
+  int attribute: @asp_attribute ref);
+asp_tag_name(
+  unique int tag: @asp_open_tag ref,
+  string name: string ref);
+asp_tag_isempty(int tag: @asp_open_tag ref);
+
+/* Common Intermediate Language - CIL */
+
+case @cil_instruction.opcode of
+  0 = @cil_nop
+| 1 = @cil_break
+| 2 = @cil_ldarg_0
+| 3 = @cil_ldarg_1
+| 4 = @cil_ldarg_2
+| 5 = @cil_ldarg_3
+| 6 = @cil_ldloc_0
+| 7 = @cil_ldloc_1
+| 8 = @cil_ldloc_2
+| 9 = @cil_ldloc_3
+| 10 = @cil_stloc_0
+| 11 = @cil_stloc_1
+| 12 = @cil_stloc_2
+| 13 = @cil_stloc_3
+| 14 = @cil_ldarg_s
+| 15 = @cil_ldarga_s
+| 16 = @cil_starg_s
+| 17 = @cil_ldloc_s
+| 18 = @cil_ldloca_s
+| 19 = @cil_stloc_s
+| 20 = @cil_ldnull
+| 21 = @cil_ldc_i4_m1
+| 22 = @cil_ldc_i4_0
+| 23 = @cil_ldc_i4_1
+| 24 = @cil_ldc_i4_2
+| 25 = @cil_ldc_i4_3
+| 26 = @cil_ldc_i4_4
+| 27 = @cil_ldc_i4_5
+| 28 = @cil_ldc_i4_6
+| 29 = @cil_ldc_i4_7
+| 30 = @cil_ldc_i4_8
+| 31 = @cil_ldc_i4_s
+| 32 = @cil_ldc_i4
+| 33 = @cil_ldc_i8
+| 34 = @cil_ldc_r4
+| 35 = @cil_ldc_r8
+| 37 = @cil_dup
+| 38 = @cil_pop
+| 39 = @cil_jmp
+| 40 = @cil_call
+| 41 = @cil_calli
+| 42 = @cil_ret
+| 43 = @cil_br_s
+| 44 = @cil_brfalse_s
+| 45 = @cil_brtrue_s
+| 46 = @cil_beq_s
+| 47 = @cil_bge_s
+| 48 = @cil_bgt_s
+| 49 = @cil_ble_s
+| 50 = @cil_blt_s
+| 51 = @cil_bne_un_s
+| 52 = @cil_bge_un_s
+| 53 = @cil_bgt_un_s
+| 54 = @cil_ble_un_s
+| 55 = @cil_blt_un_s
+| 56 = @cil_br
+| 57 = @cil_brfalse
+| 58 = @cil_brtrue
+| 59 = @cil_beq
+| 60 = @cil_bge
+| 61 = @cil_bgt
+| 62 = @cil_ble
+| 63 = @cil_blt
+| 64 = @cil_bne_un
+| 65 = @cil_bge_un
+| 66 = @cil_bgt_un
+| 67 = @cil_ble_un
+| 68 = @cil_blt_un
+| 69 = @cil_switch
+| 70 = @cil_ldind_i1
+| 71 = @cil_ldind_u1
+| 72 = @cil_ldind_i2
+| 73 = @cil_ldind_u2
+| 74 = @cil_ldind_i4
+| 75 = @cil_ldind_u4
+| 76 = @cil_ldind_i8
+| 77 = @cil_ldind_i
+| 78 = @cil_ldind_r4
+| 79 = @cil_ldind_r8
+| 80 = @cil_ldind_ref
+| 81 = @cil_stind_ref
+| 82 = @cil_stind_i1
+| 83 = @cil_stind_i2
+| 84 = @cil_stind_i4
+| 85 = @cil_stind_i8
+| 86 = @cil_stind_r4
+| 87 = @cil_stind_r8
+| 88 = @cil_add
+| 89 = @cil_sub
+| 90 = @cil_mul
+| 91 = @cil_div
+| 92 = @cil_div_un
+| 93 = @cil_rem
+| 94 = @cil_rem_un
+| 95 = @cil_and
+| 96 = @cil_or
+| 97 = @cil_xor
+| 98 = @cil_shl
+| 99 = @cil_shr
+| 100 = @cil_shr_un
+| 101 = @cil_neg
+| 102 = @cil_not
+| 103 = @cil_conv_i1
+| 104 = @cil_conv_i2
+| 105 = @cil_conv_i4
+| 106 = @cil_conv_i8
+| 107 = @cil_conv_r4
+| 108 = @cil_conv_r8
+| 109 = @cil_conv_u4
+| 110 = @cil_conv_u8
+| 111 = @cil_callvirt
+| 112 = @cil_cpobj
+| 113 = @cil_ldobj
+| 114 = @cil_ldstr
+| 115 = @cil_newobj
+| 116 = @cil_castclass
+| 117 = @cil_isinst
+| 118 = @cil_conv_r_un
+| 121 = @cil_unbox
+| 122 = @cil_throw
+| 123 = @cil_ldfld
+| 124 = @cil_ldflda
+| 125 = @cil_stfld
+| 126 = @cil_ldsfld
+| 127 = @cil_ldsflda
+| 128 = @cil_stsfld
+| 129 = @cil_stobj
+| 130 = @cil_conv_ovf_i1_un
+| 131 = @cil_conv_ovf_i2_un
+| 132 = @cil_conv_ovf_i4_un
+| 133 = @cil_conv_ovf_i8_un
+| 134 = @cil_conv_ovf_u1_un
+| 135 = @cil_conv_ovf_u2_un
+| 136 = @cil_conv_ovf_u4_un
+| 137 = @cil_conv_ovf_u8_un
+| 138 = @cil_conv_ovf_i_un
+| 139 = @cil_conv_ovf_u_un
+| 140 = @cil_box
+| 141 = @cil_newarr
+| 142 = @cil_ldlen
+| 143 = @cil_ldelema
+| 144 = @cil_ldelem_i1
+| 145 = @cil_ldelem_u1
+| 146 = @cil_ldelem_i2
+| 147 = @cil_ldelem_u2
+| 148 = @cil_ldelem_i4
+| 149 = @cil_ldelem_u4
+| 150 = @cil_ldelem_i8
+| 151 = @cil_ldelem_i
+| 152 = @cil_ldelem_r4
+| 153 = @cil_ldelem_r8
+| 154 = @cil_ldelem_ref
+| 155 = @cil_stelem_i
+| 156 = @cil_stelem_i1
+| 157 = @cil_stelem_i2
+| 158 = @cil_stelem_i4
+| 159 = @cil_stelem_i8
+| 160 = @cil_stelem_r4
+| 161 = @cil_stelem_r8
+| 162 = @cil_stelem_ref
+| 163 = @cil_ldelem
+| 164 = @cil_stelem
+| 165 = @cil_unbox_any
+| 179 = @cil_conv_ovf_i1
+| 180 = @cil_conv_ovf_u1
+| 181 = @cil_conv_ovf_i2
+| 182 = @cil_conv_ovf_u2
+| 183 = @cil_conv_ovf_i4
+| 184 = @cil_conv_ovf_u4
+| 185 = @cil_conv_ovf_i8
+| 186 = @cil_conv_ovf_u8
+| 194 = @cil_refanyval
+| 195 = @cil_ckinfinite
+| 198 = @cil_mkrefany
+| 208 = @cil_ldtoken
+| 209 = @cil_conv_u2
+| 210 = @cil_conv_u1
+| 211 = @cil_conv_i
+| 212 = @cil_conv_ovf_i
+| 213 = @cil_conv_ovf_u
+| 214 = @cil_add_ovf
+| 215 = @cil_add_ovf_un
+| 216 = @cil_mul_ovf
+| 217 = @cil_mul_ovf_un
+| 218 = @cil_sub_ovf
+| 219 = @cil_sub_ovf_un
+| 220 = @cil_endfinally
+| 221 = @cil_leave
+| 222 = @cil_leave_s
+| 223 = @cil_stind_i
+| 224 = @cil_conv_u
+| 65024 = @cil_arglist
+| 65025 = @cil_ceq
+| 65026 = @cil_cgt
+| 65027 = @cil_cgt_un
+| 65028 = @cil_clt
+| 65029 = @cil_clt_un
+| 65030 = @cil_ldftn
+| 65031 = @cil_ldvirtftn
+| 65033 = @cil_ldarg
+| 65034 = @cil_ldarga
+| 65035 = @cil_starg
+| 65036 = @cil_ldloc
+| 65037 = @cil_ldloca
+| 65038 = @cil_stloc
+| 65039 = @cil_localloc
+| 65041 = @cil_endfilter
+| 65042 = @cil_unaligned
+| 65043 = @cil_volatile
+| 65044 = @cil_tail
+| 65045 = @cil_initobj
+| 65046 = @cil_constrained
+| 65047 = @cil_cpblk
+| 65048 = @cil_initblk
+| 65050 = @cil_rethrow
+| 65052 = @cil_sizeof
+| 65053 = @cil_refanytype
+| 65054 = @cil_readonly
+;
+
+// CIL ignored instructions
+
+@cil_ignore = @cil_nop | @cil_break | @cil_volatile | @cil_unaligned;
+
+// CIL local/parameter/field access
+
+@cil_ldarg_any = @cil_ldarg_0 | @cil_ldarg_1 | @cil_ldarg_2 | @cil_ldarg_3 | @cil_ldarg_s | @cil_ldarga_s | @cil_ldarg | @cil_ldarga;
+@cil_starg_any = @cil_starg | @cil_starg_s;
+
+@cil_ldloc_any = @cil_ldloc_0 | @cil_ldloc_1 | @cil_ldloc_2 | @cil_ldloc_3 | @cil_ldloc_s | @cil_ldloca_s | @cil_ldloc | @cil_ldloca;
+@cil_stloc_any = @cil_stloc_0 | @cil_stloc_1 | @cil_stloc_2 | @cil_stloc_3 | @cil_stloc_s | @cil_stloc;
+
+@cil_ldfld_any = @cil_ldfld | @cil_ldsfld | @cil_ldsflda | @cil_ldflda;
+@cil_stfld_any = @cil_stfld | @cil_stsfld;
+
+@cil_local_access = @cil_stloc_any | @cil_ldloc_any;
+@cil_arg_access = @cil_starg_any | @cil_ldarg_any;
+@cil_read_access = @cil_ldloc_any | @cil_ldarg_any | @cil_ldfld_any;
+@cil_write_access = @cil_stloc_any | @cil_starg_any | @cil_stfld_any;
+
+@cil_stack_access = @cil_local_access | @cil_arg_access;
+@cil_field_access = @cil_ldfld_any | @cil_stfld_any;
+
+@cil_access = @cil_read_access | @cil_write_access;
+
+// CIL constant/literal instructions
+
+@cil_ldc_i = @cil_ldc_i4_any | @cil_ldc_i8;
+
+@cil_ldc_i4_any = @cil_ldc_i4_m1 | @cil_ldc_i4_0 | @cil_ldc_i4_1 | @cil_ldc_i4_2 | @cil_ldc_i4_3 |
+  @cil_ldc_i4_4 | @cil_ldc_i4_5 | @cil_ldc_i4_6 | @cil_ldc_i4_7 | @cil_ldc_i4_8 | @cil_ldc_i4_s | @cil_ldc_i4;
+
+@cil_ldc_r = @cil_ldc_r4 | @cil_ldc_r8;
+
+@cil_literal = @cil_ldnull | @cil_ldc_i | @cil_ldc_r | @cil_ldstr;
+
+// Control flow
+
+@cil_conditional_jump = @cil_binary_jump | @cil_unary_jump;
+@cil_binary_jump = @cil_beq_s | @cil_bge_s | @cil_bgt_s | @cil_ble_s | @cil_blt_s |
+    @cil_bne_un_s | @cil_bge_un_s | @cil_bgt_un_s | @cil_ble_un_s | @cil_blt_un_s |
+    @cil_beq | @cil_bge | @cil_bgt | @cil_ble | @cil_blt |
+    @cil_bne_un | @cil_bge_un | @cil_bgt_un | @cil_ble_un | @cil_blt_un;
+@cil_unary_jump = @cil_brfalse_s | @cil_brtrue_s | @cil_brfalse | @cil_brtrue | @cil_switch;
+@cil_unconditional_jump = @cil_br | @cil_br_s | @cil_leave_any;
+@cil_leave_any = @cil_leave | @cil_leave_s;
+@cil_jump = @cil_unconditional_jump | @cil_conditional_jump;
+
+// CIL call instructions
+
+@cil_call_any = @cil_jmp | @cil_call | @cil_calli | @cil_tail | @cil_callvirt | @cil_newobj;
+
+// CIL expression instructions
+
+@cil_expr = @cil_literal | @cil_binary_expr | @cil_unary_expr | @cil_call_any | @cil_read_access |
+  @cil_newarr | @cil_ldtoken | @cil_sizeof |
+  @cil_ldftn | @cil_ldvirtftn | @cil_localloc | @cil_mkrefany | @cil_refanytype | @cil_arglist | @cil_dup;
+
+@cil_unary_expr =
+  @cil_conversion_operation | @cil_unary_arithmetic_operation | @cil_unary_bitwise_operation|
+  @cil_ldlen | @cil_isinst | @cil_box | @cil_ldobj | @cil_castclass | @cil_unbox_any |
+  @cil_ldind | @cil_unbox;
+
+@cil_conversion_operation =
+  @cil_conv_i1 | @cil_conv_i2 | @cil_conv_i4 | @cil_conv_i8 |
+  @cil_conv_u1 | @cil_conv_u2 | @cil_conv_u4 | @cil_conv_u8 |
+  @cil_conv_ovf_i | @cil_conv_ovf_i_un | @cil_conv_ovf_i1 | @cil_conv_ovf_i1_un |
+  @cil_conv_ovf_i2 | @cil_conv_ovf_i2_un | @cil_conv_ovf_i4 | @cil_conv_ovf_i4_un |
+  @cil_conv_ovf_i8 | @cil_conv_ovf_i8_un | @cil_conv_ovf_u | @cil_conv_ovf_u_un |
+  @cil_conv_ovf_u1 | @cil_conv_ovf_u1_un | @cil_conv_ovf_u2 | @cil_conv_ovf_u2_un |
+  @cil_conv_ovf_u4 | @cil_conv_ovf_u4_un | @cil_conv_ovf_u8 | @cil_conv_ovf_u8_un |
+  @cil_conv_r4 | @cil_conv_r8 | @cil_conv_ovf_u2 | @cil_conv_ovf_u2_un |
+  @cil_conv_i | @cil_conv_u | @cil_conv_r_un;
+
+@cil_ldind = @cil_ldind_i | @cil_ldind_i1 | @cil_ldind_i2 | @cil_ldind_i4 | @cil_ldind_i8 |
+  @cil_ldind_r4 | @cil_ldind_r8 | @cil_ldind_ref | @cil_ldind_u1 | @cil_ldind_u2 | @cil_ldind_u4;
+
+@cil_stind = @cil_stind_i | @cil_stind_i1 | @cil_stind_i2 | @cil_stind_i4 | @cil_stind_i8 |
+  @cil_stind_r4 | @cil_stind_r8 | @cil_stind_ref;
+
+@cil_bitwise_operation = @cil_binary_bitwise_operation | @cil_unary_bitwise_operation;
+
+@cil_binary_bitwise_operation = @cil_and | @cil_or | @cil_xor | @cil_shr | @cil_shr | @cil_shr_un | @cil_shl;
+
+@cil_binary_arithmetic_operation = @cil_add | @cil_sub | @cil_mul | @cil_div | @cil_div_un |
+  @cil_rem | @cil_rem_un | @cil_add_ovf | @cil_add_ovf_un | @cil_mul_ovf | @cil_mul_ovf_un |
+  @cil_sub_ovf | @cil_sub_ovf_un;
+
+@cil_unary_bitwise_operation = @cil_not;
+
+@cil_binary_expr = @cil_binary_arithmetic_operation | @cil_binary_bitwise_operation | @cil_read_array | @cil_comparison_operation;
+
+@cil_unary_arithmetic_operation = @cil_neg;
+
+@cil_comparison_operation = @cil_cgt_un | @cil_ceq | @cil_cgt | @cil_clt | @cil_clt_un;
+
+// Elements that retrieve an address of something
+@cil_read_ref = @cil_ldloca_s | @cil_ldarga_s | @cil_ldflda | @cil_ldsflda | @cil_ldelema;
+
+// CIL array instructions
+
+@cil_read_array =
+  @cil_ldelem | @cil_ldelema | @cil_ldelem_i1 | @cil_ldelem_ref | @cil_ldelem_i |
+  @cil_ldelem_i1 | @cil_ldelem_i2 | @cil_ldelem_i4 | @cil_ldelem_i8 | @cil_ldelem_r4 |
+  @cil_ldelem_r8 | @cil_ldelem_u1 | @cil_ldelem_u2 | @cil_ldelem_u4;
+
+@cil_write_array = @cil_stelem | @cil_stelem_ref |
+  @cil_stelem_i | @cil_stelem_i1 | @cil_stelem_i2 | @cil_stelem_i4 | @cil_stelem_i8 |
+  @cil_stelem_r4 | @cil_stelem_r8;
+
+@cil_throw_any = @cil_throw | @cil_rethrow;
+
+#keyset[impl, index]
+cil_instruction(
+  unique int id: @cil_instruction,
+  int opcode: int ref,
+  int index: int ref,
+  int impl: @cil_method_implementation ref);
+
+cil_jump(
+  unique int instruction: @cil_jump ref,
+  int target: @cil_instruction ref);
+
+cil_access(
+  unique int instruction: @cil_instruction ref,
+  int target: @cil_accessible ref);
+
+cil_value(
+  unique int instruction: @cil_literal ref,
+  string value: string ref);
+
+#keyset[instruction, index]
+cil_switch(
+  int instruction: @cil_switch ref,
+  int index: int ref,
+  int target: @cil_instruction ref);
+
+cil_instruction_location(
+  unique int id: @cil_instruction ref,
+  int loc: @location ref);
+
+cil_type_location(
+  int id: @cil_type ref,
+  int loc: @location ref);
+
+cil_method_location(
+  int id: @cil_method ref,
+  int loc: @location ref);
+
+@cil_namespace = @namespace;
+
+@cil_type_container = @cil_type | @cil_namespace | @cil_method;
+
+case @cil_type.kind of
+  0 = @cil_valueorreftype
+| 1 = @cil_typeparameter
+| 2 = @cil_array_type
+| 3 = @cil_pointer_type
+| 4 = @cil_function_pointer_type
+;
+
+cil_type(
+  unique int id: @cil_type,
+  string name: string ref,
+  int kind: int ref,
+  int parent: @cil_type_container ref,
+  int sourceDecl: @cil_type ref);
+
+cil_pointer_type(
+  unique int id: @cil_pointer_type ref,
+  int pointee: @cil_type ref);
+
+cil_array_type(
+  unique int id: @cil_array_type ref,
+  int element_type: @cil_type ref,
+  int rank: int ref);
+
+cil_function_pointer_return_type(
+  unique int id: @cil_function_pointer_type ref,
+  int return_type: @cil_type ref);
+
+cil_method(
+  unique int id: @cil_method,
+  string name: string ref,
+  int parent: @cil_type ref,
+  int return_type: @cil_type ref);
+
+cil_method_source_declaration(
+  unique int method: @cil_method ref,
+  int source: @cil_method ref);
+
+cil_method_implementation(
+  unique int id: @cil_method_implementation,
+  int method: @cil_method ref,
+  int location: @assembly ref);
+
+cil_implements(
+  int id: @cil_method ref,
+  int decl: @cil_method ref);
+
+#keyset[parent, name]
+cil_field(
+  unique int id: @cil_field,
+  int parent: @cil_type ref,
+  string name: string ref,
+  int field_type: @cil_type ref);
+
+@cil_element = @cil_instruction | @cil_declaration | @cil_handler | @cil_attribute | @cil_namespace;
+@cil_named_element = @cil_declaration | @cil_namespace;
+@cil_declaration = @cil_variable | @cil_method | @cil_type | @cil_member;
+@cil_accessible = @cil_declaration;
+@cil_variable = @cil_field | @cil_stack_variable;
+@cil_stack_variable = @cil_local_variable | @cil_parameter;
+@cil_member = @cil_method | @cil_type | @cil_field | @cil_property | @cil_event;
+@cil_custom_modifier_receiver = @cil_method | @cil_property | @cil_parameter | @cil_field | @cil_function_pointer_type;
+@cil_parameterizable = @cil_method | @cil_function_pointer_type;
+@cil_has_type_annotation = @cil_stack_variable | @cil_property | @cil_method | @cil_function_pointer_type;
+
+#keyset[parameterizable, index]
+cil_parameter(
+  unique int id: @cil_parameter,
+  int parameterizable: @cil_parameterizable ref,
+  int index: int ref,
+  int param_type: @cil_type ref);
+
+cil_parameter_in(unique int id: @cil_parameter ref);
+cil_parameter_out(unique int id: @cil_parameter ref);
+
+cil_setter(unique int prop: @cil_property ref,
+  int method: @cil_method ref);
+
+#keyset[id, modifier]
+cil_custom_modifiers(
+  int id: @cil_custom_modifier_receiver ref,
+  int modifier: @cil_type ref,
+  int kind: int ref); // modreq: 1, modopt: 0
+
+cil_type_annotation(
+  int id: @cil_has_type_annotation ref,
+  int annotation: int ref);
+
+cil_getter(unique int prop: @cil_property ref,
+  int method: @cil_method ref);
+
+cil_adder(unique int event: @cil_event ref,
+  int method: @cil_method ref);
+
+cil_remover(unique int event: @cil_event ref, int method: @cil_method ref);
+
+cil_raiser(unique int event: @cil_event ref, int method: @cil_method ref);
+
+cil_property(
+  unique int id: @cil_property,
+  int parent: @cil_type ref,
+  string name: string ref,
+  int property_type: @cil_type ref);
+
+#keyset[parent, name]
+cil_event(unique int id: @cil_event,
+  int parent: @cil_type ref,
+  string name: string ref,
+  int event_type: @cil_type ref);
+
+#keyset[impl, index]
+cil_local_variable(
+  unique int id: @cil_local_variable,
+  int impl: @cil_method_implementation ref,
+  int index: int ref,
+  int var_type: @cil_type ref);
+
+cil_function_pointer_calling_conventions(
+  int id: @cil_function_pointer_type ref,
+  int kind: int ref);
+
+// CIL handlers (exception handlers etc).
+
+case @cil_handler.kind of
+  0 = @cil_catch_handler
+| 1 = @cil_filter_handler
+| 2 = @cil_finally_handler
+| 4 = @cil_fault_handler
+;
+
+#keyset[impl, index]
+cil_handler(
+  unique int id: @cil_handler,
+  int impl: @cil_method_implementation ref,
+  int index: int ref,
+  int kind: int ref,
+  int try_start: @cil_instruction ref,
+  int try_end: @cil_instruction ref,
+  int handler_start: @cil_instruction ref);
+
+cil_handler_filter(
+  unique int id: @cil_handler ref,
+  int filter_start: @cil_instruction ref);
+
+cil_handler_type(
+  unique int id: @cil_handler ref,
+  int catch_type: @cil_type ref);
+
+@cil_controlflow_node = @cil_entry_point | @cil_instruction;
+
+@cil_entry_point = @cil_method_implementation | @cil_handler;
+
+@cil_dataflow_node = @cil_instruction | @cil_variable | @cil_method;
+
+cil_method_stack_size(
+  unique int method: @cil_method_implementation ref,
+  int size: int ref);
+
+// CIL modifiers
+
+cil_public(int id: @cil_member ref);
+cil_private(int id: @cil_member ref);
+cil_protected(int id: @cil_member ref);
+cil_internal(int id: @cil_member ref);
+cil_static(int id: @cil_member ref);
+cil_sealed(int id: @cil_member ref);
+cil_virtual(int id: @cil_method ref);
+cil_abstract(int id: @cil_member ref);
+cil_class(int id: @cil_type ref);
+cil_interface(int id: @cil_type ref);
+cil_security(int id: @cil_member ref);
+cil_requiresecobject(int id: @cil_method ref);
+cil_specialname(int id: @cil_method ref);
+cil_newslot(int id: @cil_method ref);
+
+cil_base_class(unique int id: @cil_type ref, int base: @cil_type ref);
+cil_base_interface(int id: @cil_type ref, int base: @cil_type ref);
+cil_enum_underlying_type(unique int id: @cil_type ref, int underlying: @cil_type ref);
+
+#keyset[unbound, index]
+cil_type_parameter(
+  int unbound: @cil_member ref,
+  int index: int ref,
+  int param: @cil_typeparameter ref);
+
+#keyset[bound, index]
+cil_type_argument(
+  int bound: @cil_member ref,
+  int index: int ref,
+  int t: @cil_type ref);
+
+// CIL type parameter constraints
+
+cil_typeparam_covariant(int tp: @cil_typeparameter ref);
+cil_typeparam_contravariant(int tp: @cil_typeparameter ref);
+cil_typeparam_class(int tp: @cil_typeparameter ref);
+cil_typeparam_struct(int tp: @cil_typeparameter ref);
+cil_typeparam_new(int tp: @cil_typeparameter ref);
+cil_typeparam_constraint(int tp: @cil_typeparameter ref, int supertype: @cil_type ref);
+
+// CIL attributes
+
+cil_attribute(
+  unique int attributeid: @cil_attribute,
+  int element: @cil_declaration ref,
+  int constructor: @cil_method ref);
+
+#keyset[attribute_id, param]
+cil_attribute_named_argument(
+  int attribute_id: @cil_attribute ref,
+  string param: string ref,
+  string value: string ref);
+
+#keyset[attribute_id, index]
+cil_attribute_positional_argument(
+  int attribute_id: @cil_attribute ref,
+  int index: int ref,
+  string value: string ref);
+
+
+// Common .Net data model covering both C# and CIL
+
+// Common elements
+@dotnet_element = @element | @cil_element;
+@dotnet_named_element = @named_element | @cil_named_element;
+@dotnet_callable = @callable | @cil_method;
+@dotnet_variable = @variable | @cil_variable;
+@dotnet_field = @field | @cil_field;
+@dotnet_parameter = @parameter | @cil_parameter;
+@dotnet_declaration = @declaration | @cil_declaration;
+@dotnet_member = @member | @cil_member;
+@dotnet_event = @event | @cil_event;
+@dotnet_property = @property | @cil_property | @indexer;
+@dotnet_parameterizable = @parameterizable | @cil_parameterizable;
+
+// Common types
+@dotnet_type = @type | @cil_type;
+@dotnet_call = @call | @cil_call_any;
+@dotnet_throw = @throw_element | @cil_throw_any;
+@dotnet_valueorreftype = @cil_valueorreftype | @value_or_ref_type | @cil_array_type | @void_type;
+@dotnet_typeparameter = @type_parameter | @cil_typeparameter;
+@dotnet_array_type = @array_type | @cil_array_type;
+@dotnet_pointer_type = @pointer_type | @cil_pointer_type;
+@dotnet_type_parameter = @type_parameter | @cil_typeparameter;
+@dotnet_generic = @dotnet_valueorreftype | @dotnet_callable;
+
+// Attributes
+@dotnet_attribute = @attribute | @cil_attribute;
+
+// Expressions
+@dotnet_expr = @expr | @cil_expr;
+
+// Literals
+@dotnet_literal = @literal_expr | @cil_literal;
+@dotnet_string_literal = @string_literal_expr | @cil_ldstr;
+@dotnet_int_literal = @integer_literal_expr | @cil_ldc_i;
+@dotnet_float_literal = @float_literal_expr | @cil_ldc_r;
+@dotnet_null_literal = @null_literal_expr | @cil_ldnull;
+
+@metadata_entity = @cil_method | @cil_type | @cil_field | @cil_property | @field | @property |
+    @callable | @value_or_ref_type | @void_type;
+
+#keyset[entity, location]
+metadata_handle(int entity : @metadata_entity ref, int location: @assembly ref, int handle: int ref)
diff --git a/csharp/upgrades/efcd69e086a26dd33395f2ddb3113b2849399040/upgrade.properties b/csharp/upgrades/efcd69e086a26dd33395f2ddb3113b2849399040/upgrade.properties
new file mode 100644
index 00000000000..14ab5d3a87c
--- /dev/null
+++ b/csharp/upgrades/efcd69e086a26dd33395f2ddb3113b2849399040/upgrade.properties
@@ -0,0 +1,5 @@
+description: Add '@preprocessor_directive' to store preprocessor directives. Add
+'locations_mapped' relation to store location that take into account '#line'
+directives. Finally, the '@define_symbol_expr' expression was added to represent
+symbols inside conditions of '#if' and '#elif' directives.
+compatibility: backwards

From d3244fe298b3886e3e508ec4b61de633e6f11748 Mon Sep 17 00:00:00 2001
From: Tamas Vajk <tamasvajk@github.com>
Date: Mon, 1 Feb 2021 13:24:41 +0100
Subject: [PATCH 136/429] Add new .stats file

---
 .../ql/src/semmlecode.csharp.dbscheme.stats   | 18048 +++++++++-------
 1 file changed, 10097 insertions(+), 7951 deletions(-)

diff --git a/csharp/ql/src/semmlecode.csharp.dbscheme.stats b/csharp/ql/src/semmlecode.csharp.dbscheme.stats
index 5cddf1536bb..c294897e009 100644
--- a/csharp/ql/src/semmlecode.csharp.dbscheme.stats
+++ b/csharp/ql/src/semmlecode.csharp.dbscheme.stats
@@ -1,7 +1,7 @@
 <dbstats>
   <typesizes><e>
 <k>@compilation</k>
-<v>1095</v>
+<v>564</v>
 </e>
 <e>
 <k>@diagnostic</k>
@@ -9,7 +9,7 @@
 </e>
 <e>
 <k>@extractor_message</k>
-<v>7611</v>
+<v>750</v>
 </e>
 <e>
 <k>@externalDefect</k>
@@ -21,11 +21,11 @@
 </e>
 <e>
 <k>@externalDataElement</k>
-<v>29</v>
+<v>15</v>
 </e>
 <e>
 <k>@duplication</k>
-<v>22736</v>
+<v>11701</v>
 </e>
 <e>
 <k>@similarity</k>
@@ -33,139 +33,195 @@
 </e>
 <e>
 <k>@location_default</k>
-<v>14071994</v>
+<v>11326677</v>
 </e>
 <e>
 <k>@assembly</k>
-<v>4198</v>
+<v>2160</v>
 </e>
 <e>
 <k>@file</k>
-<v>42467</v>
+<v>24351</v>
 </e>
 <e>
 <k>@folder</k>
-<v>16940</v>
+<v>9177</v>
 </e>
 <e>
 <k>@namespace</k>
-<v>21942</v>
+<v>11293</v>
 </e>
 <e>
 <k>@namespace_declaration</k>
-<v>19760</v>
+<v>8355</v>
 </e>
 <e>
 <k>@using_namespace_directive</k>
-<v>144253</v>
+<v>66100</v>
 </e>
 <e>
 <k>@using_static_directive</k>
-<v>390</v>
+<v>199</v>
+</e>
+<e>
+<k>@directive_if</k>
+<v>2550</v>
+</e>
+<e>
+<k>@directive_elif</k>
+<v>7</v>
+</e>
+<e>
+<k>@directive_else</k>
+<v>1140</v>
+</e>
+<e>
+<k>@directive_endif</k>
+<v>2550</v>
+</e>
+<e>
+<k>@directive_region</k>
+<v>565</v>
+</e>
+<e>
+<k>@directive_endregion</k>
+<v>565</v>
+</e>
+<e>
+<k>@directive_line</k>
+<v>128896</v>
+</e>
+<e>
+<k>@directive_nullable</k>
+<v>83477</v>
+</e>
+<e>
+<k>@directive_warning</k>
+<v>1</v>
+</e>
+<e>
+<k>@directive_error</k>
+<v>1</v>
+</e>
+<e>
+<k>@directive_undefine</k>
+<v>1</v>
+</e>
+<e>
+<k>@directive_define</k>
+<v>5</v>
+</e>
+<e>
+<k>@pragma_checksum</k>
+<v>2494</v>
+</e>
+<e>
+<k>@pragma_warning</k>
+<v>14725</v>
 </e>
 <e>
 <k>@bool_type</k>
-<v>4</v>
+<v>2</v>
 </e>
 <e>
 <k>@char_type</k>
-<v>4</v>
+<v>2</v>
 </e>
 <e>
 <k>@decimal_type</k>
-<v>4</v>
+<v>2</v>
 </e>
 <e>
 <k>@sbyte_type</k>
-<v>4</v>
+<v>2</v>
 </e>
 <e>
 <k>@short_type</k>
-<v>4</v>
+<v>2</v>
 </e>
 <e>
 <k>@int_type</k>
-<v>4</v>
+<v>2</v>
 </e>
 <e>
 <k>@long_type</k>
-<v>4</v>
+<v>2</v>
 </e>
 <e>
 <k>@byte_type</k>
-<v>4</v>
+<v>2</v>
 </e>
 <e>
 <k>@ushort_type</k>
-<v>4</v>
+<v>2</v>
 </e>
 <e>
 <k>@uint_type</k>
-<v>4</v>
+<v>2</v>
 </e>
 <e>
 <k>@ulong_type</k>
-<v>4</v>
+<v>2</v>
 </e>
 <e>
 <k>@float_type</k>
-<v>4</v>
+<v>2</v>
 </e>
 <e>
 <k>@double_type</k>
-<v>4</v>
+<v>2</v>
 </e>
 <e>
 <k>@enum_type</k>
-<v>11952</v>
+<v>6141</v>
 </e>
 <e>
 <k>@struct_type</k>
-<v>49665</v>
+<v>24822</v>
 </e>
 <e>
 <k>@class_type</k>
-<v>305101</v>
+<v>154426</v>
 </e>
 <e>
 <k>@interface_type</k>
-<v>178114</v>
+<v>88664</v>
 </e>
 <e>
 <k>@delegate_type</k>
-<v>107568</v>
+<v>52237</v>
 </e>
 <e>
 <k>@null_type</k>
-<v>4</v>
+<v>2</v>
 </e>
 <e>
 <k>@type_parameter</k>
-<v>202599</v>
+<v>102321</v>
 </e>
 <e>
 <k>@pointer_type</k>
-<v>219</v>
+<v>112</v>
 </e>
 <e>
 <k>@nullable_type</k>
-<v>979</v>
+<v>550</v>
 </e>
 <e>
 <k>@array_type</k>
-<v>9122</v>
+<v>4384</v>
 </e>
 <e>
 <k>@void_type</k>
-<v>4</v>
+<v>2</v>
 </e>
 <e>
 <k>@int_ptr_type</k>
-<v>4</v>
+<v>2</v>
 </e>
 <e>
 <k>@tuple_type</k>
-<v>1782</v>
+<v>857</v>
 </e>
 <e>
 <k>@uint_ptr_type</k>
@@ -173,7 +229,7 @@
 </e>
 <e>
 <k>@dynamic_type</k>
-<v>4</v>
+<v>2</v>
 </e>
 <e>
 <k>@arglist_type</k>
@@ -185,495 +241,495 @@
 </e>
 <e>
 <k>@function_pointer_type</k>
-<v>11</v>
+<v>9</v>
 </e>
 <e>
 <k>@typeref</k>
-<v>234794</v>
+<v>120781</v>
 </e>
 <e>
 <k>@attribute</k>
-<v>745432</v>
+<v>368399</v>
 </e>
 <e>
 <k>@type_mention</k>
-<v>1248753</v>
+<v>622003</v>
 </e>
 <e>
 <k>@oblivious</k>
-<v>1315</v>
+<v>664</v>
 </e>
 <e>
 <k>@not_annotated</k>
-<v>618</v>
+<v>300</v>
 </e>
 <e>
 <k>@annotated</k>
-<v>113</v>
+<v>75</v>
 </e>
 <e>
 <k>@type_parameter_constraints</k>
-<v>591856</v>
+<v>273733</v>
 </e>
 <e>
 <k>@modifier</k>
-<v>82</v>
+<v>42</v>
 </e>
 <e>
 <k>@property</k>
-<v>423531</v>
+<v>212542</v>
 </e>
 <e>
 <k>@indexer</k>
-<v>17042</v>
+<v>7590</v>
 </e>
 <e>
 <k>@getter</k>
-<v>440340</v>
+<v>220012</v>
 </e>
 <e>
 <k>@setter</k>
-<v>127528</v>
+<v>64470</v>
 </e>
 <e>
 <k>@event</k>
-<v>15230</v>
+<v>7838</v>
 </e>
 <e>
 <k>@add_event_accessor</k>
-<v>15230</v>
+<v>7838</v>
 </e>
 <e>
 <k>@remove_event_accessor</k>
-<v>15230</v>
+<v>7838</v>
 </e>
 <e>
 <k>@operator</k>
-<v>12410</v>
+<v>6201</v>
 </e>
 <e>
 <k>@method</k>
-<v>1116872</v>
+<v>549172</v>
 </e>
 <e>
 <k>@constructor</k>
-<v>277641</v>
+<v>138720</v>
 </e>
 <e>
 <k>@destructor</k>
-<v>443</v>
+<v>225</v>
 </e>
 <e>
 <k>@local_function</k>
-<v>1801</v>
+<v>488</v>
 </e>
 <e>
 <k>@addressable_field</k>
-<v>370470</v>
+<v>188270</v>
 </e>
 <e>
 <k>@constant</k>
-<v>185215</v>
+<v>95194</v>
 </e>
 <e>
 <k>@addressable_local_variable</k>
-<v>162452</v>
+<v>72587</v>
 </e>
 <e>
 <k>@local_constant</k>
-<v>799</v>
+<v>373</v>
 </e>
 <e>
 <k>@local_variable_ref</k>
-<v>265</v>
+<v>67</v>
 </e>
 <e>
 <k>@parameter</k>
-<v>2417684</v>
+<v>1189134</v>
 </e>
 <e>
 <k>@block_stmt</k>
-<v>307634</v>
+<v>159797</v>
 </e>
 <e>
 <k>@expr_stmt</k>
-<v>367212</v>
+<v>178398</v>
 </e>
 <e>
 <k>@return_stmt</k>
-<v>94725</v>
+<v>40051</v>
 </e>
 <e>
 <k>@using_block_stmt</k>
-<v>1145</v>
+<v>517</v>
 </e>
 <e>
 <k>@var_decl_stmt</k>
-<v>147598</v>
+<v>67553</v>
 </e>
 <e>
 <k>@if_stmt</k>
-<v>118155</v>
+<v>50740</v>
 </e>
 <e>
 <k>@switch_stmt</k>
-<v>3077</v>
+<v>1447</v>
 </e>
 <e>
 <k>@while_stmt</k>
-<v>4464</v>
+<v>1984</v>
 </e>
 <e>
 <k>@do_stmt</k>
-<v>985</v>
+<v>386</v>
 </e>
 <e>
 <k>@for_stmt</k>
-<v>6820</v>
+<v>3124</v>
 </e>
 <e>
 <k>@foreach_stmt</k>
-<v>5352</v>
+<v>1910</v>
 </e>
 <e>
 <k>@break_stmt</k>
-<v>11046</v>
+<v>5413</v>
 </e>
 <e>
 <k>@continue_stmt</k>
-<v>2226</v>
+<v>1168</v>
 </e>
 <e>
 <k>@goto_stmt</k>
-<v>2744</v>
+<v>1045</v>
 </e>
 <e>
 <k>@goto_case_stmt</k>
-<v>330</v>
+<v>154</v>
 </e>
 <e>
 <k>@goto_default_stmt</k>
-<v>145</v>
+<v>61</v>
 </e>
 <e>
 <k>@throw_stmt</k>
-<v>75420</v>
+<v>50988</v>
 </e>
 <e>
 <k>@yield_stmt</k>
-<v>680</v>
+<v>194</v>
 </e>
 <e>
 <k>@try_stmt</k>
-<v>4310</v>
+<v>2011</v>
 </e>
 <e>
 <k>@checked_stmt</k>
-<v>254</v>
+<v>146</v>
 </e>
 <e>
 <k>@unchecked_stmt</k>
-<v>104</v>
+<v>36</v>
 </e>
 <e>
 <k>@lock_stmt</k>
-<v>1529</v>
+<v>496</v>
 </e>
 <e>
 <k>@const_decl_stmt</k>
-<v>799</v>
+<v>373</v>
 </e>
 <e>
 <k>@empty_stmt</k>
-<v>352</v>
+<v>115</v>
 </e>
 <e>
 <k>@unsafe_stmt</k>
-<v>183</v>
+<v>53</v>
 </e>
 <e>
 <k>@fixed_stmt</k>
-<v>1152</v>
+<v>496</v>
 </e>
 <e>
 <k>@label_stmt</k>
-<v>1021</v>
+<v>423</v>
 </e>
 <e>
 <k>@catch</k>
-<v>3432</v>
+<v>1719</v>
 </e>
 <e>
 <k>@case_stmt</k>
-<v>22805</v>
+<v>10966</v>
 </e>
 <e>
 <k>@local_function_stmt</k>
-<v>1792</v>
+<v>488</v>
 </e>
 <e>
 <k>@using_decl_stmt</k>
-<v>551</v>
+<v>189</v>
 </e>
 <e>
 <k>@bool_literal_expr</k>
-<v>69557</v>
+<v>40242</v>
 </e>
 <e>
 <k>@int_literal_expr</k>
-<v>753725</v>
+<v>408062</v>
 </e>
 <e>
 <k>@long_literal_expr</k>
-<v>333</v>
+<v>153</v>
 </e>
 <e>
 <k>@double_literal_expr</k>
-<v>868</v>
+<v>337</v>
 </e>
 <e>
 <k>@string_literal_expr</k>
-<v>411647</v>
+<v>207177</v>
 </e>
 <e>
 <k>@null_literal_expr</k>
-<v>108228</v>
+<v>64946</v>
 </e>
 <e>
 <k>@local_variable_access_expr</k>
-<v>522589</v>
+<v>233847</v>
 </e>
 <e>
 <k>@parameter_access_expr</k>
-<v>355035</v>
+<v>146824</v>
 </e>
 <e>
 <k>@field_access_expr</k>
-<v>459632</v>
+<v>226547</v>
 </e>
 <e>
 <k>@property_access_expr</k>
-<v>359107</v>
+<v>168128</v>
 </e>
 <e>
 <k>@type_access_expr</k>
-<v>346630</v>
+<v>170095</v>
 </e>
 <e>
 <k>@typeof_expr</k>
-<v>30028</v>
+<v>23893</v>
 </e>
 <e>
 <k>@method_invocation_expr</k>
-<v>547069</v>
+<v>259436</v>
 </e>
 <e>
 <k>@cast_expr</k>
-<v>265245</v>
+<v>107752</v>
 </e>
 <e>
 <k>@object_creation_expr</k>
-<v>62749</v>
+<v>28063</v>
 </e>
 <e>
 <k>@array_creation_expr</k>
-<v>180004</v>
+<v>90105</v>
 </e>
 <e>
 <k>@array_init_expr</k>
-<v>179553</v>
+<v>89964</v>
 </e>
 <e>
 <k>@local_var_decl_expr</k>
-<v>163320</v>
+<v>72969</v>
 </e>
 <e>
 <k>@char_literal_expr</k>
-<v>16245</v>
+<v>8057</v>
 </e>
 <e>
 <k>@decimal_literal_expr</k>
-<v>93</v>
+<v>49</v>
 </e>
 <e>
 <k>@uint_literal_expr</k>
-<v>2416</v>
+<v>811</v>
 </e>
 <e>
 <k>@ulong_literal_expr</k>
-<v>391</v>
+<v>189</v>
 </e>
 <e>
 <k>@float_literal_expr</k>
-<v>456</v>
+<v>123</v>
 </e>
 <e>
 <k>@this_access_expr</k>
-<v>591822</v>
+<v>293267</v>
 </e>
 <e>
 <k>@base_access_expr</k>
-<v>2851</v>
+<v>1617</v>
 </e>
 <e>
 <k>@method_access_expr</k>
-<v>9222</v>
+<v>3188</v>
 </e>
 <e>
 <k>@event_access_expr</k>
-<v>435</v>
+<v>162</v>
 </e>
 <e>
 <k>@indexer_access_expr</k>
-<v>30758</v>
+<v>14740</v>
 </e>
 <e>
 <k>@array_access_expr</k>
-<v>19431</v>
+<v>10091</v>
 </e>
 <e>
 <k>@delegate_invocation_expr</k>
-<v>2009</v>
+<v>783</v>
 </e>
 <e>
 <k>@operator_invocation_expr</k>
-<v>29946</v>
+<v>12666</v>
 </e>
 <e>
 <k>@explicit_delegate_creation_expr</k>
-<v>682</v>
+<v>482</v>
 </e>
 <e>
 <k>@implicit_delegate_creation_expr</k>
-<v>5109</v>
+<v>2546</v>
 </e>
 <e>
 <k>@default_expr</k>
-<v>6168</v>
+<v>3354</v>
 </e>
 <e>
 <k>@plus_expr</k>
-<v>46</v>
+<v>12</v>
 </e>
 <e>
 <k>@minus_expr</k>
-<v>7096</v>
+<v>2658</v>
 </e>
 <e>
 <k>@bit_not_expr</k>
-<v>740</v>
+<v>264</v>
 </e>
 <e>
 <k>@log_not_expr</k>
-<v>26384</v>
+<v>12491</v>
 </e>
 <e>
 <k>@post_incr_expr</k>
-<v>12359</v>
+<v>5382</v>
 </e>
 <e>
 <k>@post_decr_expr</k>
-<v>1703</v>
+<v>698</v>
 </e>
 <e>
 <k>@pre_incr_expr</k>
-<v>1266</v>
+<v>671</v>
 </e>
 <e>
 <k>@pre_decr_expr</k>
-<v>407</v>
+<v>125</v>
 </e>
 <e>
 <k>@mul_expr</k>
-<v>4645</v>
+<v>1387</v>
 </e>
 <e>
 <k>@div_expr</k>
-<v>1798</v>
+<v>612</v>
 </e>
 <e>
 <k>@rem_expr</k>
-<v>707</v>
+<v>276</v>
 </e>
 <e>
 <k>@add_expr</k>
-<v>27859</v>
+<v>12723</v>
 </e>
 <e>
 <k>@sub_expr</k>
-<v>12621</v>
+<v>4948</v>
 </e>
 <e>
 <k>@lshift_expr</k>
-<v>4137</v>
+<v>914</v>
 </e>
 <e>
 <k>@rshift_expr</k>
-<v>1769</v>
+<v>707</v>
 </e>
 <e>
 <k>@lt_expr</k>
-<v>15983</v>
+<v>6804</v>
 </e>
 <e>
 <k>@gt_expr</k>
-<v>9416</v>
+<v>3980</v>
 </e>
 <e>
 <k>@le_expr</k>
-<v>3844</v>
+<v>1422</v>
 </e>
 <e>
 <k>@ge_expr</k>
-<v>6037</v>
+<v>2380</v>
 </e>
 <e>
 <k>@eq_expr</k>
-<v>53720</v>
+<v>23261</v>
 </e>
 <e>
 <k>@ne_expr</k>
-<v>37361</v>
+<v>16042</v>
 </e>
 <e>
 <k>@bit_and_expr</k>
-<v>6322</v>
+<v>2303</v>
 </e>
 <e>
 <k>@bit_xor_expr</k>
-<v>530</v>
+<v>217</v>
 </e>
 <e>
 <k>@bit_or_expr</k>
-<v>15286</v>
+<v>6954</v>
 </e>
 <e>
 <k>@log_and_expr</k>
-<v>20460</v>
+<v>9148</v>
 </e>
 <e>
 <k>@log_or_expr</k>
-<v>14050</v>
+<v>6420</v>
 </e>
 <e>
 <k>@is_expr</k>
-<v>6511</v>
+<v>3108</v>
 </e>
 <e>
 <k>@as_expr</k>
-<v>2739</v>
+<v>1363</v>
 </e>
 <e>
 <k>@null_coalescing_expr</k>
-<v>3629</v>
+<v>1422</v>
 </e>
 <e>
 <k>@conditional_expr</k>
-<v>9007</v>
+<v>3413</v>
 </e>
 <e>
 <k>@simple_assign_expr</k>
-<v>167204</v>
+<v>79093</v>
 </e>
 <e>
 <k>@assign_add_expr</k>
@@ -681,67 +737,67 @@
 </e>
 <e>
 <k>@assign_sub_expr</k>
-<v>1025</v>
+<v>434</v>
 </e>
 <e>
 <k>@assign_mul_expr</k>
-<v>183</v>
+<v>81</v>
 </e>
 <e>
 <k>@assign_div_expr</k>
-<v>99</v>
+<v>44</v>
 </e>
 <e>
 <k>@assign_rem_expr</k>
-<v>14</v>
+<v>3</v>
 </e>
 <e>
 <k>@assign_and_expr</k>
-<v>341</v>
+<v>103</v>
 </e>
 <e>
 <k>@assign_xor_expr</k>
-<v>114</v>
+<v>49</v>
 </e>
 <e>
 <k>@assign_or_expr</k>
-<v>1418</v>
+<v>562</v>
 </e>
 <e>
 <k>@assign_lshift_expr</k>
-<v>118</v>
+<v>31</v>
 </e>
 <e>
 <k>@assign_rshift_expr</k>
-<v>217</v>
+<v>64</v>
 </e>
 <e>
 <k>@object_init_expr</k>
-<v>7685</v>
+<v>3456</v>
 </e>
 <e>
 <k>@collection_init_expr</k>
-<v>594</v>
+<v>265</v>
 </e>
 <e>
 <k>@checked_expr</k>
-<v>328</v>
+<v>140</v>
 </e>
 <e>
 <k>@unchecked_expr</k>
-<v>1426</v>
+<v>609</v>
 </e>
 <e>
 <k>@constructor_init_expr</k>
-<v>5818</v>
+<v>3163</v>
 </e>
 <e>
 <k>@add_event_expr</k>
-<v>173</v>
+<v>63</v>
 </e>
 <e>
 <k>@remove_event_expr</k>
-<v>122</v>
+<v>53</v>
 </e>
 <e>
 <k>@par_expr</k>
@@ -749,11 +805,11 @@
 </e>
 <e>
 <k>@lambda_expr</k>
-<v>48769</v>
+<v>23125</v>
 </e>
 <e>
 <k>@anonymous_method_expr</k>
-<v>86</v>
+<v>41</v>
 </e>
 <e>
 <k>@namespace_expr</k>
@@ -761,35 +817,35 @@
 </e>
 <e>
 <k>@dynamic_element_access_expr</k>
-<v>331</v>
+<v>117</v>
 </e>
 <e>
 <k>@dynamic_member_access_expr</k>
-<v>6843</v>
+<v>2975</v>
 </e>
 <e>
 <k>@pointer_indirection_expr</k>
-<v>4157</v>
+<v>1878</v>
 </e>
 <e>
 <k>@address_of_expr</k>
-<v>1294</v>
+<v>475</v>
 </e>
 <e>
 <k>@sizeof_expr</k>
-<v>1065</v>
+<v>255</v>
 </e>
 <e>
 <k>@await_expr</k>
-<v>54750</v>
+<v>25782</v>
 </e>
 <e>
 <k>@nameof_expr</k>
-<v>15644</v>
+<v>5774</v>
 </e>
 <e>
 <k>@interpolated_string_expr</k>
-<v>3042</v>
+<v>894</v>
 </e>
 <e>
 <k>@unknown_expr</k>
@@ -797,71 +853,71 @@
 </e>
 <e>
 <k>@throw_expr</k>
-<v>1532</v>
+<v>643</v>
 </e>
 <e>
 <k>@tuple_expr</k>
-<v>1450</v>
+<v>440</v>
 </e>
 <e>
 <k>@local_function_invocation_expr</k>
-<v>7490</v>
+<v>1187</v>
 </e>
 <e>
 <k>@ref_expr</k>
-<v>461</v>
+<v>124</v>
 </e>
 <e>
 <k>@discard_expr</k>
-<v>903</v>
+<v>317</v>
 </e>
 <e>
 <k>@range_expr</k>
-<v>33</v>
+<v>15</v>
 </e>
 <e>
 <k>@index_expr</k>
-<v>47</v>
+<v>21</v>
 </e>
 <e>
 <k>@switch_expr</k>
-<v>510</v>
+<v>199</v>
 </e>
 <e>
 <k>@recursive_pattern_expr</k>
-<v>1011</v>
+<v>199</v>
 </e>
 <e>
 <k>@property_pattern_expr</k>
-<v>836</v>
+<v>154</v>
 </e>
 <e>
 <k>@positional_pattern_expr</k>
-<v>172</v>
+<v>45</v>
 </e>
 <e>
 <k>@switch_case_expr</k>
-<v>4350</v>
+<v>2068</v>
 </e>
 <e>
 <k>@assign_coalesce_expr</k>
-<v>546</v>
+<v>183</v>
 </e>
 <e>
 <k>@suppress_nullable_warning_expr</k>
-<v>13902</v>
+<v>5940</v>
 </e>
 <e>
 <k>@namespace_access_expr</k>
-<v>20</v>
+<v>11</v>
 </e>
 <e>
 <k>@lt_pattern_expr</k>
-<v>2</v>
+<v>1</v>
 </e>
 <e>
 <k>@gt_pattern_expr</k>
-<v>5</v>
+<v>2</v>
 </e>
 <e>
 <k>@le_pattern_expr</k>
@@ -873,23 +929,27 @@
 </e>
 <e>
 <k>@not_pattern_expr</k>
-<v>71</v>
+<v>19</v>
 </e>
 <e>
 <k>@and_pattern_expr</k>
-<v>3</v>
+<v>2</v>
 </e>
 <e>
 <k>@or_pattern_expr</k>
-<v>34</v>
+<v>21</v>
 </e>
 <e>
 <k>@function_pointer_invocation_expr</k>
 <v>4</v>
 </e>
 <e>
+<k>@define_symbol_expr</k>
+<v>3314</v>
+</e>
+<e>
 <k>@xmldtd</k>
-<v>6</v>
+<v>5</v>
 </e>
 <e>
 <k>@xmlelement</k>
@@ -913,19 +973,19 @@
 </e>
 <e>
 <k>@singlelinecomment</k>
-<v>189286</v>
+<v>86064</v>
 </e>
 <e>
 <k>@multilinecomment</k>
-<v>22654</v>
+<v>7533</v>
 </e>
 <e>
 <k>@xmldoccomment</k>
-<v>208748</v>
+<v>638</v>
 </e>
 <e>
 <k>@commentblock</k>
-<v>147866</v>
+<v>42325</v>
 </e>
 <e>
 <k>@asp_close_tag</k>
@@ -965,7 +1025,7 @@
 </e>
 <e>
 <k>@cil_nop</k>
-<v>840543</v>
+<v>712327</v>
 </e>
 <e>
 <k>@cil_break</k>
@@ -973,147 +1033,147 @@
 </e>
 <e>
 <k>@cil_ldarg_0</k>
-<v>3969685</v>
+<v>2043128</v>
 </e>
 <e>
 <k>@cil_ldarg_1</k>
-<v>1214962</v>
+<v>625320</v>
 </e>
 <e>
 <k>@cil_ldarg_2</k>
-<v>443257</v>
+<v>228137</v>
 </e>
 <e>
 <k>@cil_ldarg_3</k>
-<v>208872</v>
+<v>107503</v>
 </e>
 <e>
 <k>@cil_ldloc_0</k>
-<v>927959</v>
+<v>477604</v>
 </e>
 <e>
 <k>@cil_ldloc_1</k>
-<v>493235</v>
+<v>253859</v>
 </e>
 <e>
 <k>@cil_ldloc_2</k>
-<v>288317</v>
+<v>148392</v>
 </e>
 <e>
 <k>@cil_ldloc_3</k>
-<v>191791</v>
+<v>98711</v>
 </e>
 <e>
 <k>@cil_stloc_0</k>
-<v>524232</v>
+<v>269813</v>
 </e>
 <e>
 <k>@cil_stloc_1</k>
-<v>260145</v>
+<v>133892</v>
 </e>
 <e>
 <k>@cil_stloc_2</k>
-<v>198035</v>
+<v>101925</v>
 </e>
 <e>
 <k>@cil_stloc_3</k>
-<v>138107</v>
+<v>71081</v>
 </e>
 <e>
 <k>@cil_ldarg_s</k>
-<v>264149</v>
+<v>135953</v>
 </e>
 <e>
 <k>@cil_ldarga_s</k>
-<v>74666</v>
+<v>38429</v>
 </e>
 <e>
 <k>@cil_starg_s</k>
-<v>37124</v>
+<v>19107</v>
 </e>
 <e>
 <k>@cil_ldloc_s</k>
-<v>685421</v>
+<v>352774</v>
 </e>
 <e>
 <k>@cil_ldloca_s</k>
-<v>628376</v>
+<v>323414</v>
 </e>
 <e>
 <k>@cil_stloc_s</k>
-<v>480182</v>
+<v>247141</v>
 </e>
 <e>
 <k>@cil_ldnull</k>
-<v>602888</v>
+<v>310296</v>
 </e>
 <e>
 <k>@cil_ldc_i4_m1</k>
-<v>126027</v>
+<v>64864</v>
 </e>
 <e>
 <k>@cil_ldc_i4_0</k>
-<v>624723</v>
+<v>321534</v>
 </e>
 <e>
 <k>@cil_ldc_i4_1</k>
-<v>493975</v>
+<v>254240</v>
 </e>
 <e>
 <k>@cil_ldc_i4_2</k>
-<v>120865</v>
+<v>62207</v>
 </e>
 <e>
 <k>@cil_ldc_i4_3</k>
-<v>64063</v>
+<v>32972</v>
 </e>
 <e>
 <k>@cil_ldc_i4_4</k>
-<v>58798</v>
+<v>30262</v>
 </e>
 <e>
 <k>@cil_ldc_i4_5</k>
-<v>38629</v>
+<v>19881</v>
 </e>
 <e>
 <k>@cil_ldc_i4_6</k>
-<v>23232</v>
+<v>11957</v>
 </e>
 <e>
 <k>@cil_ldc_i4_7</k>
-<v>20724</v>
+<v>10666</v>
 </e>
 <e>
 <k>@cil_ldc_i4_8</k>
-<v>33436</v>
+<v>17209</v>
 </e>
 <e>
 <k>@cil_ldc_i4_s</k>
-<v>422752</v>
+<v>217583</v>
 </e>
 <e>
 <k>@cil_ldc_i4</k>
-<v>510151</v>
+<v>262565</v>
 </e>
 <e>
 <k>@cil_ldc_i8</k>
-<v>4880</v>
+<v>2511</v>
 </e>
 <e>
 <k>@cil_ldc_r4</k>
-<v>10247</v>
+<v>5274</v>
 </e>
 <e>
 <k>@cil_ldc_r8</k>
-<v>10316</v>
+<v>5309</v>
 </e>
 <e>
 <k>@cil_dup</k>
-<v>841033</v>
+<v>432865</v>
 </e>
 <e>
 <k>@cil_pop</k>
-<v>256113</v>
+<v>131816</v>
 </e>
 <e>
 <k>@cil_jmp</k>
@@ -1121,7 +1181,7 @@
 </e>
 <e>
 <k>@cil_call</k>
-<v>2738046</v>
+<v>1409225</v>
 </e>
 <e>
 <k>@cil_calli</k>
@@ -1129,283 +1189,283 @@
 </e>
 <e>
 <k>@cil_ret</k>
-<v>1784218</v>
+<v>918306</v>
 </e>
 <e>
 <k>@cil_br_s</k>
-<v>345387</v>
+<v>191079</v>
 </e>
 <e>
 <k>@cil_brfalse_s</k>
-<v>465385</v>
+<v>239525</v>
 </e>
 <e>
 <k>@cil_brtrue_s</k>
-<v>430170</v>
+<v>221401</v>
 </e>
 <e>
 <k>@cil_beq_s</k>
-<v>82158</v>
+<v>42285</v>
 </e>
 <e>
 <k>@cil_bge_s</k>
-<v>34883</v>
+<v>17953</v>
 </e>
 <e>
 <k>@cil_bgt_s</k>
-<v>16477</v>
+<v>8480</v>
 </e>
 <e>
 <k>@cil_ble_s</k>
-<v>29165</v>
+<v>15010</v>
 </e>
 <e>
 <k>@cil_blt_s</k>
-<v>60858</v>
+<v>31322</v>
 </e>
 <e>
 <k>@cil_bne_un_s</k>
-<v>102531</v>
+<v>52771</v>
 </e>
 <e>
 <k>@cil_bge_un_s</k>
-<v>2182</v>
+<v>1123</v>
 </e>
 <e>
 <k>@cil_bgt_un_s</k>
-<v>8723</v>
+<v>4489</v>
 </e>
 <e>
 <k>@cil_ble_un_s</k>
-<v>6112</v>
+<v>3146</v>
 </e>
 <e>
 <k>@cil_blt_un_s</k>
-<v>1466</v>
+<v>754</v>
 </e>
 <e>
 <k>@cil_br</k>
-<v>96039</v>
+<v>49429</v>
 </e>
 <e>
 <k>@cil_brfalse</k>
-<v>32355</v>
+<v>16652</v>
 </e>
 <e>
 <k>@cil_brtrue</k>
-<v>27299</v>
+<v>14050</v>
 </e>
 <e>
 <k>@cil_beq</k>
-<v>21484</v>
+<v>11057</v>
 </e>
 <e>
 <k>@cil_bge</k>
-<v>1388</v>
+<v>714</v>
 </e>
 <e>
 <k>@cil_bgt</k>
-<v>1461</v>
+<v>752</v>
 </e>
 <e>
 <k>@cil_ble</k>
-<v>4636</v>
+<v>2386</v>
 </e>
 <e>
 <k>@cil_blt</k>
-<v>7924</v>
+<v>4078</v>
 </e>
 <e>
 <k>@cil_bne_un</k>
-<v>7228</v>
+<v>3720</v>
 </e>
 <e>
 <k>@cil_bge_un</k>
-<v>143</v>
+<v>140</v>
 </e>
 <e>
 <k>@cil_bgt_un</k>
-<v>691</v>
+<v>355</v>
 </e>
 <e>
 <k>@cil_ble_un</k>
-<v>1100</v>
+<v>566</v>
 </e>
 <e>
 <k>@cil_blt_un</k>
-<v>180</v>
+<v>92</v>
 </e>
 <e>
 <k>@cil_switch</k>
-<v>23851</v>
+<v>12275</v>
 </e>
 <e>
 <k>@cil_ldind_i1</k>
-<v>88</v>
+<v>75</v>
 </e>
 <e>
 <k>@cil_ldind_u1</k>
-<v>5503</v>
+<v>3165</v>
 </e>
 <e>
 <k>@cil_ldind_i2</k>
-<v>511</v>
-</e>
-<e>
-<k>@cil_ldind_u2</k>
-<v>2505</v>
-</e>
-<e>
-<k>@cil_ldind_i4</k>
-<v>9765</v>
-</e>
-<e>
-<k>@cil_ldind_u4</k>
-<v>1480</v>
-</e>
-<e>
-<k>@cil_ldind_i8</k>
-<v>1967</v>
-</e>
-<e>
-<k>@cil_ldind_i</k>
-<v>250</v>
-</e>
-<e>
-<k>@cil_ldind_r4</k>
-<v>701</v>
-</e>
-<e>
-<k>@cil_ldind_r8</k>
 <v>263</v>
 </e>
 <e>
+<k>@cil_ldind_u2</k>
+<v>2123</v>
+</e>
+<e>
+<k>@cil_ldind_i4</k>
+<v>5026</v>
+</e>
+<e>
+<k>@cil_ldind_u4</k>
+<v>762</v>
+</e>
+<e>
+<k>@cil_ldind_i8</k>
+<v>1012</v>
+</e>
+<e>
+<k>@cil_ldind_i</k>
+<v>212</v>
+</e>
+<e>
+<k>@cil_ldind_r4</k>
+<v>360</v>
+</e>
+<e>
+<k>@cil_ldind_r8</k>
+<v>135</v>
+</e>
+<e>
 <k>@cil_ldind_ref</k>
-<v>6648</v>
+<v>3421</v>
 </e>
 <e>
 <k>@cil_stind_ref</k>
-<v>16915</v>
+<v>8706</v>
 </e>
 <e>
 <k>@cil_stind_i1</k>
-<v>8513</v>
+<v>4381</v>
 </e>
 <e>
 <k>@cil_stind_i2</k>
-<v>1410</v>
+<v>1195</v>
 </e>
 <e>
 <k>@cil_stind_i4</k>
-<v>10350</v>
+<v>5705</v>
 </e>
 <e>
 <k>@cil_stind_i8</k>
-<v>2342</v>
+<v>1205</v>
 </e>
 <e>
 <k>@cil_stind_r4</k>
-<v>185</v>
+<v>105</v>
 </e>
 <e>
 <k>@cil_stind_r8</k>
-<v>224</v>
+<v>115</v>
 </e>
 <e>
 <k>@cil_add</k>
-<v>223713</v>
+<v>115141</v>
 </e>
 <e>
 <k>@cil_sub</k>
-<v>85182</v>
+<v>43842</v>
 </e>
 <e>
 <k>@cil_mul</k>
-<v>29915</v>
+<v>15396</v>
 </e>
 <e>
 <k>@cil_div</k>
-<v>9112</v>
+<v>4690</v>
 </e>
 <e>
 <k>@cil_div_un</k>
-<v>253</v>
+<v>194</v>
 </e>
 <e>
 <k>@cil_rem</k>
-<v>3404</v>
+<v>1752</v>
 </e>
 <e>
 <k>@cil_rem_un</k>
-<v>228</v>
+<v>117</v>
 </e>
 <e>
 <k>@cil_and</k>
-<v>59265</v>
+<v>30503</v>
 </e>
 <e>
 <k>@cil_or</k>
-<v>22122</v>
+<v>11386</v>
 </e>
 <e>
 <k>@cil_xor</k>
-<v>22687</v>
+<v>11676</v>
 </e>
 <e>
 <k>@cil_shl</k>
-<v>18946</v>
+<v>9751</v>
 </e>
 <e>
 <k>@cil_shr</k>
-<v>9166</v>
+<v>4717</v>
 </e>
 <e>
 <k>@cil_shr_un</k>
-<v>26077</v>
+<v>13421</v>
 </e>
 <e>
 <k>@cil_neg</k>
-<v>2333</v>
+<v>1200</v>
 </e>
 <e>
 <k>@cil_not</k>
-<v>1456</v>
+<v>749</v>
 </e>
 <e>
 <k>@cil_conv_i1</k>
-<v>1383</v>
+<v>711</v>
 </e>
 <e>
 <k>@cil_conv_i2</k>
-<v>1446</v>
+<v>744</v>
 </e>
 <e>
 <k>@cil_conv_i4</k>
-<v>59709</v>
+<v>30731</v>
 </e>
 <e>
 <k>@cil_conv_i8</k>
-<v>50230</v>
+<v>25852</v>
 </e>
 <e>
 <k>@cil_conv_r4</k>
-<v>2464</v>
+<v>1268</v>
 </e>
 <e>
 <k>@cil_conv_r8</k>
-<v>5274</v>
+<v>2714</v>
 </e>
 <e>
 <k>@cil_conv_u4</k>
-<v>7822</v>
+<v>4025</v>
 </e>
 <e>
 <k>@cil_conv_u8</k>
-<v>19521</v>
+<v>10047</v>
 </e>
 <e>
 <k>@cil_callvirt</k>
-<v>2048017</v>
+<v>1054079</v>
 </e>
 <e>
 <k>@cil_cpobj</k>
@@ -1413,27 +1473,27 @@
 </e>
 <e>
 <k>@cil_ldobj</k>
-<v>12639</v>
+<v>6505</v>
 </e>
 <e>
 <k>@cil_ldstr</k>
-<v>925665</v>
+<v>476424</v>
 </e>
 <e>
 <k>@cil_newobj</k>
-<v>656304</v>
+<v>337788</v>
 </e>
 <e>
 <k>@cil_castclass</k>
-<v>96955</v>
+<v>49901</v>
 </e>
 <e>
 <k>@cil_isinst</k>
-<v>56382</v>
+<v>29019</v>
 </e>
 <e>
 <k>@cil_conv_r_un</k>
-<v>263</v>
+<v>135</v>
 </e>
 <e>
 <k>@cil_unbox</k>
@@ -1441,59 +1501,59 @@
 </e>
 <e>
 <k>@cil_throw</k>
-<v>380781</v>
+<v>271796</v>
 </e>
 <e>
 <k>@cil_ldfld</k>
-<v>1674741</v>
+<v>861960</v>
 </e>
 <e>
 <k>@cil_ldflda</k>
-<v>300353</v>
+<v>154586</v>
 </e>
 <e>
 <k>@cil_stfld</k>
-<v>1071843</v>
+<v>551659</v>
 </e>
 <e>
 <k>@cil_ldsfld</k>
-<v>406864</v>
+<v>209405</v>
 </e>
 <e>
 <k>@cil_ldsflda</k>
-<v>2527</v>
+<v>1301</v>
 </e>
 <e>
 <k>@cil_stsfld</k>
-<v>130767</v>
+<v>67303</v>
 </e>
 <e>
 <k>@cil_stobj</k>
-<v>7013</v>
+<v>3609</v>
 </e>
 <e>
 <k>@cil_conv_ovf_i1_un</k>
-<v>19</v>
+<v>10</v>
 </e>
 <e>
 <k>@cil_conv_ovf_i2_un</k>
-<v>14</v>
+<v>7</v>
 </e>
 <e>
 <k>@cil_conv_ovf_i4_un</k>
-<v>170</v>
+<v>87</v>
 </e>
 <e>
 <k>@cil_conv_ovf_i8_un</k>
-<v>29</v>
+<v>15</v>
 </e>
 <e>
 <k>@cil_conv_ovf_u1_un</k>
-<v>19</v>
+<v>10</v>
 </e>
 <e>
 <k>@cil_conv_ovf_u2_un</k>
-<v>9</v>
+<v>5</v>
 </e>
 <e>
 <k>@cil_conv_ovf_u4_un</k>
@@ -1505,7 +1565,7 @@
 </e>
 <e>
 <k>@cil_conv_ovf_i_un</k>
-<v>131</v>
+<v>67</v>
 </e>
 <e>
 <k>@cil_conv_ovf_u_un</k>
@@ -1513,139 +1573,139 @@
 </e>
 <e>
 <k>@cil_box</k>
-<v>79747</v>
+<v>41044</v>
 </e>
 <e>
 <k>@cil_newarr</k>
-<v>111980</v>
+<v>57634</v>
 </e>
 <e>
 <k>@cil_ldlen</k>
-<v>55267</v>
+<v>28445</v>
 </e>
 <e>
 <k>@cil_ldelema</k>
-<v>9858</v>
+<v>5073</v>
 </e>
 <e>
 <k>@cil_ldelem_i1</k>
-<v>175</v>
+<v>90</v>
 </e>
 <e>
 <k>@cil_ldelem_u1</k>
-<v>15556</v>
+<v>8006</v>
 </e>
 <e>
 <k>@cil_ldelem_i2</k>
-<v>428</v>
+<v>220</v>
 </e>
 <e>
 <k>@cil_ldelem_u2</k>
-<v>6083</v>
+<v>3131</v>
 </e>
 <e>
 <k>@cil_ldelem_i4</k>
-<v>17563</v>
+<v>9039</v>
 </e>
 <e>
 <k>@cil_ldelem_u4</k>
-<v>19092</v>
+<v>9826</v>
 </e>
 <e>
 <k>@cil_ldelem_i8</k>
-<v>11908</v>
+<v>6129</v>
 </e>
 <e>
 <k>@cil_ldelem_i</k>
-<v>14</v>
+<v>7</v>
 </e>
 <e>
 <k>@cil_ldelem_r4</k>
-<v>282</v>
+<v>145</v>
 </e>
 <e>
 <k>@cil_ldelem_r8</k>
-<v>457</v>
+<v>235</v>
 </e>
 <e>
 <k>@cil_ldelem_ref</k>
-<v>30665</v>
+<v>15783</v>
 </e>
 <e>
 <k>@cil_stelem_i</k>
-<v>14</v>
+<v>11</v>
 </e>
 <e>
 <k>@cil_stelem_i1</k>
-<v>8781</v>
+<v>4519</v>
 </e>
 <e>
 <k>@cil_stelem_i2</k>
-<v>8976</v>
+<v>4620</v>
 </e>
 <e>
 <k>@cil_stelem_i4</k>
-<v>22799</v>
+<v>11734</v>
 </e>
 <e>
 <k>@cil_stelem_i8</k>
-<v>9414</v>
+<v>4845</v>
 </e>
 <e>
 <k>@cil_stelem_r4</k>
-<v>199</v>
+<v>102</v>
 </e>
 <e>
 <k>@cil_stelem_r8</k>
-<v>477</v>
+<v>245</v>
 </e>
 <e>
 <k>@cil_stelem_ref</k>
-<v>362526</v>
+<v>186586</v>
 </e>
 <e>
 <k>@cil_ldelem</k>
-<v>2274</v>
+<v>1170</v>
 </e>
 <e>
 <k>@cil_stelem</k>
-<v>53557</v>
+<v>27565</v>
 </e>
 <e>
 <k>@cil_unbox_any</k>
-<v>14373</v>
+<v>7397</v>
 </e>
 <e>
 <k>@cil_conv_ovf_i1</k>
-<v>24</v>
+<v>12</v>
 </e>
 <e>
 <k>@cil_conv_ovf_u1</k>
-<v>112</v>
+<v>57</v>
 </e>
 <e>
 <k>@cil_conv_ovf_i2</k>
-<v>77</v>
+<v>40</v>
 </e>
 <e>
 <k>@cil_conv_ovf_u2</k>
-<v>53</v>
+<v>27</v>
 </e>
 <e>
 <k>@cil_conv_ovf_i4</k>
-<v>287</v>
+<v>147</v>
 </e>
 <e>
 <k>@cil_conv_ovf_u4</k>
-<v>77</v>
+<v>40</v>
 </e>
 <e>
 <k>@cil_conv_ovf_i8</k>
-<v>14</v>
+<v>7</v>
 </e>
 <e>
 <k>@cil_conv_ovf_u8</k>
-<v>29</v>
+<v>23</v>
 </e>
 <e>
 <k>@cil_refanyval</k>
@@ -1661,23 +1721,23 @@
 </e>
 <e>
 <k>@cil_ldtoken</k>
-<v>71233</v>
+<v>36662</v>
 </e>
 <e>
 <k>@cil_conv_u2</k>
-<v>4334</v>
+<v>2231</v>
 </e>
 <e>
 <k>@cil_conv_u1</k>
-<v>11246</v>
+<v>5788</v>
 </e>
 <e>
 <k>@cil_conv_i</k>
-<v>3754</v>
+<v>3181</v>
 </e>
 <e>
 <k>@cil_conv_ovf_i</k>
-<v>267</v>
+<v>137</v>
 </e>
 <e>
 <k>@cil_conv_ovf_u</k>
@@ -1685,47 +1745,47 @@
 </e>
 <e>
 <k>@cil_add_ovf</k>
-<v>1729</v>
+<v>889</v>
 </e>
 <e>
 <k>@cil_add_ovf_un</k>
-<v>150</v>
+<v>77</v>
 </e>
 <e>
 <k>@cil_mul_ovf</k>
-<v>443</v>
+<v>228</v>
 </e>
 <e>
 <k>@cil_mul_ovf_un</k>
-<v>253</v>
+<v>195</v>
 </e>
 <e>
 <k>@cil_sub_ovf</k>
-<v>1110</v>
+<v>571</v>
 </e>
 <e>
 <k>@cil_sub_ovf_un</k>
-<v>29</v>
+<v>15</v>
 </e>
 <e>
 <k>@cil_endfinally</k>
-<v>56835</v>
+<v>29252</v>
 </e>
 <e>
 <k>@cil_leave</k>
-<v>66786</v>
+<v>34373</v>
 </e>
 <e>
 <k>@cil_leave_s</k>
-<v>149173</v>
+<v>76776</v>
 </e>
 <e>
 <k>@cil_stind_i</k>
-<v>128</v>
+<v>108</v>
 </e>
 <e>
 <k>@cil_conv_u</k>
-<v>5954</v>
+<v>5046</v>
 </e>
 <e>
 <k>@cil_arglist</k>
@@ -1733,31 +1793,31 @@
 </e>
 <e>
 <k>@cil_ceq</k>
-<v>99414</v>
+<v>84249</v>
 </e>
 <e>
 <k>@cil_cgt</k>
-<v>11858</v>
+<v>10049</v>
 </e>
 <e>
 <k>@cil_cgt_un</k>
-<v>37633</v>
+<v>31892</v>
 </e>
 <e>
 <k>@cil_clt</k>
-<v>20013</v>
+<v>16960</v>
 </e>
 <e>
 <k>@cil_clt_un</k>
-<v>1347</v>
+<v>1141</v>
 </e>
 <e>
 <k>@cil_ldftn</k>
-<v>79839</v>
+<v>41092</v>
 </e>
 <e>
 <k>@cil_ldvirtftn</k>
-<v>1110</v>
+<v>571</v>
 </e>
 <e>
 <k>@cil_ldarg</k>
@@ -1785,11 +1845,11 @@
 </e>
 <e>
 <k>@cil_localloc</k>
-<v>1002</v>
+<v>849</v>
 </e>
 <e>
 <k>@cil_endfilter</k>
-<v>808</v>
+<v>416</v>
 </e>
 <e>
 <k>@cil_unaligned</k>
@@ -1797,7 +1857,7 @@
 </e>
 <e>
 <k>@cil_volatile</k>
-<v>8528</v>
+<v>4389</v>
 </e>
 <e>
 <k>@cil_tail</k>
@@ -1805,27 +1865,27 @@
 </e>
 <e>
 <k>@cil_initobj</k>
-<v>101660</v>
+<v>52322</v>
 </e>
 <e>
 <k>@cil_constrained</k>
-<v>25283</v>
+<v>13012</v>
 </e>
 <e>
 <k>@cil_cpblk</k>
-<v>19</v>
+<v>10</v>
 </e>
 <e>
 <k>@cil_initblk</k>
-<v>4</v>
+<v>2</v>
 </e>
 <e>
 <k>@cil_rethrow</k>
-<v>3765</v>
+<v>1937</v>
 </e>
 <e>
 <k>@cil_sizeof</k>
-<v>1729</v>
+<v>889</v>
 </e>
 <e>
 <k>@cil_refanytype</k>
@@ -1833,23 +1893,23 @@
 </e>
 <e>
 <k>@cil_readonly</k>
-<v>34</v>
+<v>17</v>
 </e>
 <e>
 <k>@cil_valueorreftype</k>
-<v>595251</v>
+<v>306365</v>
 </e>
 <e>
 <k>@cil_typeparameter</k>
-<v>184753</v>
+<v>95089</v>
 </e>
 <e>
 <k>@cil_array_type</k>
-<v>14168</v>
+<v>7292</v>
 </e>
 <e>
 <k>@cil_pointer_type</k>
-<v>599</v>
+<v>308</v>
 </e>
 <e>
 <k>@cil_function_pointer_type</k>
@@ -1857,64 +1917,64 @@
 </e>
 <e>
 <k>@cil_method</k>
-<v>2311748</v>
+<v>1189816</v>
 </e>
 <e>
 <k>@cil_method_implementation</k>
-<v>1725702</v>
+<v>888189</v>
 </e>
 <e>
 <k>@cil_field</k>
-<v>1008310</v>
+<v>518960</v>
 </e>
 <e>
 <k>@cil_parameter</k>
-<v>4546452</v>
+<v>2339980</v>
 </e>
 <e>
 <k>@cil_property</k>
-<v>379895</v>
+<v>195525</v>
 </e>
 <e>
 <k>@cil_event</k>
-<v>20841</v>
+<v>10726</v>
 </e>
 <e>
 <k>@cil_local_variable</k>
-<v>1150606</v>
+<v>592197</v>
 </e>
 <e>
 <k>@cil_catch_handler</k>
-<v>43806</v>
+<v>22546</v>
 </e>
 <e>
 <k>@cil_filter_handler</k>
-<v>808</v>
+<v>416</v>
 </e>
 <e>
 <k>@cil_finally_handler</k>
-<v>55364</v>
+<v>28495</v>
 </e>
 <e>
 <k>@cil_fault_handler</k>
-<v>1470</v>
+<v>757</v>
 </e>
 <e>
 <k>@cil_attribute</k>
-<v>328261</v>
+<v>168950</v>
 </e>
 </typesizes>
   <stats><relation>
 <name>compilations</name>
-<cardinality>1095</cardinality>
+<cardinality>564</cardinality>
 <columnsizes>
 <e>
 <k>id</k>
-<v>1095</v>
+<v>564</v>
 </e>
 <e>
 <k>cwd</k>
-<v>784</v>
+<v>403</v>
 </e>
 </columnsizes>
 <dependencies>
@@ -1928,7 +1988,7 @@
 <b>
 <a>1</a>
 <b>2</b>
-<v>1095</v>
+<v>564</v>
 </b>
 </bs>
 </hist>
@@ -1944,12 +2004,12 @@
 <b>
 <a>1</a>
 <b>2</b>
-<v>472</v>
+<v>243</v>
 </b>
 <b>
 <a>2</a>
 <b>3</b>
-<v>311</v>
+<v>160</v>
 </b>
 </bs>
 </hist>
@@ -1959,19 +2019,19 @@
 </relation>
 <relation>
 <name>compilation_args</name>
-<cardinality>4904</cardinality>
+<cardinality>2524</cardinality>
 <columnsizes>
 <e>
 <k>id</k>
-<v>1095</v>
+<v>564</v>
 </e>
 <e>
 <k>num</k>
-<v>24</v>
+<v>12</v>
 </e>
 <e>
 <k>arg</k>
-<v>1120</v>
+<v>576</v>
 </e>
 </columnsizes>
 <dependencies>
@@ -1985,12 +2045,12 @@
 <b>
 <a>4</a>
 <b>5</b>
-<v>574</v>
+<v>295</v>
 </b>
 <b>
 <a>5</a>
 <b>6</b>
-<v>521</v>
+<v>268</v>
 </b>
 </bs>
 </hist>
@@ -2006,12 +2066,12 @@
 <b>
 <a>4</a>
 <b>5</b>
-<v>574</v>
+<v>295</v>
 </b>
 <b>
 <a>5</a>
 <b>6</b>
-<v>521</v>
+<v>268</v>
 </b>
 </bs>
 </hist>
@@ -2027,12 +2087,12 @@
 <b>
 <a>107</a>
 <b>108</b>
-<v>4</v>
+<v>2</v>
 </b>
 <b>
 <a>225</a>
 <b>226</b>
-<v>19</v>
+<v>10</v>
 </b>
 </bs>
 </hist>
@@ -2048,17 +2108,17 @@
 <b>
 <a>2</a>
 <b>3</b>
-<v>14</v>
+<v>7</v>
 </b>
 <b>
 <a>107</a>
 <b>108</b>
-<v>4</v>
+<v>2</v>
 </b>
 <b>
 <a>119</a>
 <b>120</b>
-<v>4</v>
+<v>2</v>
 </b>
 </bs>
 </hist>
@@ -2074,850 +2134,720 @@
 <b>
 <a>1</a>
 <b>2</b>
-<v>1095</v>
-</b>
-<b>
-<a>107</a>
-<b>226</b>
-<v>24</v>
-</b>
-</bs>
-</hist>
-</val>
-</dep>
-<dep>
-<src>arg</src>
-<trg>num</trg>
-<val>
-<hist>
-<budget>12</budget>
-<bs>
-<b>
-<a>1</a>
-<b>2</b>
-<v>1110</v>
-</b>
-<b>
-<a>2</a>
-<b>3</b>
-<v>9</v>
-</b>
-</bs>
-</hist>
-</val>
-</dep>
-</dependencies>
-</relation>
-<relation>
-<name>compilation_compiling_files</name>
-<cardinality>22585</cardinality>
-<columnsizes>
-<e>
-<k>id</k>
-<v>1095</v>
-</e>
-<e>
-<k>num</k>
-<v>711</v>
-</e>
-<e>
-<k>file</k>
-<v>22580</v>
-</e>
-</columnsizes>
-<dependencies>
-<dep>
-<src>id</src>
-<trg>num</trg>
-<val>
-<hist>
-<budget>12</budget>
-<bs>
-<b>
-<a>1</a>
-<b>3</b>
-<v>48</v>
-</b>
-<b>
-<a>3</a>
-<b>4</b>
-<v>58</v>
-</b>
-<b>
-<a>4</a>
-<b>5</b>
-<v>82</v>
-</b>
-<b>
-<a>5</a>
-<b>6</b>
-<v>87</v>
-</b>
-<b>
-<a>6</a>
-<b>7</b>
-<v>68</v>
-</b>
-<b>
-<a>7</a>
-<b>9</b>
-<v>97</v>
-</b>
-<b>
-<a>9</a>
-<b>12</b>
-<v>87</v>
-</b>
-<b>
-<a>12</a>
-<b>15</b>
-<v>82</v>
-</b>
-<b>
-<a>15</a>
-<b>17</b>
-<v>82</v>
-</b>
-<b>
-<a>17</a>
-<b>21</b>
-<v>82</v>
-</b>
-<b>
-<a>21</a>
-<b>27</b>
-<v>87</v>
-</b>
-<b>
-<a>28</a>
-<b>37</b>
-<v>82</v>
-</b>
-<b>
-<a>37</a>
-<b>65</b>
-<v>82</v>
-</b>
-<b>
-<a>67</a>
-<b>147</b>
-<v>63</v>
-</b>
-</bs>
-</hist>
-</val>
-</dep>
-<dep>
-<src>id</src>
-<trg>file</trg>
-<val>
-<hist>
-<budget>12</budget>
-<bs>
-<b>
-<a>1</a>
-<b>3</b>
-<v>48</v>
-</b>
-<b>
-<a>3</a>
-<b>4</b>
-<v>58</v>
-</b>
-<b>
-<a>4</a>
-<b>5</b>
-<v>82</v>
-</b>
-<b>
-<a>5</a>
-<b>6</b>
-<v>87</v>
-</b>
-<b>
-<a>6</a>
-<b>7</b>
-<v>68</v>
-</b>
-<b>
-<a>7</a>
-<b>9</b>
-<v>97</v>
-</b>
-<b>
-<a>9</a>
-<b>12</b>
-<v>87</v>
-</b>
-<b>
-<a>12</a>
-<b>15</b>
-<v>82</v>
-</b>
-<b>
-<a>15</a>
-<b>17</b>
-<v>82</v>
-</b>
-<b>
-<a>17</a>
-<b>21</b>
-<v>82</v>
-</b>
-<b>
-<a>21</a>
-<b>27</b>
-<v>87</v>
-</b>
-<b>
-<a>28</a>
-<b>37</b>
-<v>82</v>
-</b>
-<b>
-<a>37</a>
-<b>65</b>
-<v>82</v>
-</b>
-<b>
-<a>67</a>
-<b>147</b>
-<v>63</v>
-</b>
-</bs>
-</hist>
-</val>
-</dep>
-<dep>
-<src>num</src>
-<trg>id</trg>
-<val>
-<hist>
-<budget>12</budget>
-<bs>
-<b>
-<a>1</a>
-<b>3</b>
-<v>43</v>
-</b>
-<b>
-<a>3</a>
-<b>4</b>
-<v>29</v>
-</b>
-<b>
-<a>4</a>
-<b>5</b>
-<v>58</v>
-</b>
-<b>
-<a>5</a>
-<b>6</b>
-<v>9</v>
-</b>
-<b>
-<a>6</a>
-<b>7</b>
-<v>97</v>
-</b>
-<b>
-<a>7</a>
-<b>11</b>
-<v>53</v>
-</b>
-<b>
-<a>11</a>
-<b>12</b>
-<v>77</v>
-</b>
-<b>
-<a>12</a>
-<b>18</b>
-<v>63</v>
-</b>
-<b>
-<a>18</a>
-<b>24</b>
-<v>53</v>
-</b>
-<b>
-<a>25</a>
-<b>33</b>
-<v>53</v>
-</b>
-<b>
-<a>38</a>
-<b>52</b>
-<v>53</v>
-</b>
-<b>
-<a>56</a>
-<b>103</b>
-<v>53</v>
-</b>
-<b>
-<a>108</a>
-<b>216</b>
-<v>53</v>
-</b>
-<b>
-<a>217</a>
-<b>226</b>
-<v>9</v>
-</b>
-</bs>
-</hist>
-</val>
-</dep>
-<dep>
-<src>num</src>
-<trg>file</trg>
-<val>
-<hist>
-<budget>12</budget>
-<bs>
-<b>
-<a>1</a>
-<b>3</b>
-<v>43</v>
-</b>
-<b>
-<a>3</a>
-<b>4</b>
-<v>29</v>
-</b>
-<b>
-<a>4</a>
-<b>5</b>
-<v>58</v>
-</b>
-<b>
-<a>5</a>
-<b>6</b>
-<v>9</v>
-</b>
-<b>
-<a>6</a>
-<b>7</b>
-<v>97</v>
-</b>
-<b>
-<a>7</a>
-<b>11</b>
-<v>53</v>
-</b>
-<b>
-<a>11</a>
-<b>12</b>
-<v>77</v>
-</b>
-<b>
-<a>12</a>
-<b>18</b>
-<v>63</v>
-</b>
-<b>
-<a>18</a>
-<b>24</b>
-<v>53</v>
-</b>
-<b>
-<a>25</a>
-<b>33</b>
-<v>53</v>
-</b>
-<b>
-<a>38</a>
-<b>52</b>
-<v>53</v>
-</b>
-<b>
-<a>56</a>
-<b>103</b>
-<v>53</v>
-</b>
-<b>
-<a>108</a>
-<b>216</b>
-<v>53</v>
-</b>
-<b>
-<a>217</a>
-<b>226</b>
-<v>9</v>
-</b>
-</bs>
-</hist>
-</val>
-</dep>
-<dep>
-<src>file</src>
-<trg>id</trg>
-<val>
-<hist>
-<budget>12</budget>
-<bs>
-<b>
-<a>1</a>
-<b>2</b>
-<v>22575</v>
-</b>
-<b>
-<a>2</a>
-<b>3</b>
-<v>4</v>
-</b>
-</bs>
-</hist>
-</val>
-</dep>
-<dep>
-<src>file</src>
-<trg>num</trg>
-<val>
-<hist>
-<budget>12</budget>
-<bs>
-<b>
-<a>1</a>
-<b>2</b>
-<v>22575</v>
-</b>
-<b>
-<a>2</a>
-<b>3</b>
-<v>4</v>
-</b>
-</bs>
-</hist>
-</val>
-</dep>
-</dependencies>
-</relation>
-<relation>
-<name>compilation_referencing_files</name>
-<cardinality>359263</cardinality>
-<columnsizes>
-<e>
-<k>id</k>
-<v>1095</v>
-</e>
-<e>
-<k>num</k>
-<v>2742</v>
-</e>
-<e>
-<k>file</k>
-<v>3414</v>
-</e>
-</columnsizes>
-<dependencies>
-<dep>
-<src>id</src>
-<trg>num</trg>
-<val>
-<hist>
-<budget>12</budget>
-<bs>
-<b>
-<a>5</a>
-<b>284</b>
-<v>92</v>
-</b>
-<b>
-<a>284</a>
-<b>288</b>
-<v>87</v>
-</b>
-<b>
-<a>288</a>
-<b>292</b>
-<v>92</v>
-</b>
-<b>
-<a>293</a>
-<b>309</b>
-<v>87</v>
-</b>
-<b>
-<a>309</a>
-<b>311</b>
-<v>92</v>
-</b>
-<b>
-<a>311</a>
-<b>328</b>
-<v>82</v>
-</b>
-<b>
-<a>328</a>
-<b>344</b>
-<v>73</v>
-</b>
-<b>
-<a>344</a>
-<b>346</b>
-<v>97</v>
-</b>
-<b>
-<a>346</a>
-<b>349</b>
-<v>87</v>
-</b>
-<b>
-<a>349</a>
-<b>353</b>
-<v>87</v>
-</b>
-<b>
-<a>353</a>
-<b>359</b>
-<v>92</v>
-</b>
-<b>
-<a>359</a>
-<b>369</b>
-<v>82</v>
-</b>
-<b>
-<a>369</a>
-<b>564</b>
-<v>38</v>
-</b>
-</bs>
-</hist>
-</val>
-</dep>
-<dep>
-<src>id</src>
-<trg>file</trg>
-<val>
-<hist>
-<budget>12</budget>
-<bs>
-<b>
-<a>5</a>
-<b>284</b>
-<v>92</v>
-</b>
-<b>
-<a>284</a>
-<b>288</b>
-<v>87</v>
-</b>
-<b>
-<a>288</a>
-<b>292</b>
-<v>92</v>
-</b>
-<b>
-<a>293</a>
-<b>309</b>
-<v>87</v>
-</b>
-<b>
-<a>309</a>
-<b>311</b>
-<v>92</v>
-</b>
-<b>
-<a>311</a>
-<b>328</b>
-<v>82</v>
-</b>
-<b>
-<a>328</a>
-<b>344</b>
-<v>73</v>
-</b>
-<b>
-<a>344</a>
-<b>346</b>
-<v>97</v>
-</b>
-<b>
-<a>346</a>
-<b>349</b>
-<v>87</v>
-</b>
-<b>
-<a>349</a>
-<b>353</b>
-<v>87</v>
-</b>
-<b>
-<a>353</a>
-<b>359</b>
-<v>92</v>
-</b>
-<b>
-<a>359</a>
-<b>369</b>
-<v>82</v>
-</b>
-<b>
-<a>369</a>
-<b>564</b>
-<v>38</v>
-</b>
-</bs>
-</hist>
-</val>
-</dep>
-<dep>
-<src>num</src>
-<trg>id</trg>
-<val>
-<hist>
-<budget>12</budget>
-<bs>
-<b>
-<a>1</a>
-<b>4</b>
-<v>219</v>
-</b>
-<b>
-<a>4</a>
-<b>7</b>
-<v>29</v>
-</b>
-<b>
-<a>7</a>
-<b>8</b>
-<v>696</v>
-</b>
-<b>
-<a>8</a>
-<b>118</b>
-<v>219</v>
-</b>
-<b>
-<a>118</a>
-<b>214</b>
-<v>204</v>
-</b>
-<b>
-<a>222</a>
-<b>223</b>
-<v>638</v>
-</b>
-<b>
-<a>224</a>
-<b>225</b>
-<v>711</v>
-</b>
-<b>
-<a>225</a>
-<b>226</b>
-<v>24</v>
-</b>
-</bs>
-</hist>
-</val>
-</dep>
-<dep>
-<src>num</src>
-<trg>file</trg>
-<val>
-<hist>
-<budget>12</budget>
-<bs>
-<b>
-<a>1</a>
-<b>4</b>
-<v>219</v>
-</b>
-<b>
-<a>4</a>
-<b>5</b>
-<v>9</v>
-</b>
-<b>
-<a>5</a>
-<b>6</b>
-<v>579</v>
-</b>
-<b>
-<a>6</a>
-<b>16</b>
-<v>214</v>
-</b>
-<b>
-<a>16</a>
-<b>23</b>
-<v>224</v>
-</b>
-<b>
-<a>23</a>
-<b>29</b>
-<v>214</v>
-</b>
-<b>
-<a>29</a>
-<b>34</b>
-<v>209</v>
-</b>
-<b>
-<a>34</a>
-<b>43</b>
-<v>243</v>
-</b>
-<b>
-<a>43</a>
-<b>55</b>
-<v>209</v>
-</b>
-<b>
-<a>55</a>
-<b>61</b>
-<v>209</v>
-</b>
-<b>
-<a>61</a>
-<b>64</b>
-<v>219</v>
-</b>
-<b>
-<a>64</a>
-<b>72</b>
-<v>189</v>
-</b>
-</bs>
-</hist>
-</val>
-</dep>
-<dep>
-<src>file</src>
-<trg>id</trg>
-<val>
-<hist>
-<budget>12</budget>
-<bs>
-<b>
-<a>1</a>
-<b>2</b>
-<v>526</v>
-</b>
-<b>
-<a>2</a>
-<b>5</b>
-<v>258</v>
-</b>
-<b>
-<a>6</a>
-<b>7</b>
-<v>4</v>
-</b>
-<b>
-<a>7</a>
-<b>8</b>
-<v>316</v>
-</b>
-<b>
-<a>8</a>
-<b>10</b>
-<v>277</v>
-</b>
-<b>
-<a>10</a>
-<b>23</b>
-<v>258</v>
-</b>
-<b>
-<a>23</a>
-<b>122</b>
-<v>258</v>
-</b>
-<b>
-<a>124</a>
-<b>214</b>
-<v>243</v>
-</b>
-<b>
-<a>220</a>
-<b>221</b>
-<v>73</v>
-</b>
-<b>
-<a>222</a>
-<b>223</b>
-<v>482</v>
-</b>
-<b>
-<a>224</a>
-<b>225</b>
-<v>715</v>
-</b>
-</bs>
-</hist>
-</val>
-</dep>
-<dep>
-<src>file</src>
-<trg>num</trg>
-<val>
-<hist>
-<budget>12</budget>
-<bs>
-<b>
-<a>1</a>
-<b>2</b>
 <v>564</v>
 </b>
 <b>
+<a>107</a>
+<b>226</b>
+<v>12</v>
+</b>
+</bs>
+</hist>
+</val>
+</dep>
+<dep>
+<src>arg</src>
+<trg>num</trg>
+<val>
+<hist>
+<budget>12</budget>
+<bs>
+<b>
+<a>1</a>
+<b>2</b>
+<v>571</v>
+</b>
+<b>
 <a>2</a>
+<b>3</b>
+<v>5</v>
+</b>
+</bs>
+</hist>
+</val>
+</dep>
+</dependencies>
+</relation>
+<relation>
+<name>compilation_compiling_files</name>
+<cardinality>12395</cardinality>
+<columnsizes>
+<e>
+<k>id</k>
+<v>548</v>
+</e>
+<e>
+<k>num</k>
+<v>1435</v>
+</e>
+<e>
+<k>file</k>
+<v>10384</v>
+</e>
+</columnsizes>
+<dependencies>
+<dep>
+<src>id</src>
+<trg>num</trg>
+<val>
+<hist>
+<budget>12</budget>
+<bs>
+<b>
+<a>3</a>
+<b>4</b>
+<v>1</v>
+</b>
+<b>
+<a>4</a>
 <b>5</b>
-<v>253</v>
+<v>155</v>
 </b>
 <b>
 <a>5</a>
 <b>6</b>
-<v>165</v>
+<v>151</v>
 </b>
 <b>
 <a>6</a>
 <b>7</b>
-<v>311</v>
+<v>36</v>
 </b>
 <b>
 <a>7</a>
 <b>10</b>
-<v>272</v>
+<v>43</v>
 </b>
 <b>
 <a>10</a>
+<b>17</b>
+<v>41</v>
+</b>
+<b>
+<a>17</a>
+<b>31</b>
+<v>41</v>
+</b>
+<b>
+<a>31</a>
+<b>59</b>
+<v>41</v>
+</b>
+<b>
+<a>59</a>
+<b>1359</b>
+<v>36</v>
+</b>
+</bs>
+</hist>
+</val>
+</dep>
+<dep>
+<src>id</src>
+<trg>file</trg>
+<val>
+<hist>
+<budget>12</budget>
+<bs>
+<b>
+<a>3</a>
+<b>4</b>
+<v>1</v>
+</b>
+<b>
+<a>4</a>
+<b>5</b>
+<v>155</v>
+</b>
+<b>
+<a>5</a>
+<b>6</b>
+<v>151</v>
+</b>
+<b>
+<a>6</a>
+<b>7</b>
+<v>36</v>
+</b>
+<b>
+<a>7</a>
+<b>10</b>
+<v>43</v>
+</b>
+<b>
+<a>10</a>
+<b>17</b>
+<v>41</v>
+</b>
+<b>
+<a>17</a>
+<b>31</b>
+<v>41</v>
+</b>
+<b>
+<a>31</a>
+<b>59</b>
+<v>41</v>
+</b>
+<b>
+<a>59</a>
+<b>1359</b>
+<v>36</v>
+</b>
+</bs>
+</hist>
+</val>
+</dep>
+<dep>
+<src>num</src>
+<trg>id</trg>
+<val>
+<hist>
+<budget>12</budget>
+<bs>
+<b>
+<a>1</a>
+<b>2</b>
+<v>739</v>
+</b>
+<b>
+<a>2</a>
+<b>3</b>
+<v>411</v>
+</b>
+<b>
+<a>3</a>
+<b>17</b>
+<v>118</v>
+</b>
+<b>
+<a>17</a>
+<b>38</b>
+<v>108</v>
+</b>
+<b>
+<a>38</a>
+<b>520</b>
+<v>57</v>
+</b>
+</bs>
+</hist>
+</val>
+</dep>
+<dep>
+<src>num</src>
+<trg>file</trg>
+<val>
+<hist>
+<budget>12</budget>
+<bs>
+<b>
+<a>1</a>
+<b>2</b>
+<v>739</v>
+</b>
+<b>
+<a>2</a>
+<b>3</b>
+<v>411</v>
+</b>
+<b>
+<a>3</a>
+<b>16</b>
+<v>116</v>
+</b>
+<b>
+<a>16</a>
+<b>36</b>
+<v>109</v>
+</b>
+<b>
+<a>36</a>
+<b>476</b>
+<v>58</v>
+</b>
+</bs>
+</hist>
+</val>
+</dep>
+<dep>
+<src>file</src>
+<trg>id</trg>
+<val>
+<hist>
+<budget>12</budget>
+<bs>
+<b>
+<a>1</a>
+<b>2</b>
+<v>9343</v>
+</b>
+<b>
+<a>2</a>
+<b>3</b>
+<v>822</v>
+</b>
+<b>
+<a>3</a>
+<b>187</b>
+<v>218</v>
+</b>
+</bs>
+</hist>
+</val>
+</dep>
+<dep>
+<src>file</src>
+<trg>num</trg>
+<val>
+<hist>
+<budget>12</budget>
+<bs>
+<b>
+<a>1</a>
+<b>2</b>
+<v>9831</v>
+</b>
+<b>
+<a>2</a>
+<b>78</b>
+<v>552</v>
+</b>
+</bs>
+</hist>
+</val>
+</dep>
+</dependencies>
+</relation>
+<relation>
+<name>compilation_referencing_files</name>
+<cardinality>184906</cardinality>
+<columnsizes>
+<e>
+<k>id</k>
+<v>564</v>
+</e>
+<e>
+<k>num</k>
+<v>1411</v>
+</e>
+<e>
+<k>file</k>
+<v>1757</v>
+</e>
+</columnsizes>
+<dependencies>
+<dep>
+<src>id</src>
+<trg>num</trg>
+<val>
+<hist>
+<budget>12</budget>
+<bs>
+<b>
+<a>5</a>
+<b>284</b>
+<v>47</v>
+</b>
+<b>
+<a>284</a>
+<b>288</b>
+<v>45</v>
+</b>
+<b>
+<a>288</a>
+<b>292</b>
+<v>47</v>
+</b>
+<b>
+<a>293</a>
+<b>309</b>
+<v>45</v>
+</b>
+<b>
+<a>309</a>
+<b>311</b>
+<v>47</v>
+</b>
+<b>
+<a>311</a>
+<b>328</b>
+<v>42</v>
+</b>
+<b>
+<a>328</a>
+<b>344</b>
+<v>37</v>
+</b>
+<b>
+<a>344</a>
+<b>346</b>
+<v>50</v>
+</b>
+<b>
+<a>346</a>
+<b>349</b>
+<v>45</v>
+</b>
+<b>
+<a>349</a>
+<b>353</b>
+<v>45</v>
+</b>
+<b>
+<a>353</a>
+<b>359</b>
+<v>47</v>
+</b>
+<b>
+<a>359</a>
+<b>369</b>
+<v>42</v>
+</b>
+<b>
+<a>369</a>
+<b>564</b>
+<v>20</v>
+</b>
+</bs>
+</hist>
+</val>
+</dep>
+<dep>
+<src>id</src>
+<trg>file</trg>
+<val>
+<hist>
+<budget>12</budget>
+<bs>
+<b>
+<a>5</a>
+<b>284</b>
+<v>47</v>
+</b>
+<b>
+<a>284</a>
+<b>288</b>
+<v>45</v>
+</b>
+<b>
+<a>288</a>
+<b>292</b>
+<v>47</v>
+</b>
+<b>
+<a>293</a>
+<b>309</b>
+<v>45</v>
+</b>
+<b>
+<a>309</a>
+<b>311</b>
+<v>47</v>
+</b>
+<b>
+<a>311</a>
+<b>328</b>
+<v>42</v>
+</b>
+<b>
+<a>328</a>
+<b>344</b>
+<v>37</v>
+</b>
+<b>
+<a>344</a>
+<b>346</b>
+<v>50</v>
+</b>
+<b>
+<a>346</a>
+<b>349</b>
+<v>45</v>
+</b>
+<b>
+<a>349</a>
+<b>353</b>
+<v>45</v>
+</b>
+<b>
+<a>353</a>
+<b>359</b>
+<v>47</v>
+</b>
+<b>
+<a>359</a>
+<b>369</b>
+<v>42</v>
+</b>
+<b>
+<a>369</a>
+<b>564</b>
+<v>20</v>
+</b>
+</bs>
+</hist>
+</val>
+</dep>
+<dep>
+<src>num</src>
+<trg>id</trg>
+<val>
+<hist>
+<budget>12</budget>
+<bs>
+<b>
+<a>1</a>
+<b>4</b>
+<v>112</v>
+</b>
+<b>
+<a>4</a>
+<b>7</b>
+<v>15</v>
+</b>
+<b>
+<a>7</a>
+<b>8</b>
+<v>358</v>
+</b>
+<b>
+<a>8</a>
+<b>118</b>
+<v>112</v>
+</b>
+<b>
+<a>118</a>
+<b>214</b>
+<v>105</v>
+</b>
+<b>
+<a>222</a>
+<b>223</b>
+<v>328</v>
+</b>
+<b>
+<a>224</a>
+<b>225</b>
+<v>365</v>
+</b>
+<b>
+<a>225</a>
+<b>226</b>
+<v>12</v>
+</b>
+</bs>
+</hist>
+</val>
+</dep>
+<dep>
+<src>num</src>
+<trg>file</trg>
+<val>
+<hist>
+<budget>12</budget>
+<bs>
+<b>
+<a>1</a>
+<b>4</b>
+<v>112</v>
+</b>
+<b>
+<a>4</a>
+<b>5</b>
+<v>5</v>
+</b>
+<b>
+<a>5</a>
+<b>6</b>
+<v>338</v>
+</b>
+<b>
+<a>6</a>
 <b>20</b>
-<v>287</v>
+<v>125</v>
+</b>
+<b>
+<a>20</a>
+<b>27</b>
+<v>115</v>
+</b>
+<b>
+<a>27</a>
+<b>32</b>
+<v>122</v>
+</b>
+<b>
+<a>32</a>
+<b>38</b>
+<v>112</v>
+</b>
+<b>
+<a>38</a>
+<b>50</b>
+<v>107</v>
+</b>
+<b>
+<a>50</a>
+<b>60</b>
+<v>112</v>
+</b>
+<b>
+<a>60</a>
+<b>62</b>
+<v>100</v>
+</b>
+<b>
+<a>62</a>
+<b>65</b>
+<v>110</v>
+</b>
+<b>
+<a>65</a>
+<b>71</b>
+<v>47</v>
+</b>
+</bs>
+</hist>
+</val>
+</dep>
+<dep>
+<src>file</src>
+<trg>id</trg>
+<val>
+<hist>
+<budget>12</budget>
+<bs>
+<b>
+<a>1</a>
+<b>2</b>
+<v>270</v>
+</b>
+<b>
+<a>2</a>
+<b>5</b>
+<v>132</v>
+</b>
+<b>
+<a>6</a>
+<b>7</b>
+<v>2</v>
+</b>
+<b>
+<a>7</a>
+<b>8</b>
+<v>162</v>
+</b>
+<b>
+<a>8</a>
+<b>10</b>
+<v>142</v>
+</b>
+<b>
+<a>10</a>
+<b>23</b>
+<v>132</v>
+</b>
+<b>
+<a>23</a>
+<b>122</b>
+<v>132</v>
+</b>
+<b>
+<a>124</a>
+<b>214</b>
+<v>125</v>
+</b>
+<b>
+<a>220</a>
+<b>221</b>
+<v>37</v>
+</b>
+<b>
+<a>222</a>
+<b>223</b>
+<v>248</v>
+</b>
+<b>
+<a>224</a>
+<b>225</b>
+<v>368</v>
+</b>
+</bs>
+</hist>
+</val>
+</dep>
+<dep>
+<src>file</src>
+<trg>num</trg>
+<val>
+<hist>
+<budget>12</budget>
+<bs>
+<b>
+<a>1</a>
+<b>2</b>
+<v>290</v>
+</b>
+<b>
+<a>2</a>
+<b>5</b>
+<v>155</v>
+</b>
+<b>
+<a>5</a>
+<b>6</b>
+<v>95</v>
+</b>
+<b>
+<a>6</a>
+<b>7</b>
+<v>155</v>
+</b>
+<b>
+<a>7</a>
+<b>11</b>
+<v>135</v>
+</b>
+<b>
+<a>11</a>
+<b>20</b>
+<v>137</v>
 </b>
 <b>
 <a>20</a>
 <b>25</b>
-<v>311</v>
+<v>132</v>
 </b>
 <b>
 <a>25</a>
-<b>30</b>
-<v>287</v>
+<b>29</b>
+<v>135</v>
 </b>
 <b>
-<a>30</a>
-<b>59</b>
-<v>258</v>
+<a>29</a>
+<b>48</b>
+<v>132</v>
 </b>
 <b>
-<a>59</a>
-<b>63</b>
-<v>272</v>
+<a>49</a>
+<b>62</b>
+<v>120</v>
 </b>
 <b>
-<a>63</a>
-<b>65</b>
-<v>185</v>
+<a>62</a>
+<b>64</b>
+<v>105</v>
 </b>
 <b>
-<a>65</a>
-<b>78</b>
-<v>243</v>
+<a>64</a>
+<b>68</b>
+<v>150</v>
+</b>
+<b>
+<a>68</a>
+<b>72</b>
+<v>10</v>
 </b>
 </bs>
 </hist>
@@ -2927,23 +2857,23 @@
 </relation>
 <relation>
 <name>compilation_time</name>
-<cardinality>7671</cardinality>
+<cardinality>3948</cardinality>
 <columnsizes>
 <e>
 <k>id</k>
-<v>1095</v>
+<v>564</v>
 </e>
 <e>
 <k>num</k>
-<v>4</v>
+<v>2</v>
 </e>
 <e>
 <k>kind</k>
-<v>34</v>
+<v>17</v>
 </e>
 <e>
 <k>seconds</k>
-<v>5523</v>
+<v>2862</v>
 </e>
 </columnsizes>
 <dependencies>
@@ -2957,7 +2887,7 @@
 <b>
 <a>1</a>
 <b>2</b>
-<v>1095</v>
+<v>564</v>
 </b>
 </bs>
 </hist>
@@ -2973,7 +2903,7 @@
 <b>
 <a>7</a>
 <b>8</b>
-<v>1095</v>
+<v>564</v>
 </b>
 </bs>
 </hist>
@@ -2987,9 +2917,14 @@
 <budget>12</budget>
 <bs>
 <b>
+<a>6</a>
+<b>7</b>
+<v>2</v>
+</b>
+<b>
 <a>7</a>
 <b>8</b>
-<v>1095</v>
+<v>561</v>
 </b>
 </bs>
 </hist>
@@ -3005,7 +2940,7 @@
 <b>
 <a>225</a>
 <b>226</b>
-<v>4</v>
+<v>2</v>
 </b>
 </bs>
 </hist>
@@ -3021,7 +2956,7 @@
 <b>
 <a>7</a>
 <b>8</b>
-<v>4</v>
+<v>2</v>
 </b>
 </bs>
 </hist>
@@ -3035,9 +2970,9 @@
 <budget>12</budget>
 <bs>
 <b>
-<a>1134</a>
-<b>1135</b>
-<v>4</v>
+<a>1142</a>
+<b>1143</b>
+<v>2</v>
 </b>
 </bs>
 </hist>
@@ -3053,7 +2988,7 @@
 <b>
 <a>225</a>
 <b>226</b>
-<v>34</v>
+<v>17</v>
 </b>
 </bs>
 </hist>
@@ -3069,7 +3004,7 @@
 <b>
 <a>1</a>
 <b>2</b>
-<v>34</v>
+<v>17</v>
 </b>
 </bs>
 </hist>
@@ -3083,29 +3018,24 @@
 <budget>12</budget>
 <bs>
 <b>
-<a>159</a>
-<b>160</b>
-<v>4</v>
+<a>158</a>
+<b>159</b>
+<v>2</v>
 </b>
 <b>
 <a>161</a>
 <b>162</b>
-<v>4</v>
+<v>2</v>
 </b>
 <b>
-<a>176</a>
-<b>177</b>
-<v>4</v>
-</b>
-<b>
-<a>179</a>
-<b>180</b>
-<v>4</v>
+<a>174</a>
+<b>175</b>
+<v>5</v>
 </b>
 <b>
 <a>225</a>
 <b>226</b>
-<v>14</v>
+<v>7</v>
 </b>
 </bs>
 </hist>
@@ -3121,22 +3051,22 @@
 <b>
 <a>1</a>
 <b>2</b>
-<v>4378</v>
+<v>2243</v>
 </b>
 <b>
 <a>2</a>
 <b>3</b>
-<v>569</v>
+<v>353</v>
 </b>
 <b>
 <a>3</a>
-<b>5</b>
-<v>472</v>
+<b>6</b>
+<v>248</v>
 </b>
 <b>
-<a>5</a>
-<b>10</b>
-<v>102</v>
+<a>6</a>
+<b>9</b>
+<v>17</v>
 </b>
 </bs>
 </hist>
@@ -3152,7 +3082,7 @@
 <b>
 <a>1</a>
 <b>2</b>
-<v>5523</v>
+<v>2862</v>
 </b>
 </bs>
 </hist>
@@ -3168,17 +3098,17 @@
 <b>
 <a>1</a>
 <b>2</b>
-<v>4607</v>
+<v>2436</v>
 </b>
 <b>
 <a>2</a>
 <b>3</b>
-<v>784</v>
+<v>353</v>
 </b>
 <b>
 <a>3</a>
 <b>5</b>
-<v>131</v>
+<v>72</v>
 </b>
 </bs>
 </hist>
@@ -4421,11 +4351,11 @@
 </relation>
 <relation>
 <name>extractor_messages</name>
-<cardinality>7611</cardinality>
+<cardinality>750</cardinality>
 <columnsizes>
 <e>
 <k>id</k>
-<v>7611</v>
+<v>750</v>
 </e>
 <e>
 <k>severity</k>
@@ -4441,15 +4371,15 @@
 </e>
 <e>
 <k>entity</k>
-<v>5273</v>
+<v>541</v>
 </e>
 <e>
 <k>location</k>
-<v>6681</v>
+<v>622</v>
 </e>
 <e>
 <k>stack_trace</k>
-<v>295</v>
+<v>121</v>
 </e>
 </columnsizes>
 <dependencies>
@@ -4463,7 +4393,7 @@
 <b>
 <a>1</a>
 <b>2</b>
-<v>7611</v>
+<v>750</v>
 </b>
 </bs>
 </hist>
@@ -4479,7 +4409,7 @@
 <b>
 <a>1</a>
 <b>2</b>
-<v>7611</v>
+<v>750</v>
 </b>
 </bs>
 </hist>
@@ -4495,7 +4425,7 @@
 <b>
 <a>1</a>
 <b>2</b>
-<v>7611</v>
+<v>750</v>
 </b>
 </bs>
 </hist>
@@ -4511,7 +4441,7 @@
 <b>
 <a>1</a>
 <b>2</b>
-<v>7611</v>
+<v>750</v>
 </b>
 </bs>
 </hist>
@@ -4527,7 +4457,7 @@
 <b>
 <a>1</a>
 <b>2</b>
-<v>7611</v>
+<v>750</v>
 </b>
 </bs>
 </hist>
@@ -4543,7 +4473,7 @@
 <b>
 <a>1</a>
 <b>2</b>
-<v>7611</v>
+<v>750</v>
 </b>
 </bs>
 </hist>
@@ -4567,8 +4497,8 @@
 <v>1</v>
 </b>
 <b>
-<a>7582</a>
-<b>7583</b>
+<a>721</a>
+<b>722</b>
 <v>1</v>
 </b>
 </bs>
@@ -4630,8 +4560,8 @@
 <v>1</v>
 </b>
 <b>
-<a>5267</a>
-<b>5268</b>
+<a>535</a>
+<b>536</b>
 <v>1</v>
 </b>
 </bs>
@@ -4656,8 +4586,8 @@
 <v>1</v>
 </b>
 <b>
-<a>6669</a>
-<b>6670</b>
+<a>610</a>
+<b>611</b>
 <v>1</v>
 </b>
 </bs>
@@ -4677,8 +4607,8 @@
 <v>2</v>
 </b>
 <b>
-<a>294</a>
-<b>295</b>
+<a>120</a>
+<b>121</b>
 <v>1</v>
 </b>
 </bs>
@@ -4693,8 +4623,8 @@
 <budget>12</budget>
 <bs>
 <b>
-<a>7611</a>
-<b>7612</b>
+<a>750</a>
+<b>751</b>
 <v>1</v>
 </b>
 </bs>
@@ -4741,8 +4671,8 @@
 <budget>12</budget>
 <bs>
 <b>
-<a>5273</a>
-<b>5274</b>
+<a>541</a>
+<b>542</b>
 <v>1</v>
 </b>
 </bs>
@@ -4757,8 +4687,8 @@
 <budget>12</budget>
 <bs>
 <b>
-<a>6681</a>
-<b>6682</b>
+<a>622</a>
+<b>623</b>
 <v>1</v>
 </b>
 </bs>
@@ -4773,8 +4703,8 @@
 <budget>12</budget>
 <bs>
 <b>
-<a>295</a>
-<b>296</b>
+<a>121</a>
+<b>122</b>
 <v>1</v>
 </b>
 </bs>
@@ -4789,8 +4719,13 @@
 <budget>12</budget>
 <bs>
 <b>
-<a>1</a>
-<b>2</b>
+<a>2</a>
+<b>3</b>
+<v>1</v>
+</b>
+<b>
+<a>3</a>
+<b>4</b>
 <v>1</v>
 </b>
 <b>
@@ -4799,8 +4734,13 @@
 <v>1</v>
 </b>
 <b>
-<a>11</a>
-<b>12</b>
+<a>16</a>
+<b>17</b>
+<v>1</v>
+</b>
+<b>
+<a>19</a>
+<b>20</b>
 <v>1</v>
 </b>
 <b>
@@ -4809,33 +4749,23 @@
 <v>2</v>
 </b>
 <b>
-<a>38</a>
-<b>39</b>
+<a>30</a>
+<b>31</b>
 <v>1</v>
 </b>
 <b>
-<a>104</a>
-<b>105</b>
+<a>49</a>
+<b>50</b>
 <v>1</v>
 </b>
 <b>
-<a>216</a>
-<b>217</b>
+<a>244</a>
+<b>245</b>
 <v>1</v>
 </b>
 <b>
-<a>326</a>
-<b>327</b>
-<v>1</v>
-</b>
-<b>
-<a>2411</a>
-<b>2412</b>
-<v>1</v>
-</b>
-<b>
-<a>4451</a>
-<b>4452</b>
+<a>334</a>
+<b>335</b>
 <v>1</v>
 </b>
 </bs>
@@ -4887,11 +4817,21 @@
 <v>3</v>
 </b>
 <b>
+<a>3</a>
+<b>4</b>
+<v>1</v>
+</b>
+<b>
 <a>5</a>
 <b>6</b>
 <v>1</v>
 </b>
 <b>
+<a>8</a>
+<b>9</b>
+<v>1</v>
+</b>
+<b>
 <a>11</a>
 <b>12</b>
 <v>1</v>
@@ -4902,28 +4842,18 @@
 <v>1</v>
 </b>
 <b>
-<a>47</a>
-<b>48</b>
+<a>20</a>
+<b>21</b>
 <v>1</v>
 </b>
 <b>
-<a>51</a>
-<b>52</b>
+<a>189</a>
+<b>190</b>
 <v>1</v>
 </b>
 <b>
-<a>275</a>
-<b>276</b>
-<v>1</v>
-</b>
-<b>
-<a>1647</a>
-<b>1648</b>
-<v>1</v>
-</b>
-<b>
-<a>3224</a>
-<b>3225</b>
+<a>284</a>
+<b>285</b>
 <v>1</v>
 </b>
 </bs>
@@ -4943,8 +4873,13 @@
 <v>3</v>
 </b>
 <b>
-<a>11</a>
-<b>12</b>
+<a>3</a>
+<b>4</b>
+<v>1</v>
+</b>
+<b>
+<a>8</a>
+<b>9</b>
 <v>1</v>
 </b>
 <b>
@@ -4958,28 +4893,23 @@
 <v>1</v>
 </b>
 <b>
-<a>104</a>
-<b>105</b>
+<a>26</a>
+<b>27</b>
 <v>1</v>
 </b>
 <b>
-<a>113</a>
-<b>114</b>
+<a>30</a>
+<b>31</b>
 <v>1</v>
 </b>
 <b>
-<a>326</a>
-<b>327</b>
+<a>216</a>
+<b>217</b>
 <v>1</v>
 </b>
 <b>
-<a>2017</a>
-<b>2018</b>
-<v>1</v>
-</b>
-<b>
-<a>4077</a>
-<b>4078</b>
+<a>306</a>
+<b>307</b>
 <v>1</v>
 </b>
 </bs>
@@ -4996,11 +4926,11 @@
 <b>
 <a>1</a>
 <b>2</b>
-<v>5</v>
+<v>6</v>
 </b>
 <b>
-<a>2</a>
-<b>3</b>
+<a>3</a>
+<b>4</b>
 <v>1</v>
 </b>
 <b>
@@ -5009,18 +4939,13 @@
 <v>2</v>
 </b>
 <b>
-<a>11</a>
-<b>12</b>
+<a>34</a>
+<b>35</b>
 <v>1</v>
 </b>
 <b>
-<a>77</a>
-<b>78</b>
-<v>1</v>
-</b>
-<b>
-<a>193</a>
-<b>194</b>
+<a>71</a>
+<b>72</b>
 <v>1</v>
 </b>
 </bs>
@@ -5037,17 +4962,17 @@
 <b>
 <a>1</a>
 <b>2</b>
-<v>4192</v>
+<v>425</v>
 </b>
 <b>
 <a>2</a>
 <b>3</b>
-<v>792</v>
+<v>92</v>
 </b>
 <b>
 <a>3</a>
-<b>133</b>
-<v>289</v>
+<b>25</b>
+<v>24</v>
 </b>
 </bs>
 </hist>
@@ -5063,7 +4988,7 @@
 <b>
 <a>1</a>
 <b>2</b>
-<v>5273</v>
+<v>541</v>
 </b>
 </bs>
 </hist>
@@ -5079,7 +5004,7 @@
 <b>
 <a>1</a>
 <b>2</b>
-<v>5273</v>
+<v>541</v>
 </b>
 </bs>
 </hist>
@@ -5095,12 +5020,12 @@
 <b>
 <a>1</a>
 <b>2</b>
-<v>5264</v>
+<v>540</v>
 </b>
 <b>
 <a>2</a>
 <b>3</b>
-<v>9</v>
+<v>1</v>
 </b>
 </bs>
 </hist>
@@ -5116,17 +5041,17 @@
 <b>
 <a>1</a>
 <b>2</b>
-<v>4589</v>
+<v>490</v>
 </b>
 <b>
 <a>2</a>
-<b>3</b>
-<v>478</v>
+<b>4</b>
+<v>47</v>
 </b>
 <b>
-<a>3</a>
-<b>67</b>
-<v>206</v>
+<a>4</a>
+<b>17</b>
+<v>4</v>
 </b>
 </bs>
 </hist>
@@ -5142,12 +5067,12 @@
 <b>
 <a>1</a>
 <b>2</b>
-<v>5074</v>
+<v>512</v>
 </b>
 <b>
 <a>2</a>
-<b>8</b>
-<v>199</v>
+<b>6</b>
+<v>29</v>
 </b>
 </bs>
 </hist>
@@ -5163,12 +5088,12 @@
 <b>
 <a>1</a>
 <b>2</b>
-<v>5778</v>
+<v>521</v>
 </b>
 <b>
 <a>2</a>
 <b>3</b>
-<v>902</v>
+<v>100</v>
 </b>
 <b>
 <a>29</a>
@@ -5189,7 +5114,7 @@
 <b>
 <a>1</a>
 <b>2</b>
-<v>6680</v>
+<v>621</v>
 </b>
 <b>
 <a>2</a>
@@ -5210,7 +5135,7 @@
 <b>
 <a>1</a>
 <b>2</b>
-<v>6681</v>
+<v>622</v>
 </b>
 </bs>
 </hist>
@@ -5226,7 +5151,7 @@
 <b>
 <a>1</a>
 <b>2</b>
-<v>6680</v>
+<v>621</v>
 </b>
 <b>
 <a>2</a>
@@ -5247,7 +5172,7 @@
 <b>
 <a>1</a>
 <b>2</b>
-<v>6680</v>
+<v>621</v>
 </b>
 <b>
 <a>2</a>
@@ -5268,12 +5193,12 @@
 <b>
 <a>1</a>
 <b>2</b>
-<v>6509</v>
+<v>596</v>
 </b>
 <b>
 <a>2</a>
 <b>3</b>
-<v>172</v>
+<v>26</v>
 </b>
 </bs>
 </hist>
@@ -5289,47 +5214,42 @@
 <b>
 <a>1</a>
 <b>2</b>
-<v>92</v>
+<v>42</v>
 </b>
 <b>
 <a>2</a>
 <b>3</b>
-<v>42</v>
+<v>22</v>
 </b>
 <b>
 <a>3</a>
 <b>4</b>
-<v>21</v>
+<v>9</v>
 </b>
 <b>
 <a>4</a>
 <b>5</b>
-<v>22</v>
+<v>11</v>
 </b>
 <b>
 <a>5</a>
-<b>7</b>
-<v>23</v>
+<b>6</b>
+<v>6</v>
 </b>
 <b>
-<a>7</a>
-<b>11</b>
-<v>27</v>
+<a>6</a>
+<b>9</b>
+<v>11</v>
 </b>
 <b>
-<a>11</a>
-<b>29</b>
-<v>24</v>
+<a>9</a>
+<b>21</b>
+<v>10</v>
 </b>
 <b>
-<a>29</a>
-<b>73</b>
-<v>23</v>
-</b>
-<b>
-<a>77</a>
-<b>726</b>
-<v>21</v>
+<a>21</a>
+<b>76</b>
+<v>10</v>
 </b>
 </bs>
 </hist>
@@ -5345,7 +5265,7 @@
 <b>
 <a>1</a>
 <b>2</b>
-<v>294</v>
+<v>120</v>
 </b>
 <b>
 <a>2</a>
@@ -5366,7 +5286,7 @@
 <b>
 <a>1</a>
 <b>2</b>
-<v>295</v>
+<v>121</v>
 </b>
 </bs>
 </hist>
@@ -5382,7 +5302,7 @@
 <b>
 <a>1</a>
 <b>2</b>
-<v>294</v>
+<v>120</v>
 </b>
 <b>
 <a>2</a>
@@ -5403,47 +5323,42 @@
 <b>
 <a>1</a>
 <b>2</b>
-<v>107</v>
+<v>55</v>
 </b>
 <b>
 <a>2</a>
 <b>3</b>
-<v>41</v>
+<v>17</v>
 </b>
 <b>
 <a>3</a>
 <b>4</b>
-<v>27</v>
+<v>10</v>
 </b>
 <b>
 <a>4</a>
 <b>5</b>
-<v>16</v>
+<v>8</v>
 </b>
 <b>
 <a>5</a>
-<b>7</b>
-<v>24</v>
+<b>6</b>
+<v>6</v>
 </b>
 <b>
-<a>7</a>
-<b>12</b>
-<v>25</v>
+<a>6</a>
+<b>9</b>
+<v>11</v>
 </b>
 <b>
-<a>12</a>
-<b>33</b>
-<v>23</v>
+<a>9</a>
+<b>21</b>
+<v>10</v>
 </b>
 <b>
-<a>34</a>
-<b>114</b>
-<v>23</v>
-</b>
-<b>
-<a>195</a>
-<b>584</b>
-<v>9</v>
+<a>25</a>
+<b>76</b>
+<v>4</v>
 </b>
 </bs>
 </hist>
@@ -5459,47 +5374,42 @@
 <b>
 <a>1</a>
 <b>2</b>
-<v>99</v>
+<v>50</v>
 </b>
 <b>
 <a>2</a>
 <b>3</b>
-<v>40</v>
+<v>18</v>
 </b>
 <b>
 <a>3</a>
 <b>4</b>
-<v>26</v>
+<v>8</v>
 </b>
 <b>
 <a>4</a>
 <b>5</b>
-<v>20</v>
+<v>10</v>
 </b>
 <b>
 <a>5</a>
-<b>8</b>
-<v>27</v>
+<b>6</b>
+<v>6</v>
 </b>
 <b>
-<a>8</a>
-<b>13</b>
-<v>24</v>
+<a>6</a>
+<b>9</b>
+<v>11</v>
 </b>
 <b>
-<a>13</a>
-<b>37</b>
-<v>23</v>
+<a>9</a>
+<b>19</b>
+<v>10</v>
 </b>
 <b>
-<a>37</a>
-<b>111</b>
-<v>23</v>
-</b>
-<b>
-<a>115</a>
-<b>726</b>
-<v>13</v>
+<a>20</a>
+<b>76</b>
+<v>8</v>
 </b>
 </bs>
 </hist>
@@ -5509,19 +5419,19 @@
 </relation>
 <relation>
 <name>compilation_finished</name>
-<cardinality>1095</cardinality>
+<cardinality>564</cardinality>
 <columnsizes>
 <e>
 <k>id</k>
-<v>1095</v>
+<v>564</v>
 </e>
 <e>
 <k>cpu_seconds</k>
-<v>944</v>
+<v>501</v>
 </e>
 <e>
 <k>elapsed_seconds</k>
-<v>1095</v>
+<v>564</v>
 </e>
 </columnsizes>
 <dependencies>
@@ -5535,7 +5445,7 @@
 <b>
 <a>1</a>
 <b>2</b>
-<v>1095</v>
+<v>564</v>
 </b>
 </bs>
 </hist>
@@ -5551,7 +5461,7 @@
 <b>
 <a>1</a>
 <b>2</b>
-<v>1095</v>
+<v>564</v>
 </b>
 </bs>
 </hist>
@@ -5567,17 +5477,17 @@
 <b>
 <a>1</a>
 <b>2</b>
-<v>808</v>
+<v>448</v>
 </b>
 <b>
 <a>2</a>
 <b>3</b>
-<v>126</v>
+<v>47</v>
 </b>
 <b>
 <a>3</a>
-<b>5</b>
-<v>9</v>
+<b>6</b>
+<v>5</v>
 </b>
 </bs>
 </hist>
@@ -5593,17 +5503,17 @@
 <b>
 <a>1</a>
 <b>2</b>
-<v>808</v>
+<v>448</v>
 </b>
 <b>
 <a>2</a>
 <b>3</b>
-<v>126</v>
+<v>47</v>
 </b>
 <b>
 <a>3</a>
-<b>5</b>
-<v>9</v>
+<b>6</b>
+<v>5</v>
 </b>
 </bs>
 </hist>
@@ -5619,7 +5529,7 @@
 <b>
 <a>1</a>
 <b>2</b>
-<v>1095</v>
+<v>564</v>
 </b>
 </bs>
 </hist>
@@ -5635,7 +5545,7 @@
 <b>
 <a>1</a>
 <b>2</b>
-<v>1095</v>
+<v>564</v>
 </b>
 </bs>
 </hist>
@@ -5645,15 +5555,15 @@
 </relation>
 <relation>
 <name>compilation_assembly</name>
-<cardinality>1095</cardinality>
+<cardinality>564</cardinality>
 <columnsizes>
 <e>
 <k>id</k>
-<v>1095</v>
+<v>564</v>
 </e>
 <e>
 <k>assembly</k>
-<v>1095</v>
+<v>564</v>
 </e>
 </columnsizes>
 <dependencies>
@@ -5667,7 +5577,7 @@
 <b>
 <a>1</a>
 <b>2</b>
-<v>1095</v>
+<v>564</v>
 </b>
 </bs>
 </hist>
@@ -5683,7 +5593,7 @@
 <b>
 <a>1</a>
 <b>2</b>
-<v>1095</v>
+<v>564</v>
 </b>
 </bs>
 </hist>
@@ -6107,23 +6017,23 @@
 </relation>
 <relation>
 <name>externalData</name>
-<cardinality>58</cardinality>
+<cardinality>30</cardinality>
 <columnsizes>
 <e>
 <k>id</k>
-<v>29</v>
+<v>15</v>
 </e>
 <e>
 <k>path</k>
-<v>4</v>
+<v>2</v>
 </e>
 <e>
 <k>column</k>
-<v>9</v>
+<v>5</v>
 </e>
 <e>
 <k>value</k>
-<v>58</v>
+<v>30</v>
 </e>
 </columnsizes>
 <dependencies>
@@ -6137,7 +6047,7 @@
 <b>
 <a>1</a>
 <b>2</b>
-<v>29</v>
+<v>15</v>
 </b>
 </bs>
 </hist>
@@ -6153,7 +6063,7 @@
 <b>
 <a>2</a>
 <b>3</b>
-<v>29</v>
+<v>15</v>
 </b>
 </bs>
 </hist>
@@ -6169,7 +6079,7 @@
 <b>
 <a>2</a>
 <b>3</b>
-<v>29</v>
+<v>15</v>
 </b>
 </bs>
 </hist>
@@ -6185,7 +6095,7 @@
 <b>
 <a>6</a>
 <b>7</b>
-<v>4</v>
+<v>2</v>
 </b>
 </bs>
 </hist>
@@ -6201,7 +6111,7 @@
 <b>
 <a>2</a>
 <b>3</b>
-<v>4</v>
+<v>2</v>
 </b>
 </bs>
 </hist>
@@ -6217,7 +6127,7 @@
 <b>
 <a>12</a>
 <b>13</b>
-<v>4</v>
+<v>2</v>
 </b>
 </bs>
 </hist>
@@ -6233,7 +6143,7 @@
 <b>
 <a>6</a>
 <b>7</b>
-<v>9</v>
+<v>5</v>
 </b>
 </bs>
 </hist>
@@ -6249,7 +6159,7 @@
 <b>
 <a>1</a>
 <b>2</b>
-<v>9</v>
+<v>5</v>
 </b>
 </bs>
 </hist>
@@ -6265,7 +6175,7 @@
 <b>
 <a>6</a>
 <b>7</b>
-<v>9</v>
+<v>5</v>
 </b>
 </bs>
 </hist>
@@ -6281,7 +6191,7 @@
 <b>
 <a>1</a>
 <b>2</b>
-<v>58</v>
+<v>30</v>
 </b>
 </bs>
 </hist>
@@ -6297,7 +6207,7 @@
 <b>
 <a>1</a>
 <b>2</b>
-<v>58</v>
+<v>30</v>
 </b>
 </bs>
 </hist>
@@ -6313,7 +6223,7 @@
 <b>
 <a>1</a>
 <b>2</b>
-<v>58</v>
+<v>30</v>
 </b>
 </bs>
 </hist>
@@ -6323,41 +6233,41 @@
 </relation>
 <relation>
 <name>snapshotDate</name>
-<cardinality>4</cardinality>
+<cardinality>2</cardinality>
 <columnsizes>
 <e>
 <k>snapshotDate</k>
-<v>4</v>
+<v>2</v>
 </e>
 </columnsizes>
 <dependencies/>
 </relation>
 <relation>
 <name>sourceLocationPrefix</name>
-<cardinality>4</cardinality>
+<cardinality>2</cardinality>
 <columnsizes>
 <e>
 <k>prefix</k>
-<v>4</v>
+<v>2</v>
 </e>
 </columnsizes>
 <dependencies/>
 </relation>
 <relation>
 <name>duplicateCode</name>
-<cardinality>22736</cardinality>
+<cardinality>11701</cardinality>
 <columnsizes>
 <e>
 <k>id</k>
-<v>22736</v>
+<v>11701</v>
 </e>
 <e>
 <k>relativePath</k>
-<v>3803</v>
+<v>1957</v>
 </e>
 <e>
 <k>equivClass</k>
-<v>7008</v>
+<v>3607</v>
 </e>
 </columnsizes>
 <dependencies>
@@ -6371,7 +6281,7 @@
 <b>
 <a>1</a>
 <b>2</b>
-<v>22736</v>
+<v>11701</v>
 </b>
 </bs>
 </hist>
@@ -6387,7 +6297,7 @@
 <b>
 <a>1</a>
 <b>2</b>
-<v>22736</v>
+<v>11701</v>
 </b>
 </bs>
 </hist>
@@ -6403,52 +6313,52 @@
 <b>
 <a>1</a>
 <b>2</b>
-<v>1061</v>
+<v>546</v>
 </b>
 <b>
 <a>2</a>
 <b>3</b>
-<v>564</v>
+<v>290</v>
 </b>
 <b>
 <a>3</a>
 <b>4</b>
-<v>423</v>
+<v>218</v>
 </b>
 <b>
 <a>4</a>
 <b>5</b>
-<v>219</v>
+<v>112</v>
 </b>
 <b>
 <a>5</a>
 <b>6</b>
-<v>219</v>
+<v>112</v>
 </b>
 <b>
 <a>6</a>
 <b>8</b>
-<v>336</v>
+<v>172</v>
 </b>
 <b>
 <a>8</a>
 <b>10</b>
-<v>277</v>
+<v>142</v>
 </b>
 <b>
 <a>10</a>
 <b>14</b>
-<v>316</v>
+<v>162</v>
 </b>
 <b>
 <a>14</a>
 <b>28</b>
-<v>287</v>
+<v>147</v>
 </b>
 <b>
 <a>29</a>
 <b>77</b>
-<v>97</v>
+<v>50</v>
 </b>
 </bs>
 </hist>
@@ -6464,52 +6374,52 @@
 <b>
 <a>1</a>
 <b>2</b>
-<v>1129</v>
+<v>581</v>
 </b>
 <b>
 <a>2</a>
 <b>3</b>
-<v>521</v>
+<v>268</v>
 </b>
 <b>
 <a>3</a>
 <b>4</b>
-<v>443</v>
+<v>228</v>
 </b>
 <b>
 <a>4</a>
 <b>5</b>
-<v>233</v>
+<v>120</v>
 </b>
 <b>
 <a>5</a>
 <b>6</b>
-<v>228</v>
+<v>117</v>
 </b>
 <b>
 <a>6</a>
 <b>8</b>
-<v>326</v>
+<v>167</v>
 </b>
 <b>
 <a>8</a>
 <b>10</b>
-<v>277</v>
+<v>142</v>
 </b>
 <b>
 <a>10</a>
 <b>14</b>
-<v>311</v>
+<v>160</v>
 </b>
 <b>
 <a>14</a>
 <b>32</b>
-<v>292</v>
+<v>150</v>
 </b>
 <b>
 <a>33</a>
 <b>45</b>
-<v>38</v>
+<v>20</v>
 </b>
 </bs>
 </hist>
@@ -6525,32 +6435,32 @@
 <b>
 <a>2</a>
 <b>3</b>
-<v>3765</v>
+<v>1937</v>
 </b>
 <b>
 <a>3</a>
 <b>4</b>
-<v>1144</v>
+<v>589</v>
 </b>
 <b>
 <a>4</a>
 <b>5</b>
-<v>784</v>
+<v>403</v>
 </b>
 <b>
 <a>5</a>
 <b>6</b>
-<v>428</v>
+<v>220</v>
 </b>
 <b>
 <a>6</a>
 <b>8</b>
-<v>569</v>
+<v>293</v>
 </b>
 <b>
 <a>8</a>
 <b>11</b>
-<v>316</v>
+<v>162</v>
 </b>
 </bs>
 </hist>
@@ -6566,37 +6476,37 @@
 <b>
 <a>1</a>
 <b>2</b>
-<v>677</v>
+<v>348</v>
 </b>
 <b>
 <a>2</a>
 <b>3</b>
-<v>3438</v>
+<v>1769</v>
 </b>
 <b>
 <a>3</a>
 <b>4</b>
-<v>1076</v>
+<v>554</v>
 </b>
 <b>
 <a>4</a>
 <b>5</b>
-<v>677</v>
+<v>348</v>
 </b>
 <b>
 <a>5</a>
 <b>6</b>
-<v>384</v>
+<v>198</v>
 </b>
 <b>
 <a>6</a>
 <b>9</b>
-<v>579</v>
+<v>298</v>
 </b>
 <b>
 <a>9</a>
 <b>11</b>
-<v>175</v>
+<v>90</v>
 </b>
 </bs>
 </hist>
@@ -8674,31 +8584,31 @@
 </relation>
 <relation>
 <name>locations_default</name>
-<cardinality>14071994</cardinality>
+<cardinality>11326677</cardinality>
 <columnsizes>
 <e>
 <k>id</k>
-<v>14071994</v>
+<v>11326677</v>
 </e>
 <e>
 <k>file</k>
-<v>6231</v>
+<v>6232</v>
 </e>
 <e>
 <k>beginLine</k>
-<v>164761</v>
+<v>157416</v>
 </e>
 <e>
 <k>beginColumn</k>
-<v>1456</v>
+<v>1453</v>
 </e>
 <e>
 <k>endLine</k>
-<v>177711</v>
+<v>175851</v>
 </e>
 <e>
 <k>endColumn</k>
-<v>1641</v>
+<v>1620</v>
 </e>
 </columnsizes>
 <dependencies>
@@ -8712,7 +8622,7 @@
 <b>
 <a>1</a>
 <b>2</b>
-<v>14071994</v>
+<v>11326677</v>
 </b>
 </bs>
 </hist>
@@ -8728,7 +8638,7 @@
 <b>
 <a>1</a>
 <b>2</b>
-<v>14071994</v>
+<v>11326677</v>
 </b>
 </bs>
 </hist>
@@ -8744,7 +8654,7 @@
 <b>
 <a>1</a>
 <b>2</b>
-<v>14071994</v>
+<v>11326677</v>
 </b>
 </bs>
 </hist>
@@ -8760,7 +8670,7 @@
 <b>
 <a>1</a>
 <b>2</b>
-<v>14071994</v>
+<v>11326677</v>
 </b>
 </bs>
 </hist>
@@ -8776,7 +8686,7 @@
 <b>
 <a>1</a>
 <b>2</b>
-<v>14071994</v>
+<v>11326677</v>
 </b>
 </bs>
 </hist>
@@ -8791,73 +8701,73 @@
 <bs>
 <b>
 <a>1</a>
-<b>19</b>
-<v>483</v>
+<b>5</b>
+<v>420</v>
 </b>
 <b>
-<a>19</a>
-<b>34</b>
-<v>472</v>
+<a>5</a>
+<b>7</b>
+<v>419</v>
 </b>
 <b>
-<a>34</a>
-<b>50</b>
-<v>491</v>
+<a>7</a>
+<b>9</b>
+<v>444</v>
 </b>
 <b>
-<a>50</a>
-<b>74</b>
-<v>470</v>
+<a>9</a>
+<b>12</b>
+<v>461</v>
 </b>
 <b>
-<a>74</a>
-<b>106</b>
-<v>471</v>
+<a>12</a>
+<b>17</b>
+<v>496</v>
 </b>
 <b>
-<a>106</a>
-<b>150</b>
-<v>478</v>
+<a>17</a>
+<b>28</b>
+<v>488</v>
 </b>
 <b>
-<a>150</a>
-<b>208</b>
-<v>471</v>
+<a>28</a>
+<b>45</b>
+<v>515</v>
 </b>
 <b>
-<a>208</a>
-<b>296</b>
-<v>468</v>
+<a>45</a>
+<b>76</b>
+<v>474</v>
 </b>
 <b>
-<a>296</a>
-<b>445</b>
-<v>468</v>
-</b>
-<b>
-<a>445</a>
-<b>685</b>
+<a>76</a>
+<b>129</b>
 <v>469</v>
 </b>
 <b>
-<a>685</a>
-<b>1200</b>
+<a>129</a>
+<b>218</b>
 <v>468</v>
 </b>
 <b>
-<a>1200</a>
-<b>2633</b>
+<a>218</a>
+<b>424</b>
 <v>468</v>
 </b>
 <b>
-<a>2635</a>
-<b>42820</b>
-<v>494</v>
+<a>424</a>
+<b>1086</b>
+<v>468</v>
 </b>
 <b>
-<a>43085</a>
+<a>1087</a>
+<b>28809</b>
+<v>468</v>
+</b>
+<b>
+<a>31722</a>
 <b>474768</b>
-<v>60</v>
+<v>174</v>
 </b>
 </bs>
 </hist>
@@ -8872,68 +8782,68 @@
 <bs>
 <b>
 <a>1</a>
-<b>12</b>
-<v>576</v>
+<b>5</b>
+<v>569</v>
 </b>
 <b>
-<a>12</a>
+<a>5</a>
+<b>7</b>
+<v>499</v>
+</b>
+<b>
+<a>7</a>
+<b>9</b>
+<v>447</v>
+</b>
+<b>
+<a>9</a>
+<b>11</b>
+<v>392</v>
+</b>
+<b>
+<a>11</a>
+<b>14</b>
+<v>504</v>
+</b>
+<b>
+<a>14</a>
 <b>19</b>
-<v>508</v>
+<v>521</v>
 </b>
 <b>
 <a>19</a>
-<b>27</b>
-<v>518</v>
+<b>28</b>
+<v>533</v>
 </b>
 <b>
-<a>27</a>
-<b>35</b>
-<v>476</v>
+<a>28</a>
+<b>40</b>
+<v>488</v>
 </b>
 <b>
-<a>35</a>
-<b>46</b>
-<v>515</v>
+<a>40</a>
+<b>60</b>
+<v>480</v>
 </b>
 <b>
-<a>46</a>
-<b>62</b>
-<v>498</v>
+<a>60</a>
+<b>94</b>
+<v>475</v>
 </b>
 <b>
-<a>62</a>
-<b>82</b>
-<v>478</v>
-</b>
-<b>
-<a>82</a>
-<b>114</b>
-<v>470</v>
-</b>
-<b>
-<a>114</a>
-<b>168</b>
-<v>471</v>
-</b>
-<b>
-<a>168</a>
-<b>273</b>
-<v>468</v>
-</b>
-<b>
-<a>273</a>
-<b>504</b>
-<v>479</v>
-</b>
-<b>
-<a>504</a>
-<b>1747</b>
+<a>94</a>
+<b>205</b>
 <v>469</v>
 </b>
 <b>
-<a>1749</a>
+<a>205</a>
+<b>658</b>
+<v>468</v>
+</b>
+<b>
+<a>662</a>
 <b>143014</b>
-<v>305</v>
+<v>387</v>
 </b>
 </bs>
 </hist>
@@ -8948,68 +8858,68 @@
 <bs>
 <b>
 <a>1</a>
-<b>7</b>
-<v>563</v>
+<b>3</b>
+<v>143</v>
 </b>
 <b>
-<a>7</a>
+<a>3</a>
+<b>4</b>
+<v>606</v>
+</b>
+<b>
+<a>4</a>
+<b>5</b>
+<v>675</v>
+</b>
+<b>
+<a>5</a>
+<b>6</b>
+<v>461</v>
+</b>
+<b>
+<a>6</a>
+<b>8</b>
+<v>533</v>
+</b>
+<b>
+<a>8</a>
 <b>13</b>
-<v>499</v>
+<v>535</v>
 </b>
 <b>
 <a>13</a>
-<b>19</b>
-<v>491</v>
+<b>20</b>
+<v>535</v>
 </b>
 <b>
-<a>19</a>
-<b>26</b>
-<v>481</v>
+<a>20</a>
+<b>30</b>
+<v>486</v>
 </b>
 <b>
-<a>26</a>
-<b>34</b>
-<v>517</v>
-</b>
-<b>
-<a>34</a>
+<a>30</a>
 <b>43</b>
-<v>498</v>
+<v>500</v>
 </b>
 <b>
 <a>43</a>
-<b>53</b>
-<v>482</v>
-</b>
-<b>
-<a>53</a>
-<b>64</b>
-<v>482</v>
-</b>
-<b>
-<a>64</a>
-<b>76</b>
+<b>59</b>
 <v>479</v>
 </b>
 <b>
-<a>76</a>
-<b>91</b>
+<a>59</a>
+<b>82</b>
 <v>474</v>
 </b>
 <b>
-<a>91</a>
-<b>112</b>
-<v>476</v>
+<a>82</a>
+<b>127</b>
+<v>469</v>
 </b>
 <b>
-<a>112</a>
-<b>166</b>
-<v>473</v>
-</b>
-<b>
-<a>166</a>
+<a>127</a>
 <b>930</b>
-<v>316</v>
+<v>336</v>
 </b>
 </bs>
 </hist>
@@ -9024,73 +8934,68 @@
 <bs>
 <b>
 <a>1</a>
+<b>5</b>
+<v>561</v>
+</b>
+<b>
+<a>5</a>
+<b>7</b>
+<v>504</v>
+</b>
+<b>
+<a>7</a>
+<b>9</b>
+<v>449</v>
+</b>
+<b>
+<a>9</a>
 <b>12</b>
-<v>515</v>
+<v>546</v>
 </b>
 <b>
 <a>12</a>
-<b>18</b>
-<v>483</v>
+<b>16</b>
+<v>573</v>
 </b>
 <b>
-<a>18</a>
-<b>25</b>
-<v>470</v>
+<a>16</a>
+<b>22</b>
+<v>499</v>
 </b>
 <b>
-<a>25</a>
-<b>34</b>
-<v>492</v>
+<a>22</a>
+<b>33</b>
+<v>489</v>
 </b>
 <b>
-<a>34</a>
-<b>44</b>
+<a>33</a>
+<b>46</b>
+<v>489</v>
+</b>
+<b>
+<a>46</a>
+<b>73</b>
+<v>484</v>
+</b>
+<b>
+<a>73</a>
+<b>129</b>
+<v>487</v>
+</b>
+<b>
+<a>129</a>
+<b>326</b>
 <v>468</v>
 </b>
 <b>
-<a>44</a>
-<b>56</b>
-<v>477</v>
-</b>
-<b>
-<a>56</a>
-<b>76</b>
+<a>326</a>
+<b>2738</b>
 <v>468</v>
 </b>
 <b>
-<a>76</a>
-<b>104</b>
-<v>470</v>
-</b>
-<b>
-<a>104</a>
-<b>146</b>
-<v>471</v>
-</b>
-<b>
-<a>146</a>
-<b>231</b>
-<v>469</v>
-</b>
-<b>
-<a>231</a>
-<b>411</b>
-<v>469</v>
-</b>
-<b>
-<a>411</a>
-<b>884</b>
-<v>468</v>
-</b>
-<b>
-<a>888</a>
-<b>46288</b>
-<v>508</v>
-</b>
-<b>
-<a>55259</a>
+<a>2749</a>
 <b>171760</b>
-<v>3</v>
+<v>215</v>
 </b>
 </bs>
 </hist>
@@ -9105,68 +9010,68 @@
 <bs>
 <b>
 <a>1</a>
-<b>15</b>
-<v>487</v>
+<b>5</b>
+<v>442</v>
 </b>
 <b>
-<a>15</a>
+<a>5</a>
+<b>7</b>
+<v>534</v>
+</b>
+<b>
+<a>7</a>
+<b>9</b>
+<v>416</v>
+</b>
+<b>
+<a>9</a>
+<b>12</b>
+<v>536</v>
+</b>
+<b>
+<a>12</a>
+<b>16</b>
+<v>469</v>
+</b>
+<b>
+<a>16</a>
 <b>23</b>
-<v>477</v>
+<v>499</v>
 </b>
 <b>
 <a>23</a>
-<b>32</b>
-<v>472</v>
+<b>34</b>
+<v>498</v>
 </b>
 <b>
-<a>32</a>
-<b>43</b>
-<v>509</v>
-</b>
-<b>
-<a>43</a>
-<b>54</b>
-<v>528</v>
-</b>
-<b>
-<a>54</a>
-<b>66</b>
-<v>488</v>
-</b>
-<b>
-<a>66</a>
-<b>77</b>
+<a>34</a>
+<b>48</b>
 <v>470</v>
 </b>
 <b>
-<a>77</a>
-<b>91</b>
-<v>480</v>
-</b>
-<b>
-<a>91</a>
-<b>105</b>
-<v>492</v>
-</b>
-<b>
-<a>105</a>
-<b>123</b>
+<a>48</a>
+<b>64</b>
 <v>482</v>
 </b>
 <b>
-<a>123</a>
-<b>148</b>
-<v>470</v>
+<a>64</a>
+<b>82</b>
+<v>475</v>
 </b>
 <b>
-<a>148</a>
-<b>186</b>
-<v>471</v>
+<a>82</a>
+<b>109</b>
+<v>472</v>
 </b>
 <b>
-<a>186</a>
+<a>109</a>
+<b>161</b>
+<v>485</v>
+</b>
+<b>
+<a>161</a>
 <b>1038</b>
-<v>405</v>
+<v>454</v>
 </b>
 </bs>
 </hist>
@@ -9182,62 +9087,57 @@
 <b>
 <a>1</a>
 <b>2</b>
-<v>4162</v>
+<v>2678</v>
 </b>
 <b>
 <a>2</a>
 <b>3</b>
-<v>30683</v>
+<v>41791</v>
 </b>
 <b>
 <a>3</a>
 <b>4</b>
-<v>15895</v>
+<v>15680</v>
 </b>
 <b>
 <a>4</a>
 <b>5</b>
-<v>16240</v>
+<v>16871</v>
 </b>
 <b>
 <a>5</a>
 <b>6</b>
-<v>9901</v>
+<v>8775</v>
 </b>
 <b>
 <a>6</a>
-<b>8</b>
-<v>13419</v>
+<b>9</b>
+<v>12511</v>
 </b>
 <b>
-<a>8</a>
-<b>13</b>
-<v>13922</v>
+<a>9</a>
+<b>99</b>
+<v>11909</v>
 </b>
 <b>
-<a>13</a>
-<b>101</b>
-<v>14156</v>
+<a>99</a>
+<b>109</b>
+<v>11941</v>
 </b>
 <b>
-<a>101</a>
-<b>117</b>
-<v>12388</v>
+<a>109</a>
+<b>164</b>
+<v>11942</v>
 </b>
 <b>
-<a>117</a>
-<b>182</b>
-<v>12566</v>
+<a>164</a>
+<b>250</b>
+<v>11862</v>
 </b>
 <b>
-<a>182</a>
-<b>301</b>
-<v>12379</v>
-</b>
-<b>
-<a>301</a>
-<b>10779</b>
-<v>9050</v>
+<a>250</a>
+<b>7392</b>
+<v>11456</v>
 </b>
 </bs>
 </hist>
@@ -9253,37 +9153,42 @@
 <b>
 <a>1</a>
 <b>2</b>
-<v>72393</v>
+<v>92520</v>
 </b>
 <b>
 <a>2</a>
-<b>3</b>
-<v>30311</v>
+<b>18</b>
+<v>11816</v>
 </b>
 <b>
-<a>3</a>
-<b>38</b>
-<v>12530</v>
+<a>18</a>
+<b>50</b>
+<v>6689</v>
 </b>
 <b>
-<a>38</a>
-<b>52</b>
-<v>14355</v>
+<a>50</a>
+<b>51</b>
+<v>10035</v>
 </b>
 <b>
-<a>52</a>
-<b>78</b>
-<v>12367</v>
+<a>51</a>
+<b>65</b>
+<v>12205</v>
 </b>
 <b>
-<a>78</a>
-<b>118</b>
-<v>12665</v>
+<a>65</a>
+<b>105</b>
+<v>12183</v>
 </b>
 <b>
-<a>118</a>
-<b>6164</b>
-<v>10140</v>
+<a>105</a>
+<b>708</b>
+<v>11807</v>
+</b>
+<b>
+<a>709</a>
+<b>5267</b>
+<v>161</v>
 </b>
 </bs>
 </hist>
@@ -9299,57 +9204,52 @@
 <b>
 <a>1</a>
 <b>2</b>
-<v>23472</v>
+<v>28742</v>
 </b>
 <b>
 <a>2</a>
 <b>3</b>
-<v>30017</v>
+<v>36135</v>
 </b>
 <b>
 <a>3</a>
 <b>4</b>
-<v>11007</v>
+<v>6197</v>
 </b>
 <b>
 <a>4</a>
 <b>5</b>
-<v>22184</v>
+<v>27310</v>
 </b>
 <b>
 <a>5</a>
 <b>6</b>
-<v>10198</v>
+<v>6023</v>
 </b>
 <b>
 <a>6</a>
 <b>7</b>
-<v>11742</v>
+<v>11735</v>
 </b>
 <b>
 <a>7</a>
-<b>9</b>
-<v>13753</v>
-</b>
-<b>
-<a>9</a>
-<b>12</b>
+<b>10</b>
 <v>13098</v>
 </b>
 <b>
-<a>12</a>
-<b>19</b>
-<v>12775</v>
+<a>10</a>
+<b>16</b>
+<v>12302</v>
 </b>
 <b>
-<a>19</a>
-<b>66</b>
-<v>12384</v>
+<a>16</a>
+<b>48</b>
+<v>11897</v>
 </b>
 <b>
-<a>66</a>
-<b>352</b>
-<v>4131</v>
+<a>48</a>
+<b>335</b>
+<v>3977</v>
 </b>
 </bs>
 </hist>
@@ -9365,32 +9265,27 @@
 <b>
 <a>1</a>
 <b>2</b>
-<v>67387</v>
+<v>72276</v>
 </b>
 <b>
 <a>2</a>
 <b>3</b>
-<v>51814</v>
+<v>48541</v>
 </b>
 <b>
 <a>3</a>
 <b>4</b>
-<v>18655</v>
+<v>14456</v>
 </b>
 <b>
 <a>4</a>
 <b>6</b>
-<v>13945</v>
+<v>12667</v>
 </b>
 <b>
 <a>6</a>
-<b>35</b>
-<v>12405</v>
-</b>
-<b>
-<a>35</a>
 <b>306</b>
-<v>555</v>
+<v>9476</v>
 </b>
 </bs>
 </hist>
@@ -9406,62 +9301,57 @@
 <b>
 <a>1</a>
 <b>2</b>
-<v>4192</v>
+<v>2731</v>
 </b>
 <b>
 <a>2</a>
 <b>3</b>
-<v>31626</v>
+<v>43580</v>
 </b>
 <b>
 <a>3</a>
 <b>4</b>
-<v>16669</v>
+<v>16640</v>
 </b>
 <b>
 <a>4</a>
 <b>5</b>
-<v>18712</v>
+<v>20845</v>
 </b>
 <b>
 <a>5</a>
 <b>6</b>
-<v>12090</v>
+<v>11859</v>
 </b>
 <b>
 <a>6</a>
 <b>7</b>
-<v>10186</v>
+<v>9405</v>
 </b>
 <b>
 <a>7</a>
 <b>9</b>
-<v>14627</v>
+<v>11941</v>
 </b>
 <b>
 <a>9</a>
-<b>12</b>
-<v>14502</v>
+<b>14</b>
+<v>13283</v>
 </b>
 <b>
-<a>12</a>
-<b>17</b>
-<v>13374</v>
+<a>14</a>
+<b>24</b>
+<v>12004</v>
 </b>
 <b>
-<a>17</a>
-<b>29</b>
-<v>12449</v>
+<a>24</a>
+<b>94</b>
+<v>11811</v>
 </b>
 <b>
-<a>29</a>
-<b>111</b>
-<v>12415</v>
-</b>
-<b>
-<a>111</a>
-<b>389</b>
-<v>3919</v>
+<a>94</a>
+<b>378</b>
+<v>3317</v>
 </b>
 </bs>
 </hist>
@@ -9477,22 +9367,22 @@
 <b>
 <a>1</a>
 <b>2</b>
-<v>352</v>
+<v>351</v>
 </b>
 <b>
 <a>2</a>
 <b>3</b>
-<v>184</v>
+<v>185</v>
 </b>
 <b>
 <a>3</a>
 <b>4</b>
-<v>101</v>
+<v>100</v>
 </b>
 <b>
 <a>4</a>
 <b>6</b>
-<v>129</v>
+<v>128</v>
 </b>
 <b>
 <a>6</a>
@@ -9501,33 +9391,33 @@
 </b>
 <b>
 <a>13</a>
-<b>40</b>
-<v>111</v>
+<b>39</b>
+<v>109</v>
 </b>
 <b>
-<a>40</a>
-<b>110</b>
-<v>111</v>
+<a>39</a>
+<b>106</b>
+<v>109</v>
 </b>
 <b>
-<a>112</a>
-<b>476</b>
-<v>110</v>
+<a>106</a>
+<b>392</b>
+<v>109</v>
 </b>
 <b>
-<a>490</a>
-<b>5416</b>
-<v>110</v>
+<a>400</a>
+<b>3801</b>
+<v>109</v>
 </b>
 <b>
-<a>5448</a>
-<b>74978</b>
-<v>110</v>
+<a>4033</a>
+<b>35252</b>
+<v>109</v>
 </b>
 <b>
-<a>76214</a>
-<b>2221217</b>
-<v>24</v>
+<a>37256</a>
+<b>1800792</b>
+<v>30</v>
 </b>
 </bs>
 </hist>
@@ -9543,17 +9433,17 @@
 <b>
 <a>1</a>
 <b>2</b>
-<v>482</v>
+<v>481</v>
 </b>
 <b>
 <a>2</a>
 <b>3</b>
-<v>187</v>
+<v>188</v>
 </b>
 <b>
 <a>3</a>
 <b>4</b>
-<v>115</v>
+<v>113</v>
 </b>
 <b>
 <a>4</a>
@@ -9563,31 +9453,31 @@
 <b>
 <a>6</a>
 <b>11</b>
-<v>115</v>
+<v>117</v>
 </b>
 <b>
 <a>11</a>
-<b>58</b>
+<b>59</b>
 <v>110</v>
 </b>
 <b>
-<a>58</a>
-<b>194</b>
-<v>110</v>
+<a>59</a>
+<b>177</b>
+<v>109</v>
 </b>
 <b>
-<a>195</a>
-<b>1097</b>
-<v>110</v>
+<a>177</a>
+<b>695</b>
+<v>109</v>
 </b>
 <b>
-<a>1112</a>
-<b>3851</b>
-<v>110</v>
+<a>698</a>
+<b>2521</b>
+<v>109</v>
 </b>
 <b>
-<a>3881</a>
-<b>6230</b>
+<a>2548</a>
+<b>6053</b>
 <v>8</v>
 </b>
 </bs>
@@ -9614,12 +9504,12 @@
 <b>
 <a>3</a>
 <b>4</b>
-<v>114</v>
+<v>112</v>
 </b>
 <b>
 <a>4</a>
 <b>7</b>
-<v>110</v>
+<v>109</v>
 </b>
 <b>
 <a>7</a>
@@ -9628,28 +9518,28 @@
 </b>
 <b>
 <a>18</a>
-<b>54</b>
-<v>113</v>
+<b>53</b>
+<v>111</v>
 </b>
 <b>
-<a>54</a>
-<b>139</b>
-<v>110</v>
+<a>53</a>
+<b>128</b>
+<v>109</v>
 </b>
 <b>
-<a>140</a>
-<b>803</b>
-<v>110</v>
+<a>128</a>
+<b>585</b>
+<v>109</v>
 </b>
 <b>
-<a>804</a>
-<b>6771</b>
-<v>110</v>
+<a>602</a>
+<b>4407</b>
+<v>109</v>
 </b>
 <b>
-<a>6786</a>
+<a>4493</a>
 <b>116262</b>
-<v>79</v>
+<v>84</v>
 </b>
 </bs>
 </hist>
@@ -9675,12 +9565,12 @@
 <b>
 <a>3</a>
 <b>4</b>
-<v>114</v>
+<v>112</v>
 </b>
 <b>
 <a>4</a>
 <b>7</b>
-<v>110</v>
+<v>109</v>
 </b>
 <b>
 <a>7</a>
@@ -9689,28 +9579,28 @@
 </b>
 <b>
 <a>18</a>
-<b>54</b>
-<v>113</v>
+<b>53</b>
+<v>111</v>
 </b>
 <b>
-<a>54</a>
-<b>139</b>
-<v>110</v>
+<a>53</a>
+<b>129</b>
+<v>109</v>
 </b>
 <b>
-<a>140</a>
-<b>797</b>
-<v>110</v>
+<a>129</a>
+<b>586</b>
+<v>109</v>
 </b>
 <b>
-<a>803</a>
-<b>6771</b>
-<v>110</v>
+<a>603</a>
+<b>4408</b>
+<v>109</v>
 </b>
 <b>
-<a>6783</a>
-<b>124736</b>
-<v>79</v>
+<a>4493</a>
+<b>124735</b>
+<v>84</v>
 </b>
 </bs>
 </hist>
@@ -9726,17 +9616,17 @@
 <b>
 <a>1</a>
 <b>2</b>
-<v>423</v>
+<v>422</v>
 </b>
 <b>
 <a>2</a>
 <b>3</b>
-<v>229</v>
+<v>230</v>
 </b>
 <b>
 <a>3</a>
 <b>4</b>
-<v>96</v>
+<v>93</v>
 </b>
 <b>
 <a>4</a>
@@ -9750,28 +9640,28 @@
 </b>
 <b>
 <a>12</a>
-<b>25</b>
-<v>114</v>
+<b>24</b>
+<v>112</v>
 </b>
 <b>
-<a>25</a>
-<b>53</b>
+<a>24</a>
+<b>48</b>
 <v>110</v>
 </b>
 <b>
-<a>53</a>
-<b>108</b>
-<v>111</v>
+<a>48</a>
+<b>103</b>
+<v>109</v>
 </b>
 <b>
-<a>108</a>
-<b>204</b>
-<v>111</v>
+<a>103</a>
+<b>176</b>
+<v>110</v>
 </b>
 <b>
-<a>204</a>
-<b>727</b>
-<v>38</v>
+<a>176</a>
+<b>724</b>
+<v>43</v>
 </b>
 </bs>
 </hist>
@@ -9787,62 +9677,57 @@
 <b>
 <a>1</a>
 <b>2</b>
-<v>30737</v>
+<v>43052</v>
 </b>
 <b>
 <a>2</a>
 <b>3</b>
-<v>14516</v>
+<v>15495</v>
 </b>
 <b>
 <a>3</a>
 <b>4</b>
-<v>16816</v>
+<v>16141</v>
 </b>
 <b>
 <a>4</a>
 <b>5</b>
-<v>12515</v>
+<v>11843</v>
 </b>
 <b>
 <a>5</a>
-<b>6</b>
-<v>10358</v>
+<b>7</b>
+<v>15117</v>
 </b>
 <b>
-<a>6</a>
-<b>9</b>
-<v>14908</v>
-</b>
-<b>
-<a>9</a>
+<a>7</a>
 <b>51</b>
-<v>14736</v>
+<v>13292</v>
 </b>
 <b>
 <a>51</a>
-<b>64</b>
-<v>13405</v>
+<b>67</b>
+<v>13277</v>
 </b>
 <b>
-<a>64</a>
-<b>109</b>
-<v>13432</v>
+<a>67</a>
+<b>108</b>
+<v>13666</v>
 </b>
 <b>
-<a>109</a>
+<a>108</a>
 <b>170</b>
-<v>13423</v>
+<v>13281</v>
 </b>
 <b>
 <a>170</a>
-<b>277</b>
-<v>13376</v>
+<b>273</b>
+<v>13192</v>
 </b>
 <b>
-<a>277</a>
-<b>10684</b>
-<v>9489</v>
+<a>273</a>
+<b>6927</b>
+<v>7495</v>
 </b>
 </bs>
 </hist>
@@ -9858,37 +9743,37 @@
 <b>
 <a>1</a>
 <b>2</b>
-<v>74588</v>
+<v>102373</v>
 </b>
 <b>
 <a>2</a>
-<b>3</b>
-<v>32294</v>
+<b>50</b>
+<v>10686</v>
 </b>
 <b>
-<a>3</a>
+<a>50</a>
 <b>51</b>
-<v>15349</v>
+<v>14316</v>
 </b>
 <b>
 <a>51</a>
-<b>53</b>
-<v>14844</v>
+<b>61</b>
+<v>13298</v>
 </b>
 <b>
-<a>53</a>
-<b>91</b>
-<v>13581</v>
+<a>61</a>
+<b>105</b>
+<v>13198</v>
 </b>
 <b>
-<a>91</a>
-<b>136</b>
-<v>14119</v>
+<a>105</a>
+<b>140</b>
+<v>13318</v>
 </b>
 <b>
-<a>136</a>
-<b>5697</b>
-<v>12936</v>
+<a>140</a>
+<b>5438</b>
+<v>8662</v>
 </b>
 </bs>
 </hist>
@@ -9904,27 +9789,27 @@
 <b>
 <a>1</a>
 <b>2</b>
-<v>94269</v>
+<v>108963</v>
 </b>
 <b>
 <a>2</a>
 <b>3</b>
-<v>38081</v>
+<v>30801</v>
 </b>
 <b>
 <a>3</a>
 <b>4</b>
-<v>18056</v>
+<v>14008</v>
 </b>
 <b>
 <a>4</a>
-<b>6</b>
-<v>14158</v>
+<b>7</b>
+<v>15017</v>
 </b>
 <b>
-<a>6</a>
-<b>61</b>
-<v>13147</v>
+<a>7</a>
+<b>50</b>
+<v>7062</v>
 </b>
 </bs>
 </hist>
@@ -9940,57 +9825,52 @@
 <b>
 <a>1</a>
 <b>2</b>
-<v>31574</v>
+<v>44241</v>
 </b>
 <b>
 <a>2</a>
 <b>3</b>
-<v>28818</v>
+<v>33451</v>
 </b>
 <b>
 <a>3</a>
 <b>4</b>
-<v>12788</v>
+<v>9654</v>
 </b>
 <b>
 <a>4</a>
 <b>5</b>
-<v>19691</v>
+<v>22023</v>
 </b>
 <b>
 <a>5</a>
 <b>6</b>
-<v>11851</v>
+<v>9633</v>
 </b>
 <b>
 <a>6</a>
 <b>7</b>
-<v>11679</v>
+<v>10956</v>
 </b>
 <b>
 <a>7</a>
-<b>9</b>
-<v>15127</v>
+<b>10</b>
+<v>15510</v>
 </b>
 <b>
-<a>9</a>
-<b>12</b>
-<v>14463</v>
+<a>10</a>
+<b>16</b>
+<v>13744</v>
 </b>
 <b>
-<a>12</a>
-<b>18</b>
-<v>13365</v>
+<a>16</a>
+<b>55</b>
+<v>13266</v>
 </b>
 <b>
-<a>18</a>
-<b>58</b>
-<v>13379</v>
-</b>
-<b>
-<a>58</a>
-<b>353</b>
-<v>4976</v>
+<a>55</a>
+<b>334</b>
+<v>3373</v>
 </b>
 </bs>
 </hist>
@@ -10006,62 +9886,57 @@
 <b>
 <a>1</a>
 <b>2</b>
-<v>31277</v>
+<v>43633</v>
 </b>
 <b>
 <a>2</a>
 <b>3</b>
-<v>18344</v>
+<v>19238</v>
 </b>
 <b>
 <a>3</a>
 <b>4</b>
-<v>19309</v>
+<v>20512</v>
 </b>
 <b>
 <a>4</a>
 <b>5</b>
-<v>15250</v>
+<v>15969</v>
 </b>
 <b>
 <a>5</a>
 <b>6</b>
-<v>13461</v>
+<v>14483</v>
 </b>
 <b>
 <a>6</a>
 <b>7</b>
-<v>9784</v>
+<v>8953</v>
 </b>
 <b>
 <a>7</a>
 <b>9</b>
-<v>14539</v>
+<v>12318</v>
 </b>
 <b>
 <a>9</a>
-<b>12</b>
-<v>13944</v>
+<b>14</b>
+<v>13943</v>
 </b>
 <b>
-<a>12</a>
-<b>17</b>
-<v>13345</v>
+<a>14</a>
+<b>27</b>
+<v>13475</v>
 </b>
 <b>
-<a>17</a>
-<b>32</b>
-<v>13515</v>
+<a>27</a>
+<b>206</b>
+<v>13190</v>
 </b>
 <b>
-<a>32</a>
-<b>156</b>
-<v>13332</v>
-</b>
-<b>
-<a>156</a>
-<b>388</b>
-<v>1611</v>
+<a>206</a>
+<b>378</b>
+<v>137</v>
 </b>
 </bs>
 </hist>
@@ -10077,12 +9952,12 @@
 <b>
 <a>1</a>
 <b>2</b>
-<v>406</v>
+<v>393</v>
 </b>
 <b>
 <a>2</a>
 <b>3</b>
-<v>205</v>
+<v>202</v>
 </b>
 <b>
 <a>3</a>
@@ -10092,42 +9967,42 @@
 <b>
 <a>4</a>
 <b>7</b>
-<v>126</v>
+<v>122</v>
 </b>
 <b>
 <a>7</a>
 <b>51</b>
-<v>124</v>
+<v>123</v>
 </b>
 <b>
 <a>51</a>
-<b>122</b>
-<v>126</v>
-</b>
-<b>
-<a>122</a>
-<b>325</b>
+<b>121</b>
 <v>124</v>
 </b>
 <b>
-<a>328</a>
-<b>1118</b>
-<v>124</v>
+<a>121</a>
+<b>301</b>
+<v>122</v>
 </b>
 <b>
-<a>1126</a>
-<b>9599</b>
-<v>124</v>
+<a>311</a>
+<b>1031</b>
+<v>122</v>
 </b>
 <b>
-<a>9617</a>
-<b>82632</b>
-<v>124</v>
+<a>1037</a>
+<b>6674</b>
+<v>122</v>
 </b>
 <b>
-<a>82675</a>
-<b>908062</b>
-<v>42</v>
+<a>6754</a>
+<b>56985</b>
+<v>122</v>
+</b>
+<b>
+<a>57295</a>
+<b>866412</b>
+<v>52</v>
 </b>
 </bs>
 </hist>
@@ -10143,52 +10018,52 @@
 <b>
 <a>1</a>
 <b>2</b>
-<v>521</v>
+<v>507</v>
 </b>
 <b>
 <a>2</a>
 <b>3</b>
-<v>186</v>
+<v>182</v>
 </b>
 <b>
 <a>3</a>
 <b>4</b>
-<v>119</v>
+<v>120</v>
 </b>
 <b>
 <a>4</a>
 <b>9</b>
-<v>130</v>
-</b>
-<b>
-<a>9</a>
-<b>62</b>
-<v>132</v>
-</b>
-<b>
-<a>62</a>
-<b>128</b>
 <v>127</v>
 </b>
 <b>
-<a>129</a>
-<b>222</b>
-<v>124</v>
+<a>9</a>
+<b>61</b>
+<v>125</v>
 </b>
 <b>
-<a>222</a>
-<b>710</b>
-<v>124</v>
+<a>61</a>
+<b>124</b>
+<v>123</v>
 </b>
 <b>
-<a>716</a>
-<b>3687</b>
-<v>124</v>
+<a>124</a>
+<b>205</b>
+<v>122</v>
 </b>
 <b>
-<a>3691</a>
-<b>5367</b>
-<v>54</v>
+<a>206</a>
+<b>441</b>
+<v>122</v>
+</b>
+<b>
+<a>441</a>
+<b>1921</b>
+<v>122</v>
+</b>
+<b>
+<a>1944</a>
+<b>4225</b>
+<v>70</v>
 </b>
 </bs>
 </hist>
@@ -10204,12 +10079,12 @@
 <b>
 <a>1</a>
 <b>2</b>
-<v>414</v>
+<v>400</v>
 </b>
 <b>
 <a>2</a>
 <b>3</b>
-<v>211</v>
+<v>209</v>
 </b>
 <b>
 <a>3</a>
@@ -10219,42 +10094,42 @@
 <b>
 <a>4</a>
 <b>6</b>
-<v>127</v>
+<v>123</v>
 </b>
 <b>
 <a>6</a>
 <b>14</b>
-<v>131</v>
+<v>130</v>
 </b>
 <b>
 <a>14</a>
-<b>44</b>
-<v>125</v>
+<b>43</b>
+<v>123</v>
 </b>
 <b>
-<a>44</a>
-<b>124</b>
-<v>124</v>
+<a>43</a>
+<b>120</b>
+<v>123</v>
 </b>
 <b>
-<a>126</a>
-<b>541</b>
-<v>124</v>
+<a>121</a>
+<b>466</b>
+<v>122</v>
 </b>
 <b>
-<a>549</a>
-<b>5838</b>
-<v>124</v>
+<a>471</a>
+<b>4055</b>
+<v>122</v>
 </b>
 <b>
-<a>6139</a>
-<b>19147</b>
-<v>124</v>
+<a>4055</a>
+<b>13772</b>
+<v>122</v>
 </b>
 <b>
-<a>19459</a>
-<b>47830</b>
-<v>14</v>
+<a>13909</a>
+<b>47532</b>
+<v>23</v>
 </b>
 </bs>
 </hist>
@@ -10270,22 +10145,22 @@
 <b>
 <a>1</a>
 <b>2</b>
-<v>518</v>
+<v>502</v>
 </b>
 <b>
 <a>2</a>
 <b>3</b>
-<v>232</v>
+<v>231</v>
 </b>
 <b>
 <a>3</a>
 <b>4</b>
-<v>96</v>
+<v>95</v>
 </b>
 <b>
 <a>4</a>
 <b>7</b>
-<v>147</v>
+<v>146</v>
 </b>
 <b>
 <a>7</a>
@@ -10294,28 +10169,28 @@
 </b>
 <b>
 <a>16</a>
-<b>34</b>
-<v>124</v>
-</b>
-<b>
-<a>34</a>
-<b>83</b>
-<v>128</v>
-</b>
-<b>
-<a>83</a>
-<b>114</b>
-<v>125</v>
-</b>
-<b>
-<a>114</a>
-<b>164</b>
+<b>33</b>
 <v>127</v>
 </b>
 <b>
-<a>164</a>
-<b>338</b>
-<v>11</v>
+<a>33</a>
+<b>78</b>
+<v>122</v>
+</b>
+<b>
+<a>78</a>
+<b>107</b>
+<v>122</v>
+</b>
+<b>
+<a>107</a>
+<b>151</b>
+<v>124</v>
+</b>
+<b>
+<a>151</a>
+<b>337</b>
+<v>18</v>
 </b>
 </bs>
 </hist>
@@ -10331,7 +10206,7 @@
 <b>
 <a>1</a>
 <b>2</b>
-<v>416</v>
+<v>400</v>
 </b>
 <b>
 <a>2</a>
@@ -10346,42 +10221,95 @@
 <b>
 <a>4</a>
 <b>6</b>
-<v>127</v>
+<v>123</v>
 </b>
 <b>
 <a>6</a>
 <b>14</b>
-<v>131</v>
+<v>130</v>
 </b>
 <b>
 <a>14</a>
-<b>44</b>
-<v>125</v>
+<b>43</b>
+<v>123</v>
 </b>
 <b>
-<a>44</a>
-<b>124</b>
-<v>124</v>
+<a>43</a>
+<b>120</b>
+<v>123</v>
 </b>
 <b>
-<a>126</a>
-<b>537</b>
-<v>124</v>
+<a>121</a>
+<b>466</b>
+<v>122</v>
 </b>
 <b>
-<a>541</a>
-<b>5829</b>
-<v>124</v>
+<a>475</a>
+<b>4050</b>
+<v>122</v>
 </b>
 <b>
-<a>6123</a>
-<b>19057</b>
-<v>124</v>
+<a>4064</a>
+<b>13686</b>
+<v>122</v>
 </b>
 <b>
-<a>19443</a>
-<b>47820</b>
-<v>14</v>
+<a>13833</a>
+<b>47528</b>
+<v>23</v>
+</b>
+</bs>
+</hist>
+</val>
+</dep>
+</dependencies>
+</relation>
+<relation>
+<name>locations_mapped</name>
+<cardinality>248620</cardinality>
+<columnsizes>
+<e>
+<k>id</k>
+<v>248620</v>
+</e>
+<e>
+<k>mapped_to</k>
+<v>211461</v>
+</e>
+</columnsizes>
+<dependencies>
+<dep>
+<src>id</src>
+<trg>mapped_to</trg>
+<val>
+<hist>
+<budget>12</budget>
+<bs>
+<b>
+<a>1</a>
+<b>2</b>
+<v>248620</v>
+</b>
+</bs>
+</hist>
+</val>
+</dep>
+<dep>
+<src>mapped_to</src>
+<trg>id</trg>
+<val>
+<hist>
+<budget>12</budget>
+<bs>
+<b>
+<a>1</a>
+<b>2</b>
+<v>205510</v>
+</b>
+<b>
+<a>2</a>
+<b>119</b>
+<v>5951</v>
 </b>
 </bs>
 </hist>
@@ -10391,23 +10319,23 @@
 </relation>
 <relation>
 <name>numlines</name>
-<cardinality>4585662</cardinality>
+<cardinality>4532217</cardinality>
 <columnsizes>
 <e>
 <k>element_id</k>
-<v>4585655</v>
+<v>4532216</v>
 </e>
 <e>
 <k>num_lines</k>
-<v>1354</v>
+<v>1349</v>
 </e>
 <e>
 <k>num_code</k>
-<v>1247</v>
+<v>1242</v>
 </e>
 <e>
 <k>num_comment</k>
-<v>637</v>
+<v>635</v>
 </e>
 </columnsizes>
 <dependencies>
@@ -10421,12 +10349,12 @@
 <b>
 <a>1</a>
 <b>2</b>
-<v>4585648</v>
+<v>4532215</v>
 </b>
 <b>
 <a>2</a>
 <b>3</b>
-<v>7</v>
+<v>1</v>
 </b>
 </bs>
 </hist>
@@ -10442,12 +10370,12 @@
 <b>
 <a>1</a>
 <b>2</b>
-<v>4585648</v>
+<v>4532215</v>
 </b>
 <b>
 <a>2</a>
 <b>3</b>
-<v>7</v>
+<v>1</v>
 </b>
 </bs>
 </hist>
@@ -10463,12 +10391,7 @@
 <b>
 <a>1</a>
 <b>2</b>
-<v>4585651</v>
-</b>
-<b>
-<a>2</a>
-<b>3</b>
-<v>4</v>
+<v>4532216</v>
 </b>
 </bs>
 </hist>
@@ -10484,37 +10407,37 @@
 <b>
 <a>1</a>
 <b>2</b>
-<v>651</v>
+<v>660</v>
 </b>
 <b>
 <a>2</a>
 <b>3</b>
-<v>207</v>
+<v>208</v>
 </b>
 <b>
 <a>3</a>
 <b>4</b>
-<v>97</v>
+<v>94</v>
 </b>
 <b>
 <a>4</a>
-<b>7</b>
-<v>125</v>
+<b>6</b>
+<v>94</v>
 </b>
 <b>
-<a>7</a>
-<b>19</b>
-<v>105</v>
+<a>6</a>
+<b>12</b>
+<v>108</v>
 </b>
 <b>
-<a>19</a>
-<b>121</b>
-<v>102</v>
+<a>12</a>
+<b>50</b>
+<v>104</v>
 </b>
 <b>
-<a>126</a>
-<b>1600586</b>
-<v>67</v>
+<a>52</a>
+<b>1598592</b>
+<v>81</v>
 </b>
 </bs>
 </hist>
@@ -10530,37 +10453,32 @@
 <b>
 <a>1</a>
 <b>2</b>
-<v>723</v>
+<v>733</v>
 </b>
 <b>
 <a>2</a>
 <b>3</b>
-<v>194</v>
+<v>198</v>
 </b>
 <b>
 <a>3</a>
 <b>4</b>
-<v>106</v>
+<v>99</v>
 </b>
 <b>
 <a>4</a>
 <b>7</b>
-<v>111</v>
+<v>121</v>
 </b>
 <b>
 <a>7</a>
-<b>16</b>
-<v>103</v>
+<b>15</b>
+<v>102</v>
 </b>
 <b>
-<a>16</a>
-<b>35</b>
-<v>104</v>
-</b>
-<b>
-<a>35</a>
-<b>39</b>
-<v>13</v>
+<a>15</a>
+<b>34</b>
+<v>96</v>
 </b>
 </bs>
 </hist>
@@ -10576,37 +10494,32 @@
 <b>
 <a>1</a>
 <b>2</b>
-<v>723</v>
+<v>733</v>
 </b>
 <b>
 <a>2</a>
 <b>3</b>
-<v>196</v>
+<v>198</v>
 </b>
 <b>
 <a>3</a>
 <b>4</b>
-<v>102</v>
+<v>97</v>
 </b>
 <b>
 <a>4</a>
 <b>7</b>
-<v>105</v>
+<v>118</v>
 </b>
 <b>
 <a>7</a>
 <b>17</b>
-<v>104</v>
+<v>109</v>
 </b>
 <b>
 <a>17</a>
-<b>32</b>
-<v>106</v>
-</b>
-<b>
-<a>32</a>
 <b>81</b>
-<v>18</v>
+<v>94</v>
 </b>
 </bs>
 </hist>
@@ -10622,37 +10535,37 @@
 <b>
 <a>1</a>
 <b>2</b>
-<v>647</v>
+<v>651</v>
 </b>
 <b>
 <a>2</a>
 <b>3</b>
-<v>152</v>
+<v>149</v>
 </b>
 <b>
 <a>3</a>
 <b>4</b>
-<v>79</v>
+<v>83</v>
 </b>
 <b>
 <a>4</a>
 <b>6</b>
-<v>93</v>
+<v>99</v>
 </b>
 <b>
 <a>6</a>
 <b>14</b>
-<v>98</v>
+<v>102</v>
 </b>
 <b>
 <a>14</a>
-<b>50</b>
-<v>95</v>
+<b>77</b>
+<v>94</v>
 </b>
 <b>
-<a>52</a>
-<b>1614463</b>
-<v>83</v>
+<a>83</a>
+<b>1607845</b>
+<v>64</v>
 </b>
 </bs>
 </hist>
@@ -10668,37 +10581,32 @@
 <b>
 <a>1</a>
 <b>2</b>
-<v>723</v>
+<v>728</v>
 </b>
 <b>
 <a>2</a>
 <b>3</b>
-<v>143</v>
+<v>140</v>
 </b>
 <b>
 <a>3</a>
 <b>4</b>
-<v>82</v>
+<v>84</v>
 </b>
 <b>
 <a>4</a>
 <b>7</b>
-<v>100</v>
+<v>107</v>
 </b>
 <b>
 <a>7</a>
-<b>19</b>
+<b>18</b>
 <v>96</v>
 </b>
 <b>
-<a>19</a>
-<b>43</b>
-<v>94</v>
-</b>
-<b>
-<a>43</a>
-<b>49</b>
-<v>9</v>
+<a>18</a>
+<b>42</b>
+<v>87</v>
 </b>
 </bs>
 </hist>
@@ -10714,37 +10622,32 @@
 <b>
 <a>1</a>
 <b>2</b>
-<v>723</v>
+<v>728</v>
 </b>
 <b>
 <a>2</a>
 <b>3</b>
-<v>145</v>
+<v>141</v>
 </b>
 <b>
 <a>3</a>
 <b>4</b>
-<v>77</v>
+<v>80</v>
 </b>
 <b>
 <a>4</a>
 <b>7</b>
-<v>102</v>
+<v>106</v>
 </b>
 <b>
 <a>7</a>
-<b>16</b>
-<v>95</v>
-</b>
-<b>
-<a>16</a>
-<b>50</b>
+<b>15</b>
 <v>94</v>
 </b>
 <b>
-<a>50</a>
-<b>85</b>
-<v>11</v>
+<a>15</a>
+<b>83</b>
+<v>93</v>
 </b>
 </bs>
 </hist>
@@ -10765,12 +10668,12 @@
 <b>
 <a>2</a>
 <b>3</b>
-<v>131</v>
+<v>134</v>
 </b>
 <b>
 <a>3</a>
 <b>4</b>
-<v>56</v>
+<v>55</v>
 </b>
 <b>
 <a>4</a>
@@ -10780,17 +10683,17 @@
 <b>
 <a>6</a>
 <b>14</b>
-<v>49</v>
+<v>50</v>
 </b>
 <b>
 <a>14</a>
-<b>173</b>
+<b>178</b>
 <v>48</v>
 </b>
 <b>
-<a>215</a>
-<b>4549173</b>
-<v>19</v>
+<a>178</a>
+<b>4511467</b>
+<v>14</v>
 </b>
 </bs>
 </hist>
@@ -10811,32 +10714,32 @@
 <b>
 <a>2</a>
 <b>3</b>
-<v>135</v>
+<v>138</v>
 </b>
 <b>
 <a>3</a>
 <b>4</b>
-<v>57</v>
+<v>56</v>
 </b>
 <b>
 <a>4</a>
 <b>6</b>
-<v>51</v>
+<v>50</v>
 </b>
 <b>
 <a>6</a>
-<b>16</b>
+<b>15</b>
 <v>49</v>
 </b>
 <b>
-<a>16</a>
-<b>128</b>
-<v>48</v>
+<a>15</a>
+<b>119</b>
+<v>49</v>
 </b>
 <b>
-<a>136</a>
-<b>746</b>
-<v>12</v>
+<a>131</a>
+<b>738</b>
+<v>8</v>
 </b>
 </bs>
 </hist>
@@ -10857,32 +10760,32 @@
 <b>
 <a>2</a>
 <b>3</b>
-<v>135</v>
+<v>139</v>
 </b>
 <b>
 <a>3</a>
 <b>4</b>
-<v>56</v>
+<v>54</v>
 </b>
 <b>
 <a>4</a>
 <b>6</b>
-<v>53</v>
+<v>51</v>
 </b>
 <b>
 <a>6</a>
-<b>16</b>
+<b>15</b>
 <v>48</v>
 </b>
 <b>
-<a>16</a>
-<b>117</b>
-<v>48</v>
+<a>15</a>
+<b>103</b>
+<v>49</v>
 </b>
 <b>
-<a>118</a>
-<b>739</b>
-<v>12</v>
+<a>116</a>
+<b>731</b>
+<v>9</v>
 </b>
 </bs>
 </hist>
@@ -10892,27 +10795,27 @@
 </relation>
 <relation>
 <name>assemblies</name>
-<cardinality>4198</cardinality>
+<cardinality>2160</cardinality>
 <columnsizes>
 <e>
 <k>id</k>
-<v>4198</v>
+<v>2160</v>
 </e>
 <e>
 <k>file</k>
-<v>4198</v>
+<v>2160</v>
 </e>
 <e>
 <k>fullname</k>
-<v>3438</v>
+<v>1769</v>
 </e>
 <e>
 <k>name</k>
-<v>3170</v>
+<v>1631</v>
 </e>
 <e>
 <k>version</k>
-<v>370</v>
+<v>190</v>
 </e>
 </columnsizes>
 <dependencies>
@@ -10926,7 +10829,7 @@
 <b>
 <a>1</a>
 <b>2</b>
-<v>4198</v>
+<v>2160</v>
 </b>
 </bs>
 </hist>
@@ -10942,7 +10845,7 @@
 <b>
 <a>1</a>
 <b>2</b>
-<v>4198</v>
+<v>2160</v>
 </b>
 </bs>
 </hist>
@@ -10958,7 +10861,7 @@
 <b>
 <a>1</a>
 <b>2</b>
-<v>4198</v>
+<v>2160</v>
 </b>
 </bs>
 </hist>
@@ -10974,7 +10877,7 @@
 <b>
 <a>1</a>
 <b>2</b>
-<v>4198</v>
+<v>2160</v>
 </b>
 </bs>
 </hist>
@@ -10990,7 +10893,7 @@
 <b>
 <a>1</a>
 <b>2</b>
-<v>4198</v>
+<v>2160</v>
 </b>
 </bs>
 </hist>
@@ -11006,7 +10909,7 @@
 <b>
 <a>1</a>
 <b>2</b>
-<v>4198</v>
+<v>2160</v>
 </b>
 </bs>
 </hist>
@@ -11022,7 +10925,7 @@
 <b>
 <a>1</a>
 <b>2</b>
-<v>4198</v>
+<v>2160</v>
 </b>
 </bs>
 </hist>
@@ -11038,7 +10941,7 @@
 <b>
 <a>1</a>
 <b>2</b>
-<v>4198</v>
+<v>2160</v>
 </b>
 </bs>
 </hist>
@@ -11054,12 +10957,12 @@
 <b>
 <a>1</a>
 <b>2</b>
-<v>2678</v>
+<v>1378</v>
 </b>
 <b>
 <a>2</a>
 <b>3</b>
-<v>759</v>
+<v>391</v>
 </b>
 </bs>
 </hist>
@@ -11075,12 +10978,12 @@
 <b>
 <a>1</a>
 <b>2</b>
-<v>2678</v>
+<v>1378</v>
 </b>
 <b>
 <a>2</a>
 <b>3</b>
-<v>759</v>
+<v>391</v>
 </b>
 </bs>
 </hist>
@@ -11096,7 +10999,7 @@
 <b>
 <a>1</a>
 <b>2</b>
-<v>3438</v>
+<v>1769</v>
 </b>
 </bs>
 </hist>
@@ -11112,7 +11015,7 @@
 <b>
 <a>1</a>
 <b>2</b>
-<v>3438</v>
+<v>1769</v>
 </b>
 </bs>
 </hist>
@@ -11128,17 +11031,17 @@
 <b>
 <a>1</a>
 <b>2</b>
-<v>2186</v>
+<v>1125</v>
 </b>
 <b>
 <a>2</a>
 <b>3</b>
-<v>940</v>
+<v>483</v>
 </b>
 <b>
 <a>3</a>
 <b>4</b>
-<v>43</v>
+<v>22</v>
 </b>
 </bs>
 </hist>
@@ -11154,17 +11057,17 @@
 <b>
 <a>1</a>
 <b>2</b>
-<v>2186</v>
+<v>1125</v>
 </b>
 <b>
 <a>2</a>
 <b>3</b>
-<v>940</v>
+<v>483</v>
 </b>
 <b>
 <a>3</a>
 <b>4</b>
-<v>43</v>
+<v>22</v>
 </b>
 </bs>
 </hist>
@@ -11180,12 +11083,12 @@
 <b>
 <a>1</a>
 <b>2</b>
-<v>2946</v>
+<v>1516</v>
 </b>
 <b>
 <a>2</a>
 <b>4</b>
-<v>224</v>
+<v>115</v>
 </b>
 </bs>
 </hist>
@@ -11201,12 +11104,12 @@
 <b>
 <a>1</a>
 <b>2</b>
-<v>2946</v>
+<v>1516</v>
 </b>
 <b>
 <a>2</a>
 <b>4</b>
-<v>224</v>
+<v>115</v>
 </b>
 </bs>
 </hist>
@@ -11222,32 +11125,32 @@
 <b>
 <a>1</a>
 <b>2</b>
-<v>204</v>
+<v>105</v>
 </b>
 <b>
 <a>2</a>
 <b>3</b>
-<v>53</v>
+<v>27</v>
 </b>
 <b>
 <a>3</a>
 <b>6</b>
-<v>29</v>
+<v>15</v>
 </b>
 <b>
 <a>6</a>
 <b>10</b>
-<v>34</v>
+<v>17</v>
 </b>
 <b>
 <a>11</a>
 <b>37</b>
-<v>29</v>
+<v>15</v>
 </b>
 <b>
 <a>50</a>
 <b>386</b>
-<v>19</v>
+<v>10</v>
 </b>
 </bs>
 </hist>
@@ -11263,32 +11166,32 @@
 <b>
 <a>1</a>
 <b>2</b>
-<v>204</v>
+<v>105</v>
 </b>
 <b>
 <a>2</a>
 <b>3</b>
-<v>53</v>
+<v>27</v>
 </b>
 <b>
 <a>3</a>
 <b>6</b>
-<v>29</v>
+<v>15</v>
 </b>
 <b>
 <a>6</a>
 <b>10</b>
-<v>34</v>
+<v>17</v>
 </b>
 <b>
 <a>11</a>
 <b>37</b>
-<v>29</v>
+<v>15</v>
 </b>
 <b>
 <a>50</a>
 <b>386</b>
-<v>19</v>
+<v>10</v>
 </b>
 </bs>
 </hist>
@@ -11304,32 +11207,32 @@
 <b>
 <a>1</a>
 <b>2</b>
-<v>209</v>
+<v>107</v>
 </b>
 <b>
 <a>2</a>
 <b>3</b>
-<v>53</v>
+<v>27</v>
 </b>
 <b>
 <a>3</a>
 <b>5</b>
-<v>24</v>
+<v>12</v>
 </b>
 <b>
 <a>6</a>
 <b>10</b>
-<v>34</v>
+<v>17</v>
 </b>
 <b>
 <a>11</a>
 <b>36</b>
-<v>29</v>
+<v>15</v>
 </b>
 <b>
 <a>50</a>
 <b>234</b>
-<v>19</v>
+<v>10</v>
 </b>
 </bs>
 </hist>
@@ -11345,32 +11248,32 @@
 <b>
 <a>1</a>
 <b>2</b>
-<v>209</v>
+<v>107</v>
 </b>
 <b>
 <a>2</a>
 <b>3</b>
-<v>53</v>
+<v>27</v>
 </b>
 <b>
 <a>3</a>
 <b>5</b>
-<v>24</v>
+<v>12</v>
 </b>
 <b>
 <a>6</a>
 <b>10</b>
-<v>34</v>
+<v>17</v>
 </b>
 <b>
 <a>11</a>
 <b>36</b>
-<v>29</v>
+<v>15</v>
 </b>
 <b>
 <a>50</a>
 <b>234</b>
-<v>19</v>
+<v>10</v>
 </b>
 </bs>
 </hist>
@@ -11380,27 +11283,27 @@
 </relation>
 <relation>
 <name>files</name>
-<cardinality>42467</cardinality>
+<cardinality>24351</cardinality>
 <columnsizes>
 <e>
 <k>id</k>
-<v>42467</v>
+<v>24351</v>
 </e>
 <e>
 <k>name</k>
-<v>42467</v>
+<v>24351</v>
 </e>
 <e>
 <k>simple</k>
-<v>22935</v>
+<v>13679</v>
 </e>
 <e>
 <k>ext</k>
-<v>38</v>
+<v>22</v>
 </e>
 <e>
 <k>fromSource</k>
-<v>4</v>
+<v>2</v>
 </e>
 </columnsizes>
 <dependencies>
@@ -11414,7 +11317,7 @@
 <b>
 <a>1</a>
 <b>2</b>
-<v>42467</v>
+<v>24351</v>
 </b>
 </bs>
 </hist>
@@ -11430,7 +11333,7 @@
 <b>
 <a>1</a>
 <b>2</b>
-<v>42467</v>
+<v>24351</v>
 </b>
 </bs>
 </hist>
@@ -11446,7 +11349,7 @@
 <b>
 <a>1</a>
 <b>2</b>
-<v>42467</v>
+<v>24351</v>
 </b>
 </bs>
 </hist>
@@ -11462,7 +11365,7 @@
 <b>
 <a>1</a>
 <b>2</b>
-<v>42467</v>
+<v>24351</v>
 </b>
 </bs>
 </hist>
@@ -11478,7 +11381,7 @@
 <b>
 <a>1</a>
 <b>2</b>
-<v>42467</v>
+<v>24351</v>
 </b>
 </bs>
 </hist>
@@ -11494,7 +11397,7 @@
 <b>
 <a>1</a>
 <b>2</b>
-<v>42467</v>
+<v>24351</v>
 </b>
 </bs>
 </hist>
@@ -11510,7 +11413,7 @@
 <b>
 <a>1</a>
 <b>2</b>
-<v>42467</v>
+<v>24351</v>
 </b>
 </bs>
 </hist>
@@ -11526,7 +11429,7 @@
 <b>
 <a>1</a>
 <b>2</b>
-<v>42467</v>
+<v>24351</v>
 </b>
 </bs>
 </hist>
@@ -11542,12 +11445,12 @@
 <b>
 <a>1</a>
 <b>2</b>
-<v>21528</v>
+<v>12787</v>
 </b>
 <b>
 <a>2</a>
 <b>154</b>
-<v>1407</v>
+<v>892</v>
 </b>
 </bs>
 </hist>
@@ -11563,12 +11466,12 @@
 <b>
 <a>1</a>
 <b>2</b>
-<v>21528</v>
+<v>12787</v>
 </b>
 <b>
 <a>2</a>
 <b>154</b>
-<v>1407</v>
+<v>892</v>
 </b>
 </bs>
 </hist>
@@ -11584,12 +11487,12 @@
 <b>
 <a>1</a>
 <b>2</b>
-<v>22146</v>
+<v>13168</v>
 </b>
 <b>
 <a>2</a>
 <b>5</b>
-<v>789</v>
+<v>511</v>
 </b>
 </bs>
 </hist>
@@ -11605,7 +11508,7 @@
 <b>
 <a>1</a>
 <b>2</b>
-<v>22935</v>
+<v>13679</v>
 </b>
 </bs>
 </hist>
@@ -11621,42 +11524,47 @@
 <b>
 <a>1</a>
 <b>2</b>
-<v>4</v>
+<v>2</v>
 </b>
 <b>
 <a>2</a>
 <b>3</b>
-<v>4</v>
+<v>2</v>
 </b>
 <b>
 <a>6</a>
 <b>7</b>
-<v>4</v>
+<v>2</v>
 </b>
 <b>
 <a>166</a>
 <b>167</b>
-<v>4</v>
+<v>2</v>
 </b>
 <b>
 <a>173</a>
 <b>174</b>
-<v>4</v>
+<v>2</v>
 </b>
 <b>
 <a>861</a>
 <b>862</b>
-<v>4</v>
+<v>2</v>
+</b>
+<b>
+<a>995</a>
+<b>996</b>
+<v>2</v>
 </b>
 <b>
 <a>2875</a>
 <b>2876</b>
-<v>4</v>
+<v>2</v>
 </b>
 <b>
 <a>4635</a>
 <b>4636</b>
-<v>4</v>
+<v>2</v>
 </b>
 </bs>
 </hist>
@@ -11672,42 +11580,47 @@
 <b>
 <a>1</a>
 <b>2</b>
-<v>4</v>
+<v>2</v>
 </b>
 <b>
 <a>2</a>
 <b>3</b>
-<v>4</v>
+<v>2</v>
 </b>
 <b>
 <a>6</a>
 <b>7</b>
-<v>4</v>
+<v>2</v>
 </b>
 <b>
 <a>166</a>
 <b>167</b>
-<v>4</v>
+<v>2</v>
 </b>
 <b>
 <a>173</a>
 <b>174</b>
-<v>4</v>
+<v>2</v>
 </b>
 <b>
 <a>861</a>
 <b>862</b>
-<v>4</v>
+<v>2</v>
+</b>
+<b>
+<a>995</a>
+<b>996</b>
+<v>2</v>
 </b>
 <b>
 <a>2875</a>
 <b>2876</b>
-<v>4</v>
+<v>2</v>
 </b>
 <b>
 <a>4635</a>
 <b>4636</b>
-<v>4</v>
+<v>2</v>
 </b>
 </bs>
 </hist>
@@ -11723,37 +11636,42 @@
 <b>
 <a>1</a>
 <b>2</b>
-<v>4</v>
+<v>2</v>
 </b>
 <b>
 <a>2</a>
 <b>3</b>
-<v>9</v>
+<v>5</v>
 </b>
 <b>
 <a>166</a>
 <b>167</b>
-<v>4</v>
+<v>2</v>
 </b>
 <b>
 <a>169</a>
 <b>170</b>
-<v>4</v>
+<v>2</v>
 </b>
 <b>
 <a>214</a>
 <b>215</b>
-<v>4</v>
+<v>2</v>
 </b>
 <b>
 <a>650</a>
 <b>651</b>
-<v>4</v>
+<v>2</v>
+</b>
+<b>
+<a>790</a>
+<b>791</b>
+<v>2</v>
 </b>
 <b>
 <a>3818</a>
 <b>3819</b>
-<v>4</v>
+<v>2</v>
 </b>
 </bs>
 </hist>
@@ -11769,7 +11687,7 @@
 <b>
 <a>1</a>
 <b>2</b>
-<v>38</v>
+<v>22</v>
 </b>
 </bs>
 </hist>
@@ -11783,9 +11701,9 @@
 <budget>12</budget>
 <bs>
 <b>
-<a>8719</a>
-<b>8720</b>
-<v>4</v>
+<a>9714</a>
+<b>9715</b>
+<v>2</v>
 </b>
 </bs>
 </hist>
@@ -11799,9 +11717,9 @@
 <budget>12</budget>
 <bs>
 <b>
-<a>8719</a>
-<b>8720</b>
-<v>4</v>
+<a>9714</a>
+<b>9715</b>
+<v>2</v>
 </b>
 </bs>
 </hist>
@@ -11815,9 +11733,9 @@
 <budget>12</budget>
 <bs>
 <b>
-<a>4709</a>
-<b>4710</b>
-<v>4</v>
+<a>5457</a>
+<b>5458</b>
+<v>2</v>
 </b>
 </bs>
 </hist>
@@ -11831,9 +11749,9 @@
 <budget>12</budget>
 <bs>
 <b>
-<a>8</a>
-<b>9</b>
-<v>4</v>
+<a>9</a>
+<b>10</b>
+<v>2</v>
 </b>
 </bs>
 </hist>
@@ -11843,19 +11761,19 @@
 </relation>
 <relation>
 <name>folders</name>
-<cardinality>16940</cardinality>
+<cardinality>9177</cardinality>
 <columnsizes>
 <e>
 <k>id</k>
-<v>16940</v>
+<v>9177</v>
 </e>
 <e>
 <k>name</k>
-<v>14723</v>
+<v>8036</v>
 </e>
 <e>
 <k>simple</k>
-<v>2776</v>
+<v>1428</v>
 </e>
 </columnsizes>
 <dependencies>
@@ -11869,7 +11787,7 @@
 <b>
 <a>1</a>
 <b>2</b>
-<v>16940</v>
+<v>9177</v>
 </b>
 </bs>
 </hist>
@@ -11885,7 +11803,7 @@
 <b>
 <a>1</a>
 <b>2</b>
-<v>16940</v>
+<v>9177</v>
 </b>
 </bs>
 </hist>
@@ -11901,7 +11819,7 @@
 <b>
 <a>1</a>
 <b>2</b>
-<v>14723</v>
+<v>8036</v>
 </b>
 </bs>
 </hist>
@@ -11917,12 +11835,12 @@
 <b>
 <a>1</a>
 <b>2</b>
-<v>12507</v>
+<v>6896</v>
 </b>
 <b>
 <a>2</a>
 <b>3</b>
-<v>2216</v>
+<v>1140</v>
 </b>
 </bs>
 </hist>
@@ -11938,27 +11856,27 @@
 <b>
 <a>1</a>
 <b>2</b>
-<v>1821</v>
+<v>842</v>
 </b>
 <b>
 <a>2</a>
 <b>3</b>
-<v>375</v>
+<v>278</v>
 </b>
 <b>
 <a>3</a>
 <b>4</b>
-<v>204</v>
+<v>107</v>
 </b>
 <b>
 <a>4</a>
-<b>11</b>
-<v>209</v>
+<b>10</b>
+<v>107</v>
 </b>
 <b>
-<a>11</a>
+<a>10</a>
 <b>383</b>
-<v>165</v>
+<v>92</v>
 </b>
 </bs>
 </hist>
@@ -11974,27 +11892,27 @@
 <b>
 <a>1</a>
 <b>2</b>
-<v>1821</v>
+<v>842</v>
 </b>
 <b>
 <a>2</a>
 <b>3</b>
-<v>375</v>
+<v>278</v>
 </b>
 <b>
 <a>3</a>
 <b>4</b>
-<v>204</v>
+<v>107</v>
 </b>
 <b>
 <a>4</a>
-<b>11</b>
-<v>209</v>
+<b>10</b>
+<v>107</v>
 </b>
 <b>
-<a>11</a>
+<a>10</a>
 <b>383</b>
-<v>165</v>
+<v>92</v>
 </b>
 </bs>
 </hist>
@@ -12004,15 +11922,15 @@
 </relation>
 <relation>
 <name>containerparent</name>
-<cardinality>57181</cardinality>
+<cardinality>32383</cardinality>
 <columnsizes>
 <e>
 <k>parent</k>
-<v>14723</v>
+<v>8036</v>
 </e>
 <e>
 <k>child</k>
-<v>57181</v>
+<v>32383</v>
 </e>
 </columnsizes>
 <dependencies>
@@ -12026,37 +11944,37 @@
 <b>
 <a>1</a>
 <b>2</b>
-<v>8255</v>
+<v>4356</v>
 </b>
 <b>
 <a>2</a>
 <b>3</b>
-<v>1938</v>
+<v>1070</v>
 </b>
 <b>
 <a>3</a>
 <b>4</b>
-<v>769</v>
+<v>486</v>
 </b>
 <b>
 <a>4</a>
 <b>5</b>
-<v>969</v>
+<v>541</v>
 </b>
 <b>
 <a>5</a>
 <b>9</b>
-<v>1105</v>
+<v>629</v>
 </b>
 <b>
 <a>9</a>
-<b>18</b>
-<v>1139</v>
+<b>17</b>
+<v>609</v>
 </b>
 <b>
-<a>18</a>
+<a>17</a>
 <b>170</b>
-<v>545</v>
+<v>343</v>
 </b>
 </bs>
 </hist>
@@ -12072,7 +11990,7 @@
 <b>
 <a>1</a>
 <b>2</b>
-<v>57181</v>
+<v>32383</v>
 </b>
 </bs>
 </hist>
@@ -12082,15 +12000,15 @@
 </relation>
 <relation>
 <name>file_extraction_mode</name>
-<cardinality>26778</cardinality>
+<cardinality>16276</cardinality>
 <columnsizes>
 <e>
 <k>file</k>
-<v>26778</v>
+<v>16276</v>
 </e>
 <e>
 <k>mode</k>
-<v>4</v>
+<v>2</v>
 </e>
 </columnsizes>
 <dependencies>
@@ -12104,7 +12022,7 @@
 <b>
 <a>1</a>
 <b>2</b>
-<v>26778</v>
+<v>16276</v>
 </b>
 </bs>
 </hist>
@@ -12118,9 +12036,9 @@
 <budget>12</budget>
 <bs>
 <b>
-<a>5498</a>
-<b>5499</b>
-<v>4</v>
+<a>6493</a>
+<b>6494</b>
+<v>2</v>
 </b>
 </bs>
 </hist>
@@ -12130,15 +12048,15 @@
 </relation>
 <relation>
 <name>namespaces</name>
-<cardinality>21942</cardinality>
+<cardinality>11293</cardinality>
 <columnsizes>
 <e>
 <k>id</k>
-<v>21942</v>
+<v>11293</v>
 </e>
 <e>
 <k>name</k>
-<v>4890</v>
+<v>2516</v>
 </e>
 </columnsizes>
 <dependencies>
@@ -12152,7 +12070,7 @@
 <b>
 <a>1</a>
 <b>2</b>
-<v>21942</v>
+<v>11293</v>
 </b>
 </bs>
 </hist>
@@ -12168,37 +12086,37 @@
 <b>
 <a>1</a>
 <b>2</b>
-<v>14</v>
+<v>7</v>
 </b>
 <b>
 <a>2</a>
 <b>3</b>
-<v>3492</v>
+<v>1797</v>
 </b>
 <b>
 <a>3</a>
 <b>4</b>
-<v>4</v>
+<v>2</v>
 </b>
 <b>
 <a>4</a>
 <b>5</b>
-<v>623</v>
+<v>320</v>
 </b>
 <b>
 <a>6</a>
 <b>10</b>
-<v>370</v>
+<v>190</v>
 </b>
 <b>
 <a>10</a>
 <b>101</b>
-<v>370</v>
+<v>190</v>
 </b>
 <b>
 <a>110</a>
 <b>139</b>
-<v>14</v>
+<v>7</v>
 </b>
 </bs>
 </hist>
@@ -12208,15 +12126,15 @@
 </relation>
 <relation>
 <name>namespace_declarations</name>
-<cardinality>19760</cardinality>
+<cardinality>8355</cardinality>
 <columnsizes>
 <e>
 <k>id</k>
-<v>19760</v>
+<v>8355</v>
 </e>
 <e>
 <k>namespace_id</k>
-<v>3886</v>
+<v>1774</v>
 </e>
 </columnsizes>
 <dependencies>
@@ -12230,7 +12148,7 @@
 <b>
 <a>1</a>
 <b>2</b>
-<v>19760</v>
+<v>8355</v>
 </b>
 </bs>
 </hist>
@@ -12246,42 +12164,37 @@
 <b>
 <a>1</a>
 <b>2</b>
-<v>1397</v>
+<v>669</v>
 </b>
 <b>
 <a>2</a>
 <b>3</b>
-<v>798</v>
+<v>406</v>
 </b>
 <b>
 <a>3</a>
 <b>4</b>
-<v>414</v>
+<v>175</v>
 </b>
 <b>
 <a>4</a>
 <b>5</b>
-<v>306</v>
+<v>140</v>
 </b>
 <b>
 <a>5</a>
 <b>6</b>
-<v>224</v>
+<v>110</v>
 </b>
 <b>
 <a>6</a>
 <b>9</b>
-<v>331</v>
+<v>140</v>
 </b>
 <b>
 <a>9</a>
-<b>17</b>
-<v>301</v>
-</b>
-<b>
-<a>17</a>
 <b>996</b>
-<v>112</v>
+<v>132</v>
 </b>
 </bs>
 </hist>
@@ -12291,15 +12204,15 @@
 </relation>
 <relation>
 <name>namespace_declaration_location</name>
-<cardinality>19760</cardinality>
+<cardinality>8355</cardinality>
 <columnsizes>
 <e>
 <k>id</k>
-<v>19760</v>
+<v>8355</v>
 </e>
 <e>
 <k>loc</k>
-<v>19760</v>
+<v>8355</v>
 </e>
 </columnsizes>
 <dependencies>
@@ -12313,7 +12226,7 @@
 <b>
 <a>1</a>
 <b>2</b>
-<v>19760</v>
+<v>8355</v>
 </b>
 </bs>
 </hist>
@@ -12329,7 +12242,7 @@
 <b>
 <a>1</a>
 <b>2</b>
-<v>19760</v>
+<v>8355</v>
 </b>
 </bs>
 </hist>
@@ -12339,15 +12252,15 @@
 </relation>
 <relation>
 <name>parent_namespace</name>
-<cardinality>777067</cardinality>
+<cardinality>388662</cardinality>
 <columnsizes>
 <e>
 <k>child_id</k>
-<v>777067</v>
+<v>388662</v>
 </e>
 <e>
 <k>namespace_id</k>
-<v>13554</v>
+<v>6974</v>
 </e>
 </columnsizes>
 <dependencies>
@@ -12361,7 +12274,7 @@
 <b>
 <a>1</a>
 <b>2</b>
-<v>777067</v>
+<v>388662</v>
 </b>
 </bs>
 </hist>
@@ -12377,57 +12290,57 @@
 <b>
 <a>1</a>
 <b>2</b>
-<v>3326</v>
+<v>1709</v>
 </b>
 <b>
 <a>2</a>
 <b>3</b>
-<v>1626</v>
+<v>842</v>
 </b>
 <b>
 <a>3</a>
 <b>4</b>
-<v>1027</v>
+<v>531</v>
 </b>
 <b>
 <a>4</a>
 <b>5</b>
-<v>915</v>
+<v>468</v>
 </b>
 <b>
 <a>5</a>
 <b>7</b>
-<v>1251</v>
+<v>641</v>
 </b>
 <b>
 <a>7</a>
 <b>10</b>
-<v>1091</v>
+<v>561</v>
 </b>
 <b>
 <a>10</a>
 <b>15</b>
-<v>1139</v>
+<v>589</v>
 </b>
 <b>
 <a>15</a>
 <b>23</b>
-<v>1061</v>
+<v>546</v>
 </b>
 <b>
 <a>23</a>
 <b>51</b>
-<v>1027</v>
+<v>523</v>
 </b>
 <b>
 <a>51</a>
 <b>835</b>
-<v>1017</v>
+<v>523</v>
 </b>
 <b>
 <a>900</a>
-<b>35556</b>
-<v>68</v>
+<b>34743</b>
+<v>35</v>
 </b>
 </bs>
 </hist>
@@ -12437,15 +12350,15 @@
 </relation>
 <relation>
 <name>parent_namespace_declaration</name>
-<cardinality>88304</cardinality>
+<cardinality>43445</cardinality>
 <columnsizes>
 <e>
 <k>child_id</k>
-<v>87788</v>
+<v>43212</v>
 </e>
 <e>
 <k>namespace_id</k>
-<v>19760</v>
+<v>8355</v>
 </e>
 </columnsizes>
 <dependencies>
@@ -12459,12 +12372,12 @@
 <b>
 <a>1</a>
 <b>2</b>
-<v>87637</v>
+<v>43145</v>
 </b>
 <b>
 <a>2</a>
 <b>60</b>
-<v>150</v>
+<v>67</v>
 </b>
 </bs>
 </hist>
@@ -12480,32 +12393,32 @@
 <b>
 <a>1</a>
 <b>2</b>
-<v>13779</v>
+<v>5412</v>
 </b>
 <b>
 <a>2</a>
 <b>9</b>
-<v>1714</v>
+<v>747</v>
 </b>
 <b>
 <a>9</a>
 <b>13</b>
-<v>1276</v>
+<v>656</v>
 </b>
 <b>
 <a>13</a>
 <b>16</b>
-<v>1427</v>
+<v>734</v>
 </b>
 <b>
 <a>16</a>
-<b>32</b>
-<v>1509</v>
+<b>21</b>
+<v>508</v>
 </b>
 <b>
-<a>32</a>
+<a>31</a>
 <b>33</b>
-<v>53</v>
+<v>295</v>
 </b>
 </bs>
 </hist>
@@ -12515,15 +12428,15 @@
 </relation>
 <relation>
 <name>using_namespace_directives</name>
-<cardinality>144253</cardinality>
+<cardinality>66100</cardinality>
 <columnsizes>
 <e>
 <k>id</k>
-<v>144253</v>
+<v>66100</v>
 </e>
 <e>
 <k>namespace_id</k>
-<v>4227</v>
+<v>1990</v>
 </e>
 </columnsizes>
 <dependencies>
@@ -12537,7 +12450,7 @@
 <b>
 <a>1</a>
 <b>2</b>
-<v>144253</v>
+<v>66100</v>
 </b>
 </bs>
 </hist>
@@ -12553,52 +12466,47 @@
 <b>
 <a>1</a>
 <b>2</b>
-<v>1495</v>
+<v>696</v>
 </b>
 <b>
 <a>2</a>
 <b>3</b>
-<v>472</v>
+<v>285</v>
 </b>
 <b>
 <a>3</a>
 <b>4</b>
-<v>297</v>
+<v>115</v>
 </b>
 <b>
 <a>4</a>
-<b>5</b>
-<v>238</v>
+<b>6</b>
+<v>182</v>
 </b>
 <b>
-<a>5</a>
-<b>8</b>
-<v>365</v>
+<a>6</a>
+<b>11</b>
+<v>177</v>
 </b>
 <b>
-<a>8</a>
-<b>14</b>
-<v>336</v>
+<a>11</a>
+<b>21</b>
+<v>177</v>
 </b>
 <b>
-<a>14</a>
-<b>25</b>
-<v>321</v>
+<a>21</a>
+<b>45</b>
+<v>152</v>
 </b>
 <b>
-<a>25</a>
-<b>63</b>
-<v>326</v>
+<a>48</a>
+<b>206</b>
+<v>150</v>
 </b>
 <b>
-<a>64</a>
-<b>465</b>
-<v>321</v>
-</b>
-<b>
-<a>510</a>
-<b>2519</b>
-<v>53</v>
+<a>214</a>
+<b>2199</b>
+<v>50</v>
 </b>
 </bs>
 </hist>
@@ -12608,15 +12516,15 @@
 </relation>
 <relation>
 <name>using_static_directives</name>
-<cardinality>390</cardinality>
+<cardinality>199</cardinality>
 <columnsizes>
 <e>
 <k>id</k>
-<v>390</v>
+<v>199</v>
 </e>
 <e>
 <k>type_id</k>
-<v>54</v>
+<v>32</v>
 </e>
 </columnsizes>
 <dependencies>
@@ -12630,7 +12538,7 @@
 <b>
 <a>1</a>
 <b>2</b>
-<v>390</v>
+<v>199</v>
 </b>
 </bs>
 </hist>
@@ -12646,46 +12554,46 @@
 <b>
 <a>1</a>
 <b>2</b>
-<v>2</v>
+<v>4</v>
 </b>
 <b>
 <a>2</a>
 <b>3</b>
-<v>22</v>
+<v>15</v>
 </b>
 <b>
 <a>3</a>
 <b>4</b>
-<v>4</v>
+<v>1</v>
 </b>
 <b>
 <a>4</a>
 <b>5</b>
-<v>5</v>
+<v>3</v>
 </b>
 <b>
 <a>5</a>
-<b>6</b>
+<b>7</b>
 <v>2</v>
 </b>
 <b>
-<a>6</a>
-<b>7</b>
-<v>5</v>
-</b>
-<b>
-<a>8</a>
+<a>7</a>
 <b>9</b>
-<v>7</v>
+<v>2</v>
 </b>
 <b>
-<a>12</a>
+<a>16</a>
+<b>23</b>
+<v>2</v>
+</b>
+<b>
+<a>26</a>
+<b>27</b>
+<v>1</v>
+</b>
+<b>
+<a>30</a>
 <b>31</b>
-<v>5</v>
-</b>
-<b>
-<a>46</a>
-<b>71</b>
 <v>2</v>
 </b>
 </bs>
@@ -12696,15 +12604,15 @@
 </relation>
 <relation>
 <name>using_directive_location</name>
-<cardinality>144312</cardinality>
+<cardinality>74275</cardinality>
 <columnsizes>
 <e>
 <k>id</k>
-<v>144312</v>
+<v>74275</v>
 </e>
 <e>
 <k>loc</k>
-<v>144268</v>
+<v>74252</v>
 </e>
 </columnsizes>
 <dependencies>
@@ -12718,7 +12626,7 @@
 <b>
 <a>1</a>
 <b>2</b>
-<v>144312</v>
+<v>74275</v>
 </b>
 </bs>
 </hist>
@@ -12734,12 +12642,2175 @@
 <b>
 <a>1</a>
 <b>2</b>
-<v>144224</v>
+<v>74229</v>
 </b>
 <b>
 <a>2</a>
 <b>3</b>
-<v>43</v>
+<v>22</v>
+</b>
+</bs>
+</hist>
+</val>
+</dep>
+</dependencies>
+</relation>
+<relation>
+<name>directive_ifs</name>
+<cardinality>2550</cardinality>
+<columnsizes>
+<e>
+<k>id</k>
+<v>2550</v>
+</e>
+<e>
+<k>branchTaken</k>
+<v>2</v>
+</e>
+<e>
+<k>conditionValue</k>
+<v>2</v>
+</e>
+</columnsizes>
+<dependencies>
+<dep>
+<src>id</src>
+<trg>branchTaken</trg>
+<val>
+<hist>
+<budget>12</budget>
+<bs>
+<b>
+<a>1</a>
+<b>2</b>
+<v>2550</v>
+</b>
+</bs>
+</hist>
+</val>
+</dep>
+<dep>
+<src>id</src>
+<trg>conditionValue</trg>
+<val>
+<hist>
+<budget>12</budget>
+<bs>
+<b>
+<a>1</a>
+<b>2</b>
+<v>2550</v>
+</b>
+</bs>
+</hist>
+</val>
+</dep>
+<dep>
+<src>branchTaken</src>
+<trg>id</trg>
+<val>
+<hist>
+<budget>12</budget>
+<bs>
+<b>
+<a>1194</a>
+<b>1195</b>
+<v>1</v>
+</b>
+<b>
+<a>1219</a>
+<b>1220</b>
+<v>1</v>
+</b>
+</bs>
+</hist>
+</val>
+</dep>
+<dep>
+<src>branchTaken</src>
+<trg>conditionValue</trg>
+<val>
+<hist>
+<budget>12</budget>
+<bs>
+<b>
+<a>1</a>
+<b>2</b>
+<v>1</v>
+</b>
+<b>
+<a>2</a>
+<b>3</b>
+<v>1</v>
+</b>
+</bs>
+</hist>
+</val>
+</dep>
+<dep>
+<src>conditionValue</src>
+<trg>id</trg>
+<val>
+<hist>
+<budget>12</budget>
+<bs>
+<b>
+<a>1199</a>
+<b>1200</b>
+<v>1</v>
+</b>
+<b>
+<a>1214</a>
+<b>1215</b>
+<v>1</v>
+</b>
+</bs>
+</hist>
+</val>
+</dep>
+<dep>
+<src>conditionValue</src>
+<trg>branchTaken</trg>
+<val>
+<hist>
+<budget>12</budget>
+<bs>
+<b>
+<a>1</a>
+<b>2</b>
+<v>1</v>
+</b>
+<b>
+<a>2</a>
+<b>3</b>
+<v>1</v>
+</b>
+</bs>
+</hist>
+</val>
+</dep>
+</dependencies>
+</relation>
+<relation>
+<name>directive_elifs</name>
+<cardinality>7</cardinality>
+<columnsizes>
+<e>
+<k>id</k>
+<v>7</v>
+</e>
+<e>
+<k>branchTaken</k>
+<v>1</v>
+</e>
+<e>
+<k>conditionValue</k>
+<v>2</v>
+</e>
+<e>
+<k>parent</k>
+<v>7</v>
+</e>
+<e>
+<k>index</k>
+<v>1</v>
+</e>
+</columnsizes>
+<dependencies>
+<dep>
+<src>id</src>
+<trg>branchTaken</trg>
+<val>
+<hist>
+<budget>12</budget>
+<bs>
+<b>
+<a>1</a>
+<b>2</b>
+<v>7</v>
+</b>
+</bs>
+</hist>
+</val>
+</dep>
+<dep>
+<src>id</src>
+<trg>conditionValue</trg>
+<val>
+<hist>
+<budget>12</budget>
+<bs>
+<b>
+<a>1</a>
+<b>2</b>
+<v>7</v>
+</b>
+</bs>
+</hist>
+</val>
+</dep>
+<dep>
+<src>id</src>
+<trg>parent</trg>
+<val>
+<hist>
+<budget>12</budget>
+<bs>
+<b>
+<a>1</a>
+<b>2</b>
+<v>7</v>
+</b>
+</bs>
+</hist>
+</val>
+</dep>
+<dep>
+<src>id</src>
+<trg>index</trg>
+<val>
+<hist>
+<budget>12</budget>
+<bs>
+<b>
+<a>1</a>
+<b>2</b>
+<v>7</v>
+</b>
+</bs>
+</hist>
+</val>
+</dep>
+<dep>
+<src>branchTaken</src>
+<trg>id</trg>
+<val>
+<hist>
+<budget>12</budget>
+<bs>
+<b>
+<a>7</a>
+<b>8</b>
+<v>1</v>
+</b>
+</bs>
+</hist>
+</val>
+</dep>
+<dep>
+<src>branchTaken</src>
+<trg>conditionValue</trg>
+<val>
+<hist>
+<budget>12</budget>
+<bs>
+<b>
+<a>2</a>
+<b>3</b>
+<v>1</v>
+</b>
+</bs>
+</hist>
+</val>
+</dep>
+<dep>
+<src>branchTaken</src>
+<trg>parent</trg>
+<val>
+<hist>
+<budget>12</budget>
+<bs>
+<b>
+<a>7</a>
+<b>8</b>
+<v>1</v>
+</b>
+</bs>
+</hist>
+</val>
+</dep>
+<dep>
+<src>branchTaken</src>
+<trg>index</trg>
+<val>
+<hist>
+<budget>12</budget>
+<bs>
+<b>
+<a>1</a>
+<b>2</b>
+<v>1</v>
+</b>
+</bs>
+</hist>
+</val>
+</dep>
+<dep>
+<src>conditionValue</src>
+<trg>id</trg>
+<val>
+<hist>
+<budget>12</budget>
+<bs>
+<b>
+<a>1</a>
+<b>2</b>
+<v>1</v>
+</b>
+<b>
+<a>6</a>
+<b>7</b>
+<v>1</v>
+</b>
+</bs>
+</hist>
+</val>
+</dep>
+<dep>
+<src>conditionValue</src>
+<trg>branchTaken</trg>
+<val>
+<hist>
+<budget>12</budget>
+<bs>
+<b>
+<a>1</a>
+<b>2</b>
+<v>2</v>
+</b>
+</bs>
+</hist>
+</val>
+</dep>
+<dep>
+<src>conditionValue</src>
+<trg>parent</trg>
+<val>
+<hist>
+<budget>12</budget>
+<bs>
+<b>
+<a>1</a>
+<b>2</b>
+<v>1</v>
+</b>
+<b>
+<a>6</a>
+<b>7</b>
+<v>1</v>
+</b>
+</bs>
+</hist>
+</val>
+</dep>
+<dep>
+<src>conditionValue</src>
+<trg>index</trg>
+<val>
+<hist>
+<budget>12</budget>
+<bs>
+<b>
+<a>1</a>
+<b>2</b>
+<v>2</v>
+</b>
+</bs>
+</hist>
+</val>
+</dep>
+<dep>
+<src>parent</src>
+<trg>id</trg>
+<val>
+<hist>
+<budget>12</budget>
+<bs>
+<b>
+<a>1</a>
+<b>2</b>
+<v>7</v>
+</b>
+</bs>
+</hist>
+</val>
+</dep>
+<dep>
+<src>parent</src>
+<trg>branchTaken</trg>
+<val>
+<hist>
+<budget>12</budget>
+<bs>
+<b>
+<a>1</a>
+<b>2</b>
+<v>7</v>
+</b>
+</bs>
+</hist>
+</val>
+</dep>
+<dep>
+<src>parent</src>
+<trg>conditionValue</trg>
+<val>
+<hist>
+<budget>12</budget>
+<bs>
+<b>
+<a>1</a>
+<b>2</b>
+<v>7</v>
+</b>
+</bs>
+</hist>
+</val>
+</dep>
+<dep>
+<src>parent</src>
+<trg>index</trg>
+<val>
+<hist>
+<budget>12</budget>
+<bs>
+<b>
+<a>1</a>
+<b>2</b>
+<v>7</v>
+</b>
+</bs>
+</hist>
+</val>
+</dep>
+<dep>
+<src>index</src>
+<trg>id</trg>
+<val>
+<hist>
+<budget>12</budget>
+<bs>
+<b>
+<a>7</a>
+<b>8</b>
+<v>1</v>
+</b>
+</bs>
+</hist>
+</val>
+</dep>
+<dep>
+<src>index</src>
+<trg>branchTaken</trg>
+<val>
+<hist>
+<budget>12</budget>
+<bs>
+<b>
+<a>1</a>
+<b>2</b>
+<v>1</v>
+</b>
+</bs>
+</hist>
+</val>
+</dep>
+<dep>
+<src>index</src>
+<trg>conditionValue</trg>
+<val>
+<hist>
+<budget>12</budget>
+<bs>
+<b>
+<a>2</a>
+<b>3</b>
+<v>1</v>
+</b>
+</bs>
+</hist>
+</val>
+</dep>
+<dep>
+<src>index</src>
+<trg>parent</trg>
+<val>
+<hist>
+<budget>12</budget>
+<bs>
+<b>
+<a>7</a>
+<b>8</b>
+<v>1</v>
+</b>
+</bs>
+</hist>
+</val>
+</dep>
+</dependencies>
+</relation>
+<relation>
+<name>directive_elses</name>
+<cardinality>1140</cardinality>
+<columnsizes>
+<e>
+<k>id</k>
+<v>1140</v>
+</e>
+<e>
+<k>branchTaken</k>
+<v>2</v>
+</e>
+<e>
+<k>parent</k>
+<v>1140</v>
+</e>
+<e>
+<k>index</k>
+<v>2</v>
+</e>
+</columnsizes>
+<dependencies>
+<dep>
+<src>id</src>
+<trg>branchTaken</trg>
+<val>
+<hist>
+<budget>12</budget>
+<bs>
+<b>
+<a>1</a>
+<b>2</b>
+<v>1140</v>
+</b>
+</bs>
+</hist>
+</val>
+</dep>
+<dep>
+<src>id</src>
+<trg>parent</trg>
+<val>
+<hist>
+<budget>12</budget>
+<bs>
+<b>
+<a>1</a>
+<b>2</b>
+<v>1140</v>
+</b>
+</bs>
+</hist>
+</val>
+</dep>
+<dep>
+<src>id</src>
+<trg>index</trg>
+<val>
+<hist>
+<budget>12</budget>
+<bs>
+<b>
+<a>1</a>
+<b>2</b>
+<v>1140</v>
+</b>
+</bs>
+</hist>
+</val>
+</dep>
+<dep>
+<src>branchTaken</src>
+<trg>id</trg>
+<val>
+<hist>
+<budget>12</budget>
+<bs>
+<b>
+<a>329</a>
+<b>330</b>
+<v>1</v>
+</b>
+<b>
+<a>750</a>
+<b>751</b>
+<v>1</v>
+</b>
+</bs>
+</hist>
+</val>
+</dep>
+<dep>
+<src>branchTaken</src>
+<trg>parent</trg>
+<val>
+<hist>
+<budget>12</budget>
+<bs>
+<b>
+<a>329</a>
+<b>330</b>
+<v>1</v>
+</b>
+<b>
+<a>750</a>
+<b>751</b>
+<v>1</v>
+</b>
+</bs>
+</hist>
+</val>
+</dep>
+<dep>
+<src>branchTaken</src>
+<trg>index</trg>
+<val>
+<hist>
+<budget>12</budget>
+<bs>
+<b>
+<a>2</a>
+<b>3</b>
+<v>2</v>
+</b>
+</bs>
+</hist>
+</val>
+</dep>
+<dep>
+<src>parent</src>
+<trg>id</trg>
+<val>
+<hist>
+<budget>12</budget>
+<bs>
+<b>
+<a>1</a>
+<b>2</b>
+<v>1140</v>
+</b>
+</bs>
+</hist>
+</val>
+</dep>
+<dep>
+<src>parent</src>
+<trg>branchTaken</trg>
+<val>
+<hist>
+<budget>12</budget>
+<bs>
+<b>
+<a>1</a>
+<b>2</b>
+<v>1140</v>
+</b>
+</bs>
+</hist>
+</val>
+</dep>
+<dep>
+<src>parent</src>
+<trg>index</trg>
+<val>
+<hist>
+<budget>12</budget>
+<bs>
+<b>
+<a>1</a>
+<b>2</b>
+<v>1140</v>
+</b>
+</bs>
+</hist>
+</val>
+</dep>
+<dep>
+<src>index</src>
+<trg>id</trg>
+<val>
+<hist>
+<budget>12</budget>
+<bs>
+<b>
+<a>7</a>
+<b>8</b>
+<v>1</v>
+</b>
+<b>
+<a>1072</a>
+<b>1073</b>
+<v>1</v>
+</b>
+</bs>
+</hist>
+</val>
+</dep>
+<dep>
+<src>index</src>
+<trg>branchTaken</trg>
+<val>
+<hist>
+<budget>12</budget>
+<bs>
+<b>
+<a>2</a>
+<b>3</b>
+<v>2</v>
+</b>
+</bs>
+</hist>
+</val>
+</dep>
+<dep>
+<src>index</src>
+<trg>parent</trg>
+<val>
+<hist>
+<budget>12</budget>
+<bs>
+<b>
+<a>7</a>
+<b>8</b>
+<v>1</v>
+</b>
+<b>
+<a>1072</a>
+<b>1073</b>
+<v>1</v>
+</b>
+</bs>
+</hist>
+</val>
+</dep>
+</dependencies>
+</relation>
+<relation>
+<name>directive_endifs</name>
+<cardinality>2550</cardinality>
+<columnsizes>
+<e>
+<k>id</k>
+<v>2550</v>
+</e>
+<e>
+<k>start</k>
+<v>2550</v>
+</e>
+</columnsizes>
+<dependencies>
+<dep>
+<src>id</src>
+<trg>start</trg>
+<val>
+<hist>
+<budget>12</budget>
+<bs>
+<b>
+<a>1</a>
+<b>2</b>
+<v>2550</v>
+</b>
+</bs>
+</hist>
+</val>
+</dep>
+<dep>
+<src>start</src>
+<trg>id</trg>
+<val>
+<hist>
+<budget>12</budget>
+<bs>
+<b>
+<a>1</a>
+<b>2</b>
+<v>2550</v>
+</b>
+</bs>
+</hist>
+</val>
+</dep>
+</dependencies>
+</relation>
+<relation>
+<name>directive_define_symbols</name>
+<cardinality>3314</cardinality>
+<columnsizes>
+<e>
+<k>id</k>
+<v>3314</v>
+</e>
+<e>
+<k>name</k>
+<v>86</v>
+</e>
+</columnsizes>
+<dependencies>
+<dep>
+<src>id</src>
+<trg>name</trg>
+<val>
+<hist>
+<budget>12</budget>
+<bs>
+<b>
+<a>1</a>
+<b>2</b>
+<v>3314</v>
+</b>
+</bs>
+</hist>
+</val>
+</dep>
+<dep>
+<src>name</src>
+<trg>id</trg>
+<val>
+<hist>
+<budget>12</budget>
+<bs>
+<b>
+<a>1</a>
+<b>2</b>
+<v>17</v>
+</b>
+<b>
+<a>2</a>
+<b>3</b>
+<v>8</v>
+</b>
+<b>
+<a>3</a>
+<b>4</b>
+<v>10</v>
+</b>
+<b>
+<a>4</a>
+<b>5</b>
+<v>8</v>
+</b>
+<b>
+<a>5</a>
+<b>6</b>
+<v>7</v>
+</b>
+<b>
+<a>6</a>
+<b>7</b>
+<v>5</v>
+</b>
+<b>
+<a>7</a>
+<b>12</b>
+<v>7</v>
+</b>
+<b>
+<a>13</a>
+<b>23</b>
+<v>6</v>
+</b>
+<b>
+<a>24</a>
+<b>55</b>
+<v>7</v>
+</b>
+<b>
+<a>97</a>
+<b>656</b>
+<v>7</v>
+</b>
+</bs>
+</hist>
+</val>
+</dep>
+</dependencies>
+</relation>
+<relation>
+<name>directive_regions</name>
+<cardinality>565</cardinality>
+<columnsizes>
+<e>
+<k>id</k>
+<v>565</v>
+</e>
+<e>
+<k>name</k>
+<v>216</v>
+</e>
+</columnsizes>
+<dependencies>
+<dep>
+<src>id</src>
+<trg>name</trg>
+<val>
+<hist>
+<budget>12</budget>
+<bs>
+<b>
+<a>1</a>
+<b>2</b>
+<v>565</v>
+</b>
+</bs>
+</hist>
+</val>
+</dep>
+<dep>
+<src>name</src>
+<trg>id</trg>
+<val>
+<hist>
+<budget>12</budget>
+<bs>
+<b>
+<a>1</a>
+<b>2</b>
+<v>6</v>
+</b>
+<b>
+<a>2</a>
+<b>3</b>
+<v>175</v>
+</b>
+<b>
+<a>3</a>
+<b>4</b>
+<v>1</v>
+</b>
+<b>
+<a>4</a>
+<b>5</b>
+<v>26</v>
+</b>
+<b>
+<a>6</a>
+<b>31</b>
+<v>8</v>
+</b>
+</bs>
+</hist>
+</val>
+</dep>
+</dependencies>
+</relation>
+<relation>
+<name>directive_endregions</name>
+<cardinality>565</cardinality>
+<columnsizes>
+<e>
+<k>id</k>
+<v>565</v>
+</e>
+<e>
+<k>start</k>
+<v>565</v>
+</e>
+</columnsizes>
+<dependencies>
+<dep>
+<src>id</src>
+<trg>start</trg>
+<val>
+<hist>
+<budget>12</budget>
+<bs>
+<b>
+<a>1</a>
+<b>2</b>
+<v>565</v>
+</b>
+</bs>
+</hist>
+</val>
+</dep>
+<dep>
+<src>start</src>
+<trg>id</trg>
+<val>
+<hist>
+<budget>12</budget>
+<bs>
+<b>
+<a>1</a>
+<b>2</b>
+<v>565</v>
+</b>
+</bs>
+</hist>
+</val>
+</dep>
+</dependencies>
+</relation>
+<relation>
+<name>directive_lines</name>
+<cardinality>128896</cardinality>
+<columnsizes>
+<e>
+<k>id</k>
+<v>128896</v>
+</e>
+<e>
+<k>kind</k>
+<v>7</v>
+</e>
+</columnsizes>
+<dependencies>
+<dep>
+<src>id</src>
+<trg>kind</trg>
+<val>
+<hist>
+<budget>12</budget>
+<bs>
+<b>
+<a>1</a>
+<b>2</b>
+<v>128896</v>
+</b>
+</bs>
+</hist>
+</val>
+</dep>
+<dep>
+<src>kind</src>
+<trg>id</trg>
+<val>
+<hist>
+<budget>12</budget>
+<bs>
+<b>
+<a>16650</a>
+<b>16651</b>
+<v>5</v>
+</b>
+<b>
+<a>18118</a>
+<b>18119</b>
+<v>2</v>
+</b>
+</bs>
+</hist>
+</val>
+</dep>
+</dependencies>
+</relation>
+<relation>
+<name>directive_line_value</name>
+<cardinality>41738</cardinality>
+<columnsizes>
+<e>
+<k>id</k>
+<v>41738</v>
+</e>
+<e>
+<k>line</k>
+<v>709</v>
+</e>
+</columnsizes>
+<dependencies>
+<dep>
+<src>id</src>
+<trg>line</trg>
+<val>
+<hist>
+<budget>12</budget>
+<bs>
+<b>
+<a>1</a>
+<b>2</b>
+<v>41738</v>
+</b>
+</bs>
+</hist>
+</val>
+</dep>
+<dep>
+<src>line</src>
+<trg>id</trg>
+<val>
+<hist>
+<budget>12</budget>
+<bs>
+<b>
+<a>1</a>
+<b>2</b>
+<v>147</v>
+</b>
+<b>
+<a>2</a>
+<b>3</b>
+<v>70</v>
+</b>
+<b>
+<a>3</a>
+<b>4</b>
+<v>55</v>
+</b>
+<b>
+<a>4</a>
+<b>7</b>
+<v>65</v>
+</b>
+<b>
+<a>7</a>
+<b>11</b>
+<v>60</v>
+</b>
+<b>
+<a>11</a>
+<b>15</b>
+<v>55</v>
+</b>
+<b>
+<a>15</a>
+<b>27</b>
+<v>62</v>
+</b>
+<b>
+<a>27</a>
+<b>46</b>
+<v>55</v>
+</b>
+<b>
+<a>46</a>
+<b>104</b>
+<v>55</v>
+</b>
+<b>
+<a>106</a>
+<b>549</b>
+<v>55</v>
+</b>
+<b>
+<a>569</a>
+<b>727</b>
+<v>27</v>
+</b>
+</bs>
+</hist>
+</val>
+</dep>
+</dependencies>
+</relation>
+<relation>
+<name>directive_line_file</name>
+<cardinality>41738</cardinality>
+<columnsizes>
+<e>
+<k>id</k>
+<v>41738</v>
+</e>
+<e>
+<k>file</k>
+<v>2396</v>
+</e>
+</columnsizes>
+<dependencies>
+<dep>
+<src>id</src>
+<trg>file</trg>
+<val>
+<hist>
+<budget>12</budget>
+<bs>
+<b>
+<a>1</a>
+<b>2</b>
+<v>41738</v>
+</b>
+</bs>
+</hist>
+</val>
+</dep>
+<dep>
+<src>file</src>
+<trg>id</trg>
+<val>
+<hist>
+<budget>12</budget>
+<bs>
+<b>
+<a>1</a>
+<b>2</b>
+<v>308</v>
+</b>
+<b>
+<a>2</a>
+<b>3</b>
+<v>396</v>
+</b>
+<b>
+<a>3</a>
+<b>4</b>
+<v>255</v>
+</b>
+<b>
+<a>4</a>
+<b>6</b>
+<v>205</v>
+</b>
+<b>
+<a>6</a>
+<b>7</b>
+<v>110</v>
+</b>
+<b>
+<a>7</a>
+<b>9</b>
+<v>200</v>
+</b>
+<b>
+<a>9</a>
+<b>12</b>
+<v>180</v>
+</b>
+<b>
+<a>12</a>
+<b>16</b>
+<v>205</v>
+</b>
+<b>
+<a>16</a>
+<b>27</b>
+<v>185</v>
+</b>
+<b>
+<a>27</a>
+<b>42</b>
+<v>188</v>
+</b>
+<b>
+<a>42</a>
+<b>2665</b>
+<v>160</v>
+</b>
+</bs>
+</hist>
+</val>
+</dep>
+</dependencies>
+</relation>
+<relation>
+<name>directive_nullables</name>
+<cardinality>83477</cardinality>
+<columnsizes>
+<e>
+<k>id</k>
+<v>83477</v>
+</e>
+<e>
+<k>setting</k>
+<v>5</v>
+</e>
+<e>
+<k>target</k>
+<v>2</v>
+</e>
+</columnsizes>
+<dependencies>
+<dep>
+<src>id</src>
+<trg>setting</trg>
+<val>
+<hist>
+<budget>12</budget>
+<bs>
+<b>
+<a>1</a>
+<b>2</b>
+<v>83477</v>
+</b>
+</bs>
+</hist>
+</val>
+</dep>
+<dep>
+<src>id</src>
+<trg>target</trg>
+<val>
+<hist>
+<budget>12</budget>
+<bs>
+<b>
+<a>1</a>
+<b>2</b>
+<v>83477</v>
+</b>
+</bs>
+</hist>
+</val>
+</dep>
+<dep>
+<src>setting</src>
+<trg>id</trg>
+<val>
+<hist>
+<budget>12</budget>
+<bs>
+<b>
+<a>16650</a>
+<b>16651</b>
+<v>5</v>
+</b>
+</bs>
+</hist>
+</val>
+</dep>
+<dep>
+<src>setting</src>
+<trg>target</trg>
+<val>
+<hist>
+<budget>12</budget>
+<bs>
+<b>
+<a>1</a>
+<b>2</b>
+<v>5</v>
+</b>
+</bs>
+</hist>
+</val>
+</dep>
+<dep>
+<src>target</src>
+<trg>id</trg>
+<val>
+<hist>
+<budget>12</budget>
+<bs>
+<b>
+<a>33300</a>
+<b>33301</b>
+<v>2</v>
+</b>
+</bs>
+</hist>
+</val>
+</dep>
+<dep>
+<src>target</src>
+<trg>setting</trg>
+<val>
+<hist>
+<budget>12</budget>
+<bs>
+<b>
+<a>2</a>
+<b>3</b>
+<v>2</v>
+</b>
+</bs>
+</hist>
+</val>
+</dep>
+</dependencies>
+</relation>
+<relation>
+<name>directive_warnings</name>
+<cardinality>1</cardinality>
+<columnsizes>
+<e>
+<k>id</k>
+<v>1</v>
+</e>
+<e>
+<k>message</k>
+<v>1</v>
+</e>
+</columnsizes>
+<dependencies>
+<dep>
+<src>id</src>
+<trg>message</trg>
+<val>
+<hist>
+<budget>12</budget>
+<bs>
+<b>
+<a>1</a>
+<b>2</b>
+<v>1</v>
+</b>
+</bs>
+</hist>
+</val>
+</dep>
+<dep>
+<src>message</src>
+<trg>id</trg>
+<val>
+<hist>
+<budget>12</budget>
+<bs>
+<b>
+<a>1</a>
+<b>2</b>
+<v>1</v>
+</b>
+</bs>
+</hist>
+</val>
+</dep>
+</dependencies>
+</relation>
+<relation>
+<name>directive_errors</name>
+<cardinality>1</cardinality>
+<columnsizes>
+<e>
+<k>id</k>
+<v>1</v>
+</e>
+<e>
+<k>message</k>
+<v>1</v>
+</e>
+</columnsizes>
+<dependencies>
+<dep>
+<src>id</src>
+<trg>message</trg>
+<val>
+<hist>
+<budget>12</budget>
+<bs>
+<b>
+<a>1</a>
+<b>2</b>
+<v>1</v>
+</b>
+</bs>
+</hist>
+</val>
+</dep>
+<dep>
+<src>message</src>
+<trg>id</trg>
+<val>
+<hist>
+<budget>12</budget>
+<bs>
+<b>
+<a>1</a>
+<b>2</b>
+<v>1</v>
+</b>
+</bs>
+</hist>
+</val>
+</dep>
+</dependencies>
+</relation>
+<relation>
+<name>directive_undefines</name>
+<cardinality>1</cardinality>
+<columnsizes>
+<e>
+<k>id</k>
+<v>1</v>
+</e>
+<e>
+<k>name</k>
+<v>1</v>
+</e>
+</columnsizes>
+<dependencies>
+<dep>
+<src>id</src>
+<trg>name</trg>
+<val>
+<hist>
+<budget>12</budget>
+<bs>
+<b>
+<a>1</a>
+<b>2</b>
+<v>1</v>
+</b>
+</bs>
+</hist>
+</val>
+</dep>
+<dep>
+<src>name</src>
+<trg>id</trg>
+<val>
+<hist>
+<budget>12</budget>
+<bs>
+<b>
+<a>1</a>
+<b>2</b>
+<v>1</v>
+</b>
+</bs>
+</hist>
+</val>
+</dep>
+</dependencies>
+</relation>
+<relation>
+<name>directive_defines</name>
+<cardinality>5</cardinality>
+<columnsizes>
+<e>
+<k>id</k>
+<v>5</v>
+</e>
+<e>
+<k>name</k>
+<v>5</v>
+</e>
+</columnsizes>
+<dependencies>
+<dep>
+<src>id</src>
+<trg>name</trg>
+<val>
+<hist>
+<budget>12</budget>
+<bs>
+<b>
+<a>1</a>
+<b>2</b>
+<v>5</v>
+</b>
+</bs>
+</hist>
+</val>
+</dep>
+<dep>
+<src>name</src>
+<trg>id</trg>
+<val>
+<hist>
+<budget>12</budget>
+<bs>
+<b>
+<a>1</a>
+<b>2</b>
+<v>5</v>
+</b>
+</bs>
+</hist>
+</val>
+</dep>
+</dependencies>
+</relation>
+<relation>
+<name>pragma_checksums</name>
+<cardinality>2494</cardinality>
+<columnsizes>
+<e>
+<k>id</k>
+<v>2494</v>
+</e>
+<e>
+<k>file</k>
+<v>2494</v>
+</e>
+<e>
+<k>guid</k>
+<v>2</v>
+</e>
+<e>
+<k>bytes</k>
+<v>2338</v>
+</e>
+</columnsizes>
+<dependencies>
+<dep>
+<src>id</src>
+<trg>file</trg>
+<val>
+<hist>
+<budget>12</budget>
+<bs>
+<b>
+<a>1</a>
+<b>2</b>
+<v>2494</v>
+</b>
+</bs>
+</hist>
+</val>
+</dep>
+<dep>
+<src>id</src>
+<trg>guid</trg>
+<val>
+<hist>
+<budget>12</budget>
+<bs>
+<b>
+<a>1</a>
+<b>2</b>
+<v>2494</v>
+</b>
+</bs>
+</hist>
+</val>
+</dep>
+<dep>
+<src>id</src>
+<trg>bytes</trg>
+<val>
+<hist>
+<budget>12</budget>
+<bs>
+<b>
+<a>1</a>
+<b>2</b>
+<v>2494</v>
+</b>
+</bs>
+</hist>
+</val>
+</dep>
+<dep>
+<src>file</src>
+<trg>id</trg>
+<val>
+<hist>
+<budget>12</budget>
+<bs>
+<b>
+<a>1</a>
+<b>2</b>
+<v>2494</v>
+</b>
+</bs>
+</hist>
+</val>
+</dep>
+<dep>
+<src>file</src>
+<trg>guid</trg>
+<val>
+<hist>
+<budget>12</budget>
+<bs>
+<b>
+<a>1</a>
+<b>2</b>
+<v>2494</v>
+</b>
+</bs>
+</hist>
+</val>
+</dep>
+<dep>
+<src>file</src>
+<trg>bytes</trg>
+<val>
+<hist>
+<budget>12</budget>
+<bs>
+<b>
+<a>1</a>
+<b>2</b>
+<v>2494</v>
+</b>
+</bs>
+</hist>
+</val>
+</dep>
+<dep>
+<src>guid</src>
+<trg>id</trg>
+<val>
+<hist>
+<budget>12</budget>
+<bs>
+<b>
+<a>995</a>
+<b>996</b>
+<v>2</v>
+</b>
+</bs>
+</hist>
+</val>
+</dep>
+<dep>
+<src>guid</src>
+<trg>file</trg>
+<val>
+<hist>
+<budget>12</budget>
+<bs>
+<b>
+<a>995</a>
+<b>996</b>
+<v>2</v>
+</b>
+</bs>
+</hist>
+</val>
+</dep>
+<dep>
+<src>guid</src>
+<trg>bytes</trg>
+<val>
+<hist>
+<budget>12</budget>
+<bs>
+<b>
+<a>933</a>
+<b>934</b>
+<v>2</v>
+</b>
+</bs>
+</hist>
+</val>
+</dep>
+<dep>
+<src>bytes</src>
+<trg>id</trg>
+<val>
+<hist>
+<budget>12</budget>
+<bs>
+<b>
+<a>1</a>
+<b>2</b>
+<v>2288</v>
+</b>
+<b>
+<a>2</a>
+<b>19</b>
+<v>50</v>
+</b>
+</bs>
+</hist>
+</val>
+</dep>
+<dep>
+<src>bytes</src>
+<trg>file</trg>
+<val>
+<hist>
+<budget>12</budget>
+<bs>
+<b>
+<a>1</a>
+<b>2</b>
+<v>2288</v>
+</b>
+<b>
+<a>2</a>
+<b>19</b>
+<v>50</v>
+</b>
+</bs>
+</hist>
+</val>
+</dep>
+<dep>
+<src>bytes</src>
+<trg>guid</trg>
+<val>
+<hist>
+<budget>12</budget>
+<bs>
+<b>
+<a>1</a>
+<b>2</b>
+<v>2338</v>
+</b>
+</bs>
+</hist>
+</val>
+</dep>
+</dependencies>
+</relation>
+<relation>
+<name>pragma_warnings</name>
+<cardinality>14725</cardinality>
+<columnsizes>
+<e>
+<k>id</k>
+<v>14725</v>
+</e>
+<e>
+<k>kind</k>
+<v>5</v>
+</e>
+</columnsizes>
+<dependencies>
+<dep>
+<src>id</src>
+<trg>kind</trg>
+<val>
+<hist>
+<budget>12</budget>
+<bs>
+<b>
+<a>1</a>
+<b>2</b>
+<v>14725</v>
+</b>
+</bs>
+</hist>
+</val>
+</dep>
+<dep>
+<src>kind</src>
+<trg>id</trg>
+<val>
+<hist>
+<budget>12</budget>
+<bs>
+<b>
+<a>2937</a>
+<b>2938</b>
+<v>5</v>
+</b>
+</bs>
+</hist>
+</val>
+</dep>
+</dependencies>
+</relation>
+<relation>
+<name>pragma_warning_error_codes</name>
+<cardinality>14730</cardinality>
+<columnsizes>
+<e>
+<k>id</k>
+<v>14725</v>
+</e>
+<e>
+<k>errorCode</k>
+<v>15</v>
+</e>
+<e>
+<k>index</k>
+<v>5</v>
+</e>
+</columnsizes>
+<dependencies>
+<dep>
+<src>id</src>
+<trg>errorCode</trg>
+<val>
+<hist>
+<budget>12</budget>
+<bs>
+<b>
+<a>1</a>
+<b>2</b>
+<v>14720</v>
+</b>
+<b>
+<a>2</a>
+<b>3</b>
+<v>5</v>
+</b>
+</bs>
+</hist>
+</val>
+</dep>
+<dep>
+<src>id</src>
+<trg>index</trg>
+<val>
+<hist>
+<budget>12</budget>
+<bs>
+<b>
+<a>1</a>
+<b>2</b>
+<v>14720</v>
+</b>
+<b>
+<a>2</a>
+<b>3</b>
+<v>5</v>
+</b>
+</bs>
+</hist>
+</val>
+</dep>
+<dep>
+<src>errorCode</src>
+<trg>id</trg>
+<val>
+<hist>
+<budget>12</budget>
+<bs>
+<b>
+<a>2</a>
+<b>3</b>
+<v>5</v>
+</b>
+<b>
+<a>946</a>
+<b>947</b>
+<v>5</v>
+</b>
+<b>
+<a>1990</a>
+<b>1991</b>
+<v>5</v>
+</b>
+</bs>
+</hist>
+</val>
+</dep>
+<dep>
+<src>errorCode</src>
+<trg>index</trg>
+<val>
+<hist>
+<budget>12</budget>
+<bs>
+<b>
+<a>1</a>
+<b>2</b>
+<v>15</v>
+</b>
+</bs>
+</hist>
+</val>
+</dep>
+<dep>
+<src>index</src>
+<trg>id</trg>
+<val>
+<hist>
+<budget>12</budget>
+<bs>
+<b>
+<a>2</a>
+<b>3</b>
+<v>2</v>
+</b>
+<b>
+<a>5874</a>
+<b>5875</b>
+<v>2</v>
+</b>
+</bs>
+</hist>
+</val>
+</dep>
+<dep>
+<src>index</src>
+<trg>errorCode</trg>
+<val>
+<hist>
+<budget>12</budget>
+<bs>
+<b>
+<a>1</a>
+<b>2</b>
+<v>2</v>
+</b>
+<b>
+<a>5</a>
+<b>6</b>
+<v>2</v>
+</b>
+</bs>
+</hist>
+</val>
+</dep>
+</dependencies>
+</relation>
+<relation>
+<name>preprocessor_directive_location</name>
+<cardinality>229688</cardinality>
+<columnsizes>
+<e>
+<k>id</k>
+<v>229688</v>
+</e>
+<e>
+<k>loc</k>
+<v>229688</v>
+</e>
+</columnsizes>
+<dependencies>
+<dep>
+<src>id</src>
+<trg>loc</trg>
+<val>
+<hist>
+<budget>12</budget>
+<bs>
+<b>
+<a>1</a>
+<b>2</b>
+<v>229688</v>
+</b>
+</bs>
+</hist>
+</val>
+</dep>
+<dep>
+<src>loc</src>
+<trg>id</trg>
+<val>
+<hist>
+<budget>12</budget>
+<bs>
+<b>
+<a>1</a>
+<b>2</b>
+<v>229688</v>
+</b>
+</bs>
+</hist>
+</val>
+</dep>
+</dependencies>
+</relation>
+<relation>
+<name>preprocessor_directive_compilation</name>
+<cardinality>229688</cardinality>
+<columnsizes>
+<e>
+<k>id</k>
+<v>229688</v>
+</e>
+<e>
+<k>compilation</k>
+<v>172</v>
+</e>
+</columnsizes>
+<dependencies>
+<dep>
+<src>id</src>
+<trg>compilation</trg>
+<val>
+<hist>
+<budget>12</budget>
+<bs>
+<b>
+<a>1</a>
+<b>2</b>
+<v>229688</v>
+</b>
+</bs>
+</hist>
+</val>
+</dep>
+<dep>
+<src>compilation</src>
+<trg>id</trg>
+<val>
+<hist>
+<budget>12</budget>
+<bs>
+<b>
+<a>4</a>
+<b>11</b>
+<v>12</v>
+</b>
+<b>
+<a>16</a>
+<b>62</b>
+<v>15</v>
+</b>
+<b>
+<a>75</a>
+<b>144</b>
+<v>15</v>
+</b>
+<b>
+<a>149</a>
+<b>226</b>
+<v>15</v>
+</b>
+<b>
+<a>248</a>
+<b>317</b>
+<v>15</v>
+</b>
+<b>
+<a>342</a>
+<b>459</b>
+<v>15</v>
+</b>
+<b>
+<a>503</a>
+<b>665</b>
+<v>15</v>
+</b>
+<b>
+<a>772</a>
+<b>1090</b>
+<v>15</v>
+</b>
+<b>
+<a>1155</a>
+<b>1276</b>
+<v>15</v>
+</b>
+<b>
+<a>1343</a>
+<b>2001</b>
+<v>15</v>
+</b>
+<b>
+<a>2121</a>
+<b>4115</b>
+<v>15</v>
+</b>
+<b>
+<a>6086</a>
+<b>19444</b>
+<v>10</v>
+</b>
+</bs>
+</hist>
+</val>
+</dep>
+</dependencies>
+</relation>
+<relation>
+<name>preprocessor_directive_active</name>
+<cardinality>229688</cardinality>
+<columnsizes>
+<e>
+<k>id</k>
+<v>229688</v>
+</e>
+<e>
+<k>active</k>
+<v>2</v>
+</e>
+</columnsizes>
+<dependencies>
+<dep>
+<src>id</src>
+<trg>active</trg>
+<val>
+<hist>
+<budget>12</budget>
+<bs>
+<b>
+<a>1</a>
+<b>2</b>
+<v>229688</v>
+</b>
+</bs>
+</hist>
+</val>
+</dep>
+<dep>
+<src>active</src>
+<trg>id</trg>
+<val>
+<hist>
+<budget>12</budget>
+<bs>
+<b>
+<a>91625</a>
+<b>91626</b>
+<v>2</v>
 </b>
 </bs>
 </hist>
@@ -12749,19 +14820,19 @@
 </relation>
 <relation>
 <name>types</name>
-<cardinality>867174</cardinality>
+<cardinality>434504</cardinality>
 <columnsizes>
 <e>
 <k>id</k>
-<v>867174</v>
+<v>434504</v>
 </e>
 <e>
 <k>kind</k>
-<v>131</v>
+<v>67</v>
 </e>
 <e>
 <k>name</k>
-<v>366861</v>
+<v>184347</v>
 </e>
 </columnsizes>
 <dependencies>
@@ -12775,7 +14846,7 @@
 <b>
 <a>1</a>
 <b>2</b>
-<v>867174</v>
+<v>434504</v>
 </b>
 </bs>
 </hist>
@@ -12791,7 +14862,7 @@
 <b>
 <a>1</a>
 <b>2</b>
-<v>867174</v>
+<v>434504</v>
 </b>
 </bs>
 </hist>
@@ -12807,32 +14878,32 @@
 <b>
 <a>1</a>
 <b>2</b>
-<v>82</v>
+<v>42</v>
 </b>
 <b>
 <a>45</a>
-<b>199</b>
-<v>9</v>
+<b>198</b>
+<v>5</v>
 </b>
 <b>
-<a>366</a>
-<b>1874</b>
-<v>9</v>
+<a>342</a>
+<b>1750</b>
+<v>5</v>
 </b>
 <b>
-<a>2454</a>
-<b>10198</b>
-<v>9</v>
+<a>2450</a>
+<b>9903</b>
+<v>5</v>
 </b>
 <b>
-<a>22085</a>
-<b>36570</b>
-<v>9</v>
+<a>20838</a>
+<b>35370</b>
+<v>5</v>
 </b>
 <b>
-<a>41596</a>
-<b>62642</b>
-<v>9</v>
+<a>40817</a>
+<b>61603</b>
+<v>5</v>
 </b>
 </bs>
 </hist>
@@ -12848,32 +14919,32 @@
 <b>
 <a>1</a>
 <b>2</b>
-<v>82</v>
+<v>42</v>
 </b>
 <b>
 <a>45</a>
-<b>158</b>
-<v>9</v>
+<b>154</b>
+<v>5</v>
 </b>
 <b>
-<a>169</a>
+<a>168</a>
 <b>701</b>
-<v>9</v>
+<v>5</v>
 </b>
 <b>
-<a>1086</a>
+<a>1043</a>
 <b>2228</b>
-<v>9</v>
+<v>5</v>
 </b>
 <b>
-<a>6598</a>
-<b>10563</b>
-<v>9</v>
+<a>6467</a>
+<b>9921</b>
+<v>5</v>
 </b>
 <b>
-<a>18339</a>
-<b>35727</b>
-<v>9</v>
+<a>17642</a>
+<b>35459</b>
+<v>5</v>
 </b>
 </bs>
 </hist>
@@ -12889,17 +14960,17 @@
 <b>
 <a>1</a>
 <b>2</b>
-<v>324613</v>
+<v>163114</v>
 </b>
 <b>
 <a>2</a>
 <b>5</b>
-<v>28839</v>
+<v>14629</v>
 </b>
 <b>
 <a>5</a>
-<b>6356</b>
-<v>13408</v>
+<b>6327</b>
+<v>6603</v>
 </b>
 </bs>
 </hist>
@@ -12915,12 +14986,12 @@
 <b>
 <a>1</a>
 <b>2</b>
-<v>365424</v>
+<v>183613</v>
 </b>
 <b>
 <a>2</a>
 <b>4</b>
-<v>1436</v>
+<v>734</v>
 </b>
 </bs>
 </hist>
@@ -12930,15 +15001,15 @@
 </relation>
 <relation>
 <name>typerefs</name>
-<cardinality>234794</cardinality>
+<cardinality>120781</cardinality>
 <columnsizes>
 <e>
 <k>id</k>
-<v>234794</v>
+<v>120781</v>
 </e>
 <e>
 <k>name</k>
-<v>176984</v>
+<v>91080</v>
 </e>
 </columnsizes>
 <dependencies>
@@ -12952,7 +15023,7 @@
 <b>
 <a>1</a>
 <b>2</b>
-<v>234794</v>
+<v>120781</v>
 </b>
 </bs>
 </hist>
@@ -12968,17 +15039,17 @@
 <b>
 <a>1</a>
 <b>2</b>
-<v>162435</v>
+<v>83592</v>
 </b>
 <b>
 <a>2</a>
 <b>7</b>
-<v>13481</v>
+<v>6938</v>
 </b>
 <b>
 <a>7</a>
 <b>2183</b>
-<v>1066</v>
+<v>548</v>
 </b>
 </bs>
 </hist>
@@ -12988,15 +15059,15 @@
 </relation>
 <relation>
 <name>typeref_type</name>
-<cardinality>234613</cardinality>
+<cardinality>120694</cardinality>
 <columnsizes>
 <e>
 <k>id</k>
-<v>234613</v>
+<v>120694</v>
 </e>
 <e>
 <k>typeId</k>
-<v>234613</v>
+<v>120694</v>
 </e>
 </columnsizes>
 <dependencies>
@@ -13010,7 +15081,7 @@
 <b>
 <a>1</a>
 <b>2</b>
-<v>234613</v>
+<v>120694</v>
 </b>
 </bs>
 </hist>
@@ -13026,7 +15097,7 @@
 <b>
 <a>1</a>
 <b>2</b>
-<v>234613</v>
+<v>120694</v>
 </b>
 </bs>
 </hist>
@@ -13036,23 +15107,23 @@
 </relation>
 <relation>
 <name>array_element_type</name>
-<cardinality>9122</cardinality>
+<cardinality>4384</cardinality>
 <columnsizes>
 <e>
 <k>array</k>
-<v>9122</v>
+<v>4384</v>
 </e>
 <e>
 <k>dimension</k>
-<v>9</v>
+<v>5</v>
 </e>
 <e>
 <k>rank</k>
-<v>9</v>
+<v>5</v>
 </e>
 <e>
 <k>element</k>
-<v>9112</v>
+<v>4379</v>
 </e>
 </columnsizes>
 <dependencies>
@@ -13066,7 +15137,7 @@
 <b>
 <a>1</a>
 <b>2</b>
-<v>9122</v>
+<v>4384</v>
 </b>
 </bs>
 </hist>
@@ -13082,7 +15153,7 @@
 <b>
 <a>1</a>
 <b>2</b>
-<v>9122</v>
+<v>4384</v>
 </b>
 </bs>
 </hist>
@@ -13098,7 +15169,7 @@
 <b>
 <a>1</a>
 <b>2</b>
-<v>9122</v>
+<v>4384</v>
 </b>
 </bs>
 </hist>
@@ -13114,12 +15185,12 @@
 <b>
 <a>20</a>
 <b>21</b>
-<v>4</v>
+<v>2</v>
 </b>
 <b>
-<a>1853</a>
-<b>1854</b>
-<v>4</v>
+<a>1729</a>
+<b>1730</b>
+<v>2</v>
 </b>
 </bs>
 </hist>
@@ -13135,12 +15206,12 @@
 <b>
 <a>1</a>
 <b>2</b>
-<v>4</v>
+<v>2</v>
 </b>
 <b>
 <a>2</a>
 <b>3</b>
-<v>4</v>
+<v>2</v>
 </b>
 </bs>
 </hist>
@@ -13156,12 +15227,12 @@
 <b>
 <a>20</a>
 <b>21</b>
-<v>4</v>
+<v>2</v>
 </b>
 <b>
-<a>1851</a>
-<b>1852</b>
-<v>4</v>
+<a>1727</a>
+<b>1728</b>
+<v>2</v>
 </b>
 </bs>
 </hist>
@@ -13177,12 +15248,12 @@
 <b>
 <a>2</a>
 <b>3</b>
-<v>4</v>
+<v>2</v>
 </b>
 <b>
-<a>1871</a>
-<b>1872</b>
-<v>4</v>
+<a>1747</a>
+<b>1748</b>
+<v>2</v>
 </b>
 </bs>
 </hist>
@@ -13198,12 +15269,12 @@
 <b>
 <a>1</a>
 <b>2</b>
-<v>4</v>
+<v>2</v>
 </b>
 <b>
 <a>2</a>
 <b>3</b>
-<v>4</v>
+<v>2</v>
 </b>
 </bs>
 </hist>
@@ -13219,12 +15290,12 @@
 <b>
 <a>2</a>
 <b>3</b>
-<v>4</v>
+<v>2</v>
 </b>
 <b>
-<a>1871</a>
-<b>1872</b>
-<v>4</v>
+<a>1747</a>
+<b>1748</b>
+<v>2</v>
 </b>
 </bs>
 </hist>
@@ -13240,12 +15311,12 @@
 <b>
 <a>1</a>
 <b>2</b>
-<v>9103</v>
+<v>4374</v>
 </b>
 <b>
 <a>2</a>
 <b>3</b>
-<v>9</v>
+<v>5</v>
 </b>
 </bs>
 </hist>
@@ -13261,7 +15332,7 @@
 <b>
 <a>1</a>
 <b>2</b>
-<v>9112</v>
+<v>4379</v>
 </b>
 </bs>
 </hist>
@@ -13277,12 +15348,12 @@
 <b>
 <a>1</a>
 <b>2</b>
-<v>9103</v>
+<v>4374</v>
 </b>
 <b>
 <a>2</a>
 <b>3</b>
-<v>9</v>
+<v>5</v>
 </b>
 </bs>
 </hist>
@@ -13292,15 +15363,15 @@
 </relation>
 <relation>
 <name>nullable_underlying_type</name>
-<cardinality>979</cardinality>
+<cardinality>550</cardinality>
 <columnsizes>
 <e>
 <k>nullable</k>
-<v>979</v>
+<v>550</v>
 </e>
 <e>
 <k>underlying</k>
-<v>979</v>
+<v>550</v>
 </e>
 </columnsizes>
 <dependencies>
@@ -13314,7 +15385,7 @@
 <b>
 <a>1</a>
 <b>2</b>
-<v>979</v>
+<v>550</v>
 </b>
 </bs>
 </hist>
@@ -13330,7 +15401,7 @@
 <b>
 <a>1</a>
 <b>2</b>
-<v>979</v>
+<v>550</v>
 </b>
 </bs>
 </hist>
@@ -13340,15 +15411,15 @@
 </relation>
 <relation>
 <name>pointer_referent_type</name>
-<cardinality>219</cardinality>
+<cardinality>112</cardinality>
 <columnsizes>
 <e>
 <k>pointer</k>
-<v>219</v>
+<v>112</v>
 </e>
 <e>
 <k>referent</k>
-<v>219</v>
+<v>112</v>
 </e>
 </columnsizes>
 <dependencies>
@@ -13362,7 +15433,7 @@
 <b>
 <a>1</a>
 <b>2</b>
-<v>219</v>
+<v>112</v>
 </b>
 </bs>
 </hist>
@@ -13378,7 +15449,7 @@
 <b>
 <a>1</a>
 <b>2</b>
-<v>219</v>
+<v>112</v>
 </b>
 </bs>
 </hist>
@@ -13388,15 +15459,15 @@
 </relation>
 <relation>
 <name>enum_underlying_type</name>
-<cardinality>11952</cardinality>
+<cardinality>6141</cardinality>
 <columnsizes>
 <e>
 <k>enum_id</k>
-<v>11952</v>
+<v>6141</v>
 </e>
 <e>
 <k>underlying_type_id</k>
-<v>38</v>
+<v>20</v>
 </e>
 </columnsizes>
 <dependencies>
@@ -13410,7 +15481,7 @@
 <b>
 <a>1</a>
 <b>2</b>
-<v>11952</v>
+<v>6141</v>
 </b>
 </bs>
 </hist>
@@ -13426,37 +15497,37 @@
 <b>
 <a>5</a>
 <b>6</b>
-<v>9</v>
+<v>5</v>
 </b>
 <b>
 <a>23</a>
 <b>24</b>
-<v>4</v>
+<v>2</v>
 </b>
 <b>
 <a>25</a>
 <b>26</b>
-<v>4</v>
+<v>2</v>
 </b>
 <b>
 <a>41</a>
 <b>42</b>
-<v>4</v>
+<v>2</v>
 </b>
 <b>
 <a>172</a>
 <b>173</b>
-<v>4</v>
+<v>2</v>
 </b>
 <b>
 <a>285</a>
 <b>286</b>
-<v>4</v>
+<v>2</v>
 </b>
 <b>
-<a>1898</a>
-<b>1899</b>
-<v>4</v>
+<a>1894</a>
+<b>1895</b>
+<v>2</v>
 </b>
 </bs>
 </hist>
@@ -13466,15 +15537,15 @@
 </relation>
 <relation>
 <name>delegate_return_type</name>
-<cardinality>107553</cardinality>
+<cardinality>52229</cardinality>
 <columnsizes>
 <e>
 <k>delegate_id</k>
-<v>107553</v>
+<v>52229</v>
 </e>
 <e>
 <k>return_type_id</k>
-<v>55510</v>
+<v>26697</v>
 </e>
 </columnsizes>
 <dependencies>
@@ -13488,7 +15559,7 @@
 <b>
 <a>1</a>
 <b>2</b>
-<v>107553</v>
+<v>52229</v>
 </b>
 </bs>
 </hist>
@@ -13504,12 +15575,12 @@
 <b>
 <a>1</a>
 <b>2</b>
-<v>52198</v>
+<v>25171</v>
 </b>
 <b>
 <a>2</a>
-<b>4178</b>
-<v>3312</v>
+<b>4000</b>
+<v>1526</v>
 </b>
 </bs>
 </hist>
@@ -13519,15 +15590,15 @@
 </relation>
 <relation>
 <name>function_pointer_return_type</name>
-<cardinality>11</cardinality>
+<cardinality>9</cardinality>
 <columnsizes>
 <e>
 <k>function_pointer_id</k>
-<v>11</v>
+<v>9</v>
 </e>
 <e>
 <k>return_type_id</k>
-<v>3</v>
+<v>6</v>
 </e>
 </columnsizes>
 <dependencies>
@@ -13541,7 +15612,7 @@
 <b>
 <a>1</a>
 <b>2</b>
-<v>11</v>
+<v>9</v>
 </b>
 </bs>
 </hist>
@@ -13555,14 +15626,9 @@
 <budget>12</budget>
 <bs>
 <b>
-<a>2</a>
-<b>3</b>
-<v>1</v>
-</b>
-<b>
-<a>3</a>
-<b>4</b>
-<v>1</v>
+<a>1</a>
+<b>2</b>
+<v>5</v>
 </b>
 <b>
 <a>4</a>
@@ -13577,15 +15643,15 @@
 </relation>
 <relation>
 <name>extend</name>
-<cardinality>323488</cardinality>
+<cardinality>160600</cardinality>
 <columnsizes>
 <e>
 <k>sub</k>
-<v>323488</v>
+<v>160600</v>
 </e>
 <e>
 <k>super</k>
-<v>31566</v>
+<v>16246</v>
 </e>
 </columnsizes>
 <dependencies>
@@ -13599,7 +15665,7 @@
 <b>
 <a>1</a>
 <b>2</b>
-<v>323488</v>
+<v>160600</v>
 </b>
 </bs>
 </hist>
@@ -13615,27 +15681,27 @@
 <b>
 <a>1</a>
 <b>2</b>
-<v>22629</v>
+<v>11646</v>
 </b>
 <b>
 <a>2</a>
 <b>3</b>
-<v>3979</v>
+<v>2050</v>
 </b>
 <b>
 <a>3</a>
 <b>5</b>
-<v>2415</v>
+<v>1240</v>
 </b>
 <b>
 <a>5</a>
 <b>70</b>
-<v>2376</v>
+<v>1223</v>
 </b>
 <b>
 <a>70</a>
-<b>22083</b>
-<v>165</v>
+<b>20836</b>
+<v>85</v>
 </b>
 </bs>
 </hist>
@@ -13645,26 +15711,26 @@
 </relation>
 <relation>
 <name>anonymous_types</name>
-<cardinality>1212</cardinality>
+<cardinality>571</cardinality>
 <columnsizes>
 <e>
 <k>id</k>
-<v>1212</v>
+<v>571</v>
 </e>
 </columnsizes>
 <dependencies/>
 </relation>
 <relation>
 <name>implement</name>
-<cardinality>541717</cardinality>
+<cardinality>266554</cardinality>
 <columnsizes>
 <e>
 <k>sub</k>
-<v>226353</v>
+<v>112586</v>
 </e>
 <e>
 <k>super</k>
-<v>122545</v>
+<v>60780</v>
 </e>
 </columnsizes>
 <dependencies>
@@ -13678,27 +15744,27 @@
 <b>
 <a>1</a>
 <b>2</b>
-<v>100773</v>
+<v>51182</v>
 </b>
 <b>
 <a>2</a>
 <b>3</b>
-<v>57044</v>
+<v>27933</v>
 </b>
 <b>
 <a>3</a>
 <b>4</b>
-<v>36110</v>
+<v>17643</v>
 </b>
 <b>
 <a>4</a>
 <b>7</b>
-<v>18971</v>
+<v>9373</v>
 </b>
 <b>
 <a>7</a>
 <b>21</b>
-<v>13452</v>
+<v>6455</v>
 </b>
 </bs>
 </hist>
@@ -13714,27 +15780,27 @@
 <b>
 <a>1</a>
 <b>2</b>
-<v>66951</v>
+<v>33561</v>
 </b>
 <b>
 <a>2</a>
 <b>3</b>
-<v>29783</v>
+<v>14692</v>
 </b>
 <b>
 <a>3</a>
 <b>4</b>
-<v>10247</v>
+<v>4983</v>
 </b>
 <b>
 <a>4</a>
 <b>6</b>
-<v>8694</v>
+<v>4168</v>
 </b>
 <b>
 <a>6</a>
-<b>21807</b>
-<v>6867</v>
+<b>20685</b>
+<v>3374</v>
 </b>
 </bs>
 </hist>
@@ -13744,15 +15810,15 @@
 </relation>
 <relation>
 <name>type_location</name>
-<cardinality>553694</cardinality>
+<cardinality>277271</cardinality>
 <columnsizes>
 <e>
 <k>id</k>
-<v>466968</v>
+<v>237743</v>
 </e>
 <e>
 <k>loc</k>
-<v>29876</v>
+<v>12499</v>
 </e>
 </columnsizes>
 <dependencies>
@@ -13766,17 +15832,17 @@
 <b>
 <a>1</a>
 <b>2</b>
-<v>407390</v>
+<v>209975</v>
 </b>
 <b>
 <a>2</a>
 <b>3</b>
-<v>39233</v>
+<v>19400</v>
 </b>
 <b>
 <a>3</a>
 <b>638</b>
-<v>20344</v>
+<v>8367</v>
 </b>
 </bs>
 </hist>
@@ -13792,17 +15858,22 @@
 <b>
 <a>1</a>
 <b>2</b>
-<v>26004</v>
+<v>10568</v>
 </b>
 <b>
 <a>2</a>
-<b>26</b>
-<v>2269</v>
+<b>20</b>
+<v>962</v>
 </b>
 <b>
-<a>26</a>
+<a>20</a>
+<b>1759</b>
+<v>937</v>
+</b>
+<b>
+<a>1782</a>
 <b>12195</b>
-<v>1602</v>
+<v>30</v>
 </b>
 </bs>
 </hist>
@@ -13812,15 +15883,15 @@
 </relation>
 <relation>
 <name>tuple_underlying_type</name>
-<cardinality>1782</cardinality>
+<cardinality>857</cardinality>
 <columnsizes>
 <e>
 <k>tuple</k>
-<v>1782</v>
+<v>857</v>
 </e>
 <e>
 <k>struct</k>
-<v>1139</v>
+<v>574</v>
 </e>
 </columnsizes>
 <dependencies>
@@ -13834,7 +15905,7 @@
 <b>
 <a>1</a>
 <b>2</b>
-<v>1782</v>
+<v>857</v>
 </b>
 </bs>
 </hist>
@@ -13850,17 +15921,17 @@
 <b>
 <a>1</a>
 <b>2</b>
-<v>642</v>
+<v>333</v>
 </b>
 <b>
 <a>2</a>
 <b>3</b>
-<v>423</v>
+<v>213</v>
 </b>
 <b>
 <a>3</a>
-<b>9</b>
-<v>73</v>
+<b>6</b>
+<v>27</v>
 </b>
 </bs>
 </hist>
@@ -13870,19 +15941,19 @@
 </relation>
 <relation>
 <name>tuple_element</name>
-<cardinality>6789</cardinality>
+<cardinality>3374</cardinality>
 <columnsizes>
 <e>
 <k>tuple</k>
-<v>1777</v>
+<v>854</v>
 </e>
 <e>
 <k>index</k>
-<v>102</v>
+<v>52</v>
 </e>
 <e>
 <k>field</k>
-<v>6789</v>
+<v>3374</v>
 </e>
 </columnsizes>
 <dependencies>
@@ -13896,37 +15967,37 @@
 <b>
 <a>1</a>
 <b>2</b>
-<v>43</v>
+<v>22</v>
 </b>
 <b>
 <a>2</a>
 <b>3</b>
-<v>1134</v>
+<v>523</v>
 </b>
 <b>
 <a>3</a>
 <b>4</b>
-<v>146</v>
+<v>75</v>
 </b>
 <b>
 <a>4</a>
 <b>5</b>
-<v>63</v>
+<v>32</v>
 </b>
 <b>
 <a>5</a>
 <b>7</b>
-<v>141</v>
+<v>72</v>
 </b>
 <b>
 <a>7</a>
 <b>13</b>
-<v>141</v>
+<v>72</v>
 </b>
 <b>
 <a>13</a>
 <b>22</b>
-<v>107</v>
+<v>55</v>
 </b>
 </bs>
 </hist>
@@ -13942,37 +16013,37 @@
 <b>
 <a>1</a>
 <b>2</b>
-<v>43</v>
+<v>22</v>
 </b>
 <b>
 <a>2</a>
 <b>3</b>
-<v>1134</v>
+<v>523</v>
 </b>
 <b>
 <a>3</a>
 <b>4</b>
-<v>146</v>
+<v>75</v>
 </b>
 <b>
 <a>4</a>
 <b>5</b>
-<v>63</v>
+<v>32</v>
 </b>
 <b>
 <a>5</a>
 <b>7</b>
-<v>141</v>
+<v>72</v>
 </b>
 <b>
 <a>7</a>
 <b>13</b>
-<v>141</v>
+<v>72</v>
 </b>
 <b>
 <a>13</a>
 <b>22</b>
-<v>107</v>
+<v>55</v>
 </b>
 </bs>
 </hist>
@@ -13988,107 +16059,107 @@
 <b>
 <a>2</a>
 <b>3</b>
-<v>4</v>
+<v>2</v>
 </b>
 <b>
 <a>4</a>
 <b>5</b>
-<v>4</v>
+<v>2</v>
 </b>
 <b>
 <a>6</a>
 <b>7</b>
-<v>4</v>
+<v>2</v>
 </b>
 <b>
 <a>8</a>
 <b>9</b>
-<v>4</v>
+<v>2</v>
 </b>
 <b>
 <a>10</a>
 <b>11</b>
-<v>4</v>
+<v>2</v>
 </b>
 <b>
 <a>12</a>
 <b>13</b>
-<v>4</v>
+<v>2</v>
 </b>
 <b>
 <a>14</a>
 <b>15</b>
-<v>4</v>
+<v>2</v>
 </b>
 <b>
 <a>18</a>
 <b>19</b>
-<v>4</v>
+<v>2</v>
 </b>
 <b>
 <a>22</a>
 <b>23</b>
-<v>4</v>
+<v>2</v>
 </b>
 <b>
 <a>26</a>
 <b>27</b>
-<v>4</v>
+<v>2</v>
 </b>
 <b>
 <a>30</a>
 <b>31</b>
-<v>4</v>
+<v>2</v>
 </b>
 <b>
 <a>34</a>
 <b>35</b>
-<v>4</v>
+<v>2</v>
 </b>
 <b>
 <a>38</a>
 <b>39</b>
-<v>4</v>
+<v>2</v>
 </b>
 <b>
 <a>43</a>
 <b>44</b>
-<v>4</v>
+<v>2</v>
 </b>
 <b>
 <a>51</a>
 <b>52</b>
-<v>4</v>
+<v>2</v>
 </b>
 <b>
 <a>59</a>
 <b>60</b>
-<v>4</v>
+<v>2</v>
 </b>
 <b>
 <a>80</a>
 <b>81</b>
-<v>4</v>
+<v>2</v>
 </b>
 <b>
 <a>93</a>
 <b>94</b>
-<v>4</v>
+<v>2</v>
 </b>
 <b>
 <a>123</a>
 <b>124</b>
-<v>4</v>
+<v>2</v>
 </b>
 <b>
-<a>356</a>
-<b>357</b>
-<v>4</v>
+<a>332</a>
+<b>333</b>
+<v>2</v>
 </b>
 <b>
-<a>365</a>
-<b>366</b>
-<v>4</v>
+<a>341</a>
+<b>342</b>
+<v>2</v>
 </b>
 </bs>
 </hist>
@@ -14104,107 +16175,107 @@
 <b>
 <a>2</a>
 <b>3</b>
-<v>4</v>
+<v>2</v>
 </b>
 <b>
 <a>4</a>
 <b>5</b>
-<v>4</v>
+<v>2</v>
 </b>
 <b>
 <a>6</a>
 <b>7</b>
-<v>4</v>
+<v>2</v>
 </b>
 <b>
 <a>8</a>
 <b>9</b>
-<v>4</v>
+<v>2</v>
 </b>
 <b>
 <a>10</a>
 <b>11</b>
-<v>4</v>
+<v>2</v>
 </b>
 <b>
 <a>12</a>
 <b>13</b>
-<v>4</v>
+<v>2</v>
 </b>
 <b>
 <a>14</a>
 <b>15</b>
-<v>4</v>
+<v>2</v>
 </b>
 <b>
 <a>18</a>
 <b>19</b>
-<v>4</v>
+<v>2</v>
 </b>
 <b>
 <a>22</a>
 <b>23</b>
-<v>4</v>
+<v>2</v>
 </b>
 <b>
 <a>26</a>
 <b>27</b>
-<v>4</v>
+<v>2</v>
 </b>
 <b>
 <a>30</a>
 <b>31</b>
-<v>4</v>
+<v>2</v>
 </b>
 <b>
 <a>34</a>
 <b>35</b>
-<v>4</v>
+<v>2</v>
 </b>
 <b>
 <a>38</a>
 <b>39</b>
-<v>4</v>
+<v>2</v>
 </b>
 <b>
 <a>43</a>
 <b>44</b>
-<v>4</v>
+<v>2</v>
 </b>
 <b>
 <a>51</a>
 <b>52</b>
-<v>4</v>
+<v>2</v>
 </b>
 <b>
 <a>59</a>
 <b>60</b>
-<v>4</v>
+<v>2</v>
 </b>
 <b>
 <a>80</a>
 <b>81</b>
-<v>4</v>
+<v>2</v>
 </b>
 <b>
 <a>93</a>
 <b>94</b>
-<v>4</v>
+<v>2</v>
 </b>
 <b>
 <a>123</a>
 <b>124</b>
-<v>4</v>
+<v>2</v>
 </b>
 <b>
-<a>356</a>
-<b>357</b>
-<v>4</v>
+<a>332</a>
+<b>333</b>
+<v>2</v>
 </b>
 <b>
-<a>365</a>
-<b>366</b>
-<v>4</v>
+<a>341</a>
+<b>342</b>
+<v>2</v>
 </b>
 </bs>
 </hist>
@@ -14220,7 +16291,7 @@
 <b>
 <a>1</a>
 <b>2</b>
-<v>6789</v>
+<v>3374</v>
 </b>
 </bs>
 </hist>
@@ -14236,7 +16307,7 @@
 <b>
 <a>1</a>
 <b>2</b>
-<v>6789</v>
+<v>3374</v>
 </b>
 </bs>
 </hist>
@@ -14246,19 +16317,19 @@
 </relation>
 <relation>
 <name>attributes</name>
-<cardinality>745432</cardinality>
+<cardinality>368399</cardinality>
 <columnsizes>
 <e>
 <k>id</k>
-<v>745432</v>
+<v>368399</v>
 </e>
 <e>
 <k>type_id</k>
-<v>1685</v>
+<v>867</v>
 </e>
 <e>
 <k>target</k>
-<v>427033</v>
+<v>219716</v>
 </e>
 </columnsizes>
 <dependencies>
@@ -14272,7 +16343,7 @@
 <b>
 <a>1</a>
 <b>2</b>
-<v>745432</v>
+<v>368399</v>
 </b>
 </bs>
 </hist>
@@ -14288,7 +16359,7 @@
 <b>
 <a>1</a>
 <b>2</b>
-<v>745432</v>
+<v>368399</v>
 </b>
 </bs>
 </hist>
@@ -14304,67 +16375,67 @@
 <b>
 <a>1</a>
 <b>2</b>
-<v>189</v>
+<v>115</v>
 </b>
 <b>
 <a>2</a>
 <b>3</b>
-<v>194</v>
+<v>85</v>
 </b>
 <b>
 <a>3</a>
 <b>4</b>
-<v>87</v>
+<v>45</v>
 </b>
 <b>
 <a>4</a>
 <b>7</b>
-<v>141</v>
+<v>72</v>
 </b>
 <b>
 <a>7</a>
-<b>10</b>
-<v>150</v>
+<b>9</b>
+<v>62</v>
 </b>
 <b>
-<a>10</a>
-<b>18</b>
-<v>131</v>
+<a>9</a>
+<b>16</b>
+<v>67</v>
 </b>
 <b>
-<a>18</a>
-<b>28</b>
-<v>131</v>
+<a>16</a>
+<b>23</b>
+<v>65</v>
 </b>
 <b>
-<a>28</a>
-<b>54</b>
-<v>131</v>
+<a>23</a>
+<b>50</b>
+<v>65</v>
 </b>
 <b>
-<a>55</a>
-<b>119</b>
-<v>126</v>
+<a>50</a>
+<b>87</b>
+<v>65</v>
 </b>
 <b>
-<a>119</a>
-<b>232</b>
-<v>126</v>
+<a>90</a>
+<b>188</b>
+<v>65</v>
 </b>
 <b>
-<a>237</a>
-<b>608</b>
-<v>126</v>
+<a>194</a>
+<b>466</b>
+<v>65</v>
 </b>
 <b>
-<a>616</a>
-<b>4825</b>
-<v>126</v>
+<a>498</a>
+<b>1735</b>
+<v>65</v>
 </b>
 <b>
-<a>5142</a>
-<b>41859</b>
-<v>19</v>
+<a>1785</a>
+<b>41857</b>
+<v>27</v>
 </b>
 </bs>
 </hist>
@@ -14380,62 +16451,62 @@
 <b>
 <a>1</a>
 <b>2</b>
-<v>316</v>
+<v>165</v>
 </b>
 <b>
 <a>2</a>
 <b>3</b>
-<v>131</v>
+<v>67</v>
 </b>
 <b>
 <a>3</a>
 <b>4</b>
-<v>77</v>
+<v>40</v>
 </b>
 <b>
 <a>4</a>
 <b>6</b>
-<v>141</v>
+<v>72</v>
 </b>
 <b>
 <a>6</a>
 <b>9</b>
-<v>141</v>
+<v>72</v>
 </b>
 <b>
 <a>9</a>
 <b>15</b>
-<v>126</v>
+<v>65</v>
 </b>
 <b>
 <a>15</a>
-<b>25</b>
-<v>126</v>
+<b>26</b>
+<v>67</v>
 </b>
 <b>
-<a>25</a>
-<b>47</b>
-<v>131</v>
+<a>26</a>
+<b>48</b>
+<v>65</v>
 </b>
 <b>
-<a>47</a>
-<b>81</b>
-<v>126</v>
+<a>48</a>
+<b>82</b>
+<v>67</v>
 </b>
 <b>
-<a>81</a>
-<b>176</b>
-<v>126</v>
+<a>82</a>
+<b>182</b>
+<v>65</v>
 </b>
 <b>
-<a>180</a>
-<b>563</b>
-<v>126</v>
+<a>183</a>
+<b>607</b>
+<v>65</v>
 </b>
 <b>
-<a>596</a>
-<b>39379</b>
-<v>112</v>
+<a>607</a>
+<b>39377</b>
+<v>52</v>
 </b>
 </bs>
 </hist>
@@ -14451,17 +16522,17 @@
 <b>
 <a>1</a>
 <b>2</b>
-<v>365083</v>
+<v>188082</v>
 </b>
 <b>
 <a>2</a>
 <b>3</b>
-<v>47483</v>
+<v>24348</v>
 </b>
 <b>
 <a>3</a>
 <b>957</b>
-<v>14465</v>
+<v>7284</v>
 </b>
 </bs>
 </hist>
@@ -14477,17 +16548,17 @@
 <b>
 <a>1</a>
 <b>2</b>
-<v>394293</v>
+<v>202865</v>
 </b>
 <b>
 <a>2</a>
 <b>16</b>
-<v>32370</v>
+<v>16660</v>
 </b>
 <b>
 <a>16</a>
 <b>20</b>
-<v>370</v>
+<v>190</v>
 </b>
 </bs>
 </hist>
@@ -14497,15 +16568,15 @@
 </relation>
 <relation>
 <name>attribute_location</name>
-<cardinality>813489</cardinality>
+<cardinality>403061</cardinality>
 <columnsizes>
 <e>
 <k>id</k>
-<v>745432</v>
+<v>368399</v>
 </e>
 <e>
 <k>loc</k>
-<v>72329</v>
+<v>36840</v>
 </e>
 </columnsizes>
 <dependencies>
@@ -14519,12 +16590,12 @@
 <b>
 <a>1</a>
 <b>2</b>
-<v>677374</v>
+<v>333737</v>
 </b>
 <b>
 <a>2</a>
 <b>3</b>
-<v>68057</v>
+<v>34662</v>
 </b>
 </bs>
 </hist>
@@ -14540,12 +16611,12 @@
 <b>
 <a>1</a>
 <b>2</b>
-<v>68125</v>
+<v>34677</v>
 </b>
 <b>
 <a>4</a>
-<b>26598</b>
-<v>4203</v>
+<b>22087</b>
+<v>2163</v>
 </b>
 </bs>
 </hist>
@@ -14555,19 +16626,19 @@
 </relation>
 <relation>
 <name>type_mention</name>
-<cardinality>1248753</cardinality>
+<cardinality>622003</cardinality>
 <columnsizes>
 <e>
 <k>id</k>
-<v>1248753</v>
+<v>622003</v>
 </e>
 <e>
 <k>type_id</k>
-<v>35320</v>
+<v>21696</v>
 </e>
 <e>
 <k>parent</k>
-<v>1030328</v>
+<v>541633</v>
 </e>
 </columnsizes>
 <dependencies>
@@ -14581,7 +16652,7 @@
 <b>
 <a>1</a>
 <b>2</b>
-<v>1248753</v>
+<v>622003</v>
 </b>
 </bs>
 </hist>
@@ -14597,7 +16668,7 @@
 <b>
 <a>1</a>
 <b>2</b>
-<v>1248753</v>
+<v>622003</v>
 </b>
 </bs>
 </hist>
@@ -14613,52 +16684,52 @@
 <b>
 <a>1</a>
 <b>2</b>
-<v>5816</v>
+<v>5029</v>
 </b>
 <b>
 <a>2</a>
 <b>3</b>
-<v>7141</v>
+<v>4912</v>
 </b>
 <b>
 <a>3</a>
 <b>4</b>
-<v>3606</v>
+<v>1876</v>
 </b>
 <b>
 <a>4</a>
 <b>5</b>
-<v>4008</v>
+<v>1650</v>
 </b>
 <b>
 <a>5</a>
 <b>6</b>
-<v>2068</v>
+<v>1080</v>
 </b>
 <b>
 <a>6</a>
 <b>8</b>
-<v>2769</v>
+<v>1622</v>
 </b>
 <b>
 <a>8</a>
 <b>12</b>
-<v>2851</v>
+<v>1671</v>
 </b>
 <b>
 <a>12</a>
-<b>22</b>
-<v>2719</v>
+<b>24</b>
+<v>1673</v>
 </b>
 <b>
-<a>22</a>
-<b>69</b>
-<v>2650</v>
+<a>24</a>
+<b>119</b>
+<v>1633</v>
 </b>
 <b>
-<a>69</a>
-<b>80289</b>
-<v>1690</v>
+<a>119</a>
+<b>44145</b>
+<v>547</v>
 </b>
 </bs>
 </hist>
@@ -14674,52 +16745,47 @@
 <b>
 <a>1</a>
 <b>2</b>
-<v>10023</v>
+<v>6457</v>
 </b>
 <b>
 <a>2</a>
 <b>3</b>
-<v>5791</v>
+<v>4662</v>
 </b>
 <b>
 <a>3</a>
 <b>4</b>
-<v>3445</v>
+<v>1635</v>
 </b>
 <b>
 <a>4</a>
 <b>5</b>
-<v>2998</v>
+<v>1239</v>
 </b>
 <b>
 <a>5</a>
-<b>6</b>
-<v>2033</v>
+<b>7</b>
+<v>1984</v>
 </b>
 <b>
-<a>6</a>
-<b>8</b>
-<v>2535</v>
+<a>7</a>
+<b>11</b>
+<v>1965</v>
 </b>
 <b>
-<a>8</a>
-<b>13</b>
-<v>2755</v>
+<a>11</a>
+<b>22</b>
+<v>1628</v>
 </b>
 <b>
-<a>13</a>
-<b>29</b>
-<v>2680</v>
+<a>22</a>
+<b>120</b>
+<v>1627</v>
 </b>
 <b>
-<a>29</a>
-<b>263</b>
-<v>2649</v>
-</b>
-<b>
-<a>263</a>
-<b>66416</b>
-<v>407</v>
+<a>120</a>
+<b>38647</b>
+<v>494</v>
 </b>
 </bs>
 </hist>
@@ -14735,17 +16801,17 @@
 <b>
 <a>1</a>
 <b>2</b>
-<v>876054</v>
+<v>480732</v>
 </b>
 <b>
 <a>2</a>
 <b>3</b>
-<v>138071</v>
+<v>55624</v>
 </b>
 <b>
 <a>3</a>
-<b>182</b>
-<v>16201</v>
+<b>187</b>
+<v>5276</v>
 </b>
 </bs>
 </hist>
@@ -14761,12 +16827,12 @@
 <b>
 <a>1</a>
 <b>2</b>
-<v>1011022</v>
+<v>532606</v>
 </b>
 <b>
 <a>2</a>
 <b>22</b>
-<v>19306</v>
+<v>9026</v>
 </b>
 </bs>
 </hist>
@@ -14776,15 +16842,15 @@
 </relation>
 <relation>
 <name>type_mention_location</name>
-<cardinality>1248753</cardinality>
+<cardinality>626999</cardinality>
 <columnsizes>
 <e>
 <k>id</k>
-<v>1248753</v>
+<v>626999</v>
 </e>
 <e>
 <k>loc</k>
-<v>1167809</v>
+<v>593108</v>
 </e>
 </columnsizes>
 <dependencies>
@@ -14798,7 +16864,7 @@
 <b>
 <a>1</a>
 <b>2</b>
-<v>1248753</v>
+<v>626999</v>
 </b>
 </bs>
 </hist>
@@ -14814,12 +16880,12 @@
 <b>
 <a>1</a>
 <b>2</b>
-<v>1139400</v>
+<v>572155</v>
 </b>
 <b>
 <a>2</a>
-<b>199</b>
-<v>28408</v>
+<b>187</b>
+<v>20953</v>
 </b>
 </bs>
 </hist>
@@ -14829,15 +16895,15 @@
 </relation>
 <relation>
 <name>type_annotation</name>
-<cardinality>50927</cardinality>
+<cardinality>25557</cardinality>
 <columnsizes>
 <e>
 <k>id</k>
-<v>50927</v>
+<v>25557</v>
 </e>
 <e>
 <k>annotation</k>
-<v>14</v>
+<v>7</v>
 </e>
 </columnsizes>
 <dependencies>
@@ -14851,7 +16917,7 @@
 <b>
 <a>1</a>
 <b>2</b>
-<v>50927</v>
+<v>25557</v>
 </b>
 </bs>
 </hist>
@@ -14865,19 +16931,19 @@
 <budget>12</budget>
 <bs>
 <b>
-<a>1306</a>
-<b>1307</b>
-<v>4</v>
+<a>1305</a>
+<b>1306</b>
+<v>2</v>
 </b>
 <b>
-<a>2047</a>
-<b>2048</b>
-<v>4</v>
+<a>2046</a>
+<b>2047</b>
+<v>2</v>
 </b>
 <b>
-<a>7103</a>
-<b>7104</b>
-<v>4</v>
+<a>6844</a>
+<b>6845</b>
+<v>2</v>
 </b>
 </bs>
 </hist>
@@ -14887,15 +16953,15 @@
 </relation>
 <relation>
 <name>nullability</name>
-<cardinality>1996</cardinality>
+<cardinality>997</cardinality>
 <columnsizes>
 <e>
 <k>nullability</k>
-<v>1996</v>
+<v>997</v>
 </e>
 <e>
 <k>kind</k>
-<v>14</v>
+<v>7</v>
 </e>
 </columnsizes>
 <dependencies>
@@ -14909,7 +16975,7 @@
 <b>
 <a>1</a>
 <b>2</b>
-<v>1996</v>
+<v>997</v>
 </b>
 </bs>
 </hist>
@@ -14925,17 +16991,17 @@
 <b>
 <a>13</a>
 <b>14</b>
-<v>4</v>
+<v>2</v>
 </b>
 <b>
-<a>127</a>
-<b>128</b>
-<v>4</v>
+<a>120</a>
+<b>121</b>
+<v>2</v>
 </b>
 <b>
-<a>270</a>
-<b>271</b>
-<v>4</v>
+<a>265</a>
+<b>266</b>
+<v>2</v>
 </b>
 </bs>
 </hist>
@@ -14945,19 +17011,19 @@
 </relation>
 <relation>
 <name>nullability_parent</name>
-<cardinality>6278</cardinality>
+<cardinality>3146</cardinality>
 <columnsizes>
 <e>
 <k>nullability</k>
-<v>521</v>
+<v>265</v>
 </e>
 <e>
 <k>index</k>
-<v>102</v>
+<v>52</v>
 </e>
 <e>
 <k>parent</k>
-<v>1982</v>
+<v>990</v>
 </e>
 </columnsizes>
 <dependencies>
@@ -14971,22 +17037,22 @@
 <b>
 <a>1</a>
 <b>2</b>
-<v>340</v>
+<v>172</v>
 </b>
 <b>
 <a>2</a>
 <b>3</b>
-<v>116</v>
+<v>60</v>
 </b>
 <b>
 <a>3</a>
 <b>5</b>
-<v>34</v>
+<v>17</v>
 </b>
 <b>
 <a>5</a>
 <b>22</b>
-<v>29</v>
+<v>15</v>
 </b>
 </bs>
 </hist>
@@ -15002,37 +17068,37 @@
 <b>
 <a>1</a>
 <b>2</b>
-<v>243</v>
+<v>125</v>
 </b>
 <b>
 <a>2</a>
 <b>3</b>
-<v>92</v>
+<v>47</v>
 </b>
 <b>
 <a>3</a>
 <b>4</b>
-<v>53</v>
+<v>30</v>
 </b>
 <b>
 <a>4</a>
 <b>5</b>
-<v>38</v>
+<v>15</v>
 </b>
 <b>
 <a>5</a>
 <b>8</b>
-<v>38</v>
+<v>22</v>
 </b>
 <b>
 <a>8</a>
-<b>44</b>
-<v>43</v>
+<b>41</b>
+<v>20</v>
 </b>
 <b>
-<a>138</a>
-<b>207</b>
-<v>9</v>
+<a>136</a>
+<b>201</b>
+<v>5</v>
 </b>
 </bs>
 </hist>
@@ -15048,37 +17114,37 @@
 <b>
 <a>1</a>
 <b>2</b>
-<v>19</v>
+<v>10</v>
 </b>
 <b>
 <a>3</a>
 <b>4</b>
-<v>53</v>
+<v>27</v>
 </b>
 <b>
 <a>5</a>
 <b>6</b>
-<v>4</v>
+<v>2</v>
 </b>
 <b>
 <a>7</a>
 <b>8</b>
-<v>4</v>
+<v>2</v>
 </b>
 <b>
 <a>17</a>
 <b>18</b>
-<v>9</v>
+<v>5</v>
 </b>
 <b>
 <a>39</a>
 <b>40</b>
-<v>4</v>
+<v>2</v>
 </b>
 <b>
-<a>88</a>
-<b>89</b>
-<v>4</v>
+<a>87</a>
+<b>88</b>
+<v>2</v>
 </b>
 </bs>
 </hist>
@@ -15094,97 +17160,97 @@
 <b>
 <a>1</a>
 <b>2</b>
-<v>9</v>
+<v>5</v>
 </b>
 <b>
 <a>2</a>
 <b>3</b>
-<v>9</v>
+<v>5</v>
 </b>
 <b>
 <a>4</a>
 <b>5</b>
-<v>4</v>
+<v>2</v>
 </b>
 <b>
 <a>6</a>
 <b>7</b>
-<v>4</v>
+<v>2</v>
 </b>
 <b>
 <a>8</a>
 <b>9</b>
-<v>4</v>
+<v>2</v>
 </b>
 <b>
 <a>10</a>
 <b>11</b>
-<v>4</v>
+<v>2</v>
 </b>
 <b>
 <a>12</a>
 <b>13</b>
-<v>4</v>
+<v>2</v>
 </b>
 <b>
 <a>14</a>
 <b>15</b>
-<v>4</v>
+<v>2</v>
 </b>
 <b>
 <a>16</a>
 <b>17</b>
-<v>4</v>
+<v>2</v>
 </b>
 <b>
 <a>20</a>
 <b>21</b>
-<v>4</v>
+<v>2</v>
 </b>
 <b>
 <a>22</a>
 <b>23</b>
-<v>4</v>
+<v>2</v>
 </b>
 <b>
 <a>40</a>
 <b>41</b>
-<v>4</v>
+<v>2</v>
 </b>
 <b>
 <a>44</a>
 <b>45</b>
-<v>4</v>
+<v>2</v>
 </b>
 <b>
-<a>52</a>
-<b>53</b>
-<v>4</v>
+<a>51</a>
+<b>52</b>
+<v>2</v>
 </b>
 <b>
-<a>69</a>
-<b>70</b>
-<v>4</v>
+<a>67</a>
+<b>68</b>
+<v>2</v>
 </b>
 <b>
-<a>97</a>
-<b>98</b>
-<v>4</v>
+<a>94</a>
+<b>95</b>
+<v>2</v>
 </b>
 <b>
-<a>157</a>
-<b>158</b>
-<v>4</v>
+<a>151</a>
+<b>152</b>
+<v>2</v>
 </b>
 <b>
-<a>305</a>
-<b>306</b>
-<v>4</v>
+<a>295</a>
+<b>296</b>
+<v>2</v>
 </b>
 <b>
-<a>407</a>
-<b>408</b>
-<v>4</v>
+<a>395</a>
+<b>396</b>
+<v>2</v>
 </b>
 </bs>
 </hist>
@@ -15200,17 +17266,17 @@
 <b>
 <a>1</a>
 <b>2</b>
-<v>594</v>
+<v>295</v>
 </b>
 <b>
 <a>2</a>
 <b>3</b>
-<v>1227</v>
+<v>616</v>
 </b>
 <b>
 <a>3</a>
 <b>4</b>
-<v>160</v>
+<v>77</v>
 </b>
 </bs>
 </hist>
@@ -15226,37 +17292,37 @@
 <b>
 <a>1</a>
 <b>2</b>
-<v>496</v>
+<v>250</v>
 </b>
 <b>
 <a>2</a>
 <b>3</b>
-<v>720</v>
+<v>360</v>
 </b>
 <b>
 <a>3</a>
 <b>4</b>
-<v>292</v>
+<v>142</v>
 </b>
 <b>
 <a>4</a>
 <b>5</b>
-<v>136</v>
+<v>67</v>
 </b>
 <b>
 <a>5</a>
 <b>8</b>
-<v>141</v>
+<v>67</v>
 </b>
 <b>
 <a>8</a>
-<b>15</b>
-<v>155</v>
+<b>14</b>
+<v>75</v>
 </b>
 <b>
-<a>15</a>
+<a>14</a>
 <b>22</b>
-<v>38</v>
+<v>25</v>
 </b>
 </bs>
 </hist>
@@ -15266,15 +17332,15 @@
 </relation>
 <relation>
 <name>type_nullability</name>
-<cardinality>4590375</cardinality>
+<cardinality>2271603</cardinality>
 <columnsizes>
 <e>
 <k>id</k>
-<v>4523440</v>
+<v>2238788</v>
 </e>
 <e>
 <k>nullability</k>
-<v>954</v>
+<v>601</v>
 </e>
 </columnsizes>
 <dependencies>
@@ -15288,12 +17354,12 @@
 <b>
 <a>1</a>
 <b>2</b>
-<v>4462909</v>
+<v>2209099</v>
 </b>
 <b>
 <a>2</a>
 <b>9</b>
-<v>60531</v>
+<v>29689</v>
 </b>
 </bs>
 </hist>
@@ -15309,62 +17375,57 @@
 <b>
 <a>1</a>
 <b>2</b>
-<v>161</v>
+<v>131</v>
 </b>
 <b>
 <a>2</a>
 <b>3</b>
-<v>141</v>
+<v>81</v>
 </b>
 <b>
 <a>3</a>
 <b>4</b>
-<v>62</v>
+<v>35</v>
 </b>
 <b>
 <a>4</a>
 <b>5</b>
-<v>66</v>
+<v>38</v>
 </b>
 <b>
 <a>5</a>
 <b>7</b>
-<v>80</v>
+<v>48</v>
 </b>
 <b>
 <a>7</a>
 <b>10</b>
-<v>69</v>
+<v>48</v>
 </b>
 <b>
 <a>10</a>
-<b>14</b>
-<v>73</v>
+<b>13</b>
+<v>46</v>
 </b>
 <b>
-<a>14</a>
+<a>13</a>
 <b>23</b>
-<v>76</v>
+<v>50</v>
 </b>
 <b>
 <a>23</a>
-<b>41</b>
-<v>72</v>
+<b>61</b>
+<v>46</v>
 </b>
 <b>
-<a>41</a>
-<b>123</b>
-<v>72</v>
+<a>63</a>
+<b>224</b>
+<v>46</v>
 </b>
 <b>
-<a>123</a>
-<b>4090</b>
-<v>72</v>
-</b>
-<b>
-<a>4576</a>
-<b>3672417</b>
-<v>10</v>
+<a>278</a>
+<b>1814893</b>
+<v>32</v>
 </b>
 </bs>
 </hist>
@@ -15374,11 +17435,11 @@
 </relation>
 <relation>
 <name>expr_flowstate</name>
-<cardinality>2981562</cardinality>
+<cardinality>1300115</cardinality>
 <columnsizes>
 <e>
 <k>id</k>
-<v>2981562</v>
+<v>1300115</v>
 </e>
 <e>
 <k>state</k>
@@ -15396,7 +17457,7 @@
 <b>
 <a>1</a>
 <b>2</b>
-<v>2981562</v>
+<v>1300115</v>
 </b>
 </bs>
 </hist>
@@ -15410,13 +17471,13 @@
 <budget>12</budget>
 <bs>
 <b>
-<a>197309</a>
-<b>197310</b>
+<a>116006</a>
+<b>116007</b>
 <v>1</v>
 </b>
 <b>
-<a>2193026</a>
-<b>2193027</b>
+<a>1113915</a>
+<b>1113916</b>
 <v>1</v>
 </b>
 </bs>
@@ -15427,23 +17488,23 @@
 </relation>
 <relation>
 <name>type_parameters</name>
-<cardinality>202686</cardinality>
+<cardinality>102354</cardinality>
 <columnsizes>
 <e>
 <k>id</k>
-<v>202686</v>
+<v>102354</v>
 </e>
 <e>
 <k>index</k>
-<v>102</v>
+<v>52</v>
 </e>
 <e>
 <k>generic_id</k>
-<v>103705</v>
+<v>51560</v>
 </e>
 <e>
 <k>variance</k>
-<v>14</v>
+<v>7</v>
 </e>
 </columnsizes>
 <dependencies>
@@ -15457,7 +17518,7 @@
 <b>
 <a>1</a>
 <b>2</b>
-<v>202686</v>
+<v>102354</v>
 </b>
 </bs>
 </hist>
@@ -15473,7 +17534,7 @@
 <b>
 <a>1</a>
 <b>2</b>
-<v>202686</v>
+<v>102354</v>
 </b>
 </bs>
 </hist>
@@ -15489,7 +17550,7 @@
 <b>
 <a>1</a>
 <b>2</b>
-<v>202686</v>
+<v>102354</v>
 </b>
 </bs>
 </hist>
@@ -15505,107 +17566,107 @@
 <b>
 <a>5</a>
 <b>6</b>
-<v>4</v>
+<v>2</v>
 </b>
 <b>
 <a>8</a>
 <b>9</b>
-<v>4</v>
+<v>2</v>
 </b>
 <b>
 <a>12</a>
 <b>13</b>
-<v>4</v>
+<v>2</v>
 </b>
 <b>
 <a>15</a>
 <b>16</b>
-<v>4</v>
+<v>2</v>
 </b>
 <b>
 <a>48</a>
 <b>49</b>
-<v>4</v>
+<v>2</v>
 </b>
 <b>
 <a>170</a>
 <b>171</b>
-<v>4</v>
+<v>2</v>
 </b>
 <b>
 <a>298</a>
 <b>299</b>
-<v>4</v>
+<v>2</v>
 </b>
 <b>
 <a>429</a>
 <b>430</b>
-<v>4</v>
+<v>2</v>
 </b>
 <b>
 <a>560</a>
 <b>561</b>
-<v>4</v>
+<v>2</v>
 </b>
 <b>
 <a>691</a>
 <b>692</b>
-<v>4</v>
+<v>2</v>
 </b>
 <b>
 <a>822</a>
 <b>823</b>
-<v>4</v>
+<v>2</v>
 </b>
 <b>
 <a>954</a>
 <b>955</b>
-<v>4</v>
+<v>2</v>
 </b>
 <b>
 <a>1089</a>
 <b>1090</b>
-<v>4</v>
+<v>2</v>
 </b>
 <b>
 <a>1240</a>
 <b>1241</b>
-<v>4</v>
+<v>2</v>
 </b>
 <b>
 <a>1385</a>
 <b>1386</b>
-<v>4</v>
+<v>2</v>
 </b>
 <b>
 <a>1539</a>
 <b>1540</b>
-<v>4</v>
+<v>2</v>
 </b>
 <b>
-<a>1757</a>
-<b>1758</b>
-<v>4</v>
+<a>1753</a>
+<b>1754</b>
+<v>2</v>
 </b>
 <b>
-<a>2015</a>
-<b>2016</b>
-<v>4</v>
+<a>2007</a>
+<b>2008</b>
+<v>2</v>
 </b>
 <b>
-<a>2536</a>
-<b>2537</b>
-<v>4</v>
+<a>2524</a>
+<b>2525</b>
+<v>2</v>
 </b>
 <b>
-<a>4744</a>
-<b>4745</b>
-<v>4</v>
+<a>4710</a>
+<b>4711</b>
+<v>2</v>
 </b>
 <b>
-<a>21279</a>
-<b>21280</b>
-<v>4</v>
+<a>20558</a>
+<b>20559</b>
+<v>2</v>
 </b>
 </bs>
 </hist>
@@ -15621,107 +17682,107 @@
 <b>
 <a>5</a>
 <b>6</b>
-<v>4</v>
+<v>2</v>
 </b>
 <b>
 <a>8</a>
 <b>9</b>
-<v>4</v>
+<v>2</v>
 </b>
 <b>
 <a>12</a>
 <b>13</b>
-<v>4</v>
+<v>2</v>
 </b>
 <b>
 <a>15</a>
 <b>16</b>
-<v>4</v>
+<v>2</v>
 </b>
 <b>
 <a>48</a>
 <b>49</b>
-<v>4</v>
+<v>2</v>
 </b>
 <b>
 <a>170</a>
 <b>171</b>
-<v>4</v>
+<v>2</v>
 </b>
 <b>
 <a>298</a>
 <b>299</b>
-<v>4</v>
+<v>2</v>
 </b>
 <b>
 <a>429</a>
 <b>430</b>
-<v>4</v>
+<v>2</v>
 </b>
 <b>
 <a>560</a>
 <b>561</b>
-<v>4</v>
+<v>2</v>
 </b>
 <b>
 <a>691</a>
 <b>692</b>
-<v>4</v>
+<v>2</v>
 </b>
 <b>
 <a>822</a>
 <b>823</b>
-<v>4</v>
+<v>2</v>
 </b>
 <b>
 <a>954</a>
 <b>955</b>
-<v>4</v>
+<v>2</v>
 </b>
 <b>
 <a>1089</a>
 <b>1090</b>
-<v>4</v>
+<v>2</v>
 </b>
 <b>
 <a>1240</a>
 <b>1241</b>
-<v>4</v>
+<v>2</v>
 </b>
 <b>
 <a>1385</a>
 <b>1386</b>
-<v>4</v>
+<v>2</v>
 </b>
 <b>
 <a>1539</a>
 <b>1540</b>
-<v>4</v>
+<v>2</v>
 </b>
 <b>
-<a>1757</a>
-<b>1758</b>
-<v>4</v>
+<a>1753</a>
+<b>1754</b>
+<v>2</v>
 </b>
 <b>
-<a>2015</a>
-<b>2016</b>
-<v>4</v>
+<a>2007</a>
+<b>2008</b>
+<v>2</v>
 </b>
 <b>
-<a>2536</a>
-<b>2537</b>
-<v>4</v>
+<a>2524</a>
+<b>2525</b>
+<v>2</v>
 </b>
 <b>
-<a>4748</a>
-<b>4749</b>
-<v>4</v>
+<a>4712</a>
+<b>4713</b>
+<v>2</v>
 </b>
 <b>
-<a>21292</a>
-<b>21293</b>
-<v>4</v>
+<a>20568</a>
+<b>20569</b>
+<v>2</v>
 </b>
 </bs>
 </hist>
@@ -15737,17 +17798,17 @@
 <b>
 <a>1</a>
 <b>2</b>
-<v>19</v>
+<v>10</v>
 </b>
 <b>
 <a>2</a>
 <b>3</b>
-<v>4</v>
+<v>2</v>
 </b>
 <b>
 <a>3</a>
 <b>4</b>
-<v>77</v>
+<v>40</v>
 </b>
 </bs>
 </hist>
@@ -15763,22 +17824,22 @@
 <b>
 <a>1</a>
 <b>2</b>
-<v>80579</v>
+<v>39748</v>
 </b>
 <b>
 <a>2</a>
 <b>3</b>
-<v>10773</v>
+<v>5484</v>
 </b>
 <b>
 <a>3</a>
-<b>11</b>
-<v>8348</v>
+<b>10</b>
+<v>3935</v>
 </b>
 <b>
-<a>11</a>
+<a>10</a>
 <b>22</b>
-<v>4003</v>
+<v>2391</v>
 </b>
 </bs>
 </hist>
@@ -15794,22 +17855,22 @@
 <b>
 <a>1</a>
 <b>2</b>
-<v>80579</v>
+<v>39748</v>
 </b>
 <b>
 <a>2</a>
 <b>3</b>
-<v>10773</v>
+<v>5484</v>
 </b>
 <b>
 <a>3</a>
-<b>11</b>
-<v>8348</v>
+<b>10</b>
+<v>3935</v>
 </b>
 <b>
-<a>11</a>
+<a>10</a>
 <b>22</b>
-<v>4003</v>
+<v>2391</v>
 </b>
 </bs>
 </hist>
@@ -15825,12 +17886,12 @@
 <b>
 <a>1</a>
 <b>2</b>
-<v>103554</v>
+<v>51482</v>
 </b>
 <b>
 <a>2</a>
 <b>3</b>
-<v>150</v>
+<v>77</v>
 </b>
 </bs>
 </hist>
@@ -15846,17 +17907,17 @@
 <b>
 <a>68</a>
 <b>69</b>
-<v>4</v>
+<v>2</v>
 </b>
 <b>
 <a>310</a>
 <b>311</b>
-<v>4</v>
+<v>2</v>
 </b>
 <b>
-<a>41219</a>
-<b>41220</b>
-<v>4</v>
+<a>40440</a>
+<b>40441</b>
+<v>2</v>
 </b>
 </bs>
 </hist>
@@ -15872,17 +17933,17 @@
 <b>
 <a>16</a>
 <b>17</b>
-<v>4</v>
+<v>2</v>
 </b>
 <b>
 <a>17</a>
 <b>18</b>
-<v>4</v>
+<v>2</v>
 </b>
 <b>
 <a>21</a>
 <b>22</b>
-<v>4</v>
+<v>2</v>
 </b>
 </bs>
 </hist>
@@ -15898,17 +17959,17 @@
 <b>
 <a>65</a>
 <b>66</b>
-<v>4</v>
+<v>2</v>
 </b>
 <b>
 <a>72</a>
 <b>73</b>
-<v>4</v>
+<v>2</v>
 </b>
 <b>
-<a>21186</a>
-<b>21187</b>
-<v>4</v>
+<a>20462</a>
+<b>20463</b>
+<v>2</v>
 </b>
 </bs>
 </hist>
@@ -15918,19 +17979,19 @@
 </relation>
 <relation>
 <name>type_arguments</name>
-<cardinality>643772</cardinality>
+<cardinality>315219</cardinality>
 <columnsizes>
 <e>
 <k>id</k>
-<v>273252</v>
+<v>136875</v>
 </e>
 <e>
 <k>index</k>
-<v>102</v>
+<v>52</v>
 </e>
 <e>
 <k>constructed_id</k>
-<v>412879</v>
+<v>201248</v>
 </e>
 </columnsizes>
 <dependencies>
@@ -15944,17 +18005,17 @@
 <b>
 <a>1</a>
 <b>2</b>
-<v>234662</v>
+<v>119004</v>
 </b>
 <b>
 <a>2</a>
 <b>3</b>
-<v>37114</v>
+<v>17166</v>
 </b>
 <b>
 <a>3</a>
 <b>21</b>
-<v>1475</v>
+<v>704</v>
 </b>
 </bs>
 </hist>
@@ -15970,27 +18031,27 @@
 <b>
 <a>1</a>
 <b>2</b>
-<v>173930</v>
+<v>88393</v>
 </b>
 <b>
 <a>2</a>
 <b>3</b>
-<v>56470</v>
+<v>27419</v>
 </b>
 <b>
 <a>3</a>
 <b>5</b>
-<v>20568</v>
+<v>10305</v>
 </b>
 <b>
 <a>5</a>
-<b>23</b>
-<v>20651</v>
+<b>25</b>
+<v>10278</v>
 </b>
 <b>
-<a>23</a>
-<b>2800</b>
-<v>1631</v>
+<a>25</a>
+<b>2394</b>
+<v>478</v>
 </b>
 </bs>
 </hist>
@@ -16006,97 +18067,97 @@
 <b>
 <a>2</a>
 <b>3</b>
-<v>14</v>
+<v>7</v>
 </b>
 <b>
 <a>3</a>
 <b>4</b>
-<v>4</v>
+<v>2</v>
 </b>
 <b>
 <a>55</a>
 <b>56</b>
-<v>4</v>
+<v>2</v>
 </b>
 <b>
 <a>167</a>
 <b>168</b>
-<v>4</v>
+<v>2</v>
 </b>
 <b>
 <a>283</a>
 <b>284</b>
-<v>4</v>
+<v>2</v>
 </b>
 <b>
 <a>402</a>
 <b>403</b>
-<v>4</v>
+<v>2</v>
 </b>
 <b>
 <a>521</a>
 <b>522</b>
-<v>4</v>
+<v>2</v>
 </b>
 <b>
 <a>640</a>
 <b>641</b>
-<v>4</v>
+<v>2</v>
 </b>
 <b>
 <a>759</a>
 <b>760</b>
-<v>4</v>
+<v>2</v>
 </b>
 <b>
 <a>883</a>
 <b>884</b>
-<v>4</v>
+<v>2</v>
 </b>
 <b>
 <a>1002</a>
 <b>1003</b>
-<v>4</v>
+<v>2</v>
 </b>
 <b>
 <a>1232</a>
 <b>1233</b>
-<v>4</v>
+<v>2</v>
 </b>
 <b>
 <a>1327</a>
 <b>1328</b>
-<v>4</v>
+<v>2</v>
 </b>
 <b>
-<a>1515</a>
-<b>1516</b>
-<v>4</v>
+<a>1510</a>
+<b>1511</b>
+<v>2</v>
 </b>
 <b>
-<a>1729</a>
-<b>1730</b>
-<v>4</v>
+<a>1717</a>
+<b>1718</b>
+<v>2</v>
 </b>
 <b>
-<a>2010</a>
-<b>2011</b>
-<v>4</v>
+<a>1979</a>
+<b>1980</b>
+<v>2</v>
 </b>
 <b>
-<a>4190</a>
-<b>4191</b>
-<v>4</v>
+<a>3839</a>
+<b>3840</b>
+<v>2</v>
 </b>
 <b>
-<a>14311</a>
-<b>14312</b>
-<v>4</v>
+<a>13565</a>
+<b>13566</b>
+<v>2</v>
 </b>
 <b>
-<a>33697</a>
-<b>33698</b>
-<v>4</v>
+<a>32507</a>
+<b>32508</b>
+<v>2</v>
 </b>
 </bs>
 </hist>
@@ -16112,97 +18173,97 @@
 <b>
 <a>2</a>
 <b>3</b>
-<v>9</v>
+<v>5</v>
 </b>
 <b>
 <a>3</a>
 <b>4</b>
-<v>9</v>
+<v>5</v>
 </b>
 <b>
 <a>96</a>
 <b>97</b>
-<v>4</v>
+<v>2</v>
 </b>
 <b>
 <a>227</a>
 <b>228</b>
-<v>4</v>
+<v>2</v>
 </b>
 <b>
 <a>365</a>
 <b>366</b>
-<v>4</v>
+<v>2</v>
 </b>
 <b>
 <a>503</a>
 <b>504</b>
-<v>4</v>
+<v>2</v>
 </b>
 <b>
 <a>641</a>
 <b>642</b>
-<v>4</v>
+<v>2</v>
 </b>
 <b>
 <a>779</a>
 <b>780</b>
-<v>4</v>
+<v>2</v>
 </b>
 <b>
 <a>917</a>
 <b>918</b>
-<v>4</v>
+<v>2</v>
 </b>
 <b>
 <a>1061</a>
 <b>1062</b>
-<v>4</v>
+<v>2</v>
 </b>
 <b>
 <a>1201</a>
 <b>1202</b>
-<v>4</v>
+<v>2</v>
 </b>
 <b>
 <a>1456</a>
 <b>1457</b>
-<v>4</v>
+<v>2</v>
 </b>
 <b>
-<a>1643</a>
-<b>1644</b>
-<v>4</v>
+<a>1641</a>
+<b>1642</b>
+<v>2</v>
 </b>
 <b>
-<a>1866</a>
-<b>1867</b>
-<v>4</v>
+<a>1859</a>
+<b>1860</b>
+<v>2</v>
 </b>
 <b>
-<a>2254</a>
-<b>2255</b>
-<v>4</v>
+<a>2240</a>
+<b>2241</b>
+<v>2</v>
 </b>
 <b>
-<a>3022</a>
-<b>3023</b>
-<v>4</v>
+<a>2987</a>
+<b>2988</b>
+<v>2</v>
 </b>
 <b>
-<a>5701</a>
-<b>5702</b>
-<v>4</v>
+<a>5285</a>
+<b>5286</b>
+<v>2</v>
 </b>
 <b>
-<a>25663</a>
-<b>25664</b>
-<v>4</v>
+<a>24196</a>
+<b>24197</b>
+<v>2</v>
 </b>
 <b>
-<a>84769</a>
-<b>84770</b>
-<v>4</v>
+<a>80280</a>
+<b>80281</b>
+<v>2</v>
 </b>
 </bs>
 </hist>
@@ -16218,17 +18279,17 @@
 <b>
 <a>1</a>
 <b>2</b>
-<v>290046</v>
+<v>141661</v>
 </b>
 <b>
 <a>2</a>
 <b>3</b>
-<v>96229</v>
+<v>46887</v>
 </b>
 <b>
 <a>3</a>
 <b>22</b>
-<v>26603</v>
+<v>12699</v>
 </b>
 </bs>
 </hist>
@@ -16244,17 +18305,17 @@
 <b>
 <a>1</a>
 <b>2</b>
-<v>287884</v>
+<v>140593</v>
 </b>
 <b>
 <a>2</a>
 <b>3</b>
-<v>97227</v>
+<v>47406</v>
 </b>
 <b>
 <a>3</a>
 <b>22</b>
-<v>27767</v>
+<v>13248</v>
 </b>
 </bs>
 </hist>
@@ -16264,15 +18325,15 @@
 </relation>
 <relation>
 <name>constructed_generic</name>
-<cardinality>412879</cardinality>
+<cardinality>201248</cardinality>
 <columnsizes>
 <e>
 <k>constructed</k>
-<v>412879</v>
+<v>201248</v>
 </e>
 <e>
 <k>generic</k>
-<v>8577</v>
+<v>4256</v>
 </e>
 </columnsizes>
 <dependencies>
@@ -16286,7 +18347,7 @@
 <b>
 <a>1</a>
 <b>2</b>
-<v>412879</v>
+<v>201248</v>
 </b>
 </bs>
 </hist>
@@ -16302,47 +18363,47 @@
 <b>
 <a>1</a>
 <b>2</b>
-<v>3443</v>
+<v>1737</v>
 </b>
 <b>
 <a>2</a>
 <b>3</b>
-<v>1154</v>
+<v>551</v>
 </b>
 <b>
 <a>3</a>
 <b>4</b>
-<v>618</v>
+<v>293</v>
 </b>
 <b>
 <a>4</a>
 <b>6</b>
-<v>652</v>
+<v>330</v>
 </b>
 <b>
 <a>6</a>
 <b>11</b>
-<v>725</v>
+<v>350</v>
 </b>
 <b>
 <a>11</a>
-<b>26</b>
-<v>647</v>
+<b>25</b>
+<v>328</v>
 </b>
 <b>
-<a>26</a>
-<b>63</b>
-<v>657</v>
+<a>25</a>
+<b>61</b>
+<v>320</v>
 </b>
 <b>
-<a>63</a>
-<b>2866</b>
-<v>647</v>
+<a>61</a>
+<b>2054</b>
+<v>320</v>
 </b>
 <b>
-<a>2964</a>
-<b>11327</b>
-<v>29</v>
+<a>2323</a>
+<b>10856</b>
+<v>22</v>
 </b>
 </bs>
 </hist>
@@ -16352,15 +18413,15 @@
 </relation>
 <relation>
 <name>type_parameter_constraints</name>
-<cardinality>591856</cardinality>
+<cardinality>273733</cardinality>
 <columnsizes>
 <e>
 <k>id</k>
-<v>591856</v>
+<v>273733</v>
 </e>
 <e>
 <k>param_id</k>
-<v>202599</v>
+<v>102321</v>
 </e>
 </columnsizes>
 <dependencies>
@@ -16374,7 +18435,7 @@
 <b>
 <a>1</a>
 <b>2</b>
-<v>591856</v>
+<v>273733</v>
 </b>
 </bs>
 </hist>
@@ -16390,22 +18451,17 @@
 <b>
 <a>1</a>
 <b>2</b>
-<v>167248</v>
+<v>86049</v>
 </b>
 <b>
 <a>2</a>
 <b>3</b>
-<v>19984</v>
+<v>9393</v>
 </b>
 <b>
 <a>3</a>
-<b>307</b>
-<v>15201</v>
-</b>
-<b>
-<a>310</a>
-<b>2107</b>
-<v>165</v>
+<b>1740</b>
+<v>6878</v>
 </b>
 </bs>
 </hist>
@@ -16451,11 +18507,11 @@
 </relation>
 <relation>
 <name>general_type_parameter_constraints</name>
-<cardinality>106710</cardinality>
+<cardinality>40912</cardinality>
 <columnsizes>
 <e>
 <k>id</k>
-<v>60470</v>
+<v>23697</v>
 </e>
 <e>
 <k>kind</k>
@@ -16473,12 +18529,12 @@
 <b>
 <a>1</a>
 <b>2</b>
-<v>14230</v>
+<v>6482</v>
 </b>
 <b>
 <a>2</a>
 <b>3</b>
-<v>46240</v>
+<v>17215</v>
 </b>
 </bs>
 </hist>
@@ -16497,23 +18553,23 @@
 <v>1</v>
 </b>
 <b>
-<a>281</a>
-<b>282</b>
+<a>172</a>
+<b>173</b>
 <v>1</v>
 </b>
 <b>
-<a>5846</a>
-<b>5847</b>
+<a>2708</a>
+<b>2709</b>
 <v>1</v>
 </b>
 <b>
-<a>46183</a>
-<b>46184</b>
+<a>17170</a>
+<b>17171</b>
 <v>1</v>
 </b>
 <b>
-<a>54396</a>
-<b>54397</b>
+<a>20858</a>
+<b>20859</b>
 <v>1</v>
 </b>
 </bs>
@@ -16524,15 +18580,15 @@
 </relation>
 <relation>
 <name>specific_type_parameter_constraints</name>
-<cardinality>46374</cardinality>
+<cardinality>20140</cardinality>
 <columnsizes>
 <e>
 <k>id</k>
-<v>45669</v>
+<v>19736</v>
 </e>
 <e>
 <k>base_id</k>
-<v>1286</v>
+<v>787</v>
 </e>
 </columnsizes>
 <dependencies>
@@ -16546,12 +18602,12 @@
 <b>
 <a>1</a>
 <b>2</b>
-<v>45010</v>
+<v>19370</v>
 </b>
 <b>
 <a>2</a>
 <b>5</b>
-<v>659</v>
+<v>366</v>
 </b>
 </bs>
 </hist>
@@ -16572,58 +18628,48 @@
 <b>
 <a>2</a>
 <b>3</b>
-<v>257</v>
+<v>181</v>
 </b>
 <b>
 <a>3</a>
 <b>4</b>
-<v>73</v>
+<v>57</v>
 </b>
 <b>
 <a>4</a>
 <b>5</b>
-<v>91</v>
+<v>87</v>
 </b>
 <b>
 <a>5</a>
-<b>6</b>
-<v>58</v>
-</b>
-<b>
-<a>6</a>
 <b>7</b>
-<v>138</v>
+<v>70</v>
 </b>
 <b>
 <a>7</a>
 <b>10</b>
-<v>108</v>
+<v>53</v>
 </b>
 <b>
 <a>10</a>
 <b>15</b>
-<v>99</v>
+<v>63</v>
 </b>
 <b>
 <a>15</a>
-<b>21</b>
-<v>111</v>
-</b>
-<b>
-<a>21</a>
-<b>37</b>
-<v>97</v>
-</b>
-<b>
-<a>37</a>
-<b>106</b>
-<v>97</v>
-</b>
-<b>
-<a>108</a>
-<b>4906</b>
+<b>26</b>
 <v>60</v>
 </b>
+<b>
+<a>26</a>
+<b>55</b>
+<v>61</v>
+</b>
+<b>
+<a>56</a>
+<b>3216</b>
+<v>58</v>
+</b>
 </bs>
 </hist>
 </val>
@@ -16632,19 +18678,19 @@
 </relation>
 <relation>
 <name>specific_type_parameter_nullability</name>
-<cardinality>31513</cardinality>
+<cardinality>13207</cardinality>
 <columnsizes>
 <e>
 <k>id</k>
-<v>31366</v>
+<v>13161</v>
 </e>
 <e>
 <k>base_id</k>
-<v>911</v>
+<v>506</v>
 </e>
 <e>
 <k>nullability</k>
-<v>17</v>
+<v>11</v>
 </e>
 </columnsizes>
 <dependencies>
@@ -16658,12 +18704,12 @@
 <b>
 <a>1</a>
 <b>2</b>
-<v>31219</v>
+<v>13115</v>
 </b>
 <b>
 <a>2</a>
 <b>3</b>
-<v>147</v>
+<v>46</v>
 </b>
 </bs>
 </hist>
@@ -16679,7 +18725,7 @@
 <b>
 <a>1</a>
 <b>2</b>
-<v>31366</v>
+<v>13161</v>
 </b>
 </bs>
 </hist>
@@ -16695,67 +18741,57 @@
 <b>
 <a>1</a>
 <b>2</b>
-<v>97</v>
+<v>99</v>
 </b>
 <b>
 <a>2</a>
 <b>3</b>
-<v>150</v>
+<v>107</v>
 </b>
 <b>
 <a>3</a>
 <b>4</b>
-<v>48</v>
+<v>37</v>
 </b>
 <b>
 <a>4</a>
 <b>5</b>
-<v>41</v>
+<v>31</v>
 </b>
 <b>
 <a>5</a>
 <b>6</b>
-<v>52</v>
+<v>16</v>
 </b>
 <b>
 <a>6</a>
 <b>7</b>
-<v>102</v>
+<v>41</v>
 </b>
 <b>
 <a>7</a>
-<b>9</b>
-<v>72</v>
+<b>10</b>
+<v>32</v>
 </b>
 <b>
-<a>9</a>
-<b>12</b>
-<v>46</v>
+<a>10</a>
+<b>13</b>
+<v>39</v>
 </b>
 <b>
-<a>12</a>
-<b>16</b>
-<v>69</v>
+<a>13</a>
+<b>26</b>
+<v>38</v>
 </b>
 <b>
-<a>16</a>
-<b>22</b>
-<v>71</v>
+<a>26</a>
+<b>82</b>
+<v>40</v>
 </b>
 <b>
-<a>22</a>
-<b>39</b>
-<v>71</v>
-</b>
-<b>
-<a>39</a>
-<b>186</b>
-<v>69</v>
-</b>
-<b>
-<a>190</a>
-<b>4327</b>
-<v>23</v>
+<a>84</a>
+<b>2385</b>
+<v>26</v>
 </b>
 </bs>
 </hist>
@@ -16771,12 +18807,12 @@
 <b>
 <a>1</a>
 <b>2</b>
-<v>889</v>
+<v>497</v>
 </b>
 <b>
 <a>2</a>
 <b>3</b>
-<v>22</v>
+<v>9</v>
 </b>
 </bs>
 </hist>
@@ -16797,37 +18833,17 @@
 <b>
 <a>4</a>
 <b>5</b>
-<v>1</v>
+<v>2</v>
 </b>
 <b>
 <a>6</a>
 <b>7</b>
-<v>3</v>
+<v>1</v>
 </b>
 <b>
 <a>8</a>
 <b>9</b>
-<v>1</v>
-</b>
-<b>
-<a>10</a>
-<b>11</b>
-<v>1</v>
-</b>
-<b>
-<a>12</a>
-<b>13</b>
-<v>1</v>
-</b>
-<b>
-<a>16</a>
-<b>17</b>
-<v>1</v>
-</b>
-<b>
-<a>18</a>
-<b>19</b>
-<v>1</v>
+<v>2</v>
 </b>
 <b>
 <a>24</a>
@@ -16835,28 +18851,18 @@
 <v>1</v>
 </b>
 <b>
-<a>64</a>
-<b>65</b>
+<a>41</a>
+<b>42</b>
 <v>1</v>
 </b>
 <b>
-<a>72</a>
-<b>73</b>
+<a>132</a>
+<b>133</b>
 <v>1</v>
 </b>
 <b>
-<a>117</a>
-<b>118</b>
-<v>1</v>
-</b>
-<b>
-<a>386</a>
-<b>387</b>
-<v>1</v>
-</b>
-<b>
-<a>30613</a>
-<b>30614</b>
+<a>12930</a>
+<b>12931</b>
 <v>1</v>
 </b>
 </bs>
@@ -16873,12 +18879,12 @@
 <b>
 <a>1</a>
 <b>2</b>
-<v>6</v>
+<v>2</v>
 </b>
 <b>
 <a>2</a>
 <b>3</b>
-<v>3</v>
+<v>4</v>
 </b>
 <b>
 <a>3</a>
@@ -16888,26 +18894,21 @@
 <b>
 <a>5</a>
 <b>6</b>
-<v>2</v>
+<v>1</v>
+</b>
+<b>
+<a>6</a>
+<b>7</b>
+<v>1</v>
 </b>
 <b>
 <a>9</a>
 <b>10</b>
-<v>2</v>
-</b>
-<b>
-<a>12</a>
-<b>13</b>
 <v>1</v>
 </b>
 <b>
-<a>43</a>
-<b>44</b>
-<v>1</v>
-</b>
-<b>
-<a>835</a>
-<b>836</b>
+<a>482</a>
+<b>483</b>
 <v>1</v>
 </b>
 </bs>
@@ -16918,15 +18919,15 @@
 </relation>
 <relation>
 <name>function_pointer_calling_conventions</name>
-<cardinality>11</cardinality>
+<cardinality>9</cardinality>
 <columnsizes>
 <e>
 <k>id</k>
-<v>11</v>
+<v>9</v>
 </e>
 <e>
 <k>kind</k>
-<v>1</v>
+<v>2</v>
 </e>
 </columnsizes>
 <dependencies>
@@ -16940,7 +18941,7 @@
 <b>
 <a>1</a>
 <b>2</b>
-<v>11</v>
+<v>9</v>
 </b>
 </bs>
 </hist>
@@ -16954,8 +18955,13 @@
 <budget>12</budget>
 <bs>
 <b>
-<a>9</a>
-<b>10</b>
+<a>1</a>
+<b>2</b>
+<v>1</v>
+</b>
+<b>
+<a>8</a>
+<b>9</b>
 <v>1</v>
 </b>
 </bs>
@@ -17046,15 +19052,15 @@
 </relation>
 <relation>
 <name>modifiers</name>
-<cardinality>82</cardinality>
+<cardinality>42</cardinality>
 <columnsizes>
 <e>
 <k>id</k>
-<v>82</v>
+<v>42</v>
 </e>
 <e>
 <k>name</k>
-<v>82</v>
+<v>42</v>
 </e>
 </columnsizes>
 <dependencies>
@@ -17068,7 +19074,7 @@
 <b>
 <a>1</a>
 <b>2</b>
-<v>82</v>
+<v>42</v>
 </b>
 </bs>
 </hist>
@@ -17084,7 +19090,7 @@
 <b>
 <a>1</a>
 <b>2</b>
-<v>82</v>
+<v>42</v>
 </b>
 </bs>
 </hist>
@@ -17094,15 +19100,15 @@
 </relation>
 <relation>
 <name>has_modifiers</name>
-<cardinality>5495911</cardinality>
+<cardinality>2748133</cardinality>
 <columnsizes>
 <e>
 <k>id</k>
-<v>3690851</v>
+<v>1841097</v>
 </e>
 <e>
 <k>mod_id</k>
-<v>82</v>
+<v>40</v>
 </e>
 </columnsizes>
 <dependencies>
@@ -17116,17 +19122,17 @@
 <b>
 <a>1</a>
 <b>2</b>
-<v>2021272</v>
+<v>1002460</v>
 </b>
 <b>
 <a>2</a>
 <b>3</b>
-<v>1535937</v>
+<v>771185</v>
 </b>
 <b>
 <a>3</a>
 <b>5</b>
-<v>133640</v>
+<v>67451</v>
 </b>
 </bs>
 </hist>
@@ -17140,89 +19146,84 @@
 <budget>12</budget>
 <bs>
 <b>
-<a>1</a>
-<b>2</b>
-<v>4</v>
-</b>
-<b>
-<a>15</a>
-<b>16</b>
-<v>4</v>
+<a>5</a>
+<b>6</b>
+<v>2</v>
 </b>
 <b>
 <a>28</a>
 <b>29</b>
-<v>4</v>
+<v>2</v>
 </b>
 <b>
-<a>151</a>
-<b>152</b>
-<v>4</v>
+<a>149</a>
+<b>150</b>
+<v>2</v>
 </b>
 <b>
 <a>360</a>
 <b>361</b>
-<v>4</v>
+<v>2</v>
 </b>
 <b>
-<a>6163</a>
-<b>6164</b>
-<v>4</v>
+<a>5658</a>
+<b>5659</b>
+<v>2</v>
 </b>
 <b>
-<a>16387</a>
-<b>16388</b>
-<v>4</v>
+<a>16373</a>
+<b>16374</b>
+<v>2</v>
 </b>
 <b>
-<a>23881</a>
-<b>23882</b>
-<v>4</v>
+<a>22977</a>
+<b>22978</b>
+<v>2</v>
 </b>
 <b>
-<a>30035</a>
-<b>30036</b>
-<v>4</v>
+<a>29954</a>
+<b>29955</b>
+<v>2</v>
 </b>
 <b>
-<a>30699</a>
-<b>30700</b>
-<v>4</v>
+<a>30538</a>
+<b>30539</b>
+<v>2</v>
 </b>
 <b>
-<a>38027</a>
-<b>38028</b>
-<v>4</v>
+<a>37974</a>
+<b>37975</b>
+<v>2</v>
 </b>
 <b>
-<a>62139</a>
-<b>62140</b>
-<v>4</v>
+<a>60421</a>
+<b>60422</b>
+<v>2</v>
 </b>
 <b>
-<a>63917</a>
-<b>63918</b>
-<v>4</v>
+<a>63249</a>
+<b>63250</b>
+<v>2</v>
 </b>
 <b>
-<a>68706</a>
-<b>68707</b>
-<v>4</v>
+<a>68508</a>
+<b>68509</b>
+<v>2</v>
 </b>
 <b>
-<a>83361</a>
-<b>83362</b>
-<v>4</v>
+<a>78672</a>
+<b>78673</b>
+<v>2</v>
 </b>
 <b>
-<a>95562</a>
-<b>95563</b>
-<v>4</v>
+<a>89979</a>
+<b>89980</b>
+<v>2</v>
 </b>
 <b>
-<a>608943</a>
-<b>608944</b>
-<v>4</v>
+<a>591411</a>
+<b>591412</b>
+<v>2</v>
 </b>
 </bs>
 </hist>
@@ -17232,26 +19233,26 @@
 </relation>
 <relation>
 <name>compiler_generated</name>
-<cardinality>135842</cardinality>
+<cardinality>64039</cardinality>
 <columnsizes>
 <e>
 <k>id</k>
-<v>135842</v>
+<v>64039</v>
 </e>
 </columnsizes>
 <dependencies/>
 </relation>
 <relation>
 <name>exprorstmt_name</name>
-<cardinality>3765</cardinality>
+<cardinality>1469</cardinality>
 <columnsizes>
 <e>
 <k>parent_id</k>
-<v>3765</v>
+<v>1469</v>
 </e>
 <e>
 <k>name</k>
-<v>375</v>
+<v>118</v>
 </e>
 </columnsizes>
 <dependencies>
@@ -17265,7 +19266,7 @@
 <b>
 <a>1</a>
 <b>2</b>
-<v>3765</v>
+<v>1469</v>
 </b>
 </bs>
 </hist>
@@ -17281,47 +19282,47 @@
 <b>
 <a>2</a>
 <b>3</b>
-<v>111</v>
+<v>43</v>
 </b>
 <b>
 <a>3</a>
 <b>4</b>
-<v>56</v>
+<v>9</v>
 </b>
 <b>
 <a>4</a>
 <b>5</b>
-<v>51</v>
+<v>12</v>
 </b>
 <b>
 <a>5</a>
-<b>6</b>
-<v>34</v>
+<b>7</b>
+<v>10</v>
 </b>
 <b>
-<a>6</a>
-<b>8</b>
-<v>32</v>
+<a>7</a>
+<b>9</b>
+<v>9</v>
 </b>
 <b>
-<a>8</a>
-<b>12</b>
-<v>28</v>
+<a>10</a>
+<b>15</b>
+<v>9</v>
 </b>
 <b>
-<a>12</a>
-<b>23</b>
-<v>31</v>
+<a>16</a>
+<b>26</b>
+<v>7</v>
 </b>
 <b>
-<a>25</a>
-<b>214</b>
-<v>28</v>
+<a>26</a>
+<b>52</b>
+<v>10</v>
 </b>
 <b>
-<a>239</a>
-<b>240</b>
-<v>1</v>
+<a>54</a>
+<b>131</b>
+<v>5</v>
 </b>
 </bs>
 </hist>
@@ -17331,19 +19332,19 @@
 </relation>
 <relation>
 <name>nested_types</name>
-<cardinality>111932</cardinality>
+<cardinality>57075</cardinality>
 <columnsizes>
 <e>
 <k>id</k>
-<v>111932</v>
+<v>57075</v>
 </e>
 <e>
 <k>declaring_type_id</k>
-<v>40596</v>
+<v>20621</v>
 </e>
 <e>
 <k>unbound_id</k>
-<v>81115</v>
+<v>41748</v>
 </e>
 </columnsizes>
 <dependencies>
@@ -17357,7 +19358,7 @@
 <b>
 <a>1</a>
 <b>2</b>
-<v>111932</v>
+<v>57075</v>
 </b>
 </bs>
 </hist>
@@ -17373,7 +19374,7 @@
 <b>
 <a>1</a>
 <b>2</b>
-<v>111932</v>
+<v>57075</v>
 </b>
 </bs>
 </hist>
@@ -17389,32 +19390,32 @@
 <b>
 <a>1</a>
 <b>2</b>
-<v>23486</v>
+<v>11922</v>
 </b>
 <b>
 <a>2</a>
 <b>3</b>
-<v>6336</v>
+<v>3253</v>
 </b>
 <b>
 <a>3</a>
 <b>4</b>
-<v>3229</v>
+<v>1566</v>
 </b>
 <b>
 <a>4</a>
 <b>7</b>
-<v>3355</v>
+<v>1732</v>
 </b>
 <b>
 <a>7</a>
 <b>12</b>
-<v>3092</v>
+<v>1581</v>
 </b>
 <b>
 <a>12</a>
 <b>262</b>
-<v>1095</v>
+<v>564</v>
 </b>
 </bs>
 </hist>
@@ -17430,32 +19431,32 @@
 <b>
 <a>1</a>
 <b>2</b>
-<v>23520</v>
+<v>11940</v>
 </b>
 <b>
 <a>2</a>
 <b>3</b>
-<v>6419</v>
+<v>3296</v>
 </b>
 <b>
 <a>3</a>
 <b>4</b>
-<v>3146</v>
+<v>1524</v>
 </b>
 <b>
 <a>4</a>
 <b>7</b>
-<v>3385</v>
+<v>1742</v>
 </b>
 <b>
 <a>7</a>
 <b>12</b>
-<v>3078</v>
+<v>1579</v>
 </b>
 <b>
 <a>12</a>
 <b>206</b>
-<v>1047</v>
+<v>538</v>
 </b>
 </bs>
 </hist>
@@ -17471,12 +19472,12 @@
 <b>
 <a>1</a>
 <b>2</b>
-<v>78100</v>
+<v>40237</v>
 </b>
 <b>
 <a>2</a>
 <b>415</b>
-<v>3014</v>
+<v>1511</v>
 </b>
 </bs>
 </hist>
@@ -17492,12 +19493,12 @@
 <b>
 <a>1</a>
 <b>2</b>
-<v>78841</v>
+<v>40613</v>
 </b>
 <b>
 <a>2</a>
 <b>415</b>
-<v>2274</v>
+<v>1135</v>
 </b>
 </bs>
 </hist>
@@ -17507,27 +19508,27 @@
 </relation>
 <relation>
 <name>properties</name>
-<cardinality>423531</cardinality>
+<cardinality>212542</cardinality>
 <columnsizes>
 <e>
 <k>id</k>
-<v>423531</v>
+<v>212542</v>
 </e>
 <e>
 <k>name</k>
-<v>84359</v>
+<v>43400</v>
 </e>
 <e>
 <k>declaring_type_id</k>
-<v>116374</v>
+<v>58256</v>
 </e>
 <e>
 <k>type_id</k>
-<v>52125</v>
+<v>26015</v>
 </e>
 <e>
 <k>unbound_id</k>
-<v>333843</v>
+<v>171648</v>
 </e>
 </columnsizes>
 <dependencies>
@@ -17541,7 +19542,7 @@
 <b>
 <a>1</a>
 <b>2</b>
-<v>423531</v>
+<v>212542</v>
 </b>
 </bs>
 </hist>
@@ -17557,7 +19558,7 @@
 <b>
 <a>1</a>
 <b>2</b>
-<v>423531</v>
+<v>212542</v>
 </b>
 </bs>
 </hist>
@@ -17573,7 +19574,7 @@
 <b>
 <a>1</a>
 <b>2</b>
-<v>423531</v>
+<v>212542</v>
 </b>
 </bs>
 </hist>
@@ -17589,7 +19590,7 @@
 <b>
 <a>1</a>
 <b>2</b>
-<v>423531</v>
+<v>212542</v>
 </b>
 </bs>
 </hist>
@@ -17605,32 +19606,32 @@
 <b>
 <a>1</a>
 <b>2</b>
-<v>50752</v>
+<v>26111</v>
 </b>
 <b>
 <a>2</a>
 <b>3</b>
-<v>13993</v>
+<v>7204</v>
 </b>
 <b>
 <a>3</a>
 <b>4</b>
-<v>5752</v>
+<v>2970</v>
 </b>
 <b>
 <a>4</a>
 <b>7</b>
-<v>6648</v>
+<v>3414</v>
 </b>
 <b>
 <a>7</a>
-<b>49</b>
-<v>6336</v>
+<b>50</b>
+<v>3276</v>
 </b>
 <b>
-<a>49</a>
-<b>2611</b>
-<v>876</v>
+<a>50</a>
+<b>2493</b>
+<v>423</v>
 </b>
 </bs>
 </hist>
@@ -17646,32 +19647,32 @@
 <b>
 <a>1</a>
 <b>2</b>
-<v>50752</v>
+<v>26111</v>
 </b>
 <b>
 <a>2</a>
 <b>3</b>
-<v>14061</v>
+<v>7239</v>
 </b>
 <b>
 <a>3</a>
 <b>4</b>
-<v>5737</v>
+<v>2963</v>
 </b>
 <b>
 <a>4</a>
 <b>7</b>
-<v>6682</v>
+<v>3431</v>
 </b>
 <b>
 <a>7</a>
-<b>51</b>
-<v>6331</v>
+<b>52</b>
+<v>3256</v>
 </b>
 <b>
-<a>51</a>
-<b>2578</b>
-<v>793</v>
+<a>52</a>
+<b>2224</b>
+<v>398</v>
 </b>
 </bs>
 </hist>
@@ -17687,17 +19688,17 @@
 <b>
 <a>1</a>
 <b>2</b>
-<v>72835</v>
+<v>37474</v>
 </b>
 <b>
 <a>2</a>
 <b>3</b>
-<v>6930</v>
+<v>3569</v>
 </b>
 <b>
 <a>3</a>
-<b>524</b>
-<v>4593</v>
+<b>522</b>
+<v>2356</v>
 </b>
 </bs>
 </hist>
@@ -17713,32 +19714,32 @@
 <b>
 <a>1</a>
 <b>2</b>
-<v>51180</v>
+<v>26331</v>
 </b>
 <b>
 <a>2</a>
 <b>3</b>
-<v>14256</v>
+<v>7340</v>
 </b>
 <b>
 <a>3</a>
 <b>4</b>
-<v>5737</v>
+<v>2963</v>
 </b>
 <b>
 <a>4</a>
 <b>7</b>
-<v>6443</v>
+<v>3304</v>
 </b>
 <b>
 <a>7</a>
-<b>68</b>
-<v>6326</v>
+<b>70</b>
+<v>3256</v>
 </b>
 <b>
-<a>68</a>
+<a>70</a>
 <b>2018</b>
-<v>414</v>
+<v>205</v>
 </b>
 </bs>
 </hist>
@@ -17754,42 +19755,42 @@
 <b>
 <a>1</a>
 <b>2</b>
-<v>39384</v>
+<v>19786</v>
 </b>
 <b>
 <a>2</a>
 <b>3</b>
-<v>29866</v>
+<v>14574</v>
 </b>
 <b>
 <a>3</a>
 <b>4</b>
-<v>10900</v>
+<v>5590</v>
 </b>
 <b>
 <a>4</a>
 <b>5</b>
-<v>7841</v>
+<v>4013</v>
 </b>
 <b>
 <a>5</a>
 <b>6</b>
-<v>7130</v>
+<v>3629</v>
 </b>
 <b>
 <a>6</a>
 <b>8</b>
-<v>9327</v>
+<v>4670</v>
 </b>
 <b>
 <a>8</a>
-<b>16</b>
-<v>9565</v>
+<b>15</b>
+<v>4396</v>
 </b>
 <b>
-<a>16</a>
+<a>15</a>
 <b>250</b>
-<v>2357</v>
+<v>1594</v>
 </b>
 </bs>
 </hist>
@@ -17805,42 +19806,42 @@
 <b>
 <a>1</a>
 <b>2</b>
-<v>43894</v>
+<v>22107</v>
 </b>
 <b>
 <a>2</a>
 <b>3</b>
-<v>25434</v>
+<v>12293</v>
 </b>
 <b>
 <a>3</a>
 <b>4</b>
-<v>10895</v>
+<v>5587</v>
 </b>
 <b>
 <a>4</a>
 <b>5</b>
-<v>7861</v>
+<v>4023</v>
 </b>
 <b>
 <a>5</a>
 <b>6</b>
-<v>7145</v>
+<v>3637</v>
 </b>
 <b>
 <a>6</a>
 <b>8</b>
-<v>9283</v>
+<v>4647</v>
 </b>
 <b>
 <a>8</a>
-<b>14</b>
-<v>8742</v>
+<b>15</b>
+<v>4605</v>
 </b>
 <b>
-<a>14</a>
+<a>15</a>
 <b>250</b>
-<v>3117</v>
+<v>1353</v>
 </b>
 </bs>
 </hist>
@@ -17856,32 +19857,32 @@
 <b>
 <a>1</a>
 <b>2</b>
-<v>45447</v>
+<v>22884</v>
 </b>
 <b>
 <a>2</a>
 <b>3</b>
-<v>32613</v>
+<v>15963</v>
 </b>
 <b>
 <a>3</a>
 <b>4</b>
-<v>13837</v>
+<v>6963</v>
 </b>
 <b>
 <a>4</a>
 <b>5</b>
-<v>7544</v>
+<v>3873</v>
 </b>
 <b>
 <a>5</a>
 <b>7</b>
-<v>9380</v>
+<v>4828</v>
 </b>
 <b>
 <a>7</a>
 <b>48</b>
-<v>7549</v>
+<v>3742</v>
 </b>
 </bs>
 </hist>
@@ -17897,42 +19898,42 @@
 <b>
 <a>1</a>
 <b>2</b>
-<v>39384</v>
+<v>19786</v>
 </b>
 <b>
 <a>2</a>
 <b>3</b>
-<v>29866</v>
+<v>14574</v>
 </b>
 <b>
 <a>3</a>
 <b>4</b>
-<v>10900</v>
+<v>5590</v>
 </b>
 <b>
 <a>4</a>
 <b>5</b>
-<v>7841</v>
+<v>4013</v>
 </b>
 <b>
 <a>5</a>
 <b>6</b>
-<v>7130</v>
+<v>3629</v>
 </b>
 <b>
 <a>6</a>
 <b>8</b>
-<v>9327</v>
+<v>4670</v>
 </b>
 <b>
 <a>8</a>
-<b>16</b>
-<v>9565</v>
+<b>15</b>
+<v>4396</v>
 </b>
 <b>
-<a>16</a>
+<a>15</a>
 <b>250</b>
-<v>2357</v>
+<v>1594</v>
 </b>
 </bs>
 </hist>
@@ -17948,27 +19949,27 @@
 <b>
 <a>1</a>
 <b>2</b>
-<v>31415</v>
+<v>15635</v>
 </b>
 <b>
 <a>2</a>
 <b>3</b>
-<v>10778</v>
+<v>5319</v>
 </b>
 <b>
 <a>3</a>
 <b>5</b>
-<v>4631</v>
+<v>2353</v>
 </b>
 <b>
 <a>5</a>
-<b>21</b>
-<v>3945</v>
+<b>19</b>
+<v>1955</v>
 </b>
 <b>
-<a>21</a>
-<b>12516</b>
-<v>1354</v>
+<a>19</a>
+<b>11856</b>
+<v>752</v>
 </b>
 </bs>
 </hist>
@@ -17984,17 +19985,17 @@
 <b>
 <a>1</a>
 <b>2</b>
-<v>44074</v>
+<v>21932</v>
 </b>
 <b>
 <a>2</a>
 <b>3</b>
-<v>4398</v>
+<v>2213</v>
 </b>
 <b>
 <a>3</a>
 <b>3289</b>
-<v>3652</v>
+<v>1870</v>
 </b>
 </bs>
 </hist>
@@ -18010,27 +20011,27 @@
 <b>
 <a>1</a>
 <b>2</b>
-<v>32599</v>
+<v>16244</v>
 </b>
 <b>
 <a>2</a>
 <b>3</b>
-<v>10481</v>
+<v>5169</v>
 </b>
 <b>
 <a>3</a>
 <b>5</b>
-<v>4422</v>
+<v>2243</v>
 </b>
 <b>
 <a>5</a>
-<b>33</b>
-<v>3911</v>
+<b>30</b>
+<v>1952</v>
 </b>
 <b>
-<a>33</a>
-<b>6176</b>
-<v>711</v>
+<a>30</a>
+<b>5894</b>
+<v>406</v>
 </b>
 </bs>
 </hist>
@@ -18046,27 +20047,27 @@
 <b>
 <a>1</a>
 <b>2</b>
-<v>31556</v>
+<v>15707</v>
 </b>
 <b>
 <a>2</a>
 <b>3</b>
-<v>10910</v>
+<v>5392</v>
 </b>
 <b>
 <a>3</a>
 <b>5</b>
-<v>4666</v>
+<v>2356</v>
 </b>
 <b>
 <a>5</a>
-<b>22</b>
-<v>3911</v>
+<b>21</b>
+<v>1975</v>
 </b>
 <b>
-<a>22</a>
-<b>10632</b>
-<v>1081</v>
+<a>21</a>
+<b>10599</b>
+<v>584</v>
 </b>
 </bs>
 </hist>
@@ -18082,12 +20083,12 @@
 <b>
 <a>1</a>
 <b>2</b>
-<v>328670</v>
+<v>169043</v>
 </b>
 <b>
 <a>2</a>
-<b>705</b>
-<v>5172</v>
+<b>585</b>
+<v>2604</v>
 </b>
 </bs>
 </hist>
@@ -18103,7 +20104,7 @@
 <b>
 <a>1</a>
 <b>2</b>
-<v>333843</v>
+<v>171648</v>
 </b>
 </bs>
 </hist>
@@ -18119,12 +20120,12 @@
 <b>
 <a>1</a>
 <b>2</b>
-<v>328670</v>
+<v>169043</v>
 </b>
 <b>
 <a>2</a>
-<b>705</b>
-<v>5172</v>
+<b>585</b>
+<v>2604</v>
 </b>
 </bs>
 </hist>
@@ -18140,12 +20141,12 @@
 <b>
 <a>1</a>
 <b>2</b>
-<v>332635</v>
+<v>171048</v>
 </b>
 <b>
 <a>2</a>
-<b>439</b>
-<v>1207</v>
+<b>438</b>
+<v>599</v>
 </b>
 </bs>
 </hist>
@@ -18155,15 +20156,15 @@
 </relation>
 <relation>
 <name>property_location</name>
-<cardinality>534450</cardinality>
+<cardinality>263937</cardinality>
 <columnsizes>
 <e>
 <k>id</k>
-<v>423531</v>
+<v>212542</v>
 </e>
 <e>
 <k>loc</k>
-<v>52895</v>
+<v>24308</v>
 </e>
 </columnsizes>
 <dependencies>
@@ -18177,17 +20178,17 @@
 <b>
 <a>1</a>
 <b>2</b>
-<v>338105</v>
+<v>171527</v>
 </b>
 <b>
 <a>2</a>
 <b>3</b>
-<v>64102</v>
+<v>32779</v>
 </b>
 <b>
 <a>3</a>
 <b>119</b>
-<v>21323</v>
+<v>8234</v>
 </b>
 </bs>
 </hist>
@@ -18203,12 +20204,12 @@
 <b>
 <a>1</a>
 <b>2</b>
-<v>49412</v>
+<v>22594</v>
 </b>
 <b>
 <a>2</a>
 <b>7080</b>
-<v>3482</v>
+<v>1714</v>
 </b>
 </bs>
 </hist>
@@ -18218,27 +20219,27 @@
 </relation>
 <relation>
 <name>indexers</name>
-<cardinality>17042</cardinality>
+<cardinality>7590</cardinality>
 <columnsizes>
 <e>
 <k>id</k>
-<v>17042</v>
+<v>7590</v>
 </e>
 <e>
 <k>name</k>
-<v>19</v>
+<v>10</v>
 </e>
 <e>
 <k>declaring_type_id</k>
-<v>13550</v>
+<v>6071</v>
 </e>
 <e>
 <k>type_id</k>
-<v>3969</v>
+<v>1817</v>
 </e>
 <e>
 <k>unbound_id</k>
-<v>4437</v>
+<v>2283</v>
 </e>
 </columnsizes>
 <dependencies>
@@ -18252,7 +20253,7 @@
 <b>
 <a>1</a>
 <b>2</b>
-<v>17042</v>
+<v>7590</v>
 </b>
 </bs>
 </hist>
@@ -18268,7 +20269,7 @@
 <b>
 <a>1</a>
 <b>2</b>
-<v>17042</v>
+<v>7590</v>
 </b>
 </bs>
 </hist>
@@ -18284,7 +20285,7 @@
 <b>
 <a>1</a>
 <b>2</b>
-<v>17042</v>
+<v>7590</v>
 </b>
 </bs>
 </hist>
@@ -18300,7 +20301,7 @@
 <b>
 <a>1</a>
 <b>2</b>
-<v>17042</v>
+<v>7590</v>
 </b>
 </bs>
 </hist>
@@ -18316,22 +20317,22 @@
 <b>
 <a>2</a>
 <b>3</b>
-<v>4</v>
+<v>2</v>
 </b>
 <b>
 <a>3</a>
 <b>4</b>
-<v>4</v>
+<v>2</v>
 </b>
 <b>
 <a>6</a>
 <b>7</b>
-<v>4</v>
+<v>2</v>
 </b>
 <b>
-<a>3488</a>
-<b>3489</b>
-<v>4</v>
+<a>3017</a>
+<b>3018</b>
+<v>2</v>
 </b>
 </bs>
 </hist>
@@ -18347,22 +20348,22 @@
 <b>
 <a>2</a>
 <b>3</b>
-<v>4</v>
+<v>2</v>
 </b>
 <b>
 <a>3</a>
 <b>4</b>
-<v>4</v>
+<v>2</v>
 </b>
 <b>
 <a>4</a>
 <b>5</b>
-<v>4</v>
+<v>2</v>
 </b>
 <b>
-<a>2775</a>
-<b>2776</b>
-<v>4</v>
+<a>2415</a>
+<b>2416</b>
+<v>2</v>
 </b>
 </bs>
 </hist>
@@ -18378,17 +20379,17 @@
 <b>
 <a>1</a>
 <b>2</b>
-<v>9</v>
+<v>5</v>
 </b>
 <b>
 <a>4</a>
 <b>5</b>
-<v>4</v>
+<v>2</v>
 </b>
 <b>
-<a>810</a>
-<b>811</b>
-<v>4</v>
+<a>720</a>
+<b>721</b>
+<v>2</v>
 </b>
 </bs>
 </hist>
@@ -18404,22 +20405,22 @@
 <b>
 <a>2</a>
 <b>3</b>
-<v>4</v>
+<v>2</v>
 </b>
 <b>
 <a>3</a>
 <b>4</b>
-<v>4</v>
+<v>2</v>
 </b>
 <b>
 <a>6</a>
 <b>7</b>
-<v>4</v>
+<v>2</v>
 </b>
 <b>
 <a>900</a>
 <b>901</b>
-<v>4</v>
+<v>2</v>
 </b>
 </bs>
 </hist>
@@ -18435,17 +20436,17 @@
 <b>
 <a>1</a>
 <b>2</b>
-<v>10505</v>
+<v>4770</v>
 </b>
 <b>
 <a>2</a>
 <b>3</b>
-<v>2747</v>
+<v>1160</v>
 </b>
 <b>
 <a>3</a>
 <b>7</b>
-<v>297</v>
+<v>140</v>
 </b>
 </bs>
 </hist>
@@ -18461,12 +20462,12 @@
 <b>
 <a>1</a>
 <b>2</b>
-<v>13540</v>
+<v>6066</v>
 </b>
 <b>
 <a>2</a>
 <b>3</b>
-<v>9</v>
+<v>5</v>
 </b>
 </bs>
 </hist>
@@ -18482,12 +20483,12 @@
 <b>
 <a>1</a>
 <b>2</b>
-<v>11046</v>
+<v>5046</v>
 </b>
 <b>
 <a>2</a>
 <b>3</b>
-<v>2503</v>
+<v>1025</v>
 </b>
 </bs>
 </hist>
@@ -18503,17 +20504,17 @@
 <b>
 <a>1</a>
 <b>2</b>
-<v>10505</v>
+<v>4770</v>
 </b>
 <b>
 <a>2</a>
 <b>3</b>
-<v>2747</v>
+<v>1160</v>
 </b>
 <b>
 <a>3</a>
 <b>7</b>
-<v>297</v>
+<v>140</v>
 </b>
 </bs>
 </hist>
@@ -18529,32 +20530,27 @@
 <b>
 <a>1</a>
 <b>2</b>
-<v>876</v>
+<v>461</v>
 </b>
 <b>
 <a>2</a>
 <b>3</b>
-<v>871</v>
+<v>423</v>
 </b>
 <b>
 <a>3</a>
 <b>4</b>
-<v>1626</v>
+<v>674</v>
 </b>
 <b>
 <a>4</a>
 <b>6</b>
-<v>267</v>
+<v>120</v>
 </b>
 <b>
 <a>6</a>
-<b>18</b>
-<v>301</v>
-</b>
-<b>
-<a>18</a>
-<b>1020</b>
-<v>24</v>
+<b>886</b>
+<v>137</v>
 </b>
 </bs>
 </hist>
@@ -18570,12 +20566,12 @@
 <b>
 <a>1</a>
 <b>2</b>
-<v>3964</v>
+<v>1814</v>
 </b>
 <b>
 <a>2</a>
 <b>3</b>
-<v>4</v>
+<v>2</v>
 </b>
 </bs>
 </hist>
@@ -18591,27 +20587,27 @@
 <b>
 <a>1</a>
 <b>2</b>
-<v>1032</v>
+<v>541</v>
 </b>
 <b>
 <a>2</a>
 <b>3</b>
-<v>779</v>
+<v>376</v>
 </b>
 <b>
 <a>3</a>
 <b>4</b>
-<v>1660</v>
+<v>691</v>
 </b>
 <b>
 <a>4</a>
-<b>6</b>
-<v>238</v>
+<b>7</b>
+<v>165</v>
 </b>
 <b>
-<a>6</a>
-<b>978</b>
-<v>258</v>
+<a>7</a>
+<b>845</b>
+<v>42</v>
 </b>
 </bs>
 </hist>
@@ -18627,27 +20623,27 @@
 <b>
 <a>1</a>
 <b>2</b>
-<v>876</v>
+<v>461</v>
 </b>
 <b>
 <a>2</a>
 <b>3</b>
-<v>871</v>
+<v>423</v>
 </b>
 <b>
 <a>3</a>
 <b>4</b>
-<v>1651</v>
+<v>686</v>
 </b>
 <b>
 <a>4</a>
 <b>6</b>
-<v>267</v>
+<v>120</v>
 </b>
 <b>
 <a>6</a>
 <b>198</b>
-<v>301</v>
+<v>125</v>
 </b>
 </bs>
 </hist>
@@ -18663,12 +20659,12 @@
 <b>
 <a>1</a>
 <b>2</b>
-<v>4101</v>
+<v>2118</v>
 </b>
 <b>
 <a>2</a>
-<b>452</b>
-<v>336</v>
+<b>384</b>
+<v>165</v>
 </b>
 </bs>
 </hist>
@@ -18684,7 +20680,7 @@
 <b>
 <a>1</a>
 <b>2</b>
-<v>4437</v>
+<v>2283</v>
 </b>
 </bs>
 </hist>
@@ -18700,12 +20696,12 @@
 <b>
 <a>1</a>
 <b>2</b>
-<v>4101</v>
+<v>2118</v>
 </b>
 <b>
 <a>2</a>
-<b>452</b>
-<v>336</v>
+<b>384</b>
+<v>165</v>
 </b>
 </bs>
 </hist>
@@ -18721,12 +20717,12 @@
 <b>
 <a>1</a>
 <b>2</b>
-<v>4247</v>
+<v>2190</v>
 </b>
 <b>
 <a>2</a>
-<b>452</b>
-<v>189</v>
+<b>384</b>
+<v>92</v>
 </b>
 </bs>
 </hist>
@@ -18736,15 +20732,15 @@
 </relation>
 <relation>
 <name>indexer_location</name>
-<cardinality>23715</cardinality>
+<cardinality>12780</cardinality>
 <columnsizes>
 <e>
 <k>id</k>
-<v>12621</v>
+<v>6439</v>
 </e>
 <e>
 <k>loc</k>
-<v>220</v>
+<v>183</v>
 </e>
 </columnsizes>
 <dependencies>
@@ -18758,27 +20754,27 @@
 <b>
 <a>1</a>
 <b>2</b>
-<v>4492</v>
+<v>2232</v>
 </b>
 <b>
 <a>2</a>
 <b>3</b>
-<v>6616</v>
+<v>3081</v>
 </b>
 <b>
 <a>3</a>
 <b>4</b>
-<v>284</v>
+<v>283</v>
 </b>
 <b>
 <a>4</a>
 <b>5</b>
-<v>1115</v>
+<v>774</v>
 </b>
 <b>
 <a>5</a>
-<b>13</b>
-<v>114</v>
+<b>11</b>
+<v>69</v>
 </b>
 </bs>
 </hist>
@@ -18794,17 +20790,17 @@
 <b>
 <a>1</a>
 <b>2</b>
-<v>75</v>
+<v>49</v>
 </b>
 <b>
 <a>2</a>
 <b>3</b>
-<v>22</v>
+<v>20</v>
 </b>
 <b>
 <a>3</a>
 <b>4</b>
-<v>18</v>
+<v>19</v>
 </b>
 <b>
 <a>4</a>
@@ -18814,32 +20810,32 @@
 <b>
 <a>5</a>
 <b>8</b>
-<v>18</v>
+<v>14</v>
 </b>
 <b>
 <a>8</a>
 <b>13</b>
-<v>16</v>
+<v>14</v>
 </b>
 <b>
 <a>13</a>
-<b>21</b>
-<v>18</v>
+<b>20</b>
+<v>14</v>
 </b>
 <b>
-<a>23</a>
-<b>45</b>
-<v>19</v>
+<a>20</a>
+<b>35</b>
+<v>14</v>
 </b>
 <b>
-<a>47</a>
-<b>2230</b>
-<v>17</v>
+<a>36</a>
+<b>112</b>
+<v>14</v>
 </b>
 <b>
-<a>3540</a>
-<b>5425</b>
-<v>3</v>
+<a>124</a>
+<b>2196</b>
+<v>11</v>
 </b>
 </bs>
 </hist>
@@ -18849,27 +20845,27 @@
 </relation>
 <relation>
 <name>accessors</name>
-<cardinality>567868</cardinality>
+<cardinality>284483</cardinality>
 <columnsizes>
 <e>
 <k>id</k>
-<v>567868</v>
+<v>284483</v>
 </e>
 <e>
 <k>kind</k>
-<v>9</v>
+<v>5</v>
 </e>
 <e>
 <k>name</k>
-<v>121244</v>
+<v>62337</v>
 </e>
 <e>
 <k>declaring_member_id</k>
-<v>440574</v>
+<v>220132</v>
 </e>
 <e>
 <k>unbound_id</k>
-<v>440423</v>
+<v>226384</v>
 </e>
 </columnsizes>
 <dependencies>
@@ -18883,7 +20879,7 @@
 <b>
 <a>1</a>
 <b>2</b>
-<v>567868</v>
+<v>284483</v>
 </b>
 </bs>
 </hist>
@@ -18899,7 +20895,7 @@
 <b>
 <a>1</a>
 <b>2</b>
-<v>567868</v>
+<v>284483</v>
 </b>
 </bs>
 </hist>
@@ -18915,7 +20911,7 @@
 <b>
 <a>1</a>
 <b>2</b>
-<v>567868</v>
+<v>284483</v>
 </b>
 </bs>
 </hist>
@@ -18931,7 +20927,7 @@
 <b>
 <a>1</a>
 <b>2</b>
-<v>567868</v>
+<v>284483</v>
 </b>
 </bs>
 </hist>
@@ -18945,14 +20941,14 @@
 <budget>12</budget>
 <bs>
 <b>
-<a>26183</a>
-<b>26184</b>
-<v>4</v>
+<a>25718</a>
+<b>25719</b>
+<v>2</v>
 </b>
 <b>
-<a>90407</a>
-<b>90408</b>
-<v>4</v>
+<a>87765</a>
+<b>87766</b>
+<v>2</v>
 </b>
 </bs>
 </hist>
@@ -18966,14 +20962,14 @@
 <budget>12</budget>
 <bs>
 <b>
-<a>6520</a>
-<b>6521</b>
-<v>4</v>
+<a>6501</a>
+<b>6502</b>
+<v>2</v>
 </b>
 <b>
-<a>18373</a>
-<b>18374</b>
-<v>4</v>
+<a>18366</a>
+<b>18367</b>
+<v>2</v>
 </b>
 </bs>
 </hist>
@@ -18987,14 +20983,14 @@
 <budget>12</budget>
 <bs>
 <b>
-<a>26182</a>
-<b>26183</b>
-<v>4</v>
+<a>25717</a>
+<b>25718</b>
+<v>2</v>
 </b>
 <b>
-<a>90406</a>
-<b>90407</b>
-<v>4</v>
+<a>87764</a>
+<b>87765</b>
+<v>2</v>
 </b>
 </bs>
 </hist>
@@ -19008,14 +21004,14 @@
 <budget>12</budget>
 <bs>
 <b>
-<a>21018</a>
-<b>21019</b>
-<v>4</v>
+<a>20971</a>
+<b>20972</b>
+<v>2</v>
 </b>
 <b>
-<a>69406</a>
-<b>69407</b>
-<v>4</v>
+<a>69336</a>
+<b>69337</b>
+<v>2</v>
 </b>
 </bs>
 </hist>
@@ -19031,27 +21027,27 @@
 <b>
 <a>1</a>
 <b>2</b>
-<v>75192</v>
+<v>38650</v>
 </b>
 <b>
 <a>2</a>
 <b>3</b>
-<v>19950</v>
+<v>10267</v>
 </b>
 <b>
 <a>3</a>
 <b>4</b>
-<v>7929</v>
+<v>4103</v>
 </b>
 <b>
 <a>4</a>
 <b>8</b>
-<v>10126</v>
+<v>5186</v>
 </b>
 <b>
 <a>8</a>
-<b>2558</b>
-<v>8046</v>
+<b>2204</b>
+<v>4128</v>
 </b>
 </bs>
 </hist>
@@ -19067,7 +21063,7 @@
 <b>
 <a>1</a>
 <b>2</b>
-<v>121244</v>
+<v>62337</v>
 </b>
 </bs>
 </hist>
@@ -19083,27 +21079,27 @@
 <b>
 <a>1</a>
 <b>2</b>
-<v>75202</v>
+<v>38655</v>
 </b>
 <b>
 <a>2</a>
 <b>3</b>
-<v>19940</v>
+<v>10262</v>
 </b>
 <b>
 <a>3</a>
 <b>4</b>
-<v>7929</v>
+<v>4103</v>
 </b>
 <b>
 <a>4</a>
 <b>8</b>
-<v>10126</v>
+<v>5186</v>
 </b>
 <b>
 <a>8</a>
-<b>2558</b>
-<v>8046</v>
+<b>2204</b>
+<v>4128</v>
 </b>
 </bs>
 </hist>
@@ -19119,27 +21115,27 @@
 <b>
 <a>1</a>
 <b>2</b>
-<v>75840</v>
+<v>38981</v>
 </b>
 <b>
 <a>2</a>
 <b>3</b>
-<v>20617</v>
+<v>10611</v>
 </b>
 <b>
 <a>3</a>
 <b>4</b>
-<v>7763</v>
+<v>4020</v>
 </b>
 <b>
 <a>4</a>
 <b>8</b>
-<v>9653</v>
+<v>4933</v>
 </b>
 <b>
 <a>8</a>
 <b>1202</b>
-<v>7369</v>
+<v>3790</v>
 </b>
 </bs>
 </hist>
@@ -19155,17 +21151,17 @@
 <b>
 <a>1</a>
 <b>2</b>
-<v>313289</v>
+<v>155787</v>
 </b>
 <b>
 <a>2</a>
 <b>3</b>
-<v>127279</v>
+<v>64342</v>
 </b>
 <b>
 <a>4</a>
 <b>5</b>
-<v>4</v>
+<v>2</v>
 </b>
 </bs>
 </hist>
@@ -19181,12 +21177,12 @@
 <b>
 <a>1</a>
 <b>2</b>
-<v>313289</v>
+<v>155787</v>
 </b>
 <b>
 <a>2</a>
 <b>3</b>
-<v>127284</v>
+<v>64345</v>
 </b>
 </bs>
 </hist>
@@ -19202,12 +21198,12 @@
 <b>
 <a>1</a>
 <b>2</b>
-<v>313289</v>
+<v>155787</v>
 </b>
 <b>
 <a>2</a>
 <b>3</b>
-<v>127284</v>
+<v>64345</v>
 </b>
 </bs>
 </hist>
@@ -19223,17 +21219,17 @@
 <b>
 <a>1</a>
 <b>2</b>
-<v>313289</v>
+<v>155787</v>
 </b>
 <b>
 <a>2</a>
 <b>3</b>
-<v>127279</v>
+<v>64342</v>
 </b>
 <b>
 <a>4</a>
 <b>5</b>
-<v>4</v>
+<v>2</v>
 </b>
 </bs>
 </hist>
@@ -19249,12 +21245,12 @@
 <b>
 <a>1</a>
 <b>2</b>
-<v>433759</v>
+<v>223033</v>
 </b>
 <b>
 <a>2</a>
-<b>705</b>
-<v>6663</v>
+<b>585</b>
+<v>3351</v>
 </b>
 </bs>
 </hist>
@@ -19270,7 +21266,7 @@
 <b>
 <a>1</a>
 <b>2</b>
-<v>440423</v>
+<v>226384</v>
 </b>
 </bs>
 </hist>
@@ -19286,7 +21282,7 @@
 <b>
 <a>1</a>
 <b>2</b>
-<v>440423</v>
+<v>226384</v>
 </b>
 </bs>
 </hist>
@@ -19302,12 +21298,12 @@
 <b>
 <a>1</a>
 <b>2</b>
-<v>433759</v>
+<v>223033</v>
 </b>
 <b>
 <a>2</a>
-<b>705</b>
-<v>6663</v>
+<b>585</b>
+<v>3351</v>
 </b>
 </bs>
 </hist>
@@ -19328,15 +21324,15 @@
 </relation>
 <relation>
 <name>accessor_location</name>
-<cardinality>747775</cardinality>
+<cardinality>367482</cardinality>
 <columnsizes>
 <e>
 <k>id</k>
-<v>567868</v>
+<v>284483</v>
 </e>
 <e>
 <k>loc</k>
-<v>93214</v>
+<v>43067</v>
 </e>
 </columnsizes>
 <dependencies>
@@ -19350,17 +21346,17 @@
 <b>
 <a>1</a>
 <b>2</b>
-<v>432707</v>
+<v>219889</v>
 </b>
 <b>
 <a>2</a>
 <b>3</b>
-<v>98396</v>
+<v>50297</v>
 </b>
 <b>
 <a>3</a>
 <b>119</b>
-<v>36763</v>
+<v>14296</v>
 </b>
 </bs>
 </hist>
@@ -19376,12 +21372,12 @@
 <b>
 <a>1</a>
 <b>2</b>
-<v>89610</v>
+<v>41305</v>
 </b>
 <b>
 <a>2</a>
-<b>8294</b>
-<v>3604</v>
+<b>7862</b>
+<v>1762</v>
 </b>
 </bs>
 </hist>
@@ -19391,27 +21387,27 @@
 </relation>
 <relation>
 <name>events</name>
-<cardinality>15230</cardinality>
+<cardinality>7838</cardinality>
 <columnsizes>
 <e>
 <k>id</k>
-<v>15230</v>
+<v>7838</v>
 </e>
 <e>
 <k>name</k>
-<v>12990</v>
+<v>6685</v>
 </e>
 <e>
 <k>declaring_type_id</k>
-<v>1227</v>
+<v>631</v>
 </e>
 <e>
 <k>type_id</k>
-<v>6365</v>
+<v>3276</v>
 </e>
 <e>
 <k>unbound_id</k>
-<v>15220</v>
+<v>7833</v>
 </e>
 </columnsizes>
 <dependencies>
@@ -19425,7 +21421,7 @@
 <b>
 <a>1</a>
 <b>2</b>
-<v>15230</v>
+<v>7838</v>
 </b>
 </bs>
 </hist>
@@ -19441,7 +21437,7 @@
 <b>
 <a>1</a>
 <b>2</b>
-<v>15230</v>
+<v>7838</v>
 </b>
 </bs>
 </hist>
@@ -19457,7 +21453,7 @@
 <b>
 <a>1</a>
 <b>2</b>
-<v>15230</v>
+<v>7838</v>
 </b>
 </bs>
 </hist>
@@ -19473,7 +21469,7 @@
 <b>
 <a>1</a>
 <b>2</b>
-<v>15230</v>
+<v>7838</v>
 </b>
 </bs>
 </hist>
@@ -19489,17 +21485,17 @@
 <b>
 <a>1</a>
 <b>2</b>
-<v>12001</v>
+<v>6176</v>
 </b>
 <b>
 <a>2</a>
 <b>12</b>
-<v>978</v>
+<v>503</v>
 </b>
 <b>
 <a>14</a>
 <b>17</b>
-<v>9</v>
+<v>5</v>
 </b>
 </bs>
 </hist>
@@ -19515,17 +21511,17 @@
 <b>
 <a>1</a>
 <b>2</b>
-<v>12001</v>
+<v>6176</v>
 </b>
 <b>
 <a>2</a>
 <b>10</b>
-<v>978</v>
+<v>503</v>
 </b>
 <b>
 <a>14</a>
 <b>17</b>
-<v>9</v>
+<v>5</v>
 </b>
 </bs>
 </hist>
@@ -19541,12 +21537,12 @@
 <b>
 <a>1</a>
 <b>2</b>
-<v>12848</v>
+<v>6613</v>
 </b>
 <b>
 <a>2</a>
 <b>10</b>
-<v>141</v>
+<v>72</v>
 </b>
 </bs>
 </hist>
@@ -19562,17 +21558,17 @@
 <b>
 <a>1</a>
 <b>2</b>
-<v>12001</v>
+<v>6176</v>
 </b>
 <b>
 <a>2</a>
 <b>12</b>
-<v>978</v>
+<v>503</v>
 </b>
 <b>
 <a>14</a>
 <b>17</b>
-<v>9</v>
+<v>5</v>
 </b>
 </bs>
 </hist>
@@ -19588,32 +21584,32 @@
 <b>
 <a>1</a>
 <b>2</b>
-<v>618</v>
+<v>318</v>
 </b>
 <b>
 <a>2</a>
 <b>3</b>
-<v>228</v>
+<v>117</v>
 </b>
 <b>
 <a>3</a>
 <b>4</b>
-<v>97</v>
+<v>50</v>
 </b>
 <b>
 <a>4</a>
 <b>8</b>
-<v>107</v>
+<v>55</v>
 </b>
 <b>
 <a>8</a>
 <b>23</b>
-<v>102</v>
+<v>52</v>
 </b>
 <b>
 <a>58</a>
 <b>465</b>
-<v>73</v>
+<v>37</v>
 </b>
 </bs>
 </hist>
@@ -19629,32 +21625,32 @@
 <b>
 <a>1</a>
 <b>2</b>
-<v>618</v>
+<v>318</v>
 </b>
 <b>
 <a>2</a>
 <b>3</b>
-<v>238</v>
+<v>122</v>
 </b>
 <b>
 <a>3</a>
 <b>4</b>
-<v>92</v>
+<v>47</v>
 </b>
 <b>
 <a>4</a>
 <b>8</b>
-<v>102</v>
+<v>52</v>
 </b>
 <b>
 <a>8</a>
 <b>23</b>
-<v>102</v>
+<v>52</v>
 </b>
 <b>
 <a>58</a>
 <b>465</b>
-<v>73</v>
+<v>37</v>
 </b>
 </bs>
 </hist>
@@ -19670,27 +21666,27 @@
 <b>
 <a>1</a>
 <b>2</b>
-<v>769</v>
+<v>396</v>
 </b>
 <b>
 <a>2</a>
 <b>3</b>
-<v>199</v>
+<v>102</v>
 </b>
 <b>
 <a>3</a>
 <b>5</b>
-<v>87</v>
+<v>45</v>
 </b>
 <b>
 <a>5</a>
 <b>11</b>
-<v>92</v>
+<v>47</v>
 </b>
 <b>
 <a>12</a>
 <b>181</b>
-<v>77</v>
+<v>40</v>
 </b>
 </bs>
 </hist>
@@ -19706,32 +21702,32 @@
 <b>
 <a>1</a>
 <b>2</b>
-<v>618</v>
+<v>318</v>
 </b>
 <b>
 <a>2</a>
 <b>3</b>
-<v>228</v>
+<v>117</v>
 </b>
 <b>
 <a>3</a>
 <b>4</b>
-<v>97</v>
+<v>50</v>
 </b>
 <b>
 <a>4</a>
 <b>8</b>
-<v>107</v>
+<v>55</v>
 </b>
 <b>
 <a>8</a>
 <b>23</b>
-<v>102</v>
+<v>52</v>
 </b>
 <b>
 <a>58</a>
 <b>465</b>
-<v>73</v>
+<v>37</v>
 </b>
 </bs>
 </hist>
@@ -19747,22 +21743,22 @@
 <b>
 <a>1</a>
 <b>2</b>
-<v>4412</v>
+<v>2271</v>
 </b>
 <b>
 <a>2</a>
 <b>3</b>
-<v>1164</v>
+<v>599</v>
 </b>
 <b>
 <a>3</a>
 <b>6</b>
-<v>516</v>
+<v>265</v>
 </b>
 <b>
 <a>6</a>
 <b>318</b>
-<v>272</v>
+<v>140</v>
 </b>
 </bs>
 </hist>
@@ -19778,22 +21774,22 @@
 <b>
 <a>1</a>
 <b>2</b>
-<v>4802</v>
+<v>2471</v>
 </b>
 <b>
 <a>2</a>
 <b>3</b>
-<v>915</v>
+<v>471</v>
 </b>
 <b>
 <a>3</a>
 <b>8</b>
-<v>501</v>
+<v>258</v>
 </b>
 <b>
 <a>8</a>
 <b>242</b>
-<v>146</v>
+<v>75</v>
 </b>
 </bs>
 </hist>
@@ -19809,17 +21805,17 @@
 <b>
 <a>1</a>
 <b>2</b>
-<v>5752</v>
+<v>2960</v>
 </b>
 <b>
 <a>2</a>
 <b>4</b>
-<v>521</v>
+<v>268</v>
 </b>
 <b>
 <a>4</a>
 <b>27</b>
-<v>92</v>
+<v>47</v>
 </b>
 </bs>
 </hist>
@@ -19835,22 +21831,22 @@
 <b>
 <a>1</a>
 <b>2</b>
-<v>4412</v>
+<v>2271</v>
 </b>
 <b>
 <a>2</a>
 <b>3</b>
-<v>1164</v>
+<v>599</v>
 </b>
 <b>
 <a>3</a>
 <b>6</b>
-<v>516</v>
+<v>265</v>
 </b>
 <b>
 <a>6</a>
 <b>318</b>
-<v>272</v>
+<v>140</v>
 </b>
 </bs>
 </hist>
@@ -19866,12 +21862,12 @@
 <b>
 <a>1</a>
 <b>2</b>
-<v>15211</v>
+<v>7828</v>
 </b>
 <b>
 <a>2</a>
 <b>3</b>
-<v>9</v>
+<v>5</v>
 </b>
 </bs>
 </hist>
@@ -19887,7 +21883,7 @@
 <b>
 <a>1</a>
 <b>2</b>
-<v>15220</v>
+<v>7833</v>
 </b>
 </bs>
 </hist>
@@ -19903,12 +21899,12 @@
 <b>
 <a>1</a>
 <b>2</b>
-<v>15211</v>
+<v>7828</v>
 </b>
 <b>
 <a>2</a>
 <b>3</b>
-<v>9</v>
+<v>5</v>
 </b>
 </bs>
 </hist>
@@ -19924,12 +21920,12 @@
 <b>
 <a>1</a>
 <b>2</b>
-<v>15211</v>
+<v>7828</v>
 </b>
 <b>
 <a>2</a>
 <b>3</b>
-<v>9</v>
+<v>5</v>
 </b>
 </bs>
 </hist>
@@ -19939,15 +21935,15 @@
 </relation>
 <relation>
 <name>event_location</name>
-<cardinality>15868</cardinality>
+<cardinality>8167</cardinality>
 <columnsizes>
 <e>
 <k>id</k>
-<v>15230</v>
+<v>7838</v>
 </e>
 <e>
 <k>loc</k>
-<v>326</v>
+<v>167</v>
 </e>
 </columnsizes>
 <dependencies>
@@ -19961,12 +21957,12 @@
 <b>
 <a>1</a>
 <b>2</b>
-<v>14592</v>
+<v>7510</v>
 </b>
 <b>
 <a>2</a>
 <b>3</b>
-<v>638</v>
+<v>328</v>
 </b>
 </bs>
 </hist>
@@ -19982,57 +21978,57 @@
 <b>
 <a>1</a>
 <b>2</b>
-<v>48</v>
+<v>25</v>
 </b>
 <b>
 <a>2</a>
 <b>3</b>
-<v>48</v>
+<v>25</v>
 </b>
 <b>
 <a>3</a>
 <b>4</b>
-<v>43</v>
+<v>22</v>
 </b>
 <b>
 <a>4</a>
 <b>5</b>
-<v>24</v>
+<v>12</v>
 </b>
 <b>
 <a>5</a>
 <b>6</b>
-<v>14</v>
+<v>7</v>
 </b>
 <b>
 <a>6</a>
 <b>8</b>
-<v>24</v>
+<v>12</v>
 </b>
 <b>
 <a>8</a>
 <b>9</b>
-<v>19</v>
+<v>10</v>
 </b>
 <b>
 <a>10</a>
 <b>11</b>
-<v>19</v>
+<v>10</v>
 </b>
 <b>
 <a>12</a>
 <b>16</b>
-<v>29</v>
+<v>15</v>
 </b>
 <b>
 <a>16</a>
 <b>31</b>
-<v>29</v>
+<v>15</v>
 </b>
 <b>
 <a>64</a>
 <b>2199</b>
-<v>24</v>
+<v>12</v>
 </b>
 </bs>
 </hist>
@@ -20042,27 +22038,27 @@
 </relation>
 <relation>
 <name>event_accessors</name>
-<cardinality>30461</cardinality>
+<cardinality>15677</cardinality>
 <columnsizes>
 <e>
 <k>id</k>
-<v>30461</v>
+<v>15677</v>
 </e>
 <e>
 <k>kind</k>
-<v>9</v>
+<v>5</v>
 </e>
 <e>
 <k>name</k>
-<v>26691</v>
+<v>13737</v>
 </e>
 <e>
 <k>declaring_event_id</k>
-<v>15230</v>
+<v>7838</v>
 </e>
 <e>
 <k>unbound_id</k>
-<v>30441</v>
+<v>15667</v>
 </e>
 </columnsizes>
 <dependencies>
@@ -20076,7 +22072,7 @@
 <b>
 <a>1</a>
 <b>2</b>
-<v>30461</v>
+<v>15677</v>
 </b>
 </bs>
 </hist>
@@ -20092,7 +22088,7 @@
 <b>
 <a>1</a>
 <b>2</b>
-<v>30461</v>
+<v>15677</v>
 </b>
 </bs>
 </hist>
@@ -20108,7 +22104,7 @@
 <b>
 <a>1</a>
 <b>2</b>
-<v>30461</v>
+<v>15677</v>
 </b>
 </bs>
 </hist>
@@ -20124,7 +22120,7 @@
 <b>
 <a>1</a>
 <b>2</b>
-<v>30461</v>
+<v>15677</v>
 </b>
 </bs>
 </hist>
@@ -20140,7 +22136,7 @@
 <b>
 <a>3127</a>
 <b>3128</b>
-<v>9</v>
+<v>5</v>
 </b>
 </bs>
 </hist>
@@ -20156,7 +22152,7 @@
 <b>
 <a>2740</a>
 <b>2741</b>
-<v>9</v>
+<v>5</v>
 </b>
 </bs>
 </hist>
@@ -20172,7 +22168,7 @@
 <b>
 <a>3127</a>
 <b>3128</b>
-<v>9</v>
+<v>5</v>
 </b>
 </bs>
 </hist>
@@ -20188,7 +22184,7 @@
 <b>
 <a>3125</a>
 <b>3126</b>
-<v>9</v>
+<v>5</v>
 </b>
 </bs>
 </hist>
@@ -20204,12 +22200,12 @@
 <b>
 <a>1</a>
 <b>2</b>
-<v>24703</v>
+<v>12714</v>
 </b>
 <b>
 <a>2</a>
 <b>16</b>
-<v>1987</v>
+<v>1022</v>
 </b>
 </bs>
 </hist>
@@ -20225,7 +22221,7 @@
 <b>
 <a>1</a>
 <b>2</b>
-<v>26691</v>
+<v>13737</v>
 </b>
 </bs>
 </hist>
@@ -20241,12 +22237,12 @@
 <b>
 <a>1</a>
 <b>2</b>
-<v>24703</v>
+<v>12714</v>
 </b>
 <b>
 <a>2</a>
 <b>16</b>
-<v>1987</v>
+<v>1022</v>
 </b>
 </bs>
 </hist>
@@ -20262,12 +22258,12 @@
 <b>
 <a>1</a>
 <b>2</b>
-<v>24703</v>
+<v>12714</v>
 </b>
 <b>
 <a>2</a>
 <b>16</b>
-<v>1987</v>
+<v>1022</v>
 </b>
 </bs>
 </hist>
@@ -20283,7 +22279,7 @@
 <b>
 <a>2</a>
 <b>3</b>
-<v>15230</v>
+<v>7838</v>
 </b>
 </bs>
 </hist>
@@ -20299,7 +22295,7 @@
 <b>
 <a>2</a>
 <b>3</b>
-<v>15230</v>
+<v>7838</v>
 </b>
 </bs>
 </hist>
@@ -20315,7 +22311,7 @@
 <b>
 <a>2</a>
 <b>3</b>
-<v>15230</v>
+<v>7838</v>
 </b>
 </bs>
 </hist>
@@ -20331,7 +22327,7 @@
 <b>
 <a>2</a>
 <b>3</b>
-<v>15230</v>
+<v>7838</v>
 </b>
 </bs>
 </hist>
@@ -20347,12 +22343,12 @@
 <b>
 <a>1</a>
 <b>2</b>
-<v>30422</v>
+<v>15657</v>
 </b>
 <b>
 <a>2</a>
 <b>3</b>
-<v>19</v>
+<v>10</v>
 </b>
 </bs>
 </hist>
@@ -20368,7 +22364,7 @@
 <b>
 <a>1</a>
 <b>2</b>
-<v>30441</v>
+<v>15667</v>
 </b>
 </bs>
 </hist>
@@ -20384,7 +22380,7 @@
 <b>
 <a>1</a>
 <b>2</b>
-<v>30441</v>
+<v>15667</v>
 </b>
 </bs>
 </hist>
@@ -20400,12 +22396,12 @@
 <b>
 <a>1</a>
 <b>2</b>
-<v>30422</v>
+<v>15657</v>
 </b>
 <b>
 <a>2</a>
 <b>3</b>
-<v>19</v>
+<v>10</v>
 </b>
 </bs>
 </hist>
@@ -20415,15 +22411,15 @@
 </relation>
 <relation>
 <name>event_accessor_location</name>
-<cardinality>31737</cardinality>
+<cardinality>16334</cardinality>
 <columnsizes>
 <e>
 <k>id</k>
-<v>30461</v>
+<v>15677</v>
 </e>
 <e>
 <k>loc</k>
-<v>326</v>
+<v>167</v>
 </e>
 </columnsizes>
 <dependencies>
@@ -20437,12 +22433,12 @@
 <b>
 <a>1</a>
 <b>2</b>
-<v>29184</v>
+<v>15020</v>
 </b>
 <b>
 <a>2</a>
 <b>3</b>
-<v>1276</v>
+<v>656</v>
 </b>
 </bs>
 </hist>
@@ -20458,57 +22454,57 @@
 <b>
 <a>2</a>
 <b>3</b>
-<v>48</v>
+<v>25</v>
 </b>
 <b>
 <a>4</a>
 <b>5</b>
-<v>48</v>
+<v>25</v>
 </b>
 <b>
 <a>6</a>
 <b>7</b>
-<v>43</v>
+<v>22</v>
 </b>
 <b>
 <a>8</a>
 <b>9</b>
-<v>24</v>
+<v>12</v>
 </b>
 <b>
 <a>10</a>
 <b>11</b>
-<v>14</v>
+<v>7</v>
 </b>
 <b>
 <a>12</a>
 <b>15</b>
-<v>24</v>
+<v>12</v>
 </b>
 <b>
 <a>16</a>
 <b>17</b>
-<v>19</v>
+<v>10</v>
 </b>
 <b>
 <a>20</a>
 <b>21</b>
-<v>19</v>
+<v>10</v>
 </b>
 <b>
 <a>24</a>
 <b>31</b>
-<v>29</v>
+<v>15</v>
 </b>
 <b>
 <a>32</a>
 <b>61</b>
-<v>29</v>
+<v>15</v>
 </b>
 <b>
 <a>128</a>
 <b>4397</b>
-<v>24</v>
+<v>12</v>
 </b>
 </bs>
 </hist>
@@ -20518,31 +22514,31 @@
 </relation>
 <relation>
 <name>operators</name>
-<cardinality>12410</cardinality>
+<cardinality>6201</cardinality>
 <columnsizes>
 <e>
 <k>id</k>
-<v>12410</v>
+<v>6201</v>
 </e>
 <e>
 <k>name</k>
-<v>126</v>
+<v>65</v>
 </e>
 <e>
 <k>symbol</k>
-<v>116</v>
+<v>60</v>
 </e>
 <e>
 <k>declaring_type_id</k>
-<v>3024</v>
+<v>1448</v>
 </e>
 <e>
 <k>type_id</k>
-<v>1621</v>
+<v>809</v>
 </e>
 <e>
 <k>unbound_id</k>
-<v>11655</v>
+<v>5903</v>
 </e>
 </columnsizes>
 <dependencies>
@@ -20556,7 +22552,7 @@
 <b>
 <a>1</a>
 <b>2</b>
-<v>12410</v>
+<v>6201</v>
 </b>
 </bs>
 </hist>
@@ -20572,7 +22568,7 @@
 <b>
 <a>1</a>
 <b>2</b>
-<v>12410</v>
+<v>6201</v>
 </b>
 </bs>
 </hist>
@@ -20588,7 +22584,7 @@
 <b>
 <a>1</a>
 <b>2</b>
-<v>12410</v>
+<v>6201</v>
 </b>
 </bs>
 </hist>
@@ -20604,7 +22600,7 @@
 <b>
 <a>1</a>
 <b>2</b>
-<v>12410</v>
+<v>6201</v>
 </b>
 </bs>
 </hist>
@@ -20620,7 +22616,7 @@
 <b>
 <a>1</a>
 <b>2</b>
-<v>12410</v>
+<v>6201</v>
 </b>
 </bs>
 </hist>
@@ -20636,72 +22632,67 @@
 <b>
 <a>1</a>
 <b>2</b>
-<v>4</v>
+<v>2</v>
 </b>
 <b>
 <a>2</a>
 <b>3</b>
-<v>19</v>
+<v>10</v>
 </b>
 <b>
 <a>3</a>
-<b>5</b>
-<v>9</v>
+<b>4</b>
+<v>5</v>
 </b>
 <b>
 <a>5</a>
 <b>6</b>
-<v>4</v>
+<v>2</v>
 </b>
 <b>
 <a>8</a>
 <b>9</b>
-<v>9</v>
+<v>7</v>
 </b>
 <b>
-<a>9</a>
-<b>11</b>
-<v>9</v>
+<a>10</a>
+<b>17</b>
+<v>5</v>
 </b>
 <b>
-<a>17</a>
-<b>27</b>
-<v>9</v>
-</b>
-<b>
-<a>45</a>
+<a>26</a>
 <b>46</b>
-<v>4</v>
+<v>5</v>
 </b>
 <b>
 <a>54</a>
 <b>55</b>
-<v>9</v>
+<v>5</v>
 </b>
 <b>
 <a>57</a>
 <b>58</b>
-<v>9</v>
+<v>5</v>
 </b>
 <b>
-<a>66</a>
-<b>74</b>
-<v>9</v>
+<a>65</a>
+<b>73</b>
+<v>5</v>
 </b>
 <b>
-<a>85</a>
-<b>437</b>
-<v>9</v>
+<a>80</a>
+<b>436</b>
+<v>5</v>
 </b>
 <b>
-<a>459</a>
-<b>532</b>
-<v>9</v>
+<a>454</a>
+<b>500</b>
+<v>5</v>
 </b>
 <b>
-<a>532</a>
-<b>533</b>
-<v>4</v>
+<a>506</a>
+<b>507</b>
+<v>2</v>
 </b>
 </bs>
 </hist>
@@ -20717,7 +22708,7 @@
 <b>
 <a>1</a>
 <b>2</b>
-<v>126</v>
+<v>65</v>
 </b>
 </bs>
 </hist>
@@ -20733,74 +22724,374 @@
 <b>
 <a>1</a>
 <b>2</b>
-<v>4</v>
+<v>2</v>
 </b>
 <b>
 <a>2</a>
 <b>3</b>
-<v>19</v>
+<v>10</v>
 </b>
 <b>
 <a>3</a>
-<b>5</b>
-<v>9</v>
+<b>4</b>
+<v>5</v>
 </b>
 <b>
 <a>5</a>
 <b>6</b>
-<v>4</v>
+<v>2</v>
 </b>
 <b>
 <a>8</a>
 <b>9</b>
-<v>9</v>
+<v>7</v>
 </b>
 <b>
-<a>9</a>
-<b>11</b>
-<v>9</v>
+<a>10</a>
+<b>15</b>
+<v>5</v>
 </b>
 <b>
-<a>15</a>
-<b>27</b>
-<v>9</v>
+<a>26</a>
+<b>32</b>
+<v>5</v>
+</b>
+<b>
+<a>36</a>
+<b>50</b>
+<v>5</v>
+</b>
+<b>
+<a>50</a>
+<b>52</b>
+<v>5</v>
+</b>
+<b>
+<a>52</a>
+<b>53</b>
+<v>5</v>
+</b>
+<b>
+<a>63</a>
+<b>120</b>
+<v>5</v>
+</b>
+<b>
+<a>201</a>
+<b>444</b>
+<v>5</v>
+</b>
+<b>
+<a>451</a>
+<b>452</b>
+<v>2</v>
+</b>
+</bs>
+</hist>
+</val>
+</dep>
+<dep>
+<src>name</src>
+<trg>type_id</trg>
+<val>
+<hist>
+<budget>12</budget>
+<bs>
+<b>
+<a>1</a>
+<b>2</b>
+<v>7</v>
+</b>
+<b>
+<a>2</a>
+<b>3</b>
+<v>20</v>
+</b>
+<b>
+<a>3</a>
+<b>4</b>
+<v>5</v>
+</b>
+<b>
+<a>5</a>
+<b>6</b>
+<v>2</v>
+</b>
+<b>
+<a>8</a>
+<b>9</b>
+<v>7</v>
+</b>
+<b>
+<a>10</a>
+<b>15</b>
+<v>5</v>
+</b>
+<b>
+<a>26</a>
+<b>32</b>
+<v>5</v>
+</b>
+<b>
+<a>37</a>
+<b>52</b>
+<v>5</v>
+</b>
+<b>
+<a>63</a>
+<b>155</b>
+<v>5</v>
+</b>
+<b>
+<a>181</a>
+<b>182</b>
+<v>2</v>
+</b>
+</bs>
+</hist>
+</val>
+</dep>
+<dep>
+<src>name</src>
+<trg>unbound_id</trg>
+<val>
+<hist>
+<budget>12</budget>
+<bs>
+<b>
+<a>1</a>
+<b>2</b>
+<v>2</v>
+</b>
+<b>
+<a>2</a>
+<b>3</b>
+<v>10</v>
+</b>
+<b>
+<a>3</a>
+<b>4</b>
+<v>5</v>
+</b>
+<b>
+<a>5</a>
+<b>6</b>
+<v>2</v>
+</b>
+<b>
+<a>8</a>
+<b>9</b>
+<v>7</v>
+</b>
+<b>
+<a>10</a>
+<b>17</b>
+<v>5</v>
+</b>
+<b>
+<a>26</a>
+<b>46</b>
+<v>5</v>
+</b>
+<b>
+<a>53</a>
+<b>54</b>
+<v>5</v>
+</b>
+<b>
+<a>56</a>
+<b>57</b>
+<v>5</v>
+</b>
+<b>
+<a>65</a>
+<b>73</b>
+<v>5</v>
+</b>
+<b>
+<a>80</a>
+<b>415</b>
+<v>5</v>
+</b>
+<b>
+<a>416</a>
+<b>472</b>
+<v>5</v>
+</b>
+<b>
+<a>478</a>
+<b>479</b>
+<v>2</v>
+</b>
+</bs>
+</hist>
+</val>
+</dep>
+<dep>
+<src>symbol</src>
+<trg>id</trg>
+<val>
+<hist>
+<budget>12</budget>
+<bs>
+<b>
+<a>1</a>
+<b>2</b>
+<v>2</v>
+</b>
+<b>
+<a>2</a>
+<b>3</b>
+<v>10</v>
+</b>
+<b>
+<a>3</a>
+<b>4</b>
+<v>5</v>
+</b>
+<b>
+<a>8</a>
+<b>9</b>
+<v>7</v>
+</b>
+<b>
+<a>10</a>
+<b>17</b>
+<v>5</v>
+</b>
+<b>
+<a>45</a>
+<b>46</b>
+<v>2</v>
+</b>
+<b>
+<a>54</a>
+<b>55</b>
+<v>5</v>
+</b>
+<b>
+<a>57</a>
+<b>58</b>
+<v>5</v>
+</b>
+<b>
+<a>72</a>
+<b>86</b>
+<v>5</v>
+</b>
+<b>
+<a>91</a>
+<b>436</b>
+<v>5</v>
+</b>
+<b>
+<a>454</a>
+<b>500</b>
+<v>5</v>
+</b>
+<b>
+<a>506</a>
+<b>507</b>
+<v>2</v>
+</b>
+</bs>
+</hist>
+</val>
+</dep>
+<dep>
+<src>symbol</src>
+<trg>name</trg>
+<val>
+<hist>
+<budget>12</budget>
+<bs>
+<b>
+<a>1</a>
+<b>2</b>
+<v>55</v>
+</b>
+<b>
+<a>2</a>
+<b>3</b>
+<v>5</v>
+</b>
+</bs>
+</hist>
+</val>
+</dep>
+<dep>
+<src>symbol</src>
+<trg>declaring_type_id</trg>
+<val>
+<hist>
+<budget>12</budget>
+<bs>
+<b>
+<a>1</a>
+<b>2</b>
+<v>2</v>
+</b>
+<b>
+<a>2</a>
+<b>3</b>
+<v>10</v>
+</b>
+<b>
+<a>3</a>
+<b>4</b>
+<v>5</v>
+</b>
+<b>
+<a>8</a>
+<b>9</b>
+<v>7</v>
+</b>
+<b>
+<a>10</a>
+<b>15</b>
+<v>5</v>
 </b>
 <b>
 <a>31</a>
-<b>38</b>
-<v>9</v>
+<b>37</b>
+<v>5</v>
 </b>
 <b>
 <a>49</a>
 <b>51</b>
-<v>9</v>
+<v>5</v>
+</b>
+<b>
+<a>51</a>
+<b>52</b>
+<v>2</v>
 </b>
 <b>
 <a>52</a>
 <b>53</b>
-<v>14</v>
+<v>5</v>
 </b>
 <b>
-<a>68</a>
-<b>121</b>
-<v>9</v>
+<a>63</a>
+<b>120</b>
+<v>5</v>
 </b>
 <b>
-<a>206</a>
-<b>476</b>
-<v>9</v>
+<a>201</a>
+<b>444</b>
+<v>5</v>
 </b>
 <b>
-<a>477</a>
-<b>478</b>
-<v>4</v>
+<a>451</a>
+<b>452</b>
+<v>2</v>
 </b>
 </bs>
 </hist>
 </val>
 </dep>
 <dep>
-<src>name</src>
+<src>symbol</src>
 <trg>type_id</trg>
 <val>
 <hist>
@@ -20809,59 +23100,49 @@
 <b>
 <a>1</a>
 <b>2</b>
-<v>14</v>
+<v>7</v>
 </b>
 <b>
 <a>2</a>
 <b>3</b>
-<v>38</v>
+<v>20</v>
 </b>
 <b>
 <a>3</a>
-<b>5</b>
-<v>9</v>
-</b>
-<b>
-<a>5</a>
-<b>6</b>
-<v>4</v>
+<b>4</b>
+<v>5</v>
 </b>
 <b>
 <a>8</a>
 <b>9</b>
-<v>9</v>
+<v>7</v>
 </b>
 <b>
-<a>9</a>
-<b>11</b>
-<v>9</v>
-</b>
-<b>
-<a>15</a>
-<b>27</b>
-<v>9</v>
+<a>10</a>
+<b>15</b>
+<v>5</v>
 </b>
 <b>
 <a>31</a>
-<b>39</b>
-<v>9</v>
+<b>38</b>
+<v>5</v>
 </b>
 <b>
-<a>52</a>
-<b>69</b>
-<v>9</v>
+<a>51</a>
+<b>64</b>
+<v>5</v>
 </b>
 <b>
-<a>155</a>
-<b>186</b>
-<v>9</v>
+<a>154</a>
+<b>182</b>
+<v>5</v>
 </b>
 </bs>
 </hist>
 </val>
 </dep>
 <dep>
-<src>name</src>
+<src>symbol</src>
 <trg>unbound_id</trg>
 <val>
 <hist>
@@ -20870,362 +23151,62 @@
 <b>
 <a>1</a>
 <b>2</b>
-<v>4</v>
+<v>2</v>
 </b>
 <b>
 <a>2</a>
 <b>3</b>
-<v>19</v>
+<v>10</v>
 </b>
 <b>
 <a>3</a>
-<b>5</b>
-<v>9</v>
-</b>
-<b>
-<a>5</a>
-<b>6</b>
-<v>4</v>
+<b>4</b>
+<v>5</v>
 </b>
 <b>
 <a>8</a>
 <b>9</b>
-<v>9</v>
+<v>7</v>
 </b>
 <b>
-<a>9</a>
-<b>11</b>
-<v>9</v>
-</b>
-<b>
-<a>17</a>
-<b>27</b>
-<v>9</v>
+<a>10</a>
+<b>17</b>
+<v>5</v>
 </b>
 <b>
 <a>45</a>
 <b>46</b>
-<v>4</v>
+<v>2</v>
 </b>
 <b>
 <a>53</a>
 <b>54</b>
-<v>9</v>
+<v>5</v>
 </b>
 <b>
 <a>56</a>
 <b>57</b>
-<v>9</v>
+<v>5</v>
 </b>
 <b>
-<a>66</a>
-<b>74</b>
-<v>9</v>
+<a>72</a>
+<b>86</b>
+<v>5</v>
 </b>
 <b>
-<a>85</a>
+<a>91</a>
 <b>415</b>
-<v>9</v>
+<v>5</v>
 </b>
 <b>
 <a>416</a>
-<b>489</b>
-<v>9</v>
+<b>472</b>
+<v>5</v>
 </b>
 <b>
-<a>489</a>
-<b>490</b>
-<v>4</v>
-</b>
-</bs>
-</hist>
-</val>
-</dep>
-<dep>
-<src>symbol</src>
-<trg>id</trg>
-<val>
-<hist>
-<budget>12</budget>
-<bs>
-<b>
-<a>1</a>
-<b>2</b>
-<v>4</v>
-</b>
-<b>
-<a>2</a>
-<b>3</b>
-<v>19</v>
-</b>
-<b>
-<a>3</a>
-<b>5</b>
-<v>9</v>
-</b>
-<b>
-<a>8</a>
-<b>9</b>
-<v>9</v>
-</b>
-<b>
-<a>9</a>
-<b>11</b>
-<v>9</v>
-</b>
-<b>
-<a>17</a>
-<b>46</b>
-<v>9</v>
-</b>
-<b>
-<a>54</a>
-<b>55</b>
-<v>9</v>
-</b>
-<b>
-<a>57</a>
-<b>58</b>
-<v>9</v>
-</b>
-<b>
-<a>73</a>
-<b>91</b>
-<v>9</v>
-</b>
-<b>
-<a>92</a>
-<b>437</b>
-<v>9</v>
-</b>
-<b>
-<a>459</a>
-<b>532</b>
-<v>9</v>
-</b>
-<b>
-<a>532</a>
-<b>533</b>
-<v>4</v>
-</b>
-</bs>
-</hist>
-</val>
-</dep>
-<dep>
-<src>symbol</src>
-<trg>name</trg>
-<val>
-<hist>
-<budget>12</budget>
-<bs>
-<b>
-<a>1</a>
-<b>2</b>
-<v>107</v>
-</b>
-<b>
-<a>2</a>
-<b>3</b>
-<v>9</v>
-</b>
-</bs>
-</hist>
-</val>
-</dep>
-<dep>
-<src>symbol</src>
-<trg>declaring_type_id</trg>
-<val>
-<hist>
-<budget>12</budget>
-<bs>
-<b>
-<a>1</a>
-<b>2</b>
-<v>4</v>
-</b>
-<b>
-<a>2</a>
-<b>3</b>
-<v>19</v>
-</b>
-<b>
-<a>3</a>
-<b>5</b>
-<v>9</v>
-</b>
-<b>
-<a>8</a>
-<b>9</b>
-<v>9</v>
-</b>
-<b>
-<a>9</a>
-<b>11</b>
-<v>9</v>
-</b>
-<b>
-<a>15</a>
-<b>32</b>
-<v>9</v>
-</b>
-<b>
-<a>37</a>
-<b>50</b>
-<v>9</v>
-</b>
-<b>
-<a>50</a>
-<b>51</b>
-<v>4</v>
-</b>
-<b>
-<a>52</a>
-<b>53</b>
-<v>14</v>
-</b>
-<b>
-<a>68</a>
-<b>121</b>
-<v>9</v>
-</b>
-<b>
-<a>206</a>
-<b>476</b>
-<v>9</v>
-</b>
-<b>
-<a>477</a>
-<b>478</b>
-<v>4</v>
-</b>
-</bs>
-</hist>
-</val>
-</dep>
-<dep>
-<src>symbol</src>
-<trg>type_id</trg>
-<val>
-<hist>
-<budget>12</budget>
-<bs>
-<b>
-<a>1</a>
-<b>2</b>
-<v>14</v>
-</b>
-<b>
-<a>2</a>
-<b>3</b>
-<v>38</v>
-</b>
-<b>
-<a>3</a>
-<b>5</b>
-<v>9</v>
-</b>
-<b>
-<a>8</a>
-<b>9</b>
-<v>9</v>
-</b>
-<b>
-<a>9</a>
-<b>11</b>
-<v>9</v>
-</b>
-<b>
-<a>15</a>
-<b>32</b>
-<v>9</v>
-</b>
-<b>
-<a>38</a>
-<b>53</b>
-<v>9</v>
-</b>
-<b>
-<a>68</a>
-<b>156</b>
-<v>9</v>
-</b>
-<b>
-<a>185</a>
-<b>186</b>
-<v>4</v>
-</b>
-</bs>
-</hist>
-</val>
-</dep>
-<dep>
-<src>symbol</src>
-<trg>unbound_id</trg>
-<val>
-<hist>
-<budget>12</budget>
-<bs>
-<b>
-<a>1</a>
-<b>2</b>
-<v>4</v>
-</b>
-<b>
-<a>2</a>
-<b>3</b>
-<v>19</v>
-</b>
-<b>
-<a>3</a>
-<b>5</b>
-<v>9</v>
-</b>
-<b>
-<a>8</a>
-<b>9</b>
-<v>9</v>
-</b>
-<b>
-<a>9</a>
-<b>11</b>
-<v>9</v>
-</b>
-<b>
-<a>17</a>
-<b>46</b>
-<v>9</v>
-</b>
-<b>
-<a>53</a>
-<b>54</b>
-<v>9</v>
-</b>
-<b>
-<a>56</a>
-<b>57</b>
-<v>9</v>
-</b>
-<b>
-<a>73</a>
-<b>91</b>
-<v>9</v>
-</b>
-<b>
-<a>92</a>
-<b>415</b>
-<v>9</v>
-</b>
-<b>
-<a>416</a>
-<b>489</b>
-<v>9</v>
-</b>
-<b>
-<a>489</a>
-<b>490</b>
-<v>4</v>
+<a>478</a>
+<b>479</b>
+<v>2</v>
 </b>
 </bs>
 </hist>
@@ -21241,37 +23222,42 @@
 <b>
 <a>1</a>
 <b>2</b>
-<v>472</v>
+<v>200</v>
 </b>
 <b>
 <a>2</a>
 <b>3</b>
-<v>1568</v>
+<v>742</v>
 </b>
 <b>
 <a>3</a>
 <b>4</b>
-<v>87</v>
+<v>45</v>
 </b>
 <b>
 <a>4</a>
+<b>5</b>
+<v>115</v>
+</b>
+<b>
+<a>5</a>
 <b>6</b>
-<v>267</v>
+<v>22</v>
 </b>
 <b>
 <a>6</a>
 <b>7</b>
-<v>287</v>
+<v>147</v>
 </b>
 <b>
 <a>7</a>
-<b>16</b>
-<v>228</v>
+<b>15</b>
+<v>112</v>
 </b>
 <b>
-<a>16</a>
+<a>15</a>
 <b>73</b>
-<v>112</v>
+<v>62</v>
 </b>
 </bs>
 </hist>
@@ -21287,32 +23273,32 @@
 <b>
 <a>1</a>
 <b>2</b>
-<v>628</v>
+<v>280</v>
 </b>
 <b>
 <a>2</a>
 <b>3</b>
-<v>1539</v>
+<v>726</v>
 </b>
 <b>
 <a>3</a>
 <b>4</b>
-<v>243</v>
+<v>125</v>
 </b>
 <b>
 <a>4</a>
 <b>5</b>
-<v>272</v>
+<v>142</v>
 </b>
 <b>
 <a>5</a>
 <b>10</b>
-<v>243</v>
+<v>125</v>
 </b>
 <b>
 <a>10</a>
 <b>24</b>
-<v>97</v>
+<v>47</v>
 </b>
 </bs>
 </hist>
@@ -21328,32 +23314,32 @@
 <b>
 <a>1</a>
 <b>2</b>
-<v>628</v>
+<v>280</v>
 </b>
 <b>
 <a>2</a>
 <b>3</b>
-<v>1543</v>
+<v>729</v>
 </b>
 <b>
 <a>3</a>
 <b>4</b>
-<v>238</v>
+<v>122</v>
 </b>
 <b>
 <a>4</a>
 <b>5</b>
-<v>272</v>
+<v>142</v>
 </b>
 <b>
 <a>5</a>
 <b>9</b>
-<v>228</v>
+<v>115</v>
 </b>
 <b>
 <a>9</a>
 <b>22</b>
-<v>112</v>
+<v>57</v>
 </b>
 </bs>
 </hist>
@@ -21369,27 +23355,27 @@
 <b>
 <a>1</a>
 <b>2</b>
-<v>2021</v>
+<v>945</v>
 </b>
 <b>
 <a>2</a>
 <b>3</b>
-<v>418</v>
+<v>203</v>
 </b>
 <b>
 <a>3</a>
 <b>4</b>
-<v>292</v>
+<v>150</v>
 </b>
 <b>
 <a>4</a>
-<b>6</b>
-<v>243</v>
+<b>5</b>
+<v>112</v>
 </b>
 <b>
-<a>8</a>
+<a>5</a>
 <b>39</b>
-<v>48</v>
+<v>37</v>
 </b>
 </bs>
 </hist>
@@ -21405,37 +23391,42 @@
 <b>
 <a>1</a>
 <b>2</b>
-<v>472</v>
+<v>200</v>
 </b>
 <b>
 <a>2</a>
 <b>3</b>
-<v>1568</v>
+<v>742</v>
 </b>
 <b>
 <a>3</a>
 <b>4</b>
-<v>87</v>
+<v>45</v>
 </b>
 <b>
 <a>4</a>
+<b>5</b>
+<v>115</v>
+</b>
+<b>
+<a>5</a>
 <b>6</b>
-<v>267</v>
+<v>22</v>
 </b>
 <b>
 <a>6</a>
 <b>7</b>
-<v>287</v>
+<v>147</v>
 </b>
 <b>
 <a>7</a>
-<b>16</b>
-<v>228</v>
+<b>15</b>
+<v>112</v>
 </b>
 <b>
-<a>16</a>
+<a>15</a>
 <b>73</b>
-<v>112</v>
+<v>62</v>
 </b>
 </bs>
 </hist>
@@ -21451,32 +23442,32 @@
 <b>
 <a>1</a>
 <b>2</b>
-<v>793</v>
+<v>383</v>
 </b>
 <b>
 <a>2</a>
 <b>3</b>
-<v>370</v>
+<v>190</v>
 </b>
 <b>
 <a>3</a>
 <b>5</b>
-<v>121</v>
+<v>62</v>
 </b>
 <b>
 <a>5</a>
 <b>8</b>
-<v>126</v>
+<v>65</v>
 </b>
 <b>
 <a>8</a>
 <b>18</b>
-<v>126</v>
+<v>65</v>
 </b>
 <b>
-<a>19</a>
-<b>1227</b>
-<v>82</v>
+<a>18</a>
+<b>1167</b>
+<v>42</v>
 </b>
 </bs>
 </hist>
@@ -21492,27 +23483,27 @@
 <b>
 <a>1</a>
 <b>2</b>
-<v>1207</v>
+<v>596</v>
 </b>
 <b>
 <a>2</a>
 <b>3</b>
-<v>150</v>
+<v>77</v>
 </b>
 <b>
 <a>3</a>
 <b>5</b>
-<v>116</v>
+<v>60</v>
 </b>
 <b>
 <a>5</a>
 <b>13</b>
-<v>131</v>
+<v>70</v>
 </b>
 <b>
 <a>13</a>
 <b>18</b>
-<v>14</v>
+<v>5</v>
 </b>
 </bs>
 </hist>
@@ -21528,27 +23519,27 @@
 <b>
 <a>1</a>
 <b>2</b>
-<v>1207</v>
+<v>596</v>
 </b>
 <b>
 <a>2</a>
 <b>3</b>
-<v>160</v>
+<v>82</v>
 </b>
 <b>
 <a>3</a>
 <b>5</b>
-<v>126</v>
+<v>65</v>
 </b>
 <b>
 <a>5</a>
 <b>14</b>
-<v>121</v>
+<v>62</v>
 </b>
 <b>
 <a>15</a>
 <b>16</b>
-<v>4</v>
+<v>2</v>
 </b>
 </bs>
 </hist>
@@ -21564,22 +23555,22 @@
 <b>
 <a>1</a>
 <b>2</b>
-<v>1266</v>
+<v>626</v>
 </b>
 <b>
 <a>2</a>
 <b>3</b>
-<v>121</v>
+<v>62</v>
 </b>
 <b>
 <a>3</a>
 <b>6</b>
-<v>126</v>
+<v>65</v>
 </b>
 <b>
 <a>6</a>
-<b>501</b>
-<v>107</v>
+<b>463</b>
+<v>55</v>
 </b>
 </bs>
 </hist>
@@ -21595,32 +23586,32 @@
 <b>
 <a>1</a>
 <b>2</b>
-<v>793</v>
+<v>383</v>
 </b>
 <b>
 <a>2</a>
 <b>3</b>
-<v>370</v>
+<v>190</v>
 </b>
 <b>
 <a>3</a>
 <b>5</b>
-<v>121</v>
+<v>62</v>
 </b>
 <b>
 <a>5</a>
 <b>8</b>
-<v>126</v>
+<v>65</v>
 </b>
 <b>
 <a>8</a>
 <b>18</b>
-<v>126</v>
+<v>65</v>
 </b>
 <b>
-<a>19</a>
-<b>1137</b>
-<v>82</v>
+<a>18</a>
+<b>1107</b>
+<v>42</v>
 </b>
 </bs>
 </hist>
@@ -21636,12 +23627,12 @@
 <b>
 <a>1</a>
 <b>2</b>
-<v>11509</v>
+<v>5828</v>
 </b>
 <b>
 <a>2</a>
-<b>26</b>
-<v>146</v>
+<b>21</b>
+<v>75</v>
 </b>
 </bs>
 </hist>
@@ -21657,7 +23648,7 @@
 <b>
 <a>1</a>
 <b>2</b>
-<v>11655</v>
+<v>5903</v>
 </b>
 </bs>
 </hist>
@@ -21673,7 +23664,7 @@
 <b>
 <a>1</a>
 <b>2</b>
-<v>11655</v>
+<v>5903</v>
 </b>
 </bs>
 </hist>
@@ -21689,12 +23680,12 @@
 <b>
 <a>1</a>
 <b>2</b>
-<v>11509</v>
+<v>5828</v>
 </b>
 <b>
 <a>2</a>
-<b>26</b>
-<v>146</v>
+<b>21</b>
+<v>75</v>
 </b>
 </bs>
 </hist>
@@ -21710,12 +23701,12 @@
 <b>
 <a>1</a>
 <b>2</b>
-<v>11597</v>
+<v>5873</v>
 </b>
 <b>
 <a>2</a>
-<b>22</b>
-<v>58</v>
+<b>21</b>
+<v>30</v>
 </b>
 </bs>
 </hist>
@@ -21725,15 +23716,15 @@
 </relation>
 <relation>
 <name>operator_location</name>
-<cardinality>22843</cardinality>
+<cardinality>11639</cardinality>
 <columnsizes>
 <e>
 <k>id</k>
-<v>5785</v>
+<v>1989</v>
 </e>
 <e>
 <k>loc</k>
-<v>3241</v>
+<v>1713</v>
 </e>
 </columnsizes>
 <dependencies>
@@ -21747,32 +23738,47 @@
 <b>
 <a>1</a>
 <b>2</b>
-<v>861</v>
+<v>438</v>
 </b>
 <b>
 <a>2</a>
 <b>3</b>
-<v>3233</v>
+<v>221</v>
 </b>
 <b>
 <a>3</a>
+<b>6</b>
+<v>182</v>
+</b>
+<b>
+<a>6</a>
+<b>7</b>
+<v>41</v>
+</b>
+<b>
+<a>7</a>
+<b>8</b>
+<v>257</v>
+</b>
+<b>
+<a>8</a>
 <b>9</b>
-<v>396</v>
+<v>122</v>
 </b>
 <b>
 <a>9</a>
-<b>11</b>
-<v>461</v>
+<b>10</b>
+<v>495</v>
 </b>
 <b>
-<a>11</a>
+<a>10</a>
 <b>12</b>
-<v>597</v>
+<v>119</v>
 </b>
 <b>
 <a>12</a>
-<b>14</b>
-<v>234</v>
+<b>13</b>
+<v>108</v>
 </b>
 </bs>
 </hist>
@@ -21788,17 +23794,22 @@
 <b>
 <a>1</a>
 <b>2</b>
-<v>2841</v>
+<v>1403</v>
 </b>
 <b>
 <a>2</a>
-<b>9</b>
-<v>243</v>
+<b>3</b>
+<v>115</v>
 </b>
 <b>
-<a>9</a>
-<b>2695</b>
-<v>157</v>
+<a>3</a>
+<b>15</b>
+<v>131</v>
+</b>
+<b>
+<a>21</a>
+<b>793</b>
+<v>63</v>
 </b>
 </bs>
 </hist>
@@ -21808,15 +23819,15 @@
 </relation>
 <relation>
 <name>constant_value</name>
-<cardinality>185352</cardinality>
+<cardinality>95257</cardinality>
 <columnsizes>
 <e>
 <k>id</k>
-<v>185240</v>
+<v>95199</v>
 </e>
 <e>
 <k>value</k>
-<v>47854</v>
+<v>24531</v>
 </e>
 </columnsizes>
 <dependencies>
@@ -21830,12 +23841,12 @@
 <b>
 <a>1</a>
 <b>2</b>
-<v>185128</v>
+<v>95141</v>
 </b>
 <b>
 <a>2</a>
 <b>3</b>
-<v>112</v>
+<v>57</v>
 </b>
 </bs>
 </hist>
@@ -21851,27 +23862,27 @@
 <b>
 <a>1</a>
 <b>2</b>
-<v>32891</v>
+<v>16848</v>
 </b>
 <b>
 <a>2</a>
 <b>3</b>
-<v>7218</v>
+<v>3705</v>
 </b>
 <b>
 <a>3</a>
 <b>4</b>
-<v>3886</v>
+<v>1995</v>
 </b>
 <b>
 <a>4</a>
-<b>61</b>
-<v>3589</v>
+<b>60</b>
+<v>1842</v>
 </b>
 <b>
-<a>61</a>
+<a>60</a>
 <b>2421</b>
-<v>267</v>
+<v>140</v>
 </b>
 </bs>
 </hist>
@@ -21881,27 +23892,27 @@
 </relation>
 <relation>
 <name>methods</name>
-<cardinality>1116872</cardinality>
+<cardinality>549172</cardinality>
 <columnsizes>
 <e>
 <k>id</k>
-<v>1116872</v>
+<v>549172</v>
 </e>
 <e>
 <k>name</k>
-<v>133791</v>
+<v>68273</v>
 </e>
 <e>
 <k>declaring_type_id</k>
-<v>202248</v>
+<v>101140</v>
 </e>
 <e>
 <k>type_id</k>
-<v>112877</v>
+<v>54054</v>
 </e>
 <e>
 <k>unbound_id</k>
-<v>696794</v>
+<v>357745</v>
 </e>
 </columnsizes>
 <dependencies>
@@ -21915,7 +23926,7 @@
 <b>
 <a>1</a>
 <b>2</b>
-<v>1116872</v>
+<v>549172</v>
 </b>
 </bs>
 </hist>
@@ -21931,7 +23942,7 @@
 <b>
 <a>1</a>
 <b>2</b>
-<v>1116872</v>
+<v>549172</v>
 </b>
 </bs>
 </hist>
@@ -21947,7 +23958,7 @@
 <b>
 <a>1</a>
 <b>2</b>
-<v>1116872</v>
+<v>549172</v>
 </b>
 </bs>
 </hist>
@@ -21963,7 +23974,7 @@
 <b>
 <a>1</a>
 <b>2</b>
-<v>1116872</v>
+<v>549172</v>
 </b>
 </bs>
 </hist>
@@ -21979,32 +23990,32 @@
 <b>
 <a>1</a>
 <b>2</b>
-<v>69318</v>
+<v>35183</v>
 </b>
 <b>
 <a>2</a>
 <b>3</b>
-<v>23632</v>
+<v>12138</v>
 </b>
 <b>
 <a>3</a>
 <b>4</b>
-<v>10842</v>
+<v>5557</v>
 </b>
 <b>
 <a>4</a>
 <b>6</b>
-<v>10423</v>
+<v>5404</v>
 </b>
 <b>
 <a>6</a>
 <b>12</b>
-<v>10569</v>
+<v>5429</v>
 </b>
 <b>
 <a>12</a>
-<b>5621</b>
-<v>9005</v>
+<b>5061</b>
+<v>4559</v>
 </b>
 </bs>
 </hist>
@@ -22020,32 +24031,32 @@
 <b>
 <a>1</a>
 <b>2</b>
-<v>79688</v>
+<v>40500</v>
 </b>
 <b>
 <a>2</a>
 <b>3</b>
-<v>19355</v>
+<v>9934</v>
 </b>
 <b>
 <a>3</a>
 <b>4</b>
-<v>11324</v>
+<v>5820</v>
 </b>
 <b>
 <a>4</a>
 <b>7</b>
-<v>11046</v>
+<v>5698</v>
 </b>
 <b>
 <a>7</a>
-<b>33</b>
-<v>10106</v>
+<b>32</b>
+<v>5131</v>
 </b>
 <b>
-<a>33</a>
+<a>32</a>
 <b>4959</b>
-<v>2269</v>
+<v>1188</v>
 </b>
 </bs>
 </hist>
@@ -22061,22 +24072,22 @@
 <b>
 <a>1</a>
 <b>2</b>
-<v>113057</v>
+<v>57652</v>
 </b>
 <b>
 <a>2</a>
 <b>3</b>
-<v>10593</v>
+<v>5432</v>
 </b>
 <b>
 <a>3</a>
-<b>209</b>
-<v>10038</v>
+<b>126</b>
+<v>5121</v>
 </b>
 <b>
-<a>222</a>
-<b>2703</b>
-<v>102</v>
+<a>137</a>
+<b>2143</b>
+<v>67</v>
 </b>
 </bs>
 </hist>
@@ -22092,32 +24103,32 @@
 <b>
 <a>1</a>
 <b>2</b>
-<v>71057</v>
+<v>36040</v>
 </b>
 <b>
 <a>2</a>
 <b>3</b>
-<v>24499</v>
+<v>12589</v>
 </b>
 <b>
 <a>3</a>
 <b>4</b>
-<v>10915</v>
+<v>5607</v>
 </b>
 <b>
 <a>4</a>
 <b>6</b>
-<v>10720</v>
+<v>5512</v>
 </b>
 <b>
 <a>6</a>
-<b>13</b>
-<v>10720</v>
+<b>12</b>
+<v>5149</v>
 </b>
 <b>
-<a>13</a>
+<a>12</a>
 <b>4958</b>
-<v>5878</v>
+<v>3374</v>
 </b>
 </bs>
 </hist>
@@ -22133,42 +24144,42 @@
 <b>
 <a>1</a>
 <b>2</b>
-<v>59918</v>
+<v>30224</v>
 </b>
 <b>
 <a>2</a>
 <b>3</b>
-<v>43002</v>
+<v>21964</v>
 </b>
 <b>
 <a>3</a>
 <b>4</b>
-<v>31293</v>
+<v>15156</v>
 </b>
 <b>
 <a>4</a>
 <b>5</b>
-<v>14251</v>
+<v>7172</v>
 </b>
 <b>
 <a>5</a>
 <b>6</b>
-<v>14787</v>
+<v>7264</v>
 </b>
 <b>
 <a>6</a>
 <b>10</b>
-<v>16097</v>
+<v>8104</v>
 </b>
 <b>
 <a>10</a>
 <b>23</b>
-<v>15654</v>
+<v>7831</v>
 </b>
 <b>
 <a>23</a>
-<b>1309</b>
-<v>7242</v>
+<b>1055</b>
+<v>3421</v>
 </b>
 </bs>
 </hist>
@@ -22184,37 +24195,37 @@
 <b>
 <a>1</a>
 <b>2</b>
-<v>64984</v>
+<v>32832</v>
 </b>
 <b>
 <a>2</a>
 <b>3</b>
-<v>44688</v>
+<v>22819</v>
 </b>
 <b>
 <a>3</a>
 <b>4</b>
-<v>34391</v>
+<v>16580</v>
 </b>
 <b>
 <a>4</a>
 <b>5</b>
-<v>18191</v>
+<v>9122</v>
 </b>
 <b>
 <a>5</a>
 <b>8</b>
-<v>18157</v>
+<v>8951</v>
 </b>
 <b>
 <a>8</a>
 <b>18</b>
-<v>15249</v>
+<v>7600</v>
 </b>
 <b>
 <a>18</a>
 <b>457</b>
-<v>6585</v>
+<v>3233</v>
 </b>
 </bs>
 </hist>
@@ -22230,32 +24241,32 @@
 <b>
 <a>1</a>
 <b>2</b>
-<v>98011</v>
+<v>49695</v>
 </b>
 <b>
 <a>2</a>
 <b>3</b>
-<v>48906</v>
+<v>23712</v>
 </b>
 <b>
 <a>3</a>
 <b>4</b>
-<v>22945</v>
+<v>11686</v>
 </b>
 <b>
 <a>4</a>
 <b>5</b>
-<v>11621</v>
+<v>5946</v>
 </b>
 <b>
 <a>5</a>
-<b>10</b>
-<v>15206</v>
+<b>11</b>
+<v>7863</v>
 </b>
 <b>
-<a>10</a>
-<b>738</b>
-<v>5557</v>
+<a>11</a>
+<b>595</b>
+<v>2236</v>
 </b>
 </bs>
 </hist>
@@ -22271,42 +24282,42 @@
 <b>
 <a>1</a>
 <b>2</b>
-<v>60025</v>
+<v>30277</v>
 </b>
 <b>
 <a>2</a>
 <b>3</b>
-<v>43080</v>
+<v>21994</v>
 </b>
 <b>
 <a>3</a>
 <b>4</b>
-<v>31293</v>
+<v>15158</v>
 </b>
 <b>
 <a>4</a>
 <b>5</b>
-<v>14285</v>
+<v>7184</v>
 </b>
 <b>
 <a>5</a>
 <b>6</b>
-<v>14806</v>
+<v>7267</v>
 </b>
 <b>
 <a>6</a>
 <b>10</b>
-<v>16014</v>
+<v>8069</v>
 </b>
 <b>
 <a>10</a>
 <b>23</b>
-<v>16112</v>
+<v>8069</v>
 </b>
 <b>
 <a>23</a>
 <b>698</b>
-<v>6628</v>
+<v>3118</v>
 </b>
 </bs>
 </hist>
@@ -22322,27 +24333,27 @@
 <b>
 <a>1</a>
 <b>2</b>
-<v>75436</v>
+<v>35802</v>
 </b>
 <b>
 <a>2</a>
 <b>3</b>
-<v>14480</v>
+<v>6943</v>
 </b>
 <b>
 <a>3</a>
 <b>4</b>
-<v>8309</v>
+<v>4078</v>
 </b>
 <b>
 <a>4</a>
-<b>10</b>
-<v>8825</v>
+<b>9</b>
+<v>4086</v>
 </b>
 <b>
-<a>10</a>
-<b>62181</b>
-<v>5825</v>
+<a>9</a>
+<b>59685</b>
+<v>3143</v>
 </b>
 </bs>
 </hist>
@@ -22358,22 +24369,22 @@
 <b>
 <a>1</a>
 <b>2</b>
-<v>91568</v>
+<v>43794</v>
 </b>
 <b>
 <a>2</a>
 <b>3</b>
-<v>9614</v>
+<v>4717</v>
 </b>
 <b>
 <a>3</a>
-<b>8</b>
-<v>8664</v>
+<b>9</b>
+<v>4203</v>
 </b>
 <b>
-<a>8</a>
-<b>7691</b>
-<v>3029</v>
+<a>9</a>
+<b>7612</b>
+<v>1338</v>
 </b>
 </bs>
 </hist>
@@ -22389,22 +24400,22 @@
 <b>
 <a>1</a>
 <b>2</b>
-<v>87393</v>
+<v>41733</v>
 </b>
 <b>
 <a>2</a>
 <b>3</b>
-<v>13978</v>
+<v>6603</v>
 </b>
 <b>
 <a>3</a>
-<b>8</b>
-<v>8801</v>
+<b>7</b>
+<v>4101</v>
 </b>
 <b>
-<a>8</a>
-<b>19662</b>
-<v>2703</v>
+<a>7</a>
+<b>19179</b>
+<v>1616</v>
 </b>
 </bs>
 </hist>
@@ -22420,27 +24431,27 @@
 <b>
 <a>1</a>
 <b>2</b>
-<v>75548</v>
+<v>35852</v>
 </b>
 <b>
 <a>2</a>
 <b>3</b>
-<v>14538</v>
+<v>6984</v>
 </b>
 <b>
 <a>3</a>
 <b>4</b>
-<v>8382</v>
+<v>4103</v>
 </b>
 <b>
 <a>4</a>
-<b>10</b>
-<v>8762</v>
+<b>9</b>
+<v>4061</v>
 </b>
 <b>
-<a>10</a>
-<b>44512</b>
-<v>5645</v>
+<a>9</a>
+<b>44405</b>
+<v>3053</v>
 </b>
 </bs>
 </hist>
@@ -22456,12 +24467,12 @@
 <b>
 <a>1</a>
 <b>2</b>
-<v>669961</v>
+<v>344231</v>
 </b>
 <b>
 <a>2</a>
-<b>1367</b>
-<v>26832</v>
+<b>1207</b>
+<v>13514</v>
 </b>
 </bs>
 </hist>
@@ -22477,7 +24488,7 @@
 <b>
 <a>1</a>
 <b>2</b>
-<v>696794</v>
+<v>357745</v>
 </b>
 </bs>
 </hist>
@@ -22493,12 +24504,12 @@
 <b>
 <a>1</a>
 <b>2</b>
-<v>671827</v>
+<v>345048</v>
 </b>
 <b>
 <a>2</a>
-<b>1367</b>
-<v>24966</v>
+<b>1207</b>
+<v>12697</v>
 </b>
 </bs>
 </hist>
@@ -22514,12 +24525,12 @@
 <b>
 <a>1</a>
 <b>2</b>
-<v>686429</v>
+<v>352528</v>
 </b>
 <b>
 <a>2</a>
-<b>1367</b>
-<v>10364</v>
+<b>1207</b>
+<v>5216</v>
 </b>
 </bs>
 </hist>
@@ -22529,15 +24540,15 @@
 </relation>
 <relation>
 <name>method_location</name>
-<cardinality>1280608</cardinality>
+<cardinality>622013</cardinality>
 <columnsizes>
 <e>
 <k>id</k>
-<v>1116872</v>
+<v>549172</v>
 </e>
 <e>
 <k>loc</k>
-<v>40830</v>
+<v>15472</v>
 </e>
 </columnsizes>
 <dependencies>
@@ -22551,17 +24562,17 @@
 <b>
 <a>1</a>
 <b>2</b>
-<v>986500</v>
+<v>488331</v>
 </b>
 <b>
 <a>2</a>
 <b>3</b>
-<v>98235</v>
+<v>49469</v>
 </b>
 <b>
 <a>3</a>
 <b>119</b>
-<v>32136</v>
+<v>11371</v>
 </b>
 </bs>
 </hist>
@@ -22577,17 +24588,17 @@
 <b>
 <a>1</a>
 <b>2</b>
-<v>36218</v>
+<v>13409</v>
 </b>
 <b>
 <a>2</a>
-<b>51</b>
-<v>3078</v>
+<b>37</b>
+<v>1160</v>
 </b>
 <b>
-<a>51</a>
-<b>27729</b>
-<v>1534</v>
+<a>37</a>
+<b>23908</b>
+<v>902</v>
 </b>
 </bs>
 </hist>
@@ -22597,23 +24608,23 @@
 </relation>
 <relation>
 <name>constructors</name>
-<cardinality>277641</cardinality>
+<cardinality>138720</cardinality>
 <columnsizes>
 <e>
 <k>id</k>
-<v>277641</v>
+<v>138720</v>
 </e>
 <e>
 <k>name</k>
-<v>133465</v>
+<v>68664</v>
 </e>
 <e>
 <k>declaring_type_id</k>
-<v>211980</v>
+<v>107588</v>
 </e>
 <e>
 <k>unbound_id</k>
-<v>223250</v>
+<v>114690</v>
 </e>
 </columnsizes>
 <dependencies>
@@ -22627,7 +24638,7 @@
 <b>
 <a>1</a>
 <b>2</b>
-<v>277641</v>
+<v>138720</v>
 </b>
 </bs>
 </hist>
@@ -22643,7 +24654,7 @@
 <b>
 <a>1</a>
 <b>2</b>
-<v>277641</v>
+<v>138720</v>
 </b>
 </bs>
 </hist>
@@ -22659,7 +24670,7 @@
 <b>
 <a>1</a>
 <b>2</b>
-<v>277641</v>
+<v>138720</v>
 </b>
 </bs>
 </hist>
@@ -22675,22 +24686,22 @@
 <b>
 <a>1</a>
 <b>2</b>
-<v>102186</v>
+<v>52686</v>
 </b>
 <b>
 <a>2</a>
 <b>3</b>
-<v>19170</v>
+<v>9766</v>
 </b>
 <b>
 <a>3</a>
 <b>8</b>
-<v>10247</v>
+<v>5271</v>
 </b>
 <b>
 <a>8</a>
 <b>2183</b>
-<v>1860</v>
+<v>940</v>
 </b>
 </bs>
 </hist>
@@ -22706,17 +24717,17 @@
 <b>
 <a>1</a>
 <b>2</b>
-<v>122482</v>
+<v>63031</v>
 </b>
 <b>
 <a>2</a>
 <b>11</b>
-<v>10082</v>
+<v>5181</v>
 </b>
 <b>
 <a>11</a>
 <b>2183</b>
-<v>901</v>
+<v>451</v>
 </b>
 </bs>
 </hist>
@@ -22732,22 +24743,22 @@
 <b>
 <a>1</a>
 <b>2</b>
-<v>103067</v>
+<v>53132</v>
 </b>
 <b>
 <a>2</a>
 <b>3</b>
-<v>19326</v>
+<v>9846</v>
 </b>
 <b>
 <a>3</a>
 <b>10</b>
-<v>10087</v>
+<v>5179</v>
 </b>
 <b>
 <a>10</a>
 <b>2183</b>
-<v>983</v>
+<v>506</v>
 </b>
 </bs>
 </hist>
@@ -22763,17 +24774,17 @@
 <b>
 <a>1</a>
 <b>2</b>
-<v>179312</v>
+<v>91484</v>
 </b>
 <b>
 <a>2</a>
 <b>3</b>
-<v>19750</v>
+<v>9914</v>
 </b>
 <b>
 <a>3</a>
 <b>20</b>
-<v>12916</v>
+<v>6189</v>
 </b>
 </bs>
 </hist>
@@ -22789,7 +24800,7 @@
 <b>
 <a>1</a>
 <b>2</b>
-<v>211980</v>
+<v>107588</v>
 </b>
 </bs>
 </hist>
@@ -22805,17 +24816,17 @@
 <b>
 <a>1</a>
 <b>2</b>
-<v>179312</v>
+<v>91484</v>
 </b>
 <b>
 <a>2</a>
 <b>3</b>
-<v>19750</v>
+<v>9914</v>
 </b>
 <b>
 <a>3</a>
 <b>20</b>
-<v>12916</v>
+<v>6189</v>
 </b>
 </bs>
 </hist>
@@ -22831,12 +24842,12 @@
 <b>
 <a>1</a>
 <b>2</b>
-<v>220820</v>
+<v>113489</v>
 </b>
 <b>
 <a>2</a>
-<b>780</b>
-<v>2430</v>
+<b>612</b>
+<v>1200</v>
 </b>
 </bs>
 </hist>
@@ -22852,7 +24863,7 @@
 <b>
 <a>1</a>
 <b>2</b>
-<v>223250</v>
+<v>114690</v>
 </b>
 </bs>
 </hist>
@@ -22868,12 +24879,12 @@
 <b>
 <a>1</a>
 <b>2</b>
-<v>220820</v>
+<v>113489</v>
 </b>
 <b>
 <a>2</a>
-<b>780</b>
-<v>2430</v>
+<b>612</b>
+<v>1200</v>
 </b>
 </bs>
 </hist>
@@ -22883,15 +24894,15 @@
 </relation>
 <relation>
 <name>constructor_location</name>
-<cardinality>321369</cardinality>
+<cardinality>159509</cardinality>
 <columnsizes>
 <e>
 <k>id</k>
-<v>277641</v>
+<v>138720</v>
 </e>
 <e>
 <k>loc</k>
-<v>24772</v>
+<v>10914</v>
 </e>
 </columnsizes>
 <dependencies>
@@ -22905,17 +24916,17 @@
 <b>
 <a>1</a>
 <b>2</b>
-<v>238320</v>
+<v>120137</v>
 </b>
 <b>
 <a>2</a>
 <b>3</b>
-<v>37640</v>
+<v>17760</v>
 </b>
 <b>
 <a>3</a>
 <b>87</b>
-<v>1680</v>
+<v>822</v>
 </b>
 </bs>
 </hist>
@@ -22931,22 +24942,22 @@
 <b>
 <a>1</a>
 <b>2</b>
-<v>19000</v>
+<v>8122</v>
 </b>
 <b>
 <a>2</a>
 <b>3</b>
-<v>3180</v>
+<v>1484</v>
 </b>
 <b>
 <a>3</a>
-<b>59</b>
-<v>1865</v>
+<b>38</b>
+<v>819</v>
 </b>
 <b>
-<a>59</a>
-<b>4796</b>
-<v>725</v>
+<a>38</a>
+<b>3935</b>
+<v>488</v>
 </b>
 </bs>
 </hist>
@@ -22956,23 +24967,23 @@
 </relation>
 <relation>
 <name>destructors</name>
-<cardinality>443</cardinality>
+<cardinality>225</cardinality>
 <columnsizes>
 <e>
 <k>id</k>
-<v>443</v>
+<v>225</v>
 </e>
 <e>
 <k>name</k>
-<v>414</v>
+<v>213</v>
 </e>
 <e>
 <k>declaring_type_id</k>
-<v>443</v>
+<v>225</v>
 </e>
 <e>
 <k>unbound_id</k>
-<v>428</v>
+<v>220</v>
 </e>
 </columnsizes>
 <dependencies>
@@ -22986,7 +24997,7 @@
 <b>
 <a>1</a>
 <b>2</b>
-<v>443</v>
+<v>225</v>
 </b>
 </bs>
 </hist>
@@ -23002,7 +25013,7 @@
 <b>
 <a>1</a>
 <b>2</b>
-<v>443</v>
+<v>225</v>
 </b>
 </bs>
 </hist>
@@ -23018,7 +25029,7 @@
 <b>
 <a>1</a>
 <b>2</b>
-<v>443</v>
+<v>225</v>
 </b>
 </bs>
 </hist>
@@ -23034,12 +25045,12 @@
 <b>
 <a>1</a>
 <b>2</b>
-<v>394</v>
+<v>203</v>
 </b>
 <b>
 <a>2</a>
 <b>4</b>
-<v>19</v>
+<v>10</v>
 </b>
 </bs>
 </hist>
@@ -23055,12 +25066,12 @@
 <b>
 <a>1</a>
 <b>2</b>
-<v>394</v>
+<v>203</v>
 </b>
 <b>
 <a>2</a>
 <b>4</b>
-<v>19</v>
+<v>10</v>
 </b>
 </bs>
 </hist>
@@ -23076,12 +25087,12 @@
 <b>
 <a>1</a>
 <b>2</b>
-<v>399</v>
+<v>205</v>
 </b>
 <b>
 <a>2</a>
 <b>3</b>
-<v>14</v>
+<v>7</v>
 </b>
 </bs>
 </hist>
@@ -23097,7 +25108,7 @@
 <b>
 <a>1</a>
 <b>2</b>
-<v>443</v>
+<v>225</v>
 </b>
 </bs>
 </hist>
@@ -23113,7 +25124,7 @@
 <b>
 <a>1</a>
 <b>2</b>
-<v>443</v>
+<v>225</v>
 </b>
 </bs>
 </hist>
@@ -23129,7 +25140,7 @@
 <b>
 <a>1</a>
 <b>2</b>
-<v>443</v>
+<v>225</v>
 </b>
 </bs>
 </hist>
@@ -23145,12 +25156,12 @@
 <b>
 <a>1</a>
 <b>2</b>
-<v>418</v>
+<v>218</v>
 </b>
 <b>
-<a>2</a>
+<a>3</a>
 <b>4</b>
-<v>9</v>
+<v>2</v>
 </b>
 </bs>
 </hist>
@@ -23166,7 +25177,7 @@
 <b>
 <a>1</a>
 <b>2</b>
-<v>428</v>
+<v>220</v>
 </b>
 </bs>
 </hist>
@@ -23182,12 +25193,12 @@
 <b>
 <a>1</a>
 <b>2</b>
-<v>418</v>
+<v>218</v>
 </b>
 <b>
-<a>2</a>
+<a>3</a>
 <b>4</b>
-<v>9</v>
+<v>2</v>
 </b>
 </bs>
 </hist>
@@ -23197,15 +25208,15 @@
 </relation>
 <relation>
 <name>destructor_location</name>
-<cardinality>662</cardinality>
+<cardinality>494</cardinality>
 <columnsizes>
 <e>
 <k>id</k>
-<v>165</v>
+<v>125</v>
 </e>
 <e>
 <k>loc</k>
-<v>330</v>
+<v>230</v>
 </e>
 </columnsizes>
 <dependencies>
@@ -23219,47 +25230,42 @@
 <b>
 <a>1</a>
 <b>2</b>
-<v>32</v>
+<v>34</v>
 </b>
 <b>
 <a>2</a>
 <b>3</b>
-<v>44</v>
+<v>17</v>
 </b>
 <b>
 <a>3</a>
 <b>4</b>
-<v>9</v>
+<v>6</v>
 </b>
 <b>
 <a>4</a>
 <b>5</b>
-<v>16</v>
+<v>14</v>
 </b>
 <b>
 <a>5</a>
 <b>6</b>
-<v>6</v>
+<v>17</v>
 </b>
 <b>
 <a>6</a>
 <b>7</b>
-<v>29</v>
+<v>13</v>
 </b>
 <b>
 <a>7</a>
 <b>9</b>
-<v>12</v>
+<v>9</v>
 </b>
 <b>
 <a>9</a>
 <b>11</b>
-<v>12</v>
-</b>
-<b>
-<a>11</a>
-<b>12</b>
-<v>1</v>
+<v>10</v>
 </b>
 </bs>
 </hist>
@@ -23275,22 +25281,27 @@
 <b>
 <a>1</a>
 <b>2</b>
-<v>260</v>
+<v>175</v>
 </b>
 <b>
 <a>2</a>
 <b>3</b>
-<v>19</v>
+<v>14</v>
 </b>
 <b>
 <a>3</a>
-<b>5</b>
-<v>28</v>
+<b>4</b>
+<v>12</v>
 </b>
 <b>
-<a>5</a>
-<b>27</b>
-<v>21</v>
+<a>4</a>
+<b>9</b>
+<v>19</v>
+</b>
+<b>
+<a>9</a>
+<b>26</b>
+<v>8</v>
 </b>
 </bs>
 </hist>
@@ -23300,15 +25311,15 @@
 </relation>
 <relation>
 <name>overrides</name>
-<cardinality>273929</cardinality>
+<cardinality>140510</cardinality>
 <columnsizes>
 <e>
 <k>id</k>
-<v>273905</v>
+<v>140498</v>
 </e>
 <e>
 <k>base_id</k>
-<v>65402</v>
+<v>33661</v>
 </e>
 </columnsizes>
 <dependencies>
@@ -23322,12 +25333,12 @@
 <b>
 <a>1</a>
 <b>2</b>
-<v>273881</v>
+<v>140485</v>
 </b>
 <b>
 <a>2</a>
 <b>3</b>
-<v>24</v>
+<v>12</v>
 </b>
 </bs>
 </hist>
@@ -23343,32 +25354,32 @@
 <b>
 <a>1</a>
 <b>2</b>
-<v>40250</v>
+<v>20716</v>
 </b>
 <b>
 <a>2</a>
 <b>3</b>
-<v>10471</v>
+<v>5389</v>
 </b>
 <b>
 <a>3</a>
 <b>4</b>
-<v>4286</v>
+<v>2206</v>
 </b>
 <b>
 <a>4</a>
 <b>7</b>
-<v>5338</v>
+<v>2752</v>
 </b>
 <b>
 <a>7</a>
-<b>184</b>
-<v>4909</v>
+<b>216</b>
+<v>2526</v>
 </b>
 <b>
-<a>215</a>
-<b>1329</b>
-<v>146</v>
+<a>217</a>
+<b>1317</b>
+<v>70</v>
 </b>
 </bs>
 </hist>
@@ -23378,15 +25389,15 @@
 </relation>
 <relation>
 <name>explicitly_implements</name>
-<cardinality>155943</cardinality>
+<cardinality>74568</cardinality>
 <columnsizes>
 <e>
 <k>id</k>
-<v>155943</v>
+<v>74568</v>
 </e>
 <e>
 <k>interface_id</k>
-<v>13282</v>
+<v>6111</v>
 </e>
 </columnsizes>
 <dependencies>
@@ -23400,7 +25411,7 @@
 <b>
 <a>1</a>
 <b>2</b>
-<v>155943</v>
+<v>74568</v>
 </b>
 </bs>
 </hist>
@@ -23416,37 +25427,37 @@
 <b>
 <a>1</a>
 <b>2</b>
-<v>6770</v>
+<v>3171</v>
 </b>
 <b>
 <a>2</a>
 <b>3</b>
-<v>2488</v>
+<v>1057</v>
 </b>
 <b>
 <a>3</a>
 <b>4</b>
-<v>1183</v>
+<v>604</v>
 </b>
 <b>
 <a>4</a>
 <b>5</b>
-<v>457</v>
+<v>210</v>
 </b>
 <b>
 <a>5</a>
 <b>7</b>
-<v>1207</v>
+<v>491</v>
 </b>
 <b>
 <a>7</a>
-<b>58</b>
-<v>998</v>
+<b>41</b>
+<v>458</v>
 </b>
 <b>
-<a>58</a>
+<a>42</a>
 <b>7851</b>
-<v>175</v>
+<v>117</v>
 </b>
 </bs>
 </hist>
@@ -23456,23 +25467,23 @@
 </relation>
 <relation>
 <name>local_functions</name>
-<cardinality>1801</cardinality>
+<cardinality>488</cardinality>
 <columnsizes>
 <e>
 <k>id</k>
-<v>1801</v>
+<v>488</v>
 </e>
 <e>
 <k>name</k>
-<v>1034</v>
+<v>271</v>
 </e>
 <e>
 <k>return_type</k>
-<v>184</v>
+<v>47</v>
 </e>
 <e>
 <k>unbound_id</k>
-<v>1792</v>
+<v>488</v>
 </e>
 </columnsizes>
 <dependencies>
@@ -23486,7 +25497,7 @@
 <b>
 <a>1</a>
 <b>2</b>
-<v>1801</v>
+<v>488</v>
 </b>
 </bs>
 </hist>
@@ -23502,7 +25513,7 @@
 <b>
 <a>1</a>
 <b>2</b>
-<v>1801</v>
+<v>488</v>
 </b>
 </bs>
 </hist>
@@ -23518,7 +25529,7 @@
 <b>
 <a>1</a>
 <b>2</b>
-<v>1801</v>
+<v>488</v>
 </b>
 </bs>
 </hist>
@@ -23534,177 +25545,21 @@
 <b>
 <a>1</a>
 <b>2</b>
-<v>892</v>
+<v>227</v>
 </b>
 <b>
 <a>2</a>
 <b>3</b>
-<v>80</v>
+<v>18</v>
 </b>
 <b>
 <a>3</a>
-<b>137</b>
-<v>62</v>
-</b>
-</bs>
-</hist>
-</val>
-</dep>
-<dep>
-<src>name</src>
-<trg>return_type</trg>
-<val>
-<hist>
-<budget>12</budget>
-<bs>
-<b>
-<a>1</a>
-<b>2</b>
-<v>1026</v>
+<b>14</b>
+<v>22</v>
 </b>
 <b>
-<a>2</a>
-<b>4</b>
-<v>8</v>
-</b>
-</bs>
-</hist>
-</val>
-</dep>
-<dep>
-<src>name</src>
-<trg>unbound_id</trg>
-<val>
-<hist>
-<budget>12</budget>
-<bs>
-<b>
-<a>1</a>
-<b>2</b>
-<v>894</v>
-</b>
-<b>
-<a>2</a>
-<b>3</b>
-<v>82</v>
-</b>
-<b>
-<a>3</a>
-<b>137</b>
-<v>58</v>
-</b>
-</bs>
-</hist>
-</val>
-</dep>
-<dep>
-<src>return_type</src>
-<trg>id</trg>
-<val>
-<hist>
-<budget>12</budget>
-<bs>
-<b>
-<a>1</a>
-<b>2</b>
-<v>128</v>
-</b>
-<b>
-<a>2</a>
-<b>3</b>
-<v>29</v>
-</b>
-<b>
-<a>3</a>
-<b>7</b>
-<v>15</v>
-</b>
-<b>
-<a>7</a>
-<b>1134</b>
-<v>12</v>
-</b>
-</bs>
-</hist>
-</val>
-</dep>
-<dep>
-<src>return_type</src>
-<trg>name</trg>
-<val>
-<hist>
-<budget>12</budget>
-<bs>
-<b>
-<a>1</a>
-<b>2</b>
-<v>136</v>
-</b>
-<b>
-<a>2</a>
-<b>3</b>
-<v>25</v>
-</b>
-<b>
-<a>3</a>
-<b>9</b>
-<v>14</v>
-</b>
-<b>
-<a>9</a>
-<b>427</b>
-<v>9</v>
-</b>
-</bs>
-</hist>
-</val>
-</dep>
-<dep>
-<src>return_type</src>
-<trg>unbound_id</trg>
-<val>
-<hist>
-<budget>12</budget>
-<bs>
-<b>
-<a>1</a>
-<b>2</b>
-<v>128</v>
-</b>
-<b>
-<a>2</a>
-<b>3</b>
-<v>30</v>
-</b>
-<b>
-<a>3</a>
-<b>7</b>
-<v>14</v>
-</b>
-<b>
-<a>7</a>
-<b>1132</b>
-<v>12</v>
-</b>
-</bs>
-</hist>
-</val>
-</dep>
-<dep>
-<src>unbound_id</src>
-<trg>id</trg>
-<val>
-<hist>
-<budget>12</budget>
-<bs>
-<b>
-<a>1</a>
-<b>2</b>
-<v>1788</v>
-</b>
-<b>
-<a>3</a>
-<b>5</b>
+<a>14</a>
+<b>38</b>
 <v>4</v>
 </b>
 </bs>
@@ -23712,6 +25567,177 @@
 </val>
 </dep>
 <dep>
+<src>name</src>
+<trg>return_type</trg>
+<val>
+<hist>
+<budget>12</budget>
+<bs>
+<b>
+<a>1</a>
+<b>2</b>
+<v>269</v>
+</b>
+<b>
+<a>2</a>
+<b>3</b>
+<v>2</v>
+</b>
+</bs>
+</hist>
+</val>
+</dep>
+<dep>
+<src>name</src>
+<trg>unbound_id</trg>
+<val>
+<hist>
+<budget>12</budget>
+<bs>
+<b>
+<a>1</a>
+<b>2</b>
+<v>227</v>
+</b>
+<b>
+<a>2</a>
+<b>3</b>
+<v>18</v>
+</b>
+<b>
+<a>3</a>
+<b>14</b>
+<v>22</v>
+</b>
+<b>
+<a>14</a>
+<b>38</b>
+<v>4</v>
+</b>
+</bs>
+</hist>
+</val>
+</dep>
+<dep>
+<src>return_type</src>
+<trg>id</trg>
+<val>
+<hist>
+<budget>12</budget>
+<bs>
+<b>
+<a>1</a>
+<b>2</b>
+<v>30</v>
+</b>
+<b>
+<a>2</a>
+<b>3</b>
+<v>7</v>
+</b>
+<b>
+<a>3</a>
+<b>4</b>
+<v>3</v>
+</b>
+<b>
+<a>4</a>
+<b>11</b>
+<v>4</v>
+</b>
+<b>
+<a>26</a>
+<b>336</b>
+<v>3</v>
+</b>
+</bs>
+</hist>
+</val>
+</dep>
+<dep>
+<src>return_type</src>
+<trg>name</trg>
+<val>
+<hist>
+<budget>12</budget>
+<bs>
+<b>
+<a>1</a>
+<b>2</b>
+<v>33</v>
+</b>
+<b>
+<a>2</a>
+<b>3</b>
+<v>7</v>
+</b>
+<b>
+<a>3</a>
+<b>6</b>
+<v>4</v>
+</b>
+<b>
+<a>26</a>
+<b>136</b>
+<v>3</v>
+</b>
+</bs>
+</hist>
+</val>
+</dep>
+<dep>
+<src>return_type</src>
+<trg>unbound_id</trg>
+<val>
+<hist>
+<budget>12</budget>
+<bs>
+<b>
+<a>1</a>
+<b>2</b>
+<v>30</v>
+</b>
+<b>
+<a>2</a>
+<b>3</b>
+<v>7</v>
+</b>
+<b>
+<a>3</a>
+<b>4</b>
+<v>3</v>
+</b>
+<b>
+<a>4</a>
+<b>11</b>
+<v>4</v>
+</b>
+<b>
+<a>26</a>
+<b>336</b>
+<v>3</v>
+</b>
+</bs>
+</hist>
+</val>
+</dep>
+<dep>
+<src>unbound_id</src>
+<trg>id</trg>
+<val>
+<hist>
+<budget>12</budget>
+<bs>
+<b>
+<a>1</a>
+<b>2</b>
+<v>488</v>
+</b>
+</bs>
+</hist>
+</val>
+</dep>
+<dep>
 <src>unbound_id</src>
 <trg>name</trg>
 <val>
@@ -23721,7 +25747,7 @@
 <b>
 <a>1</a>
 <b>2</b>
-<v>1792</v>
+<v>488</v>
 </b>
 </bs>
 </hist>
@@ -23737,12 +25763,7 @@
 <b>
 <a>1</a>
 <b>2</b>
-<v>1791</v>
-</b>
-<b>
-<a>3</a>
-<b>4</b>
-<v>1</v>
+<v>488</v>
 </b>
 </bs>
 </hist>
@@ -23752,15 +25773,15 @@
 </relation>
 <relation>
 <name>local_function_stmts</name>
-<cardinality>1792</cardinality>
+<cardinality>488</cardinality>
 <columnsizes>
 <e>
 <k>fn</k>
-<v>1792</v>
+<v>488</v>
 </e>
 <e>
 <k>stmt</k>
-<v>1792</v>
+<v>488</v>
 </e>
 </columnsizes>
 <dependencies>
@@ -23774,7 +25795,7 @@
 <b>
 <a>1</a>
 <b>2</b>
-<v>1792</v>
+<v>488</v>
 </b>
 </bs>
 </hist>
@@ -23790,7 +25811,7 @@
 <b>
 <a>1</a>
 <b>2</b>
-<v>1792</v>
+<v>488</v>
 </b>
 </bs>
 </hist>
@@ -23800,31 +25821,31 @@
 </relation>
 <relation>
 <name>fields</name>
-<cardinality>555686</cardinality>
+<cardinality>283465</cardinality>
 <columnsizes>
 <e>
 <k>id</k>
-<v>555686</v>
+<v>283465</v>
 </e>
 <e>
 <k>kind</k>
-<v>9</v>
+<v>5</v>
 </e>
 <e>
 <k>name</k>
-<v>218219</v>
+<v>111604</v>
 </e>
 <e>
 <k>declaring_type_id</k>
-<v>103579</v>
+<v>52465</v>
 </e>
 <e>
 <k>type_id</k>
-<v>89512</v>
+<v>45611</v>
 </e>
 <e>
 <k>unbound_id</k>
-<v>547991</v>
+<v>279953</v>
 </e>
 </columnsizes>
 <dependencies>
@@ -23838,7 +25859,7 @@
 <b>
 <a>1</a>
 <b>2</b>
-<v>555686</v>
+<v>283465</v>
 </b>
 </bs>
 </hist>
@@ -23854,7 +25875,7 @@
 <b>
 <a>1</a>
 <b>2</b>
-<v>555686</v>
+<v>283465</v>
 </b>
 </bs>
 </hist>
@@ -23870,7 +25891,7 @@
 <b>
 <a>1</a>
 <b>2</b>
-<v>555686</v>
+<v>283465</v>
 </b>
 </bs>
 </hist>
@@ -23886,7 +25907,7 @@
 <b>
 <a>1</a>
 <b>2</b>
-<v>555686</v>
+<v>283465</v>
 </b>
 </bs>
 </hist>
@@ -23902,7 +25923,7 @@
 <b>
 <a>1</a>
 <b>2</b>
-<v>555686</v>
+<v>283465</v>
 </b>
 </bs>
 </hist>
@@ -23916,14 +25937,14 @@
 <budget>12</budget>
 <bs>
 <b>
-<a>38027</a>
-<b>38028</b>
-<v>4</v>
+<a>37974</a>
+<b>37975</b>
+<v>2</v>
 </b>
 <b>
-<a>76062</a>
-<b>76063</b>
-<v>4</v>
+<a>75103</a>
+<b>75104</b>
+<v>2</v>
 </b>
 </bs>
 </hist>
@@ -23937,14 +25958,14 @@
 <budget>12</budget>
 <bs>
 <b>
-<a>17662</a>
-<b>17663</b>
-<v>4</v>
+<a>17417</a>
+<b>17418</b>
+<v>2</v>
 </b>
 <b>
-<a>29062</a>
-<b>29063</b>
-<v>4</v>
+<a>29019</a>
+<b>29020</b>
+<v>2</v>
 </b>
 </bs>
 </hist>
@@ -23958,14 +25979,14 @@
 <budget>12</budget>
 <bs>
 <b>
-<a>3335</a>
-<b>3336</b>
-<v>4</v>
+<a>3310</a>
+<b>3311</b>
+<v>2</v>
 </b>
 <b>
-<a>18155</a>
-<b>18156</b>
-<v>4</v>
+<a>17817</a>
+<b>17818</b>
+<v>2</v>
 </b>
 </bs>
 </hist>
@@ -23981,12 +26002,12 @@
 <b>
 <a>2463</a>
 <b>2464</b>
-<v>4</v>
+<v>2</v>
 </b>
 <b>
-<a>16366</a>
-<b>16367</b>
-<v>4</v>
+<a>16181</a>
+<b>16182</b>
+<v>2</v>
 </b>
 </bs>
 </hist>
@@ -24000,14 +26021,14 @@
 <budget>12</budget>
 <bs>
 <b>
-<a>38015</a>
-<b>38016</b>
-<v>4</v>
+<a>37962</a>
+<b>37963</b>
+<v>2</v>
 </b>
 <b>
-<a>74494</a>
-<b>74495</b>
-<v>4</v>
+<a>73714</a>
+<b>73715</b>
+<v>2</v>
 </b>
 </bs>
 </hist>
@@ -24023,131 +26044,131 @@
 <b>
 <a>1</a>
 <b>2</b>
-<v>176171</v>
+<v>90218</v>
 </b>
 <b>
 <a>2</a>
 <b>3</b>
-<v>22565</v>
-</b>
-<b>
-<a>3</a>
-<b>14</b>
-<v>16555</v>
-</b>
-<b>
-<a>14</a>
-<b>4800</b>
-<v>2927</v>
-</b>
-</bs>
-</hist>
-</val>
-</dep>
-<dep>
-<src>name</src>
-<trg>kind</trg>
-<val>
-<hist>
-<budget>12</budget>
-<bs>
-<b>
-<a>1</a>
-<b>2</b>
-<v>208862</v>
-</b>
-<b>
-<a>2</a>
-<b>3</b>
-<v>9356</v>
-</b>
-</bs>
-</hist>
-</val>
-</dep>
-<dep>
-<src>name</src>
-<trg>declaring_type_id</trg>
-<val>
-<hist>
-<budget>12</budget>
-<bs>
-<b>
-<a>1</a>
-<b>2</b>
-<v>176195</v>
-</b>
-<b>
-<a>2</a>
-<b>3</b>
-<v>22551</v>
-</b>
-<b>
-<a>3</a>
-<b>14</b>
-<v>16545</v>
-</b>
-<b>
-<a>14</a>
-<b>4800</b>
-<v>2927</v>
-</b>
-</bs>
-</hist>
-</val>
-</dep>
-<dep>
-<src>name</src>
-<trg>type_id</trg>
-<val>
-<hist>
-<budget>12</budget>
-<bs>
-<b>
-<a>1</a>
-<b>2</b>
-<v>188678</v>
-</b>
-<b>
-<a>2</a>
-<b>3</b>
-<v>17656</v>
-</b>
-<b>
-<a>3</a>
-<b>2459</b>
-<v>11884</v>
-</b>
-</bs>
-</hist>
-</val>
-</dep>
-<dep>
-<src>name</src>
-<trg>unbound_id</trg>
-<val>
-<hist>
-<budget>12</budget>
-<bs>
-<b>
-<a>1</a>
-<b>2</b>
-<v>176560</v>
-</b>
-<b>
-<a>2</a>
-<b>3</b>
-<v>22570</v>
+<v>11538</v>
 </b>
 <b>
 <a>3</a>
 <b>15</b>
-<v>16472</v>
+<v>8500</v>
 </b>
 <b>
 <a>15</a>
 <b>4800</b>
-<v>2615</v>
+<v>1346</v>
+</b>
+</bs>
+</hist>
+</val>
+</dep>
+<dep>
+<src>name</src>
+<trg>kind</trg>
+<val>
+<hist>
+<budget>12</budget>
+<bs>
+<b>
+<a>1</a>
+<b>2</b>
+<v>106801</v>
+</b>
+<b>
+<a>2</a>
+<b>3</b>
+<v>4803</v>
+</b>
+</bs>
+</hist>
+</val>
+</dep>
+<dep>
+<src>name</src>
+<trg>declaring_type_id</trg>
+<val>
+<hist>
+<budget>12</budget>
+<bs>
+<b>
+<a>1</a>
+<b>2</b>
+<v>90231</v>
+</b>
+<b>
+<a>2</a>
+<b>3</b>
+<v>11531</v>
+</b>
+<b>
+<a>3</a>
+<b>15</b>
+<v>8498</v>
+</b>
+<b>
+<a>15</a>
+<b>4800</b>
+<v>1343</v>
+</b>
+</bs>
+</hist>
+</val>
+</dep>
+<dep>
+<src>name</src>
+<trg>type_id</trg>
+<val>
+<hist>
+<budget>12</budget>
+<bs>
+<b>
+<a>1</a>
+<b>2</b>
+<v>96495</v>
+</b>
+<b>
+<a>2</a>
+<b>3</b>
+<v>9032</v>
+</b>
+<b>
+<a>3</a>
+<b>2459</b>
+<v>6076</v>
+</b>
+</bs>
+</hist>
+</val>
+</dep>
+<dep>
+<src>name</src>
+<trg>unbound_id</trg>
+<val>
+<hist>
+<budget>12</budget>
+<bs>
+<b>
+<a>1</a>
+<b>2</b>
+<v>90406</v>
+</b>
+<b>
+<a>2</a>
+<b>3</b>
+<v>11536</v>
+</b>
+<b>
+<a>3</a>
+<b>16</b>
+<v>8412</v>
+</b>
+<b>
+<a>16</a>
+<b>4800</b>
+<v>1248</v>
 </b>
 </bs>
 </hist>
@@ -24163,42 +26184,42 @@
 <b>
 <a>1</a>
 <b>2</b>
-<v>27319</v>
+<v>13760</v>
 </b>
 <b>
 <a>2</a>
 <b>3</b>
-<v>21148</v>
+<v>10719</v>
 </b>
 <b>
 <a>3</a>
 <b>4</b>
-<v>12571</v>
+<v>6297</v>
 </b>
 <b>
 <a>4</a>
 <b>5</b>
-<v>10101</v>
+<v>5139</v>
 </b>
 <b>
 <a>5</a>
 <b>6</b>
-<v>7934</v>
+<v>4061</v>
 </b>
 <b>
 <a>6</a>
 <b>8</b>
-<v>9273</v>
+<v>4712</v>
 </b>
 <b>
 <a>8</a>
 <b>12</b>
-<v>8148</v>
+<v>4143</v>
 </b>
 <b>
 <a>12</a>
 <b>4204</b>
-<v>7081</v>
+<v>3632</v>
 </b>
 </bs>
 </hist>
@@ -24214,12 +26235,12 @@
 <b>
 <a>1</a>
 <b>2</b>
-<v>102488</v>
+<v>51969</v>
 </b>
 <b>
 <a>2</a>
 <b>3</b>
-<v>1091</v>
+<v>496</v>
 </b>
 </bs>
 </hist>
@@ -24235,42 +26256,42 @@
 <b>
 <a>1</a>
 <b>2</b>
-<v>27319</v>
+<v>13760</v>
 </b>
 <b>
 <a>2</a>
 <b>3</b>
-<v>21153</v>
+<v>10721</v>
 </b>
 <b>
 <a>3</a>
 <b>4</b>
-<v>12575</v>
+<v>6299</v>
 </b>
 <b>
 <a>4</a>
 <b>5</b>
-<v>10096</v>
+<v>5136</v>
 </b>
 <b>
 <a>5</a>
 <b>6</b>
-<v>7934</v>
+<v>4061</v>
 </b>
 <b>
 <a>6</a>
 <b>8</b>
-<v>9278</v>
+<v>4715</v>
 </b>
 <b>
 <a>8</a>
 <b>12</b>
-<v>8148</v>
+<v>4143</v>
 </b>
 <b>
 <a>12</a>
 <b>4204</b>
-<v>7072</v>
+<v>3627</v>
 </b>
 </bs>
 </hist>
@@ -24286,37 +26307,37 @@
 <b>
 <a>1</a>
 <b>2</b>
-<v>44527</v>
+<v>22594</v>
 </b>
 <b>
 <a>2</a>
 <b>3</b>
-<v>21201</v>
+<v>10699</v>
 </b>
 <b>
 <a>3</a>
 <b>4</b>
-<v>9434</v>
+<v>4720</v>
 </b>
 <b>
 <a>4</a>
 <b>5</b>
-<v>7364</v>
+<v>3742</v>
 </b>
 <b>
 <a>5</a>
 <b>6</b>
-<v>6161</v>
+<v>3141</v>
 </b>
 <b>
 <a>6</a>
-<b>9</b>
-<v>9590</v>
+<b>8</b>
+<v>3675</v>
 </b>
 <b>
-<a>9</a>
+<a>8</a>
 <b>132</b>
-<v>5299</v>
+<v>3893</v>
 </b>
 </bs>
 </hist>
@@ -24332,42 +26353,42 @@
 <b>
 <a>1</a>
 <b>2</b>
-<v>27319</v>
+<v>13760</v>
 </b>
 <b>
 <a>2</a>
 <b>3</b>
-<v>21148</v>
+<v>10719</v>
 </b>
 <b>
 <a>3</a>
 <b>4</b>
-<v>12571</v>
+<v>6297</v>
 </b>
 <b>
 <a>4</a>
 <b>5</b>
-<v>10101</v>
+<v>5139</v>
 </b>
 <b>
 <a>5</a>
 <b>6</b>
-<v>7934</v>
+<v>4061</v>
 </b>
 <b>
 <a>6</a>
 <b>8</b>
-<v>9273</v>
+<v>4712</v>
 </b>
 <b>
 <a>8</a>
 <b>12</b>
-<v>8148</v>
+<v>4143</v>
 </b>
 <b>
 <a>12</a>
 <b>4204</b>
-<v>7081</v>
+<v>3632</v>
 </b>
 </bs>
 </hist>
@@ -24383,32 +26404,32 @@
 <b>
 <a>1</a>
 <b>2</b>
-<v>55798</v>
+<v>28425</v>
 </b>
 <b>
 <a>2</a>
 <b>3</b>
-<v>10881</v>
+<v>5530</v>
 </b>
 <b>
 <a>3</a>
 <b>4</b>
-<v>6210</v>
+<v>3193</v>
 </b>
 <b>
 <a>4</a>
 <b>7</b>
-<v>7968</v>
+<v>4046</v>
 </b>
 <b>
 <a>7</a>
-<b>27</b>
-<v>6789</v>
+<b>26</b>
+<v>3421</v>
 </b>
 <b>
-<a>27</a>
-<b>9290</b>
-<v>1865</v>
+<a>26</a>
+<b>9160</b>
+<v>995</v>
 </b>
 </bs>
 </hist>
@@ -24424,12 +26445,12 @@
 <b>
 <a>1</a>
 <b>2</b>
-<v>87316</v>
+<v>44486</v>
 </b>
 <b>
 <a>2</a>
 <b>3</b>
-<v>2196</v>
+<v>1125</v>
 </b>
 </bs>
 </hist>
@@ -24445,27 +26466,27 @@
 <b>
 <a>1</a>
 <b>2</b>
-<v>63727</v>
+<v>32473</v>
 </b>
 <b>
 <a>2</a>
 <b>3</b>
-<v>9317</v>
+<v>4712</v>
 </b>
 <b>
 <a>3</a>
 <b>5</b>
-<v>7885</v>
+<v>4020</v>
 </b>
 <b>
 <a>5</a>
-<b>18</b>
-<v>6838</v>
+<b>17</b>
+<v>3436</v>
 </b>
 <b>
-<a>18</a>
-<b>5213</b>
-<v>1743</v>
+<a>17</a>
+<b>5144</b>
+<v>967</v>
 </b>
 </bs>
 </hist>
@@ -24481,22 +26502,22 @@
 <b>
 <a>1</a>
 <b>2</b>
-<v>68310</v>
+<v>34857</v>
 </b>
 <b>
 <a>2</a>
 <b>3</b>
-<v>10038</v>
+<v>5091</v>
 </b>
 <b>
 <a>3</a>
 <b>7</b>
-<v>7232</v>
+<v>3680</v>
 </b>
 <b>
 <a>7</a>
-<b>5746</b>
-<v>3930</v>
+<b>5706</b>
+<v>1982</v>
 </b>
 </bs>
 </hist>
@@ -24512,32 +26533,32 @@
 <b>
 <a>1</a>
 <b>2</b>
-<v>55841</v>
+<v>28445</v>
 </b>
 <b>
 <a>2</a>
 <b>3</b>
-<v>11207</v>
+<v>5693</v>
 </b>
 <b>
 <a>3</a>
 <b>4</b>
-<v>5922</v>
+<v>3050</v>
 </b>
 <b>
 <a>4</a>
 <b>7</b>
-<v>7944</v>
+<v>4033</v>
 </b>
 <b>
 <a>7</a>
 <b>27</b>
-<v>6745</v>
+<v>3441</v>
 </b>
 <b>
 <a>27</a>
-<b>9185</b>
-<v>1850</v>
+<b>9081</b>
+<v>947</v>
 </b>
 </bs>
 </hist>
@@ -24553,12 +26574,12 @@
 <b>
 <a>1</a>
 <b>2</b>
-<v>547080</v>
+<v>279539</v>
 </b>
 <b>
 <a>2</a>
-<b>234</b>
-<v>910</v>
+<b>210</b>
+<v>413</v>
 </b>
 </bs>
 </hist>
@@ -24574,7 +26595,7 @@
 <b>
 <a>1</a>
 <b>2</b>
-<v>547991</v>
+<v>279953</v>
 </b>
 </bs>
 </hist>
@@ -24590,7 +26611,7 @@
 <b>
 <a>1</a>
 <b>2</b>
-<v>547991</v>
+<v>279953</v>
 </b>
 </bs>
 </hist>
@@ -24606,12 +26627,12 @@
 <b>
 <a>1</a>
 <b>2</b>
-<v>547080</v>
+<v>279539</v>
 </b>
 <b>
 <a>2</a>
-<b>234</b>
-<v>910</v>
+<b>210</b>
+<v>413</v>
 </b>
 </bs>
 </hist>
@@ -24627,12 +26648,12 @@
 <b>
 <a>1</a>
 <b>2</b>
-<v>547494</v>
+<v>279717</v>
 </b>
 <b>
 <a>2</a>
 <b>138</b>
-<v>496</v>
+<v>235</v>
 </b>
 </bs>
 </hist>
@@ -24642,15 +26663,15 @@
 </relation>
 <relation>
 <name>field_location</name>
-<cardinality>636442</cardinality>
+<cardinality>321998</cardinality>
 <columnsizes>
 <e>
 <k>id</k>
-<v>548322</v>
+<v>279660</v>
 </e>
 <e>
 <k>loc</k>
-<v>52846</v>
+<v>24689</v>
 </e>
 </columnsizes>
 <dependencies>
@@ -24664,17 +26685,17 @@
 <b>
 <a>1</a>
 <b>2</b>
-<v>466217</v>
+<v>240001</v>
 </b>
 <b>
 <a>2</a>
 <b>3</b>
-<v>78095</v>
+<v>37935</v>
 </b>
 <b>
 <a>3</a>
 <b>57</b>
-<v>4008</v>
+<v>1722</v>
 </b>
 </bs>
 </hist>
@@ -24690,12 +26711,12 @@
 <b>
 <a>1</a>
 <b>2</b>
-<v>49339</v>
+<v>23072</v>
 </b>
 <b>
 <a>2</a>
 <b>8882</b>
-<v>3506</v>
+<v>1616</v>
 </b>
 </bs>
 </hist>
@@ -24705,11 +26726,11 @@
 </relation>
 <relation>
 <name>localvars</name>
-<cardinality>163269</cardinality>
+<cardinality>72963</cardinality>
 <columnsizes>
 <e>
 <k>id</k>
-<v>163269</v>
+<v>72963</v>
 </e>
 <e>
 <k>kind</k>
@@ -24717,7 +26738,7 @@
 </e>
 <e>
 <k>name</k>
-<v>22591</v>
+<v>9135</v>
 </e>
 <e>
 <k>implicitly_typed</k>
@@ -24725,11 +26746,11 @@
 </e>
 <e>
 <k>type_id</k>
-<v>7298</v>
+<v>3535</v>
 </e>
 <e>
 <k>parent_id</k>
-<v>163269</v>
+<v>72963</v>
 </e>
 </columnsizes>
 <dependencies>
@@ -24743,7 +26764,7 @@
 <b>
 <a>1</a>
 <b>2</b>
-<v>163269</v>
+<v>72963</v>
 </b>
 </bs>
 </hist>
@@ -24759,7 +26780,7 @@
 <b>
 <a>1</a>
 <b>2</b>
-<v>163269</v>
+<v>72963</v>
 </b>
 </bs>
 </hist>
@@ -24775,7 +26796,7 @@
 <b>
 <a>1</a>
 <b>2</b>
-<v>163269</v>
+<v>72963</v>
 </b>
 </bs>
 </hist>
@@ -24791,7 +26812,7 @@
 <b>
 <a>1</a>
 <b>2</b>
-<v>163269</v>
+<v>72963</v>
 </b>
 </bs>
 </hist>
@@ -24807,7 +26828,7 @@
 <b>
 <a>1</a>
 <b>2</b>
-<v>163269</v>
+<v>72963</v>
 </b>
 </bs>
 </hist>
@@ -24821,18 +26842,18 @@
 <budget>12</budget>
 <bs>
 <b>
-<a>18</a>
-<b>19</b>
+<a>3</a>
+<b>4</b>
 <v>1</v>
 </b>
 <b>
-<a>799</a>
-<b>800</b>
+<a>373</a>
+<b>374</b>
 <v>1</v>
 </b>
 <b>
-<a>162452</a>
-<b>162453</b>
+<a>72587</a>
+<b>72588</b>
 <v>1</v>
 </b>
 </bs>
@@ -24847,18 +26868,18 @@
 <budget>12</budget>
 <bs>
 <b>
-<a>12</a>
-<b>13</b>
+<a>2</a>
+<b>3</b>
 <v>1</v>
 </b>
 <b>
-<a>293</a>
-<b>294</b>
+<a>115</a>
+<b>116</b>
 <v>1</v>
 </b>
 <b>
-<a>22378</a>
-<b>22379</b>
+<a>9057</a>
+<b>9058</b>
 <v>1</v>
 </b>
 </bs>
@@ -24894,18 +26915,18 @@
 <budget>12</budget>
 <bs>
 <b>
-<a>10</a>
-<b>11</b>
+<a>2</a>
+<b>3</b>
 <v>1</v>
 </b>
 <b>
-<a>25</a>
-<b>26</b>
+<a>8</a>
+<b>9</b>
 <v>1</v>
 </b>
 <b>
-<a>7293</a>
-<b>7294</b>
+<a>3533</a>
+<b>3534</b>
 <v>1</v>
 </b>
 </bs>
@@ -24920,18 +26941,18 @@
 <budget>12</budget>
 <bs>
 <b>
-<a>18</a>
-<b>19</b>
+<a>3</a>
+<b>4</b>
 <v>1</v>
 </b>
 <b>
-<a>799</a>
-<b>800</b>
+<a>373</a>
+<b>374</b>
 <v>1</v>
 </b>
 <b>
-<a>162452</a>
-<b>162453</b>
+<a>72587</a>
+<b>72588</b>
 <v>1</v>
 </b>
 </bs>
@@ -24948,344 +26969,354 @@
 <b>
 <a>1</a>
 <b>2</b>
-<v>14112</v>
+<v>5625</v>
 </b>
 <b>
 <a>2</a>
 <b>3</b>
-<v>3482</v>
+<v>1400</v>
 </b>
 <b>
 <a>3</a>
 <b>4</b>
-<v>1462</v>
-</b>
-<b>
-<a>4</a>
-<b>8</b>
-<v>1876</v>
-</b>
-<b>
-<a>8</a>
-<b>15750</b>
-<v>1659</v>
-</b>
-</bs>
-</hist>
-</val>
-</dep>
-<dep>
-<src>name</src>
-<trg>kind</trg>
-<val>
-<hist>
-<budget>12</budget>
-<bs>
-<b>
-<a>1</a>
-<b>2</b>
-<v>22499</v>
-</b>
-<b>
-<a>2</a>
-<b>3</b>
-<v>92</v>
-</b>
-</bs>
-</hist>
-</val>
-</dep>
-<dep>
-<src>name</src>
-<trg>implicitly_typed</trg>
-<val>
-<hist>
-<budget>12</budget>
-<bs>
-<b>
-<a>1</a>
-<b>2</b>
-<v>19931</v>
-</b>
-<b>
-<a>2</a>
-<b>3</b>
-<v>2660</v>
-</b>
-</bs>
-</hist>
-</val>
-</dep>
-<dep>
-<src>name</src>
-<trg>type_id</trg>
-<val>
-<hist>
-<budget>12</budget>
-<bs>
-<b>
-<a>1</a>
-<b>2</b>
-<v>19221</v>
-</b>
-<b>
-<a>2</a>
-<b>3</b>
-<v>1909</v>
-</b>
-<b>
-<a>3</a>
-<b>678</b>
-<v>1461</v>
-</b>
-</bs>
-</hist>
-</val>
-</dep>
-<dep>
-<src>name</src>
-<trg>parent_id</trg>
-<val>
-<hist>
-<budget>12</budget>
-<bs>
-<b>
-<a>1</a>
-<b>2</b>
-<v>14112</v>
-</b>
-<b>
-<a>2</a>
-<b>3</b>
-<v>3482</v>
-</b>
-<b>
-<a>3</a>
-<b>4</b>
-<v>1462</v>
-</b>
-<b>
-<a>4</a>
-<b>8</b>
-<v>1876</v>
-</b>
-<b>
-<a>8</a>
-<b>15750</b>
-<v>1659</v>
-</b>
-</bs>
-</hist>
-</val>
-</dep>
-<dep>
-<src>implicitly_typed</src>
-<trg>id</trg>
-<val>
-<hist>
-<budget>12</budget>
-<bs>
-<b>
-<a>36626</a>
-<b>36627</b>
-<v>1</v>
-</b>
-<b>
-<a>126643</a>
-<b>126644</b>
-<v>1</v>
-</b>
-</bs>
-</hist>
-</val>
-</dep>
-<dep>
-<src>implicitly_typed</src>
-<trg>kind</trg>
-<val>
-<hist>
-<budget>12</budget>
-<bs>
-<b>
-<a>1</a>
-<b>2</b>
-<v>1</v>
-</b>
-<b>
-<a>3</a>
-<b>4</b>
-<v>1</v>
-</b>
-</bs>
-</hist>
-</val>
-</dep>
-<dep>
-<src>implicitly_typed</src>
-<trg>name</trg>
-<val>
-<hist>
-<budget>12</budget>
-<bs>
-<b>
-<a>8549</a>
-<b>8550</b>
-<v>1</v>
-</b>
-<b>
-<a>16702</a>
-<b>16703</b>
-<v>1</v>
-</b>
-</bs>
-</hist>
-</val>
-</dep>
-<dep>
-<src>implicitly_typed</src>
-<trg>type_id</trg>
-<val>
-<hist>
-<budget>12</budget>
-<bs>
-<b>
-<a>2805</a>
-<b>2806</b>
-<v>1</v>
-</b>
-<b>
-<a>6179</a>
-<b>6180</b>
-<v>1</v>
-</b>
-</bs>
-</hist>
-</val>
-</dep>
-<dep>
-<src>implicitly_typed</src>
-<trg>parent_id</trg>
-<val>
-<hist>
-<budget>12</budget>
-<bs>
-<b>
-<a>36626</a>
-<b>36627</b>
-<v>1</v>
-</b>
-<b>
-<a>126643</a>
-<b>126644</b>
-<v>1</v>
-</b>
-</bs>
-</hist>
-</val>
-</dep>
-<dep>
-<src>type_id</src>
-<trg>id</trg>
-<val>
-<hist>
-<budget>12</budget>
-<bs>
-<b>
-<a>1</a>
-<b>2</b>
-<v>3308</v>
-</b>
-<b>
-<a>2</a>
-<b>3</b>
-<v>1138</v>
-</b>
-<b>
-<a>3</a>
-<b>4</b>
-<v>772</v>
-</b>
-<b>
-<a>4</a>
-<b>6</b>
-<v>624</v>
-</b>
-<b>
-<a>6</a>
-<b>11</b>
-<v>591</v>
-</b>
-<b>
-<a>11</a>
-<b>35</b>
-<v>548</v>
-</b>
-<b>
-<a>35</a>
-<b>37230</b>
-<v>317</v>
-</b>
-</bs>
-</hist>
-</val>
-</dep>
-<dep>
-<src>type_id</src>
-<trg>kind</trg>
-<val>
-<hist>
-<budget>12</budget>
-<bs>
-<b>
-<a>1</a>
-<b>2</b>
-<v>7269</v>
-</b>
-<b>
-<a>2</a>
-<b>4</b>
-<v>29</v>
-</b>
-</bs>
-</hist>
-</val>
-</dep>
-<dep>
-<src>type_id</src>
-<trg>name</trg>
-<val>
-<hist>
-<budget>12</budget>
-<bs>
-<b>
-<a>1</a>
-<b>2</b>
-<v>4172</v>
-</b>
-<b>
-<a>2</a>
-<b>3</b>
-<v>1328</v>
-</b>
-<b>
-<a>3</a>
-<b>4</b>
-<v>522</v>
+<v>559</v>
 </b>
 <b>
 <a>4</a>
 <b>7</b>
-<v>643</v>
+<v>690</v>
+</b>
+<b>
+<a>7</a>
+<b>46</b>
+<v>691</v>
+</b>
+<b>
+<a>46</a>
+<b>7564</b>
+<v>170</v>
+</b>
+</bs>
+</hist>
+</val>
+</dep>
+<dep>
+<src>name</src>
+<trg>kind</trg>
+<val>
+<hist>
+<budget>12</budget>
+<bs>
+<b>
+<a>1</a>
+<b>2</b>
+<v>9096</v>
+</b>
+<b>
+<a>2</a>
+<b>3</b>
+<v>39</v>
+</b>
+</bs>
+</hist>
+</val>
+</dep>
+<dep>
+<src>name</src>
+<trg>implicitly_typed</trg>
+<val>
+<hist>
+<budget>12</budget>
+<bs>
+<b>
+<a>1</a>
+<b>2</b>
+<v>8300</v>
+</b>
+<b>
+<a>2</a>
+<b>3</b>
+<v>835</v>
+</b>
+</bs>
+</hist>
+</val>
+</dep>
+<dep>
+<src>name</src>
+<trg>type_id</trg>
+<val>
+<hist>
+<budget>12</budget>
+<bs>
+<b>
+<a>1</a>
+<b>2</b>
+<v>7770</v>
+</b>
+<b>
+<a>2</a>
+<b>3</b>
+<v>727</v>
+</b>
+<b>
+<a>3</a>
+<b>494</b>
+<v>638</v>
+</b>
+</bs>
+</hist>
+</val>
+</dep>
+<dep>
+<src>name</src>
+<trg>parent_id</trg>
+<val>
+<hist>
+<budget>12</budget>
+<bs>
+<b>
+<a>1</a>
+<b>2</b>
+<v>5625</v>
+</b>
+<b>
+<a>2</a>
+<b>3</b>
+<v>1400</v>
+</b>
+<b>
+<a>3</a>
+<b>4</b>
+<v>559</v>
+</b>
+<b>
+<a>4</a>
+<b>7</b>
+<v>690</v>
+</b>
+<b>
+<a>7</a>
+<b>46</b>
+<v>691</v>
+</b>
+<b>
+<a>46</a>
+<b>7564</b>
+<v>170</v>
+</b>
+</bs>
+</hist>
+</val>
+</dep>
+<dep>
+<src>implicitly_typed</src>
+<trg>id</trg>
+<val>
+<hist>
+<budget>12</budget>
+<bs>
+<b>
+<a>13942</a>
+<b>13943</b>
+<v>1</v>
+</b>
+<b>
+<a>59021</a>
+<b>59022</b>
+<v>1</v>
+</b>
+</bs>
+</hist>
+</val>
+</dep>
+<dep>
+<src>implicitly_typed</src>
+<trg>kind</trg>
+<val>
+<hist>
+<budget>12</budget>
+<bs>
+<b>
+<a>1</a>
+<b>2</b>
+<v>1</v>
+</b>
+<b>
+<a>3</a>
+<b>4</b>
+<v>1</v>
+</b>
+</bs>
+</hist>
+</val>
+</dep>
+<dep>
+<src>implicitly_typed</src>
+<trg>name</trg>
+<val>
+<hist>
+<budget>12</budget>
+<bs>
+<b>
+<a>2512</a>
+<b>2513</b>
+<v>1</v>
+</b>
+<b>
+<a>7458</a>
+<b>7459</b>
+<v>1</v>
+</b>
+</bs>
+</hist>
+</val>
+</dep>
+<dep>
+<src>implicitly_typed</src>
+<trg>type_id</trg>
+<val>
+<hist>
+<budget>12</budget>
+<bs>
+<b>
+<a>1244</a>
+<b>1245</b>
+<v>1</v>
+</b>
+<b>
+<a>2982</a>
+<b>2983</b>
+<v>1</v>
+</b>
+</bs>
+</hist>
+</val>
+</dep>
+<dep>
+<src>implicitly_typed</src>
+<trg>parent_id</trg>
+<val>
+<hist>
+<budget>12</budget>
+<bs>
+<b>
+<a>13942</a>
+<b>13943</b>
+<v>1</v>
+</b>
+<b>
+<a>59021</a>
+<b>59022</b>
+<v>1</v>
+</b>
+</bs>
+</hist>
+</val>
+</dep>
+<dep>
+<src>type_id</src>
+<trg>id</trg>
+<val>
+<hist>
+<budget>12</budget>
+<bs>
+<b>
+<a>1</a>
+<b>2</b>
+<v>1585</v>
+</b>
+<b>
+<a>2</a>
+<b>3</b>
+<v>519</v>
+</b>
+<b>
+<a>3</a>
+<b>4</b>
+<v>460</v>
+</b>
+<b>
+<a>4</a>
+<b>6</b>
+<v>301</v>
+</b>
+<b>
+<a>6</a>
+<b>11</b>
+<v>279</v>
+</b>
+<b>
+<a>11</a>
+<b>47</b>
+<v>267</v>
+</b>
+<b>
+<a>47</a>
+<b>17427</b>
+<v>124</v>
+</b>
+</bs>
+</hist>
+</val>
+</dep>
+<dep>
+<src>type_id</src>
+<trg>kind</trg>
+<val>
+<hist>
+<budget>12</budget>
+<bs>
+<b>
+<a>1</a>
+<b>2</b>
+<v>3527</v>
+</b>
+<b>
+<a>2</a>
+<b>3</b>
+<v>8</v>
+</b>
+</bs>
+</hist>
+</val>
+</dep>
+<dep>
+<src>type_id</src>
+<trg>name</trg>
+<val>
+<hist>
+<budget>12</budget>
+<bs>
+<b>
+<a>1</a>
+<b>2</b>
+<v>1956</v>
+</b>
+<b>
+<a>2</a>
+<b>3</b>
+<v>733</v>
+</b>
+<b>
+<a>3</a>
+<b>4</b>
+<v>238</v>
+</b>
+<b>
+<a>4</a>
+<b>7</b>
+<v>310</v>
 </b>
 <b>
 <a>7</a>
 <b>49</b>
-<v>549</v>
+<v>266</v>
 </b>
 <b>
-<a>49</a>
-<b>1937</b>
-<v>84</v>
+<a>51</a>
+<b>900</b>
+<v>32</v>
 </b>
 </bs>
 </hist>
@@ -25301,12 +27332,12 @@
 <b>
 <a>1</a>
 <b>2</b>
-<v>5612</v>
+<v>2844</v>
 </b>
 <b>
 <a>2</a>
 <b>3</b>
-<v>1686</v>
+<v>691</v>
 </b>
 </bs>
 </hist>
@@ -25322,37 +27353,37 @@
 <b>
 <a>1</a>
 <b>2</b>
-<v>3308</v>
+<v>1585</v>
 </b>
 <b>
 <a>2</a>
 <b>3</b>
-<v>1138</v>
+<v>519</v>
 </b>
 <b>
 <a>3</a>
 <b>4</b>
-<v>772</v>
+<v>460</v>
 </b>
 <b>
 <a>4</a>
 <b>6</b>
-<v>624</v>
+<v>301</v>
 </b>
 <b>
 <a>6</a>
 <b>11</b>
-<v>591</v>
+<v>279</v>
 </b>
 <b>
 <a>11</a>
-<b>35</b>
-<v>548</v>
+<b>47</b>
+<v>267</v>
 </b>
 <b>
-<a>35</a>
-<b>37230</b>
-<v>317</v>
+<a>47</a>
+<b>17427</b>
+<v>124</v>
 </b>
 </bs>
 </hist>
@@ -25368,7 +27399,7 @@
 <b>
 <a>1</a>
 <b>2</b>
-<v>163269</v>
+<v>72963</v>
 </b>
 </bs>
 </hist>
@@ -25384,7 +27415,7 @@
 <b>
 <a>1</a>
 <b>2</b>
-<v>163269</v>
+<v>72963</v>
 </b>
 </bs>
 </hist>
@@ -25400,7 +27431,7 @@
 <b>
 <a>1</a>
 <b>2</b>
-<v>163269</v>
+<v>72963</v>
 </b>
 </bs>
 </hist>
@@ -25416,7 +27447,7 @@
 <b>
 <a>1</a>
 <b>2</b>
-<v>163269</v>
+<v>72963</v>
 </b>
 </bs>
 </hist>
@@ -25432,7 +27463,7 @@
 <b>
 <a>1</a>
 <b>2</b>
-<v>163269</v>
+<v>72963</v>
 </b>
 </bs>
 </hist>
@@ -25442,15 +27473,15 @@
 </relation>
 <relation>
 <name>localvar_location</name>
-<cardinality>163269</cardinality>
+<cardinality>72963</cardinality>
 <columnsizes>
 <e>
 <k>id</k>
-<v>163269</v>
+<v>72963</v>
 </e>
 <e>
 <k>loc</k>
-<v>163189</v>
+<v>72932</v>
 </e>
 </columnsizes>
 <dependencies>
@@ -25464,7 +27495,7 @@
 <b>
 <a>1</a>
 <b>2</b>
-<v>163269</v>
+<v>72963</v>
 </b>
 </bs>
 </hist>
@@ -25480,12 +27511,12 @@
 <b>
 <a>1</a>
 <b>2</b>
-<v>163109</v>
+<v>72901</v>
 </b>
 <b>
 <a>2</a>
 <b>3</b>
-<v>80</v>
+<v>31</v>
 </b>
 </bs>
 </hist>
@@ -25495,35 +27526,35 @@
 </relation>
 <relation>
 <name>params</name>
-<cardinality>2417684</cardinality>
+<cardinality>1189134</cardinality>
 <columnsizes>
 <e>
 <k>id</k>
-<v>2417684</v>
+<v>1189134</v>
 </e>
 <e>
 <k>name</k>
-<v>80808</v>
+<v>41432</v>
 </e>
 <e>
 <k>type_id</k>
-<v>330575</v>
+<v>164897</v>
 </e>
 <e>
 <k>index</k>
-<v>199</v>
+<v>102</v>
 </e>
 <e>
 <k>mode</k>
-<v>29</v>
+<v>15</v>
 </e>
 <e>
 <k>parent_id</k>
-<v>1369834</v>
+<v>671887</v>
 </e>
 <e>
 <k>unbound_id</k>
-<v>1435188</v>
+<v>734670</v>
 </e>
 </columnsizes>
 <dependencies>
@@ -25537,7 +27568,7 @@
 <b>
 <a>1</a>
 <b>2</b>
-<v>2417684</v>
+<v>1189134</v>
 </b>
 </bs>
 </hist>
@@ -25553,7 +27584,7 @@
 <b>
 <a>1</a>
 <b>2</b>
-<v>2417684</v>
+<v>1189134</v>
 </b>
 </bs>
 </hist>
@@ -25569,7 +27600,7 @@
 <b>
 <a>1</a>
 <b>2</b>
-<v>2417684</v>
+<v>1189134</v>
 </b>
 </bs>
 </hist>
@@ -25585,7 +27616,7 @@
 <b>
 <a>1</a>
 <b>2</b>
-<v>2417684</v>
+<v>1189134</v>
 </b>
 </bs>
 </hist>
@@ -25601,7 +27632,7 @@
 <b>
 <a>1</a>
 <b>2</b>
-<v>2417684</v>
+<v>1189134</v>
 </b>
 </bs>
 </hist>
@@ -25617,7 +27648,7 @@
 <b>
 <a>1</a>
 <b>2</b>
-<v>2417684</v>
+<v>1189134</v>
 </b>
 </bs>
 </hist>
@@ -25633,42 +27664,42 @@
 <b>
 <a>1</a>
 <b>2</b>
-<v>31113</v>
+<v>15950</v>
 </b>
 <b>
 <a>2</a>
 <b>3</b>
-<v>13852</v>
+<v>7116</v>
 </b>
 <b>
 <a>3</a>
 <b>4</b>
-<v>7057</v>
+<v>3622</v>
 </b>
 <b>
 <a>4</a>
 <b>5</b>
-<v>4836</v>
+<v>2469</v>
 </b>
 <b>
 <a>5</a>
 <b>7</b>
-<v>6648</v>
+<v>3409</v>
 </b>
 <b>
 <a>7</a>
 <b>13</b>
-<v>6891</v>
+<v>3534</v>
 </b>
 <b>
 <a>13</a>
 <b>41</b>
-<v>6083</v>
+<v>3123</v>
 </b>
 <b>
 <a>41</a>
-<b>46351</b>
-<v>4325</v>
+<b>45301</b>
+<v>2206</v>
 </b>
 </bs>
 </hist>
@@ -25684,22 +27715,22 @@
 <b>
 <a>1</a>
 <b>2</b>
-<v>64209</v>
+<v>32939</v>
 </b>
 <b>
 <a>2</a>
 <b>3</b>
-<v>8158</v>
+<v>4178</v>
 </b>
 <b>
 <a>3</a>
 <b>12</b>
-<v>6171</v>
+<v>3153</v>
 </b>
 <b>
 <a>12</a>
-<b>6855</b>
-<v>2269</v>
+<b>6754</b>
+<v>1160</v>
 </b>
 </bs>
 </hist>
@@ -25715,22 +27746,22 @@
 <b>
 <a>1</a>
 <b>2</b>
-<v>55004</v>
+<v>28201</v>
 </b>
 <b>
 <a>2</a>
 <b>3</b>
-<v>14563</v>
+<v>7467</v>
 </b>
 <b>
 <a>3</a>
 <b>4</b>
-<v>5513</v>
+<v>2820</v>
 </b>
 <b>
 <a>4</a>
 <b>33</b>
-<v>5727</v>
+<v>2943</v>
 </b>
 </bs>
 </hist>
@@ -25746,12 +27777,12 @@
 <b>
 <a>1</a>
 <b>2</b>
-<v>75777</v>
+<v>38848</v>
 </b>
 <b>
 <a>2</a>
 <b>7</b>
-<v>5031</v>
+<v>2584</v>
 </b>
 </bs>
 </hist>
@@ -25767,42 +27798,42 @@
 <b>
 <a>1</a>
 <b>2</b>
-<v>31113</v>
+<v>15950</v>
 </b>
 <b>
 <a>2</a>
 <b>3</b>
-<v>13852</v>
+<v>7116</v>
 </b>
 <b>
 <a>3</a>
 <b>4</b>
-<v>7057</v>
+<v>3622</v>
 </b>
 <b>
 <a>4</a>
 <b>5</b>
-<v>4836</v>
+<v>2469</v>
 </b>
 <b>
 <a>5</a>
 <b>7</b>
-<v>6648</v>
+<v>3409</v>
 </b>
 <b>
 <a>7</a>
 <b>13</b>
-<v>6891</v>
+<v>3534</v>
 </b>
 <b>
 <a>13</a>
 <b>41</b>
-<v>6083</v>
+<v>3123</v>
 </b>
 <b>
 <a>41</a>
-<b>46351</b>
-<v>4325</v>
+<b>45301</b>
+<v>2206</v>
 </b>
 </bs>
 </hist>
@@ -25818,42 +27849,42 @@
 <b>
 <a>1</a>
 <b>2</b>
-<v>31503</v>
+<v>16151</v>
 </b>
 <b>
 <a>2</a>
 <b>3</b>
-<v>14081</v>
+<v>7222</v>
 </b>
 <b>
 <a>3</a>
 <b>4</b>
-<v>7072</v>
+<v>3639</v>
 </b>
 <b>
 <a>4</a>
 <b>5</b>
-<v>4953</v>
+<v>2519</v>
 </b>
 <b>
 <a>5</a>
 <b>7</b>
-<v>6477</v>
+<v>3324</v>
 </b>
 <b>
 <a>7</a>
 <b>13</b>
-<v>6906</v>
+<v>3544</v>
 </b>
 <b>
 <a>13</a>
 <b>43</b>
-<v>6156</v>
+<v>3158</v>
 </b>
 <b>
 <a>43</a>
-<b>36753</b>
-<v>3657</v>
+<b>36702</b>
+<v>1872</v>
 </b>
 </bs>
 </hist>
@@ -25869,27 +27900,27 @@
 <b>
 <a>1</a>
 <b>2</b>
-<v>227561</v>
+<v>114442</v>
 </b>
 <b>
 <a>2</a>
 <b>3</b>
-<v>38940</v>
+<v>19498</v>
 </b>
 <b>
 <a>3</a>
 <b>6</b>
-<v>30081</v>
+<v>14283</v>
 </b>
 <b>
 <a>6</a>
-<b>24</b>
-<v>25059</v>
+<b>25</b>
+<v>12476</v>
 </b>
 <b>
-<a>24</a>
-<b>48953</b>
-<v>8932</v>
+<a>25</a>
+<b>47259</b>
+<v>4196</v>
 </b>
 </bs>
 </hist>
@@ -25905,17 +27936,17 @@
 <b>
 <a>1</a>
 <b>2</b>
-<v>289087</v>
+<v>144619</v>
 </b>
 <b>
 <a>2</a>
 <b>4</b>
-<v>30490</v>
+<v>14880</v>
 </b>
 <b>
 <a>4</a>
-<b>2470</b>
-<v>10997</v>
+<b>2452</b>
+<v>5397</v>
 </b>
 </bs>
 </hist>
@@ -25931,17 +27962,17 @@
 <b>
 <a>1</a>
 <b>2</b>
-<v>292150</v>
+<v>146130</v>
 </b>
 <b>
 <a>2</a>
 <b>3</b>
-<v>25074</v>
+<v>12346</v>
 </b>
 <b>
 <a>3</a>
 <b>36</b>
-<v>13350</v>
+<v>6420</v>
 </b>
 </bs>
 </hist>
@@ -25957,12 +27988,12 @@
 <b>
 <a>1</a>
 <b>2</b>
-<v>321866</v>
+<v>160670</v>
 </b>
 <b>
 <a>2</a>
 <b>5</b>
-<v>8708</v>
+<v>4226</v>
 </b>
 </bs>
 </hist>
@@ -25978,27 +28009,27 @@
 <b>
 <a>1</a>
 <b>2</b>
-<v>230059</v>
+<v>115728</v>
 </b>
 <b>
 <a>2</a>
 <b>3</b>
-<v>36982</v>
+<v>18487</v>
 </b>
 <b>
 <a>3</a>
 <b>6</b>
-<v>30495</v>
+<v>14459</v>
 </b>
 <b>
 <a>6</a>
-<b>25</b>
-<v>25020</v>
+<b>26</b>
+<v>12479</v>
 </b>
 <b>
-<a>25</a>
-<b>40410</b>
-<v>8017</v>
+<a>26</a>
+<b>38813</b>
+<v>3742</v>
 </b>
 </bs>
 </hist>
@@ -26014,27 +28045,27 @@
 <b>
 <a>1</a>
 <b>2</b>
-<v>233250</v>
+<v>117385</v>
 </b>
 <b>
 <a>2</a>
 <b>3</b>
-<v>34903</v>
+<v>17404</v>
 </b>
 <b>
 <a>3</a>
 <b>5</b>
-<v>25741</v>
+<v>12270</v>
 </b>
 <b>
 <a>5</a>
-<b>16</b>
-<v>25302</v>
+<b>17</b>
+<v>12554</v>
 </b>
 <b>
-<a>16</a>
-<b>33991</b>
-<v>11377</v>
+<a>17</a>
+<b>33727</b>
+<v>5281</v>
 </b>
 </bs>
 </hist>
@@ -26050,67 +28081,67 @@
 <b>
 <a>1</a>
 <b>2</b>
-<v>24</v>
+<v>12</v>
 </b>
 <b>
 <a>2</a>
 <b>3</b>
-<v>14</v>
+<v>7</v>
 </b>
 <b>
 <a>3</a>
 <b>15</b>
-<v>14</v>
+<v>7</v>
 </b>
 <b>
 <a>16</a>
 <b>26</b>
-<v>14</v>
+<v>7</v>
 </b>
 <b>
 <a>30</a>
 <b>35</b>
-<v>14</v>
+<v>7</v>
 </b>
 <b>
 <a>40</a>
 <b>48</b>
-<v>14</v>
+<v>7</v>
 </b>
 <b>
 <a>52</a>
 <b>71</b>
-<v>14</v>
+<v>7</v>
 </b>
 <b>
 <a>81</a>
 <b>266</b>
-<v>14</v>
+<v>7</v>
 </b>
 <b>
 <a>431</a>
 <b>785</b>
-<v>14</v>
+<v>7</v>
 </b>
 <b>
 <a>986</a>
 <b>1520</b>
-<v>14</v>
+<v>7</v>
 </b>
 <b>
 <a>1960</a>
-<b>3521</b>
-<v>14</v>
+<b>3510</b>
+<v>7</v>
 </b>
 <b>
-<a>5421</a>
-<b>21238</b>
-<v>14</v>
+<a>5391</a>
+<b>20664</b>
+<v>7</v>
 </b>
 <b>
-<a>47756</a>
-<b>281050</b>
-<v>14</v>
+<a>45851</a>
+<b>267875</b>
+<v>7</v>
 </b>
 </bs>
 </hist>
@@ -26126,72 +28157,72 @@
 <b>
 <a>1</a>
 <b>2</b>
-<v>24</v>
+<v>12</v>
 </b>
 <b>
 <a>2</a>
 <b>3</b>
-<v>14</v>
+<v>7</v>
 </b>
 <b>
 <a>3</a>
 <b>10</b>
-<v>14</v>
+<v>7</v>
 </b>
 <b>
 <a>12</a>
 <b>14</b>
-<v>9</v>
+<v>5</v>
 </b>
 <b>
 <a>17</a>
 <b>20</b>
-<v>14</v>
+<v>7</v>
 </b>
 <b>
 <a>20</a>
 <b>22</b>
-<v>14</v>
+<v>7</v>
 </b>
 <b>
 <a>23</a>
 <b>27</b>
-<v>14</v>
+<v>7</v>
 </b>
 <b>
 <a>29</a>
 <b>46</b>
-<v>14</v>
+<v>7</v>
 </b>
 <b>
 <a>55</a>
 <b>66</b>
-<v>14</v>
+<v>7</v>
 </b>
 <b>
 <a>86</a>
 <b>143</b>
-<v>14</v>
+<v>7</v>
 </b>
 <b>
 <a>202</a>
 <b>435</b>
-<v>14</v>
+<v>7</v>
 </b>
 <b>
 <a>630</a>
-<b>1620</b>
-<v>14</v>
+<b>1616</b>
+<v>7</v>
 </b>
 <b>
-<a>2712</a>
-<b>6835</b>
-<v>14</v>
+<a>2706</a>
+<b>6807</b>
+<v>7</v>
 </b>
 <b>
-<a>8088</a>
-<b>8089</b>
-<v>4</v>
+<a>8049</a>
+<b>8050</b>
+<v>2</v>
 </b>
 </bs>
 </hist>
@@ -26207,77 +28238,77 @@
 <b>
 <a>1</a>
 <b>2</b>
-<v>24</v>
+<v>12</v>
 </b>
 <b>
 <a>2</a>
 <b>3</b>
-<v>14</v>
+<v>7</v>
 </b>
 <b>
 <a>3</a>
 <b>8</b>
-<v>9</v>
+<v>5</v>
 </b>
 <b>
 <a>9</a>
 <b>11</b>
-<v>14</v>
+<v>7</v>
 </b>
 <b>
 <a>11</a>
 <b>12</b>
-<v>9</v>
+<v>5</v>
 </b>
 <b>
 <a>12</a>
 <b>13</b>
-<v>9</v>
+<v>5</v>
 </b>
 <b>
 <a>13</a>
 <b>14</b>
-<v>9</v>
+<v>5</v>
 </b>
 <b>
 <a>14</a>
 <b>20</b>
-<v>14</v>
+<v>7</v>
 </b>
 <b>
 <a>23</a>
 <b>40</b>
-<v>14</v>
+<v>7</v>
 </b>
 <b>
 <a>161</a>
 <b>418</b>
-<v>14</v>
+<v>7</v>
 </b>
 <b>
 <a>558</a>
 <b>841</b>
-<v>14</v>
+<v>7</v>
 </b>
 <b>
 <a>1010</a>
 <b>1444</b>
-<v>14</v>
+<v>7</v>
 </b>
 <b>
 <a>1705</a>
-<b>2798</b>
-<v>14</v>
+<b>2786</b>
+<v>7</v>
 </b>
 <b>
-<a>4226</a>
-<b>15732</b>
-<v>14</v>
+<a>4142</a>
+<b>15101</b>
+<v>7</v>
 </b>
 <b>
-<a>40518</a>
-<b>40519</b>
-<v>4</v>
+<a>38776</a>
+<b>38777</b>
+<v>2</v>
 </b>
 </bs>
 </hist>
@@ -26293,32 +28324,32 @@
 <b>
 <a>1</a>
 <b>2</b>
-<v>92</v>
+<v>47</v>
 </b>
 <b>
 <a>2</a>
 <b>3</b>
-<v>43</v>
+<v>22</v>
 </b>
 <b>
 <a>3</a>
 <b>4</b>
-<v>14</v>
+<v>7</v>
 </b>
 <b>
 <a>4</a>
 <b>5</b>
-<v>14</v>
+<v>7</v>
 </b>
 <b>
 <a>5</a>
 <b>6</b>
-<v>29</v>
+<v>15</v>
 </b>
 <b>
 <a>6</a>
 <b>7</b>
-<v>4</v>
+<v>2</v>
 </b>
 </bs>
 </hist>
@@ -26334,67 +28365,67 @@
 <b>
 <a>1</a>
 <b>2</b>
-<v>24</v>
+<v>12</v>
 </b>
 <b>
 <a>2</a>
 <b>3</b>
-<v>14</v>
+<v>7</v>
 </b>
 <b>
 <a>3</a>
 <b>15</b>
-<v>14</v>
+<v>7</v>
 </b>
 <b>
 <a>16</a>
 <b>26</b>
-<v>14</v>
+<v>7</v>
 </b>
 <b>
 <a>30</a>
 <b>35</b>
-<v>14</v>
+<v>7</v>
 </b>
 <b>
 <a>40</a>
 <b>48</b>
-<v>14</v>
+<v>7</v>
 </b>
 <b>
 <a>52</a>
 <b>71</b>
-<v>14</v>
+<v>7</v>
 </b>
 <b>
 <a>81</a>
 <b>266</b>
-<v>14</v>
+<v>7</v>
 </b>
 <b>
 <a>431</a>
 <b>785</b>
-<v>14</v>
+<v>7</v>
 </b>
 <b>
 <a>986</a>
 <b>1520</b>
-<v>14</v>
+<v>7</v>
 </b>
 <b>
 <a>1960</a>
-<b>3521</b>
-<v>14</v>
+<b>3510</b>
+<v>7</v>
 </b>
 <b>
-<a>5421</a>
-<b>21238</b>
-<v>14</v>
+<a>5391</a>
+<b>20664</b>
+<v>7</v>
 </b>
 <b>
-<a>47756</a>
-<b>281050</b>
-<v>14</v>
+<a>45851</a>
+<b>267875</b>
+<v>7</v>
 </b>
 </bs>
 </hist>
@@ -26410,67 +28441,67 @@
 <b>
 <a>1</a>
 <b>2</b>
-<v>24</v>
+<v>12</v>
 </b>
 <b>
 <a>2</a>
 <b>3</b>
-<v>14</v>
+<v>7</v>
 </b>
 <b>
 <a>3</a>
 <b>15</b>
-<v>14</v>
+<v>7</v>
 </b>
 <b>
 <a>16</a>
 <b>26</b>
-<v>14</v>
+<v>7</v>
 </b>
 <b>
 <a>30</a>
 <b>35</b>
-<v>14</v>
+<v>7</v>
 </b>
 <b>
 <a>40</a>
 <b>48</b>
-<v>14</v>
+<v>7</v>
 </b>
 <b>
 <a>52</a>
 <b>70</b>
-<v>14</v>
+<v>7</v>
 </b>
 <b>
 <a>79</a>
 <b>141</b>
-<v>14</v>
+<v>7</v>
 </b>
 <b>
 <a>178</a>
 <b>266</b>
-<v>14</v>
+<v>7</v>
 </b>
 <b>
 <a>334</a>
 <b>601</b>
-<v>14</v>
+<v>7</v>
 </b>
 <b>
 <a>891</a>
-<b>2069</b>
-<v>14</v>
+<b>2068</b>
+<v>7</v>
 </b>
 <b>
-<a>3526</a>
-<b>13874</b>
-<v>14</v>
+<a>3523</a>
+<b>13842</b>
+<v>7</v>
 </b>
 <b>
-<a>29619</a>
-<b>168470</b>
-<v>14</v>
+<a>29502</a>
+<b>167307</b>
+<v>7</v>
 </b>
 </bs>
 </hist>
@@ -26486,32 +28517,32 @@
 <b>
 <a>1253</a>
 <b>1254</b>
-<v>4</v>
+<v>2</v>
 </b>
 <b>
-<a>2019</a>
-<b>2020</b>
-<v>4</v>
+<a>2018</a>
+<b>2019</b>
+<v>2</v>
 </b>
 <b>
-<a>2345</a>
-<b>2346</b>
-<v>4</v>
+<a>2317</a>
+<b>2318</b>
+<v>2</v>
 </b>
 <b>
-<a>7103</a>
-<b>7104</b>
-<v>4</v>
+<a>6844</a>
+<b>6845</b>
+<v>2</v>
 </b>
 <b>
-<a>10553</a>
-<b>10554</b>
-<v>4</v>
+<a>10051</a>
+<b>10052</b>
+<v>2</v>
 </b>
 <b>
-<a>473106</a>
-<b>473107</b>
-<v>4</v>
+<a>451874</a>
+<b>451875</b>
+<v>2</v>
 </b>
 </bs>
 </hist>
@@ -26527,32 +28558,32 @@
 <b>
 <a>110</a>
 <b>111</b>
-<v>4</v>
+<v>2</v>
 </b>
 <b>
 <a>244</a>
 <b>245</b>
-<v>4</v>
+<v>2</v>
 </b>
 <b>
-<a>283</a>
-<b>284</b>
-<v>4</v>
+<a>282</a>
+<b>283</b>
+<v>2</v>
 </b>
 <b>
 <a>524</a>
 <b>525</b>
-<v>4</v>
+<v>2</v>
 </b>
 <b>
-<a>1119</a>
-<b>1120</b>
-<v>4</v>
+<a>1118</a>
+<b>1119</b>
+<v>2</v>
 </b>
 <b>
-<a>15632</a>
-<b>15633</b>
-<v>4</v>
+<a>15568</a>
+<b>15569</b>
+<v>2</v>
 </b>
 </bs>
 </hist>
@@ -26568,32 +28599,32 @@
 <b>
 <a>227</a>
 <b>228</b>
-<v>4</v>
+<v>2</v>
 </b>
 <b>
-<a>258</a>
-<b>259</b>
-<v>4</v>
+<a>257</a>
+<b>258</b>
+<v>2</v>
 </b>
 <b>
-<a>370</a>
-<b>371</b>
-<v>4</v>
+<a>358</a>
+<b>359</b>
+<v>2</v>
 </b>
 <b>
-<a>1224</a>
-<b>1225</b>
-<v>4</v>
+<a>1180</a>
+<b>1181</b>
+<v>2</v>
 </b>
 <b>
-<a>3184</a>
-<b>3185</b>
-<v>4</v>
+<a>3107</a>
+<b>3108</b>
+<v>2</v>
 </b>
 <b>
-<a>64542</a>
-<b>64543</b>
-<v>4</v>
+<a>62478</a>
+<b>62479</b>
+<v>2</v>
 </b>
 </bs>
 </hist>
@@ -26609,32 +28640,32 @@
 <b>
 <a>1</a>
 <b>2</b>
-<v>4</v>
+<v>2</v>
 </b>
 <b>
 <a>8</a>
 <b>9</b>
-<v>4</v>
+<v>2</v>
 </b>
 <b>
 <a>10</a>
 <b>11</b>
-<v>4</v>
+<v>2</v>
 </b>
 <b>
 <a>12</a>
 <b>13</b>
-<v>4</v>
+<v>2</v>
 </b>
 <b>
 <a>22</a>
 <b>23</b>
-<v>4</v>
+<v>2</v>
 </b>
 <b>
 <a>41</a>
 <b>42</b>
-<v>4</v>
+<v>2</v>
 </b>
 </bs>
 </hist>
@@ -26650,32 +28681,32 @@
 <b>
 <a>1100</a>
 <b>1101</b>
-<v>4</v>
+<v>2</v>
 </b>
 <b>
-<a>1881</a>
-<b>1882</b>
-<v>4</v>
+<a>1880</a>
+<b>1881</b>
+<v>2</v>
 </b>
 <b>
-<a>2345</a>
-<b>2346</b>
-<v>4</v>
+<a>2317</a>
+<b>2318</b>
+<v>2</v>
 </b>
 <b>
-<a>5653</a>
-<b>5654</b>
-<v>4</v>
+<a>5409</a>
+<b>5410</b>
+<v>2</v>
 </b>
 <b>
-<a>10553</a>
-<b>10554</b>
-<v>4</v>
+<a>10051</a>
+<b>10052</b>
+<v>2</v>
 </b>
 <b>
-<a>274248</a>
-<b>274249</b>
-<v>4</v>
+<a>261309</a>
+<b>261310</b>
+<v>2</v>
 </b>
 </bs>
 </hist>
@@ -26691,32 +28722,32 @@
 <b>
 <a>1167</a>
 <b>1168</b>
-<v>4</v>
+<v>2</v>
 </b>
 <b>
 <a>1568</a>
 <b>1569</b>
-<v>4</v>
+<v>2</v>
 </b>
 <b>
-<a>1960</a>
-<b>1961</b>
-<v>4</v>
+<a>1959</a>
+<b>1960</b>
+<v>2</v>
 </b>
 <b>
-<a>6114</a>
-<b>6115</b>
-<v>4</v>
+<a>6113</a>
+<b>6114</b>
+<v>2</v>
 </b>
 <b>
-<a>8401</a>
-<b>8402</b>
-<v>4</v>
+<a>8393</a>
+<b>8394</b>
+<v>2</v>
 </b>
 <b>
-<a>275451</a>
-<b>275452</b>
-<v>4</v>
+<a>273867</a>
+<b>273868</b>
+<v>2</v>
 </b>
 </bs>
 </hist>
@@ -26732,27 +28763,27 @@
 <b>
 <a>1</a>
 <b>2</b>
-<v>804742</v>
+<v>396310</v>
 </b>
 <b>
 <a>2</a>
 <b>3</b>
-<v>332635</v>
+<v>160705</v>
 </b>
 <b>
 <a>3</a>
 <b>4</b>
-<v>129188</v>
+<v>63147</v>
 </b>
 <b>
 <a>4</a>
-<b>17</b>
-<v>102755</v>
+<b>15</b>
+<v>50643</v>
 </b>
 <b>
-<a>17</a>
+<a>15</a>
 <b>42</b>
-<v>511</v>
+<v>1080</v>
 </b>
 </bs>
 </hist>
@@ -26768,27 +28799,27 @@
 <b>
 <a>1</a>
 <b>2</b>
-<v>804742</v>
+<v>396310</v>
 </b>
 <b>
 <a>2</a>
 <b>3</b>
-<v>332635</v>
+<v>160705</v>
 </b>
 <b>
 <a>3</a>
 <b>4</b>
-<v>129188</v>
+<v>63147</v>
 </b>
 <b>
 <a>4</a>
-<b>17</b>
-<v>102755</v>
+<b>15</b>
+<v>50643</v>
 </b>
 <b>
-<a>17</a>
+<a>15</a>
 <b>42</b>
-<v>511</v>
+<v>1080</v>
 </b>
 </bs>
 </hist>
@@ -26804,22 +28835,22 @@
 <b>
 <a>1</a>
 <b>2</b>
-<v>854291</v>
+<v>420682</v>
 </b>
 <b>
 <a>2</a>
 <b>3</b>
-<v>332932</v>
+<v>161091</v>
 </b>
 <b>
 <a>3</a>
 <b>4</b>
-<v>113276</v>
+<v>55521</v>
 </b>
 <b>
 <a>4</a>
 <b>23</b>
-<v>69333</v>
+<v>34591</v>
 </b>
 </bs>
 </hist>
@@ -26835,27 +28866,27 @@
 <b>
 <a>1</a>
 <b>2</b>
-<v>804742</v>
+<v>396310</v>
 </b>
 <b>
 <a>2</a>
 <b>3</b>
-<v>332635</v>
+<v>160705</v>
 </b>
 <b>
 <a>3</a>
 <b>4</b>
-<v>129188</v>
+<v>63147</v>
 </b>
 <b>
 <a>4</a>
-<b>17</b>
-<v>102755</v>
+<b>15</b>
+<v>50643</v>
 </b>
 <b>
-<a>17</a>
+<a>15</a>
 <b>42</b>
-<v>511</v>
+<v>1080</v>
 </b>
 </bs>
 </hist>
@@ -26871,12 +28902,12 @@
 <b>
 <a>1</a>
 <b>2</b>
-<v>1301328</v>
+<v>637849</v>
 </b>
 <b>
 <a>2</a>
 <b>4</b>
-<v>68505</v>
+<v>34037</v>
 </b>
 </bs>
 </hist>
@@ -26892,27 +28923,27 @@
 <b>
 <a>1</a>
 <b>2</b>
-<v>804742</v>
+<v>396310</v>
 </b>
 <b>
 <a>2</a>
 <b>3</b>
-<v>332635</v>
+<v>160705</v>
 </b>
 <b>
 <a>3</a>
 <b>4</b>
-<v>129188</v>
+<v>63147</v>
 </b>
 <b>
 <a>4</a>
-<b>17</b>
-<v>102755</v>
+<b>15</b>
+<v>50643</v>
 </b>
 <b>
-<a>17</a>
+<a>15</a>
 <b>42</b>
-<v>511</v>
+<v>1080</v>
 </b>
 </bs>
 </hist>
@@ -26928,12 +28959,12 @@
 <b>
 <a>1</a>
 <b>2</b>
-<v>1384908</v>
+<v>709316</v>
 </b>
 <b>
 <a>2</a>
-<b>11328</b>
-<v>50279</v>
+<b>10857</b>
+<v>25354</v>
 </b>
 </bs>
 </hist>
@@ -26949,7 +28980,7 @@
 <b>
 <a>1</a>
 <b>2</b>
-<v>1435188</v>
+<v>734670</v>
 </b>
 </bs>
 </hist>
@@ -26965,12 +28996,12 @@
 <b>
 <a>1</a>
 <b>2</b>
-<v>1417084</v>
+<v>725656</v>
 </b>
 <b>
 <a>2</a>
-<b>3718</b>
-<v>18104</v>
+<b>3610</b>
+<v>9014</v>
 </b>
 </bs>
 </hist>
@@ -26986,7 +29017,7 @@
 <b>
 <a>1</a>
 <b>2</b>
-<v>1435188</v>
+<v>734670</v>
 </b>
 </bs>
 </hist>
@@ -27002,7 +29033,7 @@
 <b>
 <a>1</a>
 <b>2</b>
-<v>1435188</v>
+<v>734670</v>
 </b>
 </bs>
 </hist>
@@ -27018,12 +29049,12 @@
 <b>
 <a>1</a>
 <b>2</b>
-<v>1384908</v>
+<v>709316</v>
 </b>
 <b>
 <a>2</a>
-<b>11328</b>
-<v>50279</v>
+<b>10857</b>
+<v>25354</v>
 </b>
 </bs>
 </hist>
@@ -27033,15 +29064,15 @@
 </relation>
 <relation>
 <name>param_location</name>
-<cardinality>2687352</cardinality>
+<cardinality>1316289</cardinality>
 <columnsizes>
 <e>
 <k>id</k>
-<v>2413992</v>
+<v>1187548</v>
 </e>
 <e>
 <k>loc</k>
-<v>137537</v>
+<v>56062</v>
 </e>
 </columnsizes>
 <dependencies>
@@ -27055,17 +29086,17 @@
 <b>
 <a>1</a>
 <b>2</b>
-<v>2150827</v>
+<v>1063895</v>
 </b>
 <b>
 <a>2</a>
 <b>3</b>
-<v>256361</v>
+<v>120308</v>
 </b>
 <b>
 <a>3</a>
 <b>60</b>
-<v>6804</v>
+<v>3344</v>
 </b>
 </bs>
 </hist>
@@ -27081,12 +29112,12 @@
 <b>
 <a>1</a>
 <b>2</b>
-<v>133216</v>
+<v>54295</v>
 </b>
 <b>
 <a>2</a>
-<b>99581</b>
-<v>4320</v>
+<b>88836</b>
+<v>1767</v>
 </b>
 </bs>
 </hist>
@@ -27096,15 +29127,15 @@
 </relation>
 <relation>
 <name>statements</name>
-<cardinality>986473</cardinality>
+<cardinality>472277</cardinality>
 <columnsizes>
 <e>
 <k>id</k>
-<v>986473</v>
+<v>472277</v>
 </e>
 <e>
 <k>kind</k>
-<v>38</v>
+<v>32</v>
 </e>
 </columnsizes>
 <dependencies>
@@ -27118,7 +29149,7 @@
 <b>
 <a>1</a>
 <b>2</b>
-<v>986473</v>
+<v>472277</v>
 </b>
 </bs>
 </hist>
@@ -27132,83 +29163,83 @@
 <budget>12</budget>
 <bs>
 <b>
-<a>57</a>
-<b>85</b>
+<a>15</a>
+<b>36</b>
 <v>2</v>
 </b>
 <b>
-<a>97</a>
-<b>148</b>
+<a>48</a>
+<b>52</b>
 <v>2</v>
 </b>
 <b>
-<a>204</a>
-<b>266</b>
+<a>58</a>
+<b>110</b>
 <v>2</v>
 </b>
 <b>
-<a>283</a>
-<b>308</b>
+<a>139</a>
+<b>143</b>
 <v>2</v>
 </b>
 <b>
-<a>312</a>
-<b>593</b>
+<a>146</a>
+<b>218</b>
 <v>2</v>
 </b>
 <b>
-<a>790</a>
-<b>820</b>
+<a>366</a>
+<b>402</b>
 <v>2</v>
 </b>
 <b>
-<a>918</a>
-<b>925</b>
+<a>470</a>
+<b>471</b>
 <v>2</v>
 </b>
 <b>
-<a>1226</a>
-<b>1786</b>
+<a>490</a>
+<b>990</b>
 <v>2</v>
 </b>
 <b>
-<a>2200</a>
-<b>2468</b>
+<a>1105</a>
+<b>1370</b>
 <v>2</v>
 </b>
 <b>
-<a>2752</a>
-<b>3192</b>
+<a>1601</a>
+<b>1628</b>
 <v>2</v>
 </b>
 <b>
-<a>3456</a>
-<b>3580</b>
+<a>1877</a>
+<b>1904</b>
 <v>2</v>
 </b>
 <b>
-<a>5468</a>
-<b>8857</b>
+<a>2956</a>
+<b>5122</b>
 <v>2</v>
 </b>
 <b>
-<a>18283</a>
-<b>60466</b>
+<a>10374</a>
+<b>32130</b>
 <v>2</v>
 </b>
 <b>
-<a>62424</a>
-<b>75943</b>
+<a>37889</a>
+<b>48002</b>
 <v>2</v>
 </b>
 <b>
-<a>94726</a>
-<b>191611</b>
+<a>48236</a>
+<b>97276</b>
 <v>2</v>
 </b>
 <b>
-<a>246632</a>
-<b>246633</b>
+<a>151170</a>
+<b>151171</b>
 <v>1</v>
 </b>
 </bs>
@@ -27219,19 +29250,19 @@
 </relation>
 <relation>
 <name>stmt_parent</name>
-<cardinality>814288</cardinality>
+<cardinality>370789</cardinality>
 <columnsizes>
 <e>
 <k>stmt</k>
-<v>814288</v>
+<v>370789</v>
 </e>
 <e>
 <k>index</k>
-<v>450</v>
+<v>246</v>
 </e>
 <e>
 <k>parent</k>
-<v>431423</v>
+<v>204384</v>
 </e>
 </columnsizes>
 <dependencies>
@@ -27245,7 +29276,7 @@
 <b>
 <a>1</a>
 <b>2</b>
-<v>814288</v>
+<v>370789</v>
 </b>
 </bs>
 </hist>
@@ -27261,7 +29292,7 @@
 <b>
 <a>1</a>
 <b>2</b>
-<v>814288</v>
+<v>370789</v>
 </b>
 </bs>
 </hist>
@@ -27277,62 +29308,57 @@
 <b>
 <a>1</a>
 <b>2</b>
-<v>114</v>
+<v>35</v>
 </b>
 <b>
 <a>2</a>
-<b>3</b>
-<v>44</v>
+<b>4</b>
+<v>14</v>
 </b>
 <b>
-<a>3</a>
+<a>4</a>
 <b>5</b>
-<v>26</v>
+<v>45</v>
 </b>
 <b>
 <a>5</a>
-<b>8</b>
-<v>33</v>
+<b>11</b>
+<v>19</v>
 </b>
 <b>
-<a>8</a>
-<b>9</b>
-<v>9</v>
+<a>11</a>
+<b>16</b>
+<v>15</v>
 </b>
 <b>
-<a>9</a>
-<b>10</b>
-<v>42</v>
+<a>16</a>
+<b>21</b>
+<v>22</v>
 </b>
 <b>
-<a>10</a>
-<b>26</b>
-<v>36</v>
+<a>21</a>
+<b>34</b>
+<v>19</v>
 </b>
 <b>
-<a>26</a>
-<b>45</b>
-<v>34</v>
+<a>37</a>
+<b>72</b>
+<v>19</v>
 </b>
 <b>
-<a>45</a>
-<b>95</b>
-<v>34</v>
+<a>78</a>
+<b>210</b>
+<v>19</v>
 </b>
 <b>
-<a>98</a>
-<b>472</b>
-<v>34</v>
+<a>229</a>
+<b>947</b>
+<v>19</v>
 </b>
 <b>
-<a>510</a>
-<b>78797</b>
-<v>34</v>
-</b>
-<b>
-<a>196051</a>
-<b>233226</b>
-<v>2</v>
+<a>1063</a>
+<b>135963</b>
+<v>16</v>
 </b>
 </bs>
 </hist>
@@ -27348,62 +29374,57 @@
 <b>
 <a>1</a>
 <b>2</b>
-<v>114</v>
+<v>35</v>
 </b>
 <b>
 <a>2</a>
-<b>3</b>
-<v>44</v>
+<b>4</b>
+<v>14</v>
 </b>
 <b>
-<a>3</a>
+<a>4</a>
 <b>5</b>
-<v>26</v>
+<v>45</v>
 </b>
 <b>
 <a>5</a>
-<b>8</b>
-<v>33</v>
+<b>11</b>
+<v>19</v>
 </b>
 <b>
-<a>8</a>
-<b>9</b>
-<v>9</v>
+<a>11</a>
+<b>16</b>
+<v>15</v>
 </b>
 <b>
-<a>9</a>
-<b>10</b>
-<v>42</v>
+<a>16</a>
+<b>21</b>
+<v>22</v>
 </b>
 <b>
-<a>10</a>
-<b>26</b>
-<v>36</v>
+<a>21</a>
+<b>34</b>
+<v>19</v>
 </b>
 <b>
-<a>26</a>
-<b>45</b>
-<v>34</v>
+<a>37</a>
+<b>72</b>
+<v>19</v>
 </b>
 <b>
-<a>45</a>
-<b>95</b>
-<v>34</v>
+<a>78</a>
+<b>210</b>
+<v>19</v>
 </b>
 <b>
-<a>98</a>
-<b>472</b>
-<v>34</v>
+<a>229</a>
+<b>947</b>
+<v>19</v>
 </b>
 <b>
-<a>510</a>
-<b>78797</b>
-<v>34</v>
-</b>
-<b>
-<a>196051</a>
-<b>233226</b>
-<v>2</v>
+<a>1063</a>
+<b>135963</b>
+<v>16</v>
 </b>
 </bs>
 </hist>
@@ -27419,22 +29440,22 @@
 <b>
 <a>1</a>
 <b>2</b>
-<v>292109</v>
+<v>144057</v>
 </b>
 <b>
 <a>2</a>
 <b>3</b>
-<v>74655</v>
+<v>32560</v>
 </b>
 <b>
 <a>3</a>
 <b>5</b>
-<v>37594</v>
+<v>16168</v>
 </b>
 <b>
 <a>5</a>
-<b>361</b>
-<v>27063</v>
+<b>233</b>
+<v>11597</v>
 </b>
 </bs>
 </hist>
@@ -27450,22 +29471,22 @@
 <b>
 <a>1</a>
 <b>2</b>
-<v>292109</v>
+<v>144057</v>
 </b>
 <b>
 <a>2</a>
 <b>3</b>
-<v>74655</v>
+<v>32560</v>
 </b>
 <b>
 <a>3</a>
 <b>5</b>
-<v>37594</v>
+<v>16168</v>
 </b>
 <b>
 <a>5</a>
-<b>361</b>
-<v>27063</v>
+<b>233</b>
+<v>11597</v>
 </b>
 </bs>
 </hist>
@@ -27475,11 +29496,11 @@
 </relation>
 <relation>
 <name>stmt_parent_top_level</name>
-<cardinality>172184</cardinality>
+<cardinality>101488</cardinality>
 <columnsizes>
 <e>
 <k>stmt</k>
-<v>172184</v>
+<v>101488</v>
 </e>
 <e>
 <k>index</k>
@@ -27487,7 +29508,7 @@
 </e>
 <e>
 <k>parent</k>
-<v>126193</v>
+<v>83071</v>
 </e>
 </columnsizes>
 <dependencies>
@@ -27501,7 +29522,7 @@
 <b>
 <a>1</a>
 <b>2</b>
-<v>172184</v>
+<v>101488</v>
 </b>
 </bs>
 </hist>
@@ -27517,7 +29538,7 @@
 <b>
 <a>1</a>
 <b>2</b>
-<v>172184</v>
+<v>101488</v>
 </b>
 </bs>
 </hist>
@@ -27531,8 +29552,8 @@
 <budget>12</budget>
 <bs>
 <b>
-<a>138041</a>
-<b>138042</b>
+<a>96009</a>
+<b>96010</b>
 <v>1</v>
 </b>
 </bs>
@@ -27547,8 +29568,8 @@
 <budget>12</budget>
 <bs>
 <b>
-<a>101170</a>
-<b>101171</b>
+<a>78586</a>
+<b>78587</b>
 <v>1</v>
 </b>
 </bs>
@@ -27565,17 +29586,17 @@
 <b>
 <a>1</a>
 <b>2</b>
-<v>80853</v>
+<v>64837</v>
 </b>
 <b>
 <a>2</a>
 <b>3</b>
-<v>44695</v>
+<v>18049</v>
 </b>
 <b>
 <a>3</a>
-<b>5</b>
-<v>643</v>
+<b>4</b>
+<v>183</v>
 </b>
 </bs>
 </hist>
@@ -27591,7 +29612,7 @@
 <b>
 <a>1</a>
 <b>2</b>
-<v>126193</v>
+<v>83071</v>
 </b>
 </bs>
 </hist>
@@ -27601,15 +29622,15 @@
 </relation>
 <relation>
 <name>stmt_location</name>
-<cardinality>986473</cardinality>
+<cardinality>472277</cardinality>
 <columnsizes>
 <e>
 <k>id</k>
-<v>986473</v>
+<v>472277</v>
 </e>
 <e>
 <k>loc</k>
-<v>983578</v>
+<v>470073</v>
 </e>
 </columnsizes>
 <dependencies>
@@ -27623,7 +29644,7 @@
 <b>
 <a>1</a>
 <b>2</b>
-<v>986473</v>
+<v>472277</v>
 </b>
 </bs>
 </hist>
@@ -27639,12 +29660,12 @@
 <b>
 <a>1</a>
 <b>2</b>
-<v>980683</v>
+<v>467869</v>
 </b>
 <b>
 <a>2</a>
 <b>3</b>
-<v>2895</v>
+<v>2203</v>
 </b>
 </bs>
 </hist>
@@ -27654,15 +29675,15 @@
 </relation>
 <relation>
 <name>catch_type</name>
-<cardinality>3432</cardinality>
+<cardinality>1719</cardinality>
 <columnsizes>
 <e>
 <k>catch_id</k>
-<v>3432</v>
+<v>1719</v>
 </e>
 <e>
 <k>type_id</k>
-<v>129</v>
+<v>79</v>
 </e>
 <e>
 <k>kind</k>
@@ -27680,7 +29701,7 @@
 <b>
 <a>1</a>
 <b>2</b>
-<v>3432</v>
+<v>1719</v>
 </b>
 </bs>
 </hist>
@@ -27696,7 +29717,7 @@
 <b>
 <a>1</a>
 <b>2</b>
-<v>3432</v>
+<v>1719</v>
 </b>
 </bs>
 </hist>
@@ -27712,47 +29733,52 @@
 <b>
 <a>1</a>
 <b>2</b>
-<v>32</v>
+<v>16</v>
 </b>
 <b>
 <a>2</a>
 <b>3</b>
-<v>22</v>
+<v>15</v>
 </b>
 <b>
 <a>3</a>
 <b>4</b>
-<v>11</v>
+<v>9</v>
 </b>
 <b>
 <a>4</a>
 <b>5</b>
-<v>12</v>
+<v>5</v>
 </b>
 <b>
 <a>5</a>
-<b>8</b>
-<v>9</v>
+<b>7</b>
+<v>3</v>
 </b>
 <b>
-<a>8</a>
-<b>13</b>
-<v>11</v>
+<a>7</a>
+<b>9</b>
+<v>6</v>
 </b>
 <b>
-<a>13</a>
-<b>24</b>
-<v>9</v>
+<a>10</a>
+<b>15</b>
+<v>6</v>
 </b>
 <b>
-<a>27</a>
-<b>47</b>
-<v>9</v>
+<a>15</a>
+<b>28</b>
+<v>6</v>
 </b>
 <b>
-<a>48</a>
-<b>702</b>
-<v>9</v>
+<a>29</a>
+<b>144</b>
+<v>6</v>
+</b>
+<b>
+<a>203</a>
+<b>316</b>
+<v>3</v>
 </b>
 </bs>
 </hist>
@@ -27768,7 +29794,7 @@
 <b>
 <a>1</a>
 <b>2</b>
-<v>129</v>
+<v>79</v>
 </b>
 </bs>
 </hist>
@@ -27782,13 +29808,13 @@
 <budget>12</budget>
 <bs>
 <b>
-<a>492</a>
-<b>493</b>
+<a>278</a>
+<b>279</b>
 <v>1</v>
 </b>
 <b>
-<a>2260</a>
-<b>2261</b>
+<a>1349</a>
+<b>1350</b>
 <v>1</v>
 </b>
 </bs>
@@ -27808,8 +29834,8 @@
 <v>1</v>
 </b>
 <b>
-<a>103</a>
-<b>104</b>
+<a>74</a>
+<b>75</b>
 <v>1</v>
 </b>
 </bs>
@@ -27820,19 +29846,19 @@
 </relation>
 <relation>
 <name>expressions</name>
-<cardinality>4249670</cardinality>
+<cardinality>1967906</cardinality>
 <columnsizes>
 <e>
 <k>id</k>
-<v>4249670</v>
+<v>1967906</v>
 </e>
 <e>
 <k>kind</k>
-<v>404</v>
+<v>112</v>
 </e>
 <e>
 <k>type_id</k>
-<v>70297</v>
+<v>15377</v>
 </e>
 </columnsizes>
 <dependencies>
@@ -27846,7 +29872,7 @@
 <b>
 <a>1</a>
 <b>2</b>
-<v>4249670</v>
+<v>1967906</v>
 </b>
 </bs>
 </hist>
@@ -27862,7 +29888,7 @@
 <b>
 <a>1</a>
 <b>2</b>
-<v>4249670</v>
+<v>1967906</v>
 </b>
 </bs>
 </hist>
@@ -27876,69 +29902,74 @@
 <budget>12</budget>
 <bs>
 <b>
-<a>1</a>
-<b>2</b>
-<v>19</v>
+<a>3</a>
+<b>17</b>
+<v>8</v>
 </b>
 <b>
-<a>2</a>
-<b>7</b>
-<v>34</v>
+<a>18</a>
+<b>61</b>
+<v>8</v>
 </b>
 <b>
-<a>7</a>
-<b>14</b>
-<v>34</v>
+<a>61</a>
+<b>134</b>
+<v>8</v>
 </b>
 <b>
-<a>16</a>
-<b>40</b>
-<v>29</v>
+<a>145</a>
+<b>243</b>
+<v>8</v>
 </b>
 <b>
-<a>41</a>
-<b>56</b>
-<v>34</v>
+<a>250</a>
+<b>457</b>
+<v>8</v>
 </b>
 <b>
-<a>58</a>
-<b>166</b>
-<v>34</v>
+<a>532</a>
+<b>643</b>
+<v>8</v>
 </b>
 <b>
-<a>166</a>
-<b>302</b>
-<v>34</v>
+<a>661</a>
+<b>1291</b>
+<v>8</v>
 </b>
 <b>
-<a>315</a>
-<b>813</b>
-<v>34</v>
+<a>1313</a>
+<b>2180</b>
+<v>8</v>
 </b>
 <b>
-<a>995</a>
-<b>1589</b>
-<v>34</v>
+<a>2252</a>
+<b>3767</b>
+<v>8</v>
 </b>
 <b>
-<a>3359</a>
-<b>9531</b>
-<v>34</v>
+<a>4681</a>
+<b>6580</b>
+<v>8</v>
 </b>
 <b>
-<a>10013</a>
-<b>21777</b>
-<v>34</v>
+<a>7133</a>
+<b>22007</b>
+<v>8</v>
 </b>
 <b>
-<a>28621</a>
-<b>87094</b>
-<v>34</v>
+<a>22297</a>
+<b>62473</b>
+<v>8</v>
 </b>
 <b>
-<a>94368</a>
-<b>127999</b>
-<v>14</v>
+<a>72642</a>
+<b>169972</b>
+<v>8</v>
+</b>
+<b>
+<a>174284</a>
+<b>252450</b>
+<v>2</v>
 </b>
 </bs>
 </hist>
@@ -27954,47 +29985,57 @@
 <b>
 <a>1</a>
 <b>2</b>
-<v>155</v>
+<v>31</v>
 </b>
 <b>
 <a>2</a>
-<b>3</b>
-<v>38</v>
+<b>4</b>
+<v>8</v>
 </b>
 <b>
-<a>3</a>
-<b>6</b>
-<v>34</v>
+<a>5</a>
+<b>8</b>
+<v>9</v>
 </b>
 <b>
-<a>7</a>
-<b>23</b>
-<v>34</v>
+<a>8</a>
+<b>16</b>
+<v>8</v>
 </b>
 <b>
-<a>25</a>
-<b>54</b>
-<v>34</v>
+<a>16</a>
+<b>37</b>
+<v>8</v>
 </b>
 <b>
-<a>63</a>
-<b>117</b>
-<v>34</v>
+<a>38</a>
+<b>71</b>
+<v>8</v>
 </b>
 <b>
-<a>252</a>
-<b>1822</b>
-<v>34</v>
+<a>77</a>
+<b>137</b>
+<v>8</v>
 </b>
 <b>
-<a>1908</a>
-<b>3347</b>
-<v>34</v>
+<a>137</a>
+<b>337</b>
+<v>8</v>
 </b>
 <b>
-<a>5303</a>
-<b>5304</b>
-<v>4</v>
+<a>384</a>
+<b>790</b>
+<v>8</v>
+</b>
+<b>
+<a>1764</a>
+<b>3948</b>
+<v>8</v>
+</b>
+<b>
+<a>4410</a>
+<b>7388</b>
+<v>3</v>
 </b>
 </bs>
 </hist>
@@ -28010,47 +30051,67 @@
 <b>
 <a>1</a>
 <b>2</b>
-<v>12834</v>
+<v>2149</v>
 </b>
 <b>
 <a>2</a>
 <b>3</b>
-<v>21635</v>
+<v>1894</v>
 </b>
 <b>
 <a>3</a>
 <b>4</b>
-<v>3336</v>
+<v>786</v>
 </b>
 <b>
 <a>4</a>
 <b>5</b>
-<v>5596</v>
+<v>984</v>
 </b>
 <b>
 <a>5</a>
-<b>7</b>
-<v>5606</v>
+<b>6</b>
+<v>970</v>
 </b>
 <b>
-<a>7</a>
-<b>11</b>
-<v>5591</v>
+<a>6</a>
+<b>8</b>
+<v>1167</v>
 </b>
 <b>
-<a>11</a>
-<b>20</b>
-<v>5537</v>
+<a>8</a>
+<b>12</b>
+<v>1337</v>
 </b>
 <b>
-<a>20</a>
-<b>51</b>
-<v>5309</v>
+<a>12</a>
+<b>19</b>
+<v>1299</v>
 </b>
 <b>
-<a>51</a>
-<b>139922</b>
-<v>4851</v>
+<a>19</a>
+<b>30</b>
+<v>1215</v>
+</b>
+<b>
+<a>30</a>
+<b>50</b>
+<v>1164</v>
+</b>
+<b>
+<a>50</a>
+<b>113</b>
+<v>1161</v>
+</b>
+<b>
+<a>113</a>
+<b>1379</b>
+<v>1154</v>
+</b>
+<b>
+<a>1383</a>
+<b>318203</b>
+<v>93</v>
 </b>
 </bs>
 </hist>
@@ -28066,27 +30127,42 @@
 <b>
 <a>1</a>
 <b>2</b>
-<v>31181</v>
+<v>5687</v>
 </b>
 <b>
 <a>2</a>
 <b>3</b>
-<v>24937</v>
+<v>2551</v>
 </b>
 <b>
 <a>3</a>
 <b>4</b>
-<v>5270</v>
+<v>1979</v>
 </b>
 <b>
 <a>4</a>
+<b>5</b>
+<v>1305</v>
+</b>
+<b>
+<a>5</a>
 <b>6</b>
-<v>5104</v>
+<v>933</v>
 </b>
 <b>
 <a>6</a>
-<b>34</b>
-<v>3803</v>
+<b>8</b>
+<v>1320</v>
+</b>
+<b>
+<a>8</a>
+<b>12</b>
+<v>1227</v>
+</b>
+<b>
+<a>12</a>
+<b>57</b>
+<v>372</v>
 </b>
 </bs>
 </hist>
@@ -28096,19 +30172,19 @@
 </relation>
 <relation>
 <name>expr_parent</name>
-<cardinality>3927027</cardinality>
+<cardinality>1745009</cardinality>
 <columnsizes>
 <e>
 <k>expr</k>
-<v>3927027</v>
+<v>1745009</v>
 </e>
 <e>
 <k>index</k>
-<v>81755</v>
+<v>11825</v>
 </e>
 <e>
 <k>parent</k>
-<v>2575444</v>
+<v>1152644</v>
 </e>
 </columnsizes>
 <dependencies>
@@ -28122,7 +30198,7 @@
 <b>
 <a>1</a>
 <b>2</b>
-<v>3927027</v>
+<v>1745009</v>
 </b>
 </bs>
 </hist>
@@ -28138,7 +30214,7 @@
 <b>
 <a>1</a>
 <b>2</b>
-<v>3927027</v>
+<v>1745009</v>
 </b>
 </bs>
 </hist>
@@ -28154,22 +30230,47 @@
 <b>
 <a>1</a>
 <b>2</b>
-<v>67800</v>
+<v>3162</v>
 </b>
 <b>
 <a>2</a>
+<b>3</b>
+<v>439</v>
+</b>
+<b>
+<a>3</a>
+<b>4</b>
+<v>1589</v>
+</b>
+<b>
+<a>4</a>
+<b>5</b>
+<v>186</v>
+</b>
+<b>
+<a>5</a>
 <b>6</b>
-<v>6347</v>
+<v>1234</v>
 </b>
 <b>
 <a>6</a>
-<b>13</b>
-<v>6188</v>
+<b>7</b>
+<v>2909</v>
 </b>
 <b>
-<a>13</a>
-<b>1585226</b>
-<v>1419</v>
+<a>8</a>
+<b>10</b>
+<v>1020</v>
+</b>
+<b>
+<a>10</a>
+<b>18</b>
+<v>895</v>
+</b>
+<b>
+<a>18</a>
+<b>837462</b>
+<v>387</v>
 </b>
 </bs>
 </hist>
@@ -28185,22 +30286,47 @@
 <b>
 <a>1</a>
 <b>2</b>
-<v>67800</v>
+<v>3162</v>
 </b>
 <b>
 <a>2</a>
+<b>3</b>
+<v>439</v>
+</b>
+<b>
+<a>3</a>
+<b>4</b>
+<v>1589</v>
+</b>
+<b>
+<a>4</a>
+<b>5</b>
+<v>186</v>
+</b>
+<b>
+<a>5</a>
 <b>6</b>
-<v>6347</v>
+<v>1234</v>
 </b>
 <b>
 <a>6</a>
-<b>13</b>
-<v>6188</v>
+<b>7</b>
+<v>2909</v>
 </b>
 <b>
-<a>13</a>
-<b>1585226</b>
-<v>1419</v>
+<a>8</a>
+<b>10</b>
+<v>1020</v>
+</b>
+<b>
+<a>10</a>
+<b>18</b>
+<v>895</v>
+</b>
+<b>
+<a>18</a>
+<b>837462</b>
+<v>387</v>
 </b>
 </bs>
 </hist>
@@ -28216,17 +30342,17 @@
 <b>
 <a>1</a>
 <b>2</b>
-<v>1617409</v>
+<v>726174</v>
 </b>
 <b>
 <a>2</a>
 <b>3</b>
-<v>830338</v>
+<v>372615</v>
 </b>
 <b>
 <a>3</a>
-<b>65537</b>
-<v>127696</v>
+<b>11185</b>
+<v>53853</v>
 </b>
 </bs>
 </hist>
@@ -28242,17 +30368,17 @@
 <b>
 <a>1</a>
 <b>2</b>
-<v>1617409</v>
+<v>726174</v>
 </b>
 <b>
 <a>2</a>
 <b>3</b>
-<v>830338</v>
+<v>372615</v>
 </b>
 <b>
 <a>3</a>
-<b>65537</b>
-<v>127696</v>
+<b>11185</b>
+<v>53853</v>
 </b>
 </bs>
 </hist>
@@ -28262,19 +30388,19 @@
 </relation>
 <relation>
 <name>expr_parent_top_level</name>
-<cardinality>499981</cardinality>
+<cardinality>239881</cardinality>
 <columnsizes>
 <e>
 <k>expr</k>
-<v>499981</v>
+<v>239881</v>
 </e>
 <e>
 <k>index</k>
-<v>43</v>
+<v>22</v>
 </e>
 <e>
 <k>parent</k>
-<v>431797</v>
+<v>204873</v>
 </e>
 </columnsizes>
 <dependencies>
@@ -28288,7 +30414,7 @@
 <b>
 <a>1</a>
 <b>2</b>
-<v>499981</v>
+<v>239881</v>
 </b>
 </bs>
 </hist>
@@ -28304,7 +30430,7 @@
 <b>
 <a>1</a>
 <b>2</b>
-<v>499981</v>
+<v>239881</v>
 </b>
 </bs>
 </hist>
@@ -28320,47 +30446,47 @@
 <b>
 <a>2</a>
 <b>3</b>
-<v>4</v>
+<v>2</v>
 </b>
 <b>
 <a>43</a>
 <b>44</b>
-<v>4</v>
+<v>2</v>
 </b>
 <b>
 <a>113</a>
 <b>114</b>
-<v>4</v>
+<v>2</v>
 </b>
 <b>
-<a>166</a>
-<b>167</b>
-<v>4</v>
+<a>125</a>
+<b>126</b>
+<v>2</v>
 </b>
 <b>
 <a>250</a>
 <b>251</b>
-<v>4</v>
+<v>2</v>
 </b>
 <b>
 <a>884</a>
 <b>885</b>
-<v>4</v>
+<v>2</v>
 </b>
 <b>
-<a>4465</a>
-<b>4466</b>
-<v>4</v>
+<a>4456</a>
+<b>4457</b>
+<v>2</v>
 </b>
 <b>
-<a>8472</a>
-<b>8473</b>
-<v>4</v>
+<a>8335</a>
+<b>8336</b>
+<v>2</v>
 </b>
 <b>
-<a>88257</a>
-<b>88258</b>
-<v>4</v>
+<a>81483</a>
+<b>81484</b>
+<v>2</v>
 </b>
 </bs>
 </hist>
@@ -28376,47 +30502,47 @@
 <b>
 <a>2</a>
 <b>3</b>
-<v>4</v>
+<v>2</v>
 </b>
 <b>
 <a>43</a>
 <b>44</b>
-<v>4</v>
+<v>2</v>
 </b>
 <b>
 <a>113</a>
 <b>114</b>
-<v>4</v>
+<v>2</v>
 </b>
 <b>
-<a>166</a>
-<b>167</b>
-<v>4</v>
+<a>125</a>
+<b>126</b>
+<v>2</v>
 </b>
 <b>
 <a>250</a>
 <b>251</b>
-<v>4</v>
+<v>2</v>
 </b>
 <b>
 <a>884</a>
 <b>885</b>
-<v>4</v>
+<v>2</v>
 </b>
 <b>
-<a>4465</a>
-<b>4466</b>
-<v>4</v>
+<a>4456</a>
+<b>4457</b>
+<v>2</v>
 </b>
 <b>
-<a>8472</a>
-<b>8473</b>
-<v>4</v>
+<a>8335</a>
+<b>8336</b>
+<v>2</v>
 </b>
 <b>
-<a>88193</a>
-<b>88194</b>
-<v>4</v>
+<a>81419</a>
+<b>81420</b>
+<v>2</v>
 </b>
 </bs>
 </hist>
@@ -28432,17 +30558,17 @@
 <b>
 <a>1</a>
 <b>2</b>
-<v>391784</v>
+<v>184342</v>
 </b>
 <b>
 <a>2</a>
 <b>4</b>
-<v>35648</v>
+<v>18284</v>
 </b>
 <b>
 <a>4</a>
 <b>9</b>
-<v>4364</v>
+<v>2246</v>
 </b>
 </bs>
 </hist>
@@ -28458,17 +30584,17 @@
 <b>
 <a>1</a>
 <b>2</b>
-<v>391964</v>
+<v>184435</v>
 </b>
 <b>
 <a>2</a>
 <b>4</b>
-<v>35526</v>
+<v>18222</v>
 </b>
 <b>
 <a>4</a>
 <b>9</b>
-<v>4305</v>
+<v>2216</v>
 </b>
 </bs>
 </hist>
@@ -28478,59 +30604,59 @@
 </relation>
 <relation>
 <name>implicitly_typed_array_creation</name>
-<cardinality>10813</cardinality>
+<cardinality>3866</cardinality>
 <columnsizes>
 <e>
 <k>id</k>
-<v>10813</v>
+<v>3866</v>
 </e>
 </columnsizes>
 <dependencies/>
 </relation>
 <relation>
 <name>explicitly_sized_array_creation</name>
-<cardinality>4278</cardinality>
+<cardinality>1913</cardinality>
 <columnsizes>
 <e>
 <k>id</k>
-<v>4278</v>
+<v>1913</v>
 </e>
 </columnsizes>
 <dependencies/>
 </relation>
 <relation>
 <name>stackalloc_array_creation</name>
-<cardinality>835</cardinality>
+<cardinality>170</cardinality>
 <columnsizes>
 <e>
 <k>id</k>
-<v>835</v>
+<v>170</v>
 </e>
 </columnsizes>
 <dependencies/>
 </relation>
 <relation>
 <name>implicitly_typed_object_creation</name>
-<cardinality>769</cardinality>
+<cardinality>405</cardinality>
 <columnsizes>
 <e>
 <k>id</k>
-<v>769</v>
+<v>405</v>
 </e>
 </columnsizes>
 <dependencies/>
 </relation>
 <relation>
 <name>mutator_invocation_mode</name>
-<cardinality>4</cardinality>
+<cardinality>2</cardinality>
 <columnsizes>
 <e>
 <k>id</k>
-<v>4</v>
+<v>2</v>
 </e>
 <e>
 <k>mode</k>
-<v>4</v>
+<v>2</v>
 </e>
 </columnsizes>
 <dependencies>
@@ -28544,7 +30670,7 @@
 <b>
 <a>1</a>
 <b>2</b>
-<v>4</v>
+<v>2</v>
 </b>
 </bs>
 </hist>
@@ -28560,7 +30686,7 @@
 <b>
 <a>1</a>
 <b>2</b>
-<v>4</v>
+<v>2</v>
 </b>
 </bs>
 </hist>
@@ -28570,26 +30696,26 @@
 </relation>
 <relation>
 <name>expr_compiler_generated</name>
-<cardinality>1629444</cardinality>
+<cardinality>759849</cardinality>
 <columnsizes>
 <e>
 <k>id</k>
-<v>1629444</v>
+<v>759849</v>
 </e>
 </columnsizes>
 <dependencies/>
 </relation>
 <relation>
 <name>expr_value</name>
-<cardinality>1400280</cardinality>
+<cardinality>719515</cardinality>
 <columnsizes>
 <e>
 <k>id</k>
-<v>1400280</v>
+<v>719515</v>
 </e>
 <e>
 <k>value</k>
-<v>102868</v>
+<v>52225</v>
 </e>
 </columnsizes>
 <dependencies>
@@ -28603,7 +30729,7 @@
 <b>
 <a>1</a>
 <b>2</b>
-<v>1400280</v>
+<v>719515</v>
 </b>
 </bs>
 </hist>
@@ -28619,27 +30745,27 @@
 <b>
 <a>1</a>
 <b>2</b>
-<v>72296</v>
+<v>36487</v>
 </b>
 <b>
 <a>2</a>
 <b>3</b>
-<v>14943</v>
+<v>6531</v>
 </b>
 <b>
 <a>3</a>
-<b>6</b>
-<v>7876</v>
+<b>5</b>
+<v>4017</v>
 </b>
 <b>
-<a>6</a>
-<b>2253</b>
-<v>7716</v>
+<a>5</a>
+<b>25</b>
+<v>3927</v>
 </b>
 <b>
-<a>2258</a>
-<b>272851</b>
-<v>37</v>
+<a>25</a>
+<b>148925</b>
+<v>1263</v>
 </b>
 </bs>
 </hist>
@@ -28649,15 +30775,15 @@
 </relation>
 <relation>
 <name>expr_call</name>
-<cardinality>677205</cardinality>
+<cardinality>304738</cardinality>
 <columnsizes>
 <e>
 <k>caller_id</k>
-<v>677205</v>
+<v>304738</v>
 </e>
 <e>
 <k>target_id</k>
-<v>53764</v>
+<v>22603</v>
 </e>
 </columnsizes>
 <dependencies>
@@ -28671,7 +30797,7 @@
 <b>
 <a>1</a>
 <b>2</b>
-<v>677205</v>
+<v>304738</v>
 </b>
 </bs>
 </hist>
@@ -28687,32 +30813,32 @@
 <b>
 <a>1</a>
 <b>2</b>
-<v>28802</v>
+<v>12775</v>
 </b>
 <b>
 <a>2</a>
 <b>3</b>
-<v>10037</v>
+<v>3512</v>
 </b>
 <b>
 <a>3</a>
 <b>4</b>
-<v>4351</v>
+<v>1884</v>
 </b>
 <b>
 <a>4</a>
 <b>7</b>
-<v>4653</v>
+<v>1846</v>
 </b>
 <b>
 <a>7</a>
 <b>24</b>
-<v>4065</v>
+<v>1714</v>
 </b>
 <b>
 <a>24</a>
-<b>43831</b>
-<v>1856</v>
+<b>23696</b>
+<v>872</v>
 </b>
 </bs>
 </hist>
@@ -28722,15 +30848,15 @@
 </relation>
 <relation>
 <name>expr_access</name>
-<cardinality>1380403</cardinality>
+<cardinality>603781</cardinality>
 <columnsizes>
 <e>
 <k>accesser_id</k>
-<v>1380403</v>
+<v>603781</v>
 </e>
 <e>
 <k>target_id</k>
-<v>339492</v>
+<v>151428</v>
 </e>
 </columnsizes>
 <dependencies>
@@ -28744,7 +30870,7 @@
 <b>
 <a>1</a>
 <b>2</b>
-<v>1380403</v>
+<v>603781</v>
 </b>
 </bs>
 </hist>
@@ -28760,37 +30886,37 @@
 <b>
 <a>1</a>
 <b>2</b>
-<v>110513</v>
+<v>49895</v>
 </b>
 <b>
 <a>2</a>
 <b>3</b>
-<v>71310</v>
+<v>33117</v>
 </b>
 <b>
 <a>3</a>
 <b>4</b>
-<v>54805</v>
+<v>23450</v>
 </b>
 <b>
 <a>4</a>
 <b>5</b>
-<v>33178</v>
+<v>14681</v>
 </b>
 <b>
 <a>5</a>
 <b>6</b>
-<v>19897</v>
+<v>8746</v>
 </b>
 <b>
 <a>6</a>
-<b>9</b>
-<v>25746</v>
+<b>10</b>
+<v>12743</v>
 </b>
 <b>
-<a>9</a>
-<b>7782</b>
-<v>24041</v>
+<a>10</a>
+<b>4570</b>
+<v>8794</v>
 </b>
 </bs>
 </hist>
@@ -28800,15 +30926,15 @@
 </relation>
 <relation>
 <name>expr_location</name>
-<cardinality>4249670</cardinality>
+<cardinality>1970785</cardinality>
 <columnsizes>
 <e>
 <k>id</k>
-<v>4249670</v>
+<v>1970785</v>
 </e>
 <e>
 <k>loc</k>
-<v>3004477</v>
+<v>1481488</v>
 </e>
 </columnsizes>
 <dependencies>
@@ -28822,7 +30948,7 @@
 <b>
 <a>1</a>
 <b>2</b>
-<v>4249670</v>
+<v>1970785</v>
 </b>
 </bs>
 </hist>
@@ -28838,17 +30964,17 @@
 <b>
 <a>1</a>
 <b>2</b>
-<v>2758234</v>
+<v>1266804</v>
 </b>
 <b>
 <a>2</a>
 <b>3</b>
-<v>241589</v>
+<v>207105</v>
 </b>
 <b>
 <a>3</a>
-<b>542807</b>
-<v>4654</v>
+<b>62488</b>
+<v>7578</v>
 </b>
 </bs>
 </hist>
@@ -28858,15 +30984,15 @@
 </relation>
 <relation>
 <name>dynamic_member_name</name>
-<cardinality>13628</cardinality>
+<cardinality>6116</cardinality>
 <columnsizes>
 <e>
 <k>id</k>
-<v>13628</v>
+<v>6116</v>
 </e>
 <e>
 <k>name</k>
-<v>1407</v>
+<v>629</v>
 </e>
 </columnsizes>
 <dependencies>
@@ -28880,7 +31006,7 @@
 <b>
 <a>1</a>
 <b>2</b>
-<v>13628</v>
+<v>6116</v>
 </b>
 </bs>
 </hist>
@@ -28896,47 +31022,47 @@
 <b>
 <a>1</a>
 <b>2</b>
-<v>409</v>
+<v>172</v>
 </b>
 <b>
 <a>2</a>
 <b>3</b>
-<v>248</v>
+<v>107</v>
 </b>
 <b>
 <a>3</a>
 <b>4</b>
-<v>160</v>
+<v>82</v>
 </b>
 <b>
 <a>4</a>
 <b>5</b>
-<v>112</v>
+<v>50</v>
 </b>
 <b>
 <a>5</a>
 <b>7</b>
-<v>116</v>
+<v>47</v>
 </b>
 <b>
 <a>7</a>
 <b>11</b>
-<v>121</v>
+<v>50</v>
 </b>
 <b>
 <a>11</a>
-<b>19</b>
-<v>107</v>
+<b>18</b>
+<v>50</v>
 </b>
 <b>
-<a>20</a>
-<b>97</b>
-<v>107</v>
+<a>18</a>
+<b>47</b>
+<v>50</v>
 </b>
 <b>
-<a>122</a>
-<b>304</b>
-<v>24</v>
+<a>70</a>
+<b>303</b>
+<v>17</v>
 </b>
 </bs>
 </hist>
@@ -28946,22 +31072,22 @@
 </relation>
 <relation>
 <name>conditional_access</name>
-<cardinality>3073</cardinality>
+<cardinality>1323</cardinality>
 <columnsizes>
 <e>
 <k>id</k>
-<v>3073</v>
+<v>1323</v>
 </e>
 </columnsizes>
 <dependencies/>
 </relation>
 <relation>
 <name>expr_argument</name>
-<cardinality>873865</cardinality>
+<cardinality>409033</cardinality>
 <columnsizes>
 <e>
 <k>id</k>
-<v>873865</v>
+<v>409033</v>
 </e>
 <e>
 <k>mode</k>
@@ -28979,7 +31105,7 @@
 <b>
 <a>1</a>
 <b>2</b>
-<v>873865</v>
+<v>409033</v>
 </b>
 </bs>
 </hist>
@@ -28993,23 +31119,23 @@
 <budget>12</budget>
 <bs>
 <b>
-<a>213</a>
-<b>214</b>
+<a>93</a>
+<b>94</b>
 <v>1</v>
 </b>
 <b>
-<a>4293</a>
-<b>4294</b>
+<a>764</a>
+<b>765</b>
 <v>1</v>
 </b>
 <b>
-<a>5670</a>
-<b>5671</b>
+<a>1980</a>
+<b>1981</b>
 <v>1</v>
 </b>
 <b>
-<a>863689</a>
-<b>863690</b>
+<a>406196</a>
+<b>406197</b>
 <v>1</v>
 </b>
 </bs>
@@ -29020,15 +31146,15 @@
 </relation>
 <relation>
 <name>expr_argument_name</name>
-<cardinality>60805</cardinality>
+<cardinality>27657</cardinality>
 <columnsizes>
 <e>
 <k>id</k>
-<v>60805</v>
+<v>27657</v>
 </e>
 <e>
 <k>name</k>
-<v>2738</v>
+<v>1049</v>
 </e>
 </columnsizes>
 <dependencies>
@@ -29042,7 +31168,7 @@
 <b>
 <a>1</a>
 <b>2</b>
-<v>60805</v>
+<v>27657</v>
 </b>
 </bs>
 </hist>
@@ -29058,42 +31184,47 @@
 <b>
 <a>1</a>
 <b>2</b>
-<v>895</v>
+<v>344</v>
 </b>
 <b>
 <a>2</a>
 <b>3</b>
-<v>486</v>
+<v>172</v>
 </b>
 <b>
 <a>3</a>
 <b>4</b>
-<v>281</v>
+<v>101</v>
 </b>
 <b>
 <a>4</a>
 <b>5</b>
-<v>195</v>
+<v>71</v>
 </b>
 <b>
 <a>5</a>
 <b>8</b>
-<v>251</v>
+<v>96</v>
 </b>
 <b>
 <a>8</a>
 <b>13</b>
-<v>232</v>
+<v>89</v>
 </b>
 <b>
 <a>13</a>
-<b>28</b>
-<v>207</v>
+<b>26</b>
+<v>81</v>
 </b>
 <b>
-<a>28</a>
-<b>11230</b>
-<v>191</v>
+<a>26</a>
+<b>187</b>
+<v>79</v>
+</b>
+<b>
+<a>212</a>
+<b>4751</b>
+<v>16</v>
 </b>
 </bs>
 </hist>
@@ -29151,11 +31282,11 @@
 </relation>
 <relation>
 <name>xmlDTDs</name>
-<cardinality>6</cardinality>
+<cardinality>5</cardinality>
 <columnsizes>
 <e>
 <k>id</k>
-<v>6</v>
+<v>5</v>
 </e>
 <e>
 <k>root</k>
@@ -29171,7 +31302,7 @@
 </e>
 <e>
 <k>fileid</k>
-<v>6</v>
+<v>5</v>
 </e>
 </columnsizes>
 <dependencies>
@@ -29185,7 +31316,7 @@
 <b>
 <a>1</a>
 <b>2</b>
-<v>6</v>
+<v>5</v>
 </b>
 </bs>
 </hist>
@@ -29201,7 +31332,7 @@
 <b>
 <a>1</a>
 <b>2</b>
-<v>6</v>
+<v>5</v>
 </b>
 </bs>
 </hist>
@@ -29217,7 +31348,7 @@
 <b>
 <a>1</a>
 <b>2</b>
-<v>6</v>
+<v>5</v>
 </b>
 </bs>
 </hist>
@@ -29233,7 +31364,7 @@
 <b>
 <a>1</a>
 <b>2</b>
-<v>6</v>
+<v>5</v>
 </b>
 </bs>
 </hist>
@@ -29451,7 +31582,7 @@
 <b>
 <a>1</a>
 <b>2</b>
-<v>6</v>
+<v>5</v>
 </b>
 </bs>
 </hist>
@@ -29467,7 +31598,7 @@
 <b>
 <a>1</a>
 <b>2</b>
-<v>6</v>
+<v>5</v>
 </b>
 </bs>
 </hist>
@@ -29483,7 +31614,7 @@
 <b>
 <a>1</a>
 <b>2</b>
-<v>6</v>
+<v>5</v>
 </b>
 </bs>
 </hist>
@@ -29499,7 +31630,7 @@
 <b>
 <a>1</a>
 <b>2</b>
-<v>6</v>
+<v>5</v>
 </b>
 </bs>
 </hist>
@@ -33562,11 +35693,11 @@
 </relation>
 <relation>
 <name>commentline</name>
-<cardinality>420689</cardinality>
+<cardinality>94236</cardinality>
 <columnsizes>
 <e>
 <k>id</k>
-<v>420689</v>
+<v>94236</v>
 </e>
 <e>
 <k>kind</k>
@@ -33574,11 +35705,11 @@
 </e>
 <e>
 <k>text</k>
-<v>201809</v>
+<v>52841</v>
 </e>
 <e>
 <k>rawtext</k>
-<v>204485</v>
+<v>53561</v>
 </e>
 </columnsizes>
 <dependencies>
@@ -33592,7 +35723,7 @@
 <b>
 <a>1</a>
 <b>2</b>
-<v>420689</v>
+<v>94236</v>
 </b>
 </bs>
 </hist>
@@ -33608,7 +35739,7 @@
 <b>
 <a>1</a>
 <b>2</b>
-<v>420689</v>
+<v>94236</v>
 </b>
 </bs>
 </hist>
@@ -33624,7 +35755,7 @@
 <b>
 <a>1</a>
 <b>2</b>
-<v>420689</v>
+<v>94236</v>
 </b>
 </bs>
 </hist>
@@ -33638,18 +35769,18 @@
 <budget>12</budget>
 <bs>
 <b>
-<a>18162</a>
-<b>18163</b>
+<a>604</a>
+<b>605</b>
 <v>1</v>
 </b>
 <b>
-<a>151752</a>
-<b>151753</b>
+<a>7127</a>
+<b>7128</b>
 <v>1</v>
 </b>
 <b>
-<a>167355</a>
-<b>167356</b>
+<a>81418</a>
+<b>81419</b>
 <v>1</v>
 </b>
 </bs>
@@ -33664,18 +35795,18 @@
 <budget>12</budget>
 <bs>
 <b>
-<a>12037</a>
-<b>12038</b>
+<a>156</a>
+<b>157</b>
 <v>1</v>
 </b>
 <b>
-<a>60681</a>
-<b>60682</b>
+<a>4531</a>
+<b>4532</b>
 <v>1</v>
 </b>
 <b>
-<a>89979</a>
-<b>89980</b>
+<a>45654</a>
+<b>45655</b>
 <v>1</v>
 </b>
 </bs>
@@ -33690,18 +35821,18 @@
 <budget>12</budget>
 <bs>
 <b>
-<a>12704</a>
-<b>12705</b>
+<a>157</a>
+<b>158</b>
 <v>1</v>
 </b>
 <b>
-<a>60920</a>
-<b>60921</b>
+<a>4678</a>
+<b>4679</b>
 <v>1</v>
 </b>
 <b>
-<a>90313</a>
-<b>90314</b>
+<a>45835</a>
+<b>45836</b>
 <v>1</v>
 </b>
 </bs>
@@ -33718,17 +35849,17 @@
 <b>
 <a>1</a>
 <b>2</b>
-<v>165358</v>
+<v>44757</v>
 </b>
 <b>
 <a>2</a>
 <b>3</b>
-<v>24053</v>
+<v>5919</v>
 </b>
 <b>
 <a>3</a>
-<b>24462</b>
-<v>12397</v>
+<b>6105</b>
+<v>2164</v>
 </b>
 </bs>
 </hist>
@@ -33744,12 +35875,12 @@
 <b>
 <a>1</a>
 <b>2</b>
-<v>200693</v>
+<v>52470</v>
 </b>
 <b>
 <a>2</a>
 <b>4</b>
-<v>1116</v>
+<v>371</v>
 </b>
 </bs>
 </hist>
@@ -33765,12 +35896,12 @@
 <b>
 <a>1</a>
 <b>2</b>
-<v>199683</v>
+<v>52264</v>
 </b>
 <b>
 <a>2</a>
-<b>51</b>
-<v>2126</v>
+<b>35</b>
+<v>577</v>
 </b>
 </bs>
 </hist>
@@ -33786,17 +35917,17 @@
 <b>
 <a>1</a>
 <b>2</b>
-<v>168762</v>
+<v>45738</v>
 </b>
 <b>
 <a>2</a>
 <b>3</b>
-<v>23575</v>
+<v>5679</v>
 </b>
 <b>
 <a>3</a>
-<b>24457</b>
-<v>12146</v>
+<b>5512</b>
+<v>2143</v>
 </b>
 </bs>
 </hist>
@@ -33812,7 +35943,7 @@
 <b>
 <a>1</a>
 <b>2</b>
-<v>204485</v>
+<v>53561</v>
 </b>
 </bs>
 </hist>
@@ -33828,7 +35959,7 @@
 <b>
 <a>1</a>
 <b>2</b>
-<v>204485</v>
+<v>53561</v>
 </b>
 </bs>
 </hist>
@@ -33838,15 +35969,15 @@
 </relation>
 <relation>
 <name>commentline_location</name>
-<cardinality>420689</cardinality>
+<cardinality>94236</cardinality>
 <columnsizes>
 <e>
 <k>id</k>
-<v>420689</v>
+<v>94236</v>
 </e>
 <e>
 <k>loc</k>
-<v>420689</v>
+<v>94236</v>
 </e>
 </columnsizes>
 <dependencies>
@@ -33860,7 +35991,7 @@
 <b>
 <a>1</a>
 <b>2</b>
-<v>420689</v>
+<v>94236</v>
 </b>
 </bs>
 </hist>
@@ -33876,7 +36007,7 @@
 <b>
 <a>1</a>
 <b>2</b>
-<v>420689</v>
+<v>94236</v>
 </b>
 </bs>
 </hist>
@@ -33886,26 +36017,26 @@
 </relation>
 <relation>
 <name>commentblock</name>
-<cardinality>147866</cardinality>
+<cardinality>42325</cardinality>
 <columnsizes>
 <e>
 <k>id</k>
-<v>147866</v>
+<v>42325</v>
 </e>
 </columnsizes>
 <dependencies/>
 </relation>
 <relation>
 <name>commentblock_location</name>
-<cardinality>147866</cardinality>
+<cardinality>42325</cardinality>
 <columnsizes>
 <e>
 <k>id</k>
-<v>147866</v>
+<v>42325</v>
 </e>
 <e>
 <k>loc</k>
-<v>147866</v>
+<v>42325</v>
 </e>
 </columnsizes>
 <dependencies>
@@ -33919,7 +36050,7 @@
 <b>
 <a>1</a>
 <b>2</b>
-<v>147866</v>
+<v>42325</v>
 </b>
 </bs>
 </hist>
@@ -33935,7 +36066,7 @@
 <b>
 <a>1</a>
 <b>2</b>
-<v>147866</v>
+<v>42325</v>
 </b>
 </bs>
 </hist>
@@ -33945,15 +36076,15 @@
 </relation>
 <relation>
 <name>commentblock_binding</name>
-<cardinality>512139</cardinality>
+<cardinality>133597</cardinality>
 <columnsizes>
 <e>
 <k>id</k>
-<v>147806</v>
+<v>42288</v>
 </e>
 <e>
 <k>entity</k>
-<v>221346</v>
+<v>65144</v>
 </e>
 <e>
 <k>bindtype</k>
@@ -33971,22 +36102,22 @@
 <b>
 <a>1</a>
 <b>2</b>
-<v>18500</v>
+<v>9049</v>
 </b>
 <b>
 <a>2</a>
 <b>3</b>
-<v>29767</v>
+<v>10673</v>
 </b>
 <b>
 <a>3</a>
 <b>4</b>
-<v>99239</v>
+<v>22336</v>
 </b>
 <b>
 <a>4</a>
 <b>7</b>
-<v>298</v>
+<v>228</v>
 </b>
 </bs>
 </hist>
@@ -34002,22 +36133,22 @@
 <b>
 <a>1</a>
 <b>2</b>
-<v>13274</v>
+<v>7568</v>
 </b>
 <b>
 <a>2</a>
 <b>3</b>
-<v>5349</v>
+<v>1533</v>
 </b>
 <b>
 <a>3</a>
 <b>4</b>
-<v>29720</v>
+<v>10676</v>
 </b>
 <b>
 <a>4</a>
 <b>5</b>
-<v>99461</v>
+<v>22509</v>
 </b>
 </bs>
 </hist>
@@ -34033,17 +36164,17 @@
 <b>
 <a>1</a>
 <b>2</b>
-<v>162214</v>
+<v>50257</v>
 </b>
 <b>
 <a>2</a>
 <b>3</b>
-<v>43096</v>
+<v>10921</v>
 </b>
 <b>
 <a>3</a>
-<b>9895</b>
-<v>16035</v>
+<b>525</b>
+<v>3965</v>
 </b>
 </bs>
 </hist>
@@ -34059,22 +36190,22 @@
 <b>
 <a>1</a>
 <b>2</b>
-<v>96638</v>
+<v>32218</v>
 </b>
 <b>
 <a>2</a>
 <b>3</b>
-<v>95048</v>
+<v>25063</v>
 </b>
 <b>
 <a>3</a>
 <b>4</b>
-<v>28767</v>
+<v>7689</v>
 </b>
 <b>
 <a>4</a>
 <b>5</b>
-<v>891</v>
+<v>173</v>
 </b>
 </bs>
 </hist>
@@ -34088,23 +36219,23 @@
 <budget>12</budget>
 <bs>
 <b>
-<a>83794</a>
-<b>83795</b>
+<a>23541</a>
+<b>23542</b>
 <v>1</v>
 </b>
 <b>
-<a>104319</a>
-<b>104320</b>
+<a>32035</a>
+<b>32036</b>
 <v>1</v>
 </b>
 <b>
-<a>107785</a>
-<b>107786</b>
+<a>32822</a>
+<b>32823</b>
 <v>1</v>
 </b>
 <b>
-<a>113759</a>
-<b>113760</b>
+<a>37140</a>
+<b>37141</b>
 <v>1</v>
 </b>
 </bs>
@@ -34119,23 +36250,23 @@
 <budget>12</budget>
 <bs>
 <b>
-<a>35897</a>
-<b>35898</b>
+<a>15869</a>
+<b>15870</b>
 <v>1</v>
 </b>
 <b>
-<a>77379</a>
-<b>77380</b>
+<a>21711</a>
+<b>21712</b>
 <v>1</v>
 </b>
 <b>
-<a>86313</a>
-<b>86314</b>
+<a>29111</a>
+<b>29112</b>
 <v>1</v>
 </b>
 <b>
-<a>102338</a>
-<b>102339</b>
+<a>33686</a>
+<b>33687</b>
 <v>1</v>
 </b>
 </bs>
@@ -34146,19 +36277,19 @@
 </relation>
 <relation>
 <name>commentblock_child</name>
-<cardinality>557212</cardinality>
+<cardinality>132682</cardinality>
 <columnsizes>
 <e>
 <k>id</k>
-<v>147866</v>
+<v>42325</v>
 </e>
 <e>
 <k>commentline</k>
-<v>420600</v>
+<v>94161</v>
 </e>
 <e>
 <k>index</k>
-<v>5111</v>
+<v>1200</v>
 </e>
 </columnsizes>
 <dependencies>
@@ -34172,32 +36303,22 @@
 <b>
 <a>1</a>
 <b>2</b>
-<v>78789</v>
+<v>26814</v>
 </b>
 <b>
 <a>2</a>
 <b>3</b>
-<v>20407</v>
+<v>9030</v>
 </b>
 <b>
 <a>3</a>
-<b>4</b>
-<v>19444</v>
-</b>
-<b>
-<a>4</a>
 <b>5</b>
-<v>9185</v>
+<v>3555</v>
 </b>
 <b>
 <a>5</a>
-<b>8</b>
-<v>11757</v>
-</b>
-<b>
-<a>8</a>
-<b>4098</b>
-<v>8281</v>
+<b>1136</b>
+<v>2923</v>
 </b>
 </bs>
 </hist>
@@ -34213,37 +36334,27 @@
 <b>
 <a>1</a>
 <b>2</b>
-<v>4309</v>
+<v>2277</v>
 </b>
 <b>
 <a>2</a>
 <b>3</b>
-<v>75404</v>
+<v>24975</v>
 </b>
 <b>
 <a>3</a>
 <b>4</b>
-<v>22200</v>
+<v>8866</v>
 </b>
 <b>
 <a>4</a>
-<b>5</b>
-<v>17648</v>
-</b>
-<b>
-<a>5</a>
 <b>6</b>
-<v>8834</v>
+<v>3376</v>
 </b>
 <b>
 <a>6</a>
-<b>9</b>
-<v>11470</v>
-</b>
-<b>
-<a>9</a>
-<b>4099</b>
-<v>7997</v>
+<b>1137</b>
+<v>2828</v>
 </b>
 </bs>
 </hist>
@@ -34259,12 +36370,7 @@
 <b>
 <a>1</a>
 <b>2</b>
-<v>420592</v>
-</b>
-<b>
-<a>2</a>
-<b>3</b>
-<v>8</v>
+<v>94161</v>
 </b>
 </bs>
 </hist>
@@ -34280,12 +36386,12 @@
 <b>
 <a>1</a>
 <b>2</b>
-<v>283998</v>
+<v>55641</v>
 </b>
 <b>
 <a>2</a>
 <b>3</b>
-<v>136602</v>
+<v>38520</v>
 </b>
 </bs>
 </hist>
@@ -34301,32 +36407,47 @@
 <b>
 <a>1</a>
 <b>2</b>
-<v>2281</v>
+<v>286</v>
 </b>
 <b>
 <a>2</a>
-<b>3</b>
-<v>1413</v>
+<b>6</b>
+<v>71</v>
 </b>
 <b>
-<a>3</a>
+<a>6</a>
 <b>7</b>
-<v>407</v>
+<v>300</v>
 </b>
 <b>
 <a>7</a>
 <b>10</b>
-<v>450</v>
+<v>77</v>
+</b>
+<b>
+<a>10</a>
+<b>11</b>
+<v>145</v>
 </b>
 <b>
 <a>11</a>
-<b>28</b>
-<v>389</v>
+<b>15</b>
+<v>64</v>
 </b>
 <b>
-<a>28</a>
-<b>118546</b>
-<v>169</v>
+<a>15</a>
+<b>17</b>
+<v>101</v>
+</b>
+<b>
+<a>17</a>
+<b>40</b>
+<v>99</v>
+</b>
+<b>
+<a>40</a>
+<b>40041</b>
+<v>53</v>
 </b>
 </bs>
 </hist>
@@ -34342,32 +36463,47 @@
 <b>
 <a>1</a>
 <b>2</b>
-<v>2281</v>
+<v>286</v>
 </b>
 <b>
 <a>2</a>
-<b>3</b>
-<v>1413</v>
+<b>6</b>
+<v>71</v>
 </b>
 <b>
-<a>3</a>
+<a>6</a>
 <b>7</b>
-<v>407</v>
+<v>300</v>
 </b>
 <b>
 <a>7</a>
 <b>10</b>
-<v>450</v>
+<v>77</v>
+</b>
+<b>
+<a>10</a>
+<b>11</b>
+<v>145</v>
 </b>
 <b>
 <a>11</a>
-<b>28</b>
-<v>389</v>
+<b>15</b>
+<v>64</v>
 </b>
 <b>
-<a>28</a>
-<b>118539</b>
-<v>169</v>
+<a>15</a>
+<b>17</b>
+<v>101</v>
+</b>
+<b>
+<a>17</a>
+<b>40</b>
+<v>99</v>
+</b>
+<b>
+<a>40</a>
+<b>40041</b>
+<v>53</v>
 </b>
 </bs>
 </hist>
@@ -34839,7 +36975,7 @@
 </e>
 <e>
 <k>name</k>
-<v>2</v>
+<v>1</v>
 </e>
 </columnsizes>
 <dependencies>
@@ -34867,13 +37003,8 @@
 <budget>12</budget>
 <bs>
 <b>
-<a>1</a>
-<b>2</b>
-<v>1</v>
-</b>
-<b>
-<a>2</a>
-<b>3</b>
+<a>3</a>
+<b>4</b>
 <v>1</v>
 </b>
 </bs>
@@ -35171,7 +37302,7 @@
 </e>
 <e>
 <k>name</k>
-<v>3</v>
+<v>6</v>
 </e>
 </columnsizes>
 <dependencies>
@@ -35199,9 +37330,19 @@
 <budget>12</budget>
 <bs>
 <b>
+<a>1</a>
+<b>2</b>
+<v>4</v>
+</b>
+<b>
+<a>2</a>
+<b>3</b>
+<v>1</v>
+</b>
+<b>
 <a>3</a>
 <b>4</b>
-<v>3</v>
+<v>1</v>
 </b>
 </bs>
 </hist>
@@ -35222,23 +37363,23 @@
 </relation>
 <relation>
 <name>cil_instruction</name>
-<cardinality>32160713</cardinality>
+<cardinality>16552562</cardinality>
 <columnsizes>
 <e>
 <k>id</k>
-<v>32160713</v>
+<v>16552562</v>
 </e>
 <e>
 <k>opcode</k>
-<v>964</v>
+<v>496</v>
 </e>
 <e>
 <k>index</k>
-<v>332323</v>
+<v>171041</v>
 </e>
 <e>
 <k>impl</k>
-<v>1725702</v>
+<v>888189</v>
 </e>
 </columnsizes>
 <dependencies>
@@ -35252,7 +37393,7 @@
 <b>
 <a>1</a>
 <b>2</b>
-<v>32160713</v>
+<v>16552562</v>
 </b>
 </bs>
 </hist>
@@ -35268,7 +37409,7 @@
 <b>
 <a>1</a>
 <b>2</b>
-<v>32160713</v>
+<v>16552562</v>
 </b>
 </bs>
 </hist>
@@ -35284,7 +37425,7 @@
 <b>
 <a>1</a>
 <b>2</b>
-<v>32160713</v>
+<v>16552562</v>
 </b>
 </bs>
 </hist>
@@ -35300,72 +37441,72 @@
 <b>
 <a>1</a>
 <b>7</b>
-<v>77</v>
+<v>40</v>
 </b>
 <b>
 <a>7</a>
 <b>42</b>
-<v>73</v>
+<v>37</v>
 </b>
 <b>
 <a>46</a>
 <b>106</b>
-<v>73</v>
+<v>37</v>
 </b>
 <b>
 <a>128</a>
 <b>302</b>
-<v>73</v>
+<v>37</v>
 </b>
 <b>
 <a>304</a>
 <b>953</b>
-<v>73</v>
+<v>37</v>
 </b>
 <b>
 <a>1002</a>
 <b>1752</b>
-<v>73</v>
+<v>37</v>
 </b>
 <b>
 <a>1791</a>
 <b>2952</b>
-<v>73</v>
+<v>37</v>
 </b>
 <b>
 <a>3194</a>
 <b>4898</b>
-<v>73</v>
+<v>37</v>
 </b>
 <b>
 <a>5191</a>
 <b>11577</b>
-<v>73</v>
+<v>37</v>
 </b>
 <b>
 <a>11669</a>
 <b>19719</b>
-<v>73</v>
+<v>37</v>
 </b>
 <b>
 <a>19906</a>
 <b>53412</b>
-<v>73</v>
+<v>37</v>
 </b>
 <b>
 <a>54233</a>
 <b>104298</b>
-<v>73</v>
+<v>37</v>
 </b>
 <b>
 <a>104740</a>
 <b>420483</b>
-<v>73</v>
+<v>37</v>
 </b>
 <b>
 <a>562153</a>
 <b>815024</b>
-<v>9</v>
+<v>5</v>
 </b>
 </bs>
 </hist>
@@ -35381,67 +37522,67 @@
 <b>
 <a>1</a>
 <b>7</b>
-<v>82</v>
+<v>42</v>
 </b>
 <b>
 <a>10</a>
 <b>31</b>
-<v>73</v>
+<v>37</v>
 </b>
 <b>
 <a>32</a>
 <b>68</b>
-<v>73</v>
+<v>37</v>
 </b>
 <b>
 <a>75</a>
 <b>148</b>
-<v>73</v>
+<v>37</v>
 </b>
 <b>
 <a>150</a>
 <b>214</b>
-<v>73</v>
+<v>37</v>
 </b>
 <b>
 <a>214</a>
 <b>313</b>
-<v>77</v>
+<v>40</v>
 </b>
 <b>
 <a>323</a>
 <b>468</b>
-<v>73</v>
+<v>37</v>
 </b>
 <b>
 <a>486</a>
 <b>699</b>
-<v>73</v>
+<v>37</v>
 </b>
 <b>
 <a>714</a>
 <b>872</b>
-<v>73</v>
+<v>37</v>
 </b>
 <b>
 <a>879</a>
 <b>1176</b>
-<v>73</v>
+<v>37</v>
 </b>
 <b>
 <a>1185</a>
 <b>1360</b>
-<v>73</v>
+<v>37</v>
 </b>
 <b>
 <a>1382</a>
 <b>2349</b>
-<v>73</v>
+<v>37</v>
 </b>
 <b>
 <a>2641</a>
 <b>31606</b>
-<v>73</v>
+<v>37</v>
 </b>
 </bs>
 </hist>
@@ -35457,72 +37598,72 @@
 <b>
 <a>1</a>
 <b>6</b>
-<v>77</v>
+<v>40</v>
 </b>
 <b>
 <a>7</a>
 <b>22</b>
-<v>73</v>
+<v>37</v>
 </b>
 <b>
 <a>26</a>
 <b>58</b>
-<v>73</v>
+<v>37</v>
 </b>
 <b>
 <a>62</a>
 <b>191</b>
-<v>73</v>
+<v>37</v>
 </b>
 <b>
 <a>192</a>
 <b>422</b>
-<v>73</v>
+<v>37</v>
 </b>
 <b>
 <a>434</a>
 <b>696</b>
-<v>73</v>
+<v>37</v>
 </b>
 <b>
 <a>703</a>
 <b>993</b>
-<v>73</v>
+<v>37</v>
 </b>
 <b>
 <a>1012</a>
 <b>2698</b>
-<v>73</v>
+<v>37</v>
 </b>
 <b>
 <a>2754</a>
 <b>5088</b>
-<v>73</v>
+<v>37</v>
 </b>
 <b>
 <a>5150</a>
 <b>9841</b>
-<v>73</v>
+<v>37</v>
 </b>
 <b>
 <a>10112</a>
 <b>16999</b>
-<v>73</v>
+<v>37</v>
 </b>
 <b>
 <a>18955</a>
 <b>42845</b>
-<v>73</v>
+<v>37</v>
 </b>
 <b>
 <a>44005</a>
 <b>171634</b>
-<v>73</v>
+<v>37</v>
 </b>
 <b>
 <a>243198</a>
 <b>301111</b>
-<v>9</v>
+<v>5</v>
 </b>
 </bs>
 </hist>
@@ -35538,22 +37679,22 @@
 <b>
 <a>1</a>
 <b>2</b>
-<v>260306</v>
+<v>133975</v>
 </b>
 <b>
 <a>2</a>
 <b>11</b>
-<v>30587</v>
+<v>15742</v>
 </b>
 <b>
 <a>11</a>
 <b>25</b>
-<v>25483</v>
+<v>13115</v>
 </b>
 <b>
 <a>25</a>
 <b>354308</b>
-<v>15946</v>
+<v>8207</v>
 </b>
 </bs>
 </hist>
@@ -35569,27 +37710,27 @@
 <b>
 <a>1</a>
 <b>2</b>
-<v>260900</v>
+<v>134281</v>
 </b>
 <b>
 <a>2</a>
 <b>3</b>
-<v>17675</v>
+<v>9097</v>
 </b>
 <b>
 <a>3</a>
 <b>5</b>
-<v>28722</v>
+<v>14782</v>
 </b>
 <b>
 <a>5</a>
 <b>160</b>
-<v>24927</v>
+<v>12829</v>
 </b>
 <b>
 <a>160</a>
 <b>169</b>
-<v>97</v>
+<v>50</v>
 </b>
 </bs>
 </hist>
@@ -35605,22 +37746,22 @@
 <b>
 <a>1</a>
 <b>2</b>
-<v>260306</v>
+<v>133975</v>
 </b>
 <b>
 <a>2</a>
 <b>11</b>
-<v>30587</v>
+<v>15742</v>
 </b>
 <b>
 <a>11</a>
 <b>25</b>
-<v>25483</v>
+<v>13115</v>
 </b>
 <b>
 <a>25</a>
 <b>354308</b>
-<v>15946</v>
+<v>8207</v>
 </b>
 </bs>
 </hist>
@@ -35636,57 +37777,57 @@
 <b>
 <a>1</a>
 <b>2</b>
-<v>83979</v>
+<v>43222</v>
 </b>
 <b>
 <a>2</a>
 <b>3</b>
-<v>251744</v>
+<v>129568</v>
 </b>
 <b>
 <a>3</a>
 <b>4</b>
-<v>332211</v>
+<v>170983</v>
 </b>
 <b>
 <a>4</a>
 <b>5</b>
-<v>195794</v>
+<v>100772</v>
 </b>
 <b>
 <a>5</a>
 <b>6</b>
-<v>107022</v>
+<v>55082</v>
 </b>
 <b>
 <a>6</a>
 <b>9</b>
-<v>157925</v>
+<v>81281</v>
 </b>
 <b>
 <a>9</a>
 <b>14</b>
-<v>150936</v>
+<v>77684</v>
 </b>
 <b>
 <a>14</a>
 <b>21</b>
-<v>133786</v>
+<v>68857</v>
 </b>
 <b>
 <a>21</a>
 <b>35</b>
-<v>131439</v>
+<v>67649</v>
 </b>
 <b>
 <a>35</a>
 <b>106</b>
-<v>129466</v>
+<v>66634</v>
 </b>
 <b>
 <a>106</a>
 <b>68231</b>
-<v>51395</v>
+<v>26452</v>
 </b>
 </bs>
 </hist>
@@ -35702,57 +37843,57 @@
 <b>
 <a>1</a>
 <b>2</b>
-<v>83979</v>
+<v>43222</v>
 </b>
 <b>
 <a>2</a>
 <b>3</b>
-<v>252031</v>
+<v>129716</v>
 </b>
 <b>
 <a>3</a>
 <b>4</b>
-<v>338178</v>
+<v>174054</v>
 </b>
 <b>
 <a>4</a>
 <b>5</b>
-<v>239362</v>
+<v>123195</v>
 </b>
 <b>
 <a>5</a>
 <b>6</b>
-<v>132379</v>
+<v>68133</v>
 </b>
 <b>
 <a>6</a>
 <b>7</b>
-<v>96287</v>
+<v>49557</v>
 </b>
 <b>
 <a>7</a>
 <b>9</b>
-<v>147721</v>
+<v>76029</v>
 </b>
 <b>
 <a>9</a>
 <b>12</b>
-<v>128804</v>
+<v>66293</v>
 </b>
 <b>
 <a>12</a>
 <b>17</b>
-<v>135749</v>
+<v>69868</v>
 </b>
 <b>
 <a>17</a>
 <b>33</b>
-<v>132033</v>
+<v>67955</v>
 </b>
 <b>
 <a>33</a>
 <b>74</b>
-<v>39174</v>
+<v>20162</v>
 </b>
 </bs>
 </hist>
@@ -35768,57 +37909,57 @@
 <b>
 <a>1</a>
 <b>2</b>
-<v>83979</v>
+<v>43222</v>
 </b>
 <b>
 <a>2</a>
 <b>3</b>
-<v>251744</v>
+<v>129568</v>
 </b>
 <b>
 <a>3</a>
 <b>4</b>
-<v>332211</v>
+<v>170983</v>
 </b>
 <b>
 <a>4</a>
 <b>5</b>
-<v>195794</v>
+<v>100772</v>
 </b>
 <b>
 <a>5</a>
 <b>6</b>
-<v>107022</v>
+<v>55082</v>
 </b>
 <b>
 <a>6</a>
 <b>9</b>
-<v>157925</v>
+<v>81281</v>
 </b>
 <b>
 <a>9</a>
 <b>14</b>
-<v>150936</v>
+<v>77684</v>
 </b>
 <b>
 <a>14</a>
 <b>21</b>
-<v>133786</v>
+<v>68857</v>
 </b>
 <b>
 <a>21</a>
 <b>35</b>
-<v>131439</v>
+<v>67649</v>
 </b>
 <b>
 <a>35</a>
 <b>106</b>
-<v>129466</v>
+<v>66634</v>
 </b>
 <b>
 <a>106</a>
 <b>68231</b>
-<v>51395</v>
+<v>26452</v>
 </b>
 </bs>
 </hist>
@@ -35828,15 +37969,15 @@
 </relation>
 <relation>
 <name>cil_jump</name>
-<cardinality>2003363</cardinality>
+<cardinality>1031096</cardinality>
 <columnsizes>
 <e>
 <k>instruction</k>
-<v>2003363</v>
+<v>1031096</v>
 </e>
 <e>
 <k>target</k>
-<v>1604487</v>
+<v>825801</v>
 </e>
 </columnsizes>
 <dependencies>
@@ -35850,7 +37991,7 @@
 <b>
 <a>1</a>
 <b>2</b>
-<v>2003363</v>
+<v>1031096</v>
 </b>
 </bs>
 </hist>
@@ -35866,17 +38007,17 @@
 <b>
 <a>1</a>
 <b>2</b>
-<v>1390890</v>
+<v>715866</v>
 </b>
 <b>
 <a>2</a>
 <b>3</b>
-<v>143683</v>
+<v>73951</v>
 </b>
 <b>
 <a>3</a>
 <b>360</b>
-<v>69913</v>
+<v>35983</v>
 </b>
 </bs>
 </hist>
@@ -35886,15 +38027,15 @@
 </relation>
 <relation>
 <name>cil_access</name>
-<cardinality>11925038</cardinality>
+<cardinality>6137610</cardinality>
 <columnsizes>
 <e>
 <k>instruction</k>
-<v>11925038</v>
+<v>6137610</v>
 </e>
 <e>
 <k>target</k>
-<v>2664641</v>
+<v>1371444</v>
 </e>
 </columnsizes>
 <dependencies>
@@ -35908,7 +38049,7 @@
 <b>
 <a>1</a>
 <b>2</b>
-<v>11925038</v>
+<v>6137610</v>
 </b>
 </bs>
 </hist>
@@ -35924,37 +38065,37 @@
 <b>
 <a>1</a>
 <b>2</b>
-<v>944943</v>
+<v>486346</v>
 </b>
 <b>
 <a>2</a>
 <b>3</b>
-<v>739982</v>
+<v>380856</v>
 </b>
 <b>
 <a>3</a>
 <b>4</b>
-<v>269054</v>
+<v>138477</v>
 </b>
 <b>
 <a>4</a>
 <b>5</b>
-<v>187125</v>
+<v>96310</v>
 </b>
 <b>
 <a>5</a>
 <b>7</b>
-<v>226689</v>
+<v>116673</v>
 </b>
 <b>
 <a>7</a>
 <b>14</b>
-<v>203539</v>
+<v>104758</v>
 </b>
 <b>
 <a>14</a>
 <b>25741</b>
-<v>93306</v>
+<v>48023</v>
 </b>
 </bs>
 </hist>
@@ -35964,15 +38105,15 @@
 </relation>
 <relation>
 <name>cil_value</name>
-<cardinality>1884013</cardinality>
+<cardinality>969669</cardinality>
 <columnsizes>
 <e>
 <k>instruction</k>
-<v>1884013</v>
+<v>969669</v>
 </e>
 <e>
 <k>value</k>
-<v>494852</v>
+<v>254691</v>
 </e>
 </columnsizes>
 <dependencies>
@@ -35986,7 +38127,7 @@
 <b>
 <a>1</a>
 <b>2</b>
-<v>1884013</v>
+<v>969669</v>
 </b>
 </bs>
 </hist>
@@ -36002,27 +38143,27 @@
 <b>
 <a>1</a>
 <b>2</b>
-<v>334369</v>
+<v>172094</v>
 </b>
 <b>
 <a>2</a>
 <b>3</b>
-<v>79006</v>
+<v>40663</v>
 </b>
 <b>
 <a>3</a>
 <b>6</b>
-<v>40708</v>
+<v>20952</v>
 </b>
 <b>
 <a>6</a>
 <b>33</b>
-<v>37250</v>
+<v>19172</v>
 </b>
 <b>
 <a>33</a>
 <b>86799</b>
-<v>3516</v>
+<v>1809</v>
 </b>
 </bs>
 </hist>
@@ -36032,19 +38173,19 @@
 </relation>
 <relation>
 <name>cil_switch</name>
-<cardinality>194401</cardinality>
+<cardinality>100055</cardinality>
 <columnsizes>
 <e>
 <k>instruction</k>
-<v>23851</v>
+<v>12275</v>
 </e>
 <e>
 <k>index</k>
-<v>2518</v>
+<v>1296</v>
 </e>
 <e>
 <k>target</k>
-<v>130606</v>
+<v>67220</v>
 </e>
 </columnsizes>
 <dependencies>
@@ -36058,47 +38199,47 @@
 <b>
 <a>3</a>
 <b>4</b>
-<v>7018</v>
+<v>3612</v>
 </b>
 <b>
 <a>4</a>
 <b>5</b>
-<v>4593</v>
+<v>2363</v>
 </b>
 <b>
 <a>5</a>
 <b>6</b>
-<v>3229</v>
+<v>1662</v>
 </b>
 <b>
 <a>6</a>
 <b>7</b>
-<v>1685</v>
+<v>867</v>
 </b>
 <b>
 <a>7</a>
 <b>8</b>
-<v>1441</v>
+<v>742</v>
 </b>
 <b>
 <a>8</a>
 <b>11</b>
-<v>2157</v>
+<v>1110</v>
 </b>
 <b>
 <a>11</a>
 <b>17</b>
-<v>1845</v>
+<v>950</v>
 </b>
 <b>
 <a>17</a>
 <b>128</b>
-<v>1792</v>
+<v>922</v>
 </b>
 <b>
 <a>141</a>
 <b>518</b>
-<v>87</v>
+<v>45</v>
 </b>
 </bs>
 </hist>
@@ -36114,42 +38255,42 @@
 <b>
 <a>1</a>
 <b>3</b>
-<v>1056</v>
+<v>543</v>
 </b>
 <b>
 <a>3</a>
 <b>4</b>
-<v>8245</v>
+<v>4244</v>
 </b>
 <b>
 <a>4</a>
 <b>5</b>
-<v>5489</v>
+<v>2825</v>
 </b>
 <b>
 <a>5</a>
 <b>6</b>
-<v>2571</v>
+<v>1323</v>
 </b>
 <b>
 <a>6</a>
 <b>7</b>
-<v>1841</v>
+<v>947</v>
 </b>
 <b>
 <a>7</a>
 <b>9</b>
-<v>1699</v>
+<v>874</v>
 </b>
 <b>
 <a>9</a>
 <b>14</b>
-<v>1797</v>
+<v>925</v>
 </b>
 <b>
 <a>14</a>
 <b>204</b>
-<v>1149</v>
+<v>591</v>
 </b>
 </bs>
 </hist>
@@ -36165,52 +38306,52 @@
 <b>
 <a>1</a>
 <b>2</b>
-<v>24</v>
+<v>12</v>
 </b>
 <b>
 <a>2</a>
 <b>3</b>
-<v>988</v>
+<v>508</v>
 </b>
 <b>
 <a>3</a>
 <b>4</b>
-<v>48</v>
+<v>25</v>
 </b>
 <b>
 <a>4</a>
 <b>5</b>
-<v>360</v>
+<v>185</v>
 </b>
 <b>
 <a>6</a>
 <b>11</b>
-<v>204</v>
+<v>105</v>
 </b>
 <b>
 <a>11</a>
 <b>18</b>
-<v>204</v>
+<v>105</v>
 </b>
 <b>
 <a>18</a>
 <b>24</b>
-<v>189</v>
+<v>97</v>
 </b>
 <b>
 <a>25</a>
 <b>47</b>
-<v>199</v>
+<v>102</v>
 </b>
 <b>
 <a>47</a>
 <b>225</b>
-<v>189</v>
+<v>97</v>
 </b>
 <b>
 <a>238</a>
 <b>4898</b>
-<v>107</v>
+<v>55</v>
 </b>
 </bs>
 </hist>
@@ -36226,52 +38367,52 @@
 <b>
 <a>1</a>
 <b>2</b>
-<v>38</v>
+<v>20</v>
 </b>
 <b>
 <a>2</a>
 <b>3</b>
-<v>974</v>
+<v>501</v>
 </b>
 <b>
 <a>3</a>
 <b>4</b>
-<v>97</v>
+<v>50</v>
 </b>
 <b>
 <a>4</a>
 <b>5</b>
-<v>311</v>
+<v>160</v>
 </b>
 <b>
 <a>5</a>
 <b>11</b>
-<v>204</v>
+<v>105</v>
 </b>
 <b>
 <a>11</a>
 <b>18</b>
-<v>209</v>
+<v>107</v>
 </b>
 <b>
 <a>18</a>
 <b>24</b>
-<v>204</v>
+<v>105</v>
 </b>
 <b>
 <a>24</a>
 <b>47</b>
-<v>194</v>
+<v>100</v>
 </b>
 <b>
 <a>47</a>
 <b>271</b>
-<v>189</v>
+<v>97</v>
 </b>
 <b>
 <a>289</a>
 <b>4830</b>
-<v>92</v>
+<v>47</v>
 </b>
 </bs>
 </hist>
@@ -36287,12 +38428,12 @@
 <b>
 <a>1</a>
 <b>2</b>
-<v>128974</v>
+<v>66381</v>
 </b>
 <b>
 <a>2</a>
 <b>12</b>
-<v>1631</v>
+<v>839</v>
 </b>
 </bs>
 </hist>
@@ -36308,17 +38449,17 @@
 <b>
 <a>1</a>
 <b>2</b>
-<v>118215</v>
+<v>60843</v>
 </b>
 <b>
 <a>2</a>
 <b>7</b>
-<v>9999</v>
+<v>5146</v>
 </b>
 <b>
 <a>7</a>
 <b>253</b>
-<v>2391</v>
+<v>1230</v>
 </b>
 </bs>
 </hist>
@@ -36396,15 +38537,15 @@
 </relation>
 <relation>
 <name>cil_type_location</name>
-<cardinality>277344</cardinality>
+<cardinality>142744</cardinality>
 <columnsizes>
 <e>
 <k>id</k>
-<v>254973</v>
+<v>131230</v>
 </e>
 <e>
 <k>loc</k>
-<v>3414</v>
+<v>1757</v>
 </e>
 </columnsizes>
 <dependencies>
@@ -36418,12 +38559,12 @@
 <b>
 <a>1</a>
 <b>2</b>
-<v>232602</v>
+<v>119716</v>
 </b>
 <b>
 <a>2</a>
 <b>3</b>
-<v>22370</v>
+<v>11513</v>
 </b>
 </bs>
 </hist>
@@ -36439,67 +38580,67 @@
 <b>
 <a>1</a>
 <b>2</b>
-<v>287</v>
+<v>147</v>
 </b>
 <b>
 <a>2</a>
 <b>4</b>
-<v>219</v>
+<v>112</v>
 </b>
 <b>
 <a>4</a>
 <b>6</b>
-<v>233</v>
+<v>120</v>
 </b>
 <b>
 <a>6</a>
 <b>9</b>
-<v>297</v>
+<v>152</v>
 </b>
 <b>
 <a>9</a>
 <b>13</b>
-<v>272</v>
+<v>140</v>
 </b>
 <b>
 <a>13</a>
 <b>17</b>
-<v>267</v>
+<v>137</v>
 </b>
 <b>
 <a>17</a>
 <b>23</b>
-<v>282</v>
+<v>145</v>
 </b>
 <b>
 <a>23</a>
 <b>32</b>
-<v>263</v>
+<v>135</v>
 </b>
 <b>
 <a>32</a>
 <b>43</b>
-<v>267</v>
+<v>137</v>
 </b>
 <b>
 <a>43</a>
 <b>66</b>
-<v>258</v>
+<v>132</v>
 </b>
 <b>
 <a>66</a>
 <b>110</b>
-<v>263</v>
+<v>135</v>
 </b>
 <b>
 <a>112</a>
 <b>238</b>
-<v>258</v>
+<v>132</v>
 </b>
 <b>
 <a>239</a>
 <b>2419</b>
-<v>243</v>
+<v>125</v>
 </b>
 </bs>
 </hist>
@@ -36509,15 +38650,15 @@
 </relation>
 <relation>
 <name>cil_method_location</name>
-<cardinality>1883969</cardinality>
+<cardinality>969646</cardinality>
 <columnsizes>
 <e>
 <k>id</k>
-<v>1796560</v>
+<v>924658</v>
 </e>
 <e>
 <k>loc</k>
-<v>3126</v>
+<v>1609</v>
 </e>
 </columnsizes>
 <dependencies>
@@ -36531,12 +38672,12 @@
 <b>
 <a>1</a>
 <b>2</b>
-<v>1709152</v>
+<v>879671</v>
 </b>
 <b>
 <a>2</a>
 <b>3</b>
-<v>87408</v>
+<v>44987</v>
 </b>
 </bs>
 </hist>
@@ -36552,67 +38693,67 @@
 <b>
 <a>1</a>
 <b>11</b>
-<v>258</v>
+<v>132</v>
 </b>
 <b>
 <a>11</a>
 <b>23</b>
-<v>243</v>
+<v>125</v>
 </b>
 <b>
 <a>23</a>
 <b>38</b>
-<v>243</v>
+<v>125</v>
 </b>
 <b>
 <a>38</a>
 <b>53</b>
-<v>253</v>
+<v>130</v>
 </b>
 <b>
 <a>53</a>
 <b>79</b>
-<v>238</v>
+<v>122</v>
 </b>
 <b>
 <a>80</a>
 <b>107</b>
-<v>238</v>
+<v>122</v>
 </b>
 <b>
 <a>107</a>
 <b>138</b>
-<v>248</v>
+<v>127</v>
 </b>
 <b>
 <a>140</a>
 <b>204</b>
-<v>243</v>
+<v>125</v>
 </b>
 <b>
 <a>204</a>
 <b>278</b>
-<v>238</v>
+<v>122</v>
 </b>
 <b>
 <a>281</a>
 <b>385</b>
-<v>238</v>
+<v>122</v>
 </b>
 <b>
 <a>388</a>
 <b>734</b>
-<v>238</v>
+<v>122</v>
 </b>
 <b>
 <a>735</a>
 <b>1631</b>
-<v>238</v>
+<v>122</v>
 </b>
 <b>
 <a>1646</a>
 <b>33686</b>
-<v>204</v>
+<v>105</v>
 </b>
 </bs>
 </hist>
@@ -36622,27 +38763,27 @@
 </relation>
 <relation>
 <name>cil_type</name>
-<cardinality>794772</cardinality>
+<cardinality>409055</cardinality>
 <columnsizes>
 <e>
 <k>id</k>
-<v>794772</v>
+<v>409055</v>
 </e>
 <e>
 <k>name</k>
-<v>179044</v>
+<v>92151</v>
 </e>
 <e>
 <k>kind</k>
-<v>19</v>
+<v>10</v>
 </e>
 <e>
 <k>parent</k>
-<v>155427</v>
+<v>79995</v>
 </e>
 <e>
 <k>sourceDecl</k>
-<v>464615</v>
+<v>239129</v>
 </e>
 </columnsizes>
 <dependencies>
@@ -36656,7 +38797,7 @@
 <b>
 <a>1</a>
 <b>2</b>
-<v>794772</v>
+<v>409055</v>
 </b>
 </bs>
 </hist>
@@ -36672,7 +38813,7 @@
 <b>
 <a>1</a>
 <b>2</b>
-<v>794772</v>
+<v>409055</v>
 </b>
 </bs>
 </hist>
@@ -36688,7 +38829,7 @@
 <b>
 <a>1</a>
 <b>2</b>
-<v>794772</v>
+<v>409055</v>
 </b>
 </bs>
 </hist>
@@ -36704,7 +38845,7 @@
 <b>
 <a>1</a>
 <b>2</b>
-<v>794772</v>
+<v>409055</v>
 </b>
 </bs>
 </hist>
@@ -36720,22 +38861,22 @@
 <b>
 <a>1</a>
 <b>2</b>
-<v>137634</v>
+<v>70838</v>
 </b>
 <b>
 <a>2</a>
 <b>3</b>
-<v>22473</v>
+<v>11566</v>
 </b>
 <b>
 <a>3</a>
 <b>7</b>
-<v>14168</v>
+<v>7292</v>
 </b>
 <b>
 <a>7</a>
 <b>21324</b>
-<v>4768</v>
+<v>2454</v>
 </b>
 </bs>
 </hist>
@@ -36751,7 +38892,7 @@
 <b>
 <a>1</a>
 <b>2</b>
-<v>179044</v>
+<v>92151</v>
 </b>
 </bs>
 </hist>
@@ -36767,17 +38908,17 @@
 <b>
 <a>1</a>
 <b>2</b>
-<v>162396</v>
+<v>83582</v>
 </b>
 <b>
 <a>2</a>
 <b>4</b>
-<v>13642</v>
+<v>7021</v>
 </b>
 <b>
 <a>4</a>
 <b>21324</b>
-<v>3005</v>
+<v>1546</v>
 </b>
 </bs>
 </hist>
@@ -36793,17 +38934,17 @@
 <b>
 <a>1</a>
 <b>2</b>
-<v>146094</v>
+<v>75192</v>
 </b>
 <b>
 <a>2</a>
 <b>3</b>
-<v>22497</v>
+<v>11579</v>
 </b>
 <b>
 <a>3</a>
 <b>21324</b>
-<v>10452</v>
+<v>5379</v>
 </b>
 </bs>
 </hist>
@@ -36819,22 +38960,22 @@
 <b>
 <a>123</a>
 <b>124</b>
-<v>4</v>
+<v>2</v>
 </b>
 <b>
 <a>2909</a>
 <b>2910</b>
-<v>4</v>
+<v>2</v>
 </b>
 <b>
 <a>37932</a>
 <b>37933</b>
-<v>4</v>
+<v>2</v>
 </b>
 <b>
 <a>122212</a>
 <b>122213</b>
-<v>4</v>
+<v>2</v>
 </b>
 </bs>
 </hist>
@@ -36850,22 +38991,22 @@
 <b>
 <a>21</a>
 <b>22</b>
-<v>4</v>
+<v>2</v>
 </b>
 <b>
 <a>101</a>
 <b>102</b>
-<v>4</v>
+<v>2</v>
 </b>
 <b>
 <a>1188</a>
 <b>1189</b>
-<v>4</v>
+<v>2</v>
 </b>
 <b>
 <a>35450</a>
 <b>35451</b>
-<v>4</v>
+<v>2</v>
 </b>
 </bs>
 </hist>
@@ -36881,22 +39022,22 @@
 <b>
 <a>1</a>
 <b>2</b>
-<v>4</v>
+<v>2</v>
 </b>
 <b>
 <a>31</a>
 <b>32</b>
-<v>4</v>
+<v>2</v>
 </b>
 <b>
 <a>11217</a>
 <b>11218</b>
-<v>4</v>
+<v>2</v>
 </b>
 <b>
 <a>21323</a>
 <b>21324</b>
-<v>4</v>
+<v>2</v>
 </b>
 </bs>
 </hist>
@@ -36912,22 +39053,22 @@
 <b>
 <a>123</a>
 <b>124</b>
-<v>4</v>
+<v>2</v>
 </b>
 <b>
 <a>2464</a>
 <b>2465</b>
-<v>4</v>
+<v>2</v>
 </b>
 <b>
 <a>37932</a>
 <b>37933</b>
-<v>4</v>
+<v>2</v>
 </b>
 <b>
 <a>54872</a>
 <b>54873</b>
-<v>4</v>
+<v>2</v>
 </b>
 </bs>
 </hist>
@@ -36943,27 +39084,27 @@
 <b>
 <a>1</a>
 <b>2</b>
-<v>101776</v>
+<v>52382</v>
 </b>
 <b>
 <a>2</a>
 <b>3</b>
-<v>26793</v>
+<v>13790</v>
 </b>
 <b>
 <a>3</a>
 <b>6</b>
-<v>13340</v>
+<v>6866</v>
 </b>
 <b>
 <a>6</a>
 <b>33</b>
-<v>11699</v>
+<v>6021</v>
 </b>
 <b>
 <a>33</a>
 <b>26079</b>
-<v>1816</v>
+<v>935</v>
 </b>
 </bs>
 </hist>
@@ -36979,27 +39120,27 @@
 <b>
 <a>1</a>
 <b>2</b>
-<v>102351</v>
+<v>52678</v>
 </b>
 <b>
 <a>2</a>
 <b>3</b>
-<v>27212</v>
+<v>14005</v>
 </b>
 <b>
 <a>3</a>
 <b>6</b>
-<v>13238</v>
+<v>6813</v>
 </b>
 <b>
 <a>6</a>
 <b>38</b>
-<v>11684</v>
+<v>6013</v>
 </b>
 <b>
 <a>38</a>
 <b>1426</b>
-<v>940</v>
+<v>483</v>
 </b>
 </bs>
 </hist>
@@ -37015,12 +39156,12 @@
 <b>
 <a>1</a>
 <b>2</b>
-<v>152227</v>
+<v>78348</v>
 </b>
 <b>
 <a>2</a>
 <b>4</b>
-<v>3200</v>
+<v>1646</v>
 </b>
 </bs>
 </hist>
@@ -37036,27 +39177,27 @@
 <b>
 <a>1</a>
 <b>2</b>
-<v>102249</v>
+<v>52625</v>
 </b>
 <b>
 <a>2</a>
 <b>3</b>
-<v>27231</v>
+<v>14015</v>
 </b>
 <b>
 <a>3</a>
 <b>6</b>
-<v>13145</v>
+<v>6765</v>
 </b>
 <b>
 <a>6</a>
 <b>38</b>
-<v>11665</v>
+<v>6003</v>
 </b>
 <b>
 <a>38</a>
 <b>3476</b>
-<v>1134</v>
+<v>584</v>
 </b>
 </bs>
 </hist>
@@ -37072,12 +39213,12 @@
 <b>
 <a>1</a>
 <b>2</b>
-<v>437831</v>
+<v>225344</v>
 </b>
 <b>
 <a>2</a>
 <b>3705</b>
-<v>26783</v>
+<v>13785</v>
 </b>
 </bs>
 </hist>
@@ -37093,7 +39234,7 @@
 <b>
 <a>1</a>
 <b>2</b>
-<v>464615</v>
+<v>239129</v>
 </b>
 </bs>
 </hist>
@@ -37109,7 +39250,7 @@
 <b>
 <a>1</a>
 <b>2</b>
-<v>464615</v>
+<v>239129</v>
 </b>
 </bs>
 </hist>
@@ -37125,12 +39266,12 @@
 <b>
 <a>1</a>
 <b>2</b>
-<v>456291</v>
+<v>234845</v>
 </b>
 <b>
 <a>2</a>
 <b>225</b>
-<v>8323</v>
+<v>4284</v>
 </b>
 </bs>
 </hist>
@@ -37140,15 +39281,15 @@
 </relation>
 <relation>
 <name>cil_pointer_type</name>
-<cardinality>599</cardinality>
+<cardinality>308</cardinality>
 <columnsizes>
 <e>
 <k>id</k>
-<v>599</v>
+<v>308</v>
 </e>
 <e>
 <k>pointee</k>
-<v>599</v>
+<v>308</v>
 </e>
 </columnsizes>
 <dependencies>
@@ -37162,7 +39303,7 @@
 <b>
 <a>1</a>
 <b>2</b>
-<v>599</v>
+<v>308</v>
 </b>
 </bs>
 </hist>
@@ -37178,7 +39319,7 @@
 <b>
 <a>1</a>
 <b>2</b>
-<v>599</v>
+<v>308</v>
 </b>
 </bs>
 </hist>
@@ -37188,19 +39329,19 @@
 </relation>
 <relation>
 <name>cil_array_type</name>
-<cardinality>14168</cardinality>
+<cardinality>7292</cardinality>
 <columnsizes>
 <e>
 <k>id</k>
-<v>14168</v>
+<v>7292</v>
 </e>
 <e>
 <k>element_type</k>
-<v>14090</v>
+<v>7252</v>
 </e>
 <e>
 <k>rank</k>
-<v>14</v>
+<v>7</v>
 </e>
 </columnsizes>
 <dependencies>
@@ -37214,7 +39355,7 @@
 <b>
 <a>1</a>
 <b>2</b>
-<v>14168</v>
+<v>7292</v>
 </b>
 </bs>
 </hist>
@@ -37230,7 +39371,7 @@
 <b>
 <a>1</a>
 <b>2</b>
-<v>14168</v>
+<v>7292</v>
 </b>
 </bs>
 </hist>
@@ -37246,12 +39387,12 @@
 <b>
 <a>1</a>
 <b>2</b>
-<v>14017</v>
+<v>7214</v>
 </b>
 <b>
 <a>2</a>
 <b>4</b>
-<v>73</v>
+<v>37</v>
 </b>
 </bs>
 </hist>
@@ -37267,12 +39408,12 @@
 <b>
 <a>1</a>
 <b>2</b>
-<v>14017</v>
+<v>7214</v>
 </b>
 <b>
 <a>2</a>
 <b>4</b>
-<v>73</v>
+<v>37</v>
 </b>
 </bs>
 </hist>
@@ -37288,17 +39429,17 @@
 <b>
 <a>1</a>
 <b>2</b>
-<v>4</v>
+<v>2</v>
 </b>
 <b>
 <a>16</a>
 <b>17</b>
-<v>4</v>
+<v>2</v>
 </b>
 <b>
 <a>2892</a>
 <b>2893</b>
-<v>4</v>
+<v>2</v>
 </b>
 </bs>
 </hist>
@@ -37314,17 +39455,17 @@
 <b>
 <a>1</a>
 <b>2</b>
-<v>4</v>
+<v>2</v>
 </b>
 <b>
 <a>16</a>
 <b>17</b>
-<v>4</v>
+<v>2</v>
 </b>
 <b>
 <a>2892</a>
 <b>2893</b>
-<v>4</v>
+<v>2</v>
 </b>
 </bs>
 </hist>
@@ -37387,23 +39528,23 @@
 </relation>
 <relation>
 <name>cil_method</name>
-<cardinality>2311748</cardinality>
+<cardinality>1189816</cardinality>
 <columnsizes>
 <e>
 <k>id</k>
-<v>2311748</v>
+<v>1189816</v>
 </e>
 <e>
 <k>name</k>
-<v>439624</v>
+<v>226266</v>
 </e>
 <e>
 <k>parent</k>
-<v>379900</v>
+<v>195528</v>
 </e>
 <e>
 <k>return_type</k>
-<v>213850</v>
+<v>110065</v>
 </e>
 </columnsizes>
 <dependencies>
@@ -37417,7 +39558,7 @@
 <b>
 <a>1</a>
 <b>2</b>
-<v>2311748</v>
+<v>1189816</v>
 </b>
 </bs>
 </hist>
@@ -37433,7 +39574,7 @@
 <b>
 <a>1</a>
 <b>2</b>
-<v>2311748</v>
+<v>1189816</v>
 </b>
 </bs>
 </hist>
@@ -37449,7 +39590,7 @@
 <b>
 <a>1</a>
 <b>2</b>
-<v>2311748</v>
+<v>1189816</v>
 </b>
 </bs>
 </hist>
@@ -37465,27 +39606,27 @@
 <b>
 <a>1</a>
 <b>2</b>
-<v>270861</v>
+<v>139407</v>
 </b>
 <b>
 <a>2</a>
 <b>3</b>
-<v>79561</v>
+<v>40949</v>
 </b>
 <b>
 <a>3</a>
 <b>4</b>
-<v>25020</v>
+<v>12877</v>
 </b>
 <b>
 <a>4</a>
 <b>7</b>
-<v>33475</v>
+<v>17229</v>
 </b>
 <b>
 <a>7</a>
 <b>64064</b>
-<v>30704</v>
+<v>15803</v>
 </b>
 </bs>
 </hist>
@@ -37501,27 +39642,27 @@
 <b>
 <a>1</a>
 <b>2</b>
-<v>284864</v>
+<v>146614</v>
 </b>
 <b>
 <a>2</a>
 <b>3</b>
-<v>76522</v>
+<v>39384</v>
 </b>
 <b>
 <a>3</a>
 <b>5</b>
-<v>39846</v>
+<v>20508</v>
 </b>
 <b>
 <a>5</a>
 <b>25</b>
-<v>33139</v>
+<v>17056</v>
 </b>
 <b>
 <a>25</a>
 <b>52725</b>
-<v>5250</v>
+<v>2702</v>
 </b>
 </bs>
 </hist>
@@ -37537,17 +39678,17 @@
 <b>
 <a>1</a>
 <b>2</b>
-<v>383884</v>
+<v>197578</v>
 </b>
 <b>
 <a>2</a>
 <b>4</b>
-<v>40207</v>
+<v>20693</v>
 </b>
 <b>
 <a>4</a>
 <b>2803</b>
-<v>15532</v>
+<v>7994</v>
 </b>
 </bs>
 </hist>
@@ -37563,42 +39704,42 @@
 <b>
 <a>1</a>
 <b>2</b>
-<v>107909</v>
+<v>55538</v>
 </b>
 <b>
 <a>2</a>
 <b>3</b>
-<v>84456</v>
+<v>43468</v>
 </b>
 <b>
 <a>3</a>
 <b>4</b>
-<v>49919</v>
+<v>25692</v>
 </b>
 <b>
 <a>4</a>
 <b>5</b>
-<v>28551</v>
+<v>14695</v>
 </b>
 <b>
 <a>5</a>
 <b>7</b>
-<v>30850</v>
+<v>15878</v>
 </b>
 <b>
 <a>7</a>
 <b>11</b>
-<v>32896</v>
+<v>16931</v>
 </b>
 <b>
 <a>11</a>
 <b>21</b>
-<v>28936</v>
+<v>14893</v>
 </b>
 <b>
 <a>21</a>
 <b>3536</b>
-<v>16379</v>
+<v>8430</v>
 </b>
 </bs>
 </hist>
@@ -37614,42 +39755,42 @@
 <b>
 <a>1</a>
 <b>2</b>
-<v>114294</v>
+<v>58825</v>
 </b>
 <b>
 <a>2</a>
 <b>3</b>
-<v>86609</v>
+<v>44576</v>
 </b>
 <b>
 <a>3</a>
 <b>4</b>
-<v>50474</v>
+<v>25978</v>
 </b>
 <b>
 <a>4</a>
 <b>5</b>
-<v>28897</v>
+<v>14873</v>
 </b>
 <b>
 <a>5</a>
 <b>7</b>
-<v>32852</v>
+<v>16908</v>
 </b>
 <b>
 <a>7</a>
 <b>11</b>
-<v>29993</v>
+<v>15437</v>
 </b>
 <b>
 <a>11</a>
 <b>26</b>
-<v>28673</v>
+<v>14757</v>
 </b>
 <b>
 <a>26</a>
 <b>1885</b>
-<v>8104</v>
+<v>4171</v>
 </b>
 </bs>
 </hist>
@@ -37665,32 +39806,32 @@
 <b>
 <a>1</a>
 <b>2</b>
-<v>162060</v>
+<v>83409</v>
 </b>
 <b>
 <a>2</a>
 <b>3</b>
-<v>93633</v>
+<v>48191</v>
 </b>
 <b>
 <a>3</a>
 <b>4</b>
-<v>46363</v>
+<v>23862</v>
 </b>
 <b>
 <a>4</a>
 <b>5</b>
-<v>23281</v>
+<v>11982</v>
 </b>
 <b>
 <a>5</a>
 <b>7</b>
-<v>28376</v>
+<v>14604</v>
 </b>
 <b>
 <a>7</a>
 <b>1924</b>
-<v>26184</v>
+<v>13476</v>
 </b>
 </bs>
 </hist>
@@ -37706,27 +39847,27 @@
 <b>
 <a>1</a>
 <b>2</b>
-<v>131882</v>
+<v>67877</v>
 </b>
 <b>
 <a>2</a>
 <b>3</b>
-<v>38215</v>
+<v>19668</v>
 </b>
 <b>
 <a>3</a>
 <b>5</b>
-<v>18829</v>
+<v>9691</v>
 </b>
 <b>
 <a>5</a>
 <b>13</b>
-<v>16555</v>
+<v>8520</v>
 </b>
 <b>
 <a>13</a>
 <b>190707</b>
-<v>8367</v>
+<v>4306</v>
 </b>
 </bs>
 </hist>
@@ -37742,22 +39883,22 @@
 <b>
 <a>1</a>
 <b>2</b>
-<v>153439</v>
+<v>78972</v>
 </b>
 <b>
 <a>2</a>
 <b>3</b>
-<v>30324</v>
+<v>15607</v>
 </b>
 <b>
 <a>3</a>
 <b>6</b>
-<v>19131</v>
+<v>9846</v>
 </b>
 <b>
 <a>6</a>
 <b>28461</b>
-<v>10954</v>
+<v>5637</v>
 </b>
 </bs>
 </hist>
@@ -37773,22 +39914,22 @@
 <b>
 <a>1</a>
 <b>2</b>
-<v>145296</v>
+<v>74781</v>
 </b>
 <b>
 <a>2</a>
 <b>3</b>
-<v>35365</v>
+<v>18202</v>
 </b>
 <b>
 <a>3</a>
 <b>5</b>
-<v>17539</v>
+<v>9027</v>
 </b>
 <b>
 <a>5</a>
 <b>62018</b>
-<v>15649</v>
+<v>8054</v>
 </b>
 </bs>
 </hist>
@@ -37798,15 +39939,15 @@
 </relation>
 <relation>
 <name>cil_method_source_declaration</name>
-<cardinality>2105637</cardinality>
+<cardinality>1083735</cardinality>
 <columnsizes>
 <e>
 <k>method</k>
-<v>2105637</v>
+<v>1083735</v>
 </e>
 <e>
 <k>source</k>
-<v>1863186</v>
+<v>958949</v>
 </e>
 </columnsizes>
 <dependencies>
@@ -37820,7 +39961,7 @@
 <b>
 <a>1</a>
 <b>2</b>
-<v>2105637</v>
+<v>1083735</v>
 </b>
 </bs>
 </hist>
@@ -37836,12 +39977,12 @@
 <b>
 <a>1</a>
 <b>2</b>
-<v>1758316</v>
+<v>904975</v>
 </b>
 <b>
 <a>2</a>
 <b>1021</b>
-<v>104869</v>
+<v>53974</v>
 </b>
 </bs>
 </hist>
@@ -37851,19 +39992,19 @@
 </relation>
 <relation>
 <name>cil_method_implementation</name>
-<cardinality>1725702</cardinality>
+<cardinality>888189</cardinality>
 <columnsizes>
 <e>
 <k>id</k>
-<v>1725702</v>
+<v>888189</v>
 </e>
 <e>
 <k>method</k>
-<v>1638937</v>
+<v>843532</v>
 </e>
 <e>
 <k>location</k>
-<v>3092</v>
+<v>1591</v>
 </e>
 </columnsizes>
 <dependencies>
@@ -37877,7 +40018,7 @@
 <b>
 <a>1</a>
 <b>2</b>
-<v>1725702</v>
+<v>888189</v>
 </b>
 </bs>
 </hist>
@@ -37893,7 +40034,7 @@
 <b>
 <a>1</a>
 <b>2</b>
-<v>1725702</v>
+<v>888189</v>
 </b>
 </bs>
 </hist>
@@ -37909,12 +40050,12 @@
 <b>
 <a>1</a>
 <b>2</b>
-<v>1552171</v>
+<v>798875</v>
 </b>
 <b>
 <a>2</a>
 <b>3</b>
-<v>86765</v>
+<v>44656</v>
 </b>
 </bs>
 </hist>
@@ -37930,12 +40071,12 @@
 <b>
 <a>1</a>
 <b>2</b>
-<v>1552171</v>
+<v>798875</v>
 </b>
 <b>
 <a>2</a>
 <b>3</b>
-<v>86765</v>
+<v>44656</v>
 </b>
 </bs>
 </hist>
@@ -37951,67 +40092,67 @@
 <b>
 <a>1</a>
 <b>11</b>
-<v>272</v>
+<v>140</v>
 </b>
 <b>
 <a>11</a>
 <b>22</b>
-<v>238</v>
+<v>122</v>
 </b>
 <b>
 <a>22</a>
 <b>36</b>
-<v>238</v>
+<v>122</v>
 </b>
 <b>
 <a>36</a>
 <b>50</b>
-<v>233</v>
+<v>120</v>
 </b>
 <b>
 <a>50</a>
 <b>74</b>
-<v>243</v>
+<v>125</v>
 </b>
 <b>
 <a>74</a>
 <b>104</b>
-<v>248</v>
+<v>127</v>
 </b>
 <b>
 <a>104</a>
 <b>133</b>
-<v>238</v>
+<v>122</v>
 </b>
 <b>
 <a>133</a>
 <b>192</b>
-<v>233</v>
+<v>120</v>
 </b>
 <b>
 <a>192</a>
 <b>271</b>
-<v>233</v>
+<v>120</v>
 </b>
 <b>
 <a>271</a>
 <b>365</b>
-<v>248</v>
+<v>127</v>
 </b>
 <b>
 <a>372</a>
 <b>654</b>
-<v>233</v>
+<v>120</v>
 </b>
 <b>
 <a>682</a>
 <b>1597</b>
-<v>238</v>
+<v>122</v>
 </b>
 <b>
 <a>1599</a>
 <b>33053</b>
-<v>189</v>
+<v>97</v>
 </b>
 </bs>
 </hist>
@@ -38027,67 +40168,67 @@
 <b>
 <a>1</a>
 <b>11</b>
-<v>272</v>
+<v>140</v>
 </b>
 <b>
 <a>11</a>
 <b>22</b>
-<v>238</v>
+<v>122</v>
 </b>
 <b>
 <a>22</a>
 <b>36</b>
-<v>238</v>
+<v>122</v>
 </b>
 <b>
 <a>36</a>
 <b>50</b>
-<v>233</v>
+<v>120</v>
 </b>
 <b>
 <a>50</a>
 <b>74</b>
-<v>243</v>
+<v>125</v>
 </b>
 <b>
 <a>74</a>
 <b>104</b>
-<v>248</v>
+<v>127</v>
 </b>
 <b>
 <a>104</a>
 <b>133</b>
-<v>238</v>
+<v>122</v>
 </b>
 <b>
 <a>133</a>
 <b>192</b>
-<v>233</v>
+<v>120</v>
 </b>
 <b>
 <a>192</a>
 <b>271</b>
-<v>233</v>
+<v>120</v>
 </b>
 <b>
 <a>271</a>
 <b>365</b>
-<v>248</v>
+<v>127</v>
 </b>
 <b>
 <a>372</a>
 <b>654</b>
-<v>233</v>
+<v>120</v>
 </b>
 <b>
 <a>682</a>
 <b>1597</b>
-<v>238</v>
+<v>122</v>
 </b>
 <b>
 <a>1599</a>
 <b>33053</b>
-<v>189</v>
+<v>97</v>
 </b>
 </bs>
 </hist>
@@ -38097,15 +40238,15 @@
 </relation>
 <relation>
 <name>cil_implements</name>
-<cardinality>107051</cardinality>
+<cardinality>55097</cardinality>
 <columnsizes>
 <e>
 <k>id</k>
-<v>106292</v>
+<v>54706</v>
 </e>
 <e>
 <k>decl</k>
-<v>17719</v>
+<v>9119</v>
 </e>
 </columnsizes>
 <dependencies>
@@ -38119,12 +40260,12 @@
 <b>
 <a>1</a>
 <b>2</b>
-<v>105532</v>
+<v>54315</v>
 </b>
 <b>
 <a>2</a>
 <b>3</b>
-<v>759</v>
+<v>391</v>
 </b>
 </bs>
 </hist>
@@ -38140,27 +40281,27 @@
 <b>
 <a>1</a>
 <b>2</b>
-<v>11533</v>
+<v>5936</v>
 </b>
 <b>
 <a>2</a>
 <b>3</b>
-<v>2703</v>
+<v>1391</v>
 </b>
 <b>
 <a>3</a>
 <b>5</b>
-<v>1578</v>
+<v>812</v>
 </b>
 <b>
 <a>5</a>
 <b>18</b>
-<v>1329</v>
+<v>684</v>
 </b>
 <b>
 <a>18</a>
 <b>2180</b>
-<v>574</v>
+<v>295</v>
 </b>
 </bs>
 </hist>
@@ -38170,23 +40311,23 @@
 </relation>
 <relation>
 <name>cil_field</name>
-<cardinality>1008310</cardinality>
+<cardinality>518960</cardinality>
 <columnsizes>
 <e>
 <k>id</k>
-<v>1008310</v>
+<v>518960</v>
 </e>
 <e>
 <k>parent</k>
-<v>201113</v>
+<v>103509</v>
 </e>
 <e>
 <k>name</k>
-<v>360807</v>
+<v>185701</v>
 </e>
 <e>
 <k>field_type</k>
-<v>165835</v>
+<v>85352</v>
 </e>
 </columnsizes>
 <dependencies>
@@ -38200,7 +40341,7 @@
 <b>
 <a>1</a>
 <b>2</b>
-<v>1008310</v>
+<v>518960</v>
 </b>
 </bs>
 </hist>
@@ -38216,7 +40357,7 @@
 <b>
 <a>1</a>
 <b>2</b>
-<v>1008310</v>
+<v>518960</v>
 </b>
 </bs>
 </hist>
@@ -38232,7 +40373,7 @@
 <b>
 <a>1</a>
 <b>2</b>
-<v>1008310</v>
+<v>518960</v>
 </b>
 </bs>
 </hist>
@@ -38248,47 +40389,47 @@
 <b>
 <a>1</a>
 <b>2</b>
-<v>60610</v>
+<v>31195</v>
 </b>
 <b>
 <a>2</a>
 <b>3</b>
-<v>41025</v>
+<v>21115</v>
 </b>
 <b>
 <a>3</a>
 <b>4</b>
-<v>22288</v>
+<v>11471</v>
 </b>
 <b>
 <a>4</a>
 <b>5</b>
-<v>15478</v>
+<v>7966</v>
 </b>
 <b>
 <a>5</a>
 <b>6</b>
-<v>11709</v>
+<v>6026</v>
 </b>
 <b>
 <a>6</a>
 <b>8</b>
-<v>16944</v>
+<v>8721</v>
 </b>
 <b>
 <a>8</a>
 <b>12</b>
-<v>17850</v>
+<v>9187</v>
 </b>
 <b>
 <a>12</a>
 <b>227</b>
-<v>15089</v>
+<v>7766</v>
 </b>
 <b>
 <a>237</a>
 <b>4205</b>
-<v>116</v>
+<v>60</v>
 </b>
 </bs>
 </hist>
@@ -38304,47 +40445,47 @@
 <b>
 <a>1</a>
 <b>2</b>
-<v>60610</v>
+<v>31195</v>
 </b>
 <b>
 <a>2</a>
 <b>3</b>
-<v>41025</v>
+<v>21115</v>
 </b>
 <b>
 <a>3</a>
 <b>4</b>
-<v>22288</v>
+<v>11471</v>
 </b>
 <b>
 <a>4</a>
 <b>5</b>
-<v>15478</v>
+<v>7966</v>
 </b>
 <b>
 <a>5</a>
 <b>6</b>
-<v>11709</v>
+<v>6026</v>
 </b>
 <b>
 <a>6</a>
 <b>8</b>
-<v>16944</v>
+<v>8721</v>
 </b>
 <b>
 <a>8</a>
 <b>12</b>
-<v>17850</v>
+<v>9187</v>
 </b>
 <b>
 <a>12</a>
 <b>227</b>
-<v>15089</v>
+<v>7766</v>
 </b>
 <b>
 <a>237</a>
 <b>4205</b>
-<v>116</v>
+<v>60</v>
 </b>
 </bs>
 </hist>
@@ -38360,37 +40501,37 @@
 <b>
 <a>1</a>
 <b>2</b>
-<v>70395</v>
+<v>36231</v>
 </b>
 <b>
 <a>2</a>
 <b>3</b>
-<v>59748</v>
+<v>30751</v>
 </b>
 <b>
 <a>3</a>
 <b>4</b>
-<v>20417</v>
+<v>10508</v>
 </b>
 <b>
 <a>4</a>
 <b>5</b>
-<v>11460</v>
+<v>5898</v>
 </b>
 <b>
 <a>5</a>
 <b>7</b>
-<v>15683</v>
+<v>8072</v>
 </b>
 <b>
 <a>7</a>
 <b>11</b>
-<v>16053</v>
+<v>8262</v>
 </b>
 <b>
 <a>11</a>
 <b>132</b>
-<v>7354</v>
+<v>3785</v>
 </b>
 </bs>
 </hist>
@@ -38406,22 +40547,22 @@
 <b>
 <a>1</a>
 <b>2</b>
-<v>261811</v>
+<v>134749</v>
 </b>
 <b>
 <a>2</a>
 <b>3</b>
-<v>55345</v>
+<v>28485</v>
 </b>
 <b>
 <a>3</a>
 <b>7</b>
-<v>30066</v>
+<v>15474</v>
 </b>
 <b>
 <a>7</a>
 <b>5664</b>
-<v>13584</v>
+<v>6991</v>
 </b>
 </bs>
 </hist>
@@ -38437,22 +40578,22 @@
 <b>
 <a>1</a>
 <b>2</b>
-<v>261811</v>
+<v>134749</v>
 </b>
 <b>
 <a>2</a>
 <b>3</b>
-<v>55345</v>
+<v>28485</v>
 </b>
 <b>
 <a>3</a>
 <b>7</b>
-<v>30066</v>
+<v>15474</v>
 </b>
 <b>
 <a>7</a>
 <b>5664</b>
-<v>13584</v>
+<v>6991</v>
 </b>
 </bs>
 </hist>
@@ -38468,17 +40609,17 @@
 <b>
 <a>1</a>
 <b>2</b>
-<v>305355</v>
+<v>157161</v>
 </b>
 <b>
 <a>2</a>
 <b>3</b>
-<v>34050</v>
+<v>17525</v>
 </b>
 <b>
 <a>3</a>
 <b>2790</b>
-<v>21401</v>
+<v>11015</v>
 </b>
 </bs>
 </hist>
@@ -38494,32 +40635,32 @@
 <b>
 <a>1</a>
 <b>2</b>
-<v>82606</v>
+<v>42515</v>
 </b>
 <b>
 <a>2</a>
 <b>3</b>
-<v>43757</v>
+<v>22521</v>
 </b>
 <b>
 <a>3</a>
 <b>4</b>
-<v>8957</v>
+<v>4610</v>
 </b>
 <b>
 <a>4</a>
 <b>7</b>
-<v>15254</v>
+<v>7851</v>
 </b>
 <b>
 <a>7</a>
 <b>31</b>
-<v>12537</v>
+<v>6452</v>
 </b>
 <b>
 <a>31</a>
 <b>21103</b>
-<v>2722</v>
+<v>1401</v>
 </b>
 </bs>
 </hist>
@@ -38535,22 +40676,22 @@
 <b>
 <a>1</a>
 <b>2</b>
-<v>96682</v>
+<v>49760</v>
 </b>
 <b>
 <a>2</a>
 <b>3</b>
-<v>44483</v>
+<v>22894</v>
 </b>
 <b>
 <a>3</a>
 <b>6</b>
-<v>14227</v>
+<v>7322</v>
 </b>
 <b>
 <a>6</a>
 <b>12257</b>
-<v>10442</v>
+<v>5374</v>
 </b>
 </bs>
 </hist>
@@ -38566,27 +40707,27 @@
 <b>
 <a>1</a>
 <b>2</b>
-<v>119793</v>
+<v>61655</v>
 </b>
 <b>
 <a>2</a>
 <b>3</b>
-<v>17958</v>
+<v>9242</v>
 </b>
 <b>
 <a>3</a>
 <b>5</b>
-<v>13238</v>
+<v>6813</v>
 </b>
 <b>
 <a>5</a>
 <b>20</b>
-<v>12463</v>
+<v>6414</v>
 </b>
 <b>
 <a>20</a>
 <b>8901</b>
-<v>2381</v>
+<v>1225</v>
 </b>
 </bs>
 </hist>
@@ -38596,23 +40737,23 @@
 </relation>
 <relation>
 <name>cil_parameter</name>
-<cardinality>4546452</cardinality>
+<cardinality>2339980</cardinality>
 <columnsizes>
 <e>
 <k>id</k>
-<v>4546452</v>
+<v>2339980</v>
 </e>
 <e>
 <k>parameterizable</k>
-<v>2220248</v>
+<v>1142723</v>
 </e>
 <e>
 <k>index</k>
-<v>199</v>
+<v>102</v>
 </e>
 <e>
 <k>param_type</k>
-<v>552491</v>
+<v>284357</v>
 </e>
 </columnsizes>
 <dependencies>
@@ -38626,7 +40767,7 @@
 <b>
 <a>1</a>
 <b>2</b>
-<v>4546452</v>
+<v>2339980</v>
 </b>
 </bs>
 </hist>
@@ -38642,7 +40783,7 @@
 <b>
 <a>1</a>
 <b>2</b>
-<v>4546452</v>
+<v>2339980</v>
 </b>
 </bs>
 </hist>
@@ -38658,7 +40799,7 @@
 <b>
 <a>1</a>
 <b>2</b>
-<v>4546452</v>
+<v>2339980</v>
 </b>
 </bs>
 </hist>
@@ -38674,27 +40815,27 @@
 <b>
 <a>1</a>
 <b>2</b>
-<v>900533</v>
+<v>463488</v>
 </b>
 <b>
 <a>2</a>
 <b>3</b>
-<v>787383</v>
+<v>405252</v>
 </b>
 <b>
 <a>3</a>
 <b>4</b>
-<v>324613</v>
+<v>167073</v>
 </b>
 <b>
 <a>4</a>
 <b>7</b>
-<v>174919</v>
+<v>90027</v>
 </b>
 <b>
 <a>7</a>
 <b>42</b>
-<v>32798</v>
+<v>16881</v>
 </b>
 </bs>
 </hist>
@@ -38710,27 +40851,27 @@
 <b>
 <a>1</a>
 <b>2</b>
-<v>900533</v>
+<v>463488</v>
 </b>
 <b>
 <a>2</a>
 <b>3</b>
-<v>787383</v>
+<v>405252</v>
 </b>
 <b>
 <a>3</a>
 <b>4</b>
-<v>324613</v>
+<v>167073</v>
 </b>
 <b>
 <a>4</a>
 <b>7</b>
-<v>174919</v>
+<v>90027</v>
 </b>
 <b>
 <a>7</a>
 <b>42</b>
-<v>32798</v>
+<v>16881</v>
 </b>
 </bs>
 </hist>
@@ -38746,22 +40887,22 @@
 <b>
 <a>1</a>
 <b>2</b>
-<v>948562</v>
+<v>488208</v>
 </b>
 <b>
 <a>2</a>
 <b>3</b>
-<v>797889</v>
+<v>410659</v>
 </b>
 <b>
 <a>3</a>
 <b>4</b>
-<v>312977</v>
+<v>161084</v>
 </b>
 <b>
 <a>4</a>
 <b>23</b>
-<v>160818</v>
+<v>82770</v>
 </b>
 </bs>
 </hist>
@@ -38777,67 +40918,67 @@
 <b>
 <a>1</a>
 <b>2</b>
-<v>24</v>
+<v>12</v>
 </b>
 <b>
 <a>2</a>
 <b>3</b>
-<v>14</v>
+<v>7</v>
 </b>
 <b>
 <a>3</a>
 <b>18</b>
-<v>14</v>
+<v>7</v>
 </b>
 <b>
 <a>20</a>
 <b>35</b>
-<v>14</v>
+<v>7</v>
 </b>
 <b>
 <a>44</a>
 <b>53</b>
-<v>14</v>
+<v>7</v>
 </b>
 <b>
 <a>61</a>
 <b>78</b>
-<v>14</v>
+<v>7</v>
 </b>
 <b>
 <a>87</a>
 <b>122</b>
-<v>14</v>
+<v>7</v>
 </b>
 <b>
 <a>150</a>
 <b>293</b>
-<v>14</v>
+<v>7</v>
 </b>
 <b>
 <a>378</a>
 <b>632</b>
-<v>14</v>
+<v>7</v>
 </b>
 <b>
 <a>810</a>
 <b>2528</b>
-<v>14</v>
+<v>7</v>
 </b>
 <b>
 <a>3263</a>
 <b>6735</b>
-<v>14</v>
+<v>7</v>
 </b>
 <b>
 <a>11503</a>
 <b>42648</b>
-<v>14</v>
+<v>7</v>
 </b>
 <b>
 <a>109294</a>
 <b>455844</b>
-<v>14</v>
+<v>7</v>
 </b>
 </bs>
 </hist>
@@ -38853,67 +40994,67 @@
 <b>
 <a>1</a>
 <b>2</b>
-<v>24</v>
+<v>12</v>
 </b>
 <b>
 <a>2</a>
 <b>3</b>
-<v>14</v>
+<v>7</v>
 </b>
 <b>
 <a>3</a>
 <b>18</b>
-<v>14</v>
+<v>7</v>
 </b>
 <b>
 <a>20</a>
 <b>35</b>
-<v>14</v>
+<v>7</v>
 </b>
 <b>
 <a>44</a>
 <b>53</b>
-<v>14</v>
+<v>7</v>
 </b>
 <b>
 <a>61</a>
 <b>78</b>
-<v>14</v>
+<v>7</v>
 </b>
 <b>
 <a>87</a>
 <b>122</b>
-<v>14</v>
+<v>7</v>
 </b>
 <b>
 <a>150</a>
 <b>293</b>
-<v>14</v>
+<v>7</v>
 </b>
 <b>
 <a>378</a>
 <b>632</b>
-<v>14</v>
+<v>7</v>
 </b>
 <b>
 <a>810</a>
 <b>2528</b>
-<v>14</v>
+<v>7</v>
 </b>
 <b>
 <a>3263</a>
 <b>6735</b>
-<v>14</v>
+<v>7</v>
 </b>
 <b>
 <a>11503</a>
 <b>42648</b>
-<v>14</v>
+<v>7</v>
 </b>
 <b>
 <a>109294</a>
 <b>455844</b>
-<v>14</v>
+<v>7</v>
 </b>
 </bs>
 </hist>
@@ -38929,72 +41070,72 @@
 <b>
 <a>1</a>
 <b>2</b>
-<v>24</v>
+<v>12</v>
 </b>
 <b>
 <a>2</a>
 <b>3</b>
-<v>14</v>
+<v>7</v>
 </b>
 <b>
 <a>3</a>
 <b>11</b>
-<v>14</v>
+<v>7</v>
 </b>
 <b>
 <a>11</a>
 <b>16</b>
-<v>14</v>
+<v>7</v>
 </b>
 <b>
 <a>16</a>
 <b>18</b>
-<v>14</v>
+<v>7</v>
 </b>
 <b>
 <a>19</a>
 <b>21</b>
-<v>9</v>
+<v>5</v>
 </b>
 <b>
 <a>22</a>
 <b>28</b>
-<v>14</v>
+<v>7</v>
 </b>
 <b>
 <a>34</a>
 <b>88</b>
-<v>14</v>
+<v>7</v>
 </b>
 <b>
 <a>129</a>
 <b>233</b>
-<v>14</v>
+<v>7</v>
 </b>
 <b>
 <a>290</a>
 <b>447</b>
-<v>14</v>
+<v>7</v>
 </b>
 <b>
 <a>554</a>
 <b>928</b>
-<v>14</v>
+<v>7</v>
 </b>
 <b>
 <a>1321</a>
 <b>3323</b>
-<v>14</v>
+<v>7</v>
 </b>
 <b>
 <a>6167</a>
 <b>43422</b>
-<v>14</v>
+<v>7</v>
 </b>
 <b>
 <a>83818</a>
 <b>83819</b>
-<v>4</v>
+<v>2</v>
 </b>
 </bs>
 </hist>
@@ -39010,42 +41151,42 @@
 <b>
 <a>1</a>
 <b>2</b>
-<v>185391</v>
+<v>95417</v>
 </b>
 <b>
 <a>2</a>
 <b>3</b>
-<v>137055</v>
+<v>70539</v>
 </b>
 <b>
 <a>3</a>
 <b>4</b>
-<v>45014</v>
+<v>23168</v>
 </b>
 <b>
 <a>4</a>
 <b>5</b>
-<v>38448</v>
+<v>19788</v>
 </b>
 <b>
 <a>5</a>
 <b>7</b>
-<v>43850</v>
+<v>22569</v>
 </b>
 <b>
 <a>7</a>
 <b>11</b>
-<v>42759</v>
+<v>22007</v>
 </b>
 <b>
 <a>11</a>
 <b>27</b>
-<v>41877</v>
+<v>21553</v>
 </b>
 <b>
 <a>27</a>
 <b>58010</b>
-<v>18094</v>
+<v>9312</v>
 </b>
 </bs>
 </hist>
@@ -39061,42 +41202,42 @@
 <b>
 <a>1</a>
 <b>2</b>
-<v>188596</v>
+<v>97067</v>
 </b>
 <b>
 <a>2</a>
 <b>3</b>
-<v>135754</v>
+<v>69870</v>
 </b>
 <b>
 <a>3</a>
 <b>4</b>
-<v>45428</v>
+<v>23381</v>
 </b>
 <b>
 <a>4</a>
 <b>5</b>
-<v>37231</v>
+<v>19162</v>
 </b>
 <b>
 <a>5</a>
 <b>7</b>
-<v>44298</v>
+<v>22799</v>
 </b>
 <b>
 <a>7</a>
 <b>11</b>
-<v>42817</v>
+<v>22037</v>
 </b>
 <b>
 <a>11</a>
 <b>28</b>
-<v>41717</v>
+<v>21471</v>
 </b>
 <b>
 <a>28</a>
 <b>46068</b>
-<v>16647</v>
+<v>8568</v>
 </b>
 </bs>
 </hist>
@@ -39112,22 +41253,22 @@
 <b>
 <a>1</a>
 <b>2</b>
-<v>385560</v>
+<v>198441</v>
 </b>
 <b>
 <a>2</a>
 <b>3</b>
-<v>109823</v>
+<v>56524</v>
 </b>
 <b>
 <a>3</a>
 <b>4</b>
-<v>44464</v>
+<v>22884</v>
 </b>
 <b>
 <a>4</a>
 <b>36</b>
-<v>12644</v>
+<v>6507</v>
 </b>
 </bs>
 </hist>
@@ -39137,37 +41278,37 @@
 </relation>
 <relation>
 <name>cil_parameter_in</name>
-<cardinality>32350</cardinality>
+<cardinality>16650</cardinality>
 <columnsizes>
 <e>
 <k>id</k>
-<v>32350</v>
+<v>16650</v>
 </e>
 </columnsizes>
 <dependencies/>
 </relation>
 <relation>
 <name>cil_parameter_out</name>
-<cardinality>46022</cardinality>
+<cardinality>23687</cardinality>
 <columnsizes>
 <e>
 <k>id</k>
-<v>46022</v>
+<v>23687</v>
 </e>
 </columnsizes>
 <dependencies/>
 </relation>
 <relation>
 <name>cil_setter</name>
-<cardinality>106754</cardinality>
+<cardinality>54944</cardinality>
 <columnsizes>
 <e>
 <k>prop</k>
-<v>106754</v>
+<v>54944</v>
 </e>
 <e>
 <k>method</k>
-<v>106754</v>
+<v>54944</v>
 </e>
 </columnsizes>
 <dependencies>
@@ -39181,7 +41322,7 @@
 <b>
 <a>1</a>
 <b>2</b>
-<v>106754</v>
+<v>54944</v>
 </b>
 </bs>
 </hist>
@@ -39197,7 +41338,7 @@
 <b>
 <a>1</a>
 <b>2</b>
-<v>106754</v>
+<v>54944</v>
 </b>
 </bs>
 </hist>
@@ -39207,19 +41348,19 @@
 </relation>
 <relation>
 <name>cil_custom_modifiers</name>
-<cardinality>4105</cardinality>
+<cardinality>2113</cardinality>
 <columnsizes>
 <e>
 <k>id</k>
-<v>4105</v>
+<v>2113</v>
 </e>
 <e>
 <k>modifier</k>
-<v>53</v>
+<v>27</v>
 </e>
 <e>
 <k>kind</k>
-<v>4</v>
+<v>2</v>
 </e>
 </columnsizes>
 <dependencies>
@@ -39233,7 +41374,7 @@
 <b>
 <a>1</a>
 <b>2</b>
-<v>4105</v>
+<v>2113</v>
 </b>
 </bs>
 </hist>
@@ -39249,7 +41390,7 @@
 <b>
 <a>1</a>
 <b>2</b>
-<v>4105</v>
+<v>2113</v>
 </b>
 </bs>
 </hist>
@@ -39265,57 +41406,57 @@
 <b>
 <a>5</a>
 <b>6</b>
-<v>4</v>
+<v>2</v>
 </b>
 <b>
 <a>10</a>
 <b>11</b>
-<v>4</v>
+<v>2</v>
 </b>
 <b>
 <a>11</a>
 <b>12</b>
-<v>4</v>
+<v>2</v>
 </b>
 <b>
 <a>19</a>
 <b>20</b>
-<v>4</v>
+<v>2</v>
 </b>
 <b>
 <a>25</a>
 <b>26</b>
-<v>4</v>
+<v>2</v>
 </b>
 <b>
 <a>29</a>
 <b>30</b>
-<v>4</v>
+<v>2</v>
 </b>
 <b>
 <a>51</a>
 <b>52</b>
-<v>4</v>
+<v>2</v>
 </b>
 <b>
 <a>68</a>
 <b>69</b>
-<v>4</v>
+<v>2</v>
 </b>
 <b>
 <a>87</a>
 <b>88</b>
-<v>4</v>
+<v>2</v>
 </b>
 <b>
 <a>94</a>
 <b>95</b>
-<v>4</v>
+<v>2</v>
 </b>
 <b>
 <a>444</a>
 <b>445</b>
-<v>4</v>
+<v>2</v>
 </b>
 </bs>
 </hist>
@@ -39331,7 +41472,7 @@
 <b>
 <a>1</a>
 <b>2</b>
-<v>53</v>
+<v>27</v>
 </b>
 </bs>
 </hist>
@@ -39347,7 +41488,7 @@
 <b>
 <a>843</a>
 <b>844</b>
-<v>4</v>
+<v>2</v>
 </b>
 </bs>
 </hist>
@@ -39363,7 +41504,7 @@
 <b>
 <a>11</a>
 <b>12</b>
-<v>4</v>
+<v>2</v>
 </b>
 </bs>
 </hist>
@@ -39373,15 +41514,15 @@
 </relation>
 <relation>
 <name>cil_type_annotation</name>
-<cardinality>196057</cardinality>
+<cardinality>100907</cardinality>
 <columnsizes>
 <e>
 <k>id</k>
-<v>196057</v>
+<v>100907</v>
 </e>
 <e>
 <k>annotation</k>
-<v>4</v>
+<v>2</v>
 </e>
 </columnsizes>
 <dependencies>
@@ -39395,7 +41536,7 @@
 <b>
 <a>1</a>
 <b>2</b>
-<v>196057</v>
+<v>100907</v>
 </b>
 </bs>
 </hist>
@@ -39411,7 +41552,7 @@
 <b>
 <a>40253</a>
 <b>40254</b>
-<v>4</v>
+<v>2</v>
 </b>
 </bs>
 </hist>
@@ -39421,15 +41562,15 @@
 </relation>
 <relation>
 <name>cil_getter</name>
-<cardinality>379350</cardinality>
+<cardinality>195244</cardinality>
 <columnsizes>
 <e>
 <k>prop</k>
-<v>379350</v>
+<v>195244</v>
 </e>
 <e>
 <k>method</k>
-<v>379350</v>
+<v>195244</v>
 </e>
 </columnsizes>
 <dependencies>
@@ -39443,7 +41584,7 @@
 <b>
 <a>1</a>
 <b>2</b>
-<v>379350</v>
+<v>195244</v>
 </b>
 </bs>
 </hist>
@@ -39459,7 +41600,7 @@
 <b>
 <a>1</a>
 <b>2</b>
-<v>379350</v>
+<v>195244</v>
 </b>
 </bs>
 </hist>
@@ -39469,15 +41610,15 @@
 </relation>
 <relation>
 <name>cil_adder</name>
-<cardinality>20870</cardinality>
+<cardinality>10741</cardinality>
 <columnsizes>
 <e>
 <k>event</k>
-<v>20870</v>
+<v>10741</v>
 </e>
 <e>
 <k>method</k>
-<v>20870</v>
+<v>10741</v>
 </e>
 </columnsizes>
 <dependencies>
@@ -39491,7 +41632,7 @@
 <b>
 <a>1</a>
 <b>2</b>
-<v>20870</v>
+<v>10741</v>
 </b>
 </bs>
 </hist>
@@ -39507,7 +41648,7 @@
 <b>
 <a>1</a>
 <b>2</b>
-<v>20870</v>
+<v>10741</v>
 </b>
 </bs>
 </hist>
@@ -39517,15 +41658,15 @@
 </relation>
 <relation>
 <name>cil_remover</name>
-<cardinality>20870</cardinality>
+<cardinality>10741</cardinality>
 <columnsizes>
 <e>
 <k>event</k>
-<v>20870</v>
+<v>10741</v>
 </e>
 <e>
 <k>method</k>
-<v>20870</v>
+<v>10741</v>
 </e>
 </columnsizes>
 <dependencies>
@@ -39539,7 +41680,7 @@
 <b>
 <a>1</a>
 <b>2</b>
-<v>20870</v>
+<v>10741</v>
 </b>
 </bs>
 </hist>
@@ -39555,7 +41696,7 @@
 <b>
 <a>1</a>
 <b>2</b>
-<v>20870</v>
+<v>10741</v>
 </b>
 </bs>
 </hist>
@@ -39613,23 +41754,23 @@
 </relation>
 <relation>
 <name>cil_property</name>
-<cardinality>379895</cardinality>
+<cardinality>195525</cardinality>
 <columnsizes>
 <e>
 <k>id</k>
-<v>379895</v>
+<v>195525</v>
 </e>
 <e>
 <k>parent</k>
-<v>93647</v>
+<v>48198</v>
 </e>
 <e>
 <k>name</k>
-<v>106228</v>
+<v>54674</v>
 </e>
 <e>
 <k>property_type</k>
-<v>49821</v>
+<v>25642</v>
 </e>
 </columnsizes>
 <dependencies>
@@ -39643,7 +41784,7 @@
 <b>
 <a>1</a>
 <b>2</b>
-<v>379895</v>
+<v>195525</v>
 </b>
 </bs>
 </hist>
@@ -39659,7 +41800,7 @@
 <b>
 <a>1</a>
 <b>2</b>
-<v>379895</v>
+<v>195525</v>
 </b>
 </bs>
 </hist>
@@ -39675,7 +41816,7 @@
 <b>
 <a>1</a>
 <b>2</b>
-<v>379895</v>
+<v>195525</v>
 </b>
 </bs>
 </hist>
@@ -39691,42 +41832,42 @@
 <b>
 <a>1</a>
 <b>2</b>
-<v>28863</v>
+<v>14855</v>
 </b>
 <b>
 <a>2</a>
 <b>3</b>
-<v>22273</v>
+<v>11463</v>
 </b>
 <b>
 <a>3</a>
 <b>4</b>
-<v>11411</v>
+<v>5873</v>
 </b>
 <b>
 <a>4</a>
 <b>5</b>
-<v>8450</v>
+<v>4349</v>
 </b>
 <b>
 <a>5</a>
 <b>6</b>
-<v>5737</v>
+<v>2953</v>
 </b>
 <b>
 <a>6</a>
 <b>9</b>
-<v>8660</v>
+<v>4457</v>
 </b>
 <b>
 <a>9</a>
 <b>25</b>
-<v>7096</v>
+<v>3652</v>
 </b>
 <b>
 <a>25</a>
 <b>1883</b>
-<v>1154</v>
+<v>594</v>
 </b>
 </bs>
 </hist>
@@ -39742,42 +41883,42 @@
 <b>
 <a>1</a>
 <b>2</b>
-<v>33607</v>
+<v>17297</v>
 </b>
 <b>
 <a>2</a>
 <b>3</b>
-<v>17787</v>
+<v>9154</v>
 </b>
 <b>
 <a>3</a>
 <b>4</b>
-<v>11309</v>
+<v>5820</v>
 </b>
 <b>
 <a>4</a>
 <b>5</b>
-<v>8460</v>
+<v>4354</v>
 </b>
 <b>
 <a>5</a>
 <b>6</b>
-<v>5718</v>
+<v>2943</v>
 </b>
 <b>
 <a>6</a>
 <b>8</b>
-<v>6624</v>
+<v>3409</v>
 </b>
 <b>
 <a>8</a>
 <b>15</b>
-<v>7213</v>
+<v>3712</v>
 </b>
 <b>
 <a>15</a>
 <b>1883</b>
-<v>2927</v>
+<v>1506</v>
 </b>
 </bs>
 </hist>
@@ -39793,32 +41934,32 @@
 <b>
 <a>1</a>
 <b>2</b>
-<v>35054</v>
+<v>18041</v>
 </b>
 <b>
 <a>2</a>
 <b>3</b>
-<v>25755</v>
+<v>13256</v>
 </b>
 <b>
 <a>3</a>
 <b>4</b>
-<v>13472</v>
+<v>6933</v>
 </b>
 <b>
 <a>4</a>
 <b>5</b>
-<v>8099</v>
+<v>4168</v>
 </b>
 <b>
 <a>5</a>
 <b>8</b>
-<v>7754</v>
+<v>3990</v>
 </b>
 <b>
 <a>8</a>
 <b>50</b>
-<v>3511</v>
+<v>1807</v>
 </b>
 </bs>
 </hist>
@@ -39834,27 +41975,27 @@
 <b>
 <a>1</a>
 <b>2</b>
-<v>62626</v>
+<v>32232</v>
 </b>
 <b>
 <a>2</a>
 <b>3</b>
-<v>21430</v>
+<v>11030</v>
 </b>
 <b>
 <a>3</a>
 <b>4</b>
-<v>6477</v>
+<v>3334</v>
 </b>
 <b>
 <a>4</a>
 <b>8</b>
-<v>8757</v>
+<v>4507</v>
 </b>
 <b>
 <a>8</a>
 <b>2134</b>
-<v>6935</v>
+<v>3569</v>
 </b>
 </bs>
 </hist>
@@ -39870,27 +42011,27 @@
 <b>
 <a>1</a>
 <b>2</b>
-<v>62626</v>
+<v>32232</v>
 </b>
 <b>
 <a>2</a>
 <b>3</b>
-<v>21503</v>
+<v>11067</v>
 </b>
 <b>
 <a>3</a>
 <b>4</b>
-<v>6453</v>
+<v>3321</v>
 </b>
 <b>
 <a>4</a>
 <b>8</b>
-<v>8772</v>
+<v>4514</v>
 </b>
 <b>
 <a>8</a>
 <b>1400</b>
-<v>6872</v>
+<v>3537</v>
 </b>
 </bs>
 </hist>
@@ -39906,17 +42047,17 @@
 <b>
 <a>1</a>
 <b>2</b>
-<v>89400</v>
+<v>46012</v>
 </b>
 <b>
 <a>2</a>
 <b>3</b>
-<v>10968</v>
+<v>5645</v>
 </b>
 <b>
 <a>3</a>
 <b>568</b>
-<v>5859</v>
+<v>3015</v>
 </b>
 </bs>
 </hist>
@@ -39932,27 +42073,27 @@
 <b>
 <a>1</a>
 <b>2</b>
-<v>31415</v>
+<v>16169</v>
 </b>
 <b>
 <a>2</a>
 <b>3</b>
-<v>7515</v>
+<v>3868</v>
 </b>
 <b>
 <a>3</a>
 <b>4</b>
-<v>3180</v>
+<v>1636</v>
 </b>
 <b>
 <a>4</a>
 <b>8</b>
-<v>4364</v>
+<v>2246</v>
 </b>
 <b>
 <a>8</a>
 <b>15452</b>
-<v>3346</v>
+<v>1722</v>
 </b>
 </bs>
 </hist>
@@ -39968,27 +42109,27 @@
 <b>
 <a>1</a>
 <b>2</b>
-<v>33203</v>
+<v>17089</v>
 </b>
 <b>
 <a>2</a>
 <b>3</b>
-<v>7028</v>
+<v>3617</v>
 </b>
 <b>
 <a>3</a>
 <b>4</b>
-<v>3044</v>
+<v>1566</v>
 </b>
 <b>
 <a>4</a>
 <b>8</b>
-<v>3862</v>
+<v>1987</v>
 </b>
 <b>
 <a>8</a>
 <b>5858</b>
-<v>2683</v>
+<v>1381</v>
 </b>
 </bs>
 </hist>
@@ -40004,22 +42145,22 @@
 <b>
 <a>1</a>
 <b>2</b>
-<v>39924</v>
+<v>20548</v>
 </b>
 <b>
 <a>2</a>
 <b>3</b>
-<v>5309</v>
+<v>2732</v>
 </b>
 <b>
 <a>3</a>
 <b>12</b>
-<v>3799</v>
+<v>1955</v>
 </b>
 <b>
 <a>12</a>
 <b>6253</b>
-<v>789</v>
+<v>406</v>
 </b>
 </bs>
 </hist>
@@ -40029,23 +42170,23 @@
 </relation>
 <relation>
 <name>cil_event</name>
-<cardinality>20841</cardinality>
+<cardinality>10726</cardinality>
 <columnsizes>
 <e>
 <k>id</k>
-<v>20841</v>
+<v>10726</v>
 </e>
 <e>
 <k>parent</k>
-<v>6458</v>
+<v>3324</v>
 </e>
 <e>
 <k>name</k>
-<v>13063</v>
+<v>6723</v>
 </e>
 <e>
 <k>event_type</k>
-<v>6794</v>
+<v>3497</v>
 </e>
 </columnsizes>
 <dependencies>
@@ -40059,7 +42200,7 @@
 <b>
 <a>1</a>
 <b>2</b>
-<v>20841</v>
+<v>10726</v>
 </b>
 </bs>
 </hist>
@@ -40075,7 +42216,7 @@
 <b>
 <a>1</a>
 <b>2</b>
-<v>20841</v>
+<v>10726</v>
 </b>
 </bs>
 </hist>
@@ -40091,7 +42232,7 @@
 <b>
 <a>1</a>
 <b>2</b>
-<v>20841</v>
+<v>10726</v>
 </b>
 </bs>
 </hist>
@@ -40107,17 +42248,17 @@
 <b>
 <a>1</a>
 <b>2</b>
-<v>5742</v>
+<v>2955</v>
 </b>
 <b>
 <a>2</a>
 <b>7</b>
-<v>491</v>
+<v>253</v>
 </b>
 <b>
 <a>7</a>
 <b>465</b>
-<v>224</v>
+<v>115</v>
 </b>
 </bs>
 </hist>
@@ -40133,17 +42274,17 @@
 <b>
 <a>1</a>
 <b>2</b>
-<v>5742</v>
+<v>2955</v>
 </b>
 <b>
 <a>2</a>
 <b>7</b>
-<v>491</v>
+<v>253</v>
 </b>
 <b>
 <a>7</a>
 <b>465</b>
-<v>224</v>
+<v>115</v>
 </b>
 </bs>
 </hist>
@@ -40159,17 +42300,17 @@
 <b>
 <a>1</a>
 <b>2</b>
-<v>5917</v>
+<v>3045</v>
 </b>
 <b>
 <a>2</a>
 <b>20</b>
-<v>487</v>
+<v>250</v>
 </b>
 <b>
 <a>30</a>
 <b>181</b>
-<v>53</v>
+<v>27</v>
 </b>
 </bs>
 </hist>
@@ -40185,162 +42326,162 @@
 <b>
 <a>1</a>
 <b>2</b>
-<v>11655</v>
+<v>5998</v>
 </b>
 <b>
 <a>2</a>
 <b>4</b>
-<v>964</v>
-</b>
-<b>
-<a>4</a>
-<b>566</b>
-<v>443</v>
-</b>
-</bs>
-</hist>
-</val>
-</dep>
-<dep>
-<src>name</src>
-<trg>parent</trg>
-<val>
-<hist>
-<budget>12</budget>
-<bs>
-<b>
-<a>1</a>
-<b>2</b>
-<v>11655</v>
-</b>
-<b>
-<a>2</a>
-<b>4</b>
-<v>964</v>
-</b>
-<b>
-<a>4</a>
-<b>566</b>
-<v>443</v>
-</b>
-</bs>
-</hist>
-</val>
-</dep>
-<dep>
-<src>name</src>
-<trg>event_type</trg>
-<val>
-<hist>
-<budget>12</budget>
-<bs>
-<b>
-<a>1</a>
-<b>2</b>
-<v>12468</v>
-</b>
-<b>
-<a>2</a>
-<b>566</b>
-<v>594</v>
-</b>
-</bs>
-</hist>
-</val>
-</dep>
-<dep>
-<src>event_type</src>
-<trg>id</trg>
-<val>
-<hist>
-<budget>12</budget>
-<bs>
-<b>
-<a>1</a>
-<b>2</b>
-<v>944</v>
-</b>
-<b>
-<a>2</a>
-<b>3</b>
-<v>4515</v>
-</b>
-<b>
-<a>3</a>
-<b>4</b>
-<v>584</v>
-</b>
-<b>
-<a>4</a>
-<b>8</b>
-<v>574</v>
-</b>
-<b>
-<a>8</a>
-<b>318</b>
-<v>175</v>
-</b>
-</bs>
-</hist>
-</val>
-</dep>
-<dep>
-<src>event_type</src>
-<trg>parent</trg>
-<val>
-<hist>
-<budget>12</budget>
-<bs>
-<b>
-<a>1</a>
-<b>2</b>
-<v>1422</v>
-</b>
-<b>
-<a>2</a>
-<b>3</b>
-<v>5084</v>
-</b>
-<b>
-<a>3</a>
-<b>32</b>
-<v>287</v>
-</b>
-</bs>
-</hist>
-</val>
-</dep>
-<dep>
-<src>event_type</src>
-<trg>name</trg>
-<val>
-<hist>
-<budget>12</budget>
-<bs>
-<b>
-<a>1</a>
-<b>2</b>
-<v>1310</v>
-</b>
-<b>
-<a>2</a>
-<b>3</b>
-<v>4344</v>
-</b>
-<b>
-<a>3</a>
-<b>4</b>
 <v>496</v>
 </b>
 <b>
 <a>4</a>
+<b>566</b>
+<v>228</v>
+</b>
+</bs>
+</hist>
+</val>
+</dep>
+<dep>
+<src>name</src>
+<trg>parent</trg>
+<val>
+<hist>
+<budget>12</budget>
+<bs>
+<b>
+<a>1</a>
+<b>2</b>
+<v>5998</v>
+</b>
+<b>
+<a>2</a>
+<b>4</b>
+<v>496</v>
+</b>
+<b>
+<a>4</a>
+<b>566</b>
+<v>228</v>
+</b>
+</bs>
+</hist>
+</val>
+</dep>
+<dep>
+<src>name</src>
+<trg>event_type</trg>
+<val>
+<hist>
+<budget>12</budget>
+<bs>
+<b>
+<a>1</a>
+<b>2</b>
+<v>6417</v>
+</b>
+<b>
+<a>2</a>
+<b>566</b>
+<v>305</v>
+</b>
+</bs>
+</hist>
+</val>
+</dep>
+<dep>
+<src>event_type</src>
+<trg>id</trg>
+<val>
+<hist>
+<budget>12</budget>
+<bs>
+<b>
+<a>1</a>
+<b>2</b>
+<v>486</v>
+</b>
+<b>
+<a>2</a>
+<b>3</b>
+<v>2323</v>
+</b>
+<b>
+<a>3</a>
+<b>4</b>
+<v>300</v>
+</b>
+<b>
+<a>4</a>
+<b>8</b>
+<v>295</v>
+</b>
+<b>
+<a>8</a>
+<b>318</b>
+<v>90</v>
+</b>
+</bs>
+</hist>
+</val>
+</dep>
+<dep>
+<src>event_type</src>
+<trg>parent</trg>
+<val>
+<hist>
+<budget>12</budget>
+<bs>
+<b>
+<a>1</a>
+<b>2</b>
+<v>731</v>
+</b>
+<b>
+<a>2</a>
+<b>3</b>
+<v>2617</v>
+</b>
+<b>
+<a>3</a>
+<b>32</b>
+<v>147</v>
+</b>
+</bs>
+</hist>
+</val>
+</dep>
+<dep>
+<src>event_type</src>
+<trg>name</trg>
+<val>
+<hist>
+<budget>12</budget>
+<bs>
+<b>
+<a>1</a>
+<b>2</b>
+<v>674</v>
+</b>
+<b>
+<a>2</a>
+<b>3</b>
+<v>2236</v>
+</b>
+<b>
+<a>3</a>
+<b>4</b>
+<v>255</v>
+</b>
+<b>
+<a>4</a>
 <b>10</b>
-<v>530</v>
+<v>273</v>
 </b>
 <b>
 <a>10</a>
 <b>243</b>
-<v>112</v>
+<v>57</v>
 </b>
 </bs>
 </hist>
@@ -40350,23 +42491,23 @@
 </relation>
 <relation>
 <name>cil_local_variable</name>
-<cardinality>1150606</cardinality>
+<cardinality>592197</cardinality>
 <columnsizes>
 <e>
 <k>id</k>
-<v>1150606</v>
+<v>592197</v>
 </e>
 <e>
 <k>impl</k>
-<v>348611</v>
+<v>179424</v>
 </e>
 <e>
 <k>index</k>
-<v>691</v>
+<v>355</v>
 </e>
 <e>
 <k>var_type</k>
-<v>154214</v>
+<v>79371</v>
 </e>
 </columnsizes>
 <dependencies>
@@ -40380,7 +42521,7 @@
 <b>
 <a>1</a>
 <b>2</b>
-<v>1150606</v>
+<v>592197</v>
 </b>
 </bs>
 </hist>
@@ -40396,7 +42537,7 @@
 <b>
 <a>1</a>
 <b>2</b>
-<v>1150606</v>
+<v>592197</v>
 </b>
 </bs>
 </hist>
@@ -40412,7 +42553,7 @@
 <b>
 <a>1</a>
 <b>2</b>
-<v>1150606</v>
+<v>592197</v>
 </b>
 </bs>
 </hist>
@@ -40428,37 +42569,37 @@
 <b>
 <a>1</a>
 <b>2</b>
-<v>139889</v>
+<v>71998</v>
 </b>
 <b>
 <a>2</a>
 <b>3</b>
-<v>62027</v>
+<v>31924</v>
 </b>
 <b>
 <a>3</a>
 <b>4</b>
-<v>49315</v>
+<v>25381</v>
 </b>
 <b>
 <a>4</a>
 <b>5</b>
-<v>23471</v>
+<v>12080</v>
 </b>
 <b>
 <a>5</a>
 <b>7</b>
-<v>31873</v>
+<v>16404</v>
 </b>
 <b>
 <a>7</a>
 <b>12</b>
-<v>28853</v>
+<v>14850</v>
 </b>
 <b>
 <a>12</a>
 <b>143</b>
-<v>13179</v>
+<v>6783</v>
 </b>
 </bs>
 </hist>
@@ -40474,37 +42615,37 @@
 <b>
 <a>1</a>
 <b>2</b>
-<v>139889</v>
+<v>71998</v>
 </b>
 <b>
 <a>2</a>
 <b>3</b>
-<v>62027</v>
+<v>31924</v>
 </b>
 <b>
 <a>3</a>
 <b>4</b>
-<v>49315</v>
+<v>25381</v>
 </b>
 <b>
 <a>4</a>
 <b>5</b>
-<v>23471</v>
+<v>12080</v>
 </b>
 <b>
 <a>5</a>
 <b>7</b>
-<v>31873</v>
+<v>16404</v>
 </b>
 <b>
 <a>7</a>
 <b>12</b>
-<v>28853</v>
+<v>14850</v>
 </b>
 <b>
 <a>12</a>
 <b>143</b>
-<v>13179</v>
+<v>6783</v>
 </b>
 </bs>
 </hist>
@@ -40520,32 +42661,32 @@
 <b>
 <a>1</a>
 <b>2</b>
-<v>168339</v>
+<v>86641</v>
 </b>
 <b>
 <a>2</a>
 <b>3</b>
-<v>70112</v>
+<v>36085</v>
 </b>
 <b>
 <a>3</a>
 <b>4</b>
-<v>37932</v>
+<v>19523</v>
 </b>
 <b>
 <a>4</a>
 <b>5</b>
-<v>20641</v>
+<v>10623</v>
 </b>
 <b>
 <a>5</a>
 <b>7</b>
-<v>27665</v>
+<v>14238</v>
 </b>
 <b>
 <a>7</a>
 <b>47</b>
-<v>23919</v>
+<v>12311</v>
 </b>
 </bs>
 </hist>
@@ -40561,62 +42702,62 @@
 <b>
 <a>1</a>
 <b>2</b>
-<v>68</v>
+<v>35</v>
 </b>
 <b>
 <a>2</a>
 <b>3</b>
-<v>87</v>
+<v>45</v>
 </b>
 <b>
 <a>3</a>
 <b>5</b>
-<v>63</v>
+<v>32</v>
 </b>
 <b>
 <a>5</a>
 <b>7</b>
-<v>48</v>
+<v>25</v>
 </b>
 <b>
 <a>7</a>
 <b>8</b>
-<v>63</v>
+<v>32</v>
 </b>
 <b>
 <a>8</a>
 <b>13</b>
-<v>63</v>
+<v>32</v>
 </b>
 <b>
 <a>13</a>
 <b>19</b>
-<v>53</v>
+<v>27</v>
 </b>
 <b>
 <a>21</a>
 <b>51</b>
-<v>53</v>
+<v>27</v>
 </b>
 <b>
 <a>56</a>
 <b>167</b>
-<v>53</v>
+<v>27</v>
 </b>
 <b>
 <a>182</a>
 <b>829</b>
-<v>53</v>
+<v>27</v>
 </b>
 <b>
 <a>1008</a>
 <b>8631</b>
-<v>53</v>
+<v>27</v>
 </b>
 <b>
 <a>11398</a>
 <b>71575</b>
-<v>29</v>
+<v>15</v>
 </b>
 </bs>
 </hist>
@@ -40632,62 +42773,62 @@
 <b>
 <a>1</a>
 <b>2</b>
-<v>68</v>
+<v>35</v>
 </b>
 <b>
 <a>2</a>
 <b>3</b>
-<v>87</v>
+<v>45</v>
 </b>
 <b>
 <a>3</a>
 <b>5</b>
-<v>63</v>
+<v>32</v>
 </b>
 <b>
 <a>5</a>
 <b>7</b>
-<v>48</v>
+<v>25</v>
 </b>
 <b>
 <a>7</a>
 <b>8</b>
-<v>63</v>
+<v>32</v>
 </b>
 <b>
 <a>8</a>
 <b>13</b>
-<v>63</v>
+<v>32</v>
 </b>
 <b>
 <a>13</a>
 <b>19</b>
-<v>53</v>
+<v>27</v>
 </b>
 <b>
 <a>21</a>
 <b>51</b>
-<v>53</v>
+<v>27</v>
 </b>
 <b>
 <a>56</a>
 <b>167</b>
-<v>53</v>
+<v>27</v>
 </b>
 <b>
 <a>182</a>
 <b>829</b>
-<v>53</v>
+<v>27</v>
 </b>
 <b>
 <a>1008</a>
 <b>8631</b>
-<v>53</v>
+<v>27</v>
 </b>
 <b>
 <a>11398</a>
 <b>71575</b>
-<v>29</v>
+<v>15</v>
 </b>
 </bs>
 </hist>
@@ -40703,67 +42844,67 @@
 <b>
 <a>1</a>
 <b>2</b>
-<v>73</v>
+<v>37</v>
 </b>
 <b>
 <a>2</a>
 <b>3</b>
-<v>92</v>
+<v>47</v>
 </b>
 <b>
 <a>3</a>
 <b>4</b>
-<v>58</v>
+<v>30</v>
 </b>
 <b>
 <a>4</a>
 <b>5</b>
-<v>24</v>
+<v>12</v>
 </b>
 <b>
 <a>5</a>
 <b>6</b>
-<v>58</v>
+<v>30</v>
 </b>
 <b>
 <a>6</a>
 <b>8</b>
-<v>58</v>
+<v>30</v>
 </b>
 <b>
 <a>8</a>
 <b>11</b>
-<v>43</v>
+<v>22</v>
 </b>
 <b>
 <a>11</a>
 <b>18</b>
-<v>53</v>
+<v>27</v>
 </b>
 <b>
 <a>19</a>
 <b>42</b>
-<v>53</v>
+<v>27</v>
 </b>
 <b>
 <a>52</a>
 <b>110</b>
-<v>53</v>
+<v>27</v>
 </b>
 <b>
 <a>143</a>
 <b>539</b>
-<v>53</v>
+<v>27</v>
 </b>
 <b>
 <a>599</a>
 <b>4919</b>
-<v>53</v>
+<v>27</v>
 </b>
 <b>
 <a>7226</a>
 <b>19498</b>
-<v>14</v>
+<v>7</v>
 </b>
 </bs>
 </hist>
@@ -40779,37 +42920,37 @@
 <b>
 <a>1</a>
 <b>2</b>
-<v>81286</v>
+<v>41836</v>
 </b>
 <b>
 <a>2</a>
 <b>3</b>
-<v>27236</v>
+<v>14018</v>
 </b>
 <b>
 <a>3</a>
 <b>4</b>
-<v>8372</v>
+<v>4309</v>
 </b>
 <b>
 <a>4</a>
 <b>5</b>
-<v>11821</v>
+<v>6084</v>
 </b>
 <b>
 <a>5</a>
 <b>8</b>
-<v>12785</v>
+<v>6580</v>
 </b>
 <b>
 <a>8</a>
 <b>76</b>
-<v>11572</v>
+<v>5956</v>
 </b>
 <b>
 <a>76</a>
 <b>35712</b>
-<v>1139</v>
+<v>586</v>
 </b>
 </bs>
 </hist>
@@ -40825,32 +42966,32 @@
 <b>
 <a>1</a>
 <b>2</b>
-<v>85314</v>
+<v>43909</v>
 </b>
 <b>
 <a>2</a>
 <b>3</b>
-<v>30977</v>
+<v>15943</v>
 </b>
 <b>
 <a>3</a>
 <b>4</b>
-<v>8382</v>
+<v>4314</v>
 </b>
 <b>
 <a>4</a>
 <b>5</b>
-<v>11699</v>
+<v>6021</v>
 </b>
 <b>
 <a>5</a>
 <b>14</b>
-<v>12020</v>
+<v>6186</v>
 </b>
 <b>
 <a>14</a>
 <b>21451</b>
-<v>5820</v>
+<v>2995</v>
 </b>
 </bs>
 </hist>
@@ -40866,27 +43007,27 @@
 <b>
 <a>1</a>
 <b>2</b>
-<v>96614</v>
+<v>49725</v>
 </b>
 <b>
 <a>2</a>
 <b>3</b>
-<v>28673</v>
+<v>14757</v>
 </b>
 <b>
 <a>3</a>
 <b>4</b>
-<v>13769</v>
+<v>7086</v>
 </b>
 <b>
 <a>4</a>
 <b>9</b>
-<v>11860</v>
+<v>6104</v>
 </b>
 <b>
 <a>9</a>
 <b>122</b>
-<v>3297</v>
+<v>1697</v>
 </b>
 </bs>
 </hist>
@@ -40949,35 +43090,35 @@
 </relation>
 <relation>
 <name>cil_handler</name>
-<cardinality>101450</cardinality>
+<cardinality>52214</cardinality>
 <columnsizes>
 <e>
 <k>id</k>
-<v>101450</v>
+<v>52214</v>
 </e>
 <e>
 <k>impl</k>
-<v>71423</v>
+<v>36760</v>
 </e>
 <e>
 <k>index</k>
-<v>77</v>
+<v>40</v>
 </e>
 <e>
 <k>kind</k>
-<v>19</v>
+<v>10</v>
 </e>
 <e>
 <k>try_start</k>
-<v>97612</v>
+<v>50239</v>
 </e>
 <e>
 <k>try_end</k>
-<v>99828</v>
+<v>51380</v>
 </e>
 <e>
 <k>handler_start</k>
-<v>101450</v>
+<v>52214</v>
 </e>
 </columnsizes>
 <dependencies>
@@ -40991,7 +43132,7 @@
 <b>
 <a>1</a>
 <b>2</b>
-<v>101450</v>
+<v>52214</v>
 </b>
 </bs>
 </hist>
@@ -41007,7 +43148,7 @@
 <b>
 <a>1</a>
 <b>2</b>
-<v>101450</v>
+<v>52214</v>
 </b>
 </bs>
 </hist>
@@ -41023,7 +43164,7 @@
 <b>
 <a>1</a>
 <b>2</b>
-<v>101450</v>
+<v>52214</v>
 </b>
 </bs>
 </hist>
@@ -41039,7 +43180,7 @@
 <b>
 <a>1</a>
 <b>2</b>
-<v>101450</v>
+<v>52214</v>
 </b>
 </bs>
 </hist>
@@ -41055,7 +43196,7 @@
 <b>
 <a>1</a>
 <b>2</b>
-<v>101450</v>
+<v>52214</v>
 </b>
 </bs>
 </hist>
@@ -41071,7 +43212,7 @@
 <b>
 <a>1</a>
 <b>2</b>
-<v>101450</v>
+<v>52214</v>
 </b>
 </bs>
 </hist>
@@ -41087,22 +43228,22 @@
 <b>
 <a>1</a>
 <b>2</b>
-<v>53776</v>
+<v>27677</v>
 </b>
 <b>
 <a>2</a>
 <b>3</b>
-<v>11153</v>
+<v>5740</v>
 </b>
 <b>
 <a>3</a>
 <b>5</b>
-<v>5425</v>
+<v>2792</v>
 </b>
 <b>
 <a>5</a>
 <b>17</b>
-<v>1066</v>
+<v>548</v>
 </b>
 </bs>
 </hist>
@@ -41118,22 +43259,22 @@
 <b>
 <a>1</a>
 <b>2</b>
-<v>53776</v>
+<v>27677</v>
 </b>
 <b>
 <a>2</a>
 <b>3</b>
-<v>11153</v>
+<v>5740</v>
 </b>
 <b>
 <a>3</a>
 <b>5</b>
-<v>5425</v>
+<v>2792</v>
 </b>
 <b>
 <a>5</a>
 <b>17</b>
-<v>1066</v>
+<v>548</v>
 </b>
 </bs>
 </hist>
@@ -41149,17 +43290,17 @@
 <b>
 <a>1</a>
 <b>2</b>
-<v>61862</v>
+<v>31839</v>
 </b>
 <b>
 <a>2</a>
 <b>3</b>
-<v>9337</v>
+<v>4805</v>
 </b>
 <b>
 <a>3</a>
 <b>4</b>
-<v>224</v>
+<v>115</v>
 </b>
 </bs>
 </hist>
@@ -41175,22 +43316,22 @@
 <b>
 <a>1</a>
 <b>2</b>
-<v>54804</v>
+<v>28206</v>
 </b>
 <b>
 <a>2</a>
 <b>3</b>
-<v>10846</v>
+<v>5582</v>
 </b>
 <b>
 <a>3</a>
 <b>7</b>
-<v>5528</v>
+<v>2845</v>
 </b>
 <b>
 <a>7</a>
 <b>15</b>
-<v>243</v>
+<v>125</v>
 </b>
 </bs>
 </hist>
@@ -41206,22 +43347,22 @@
 <b>
 <a>1</a>
 <b>2</b>
-<v>54327</v>
+<v>27961</v>
 </b>
 <b>
 <a>2</a>
 <b>3</b>
-<v>11066</v>
+<v>5695</v>
 </b>
 <b>
 <a>3</a>
 <b>6</b>
-<v>5523</v>
+<v>2842</v>
 </b>
 <b>
 <a>6</a>
 <b>16</b>
-<v>506</v>
+<v>260</v>
 </b>
 </bs>
 </hist>
@@ -41237,22 +43378,22 @@
 <b>
 <a>1</a>
 <b>2</b>
-<v>53776</v>
+<v>27677</v>
 </b>
 <b>
 <a>2</a>
 <b>3</b>
-<v>11153</v>
+<v>5740</v>
 </b>
 <b>
 <a>3</a>
 <b>5</b>
-<v>5425</v>
+<v>2792</v>
 </b>
 <b>
 <a>5</a>
 <b>17</b>
-<v>1066</v>
+<v>548</v>
 </b>
 </bs>
 </hist>
@@ -41268,77 +43409,77 @@
 <b>
 <a>1</a>
 <b>2</b>
-<v>4</v>
+<v>2</v>
 </b>
 <b>
 <a>2</a>
 <b>3</b>
-<v>9</v>
+<v>5</v>
 </b>
 <b>
 <a>4</a>
 <b>5</b>
-<v>4</v>
+<v>2</v>
 </b>
 <b>
 <a>9</a>
 <b>10</b>
-<v>4</v>
+<v>2</v>
 </b>
 <b>
 <a>11</a>
 <b>12</b>
-<v>4</v>
+<v>2</v>
 </b>
 <b>
 <a>20</a>
 <b>21</b>
-<v>4</v>
+<v>2</v>
 </b>
 <b>
 <a>27</a>
 <b>28</b>
-<v>4</v>
+<v>2</v>
 </b>
 <b>
 <a>40</a>
 <b>41</b>
-<v>4</v>
+<v>2</v>
 </b>
 <b>
 <a>66</a>
 <b>67</b>
-<v>4</v>
+<v>2</v>
 </b>
 <b>
 <a>123</a>
 <b>124</b>
-<v>4</v>
+<v>2</v>
 </b>
 <b>
 <a>219</a>
 <b>220</b>
-<v>4</v>
+<v>2</v>
 </b>
 <b>
 <a>685</a>
 <b>686</b>
-<v>4</v>
+<v>2</v>
 </b>
 <b>
 <a>1333</a>
 <b>1334</b>
-<v>4</v>
+<v>2</v>
 </b>
 <b>
 <a>3623</a>
 <b>3624</b>
-<v>4</v>
+<v>2</v>
 </b>
 <b>
 <a>14664</a>
 <b>14665</b>
-<v>4</v>
+<v>2</v>
 </b>
 </bs>
 </hist>
@@ -41354,77 +43495,77 @@
 <b>
 <a>1</a>
 <b>2</b>
-<v>4</v>
+<v>2</v>
 </b>
 <b>
 <a>2</a>
 <b>3</b>
-<v>9</v>
+<v>5</v>
 </b>
 <b>
 <a>4</a>
 <b>5</b>
-<v>4</v>
+<v>2</v>
 </b>
 <b>
 <a>9</a>
 <b>10</b>
-<v>4</v>
+<v>2</v>
 </b>
 <b>
 <a>11</a>
 <b>12</b>
-<v>4</v>
+<v>2</v>
 </b>
 <b>
 <a>20</a>
 <b>21</b>
-<v>4</v>
+<v>2</v>
 </b>
 <b>
 <a>27</a>
 <b>28</b>
-<v>4</v>
+<v>2</v>
 </b>
 <b>
 <a>40</a>
 <b>41</b>
-<v>4</v>
+<v>2</v>
 </b>
 <b>
 <a>66</a>
 <b>67</b>
-<v>4</v>
+<v>2</v>
 </b>
 <b>
 <a>123</a>
 <b>124</b>
-<v>4</v>
+<v>2</v>
 </b>
 <b>
 <a>219</a>
 <b>220</b>
-<v>4</v>
+<v>2</v>
 </b>
 <b>
 <a>685</a>
 <b>686</b>
-<v>4</v>
+<v>2</v>
 </b>
 <b>
 <a>1333</a>
 <b>1334</b>
-<v>4</v>
+<v>2</v>
 </b>
 <b>
 <a>3623</a>
 <b>3624</b>
-<v>4</v>
+<v>2</v>
 </b>
 <b>
 <a>14664</a>
 <b>14665</b>
-<v>4</v>
+<v>2</v>
 </b>
 </bs>
 </hist>
@@ -41440,22 +43581,22 @@
 <b>
 <a>1</a>
 <b>2</b>
-<v>9</v>
+<v>5</v>
 </b>
 <b>
 <a>2</a>
 <b>3</b>
-<v>29</v>
+<v>15</v>
 </b>
 <b>
 <a>3</a>
 <b>4</b>
-<v>14</v>
+<v>7</v>
 </b>
 <b>
 <a>4</a>
 <b>5</b>
-<v>24</v>
+<v>12</v>
 </b>
 </bs>
 </hist>
@@ -41471,77 +43612,77 @@
 <b>
 <a>1</a>
 <b>2</b>
-<v>4</v>
+<v>2</v>
 </b>
 <b>
 <a>2</a>
 <b>3</b>
-<v>9</v>
+<v>5</v>
 </b>
 <b>
 <a>4</a>
 <b>5</b>
-<v>4</v>
+<v>2</v>
 </b>
 <b>
 <a>9</a>
 <b>10</b>
-<v>4</v>
+<v>2</v>
 </b>
 <b>
 <a>11</a>
 <b>12</b>
-<v>4</v>
+<v>2</v>
 </b>
 <b>
 <a>20</a>
 <b>21</b>
-<v>4</v>
+<v>2</v>
 </b>
 <b>
 <a>27</a>
 <b>28</b>
-<v>4</v>
+<v>2</v>
 </b>
 <b>
 <a>40</a>
 <b>41</b>
-<v>4</v>
+<v>2</v>
 </b>
 <b>
 <a>66</a>
 <b>67</b>
-<v>4</v>
+<v>2</v>
 </b>
 <b>
 <a>123</a>
 <b>124</b>
-<v>4</v>
+<v>2</v>
 </b>
 <b>
 <a>219</a>
 <b>220</b>
-<v>4</v>
+<v>2</v>
 </b>
 <b>
 <a>685</a>
 <b>686</b>
-<v>4</v>
+<v>2</v>
 </b>
 <b>
 <a>1333</a>
 <b>1334</b>
-<v>4</v>
+<v>2</v>
 </b>
 <b>
 <a>3623</a>
 <b>3624</b>
-<v>4</v>
+<v>2</v>
 </b>
 <b>
 <a>14664</a>
 <b>14665</b>
-<v>4</v>
+<v>2</v>
 </b>
 </bs>
 </hist>
@@ -41557,77 +43698,77 @@
 <b>
 <a>1</a>
 <b>2</b>
-<v>4</v>
+<v>2</v>
 </b>
 <b>
 <a>2</a>
 <b>3</b>
-<v>9</v>
+<v>5</v>
 </b>
 <b>
 <a>4</a>
 <b>5</b>
-<v>4</v>
+<v>2</v>
 </b>
 <b>
 <a>9</a>
 <b>10</b>
-<v>4</v>
+<v>2</v>
 </b>
 <b>
 <a>11</a>
 <b>12</b>
-<v>4</v>
+<v>2</v>
 </b>
 <b>
 <a>20</a>
 <b>21</b>
-<v>4</v>
+<v>2</v>
 </b>
 <b>
 <a>27</a>
 <b>28</b>
-<v>4</v>
+<v>2</v>
 </b>
 <b>
 <a>40</a>
 <b>41</b>
-<v>4</v>
+<v>2</v>
 </b>
 <b>
 <a>66</a>
 <b>67</b>
-<v>4</v>
+<v>2</v>
 </b>
 <b>
 <a>123</a>
 <b>124</b>
-<v>4</v>
+<v>2</v>
 </b>
 <b>
 <a>219</a>
 <b>220</b>
-<v>4</v>
+<v>2</v>
 </b>
 <b>
 <a>685</a>
 <b>686</b>
-<v>4</v>
+<v>2</v>
 </b>
 <b>
 <a>1333</a>
 <b>1334</b>
-<v>4</v>
+<v>2</v>
 </b>
 <b>
 <a>3623</a>
 <b>3624</b>
-<v>4</v>
+<v>2</v>
 </b>
 <b>
 <a>14664</a>
 <b>14665</b>
-<v>4</v>
+<v>2</v>
 </b>
 </bs>
 </hist>
@@ -41643,77 +43784,77 @@
 <b>
 <a>1</a>
 <b>2</b>
-<v>4</v>
+<v>2</v>
 </b>
 <b>
 <a>2</a>
 <b>3</b>
-<v>9</v>
+<v>5</v>
 </b>
 <b>
 <a>4</a>
 <b>5</b>
-<v>4</v>
+<v>2</v>
 </b>
 <b>
 <a>9</a>
 <b>10</b>
-<v>4</v>
+<v>2</v>
 </b>
 <b>
 <a>11</a>
 <b>12</b>
-<v>4</v>
+<v>2</v>
 </b>
 <b>
 <a>20</a>
 <b>21</b>
-<v>4</v>
+<v>2</v>
 </b>
 <b>
 <a>27</a>
 <b>28</b>
-<v>4</v>
+<v>2</v>
 </b>
 <b>
 <a>40</a>
 <b>41</b>
-<v>4</v>
+<v>2</v>
 </b>
 <b>
 <a>66</a>
 <b>67</b>
-<v>4</v>
+<v>2</v>
 </b>
 <b>
 <a>123</a>
 <b>124</b>
-<v>4</v>
+<v>2</v>
 </b>
 <b>
 <a>219</a>
 <b>220</b>
-<v>4</v>
+<v>2</v>
 </b>
 <b>
 <a>685</a>
 <b>686</b>
-<v>4</v>
+<v>2</v>
 </b>
 <b>
 <a>1333</a>
 <b>1334</b>
-<v>4</v>
+<v>2</v>
 </b>
 <b>
 <a>3623</a>
 <b>3624</b>
-<v>4</v>
+<v>2</v>
 </b>
 <b>
 <a>14664</a>
 <b>14665</b>
-<v>4</v>
+<v>2</v>
 </b>
 </bs>
 </hist>
@@ -41729,22 +43870,22 @@
 <b>
 <a>166</a>
 <b>167</b>
-<v>4</v>
+<v>2</v>
 </b>
 <b>
 <a>302</a>
 <b>303</b>
-<v>4</v>
+<v>2</v>
 </b>
 <b>
 <a>8994</a>
 <b>8995</b>
-<v>4</v>
+<v>2</v>
 </b>
 <b>
 <a>11367</a>
 <b>11368</b>
-<v>4</v>
+<v>2</v>
 </b>
 </bs>
 </hist>
@@ -41760,22 +43901,22 @@
 <b>
 <a>148</a>
 <b>149</b>
-<v>4</v>
+<v>2</v>
 </b>
 <b>
 <a>302</a>
 <b>303</b>
-<v>4</v>
+<v>2</v>
 </b>
 <b>
 <a>7560</a>
 <b>7561</b>
-<v>4</v>
+<v>2</v>
 </b>
 <b>
 <a>8663</a>
 <b>8664</b>
-<v>4</v>
+<v>2</v>
 </b>
 </bs>
 </hist>
@@ -41791,22 +43932,22 @@
 <b>
 <a>5</a>
 <b>6</b>
-<v>4</v>
+<v>2</v>
 </b>
 <b>
 <a>8</a>
 <b>9</b>
-<v>4</v>
+<v>2</v>
 </b>
 <b>
 <a>14</a>
 <b>15</b>
-<v>4</v>
+<v>2</v>
 </b>
 <b>
 <a>16</a>
 <b>17</b>
-<v>4</v>
+<v>2</v>
 </b>
 </bs>
 </hist>
@@ -41822,22 +43963,22 @@
 <b>
 <a>159</a>
 <b>160</b>
-<v>4</v>
+<v>2</v>
 </b>
 <b>
 <a>302</a>
 <b>303</b>
-<v>4</v>
+<v>2</v>
 </b>
 <b>
 <a>8695</a>
 <b>8696</b>
-<v>4</v>
+<v>2</v>
 </b>
 <b>
 <a>11363</a>
 <b>11364</b>
-<v>4</v>
+<v>2</v>
 </b>
 </bs>
 </hist>
@@ -41853,22 +43994,22 @@
 <b>
 <a>159</a>
 <b>160</b>
-<v>4</v>
+<v>2</v>
 </b>
 <b>
 <a>302</a>
 <b>303</b>
-<v>4</v>
+<v>2</v>
 </b>
 <b>
 <a>8704</a>
 <b>8705</b>
-<v>4</v>
+<v>2</v>
 </b>
 <b>
 <a>11367</a>
 <b>11368</b>
-<v>4</v>
+<v>2</v>
 </b>
 </bs>
 </hist>
@@ -41884,22 +44025,22 @@
 <b>
 <a>166</a>
 <b>167</b>
-<v>4</v>
+<v>2</v>
 </b>
 <b>
 <a>302</a>
 <b>303</b>
-<v>4</v>
+<v>2</v>
 </b>
 <b>
 <a>8994</a>
 <b>8995</b>
-<v>4</v>
+<v>2</v>
 </b>
 <b>
 <a>11367</a>
 <b>11368</b>
-<v>4</v>
+<v>2</v>
 </b>
 </bs>
 </hist>
@@ -41915,12 +44056,12 @@
 <b>
 <a>1</a>
 <b>2</b>
-<v>94315</v>
+<v>48542</v>
 </b>
 <b>
 <a>2</a>
 <b>8</b>
-<v>3297</v>
+<v>1697</v>
 </b>
 </bs>
 </hist>
@@ -41936,7 +44077,7 @@
 <b>
 <a>1</a>
 <b>2</b>
-<v>97612</v>
+<v>50239</v>
 </b>
 </bs>
 </hist>
@@ -41952,12 +44093,12 @@
 <b>
 <a>1</a>
 <b>2</b>
-<v>94315</v>
+<v>48542</v>
 </b>
 <b>
 <a>2</a>
 <b>8</b>
-<v>3297</v>
+<v>1697</v>
 </b>
 </bs>
 </hist>
@@ -41973,12 +44114,12 @@
 <b>
 <a>1</a>
 <b>2</b>
-<v>95352</v>
+<v>49076</v>
 </b>
 <b>
 <a>2</a>
 <b>4</b>
-<v>2259</v>
+<v>1163</v>
 </b>
 </bs>
 </hist>
@@ -41994,12 +44135,12 @@
 <b>
 <a>1</a>
 <b>2</b>
-<v>95396</v>
+<v>49098</v>
 </b>
 <b>
 <a>2</a>
 <b>3</b>
-<v>2216</v>
+<v>1140</v>
 </b>
 </bs>
 </hist>
@@ -42015,12 +44156,12 @@
 <b>
 <a>1</a>
 <b>2</b>
-<v>94315</v>
+<v>48542</v>
 </b>
 <b>
 <a>2</a>
 <b>8</b>
-<v>3297</v>
+<v>1697</v>
 </b>
 </bs>
 </hist>
@@ -42036,12 +44177,12 @@
 <b>
 <a>1</a>
 <b>2</b>
-<v>98601</v>
+<v>50748</v>
 </b>
 <b>
 <a>2</a>
 <b>7</b>
-<v>1227</v>
+<v>631</v>
 </b>
 </bs>
 </hist>
@@ -42057,7 +44198,7 @@
 <b>
 <a>1</a>
 <b>2</b>
-<v>99828</v>
+<v>51380</v>
 </b>
 </bs>
 </hist>
@@ -42073,12 +44214,12 @@
 <b>
 <a>1</a>
 <b>2</b>
-<v>98601</v>
+<v>50748</v>
 </b>
 <b>
 <a>2</a>
 <b>7</b>
-<v>1227</v>
+<v>631</v>
 </b>
 </bs>
 </hist>
@@ -42094,12 +44235,12 @@
 <b>
 <a>1</a>
 <b>2</b>
-<v>99653</v>
+<v>51289</v>
 </b>
 <b>
 <a>2</a>
 <b>3</b>
-<v>175</v>
+<v>90</v>
 </b>
 </bs>
 </hist>
@@ -42115,7 +44256,7 @@
 <b>
 <a>1</a>
 <b>2</b>
-<v>99828</v>
+<v>51380</v>
 </b>
 </bs>
 </hist>
@@ -42131,12 +44272,12 @@
 <b>
 <a>1</a>
 <b>2</b>
-<v>98601</v>
+<v>50748</v>
 </b>
 <b>
 <a>2</a>
 <b>7</b>
-<v>1227</v>
+<v>631</v>
 </b>
 </bs>
 </hist>
@@ -42152,7 +44293,7 @@
 <b>
 <a>1</a>
 <b>2</b>
-<v>101450</v>
+<v>52214</v>
 </b>
 </bs>
 </hist>
@@ -42168,7 +44309,7 @@
 <b>
 <a>1</a>
 <b>2</b>
-<v>101450</v>
+<v>52214</v>
 </b>
 </bs>
 </hist>
@@ -42184,7 +44325,7 @@
 <b>
 <a>1</a>
 <b>2</b>
-<v>101450</v>
+<v>52214</v>
 </b>
 </bs>
 </hist>
@@ -42200,7 +44341,7 @@
 <b>
 <a>1</a>
 <b>2</b>
-<v>101450</v>
+<v>52214</v>
 </b>
 </bs>
 </hist>
@@ -42216,7 +44357,7 @@
 <b>
 <a>1</a>
 <b>2</b>
-<v>101450</v>
+<v>52214</v>
 </b>
 </bs>
 </hist>
@@ -42232,7 +44373,7 @@
 <b>
 <a>1</a>
 <b>2</b>
-<v>101450</v>
+<v>52214</v>
 </b>
 </bs>
 </hist>
@@ -42242,15 +44383,15 @@
 </relation>
 <relation>
 <name>cil_handler_filter</name>
-<cardinality>808</cardinality>
+<cardinality>416</cardinality>
 <columnsizes>
 <e>
 <k>id</k>
-<v>808</v>
+<v>416</v>
 </e>
 <e>
 <k>filter_start</k>
-<v>808</v>
+<v>416</v>
 </e>
 </columnsizes>
 <dependencies>
@@ -42264,7 +44405,7 @@
 <b>
 <a>1</a>
 <b>2</b>
-<v>808</v>
+<v>416</v>
 </b>
 </bs>
 </hist>
@@ -42280,7 +44421,7 @@
 <b>
 <a>1</a>
 <b>2</b>
-<v>808</v>
+<v>416</v>
 </b>
 </bs>
 </hist>
@@ -42290,15 +44431,15 @@
 </relation>
 <relation>
 <name>cil_handler_type</name>
-<cardinality>43806</cardinality>
+<cardinality>22546</cardinality>
 <columnsizes>
 <e>
 <k>id</k>
-<v>43806</v>
+<v>22546</v>
 </e>
 <e>
 <k>catch_type</k>
-<v>1261</v>
+<v>649</v>
 </e>
 </columnsizes>
 <dependencies>
@@ -42312,7 +44453,7 @@
 <b>
 <a>1</a>
 <b>2</b>
-<v>43806</v>
+<v>22546</v>
 </b>
 </bs>
 </hist>
@@ -42328,42 +44469,42 @@
 <b>
 <a>1</a>
 <b>2</b>
-<v>438</v>
+<v>225</v>
 </b>
 <b>
 <a>2</a>
 <b>3</b>
-<v>267</v>
+<v>137</v>
 </b>
 <b>
 <a>3</a>
 <b>4</b>
-<v>150</v>
+<v>77</v>
 </b>
 <b>
 <a>4</a>
 <b>5</b>
-<v>102</v>
+<v>52</v>
 </b>
 <b>
 <a>5</a>
 <b>8</b>
-<v>97</v>
+<v>50</v>
 </b>
 <b>
 <a>8</a>
 <b>16</b>
-<v>102</v>
+<v>52</v>
 </b>
 <b>
 <a>16</a>
 <b>2589</b>
-<v>97</v>
+<v>50</v>
 </b>
 <b>
 <a>3495</a>
 <b>3496</b>
-<v>4</v>
+<v>2</v>
 </b>
 </bs>
 </hist>
@@ -42373,15 +44514,15 @@
 </relation>
 <relation>
 <name>cil_method_stack_size</name>
-<cardinality>1725702</cardinality>
+<cardinality>888189</cardinality>
 <columnsizes>
 <e>
 <k>method</k>
-<v>1725702</v>
+<v>888189</v>
 </e>
 <e>
 <k>size</k>
-<v>160</v>
+<v>82</v>
 </e>
 </columnsizes>
 <dependencies>
@@ -42395,7 +44536,7 @@
 <b>
 <a>1</a>
 <b>2</b>
-<v>1725702</v>
+<v>888189</v>
 </b>
 </bs>
 </hist>
@@ -42411,62 +44552,62 @@
 <b>
 <a>1</a>
 <b>2</b>
-<v>9</v>
+<v>5</v>
 </b>
 <b>
 <a>4</a>
 <b>5</b>
-<v>9</v>
+<v>5</v>
 </b>
 <b>
 <a>5</a>
 <b>7</b>
-<v>14</v>
+<v>7</v>
 </b>
 <b>
 <a>7</a>
 <b>10</b>
-<v>14</v>
+<v>7</v>
 </b>
 <b>
 <a>10</a>
 <b>14</b>
-<v>14</v>
+<v>7</v>
 </b>
 <b>
 <a>14</a>
 <b>19</b>
-<v>14</v>
+<v>7</v>
 </b>
 <b>
 <a>54</a>
 <b>75</b>
-<v>14</v>
+<v>7</v>
 </b>
 <b>
 <a>99</a>
 <b>326</b>
-<v>14</v>
+<v>7</v>
 </b>
 <b>
 <a>814</a>
 <b>2665</b>
-<v>14</v>
+<v>7</v>
 </b>
 <b>
 <a>3004</a>
 <b>5050</b>
-<v>14</v>
+<v>7</v>
 </b>
 <b>
 <a>8726</a>
 <b>20803</b>
-<v>14</v>
+<v>7</v>
 </b>
 <b>
 <a>23498</a>
 <b>270374</b>
-<v>9</v>
+<v>5</v>
 </b>
 </bs>
 </hist>
@@ -42476,110 +44617,110 @@
 </relation>
 <relation>
 <name>cil_public</name>
-<cardinality>1909891</cardinality>
+<cardinality>982987</cardinality>
 <columnsizes>
 <e>
 <k>id</k>
-<v>1909891</v>
+<v>982987</v>
 </e>
 </columnsizes>
 <dependencies/>
 </relation>
 <relation>
 <name>cil_private</name>
-<cardinality>928271</cardinality>
+<cardinality>477765</cardinality>
 <columnsizes>
 <e>
 <k>id</k>
-<v>928271</v>
+<v>477765</v>
 </e>
 </columnsizes>
 <dependencies/>
 </relation>
 <relation>
 <name>cil_protected</name>
-<cardinality>1817300</cardinality>
+<cardinality>935332</cardinality>
 <columnsizes>
 <e>
 <k>id</k>
-<v>1817300</v>
+<v>935332</v>
 </e>
 </columnsizes>
 <dependencies/>
 </relation>
 <relation>
 <name>cil_internal</name>
-<cardinality>41663</cardinality>
+<cardinality>23052</cardinality>
 <columnsizes>
 <e>
 <k>id</k>
-<v>41663</v>
+<v>23052</v>
 </e>
 </columnsizes>
 <dependencies/>
 </relation>
 <relation>
 <name>cil_static</name>
-<cardinality>794484</cardinality>
+<cardinality>408907</cardinality>
 <columnsizes>
 <e>
 <k>id</k>
-<v>794484</v>
+<v>408907</v>
 </e>
 </columnsizes>
 <dependencies/>
 </relation>
 <relation>
 <name>cil_sealed</name>
-<cardinality>356365</cardinality>
+<cardinality>183415</cardinality>
 <columnsizes>
 <e>
 <k>id</k>
-<v>356365</v>
+<v>183415</v>
 </e>
 </columnsizes>
 <dependencies/>
 </relation>
 <relation>
 <name>cil_virtual</name>
-<cardinality>677238</cardinality>
+<cardinality>348562</cardinality>
 <columnsizes>
 <e>
 <k>id</k>
-<v>677238</v>
+<v>348562</v>
 </e>
 </columnsizes>
 <dependencies/>
 </relation>
 <relation>
 <name>cil_abstract</name>
-<cardinality>165095</cardinality>
+<cardinality>84971</cardinality>
 <columnsizes>
 <e>
 <k>id</k>
-<v>165095</v>
+<v>84971</v>
 </e>
 </columnsizes>
 <dependencies/>
 </relation>
 <relation>
 <name>cil_class</name>
-<cardinality>238432</cardinality>
+<cardinality>122717</cardinality>
 <columnsizes>
 <e>
 <k>id</k>
-<v>238432</v>
+<v>122717</v>
 </e>
 </columnsizes>
 <dependencies/>
 </relation>
 <relation>
 <name>cil_interface</name>
-<cardinality>16540</cardinality>
+<cardinality>8513</cardinality>
 <columnsizes>
 <e>
 <k>id</k>
-<v>16540</v>
+<v>8513</v>
 </e>
 </columnsizes>
 <dependencies/>
@@ -42608,37 +44749,37 @@
 </relation>
 <relation>
 <name>cil_specialname</name>
-<cardinality>810557</cardinality>
+<cardinality>417180</cardinality>
 <columnsizes>
 <e>
 <k>id</k>
-<v>810557</v>
+<v>417180</v>
 </e>
 </columnsizes>
 <dependencies/>
 </relation>
 <relation>
 <name>cil_newslot</name>
-<cardinality>422046</cardinality>
+<cardinality>217219</cardinality>
 <columnsizes>
 <e>
 <k>id</k>
-<v>422046</v>
+<v>217219</v>
 </e>
 </columnsizes>
 <dependencies/>
 </relation>
 <relation>
 <name>cil_base_class</name>
-<cardinality>235451</cardinality>
+<cardinality>121182</cardinality>
 <columnsizes>
 <e>
 <k>id</k>
-<v>235451</v>
+<v>121182</v>
 </e>
 <e>
 <k>base</k>
-<v>21396</v>
+<v>11012</v>
 </e>
 </columnsizes>
 <dependencies>
@@ -42652,7 +44793,7 @@
 <b>
 <a>1</a>
 <b>2</b>
-<v>235451</v>
+<v>121182</v>
 </b>
 </bs>
 </hist>
@@ -42668,32 +44809,32 @@
 <b>
 <a>1</a>
 <b>2</b>
-<v>12308</v>
+<v>6334</v>
 </b>
 <b>
 <a>2</a>
 <b>3</b>
-<v>3857</v>
+<v>1985</v>
 </b>
 <b>
 <a>3</a>
 <b>4</b>
-<v>1612</v>
+<v>829</v>
 </b>
 <b>
 <a>4</a>
 <b>7</b>
-<v>1889</v>
+<v>972</v>
 </b>
 <b>
 <a>7</a>
 <b>84</b>
-<v>1607</v>
+<v>827</v>
 </b>
 <b>
 <a>86</a>
 <b>23834</b>
-<v>121</v>
+<v>62</v>
 </b>
 </bs>
 </hist>
@@ -42703,15 +44844,15 @@
 </relation>
 <relation>
 <name>cil_base_interface</name>
-<cardinality>125136</cardinality>
+<cardinality>64405</cardinality>
 <columnsizes>
 <e>
 <k>id</k>
-<v>68559</v>
+<v>35286</v>
 </e>
 <e>
 <k>base</k>
-<v>31176</v>
+<v>16046</v>
 </e>
 </columnsizes>
 <dependencies>
@@ -42725,27 +44866,27 @@
 <b>
 <a>1</a>
 <b>2</b>
-<v>47668</v>
+<v>24534</v>
 </b>
 <b>
 <a>2</a>
 <b>3</b>
-<v>8109</v>
+<v>4173</v>
 </b>
 <b>
 <a>3</a>
 <b>5</b>
-<v>6258</v>
+<v>3221</v>
 </b>
 <b>
 <a>5</a>
 <b>9</b>
-<v>5372</v>
+<v>2765</v>
 </b>
 <b>
 <a>9</a>
 <b>25</b>
-<v>1149</v>
+<v>591</v>
 </b>
 </bs>
 </hist>
@@ -42761,27 +44902,27 @@
 <b>
 <a>1</a>
 <b>2</b>
-<v>22463</v>
+<v>11561</v>
 </b>
 <b>
 <a>2</a>
 <b>3</b>
-<v>3428</v>
+<v>1764</v>
 </b>
 <b>
 <a>3</a>
 <b>5</b>
-<v>2518</v>
+<v>1296</v>
 </b>
 <b>
 <a>5</a>
 <b>30</b>
-<v>2342</v>
+<v>1205</v>
 </b>
 <b>
 <a>30</a>
 <b>2180</b>
-<v>423</v>
+<v>218</v>
 </b>
 </bs>
 </hist>
@@ -42791,15 +44932,15 @@
 </relation>
 <relation>
 <name>cil_enum_underlying_type</name>
-<cardinality>14061</cardinality>
+<cardinality>7237</cardinality>
 <columnsizes>
 <e>
 <k>id</k>
-<v>14061</v>
+<v>7237</v>
 </e>
 <e>
 <k>underlying</k>
-<v>38</v>
+<v>20</v>
 </e>
 </columnsizes>
 <dependencies>
@@ -42813,7 +44954,7 @@
 <b>
 <a>1</a>
 <b>2</b>
-<v>14061</v>
+<v>7237</v>
 </b>
 </bs>
 </hist>
@@ -42829,42 +44970,42 @@
 <b>
 <a>5</a>
 <b>6</b>
-<v>4</v>
+<v>2</v>
 </b>
 <b>
 <a>6</a>
 <b>7</b>
-<v>4</v>
+<v>2</v>
 </b>
 <b>
 <a>25</a>
 <b>26</b>
-<v>4</v>
+<v>2</v>
 </b>
 <b>
 <a>31</a>
 <b>32</b>
-<v>4</v>
+<v>2</v>
 </b>
 <b>
 <a>41</a>
 <b>42</b>
-<v>4</v>
+<v>2</v>
 </b>
 <b>
 <a>173</a>
 <b>174</b>
-<v>4</v>
+<v>2</v>
 </b>
 <b>
 <a>291</a>
 <b>292</b>
-<v>4</v>
+<v>2</v>
 </b>
 <b>
 <a>2315</a>
 <b>2316</b>
-<v>4</v>
+<v>2</v>
 </b>
 </bs>
 </hist>
@@ -42874,19 +45015,19 @@
 </relation>
 <relation>
 <name>cil_type_parameter</name>
-<cardinality>184753</cardinality>
+<cardinality>95089</cardinality>
 <columnsizes>
 <e>
 <k>unbound</k>
-<v>103856</v>
+<v>53453</v>
 </e>
 <e>
 <k>index</k>
-<v>102</v>
+<v>52</v>
 </e>
 <e>
 <k>param</k>
-<v>184753</v>
+<v>95089</v>
 </e>
 </columnsizes>
 <dependencies>
@@ -42900,22 +45041,22 @@
 <b>
 <a>1</a>
 <b>2</b>
-<v>74944</v>
+<v>38572</v>
 </b>
 <b>
 <a>2</a>
 <b>3</b>
-<v>18990</v>
+<v>9774</v>
 </b>
 <b>
 <a>3</a>
 <b>13</b>
-<v>8153</v>
+<v>4196</v>
 </b>
 <b>
 <a>13</a>
 <b>22</b>
-<v>1768</v>
+<v>909</v>
 </b>
 </bs>
 </hist>
@@ -42931,22 +45072,22 @@
 <b>
 <a>1</a>
 <b>2</b>
-<v>74944</v>
+<v>38572</v>
 </b>
 <b>
 <a>2</a>
 <b>3</b>
-<v>18990</v>
+<v>9774</v>
 </b>
 <b>
 <a>3</a>
 <b>13</b>
-<v>8153</v>
+<v>4196</v>
 </b>
 <b>
 <a>13</a>
 <b>22</b>
-<v>1768</v>
+<v>909</v>
 </b>
 </bs>
 </hist>
@@ -42962,107 +45103,107 @@
 <b>
 <a>8</a>
 <b>9</b>
-<v>4</v>
+<v>2</v>
 </b>
 <b>
 <a>14</a>
 <b>15</b>
-<v>4</v>
+<v>2</v>
 </b>
 <b>
 <a>21</a>
 <b>22</b>
-<v>4</v>
+<v>2</v>
 </b>
 <b>
 <a>27</a>
 <b>28</b>
-<v>4</v>
+<v>2</v>
 </b>
 <b>
 <a>65</a>
 <b>66</b>
-<v>4</v>
+<v>2</v>
 </b>
 <b>
 <a>132</a>
 <b>133</b>
-<v>4</v>
+<v>2</v>
 </b>
 <b>
 <a>207</a>
 <b>208</b>
-<v>4</v>
+<v>2</v>
 </b>
 <b>
 <a>285</a>
 <b>286</b>
-<v>4</v>
+<v>2</v>
 </b>
 <b>
 <a>363</a>
 <b>364</b>
-<v>4</v>
+<v>2</v>
 </b>
 <b>
 <a>441</a>
 <b>442</b>
-<v>4</v>
+<v>2</v>
 </b>
 <b>
 <a>519</a>
 <b>520</b>
-<v>4</v>
+<v>2</v>
 </b>
 <b>
 <a>598</a>
 <b>599</b>
-<v>4</v>
+<v>2</v>
 </b>
 <b>
 <a>680</a>
 <b>681</b>
-<v>4</v>
+<v>2</v>
 </b>
 <b>
 <a>791</a>
 <b>792</b>
-<v>4</v>
+<v>2</v>
 </b>
 <b>
 <a>891</a>
 <b>892</b>
-<v>4</v>
+<v>2</v>
 </b>
 <b>
 <a>1012</a>
 <b>1013</b>
-<v>4</v>
+<v>2</v>
 </b>
 <b>
 <a>1173</a>
 <b>1174</b>
-<v>4</v>
+<v>2</v>
 </b>
 <b>
 <a>1409</a>
 <b>1410</b>
-<v>4</v>
+<v>2</v>
 </b>
 <b>
 <a>2037</a>
 <b>2038</b>
-<v>4</v>
+<v>2</v>
 </b>
 <b>
 <a>5936</a>
 <b>5937</b>
-<v>4</v>
+<v>2</v>
 </b>
 <b>
 <a>21323</a>
 <b>21324</b>
-<v>4</v>
+<v>2</v>
 </b>
 </bs>
 </hist>
@@ -43078,107 +45219,107 @@
 <b>
 <a>8</a>
 <b>9</b>
-<v>4</v>
+<v>2</v>
 </b>
 <b>
 <a>14</a>
 <b>15</b>
-<v>4</v>
+<v>2</v>
 </b>
 <b>
 <a>21</a>
 <b>22</b>
-<v>4</v>
+<v>2</v>
 </b>
 <b>
 <a>27</a>
 <b>28</b>
-<v>4</v>
+<v>2</v>
 </b>
 <b>
 <a>65</a>
 <b>66</b>
-<v>4</v>
+<v>2</v>
 </b>
 <b>
 <a>132</a>
 <b>133</b>
-<v>4</v>
+<v>2</v>
 </b>
 <b>
 <a>207</a>
 <b>208</b>
-<v>4</v>
+<v>2</v>
 </b>
 <b>
 <a>285</a>
 <b>286</b>
-<v>4</v>
+<v>2</v>
 </b>
 <b>
 <a>363</a>
 <b>364</b>
-<v>4</v>
+<v>2</v>
 </b>
 <b>
 <a>441</a>
 <b>442</b>
-<v>4</v>
+<v>2</v>
 </b>
 <b>
 <a>519</a>
 <b>520</b>
-<v>4</v>
+<v>2</v>
 </b>
 <b>
 <a>598</a>
 <b>599</b>
-<v>4</v>
+<v>2</v>
 </b>
 <b>
 <a>680</a>
 <b>681</b>
-<v>4</v>
+<v>2</v>
 </b>
 <b>
 <a>791</a>
 <b>792</b>
-<v>4</v>
+<v>2</v>
 </b>
 <b>
 <a>891</a>
 <b>892</b>
-<v>4</v>
+<v>2</v>
 </b>
 <b>
 <a>1012</a>
 <b>1013</b>
-<v>4</v>
+<v>2</v>
 </b>
 <b>
 <a>1173</a>
 <b>1174</b>
-<v>4</v>
+<v>2</v>
 </b>
 <b>
 <a>1409</a>
 <b>1410</b>
-<v>4</v>
+<v>2</v>
 </b>
 <b>
 <a>2037</a>
 <b>2038</b>
-<v>4</v>
+<v>2</v>
 </b>
 <b>
 <a>5936</a>
 <b>5937</b>
-<v>4</v>
+<v>2</v>
 </b>
 <b>
 <a>21323</a>
 <b>21324</b>
-<v>4</v>
+<v>2</v>
 </b>
 </bs>
 </hist>
@@ -43194,7 +45335,7 @@
 <b>
 <a>1</a>
 <b>2</b>
-<v>184753</v>
+<v>95089</v>
 </b>
 </bs>
 </hist>
@@ -43210,7 +45351,7 @@
 <b>
 <a>1</a>
 <b>2</b>
-<v>184753</v>
+<v>95089</v>
 </b>
 </bs>
 </hist>
@@ -43220,19 +45361,19 @@
 </relation>
 <relation>
 <name>cil_type_argument</name>
-<cardinality>736976</cardinality>
+<cardinality>379309</cardinality>
 <columnsizes>
 <e>
 <k>bound</k>
-<v>481263</v>
+<v>247697</v>
 </e>
 <e>
 <k>index</k>
-<v>102</v>
+<v>52</v>
 </e>
 <e>
 <k>t</k>
-<v>252158</v>
+<v>129781</v>
 </e>
 </columnsizes>
 <dependencies>
@@ -43246,17 +45387,17 @@
 <b>
 <a>1</a>
 <b>2</b>
-<v>336123</v>
+<v>172996</v>
 </b>
 <b>
 <a>2</a>
 <b>3</b>
-<v>117338</v>
+<v>60392</v>
 </b>
 <b>
 <a>3</a>
 <b>22</b>
-<v>27801</v>
+<v>14309</v>
 </b>
 </bs>
 </hist>
@@ -43272,17 +45413,17 @@
 <b>
 <a>1</a>
 <b>2</b>
-<v>341027</v>
+<v>175521</v>
 </b>
 <b>
 <a>2</a>
 <b>3</b>
-<v>115224</v>
+<v>59304</v>
 </b>
 <b>
 <a>3</a>
 <b>22</b>
-<v>25010</v>
+<v>12872</v>
 </b>
 </bs>
 </hist>
@@ -43298,97 +45439,97 @@
 <b>
 <a>3</a>
 <b>4</b>
-<v>9</v>
+<v>5</v>
 </b>
 <b>
 <a>4</a>
 <b>5</b>
-<v>9</v>
+<v>5</v>
 </b>
 <b>
 <a>84</a>
 <b>85</b>
-<v>4</v>
+<v>2</v>
 </b>
 <b>
 <a>205</a>
 <b>206</b>
-<v>4</v>
+<v>2</v>
 </b>
 <b>
 <a>343</a>
 <b>344</b>
-<v>4</v>
+<v>2</v>
 </b>
 <b>
 <a>482</a>
 <b>483</b>
-<v>4</v>
+<v>2</v>
 </b>
 <b>
 <a>621</a>
 <b>622</b>
-<v>4</v>
+<v>2</v>
 </b>
 <b>
 <a>760</a>
 <b>761</b>
-<v>4</v>
+<v>2</v>
 </b>
 <b>
 <a>899</a>
 <b>900</b>
-<v>4</v>
+<v>2</v>
 </b>
 <b>
 <a>1044</a>
 <b>1045</b>
-<v>4</v>
+<v>2</v>
 </b>
 <b>
 <a>1189</a>
 <b>1190</b>
-<v>4</v>
+<v>2</v>
 </b>
 <b>
 <a>1601</a>
 <b>1602</b>
-<v>4</v>
+<v>2</v>
 </b>
 <b>
 <a>1810</a>
 <b>1811</b>
-<v>4</v>
+<v>2</v>
 </b>
 <b>
 <a>2091</a>
 <b>2092</b>
-<v>4</v>
+<v>2</v>
 </b>
 <b>
 <a>2513</a>
 <b>2514</b>
-<v>4</v>
+<v>2</v>
 </b>
 <b>
 <a>3338</a>
 <b>3339</b>
-<v>4</v>
+<v>2</v>
 </b>
 <b>
 <a>5708</a>
 <b>5709</b>
-<v>4</v>
+<v>2</v>
 </b>
 <b>
 <a>29799</a>
 <b>29800</b>
-<v>4</v>
+<v>2</v>
 </b>
 <b>
 <a>98809</a>
 <b>98810</b>
-<v>4</v>
+<v>2</v>
 </b>
 </bs>
 </hist>
@@ -43404,97 +45545,97 @@
 <b>
 <a>3</a>
 <b>4</b>
-<v>14</v>
+<v>7</v>
 </b>
 <b>
 <a>4</a>
 <b>5</b>
-<v>4</v>
+<v>2</v>
 </b>
 <b>
 <a>49</a>
 <b>50</b>
-<v>4</v>
+<v>2</v>
 </b>
 <b>
 <a>116</a>
 <b>117</b>
-<v>4</v>
+<v>2</v>
 </b>
 <b>
 <a>185</a>
 <b>186</b>
-<v>4</v>
+<v>2</v>
 </b>
 <b>
 <a>254</a>
 <b>255</b>
-<v>4</v>
+<v>2</v>
 </b>
 <b>
 <a>322</a>
 <b>323</b>
-<v>4</v>
+<v>2</v>
 </b>
 <b>
 <a>390</a>
 <b>391</b>
-<v>4</v>
+<v>2</v>
 </b>
 <b>
 <a>457</a>
 <b>458</b>
-<v>4</v>
+<v>2</v>
 </b>
 <b>
 <a>531</a>
 <b>532</b>
-<v>4</v>
+<v>2</v>
 </b>
 <b>
 <a>602</a>
 <b>603</b>
-<v>4</v>
+<v>2</v>
 </b>
 <b>
 <a>925</a>
 <b>926</b>
-<v>4</v>
+<v>2</v>
 </b>
 <b>
 <a>927</a>
 <b>928</b>
-<v>4</v>
+<v>2</v>
 </b>
 <b>
 <a>1083</a>
 <b>1084</b>
-<v>4</v>
+<v>2</v>
 </b>
 <b>
 <a>1307</a>
 <b>1308</b>
-<v>4</v>
+<v>2</v>
 </b>
 <b>
 <a>1645</a>
 <b>1646</b>
-<v>4</v>
+<v>2</v>
 </b>
 <b>
 <a>2968</a>
 <b>2969</b>
-<v>4</v>
+<v>2</v>
 </b>
 <b>
 <a>14488</a>
 <b>14489</b>
-<v>4</v>
+<v>2</v>
 </b>
 <b>
 <a>39680</a>
 <b>39681</b>
-<v>4</v>
+<v>2</v>
 </b>
 </bs>
 </hist>
@@ -43510,27 +45651,27 @@
 <b>
 <a>1</a>
 <b>2</b>
-<v>100301</v>
+<v>51623</v>
 </b>
 <b>
 <a>2</a>
 <b>3</b>
-<v>72738</v>
+<v>37437</v>
 </b>
 <b>
 <a>3</a>
 <b>4</b>
-<v>42481</v>
+<v>21864</v>
 </b>
 <b>
 <a>4</a>
 <b>6</b>
-<v>20101</v>
+<v>10345</v>
 </b>
 <b>
 <a>6</a>
 <b>4208</b>
-<v>16535</v>
+<v>8510</v>
 </b>
 </bs>
 </hist>
@@ -43546,17 +45687,17 @@
 <b>
 <a>1</a>
 <b>2</b>
-<v>190773</v>
+<v>98187</v>
 </b>
 <b>
 <a>2</a>
 <b>3</b>
-<v>55476</v>
+<v>28552</v>
 </b>
 <b>
 <a>3</a>
 <b>20</b>
-<v>5908</v>
+<v>3040</v>
 </b>
 </bs>
 </hist>
@@ -43657,19 +45798,19 @@
 </relation>
 <relation>
 <name>cil_attribute</name>
-<cardinality>328261</cardinality>
+<cardinality>168950</cardinality>
 <columnsizes>
 <e>
 <k>attributeid</k>
-<v>328261</v>
+<v>168950</v>
 </e>
 <e>
 <k>element</k>
-<v>248568</v>
+<v>127933</v>
 </e>
 <e>
 <k>constructor</k>
-<v>3375</v>
+<v>1737</v>
 </e>
 </columnsizes>
 <dependencies>
@@ -43683,7 +45824,7 @@
 <b>
 <a>1</a>
 <b>2</b>
-<v>328261</v>
+<v>168950</v>
 </b>
 </bs>
 </hist>
@@ -43699,7 +45840,7 @@
 <b>
 <a>1</a>
 <b>2</b>
-<v>328261</v>
+<v>168950</v>
 </b>
 </bs>
 </hist>
@@ -43715,17 +45856,17 @@
 <b>
 <a>1</a>
 <b>2</b>
-<v>197324</v>
+<v>101559</v>
 </b>
 <b>
 <a>2</a>
 <b>3</b>
-<v>36690</v>
+<v>18883</v>
 </b>
 <b>
 <a>3</a>
 <b>92</b>
-<v>14553</v>
+<v>7490</v>
 </b>
 </bs>
 </hist>
@@ -43741,17 +45882,17 @@
 <b>
 <a>1</a>
 <b>2</b>
-<v>213178</v>
+<v>109719</v>
 </b>
 <b>
 <a>2</a>
 <b>3</b>
-<v>30991</v>
+<v>15950</v>
 </b>
 <b>
 <a>3</a>
 <b>7</b>
-<v>4398</v>
+<v>2263</v>
 </b>
 </bs>
 </hist>
@@ -43767,57 +45908,57 @@
 <b>
 <a>1</a>
 <b>2</b>
-<v>555</v>
+<v>285</v>
 </b>
 <b>
 <a>2</a>
 <b>3</b>
-<v>399</v>
+<v>205</v>
 </b>
 <b>
 <a>3</a>
 <b>4</b>
-<v>287</v>
+<v>147</v>
 </b>
 <b>
 <a>4</a>
 <b>5</b>
-<v>316</v>
+<v>162</v>
 </b>
 <b>
 <a>5</a>
 <b>8</b>
-<v>306</v>
+<v>157</v>
 </b>
 <b>
 <a>8</a>
 <b>11</b>
-<v>263</v>
+<v>135</v>
 </b>
 <b>
 <a>11</a>
 <b>19</b>
-<v>267</v>
+<v>137</v>
 </b>
 <b>
 <a>19</a>
 <b>33</b>
-<v>258</v>
+<v>132</v>
 </b>
 <b>
 <a>33</a>
 <b>64</b>
-<v>253</v>
+<v>130</v>
 </b>
 <b>
 <a>64</a>
 <b>179</b>
-<v>253</v>
+<v>130</v>
 </b>
 <b>
 <a>187</a>
 <b>15289</b>
-<v>214</v>
+<v>110</v>
 </b>
 </bs>
 </hist>
@@ -43833,57 +45974,57 @@
 <b>
 <a>1</a>
 <b>2</b>
-<v>599</v>
+<v>308</v>
 </b>
 <b>
 <a>2</a>
 <b>3</b>
-<v>384</v>
+<v>198</v>
 </b>
 <b>
 <a>3</a>
 <b>4</b>
-<v>282</v>
+<v>145</v>
 </b>
 <b>
 <a>4</a>
 <b>5</b>
-<v>316</v>
+<v>162</v>
 </b>
 <b>
 <a>5</a>
 <b>7</b>
-<v>243</v>
+<v>125</v>
 </b>
 <b>
 <a>7</a>
 <b>10</b>
-<v>282</v>
+<v>145</v>
 </b>
 <b>
 <a>10</a>
 <b>17</b>
-<v>253</v>
+<v>130</v>
 </b>
 <b>
 <a>17</a>
 <b>31</b>
-<v>263</v>
+<v>135</v>
 </b>
 <b>
 <a>31</a>
 <b>50</b>
-<v>258</v>
+<v>132</v>
 </b>
 <b>
 <a>50</a>
 <b>151</b>
-<v>253</v>
+<v>130</v>
 </b>
 <b>
 <a>152</a>
 <b>15028</b>
-<v>238</v>
+<v>122</v>
 </b>
 </bs>
 </hist>
@@ -43893,19 +46034,19 @@
 </relation>
 <relation>
 <name>cil_attribute_named_argument</name>
-<cardinality>10939</cardinality>
+<cardinality>7973</cardinality>
 <columnsizes>
 <e>
 <k>attribute_id</k>
-<v>7978</v>
+<v>4938</v>
 </e>
 <e>
 <k>param</k>
-<v>155</v>
+<v>25</v>
 </e>
 <e>
 <k>value</k>
-<v>1095</v>
+<v>128</v>
 </e>
 </columnsizes>
 <dependencies>
@@ -43919,17 +46060,17 @@
 <b>
 <a>1</a>
 <b>2</b>
-<v>5089</v>
+<v>1911</v>
 </b>
 <b>
 <a>2</a>
 <b>3</b>
-<v>2815</v>
+<v>3020</v>
 </b>
 <b>
 <a>3</a>
 <b>4</b>
-<v>73</v>
+<v>7</v>
 </b>
 </bs>
 </hist>
@@ -43945,17 +46086,17 @@
 <b>
 <a>1</a>
 <b>2</b>
-<v>6560</v>
+<v>3839</v>
 </b>
 <b>
 <a>2</a>
 <b>3</b>
-<v>1402</v>
+<v>1095</v>
 </b>
 <b>
 <a>3</a>
 <b>4</b>
-<v>14</v>
+<v>4</v>
 </b>
 </bs>
 </hist>
@@ -43971,67 +46112,62 @@
 <b>
 <a>1</a>
 <b>2</b>
-<v>34</v>
+<v>3</v>
 </b>
 <b>
 <a>2</a>
-<b>4</b>
-<v>9</v>
-</b>
-<b>
-<a>4</a>
-<b>5</b>
-<v>9</v>
+<b>3</b>
+<v>2</v>
 </b>
 <b>
 <a>5</a>
-<b>6</b>
-<v>14</v>
+<b>7</b>
+<v>2</v>
 </b>
 <b>
 <a>7</a>
-<b>8</b>
-<v>4</v>
-</b>
-<b>
-<a>8</a>
 <b>9</b>
-<v>14</v>
+<v>2</v>
 </b>
 <b>
-<a>9</a>
-<b>11</b>
-<v>9</v>
+<a>11</a>
+<b>14</b>
+<v>2</v>
 </b>
 <b>
 <a>14</a>
-<b>30</b>
-<v>9</v>
+<b>19</b>
+<v>2</v>
 </b>
 <b>
-<a>32</a>
-<b>43</b>
-<v>9</v>
+<a>19</a>
+<b>20</b>
+<v>1</v>
 </b>
 <b>
-<a>46</a>
-<b>47</b>
-<v>9</v>
+<a>22</a>
+<b>23</b>
+<v>2</v>
 </b>
 <b>
-<a>47</a>
-<b>48</b>
-<v>9</v>
+<a>26</a>
+<b>39</b>
+<v>2</v>
 </b>
 <b>
-<a>96</a>
-<b>308</b>
-<v>9</v>
+<a>55</a>
+<b>61</b>
+<v>2</v>
 </b>
 <b>
-<a>725</a>
-<b>731</b>
-<v>9</v>
+<a>347</a>
+<b>348</b>
+<v>2</v>
+</b>
+<b>
+<a>2859</a>
+<b>3660</b>
+<v>2</v>
 </b>
 </bs>
 </hist>
@@ -44047,37 +46183,42 @@
 <b>
 <a>1</a>
 <b>2</b>
-<v>77</v>
+<v>8</v>
 </b>
 <b>
 <a>2</a>
 <b>3</b>
-<v>19</v>
+<v>5</v>
 </b>
 <b>
 <a>3</a>
 <b>4</b>
-<v>19</v>
+<v>2</v>
 </b>
 <b>
 <a>4</a>
-<b>8</b>
-<v>9</v>
+<b>6</b>
+<v>2</v>
 </b>
 <b>
-<a>10</a>
-<b>14</b>
-<v>9</v>
+<a>6</a>
+<b>7</b>
+<v>1</v>
+</b>
+<b>
+<a>7</a>
+<b>8</b>
+<v>2</v>
+</b>
+<b>
+<a>9</a>
+<b>11</b>
+<v>2</v>
 </b>
 <b>
 <a>26</a>
-<b>45</b>
-<v>9</v>
-</b>
-<b>
-<a>47</a>
-<b>56</b>
-<v>9</v>
+<b>39</b>
+<v>2</v>
 </b>
 </bs>
 </hist>
@@ -44093,22 +46234,32 @@
 <b>
 <a>1</a>
 <b>2</b>
-<v>720</v>
+<v>71</v>
 </b>
 <b>
 <a>2</a>
 <b>3</b>
-<v>238</v>
+<v>25</v>
 </b>
 <b>
 <a>3</a>
-<b>5</b>
-<v>82</v>
+<b>4</b>
+<v>6</v>
 </b>
 <b>
-<a>5</a>
-<b>866</b>
-<v>53</v>
+<a>4</a>
+<b>7</b>
+<v>11</v>
+</b>
+<b>
+<a>8</a>
+<b>301</b>
+<v>10</v>
+</b>
+<b>
+<a>347</a>
+<b>3871</b>
+<v>3</v>
 </b>
 </bs>
 </hist>
@@ -44124,12 +46275,12 @@
 <b>
 <a>1</a>
 <b>2</b>
-<v>1066</v>
+<v>120</v>
 </b>
 <b>
 <a>2</a>
-<b>10</b>
-<v>29</v>
+<b>7</b>
+<v>8</v>
 </b>
 </bs>
 </hist>
@@ -44139,19 +46290,19 @@
 </relation>
 <relation>
 <name>cil_attribute_positional_argument</name>
-<cardinality>103140</cardinality>
+<cardinality>58735</cardinality>
 <columnsizes>
 <e>
 <k>attribute_id</k>
-<v>97018</v>
+<v>57269</v>
 </e>
 <e>
 <k>index</k>
-<v>29</v>
+<v>5</v>
 </e>
 <e>
 <k>value</k>
-<v>17261</v>
+<v>4430</v>
 </e>
 </columnsizes>
 <dependencies>
@@ -44165,12 +46316,12 @@
 <b>
 <a>1</a>
 <b>2</b>
-<v>92337</v>
+<v>55901</v>
 </b>
 <b>
 <a>2</a>
-<b>7</b>
-<v>4680</v>
+<b>6</b>
+<v>1368</v>
 </b>
 </bs>
 </hist>
@@ -44186,12 +46337,12 @@
 <b>
 <a>1</a>
 <b>2</b>
-<v>92347</v>
+<v>55905</v>
 </b>
 <b>
 <a>2</a>
-<b>7</b>
-<v>4670</v>
+<b>5</b>
+<v>1364</v>
 </b>
 </bs>
 </hist>
@@ -44205,34 +46356,29 @@
 <budget>12</budget>
 <bs>
 <b>
-<a>14</a>
-<b>15</b>
-<v>4</v>
+<a>20</a>
+<b>21</b>
+<v>1</v>
 </b>
 <b>
-<a>24</a>
-<b>25</b>
-<v>4</v>
+<a>21</a>
+<b>22</b>
+<v>1</v>
 </b>
 <b>
-<a>117</a>
-<b>118</b>
-<v>4</v>
+<a>57</a>
+<b>58</b>
+<v>1</v>
 </b>
 <b>
-<a>141</a>
-<b>142</b>
-<v>4</v>
+<a>1368</a>
+<b>1369</b>
+<v>1</v>
 </b>
 <b>
-<a>961</a>
-<b>962</b>
-<v>4</v>
-</b>
-<b>
-<a>19919</a>
-<b>19920</b>
-<v>4</v>
+<a>57269</a>
+<b>57270</b>
+<v>1</v>
 </b>
 </bs>
 </hist>
@@ -44246,29 +46392,24 @@
 <budget>12</budget>
 <bs>
 <b>
-<a>4</a>
-<b>5</b>
-<v>4</v>
+<a>3</a>
+<b>4</b>
+<v>2</v>
 </b>
 <b>
 <a>5</a>
 <b>6</b>
-<v>9</v>
+<v>1</v>
 </b>
 <b>
-<a>25</a>
-<b>26</b>
-<v>4</v>
+<a>110</a>
+<b>111</b>
+<v>1</v>
 </b>
 <b>
-<a>433</a>
-<b>434</b>
-<v>4</v>
-</b>
-<b>
-<a>3150</a>
-<b>3151</b>
-<v>4</v>
+<a>4331</a>
+<b>4332</b>
+<v>1</v>
 </b>
 </bs>
 </hist>
@@ -44284,22 +46425,27 @@
 <b>
 <a>1</a>
 <b>2</b>
-<v>12298</v>
+<v>2894</v>
 </b>
 <b>
 <a>2</a>
 <b>3</b>
-<v>2527</v>
+<v>723</v>
 </b>
 <b>
 <a>3</a>
-<b>6</b>
-<v>1446</v>
+<b>4</b>
+<v>215</v>
 </b>
 <b>
-<a>6</a>
-<b>5556</b>
-<v>988</v>
+<a>4</a>
+<b>9</b>
+<v>382</v>
+</b>
+<b>
+<a>9</a>
+<b>17524</b>
+<v>216</v>
 </b>
 </bs>
 </hist>
@@ -44315,12 +46461,12 @@
 <b>
 <a>1</a>
 <b>2</b>
-<v>16935</v>
+<v>4414</v>
 </b>
 <b>
 <a>2</a>
 <b>6</b>
-<v>326</v>
+<v>16</v>
 </b>
 </bs>
 </hist>
@@ -44330,19 +46476,19 @@
 </relation>
 <relation>
 <name>metadata_handle</name>
-<cardinality>6175093</cardinality>
+<cardinality>3178070</cardinality>
 <columnsizes>
 <e>
 <k>entity</k>
-<v>5685301</v>
+<v>2925983</v>
 </e>
 <e>
 <k>location</k>
-<v>3414</v>
+<v>1757</v>
 </e>
 <e>
 <k>handle</k>
-<v>274022</v>
+<v>141034</v>
 </e>
 </columnsizes>
 <dependencies>
@@ -44356,17 +46502,17 @@
 <b>
 <a>1</a>
 <b>2</b>
-<v>5213687</v>
+<v>2683251</v>
 </b>
 <b>
 <a>2</a>
 <b>3</b>
-<v>462599</v>
+<v>238091</v>
 </b>
 <b>
 <a>3</a>
 <b>638</b>
-<v>9015</v>
+<v>4640</v>
 </b>
 </bs>
 </hist>
@@ -44382,12 +46528,12 @@
 <b>
 <a>1</a>
 <b>2</b>
-<v>5445549</v>
+<v>2802586</v>
 </b>
 <b>
 <a>2</a>
 <b>59</b>
-<v>239752</v>
+<v>123396</v>
 </b>
 </bs>
 </hist>
@@ -44403,72 +46549,72 @@
 <b>
 <a>1</a>
 <b>3</b>
-<v>287</v>
+<v>147</v>
 </b>
 <b>
 <a>3</a>
 <b>36</b>
-<v>258</v>
+<v>132</v>
 </b>
 <b>
 <a>36</a>
 <b>79</b>
-<v>267</v>
+<v>137</v>
 </b>
 <b>
 <a>79</a>
 <b>130</b>
-<v>258</v>
+<v>132</v>
 </b>
 <b>
 <a>130</a>
 <b>200</b>
-<v>258</v>
+<v>132</v>
 </b>
 <b>
 <a>200</a>
 <b>288</b>
-<v>258</v>
+<v>132</v>
 </b>
 <b>
 <a>288</a>
 <b>400</b>
-<v>258</v>
+<v>132</v>
 </b>
 <b>
 <a>403</a>
 <b>527</b>
-<v>258</v>
+<v>132</v>
 </b>
 <b>
 <a>528</a>
 <b>744</b>
-<v>258</v>
+<v>132</v>
 </b>
 <b>
 <a>747</a>
 <b>1109</b>
-<v>263</v>
+<v>135</v>
 </b>
 <b>
 <a>1116</a>
 <b>1915</b>
-<v>258</v>
+<v>132</v>
 </b>
 <b>
 <a>1920</a>
 <b>4051</b>
-<v>258</v>
+<v>132</v>
 </b>
 <b>
 <a>4053</a>
 <b>50922</b>
-<v>258</v>
+<v>132</v>
 </b>
 <b>
 <a>67370</a>
 <b>92454</b>
-<v>14</v>
+<v>7</v>
 </b>
 </bs>
 </hist>
@@ -44484,67 +46630,67 @@
 <b>
 <a>1</a>
 <b>2</b>
-<v>287</v>
+<v>147</v>
 </b>
 <b>
 <a>3</a>
 <b>20</b>
-<v>282</v>
+<v>145</v>
 </b>
 <b>
 <a>20</a>
 <b>46</b>
-<v>267</v>
+<v>137</v>
 </b>
 <b>
 <a>46</a>
 <b>76</b>
-<v>263</v>
+<v>135</v>
 </b>
 <b>
 <a>77</a>
 <b>119</b>
-<v>258</v>
+<v>132</v>
 </b>
 <b>
 <a>119</a>
 <b>176</b>
-<v>258</v>
+<v>132</v>
 </b>
 <b>
 <a>176</a>
 <b>253</b>
-<v>258</v>
+<v>132</v>
 </b>
 <b>
 <a>255</a>
 <b>332</b>
-<v>263</v>
+<v>135</v>
 </b>
 <b>
 <a>338</a>
 <b>481</b>
-<v>258</v>
+<v>132</v>
 </b>
 <b>
 <a>483</a>
 <b>683</b>
-<v>258</v>
+<v>132</v>
 </b>
 <b>
 <a>685</a>
 <b>1273</b>
-<v>258</v>
+<v>132</v>
 </b>
 <b>
 <a>1295</a>
 <b>2685</b>
-<v>258</v>
+<v>132</v>
 </b>
 <b>
 <a>2710</a>
 <b>55264</b>
-<v>243</v>
+<v>125</v>
 </b>
 </bs>
 </hist>
@@ -44560,62 +46706,62 @@
 <b>
 <a>1</a>
 <b>2</b>
-<v>18927</v>
+<v>9741</v>
 </b>
 <b>
 <a>2</a>
 <b>3</b>
-<v>45004</v>
+<v>23163</v>
 </b>
 <b>
 <a>3</a>
 <b>5</b>
-<v>23905</v>
+<v>12303</v>
 </b>
 <b>
 <a>5</a>
 <b>6</b>
-<v>17505</v>
+<v>9009</v>
 </b>
 <b>
 <a>6</a>
 <b>7</b>
-<v>30124</v>
+<v>15504</v>
 </b>
 <b>
 <a>7</a>
 <b>9</b>
-<v>18966</v>
+<v>9761</v>
 </b>
 <b>
 <a>9</a>
 <b>11</b>
-<v>22078</v>
+<v>11363</v>
 </b>
 <b>
 <a>11</a>
 <b>13</b>
-<v>21026</v>
+<v>10822</v>
 </b>
 <b>
 <a>13</a>
 <b>21</b>
-<v>21455</v>
+<v>11042</v>
 </b>
 <b>
 <a>21</a>
 <b>39</b>
-<v>21119</v>
+<v>10869</v>
 </b>
 <b>
 <a>39</a>
 <b>83</b>
-<v>20563</v>
+<v>10583</v>
 </b>
 <b>
 <a>83</a>
-<b>1062</b>
-<v>13345</v>
+<b>1061</b>
+<v>6868</v>
 </b>
 </bs>
 </hist>
@@ -44631,52 +46777,52 @@
 <b>
 <a>1</a>
 <b>2</b>
-<v>62879</v>
+<v>32363</v>
 </b>
 <b>
 <a>2</a>
 <b>3</b>
-<v>21085</v>
+<v>10852</v>
 </b>
 <b>
 <a>3</a>
 <b>4</b>
-<v>46967</v>
+<v>24173</v>
 </b>
 <b>
 <a>4</a>
 <b>5</b>
-<v>18927</v>
+<v>9741</v>
 </b>
 <b>
 <a>5</a>
 <b>6</b>
-<v>19390</v>
+<v>9979</v>
 </b>
 <b>
 <a>6</a>
 <b>7</b>
-<v>22054</v>
+<v>11350</v>
 </b>
 <b>
 <a>7</a>
 <b>11</b>
-<v>23281</v>
+<v>11982</v>
 </b>
 <b>
 <a>11</a>
 <b>19</b>
-<v>21986</v>
+<v>11315</v>
 </b>
 <b>
 <a>19</a>
 <b>41</b>
-<v>20846</v>
+<v>10729</v>
 </b>
 <b>
 <a>41</a>
 <b>702</b>
-<v>16604</v>
+<v>8545</v>
 </b>
 </bs>
 </hist>

From 7068a265a69e287d474ad5b661f2ea114e7b0514 Mon Sep 17 00:00:00 2001
From: Tamas Vajk <tamasvajk@github.com>
Date: Wed, 3 Feb 2021 11:01:16 +0100
Subject: [PATCH 137/429] Fix XML comment processing

---
 csharp/extractor/Semmle.Extraction.CSharp/Analyser.cs         | 2 +-
 .../Semmle.Extraction.CSharp/Populators/CommentPopulator.cs   | 4 ----
 2 files changed, 1 insertion(+), 5 deletions(-)

diff --git a/csharp/extractor/Semmle.Extraction.CSharp/Analyser.cs b/csharp/extractor/Semmle.Extraction.CSharp/Analyser.cs
index 75db5c0e951..f9e0d7c3806 100644
--- a/csharp/extractor/Semmle.Extraction.CSharp/Analyser.cs
+++ b/csharp/extractor/Semmle.Extraction.CSharp/Analyser.cs
@@ -393,7 +393,7 @@ namespace Semmle.Extraction.CSharp
             }
             catch (Exception ex)  // lgtm[cs/catch-of-all-exceptions]
             {
-                extractor.Message(new Message("Unhandled exception processing syntax tree", tree.FilePath, null, ex.StackTrace));
+                extractor.Message(new Message($"Unhandled exception processing syntax tree. {ex.Message}", tree.FilePath, null, ex.StackTrace));
             }
         }
 
diff --git a/csharp/extractor/Semmle.Extraction.CSharp/Populators/CommentPopulator.cs b/csharp/extractor/Semmle.Extraction.CSharp/Populators/CommentPopulator.cs
index 0574a11db5f..325746274ff 100644
--- a/csharp/extractor/Semmle.Extraction.CSharp/Populators/CommentPopulator.cs
+++ b/csharp/extractor/Semmle.Extraction.CSharp/Populators/CommentPopulator.cs
@@ -117,10 +117,6 @@ namespace Semmle.Extraction.CSharp.Populators
                         currentLocation = nextLineLocation;
                     }
                     break;
-                // Strangely, these are reported as SingleLineCommentTrivia.
-                case SyntaxKind.DocumentationCommentExteriorTrivia:
-                    cx.ModelError($"Unhandled comment type {trivia.Kind()} for {trivia}");
-                    break;
             }
         }
     }

From 88d1539d43e0e707e3e1a92abadbb06e46b0f1a1 Mon Sep 17 00:00:00 2001
From: Tamas Vajk <tamasvajk@github.com>
Date: Thu, 4 Feb 2021 08:39:43 +0100
Subject: [PATCH 138/429] Fix file read error log message

---
 csharp/extractor/Semmle.Extraction/Entities/File.cs | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)

diff --git a/csharp/extractor/Semmle.Extraction/Entities/File.cs b/csharp/extractor/Semmle.Extraction/Entities/File.cs
index 72d0ea8e986..4c339e49f7b 100644
--- a/csharp/extractor/Semmle.Extraction/Entities/File.cs
+++ b/csharp/extractor/Semmle.Extraction/Entities/File.cs
@@ -62,7 +62,7 @@ namespace Semmle.Extraction.Entities
                 }
                 catch (Exception exc)
                 {
-                    Context.ExtractionError($"Couldn't read file", originalPath, null, exc.StackTrace);
+                    Context.ExtractionError($"Couldn't read file: {originalPath}", null, null, exc.StackTrace);
                 }
             }
 

From 543f5916c4605b37a107aa95c052195793682023 Mon Sep 17 00:00:00 2001
From: Tamas Vajk <tamasvajk@github.com>
Date: Thu, 4 Feb 2021 08:49:19 +0100
Subject: [PATCH 139/429] Fix expected test AST

---
 csharp/ql/test/library-tests/comments/PrintAst.expected | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)

diff --git a/csharp/ql/test/library-tests/comments/PrintAst.expected b/csharp/ql/test/library-tests/comments/PrintAst.expected
index eeb7993eaef..71d16cdf134 100644
--- a/csharp/ql/test/library-tests/comments/PrintAst.expected
+++ b/csharp/ql/test/library-tests/comments/PrintAst.expected
@@ -38,7 +38,7 @@ comments2.cs:
 #   34|           0: [LocalVariableAccess] access to local variable z
 #   34|           1: [IntLiteral] 0
 #   40|   8: [Class] C3
-#   48|   9: [IndexerProperty] S1
+#   48|   9: [Property] S1
 #   48|     -1: [TypeMention] string
 #   52|     3: [Getter] get_S1
 #   52|       4: [BlockStmt] {...}

From 7087904637a30be28fc6ffac17beb85cc20e666c Mon Sep 17 00:00:00 2001
From: Geoffrey White <40627776+geoffw0@users.noreply.github.com>
Date: Wed, 3 Feb 2021 19:37:57 +0000
Subject: [PATCH 140/429] C++: Solution.

---
 cpp/ql/src/semmle/code/cpp/commons/Printf.qll | 7 ++++++-
 1 file changed, 6 insertions(+), 1 deletion(-)

diff --git a/cpp/ql/src/semmle/code/cpp/commons/Printf.qll b/cpp/ql/src/semmle/code/cpp/commons/Printf.qll
index cf230beb8d2..8d9ad5c77e4 100644
--- a/cpp/ql/src/semmle/code/cpp/commons/Printf.qll
+++ b/cpp/ql/src/semmle/code/cpp/commons/Printf.qll
@@ -53,7 +53,12 @@ predicate primitiveVariadicFormatter(
   (
     if type = "" then outputParamIndex = -1 else outputParamIndex = 0 // Conveniently, these buffer parameters are all at index 0.
   ) and
-  not exists(f.getBlock()) // exclude functions with an implementation in the snapshot as they may not be standard implementations.
+  not (
+    // exclude functions with an implementation in the snapshot source
+    // directory, as they may not be standard implementations.
+    exists(f.getBlock()) and
+    exists(f.getFile().getRelativePath())
+  )
 }
 
 private predicate callsVariadicFormatter(

From 47ab9ba81b5aa29016a239b3cddbdef999fcb21e Mon Sep 17 00:00:00 2001
From: Mathias Vorreiter Pedersen <mathiasvp@github.com>
Date: Thu, 4 Feb 2021 11:16:27 +0100
Subject: [PATCH 141/429] C++: emplace and emplace_back takes its arguments by
 universal references, so they should also specify flow as indirections.

---
 .../semmle/code/cpp/models/implementations/StdContainer.qll   | 4 ++--
 cpp/ql/test/library-tests/dataflow/taint-tests/vector.cpp     | 4 ++--
 2 files changed, 4 insertions(+), 4 deletions(-)

diff --git a/cpp/ql/src/semmle/code/cpp/models/implementations/StdContainer.qll b/cpp/ql/src/semmle/code/cpp/models/implementations/StdContainer.qll
index 7a38ede5fc6..e7abde30e8c 100644
--- a/cpp/ql/src/semmle/code/cpp/models/implementations/StdContainer.qll
+++ b/cpp/ql/src/semmle/code/cpp/models/implementations/StdContainer.qll
@@ -193,7 +193,7 @@ class StdVectorEmplace extends TaintFunction {
   override predicate hasTaintFlow(FunctionInput input, FunctionOutput output) {
     // flow from any parameter except the position iterator to qualifier and return value
     // (here we assume taint flow from any constructor parameter to the constructed object)
-    input.isParameter([1 .. getNumberOfParameters() - 1]) and
+    input.isParameterDeref([1 .. getNumberOfParameters() - 1]) and
     (
       output.isQualifierObject() or
       output.isReturnValue()
@@ -210,7 +210,7 @@ class StdVectorEmplaceBack extends TaintFunction {
   override predicate hasTaintFlow(FunctionInput input, FunctionOutput output) {
     // flow from any parameter to qualifier
     // (here we assume taint flow from any constructor parameter to the constructed object)
-    input.isParameter([0 .. getNumberOfParameters() - 1]) and
+    input.isParameterDeref([0 .. getNumberOfParameters() - 1]) and
     output.isQualifierObject()
   }
 }
diff --git a/cpp/ql/test/library-tests/dataflow/taint-tests/vector.cpp b/cpp/ql/test/library-tests/dataflow/taint-tests/vector.cpp
index 7e7fc8176ce..ec354da548c 100644
--- a/cpp/ql/test/library-tests/dataflow/taint-tests/vector.cpp
+++ b/cpp/ql/test/library-tests/dataflow/taint-tests/vector.cpp
@@ -491,8 +491,8 @@ void test_vector_emplace() {
 	std::vector<int> v1(10), v2(10);
 
 	v1.emplace_back(source());
-	sink(v1); // $ ast MISSING: ir
+	sink(v1); // $ ast,ir
 
 	v2.emplace(v2.begin(), source());
-	sink(v2); // $ ast MISSING: ir
+	sink(v2); // $ ast,ir
 }

From 55615586eed1a4162aeff56e2d0b0bb53e64e0c9 Mon Sep 17 00:00:00 2001
From: Mathias Vorreiter Pedersen <mathiasvp@github.com>
Date: Thu, 4 Feb 2021 11:30:44 +0100
Subject: [PATCH 142/429] C++: Address review comments.

---
 cpp/ql/src/semmle/code/cpp/models/implementations/Strset.qll | 3 ---
 1 file changed, 3 deletions(-)

diff --git a/cpp/ql/src/semmle/code/cpp/models/implementations/Strset.qll b/cpp/ql/src/semmle/code/cpp/models/implementations/Strset.qll
index bf6430e548b..f4a80cbabac 100644
--- a/cpp/ql/src/semmle/code/cpp/models/implementations/Strset.qll
+++ b/cpp/ql/src/semmle/code/cpp/models/implementations/Strset.qll
@@ -40,9 +40,6 @@ private class StrsetFunction extends ArrayFunction, DataFlowFunction, AliasFunct
     // flow from the input string to the output string
     input.isParameter(0) and
     output.isReturnValue()
-    or
-    input.isParameterDeref(0) and
-    output.isReturnValueDeref()
   }
 
   override predicate parameterNeverEscapes(int index) { none() }

From b77dd54618411876efcaff99f78b121a4de8e164 Mon Sep 17 00:00:00 2001
From: Erik Krogh Kristensen <erik-krogh@github.com>
Date: Wed, 3 Feb 2021 19:24:27 +0100
Subject: [PATCH 143/429] implement basic map get/set for immutable.js

---
 javascript/ql/src/javascript.qll              |   1 +
 .../javascript/dataflow/Configuration.qll     |   8 +-
 .../javascript/frameworks/Immutable.qll       | 100 ++++++++++++++++++
 .../frameworks/Immutable/immutable.js         |  15 +++
 .../frameworks/Immutable/tests.expected       |   5 +
 .../frameworks/Immutable/tests.ql             |  18 ++++
 6 files changed, 146 insertions(+), 1 deletion(-)
 create mode 100644 javascript/ql/src/semmle/javascript/frameworks/Immutable.qll
 create mode 100644 javascript/ql/test/library-tests/frameworks/Immutable/immutable.js
 create mode 100644 javascript/ql/test/library-tests/frameworks/Immutable/tests.expected
 create mode 100644 javascript/ql/test/library-tests/frameworks/Immutable/tests.ql

diff --git a/javascript/ql/src/javascript.qll b/javascript/ql/src/javascript.qll
index 9cc8e112b5b..d5c459c4d5c 100644
--- a/javascript/ql/src/javascript.qll
+++ b/javascript/ql/src/javascript.qll
@@ -85,6 +85,7 @@ import semmle.javascript.frameworks.Electron
 import semmle.javascript.frameworks.EventEmitter
 import semmle.javascript.frameworks.Files
 import semmle.javascript.frameworks.Firebase
+import semmle.javascript.frameworks.Immutable
 import semmle.javascript.frameworks.jQuery
 import semmle.javascript.frameworks.JWT
 import semmle.javascript.frameworks.Handlebars
diff --git a/javascript/ql/src/semmle/javascript/dataflow/Configuration.qll b/javascript/ql/src/semmle/javascript/dataflow/Configuration.qll
index def92d07fe3..609dddf2a4b 100644
--- a/javascript/ql/src/semmle/javascript/dataflow/Configuration.qll
+++ b/javascript/ql/src/semmle/javascript/dataflow/Configuration.qll
@@ -659,9 +659,15 @@ module PseudoProperties {
    */
   pragma[inline]
   string mapValueKnownKey(DataFlow::Node key) {
-    result = pseudoProperty("mapValue", any(string s | key.mayHaveStringValue(s)))
+    result = mapValueKey(any(string s | key.mayHaveStringValue(s)))
   }
 
+  /**
+   * Gets a pseudo-property for the location of a map value where the key is `key`.
+   */
+  bindingset[key]
+  string mapValueKey(string key) { result = pseudoProperty("mapValue", key) }
+
   /**
    * Gets a pseudo-property for the location of a map value where the key is `key`.
    */
diff --git a/javascript/ql/src/semmle/javascript/frameworks/Immutable.qll b/javascript/ql/src/semmle/javascript/frameworks/Immutable.qll
new file mode 100644
index 00000000000..7d6add1609d
--- /dev/null
+++ b/javascript/ql/src/semmle/javascript/frameworks/Immutable.qll
@@ -0,0 +1,100 @@
+/**
+ * Provides classes and predicates for reasoning about [immutable](https://www.npmjs.com/package/immutable).
+ */
+
+import javascript
+
+/**
+ * Provides classes implementing data-flow for Immutable.
+ */
+private module Immutable {
+  private import DataFlow::PseudoProperties
+
+  /**
+   * An API entrypoint for the global `Immutable` variable.
+   */
+  private class ImmutableGlobalEntry extends API::EntryPoint {
+    ImmutableGlobalEntry() { this = "ImmutableGlobalEntry" }
+
+    override DataFlow::SourceNode getAUse() { result = DataFlow::globalVarRef("Immutable") }
+
+    override DataFlow::Node getARhs() { none() }
+  }
+
+  /**
+   * An import of the `Immutable` library.
+   */
+  API::Node immutableImport() {
+    result = API::moduleImport("immutable")
+    or
+    result = API::root().getASuccessor(any(ImmutableGlobalEntry i))
+  }
+
+  /**
+   * An instance of an immutable map.
+   */
+  API::Node immutableMap() {
+    result = immutableImport().getMember("Map").getReturn()
+    or
+    result = immutableMap().getMember("set").getReturn()
+  }
+
+  /**
+   * Gets the immutable collection where `pred` has been stored using the pseudoproperty `prop`.
+   */
+  DataFlow::SourceNode storeStep(DataFlow::Node pred, string prop) {
+    exists(DataFlow::CallNode call, string key |
+      call = immutableImport().getMember("Map").getACall()
+    |
+      prop = mapValueKey(key) and
+      pred = call.getOptionArgument(0, key) and
+      result = call
+    )
+    // TODO: map set.
+  }
+
+  /**
+   * Gets the value that was stored in the immutable collection `pred` under the pseudoproperty `prop`.
+   */
+  DataFlow::Node loadStep(DataFlow::Node pred, string prop) {
+    // map.get()
+    exists(DataFlow::MethodCallNode call | call = immutableMap().getMember("get").getACall() |
+      pred = call.getReceiver() and
+      result = call and
+      prop = mapValue(call.getArgument(0))
+    )
+  }
+
+  /**
+   * Gets an immutable collection that contains all the elements from `pred`.
+   */
+  DataFlow::Node step(DataFlow::Node pred) {
+    // map.set() copies all existing values
+    exists(DataFlow::CallNode call | call = immutableMap().getMember("set").getACall() |
+      pred = call.getReceiver() and
+      result = call
+    )
+  }
+
+  /**
+   * A dataflow step for an immutable collection.
+   */
+  class ImmutableConstructionStep extends DataFlow::AdditionalFlowStep {
+    ImmutableConstructionStep() { this = [loadStep(_, _), storeStep(_, _), step(_)] }
+
+    override predicate loadStep(DataFlow::Node pred, DataFlow::Node succ, string prop) {
+      this = loadStep(pred, prop) and
+      succ = this
+    }
+
+    override predicate storeStep(DataFlow::Node pred, DataFlow::SourceNode succ, string prop) {
+      this = storeStep(pred, prop) and
+      succ = this
+    }
+
+    override predicate step(DataFlow::Node pred, DataFlow::Node succ) {
+      this = step(pred) and
+      succ = this
+    }
+  }
+}
diff --git a/javascript/ql/test/library-tests/frameworks/Immutable/immutable.js b/javascript/ql/test/library-tests/frameworks/Immutable/immutable.js
new file mode 100644
index 00000000000..6e11ed0b9e8
--- /dev/null
+++ b/javascript/ql/test/library-tests/frameworks/Immutable/immutable.js
@@ -0,0 +1,15 @@
+var obj = { a: source("a"), b: source("b1") };
+sink(obj["a"]); // NOT OK
+
+const { Map } = require('immutable');
+
+const map1 = Map(obj);
+
+sink(map1.get("b")); // NOT OK
+
+const map2 = map1.set('c', "safe");
+sink(map1.get("a")); // NOT OK
+sink(map2.get("a")); // NOT OK
+sink(map2.get("b")); // OK - but still flagged [INCONSISTENCY]
+
+
diff --git a/javascript/ql/test/library-tests/frameworks/Immutable/tests.expected b/javascript/ql/test/library-tests/frameworks/Immutable/tests.expected
new file mode 100644
index 00000000000..d71fe8e504c
--- /dev/null
+++ b/javascript/ql/test/library-tests/frameworks/Immutable/tests.expected
@@ -0,0 +1,5 @@
+| immutable.js:1:16:1:26 | source("a") | immutable.js:2:6:2:13 | obj["a"] |
+| immutable.js:1:16:1:26 | source("a") | immutable.js:11:6:11:18 | map1.get("a") |
+| immutable.js:1:16:1:26 | source("a") | immutable.js:12:6:12:18 | map2.get("a") |
+| immutable.js:1:32:1:43 | source("b1") | immutable.js:8:6:8:18 | map1.get("b") |
+| immutable.js:1:32:1:43 | source("b1") | immutable.js:13:6:13:18 | map2.get("b") |
diff --git a/javascript/ql/test/library-tests/frameworks/Immutable/tests.ql b/javascript/ql/test/library-tests/frameworks/Immutable/tests.ql
new file mode 100644
index 00000000000..58d12ea774f
--- /dev/null
+++ b/javascript/ql/test/library-tests/frameworks/Immutable/tests.ql
@@ -0,0 +1,18 @@
+import javascript
+private import semmle.javascript.dataflow.internal.StepSummary
+
+class Config extends DataFlow::Configuration {
+  Config() { this = "Config" }
+
+  override predicate isSource(DataFlow::Node source) {
+    source.(DataFlow::CallNode).getCalleeName() = "source"
+  }
+
+  override predicate isSink(DataFlow::Node sink) {
+    exists(DataFlow::CallNode call | call.getCalleeName() = "sink" | call.getAnArgument() = sink)
+  }
+}
+
+query predicate dataFlow(DataFlow::Node pred, DataFlow::Node succ) {
+  any(Config c).hasFlow(pred, succ)
+}

From b1f092f052768c142c5f7e9c489dbebf08948c93 Mon Sep 17 00:00:00 2001
From: Erik Krogh Kristensen <erik-krogh@github.com>
Date: Wed, 3 Feb 2021 19:39:12 +0100
Subject: [PATCH 144/429] add support for map.set in Immutable model

---
 .../ql/src/semmle/javascript/frameworks/Immutable.qll      | 7 ++++++-
 .../test/library-tests/frameworks/Immutable/immutable.js   | 4 +++-
 .../test/library-tests/frameworks/Immutable/tests.expected | 1 +
 3 files changed, 10 insertions(+), 2 deletions(-)

diff --git a/javascript/ql/src/semmle/javascript/frameworks/Immutable.qll b/javascript/ql/src/semmle/javascript/frameworks/Immutable.qll
index 7d6add1609d..c02c5b3c958 100644
--- a/javascript/ql/src/semmle/javascript/frameworks/Immutable.qll
+++ b/javascript/ql/src/semmle/javascript/frameworks/Immutable.qll
@@ -50,7 +50,12 @@ private module Immutable {
       pred = call.getOptionArgument(0, key) and
       result = call
     )
-    // TODO: map set.
+    or
+    exists(DataFlow::CallNode call | call = immutableMap().getMember("set").getACall() |
+      prop = mapValue(call.getArgument(0)) and
+      pred = call.getArgument(1) and
+      result = call
+    )
   }
 
   /**
diff --git a/javascript/ql/test/library-tests/frameworks/Immutable/immutable.js b/javascript/ql/test/library-tests/frameworks/Immutable/immutable.js
index 6e11ed0b9e8..fd8dfab69b7 100644
--- a/javascript/ql/test/library-tests/frameworks/Immutable/immutable.js
+++ b/javascript/ql/test/library-tests/frameworks/Immutable/immutable.js
@@ -12,4 +12,6 @@ sink(map1.get("a")); // NOT OK
 sink(map2.get("a")); // NOT OK
 sink(map2.get("b")); // OK - but still flagged [INCONSISTENCY]
 
-
+const map3 = map2.set("d", source("d"));
+sink(map1.get("d")); // OK
+sink(map3.get("d")); // NOT OK
diff --git a/javascript/ql/test/library-tests/frameworks/Immutable/tests.expected b/javascript/ql/test/library-tests/frameworks/Immutable/tests.expected
index d71fe8e504c..fdc6e454e8b 100644
--- a/javascript/ql/test/library-tests/frameworks/Immutable/tests.expected
+++ b/javascript/ql/test/library-tests/frameworks/Immutable/tests.expected
@@ -3,3 +3,4 @@
 | immutable.js:1:16:1:26 | source("a") | immutable.js:12:6:12:18 | map2.get("a") |
 | immutable.js:1:32:1:43 | source("b1") | immutable.js:8:6:8:18 | map1.get("b") |
 | immutable.js:1:32:1:43 | source("b1") | immutable.js:13:6:13:18 | map2.get("b") |
+| immutable.js:15:28:15:38 | source("d") | immutable.js:17:6:17:18 | map3.get("d") |

From 6cbe4caeccfcd39d1745cd8e5656adee8641345f Mon Sep 17 00:00:00 2001
From: Erik Krogh Kristensen <erik-krogh@github.com>
Date: Wed, 3 Feb 2021 19:46:16 +0100
Subject: [PATCH 145/429] support toJS() by using plain property names instead
 of pseudoproperties.

---
 .../javascript/frameworks/Immutable.qll       | 30 +++++++++++--------
 .../frameworks/Immutable/immutable.js         |  3 ++
 .../frameworks/Immutable/tests.expected       |  1 +
 3 files changed, 22 insertions(+), 12 deletions(-)

diff --git a/javascript/ql/src/semmle/javascript/frameworks/Immutable.qll b/javascript/ql/src/semmle/javascript/frameworks/Immutable.qll
index c02c5b3c958..ac849ff7300 100644
--- a/javascript/ql/src/semmle/javascript/frameworks/Immutable.qll
+++ b/javascript/ql/src/semmle/javascript/frameworks/Immutable.qll
@@ -8,8 +8,6 @@ import javascript
  * Provides classes implementing data-flow for Immutable.
  */
 private module Immutable {
-  private import DataFlow::PseudoProperties
-
   /**
    * An API entrypoint for the global `Immutable` variable.
    */
@@ -40,33 +38,35 @@ private module Immutable {
   }
 
   /**
-   * Gets the immutable collection where `pred` has been stored using the pseudoproperty `prop`.
+   * An instance of any immutable collection.
+   */
+  API::Node immutableCollection() { result = immutableMap() }
+
+  /**
+   * Gets the immutable collection where `pred` has been stored using the name `prop`.
    */
   DataFlow::SourceNode storeStep(DataFlow::Node pred, string prop) {
-    exists(DataFlow::CallNode call, string key |
-      call = immutableImport().getMember("Map").getACall()
-    |
-      prop = mapValueKey(key) and
-      pred = call.getOptionArgument(0, key) and
+    exists(DataFlow::CallNode call | call = immutableImport().getMember("Map").getACall() |
+      pred = call.getOptionArgument(0, prop) and
       result = call
     )
     or
     exists(DataFlow::CallNode call | call = immutableMap().getMember("set").getACall() |
-      prop = mapValue(call.getArgument(0)) and
+      call.getArgument(0).mayHaveStringValue(prop) and
       pred = call.getArgument(1) and
       result = call
     )
   }
 
   /**
-   * Gets the value that was stored in the immutable collection `pred` under the pseudoproperty `prop`.
+   * Gets the value that was stored in the immutable collection `pred` under the name `prop`.
    */
   DataFlow::Node loadStep(DataFlow::Node pred, string prop) {
     // map.get()
     exists(DataFlow::MethodCallNode call | call = immutableMap().getMember("get").getACall() |
+      call.getArgument(0).mayHaveStringValue(prop) and
       pred = call.getReceiver() and
-      result = call and
-      prop = mapValue(call.getArgument(0))
+      result = call
     )
   }
 
@@ -79,6 +79,12 @@ private module Immutable {
       pred = call.getReceiver() and
       result = call
     )
+    or
+    // toJS() or any immutable collection converts it to a plain JavaScript object/array.
+    exists(DataFlow::CallNode call | call = immutableCollection().getMember("toJS").getACall() |
+      pred = call.getReceiver() and
+      result = call
+    )
   }
 
   /**
diff --git a/javascript/ql/test/library-tests/frameworks/Immutable/immutable.js b/javascript/ql/test/library-tests/frameworks/Immutable/immutable.js
index fd8dfab69b7..c7a5741e812 100644
--- a/javascript/ql/test/library-tests/frameworks/Immutable/immutable.js
+++ b/javascript/ql/test/library-tests/frameworks/Immutable/immutable.js
@@ -15,3 +15,6 @@ sink(map2.get("b")); // OK - but still flagged [INCONSISTENCY]
 const map3 = map2.set("d", source("d"));
 sink(map1.get("d")); // OK
 sink(map3.get("d")); // NOT OK
+
+
+sink(map3.toJS()["a"]); // NOT OK
\ No newline at end of file
diff --git a/javascript/ql/test/library-tests/frameworks/Immutable/tests.expected b/javascript/ql/test/library-tests/frameworks/Immutable/tests.expected
index fdc6e454e8b..94827bb5316 100644
--- a/javascript/ql/test/library-tests/frameworks/Immutable/tests.expected
+++ b/javascript/ql/test/library-tests/frameworks/Immutable/tests.expected
@@ -1,6 +1,7 @@
 | immutable.js:1:16:1:26 | source("a") | immutable.js:2:6:2:13 | obj["a"] |
 | immutable.js:1:16:1:26 | source("a") | immutable.js:11:6:11:18 | map1.get("a") |
 | immutable.js:1:16:1:26 | source("a") | immutable.js:12:6:12:18 | map2.get("a") |
+| immutable.js:1:16:1:26 | source("a") | immutable.js:20:6:20:21 | map3.toJS()["a"] |
 | immutable.js:1:32:1:43 | source("b1") | immutable.js:8:6:8:18 | map1.get("b") |
 | immutable.js:1:32:1:43 | source("b1") | immutable.js:13:6:13:18 | map2.get("b") |
 | immutable.js:15:28:15:38 | source("d") | immutable.js:17:6:17:18 | map3.get("d") |

From a5c9492c872c7b4dfe74d7dc7f8a723819978be7 Mon Sep 17 00:00:00 2001
From: Erik Krogh Kristensen <erik-krogh@github.com>
Date: Wed, 3 Feb 2021 20:28:48 +0100
Subject: [PATCH 146/429] add support for fromJS in the Immutable model

---
 .../javascript/frameworks/Immutable.qll       | 31 +++++++++----------
 .../frameworks/Immutable/immutable.js         |  6 ++--
 .../frameworks/Immutable/tests.expected       |  1 +
 3 files changed, 20 insertions(+), 18 deletions(-)

diff --git a/javascript/ql/src/semmle/javascript/frameworks/Immutable.qll b/javascript/ql/src/semmle/javascript/frameworks/Immutable.qll
index ac849ff7300..b8cd8146b6d 100644
--- a/javascript/ql/src/semmle/javascript/frameworks/Immutable.qll
+++ b/javascript/ql/src/semmle/javascript/frameworks/Immutable.qll
@@ -28,30 +28,27 @@ private module Immutable {
     result = API::root().getASuccessor(any(ImmutableGlobalEntry i))
   }
 
-  /**
-   * An instance of an immutable map.
-   */
-  API::Node immutableMap() {
-    result = immutableImport().getMember("Map").getReturn()
-    or
-    result = immutableMap().getMember("set").getReturn()
-  }
-
   /**
    * An instance of any immutable collection.
    */
-  API::Node immutableCollection() { result = immutableMap() }
+  API::Node immutableCollection() {
+    result = immutableImport().getMember(["Map", "fromJS"]).getReturn()
+    or
+    result.getAnImmediateUse() = step(immutableCollection().getAUse())
+  }
 
   /**
    * Gets the immutable collection where `pred` has been stored using the name `prop`.
    */
   DataFlow::SourceNode storeStep(DataFlow::Node pred, string prop) {
-    exists(DataFlow::CallNode call | call = immutableImport().getMember("Map").getACall() |
+    exists(DataFlow::CallNode call |
+      call = immutableImport().getMember(["Map", "fromJS"]).getACall()
+    |
       pred = call.getOptionArgument(0, prop) and
       result = call
     )
     or
-    exists(DataFlow::CallNode call | call = immutableMap().getMember("set").getACall() |
+    exists(DataFlow::CallNode call | call = immutableCollection().getMember("set").getACall() |
       call.getArgument(0).mayHaveStringValue(prop) and
       pred = call.getArgument(1) and
       result = call
@@ -63,7 +60,9 @@ private module Immutable {
    */
   DataFlow::Node loadStep(DataFlow::Node pred, string prop) {
     // map.get()
-    exists(DataFlow::MethodCallNode call | call = immutableMap().getMember("get").getACall() |
+    exists(DataFlow::MethodCallNode call |
+      call = immutableCollection().getMember("get").getACall()
+    |
       call.getArgument(0).mayHaveStringValue(prop) and
       pred = call.getReceiver() and
       result = call
@@ -73,14 +72,14 @@ private module Immutable {
   /**
    * Gets an immutable collection that contains all the elements from `pred`.
    */
-  DataFlow::Node step(DataFlow::Node pred) {
+  DataFlow::SourceNode step(DataFlow::Node pred) {
     // map.set() copies all existing values
-    exists(DataFlow::CallNode call | call = immutableMap().getMember("set").getACall() |
+    exists(DataFlow::CallNode call | call = immutableCollection().getMember("set").getACall() |
       pred = call.getReceiver() and
       result = call
     )
     or
-    // toJS() or any immutable collection converts it to a plain JavaScript object/array.
+    // toJS() or any immutable collection converts it to a plain JavaScript object/array (and vice versa for `fromJS`).
     exists(DataFlow::CallNode call | call = immutableCollection().getMember("toJS").getACall() |
       pred = call.getReceiver() and
       result = call
diff --git a/javascript/ql/test/library-tests/frameworks/Immutable/immutable.js b/javascript/ql/test/library-tests/frameworks/Immutable/immutable.js
index c7a5741e812..2f3bf2fd495 100644
--- a/javascript/ql/test/library-tests/frameworks/Immutable/immutable.js
+++ b/javascript/ql/test/library-tests/frameworks/Immutable/immutable.js
@@ -1,7 +1,7 @@
 var obj = { a: source("a"), b: source("b1") };
 sink(obj["a"]); // NOT OK
 
-const { Map } = require('immutable');
+const { Map, fromJS } = require('immutable');
 
 const map1 = Map(obj);
 
@@ -17,4 +17,6 @@ sink(map1.get("d")); // OK
 sink(map3.get("d")); // NOT OK
 
 
-sink(map3.toJS()["a"]); // NOT OK
\ No newline at end of file
+sink(map3.toJS()["a"]); // NOT OK
+
+sink(fromJS({"e": source("e")}).get("e")); // NOT OK
\ No newline at end of file
diff --git a/javascript/ql/test/library-tests/frameworks/Immutable/tests.expected b/javascript/ql/test/library-tests/frameworks/Immutable/tests.expected
index 94827bb5316..23d217ac4b3 100644
--- a/javascript/ql/test/library-tests/frameworks/Immutable/tests.expected
+++ b/javascript/ql/test/library-tests/frameworks/Immutable/tests.expected
@@ -5,3 +5,4 @@
 | immutable.js:1:32:1:43 | source("b1") | immutable.js:8:6:8:18 | map1.get("b") |
 | immutable.js:1:32:1:43 | source("b1") | immutable.js:13:6:13:18 | map2.get("b") |
 | immutable.js:15:28:15:38 | source("d") | immutable.js:17:6:17:18 | map3.get("d") |
+| immutable.js:22:19:22:29 | source("e") | immutable.js:22:6:22:40 | fromJS( ... et("e") |

From 2e7bf9b53c69dad33b30afe97a1a50467186eae0 Mon Sep 17 00:00:00 2001
From: Erik Krogh Kristensen <erik-krogh@github.com>
Date: Thu, 4 Feb 2021 10:54:41 +0100
Subject: [PATCH 147/429] implement Immutable lists

---
 .../javascript/frameworks/Immutable.qll       | 40 ++++++++++++++++---
 .../frameworks/Immutable/immutable.js         | 15 ++++++-
 .../frameworks/Immutable/tests.expected       |  4 ++
 3 files changed, 51 insertions(+), 8 deletions(-)

diff --git a/javascript/ql/src/semmle/javascript/frameworks/Immutable.qll b/javascript/ql/src/semmle/javascript/frameworks/Immutable.qll
index b8cd8146b6d..a0468f6843a 100644
--- a/javascript/ql/src/semmle/javascript/frameworks/Immutable.qll
+++ b/javascript/ql/src/semmle/javascript/frameworks/Immutable.qll
@@ -6,6 +6,8 @@ import javascript
 
 /**
  * Provides classes implementing data-flow for Immutable.
+ *
+ * The implemention rely on the flowsteps implemented in `Collections.qll`.
  */
 private module Immutable {
   /**
@@ -32,15 +34,17 @@ private module Immutable {
    * An instance of any immutable collection.
    */
   API::Node immutableCollection() {
-    result = immutableImport().getMember(["Map", "fromJS"]).getReturn()
+    // keep this list in sync with the constructors defined in `storeStep`.
+    result = immutableImport().getMember(["Map", "List", "fromJS"]).getReturn()
     or
-    result.getAnImmediateUse() = step(immutableCollection().getAUse())
+    result = immutableCollection().getMember(["set", "map", "filter", "push"]).getReturn()
   }
 
   /**
    * Gets the immutable collection where `pred` has been stored using the name `prop`.
    */
   DataFlow::SourceNode storeStep(DataFlow::Node pred, string prop) {
+    // Immutable.Map() and Immutable.fromJS().
     exists(DataFlow::CallNode call |
       call = immutableImport().getMember(["Map", "fromJS"]).getACall()
     |
@@ -48,11 +52,31 @@ private module Immutable {
       result = call
     )
     or
+    // Immutable.List()
+    exists(DataFlow::CallNode call, DataFlow::ArrayCreationNode arr |
+      call = immutableImport().getMember("List").getACall()
+    |
+      arr = call.getArgument(0).getALocalSource() and
+      exists(int i |
+        prop = DataFlow::PseudoProperties::arrayElement(i) and
+        pred = arr.getElement(i) and
+        result = call
+      )
+    )
+    or
+    // collection.set(key, value)
     exists(DataFlow::CallNode call | call = immutableCollection().getMember("set").getACall() |
       call.getArgument(0).mayHaveStringValue(prop) and
       pred = call.getArgument(1) and
       result = call
     )
+    or
+    // list.push(x)
+    exists(DataFlow::CallNode call | call = immutableCollection().getMember("push").getACall() |
+      pred = call.getArgument(0) and
+      result = call and
+      prop = DataFlow::PseudoProperties::arrayElement()
+    )
   }
 
   /**
@@ -73,14 +97,18 @@ private module Immutable {
    * Gets an immutable collection that contains all the elements from `pred`.
    */
   DataFlow::SourceNode step(DataFlow::Node pred) {
-    // map.set() copies all existing values
-    exists(DataFlow::CallNode call | call = immutableCollection().getMember("set").getACall() |
+    // map.set() / list.push() copies all existing values
+    exists(DataFlow::CallNode call |
+      call = immutableCollection().getMember(["set", "push"]).getACall()
+    |
       pred = call.getReceiver() and
       result = call
     )
     or
-    // toJS() or any immutable collection converts it to a plain JavaScript object/array (and vice versa for `fromJS`).
-    exists(DataFlow::CallNode call | call = immutableCollection().getMember("toJS").getACall() |
+    // toJS()/toList() on any immutable collection converts it to a plain JavaScript object/array (and vice versa for `fromJS`).
+    exists(DataFlow::CallNode call |
+      call = immutableCollection().getMember(["toJS", "toList"]).getACall()
+    |
       pred = call.getReceiver() and
       result = call
     )
diff --git a/javascript/ql/test/library-tests/frameworks/Immutable/immutable.js b/javascript/ql/test/library-tests/frameworks/Immutable/immutable.js
index 2f3bf2fd495..68bf67b76d6 100644
--- a/javascript/ql/test/library-tests/frameworks/Immutable/immutable.js
+++ b/javascript/ql/test/library-tests/frameworks/Immutable/immutable.js
@@ -1,7 +1,7 @@
 var obj = { a: source("a"), b: source("b1") };
 sink(obj["a"]); // NOT OK
 
-const { Map, fromJS } = require('immutable');
+const { Map, fromJS, List } = require('immutable');
 
 const map1 = Map(obj);
 
@@ -19,4 +19,15 @@ sink(map3.get("d")); // NOT OK
 
 sink(map3.toJS()["a"]); // NOT OK
 
-sink(fromJS({"e": source("e")}).get("e")); // NOT OK
\ No newline at end of file
+sink(fromJS({"e": source("e")}).get("e")); // NOT OK
+
+const l1 = List([source(), "foobar"]);
+l1.forEach(x => sink(x)); // NOT OK
+
+l1.map(x => "safe").forEach(x => sink(x)); // OK
+
+List(["safe"]).map(x => source()).forEach(x => sink(x)); // NOT OK
+
+List([source()]).map(x => x).filter(x => true).toList().forEach(x => sink(x)); // NOT OK
+
+List(["safe"]).push(source()).forEach(x => sink(x)); // NOT OK
diff --git a/javascript/ql/test/library-tests/frameworks/Immutable/tests.expected b/javascript/ql/test/library-tests/frameworks/Immutable/tests.expected
index 23d217ac4b3..f5080effdc2 100644
--- a/javascript/ql/test/library-tests/frameworks/Immutable/tests.expected
+++ b/javascript/ql/test/library-tests/frameworks/Immutable/tests.expected
@@ -6,3 +6,7 @@
 | immutable.js:1:32:1:43 | source("b1") | immutable.js:13:6:13:18 | map2.get("b") |
 | immutable.js:15:28:15:38 | source("d") | immutable.js:17:6:17:18 | map3.get("d") |
 | immutable.js:22:19:22:29 | source("e") | immutable.js:22:6:22:40 | fromJS( ... et("e") |
+| immutable.js:24:18:24:25 | source() | immutable.js:25:22:25:22 | x |
+| immutable.js:29:25:29:32 | source() | immutable.js:29:53:29:53 | x |
+| immutable.js:31:7:31:14 | source() | immutable.js:31:75:31:75 | x |
+| immutable.js:33:21:33:28 | source() | immutable.js:33:49:33:49 | x |

From 609b16b1f77c7f0913ff97f4e526925110a408e4 Mon Sep 17 00:00:00 2001
From: Erik Krogh Kristensen <erik-krogh@github.com>
Date: Thu, 4 Feb 2021 11:02:50 +0100
Subject: [PATCH 148/429] implement Immutable OrderedMap

---
 .../ql/src/semmle/javascript/frameworks/Immutable.qll       | 4 ++--
 .../ql/test/library-tests/frameworks/Immutable/immutable.js | 6 +++++-
 .../test/library-tests/frameworks/Immutable/tests.expected  | 1 +
 3 files changed, 8 insertions(+), 3 deletions(-)

diff --git a/javascript/ql/src/semmle/javascript/frameworks/Immutable.qll b/javascript/ql/src/semmle/javascript/frameworks/Immutable.qll
index a0468f6843a..28e05f7f0e2 100644
--- a/javascript/ql/src/semmle/javascript/frameworks/Immutable.qll
+++ b/javascript/ql/src/semmle/javascript/frameworks/Immutable.qll
@@ -35,7 +35,7 @@ private module Immutable {
    */
   API::Node immutableCollection() {
     // keep this list in sync with the constructors defined in `storeStep`.
-    result = immutableImport().getMember(["Map", "List", "fromJS"]).getReturn()
+    result = immutableImport().getMember(["Map", "OrderedMap", "List", "fromJS"]).getReturn()
     or
     result = immutableCollection().getMember(["set", "map", "filter", "push"]).getReturn()
   }
@@ -46,7 +46,7 @@ private module Immutable {
   DataFlow::SourceNode storeStep(DataFlow::Node pred, string prop) {
     // Immutable.Map() and Immutable.fromJS().
     exists(DataFlow::CallNode call |
-      call = immutableImport().getMember(["Map", "fromJS"]).getACall()
+      call = immutableImport().getMember(["Map", "OrderedMap", "fromJS"]).getACall()
     |
       pred = call.getOptionArgument(0, prop) and
       result = call
diff --git a/javascript/ql/test/library-tests/frameworks/Immutable/immutable.js b/javascript/ql/test/library-tests/frameworks/Immutable/immutable.js
index 68bf67b76d6..0b62c174039 100644
--- a/javascript/ql/test/library-tests/frameworks/Immutable/immutable.js
+++ b/javascript/ql/test/library-tests/frameworks/Immutable/immutable.js
@@ -1,7 +1,7 @@
 var obj = { a: source("a"), b: source("b1") };
 sink(obj["a"]); // NOT OK
 
-const { Map, fromJS, List } = require('immutable');
+const { Map, fromJS, List, OrderedMap } = require('immutable');
 
 const map1 = Map(obj);
 
@@ -31,3 +31,7 @@ List(["safe"]).map(x => source()).forEach(x => sink(x)); // NOT OK
 List([source()]).map(x => x).filter(x => true).toList().forEach(x => sink(x)); // NOT OK
 
 List(["safe"]).push(source()).forEach(x => sink(x)); // NOT OK
+
+
+const map4 = OrderedMap({}).set("f", source());
+sink(map4.get("f")); // NOT OK
\ No newline at end of file
diff --git a/javascript/ql/test/library-tests/frameworks/Immutable/tests.expected b/javascript/ql/test/library-tests/frameworks/Immutable/tests.expected
index f5080effdc2..de0b333cba9 100644
--- a/javascript/ql/test/library-tests/frameworks/Immutable/tests.expected
+++ b/javascript/ql/test/library-tests/frameworks/Immutable/tests.expected
@@ -10,3 +10,4 @@
 | immutable.js:29:25:29:32 | source() | immutable.js:29:53:29:53 | x |
 | immutable.js:31:7:31:14 | source() | immutable.js:31:75:31:75 | x |
 | immutable.js:33:21:33:28 | source() | immutable.js:33:49:33:49 | x |
+| immutable.js:36:38:36:45 | source() | immutable.js:37:6:37:18 | map4.get("f") |

From c0de6a3af2509b16512042d079fe7efafdc7c3da Mon Sep 17 00:00:00 2001
From: Erik Krogh Kristensen <erik-krogh@github.com>
Date: Thu, 4 Feb 2021 11:15:08 +0100
Subject: [PATCH 149/429] add support for Immutable Record

---
 .../semmle/javascript/frameworks/Immutable.qll    | 15 ++++++++++++++-
 .../frameworks/Immutable/immutable.js             |  9 +++++++--
 .../frameworks/Immutable/tests.expected           |  2 ++
 3 files changed, 23 insertions(+), 3 deletions(-)

diff --git a/javascript/ql/src/semmle/javascript/frameworks/Immutable.qll b/javascript/ql/src/semmle/javascript/frameworks/Immutable.qll
index 28e05f7f0e2..c6b6441f9d5 100644
--- a/javascript/ql/src/semmle/javascript/frameworks/Immutable.qll
+++ b/javascript/ql/src/semmle/javascript/frameworks/Immutable.qll
@@ -32,11 +32,15 @@ private module Immutable {
 
   /**
    * An instance of any immutable collection.
+   *
+   * This predicate keeps track of which values in the program are Immutable collections.
    */
   API::Node immutableCollection() {
-    // keep this list in sync with the constructors defined in `storeStep`.
+    // keep this predicate in sync with the constructors defined in `storeStep`.
     result = immutableImport().getMember(["Map", "OrderedMap", "List", "fromJS"]).getReturn()
     or
+    result = immutableImport().getMember("Record").getReturn().getReturn()
+    or
     result = immutableCollection().getMember(["set", "map", "filter", "push"]).getReturn()
   }
 
@@ -77,6 +81,15 @@ private module Immutable {
       result = call and
       prop = DataFlow::PseudoProperties::arrayElement()
     )
+    or
+    // Immutable.Record({defaults})({values}).
+    exists(API::CallNode factoryCall, API::CallNode recordCall |
+      factoryCall = immutableImport().getMember("Record").getACall() and
+      recordCall = factoryCall.getReturn().getACall()
+    |
+      pred = [factoryCall, recordCall].getOptionArgument(0, prop) and
+      result = recordCall
+    )
   }
 
   /**
diff --git a/javascript/ql/test/library-tests/frameworks/Immutable/immutable.js b/javascript/ql/test/library-tests/frameworks/Immutable/immutable.js
index 0b62c174039..38cdc3f2708 100644
--- a/javascript/ql/test/library-tests/frameworks/Immutable/immutable.js
+++ b/javascript/ql/test/library-tests/frameworks/Immutable/immutable.js
@@ -1,7 +1,7 @@
 var obj = { a: source("a"), b: source("b1") };
 sink(obj["a"]); // NOT OK
 
-const { Map, fromJS, List, OrderedMap } = require('immutable');
+const { Map, fromJS, List, OrderedMap, Record } = require('immutable');
 
 const map1 = Map(obj);
 
@@ -34,4 +34,9 @@ List(["safe"]).push(source()).forEach(x => sink(x)); // NOT OK
 
 
 const map4 = OrderedMap({}).set("f", source());
-sink(map4.get("f")); // NOT OK
\ No newline at end of file
+sink(map4.get("f")); // NOT OK
+
+const map5 = Record({a: source(), b: null, c: null})({b: source()});
+sink(map5.get("a")); // NOT OK
+sink(map5.get("b")); // NOT OK
+sink(map5.get("c")); // OK
\ No newline at end of file
diff --git a/javascript/ql/test/library-tests/frameworks/Immutable/tests.expected b/javascript/ql/test/library-tests/frameworks/Immutable/tests.expected
index de0b333cba9..0686da007f0 100644
--- a/javascript/ql/test/library-tests/frameworks/Immutable/tests.expected
+++ b/javascript/ql/test/library-tests/frameworks/Immutable/tests.expected
@@ -11,3 +11,5 @@
 | immutable.js:31:7:31:14 | source() | immutable.js:31:75:31:75 | x |
 | immutable.js:33:21:33:28 | source() | immutable.js:33:49:33:49 | x |
 | immutable.js:36:38:36:45 | source() | immutable.js:37:6:37:18 | map4.get("f") |
+| immutable.js:39:25:39:32 | source() | immutable.js:40:6:40:18 | map5.get("a") |
+| immutable.js:39:58:39:65 | source() | immutable.js:41:6:41:18 | map5.get("b") |

From b74df66463ea5f17918797c42678b30089d6c6c7 Mon Sep 17 00:00:00 2001
From: Erik Krogh Kristensen <erik-krogh@github.com>
Date: Thu, 4 Feb 2021 11:48:30 +0100
Subject: [PATCH 150/429] implement Immutable merge

---
 .../javascript/frameworks/Immutable.qll       | 19 ++++++++++++++++---
 .../frameworks/Immutable/immutable.js         | 10 ++++++++--
 .../frameworks/Immutable/tests.expected       |  2 ++
 3 files changed, 26 insertions(+), 5 deletions(-)

diff --git a/javascript/ql/src/semmle/javascript/frameworks/Immutable.qll b/javascript/ql/src/semmle/javascript/frameworks/Immutable.qll
index c6b6441f9d5..a56aab93843 100644
--- a/javascript/ql/src/semmle/javascript/frameworks/Immutable.qll
+++ b/javascript/ql/src/semmle/javascript/frameworks/Immutable.qll
@@ -36,12 +36,13 @@ private module Immutable {
    * This predicate keeps track of which values in the program are Immutable collections.
    */
   API::Node immutableCollection() {
-    // keep this predicate in sync with the constructors defined in `storeStep`.
-    result = immutableImport().getMember(["Map", "OrderedMap", "List", "fromJS"]).getReturn()
+    // keep this predicate in sync with the constructors defined in `storeStep`/`step`.
+    result =
+      immutableImport().getMember(["Map", "OrderedMap", "List", "fromJS", "merge"]).getReturn()
     or
     result = immutableImport().getMember("Record").getReturn().getReturn()
     or
-    result = immutableCollection().getMember(["set", "map", "filter", "push"]).getReturn()
+    result = immutableCollection().getMember(["set", "map", "filter", "push", "merge"]).getReturn()
   }
 
   /**
@@ -125,6 +126,18 @@ private module Immutable {
       pred = call.getReceiver() and
       result = call
     )
+    or
+    // Immutable.merge(x, y)
+    exists(DataFlow::CallNode call | call = immutableImport().getMember("merge").getACall() |
+      pred = call.getAnArgument() and
+      result = call
+    )
+    or
+    // collection.merge(other)
+    exists(DataFlow::CallNode call | call = immutableCollection().getMember("merge").getACall() |
+      pred = [call.getAnArgument(), call.getReceiver()] and
+      result = call
+    )
   }
 
   /**
diff --git a/javascript/ql/test/library-tests/frameworks/Immutable/immutable.js b/javascript/ql/test/library-tests/frameworks/Immutable/immutable.js
index 38cdc3f2708..f605d1e917f 100644
--- a/javascript/ql/test/library-tests/frameworks/Immutable/immutable.js
+++ b/javascript/ql/test/library-tests/frameworks/Immutable/immutable.js
@@ -1,7 +1,7 @@
 var obj = { a: source("a"), b: source("b1") };
 sink(obj["a"]); // NOT OK
 
-const { Map, fromJS, List, OrderedMap, Record } = require('immutable');
+const { Map, fromJS, List, OrderedMap, Record, merge } = require('immutable');
 
 const map1 = Map(obj);
 
@@ -39,4 +39,10 @@ sink(map4.get("f")); // NOT OK
 const map5 = Record({a: source(), b: null, c: null})({b: source()});
 sink(map5.get("a")); // NOT OK
 sink(map5.get("b")); // NOT OK
-sink(map5.get("c")); // OK
\ No newline at end of file
+sink(map5.get("c")); // OK
+
+const map6 = merge(Map({}), Record({a: source()})());
+sink(map6.get("a")); // NOT OK
+
+const map7 = map6.merge(Map({b: source()}));
+sink(map7.get("b")); // NOT OK
\ No newline at end of file
diff --git a/javascript/ql/test/library-tests/frameworks/Immutable/tests.expected b/javascript/ql/test/library-tests/frameworks/Immutable/tests.expected
index 0686da007f0..cead857c6b7 100644
--- a/javascript/ql/test/library-tests/frameworks/Immutable/tests.expected
+++ b/javascript/ql/test/library-tests/frameworks/Immutable/tests.expected
@@ -13,3 +13,5 @@
 | immutable.js:36:38:36:45 | source() | immutable.js:37:6:37:18 | map4.get("f") |
 | immutable.js:39:25:39:32 | source() | immutable.js:40:6:40:18 | map5.get("a") |
 | immutable.js:39:58:39:65 | source() | immutable.js:41:6:41:18 | map5.get("b") |
+| immutable.js:44:40:44:47 | source() | immutable.js:45:6:45:18 | map6.get("a") |
+| immutable.js:47:33:47:40 | source() | immutable.js:48:6:48:18 | map7.get("b") |

From 6cbf7b3267df70be1f1b167e64269109e3eb16be Mon Sep 17 00:00:00 2001
From: Erik Krogh Kristensen <erik-krogh@github.com>
Date: Thu, 4 Feb 2021 12:05:04 +0100
Subject: [PATCH 151/429] add `of` `Set`, `Stack` and similar to the Immutable
 model

---
 .../javascript/frameworks/Immutable.qll       | 25 +++++++++++++++++--
 .../frameworks/Immutable/immutable.js         | 14 +++++++++--
 .../frameworks/Immutable/tests.expected       |  5 ++++
 3 files changed, 40 insertions(+), 4 deletions(-)

diff --git a/javascript/ql/src/semmle/javascript/frameworks/Immutable.qll b/javascript/ql/src/semmle/javascript/frameworks/Immutable.qll
index a56aab93843..16cf7de2cc0 100644
--- a/javascript/ql/src/semmle/javascript/frameworks/Immutable.qll
+++ b/javascript/ql/src/semmle/javascript/frameworks/Immutable.qll
@@ -38,10 +38,18 @@ private module Immutable {
   API::Node immutableCollection() {
     // keep this predicate in sync with the constructors defined in `storeStep`/`step`.
     result =
-      immutableImport().getMember(["Map", "OrderedMap", "List", "fromJS", "merge"]).getReturn()
+      immutableImport()
+          .getMember(["Map", "OrderedMap", "List", "Stack", "Set", "OrderedSet", "fromJS", "merge"])
+          .getReturn()
     or
     result = immutableImport().getMember("Record").getReturn().getReturn()
     or
+    result =
+      immutableImport()
+          .getMember(["List", "Set", "OrderedSet", "Stack"])
+          .getMember("of")
+          .getReturn()
+    or
     result = immutableCollection().getMember(["set", "map", "filter", "push", "merge"]).getReturn()
   }
 
@@ -59,7 +67,7 @@ private module Immutable {
     or
     // Immutable.List()
     exists(DataFlow::CallNode call, DataFlow::ArrayCreationNode arr |
-      call = immutableImport().getMember("List").getACall()
+      call = immutableImport().getMember(["List", "Stack", "Set", "OrderedSet"]).getACall()
     |
       arr = call.getArgument(0).getALocalSource() and
       exists(int i |
@@ -91,6 +99,19 @@ private module Immutable {
       pred = [factoryCall, recordCall].getOptionArgument(0, prop) and
       result = recordCall
     )
+    or
+    // List/Set/Stack.of(values)
+    exists(API::CallNode call |
+      call =
+        immutableImport()
+            .getMember(["List", "Set", "OrderedSet", "Stack"])
+            .getMember("of")
+            .getACall()
+    |
+      pred = call.getAnArgument() and
+      result = call and
+      prop = DataFlow::PseudoProperties::arrayElement()
+    )
   }
 
   /**
diff --git a/javascript/ql/test/library-tests/frameworks/Immutable/immutable.js b/javascript/ql/test/library-tests/frameworks/Immutable/immutable.js
index f605d1e917f..78104b6a20a 100644
--- a/javascript/ql/test/library-tests/frameworks/Immutable/immutable.js
+++ b/javascript/ql/test/library-tests/frameworks/Immutable/immutable.js
@@ -1,7 +1,7 @@
 var obj = { a: source("a"), b: source("b1") };
 sink(obj["a"]); // NOT OK
 
-const { Map, fromJS, List, OrderedMap, Record, merge } = require('immutable');
+const { Map, fromJS, List, OrderedMap, Record, merge, Stack, Set, OrderedSet } = require('immutable');
 
 const map1 = Map(obj);
 
@@ -45,4 +45,14 @@ const map6 = merge(Map({}), Record({a: source()})());
 sink(map6.get("a")); // NOT OK
 
 const map7 = map6.merge(Map({b: source()}));
-sink(map7.get("b")); // NOT OK
\ No newline at end of file
+sink(map7.get("b")); // NOT OK
+
+Stack.of(source(), "foobar").forEach(x => sink(x)); // NOT OK
+
+List.of(source()).filter(x => true).toList().forEach(x => sink(x)); // NOT OK
+
+Set.of(source()).filter(x => true).toList().forEach(x => sink(x)); // NOT OK
+
+Set([source()]).filter(x => true).toList().forEach(x => sink(x)); // NOT OK
+
+OrderedSet([source()]).filter(x => true).toList().forEach(x => sink(x)); // NOT OK
\ No newline at end of file
diff --git a/javascript/ql/test/library-tests/frameworks/Immutable/tests.expected b/javascript/ql/test/library-tests/frameworks/Immutable/tests.expected
index cead857c6b7..6edc4ee1a96 100644
--- a/javascript/ql/test/library-tests/frameworks/Immutable/tests.expected
+++ b/javascript/ql/test/library-tests/frameworks/Immutable/tests.expected
@@ -15,3 +15,8 @@
 | immutable.js:39:58:39:65 | source() | immutable.js:41:6:41:18 | map5.get("b") |
 | immutable.js:44:40:44:47 | source() | immutable.js:45:6:45:18 | map6.get("a") |
 | immutable.js:47:33:47:40 | source() | immutable.js:48:6:48:18 | map7.get("b") |
+| immutable.js:50:10:50:17 | source() | immutable.js:50:48:50:48 | x |
+| immutable.js:52:9:52:16 | source() | immutable.js:52:64:52:64 | x |
+| immutable.js:54:8:54:15 | source() | immutable.js:54:63:54:63 | x |
+| immutable.js:56:6:56:13 | source() | immutable.js:56:62:56:62 | x |
+| immutable.js:58:13:58:20 | source() | immutable.js:58:69:58:69 | x |

From ac0f2d37db0db2942e4a60ffde58cca28cd3fd70 Mon Sep 17 00:00:00 2001
From: Rasmus Wriedt Larsen <rasmuswl@github.com>
Date: Thu, 4 Feb 2021 12:09:07 +0100
Subject: [PATCH 152/429] Python: Fix small typo in test-output

Spotted by yoff in https://github.com/github/codeql/pull/5069#discussion_r570063207
---
 python/ql/test/experimental/dataflow/import-helper/test4.py | 2 +-
 python/ql/test/experimental/dataflow/import-helper/test7.py | 4 ++--
 2 files changed, 3 insertions(+), 3 deletions(-)

diff --git a/python/ql/test/experimental/dataflow/import-helper/test4.py b/python/ql/test/experimental/dataflow/import-helper/test4.py
index 88ed9a69864..9e7f4f66d27 100644
--- a/python/ql/test/experimental/dataflow/import-helper/test4.py
+++ b/python/ql/test/experimental/dataflow/import-helper/test4.py
@@ -1,4 +1,4 @@
 import mypkg.foo as _foo
 import mypkg.bar as _bar
-print(_foo)  # <module 'mypkg.bar' ...
+print(_foo)  # <module 'mypkg.foo' ...
 print(_bar)  # <module 'mypkg.bar' ...
diff --git a/python/ql/test/experimental/dataflow/import-helper/test7.py b/python/ql/test/experimental/dataflow/import-helper/test7.py
index ea95961eb3d..ea6f083149c 100644
--- a/python/ql/test/experimental/dataflow/import-helper/test7.py
+++ b/python/ql/test/experimental/dataflow/import-helper/test7.py
@@ -4,7 +4,7 @@ print(foo)  # 42
 
 import mypkg.foo
 print(foo)  # 42
-print(mypkg.foo)  # <module 'mypkg.bar' ...
+print(mypkg.foo)  # <module 'mypkg.foo' ...
 
 from mypkg import foo
-print(foo)  # <module 'mypkg.bar' ...
+print(foo)  # <module 'mypkg.foo' ...

From e5ec1e105cc1cd0f0054a20f0e03e8689a883bf3 Mon Sep 17 00:00:00 2001
From: Taus <tausbn@gmail.com>
Date: Thu, 4 Feb 2021 12:18:07 +0100
Subject: [PATCH 153/429] Python: Fix typos in test files

Co-authored-by: yoff <lerchedahl@gmail.com>
---
 python/ql/test/experimental/dataflow/ApiGraphs/test7.py | 4 ++--
 1 file changed, 2 insertions(+), 2 deletions(-)

diff --git a/python/ql/test/experimental/dataflow/ApiGraphs/test7.py b/python/ql/test/experimental/dataflow/ApiGraphs/test7.py
index 6ecb6e3e3f8..e74159efaed 100644
--- a/python/ql/test/experimental/dataflow/ApiGraphs/test7.py
+++ b/python/ql/test/experimental/dataflow/ApiGraphs/test7.py
@@ -4,7 +4,7 @@ print(foo) #$ use=moduleImport("mypkg").getMember("foo") // 42
 
 import mypkg.foo #$ use=moduleImport("mypkg")
 print(foo) #$ use=moduleImport("mypkg").getMember("foo") // 42
-print(mypkg.foo) #$ use=moduleImport("mypkg").getMember("foo") // <module 'mypkg.bar' ...
+print(mypkg.foo) #$ use=moduleImport("mypkg").getMember("foo") // <module 'mypkg.foo' ...
 
 from mypkg import foo #$ use=moduleImport("mypkg").getMember("foo")
-print(foo) #$ use=moduleImport("mypkg").getMember("foo") // <module 'mypkg.bar' ...
+print(foo) #$ use=moduleImport("mypkg").getMember("foo") // <module 'mypkg.foo' ...

From 4627799c936276c7eaf18ae885839e132c0f87d4 Mon Sep 17 00:00:00 2001
From: Taus <tausbn@gmail.com>
Date: Thu, 4 Feb 2021 12:41:17 +0100
Subject: [PATCH 154/429] Python: Fix more typos

Co-authored-by: Rasmus Wriedt Larsen <rasmuswriedtlarsen@gmail.com>
---
 python/ql/test/experimental/dataflow/ApiGraphs/test4.py | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)

diff --git a/python/ql/test/experimental/dataflow/ApiGraphs/test4.py b/python/ql/test/experimental/dataflow/ApiGraphs/test4.py
index 200d3b820c7..c1790aa2263 100644
--- a/python/ql/test/experimental/dataflow/ApiGraphs/test4.py
+++ b/python/ql/test/experimental/dataflow/ApiGraphs/test4.py
@@ -1,4 +1,4 @@
 import mypkg.foo as _foo #$ use=moduleImport("mypkg").getMember("foo")
 import mypkg.bar as _bar #$ use=moduleImport("mypkg").getMember("bar")
-print(_foo) #$ use=moduleImport("mypkg").getMember("foo") // <module 'mypkg.bar' ...
+print(_foo) #$ use=moduleImport("mypkg").getMember("foo") // <module 'mypkg.foo' ...
 print(_bar) #$ use=moduleImport("mypkg").getMember("bar") // <module 'mypkg.bar' ...

From ecfad6b5c77bb49ead6168a335a18c125e5a0e9a Mon Sep 17 00:00:00 2001
From: Julian Tibble <tibbes@github.com>
Date: Thu, 4 Feb 2021 11:45:15 +0000
Subject: [PATCH 155/429] Update CodeQL workflow

Bring the CodeQL workflow up to date with the latest recommended
configuration, which analyses the merge commit of pull requests (not the
head of the PR branch).
---
 .github/workflows/codeql-analysis.yml | 9 ---------
 1 file changed, 9 deletions(-)

diff --git a/.github/workflows/codeql-analysis.yml b/.github/workflows/codeql-analysis.yml
index f1844da86cf..97cd263364c 100644
--- a/.github/workflows/codeql-analysis.yml
+++ b/.github/workflows/codeql-analysis.yml
@@ -14,16 +14,7 @@ jobs:
     steps:
     - name: Checkout repository
       uses: actions/checkout@v2
-      with:
-        # We must fetch at least the immediate parents so that if this is
-        # a pull request then we can checkout the head.
-        fetch-depth: 2
 
-    # If this run was triggered by a pull request event, then checkout
-    # the head of the pull request instead of the merge commit.
-    - run: git checkout HEAD^2
-      if: ${{ github.event_name == 'pull_request' }}
-      
     # Initializes the CodeQL tools for scanning.
     - name: Initialize CodeQL
       uses: github/codeql-action/init@v1

From 121ffbbfa8c78ec150fba7d4b203b52bbb065683 Mon Sep 17 00:00:00 2001
From: Julian Tibble <tibbes@github.com>
Date: Thu, 4 Feb 2021 11:49:15 +0000
Subject: [PATCH 156/429] Restrict triggers for CodeQL workflow

Analysing all branches on both 'push' and 'pull request' events causes
duplicate analysis. It is only necessary to analyse the _target_
branches of pull requests on push.
---
 .github/workflows/codeql-analysis.yml | 6 ++++++
 1 file changed, 6 insertions(+)

diff --git a/.github/workflows/codeql-analysis.yml b/.github/workflows/codeql-analysis.yml
index 97cd263364c..7f218e99da4 100644
--- a/.github/workflows/codeql-analysis.yml
+++ b/.github/workflows/codeql-analysis.yml
@@ -2,7 +2,13 @@ name: "Code scanning - action"
 
 on:
   push:
+    branches:
+      - main
+      - 'rc/*'
   pull_request:
+    branches:
+      - main
+      - 'rc/*'
   schedule:
     - cron: '0 9 * * 1'
 

From d01d7eea822a46121283fa123af02e72c8b3a6e0 Mon Sep 17 00:00:00 2001
From: Taus Brock-Nannestad <tausbn@github.com>
Date: Thu, 4 Feb 2021 13:08:19 +0100
Subject: [PATCH 157/429] Python: Add documentation from
 `DataFlowUtil::importNode`

---
 python/ql/src/semmle/python/ApiGraphs.qll | 43 ++++++++++++++++++++++-
 1 file changed, 42 insertions(+), 1 deletion(-)

diff --git a/python/ql/src/semmle/python/ApiGraphs.qll b/python/ql/src/semmle/python/ApiGraphs.qll
index 49f1ee1303c..28918f438cb 100644
--- a/python/ql/src/semmle/python/ApiGraphs.qll
+++ b/python/ql/src/semmle/python/ApiGraphs.qll
@@ -257,7 +257,29 @@ module API {
       )
     }
 
-    /** Holds if `imp` is an import of a module named `name` */
+    /**
+     * Holds if `import_node` is an import of a module named `name`
+     *
+     * Ignores relative imports (`from ..foo import bar`).
+     *
+     * Note that for the statement `import pkg.mod`, the new variable introduced is `pkg` that is a
+     * reference to the module `pkg`.
+     *
+     * This predicate handles (with optional `... as <new-name>`):
+     * 1. `import <name>`
+     * 2. `from <package> import <module>` when `<name> = <package> + "." + <module>`
+     * 3. `from <module> import <member>` when `<name> = <module> + "." + <member>`
+     *
+     * Finally, in `from <module> import <member>` we consider the `ImportExpr` corresponding to
+     * `<module>` to be a reference to that module.
+     *
+     * Note:
+     * While it is technically possible that `import mypkg.foo` and `from mypkg import foo` can give different values,
+     * it's highly unlikely that this will be a problem in production level code.
+     *   Example: If `mypkg/__init__.py` contains `foo = 42`, then `from mypkg import foo` will not import the module
+     *   `mypkg/foo.py` but the variable `foo` containing `42` -- however, `import mypkg.foo` will always cause `mypkg.foo`
+     *   to refer to the module.
+     */
     private predicate imports(DataFlow::Node import_node, string name) {
       exists(Variable var, Import imp, Alias alias |
         alias = imp.getAName() and
@@ -271,6 +293,25 @@ module API {
         import_node.asExpr() = alias.getValue()
       )
       or
+      // Although it may seem superfluous to consider the `foo` part of `from foo import bar as baz` to
+      // be a reference to a module (since that reference only makes sense locally within the `import`
+      // statement), it's important for our use of type trackers to consider this local reference to
+      // also refer to the `foo` module. That way, if one wants to track references to the `bar`
+      // attribute using a type tracker, one can simply write
+      //
+      // ```ql
+      // DataFlow::Node bar_attr_tracker(TypeTracker t) {
+      //   t.startInAttr("bar") and
+      //   result = foo_module_tracker()
+      //   or
+      //   exists(TypeTracker t2 | result = bar_attr_tracker(t2).track(t2, t))
+      // }
+      // ```
+      //
+      // Where `foo_module_tracker` is a type tracker that tracks references to the `foo` module.
+      // Because named imports are modelled as `AttrRead`s, the statement `from foo import bar as baz`
+      // is interpreted as if it was an assignment `baz = foo.bar`, which means `baz` gets tracked as a
+      // reference to `foo.bar`, as desired.
       exists(ImportExpr imp_expr |
         not imp_expr.isRelative() and
         imp_expr.getName() = name and

From b55921a391a4a49bf3155b8d35057ffac49ecdff Mon Sep 17 00:00:00 2001
From: Mathias Vorreiter Pedersen <mathiasvp@github.com>
Date: Thu, 4 Feb 2021 13:25:02 +0100
Subject: [PATCH 158/429] Update
 cpp/ql/src/experimental/Security/CWE/CWE-191/UnsignedDifferenceExpressionComparedZero.ql

Co-authored-by: Geoffrey White <40627776+geoffw0@users.noreply.github.com>
---
 .../CWE/CWE-191/UnsignedDifferenceExpressionComparedZero.ql     | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)

diff --git a/cpp/ql/src/experimental/Security/CWE/CWE-191/UnsignedDifferenceExpressionComparedZero.ql b/cpp/ql/src/experimental/Security/CWE/CWE-191/UnsignedDifferenceExpressionComparedZero.ql
index 7b110ec24db..3de8ddefeaf 100644
--- a/cpp/ql/src/experimental/Security/CWE/CWE-191/UnsignedDifferenceExpressionComparedZero.ql
+++ b/cpp/ql/src/experimental/Security/CWE/CWE-191/UnsignedDifferenceExpressionComparedZero.ql
@@ -17,7 +17,7 @@ import semmle.code.cpp.valuenumbering.GlobalValueNumbering
 import semmle.code.cpp.rangeanalysis.SimpleRangeAnalysis
 import semmle.code.cpp.controlflow.Guards
 
-/** Holds if `sub` will never be nonnegative. */
+/** Holds if `sub` will never be negative. */
 predicate nonNegative(SubExpr sub) {
   not exprMightOverflowNegatively(sub.getFullyConverted())
   or

From 2131f3580167e37e23daf77313bc4cde0a6b4615 Mon Sep 17 00:00:00 2001
From: ihsinme <61293369+ihsinme@users.noreply.github.com>
Date: Thu, 4 Feb 2021 15:41:40 +0300
Subject: [PATCH 159/429] Update
 WrongInDetectingAndHandlingMemoryAllocationErrors.ql

---
 .../WrongInDetectingAndHandlingMemoryAllocationErrors.ql    | 6 ++----
 1 file changed, 2 insertions(+), 4 deletions(-)

diff --git a/cpp/ql/src/experimental/Security/CWE/CWE-570/WrongInDetectingAndHandlingMemoryAllocationErrors.ql b/cpp/ql/src/experimental/Security/CWE/CWE-570/WrongInDetectingAndHandlingMemoryAllocationErrors.ql
index 403d8388b17..0181744bb86 100644
--- a/cpp/ql/src/experimental/Security/CWE/CWE-570/WrongInDetectingAndHandlingMemoryAllocationErrors.ql
+++ b/cpp/ql/src/experimental/Security/CWE/CWE-570/WrongInDetectingAndHandlingMemoryAllocationErrors.ql
@@ -1,5 +1,5 @@
 /**
- * @name Сonfusion In Detecting And Handling Memory Allocation Errors
+ * @name onfusion In Detecting And Handling Memory Allocation Errors
  * @description --::operator new(std::size_t) throws an exception on error, and ::operator new(std::size_t, const std::nothrow_t &) returns zero on error.
  *              --the programmer can get confused when check the error that occurs when allocating memory incorrectly.
  * @kind problem
@@ -47,9 +47,7 @@ class WrongCheckErrorOperatorNew extends FunctionCall {
    * Holds if handler `try ... catch` exists.
    */
   predicate isExistsTryCatchBlock() {
-    exists(TryStmt ts |
-      this.getEnclosingStmt() = ts.getStmt().getAChild*()
-    )
+    exists(TryStmt ts | this.getEnclosingStmt() = ts.getStmt().getAChild*())
   }
 
   /**

From a43167faf7cbb82cf0d4f3eaa5ca492818e7a9f0 Mon Sep 17 00:00:00 2001
From: ihsinme <61293369+ihsinme@users.noreply.github.com>
Date: Thu, 4 Feb 2021 15:44:28 +0300
Subject: [PATCH 160/429] Update
 WrongInDetectingAndHandlingMemoryAllocationErrors.qhelp

---
 .../WrongInDetectingAndHandlingMemoryAllocationErrors.qhelp     | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)

diff --git a/cpp/ql/src/experimental/Security/CWE/CWE-570/WrongInDetectingAndHandlingMemoryAllocationErrors.qhelp b/cpp/ql/src/experimental/Security/CWE/CWE-570/WrongInDetectingAndHandlingMemoryAllocationErrors.qhelp
index c3e543a1b58..9e6cb2d89ce 100644
--- a/cpp/ql/src/experimental/Security/CWE/CWE-570/WrongInDetectingAndHandlingMemoryAllocationErrors.qhelp
+++ b/cpp/ql/src/experimental/Security/CWE/CWE-570/WrongInDetectingAndHandlingMemoryAllocationErrors.qhelp
@@ -3,7 +3,7 @@
   "qhelp.dtd">
 <qhelp>
 <overview>
-<p>When using the <code>new</code> operator to allocate memory, you need to pay attention to the different ways of detecting errors. <code>::operator new(std::size_t)</code> throws an exception on error, whereas <code>::operator new(std::size_t, const std::nothrow_t &)</code> returns zero on error. The programmer can get confused and check the error that occurs when allocating memory incorrectly. That can lead to an unhandled program termination or to a violation of the program logic.</p>
+<p>When using the <code>new</code> operator to allocate memory, you need to pay attention to the different ways of detecting errors. <code>::operator new(std::size_t)</code> throws an exception on error, whereas <code>::operator new(std::size_t, const std::nothrow_t &amp;)</code> returns zero on error. The programmer can get confused and check the error that occurs when allocating memory incorrectly. That can lead to an unhandled program termination or to a violation of the program logic.</p>
 
 </overview>
 <recommendation>

From 43045c1f034b9fe2eeeb7f6746f02a7392921725 Mon Sep 17 00:00:00 2001
From: ihsinme <61293369+ihsinme@users.noreply.github.com>
Date: Thu, 4 Feb 2021 15:47:16 +0300
Subject: [PATCH 161/429] Update
 WrongInDetectingAndHandlingMemoryAllocationErrors.ql

---
 .../WrongInDetectingAndHandlingMemoryAllocationErrors.ql        | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)

diff --git a/cpp/ql/src/experimental/Security/CWE/CWE-570/WrongInDetectingAndHandlingMemoryAllocationErrors.ql b/cpp/ql/src/experimental/Security/CWE/CWE-570/WrongInDetectingAndHandlingMemoryAllocationErrors.ql
index 0181744bb86..dd9c16fac11 100644
--- a/cpp/ql/src/experimental/Security/CWE/CWE-570/WrongInDetectingAndHandlingMemoryAllocationErrors.ql
+++ b/cpp/ql/src/experimental/Security/CWE/CWE-570/WrongInDetectingAndHandlingMemoryAllocationErrors.ql
@@ -1,5 +1,5 @@
 /**
- * @name onfusion In Detecting And Handling Memory Allocation Errors
+ * @name Detect And Handle Memory Allocation Errors
  * @description --::operator new(std::size_t) throws an exception on error, and ::operator new(std::size_t, const std::nothrow_t &) returns zero on error.
  *              --the programmer can get confused when check the error that occurs when allocating memory incorrectly.
  * @kind problem

From 4af7bc8090e41da6c30df62b50694c7cb8f6a63f Mon Sep 17 00:00:00 2001
From: Rasmus Wriedt Larsen <rasmuswl@github.com>
Date: Thu, 4 Feb 2021 14:30:56 +0100
Subject: [PATCH 162/429] Docs: Use /blob/ instead of /tree/ for direct query
 link

It doesn't have a huge impact, since there is a working redirect in place, but
still more correct to use /blob/ :)

For example,

https://github.com/github/codeql/tree/main/python/ql/src/Security/CWE-094/CodeInjection.ql

redirects to

https://github.com/github/codeql/blob/main/python/ql/src/Security/CWE-094/CodeInjection.ql
---
 docs/codeql/query-help-markdown.py | 4 ++--
 1 file changed, 2 insertions(+), 2 deletions(-)

diff --git a/docs/codeql/query-help-markdown.py b/docs/codeql/query-help-markdown.py
index 9313d4b170d..350c9aefce2 100644
--- a/docs/codeql/query-help-markdown.py
+++ b/docs/codeql/query-help-markdown.py
@@ -188,10 +188,10 @@ for lang in languages:
             # Build a link to the query source file for display in the query help
             if "go" in prefix_repo_nwo(queryfile):
                 transform_link = prefix_repo_nwo(queryfile).replace(
-                    "codeql-go", "codeql-go/tree/main").replace(" ", "%20").replace("\\", "/")
+                    "codeql-go", "codeql-go/blob/main").replace(" ", "%20").replace("\\", "/")
             else:
                 transform_link = prefix_repo_nwo(queryfile).replace(
-                    "codeql", "codeql/tree/main").replace(" ", "%20").replace("\\", "/")
+                    "codeql", "codeql/blob/main").replace(" ", "%20").replace("\\", "/")
             query_link = "[Click to see the query in the CodeQL repository](https://github.com/" + \
                 transform_link + ")\n"
             

From ce27831b767c4050f150660ad6f050d362800284 Mon Sep 17 00:00:00 2001
From: Tamas Vajk <tamasvajk@github.com>
Date: Thu, 4 Feb 2021 14:43:51 +0100
Subject: [PATCH 163/429] C#: Fix nullable warnings and some code quality
 issues

---
 .../Semmle.Extraction.CIL/Entities/ConstructedType.cs |  1 -
 .../Semmle.Extraction.CIL/Entities/Instruction.cs     |  2 +-
 .../Entities/NamedTypeIdWriter.cs                     |  1 -
 .../NoMetadataHandleType.FullyQualifiedNameParser.cs  |  2 +-
 .../Entities/NoMetadataHandleType.cs                  |  2 +-
 .../Entities/SignatureDecoder.cs                      |  1 -
 .../Entities/TypeDefinitionType.cs                    |  4 +---
 .../Entities/TypeReferenceType.cs                     |  2 --
 .../Semmle.Extraction.CIL/PDB/MetadataPdbReader.cs    |  2 +-
 csharp/extractor/Semmle.Extraction.CIL/PDB/Method.cs  |  1 -
 .../Semmle.Extraction.CIL/PDB/NativePdbReader.cs      |  1 -
 .../extractor/Semmle.Extraction.CIL/PDB/PdbReader.cs  |  5 ++---
 .../Semmle.Extraction.CSharp.Driver/Driver.cs         |  2 +-
 .../Semmle.Extraction.CSharp/Entities/CommentLine.cs  |  4 +---
 .../Entities/LocalFunction.cs                         |  2 --
 .../Populators/DirectiveVisitor.cs                    |  1 -
 .../extractor/Semmle.Extraction/CommentProcessing.cs  | 11 +++++++----
 csharp/extractor/Semmle.Extraction/Context.cs         | 10 +++++-----
 .../extractor/Semmle.Extraction/Entities/Assembly.cs  |  2 +-
 .../Semmle.Extraction/Entities/ExtractionError.cs     |  3 ++-
 .../Semmle.Extraction/Entities/SourceLocation.cs      |  6 ++----
 csharp/extractor/Semmle.Extraction/Extractor.cs       |  1 -
 csharp/extractor/Semmle.Extraction/Message.cs         | 10 +++++-----
 csharp/extractor/Semmle.Util/Win32.cs                 |  2 +-
 24 files changed, 32 insertions(+), 46 deletions(-)

diff --git a/csharp/extractor/Semmle.Extraction.CIL/Entities/ConstructedType.cs b/csharp/extractor/Semmle.Extraction.CIL/Entities/ConstructedType.cs
index 5be671055eb..be2ab5da4d8 100644
--- a/csharp/extractor/Semmle.Extraction.CIL/Entities/ConstructedType.cs
+++ b/csharp/extractor/Semmle.Extraction.CIL/Entities/ConstructedType.cs
@@ -1,5 +1,4 @@
 using System;
-using Microsoft.CodeAnalysis;
 using System.Linq;
 using System.Collections.Generic;
 using System.IO;
diff --git a/csharp/extractor/Semmle.Extraction.CIL/Entities/Instruction.cs b/csharp/extractor/Semmle.Extraction.CIL/Entities/Instruction.cs
index 9512cfc5690..75d0aab454a 100644
--- a/csharp/extractor/Semmle.Extraction.CIL/Entities/Instruction.cs
+++ b/csharp/extractor/Semmle.Extraction.CIL/Entities/Instruction.cs
@@ -481,7 +481,7 @@ namespace Semmle.Extraction.CIL.Entities
                 // TODO: Find a solution to this.
 
                 // For now, just log the error
-                Cx.Cx.ExtractionError("A CIL instruction jumps outside the current method", "", Extraction.Entities.GeneratedLocation.Create(Cx.Cx), "", Util.Logging.Severity.Warning);
+                Cx.Cx.ExtractionError("A CIL instruction jumps outside the current method", null, Extraction.Entities.GeneratedLocation.Create(Cx.Cx), "", Util.Logging.Severity.Warning);
             }
         }
     }
diff --git a/csharp/extractor/Semmle.Extraction.CIL/Entities/NamedTypeIdWriter.cs b/csharp/extractor/Semmle.Extraction.CIL/Entities/NamedTypeIdWriter.cs
index 35881b67257..98f9e94ec82 100644
--- a/csharp/extractor/Semmle.Extraction.CIL/Entities/NamedTypeIdWriter.cs
+++ b/csharp/extractor/Semmle.Extraction.CIL/Entities/NamedTypeIdWriter.cs
@@ -1,4 +1,3 @@
-using Microsoft.CodeAnalysis;
 using System.Linq;
 using System.IO;
 
diff --git a/csharp/extractor/Semmle.Extraction.CIL/Entities/NoMetadataHandleType.FullyQualifiedNameParser.cs b/csharp/extractor/Semmle.Extraction.CIL/Entities/NoMetadataHandleType.FullyQualifiedNameParser.cs
index d7940be6cc5..999259e9ad6 100644
--- a/csharp/extractor/Semmle.Extraction.CIL/Entities/NoMetadataHandleType.FullyQualifiedNameParser.cs
+++ b/csharp/extractor/Semmle.Extraction.CIL/Entities/NoMetadataHandleType.FullyQualifiedNameParser.cs
@@ -22,7 +22,7 @@ namespace Semmle.Extraction.CIL.Entities
         private class FullyQualifiedNameParser
         {
             public string ShortName { get; internal set; }
-            public string? AssemblyName { get; internal set; }
+            public string? AssemblyName { get; private set; }
             public IEnumerable<string>? TypeArguments { get; internal set; }
             public string? UnboundGenericTypeName { get; internal set; }
             public string ContainerName { get; internal set; }
diff --git a/csharp/extractor/Semmle.Extraction.CIL/Entities/NoMetadataHandleType.cs b/csharp/extractor/Semmle.Extraction.CIL/Entities/NoMetadataHandleType.cs
index fde969d12b9..c1259534f79 100644
--- a/csharp/extractor/Semmle.Extraction.CIL/Entities/NoMetadataHandleType.cs
+++ b/csharp/extractor/Semmle.Extraction.CIL/Entities/NoMetadataHandleType.cs
@@ -66,7 +66,7 @@ namespace Semmle.Extraction.CIL.Entities
 
         private void Populate()
         {
-            if (isContainerNamespace)
+            if (ContainingNamespace is object)
             {
                 Cx.Populate(ContainingNamespace);
             }
diff --git a/csharp/extractor/Semmle.Extraction.CIL/Entities/SignatureDecoder.cs b/csharp/extractor/Semmle.Extraction.CIL/Entities/SignatureDecoder.cs
index a80f456df72..a955ef685c0 100644
--- a/csharp/extractor/Semmle.Extraction.CIL/Entities/SignatureDecoder.cs
+++ b/csharp/extractor/Semmle.Extraction.CIL/Entities/SignatureDecoder.cs
@@ -1,7 +1,6 @@
 using System.Reflection.Metadata;
 using System.Collections.Immutable;
 using System.IO;
-using System.Linq;
 
 namespace Semmle.Extraction.CIL.Entities
 {
diff --git a/csharp/extractor/Semmle.Extraction.CIL/Entities/TypeDefinitionType.cs b/csharp/extractor/Semmle.Extraction.CIL/Entities/TypeDefinitionType.cs
index 44bb9020813..461141ae719 100644
--- a/csharp/extractor/Semmle.Extraction.CIL/Entities/TypeDefinitionType.cs
+++ b/csharp/extractor/Semmle.Extraction.CIL/Entities/TypeDefinitionType.cs
@@ -1,12 +1,10 @@
 using System;
-using Microsoft.CodeAnalysis;
-using System.Reflection.Metadata;
-using System.Collections.Immutable;
 using System.Linq;
 using System.Collections.Generic;
 using System.Reflection;
 using System.IO;
 using System.Reflection.Metadata.Ecma335;
+using System.Reflection.Metadata;
 
 namespace Semmle.Extraction.CIL.Entities
 {
diff --git a/csharp/extractor/Semmle.Extraction.CIL/Entities/TypeReferenceType.cs b/csharp/extractor/Semmle.Extraction.CIL/Entities/TypeReferenceType.cs
index 2ffa9e9e5d8..49a15965dd0 100644
--- a/csharp/extractor/Semmle.Extraction.CIL/Entities/TypeReferenceType.cs
+++ b/csharp/extractor/Semmle.Extraction.CIL/Entities/TypeReferenceType.cs
@@ -1,7 +1,5 @@
 using System;
-using Microsoft.CodeAnalysis;
 using System.Reflection.Metadata;
-using System.Collections.Immutable;
 using System.Linq;
 using System.Collections.Generic;
 using System.IO;
diff --git a/csharp/extractor/Semmle.Extraction.CIL/PDB/MetadataPdbReader.cs b/csharp/extractor/Semmle.Extraction.CIL/PDB/MetadataPdbReader.cs
index c6d02a119dc..81c91946657 100644
--- a/csharp/extractor/Semmle.Extraction.CIL/PDB/MetadataPdbReader.cs
+++ b/csharp/extractor/Semmle.Extraction.CIL/PDB/MetadataPdbReader.cs
@@ -76,7 +76,7 @@ namespace Semmle.Extraction.PDB
                     out provider,
                     out _))
                 {
-                    return new MetadataPdbReader(provider);
+                    return new MetadataPdbReader(provider!);
                 }
             }
 
diff --git a/csharp/extractor/Semmle.Extraction.CIL/PDB/Method.cs b/csharp/extractor/Semmle.Extraction.CIL/PDB/Method.cs
index e0d41bed77a..6a534a4dd20 100644
--- a/csharp/extractor/Semmle.Extraction.CIL/PDB/Method.cs
+++ b/csharp/extractor/Semmle.Extraction.CIL/PDB/Method.cs
@@ -1,5 +1,4 @@
 using System.Collections.Generic;
-using System.Reflection.Metadata;
 using System.Linq;
 
 namespace Semmle.Extraction.PDB
diff --git a/csharp/extractor/Semmle.Extraction.CIL/PDB/NativePdbReader.cs b/csharp/extractor/Semmle.Extraction.CIL/PDB/NativePdbReader.cs
index 6d49dd8fd85..0a8479fb454 100644
--- a/csharp/extractor/Semmle.Extraction.CIL/PDB/NativePdbReader.cs
+++ b/csharp/extractor/Semmle.Extraction.CIL/PDB/NativePdbReader.cs
@@ -6,7 +6,6 @@ using Microsoft.DiaSymReader;
 using System.Reflection.Metadata.Ecma335;
 using System.Reflection.Metadata;
 using System.IO;
-using System.Reflection;
 
 namespace Semmle.Extraction.PDB
 {
diff --git a/csharp/extractor/Semmle.Extraction.CIL/PDB/PdbReader.cs b/csharp/extractor/Semmle.Extraction.CIL/PDB/PdbReader.cs
index c84cd6a824f..1f0f1b455dc 100644
--- a/csharp/extractor/Semmle.Extraction.CIL/PDB/PdbReader.cs
+++ b/csharp/extractor/Semmle.Extraction.CIL/PDB/PdbReader.cs
@@ -1,9 +1,8 @@
-using System.Linq;
-using System.Reflection.PortableExecutable;
+using System.Reflection.PortableExecutable;
 
 namespace Semmle.Extraction.PDB
 {
-    internal class PdbReader
+    internal static class PdbReader
     {
         /// <summary>
         /// Returns the PDB information associated with an assembly.
diff --git a/csharp/extractor/Semmle.Extraction.CSharp.Driver/Driver.cs b/csharp/extractor/Semmle.Extraction.CSharp.Driver/Driver.cs
index 5806bd375b1..1c4142097fe 100644
--- a/csharp/extractor/Semmle.Extraction.CSharp.Driver/Driver.cs
+++ b/csharp/extractor/Semmle.Extraction.CSharp.Driver/Driver.cs
@@ -3,7 +3,7 @@ namespace Semmle.Extraction.CSharp
     /// <summary>
     /// A command-line driver for the extractor.
     /// </summary>
-    public class Driver
+    public static class Driver
     {
         public static int Main(string[] args)
         {
diff --git a/csharp/extractor/Semmle.Extraction.CSharp/Entities/CommentLine.cs b/csharp/extractor/Semmle.Extraction.CSharp/Entities/CommentLine.cs
index f6348211695..e390cb8c509 100644
--- a/csharp/extractor/Semmle.Extraction.CSharp/Entities/CommentLine.cs
+++ b/csharp/extractor/Semmle.Extraction.CSharp/Entities/CommentLine.cs
@@ -1,6 +1,4 @@
 using Semmle.Extraction.CommentProcessing;
-using Microsoft.CodeAnalysis;
-using Microsoft.CodeAnalysis.CSharp;
 using Semmle.Extraction.Entities;
 using System.IO;
 
@@ -21,7 +19,7 @@ namespace Semmle.Extraction.CSharp.Entities
         public string Text { get { return symbol.Item2; } }
         public string RawText { get; private set; }
 
-        private Extraction.Entities.Location location;
+        private Location location;
 
         public override void Populate(TextWriter trapFile)
         {
diff --git a/csharp/extractor/Semmle.Extraction.CSharp/Entities/LocalFunction.cs b/csharp/extractor/Semmle.Extraction.CSharp/Entities/LocalFunction.cs
index 921036250d1..b376566e841 100644
--- a/csharp/extractor/Semmle.Extraction.CSharp/Entities/LocalFunction.cs
+++ b/csharp/extractor/Semmle.Extraction.CSharp/Entities/LocalFunction.cs
@@ -1,8 +1,6 @@
 using Microsoft.CodeAnalysis;
-using Microsoft.CodeAnalysis.CSharp.Syntax;
 using System;
 using System.IO;
-using System.Linq;
 
 namespace Semmle.Extraction.CSharp.Entities
 {
diff --git a/csharp/extractor/Semmle.Extraction.CSharp/Populators/DirectiveVisitor.cs b/csharp/extractor/Semmle.Extraction.CSharp/Populators/DirectiveVisitor.cs
index 4098576a86d..9ec8d095290 100644
--- a/csharp/extractor/Semmle.Extraction.CSharp/Populators/DirectiveVisitor.cs
+++ b/csharp/extractor/Semmle.Extraction.CSharp/Populators/DirectiveVisitor.cs
@@ -1,5 +1,4 @@
 using System.Collections.Generic;
-using System.Linq;
 using Microsoft.CodeAnalysis;
 using Microsoft.CodeAnalysis.CSharp;
 using Microsoft.CodeAnalysis.CSharp.Syntax;
diff --git a/csharp/extractor/Semmle.Extraction/CommentProcessing.cs b/csharp/extractor/Semmle.Extraction/CommentProcessing.cs
index f407f5703fe..201ac705136 100644
--- a/csharp/extractor/Semmle.Extraction/CommentProcessing.cs
+++ b/csharp/extractor/Semmle.Extraction/CommentProcessing.cs
@@ -53,7 +53,7 @@ namespace Semmle.Extraction.CommentProcessing
             if (l2 == null)
                 return 1;
 
-            var diff = l1.SourceTree == l2.SourceTree ? 0 : l1.SourceTree.FilePath.CompareTo(l2.SourceTree.FilePath);
+            var diff = l1.SourceTree == l2.SourceTree ? 0 : l1.SourceTree!.FilePath.CompareTo(l2.SourceTree!.FilePath);
             if (diff != 0)
                 return diff;
             diff = l1.SourceSpan.Start - l2.SourceSpan.Start;
@@ -384,9 +384,12 @@ namespace Semmle.Extraction.CommentProcessing
         /// <param name="line">The line to add.</param>
         public void AddCommentLine(ICommentLine line)
         {
-            Location = !lines.Any() ?
-                line.Location :
-                Location.Create(line.Location.SourceTree, new TextSpan(Location.SourceSpan.Start, line.Location.SourceSpan.End - Location.SourceSpan.Start));
+            Location = !lines.Any()
+                ? line.Location
+                : Location.Create(
+                    line.Location.SourceTree!,
+                    new TextSpan(Location.SourceSpan.Start, line.Location.SourceSpan.End - Location.SourceSpan.Start));
+
             lines.Add(line);
         }
     }
diff --git a/csharp/extractor/Semmle.Extraction/Context.cs b/csharp/extractor/Semmle.Extraction/Context.cs
index 10a24990a13..e6b4826f2ef 100644
--- a/csharp/extractor/Semmle.Extraction/Context.cs
+++ b/csharp/extractor/Semmle.Extraction/Context.cs
@@ -215,7 +215,7 @@ namespace Semmle.Extraction
                 }
                 catch (Exception ex)  // lgtm[cs/catch-of-all-exceptions]
                 {
-                    ExtractionError("Uncaught exception", ex.Message, Entities.Location.Create(this), ex.StackTrace);
+                    ExtractionError($"Uncaught exception. {ex.Message}", null, Entities.Location.Create(this), ex.StackTrace);
                 }
             }
         }
@@ -246,7 +246,7 @@ namespace Semmle.Extraction
 
         public ICommentGenerator CommentGenerator { get; } = new CommentProcessor();
 
-        private IExtractionScope scope;
+        private readonly IExtractionScope scope;
 
         public bool IsAssemblyScope => scope is AssemblyScope;
 
@@ -423,7 +423,7 @@ namespace Semmle.Extraction
         /// <param name="location">The location of the error.</param>
         /// <param name="stackTrace">An optional stack trace of the error, or null.</param>
         /// <param name="severity">The severity of the error.</param>
-        public void ExtractionError(string message, string entityText, Entities.Location location, string? stackTrace = null, Severity severity = Severity.Error)
+        public void ExtractionError(string message, string? entityText, Entities.Location? location, string? stackTrace = null, Severity severity = Severity.Error)
         {
             var msg = new Message(message, entityText, location, stackTrace, severity);
             ExtractionError(msg);
@@ -447,7 +447,7 @@ namespace Semmle.Extraction
             }
             else
             {
-                ExtractionError(message, "", Entities.Location.Create(this));
+                ExtractionError(message, null, Entities.Location.Create(this));
             }
         }
 
@@ -531,7 +531,7 @@ namespace Semmle.Extraction
                 }
                 else
                 {
-                    message = new Message("Uncaught exception", ex.Message, Entities.Location.Create(context), ex.StackTrace);
+                    message = new Message($"Uncaught exception. {ex.Message}", null, Entities.Location.Create(context), ex.StackTrace);
                 }
 
                 context.ExtractionError(message);
diff --git a/csharp/extractor/Semmle.Extraction/Entities/Assembly.cs b/csharp/extractor/Semmle.Extraction/Entities/Assembly.cs
index a6210356199..df3a5757618 100644
--- a/csharp/extractor/Semmle.Extraction/Entities/Assembly.cs
+++ b/csharp/extractor/Semmle.Extraction/Entities/Assembly.cs
@@ -19,7 +19,7 @@ namespace Semmle.Extraction.Entities
             }
             else
             {
-                assembly = init.MetadataModule.ContainingAssembly;
+                assembly = init.MetadataModule!.ContainingAssembly;
                 var identity = assembly.Identity;
                 var idString = identity.Name + " " + identity.Version;
                 assemblyPath = cx.Extractor.GetAssemblyFile(idString);
diff --git a/csharp/extractor/Semmle.Extraction/Entities/ExtractionError.cs b/csharp/extractor/Semmle.Extraction/Entities/ExtractionError.cs
index 82257513260..3df0ce3bb61 100644
--- a/csharp/extractor/Semmle.Extraction/Entities/ExtractionError.cs
+++ b/csharp/extractor/Semmle.Extraction/Entities/ExtractionError.cs
@@ -14,7 +14,8 @@ namespace Semmle.Extraction.Entities
 
         protected override void Populate(TextWriter trapFile)
         {
-            trapFile.extractor_messages(this, msg.Severity, "C# extractor", msg.Text, msg.EntityText, msg.Location ?? Location.Create(cx), msg.StackTrace);
+            trapFile.extractor_messages(this, msg.Severity, "C# extractor", msg.Text, msg.EntityText ?? string.Empty,
+                msg.Location ?? Location.Create(cx), msg.StackTrace ?? string.Empty);
         }
 
         public override TrapStackBehaviour TrapStackBehaviour => TrapStackBehaviour.NoLabel;
diff --git a/csharp/extractor/Semmle.Extraction/Entities/SourceLocation.cs b/csharp/extractor/Semmle.Extraction/Entities/SourceLocation.cs
index 41688033f04..e7bc4e3ea44 100644
--- a/csharp/extractor/Semmle.Extraction/Entities/SourceLocation.cs
+++ b/csharp/extractor/Semmle.Extraction/Entities/SourceLocation.cs
@@ -15,11 +15,9 @@ namespace Semmle.Extraction.Entities
 
     public class NonGeneratedSourceLocation : SourceLocation
     {
-        protected NonGeneratedSourceLocation(Context cx, Microsoft.CodeAnalysis.Location? init)
+        protected NonGeneratedSourceLocation(Context cx, Microsoft.CodeAnalysis.Location init)
             : base(cx, init)
         {
-            if (init is null)
-                throw new ArgumentException("Location may not be null", nameof(init));
             Position = init.GetLineSpan();
             FileEntity = File.Create(Context, Position.Path);
         }
@@ -32,7 +30,7 @@ namespace Semmle.Extraction.Entities
                 Position.Span.Start.Line + 1, Position.Span.Start.Character + 1,
                 Position.Span.End.Line + 1, Position.Span.End.Character);
 
-            var mapped = symbol.GetMappedLineSpan();
+            var mapped = symbol!.GetMappedLineSpan();
             if (mapped.HasMappedPath && mapped.IsValid)
             {
                 var mappedLoc = Create(Context, Microsoft.CodeAnalysis.Location.Create(mapped.Path, default, mapped.Span));
diff --git a/csharp/extractor/Semmle.Extraction/Extractor.cs b/csharp/extractor/Semmle.Extraction/Extractor.cs
index 1931aeeeb33..4f5c27f3a90 100644
--- a/csharp/extractor/Semmle.Extraction/Extractor.cs
+++ b/csharp/extractor/Semmle.Extraction/Extractor.cs
@@ -1,4 +1,3 @@
-using System;
 using System.Collections.Generic;
 using Microsoft.CodeAnalysis;
 using Semmle.Util.Logging;
diff --git a/csharp/extractor/Semmle.Extraction/Message.cs b/csharp/extractor/Semmle.Extraction/Message.cs
index fbe91fb95e6..0a2a62e13a2 100644
--- a/csharp/extractor/Semmle.Extraction/Message.cs
+++ b/csharp/extractor/Semmle.Extraction/Message.cs
@@ -13,22 +13,22 @@ namespace Semmle.Extraction
     {
         public Severity Severity { get; }
         public string Text { get; }
-        public string StackTrace { get; }
-        public string EntityText { get; }
+        public string? StackTrace { get; }
+        public string? EntityText { get; }
         public Entities.Location? Location { get; }
 
-        public Message(string text, string entityText, Entities.Location? location, string? stackTrace = null, Severity severity = Severity.Error)
+        public Message(string text, string? entityText, Entities.Location? location, string? stackTrace = null, Severity severity = Severity.Error)
         {
             Severity = severity;
             Text = text;
-            StackTrace = stackTrace ?? "";
+            StackTrace = stackTrace;
             EntityText = entityText;
             Location = location;
         }
 
         public static Message Create(Context cx, string text, ISymbol symbol, string? stackTrace = null, Severity severity = Severity.Error)
         {
-            return new Message(text, symbol.ToString() ?? "", Entities.Location.Create(cx, symbol.Locations.FirstOrDefault()), stackTrace, severity);
+            return new Message(text, symbol.ToString(), Entities.Location.Create(cx, symbol.Locations.FirstOrDefault()), stackTrace, severity);
         }
 
         public static Message Create(Context cx, string text, SyntaxNode node, string? stackTrace = null, Severity severity = Severity.Error)
diff --git a/csharp/extractor/Semmle.Util/Win32.cs b/csharp/extractor/Semmle.Util/Win32.cs
index fe198b9612a..046a0957e87 100644
--- a/csharp/extractor/Semmle.Util/Win32.cs
+++ b/csharp/extractor/Semmle.Util/Win32.cs
@@ -8,7 +8,7 @@ namespace Semmle.Util
     /// <summary>
     /// Holder for various Win32 functions.
     /// </summary>
-    public class Win32
+    public static class Win32
     {
         [DllImport("kernel32.dll", SetLastError = true, CharSet = CharSet.Unicode)]
         public static extern int GetFinalPathNameByHandle(  // lgtm[cs/unmanaged-code]

From 5927ce5d69bd4df26e2774a5fb476ff575b95be5 Mon Sep 17 00:00:00 2001
From: Sauyon Lee <sauyon@github.com>
Date: Thu, 4 Feb 2021 14:35:43 +0000
Subject: [PATCH 164/429] Add GoKit to Go supported library list

---
 docs/codeql/support/reusables/frameworks.rst | 1 +
 1 file changed, 1 insertion(+)

diff --git a/docs/codeql/support/reusables/frameworks.rst b/docs/codeql/support/reusables/frameworks.rst
index 4427407fe9d..867c0cce036 100644
--- a/docs/codeql/support/reusables/frameworks.rst
+++ b/docs/codeql/support/reusables/frameworks.rst
@@ -33,6 +33,7 @@ Go built-in support
    glog, Logging library
    go-restful, Web application framework
    go-sh, Utility library
+   GoKit, Microservice toolkit
    Gokogiri, XPath library
    golang.org/x/crypto/ssh, Network communicator
    golang.org/x/net/websocket, Network communicator

From 3fe715abb6e85538e43246eb1722d3558eee4a02 Mon Sep 17 00:00:00 2001
From: Rasmus Wriedt Larsen <rasmuswl@github.com>
Date: Thu, 4 Feb 2021 15:49:37 +0100
Subject: [PATCH 165/429] Python: Fix query names that inclde __ (dunder)

Without backticks, the text UNDERSCORE UNDERSCORE eq UNDERSCORE UNDERSCORE would
be considered to make things bold in our markdown output, making the query info
look strange.

Example https://codeql.github.com/codeql-query-help/python/py-slots-in-old-style-class/
---
 python/ql/src/Classes/DefineEqualsWhenAddingAttributes.ql     | 2 +-
 python/ql/src/Classes/InitCallsSubclassMethod.ql              | 4 ++--
 python/ql/src/Classes/MaybeUndefinedClassAttribute.ql         | 2 +-
 python/ql/src/Classes/MissingCallToDel.ql                     | 4 ++--
 python/ql/src/Classes/MissingCallToInit.ql                    | 4 ++--
 python/ql/src/Classes/MutatingDescriptor.ql                   | 2 +-
 python/ql/src/Classes/OverwritingAttributeInSuperClass.ql     | 2 +-
 python/ql/src/Classes/SlotsInOldStyleClass.ql                 | 4 ++--
 python/ql/src/Classes/SuperclassDelCalledMultipleTimes.ql     | 4 ++--
 python/ql/src/Classes/SuperclassInitCalledMultipleTimes.ql    | 4 ++--
 python/ql/src/Classes/UndefinedClassAttribute.ql              | 2 +-
 python/ql/src/Classes/UselessClass.ql                         | 2 +-
 .../src/Classes/WrongNumberArgumentsInClassInstantiation.ql   | 2 +-
 python/ql/src/Expressions/ExplicitCallToDel.ql                | 4 ++--
 python/ql/src/Expressions/IncorrectComparisonUsingIs.ql       | 2 +-
 python/ql/src/Expressions/NonPortableComparisonUsingIs.ql     | 2 +-
 python/ql/src/Functions/ExplicitReturnInInit.ql               | 4 ++--
 python/ql/src/Functions/InitIsGenerator.ql                    | 4 ++--
 python/ql/src/Functions/IterReturnsNonIterator.ql             | 4 ++--
 python/ql/src/Functions/IterReturnsNonSelf.ql                 | 4 ++--
 python/ql/src/Functions/OverlyComplexDelMethod.ql             | 4 ++--
 python/ql/src/Imports/UnintentionalImport.ql                  | 2 +-
 python/ql/src/Statements/TopLevelPrint.ql                     | 2 +-
 python/ql/src/Variables/UndefinedExport.ql                    | 2 +-
 24 files changed, 36 insertions(+), 36 deletions(-)

diff --git a/python/ql/src/Classes/DefineEqualsWhenAddingAttributes.ql b/python/ql/src/Classes/DefineEqualsWhenAddingAttributes.ql
index 15d44f9a1eb..68542bbc243 100644
--- a/python/ql/src/Classes/DefineEqualsWhenAddingAttributes.ql
+++ b/python/ql/src/Classes/DefineEqualsWhenAddingAttributes.ql
@@ -1,5 +1,5 @@
 /**
- * @name __eq__ not overridden when adding attributes
+ * @name `__eq__` not overridden when adding attributes
  * @description When adding new attributes to instances of a class, equality for that class needs to be defined.
  * @kind problem
  * @tags reliability
diff --git a/python/ql/src/Classes/InitCallsSubclassMethod.ql b/python/ql/src/Classes/InitCallsSubclassMethod.ql
index 19865751c53..2fb6e90dd7d 100644
--- a/python/ql/src/Classes/InitCallsSubclassMethod.ql
+++ b/python/ql/src/Classes/InitCallsSubclassMethod.ql
@@ -1,6 +1,6 @@
 /**
- * @name __init__ method calls overridden method
- * @description Calling a method from __init__ that is overridden by a subclass may result in a partially
+ * @name `__init__` method calls overridden method
+ * @description Calling a method from `__init__` that is overridden by a subclass may result in a partially
  *              initialized instance being observed.
  * @kind problem
  * @tags reliability
diff --git a/python/ql/src/Classes/MaybeUndefinedClassAttribute.ql b/python/ql/src/Classes/MaybeUndefinedClassAttribute.ql
index 7f4e27801c2..70934185831 100644
--- a/python/ql/src/Classes/MaybeUndefinedClassAttribute.ql
+++ b/python/ql/src/Classes/MaybeUndefinedClassAttribute.ql
@@ -1,6 +1,6 @@
 /**
  * @name Maybe undefined class attribute
- * @description Accessing an attribute of 'self' that is not initialized in the __init__ method may cause an AttributeError at runtime
+ * @description Accessing an attribute of `self` that is not initialized in the `__init__` method may cause an AttributeError at runtime
  * @kind problem
  * @tags reliability
  *       correctness
diff --git a/python/ql/src/Classes/MissingCallToDel.ql b/python/ql/src/Classes/MissingCallToDel.ql
index e658dba1389..641968789d6 100644
--- a/python/ql/src/Classes/MissingCallToDel.ql
+++ b/python/ql/src/Classes/MissingCallToDel.ql
@@ -1,6 +1,6 @@
 /**
- * @name Missing call to __del__ during object destruction
- * @description An omitted call to a super-class __del__ method may lead to class instances not being cleaned up properly.
+ * @name Missing call to `__del__` during object destruction
+ * @description An omitted call to a super-class `__del__` method may lead to class instances not being cleaned up properly.
  * @kind problem
  * @tags efficiency
  *       correctness
diff --git a/python/ql/src/Classes/MissingCallToInit.ql b/python/ql/src/Classes/MissingCallToInit.ql
index 6daa06de79c..81d1916056e 100644
--- a/python/ql/src/Classes/MissingCallToInit.ql
+++ b/python/ql/src/Classes/MissingCallToInit.ql
@@ -1,6 +1,6 @@
 /**
- * @name Missing call to __init__ during object initialization
- * @description An omitted call to a super-class __init__ method may lead to objects of this class not being fully initialized.
+ * @name Missing call to `__init__` during object initialization
+ * @description An omitted call to a super-class `__init__` method may lead to objects of this class not being fully initialized.
  * @kind problem
  * @tags reliability
  *       correctness
diff --git a/python/ql/src/Classes/MutatingDescriptor.ql b/python/ql/src/Classes/MutatingDescriptor.ql
index a7118883951..477ecc18206 100644
--- a/python/ql/src/Classes/MutatingDescriptor.ql
+++ b/python/ql/src/Classes/MutatingDescriptor.ql
@@ -1,5 +1,5 @@
 /**
- * @name Mutation of descriptor in __get__ or __set__ method.
+ * @name Mutation of descriptor in `__get__` or `__set__` method.
  * @description Descriptor objects can be shared across many instances. Mutating them can cause strange side effects or race conditions.
  * @kind problem
  * @tags reliability
diff --git a/python/ql/src/Classes/OverwritingAttributeInSuperClass.ql b/python/ql/src/Classes/OverwritingAttributeInSuperClass.ql
index e77d5ec481f..24887221141 100644
--- a/python/ql/src/Classes/OverwritingAttributeInSuperClass.ql
+++ b/python/ql/src/Classes/OverwritingAttributeInSuperClass.ql
@@ -1,6 +1,6 @@
 /**
  * @name Overwriting attribute in super-class or sub-class
- * @description Assignment to self attribute overwrites attribute previously defined in subclass or superclass __init__ method.
+ * @description Assignment to self attribute overwrites attribute previously defined in subclass or superclass `__init__` method.
  * @kind problem
  * @tags reliability
  *       maintainability
diff --git a/python/ql/src/Classes/SlotsInOldStyleClass.ql b/python/ql/src/Classes/SlotsInOldStyleClass.ql
index 78b9bd18f29..cd4f9dd5f1d 100644
--- a/python/ql/src/Classes/SlotsInOldStyleClass.ql
+++ b/python/ql/src/Classes/SlotsInOldStyleClass.ql
@@ -1,6 +1,6 @@
 /**
- * @name '__slots__' in old-style class
- * @description Overriding the class dictionary by declaring '__slots__' is not supported by old-style
+ * @name `__slots__` in old-style class
+ * @description Overriding the class dictionary by declaring `__slots__` is not supported by old-style
  *              classes.
  * @kind problem
  * @problem.severity error
diff --git a/python/ql/src/Classes/SuperclassDelCalledMultipleTimes.ql b/python/ql/src/Classes/SuperclassDelCalledMultipleTimes.ql
index f1ef04bb89a..da301b6422a 100644
--- a/python/ql/src/Classes/SuperclassDelCalledMultipleTimes.ql
+++ b/python/ql/src/Classes/SuperclassDelCalledMultipleTimes.ql
@@ -1,6 +1,6 @@
 /**
- * @name Multiple calls to __del__ during object destruction
- * @description A duplicated call to a super-class __del__ method may lead to class instances not be cleaned up properly.
+ * @name Multiple calls to `__del__` during object destruction
+ * @description A duplicated call to a super-class `__del__` method may lead to class instances not be cleaned up properly.
  * @kind problem
  * @tags efficiency
  *       correctness
diff --git a/python/ql/src/Classes/SuperclassInitCalledMultipleTimes.ql b/python/ql/src/Classes/SuperclassInitCalledMultipleTimes.ql
index cb90cb32510..ec94202c0f3 100644
--- a/python/ql/src/Classes/SuperclassInitCalledMultipleTimes.ql
+++ b/python/ql/src/Classes/SuperclassInitCalledMultipleTimes.ql
@@ -1,6 +1,6 @@
 /**
- * @name Multiple calls to __init__ during object initialization
- * @description A duplicated call to a super-class __init__ method may lead to objects of this class not being properly initialized.
+ * @name Multiple calls to `__init__` during object initialization
+ * @description A duplicated call to a super-class `__init__` method may lead to objects of this class not being properly initialized.
  * @kind problem
  * @tags reliability
  *       correctness
diff --git a/python/ql/src/Classes/UndefinedClassAttribute.ql b/python/ql/src/Classes/UndefinedClassAttribute.ql
index 348daa7f9fb..ad66ecd1316 100644
--- a/python/ql/src/Classes/UndefinedClassAttribute.ql
+++ b/python/ql/src/Classes/UndefinedClassAttribute.ql
@@ -1,6 +1,6 @@
 /**
  * @name Undefined class attribute
- * @description Accessing an attribute of 'self' that is not initialized anywhere in the class in the __init__ method may cause an AttributeError at runtime
+ * @description Accessing an attribute of `self` that is not initialized anywhere in the class in the `__init__` method may cause an AttributeError at runtime
  * @kind problem
  * @tags reliability
  *       correctness
diff --git a/python/ql/src/Classes/UselessClass.ql b/python/ql/src/Classes/UselessClass.ql
index 24bf446fc6a..2695e9a7a1d 100644
--- a/python/ql/src/Classes/UselessClass.ql
+++ b/python/ql/src/Classes/UselessClass.ql
@@ -1,6 +1,6 @@
 /**
  * @name Useless class
- * @description Class only defines one public method (apart from __init__ or __new__) and should be replaced by a function
+ * @description Class only defines one public method (apart from `__init__` or `__new__`) and should be replaced by a function
  * @kind problem
  * @tags maintainability
  *       useless-code
diff --git a/python/ql/src/Classes/WrongNumberArgumentsInClassInstantiation.ql b/python/ql/src/Classes/WrongNumberArgumentsInClassInstantiation.ql
index 7afd344eacb..8b456c91dce 100644
--- a/python/ql/src/Classes/WrongNumberArgumentsInClassInstantiation.ql
+++ b/python/ql/src/Classes/WrongNumberArgumentsInClassInstantiation.ql
@@ -1,6 +1,6 @@
 /**
  * @name Wrong number of arguments in a class instantiation
- * @description Using too many or too few arguments in a call to the __init__
+ * @description Using too many or too few arguments in a call to the `__init__`
  *              method of a class will result in a TypeError at runtime.
  * @kind problem
  * @tags reliability
diff --git a/python/ql/src/Expressions/ExplicitCallToDel.ql b/python/ql/src/Expressions/ExplicitCallToDel.ql
index cb441ce0267..f60945ba05c 100644
--- a/python/ql/src/Expressions/ExplicitCallToDel.ql
+++ b/python/ql/src/Expressions/ExplicitCallToDel.ql
@@ -1,6 +1,6 @@
 /**
- * @name __del__ is called explicitly
- * @description The __del__ special method is called by the virtual machine when an object is being finalized. It should not be called explicitly.
+ * @name `__del__` is called explicitly
+ * @description The `__del__` special method is called by the virtual machine when an object is being finalized. It should not be called explicitly.
  * @kind problem
  * @tags reliability
  *       correctness
diff --git a/python/ql/src/Expressions/IncorrectComparisonUsingIs.ql b/python/ql/src/Expressions/IncorrectComparisonUsingIs.ql
index ab45d6c15d9..5352dc9c9fa 100644
--- a/python/ql/src/Expressions/IncorrectComparisonUsingIs.ql
+++ b/python/ql/src/Expressions/IncorrectComparisonUsingIs.ql
@@ -1,5 +1,5 @@
 /**
- * @name Comparison using is when operands support __eq__
+ * @name Comparison using is when operands support `__eq__`
  * @description Comparison using 'is' when equivalence is not the same as identity
  * @kind problem
  * @tags reliability
diff --git a/python/ql/src/Expressions/NonPortableComparisonUsingIs.ql b/python/ql/src/Expressions/NonPortableComparisonUsingIs.ql
index db266020aeb..d9a0f701635 100644
--- a/python/ql/src/Expressions/NonPortableComparisonUsingIs.ql
+++ b/python/ql/src/Expressions/NonPortableComparisonUsingIs.ql
@@ -1,5 +1,5 @@
 /**
- * @name Non-portable comparison using is when operands support __eq__
+ * @name Non-portable comparison using is when operands support `__eq__`
  * @description Comparison using 'is' when equivalence is not the same as identity and may not be portable.
  * @kind problem
  * @tags portability
diff --git a/python/ql/src/Functions/ExplicitReturnInInit.ql b/python/ql/src/Functions/ExplicitReturnInInit.ql
index 0ce20249119..000c671396e 100644
--- a/python/ql/src/Functions/ExplicitReturnInInit.ql
+++ b/python/ql/src/Functions/ExplicitReturnInInit.ql
@@ -1,6 +1,6 @@
 /**
- * @name __init__ method returns a value
- * @description Explicitly returning a value from an __init__ method will raise a TypeError.
+ * @name `__init__` method returns a value
+ * @description Explicitly returning a value from an `__init__` method will raise a TypeError.
  * @kind problem
  * @tags reliability
  *       correctness
diff --git a/python/ql/src/Functions/InitIsGenerator.ql b/python/ql/src/Functions/InitIsGenerator.ql
index 5e3f1ff574b..84bb935ad2e 100644
--- a/python/ql/src/Functions/InitIsGenerator.ql
+++ b/python/ql/src/Functions/InitIsGenerator.ql
@@ -1,6 +1,6 @@
 /**
- * @name __init__ method is a generator
- * @description __init__ method is a generator.
+ * @name `__init__` method is a generator
+ * @description `__init__` method is a generator.
  * @kind problem
  * @tags reliability
  *       correctness
diff --git a/python/ql/src/Functions/IterReturnsNonIterator.ql b/python/ql/src/Functions/IterReturnsNonIterator.ql
index aba772c9ab7..ed4a240ec4d 100644
--- a/python/ql/src/Functions/IterReturnsNonIterator.ql
+++ b/python/ql/src/Functions/IterReturnsNonIterator.ql
@@ -1,6 +1,6 @@
 /**
- * @name __iter__ method returns a non-iterator
- * @description The '__iter__' method returns a non-iterator which, if used in a 'for' loop, would raise a 'TypeError'.
+ * @name `__iter__` method returns a non-iterator
+ * @description The `__iter__` method returns a non-iterator which, if used in a 'for' loop, would raise a 'TypeError'.
  * @kind problem
  * @tags reliability
  *       correctness
diff --git a/python/ql/src/Functions/IterReturnsNonSelf.ql b/python/ql/src/Functions/IterReturnsNonSelf.ql
index 3d6c8c7da35..385677a5763 100644
--- a/python/ql/src/Functions/IterReturnsNonSelf.ql
+++ b/python/ql/src/Functions/IterReturnsNonSelf.ql
@@ -1,6 +1,6 @@
 /**
- * @name Iterator does not return self from __iter__ method
- * @description Iterator does not return self from __iter__ method, violating the iterator protocol.
+ * @name Iterator does not return self from `__iter__` method
+ * @description Iterator does not return self from `__iter__` method, violating the iterator protocol.
  * @kind problem
  * @tags reliability
  *       correctness
diff --git a/python/ql/src/Functions/OverlyComplexDelMethod.ql b/python/ql/src/Functions/OverlyComplexDelMethod.ql
index 2fc8789da34..19262332990 100644
--- a/python/ql/src/Functions/OverlyComplexDelMethod.ql
+++ b/python/ql/src/Functions/OverlyComplexDelMethod.ql
@@ -1,6 +1,6 @@
 /**
- * @name Overly complex __del__ method
- * @description __del__ methods may be called at arbitrary times, perhaps never called at all, and should be simple.
+ * @name Overly complex `__del__` method
+ * @description `__del__` methods may be called at arbitrary times, perhaps never called at all, and should be simple.
  * @kind problem
  * @tags efficiency
  *       maintainability
diff --git a/python/ql/src/Imports/UnintentionalImport.ql b/python/ql/src/Imports/UnintentionalImport.ql
index 2a3c2b6460b..cdbcec278dd 100644
--- a/python/ql/src/Imports/UnintentionalImport.ql
+++ b/python/ql/src/Imports/UnintentionalImport.ql
@@ -1,7 +1,7 @@
 /**
  * @name 'import *' may pollute namespace
  * @description Importing a module using 'import *' may unintentionally pollute the global
- *              namespace if the module does not define '__all__'
+ *              namespace if the module does not define `__all__`
  * @kind problem
  * @tags maintainability
  *       modularity
diff --git a/python/ql/src/Statements/TopLevelPrint.ql b/python/ql/src/Statements/TopLevelPrint.ql
index b2d111cce1f..8d35c7c942b 100644
--- a/python/ql/src/Statements/TopLevelPrint.ql
+++ b/python/ql/src/Statements/TopLevelPrint.ql
@@ -1,6 +1,6 @@
 /**
  * @name Use of a print statement at module level
- * @description Using a print statement at module scope (except when guarded by if __name__ == '__main__') will cause surprising output when the module is imported.
+ * @description Using a print statement at module scope (except when guarded by `if __name__ == '__main__'`) will cause surprising output when the module is imported.
  * @kind problem
  * @tags reliability
  *       maintainability
diff --git a/python/ql/src/Variables/UndefinedExport.ql b/python/ql/src/Variables/UndefinedExport.ql
index 52d51ce4f72..c53e920d477 100644
--- a/python/ql/src/Variables/UndefinedExport.ql
+++ b/python/ql/src/Variables/UndefinedExport.ql
@@ -1,6 +1,6 @@
 /**
  * @name Explicit export is not defined
- * @description Including an undefined attribute in __all__ causes an exception when
+ * @description Including an undefined attribute in `__all__` causes an exception when
  *              the module is imported using '*'
  * @kind problem
  * @tags reliability

From 32be53bf72a66f295c08eb02a97ae14429057b61 Mon Sep 17 00:00:00 2001
From: Rasmus Wriedt Larsen <rasmuswl@github.com>
Date: Thu, 4 Feb 2021 15:53:04 +0100
Subject: [PATCH 166/429] Python: Fix missing <code> in qhelp file

---
 python/ql/src/Classes/SlotsInOldStyleClass.qhelp | 4 ++--
 1 file changed, 2 insertions(+), 2 deletions(-)

diff --git a/python/ql/src/Classes/SlotsInOldStyleClass.qhelp b/python/ql/src/Classes/SlotsInOldStyleClass.qhelp
index eb7208d6257..a8d89400622 100644
--- a/python/ql/src/Classes/SlotsInOldStyleClass.qhelp
+++ b/python/ql/src/Classes/SlotsInOldStyleClass.qhelp
@@ -6,7 +6,7 @@
 <overview>
 <p>The ability to override the class dictionary using a <code>__slots__</code> declaration
 is supported only by new-style classes. When you add a <code>__slots__</code> declaration to an 
-old-style class it just creates a class attribute called '__slots__'.</p>
+old-style class it just creates a class attribute called <code>__slots__</code>.</p>
 
 </overview>
 <recommendation>
@@ -17,9 +17,9 @@ You can convert an old-style class to a new-style class by inheriting from <code
 </recommendation>
 <example>
 <p>In the following example the <code>KeyedRef</code> class is an old-style class (no inheritance). The 
-<code>__slots__</code> declaration in this class creates a class attribute called '__slots__', the class 
 dictionary is unaffected. The <code>KeyedRef2</code> class is a new-style class so the 
 <code>__slots__</code> declaration causes special compact attributes to be created for each name in 
+<code>__slots__</code> declaration in this class creates a class attribute called <code>__slots__</code>, the class
 the slots list and saves space by not creating attribute dictionaries.</p>
 
 <sample src="SlotsInOldStyleClass.py" />

From dcb185b659b7871982de41ed9f5872d2fe3065d8 Mon Sep 17 00:00:00 2001
From: Rasmus Wriedt Larsen <rasmuswl@github.com>
Date: Thu, 4 Feb 2021 15:53:23 +0100
Subject: [PATCH 167/429] Python: Fix trailing whitespace in a single qhelp
 file

Since I edited already, why not get this little bonus? :D
---
 python/ql/src/Classes/SlotsInOldStyleClass.qhelp | 12 ++++++------
 1 file changed, 6 insertions(+), 6 deletions(-)

diff --git a/python/ql/src/Classes/SlotsInOldStyleClass.qhelp b/python/ql/src/Classes/SlotsInOldStyleClass.qhelp
index a8d89400622..8d861f4c4a2 100644
--- a/python/ql/src/Classes/SlotsInOldStyleClass.qhelp
+++ b/python/ql/src/Classes/SlotsInOldStyleClass.qhelp
@@ -5,21 +5,21 @@
 
 <overview>
 <p>The ability to override the class dictionary using a <code>__slots__</code> declaration
-is supported only by new-style classes. When you add a <code>__slots__</code> declaration to an 
+is supported only by new-style classes. When you add a <code>__slots__</code> declaration to an
 old-style class it just creates a class attribute called <code>__slots__</code>.</p>
 
 </overview>
 <recommendation>
 
-<p>If you want to override the dictionary for a class, then ensure that the class is a new-style class. 
+<p>If you want to override the dictionary for a class, then ensure that the class is a new-style class.
 You can convert an old-style class to a new-style class by inheriting from <code>object</code>.</p>
 
 </recommendation>
 <example>
-<p>In the following example the <code>KeyedRef</code> class is an old-style class (no inheritance). The 
-dictionary is unaffected. The <code>KeyedRef2</code> class is a new-style class so the 
-<code>__slots__</code> declaration causes special compact attributes to be created for each name in 
+<p>In the following example the <code>KeyedRef</code> class is an old-style class (no inheritance). The
 <code>__slots__</code> declaration in this class creates a class attribute called <code>__slots__</code>, the class
+dictionary is unaffected. The <code>KeyedRef2</code> class is a new-style class so the
+<code>__slots__</code> declaration causes special compact attributes to be created for each name in
 the slots list and saves space by not creating attribute dictionaries.</p>
 
 <sample src="SlotsInOldStyleClass.py" />
@@ -28,7 +28,7 @@ the slots list and saves space by not creating attribute dictionaries.</p>
 <references>
 
 <li>Python Glossary: <a href="http://docs.python.org/glossary.html#term-new-style-class">New-style class</a>.</li>
-<li>Python Language Reference: <a href="http://docs.python.org/2/reference/datamodel.html#newstyle">New-style and classic 
+<li>Python Language Reference: <a href="http://docs.python.org/2/reference/datamodel.html#newstyle">New-style and classic
 classes</a>,
  <a href="http://docs.python.org/reference/datamodel.html#__slots__">__slots__</a>.</li>
 

From 23d9e2646a27ffcfdca3ac1cac7eb62337ae8ae2 Mon Sep 17 00:00:00 2001
From: Rasmus Wriedt Larsen <rasmuswl@github.com>
Date: Thu, 4 Feb 2021 15:54:10 +0100
Subject: [PATCH 168/429] Python: Fix name of class in example of __slots__
 qhelp

---
 python/ql/src/Classes/SlotsInOldStyleClass.qhelp | 4 ++--
 1 file changed, 2 insertions(+), 2 deletions(-)

diff --git a/python/ql/src/Classes/SlotsInOldStyleClass.qhelp b/python/ql/src/Classes/SlotsInOldStyleClass.qhelp
index 8d861f4c4a2..9ee18f8dd80 100644
--- a/python/ql/src/Classes/SlotsInOldStyleClass.qhelp
+++ b/python/ql/src/Classes/SlotsInOldStyleClass.qhelp
@@ -16,9 +16,9 @@ You can convert an old-style class to a new-style class by inheriting from <code
 
 </recommendation>
 <example>
-<p>In the following example the <code>KeyedRef</code> class is an old-style class (no inheritance). The
+<p>In the following example the <code>Point</code> class is an old-style class (no inheritance). The
 <code>__slots__</code> declaration in this class creates a class attribute called <code>__slots__</code>, the class
-dictionary is unaffected. The <code>KeyedRef2</code> class is a new-style class so the
+dictionary is unaffected. The <code>Point2</code> class is a new-style class so the
 <code>__slots__</code> declaration causes special compact attributes to be created for each name in
 the slots list and saves space by not creating attribute dictionaries.</p>
 

From b94658fd52b3dfd3b0157d878c37b9addd8e44c6 Mon Sep 17 00:00:00 2001
From: Rasmus Wriedt Larsen <rasmuswl@github.com>
Date: Thu, 4 Feb 2021 15:54:37 +0100
Subject: [PATCH 169/429] Python: Highlight that __slots__ query is only for
 Python 2 in qhelp

Since I was already editing this file, it was easy to just add this extra bit of
info.
---
 python/ql/src/Classes/SlotsInOldStyleClass.qhelp | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)

diff --git a/python/ql/src/Classes/SlotsInOldStyleClass.qhelp b/python/ql/src/Classes/SlotsInOldStyleClass.qhelp
index 9ee18f8dd80..27474b847e3 100644
--- a/python/ql/src/Classes/SlotsInOldStyleClass.qhelp
+++ b/python/ql/src/Classes/SlotsInOldStyleClass.qhelp
@@ -16,7 +16,7 @@ You can convert an old-style class to a new-style class by inheriting from <code
 
 </recommendation>
 <example>
-<p>In the following example the <code>Point</code> class is an old-style class (no inheritance). The
+<p>In the following Python 2 example the <code>Point</code> class is an old-style class (no inheritance). The
 <code>__slots__</code> declaration in this class creates a class attribute called <code>__slots__</code>, the class
 dictionary is unaffected. The <code>Point2</code> class is a new-style class so the
 <code>__slots__</code> declaration causes special compact attributes to be created for each name in

From e54c925b70e28f2d24486103f996c7e5981d2411 Mon Sep 17 00:00:00 2001
From: Taus Brock-Nannestad <tausbn@github.com>
Date: Thu, 4 Feb 2021 15:58:15 +0100
Subject: [PATCH 170/429] Python: Greatly simplify `imports/2` predicate

---
 python/ql/src/semmle/python/ApiGraphs.qll | 67 +++--------------------
 1 file changed, 8 insertions(+), 59 deletions(-)

diff --git a/python/ql/src/semmle/python/ApiGraphs.qll b/python/ql/src/semmle/python/ApiGraphs.qll
index 28918f438cb..dc658dcc2be 100644
--- a/python/ql/src/semmle/python/ApiGraphs.qll
+++ b/python/ql/src/semmle/python/ApiGraphs.qll
@@ -258,67 +258,16 @@ module API {
     }
 
     /**
-     * Holds if `import_node` is an import of a module named `name`
+     * Holds if `imp` is a data-flow node inside an import statement that refers to a module by the
+     * name `name`.
      *
-     * Ignores relative imports (`from ..foo import bar`).
-     *
-     * Note that for the statement `import pkg.mod`, the new variable introduced is `pkg` that is a
-     * reference to the module `pkg`.
-     *
-     * This predicate handles (with optional `... as <new-name>`):
-     * 1. `import <name>`
-     * 2. `from <package> import <module>` when `<name> = <package> + "." + <module>`
-     * 3. `from <module> import <member>` when `<name> = <module> + "." + <member>`
-     *
-     * Finally, in `from <module> import <member>` we consider the `ImportExpr` corresponding to
-     * `<module>` to be a reference to that module.
-     *
-     * Note:
-     * While it is technically possible that `import mypkg.foo` and `from mypkg import foo` can give different values,
-     * it's highly unlikely that this will be a problem in production level code.
-     *   Example: If `mypkg/__init__.py` contains `foo = 42`, then `from mypkg import foo` will not import the module
-     *   `mypkg/foo.py` but the variable `foo` containing `42` -- however, `import mypkg.foo` will always cause `mypkg.foo`
-     *   to refer to the module.
+     * Ignores relative imports, such as `from ..foo.bar import baz`.
      */
-    private predicate imports(DataFlow::Node import_node, string name) {
-      exists(Variable var, Import imp, Alias alias |
-        alias = imp.getAName() and
-        alias.getAsname() = var.getAStore() and
-        (
-          name = alias.getValue().(ImportMember).getImportedModuleName()
-          or
-          name = alias.getValue().(ImportExpr).getImportedModuleName() and
-          not alias.getValue().(ImportExpr).isRelative()
-        ) and
-        import_node.asExpr() = alias.getValue()
-      )
-      or
-      // Although it may seem superfluous to consider the `foo` part of `from foo import bar as baz` to
-      // be a reference to a module (since that reference only makes sense locally within the `import`
-      // statement), it's important for our use of type trackers to consider this local reference to
-      // also refer to the `foo` module. That way, if one wants to track references to the `bar`
-      // attribute using a type tracker, one can simply write
-      //
-      // ```ql
-      // DataFlow::Node bar_attr_tracker(TypeTracker t) {
-      //   t.startInAttr("bar") and
-      //   result = foo_module_tracker()
-      //   or
-      //   exists(TypeTracker t2 | result = bar_attr_tracker(t2).track(t2, t))
-      // }
-      // ```
-      //
-      // Where `foo_module_tracker` is a type tracker that tracks references to the `foo` module.
-      // Because named imports are modelled as `AttrRead`s, the statement `from foo import bar as baz`
-      // is interpreted as if it was an assignment `baz = foo.bar`, which means `baz` gets tracked as a
-      // reference to `foo.bar`, as desired.
-      exists(ImportExpr imp_expr |
-        not imp_expr.isRelative() and
-        imp_expr.getName() = name and
-        import_node.asCfgNode().getNode() = imp_expr and
-        // in `import foo.bar` we DON'T want to give a result for `importNode("foo.bar")`,
-        // only for `importNode("foo")`. We exclude those cases with the following clause.
-        not exists(Import imp | imp.getAName().getValue() = imp_expr)
+    private predicate imports(DataFlow::Node imp, string name) {
+      exists(ImportExprNode iexpr |
+        imp.asCfgNode() = iexpr and
+        not iexpr.getNode().isRelative() and
+        name = iexpr.getNode().getName()
       )
     }
 

From 07ffa9f1ae40041417d495f7b44e65de083dbd66 Mon Sep 17 00:00:00 2001
From: Taus Brock-Nannestad <tausbn@github.com>
Date: Thu, 4 Feb 2021 15:59:00 +0100
Subject: [PATCH 171/429] Python: More documentation

---
 python/ql/src/semmle/python/ApiGraphs.qll | 12 +++++++++---
 1 file changed, 9 insertions(+), 3 deletions(-)

diff --git a/python/ql/src/semmle/python/ApiGraphs.qll b/python/ql/src/semmle/python/ApiGraphs.qll
index dc658dcc2be..8a0d4dfd7ef 100644
--- a/python/ql/src/semmle/python/ApiGraphs.qll
+++ b/python/ql/src/semmle/python/ApiGraphs.qll
@@ -60,8 +60,10 @@ module API {
     /**
      * Gets a node representing member `m` of this API component.
      *
-     * For example, modules have an `exports` member representing their exports, and objects have
-     * their properties as members.
+     * For example, a member can be:
+     *
+     * - A submodule of a module
+     * - An attribute of an object
      */
     bindingset[m]
     bindingset[result]
@@ -235,7 +237,11 @@ module API {
       MkRoot() or
       /** An abstract representative for imports of the module called `name`. */
       MkModuleImport(string name) {
-        imports(_, name) or name = any(ImportExpr e | not e.isRelative()).getAnImportedModuleName()
+        imports(_, name)
+        or
+        // When we `import foo.bar.baz` we want to create API graph nodes also for the prefixes
+        // `foo` and `foo.bar`:
+        name = any(ImportExpr e | not e.isRelative()).getAnImportedModuleName()
       } or
       /** A use of an API member at the node `nd`. */
       MkUse(DataFlow::Node nd) { use(_, _, nd) }

From c1c9f963b913a0daca89984902ace5cdfa6030cf Mon Sep 17 00:00:00 2001
From: Mathias Vorreiter Pedersen <mathiasvp@github.com>
Date: Thu, 4 Feb 2021 12:34:48 +0100
Subject: [PATCH 172/429] C++: Fix qhelp in
 cpp/unsigned-difference-expression-compared-zero.

---
 ...UnsignedDifferenceExpressionComparedZero.c | 16 +++++----------
 ...gnedDifferenceExpressionComparedZero.qhelp | 20 +++++++++----------
 ...nsignedDifferenceExpressionComparedZero.ql |  8 ++++----
 ...dDifferenceExpressionComparedZero.expected | 20 +++++++++----------
 4 files changed, 28 insertions(+), 36 deletions(-)

diff --git a/cpp/ql/src/experimental/Security/CWE/CWE-191/UnsignedDifferenceExpressionComparedZero.c b/cpp/ql/src/experimental/Security/CWE/CWE-191/UnsignedDifferenceExpressionComparedZero.c
index f6054226848..d2f2b76fddc 100644
--- a/cpp/ql/src/experimental/Security/CWE/CWE-191/UnsignedDifferenceExpressionComparedZero.c
+++ b/cpp/ql/src/experimental/Security/CWE/CWE-191/UnsignedDifferenceExpressionComparedZero.c
@@ -1,11 +1,5 @@
-unsigned long sizeArray;
-
-// BAD: let's consider several values, taking ULONG_MAX =18446744073709551615
-// sizeArray = 60; (sizeArray - 10) = 50; true
-// sizeArray = 10; (sizeArray - 10) = 0; false
-// sizeArray = 1; (sizeArray - 10) = 18446744073709551607; true
-// sizeArray = 0; (sizeArray - 10) = 18446744073709551606; true
-if (sizeArray - 10 > 0)
-
-// GOOD: Prevent overflow by checking the input
-if (sizeArray > 10)
+unsigned limit = get_limit();
+unsigned total = 0;
+while (limit - total > 0) { // wrong: if `total` is greater than `limit` this will underflow and continue executing the loop.
+  total += get_data();
+}
\ No newline at end of file
diff --git a/cpp/ql/src/experimental/Security/CWE/CWE-191/UnsignedDifferenceExpressionComparedZero.qhelp b/cpp/ql/src/experimental/Security/CWE/CWE-191/UnsignedDifferenceExpressionComparedZero.qhelp
index 3bf28d13df4..575d37d3c85 100644
--- a/cpp/ql/src/experimental/Security/CWE/CWE-191/UnsignedDifferenceExpressionComparedZero.qhelp
+++ b/cpp/ql/src/experimental/Security/CWE/CWE-191/UnsignedDifferenceExpressionComparedZero.qhelp
@@ -3,23 +3,21 @@
   "qhelp.dtd">
 <qhelp>
 <overview>
-<p>The code compares the unsigned difference with zero. 
-It is highly probable that the condition is wrong if the difference expression has the unsigned type.  
-The condition holds in all the cases when difference is not equal to zero. 
-It means that we may use condition not equal. But the programmer probably wanted to compare the difference of elements.</p>
-
-<p>False positives include code in which the first difference element is always greater than or equal to the second. 
-For comparison, ">" such conditions are equivalent to "! =", And are recommended for replacement. 
-For comparison "> =", the conditions are always true and are recommended to be excluded.</p>
-
+<p>
+This rule finds relational comparisons between the result of an unsigned subtraction and the value <code>0</code>.
+Such comparisons are likely wrong as the value of an unsigned subtraction can never be negative. So the
+relational comparison ends up checking whether the result of the subtraction is equal to <code>0</code>.
+This is likely not what the programmer intended.
+</p>
 </overview>
 <recommendation>
 
-<p>Use a simple comparison of two elements, instead of comparing their difference to zero.</p>
+<p>If a relational comparison is intended, consider casting the result of the subtraction to a signed type.
+   If the intention was to test for equality, consider replacing the relational comparison with an equality test.
+</p>
 
 </recommendation>
 <example>
-<p>The following example demonstrates an erroneous and corrected use of comparison.</p>
 <sample src="UnsignedDifferenceExpressionComparedZero.c" />
 
 </example>
diff --git a/cpp/ql/src/experimental/Security/CWE/CWE-191/UnsignedDifferenceExpressionComparedZero.ql b/cpp/ql/src/experimental/Security/CWE/CWE-191/UnsignedDifferenceExpressionComparedZero.ql
index 3de8ddefeaf..8bab534344d 100644
--- a/cpp/ql/src/experimental/Security/CWE/CWE-191/UnsignedDifferenceExpressionComparedZero.ql
+++ b/cpp/ql/src/experimental/Security/CWE/CWE-191/UnsignedDifferenceExpressionComparedZero.ql
@@ -1,13 +1,12 @@
 /**
  * @name Unsigned difference expression compared to zero
- * @description It is highly probable that the condition is wrong if the difference expression has the unsigned type.
- *              The condition holds in all the cases when difference is not equal to zero. It means that we may use condition not equal.
- *              But the programmer probably wanted to compare the difference of elements.
+ * @description A subtraction with an unsigned result can never be negative. Using such an expression in a relational comparison with `0` is likely to be wrong.
  * @kind problem
  * @id cpp/unsigned-difference-expression-compared-zero
  * @problem.severity warning
  * @precision medium
  * @tags security
+ *       correctness
  *       external/cwe/cwe-191
  */
 
@@ -33,8 +32,9 @@ predicate nonNegative(SubExpr sub) {
 from RelationalOperation ro, SubExpr sub
 where
   not isFromMacroDefinition(ro) and
+  not isFromMacroDefinition(sub) and
   ro.getLesserOperand().getValue().toInt() = 0 and
   ro.getGreaterOperand() = sub and
   sub.getFullyConverted().getUnspecifiedType().(IntegralType).isUnsigned() and
   not nonNegative(sub)
-select ro, "Difference in condition is always greater than or equal to zero"
+select ro, "Unsigned subtraction can never be negative."
diff --git a/cpp/ql/test/experimental/query-tests/Security/CWE/CWE-191/UnsignedDifferenceExpressionComparedZero/UnsignedDifferenceExpressionComparedZero.expected b/cpp/ql/test/experimental/query-tests/Security/CWE/CWE-191/UnsignedDifferenceExpressionComparedZero/UnsignedDifferenceExpressionComparedZero.expected
index 6e1b80a4c8c..2d28795d126 100644
--- a/cpp/ql/test/experimental/query-tests/Security/CWE/CWE-191/UnsignedDifferenceExpressionComparedZero/UnsignedDifferenceExpressionComparedZero.expected
+++ b/cpp/ql/test/experimental/query-tests/Security/CWE/CWE-191/UnsignedDifferenceExpressionComparedZero/UnsignedDifferenceExpressionComparedZero.expected
@@ -1,10 +1,10 @@
-| test.cpp:6:5:6:13 | ... > ... | Difference in condition is always greater than or equal to zero |
-| test.cpp:10:8:10:24 | ... > ... | Difference in condition is always greater than or equal to zero |
-| test.cpp:15:9:15:25 | ... > ... | Difference in condition is always greater than or equal to zero |
-| test.cpp:32:12:32:20 | ... > ... | Difference in condition is always greater than or equal to zero |
-| test.cpp:39:12:39:20 | ... > ... | Difference in condition is always greater than or equal to zero |
-| test.cpp:47:5:47:13 | ... > ... | Difference in condition is always greater than or equal to zero |
-| test.cpp:55:5:55:13 | ... > ... | Difference in condition is always greater than or equal to zero |
-| test.cpp:62:5:62:13 | ... > ... | Difference in condition is always greater than or equal to zero |
-| test.cpp:69:5:69:13 | ... > ... | Difference in condition is always greater than or equal to zero |
-| test.cpp:75:8:75:16 | ... > ... | Difference in condition is always greater than or equal to zero |
+| test.cpp:6:5:6:13 | ... > ... | Unsigned subtraction can never be negative. |
+| test.cpp:10:8:10:24 | ... > ... | Unsigned subtraction can never be negative. |
+| test.cpp:15:9:15:25 | ... > ... | Unsigned subtraction can never be negative. |
+| test.cpp:32:12:32:20 | ... > ... | Unsigned subtraction can never be negative. |
+| test.cpp:39:12:39:20 | ... > ... | Unsigned subtraction can never be negative. |
+| test.cpp:47:5:47:13 | ... > ... | Unsigned subtraction can never be negative. |
+| test.cpp:55:5:55:13 | ... > ... | Unsigned subtraction can never be negative. |
+| test.cpp:62:5:62:13 | ... > ... | Unsigned subtraction can never be negative. |
+| test.cpp:69:5:69:13 | ... > ... | Unsigned subtraction can never be negative. |
+| test.cpp:75:8:75:16 | ... > ... | Unsigned subtraction can never be negative. |

From fd596ebbbb773b17028f3fce165a94cb2ff7df58 Mon Sep 17 00:00:00 2001
From: Mathias Vorreiter Pedersen <mathiasvp@github.com>
Date: Thu, 4 Feb 2021 16:00:56 +0100
Subject: [PATCH 173/429] C++: Move
 cpp/unsigned-difference-expression-compared-zero out of experimental.

---
 .../CWE/CWE-191/UnsignedDifferenceExpressionComparedZero.c       | 0
 .../CWE/CWE-191/UnsignedDifferenceExpressionComparedZero.qhelp   | 0
 .../CWE/CWE-191/UnsignedDifferenceExpressionComparedZero.ql      | 0
 .../UnsignedDifferenceExpressionComparedZero.qlref               | 1 -
 .../UnsignedDifferenceExpressionComparedZero.expected            | 0
 .../UnsignedDifferenceExpressionComparedZero.qlref               | 1 +
 .../CWE-191/UnsignedDifferenceExpressionComparedZero/test.cpp    | 0
 7 files changed, 1 insertion(+), 1 deletion(-)
 rename cpp/ql/src/{experimental => }/Security/CWE/CWE-191/UnsignedDifferenceExpressionComparedZero.c (100%)
 rename cpp/ql/src/{experimental => }/Security/CWE/CWE-191/UnsignedDifferenceExpressionComparedZero.qhelp (100%)
 rename cpp/ql/src/{experimental => }/Security/CWE/CWE-191/UnsignedDifferenceExpressionComparedZero.ql (100%)
 delete mode 100644 cpp/ql/test/experimental/query-tests/Security/CWE/CWE-191/UnsignedDifferenceExpressionComparedZero/UnsignedDifferenceExpressionComparedZero.qlref
 rename cpp/ql/test/{experimental => }/query-tests/Security/CWE/CWE-191/UnsignedDifferenceExpressionComparedZero/UnsignedDifferenceExpressionComparedZero.expected (100%)
 create mode 100644 cpp/ql/test/query-tests/Security/CWE/CWE-191/UnsignedDifferenceExpressionComparedZero/UnsignedDifferenceExpressionComparedZero.qlref
 rename cpp/ql/test/{experimental => }/query-tests/Security/CWE/CWE-191/UnsignedDifferenceExpressionComparedZero/test.cpp (100%)

diff --git a/cpp/ql/src/experimental/Security/CWE/CWE-191/UnsignedDifferenceExpressionComparedZero.c b/cpp/ql/src/Security/CWE/CWE-191/UnsignedDifferenceExpressionComparedZero.c
similarity index 100%
rename from cpp/ql/src/experimental/Security/CWE/CWE-191/UnsignedDifferenceExpressionComparedZero.c
rename to cpp/ql/src/Security/CWE/CWE-191/UnsignedDifferenceExpressionComparedZero.c
diff --git a/cpp/ql/src/experimental/Security/CWE/CWE-191/UnsignedDifferenceExpressionComparedZero.qhelp b/cpp/ql/src/Security/CWE/CWE-191/UnsignedDifferenceExpressionComparedZero.qhelp
similarity index 100%
rename from cpp/ql/src/experimental/Security/CWE/CWE-191/UnsignedDifferenceExpressionComparedZero.qhelp
rename to cpp/ql/src/Security/CWE/CWE-191/UnsignedDifferenceExpressionComparedZero.qhelp
diff --git a/cpp/ql/src/experimental/Security/CWE/CWE-191/UnsignedDifferenceExpressionComparedZero.ql b/cpp/ql/src/Security/CWE/CWE-191/UnsignedDifferenceExpressionComparedZero.ql
similarity index 100%
rename from cpp/ql/src/experimental/Security/CWE/CWE-191/UnsignedDifferenceExpressionComparedZero.ql
rename to cpp/ql/src/Security/CWE/CWE-191/UnsignedDifferenceExpressionComparedZero.ql
diff --git a/cpp/ql/test/experimental/query-tests/Security/CWE/CWE-191/UnsignedDifferenceExpressionComparedZero/UnsignedDifferenceExpressionComparedZero.qlref b/cpp/ql/test/experimental/query-tests/Security/CWE/CWE-191/UnsignedDifferenceExpressionComparedZero/UnsignedDifferenceExpressionComparedZero.qlref
deleted file mode 100644
index 2d15983a540..00000000000
--- a/cpp/ql/test/experimental/query-tests/Security/CWE/CWE-191/UnsignedDifferenceExpressionComparedZero/UnsignedDifferenceExpressionComparedZero.qlref
+++ /dev/null
@@ -1 +0,0 @@
-experimental/Security/CWE/CWE-191/UnsignedDifferenceExpressionComparedZero.ql
diff --git a/cpp/ql/test/experimental/query-tests/Security/CWE/CWE-191/UnsignedDifferenceExpressionComparedZero/UnsignedDifferenceExpressionComparedZero.expected b/cpp/ql/test/query-tests/Security/CWE/CWE-191/UnsignedDifferenceExpressionComparedZero/UnsignedDifferenceExpressionComparedZero.expected
similarity index 100%
rename from cpp/ql/test/experimental/query-tests/Security/CWE/CWE-191/UnsignedDifferenceExpressionComparedZero/UnsignedDifferenceExpressionComparedZero.expected
rename to cpp/ql/test/query-tests/Security/CWE/CWE-191/UnsignedDifferenceExpressionComparedZero/UnsignedDifferenceExpressionComparedZero.expected
diff --git a/cpp/ql/test/query-tests/Security/CWE/CWE-191/UnsignedDifferenceExpressionComparedZero/UnsignedDifferenceExpressionComparedZero.qlref b/cpp/ql/test/query-tests/Security/CWE/CWE-191/UnsignedDifferenceExpressionComparedZero/UnsignedDifferenceExpressionComparedZero.qlref
new file mode 100644
index 00000000000..9681978c0ad
--- /dev/null
+++ b/cpp/ql/test/query-tests/Security/CWE/CWE-191/UnsignedDifferenceExpressionComparedZero/UnsignedDifferenceExpressionComparedZero.qlref
@@ -0,0 +1 @@
+Security/CWE/CWE-191/UnsignedDifferenceExpressionComparedZero.ql
diff --git a/cpp/ql/test/experimental/query-tests/Security/CWE/CWE-191/UnsignedDifferenceExpressionComparedZero/test.cpp b/cpp/ql/test/query-tests/Security/CWE/CWE-191/UnsignedDifferenceExpressionComparedZero/test.cpp
similarity index 100%
rename from cpp/ql/test/experimental/query-tests/Security/CWE/CWE-191/UnsignedDifferenceExpressionComparedZero/test.cpp
rename to cpp/ql/test/query-tests/Security/CWE/CWE-191/UnsignedDifferenceExpressionComparedZero/test.cpp

From 707f532e107f5b6873b94850a097f2266171088b Mon Sep 17 00:00:00 2001
From: Mathias Vorreiter Pedersen <mathiasvp@github.com>
Date: Thu, 4 Feb 2021 16:01:28 +0100
Subject: [PATCH 174/429] C++: Fix bad join-order using a poor man's unbind
 operator.

---
 ...UnsignedDifferenceExpressionComparedZero.ql | 18 +++++++++++++-----
 1 file changed, 13 insertions(+), 5 deletions(-)

diff --git a/cpp/ql/src/Security/CWE/CWE-191/UnsignedDifferenceExpressionComparedZero.ql b/cpp/ql/src/Security/CWE/CWE-191/UnsignedDifferenceExpressionComparedZero.ql
index 8bab534344d..36f2390e995 100644
--- a/cpp/ql/src/Security/CWE/CWE-191/UnsignedDifferenceExpressionComparedZero.ql
+++ b/cpp/ql/src/Security/CWE/CWE-191/UnsignedDifferenceExpressionComparedZero.ql
@@ -16,16 +16,24 @@ import semmle.code.cpp.valuenumbering.GlobalValueNumbering
 import semmle.code.cpp.rangeanalysis.SimpleRangeAnalysis
 import semmle.code.cpp.controlflow.Guards
 
+/** Holds if `sub` is guarded by a condition which ensures that `left >= right`. */
+pragma[noinline]
+predicate isGuarded(SubExpr sub, Expr left, Expr right) {
+  exists(GuardCondition guard |
+    guard.controls(sub.getBasicBlock(), true) and
+    guard.ensuresLt(left, right, 0, sub.getBasicBlock(), false)
+  )
+}
+
 /** Holds if `sub` will never be negative. */
 predicate nonNegative(SubExpr sub) {
   not exprMightOverflowNegatively(sub.getFullyConverted())
   or
   // The subtraction is guarded by a check of the form `left >= right`.
-  exists(GuardCondition guard, Expr left, Expr right |
-    left = globalValueNumber(sub.getLeftOperand()).getAnExpr() and
-    right = globalValueNumber(sub.getRightOperand()).getAnExpr() and
-    guard.controls(sub.getBasicBlock(), true) and
-    guard.ensuresLt(left, right, 0, sub.getBasicBlock(), false)
+  exists(GVN left, GVN right |
+    strictcount([left, globalValueNumber(sub.getLeftOperand())]) = 1 and
+    strictcount([right, globalValueNumber(sub.getRightOperand())]) = 1 and
+    isGuarded(sub, left.getAnExpr(), right.getAnExpr())
   )
 }
 

From d9d82fc56aa6f2e9412af86a676ee0e601d9bbfa Mon Sep 17 00:00:00 2001
From: Mathias Vorreiter Pedersen <mathiasvp@github.com>
Date: Thu, 4 Feb 2021 16:24:56 +0100
Subject: [PATCH 175/429] C++: Update change-notes

---
 .../2020-02-04-unsigned-difference-expression-compared-zero.md  | 2 ++
 cpp/config/suites/cpp/correctness                               | 1 +
 2 files changed, 3 insertions(+)
 create mode 100644 cpp/change-notes/2020-02-04-unsigned-difference-expression-compared-zero.md

diff --git a/cpp/change-notes/2020-02-04-unsigned-difference-expression-compared-zero.md b/cpp/change-notes/2020-02-04-unsigned-difference-expression-compared-zero.md
new file mode 100644
index 00000000000..e2726b5b574
--- /dev/null
+++ b/cpp/change-notes/2020-02-04-unsigned-difference-expression-compared-zero.md
@@ -0,0 +1,2 @@
+lgtm
+* A new query (`cpp/unsigned-difference-expression-compared-zero`) has been added. The query finds unsigned subtractions used in relational comparisons with the value 0.
\ No newline at end of file
diff --git a/cpp/config/suites/cpp/correctness b/cpp/config/suites/cpp/correctness
index bcdf94c94ce..55678a1dd37 100644
--- a/cpp/config/suites/cpp/correctness
+++ b/cpp/config/suites/cpp/correctness
@@ -10,6 +10,7 @@
 + semmlecode-cpp-queries/Likely Bugs/Underspecified Functions/MistypedFunctionArguments.ql: /Correctness/Dangerous Conversions
 + semmlecode-cpp-queries/Security/CWE/CWE-253/HResultBooleanConversion.ql: /Correctness/Dangerous Conversions
 + semmlecode-cpp-queries/Likely Bugs/OO/UnsafeUseOfThis.ql: /Correctness/Dangerous Conversions
++ semmlecode-cpp-queries/Security/CWE/CWE-191/UnsignedDifferenceExpressionComparedZero.ql: /Correctness/Dangerous Conversions
   # Consistent Use
 + semmlecode-cpp-queries/Critical/ReturnValueIgnored.ql: /Correctness/Consistent Use
 + semmlecode-cpp-queries/Likely Bugs/InconsistentCheckReturnNull.ql: /Correctness/Consistent Use

From 305bfaba2d5e2de09ff0558e6f24d098be2fa19e Mon Sep 17 00:00:00 2001
From: Taus Brock-Nannestad <tausbn@github.com>
Date: Thu, 4 Feb 2021 16:46:22 +0100
Subject: [PATCH 176/429] Python: Fix `imports/2`

---
 python/ql/src/semmle/python/ApiGraphs.qll | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)

diff --git a/python/ql/src/semmle/python/ApiGraphs.qll b/python/ql/src/semmle/python/ApiGraphs.qll
index 8a0d4dfd7ef..02cf31fc669 100644
--- a/python/ql/src/semmle/python/ApiGraphs.qll
+++ b/python/ql/src/semmle/python/ApiGraphs.qll
@@ -273,7 +273,7 @@ module API {
       exists(ImportExprNode iexpr |
         imp.asCfgNode() = iexpr and
         not iexpr.getNode().isRelative() and
-        name = iexpr.getNode().getName()
+        name = iexpr.getNode().getImportedModuleName()
       )
     }
 

From 161e5679a741753695827cc4ac9f1613f5eede18 Mon Sep 17 00:00:00 2001
From: Mathias Vorreiter Pedersen <mathiasvp@github.com>
Date: Thu, 4 Feb 2021 16:47:45 +0100
Subject: [PATCH 177/429] Apply suggestions from code review

Co-authored-by: hubwriter <hubwriter@github.com>
---
 .../CWE-191/UnsignedDifferenceExpressionComparedZero.qhelp  | 6 +++---
 1 file changed, 3 insertions(+), 3 deletions(-)

diff --git a/cpp/ql/src/Security/CWE/CWE-191/UnsignedDifferenceExpressionComparedZero.qhelp b/cpp/ql/src/Security/CWE/CWE-191/UnsignedDifferenceExpressionComparedZero.qhelp
index 575d37d3c85..965429bda8a 100644
--- a/cpp/ql/src/Security/CWE/CWE-191/UnsignedDifferenceExpressionComparedZero.qhelp
+++ b/cpp/ql/src/Security/CWE/CWE-191/UnsignedDifferenceExpressionComparedZero.qhelp
@@ -5,9 +5,9 @@
 <overview>
 <p>
 This rule finds relational comparisons between the result of an unsigned subtraction and the value <code>0</code>.
-Such comparisons are likely wrong as the value of an unsigned subtraction can never be negative. So the
+Such comparisons are likely to be wrong as the value of an unsigned subtraction can never be negative. So the
 relational comparison ends up checking whether the result of the subtraction is equal to <code>0</code>.
-This is likely not what the programmer intended.
+This is probably not what the programmer intended.
 </p>
 </overview>
 <recommendation>
@@ -23,7 +23,7 @@ This is likely not what the programmer intended.
 </example>
 <references>
 
-<li>CERT C Coding Standard:
+<li>SEI CERT C Coding Standard:
 <a href="https://wiki.sei.cmu.edu/confluence/display/c/INT02-C.+Understand+integer+conversion+rules">INT02-C. Understand integer conversion rules</a>.
 </li>
 

From 9d06c75aed2b707645387e1fd942dddba3ba4c7b Mon Sep 17 00:00:00 2001
From: alexet <alexet@semmle.com>
Date: Thu, 4 Feb 2021 15:48:10 +0000
Subject: [PATCH 178/429] Javascript: improve performance of
 ExplicitInvokeNode::getArgument

---
 .../ql/src/semmle/javascript/dataflow/DataFlow.qll  | 13 ++++++++++++-
 1 file changed, 12 insertions(+), 1 deletion(-)

diff --git a/javascript/ql/src/semmle/javascript/dataflow/DataFlow.qll b/javascript/ql/src/semmle/javascript/dataflow/DataFlow.qll
index a2b2d2deb66..f07a40e4f7e 100644
--- a/javascript/ql/src/semmle/javascript/dataflow/DataFlow.qll
+++ b/javascript/ql/src/semmle/javascript/dataflow/DataFlow.qll
@@ -1079,8 +1079,19 @@ module DataFlow {
 
       override DataFlow::Node getCalleeNode() { result = DataFlow::valueNode(astNode.getCallee()) }
 
+      /**
+       * Whether i is an index that occurs after a spread argument.
+       */
+      pragma[nomagic]
+      private predicate isIndexAfterSpread(int i) {
+        astNode.isSpreadArgument(i)
+        or
+        exists(astNode.getArgument(i)) and
+        isIndexAfterSpread(i - 1)
+      }
+
       override DataFlow::Node getArgument(int i) {
-        not astNode.isSpreadArgument([0 .. i]) and
+        not isIndexAfterSpread(i) and
         result = DataFlow::valueNode(astNode.getArgument(i))
       }
 

From 6a97d02247578ee82fc03712918d957eee29ec8b Mon Sep 17 00:00:00 2001
From: Mathias Vorreiter Pedersen <mathiasvp@github.com>
Date: Thu, 4 Feb 2021 17:24:14 +0100
Subject: [PATCH 179/429] C++: Address review comments.

---
 .../CWE/CWE-191/UnsignedDifferenceExpressionComparedZero.ql      | 1 +
 1 file changed, 1 insertion(+)

diff --git a/cpp/ql/src/Security/CWE/CWE-191/UnsignedDifferenceExpressionComparedZero.ql b/cpp/ql/src/Security/CWE/CWE-191/UnsignedDifferenceExpressionComparedZero.ql
index 36f2390e995..007a4fd746d 100644
--- a/cpp/ql/src/Security/CWE/CWE-191/UnsignedDifferenceExpressionComparedZero.ql
+++ b/cpp/ql/src/Security/CWE/CWE-191/UnsignedDifferenceExpressionComparedZero.ql
@@ -31,6 +31,7 @@ predicate nonNegative(SubExpr sub) {
   or
   // The subtraction is guarded by a check of the form `left >= right`.
   exists(GVN left, GVN right |
+    // This is basically a poor man's version of a directional unbind operator.
     strictcount([left, globalValueNumber(sub.getLeftOperand())]) = 1 and
     strictcount([right, globalValueNumber(sub.getRightOperand())]) = 1 and
     isGuarded(sub, left.getAnExpr(), right.getAnExpr())

From aa7e9f0b56357d0446e7299869c67a419803fb53 Mon Sep 17 00:00:00 2001
From: Taus Brock-Nannestad <tausbn@github.com>
Date: Thu, 4 Feb 2021 18:00:57 +0100
Subject: [PATCH 180/429] Python: Add big explanatory comment about prefixes.

---
 python/ql/src/semmle/python/ApiGraphs.qll | 54 +++++++++++++++++++++++
 1 file changed, 54 insertions(+)

diff --git a/python/ql/src/semmle/python/ApiGraphs.qll b/python/ql/src/semmle/python/ApiGraphs.qll
index 02cf31fc669..cb78e3eb9ce 100644
--- a/python/ql/src/semmle/python/ApiGraphs.qll
+++ b/python/ql/src/semmle/python/ApiGraphs.qll
@@ -231,6 +231,60 @@ module API {
    */
   cached
   private module Impl {
+    /*
+     * Modeling imports is slightly tricky because of the way we handle dotted name imports in our
+     * libraries. In dotted imports such as
+     *
+     * ```python
+     * import foo.bar.baz as fbb
+     * from foo.bar.baz import quux as fbbq
+     * ```
+     *
+     * the dotted name is simply represented as a string. We would like `fbb.quux` and `fbbq` to
+     * be represented as API graph nodes with the following path:
+     *
+     * ```ql
+     * moduleImport("foo").getMember("bar").getMember("baz").getMember("quux")
+     * ```
+     *
+     * To do this, we produce an API graph node for each dotted name prefix we find in the set of
+     * imports. Thus, for the above two imports, we would get nodes for
+     *
+     * ```python
+     * foo
+     * foo.bar
+     * foo.bar.baz
+     * ```
+     *
+     * Only the first of these can act as the beginning of a path (and become a
+     * `moduleImport`-labeled edge from the global root node).
+     *
+     * (Using prefixes rather than simply `foo`, `bar`, and `baz` is important. We don't want
+     * potential crosstalk between `foo.bar.baz` and `ham.bar.eggs`.)
+     *
+     * We then add `getMember` edges between these prefixes: `foo` steps to `foo.bar` via an edge
+     * labeled `getMember("bar")` and so on.
+     *
+     * When we then see `import foo.bar.baz as fbb`, the data-flow node `fbb` gets marked as a use
+     * of the API graph node corresponding to the prefix `foo.bar.baz`. Because of the edges leading to
+     * this node, it is reachable via `moduleImport("foo").getMember("bar").getMember("baz")` and
+     * thus `fbb.quux` is reachable via the path mentioned above.
+     *
+     * When we see `from foo.bar.baz import quux as fbb` a similar thing happens. First, `foo.bar.baz`
+     * is seen as a use of the API graph node as before. Then `import quux as fbbq` is seen as
+     * a member lookup of `quux` on the API graph node for `foo.bar.baz`, and then finally the
+     * data-flow node `fbbq` is marked as a use of the same path mentioned above.
+     *
+     * Finally, in a non-aliased import such as
+     *
+     * ```python
+     * import foo.bar.baz
+     * ```
+     *
+     * we only consider this as a definition of the name `foo` (thus making it a use of the corresponding
+     * API graph node for the prefix `foo`), in accordance with the usual semantics of Python.
+     */
+
     cached
     newtype TApiNode =
       /** The root of the API graph. */

From 2524f23a46e2c4194fcb9619aa084f5c373ea003 Mon Sep 17 00:00:00 2001
From: Taus Brock-Nannestad <tausbn@github.com>
Date: Thu, 4 Feb 2021 18:05:33 +0100
Subject: [PATCH 181/429] Python: Add more test cases

There is now a bit of redundancy in the tests, but I thought it useful
to actually include some of the cases called out explicitly in the
documentation, so as to make it easy to see that the code actually
does what we expect (in these cases, anyway).
---
 .../test/experimental/dataflow/ApiGraphs/test.py   | 14 ++++++++++++++
 1 file changed, 14 insertions(+)

diff --git a/python/ql/test/experimental/dataflow/ApiGraphs/test.py b/python/ql/test/experimental/dataflow/ApiGraphs/test.py
index 8137066ad6f..27888cd9f9e 100644
--- a/python/ql/test/experimental/dataflow/ApiGraphs/test.py
+++ b/python/ql/test/experimental/dataflow/ApiGraphs/test.py
@@ -28,6 +28,14 @@ from a6 import m6 #$ use=moduleImport("a6").getMember("m6")
 
 x6 = m6().foo().bar() #$ use=moduleImport("a6").getMember("m6").getReturn().getMember("foo").getReturn().getMember("bar").getReturn()
 
+import foo.baz.baz as fbb #$ use=moduleImport("foo").getMember("baz").getMember("baz")
+from foo.bar.baz import quux as fbbq #$ use=moduleImport("foo").getMember("bar").getMember("baz").getMember("quux")
+from ham.bar.eggs import spam as hbes #$ use=moduleImport("ham").getMember("bar").getMember("eggs").getMember("spam")
+fbb.quux #$ use=moduleImport("foo").getMember("baz").getMember("baz").getMember("quux")
+fbbq #$ use=moduleImport("foo").getMember("bar").getMember("baz").getMember("quux")
+hbes #$ use=moduleImport("ham").getMember("bar").getMember("eggs").getMember("spam")
+
+import foo.bar.baz #$ use=moduleImport("foo")
 
 # Relative imports. These are ignored
 
@@ -65,3 +73,9 @@ def f():
     foo = NONSOURCE
     change_foo()
     sink(foo) #$ MISSING: use=moduleImport("danger").getMember("SOURCE")
+
+# Star imports
+
+from unknown import * #$ use=moduleImport("unknown")
+
+hello() #$ MISSING: use=moduleImport("unknown").getMember("hello").getReturn()

From f6e1ea5b2adcd367ac2b01216dec472c4f070040 Mon Sep 17 00:00:00 2001
From: Taus Brock-Nannestad <tausbn@github.com>
Date: Thu, 4 Feb 2021 18:07:13 +0100
Subject: [PATCH 182/429] Python: Fix missing global variable source nodes

In lieu of removing the offending flow (which would likely have
consequences for a lot of other tests), I opted to simply _include_
the relevant nodes directly.
---
 .../src/semmle/python/dataflow/new/internal/DataFlowPublic.qll  | 2 ++
 python/ql/test/experimental/dataflow/ApiGraphs/test.py          | 2 +-
 2 files changed, 3 insertions(+), 1 deletion(-)

diff --git a/python/ql/src/semmle/python/dataflow/new/internal/DataFlowPublic.qll b/python/ql/src/semmle/python/dataflow/new/internal/DataFlowPublic.qll
index b2e2298182e..dcc175276f8 100644
--- a/python/ql/src/semmle/python/dataflow/new/internal/DataFlowPublic.qll
+++ b/python/ql/src/semmle/python/dataflow/new/internal/DataFlowPublic.qll
@@ -446,6 +446,8 @@ class LocalSourceNode extends Node {
   LocalSourceNode() {
     not simpleLocalFlowStep+(any(CfgNode n), this) and
     not this instanceof ModuleVariableNode
+    or
+    this = any(ModuleVariableNode mvn).getARead()
   }
 
   /** Holds if this `LocalSourceNode` can flow to `nodeTo` in one or more local flow steps. */
diff --git a/python/ql/test/experimental/dataflow/ApiGraphs/test.py b/python/ql/test/experimental/dataflow/ApiGraphs/test.py
index 27888cd9f9e..b250c7985e2 100644
--- a/python/ql/test/experimental/dataflow/ApiGraphs/test.py
+++ b/python/ql/test/experimental/dataflow/ApiGraphs/test.py
@@ -72,7 +72,7 @@ def f():
     sink(foo) #$ use=moduleImport("danger").getMember("SOURCE")
     foo = NONSOURCE
     change_foo()
-    sink(foo) #$ MISSING: use=moduleImport("danger").getMember("SOURCE")
+    sink(foo) #$ use=moduleImport("danger").getMember("SOURCE")
 
 # Star imports
 

From 4b9532c6f7cb6bcb5f7b35d724d9c39a0943095f Mon Sep 17 00:00:00 2001
From: Geoffrey White <40627776+geoffw0@users.noreply.github.com>
Date: Wed, 18 Sep 2019 10:35:42 +0100
Subject: [PATCH 183/429] CPP: Examples Namespace.qll.

---
 cpp/ql/src/semmle/code/cpp/Namespace.qll | 43 +++++++++++++++++++-----
 1 file changed, 35 insertions(+), 8 deletions(-)

diff --git a/cpp/ql/src/semmle/code/cpp/Namespace.qll b/cpp/ql/src/semmle/code/cpp/Namespace.qll
index 6172c3af50c..d46abc6b4db 100644
--- a/cpp/ql/src/semmle/code/cpp/Namespace.qll
+++ b/cpp/ql/src/semmle/code/cpp/Namespace.qll
@@ -7,8 +7,21 @@ import semmle.code.cpp.Type
 import semmle.code.cpp.metrics.MetricNamespace
 
 /**
- * A C++ namespace.
+ * A C++ namespace. For example the (single) namespace `A` in the following
+ * code:
+ * ```
+ * namespace A
+ * {
+ *   // ...
+ * }
  *
+ * // ...
+ *
+ * namespace A
+ * {
+ *   // ...
+ * }
+ * ```
  * Note that namespaces are somewhat nebulous entities, as they do not in
  * general have a single well-defined location in the source code. The
  * related notion of a `NamespaceDeclarationEntry` is rather more concrete,
@@ -96,10 +109,22 @@ class Namespace extends NameQualifyingElement, @namespace {
 }
 
 /**
- * A declaration of (part of) a C++ namespace.
+ * A declaration of (part of) a C++ namespace. This corresponds to a single
+ * `namespace N { ... }` occurrence in the source code. For example the two
+ * mentions of `A` in the following code:
+ * ```
+ * namespace A
+ * {
+ *   // ...
+ * }
  *
- * This corresponds to a single `namespace N { ... }` occurrence in the
- * source code.
+ * // ...
+ *
+ * namespace A
+ * {
+ *   // ...
+ * }
+ * ```
  */
 class NamespaceDeclarationEntry extends Locatable, @namespace_decl {
   /**
@@ -143,8 +168,9 @@ class UsingEntry extends Locatable, @using {
 
 /**
  * A C++ `using` declaration. For example:
- *
- *   `using std::string;`
+ * ```
+ * using std::string;
+ * ```
  */
 class UsingDeclarationEntry extends UsingEntry {
   UsingDeclarationEntry() {
@@ -162,8 +188,9 @@ class UsingDeclarationEntry extends UsingEntry {
 
 /**
  * A C++ `using` directive. For example:
- *
- *   `using namespace std;`
+ * ```
+ * using namespace std;
+ * ```
  */
 class UsingDirectiveEntry extends UsingEntry {
   UsingDirectiveEntry() {

From 500097ca76e0abce3d47a414b720d0be01b78ed9 Mon Sep 17 00:00:00 2001
From: Geoffrey White <40627776+geoffw0@users.noreply.github.com>
Date: Wed, 18 Sep 2019 16:03:35 +0100
Subject: [PATCH 184/429] CPP: Examples Preprocessor.qll.

---
 cpp/ql/src/semmle/code/cpp/Preprocessor.qll | 104 ++++++++++++++++----
 1 file changed, 84 insertions(+), 20 deletions(-)

diff --git a/cpp/ql/src/semmle/code/cpp/Preprocessor.qll b/cpp/ql/src/semmle/code/cpp/Preprocessor.qll
index a9609922b74..2389db07f2a 100644
--- a/cpp/ql/src/semmle/code/cpp/Preprocessor.qll
+++ b/cpp/ql/src/semmle/code/cpp/Preprocessor.qll
@@ -2,9 +2,14 @@ import semmle.code.cpp.Location
 import semmle.code.cpp.Element
 
 /**
- * A C/C++ preprocessor directive.
- *
- * For example: `#ifdef`, `#line`, or `#pragma`.
+ * A C/C++ preprocessor directive. For example each of the following lines of
+ * code contains a `PreprocessorDirective`:
+ * ```
+ * #pragma once
+ * #ifdef MYDEFINE
+ * #include "myfile.h"
+ * #line 1 "source.c"
+ * ```
  */
 class PreprocessorDirective extends Locatable, @preprocdirect {
   override string toString() { result = "Preprocessor directive" }
@@ -98,9 +103,9 @@ class PreprocessorBranchDirective extends PreprocessorDirective, TPreprocessorBr
  * A C/C++ preprocessor branching directive: `#if`, `#ifdef`, `#ifndef`, or
  * `#elif`.
  *
- * A branching directive can have its condition evaluated at compile-time,
- * and as a result, the preprocessor will either take the branch, or not
- * take the branch.
+ * A branching directive has a condition and that condition may be evaluated
+ * at compile-time.  As a result, the preprocessor will either take the
+ * branch, or not take the branch.
  *
  * However, there are also situations in which a branch's condition isn't
  * evaluated.  The obvious case of this is when the directive is contained
@@ -136,8 +141,13 @@ class PreprocessorBranch extends PreprocessorBranchDirective, @ppd_branch {
 }
 
 /**
- * A C/C++ preprocessor `#if` directive.
- *
+ * A C/C++ preprocessor `#if` directive. For example there is a
+ * `PreprocessorIf` on the first line of the following code:
+ * ```
+ * #if defined(MYDEFINE)
+ * // ...
+ * #endif
+ * ```
  * For the related notion of a directive which causes branching (which
  * includes `#if`, plus also `#ifdef`, `#ifndef`, and `#elif`), see
  * `PreprocessorBranch`.
@@ -147,8 +157,13 @@ class PreprocessorIf extends PreprocessorBranch, @ppd_if {
 }
 
 /**
- * A C/C++ preprocessor `#ifdef` directive.
- *
+ * A C/C++ preprocessor `#ifdef` directive. For example there is a
+ * `PreprocessorIfdef` on the first line of the following code:
+ * ```
+ * #ifdef MYDEFINE
+ * // ...
+ * #endif
+ * ```
  * The syntax `#ifdef X` is shorthand for `#if defined(X)`.
  */
 class PreprocessorIfdef extends PreprocessorBranch, @ppd_ifdef {
@@ -158,8 +173,13 @@ class PreprocessorIfdef extends PreprocessorBranch, @ppd_ifdef {
 }
 
 /**
- * A C/C++ preprocessor `#ifndef` directive.
- *
+ * A C/C++ preprocessor `#ifndef` directive. For example there is a
+ * `PreprocessorIfndef` on the first line of the following code:
+ * ```
+ * #ifndef MYDEFINE
+ * // ...
+ * #endif
+ * ```
  * The syntax `#ifndef X` is shorthand for `#if !defined(X)`.
  */
 class PreprocessorIfndef extends PreprocessorBranch, @ppd_ifndef {
@@ -167,42 +187,80 @@ class PreprocessorIfndef extends PreprocessorBranch, @ppd_ifndef {
 }
 
 /**
- * A C/C++ preprocessor `#else` directive.
+ * A C/C++ preprocessor `#else` directive. For example there is a
+ * `PreprocessorElse` on the fifth line of the following code:
+ * ```
+ * #ifdef MYDEFINE1
+ * // ...
+ * #elif MYDEFINE2
+ * // ...
+ * #else
+ * // ...
+ * #endif
+ * ```
  */
 class PreprocessorElse extends PreprocessorBranchDirective, @ppd_else {
   override string toString() { result = "#else" }
 }
 
 /**
- * A C/C++ preprocessor `#elif` directive.
+ * A C/C++ preprocessor `#elif` directive. For example there is a
+ * `PreprocessorElif` on the third line of the following code:
+ * ```
+ * #ifdef MYDEFINE1
+ * // ...
+ * #elif MYDEFINE2
+ * // ...
+ * #else
+ * // ...
+ * #endif
+ * ```
  */
 class PreprocessorElif extends PreprocessorBranch, @ppd_elif {
   override string toString() { result = "#elif " + this.getHead() }
 }
 
 /**
- * A C/C++ preprocessor `#endif` directive.
+ * A C/C++ preprocessor `#endif` directive. For example there is a
+ * `PreprocessorEndif` on the third line of the following code:
+ * ```
+ * #ifdef MYDEFINE
+ * // ...
+ * #endif
+ * ```
  */
 class PreprocessorEndif extends PreprocessorBranchDirective, @ppd_endif {
   override string toString() { result = "#endif" }
 }
 
 /**
- * A C/C++ preprocessor `#warning` directive.
+ * A C/C++ preprocessor `#warning` directive. For example:
+ * ```
+ * #warning "This configuration is not supported."
+ * ```
  */
 class PreprocessorWarning extends PreprocessorDirective, @ppd_warning {
   override string toString() { result = "#warning " + this.getHead() }
 }
 
 /**
- * A C/C++ preprocessor `#error` directive.
+ * A C/C++ preprocessor `#error` directive. For example:
+ * ```
+ * #error "This configuration is not implemented."
+ * ```
  */
 class PreprocessorError extends PreprocessorDirective, @ppd_error {
   override string toString() { result = "#error " + this.getHead() }
 }
 
 /**
- * A C/C++ preprocessor `#undef` directive.
+ * A C/C++ preprocessor `#undef` directive. For example there is a
+ * `PreprocessorUndef` on the second line of the following code:
+ * ```
+ * #ifdef MYMACRO
+ * #undef MYMACRO
+ * #endif
+ * ```
  */
 class PreprocessorUndef extends PreprocessorDirective, @ppd_undef {
   override string toString() { result = "#undef " + this.getHead() }
@@ -214,7 +272,10 @@ class PreprocessorUndef extends PreprocessorDirective, @ppd_undef {
 }
 
 /**
- * A C/C++ preprocessor `#pragma` directive.
+ * A C/C++ preprocessor `#pragma` directive. For example:
+ * ```
+ * #pragma once
+ * ```
  */
 class PreprocessorPragma extends PreprocessorDirective, @ppd_pragma {
   override string toString() {
@@ -223,7 +284,10 @@ class PreprocessorPragma extends PreprocessorDirective, @ppd_pragma {
 }
 
 /**
- * A C/C++ preprocessor `#line` directive.
+ * A C/C++ preprocessor `#line` directive. For example:
+ * ```
+ * #line 1 "source.c"
+ * ```
  */
 class PreprocessorLine extends PreprocessorDirective, @ppd_line {
   override string toString() { result = "#line " + this.getHead() }

From 8ae01789b11923a82386257bda90c2855657c5b0 Mon Sep 17 00:00:00 2001
From: Geoffrey White <40627776+geoffw0@users.noreply.github.com>
Date: Thu, 19 Sep 2019 09:44:22 +0100
Subject: [PATCH 185/429] CPP: Examples Specifier.qll.

---
 cpp/ql/src/semmle/code/cpp/Specifier.qll | 39 +++++++++++++++++++-----
 1 file changed, 32 insertions(+), 7 deletions(-)

diff --git a/cpp/ql/src/semmle/code/cpp/Specifier.qll b/cpp/ql/src/semmle/code/cpp/Specifier.qll
index 3d68fb374f1..43e6ef5d83c 100644
--- a/cpp/ql/src/semmle/code/cpp/Specifier.qll
+++ b/cpp/ql/src/semmle/code/cpp/Specifier.qll
@@ -29,6 +29,7 @@ class Specifier extends Element, @specifier {
 
 /**
  * A C/C++ function specifier: `inline`, `virtual`, or `explicit`.
+ * TODO
  */
 class FunctionSpecifier extends Specifier {
   FunctionSpecifier() {
@@ -43,6 +44,7 @@ class FunctionSpecifier extends Specifier {
 /**
  * A C/C++ storage class specifier: `auto`, `register`, `static`, `extern`,
  * or `mutable".
+ * TODO
  */
 class StorageClassSpecifier extends Specifier {
   StorageClassSpecifier() {
@@ -58,6 +60,7 @@ class StorageClassSpecifier extends Specifier {
 
 /**
  * A C++ access specifier: `public`, `protected`, or `private`.
+ * TODO
  */
 class AccessSpecifier extends Specifier {
   AccessSpecifier() {
@@ -146,12 +149,14 @@ class Attribute extends Element, @attribute {
 /**
  * An attribute introduced by GNU's `__attribute__((name))` syntax, for
  * example: `__attribute__((__noreturn__))`.
+ * TODO
  */
 class GnuAttribute extends Attribute, @gnuattribute { }
 
 /**
  * An attribute introduced by the C++11 standard `[[name]]` syntax, for
  * example: `[[clang::fallthrough]]`.
+ * TODO
  */
 class StdAttribute extends Attribute, @stdattribute {
   /**
@@ -171,13 +176,20 @@ class StdAttribute extends Attribute, @stdattribute {
 }
 
 /**
- * An attribute introduced by Microsoft's `__declspec(name)` syntax, for
- * example: `__declspec(dllimport)`.
+ * An attribute introduced by Microsoft's `__declspec(name)` syntax.  For
+ * example the attribute on the following declaration:
+ * ```
+ * __declspec(dllimport) void myFunction();
+ * ```
  */
 class Declspec extends Attribute, @declspec { }
 
 /**
- * An attribute introduced by Microsoft's "[name]" syntax, for example "[SA_Pre(Deref=1,Access=SA_Read)]".
+ * An attribute introduced by Microsoft's "[name]" syntax. For example
+ * ```
+ * [SA_Pre(Deref=1,Access=SA_Read)]
+ * TODO
+ * ```
  */
 class MicrosoftAttribute extends Attribute, @msattribute {
   AttributeArgument getNamedArgument(string name) {
@@ -186,8 +198,13 @@ class MicrosoftAttribute extends Attribute, @msattribute {
 }
 
 /**
- * A C++11 `alignas` construct.
- *
+ * A C++11 `alignas` construct. For example the attribute in the following
+ * code:
+ * ```
+ * struct alignas(16) MyStruct {
+ *   int x;
+ * };
+ * ```
  * Though it doesn't use the attribute syntax, `alignas(...)` is presented
  * as an `Attribute` for consistency with the `[[align(...)]]` attribute.
  */
@@ -197,7 +214,11 @@ class AlignAs extends Attribute, @alignas {
 
 /**
  * A GNU `format` attribute of the form `__attribute__((format(archetype, format-index, first-arg)))`
- * that declares a function to accept a `printf` style format string.
+ * that declares a function to accept a `printf` style format string.  For example the attribute
+ * on the following declaration:
+ * ``` 
+ * int myPrintf(const char *format, ...) __attribute__((format(printf, 1, 2)));
+ * ```
  */
 class FormatAttribute extends GnuAttribute {
   FormatAttribute() { getName() = "format" }
@@ -242,7 +263,11 @@ class FormatAttribute extends GnuAttribute {
 }
 
 /**
- * An argument to an `Attribute`.
+ * An argument to an `Attribute`. For example the argument "dllimport" on the
+ * attribute in the following code:
+ * ```
+ * __declspec(dllimport) void myFunction();
+ * ```
  */
 class AttributeArgument extends Element, @attribute_arg {
   /**

From 1f928c29104cde7db37bb7ff8fa2dcb277b1af5e Mon Sep 17 00:00:00 2001
From: Geoffrey White <40627776+geoffw0@users.noreply.github.com>
Date: Thu, 26 Sep 2019 17:23:45 +0100
Subject: [PATCH 186/429] CPP: Examples Element.qll.

---
 cpp/ql/src/semmle/code/cpp/Element.qll | 7 ++++++-
 1 file changed, 6 insertions(+), 1 deletion(-)

diff --git a/cpp/ql/src/semmle/code/cpp/Element.qll b/cpp/ql/src/semmle/code/cpp/Element.qll
index f4c1bd972c6..66f23ea110f 100644
--- a/cpp/ql/src/semmle/code/cpp/Element.qll
+++ b/cpp/ql/src/semmle/code/cpp/Element.qll
@@ -270,7 +270,12 @@ private predicate isFromUninstantiatedTemplateRec(Element e, Element template) {
 }
 
 /**
- * A C++11 `static_assert` or C11 `_Static_assert` construct.
+ * A C++11 `static_assert` or C11 `_Static_assert` construct. For example each
+ * line in the following example contains a static assert:
+ * ```
+ * static_assert(sizeof(MyStruct) <= 4096);
+ * static_assert(sizeof(MyStruct) <= 4096, "MyStruct is too big!");
+ * ```
  */
 class StaticAssert extends Locatable, @static_assert {
   override string toString() { result = "static_assert(..., \"" + getMessage() + "\")" }

From 2160edc789d21bb398e6cee28730490025a55101 Mon Sep 17 00:00:00 2001
From: Geoffrey White <40627776+geoffw0@users.noreply.github.com>
Date: Thu, 4 Feb 2021 17:14:49 +0000
Subject: [PATCH 187/429] C++: Clean up bits I didn't finish.

---
 cpp/ql/src/semmle/code/cpp/Specifier.qll | 11 +----------
 1 file changed, 1 insertion(+), 10 deletions(-)

diff --git a/cpp/ql/src/semmle/code/cpp/Specifier.qll b/cpp/ql/src/semmle/code/cpp/Specifier.qll
index 43e6ef5d83c..8331d0dfacc 100644
--- a/cpp/ql/src/semmle/code/cpp/Specifier.qll
+++ b/cpp/ql/src/semmle/code/cpp/Specifier.qll
@@ -29,7 +29,6 @@ class Specifier extends Element, @specifier {
 
 /**
  * A C/C++ function specifier: `inline`, `virtual`, or `explicit`.
- * TODO
  */
 class FunctionSpecifier extends Specifier {
   FunctionSpecifier() {
@@ -44,7 +43,6 @@ class FunctionSpecifier extends Specifier {
 /**
  * A C/C++ storage class specifier: `auto`, `register`, `static`, `extern`,
  * or `mutable".
- * TODO
  */
 class StorageClassSpecifier extends Specifier {
   StorageClassSpecifier() {
@@ -60,7 +58,6 @@ class StorageClassSpecifier extends Specifier {
 
 /**
  * A C++ access specifier: `public`, `protected`, or `private`.
- * TODO
  */
 class AccessSpecifier extends Specifier {
   AccessSpecifier() {
@@ -149,14 +146,12 @@ class Attribute extends Element, @attribute {
 /**
  * An attribute introduced by GNU's `__attribute__((name))` syntax, for
  * example: `__attribute__((__noreturn__))`.
- * TODO
  */
 class GnuAttribute extends Attribute, @gnuattribute { }
 
 /**
  * An attribute introduced by the C++11 standard `[[name]]` syntax, for
  * example: `[[clang::fallthrough]]`.
- * TODO
  */
 class StdAttribute extends Attribute, @stdattribute {
   /**
@@ -185,11 +180,7 @@ class StdAttribute extends Attribute, @stdattribute {
 class Declspec extends Attribute, @declspec { }
 
 /**
- * An attribute introduced by Microsoft's "[name]" syntax. For example
- * ```
- * [SA_Pre(Deref=1,Access=SA_Read)]
- * TODO
- * ```
+ * An attribute introduced by Microsoft's "[name]" syntax, for example "[SA_Pre(Deref=1,Access=SA_Read)]".
  */
 class MicrosoftAttribute extends Attribute, @msattribute {
   AttributeArgument getNamedArgument(string name) {

From 3c7d9c3c4b5aac34ee2f777ce47734954baeeccb Mon Sep 17 00:00:00 2001
From: Taus Brock-Nannestad <tausbn@github.com>
Date: Thu, 4 Feb 2021 18:33:50 +0100
Subject: [PATCH 188/429] Python: Fix typo

---
 python/ql/src/semmle/python/ApiGraphs.qll | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)

diff --git a/python/ql/src/semmle/python/ApiGraphs.qll b/python/ql/src/semmle/python/ApiGraphs.qll
index cb78e3eb9ce..0fc92f22c94 100644
--- a/python/ql/src/semmle/python/ApiGraphs.qll
+++ b/python/ql/src/semmle/python/ApiGraphs.qll
@@ -88,7 +88,7 @@ module API {
      * Gets a node representing the result of the function represented by this node.
      *
      * This predicate may have multiple results when there are multiple invocations of this API component.
-     * Consider using `getACall()` if there is a need to distingiush between individual calls.
+     * Consider using `getACall()` if there is a need to distinguish between individual calls.
      */
     Node getReturn() { result = getASuccessor(Label::return()) }
 

From a505eb692237e540171e3b17f1b23149c2388d3f Mon Sep 17 00:00:00 2001
From: Taus Brock-Nannestad <tausbn@github.com>
Date: Thu, 4 Feb 2021 18:34:06 +0100
Subject: [PATCH 189/429] Python: Adhere to QLDoc style guide

---
 python/ql/src/semmle/python/ApiGraphs.qll | 26 +++++++++++++----------
 1 file changed, 15 insertions(+), 11 deletions(-)

diff --git a/python/ql/src/semmle/python/ApiGraphs.qll b/python/ql/src/semmle/python/ApiGraphs.qll
index 0fc92f22c94..6bacac72c3a 100644
--- a/python/ql/src/semmle/python/ApiGraphs.qll
+++ b/python/ql/src/semmle/python/ApiGraphs.qll
@@ -128,25 +128,29 @@ module API {
     DataFlow::Node getInducingNode() { this = Impl::MkUse(result) }
 
     /**
-     * Holds if this node is located in file `path` between line `startline`, column `startcol`,
-     * and line `endline`, column `endcol`.
-     *
-     * For nodes that do not have a meaningful location, `path` is the empty string and all other
-     * parameters are zero.
+     * Holds if this element is at the specified location.
+     * The location spans column `startcolumn` of line `startline` to
+     * column `endcolumn` of line `endline` in file `filepath`.
+     * For more information, see
+     * [Locations](https://help.semmle.com/QL/learn-ql/locations.html).
      */
-    predicate hasLocationInfo(string path, int startline, int startcol, int endline, int endcol) {
-      getInducingNode().hasLocationInfo(path, startline, startcol, endline, endcol)
+    predicate hasLocationInfo(
+      string filepath, int startline, int startcolumn, int endline, int endcolumn
+    ) {
+      getInducingNode().hasLocationInfo(filepath, startline, startcolumn, endline, endcolumn)
       or
+      // For nodes that do not have a meaningful location, `path` is the empty string and all other
+      // parameters are zero.
       not exists(getInducingNode()) and
-      path = "" and
+      filepath = "" and
       startline = 0 and
-      startcol = 0 and
+      startcolumn = 0 and
       endline = 0 and
-      endcol = 0
+      endcolumn = 0
     }
 
     /**
-     * Gets a textual representation of this node.
+     * Gets a textual representation of this element.
      */
     abstract string toString();
 

From d0359370837c53e3905504ee3141b56da78817a3 Mon Sep 17 00:00:00 2001
From: Taus Brock-Nannestad <tausbn@github.com>
Date: Thu, 4 Feb 2021 18:43:44 +0100
Subject: [PATCH 190/429] Python: Add change note

---
 python/change-notes/2021-02-04-api-graphs.md | 2 ++
 1 file changed, 2 insertions(+)
 create mode 100644 python/change-notes/2021-02-04-api-graphs.md

diff --git a/python/change-notes/2021-02-04-api-graphs.md b/python/change-notes/2021-02-04-api-graphs.md
new file mode 100644
index 00000000000..533a4b17c5a
--- /dev/null
+++ b/python/change-notes/2021-02-04-api-graphs.md
@@ -0,0 +1,2 @@
+lgtm,codescanning
+* Added support for API graphs. Data-flow nodes referring to an external API component such as `flask.views.View` can now be found using `API::moduleImport("flask").getMember("views").getMember("View").getAUse()` when the `semmle.python.ApiGraphs` module has been imported.
\ No newline at end of file

From 979fdd2c6a9fe011d1ee43dce9e09e3c03da292d Mon Sep 17 00:00:00 2001
From: "Raul Garcia (MSFT)" <raul.garcia@microsoft.com>
Date: Thu, 4 Feb 2021 10:23:01 -0800
Subject: [PATCH 191/429] Addressing multiple comments

---
 .../backdoor/DangerousNativeFunctionCall.ql               | 1 +
 .../Security Features/backdoor/PotentialTimeBomb.qhelp    | 8 ++++++++
 .../backdoor/ProcessNameToHashTaintFlow.qhelp             | 2 +-
 .../backdoor/ProcessNameToHashTaintFlow.ql                | 1 +
 ...Detection.qhelp => ModifiedFnvFunctionDetection.qhelp} | 0
 ...nctionDetection.ql => ModifiedFnvFunctionDetection.ql} | 0
 6 files changed, 11 insertions(+), 1 deletion(-)
 create mode 100644 csharp/ql/src/experimental/Security Features/backdoor/PotentialTimeBomb.qhelp
 rename csharp/ql/src/experimental/Security Features/campaign/Solorigate/{ModifedFnvFunctionDetection.qhelp => ModifiedFnvFunctionDetection.qhelp} (100%)
 rename csharp/ql/src/experimental/Security Features/campaign/Solorigate/{ModifedFnvFunctionDetection.ql => ModifiedFnvFunctionDetection.ql} (100%)

diff --git a/csharp/ql/src/experimental/Security Features/backdoor/DangerousNativeFunctionCall.ql b/csharp/ql/src/experimental/Security Features/backdoor/DangerousNativeFunctionCall.ql
index cc8f0bda367..f36f5b6ee2a 100644
--- a/csharp/ql/src/experimental/Security Features/backdoor/DangerousNativeFunctionCall.ql	
+++ b/csharp/ql/src/experimental/Security Features/backdoor/DangerousNativeFunctionCall.ql	
@@ -1,6 +1,7 @@
 /**
  * @name Potential dangerous use of native functions
  * @description Please review code for possible malicious intent or unsafe handling.
+ *              NOTE: This query is an example of a query that may be useful for detecting potential backdoors, and Solorigate is just one such example that uses this mechanism.
  * @kind problem
  * @problem.severity warning
  * @precision low
diff --git a/csharp/ql/src/experimental/Security Features/backdoor/PotentialTimeBomb.qhelp b/csharp/ql/src/experimental/Security Features/backdoor/PotentialTimeBomb.qhelp
new file mode 100644
index 00000000000..32f0e200c15
--- /dev/null
+++ b/csharp/ql/src/experimental/Security Features/backdoor/PotentialTimeBomb.qhelp	
@@ -0,0 +1,8 @@
+<!DOCTYPE qhelp PUBLIC
+  "-//Semmle//qhelp//EN"
+  "qhelp.dtd">
+<qhelp>
+  <overview>
+    <p>This query finds if there exists a DataFlow from a file last modification date (very likely implant installation time) and an offset to a condition statement (the trigger) that controls code execution.</p>
+  </overview>
+</qhelp>
\ No newline at end of file
diff --git a/csharp/ql/src/experimental/Security Features/backdoor/ProcessNameToHashTaintFlow.qhelp b/csharp/ql/src/experimental/Security Features/backdoor/ProcessNameToHashTaintFlow.qhelp
index 39d21b32b72..7281ddb28bb 100644
--- a/csharp/ql/src/experimental/Security Features/backdoor/ProcessNameToHashTaintFlow.qhelp	
+++ b/csharp/ql/src/experimental/Security Features/backdoor/ProcessNameToHashTaintFlow.qhelp	
@@ -3,7 +3,7 @@
   "qhelp.dtd">
 <qhelp>
   <overview>
-    <p>This query detects code flow from PorcessName property on the Process class into a hash function.</p>
+    <p>This query detects code flow from ProcessName property on the Process class into a hash function.</p>
     <p>Such flow is often used in code backdoors to detect runnig processes and compare them to an obfuscated list of antivirus processes to aviod detection.</p>
   </overview>
 </qhelp>
\ No newline at end of file
diff --git a/csharp/ql/src/experimental/Security Features/backdoor/ProcessNameToHashTaintFlow.ql b/csharp/ql/src/experimental/Security Features/backdoor/ProcessNameToHashTaintFlow.ql
index 4b1c657eff3..5b1f8faeaf6 100644
--- a/csharp/ql/src/experimental/Security Features/backdoor/ProcessNameToHashTaintFlow.ql	
+++ b/csharp/ql/src/experimental/Security Features/backdoor/ProcessNameToHashTaintFlow.ql	
@@ -1,6 +1,7 @@
 /**
  * @name ProcessName to hash function flow
  * @description Flow from a function retrieving process name to a hash function
+ *              NOTE: This query is an example of a query that may be useful for detecting potential backdoors, and Solorigate is just one such example that uses this mechanism.
  * @kind problem
  * @tags security
  *       solorigate
diff --git a/csharp/ql/src/experimental/Security Features/campaign/Solorigate/ModifedFnvFunctionDetection.qhelp b/csharp/ql/src/experimental/Security Features/campaign/Solorigate/ModifiedFnvFunctionDetection.qhelp
similarity index 100%
rename from csharp/ql/src/experimental/Security Features/campaign/Solorigate/ModifedFnvFunctionDetection.qhelp
rename to csharp/ql/src/experimental/Security Features/campaign/Solorigate/ModifiedFnvFunctionDetection.qhelp
diff --git a/csharp/ql/src/experimental/Security Features/campaign/Solorigate/ModifedFnvFunctionDetection.ql b/csharp/ql/src/experimental/Security Features/campaign/Solorigate/ModifiedFnvFunctionDetection.ql
similarity index 100%
rename from csharp/ql/src/experimental/Security Features/campaign/Solorigate/ModifedFnvFunctionDetection.ql
rename to csharp/ql/src/experimental/Security Features/campaign/Solorigate/ModifiedFnvFunctionDetection.ql

From 993abd44993b16a0e5941afc73f0a250777eeda0 Mon Sep 17 00:00:00 2001
From: Mathias Vorreiter Pedersen <mathiasvp@github.com>
Date: Thu, 4 Feb 2021 20:23:27 +0100
Subject: [PATCH 192/429] C++: Add query author and link to original PR in
 change-note.

---
 .../2020-02-04-unsigned-difference-expression-compared-zero.md  | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)

diff --git a/cpp/change-notes/2020-02-04-unsigned-difference-expression-compared-zero.md b/cpp/change-notes/2020-02-04-unsigned-difference-expression-compared-zero.md
index e2726b5b574..31f2b035267 100644
--- a/cpp/change-notes/2020-02-04-unsigned-difference-expression-compared-zero.md
+++ b/cpp/change-notes/2020-02-04-unsigned-difference-expression-compared-zero.md
@@ -1,2 +1,2 @@
 lgtm
-* A new query (`cpp/unsigned-difference-expression-compared-zero`) has been added. The query finds unsigned subtractions used in relational comparisons with the value 0.
\ No newline at end of file
+* A new query (`cpp/unsigned-difference-expression-compared-zero`) has been added. The query finds unsigned subtractions used in relational comparisons with the value 0. This query was originally submitted as an experimental query by @ihsinme in https://github.com/github/codeql/pull/4745.
\ No newline at end of file

From a6fd7a3203f564015a9cc35f7fbb2cc99f6720cc Mon Sep 17 00:00:00 2001
From: Tamas Vajk <tamasvajk@github.com>
Date: Wed, 18 Nov 2020 15:48:05 +0100
Subject: [PATCH 193/429] C#: Extract record declarations

---
 .../Populators/TypeContainerVisitor.cs        |   5 +
 csharp/ql/src/semmle/code/csharp/PrintAst.qll |   7 +-
 .../library-tests/csharp9/InitOnlyProperty.cs |   7 -
 .../library-tests/csharp9/IsExternalInit.cs   |   7 +
 .../library-tests/csharp9/PrintAst.expected   | 429 +++++++++++++++---
 .../ql/test/library-tests/csharp9/Record.cs   |  72 +++
 .../csharp9/initOnlyProperty.expected         |  15 +-
 .../library-tests/csharp9/record.expected     | 212 +++++++++
 .../ql/test/library-tests/csharp9/record.ql   |  18 +
 9 files changed, 684 insertions(+), 88 deletions(-)
 create mode 100644 csharp/ql/test/library-tests/csharp9/IsExternalInit.cs
 create mode 100644 csharp/ql/test/library-tests/csharp9/Record.cs
 create mode 100644 csharp/ql/test/library-tests/csharp9/record.expected
 create mode 100644 csharp/ql/test/library-tests/csharp9/record.ql

diff --git a/csharp/extractor/Semmle.Extraction.CSharp/Populators/TypeContainerVisitor.cs b/csharp/extractor/Semmle.Extraction.CSharp/Populators/TypeContainerVisitor.cs
index a45ede39501..6e5b45e9e3a 100644
--- a/csharp/extractor/Semmle.Extraction.CSharp/Populators/TypeContainerVisitor.cs
+++ b/csharp/extractor/Semmle.Extraction.CSharp/Populators/TypeContainerVisitor.cs
@@ -43,6 +43,11 @@ namespace Semmle.Extraction.CSharp.Populators
             Entities.NamedType.Create(cx, cx.GetModel(node).GetDeclaredSymbol(node)).ExtractRecursive(trapFile, parent);
         }
 
+        public override void VisitRecordDeclaration(RecordDeclarationSyntax node)
+        {
+            Entities.Type.Create(cx, cx.GetModel(node).GetDeclaredSymbol(node)).ExtractRecursive(trapFile, parent);
+        }
+
         public override void VisitClassDeclaration(ClassDeclarationSyntax classDecl)
         {
             Entities.Type.Create(cx, cx.GetModel(classDecl).GetDeclaredSymbol(classDecl)).ExtractRecursive(trapFile, parent);
diff --git a/csharp/ql/src/semmle/code/csharp/PrintAst.qll b/csharp/ql/src/semmle/code/csharp/PrintAst.qll
index a4ab6f7632c..f623860ff2d 100644
--- a/csharp/ql/src/semmle/code/csharp/PrintAst.qll
+++ b/csharp/ql/src/semmle/code/csharp/PrintAst.qll
@@ -102,15 +102,16 @@ private ValueOrRefType getAnInterestingBaseType(ValueOrRefType type) {
   not type instanceof ArrayType and
   not type instanceof NullableType and
   result = type.getABaseType() and
-  isInterestingBaseType(result)
+  isInterestingBaseType(type, result)
 }
 
-private predicate isInterestingBaseType(ValueOrRefType base) {
+private predicate isInterestingBaseType(ValueOrRefType type, ValueOrRefType base) {
   not base instanceof ObjectType and
   not base.getQualifiedName() = "System.ValueType" and
   not base.getQualifiedName() = "System.Delegate" and
   not base.getQualifiedName() = "System.MulticastDelegate" and
-  not base.getQualifiedName() = "System.Enum"
+  not base.getQualifiedName() = "System.Enum" and
+  exists(TypeMention tm | tm.getTarget() = type and tm.getType() = base)
 }
 
 /**
diff --git a/csharp/ql/test/library-tests/csharp9/InitOnlyProperty.cs b/csharp/ql/test/library-tests/csharp9/InitOnlyProperty.cs
index bb78e0790af..e5a27113566 100644
--- a/csharp/ql/test/library-tests/csharp9/InitOnlyProperty.cs
+++ b/csharp/ql/test/library-tests/csharp9/InitOnlyProperty.cs
@@ -1,12 +1,5 @@
 using System;
 
-namespace System.Runtime.CompilerServices
-{
-    public sealed class IsExternalInit
-    {
-    }
-}
-
 public class Base
 {
     public int Prop0 { get { return 1; } init { Prop1 = value; } }
diff --git a/csharp/ql/test/library-tests/csharp9/IsExternalInit.cs b/csharp/ql/test/library-tests/csharp9/IsExternalInit.cs
new file mode 100644
index 00000000000..354491fdec2
--- /dev/null
+++ b/csharp/ql/test/library-tests/csharp9/IsExternalInit.cs
@@ -0,0 +1,7 @@
+using System;
+using System.Text;
+
+namespace System.Runtime.CompilerServices
+{
+    public class IsExternalInit { }
+}
diff --git a/csharp/ql/test/library-tests/csharp9/PrintAst.expected b/csharp/ql/test/library-tests/csharp9/PrintAst.expected
index ef30aa13ece..4d4288d3649 100644
--- a/csharp/ql/test/library-tests/csharp9/PrintAst.expected
+++ b/csharp/ql/test/library-tests/csharp9/PrintAst.expected
@@ -287,87 +287,88 @@ FunctionPointer.cs:
 #-----|       3: (Base types)
 #   50|         0: [TypeMention] A
 InitOnlyProperty.cs:
-#    3| [NamespaceDeclaration] namespace ... { ... }
-#    5|   1: [Class] IsExternalInit
-#   10| [Class] Base
-#   12|   5: [Property] Prop0
-#   12|     -1: [TypeMention] int
-#   12|     3: [Getter] get_Prop0
-#   12|       4: [BlockStmt] {...}
-#   12|         0: [ReturnStmt] return ...;
-#   12|           0: [IntLiteral] 1
-#   12|     4: [Setter] set_Prop0
+#    3| [Class] Base
+#    5|   5: [Property] Prop0
+#    5|     -1: [TypeMention] int
+#    5|     3: [Getter] get_Prop0
+#    5|       4: [BlockStmt] {...}
+#    5|         0: [ReturnStmt] return ...;
+#    5|           0: [IntLiteral] 1
+#    5|     4: [Setter] set_Prop0
 #-----|       2: (Parameters)
-#   12|         0: [Parameter] value
-#   12|       4: [BlockStmt] {...}
-#   12|         0: [ExprStmt] ...;
-#   12|           0: [AssignExpr] ... = ...
-#   12|             0: [PropertyCall] access to property Prop1
-#   12|             1: [ParameterAccess] access to parameter value
-#   13|   6: [Property] Prop1
+#    5|         0: [Parameter] value
+#    5|       4: [BlockStmt] {...}
+#    5|         0: [ExprStmt] ...;
+#    5|           0: [AssignExpr] ... = ...
+#    5|             0: [PropertyCall] access to property Prop1
+#    5|             1: [ParameterAccess] access to parameter value
+#    6|   6: [Property] Prop1
+#    6|     -1: [TypeMention] int
+#    6|     3: [Getter] get_Prop1
+#    6|     4: [Setter] set_Prop1
+#-----|       2: (Parameters)
+#    6|         0: [Parameter] value
+#    7|   7: [Property] Prop2
+#    7|     -1: [TypeMention] int
+#    7|     3: [Getter] get_Prop2
+#    7|     4: [Setter] set_Prop2
+#-----|       2: (Parameters)
+#    7|         0: [Parameter] value
+#   11| [Class] Derived
+#-----|   3: (Base types)
+#   11|     0: [TypeMention] Base
+#   13|   5: [Property] Prop1
 #   13|     -1: [TypeMention] int
 #   13|     3: [Getter] get_Prop1
 #   13|     4: [Setter] set_Prop1
 #-----|       2: (Parameters)
 #   13|         0: [Parameter] value
-#   14|   7: [Property] Prop2
+#   14|   6: [Property] Prop2
 #   14|     -1: [TypeMention] int
-#   14|     3: [Getter] get_Prop2
-#   14|     4: [Setter] set_Prop2
+#   16|     3: [Getter] get_Prop2
+#   16|       4: [BlockStmt] {...}
+#   16|         0: [ReturnStmt] return ...;
+#   16|           0: [IntLiteral] 0
+#   17|     4: [Setter] set_Prop2
 #-----|       2: (Parameters)
-#   14|         0: [Parameter] value
-#   18| [Class] Derived
-#-----|   3: (Base types)
-#   18|     0: [TypeMention] Base
-#   20|   5: [Property] Prop1
-#   20|     -1: [TypeMention] int
-#   20|     3: [Getter] get_Prop1
-#   20|     4: [Setter] set_Prop1
-#-----|       2: (Parameters)
-#   20|         0: [Parameter] value
-#   21|   6: [Property] Prop2
-#   21|     -1: [TypeMention] int
-#   23|     3: [Getter] get_Prop2
-#   23|       4: [BlockStmt] {...}
-#   23|         0: [ReturnStmt] return ...;
-#   23|           0: [IntLiteral] 0
-#   24|     4: [Setter] set_Prop2
-#-----|       2: (Parameters)
-#   24|         0: [Parameter] value
-#   25|       4: [BlockStmt] {...}
-#   26|         0: [ExprStmt] ...;
-#   26|           0: [MethodCall] call to method WriteLine
-#   26|             -1: [TypeAccess] access to type Console
-#   26|               0: [TypeMention] Console
-#   26|             0: [ParameterAccess] access to parameter value
-#   27|         1: [ExprStmt] ...;
-#   27|           0: [AssignExpr] ... = ...
-#   27|             0: [PropertyCall] access to property Prop1
-#   27|             1: [ParameterAccess] access to parameter value
-#   28|         2: [ExprStmt] ...;
-#   28|           0: [AssignExpr] ... = ...
-#   28|             0: [PropertyCall] access to property Prop0
-#   28|             1: [ParameterAccess] access to parameter value
-#   33| [Class] C1
-#   35|   5: [Method] M1
-#   35|     -1: [TypeMention] Void
-#   36|     4: [BlockStmt] {...}
-#   37|       0: [LocalVariableDeclStmt] ... ...;
-#   37|         0: [LocalVariableDeclAndInitExpr] Derived d = ...
-#   37|           -1: [TypeMention] Derived
-#   37|           0: [LocalVariableAccess] access to local variable d
-#   37|           1: [ObjectCreation] object creation of type Derived
-#   37|             -2: [TypeMention] Derived
-#   38|             -1: [ObjectInitializer] { ..., ... }
-#   39|               0: [MemberInitializer] ... = ...
-#   39|                 0: [PropertyCall] access to property Prop1
-#   39|                 1: [IntLiteral] 1
-#   40|               1: [MemberInitializer] ... = ...
-#   40|                 0: [PropertyCall] access to property Prop2
-#   40|                 1: [IntLiteral] 2
-#   41|               2: [MemberInitializer] ... = ...
-#   41|                 0: [PropertyCall] access to property Prop0
-#   41|                 1: [IntLiteral] 0
+#   17|         0: [Parameter] value
+#   18|       4: [BlockStmt] {...}
+#   19|         0: [ExprStmt] ...;
+#   19|           0: [MethodCall] call to method WriteLine
+#   19|             -1: [TypeAccess] access to type Console
+#   19|               0: [TypeMention] Console
+#   19|             0: [ParameterAccess] access to parameter value
+#   20|         1: [ExprStmt] ...;
+#   20|           0: [AssignExpr] ... = ...
+#   20|             0: [PropertyCall] access to property Prop1
+#   20|             1: [ParameterAccess] access to parameter value
+#   21|         2: [ExprStmt] ...;
+#   21|           0: [AssignExpr] ... = ...
+#   21|             0: [PropertyCall] access to property Prop0
+#   21|             1: [ParameterAccess] access to parameter value
+#   26| [Class] C1
+#   28|   5: [Method] M1
+#   28|     -1: [TypeMention] Void
+#   29|     4: [BlockStmt] {...}
+#   30|       0: [LocalVariableDeclStmt] ... ...;
+#   30|         0: [LocalVariableDeclAndInitExpr] Derived d = ...
+#   30|           -1: [TypeMention] Derived
+#   30|           0: [LocalVariableAccess] access to local variable d
+#   30|           1: [ObjectCreation] object creation of type Derived
+#   30|             -2: [TypeMention] Derived
+#   31|             -1: [ObjectInitializer] { ..., ... }
+#   32|               0: [MemberInitializer] ... = ...
+#   32|                 0: [PropertyCall] access to property Prop1
+#   32|                 1: [IntLiteral] 1
+#   33|               1: [MemberInitializer] ... = ...
+#   33|                 0: [PropertyCall] access to property Prop2
+#   33|                 1: [IntLiteral] 2
+#   34|               2: [MemberInitializer] ... = ...
+#   34|                 0: [PropertyCall] access to property Prop0
+#   34|                 1: [IntLiteral] 0
+IsExternalInit.cs:
+#    4| [NamespaceDeclaration] namespace ... { ... }
+#    6|   1: [Class] IsExternalInit
 LambdaModifier.cs:
 #    4| [Class] Class1
 #    6|   5: [Method] M1
@@ -656,6 +657,288 @@ ParenthesizedPattern.cs:
 #   27|               0: [TypeAccessPatternExpr] access to type String
 #   27|                 0: [TypeMention] string
 #   27|               2: [IntLiteral] 5
+Record.cs:
+#    4| [Class] Person
+#    4|   11: [Property] EqualityContract
+#    4|     3: [Getter] get_EqualityContract
+#    4|   11: [NEOperator] !=
+#-----|     2: (Parameters)
+#    4|       0: [Parameter] r1
+#    4|       1: [Parameter] r2
+#    4|   11: [EQOperator] ==
+#-----|     2: (Parameters)
+#    4|       0: [Parameter] r1
+#    4|       1: [Parameter] r2
+#    6|   14: [IndexerProperty] LastName
+#    6|     -1: [TypeMention] string
+#    6|     3: [Getter] get_LastName
+#    7|   15: [IndexerProperty] FirstName
+#    7|     -1: [TypeMention] string
+#    7|     3: [Getter] get_FirstName
+#    9|   16: [InstanceConstructor] Person
+#-----|     2: (Parameters)
+#    9|       0: [Parameter] first
+#    9|         -1: [TypeMention] string
+#    9|       1: [Parameter] last
+#    9|         -1: [TypeMention] string
+#    9|     4: [AssignExpr] ... = ...
+#    9|       0: [TupleExpr] (..., ...)
+#    9|         0: [PropertyCall] access to property FirstName
+#    9|         1: [PropertyCall] access to property LastName
+#    9|       1: [TupleExpr] (..., ...)
+#    9|         0: [ParameterAccess] access to parameter first
+#    9|         1: [ParameterAccess] access to parameter last
+#   12| [Class] Teacher
+#   12|   12: [Property] EqualityContract
+#   12|     3: [Getter] get_EqualityContract
+#   12|   12: [NEOperator] !=
+#-----|     2: (Parameters)
+#   12|       0: [Parameter] r1
+#   12|       1: [Parameter] r2
+#   12|   12: [EQOperator] ==
+#-----|     2: (Parameters)
+#   12|       0: [Parameter] r1
+#   12|       1: [Parameter] r2
+#   14|   15: [IndexerProperty] Subject
+#   14|     -1: [TypeMention] string
+#   14|     3: [Getter] get_Subject
+#   16|   16: [InstanceConstructor] Teacher
+#-----|     2: (Parameters)
+#   16|       0: [Parameter] first
+#   16|         -1: [TypeMention] string
+#   16|       1: [Parameter] last
+#   16|         -1: [TypeMention] string
+#   16|       2: [Parameter] sub
+#   16|         -1: [TypeMention] string
+#   17|     3: [ConstructorInitializer] call to constructor Person
+#   17|       0: [ParameterAccess] access to parameter first
+#   17|       1: [ParameterAccess] access to parameter last
+#   17|     4: [AssignExpr] ... = ...
+#   17|       0: [PropertyCall] access to property Subject
+#   17|       1: [ParameterAccess] access to parameter sub
+#   20| [Class] Student
+#   20|   12: [Property] EqualityContract
+#   20|     3: [Getter] get_EqualityContract
+#   20|   12: [NEOperator] !=
+#-----|     2: (Parameters)
+#   20|       0: [Parameter] r1
+#   20|       1: [Parameter] r2
+#   20|   12: [EQOperator] ==
+#-----|     2: (Parameters)
+#   20|       0: [Parameter] r1
+#   20|       1: [Parameter] r2
+#   22|   15: [Property] Level
+#   22|     -1: [TypeMention] int
+#   22|     3: [Getter] get_Level
+#   24|   16: [InstanceConstructor] Student
+#-----|     2: (Parameters)
+#   24|       0: [Parameter] first
+#   24|         -1: [TypeMention] string
+#   24|       1: [Parameter] last
+#   24|         -1: [TypeMention] string
+#   24|       2: [Parameter] level
+#   24|         -1: [TypeMention] int
+#   24|     3: [ConstructorInitializer] call to constructor Person
+#   24|       0: [ParameterAccess] access to parameter first
+#   24|       1: [ParameterAccess] access to parameter last
+#   24|     4: [AssignExpr] ... = ...
+#   24|       0: [PropertyCall] access to property Level
+#   24|       1: [ParameterAccess] access to parameter level
+#   27| [Class] Person1
+#   27|   12: [Property] EqualityContract
+#   27|     3: [Getter] get_EqualityContract
+#   27|   12: [InstanceConstructor] Person1
+#-----|     2: (Parameters)
+#   27|       0: [Parameter] FirstName
+#   27|         -1: [TypeMention] string
+#   27|       1: [Parameter] LastName
+#   27|         -1: [TypeMention] string
+#   27|   12: [NEOperator] !=
+#-----|     2: (Parameters)
+#   27|       0: [Parameter] r1
+#   27|       1: [Parameter] r2
+#   27|   12: [EQOperator] ==
+#-----|     2: (Parameters)
+#   27|       0: [Parameter] r1
+#   27|       1: [Parameter] r2
+#   27|   16: [IndexerProperty] FirstName
+#   27|     3: [Getter] get_FirstName
+#   27|     4: [Setter] set_FirstName
+#-----|       2: (Parameters)
+#   27|         0: [Parameter] value
+#   27|   17: [IndexerProperty] LastName
+#   27|     3: [Getter] get_LastName
+#   27|     4: [Setter] set_LastName
+#-----|       2: (Parameters)
+#   27|         0: [Parameter] value
+#   29| [Class] Teacher1
+#   29|   13: [Property] EqualityContract
+#   29|     3: [Getter] get_EqualityContract
+#   29|   13: [NEOperator] !=
+#-----|     2: (Parameters)
+#   29|       0: [Parameter] r1
+#   29|       1: [Parameter] r2
+#   29|   13: [EQOperator] ==
+#-----|     2: (Parameters)
+#   29|       0: [Parameter] r1
+#   29|       1: [Parameter] r2
+#   29|   13: [InstanceConstructor] Teacher1
+#-----|     2: (Parameters)
+#   29|       0: [Parameter] FirstName
+#   29|         -1: [TypeMention] string
+#   29|       1: [Parameter] LastName
+#   29|         -1: [TypeMention] string
+#   29|       2: [Parameter] Subject
+#   29|         -1: [TypeMention] string
+#   29|   17: [IndexerProperty] Subject
+#   29|     3: [Getter] get_Subject
+#   29|     4: [Setter] set_Subject
+#-----|       2: (Parameters)
+#   29|         0: [Parameter] value
+#   32| [Class] Student1
+#   32|   13: [Property] EqualityContract
+#   32|     3: [Getter] get_EqualityContract
+#   32|   13: [NEOperator] !=
+#-----|     2: (Parameters)
+#   32|       0: [Parameter] r1
+#   32|       1: [Parameter] r2
+#   32|   13: [EQOperator] ==
+#-----|     2: (Parameters)
+#   32|       0: [Parameter] r1
+#   32|       1: [Parameter] r2
+#   32|   13: [InstanceConstructor] Student1
+#-----|     2: (Parameters)
+#   32|       0: [Parameter] FirstName
+#   32|         -1: [TypeMention] string
+#   32|       1: [Parameter] LastName
+#   32|         -1: [TypeMention] string
+#   32|       2: [Parameter] Level
+#   32|         -1: [TypeMention] int
+#   32|   17: [Property] Level
+#   32|     3: [Getter] get_Level
+#   32|     4: [Setter] set_Level
+#-----|       2: (Parameters)
+#   32|         0: [Parameter] value
+#   35| [Class] Pet
+#   35|   12: [Property] EqualityContract
+#   35|     3: [Getter] get_EqualityContract
+#   35|   12: [NEOperator] !=
+#-----|     2: (Parameters)
+#   35|       0: [Parameter] r1
+#   35|       1: [Parameter] r2
+#   35|   12: [EQOperator] ==
+#-----|     2: (Parameters)
+#   35|       0: [Parameter] r1
+#   35|       1: [Parameter] r2
+#   35|   12: [InstanceConstructor] Pet
+#-----|     2: (Parameters)
+#   35|       0: [Parameter] Name
+#   35|         -1: [TypeMention] string
+#   35|   16: [IndexerProperty] Name
+#   35|     3: [Getter] get_Name
+#   35|     4: [Setter] set_Name
+#-----|       2: (Parameters)
+#   35|         0: [Parameter] value
+#   37|   17: [Method] ShredTheFurniture
+#   37|     -1: [TypeMention] Void
+#   38|     4: [MethodCall] call to method WriteLine
+#   38|       -1: [TypeAccess] access to type Console
+#   38|         0: [TypeMention] Console
+#   38|       0: [StringLiteral] "Shredding furniture"
+#   41| [Class] Dog
+#   41|   12: [Property] EqualityContract
+#   41|     3: [Getter] get_EqualityContract
+#   41|   12: [NEOperator] !=
+#-----|     2: (Parameters)
+#   41|       0: [Parameter] r1
+#   41|       1: [Parameter] r2
+#   41|   12: [EQOperator] ==
+#-----|     2: (Parameters)
+#   41|       0: [Parameter] r1
+#   41|       1: [Parameter] r2
+#   41|   12: [InstanceConstructor] Dog
+#-----|     2: (Parameters)
+#   41|       0: [Parameter] Name
+#   41|         -1: [TypeMention] string
+#   43|   16: [Method] WagTail
+#   43|     -1: [TypeMention] Void
+#   44|     4: [MethodCall] call to method WriteLine
+#   44|       -1: [TypeAccess] access to type Console
+#   44|         0: [TypeMention] Console
+#   44|       0: [StringLiteral] "It's tail wagging time"
+#   46|   17: [Method] ToString
+#   46|     -1: [TypeMention] string
+#   47|     4: [BlockStmt] {...}
+#   48|       0: [LocalVariableDeclStmt] ... ...;
+#   48|         0: [LocalVariableDeclAndInitExpr] StringBuilder s = ...
+#   48|           -1: [TypeMention] StringBuilder
+#   48|           0: [LocalVariableAccess] access to local variable s
+#   48|           1: [ObjectCreation] object creation of type StringBuilder
+#   48|             0: [TypeMention] StringBuilder
+#   49|       1: [ExprStmt] ...;
+#   49|         0: [MethodCall] call to method PrintMembers
+#   49|           -1: [BaseAccess] base access
+#   49|           0: [LocalVariableAccess] access to local variable s
+#   50|       2: [ReturnStmt] return ...;
+#   50|         0: [InterpolatedStringExpr] $"..."
+#   50|           0: [MethodCall] call to method ToString
+#   50|             -1: [LocalVariableAccess] access to local variable s
+#   50|           1: [StringLiteral] " is a dog"
+#   54| [Class] Record1
+#   56|   5: [Method] M1
+#   56|     -1: [TypeMention] Void
+#   57|     4: [BlockStmt] {...}
+#   58|       0: [LocalVariableDeclStmt] ... ...;
+#   58|         0: [LocalVariableDeclAndInitExpr] Person person = ...
+#   58|           -1: [TypeMention] Person
+#   58|           0: [LocalVariableAccess] access to local variable person
+#   58|           1: [ObjectCreation] object creation of type Person
+#   58|             -1: [TypeMention] Person
+#   58|             0: [StringLiteral] "Bill"
+#   58|             1: [StringLiteral] "Wagner"
+#   59|       1: [LocalVariableDeclStmt] ... ...;
+#   59|         0: [LocalVariableDeclAndInitExpr] Student student = ...
+#   59|           -1: [TypeMention] Student
+#   59|           0: [LocalVariableAccess] access to local variable student
+#   59|           1: [ObjectCreation] object creation of type Student
+#   59|             -1: [TypeMention] Student
+#   59|             0: [StringLiteral] "Bill"
+#   59|             1: [StringLiteral] "Wagner"
+#   59|             2: [IntLiteral] 11
+#   61|       2: [ExprStmt] ...;
+#   61|         0: [MethodCall] call to method WriteLine
+#   61|           -1: [TypeAccess] access to type Console
+#   61|             0: [TypeMention] Console
+#   61|           0: [OperatorCall] call to operator ==
+#   61|             0: [LocalVariableAccess] access to local variable student
+#   61|             1: [LocalVariableAccess] access to local variable person
+#   64|   6: [Method] M2
+#   64|     -1: [TypeMention] Void
+#   65|     4: [BlockStmt] {...}
+#   66|       0: [LocalVariableDeclStmt] ... ...;
+#   66|         0: [LocalVariableDeclAndInitExpr] Person1 person = ...
+#   66|           -1: [TypeMention] Person1
+#   66|           0: [LocalVariableAccess] access to local variable person
+#   66|           1: [ObjectCreation] object creation of type Person1
+#   66|             -1: [TypeMention] Person1
+#   66|             0: [StringLiteral] "Bill"
+#   66|             1: [StringLiteral] "Wagner"
+#   68|       1: [ExprStmt] ...;
+#   68|         0: [AssignExpr] ... = ...
+#   68|           0: [TupleExpr] (..., ...)
+#   68|             0: [LocalVariableDeclExpr] String first
+#   68|             1: [LocalVariableDeclExpr] String last
+#   68|           1: [LocalVariableAccess] access to local variable person
+#   69|       2: [ExprStmt] ...;
+#   69|         0: [MethodCall] call to method WriteLine
+#   69|           -1: [TypeAccess] access to type Console
+#   69|             0: [TypeMention] Console
+#   69|           0: [LocalVariableAccess] access to local variable first
+#   70|       3: [ExprStmt] ...;
+#   70|         0: [MethodCall] call to method WriteLine
+#   70|           -1: [TypeAccess] access to type Console
+#   70|             0: [TypeMention] Console
+#   70|           0: [LocalVariableAccess] access to local variable last
 RelationalPattern.cs:
 #    3| [Class] RelationalPattern
 #    5|   5: [Method] M1
diff --git a/csharp/ql/test/library-tests/csharp9/Record.cs b/csharp/ql/test/library-tests/csharp9/Record.cs
new file mode 100644
index 00000000000..45d1506c055
--- /dev/null
+++ b/csharp/ql/test/library-tests/csharp9/Record.cs
@@ -0,0 +1,72 @@
+using System;
+using System.Text;
+
+public record Person
+{
+    public string LastName { get; }
+    public string FirstName { get; }
+
+    public Person(string first, string last) => (FirstName, LastName) = (first, last);
+}
+
+public record Teacher : Person
+{
+    public string Subject { get; }
+
+    public Teacher(string first, string last, string sub)
+        : base(first, last) => Subject = sub;
+}
+
+public sealed record Student : Person
+{
+    public int Level { get; }
+
+    public Student(string first, string last, int level) : base(first, last) => Level = level;
+}
+
+public record Person1(string FirstName, string LastName);
+
+public record Teacher1(string FirstName, string LastName, string Subject)
+    : Person1(FirstName, LastName);
+
+public sealed record Student1(string FirstName, string LastName, int Level)
+    : Person1(FirstName, LastName);
+
+public record Pet(string Name)
+{
+    public void ShredTheFurniture() =>
+        Console.WriteLine("Shredding furniture");
+}
+
+public record Dog(string Name) : Pet(Name)
+{
+    public void WagTail() =>
+        Console.WriteLine("It's tail wagging time");
+
+    public override string ToString()
+    {
+        var s = new StringBuilder();
+        base.PrintMembers(s);
+        return $"{s.ToString()} is a dog";
+    }
+}
+
+public class Record1
+{
+    public void M1()
+    {
+        var person = new Person("Bill", "Wagner");
+        var student = new Student("Bill", "Wagner", 11);
+
+        Console.WriteLine(student == person);
+    }
+
+    public void M2()
+    {
+        var person = new Person1("Bill", "Wagner");
+
+        var (first, last) = person;
+        Console.WriteLine(first);
+        Console.WriteLine(last);
+    }
+}
diff --git a/csharp/ql/test/library-tests/csharp9/initOnlyProperty.expected b/csharp/ql/test/library-tests/csharp9/initOnlyProperty.expected
index eaa1dd96db1..ca27ad80532 100644
--- a/csharp/ql/test/library-tests/csharp9/initOnlyProperty.expected
+++ b/csharp/ql/test/library-tests/csharp9/initOnlyProperty.expected
@@ -1,8 +1,13 @@
 | AnonymousObjectCreation.cs:9:29:9:31 | set_Prop1 | set |
 | BinaryPattern.cs:5:26:5:28 | set_P1 | set |
-| InitOnlyProperty.cs:12:42:12:45 | set_Prop0 | init |
-| InitOnlyProperty.cs:13:37:13:40 | set_Prop1 | init |
-| InitOnlyProperty.cs:14:37:14:39 | set_Prop2 | set |
-| InitOnlyProperty.cs:20:38:20:41 | set_Prop1 | init |
-| InitOnlyProperty.cs:24:9:24:12 | set_Prop2 | init |
+| InitOnlyProperty.cs:5:42:5:45 | set_Prop0 | init |
+| InitOnlyProperty.cs:6:37:6:40 | set_Prop1 | init |
+| InitOnlyProperty.cs:7:37:7:39 | set_Prop2 | set |
+| InitOnlyProperty.cs:13:38:13:41 | set_Prop1 | init |
+| InitOnlyProperty.cs:17:9:17:12 | set_Prop2 | init |
+| Record.cs:27:30:27:38 | set_FirstName | init |
+| Record.cs:27:48:27:55 | set_LastName | init |
+| Record.cs:29:66:29:72 | set_Subject | init |
+| Record.cs:32:70:32:74 | set_Level | init |
+| Record.cs:35:26:35:29 | set_Name | init |
 | UnaryPattern.cs:5:26:5:28 | set_P1 | set |
diff --git a/csharp/ql/test/library-tests/csharp9/record.expected b/csharp/ql/test/library-tests/csharp9/record.expected
new file mode 100644
index 00000000000..d2a427d6554
--- /dev/null
+++ b/csharp/ql/test/library-tests/csharp9/record.expected
@@ -0,0 +1,212 @@
+types
+| Record.cs:4:1:10:1 | Person | IEquatable<Person> |
+| Record.cs:12:1:18:1 | Teacher | IEquatable<Teacher> |
+| Record.cs:20:1:25:1 | Student | IEquatable<Student> |
+| Record.cs:27:1:27:57 | Person1 | IEquatable<Person1> |
+| Record.cs:29:1:30:35 | Teacher1 | IEquatable<Teacher1> |
+| Record.cs:32:1:33:35 | Student1 | IEquatable<Student1> |
+| Record.cs:35:1:39:1 | Pet | IEquatable<Pet> |
+| Record.cs:41:1:52:1 | Dog | IEquatable<Dog> |
+members
+| Record.cs:4:1:10:1 | Person | Person.!=(Person, Person) | Record.cs:4:15:4:20 |
+| Record.cs:4:1:10:1 | Person | Person.<Clone>$() | no location |
+| Record.cs:4:1:10:1 | Person | Person.==(Person, Person) | Record.cs:4:15:4:20 |
+| Record.cs:4:1:10:1 | Person | Person.EqualityContract | Record.cs:4:15:4:20 |
+| Record.cs:4:1:10:1 | Person | Person.Equals(Person) | no location |
+| Record.cs:4:1:10:1 | Person | Person.Equals(object) | no location |
+| Record.cs:4:1:10:1 | Person | Person.FirstName | Record.cs:7:19:7:27 |
+| Record.cs:4:1:10:1 | Person | Person.GetHashCode() | no location |
+| Record.cs:4:1:10:1 | Person | Person.LastName | Record.cs:6:19:6:26 |
+| Record.cs:4:1:10:1 | Person | Person.Person(Person) | no location |
+| Record.cs:4:1:10:1 | Person | Person.Person(string, string) | Record.cs:9:12:9:17 |
+| Record.cs:4:1:10:1 | Person | Person.PrintMembers(StringBuilder) | no location |
+| Record.cs:4:1:10:1 | Person | Person.ToString() | no location |
+| Record.cs:4:1:10:1 | Person | System.Object.Equals(object, object) | no location |
+| Record.cs:4:1:10:1 | Person | System.Object.GetType() | no location |
+| Record.cs:4:1:10:1 | Person | System.Object.MemberwiseClone() | no location |
+| Record.cs:4:1:10:1 | Person | System.Object.Object() | no location |
+| Record.cs:4:1:10:1 | Person | System.Object.ReferenceEquals(object, object) | no location |
+| Record.cs:4:1:10:1 | Person | System.Object.~Object() | no location |
+| Record.cs:12:1:18:1 | Teacher | Person.!=(Person, Person) | Record.cs:4:15:4:20 |
+| Record.cs:12:1:18:1 | Teacher | Person.==(Person, Person) | Record.cs:4:15:4:20 |
+| Record.cs:12:1:18:1 | Teacher | Person.FirstName | Record.cs:7:19:7:27 |
+| Record.cs:12:1:18:1 | Teacher | Person.LastName | Record.cs:6:19:6:26 |
+| Record.cs:12:1:18:1 | Teacher | Person.Person(Person) | no location |
+| Record.cs:12:1:18:1 | Teacher | Person.Person(string, string) | Record.cs:9:12:9:17 |
+| Record.cs:12:1:18:1 | Teacher | System.Object.Equals(object, object) | no location |
+| Record.cs:12:1:18:1 | Teacher | System.Object.GetType() | no location |
+| Record.cs:12:1:18:1 | Teacher | System.Object.MemberwiseClone() | no location |
+| Record.cs:12:1:18:1 | Teacher | System.Object.Object() | no location |
+| Record.cs:12:1:18:1 | Teacher | System.Object.ReferenceEquals(object, object) | no location |
+| Record.cs:12:1:18:1 | Teacher | System.Object.~Object() | no location |
+| Record.cs:12:1:18:1 | Teacher | Teacher.!=(Teacher, Teacher) | Record.cs:12:15:12:21 |
+| Record.cs:12:1:18:1 | Teacher | Teacher.<Clone>$() | no location |
+| Record.cs:12:1:18:1 | Teacher | Teacher.==(Teacher, Teacher) | Record.cs:12:15:12:21 |
+| Record.cs:12:1:18:1 | Teacher | Teacher.EqualityContract | Record.cs:12:15:12:21 |
+| Record.cs:12:1:18:1 | Teacher | Teacher.Equals(Person) | no location |
+| Record.cs:12:1:18:1 | Teacher | Teacher.Equals(Teacher) | no location |
+| Record.cs:12:1:18:1 | Teacher | Teacher.Equals(object) | no location |
+| Record.cs:12:1:18:1 | Teacher | Teacher.GetHashCode() | no location |
+| Record.cs:12:1:18:1 | Teacher | Teacher.PrintMembers(StringBuilder) | no location |
+| Record.cs:12:1:18:1 | Teacher | Teacher.Subject | Record.cs:14:19:14:25 |
+| Record.cs:12:1:18:1 | Teacher | Teacher.Teacher(Teacher) | no location |
+| Record.cs:12:1:18:1 | Teacher | Teacher.Teacher(string, string, string) | Record.cs:16:12:16:18 |
+| Record.cs:12:1:18:1 | Teacher | Teacher.ToString() | no location |
+| Record.cs:20:1:25:1 | Student | Person.!=(Person, Person) | Record.cs:4:15:4:20 |
+| Record.cs:20:1:25:1 | Student | Person.==(Person, Person) | Record.cs:4:15:4:20 |
+| Record.cs:20:1:25:1 | Student | Person.FirstName | Record.cs:7:19:7:27 |
+| Record.cs:20:1:25:1 | Student | Person.LastName | Record.cs:6:19:6:26 |
+| Record.cs:20:1:25:1 | Student | Person.Person(Person) | no location |
+| Record.cs:20:1:25:1 | Student | Person.Person(string, string) | Record.cs:9:12:9:17 |
+| Record.cs:20:1:25:1 | Student | Student.!=(Student, Student) | Record.cs:20:22:20:28 |
+| Record.cs:20:1:25:1 | Student | Student.<Clone>$() | no location |
+| Record.cs:20:1:25:1 | Student | Student.==(Student, Student) | Record.cs:20:22:20:28 |
+| Record.cs:20:1:25:1 | Student | Student.EqualityContract | Record.cs:20:22:20:28 |
+| Record.cs:20:1:25:1 | Student | Student.Equals(Person) | no location |
+| Record.cs:20:1:25:1 | Student | Student.Equals(Student) | no location |
+| Record.cs:20:1:25:1 | Student | Student.Equals(object) | no location |
+| Record.cs:20:1:25:1 | Student | Student.GetHashCode() | no location |
+| Record.cs:20:1:25:1 | Student | Student.Level | Record.cs:22:16:22:20 |
+| Record.cs:20:1:25:1 | Student | Student.PrintMembers(StringBuilder) | no location |
+| Record.cs:20:1:25:1 | Student | Student.Student(Student) | no location |
+| Record.cs:20:1:25:1 | Student | Student.Student(string, string, int) | Record.cs:24:12:24:18 |
+| Record.cs:20:1:25:1 | Student | Student.ToString() | no location |
+| Record.cs:20:1:25:1 | Student | System.Object.Equals(object, object) | no location |
+| Record.cs:20:1:25:1 | Student | System.Object.GetType() | no location |
+| Record.cs:20:1:25:1 | Student | System.Object.MemberwiseClone() | no location |
+| Record.cs:20:1:25:1 | Student | System.Object.Object() | no location |
+| Record.cs:20:1:25:1 | Student | System.Object.ReferenceEquals(object, object) | no location |
+| Record.cs:20:1:25:1 | Student | System.Object.~Object() | no location |
+| Record.cs:27:1:27:57 | Person1 | Person1.!=(Person1, Person1) | Record.cs:27:15:27:21 |
+| Record.cs:27:1:27:57 | Person1 | Person1.<Clone>$() | no location |
+| Record.cs:27:1:27:57 | Person1 | Person1.==(Person1, Person1) | Record.cs:27:15:27:21 |
+| Record.cs:27:1:27:57 | Person1 | Person1.Deconstruct(out string, out string) | no location |
+| Record.cs:27:1:27:57 | Person1 | Person1.EqualityContract | Record.cs:27:15:27:21 |
+| Record.cs:27:1:27:57 | Person1 | Person1.Equals(Person1) | no location |
+| Record.cs:27:1:27:57 | Person1 | Person1.Equals(object) | no location |
+| Record.cs:27:1:27:57 | Person1 | Person1.FirstName | Record.cs:27:30:27:38 |
+| Record.cs:27:1:27:57 | Person1 | Person1.GetHashCode() | no location |
+| Record.cs:27:1:27:57 | Person1 | Person1.LastName | Record.cs:27:48:27:55 |
+| Record.cs:27:1:27:57 | Person1 | Person1.Person1(Person1) | no location |
+| Record.cs:27:1:27:57 | Person1 | Person1.Person1(string, string) | Record.cs:27:15:27:21 |
+| Record.cs:27:1:27:57 | Person1 | Person1.PrintMembers(StringBuilder) | no location |
+| Record.cs:27:1:27:57 | Person1 | Person1.ToString() | no location |
+| Record.cs:27:1:27:57 | Person1 | System.Object.Equals(object, object) | no location |
+| Record.cs:27:1:27:57 | Person1 | System.Object.GetType() | no location |
+| Record.cs:27:1:27:57 | Person1 | System.Object.MemberwiseClone() | no location |
+| Record.cs:27:1:27:57 | Person1 | System.Object.Object() | no location |
+| Record.cs:27:1:27:57 | Person1 | System.Object.ReferenceEquals(object, object) | no location |
+| Record.cs:27:1:27:57 | Person1 | System.Object.~Object() | no location |
+| Record.cs:29:1:30:35 | Teacher1 | Person1.!=(Person1, Person1) | Record.cs:27:15:27:21 |
+| Record.cs:29:1:30:35 | Teacher1 | Person1.==(Person1, Person1) | Record.cs:27:15:27:21 |
+| Record.cs:29:1:30:35 | Teacher1 | Person1.Deconstruct(out string, out string) | no location |
+| Record.cs:29:1:30:35 | Teacher1 | Person1.FirstName | Record.cs:27:30:27:38 |
+| Record.cs:29:1:30:35 | Teacher1 | Person1.LastName | Record.cs:27:48:27:55 |
+| Record.cs:29:1:30:35 | Teacher1 | Person1.Person1(Person1) | no location |
+| Record.cs:29:1:30:35 | Teacher1 | Person1.Person1(string, string) | Record.cs:27:15:27:21 |
+| Record.cs:29:1:30:35 | Teacher1 | System.Object.Equals(object, object) | no location |
+| Record.cs:29:1:30:35 | Teacher1 | System.Object.GetType() | no location |
+| Record.cs:29:1:30:35 | Teacher1 | System.Object.MemberwiseClone() | no location |
+| Record.cs:29:1:30:35 | Teacher1 | System.Object.Object() | no location |
+| Record.cs:29:1:30:35 | Teacher1 | System.Object.ReferenceEquals(object, object) | no location |
+| Record.cs:29:1:30:35 | Teacher1 | System.Object.~Object() | no location |
+| Record.cs:29:1:30:35 | Teacher1 | Teacher1.!=(Teacher1, Teacher1) | Record.cs:29:15:29:22 |
+| Record.cs:29:1:30:35 | Teacher1 | Teacher1.<Clone>$() | no location |
+| Record.cs:29:1:30:35 | Teacher1 | Teacher1.==(Teacher1, Teacher1) | Record.cs:29:15:29:22 |
+| Record.cs:29:1:30:35 | Teacher1 | Teacher1.Deconstruct(out string, out string, out string) | no location |
+| Record.cs:29:1:30:35 | Teacher1 | Teacher1.EqualityContract | Record.cs:29:15:29:22 |
+| Record.cs:29:1:30:35 | Teacher1 | Teacher1.Equals(Person1) | no location |
+| Record.cs:29:1:30:35 | Teacher1 | Teacher1.Equals(Teacher1) | no location |
+| Record.cs:29:1:30:35 | Teacher1 | Teacher1.Equals(object) | no location |
+| Record.cs:29:1:30:35 | Teacher1 | Teacher1.GetHashCode() | no location |
+| Record.cs:29:1:30:35 | Teacher1 | Teacher1.PrintMembers(StringBuilder) | no location |
+| Record.cs:29:1:30:35 | Teacher1 | Teacher1.Subject | Record.cs:29:66:29:72 |
+| Record.cs:29:1:30:35 | Teacher1 | Teacher1.Teacher1(Teacher1) | no location |
+| Record.cs:29:1:30:35 | Teacher1 | Teacher1.Teacher1(string, string, string) | Record.cs:29:15:29:22 |
+| Record.cs:29:1:30:35 | Teacher1 | Teacher1.ToString() | no location |
+| Record.cs:32:1:33:35 | Student1 | Person1.!=(Person1, Person1) | Record.cs:27:15:27:21 |
+| Record.cs:32:1:33:35 | Student1 | Person1.==(Person1, Person1) | Record.cs:27:15:27:21 |
+| Record.cs:32:1:33:35 | Student1 | Person1.Deconstruct(out string, out string) | no location |
+| Record.cs:32:1:33:35 | Student1 | Person1.FirstName | Record.cs:27:30:27:38 |
+| Record.cs:32:1:33:35 | Student1 | Person1.LastName | Record.cs:27:48:27:55 |
+| Record.cs:32:1:33:35 | Student1 | Person1.Person1(Person1) | no location |
+| Record.cs:32:1:33:35 | Student1 | Person1.Person1(string, string) | Record.cs:27:15:27:21 |
+| Record.cs:32:1:33:35 | Student1 | Student1.!=(Student1, Student1) | Record.cs:32:22:32:29 |
+| Record.cs:32:1:33:35 | Student1 | Student1.<Clone>$() | no location |
+| Record.cs:32:1:33:35 | Student1 | Student1.==(Student1, Student1) | Record.cs:32:22:32:29 |
+| Record.cs:32:1:33:35 | Student1 | Student1.Deconstruct(out string, out string, out int) | no location |
+| Record.cs:32:1:33:35 | Student1 | Student1.EqualityContract | Record.cs:32:22:32:29 |
+| Record.cs:32:1:33:35 | Student1 | Student1.Equals(Person1) | no location |
+| Record.cs:32:1:33:35 | Student1 | Student1.Equals(Student1) | no location |
+| Record.cs:32:1:33:35 | Student1 | Student1.Equals(object) | no location |
+| Record.cs:32:1:33:35 | Student1 | Student1.GetHashCode() | no location |
+| Record.cs:32:1:33:35 | Student1 | Student1.Level | Record.cs:32:70:32:74 |
+| Record.cs:32:1:33:35 | Student1 | Student1.PrintMembers(StringBuilder) | no location |
+| Record.cs:32:1:33:35 | Student1 | Student1.Student1(Student1) | no location |
+| Record.cs:32:1:33:35 | Student1 | Student1.Student1(string, string, int) | Record.cs:32:22:32:29 |
+| Record.cs:32:1:33:35 | Student1 | Student1.ToString() | no location |
+| Record.cs:32:1:33:35 | Student1 | System.Object.Equals(object, object) | no location |
+| Record.cs:32:1:33:35 | Student1 | System.Object.GetType() | no location |
+| Record.cs:32:1:33:35 | Student1 | System.Object.MemberwiseClone() | no location |
+| Record.cs:32:1:33:35 | Student1 | System.Object.Object() | no location |
+| Record.cs:32:1:33:35 | Student1 | System.Object.ReferenceEquals(object, object) | no location |
+| Record.cs:32:1:33:35 | Student1 | System.Object.~Object() | no location |
+| Record.cs:35:1:39:1 | Pet | Pet.!=(Pet, Pet) | Record.cs:35:15:35:17 |
+| Record.cs:35:1:39:1 | Pet | Pet.<Clone>$() | no location |
+| Record.cs:35:1:39:1 | Pet | Pet.==(Pet, Pet) | Record.cs:35:15:35:17 |
+| Record.cs:35:1:39:1 | Pet | Pet.Deconstruct(out string) | no location |
+| Record.cs:35:1:39:1 | Pet | Pet.EqualityContract | Record.cs:35:15:35:17 |
+| Record.cs:35:1:39:1 | Pet | Pet.Equals(Pet) | no location |
+| Record.cs:35:1:39:1 | Pet | Pet.Equals(object) | no location |
+| Record.cs:35:1:39:1 | Pet | Pet.GetHashCode() | no location |
+| Record.cs:35:1:39:1 | Pet | Pet.Name | Record.cs:35:26:35:29 |
+| Record.cs:35:1:39:1 | Pet | Pet.Pet(Pet) | no location |
+| Record.cs:35:1:39:1 | Pet | Pet.Pet(string) | Record.cs:35:15:35:17 |
+| Record.cs:35:1:39:1 | Pet | Pet.PrintMembers(StringBuilder) | no location |
+| Record.cs:35:1:39:1 | Pet | Pet.ShredTheFurniture() | Record.cs:37:17:37:33 |
+| Record.cs:35:1:39:1 | Pet | Pet.ToString() | no location |
+| Record.cs:35:1:39:1 | Pet | System.Object.Equals(object, object) | no location |
+| Record.cs:35:1:39:1 | Pet | System.Object.GetType() | no location |
+| Record.cs:35:1:39:1 | Pet | System.Object.MemberwiseClone() | no location |
+| Record.cs:35:1:39:1 | Pet | System.Object.Object() | no location |
+| Record.cs:35:1:39:1 | Pet | System.Object.ReferenceEquals(object, object) | no location |
+| Record.cs:35:1:39:1 | Pet | System.Object.~Object() | no location |
+| Record.cs:41:1:52:1 | Dog | Dog.!=(Dog, Dog) | Record.cs:41:15:41:17 |
+| Record.cs:41:1:52:1 | Dog | Dog.<Clone>$() | no location |
+| Record.cs:41:1:52:1 | Dog | Dog.==(Dog, Dog) | Record.cs:41:15:41:17 |
+| Record.cs:41:1:52:1 | Dog | Dog.Deconstruct(out string) | no location |
+| Record.cs:41:1:52:1 | Dog | Dog.Dog(Dog) | no location |
+| Record.cs:41:1:52:1 | Dog | Dog.Dog(string) | Record.cs:41:15:41:17 |
+| Record.cs:41:1:52:1 | Dog | Dog.EqualityContract | Record.cs:41:15:41:17 |
+| Record.cs:41:1:52:1 | Dog | Dog.Equals(Dog) | no location |
+| Record.cs:41:1:52:1 | Dog | Dog.Equals(Pet) | no location |
+| Record.cs:41:1:52:1 | Dog | Dog.Equals(object) | no location |
+| Record.cs:41:1:52:1 | Dog | Dog.GetHashCode() | no location |
+| Record.cs:41:1:52:1 | Dog | Dog.PrintMembers(StringBuilder) | no location |
+| Record.cs:41:1:52:1 | Dog | Dog.ToString() | Record.cs:46:28:46:35 |
+| Record.cs:41:1:52:1 | Dog | Dog.WagTail() | Record.cs:43:17:43:23 |
+| Record.cs:41:1:52:1 | Dog | Pet.!=(Pet, Pet) | Record.cs:35:15:35:17 |
+| Record.cs:41:1:52:1 | Dog | Pet.==(Pet, Pet) | Record.cs:35:15:35:17 |
+| Record.cs:41:1:52:1 | Dog | Pet.Deconstruct(out string) | no location |
+| Record.cs:41:1:52:1 | Dog | Pet.Name | Record.cs:35:26:35:29 |
+| Record.cs:41:1:52:1 | Dog | Pet.Pet(Pet) | no location |
+| Record.cs:41:1:52:1 | Dog | Pet.Pet(string) | Record.cs:35:15:35:17 |
+| Record.cs:41:1:52:1 | Dog | Pet.ShredTheFurniture() | Record.cs:37:17:37:33 |
+| Record.cs:41:1:52:1 | Dog | System.Object.Equals(object, object) | no location |
+| Record.cs:41:1:52:1 | Dog | System.Object.GetType() | no location |
+| Record.cs:41:1:52:1 | Dog | System.Object.MemberwiseClone() | no location |
+| Record.cs:41:1:52:1 | Dog | System.Object.Object() | no location |
+| Record.cs:41:1:52:1 | Dog | System.Object.ReferenceEquals(object, object) | no location |
+| Record.cs:41:1:52:1 | Dog | System.Object.~Object() | no location |
+| Record.cs:54:14:54:20 | Record1 | Record1.M1() | Record.cs:56:17:56:18 |
+| Record.cs:54:14:54:20 | Record1 | Record1.M2() | Record.cs:64:17:64:18 |
+| Record.cs:54:14:54:20 | Record1 | Record1.Record1() | no location |
+| Record.cs:54:14:54:20 | Record1 | System.Object.Equals(object) | no location |
+| Record.cs:54:14:54:20 | Record1 | System.Object.Equals(object, object) | no location |
+| Record.cs:54:14:54:20 | Record1 | System.Object.GetHashCode() | no location |
+| Record.cs:54:14:54:20 | Record1 | System.Object.GetType() | no location |
+| Record.cs:54:14:54:20 | Record1 | System.Object.MemberwiseClone() | no location |
+| Record.cs:54:14:54:20 | Record1 | System.Object.Object() | no location |
+| Record.cs:54:14:54:20 | Record1 | System.Object.ReferenceEquals(object, object) | no location |
+| Record.cs:54:14:54:20 | Record1 | System.Object.ToString() | no location |
+| Record.cs:54:14:54:20 | Record1 | System.Object.~Object() | no location |
diff --git a/csharp/ql/test/library-tests/csharp9/record.ql b/csharp/ql/test/library-tests/csharp9/record.ql
new file mode 100644
index 00000000000..5dce739deda
--- /dev/null
+++ b/csharp/ql/test/library-tests/csharp9/record.ql
@@ -0,0 +1,18 @@
+import csharp
+
+query predicate types(Class t, string i) {
+  t.getFile().getStem() = "Record" and
+  t.getABaseInterface().toStringWithTypes() = i
+}
+
+private string getMemberName(Member m) {
+  result = m.getDeclaringType().getQualifiedName() + "." + m.toStringWithTypes()
+}
+
+query predicate members(Class t, string ms, string l) {
+  t.getFile().getStem() = "Record" and
+  exists(Member m | t.hasMember(m) |
+    ms = getMemberName(m) and
+    if m.fromSource() then l = m.getLocation().toString() else l = "no location"
+  )
+}

From 9ffc38f5b1fc6abdbf75a9e3e85156e7942dad62 Mon Sep 17 00:00:00 2001
From: Tamas Vajk <tamasvajk@github.com>
Date: Mon, 25 Jan 2021 11:56:25 +0100
Subject: [PATCH 194/429] Fix deterministic ordering of class members in
 PrintAst

---
 csharp/ql/src/semmle/code/csharp/PrintAst.qll |  5 +-
 .../library-tests/csharp9/PrintAst.expected   | 70 +++++++++----------
 2 files changed, 38 insertions(+), 37 deletions(-)

diff --git a/csharp/ql/src/semmle/code/csharp/PrintAst.qll b/csharp/ql/src/semmle/code/csharp/PrintAst.qll
index f623860ff2d..024dfc2a05e 100644
--- a/csharp/ql/src/semmle/code/csharp/PrintAst.qll
+++ b/csharp/ql/src/semmle/code/csharp/PrintAst.qll
@@ -571,11 +571,12 @@ final class TypeNode extends ElementNode {
     result.(BaseTypesNode).getValueOrRefType() = type
     or
     result.(ElementNode).getElement() =
-      rank[childIndex - 3](Member m, string file, int line, int column |
+      rank[childIndex - 3](Member m, string file, int line, int column, string name |
         m = type.getAMember() and
+        name = m.getName() and
         locationSortKeys(m, file, line, column)
       |
-        m order by file, line, column
+        m order by file, line, column, name
       )
   }
 }
diff --git a/csharp/ql/test/library-tests/csharp9/PrintAst.expected b/csharp/ql/test/library-tests/csharp9/PrintAst.expected
index 4d4288d3649..3ef4be8b9ce 100644
--- a/csharp/ql/test/library-tests/csharp9/PrintAst.expected
+++ b/csharp/ql/test/library-tests/csharp9/PrintAst.expected
@@ -659,16 +659,16 @@ ParenthesizedPattern.cs:
 #   27|               2: [IntLiteral] 5
 Record.cs:
 #    4| [Class] Person
-#    4|   11: [Property] EqualityContract
-#    4|     3: [Getter] get_EqualityContract
 #    4|   11: [NEOperator] !=
 #-----|     2: (Parameters)
 #    4|       0: [Parameter] r1
 #    4|       1: [Parameter] r2
-#    4|   11: [EQOperator] ==
+#    4|   12: [EQOperator] ==
 #-----|     2: (Parameters)
 #    4|       0: [Parameter] r1
 #    4|       1: [Parameter] r2
+#    4|   13: [Property] EqualityContract
+#    4|     3: [Getter] get_EqualityContract
 #    6|   14: [IndexerProperty] LastName
 #    6|     -1: [TypeMention] string
 #    6|     3: [Getter] get_LastName
@@ -689,16 +689,16 @@ Record.cs:
 #    9|         0: [ParameterAccess] access to parameter first
 #    9|         1: [ParameterAccess] access to parameter last
 #   12| [Class] Teacher
-#   12|   12: [Property] EqualityContract
-#   12|     3: [Getter] get_EqualityContract
 #   12|   12: [NEOperator] !=
 #-----|     2: (Parameters)
 #   12|       0: [Parameter] r1
 #   12|       1: [Parameter] r2
-#   12|   12: [EQOperator] ==
+#   12|   13: [EQOperator] ==
 #-----|     2: (Parameters)
 #   12|       0: [Parameter] r1
 #   12|       1: [Parameter] r2
+#   12|   14: [Property] EqualityContract
+#   12|     3: [Getter] get_EqualityContract
 #   14|   15: [IndexerProperty] Subject
 #   14|     -1: [TypeMention] string
 #   14|     3: [Getter] get_Subject
@@ -717,16 +717,16 @@ Record.cs:
 #   17|       0: [PropertyCall] access to property Subject
 #   17|       1: [ParameterAccess] access to parameter sub
 #   20| [Class] Student
-#   20|   12: [Property] EqualityContract
-#   20|     3: [Getter] get_EqualityContract
 #   20|   12: [NEOperator] !=
 #-----|     2: (Parameters)
 #   20|       0: [Parameter] r1
 #   20|       1: [Parameter] r2
-#   20|   12: [EQOperator] ==
+#   20|   13: [EQOperator] ==
 #-----|     2: (Parameters)
 #   20|       0: [Parameter] r1
 #   20|       1: [Parameter] r2
+#   20|   14: [Property] EqualityContract
+#   20|     3: [Getter] get_EqualityContract
 #   22|   15: [Property] Level
 #   22|     -1: [TypeMention] int
 #   22|     3: [Getter] get_Level
@@ -745,22 +745,22 @@ Record.cs:
 #   24|       0: [PropertyCall] access to property Level
 #   24|       1: [ParameterAccess] access to parameter level
 #   27| [Class] Person1
-#   27|   12: [Property] EqualityContract
+#   27|   12: [NEOperator] !=
+#-----|     2: (Parameters)
+#   27|       0: [Parameter] r1
+#   27|       1: [Parameter] r2
+#   27|   13: [EQOperator] ==
+#-----|     2: (Parameters)
+#   27|       0: [Parameter] r1
+#   27|       1: [Parameter] r2
+#   27|   14: [Property] EqualityContract
 #   27|     3: [Getter] get_EqualityContract
-#   27|   12: [InstanceConstructor] Person1
+#   27|   15: [InstanceConstructor] Person1
 #-----|     2: (Parameters)
 #   27|       0: [Parameter] FirstName
 #   27|         -1: [TypeMention] string
 #   27|       1: [Parameter] LastName
 #   27|         -1: [TypeMention] string
-#   27|   12: [NEOperator] !=
-#-----|     2: (Parameters)
-#   27|       0: [Parameter] r1
-#   27|       1: [Parameter] r2
-#   27|   12: [EQOperator] ==
-#-----|     2: (Parameters)
-#   27|       0: [Parameter] r1
-#   27|       1: [Parameter] r2
 #   27|   16: [IndexerProperty] FirstName
 #   27|     3: [Getter] get_FirstName
 #   27|     4: [Setter] set_FirstName
@@ -772,17 +772,17 @@ Record.cs:
 #-----|       2: (Parameters)
 #   27|         0: [Parameter] value
 #   29| [Class] Teacher1
-#   29|   13: [Property] EqualityContract
-#   29|     3: [Getter] get_EqualityContract
 #   29|   13: [NEOperator] !=
 #-----|     2: (Parameters)
 #   29|       0: [Parameter] r1
 #   29|       1: [Parameter] r2
-#   29|   13: [EQOperator] ==
+#   29|   14: [EQOperator] ==
 #-----|     2: (Parameters)
 #   29|       0: [Parameter] r1
 #   29|       1: [Parameter] r2
-#   29|   13: [InstanceConstructor] Teacher1
+#   29|   15: [Property] EqualityContract
+#   29|     3: [Getter] get_EqualityContract
+#   29|   16: [InstanceConstructor] Teacher1
 #-----|     2: (Parameters)
 #   29|       0: [Parameter] FirstName
 #   29|         -1: [TypeMention] string
@@ -796,17 +796,17 @@ Record.cs:
 #-----|       2: (Parameters)
 #   29|         0: [Parameter] value
 #   32| [Class] Student1
-#   32|   13: [Property] EqualityContract
-#   32|     3: [Getter] get_EqualityContract
 #   32|   13: [NEOperator] !=
 #-----|     2: (Parameters)
 #   32|       0: [Parameter] r1
 #   32|       1: [Parameter] r2
-#   32|   13: [EQOperator] ==
+#   32|   14: [EQOperator] ==
 #-----|     2: (Parameters)
 #   32|       0: [Parameter] r1
 #   32|       1: [Parameter] r2
-#   32|   13: [InstanceConstructor] Student1
+#   32|   15: [Property] EqualityContract
+#   32|     3: [Getter] get_EqualityContract
+#   32|   16: [InstanceConstructor] Student1
 #-----|     2: (Parameters)
 #   32|       0: [Parameter] FirstName
 #   32|         -1: [TypeMention] string
@@ -820,17 +820,17 @@ Record.cs:
 #-----|       2: (Parameters)
 #   32|         0: [Parameter] value
 #   35| [Class] Pet
-#   35|   12: [Property] EqualityContract
-#   35|     3: [Getter] get_EqualityContract
 #   35|   12: [NEOperator] !=
 #-----|     2: (Parameters)
 #   35|       0: [Parameter] r1
 #   35|       1: [Parameter] r2
-#   35|   12: [EQOperator] ==
+#   35|   13: [EQOperator] ==
 #-----|     2: (Parameters)
 #   35|       0: [Parameter] r1
 #   35|       1: [Parameter] r2
-#   35|   12: [InstanceConstructor] Pet
+#   35|   14: [Property] EqualityContract
+#   35|     3: [Getter] get_EqualityContract
+#   35|   15: [InstanceConstructor] Pet
 #-----|     2: (Parameters)
 #   35|       0: [Parameter] Name
 #   35|         -1: [TypeMention] string
@@ -846,20 +846,20 @@ Record.cs:
 #   38|         0: [TypeMention] Console
 #   38|       0: [StringLiteral] "Shredding furniture"
 #   41| [Class] Dog
-#   41|   12: [Property] EqualityContract
-#   41|     3: [Getter] get_EqualityContract
 #   41|   12: [NEOperator] !=
 #-----|     2: (Parameters)
 #   41|       0: [Parameter] r1
 #   41|       1: [Parameter] r2
-#   41|   12: [EQOperator] ==
+#   41|   13: [EQOperator] ==
 #-----|     2: (Parameters)
 #   41|       0: [Parameter] r1
 #   41|       1: [Parameter] r2
-#   41|   12: [InstanceConstructor] Dog
+#   41|   14: [InstanceConstructor] Dog
 #-----|     2: (Parameters)
 #   41|       0: [Parameter] Name
 #   41|         -1: [TypeMention] string
+#   41|   15: [Property] EqualityContract
+#   41|     3: [Getter] get_EqualityContract
 #   43|   16: [Method] WagTail
 #   43|     -1: [TypeMention] Void
 #   44|     4: [MethodCall] call to method WriteLine

From f0b0845f9fe7a910556c454c683b47d70ccea6f8 Mon Sep 17 00:00:00 2001
From: Tamas Vajk <tamasvajk@github.com>
Date: Mon, 1 Feb 2021 16:29:37 +0100
Subject: [PATCH 195/429] Add 'record' QL class

---
 csharp/ql/src/semmle/code/cil/Declaration.qll | 23 +++++++------------
 csharp/ql/src/semmle/code/cil/Types.qll       |  5 ++++
 csharp/ql/src/semmle/code/csharp/Member.qll   | 14 +++++++++++
 csharp/ql/src/semmle/code/csharp/Type.qll     | 15 ++++++++++++
 .../ql/src/semmle/code/dotnet/Declaration.qll | 23 ++++++++++++++++++-
 csharp/ql/src/semmle/code/dotnet/Type.qll     | 12 ++++++++++
 .../library-tests/csharp9/PrintAst.expected   | 16 ++++++-------
 .../library-tests/csharp9/record.expected     | 12 ----------
 .../ql/test/library-tests/csharp9/record.ql   |  8 ++-----
 9 files changed, 86 insertions(+), 42 deletions(-)

diff --git a/csharp/ql/src/semmle/code/cil/Declaration.qll b/csharp/ql/src/semmle/code/cil/Declaration.qll
index 0c58d55caef..a747d4a6d80 100644
--- a/csharp/ql/src/semmle/code/cil/Declaration.qll
+++ b/csharp/ql/src/semmle/code/cil/Declaration.qll
@@ -51,30 +51,23 @@ private predicate toCSharpTypeParameterJoin(TypeParameter tp, int i, CS::Unbound
  * A member of a type. Either a type (`Type`), a method (`Method`), a property (`Property`), or an event (`Event`).
  */
 class Member extends DotNet::Member, Declaration, @cil_member {
-  /** Holds if this member is declared `public`. */
-  predicate isPublic() { cil_public(this) }
+  override predicate isPublic() { cil_public(this) }
 
-  /** Holds if this member is declared `protected.` */
-  predicate isProtected() { cil_protected(this) }
+  override predicate isProtected() { cil_protected(this) }
 
-  /** Holds if this member is `private`. */
-  predicate isPrivate() { cil_private(this) }
+  override predicate isPrivate() { cil_private(this) }
 
-  /** Holds if this member is `internal`. */
-  predicate isInternal() { cil_internal(this) }
+  override predicate isInternal() { cil_internal(this) }
 
-  /** Holds if this member is `sealed`. */
-  predicate isSealed() { cil_sealed(this) }
+  override predicate isSealed() { cil_sealed(this) }
 
-  /** Holds if this member is `abstract`. */
-  predicate isAbstract() { cil_abstract(this) }
+  override predicate isAbstract() { cil_abstract(this) }
+
+  override predicate isStatic() { cil_static(this) }
 
   /** Holds if this member has a security attribute. */
   predicate hasSecurity() { cil_security(this) }
 
-  /** Holds if this member is `static`. */
-  predicate isStatic() { cil_static(this) }
-
   override Location getLocation() { result = getDeclaringType().getLocation() }
 }
 
diff --git a/csharp/ql/src/semmle/code/cil/Types.qll b/csharp/ql/src/semmle/code/cil/Types.qll
index 0a07e78bb20..1bc74767d6b 100644
--- a/csharp/ql/src/semmle/code/cil/Types.qll
+++ b/csharp/ql/src/semmle/code/cil/Types.qll
@@ -60,6 +60,11 @@ class Class extends ValueOrRefType {
   Class() { this.isClass() }
 }
 
+/** A `record`. */
+class Record extends Class {
+  Record() { this.isRecord() }
+}
+
 /** An `interface`. */
 class Interface extends ValueOrRefType {
   Interface() { this.isInterface() }
diff --git a/csharp/ql/src/semmle/code/csharp/Member.qll b/csharp/ql/src/semmle/code/csharp/Member.qll
index 372e3c838a6..520df43cfb8 100644
--- a/csharp/ql/src/semmle/code/csharp/Member.qll
+++ b/csharp/ql/src/semmle/code/csharp/Member.qll
@@ -120,6 +120,20 @@ class Modifiable extends Declaration, @modifiable {
 class Member extends DotNet::Member, Modifiable, @member {
   /** Gets an access to this member. */
   MemberAccess getAnAccess() { result.getTarget() = this }
+
+  override predicate isPublic() { Modifiable.super.isPublic() }
+
+  override predicate isProtected() { Modifiable.super.isProtected() }
+
+  override predicate isPrivate() { Modifiable.super.isPrivate() }
+
+  override predicate isInternal() { Modifiable.super.isInternal() }
+
+  override predicate isSealed() { Modifiable.super.isSealed() }
+
+  override predicate isAbstract() { Modifiable.super.isAbstract() }
+
+  override predicate isStatic() { Modifiable.super.isStatic() }
 }
 
 /**
diff --git a/csharp/ql/src/semmle/code/csharp/Type.qll b/csharp/ql/src/semmle/code/csharp/Type.qll
index b15f7b57392..c9e89da9943 100644
--- a/csharp/ql/src/semmle/code/csharp/Type.qll
+++ b/csharp/ql/src/semmle/code/csharp/Type.qll
@@ -736,6 +736,21 @@ class Class extends RefType, @class_type {
   override string getAPrimaryQlClass() { result = "Class" }
 }
 
+/**
+ * A `record`, for example
+ *
+ * ```csharp
+ * record R(object Prop) {
+ *   ...
+ * }
+ * ```
+ */
+class Record extends Class {
+  Record() { this.isRecord() }
+
+  override string getAPrimaryQlClass() { result = "Record" }
+}
+
 /**
  * A class generated by the compiler from an anonymous object creation.
  *
diff --git a/csharp/ql/src/semmle/code/dotnet/Declaration.qll b/csharp/ql/src/semmle/code/dotnet/Declaration.qll
index 301f7859c66..7d6227486b0 100644
--- a/csharp/ql/src/semmle/code/dotnet/Declaration.qll
+++ b/csharp/ql/src/semmle/code/dotnet/Declaration.qll
@@ -58,7 +58,28 @@ class Declaration extends NamedElement, @dotnet_declaration {
 }
 
 /** A member of a type. */
-class Member extends Declaration, @dotnet_member { }
+class Member extends Declaration, @dotnet_member {
+  /** Holds if this member is declared `public`. */
+  predicate isPublic() { none() }
+
+  /** Holds if this member is declared `protected.` */
+  predicate isProtected() { none() }
+
+  /** Holds if this member is `private`. */
+  predicate isPrivate() { none() }
+
+  /** Holds if this member is `internal`. */
+  predicate isInternal() { none() }
+
+  /** Holds if this member is `sealed`. */
+  predicate isSealed() { none() }
+
+  /** Holds if this member is `abstract`. */
+  predicate isAbstract() { none() }
+
+  /** Holds if this member is `static`. */
+  predicate isStatic() { none() }
+}
 
 /** A property. */
 class Property extends Member, @dotnet_property {
diff --git a/csharp/ql/src/semmle/code/dotnet/Type.qll b/csharp/ql/src/semmle/code/dotnet/Type.qll
index 32cd383f913..cfb6748cf7b 100644
--- a/csharp/ql/src/semmle/code/dotnet/Type.qll
+++ b/csharp/ql/src/semmle/code/dotnet/Type.qll
@@ -49,6 +49,18 @@ class ValueOrRefType extends Type, @dotnet_valueorreftype {
 
   /** Gets a base type of this type, if any. */
   ValueOrRefType getABaseType() { none() }
+
+  /** Holds if this type is a `record`. */
+  predicate isRecord() {
+    exists(Callable c |
+      c.getDeclaringType() = this and
+      c.hasName("<Clone>$") and
+      c.getNumberOfParameters() = 0 and
+      c.getReturnType() = this.getABaseType*() and
+      c.(Member).isPublic() and
+      not c.(Member).isStatic()
+    )
+  }
 }
 
 /**
diff --git a/csharp/ql/test/library-tests/csharp9/PrintAst.expected b/csharp/ql/test/library-tests/csharp9/PrintAst.expected
index 3ef4be8b9ce..59546adfbfe 100644
--- a/csharp/ql/test/library-tests/csharp9/PrintAst.expected
+++ b/csharp/ql/test/library-tests/csharp9/PrintAst.expected
@@ -658,7 +658,7 @@ ParenthesizedPattern.cs:
 #   27|                 0: [TypeMention] string
 #   27|               2: [IntLiteral] 5
 Record.cs:
-#    4| [Class] Person
+#    4| [Record] Person
 #    4|   11: [NEOperator] !=
 #-----|     2: (Parameters)
 #    4|       0: [Parameter] r1
@@ -688,7 +688,7 @@ Record.cs:
 #    9|       1: [TupleExpr] (..., ...)
 #    9|         0: [ParameterAccess] access to parameter first
 #    9|         1: [ParameterAccess] access to parameter last
-#   12| [Class] Teacher
+#   12| [Record] Teacher
 #   12|   12: [NEOperator] !=
 #-----|     2: (Parameters)
 #   12|       0: [Parameter] r1
@@ -716,7 +716,7 @@ Record.cs:
 #   17|     4: [AssignExpr] ... = ...
 #   17|       0: [PropertyCall] access to property Subject
 #   17|       1: [ParameterAccess] access to parameter sub
-#   20| [Class] Student
+#   20| [Record] Student
 #   20|   12: [NEOperator] !=
 #-----|     2: (Parameters)
 #   20|       0: [Parameter] r1
@@ -744,7 +744,7 @@ Record.cs:
 #   24|     4: [AssignExpr] ... = ...
 #   24|       0: [PropertyCall] access to property Level
 #   24|       1: [ParameterAccess] access to parameter level
-#   27| [Class] Person1
+#   27| [Record] Person1
 #   27|   12: [NEOperator] !=
 #-----|     2: (Parameters)
 #   27|       0: [Parameter] r1
@@ -771,7 +771,7 @@ Record.cs:
 #   27|     4: [Setter] set_LastName
 #-----|       2: (Parameters)
 #   27|         0: [Parameter] value
-#   29| [Class] Teacher1
+#   29| [Record] Teacher1
 #   29|   13: [NEOperator] !=
 #-----|     2: (Parameters)
 #   29|       0: [Parameter] r1
@@ -795,7 +795,7 @@ Record.cs:
 #   29|     4: [Setter] set_Subject
 #-----|       2: (Parameters)
 #   29|         0: [Parameter] value
-#   32| [Class] Student1
+#   32| [Record] Student1
 #   32|   13: [NEOperator] !=
 #-----|     2: (Parameters)
 #   32|       0: [Parameter] r1
@@ -819,7 +819,7 @@ Record.cs:
 #   32|     4: [Setter] set_Level
 #-----|       2: (Parameters)
 #   32|         0: [Parameter] value
-#   35| [Class] Pet
+#   35| [Record] Pet
 #   35|   12: [NEOperator] !=
 #-----|     2: (Parameters)
 #   35|       0: [Parameter] r1
@@ -845,7 +845,7 @@ Record.cs:
 #   38|       -1: [TypeAccess] access to type Console
 #   38|         0: [TypeMention] Console
 #   38|       0: [StringLiteral] "Shredding furniture"
-#   41| [Class] Dog
+#   41| [Record] Dog
 #   41|   12: [NEOperator] !=
 #-----|     2: (Parameters)
 #   41|       0: [Parameter] r1
diff --git a/csharp/ql/test/library-tests/csharp9/record.expected b/csharp/ql/test/library-tests/csharp9/record.expected
index d2a427d6554..69d7abddb31 100644
--- a/csharp/ql/test/library-tests/csharp9/record.expected
+++ b/csharp/ql/test/library-tests/csharp9/record.expected
@@ -198,15 +198,3 @@ members
 | Record.cs:41:1:52:1 | Dog | System.Object.Object() | no location |
 | Record.cs:41:1:52:1 | Dog | System.Object.ReferenceEquals(object, object) | no location |
 | Record.cs:41:1:52:1 | Dog | System.Object.~Object() | no location |
-| Record.cs:54:14:54:20 | Record1 | Record1.M1() | Record.cs:56:17:56:18 |
-| Record.cs:54:14:54:20 | Record1 | Record1.M2() | Record.cs:64:17:64:18 |
-| Record.cs:54:14:54:20 | Record1 | Record1.Record1() | no location |
-| Record.cs:54:14:54:20 | Record1 | System.Object.Equals(object) | no location |
-| Record.cs:54:14:54:20 | Record1 | System.Object.Equals(object, object) | no location |
-| Record.cs:54:14:54:20 | Record1 | System.Object.GetHashCode() | no location |
-| Record.cs:54:14:54:20 | Record1 | System.Object.GetType() | no location |
-| Record.cs:54:14:54:20 | Record1 | System.Object.MemberwiseClone() | no location |
-| Record.cs:54:14:54:20 | Record1 | System.Object.Object() | no location |
-| Record.cs:54:14:54:20 | Record1 | System.Object.ReferenceEquals(object, object) | no location |
-| Record.cs:54:14:54:20 | Record1 | System.Object.ToString() | no location |
-| Record.cs:54:14:54:20 | Record1 | System.Object.~Object() | no location |
diff --git a/csharp/ql/test/library-tests/csharp9/record.ql b/csharp/ql/test/library-tests/csharp9/record.ql
index 5dce739deda..3c97ee1aa84 100644
--- a/csharp/ql/test/library-tests/csharp9/record.ql
+++ b/csharp/ql/test/library-tests/csharp9/record.ql
@@ -1,16 +1,12 @@
 import csharp
 
-query predicate types(Class t, string i) {
-  t.getFile().getStem() = "Record" and
-  t.getABaseInterface().toStringWithTypes() = i
-}
+query predicate types(Record t, string i) { t.getABaseInterface().toStringWithTypes() = i }
 
 private string getMemberName(Member m) {
   result = m.getDeclaringType().getQualifiedName() + "." + m.toStringWithTypes()
 }
 
-query predicate members(Class t, string ms, string l) {
-  t.getFile().getStem() = "Record" and
+query predicate members(Record t, string ms, string l) {
   exists(Member m | t.hasMember(m) |
     ms = getMemberName(m) and
     if m.fromSource() then l = m.getLocation().toString() else l = "no location"

From f555c0642efb7e3f9c96619a01fa818baaddb280 Mon Sep 17 00:00:00 2001
From: Tamas Vajk <tamasvajk@github.com>
Date: Thu, 4 Feb 2021 08:58:52 +0100
Subject: [PATCH 196/429] Add change note

---
 csharp/change-notes/2021-02-04-Records.md | 2 ++
 1 file changed, 2 insertions(+)
 create mode 100644 csharp/change-notes/2021-02-04-Records.md

diff --git a/csharp/change-notes/2021-02-04-Records.md b/csharp/change-notes/2021-02-04-Records.md
new file mode 100644
index 00000000000..069737e5239
--- /dev/null
+++ b/csharp/change-notes/2021-02-04-Records.md
@@ -0,0 +1,2 @@
+lgtm,codescanning
+* Record types (`Record`) are extracted.

From 83f0fad01486921d68c326bbc0d5e70443a89ac8 Mon Sep 17 00:00:00 2001
From: Tamas Vajk <tamasvajk@github.com>
Date: Thu, 4 Feb 2021 09:01:43 +0100
Subject: [PATCH 197/429] Fix expected test AST

---
 .../test/library-tests/csharp9/PrintAst.expected   | 14 +++++++-------
 1 file changed, 7 insertions(+), 7 deletions(-)

diff --git a/csharp/ql/test/library-tests/csharp9/PrintAst.expected b/csharp/ql/test/library-tests/csharp9/PrintAst.expected
index 59546adfbfe..ea3540ce4ce 100644
--- a/csharp/ql/test/library-tests/csharp9/PrintAst.expected
+++ b/csharp/ql/test/library-tests/csharp9/PrintAst.expected
@@ -669,10 +669,10 @@ Record.cs:
 #    4|       1: [Parameter] r2
 #    4|   13: [Property] EqualityContract
 #    4|     3: [Getter] get_EqualityContract
-#    6|   14: [IndexerProperty] LastName
+#    6|   14: [Property] LastName
 #    6|     -1: [TypeMention] string
 #    6|     3: [Getter] get_LastName
-#    7|   15: [IndexerProperty] FirstName
+#    7|   15: [Property] FirstName
 #    7|     -1: [TypeMention] string
 #    7|     3: [Getter] get_FirstName
 #    9|   16: [InstanceConstructor] Person
@@ -699,7 +699,7 @@ Record.cs:
 #   12|       1: [Parameter] r2
 #   12|   14: [Property] EqualityContract
 #   12|     3: [Getter] get_EqualityContract
-#   14|   15: [IndexerProperty] Subject
+#   14|   15: [Property] Subject
 #   14|     -1: [TypeMention] string
 #   14|     3: [Getter] get_Subject
 #   16|   16: [InstanceConstructor] Teacher
@@ -761,12 +761,12 @@ Record.cs:
 #   27|         -1: [TypeMention] string
 #   27|       1: [Parameter] LastName
 #   27|         -1: [TypeMention] string
-#   27|   16: [IndexerProperty] FirstName
+#   27|   16: [Property] FirstName
 #   27|     3: [Getter] get_FirstName
 #   27|     4: [Setter] set_FirstName
 #-----|       2: (Parameters)
 #   27|         0: [Parameter] value
-#   27|   17: [IndexerProperty] LastName
+#   27|   17: [Property] LastName
 #   27|     3: [Getter] get_LastName
 #   27|     4: [Setter] set_LastName
 #-----|       2: (Parameters)
@@ -790,7 +790,7 @@ Record.cs:
 #   29|         -1: [TypeMention] string
 #   29|       2: [Parameter] Subject
 #   29|         -1: [TypeMention] string
-#   29|   17: [IndexerProperty] Subject
+#   29|   17: [Property] Subject
 #   29|     3: [Getter] get_Subject
 #   29|     4: [Setter] set_Subject
 #-----|       2: (Parameters)
@@ -834,7 +834,7 @@ Record.cs:
 #-----|     2: (Parameters)
 #   35|       0: [Parameter] Name
 #   35|         -1: [TypeMention] string
-#   35|   16: [IndexerProperty] Name
+#   35|   16: [Property] Name
 #   35|     3: [Getter] get_Name
 #   35|     4: [Setter] set_Name
 #-----|       2: (Parameters)

From 8e85145df4bd1d09750ca976439ba81592a10bf5 Mon Sep 17 00:00:00 2001
From: "Raul Garcia (MSFT)" <raul.garcia@microsoft.com>
Date: Thu, 4 Feb 2021 12:51:31 -0800
Subject: [PATCH 198/429] Updated Readme file

---
 .../campaign/Solorigate-Readme.md             | 28 +++++++++----------
 1 file changed, 14 insertions(+), 14 deletions(-)

diff --git a/csharp/ql/src/experimental/Security Features/campaign/Solorigate-Readme.md b/csharp/ql/src/experimental/Security Features/campaign/Solorigate-Readme.md
index 471fd9ed6f8..9caa17d1f3d 100644
--- a/csharp/ql/src/experimental/Security Features/campaign/Solorigate-Readme.md	
+++ b/csharp/ql/src/experimental/Security Features/campaign/Solorigate-Readme.md	
@@ -1,10 +1,10 @@
 # Working with Solorigate queries
 
-These queries hunt for Indicators of Compromise (IoCs) associated with the malicious implant code that was inserted into the SolarWinds Orion product.  
+In early December, 2020 a sophisticated compromise campaign was uncovered, dubbed [Solorigate](https://aka.ms/solorigate).  A key feature of the campaign was a malicious software implant inserted into SolarWinds' Orion product on the build server. Studying the coding patterns and techniques used in the implant, Microsoft authored CodeQL queries as part of a larger effort to analyze our source code for any malicious modification - a brief summary of those efforts can be [found here](https://aka.ms/Solorigate-CodeQL-Blog). These queries here represent a mixture of techniques to look for code that shares features with the malicious Implant code.
 
 This ReadMe walks through what each query does and limitations of the approaches taken, suggestions for modifications, and general advice on using CodeQL to author backdoor hunting queries.  There are two approaches taken with the queries; the first is to look for syntactic characteristics used in the malicious implant, things like names and particular literals.  The second approach looks for semantic patterns – particular functionality and flow associated with the implant.  
 
-When editing this queries for open sourcing, we tried to find the right balance between detection capability and false positive rate, mindful that different organizations have differing resources to review the findings.  
+When editing this queries for open sourcing, we tried to find the right balance between detection capability and false positive rate, mindful that different organizations have differing resources to review the findings.  We also excluded queries that we found to be resource intensive when executing without providing significant detective value over these queries here.  In the coming weeks we will post on [our blog](https://aka.ms/CST-SE-Blog) a walk through of our experience authoring and tuning these queries, as well as discussing the challenges we saw with the queries we didn't open source.
 
 ## Syntactic queries
 
@@ -107,15 +107,15 @@ While the results of this query are useful on their own, both to cast a wide net
 
 The malicious modifications of SolarWinds’ code took place on the build server (more details from [CrowdStrike](https://www.crowdstrike.com/blog/sunspot-malware-technical-analysis/)), so CodeQL databases used for analysis should ideally be built from the same build servers.  CodeQL utilizes the same Roslyn Compiler as MSBuild, so absent the malicious actor specifically building checks for the presence of CodeQL, it is likely the injection technique utilized by the malicious actor would replicate when CodeQL was run.  Alternatively, if building CodeQL databases in an independent environment, other techniques can be used to validate that the code that was compiled into the final binaries is the same as the source code in the source repository.
 
-> ### FYI
->
-> While the step-by-step details are outside the scope of this ReadMe, if the build environment is configured to perform deterministic builds (not all compilers support this, nor default to this if they do), the binaries produced by the build environment can be compared to binaries produced from the same source compiled in a distinct environment.  Additionally, some compilers can be configured to emit a manifest of the source code hashes for the source files that were compiled (MSBuild puts them in the PDB files emitted during compilation), which can be compared to source hashes created in an independent environment.  If the comparison of either the deterministically built binaries or source hashes do not match, that is a clear indicator that further investigation is warranted.  These two techniques can be automated to provide ongoing validation of the build output.  
->
->If comparing source hashes, it is strongly recommended that SHA256 rather than weaker hashes be used.  This can be configured in the following Microsoft compilers by using the specified compiler flags below:
->
-> * cl.exe /ZH:SHA_256
-> * ml.exe /ZH:SHA_256
-> * ml64.exe /ZH:SHA_256
-> * armasm.exe -gh:SHA_256
-> * armasm64.exe -gh:SHA_256
-> * csc.exe /checksumalgorithm:SHA256
+### FYI
+
+While the step-by-step details are outside the scope of this ReadMe, if the build environment is configured to perform deterministic builds (not all compilers support this, nor default to this if they do), the binaries produced by the build environment can be compared to binaries produced from the same source compiled in a distinct environment.  Additionally, some compilers can be configured to emit a manifest of the source code hashes for the source files that were compiled (MSBuild puts them in the PDB files emitted during compilation), which can be compared to source hashes created in an independent environment.  If the comparison of either the deterministically built binaries or source hashes do not match, that is a clear indicator that further investigation is warranted.  These two techniques can be automated to provide ongoing validation of the build output.  
+
+If comparing source hashes, it is strongly recommended that SHA256 rather than weaker hashes be used.  This can be configured in the following Microsoft compilers by using the specified compiler flags below:
+
+* cl.exe /ZH:SHA_256
+* ml.exe /ZH:SHA_256
+* ml64.exe /ZH:SHA_256
+* armasm.exe -gh:SHA_256
+* armasm64.exe -gh:SHA_256
+* csc.exe /checksumalgorithm:SHA256

From 1d8f8286a5e58e582604c90f44cb6514a35c650b Mon Sep 17 00:00:00 2001
From: "Raul Garcia (MSFT)" <raul.garcia@microsoft.com>
Date: Thu, 4 Feb 2021 13:25:43 -0800
Subject: [PATCH 199/429] Fixes to address some of the comments during PR

---
 .../backdoor/DangerousNativeFunctionCall.ql   |  2 +-
 .../ModifiedFnvFunctionDetection.qhelp        |  2 +-
 .../ModifiedFnvFunctionDetection.ql           |  4 +-
 .../NumberOfKnownCommandsAboveThreshold.ql    | 16 ++++++
 .../NumberOfKnownHashesAboveThreshold.ql      |  9 ++++
 .../NumberOfKnownLiteralsAboveThreshold.ql    |  9 ++++
 .../NumberOfKnownMethodNamesAboveThreshold.ql |  9 ++++
 .../campaign/Solorigate/Solorigate.qhelp      |  2 +-
 .../campaign/Solorigate/Solorigate.qll        | 49 ++++---------------
 9 files changed, 57 insertions(+), 45 deletions(-)

diff --git a/csharp/ql/src/experimental/Security Features/backdoor/DangerousNativeFunctionCall.ql b/csharp/ql/src/experimental/Security Features/backdoor/DangerousNativeFunctionCall.ql
index f36f5b6ee2a..af1500fb215 100644
--- a/csharp/ql/src/experimental/Security Features/backdoor/DangerousNativeFunctionCall.ql	
+++ b/csharp/ql/src/experimental/Security Features/backdoor/DangerousNativeFunctionCall.ql	
@@ -52,4 +52,4 @@ from MethodCall mc
 where
   isExternMethod(mc.getTarget()) and
   isDangerousMethod(mc.getTarget())
-select mc, "Call to an external method $@", mc, mc.toString()
+select mc, "Call to an external method '" + mc.getTarget().getName() + "'."
diff --git a/csharp/ql/src/experimental/Security Features/campaign/Solorigate/ModifiedFnvFunctionDetection.qhelp b/csharp/ql/src/experimental/Security Features/campaign/Solorigate/ModifiedFnvFunctionDetection.qhelp
index d3abdc85f28..ffa32c5937d 100644
--- a/csharp/ql/src/experimental/Security Features/campaign/Solorigate/ModifiedFnvFunctionDetection.qhelp	
+++ b/csharp/ql/src/experimental/Security Features/campaign/Solorigate/ModifiedFnvFunctionDetection.qhelp	
@@ -3,7 +3,7 @@
   "qhelp.dtd">
 <qhelp>
   <overview>
-    <p>The malicious code included hash values calculated using a standard FNV-1A 64-bit hash with an additional XOR by 6605813339339102567 after computing the FNV-1A.</p>
+    <p>The malicious code included hash values calculated using a standard FNV-1A 64-bit hash with an additional XOR by a literal after computing the FNV-1A.</p>
     <p>This query detects FNV-like hash calculations where there is an additional xor (with any static value) after the hash calculation loop.</p>
   </overview>
 
diff --git a/csharp/ql/src/experimental/Security Features/campaign/Solorigate/ModifiedFnvFunctionDetection.ql b/csharp/ql/src/experimental/Security Features/campaign/Solorigate/ModifiedFnvFunctionDetection.ql
index 2e94ea4ad4e..a6e5f571ebb 100644
--- a/csharp/ql/src/experimental/Security Features/campaign/Solorigate/ModifiedFnvFunctionDetection.ql	
+++ b/csharp/ql/src/experimental/Security Features/campaign/Solorigate/ModifiedFnvFunctionDetection.ql	
@@ -18,12 +18,12 @@ where
   maybeUsedInFNVFunction(v, _, _, loop) and
   (
     exists(BitwiseXorExpr xor2 | xor2.getAnOperand() = l and additional_xor = xor2 |
-      loop.getAControlFlowNode().getASuccessor*() = xor2.getAControlFlowNode() and
+      loop.getAControlFlowExitNode().getASuccessor*() = xor2.getAControlFlowNode() and
       xor2.getAnOperand() = v.getAnAccess()
     )
     or
     exists(AssignXorExpr xor2 | xor2.getAnOperand() = l and additional_xor = xor2 |
-      loop.getAControlFlowNode().getASuccessor*() = xor2.getAControlFlowNode() and
+      loop.getAControlFlowExitNode().getASuccessor*() = xor2.getAControlFlowNode() and
       xor2.getAnOperand() = v.getAnAccess()
     )
   )
diff --git a/csharp/ql/src/experimental/Security Features/campaign/Solorigate/NumberOfKnownCommandsAboveThreshold.ql b/csharp/ql/src/experimental/Security Features/campaign/Solorigate/NumberOfKnownCommandsAboveThreshold.ql
index f60d4232004..34c773636ad 100644
--- a/csharp/ql/src/experimental/Security Features/campaign/Solorigate/NumberOfKnownCommandsAboveThreshold.ql	
+++ b/csharp/ql/src/experimental/Security Features/campaign/Solorigate/NumberOfKnownCommandsAboveThreshold.ql	
@@ -13,6 +13,22 @@
 import csharp
 import Solorigate
 
+/*
+ * Returns the total number of Solorigate-related commands in the given enum
+ *
+ * This command list is described at https://www.fireeye.com/blog/products-and-services/2020/12/global-intrusion-campaign-leverages-software-supply-chain-compromise.html
+ * and the enum names are based from https://github.com/ITAYC0HEN/SUNBURST-Cracked/tree/a01f358965525bee34ad026acd9dfda3d488fdd8
+ */
+
+int countSolorigateCommandInEnum(Enum e) {
+  result =
+    count(string s, EnumConstant ec |
+      e.getAnEnumConstant() = ec and
+      s = ec.getName() and
+      s = solorigateSuspiciousCommandsInEnum()
+    )
+}
+
 from Enum e, int total
 where
   total = countSolorigateCommandInEnum(e) and
diff --git a/csharp/ql/src/experimental/Security Features/campaign/Solorigate/NumberOfKnownHashesAboveThreshold.ql b/csharp/ql/src/experimental/Security Features/campaign/Solorigate/NumberOfKnownHashesAboveThreshold.ql
index 830a9b48c2a..392a0d97165 100644
--- a/csharp/ql/src/experimental/Security Features/campaign/Solorigate/NumberOfKnownHashesAboveThreshold.ql	
+++ b/csharp/ql/src/experimental/Security Features/campaign/Solorigate/NumberOfKnownHashesAboveThreshold.ql	
@@ -13,6 +13,15 @@
 import csharp
 import Solorigate
 
+/*
+ * Returns the total number of Solorigate-related literales found in the project
+ */
+
+int countSolorigateSuspiciousHash() {
+  result =
+    count(string s | exists(Literal l | s = l.getValue() and s = solorigateSuspiciousHashes()))
+}
+
 from Literal l, int total, int threshold
 where
   total = countSolorigateSuspiciousHash() and
diff --git a/csharp/ql/src/experimental/Security Features/campaign/Solorigate/NumberOfKnownLiteralsAboveThreshold.ql b/csharp/ql/src/experimental/Security Features/campaign/Solorigate/NumberOfKnownLiteralsAboveThreshold.ql
index a280fefddfa..2055dda9946 100644
--- a/csharp/ql/src/experimental/Security Features/campaign/Solorigate/NumberOfKnownLiteralsAboveThreshold.ql	
+++ b/csharp/ql/src/experimental/Security Features/campaign/Solorigate/NumberOfKnownLiteralsAboveThreshold.ql	
@@ -13,6 +13,15 @@
 import csharp
 import Solorigate
 
+/*
+ * Returns the total number of Solorigate-related literales found in the project
+ */
+
+int countSolorigateSuspiciousLiterals() {
+  result =
+    count(string s | exists(Literal l | s = l.getValue() and s = solorigateSuspiciousLiterals()))
+}
+
 from Literal l, int total, int threshold
 where
   total = countSolorigateSuspiciousLiterals() and
diff --git a/csharp/ql/src/experimental/Security Features/campaign/Solorigate/NumberOfKnownMethodNamesAboveThreshold.ql b/csharp/ql/src/experimental/Security Features/campaign/Solorigate/NumberOfKnownMethodNamesAboveThreshold.ql
index 277d8c745bd..a3bac88cb78 100644
--- a/csharp/ql/src/experimental/Security Features/campaign/Solorigate/NumberOfKnownMethodNamesAboveThreshold.ql	
+++ b/csharp/ql/src/experimental/Security Features/campaign/Solorigate/NumberOfKnownMethodNamesAboveThreshold.ql	
@@ -13,6 +13,15 @@
 import csharp
 import Solorigate
 
+/*
+ * Returns the total number of Solorigate-related method names found in the project
+ */
+
+int countSolorigateSuspiciousMethodNames() {
+  result =
+    count(string s | exists(Method m | s = m.getName() and s = solorigateSuspiciousMethodNames()))
+}
+
 from Method m, int total, int threshold
 where
   total = countSolorigateSuspiciousMethodNames() and
diff --git a/csharp/ql/src/experimental/Security Features/campaign/Solorigate/Solorigate.qhelp b/csharp/ql/src/experimental/Security Features/campaign/Solorigate/Solorigate.qhelp
index 798ae65ba8b..19c5c2666cd 100644
--- a/csharp/ql/src/experimental/Security Features/campaign/Solorigate/Solorigate.qhelp	
+++ b/csharp/ql/src/experimental/Security Features/campaign/Solorigate/Solorigate.qhelp	
@@ -4,7 +4,7 @@
 <qhelp>
  <overview>
   <p>The nation-state supply chain attack on SolarWinds known as Solorigate or SunBurst gave nation-state actors access to some victims' networks.</p>
-  <p>The purpose of these rules is to identify poetntially tampered code that requires further analysis</p>
+  <p>The purpose of these rules is to identify potentially tampered code that requires further analysis</p>
 </overview> 
 <recommendation>
   <p>Any findings from these rules are only intended to indicate suspicious code that shares similarities with known portions of code used for this attack, but no certainty that the code is related or part of any attack.</p>
diff --git a/csharp/ql/src/experimental/Security Features/campaign/Solorigate/Solorigate.qll b/csharp/ql/src/experimental/Security Features/campaign/Solorigate/Solorigate.qll
index 15444930fad..9a36ea4c673 100644
--- a/csharp/ql/src/experimental/Security Features/campaign/Solorigate/Solorigate.qll	
+++ b/csharp/ql/src/experimental/Security Features/campaign/Solorigate/Solorigate.qll	
@@ -11,7 +11,7 @@ import csharp
  * and https://github.com/fireeye/sunburst_countermeasures/blob/main/fnv1a_xor_hashes.txt
  */
 
-private string solorigateSuspiciousHashes() {
+string solorigateSuspiciousHashes() {
   result =
     [
       "10063651499895178962", "10235971842993272939", "10296494671777307979",
@@ -94,15 +94,6 @@ private string solorigateSuspiciousHashes() {
 
 predicate isSolorigateHash(Literal l) { l.getValue() = solorigateSuspiciousHashes() }
 
-/*
- * Returns the total number of Solorigate-related literales found in the project
- */
-
-int countSolorigateSuspiciousHash() {
-  result =
-    count(string s | exists(Literal l | s = l.getValue() and s = solorigateSuspiciousHashes()))
-}
-
 /*
  * Returns a list of Literals used by Solorigate
  *
@@ -110,7 +101,7 @@ int countSolorigateSuspiciousHash() {
  * and https://github.com/fireeye/sunburst_countermeasures/blob/main/fnv1a_xor_hashes.txt
  */
 
-private string solorigateSuspiciousLiterals() {
+string solorigateSuspiciousLiterals() {
   result =
     [
       "(?i)([^a-z]|^)(test)([^a-z]|$)", "(?i)(solarwinds)", "[{0,5}] {1,-16} {2}\t{3,5} {4}\\{5}\n",
@@ -157,22 +148,13 @@ private string solorigateSuspiciousLiterals() {
 
 predicate isSolorigateLiteral(Literal l) { l.getValue() = solorigateSuspiciousLiterals() }
 
-/*
- * Returns the total number of Solorigate-related literales found in the project
- */
-
-int countSolorigateSuspiciousLiterals() {
-  result =
-    count(string s | exists(Literal l | s = l.getValue() and s = solorigateSuspiciousLiterals()))
-}
-
 /*
  * Returns a list of method names used by Solorigate
  *
  * This data was extracted from https://github.com/ITAYC0HEN/SUNBURST-Cracked/tree/a01f358965525bee34ad026acd9dfda3d488fdd8
  */
 
-private string solorigateSuspiciousMethodNames() {
+string solorigateSuspiciousMethodNames() {
   result =
     [
       "Abort", "AddFileExecutionEngine", "AddRegistryExecutionEngine", "AdjustTokenPrivileges",
@@ -211,32 +193,19 @@ predicate isSolorigateSuspiciousMethodName(Method m) {
   m.getName() = solorigateSuspiciousMethodNames()
 }
 
-/*
- * Returns the total number of Solorigate-related method names found in the project
- */
-
-int countSolorigateSuspiciousMethodNames() {
-  result =
-    count(string s | exists(Method m | s = m.getName() and s = solorigateSuspiciousMethodNames()))
-}
 
 /*
- * Returns the total number of Solorigate-related commands in the given enum
+ * Returns a list of enum values used by Solorigate to represent commands
  *
- * This command list is described at https://www.fireeye.com/blog/products-and-services/2020/12/global-intrusion-campaign-leverages-software-supply-chain-compromise.html
- * and the enum names are based from https://github.com/ITAYC0HEN/SUNBURST-Cracked/tree/a01f358965525bee34ad026acd9dfda3d488fdd8
+ * This data was extracted from https://github.com/ITAYC0HEN/SUNBURST-Cracked/tree/a01f358965525bee34ad026acd9dfda3d488fdd8
  */
 
-int countSolorigateCommandInEnum(Enum e) {
+string solorigateSuspiciousCommandsInEnum() {
   result =
-    count(string s, EnumConstant ec |
-      e.getAnEnumConstant() = ec and
-      s = ec.getName() and
-      s in [
+    [
           "Idle", "Exit", "SetTime", "CollectSystemDescription", "UploadSystemDescription",
           "RunTask", "GetProcessByDescription", "KillTask", "GetFileSystemEntries", "WriteFile",
           "FileExists", "DeleteFile", "GetFileHash", "ReadRegistryValue", "SetRegistryValue",
           "DeleteRegistryValue", "GetRegistrySubKeyAndValueNames", "Reboot", "None"
-        ]
-    )
-}
+    ]
+}
\ No newline at end of file

From 9470a99092b2ba161c4c420c007ffe25d33611b5 Mon Sep 17 00:00:00 2001
From: NateD-MSFT <34494373+NateD-MSFT@users.noreply.github.com>
Date: Thu, 4 Feb 2021 13:32:09 -0800
Subject: [PATCH 200/429] Add KeGetCurrentProcessorNumberEx to CQE-457
 whitelist

Windows driver developers may call KeGetCurrentProcessorNumberEx in their driver.  This function optionally may initialize a provided structure, but this initialization always occurs.  The return value is the current processor being run on.  As such, this query incorrectly marks calls to KeGetCurrentProcessorNumberEx that initialize a structure that is later used as risky, even though in reality the initialization always succeeds.

See https://docs.microsoft.com/en-us/windows-hardware/drivers/ddi/ntddk/nf-ntddk-kegetcurrentprocessornumberex
---
 cpp/ql/src/Security/CWE/CWE-457/InitializationFunctions.qll | 4 +++-
 1 file changed, 3 insertions(+), 1 deletion(-)

diff --git a/cpp/ql/src/Security/CWE/CWE-457/InitializationFunctions.qll b/cpp/ql/src/Security/CWE/CWE-457/InitializationFunctions.qll
index 1a186cc4c5e..4739c7ad5cf 100644
--- a/cpp/ql/src/Security/CWE/CWE-457/InitializationFunctions.qll
+++ b/cpp/ql/src/Security/CWE/CWE-457/InitializationFunctions.qll
@@ -353,7 +353,9 @@ class InitializationFunction extends Function {
           // Destination range is zeroed out on failure, assuming first two parameters are valid
           "memcpy_s",
           // This zeroes the memory unconditionally
-          "SeCreateAccessState"
+          "SeCreateAccessState",
+          // Argument initialization is optional, but always succeeds
+          "KeGetCurrentProcessorNumberEx"
         ]
     )
   }

From d5c9db42de7a95ab5d991e7c46ed86fdbef7f4b9 Mon Sep 17 00:00:00 2001
From: "Raul Garcia (MSFT)" <raul.garcia@microsoft.com>
Date: Thu, 4 Feb 2021 14:26:03 -0800
Subject: [PATCH 201/429] Fixing format

---
 .../campaign/Solorigate/Solorigate.qll                | 11 +++++------
 1 file changed, 5 insertions(+), 6 deletions(-)

diff --git a/csharp/ql/src/experimental/Security Features/campaign/Solorigate/Solorigate.qll b/csharp/ql/src/experimental/Security Features/campaign/Solorigate/Solorigate.qll
index 9a36ea4c673..6947fc05bb1 100644
--- a/csharp/ql/src/experimental/Security Features/campaign/Solorigate/Solorigate.qll	
+++ b/csharp/ql/src/experimental/Security Features/campaign/Solorigate/Solorigate.qll	
@@ -193,7 +193,6 @@ predicate isSolorigateSuspiciousMethodName(Method m) {
   m.getName() = solorigateSuspiciousMethodNames()
 }
 
-
 /*
  * Returns a list of enum values used by Solorigate to represent commands
  *
@@ -203,9 +202,9 @@ predicate isSolorigateSuspiciousMethodName(Method m) {
 string solorigateSuspiciousCommandsInEnum() {
   result =
     [
-          "Idle", "Exit", "SetTime", "CollectSystemDescription", "UploadSystemDescription",
-          "RunTask", "GetProcessByDescription", "KillTask", "GetFileSystemEntries", "WriteFile",
-          "FileExists", "DeleteFile", "GetFileHash", "ReadRegistryValue", "SetRegistryValue",
-          "DeleteRegistryValue", "GetRegistrySubKeyAndValueNames", "Reboot", "None"
+      "Idle", "Exit", "SetTime", "CollectSystemDescription", "UploadSystemDescription", "RunTask",
+      "GetProcessByDescription", "KillTask", "GetFileSystemEntries", "WriteFile", "FileExists",
+      "DeleteFile", "GetFileHash", "ReadRegistryValue", "SetRegistryValue", "DeleteRegistryValue",
+      "GetRegistrySubKeyAndValueNames", "Reboot", "None"
     ]
-}
\ No newline at end of file
+}

From 9ef4aef28ed416a482ebb44a42622a0302dd093a Mon Sep 17 00:00:00 2001
From: "Raul Garcia (MSFT)" <raul.garcia@microsoft.com>
Date: Thu, 4 Feb 2021 16:59:38 -0800
Subject: [PATCH 202/429] Changing location for NonCryptographicHash qll
 Changing the TimeBomb query to path-problem (any suggestions to improve it
 would be welcomed, no previous experience iwth path-problem queries)

---
 .../backdoor/PotentialTimeBomb.ql                  | 14 +++++++++-----
 .../backdoor/ProcessNameToHashTaintFlow.ql         |  2 +-
 .../Solorigate/ModifiedFnvFunctionDetection.ql     |  2 +-
 .../csharp/Cryptography/NonCryptographicHashes.qll |  0
 4 files changed, 11 insertions(+), 7 deletions(-)
 rename csharp/ql/src/{microsoft => experimental}/code/csharp/Cryptography/NonCryptographicHashes.qll (100%)

diff --git a/csharp/ql/src/experimental/Security Features/backdoor/PotentialTimeBomb.ql b/csharp/ql/src/experimental/Security Features/backdoor/PotentialTimeBomb.ql
index 3c83c0145f0..a077a372801 100644
--- a/csharp/ql/src/experimental/Security Features/backdoor/PotentialTimeBomb.ql	
+++ b/csharp/ql/src/experimental/Security Features/backdoor/PotentialTimeBomb.ql	
@@ -1,7 +1,7 @@
 /**
  * @name Potential Timebomb
  * @description Flow from a file last modification date (very likely implant installation time) and an offset to condition statement (the trigger)
- * @kind problem
+ * @kind path-problem
  * @precision Low
  * @problem.severity warning
  * @id cs/backdoor/potential-time-bomb
@@ -11,6 +11,7 @@
 
 import csharp
 import DataFlow
+import DataFlow::PathGraph
 
 /**
  * Class that will help to find the source for the trigger file-modification date.
@@ -121,6 +122,7 @@ private class FlowsFromTimeComparisonCallableToSelectionStatementCondition exten
  * which is then used for a DateTime comparison timeComparisonCall and the result flows to a Selection statement which is likely a TimeBomb trigger
  */
 predicate isPotentialTimeBomb(
+  DataFlow::PathNode pathSource, DataFlow::PathNode pathSink,
   Call getLastWriteTimeMethodCall, Call timeArithmeticCall, Call timeComparisonCall,
   SelectionStmt selStatement
 ) {
@@ -129,6 +131,7 @@ predicate isPotentialTimeBomb(
     DateTimeStruct dateTime, FlowsFromTimeSpanArithmeticToTimeComparisonCallable config2,
     Node sink2, FlowsFromTimeComparisonCallableToSelectionStatementCondition config3, Node sink3
   |
+    pathSource.getNode() = exprNode(getLastWriteTimeMethodCall) and 
     config1.hasFlow(exprNode(getLastWriteTimeMethodCall), sink) and
     timeArithmeticCall = dateTime.getATimeSpanArtithmeticCallable().getACall() and
     timeArithmeticCall.getAChild*() = sink.asExpr() and
@@ -136,17 +139,18 @@ predicate isPotentialTimeBomb(
     timeComparisonCall = dateTime.getAComparisonCallable().getACall() and
     timeComparisonCall.getAnArgument().getAChild*() = sink2.asExpr() and
     config3.hasFlow(exprNode(timeComparisonCall), sink3) and
-    selStatement.getCondition().getAChild*() = sink3.asExpr()
+    selStatement.getCondition().getAChild*() = sink3.asExpr() and
+    pathSink.getNode() = sink3
   )
 }
 
-from
+from DataFlow::PathNode source, DataFlow::PathNode sink,
   Call getLastWriteTimeMethodCall, Call timeArithmeticCall, Call timeComparisonCall,
   SelectionStmt selStatement
 where
-  isPotentialTimeBomb(getLastWriteTimeMethodCall, timeArithmeticCall, timeComparisonCall,
+  isPotentialTimeBomb(source, sink, getLastWriteTimeMethodCall, timeArithmeticCall, timeComparisonCall,
     selStatement)
-select selStatement,
+select selStatement, source, sink, 
   "Possible TimeBomb logic triggered by $@ that takes into account $@ from the $@ as part of the potential trigger.",
   timeComparisonCall, timeComparisonCall.toString(), timeArithmeticCall, "an offset",
   getLastWriteTimeMethodCall, "last modification time of a file"
diff --git a/csharp/ql/src/experimental/Security Features/backdoor/ProcessNameToHashTaintFlow.ql b/csharp/ql/src/experimental/Security Features/backdoor/ProcessNameToHashTaintFlow.ql
index 5b1f8faeaf6..277a6668a2d 100644
--- a/csharp/ql/src/experimental/Security Features/backdoor/ProcessNameToHashTaintFlow.ql	
+++ b/csharp/ql/src/experimental/Security Features/backdoor/ProcessNameToHashTaintFlow.ql	
@@ -12,7 +12,7 @@
 
 import csharp
 import DataFlow
-import microsoft.code.csharp.Cryptography.NonCryptographicHashes
+import experimental.code.csharp.Cryptography.NonCryptographicHashes
 
 class DataFlowFromMethodToHash extends TaintTracking::Configuration {
   DataFlowFromMethodToHash() { this = "DataFlowFromMethodNameToHashFunction" }
diff --git a/csharp/ql/src/experimental/Security Features/campaign/Solorigate/ModifiedFnvFunctionDetection.ql b/csharp/ql/src/experimental/Security Features/campaign/Solorigate/ModifiedFnvFunctionDetection.ql
index a6e5f571ebb..e9f81596e04 100644
--- a/csharp/ql/src/experimental/Security Features/campaign/Solorigate/ModifiedFnvFunctionDetection.ql	
+++ b/csharp/ql/src/experimental/Security Features/campaign/Solorigate/ModifiedFnvFunctionDetection.ql	
@@ -11,7 +11,7 @@
 
 import csharp
 import Solorigate
-import microsoft.code.csharp.Cryptography.NonCryptographicHashes
+import experimental.code.csharp.Cryptography.NonCryptographicHashes
 
 from Variable v, Literal l, LoopStmt loop, Expr additional_xor
 where
diff --git a/csharp/ql/src/microsoft/code/csharp/Cryptography/NonCryptographicHashes.qll b/csharp/ql/src/experimental/code/csharp/Cryptography/NonCryptographicHashes.qll
similarity index 100%
rename from csharp/ql/src/microsoft/code/csharp/Cryptography/NonCryptographicHashes.qll
rename to csharp/ql/src/experimental/code/csharp/Cryptography/NonCryptographicHashes.qll

From 3dc1b81d655d3b34cbfb4878c39c1a5cd8279c26 Mon Sep 17 00:00:00 2001
From: "Raul Garcia (MSFT)" <raul.garcia@microsoft.com>
Date: Thu, 4 Feb 2021 17:54:35 -0800
Subject: [PATCH 203/429] Changing ProcessNameToHash query to path-problem. Any
 additional feedback will be welcomed

---
 .../backdoor/PotentialTimeBomb.ql             | 19 +++++++++----------
 .../backdoor/ProcessNameToHashTaintFlow.ql    | 12 ++++++------
 2 files changed, 15 insertions(+), 16 deletions(-)

diff --git a/csharp/ql/src/experimental/Security Features/backdoor/PotentialTimeBomb.ql b/csharp/ql/src/experimental/Security Features/backdoor/PotentialTimeBomb.ql
index a077a372801..7558a971657 100644
--- a/csharp/ql/src/experimental/Security Features/backdoor/PotentialTimeBomb.ql	
+++ b/csharp/ql/src/experimental/Security Features/backdoor/PotentialTimeBomb.ql	
@@ -122,16 +122,15 @@ private class FlowsFromTimeComparisonCallableToSelectionStatementCondition exten
  * which is then used for a DateTime comparison timeComparisonCall and the result flows to a Selection statement which is likely a TimeBomb trigger
  */
 predicate isPotentialTimeBomb(
-  DataFlow::PathNode pathSource, DataFlow::PathNode pathSink,
-  Call getLastWriteTimeMethodCall, Call timeArithmeticCall, Call timeComparisonCall,
-  SelectionStmt selStatement
+  DataFlow::PathNode pathSource, DataFlow::PathNode pathSink, Call getLastWriteTimeMethodCall,
+  Call timeArithmeticCall, Call timeComparisonCall, SelectionStmt selStatement
 ) {
   exists(
     FlowsFromGetLastWriteTimeConfigToTimeSpanArithmeticCallable config1, Node sink,
     DateTimeStruct dateTime, FlowsFromTimeSpanArithmeticToTimeComparisonCallable config2,
     Node sink2, FlowsFromTimeComparisonCallableToSelectionStatementCondition config3, Node sink3
   |
-    pathSource.getNode() = exprNode(getLastWriteTimeMethodCall) and 
+    pathSource.getNode() = exprNode(getLastWriteTimeMethodCall) and
     config1.hasFlow(exprNode(getLastWriteTimeMethodCall), sink) and
     timeArithmeticCall = dateTime.getATimeSpanArtithmeticCallable().getACall() and
     timeArithmeticCall.getAChild*() = sink.asExpr() and
@@ -144,13 +143,13 @@ predicate isPotentialTimeBomb(
   )
 }
 
-from DataFlow::PathNode source, DataFlow::PathNode sink,
-  Call getLastWriteTimeMethodCall, Call timeArithmeticCall, Call timeComparisonCall,
-  SelectionStmt selStatement
+from
+  DataFlow::PathNode source, DataFlow::PathNode sink, Call getLastWriteTimeMethodCall,
+  Call timeArithmeticCall, Call timeComparisonCall, SelectionStmt selStatement
 where
-  isPotentialTimeBomb(source, sink, getLastWriteTimeMethodCall, timeArithmeticCall, timeComparisonCall,
-    selStatement)
-select selStatement, source, sink, 
+  isPotentialTimeBomb(source, sink, getLastWriteTimeMethodCall, timeArithmeticCall,
+    timeComparisonCall, selStatement)
+select selStatement, source, sink,
   "Possible TimeBomb logic triggered by $@ that takes into account $@ from the $@ as part of the potential trigger.",
   timeComparisonCall, timeComparisonCall.toString(), timeArithmeticCall, "an offset",
   getLastWriteTimeMethodCall, "last modification time of a file"
diff --git a/csharp/ql/src/experimental/Security Features/backdoor/ProcessNameToHashTaintFlow.ql b/csharp/ql/src/experimental/Security Features/backdoor/ProcessNameToHashTaintFlow.ql
index 277a6668a2d..96363bbadff 100644
--- a/csharp/ql/src/experimental/Security Features/backdoor/ProcessNameToHashTaintFlow.ql	
+++ b/csharp/ql/src/experimental/Security Features/backdoor/ProcessNameToHashTaintFlow.ql	
@@ -2,7 +2,7 @@
  * @name ProcessName to hash function flow
  * @description Flow from a function retrieving process name to a hash function
  *              NOTE: This query is an example of a query that may be useful for detecting potential backdoors, and Solorigate is just one such example that uses this mechanism.
- * @kind problem
+ * @kind path-problem
  * @tags security
  *       solorigate
  * @problem.severity warning
@@ -11,7 +11,7 @@
  */
 
 import csharp
-import DataFlow
+import DataFlow::PathGraph
 import experimental.code.csharp.Cryptography.NonCryptographicHashes
 
 class DataFlowFromMethodToHash extends TaintTracking::Configuration {
@@ -49,8 +49,8 @@ predicate isSuspiciousPropertyName(PropertyRead pr) {
   pr.getTarget().getQualifiedName() = "System.Diagnostics.Process.ProcessName"
 }
 
-from Node src, Node sink, DataFlowFromMethodToHash conf
-where conf.hasFlow(src, sink)
-select src,
+from DataFlow::PathNode src, DataFlow::PathNode sink, DataFlowFromMethodToHash conf
+where conf.hasFlow(src.getNode(), sink.getNode())
+select src.getNode(), src, sink,
   "The hash is calculated on the process name $@, may be related to a backdoor. Please review the code for possible malicious intent.",
-  sink, "here"
+  sink.getNode(), "here"

From a416a089b42d6924c9ee81eb9ffee7d3c69e8027 Mon Sep 17 00:00:00 2001
From: Mathias Vorreiter Pedersen <mathiasvp@github.com>
Date: Fri, 5 Feb 2021 09:48:54 +0100
Subject: [PATCH 204/429] Update
 cpp/change-notes/2020-02-04-unsigned-difference-expression-compared-zero.md

Co-authored-by: Jonas Jensen <jbj@github.com>
---
 .../2020-02-04-unsigned-difference-expression-compared-zero.md  | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)

diff --git a/cpp/change-notes/2020-02-04-unsigned-difference-expression-compared-zero.md b/cpp/change-notes/2020-02-04-unsigned-difference-expression-compared-zero.md
index 31f2b035267..d4a6ebafa0c 100644
--- a/cpp/change-notes/2020-02-04-unsigned-difference-expression-compared-zero.md
+++ b/cpp/change-notes/2020-02-04-unsigned-difference-expression-compared-zero.md
@@ -1,2 +1,2 @@
 lgtm
-* A new query (`cpp/unsigned-difference-expression-compared-zero`) has been added. The query finds unsigned subtractions used in relational comparisons with the value 0. This query was originally submitted as an experimental query by @ihsinme in https://github.com/github/codeql/pull/4745.
\ No newline at end of file
+* A new query (`cpp/unsigned-difference-expression-compared-zero`) is run but not yet displayed on LGTM. The query finds unsigned subtractions used in relational comparisons with the value 0. This query was originally submitted as an experimental query by @ihsinme in https://github.com/github/codeql/pull/4745.

From a66743192e72e7f12f7f214c74153d5ad783fc4a Mon Sep 17 00:00:00 2001
From: Taus <tausbn@gmail.com>
Date: Fri, 5 Feb 2021 10:58:47 +0100
Subject: [PATCH 205/429] Python: Fix typo in docs

Co-authored-by: yoff <lerchedahl@gmail.com>
---
 python/ql/src/semmle/python/ApiGraphs.qll | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)

diff --git a/python/ql/src/semmle/python/ApiGraphs.qll b/python/ql/src/semmle/python/ApiGraphs.qll
index 6bacac72c3a..20d5c848a0d 100644
--- a/python/ql/src/semmle/python/ApiGraphs.qll
+++ b/python/ql/src/semmle/python/ApiGraphs.qll
@@ -274,7 +274,7 @@ module API {
      * this node, it is reachable via `moduleImport("foo").getMember("bar").getMember("baz")` and
      * thus `fbb.quux` is reachable via the path mentioned above.
      *
-     * When we see `from foo.bar.baz import quux as fbb` a similar thing happens. First, `foo.bar.baz`
+     * When we see `from foo.bar.baz import quux as fbbq` a similar thing happens. First, `foo.bar.baz`
      * is seen as a use of the API graph node as before. Then `import quux as fbbq` is seen as
      * a member lookup of `quux` on the API graph node for `foo.bar.baz`, and then finally the
      * data-flow node `fbbq` is marked as a use of the same path mentioned above.

From 55b0dbd7b89a2c10b4bc779dbc20e4661fa8e4db Mon Sep 17 00:00:00 2001
From: Geoffrey White <40627776+geoffw0@users.noreply.github.com>
Date: Fri, 5 Feb 2021 10:02:31 +0000
Subject: [PATCH 206/429] C++: Autoformat.

---
 cpp/ql/src/semmle/code/cpp/Specifier.qll | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)

diff --git a/cpp/ql/src/semmle/code/cpp/Specifier.qll b/cpp/ql/src/semmle/code/cpp/Specifier.qll
index 8331d0dfacc..1c1eb0c090a 100644
--- a/cpp/ql/src/semmle/code/cpp/Specifier.qll
+++ b/cpp/ql/src/semmle/code/cpp/Specifier.qll
@@ -207,7 +207,7 @@ class AlignAs extends Attribute, @alignas {
  * A GNU `format` attribute of the form `__attribute__((format(archetype, format-index, first-arg)))`
  * that declares a function to accept a `printf` style format string.  For example the attribute
  * on the following declaration:
- * ``` 
+ * ```
  * int myPrintf(const char *format, ...) __attribute__((format(printf, 1, 2)));
  * ```
  */

From 6c8dfb253d8e356b86c8a2354dae273a8bcfa5ac Mon Sep 17 00:00:00 2001
From: Taus <tausbn@gmail.com>
Date: Fri, 5 Feb 2021 12:42:41 +0100
Subject: [PATCH 207/429] Python: Use `flowsTo` instead of `hasLocalSource`

Co-authored-by: yoff <lerchedahl@gmail.com>
---
 .../python/dataflow/new/internal/DataFlowPublic.qll       | 8 ++++----
 1 file changed, 4 insertions(+), 4 deletions(-)

diff --git a/python/ql/src/semmle/python/dataflow/new/internal/DataFlowPublic.qll b/python/ql/src/semmle/python/dataflow/new/internal/DataFlowPublic.qll
index dcc175276f8..19677566be9 100644
--- a/python/ql/src/semmle/python/dataflow/new/internal/DataFlowPublic.qll
+++ b/python/ql/src/semmle/python/dataflow/new/internal/DataFlowPublic.qll
@@ -451,7 +451,7 @@ class LocalSourceNode extends Node {
   }
 
   /** Holds if this `LocalSourceNode` can flow to `nodeTo` in one or more local flow steps. */
-  cached
+  pragma[inline]
   predicate flowsTo(Node nodeTo) { Cached::hasLocalSource(nodeTo, this) }
 
   /**
@@ -509,7 +509,7 @@ private module Cached {
    */
   cached
   predicate namedAttrRef(LocalSourceNode base, string attr, AttrRef ref) {
-    hasLocalSource(ref.getObject(), base) and
+    base.flowsTo(ref.getObject()) and
     ref.getAttributeName() = attr
   }
 
@@ -518,7 +518,7 @@ private module Cached {
    */
   cached
   predicate dynamicAttrRef(LocalSourceNode base, AttrRef ref) {
-    hasLocalSource(ref.getObject(), base) and
+    base.flowsTo(ref.getObject()) and
     not exists(ref.getAttributeName())
   }
 
@@ -530,7 +530,7 @@ private module Cached {
     exists(CfgNode n, CallNode call_node |
       call.asCfgNode() = call_node and n.asCfgNode() = call_node.getFunction()
     |
-      hasLocalSource(n, func)
+      func.flowsTo(n)
     )
   }
 }

From 78cb53449d9f6c3a5c72ecd29796264c4f516bbd Mon Sep 17 00:00:00 2001
From: Taus Brock-Nannestad <tausbn@github.com>
Date: Fri, 5 Feb 2021 12:47:26 +0100
Subject: [PATCH 208/429] Python: Slight cleanup of `Cached::call`

Makes it more similar to the other functions in this module.
---
 .../semmle/python/dataflow/new/internal/DataFlowPublic.qll | 7 +++----
 1 file changed, 3 insertions(+), 4 deletions(-)

diff --git a/python/ql/src/semmle/python/dataflow/new/internal/DataFlowPublic.qll b/python/ql/src/semmle/python/dataflow/new/internal/DataFlowPublic.qll
index 19677566be9..f2519192f27 100644
--- a/python/ql/src/semmle/python/dataflow/new/internal/DataFlowPublic.qll
+++ b/python/ql/src/semmle/python/dataflow/new/internal/DataFlowPublic.qll
@@ -527,10 +527,9 @@ private module Cached {
    */
   cached
   predicate call(LocalSourceNode func, Node call) {
-    exists(CfgNode n, CallNode call_node |
-      call.asCfgNode() = call_node and n.asCfgNode() = call_node.getFunction()
-    |
-      func.flowsTo(n)
+    exists(CfgNode n |
+      func.flowsTo(n) and
+      n.asCfgNode() = call.asCfgNode().(CallNode).getFunction()
     )
   }
 }

From 5f17fa83663a53ae1da5339a760cfc4f8e17b506 Mon Sep 17 00:00:00 2001
From: Shati Patel <42641846+shati-patel@users.noreply.github.com>
Date: Thu, 21 Jan 2021 15:26:05 +0000
Subject: [PATCH 209/429] Docs: Add outline for CWE coverage page

---
 docs/codeql/query-help/codeql-cwe-coverage.md | 25 +++++++++++++++++++
 docs/codeql/query-help/conf.py                |  5 +++-
 docs/codeql/query-help/index.rst              |  4 +++
 3 files changed, 33 insertions(+), 1 deletion(-)
 create mode 100644 docs/codeql/query-help/codeql-cwe-coverage.md

diff --git a/docs/codeql/query-help/codeql-cwe-coverage.md b/docs/codeql/query-help/codeql-cwe-coverage.md
new file mode 100644
index 00000000000..245318a5258
--- /dev/null
+++ b/docs/codeql/query-help/codeql-cwe-coverage.md
@@ -0,0 +1,25 @@
+# CodeQL CWE coverage
+
+An overview of the coverage of MITRE's Common Weakness Enumeration (CWE) for the latest release of CodeQL.
+
+## About CWEs
+
+The CWE categorization contains several types of entity, collectively known as CWEs. The CWEs that we consider in this report are only those of the types:
+
+- Weakness Class
+- Weakness Base
+- Weakness Variant
+- Compound Element
+
+Other types of CWE do not correspond directly to weaknesses, so are omitted.
+
+The CWE categorization includes relationships between entities, in particular a parent-child relationship.
+These relationships are associated with Views (another kind of CWE entity). For the purposes of coverage claims, we use the "[Research View](https://cwe.mitre.org/data/definitions/1000.html)."
+
+Every security query is associated with one or more CWEs, which are the most precise CWEs that are covered by that query.
+Overall coverage is claimed for the most-precise CWEs, as well as for any of their ancestors in the View.
+
+## Overview
+
+<!-- autogenerated CWE coverage table will be added below -->
+
diff --git a/docs/codeql/query-help/conf.py b/docs/codeql/query-help/conf.py
index 0016a489f07..f3d4090f952 100644
--- a/docs/codeql/query-help/conf.py
+++ b/docs/codeql/query-help/conf.py
@@ -23,7 +23,10 @@ master_doc = 'index'
 project = u'CodeQL query help'
 
 # Add md parser to process query help markdown files 
-extensions =['recommonmark']
+extensions = [
+    'recommonmark',
+    'sphinx_markdown_tables',
+]
 
 source_suffix = {
     '.rst': 'restructuredtext',
diff --git a/docs/codeql/query-help/index.rst b/docs/codeql/query-help/index.rst
index 5c523650d70..10e4b0dff20 100644
--- a/docs/codeql/query-help/index.rst
+++ b/docs/codeql/query-help/index.rst
@@ -20,6 +20,9 @@ View the query help for the queries included in the ``code-scanning``, ``securit
    - A link to the query in the `CodeQL repository <https://github.com/github/codeql>`__.
    - A description of the potential vulnerability that the query identifies and a recommendation for how to avoid introducing the problem to your code.
 
+
+For a full list of the CWEs covered by these queries, see ":doc:`CodeQL CWE coverage <codeql-cwe-coverage>`." 
+
 .. toctree::
    :hidden:
    :titlesonly:
@@ -30,4 +33,5 @@ View the query help for the queries included in the ``code-scanning``, ``securit
    java
    javascript
    python
+   codeql-cwe-coverage
    

From 6a46be23798e70b508ad7cbe0567c0c0f9657460 Mon Sep 17 00:00:00 2001
From: Shati Patel <42641846+shati-patel@users.noreply.github.com>
Date: Mon, 1 Feb 2021 16:17:44 +0000
Subject: [PATCH 210/429] Install sphinx extension for building markdown tables

---
 .github/workflows/generate-query-help-docs.yml | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)

diff --git a/.github/workflows/generate-query-help-docs.yml b/.github/workflows/generate-query-help-docs.yml
index 031bf97e728..e3af19c6dea 100644
--- a/.github/workflows/generate-query-help-docs.yml
+++ b/.github/workflows/generate-query-help-docs.yml
@@ -50,7 +50,7 @@ jobs:
       uses: ammaraskar/sphinx-action@8b4f60114d7fd1faeba1a712269168508d4750d2 # v0.4
       with:
         docs-folder: "query-help/"
-        pre-build-command: "python -m pip install --upgrade recommonmark"
+        pre-build-command: "python -m pip install --upgrade recommonmark && python -m pip install --upgrade sphinx-markdown-tables"
         build-command: "sphinx-build -b dirhtml . _build" 
     - name: Upload HTML artifacts
       uses: actions/upload-artifact@v2

From b39cbf82c6982c4727c957720c427a7ee3215afa Mon Sep 17 00:00:00 2001
From: Taus Brock-Nannestad <tausbn@github.com>
Date: Fri, 5 Feb 2021 14:41:42 +0100
Subject: [PATCH 211/429] Python: Port Flask models to use API graphs

Most of the type trackers in this model were easily replaceable with
uses of the API graph, but the ones for tracking subclasses are
problematic, as these take us out of the API graph.
---
 .../ql/src/semmle/python/frameworks/Flask.qll | 241 ++----------------
 1 file changed, 27 insertions(+), 214 deletions(-)

diff --git a/python/ql/src/semmle/python/frameworks/Flask.qll b/python/ql/src/semmle/python/frameworks/Flask.qll
index 68f81e32ceb..ecfdf2d5981 100644
--- a/python/ql/src/semmle/python/frameworks/Flask.qll
+++ b/python/ql/src/semmle/python/frameworks/Flask.qll
@@ -9,6 +9,7 @@ private import semmle.python.dataflow.new.RemoteFlowSources
 private import semmle.python.dataflow.new.TaintTracking
 private import semmle.python.Concepts
 private import semmle.python.frameworks.Werkzeug
+private import semmle.python.ApiGraphs
 
 /**
  * Provides models for the `flask` PyPI package.
@@ -19,62 +20,20 @@ private module FlaskModel {
   // flask
   // ---------------------------------------------------------------------------
   /** Gets a reference to the `flask` module. */
-  private DataFlow::Node flask(DataFlow::TypeTracker t) {
-    t.start() and
-    result = DataFlow::importNode("flask")
-    or
-    exists(DataFlow::TypeTracker t2 | result = flask(t2).track(t2, t))
-  }
-
-  /** Gets a reference to the `flask` module. */
-  DataFlow::Node flask() { result = flask(DataFlow::TypeTracker::end()) }
+  API::Node flask() { result = API::moduleImport("flask") }
 
   /**
    * Gets a reference to the attribute `attr_name` of the `flask` module.
-   * WARNING: Only holds for a few predefined attributes.
    */
-  private DataFlow::Node flask_attr(DataFlow::TypeTracker t, string attr_name) {
-    attr_name in ["request", "make_response", "Response", "views"] and
-    (
-      t.start() and
-      result = DataFlow::importNode("flask" + "." + attr_name)
-      or
-      t.startInAttr(attr_name) and
-      result = flask()
-    )
-    or
-    // Due to bad performance when using normal setup with `flask_attr(t2, attr_name).track(t2, t)`
-    // we have inlined that code and forced a join
-    exists(DataFlow::TypeTracker t2 |
-      exists(DataFlow::StepSummary summary |
-        flask_attr_first_join(t2, attr_name, result, summary) and
-        t = t2.append(summary)
-      )
-    )
-  }
-
-  pragma[nomagic]
-  private predicate flask_attr_first_join(
-    DataFlow::TypeTracker t2, string attr_name, DataFlow::Node res, DataFlow::StepSummary summary
-  ) {
-    DataFlow::StepSummary::step(flask_attr(t2, attr_name), res, summary)
-  }
-
-  /**
-   * Gets a reference to the attribute `attr_name` of the `flask` module.
-   * WARNING: Only holds for a few predefined attributes.
-   */
-  private DataFlow::Node flask_attr(string attr_name) {
-    result = flask_attr(DataFlow::TypeTracker::end(), attr_name)
-  }
+  private API::Node flask_attr(string attr_name) { result = flask().getMember(attr_name) }
 
   /** Provides models for the `flask` module. */
   module flask {
     /** Gets a reference to the `flask.request` object. */
-    DataFlow::Node request() { result = flask_attr("request") }
+    API::Node request() { result = flask_attr("request") }
 
     /** Gets a reference to the `flask.make_response` function. */
-    DataFlow::Node make_response() { result = flask_attr("make_response") }
+    DataFlow::Node make_response() { result = flask_attr("make_response").getAUse() }
 
     /**
      * Provides models for the `flask.Flask` class
@@ -83,157 +42,49 @@ private module FlaskModel {
      */
     module Flask {
       /** Gets a reference to the `flask.Flask` class. */
-      private DataFlow::Node classRef(DataFlow::TypeTracker t) {
-        t.start() and
-        result = DataFlow::importNode("flask.Flask")
-        or
-        t.startInAttr("Flask") and
-        result = flask()
-        or
-        exists(DataFlow::TypeTracker t2 | result = classRef(t2).track(t2, t))
-      }
-
-      /** Gets a reference to the `flask.Flask` class. */
-      DataFlow::Node classRef() { result = classRef(DataFlow::TypeTracker::end()) }
-
-      /**
-       * A source of instances of `flask.Flask`, extend this class to model new instances.
-       *
-       * This can include instantiations of the class, return values from function
-       * calls, or a special parameter that will be set when functions are called by an external
-       * library.
-       *
-       * Use the predicate `Flask::instance()` to get references to instances of `flask.Flask`.
-       */
-      abstract class InstanceSource extends DataFlow::Node { }
-
-      /** A direct instantiation of `flask.Flask`. */
-      private class ClassInstantiation extends InstanceSource, DataFlow::CfgNode {
-        override CallNode node;
-
-        ClassInstantiation() { node.getFunction() = classRef().asCfgNode() }
-      }
+      API::Node classRef() { result = flask().getMember("Flask") }
 
       /** Gets a reference to an instance of `flask.Flask` (a flask application). */
-      private DataFlow::Node instance(DataFlow::TypeTracker t) {
-        t.start() and
-        result instanceof InstanceSource
-        or
-        exists(DataFlow::TypeTracker t2 | result = instance(t2).track(t2, t))
-      }
-
-      /** Gets a reference to an instance of `flask.Flask` (a flask application). */
-      DataFlow::Node instance() { result = instance(DataFlow::TypeTracker::end()) }
+      API::Node instance() { result = classRef().getReturn() }
 
       /**
        * Gets a reference to the attribute `attr_name` of an instance of `flask.Flask` (a flask application).
-       * WARNING: Only holds for a few predefined attributes.
        */
-      private DataFlow::Node instance_attr(DataFlow::TypeTracker t, string attr_name) {
-        attr_name in ["route", "add_url_rule", "make_response"] and
-        t.startInAttr(attr_name) and
-        result = flask::Flask::instance()
-        or
-        // Due to bad performance when using normal setup with `instance_attr(t2, attr_name).track(t2, t)`
-        // we have inlined that code and forced a join
-        exists(DataFlow::TypeTracker t2 |
-          exists(DataFlow::StepSummary summary |
-            instance_attr_first_join(t2, attr_name, result, summary) and
-            t = t2.append(summary)
-          )
-        )
-      }
-
-      pragma[nomagic]
-      private predicate instance_attr_first_join(
-        DataFlow::TypeTracker t2, string attr_name, DataFlow::Node res,
-        DataFlow::StepSummary summary
-      ) {
-        DataFlow::StepSummary::step(instance_attr(t2, attr_name), res, summary)
-      }
-
-      /**
-       * Gets a reference to the attribute `attr_name` of an instance of `flask.Flask` (a flask application).
-       * WARNING: Only holds for a few predefined attributes.
-       */
-      private DataFlow::Node instance_attr(string attr_name) {
-        result = instance_attr(DataFlow::TypeTracker::end(), attr_name)
-      }
+      private API::Node instance_attr(string attr_name) { result = instance().getMember(attr_name) }
 
       /** Gets a reference to the `route` method on an instance of `flask.Flask`. */
-      DataFlow::Node route() { result = instance_attr("route") }
+      API::Node route() { result = instance_attr("route") }
 
       /** Gets a reference to the `add_url_rule` method on an instance of `flask.Flask`. */
-      DataFlow::Node add_url_rule() { result = instance_attr("add_url_rule") }
+      API::Node add_url_rule() { result = instance_attr("add_url_rule") }
 
       /** Gets a reference to the `make_response` method on an instance of `flask.Flask`. */
       // HACK: We can't call this predicate `make_response` since shadowing is
       // completely disallowed in QL. I added an underscore to move things forward for
       // now :(
-      DataFlow::Node make_response_() { result = instance_attr("make_response") }
-
-      /** Gets a reference to the `response_class` attribute on the `flask.Flask` class or an instance. */
-      private DataFlow::Node response_class(DataFlow::TypeTracker t) {
-        t.startInAttr("response_class") and
-        result in [classRef(), instance()]
-        or
-        exists(DataFlow::TypeTracker t2 | result = response_class(t2).track(t2, t))
-      }
+      API::Node make_response_() { result = instance_attr("make_response") }
 
       /**
        * Gets a reference to the `response_class` attribute on the `flask.Flask` class or an instance.
        *
        * See https://flask.palletsprojects.com/en/1.1.x/api/#flask.Flask.response_class
        */
-      DataFlow::Node response_class() { result = response_class(DataFlow::TypeTracker::end()) }
+      API::Node response_class() { result = [classRef(), instance()].getMember("response_class") }
     }
 
     // -------------------------------------------------------------------------
     // flask.views
     // -------------------------------------------------------------------------
     /** Gets a reference to the `flask.views` module. */
-    DataFlow::Node views() { result = flask_attr("views") }
+    DataFlow::Node views() { result = flask_attr("views").getAUse() }
 
     /** Provides models for the `flask.views` module */
     module views {
       /**
        * Gets a reference to the attribute `attr_name` of the `flask.views` module.
-       * WARNING: Only holds for a few predefined attributes.
-       */
-      private DataFlow::Node views_attr(DataFlow::TypeTracker t, string attr_name) {
-        attr_name in ["View", "MethodView"] and
-        (
-          t.start() and
-          result = DataFlow::importNode("flask.views" + "." + attr_name)
-          or
-          t.startInAttr(attr_name) and
-          result = views()
-        )
-        or
-        // Due to bad performance when using normal setup with `views_attr(t2, attr_name).track(t2, t)`
-        // we have inlined that code and forced a join
-        exists(DataFlow::TypeTracker t2 |
-          exists(DataFlow::StepSummary summary |
-            views_attr_first_join(t2, attr_name, result, summary) and
-            t = t2.append(summary)
-          )
-        )
-      }
-
-      pragma[nomagic]
-      private predicate views_attr_first_join(
-        DataFlow::TypeTracker t2, string attr_name, DataFlow::Node res,
-        DataFlow::StepSummary summary
-      ) {
-        DataFlow::StepSummary::step(views_attr(t2, attr_name), res, summary)
-      }
-
-      /**
-       * Gets a reference to the attribute `attr_name` of the `flask.views` module.
-       * WARNING: Only holds for a few predefined attributes.
        */
       private DataFlow::Node views_attr(string attr_name) {
-        result = views_attr(DataFlow::TypeTracker::end(), attr_name)
+        result = flask().getMember("views").getMember(attr_name).getAUse()
       }
 
       /**
@@ -287,15 +138,7 @@ private module FlaskModel {
    */
   module Response {
     /** Gets a reference to the `flask.Response` class. */
-    private DataFlow::Node classRef(DataFlow::TypeTracker t) {
-      t.start() and
-      result in [flask_attr("Response"), flask::Flask::response_class()]
-      or
-      exists(DataFlow::TypeTracker t2 | result = classRef(t2).track(t2, t))
-    }
-
-    /** Gets a reference to the `flask.Response` class. */
-    DataFlow::Node classRef() { result = classRef(DataFlow::TypeTracker::end()) }
+    API::Node classRef() { result = [flask_attr("Response"), flask::Flask::response_class()] }
 
     /**
      * A source of instances of `flask.Response`, extend this class to model new instances.
@@ -312,7 +155,7 @@ private module FlaskModel {
     private class ClassInstantiation extends InstanceSource, DataFlow::CfgNode {
       override CallNode node;
 
-      ClassInstantiation() { node.getFunction() = classRef().asCfgNode() }
+      ClassInstantiation() { node.getFunction() = classRef().getAUse().asCfgNode() }
 
       override DataFlow::Node getBody() { result.asCfgNode() = node.getArg(0) }
 
@@ -338,15 +181,7 @@ private module FlaskModel {
     }
 
     /** Gets a reference to an instance of `flask.Response`. */
-    private DataFlow::Node instance(DataFlow::TypeTracker t) {
-      t.start() and
-      result instanceof InstanceSource
-      or
-      exists(DataFlow::TypeTracker t2 | result = instance(t2).track(t2, t))
-    }
-
-    /** Gets a reference to an instance of `flask.Response`. */
-    DataFlow::Node instance() { result = instance(DataFlow::TypeTracker::end()) }
+    API::Node instance() { result = classRef().getReturn() }
   }
 
   // ---------------------------------------------------------------------------
@@ -445,7 +280,7 @@ private module FlaskModel {
   private class FlaskAppRouteCall extends FlaskRouteSetup, DataFlow::CfgNode {
     override CallNode node;
 
-    FlaskAppRouteCall() { node.getFunction() = flask::Flask::route().asCfgNode() }
+    FlaskAppRouteCall() { node.getFunction() = flask::Flask::route().getAUse().asCfgNode() }
 
     override DataFlow::Node getUrlPatternArg() {
       result.asCfgNode() in [node.getArg(0), node.getArgByName("rule")]
@@ -462,7 +297,9 @@ private module FlaskModel {
   private class FlaskAppAddUrlRuleCall extends FlaskRouteSetup, DataFlow::CfgNode {
     override CallNode node;
 
-    FlaskAppAddUrlRuleCall() { node.getFunction() = flask::Flask::add_url_rule().asCfgNode() }
+    FlaskAppAddUrlRuleCall() {
+      node.getFunction() = flask::Flask::add_url_rule().getAUse().asCfgNode()
+    }
 
     override DataFlow::Node getUrlPatternArg() {
       result.asCfgNode() in [node.getArg(0), node.getArgByName("rule")]
@@ -511,41 +348,16 @@ private module FlaskModel {
    * See https://flask.palletsprojects.com/en/1.1.x/api/#flask.Request
    */
   private class RequestSource extends RemoteFlowSource::Range {
-    RequestSource() { this = flask::request() }
+    RequestSource() { this = flask::request().getAUse() }
 
     override string getSourceType() { result = "flask.request" }
   }
 
   private module FlaskRequestTracking {
-    /** Gets a reference to the `get_data` attribute of a Flask request. */
-    private DataFlow::Node get_data(DataFlow::TypeTracker t) {
-      t.startInAttr("get_data") and
-      result = flask::request()
-      or
-      exists(DataFlow::TypeTracker t2 | result = get_data(t2).track(t2, t))
-    }
-
-    /** Gets a reference to the `get_data` attribute of a Flask request. */
-    DataFlow::Node get_data() { result = get_data(DataFlow::TypeTracker::end()) }
-
-    /** Gets a reference to the `get_json` attribute of a Flask request. */
-    private DataFlow::Node get_json(DataFlow::TypeTracker t) {
-      t.startInAttr("get_json") and
-      result = flask::request()
-      or
-      exists(DataFlow::TypeTracker t2 | result = get_json(t2).track(t2, t))
-    }
-
-    /** Gets a reference to the `get_json` attribute of a Flask request. */
-    DataFlow::Node get_json() { result = get_json(DataFlow::TypeTracker::end()) }
-
     /** Gets a reference to either of the `get_json` or `get_data` attributes of a Flask request. */
     DataFlow::Node tainted_methods(string attr_name) {
-      result = get_data() and
-      attr_name = "get_data"
-      or
-      result = get_json() and
-      attr_name = "get_json"
+      attr_name in ["get_data", "get_json"] and
+      result = flask::request().getMember(attr_name).getAUse()
     }
   }
 
@@ -560,7 +372,8 @@ private module FlaskModel {
     RequestInputAccess() {
       // attributes
       exists(AttrNode attr |
-        this.asCfgNode() = attr and attr.getObject(attr_name) = flask::request().asCfgNode()
+        this.asCfgNode() = attr and
+        attr.getObject(attr_name) = flask::request().getAUse().asCfgNode()
       |
         attr_name in [
             // str
@@ -645,7 +458,7 @@ private module FlaskModel {
     FlaskMakeResponseCall() {
       node.getFunction() = flask::make_response().asCfgNode()
       or
-      node.getFunction() = flask::Flask::make_response_().asCfgNode()
+      node.getFunction() = flask::Flask::make_response_().getAUse().asCfgNode()
     }
 
     override DataFlow::Node getBody() { result.asCfgNode() = node.getArg(0) }

From ef600575cace741e796cf7c8fdcc33a45e7a52c1 Mon Sep 17 00:00:00 2001
From: Taus Brock-Nannestad <tausbn@github.com>
Date: Fri, 5 Feb 2021 16:51:29 +0100
Subject: [PATCH 212/429] Python: Add API graph support for subclasses

---
 python/ql/src/semmle/python/ApiGraphs.qll       | 13 +++++++++++++
 .../experimental/dataflow/ApiGraphs/test.py     | 17 +++++++++++++++++
 2 files changed, 30 insertions(+)

diff --git a/python/ql/src/semmle/python/ApiGraphs.qll b/python/ql/src/semmle/python/ApiGraphs.qll
index 20d5c848a0d..8f48be66650 100644
--- a/python/ql/src/semmle/python/ApiGraphs.qll
+++ b/python/ql/src/semmle/python/ApiGraphs.qll
@@ -92,6 +92,11 @@ module API {
      */
     Node getReturn() { result = getASuccessor(Label::return()) }
 
+    /**
+     * Gets a node representing a subclass of the class represented by this node.
+     */
+    Node getASubclass() { result = getASuccessor(Label::subclass()) }
+
     /**
      * Gets a string representation of the lexicographically least among all shortest access paths
      * from the root to this node.
@@ -358,6 +363,12 @@ module API {
         // Calling a node that is a use of `base`
         lbl = Label::return() and
         ref = pred.getACall()
+        or
+        // Subclassing a node
+        lbl = Label::subclass() and
+        exists(DataFlow::Node superclass | pred.flowsTo(superclass) |
+          ref.asExpr().(ClassExpr).getABase() = superclass.asExpr()
+        )
       )
     }
 
@@ -468,4 +479,6 @@ private module Label {
 
   /** Gets the `return` edge label. */
   string return() { result = "getReturn()" }
+
+  string subclass() { result = "getASubclass()" }
 }
diff --git a/python/ql/test/experimental/dataflow/ApiGraphs/test.py b/python/ql/test/experimental/dataflow/ApiGraphs/test.py
index b250c7985e2..8849253b477 100644
--- a/python/ql/test/experimental/dataflow/ApiGraphs/test.py
+++ b/python/ql/test/experimental/dataflow/ApiGraphs/test.py
@@ -79,3 +79,20 @@ def f():
 from unknown import * #$ use=moduleImport("unknown")
 
 hello() #$ MISSING: use=moduleImport("unknown").getMember("hello").getReturn()
+
+
+# Subclasses
+
+from flask.views import View #$ use=moduleImport("flask").getMember("views").getMember("View")
+
+class MyView(View): #$ use=moduleImport("flask").getMember("views").getMember("View").getASubclass()
+    pass
+
+instance = MyView() #$ use=moduleImport("flask").getMember("views").getMember("View").getASubclass().getReturn()
+
+def internal():
+    from pflask.views import View #$ use=moduleImport("pflask").getMember("views").getMember("View")
+    class IntMyView(View): #$ use=moduleImport("pflask").getMember("views").getMember("View").getASubclass()
+        pass
+
+    int_instance = IntMyView() #$ use=moduleImport("pflask").getMember("views").getMember("View").getASubclass().getReturn()

From 681e6a9303d6ce3f98fd4ebc8c7c02e434c1da8e Mon Sep 17 00:00:00 2001
From: "Raul Garcia (MSFT)" <raul.garcia@microsoft.com>
Date: Fri, 5 Feb 2021 09:02:59 -0800
Subject: [PATCH 213/429] Adding Solorigate context for the generic backdoor
 queries.

---
 .../backdoor/DangerousNativeFunctionCall.qhelp              | 6 ++++++
 .../Security Features/backdoor/PotentialTimeBomb.qhelp      | 6 ++++++
 .../backdoor/ProcessNameToHashTaintFlow.qhelp               | 6 ++++++
 3 files changed, 18 insertions(+)

diff --git a/csharp/ql/src/experimental/Security Features/backdoor/DangerousNativeFunctionCall.qhelp b/csharp/ql/src/experimental/Security Features/backdoor/DangerousNativeFunctionCall.qhelp
index 8d1aff62988..75bd300601e 100644
--- a/csharp/ql/src/experimental/Security Features/backdoor/DangerousNativeFunctionCall.qhelp	
+++ b/csharp/ql/src/experimental/Security Features/backdoor/DangerousNativeFunctionCall.qhelp	
@@ -5,4 +5,10 @@
   <overview>
     <p>This query finds native calls to external functions that are often used in creating backdoors or are generally attributed to unsafe code practices.</p>
   </overview>
+
+  <recommendation>
+    <p>Any findings from this rules is only intended to indicate suspicious code that shares similarities with known portions of code used for the Solorigate attack, but no certainty that the code is related or part of any attack.</p>
+    <p>For more information about Solorigate, please visit https://aka.ms/solorigate. </p>
+  </recommendation>
+
 </qhelp>
\ No newline at end of file
diff --git a/csharp/ql/src/experimental/Security Features/backdoor/PotentialTimeBomb.qhelp b/csharp/ql/src/experimental/Security Features/backdoor/PotentialTimeBomb.qhelp
index 32f0e200c15..c9cecee8374 100644
--- a/csharp/ql/src/experimental/Security Features/backdoor/PotentialTimeBomb.qhelp	
+++ b/csharp/ql/src/experimental/Security Features/backdoor/PotentialTimeBomb.qhelp	
@@ -5,4 +5,10 @@
   <overview>
     <p>This query finds if there exists a DataFlow from a file last modification date (very likely implant installation time) and an offset to a condition statement (the trigger) that controls code execution.</p>
   </overview>
+
+  <recommendation>
+    <p>Any findings from this rules is only intended to indicate suspicious code that shares similarities with known portions of code used for the Solorigate attack, but no certainty that the code is related or part of any attack.</p>
+    <p>For more information about Solorigate, please visit https://aka.ms/solorigate. </p>
+  </recommendation>
+
 </qhelp>
\ No newline at end of file
diff --git a/csharp/ql/src/experimental/Security Features/backdoor/ProcessNameToHashTaintFlow.qhelp b/csharp/ql/src/experimental/Security Features/backdoor/ProcessNameToHashTaintFlow.qhelp
index 7281ddb28bb..12eb83191ac 100644
--- a/csharp/ql/src/experimental/Security Features/backdoor/ProcessNameToHashTaintFlow.qhelp	
+++ b/csharp/ql/src/experimental/Security Features/backdoor/ProcessNameToHashTaintFlow.qhelp	
@@ -6,4 +6,10 @@
     <p>This query detects code flow from ProcessName property on the Process class into a hash function.</p>
     <p>Such flow is often used in code backdoors to detect runnig processes and compare them to an obfuscated list of antivirus processes to aviod detection.</p>
   </overview>
+
+  <recommendation>
+    <p>Any findings from this rules is only intended to indicate suspicious code that shares similarities with known portions of code used for the Solorigate attack, but no certainty that the code is related or part of any attack.</p>
+    <p>For more information about Solorigate, please visit https://aka.ms/solorigate. </p>
+  </recommendation>
+
 </qhelp>
\ No newline at end of file

From d48a713f3079e1a6805d95dfc04ead6a8881d674 Mon Sep 17 00:00:00 2001
From: "Raul Garcia (MSFT)" <raul.garcia@microsoft.com>
Date: Fri, 5 Feb 2021 09:27:08 -0800
Subject: [PATCH 214/429] Fixing cutom edges predicate

---
 .../backdoor/PotentialTimeBomb.ql             | 27 ++++++++++++++++++-
 1 file changed, 26 insertions(+), 1 deletion(-)

diff --git a/csharp/ql/src/experimental/Security Features/backdoor/PotentialTimeBomb.ql b/csharp/ql/src/experimental/Security Features/backdoor/PotentialTimeBomb.ql
index 7558a971657..332df2d2a28 100644
--- a/csharp/ql/src/experimental/Security Features/backdoor/PotentialTimeBomb.ql	
+++ b/csharp/ql/src/experimental/Security Features/backdoor/PotentialTimeBomb.ql	
@@ -11,7 +11,32 @@
 
 import csharp
 import DataFlow
-import DataFlow::PathGraph
+
+query predicate nodes = PathGraph::nodes/3;
+
+query predicate edges(DataFlow::PathNode a, DataFlow::PathNode b) {
+  PathGraph::edges(a, b)
+  or
+  exists(
+    FlowsFromGetLastWriteTimeConfigToTimeSpanArithmeticCallable conf1,
+    FlowsFromTimeSpanArithmeticToTimeComparisonCallable conf2
+  |
+    conf1 = a.getConfiguration() and
+    conf1.isSink(a.getNode()) and
+    conf2 = b.getConfiguration() and
+    b.isSource()
+  )
+  or
+  exists(
+    FlowsFromTimeSpanArithmeticToTimeComparisonCallable conf1,
+    FlowsFromTimeComparisonCallableToSelectionStatementCondition conf2
+  |
+    conf1 = a.getConfiguration() and
+    conf1.isSink(a.getNode()) and
+    conf2 = b.getConfiguration() and
+    b.isSource()
+  )
+}
 
 /**
  * Class that will help to find the source for the trigger file-modification date.

From 7f3c6acd086e18cfabfb083debc4718470e7b496 Mon Sep 17 00:00:00 2001
From: Taus Brock-Nannestad <tausbn@github.com>
Date: Fri, 5 Feb 2021 21:54:35 +0100
Subject: [PATCH 215/429] Python: Handle class attribute references in API
 graph

This is slightly dubious, and should really be in the currently
unimplemented "def" counterpart to the "use" bits we already have.

However, it seems to work correctly, and in the spirit of moving
things along, this seemed like the easier solution. We can always
replace the implementation with the "proper" approach at a later point.
---
 python/ql/src/semmle/python/ApiGraphs.qll              | 4 ++--
 python/ql/test/experimental/dataflow/ApiGraphs/test.py | 8 ++++++--
 2 files changed, 8 insertions(+), 4 deletions(-)

diff --git a/python/ql/src/semmle/python/ApiGraphs.qll b/python/ql/src/semmle/python/ApiGraphs.qll
index 8f48be66650..3169592c8b2 100644
--- a/python/ql/src/semmle/python/ApiGraphs.qll
+++ b/python/ql/src/semmle/python/ApiGraphs.qll
@@ -356,9 +356,9 @@ module API {
         // the relationship between `pred` and `ref`.
         use(base, src) and pred = trackUseNode(src)
       |
-        // Reading an attribute on a node that is a use of `base`:
+        // Referring to an attribute on a node that is a use of `base`:
         lbl = Label::memberFromRef(ref) and
-        ref = pred.getAnAttributeRead()
+        ref = pred.getAnAttributeReference()
         or
         // Calling a node that is a use of `base`
         lbl = Label::return() and
diff --git a/python/ql/test/experimental/dataflow/ApiGraphs/test.py b/python/ql/test/experimental/dataflow/ApiGraphs/test.py
index 8849253b477..179f0f522df 100644
--- a/python/ql/test/experimental/dataflow/ApiGraphs/test.py
+++ b/python/ql/test/experimental/dataflow/ApiGraphs/test.py
@@ -86,13 +86,17 @@ hello() #$ MISSING: use=moduleImport("unknown").getMember("hello").getReturn()
 from flask.views import View #$ use=moduleImport("flask").getMember("views").getMember("View")
 
 class MyView(View): #$ use=moduleImport("flask").getMember("views").getMember("View").getASubclass()
-    pass
+    myvar = 45 #$ use=moduleImport("flask").getMember("views").getMember("View").getASubclass().getMember("myvar")
+    def my_method(self): #$ use=moduleImport("flask").getMember("views").getMember("View").getASubclass().getMember("my_method")
+        pass
 
 instance = MyView() #$ use=moduleImport("flask").getMember("views").getMember("View").getASubclass().getReturn()
 
 def internal():
     from pflask.views import View #$ use=moduleImport("pflask").getMember("views").getMember("View")
     class IntMyView(View): #$ use=moduleImport("pflask").getMember("views").getMember("View").getASubclass()
-        pass
+        my_internal_var = 35 #$ use=moduleImport("pflask").getMember("views").getMember("View").getASubclass().getMember("my_internal_var")
+        def my_internal_method(self): #$ use=moduleImport("pflask").getMember("views").getMember("View").getASubclass().getMember("my_internal_method")
+            pass
 
     int_instance = IntMyView() #$ use=moduleImport("pflask").getMember("views").getMember("View").getASubclass().getReturn()

From 5bfde2c0f2845df08036084f49fa3824aebbd263 Mon Sep 17 00:00:00 2001
From: Taus Brock-Nannestad <tausbn@github.com>
Date: Fri, 5 Feb 2021 21:56:57 +0100
Subject: [PATCH 216/429] Python: Fix overly broad class attribute node class

This is not strictly necessary, but it was bothering me that this
simply covered _all_ nodes that were both definitions and names at the
same time. Now it actually encompasses what the documentation claims
it does.
---
 .../ql/src/semmle/python/dataflow/new/internal/Attributes.qll | 4 +++-
 1 file changed, 3 insertions(+), 1 deletion(-)

diff --git a/python/ql/src/semmle/python/dataflow/new/internal/Attributes.qll b/python/ql/src/semmle/python/dataflow/new/internal/Attributes.qll
index cfe05cb3173..1bd5f961a36 100644
--- a/python/ql/src/semmle/python/dataflow/new/internal/Attributes.qll
+++ b/python/ql/src/semmle/python/dataflow/new/internal/Attributes.qll
@@ -159,7 +159,9 @@ private class SetAttrCallAsAttrWrite extends AttrWrite, CfgNode {
  * Instances of this class correspond to the `NameNode` for `attr`, and also gives access to `value` by
  * virtue of being a `DefinitionNode`.
  */
-private class ClassAttributeAssignmentNode extends DefinitionNode, NameNode { }
+private class ClassAttributeAssignmentNode extends DefinitionNode, NameNode {
+  ClassAttributeAssignmentNode() { this.getScope() = any(ClassExpr c).getInnerScope() }
+}
 
 /**
  * An attribute assignment via a class field, e.g.

From 3d2548ed28c7902e7d085f54e8ceb67f295b6a7c Mon Sep 17 00:00:00 2001
From: Taus Brock-Nannestad <tausbn@github.com>
Date: Fri, 5 Feb 2021 21:58:08 +0100
Subject: [PATCH 217/429] Python: Get rid of remaining type trackers in Flask
 model

At this point, we may want to reconsider whether we really want the
deeply-nested module structure we had before (and which made the type
trackers somewhat bearable).

There's also a question of how we can make this a bit more
smooth. I think we need to consider exactly how we would like the
interface to this to work.
---
 .../ql/src/semmle/python/frameworks/Flask.qll | 85 ++++---------------
 1 file changed, 18 insertions(+), 67 deletions(-)

diff --git a/python/ql/src/semmle/python/frameworks/Flask.qll b/python/ql/src/semmle/python/frameworks/Flask.qll
index ecfdf2d5981..178d089b2ea 100644
--- a/python/ql/src/semmle/python/frameworks/Flask.qll
+++ b/python/ql/src/semmle/python/frameworks/Flask.qll
@@ -76,17 +76,10 @@ private module FlaskModel {
     // flask.views
     // -------------------------------------------------------------------------
     /** Gets a reference to the `flask.views` module. */
-    DataFlow::Node views() { result = flask_attr("views").getAUse() }
+    API::Node views() { result = flask_attr("views") }
 
     /** Provides models for the `flask.views` module */
     module views {
-      /**
-       * Gets a reference to the attribute `attr_name` of the `flask.views` module.
-       */
-      private DataFlow::Node views_attr(string attr_name) {
-        result = flask().getMember("views").getMember(attr_name).getAUse()
-      }
-
       /**
        * Provides models for the `flask.views.View` class and subclasses.
        *
@@ -94,18 +87,9 @@ private module FlaskModel {
        */
       module View {
         /** Gets a reference to the `flask.views.View` class or any subclass. */
-        private DataFlow::Node subclassRef(DataFlow::TypeTracker t) {
-          t.start() and
-          result = views_attr(["View", "MethodView"])
-          or
-          // subclasses in project code
-          result.asExpr().(ClassExpr).getABase() = subclassRef(t.continue()).asExpr()
-          or
-          exists(DataFlow::TypeTracker t2 | result = subclassRef(t2).track(t2, t))
+        API::Node subclassRef() {
+          result = views().getMember(["View", "MethodView"]).getASubclass*()
         }
-
-        /** Gets a reference to the `flask.views.View` class or any subclass. */
-        DataFlow::Node subclassRef() { result = subclassRef(DataFlow::TypeTracker::end()) }
       }
 
       /**
@@ -114,19 +98,8 @@ private module FlaskModel {
        * See https://flask.palletsprojects.com/en/1.1.x/views/#method-based-dispatching.
        */
       module MethodView {
-        /** Gets a reference to the `flask.views.View` class or any subclass. */
-        private DataFlow::Node subclassRef(DataFlow::TypeTracker t) {
-          t.start() and
-          result = views_attr("MethodView")
-          or
-          // subclasses in project code
-          result.asExpr().(ClassExpr).getABase() = subclassRef(t.continue()).asExpr()
-          or
-          exists(DataFlow::TypeTracker t2 | result = subclassRef(t2).track(t2, t))
-        }
-
-        /** Gets a reference to the `flask.views.View` class or any subclass. */
-        DataFlow::Node subclassRef() { result = subclassRef(DataFlow::TypeTracker::end()) }
+        /** Gets a reference to the `flask.views.MethodView` class or any subclass. */
+        API::Node subclassRef() { result = views().getMember("MethodView").getASubclass*() }
       }
     }
   }
@@ -155,7 +128,7 @@ private module FlaskModel {
     private class ClassInstantiation extends InstanceSource, DataFlow::CfgNode {
       override CallNode node;
 
-      ClassInstantiation() { node.getFunction() = classRef().getAUse().asCfgNode() }
+      ClassInstantiation() { node = classRef().getACall().asCfgNode() }
 
       override DataFlow::Node getBody() { result.asCfgNode() = node.getArg(0) }
 
@@ -189,7 +162,12 @@ private module FlaskModel {
   // ---------------------------------------------------------------------------
   /** A flask View class defined in project code. */
   class FlaskViewClassDef extends Class {
-    FlaskViewClassDef() { this.getABase() = flask::views::View::subclassRef().asExpr() }
+    API::Node api_node;
+
+    FlaskViewClassDef() {
+      this.getABase() = flask::views::View::subclassRef().getAUse().asExpr() and
+      api_node.getAnImmediateUse().asExpr().(ClassExpr) = this.getParent()
+    }
 
     /** Gets a function that could handle incoming requests, if any. */
     Function getARequestHandler() {
@@ -199,42 +177,15 @@ private module FlaskModel {
       result.getName() = "dispatch_request"
     }
 
-    /** Gets a reference to this class. */
-    private DataFlow::Node getARef(DataFlow::TypeTracker t) {
-      t.start() and
-      result.asExpr().(ClassExpr) = this.getParent()
-      or
-      exists(DataFlow::TypeTracker t2 | result = this.getARef(t2).track(t2, t))
-    }
-
-    /** Gets a reference to this class. */
-    DataFlow::Node getARef() { result = this.getARef(DataFlow::TypeTracker::end()) }
-
-    /** Gets a reference to the `as_view` classmethod of this class. */
-    private DataFlow::Node asViewRef(DataFlow::TypeTracker t) {
-      t.startInAttr("as_view") and
-      result = this.getARef()
-      or
-      exists(DataFlow::TypeTracker t2 | result = this.asViewRef(t2).track(t2, t))
-    }
-
-    /** Gets a reference to the `as_view` classmethod of this class. */
-    DataFlow::Node asViewRef() { result = this.asViewRef(DataFlow::TypeTracker::end()) }
-
     /** Gets a reference to the result of calling the `as_view` classmethod of this class. */
-    private DataFlow::Node asViewResult(DataFlow::TypeTracker t) {
-      t.start() and
-      result.asCfgNode().(CallNode).getFunction() = this.asViewRef().asCfgNode()
-      or
-      exists(DataFlow::TypeTracker t2 | result = asViewResult(t2).track(t2, t))
-    }
-
-    /** Gets a reference to the result of calling the `as_view` classmethod of this class. */
-    DataFlow::Node asViewResult() { result = asViewResult(DataFlow::TypeTracker::end()) }
+    API::Node asViewResult() { result = api_node.getMember("as_view").getReturn() }
   }
 
   class FlaskMethodViewClassDef extends FlaskViewClassDef {
-    FlaskMethodViewClassDef() { this.getABase() = flask::views::MethodView::subclassRef().asExpr() }
+    FlaskMethodViewClassDef() {
+      this.getABase() = flask::views::MethodView::subclassRef().getAUse().asExpr() and
+      api_node.getAnImmediateUse().asExpr().(ClassExpr) = this.getParent()
+    }
 
     override Function getARequestHandler() {
       result = super.getARequestHandler()
@@ -316,7 +267,7 @@ private module FlaskModel {
       )
       or
       exists(FlaskViewClassDef vc |
-        getViewArg() = vc.asViewResult() and
+        getViewArg() = vc.asViewResult().getAUse() and
         result = vc.getARequestHandler()
       )
     }

From d3a79ecff16c85f4adf92c6326d02b1059b932c0 Mon Sep 17 00:00:00 2001
From: Taus <tausbn@gmail.com>
Date: Fri, 5 Feb 2021 22:54:27 +0100
Subject: [PATCH 218/429] Update
 python/ql/src/semmle/python/frameworks/Flask.qll

Co-authored-by: yoff <lerchedahl@gmail.com>
---
 python/ql/src/semmle/python/frameworks/Flask.qll | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)

diff --git a/python/ql/src/semmle/python/frameworks/Flask.qll b/python/ql/src/semmle/python/frameworks/Flask.qll
index 178d089b2ea..3baa394ebcd 100644
--- a/python/ql/src/semmle/python/frameworks/Flask.qll
+++ b/python/ql/src/semmle/python/frameworks/Flask.qll
@@ -128,7 +128,7 @@ private module FlaskModel {
     private class ClassInstantiation extends InstanceSource, DataFlow::CfgNode {
       override CallNode node;
 
-      ClassInstantiation() { node = classRef().getACall().asCfgNode() }
+      ClassInstantiation() { this = classRef().getACall() }
 
       override DataFlow::Node getBody() { result.asCfgNode() = node.getArg(0) }
 

From 236b7c5887fc4809863a8303e81e14d2ef7efdad Mon Sep 17 00:00:00 2001
From: Asger Feldthaus <asgerf@github.com>
Date: Fri, 5 Feb 2021 21:54:50 +0000
Subject: [PATCH 219/429] JS: Tolerate JSON in script tags

---
 .../semmle/js/extractor/HTMLExtractor.java    |  5 ++-
 .../tests/html/input/json_in_script.html      |  5 +++
 .../html/output/trap/json_in_script.html.trap | 34 +++++++++++++++++++
 3 files changed, 43 insertions(+), 1 deletion(-)
 create mode 100644 javascript/extractor/tests/html/input/json_in_script.html
 create mode 100644 javascript/extractor/tests/html/output/trap/json_in_script.html.trap

diff --git a/javascript/extractor/src/com/semmle/js/extractor/HTMLExtractor.java b/javascript/extractor/src/com/semmle/js/extractor/HTMLExtractor.java
index f18d3a8b337..561bbdb9171 100644
--- a/javascript/extractor/src/com/semmle/js/extractor/HTMLExtractor.java
+++ b/javascript/extractor/src/com/semmle/js/extractor/HTMLExtractor.java
@@ -331,7 +331,10 @@ public class HTMLExtractor implements IExtractor {
               textualExtractor.getMetrics(),
               textualExtractor.getExtractedFile());
       Pair<Label, LoCInfo> result = extractor.extract(tx, source, toplevelKind, scopeManager);
-      emitTopLevelXmlNodeBinding(parentHtmlNode, result.fst(), context, trapWriter);
+      Label toplevelLabel = result.fst();
+      if (toplevelLabel != null) { // can be null when script ends up being parsed as JSON
+        emitTopLevelXmlNodeBinding(parentHtmlNode, toplevelLabel, context, trapWriter);
+      }
       locInfo.add(result.snd());
     } catch (ParseError e) {
       e.setPosition(scriptLocationManager.translatePosition(e.getPosition()));
diff --git a/javascript/extractor/tests/html/input/json_in_script.html b/javascript/extractor/tests/html/input/json_in_script.html
new file mode 100644
index 00000000000..9c95c41c311
--- /dev/null
+++ b/javascript/extractor/tests/html/input/json_in_script.html
@@ -0,0 +1,5 @@
+<html>
+<script>
+{"Hello": 123}
+</script>
+</html>
\ No newline at end of file
diff --git a/javascript/extractor/tests/html/output/trap/json_in_script.html.trap b/javascript/extractor/tests/html/output/trap/json_in_script.html.trap
new file mode 100644
index 00000000000..f7855255420
--- /dev/null
+++ b/javascript/extractor/tests/html/output/trap/json_in_script.html.trap
@@ -0,0 +1,34 @@
+#10000=@"/json_in_script.html;sourcefile"
+files(#10000,"/json_in_script.html","json_in_script","html",0)
+#10001=@"/;folder"
+folders(#10001,"/","")
+containerparent(#10001,#10000)
+#10002=@"loc,{#10000},0,0,0,0"
+locations_default(#10002,#10000,0,0,0,0)
+hasLocation(#10000,#10002)
+#20000=@"global_scope"
+scopes(#20000,0)
+#20001=*
+json(#20001,5,#10000,0,"{""Hello"": 123}")
+#20002=@"loc,{#10000},3,1,3,14"
+locations_default(#20002,#10000,3,1,3,14)
+json_locations(#20001,#20002)
+#20003=*
+json(#20003,2,#20001,0,"123")
+#20004=@"loc,{#10000},3,11,3,13"
+locations_default(#20004,#10000,3,11,3,13)
+json_locations(#20003,#20004)
+json_literals("123","123",#20003)
+json_properties(#20001,"Hello",#20003)
+#20005=*
+xmlElements(#20005,"html",#10000,0,#10000)
+#20006=@"loc,{#10000},1,1,5,7"
+locations_default(#20006,#10000,1,1,5,7)
+xmllocations(#20005,#20006)
+#20007=*
+xmlElements(#20007,"script",#20005,0,#10000)
+#20008=@"loc,{#10000},2,1,4,9"
+locations_default(#20008,#10000,2,1,4,9)
+xmllocations(#20007,#20008)
+numlines(#10000,5,0,0)
+filetype(#10000,"html")

From 0ceb8aa6380c9305f1f2905f9c5f87893eb13df1 Mon Sep 17 00:00:00 2001
From: Asger Feldthaus <asgerf@github.com>
Date: Fri, 5 Feb 2021 21:55:43 +0000
Subject: [PATCH 220/429] JS: Bump extractor version

---
 javascript/extractor/src/com/semmle/js/extractor/Main.java | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)

diff --git a/javascript/extractor/src/com/semmle/js/extractor/Main.java b/javascript/extractor/src/com/semmle/js/extractor/Main.java
index fa4c138842a..b9fb9237556 100644
--- a/javascript/extractor/src/com/semmle/js/extractor/Main.java
+++ b/javascript/extractor/src/com/semmle/js/extractor/Main.java
@@ -43,7 +43,7 @@ public class Main {
    * A version identifier that should be updated every time the extractor changes in such a way that
    * it may produce different tuples for the same file under the same {@link ExtractorConfig}.
    */
-  public static final String EXTRACTOR_VERSION = "2020-12-11";
+  public static final String EXTRACTOR_VERSION = "2021-02-05";
 
   public static final Pattern NEWLINE = Pattern.compile("\n");
 

From d775528069c33dd727a2c0f50a781b751047c693 Mon Sep 17 00:00:00 2001
From: "Raul Garcia (MSFT)" <raul.garcia@microsoft.com>
Date: Fri, 5 Feb 2021 14:09:26 -0800
Subject: [PATCH 221/429] Fixes on multiple files.

---
 .../backdoor/DangerousNativeFunctionCall.qhelp            | 4 ++--
 .../backdoor/DangerousNativeFunctionCall.ql               | 3 +--
 .../Security Features/backdoor/PotentialTimeBomb.qhelp    | 4 ++--
 .../Security Features/backdoor/PotentialTimeBomb.ql       | 2 +-
 .../backdoor/ProcessNameToHashTaintFlow.qhelp             | 4 ++--
 .../backdoor/ProcessNameToHashTaintFlow.ql                | 7 +++----
 .../Solorigate/ModifiedFnvFunctionDetection.qhelp         | 4 ++--
 .../Solorigate/NumberOfKnownCommandsAboveThreshold.qhelp  | 4 ++--
 .../Solorigate/NumberOfKnownHashesAboveThreshold.ql       | 8 ++++----
 .../Solorigate/NumberOfKnownLiteralsAboveThreshold.ql     | 4 ++--
 .../Solorigate/NumberOfKnownMethodNamesAboveThreshold.ql  | 2 +-
 .../campaign/Solorigate/Solorigate.qhelp                  | 2 +-
 .../Solorigate/SwallowEverythingExceptionHandler.qhelp    | 2 +-
 13 files changed, 24 insertions(+), 26 deletions(-)

diff --git a/csharp/ql/src/experimental/Security Features/backdoor/DangerousNativeFunctionCall.qhelp b/csharp/ql/src/experimental/Security Features/backdoor/DangerousNativeFunctionCall.qhelp
index 75bd300601e..f499eebfdbf 100644
--- a/csharp/ql/src/experimental/Security Features/backdoor/DangerousNativeFunctionCall.qhelp	
+++ b/csharp/ql/src/experimental/Security Features/backdoor/DangerousNativeFunctionCall.qhelp	
@@ -3,11 +3,11 @@
   "qhelp.dtd">
 <qhelp>
   <overview>
-    <p>This query finds native calls to external functions that are often used in creating backdoors or are generally attributed to unsafe code practices.</p>
+    <p>This query finds native calls to external functions that are often used in creating backdoors or are generally attributed to unsafe code practices. This is an example of a query that may be useful for detecting potential backdoors. Solorigate is one example that uses this mechanism.</p>
   </overview>
 
   <recommendation>
-    <p>Any findings from this rules is only intended to indicate suspicious code that shares similarities with known portions of code used for the Solorigate attack, but no certainty that the code is related or part of any attack.</p>
+    <p>Any findings from this rule are only intended to indicate suspicious code that shares similarities with known portions of code used for the Solorigate attack. There is no certainty that the code is related or that the code is part of any attack.</p>
     <p>For more information about Solorigate, please visit https://aka.ms/solorigate. </p>
   </recommendation>
 
diff --git a/csharp/ql/src/experimental/Security Features/backdoor/DangerousNativeFunctionCall.ql b/csharp/ql/src/experimental/Security Features/backdoor/DangerousNativeFunctionCall.ql
index af1500fb215..c9d247d69f3 100644
--- a/csharp/ql/src/experimental/Security Features/backdoor/DangerousNativeFunctionCall.ql	
+++ b/csharp/ql/src/experimental/Security Features/backdoor/DangerousNativeFunctionCall.ql	
@@ -1,7 +1,6 @@
 /**
  * @name Potential dangerous use of native functions
- * @description Please review code for possible malicious intent or unsafe handling.
- *              NOTE: This query is an example of a query that may be useful for detecting potential backdoors, and Solorigate is just one such example that uses this mechanism.
+ * @description Detects the use of native functions that can be used for malicious intent or unsafe handling.
  * @kind problem
  * @problem.severity warning
  * @precision low
diff --git a/csharp/ql/src/experimental/Security Features/backdoor/PotentialTimeBomb.qhelp b/csharp/ql/src/experimental/Security Features/backdoor/PotentialTimeBomb.qhelp
index c9cecee8374..fb619cb738e 100644
--- a/csharp/ql/src/experimental/Security Features/backdoor/PotentialTimeBomb.qhelp	
+++ b/csharp/ql/src/experimental/Security Features/backdoor/PotentialTimeBomb.qhelp	
@@ -3,11 +3,11 @@
   "qhelp.dtd">
 <qhelp>
   <overview>
-    <p>This query finds if there exists a DataFlow from a file last modification date (very likely implant installation time) and an offset to a condition statement (the trigger) that controls code execution.</p>
+    <p>This query checks for data flow from a file's last modification date and a condition statement that controls code execution. A malicious actor could have implanted code that triggers after a certain time, leading to a "time bomb".</p>
   </overview>
 
   <recommendation>
-    <p>Any findings from this rules is only intended to indicate suspicious code that shares similarities with known portions of code used for the Solorigate attack, but no certainty that the code is related or part of any attack.</p>
+    <p>Any findings from this rule are only intended to indicate suspicious code that shares similarities with known portions of code used for the Solorigate attack. There is no certainty that the code is related or that the code is part of any attack.</p>
     <p>For more information about Solorigate, please visit https://aka.ms/solorigate. </p>
   </recommendation>
 
diff --git a/csharp/ql/src/experimental/Security Features/backdoor/PotentialTimeBomb.ql b/csharp/ql/src/experimental/Security Features/backdoor/PotentialTimeBomb.ql
index 332df2d2a28..31c00e8a378 100644
--- a/csharp/ql/src/experimental/Security Features/backdoor/PotentialTimeBomb.ql	
+++ b/csharp/ql/src/experimental/Security Features/backdoor/PotentialTimeBomb.ql	
@@ -1,6 +1,6 @@
 /**
  * @name Potential Timebomb
- * @description Flow from a file last modification date (very likely implant installation time) and an offset to condition statement (the trigger)
+ * @description If there is data flow from a file's last modification date and an offset to a condition statement, this could trigger a "time bomb".
  * @kind path-problem
  * @precision Low
  * @problem.severity warning
diff --git a/csharp/ql/src/experimental/Security Features/backdoor/ProcessNameToHashTaintFlow.qhelp b/csharp/ql/src/experimental/Security Features/backdoor/ProcessNameToHashTaintFlow.qhelp
index 12eb83191ac..cb1faf86974 100644
--- a/csharp/ql/src/experimental/Security Features/backdoor/ProcessNameToHashTaintFlow.qhelp	
+++ b/csharp/ql/src/experimental/Security Features/backdoor/ProcessNameToHashTaintFlow.qhelp	
@@ -4,11 +4,11 @@
 <qhelp>
   <overview>
     <p>This query detects code flow from ProcessName property on the Process class into a hash function.</p>
-    <p>Such flow is often used in code backdoors to detect runnig processes and compare them to an obfuscated list of antivirus processes to aviod detection.</p>
+    <p>Such flow is often used in code backdoors to detect running processes and compare them to an obfuscated list of antivirus processes to avoid detection. Solorigate is one example that uses this mechanism.</p>
   </overview>
 
   <recommendation>
-    <p>Any findings from this rules is only intended to indicate suspicious code that shares similarities with known portions of code used for the Solorigate attack, but no certainty that the code is related or part of any attack.</p>
+    <p>Any findings from this rule are only intended to indicate suspicious code that shares similarities with known portions of code used for the Solorigate attack. There is no certainty that the code is related or that the code is part of any attack.</p>
     <p>For more information about Solorigate, please visit https://aka.ms/solorigate. </p>
   </recommendation>
 
diff --git a/csharp/ql/src/experimental/Security Features/backdoor/ProcessNameToHashTaintFlow.ql b/csharp/ql/src/experimental/Security Features/backdoor/ProcessNameToHashTaintFlow.ql
index 96363bbadff..d6fd090540e 100644
--- a/csharp/ql/src/experimental/Security Features/backdoor/ProcessNameToHashTaintFlow.ql	
+++ b/csharp/ql/src/experimental/Security Features/backdoor/ProcessNameToHashTaintFlow.ql	
@@ -1,7 +1,6 @@
 /**
  * @name ProcessName to hash function flow
- * @description Flow from a function retrieving process name to a hash function
- *              NOTE: This query is an example of a query that may be useful for detecting potential backdoors, and Solorigate is just one such example that uses this mechanism.
+ * @description Flow from a function retrieving process name to a hash function.
  * @kind path-problem
  * @tags security
  *       solorigate
@@ -20,12 +19,12 @@ class DataFlowFromMethodToHash extends TaintTracking::Configuration {
   /**
    * Holds if `source` is a relevant data flow source.
    */
-  override predicate isSource(Node source) { isSuspiciousPropertyName(source.asExpr()) }
+  override predicate isSource(DataFlow::Node source) { isSuspiciousPropertyName(source.asExpr()) }
 
   /**
    * Holds if `sink` is a relevant data flow sink.
    */
-  override predicate isSink(Node sink) { isGetHash(sink.asExpr()) }
+  override predicate isSink(DataFlow::Node sink) { isGetHash(sink.asExpr()) }
 }
 
 predicate isGetHash(Expr arg) {
diff --git a/csharp/ql/src/experimental/Security Features/campaign/Solorigate/ModifiedFnvFunctionDetection.qhelp b/csharp/ql/src/experimental/Security Features/campaign/Solorigate/ModifiedFnvFunctionDetection.qhelp
index ffa32c5937d..8b639b14ab0 100644
--- a/csharp/ql/src/experimental/Security Features/campaign/Solorigate/ModifiedFnvFunctionDetection.qhelp	
+++ b/csharp/ql/src/experimental/Security Features/campaign/Solorigate/ModifiedFnvFunctionDetection.qhelp	
@@ -3,8 +3,8 @@
   "qhelp.dtd">
 <qhelp>
   <overview>
-    <p>The malicious code included hash values calculated using a standard FNV-1A 64-bit hash with an additional XOR by a literal after computing the FNV-1A.</p>
-    <p>This query detects FNV-like hash calculations where there is an additional xor (with any static value) after the hash calculation loop.</p>
+    <p>In Solorigate, the malicious code tried to evade various security detection software by comparing hashes of the process names against an embedded list of values. The malicious code included hash values calculated using a standard FNV-1A 64-bit hash with an additional XOR by a literal after computing the FNV-1A.</p>
+    <p>This query detects FNV-like hash calculations where there is an additional XOR (with any static value) after the hash calculation loop.</p>
   </overview>
 
   <include src="Solorigate.qhelp" />
diff --git a/csharp/ql/src/experimental/Security Features/campaign/Solorigate/NumberOfKnownCommandsAboveThreshold.qhelp b/csharp/ql/src/experimental/Security Features/campaign/Solorigate/NumberOfKnownCommandsAboveThreshold.qhelp
index 0db1732805d..9417cbb2645 100644
--- a/csharp/ql/src/experimental/Security Features/campaign/Solorigate/NumberOfKnownCommandsAboveThreshold.qhelp	
+++ b/csharp/ql/src/experimental/Security Features/campaign/Solorigate/NumberOfKnownCommandsAboveThreshold.qhelp	
@@ -3,8 +3,8 @@
   "qhelp.dtd">
 <qhelp>
   <overview>
-    <p>This query detects if there is an enum that includes various of the values used for the Solorigate commands.</p>
-    <p>Please notice that by themselves the names of these enum constants are not malign.</p>
+    <p>This query detects enumerations that include various commands that were also used in the Solorigate implant.</p>
+    <p>By themselves, the names of these enumeration constants are not malicious, so the query only detects enumerations that includes at least 10 of the 18 Solorigate commands.</p>
   </overview>
 
   <include src="Solorigate.qhelp" />
diff --git a/csharp/ql/src/experimental/Security Features/campaign/Solorigate/NumberOfKnownHashesAboveThreshold.ql b/csharp/ql/src/experimental/Security Features/campaign/Solorigate/NumberOfKnownHashesAboveThreshold.ql
index 392a0d97165..541f3205c01 100644
--- a/csharp/ql/src/experimental/Security Features/campaign/Solorigate/NumberOfKnownHashesAboveThreshold.ql	
+++ b/csharp/ql/src/experimental/Security Features/campaign/Solorigate/NumberOfKnownHashesAboveThreshold.ql	
@@ -1,7 +1,7 @@
 /**
- * @name Number of Solorigate-related Hashes as literals is above the threshold
- * @description The total number of Solorigate-related hash literals found in the code is above a threshold, which may indicate that the code may have been tampered by an external agent.
- *      It is recommended to review the code and verify that there is no unexpected code in this project, however it is highly unlikely the hash values would be present coincideentally
+ * @name Number of Solorigate-related hashes as literals is above the threshold
+ * @description The total number of Solorigate-related hash literals found in the code is above a threshold, which may indicate that an external agent has tampered with the code.
+ *      It is recommended to review the code and verify that there is no unexpected code in this project, however it is highly unlikely the hash values would be present coincidentally.
  * @kind problem
  * @tags security
  *       solorigate
@@ -14,7 +14,7 @@ import csharp
 import Solorigate
 
 /*
- * Returns the total number of Solorigate-related literales found in the project
+ * Returns the total number of Solorigate-related hashes found in the project
  */
 
 int countSolorigateSuspiciousHash() {
diff --git a/csharp/ql/src/experimental/Security Features/campaign/Solorigate/NumberOfKnownLiteralsAboveThreshold.ql b/csharp/ql/src/experimental/Security Features/campaign/Solorigate/NumberOfKnownLiteralsAboveThreshold.ql
index 2055dda9946..a18f0c40916 100644
--- a/csharp/ql/src/experimental/Security Features/campaign/Solorigate/NumberOfKnownLiteralsAboveThreshold.ql	
+++ b/csharp/ql/src/experimental/Security Features/campaign/Solorigate/NumberOfKnownLiteralsAboveThreshold.ql	
@@ -1,6 +1,6 @@
 /**
  * @name Number of Solorigate-related literals is above the threshold
- * @description The total number of Solorigate-related literals found in the code is above a threshold, which may indicate that the code may have been tampered by an external agent.
+ * @description The total number of Solorigate-related literals found in the code is above a threshold, which may indicate that an external agent has tampered with the code.
  *      It is recommended to review the code and verify that there is no unexpected code in this project.
  * @kind problem
  * @tags security
@@ -14,7 +14,7 @@ import csharp
 import Solorigate
 
 /*
- * Returns the total number of Solorigate-related literales found in the project
+ * Returns the total number of Solorigate-related literals found in the project
  */
 
 int countSolorigateSuspiciousLiterals() {
diff --git a/csharp/ql/src/experimental/Security Features/campaign/Solorigate/NumberOfKnownMethodNamesAboveThreshold.ql b/csharp/ql/src/experimental/Security Features/campaign/Solorigate/NumberOfKnownMethodNamesAboveThreshold.ql
index a3bac88cb78..c60281882b8 100644
--- a/csharp/ql/src/experimental/Security Features/campaign/Solorigate/NumberOfKnownMethodNamesAboveThreshold.ql	
+++ b/csharp/ql/src/experimental/Security Features/campaign/Solorigate/NumberOfKnownMethodNamesAboveThreshold.ql	
@@ -1,6 +1,6 @@
 /**
  * @name Number of Solorigate-related method names is above the threshold
- * @description The total number of Solorigate-related method names found in the code is above a threshold, which may indicate that the code may have been tampered by an external agent.
+ * @description The total number of Solorigate-related method names found in the code is above a threshold, which may indicate that an external agent has tampered with the code.
  *      It is recommended to review the code and verify that there is no unexpected code in this project.
  * @kind problem
  * @tags security
diff --git a/csharp/ql/src/experimental/Security Features/campaign/Solorigate/Solorigate.qhelp b/csharp/ql/src/experimental/Security Features/campaign/Solorigate/Solorigate.qhelp
index 19c5c2666cd..dcd7c0b9d74 100644
--- a/csharp/ql/src/experimental/Security Features/campaign/Solorigate/Solorigate.qhelp	
+++ b/csharp/ql/src/experimental/Security Features/campaign/Solorigate/Solorigate.qhelp	
@@ -7,7 +7,7 @@
   <p>The purpose of these rules is to identify potentially tampered code that requires further analysis</p>
 </overview> 
 <recommendation>
-  <p>Any findings from these rules are only intended to indicate suspicious code that shares similarities with known portions of code used for this attack, but no certainty that the code is related or part of any attack.</p>
+  <p>Any findings from this rule are only intended to indicate suspicious code that shares similarities with known portions of code used for the Solorigate attack. There is no certainty that the code is related or that the code is part of any attack.</p>
   <p>For more information, please visit https://aka.ms/solorigate. </p>
 </recommendation>
 </qhelp>
\ No newline at end of file
diff --git a/csharp/ql/src/experimental/Security Features/campaign/Solorigate/SwallowEverythingExceptionHandler.qhelp b/csharp/ql/src/experimental/Security Features/campaign/Solorigate/SwallowEverythingExceptionHandler.qhelp
index 83fa8f8c58c..7be5a1f902e 100644
--- a/csharp/ql/src/experimental/Security Features/campaign/Solorigate/SwallowEverythingExceptionHandler.qhelp	
+++ b/csharp/ql/src/experimental/Security Features/campaign/Solorigate/SwallowEverythingExceptionHandler.qhelp	
@@ -3,7 +3,7 @@
   "qhelp.dtd">
 <qhelp>
   <overview>
-    <p>The malicious code was wrapped in generic exception catch blocks that lacked any statements</p>
+    <p>In Solorigate, the malicious code was wrapped in generic exception catch blocks that lacked any statements. This made it harder to find any suspicious runtime exceptions.</p>
     <p>This query detects all generic exception empty catch blocks, but it is strongly suggested that the results for cs/catch-of-all-exceptions also be reviewed in the event that a malicious swallow everything exception handler was not empty</p>
   </overview>
 

From ddd362bc16eaf0049aeda6fc5e7204982404008a Mon Sep 17 00:00:00 2001
From: yoff <lerchedahl@gmail.com>
Date: Fri, 5 Feb 2021 23:31:20 +0100
Subject: [PATCH 222/429] Update
 python/ql/src/semmle/python/frameworks/Django.qll

Co-authored-by: Rasmus Wriedt Larsen <rasmuswl@github.com>
---
 python/ql/src/semmle/python/frameworks/Django.qll | 7 +++++++
 1 file changed, 7 insertions(+)

diff --git a/python/ql/src/semmle/python/frameworks/Django.qll b/python/ql/src/semmle/python/frameworks/Django.qll
index 3832f5c410e..fd43d938806 100644
--- a/python/ql/src/semmle/python/frameworks/Django.qll
+++ b/python/ql/src/semmle/python/frameworks/Django.qll
@@ -2314,6 +2314,13 @@ private module Django {
 
     DjangoShortcutsRedirectCall() { node.getFunction() = django::shortcuts::redirect().asCfgNode() }
 
+    /**
+     * Gets the data-flow node that specifies the location of this HTTP redirect response.
+     *
+     * Note: For `django.shortcuts.redirect`, the result might not be a full URL
+     * (as usually expected by this method), but could be a relative URL,
+     * a string identifying a view, or a Django model.
+     */
     override DataFlow::Node getRedirectLocation() {
       result.asCfgNode() in [node.getArg(0), node.getArgByName("to")]
     }

From 7c506f445ce8597cdd3bd66df777c49d93e19785 Mon Sep 17 00:00:00 2001
From: Tamas Vajk <tamasvajk@github.com>
Date: Fri, 6 Nov 2020 13:02:41 +0100
Subject: [PATCH 223/429] C#: Extract underlying methods of foreach statements

---
 .../2021-02-02-foreach-underlying-methods.md  |   3 +
 .../Entities/Statements/ForEach.cs            |  14 ++-
 .../Semmle.Extraction.CSharp/Tuples.cs        |   6 +
 csharp/ql/src/Dead Code/DeadCode.qll          |   2 +
 .../raw/internal/desugar/Foreach.qll          |  39 +------
 csharp/ql/src/semmle/code/csharp/Stmt.qll     |  21 ++++
 csharp/ql/src/semmlecode.csharp.dbscheme      |   9 ++
 .../library-tests/csharp9/ForeachExtension.cs |  50 +++++++++
 .../library-tests/csharp9/PrintAst.expected   | 103 ++++++++++++++++++
 .../library-tests/csharp9/foreach.expected    |   4 +
 .../ql/test/library-tests/csharp9/foreach.ql  |  15 +++
 .../csharp9/typeParameterNullability.expected |   2 -
 .../csharp9/typeParameterNullability.ql       |   6 +-
 csharp/upgrades/TO_CHANGE/upgrade.properties  |   2 +
 14 files changed, 235 insertions(+), 41 deletions(-)
 create mode 100644 csharp/change-notes/2021-02-02-foreach-underlying-methods.md
 create mode 100644 csharp/ql/test/library-tests/csharp9/ForeachExtension.cs
 create mode 100644 csharp/ql/test/library-tests/csharp9/foreach.expected
 create mode 100644 csharp/ql/test/library-tests/csharp9/foreach.ql
 create mode 100644 csharp/upgrades/TO_CHANGE/upgrade.properties

diff --git a/csharp/change-notes/2021-02-02-foreach-underlying-methods.md b/csharp/change-notes/2021-02-02-foreach-underlying-methods.md
new file mode 100644
index 00000000000..a9e934a0e5d
--- /dev/null
+++ b/csharp/change-notes/2021-02-02-foreach-underlying-methods.md
@@ -0,0 +1,3 @@
+lgtm,codescanning
+* The underlying methods of `foreach` statements are now explicitly extracted and
+they are made available on the `ForeachStmt` class.
diff --git a/csharp/extractor/Semmle.Extraction.CSharp/Entities/Statements/ForEach.cs b/csharp/extractor/Semmle.Extraction.CSharp/Entities/Statements/ForEach.cs
index 262b3f0e328..ebd0f301b42 100644
--- a/csharp/extractor/Semmle.Extraction.CSharp/Entities/Statements/ForEach.cs
+++ b/csharp/extractor/Semmle.Extraction.CSharp/Entities/Statements/ForEach.cs
@@ -18,11 +18,12 @@ namespace Semmle.Extraction.CSharp.Entities.Statements
             return ret;
         }
 
-        protected override void PopulateStatement(TextWriter _)
+        protected override void PopulateStatement(TextWriter trapFile)
         {
             Expression.Create(cx, Stmt.Expression, this, 1);
 
-            var typeSymbol = cx.GetModel(Stmt).GetDeclaredSymbol(Stmt);
+            var semanticModel = cx.GetModel(Stmt);
+            var typeSymbol = semanticModel.GetDeclaredSymbol(Stmt);
             var type = typeSymbol.GetAnnotatedType();
 
             var location = cx.Create(Stmt.Identifier.GetLocation());
@@ -30,6 +31,15 @@ namespace Semmle.Extraction.CSharp.Entities.Statements
             Expressions.VariableDeclaration.Create(cx, typeSymbol, type, Stmt.Type, location, Stmt.Type.IsVar, this, 0);
 
             Statement.Create(cx, Stmt.Statement, this, 2);
+
+            var info = semanticModel.GetForEachStatementInfo(Stmt);
+            var getEnumerator = Method.Create(cx, info.GetEnumeratorMethod);
+            var currentProp = Property.Create(cx, info.CurrentProperty);
+            var moveNext = Method.Create(cx, info.MoveNextMethod);
+            var dispose = Method.Create(cx, info.DisposeMethod);
+            var elementType = Type.Create(cx, info.ElementType);
+
+            trapFile.foreach_stmt_info(this, elementType, getEnumerator, moveNext, dispose, currentProp, info.IsAsynchronous);
         }
     }
 
diff --git a/csharp/extractor/Semmle.Extraction.CSharp/Tuples.cs b/csharp/extractor/Semmle.Extraction.CSharp/Tuples.cs
index ec2bd66d32e..cfb797f6ff7 100644
--- a/csharp/extractor/Semmle.Extraction.CSharp/Tuples.cs
+++ b/csharp/extractor/Semmle.Extraction.CSharp/Tuples.cs
@@ -53,6 +53,12 @@ namespace Semmle.Extraction.CSharp
             trapFile.WriteTuple("catch_type", @catch, type, explicityCaught ? 1 : 2);
         }
 
+        internal static void foreach_stmt_info(this TextWriter trapFile, Entities.Statements.ForEach @foreach, Type element, Method getEnumerator,
+            Method moveNext, Method dispose, Property current, bool isAsync)
+        {
+            trapFile.WriteTuple("foreach_stmt_info", @foreach, element, getEnumerator, moveNext, dispose, current, isAsync ? 2 : 1);
+        }
+
         internal static void commentblock(this TextWriter trapFile, CommentBlock k)
         {
             trapFile.WriteTuple("commentblock", k);
diff --git a/csharp/ql/src/Dead Code/DeadCode.qll b/csharp/ql/src/Dead Code/DeadCode.qll
index e3584eaa1a4..efb7a76ee78 100644
--- a/csharp/ql/src/Dead Code/DeadCode.qll	
+++ b/csharp/ql/src/Dead Code/DeadCode.qll	
@@ -43,6 +43,8 @@ Expr getAMethodAccess(Method m) {
 predicate potentiallyAccessedByForEach(Method m) {
   m.hasName("GetEnumerator") and
   m.getDeclaringType().getABaseType+().hasQualifiedName("System.Collections.IEnumerable")
+  or
+  foreach_stmt_info(_, _, m, _, _, _, _)
 }
 
 predicate isRecursivelyLiveExpression(Expr e) {
diff --git a/csharp/ql/src/experimental/ir/implementation/raw/internal/desugar/Foreach.qll b/csharp/ql/src/experimental/ir/implementation/raw/internal/desugar/Foreach.qll
index 9dee8221235..a526ec5bdcd 100644
--- a/csharp/ql/src/experimental/ir/implementation/raw/internal/desugar/Foreach.qll
+++ b/csharp/ql/src/experimental/ir/implementation/raw/internal/desugar/Foreach.qll
@@ -171,11 +171,7 @@ private class TranslatedForeachMoveNext extends TranslatedCompilerGeneratedCall,
 
   override Callable getInstructionFunction(InstructionTag tag) {
     tag = CallTargetTag() and
-    exists(Callable internal |
-      internal.getName() = "MoveNext" and
-      internal.getReturnType() instanceof BoolType and
-      result = internal
-    )
+    result = generatedBy.getMoveNext()
   }
 
   override Type getCallResultType() { result instanceof BoolType }
@@ -205,28 +201,9 @@ private class TranslatedForeachGetEnumerator extends TranslatedCompilerGenerated
     result = getInstructionFunction(CallTargetTag()).getReturnType()
   }
 
-  private Callable getEnumeratorCallable() {
-    if exists(generatedBy.getIterableExpr().getType().(ValueOrRefType).getAMember("GetEnumerator"))
-    then
-      result = generatedBy.getIterableExpr().getType().(ValueOrRefType).getAMember("GetEnumerator")
-    else
-      exists(Interface inter |
-        inter =
-          generatedBy
-              .getIterableExpr()
-              .getType()
-              .(ValueOrRefType)
-              // There could be some abstract base types until we reach `IEnumerable` (eg. `Array`)
-              .getABaseType*()
-              .getABaseInterface() and
-        inter.getName() = "IEnumerable" and
-        result = inter.getAMember("GetEnumerator")
-      )
-  }
-
   override Callable getInstructionFunction(InstructionTag tag) {
     tag = CallTargetTag() and
-    result = getEnumeratorCallable()
+    result = generatedBy.getGetEnumerator()
   }
 
   override TranslatedExpr getArgument(int id) { none() }
@@ -247,7 +224,7 @@ private class TranslatedForeachCurrent extends TranslatedCompilerGeneratedCall,
 
   TranslatedForeachCurrent() { this = TTranslatedCompilerGeneratedElement(generatedBy, 5) }
 
-  override Type getCallResultType() { result = generatedBy.getAVariable().getType() }
+  override Type getCallResultType() { result = generatedBy.getElementType() }
 
   override TranslatedExpr getArgument(int id) { none() }
 
@@ -262,10 +239,7 @@ private class TranslatedForeachCurrent extends TranslatedCompilerGeneratedCall,
 
   override Callable getInstructionFunction(InstructionTag tag) {
     tag = CallTargetTag() and
-    exists(Property prop |
-      prop.getName() = "Current" and
-      result = prop.getGetter()
-    )
+    result = generatedBy.getCurrent().getGetter()
   }
 }
 
@@ -280,10 +254,7 @@ private class TranslatedForeachDispose extends TranslatedCompilerGeneratedCall,
 
   override Callable getInstructionFunction(InstructionTag tag) {
     tag = CallTargetTag() and
-    exists(Callable dispose |
-      dispose.getName() = "Dispose" and
-      result = dispose
-    )
+    result = generatedBy.getDispose()
   }
 
   final override Type getCallResultType() { result instanceof VoidType }
diff --git a/csharp/ql/src/semmle/code/csharp/Stmt.qll b/csharp/ql/src/semmle/code/csharp/Stmt.qll
index 8fadbc1267b..68e26ff0a8c 100644
--- a/csharp/ql/src/semmle/code/csharp/Stmt.qll
+++ b/csharp/ql/src/semmle/code/csharp/Stmt.qll
@@ -582,6 +582,27 @@ class ForeachStmt extends LoopStmt, @foreach_stmt {
    */
   Expr getIterableExpr() { result = this.getChild(1) }
 
+  /** Gets the called `GetEnumerator` method. */
+  Method getGetEnumerator() { foreach_stmt_info(this, _, result, _, _, _, _) }
+
+  /** Gets the called `MoveNext` or `MoveNextAsync` method. */
+  Method getMoveNext() { foreach_stmt_info(this, _, _, result, _, _, _) }
+
+  /** Gets the called `Dispose` or `DisposeAsync` method. */
+  Method getDispose() { foreach_stmt_info(this, _, _, _, result, _, _) }
+
+  /** Gets the called `Current` property. */
+  Property getCurrent() { foreach_stmt_info(this, _, _, _, _, result, _) }
+
+  /**
+   * Gets the intermediate type to which the `Current` property is converted before
+   * being converted to the iteration variable type.
+   */
+  Type getElementType() { foreach_stmt_info(this, result, _, _, _, _, _) }
+
+  /** Holds if this `foreach` statement is asynchronous. */
+  predicate isAsync() { foreach_stmt_info(this, _, _, _, _, _, 2) }
+
   override string toString() { result = "foreach (... ... in ...) ..." }
 
   override string getAPrimaryQlClass() { result = "ForeachStmt" }
diff --git a/csharp/ql/src/semmlecode.csharp.dbscheme b/csharp/ql/src/semmlecode.csharp.dbscheme
index 68db341c2ed..bcfb223217d 100644
--- a/csharp/ql/src/semmlecode.csharp.dbscheme
+++ b/csharp/ql/src/semmlecode.csharp.dbscheme
@@ -982,6 +982,15 @@ catch_type(
   int type_id: @type_or_ref ref,
   int kind: int ref /* explicit = 1, implicit = 2 */);
 
+foreach_stmt_info(
+  unique int id: @foreach_stmt ref,
+  int element_type_id: @type_or_ref ref,
+  int getenumerator_id: @method ref,
+  int movenext_id: @method ref,
+  int dispose_id: @method ref,
+  int current_id: @property ref,
+  int kind: int ref /* non-async = 1, async = 2 */);
+
 /** EXPRESSIONS **/
 
 expressions(
diff --git a/csharp/ql/test/library-tests/csharp9/ForeachExtension.cs b/csharp/ql/test/library-tests/csharp9/ForeachExtension.cs
new file mode 100644
index 00000000000..0ef36fbc7d9
--- /dev/null
+++ b/csharp/ql/test/library-tests/csharp9/ForeachExtension.cs
@@ -0,0 +1,50 @@
+using System;
+using System.Collections.Generic;
+using System.Linq;
+using System.Threading.Tasks;
+
+static class Extensions
+{
+    public static IEnumerator<T> GetEnumerator<T>(this IEnumerator<T> enumerator) => enumerator;
+    public static IAsyncEnumerator<T> GetAsyncEnumerator<T>(this IAsyncEnumerator<T> enumerator) => enumerator;
+    public static IEnumerator<int> GetEnumerator(this int count)
+    {
+        for (int i = 0; i < count; i++)
+        {
+            yield return i;
+        }
+    }
+}
+
+class Program
+{
+    async Task Main()
+    {
+        IEnumerator<int> enumerator1 = Enumerable.Range(0, 10).GetEnumerator();
+        foreach (var item in enumerator1)
+        {
+        }
+
+        IAsyncEnumerator<int> enumerator2 = GetAsyncEnumerator();
+        await foreach (var item in enumerator2)
+        {
+        }
+
+        foreach (var item in 42)
+        {
+        }
+
+        foreach (var i in new int[] { 1, 2, 3 }) // not extension
+        {
+        }
+    }
+
+    static async IAsyncEnumerator<int> GetAsyncEnumerator()
+    {
+        yield return 0;
+        await Task.Delay(1);
+        yield return 1;
+    }
+}
+
+// semmle-extractor-options: /r:System.Linq.dll
\ No newline at end of file
diff --git a/csharp/ql/test/library-tests/csharp9/PrintAst.expected b/csharp/ql/test/library-tests/csharp9/PrintAst.expected
index ea3540ce4ce..e203842664b 100644
--- a/csharp/ql/test/library-tests/csharp9/PrintAst.expected
+++ b/csharp/ql/test/library-tests/csharp9/PrintAst.expected
@@ -166,6 +166,109 @@ Discard.cs:
 #   10|             4: [BlockStmt] {...}
 #   10|               0: [ReturnStmt] return ...;
 #   10|                 0: [IntLiteral] 0
+ForeachExtension.cs:
+#    6| [Class] Extensions
+#    8|   4: [ExtensionMethod] GetEnumerator
+#    8|     -1: [TypeMention] IEnumerator<T>
+#    8|       1: [TypeMention] T
+#-----|     1: (Type parameters)
+#    8|       0: [TypeParameter] T
+#-----|     2: (Parameters)
+#    8|       0: [Parameter] enumerator
+#    8|         -1: [TypeMention] IEnumerator<T>
+#    8|           1: [TypeMention] T
+#    8|     4: [ParameterAccess] access to parameter enumerator
+#    9|   6: [ExtensionMethod] GetAsyncEnumerator
+#    9|     -1: [TypeMention] IAsyncEnumerator<T>
+#    9|       1: [TypeMention] T
+#-----|     1: (Type parameters)
+#    9|       0: [TypeParameter] T
+#-----|     2: (Parameters)
+#    9|       0: [Parameter] enumerator
+#    9|         -1: [TypeMention] IAsyncEnumerator<T>
+#    9|           1: [TypeMention] T
+#    9|     4: [ParameterAccess] access to parameter enumerator
+#   10|   8: [ExtensionMethod] GetEnumerator
+#   10|     -1: [TypeMention] IEnumerator<Int32>
+#   10|       1: [TypeMention] int
+#-----|     2: (Parameters)
+#   10|       0: [Parameter] count
+#   10|         -1: [TypeMention] int
+#   11|     4: [BlockStmt] {...}
+#   12|       0: [ForStmt] for (...;...;...) ...
+#   12|         -1: [LocalVariableDeclAndInitExpr] Int32 i = ...
+#   12|           -1: [TypeMention] int
+#   12|           0: [LocalVariableAccess] access to local variable i
+#   12|           1: [IntLiteral] 0
+#   12|         0: [LTExpr] ... < ...
+#   12|           0: [LocalVariableAccess] access to local variable i
+#   12|           1: [ParameterAccess] access to parameter count
+#   12|         1: [PostIncrExpr] ...++
+#   12|           0: [LocalVariableAccess] access to local variable i
+#   13|         2: [BlockStmt] {...}
+#   14|           0: [YieldReturnStmt] yield return ...;
+#   14|             0: [LocalVariableAccess] access to local variable i
+#   19| [Class] Program
+#   21|   5: [Method] Main
+#   21|     -1: [TypeMention] Task
+#   22|     4: [BlockStmt] {...}
+#   23|       0: [LocalVariableDeclStmt] ... ...;
+#   23|         0: [LocalVariableDeclAndInitExpr] IEnumerator<Int32> enumerator1 = ...
+#   23|           -1: [TypeMention] IEnumerator<Int32>
+#   23|             1: [TypeMention] int
+#   23|           0: [LocalVariableAccess] access to local variable enumerator1
+#   23|           1: [MethodCall] call to method GetEnumerator
+#   23|             -1: [MethodCall] call to method Range
+#   23|               -1: [TypeAccess] access to type Enumerable
+#   23|                 0: [TypeMention] Enumerable
+#   23|               0: [IntLiteral] 0
+#   23|               1: [IntLiteral] 10
+#   24|       1: [ForeachStmt] foreach (... ... in ...) ...
+#   24|         0: [LocalVariableDeclExpr] Int32 item
+#   24|           0: [TypeMention] int
+#   24|         1: [LocalVariableAccess] access to local variable enumerator1
+#   25|         2: [BlockStmt] {...}
+#   28|       2: [LocalVariableDeclStmt] ... ...;
+#   28|         0: [LocalVariableDeclAndInitExpr] IAsyncEnumerator<Int32> enumerator2 = ...
+#   28|           -1: [TypeMention] IAsyncEnumerator<Int32>
+#   28|             1: [TypeMention] int
+#   28|           0: [LocalVariableAccess] access to local variable enumerator2
+#   28|           1: [MethodCall] call to method GetAsyncEnumerator
+#   29|       3: [ForeachStmt] foreach (... ... in ...) ...
+#   29|         0: [LocalVariableDeclExpr] Int32 item
+#   29|           0: [TypeMention] int
+#   29|         1: [LocalVariableAccess] access to local variable enumerator2
+#   30|         2: [BlockStmt] {...}
+#   33|       4: [ForeachStmt] foreach (... ... in ...) ...
+#   33|         0: [LocalVariableDeclExpr] Int32 item
+#   33|           0: [TypeMention] int
+#   33|         1: [IntLiteral] 42
+#   34|         2: [BlockStmt] {...}
+#   37|       5: [ForeachStmt] foreach (... ... in ...) ...
+#   37|         0: [LocalVariableDeclExpr] Int32 i
+#   37|           0: [TypeMention] int
+#   37|         1: [ArrayCreation] array creation of type Int32[]
+#   37|           -2: [TypeMention] Int32[]
+#   37|             1: [TypeMention] int
+#   37|           -1: [ArrayInitializer] { ..., ... }
+#   37|             0: [IntLiteral] 1
+#   37|             1: [IntLiteral] 2
+#   37|             2: [IntLiteral] 3
+#   38|         2: [BlockStmt] {...}
+#   42|   6: [Method] GetAsyncEnumerator
+#   42|     -1: [TypeMention] IAsyncEnumerator<Int32>
+#   42|       1: [TypeMention] int
+#   43|     4: [BlockStmt] {...}
+#   44|       0: [YieldReturnStmt] yield return ...;
+#   44|         0: [IntLiteral] 0
+#   45|       1: [ExprStmt] ...;
+#   45|         0: [AwaitExpr] await ...
+#   45|           0: [MethodCall] call to method Delay
+#   45|             -1: [TypeAccess] access to type Task
+#   45|               0: [TypeMention] Task
+#   45|             0: [IntLiteral] 1
+#   46|       2: [YieldReturnStmt] yield return ...;
+#   46|         0: [IntLiteral] 1
 FunctionPointer.cs:
 #    5| [Class] FnPointer
 #    7|   5: [Class] Program
diff --git a/csharp/ql/test/library-tests/csharp9/foreach.expected b/csharp/ql/test/library-tests/csharp9/foreach.expected
new file mode 100644
index 00000000000..39694665cb0
--- /dev/null
+++ b/csharp/ql/test/library-tests/csharp9/foreach.expected
@@ -0,0 +1,4 @@
+| ForeachExtension.cs:24:9:26:9 | foreach (... ... in ...) ... | Int32 | sync | Extensions | ForeachExtension.cs:8:34:8:49 | System.Collections.Generic.IEnumerator<Int32> | - | System.Collections.IEnumerator | - |
+| ForeachExtension.cs:29:9:31:9 | foreach (... ... in ...) ... | Int32 | async | Extensions | ForeachExtension.cs:9:39:9:59 | System.Collections.Generic.IAsyncEnumerator<Int32> | - | System.Collections.Generic.IAsyncEnumerator<Int32> | - |
+| ForeachExtension.cs:33:9:35:9 | foreach (... ... in ...) ... | Int32 | sync | Extensions | ForeachExtension.cs:10:36:10:48 | System.Collections.Generic.IEnumerator<Int32> | - | System.Collections.IEnumerator | - |
+| ForeachExtension.cs:37:9:39:9 | foreach (... ... in ...) ... | Int32 | sync | System.Collections.IEnumerable | - | System.Collections.IEnumerator | - | System.Collections.IEnumerator | - |
diff --git a/csharp/ql/test/library-tests/csharp9/foreach.ql b/csharp/ql/test/library-tests/csharp9/foreach.ql
new file mode 100644
index 00000000000..38d431d762f
--- /dev/null
+++ b/csharp/ql/test/library-tests/csharp9/foreach.ql
@@ -0,0 +1,15 @@
+import csharp
+
+private string getLocation(Member m) {
+  if m.fromSource() then result = m.getALocation().(SourceLocation).toString() else result = "-"
+}
+
+private string getIsAsync(ForeachStmt f) {
+  if f.isAsync() then result = "async" else result = "sync"
+}
+
+from ForeachStmt f
+select f, f.getElementType().toString(), getIsAsync(f),
+  f.getGetEnumerator().getDeclaringType().getQualifiedName(), getLocation(f.getGetEnumerator()),
+  f.getCurrent().getDeclaringType().getQualifiedName(), getLocation(f.getCurrent()),
+  f.getMoveNext().getDeclaringType().getQualifiedName(), getLocation(f.getMoveNext())
diff --git a/csharp/ql/test/library-tests/csharp9/typeParameterNullability.expected b/csharp/ql/test/library-tests/csharp9/typeParameterNullability.expected
index cd42090259a..cfec2a5ca11 100644
--- a/csharp/ql/test/library-tests/csharp9/typeParameterNullability.expected
+++ b/csharp/ql/test/library-tests/csharp9/typeParameterNullability.expected
@@ -10,8 +10,6 @@ valueType
 | TypeParameterNullability.cs:19:29:19:29 | T |
 | TypeParameterNullability.cs:24:29:24:29 | T |
 valueOrRefType
-| FunctionPointer.cs:22:24:22:24 | T |
-| FunctionPointer.cs:34:24:34:24 | T |
 | TypeParameterNullability.cs:5:28:5:28 | T |
 | TypeParameterNullability.cs:9:28:9:28 | T |
 | TypeParameterNullability.cs:15:29:15:29 | T |
diff --git a/csharp/ql/test/library-tests/csharp9/typeParameterNullability.ql b/csharp/ql/test/library-tests/csharp9/typeParameterNullability.ql
index 58d3bfb8fb9..d8a966e2ff2 100644
--- a/csharp/ql/test/library-tests/csharp9/typeParameterNullability.ql
+++ b/csharp/ql/test/library-tests/csharp9/typeParameterNullability.ql
@@ -1,17 +1,17 @@
 import csharp
 
 query predicate refType(TypeParameter tp) {
-  tp.fromSource() and
+  tp.getFile().getStem() = "TypeParameterNullability" and
   tp.isRefType()
 }
 
 query predicate valueType(TypeParameter tp) {
-  tp.fromSource() and
+  tp.getFile().getStem() = "TypeParameterNullability" and
   tp.isValueType()
 }
 
 query predicate valueOrRefType(TypeParameter tp) {
-  tp.fromSource() and
+  tp.getFile().getStem() = "TypeParameterNullability" and
   not tp.isRefType() and
   not tp.isValueType()
 }
diff --git a/csharp/upgrades/TO_CHANGE/upgrade.properties b/csharp/upgrades/TO_CHANGE/upgrade.properties
new file mode 100644
index 00000000000..f9cd85e1661
--- /dev/null
+++ b/csharp/upgrades/TO_CHANGE/upgrade.properties
@@ -0,0 +1,2 @@
+description: Add 'foreach_stmt_info' relation.
+compatibility: backwards
\ No newline at end of file

From 63b0fe10e428a28c47dd8954d6370384007a3e5d Mon Sep 17 00:00:00 2001
From: Tamas Vajk <tamasvajk@github.com>
Date: Thu, 4 Feb 2021 11:19:05 +0100
Subject: [PATCH 224/429] Rework foreach_stmt_info extraction

---
 .../Entities/Statements/ForEach.cs            | 52 ++++++++++++++++---
 .../Semmle.Extraction.CSharp/Tuples.cs        | 11 ++--
 csharp/ql/src/Dead Code/DeadCode.qll          |  2 +-
 csharp/ql/src/semmle/code/csharp/Stmt.qll     | 12 ++---
 csharp/ql/src/semmlecode.csharp.dbscheme      | 13 +++--
 csharp/upgrades/TO_CHANGE/upgrade.properties  |  2 +-
 6 files changed, 70 insertions(+), 22 deletions(-)

diff --git a/csharp/extractor/Semmle.Extraction.CSharp/Entities/Statements/ForEach.cs b/csharp/extractor/Semmle.Extraction.CSharp/Entities/Statements/ForEach.cs
index ebd0f301b42..6696086b19c 100644
--- a/csharp/extractor/Semmle.Extraction.CSharp/Entities/Statements/ForEach.cs
+++ b/csharp/extractor/Semmle.Extraction.CSharp/Entities/Statements/ForEach.cs
@@ -8,6 +8,15 @@ namespace Semmle.Extraction.CSharp.Entities.Statements
 {
     internal class ForEach : Statement<ForEachStatementSyntax>
     {
+        internal enum ForeachSymbolType
+        {
+            GetEnumeratorMethod = 1,
+            CurrentProperty,
+            MoveNextMethod,
+            DisposeMethod,
+            ElementType
+        }
+
         private ForEach(Context cx, ForEachStatementSyntax stmt, IStatementParentEntity parent, int child)
             : base(cx, stmt, StmtKind.FOREACH, parent, child) { }
 
@@ -33,13 +42,44 @@ namespace Semmle.Extraction.CSharp.Entities.Statements
             Statement.Create(cx, Stmt.Statement, this, 2);
 
             var info = semanticModel.GetForEachStatementInfo(Stmt);
-            var getEnumerator = Method.Create(cx, info.GetEnumeratorMethod);
-            var currentProp = Property.Create(cx, info.CurrentProperty);
-            var moveNext = Method.Create(cx, info.MoveNextMethod);
-            var dispose = Method.Create(cx, info.DisposeMethod);
-            var elementType = Type.Create(cx, info.ElementType);
 
-            trapFile.foreach_stmt_info(this, elementType, getEnumerator, moveNext, dispose, currentProp, info.IsAsynchronous);
+            if (info.Equals(default))
+            {
+                cx.ExtractionError("Could not get foreach statement info", null, Location.Create(cx, this.ReportingLocation), severity: Util.Logging.Severity.Info);
+                return;
+            }
+
+            trapFile.foreach_stmt_info(this, info.IsAsynchronous);
+
+            if (info.GetEnumeratorMethod != null)
+            {
+                var m = Method.Create(cx, info.GetEnumeratorMethod);
+                trapFile.foreach_stmt_desugar(this, m, ForeachSymbolType.GetEnumeratorMethod);
+            }
+
+            if (info.MoveNextMethod != null)
+            {
+                var m = Method.Create(cx, info.MoveNextMethod);
+                trapFile.foreach_stmt_desugar(this, m, ForeachSymbolType.MoveNextMethod);
+            }
+
+            if (info.DisposeMethod != null)
+            {
+                var m = Method.Create(cx, info.DisposeMethod);
+                trapFile.foreach_stmt_desugar(this, m, ForeachSymbolType.DisposeMethod);
+            }
+
+            if (info.CurrentProperty != null)
+            {
+                var p = Property.Create(cx, info.CurrentProperty);
+                trapFile.foreach_stmt_desugar(this, p, ForeachSymbolType.CurrentProperty);
+            }
+
+            if (info.ElementType != null)
+            {
+                var t = Type.Create(cx, info.ElementType);
+                trapFile.foreach_stmt_desugar(this, t, ForeachSymbolType.ElementType);
+            }
         }
     }
 
diff --git a/csharp/extractor/Semmle.Extraction.CSharp/Tuples.cs b/csharp/extractor/Semmle.Extraction.CSharp/Tuples.cs
index cfb797f6ff7..df39d6a836c 100644
--- a/csharp/extractor/Semmle.Extraction.CSharp/Tuples.cs
+++ b/csharp/extractor/Semmle.Extraction.CSharp/Tuples.cs
@@ -53,10 +53,15 @@ namespace Semmle.Extraction.CSharp
             trapFile.WriteTuple("catch_type", @catch, type, explicityCaught ? 1 : 2);
         }
 
-        internal static void foreach_stmt_info(this TextWriter trapFile, Entities.Statements.ForEach @foreach, Type element, Method getEnumerator,
-            Method moveNext, Method dispose, Property current, bool isAsync)
+        internal static void foreach_stmt_info(this TextWriter trapFile, Entities.Statements.ForEach @foreach, bool isAsync)
         {
-            trapFile.WriteTuple("foreach_stmt_info", @foreach, element, getEnumerator, moveNext, dispose, current, isAsync ? 2 : 1);
+            trapFile.WriteTuple("foreach_stmt_info", @foreach, isAsync ? 2 : 1);
+        }
+
+        internal static void foreach_stmt_desugar(this TextWriter trapFile, Entities.Statements.ForEach @foreach, IEntity entity,
+            Entities.Statements.ForEach.ForeachSymbolType type)
+        {
+            trapFile.WriteTuple("foreach_stmt_desugar", @foreach, entity, (int)type);
         }
 
         internal static void commentblock(this TextWriter trapFile, CommentBlock k)
diff --git a/csharp/ql/src/Dead Code/DeadCode.qll b/csharp/ql/src/Dead Code/DeadCode.qll
index efb7a76ee78..dd0f6104e31 100644
--- a/csharp/ql/src/Dead Code/DeadCode.qll	
+++ b/csharp/ql/src/Dead Code/DeadCode.qll	
@@ -44,7 +44,7 @@ predicate potentiallyAccessedByForEach(Method m) {
   m.hasName("GetEnumerator") and
   m.getDeclaringType().getABaseType+().hasQualifiedName("System.Collections.IEnumerable")
   or
-  foreach_stmt_info(_, _, m, _, _, _, _)
+  foreach_stmt_desugar(_, m, 1)
 }
 
 predicate isRecursivelyLiveExpression(Expr e) {
diff --git a/csharp/ql/src/semmle/code/csharp/Stmt.qll b/csharp/ql/src/semmle/code/csharp/Stmt.qll
index 68e26ff0a8c..2846c3255ea 100644
--- a/csharp/ql/src/semmle/code/csharp/Stmt.qll
+++ b/csharp/ql/src/semmle/code/csharp/Stmt.qll
@@ -583,25 +583,25 @@ class ForeachStmt extends LoopStmt, @foreach_stmt {
   Expr getIterableExpr() { result = this.getChild(1) }
 
   /** Gets the called `GetEnumerator` method. */
-  Method getGetEnumerator() { foreach_stmt_info(this, _, result, _, _, _, _) }
+  Method getGetEnumerator() { foreach_stmt_desugar(this, result, 1) }
 
   /** Gets the called `MoveNext` or `MoveNextAsync` method. */
-  Method getMoveNext() { foreach_stmt_info(this, _, _, result, _, _, _) }
+  Method getMoveNext() { foreach_stmt_desugar(this, result, 3) }
 
   /** Gets the called `Dispose` or `DisposeAsync` method. */
-  Method getDispose() { foreach_stmt_info(this, _, _, _, result, _, _) }
+  Method getDispose() { foreach_stmt_desugar(this, result, 4) }
 
   /** Gets the called `Current` property. */
-  Property getCurrent() { foreach_stmt_info(this, _, _, _, _, result, _) }
+  Property getCurrent() { foreach_stmt_desugar(this, result, 2) }
 
   /**
    * Gets the intermediate type to which the `Current` property is converted before
    * being converted to the iteration variable type.
    */
-  Type getElementType() { foreach_stmt_info(this, result, _, _, _, _, _) }
+  Type getElementType() { foreach_stmt_desugar(this, result, 5) }
 
   /** Holds if this `foreach` statement is asynchronous. */
-  predicate isAsync() { foreach_stmt_info(this, _, _, _, _, _, 2) }
+  predicate isAsync() { foreach_stmt_info(this, 2) }
 
   override string toString() { result = "foreach (... ... in ...) ..." }
 
diff --git a/csharp/ql/src/semmlecode.csharp.dbscheme b/csharp/ql/src/semmlecode.csharp.dbscheme
index bcfb223217d..16936565fbe 100644
--- a/csharp/ql/src/semmlecode.csharp.dbscheme
+++ b/csharp/ql/src/semmlecode.csharp.dbscheme
@@ -984,13 +984,16 @@ catch_type(
 
 foreach_stmt_info(
   unique int id: @foreach_stmt ref,
-  int element_type_id: @type_or_ref ref,
-  int getenumerator_id: @method ref,
-  int movenext_id: @method ref,
-  int dispose_id: @method ref,
-  int current_id: @property ref,
   int kind: int ref /* non-async = 1, async = 2 */);
 
+@foreach_symbol =  @method | @property | @type_or_ref;
+
+#keyset[id, kind]
+foreach_stmt_desugar(
+  int id: @foreach_stmt ref,
+  int symbol: @foreach_symbol ref,
+  int kind: int ref /* GetEnumeratorMethod = 1, CurrentProperty = 2, MoveNextMethod = 3, DisposeMethod = 4, ElementType = 5 */);
+
 /** EXPRESSIONS **/
 
 expressions(
diff --git a/csharp/upgrades/TO_CHANGE/upgrade.properties b/csharp/upgrades/TO_CHANGE/upgrade.properties
index f9cd85e1661..0b0c3a88460 100644
--- a/csharp/upgrades/TO_CHANGE/upgrade.properties
+++ b/csharp/upgrades/TO_CHANGE/upgrade.properties
@@ -1,2 +1,2 @@
-description: Add 'foreach_stmt_info' relation.
+description: Add 'foreach_stmt_info' and 'foreach_stmt_desugar' relations.
 compatibility: backwards
\ No newline at end of file

From 96248f88458b9469ca0de72839cfb4cf5d0e8715 Mon Sep 17 00:00:00 2001
From: Tamas Vajk <tamasvajk@github.com>
Date: Fri, 5 Feb 2021 09:23:22 +0100
Subject: [PATCH 225/429] Add DB upgrade folder

---
 .../old.dbscheme                              | 2070 ++++++++++++++++
 .../semmlecode.csharp.dbscheme                | 2082 +++++++++++++++++
 .../upgrade.properties                        |    0
 3 files changed, 4152 insertions(+)
 create mode 100644 csharp/upgrades/68db341c2ed1693c2ae6e20ad533c84138cb275a/old.dbscheme
 create mode 100644 csharp/upgrades/68db341c2ed1693c2ae6e20ad533c84138cb275a/semmlecode.csharp.dbscheme
 rename csharp/upgrades/{TO_CHANGE => 68db341c2ed1693c2ae6e20ad533c84138cb275a}/upgrade.properties (100%)

diff --git a/csharp/upgrades/68db341c2ed1693c2ae6e20ad533c84138cb275a/old.dbscheme b/csharp/upgrades/68db341c2ed1693c2ae6e20ad533c84138cb275a/old.dbscheme
new file mode 100644
index 00000000000..68db341c2ed
--- /dev/null
+++ b/csharp/upgrades/68db341c2ed1693c2ae6e20ad533c84138cb275a/old.dbscheme
@@ -0,0 +1,2070 @@
+
+/**
+ * An invocation of the compiler. Note that more than one file may be
+ * compiled per invocation. For example, this command compiles three
+ * source files:
+ *
+ *   csc f1.cs f2.cs f3.cs
+ *
+ * The `id` simply identifies the invocation, while `cwd` is the working
+ * directory from which the compiler was invoked.
+ */
+compilations(
+    unique int id : @compilation,
+    string cwd : string ref
+);
+
+/**
+ * The arguments that were passed to the extractor for a compiler
+ * invocation. If `id` is for the compiler invocation
+ *
+ *   csc f1.cs f2.cs f3.cs
+ *
+ * then typically there will be rows for
+ *
+ * num | arg
+ * --- | ---
+ * 0   | --compiler
+ * 1   | *path to compiler*
+ * 2   | --cil
+ * 3   | f1.cs
+ * 4   | f2.cs
+ * 5   | f3.cs
+ */
+#keyset[id, num]
+compilation_args(
+    int id : @compilation ref,
+    int num : int ref,
+    string arg : string ref
+);
+
+/**
+ * The source files that are compiled by a compiler invocation.
+ * If `id` is for the compiler invocation
+ *
+ *   csc f1.cs f2.cs f3.cs
+ *
+ * then there will be rows for
+ *
+ * num | arg
+ * --- | ---
+ * 0   | f1.cs
+ * 1   | f2.cs
+ * 2   | f3.cs
+ */
+#keyset[id, num]
+compilation_compiling_files(
+    int id : @compilation ref,
+    int num : int ref,
+    int file : @file ref
+);
+
+/**
+ * The references used by a compiler invocation.
+ * If `id` is for the compiler invocation
+ *
+ *   csc f1.cs f2.cs f3.cs /r:ref1.dll /r:ref2.dll /r:ref3.dll
+ *
+ * then there will be rows for
+ *
+ * num | arg
+ * --- | ---
+ * 0   | ref1.dll
+ * 1   | ref2.dll
+ * 2   | ref3.dll
+ */
+#keyset[id, num]
+compilation_referencing_files(
+    int id : @compilation ref,
+    int num : int ref,
+    int file : @file ref
+);
+
+/**
+ * The time taken by the extractor for a compiler invocation.
+ *
+ * For each file `num`, there will be rows for
+ *
+ * kind | seconds
+ * ---- | ---
+ * 1    | CPU seconds used by the extractor frontend
+ * 2    | Elapsed seconds during the extractor frontend
+ * 3    | CPU seconds used by the extractor backend
+ * 4    | Elapsed seconds during the extractor backend
+ */
+#keyset[id, num, kind]
+compilation_time(
+    int id : @compilation ref,
+    int num : int ref,
+    /* kind:
+       1 = frontend_cpu_seconds
+       2 = frontend_elapsed_seconds
+       3 = extractor_cpu_seconds
+       4 = extractor_elapsed_seconds
+    */
+    int kind : int ref,
+    float seconds : float ref
+);
+
+/**
+ * An error or warning generated by the extractor.
+ * The diagnostic message `diagnostic` was generated during compiler
+ * invocation `compilation`, and is the `file_number_diagnostic_number`th
+ * message generated while extracting the `file_number`th file of that
+ * invocation.
+ */
+#keyset[compilation, file_number, file_number_diagnostic_number]
+diagnostic_for(
+    unique int diagnostic : @diagnostic ref,
+    int compilation : @compilation ref,
+    int file_number : int ref,
+    int file_number_diagnostic_number : int ref
+);
+
+diagnostics(
+    unique int id: @diagnostic,
+    int severity: int ref,
+    string error_tag: string ref,
+    string error_message: string ref,
+    string full_error_message: string ref,
+    int location: @location_default ref
+);
+
+extractor_messages(
+    unique int id: @extractor_message,
+    int severity: int ref,
+    string origin : string ref,
+    string text : string ref,
+    string entity : string ref,
+    int location: @location_default ref,
+    string stack_trace : string ref
+);
+
+/**
+ * If extraction was successful, then `cpu_seconds` and
+ * `elapsed_seconds` are the CPU time and elapsed time (respectively)
+ * that extraction took for compiler invocation `id`.
+ */
+compilation_finished(
+    unique int id : @compilation ref,
+    float cpu_seconds : float ref,
+    float elapsed_seconds : float ref
+);
+
+compilation_assembly(
+  unique int id : @compilation ref,
+  int assembly: @assembly ref
+)
+
+/*
+ * External artifacts
+ */
+
+externalDefects(
+  unique int id: @externalDefect,
+  string queryPath: string ref,
+  int location: @location ref,
+  string message: string ref,
+  float severity: float ref);
+
+externalMetrics(
+  unique int id: @externalMetric,
+  string queryPath: string ref,
+  int location: @location ref,
+  float value: float ref);
+
+externalData(
+  int id: @externalDataElement,
+  string path: string ref,
+  int column: int ref,
+  string value: string ref);
+
+snapshotDate(
+  unique date snapshotDate: date ref);
+
+sourceLocationPrefix(
+  string prefix: string ref);
+
+/*
+ * Duplicate code
+ */
+
+duplicateCode(
+  unique int id: @duplication,
+  string relativePath: string ref,
+  int equivClass: int ref);
+
+similarCode(
+  unique int id: @similarity,
+  string relativePath: string ref,
+  int equivClass: int ref);
+
+@duplication_or_similarity = @duplication | @similarity
+
+tokens(
+  int id: @duplication_or_similarity ref,
+  int offset: int ref,
+  int beginLine: int ref,
+  int beginColumn: int ref,
+  int endLine: int ref,
+  int endColumn: int ref);
+
+/*
+ * C# dbscheme
+ */
+
+/** ELEMENTS **/
+
+@element = @declaration | @stmt | @expr | @modifier | @attribute | @namespace_declaration
+         | @using_directive | @type_parameter_constraints | @external_element
+         | @xmllocatable | @asp_element | @namespace | @preprocessor_directive;
+
+@declaration = @callable | @generic | @assignable | @namespace;
+
+@named_element = @namespace | @declaration;
+
+@declaration_with_accessors = @property | @indexer | @event;
+
+@assignable = @variable | @assignable_with_accessors | @event;
+
+@assignable_with_accessors = @property | @indexer;
+
+@external_element = @externalMetric | @externalDefect | @externalDataElement;
+
+@attributable = @assembly | @field | @parameter | @operator | @method | @constructor
+              | @destructor | @callable_accessor | @value_or_ref_type | @declaration_with_accessors
+              | @local_function;
+
+/** LOCATIONS, ASEMMBLIES, MODULES, FILES and FOLDERS **/
+
+@location = @location_default | @assembly;
+
+locations_default(
+  unique int id: @location_default,
+  int file: @file ref,
+  int beginLine: int ref,
+  int beginColumn: int ref,
+  int endLine: int ref,
+  int endColumn: int ref);
+
+locations_mapped(
+  unique int id: @location_default ref,
+  int mapped_to: @location_default ref);
+
+@sourceline = @file | @callable | @xmllocatable;
+
+numlines(
+  int element_id: @sourceline ref,
+  int num_lines: int ref,
+  int num_code: int ref,
+  int num_comment: int ref);
+
+assemblies(
+  unique int id: @assembly,
+  int file: @file ref,
+  string fullname: string ref,
+  string name: string ref,
+  string version: string ref);
+
+/*
+  fromSource(0) = unknown,
+  fromSource(1) = from source,
+  fromSource(2) = from library
+*/
+files(
+  unique int id: @file,
+  string name: string ref,
+  string simple: string ref,
+  string ext: string ref,
+  int fromSource: int ref);
+
+folders(
+  unique int id: @folder,
+  string name: string ref,
+  string simple: string ref);
+
+@container = @folder | @file ;
+
+containerparent(
+  int parent: @container ref,
+  unique int child: @container ref);
+
+file_extraction_mode(
+  unique int file: @file ref,
+  int mode: int ref
+  /* 0 = normal, 1 = standalone extractor */
+  );
+
+/** NAMESPACES **/
+
+@type_container = @namespace | @type;
+
+namespaces(
+  unique int id: @namespace,
+  string name: string ref);
+
+namespace_declarations(
+  unique int id: @namespace_declaration,
+  int namespace_id: @namespace ref);
+
+namespace_declaration_location(
+  unique int id: @namespace_declaration ref,
+  int loc: @location ref);
+
+parent_namespace(
+  unique int child_id: @type_container ref,
+  int namespace_id: @namespace ref);
+
+@declaration_or_directive = @namespace_declaration | @type | @using_directive;
+
+parent_namespace_declaration(
+  int child_id: @declaration_or_directive ref, // cannot be unique because of partial classes
+  int namespace_id: @namespace_declaration ref);
+
+@using_directive = @using_namespace_directive | @using_static_directive;
+
+using_namespace_directives(
+  unique int id: @using_namespace_directive,
+  int namespace_id: @namespace ref);
+
+using_static_directives(
+  unique int id: @using_static_directive,
+  int type_id: @type_or_ref ref);
+
+using_directive_location(
+  unique int id: @using_directive ref,
+  int loc: @location ref);
+
+@preprocessor_directive = @pragma_warning | @pragma_checksum | @directive_define | @directive_undefine | @directive_warning
+  | @directive_error | @directive_nullable | @directive_line | @directive_region | @directive_endregion | @directive_if
+  | @directive_elif | @directive_else | @directive_endif;
+
+@conditional_directive = @directive_if | @directive_elif;
+@branch_directive = @directive_if | @directive_elif | @directive_else;
+
+directive_ifs(
+  unique int id: @directive_if,
+  int branchTaken: int ref,     /* 0: false, 1: true */
+  int conditionValue: int ref); /* 0: false, 1: true */
+
+directive_elifs(
+  unique int id: @directive_elif,
+  int branchTaken: int ref,     /* 0: false, 1: true */
+  int conditionValue: int ref,  /* 0: false, 1: true */
+  int parent: @directive_if ref,
+  int index: int ref);
+
+directive_elses(
+  unique int id: @directive_else,
+  int branchTaken: int ref,   /* 0: false, 1: true */
+  int parent: @directive_if ref,
+  int index: int ref);
+
+#keyset[id, start]
+directive_endifs(
+  unique int id: @directive_endif,
+  unique int start: @directive_if ref);
+
+directive_define_symbols(
+  unique int id: @define_symbol_expr ref,
+  string name: string ref);
+
+directive_regions(
+  unique int id: @directive_region,
+  string name: string ref);
+
+#keyset[id, start]
+directive_endregions(
+  unique int id: @directive_endregion,
+  unique int start: @directive_region ref);
+
+directive_lines(
+  unique int id: @directive_line,
+  int kind: int ref); /* 0: default, 1: hidden, 2: numeric */
+
+directive_line_value(
+  unique int id: @directive_line ref,
+  int line: int ref);
+
+directive_line_file(
+  unique int id: @directive_line ref,
+  int file: @file ref
+)
+
+directive_nullables(
+  unique int id: @directive_nullable,
+  int setting: int ref, /* 0: disable, 1: enable, 2: restore */
+  int target: int ref); /* 0: none, 1: annotations, 2: warnings */
+
+directive_warnings(
+  unique int id: @directive_warning,
+  string message: string ref);
+
+directive_errors(
+  unique int id: @directive_error,
+  string message: string ref);
+
+directive_undefines(
+  unique int id: @directive_undefine,
+  string name: string ref);
+
+directive_defines(
+  unique int id: @directive_define,
+  string name: string ref);
+
+pragma_checksums(
+  unique int id: @pragma_checksum,
+  int file: @file ref,
+  string guid: string ref,
+  string bytes: string ref);
+
+pragma_warnings(
+  unique int id: @pragma_warning,
+  int kind: int ref /* 0 = disable, 1 = restore */);
+
+#keyset[id, index]
+pragma_warning_error_codes(
+  int id: @pragma_warning ref,
+  string errorCode: string ref,
+  int index: int ref);
+
+preprocessor_directive_location(
+  unique int id: @preprocessor_directive ref,
+  int loc: @location ref);
+
+preprocessor_directive_compilation(
+  unique int id: @preprocessor_directive ref,
+  int compilation: @compilation ref);
+
+preprocessor_directive_active(
+  unique int id: @preprocessor_directive ref,
+  int active: int ref);  /* 0: false, 1: true */
+
+/** TYPES **/
+
+types(
+  unique int id: @type,
+  int kind: int ref,
+  string name: string ref);
+
+case @type.kind of
+   1 = @bool_type
+|  2 = @char_type
+|  3 = @decimal_type
+|  4 = @sbyte_type
+|  5 = @short_type
+|  6 = @int_type
+|  7 = @long_type
+|  8 = @byte_type
+|  9 = @ushort_type
+| 10 = @uint_type
+| 11 = @ulong_type
+| 12 = @float_type
+| 13 = @double_type
+| 14 = @enum_type
+| 15 = @struct_type
+| 17 = @class_type
+| 19 = @interface_type
+| 20 = @delegate_type
+| 21 = @null_type
+| 22 = @type_parameter
+| 23 = @pointer_type
+| 24 = @nullable_type
+| 25 = @array_type
+| 26 = @void_type
+| 27 = @int_ptr_type
+| 28 = @uint_ptr_type
+| 29 = @dynamic_type
+| 30 = @arglist_type
+| 31 = @unknown_type
+| 32 = @tuple_type
+| 33 = @function_pointer_type
+  ;
+
+@simple_type = @bool_type | @char_type | @integral_type | @floating_point_type | @decimal_type;
+@integral_type = @signed_integral_type | @unsigned_integral_type;
+@signed_integral_type = @sbyte_type | @short_type | @int_type | @long_type;
+@unsigned_integral_type = @byte_type  | @ushort_type | @uint_type | @ulong_type;
+@floating_point_type = @float_type | @double_type;
+@value_type = @simple_type | @enum_type | @struct_type | @nullable_type | @int_ptr_type
+            | @uint_ptr_type | @tuple_type;
+@ref_type = @class_type | @interface_type | @array_type | @delegate_type | @null_type
+          | @dynamic_type;
+@value_or_ref_type = @value_type | @ref_type;
+
+typerefs(
+  unique int id: @typeref,
+  string name: string ref);
+
+typeref_type(
+  int id: @typeref ref,
+  unique int typeId: @type ref);
+
+@type_or_ref = @type | @typeref;
+
+array_element_type(
+  unique int array: @array_type ref,
+  int dimension: int ref,
+  int rank: int ref,
+  int element: @type_or_ref ref);
+
+nullable_underlying_type(
+  unique int nullable: @nullable_type ref,
+  int underlying: @type_or_ref ref);
+
+pointer_referent_type(
+  unique int pointer: @pointer_type ref,
+  int referent: @type_or_ref ref);
+
+enum_underlying_type(
+  unique int enum_id: @enum_type ref,
+  int underlying_type_id: @type_or_ref ref);
+
+delegate_return_type(
+  unique int delegate_id: @delegate_type ref,
+  int return_type_id: @type_or_ref ref);
+
+function_pointer_return_type(
+    unique int function_pointer_id: @function_pointer_type ref,
+    int return_type_id: @type_or_ref ref);
+
+extend(
+  unique int sub: @type ref,
+  int super: @type_or_ref ref);
+
+anonymous_types(
+  unique int id: @type ref);
+
+@interface_or_ref = @interface_type | @typeref;
+
+implement(
+  int sub: @type ref,
+  int super: @type_or_ref ref);
+
+type_location(
+  int id: @type ref,
+  int loc: @location ref);
+
+tuple_underlying_type(
+  unique int tuple: @tuple_type ref,
+  int struct: @type_or_ref ref);
+
+#keyset[tuple, index]
+tuple_element(
+  int tuple: @tuple_type ref,
+  int index: int ref,
+  unique int field: @field ref);
+
+attributes(
+  unique int id: @attribute,
+  int type_id: @type_or_ref ref,
+  int target:  @attributable ref);
+
+attribute_location(
+  int id: @attribute ref,
+  int loc: @location ref);
+
+@type_mention_parent = @element | @type_mention;
+
+type_mention(
+  unique int id: @type_mention,
+  int type_id: @type_or_ref ref,
+  int parent: @type_mention_parent ref);
+
+type_mention_location(
+  unique int id: @type_mention ref,
+  int loc: @location ref);
+
+@has_type_annotation = @assignable | @type_parameter | @callable | @expr | @delegate_type | @generic | @function_pointer_type;
+
+/**
+ * A direct annotation on an entity, for example `string? x;`.
+ *
+ * Annotations:
+ * 2 = reftype is not annotated "!"
+ * 3 = reftype is annotated "?"
+ * 4 = readonly ref type / in parameter
+ * 5 = ref type parameter, return or local variable
+ * 6 = out parameter
+ *
+ * Note that the annotation depends on the element it annotates.
+ * @assignable: The annotation is on the type of the assignable, for example the variable type.
+ * @type_parameter: The annotation is on the reftype constraint
+ * @callable: The annotation is on the return type
+ * @array_type: The annotation is on the element type
+ */
+type_annotation(int id: @has_type_annotation ref, int annotation: int ref);
+
+nullability(unique int nullability: @nullability, int kind: int ref);
+
+case @nullability.kind of
+  0 = @oblivious
+| 1 = @not_annotated
+| 2 = @annotated
+;
+
+#keyset[parent, index]
+nullability_parent(int nullability: @nullability ref, int index: int ref, int parent: @nullability ref)
+
+type_nullability(int id: @has_type_annotation ref, int nullability: @nullability ref);
+
+/**
+ * The nullable flow state of an expression, as determined by Roslyn.
+ *   0 = none (default, not populated)
+ *   1 = not null
+ *   2 = maybe null
+ */
+expr_flowstate(unique int id: @expr ref, int state: int ref);
+
+/** GENERICS **/
+
+@generic = @type | @method | @local_function;
+
+type_parameters(
+  unique int id: @type_parameter ref,
+  int index: int ref,
+  int generic_id: @generic ref,
+  int variance: int ref /* none = 0, out = 1, in = 2 */);
+
+#keyset[constructed_id, index]
+type_arguments(
+  int id: @type_or_ref ref,
+  int index: int ref,
+  int constructed_id: @generic_or_ref ref);
+
+@generic_or_ref = @generic | @typeref;
+
+constructed_generic(
+  unique int constructed: @generic ref,
+  int generic: @generic_or_ref ref);
+
+type_parameter_constraints(
+  unique int id: @type_parameter_constraints,
+  int param_id: @type_parameter ref);
+
+type_parameter_constraints_location(
+  int id: @type_parameter_constraints ref,
+  int loc: @location ref);
+
+general_type_parameter_constraints(
+  int id: @type_parameter_constraints ref,
+  int kind: int ref /* class = 1, struct = 2, new = 3 */);
+
+specific_type_parameter_constraints(
+  int id: @type_parameter_constraints ref,
+  int base_id: @type_or_ref ref);
+
+specific_type_parameter_nullability(
+  int id: @type_parameter_constraints ref,
+  int base_id: @type_or_ref ref,
+  int nullability: @nullability ref);
+
+/** FUNCTION POINTERS */
+
+function_pointer_calling_conventions(
+  int id: @function_pointer_type ref,
+  int kind: int ref);
+
+#keyset[id, index]
+has_unmanaged_calling_conventions(
+  int id: @function_pointer_type ref,
+  int index: int ref,
+  int conv_id: @type_or_ref ref);
+
+/** MODIFIERS */
+
+@modifiable = @modifiable_direct | @event_accessor;
+
+@modifiable_direct = @member | @accessor | @local_function | @anonymous_function_expr;
+
+modifiers(
+  unique int id: @modifier,
+  string name: string ref);
+
+has_modifiers(
+  int id: @modifiable_direct ref,
+  int mod_id: @modifier ref);
+
+compiler_generated(unique int id: @modifiable_direct ref);
+
+/** MEMBERS **/
+
+@member = @method | @constructor | @destructor | @field | @property | @event | @operator | @indexer | @type;
+
+@named_exprorstmt = @goto_stmt | @labeled_stmt | @expr;
+
+@virtualizable = @method | @property | @indexer | @event;
+
+exprorstmt_name(
+  unique int parent_id: @named_exprorstmt ref,
+  string name: string ref);
+
+nested_types(
+  unique int id: @type ref,
+  int declaring_type_id: @type ref,
+  int unbound_id: @type ref);
+
+properties(
+  unique int id: @property,
+  string name: string ref,
+  int declaring_type_id: @type ref,
+  int type_id: @type_or_ref ref,
+  int unbound_id: @property ref);
+
+property_location(
+  int id: @property ref,
+  int loc: @location ref);
+
+indexers(
+  unique int id: @indexer,
+  string name: string ref,
+  int declaring_type_id: @type ref,
+  int type_id: @type_or_ref ref,
+  int unbound_id: @indexer ref);
+
+indexer_location(
+  int id: @indexer ref,
+  int loc: @location ref);
+
+accessors(
+  unique int id: @accessor,
+  int kind: int ref,
+  string name: string ref,
+  int declaring_member_id: @member ref,
+  int unbound_id: @accessor ref);
+
+case @accessor.kind of
+  1 = @getter
+| 2 = @setter
+  ;
+
+init_only_accessors(
+  unique int id: @accessor ref);
+
+accessor_location(
+  int id: @accessor ref,
+  int loc: @location ref);
+
+events(
+  unique int id: @event,
+  string name: string ref,
+  int declaring_type_id: @type ref,
+  int type_id: @type_or_ref ref,
+  int unbound_id: @event ref);
+
+event_location(
+  int id: @event ref,
+  int loc: @location ref);
+
+event_accessors(
+  unique int id: @event_accessor,
+  int kind: int ref,
+  string name: string ref,
+  int declaring_event_id: @event ref,
+  int unbound_id: @event_accessor ref);
+
+case @event_accessor.kind of
+  1 = @add_event_accessor
+| 2 = @remove_event_accessor
+  ;
+
+event_accessor_location(
+  int id: @event_accessor ref,
+  int loc: @location ref);
+
+operators(
+  unique int id: @operator,
+  string name: string ref,
+  string symbol: string ref,
+  int declaring_type_id: @type ref,
+  int type_id: @type_or_ref ref,
+  int unbound_id: @operator ref);
+
+operator_location(
+  int id: @operator ref,
+  int loc: @location ref);
+
+constant_value(
+  int id: @variable ref,
+  string value: string ref);
+
+/** CALLABLES **/
+
+@callable = @method | @constructor | @destructor | @operator | @callable_accessor | @anonymous_function_expr | @local_function;
+
+@callable_accessor = @accessor | @event_accessor;
+
+methods(
+  unique int id: @method,
+  string name: string ref,
+  int declaring_type_id: @type ref,
+  int type_id: @type_or_ref ref,
+  int unbound_id: @method ref);
+
+method_location(
+  int id: @method ref,
+  int loc: @location ref);
+
+constructors(
+  unique int id: @constructor,
+  string name: string ref,
+  int declaring_type_id: @type ref,
+  int unbound_id: @constructor ref);
+
+constructor_location(
+  int id: @constructor ref,
+  int loc: @location ref);
+
+destructors(
+  unique int id: @destructor,
+  string name: string ref,
+  int declaring_type_id: @type ref,
+  int unbound_id: @destructor ref);
+
+destructor_location(
+  int id: @destructor ref,
+  int loc: @location ref);
+
+overrides(
+  int id: @callable ref,
+  int base_id: @callable ref);
+
+explicitly_implements(
+  int id: @member ref,
+  int interface_id: @interface_or_ref ref);
+
+local_functions(
+    unique int id: @local_function,
+    string name: string ref,
+    int return_type: @type ref,
+    int unbound_id: @local_function ref);
+
+local_function_stmts(
+    unique int fn: @local_function_stmt ref,
+    int stmt: @local_function ref);
+
+/** VARIABLES **/
+
+@variable = @local_scope_variable | @field;
+
+@local_scope_variable = @local_variable | @parameter;
+
+fields(
+  unique int id: @field,
+  int kind: int ref,
+  string name: string ref,
+  int declaring_type_id: @type ref,
+  int type_id: @type_or_ref ref,
+  int unbound_id: @field ref);
+
+case @field.kind of
+  1 = @addressable_field
+| 2 = @constant
+  ;
+
+field_location(
+  int id: @field ref,
+  int loc: @location ref);
+
+localvars(
+  unique int id: @local_variable,
+  int kind: int ref,
+  string name: string ref,
+  int implicitly_typed: int ref /* 0 = no, 1 = yes */,
+  int type_id: @type_or_ref ref,
+  int parent_id: @local_var_decl_expr ref);
+
+case @local_variable.kind of
+  1 = @addressable_local_variable
+| 2 = @local_constant
+| 3 = @local_variable_ref
+  ;
+
+localvar_location(
+  unique int id: @local_variable ref,
+  int loc: @location ref);
+
+@parameterizable = @callable | @delegate_type | @indexer | @function_pointer_type;
+
+#keyset[name, parent_id]
+#keyset[index, parent_id]
+params(
+  unique int id: @parameter,
+  string name: string ref,
+  int type_id: @type_or_ref ref,
+  int index: int ref,
+  int mode: int ref, /* value = 0, ref = 1, out = 2, array = 3, this = 4 */
+  int parent_id: @parameterizable ref,
+  int unbound_id: @parameter ref);
+
+param_location(
+  int id: @parameter ref,
+  int loc: @location ref);
+
+/** STATEMENTS **/
+
+@exprorstmt_parent = @control_flow_element | @top_level_exprorstmt_parent;
+
+statements(
+  unique int id: @stmt,
+  int kind: int ref);
+
+#keyset[index, parent]
+stmt_parent(
+  unique int stmt: @stmt ref,
+  int index: int ref,
+  int parent: @control_flow_element ref);
+
+@top_level_stmt_parent = @callable;
+
+// [index, parent] is not a keyset because the same parent may be compiled multiple times
+stmt_parent_top_level(
+  unique int stmt: @stmt ref,
+  int index: int ref,
+  int parent: @top_level_stmt_parent ref);
+
+case @stmt.kind of
+   1 = @block_stmt
+|  2 = @expr_stmt
+|  3 = @if_stmt
+|  4 = @switch_stmt
+|  5 = @while_stmt
+|  6 = @do_stmt
+|  7 = @for_stmt
+|  8 = @foreach_stmt
+|  9 = @break_stmt
+| 10 = @continue_stmt
+| 11 = @goto_stmt
+| 12 = @goto_case_stmt
+| 13 = @goto_default_stmt
+| 14 = @throw_stmt
+| 15 = @return_stmt
+| 16 = @yield_stmt
+| 17 = @try_stmt
+| 18 = @checked_stmt
+| 19 = @unchecked_stmt
+| 20 = @lock_stmt
+| 21 = @using_block_stmt
+| 22 = @var_decl_stmt
+| 23 = @const_decl_stmt
+| 24 = @empty_stmt
+| 25 = @unsafe_stmt
+| 26 = @fixed_stmt
+| 27 = @label_stmt
+| 28 = @catch
+| 29 = @case_stmt
+| 30 = @local_function_stmt
+| 31 = @using_decl_stmt
+  ;
+
+@using_stmt = @using_block_stmt | @using_decl_stmt;
+
+@labeled_stmt = @label_stmt | @case;
+
+@decl_stmt = @var_decl_stmt | @const_decl_stmt | @using_decl_stmt;
+
+@cond_stmt = @if_stmt | @switch_stmt;
+
+@loop_stmt = @while_stmt | @do_stmt | @for_stmt | @foreach_stmt;
+
+@jump_stmt = @break_stmt | @goto_any_stmt | @continue_stmt | @throw_stmt | @return_stmt
+           | @yield_stmt;
+
+@goto_any_stmt = @goto_default_stmt | @goto_case_stmt | @goto_stmt;
+
+
+stmt_location(
+  unique int id: @stmt ref,
+  int loc: @location ref);
+
+catch_type(
+  unique int catch_id: @catch ref,
+  int type_id: @type_or_ref ref,
+  int kind: int ref /* explicit = 1, implicit = 2 */);
+
+/** EXPRESSIONS **/
+
+expressions(
+  unique int id: @expr,
+  int kind: int ref,
+  int type_id: @type_or_ref ref);
+
+#keyset[index, parent]
+expr_parent(
+  unique int expr: @expr ref,
+  int index: int ref,
+  int parent: @control_flow_element ref);
+
+@top_level_expr_parent = @attribute | @field | @property | @indexer | @parameter | @directive_if | @directive_elif;
+
+@top_level_exprorstmt_parent = @top_level_expr_parent | @top_level_stmt_parent;
+
+// [index, parent] is not a keyset because the same parent may be compiled multiple times
+expr_parent_top_level(
+  unique int expr: @expr ref,
+  int index: int ref,
+  int parent: @top_level_exprorstmt_parent ref);
+
+case @expr.kind of
+/* literal */
+   1 = @bool_literal_expr
+|  2 = @char_literal_expr
+|  3 = @decimal_literal_expr
+|  4 = @int_literal_expr
+|  5 = @long_literal_expr
+|  6 = @uint_literal_expr
+|  7 = @ulong_literal_expr
+|  8 = @float_literal_expr
+|  9 = @double_literal_expr
+| 10 = @string_literal_expr
+| 11 = @null_literal_expr
+/* primary & unary */
+| 12 = @this_access_expr
+| 13 = @base_access_expr
+| 14 = @local_variable_access_expr
+| 15 = @parameter_access_expr
+| 16 = @field_access_expr
+| 17 = @property_access_expr
+| 18 = @method_access_expr
+| 19 = @event_access_expr
+| 20 = @indexer_access_expr
+| 21 = @array_access_expr
+| 22 = @type_access_expr
+| 23 = @typeof_expr
+| 24 = @method_invocation_expr
+| 25 = @delegate_invocation_expr
+| 26 = @operator_invocation_expr
+| 27 = @cast_expr
+| 28 = @object_creation_expr
+| 29 = @explicit_delegate_creation_expr
+| 30 = @implicit_delegate_creation_expr
+| 31 = @array_creation_expr
+| 32 = @default_expr
+| 33 = @plus_expr
+| 34 = @minus_expr
+| 35 = @bit_not_expr
+| 36 = @log_not_expr
+| 37 = @post_incr_expr
+| 38 = @post_decr_expr
+| 39 = @pre_incr_expr
+| 40 = @pre_decr_expr
+/* multiplicative */
+| 41 = @mul_expr
+| 42 = @div_expr
+| 43 = @rem_expr
+/* additive */
+| 44 = @add_expr
+| 45 = @sub_expr
+/* shift */
+| 46 = @lshift_expr
+| 47 = @rshift_expr
+/* relational */
+| 48 = @lt_expr
+| 49 = @gt_expr
+| 50 = @le_expr
+| 51 = @ge_expr
+/* equality */
+| 52 = @eq_expr
+| 53 = @ne_expr
+/* logical */
+| 54 = @bit_and_expr
+| 55 = @bit_xor_expr
+| 56 = @bit_or_expr
+| 57 = @log_and_expr
+| 58 = @log_or_expr
+/* type testing */
+| 59 = @is_expr
+| 60 = @as_expr
+/* null coalescing */
+| 61 = @null_coalescing_expr
+/* conditional */
+| 62 = @conditional_expr
+/* assignment */
+| 63 = @simple_assign_expr
+| 64 = @assign_add_expr
+| 65 = @assign_sub_expr
+| 66 = @assign_mul_expr
+| 67 = @assign_div_expr
+| 68 = @assign_rem_expr
+| 69 = @assign_and_expr
+| 70 = @assign_xor_expr
+| 71 = @assign_or_expr
+| 72 = @assign_lshift_expr
+| 73 = @assign_rshift_expr
+/* more */
+| 74 = @object_init_expr
+| 75 = @collection_init_expr
+| 76 = @array_init_expr
+| 77 = @checked_expr
+| 78 = @unchecked_expr
+| 79 = @constructor_init_expr
+| 80 = @add_event_expr
+| 81 = @remove_event_expr
+| 82 = @par_expr
+| 83 = @local_var_decl_expr
+| 84 = @lambda_expr
+| 85 = @anonymous_method_expr
+| 86 = @namespace_expr
+/* dynamic */
+| 92 = @dynamic_element_access_expr
+| 93 = @dynamic_member_access_expr
+/* unsafe */
+| 100 = @pointer_indirection_expr
+| 101 = @address_of_expr
+| 102 = @sizeof_expr
+/* async */
+| 103 = @await_expr
+/* C# 6.0 */
+| 104 = @nameof_expr
+| 105 = @interpolated_string_expr
+| 106 = @unknown_expr
+/* C# 7.0 */
+| 107 = @throw_expr
+| 108 = @tuple_expr
+| 109 = @local_function_invocation_expr
+| 110 = @ref_expr
+| 111 = @discard_expr
+/* C# 8.0 */
+| 112 = @range_expr
+| 113 = @index_expr
+| 114 = @switch_expr
+| 115 = @recursive_pattern_expr
+| 116 = @property_pattern_expr
+| 117 = @positional_pattern_expr
+| 118 = @switch_case_expr
+| 119 = @assign_coalesce_expr
+| 120 = @suppress_nullable_warning_expr
+| 121 = @namespace_access_expr
+/* C# 9.0 */
+| 122 = @lt_pattern_expr
+| 123 = @gt_pattern_expr
+| 124 = @le_pattern_expr
+| 125 = @ge_pattern_expr
+| 126 = @not_pattern_expr
+| 127 = @and_pattern_expr
+| 128 = @or_pattern_expr
+| 129 = @function_pointer_invocation_expr
+/* Preprocessor */
+| 999 = @define_symbol_expr
+;
+
+@switch = @switch_stmt | @switch_expr;
+@case = @case_stmt | @switch_case_expr;
+@pattern_match = @case | @is_expr;
+@unary_pattern_expr = @not_pattern_expr;
+@relational_pattern_expr = @gt_pattern_expr | @lt_pattern_expr | @ge_pattern_expr | @le_pattern_expr;
+@binary_pattern_expr = @and_pattern_expr | @or_pattern_expr;
+
+@integer_literal_expr = @int_literal_expr | @long_literal_expr | @uint_literal_expr | @ulong_literal_expr;
+@real_literal_expr = @float_literal_expr | @double_literal_expr | @decimal_literal_expr;
+@literal_expr = @bool_literal_expr | @char_literal_expr | @integer_literal_expr | @real_literal_expr
+              | @string_literal_expr | @null_literal_expr;
+
+@assign_expr = @simple_assign_expr | @assign_op_expr | @local_var_decl_expr;
+@assign_op_expr =  @assign_arith_expr | @assign_bitwise_expr | @assign_event_expr | @assign_coalesce_expr;
+@assign_event_expr = @add_event_expr | @remove_event_expr;
+
+@assign_arith_expr = @assign_add_expr | @assign_sub_expr | @assign_mul_expr | @assign_div_expr
+                   | @assign_rem_expr
+@assign_bitwise_expr = @assign_and_expr | @assign_or_expr | @assign_xor_expr
+                   | @assign_lshift_expr | @assign_rshift_expr;
+
+@member_access_expr = @field_access_expr | @property_access_expr | @indexer_access_expr | @event_access_expr
+                    | @method_access_expr | @type_access_expr | @dynamic_member_access_expr;
+@access_expr = @member_access_expr | @this_access_expr | @base_access_expr | @assignable_access_expr | @namespace_access_expr;
+@element_access_expr = @indexer_access_expr | @array_access_expr | @dynamic_element_access_expr;
+
+@local_variable_access = @local_variable_access_expr | @local_var_decl_expr;
+@local_scope_variable_access_expr = @parameter_access_expr | @local_variable_access;
+@variable_access_expr = @local_scope_variable_access_expr | @field_access_expr;
+
+@assignable_access_expr = @variable_access_expr | @property_access_expr | @element_access_expr
+                        | @event_access_expr | @dynamic_member_access_expr;
+
+@objectorcollection_init_expr = @object_init_expr | @collection_init_expr;
+
+@delegate_creation_expr = @explicit_delegate_creation_expr | @implicit_delegate_creation_expr;
+
+@bin_arith_op_expr = @mul_expr | @div_expr | @rem_expr | @add_expr | @sub_expr;
+@incr_op_expr =  @pre_incr_expr | @post_incr_expr;
+@decr_op_expr =  @pre_decr_expr | @post_decr_expr;
+@mut_op_expr = @incr_op_expr | @decr_op_expr;
+@un_arith_op_expr = @plus_expr | @minus_expr | @mut_op_expr;
+@arith_op_expr = @bin_arith_op_expr | @un_arith_op_expr;
+
+@ternary_log_op_expr = @conditional_expr;
+@bin_log_op_expr = @log_and_expr | @log_or_expr | @null_coalescing_expr;
+@un_log_op_expr = @log_not_expr;
+@log_expr = @un_log_op_expr | @bin_log_op_expr | @ternary_log_op_expr;
+
+@bin_bit_op_expr =  @bit_and_expr | @bit_or_expr | @bit_xor_expr | @lshift_expr
+                 | @rshift_expr;
+@un_bit_op_expr = @bit_not_expr;
+@bit_expr = @un_bit_op_expr | @bin_bit_op_expr;
+
+@equality_op_expr =  @eq_expr | @ne_expr;
+@rel_op_expr = @gt_expr | @lt_expr| @ge_expr | @le_expr;
+@comp_expr = @equality_op_expr | @rel_op_expr;
+
+@op_expr = @assign_expr | @un_op | @bin_op | @ternary_op;
+
+@ternary_op = @ternary_log_op_expr;
+@bin_op = @bin_arith_op_expr | @bin_log_op_expr | @bin_bit_op_expr | @comp_expr;
+@un_op = @un_arith_op_expr | @un_log_op_expr | @un_bit_op_expr | @sizeof_expr
+       | @pointer_indirection_expr | @address_of_expr;
+
+@anonymous_function_expr = @lambda_expr | @anonymous_method_expr;
+
+@call = @method_invocation_expr | @constructor_init_expr | @operator_invocation_expr
+      | @delegate_invocation_expr | @object_creation_expr | @call_access_expr
+      | @local_function_invocation_expr | @function_pointer_invocation_expr;
+
+@call_access_expr = @property_access_expr | @event_access_expr | @indexer_access_expr;
+
+@late_bindable_expr = @dynamic_element_access_expr | @dynamic_member_access_expr
+                    | @object_creation_expr | @method_invocation_expr | @operator_invocation_expr;
+
+@throw_element = @throw_expr | @throw_stmt;
+
+@implicitly_typeable_object_creation_expr = @object_creation_expr | @explicit_delegate_creation_expr;
+
+implicitly_typed_array_creation(
+  unique int id: @array_creation_expr ref);
+
+explicitly_sized_array_creation(
+  unique int id: @array_creation_expr ref);
+
+stackalloc_array_creation(
+  unique int id: @array_creation_expr ref);
+
+implicitly_typed_object_creation(
+  unique int id: @implicitly_typeable_object_creation_expr ref);
+
+mutator_invocation_mode(
+  unique int id: @operator_invocation_expr ref,
+  int mode: int ref /* prefix = 1, postfix = 2*/);
+
+expr_compiler_generated(
+  unique int id: @expr ref);
+
+expr_value(
+  unique int id: @expr ref,
+  string value: string ref);
+
+expr_call(
+  unique int caller_id: @expr ref,
+  int target_id: @callable ref);
+
+expr_access(
+  unique int accesser_id: @access_expr ref,
+  int target_id: @accessible ref);
+
+@accessible = @method | @assignable | @local_function | @namespace;
+
+expr_location(
+  unique int id: @expr ref,
+  int loc: @location ref);
+
+dynamic_member_name(
+  unique int id: @late_bindable_expr ref,
+  string name: string ref);
+
+@qualifiable_expr = @member_access_expr
+                  | @method_invocation_expr
+                  | @element_access_expr;
+
+conditional_access(
+  unique int id: @qualifiable_expr ref);
+
+expr_argument(
+  unique int id: @expr ref,
+  int mode: int ref);
+  /* mode is the same as params: value = 0, ref = 1, out = 2 */
+
+expr_argument_name(
+  unique int id: @expr ref,
+  string name: string ref);
+
+/** CONTROL/DATA FLOW **/
+
+@control_flow_element = @stmt | @expr;
+
+/* XML Files */
+
+xmlEncoding  (
+  unique int id: @file ref,
+  string encoding: string ref);
+
+xmlDTDs(
+  unique int id: @xmldtd,
+  string root: string ref,
+  string publicId: string ref,
+  string systemId: string ref,
+  int fileid: @file ref);
+
+xmlElements(
+  unique int id: @xmlelement,
+  string name: string ref,
+  int parentid: @xmlparent ref,
+  int idx: int ref,
+  int fileid: @file ref);
+
+xmlAttrs(
+  unique int id: @xmlattribute,
+  int elementid: @xmlelement ref,
+  string name: string ref,
+  string value: string ref,
+  int idx: int ref,
+  int fileid: @file ref);
+
+xmlNs(
+  int id: @xmlnamespace,
+  string prefixName: string ref,
+  string URI: string ref,
+  int fileid: @file ref);
+
+xmlHasNs(
+  int elementId: @xmlnamespaceable ref,
+  int nsId: @xmlnamespace ref,
+  int fileid: @file ref);
+
+xmlComments(
+  unique int id: @xmlcomment,
+  string text: string ref,
+  int parentid: @xmlparent ref,
+  int fileid: @file ref);
+
+xmlChars(
+  unique int id: @xmlcharacters,
+  string text: string ref,
+  int parentid: @xmlparent ref,
+  int idx: int ref,
+  int isCDATA: int ref,
+  int fileid: @file ref);
+
+@xmlparent = @file | @xmlelement;
+@xmlnamespaceable = @xmlelement | @xmlattribute;
+
+xmllocations(
+  int xmlElement: @xmllocatable ref,
+  int location: @location_default ref);
+
+@xmllocatable = @xmlcharacters | @xmlelement | @xmlcomment | @xmlattribute | @xmldtd | @file | @xmlnamespace;
+
+/* Comments */
+
+commentline(
+  unique int id: @commentline,
+  int kind: int ref,
+  string text: string ref,
+  string rawtext: string ref);
+
+case @commentline.kind of
+  0 = @singlelinecomment
+| 1 = @xmldoccomment
+| 2 = @multilinecomment;
+
+commentline_location(
+  unique int id: @commentline ref,
+  int loc: @location ref);
+
+commentblock(
+  unique int id : @commentblock);
+
+commentblock_location(
+  unique int id: @commentblock ref,
+  int loc: @location ref);
+
+commentblock_binding(
+  int id: @commentblock ref,
+  int entity: @element ref,
+  int bindtype: int ref);    /* 0: Parent, 1: Best, 2: Before, 3: After */
+
+commentblock_child(
+  int id: @commentblock ref,
+  int commentline: @commentline ref,
+  int index: int ref);
+
+/* ASP.NET */
+
+case @asp_element.kind of
+  0=@asp_close_tag
+| 1=@asp_code
+| 2=@asp_comment
+| 3=@asp_data_binding
+| 4=@asp_directive
+| 5=@asp_open_tag
+| 6=@asp_quoted_string
+| 7=@asp_text
+| 8=@asp_xml_directive;
+
+@asp_attribute = @asp_code | @asp_data_binding | @asp_quoted_string;
+
+asp_elements(
+  unique int id: @asp_element,
+  int kind: int ref,
+  int loc: @location ref);
+
+asp_comment_server(unique int comment: @asp_comment ref);
+asp_code_inline(unique int code: @asp_code ref);
+asp_directive_attribute(
+  int directive: @asp_directive ref,
+  int index: int ref,
+  string name: string ref,
+  int value: @asp_quoted_string ref);
+asp_directive_name(
+  unique int directive: @asp_directive ref,
+  string name: string ref);
+asp_element_body(
+  unique int element: @asp_element ref,
+  string body: string ref);
+asp_tag_attribute(
+  int tag: @asp_open_tag ref,
+  int index: int ref,
+  string name: string ref,
+  int attribute: @asp_attribute ref);
+asp_tag_name(
+  unique int tag: @asp_open_tag ref,
+  string name: string ref);
+asp_tag_isempty(int tag: @asp_open_tag ref);
+
+/* Common Intermediate Language - CIL */
+
+case @cil_instruction.opcode of
+  0 = @cil_nop
+| 1 = @cil_break
+| 2 = @cil_ldarg_0
+| 3 = @cil_ldarg_1
+| 4 = @cil_ldarg_2
+| 5 = @cil_ldarg_3
+| 6 = @cil_ldloc_0
+| 7 = @cil_ldloc_1
+| 8 = @cil_ldloc_2
+| 9 = @cil_ldloc_3
+| 10 = @cil_stloc_0
+| 11 = @cil_stloc_1
+| 12 = @cil_stloc_2
+| 13 = @cil_stloc_3
+| 14 = @cil_ldarg_s
+| 15 = @cil_ldarga_s
+| 16 = @cil_starg_s
+| 17 = @cil_ldloc_s
+| 18 = @cil_ldloca_s
+| 19 = @cil_stloc_s
+| 20 = @cil_ldnull
+| 21 = @cil_ldc_i4_m1
+| 22 = @cil_ldc_i4_0
+| 23 = @cil_ldc_i4_1
+| 24 = @cil_ldc_i4_2
+| 25 = @cil_ldc_i4_3
+| 26 = @cil_ldc_i4_4
+| 27 = @cil_ldc_i4_5
+| 28 = @cil_ldc_i4_6
+| 29 = @cil_ldc_i4_7
+| 30 = @cil_ldc_i4_8
+| 31 = @cil_ldc_i4_s
+| 32 = @cil_ldc_i4
+| 33 = @cil_ldc_i8
+| 34 = @cil_ldc_r4
+| 35 = @cil_ldc_r8
+| 37 = @cil_dup
+| 38 = @cil_pop
+| 39 = @cil_jmp
+| 40 = @cil_call
+| 41 = @cil_calli
+| 42 = @cil_ret
+| 43 = @cil_br_s
+| 44 = @cil_brfalse_s
+| 45 = @cil_brtrue_s
+| 46 = @cil_beq_s
+| 47 = @cil_bge_s
+| 48 = @cil_bgt_s
+| 49 = @cil_ble_s
+| 50 = @cil_blt_s
+| 51 = @cil_bne_un_s
+| 52 = @cil_bge_un_s
+| 53 = @cil_bgt_un_s
+| 54 = @cil_ble_un_s
+| 55 = @cil_blt_un_s
+| 56 = @cil_br
+| 57 = @cil_brfalse
+| 58 = @cil_brtrue
+| 59 = @cil_beq
+| 60 = @cil_bge
+| 61 = @cil_bgt
+| 62 = @cil_ble
+| 63 = @cil_blt
+| 64 = @cil_bne_un
+| 65 = @cil_bge_un
+| 66 = @cil_bgt_un
+| 67 = @cil_ble_un
+| 68 = @cil_blt_un
+| 69 = @cil_switch
+| 70 = @cil_ldind_i1
+| 71 = @cil_ldind_u1
+| 72 = @cil_ldind_i2
+| 73 = @cil_ldind_u2
+| 74 = @cil_ldind_i4
+| 75 = @cil_ldind_u4
+| 76 = @cil_ldind_i8
+| 77 = @cil_ldind_i
+| 78 = @cil_ldind_r4
+| 79 = @cil_ldind_r8
+| 80 = @cil_ldind_ref
+| 81 = @cil_stind_ref
+| 82 = @cil_stind_i1
+| 83 = @cil_stind_i2
+| 84 = @cil_stind_i4
+| 85 = @cil_stind_i8
+| 86 = @cil_stind_r4
+| 87 = @cil_stind_r8
+| 88 = @cil_add
+| 89 = @cil_sub
+| 90 = @cil_mul
+| 91 = @cil_div
+| 92 = @cil_div_un
+| 93 = @cil_rem
+| 94 = @cil_rem_un
+| 95 = @cil_and
+| 96 = @cil_or
+| 97 = @cil_xor
+| 98 = @cil_shl
+| 99 = @cil_shr
+| 100 = @cil_shr_un
+| 101 = @cil_neg
+| 102 = @cil_not
+| 103 = @cil_conv_i1
+| 104 = @cil_conv_i2
+| 105 = @cil_conv_i4
+| 106 = @cil_conv_i8
+| 107 = @cil_conv_r4
+| 108 = @cil_conv_r8
+| 109 = @cil_conv_u4
+| 110 = @cil_conv_u8
+| 111 = @cil_callvirt
+| 112 = @cil_cpobj
+| 113 = @cil_ldobj
+| 114 = @cil_ldstr
+| 115 = @cil_newobj
+| 116 = @cil_castclass
+| 117 = @cil_isinst
+| 118 = @cil_conv_r_un
+| 121 = @cil_unbox
+| 122 = @cil_throw
+| 123 = @cil_ldfld
+| 124 = @cil_ldflda
+| 125 = @cil_stfld
+| 126 = @cil_ldsfld
+| 127 = @cil_ldsflda
+| 128 = @cil_stsfld
+| 129 = @cil_stobj
+| 130 = @cil_conv_ovf_i1_un
+| 131 = @cil_conv_ovf_i2_un
+| 132 = @cil_conv_ovf_i4_un
+| 133 = @cil_conv_ovf_i8_un
+| 134 = @cil_conv_ovf_u1_un
+| 135 = @cil_conv_ovf_u2_un
+| 136 = @cil_conv_ovf_u4_un
+| 137 = @cil_conv_ovf_u8_un
+| 138 = @cil_conv_ovf_i_un
+| 139 = @cil_conv_ovf_u_un
+| 140 = @cil_box
+| 141 = @cil_newarr
+| 142 = @cil_ldlen
+| 143 = @cil_ldelema
+| 144 = @cil_ldelem_i1
+| 145 = @cil_ldelem_u1
+| 146 = @cil_ldelem_i2
+| 147 = @cil_ldelem_u2
+| 148 = @cil_ldelem_i4
+| 149 = @cil_ldelem_u4
+| 150 = @cil_ldelem_i8
+| 151 = @cil_ldelem_i
+| 152 = @cil_ldelem_r4
+| 153 = @cil_ldelem_r8
+| 154 = @cil_ldelem_ref
+| 155 = @cil_stelem_i
+| 156 = @cil_stelem_i1
+| 157 = @cil_stelem_i2
+| 158 = @cil_stelem_i4
+| 159 = @cil_stelem_i8
+| 160 = @cil_stelem_r4
+| 161 = @cil_stelem_r8
+| 162 = @cil_stelem_ref
+| 163 = @cil_ldelem
+| 164 = @cil_stelem
+| 165 = @cil_unbox_any
+| 179 = @cil_conv_ovf_i1
+| 180 = @cil_conv_ovf_u1
+| 181 = @cil_conv_ovf_i2
+| 182 = @cil_conv_ovf_u2
+| 183 = @cil_conv_ovf_i4
+| 184 = @cil_conv_ovf_u4
+| 185 = @cil_conv_ovf_i8
+| 186 = @cil_conv_ovf_u8
+| 194 = @cil_refanyval
+| 195 = @cil_ckinfinite
+| 198 = @cil_mkrefany
+| 208 = @cil_ldtoken
+| 209 = @cil_conv_u2
+| 210 = @cil_conv_u1
+| 211 = @cil_conv_i
+| 212 = @cil_conv_ovf_i
+| 213 = @cil_conv_ovf_u
+| 214 = @cil_add_ovf
+| 215 = @cil_add_ovf_un
+| 216 = @cil_mul_ovf
+| 217 = @cil_mul_ovf_un
+| 218 = @cil_sub_ovf
+| 219 = @cil_sub_ovf_un
+| 220 = @cil_endfinally
+| 221 = @cil_leave
+| 222 = @cil_leave_s
+| 223 = @cil_stind_i
+| 224 = @cil_conv_u
+| 65024 = @cil_arglist
+| 65025 = @cil_ceq
+| 65026 = @cil_cgt
+| 65027 = @cil_cgt_un
+| 65028 = @cil_clt
+| 65029 = @cil_clt_un
+| 65030 = @cil_ldftn
+| 65031 = @cil_ldvirtftn
+| 65033 = @cil_ldarg
+| 65034 = @cil_ldarga
+| 65035 = @cil_starg
+| 65036 = @cil_ldloc
+| 65037 = @cil_ldloca
+| 65038 = @cil_stloc
+| 65039 = @cil_localloc
+| 65041 = @cil_endfilter
+| 65042 = @cil_unaligned
+| 65043 = @cil_volatile
+| 65044 = @cil_tail
+| 65045 = @cil_initobj
+| 65046 = @cil_constrained
+| 65047 = @cil_cpblk
+| 65048 = @cil_initblk
+| 65050 = @cil_rethrow
+| 65052 = @cil_sizeof
+| 65053 = @cil_refanytype
+| 65054 = @cil_readonly
+;
+
+// CIL ignored instructions
+
+@cil_ignore = @cil_nop | @cil_break | @cil_volatile | @cil_unaligned;
+
+// CIL local/parameter/field access
+
+@cil_ldarg_any = @cil_ldarg_0 | @cil_ldarg_1 | @cil_ldarg_2 | @cil_ldarg_3 | @cil_ldarg_s | @cil_ldarga_s | @cil_ldarg | @cil_ldarga;
+@cil_starg_any = @cil_starg | @cil_starg_s;
+
+@cil_ldloc_any = @cil_ldloc_0 | @cil_ldloc_1 | @cil_ldloc_2 | @cil_ldloc_3 | @cil_ldloc_s | @cil_ldloca_s | @cil_ldloc | @cil_ldloca;
+@cil_stloc_any = @cil_stloc_0 | @cil_stloc_1 | @cil_stloc_2 | @cil_stloc_3 | @cil_stloc_s | @cil_stloc;
+
+@cil_ldfld_any = @cil_ldfld | @cil_ldsfld | @cil_ldsflda | @cil_ldflda;
+@cil_stfld_any = @cil_stfld | @cil_stsfld;
+
+@cil_local_access = @cil_stloc_any | @cil_ldloc_any;
+@cil_arg_access = @cil_starg_any | @cil_ldarg_any;
+@cil_read_access = @cil_ldloc_any | @cil_ldarg_any | @cil_ldfld_any;
+@cil_write_access = @cil_stloc_any | @cil_starg_any | @cil_stfld_any;
+
+@cil_stack_access = @cil_local_access | @cil_arg_access;
+@cil_field_access = @cil_ldfld_any | @cil_stfld_any;
+
+@cil_access = @cil_read_access | @cil_write_access;
+
+// CIL constant/literal instructions
+
+@cil_ldc_i = @cil_ldc_i4_any | @cil_ldc_i8;
+
+@cil_ldc_i4_any = @cil_ldc_i4_m1 | @cil_ldc_i4_0 | @cil_ldc_i4_1 | @cil_ldc_i4_2 | @cil_ldc_i4_3 |
+  @cil_ldc_i4_4 | @cil_ldc_i4_5 | @cil_ldc_i4_6 | @cil_ldc_i4_7 | @cil_ldc_i4_8 | @cil_ldc_i4_s | @cil_ldc_i4;
+
+@cil_ldc_r = @cil_ldc_r4 | @cil_ldc_r8;
+
+@cil_literal = @cil_ldnull | @cil_ldc_i | @cil_ldc_r | @cil_ldstr;
+
+// Control flow
+
+@cil_conditional_jump = @cil_binary_jump | @cil_unary_jump;
+@cil_binary_jump = @cil_beq_s | @cil_bge_s | @cil_bgt_s | @cil_ble_s | @cil_blt_s |
+    @cil_bne_un_s | @cil_bge_un_s | @cil_bgt_un_s | @cil_ble_un_s | @cil_blt_un_s |
+    @cil_beq | @cil_bge | @cil_bgt | @cil_ble | @cil_blt |
+    @cil_bne_un | @cil_bge_un | @cil_bgt_un | @cil_ble_un | @cil_blt_un;
+@cil_unary_jump = @cil_brfalse_s | @cil_brtrue_s | @cil_brfalse | @cil_brtrue | @cil_switch;
+@cil_unconditional_jump = @cil_br | @cil_br_s | @cil_leave_any;
+@cil_leave_any = @cil_leave | @cil_leave_s;
+@cil_jump = @cil_unconditional_jump | @cil_conditional_jump;
+
+// CIL call instructions
+
+@cil_call_any = @cil_jmp | @cil_call | @cil_calli | @cil_tail | @cil_callvirt | @cil_newobj;
+
+// CIL expression instructions
+
+@cil_expr = @cil_literal | @cil_binary_expr | @cil_unary_expr | @cil_call_any | @cil_read_access |
+  @cil_newarr | @cil_ldtoken | @cil_sizeof |
+  @cil_ldftn | @cil_ldvirtftn | @cil_localloc | @cil_mkrefany | @cil_refanytype | @cil_arglist | @cil_dup;
+
+@cil_unary_expr =
+  @cil_conversion_operation | @cil_unary_arithmetic_operation | @cil_unary_bitwise_operation|
+  @cil_ldlen | @cil_isinst | @cil_box | @cil_ldobj | @cil_castclass | @cil_unbox_any |
+  @cil_ldind | @cil_unbox;
+
+@cil_conversion_operation =
+  @cil_conv_i1 | @cil_conv_i2 | @cil_conv_i4 | @cil_conv_i8 |
+  @cil_conv_u1 | @cil_conv_u2 | @cil_conv_u4 | @cil_conv_u8 |
+  @cil_conv_ovf_i | @cil_conv_ovf_i_un | @cil_conv_ovf_i1 | @cil_conv_ovf_i1_un |
+  @cil_conv_ovf_i2 | @cil_conv_ovf_i2_un | @cil_conv_ovf_i4 | @cil_conv_ovf_i4_un |
+  @cil_conv_ovf_i8 | @cil_conv_ovf_i8_un | @cil_conv_ovf_u | @cil_conv_ovf_u_un |
+  @cil_conv_ovf_u1 | @cil_conv_ovf_u1_un | @cil_conv_ovf_u2 | @cil_conv_ovf_u2_un |
+  @cil_conv_ovf_u4 | @cil_conv_ovf_u4_un | @cil_conv_ovf_u8 | @cil_conv_ovf_u8_un |
+  @cil_conv_r4 | @cil_conv_r8 | @cil_conv_ovf_u2 | @cil_conv_ovf_u2_un |
+  @cil_conv_i | @cil_conv_u | @cil_conv_r_un;
+
+@cil_ldind = @cil_ldind_i | @cil_ldind_i1 | @cil_ldind_i2 | @cil_ldind_i4 | @cil_ldind_i8 |
+  @cil_ldind_r4 | @cil_ldind_r8 | @cil_ldind_ref | @cil_ldind_u1 | @cil_ldind_u2 | @cil_ldind_u4;
+
+@cil_stind = @cil_stind_i | @cil_stind_i1 | @cil_stind_i2 | @cil_stind_i4 | @cil_stind_i8 |
+  @cil_stind_r4 | @cil_stind_r8 | @cil_stind_ref;
+
+@cil_bitwise_operation = @cil_binary_bitwise_operation | @cil_unary_bitwise_operation;
+
+@cil_binary_bitwise_operation = @cil_and | @cil_or | @cil_xor | @cil_shr | @cil_shr | @cil_shr_un | @cil_shl;
+
+@cil_binary_arithmetic_operation = @cil_add | @cil_sub | @cil_mul | @cil_div | @cil_div_un |
+  @cil_rem | @cil_rem_un | @cil_add_ovf | @cil_add_ovf_un | @cil_mul_ovf | @cil_mul_ovf_un |
+  @cil_sub_ovf | @cil_sub_ovf_un;
+
+@cil_unary_bitwise_operation = @cil_not;
+
+@cil_binary_expr = @cil_binary_arithmetic_operation | @cil_binary_bitwise_operation | @cil_read_array | @cil_comparison_operation;
+
+@cil_unary_arithmetic_operation = @cil_neg;
+
+@cil_comparison_operation = @cil_cgt_un | @cil_ceq | @cil_cgt | @cil_clt | @cil_clt_un;
+
+// Elements that retrieve an address of something
+@cil_read_ref = @cil_ldloca_s | @cil_ldarga_s | @cil_ldflda | @cil_ldsflda | @cil_ldelema;
+
+// CIL array instructions
+
+@cil_read_array =
+  @cil_ldelem | @cil_ldelema | @cil_ldelem_i1 | @cil_ldelem_ref | @cil_ldelem_i |
+  @cil_ldelem_i1 | @cil_ldelem_i2 | @cil_ldelem_i4 | @cil_ldelem_i8 | @cil_ldelem_r4 |
+  @cil_ldelem_r8 | @cil_ldelem_u1 | @cil_ldelem_u2 | @cil_ldelem_u4;
+
+@cil_write_array = @cil_stelem | @cil_stelem_ref |
+  @cil_stelem_i | @cil_stelem_i1 | @cil_stelem_i2 | @cil_stelem_i4 | @cil_stelem_i8 |
+  @cil_stelem_r4 | @cil_stelem_r8;
+
+@cil_throw_any = @cil_throw | @cil_rethrow;
+
+#keyset[impl, index]
+cil_instruction(
+  unique int id: @cil_instruction,
+  int opcode: int ref,
+  int index: int ref,
+  int impl: @cil_method_implementation ref);
+
+cil_jump(
+  unique int instruction: @cil_jump ref,
+  int target: @cil_instruction ref);
+
+cil_access(
+  unique int instruction: @cil_instruction ref,
+  int target: @cil_accessible ref);
+
+cil_value(
+  unique int instruction: @cil_literal ref,
+  string value: string ref);
+
+#keyset[instruction, index]
+cil_switch(
+  int instruction: @cil_switch ref,
+  int index: int ref,
+  int target: @cil_instruction ref);
+
+cil_instruction_location(
+  unique int id: @cil_instruction ref,
+  int loc: @location ref);
+
+cil_type_location(
+  int id: @cil_type ref,
+  int loc: @location ref);
+
+cil_method_location(
+  int id: @cil_method ref,
+  int loc: @location ref);
+
+@cil_namespace = @namespace;
+
+@cil_type_container = @cil_type | @cil_namespace | @cil_method;
+
+case @cil_type.kind of
+  0 = @cil_valueorreftype
+| 1 = @cil_typeparameter
+| 2 = @cil_array_type
+| 3 = @cil_pointer_type
+| 4 = @cil_function_pointer_type
+;
+
+cil_type(
+  unique int id: @cil_type,
+  string name: string ref,
+  int kind: int ref,
+  int parent: @cil_type_container ref,
+  int sourceDecl: @cil_type ref);
+
+cil_pointer_type(
+  unique int id: @cil_pointer_type ref,
+  int pointee: @cil_type ref);
+
+cil_array_type(
+  unique int id: @cil_array_type ref,
+  int element_type: @cil_type ref,
+  int rank: int ref);
+
+cil_function_pointer_return_type(
+  unique int id: @cil_function_pointer_type ref,
+  int return_type: @cil_type ref);
+
+cil_method(
+  unique int id: @cil_method,
+  string name: string ref,
+  int parent: @cil_type ref,
+  int return_type: @cil_type ref);
+
+cil_method_source_declaration(
+  unique int method: @cil_method ref,
+  int source: @cil_method ref);
+
+cil_method_implementation(
+  unique int id: @cil_method_implementation,
+  int method: @cil_method ref,
+  int location: @assembly ref);
+
+cil_implements(
+  int id: @cil_method ref,
+  int decl: @cil_method ref);
+
+#keyset[parent, name]
+cil_field(
+  unique int id: @cil_field,
+  int parent: @cil_type ref,
+  string name: string ref,
+  int field_type: @cil_type ref);
+
+@cil_element = @cil_instruction | @cil_declaration | @cil_handler | @cil_attribute | @cil_namespace;
+@cil_named_element = @cil_declaration | @cil_namespace;
+@cil_declaration = @cil_variable | @cil_method | @cil_type | @cil_member;
+@cil_accessible = @cil_declaration;
+@cil_variable = @cil_field | @cil_stack_variable;
+@cil_stack_variable = @cil_local_variable | @cil_parameter;
+@cil_member = @cil_method | @cil_type | @cil_field | @cil_property | @cil_event;
+@cil_custom_modifier_receiver = @cil_method | @cil_property | @cil_parameter | @cil_field | @cil_function_pointer_type;
+@cil_parameterizable = @cil_method | @cil_function_pointer_type;
+@cil_has_type_annotation = @cil_stack_variable | @cil_property | @cil_method | @cil_function_pointer_type;
+
+#keyset[parameterizable, index]
+cil_parameter(
+  unique int id: @cil_parameter,
+  int parameterizable: @cil_parameterizable ref,
+  int index: int ref,
+  int param_type: @cil_type ref);
+
+cil_parameter_in(unique int id: @cil_parameter ref);
+cil_parameter_out(unique int id: @cil_parameter ref);
+
+cil_setter(unique int prop: @cil_property ref,
+  int method: @cil_method ref);
+
+#keyset[id, modifier]
+cil_custom_modifiers(
+  int id: @cil_custom_modifier_receiver ref,
+  int modifier: @cil_type ref,
+  int kind: int ref); // modreq: 1, modopt: 0
+
+cil_type_annotation(
+  int id: @cil_has_type_annotation ref,
+  int annotation: int ref);
+
+cil_getter(unique int prop: @cil_property ref,
+  int method: @cil_method ref);
+
+cil_adder(unique int event: @cil_event ref,
+  int method: @cil_method ref);
+
+cil_remover(unique int event: @cil_event ref, int method: @cil_method ref);
+
+cil_raiser(unique int event: @cil_event ref, int method: @cil_method ref);
+
+cil_property(
+  unique int id: @cil_property,
+  int parent: @cil_type ref,
+  string name: string ref,
+  int property_type: @cil_type ref);
+
+#keyset[parent, name]
+cil_event(unique int id: @cil_event,
+  int parent: @cil_type ref,
+  string name: string ref,
+  int event_type: @cil_type ref);
+
+#keyset[impl, index]
+cil_local_variable(
+  unique int id: @cil_local_variable,
+  int impl: @cil_method_implementation ref,
+  int index: int ref,
+  int var_type: @cil_type ref);
+
+cil_function_pointer_calling_conventions(
+  int id: @cil_function_pointer_type ref,
+  int kind: int ref);
+
+// CIL handlers (exception handlers etc).
+
+case @cil_handler.kind of
+  0 = @cil_catch_handler
+| 1 = @cil_filter_handler
+| 2 = @cil_finally_handler
+| 4 = @cil_fault_handler
+;
+
+#keyset[impl, index]
+cil_handler(
+  unique int id: @cil_handler,
+  int impl: @cil_method_implementation ref,
+  int index: int ref,
+  int kind: int ref,
+  int try_start: @cil_instruction ref,
+  int try_end: @cil_instruction ref,
+  int handler_start: @cil_instruction ref);
+
+cil_handler_filter(
+  unique int id: @cil_handler ref,
+  int filter_start: @cil_instruction ref);
+
+cil_handler_type(
+  unique int id: @cil_handler ref,
+  int catch_type: @cil_type ref);
+
+@cil_controlflow_node = @cil_entry_point | @cil_instruction;
+
+@cil_entry_point = @cil_method_implementation | @cil_handler;
+
+@cil_dataflow_node = @cil_instruction | @cil_variable | @cil_method;
+
+cil_method_stack_size(
+  unique int method: @cil_method_implementation ref,
+  int size: int ref);
+
+// CIL modifiers
+
+cil_public(int id: @cil_member ref);
+cil_private(int id: @cil_member ref);
+cil_protected(int id: @cil_member ref);
+cil_internal(int id: @cil_member ref);
+cil_static(int id: @cil_member ref);
+cil_sealed(int id: @cil_member ref);
+cil_virtual(int id: @cil_method ref);
+cil_abstract(int id: @cil_member ref);
+cil_class(int id: @cil_type ref);
+cil_interface(int id: @cil_type ref);
+cil_security(int id: @cil_member ref);
+cil_requiresecobject(int id: @cil_method ref);
+cil_specialname(int id: @cil_method ref);
+cil_newslot(int id: @cil_method ref);
+
+cil_base_class(unique int id: @cil_type ref, int base: @cil_type ref);
+cil_base_interface(int id: @cil_type ref, int base: @cil_type ref);
+cil_enum_underlying_type(unique int id: @cil_type ref, int underlying: @cil_type ref);
+
+#keyset[unbound, index]
+cil_type_parameter(
+  int unbound: @cil_member ref,
+  int index: int ref,
+  int param: @cil_typeparameter ref);
+
+#keyset[bound, index]
+cil_type_argument(
+  int bound: @cil_member ref,
+  int index: int ref,
+  int t: @cil_type ref);
+
+// CIL type parameter constraints
+
+cil_typeparam_covariant(int tp: @cil_typeparameter ref);
+cil_typeparam_contravariant(int tp: @cil_typeparameter ref);
+cil_typeparam_class(int tp: @cil_typeparameter ref);
+cil_typeparam_struct(int tp: @cil_typeparameter ref);
+cil_typeparam_new(int tp: @cil_typeparameter ref);
+cil_typeparam_constraint(int tp: @cil_typeparameter ref, int supertype: @cil_type ref);
+
+// CIL attributes
+
+cil_attribute(
+  unique int attributeid: @cil_attribute,
+  int element: @cil_declaration ref,
+  int constructor: @cil_method ref);
+
+#keyset[attribute_id, param]
+cil_attribute_named_argument(
+  int attribute_id: @cil_attribute ref,
+  string param: string ref,
+  string value: string ref);
+
+#keyset[attribute_id, index]
+cil_attribute_positional_argument(
+  int attribute_id: @cil_attribute ref,
+  int index: int ref,
+  string value: string ref);
+
+
+// Common .Net data model covering both C# and CIL
+
+// Common elements
+@dotnet_element = @element | @cil_element;
+@dotnet_named_element = @named_element | @cil_named_element;
+@dotnet_callable = @callable | @cil_method;
+@dotnet_variable = @variable | @cil_variable;
+@dotnet_field = @field | @cil_field;
+@dotnet_parameter = @parameter | @cil_parameter;
+@dotnet_declaration = @declaration | @cil_declaration;
+@dotnet_member = @member | @cil_member;
+@dotnet_event = @event | @cil_event;
+@dotnet_property = @property | @cil_property | @indexer;
+@dotnet_parameterizable = @parameterizable | @cil_parameterizable;
+
+// Common types
+@dotnet_type = @type | @cil_type;
+@dotnet_call = @call | @cil_call_any;
+@dotnet_throw = @throw_element | @cil_throw_any;
+@dotnet_valueorreftype = @cil_valueorreftype | @value_or_ref_type | @cil_array_type | @void_type;
+@dotnet_typeparameter = @type_parameter | @cil_typeparameter;
+@dotnet_array_type = @array_type | @cil_array_type;
+@dotnet_pointer_type = @pointer_type | @cil_pointer_type;
+@dotnet_type_parameter = @type_parameter | @cil_typeparameter;
+@dotnet_generic = @dotnet_valueorreftype | @dotnet_callable;
+
+// Attributes
+@dotnet_attribute = @attribute | @cil_attribute;
+
+// Expressions
+@dotnet_expr = @expr | @cil_expr;
+
+// Literals
+@dotnet_literal = @literal_expr | @cil_literal;
+@dotnet_string_literal = @string_literal_expr | @cil_ldstr;
+@dotnet_int_literal = @integer_literal_expr | @cil_ldc_i;
+@dotnet_float_literal = @float_literal_expr | @cil_ldc_r;
+@dotnet_null_literal = @null_literal_expr | @cil_ldnull;
+
+@metadata_entity = @cil_method | @cil_type | @cil_field | @cil_property | @field | @property |
+    @callable | @value_or_ref_type | @void_type;
+
+#keyset[entity, location]
+metadata_handle(int entity : @metadata_entity ref, int location: @assembly ref, int handle: int ref)
diff --git a/csharp/upgrades/68db341c2ed1693c2ae6e20ad533c84138cb275a/semmlecode.csharp.dbscheme b/csharp/upgrades/68db341c2ed1693c2ae6e20ad533c84138cb275a/semmlecode.csharp.dbscheme
new file mode 100644
index 00000000000..16936565fbe
--- /dev/null
+++ b/csharp/upgrades/68db341c2ed1693c2ae6e20ad533c84138cb275a/semmlecode.csharp.dbscheme
@@ -0,0 +1,2082 @@
+
+/**
+ * An invocation of the compiler. Note that more than one file may be
+ * compiled per invocation. For example, this command compiles three
+ * source files:
+ *
+ *   csc f1.cs f2.cs f3.cs
+ *
+ * The `id` simply identifies the invocation, while `cwd` is the working
+ * directory from which the compiler was invoked.
+ */
+compilations(
+    unique int id : @compilation,
+    string cwd : string ref
+);
+
+/**
+ * The arguments that were passed to the extractor for a compiler
+ * invocation. If `id` is for the compiler invocation
+ *
+ *   csc f1.cs f2.cs f3.cs
+ *
+ * then typically there will be rows for
+ *
+ * num | arg
+ * --- | ---
+ * 0   | --compiler
+ * 1   | *path to compiler*
+ * 2   | --cil
+ * 3   | f1.cs
+ * 4   | f2.cs
+ * 5   | f3.cs
+ */
+#keyset[id, num]
+compilation_args(
+    int id : @compilation ref,
+    int num : int ref,
+    string arg : string ref
+);
+
+/**
+ * The source files that are compiled by a compiler invocation.
+ * If `id` is for the compiler invocation
+ *
+ *   csc f1.cs f2.cs f3.cs
+ *
+ * then there will be rows for
+ *
+ * num | arg
+ * --- | ---
+ * 0   | f1.cs
+ * 1   | f2.cs
+ * 2   | f3.cs
+ */
+#keyset[id, num]
+compilation_compiling_files(
+    int id : @compilation ref,
+    int num : int ref,
+    int file : @file ref
+);
+
+/**
+ * The references used by a compiler invocation.
+ * If `id` is for the compiler invocation
+ *
+ *   csc f1.cs f2.cs f3.cs /r:ref1.dll /r:ref2.dll /r:ref3.dll
+ *
+ * then there will be rows for
+ *
+ * num | arg
+ * --- | ---
+ * 0   | ref1.dll
+ * 1   | ref2.dll
+ * 2   | ref3.dll
+ */
+#keyset[id, num]
+compilation_referencing_files(
+    int id : @compilation ref,
+    int num : int ref,
+    int file : @file ref
+);
+
+/**
+ * The time taken by the extractor for a compiler invocation.
+ *
+ * For each file `num`, there will be rows for
+ *
+ * kind | seconds
+ * ---- | ---
+ * 1    | CPU seconds used by the extractor frontend
+ * 2    | Elapsed seconds during the extractor frontend
+ * 3    | CPU seconds used by the extractor backend
+ * 4    | Elapsed seconds during the extractor backend
+ */
+#keyset[id, num, kind]
+compilation_time(
+    int id : @compilation ref,
+    int num : int ref,
+    /* kind:
+       1 = frontend_cpu_seconds
+       2 = frontend_elapsed_seconds
+       3 = extractor_cpu_seconds
+       4 = extractor_elapsed_seconds
+    */
+    int kind : int ref,
+    float seconds : float ref
+);
+
+/**
+ * An error or warning generated by the extractor.
+ * The diagnostic message `diagnostic` was generated during compiler
+ * invocation `compilation`, and is the `file_number_diagnostic_number`th
+ * message generated while extracting the `file_number`th file of that
+ * invocation.
+ */
+#keyset[compilation, file_number, file_number_diagnostic_number]
+diagnostic_for(
+    unique int diagnostic : @diagnostic ref,
+    int compilation : @compilation ref,
+    int file_number : int ref,
+    int file_number_diagnostic_number : int ref
+);
+
+diagnostics(
+    unique int id: @diagnostic,
+    int severity: int ref,
+    string error_tag: string ref,
+    string error_message: string ref,
+    string full_error_message: string ref,
+    int location: @location_default ref
+);
+
+extractor_messages(
+    unique int id: @extractor_message,
+    int severity: int ref,
+    string origin : string ref,
+    string text : string ref,
+    string entity : string ref,
+    int location: @location_default ref,
+    string stack_trace : string ref
+);
+
+/**
+ * If extraction was successful, then `cpu_seconds` and
+ * `elapsed_seconds` are the CPU time and elapsed time (respectively)
+ * that extraction took for compiler invocation `id`.
+ */
+compilation_finished(
+    unique int id : @compilation ref,
+    float cpu_seconds : float ref,
+    float elapsed_seconds : float ref
+);
+
+compilation_assembly(
+  unique int id : @compilation ref,
+  int assembly: @assembly ref
+)
+
+/*
+ * External artifacts
+ */
+
+externalDefects(
+  unique int id: @externalDefect,
+  string queryPath: string ref,
+  int location: @location ref,
+  string message: string ref,
+  float severity: float ref);
+
+externalMetrics(
+  unique int id: @externalMetric,
+  string queryPath: string ref,
+  int location: @location ref,
+  float value: float ref);
+
+externalData(
+  int id: @externalDataElement,
+  string path: string ref,
+  int column: int ref,
+  string value: string ref);
+
+snapshotDate(
+  unique date snapshotDate: date ref);
+
+sourceLocationPrefix(
+  string prefix: string ref);
+
+/*
+ * Duplicate code
+ */
+
+duplicateCode(
+  unique int id: @duplication,
+  string relativePath: string ref,
+  int equivClass: int ref);
+
+similarCode(
+  unique int id: @similarity,
+  string relativePath: string ref,
+  int equivClass: int ref);
+
+@duplication_or_similarity = @duplication | @similarity
+
+tokens(
+  int id: @duplication_or_similarity ref,
+  int offset: int ref,
+  int beginLine: int ref,
+  int beginColumn: int ref,
+  int endLine: int ref,
+  int endColumn: int ref);
+
+/*
+ * C# dbscheme
+ */
+
+/** ELEMENTS **/
+
+@element = @declaration | @stmt | @expr | @modifier | @attribute | @namespace_declaration
+         | @using_directive | @type_parameter_constraints | @external_element
+         | @xmllocatable | @asp_element | @namespace | @preprocessor_directive;
+
+@declaration = @callable | @generic | @assignable | @namespace;
+
+@named_element = @namespace | @declaration;
+
+@declaration_with_accessors = @property | @indexer | @event;
+
+@assignable = @variable | @assignable_with_accessors | @event;
+
+@assignable_with_accessors = @property | @indexer;
+
+@external_element = @externalMetric | @externalDefect | @externalDataElement;
+
+@attributable = @assembly | @field | @parameter | @operator | @method | @constructor
+              | @destructor | @callable_accessor | @value_or_ref_type | @declaration_with_accessors
+              | @local_function;
+
+/** LOCATIONS, ASEMMBLIES, MODULES, FILES and FOLDERS **/
+
+@location = @location_default | @assembly;
+
+locations_default(
+  unique int id: @location_default,
+  int file: @file ref,
+  int beginLine: int ref,
+  int beginColumn: int ref,
+  int endLine: int ref,
+  int endColumn: int ref);
+
+locations_mapped(
+  unique int id: @location_default ref,
+  int mapped_to: @location_default ref);
+
+@sourceline = @file | @callable | @xmllocatable;
+
+numlines(
+  int element_id: @sourceline ref,
+  int num_lines: int ref,
+  int num_code: int ref,
+  int num_comment: int ref);
+
+assemblies(
+  unique int id: @assembly,
+  int file: @file ref,
+  string fullname: string ref,
+  string name: string ref,
+  string version: string ref);
+
+/*
+  fromSource(0) = unknown,
+  fromSource(1) = from source,
+  fromSource(2) = from library
+*/
+files(
+  unique int id: @file,
+  string name: string ref,
+  string simple: string ref,
+  string ext: string ref,
+  int fromSource: int ref);
+
+folders(
+  unique int id: @folder,
+  string name: string ref,
+  string simple: string ref);
+
+@container = @folder | @file ;
+
+containerparent(
+  int parent: @container ref,
+  unique int child: @container ref);
+
+file_extraction_mode(
+  unique int file: @file ref,
+  int mode: int ref
+  /* 0 = normal, 1 = standalone extractor */
+  );
+
+/** NAMESPACES **/
+
+@type_container = @namespace | @type;
+
+namespaces(
+  unique int id: @namespace,
+  string name: string ref);
+
+namespace_declarations(
+  unique int id: @namespace_declaration,
+  int namespace_id: @namespace ref);
+
+namespace_declaration_location(
+  unique int id: @namespace_declaration ref,
+  int loc: @location ref);
+
+parent_namespace(
+  unique int child_id: @type_container ref,
+  int namespace_id: @namespace ref);
+
+@declaration_or_directive = @namespace_declaration | @type | @using_directive;
+
+parent_namespace_declaration(
+  int child_id: @declaration_or_directive ref, // cannot be unique because of partial classes
+  int namespace_id: @namespace_declaration ref);
+
+@using_directive = @using_namespace_directive | @using_static_directive;
+
+using_namespace_directives(
+  unique int id: @using_namespace_directive,
+  int namespace_id: @namespace ref);
+
+using_static_directives(
+  unique int id: @using_static_directive,
+  int type_id: @type_or_ref ref);
+
+using_directive_location(
+  unique int id: @using_directive ref,
+  int loc: @location ref);
+
+@preprocessor_directive = @pragma_warning | @pragma_checksum | @directive_define | @directive_undefine | @directive_warning
+  | @directive_error | @directive_nullable | @directive_line | @directive_region | @directive_endregion | @directive_if
+  | @directive_elif | @directive_else | @directive_endif;
+
+@conditional_directive = @directive_if | @directive_elif;
+@branch_directive = @directive_if | @directive_elif | @directive_else;
+
+directive_ifs(
+  unique int id: @directive_if,
+  int branchTaken: int ref,     /* 0: false, 1: true */
+  int conditionValue: int ref); /* 0: false, 1: true */
+
+directive_elifs(
+  unique int id: @directive_elif,
+  int branchTaken: int ref,     /* 0: false, 1: true */
+  int conditionValue: int ref,  /* 0: false, 1: true */
+  int parent: @directive_if ref,
+  int index: int ref);
+
+directive_elses(
+  unique int id: @directive_else,
+  int branchTaken: int ref,   /* 0: false, 1: true */
+  int parent: @directive_if ref,
+  int index: int ref);
+
+#keyset[id, start]
+directive_endifs(
+  unique int id: @directive_endif,
+  unique int start: @directive_if ref);
+
+directive_define_symbols(
+  unique int id: @define_symbol_expr ref,
+  string name: string ref);
+
+directive_regions(
+  unique int id: @directive_region,
+  string name: string ref);
+
+#keyset[id, start]
+directive_endregions(
+  unique int id: @directive_endregion,
+  unique int start: @directive_region ref);
+
+directive_lines(
+  unique int id: @directive_line,
+  int kind: int ref); /* 0: default, 1: hidden, 2: numeric */
+
+directive_line_value(
+  unique int id: @directive_line ref,
+  int line: int ref);
+
+directive_line_file(
+  unique int id: @directive_line ref,
+  int file: @file ref
+)
+
+directive_nullables(
+  unique int id: @directive_nullable,
+  int setting: int ref, /* 0: disable, 1: enable, 2: restore */
+  int target: int ref); /* 0: none, 1: annotations, 2: warnings */
+
+directive_warnings(
+  unique int id: @directive_warning,
+  string message: string ref);
+
+directive_errors(
+  unique int id: @directive_error,
+  string message: string ref);
+
+directive_undefines(
+  unique int id: @directive_undefine,
+  string name: string ref);
+
+directive_defines(
+  unique int id: @directive_define,
+  string name: string ref);
+
+pragma_checksums(
+  unique int id: @pragma_checksum,
+  int file: @file ref,
+  string guid: string ref,
+  string bytes: string ref);
+
+pragma_warnings(
+  unique int id: @pragma_warning,
+  int kind: int ref /* 0 = disable, 1 = restore */);
+
+#keyset[id, index]
+pragma_warning_error_codes(
+  int id: @pragma_warning ref,
+  string errorCode: string ref,
+  int index: int ref);
+
+preprocessor_directive_location(
+  unique int id: @preprocessor_directive ref,
+  int loc: @location ref);
+
+preprocessor_directive_compilation(
+  unique int id: @preprocessor_directive ref,
+  int compilation: @compilation ref);
+
+preprocessor_directive_active(
+  unique int id: @preprocessor_directive ref,
+  int active: int ref);  /* 0: false, 1: true */
+
+/** TYPES **/
+
+types(
+  unique int id: @type,
+  int kind: int ref,
+  string name: string ref);
+
+case @type.kind of
+   1 = @bool_type
+|  2 = @char_type
+|  3 = @decimal_type
+|  4 = @sbyte_type
+|  5 = @short_type
+|  6 = @int_type
+|  7 = @long_type
+|  8 = @byte_type
+|  9 = @ushort_type
+| 10 = @uint_type
+| 11 = @ulong_type
+| 12 = @float_type
+| 13 = @double_type
+| 14 = @enum_type
+| 15 = @struct_type
+| 17 = @class_type
+| 19 = @interface_type
+| 20 = @delegate_type
+| 21 = @null_type
+| 22 = @type_parameter
+| 23 = @pointer_type
+| 24 = @nullable_type
+| 25 = @array_type
+| 26 = @void_type
+| 27 = @int_ptr_type
+| 28 = @uint_ptr_type
+| 29 = @dynamic_type
+| 30 = @arglist_type
+| 31 = @unknown_type
+| 32 = @tuple_type
+| 33 = @function_pointer_type
+  ;
+
+@simple_type = @bool_type | @char_type | @integral_type | @floating_point_type | @decimal_type;
+@integral_type = @signed_integral_type | @unsigned_integral_type;
+@signed_integral_type = @sbyte_type | @short_type | @int_type | @long_type;
+@unsigned_integral_type = @byte_type  | @ushort_type | @uint_type | @ulong_type;
+@floating_point_type = @float_type | @double_type;
+@value_type = @simple_type | @enum_type | @struct_type | @nullable_type | @int_ptr_type
+            | @uint_ptr_type | @tuple_type;
+@ref_type = @class_type | @interface_type | @array_type | @delegate_type | @null_type
+          | @dynamic_type;
+@value_or_ref_type = @value_type | @ref_type;
+
+typerefs(
+  unique int id: @typeref,
+  string name: string ref);
+
+typeref_type(
+  int id: @typeref ref,
+  unique int typeId: @type ref);
+
+@type_or_ref = @type | @typeref;
+
+array_element_type(
+  unique int array: @array_type ref,
+  int dimension: int ref,
+  int rank: int ref,
+  int element: @type_or_ref ref);
+
+nullable_underlying_type(
+  unique int nullable: @nullable_type ref,
+  int underlying: @type_or_ref ref);
+
+pointer_referent_type(
+  unique int pointer: @pointer_type ref,
+  int referent: @type_or_ref ref);
+
+enum_underlying_type(
+  unique int enum_id: @enum_type ref,
+  int underlying_type_id: @type_or_ref ref);
+
+delegate_return_type(
+  unique int delegate_id: @delegate_type ref,
+  int return_type_id: @type_or_ref ref);
+
+function_pointer_return_type(
+    unique int function_pointer_id: @function_pointer_type ref,
+    int return_type_id: @type_or_ref ref);
+
+extend(
+  unique int sub: @type ref,
+  int super: @type_or_ref ref);
+
+anonymous_types(
+  unique int id: @type ref);
+
+@interface_or_ref = @interface_type | @typeref;
+
+implement(
+  int sub: @type ref,
+  int super: @type_or_ref ref);
+
+type_location(
+  int id: @type ref,
+  int loc: @location ref);
+
+tuple_underlying_type(
+  unique int tuple: @tuple_type ref,
+  int struct: @type_or_ref ref);
+
+#keyset[tuple, index]
+tuple_element(
+  int tuple: @tuple_type ref,
+  int index: int ref,
+  unique int field: @field ref);
+
+attributes(
+  unique int id: @attribute,
+  int type_id: @type_or_ref ref,
+  int target:  @attributable ref);
+
+attribute_location(
+  int id: @attribute ref,
+  int loc: @location ref);
+
+@type_mention_parent = @element | @type_mention;
+
+type_mention(
+  unique int id: @type_mention,
+  int type_id: @type_or_ref ref,
+  int parent: @type_mention_parent ref);
+
+type_mention_location(
+  unique int id: @type_mention ref,
+  int loc: @location ref);
+
+@has_type_annotation = @assignable | @type_parameter | @callable | @expr | @delegate_type | @generic | @function_pointer_type;
+
+/**
+ * A direct annotation on an entity, for example `string? x;`.
+ *
+ * Annotations:
+ * 2 = reftype is not annotated "!"
+ * 3 = reftype is annotated "?"
+ * 4 = readonly ref type / in parameter
+ * 5 = ref type parameter, return or local variable
+ * 6 = out parameter
+ *
+ * Note that the annotation depends on the element it annotates.
+ * @assignable: The annotation is on the type of the assignable, for example the variable type.
+ * @type_parameter: The annotation is on the reftype constraint
+ * @callable: The annotation is on the return type
+ * @array_type: The annotation is on the element type
+ */
+type_annotation(int id: @has_type_annotation ref, int annotation: int ref);
+
+nullability(unique int nullability: @nullability, int kind: int ref);
+
+case @nullability.kind of
+  0 = @oblivious
+| 1 = @not_annotated
+| 2 = @annotated
+;
+
+#keyset[parent, index]
+nullability_parent(int nullability: @nullability ref, int index: int ref, int parent: @nullability ref)
+
+type_nullability(int id: @has_type_annotation ref, int nullability: @nullability ref);
+
+/**
+ * The nullable flow state of an expression, as determined by Roslyn.
+ *   0 = none (default, not populated)
+ *   1 = not null
+ *   2 = maybe null
+ */
+expr_flowstate(unique int id: @expr ref, int state: int ref);
+
+/** GENERICS **/
+
+@generic = @type | @method | @local_function;
+
+type_parameters(
+  unique int id: @type_parameter ref,
+  int index: int ref,
+  int generic_id: @generic ref,
+  int variance: int ref /* none = 0, out = 1, in = 2 */);
+
+#keyset[constructed_id, index]
+type_arguments(
+  int id: @type_or_ref ref,
+  int index: int ref,
+  int constructed_id: @generic_or_ref ref);
+
+@generic_or_ref = @generic | @typeref;
+
+constructed_generic(
+  unique int constructed: @generic ref,
+  int generic: @generic_or_ref ref);
+
+type_parameter_constraints(
+  unique int id: @type_parameter_constraints,
+  int param_id: @type_parameter ref);
+
+type_parameter_constraints_location(
+  int id: @type_parameter_constraints ref,
+  int loc: @location ref);
+
+general_type_parameter_constraints(
+  int id: @type_parameter_constraints ref,
+  int kind: int ref /* class = 1, struct = 2, new = 3 */);
+
+specific_type_parameter_constraints(
+  int id: @type_parameter_constraints ref,
+  int base_id: @type_or_ref ref);
+
+specific_type_parameter_nullability(
+  int id: @type_parameter_constraints ref,
+  int base_id: @type_or_ref ref,
+  int nullability: @nullability ref);
+
+/** FUNCTION POINTERS */
+
+function_pointer_calling_conventions(
+  int id: @function_pointer_type ref,
+  int kind: int ref);
+
+#keyset[id, index]
+has_unmanaged_calling_conventions(
+  int id: @function_pointer_type ref,
+  int index: int ref,
+  int conv_id: @type_or_ref ref);
+
+/** MODIFIERS */
+
+@modifiable = @modifiable_direct | @event_accessor;
+
+@modifiable_direct = @member | @accessor | @local_function | @anonymous_function_expr;
+
+modifiers(
+  unique int id: @modifier,
+  string name: string ref);
+
+has_modifiers(
+  int id: @modifiable_direct ref,
+  int mod_id: @modifier ref);
+
+compiler_generated(unique int id: @modifiable_direct ref);
+
+/** MEMBERS **/
+
+@member = @method | @constructor | @destructor | @field | @property | @event | @operator | @indexer | @type;
+
+@named_exprorstmt = @goto_stmt | @labeled_stmt | @expr;
+
+@virtualizable = @method | @property | @indexer | @event;
+
+exprorstmt_name(
+  unique int parent_id: @named_exprorstmt ref,
+  string name: string ref);
+
+nested_types(
+  unique int id: @type ref,
+  int declaring_type_id: @type ref,
+  int unbound_id: @type ref);
+
+properties(
+  unique int id: @property,
+  string name: string ref,
+  int declaring_type_id: @type ref,
+  int type_id: @type_or_ref ref,
+  int unbound_id: @property ref);
+
+property_location(
+  int id: @property ref,
+  int loc: @location ref);
+
+indexers(
+  unique int id: @indexer,
+  string name: string ref,
+  int declaring_type_id: @type ref,
+  int type_id: @type_or_ref ref,
+  int unbound_id: @indexer ref);
+
+indexer_location(
+  int id: @indexer ref,
+  int loc: @location ref);
+
+accessors(
+  unique int id: @accessor,
+  int kind: int ref,
+  string name: string ref,
+  int declaring_member_id: @member ref,
+  int unbound_id: @accessor ref);
+
+case @accessor.kind of
+  1 = @getter
+| 2 = @setter
+  ;
+
+init_only_accessors(
+  unique int id: @accessor ref);
+
+accessor_location(
+  int id: @accessor ref,
+  int loc: @location ref);
+
+events(
+  unique int id: @event,
+  string name: string ref,
+  int declaring_type_id: @type ref,
+  int type_id: @type_or_ref ref,
+  int unbound_id: @event ref);
+
+event_location(
+  int id: @event ref,
+  int loc: @location ref);
+
+event_accessors(
+  unique int id: @event_accessor,
+  int kind: int ref,
+  string name: string ref,
+  int declaring_event_id: @event ref,
+  int unbound_id: @event_accessor ref);
+
+case @event_accessor.kind of
+  1 = @add_event_accessor
+| 2 = @remove_event_accessor
+  ;
+
+event_accessor_location(
+  int id: @event_accessor ref,
+  int loc: @location ref);
+
+operators(
+  unique int id: @operator,
+  string name: string ref,
+  string symbol: string ref,
+  int declaring_type_id: @type ref,
+  int type_id: @type_or_ref ref,
+  int unbound_id: @operator ref);
+
+operator_location(
+  int id: @operator ref,
+  int loc: @location ref);
+
+constant_value(
+  int id: @variable ref,
+  string value: string ref);
+
+/** CALLABLES **/
+
+@callable = @method | @constructor | @destructor | @operator | @callable_accessor | @anonymous_function_expr | @local_function;
+
+@callable_accessor = @accessor | @event_accessor;
+
+methods(
+  unique int id: @method,
+  string name: string ref,
+  int declaring_type_id: @type ref,
+  int type_id: @type_or_ref ref,
+  int unbound_id: @method ref);
+
+method_location(
+  int id: @method ref,
+  int loc: @location ref);
+
+constructors(
+  unique int id: @constructor,
+  string name: string ref,
+  int declaring_type_id: @type ref,
+  int unbound_id: @constructor ref);
+
+constructor_location(
+  int id: @constructor ref,
+  int loc: @location ref);
+
+destructors(
+  unique int id: @destructor,
+  string name: string ref,
+  int declaring_type_id: @type ref,
+  int unbound_id: @destructor ref);
+
+destructor_location(
+  int id: @destructor ref,
+  int loc: @location ref);
+
+overrides(
+  int id: @callable ref,
+  int base_id: @callable ref);
+
+explicitly_implements(
+  int id: @member ref,
+  int interface_id: @interface_or_ref ref);
+
+local_functions(
+    unique int id: @local_function,
+    string name: string ref,
+    int return_type: @type ref,
+    int unbound_id: @local_function ref);
+
+local_function_stmts(
+    unique int fn: @local_function_stmt ref,
+    int stmt: @local_function ref);
+
+/** VARIABLES **/
+
+@variable = @local_scope_variable | @field;
+
+@local_scope_variable = @local_variable | @parameter;
+
+fields(
+  unique int id: @field,
+  int kind: int ref,
+  string name: string ref,
+  int declaring_type_id: @type ref,
+  int type_id: @type_or_ref ref,
+  int unbound_id: @field ref);
+
+case @field.kind of
+  1 = @addressable_field
+| 2 = @constant
+  ;
+
+field_location(
+  int id: @field ref,
+  int loc: @location ref);
+
+localvars(
+  unique int id: @local_variable,
+  int kind: int ref,
+  string name: string ref,
+  int implicitly_typed: int ref /* 0 = no, 1 = yes */,
+  int type_id: @type_or_ref ref,
+  int parent_id: @local_var_decl_expr ref);
+
+case @local_variable.kind of
+  1 = @addressable_local_variable
+| 2 = @local_constant
+| 3 = @local_variable_ref
+  ;
+
+localvar_location(
+  unique int id: @local_variable ref,
+  int loc: @location ref);
+
+@parameterizable = @callable | @delegate_type | @indexer | @function_pointer_type;
+
+#keyset[name, parent_id]
+#keyset[index, parent_id]
+params(
+  unique int id: @parameter,
+  string name: string ref,
+  int type_id: @type_or_ref ref,
+  int index: int ref,
+  int mode: int ref, /* value = 0, ref = 1, out = 2, array = 3, this = 4 */
+  int parent_id: @parameterizable ref,
+  int unbound_id: @parameter ref);
+
+param_location(
+  int id: @parameter ref,
+  int loc: @location ref);
+
+/** STATEMENTS **/
+
+@exprorstmt_parent = @control_flow_element | @top_level_exprorstmt_parent;
+
+statements(
+  unique int id: @stmt,
+  int kind: int ref);
+
+#keyset[index, parent]
+stmt_parent(
+  unique int stmt: @stmt ref,
+  int index: int ref,
+  int parent: @control_flow_element ref);
+
+@top_level_stmt_parent = @callable;
+
+// [index, parent] is not a keyset because the same parent may be compiled multiple times
+stmt_parent_top_level(
+  unique int stmt: @stmt ref,
+  int index: int ref,
+  int parent: @top_level_stmt_parent ref);
+
+case @stmt.kind of
+   1 = @block_stmt
+|  2 = @expr_stmt
+|  3 = @if_stmt
+|  4 = @switch_stmt
+|  5 = @while_stmt
+|  6 = @do_stmt
+|  7 = @for_stmt
+|  8 = @foreach_stmt
+|  9 = @break_stmt
+| 10 = @continue_stmt
+| 11 = @goto_stmt
+| 12 = @goto_case_stmt
+| 13 = @goto_default_stmt
+| 14 = @throw_stmt
+| 15 = @return_stmt
+| 16 = @yield_stmt
+| 17 = @try_stmt
+| 18 = @checked_stmt
+| 19 = @unchecked_stmt
+| 20 = @lock_stmt
+| 21 = @using_block_stmt
+| 22 = @var_decl_stmt
+| 23 = @const_decl_stmt
+| 24 = @empty_stmt
+| 25 = @unsafe_stmt
+| 26 = @fixed_stmt
+| 27 = @label_stmt
+| 28 = @catch
+| 29 = @case_stmt
+| 30 = @local_function_stmt
+| 31 = @using_decl_stmt
+  ;
+
+@using_stmt = @using_block_stmt | @using_decl_stmt;
+
+@labeled_stmt = @label_stmt | @case;
+
+@decl_stmt = @var_decl_stmt | @const_decl_stmt | @using_decl_stmt;
+
+@cond_stmt = @if_stmt | @switch_stmt;
+
+@loop_stmt = @while_stmt | @do_stmt | @for_stmt | @foreach_stmt;
+
+@jump_stmt = @break_stmt | @goto_any_stmt | @continue_stmt | @throw_stmt | @return_stmt
+           | @yield_stmt;
+
+@goto_any_stmt = @goto_default_stmt | @goto_case_stmt | @goto_stmt;
+
+
+stmt_location(
+  unique int id: @stmt ref,
+  int loc: @location ref);
+
+catch_type(
+  unique int catch_id: @catch ref,
+  int type_id: @type_or_ref ref,
+  int kind: int ref /* explicit = 1, implicit = 2 */);
+
+foreach_stmt_info(
+  unique int id: @foreach_stmt ref,
+  int kind: int ref /* non-async = 1, async = 2 */);
+
+@foreach_symbol =  @method | @property | @type_or_ref;
+
+#keyset[id, kind]
+foreach_stmt_desugar(
+  int id: @foreach_stmt ref,
+  int symbol: @foreach_symbol ref,
+  int kind: int ref /* GetEnumeratorMethod = 1, CurrentProperty = 2, MoveNextMethod = 3, DisposeMethod = 4, ElementType = 5 */);
+
+/** EXPRESSIONS **/
+
+expressions(
+  unique int id: @expr,
+  int kind: int ref,
+  int type_id: @type_or_ref ref);
+
+#keyset[index, parent]
+expr_parent(
+  unique int expr: @expr ref,
+  int index: int ref,
+  int parent: @control_flow_element ref);
+
+@top_level_expr_parent = @attribute | @field | @property | @indexer | @parameter | @directive_if | @directive_elif;
+
+@top_level_exprorstmt_parent = @top_level_expr_parent | @top_level_stmt_parent;
+
+// [index, parent] is not a keyset because the same parent may be compiled multiple times
+expr_parent_top_level(
+  unique int expr: @expr ref,
+  int index: int ref,
+  int parent: @top_level_exprorstmt_parent ref);
+
+case @expr.kind of
+/* literal */
+   1 = @bool_literal_expr
+|  2 = @char_literal_expr
+|  3 = @decimal_literal_expr
+|  4 = @int_literal_expr
+|  5 = @long_literal_expr
+|  6 = @uint_literal_expr
+|  7 = @ulong_literal_expr
+|  8 = @float_literal_expr
+|  9 = @double_literal_expr
+| 10 = @string_literal_expr
+| 11 = @null_literal_expr
+/* primary & unary */
+| 12 = @this_access_expr
+| 13 = @base_access_expr
+| 14 = @local_variable_access_expr
+| 15 = @parameter_access_expr
+| 16 = @field_access_expr
+| 17 = @property_access_expr
+| 18 = @method_access_expr
+| 19 = @event_access_expr
+| 20 = @indexer_access_expr
+| 21 = @array_access_expr
+| 22 = @type_access_expr
+| 23 = @typeof_expr
+| 24 = @method_invocation_expr
+| 25 = @delegate_invocation_expr
+| 26 = @operator_invocation_expr
+| 27 = @cast_expr
+| 28 = @object_creation_expr
+| 29 = @explicit_delegate_creation_expr
+| 30 = @implicit_delegate_creation_expr
+| 31 = @array_creation_expr
+| 32 = @default_expr
+| 33 = @plus_expr
+| 34 = @minus_expr
+| 35 = @bit_not_expr
+| 36 = @log_not_expr
+| 37 = @post_incr_expr
+| 38 = @post_decr_expr
+| 39 = @pre_incr_expr
+| 40 = @pre_decr_expr
+/* multiplicative */
+| 41 = @mul_expr
+| 42 = @div_expr
+| 43 = @rem_expr
+/* additive */
+| 44 = @add_expr
+| 45 = @sub_expr
+/* shift */
+| 46 = @lshift_expr
+| 47 = @rshift_expr
+/* relational */
+| 48 = @lt_expr
+| 49 = @gt_expr
+| 50 = @le_expr
+| 51 = @ge_expr
+/* equality */
+| 52 = @eq_expr
+| 53 = @ne_expr
+/* logical */
+| 54 = @bit_and_expr
+| 55 = @bit_xor_expr
+| 56 = @bit_or_expr
+| 57 = @log_and_expr
+| 58 = @log_or_expr
+/* type testing */
+| 59 = @is_expr
+| 60 = @as_expr
+/* null coalescing */
+| 61 = @null_coalescing_expr
+/* conditional */
+| 62 = @conditional_expr
+/* assignment */
+| 63 = @simple_assign_expr
+| 64 = @assign_add_expr
+| 65 = @assign_sub_expr
+| 66 = @assign_mul_expr
+| 67 = @assign_div_expr
+| 68 = @assign_rem_expr
+| 69 = @assign_and_expr
+| 70 = @assign_xor_expr
+| 71 = @assign_or_expr
+| 72 = @assign_lshift_expr
+| 73 = @assign_rshift_expr
+/* more */
+| 74 = @object_init_expr
+| 75 = @collection_init_expr
+| 76 = @array_init_expr
+| 77 = @checked_expr
+| 78 = @unchecked_expr
+| 79 = @constructor_init_expr
+| 80 = @add_event_expr
+| 81 = @remove_event_expr
+| 82 = @par_expr
+| 83 = @local_var_decl_expr
+| 84 = @lambda_expr
+| 85 = @anonymous_method_expr
+| 86 = @namespace_expr
+/* dynamic */
+| 92 = @dynamic_element_access_expr
+| 93 = @dynamic_member_access_expr
+/* unsafe */
+| 100 = @pointer_indirection_expr
+| 101 = @address_of_expr
+| 102 = @sizeof_expr
+/* async */
+| 103 = @await_expr
+/* C# 6.0 */
+| 104 = @nameof_expr
+| 105 = @interpolated_string_expr
+| 106 = @unknown_expr
+/* C# 7.0 */
+| 107 = @throw_expr
+| 108 = @tuple_expr
+| 109 = @local_function_invocation_expr
+| 110 = @ref_expr
+| 111 = @discard_expr
+/* C# 8.0 */
+| 112 = @range_expr
+| 113 = @index_expr
+| 114 = @switch_expr
+| 115 = @recursive_pattern_expr
+| 116 = @property_pattern_expr
+| 117 = @positional_pattern_expr
+| 118 = @switch_case_expr
+| 119 = @assign_coalesce_expr
+| 120 = @suppress_nullable_warning_expr
+| 121 = @namespace_access_expr
+/* C# 9.0 */
+| 122 = @lt_pattern_expr
+| 123 = @gt_pattern_expr
+| 124 = @le_pattern_expr
+| 125 = @ge_pattern_expr
+| 126 = @not_pattern_expr
+| 127 = @and_pattern_expr
+| 128 = @or_pattern_expr
+| 129 = @function_pointer_invocation_expr
+/* Preprocessor */
+| 999 = @define_symbol_expr
+;
+
+@switch = @switch_stmt | @switch_expr;
+@case = @case_stmt | @switch_case_expr;
+@pattern_match = @case | @is_expr;
+@unary_pattern_expr = @not_pattern_expr;
+@relational_pattern_expr = @gt_pattern_expr | @lt_pattern_expr | @ge_pattern_expr | @le_pattern_expr;
+@binary_pattern_expr = @and_pattern_expr | @or_pattern_expr;
+
+@integer_literal_expr = @int_literal_expr | @long_literal_expr | @uint_literal_expr | @ulong_literal_expr;
+@real_literal_expr = @float_literal_expr | @double_literal_expr | @decimal_literal_expr;
+@literal_expr = @bool_literal_expr | @char_literal_expr | @integer_literal_expr | @real_literal_expr
+              | @string_literal_expr | @null_literal_expr;
+
+@assign_expr = @simple_assign_expr | @assign_op_expr | @local_var_decl_expr;
+@assign_op_expr =  @assign_arith_expr | @assign_bitwise_expr | @assign_event_expr | @assign_coalesce_expr;
+@assign_event_expr = @add_event_expr | @remove_event_expr;
+
+@assign_arith_expr = @assign_add_expr | @assign_sub_expr | @assign_mul_expr | @assign_div_expr
+                   | @assign_rem_expr
+@assign_bitwise_expr = @assign_and_expr | @assign_or_expr | @assign_xor_expr
+                   | @assign_lshift_expr | @assign_rshift_expr;
+
+@member_access_expr = @field_access_expr | @property_access_expr | @indexer_access_expr | @event_access_expr
+                    | @method_access_expr | @type_access_expr | @dynamic_member_access_expr;
+@access_expr = @member_access_expr | @this_access_expr | @base_access_expr | @assignable_access_expr | @namespace_access_expr;
+@element_access_expr = @indexer_access_expr | @array_access_expr | @dynamic_element_access_expr;
+
+@local_variable_access = @local_variable_access_expr | @local_var_decl_expr;
+@local_scope_variable_access_expr = @parameter_access_expr | @local_variable_access;
+@variable_access_expr = @local_scope_variable_access_expr | @field_access_expr;
+
+@assignable_access_expr = @variable_access_expr | @property_access_expr | @element_access_expr
+                        | @event_access_expr | @dynamic_member_access_expr;
+
+@objectorcollection_init_expr = @object_init_expr | @collection_init_expr;
+
+@delegate_creation_expr = @explicit_delegate_creation_expr | @implicit_delegate_creation_expr;
+
+@bin_arith_op_expr = @mul_expr | @div_expr | @rem_expr | @add_expr | @sub_expr;
+@incr_op_expr =  @pre_incr_expr | @post_incr_expr;
+@decr_op_expr =  @pre_decr_expr | @post_decr_expr;
+@mut_op_expr = @incr_op_expr | @decr_op_expr;
+@un_arith_op_expr = @plus_expr | @minus_expr | @mut_op_expr;
+@arith_op_expr = @bin_arith_op_expr | @un_arith_op_expr;
+
+@ternary_log_op_expr = @conditional_expr;
+@bin_log_op_expr = @log_and_expr | @log_or_expr | @null_coalescing_expr;
+@un_log_op_expr = @log_not_expr;
+@log_expr = @un_log_op_expr | @bin_log_op_expr | @ternary_log_op_expr;
+
+@bin_bit_op_expr =  @bit_and_expr | @bit_or_expr | @bit_xor_expr | @lshift_expr
+                 | @rshift_expr;
+@un_bit_op_expr = @bit_not_expr;
+@bit_expr = @un_bit_op_expr | @bin_bit_op_expr;
+
+@equality_op_expr =  @eq_expr | @ne_expr;
+@rel_op_expr = @gt_expr | @lt_expr| @ge_expr | @le_expr;
+@comp_expr = @equality_op_expr | @rel_op_expr;
+
+@op_expr = @assign_expr | @un_op | @bin_op | @ternary_op;
+
+@ternary_op = @ternary_log_op_expr;
+@bin_op = @bin_arith_op_expr | @bin_log_op_expr | @bin_bit_op_expr | @comp_expr;
+@un_op = @un_arith_op_expr | @un_log_op_expr | @un_bit_op_expr | @sizeof_expr
+       | @pointer_indirection_expr | @address_of_expr;
+
+@anonymous_function_expr = @lambda_expr | @anonymous_method_expr;
+
+@call = @method_invocation_expr | @constructor_init_expr | @operator_invocation_expr
+      | @delegate_invocation_expr | @object_creation_expr | @call_access_expr
+      | @local_function_invocation_expr | @function_pointer_invocation_expr;
+
+@call_access_expr = @property_access_expr | @event_access_expr | @indexer_access_expr;
+
+@late_bindable_expr = @dynamic_element_access_expr | @dynamic_member_access_expr
+                    | @object_creation_expr | @method_invocation_expr | @operator_invocation_expr;
+
+@throw_element = @throw_expr | @throw_stmt;
+
+@implicitly_typeable_object_creation_expr = @object_creation_expr | @explicit_delegate_creation_expr;
+
+implicitly_typed_array_creation(
+  unique int id: @array_creation_expr ref);
+
+explicitly_sized_array_creation(
+  unique int id: @array_creation_expr ref);
+
+stackalloc_array_creation(
+  unique int id: @array_creation_expr ref);
+
+implicitly_typed_object_creation(
+  unique int id: @implicitly_typeable_object_creation_expr ref);
+
+mutator_invocation_mode(
+  unique int id: @operator_invocation_expr ref,
+  int mode: int ref /* prefix = 1, postfix = 2*/);
+
+expr_compiler_generated(
+  unique int id: @expr ref);
+
+expr_value(
+  unique int id: @expr ref,
+  string value: string ref);
+
+expr_call(
+  unique int caller_id: @expr ref,
+  int target_id: @callable ref);
+
+expr_access(
+  unique int accesser_id: @access_expr ref,
+  int target_id: @accessible ref);
+
+@accessible = @method | @assignable | @local_function | @namespace;
+
+expr_location(
+  unique int id: @expr ref,
+  int loc: @location ref);
+
+dynamic_member_name(
+  unique int id: @late_bindable_expr ref,
+  string name: string ref);
+
+@qualifiable_expr = @member_access_expr
+                  | @method_invocation_expr
+                  | @element_access_expr;
+
+conditional_access(
+  unique int id: @qualifiable_expr ref);
+
+expr_argument(
+  unique int id: @expr ref,
+  int mode: int ref);
+  /* mode is the same as params: value = 0, ref = 1, out = 2 */
+
+expr_argument_name(
+  unique int id: @expr ref,
+  string name: string ref);
+
+/** CONTROL/DATA FLOW **/
+
+@control_flow_element = @stmt | @expr;
+
+/* XML Files */
+
+xmlEncoding  (
+  unique int id: @file ref,
+  string encoding: string ref);
+
+xmlDTDs(
+  unique int id: @xmldtd,
+  string root: string ref,
+  string publicId: string ref,
+  string systemId: string ref,
+  int fileid: @file ref);
+
+xmlElements(
+  unique int id: @xmlelement,
+  string name: string ref,
+  int parentid: @xmlparent ref,
+  int idx: int ref,
+  int fileid: @file ref);
+
+xmlAttrs(
+  unique int id: @xmlattribute,
+  int elementid: @xmlelement ref,
+  string name: string ref,
+  string value: string ref,
+  int idx: int ref,
+  int fileid: @file ref);
+
+xmlNs(
+  int id: @xmlnamespace,
+  string prefixName: string ref,
+  string URI: string ref,
+  int fileid: @file ref);
+
+xmlHasNs(
+  int elementId: @xmlnamespaceable ref,
+  int nsId: @xmlnamespace ref,
+  int fileid: @file ref);
+
+xmlComments(
+  unique int id: @xmlcomment,
+  string text: string ref,
+  int parentid: @xmlparent ref,
+  int fileid: @file ref);
+
+xmlChars(
+  unique int id: @xmlcharacters,
+  string text: string ref,
+  int parentid: @xmlparent ref,
+  int idx: int ref,
+  int isCDATA: int ref,
+  int fileid: @file ref);
+
+@xmlparent = @file | @xmlelement;
+@xmlnamespaceable = @xmlelement | @xmlattribute;
+
+xmllocations(
+  int xmlElement: @xmllocatable ref,
+  int location: @location_default ref);
+
+@xmllocatable = @xmlcharacters | @xmlelement | @xmlcomment | @xmlattribute | @xmldtd | @file | @xmlnamespace;
+
+/* Comments */
+
+commentline(
+  unique int id: @commentline,
+  int kind: int ref,
+  string text: string ref,
+  string rawtext: string ref);
+
+case @commentline.kind of
+  0 = @singlelinecomment
+| 1 = @xmldoccomment
+| 2 = @multilinecomment;
+
+commentline_location(
+  unique int id: @commentline ref,
+  int loc: @location ref);
+
+commentblock(
+  unique int id : @commentblock);
+
+commentblock_location(
+  unique int id: @commentblock ref,
+  int loc: @location ref);
+
+commentblock_binding(
+  int id: @commentblock ref,
+  int entity: @element ref,
+  int bindtype: int ref);    /* 0: Parent, 1: Best, 2: Before, 3: After */
+
+commentblock_child(
+  int id: @commentblock ref,
+  int commentline: @commentline ref,
+  int index: int ref);
+
+/* ASP.NET */
+
+case @asp_element.kind of
+  0=@asp_close_tag
+| 1=@asp_code
+| 2=@asp_comment
+| 3=@asp_data_binding
+| 4=@asp_directive
+| 5=@asp_open_tag
+| 6=@asp_quoted_string
+| 7=@asp_text
+| 8=@asp_xml_directive;
+
+@asp_attribute = @asp_code | @asp_data_binding | @asp_quoted_string;
+
+asp_elements(
+  unique int id: @asp_element,
+  int kind: int ref,
+  int loc: @location ref);
+
+asp_comment_server(unique int comment: @asp_comment ref);
+asp_code_inline(unique int code: @asp_code ref);
+asp_directive_attribute(
+  int directive: @asp_directive ref,
+  int index: int ref,
+  string name: string ref,
+  int value: @asp_quoted_string ref);
+asp_directive_name(
+  unique int directive: @asp_directive ref,
+  string name: string ref);
+asp_element_body(
+  unique int element: @asp_element ref,
+  string body: string ref);
+asp_tag_attribute(
+  int tag: @asp_open_tag ref,
+  int index: int ref,
+  string name: string ref,
+  int attribute: @asp_attribute ref);
+asp_tag_name(
+  unique int tag: @asp_open_tag ref,
+  string name: string ref);
+asp_tag_isempty(int tag: @asp_open_tag ref);
+
+/* Common Intermediate Language - CIL */
+
+case @cil_instruction.opcode of
+  0 = @cil_nop
+| 1 = @cil_break
+| 2 = @cil_ldarg_0
+| 3 = @cil_ldarg_1
+| 4 = @cil_ldarg_2
+| 5 = @cil_ldarg_3
+| 6 = @cil_ldloc_0
+| 7 = @cil_ldloc_1
+| 8 = @cil_ldloc_2
+| 9 = @cil_ldloc_3
+| 10 = @cil_stloc_0
+| 11 = @cil_stloc_1
+| 12 = @cil_stloc_2
+| 13 = @cil_stloc_3
+| 14 = @cil_ldarg_s
+| 15 = @cil_ldarga_s
+| 16 = @cil_starg_s
+| 17 = @cil_ldloc_s
+| 18 = @cil_ldloca_s
+| 19 = @cil_stloc_s
+| 20 = @cil_ldnull
+| 21 = @cil_ldc_i4_m1
+| 22 = @cil_ldc_i4_0
+| 23 = @cil_ldc_i4_1
+| 24 = @cil_ldc_i4_2
+| 25 = @cil_ldc_i4_3
+| 26 = @cil_ldc_i4_4
+| 27 = @cil_ldc_i4_5
+| 28 = @cil_ldc_i4_6
+| 29 = @cil_ldc_i4_7
+| 30 = @cil_ldc_i4_8
+| 31 = @cil_ldc_i4_s
+| 32 = @cil_ldc_i4
+| 33 = @cil_ldc_i8
+| 34 = @cil_ldc_r4
+| 35 = @cil_ldc_r8
+| 37 = @cil_dup
+| 38 = @cil_pop
+| 39 = @cil_jmp
+| 40 = @cil_call
+| 41 = @cil_calli
+| 42 = @cil_ret
+| 43 = @cil_br_s
+| 44 = @cil_brfalse_s
+| 45 = @cil_brtrue_s
+| 46 = @cil_beq_s
+| 47 = @cil_bge_s
+| 48 = @cil_bgt_s
+| 49 = @cil_ble_s
+| 50 = @cil_blt_s
+| 51 = @cil_bne_un_s
+| 52 = @cil_bge_un_s
+| 53 = @cil_bgt_un_s
+| 54 = @cil_ble_un_s
+| 55 = @cil_blt_un_s
+| 56 = @cil_br
+| 57 = @cil_brfalse
+| 58 = @cil_brtrue
+| 59 = @cil_beq
+| 60 = @cil_bge
+| 61 = @cil_bgt
+| 62 = @cil_ble
+| 63 = @cil_blt
+| 64 = @cil_bne_un
+| 65 = @cil_bge_un
+| 66 = @cil_bgt_un
+| 67 = @cil_ble_un
+| 68 = @cil_blt_un
+| 69 = @cil_switch
+| 70 = @cil_ldind_i1
+| 71 = @cil_ldind_u1
+| 72 = @cil_ldind_i2
+| 73 = @cil_ldind_u2
+| 74 = @cil_ldind_i4
+| 75 = @cil_ldind_u4
+| 76 = @cil_ldind_i8
+| 77 = @cil_ldind_i
+| 78 = @cil_ldind_r4
+| 79 = @cil_ldind_r8
+| 80 = @cil_ldind_ref
+| 81 = @cil_stind_ref
+| 82 = @cil_stind_i1
+| 83 = @cil_stind_i2
+| 84 = @cil_stind_i4
+| 85 = @cil_stind_i8
+| 86 = @cil_stind_r4
+| 87 = @cil_stind_r8
+| 88 = @cil_add
+| 89 = @cil_sub
+| 90 = @cil_mul
+| 91 = @cil_div
+| 92 = @cil_div_un
+| 93 = @cil_rem
+| 94 = @cil_rem_un
+| 95 = @cil_and
+| 96 = @cil_or
+| 97 = @cil_xor
+| 98 = @cil_shl
+| 99 = @cil_shr
+| 100 = @cil_shr_un
+| 101 = @cil_neg
+| 102 = @cil_not
+| 103 = @cil_conv_i1
+| 104 = @cil_conv_i2
+| 105 = @cil_conv_i4
+| 106 = @cil_conv_i8
+| 107 = @cil_conv_r4
+| 108 = @cil_conv_r8
+| 109 = @cil_conv_u4
+| 110 = @cil_conv_u8
+| 111 = @cil_callvirt
+| 112 = @cil_cpobj
+| 113 = @cil_ldobj
+| 114 = @cil_ldstr
+| 115 = @cil_newobj
+| 116 = @cil_castclass
+| 117 = @cil_isinst
+| 118 = @cil_conv_r_un
+| 121 = @cil_unbox
+| 122 = @cil_throw
+| 123 = @cil_ldfld
+| 124 = @cil_ldflda
+| 125 = @cil_stfld
+| 126 = @cil_ldsfld
+| 127 = @cil_ldsflda
+| 128 = @cil_stsfld
+| 129 = @cil_stobj
+| 130 = @cil_conv_ovf_i1_un
+| 131 = @cil_conv_ovf_i2_un
+| 132 = @cil_conv_ovf_i4_un
+| 133 = @cil_conv_ovf_i8_un
+| 134 = @cil_conv_ovf_u1_un
+| 135 = @cil_conv_ovf_u2_un
+| 136 = @cil_conv_ovf_u4_un
+| 137 = @cil_conv_ovf_u8_un
+| 138 = @cil_conv_ovf_i_un
+| 139 = @cil_conv_ovf_u_un
+| 140 = @cil_box
+| 141 = @cil_newarr
+| 142 = @cil_ldlen
+| 143 = @cil_ldelema
+| 144 = @cil_ldelem_i1
+| 145 = @cil_ldelem_u1
+| 146 = @cil_ldelem_i2
+| 147 = @cil_ldelem_u2
+| 148 = @cil_ldelem_i4
+| 149 = @cil_ldelem_u4
+| 150 = @cil_ldelem_i8
+| 151 = @cil_ldelem_i
+| 152 = @cil_ldelem_r4
+| 153 = @cil_ldelem_r8
+| 154 = @cil_ldelem_ref
+| 155 = @cil_stelem_i
+| 156 = @cil_stelem_i1
+| 157 = @cil_stelem_i2
+| 158 = @cil_stelem_i4
+| 159 = @cil_stelem_i8
+| 160 = @cil_stelem_r4
+| 161 = @cil_stelem_r8
+| 162 = @cil_stelem_ref
+| 163 = @cil_ldelem
+| 164 = @cil_stelem
+| 165 = @cil_unbox_any
+| 179 = @cil_conv_ovf_i1
+| 180 = @cil_conv_ovf_u1
+| 181 = @cil_conv_ovf_i2
+| 182 = @cil_conv_ovf_u2
+| 183 = @cil_conv_ovf_i4
+| 184 = @cil_conv_ovf_u4
+| 185 = @cil_conv_ovf_i8
+| 186 = @cil_conv_ovf_u8
+| 194 = @cil_refanyval
+| 195 = @cil_ckinfinite
+| 198 = @cil_mkrefany
+| 208 = @cil_ldtoken
+| 209 = @cil_conv_u2
+| 210 = @cil_conv_u1
+| 211 = @cil_conv_i
+| 212 = @cil_conv_ovf_i
+| 213 = @cil_conv_ovf_u
+| 214 = @cil_add_ovf
+| 215 = @cil_add_ovf_un
+| 216 = @cil_mul_ovf
+| 217 = @cil_mul_ovf_un
+| 218 = @cil_sub_ovf
+| 219 = @cil_sub_ovf_un
+| 220 = @cil_endfinally
+| 221 = @cil_leave
+| 222 = @cil_leave_s
+| 223 = @cil_stind_i
+| 224 = @cil_conv_u
+| 65024 = @cil_arglist
+| 65025 = @cil_ceq
+| 65026 = @cil_cgt
+| 65027 = @cil_cgt_un
+| 65028 = @cil_clt
+| 65029 = @cil_clt_un
+| 65030 = @cil_ldftn
+| 65031 = @cil_ldvirtftn
+| 65033 = @cil_ldarg
+| 65034 = @cil_ldarga
+| 65035 = @cil_starg
+| 65036 = @cil_ldloc
+| 65037 = @cil_ldloca
+| 65038 = @cil_stloc
+| 65039 = @cil_localloc
+| 65041 = @cil_endfilter
+| 65042 = @cil_unaligned
+| 65043 = @cil_volatile
+| 65044 = @cil_tail
+| 65045 = @cil_initobj
+| 65046 = @cil_constrained
+| 65047 = @cil_cpblk
+| 65048 = @cil_initblk
+| 65050 = @cil_rethrow
+| 65052 = @cil_sizeof
+| 65053 = @cil_refanytype
+| 65054 = @cil_readonly
+;
+
+// CIL ignored instructions
+
+@cil_ignore = @cil_nop | @cil_break | @cil_volatile | @cil_unaligned;
+
+// CIL local/parameter/field access
+
+@cil_ldarg_any = @cil_ldarg_0 | @cil_ldarg_1 | @cil_ldarg_2 | @cil_ldarg_3 | @cil_ldarg_s | @cil_ldarga_s | @cil_ldarg | @cil_ldarga;
+@cil_starg_any = @cil_starg | @cil_starg_s;
+
+@cil_ldloc_any = @cil_ldloc_0 | @cil_ldloc_1 | @cil_ldloc_2 | @cil_ldloc_3 | @cil_ldloc_s | @cil_ldloca_s | @cil_ldloc | @cil_ldloca;
+@cil_stloc_any = @cil_stloc_0 | @cil_stloc_1 | @cil_stloc_2 | @cil_stloc_3 | @cil_stloc_s | @cil_stloc;
+
+@cil_ldfld_any = @cil_ldfld | @cil_ldsfld | @cil_ldsflda | @cil_ldflda;
+@cil_stfld_any = @cil_stfld | @cil_stsfld;
+
+@cil_local_access = @cil_stloc_any | @cil_ldloc_any;
+@cil_arg_access = @cil_starg_any | @cil_ldarg_any;
+@cil_read_access = @cil_ldloc_any | @cil_ldarg_any | @cil_ldfld_any;
+@cil_write_access = @cil_stloc_any | @cil_starg_any | @cil_stfld_any;
+
+@cil_stack_access = @cil_local_access | @cil_arg_access;
+@cil_field_access = @cil_ldfld_any | @cil_stfld_any;
+
+@cil_access = @cil_read_access | @cil_write_access;
+
+// CIL constant/literal instructions
+
+@cil_ldc_i = @cil_ldc_i4_any | @cil_ldc_i8;
+
+@cil_ldc_i4_any = @cil_ldc_i4_m1 | @cil_ldc_i4_0 | @cil_ldc_i4_1 | @cil_ldc_i4_2 | @cil_ldc_i4_3 |
+  @cil_ldc_i4_4 | @cil_ldc_i4_5 | @cil_ldc_i4_6 | @cil_ldc_i4_7 | @cil_ldc_i4_8 | @cil_ldc_i4_s | @cil_ldc_i4;
+
+@cil_ldc_r = @cil_ldc_r4 | @cil_ldc_r8;
+
+@cil_literal = @cil_ldnull | @cil_ldc_i | @cil_ldc_r | @cil_ldstr;
+
+// Control flow
+
+@cil_conditional_jump = @cil_binary_jump | @cil_unary_jump;
+@cil_binary_jump = @cil_beq_s | @cil_bge_s | @cil_bgt_s | @cil_ble_s | @cil_blt_s |
+    @cil_bne_un_s | @cil_bge_un_s | @cil_bgt_un_s | @cil_ble_un_s | @cil_blt_un_s |
+    @cil_beq | @cil_bge | @cil_bgt | @cil_ble | @cil_blt |
+    @cil_bne_un | @cil_bge_un | @cil_bgt_un | @cil_ble_un | @cil_blt_un;
+@cil_unary_jump = @cil_brfalse_s | @cil_brtrue_s | @cil_brfalse | @cil_brtrue | @cil_switch;
+@cil_unconditional_jump = @cil_br | @cil_br_s | @cil_leave_any;
+@cil_leave_any = @cil_leave | @cil_leave_s;
+@cil_jump = @cil_unconditional_jump | @cil_conditional_jump;
+
+// CIL call instructions
+
+@cil_call_any = @cil_jmp | @cil_call | @cil_calli | @cil_tail | @cil_callvirt | @cil_newobj;
+
+// CIL expression instructions
+
+@cil_expr = @cil_literal | @cil_binary_expr | @cil_unary_expr | @cil_call_any | @cil_read_access |
+  @cil_newarr | @cil_ldtoken | @cil_sizeof |
+  @cil_ldftn | @cil_ldvirtftn | @cil_localloc | @cil_mkrefany | @cil_refanytype | @cil_arglist | @cil_dup;
+
+@cil_unary_expr =
+  @cil_conversion_operation | @cil_unary_arithmetic_operation | @cil_unary_bitwise_operation|
+  @cil_ldlen | @cil_isinst | @cil_box | @cil_ldobj | @cil_castclass | @cil_unbox_any |
+  @cil_ldind | @cil_unbox;
+
+@cil_conversion_operation =
+  @cil_conv_i1 | @cil_conv_i2 | @cil_conv_i4 | @cil_conv_i8 |
+  @cil_conv_u1 | @cil_conv_u2 | @cil_conv_u4 | @cil_conv_u8 |
+  @cil_conv_ovf_i | @cil_conv_ovf_i_un | @cil_conv_ovf_i1 | @cil_conv_ovf_i1_un |
+  @cil_conv_ovf_i2 | @cil_conv_ovf_i2_un | @cil_conv_ovf_i4 | @cil_conv_ovf_i4_un |
+  @cil_conv_ovf_i8 | @cil_conv_ovf_i8_un | @cil_conv_ovf_u | @cil_conv_ovf_u_un |
+  @cil_conv_ovf_u1 | @cil_conv_ovf_u1_un | @cil_conv_ovf_u2 | @cil_conv_ovf_u2_un |
+  @cil_conv_ovf_u4 | @cil_conv_ovf_u4_un | @cil_conv_ovf_u8 | @cil_conv_ovf_u8_un |
+  @cil_conv_r4 | @cil_conv_r8 | @cil_conv_ovf_u2 | @cil_conv_ovf_u2_un |
+  @cil_conv_i | @cil_conv_u | @cil_conv_r_un;
+
+@cil_ldind = @cil_ldind_i | @cil_ldind_i1 | @cil_ldind_i2 | @cil_ldind_i4 | @cil_ldind_i8 |
+  @cil_ldind_r4 | @cil_ldind_r8 | @cil_ldind_ref | @cil_ldind_u1 | @cil_ldind_u2 | @cil_ldind_u4;
+
+@cil_stind = @cil_stind_i | @cil_stind_i1 | @cil_stind_i2 | @cil_stind_i4 | @cil_stind_i8 |
+  @cil_stind_r4 | @cil_stind_r8 | @cil_stind_ref;
+
+@cil_bitwise_operation = @cil_binary_bitwise_operation | @cil_unary_bitwise_operation;
+
+@cil_binary_bitwise_operation = @cil_and | @cil_or | @cil_xor | @cil_shr | @cil_shr | @cil_shr_un | @cil_shl;
+
+@cil_binary_arithmetic_operation = @cil_add | @cil_sub | @cil_mul | @cil_div | @cil_div_un |
+  @cil_rem | @cil_rem_un | @cil_add_ovf | @cil_add_ovf_un | @cil_mul_ovf | @cil_mul_ovf_un |
+  @cil_sub_ovf | @cil_sub_ovf_un;
+
+@cil_unary_bitwise_operation = @cil_not;
+
+@cil_binary_expr = @cil_binary_arithmetic_operation | @cil_binary_bitwise_operation | @cil_read_array | @cil_comparison_operation;
+
+@cil_unary_arithmetic_operation = @cil_neg;
+
+@cil_comparison_operation = @cil_cgt_un | @cil_ceq | @cil_cgt | @cil_clt | @cil_clt_un;
+
+// Elements that retrieve an address of something
+@cil_read_ref = @cil_ldloca_s | @cil_ldarga_s | @cil_ldflda | @cil_ldsflda | @cil_ldelema;
+
+// CIL array instructions
+
+@cil_read_array =
+  @cil_ldelem | @cil_ldelema | @cil_ldelem_i1 | @cil_ldelem_ref | @cil_ldelem_i |
+  @cil_ldelem_i1 | @cil_ldelem_i2 | @cil_ldelem_i4 | @cil_ldelem_i8 | @cil_ldelem_r4 |
+  @cil_ldelem_r8 | @cil_ldelem_u1 | @cil_ldelem_u2 | @cil_ldelem_u4;
+
+@cil_write_array = @cil_stelem | @cil_stelem_ref |
+  @cil_stelem_i | @cil_stelem_i1 | @cil_stelem_i2 | @cil_stelem_i4 | @cil_stelem_i8 |
+  @cil_stelem_r4 | @cil_stelem_r8;
+
+@cil_throw_any = @cil_throw | @cil_rethrow;
+
+#keyset[impl, index]
+cil_instruction(
+  unique int id: @cil_instruction,
+  int opcode: int ref,
+  int index: int ref,
+  int impl: @cil_method_implementation ref);
+
+cil_jump(
+  unique int instruction: @cil_jump ref,
+  int target: @cil_instruction ref);
+
+cil_access(
+  unique int instruction: @cil_instruction ref,
+  int target: @cil_accessible ref);
+
+cil_value(
+  unique int instruction: @cil_literal ref,
+  string value: string ref);
+
+#keyset[instruction, index]
+cil_switch(
+  int instruction: @cil_switch ref,
+  int index: int ref,
+  int target: @cil_instruction ref);
+
+cil_instruction_location(
+  unique int id: @cil_instruction ref,
+  int loc: @location ref);
+
+cil_type_location(
+  int id: @cil_type ref,
+  int loc: @location ref);
+
+cil_method_location(
+  int id: @cil_method ref,
+  int loc: @location ref);
+
+@cil_namespace = @namespace;
+
+@cil_type_container = @cil_type | @cil_namespace | @cil_method;
+
+case @cil_type.kind of
+  0 = @cil_valueorreftype
+| 1 = @cil_typeparameter
+| 2 = @cil_array_type
+| 3 = @cil_pointer_type
+| 4 = @cil_function_pointer_type
+;
+
+cil_type(
+  unique int id: @cil_type,
+  string name: string ref,
+  int kind: int ref,
+  int parent: @cil_type_container ref,
+  int sourceDecl: @cil_type ref);
+
+cil_pointer_type(
+  unique int id: @cil_pointer_type ref,
+  int pointee: @cil_type ref);
+
+cil_array_type(
+  unique int id: @cil_array_type ref,
+  int element_type: @cil_type ref,
+  int rank: int ref);
+
+cil_function_pointer_return_type(
+  unique int id: @cil_function_pointer_type ref,
+  int return_type: @cil_type ref);
+
+cil_method(
+  unique int id: @cil_method,
+  string name: string ref,
+  int parent: @cil_type ref,
+  int return_type: @cil_type ref);
+
+cil_method_source_declaration(
+  unique int method: @cil_method ref,
+  int source: @cil_method ref);
+
+cil_method_implementation(
+  unique int id: @cil_method_implementation,
+  int method: @cil_method ref,
+  int location: @assembly ref);
+
+cil_implements(
+  int id: @cil_method ref,
+  int decl: @cil_method ref);
+
+#keyset[parent, name]
+cil_field(
+  unique int id: @cil_field,
+  int parent: @cil_type ref,
+  string name: string ref,
+  int field_type: @cil_type ref);
+
+@cil_element = @cil_instruction | @cil_declaration | @cil_handler | @cil_attribute | @cil_namespace;
+@cil_named_element = @cil_declaration | @cil_namespace;
+@cil_declaration = @cil_variable | @cil_method | @cil_type | @cil_member;
+@cil_accessible = @cil_declaration;
+@cil_variable = @cil_field | @cil_stack_variable;
+@cil_stack_variable = @cil_local_variable | @cil_parameter;
+@cil_member = @cil_method | @cil_type | @cil_field | @cil_property | @cil_event;
+@cil_custom_modifier_receiver = @cil_method | @cil_property | @cil_parameter | @cil_field | @cil_function_pointer_type;
+@cil_parameterizable = @cil_method | @cil_function_pointer_type;
+@cil_has_type_annotation = @cil_stack_variable | @cil_property | @cil_method | @cil_function_pointer_type;
+
+#keyset[parameterizable, index]
+cil_parameter(
+  unique int id: @cil_parameter,
+  int parameterizable: @cil_parameterizable ref,
+  int index: int ref,
+  int param_type: @cil_type ref);
+
+cil_parameter_in(unique int id: @cil_parameter ref);
+cil_parameter_out(unique int id: @cil_parameter ref);
+
+cil_setter(unique int prop: @cil_property ref,
+  int method: @cil_method ref);
+
+#keyset[id, modifier]
+cil_custom_modifiers(
+  int id: @cil_custom_modifier_receiver ref,
+  int modifier: @cil_type ref,
+  int kind: int ref); // modreq: 1, modopt: 0
+
+cil_type_annotation(
+  int id: @cil_has_type_annotation ref,
+  int annotation: int ref);
+
+cil_getter(unique int prop: @cil_property ref,
+  int method: @cil_method ref);
+
+cil_adder(unique int event: @cil_event ref,
+  int method: @cil_method ref);
+
+cil_remover(unique int event: @cil_event ref, int method: @cil_method ref);
+
+cil_raiser(unique int event: @cil_event ref, int method: @cil_method ref);
+
+cil_property(
+  unique int id: @cil_property,
+  int parent: @cil_type ref,
+  string name: string ref,
+  int property_type: @cil_type ref);
+
+#keyset[parent, name]
+cil_event(unique int id: @cil_event,
+  int parent: @cil_type ref,
+  string name: string ref,
+  int event_type: @cil_type ref);
+
+#keyset[impl, index]
+cil_local_variable(
+  unique int id: @cil_local_variable,
+  int impl: @cil_method_implementation ref,
+  int index: int ref,
+  int var_type: @cil_type ref);
+
+cil_function_pointer_calling_conventions(
+  int id: @cil_function_pointer_type ref,
+  int kind: int ref);
+
+// CIL handlers (exception handlers etc).
+
+case @cil_handler.kind of
+  0 = @cil_catch_handler
+| 1 = @cil_filter_handler
+| 2 = @cil_finally_handler
+| 4 = @cil_fault_handler
+;
+
+#keyset[impl, index]
+cil_handler(
+  unique int id: @cil_handler,
+  int impl: @cil_method_implementation ref,
+  int index: int ref,
+  int kind: int ref,
+  int try_start: @cil_instruction ref,
+  int try_end: @cil_instruction ref,
+  int handler_start: @cil_instruction ref);
+
+cil_handler_filter(
+  unique int id: @cil_handler ref,
+  int filter_start: @cil_instruction ref);
+
+cil_handler_type(
+  unique int id: @cil_handler ref,
+  int catch_type: @cil_type ref);
+
+@cil_controlflow_node = @cil_entry_point | @cil_instruction;
+
+@cil_entry_point = @cil_method_implementation | @cil_handler;
+
+@cil_dataflow_node = @cil_instruction | @cil_variable | @cil_method;
+
+cil_method_stack_size(
+  unique int method: @cil_method_implementation ref,
+  int size: int ref);
+
+// CIL modifiers
+
+cil_public(int id: @cil_member ref);
+cil_private(int id: @cil_member ref);
+cil_protected(int id: @cil_member ref);
+cil_internal(int id: @cil_member ref);
+cil_static(int id: @cil_member ref);
+cil_sealed(int id: @cil_member ref);
+cil_virtual(int id: @cil_method ref);
+cil_abstract(int id: @cil_member ref);
+cil_class(int id: @cil_type ref);
+cil_interface(int id: @cil_type ref);
+cil_security(int id: @cil_member ref);
+cil_requiresecobject(int id: @cil_method ref);
+cil_specialname(int id: @cil_method ref);
+cil_newslot(int id: @cil_method ref);
+
+cil_base_class(unique int id: @cil_type ref, int base: @cil_type ref);
+cil_base_interface(int id: @cil_type ref, int base: @cil_type ref);
+cil_enum_underlying_type(unique int id: @cil_type ref, int underlying: @cil_type ref);
+
+#keyset[unbound, index]
+cil_type_parameter(
+  int unbound: @cil_member ref,
+  int index: int ref,
+  int param: @cil_typeparameter ref);
+
+#keyset[bound, index]
+cil_type_argument(
+  int bound: @cil_member ref,
+  int index: int ref,
+  int t: @cil_type ref);
+
+// CIL type parameter constraints
+
+cil_typeparam_covariant(int tp: @cil_typeparameter ref);
+cil_typeparam_contravariant(int tp: @cil_typeparameter ref);
+cil_typeparam_class(int tp: @cil_typeparameter ref);
+cil_typeparam_struct(int tp: @cil_typeparameter ref);
+cil_typeparam_new(int tp: @cil_typeparameter ref);
+cil_typeparam_constraint(int tp: @cil_typeparameter ref, int supertype: @cil_type ref);
+
+// CIL attributes
+
+cil_attribute(
+  unique int attributeid: @cil_attribute,
+  int element: @cil_declaration ref,
+  int constructor: @cil_method ref);
+
+#keyset[attribute_id, param]
+cil_attribute_named_argument(
+  int attribute_id: @cil_attribute ref,
+  string param: string ref,
+  string value: string ref);
+
+#keyset[attribute_id, index]
+cil_attribute_positional_argument(
+  int attribute_id: @cil_attribute ref,
+  int index: int ref,
+  string value: string ref);
+
+
+// Common .Net data model covering both C# and CIL
+
+// Common elements
+@dotnet_element = @element | @cil_element;
+@dotnet_named_element = @named_element | @cil_named_element;
+@dotnet_callable = @callable | @cil_method;
+@dotnet_variable = @variable | @cil_variable;
+@dotnet_field = @field | @cil_field;
+@dotnet_parameter = @parameter | @cil_parameter;
+@dotnet_declaration = @declaration | @cil_declaration;
+@dotnet_member = @member | @cil_member;
+@dotnet_event = @event | @cil_event;
+@dotnet_property = @property | @cil_property | @indexer;
+@dotnet_parameterizable = @parameterizable | @cil_parameterizable;
+
+// Common types
+@dotnet_type = @type | @cil_type;
+@dotnet_call = @call | @cil_call_any;
+@dotnet_throw = @throw_element | @cil_throw_any;
+@dotnet_valueorreftype = @cil_valueorreftype | @value_or_ref_type | @cil_array_type | @void_type;
+@dotnet_typeparameter = @type_parameter | @cil_typeparameter;
+@dotnet_array_type = @array_type | @cil_array_type;
+@dotnet_pointer_type = @pointer_type | @cil_pointer_type;
+@dotnet_type_parameter = @type_parameter | @cil_typeparameter;
+@dotnet_generic = @dotnet_valueorreftype | @dotnet_callable;
+
+// Attributes
+@dotnet_attribute = @attribute | @cil_attribute;
+
+// Expressions
+@dotnet_expr = @expr | @cil_expr;
+
+// Literals
+@dotnet_literal = @literal_expr | @cil_literal;
+@dotnet_string_literal = @string_literal_expr | @cil_ldstr;
+@dotnet_int_literal = @integer_literal_expr | @cil_ldc_i;
+@dotnet_float_literal = @float_literal_expr | @cil_ldc_r;
+@dotnet_null_literal = @null_literal_expr | @cil_ldnull;
+
+@metadata_entity = @cil_method | @cil_type | @cil_field | @cil_property | @field | @property |
+    @callable | @value_or_ref_type | @void_type;
+
+#keyset[entity, location]
+metadata_handle(int entity : @metadata_entity ref, int location: @assembly ref, int handle: int ref)
diff --git a/csharp/upgrades/TO_CHANGE/upgrade.properties b/csharp/upgrades/68db341c2ed1693c2ae6e20ad533c84138cb275a/upgrade.properties
similarity index 100%
rename from csharp/upgrades/TO_CHANGE/upgrade.properties
rename to csharp/upgrades/68db341c2ed1693c2ae6e20ad533c84138cb275a/upgrade.properties

From 6d908876e0ff3ea8648228326a06943d90f55f22 Mon Sep 17 00:00:00 2001
From: Tamas Vajk <tamasvajk@github.com>
Date: Fri, 5 Feb 2021 09:31:16 +0100
Subject: [PATCH 226/429] Add new .stats file

---
 .../ql/src/semmlecode.csharp.dbscheme.stats   | 15991 ++++++++--------
 1 file changed, 8235 insertions(+), 7756 deletions(-)

diff --git a/csharp/ql/src/semmlecode.csharp.dbscheme.stats b/csharp/ql/src/semmlecode.csharp.dbscheme.stats
index c294897e009..bb3e0fcb650 100644
--- a/csharp/ql/src/semmlecode.csharp.dbscheme.stats
+++ b/csharp/ql/src/semmlecode.csharp.dbscheme.stats
@@ -1,7 +1,7 @@
 <dbstats>
   <typesizes><e>
 <k>@compilation</k>
-<v>564</v>
+<v>1095</v>
 </e>
 <e>
 <k>@diagnostic</k>
@@ -9,7 +9,7 @@
 </e>
 <e>
 <k>@extractor_message</k>
-<v>750</v>
+<v>7638</v>
 </e>
 <e>
 <k>@externalDefect</k>
@@ -21,11 +21,11 @@
 </e>
 <e>
 <k>@externalDataElement</k>
-<v>15</v>
+<v>29</v>
 </e>
 <e>
 <k>@duplication</k>
-<v>11701</v>
+<v>22735</v>
 </e>
 <e>
 <k>@similarity</k>
@@ -33,67 +33,67 @@
 </e>
 <e>
 <k>@location_default</k>
-<v>11326677</v>
+<v>14080010</v>
 </e>
 <e>
 <k>@assembly</k>
-<v>2160</v>
+<v>4198</v>
 </e>
 <e>
 <k>@file</k>
-<v>24351</v>
+<v>47312</v>
 </e>
 <e>
 <k>@folder</k>
-<v>9177</v>
+<v>17831</v>
 </e>
 <e>
 <k>@namespace</k>
-<v>11293</v>
+<v>21942</v>
 </e>
 <e>
 <k>@namespace_declaration</k>
-<v>8355</v>
+<v>19760</v>
 </e>
 <e>
 <k>@using_namespace_directive</k>
-<v>66100</v>
+<v>144252</v>
 </e>
 <e>
 <k>@using_static_directive</k>
-<v>199</v>
+<v>390</v>
 </e>
 <e>
 <k>@directive_if</k>
-<v>2550</v>
+<v>5161</v>
 </e>
 <e>
 <k>@directive_elif</k>
-<v>7</v>
+<v>59</v>
 </e>
 <e>
 <k>@directive_else</k>
-<v>1140</v>
+<v>2314</v>
 </e>
 <e>
 <k>@directive_endif</k>
-<v>2550</v>
+<v>5161</v>
 </e>
 <e>
 <k>@directive_region</k>
-<v>565</v>
+<v>1954</v>
 </e>
 <e>
 <k>@directive_endregion</k>
-<v>565</v>
+<v>1954</v>
 </e>
 <e>
 <k>@directive_line</k>
-<v>128896</v>
+<v>250436</v>
 </e>
 <e>
 <k>@directive_nullable</k>
-<v>83477</v>
+<v>162190</v>
 </e>
 <e>
 <k>@directive_warning</k>
@@ -101,7 +101,7 @@
 </e>
 <e>
 <k>@directive_error</k>
-<v>1</v>
+<v>28</v>
 </e>
 <e>
 <k>@directive_undefine</k>
@@ -109,119 +109,119 @@
 </e>
 <e>
 <k>@directive_define</k>
-<v>5</v>
+<v>22</v>
 </e>
 <e>
 <k>@pragma_checksum</k>
-<v>2494</v>
+<v>4846</v>
 </e>
 <e>
 <k>@pragma_warning</k>
-<v>14725</v>
+<v>28609</v>
 </e>
 <e>
 <k>@bool_type</k>
-<v>2</v>
+<v>4</v>
 </e>
 <e>
 <k>@char_type</k>
-<v>2</v>
+<v>4</v>
 </e>
 <e>
 <k>@decimal_type</k>
-<v>2</v>
+<v>4</v>
 </e>
 <e>
 <k>@sbyte_type</k>
-<v>2</v>
+<v>4</v>
 </e>
 <e>
 <k>@short_type</k>
-<v>2</v>
+<v>4</v>
 </e>
 <e>
 <k>@int_type</k>
-<v>2</v>
+<v>4</v>
 </e>
 <e>
 <k>@long_type</k>
-<v>2</v>
+<v>4</v>
 </e>
 <e>
 <k>@byte_type</k>
-<v>2</v>
+<v>4</v>
 </e>
 <e>
 <k>@ushort_type</k>
-<v>2</v>
+<v>4</v>
 </e>
 <e>
 <k>@uint_type</k>
-<v>2</v>
+<v>4</v>
 </e>
 <e>
 <k>@ulong_type</k>
-<v>2</v>
+<v>4</v>
 </e>
 <e>
 <k>@float_type</k>
-<v>2</v>
+<v>4</v>
 </e>
 <e>
 <k>@double_type</k>
-<v>2</v>
+<v>4</v>
 </e>
 <e>
 <k>@enum_type</k>
-<v>6141</v>
+<v>11952</v>
 </e>
 <e>
 <k>@struct_type</k>
-<v>24822</v>
+<v>49665</v>
 </e>
 <e>
 <k>@class_type</k>
-<v>154426</v>
+<v>305098</v>
 </e>
 <e>
 <k>@interface_type</k>
-<v>88664</v>
+<v>178112</v>
 </e>
 <e>
 <k>@delegate_type</k>
-<v>52237</v>
+<v>107567</v>
 </e>
 <e>
 <k>@null_type</k>
-<v>2</v>
+<v>4</v>
 </e>
 <e>
 <k>@type_parameter</k>
-<v>102321</v>
+<v>202597</v>
 </e>
 <e>
 <k>@pointer_type</k>
-<v>112</v>
+<v>219</v>
 </e>
 <e>
 <k>@nullable_type</k>
-<v>550</v>
+<v>979</v>
 </e>
 <e>
 <k>@array_type</k>
-<v>4384</v>
+<v>9122</v>
 </e>
 <e>
 <k>@void_type</k>
-<v>2</v>
+<v>4</v>
 </e>
 <e>
 <k>@int_ptr_type</k>
-<v>2</v>
+<v>4</v>
 </e>
 <e>
 <k>@tuple_type</k>
-<v>857</v>
+<v>1782</v>
 </e>
 <e>
 <k>@uint_ptr_type</k>
@@ -229,7 +229,7 @@
 </e>
 <e>
 <k>@dynamic_type</k>
-<v>2</v>
+<v>4</v>
 </e>
 <e>
 <k>@arglist_type</k>
@@ -241,495 +241,495 @@
 </e>
 <e>
 <k>@function_pointer_type</k>
-<v>9</v>
+<v>11</v>
 </e>
 <e>
 <k>@typeref</k>
-<v>120781</v>
+<v>234791</v>
 </e>
 <e>
 <k>@attribute</k>
-<v>368399</v>
+<v>745454</v>
 </e>
 <e>
 <k>@type_mention</k>
-<v>622003</v>
+<v>1252212</v>
 </e>
 <e>
 <k>@oblivious</k>
-<v>664</v>
+<v>1315</v>
 </e>
 <e>
 <k>@not_annotated</k>
-<v>300</v>
+<v>618</v>
 </e>
 <e>
 <k>@annotated</k>
-<v>75</v>
+<v>113</v>
 </e>
 <e>
 <k>@type_parameter_constraints</k>
-<v>273733</v>
+<v>594129</v>
 </e>
 <e>
 <k>@modifier</k>
-<v>42</v>
+<v>82</v>
 </e>
 <e>
 <k>@property</k>
-<v>212542</v>
+<v>425592</v>
 </e>
 <e>
 <k>@indexer</k>
-<v>7590</v>
+<v>17042</v>
 </e>
 <e>
 <k>@getter</k>
-<v>220012</v>
+<v>442401</v>
 </e>
 <e>
 <k>@setter</k>
-<v>64470</v>
+<v>127526</v>
 </e>
 <e>
 <k>@event</k>
-<v>7838</v>
+<v>15230</v>
 </e>
 <e>
 <k>@add_event_accessor</k>
-<v>7838</v>
+<v>15230</v>
 </e>
 <e>
 <k>@remove_event_accessor</k>
-<v>7838</v>
+<v>15230</v>
 </e>
 <e>
 <k>@operator</k>
-<v>6201</v>
+<v>12410</v>
 </e>
 <e>
 <k>@method</k>
-<v>549172</v>
+<v>1117636</v>
 </e>
 <e>
 <k>@constructor</k>
-<v>138720</v>
+<v>277979</v>
 </e>
 <e>
 <k>@destructor</k>
-<v>225</v>
+<v>443</v>
 </e>
 <e>
 <k>@local_function</k>
-<v>488</v>
+<v>1801</v>
 </e>
 <e>
 <k>@addressable_field</k>
-<v>188270</v>
+<v>371421</v>
 </e>
 <e>
 <k>@constant</k>
-<v>95194</v>
+<v>185214</v>
 </e>
 <e>
 <k>@addressable_local_variable</k>
-<v>72587</v>
+<v>162452</v>
 </e>
 <e>
 <k>@local_constant</k>
-<v>373</v>
+<v>799</v>
 </e>
 <e>
 <k>@local_variable_ref</k>
-<v>67</v>
-</e>
-<e>
-<k>@parameter</k>
-<v>1189134</v>
-</e>
-<e>
-<k>@block_stmt</k>
-<v>159797</v>
-</e>
-<e>
-<k>@expr_stmt</k>
-<v>178398</v>
-</e>
-<e>
-<k>@return_stmt</k>
-<v>40051</v>
-</e>
-<e>
-<k>@using_block_stmt</k>
-<v>517</v>
-</e>
-<e>
-<k>@var_decl_stmt</k>
-<v>67553</v>
-</e>
-<e>
-<k>@if_stmt</k>
-<v>50740</v>
-</e>
-<e>
-<k>@switch_stmt</k>
-<v>1447</v>
-</e>
-<e>
-<k>@while_stmt</k>
-<v>1984</v>
-</e>
-<e>
-<k>@do_stmt</k>
-<v>386</v>
-</e>
-<e>
-<k>@for_stmt</k>
-<v>3124</v>
-</e>
-<e>
-<k>@foreach_stmt</k>
-<v>1910</v>
-</e>
-<e>
-<k>@break_stmt</k>
-<v>5413</v>
-</e>
-<e>
-<k>@continue_stmt</k>
-<v>1168</v>
-</e>
-<e>
-<k>@goto_stmt</k>
-<v>1045</v>
-</e>
-<e>
-<k>@goto_case_stmt</k>
-<v>154</v>
-</e>
-<e>
-<k>@goto_default_stmt</k>
-<v>61</v>
-</e>
-<e>
-<k>@throw_stmt</k>
-<v>50988</v>
-</e>
-<e>
-<k>@yield_stmt</k>
-<v>194</v>
-</e>
-<e>
-<k>@try_stmt</k>
-<v>2011</v>
-</e>
-<e>
-<k>@checked_stmt</k>
-<v>146</v>
-</e>
-<e>
-<k>@unchecked_stmt</k>
-<v>36</v>
-</e>
-<e>
-<k>@lock_stmt</k>
-<v>496</v>
-</e>
-<e>
-<k>@const_decl_stmt</k>
-<v>373</v>
-</e>
-<e>
-<k>@empty_stmt</k>
-<v>115</v>
-</e>
-<e>
-<k>@unsafe_stmt</k>
-<v>53</v>
-</e>
-<e>
-<k>@fixed_stmt</k>
-<v>496</v>
-</e>
-<e>
-<k>@label_stmt</k>
-<v>423</v>
-</e>
-<e>
-<k>@catch</k>
-<v>1719</v>
-</e>
-<e>
-<k>@case_stmt</k>
-<v>10966</v>
-</e>
-<e>
-<k>@local_function_stmt</k>
-<v>488</v>
-</e>
-<e>
-<k>@using_decl_stmt</k>
-<v>189</v>
-</e>
-<e>
-<k>@bool_literal_expr</k>
-<v>40242</v>
-</e>
-<e>
-<k>@int_literal_expr</k>
-<v>408062</v>
-</e>
-<e>
-<k>@long_literal_expr</k>
-<v>153</v>
-</e>
-<e>
-<k>@double_literal_expr</k>
-<v>337</v>
-</e>
-<e>
-<k>@string_literal_expr</k>
-<v>207177</v>
-</e>
-<e>
-<k>@null_literal_expr</k>
-<v>64946</v>
-</e>
-<e>
-<k>@local_variable_access_expr</k>
-<v>233847</v>
-</e>
-<e>
-<k>@parameter_access_expr</k>
-<v>146824</v>
-</e>
-<e>
-<k>@field_access_expr</k>
-<v>226547</v>
-</e>
-<e>
-<k>@property_access_expr</k>
-<v>168128</v>
-</e>
-<e>
-<k>@type_access_expr</k>
-<v>170095</v>
-</e>
-<e>
-<k>@typeof_expr</k>
-<v>23893</v>
-</e>
-<e>
-<k>@method_invocation_expr</k>
-<v>259436</v>
-</e>
-<e>
-<k>@cast_expr</k>
-<v>107752</v>
-</e>
-<e>
-<k>@object_creation_expr</k>
-<v>28063</v>
-</e>
-<e>
-<k>@array_creation_expr</k>
-<v>90105</v>
-</e>
-<e>
-<k>@array_init_expr</k>
-<v>89964</v>
-</e>
-<e>
-<k>@local_var_decl_expr</k>
-<v>72969</v>
-</e>
-<e>
-<k>@char_literal_expr</k>
-<v>8057</v>
-</e>
-<e>
-<k>@decimal_literal_expr</k>
-<v>49</v>
-</e>
-<e>
-<k>@uint_literal_expr</k>
-<v>811</v>
-</e>
-<e>
-<k>@ulong_literal_expr</k>
-<v>189</v>
-</e>
-<e>
-<k>@float_literal_expr</k>
-<v>123</v>
-</e>
-<e>
-<k>@this_access_expr</k>
-<v>293267</v>
-</e>
-<e>
-<k>@base_access_expr</k>
-<v>1617</v>
-</e>
-<e>
-<k>@method_access_expr</k>
-<v>3188</v>
-</e>
-<e>
-<k>@event_access_expr</k>
-<v>162</v>
-</e>
-<e>
-<k>@indexer_access_expr</k>
-<v>14740</v>
-</e>
-<e>
-<k>@array_access_expr</k>
-<v>10091</v>
-</e>
-<e>
-<k>@delegate_invocation_expr</k>
-<v>783</v>
-</e>
-<e>
-<k>@operator_invocation_expr</k>
-<v>12666</v>
-</e>
-<e>
-<k>@explicit_delegate_creation_expr</k>
-<v>482</v>
-</e>
-<e>
-<k>@implicit_delegate_creation_expr</k>
-<v>2546</v>
-</e>
-<e>
-<k>@default_expr</k>
-<v>3354</v>
-</e>
-<e>
-<k>@plus_expr</k>
-<v>12</v>
-</e>
-<e>
-<k>@minus_expr</k>
-<v>2658</v>
-</e>
-<e>
-<k>@bit_not_expr</k>
 <v>264</v>
 </e>
 <e>
+<k>@parameter</k>
+<v>2417427</v>
+</e>
+<e>
+<k>@block_stmt</k>
+<v>306459</v>
+</e>
+<e>
+<k>@expr_stmt</k>
+<v>367208</v>
+</e>
+<e>
+<k>@return_stmt</k>
+<v>94364</v>
+</e>
+<e>
+<k>@using_block_stmt</k>
+<v>1140</v>
+</e>
+<e>
+<k>@var_decl_stmt</k>
+<v>147598</v>
+</e>
+<e>
+<k>@if_stmt</k>
+<v>117703</v>
+</e>
+<e>
+<k>@switch_stmt</k>
+<v>3065</v>
+</e>
+<e>
+<k>@while_stmt</k>
+<v>4447</v>
+</e>
+<e>
+<k>@do_stmt</k>
+<v>981</v>
+</e>
+<e>
+<k>@for_stmt</k>
+<v>6794</v>
+</e>
+<e>
+<k>@foreach_stmt</k>
+<v>5352</v>
+</e>
+<e>
+<k>@break_stmt</k>
+<v>11004</v>
+</e>
+<e>
+<k>@continue_stmt</k>
+<v>2218</v>
+</e>
+<e>
+<k>@goto_stmt</k>
+<v>2733</v>
+</e>
+<e>
+<k>@goto_case_stmt</k>
+<v>329</v>
+</e>
+<e>
+<k>@goto_default_stmt</k>
+<v>145</v>
+</e>
+<e>
+<k>@throw_stmt</k>
+<v>75132</v>
+</e>
+<e>
+<k>@yield_stmt</k>
+<v>680</v>
+</e>
+<e>
+<k>@try_stmt</k>
+<v>4294</v>
+</e>
+<e>
+<k>@checked_stmt</k>
+<v>253</v>
+</e>
+<e>
+<k>@unchecked_stmt</k>
+<v>104</v>
+</e>
+<e>
+<k>@lock_stmt</k>
+<v>1523</v>
+</e>
+<e>
+<k>@const_decl_stmt</k>
+<v>799</v>
+</e>
+<e>
+<k>@empty_stmt</k>
+<v>351</v>
+</e>
+<e>
+<k>@unsafe_stmt</k>
+<v>182</v>
+</e>
+<e>
+<k>@fixed_stmt</k>
+<v>1149</v>
+</e>
+<e>
+<k>@label_stmt</k>
+<v>1017</v>
+</e>
+<e>
+<k>@catch</k>
+<v>3419</v>
+</e>
+<e>
+<k>@case_stmt</k>
+<v>22718</v>
+</e>
+<e>
+<k>@local_function_stmt</k>
+<v>1792</v>
+</e>
+<e>
+<k>@using_decl_stmt</k>
+<v>551</v>
+</e>
+<e>
+<k>@bool_literal_expr</k>
+<v>69328</v>
+</e>
+<e>
+<k>@int_literal_expr</k>
+<v>752491</v>
+</e>
+<e>
+<k>@long_literal_expr</k>
+<v>331</v>
+</e>
+<e>
+<k>@double_literal_expr</k>
+<v>864</v>
+</e>
+<e>
+<k>@string_literal_expr</k>
+<v>411643</v>
+</e>
+<e>
+<k>@null_literal_expr</k>
+<v>107815</v>
+</e>
+<e>
+<k>@local_variable_access_expr</k>
+<v>522589</v>
+</e>
+<e>
+<k>@parameter_access_expr</k>
+<v>353685</v>
+</e>
+<e>
+<k>@field_access_expr</k>
+<v>459628</v>
+</e>
+<e>
+<k>@property_access_expr</k>
+<v>359104</v>
+</e>
+<e>
+<k>@type_access_expr</k>
+<v>346616</v>
+</e>
+<e>
+<k>@typeof_expr</k>
+<v>33657</v>
+</e>
+<e>
+<k>@method_invocation_expr</k>
+<v>547072</v>
+</e>
+<e>
+<k>@cast_expr</k>
+<v>264239</v>
+</e>
+<e>
+<k>@object_creation_expr</k>
+<v>62511</v>
+</e>
+<e>
+<k>@array_creation_expr</k>
+<v>179799</v>
+</e>
+<e>
+<k>@array_init_expr</k>
+<v>179348</v>
+</e>
+<e>
+<k>@local_var_decl_expr</k>
+<v>163320</v>
+</e>
+<e>
+<k>@char_literal_expr</k>
+<v>16183</v>
+</e>
+<e>
+<k>@decimal_literal_expr</k>
+<v>93</v>
+</e>
+<e>
+<k>@uint_literal_expr</k>
+<v>2406</v>
+</e>
+<e>
+<k>@ulong_literal_expr</k>
+<v>390</v>
+</e>
+<e>
+<k>@float_literal_expr</k>
+<v>454</v>
+</e>
+<e>
+<k>@this_access_expr</k>
+<v>591816</v>
+</e>
+<e>
+<k>@base_access_expr</k>
+<v>2840</v>
+</e>
+<e>
+<k>@method_access_expr</k>
+<v>9222</v>
+</e>
+<e>
+<k>@event_access_expr</k>
+<v>433</v>
+</e>
+<e>
+<k>@indexer_access_expr</k>
+<v>30757</v>
+</e>
+<e>
+<k>@array_access_expr</k>
+<v>19356</v>
+</e>
+<e>
+<k>@delegate_invocation_expr</k>
+<v>2001</v>
+</e>
+<e>
+<k>@operator_invocation_expr</k>
+<v>29946</v>
+</e>
+<e>
+<k>@explicit_delegate_creation_expr</k>
+<v>679</v>
+</e>
+<e>
+<k>@implicit_delegate_creation_expr</k>
+<v>5109</v>
+</e>
+<e>
+<k>@default_expr</k>
+<v>6144</v>
+</e>
+<e>
+<k>@plus_expr</k>
+<v>45</v>
+</e>
+<e>
+<k>@minus_expr</k>
+<v>7069</v>
+</e>
+<e>
+<k>@bit_not_expr</k>
+<v>738</v>
+</e>
+<e>
 <k>@log_not_expr</k>
-<v>12491</v>
+<v>26384</v>
 </e>
 <e>
 <k>@post_incr_expr</k>
-<v>5382</v>
+<v>12312</v>
 </e>
 <e>
 <k>@post_decr_expr</k>
-<v>698</v>
+<v>1697</v>
 </e>
 <e>
 <k>@pre_incr_expr</k>
-<v>671</v>
+<v>1261</v>
 </e>
 <e>
 <k>@pre_decr_expr</k>
-<v>125</v>
+<v>406</v>
 </e>
 <e>
 <k>@mul_expr</k>
-<v>1387</v>
+<v>4626</v>
 </e>
 <e>
 <k>@div_expr</k>
-<v>612</v>
+<v>1791</v>
 </e>
 <e>
 <k>@rem_expr</k>
-<v>276</v>
+<v>704</v>
 </e>
 <e>
 <k>@add_expr</k>
-<v>12723</v>
+<v>27751</v>
 </e>
 <e>
 <k>@sub_expr</k>
-<v>4948</v>
+<v>12573</v>
 </e>
 <e>
 <k>@lshift_expr</k>
-<v>914</v>
+<v>4121</v>
 </e>
 <e>
 <k>@rshift_expr</k>
-<v>707</v>
+<v>1763</v>
 </e>
 <e>
 <k>@lt_expr</k>
-<v>6804</v>
+<v>15922</v>
 </e>
 <e>
 <k>@gt_expr</k>
-<v>3980</v>
+<v>9379</v>
 </e>
 <e>
 <k>@le_expr</k>
-<v>1422</v>
+<v>3829</v>
 </e>
 <e>
 <k>@ge_expr</k>
-<v>2380</v>
+<v>6014</v>
 </e>
 <e>
 <k>@eq_expr</k>
-<v>23261</v>
+<v>53515</v>
 </e>
 <e>
 <k>@ne_expr</k>
-<v>16042</v>
+<v>37219</v>
 </e>
 <e>
 <k>@bit_and_expr</k>
-<v>2303</v>
+<v>6298</v>
 </e>
 <e>
 <k>@bit_xor_expr</k>
-<v>217</v>
+<v>528</v>
 </e>
 <e>
 <k>@bit_or_expr</k>
-<v>6954</v>
+<v>15227</v>
 </e>
 <e>
 <k>@log_and_expr</k>
-<v>9148</v>
+<v>21263</v>
 </e>
 <e>
 <k>@log_or_expr</k>
-<v>6420</v>
+<v>14197</v>
 </e>
 <e>
 <k>@is_expr</k>
-<v>3108</v>
+<v>6486</v>
 </e>
 <e>
 <k>@as_expr</k>
-<v>1363</v>
+<v>2728</v>
 </e>
 <e>
 <k>@null_coalescing_expr</k>
-<v>1422</v>
+<v>3615</v>
 </e>
 <e>
 <k>@conditional_expr</k>
-<v>3413</v>
+<v>8972</v>
 </e>
 <e>
 <k>@simple_assign_expr</k>
-<v>79093</v>
+<v>167202</v>
 </e>
 <e>
 <k>@assign_add_expr</k>
@@ -737,67 +737,67 @@
 </e>
 <e>
 <k>@assign_sub_expr</k>
-<v>434</v>
+<v>1021</v>
 </e>
 <e>
 <k>@assign_mul_expr</k>
-<v>81</v>
+<v>182</v>
 </e>
 <e>
 <k>@assign_div_expr</k>
-<v>44</v>
+<v>99</v>
 </e>
 <e>
 <k>@assign_rem_expr</k>
-<v>3</v>
+<v>14</v>
 </e>
 <e>
 <k>@assign_and_expr</k>
-<v>103</v>
+<v>340</v>
 </e>
 <e>
 <k>@assign_xor_expr</k>
-<v>49</v>
+<v>114</v>
 </e>
 <e>
 <k>@assign_or_expr</k>
-<v>562</v>
+<v>1412</v>
 </e>
 <e>
 <k>@assign_lshift_expr</k>
-<v>31</v>
+<v>118</v>
 </e>
 <e>
 <k>@assign_rshift_expr</k>
-<v>64</v>
+<v>216</v>
 </e>
 <e>
 <k>@object_init_expr</k>
-<v>3456</v>
+<v>7685</v>
 </e>
 <e>
 <k>@collection_init_expr</k>
-<v>265</v>
+<v>594</v>
 </e>
 <e>
 <k>@checked_expr</k>
-<v>140</v>
+<v>326</v>
 </e>
 <e>
 <k>@unchecked_expr</k>
-<v>609</v>
+<v>1421</v>
 </e>
 <e>
 <k>@constructor_init_expr</k>
-<v>3163</v>
+<v>5796</v>
 </e>
 <e>
 <k>@add_event_expr</k>
-<v>63</v>
+<v>172</v>
 </e>
 <e>
 <k>@remove_event_expr</k>
-<v>53</v>
+<v>121</v>
 </e>
 <e>
 <k>@par_expr</k>
@@ -805,11 +805,11 @@
 </e>
 <e>
 <k>@lambda_expr</k>
-<v>23125</v>
+<v>48769</v>
 </e>
 <e>
 <k>@anonymous_method_expr</k>
-<v>41</v>
+<v>86</v>
 </e>
 <e>
 <k>@namespace_expr</k>
@@ -817,35 +817,35 @@
 </e>
 <e>
 <k>@dynamic_element_access_expr</k>
-<v>117</v>
+<v>331</v>
 </e>
 <e>
 <k>@dynamic_member_access_expr</k>
-<v>2975</v>
+<v>6843</v>
 </e>
 <e>
 <k>@pointer_indirection_expr</k>
-<v>1878</v>
+<v>4141</v>
 </e>
 <e>
 <k>@address_of_expr</k>
-<v>475</v>
+<v>1289</v>
 </e>
 <e>
 <k>@sizeof_expr</k>
-<v>255</v>
+<v>1061</v>
 </e>
 <e>
 <k>@await_expr</k>
-<v>25782</v>
+<v>54750</v>
 </e>
 <e>
 <k>@nameof_expr</k>
-<v>5774</v>
+<v>15584</v>
 </e>
 <e>
 <k>@interpolated_string_expr</k>
-<v>894</v>
+<v>3042</v>
 </e>
 <e>
 <k>@unknown_expr</k>
@@ -853,71 +853,71 @@
 </e>
 <e>
 <k>@throw_expr</k>
-<v>643</v>
+<v>1527</v>
 </e>
 <e>
 <k>@tuple_expr</k>
-<v>440</v>
+<v>1450</v>
 </e>
 <e>
 <k>@local_function_invocation_expr</k>
-<v>1187</v>
+<v>7490</v>
 </e>
 <e>
 <k>@ref_expr</k>
-<v>124</v>
+<v>459</v>
 </e>
 <e>
 <k>@discard_expr</k>
-<v>317</v>
+<v>903</v>
 </e>
 <e>
 <k>@range_expr</k>
-<v>15</v>
+<v>33</v>
 </e>
 <e>
 <k>@index_expr</k>
-<v>21</v>
+<v>47</v>
 </e>
 <e>
 <k>@switch_expr</k>
-<v>199</v>
+<v>508</v>
 </e>
 <e>
 <k>@recursive_pattern_expr</k>
-<v>199</v>
+<v>1011</v>
 </e>
 <e>
 <k>@property_pattern_expr</k>
-<v>154</v>
+<v>836</v>
 </e>
 <e>
 <k>@positional_pattern_expr</k>
-<v>45</v>
+<v>172</v>
 </e>
 <e>
 <k>@switch_case_expr</k>
-<v>2068</v>
+<v>4334</v>
 </e>
 <e>
 <k>@assign_coalesce_expr</k>
-<v>183</v>
+<v>544</v>
 </e>
 <e>
 <k>@suppress_nullable_warning_expr</k>
-<v>5940</v>
+<v>13849</v>
 </e>
 <e>
 <k>@namespace_access_expr</k>
-<v>11</v>
+<v>20</v>
 </e>
 <e>
 <k>@lt_pattern_expr</k>
-<v>1</v>
+<v>2</v>
 </e>
 <e>
 <k>@gt_pattern_expr</k>
-<v>2</v>
+<v>5</v>
 </e>
 <e>
 <k>@le_pattern_expr</k>
@@ -929,27 +929,27 @@
 </e>
 <e>
 <k>@not_pattern_expr</k>
-<v>19</v>
+<v>70</v>
 </e>
 <e>
 <k>@and_pattern_expr</k>
-<v>2</v>
+<v>3</v>
 </e>
 <e>
 <k>@or_pattern_expr</k>
-<v>21</v>
+<v>34</v>
 </e>
 <e>
 <k>@function_pointer_invocation_expr</k>
-<v>4</v>
+<v>6</v>
 </e>
 <e>
 <k>@define_symbol_expr</k>
-<v>3314</v>
+<v>6226</v>
 </e>
 <e>
 <k>@xmldtd</k>
-<v>5</v>
+<v>6</v>
 </e>
 <e>
 <k>@xmlelement</k>
@@ -973,19 +973,19 @@
 </e>
 <e>
 <k>@singlelinecomment</k>
-<v>86064</v>
+<v>189072</v>
 </e>
 <e>
 <k>@multilinecomment</k>
-<v>7533</v>
+<v>22567</v>
 </e>
 <e>
 <k>@xmldoccomment</k>
-<v>638</v>
+<v>207952</v>
 </e>
 <e>
 <k>@commentblock</k>
-<v>42325</v>
+<v>147802</v>
 </e>
 <e>
 <k>@asp_close_tag</k>
@@ -1025,7 +1025,7 @@
 </e>
 <e>
 <k>@cil_nop</k>
-<v>712327</v>
+<v>837337</v>
 </e>
 <e>
 <k>@cil_break</k>
@@ -1033,147 +1033,147 @@
 </e>
 <e>
 <k>@cil_ldarg_0</k>
-<v>2043128</v>
+<v>3969647</v>
 </e>
 <e>
 <k>@cil_ldarg_1</k>
-<v>625320</v>
+<v>1214950</v>
 </e>
 <e>
 <k>@cil_ldarg_2</k>
-<v>228137</v>
+<v>443253</v>
 </e>
 <e>
 <k>@cil_ldarg_3</k>
-<v>107503</v>
+<v>208870</v>
 </e>
 <e>
 <k>@cil_ldloc_0</k>
-<v>477604</v>
+<v>927950</v>
 </e>
 <e>
 <k>@cil_ldloc_1</k>
-<v>253859</v>
+<v>493230</v>
 </e>
 <e>
 <k>@cil_ldloc_2</k>
-<v>148392</v>
+<v>288314</v>
 </e>
 <e>
 <k>@cil_ldloc_3</k>
-<v>98711</v>
+<v>191789</v>
 </e>
 <e>
 <k>@cil_stloc_0</k>
-<v>269813</v>
+<v>524227</v>
 </e>
 <e>
 <k>@cil_stloc_1</k>
-<v>133892</v>
+<v>260143</v>
 </e>
 <e>
 <k>@cil_stloc_2</k>
-<v>101925</v>
+<v>198033</v>
 </e>
 <e>
 <k>@cil_stloc_3</k>
-<v>71081</v>
+<v>138105</v>
 </e>
 <e>
 <k>@cil_ldarg_s</k>
-<v>135953</v>
+<v>264147</v>
 </e>
 <e>
 <k>@cil_ldarga_s</k>
-<v>38429</v>
+<v>74666</v>
 </e>
 <e>
 <k>@cil_starg_s</k>
-<v>19107</v>
+<v>37123</v>
 </e>
 <e>
 <k>@cil_ldloc_s</k>
-<v>352774</v>
+<v>685414</v>
 </e>
 <e>
 <k>@cil_ldloca_s</k>
-<v>323414</v>
+<v>628370</v>
 </e>
 <e>
 <k>@cil_stloc_s</k>
-<v>247141</v>
+<v>480177</v>
 </e>
 <e>
 <k>@cil_ldnull</k>
-<v>310296</v>
+<v>602882</v>
 </e>
 <e>
 <k>@cil_ldc_i4_m1</k>
-<v>64864</v>
+<v>126026</v>
 </e>
 <e>
 <k>@cil_ldc_i4_0</k>
-<v>321534</v>
+<v>624717</v>
 </e>
 <e>
 <k>@cil_ldc_i4_1</k>
-<v>254240</v>
+<v>493970</v>
 </e>
 <e>
 <k>@cil_ldc_i4_2</k>
-<v>62207</v>
+<v>120863</v>
 </e>
 <e>
 <k>@cil_ldc_i4_3</k>
-<v>32972</v>
+<v>64062</v>
 </e>
 <e>
 <k>@cil_ldc_i4_4</k>
-<v>30262</v>
+<v>58797</v>
 </e>
 <e>
 <k>@cil_ldc_i4_5</k>
-<v>19881</v>
+<v>38628</v>
 </e>
 <e>
 <k>@cil_ldc_i4_6</k>
-<v>11957</v>
+<v>23232</v>
 </e>
 <e>
 <k>@cil_ldc_i4_7</k>
-<v>10666</v>
+<v>20724</v>
 </e>
 <e>
 <k>@cil_ldc_i4_8</k>
-<v>17209</v>
+<v>33436</v>
 </e>
 <e>
 <k>@cil_ldc_i4_s</k>
-<v>217583</v>
+<v>422748</v>
 </e>
 <e>
 <k>@cil_ldc_i4</k>
-<v>262565</v>
+<v>510146</v>
 </e>
 <e>
 <k>@cil_ldc_i8</k>
-<v>2511</v>
+<v>4880</v>
 </e>
 <e>
 <k>@cil_ldc_r4</k>
-<v>5274</v>
+<v>10247</v>
 </e>
 <e>
 <k>@cil_ldc_r8</k>
-<v>5309</v>
+<v>10315</v>
 </e>
 <e>
 <k>@cil_dup</k>
-<v>432865</v>
+<v>841025</v>
 </e>
 <e>
 <k>@cil_pop</k>
-<v>131816</v>
+<v>256110</v>
 </e>
 <e>
 <k>@cil_jmp</k>
@@ -1181,7 +1181,7 @@
 </e>
 <e>
 <k>@cil_call</k>
-<v>1409225</v>
+<v>2738019</v>
 </e>
 <e>
 <k>@cil_calli</k>
@@ -1189,283 +1189,283 @@
 </e>
 <e>
 <k>@cil_ret</k>
-<v>918306</v>
+<v>1784201</v>
 </e>
 <e>
 <k>@cil_br_s</k>
-<v>191079</v>
+<v>345383</v>
 </e>
 <e>
 <k>@cil_brfalse_s</k>
-<v>239525</v>
+<v>465380</v>
 </e>
 <e>
 <k>@cil_brtrue_s</k>
-<v>221401</v>
+<v>430166</v>
 </e>
 <e>
 <k>@cil_beq_s</k>
-<v>42285</v>
+<v>82157</v>
 </e>
 <e>
 <k>@cil_bge_s</k>
-<v>17953</v>
+<v>34883</v>
 </e>
 <e>
 <k>@cil_bgt_s</k>
-<v>8480</v>
+<v>16477</v>
 </e>
 <e>
 <k>@cil_ble_s</k>
-<v>15010</v>
+<v>29165</v>
 </e>
 <e>
 <k>@cil_blt_s</k>
-<v>31322</v>
+<v>60858</v>
 </e>
 <e>
 <k>@cil_bne_un_s</k>
-<v>52771</v>
+<v>102530</v>
 </e>
 <e>
 <k>@cil_bge_un_s</k>
-<v>1123</v>
+<v>2182</v>
 </e>
 <e>
 <k>@cil_bgt_un_s</k>
-<v>4489</v>
+<v>8723</v>
 </e>
 <e>
 <k>@cil_ble_un_s</k>
-<v>3146</v>
+<v>6112</v>
 </e>
 <e>
 <k>@cil_blt_un_s</k>
-<v>754</v>
+<v>1466</v>
 </e>
 <e>
 <k>@cil_br</k>
-<v>49429</v>
+<v>96038</v>
 </e>
 <e>
 <k>@cil_brfalse</k>
-<v>16652</v>
+<v>32355</v>
 </e>
 <e>
 <k>@cil_brtrue</k>
-<v>14050</v>
+<v>27299</v>
 </e>
 <e>
 <k>@cil_beq</k>
-<v>11057</v>
+<v>21484</v>
 </e>
 <e>
 <k>@cil_bge</k>
-<v>714</v>
+<v>1388</v>
 </e>
 <e>
 <k>@cil_bgt</k>
-<v>752</v>
+<v>1461</v>
 </e>
 <e>
 <k>@cil_ble</k>
-<v>2386</v>
+<v>4636</v>
 </e>
 <e>
 <k>@cil_blt</k>
-<v>4078</v>
+<v>7924</v>
 </e>
 <e>
 <k>@cil_bne_un</k>
-<v>3720</v>
+<v>7227</v>
 </e>
 <e>
 <k>@cil_bge_un</k>
-<v>140</v>
+<v>142</v>
 </e>
 <e>
 <k>@cil_bgt_un</k>
-<v>355</v>
+<v>691</v>
 </e>
 <e>
 <k>@cil_ble_un</k>
-<v>566</v>
+<v>1100</v>
 </e>
 <e>
 <k>@cil_blt_un</k>
-<v>92</v>
+<v>180</v>
 </e>
 <e>
 <k>@cil_switch</k>
-<v>12275</v>
+<v>23851</v>
 </e>
 <e>
 <k>@cil_ldind_i1</k>
-<v>75</v>
+<v>88</v>
 </e>
 <e>
 <k>@cil_ldind_u1</k>
-<v>3165</v>
+<v>5503</v>
 </e>
 <e>
 <k>@cil_ldind_i2</k>
-<v>263</v>
+<v>511</v>
 </e>
 <e>
 <k>@cil_ldind_u2</k>
-<v>2123</v>
+<v>2496</v>
 </e>
 <e>
 <k>@cil_ldind_i4</k>
-<v>5026</v>
+<v>9765</v>
 </e>
 <e>
 <k>@cil_ldind_u4</k>
-<v>762</v>
+<v>1480</v>
 </e>
 <e>
 <k>@cil_ldind_i8</k>
-<v>1012</v>
+<v>1967</v>
 </e>
 <e>
 <k>@cil_ldind_i</k>
-<v>212</v>
+<v>249</v>
 </e>
 <e>
 <k>@cil_ldind_r4</k>
-<v>360</v>
+<v>701</v>
 </e>
 <e>
 <k>@cil_ldind_r8</k>
-<v>135</v>
+<v>263</v>
 </e>
 <e>
 <k>@cil_ldind_ref</k>
-<v>3421</v>
+<v>6648</v>
 </e>
 <e>
 <k>@cil_stind_ref</k>
-<v>8706</v>
+<v>16915</v>
 </e>
 <e>
 <k>@cil_stind_i1</k>
-<v>4381</v>
+<v>8513</v>
 </e>
 <e>
 <k>@cil_stind_i2</k>
-<v>1195</v>
+<v>1405</v>
 </e>
 <e>
 <k>@cil_stind_i4</k>
-<v>5705</v>
+<v>10350</v>
 </e>
 <e>
 <k>@cil_stind_i8</k>
-<v>1205</v>
+<v>2342</v>
 </e>
 <e>
 <k>@cil_stind_r4</k>
-<v>105</v>
+<v>185</v>
 </e>
 <e>
 <k>@cil_stind_r8</k>
-<v>115</v>
+<v>224</v>
 </e>
 <e>
 <k>@cil_add</k>
-<v>115141</v>
+<v>223711</v>
 </e>
 <e>
 <k>@cil_sub</k>
-<v>43842</v>
+<v>85181</v>
 </e>
 <e>
 <k>@cil_mul</k>
-<v>15396</v>
+<v>29915</v>
 </e>
 <e>
 <k>@cil_div</k>
-<v>4690</v>
+<v>9112</v>
 </e>
 <e>
 <k>@cil_div_un</k>
-<v>194</v>
+<v>253</v>
 </e>
 <e>
 <k>@cil_rem</k>
-<v>1752</v>
+<v>3404</v>
 </e>
 <e>
 <k>@cil_rem_un</k>
-<v>117</v>
+<v>228</v>
 </e>
 <e>
 <k>@cil_and</k>
-<v>30503</v>
+<v>59265</v>
 </e>
 <e>
 <k>@cil_or</k>
-<v>11386</v>
+<v>22122</v>
 </e>
 <e>
 <k>@cil_xor</k>
-<v>11676</v>
+<v>22687</v>
 </e>
 <e>
 <k>@cil_shl</k>
-<v>9751</v>
+<v>18946</v>
 </e>
 <e>
 <k>@cil_shr</k>
-<v>4717</v>
+<v>9166</v>
 </e>
 <e>
 <k>@cil_shr_un</k>
-<v>13421</v>
+<v>26077</v>
 </e>
 <e>
 <k>@cil_neg</k>
-<v>1200</v>
+<v>2333</v>
 </e>
 <e>
 <k>@cil_not</k>
-<v>749</v>
+<v>1456</v>
 </e>
 <e>
 <k>@cil_conv_i1</k>
-<v>711</v>
+<v>1383</v>
 </e>
 <e>
 <k>@cil_conv_i2</k>
-<v>744</v>
+<v>1446</v>
 </e>
 <e>
 <k>@cil_conv_i4</k>
-<v>30731</v>
+<v>59708</v>
 </e>
 <e>
 <k>@cil_conv_i8</k>
-<v>25852</v>
+<v>50230</v>
 </e>
 <e>
 <k>@cil_conv_r4</k>
-<v>1268</v>
+<v>2464</v>
 </e>
 <e>
 <k>@cil_conv_r8</k>
-<v>2714</v>
+<v>5274</v>
 </e>
 <e>
 <k>@cil_conv_u4</k>
-<v>4025</v>
+<v>7822</v>
 </e>
 <e>
 <k>@cil_conv_u8</k>
-<v>10047</v>
+<v>19521</v>
 </e>
 <e>
 <k>@cil_callvirt</k>
-<v>1054079</v>
+<v>2047997</v>
 </e>
 <e>
 <k>@cil_cpobj</k>
@@ -1473,27 +1473,27 @@
 </e>
 <e>
 <k>@cil_ldobj</k>
-<v>6505</v>
+<v>12639</v>
 </e>
 <e>
 <k>@cil_ldstr</k>
-<v>476424</v>
+<v>925656</v>
 </e>
 <e>
 <k>@cil_newobj</k>
-<v>337788</v>
+<v>656298</v>
 </e>
 <e>
 <k>@cil_castclass</k>
-<v>49901</v>
+<v>96954</v>
 </e>
 <e>
 <k>@cil_isinst</k>
-<v>29019</v>
+<v>56382</v>
 </e>
 <e>
 <k>@cil_conv_r_un</k>
-<v>135</v>
+<v>263</v>
 </e>
 <e>
 <k>@cil_unbox</k>
@@ -1501,59 +1501,59 @@
 </e>
 <e>
 <k>@cil_throw</k>
-<v>271796</v>
+<v>380778</v>
 </e>
 <e>
 <k>@cil_ldfld</k>
-<v>861960</v>
+<v>1674725</v>
 </e>
 <e>
 <k>@cil_ldflda</k>
-<v>154586</v>
+<v>300350</v>
 </e>
 <e>
 <k>@cil_stfld</k>
-<v>551659</v>
+<v>1071833</v>
 </e>
 <e>
 <k>@cil_ldsfld</k>
-<v>209405</v>
+<v>406860</v>
 </e>
 <e>
 <k>@cil_ldsflda</k>
-<v>1301</v>
+<v>2527</v>
 </e>
 <e>
 <k>@cil_stsfld</k>
-<v>67303</v>
+<v>130765</v>
 </e>
 <e>
 <k>@cil_stobj</k>
-<v>3609</v>
+<v>7013</v>
 </e>
 <e>
 <k>@cil_conv_ovf_i1_un</k>
-<v>10</v>
+<v>19</v>
 </e>
 <e>
 <k>@cil_conv_ovf_i2_un</k>
-<v>7</v>
+<v>14</v>
 </e>
 <e>
 <k>@cil_conv_ovf_i4_un</k>
-<v>87</v>
+<v>170</v>
 </e>
 <e>
 <k>@cil_conv_ovf_i8_un</k>
-<v>15</v>
+<v>29</v>
 </e>
 <e>
 <k>@cil_conv_ovf_u1_un</k>
-<v>10</v>
+<v>19</v>
 </e>
 <e>
 <k>@cil_conv_ovf_u2_un</k>
-<v>5</v>
+<v>9</v>
 </e>
 <e>
 <k>@cil_conv_ovf_u4_un</k>
@@ -1565,7 +1565,7 @@
 </e>
 <e>
 <k>@cil_conv_ovf_i_un</k>
-<v>67</v>
+<v>131</v>
 </e>
 <e>
 <k>@cil_conv_ovf_u_un</k>
@@ -1573,139 +1573,139 @@
 </e>
 <e>
 <k>@cil_box</k>
-<v>41044</v>
+<v>79746</v>
 </e>
 <e>
 <k>@cil_newarr</k>
-<v>57634</v>
+<v>111979</v>
 </e>
 <e>
 <k>@cil_ldlen</k>
-<v>28445</v>
+<v>55266</v>
 </e>
 <e>
 <k>@cil_ldelema</k>
-<v>5073</v>
+<v>9858</v>
 </e>
 <e>
 <k>@cil_ldelem_i1</k>
-<v>90</v>
+<v>175</v>
 </e>
 <e>
 <k>@cil_ldelem_u1</k>
-<v>8006</v>
+<v>15556</v>
 </e>
 <e>
 <k>@cil_ldelem_i2</k>
-<v>220</v>
+<v>428</v>
 </e>
 <e>
 <k>@cil_ldelem_u2</k>
-<v>3131</v>
+<v>6083</v>
 </e>
 <e>
 <k>@cil_ldelem_i4</k>
-<v>9039</v>
+<v>17563</v>
 </e>
 <e>
 <k>@cil_ldelem_u4</k>
-<v>9826</v>
+<v>19092</v>
 </e>
 <e>
 <k>@cil_ldelem_i8</k>
-<v>6129</v>
+<v>11908</v>
 </e>
 <e>
 <k>@cil_ldelem_i</k>
-<v>7</v>
+<v>14</v>
 </e>
 <e>
 <k>@cil_ldelem_r4</k>
-<v>145</v>
+<v>282</v>
 </e>
 <e>
 <k>@cil_ldelem_r8</k>
-<v>235</v>
+<v>457</v>
 </e>
 <e>
 <k>@cil_ldelem_ref</k>
-<v>15783</v>
+<v>30665</v>
 </e>
 <e>
 <k>@cil_stelem_i</k>
-<v>11</v>
+<v>14</v>
 </e>
 <e>
 <k>@cil_stelem_i1</k>
-<v>4519</v>
+<v>8781</v>
 </e>
 <e>
 <k>@cil_stelem_i2</k>
-<v>4620</v>
+<v>8976</v>
 </e>
 <e>
 <k>@cil_stelem_i4</k>
-<v>11734</v>
+<v>22799</v>
 </e>
 <e>
 <k>@cil_stelem_i8</k>
-<v>4845</v>
+<v>9414</v>
 </e>
 <e>
 <k>@cil_stelem_r4</k>
-<v>102</v>
+<v>199</v>
 </e>
 <e>
 <k>@cil_stelem_r8</k>
-<v>245</v>
+<v>477</v>
 </e>
 <e>
 <k>@cil_stelem_ref</k>
-<v>186586</v>
+<v>362523</v>
 </e>
 <e>
 <k>@cil_ldelem</k>
-<v>1170</v>
+<v>2274</v>
 </e>
 <e>
 <k>@cil_stelem</k>
-<v>27565</v>
+<v>53557</v>
 </e>
 <e>
 <k>@cil_unbox_any</k>
-<v>7397</v>
+<v>14373</v>
 </e>
 <e>
 <k>@cil_conv_ovf_i1</k>
-<v>12</v>
+<v>24</v>
 </e>
 <e>
 <k>@cil_conv_ovf_u1</k>
-<v>57</v>
+<v>112</v>
 </e>
 <e>
 <k>@cil_conv_ovf_i2</k>
-<v>40</v>
+<v>77</v>
 </e>
 <e>
 <k>@cil_conv_ovf_u2</k>
-<v>27</v>
+<v>53</v>
 </e>
 <e>
 <k>@cil_conv_ovf_i4</k>
-<v>147</v>
+<v>287</v>
 </e>
 <e>
 <k>@cil_conv_ovf_u4</k>
-<v>40</v>
+<v>77</v>
 </e>
 <e>
 <k>@cil_conv_ovf_i8</k>
-<v>7</v>
+<v>14</v>
 </e>
 <e>
 <k>@cil_conv_ovf_u8</k>
-<v>23</v>
+<v>29</v>
 </e>
 <e>
 <k>@cil_refanyval</k>
@@ -1721,23 +1721,23 @@
 </e>
 <e>
 <k>@cil_ldtoken</k>
-<v>36662</v>
+<v>71232</v>
 </e>
 <e>
 <k>@cil_conv_u2</k>
-<v>2231</v>
+<v>4334</v>
 </e>
 <e>
 <k>@cil_conv_u1</k>
-<v>5788</v>
+<v>11246</v>
 </e>
 <e>
 <k>@cil_conv_i</k>
-<v>3181</v>
+<v>3740</v>
 </e>
 <e>
 <k>@cil_conv_ovf_i</k>
-<v>137</v>
+<v>267</v>
 </e>
 <e>
 <k>@cil_conv_ovf_u</k>
@@ -1745,47 +1745,47 @@
 </e>
 <e>
 <k>@cil_add_ovf</k>
-<v>889</v>
+<v>1729</v>
 </e>
 <e>
 <k>@cil_add_ovf_un</k>
-<v>77</v>
+<v>150</v>
 </e>
 <e>
 <k>@cil_mul_ovf</k>
-<v>228</v>
+<v>443</v>
 </e>
 <e>
 <k>@cil_mul_ovf_un</k>
-<v>195</v>
+<v>253</v>
 </e>
 <e>
 <k>@cil_sub_ovf</k>
-<v>571</v>
+<v>1110</v>
 </e>
 <e>
 <k>@cil_sub_ovf_un</k>
-<v>15</v>
+<v>29</v>
 </e>
 <e>
 <k>@cil_endfinally</k>
-<v>29252</v>
+<v>56834</v>
 </e>
 <e>
 <k>@cil_leave</k>
-<v>34373</v>
+<v>66785</v>
 </e>
 <e>
 <k>@cil_leave_s</k>
-<v>76776</v>
+<v>149171</v>
 </e>
 <e>
 <k>@cil_stind_i</k>
-<v>108</v>
+<v>127</v>
 </e>
 <e>
 <k>@cil_conv_u</k>
-<v>5046</v>
+<v>5932</v>
 </e>
 <e>
 <k>@cil_arglist</k>
@@ -1793,31 +1793,31 @@
 </e>
 <e>
 <k>@cil_ceq</k>
-<v>84249</v>
+<v>99035</v>
 </e>
 <e>
 <k>@cil_cgt</k>
-<v>10049</v>
+<v>11813</v>
 </e>
 <e>
 <k>@cil_cgt_un</k>
-<v>31892</v>
+<v>37489</v>
 </e>
 <e>
 <k>@cil_clt</k>
-<v>16960</v>
+<v>19937</v>
 </e>
 <e>
 <k>@cil_clt_un</k>
-<v>1141</v>
+<v>1341</v>
 </e>
 <e>
 <k>@cil_ldftn</k>
-<v>41092</v>
+<v>79838</v>
 </e>
 <e>
 <k>@cil_ldvirtftn</k>
-<v>571</v>
+<v>1110</v>
 </e>
 <e>
 <k>@cil_ldarg</k>
@@ -1845,11 +1845,11 @@
 </e>
 <e>
 <k>@cil_localloc</k>
-<v>849</v>
+<v>999</v>
 </e>
 <e>
 <k>@cil_endfilter</k>
-<v>416</v>
+<v>808</v>
 </e>
 <e>
 <k>@cil_unaligned</k>
@@ -1857,7 +1857,7 @@
 </e>
 <e>
 <k>@cil_volatile</k>
-<v>4389</v>
+<v>8528</v>
 </e>
 <e>
 <k>@cil_tail</k>
@@ -1865,27 +1865,27 @@
 </e>
 <e>
 <k>@cil_initobj</k>
-<v>52322</v>
+<v>101659</v>
 </e>
 <e>
 <k>@cil_constrained</k>
-<v>13012</v>
+<v>25283</v>
 </e>
 <e>
 <k>@cil_cpblk</k>
-<v>10</v>
+<v>19</v>
 </e>
 <e>
 <k>@cil_initblk</k>
-<v>2</v>
+<v>4</v>
 </e>
 <e>
 <k>@cil_rethrow</k>
-<v>1937</v>
+<v>3764</v>
 </e>
 <e>
 <k>@cil_sizeof</k>
-<v>889</v>
+<v>1729</v>
 </e>
 <e>
 <k>@cil_refanytype</k>
@@ -1893,23 +1893,23 @@
 </e>
 <e>
 <k>@cil_readonly</k>
-<v>17</v>
+<v>34</v>
 </e>
 <e>
 <k>@cil_valueorreftype</k>
-<v>306365</v>
+<v>595245</v>
 </e>
 <e>
 <k>@cil_typeparameter</k>
-<v>95089</v>
+<v>184751</v>
 </e>
 <e>
 <k>@cil_array_type</k>
-<v>7292</v>
+<v>14168</v>
 </e>
 <e>
 <k>@cil_pointer_type</k>
-<v>308</v>
+<v>599</v>
 </e>
 <e>
 <k>@cil_function_pointer_type</k>
@@ -1917,64 +1917,64 @@
 </e>
 <e>
 <k>@cil_method</k>
-<v>1189816</v>
+<v>2311725</v>
 </e>
 <e>
 <k>@cil_method_implementation</k>
-<v>888189</v>
+<v>1725686</v>
 </e>
 <e>
 <k>@cil_field</k>
-<v>518960</v>
+<v>1008300</v>
 </e>
 <e>
 <k>@cil_parameter</k>
-<v>2339980</v>
+<v>4546408</v>
 </e>
 <e>
 <k>@cil_property</k>
-<v>195525</v>
+<v>379891</v>
 </e>
 <e>
 <k>@cil_event</k>
-<v>10726</v>
+<v>20841</v>
 </e>
 <e>
 <k>@cil_local_variable</k>
-<v>592197</v>
+<v>1150595</v>
 </e>
 <e>
 <k>@cil_catch_handler</k>
-<v>22546</v>
+<v>43806</v>
 </e>
 <e>
 <k>@cil_filter_handler</k>
-<v>416</v>
+<v>808</v>
 </e>
 <e>
 <k>@cil_finally_handler</k>
-<v>28495</v>
+<v>55364</v>
 </e>
 <e>
 <k>@cil_fault_handler</k>
-<v>757</v>
+<v>1470</v>
 </e>
 <e>
 <k>@cil_attribute</k>
-<v>168950</v>
+<v>328258</v>
 </e>
 </typesizes>
   <stats><relation>
 <name>compilations</name>
-<cardinality>564</cardinality>
+<cardinality>1095</cardinality>
 <columnsizes>
 <e>
 <k>id</k>
-<v>564</v>
+<v>1095</v>
 </e>
 <e>
 <k>cwd</k>
-<v>403</v>
+<v>784</v>
 </e>
 </columnsizes>
 <dependencies>
@@ -1988,7 +1988,7 @@
 <b>
 <a>1</a>
 <b>2</b>
-<v>564</v>
+<v>1095</v>
 </b>
 </bs>
 </hist>
@@ -2004,12 +2004,12 @@
 <b>
 <a>1</a>
 <b>2</b>
-<v>243</v>
+<v>472</v>
 </b>
 <b>
 <a>2</a>
 <b>3</b>
-<v>160</v>
+<v>311</v>
 </b>
 </bs>
 </hist>
@@ -2019,19 +2019,19 @@
 </relation>
 <relation>
 <name>compilation_args</name>
-<cardinality>2524</cardinality>
+<cardinality>4953</cardinality>
 <columnsizes>
 <e>
 <k>id</k>
-<v>564</v>
+<v>1095</v>
 </e>
 <e>
 <k>num</k>
-<v>12</v>
+<v>24</v>
 </e>
 <e>
 <k>arg</k>
-<v>576</v>
+<v>1120</v>
 </e>
 </columnsizes>
 <dependencies>
@@ -2045,12 +2045,12 @@
 <b>
 <a>4</a>
 <b>5</b>
-<v>295</v>
+<v>526</v>
 </b>
 <b>
 <a>5</a>
 <b>6</b>
-<v>268</v>
+<v>569</v>
 </b>
 </bs>
 </hist>
@@ -2066,12 +2066,12 @@
 <b>
 <a>4</a>
 <b>5</b>
-<v>295</v>
+<v>526</v>
 </b>
 <b>
 <a>5</a>
 <b>6</b>
-<v>268</v>
+<v>569</v>
 </b>
 </bs>
 </hist>
@@ -2085,14 +2085,14 @@
 <budget>12</budget>
 <bs>
 <b>
-<a>107</a>
-<b>108</b>
-<v>2</v>
+<a>117</a>
+<b>118</b>
+<v>4</v>
 </b>
 <b>
 <a>225</a>
 <b>226</b>
-<v>10</v>
+<v>19</v>
 </b>
 </bs>
 </hist>
@@ -2108,17 +2108,17 @@
 <b>
 <a>2</a>
 <b>3</b>
-<v>7</v>
+<v>14</v>
 </b>
 <b>
-<a>107</a>
-<b>108</b>
-<v>2</v>
+<a>109</a>
+<b>110</b>
+<v>4</v>
 </b>
 <b>
-<a>119</a>
-<b>120</b>
-<v>2</v>
+<a>117</a>
+<b>118</b>
+<v>4</v>
 </b>
 </bs>
 </hist>
@@ -2134,12 +2134,12 @@
 <b>
 <a>1</a>
 <b>2</b>
-<v>564</v>
+<v>1095</v>
 </b>
 <b>
-<a>107</a>
+<a>108</a>
 <b>226</b>
-<v>12</v>
+<v>24</v>
 </b>
 </bs>
 </hist>
@@ -2155,12 +2155,12 @@
 <b>
 <a>1</a>
 <b>2</b>
-<v>571</v>
+<v>1110</v>
 </b>
 <b>
 <a>2</a>
 <b>3</b>
-<v>5</v>
+<v>9</v>
 </b>
 </bs>
 </hist>
@@ -2170,19 +2170,19 @@
 </relation>
 <relation>
 <name>compilation_compiling_files</name>
-<cardinality>12395</cardinality>
+<cardinality>22584</cardinality>
 <columnsizes>
 <e>
 <k>id</k>
-<v>548</v>
+<v>1095</v>
 </e>
 <e>
 <k>num</k>
-<v>1435</v>
+<v>711</v>
 </e>
 <e>
 <k>file</k>
-<v>10384</v>
+<v>22580</v>
 </e>
 </columnsizes>
 <dependencies>
@@ -2194,49 +2194,74 @@
 <budget>12</budget>
 <bs>
 <b>
+<a>1</a>
+<b>3</b>
+<v>48</v>
+</b>
+<b>
 <a>3</a>
 <b>4</b>
-<v>1</v>
+<v>58</v>
 </b>
 <b>
 <a>4</a>
 <b>5</b>
-<v>155</v>
+<v>82</v>
 </b>
 <b>
 <a>5</a>
 <b>6</b>
-<v>151</v>
+<v>87</v>
 </b>
 <b>
 <a>6</a>
 <b>7</b>
-<v>36</v>
+<v>68</v>
 </b>
 <b>
 <a>7</a>
-<b>10</b>
-<v>43</v>
+<b>9</b>
+<v>97</v>
 </b>
 <b>
-<a>10</a>
+<a>9</a>
+<b>12</b>
+<v>87</v>
+</b>
+<b>
+<a>12</a>
+<b>15</b>
+<v>82</v>
+</b>
+<b>
+<a>15</a>
 <b>17</b>
-<v>41</v>
+<v>82</v>
 </b>
 <b>
 <a>17</a>
-<b>31</b>
-<v>41</v>
+<b>21</b>
+<v>82</v>
 </b>
 <b>
-<a>31</a>
-<b>59</b>
-<v>41</v>
+<a>21</a>
+<b>27</b>
+<v>87</v>
 </b>
 <b>
-<a>59</a>
-<b>1359</b>
-<v>36</v>
+<a>28</a>
+<b>37</b>
+<v>82</v>
+</b>
+<b>
+<a>37</a>
+<b>65</b>
+<v>82</v>
+</b>
+<b>
+<a>67</a>
+<b>147</b>
+<v>63</v>
 </b>
 </bs>
 </hist>
@@ -2250,49 +2275,74 @@
 <budget>12</budget>
 <bs>
 <b>
+<a>1</a>
+<b>3</b>
+<v>48</v>
+</b>
+<b>
 <a>3</a>
 <b>4</b>
-<v>1</v>
+<v>58</v>
 </b>
 <b>
 <a>4</a>
 <b>5</b>
-<v>155</v>
+<v>82</v>
 </b>
 <b>
 <a>5</a>
 <b>6</b>
-<v>151</v>
+<v>87</v>
 </b>
 <b>
 <a>6</a>
 <b>7</b>
-<v>36</v>
+<v>68</v>
 </b>
 <b>
 <a>7</a>
-<b>10</b>
-<v>43</v>
+<b>9</b>
+<v>97</v>
 </b>
 <b>
-<a>10</a>
+<a>9</a>
+<b>12</b>
+<v>87</v>
+</b>
+<b>
+<a>12</a>
+<b>15</b>
+<v>82</v>
+</b>
+<b>
+<a>15</a>
 <b>17</b>
-<v>41</v>
+<v>82</v>
 </b>
 <b>
 <a>17</a>
-<b>31</b>
-<v>41</v>
+<b>21</b>
+<v>82</v>
 </b>
 <b>
-<a>31</a>
-<b>59</b>
-<v>41</v>
+<a>21</a>
+<b>27</b>
+<v>87</v>
 </b>
 <b>
-<a>59</a>
-<b>1359</b>
-<v>36</v>
+<a>28</a>
+<b>37</b>
+<v>82</v>
+</b>
+<b>
+<a>37</a>
+<b>65</b>
+<v>82</v>
+</b>
+<b>
+<a>67</a>
+<b>147</b>
+<v>63</v>
 </b>
 </bs>
 </hist>
@@ -2307,28 +2357,73 @@
 <bs>
 <b>
 <a>1</a>
-<b>2</b>
-<v>739</v>
-</b>
-<b>
-<a>2</a>
 <b>3</b>
-<v>411</v>
+<v>43</v>
 </b>
 <b>
 <a>3</a>
-<b>17</b>
-<v>118</v>
+<b>4</b>
+<v>29</v>
 </b>
 <b>
-<a>17</a>
-<b>38</b>
-<v>108</v>
+<a>4</a>
+<b>5</b>
+<v>58</v>
+</b>
+<b>
+<a>5</a>
+<b>6</b>
+<v>9</v>
+</b>
+<b>
+<a>6</a>
+<b>7</b>
+<v>97</v>
+</b>
+<b>
+<a>7</a>
+<b>11</b>
+<v>53</v>
+</b>
+<b>
+<a>11</a>
+<b>12</b>
+<v>77</v>
+</b>
+<b>
+<a>12</a>
+<b>18</b>
+<v>63</v>
+</b>
+<b>
+<a>18</a>
+<b>24</b>
+<v>53</v>
+</b>
+<b>
+<a>25</a>
+<b>33</b>
+<v>53</v>
 </b>
 <b>
 <a>38</a>
-<b>520</b>
-<v>57</v>
+<b>52</b>
+<v>53</v>
+</b>
+<b>
+<a>56</a>
+<b>103</b>
+<v>53</v>
+</b>
+<b>
+<a>108</a>
+<b>216</b>
+<v>53</v>
+</b>
+<b>
+<a>217</a>
+<b>226</b>
+<v>9</v>
 </b>
 </bs>
 </hist>
@@ -2343,29 +2438,74 @@
 <bs>
 <b>
 <a>1</a>
-<b>2</b>
-<v>739</v>
-</b>
-<b>
-<a>2</a>
 <b>3</b>
-<v>411</v>
+<v>43</v>
 </b>
 <b>
 <a>3</a>
-<b>16</b>
-<v>116</v>
+<b>4</b>
+<v>29</v>
 </b>
 <b>
-<a>16</a>
-<b>36</b>
-<v>109</v>
-</b>
-<b>
-<a>36</a>
-<b>476</b>
+<a>4</a>
+<b>5</b>
 <v>58</v>
 </b>
+<b>
+<a>5</a>
+<b>6</b>
+<v>9</v>
+</b>
+<b>
+<a>6</a>
+<b>7</b>
+<v>97</v>
+</b>
+<b>
+<a>7</a>
+<b>11</b>
+<v>53</v>
+</b>
+<b>
+<a>11</a>
+<b>12</b>
+<v>77</v>
+</b>
+<b>
+<a>12</a>
+<b>18</b>
+<v>63</v>
+</b>
+<b>
+<a>18</a>
+<b>24</b>
+<v>53</v>
+</b>
+<b>
+<a>25</a>
+<b>33</b>
+<v>53</v>
+</b>
+<b>
+<a>38</a>
+<b>52</b>
+<v>53</v>
+</b>
+<b>
+<a>56</a>
+<b>103</b>
+<v>53</v>
+</b>
+<b>
+<a>108</a>
+<b>216</b>
+<v>53</v>
+</b>
+<b>
+<a>217</a>
+<b>226</b>
+<v>9</v>
+</b>
 </bs>
 </hist>
 </val>
@@ -2380,17 +2520,12 @@
 <b>
 <a>1</a>
 <b>2</b>
-<v>9343</v>
+<v>22575</v>
 </b>
 <b>
 <a>2</a>
 <b>3</b>
-<v>822</v>
-</b>
-<b>
-<a>3</a>
-<b>187</b>
-<v>218</v>
+<v>4</v>
 </b>
 </bs>
 </hist>
@@ -2406,12 +2541,12 @@
 <b>
 <a>1</a>
 <b>2</b>
-<v>9831</v>
+<v>22575</v>
 </b>
 <b>
 <a>2</a>
-<b>78</b>
-<v>552</v>
+<b>3</b>
+<v>4</v>
 </b>
 </bs>
 </hist>
@@ -2421,19 +2556,19 @@
 </relation>
 <relation>
 <name>compilation_referencing_files</name>
-<cardinality>184906</cardinality>
+<cardinality>359260</cardinality>
 <columnsizes>
 <e>
 <k>id</k>
-<v>564</v>
+<v>1095</v>
 </e>
 <e>
 <k>num</k>
-<v>1411</v>
+<v>2742</v>
 </e>
 <e>
 <k>file</k>
-<v>1757</v>
+<v>3414</v>
 </e>
 </columnsizes>
 <dependencies>
@@ -2447,67 +2582,67 @@
 <b>
 <a>5</a>
 <b>284</b>
-<v>47</v>
+<v>92</v>
 </b>
 <b>
 <a>284</a>
 <b>288</b>
-<v>45</v>
+<v>87</v>
 </b>
 <b>
 <a>288</a>
 <b>292</b>
-<v>47</v>
+<v>92</v>
 </b>
 <b>
 <a>293</a>
 <b>309</b>
-<v>45</v>
+<v>87</v>
 </b>
 <b>
 <a>309</a>
 <b>311</b>
-<v>47</v>
+<v>92</v>
 </b>
 <b>
 <a>311</a>
 <b>328</b>
-<v>42</v>
+<v>82</v>
 </b>
 <b>
 <a>328</a>
 <b>344</b>
-<v>37</v>
+<v>73</v>
 </b>
 <b>
 <a>344</a>
 <b>346</b>
-<v>50</v>
+<v>97</v>
 </b>
 <b>
 <a>346</a>
 <b>349</b>
-<v>45</v>
+<v>87</v>
 </b>
 <b>
 <a>349</a>
 <b>353</b>
-<v>45</v>
+<v>87</v>
 </b>
 <b>
 <a>353</a>
 <b>359</b>
-<v>47</v>
+<v>92</v>
 </b>
 <b>
 <a>359</a>
 <b>369</b>
-<v>42</v>
+<v>82</v>
 </b>
 <b>
 <a>369</a>
 <b>564</b>
-<v>20</v>
+<v>38</v>
 </b>
 </bs>
 </hist>
@@ -2523,67 +2658,67 @@
 <b>
 <a>5</a>
 <b>284</b>
-<v>47</v>
+<v>92</v>
 </b>
 <b>
 <a>284</a>
 <b>288</b>
-<v>45</v>
+<v>87</v>
 </b>
 <b>
 <a>288</a>
 <b>292</b>
-<v>47</v>
+<v>92</v>
 </b>
 <b>
 <a>293</a>
 <b>309</b>
-<v>45</v>
+<v>87</v>
 </b>
 <b>
 <a>309</a>
 <b>311</b>
-<v>47</v>
+<v>92</v>
 </b>
 <b>
 <a>311</a>
 <b>328</b>
-<v>42</v>
+<v>82</v>
 </b>
 <b>
 <a>328</a>
 <b>344</b>
-<v>37</v>
+<v>73</v>
 </b>
 <b>
 <a>344</a>
 <b>346</b>
-<v>50</v>
+<v>97</v>
 </b>
 <b>
 <a>346</a>
 <b>349</b>
-<v>45</v>
+<v>87</v>
 </b>
 <b>
 <a>349</a>
 <b>353</b>
-<v>45</v>
+<v>87</v>
 </b>
 <b>
 <a>353</a>
 <b>359</b>
-<v>47</v>
+<v>92</v>
 </b>
 <b>
 <a>359</a>
 <b>369</b>
-<v>42</v>
+<v>82</v>
 </b>
 <b>
 <a>369</a>
 <b>564</b>
-<v>20</v>
+<v>38</v>
 </b>
 </bs>
 </hist>
@@ -2599,42 +2734,42 @@
 <b>
 <a>1</a>
 <b>4</b>
-<v>112</v>
+<v>219</v>
 </b>
 <b>
 <a>4</a>
 <b>7</b>
-<v>15</v>
+<v>29</v>
 </b>
 <b>
 <a>7</a>
 <b>8</b>
-<v>358</v>
+<v>696</v>
 </b>
 <b>
 <a>8</a>
 <b>118</b>
-<v>112</v>
+<v>219</v>
 </b>
 <b>
 <a>118</a>
 <b>214</b>
-<v>105</v>
+<v>204</v>
 </b>
 <b>
 <a>222</a>
 <b>223</b>
-<v>328</v>
+<v>638</v>
 </b>
 <b>
 <a>224</a>
 <b>225</b>
-<v>365</v>
+<v>711</v>
 </b>
 <b>
 <a>225</a>
 <b>226</b>
-<v>12</v>
+<v>24</v>
 </b>
 </bs>
 </hist>
@@ -2650,62 +2785,62 @@
 <b>
 <a>1</a>
 <b>4</b>
-<v>112</v>
+<v>219</v>
 </b>
 <b>
 <a>4</a>
 <b>5</b>
-<v>5</v>
+<v>9</v>
 </b>
 <b>
 <a>5</a>
 <b>6</b>
-<v>338</v>
+<v>594</v>
 </b>
 <b>
 <a>6</a>
-<b>20</b>
-<v>125</v>
+<b>17</b>
+<v>209</v>
 </b>
 <b>
-<a>20</a>
-<b>27</b>
-<v>115</v>
+<a>17</a>
+<b>23</b>
+<v>233</v>
 </b>
 <b>
-<a>27</a>
-<b>32</b>
-<v>122</v>
+<a>23</a>
+<b>31</b>
+<v>219</v>
 </b>
 <b>
-<a>32</a>
-<b>38</b>
-<v>112</v>
+<a>31</a>
+<b>35</b>
+<v>228</v>
 </b>
 <b>
-<a>38</a>
-<b>50</b>
-<v>107</v>
+<a>35</a>
+<b>45</b>
+<v>228</v>
 </b>
 <b>
-<a>50</a>
-<b>60</b>
-<v>112</v>
+<a>45</a>
+<b>57</b>
+<v>209</v>
 </b>
 <b>
-<a>60</a>
+<a>57</a>
 <b>62</b>
-<v>100</v>
+<v>189</v>
 </b>
 <b>
 <a>62</a>
 <b>65</b>
-<v>110</v>
+<v>224</v>
 </b>
 <b>
 <a>65</a>
-<b>71</b>
-<v>47</v>
+<b>73</b>
+<v>175</v>
 </b>
 </bs>
 </hist>
@@ -2721,57 +2856,57 @@
 <b>
 <a>1</a>
 <b>2</b>
-<v>270</v>
+<v>526</v>
 </b>
 <b>
 <a>2</a>
 <b>5</b>
-<v>132</v>
+<v>258</v>
 </b>
 <b>
 <a>6</a>
 <b>7</b>
-<v>2</v>
+<v>4</v>
 </b>
 <b>
 <a>7</a>
 <b>8</b>
-<v>162</v>
+<v>316</v>
 </b>
 <b>
 <a>8</a>
 <b>10</b>
-<v>142</v>
+<v>277</v>
 </b>
 <b>
 <a>10</a>
 <b>23</b>
-<v>132</v>
+<v>258</v>
 </b>
 <b>
 <a>23</a>
 <b>122</b>
-<v>132</v>
+<v>258</v>
 </b>
 <b>
 <a>124</a>
 <b>214</b>
-<v>125</v>
+<v>243</v>
 </b>
 <b>
 <a>220</a>
 <b>221</b>
-<v>37</v>
+<v>73</v>
 </b>
 <b>
 <a>222</a>
 <b>223</b>
-<v>248</v>
+<v>482</v>
 </b>
 <b>
 <a>224</a>
 <b>225</b>
-<v>368</v>
+<v>715</v>
 </b>
 </bs>
 </hist>
@@ -2787,67 +2922,62 @@
 <b>
 <a>1</a>
 <b>2</b>
-<v>290</v>
+<v>560</v>
 </b>
 <b>
 <a>2</a>
 <b>5</b>
-<v>155</v>
+<v>282</v>
 </b>
 <b>
 <a>5</a>
 <b>6</b>
-<v>95</v>
+<v>194</v>
 </b>
 <b>
 <a>6</a>
 <b>7</b>
-<v>155</v>
+<v>267</v>
 </b>
 <b>
 <a>7</a>
 <b>11</b>
-<v>135</v>
+<v>282</v>
 </b>
 <b>
 <a>11</a>
 <b>20</b>
-<v>137</v>
+<v>272</v>
 </b>
 <b>
 <a>20</a>
 <b>25</b>
-<v>132</v>
+<v>272</v>
 </b>
 <b>
 <a>25</a>
 <b>29</b>
-<v>135</v>
+<v>258</v>
 </b>
 <b>
 <a>29</a>
-<b>48</b>
-<v>132</v>
+<b>45</b>
+<v>267</v>
 </b>
 <b>
-<a>49</a>
-<b>62</b>
-<v>120</v>
+<a>47</a>
+<b>63</b>
+<v>272</v>
 </b>
 <b>
-<a>62</a>
-<b>64</b>
-<v>105</v>
+<a>63</a>
+<b>67</b>
+<v>306</v>
 </b>
 <b>
-<a>64</a>
-<b>68</b>
-<v>150</v>
-</b>
-<b>
-<a>68</a>
-<b>72</b>
-<v>10</v>
+<a>67</a>
+<b>74</b>
+<v>175</v>
 </b>
 </bs>
 </hist>
@@ -2857,23 +2987,23 @@
 </relation>
 <relation>
 <name>compilation_time</name>
-<cardinality>3948</cardinality>
+<cardinality>7671</cardinality>
 <columnsizes>
 <e>
 <k>id</k>
-<v>564</v>
+<v>1095</v>
 </e>
 <e>
 <k>num</k>
-<v>2</v>
+<v>4</v>
 </e>
 <e>
 <k>kind</k>
-<v>17</v>
+<v>34</v>
 </e>
 <e>
 <k>seconds</k>
-<v>2862</v>
+<v>5688</v>
 </e>
 </columnsizes>
 <dependencies>
@@ -2887,7 +3017,7 @@
 <b>
 <a>1</a>
 <b>2</b>
-<v>564</v>
+<v>1095</v>
 </b>
 </bs>
 </hist>
@@ -2903,7 +3033,7 @@
 <b>
 <a>7</a>
 <b>8</b>
-<v>564</v>
+<v>1095</v>
 </b>
 </bs>
 </hist>
@@ -2917,14 +3047,9 @@
 <budget>12</budget>
 <bs>
 <b>
-<a>6</a>
-<b>7</b>
-<v>2</v>
-</b>
-<b>
 <a>7</a>
 <b>8</b>
-<v>561</v>
+<v>1095</v>
 </b>
 </bs>
 </hist>
@@ -2940,7 +3065,7 @@
 <b>
 <a>225</a>
 <b>226</b>
-<v>2</v>
+<v>4</v>
 </b>
 </bs>
 </hist>
@@ -2956,7 +3081,7 @@
 <b>
 <a>7</a>
 <b>8</b>
-<v>2</v>
+<v>4</v>
 </b>
 </bs>
 </hist>
@@ -2970,9 +3095,9 @@
 <budget>12</budget>
 <bs>
 <b>
-<a>1142</a>
-<b>1143</b>
-<v>2</v>
+<a>1168</a>
+<b>1169</b>
+<v>4</v>
 </b>
 </bs>
 </hist>
@@ -2988,7 +3113,7 @@
 <b>
 <a>225</a>
 <b>226</b>
-<v>17</v>
+<v>34</v>
 </b>
 </bs>
 </hist>
@@ -3004,7 +3129,7 @@
 <b>
 <a>1</a>
 <b>2</b>
-<v>17</v>
+<v>34</v>
 </b>
 </bs>
 </hist>
@@ -3018,24 +3143,34 @@
 <budget>12</budget>
 <bs>
 <b>
-<a>158</a>
-<b>159</b>
-<v>2</v>
+<a>171</a>
+<b>172</b>
+<v>4</v>
 </b>
 <b>
-<a>161</a>
-<b>162</b>
-<v>2</v>
+<a>175</a>
+<b>176</b>
+<v>4</v>
 </b>
 <b>
-<a>174</a>
-<b>175</b>
-<v>5</v>
+<a>180</a>
+<b>181</b>
+<v>4</v>
+</b>
+<b>
+<a>182</a>
+<b>183</b>
+<v>4</v>
+</b>
+<b>
+<a>224</a>
+<b>225</b>
+<v>4</v>
 </b>
 <b>
 <a>225</a>
 <b>226</b>
-<v>7</v>
+<v>9</v>
 </b>
 </bs>
 </hist>
@@ -3051,64 +3186,64 @@
 <b>
 <a>1</a>
 <b>2</b>
-<v>2243</v>
+<v>4490</v>
 </b>
 <b>
 <a>2</a>
 <b>3</b>
-<v>353</v>
-</b>
-<b>
-<a>3</a>
-<b>6</b>
-<v>248</v>
-</b>
-<b>
-<a>6</a>
-<b>9</b>
-<v>17</v>
-</b>
-</bs>
-</hist>
-</val>
-</dep>
-<dep>
-<src>seconds</src>
-<trg>num</trg>
-<val>
-<hist>
-<budget>12</budget>
-<bs>
-<b>
-<a>1</a>
-<b>2</b>
-<v>2862</v>
-</b>
-</bs>
-</hist>
-</val>
-</dep>
-<dep>
-<src>seconds</src>
-<trg>kind</trg>
-<val>
-<hist>
-<budget>12</budget>
-<bs>
-<b>
-<a>1</a>
-<b>2</b>
-<v>2436</v>
-</b>
-<b>
-<a>2</a>
-<b>3</b>
-<v>353</v>
+<v>691</v>
 </b>
 <b>
 <a>3</a>
 <b>5</b>
-<v>72</v>
+<v>443</v>
+</b>
+<b>
+<a>5</a>
+<b>7</b>
+<v>63</v>
+</b>
+</bs>
+</hist>
+</val>
+</dep>
+<dep>
+<src>seconds</src>
+<trg>num</trg>
+<val>
+<hist>
+<budget>12</budget>
+<bs>
+<b>
+<a>1</a>
+<b>2</b>
+<v>5688</v>
+</b>
+</bs>
+</hist>
+</val>
+</dep>
+<dep>
+<src>seconds</src>
+<trg>kind</trg>
+<val>
+<hist>
+<budget>12</budget>
+<bs>
+<b>
+<a>1</a>
+<b>2</b>
+<v>4812</v>
+</b>
+<b>
+<a>2</a>
+<b>3</b>
+<v>725</v>
+</b>
+<b>
+<a>3</a>
+<b>5</b>
+<v>150</v>
 </b>
 </bs>
 </hist>
@@ -4351,11 +4486,11 @@
 </relation>
 <relation>
 <name>extractor_messages</name>
-<cardinality>750</cardinality>
+<cardinality>7638</cardinality>
 <columnsizes>
 <e>
 <k>id</k>
-<v>750</v>
+<v>7638</v>
 </e>
 <e>
 <k>severity</k>
@@ -4367,19 +4502,19 @@
 </e>
 <e>
 <k>text</k>
-<v>11</v>
+<v>12</v>
 </e>
 <e>
 <k>entity</k>
-<v>541</v>
+<v>5272</v>
 </e>
 <e>
 <k>location</k>
-<v>622</v>
+<v>6707</v>
 </e>
 <e>
 <k>stack_trace</k>
-<v>121</v>
+<v>202</v>
 </e>
 </columnsizes>
 <dependencies>
@@ -4393,7 +4528,7 @@
 <b>
 <a>1</a>
 <b>2</b>
-<v>750</v>
+<v>7638</v>
 </b>
 </bs>
 </hist>
@@ -4409,7 +4544,7 @@
 <b>
 <a>1</a>
 <b>2</b>
-<v>750</v>
+<v>7638</v>
 </b>
 </bs>
 </hist>
@@ -4425,7 +4560,7 @@
 <b>
 <a>1</a>
 <b>2</b>
-<v>750</v>
+<v>7638</v>
 </b>
 </bs>
 </hist>
@@ -4441,7 +4576,7 @@
 <b>
 <a>1</a>
 <b>2</b>
-<v>750</v>
+<v>7638</v>
 </b>
 </bs>
 </hist>
@@ -4457,7 +4592,7 @@
 <b>
 <a>1</a>
 <b>2</b>
-<v>750</v>
+<v>7638</v>
 </b>
 </bs>
 </hist>
@@ -4473,7 +4608,7 @@
 <b>
 <a>1</a>
 <b>2</b>
-<v>750</v>
+<v>7638</v>
 </b>
 </bs>
 </hist>
@@ -4492,13 +4627,13 @@
 <v>1</v>
 </b>
 <b>
-<a>24</a>
-<b>25</b>
+<a>49</a>
+<b>50</b>
 <v>1</v>
 </b>
 <b>
-<a>721</a>
-<b>722</b>
+<a>7584</a>
+<b>7585</b>
 <v>1</v>
 </b>
 </bs>
@@ -4531,7 +4666,12 @@
 <b>
 <a>1</a>
 <b>2</b>
-<v>2</v>
+<v>1</v>
+</b>
+<b>
+<a>2</a>
+<b>3</b>
+<v>1</v>
 </b>
 <b>
 <a>9</a>
@@ -4555,13 +4695,13 @@
 <v>1</v>
 </b>
 <b>
-<a>5</a>
-<b>6</b>
+<a>6</a>
+<b>7</b>
 <v>1</v>
 </b>
 <b>
-<a>535</a>
-<b>536</b>
+<a>5267</a>
+<b>5268</b>
 <v>1</v>
 </b>
 </bs>
@@ -4581,13 +4721,13 @@
 <v>1</v>
 </b>
 <b>
-<a>12</a>
-<b>13</b>
+<a>37</a>
+<b>38</b>
 <v>1</v>
 </b>
 <b>
-<a>610</a>
-<b>611</b>
+<a>6670</a>
+<b>6671</b>
 <v>1</v>
 </b>
 </bs>
@@ -4607,8 +4747,8 @@
 <v>2</v>
 </b>
 <b>
-<a>120</a>
-<b>121</b>
+<a>201</a>
+<b>202</b>
 <v>1</v>
 </b>
 </bs>
@@ -4623,8 +4763,8 @@
 <budget>12</budget>
 <bs>
 <b>
-<a>750</a>
-<b>751</b>
+<a>7638</a>
+<b>7639</b>
 <v>1</v>
 </b>
 </bs>
@@ -4655,8 +4795,8 @@
 <budget>12</budget>
 <bs>
 <b>
-<a>11</a>
-<b>12</b>
+<a>12</a>
+<b>13</b>
 <v>1</v>
 </b>
 </bs>
@@ -4671,8 +4811,8 @@
 <budget>12</budget>
 <bs>
 <b>
-<a>541</a>
-<b>542</b>
+<a>5272</a>
+<b>5273</b>
 <v>1</v>
 </b>
 </bs>
@@ -4687,8 +4827,8 @@
 <budget>12</budget>
 <bs>
 <b>
-<a>622</a>
-<b>623</b>
+<a>6707</a>
+<b>6708</b>
 <v>1</v>
 </b>
 </bs>
@@ -4703,8 +4843,8 @@
 <budget>12</budget>
 <bs>
 <b>
-<a>121</a>
-<b>122</b>
+<a>202</a>
+<b>203</b>
 <v>1</v>
 </b>
 </bs>
@@ -4724,23 +4864,13 @@
 <v>1</v>
 </b>
 <b>
-<a>3</a>
-<b>4</b>
-<v>1</v>
-</b>
-<b>
 <a>5</a>
 <b>6</b>
 <v>1</v>
 </b>
 <b>
-<a>16</a>
-<b>17</b>
-<v>1</v>
-</b>
-<b>
-<a>19</a>
-<b>20</b>
+<a>11</a>
+<b>12</b>
 <v>1</v>
 </b>
 <b>
@@ -4749,23 +4879,38 @@
 <v>2</v>
 </b>
 <b>
-<a>30</a>
-<b>31</b>
+<a>25</a>
+<b>26</b>
 <v>1</v>
 </b>
 <b>
-<a>49</a>
-<b>50</b>
+<a>38</a>
+<b>39</b>
 <v>1</v>
 </b>
 <b>
-<a>244</a>
-<b>245</b>
+<a>104</a>
+<b>105</b>
 <v>1</v>
 </b>
 <b>
-<a>334</a>
-<b>335</b>
+<a>216</a>
+<b>217</b>
+<v>1</v>
+</b>
+<b>
+<a>326</a>
+<b>327</b>
+<v>1</v>
+</b>
+<b>
+<a>2412</a>
+<b>2413</b>
+<v>1</v>
+</b>
+<b>
+<a>4451</a>
+<b>4452</b>
 <v>1</v>
 </b>
 </bs>
@@ -4782,7 +4927,7 @@
 <b>
 <a>1</a>
 <b>2</b>
-<v>11</v>
+<v>12</v>
 </b>
 </bs>
 </hist>
@@ -4798,7 +4943,7 @@
 <b>
 <a>1</a>
 <b>2</b>
-<v>11</v>
+<v>12</v>
 </b>
 </bs>
 </hist>
@@ -4814,12 +4959,7 @@
 <b>
 <a>1</a>
 <b>2</b>
-<v>3</v>
-</b>
-<b>
-<a>3</a>
-<b>4</b>
-<v>1</v>
+<v>4</v>
 </b>
 <b>
 <a>5</a>
@@ -4827,11 +4967,6 @@
 <v>1</v>
 </b>
 <b>
-<a>8</a>
-<b>9</b>
-<v>1</v>
-</b>
-<b>
 <a>11</a>
 <b>12</b>
 <v>1</v>
@@ -4842,18 +4977,28 @@
 <v>1</v>
 </b>
 <b>
-<a>20</a>
-<b>21</b>
+<a>47</a>
+<b>48</b>
 <v>1</v>
 </b>
 <b>
-<a>189</a>
-<b>190</b>
+<a>51</a>
+<b>52</b>
 <v>1</v>
 </b>
 <b>
-<a>284</a>
-<b>285</b>
+<a>275</a>
+<b>276</b>
+<v>1</v>
+</b>
+<b>
+<a>1648</a>
+<b>1649</b>
+<v>1</v>
+</b>
+<b>
+<a>3224</a>
+<b>3225</b>
 <v>1</v>
 </b>
 </bs>
@@ -4873,13 +5018,8 @@
 <v>3</v>
 </b>
 <b>
-<a>3</a>
-<b>4</b>
-<v>1</v>
-</b>
-<b>
-<a>8</a>
-<b>9</b>
+<a>11</a>
+<b>12</b>
 <v>1</v>
 </b>
 <b>
@@ -4893,23 +5033,33 @@
 <v>1</v>
 </b>
 <b>
-<a>26</a>
-<b>27</b>
+<a>25</a>
+<b>26</b>
 <v>1</v>
 </b>
 <b>
-<a>30</a>
-<b>31</b>
+<a>104</a>
+<b>105</b>
 <v>1</v>
 </b>
 <b>
-<a>216</a>
-<b>217</b>
+<a>113</a>
+<b>114</b>
 <v>1</v>
 </b>
 <b>
-<a>306</a>
-<b>307</b>
+<a>326</a>
+<b>327</b>
+<v>1</v>
+</b>
+<b>
+<a>2018</a>
+<b>2019</b>
+<v>1</v>
+</b>
+<b>
+<a>4077</a>
+<b>4078</b>
 <v>1</v>
 </b>
 </bs>
@@ -4931,21 +5081,21 @@
 <b>
 <a>3</a>
 <b>4</b>
+<v>3</v>
+</b>
+<b>
+<a>10</a>
+<b>11</b>
 <v>1</v>
 </b>
 <b>
-<a>4</a>
-<b>5</b>
-<v>2</v>
-</b>
-<b>
-<a>34</a>
-<b>35</b>
+<a>55</a>
+<b>56</b>
 <v>1</v>
 </b>
 <b>
-<a>71</a>
-<b>72</b>
+<a>124</a>
+<b>125</b>
 <v>1</v>
 </b>
 </bs>
@@ -4962,17 +5112,17 @@
 <b>
 <a>1</a>
 <b>2</b>
-<v>425</v>
+<v>4192</v>
 </b>
 <b>
 <a>2</a>
 <b>3</b>
-<v>92</v>
+<v>792</v>
 </b>
 <b>
 <a>3</a>
-<b>25</b>
-<v>24</v>
+<b>133</b>
+<v>288</v>
 </b>
 </bs>
 </hist>
@@ -4988,7 +5138,12 @@
 <b>
 <a>1</a>
 <b>2</b>
-<v>541</v>
+<v>5271</v>
+</b>
+<b>
+<a>3</a>
+<b>4</b>
+<v>1</v>
 </b>
 </bs>
 </hist>
@@ -5004,7 +5159,7 @@
 <b>
 <a>1</a>
 <b>2</b>
-<v>541</v>
+<v>5272</v>
 </b>
 </bs>
 </hist>
@@ -5020,12 +5175,12 @@
 <b>
 <a>1</a>
 <b>2</b>
-<v>540</v>
+<v>5262</v>
 </b>
 <b>
 <a>2</a>
-<b>3</b>
-<v>1</v>
+<b>5</b>
+<v>10</v>
 </b>
 </bs>
 </hist>
@@ -5041,17 +5196,17 @@
 <b>
 <a>1</a>
 <b>2</b>
-<v>490</v>
+<v>4587</v>
 </b>
 <b>
 <a>2</a>
-<b>4</b>
-<v>47</v>
+<b>3</b>
+<v>478</v>
 </b>
 <b>
-<a>4</a>
-<b>17</b>
-<v>4</v>
+<a>3</a>
+<b>67</b>
+<v>207</v>
 </b>
 </bs>
 </hist>
@@ -5067,12 +5222,12 @@
 <b>
 <a>1</a>
 <b>2</b>
-<v>512</v>
+<v>5188</v>
 </b>
 <b>
 <a>2</a>
 <b>6</b>
-<v>29</v>
+<v>84</v>
 </b>
 </bs>
 </hist>
@@ -5088,12 +5243,12 @@
 <b>
 <a>1</a>
 <b>2</b>
-<v>521</v>
+<v>5803</v>
 </b>
 <b>
 <a>2</a>
 <b>3</b>
-<v>100</v>
+<v>903</v>
 </b>
 <b>
 <a>29</a>
@@ -5114,7 +5269,7 @@
 <b>
 <a>1</a>
 <b>2</b>
-<v>621</v>
+<v>6706</v>
 </b>
 <b>
 <a>2</a>
@@ -5135,7 +5290,7 @@
 <b>
 <a>1</a>
 <b>2</b>
-<v>622</v>
+<v>6707</v>
 </b>
 </bs>
 </hist>
@@ -5151,7 +5306,7 @@
 <b>
 <a>1</a>
 <b>2</b>
-<v>621</v>
+<v>6706</v>
 </b>
 <b>
 <a>2</a>
@@ -5172,12 +5327,7 @@
 <b>
 <a>1</a>
 <b>2</b>
-<v>621</v>
-</b>
-<b>
-<a>2</a>
-<b>3</b>
-<v>1</v>
+<v>6707</v>
 </b>
 </bs>
 </hist>
@@ -5193,12 +5343,12 @@
 <b>
 <a>1</a>
 <b>2</b>
-<v>596</v>
+<v>6685</v>
 </b>
 <b>
 <a>2</a>
 <b>3</b>
-<v>26</v>
+<v>22</v>
 </b>
 </bs>
 </hist>
@@ -5214,41 +5364,46 @@
 <b>
 <a>1</a>
 <b>2</b>
-<v>42</v>
+<v>55</v>
 </b>
 <b>
 <a>2</a>
 <b>3</b>
-<v>22</v>
+<v>34</v>
 </b>
 <b>
 <a>3</a>
 <b>4</b>
-<v>9</v>
+<v>17</v>
 </b>
 <b>
 <a>4</a>
-<b>5</b>
-<v>11</v>
-</b>
-<b>
-<a>5</a>
 <b>6</b>
-<v>6</v>
+<v>18</v>
 </b>
 <b>
 <a>6</a>
 <b>9</b>
-<v>11</v>
+<v>18</v>
 </b>
 <b>
 <a>9</a>
-<b>21</b>
-<v>10</v>
+<b>15</b>
+<v>18</v>
 </b>
 <b>
-<a>21</a>
-<b>76</b>
+<a>15</a>
+<b>49</b>
+<v>16</v>
+</b>
+<b>
+<a>54</a>
+<b>205</b>
+<v>16</v>
+</b>
+<b>
+<a>253</a>
+<b>1137</b>
 <v>10</v>
 </b>
 </bs>
@@ -5265,7 +5420,7 @@
 <b>
 <a>1</a>
 <b>2</b>
-<v>120</v>
+<v>201</v>
 </b>
 <b>
 <a>2</a>
@@ -5286,7 +5441,7 @@
 <b>
 <a>1</a>
 <b>2</b>
-<v>121</v>
+<v>202</v>
 </b>
 </bs>
 </hist>
@@ -5302,11 +5457,11 @@
 <b>
 <a>1</a>
 <b>2</b>
-<v>120</v>
+<v>201</v>
 </b>
 <b>
-<a>2</a>
-<b>3</b>
+<a>3</a>
+<b>4</b>
 <v>1</v>
 </b>
 </bs>
@@ -5323,42 +5478,47 @@
 <b>
 <a>1</a>
 <b>2</b>
-<v>55</v>
+<v>70</v>
 </b>
 <b>
 <a>2</a>
 <b>3</b>
-<v>17</v>
+<v>28</v>
 </b>
 <b>
 <a>3</a>
 <b>4</b>
-<v>10</v>
+<v>22</v>
 </b>
 <b>
 <a>4</a>
-<b>5</b>
-<v>8</v>
-</b>
-<b>
-<a>5</a>
 <b>6</b>
-<v>6</v>
+<v>16</v>
 </b>
 <b>
 <a>6</a>
-<b>9</b>
-<v>11</v>
+<b>8</b>
+<v>15</v>
 </b>
 <b>
-<a>9</a>
-<b>21</b>
-<v>10</v>
+<a>8</a>
+<b>15</b>
+<v>17</v>
 </b>
 <b>
-<a>25</a>
-<b>76</b>
-<v>4</v>
+<a>15</a>
+<b>55</b>
+<v>16</v>
+</b>
+<b>
+<a>57</a>
+<b>403</b>
+<v>16</v>
+</b>
+<b>
+<a>571</a>
+<b>917</b>
+<v>2</v>
 </b>
 </bs>
 </hist>
@@ -5374,43 +5534,48 @@
 <b>
 <a>1</a>
 <b>2</b>
-<v>50</v>
+<v>63</v>
 </b>
 <b>
 <a>2</a>
 <b>3</b>
-<v>18</v>
+<v>31</v>
 </b>
 <b>
 <a>3</a>
 <b>4</b>
-<v>8</v>
+<v>19</v>
 </b>
 <b>
 <a>4</a>
 <b>5</b>
-<v>10</v>
+<v>12</v>
 </b>
 <b>
 <a>5</a>
-<b>6</b>
-<v>6</v>
+<b>8</b>
+<v>17</v>
 </b>
 <b>
-<a>6</a>
-<b>9</b>
+<a>8</a>
+<b>13</b>
+<v>17</v>
+</b>
+<b>
+<a>13</a>
+<b>37</b>
+<v>16</v>
+</b>
+<b>
+<a>38</a>
+<b>158</b>
+<v>16</v>
+</b>
+<b>
+<a>162</a>
+<b>1137</b>
 <v>11</v>
 </b>
-<b>
-<a>9</a>
-<b>19</b>
-<v>10</v>
-</b>
-<b>
-<a>20</a>
-<b>76</b>
-<v>8</v>
-</b>
 </bs>
 </hist>
 </val>
@@ -5419,19 +5584,19 @@
 </relation>
 <relation>
 <name>compilation_finished</name>
-<cardinality>564</cardinality>
+<cardinality>1095</cardinality>
 <columnsizes>
 <e>
 <k>id</k>
-<v>564</v>
+<v>1095</v>
 </e>
 <e>
 <k>cpu_seconds</k>
-<v>501</v>
+<v>998</v>
 </e>
 <e>
 <k>elapsed_seconds</k>
-<v>564</v>
+<v>1095</v>
 </e>
 </columnsizes>
 <dependencies>
@@ -5445,7 +5610,7 @@
 <b>
 <a>1</a>
 <b>2</b>
-<v>564</v>
+<v>1095</v>
 </b>
 </bs>
 </hist>
@@ -5461,7 +5626,7 @@
 <b>
 <a>1</a>
 <b>2</b>
-<v>564</v>
+<v>1095</v>
 </b>
 </bs>
 </hist>
@@ -5477,17 +5642,12 @@
 <b>
 <a>1</a>
 <b>2</b>
-<v>448</v>
+<v>901</v>
 </b>
 <b>
 <a>2</a>
 <b>3</b>
-<v>47</v>
-</b>
-<b>
-<a>3</a>
-<b>6</b>
-<v>5</v>
+<v>97</v>
 </b>
 </bs>
 </hist>
@@ -5503,17 +5663,12 @@
 <b>
 <a>1</a>
 <b>2</b>
-<v>448</v>
+<v>901</v>
 </b>
 <b>
 <a>2</a>
 <b>3</b>
-<v>47</v>
-</b>
-<b>
-<a>3</a>
-<b>6</b>
-<v>5</v>
+<v>97</v>
 </b>
 </bs>
 </hist>
@@ -5529,7 +5684,7 @@
 <b>
 <a>1</a>
 <b>2</b>
-<v>564</v>
+<v>1095</v>
 </b>
 </bs>
 </hist>
@@ -5545,7 +5700,7 @@
 <b>
 <a>1</a>
 <b>2</b>
-<v>564</v>
+<v>1095</v>
 </b>
 </bs>
 </hist>
@@ -5555,15 +5710,15 @@
 </relation>
 <relation>
 <name>compilation_assembly</name>
-<cardinality>564</cardinality>
+<cardinality>1095</cardinality>
 <columnsizes>
 <e>
 <k>id</k>
-<v>564</v>
+<v>1095</v>
 </e>
 <e>
 <k>assembly</k>
-<v>564</v>
+<v>1095</v>
 </e>
 </columnsizes>
 <dependencies>
@@ -5577,7 +5732,7 @@
 <b>
 <a>1</a>
 <b>2</b>
-<v>564</v>
+<v>1095</v>
 </b>
 </bs>
 </hist>
@@ -5593,7 +5748,7 @@
 <b>
 <a>1</a>
 <b>2</b>
-<v>564</v>
+<v>1095</v>
 </b>
 </bs>
 </hist>
@@ -6017,23 +6172,23 @@
 </relation>
 <relation>
 <name>externalData</name>
-<cardinality>30</cardinality>
+<cardinality>58</cardinality>
 <columnsizes>
 <e>
 <k>id</k>
-<v>15</v>
+<v>29</v>
 </e>
 <e>
 <k>path</k>
-<v>2</v>
+<v>4</v>
 </e>
 <e>
 <k>column</k>
-<v>5</v>
+<v>9</v>
 </e>
 <e>
 <k>value</k>
-<v>30</v>
+<v>58</v>
 </e>
 </columnsizes>
 <dependencies>
@@ -6047,7 +6202,7 @@
 <b>
 <a>1</a>
 <b>2</b>
-<v>15</v>
+<v>29</v>
 </b>
 </bs>
 </hist>
@@ -6063,7 +6218,7 @@
 <b>
 <a>2</a>
 <b>3</b>
-<v>15</v>
+<v>29</v>
 </b>
 </bs>
 </hist>
@@ -6079,7 +6234,7 @@
 <b>
 <a>2</a>
 <b>3</b>
-<v>15</v>
+<v>29</v>
 </b>
 </bs>
 </hist>
@@ -6095,7 +6250,7 @@
 <b>
 <a>6</a>
 <b>7</b>
-<v>2</v>
+<v>4</v>
 </b>
 </bs>
 </hist>
@@ -6111,7 +6266,7 @@
 <b>
 <a>2</a>
 <b>3</b>
-<v>2</v>
+<v>4</v>
 </b>
 </bs>
 </hist>
@@ -6127,7 +6282,7 @@
 <b>
 <a>12</a>
 <b>13</b>
-<v>2</v>
+<v>4</v>
 </b>
 </bs>
 </hist>
@@ -6143,7 +6298,7 @@
 <b>
 <a>6</a>
 <b>7</b>
-<v>5</v>
+<v>9</v>
 </b>
 </bs>
 </hist>
@@ -6159,7 +6314,7 @@
 <b>
 <a>1</a>
 <b>2</b>
-<v>5</v>
+<v>9</v>
 </b>
 </bs>
 </hist>
@@ -6175,7 +6330,7 @@
 <b>
 <a>6</a>
 <b>7</b>
-<v>5</v>
+<v>9</v>
 </b>
 </bs>
 </hist>
@@ -6191,7 +6346,7 @@
 <b>
 <a>1</a>
 <b>2</b>
-<v>30</v>
+<v>58</v>
 </b>
 </bs>
 </hist>
@@ -6207,7 +6362,7 @@
 <b>
 <a>1</a>
 <b>2</b>
-<v>30</v>
+<v>58</v>
 </b>
 </bs>
 </hist>
@@ -6223,7 +6378,7 @@
 <b>
 <a>1</a>
 <b>2</b>
-<v>30</v>
+<v>58</v>
 </b>
 </bs>
 </hist>
@@ -6233,41 +6388,41 @@
 </relation>
 <relation>
 <name>snapshotDate</name>
-<cardinality>2</cardinality>
+<cardinality>4</cardinality>
 <columnsizes>
 <e>
 <k>snapshotDate</k>
-<v>2</v>
+<v>4</v>
 </e>
 </columnsizes>
 <dependencies/>
 </relation>
 <relation>
 <name>sourceLocationPrefix</name>
-<cardinality>2</cardinality>
+<cardinality>4</cardinality>
 <columnsizes>
 <e>
 <k>prefix</k>
-<v>2</v>
+<v>4</v>
 </e>
 </columnsizes>
 <dependencies/>
 </relation>
 <relation>
 <name>duplicateCode</name>
-<cardinality>11701</cardinality>
+<cardinality>22735</cardinality>
 <columnsizes>
 <e>
 <k>id</k>
-<v>11701</v>
+<v>22735</v>
 </e>
 <e>
 <k>relativePath</k>
-<v>1957</v>
+<v>3803</v>
 </e>
 <e>
 <k>equivClass</k>
-<v>3607</v>
+<v>7008</v>
 </e>
 </columnsizes>
 <dependencies>
@@ -6281,7 +6436,7 @@
 <b>
 <a>1</a>
 <b>2</b>
-<v>11701</v>
+<v>22735</v>
 </b>
 </bs>
 </hist>
@@ -6297,7 +6452,7 @@
 <b>
 <a>1</a>
 <b>2</b>
-<v>11701</v>
+<v>22735</v>
 </b>
 </bs>
 </hist>
@@ -6313,52 +6468,52 @@
 <b>
 <a>1</a>
 <b>2</b>
-<v>546</v>
+<v>1061</v>
 </b>
 <b>
 <a>2</a>
 <b>3</b>
-<v>290</v>
+<v>564</v>
 </b>
 <b>
 <a>3</a>
 <b>4</b>
-<v>218</v>
+<v>423</v>
 </b>
 <b>
 <a>4</a>
 <b>5</b>
-<v>112</v>
+<v>219</v>
 </b>
 <b>
 <a>5</a>
 <b>6</b>
-<v>112</v>
+<v>219</v>
 </b>
 <b>
 <a>6</a>
 <b>8</b>
-<v>172</v>
+<v>336</v>
 </b>
 <b>
 <a>8</a>
 <b>10</b>
-<v>142</v>
+<v>277</v>
 </b>
 <b>
 <a>10</a>
 <b>14</b>
-<v>162</v>
+<v>316</v>
 </b>
 <b>
 <a>14</a>
 <b>28</b>
-<v>147</v>
+<v>287</v>
 </b>
 <b>
 <a>29</a>
 <b>77</b>
-<v>50</v>
+<v>97</v>
 </b>
 </bs>
 </hist>
@@ -6374,52 +6529,52 @@
 <b>
 <a>1</a>
 <b>2</b>
-<v>581</v>
+<v>1129</v>
 </b>
 <b>
 <a>2</a>
 <b>3</b>
-<v>268</v>
+<v>521</v>
 </b>
 <b>
 <a>3</a>
 <b>4</b>
-<v>228</v>
+<v>443</v>
 </b>
 <b>
 <a>4</a>
 <b>5</b>
-<v>120</v>
+<v>233</v>
 </b>
 <b>
 <a>5</a>
 <b>6</b>
-<v>117</v>
+<v>228</v>
 </b>
 <b>
 <a>6</a>
 <b>8</b>
-<v>167</v>
+<v>326</v>
 </b>
 <b>
 <a>8</a>
 <b>10</b>
-<v>142</v>
+<v>277</v>
 </b>
 <b>
 <a>10</a>
 <b>14</b>
-<v>160</v>
+<v>311</v>
 </b>
 <b>
 <a>14</a>
 <b>32</b>
-<v>150</v>
+<v>292</v>
 </b>
 <b>
 <a>33</a>
 <b>45</b>
-<v>20</v>
+<v>38</v>
 </b>
 </bs>
 </hist>
@@ -6435,32 +6590,32 @@
 <b>
 <a>2</a>
 <b>3</b>
-<v>1937</v>
+<v>3764</v>
 </b>
 <b>
 <a>3</a>
 <b>4</b>
-<v>589</v>
+<v>1144</v>
 </b>
 <b>
 <a>4</a>
 <b>5</b>
-<v>403</v>
+<v>784</v>
 </b>
 <b>
 <a>5</a>
 <b>6</b>
-<v>220</v>
+<v>428</v>
 </b>
 <b>
 <a>6</a>
 <b>8</b>
-<v>293</v>
+<v>569</v>
 </b>
 <b>
 <a>8</a>
 <b>11</b>
-<v>162</v>
+<v>316</v>
 </b>
 </bs>
 </hist>
@@ -6476,37 +6631,37 @@
 <b>
 <a>1</a>
 <b>2</b>
-<v>348</v>
+<v>677</v>
 </b>
 <b>
 <a>2</a>
 <b>3</b>
-<v>1769</v>
+<v>3438</v>
 </b>
 <b>
 <a>3</a>
 <b>4</b>
-<v>554</v>
+<v>1076</v>
 </b>
 <b>
 <a>4</a>
 <b>5</b>
-<v>348</v>
+<v>677</v>
 </b>
 <b>
 <a>5</a>
 <b>6</b>
-<v>198</v>
+<v>384</v>
 </b>
 <b>
 <a>6</a>
 <b>9</b>
-<v>298</v>
+<v>579</v>
 </b>
 <b>
 <a>9</a>
 <b>11</b>
-<v>90</v>
+<v>175</v>
 </b>
 </bs>
 </hist>
@@ -8584,11 +8739,11 @@
 </relation>
 <relation>
 <name>locations_default</name>
-<cardinality>11326677</cardinality>
+<cardinality>14080010</cardinality>
 <columnsizes>
 <e>
 <k>id</k>
-<v>11326677</v>
+<v>14080010</v>
 </e>
 <e>
 <k>file</k>
@@ -8596,19 +8751,19 @@
 </e>
 <e>
 <k>beginLine</k>
-<v>157416</v>
+<v>164761</v>
 </e>
 <e>
 <k>beginColumn</k>
-<v>1453</v>
+<v>1456</v>
 </e>
 <e>
 <k>endLine</k>
-<v>175851</v>
+<v>177711</v>
 </e>
 <e>
 <k>endColumn</k>
-<v>1620</v>
+<v>1641</v>
 </e>
 </columnsizes>
 <dependencies>
@@ -8622,7 +8777,7 @@
 <b>
 <a>1</a>
 <b>2</b>
-<v>11326677</v>
+<v>14080010</v>
 </b>
 </bs>
 </hist>
@@ -8638,7 +8793,7 @@
 <b>
 <a>1</a>
 <b>2</b>
-<v>11326677</v>
+<v>14080010</v>
 </b>
 </bs>
 </hist>
@@ -8654,7 +8809,7 @@
 <b>
 <a>1</a>
 <b>2</b>
-<v>11326677</v>
+<v>14080010</v>
 </b>
 </bs>
 </hist>
@@ -8670,7 +8825,7 @@
 <b>
 <a>1</a>
 <b>2</b>
-<v>11326677</v>
+<v>14080010</v>
 </b>
 </bs>
 </hist>
@@ -8686,7 +8841,7 @@
 <b>
 <a>1</a>
 <b>2</b>
-<v>11326677</v>
+<v>14080010</v>
 </b>
 </bs>
 </hist>
@@ -8701,73 +8856,73 @@
 <bs>
 <b>
 <a>1</a>
-<b>5</b>
-<v>420</v>
+<b>19</b>
+<v>472</v>
 </b>
 <b>
-<a>5</a>
-<b>7</b>
-<v>419</v>
+<a>19</a>
+<b>34</b>
+<v>470</v>
 </b>
 <b>
-<a>7</a>
-<b>9</b>
-<v>444</v>
+<a>34</a>
+<b>50</b>
+<v>497</v>
 </b>
 <b>
-<a>9</a>
-<b>12</b>
-<v>461</v>
+<a>50</a>
+<b>74</b>
+<v>468</v>
 </b>
 <b>
-<a>12</a>
-<b>17</b>
-<v>496</v>
+<a>74</a>
+<b>106</b>
+<v>473</v>
 </b>
 <b>
-<a>17</a>
-<b>28</b>
-<v>488</v>
+<a>106</a>
+<b>150</b>
+<v>476</v>
 </b>
 <b>
-<a>28</a>
-<b>45</b>
-<v>515</v>
+<a>150</a>
+<b>208</b>
+<v>476</v>
 </b>
 <b>
-<a>45</a>
-<b>76</b>
-<v>474</v>
+<a>208</a>
+<b>297</b>
+<v>473</v>
 </b>
 <b>
-<a>76</a>
-<b>129</b>
+<a>297</a>
+<b>446</b>
 <v>469</v>
 </b>
 <b>
-<a>129</a>
-<b>218</b>
+<a>446</a>
+<b>687</b>
 <v>468</v>
 </b>
 <b>
-<a>218</a>
-<b>424</b>
+<a>687</a>
+<b>1204</b>
 <v>468</v>
 </b>
 <b>
-<a>424</a>
-<b>1086</b>
+<a>1204</a>
+<b>2639</b>
 <v>468</v>
 </b>
 <b>
-<a>1087</a>
-<b>28809</b>
-<v>468</v>
+<a>2639</a>
+<b>42820</b>
+<v>494</v>
 </b>
 <b>
-<a>31722</a>
+<a>43087</a>
 <b>474768</b>
-<v>174</v>
+<v>60</v>
 </b>
 </bs>
 </hist>
@@ -8782,68 +8937,68 @@
 <bs>
 <b>
 <a>1</a>
-<b>5</b>
-<v>569</v>
+<b>12</b>
+<v>541</v>
 </b>
 <b>
-<a>5</a>
-<b>7</b>
-<v>499</v>
-</b>
-<b>
-<a>7</a>
-<b>9</b>
-<v>447</v>
-</b>
-<b>
-<a>9</a>
-<b>11</b>
-<v>392</v>
-</b>
-<b>
-<a>11</a>
-<b>14</b>
-<v>504</v>
-</b>
-<b>
-<a>14</a>
+<a>12</a>
 <b>19</b>
-<v>521</v>
+<v>506</v>
 </b>
 <b>
 <a>19</a>
-<b>28</b>
-<v>533</v>
+<b>27</b>
+<v>519</v>
 </b>
 <b>
-<a>28</a>
-<b>40</b>
-<v>488</v>
+<a>27</a>
+<b>35</b>
+<v>494</v>
 </b>
 <b>
-<a>40</a>
-<b>60</b>
-<v>480</v>
+<a>35</a>
+<b>46</b>
+<v>512</v>
 </b>
 <b>
-<a>60</a>
-<b>94</b>
+<a>46</a>
+<b>61</b>
+<v>474</v>
+</b>
+<b>
+<a>61</a>
+<b>82</b>
+<v>504</v>
+</b>
+<b>
+<a>82</a>
+<b>114</b>
+<v>477</v>
+</b>
+<b>
+<a>114</a>
+<b>168</b>
 <v>475</v>
 </b>
 <b>
-<a>94</a>
-<b>205</b>
-<v>469</v>
-</b>
-<b>
-<a>205</a>
-<b>658</b>
+<a>168</a>
+<b>273</b>
 <v>468</v>
 </b>
 <b>
-<a>662</a>
+<a>273</a>
+<b>504</b>
+<v>486</v>
+</b>
+<b>
+<a>504</a>
+<b>1742</b>
+<v>468</v>
+</b>
+<b>
+<a>1746</a>
 <b>143014</b>
-<v>387</v>
+<v>308</v>
 </b>
 </bs>
 </hist>
@@ -8858,68 +9013,68 @@
 <bs>
 <b>
 <a>1</a>
-<b>3</b>
-<v>143</v>
+<b>7</b>
+<v>563</v>
 </b>
 <b>
-<a>3</a>
-<b>4</b>
-<v>606</v>
-</b>
-<b>
-<a>4</a>
-<b>5</b>
-<v>675</v>
-</b>
-<b>
-<a>5</a>
-<b>6</b>
-<v>461</v>
-</b>
-<b>
-<a>6</a>
-<b>8</b>
-<v>533</v>
-</b>
-<b>
-<a>8</a>
+<a>7</a>
 <b>13</b>
-<v>535</v>
+<v>499</v>
 </b>
 <b>
 <a>13</a>
-<b>20</b>
-<v>535</v>
-</b>
-<b>
-<a>20</a>
-<b>30</b>
+<b>19</b>
 <v>486</v>
 </b>
 <b>
-<a>30</a>
+<a>19</a>
+<b>26</b>
+<v>486</v>
+</b>
+<b>
+<a>26</a>
+<b>34</b>
+<v>511</v>
+</b>
+<b>
+<a>34</a>
 <b>43</b>
-<v>500</v>
+<v>498</v>
 </b>
 <b>
 <a>43</a>
-<b>59</b>
-<v>479</v>
+<b>53</b>
+<v>484</v>
 </b>
 <b>
-<a>59</a>
-<b>82</b>
-<v>474</v>
+<a>53</a>
+<b>64</b>
+<v>481</v>
 </b>
 <b>
-<a>82</a>
-<b>127</b>
-<v>469</v>
+<a>64</a>
+<b>76</b>
+<v>481</v>
 </b>
 <b>
-<a>127</a>
+<a>76</a>
+<b>91</b>
+<v>476</v>
+</b>
+<b>
+<a>91</a>
+<b>112</b>
+<v>477</v>
+</b>
+<b>
+<a>112</a>
+<b>166</b>
+<v>473</v>
+</b>
+<b>
+<a>166</a>
 <b>930</b>
-<v>336</v>
+<v>317</v>
 </b>
 </bs>
 </hist>
@@ -8934,68 +9089,73 @@
 <bs>
 <b>
 <a>1</a>
-<b>5</b>
-<v>561</v>
-</b>
-<b>
-<a>5</a>
-<b>7</b>
-<v>504</v>
-</b>
-<b>
-<a>7</a>
-<b>9</b>
-<v>449</v>
-</b>
-<b>
-<a>9</a>
 <b>12</b>
-<v>546</v>
+<v>480</v>
 </b>
 <b>
 <a>12</a>
-<b>16</b>
-<v>573</v>
+<b>18</b>
+<v>476</v>
 </b>
 <b>
-<a>16</a>
-<b>22</b>
-<v>499</v>
+<a>18</a>
+<b>25</b>
+<v>481</v>
 </b>
 <b>
-<a>22</a>
-<b>33</b>
-<v>489</v>
+<a>25</a>
+<b>34</b>
+<v>496</v>
 </b>
 <b>
-<a>33</a>
-<b>46</b>
-<v>489</v>
-</b>
-<b>
-<a>46</a>
-<b>73</b>
-<v>484</v>
-</b>
-<b>
-<a>73</a>
-<b>129</b>
-<v>487</v>
-</b>
-<b>
-<a>129</a>
-<b>326</b>
+<a>34</a>
+<b>44</b>
 <v>468</v>
 </b>
 <b>
-<a>326</a>
-<b>2738</b>
+<a>44</a>
+<b>56</b>
+<v>483</v>
+</b>
+<b>
+<a>56</a>
+<b>76</b>
+<v>473</v>
+</b>
+<b>
+<a>76</a>
+<b>104</b>
+<v>478</v>
+</b>
+<b>
+<a>104</a>
+<b>146</b>
+<v>469</v>
+</b>
+<b>
+<a>146</a>
+<b>230</b>
 <v>468</v>
 </b>
 <b>
-<a>2749</a>
+<a>230</a>
+<b>405</b>
+<v>468</v>
+</b>
+<b>
+<a>405</a>
+<b>840</b>
+<v>468</v>
+</b>
+<b>
+<a>845</a>
+<b>28774</b>
+<v>472</v>
+</b>
+<b>
+<a>46287</a>
 <b>171760</b>
-<v>215</v>
+<v>52</v>
 </b>
 </bs>
 </hist>
@@ -9010,68 +9170,68 @@
 <bs>
 <b>
 <a>1</a>
-<b>5</b>
-<v>442</v>
-</b>
-<b>
-<a>5</a>
-<b>7</b>
-<v>534</v>
-</b>
-<b>
-<a>7</a>
-<b>9</b>
-<v>416</v>
-</b>
-<b>
-<a>9</a>
-<b>12</b>
-<v>536</v>
-</b>
-<b>
-<a>12</a>
-<b>16</b>
-<v>469</v>
-</b>
-<b>
-<a>16</a>
-<b>23</b>
-<v>499</v>
-</b>
-<b>
-<a>23</a>
-<b>34</b>
-<v>498</v>
-</b>
-<b>
-<a>34</a>
-<b>48</b>
-<v>470</v>
-</b>
-<b>
-<a>48</a>
-<b>64</b>
-<v>482</v>
-</b>
-<b>
-<a>64</a>
-<b>82</b>
+<b>15</b>
 <v>475</v>
 </b>
 <b>
-<a>82</a>
-<b>109</b>
-<v>472</v>
+<a>15</a>
+<b>23</b>
+<v>481</v>
 </b>
 <b>
-<a>109</a>
-<b>161</b>
-<v>485</v>
+<a>23</a>
+<b>33</b>
+<v>519</v>
 </b>
 <b>
-<a>161</a>
+<a>33</a>
+<b>44</b>
+<v>503</v>
+</b>
+<b>
+<a>44</a>
+<b>54</b>
+<v>481</v>
+</b>
+<b>
+<a>54</a>
+<b>66</b>
+<v>490</v>
+</b>
+<b>
+<a>66</a>
+<b>77</b>
+<v>480</v>
+</b>
+<b>
+<a>77</a>
+<b>91</b>
+<v>474</v>
+</b>
+<b>
+<a>91</a>
+<b>105</b>
+<v>490</v>
+</b>
+<b>
+<a>105</a>
+<b>123</b>
+<v>491</v>
+</b>
+<b>
+<a>123</a>
+<b>148</b>
+<v>470</v>
+</b>
+<b>
+<a>148</a>
+<b>186</b>
+<v>473</v>
+</b>
+<b>
+<a>186</a>
 <b>1038</b>
-<v>454</v>
+<v>405</v>
 </b>
 </bs>
 </hist>
@@ -9087,57 +9247,62 @@
 <b>
 <a>1</a>
 <b>2</b>
-<v>2678</v>
+<v>4162</v>
 </b>
 <b>
 <a>2</a>
 <b>3</b>
-<v>41791</v>
+<v>30681</v>
 </b>
 <b>
 <a>3</a>
 <b>4</b>
-<v>15680</v>
+<v>15896</v>
 </b>
 <b>
 <a>4</a>
 <b>5</b>
-<v>16871</v>
+<v>16240</v>
 </b>
 <b>
 <a>5</a>
 <b>6</b>
-<v>8775</v>
+<v>9901</v>
 </b>
 <b>
 <a>6</a>
-<b>9</b>
-<v>12511</v>
+<b>8</b>
+<v>13417</v>
 </b>
 <b>
-<a>9</a>
-<b>99</b>
-<v>11909</v>
+<a>8</a>
+<b>13</b>
+<v>13925</v>
 </b>
 <b>
-<a>99</a>
-<b>109</b>
-<v>11941</v>
+<a>13</a>
+<b>101</b>
+<v>14154</v>
 </b>
 <b>
-<a>109</a>
-<b>164</b>
-<v>11942</v>
+<a>101</a>
+<b>117</b>
+<v>12389</v>
 </b>
 <b>
-<a>164</a>
-<b>250</b>
-<v>11862</v>
+<a>117</a>
+<b>182</b>
+<v>12558</v>
 </b>
 <b>
-<a>250</a>
-<b>7392</b>
-<v>11456</v>
+<a>182</a>
+<b>301</b>
+<v>12385</v>
+</b>
+<b>
+<a>301</a>
+<b>10809</b>
+<v>9053</v>
 </b>
 </bs>
 </hist>
@@ -9153,42 +9318,37 @@
 <b>
 <a>1</a>
 <b>2</b>
-<v>92520</v>
+<v>72389</v>
 </b>
 <b>
 <a>2</a>
-<b>18</b>
-<v>11816</v>
+<b>3</b>
+<v>30310</v>
 </b>
 <b>
-<a>18</a>
-<b>50</b>
-<v>6689</v>
+<a>3</a>
+<b>38</b>
+<v>12534</v>
 </b>
 <b>
-<a>50</a>
-<b>51</b>
-<v>10035</v>
+<a>38</a>
+<b>52</b>
+<v>14356</v>
 </b>
 <b>
-<a>51</a>
-<b>65</b>
-<v>12205</v>
+<a>52</a>
+<b>79</b>
+<v>12462</v>
 </b>
 <b>
-<a>65</a>
-<b>105</b>
-<v>12183</v>
+<a>79</a>
+<b>118</b>
+<v>12565</v>
 </b>
 <b>
-<a>105</a>
-<b>708</b>
-<v>11807</v>
-</b>
-<b>
-<a>709</a>
-<b>5267</b>
-<v>161</v>
+<a>118</a>
+<b>6166</b>
+<v>10145</v>
 </b>
 </bs>
 </hist>
@@ -9204,52 +9364,57 @@
 <b>
 <a>1</a>
 <b>2</b>
-<v>28742</v>
+<v>23471</v>
 </b>
 <b>
 <a>2</a>
 <b>3</b>
-<v>36135</v>
+<v>30016</v>
 </b>
 <b>
 <a>3</a>
 <b>4</b>
-<v>6197</v>
+<v>11007</v>
 </b>
 <b>
 <a>4</a>
 <b>5</b>
-<v>27310</v>
+<v>22185</v>
 </b>
 <b>
 <a>5</a>
 <b>6</b>
-<v>6023</v>
+<v>10197</v>
 </b>
 <b>
 <a>6</a>
 <b>7</b>
-<v>11735</v>
+<v>11740</v>
 </b>
 <b>
 <a>7</a>
-<b>10</b>
-<v>13098</v>
+<b>9</b>
+<v>13756</v>
 </b>
 <b>
-<a>10</a>
-<b>16</b>
-<v>12302</v>
+<a>9</a>
+<b>12</b>
+<v>13097</v>
 </b>
 <b>
-<a>16</a>
-<b>48</b>
-<v>11897</v>
+<a>12</a>
+<b>19</b>
+<v>12777</v>
 </b>
 <b>
-<a>48</a>
-<b>335</b>
-<v>3977</v>
+<a>19</a>
+<b>66</b>
+<v>12384</v>
+</b>
+<b>
+<a>66</a>
+<b>352</b>
+<v>4131</v>
 </b>
 </bs>
 </hist>
@@ -9265,27 +9430,32 @@
 <b>
 <a>1</a>
 <b>2</b>
-<v>72276</v>
+<v>67387</v>
 </b>
 <b>
 <a>2</a>
 <b>3</b>
-<v>48541</v>
+<v>51814</v>
 </b>
 <b>
 <a>3</a>
 <b>4</b>
-<v>14456</v>
+<v>18654</v>
 </b>
 <b>
 <a>4</a>
 <b>6</b>
-<v>12667</v>
+<v>13928</v>
 </b>
 <b>
 <a>6</a>
+<b>34</b>
+<v>12361</v>
+</b>
+<b>
+<a>34</a>
 <b>306</b>
-<v>9476</v>
+<v>617</v>
 </b>
 </bs>
 </hist>
@@ -9301,57 +9471,62 @@
 <b>
 <a>1</a>
 <b>2</b>
-<v>2731</v>
+<v>4192</v>
 </b>
 <b>
 <a>2</a>
 <b>3</b>
-<v>43580</v>
+<v>31624</v>
 </b>
 <b>
 <a>3</a>
 <b>4</b>
-<v>16640</v>
+<v>16670</v>
 </b>
 <b>
 <a>4</a>
 <b>5</b>
-<v>20845</v>
+<v>18713</v>
 </b>
 <b>
 <a>5</a>
 <b>6</b>
-<v>11859</v>
+<v>12088</v>
 </b>
 <b>
 <a>6</a>
 <b>7</b>
-<v>9405</v>
+<v>10186</v>
 </b>
 <b>
 <a>7</a>
 <b>9</b>
-<v>11941</v>
+<v>14626</v>
 </b>
 <b>
 <a>9</a>
-<b>14</b>
-<v>13283</v>
+<b>12</b>
+<v>14505</v>
 </b>
 <b>
-<a>14</a>
-<b>24</b>
-<v>12004</v>
+<a>12</a>
+<b>17</b>
+<v>13374</v>
 </b>
 <b>
-<a>24</a>
-<b>94</b>
-<v>11811</v>
+<a>17</a>
+<b>29</b>
+<v>12447</v>
 </b>
 <b>
-<a>94</a>
-<b>378</b>
-<v>3317</v>
+<a>29</a>
+<b>111</b>
+<v>12416</v>
+</b>
+<b>
+<a>111</a>
+<b>389</b>
+<v>3920</v>
 </b>
 </bs>
 </hist>
@@ -9367,22 +9542,22 @@
 <b>
 <a>1</a>
 <b>2</b>
-<v>351</v>
+<v>352</v>
 </b>
 <b>
 <a>2</a>
 <b>3</b>
-<v>185</v>
+<v>184</v>
 </b>
 <b>
 <a>3</a>
 <b>4</b>
-<v>100</v>
+<v>101</v>
 </b>
 <b>
 <a>4</a>
 <b>6</b>
-<v>128</v>
+<v>129</v>
 </b>
 <b>
 <a>6</a>
@@ -9391,33 +9566,33 @@
 </b>
 <b>
 <a>13</a>
-<b>39</b>
-<v>109</v>
+<b>40</b>
+<v>111</v>
 </b>
 <b>
-<a>39</a>
-<b>106</b>
-<v>109</v>
+<a>40</a>
+<b>110</b>
+<v>111</v>
 </b>
 <b>
-<a>106</a>
-<b>392</b>
-<v>109</v>
+<a>112</a>
+<b>476</b>
+<v>110</v>
 </b>
 <b>
-<a>400</a>
-<b>3801</b>
-<v>109</v>
+<a>490</a>
+<b>5418</b>
+<v>110</v>
 </b>
 <b>
-<a>4033</a>
-<b>35252</b>
-<v>109</v>
+<a>5447</a>
+<b>74992</b>
+<v>110</v>
 </b>
 <b>
-<a>37256</a>
-<b>1800792</b>
-<v>30</v>
+<a>76227</a>
+<b>2221388</b>
+<v>24</v>
 </b>
 </bs>
 </hist>
@@ -9433,17 +9608,17 @@
 <b>
 <a>1</a>
 <b>2</b>
-<v>481</v>
+<v>482</v>
 </b>
 <b>
 <a>2</a>
 <b>3</b>
-<v>188</v>
+<v>187</v>
 </b>
 <b>
 <a>3</a>
 <b>4</b>
-<v>113</v>
+<v>115</v>
 </b>
 <b>
 <a>4</a>
@@ -9453,31 +9628,31 @@
 <b>
 <a>6</a>
 <b>11</b>
-<v>117</v>
+<v>115</v>
 </b>
 <b>
 <a>11</a>
-<b>59</b>
+<b>58</b>
 <v>110</v>
 </b>
 <b>
-<a>59</a>
-<b>177</b>
-<v>109</v>
+<a>58</a>
+<b>194</b>
+<v>110</v>
 </b>
 <b>
-<a>177</a>
-<b>695</b>
-<v>109</v>
+<a>195</a>
+<b>1098</b>
+<v>110</v>
 </b>
 <b>
-<a>698</a>
-<b>2521</b>
-<v>109</v>
+<a>1112</a>
+<b>3852</b>
+<v>110</v>
 </b>
 <b>
-<a>2548</a>
-<b>6053</b>
+<a>3882</a>
+<b>6231</b>
 <v>8</v>
 </b>
 </bs>
@@ -9504,12 +9679,12 @@
 <b>
 <a>3</a>
 <b>4</b>
-<v>112</v>
+<v>114</v>
 </b>
 <b>
 <a>4</a>
 <b>7</b>
-<v>109</v>
+<v>110</v>
 </b>
 <b>
 <a>7</a>
@@ -9518,28 +9693,28 @@
 </b>
 <b>
 <a>18</a>
-<b>53</b>
-<v>111</v>
+<b>54</b>
+<v>113</v>
 </b>
 <b>
-<a>53</a>
-<b>128</b>
-<v>109</v>
+<a>54</a>
+<b>139</b>
+<v>110</v>
 </b>
 <b>
-<a>128</a>
-<b>585</b>
-<v>109</v>
+<a>140</a>
+<b>803</b>
+<v>110</v>
 </b>
 <b>
-<a>602</a>
-<b>4407</b>
-<v>109</v>
+<a>804</a>
+<b>6771</b>
+<v>110</v>
 </b>
 <b>
-<a>4493</a>
+<a>6786</a>
 <b>116262</b>
-<v>84</v>
+<v>79</v>
 </b>
 </bs>
 </hist>
@@ -9565,12 +9740,12 @@
 <b>
 <a>3</a>
 <b>4</b>
-<v>112</v>
+<v>114</v>
 </b>
 <b>
 <a>4</a>
 <b>7</b>
-<v>109</v>
+<v>110</v>
 </b>
 <b>
 <a>7</a>
@@ -9579,28 +9754,28 @@
 </b>
 <b>
 <a>18</a>
-<b>53</b>
-<v>111</v>
+<b>54</b>
+<v>113</v>
 </b>
 <b>
-<a>53</a>
-<b>129</b>
-<v>109</v>
+<a>54</a>
+<b>139</b>
+<v>110</v>
 </b>
 <b>
-<a>129</a>
-<b>586</b>
-<v>109</v>
+<a>140</a>
+<b>797</b>
+<v>110</v>
 </b>
 <b>
-<a>603</a>
-<b>4408</b>
-<v>109</v>
+<a>803</a>
+<b>6771</b>
+<v>110</v>
 </b>
 <b>
-<a>4493</a>
-<b>124735</b>
-<v>84</v>
+<a>6783</a>
+<b>124736</b>
+<v>79</v>
 </b>
 </bs>
 </hist>
@@ -9616,17 +9791,17 @@
 <b>
 <a>1</a>
 <b>2</b>
-<v>422</v>
+<v>423</v>
 </b>
 <b>
 <a>2</a>
 <b>3</b>
-<v>230</v>
+<v>229</v>
 </b>
 <b>
 <a>3</a>
 <b>4</b>
-<v>93</v>
+<v>96</v>
 </b>
 <b>
 <a>4</a>
@@ -9640,28 +9815,28 @@
 </b>
 <b>
 <a>12</a>
-<b>24</b>
-<v>112</v>
+<b>25</b>
+<v>114</v>
 </b>
 <b>
-<a>24</a>
-<b>48</b>
+<a>25</a>
+<b>53</b>
 <v>110</v>
 </b>
 <b>
-<a>48</a>
-<b>103</b>
-<v>109</v>
+<a>53</a>
+<b>108</b>
+<v>111</v>
 </b>
 <b>
-<a>103</a>
-<b>176</b>
-<v>110</v>
+<a>108</a>
+<b>204</b>
+<v>111</v>
 </b>
 <b>
-<a>176</a>
-<b>724</b>
-<v>43</v>
+<a>204</a>
+<b>727</b>
+<v>38</v>
 </b>
 </bs>
 </hist>
@@ -9677,57 +9852,62 @@
 <b>
 <a>1</a>
 <b>2</b>
-<v>43052</v>
+<v>30736</v>
 </b>
 <b>
 <a>2</a>
 <b>3</b>
-<v>15495</v>
+<v>14517</v>
 </b>
 <b>
 <a>3</a>
 <b>4</b>
-<v>16141</v>
+<v>16816</v>
 </b>
 <b>
 <a>4</a>
 <b>5</b>
-<v>11843</v>
+<v>12515</v>
 </b>
 <b>
 <a>5</a>
-<b>7</b>
-<v>15117</v>
+<b>6</b>
+<v>10358</v>
 </b>
 <b>
-<a>7</a>
+<a>6</a>
+<b>9</b>
+<v>14907</v>
+</b>
+<b>
+<a>9</a>
 <b>51</b>
-<v>13292</v>
+<v>14737</v>
 </b>
 <b>
 <a>51</a>
-<b>67</b>
-<v>13277</v>
+<b>64</b>
+<v>13404</v>
 </b>
 <b>
-<a>67</a>
-<b>108</b>
-<v>13666</v>
+<a>64</a>
+<b>109</b>
+<v>13430</v>
 </b>
 <b>
-<a>108</a>
+<a>109</a>
 <b>170</b>
-<v>13281</v>
+<v>13424</v>
 </b>
 <b>
 <a>170</a>
-<b>273</b>
-<v>13192</v>
+<b>277</b>
+<v>13375</v>
 </b>
 <b>
-<a>273</a>
-<b>6927</b>
-<v>7495</v>
+<a>277</a>
+<b>10708</b>
+<v>9492</v>
 </b>
 </bs>
 </hist>
@@ -9743,37 +9923,37 @@
 <b>
 <a>1</a>
 <b>2</b>
-<v>102373</v>
+<v>74587</v>
 </b>
 <b>
 <a>2</a>
-<b>50</b>
-<v>10686</v>
+<b>3</b>
+<v>32293</v>
 </b>
 <b>
-<a>50</a>
+<a>3</a>
 <b>51</b>
-<v>14316</v>
+<v>15351</v>
 </b>
 <b>
 <a>51</a>
-<b>61</b>
-<v>13298</v>
+<b>53</b>
+<v>14842</v>
 </b>
 <b>
-<a>61</a>
-<b>105</b>
-<v>13198</v>
+<a>53</a>
+<b>91</b>
+<v>13579</v>
 </b>
 <b>
-<a>105</a>
-<b>140</b>
-<v>13318</v>
+<a>91</a>
+<b>136</b>
+<v>14119</v>
 </b>
 <b>
-<a>140</a>
-<b>5438</b>
-<v>8662</v>
+<a>136</a>
+<b>5796</b>
+<v>12940</v>
 </b>
 </bs>
 </hist>
@@ -9789,27 +9969,27 @@
 <b>
 <a>1</a>
 <b>2</b>
-<v>108963</v>
+<v>94269</v>
 </b>
 <b>
 <a>2</a>
 <b>3</b>
-<v>30801</v>
+<v>38080</v>
 </b>
 <b>
 <a>3</a>
 <b>4</b>
-<v>14008</v>
+<v>18054</v>
 </b>
 <b>
 <a>4</a>
-<b>7</b>
-<v>15017</v>
+<b>6</b>
+<v>14148</v>
 </b>
 <b>
-<a>7</a>
-<b>50</b>
-<v>7062</v>
+<a>6</a>
+<b>61</b>
+<v>13160</v>
 </b>
 </bs>
 </hist>
@@ -9825,52 +10005,57 @@
 <b>
 <a>1</a>
 <b>2</b>
-<v>44241</v>
+<v>31573</v>
 </b>
 <b>
 <a>2</a>
 <b>3</b>
-<v>33451</v>
+<v>28818</v>
 </b>
 <b>
 <a>3</a>
 <b>4</b>
-<v>9654</v>
+<v>12789</v>
 </b>
 <b>
 <a>4</a>
 <b>5</b>
-<v>22023</v>
+<v>19691</v>
 </b>
 <b>
 <a>5</a>
 <b>6</b>
-<v>9633</v>
+<v>11849</v>
 </b>
 <b>
 <a>6</a>
 <b>7</b>
-<v>10956</v>
+<v>11679</v>
 </b>
 <b>
 <a>7</a>
-<b>10</b>
-<v>15510</v>
+<b>9</b>
+<v>15126</v>
 </b>
 <b>
-<a>10</a>
-<b>16</b>
-<v>13744</v>
+<a>9</a>
+<b>12</b>
+<v>14464</v>
 </b>
 <b>
-<a>16</a>
-<b>55</b>
-<v>13266</v>
+<a>12</a>
+<b>18</b>
+<v>13367</v>
 </b>
 <b>
-<a>55</a>
-<b>334</b>
-<v>3373</v>
+<a>18</a>
+<b>58</b>
+<v>13376</v>
+</b>
+<b>
+<a>58</a>
+<b>353</b>
+<v>4979</v>
 </b>
 </bs>
 </hist>
@@ -9886,57 +10071,62 @@
 <b>
 <a>1</a>
 <b>2</b>
-<v>43633</v>
+<v>31276</v>
 </b>
 <b>
 <a>2</a>
 <b>3</b>
-<v>19238</v>
+<v>18345</v>
 </b>
 <b>
 <a>3</a>
 <b>4</b>
-<v>20512</v>
+<v>19308</v>
 </b>
 <b>
 <a>4</a>
 <b>5</b>
-<v>15969</v>
+<v>15250</v>
 </b>
 <b>
 <a>5</a>
 <b>6</b>
-<v>14483</v>
+<v>13460</v>
 </b>
 <b>
 <a>6</a>
 <b>7</b>
-<v>8953</v>
+<v>9784</v>
 </b>
 <b>
 <a>7</a>
 <b>9</b>
-<v>12318</v>
+<v>14539</v>
 </b>
 <b>
 <a>9</a>
-<b>14</b>
+<b>12</b>
 <v>13943</v>
 </b>
 <b>
-<a>14</a>
-<b>27</b>
-<v>13475</v>
+<a>12</a>
+<b>17</b>
+<v>13348</v>
 </b>
 <b>
-<a>27</a>
-<b>206</b>
-<v>13190</v>
+<a>17</a>
+<b>32</b>
+<v>13514</v>
 </b>
 <b>
-<a>206</a>
-<b>378</b>
-<v>137</v>
+<a>32</a>
+<b>156</b>
+<v>13329</v>
+</b>
+<b>
+<a>156</a>
+<b>388</b>
+<v>1615</v>
 </b>
 </bs>
 </hist>
@@ -9952,12 +10142,12 @@
 <b>
 <a>1</a>
 <b>2</b>
-<v>393</v>
+<v>406</v>
 </b>
 <b>
 <a>2</a>
 <b>3</b>
-<v>202</v>
+<v>205</v>
 </b>
 <b>
 <a>3</a>
@@ -9967,42 +10157,42 @@
 <b>
 <a>4</a>
 <b>7</b>
-<v>122</v>
+<v>126</v>
 </b>
 <b>
 <a>7</a>
 <b>51</b>
-<v>123</v>
-</b>
-<b>
-<a>51</a>
-<b>121</b>
 <v>124</v>
 </b>
 <b>
-<a>121</a>
-<b>301</b>
-<v>122</v>
+<a>51</a>
+<b>122</b>
+<v>126</v>
 </b>
 <b>
-<a>311</a>
-<b>1031</b>
-<v>122</v>
+<a>122</a>
+<b>325</b>
+<v>124</v>
 </b>
 <b>
-<a>1037</a>
-<b>6674</b>
-<v>122</v>
+<a>328</a>
+<b>1118</b>
+<v>124</v>
 </b>
 <b>
-<a>6754</a>
-<b>56985</b>
-<v>122</v>
+<a>1126</a>
+<b>9603</b>
+<v>124</v>
 </b>
 <b>
-<a>57295</a>
-<b>866412</b>
-<v>52</v>
+<a>9620</a>
+<b>82632</b>
+<v>124</v>
+</b>
+<b>
+<a>82696</a>
+<b>908740</b>
+<v>42</v>
 </b>
 </bs>
 </hist>
@@ -10018,52 +10208,52 @@
 <b>
 <a>1</a>
 <b>2</b>
-<v>507</v>
+<v>521</v>
 </b>
 <b>
 <a>2</a>
 <b>3</b>
-<v>182</v>
+<v>186</v>
 </b>
 <b>
 <a>3</a>
 <b>4</b>
-<v>120</v>
+<v>119</v>
 </b>
 <b>
 <a>4</a>
 <b>9</b>
-<v>127</v>
+<v>130</v>
 </b>
 <b>
 <a>9</a>
-<b>61</b>
-<v>125</v>
+<b>62</b>
+<v>132</v>
 </b>
 <b>
-<a>61</a>
-<b>124</b>
-<v>123</v>
+<a>62</a>
+<b>128</b>
+<v>127</v>
 </b>
 <b>
-<a>124</a>
-<b>205</b>
-<v>122</v>
+<a>129</a>
+<b>222</b>
+<v>124</v>
 </b>
 <b>
-<a>206</a>
-<b>441</b>
-<v>122</v>
+<a>222</a>
+<b>710</b>
+<v>124</v>
 </b>
 <b>
-<a>441</a>
-<b>1921</b>
-<v>122</v>
+<a>717</a>
+<b>3690</b>
+<v>124</v>
 </b>
 <b>
-<a>1944</a>
-<b>4225</b>
-<v>70</v>
+<a>3701</a>
+<b>5368</b>
+<v>54</v>
 </b>
 </bs>
 </hist>
@@ -10079,12 +10269,12 @@
 <b>
 <a>1</a>
 <b>2</b>
-<v>400</v>
+<v>414</v>
 </b>
 <b>
 <a>2</a>
 <b>3</b>
-<v>209</v>
+<v>211</v>
 </b>
 <b>
 <a>3</a>
@@ -10094,42 +10284,42 @@
 <b>
 <a>4</a>
 <b>6</b>
-<v>123</v>
+<v>127</v>
 </b>
 <b>
 <a>6</a>
 <b>14</b>
-<v>130</v>
+<v>131</v>
 </b>
 <b>
 <a>14</a>
-<b>43</b>
-<v>123</v>
+<b>44</b>
+<v>125</v>
 </b>
 <b>
-<a>43</a>
-<b>120</b>
-<v>123</v>
+<a>44</a>
+<b>124</b>
+<v>124</v>
 </b>
 <b>
-<a>121</a>
-<b>466</b>
-<v>122</v>
+<a>126</a>
+<b>541</b>
+<v>124</v>
 </b>
 <b>
-<a>471</a>
-<b>4055</b>
-<v>122</v>
+<a>549</a>
+<b>5840</b>
+<v>124</v>
 </b>
 <b>
-<a>4055</a>
-<b>13772</b>
-<v>122</v>
+<a>6139</a>
+<b>19157</b>
+<v>124</v>
 </b>
 <b>
-<a>13909</a>
-<b>47532</b>
-<v>23</v>
+<a>19476</a>
+<b>47830</b>
+<v>14</v>
 </b>
 </bs>
 </hist>
@@ -10145,22 +10335,22 @@
 <b>
 <a>1</a>
 <b>2</b>
-<v>502</v>
+<v>518</v>
 </b>
 <b>
 <a>2</a>
 <b>3</b>
-<v>231</v>
+<v>232</v>
 </b>
 <b>
 <a>3</a>
 <b>4</b>
-<v>95</v>
+<v>96</v>
 </b>
 <b>
 <a>4</a>
 <b>7</b>
-<v>146</v>
+<v>147</v>
 </b>
 <b>
 <a>7</a>
@@ -10169,28 +10359,28 @@
 </b>
 <b>
 <a>16</a>
-<b>33</b>
-<v>127</v>
-</b>
-<b>
-<a>33</a>
-<b>78</b>
-<v>122</v>
-</b>
-<b>
-<a>78</a>
-<b>107</b>
-<v>122</v>
-</b>
-<b>
-<a>107</a>
-<b>151</b>
+<b>34</b>
 <v>124</v>
 </b>
 <b>
-<a>151</a>
-<b>337</b>
-<v>18</v>
+<a>34</a>
+<b>83</b>
+<v>128</v>
+</b>
+<b>
+<a>83</a>
+<b>114</b>
+<v>125</v>
+</b>
+<b>
+<a>114</a>
+<b>164</b>
+<v>127</v>
+</b>
+<b>
+<a>164</a>
+<b>338</b>
+<v>11</v>
 </b>
 </bs>
 </hist>
@@ -10206,7 +10396,7 @@
 <b>
 <a>1</a>
 <b>2</b>
-<v>400</v>
+<v>416</v>
 </b>
 <b>
 <a>2</a>
@@ -10221,42 +10411,42 @@
 <b>
 <a>4</a>
 <b>6</b>
-<v>123</v>
+<v>127</v>
 </b>
 <b>
 <a>6</a>
 <b>14</b>
-<v>130</v>
+<v>131</v>
 </b>
 <b>
 <a>14</a>
-<b>43</b>
-<v>123</v>
+<b>44</b>
+<v>125</v>
 </b>
 <b>
-<a>43</a>
-<b>120</b>
-<v>123</v>
+<a>44</a>
+<b>124</b>
+<v>124</v>
 </b>
 <b>
-<a>121</a>
-<b>466</b>
-<v>122</v>
+<a>126</a>
+<b>537</b>
+<v>124</v>
 </b>
 <b>
-<a>475</a>
-<b>4050</b>
-<v>122</v>
+<a>541</a>
+<b>5831</b>
+<v>124</v>
 </b>
 <b>
-<a>4064</a>
-<b>13686</b>
-<v>122</v>
+<a>6123</a>
+<b>19067</b>
+<v>124</v>
 </b>
 <b>
-<a>13833</a>
-<b>47528</b>
-<v>23</v>
+<a>19460</a>
+<b>47823</b>
+<v>14</v>
 </b>
 </bs>
 </hist>
@@ -10266,15 +10456,15 @@
 </relation>
 <relation>
 <name>locations_mapped</name>
-<cardinality>248620</cardinality>
+<cardinality>483051</cardinality>
 <columnsizes>
 <e>
 <k>id</k>
-<v>248620</v>
+<v>483051</v>
 </e>
 <e>
 <k>mapped_to</k>
-<v>211461</v>
+<v>410854</v>
 </e>
 </columnsizes>
 <dependencies>
@@ -10288,7 +10478,7 @@
 <b>
 <a>1</a>
 <b>2</b>
-<v>248620</v>
+<v>483051</v>
 </b>
 </bs>
 </hist>
@@ -10304,12 +10494,12 @@
 <b>
 <a>1</a>
 <b>2</b>
-<v>205510</v>
+<v>399291</v>
 </b>
 <b>
 <a>2</a>
 <b>119</b>
-<v>5951</v>
+<v>11562</v>
 </b>
 </bs>
 </hist>
@@ -10319,23 +10509,23 @@
 </relation>
 <relation>
 <name>numlines</name>
-<cardinality>4532217</cardinality>
+<cardinality>4586385</cardinality>
 <columnsizes>
 <e>
 <k>element_id</k>
-<v>4532216</v>
+<v>4586378</v>
 </e>
 <e>
 <k>num_lines</k>
-<v>1349</v>
+<v>1354</v>
 </e>
 <e>
 <k>num_code</k>
-<v>1242</v>
+<v>1247</v>
 </e>
 <e>
 <k>num_comment</k>
-<v>635</v>
+<v>637</v>
 </e>
 </columnsizes>
 <dependencies>
@@ -10349,12 +10539,12 @@
 <b>
 <a>1</a>
 <b>2</b>
-<v>4532215</v>
+<v>4586371</v>
 </b>
 <b>
 <a>2</a>
 <b>3</b>
-<v>1</v>
+<v>7</v>
 </b>
 </bs>
 </hist>
@@ -10370,12 +10560,12 @@
 <b>
 <a>1</a>
 <b>2</b>
-<v>4532215</v>
+<v>4586371</v>
 </b>
 <b>
 <a>2</a>
 <b>3</b>
-<v>1</v>
+<v>7</v>
 </b>
 </bs>
 </hist>
@@ -10391,7 +10581,12 @@
 <b>
 <a>1</a>
 <b>2</b>
-<v>4532216</v>
+<v>4586374</v>
+</b>
+<b>
+<a>2</a>
+<b>3</b>
+<v>4</v>
 </b>
 </bs>
 </hist>
@@ -10407,37 +10602,37 @@
 <b>
 <a>1</a>
 <b>2</b>
-<v>660</v>
+<v>651</v>
 </b>
 <b>
 <a>2</a>
 <b>3</b>
-<v>208</v>
+<v>207</v>
 </b>
 <b>
 <a>3</a>
 <b>4</b>
-<v>94</v>
+<v>97</v>
 </b>
 <b>
 <a>4</a>
-<b>6</b>
-<v>94</v>
+<b>7</b>
+<v>125</v>
 </b>
 <b>
-<a>6</a>
-<b>12</b>
-<v>108</v>
+<a>7</a>
+<b>19</b>
+<v>105</v>
 </b>
 <b>
-<a>12</a>
-<b>50</b>
-<v>104</v>
+<a>19</a>
+<b>121</b>
+<v>102</v>
 </b>
 <b>
-<a>52</a>
-<b>1598592</b>
-<v>81</v>
+<a>126</a>
+<b>1600586</b>
+<v>67</v>
 </b>
 </bs>
 </hist>
@@ -10453,32 +10648,37 @@
 <b>
 <a>1</a>
 <b>2</b>
-<v>733</v>
+<v>723</v>
 </b>
 <b>
 <a>2</a>
 <b>3</b>
-<v>198</v>
+<v>194</v>
 </b>
 <b>
 <a>3</a>
 <b>4</b>
-<v>99</v>
+<v>106</v>
 </b>
 <b>
 <a>4</a>
 <b>7</b>
-<v>121</v>
+<v>111</v>
 </b>
 <b>
 <a>7</a>
-<b>15</b>
-<v>102</v>
+<b>16</b>
+<v>103</v>
 </b>
 <b>
-<a>15</a>
-<b>34</b>
-<v>96</v>
+<a>16</a>
+<b>35</b>
+<v>104</v>
+</b>
+<b>
+<a>35</a>
+<b>39</b>
+<v>13</v>
 </b>
 </bs>
 </hist>
@@ -10494,32 +10694,37 @@
 <b>
 <a>1</a>
 <b>2</b>
-<v>733</v>
+<v>723</v>
 </b>
 <b>
 <a>2</a>
 <b>3</b>
-<v>198</v>
+<v>196</v>
 </b>
 <b>
 <a>3</a>
 <b>4</b>
-<v>97</v>
+<v>102</v>
 </b>
 <b>
 <a>4</a>
 <b>7</b>
-<v>118</v>
+<v>105</v>
 </b>
 <b>
 <a>7</a>
 <b>17</b>
-<v>109</v>
+<v>104</v>
 </b>
 <b>
 <a>17</a>
+<b>32</b>
+<v>106</v>
+</b>
+<b>
+<a>32</a>
 <b>81</b>
-<v>94</v>
+<v>18</v>
 </b>
 </bs>
 </hist>
@@ -10535,37 +10740,37 @@
 <b>
 <a>1</a>
 <b>2</b>
-<v>651</v>
+<v>647</v>
 </b>
 <b>
 <a>2</a>
 <b>3</b>
-<v>149</v>
+<v>152</v>
 </b>
 <b>
 <a>3</a>
 <b>4</b>
-<v>83</v>
+<v>79</v>
 </b>
 <b>
 <a>4</a>
 <b>6</b>
-<v>99</v>
+<v>93</v>
 </b>
 <b>
 <a>6</a>
 <b>14</b>
-<v>102</v>
+<v>98</v>
 </b>
 <b>
 <a>14</a>
-<b>77</b>
-<v>94</v>
+<b>50</b>
+<v>95</v>
 </b>
 <b>
-<a>83</a>
-<b>1607845</b>
-<v>64</v>
+<a>52</a>
+<b>1615186</b>
+<v>83</v>
 </b>
 </bs>
 </hist>
@@ -10581,32 +10786,37 @@
 <b>
 <a>1</a>
 <b>2</b>
-<v>728</v>
+<v>723</v>
 </b>
 <b>
 <a>2</a>
 <b>3</b>
-<v>140</v>
+<v>143</v>
 </b>
 <b>
 <a>3</a>
 <b>4</b>
-<v>84</v>
+<v>82</v>
 </b>
 <b>
 <a>4</a>
 <b>7</b>
-<v>107</v>
+<v>100</v>
 </b>
 <b>
 <a>7</a>
-<b>18</b>
+<b>19</b>
 <v>96</v>
 </b>
 <b>
-<a>18</a>
-<b>42</b>
-<v>87</v>
+<a>19</a>
+<b>43</b>
+<v>94</v>
+</b>
+<b>
+<a>43</a>
+<b>49</b>
+<v>9</v>
 </b>
 </bs>
 </hist>
@@ -10622,32 +10832,37 @@
 <b>
 <a>1</a>
 <b>2</b>
-<v>728</v>
+<v>723</v>
 </b>
 <b>
 <a>2</a>
 <b>3</b>
-<v>141</v>
+<v>145</v>
 </b>
 <b>
 <a>3</a>
 <b>4</b>
-<v>80</v>
+<v>77</v>
 </b>
 <b>
 <a>4</a>
 <b>7</b>
-<v>106</v>
+<v>102</v>
 </b>
 <b>
 <a>7</a>
-<b>15</b>
+<b>16</b>
+<v>95</v>
+</b>
+<b>
+<a>16</a>
+<b>50</b>
 <v>94</v>
 </b>
 <b>
-<a>15</a>
-<b>83</b>
-<v>93</v>
+<a>50</a>
+<b>85</b>
+<v>11</v>
 </b>
 </bs>
 </hist>
@@ -10668,12 +10883,12 @@
 <b>
 <a>2</a>
 <b>3</b>
-<v>134</v>
+<v>131</v>
 </b>
 <b>
 <a>3</a>
 <b>4</b>
-<v>55</v>
+<v>56</v>
 </b>
 <b>
 <a>4</a>
@@ -10683,17 +10898,17 @@
 <b>
 <a>6</a>
 <b>14</b>
-<v>50</v>
+<v>49</v>
 </b>
 <b>
 <a>14</a>
-<b>178</b>
+<b>173</b>
 <v>48</v>
 </b>
 <b>
-<a>178</a>
-<b>4511467</b>
-<v>14</v>
+<a>215</a>
+<b>4549896</b>
+<v>19</v>
 </b>
 </bs>
 </hist>
@@ -10714,32 +10929,32 @@
 <b>
 <a>2</a>
 <b>3</b>
-<v>138</v>
+<v>135</v>
 </b>
 <b>
 <a>3</a>
 <b>4</b>
-<v>56</v>
+<v>57</v>
 </b>
 <b>
 <a>4</a>
 <b>6</b>
-<v>50</v>
+<v>51</v>
 </b>
 <b>
 <a>6</a>
-<b>15</b>
+<b>16</b>
 <v>49</v>
 </b>
 <b>
-<a>15</a>
-<b>119</b>
-<v>49</v>
+<a>16</a>
+<b>128</b>
+<v>48</v>
 </b>
 <b>
-<a>131</a>
-<b>738</b>
-<v>8</v>
+<a>136</a>
+<b>746</b>
+<v>12</v>
 </b>
 </bs>
 </hist>
@@ -10760,32 +10975,32 @@
 <b>
 <a>2</a>
 <b>3</b>
-<v>139</v>
+<v>135</v>
 </b>
 <b>
 <a>3</a>
 <b>4</b>
-<v>54</v>
+<v>56</v>
 </b>
 <b>
 <a>4</a>
 <b>6</b>
-<v>51</v>
+<v>53</v>
 </b>
 <b>
 <a>6</a>
-<b>15</b>
+<b>16</b>
 <v>48</v>
 </b>
 <b>
-<a>15</a>
-<b>103</b>
-<v>49</v>
+<a>16</a>
+<b>117</b>
+<v>48</v>
 </b>
 <b>
-<a>116</a>
-<b>731</b>
-<v>9</v>
+<a>118</a>
+<b>739</b>
+<v>12</v>
 </b>
 </bs>
 </hist>
@@ -10795,27 +11010,27 @@
 </relation>
 <relation>
 <name>assemblies</name>
-<cardinality>2160</cardinality>
+<cardinality>4198</cardinality>
 <columnsizes>
 <e>
 <k>id</k>
-<v>2160</v>
+<v>4198</v>
 </e>
 <e>
 <k>file</k>
-<v>2160</v>
+<v>4198</v>
 </e>
 <e>
 <k>fullname</k>
-<v>1769</v>
+<v>3438</v>
 </e>
 <e>
 <k>name</k>
-<v>1631</v>
+<v>3170</v>
 </e>
 <e>
 <k>version</k>
-<v>190</v>
+<v>370</v>
 </e>
 </columnsizes>
 <dependencies>
@@ -10829,7 +11044,7 @@
 <b>
 <a>1</a>
 <b>2</b>
-<v>2160</v>
+<v>4198</v>
 </b>
 </bs>
 </hist>
@@ -10845,7 +11060,7 @@
 <b>
 <a>1</a>
 <b>2</b>
-<v>2160</v>
+<v>4198</v>
 </b>
 </bs>
 </hist>
@@ -10861,7 +11076,7 @@
 <b>
 <a>1</a>
 <b>2</b>
-<v>2160</v>
+<v>4198</v>
 </b>
 </bs>
 </hist>
@@ -10877,7 +11092,7 @@
 <b>
 <a>1</a>
 <b>2</b>
-<v>2160</v>
+<v>4198</v>
 </b>
 </bs>
 </hist>
@@ -10893,7 +11108,7 @@
 <b>
 <a>1</a>
 <b>2</b>
-<v>2160</v>
+<v>4198</v>
 </b>
 </bs>
 </hist>
@@ -10909,7 +11124,7 @@
 <b>
 <a>1</a>
 <b>2</b>
-<v>2160</v>
+<v>4198</v>
 </b>
 </bs>
 </hist>
@@ -10925,7 +11140,7 @@
 <b>
 <a>1</a>
 <b>2</b>
-<v>2160</v>
+<v>4198</v>
 </b>
 </bs>
 </hist>
@@ -10941,7 +11156,7 @@
 <b>
 <a>1</a>
 <b>2</b>
-<v>2160</v>
+<v>4198</v>
 </b>
 </bs>
 </hist>
@@ -10957,12 +11172,12 @@
 <b>
 <a>1</a>
 <b>2</b>
-<v>1378</v>
+<v>2678</v>
 </b>
 <b>
 <a>2</a>
 <b>3</b>
-<v>391</v>
+<v>759</v>
 </b>
 </bs>
 </hist>
@@ -10978,12 +11193,12 @@
 <b>
 <a>1</a>
 <b>2</b>
-<v>1378</v>
+<v>2678</v>
 </b>
 <b>
 <a>2</a>
 <b>3</b>
-<v>391</v>
+<v>759</v>
 </b>
 </bs>
 </hist>
@@ -10999,7 +11214,7 @@
 <b>
 <a>1</a>
 <b>2</b>
-<v>1769</v>
+<v>3438</v>
 </b>
 </bs>
 </hist>
@@ -11015,7 +11230,7 @@
 <b>
 <a>1</a>
 <b>2</b>
-<v>1769</v>
+<v>3438</v>
 </b>
 </bs>
 </hist>
@@ -11031,17 +11246,17 @@
 <b>
 <a>1</a>
 <b>2</b>
-<v>1125</v>
+<v>2186</v>
 </b>
 <b>
 <a>2</a>
 <b>3</b>
-<v>483</v>
+<v>940</v>
 </b>
 <b>
 <a>3</a>
 <b>4</b>
-<v>22</v>
+<v>43</v>
 </b>
 </bs>
 </hist>
@@ -11057,17 +11272,17 @@
 <b>
 <a>1</a>
 <b>2</b>
-<v>1125</v>
+<v>2186</v>
 </b>
 <b>
 <a>2</a>
 <b>3</b>
-<v>483</v>
+<v>940</v>
 </b>
 <b>
 <a>3</a>
 <b>4</b>
-<v>22</v>
+<v>43</v>
 </b>
 </bs>
 </hist>
@@ -11083,12 +11298,12 @@
 <b>
 <a>1</a>
 <b>2</b>
-<v>1516</v>
+<v>2946</v>
 </b>
 <b>
 <a>2</a>
 <b>4</b>
-<v>115</v>
+<v>224</v>
 </b>
 </bs>
 </hist>
@@ -11104,12 +11319,12 @@
 <b>
 <a>1</a>
 <b>2</b>
-<v>1516</v>
+<v>2946</v>
 </b>
 <b>
 <a>2</a>
 <b>4</b>
-<v>115</v>
+<v>224</v>
 </b>
 </bs>
 </hist>
@@ -11125,32 +11340,32 @@
 <b>
 <a>1</a>
 <b>2</b>
-<v>105</v>
+<v>204</v>
 </b>
 <b>
 <a>2</a>
 <b>3</b>
-<v>27</v>
+<v>53</v>
 </b>
 <b>
 <a>3</a>
 <b>6</b>
-<v>15</v>
+<v>29</v>
 </b>
 <b>
 <a>6</a>
 <b>10</b>
-<v>17</v>
+<v>34</v>
 </b>
 <b>
 <a>11</a>
 <b>37</b>
-<v>15</v>
+<v>29</v>
 </b>
 <b>
 <a>50</a>
 <b>386</b>
-<v>10</v>
+<v>19</v>
 </b>
 </bs>
 </hist>
@@ -11166,32 +11381,32 @@
 <b>
 <a>1</a>
 <b>2</b>
-<v>105</v>
+<v>204</v>
 </b>
 <b>
 <a>2</a>
 <b>3</b>
-<v>27</v>
+<v>53</v>
 </b>
 <b>
 <a>3</a>
 <b>6</b>
-<v>15</v>
+<v>29</v>
 </b>
 <b>
 <a>6</a>
 <b>10</b>
-<v>17</v>
+<v>34</v>
 </b>
 <b>
 <a>11</a>
 <b>37</b>
-<v>15</v>
+<v>29</v>
 </b>
 <b>
 <a>50</a>
 <b>386</b>
-<v>10</v>
+<v>19</v>
 </b>
 </bs>
 </hist>
@@ -11207,32 +11422,32 @@
 <b>
 <a>1</a>
 <b>2</b>
-<v>107</v>
+<v>209</v>
 </b>
 <b>
 <a>2</a>
 <b>3</b>
-<v>27</v>
+<v>53</v>
 </b>
 <b>
 <a>3</a>
 <b>5</b>
-<v>12</v>
+<v>24</v>
 </b>
 <b>
 <a>6</a>
 <b>10</b>
-<v>17</v>
+<v>34</v>
 </b>
 <b>
 <a>11</a>
 <b>36</b>
-<v>15</v>
+<v>29</v>
 </b>
 <b>
 <a>50</a>
 <b>234</b>
-<v>10</v>
+<v>19</v>
 </b>
 </bs>
 </hist>
@@ -11248,32 +11463,32 @@
 <b>
 <a>1</a>
 <b>2</b>
-<v>107</v>
+<v>209</v>
 </b>
 <b>
 <a>2</a>
 <b>3</b>
-<v>27</v>
+<v>53</v>
 </b>
 <b>
 <a>3</a>
 <b>5</b>
-<v>12</v>
+<v>24</v>
 </b>
 <b>
 <a>6</a>
 <b>10</b>
-<v>17</v>
+<v>34</v>
 </b>
 <b>
 <a>11</a>
 <b>36</b>
-<v>15</v>
+<v>29</v>
 </b>
 <b>
 <a>50</a>
 <b>234</b>
-<v>10</v>
+<v>19</v>
 </b>
 </bs>
 </hist>
@@ -11283,27 +11498,27 @@
 </relation>
 <relation>
 <name>files</name>
-<cardinality>24351</cardinality>
+<cardinality>47312</cardinality>
 <columnsizes>
 <e>
 <k>id</k>
-<v>24351</v>
+<v>47312</v>
 </e>
 <e>
 <k>name</k>
-<v>24351</v>
+<v>47312</v>
 </e>
 <e>
 <k>simple</k>
-<v>13679</v>
+<v>26578</v>
 </e>
 <e>
 <k>ext</k>
-<v>22</v>
+<v>43</v>
 </e>
 <e>
 <k>fromSource</k>
-<v>2</v>
+<v>4</v>
 </e>
 </columnsizes>
 <dependencies>
@@ -11317,7 +11532,7 @@
 <b>
 <a>1</a>
 <b>2</b>
-<v>24351</v>
+<v>47312</v>
 </b>
 </bs>
 </hist>
@@ -11333,7 +11548,7 @@
 <b>
 <a>1</a>
 <b>2</b>
-<v>24351</v>
+<v>47312</v>
 </b>
 </bs>
 </hist>
@@ -11349,7 +11564,7 @@
 <b>
 <a>1</a>
 <b>2</b>
-<v>24351</v>
+<v>47312</v>
 </b>
 </bs>
 </hist>
@@ -11365,7 +11580,7 @@
 <b>
 <a>1</a>
 <b>2</b>
-<v>24351</v>
+<v>47312</v>
 </b>
 </bs>
 </hist>
@@ -11381,7 +11596,7 @@
 <b>
 <a>1</a>
 <b>2</b>
-<v>24351</v>
+<v>47312</v>
 </b>
 </bs>
 </hist>
@@ -11397,7 +11612,7 @@
 <b>
 <a>1</a>
 <b>2</b>
-<v>24351</v>
+<v>47312</v>
 </b>
 </bs>
 </hist>
@@ -11413,7 +11628,7 @@
 <b>
 <a>1</a>
 <b>2</b>
-<v>24351</v>
+<v>47312</v>
 </b>
 </bs>
 </hist>
@@ -11429,7 +11644,7 @@
 <b>
 <a>1</a>
 <b>2</b>
-<v>24351</v>
+<v>47312</v>
 </b>
 </bs>
 </hist>
@@ -11445,12 +11660,12 @@
 <b>
 <a>1</a>
 <b>2</b>
-<v>12787</v>
+<v>24844</v>
 </b>
 <b>
 <a>2</a>
 <b>154</b>
-<v>892</v>
+<v>1733</v>
 </b>
 </bs>
 </hist>
@@ -11466,12 +11681,12 @@
 <b>
 <a>1</a>
 <b>2</b>
-<v>12787</v>
+<v>24844</v>
 </b>
 <b>
 <a>2</a>
 <b>154</b>
-<v>892</v>
+<v>1733</v>
 </b>
 </bs>
 </hist>
@@ -11487,12 +11702,12 @@
 <b>
 <a>1</a>
 <b>2</b>
-<v>13168</v>
+<v>25585</v>
 </b>
 <b>
 <a>2</a>
 <b>5</b>
-<v>511</v>
+<v>993</v>
 </b>
 </bs>
 </hist>
@@ -11508,7 +11723,7 @@
 <b>
 <a>1</a>
 <b>2</b>
-<v>13679</v>
+<v>26578</v>
 </b>
 </bs>
 </hist>
@@ -11524,47 +11739,47 @@
 <b>
 <a>1</a>
 <b>2</b>
-<v>2</v>
+<v>4</v>
 </b>
 <b>
 <a>2</a>
 <b>3</b>
-<v>2</v>
+<v>4</v>
 </b>
 <b>
 <a>6</a>
 <b>7</b>
-<v>2</v>
+<v>4</v>
 </b>
 <b>
 <a>166</a>
 <b>167</b>
-<v>2</v>
+<v>4</v>
 </b>
 <b>
 <a>173</a>
 <b>174</b>
-<v>2</v>
+<v>4</v>
 </b>
 <b>
 <a>861</a>
 <b>862</b>
-<v>2</v>
+<v>4</v>
 </b>
 <b>
 <a>995</a>
 <b>996</b>
-<v>2</v>
+<v>4</v>
 </b>
 <b>
 <a>2875</a>
 <b>2876</b>
-<v>2</v>
+<v>4</v>
 </b>
 <b>
 <a>4635</a>
 <b>4636</b>
-<v>2</v>
+<v>4</v>
 </b>
 </bs>
 </hist>
@@ -11580,47 +11795,47 @@
 <b>
 <a>1</a>
 <b>2</b>
-<v>2</v>
+<v>4</v>
 </b>
 <b>
 <a>2</a>
 <b>3</b>
-<v>2</v>
+<v>4</v>
 </b>
 <b>
 <a>6</a>
 <b>7</b>
-<v>2</v>
+<v>4</v>
 </b>
 <b>
 <a>166</a>
 <b>167</b>
-<v>2</v>
+<v>4</v>
 </b>
 <b>
 <a>173</a>
 <b>174</b>
-<v>2</v>
+<v>4</v>
 </b>
 <b>
 <a>861</a>
 <b>862</b>
-<v>2</v>
+<v>4</v>
 </b>
 <b>
 <a>995</a>
 <b>996</b>
-<v>2</v>
+<v>4</v>
 </b>
 <b>
 <a>2875</a>
 <b>2876</b>
-<v>2</v>
+<v>4</v>
 </b>
 <b>
 <a>4635</a>
 <b>4636</b>
-<v>2</v>
+<v>4</v>
 </b>
 </bs>
 </hist>
@@ -11636,42 +11851,42 @@
 <b>
 <a>1</a>
 <b>2</b>
-<v>2</v>
+<v>4</v>
 </b>
 <b>
 <a>2</a>
 <b>3</b>
-<v>5</v>
+<v>9</v>
 </b>
 <b>
 <a>166</a>
 <b>167</b>
-<v>2</v>
+<v>4</v>
 </b>
 <b>
 <a>169</a>
 <b>170</b>
-<v>2</v>
+<v>4</v>
 </b>
 <b>
 <a>214</a>
 <b>215</b>
-<v>2</v>
+<v>4</v>
 </b>
 <b>
 <a>650</a>
 <b>651</b>
-<v>2</v>
+<v>4</v>
 </b>
 <b>
 <a>790</a>
 <b>791</b>
-<v>2</v>
+<v>4</v>
 </b>
 <b>
 <a>3818</a>
 <b>3819</b>
-<v>2</v>
+<v>4</v>
 </b>
 </bs>
 </hist>
@@ -11687,7 +11902,7 @@
 <b>
 <a>1</a>
 <b>2</b>
-<v>22</v>
+<v>43</v>
 </b>
 </bs>
 </hist>
@@ -11703,7 +11918,7 @@
 <b>
 <a>9714</a>
 <b>9715</b>
-<v>2</v>
+<v>4</v>
 </b>
 </bs>
 </hist>
@@ -11719,7 +11934,7 @@
 <b>
 <a>9714</a>
 <b>9715</b>
-<v>2</v>
+<v>4</v>
 </b>
 </bs>
 </hist>
@@ -11735,7 +11950,7 @@
 <b>
 <a>5457</a>
 <b>5458</b>
-<v>2</v>
+<v>4</v>
 </b>
 </bs>
 </hist>
@@ -11751,7 +11966,7 @@
 <b>
 <a>9</a>
 <b>10</b>
-<v>2</v>
+<v>4</v>
 </b>
 </bs>
 </hist>
@@ -11761,19 +11976,19 @@
 </relation>
 <relation>
 <name>folders</name>
-<cardinality>9177</cardinality>
+<cardinality>17831</cardinality>
 <columnsizes>
 <e>
 <k>id</k>
-<v>9177</v>
+<v>17831</v>
 </e>
 <e>
 <k>name</k>
-<v>8036</v>
+<v>15615</v>
 </e>
 <e>
 <k>simple</k>
-<v>1428</v>
+<v>2776</v>
 </e>
 </columnsizes>
 <dependencies>
@@ -11787,7 +12002,7 @@
 <b>
 <a>1</a>
 <b>2</b>
-<v>9177</v>
+<v>17831</v>
 </b>
 </bs>
 </hist>
@@ -11803,7 +12018,7 @@
 <b>
 <a>1</a>
 <b>2</b>
-<v>9177</v>
+<v>17831</v>
 </b>
 </bs>
 </hist>
@@ -11819,7 +12034,7 @@
 <b>
 <a>1</a>
 <b>2</b>
-<v>8036</v>
+<v>15615</v>
 </b>
 </bs>
 </hist>
@@ -11835,12 +12050,12 @@
 <b>
 <a>1</a>
 <b>2</b>
-<v>6896</v>
+<v>13399</v>
 </b>
 <b>
 <a>2</a>
 <b>3</b>
-<v>1140</v>
+<v>2216</v>
 </b>
 </bs>
 </hist>
@@ -11856,27 +12071,27 @@
 <b>
 <a>1</a>
 <b>2</b>
-<v>842</v>
+<v>1636</v>
 </b>
 <b>
 <a>2</a>
 <b>3</b>
-<v>278</v>
+<v>540</v>
 </b>
 <b>
 <a>3</a>
 <b>4</b>
-<v>107</v>
+<v>209</v>
 </b>
 <b>
 <a>4</a>
 <b>10</b>
-<v>107</v>
+<v>209</v>
 </b>
 <b>
 <a>10</a>
 <b>383</b>
-<v>92</v>
+<v>180</v>
 </b>
 </bs>
 </hist>
@@ -11892,27 +12107,27 @@
 <b>
 <a>1</a>
 <b>2</b>
-<v>842</v>
+<v>1636</v>
 </b>
 <b>
 <a>2</a>
 <b>3</b>
-<v>278</v>
+<v>540</v>
 </b>
 <b>
 <a>3</a>
 <b>4</b>
-<v>107</v>
+<v>209</v>
 </b>
 <b>
 <a>4</a>
 <b>10</b>
-<v>107</v>
+<v>209</v>
 </b>
 <b>
 <a>10</a>
 <b>383</b>
-<v>92</v>
+<v>180</v>
 </b>
 </bs>
 </hist>
@@ -11922,15 +12137,15 @@
 </relation>
 <relation>
 <name>containerparent</name>
-<cardinality>32383</cardinality>
+<cardinality>62918</cardinality>
 <columnsizes>
 <e>
 <k>parent</k>
-<v>8036</v>
+<v>15615</v>
 </e>
 <e>
 <k>child</k>
-<v>32383</v>
+<v>62918</v>
 </e>
 </columnsizes>
 <dependencies>
@@ -11944,37 +12159,37 @@
 <b>
 <a>1</a>
 <b>2</b>
-<v>4356</v>
+<v>8465</v>
 </b>
 <b>
 <a>2</a>
 <b>3</b>
-<v>1070</v>
+<v>2079</v>
 </b>
 <b>
 <a>3</a>
 <b>4</b>
-<v>486</v>
+<v>944</v>
 </b>
 <b>
 <a>4</a>
 <b>5</b>
-<v>541</v>
+<v>1052</v>
 </b>
 <b>
 <a>5</a>
 <b>9</b>
-<v>629</v>
+<v>1222</v>
 </b>
 <b>
 <a>9</a>
 <b>17</b>
-<v>609</v>
+<v>1183</v>
 </b>
 <b>
 <a>17</a>
 <b>170</b>
-<v>343</v>
+<v>667</v>
 </b>
 </bs>
 </hist>
@@ -11990,7 +12205,7 @@
 <b>
 <a>1</a>
 <b>2</b>
-<v>32383</v>
+<v>62918</v>
 </b>
 </bs>
 </hist>
@@ -12000,15 +12215,15 @@
 </relation>
 <relation>
 <name>file_extraction_mode</name>
-<cardinality>16276</cardinality>
+<cardinality>31624</cardinality>
 <columnsizes>
 <e>
 <k>file</k>
-<v>16276</v>
+<v>31624</v>
 </e>
 <e>
 <k>mode</k>
-<v>2</v>
+<v>4</v>
 </e>
 </columnsizes>
 <dependencies>
@@ -12022,7 +12237,7 @@
 <b>
 <a>1</a>
 <b>2</b>
-<v>16276</v>
+<v>31624</v>
 </b>
 </bs>
 </hist>
@@ -12038,7 +12253,7 @@
 <b>
 <a>6493</a>
 <b>6494</b>
-<v>2</v>
+<v>4</v>
 </b>
 </bs>
 </hist>
@@ -12048,15 +12263,15 @@
 </relation>
 <relation>
 <name>namespaces</name>
-<cardinality>11293</cardinality>
+<cardinality>21942</cardinality>
 <columnsizes>
 <e>
 <k>id</k>
-<v>11293</v>
+<v>21942</v>
 </e>
 <e>
 <k>name</k>
-<v>2516</v>
+<v>4890</v>
 </e>
 </columnsizes>
 <dependencies>
@@ -12070,7 +12285,7 @@
 <b>
 <a>1</a>
 <b>2</b>
-<v>11293</v>
+<v>21942</v>
 </b>
 </bs>
 </hist>
@@ -12086,37 +12301,37 @@
 <b>
 <a>1</a>
 <b>2</b>
-<v>7</v>
+<v>14</v>
 </b>
 <b>
 <a>2</a>
 <b>3</b>
-<v>1797</v>
+<v>3492</v>
 </b>
 <b>
 <a>3</a>
 <b>4</b>
-<v>2</v>
+<v>4</v>
 </b>
 <b>
 <a>4</a>
 <b>5</b>
-<v>320</v>
+<v>623</v>
 </b>
 <b>
 <a>6</a>
 <b>10</b>
-<v>190</v>
+<v>370</v>
 </b>
 <b>
 <a>10</a>
 <b>101</b>
-<v>190</v>
+<v>370</v>
 </b>
 <b>
 <a>110</a>
 <b>139</b>
-<v>7</v>
+<v>14</v>
 </b>
 </bs>
 </hist>
@@ -12126,15 +12341,15 @@
 </relation>
 <relation>
 <name>namespace_declarations</name>
-<cardinality>8355</cardinality>
+<cardinality>19760</cardinality>
 <columnsizes>
 <e>
 <k>id</k>
-<v>8355</v>
+<v>19760</v>
 </e>
 <e>
 <k>namespace_id</k>
-<v>1774</v>
+<v>3886</v>
 </e>
 </columnsizes>
 <dependencies>
@@ -12148,7 +12363,7 @@
 <b>
 <a>1</a>
 <b>2</b>
-<v>8355</v>
+<v>19760</v>
 </b>
 </bs>
 </hist>
@@ -12164,37 +12379,42 @@
 <b>
 <a>1</a>
 <b>2</b>
-<v>669</v>
+<v>1397</v>
 </b>
 <b>
 <a>2</a>
 <b>3</b>
-<v>406</v>
+<v>798</v>
 </b>
 <b>
 <a>3</a>
 <b>4</b>
-<v>175</v>
+<v>414</v>
 </b>
 <b>
 <a>4</a>
 <b>5</b>
-<v>140</v>
+<v>306</v>
 </b>
 <b>
 <a>5</a>
 <b>6</b>
-<v>110</v>
+<v>224</v>
 </b>
 <b>
 <a>6</a>
 <b>9</b>
-<v>140</v>
+<v>331</v>
 </b>
 <b>
 <a>9</a>
+<b>17</b>
+<v>301</v>
+</b>
+<b>
+<a>17</a>
 <b>996</b>
-<v>132</v>
+<v>112</v>
 </b>
 </bs>
 </hist>
@@ -12204,15 +12424,15 @@
 </relation>
 <relation>
 <name>namespace_declaration_location</name>
-<cardinality>8355</cardinality>
+<cardinality>19760</cardinality>
 <columnsizes>
 <e>
 <k>id</k>
-<v>8355</v>
+<v>19760</v>
 </e>
 <e>
 <k>loc</k>
-<v>8355</v>
+<v>19760</v>
 </e>
 </columnsizes>
 <dependencies>
@@ -12226,7 +12446,7 @@
 <b>
 <a>1</a>
 <b>2</b>
-<v>8355</v>
+<v>19760</v>
 </b>
 </bs>
 </hist>
@@ -12242,7 +12462,7 @@
 <b>
 <a>1</a>
 <b>2</b>
-<v>8355</v>
+<v>19760</v>
 </b>
 </bs>
 </hist>
@@ -12252,15 +12472,15 @@
 </relation>
 <relation>
 <name>parent_namespace</name>
-<cardinality>388662</cardinality>
+<cardinality>777059</cardinality>
 <columnsizes>
 <e>
 <k>child_id</k>
-<v>388662</v>
+<v>777059</v>
 </e>
 <e>
 <k>namespace_id</k>
-<v>6974</v>
+<v>13554</v>
 </e>
 </columnsizes>
 <dependencies>
@@ -12274,7 +12494,7 @@
 <b>
 <a>1</a>
 <b>2</b>
-<v>388662</v>
+<v>777059</v>
 </b>
 </bs>
 </hist>
@@ -12290,57 +12510,57 @@
 <b>
 <a>1</a>
 <b>2</b>
-<v>1709</v>
+<v>3326</v>
 </b>
 <b>
 <a>2</a>
 <b>3</b>
-<v>842</v>
+<v>1626</v>
 </b>
 <b>
 <a>3</a>
 <b>4</b>
-<v>531</v>
+<v>1027</v>
 </b>
 <b>
 <a>4</a>
 <b>5</b>
-<v>468</v>
+<v>915</v>
 </b>
 <b>
 <a>5</a>
 <b>7</b>
-<v>641</v>
+<v>1251</v>
 </b>
 <b>
 <a>7</a>
 <b>10</b>
-<v>561</v>
+<v>1091</v>
 </b>
 <b>
 <a>10</a>
 <b>15</b>
-<v>589</v>
+<v>1139</v>
 </b>
 <b>
 <a>15</a>
 <b>23</b>
-<v>546</v>
+<v>1061</v>
 </b>
 <b>
 <a>23</a>
 <b>51</b>
-<v>523</v>
+<v>1027</v>
 </b>
 <b>
 <a>51</a>
 <b>835</b>
-<v>523</v>
+<v>1017</v>
 </b>
 <b>
 <a>900</a>
-<b>34743</b>
-<v>35</v>
+<b>35556</b>
+<v>68</v>
 </b>
 </bs>
 </hist>
@@ -12350,15 +12570,15 @@
 </relation>
 <relation>
 <name>parent_namespace_declaration</name>
-<cardinality>43445</cardinality>
+<cardinality>88303</cardinality>
 <columnsizes>
 <e>
 <k>child_id</k>
-<v>43212</v>
+<v>87787</v>
 </e>
 <e>
 <k>namespace_id</k>
-<v>8355</v>
+<v>19760</v>
 </e>
 </columnsizes>
 <dependencies>
@@ -12372,12 +12592,12 @@
 <b>
 <a>1</a>
 <b>2</b>
-<v>43145</v>
+<v>87636</v>
 </b>
 <b>
 <a>2</a>
 <b>60</b>
-<v>67</v>
+<v>150</v>
 </b>
 </bs>
 </hist>
@@ -12393,32 +12613,32 @@
 <b>
 <a>1</a>
 <b>2</b>
-<v>5412</v>
+<v>13778</v>
 </b>
 <b>
 <a>2</a>
 <b>9</b>
-<v>747</v>
+<v>1714</v>
 </b>
 <b>
 <a>9</a>
 <b>13</b>
-<v>656</v>
+<v>1276</v>
 </b>
 <b>
 <a>13</a>
 <b>16</b>
-<v>734</v>
+<v>1427</v>
 </b>
 <b>
 <a>16</a>
-<b>21</b>
-<v>508</v>
+<b>32</b>
+<v>1509</v>
 </b>
 <b>
-<a>31</a>
+<a>32</a>
 <b>33</b>
-<v>295</v>
+<v>53</v>
 </b>
 </bs>
 </hist>
@@ -12428,15 +12648,15 @@
 </relation>
 <relation>
 <name>using_namespace_directives</name>
-<cardinality>66100</cardinality>
+<cardinality>144252</cardinality>
 <columnsizes>
 <e>
 <k>id</k>
-<v>66100</v>
+<v>144252</v>
 </e>
 <e>
 <k>namespace_id</k>
-<v>1990</v>
+<v>4227</v>
 </e>
 </columnsizes>
 <dependencies>
@@ -12450,7 +12670,7 @@
 <b>
 <a>1</a>
 <b>2</b>
-<v>66100</v>
+<v>144252</v>
 </b>
 </bs>
 </hist>
@@ -12466,47 +12686,52 @@
 <b>
 <a>1</a>
 <b>2</b>
-<v>696</v>
+<v>1495</v>
 </b>
 <b>
 <a>2</a>
 <b>3</b>
-<v>285</v>
+<v>472</v>
 </b>
 <b>
 <a>3</a>
 <b>4</b>
-<v>115</v>
+<v>297</v>
 </b>
 <b>
 <a>4</a>
-<b>6</b>
-<v>182</v>
+<b>5</b>
+<v>238</v>
 </b>
 <b>
-<a>6</a>
-<b>11</b>
-<v>177</v>
+<a>5</a>
+<b>8</b>
+<v>365</v>
 </b>
 <b>
-<a>11</a>
-<b>21</b>
-<v>177</v>
+<a>8</a>
+<b>14</b>
+<v>336</v>
 </b>
 <b>
-<a>21</a>
-<b>45</b>
-<v>152</v>
+<a>14</a>
+<b>25</b>
+<v>321</v>
 </b>
 <b>
-<a>48</a>
-<b>206</b>
-<v>150</v>
+<a>25</a>
+<b>63</b>
+<v>326</v>
 </b>
 <b>
-<a>214</a>
-<b>2199</b>
-<v>50</v>
+<a>64</a>
+<b>465</b>
+<v>321</v>
+</b>
+<b>
+<a>510</a>
+<b>2519</b>
+<v>53</v>
 </b>
 </bs>
 </hist>
@@ -12516,15 +12741,15 @@
 </relation>
 <relation>
 <name>using_static_directives</name>
-<cardinality>199</cardinality>
+<cardinality>390</cardinality>
 <columnsizes>
 <e>
 <k>id</k>
-<v>199</v>
+<v>390</v>
 </e>
 <e>
 <k>type_id</k>
-<v>32</v>
+<v>54</v>
 </e>
 </columnsizes>
 <dependencies>
@@ -12538,7 +12763,7 @@
 <b>
 <a>1</a>
 <b>2</b>
-<v>199</v>
+<v>390</v>
 </b>
 </bs>
 </hist>
@@ -12554,46 +12779,46 @@
 <b>
 <a>1</a>
 <b>2</b>
-<v>4</v>
+<v>2</v>
 </b>
 <b>
 <a>2</a>
 <b>3</b>
-<v>15</v>
+<v>22</v>
 </b>
 <b>
 <a>3</a>
 <b>4</b>
-<v>1</v>
+<v>4</v>
 </b>
 <b>
 <a>4</a>
 <b>5</b>
-<v>3</v>
+<v>5</v>
 </b>
 <b>
 <a>5</a>
+<b>6</b>
+<v>2</v>
+</b>
+<b>
+<a>6</a>
 <b>7</b>
-<v>2</v>
+<v>5</v>
 </b>
 <b>
-<a>7</a>
+<a>8</a>
 <b>9</b>
-<v>2</v>
+<v>7</v>
 </b>
 <b>
-<a>16</a>
-<b>23</b>
-<v>2</v>
-</b>
-<b>
-<a>26</a>
-<b>27</b>
-<v>1</v>
-</b>
-<b>
-<a>30</a>
+<a>12</a>
 <b>31</b>
+<v>5</v>
+</b>
+<b>
+<a>46</a>
+<b>71</b>
 <v>2</v>
 </b>
 </bs>
@@ -12604,15 +12829,15 @@
 </relation>
 <relation>
 <name>using_directive_location</name>
-<cardinality>74275</cardinality>
+<cardinality>144310</cardinality>
 <columnsizes>
 <e>
 <k>id</k>
-<v>74275</v>
+<v>144310</v>
 </e>
 <e>
 <k>loc</k>
-<v>74252</v>
+<v>144267</v>
 </e>
 </columnsizes>
 <dependencies>
@@ -12626,7 +12851,7 @@
 <b>
 <a>1</a>
 <b>2</b>
-<v>74275</v>
+<v>144310</v>
 </b>
 </bs>
 </hist>
@@ -12642,12 +12867,12 @@
 <b>
 <a>1</a>
 <b>2</b>
-<v>74229</v>
+<v>144223</v>
 </b>
 <b>
 <a>2</a>
 <b>3</b>
-<v>22</v>
+<v>43</v>
 </b>
 </bs>
 </hist>
@@ -12657,11 +12882,11 @@
 </relation>
 <relation>
 <name>directive_ifs</name>
-<cardinality>2550</cardinality>
+<cardinality>5161</cardinality>
 <columnsizes>
 <e>
 <k>id</k>
-<v>2550</v>
+<v>5161</v>
 </e>
 <e>
 <k>branchTaken</k>
@@ -12683,7 +12908,7 @@
 <b>
 <a>1</a>
 <b>2</b>
-<v>2550</v>
+<v>5161</v>
 </b>
 </bs>
 </hist>
@@ -12699,7 +12924,7 @@
 <b>
 <a>1</a>
 <b>2</b>
-<v>2550</v>
+<v>5161</v>
 </b>
 </bs>
 </hist>
@@ -12713,13 +12938,13 @@
 <budget>12</budget>
 <bs>
 <b>
-<a>1194</a>
-<b>1195</b>
+<a>1992</a>
+<b>1993</b>
 <v>1</v>
 </b>
 <b>
-<a>1219</a>
-<b>1220</b>
+<a>2162</a>
+<b>2163</b>
 <v>1</v>
 </b>
 </bs>
@@ -12755,13 +12980,13 @@
 <budget>12</budget>
 <bs>
 <b>
-<a>1199</a>
-<b>1200</b>
+<a>2013</a>
+<b>2014</b>
 <v>1</v>
 </b>
 <b>
-<a>1214</a>
-<b>1215</b>
+<a>2141</a>
+<b>2142</b>
 <v>1</v>
 </b>
 </bs>
@@ -12793,15 +13018,15 @@
 </relation>
 <relation>
 <name>directive_elifs</name>
-<cardinality>7</cardinality>
+<cardinality>59</cardinality>
 <columnsizes>
 <e>
 <k>id</k>
-<v>7</v>
+<v>59</v>
 </e>
 <e>
 <k>branchTaken</k>
-<v>1</v>
+<v>2</v>
 </e>
 <e>
 <k>conditionValue</k>
@@ -12809,11 +13034,11 @@
 </e>
 <e>
 <k>parent</k>
-<v>7</v>
+<v>51</v>
 </e>
 <e>
 <k>index</k>
-<v>1</v>
+<v>2</v>
 </e>
 </columnsizes>
 <dependencies>
@@ -12827,7 +13052,7 @@
 <b>
 <a>1</a>
 <b>2</b>
-<v>7</v>
+<v>59</v>
 </b>
 </bs>
 </hist>
@@ -12843,7 +13068,7 @@
 <b>
 <a>1</a>
 <b>2</b>
-<v>7</v>
+<v>59</v>
 </b>
 </bs>
 </hist>
@@ -12859,7 +13084,7 @@
 <b>
 <a>1</a>
 <b>2</b>
-<v>7</v>
+<v>59</v>
 </b>
 </bs>
 </hist>
@@ -12875,7 +13100,7 @@
 <b>
 <a>1</a>
 <b>2</b>
-<v>7</v>
+<v>59</v>
 </b>
 </bs>
 </hist>
@@ -12889,8 +13114,13 @@
 <budget>12</budget>
 <bs>
 <b>
-<a>7</a>
-<b>8</b>
+<a>18</a>
+<b>19</b>
+<v>1</v>
+</b>
+<b>
+<a>41</a>
+<b>42</b>
 <v>1</v>
 </b>
 </bs>
@@ -12905,9 +13135,9 @@
 <budget>12</budget>
 <bs>
 <b>
-<a>2</a>
-<b>3</b>
-<v>1</v>
+<a>1</a>
+<b>2</b>
+<v>2</v>
 </b>
 </bs>
 </hist>
@@ -12921,8 +13151,13 @@
 <budget>12</budget>
 <bs>
 <b>
-<a>7</a>
-<b>8</b>
+<a>18</a>
+<b>19</b>
+<v>1</v>
+</b>
+<b>
+<a>39</a>
+<b>40</b>
 <v>1</v>
 </b>
 </bs>
@@ -12937,9 +13172,9 @@
 <budget>12</budget>
 <bs>
 <b>
-<a>1</a>
-<b>2</b>
-<v>1</v>
+<a>2</a>
+<b>3</b>
+<v>2</v>
 </b>
 </bs>
 </hist>
@@ -12953,13 +13188,13 @@
 <budget>12</budget>
 <bs>
 <b>
-<a>1</a>
-<b>2</b>
+<a>18</a>
+<b>19</b>
 <v>1</v>
 </b>
 <b>
-<a>6</a>
-<b>7</b>
+<a>41</a>
+<b>42</b>
 <v>1</v>
 </b>
 </bs>
@@ -12990,13 +13225,13 @@
 <budget>12</budget>
 <bs>
 <b>
-<a>1</a>
-<b>2</b>
+<a>18</a>
+<b>19</b>
 <v>1</v>
 </b>
 <b>
-<a>6</a>
-<b>7</b>
+<a>39</a>
+<b>40</b>
 <v>1</v>
 </b>
 </bs>
@@ -13011,8 +13246,8 @@
 <budget>12</budget>
 <bs>
 <b>
-<a>1</a>
-<b>2</b>
+<a>2</a>
+<b>3</b>
 <v>2</v>
 </b>
 </bs>
@@ -13029,7 +13264,12 @@
 <b>
 <a>1</a>
 <b>2</b>
-<v>7</v>
+<v>43</v>
+</b>
+<b>
+<a>2</a>
+<b>3</b>
+<v>8</v>
 </b>
 </bs>
 </hist>
@@ -13045,7 +13285,12 @@
 <b>
 <a>1</a>
 <b>2</b>
-<v>7</v>
+<v>45</v>
+</b>
+<b>
+<a>2</a>
+<b>3</b>
+<v>6</v>
 </b>
 </bs>
 </hist>
@@ -13061,7 +13306,12 @@
 <b>
 <a>1</a>
 <b>2</b>
-<v>7</v>
+<v>45</v>
+</b>
+<b>
+<a>2</a>
+<b>3</b>
+<v>6</v>
 </b>
 </bs>
 </hist>
@@ -13077,7 +13327,12 @@
 <b>
 <a>1</a>
 <b>2</b>
-<v>7</v>
+<v>43</v>
+</b>
+<b>
+<a>2</a>
+<b>3</b>
+<v>8</v>
 </b>
 </bs>
 </hist>
@@ -13091,8 +13346,13 @@
 <budget>12</budget>
 <bs>
 <b>
-<a>7</a>
-<b>8</b>
+<a>8</a>
+<b>9</b>
+<v>1</v>
+</b>
+<b>
+<a>51</a>
+<b>52</b>
 <v>1</v>
 </b>
 </bs>
@@ -13107,9 +13367,9 @@
 <budget>12</budget>
 <bs>
 <b>
-<a>1</a>
-<b>2</b>
-<v>1</v>
+<a>2</a>
+<b>3</b>
+<v>2</v>
 </b>
 </bs>
 </hist>
@@ -13125,7 +13385,7 @@
 <b>
 <a>2</a>
 <b>3</b>
-<v>1</v>
+<v>2</v>
 </b>
 </bs>
 </hist>
@@ -13139,8 +13399,13 @@
 <budget>12</budget>
 <bs>
 <b>
-<a>7</a>
-<b>8</b>
+<a>8</a>
+<b>9</b>
+<v>1</v>
+</b>
+<b>
+<a>51</a>
+<b>52</b>
 <v>1</v>
 </b>
 </bs>
@@ -13151,11 +13416,11 @@
 </relation>
 <relation>
 <name>directive_elses</name>
-<cardinality>1140</cardinality>
+<cardinality>2314</cardinality>
 <columnsizes>
 <e>
 <k>id</k>
-<v>1140</v>
+<v>2314</v>
 </e>
 <e>
 <k>branchTaken</k>
@@ -13163,11 +13428,11 @@
 </e>
 <e>
 <k>parent</k>
-<v>1140</v>
+<v>2314</v>
 </e>
 <e>
 <k>index</k>
-<v>2</v>
+<v>3</v>
 </e>
 </columnsizes>
 <dependencies>
@@ -13181,7 +13446,7 @@
 <b>
 <a>1</a>
 <b>2</b>
-<v>1140</v>
+<v>2314</v>
 </b>
 </bs>
 </hist>
@@ -13197,7 +13462,7 @@
 <b>
 <a>1</a>
 <b>2</b>
-<v>1140</v>
+<v>2314</v>
 </b>
 </bs>
 </hist>
@@ -13213,7 +13478,7 @@
 <b>
 <a>1</a>
 <b>2</b>
-<v>1140</v>
+<v>2314</v>
 </b>
 </bs>
 </hist>
@@ -13227,13 +13492,13 @@
 <budget>12</budget>
 <bs>
 <b>
-<a>329</a>
-<b>330</b>
+<a>496</a>
+<b>497</b>
 <v>1</v>
 </b>
 <b>
-<a>750</a>
-<b>751</b>
+<a>1367</a>
+<b>1368</b>
 <v>1</v>
 </b>
 </bs>
@@ -13248,13 +13513,13 @@
 <budget>12</budget>
 <bs>
 <b>
-<a>329</a>
-<b>330</b>
+<a>496</a>
+<b>497</b>
 <v>1</v>
 </b>
 <b>
-<a>750</a>
-<b>751</b>
+<a>1367</a>
+<b>1368</b>
 <v>1</v>
 </b>
 </bs>
@@ -13271,7 +13536,12 @@
 <b>
 <a>2</a>
 <b>3</b>
-<v>2</v>
+<v>1</v>
+</b>
+<b>
+<a>3</a>
+<b>4</b>
+<v>1</v>
 </b>
 </bs>
 </hist>
@@ -13287,7 +13557,7 @@
 <b>
 <a>1</a>
 <b>2</b>
-<v>1140</v>
+<v>2314</v>
 </b>
 </bs>
 </hist>
@@ -13303,7 +13573,7 @@
 <b>
 <a>1</a>
 <b>2</b>
-<v>1140</v>
+<v>2314</v>
 </b>
 </bs>
 </hist>
@@ -13319,7 +13589,7 @@
 <b>
 <a>1</a>
 <b>2</b>
-<v>1140</v>
+<v>2314</v>
 </b>
 </bs>
 </hist>
@@ -13333,13 +13603,18 @@
 <budget>12</budget>
 <bs>
 <b>
-<a>7</a>
-<b>8</b>
+<a>1</a>
+<b>2</b>
 <v>1</v>
 </b>
 <b>
-<a>1072</a>
-<b>1073</b>
+<a>10</a>
+<b>11</b>
+<v>1</v>
+</b>
+<b>
+<a>1852</a>
+<b>1853</b>
 <v>1</v>
 </b>
 </bs>
@@ -13354,6 +13629,11 @@
 <budget>12</budget>
 <bs>
 <b>
+<a>1</a>
+<b>2</b>
+<v>1</v>
+</b>
+<b>
 <a>2</a>
 <b>3</b>
 <v>2</v>
@@ -13370,13 +13650,18 @@
 <budget>12</budget>
 <bs>
 <b>
-<a>7</a>
-<b>8</b>
+<a>1</a>
+<b>2</b>
 <v>1</v>
 </b>
 <b>
-<a>1072</a>
-<b>1073</b>
+<a>10</a>
+<b>11</b>
+<v>1</v>
+</b>
+<b>
+<a>1852</a>
+<b>1853</b>
 <v>1</v>
 </b>
 </bs>
@@ -13387,15 +13672,15 @@
 </relation>
 <relation>
 <name>directive_endifs</name>
-<cardinality>2550</cardinality>
+<cardinality>5161</cardinality>
 <columnsizes>
 <e>
 <k>id</k>
-<v>2550</v>
+<v>5161</v>
 </e>
 <e>
 <k>start</k>
-<v>2550</v>
+<v>5161</v>
 </e>
 </columnsizes>
 <dependencies>
@@ -13409,7 +13694,7 @@
 <b>
 <a>1</a>
 <b>2</b>
-<v>2550</v>
+<v>5161</v>
 </b>
 </bs>
 </hist>
@@ -13425,7 +13710,7 @@
 <b>
 <a>1</a>
 <b>2</b>
-<v>2550</v>
+<v>5161</v>
 </b>
 </bs>
 </hist>
@@ -13435,15 +13720,15 @@
 </relation>
 <relation>
 <name>directive_define_symbols</name>
-<cardinality>3314</cardinality>
+<cardinality>6226</cardinality>
 <columnsizes>
 <e>
 <k>id</k>
-<v>3314</v>
+<v>6226</v>
 </e>
 <e>
 <k>name</k>
-<v>86</v>
+<v>170</v>
 </e>
 </columnsizes>
 <dependencies>
@@ -13457,7 +13742,7 @@
 <b>
 <a>1</a>
 <b>2</b>
-<v>3314</v>
+<v>6226</v>
 </b>
 </bs>
 </hist>
@@ -13473,52 +13758,52 @@
 <b>
 <a>1</a>
 <b>2</b>
-<v>17</v>
+<v>37</v>
 </b>
 <b>
 <a>2</a>
 <b>3</b>
-<v>8</v>
+<v>27</v>
 </b>
 <b>
 <a>3</a>
 <b>4</b>
-<v>10</v>
+<v>13</v>
 </b>
 <b>
 <a>4</a>
 <b>5</b>
-<v>8</v>
+<v>11</v>
 </b>
 <b>
 <a>5</a>
-<b>6</b>
-<v>7</v>
-</b>
-<b>
-<a>6</a>
 <b>7</b>
-<v>5</v>
+<v>11</v>
 </b>
 <b>
 <a>7</a>
-<b>12</b>
-<v>7</v>
+<b>10</b>
+<v>12</v>
 </b>
 <b>
-<a>13</a>
-<b>23</b>
-<v>6</v>
+<a>10</a>
+<b>17</b>
+<v>14</v>
 </b>
 <b>
-<a>24</a>
-<b>55</b>
-<v>7</v>
+<a>17</a>
+<b>27</b>
+<v>14</v>
 </b>
 <b>
-<a>97</a>
-<b>656</b>
-<v>7</v>
+<a>27</a>
+<b>72</b>
+<v>13</v>
+</b>
+<b>
+<a>77</a>
+<b>1098</b>
+<v>13</v>
 </b>
 </bs>
 </hist>
@@ -13528,15 +13813,15 @@
 </relation>
 <relation>
 <name>directive_regions</name>
-<cardinality>565</cardinality>
+<cardinality>1954</cardinality>
 <columnsizes>
 <e>
 <k>id</k>
-<v>565</v>
+<v>1954</v>
 </e>
 <e>
 <k>name</k>
-<v>216</v>
+<v>710</v>
 </e>
 </columnsizes>
 <dependencies>
@@ -13550,7 +13835,7 @@
 <b>
 <a>1</a>
 <b>2</b>
-<v>565</v>
+<v>1954</v>
 </b>
 </bs>
 </hist>
@@ -13566,27 +13851,27 @@
 <b>
 <a>1</a>
 <b>2</b>
-<v>6</v>
+<v>8</v>
 </b>
 <b>
 <a>2</a>
 <b>3</b>
-<v>175</v>
+<v>547</v>
 </b>
 <b>
 <a>3</a>
 <b>4</b>
-<v>1</v>
+<v>22</v>
 </b>
 <b>
 <a>4</a>
 <b>5</b>
-<v>26</v>
+<v>81</v>
 </b>
 <b>
-<a>6</a>
-<b>31</b>
-<v>8</v>
+<a>5</a>
+<b>35</b>
+<v>52</v>
 </b>
 </bs>
 </hist>
@@ -13596,15 +13881,15 @@
 </relation>
 <relation>
 <name>directive_endregions</name>
-<cardinality>565</cardinality>
+<cardinality>1954</cardinality>
 <columnsizes>
 <e>
 <k>id</k>
-<v>565</v>
+<v>1954</v>
 </e>
 <e>
 <k>start</k>
-<v>565</v>
+<v>1954</v>
 </e>
 </columnsizes>
 <dependencies>
@@ -13618,7 +13903,7 @@
 <b>
 <a>1</a>
 <b>2</b>
-<v>565</v>
+<v>1954</v>
 </b>
 </bs>
 </hist>
@@ -13634,7 +13919,7 @@
 <b>
 <a>1</a>
 <b>2</b>
-<v>565</v>
+<v>1954</v>
 </b>
 </bs>
 </hist>
@@ -13644,15 +13929,15 @@
 </relation>
 <relation>
 <name>directive_lines</name>
-<cardinality>128896</cardinality>
+<cardinality>250436</cardinality>
 <columnsizes>
 <e>
 <k>id</k>
-<v>128896</v>
+<v>250436</v>
 </e>
 <e>
 <k>kind</k>
-<v>7</v>
+<v>14</v>
 </e>
 </columnsizes>
 <dependencies>
@@ -13666,7 +13951,7 @@
 <b>
 <a>1</a>
 <b>2</b>
-<v>128896</v>
+<v>250436</v>
 </b>
 </bs>
 </hist>
@@ -13682,12 +13967,12 @@
 <b>
 <a>16650</a>
 <b>16651</b>
-<v>5</v>
+<v>9</v>
 </b>
 <b>
 <a>18118</a>
 <b>18119</b>
-<v>2</v>
+<v>4</v>
 </b>
 </bs>
 </hist>
@@ -13697,15 +13982,15 @@
 </relation>
 <relation>
 <name>directive_line_value</name>
-<cardinality>41738</cardinality>
+<cardinality>81095</cardinality>
 <columnsizes>
 <e>
 <k>id</k>
-<v>41738</v>
+<v>81095</v>
 </e>
 <e>
 <k>line</k>
-<v>709</v>
+<v>1378</v>
 </e>
 </columnsizes>
 <dependencies>
@@ -13719,7 +14004,7 @@
 <b>
 <a>1</a>
 <b>2</b>
-<v>41738</v>
+<v>81095</v>
 </b>
 </bs>
 </hist>
@@ -13735,57 +14020,57 @@
 <b>
 <a>1</a>
 <b>2</b>
-<v>147</v>
+<v>287</v>
 </b>
 <b>
 <a>2</a>
 <b>3</b>
-<v>70</v>
+<v>136</v>
 </b>
 <b>
 <a>3</a>
 <b>4</b>
-<v>55</v>
+<v>107</v>
 </b>
 <b>
 <a>4</a>
 <b>7</b>
-<v>65</v>
+<v>126</v>
 </b>
 <b>
 <a>7</a>
 <b>11</b>
-<v>60</v>
+<v>116</v>
 </b>
 <b>
 <a>11</a>
 <b>15</b>
-<v>55</v>
+<v>107</v>
 </b>
 <b>
 <a>15</a>
 <b>27</b>
-<v>62</v>
+<v>121</v>
 </b>
 <b>
 <a>27</a>
 <b>46</b>
-<v>55</v>
+<v>107</v>
 </b>
 <b>
 <a>46</a>
 <b>104</b>
-<v>55</v>
+<v>107</v>
 </b>
 <b>
 <a>106</a>
 <b>549</b>
-<v>55</v>
+<v>107</v>
 </b>
 <b>
 <a>569</a>
 <b>727</b>
-<v>27</v>
+<v>53</v>
 </b>
 </bs>
 </hist>
@@ -13795,15 +14080,15 @@
 </relation>
 <relation>
 <name>directive_line_file</name>
-<cardinality>41738</cardinality>
+<cardinality>81095</cardinality>
 <columnsizes>
 <e>
 <k>id</k>
-<v>41738</v>
+<v>81095</v>
 </e>
 <e>
 <k>file</k>
-<v>2396</v>
+<v>4656</v>
 </e>
 </columnsizes>
 <dependencies>
@@ -13817,7 +14102,7 @@
 <b>
 <a>1</a>
 <b>2</b>
-<v>41738</v>
+<v>81095</v>
 </b>
 </bs>
 </hist>
@@ -13833,57 +14118,57 @@
 <b>
 <a>1</a>
 <b>2</b>
-<v>308</v>
+<v>599</v>
 </b>
 <b>
 <a>2</a>
 <b>3</b>
-<v>396</v>
+<v>769</v>
 </b>
 <b>
 <a>3</a>
 <b>4</b>
-<v>255</v>
+<v>496</v>
 </b>
 <b>
 <a>4</a>
 <b>6</b>
-<v>205</v>
+<v>399</v>
 </b>
 <b>
 <a>6</a>
 <b>7</b>
-<v>110</v>
+<v>214</v>
 </b>
 <b>
 <a>7</a>
 <b>9</b>
-<v>200</v>
+<v>389</v>
 </b>
 <b>
 <a>9</a>
 <b>12</b>
-<v>180</v>
+<v>350</v>
 </b>
 <b>
 <a>12</a>
 <b>16</b>
-<v>205</v>
+<v>399</v>
 </b>
 <b>
 <a>16</a>
 <b>27</b>
-<v>185</v>
+<v>360</v>
 </b>
 <b>
 <a>27</a>
 <b>42</b>
-<v>188</v>
+<v>365</v>
 </b>
 <b>
 <a>42</a>
 <b>2665</b>
-<v>160</v>
+<v>311</v>
 </b>
 </bs>
 </hist>
@@ -13893,19 +14178,19 @@
 </relation>
 <relation>
 <name>directive_nullables</name>
-<cardinality>83477</cardinality>
+<cardinality>162190</cardinality>
 <columnsizes>
 <e>
 <k>id</k>
-<v>83477</v>
+<v>162190</v>
 </e>
 <e>
 <k>setting</k>
-<v>5</v>
+<v>9</v>
 </e>
 <e>
 <k>target</k>
-<v>2</v>
+<v>4</v>
 </e>
 </columnsizes>
 <dependencies>
@@ -13919,7 +14204,7 @@
 <b>
 <a>1</a>
 <b>2</b>
-<v>83477</v>
+<v>162190</v>
 </b>
 </bs>
 </hist>
@@ -13935,7 +14220,7 @@
 <b>
 <a>1</a>
 <b>2</b>
-<v>83477</v>
+<v>162190</v>
 </b>
 </bs>
 </hist>
@@ -13951,7 +14236,7 @@
 <b>
 <a>16650</a>
 <b>16651</b>
-<v>5</v>
+<v>9</v>
 </b>
 </bs>
 </hist>
@@ -13967,7 +14252,7 @@
 <b>
 <a>1</a>
 <b>2</b>
-<v>5</v>
+<v>9</v>
 </b>
 </bs>
 </hist>
@@ -13983,7 +14268,7 @@
 <b>
 <a>33300</a>
 <b>33301</b>
-<v>2</v>
+<v>4</v>
 </b>
 </bs>
 </hist>
@@ -13999,7 +14284,7 @@
 <b>
 <a>2</a>
 <b>3</b>
-<v>2</v>
+<v>4</v>
 </b>
 </bs>
 </hist>
@@ -14057,15 +14342,15 @@
 </relation>
 <relation>
 <name>directive_errors</name>
-<cardinality>1</cardinality>
+<cardinality>28</cardinality>
 <columnsizes>
 <e>
 <k>id</k>
-<v>1</v>
+<v>28</v>
 </e>
 <e>
 <k>message</k>
-<v>1</v>
+<v>2</v>
 </e>
 </columnsizes>
 <dependencies>
@@ -14079,7 +14364,7 @@
 <b>
 <a>1</a>
 <b>2</b>
-<v>1</v>
+<v>28</v>
 </b>
 </bs>
 </hist>
@@ -14093,8 +14378,13 @@
 <budget>12</budget>
 <bs>
 <b>
-<a>1</a>
-<b>2</b>
+<a>4</a>
+<b>5</b>
+<v>1</v>
+</b>
+<b>
+<a>24</a>
+<b>25</b>
 <v>1</v>
 </b>
 </bs>
@@ -14153,15 +14443,15 @@
 </relation>
 <relation>
 <name>directive_defines</name>
-<cardinality>5</cardinality>
+<cardinality>22</cardinality>
 <columnsizes>
 <e>
 <k>id</k>
-<v>5</v>
+<v>22</v>
 </e>
 <e>
 <k>name</k>
-<v>5</v>
+<v>12</v>
 </e>
 </columnsizes>
 <dependencies>
@@ -14175,7 +14465,7 @@
 <b>
 <a>1</a>
 <b>2</b>
-<v>5</v>
+<v>22</v>
 </b>
 </bs>
 </hist>
@@ -14191,7 +14481,22 @@
 <b>
 <a>1</a>
 <b>2</b>
-<v>5</v>
+<v>8</v>
+</b>
+<b>
+<a>2</a>
+<b>3</b>
+<v>1</v>
+</b>
+<b>
+<a>3</a>
+<b>4</b>
+<v>1</v>
+</b>
+<b>
+<a>6</a>
+<b>7</b>
+<v>1</v>
 </b>
 </bs>
 </hist>
@@ -14201,23 +14506,23 @@
 </relation>
 <relation>
 <name>pragma_checksums</name>
-<cardinality>2494</cardinality>
+<cardinality>4846</cardinality>
 <columnsizes>
 <e>
 <k>id</k>
-<v>2494</v>
+<v>4846</v>
 </e>
 <e>
 <k>file</k>
-<v>2494</v>
+<v>4846</v>
 </e>
 <e>
 <k>guid</k>
-<v>2</v>
+<v>4</v>
 </e>
 <e>
 <k>bytes</k>
-<v>2338</v>
+<v>4544</v>
 </e>
 </columnsizes>
 <dependencies>
@@ -14231,7 +14536,7 @@
 <b>
 <a>1</a>
 <b>2</b>
-<v>2494</v>
+<v>4846</v>
 </b>
 </bs>
 </hist>
@@ -14247,7 +14552,7 @@
 <b>
 <a>1</a>
 <b>2</b>
-<v>2494</v>
+<v>4846</v>
 </b>
 </bs>
 </hist>
@@ -14263,7 +14568,7 @@
 <b>
 <a>1</a>
 <b>2</b>
-<v>2494</v>
+<v>4846</v>
 </b>
 </bs>
 </hist>
@@ -14279,7 +14584,7 @@
 <b>
 <a>1</a>
 <b>2</b>
-<v>2494</v>
+<v>4846</v>
 </b>
 </bs>
 </hist>
@@ -14295,7 +14600,7 @@
 <b>
 <a>1</a>
 <b>2</b>
-<v>2494</v>
+<v>4846</v>
 </b>
 </bs>
 </hist>
@@ -14311,7 +14616,7 @@
 <b>
 <a>1</a>
 <b>2</b>
-<v>2494</v>
+<v>4846</v>
 </b>
 </bs>
 </hist>
@@ -14327,7 +14632,7 @@
 <b>
 <a>995</a>
 <b>996</b>
-<v>2</v>
+<v>4</v>
 </b>
 </bs>
 </hist>
@@ -14343,7 +14648,7 @@
 <b>
 <a>995</a>
 <b>996</b>
-<v>2</v>
+<v>4</v>
 </b>
 </bs>
 </hist>
@@ -14359,7 +14664,7 @@
 <b>
 <a>933</a>
 <b>934</b>
-<v>2</v>
+<v>4</v>
 </b>
 </bs>
 </hist>
@@ -14375,12 +14680,12 @@
 <b>
 <a>1</a>
 <b>2</b>
-<v>2288</v>
+<v>4446</v>
 </b>
 <b>
 <a>2</a>
 <b>19</b>
-<v>50</v>
+<v>97</v>
 </b>
 </bs>
 </hist>
@@ -14396,12 +14701,12 @@
 <b>
 <a>1</a>
 <b>2</b>
-<v>2288</v>
+<v>4446</v>
 </b>
 <b>
 <a>2</a>
 <b>19</b>
-<v>50</v>
+<v>97</v>
 </b>
 </bs>
 </hist>
@@ -14417,7 +14722,7 @@
 <b>
 <a>1</a>
 <b>2</b>
-<v>2338</v>
+<v>4544</v>
 </b>
 </bs>
 </hist>
@@ -14427,15 +14732,15 @@
 </relation>
 <relation>
 <name>pragma_warnings</name>
-<cardinality>14725</cardinality>
+<cardinality>28609</cardinality>
 <columnsizes>
 <e>
 <k>id</k>
-<v>14725</v>
+<v>28609</v>
 </e>
 <e>
 <k>kind</k>
-<v>5</v>
+<v>9</v>
 </e>
 </columnsizes>
 <dependencies>
@@ -14449,7 +14754,7 @@
 <b>
 <a>1</a>
 <b>2</b>
-<v>14725</v>
+<v>28609</v>
 </b>
 </bs>
 </hist>
@@ -14465,7 +14770,7 @@
 <b>
 <a>2937</a>
 <b>2938</b>
-<v>5</v>
+<v>9</v>
 </b>
 </bs>
 </hist>
@@ -14475,19 +14780,19 @@
 </relation>
 <relation>
 <name>pragma_warning_error_codes</name>
-<cardinality>14730</cardinality>
+<cardinality>28619</cardinality>
 <columnsizes>
 <e>
 <k>id</k>
-<v>14725</v>
+<v>28609</v>
 </e>
 <e>
 <k>errorCode</k>
-<v>15</v>
+<v>29</v>
 </e>
 <e>
 <k>index</k>
-<v>5</v>
+<v>9</v>
 </e>
 </columnsizes>
 <dependencies>
@@ -14501,12 +14806,12 @@
 <b>
 <a>1</a>
 <b>2</b>
-<v>14720</v>
+<v>28600</v>
 </b>
 <b>
 <a>2</a>
 <b>3</b>
-<v>5</v>
+<v>9</v>
 </b>
 </bs>
 </hist>
@@ -14522,12 +14827,12 @@
 <b>
 <a>1</a>
 <b>2</b>
-<v>14720</v>
+<v>28600</v>
 </b>
 <b>
 <a>2</a>
 <b>3</b>
-<v>5</v>
+<v>9</v>
 </b>
 </bs>
 </hist>
@@ -14543,17 +14848,17 @@
 <b>
 <a>2</a>
 <b>3</b>
-<v>5</v>
+<v>9</v>
 </b>
 <b>
 <a>946</a>
 <b>947</b>
-<v>5</v>
+<v>9</v>
 </b>
 <b>
 <a>1990</a>
 <b>1991</b>
-<v>5</v>
+<v>9</v>
 </b>
 </bs>
 </hist>
@@ -14569,7 +14874,7 @@
 <b>
 <a>1</a>
 <b>2</b>
-<v>15</v>
+<v>29</v>
 </b>
 </bs>
 </hist>
@@ -14585,12 +14890,12 @@
 <b>
 <a>2</a>
 <b>3</b>
-<v>2</v>
+<v>4</v>
 </b>
 <b>
 <a>5874</a>
 <b>5875</b>
-<v>2</v>
+<v>4</v>
 </b>
 </bs>
 </hist>
@@ -14606,12 +14911,12 @@
 <b>
 <a>1</a>
 <b>2</b>
-<v>2</v>
+<v>4</v>
 </b>
 <b>
 <a>5</a>
 <b>6</b>
-<v>2</v>
+<v>4</v>
 </b>
 </bs>
 </hist>
@@ -14621,15 +14926,15 @@
 </relation>
 <relation>
 <name>preprocessor_directive_location</name>
-<cardinality>229688</cardinality>
+<cardinality>446370</cardinality>
 <columnsizes>
 <e>
 <k>id</k>
-<v>229688</v>
+<v>446370</v>
 </e>
 <e>
 <k>loc</k>
-<v>229688</v>
+<v>446370</v>
 </e>
 </columnsizes>
 <dependencies>
@@ -14643,7 +14948,7 @@
 <b>
 <a>1</a>
 <b>2</b>
-<v>229688</v>
+<v>446370</v>
 </b>
 </bs>
 </hist>
@@ -14659,7 +14964,7 @@
 <b>
 <a>1</a>
 <b>2</b>
-<v>229688</v>
+<v>446370</v>
 </b>
 </bs>
 </hist>
@@ -14669,15 +14974,15 @@
 </relation>
 <relation>
 <name>preprocessor_directive_compilation</name>
-<cardinality>229688</cardinality>
+<cardinality>446370</cardinality>
 <columnsizes>
 <e>
 <k>id</k>
-<v>229688</v>
+<v>446370</v>
 </e>
 <e>
 <k>compilation</k>
-<v>172</v>
+<v>345</v>
 </e>
 </columnsizes>
 <dependencies>
@@ -14691,7 +14996,7 @@
 <b>
 <a>1</a>
 <b>2</b>
-<v>229688</v>
+<v>446370</v>
 </b>
 </bs>
 </hist>
@@ -14707,62 +15012,62 @@
 <b>
 <a>4</a>
 <b>11</b>
-<v>12</v>
+<v>29</v>
 </b>
 <b>
 <a>16</a>
-<b>62</b>
-<v>15</v>
+<b>48</b>
+<v>29</v>
 </b>
 <b>
-<a>75</a>
-<b>144</b>
-<v>15</v>
+<a>61</a>
+<b>140</b>
+<v>29</v>
 </b>
 <b>
-<a>149</a>
-<b>226</b>
-<v>15</v>
+<a>143</a>
+<b>198</b>
+<v>29</v>
 </b>
 <b>
-<a>248</a>
-<b>317</b>
-<v>15</v>
+<a>225</a>
+<b>300</b>
+<v>29</v>
 </b>
 <b>
-<a>342</a>
-<b>459</b>
-<v>15</v>
+<a>316</a>
+<b>453</b>
+<v>29</v>
 </b>
 <b>
-<a>503</a>
-<b>665</b>
-<v>15</v>
+<a>458</a>
+<b>634</b>
+<v>29</v>
 </b>
 <b>
-<a>772</a>
-<b>1090</b>
-<v>15</v>
+<a>664</a>
+<b>1055</b>
+<v>29</v>
 </b>
 <b>
-<a>1155</a>
-<b>1276</b>
-<v>15</v>
+<a>1089</a>
+<b>1250</b>
+<v>29</v>
 </b>
 <b>
-<a>1343</a>
-<b>2001</b>
-<v>15</v>
+<a>1275</a>
+<b>1989</b>
+<v>29</v>
 </b>
 <b>
-<a>2121</a>
-<b>4115</b>
-<v>15</v>
+<a>2000</a>
+<b>3215</b>
+<v>29</v>
 </b>
 <b>
-<a>6086</a>
+<a>4114</a>
 <b>19444</b>
-<v>10</v>
+<v>24</v>
 </b>
 </bs>
 </hist>
@@ -14772,15 +15077,15 @@
 </relation>
 <relation>
 <name>preprocessor_directive_active</name>
-<cardinality>229688</cardinality>
+<cardinality>446370</cardinality>
 <columnsizes>
 <e>
 <k>id</k>
-<v>229688</v>
+<v>446370</v>
 </e>
 <e>
 <k>active</k>
-<v>2</v>
+<v>9</v>
 </e>
 </columnsizes>
 <dependencies>
@@ -14794,7 +15099,7 @@
 <b>
 <a>1</a>
 <b>2</b>
-<v>229688</v>
+<v>446370</v>
 </b>
 </bs>
 </hist>
@@ -14808,9 +15113,14 @@
 <budget>12</budget>
 <bs>
 <b>
-<a>91625</a>
-<b>91626</b>
-<v>2</v>
+<a>7</a>
+<b>8</b>
+<v>4</v>
+</b>
+<b>
+<a>91639</a>
+<b>91640</b>
+<v>4</v>
 </b>
 </bs>
 </hist>
@@ -14820,19 +15130,19 @@
 </relation>
 <relation>
 <name>types</name>
-<cardinality>434504</cardinality>
+<cardinality>867165</cardinality>
 <columnsizes>
 <e>
 <k>id</k>
-<v>434504</v>
+<v>867165</v>
 </e>
 <e>
 <k>kind</k>
-<v>67</v>
+<v>131</v>
 </e>
 <e>
 <k>name</k>
-<v>184347</v>
+<v>366858</v>
 </e>
 </columnsizes>
 <dependencies>
@@ -14846,7 +15156,7 @@
 <b>
 <a>1</a>
 <b>2</b>
-<v>434504</v>
+<v>867165</v>
 </b>
 </bs>
 </hist>
@@ -14862,7 +15172,7 @@
 <b>
 <a>1</a>
 <b>2</b>
-<v>434504</v>
+<v>867165</v>
 </b>
 </bs>
 </hist>
@@ -14878,32 +15188,32 @@
 <b>
 <a>1</a>
 <b>2</b>
-<v>42</v>
+<v>82</v>
 </b>
 <b>
 <a>45</a>
-<b>198</b>
-<v>5</v>
+<b>199</b>
+<v>9</v>
 </b>
 <b>
-<a>342</a>
-<b>1750</b>
-<v>5</v>
+<a>366</a>
+<b>1874</b>
+<v>9</v>
 </b>
 <b>
-<a>2450</a>
-<b>9903</b>
-<v>5</v>
+<a>2454</a>
+<b>10198</b>
+<v>9</v>
 </b>
 <b>
-<a>20838</a>
-<b>35370</b>
-<v>5</v>
+<a>22085</a>
+<b>36570</b>
+<v>9</v>
 </b>
 <b>
-<a>40817</a>
-<b>61603</b>
-<v>5</v>
+<a>41596</a>
+<b>62642</b>
+<v>9</v>
 </b>
 </bs>
 </hist>
@@ -14919,32 +15229,32 @@
 <b>
 <a>1</a>
 <b>2</b>
-<v>42</v>
+<v>82</v>
 </b>
 <b>
 <a>45</a>
-<b>154</b>
-<v>5</v>
+<b>158</b>
+<v>9</v>
 </b>
 <b>
-<a>168</a>
+<a>169</a>
 <b>701</b>
-<v>5</v>
+<v>9</v>
 </b>
 <b>
-<a>1043</a>
+<a>1086</a>
 <b>2228</b>
-<v>5</v>
+<v>9</v>
 </b>
 <b>
-<a>6467</a>
-<b>9921</b>
-<v>5</v>
+<a>6598</a>
+<b>10563</b>
+<v>9</v>
 </b>
 <b>
-<a>17642</a>
-<b>35459</b>
-<v>5</v>
+<a>18339</a>
+<b>35727</b>
+<v>9</v>
 </b>
 </bs>
 </hist>
@@ -14960,17 +15270,17 @@
 <b>
 <a>1</a>
 <b>2</b>
-<v>163114</v>
+<v>324610</v>
 </b>
 <b>
 <a>2</a>
 <b>5</b>
-<v>14629</v>
+<v>28838</v>
 </b>
 <b>
 <a>5</a>
-<b>6327</b>
-<v>6603</v>
+<b>6356</b>
+<v>13408</v>
 </b>
 </bs>
 </hist>
@@ -14986,12 +15296,12 @@
 <b>
 <a>1</a>
 <b>2</b>
-<v>183613</v>
+<v>365421</v>
 </b>
 <b>
 <a>2</a>
 <b>4</b>
-<v>734</v>
+<v>1436</v>
 </b>
 </bs>
 </hist>
@@ -15001,15 +15311,15 @@
 </relation>
 <relation>
 <name>typerefs</name>
-<cardinality>120781</cardinality>
+<cardinality>234791</cardinality>
 <columnsizes>
 <e>
 <k>id</k>
-<v>120781</v>
+<v>234791</v>
 </e>
 <e>
 <k>name</k>
-<v>91080</v>
+<v>176982</v>
 </e>
 </columnsizes>
 <dependencies>
@@ -15023,7 +15333,7 @@
 <b>
 <a>1</a>
 <b>2</b>
-<v>120781</v>
+<v>234791</v>
 </b>
 </bs>
 </hist>
@@ -15039,17 +15349,17 @@
 <b>
 <a>1</a>
 <b>2</b>
-<v>83592</v>
+<v>162434</v>
 </b>
 <b>
 <a>2</a>
 <b>7</b>
-<v>6938</v>
+<v>13481</v>
 </b>
 <b>
 <a>7</a>
 <b>2183</b>
-<v>548</v>
+<v>1066</v>
 </b>
 </bs>
 </hist>
@@ -15059,15 +15369,15 @@
 </relation>
 <relation>
 <name>typeref_type</name>
-<cardinality>120694</cardinality>
+<cardinality>234611</cardinality>
 <columnsizes>
 <e>
 <k>id</k>
-<v>120694</v>
+<v>234611</v>
 </e>
 <e>
 <k>typeId</k>
-<v>120694</v>
+<v>234611</v>
 </e>
 </columnsizes>
 <dependencies>
@@ -15081,7 +15391,7 @@
 <b>
 <a>1</a>
 <b>2</b>
-<v>120694</v>
+<v>234611</v>
 </b>
 </bs>
 </hist>
@@ -15097,7 +15407,7 @@
 <b>
 <a>1</a>
 <b>2</b>
-<v>120694</v>
+<v>234611</v>
 </b>
 </bs>
 </hist>
@@ -15107,23 +15417,23 @@
 </relation>
 <relation>
 <name>array_element_type</name>
-<cardinality>4384</cardinality>
+<cardinality>9122</cardinality>
 <columnsizes>
 <e>
 <k>array</k>
-<v>4384</v>
+<v>9122</v>
 </e>
 <e>
 <k>dimension</k>
-<v>5</v>
+<v>9</v>
 </e>
 <e>
 <k>rank</k>
-<v>5</v>
+<v>9</v>
 </e>
 <e>
 <k>element</k>
-<v>4379</v>
+<v>9112</v>
 </e>
 </columnsizes>
 <dependencies>
@@ -15137,7 +15447,7 @@
 <b>
 <a>1</a>
 <b>2</b>
-<v>4384</v>
+<v>9122</v>
 </b>
 </bs>
 </hist>
@@ -15153,7 +15463,7 @@
 <b>
 <a>1</a>
 <b>2</b>
-<v>4384</v>
+<v>9122</v>
 </b>
 </bs>
 </hist>
@@ -15169,7 +15479,7 @@
 <b>
 <a>1</a>
 <b>2</b>
-<v>4384</v>
+<v>9122</v>
 </b>
 </bs>
 </hist>
@@ -15185,12 +15495,12 @@
 <b>
 <a>20</a>
 <b>21</b>
-<v>2</v>
+<v>4</v>
 </b>
 <b>
-<a>1729</a>
-<b>1730</b>
-<v>2</v>
+<a>1853</a>
+<b>1854</b>
+<v>4</v>
 </b>
 </bs>
 </hist>
@@ -15206,12 +15516,12 @@
 <b>
 <a>1</a>
 <b>2</b>
-<v>2</v>
+<v>4</v>
 </b>
 <b>
 <a>2</a>
 <b>3</b>
-<v>2</v>
+<v>4</v>
 </b>
 </bs>
 </hist>
@@ -15227,12 +15537,12 @@
 <b>
 <a>20</a>
 <b>21</b>
-<v>2</v>
+<v>4</v>
 </b>
 <b>
-<a>1727</a>
-<b>1728</b>
-<v>2</v>
+<a>1851</a>
+<b>1852</b>
+<v>4</v>
 </b>
 </bs>
 </hist>
@@ -15248,12 +15558,12 @@
 <b>
 <a>2</a>
 <b>3</b>
-<v>2</v>
+<v>4</v>
 </b>
 <b>
-<a>1747</a>
-<b>1748</b>
-<v>2</v>
+<a>1871</a>
+<b>1872</b>
+<v>4</v>
 </b>
 </bs>
 </hist>
@@ -15269,12 +15579,12 @@
 <b>
 <a>1</a>
 <b>2</b>
-<v>2</v>
+<v>4</v>
 </b>
 <b>
 <a>2</a>
 <b>3</b>
-<v>2</v>
+<v>4</v>
 </b>
 </bs>
 </hist>
@@ -15290,12 +15600,12 @@
 <b>
 <a>2</a>
 <b>3</b>
-<v>2</v>
+<v>4</v>
 </b>
 <b>
-<a>1747</a>
-<b>1748</b>
-<v>2</v>
+<a>1871</a>
+<b>1872</b>
+<v>4</v>
 </b>
 </bs>
 </hist>
@@ -15311,12 +15621,12 @@
 <b>
 <a>1</a>
 <b>2</b>
-<v>4374</v>
+<v>9103</v>
 </b>
 <b>
 <a>2</a>
 <b>3</b>
-<v>5</v>
+<v>9</v>
 </b>
 </bs>
 </hist>
@@ -15332,7 +15642,7 @@
 <b>
 <a>1</a>
 <b>2</b>
-<v>4379</v>
+<v>9112</v>
 </b>
 </bs>
 </hist>
@@ -15348,12 +15658,12 @@
 <b>
 <a>1</a>
 <b>2</b>
-<v>4374</v>
+<v>9103</v>
 </b>
 <b>
 <a>2</a>
 <b>3</b>
-<v>5</v>
+<v>9</v>
 </b>
 </bs>
 </hist>
@@ -15363,15 +15673,15 @@
 </relation>
 <relation>
 <name>nullable_underlying_type</name>
-<cardinality>550</cardinality>
+<cardinality>979</cardinality>
 <columnsizes>
 <e>
 <k>nullable</k>
-<v>550</v>
+<v>979</v>
 </e>
 <e>
 <k>underlying</k>
-<v>550</v>
+<v>979</v>
 </e>
 </columnsizes>
 <dependencies>
@@ -15385,7 +15695,7 @@
 <b>
 <a>1</a>
 <b>2</b>
-<v>550</v>
+<v>979</v>
 </b>
 </bs>
 </hist>
@@ -15401,7 +15711,7 @@
 <b>
 <a>1</a>
 <b>2</b>
-<v>550</v>
+<v>979</v>
 </b>
 </bs>
 </hist>
@@ -15411,15 +15721,15 @@
 </relation>
 <relation>
 <name>pointer_referent_type</name>
-<cardinality>112</cardinality>
+<cardinality>219</cardinality>
 <columnsizes>
 <e>
 <k>pointer</k>
-<v>112</v>
+<v>219</v>
 </e>
 <e>
 <k>referent</k>
-<v>112</v>
+<v>219</v>
 </e>
 </columnsizes>
 <dependencies>
@@ -15433,7 +15743,7 @@
 <b>
 <a>1</a>
 <b>2</b>
-<v>112</v>
+<v>219</v>
 </b>
 </bs>
 </hist>
@@ -15449,7 +15759,7 @@
 <b>
 <a>1</a>
 <b>2</b>
-<v>112</v>
+<v>219</v>
 </b>
 </bs>
 </hist>
@@ -15459,15 +15769,15 @@
 </relation>
 <relation>
 <name>enum_underlying_type</name>
-<cardinality>6141</cardinality>
+<cardinality>11952</cardinality>
 <columnsizes>
 <e>
 <k>enum_id</k>
-<v>6141</v>
+<v>11952</v>
 </e>
 <e>
 <k>underlying_type_id</k>
-<v>20</v>
+<v>38</v>
 </e>
 </columnsizes>
 <dependencies>
@@ -15481,7 +15791,7 @@
 <b>
 <a>1</a>
 <b>2</b>
-<v>6141</v>
+<v>11952</v>
 </b>
 </bs>
 </hist>
@@ -15497,37 +15807,37 @@
 <b>
 <a>5</a>
 <b>6</b>
-<v>5</v>
+<v>9</v>
 </b>
 <b>
 <a>23</a>
 <b>24</b>
-<v>2</v>
+<v>4</v>
 </b>
 <b>
 <a>25</a>
 <b>26</b>
-<v>2</v>
+<v>4</v>
 </b>
 <b>
 <a>41</a>
 <b>42</b>
-<v>2</v>
+<v>4</v>
 </b>
 <b>
 <a>172</a>
 <b>173</b>
-<v>2</v>
+<v>4</v>
 </b>
 <b>
 <a>285</a>
 <b>286</b>
-<v>2</v>
+<v>4</v>
 </b>
 <b>
-<a>1894</a>
-<b>1895</b>
-<v>2</v>
+<a>1898</a>
+<b>1899</b>
+<v>4</v>
 </b>
 </bs>
 </hist>
@@ -15537,15 +15847,15 @@
 </relation>
 <relation>
 <name>delegate_return_type</name>
-<cardinality>52229</cardinality>
+<cardinality>107552</cardinality>
 <columnsizes>
 <e>
 <k>delegate_id</k>
-<v>52229</v>
+<v>107552</v>
 </e>
 <e>
 <k>return_type_id</k>
-<v>26697</v>
+<v>55510</v>
 </e>
 </columnsizes>
 <dependencies>
@@ -15559,7 +15869,7 @@
 <b>
 <a>1</a>
 <b>2</b>
-<v>52229</v>
+<v>107552</v>
 </b>
 </bs>
 </hist>
@@ -15575,12 +15885,12 @@
 <b>
 <a>1</a>
 <b>2</b>
-<v>25171</v>
+<v>52198</v>
 </b>
 <b>
 <a>2</a>
-<b>4000</b>
-<v>1526</v>
+<b>4178</b>
+<v>3312</v>
 </b>
 </bs>
 </hist>
@@ -15590,15 +15900,15 @@
 </relation>
 <relation>
 <name>function_pointer_return_type</name>
-<cardinality>9</cardinality>
+<cardinality>11</cardinality>
 <columnsizes>
 <e>
 <k>function_pointer_id</k>
-<v>9</v>
+<v>11</v>
 </e>
 <e>
 <k>return_type_id</k>
-<v>6</v>
+<v>3</v>
 </e>
 </columnsizes>
 <dependencies>
@@ -15612,7 +15922,7 @@
 <b>
 <a>1</a>
 <b>2</b>
-<v>9</v>
+<v>11</v>
 </b>
 </bs>
 </hist>
@@ -15626,9 +15936,14 @@
 <budget>12</budget>
 <bs>
 <b>
-<a>1</a>
-<b>2</b>
-<v>5</v>
+<a>2</a>
+<b>3</b>
+<v>1</v>
+</b>
+<b>
+<a>3</a>
+<b>4</b>
+<v>1</v>
 </b>
 <b>
 <a>4</a>
@@ -15643,15 +15958,15 @@
 </relation>
 <relation>
 <name>extend</name>
-<cardinality>160600</cardinality>
+<cardinality>323485</cardinality>
 <columnsizes>
 <e>
 <k>sub</k>
-<v>160600</v>
+<v>323485</v>
 </e>
 <e>
 <k>super</k>
-<v>16246</v>
+<v>31566</v>
 </e>
 </columnsizes>
 <dependencies>
@@ -15665,7 +15980,7 @@
 <b>
 <a>1</a>
 <b>2</b>
-<v>160600</v>
+<v>323485</v>
 </b>
 </bs>
 </hist>
@@ -15681,27 +15996,27 @@
 <b>
 <a>1</a>
 <b>2</b>
-<v>11646</v>
+<v>22628</v>
 </b>
 <b>
 <a>2</a>
 <b>3</b>
-<v>2050</v>
+<v>3979</v>
 </b>
 <b>
 <a>3</a>
 <b>5</b>
-<v>1240</v>
+<v>2415</v>
 </b>
 <b>
 <a>5</a>
 <b>70</b>
-<v>1223</v>
+<v>2376</v>
 </b>
 <b>
 <a>70</a>
-<b>20836</b>
-<v>85</v>
+<b>22083</b>
+<v>165</v>
 </b>
 </bs>
 </hist>
@@ -15711,26 +16026,26 @@
 </relation>
 <relation>
 <name>anonymous_types</name>
-<cardinality>571</cardinality>
+<cardinality>1212</cardinality>
 <columnsizes>
 <e>
 <k>id</k>
-<v>571</v>
+<v>1212</v>
 </e>
 </columnsizes>
 <dependencies/>
 </relation>
 <relation>
 <name>implement</name>
-<cardinality>266554</cardinality>
+<cardinality>541624</cardinality>
 <columnsizes>
 <e>
 <k>sub</k>
-<v>112586</v>
+<v>226351</v>
 </e>
 <e>
 <k>super</k>
-<v>60780</v>
+<v>122544</v>
 </e>
 </columnsizes>
 <dependencies>
@@ -15744,27 +16059,27 @@
 <b>
 <a>1</a>
 <b>2</b>
-<v>51182</v>
+<v>100772</v>
 </b>
 <b>
 <a>2</a>
 <b>3</b>
-<v>27933</v>
+<v>57044</v>
 </b>
 <b>
 <a>3</a>
 <b>4</b>
-<v>17643</v>
+<v>36110</v>
 </b>
 <b>
 <a>4</a>
 <b>7</b>
-<v>9373</v>
+<v>18970</v>
 </b>
 <b>
 <a>7</a>
 <b>21</b>
-<v>6455</v>
+<v>13452</v>
 </b>
 </bs>
 </hist>
@@ -15780,27 +16095,27 @@
 <b>
 <a>1</a>
 <b>2</b>
-<v>33561</v>
+<v>66951</v>
 </b>
 <b>
 <a>2</a>
 <b>3</b>
-<v>14692</v>
+<v>29783</v>
 </b>
 <b>
 <a>3</a>
 <b>4</b>
-<v>4983</v>
+<v>10247</v>
 </b>
 <b>
 <a>4</a>
 <b>6</b>
-<v>4168</v>
+<v>8694</v>
 </b>
 <b>
 <a>6</a>
-<b>20685</b>
-<v>3374</v>
+<b>21807</b>
+<v>6867</v>
 </b>
 </bs>
 </hist>
@@ -15810,15 +16125,15 @@
 </relation>
 <relation>
 <name>type_location</name>
-<cardinality>277271</cardinality>
+<cardinality>553689</cardinality>
 <columnsizes>
 <e>
 <k>id</k>
-<v>237743</v>
+<v>466963</v>
 </e>
 <e>
 <k>loc</k>
-<v>12499</v>
+<v>29876</v>
 </e>
 </columnsizes>
 <dependencies>
@@ -15832,17 +16147,17 @@
 <b>
 <a>1</a>
 <b>2</b>
-<v>209975</v>
+<v>407386</v>
 </b>
 <b>
 <a>2</a>
 <b>3</b>
-<v>19400</v>
+<v>39232</v>
 </b>
 <b>
 <a>3</a>
 <b>638</b>
-<v>8367</v>
+<v>20344</v>
 </b>
 </bs>
 </hist>
@@ -15858,22 +16173,17 @@
 <b>
 <a>1</a>
 <b>2</b>
-<v>10568</v>
+<v>26004</v>
 </b>
 <b>
 <a>2</a>
-<b>20</b>
-<v>962</v>
+<b>26</b>
+<v>2269</v>
 </b>
 <b>
-<a>20</a>
-<b>1759</b>
-<v>937</v>
-</b>
-<b>
-<a>1782</a>
+<a>26</a>
 <b>12195</b>
-<v>30</v>
+<v>1602</v>
 </b>
 </bs>
 </hist>
@@ -15883,15 +16193,15 @@
 </relation>
 <relation>
 <name>tuple_underlying_type</name>
-<cardinality>857</cardinality>
+<cardinality>1782</cardinality>
 <columnsizes>
 <e>
 <k>tuple</k>
-<v>857</v>
+<v>1782</v>
 </e>
 <e>
 <k>struct</k>
-<v>574</v>
+<v>1139</v>
 </e>
 </columnsizes>
 <dependencies>
@@ -15905,7 +16215,7 @@
 <b>
 <a>1</a>
 <b>2</b>
-<v>857</v>
+<v>1782</v>
 </b>
 </bs>
 </hist>
@@ -15921,17 +16231,17 @@
 <b>
 <a>1</a>
 <b>2</b>
-<v>333</v>
+<v>642</v>
 </b>
 <b>
 <a>2</a>
 <b>3</b>
-<v>213</v>
+<v>423</v>
 </b>
 <b>
 <a>3</a>
-<b>6</b>
-<v>27</v>
+<b>9</b>
+<v>73</v>
 </b>
 </bs>
 </hist>
@@ -15941,19 +16251,19 @@
 </relation>
 <relation>
 <name>tuple_element</name>
-<cardinality>3374</cardinality>
+<cardinality>6789</cardinality>
 <columnsizes>
 <e>
 <k>tuple</k>
-<v>854</v>
+<v>1777</v>
 </e>
 <e>
 <k>index</k>
-<v>52</v>
+<v>102</v>
 </e>
 <e>
 <k>field</k>
-<v>3374</v>
+<v>6789</v>
 </e>
 </columnsizes>
 <dependencies>
@@ -15967,37 +16277,37 @@
 <b>
 <a>1</a>
 <b>2</b>
-<v>22</v>
+<v>43</v>
 </b>
 <b>
 <a>2</a>
 <b>3</b>
-<v>523</v>
+<v>1134</v>
 </b>
 <b>
 <a>3</a>
 <b>4</b>
-<v>75</v>
+<v>146</v>
 </b>
 <b>
 <a>4</a>
 <b>5</b>
-<v>32</v>
+<v>63</v>
 </b>
 <b>
 <a>5</a>
 <b>7</b>
-<v>72</v>
+<v>141</v>
 </b>
 <b>
 <a>7</a>
 <b>13</b>
-<v>72</v>
+<v>141</v>
 </b>
 <b>
 <a>13</a>
 <b>22</b>
-<v>55</v>
+<v>107</v>
 </b>
 </bs>
 </hist>
@@ -16013,37 +16323,37 @@
 <b>
 <a>1</a>
 <b>2</b>
-<v>22</v>
+<v>43</v>
 </b>
 <b>
 <a>2</a>
 <b>3</b>
-<v>523</v>
+<v>1134</v>
 </b>
 <b>
 <a>3</a>
 <b>4</b>
-<v>75</v>
+<v>146</v>
 </b>
 <b>
 <a>4</a>
 <b>5</b>
-<v>32</v>
+<v>63</v>
 </b>
 <b>
 <a>5</a>
 <b>7</b>
-<v>72</v>
+<v>141</v>
 </b>
 <b>
 <a>7</a>
 <b>13</b>
-<v>72</v>
+<v>141</v>
 </b>
 <b>
 <a>13</a>
 <b>22</b>
-<v>55</v>
+<v>107</v>
 </b>
 </bs>
 </hist>
@@ -16059,107 +16369,107 @@
 <b>
 <a>2</a>
 <b>3</b>
-<v>2</v>
+<v>4</v>
 </b>
 <b>
 <a>4</a>
 <b>5</b>
-<v>2</v>
+<v>4</v>
 </b>
 <b>
 <a>6</a>
 <b>7</b>
-<v>2</v>
+<v>4</v>
 </b>
 <b>
 <a>8</a>
 <b>9</b>
-<v>2</v>
+<v>4</v>
 </b>
 <b>
 <a>10</a>
 <b>11</b>
-<v>2</v>
+<v>4</v>
 </b>
 <b>
 <a>12</a>
 <b>13</b>
-<v>2</v>
+<v>4</v>
 </b>
 <b>
 <a>14</a>
 <b>15</b>
-<v>2</v>
+<v>4</v>
 </b>
 <b>
 <a>18</a>
 <b>19</b>
-<v>2</v>
+<v>4</v>
 </b>
 <b>
 <a>22</a>
 <b>23</b>
-<v>2</v>
+<v>4</v>
 </b>
 <b>
 <a>26</a>
 <b>27</b>
-<v>2</v>
+<v>4</v>
 </b>
 <b>
 <a>30</a>
 <b>31</b>
-<v>2</v>
+<v>4</v>
 </b>
 <b>
 <a>34</a>
 <b>35</b>
-<v>2</v>
+<v>4</v>
 </b>
 <b>
 <a>38</a>
 <b>39</b>
-<v>2</v>
+<v>4</v>
 </b>
 <b>
 <a>43</a>
 <b>44</b>
-<v>2</v>
+<v>4</v>
 </b>
 <b>
 <a>51</a>
 <b>52</b>
-<v>2</v>
+<v>4</v>
 </b>
 <b>
 <a>59</a>
 <b>60</b>
-<v>2</v>
+<v>4</v>
 </b>
 <b>
 <a>80</a>
 <b>81</b>
-<v>2</v>
+<v>4</v>
 </b>
 <b>
 <a>93</a>
 <b>94</b>
-<v>2</v>
+<v>4</v>
 </b>
 <b>
 <a>123</a>
 <b>124</b>
-<v>2</v>
+<v>4</v>
 </b>
 <b>
-<a>332</a>
-<b>333</b>
-<v>2</v>
+<a>356</a>
+<b>357</b>
+<v>4</v>
 </b>
 <b>
-<a>341</a>
-<b>342</b>
-<v>2</v>
+<a>365</a>
+<b>366</b>
+<v>4</v>
 </b>
 </bs>
 </hist>
@@ -16175,107 +16485,107 @@
 <b>
 <a>2</a>
 <b>3</b>
-<v>2</v>
+<v>4</v>
 </b>
 <b>
 <a>4</a>
 <b>5</b>
-<v>2</v>
+<v>4</v>
 </b>
 <b>
 <a>6</a>
 <b>7</b>
-<v>2</v>
+<v>4</v>
 </b>
 <b>
 <a>8</a>
 <b>9</b>
-<v>2</v>
+<v>4</v>
 </b>
 <b>
 <a>10</a>
 <b>11</b>
-<v>2</v>
+<v>4</v>
 </b>
 <b>
 <a>12</a>
 <b>13</b>
-<v>2</v>
+<v>4</v>
 </b>
 <b>
 <a>14</a>
 <b>15</b>
-<v>2</v>
+<v>4</v>
 </b>
 <b>
 <a>18</a>
 <b>19</b>
-<v>2</v>
+<v>4</v>
 </b>
 <b>
 <a>22</a>
 <b>23</b>
-<v>2</v>
+<v>4</v>
 </b>
 <b>
 <a>26</a>
 <b>27</b>
-<v>2</v>
+<v>4</v>
 </b>
 <b>
 <a>30</a>
 <b>31</b>
-<v>2</v>
+<v>4</v>
 </b>
 <b>
 <a>34</a>
 <b>35</b>
-<v>2</v>
+<v>4</v>
 </b>
 <b>
 <a>38</a>
 <b>39</b>
-<v>2</v>
+<v>4</v>
 </b>
 <b>
 <a>43</a>
 <b>44</b>
-<v>2</v>
+<v>4</v>
 </b>
 <b>
 <a>51</a>
 <b>52</b>
-<v>2</v>
+<v>4</v>
 </b>
 <b>
 <a>59</a>
 <b>60</b>
-<v>2</v>
+<v>4</v>
 </b>
 <b>
 <a>80</a>
 <b>81</b>
-<v>2</v>
+<v>4</v>
 </b>
 <b>
 <a>93</a>
 <b>94</b>
-<v>2</v>
+<v>4</v>
 </b>
 <b>
 <a>123</a>
 <b>124</b>
-<v>2</v>
+<v>4</v>
 </b>
 <b>
-<a>332</a>
-<b>333</b>
-<v>2</v>
+<a>356</a>
+<b>357</b>
+<v>4</v>
 </b>
 <b>
-<a>341</a>
-<b>342</b>
-<v>2</v>
+<a>365</a>
+<b>366</b>
+<v>4</v>
 </b>
 </bs>
 </hist>
@@ -16291,7 +16601,7 @@
 <b>
 <a>1</a>
 <b>2</b>
-<v>3374</v>
+<v>6789</v>
 </b>
 </bs>
 </hist>
@@ -16307,7 +16617,7 @@
 <b>
 <a>1</a>
 <b>2</b>
-<v>3374</v>
+<v>6789</v>
 </b>
 </bs>
 </hist>
@@ -16317,19 +16627,19 @@
 </relation>
 <relation>
 <name>attributes</name>
-<cardinality>368399</cardinality>
+<cardinality>745454</cardinality>
 <columnsizes>
 <e>
 <k>id</k>
-<v>368399</v>
+<v>745454</v>
 </e>
 <e>
 <k>type_id</k>
-<v>867</v>
+<v>1685</v>
 </e>
 <e>
 <k>target</k>
-<v>219716</v>
+<v>427019</v>
 </e>
 </columnsizes>
 <dependencies>
@@ -16343,7 +16653,7 @@
 <b>
 <a>1</a>
 <b>2</b>
-<v>368399</v>
+<v>745454</v>
 </b>
 </bs>
 </hist>
@@ -16359,7 +16669,7 @@
 <b>
 <a>1</a>
 <b>2</b>
-<v>368399</v>
+<v>745454</v>
 </b>
 </bs>
 </hist>
@@ -16375,67 +16685,67 @@
 <b>
 <a>1</a>
 <b>2</b>
-<v>115</v>
+<v>189</v>
 </b>
 <b>
 <a>2</a>
 <b>3</b>
-<v>85</v>
+<v>194</v>
 </b>
 <b>
 <a>3</a>
 <b>4</b>
-<v>45</v>
+<v>87</v>
 </b>
 <b>
 <a>4</a>
 <b>7</b>
-<v>72</v>
+<v>141</v>
 </b>
 <b>
 <a>7</a>
-<b>9</b>
-<v>62</v>
+<b>10</b>
+<v>150</v>
 </b>
 <b>
-<a>9</a>
-<b>16</b>
-<v>67</v>
+<a>10</a>
+<b>18</b>
+<v>131</v>
 </b>
 <b>
-<a>16</a>
-<b>23</b>
-<v>65</v>
+<a>18</a>
+<b>28</b>
+<v>131</v>
 </b>
 <b>
-<a>23</a>
-<b>50</b>
-<v>65</v>
+<a>28</a>
+<b>54</b>
+<v>131</v>
 </b>
 <b>
-<a>50</a>
-<b>87</b>
-<v>65</v>
+<a>55</a>
+<b>119</b>
+<v>126</v>
 </b>
 <b>
-<a>90</a>
-<b>188</b>
-<v>65</v>
+<a>119</a>
+<b>232</b>
+<v>126</v>
 </b>
 <b>
-<a>194</a>
-<b>466</b>
-<v>65</v>
+<a>237</a>
+<b>608</b>
+<v>126</v>
 </b>
 <b>
-<a>498</a>
-<b>1735</b>
-<v>65</v>
+<a>616</a>
+<b>4825</b>
+<v>126</v>
 </b>
 <b>
-<a>1785</a>
+<a>5142</a>
 <b>41857</b>
-<v>27</v>
+<v>19</v>
 </b>
 </bs>
 </hist>
@@ -16451,62 +16761,62 @@
 <b>
 <a>1</a>
 <b>2</b>
-<v>165</v>
+<v>316</v>
 </b>
 <b>
 <a>2</a>
 <b>3</b>
-<v>67</v>
+<v>131</v>
 </b>
 <b>
 <a>3</a>
 <b>4</b>
-<v>40</v>
+<v>77</v>
 </b>
 <b>
 <a>4</a>
 <b>6</b>
-<v>72</v>
+<v>141</v>
 </b>
 <b>
 <a>6</a>
 <b>9</b>
-<v>72</v>
+<v>141</v>
 </b>
 <b>
 <a>9</a>
 <b>15</b>
-<v>65</v>
+<v>126</v>
 </b>
 <b>
 <a>15</a>
-<b>26</b>
-<v>67</v>
+<b>25</b>
+<v>126</v>
 </b>
 <b>
-<a>26</a>
-<b>48</b>
-<v>65</v>
+<a>25</a>
+<b>47</b>
+<v>131</v>
 </b>
 <b>
-<a>48</a>
-<b>82</b>
-<v>67</v>
+<a>47</a>
+<b>81</b>
+<v>126</v>
 </b>
 <b>
-<a>82</a>
-<b>182</b>
-<v>65</v>
+<a>81</a>
+<b>176</b>
+<v>126</v>
 </b>
 <b>
-<a>183</a>
-<b>607</b>
-<v>65</v>
+<a>180</a>
+<b>563</b>
+<v>126</v>
 </b>
 <b>
-<a>607</a>
+<a>596</a>
 <b>39377</b>
-<v>52</v>
+<v>112</v>
 </b>
 </bs>
 </hist>
@@ -16522,17 +16832,17 @@
 <b>
 <a>1</a>
 <b>2</b>
-<v>188082</v>
+<v>365075</v>
 </b>
 <b>
 <a>2</a>
 <b>3</b>
-<v>24348</v>
+<v>47478</v>
 </b>
 <b>
 <a>3</a>
 <b>957</b>
-<v>7284</v>
+<v>14465</v>
 </b>
 </bs>
 </hist>
@@ -16548,17 +16858,17 @@
 <b>
 <a>1</a>
 <b>2</b>
-<v>202865</v>
+<v>394279</v>
 </b>
 <b>
 <a>2</a>
 <b>16</b>
-<v>16660</v>
+<v>32369</v>
 </b>
 <b>
 <a>16</a>
 <b>20</b>
-<v>190</v>
+<v>370</v>
 </b>
 </bs>
 </hist>
@@ -16568,15 +16878,15 @@
 </relation>
 <relation>
 <name>attribute_location</name>
-<cardinality>403061</cardinality>
+<cardinality>813511</cardinality>
 <columnsizes>
 <e>
 <k>id</k>
-<v>368399</v>
+<v>745454</v>
 </e>
 <e>
 <k>loc</k>
-<v>36840</v>
+<v>72328</v>
 </e>
 </columnsizes>
 <dependencies>
@@ -16590,12 +16900,12 @@
 <b>
 <a>1</a>
 <b>2</b>
-<v>333737</v>
+<v>677397</v>
 </b>
 <b>
 <a>2</a>
 <b>3</b>
-<v>34662</v>
+<v>68056</v>
 </b>
 </bs>
 </hist>
@@ -16611,12 +16921,12 @@
 <b>
 <a>1</a>
 <b>2</b>
-<v>34677</v>
+<v>68125</v>
 </b>
 <b>
 <a>4</a>
-<b>22087</b>
-<v>2163</v>
+<b>26599</b>
+<v>4203</v>
 </b>
 </bs>
 </hist>
@@ -16626,19 +16936,19 @@
 </relation>
 <relation>
 <name>type_mention</name>
-<cardinality>622003</cardinality>
+<cardinality>1252212</cardinality>
 <columnsizes>
 <e>
 <k>id</k>
-<v>622003</v>
+<v>1252212</v>
 </e>
 <e>
 <k>type_id</k>
-<v>21696</v>
+<v>35186</v>
 </e>
 <e>
 <k>parent</k>
-<v>541633</v>
+<v>1030376</v>
 </e>
 </columnsizes>
 <dependencies>
@@ -16652,7 +16962,7 @@
 <b>
 <a>1</a>
 <b>2</b>
-<v>622003</v>
+<v>1252212</v>
 </b>
 </bs>
 </hist>
@@ -16668,7 +16978,7 @@
 <b>
 <a>1</a>
 <b>2</b>
-<v>622003</v>
+<v>1252212</v>
 </b>
 </bs>
 </hist>
@@ -16684,52 +16994,52 @@
 <b>
 <a>1</a>
 <b>2</b>
-<v>5029</v>
+<v>5682</v>
 </b>
 <b>
 <a>2</a>
 <b>3</b>
-<v>4912</v>
+<v>7203</v>
 </b>
 <b>
 <a>3</a>
 <b>4</b>
-<v>1876</v>
+<v>3551</v>
 </b>
 <b>
 <a>4</a>
 <b>5</b>
-<v>1650</v>
+<v>3839</v>
 </b>
 <b>
 <a>5</a>
 <b>6</b>
-<v>1080</v>
+<v>1995</v>
 </b>
 <b>
 <a>6</a>
 <b>8</b>
-<v>1622</v>
+<v>2856</v>
 </b>
 <b>
 <a>8</a>
 <b>12</b>
-<v>1671</v>
+<v>2927</v>
 </b>
 <b>
 <a>12</a>
-<b>24</b>
-<v>1673</v>
+<b>22</b>
+<v>2759</v>
 </b>
 <b>
-<a>24</a>
-<b>119</b>
-<v>1633</v>
+<a>22</a>
+<b>67</b>
+<v>2652</v>
 </b>
 <b>
-<a>119</a>
-<b>44145</b>
-<v>547</v>
+<a>67</a>
+<b>80294</b>
+<v>1717</v>
 </b>
 </bs>
 </hist>
@@ -16745,47 +17055,52 @@
 <b>
 <a>1</a>
 <b>2</b>
-<v>6457</v>
+<v>9874</v>
 </b>
 <b>
 <a>2</a>
 <b>3</b>
-<v>4662</v>
+<v>5858</v>
 </b>
 <b>
 <a>3</a>
 <b>4</b>
-<v>1635</v>
+<v>3388</v>
 </b>
 <b>
 <a>4</a>
 <b>5</b>
-<v>1239</v>
+<v>2829</v>
 </b>
 <b>
 <a>5</a>
-<b>7</b>
-<v>1984</v>
+<b>6</b>
+<v>1929</v>
 </b>
 <b>
-<a>7</a>
-<b>11</b>
-<v>1965</v>
+<a>6</a>
+<b>8</b>
+<v>2625</v>
 </b>
 <b>
-<a>11</a>
-<b>22</b>
-<v>1628</v>
+<a>8</a>
+<b>13</b>
+<v>2874</v>
 </b>
 <b>
-<a>22</a>
-<b>120</b>
-<v>1627</v>
+<a>13</a>
+<b>28</b>
+<v>2640</v>
 </b>
 <b>
-<a>120</a>
-<b>38647</b>
-<v>494</v>
+<a>28</a>
+<b>207</b>
+<v>2639</v>
+</b>
+<b>
+<a>207</a>
+<b>66416</b>
+<v>525</v>
 </b>
 </bs>
 </hist>
@@ -16801,17 +17116,17 @@
 <b>
 <a>1</a>
 <b>2</b>
-<v>480732</v>
+<v>872847</v>
 </b>
 <b>
 <a>2</a>
 <b>3</b>
-<v>55624</v>
+<v>141323</v>
 </b>
 <b>
 <a>3</a>
 <b>187</b>
-<v>5276</v>
+<v>16204</v>
 </b>
 </bs>
 </hist>
@@ -16827,12 +17142,12 @@
 <b>
 <a>1</a>
 <b>2</b>
-<v>532606</v>
+<v>1011056</v>
 </b>
 <b>
 <a>2</a>
 <b>22</b>
-<v>9026</v>
+<v>19319</v>
 </b>
 </bs>
 </hist>
@@ -16842,15 +17157,15 @@
 </relation>
 <relation>
 <name>type_mention_location</name>
-<cardinality>626999</cardinality>
+<cardinality>1252212</cardinality>
 <columnsizes>
 <e>
 <k>id</k>
-<v>626999</v>
+<v>1252212</v>
 </e>
 <e>
 <k>loc</k>
-<v>593108</v>
+<v>1163351</v>
 </e>
 </columnsizes>
 <dependencies>
@@ -16864,7 +17179,7 @@
 <b>
 <a>1</a>
 <b>2</b>
-<v>626999</v>
+<v>1252212</v>
 </b>
 </bs>
 </hist>
@@ -16880,12 +17195,12 @@
 <b>
 <a>1</a>
 <b>2</b>
-<v>572155</v>
+<v>1126926</v>
 </b>
 <b>
 <a>2</a>
-<b>187</b>
-<v>20953</v>
+<b>199</b>
+<v>36425</v>
 </b>
 </bs>
 </hist>
@@ -16895,15 +17210,15 @@
 </relation>
 <relation>
 <name>type_annotation</name>
-<cardinality>25557</cardinality>
+<cardinality>50926</cardinality>
 <columnsizes>
 <e>
 <k>id</k>
-<v>25557</v>
+<v>50926</v>
 </e>
 <e>
 <k>annotation</k>
-<v>7</v>
+<v>14</v>
 </e>
 </columnsizes>
 <dependencies>
@@ -16917,7 +17232,7 @@
 <b>
 <a>1</a>
 <b>2</b>
-<v>25557</v>
+<v>50926</v>
 </b>
 </bs>
 </hist>
@@ -16931,19 +17246,19 @@
 <budget>12</budget>
 <bs>
 <b>
-<a>1305</a>
-<b>1306</b>
-<v>2</v>
+<a>1306</a>
+<b>1307</b>
+<v>4</v>
 </b>
 <b>
-<a>2046</a>
-<b>2047</b>
-<v>2</v>
+<a>2047</a>
+<b>2048</b>
+<v>4</v>
 </b>
 <b>
-<a>6844</a>
-<b>6845</b>
-<v>2</v>
+<a>7103</a>
+<b>7104</b>
+<v>4</v>
 </b>
 </bs>
 </hist>
@@ -16953,15 +17268,15 @@
 </relation>
 <relation>
 <name>nullability</name>
-<cardinality>997</cardinality>
+<cardinality>1996</cardinality>
 <columnsizes>
 <e>
 <k>nullability</k>
-<v>997</v>
+<v>1996</v>
 </e>
 <e>
 <k>kind</k>
-<v>7</v>
+<v>14</v>
 </e>
 </columnsizes>
 <dependencies>
@@ -16975,7 +17290,7 @@
 <b>
 <a>1</a>
 <b>2</b>
-<v>997</v>
+<v>1996</v>
 </b>
 </bs>
 </hist>
@@ -16991,17 +17306,17 @@
 <b>
 <a>13</a>
 <b>14</b>
-<v>2</v>
+<v>4</v>
 </b>
 <b>
-<a>120</a>
-<b>121</b>
-<v>2</v>
+<a>127</a>
+<b>128</b>
+<v>4</v>
 </b>
 <b>
-<a>265</a>
-<b>266</b>
-<v>2</v>
+<a>270</a>
+<b>271</b>
+<v>4</v>
 </b>
 </bs>
 </hist>
@@ -17011,19 +17326,19 @@
 </relation>
 <relation>
 <name>nullability_parent</name>
-<cardinality>3146</cardinality>
+<cardinality>6278</cardinality>
 <columnsizes>
 <e>
 <k>nullability</k>
-<v>265</v>
+<v>521</v>
 </e>
 <e>
 <k>index</k>
-<v>52</v>
+<v>102</v>
 </e>
 <e>
 <k>parent</k>
-<v>990</v>
+<v>1982</v>
 </e>
 </columnsizes>
 <dependencies>
@@ -17037,22 +17352,22 @@
 <b>
 <a>1</a>
 <b>2</b>
-<v>172</v>
+<v>340</v>
 </b>
 <b>
 <a>2</a>
 <b>3</b>
-<v>60</v>
+<v>116</v>
 </b>
 <b>
 <a>3</a>
 <b>5</b>
-<v>17</v>
+<v>34</v>
 </b>
 <b>
 <a>5</a>
 <b>22</b>
-<v>15</v>
+<v>29</v>
 </b>
 </bs>
 </hist>
@@ -17068,37 +17383,37 @@
 <b>
 <a>1</a>
 <b>2</b>
-<v>125</v>
+<v>243</v>
 </b>
 <b>
 <a>2</a>
 <b>3</b>
-<v>47</v>
+<v>92</v>
 </b>
 <b>
 <a>3</a>
 <b>4</b>
-<v>30</v>
+<v>53</v>
 </b>
 <b>
 <a>4</a>
 <b>5</b>
-<v>15</v>
+<v>38</v>
 </b>
 <b>
 <a>5</a>
 <b>8</b>
-<v>22</v>
+<v>38</v>
 </b>
 <b>
 <a>8</a>
-<b>41</b>
-<v>20</v>
+<b>44</b>
+<v>43</v>
 </b>
 <b>
-<a>136</a>
-<b>201</b>
-<v>5</v>
+<a>138</a>
+<b>207</b>
+<v>9</v>
 </b>
 </bs>
 </hist>
@@ -17114,37 +17429,37 @@
 <b>
 <a>1</a>
 <b>2</b>
-<v>10</v>
+<v>19</v>
 </b>
 <b>
 <a>3</a>
 <b>4</b>
-<v>27</v>
+<v>53</v>
 </b>
 <b>
 <a>5</a>
 <b>6</b>
-<v>2</v>
+<v>4</v>
 </b>
 <b>
 <a>7</a>
 <b>8</b>
-<v>2</v>
+<v>4</v>
 </b>
 <b>
 <a>17</a>
 <b>18</b>
-<v>5</v>
+<v>9</v>
 </b>
 <b>
 <a>39</a>
 <b>40</b>
-<v>2</v>
+<v>4</v>
 </b>
 <b>
-<a>87</a>
-<b>88</b>
-<v>2</v>
+<a>88</a>
+<b>89</b>
+<v>4</v>
 </b>
 </bs>
 </hist>
@@ -17160,97 +17475,97 @@
 <b>
 <a>1</a>
 <b>2</b>
-<v>5</v>
+<v>9</v>
 </b>
 <b>
 <a>2</a>
 <b>3</b>
-<v>5</v>
+<v>9</v>
 </b>
 <b>
 <a>4</a>
 <b>5</b>
-<v>2</v>
+<v>4</v>
 </b>
 <b>
 <a>6</a>
 <b>7</b>
-<v>2</v>
+<v>4</v>
 </b>
 <b>
 <a>8</a>
 <b>9</b>
-<v>2</v>
+<v>4</v>
 </b>
 <b>
 <a>10</a>
 <b>11</b>
-<v>2</v>
+<v>4</v>
 </b>
 <b>
 <a>12</a>
 <b>13</b>
-<v>2</v>
+<v>4</v>
 </b>
 <b>
 <a>14</a>
 <b>15</b>
-<v>2</v>
+<v>4</v>
 </b>
 <b>
 <a>16</a>
 <b>17</b>
-<v>2</v>
+<v>4</v>
 </b>
 <b>
 <a>20</a>
 <b>21</b>
-<v>2</v>
+<v>4</v>
 </b>
 <b>
 <a>22</a>
 <b>23</b>
-<v>2</v>
+<v>4</v>
 </b>
 <b>
 <a>40</a>
 <b>41</b>
-<v>2</v>
+<v>4</v>
 </b>
 <b>
 <a>44</a>
 <b>45</b>
-<v>2</v>
+<v>4</v>
 </b>
 <b>
-<a>51</a>
-<b>52</b>
-<v>2</v>
+<a>52</a>
+<b>53</b>
+<v>4</v>
 </b>
 <b>
-<a>67</a>
-<b>68</b>
-<v>2</v>
+<a>69</a>
+<b>70</b>
+<v>4</v>
 </b>
 <b>
-<a>94</a>
-<b>95</b>
-<v>2</v>
+<a>97</a>
+<b>98</b>
+<v>4</v>
 </b>
 <b>
-<a>151</a>
-<b>152</b>
-<v>2</v>
+<a>157</a>
+<b>158</b>
+<v>4</v>
 </b>
 <b>
-<a>295</a>
-<b>296</b>
-<v>2</v>
+<a>305</a>
+<b>306</b>
+<v>4</v>
 </b>
 <b>
-<a>395</a>
-<b>396</b>
-<v>2</v>
+<a>407</a>
+<b>408</b>
+<v>4</v>
 </b>
 </bs>
 </hist>
@@ -17266,17 +17581,17 @@
 <b>
 <a>1</a>
 <b>2</b>
-<v>295</v>
+<v>594</v>
 </b>
 <b>
 <a>2</a>
 <b>3</b>
-<v>616</v>
+<v>1227</v>
 </b>
 <b>
 <a>3</a>
 <b>4</b>
-<v>77</v>
+<v>160</v>
 </b>
 </bs>
 </hist>
@@ -17292,37 +17607,37 @@
 <b>
 <a>1</a>
 <b>2</b>
-<v>250</v>
+<v>496</v>
 </b>
 <b>
 <a>2</a>
 <b>3</b>
-<v>360</v>
+<v>720</v>
 </b>
 <b>
 <a>3</a>
 <b>4</b>
-<v>142</v>
+<v>292</v>
 </b>
 <b>
 <a>4</a>
 <b>5</b>
-<v>67</v>
+<v>136</v>
 </b>
 <b>
 <a>5</a>
 <b>8</b>
-<v>67</v>
+<v>141</v>
 </b>
 <b>
 <a>8</a>
-<b>14</b>
-<v>75</v>
+<b>15</b>
+<v>155</v>
 </b>
 <b>
-<a>14</a>
+<a>15</a>
 <b>22</b>
-<v>25</v>
+<v>38</v>
 </b>
 </bs>
 </hist>
@@ -17332,15 +17647,15 @@
 </relation>
 <relation>
 <name>type_nullability</name>
-<cardinality>2271603</cardinality>
+<cardinality>4596996</cardinality>
 <columnsizes>
 <e>
 <k>id</k>
-<v>2238788</v>
+<v>4529942</v>
 </e>
 <e>
 <k>nullability</k>
-<v>601</v>
+<v>959</v>
 </e>
 </columnsizes>
 <dependencies>
@@ -17354,12 +17669,12 @@
 <b>
 <a>1</a>
 <b>2</b>
-<v>2209099</v>
+<v>4469255</v>
 </b>
 <b>
 <a>2</a>
 <b>9</b>
-<v>29689</v>
+<v>60687</v>
 </b>
 </bs>
 </hist>
@@ -17375,57 +17690,62 @@
 <b>
 <a>1</a>
 <b>2</b>
-<v>131</v>
+<v>163</v>
 </b>
 <b>
 <a>2</a>
 <b>3</b>
-<v>81</v>
+<v>146</v>
 </b>
 <b>
 <a>3</a>
 <b>4</b>
-<v>35</v>
+<v>60</v>
 </b>
 <b>
 <a>4</a>
 <b>5</b>
-<v>38</v>
+<v>67</v>
 </b>
 <b>
 <a>5</a>
 <b>7</b>
-<v>48</v>
+<v>81</v>
 </b>
 <b>
 <a>7</a>
 <b>10</b>
-<v>48</v>
+<v>66</v>
 </b>
 <b>
 <a>10</a>
-<b>13</b>
-<v>46</v>
+<b>14</b>
+<v>73</v>
 </b>
 <b>
-<a>13</a>
+<a>14</a>
 <b>23</b>
-<v>50</v>
+<v>77</v>
 </b>
 <b>
 <a>23</a>
-<b>61</b>
-<v>46</v>
+<b>41</b>
+<v>72</v>
 </b>
 <b>
-<a>63</a>
-<b>224</b>
-<v>46</v>
+<a>41</a>
+<b>123</b>
+<v>72</v>
 </b>
 <b>
-<a>278</a>
-<b>1814893</b>
-<v>32</v>
+<a>123</a>
+<b>4117</b>
+<v>72</v>
+</b>
+<b>
+<a>4580</a>
+<b>3677458</b>
+<v>10</v>
 </b>
 </bs>
 </hist>
@@ -17435,11 +17755,11 @@
 </relation>
 <relation>
 <name>expr_flowstate</name>
-<cardinality>1300115</cardinality>
+<cardinality>2970146</cardinality>
 <columnsizes>
 <e>
 <k>id</k>
-<v>1300115</v>
+<v>2970146</v>
 </e>
 <e>
 <k>state</k>
@@ -17457,7 +17777,7 @@
 <b>
 <a>1</a>
 <b>2</b>
-<v>1300115</v>
+<v>2970146</v>
 </b>
 </bs>
 </hist>
@@ -17471,13 +17791,13 @@
 <budget>12</budget>
 <bs>
 <b>
-<a>116006</a>
-<b>116007</b>
+<a>197316</a>
+<b>197317</b>
 <v>1</v>
 </b>
 <b>
-<a>1113915</a>
-<b>1113916</b>
+<a>2192983</a>
+<b>2192984</b>
 <v>1</v>
 </b>
 </bs>
@@ -17488,23 +17808,23 @@
 </relation>
 <relation>
 <name>type_parameters</name>
-<cardinality>102354</cardinality>
+<cardinality>202684</cardinality>
 <columnsizes>
 <e>
 <k>id</k>
-<v>102354</v>
+<v>202684</v>
 </e>
 <e>
 <k>index</k>
-<v>52</v>
+<v>102</v>
 </e>
 <e>
 <k>generic_id</k>
-<v>51560</v>
+<v>103704</v>
 </e>
 <e>
 <k>variance</k>
-<v>7</v>
+<v>14</v>
 </e>
 </columnsizes>
 <dependencies>
@@ -17518,7 +17838,7 @@
 <b>
 <a>1</a>
 <b>2</b>
-<v>102354</v>
+<v>202684</v>
 </b>
 </bs>
 </hist>
@@ -17534,7 +17854,7 @@
 <b>
 <a>1</a>
 <b>2</b>
-<v>102354</v>
+<v>202684</v>
 </b>
 </bs>
 </hist>
@@ -17550,7 +17870,7 @@
 <b>
 <a>1</a>
 <b>2</b>
-<v>102354</v>
+<v>202684</v>
 </b>
 </bs>
 </hist>
@@ -17566,107 +17886,107 @@
 <b>
 <a>5</a>
 <b>6</b>
-<v>2</v>
+<v>4</v>
 </b>
 <b>
 <a>8</a>
 <b>9</b>
-<v>2</v>
+<v>4</v>
 </b>
 <b>
 <a>12</a>
 <b>13</b>
-<v>2</v>
+<v>4</v>
 </b>
 <b>
 <a>15</a>
 <b>16</b>
-<v>2</v>
+<v>4</v>
 </b>
 <b>
 <a>48</a>
 <b>49</b>
-<v>2</v>
+<v>4</v>
 </b>
 <b>
 <a>170</a>
 <b>171</b>
-<v>2</v>
+<v>4</v>
 </b>
 <b>
 <a>298</a>
 <b>299</b>
-<v>2</v>
+<v>4</v>
 </b>
 <b>
 <a>429</a>
 <b>430</b>
-<v>2</v>
+<v>4</v>
 </b>
 <b>
 <a>560</a>
 <b>561</b>
-<v>2</v>
+<v>4</v>
 </b>
 <b>
 <a>691</a>
 <b>692</b>
-<v>2</v>
+<v>4</v>
 </b>
 <b>
 <a>822</a>
 <b>823</b>
-<v>2</v>
+<v>4</v>
 </b>
 <b>
 <a>954</a>
 <b>955</b>
-<v>2</v>
+<v>4</v>
 </b>
 <b>
 <a>1089</a>
 <b>1090</b>
-<v>2</v>
+<v>4</v>
 </b>
 <b>
 <a>1240</a>
 <b>1241</b>
-<v>2</v>
+<v>4</v>
 </b>
 <b>
 <a>1385</a>
 <b>1386</b>
-<v>2</v>
+<v>4</v>
 </b>
 <b>
 <a>1539</a>
 <b>1540</b>
-<v>2</v>
+<v>4</v>
 </b>
 <b>
-<a>1753</a>
-<b>1754</b>
-<v>2</v>
+<a>1757</a>
+<b>1758</b>
+<v>4</v>
 </b>
 <b>
-<a>2007</a>
-<b>2008</b>
-<v>2</v>
+<a>2015</a>
+<b>2016</b>
+<v>4</v>
 </b>
 <b>
-<a>2524</a>
-<b>2525</b>
-<v>2</v>
+<a>2536</a>
+<b>2537</b>
+<v>4</v>
 </b>
 <b>
-<a>4710</a>
-<b>4711</b>
-<v>2</v>
+<a>4744</a>
+<b>4745</b>
+<v>4</v>
 </b>
 <b>
-<a>20558</a>
-<b>20559</b>
-<v>2</v>
+<a>21279</a>
+<b>21280</b>
+<v>4</v>
 </b>
 </bs>
 </hist>
@@ -17682,107 +18002,107 @@
 <b>
 <a>5</a>
 <b>6</b>
-<v>2</v>
+<v>4</v>
 </b>
 <b>
 <a>8</a>
 <b>9</b>
-<v>2</v>
+<v>4</v>
 </b>
 <b>
 <a>12</a>
 <b>13</b>
-<v>2</v>
+<v>4</v>
 </b>
 <b>
 <a>15</a>
 <b>16</b>
-<v>2</v>
+<v>4</v>
 </b>
 <b>
 <a>48</a>
 <b>49</b>
-<v>2</v>
+<v>4</v>
 </b>
 <b>
 <a>170</a>
 <b>171</b>
-<v>2</v>
+<v>4</v>
 </b>
 <b>
 <a>298</a>
 <b>299</b>
-<v>2</v>
+<v>4</v>
 </b>
 <b>
 <a>429</a>
 <b>430</b>
-<v>2</v>
+<v>4</v>
 </b>
 <b>
 <a>560</a>
 <b>561</b>
-<v>2</v>
+<v>4</v>
 </b>
 <b>
 <a>691</a>
 <b>692</b>
-<v>2</v>
+<v>4</v>
 </b>
 <b>
 <a>822</a>
 <b>823</b>
-<v>2</v>
+<v>4</v>
 </b>
 <b>
 <a>954</a>
 <b>955</b>
-<v>2</v>
+<v>4</v>
 </b>
 <b>
 <a>1089</a>
 <b>1090</b>
-<v>2</v>
+<v>4</v>
 </b>
 <b>
 <a>1240</a>
 <b>1241</b>
-<v>2</v>
+<v>4</v>
 </b>
 <b>
 <a>1385</a>
 <b>1386</b>
-<v>2</v>
+<v>4</v>
 </b>
 <b>
 <a>1539</a>
 <b>1540</b>
-<v>2</v>
+<v>4</v>
 </b>
 <b>
-<a>1753</a>
-<b>1754</b>
-<v>2</v>
+<a>1757</a>
+<b>1758</b>
+<v>4</v>
 </b>
 <b>
-<a>2007</a>
-<b>2008</b>
-<v>2</v>
+<a>2015</a>
+<b>2016</b>
+<v>4</v>
 </b>
 <b>
-<a>2524</a>
-<b>2525</b>
-<v>2</v>
+<a>2536</a>
+<b>2537</b>
+<v>4</v>
 </b>
 <b>
-<a>4712</a>
-<b>4713</b>
-<v>2</v>
+<a>4748</a>
+<b>4749</b>
+<v>4</v>
 </b>
 <b>
-<a>20568</a>
-<b>20569</b>
-<v>2</v>
+<a>21292</a>
+<b>21293</b>
+<v>4</v>
 </b>
 </bs>
 </hist>
@@ -17798,17 +18118,17 @@
 <b>
 <a>1</a>
 <b>2</b>
-<v>10</v>
+<v>19</v>
 </b>
 <b>
 <a>2</a>
 <b>3</b>
-<v>2</v>
+<v>4</v>
 </b>
 <b>
 <a>3</a>
 <b>4</b>
-<v>40</v>
+<v>77</v>
 </b>
 </bs>
 </hist>
@@ -17824,22 +18144,22 @@
 <b>
 <a>1</a>
 <b>2</b>
-<v>39748</v>
+<v>80579</v>
 </b>
 <b>
 <a>2</a>
 <b>3</b>
-<v>5484</v>
+<v>10773</v>
 </b>
 <b>
 <a>3</a>
-<b>10</b>
-<v>3935</v>
+<b>11</b>
+<v>8348</v>
 </b>
 <b>
-<a>10</a>
+<a>11</a>
 <b>22</b>
-<v>2391</v>
+<v>4003</v>
 </b>
 </bs>
 </hist>
@@ -17855,22 +18175,22 @@
 <b>
 <a>1</a>
 <b>2</b>
-<v>39748</v>
+<v>80579</v>
 </b>
 <b>
 <a>2</a>
 <b>3</b>
-<v>5484</v>
+<v>10773</v>
 </b>
 <b>
 <a>3</a>
-<b>10</b>
-<v>3935</v>
+<b>11</b>
+<v>8348</v>
 </b>
 <b>
-<a>10</a>
+<a>11</a>
 <b>22</b>
-<v>2391</v>
+<v>4003</v>
 </b>
 </bs>
 </hist>
@@ -17886,12 +18206,12 @@
 <b>
 <a>1</a>
 <b>2</b>
-<v>51482</v>
+<v>103553</v>
 </b>
 <b>
 <a>2</a>
 <b>3</b>
-<v>77</v>
+<v>150</v>
 </b>
 </bs>
 </hist>
@@ -17907,17 +18227,17 @@
 <b>
 <a>68</a>
 <b>69</b>
-<v>2</v>
+<v>4</v>
 </b>
 <b>
 <a>310</a>
 <b>311</b>
-<v>2</v>
+<v>4</v>
 </b>
 <b>
-<a>40440</a>
-<b>40441</b>
-<v>2</v>
+<a>41219</a>
+<b>41220</b>
+<v>4</v>
 </b>
 </bs>
 </hist>
@@ -17933,17 +18253,17 @@
 <b>
 <a>16</a>
 <b>17</b>
-<v>2</v>
+<v>4</v>
 </b>
 <b>
 <a>17</a>
 <b>18</b>
-<v>2</v>
+<v>4</v>
 </b>
 <b>
 <a>21</a>
 <b>22</b>
-<v>2</v>
+<v>4</v>
 </b>
 </bs>
 </hist>
@@ -17959,17 +18279,17 @@
 <b>
 <a>65</a>
 <b>66</b>
-<v>2</v>
+<v>4</v>
 </b>
 <b>
 <a>72</a>
 <b>73</b>
-<v>2</v>
+<v>4</v>
 </b>
 <b>
-<a>20462</a>
-<b>20463</b>
-<v>2</v>
+<a>21186</a>
+<b>21187</b>
+<v>4</v>
 </b>
 </bs>
 </hist>
@@ -17979,19 +18299,19 @@
 </relation>
 <relation>
 <name>type_arguments</name>
-<cardinality>315219</cardinality>
+<cardinality>643766</cardinality>
 <columnsizes>
 <e>
 <k>id</k>
-<v>136875</v>
+<v>273250</v>
 </e>
 <e>
 <k>index</k>
-<v>52</v>
+<v>102</v>
 </e>
 <e>
 <k>constructed_id</k>
-<v>201248</v>
+<v>412875</v>
 </e>
 </columnsizes>
 <dependencies>
@@ -18005,17 +18325,17 @@
 <b>
 <a>1</a>
 <b>2</b>
-<v>119004</v>
+<v>234660</v>
 </b>
 <b>
 <a>2</a>
 <b>3</b>
-<v>17166</v>
+<v>37113</v>
 </b>
 <b>
 <a>3</a>
 <b>21</b>
-<v>704</v>
+<v>1475</v>
 </b>
 </bs>
 </hist>
@@ -18031,27 +18351,27 @@
 <b>
 <a>1</a>
 <b>2</b>
-<v>88393</v>
+<v>173928</v>
 </b>
 <b>
 <a>2</a>
 <b>3</b>
-<v>27419</v>
+<v>56469</v>
 </b>
 <b>
 <a>3</a>
 <b>5</b>
-<v>10305</v>
+<v>20568</v>
 </b>
 <b>
 <a>5</a>
-<b>25</b>
-<v>10278</v>
+<b>23</b>
+<v>20651</v>
 </b>
 <b>
-<a>25</a>
-<b>2394</b>
-<v>478</v>
+<a>23</a>
+<b>2800</b>
+<v>1631</v>
 </b>
 </bs>
 </hist>
@@ -18067,97 +18387,97 @@
 <b>
 <a>2</a>
 <b>3</b>
-<v>7</v>
+<v>14</v>
 </b>
 <b>
 <a>3</a>
 <b>4</b>
-<v>2</v>
+<v>4</v>
 </b>
 <b>
 <a>55</a>
 <b>56</b>
-<v>2</v>
+<v>4</v>
 </b>
 <b>
 <a>167</a>
 <b>168</b>
-<v>2</v>
+<v>4</v>
 </b>
 <b>
 <a>283</a>
 <b>284</b>
-<v>2</v>
+<v>4</v>
 </b>
 <b>
 <a>402</a>
 <b>403</b>
-<v>2</v>
+<v>4</v>
 </b>
 <b>
 <a>521</a>
 <b>522</b>
-<v>2</v>
+<v>4</v>
 </b>
 <b>
 <a>640</a>
 <b>641</b>
-<v>2</v>
+<v>4</v>
 </b>
 <b>
 <a>759</a>
 <b>760</b>
-<v>2</v>
+<v>4</v>
 </b>
 <b>
 <a>883</a>
 <b>884</b>
-<v>2</v>
+<v>4</v>
 </b>
 <b>
 <a>1002</a>
 <b>1003</b>
-<v>2</v>
+<v>4</v>
 </b>
 <b>
 <a>1232</a>
 <b>1233</b>
-<v>2</v>
+<v>4</v>
 </b>
 <b>
 <a>1327</a>
 <b>1328</b>
-<v>2</v>
+<v>4</v>
 </b>
 <b>
-<a>1510</a>
-<b>1511</b>
-<v>2</v>
+<a>1515</a>
+<b>1516</b>
+<v>4</v>
 </b>
 <b>
-<a>1717</a>
-<b>1718</b>
-<v>2</v>
+<a>1729</a>
+<b>1730</b>
+<v>4</v>
 </b>
 <b>
-<a>1979</a>
-<b>1980</b>
-<v>2</v>
+<a>2010</a>
+<b>2011</b>
+<v>4</v>
 </b>
 <b>
-<a>3839</a>
-<b>3840</b>
-<v>2</v>
+<a>4190</a>
+<b>4191</b>
+<v>4</v>
 </b>
 <b>
-<a>13565</a>
-<b>13566</b>
-<v>2</v>
+<a>14311</a>
+<b>14312</b>
+<v>4</v>
 </b>
 <b>
-<a>32507</a>
-<b>32508</b>
-<v>2</v>
+<a>33697</a>
+<b>33698</b>
+<v>4</v>
 </b>
 </bs>
 </hist>
@@ -18173,97 +18493,97 @@
 <b>
 <a>2</a>
 <b>3</b>
-<v>5</v>
+<v>9</v>
 </b>
 <b>
 <a>3</a>
 <b>4</b>
-<v>5</v>
+<v>9</v>
 </b>
 <b>
 <a>96</a>
 <b>97</b>
-<v>2</v>
+<v>4</v>
 </b>
 <b>
 <a>227</a>
 <b>228</b>
-<v>2</v>
+<v>4</v>
 </b>
 <b>
 <a>365</a>
 <b>366</b>
-<v>2</v>
+<v>4</v>
 </b>
 <b>
 <a>503</a>
 <b>504</b>
-<v>2</v>
+<v>4</v>
 </b>
 <b>
 <a>641</a>
 <b>642</b>
-<v>2</v>
+<v>4</v>
 </b>
 <b>
 <a>779</a>
 <b>780</b>
-<v>2</v>
+<v>4</v>
 </b>
 <b>
 <a>917</a>
 <b>918</b>
-<v>2</v>
+<v>4</v>
 </b>
 <b>
 <a>1061</a>
 <b>1062</b>
-<v>2</v>
+<v>4</v>
 </b>
 <b>
 <a>1201</a>
 <b>1202</b>
-<v>2</v>
+<v>4</v>
 </b>
 <b>
 <a>1456</a>
 <b>1457</b>
-<v>2</v>
+<v>4</v>
 </b>
 <b>
-<a>1641</a>
-<b>1642</b>
-<v>2</v>
+<a>1643</a>
+<b>1644</b>
+<v>4</v>
 </b>
 <b>
-<a>1859</a>
-<b>1860</b>
-<v>2</v>
+<a>1866</a>
+<b>1867</b>
+<v>4</v>
 </b>
 <b>
-<a>2240</a>
-<b>2241</b>
-<v>2</v>
+<a>2254</a>
+<b>2255</b>
+<v>4</v>
 </b>
 <b>
-<a>2987</a>
-<b>2988</b>
-<v>2</v>
+<a>3022</a>
+<b>3023</b>
+<v>4</v>
 </b>
 <b>
-<a>5285</a>
-<b>5286</b>
-<v>2</v>
+<a>5701</a>
+<b>5702</b>
+<v>4</v>
 </b>
 <b>
-<a>24196</a>
-<b>24197</b>
-<v>2</v>
+<a>25663</a>
+<b>25664</b>
+<v>4</v>
 </b>
 <b>
-<a>80280</a>
-<b>80281</b>
-<v>2</v>
+<a>84769</a>
+<b>84770</b>
+<v>4</v>
 </b>
 </bs>
 </hist>
@@ -18279,17 +18599,17 @@
 <b>
 <a>1</a>
 <b>2</b>
-<v>141661</v>
+<v>290043</v>
 </b>
 <b>
 <a>2</a>
 <b>3</b>
-<v>46887</v>
+<v>96228</v>
 </b>
 <b>
 <a>3</a>
 <b>22</b>
-<v>12699</v>
+<v>26603</v>
 </b>
 </bs>
 </hist>
@@ -18305,17 +18625,17 @@
 <b>
 <a>1</a>
 <b>2</b>
-<v>140593</v>
+<v>287881</v>
 </b>
 <b>
 <a>2</a>
 <b>3</b>
-<v>47406</v>
+<v>97226</v>
 </b>
 <b>
 <a>3</a>
 <b>22</b>
-<v>13248</v>
+<v>27767</v>
 </b>
 </bs>
 </hist>
@@ -18325,15 +18645,15 @@
 </relation>
 <relation>
 <name>constructed_generic</name>
-<cardinality>201248</cardinality>
+<cardinality>412875</cardinality>
 <columnsizes>
 <e>
 <k>constructed</k>
-<v>201248</v>
+<v>412875</v>
 </e>
 <e>
 <k>generic</k>
-<v>4256</v>
+<v>8577</v>
 </e>
 </columnsizes>
 <dependencies>
@@ -18347,7 +18667,7 @@
 <b>
 <a>1</a>
 <b>2</b>
-<v>201248</v>
+<v>412875</v>
 </b>
 </bs>
 </hist>
@@ -18363,47 +18683,47 @@
 <b>
 <a>1</a>
 <b>2</b>
-<v>1737</v>
+<v>3443</v>
 </b>
 <b>
 <a>2</a>
 <b>3</b>
-<v>551</v>
+<v>1154</v>
 </b>
 <b>
 <a>3</a>
 <b>4</b>
-<v>293</v>
+<v>618</v>
 </b>
 <b>
 <a>4</a>
 <b>6</b>
-<v>330</v>
+<v>652</v>
 </b>
 <b>
 <a>6</a>
 <b>11</b>
-<v>350</v>
+<v>725</v>
 </b>
 <b>
 <a>11</a>
-<b>25</b>
-<v>328</v>
+<b>26</b>
+<v>647</v>
 </b>
 <b>
-<a>25</a>
-<b>61</b>
-<v>320</v>
+<a>26</a>
+<b>63</b>
+<v>657</v>
 </b>
 <b>
-<a>61</a>
-<b>2054</b>
-<v>320</v>
+<a>63</a>
+<b>2866</b>
+<v>647</v>
 </b>
 <b>
-<a>2323</a>
-<b>10856</b>
-<v>22</v>
+<a>2964</a>
+<b>11327</b>
+<v>29</v>
 </b>
 </bs>
 </hist>
@@ -18413,15 +18733,15 @@
 </relation>
 <relation>
 <name>type_parameter_constraints</name>
-<cardinality>273733</cardinality>
+<cardinality>594129</cardinality>
 <columnsizes>
 <e>
 <k>id</k>
-<v>273733</v>
+<v>594129</v>
 </e>
 <e>
 <k>param_id</k>
-<v>102321</v>
+<v>202597</v>
 </e>
 </columnsizes>
 <dependencies>
@@ -18435,7 +18755,7 @@
 <b>
 <a>1</a>
 <b>2</b>
-<v>273733</v>
+<v>594129</v>
 </b>
 </bs>
 </hist>
@@ -18451,17 +18771,22 @@
 <b>
 <a>1</a>
 <b>2</b>
-<v>86049</v>
+<v>167246</v>
 </b>
 <b>
 <a>2</a>
 <b>3</b>
-<v>9393</v>
+<v>19984</v>
 </b>
 <b>
 <a>3</a>
-<b>1740</b>
-<v>6878</v>
+<b>307</b>
+<v>15196</v>
+</b>
+<b>
+<a>311</a>
+<b>2109</b>
+<v>170</v>
 </b>
 </bs>
 </hist>
@@ -18507,11 +18832,11 @@
 </relation>
 <relation>
 <name>general_type_parameter_constraints</name>
-<cardinality>40912</cardinality>
+<cardinality>106692</cardinality>
 <columnsizes>
 <e>
 <k>id</k>
-<v>23697</v>
+<v>60453</v>
 </e>
 <e>
 <k>kind</k>
@@ -18529,12 +18854,12 @@
 <b>
 <a>1</a>
 <b>2</b>
-<v>6482</v>
+<v>14214</v>
 </b>
 <b>
 <a>2</a>
 <b>3</b>
-<v>17215</v>
+<v>46239</v>
 </b>
 </bs>
 </hist>
@@ -18553,23 +18878,23 @@
 <v>1</v>
 </b>
 <b>
-<a>172</a>
-<b>173</b>
+<a>279</a>
+<b>280</b>
 <v>1</v>
 </b>
 <b>
-<a>2708</a>
-<b>2709</b>
+<a>5837</a>
+<b>5838</b>
 <v>1</v>
 </b>
 <b>
-<a>17170</a>
-<b>17171</b>
+<a>46182</a>
+<b>46183</b>
 <v>1</v>
 </b>
 <b>
-<a>20858</a>
-<b>20859</b>
+<a>54390</a>
+<b>54391</b>
 <v>1</v>
 </b>
 </bs>
@@ -18580,15 +18905,15 @@
 </relation>
 <relation>
 <name>specific_type_parameter_constraints</name>
-<cardinality>20140</cardinality>
+<cardinality>46370</cardinality>
 <columnsizes>
 <e>
 <k>id</k>
-<v>19736</v>
+<v>45666</v>
 </e>
 <e>
 <k>base_id</k>
-<v>787</v>
+<v>1286</v>
 </e>
 </columnsizes>
 <dependencies>
@@ -18602,12 +18927,12 @@
 <b>
 <a>1</a>
 <b>2</b>
-<v>19370</v>
+<v>45008</v>
 </b>
 <b>
 <a>2</a>
 <b>5</b>
-<v>366</v>
+<v>658</v>
 </b>
 </bs>
 </hist>
@@ -18628,48 +18953,58 @@
 <b>
 <a>2</a>
 <b>3</b>
-<v>181</v>
+<v>260</v>
 </b>
 <b>
 <a>3</a>
 <b>4</b>
-<v>57</v>
+<v>70</v>
 </b>
 <b>
 <a>4</a>
 <b>5</b>
-<v>87</v>
+<v>92</v>
 </b>
 <b>
 <a>5</a>
+<b>6</b>
+<v>57</v>
+</b>
+<b>
+<a>6</a>
 <b>7</b>
-<v>70</v>
+<v>138</v>
 </b>
 <b>
 <a>7</a>
 <b>10</b>
-<v>53</v>
+<v>108</v>
 </b>
 <b>
 <a>10</a>
 <b>15</b>
-<v>63</v>
+<v>99</v>
 </b>
 <b>
 <a>15</a>
-<b>26</b>
+<b>21</b>
+<v>111</v>
+</b>
+<b>
+<a>21</a>
+<b>37</b>
+<v>97</v>
+</b>
+<b>
+<a>37</a>
+<b>106</b>
+<v>97</v>
+</b>
+<b>
+<a>108</a>
+<b>4902</b>
 <v>60</v>
 </b>
-<b>
-<a>26</a>
-<b>55</b>
-<v>61</v>
-</b>
-<b>
-<a>56</a>
-<b>3216</b>
-<v>58</v>
-</b>
 </bs>
 </hist>
 </val>
@@ -18678,19 +19013,19 @@
 </relation>
 <relation>
 <name>specific_type_parameter_nullability</name>
-<cardinality>13207</cardinality>
+<cardinality>31518</cardinality>
 <columnsizes>
 <e>
 <k>id</k>
-<v>13161</v>
+<v>31372</v>
 </e>
 <e>
 <k>base_id</k>
-<v>506</v>
+<v>912</v>
 </e>
 <e>
 <k>nullability</k>
-<v>11</v>
+<v>17</v>
 </e>
 </columnsizes>
 <dependencies>
@@ -18704,12 +19039,12 @@
 <b>
 <a>1</a>
 <b>2</b>
-<v>13115</v>
+<v>31226</v>
 </b>
 <b>
 <a>2</a>
 <b>3</b>
-<v>46</v>
+<v>146</v>
 </b>
 </bs>
 </hist>
@@ -18725,7 +19060,7 @@
 <b>
 <a>1</a>
 <b>2</b>
-<v>13161</v>
+<v>31372</v>
 </b>
 </bs>
 </hist>
@@ -18741,57 +19076,62 @@
 <b>
 <a>1</a>
 <b>2</b>
-<v>99</v>
+<v>97</v>
 </b>
 <b>
 <a>2</a>
 <b>3</b>
-<v>107</v>
+<v>154</v>
 </b>
 <b>
 <a>3</a>
 <b>4</b>
-<v>37</v>
+<v>45</v>
 </b>
 <b>
 <a>4</a>
 <b>5</b>
-<v>31</v>
+<v>42</v>
 </b>
 <b>
 <a>5</a>
 <b>6</b>
-<v>16</v>
+<v>51</v>
 </b>
 <b>
 <a>6</a>
 <b>7</b>
-<v>41</v>
+<v>102</v>
 </b>
 <b>
 <a>7</a>
-<b>10</b>
-<v>32</v>
+<b>9</b>
+<v>73</v>
 </b>
 <b>
-<a>10</a>
+<a>9</a>
 <b>13</b>
-<v>39</v>
+<v>84</v>
 </b>
 <b>
-<a>13</a>
-<b>26</b>
-<v>38</v>
+<a>14</a>
+<b>20</b>
+<v>65</v>
 </b>
 <b>
-<a>26</a>
-<b>82</b>
-<v>40</v>
+<a>20</a>
+<b>28</b>
+<v>69</v>
 </b>
 <b>
-<a>84</a>
-<b>2385</b>
-<v>26</v>
+<a>28</a>
+<b>76</b>
+<v>73</v>
+</b>
+<b>
+<a>77</a>
+<b>4327</b>
+<v>57</v>
 </b>
 </bs>
 </hist>
@@ -18807,12 +19147,12 @@
 <b>
 <a>1</a>
 <b>2</b>
-<v>497</v>
+<v>890</v>
 </b>
 <b>
 <a>2</a>
 <b>3</b>
-<v>9</v>
+<v>22</v>
 </b>
 </bs>
 </hist>
@@ -18833,17 +19173,37 @@
 <b>
 <a>4</a>
 <b>5</b>
-<v>2</v>
+<v>1</v>
 </b>
 <b>
 <a>6</a>
 <b>7</b>
-<v>1</v>
+<v>3</v>
 </b>
 <b>
 <a>8</a>
 <b>9</b>
-<v>2</v>
+<v>1</v>
+</b>
+<b>
+<a>10</a>
+<b>11</b>
+<v>1</v>
+</b>
+<b>
+<a>12</a>
+<b>13</b>
+<v>1</v>
+</b>
+<b>
+<a>16</a>
+<b>17</b>
+<v>1</v>
+</b>
+<b>
+<a>18</a>
+<b>19</b>
+<v>1</v>
 </b>
 <b>
 <a>24</a>
@@ -18851,18 +19211,28 @@
 <v>1</v>
 </b>
 <b>
-<a>41</a>
-<b>42</b>
+<a>64</a>
+<b>65</b>
 <v>1</v>
 </b>
 <b>
-<a>132</a>
-<b>133</b>
+<a>72</a>
+<b>73</b>
 <v>1</v>
 </b>
 <b>
-<a>12930</a>
-<b>12931</b>
+<a>117</a>
+<b>118</b>
+<v>1</v>
+</b>
+<b>
+<a>386</a>
+<b>387</b>
+<v>1</v>
+</b>
+<b>
+<a>30619</a>
+<b>30620</b>
 <v>1</v>
 </b>
 </bs>
@@ -18879,12 +19249,12 @@
 <b>
 <a>1</a>
 <b>2</b>
-<v>2</v>
+<v>6</v>
 </b>
 <b>
 <a>2</a>
 <b>3</b>
-<v>4</v>
+<v>3</v>
 </b>
 <b>
 <a>3</a>
@@ -18894,21 +19264,26 @@
 <b>
 <a>5</a>
 <b>6</b>
-<v>1</v>
-</b>
-<b>
-<a>6</a>
-<b>7</b>
-<v>1</v>
+<v>2</v>
 </b>
 <b>
 <a>9</a>
 <b>10</b>
+<v>2</v>
+</b>
+<b>
+<a>12</a>
+<b>13</b>
 <v>1</v>
 </b>
 <b>
-<a>482</a>
-<b>483</b>
+<a>43</a>
+<b>44</b>
+<v>1</v>
+</b>
+<b>
+<a>836</a>
+<b>837</b>
 <v>1</v>
 </b>
 </bs>
@@ -18919,15 +19294,15 @@
 </relation>
 <relation>
 <name>function_pointer_calling_conventions</name>
-<cardinality>9</cardinality>
+<cardinality>11</cardinality>
 <columnsizes>
 <e>
 <k>id</k>
-<v>9</v>
+<v>11</v>
 </e>
 <e>
 <k>kind</k>
-<v>2</v>
+<v>1</v>
 </e>
 </columnsizes>
 <dependencies>
@@ -18941,7 +19316,7 @@
 <b>
 <a>1</a>
 <b>2</b>
-<v>9</v>
+<v>11</v>
 </b>
 </bs>
 </hist>
@@ -18955,13 +19330,8 @@
 <budget>12</budget>
 <bs>
 <b>
-<a>1</a>
-<b>2</b>
-<v>1</v>
-</b>
-<b>
-<a>8</a>
-<b>9</b>
+<a>9</a>
+<b>10</b>
 <v>1</v>
 </b>
 </bs>
@@ -19052,15 +19422,15 @@
 </relation>
 <relation>
 <name>modifiers</name>
-<cardinality>42</cardinality>
+<cardinality>82</cardinality>
 <columnsizes>
 <e>
 <k>id</k>
-<v>42</v>
+<v>82</v>
 </e>
 <e>
 <k>name</k>
-<v>42</v>
+<v>82</v>
 </e>
 </columnsizes>
 <dependencies>
@@ -19074,7 +19444,7 @@
 <b>
 <a>1</a>
 <b>2</b>
-<v>42</v>
+<v>82</v>
 </b>
 </bs>
 </hist>
@@ -19090,7 +19460,7 @@
 <b>
 <a>1</a>
 <b>2</b>
-<v>42</v>
+<v>82</v>
 </b>
 </bs>
 </hist>
@@ -19100,15 +19470,15 @@
 </relation>
 <relation>
 <name>has_modifiers</name>
-<cardinality>2748133</cardinality>
+<cardinality>5504557</cardinality>
 <columnsizes>
 <e>
 <k>id</k>
-<v>1841097</v>
+<v>3697015</v>
 </e>
 <e>
 <k>mod_id</k>
-<v>40</v>
+<v>82</v>
 </e>
 </columnsizes>
 <dependencies>
@@ -19122,17 +19492,17 @@
 <b>
 <a>1</a>
 <b>2</b>
-<v>1002460</v>
+<v>2024955</v>
 </b>
 <b>
 <a>2</a>
 <b>3</b>
-<v>771185</v>
+<v>1538421</v>
 </b>
 <b>
 <a>3</a>
 <b>5</b>
-<v>67451</v>
+<v>133639</v>
 </b>
 </bs>
 </hist>
@@ -19146,84 +19516,89 @@
 <budget>12</budget>
 <bs>
 <b>
-<a>5</a>
-<b>6</b>
-<v>2</v>
+<a>1</a>
+<b>2</b>
+<v>4</v>
+</b>
+<b>
+<a>15</a>
+<b>16</b>
+<v>4</v>
 </b>
 <b>
 <a>28</a>
 <b>29</b>
-<v>2</v>
+<v>4</v>
 </b>
 <b>
-<a>149</a>
-<b>150</b>
-<v>2</v>
+<a>151</a>
+<b>152</b>
+<v>4</v>
 </b>
 <b>
 <a>360</a>
 <b>361</b>
-<v>2</v>
+<v>4</v>
 </b>
 <b>
-<a>5658</a>
-<b>5659</b>
-<v>2</v>
+<a>6163</a>
+<b>6164</b>
+<v>4</v>
 </b>
 <b>
-<a>16373</a>
-<b>16374</b>
-<v>2</v>
+<a>16387</a>
+<b>16388</b>
+<v>4</v>
 </b>
 <b>
-<a>22977</a>
-<b>22978</b>
-<v>2</v>
+<a>23884</a>
+<b>23885</b>
+<v>4</v>
 </b>
 <b>
-<a>29954</a>
-<b>29955</b>
-<v>2</v>
+<a>30035</a>
+<b>30036</b>
+<v>4</v>
 </b>
 <b>
-<a>30538</a>
-<b>30539</b>
-<v>2</v>
+<a>30651</a>
+<b>30652</b>
+<v>4</v>
 </b>
 <b>
-<a>37974</a>
-<b>37975</b>
-<v>2</v>
+<a>38027</a>
+<b>38028</b>
+<v>4</v>
 </b>
 <b>
-<a>60421</a>
-<b>60422</b>
-<v>2</v>
+<a>62139</a>
+<b>62140</b>
+<v>4</v>
 </b>
 <b>
-<a>63249</a>
-<b>63250</b>
-<v>2</v>
+<a>63916</a>
+<b>63917</b>
+<v>4</v>
 </b>
 <b>
-<a>68508</a>
-<b>68509</b>
-<v>2</v>
+<a>68706</a>
+<b>68707</b>
+<v>4</v>
 </b>
 <b>
-<a>78672</a>
-<b>78673</b>
-<v>2</v>
+<a>83872</a>
+<b>83873</b>
+<v>4</v>
 </b>
 <b>
-<a>89979</a>
-<b>89980</b>
-<v>2</v>
+<a>96025</a>
+<b>96026</b>
+<v>4</v>
 </b>
 <b>
-<a>591411</a>
-<b>591412</b>
-<v>2</v>
+<a>609801</a>
+<b>609802</b>
+<v>4</v>
 </b>
 </bs>
 </hist>
@@ -19233,26 +19608,26 @@
 </relation>
 <relation>
 <name>compiler_generated</name>
-<cardinality>64039</cardinality>
+<cardinality>136181</cardinality>
 <columnsizes>
 <e>
 <k>id</k>
-<v>64039</v>
+<v>136181</v>
 </e>
 </columnsizes>
 <dependencies/>
 </relation>
 <relation>
 <name>exprorstmt_name</name>
-<cardinality>1469</cardinality>
+<cardinality>3751</cardinality>
 <columnsizes>
 <e>
 <k>parent_id</k>
-<v>1469</v>
+<v>3751</v>
 </e>
 <e>
 <k>name</k>
-<v>118</v>
+<v>374</v>
 </e>
 </columnsizes>
 <dependencies>
@@ -19266,7 +19641,7 @@
 <b>
 <a>1</a>
 <b>2</b>
-<v>1469</v>
+<v>3751</v>
 </b>
 </bs>
 </hist>
@@ -19282,47 +19657,47 @@
 <b>
 <a>2</a>
 <b>3</b>
-<v>43</v>
+<v>110</v>
 </b>
 <b>
 <a>3</a>
 <b>4</b>
-<v>9</v>
+<v>55</v>
 </b>
 <b>
 <a>4</a>
 <b>5</b>
-<v>12</v>
+<v>50</v>
 </b>
 <b>
 <a>5</a>
-<b>7</b>
-<v>10</v>
+<b>6</b>
+<v>34</v>
 </b>
 <b>
-<a>7</a>
-<b>9</b>
-<v>9</v>
+<a>6</a>
+<b>8</b>
+<v>32</v>
 </b>
 <b>
-<a>10</a>
-<b>15</b>
-<v>9</v>
+<a>8</a>
+<b>12</b>
+<v>28</v>
 </b>
 <b>
-<a>16</a>
-<b>26</b>
-<v>7</v>
+<a>12</a>
+<b>23</b>
+<v>31</v>
 </b>
 <b>
-<a>26</a>
-<b>52</b>
-<v>10</v>
+<a>25</a>
+<b>214</b>
+<v>28</v>
 </b>
 <b>
-<a>54</a>
-<b>131</b>
-<v>5</v>
+<a>239</a>
+<b>240</b>
+<v>1</v>
 </b>
 </bs>
 </hist>
@@ -19332,19 +19707,19 @@
 </relation>
 <relation>
 <name>nested_types</name>
-<cardinality>57075</cardinality>
+<cardinality>111931</cardinality>
 <columnsizes>
 <e>
 <k>id</k>
-<v>57075</v>
+<v>111931</v>
 </e>
 <e>
 <k>declaring_type_id</k>
-<v>20621</v>
+<v>40596</v>
 </e>
 <e>
 <k>unbound_id</k>
-<v>41748</v>
+<v>81114</v>
 </e>
 </columnsizes>
 <dependencies>
@@ -19358,7 +19733,7 @@
 <b>
 <a>1</a>
 <b>2</b>
-<v>57075</v>
+<v>111931</v>
 </b>
 </bs>
 </hist>
@@ -19374,7 +19749,7 @@
 <b>
 <a>1</a>
 <b>2</b>
-<v>57075</v>
+<v>111931</v>
 </b>
 </bs>
 </hist>
@@ -19390,32 +19765,32 @@
 <b>
 <a>1</a>
 <b>2</b>
-<v>11922</v>
+<v>23486</v>
 </b>
 <b>
 <a>2</a>
 <b>3</b>
-<v>3253</v>
+<v>6336</v>
 </b>
 <b>
 <a>3</a>
 <b>4</b>
-<v>1566</v>
+<v>3229</v>
 </b>
 <b>
 <a>4</a>
 <b>7</b>
-<v>1732</v>
+<v>3355</v>
 </b>
 <b>
 <a>7</a>
 <b>12</b>
-<v>1581</v>
+<v>3092</v>
 </b>
 <b>
 <a>12</a>
 <b>262</b>
-<v>564</v>
+<v>1095</v>
 </b>
 </bs>
 </hist>
@@ -19431,32 +19806,32 @@
 <b>
 <a>1</a>
 <b>2</b>
-<v>11940</v>
+<v>23520</v>
 </b>
 <b>
 <a>2</a>
 <b>3</b>
-<v>3296</v>
+<v>6419</v>
 </b>
 <b>
 <a>3</a>
 <b>4</b>
-<v>1524</v>
+<v>3146</v>
 </b>
 <b>
 <a>4</a>
 <b>7</b>
-<v>1742</v>
+<v>3385</v>
 </b>
 <b>
 <a>7</a>
 <b>12</b>
-<v>1579</v>
+<v>3078</v>
 </b>
 <b>
 <a>12</a>
 <b>206</b>
-<v>538</v>
+<v>1047</v>
 </b>
 </bs>
 </hist>
@@ -19472,12 +19847,12 @@
 <b>
 <a>1</a>
 <b>2</b>
-<v>40237</v>
+<v>78100</v>
 </b>
 <b>
 <a>2</a>
 <b>415</b>
-<v>1511</v>
+<v>3014</v>
 </b>
 </bs>
 </hist>
@@ -19493,12 +19868,12 @@
 <b>
 <a>1</a>
 <b>2</b>
-<v>40613</v>
+<v>78840</v>
 </b>
 <b>
 <a>2</a>
 <b>415</b>
-<v>1135</v>
+<v>2274</v>
 </b>
 </bs>
 </hist>
@@ -19508,27 +19883,27 @@
 </relation>
 <relation>
 <name>properties</name>
-<cardinality>212542</cardinality>
+<cardinality>425592</cardinality>
 <columnsizes>
 <e>
 <k>id</k>
-<v>212542</v>
+<v>425592</v>
 </e>
 <e>
 <k>name</k>
-<v>43400</v>
+<v>84358</v>
 </e>
 <e>
 <k>declaring_type_id</k>
-<v>58256</v>
+<v>117951</v>
 </e>
 <e>
 <k>type_id</k>
-<v>26015</v>
+<v>53011</v>
 </e>
 <e>
 <k>unbound_id</k>
-<v>171648</v>
+<v>333840</v>
 </e>
 </columnsizes>
 <dependencies>
@@ -19542,7 +19917,7 @@
 <b>
 <a>1</a>
 <b>2</b>
-<v>212542</v>
+<v>425592</v>
 </b>
 </bs>
 </hist>
@@ -19558,7 +19933,7 @@
 <b>
 <a>1</a>
 <b>2</b>
-<v>212542</v>
+<v>425592</v>
 </b>
 </bs>
 </hist>
@@ -19574,7 +19949,7 @@
 <b>
 <a>1</a>
 <b>2</b>
-<v>212542</v>
+<v>425592</v>
 </b>
 </bs>
 </hist>
@@ -19590,7 +19965,7 @@
 <b>
 <a>1</a>
 <b>2</b>
-<v>212542</v>
+<v>425592</v>
 </b>
 </bs>
 </hist>
@@ -19606,32 +19981,32 @@
 <b>
 <a>1</a>
 <b>2</b>
-<v>26111</v>
+<v>50751</v>
 </b>
 <b>
 <a>2</a>
 <b>3</b>
-<v>7204</v>
+<v>13993</v>
 </b>
 <b>
 <a>3</a>
 <b>4</b>
-<v>2970</v>
+<v>5752</v>
 </b>
 <b>
 <a>4</a>
 <b>7</b>
-<v>3414</v>
+<v>6648</v>
 </b>
 <b>
 <a>7</a>
-<b>50</b>
-<v>3276</v>
+<b>49</b>
+<v>6336</v>
 </b>
 <b>
-<a>50</a>
-<b>2493</b>
-<v>423</v>
+<a>49</a>
+<b>2886</b>
+<v>876</v>
 </b>
 </bs>
 </hist>
@@ -19647,32 +20022,32 @@
 <b>
 <a>1</a>
 <b>2</b>
-<v>26111</v>
+<v>50751</v>
 </b>
 <b>
 <a>2</a>
 <b>3</b>
-<v>7239</v>
+<v>14061</v>
 </b>
 <b>
 <a>3</a>
 <b>4</b>
-<v>2963</v>
+<v>5737</v>
 </b>
 <b>
 <a>4</a>
 <b>7</b>
-<v>3431</v>
+<v>6682</v>
 </b>
 <b>
 <a>7</a>
-<b>52</b>
-<v>3256</v>
+<b>51</b>
+<v>6331</v>
 </b>
 <b>
-<a>52</a>
-<b>2224</b>
-<v>398</v>
+<a>51</a>
+<b>2578</b>
+<v>793</v>
 </b>
 </bs>
 </hist>
@@ -19688,17 +20063,17 @@
 <b>
 <a>1</a>
 <b>2</b>
-<v>37474</v>
+<v>72834</v>
 </b>
 <b>
 <a>2</a>
 <b>3</b>
-<v>3569</v>
+<v>6930</v>
 </b>
 <b>
 <a>3</a>
-<b>522</b>
-<v>2356</v>
+<b>773</b>
+<v>4592</v>
 </b>
 </bs>
 </hist>
@@ -19714,32 +20089,32 @@
 <b>
 <a>1</a>
 <b>2</b>
-<v>26331</v>
+<v>51180</v>
 </b>
 <b>
 <a>2</a>
 <b>3</b>
-<v>7340</v>
+<v>14256</v>
 </b>
 <b>
 <a>3</a>
 <b>4</b>
-<v>2963</v>
+<v>5737</v>
 </b>
 <b>
 <a>4</a>
 <b>7</b>
-<v>3304</v>
+<v>6443</v>
 </b>
 <b>
 <a>7</a>
-<b>70</b>
-<v>3256</v>
+<b>68</b>
+<v>6326</v>
 </b>
 <b>
-<a>70</a>
+<a>68</a>
 <b>2018</b>
-<v>205</v>
+<v>414</v>
 </b>
 </bs>
 </hist>
@@ -19755,42 +20130,42 @@
 <b>
 <a>1</a>
 <b>2</b>
-<v>19786</v>
+<v>40635</v>
 </b>
 <b>
 <a>2</a>
 <b>3</b>
-<v>14574</v>
+<v>30139</v>
 </b>
 <b>
 <a>3</a>
 <b>4</b>
-<v>5590</v>
+<v>10900</v>
 </b>
 <b>
 <a>4</a>
 <b>5</b>
-<v>4013</v>
+<v>7841</v>
 </b>
 <b>
 <a>5</a>
 <b>6</b>
-<v>3629</v>
+<v>7184</v>
 </b>
 <b>
 <a>6</a>
 <b>8</b>
-<v>4670</v>
+<v>9327</v>
 </b>
 <b>
 <a>8</a>
-<b>15</b>
-<v>4396</v>
+<b>16</b>
+<v>9565</v>
 </b>
 <b>
-<a>15</a>
+<a>16</a>
 <b>250</b>
-<v>1594</v>
+<v>2357</v>
 </b>
 </bs>
 </hist>
@@ -19806,42 +20181,42 @@
 <b>
 <a>1</a>
 <b>2</b>
-<v>22107</v>
+<v>45418</v>
 </b>
 <b>
 <a>2</a>
 <b>3</b>
-<v>12293</v>
+<v>25434</v>
 </b>
 <b>
 <a>3</a>
 <b>4</b>
-<v>5587</v>
+<v>10895</v>
 </b>
 <b>
 <a>4</a>
 <b>5</b>
-<v>4023</v>
+<v>7914</v>
 </b>
 <b>
 <a>5</a>
 <b>6</b>
-<v>3637</v>
+<v>7145</v>
 </b>
 <b>
 <a>6</a>
 <b>8</b>
-<v>4647</v>
+<v>9283</v>
 </b>
 <b>
 <a>8</a>
 <b>15</b>
-<v>4605</v>
+<v>9224</v>
 </b>
 <b>
 <a>15</a>
 <b>250</b>
-<v>1353</v>
+<v>2634</v>
 </b>
 </bs>
 </hist>
@@ -19857,32 +20232,32 @@
 <b>
 <a>1</a>
 <b>2</b>
-<v>22884</v>
+<v>46699</v>
 </b>
 <b>
 <a>2</a>
 <b>3</b>
-<v>15963</v>
+<v>32886</v>
 </b>
 <b>
 <a>3</a>
 <b>4</b>
-<v>6963</v>
+<v>13890</v>
 </b>
 <b>
 <a>4</a>
 <b>5</b>
-<v>3873</v>
+<v>7544</v>
 </b>
 <b>
 <a>5</a>
 <b>7</b>
-<v>4828</v>
+<v>9380</v>
 </b>
 <b>
 <a>7</a>
 <b>48</b>
-<v>3742</v>
+<v>7549</v>
 </b>
 </bs>
 </hist>
@@ -19898,42 +20273,42 @@
 <b>
 <a>1</a>
 <b>2</b>
-<v>19786</v>
+<v>40635</v>
 </b>
 <b>
 <a>2</a>
 <b>3</b>
-<v>14574</v>
+<v>30139</v>
 </b>
 <b>
 <a>3</a>
 <b>4</b>
-<v>5590</v>
+<v>10900</v>
 </b>
 <b>
 <a>4</a>
 <b>5</b>
-<v>4013</v>
+<v>7841</v>
 </b>
 <b>
 <a>5</a>
 <b>6</b>
-<v>3629</v>
+<v>7184</v>
 </b>
 <b>
 <a>6</a>
 <b>8</b>
-<v>4670</v>
+<v>9327</v>
 </b>
 <b>
 <a>8</a>
-<b>15</b>
-<v>4396</v>
+<b>16</b>
+<v>9565</v>
 </b>
 <b>
-<a>15</a>
+<a>16</a>
 <b>250</b>
-<v>1594</v>
+<v>2357</v>
 </b>
 </bs>
 </hist>
@@ -19949,27 +20324,27 @@
 <b>
 <a>1</a>
 <b>2</b>
-<v>15635</v>
+<v>32014</v>
 </b>
 <b>
 <a>2</a>
 <b>3</b>
-<v>5319</v>
+<v>10953</v>
 </b>
 <b>
 <a>3</a>
 <b>5</b>
-<v>2353</v>
+<v>4700</v>
 </b>
 <b>
 <a>5</a>
-<b>19</b>
-<v>1955</v>
+<b>21</b>
+<v>3984</v>
 </b>
 <b>
-<a>19</a>
-<b>11856</b>
-<v>752</v>
+<a>21</a>
+<b>12516</b>
+<v>1358</v>
 </b>
 </bs>
 </hist>
@@ -19985,17 +20360,17 @@
 <b>
 <a>1</a>
 <b>2</b>
-<v>21932</v>
+<v>44809</v>
 </b>
 <b>
 <a>2</a>
 <b>3</b>
-<v>2213</v>
+<v>4461</v>
 </b>
 <b>
 <a>3</a>
 <b>3289</b>
-<v>1870</v>
+<v>3740</v>
 </b>
 </bs>
 </hist>
@@ -20011,27 +20386,27 @@
 <b>
 <a>1</a>
 <b>2</b>
-<v>16244</v>
+<v>33193</v>
 </b>
 <b>
 <a>2</a>
 <b>3</b>
-<v>5169</v>
+<v>10666</v>
 </b>
 <b>
 <a>3</a>
 <b>5</b>
-<v>2243</v>
+<v>4490</v>
 </b>
 <b>
 <a>5</a>
-<b>30</b>
-<v>1952</v>
+<b>35</b>
+<v>3993</v>
 </b>
 <b>
-<a>30</a>
-<b>5894</b>
-<v>406</v>
+<a>35</a>
+<b>6176</b>
+<v>667</v>
 </b>
 </bs>
 </hist>
@@ -20047,27 +20422,27 @@
 <b>
 <a>1</a>
 <b>2</b>
-<v>15707</v>
+<v>32155</v>
 </b>
 <b>
 <a>2</a>
 <b>3</b>
-<v>5392</v>
+<v>11080</v>
 </b>
 <b>
 <a>3</a>
 <b>5</b>
-<v>2356</v>
+<v>4739</v>
 </b>
 <b>
 <a>5</a>
-<b>21</b>
-<v>1975</v>
+<b>23</b>
+<v>4003</v>
 </b>
 <b>
-<a>21</a>
-<b>10599</b>
-<v>584</v>
+<a>23</a>
+<b>10636</b>
+<v>1032</v>
 </b>
 </bs>
 </hist>
@@ -20083,12 +20458,12 @@
 <b>
 <a>1</a>
 <b>2</b>
-<v>169043</v>
+<v>328609</v>
 </b>
 <b>
 <a>2</a>
-<b>585</b>
-<v>2604</v>
+<b>705</b>
+<v>5231</v>
 </b>
 </bs>
 </hist>
@@ -20104,7 +20479,7 @@
 <b>
 <a>1</a>
 <b>2</b>
-<v>171648</v>
+<v>333840</v>
 </b>
 </bs>
 </hist>
@@ -20120,12 +20495,12 @@
 <b>
 <a>1</a>
 <b>2</b>
-<v>169043</v>
+<v>328609</v>
 </b>
 <b>
 <a>2</a>
-<b>585</b>
-<v>2604</v>
+<b>705</b>
+<v>5231</v>
 </b>
 </bs>
 </hist>
@@ -20141,12 +20516,12 @@
 <b>
 <a>1</a>
 <b>2</b>
-<v>171048</v>
+<v>332608</v>
 </b>
 <b>
 <a>2</a>
-<b>438</b>
-<v>599</v>
+<b>690</b>
+<v>1232</v>
 </b>
 </bs>
 </hist>
@@ -20156,15 +20531,15 @@
 </relation>
 <relation>
 <name>property_location</name>
-<cardinality>263937</cardinality>
+<cardinality>536505</cardinality>
 <columnsizes>
 <e>
 <k>id</k>
-<v>212542</v>
+<v>425592</v>
 </e>
 <e>
 <k>loc</k>
-<v>24308</v>
+<v>52894</v>
 </e>
 </columnsizes>
 <dependencies>
@@ -20178,17 +20553,17 @@
 <b>
 <a>1</a>
 <b>2</b>
-<v>171527</v>
+<v>340167</v>
 </b>
 <b>
 <a>2</a>
 <b>3</b>
-<v>32779</v>
+<v>64106</v>
 </b>
 <b>
 <a>3</a>
 <b>119</b>
-<v>8234</v>
+<v>21318</v>
 </b>
 </bs>
 </hist>
@@ -20204,12 +20579,12 @@
 <b>
 <a>1</a>
 <b>2</b>
-<v>22594</v>
+<v>49412</v>
 </b>
 <b>
 <a>2</a>
 <b>7080</b>
-<v>1714</v>
+<v>3482</v>
 </b>
 </bs>
 </hist>
@@ -20219,27 +20594,27 @@
 </relation>
 <relation>
 <name>indexers</name>
-<cardinality>7590</cardinality>
+<cardinality>17042</cardinality>
 <columnsizes>
 <e>
 <k>id</k>
-<v>7590</v>
+<v>17042</v>
 </e>
 <e>
 <k>name</k>
-<v>10</v>
+<v>19</v>
 </e>
 <e>
 <k>declaring_type_id</k>
-<v>6071</v>
+<v>13549</v>
 </e>
 <e>
 <k>type_id</k>
-<v>1817</v>
+<v>3969</v>
 </e>
 <e>
 <k>unbound_id</k>
-<v>2283</v>
+<v>4437</v>
 </e>
 </columnsizes>
 <dependencies>
@@ -20253,7 +20628,7 @@
 <b>
 <a>1</a>
 <b>2</b>
-<v>7590</v>
+<v>17042</v>
 </b>
 </bs>
 </hist>
@@ -20269,7 +20644,7 @@
 <b>
 <a>1</a>
 <b>2</b>
-<v>7590</v>
+<v>17042</v>
 </b>
 </bs>
 </hist>
@@ -20285,7 +20660,7 @@
 <b>
 <a>1</a>
 <b>2</b>
-<v>7590</v>
+<v>17042</v>
 </b>
 </bs>
 </hist>
@@ -20301,7 +20676,7 @@
 <b>
 <a>1</a>
 <b>2</b>
-<v>7590</v>
+<v>17042</v>
 </b>
 </bs>
 </hist>
@@ -20317,22 +20692,22 @@
 <b>
 <a>2</a>
 <b>3</b>
-<v>2</v>
+<v>4</v>
 </b>
 <b>
 <a>3</a>
 <b>4</b>
-<v>2</v>
+<v>4</v>
 </b>
 <b>
 <a>6</a>
 <b>7</b>
-<v>2</v>
+<v>4</v>
 </b>
 <b>
-<a>3017</a>
-<b>3018</b>
-<v>2</v>
+<a>3488</a>
+<b>3489</b>
+<v>4</v>
 </b>
 </bs>
 </hist>
@@ -20348,22 +20723,22 @@
 <b>
 <a>2</a>
 <b>3</b>
-<v>2</v>
+<v>4</v>
 </b>
 <b>
 <a>3</a>
 <b>4</b>
-<v>2</v>
+<v>4</v>
 </b>
 <b>
 <a>4</a>
 <b>5</b>
-<v>2</v>
+<v>4</v>
 </b>
 <b>
-<a>2415</a>
-<b>2416</b>
-<v>2</v>
+<a>2775</a>
+<b>2776</b>
+<v>4</v>
 </b>
 </bs>
 </hist>
@@ -20379,17 +20754,17 @@
 <b>
 <a>1</a>
 <b>2</b>
-<v>5</v>
+<v>9</v>
 </b>
 <b>
 <a>4</a>
 <b>5</b>
-<v>2</v>
+<v>4</v>
 </b>
 <b>
-<a>720</a>
-<b>721</b>
-<v>2</v>
+<a>810</a>
+<b>811</b>
+<v>4</v>
 </b>
 </bs>
 </hist>
@@ -20405,22 +20780,22 @@
 <b>
 <a>2</a>
 <b>3</b>
-<v>2</v>
+<v>4</v>
 </b>
 <b>
 <a>3</a>
 <b>4</b>
-<v>2</v>
+<v>4</v>
 </b>
 <b>
 <a>6</a>
 <b>7</b>
-<v>2</v>
+<v>4</v>
 </b>
 <b>
 <a>900</a>
 <b>901</b>
-<v>2</v>
+<v>4</v>
 </b>
 </bs>
 </hist>
@@ -20436,17 +20811,17 @@
 <b>
 <a>1</a>
 <b>2</b>
-<v>4770</v>
+<v>10505</v>
 </b>
 <b>
 <a>2</a>
 <b>3</b>
-<v>1160</v>
+<v>2747</v>
 </b>
 <b>
 <a>3</a>
 <b>7</b>
-<v>140</v>
+<v>297</v>
 </b>
 </bs>
 </hist>
@@ -20462,12 +20837,12 @@
 <b>
 <a>1</a>
 <b>2</b>
-<v>6066</v>
+<v>13540</v>
 </b>
 <b>
 <a>2</a>
 <b>3</b>
-<v>5</v>
+<v>9</v>
 </b>
 </bs>
 </hist>
@@ -20483,12 +20858,12 @@
 <b>
 <a>1</a>
 <b>2</b>
-<v>5046</v>
+<v>11046</v>
 </b>
 <b>
 <a>2</a>
 <b>3</b>
-<v>1025</v>
+<v>2503</v>
 </b>
 </bs>
 </hist>
@@ -20504,17 +20879,17 @@
 <b>
 <a>1</a>
 <b>2</b>
-<v>4770</v>
+<v>10505</v>
 </b>
 <b>
 <a>2</a>
 <b>3</b>
-<v>1160</v>
+<v>2747</v>
 </b>
 <b>
 <a>3</a>
 <b>7</b>
-<v>140</v>
+<v>297</v>
 </b>
 </bs>
 </hist>
@@ -20530,27 +20905,32 @@
 <b>
 <a>1</a>
 <b>2</b>
-<v>461</v>
+<v>876</v>
 </b>
 <b>
 <a>2</a>
 <b>3</b>
-<v>423</v>
+<v>871</v>
 </b>
 <b>
 <a>3</a>
 <b>4</b>
-<v>674</v>
+<v>1626</v>
 </b>
 <b>
 <a>4</a>
 <b>6</b>
-<v>120</v>
+<v>267</v>
 </b>
 <b>
 <a>6</a>
-<b>886</b>
-<v>137</v>
+<b>18</b>
+<v>301</v>
+</b>
+<b>
+<a>18</a>
+<b>1020</b>
+<v>24</v>
 </b>
 </bs>
 </hist>
@@ -20566,12 +20946,12 @@
 <b>
 <a>1</a>
 <b>2</b>
-<v>1814</v>
+<v>3964</v>
 </b>
 <b>
 <a>2</a>
 <b>3</b>
-<v>2</v>
+<v>4</v>
 </b>
 </bs>
 </hist>
@@ -20587,27 +20967,27 @@
 <b>
 <a>1</a>
 <b>2</b>
-<v>541</v>
+<v>1032</v>
 </b>
 <b>
 <a>2</a>
 <b>3</b>
-<v>376</v>
+<v>779</v>
 </b>
 <b>
 <a>3</a>
 <b>4</b>
-<v>691</v>
+<v>1660</v>
 </b>
 <b>
 <a>4</a>
-<b>7</b>
-<v>165</v>
+<b>6</b>
+<v>238</v>
 </b>
 <b>
-<a>7</a>
-<b>845</b>
-<v>42</v>
+<a>6</a>
+<b>978</b>
+<v>258</v>
 </b>
 </bs>
 </hist>
@@ -20623,27 +21003,27 @@
 <b>
 <a>1</a>
 <b>2</b>
-<v>461</v>
+<v>876</v>
 </b>
 <b>
 <a>2</a>
 <b>3</b>
-<v>423</v>
+<v>871</v>
 </b>
 <b>
 <a>3</a>
 <b>4</b>
-<v>686</v>
+<v>1651</v>
 </b>
 <b>
 <a>4</a>
 <b>6</b>
-<v>120</v>
+<v>267</v>
 </b>
 <b>
 <a>6</a>
 <b>198</b>
-<v>125</v>
+<v>301</v>
 </b>
 </bs>
 </hist>
@@ -20659,12 +21039,12 @@
 <b>
 <a>1</a>
 <b>2</b>
-<v>2118</v>
+<v>4101</v>
 </b>
 <b>
 <a>2</a>
-<b>384</b>
-<v>165</v>
+<b>452</b>
+<v>336</v>
 </b>
 </bs>
 </hist>
@@ -20680,7 +21060,7 @@
 <b>
 <a>1</a>
 <b>2</b>
-<v>2283</v>
+<v>4437</v>
 </b>
 </bs>
 </hist>
@@ -20696,12 +21076,12 @@
 <b>
 <a>1</a>
 <b>2</b>
-<v>2118</v>
+<v>4101</v>
 </b>
 <b>
 <a>2</a>
-<b>384</b>
-<v>165</v>
+<b>452</b>
+<v>336</v>
 </b>
 </bs>
 </hist>
@@ -20717,12 +21097,12 @@
 <b>
 <a>1</a>
 <b>2</b>
-<v>2190</v>
+<v>4247</v>
 </b>
 <b>
 <a>2</a>
-<b>384</b>
-<v>92</v>
+<b>452</b>
+<v>189</v>
 </b>
 </bs>
 </hist>
@@ -20732,15 +21112,15 @@
 </relation>
 <relation>
 <name>indexer_location</name>
-<cardinality>12780</cardinality>
+<cardinality>23899</cardinality>
 <columnsizes>
 <e>
 <k>id</k>
-<v>6439</v>
+<v>12715</v>
 </e>
 <e>
 <k>loc</k>
-<v>183</v>
+<v>221</v>
 </e>
 </columnsizes>
 <dependencies>
@@ -20754,27 +21134,27 @@
 <b>
 <a>1</a>
 <b>2</b>
-<v>2232</v>
+<v>4500</v>
 </b>
 <b>
 <a>2</a>
 <b>3</b>
-<v>3081</v>
+<v>6699</v>
 </b>
 <b>
 <a>3</a>
 <b>4</b>
-<v>283</v>
+<v>285</v>
 </b>
 <b>
 <a>4</a>
 <b>5</b>
-<v>774</v>
+<v>1117</v>
 </b>
 <b>
 <a>5</a>
-<b>11</b>
-<v>69</v>
+<b>13</b>
+<v>114</v>
 </b>
 </bs>
 </hist>
@@ -20790,52 +21170,52 @@
 <b>
 <a>1</a>
 <b>2</b>
-<v>49</v>
+<v>76</v>
 </b>
 <b>
 <a>2</a>
 <b>3</b>
-<v>20</v>
+<v>24</v>
 </b>
 <b>
 <a>3</a>
 <b>4</b>
-<v>19</v>
+<v>17</v>
 </b>
 <b>
 <a>4</a>
 <b>5</b>
-<v>14</v>
+<v>13</v>
 </b>
 <b>
 <a>5</a>
 <b>8</b>
-<v>14</v>
+<v>18</v>
 </b>
 <b>
 <a>8</a>
 <b>13</b>
-<v>14</v>
+<v>17</v>
 </b>
 <b>
 <a>13</a>
-<b>20</b>
-<v>14</v>
+<b>21</b>
+<v>18</v>
 </b>
 <b>
-<a>20</a>
-<b>35</b>
-<v>14</v>
+<a>23</a>
+<b>45</b>
+<v>18</v>
 </b>
 <b>
-<a>36</a>
-<b>112</b>
-<v>14</v>
+<a>47</a>
+<b>2319</b>
+<v>17</v>
 </b>
 <b>
-<a>124</a>
-<b>2196</b>
-<v>11</v>
+<a>3540</a>
+<b>5342</b>
+<v>3</v>
 </b>
 </bs>
 </hist>
@@ -20845,27 +21225,27 @@
 </relation>
 <relation>
 <name>accessors</name>
-<cardinality>284483</cardinality>
+<cardinality>569927</cardinality>
 <columnsizes>
 <e>
 <k>id</k>
-<v>284483</v>
+<v>569927</v>
 </e>
 <e>
 <k>kind</k>
-<v>5</v>
+<v>9</v>
 </e>
 <e>
 <k>name</k>
-<v>62337</v>
+<v>121243</v>
 </e>
 <e>
 <k>declaring_member_id</k>
-<v>220132</v>
+<v>442634</v>
 </e>
 <e>
 <k>unbound_id</k>
-<v>226384</v>
+<v>440418</v>
 </e>
 </columnsizes>
 <dependencies>
@@ -20879,7 +21259,7 @@
 <b>
 <a>1</a>
 <b>2</b>
-<v>284483</v>
+<v>569927</v>
 </b>
 </bs>
 </hist>
@@ -20895,7 +21275,7 @@
 <b>
 <a>1</a>
 <b>2</b>
-<v>284483</v>
+<v>569927</v>
 </b>
 </bs>
 </hist>
@@ -20911,7 +21291,7 @@
 <b>
 <a>1</a>
 <b>2</b>
-<v>284483</v>
+<v>569927</v>
 </b>
 </bs>
 </hist>
@@ -20927,7 +21307,7 @@
 <b>
 <a>1</a>
 <b>2</b>
-<v>284483</v>
+<v>569927</v>
 </b>
 </bs>
 </hist>
@@ -20941,14 +21321,14 @@
 <budget>12</budget>
 <bs>
 <b>
-<a>25718</a>
-<b>25719</b>
-<v>2</v>
+<a>26183</a>
+<b>26184</b>
+<v>4</v>
 </b>
 <b>
-<a>87765</a>
-<b>87766</b>
-<v>2</v>
+<a>90831</a>
+<b>90832</b>
+<v>4</v>
 </b>
 </bs>
 </hist>
@@ -20962,14 +21342,14 @@
 <budget>12</budget>
 <bs>
 <b>
-<a>6501</a>
-<b>6502</b>
-<v>2</v>
+<a>6520</a>
+<b>6521</b>
+<v>4</v>
 </b>
 <b>
-<a>18366</a>
-<b>18367</b>
-<v>2</v>
+<a>18373</a>
+<b>18374</b>
+<v>4</v>
 </b>
 </bs>
 </hist>
@@ -20983,14 +21363,14 @@
 <budget>12</budget>
 <bs>
 <b>
-<a>25717</a>
-<b>25718</b>
-<v>2</v>
+<a>26182</a>
+<b>26183</b>
+<v>4</v>
 </b>
 <b>
-<a>87764</a>
-<b>87765</b>
-<v>2</v>
+<a>90830</a>
+<b>90831</b>
+<v>4</v>
 </b>
 </bs>
 </hist>
@@ -21004,14 +21384,14 @@
 <budget>12</budget>
 <bs>
 <b>
-<a>20971</a>
-<b>20972</b>
-<v>2</v>
+<a>21018</a>
+<b>21019</b>
+<v>4</v>
 </b>
 <b>
-<a>69336</a>
-<b>69337</b>
-<v>2</v>
+<a>69406</a>
+<b>69407</b>
+<v>4</v>
 </b>
 </bs>
 </hist>
@@ -21027,27 +21407,27 @@
 <b>
 <a>1</a>
 <b>2</b>
-<v>38650</v>
+<v>75192</v>
 </b>
 <b>
 <a>2</a>
 <b>3</b>
-<v>10267</v>
+<v>19949</v>
 </b>
 <b>
 <a>3</a>
 <b>4</b>
-<v>4103</v>
+<v>7929</v>
 </b>
 <b>
 <a>4</a>
 <b>8</b>
-<v>5186</v>
+<v>10111</v>
 </b>
 <b>
 <a>8</a>
-<b>2204</b>
-<v>4128</v>
+<b>2558</b>
+<v>8060</v>
 </b>
 </bs>
 </hist>
@@ -21063,7 +21443,7 @@
 <b>
 <a>1</a>
 <b>2</b>
-<v>62337</v>
+<v>121243</v>
 </b>
 </bs>
 </hist>
@@ -21079,27 +21459,27 @@
 <b>
 <a>1</a>
 <b>2</b>
-<v>38655</v>
+<v>75201</v>
 </b>
 <b>
 <a>2</a>
 <b>3</b>
-<v>10262</v>
+<v>19940</v>
 </b>
 <b>
 <a>3</a>
 <b>4</b>
-<v>4103</v>
+<v>7929</v>
 </b>
 <b>
 <a>4</a>
 <b>8</b>
-<v>5186</v>
+<v>10111</v>
 </b>
 <b>
 <a>8</a>
-<b>2204</b>
-<v>4128</v>
+<b>2558</b>
+<v>8060</v>
 </b>
 </bs>
 </hist>
@@ -21115,27 +21495,27 @@
 <b>
 <a>1</a>
 <b>2</b>
-<v>38981</v>
+<v>75840</v>
 </b>
 <b>
 <a>2</a>
 <b>3</b>
-<v>10611</v>
+<v>20617</v>
 </b>
 <b>
 <a>3</a>
 <b>4</b>
-<v>4020</v>
+<v>7763</v>
 </b>
 <b>
 <a>4</a>
 <b>8</b>
-<v>4933</v>
+<v>9653</v>
 </b>
 <b>
 <a>8</a>
 <b>1202</b>
-<v>3790</v>
+<v>7369</v>
 </b>
 </bs>
 </hist>
@@ -21151,17 +21531,17 @@
 <b>
 <a>1</a>
 <b>2</b>
-<v>155787</v>
+<v>315351</v>
 </b>
 <b>
 <a>2</a>
 <b>3</b>
-<v>64342</v>
+<v>127278</v>
 </b>
 <b>
 <a>4</a>
 <b>5</b>
-<v>2</v>
+<v>4</v>
 </b>
 </bs>
 </hist>
@@ -21177,12 +21557,12 @@
 <b>
 <a>1</a>
 <b>2</b>
-<v>155787</v>
+<v>315351</v>
 </b>
 <b>
 <a>2</a>
 <b>3</b>
-<v>64345</v>
+<v>127283</v>
 </b>
 </bs>
 </hist>
@@ -21198,12 +21578,12 @@
 <b>
 <a>1</a>
 <b>2</b>
-<v>155787</v>
+<v>315351</v>
 </b>
 <b>
 <a>2</a>
 <b>3</b>
-<v>64345</v>
+<v>127283</v>
 </b>
 </bs>
 </hist>
@@ -21219,17 +21599,17 @@
 <b>
 <a>1</a>
 <b>2</b>
-<v>155787</v>
+<v>315351</v>
 </b>
 <b>
 <a>2</a>
 <b>3</b>
-<v>64342</v>
+<v>127278</v>
 </b>
 <b>
 <a>4</a>
 <b>5</b>
-<v>2</v>
+<v>4</v>
 </b>
 </bs>
 </hist>
@@ -21245,12 +21625,12 @@
 <b>
 <a>1</a>
 <b>2</b>
-<v>223033</v>
+<v>433697</v>
 </b>
 <b>
 <a>2</a>
-<b>585</b>
-<v>3351</v>
+<b>705</b>
+<v>6721</v>
 </b>
 </bs>
 </hist>
@@ -21266,7 +21646,7 @@
 <b>
 <a>1</a>
 <b>2</b>
-<v>226384</v>
+<v>440418</v>
 </b>
 </bs>
 </hist>
@@ -21282,7 +21662,7 @@
 <b>
 <a>1</a>
 <b>2</b>
-<v>226384</v>
+<v>440418</v>
 </b>
 </bs>
 </hist>
@@ -21298,12 +21678,12 @@
 <b>
 <a>1</a>
 <b>2</b>
-<v>223033</v>
+<v>433697</v>
 </b>
 <b>
 <a>2</a>
-<b>585</b>
-<v>3351</v>
+<b>705</b>
+<v>6721</v>
 </b>
 </bs>
 </hist>
@@ -21324,15 +21704,15 @@
 </relation>
 <relation>
 <name>accessor_location</name>
-<cardinality>367482</cardinality>
+<cardinality>749823</cardinality>
 <columnsizes>
 <e>
 <k>id</k>
-<v>284483</v>
+<v>569927</v>
 </e>
 <e>
 <k>loc</k>
-<v>43067</v>
+<v>93213</v>
 </e>
 </columnsizes>
 <dependencies>
@@ -21346,17 +21726,17 @@
 <b>
 <a>1</a>
 <b>2</b>
-<v>219889</v>
+<v>434768</v>
 </b>
 <b>
 <a>2</a>
 <b>3</b>
-<v>50297</v>
+<v>98405</v>
 </b>
 <b>
 <a>3</a>
 <b>119</b>
-<v>14296</v>
+<v>36753</v>
 </b>
 </bs>
 </hist>
@@ -21372,12 +21752,12 @@
 <b>
 <a>1</a>
 <b>2</b>
-<v>41305</v>
+<v>89609</v>
 </b>
 <b>
 <a>2</a>
-<b>7862</b>
-<v>1762</v>
+<b>8548</b>
+<v>3604</v>
 </b>
 </bs>
 </hist>
@@ -21387,27 +21767,27 @@
 </relation>
 <relation>
 <name>events</name>
-<cardinality>7838</cardinality>
+<cardinality>15230</cardinality>
 <columnsizes>
 <e>
 <k>id</k>
-<v>7838</v>
+<v>15230</v>
 </e>
 <e>
 <k>name</k>
-<v>6685</v>
+<v>12989</v>
 </e>
 <e>
 <k>declaring_type_id</k>
-<v>631</v>
+<v>1227</v>
 </e>
 <e>
 <k>type_id</k>
-<v>3276</v>
+<v>6365</v>
 </e>
 <e>
 <k>unbound_id</k>
-<v>7833</v>
+<v>15220</v>
 </e>
 </columnsizes>
 <dependencies>
@@ -21421,7 +21801,7 @@
 <b>
 <a>1</a>
 <b>2</b>
-<v>7838</v>
+<v>15230</v>
 </b>
 </bs>
 </hist>
@@ -21437,7 +21817,7 @@
 <b>
 <a>1</a>
 <b>2</b>
-<v>7838</v>
+<v>15230</v>
 </b>
 </bs>
 </hist>
@@ -21453,7 +21833,7 @@
 <b>
 <a>1</a>
 <b>2</b>
-<v>7838</v>
+<v>15230</v>
 </b>
 </bs>
 </hist>
@@ -21469,7 +21849,7 @@
 <b>
 <a>1</a>
 <b>2</b>
-<v>7838</v>
+<v>15230</v>
 </b>
 </bs>
 </hist>
@@ -21485,17 +21865,17 @@
 <b>
 <a>1</a>
 <b>2</b>
-<v>6176</v>
+<v>12001</v>
 </b>
 <b>
 <a>2</a>
 <b>12</b>
-<v>503</v>
+<v>978</v>
 </b>
 <b>
 <a>14</a>
 <b>17</b>
-<v>5</v>
+<v>9</v>
 </b>
 </bs>
 </hist>
@@ -21511,17 +21891,17 @@
 <b>
 <a>1</a>
 <b>2</b>
-<v>6176</v>
+<v>12001</v>
 </b>
 <b>
 <a>2</a>
 <b>10</b>
-<v>503</v>
+<v>978</v>
 </b>
 <b>
 <a>14</a>
 <b>17</b>
-<v>5</v>
+<v>9</v>
 </b>
 </bs>
 </hist>
@@ -21537,12 +21917,12 @@
 <b>
 <a>1</a>
 <b>2</b>
-<v>6613</v>
+<v>12848</v>
 </b>
 <b>
 <a>2</a>
 <b>10</b>
-<v>72</v>
+<v>141</v>
 </b>
 </bs>
 </hist>
@@ -21558,17 +21938,17 @@
 <b>
 <a>1</a>
 <b>2</b>
-<v>6176</v>
+<v>12001</v>
 </b>
 <b>
 <a>2</a>
 <b>12</b>
-<v>503</v>
+<v>978</v>
 </b>
 <b>
 <a>14</a>
 <b>17</b>
-<v>5</v>
+<v>9</v>
 </b>
 </bs>
 </hist>
@@ -21584,32 +21964,32 @@
 <b>
 <a>1</a>
 <b>2</b>
-<v>318</v>
+<v>618</v>
 </b>
 <b>
 <a>2</a>
 <b>3</b>
-<v>117</v>
+<v>228</v>
 </b>
 <b>
 <a>3</a>
 <b>4</b>
-<v>50</v>
+<v>97</v>
 </b>
 <b>
 <a>4</a>
 <b>8</b>
-<v>55</v>
+<v>107</v>
 </b>
 <b>
 <a>8</a>
 <b>23</b>
-<v>52</v>
+<v>102</v>
 </b>
 <b>
 <a>58</a>
 <b>465</b>
-<v>37</v>
+<v>73</v>
 </b>
 </bs>
 </hist>
@@ -21625,32 +22005,32 @@
 <b>
 <a>1</a>
 <b>2</b>
-<v>318</v>
+<v>618</v>
 </b>
 <b>
 <a>2</a>
 <b>3</b>
-<v>122</v>
+<v>238</v>
 </b>
 <b>
 <a>3</a>
 <b>4</b>
-<v>47</v>
+<v>92</v>
 </b>
 <b>
 <a>4</a>
 <b>8</b>
-<v>52</v>
+<v>102</v>
 </b>
 <b>
 <a>8</a>
 <b>23</b>
-<v>52</v>
+<v>102</v>
 </b>
 <b>
 <a>58</a>
 <b>465</b>
-<v>37</v>
+<v>73</v>
 </b>
 </bs>
 </hist>
@@ -21666,27 +22046,27 @@
 <b>
 <a>1</a>
 <b>2</b>
-<v>396</v>
+<v>769</v>
 </b>
 <b>
 <a>2</a>
 <b>3</b>
-<v>102</v>
+<v>199</v>
 </b>
 <b>
 <a>3</a>
 <b>5</b>
-<v>45</v>
+<v>87</v>
 </b>
 <b>
 <a>5</a>
 <b>11</b>
-<v>47</v>
+<v>92</v>
 </b>
 <b>
 <a>12</a>
 <b>181</b>
-<v>40</v>
+<v>77</v>
 </b>
 </bs>
 </hist>
@@ -21702,32 +22082,32 @@
 <b>
 <a>1</a>
 <b>2</b>
-<v>318</v>
+<v>618</v>
 </b>
 <b>
 <a>2</a>
 <b>3</b>
-<v>117</v>
+<v>228</v>
 </b>
 <b>
 <a>3</a>
 <b>4</b>
-<v>50</v>
+<v>97</v>
 </b>
 <b>
 <a>4</a>
 <b>8</b>
-<v>55</v>
+<v>107</v>
 </b>
 <b>
 <a>8</a>
 <b>23</b>
-<v>52</v>
+<v>102</v>
 </b>
 <b>
 <a>58</a>
 <b>465</b>
-<v>37</v>
+<v>73</v>
 </b>
 </bs>
 </hist>
@@ -21743,22 +22123,22 @@
 <b>
 <a>1</a>
 <b>2</b>
-<v>2271</v>
+<v>4412</v>
 </b>
 <b>
 <a>2</a>
 <b>3</b>
-<v>599</v>
+<v>1164</v>
 </b>
 <b>
 <a>3</a>
 <b>6</b>
-<v>265</v>
+<v>516</v>
 </b>
 <b>
 <a>6</a>
 <b>318</b>
-<v>140</v>
+<v>272</v>
 </b>
 </bs>
 </hist>
@@ -21774,22 +22154,22 @@
 <b>
 <a>1</a>
 <b>2</b>
-<v>2471</v>
+<v>4802</v>
 </b>
 <b>
 <a>2</a>
 <b>3</b>
-<v>471</v>
+<v>915</v>
 </b>
 <b>
 <a>3</a>
 <b>8</b>
-<v>258</v>
+<v>501</v>
 </b>
 <b>
 <a>8</a>
 <b>242</b>
-<v>75</v>
+<v>146</v>
 </b>
 </bs>
 </hist>
@@ -21805,17 +22185,17 @@
 <b>
 <a>1</a>
 <b>2</b>
-<v>2960</v>
+<v>5752</v>
 </b>
 <b>
 <a>2</a>
 <b>4</b>
-<v>268</v>
+<v>521</v>
 </b>
 <b>
 <a>4</a>
 <b>27</b>
-<v>47</v>
+<v>92</v>
 </b>
 </bs>
 </hist>
@@ -21831,22 +22211,22 @@
 <b>
 <a>1</a>
 <b>2</b>
-<v>2271</v>
+<v>4412</v>
 </b>
 <b>
 <a>2</a>
 <b>3</b>
-<v>599</v>
+<v>1164</v>
 </b>
 <b>
 <a>3</a>
 <b>6</b>
-<v>265</v>
+<v>516</v>
 </b>
 <b>
 <a>6</a>
 <b>318</b>
-<v>140</v>
+<v>272</v>
 </b>
 </bs>
 </hist>
@@ -21862,12 +22242,12 @@
 <b>
 <a>1</a>
 <b>2</b>
-<v>7828</v>
+<v>15210</v>
 </b>
 <b>
 <a>2</a>
 <b>3</b>
-<v>5</v>
+<v>9</v>
 </b>
 </bs>
 </hist>
@@ -21883,7 +22263,7 @@
 <b>
 <a>1</a>
 <b>2</b>
-<v>7833</v>
+<v>15220</v>
 </b>
 </bs>
 </hist>
@@ -21899,12 +22279,12 @@
 <b>
 <a>1</a>
 <b>2</b>
-<v>7828</v>
+<v>15210</v>
 </b>
 <b>
 <a>2</a>
 <b>3</b>
-<v>5</v>
+<v>9</v>
 </b>
 </bs>
 </hist>
@@ -21920,12 +22300,12 @@
 <b>
 <a>1</a>
 <b>2</b>
-<v>7828</v>
+<v>15210</v>
 </b>
 <b>
 <a>2</a>
 <b>3</b>
-<v>5</v>
+<v>9</v>
 </b>
 </bs>
 </hist>
@@ -21935,15 +22315,15 @@
 </relation>
 <relation>
 <name>event_location</name>
-<cardinality>8167</cardinality>
+<cardinality>15868</cardinality>
 <columnsizes>
 <e>
 <k>id</k>
-<v>7838</v>
+<v>15230</v>
 </e>
 <e>
 <k>loc</k>
-<v>167</v>
+<v>326</v>
 </e>
 </columnsizes>
 <dependencies>
@@ -21957,12 +22337,12 @@
 <b>
 <a>1</a>
 <b>2</b>
-<v>7510</v>
+<v>14592</v>
 </b>
 <b>
 <a>2</a>
 <b>3</b>
-<v>328</v>
+<v>638</v>
 </b>
 </bs>
 </hist>
@@ -21978,57 +22358,57 @@
 <b>
 <a>1</a>
 <b>2</b>
-<v>25</v>
+<v>48</v>
 </b>
 <b>
 <a>2</a>
 <b>3</b>
-<v>25</v>
+<v>48</v>
 </b>
 <b>
 <a>3</a>
 <b>4</b>
-<v>22</v>
+<v>43</v>
 </b>
 <b>
 <a>4</a>
 <b>5</b>
-<v>12</v>
+<v>24</v>
 </b>
 <b>
 <a>5</a>
 <b>6</b>
-<v>7</v>
+<v>14</v>
 </b>
 <b>
 <a>6</a>
 <b>8</b>
-<v>12</v>
+<v>24</v>
 </b>
 <b>
 <a>8</a>
 <b>9</b>
-<v>10</v>
+<v>19</v>
 </b>
 <b>
 <a>10</a>
 <b>11</b>
-<v>10</v>
+<v>19</v>
 </b>
 <b>
 <a>12</a>
 <b>16</b>
-<v>15</v>
+<v>29</v>
 </b>
 <b>
 <a>16</a>
 <b>31</b>
-<v>15</v>
+<v>29</v>
 </b>
 <b>
 <a>64</a>
 <b>2199</b>
-<v>12</v>
+<v>24</v>
 </b>
 </bs>
 </hist>
@@ -22038,27 +22418,27 @@
 </relation>
 <relation>
 <name>event_accessors</name>
-<cardinality>15677</cardinality>
+<cardinality>30460</cardinality>
 <columnsizes>
 <e>
 <k>id</k>
-<v>15677</v>
+<v>30460</v>
 </e>
 <e>
 <k>kind</k>
-<v>5</v>
+<v>9</v>
 </e>
 <e>
 <k>name</k>
-<v>13737</v>
+<v>26690</v>
 </e>
 <e>
 <k>declaring_event_id</k>
-<v>7838</v>
+<v>15230</v>
 </e>
 <e>
 <k>unbound_id</k>
-<v>15667</v>
+<v>30441</v>
 </e>
 </columnsizes>
 <dependencies>
@@ -22072,7 +22452,7 @@
 <b>
 <a>1</a>
 <b>2</b>
-<v>15677</v>
+<v>30460</v>
 </b>
 </bs>
 </hist>
@@ -22088,7 +22468,7 @@
 <b>
 <a>1</a>
 <b>2</b>
-<v>15677</v>
+<v>30460</v>
 </b>
 </bs>
 </hist>
@@ -22104,7 +22484,7 @@
 <b>
 <a>1</a>
 <b>2</b>
-<v>15677</v>
+<v>30460</v>
 </b>
 </bs>
 </hist>
@@ -22120,7 +22500,7 @@
 <b>
 <a>1</a>
 <b>2</b>
-<v>15677</v>
+<v>30460</v>
 </b>
 </bs>
 </hist>
@@ -22136,7 +22516,7 @@
 <b>
 <a>3127</a>
 <b>3128</b>
-<v>5</v>
+<v>9</v>
 </b>
 </bs>
 </hist>
@@ -22152,7 +22532,7 @@
 <b>
 <a>2740</a>
 <b>2741</b>
-<v>5</v>
+<v>9</v>
 </b>
 </bs>
 </hist>
@@ -22168,7 +22548,7 @@
 <b>
 <a>3127</a>
 <b>3128</b>
-<v>5</v>
+<v>9</v>
 </b>
 </bs>
 </hist>
@@ -22184,7 +22564,7 @@
 <b>
 <a>3125</a>
 <b>3126</b>
-<v>5</v>
+<v>9</v>
 </b>
 </bs>
 </hist>
@@ -22200,12 +22580,12 @@
 <b>
 <a>1</a>
 <b>2</b>
-<v>12714</v>
+<v>24703</v>
 </b>
 <b>
 <a>2</a>
 <b>16</b>
-<v>1022</v>
+<v>1987</v>
 </b>
 </bs>
 </hist>
@@ -22221,7 +22601,7 @@
 <b>
 <a>1</a>
 <b>2</b>
-<v>13737</v>
+<v>26690</v>
 </b>
 </bs>
 </hist>
@@ -22237,12 +22617,12 @@
 <b>
 <a>1</a>
 <b>2</b>
-<v>12714</v>
+<v>24703</v>
 </b>
 <b>
 <a>2</a>
 <b>16</b>
-<v>1022</v>
+<v>1987</v>
 </b>
 </bs>
 </hist>
@@ -22258,12 +22638,12 @@
 <b>
 <a>1</a>
 <b>2</b>
-<v>12714</v>
+<v>24703</v>
 </b>
 <b>
 <a>2</a>
 <b>16</b>
-<v>1022</v>
+<v>1987</v>
 </b>
 </bs>
 </hist>
@@ -22279,7 +22659,7 @@
 <b>
 <a>2</a>
 <b>3</b>
-<v>7838</v>
+<v>15230</v>
 </b>
 </bs>
 </hist>
@@ -22295,7 +22675,7 @@
 <b>
 <a>2</a>
 <b>3</b>
-<v>7838</v>
+<v>15230</v>
 </b>
 </bs>
 </hist>
@@ -22311,7 +22691,7 @@
 <b>
 <a>2</a>
 <b>3</b>
-<v>7838</v>
+<v>15230</v>
 </b>
 </bs>
 </hist>
@@ -22327,7 +22707,7 @@
 <b>
 <a>2</a>
 <b>3</b>
-<v>7838</v>
+<v>15230</v>
 </b>
 </bs>
 </hist>
@@ -22343,12 +22723,12 @@
 <b>
 <a>1</a>
 <b>2</b>
-<v>15657</v>
+<v>30421</v>
 </b>
 <b>
 <a>2</a>
 <b>3</b>
-<v>10</v>
+<v>19</v>
 </b>
 </bs>
 </hist>
@@ -22364,7 +22744,7 @@
 <b>
 <a>1</a>
 <b>2</b>
-<v>15667</v>
+<v>30441</v>
 </b>
 </bs>
 </hist>
@@ -22380,7 +22760,7 @@
 <b>
 <a>1</a>
 <b>2</b>
-<v>15667</v>
+<v>30441</v>
 </b>
 </bs>
 </hist>
@@ -22396,12 +22776,12 @@
 <b>
 <a>1</a>
 <b>2</b>
-<v>15657</v>
+<v>30421</v>
 </b>
 <b>
 <a>2</a>
 <b>3</b>
-<v>10</v>
+<v>19</v>
 </b>
 </bs>
 </hist>
@@ -22411,15 +22791,15 @@
 </relation>
 <relation>
 <name>event_accessor_location</name>
-<cardinality>16334</cardinality>
+<cardinality>31736</cardinality>
 <columnsizes>
 <e>
 <k>id</k>
-<v>15677</v>
+<v>30460</v>
 </e>
 <e>
 <k>loc</k>
-<v>167</v>
+<v>326</v>
 </e>
 </columnsizes>
 <dependencies>
@@ -22433,12 +22813,12 @@
 <b>
 <a>1</a>
 <b>2</b>
-<v>15020</v>
+<v>29184</v>
 </b>
 <b>
 <a>2</a>
 <b>3</b>
-<v>656</v>
+<v>1276</v>
 </b>
 </bs>
 </hist>
@@ -22454,57 +22834,57 @@
 <b>
 <a>2</a>
 <b>3</b>
-<v>25</v>
+<v>48</v>
 </b>
 <b>
 <a>4</a>
 <b>5</b>
-<v>25</v>
+<v>48</v>
 </b>
 <b>
 <a>6</a>
 <b>7</b>
-<v>22</v>
+<v>43</v>
 </b>
 <b>
 <a>8</a>
 <b>9</b>
-<v>12</v>
+<v>24</v>
 </b>
 <b>
 <a>10</a>
 <b>11</b>
-<v>7</v>
+<v>14</v>
 </b>
 <b>
 <a>12</a>
 <b>15</b>
-<v>12</v>
+<v>24</v>
 </b>
 <b>
 <a>16</a>
 <b>17</b>
-<v>10</v>
+<v>19</v>
 </b>
 <b>
 <a>20</a>
 <b>21</b>
-<v>10</v>
+<v>19</v>
 </b>
 <b>
 <a>24</a>
 <b>31</b>
-<v>15</v>
+<v>29</v>
 </b>
 <b>
 <a>32</a>
 <b>61</b>
-<v>15</v>
+<v>29</v>
 </b>
 <b>
 <a>128</a>
 <b>4397</b>
-<v>12</v>
+<v>24</v>
 </b>
 </bs>
 </hist>
@@ -22514,31 +22894,31 @@
 </relation>
 <relation>
 <name>operators</name>
-<cardinality>6201</cardinality>
+<cardinality>12410</cardinality>
 <columnsizes>
 <e>
 <k>id</k>
-<v>6201</v>
+<v>12410</v>
 </e>
 <e>
 <k>name</k>
-<v>65</v>
+<v>126</v>
 </e>
 <e>
 <k>symbol</k>
-<v>60</v>
+<v>116</v>
 </e>
 <e>
 <k>declaring_type_id</k>
-<v>1448</v>
+<v>3024</v>
 </e>
 <e>
 <k>type_id</k>
-<v>809</v>
+<v>1621</v>
 </e>
 <e>
 <k>unbound_id</k>
-<v>5903</v>
+<v>11655</v>
 </e>
 </columnsizes>
 <dependencies>
@@ -22552,7 +22932,7 @@
 <b>
 <a>1</a>
 <b>2</b>
-<v>6201</v>
+<v>12410</v>
 </b>
 </bs>
 </hist>
@@ -22568,7 +22948,7 @@
 <b>
 <a>1</a>
 <b>2</b>
-<v>6201</v>
+<v>12410</v>
 </b>
 </bs>
 </hist>
@@ -22584,7 +22964,7 @@
 <b>
 <a>1</a>
 <b>2</b>
-<v>6201</v>
+<v>12410</v>
 </b>
 </bs>
 </hist>
@@ -22600,7 +22980,7 @@
 <b>
 <a>1</a>
 <b>2</b>
-<v>6201</v>
+<v>12410</v>
 </b>
 </bs>
 </hist>
@@ -22616,7 +22996,7 @@
 <b>
 <a>1</a>
 <b>2</b>
-<v>6201</v>
+<v>12410</v>
 </b>
 </bs>
 </hist>
@@ -22632,375 +23012,80 @@
 <b>
 <a>1</a>
 <b>2</b>
-<v>2</v>
+<v>4</v>
 </b>
 <b>
 <a>2</a>
 <b>3</b>
-<v>10</v>
+<v>19</v>
 </b>
 <b>
 <a>3</a>
-<b>4</b>
-<v>5</v>
+<b>5</b>
+<v>9</v>
 </b>
 <b>
 <a>5</a>
 <b>6</b>
-<v>2</v>
+<v>4</v>
 </b>
 <b>
 <a>8</a>
 <b>9</b>
-<v>7</v>
+<v>9</v>
 </b>
 <b>
-<a>10</a>
-<b>17</b>
-<v>5</v>
+<a>9</a>
+<b>11</b>
+<v>9</v>
 </b>
 <b>
-<a>26</a>
-<b>46</b>
-<v>5</v>
-</b>
-<b>
-<a>54</a>
-<b>55</b>
-<v>5</v>
-</b>
-<b>
-<a>57</a>
-<b>58</b>
-<v>5</v>
-</b>
-<b>
-<a>65</a>
-<b>73</b>
-<v>5</v>
-</b>
-<b>
-<a>80</a>
-<b>436</b>
-<v>5</v>
-</b>
-<b>
-<a>454</a>
-<b>500</b>
-<v>5</v>
-</b>
-<b>
-<a>506</a>
-<b>507</b>
-<v>2</v>
-</b>
-</bs>
-</hist>
-</val>
-</dep>
-<dep>
-<src>name</src>
-<trg>symbol</trg>
-<val>
-<hist>
-<budget>12</budget>
-<bs>
-<b>
-<a>1</a>
-<b>2</b>
-<v>65</v>
-</b>
-</bs>
-</hist>
-</val>
-</dep>
-<dep>
-<src>name</src>
-<trg>declaring_type_id</trg>
-<val>
-<hist>
-<budget>12</budget>
-<bs>
-<b>
-<a>1</a>
-<b>2</b>
-<v>2</v>
-</b>
-<b>
-<a>2</a>
-<b>3</b>
-<v>10</v>
-</b>
-<b>
-<a>3</a>
-<b>4</b>
-<v>5</v>
-</b>
-<b>
-<a>5</a>
-<b>6</b>
-<v>2</v>
-</b>
-<b>
-<a>8</a>
-<b>9</b>
-<v>7</v>
-</b>
-<b>
-<a>10</a>
-<b>15</b>
-<v>5</v>
-</b>
-<b>
-<a>26</a>
-<b>32</b>
-<v>5</v>
-</b>
-<b>
-<a>36</a>
-<b>50</b>
-<v>5</v>
-</b>
-<b>
-<a>50</a>
-<b>52</b>
-<v>5</v>
-</b>
-<b>
-<a>52</a>
-<b>53</b>
-<v>5</v>
-</b>
-<b>
-<a>63</a>
-<b>120</b>
-<v>5</v>
-</b>
-<b>
-<a>201</a>
-<b>444</b>
-<v>5</v>
-</b>
-<b>
-<a>451</a>
-<b>452</b>
-<v>2</v>
-</b>
-</bs>
-</hist>
-</val>
-</dep>
-<dep>
-<src>name</src>
-<trg>type_id</trg>
-<val>
-<hist>
-<budget>12</budget>
-<bs>
-<b>
-<a>1</a>
-<b>2</b>
-<v>7</v>
-</b>
-<b>
-<a>2</a>
-<b>3</b>
-<v>20</v>
-</b>
-<b>
-<a>3</a>
-<b>4</b>
-<v>5</v>
-</b>
-<b>
-<a>5</a>
-<b>6</b>
-<v>2</v>
-</b>
-<b>
-<a>8</a>
-<b>9</b>
-<v>7</v>
-</b>
-<b>
-<a>10</a>
-<b>15</b>
-<v>5</v>
-</b>
-<b>
-<a>26</a>
-<b>32</b>
-<v>5</v>
-</b>
-<b>
-<a>37</a>
-<b>52</b>
-<v>5</v>
-</b>
-<b>
-<a>63</a>
-<b>155</b>
-<v>5</v>
-</b>
-<b>
-<a>181</a>
-<b>182</b>
-<v>2</v>
-</b>
-</bs>
-</hist>
-</val>
-</dep>
-<dep>
-<src>name</src>
-<trg>unbound_id</trg>
-<val>
-<hist>
-<budget>12</budget>
-<bs>
-<b>
-<a>1</a>
-<b>2</b>
-<v>2</v>
-</b>
-<b>
-<a>2</a>
-<b>3</b>
-<v>10</v>
-</b>
-<b>
-<a>3</a>
-<b>4</b>
-<v>5</v>
-</b>
-<b>
-<a>5</a>
-<b>6</b>
-<v>2</v>
-</b>
-<b>
-<a>8</a>
-<b>9</b>
-<v>7</v>
-</b>
-<b>
-<a>10</a>
-<b>17</b>
-<v>5</v>
-</b>
-<b>
-<a>26</a>
-<b>46</b>
-<v>5</v>
-</b>
-<b>
-<a>53</a>
-<b>54</b>
-<v>5</v>
-</b>
-<b>
-<a>56</a>
-<b>57</b>
-<v>5</v>
-</b>
-<b>
-<a>65</a>
-<b>73</b>
-<v>5</v>
-</b>
-<b>
-<a>80</a>
-<b>415</b>
-<v>5</v>
-</b>
-<b>
-<a>416</a>
-<b>472</b>
-<v>5</v>
-</b>
-<b>
-<a>478</a>
-<b>479</b>
-<v>2</v>
-</b>
-</bs>
-</hist>
-</val>
-</dep>
-<dep>
-<src>symbol</src>
-<trg>id</trg>
-<val>
-<hist>
-<budget>12</budget>
-<bs>
-<b>
-<a>1</a>
-<b>2</b>
-<v>2</v>
-</b>
-<b>
-<a>2</a>
-<b>3</b>
-<v>10</v>
-</b>
-<b>
-<a>3</a>
-<b>4</b>
-<v>5</v>
-</b>
-<b>
-<a>8</a>
-<b>9</b>
-<v>7</v>
-</b>
-<b>
-<a>10</a>
-<b>17</b>
-<v>5</v>
+<a>17</a>
+<b>27</b>
+<v>9</v>
 </b>
 <b>
 <a>45</a>
 <b>46</b>
-<v>2</v>
+<v>4</v>
 </b>
 <b>
 <a>54</a>
 <b>55</b>
-<v>5</v>
+<v>9</v>
 </b>
 <b>
 <a>57</a>
 <b>58</b>
-<v>5</v>
+<v>9</v>
 </b>
 <b>
-<a>72</a>
-<b>86</b>
-<v>5</v>
+<a>66</a>
+<b>74</b>
+<v>9</v>
 </b>
 <b>
-<a>91</a>
-<b>436</b>
-<v>5</v>
+<a>85</a>
+<b>437</b>
+<v>9</v>
 </b>
 <b>
-<a>454</a>
-<b>500</b>
-<v>5</v>
+<a>459</a>
+<b>532</b>
+<v>9</v>
 </b>
 <b>
-<a>506</a>
-<b>507</b>
-<v>2</v>
+<a>532</a>
+<b>533</b>
+<v>4</v>
 </b>
 </bs>
 </hist>
 </val>
 </dep>
 <dep>
-<src>symbol</src>
-<trg>name</trg>
+<src>name</src>
+<trg>symbol</trg>
 <val>
 <hist>
 <budget>12</budget>
@@ -23008,19 +23093,14 @@
 <b>
 <a>1</a>
 <b>2</b>
-<v>55</v>
-</b>
-<b>
-<a>2</a>
-<b>3</b>
-<v>5</v>
+<v>126</v>
 </b>
 </bs>
 </hist>
 </val>
 </dep>
 <dep>
-<src>symbol</src>
+<src>name</src>
 <trg>declaring_type_id</trg>
 <val>
 <hist>
@@ -23029,113 +23109,428 @@
 <b>
 <a>1</a>
 <b>2</b>
-<v>2</v>
+<v>4</v>
 </b>
 <b>
 <a>2</a>
 <b>3</b>
-<v>10</v>
+<v>19</v>
 </b>
 <b>
 <a>3</a>
-<b>4</b>
-<v>5</v>
+<b>5</b>
+<v>9</v>
+</b>
+<b>
+<a>5</a>
+<b>6</b>
+<v>4</v>
 </b>
 <b>
 <a>8</a>
 <b>9</b>
-<v>7</v>
+<v>9</v>
 </b>
 <b>
-<a>10</a>
-<b>15</b>
-<v>5</v>
+<a>9</a>
+<b>11</b>
+<v>9</v>
 </b>
 <b>
-<a>31</a>
-<b>37</b>
-<v>5</v>
-</b>
-<b>
-<a>49</a>
-<b>51</b>
-<v>5</v>
-</b>
-<b>
-<a>51</a>
-<b>52</b>
-<v>2</v>
-</b>
-<b>
-<a>52</a>
-<b>53</b>
-<v>5</v>
-</b>
-<b>
-<a>63</a>
-<b>120</b>
-<v>5</v>
-</b>
-<b>
-<a>201</a>
-<b>444</b>
-<v>5</v>
-</b>
-<b>
-<a>451</a>
-<b>452</b>
-<v>2</v>
-</b>
-</bs>
-</hist>
-</val>
-</dep>
-<dep>
-<src>symbol</src>
-<trg>type_id</trg>
-<val>
-<hist>
-<budget>12</budget>
-<bs>
-<b>
-<a>1</a>
-<b>2</b>
-<v>7</v>
-</b>
-<b>
-<a>2</a>
-<b>3</b>
-<v>20</v>
-</b>
-<b>
-<a>3</a>
-<b>4</b>
-<v>5</v>
-</b>
-<b>
-<a>8</a>
-<b>9</b>
-<v>7</v>
-</b>
-<b>
-<a>10</a>
-<b>15</b>
-<v>5</v>
+<a>15</a>
+<b>27</b>
+<v>9</v>
 </b>
 <b>
 <a>31</a>
 <b>38</b>
-<v>5</v>
+<v>9</v>
 </b>
 <b>
-<a>51</a>
-<b>64</b>
-<v>5</v>
+<a>49</a>
+<b>51</b>
+<v>9</v>
 </b>
 <b>
-<a>154</a>
-<b>182</b>
-<v>5</v>
+<a>52</a>
+<b>53</b>
+<v>14</v>
+</b>
+<b>
+<a>68</a>
+<b>121</b>
+<v>9</v>
+</b>
+<b>
+<a>206</a>
+<b>476</b>
+<v>9</v>
+</b>
+<b>
+<a>477</a>
+<b>478</b>
+<v>4</v>
+</b>
+</bs>
+</hist>
+</val>
+</dep>
+<dep>
+<src>name</src>
+<trg>type_id</trg>
+<val>
+<hist>
+<budget>12</budget>
+<bs>
+<b>
+<a>1</a>
+<b>2</b>
+<v>14</v>
+</b>
+<b>
+<a>2</a>
+<b>3</b>
+<v>38</v>
+</b>
+<b>
+<a>3</a>
+<b>5</b>
+<v>9</v>
+</b>
+<b>
+<a>5</a>
+<b>6</b>
+<v>4</v>
+</b>
+<b>
+<a>8</a>
+<b>9</b>
+<v>9</v>
+</b>
+<b>
+<a>9</a>
+<b>11</b>
+<v>9</v>
+</b>
+<b>
+<a>15</a>
+<b>27</b>
+<v>9</v>
+</b>
+<b>
+<a>31</a>
+<b>39</b>
+<v>9</v>
+</b>
+<b>
+<a>52</a>
+<b>69</b>
+<v>9</v>
+</b>
+<b>
+<a>155</a>
+<b>186</b>
+<v>9</v>
+</b>
+</bs>
+</hist>
+</val>
+</dep>
+<dep>
+<src>name</src>
+<trg>unbound_id</trg>
+<val>
+<hist>
+<budget>12</budget>
+<bs>
+<b>
+<a>1</a>
+<b>2</b>
+<v>4</v>
+</b>
+<b>
+<a>2</a>
+<b>3</b>
+<v>19</v>
+</b>
+<b>
+<a>3</a>
+<b>5</b>
+<v>9</v>
+</b>
+<b>
+<a>5</a>
+<b>6</b>
+<v>4</v>
+</b>
+<b>
+<a>8</a>
+<b>9</b>
+<v>9</v>
+</b>
+<b>
+<a>9</a>
+<b>11</b>
+<v>9</v>
+</b>
+<b>
+<a>17</a>
+<b>27</b>
+<v>9</v>
+</b>
+<b>
+<a>45</a>
+<b>46</b>
+<v>4</v>
+</b>
+<b>
+<a>53</a>
+<b>54</b>
+<v>9</v>
+</b>
+<b>
+<a>56</a>
+<b>57</b>
+<v>9</v>
+</b>
+<b>
+<a>66</a>
+<b>74</b>
+<v>9</v>
+</b>
+<b>
+<a>85</a>
+<b>415</b>
+<v>9</v>
+</b>
+<b>
+<a>416</a>
+<b>489</b>
+<v>9</v>
+</b>
+<b>
+<a>489</a>
+<b>490</b>
+<v>4</v>
+</b>
+</bs>
+</hist>
+</val>
+</dep>
+<dep>
+<src>symbol</src>
+<trg>id</trg>
+<val>
+<hist>
+<budget>12</budget>
+<bs>
+<b>
+<a>1</a>
+<b>2</b>
+<v>4</v>
+</b>
+<b>
+<a>2</a>
+<b>3</b>
+<v>19</v>
+</b>
+<b>
+<a>3</a>
+<b>5</b>
+<v>9</v>
+</b>
+<b>
+<a>8</a>
+<b>9</b>
+<v>9</v>
+</b>
+<b>
+<a>9</a>
+<b>11</b>
+<v>9</v>
+</b>
+<b>
+<a>17</a>
+<b>46</b>
+<v>9</v>
+</b>
+<b>
+<a>54</a>
+<b>55</b>
+<v>9</v>
+</b>
+<b>
+<a>57</a>
+<b>58</b>
+<v>9</v>
+</b>
+<b>
+<a>73</a>
+<b>91</b>
+<v>9</v>
+</b>
+<b>
+<a>92</a>
+<b>437</b>
+<v>9</v>
+</b>
+<b>
+<a>459</a>
+<b>532</b>
+<v>9</v>
+</b>
+<b>
+<a>532</a>
+<b>533</b>
+<v>4</v>
+</b>
+</bs>
+</hist>
+</val>
+</dep>
+<dep>
+<src>symbol</src>
+<trg>name</trg>
+<val>
+<hist>
+<budget>12</budget>
+<bs>
+<b>
+<a>1</a>
+<b>2</b>
+<v>107</v>
+</b>
+<b>
+<a>2</a>
+<b>3</b>
+<v>9</v>
+</b>
+</bs>
+</hist>
+</val>
+</dep>
+<dep>
+<src>symbol</src>
+<trg>declaring_type_id</trg>
+<val>
+<hist>
+<budget>12</budget>
+<bs>
+<b>
+<a>1</a>
+<b>2</b>
+<v>4</v>
+</b>
+<b>
+<a>2</a>
+<b>3</b>
+<v>19</v>
+</b>
+<b>
+<a>3</a>
+<b>5</b>
+<v>9</v>
+</b>
+<b>
+<a>8</a>
+<b>9</b>
+<v>9</v>
+</b>
+<b>
+<a>9</a>
+<b>11</b>
+<v>9</v>
+</b>
+<b>
+<a>15</a>
+<b>32</b>
+<v>9</v>
+</b>
+<b>
+<a>37</a>
+<b>50</b>
+<v>9</v>
+</b>
+<b>
+<a>50</a>
+<b>51</b>
+<v>4</v>
+</b>
+<b>
+<a>52</a>
+<b>53</b>
+<v>14</v>
+</b>
+<b>
+<a>68</a>
+<b>121</b>
+<v>9</v>
+</b>
+<b>
+<a>206</a>
+<b>476</b>
+<v>9</v>
+</b>
+<b>
+<a>477</a>
+<b>478</b>
+<v>4</v>
+</b>
+</bs>
+</hist>
+</val>
+</dep>
+<dep>
+<src>symbol</src>
+<trg>type_id</trg>
+<val>
+<hist>
+<budget>12</budget>
+<bs>
+<b>
+<a>1</a>
+<b>2</b>
+<v>14</v>
+</b>
+<b>
+<a>2</a>
+<b>3</b>
+<v>38</v>
+</b>
+<b>
+<a>3</a>
+<b>5</b>
+<v>9</v>
+</b>
+<b>
+<a>8</a>
+<b>9</b>
+<v>9</v>
+</b>
+<b>
+<a>9</a>
+<b>11</b>
+<v>9</v>
+</b>
+<b>
+<a>15</a>
+<b>32</b>
+<v>9</v>
+</b>
+<b>
+<a>38</a>
+<b>53</b>
+<v>9</v>
+</b>
+<b>
+<a>68</a>
+<b>156</b>
+<v>9</v>
+</b>
+<b>
+<a>185</a>
+<b>186</b>
+<v>4</v>
 </b>
 </bs>
 </hist>
@@ -23151,62 +23546,62 @@
 <b>
 <a>1</a>
 <b>2</b>
-<v>2</v>
+<v>4</v>
 </b>
 <b>
 <a>2</a>
 <b>3</b>
-<v>10</v>
+<v>19</v>
 </b>
 <b>
 <a>3</a>
-<b>4</b>
-<v>5</v>
+<b>5</b>
+<v>9</v>
 </b>
 <b>
 <a>8</a>
 <b>9</b>
-<v>7</v>
+<v>9</v>
 </b>
 <b>
-<a>10</a>
-<b>17</b>
-<v>5</v>
+<a>9</a>
+<b>11</b>
+<v>9</v>
 </b>
 <b>
-<a>45</a>
+<a>17</a>
 <b>46</b>
-<v>2</v>
+<v>9</v>
 </b>
 <b>
 <a>53</a>
 <b>54</b>
-<v>5</v>
+<v>9</v>
 </b>
 <b>
 <a>56</a>
 <b>57</b>
-<v>5</v>
+<v>9</v>
 </b>
 <b>
-<a>72</a>
-<b>86</b>
-<v>5</v>
+<a>73</a>
+<b>91</b>
+<v>9</v>
 </b>
 <b>
-<a>91</a>
+<a>92</a>
 <b>415</b>
-<v>5</v>
+<v>9</v>
 </b>
 <b>
 <a>416</a>
-<b>472</b>
-<v>5</v>
+<b>489</b>
+<v>9</v>
 </b>
 <b>
-<a>478</a>
-<b>479</b>
-<v>2</v>
+<a>489</a>
+<b>490</b>
+<v>4</v>
 </b>
 </bs>
 </hist>
@@ -23222,42 +23617,37 @@
 <b>
 <a>1</a>
 <b>2</b>
-<v>200</v>
+<v>472</v>
 </b>
 <b>
 <a>2</a>
 <b>3</b>
-<v>742</v>
+<v>1568</v>
 </b>
 <b>
 <a>3</a>
 <b>4</b>
-<v>45</v>
+<v>87</v>
 </b>
 <b>
 <a>4</a>
-<b>5</b>
-<v>115</v>
-</b>
-<b>
-<a>5</a>
 <b>6</b>
-<v>22</v>
+<v>267</v>
 </b>
 <b>
 <a>6</a>
 <b>7</b>
-<v>147</v>
+<v>287</v>
 </b>
 <b>
 <a>7</a>
-<b>15</b>
-<v>112</v>
+<b>16</b>
+<v>228</v>
 </b>
 <b>
-<a>15</a>
+<a>16</a>
 <b>73</b>
-<v>62</v>
+<v>112</v>
 </b>
 </bs>
 </hist>
@@ -23273,32 +23663,32 @@
 <b>
 <a>1</a>
 <b>2</b>
-<v>280</v>
+<v>628</v>
 </b>
 <b>
 <a>2</a>
 <b>3</b>
-<v>726</v>
+<v>1539</v>
 </b>
 <b>
 <a>3</a>
 <b>4</b>
-<v>125</v>
+<v>243</v>
 </b>
 <b>
 <a>4</a>
 <b>5</b>
-<v>142</v>
+<v>272</v>
 </b>
 <b>
 <a>5</a>
 <b>10</b>
-<v>125</v>
+<v>243</v>
 </b>
 <b>
 <a>10</a>
 <b>24</b>
-<v>47</v>
+<v>97</v>
 </b>
 </bs>
 </hist>
@@ -23314,32 +23704,32 @@
 <b>
 <a>1</a>
 <b>2</b>
-<v>280</v>
+<v>628</v>
 </b>
 <b>
 <a>2</a>
 <b>3</b>
-<v>729</v>
+<v>1543</v>
 </b>
 <b>
 <a>3</a>
 <b>4</b>
-<v>122</v>
+<v>238</v>
 </b>
 <b>
 <a>4</a>
 <b>5</b>
-<v>142</v>
+<v>272</v>
 </b>
 <b>
 <a>5</a>
 <b>9</b>
-<v>115</v>
+<v>228</v>
 </b>
 <b>
 <a>9</a>
 <b>22</b>
-<v>57</v>
+<v>112</v>
 </b>
 </bs>
 </hist>
@@ -23355,27 +23745,27 @@
 <b>
 <a>1</a>
 <b>2</b>
-<v>945</v>
+<v>2021</v>
 </b>
 <b>
 <a>2</a>
 <b>3</b>
-<v>203</v>
+<v>418</v>
 </b>
 <b>
 <a>3</a>
 <b>4</b>
-<v>150</v>
+<v>292</v>
 </b>
 <b>
 <a>4</a>
-<b>5</b>
-<v>112</v>
+<b>6</b>
+<v>243</v>
 </b>
 <b>
-<a>5</a>
+<a>8</a>
 <b>39</b>
-<v>37</v>
+<v>48</v>
 </b>
 </bs>
 </hist>
@@ -23391,42 +23781,37 @@
 <b>
 <a>1</a>
 <b>2</b>
-<v>200</v>
+<v>472</v>
 </b>
 <b>
 <a>2</a>
 <b>3</b>
-<v>742</v>
+<v>1568</v>
 </b>
 <b>
 <a>3</a>
 <b>4</b>
-<v>45</v>
+<v>87</v>
 </b>
 <b>
 <a>4</a>
-<b>5</b>
-<v>115</v>
-</b>
-<b>
-<a>5</a>
 <b>6</b>
-<v>22</v>
+<v>267</v>
 </b>
 <b>
 <a>6</a>
 <b>7</b>
-<v>147</v>
+<v>287</v>
 </b>
 <b>
 <a>7</a>
-<b>15</b>
-<v>112</v>
+<b>16</b>
+<v>228</v>
 </b>
 <b>
-<a>15</a>
+<a>16</a>
 <b>73</b>
-<v>62</v>
+<v>112</v>
 </b>
 </bs>
 </hist>
@@ -23442,32 +23827,32 @@
 <b>
 <a>1</a>
 <b>2</b>
-<v>383</v>
+<v>793</v>
 </b>
 <b>
 <a>2</a>
 <b>3</b>
-<v>190</v>
+<v>370</v>
 </b>
 <b>
 <a>3</a>
 <b>5</b>
-<v>62</v>
+<v>121</v>
 </b>
 <b>
 <a>5</a>
 <b>8</b>
-<v>65</v>
+<v>126</v>
 </b>
 <b>
 <a>8</a>
 <b>18</b>
-<v>65</v>
+<v>126</v>
 </b>
 <b>
-<a>18</a>
-<b>1167</b>
-<v>42</v>
+<a>19</a>
+<b>1227</b>
+<v>82</v>
 </b>
 </bs>
 </hist>
@@ -23483,27 +23868,27 @@
 <b>
 <a>1</a>
 <b>2</b>
-<v>596</v>
+<v>1207</v>
 </b>
 <b>
 <a>2</a>
 <b>3</b>
-<v>77</v>
+<v>150</v>
 </b>
 <b>
 <a>3</a>
 <b>5</b>
-<v>60</v>
+<v>116</v>
 </b>
 <b>
 <a>5</a>
 <b>13</b>
-<v>70</v>
+<v>131</v>
 </b>
 <b>
 <a>13</a>
 <b>18</b>
-<v>5</v>
+<v>14</v>
 </b>
 </bs>
 </hist>
@@ -23519,27 +23904,27 @@
 <b>
 <a>1</a>
 <b>2</b>
-<v>596</v>
+<v>1207</v>
 </b>
 <b>
 <a>2</a>
 <b>3</b>
-<v>82</v>
+<v>160</v>
 </b>
 <b>
 <a>3</a>
 <b>5</b>
-<v>65</v>
+<v>126</v>
 </b>
 <b>
 <a>5</a>
 <b>14</b>
-<v>62</v>
+<v>121</v>
 </b>
 <b>
 <a>15</a>
 <b>16</b>
-<v>2</v>
+<v>4</v>
 </b>
 </bs>
 </hist>
@@ -23555,22 +23940,22 @@
 <b>
 <a>1</a>
 <b>2</b>
-<v>626</v>
+<v>1266</v>
 </b>
 <b>
 <a>2</a>
 <b>3</b>
-<v>62</v>
+<v>121</v>
 </b>
 <b>
 <a>3</a>
 <b>6</b>
-<v>65</v>
+<v>126</v>
 </b>
 <b>
 <a>6</a>
-<b>463</b>
-<v>55</v>
+<b>501</b>
+<v>107</v>
 </b>
 </bs>
 </hist>
@@ -23586,32 +23971,32 @@
 <b>
 <a>1</a>
 <b>2</b>
-<v>383</v>
+<v>793</v>
 </b>
 <b>
 <a>2</a>
 <b>3</b>
-<v>190</v>
+<v>370</v>
 </b>
 <b>
 <a>3</a>
 <b>5</b>
-<v>62</v>
+<v>121</v>
 </b>
 <b>
 <a>5</a>
 <b>8</b>
-<v>65</v>
+<v>126</v>
 </b>
 <b>
 <a>8</a>
 <b>18</b>
-<v>65</v>
+<v>126</v>
 </b>
 <b>
-<a>18</a>
-<b>1107</b>
-<v>42</v>
+<a>19</a>
+<b>1137</b>
+<v>82</v>
 </b>
 </bs>
 </hist>
@@ -23627,12 +24012,12 @@
 <b>
 <a>1</a>
 <b>2</b>
-<v>5828</v>
+<v>11509</v>
 </b>
 <b>
 <a>2</a>
-<b>21</b>
-<v>75</v>
+<b>26</b>
+<v>146</v>
 </b>
 </bs>
 </hist>
@@ -23648,7 +24033,7 @@
 <b>
 <a>1</a>
 <b>2</b>
-<v>5903</v>
+<v>11655</v>
 </b>
 </bs>
 </hist>
@@ -23664,7 +24049,7 @@
 <b>
 <a>1</a>
 <b>2</b>
-<v>5903</v>
+<v>11655</v>
 </b>
 </bs>
 </hist>
@@ -23680,12 +24065,12 @@
 <b>
 <a>1</a>
 <b>2</b>
-<v>5828</v>
+<v>11509</v>
 </b>
 <b>
 <a>2</a>
-<b>21</b>
-<v>75</v>
+<b>26</b>
+<v>146</v>
 </b>
 </bs>
 </hist>
@@ -23701,12 +24086,12 @@
 <b>
 <a>1</a>
 <b>2</b>
-<v>5873</v>
+<v>11596</v>
 </b>
 <b>
 <a>2</a>
-<b>21</b>
-<v>30</v>
+<b>22</b>
+<v>58</v>
 </b>
 </bs>
 </hist>
@@ -23716,15 +24101,15 @@
 </relation>
 <relation>
 <name>operator_location</name>
-<cardinality>11639</cardinality>
+<cardinality>22756</cardinality>
 <columnsizes>
 <e>
 <k>id</k>
-<v>1989</v>
+<v>5763</v>
 </e>
 <e>
 <k>loc</k>
-<v>1713</v>
+<v>3229</v>
 </e>
 </columnsizes>
 <dependencies>
@@ -23738,47 +24123,32 @@
 <b>
 <a>1</a>
 <b>2</b>
-<v>438</v>
+<v>858</v>
 </b>
 <b>
 <a>2</a>
 <b>3</b>
-<v>221</v>
+<v>3220</v>
 </b>
 <b>
 <a>3</a>
-<b>6</b>
-<v>182</v>
-</b>
-<b>
-<a>6</a>
-<b>7</b>
-<v>41</v>
-</b>
-<b>
-<a>7</a>
-<b>8</b>
-<v>257</v>
-</b>
-<b>
-<a>8</a>
 <b>9</b>
-<v>122</v>
+<v>395</v>
 </b>
 <b>
 <a>9</a>
-<b>10</b>
-<v>495</v>
+<b>11</b>
+<v>459</v>
 </b>
 <b>
-<a>10</a>
+<a>11</a>
 <b>12</b>
-<v>119</v>
+<v>595</v>
 </b>
 <b>
 <a>12</a>
-<b>13</b>
-<v>108</v>
+<b>14</b>
+<v>233</v>
 </b>
 </bs>
 </hist>
@@ -23794,22 +24164,17 @@
 <b>
 <a>1</a>
 <b>2</b>
-<v>1403</v>
+<v>2830</v>
 </b>
 <b>
 <a>2</a>
-<b>3</b>
-<v>115</v>
+<b>9</b>
+<v>242</v>
 </b>
 <b>
-<a>3</a>
-<b>15</b>
-<v>131</v>
-</b>
-<b>
-<a>21</a>
-<b>793</b>
-<v>63</v>
+<a>9</a>
+<b>2695</b>
+<v>156</v>
 </b>
 </bs>
 </hist>
@@ -23819,15 +24184,15 @@
 </relation>
 <relation>
 <name>constant_value</name>
-<cardinality>95257</cardinality>
+<cardinality>185350</cardinality>
 <columnsizes>
 <e>
 <k>id</k>
-<v>95199</v>
+<v>185238</v>
 </e>
 <e>
 <k>value</k>
-<v>24531</v>
+<v>47853</v>
 </e>
 </columnsizes>
 <dependencies>
@@ -23841,12 +24206,12 @@
 <b>
 <a>1</a>
 <b>2</b>
-<v>95141</v>
+<v>185126</v>
 </b>
 <b>
 <a>2</a>
 <b>3</b>
-<v>57</v>
+<v>112</v>
 </b>
 </bs>
 </hist>
@@ -23862,27 +24227,27 @@
 <b>
 <a>1</a>
 <b>2</b>
-<v>16848</v>
+<v>32891</v>
 </b>
 <b>
 <a>2</a>
 <b>3</b>
-<v>3705</v>
+<v>7218</v>
 </b>
 <b>
 <a>3</a>
 <b>4</b>
-<v>1995</v>
+<v>3886</v>
 </b>
 <b>
 <a>4</a>
-<b>60</b>
-<v>1842</v>
+<b>61</b>
+<v>3589</v>
 </b>
 <b>
-<a>60</a>
+<a>61</a>
 <b>2421</b>
-<v>140</v>
+<v>267</v>
 </b>
 </bs>
 </hist>
@@ -23892,27 +24257,27 @@
 </relation>
 <relation>
 <name>methods</name>
-<cardinality>549172</cardinality>
+<cardinality>1117636</cardinality>
 <columnsizes>
 <e>
 <k>id</k>
-<v>549172</v>
+<v>1117636</v>
 </e>
 <e>
 <k>name</k>
-<v>68273</v>
+<v>133590</v>
 </e>
 <e>
 <k>declaring_type_id</k>
-<v>101140</v>
+<v>202387</v>
 </e>
 <e>
 <k>type_id</k>
-<v>54054</v>
+<v>112876</v>
 </e>
 <e>
 <k>unbound_id</k>
-<v>357745</v>
+<v>696553</v>
 </e>
 </columnsizes>
 <dependencies>
@@ -23926,7 +24291,7 @@
 <b>
 <a>1</a>
 <b>2</b>
-<v>549172</v>
+<v>1117636</v>
 </b>
 </bs>
 </hist>
@@ -23942,7 +24307,7 @@
 <b>
 <a>1</a>
 <b>2</b>
-<v>549172</v>
+<v>1117636</v>
 </b>
 </bs>
 </hist>
@@ -23958,7 +24323,7 @@
 <b>
 <a>1</a>
 <b>2</b>
-<v>549172</v>
+<v>1117636</v>
 </b>
 </bs>
 </hist>
@@ -23974,7 +24339,7 @@
 <b>
 <a>1</a>
 <b>2</b>
-<v>549172</v>
+<v>1117636</v>
 </b>
 </bs>
 </hist>
@@ -23990,32 +24355,32 @@
 <b>
 <a>1</a>
 <b>2</b>
-<v>35183</v>
+<v>69142</v>
 </b>
 <b>
 <a>2</a>
 <b>3</b>
-<v>12138</v>
+<v>23617</v>
 </b>
 <b>
 <a>3</a>
 <b>4</b>
-<v>5557</v>
+<v>10832</v>
 </b>
 <b>
 <a>4</a>
 <b>6</b>
-<v>5404</v>
+<v>10423</v>
 </b>
 <b>
 <a>6</a>
 <b>12</b>
-<v>5429</v>
+<v>10569</v>
 </b>
 <b>
 <a>12</a>
-<b>5061</b>
-<v>4559</v>
+<b>5621</b>
+<v>9005</v>
 </b>
 </bs>
 </hist>
@@ -24031,32 +24396,32 @@
 <b>
 <a>1</a>
 <b>2</b>
-<v>40500</v>
+<v>79512</v>
 </b>
 <b>
 <a>2</a>
 <b>3</b>
-<v>9934</v>
+<v>19341</v>
 </b>
 <b>
 <a>3</a>
 <b>4</b>
-<v>5820</v>
+<v>11314</v>
 </b>
 <b>
 <a>4</a>
 <b>7</b>
-<v>5698</v>
+<v>11046</v>
 </b>
 <b>
 <a>7</a>
-<b>32</b>
-<v>5131</v>
+<b>33</b>
+<v>10106</v>
 </b>
 <b>
-<a>32</a>
-<b>4959</b>
-<v>1188</v>
+<a>33</a>
+<b>5029</b>
+<v>2269</v>
 </b>
 </bs>
 </hist>
@@ -24072,22 +24437,22 @@
 <b>
 <a>1</a>
 <b>2</b>
-<v>57652</v>
+<v>112856</v>
 </b>
 <b>
 <a>2</a>
 <b>3</b>
-<v>5432</v>
+<v>10593</v>
 </b>
 <b>
 <a>3</a>
-<b>126</b>
-<v>5121</v>
+<b>174</b>
+<v>10023</v>
 </b>
 <b>
-<a>137</a>
-<b>2143</b>
-<v>67</v>
+<a>177</a>
+<b>2703</b>
+<v>116</v>
 </b>
 </bs>
 </hist>
@@ -24103,32 +24468,32 @@
 <b>
 <a>1</a>
 <b>2</b>
-<v>36040</v>
+<v>70881</v>
 </b>
 <b>
 <a>2</a>
 <b>3</b>
-<v>12589</v>
+<v>24484</v>
 </b>
 <b>
 <a>3</a>
 <b>4</b>
-<v>5607</v>
+<v>10905</v>
 </b>
 <b>
 <a>4</a>
 <b>6</b>
-<v>5512</v>
+<v>10720</v>
 </b>
 <b>
 <a>6</a>
 <b>12</b>
-<v>5149</v>
+<v>10028</v>
 </b>
 <b>
 <a>12</a>
 <b>4958</b>
-<v>3374</v>
+<v>6570</v>
 </b>
 </bs>
 </hist>
@@ -24144,42 +24509,42 @@
 <b>
 <a>1</a>
 <b>2</b>
-<v>30224</v>
+<v>59752</v>
 </b>
 <b>
 <a>2</a>
 <b>3</b>
-<v>21964</v>
+<v>42983</v>
 </b>
 <b>
 <a>3</a>
 <b>4</b>
-<v>15156</v>
+<v>31619</v>
 </b>
 <b>
 <a>4</a>
 <b>5</b>
-<v>7172</v>
+<v>14251</v>
 </b>
 <b>
 <a>5</a>
 <b>6</b>
-<v>7264</v>
+<v>14787</v>
 </b>
 <b>
 <a>6</a>
 <b>10</b>
-<v>8104</v>
+<v>16097</v>
 </b>
 <b>
 <a>10</a>
 <b>23</b>
-<v>7831</v>
+<v>15654</v>
 </b>
 <b>
 <a>23</a>
-<b>1055</b>
-<v>3421</v>
+<b>1309</b>
+<v>7242</v>
 </b>
 </bs>
 </hist>
@@ -24195,37 +24560,37 @@
 <b>
 <a>1</a>
 <b>2</b>
-<v>32832</v>
+<v>64817</v>
 </b>
 <b>
 <a>2</a>
 <b>3</b>
-<v>22819</v>
+<v>44668</v>
 </b>
 <b>
 <a>3</a>
 <b>4</b>
-<v>16580</v>
+<v>34717</v>
 </b>
 <b>
 <a>4</a>
 <b>5</b>
-<v>9122</v>
+<v>18191</v>
 </b>
 <b>
 <a>5</a>
 <b>8</b>
-<v>8951</v>
+<v>18157</v>
 </b>
 <b>
 <a>8</a>
 <b>18</b>
-<v>7600</v>
+<v>15249</v>
 </b>
 <b>
 <a>18</a>
 <b>457</b>
-<v>3233</v>
+<v>6585</v>
 </b>
 </bs>
 </hist>
@@ -24241,32 +24606,32 @@
 <b>
 <a>1</a>
 <b>2</b>
-<v>49695</v>
+<v>97825</v>
 </b>
 <b>
 <a>2</a>
 <b>3</b>
-<v>23712</v>
+<v>49231</v>
 </b>
 <b>
 <a>3</a>
 <b>4</b>
-<v>11686</v>
+<v>22945</v>
 </b>
 <b>
 <a>4</a>
 <b>5</b>
-<v>5946</v>
+<v>11621</v>
 </b>
 <b>
 <a>5</a>
-<b>11</b>
-<v>7863</v>
+<b>10</b>
+<v>15205</v>
 </b>
 <b>
-<a>11</a>
-<b>595</b>
-<v>2236</v>
+<a>10</a>
+<b>738</b>
+<v>5557</v>
 </b>
 </bs>
 </hist>
@@ -24282,42 +24647,42 @@
 <b>
 <a>1</a>
 <b>2</b>
-<v>30277</v>
+<v>59859</v>
 </b>
 <b>
 <a>2</a>
 <b>3</b>
-<v>21994</v>
+<v>43060</v>
 </b>
 <b>
 <a>3</a>
 <b>4</b>
-<v>15158</v>
+<v>31619</v>
 </b>
 <b>
 <a>4</a>
 <b>5</b>
-<v>7184</v>
+<v>14285</v>
 </b>
 <b>
 <a>5</a>
 <b>6</b>
-<v>7267</v>
+<v>14806</v>
 </b>
 <b>
 <a>6</a>
 <b>10</b>
-<v>8069</v>
+<v>16014</v>
 </b>
 <b>
 <a>10</a>
 <b>23</b>
-<v>8069</v>
+<v>16111</v>
 </b>
 <b>
 <a>23</a>
 <b>698</b>
-<v>3118</v>
+<v>6628</v>
 </b>
 </bs>
 </hist>
@@ -24333,27 +24698,27 @@
 <b>
 <a>1</a>
 <b>2</b>
-<v>35802</v>
+<v>75435</v>
 </b>
 <b>
 <a>2</a>
 <b>3</b>
-<v>6943</v>
+<v>14480</v>
 </b>
 <b>
 <a>3</a>
 <b>4</b>
-<v>4078</v>
+<v>8309</v>
 </b>
 <b>
 <a>4</a>
-<b>9</b>
-<v>4086</v>
+<b>10</b>
+<v>8825</v>
 </b>
 <b>
-<a>9</a>
-<b>59685</b>
-<v>3143</v>
+<a>10</a>
+<b>62283</b>
+<v>5825</v>
 </b>
 </bs>
 </hist>
@@ -24369,22 +24734,22 @@
 <b>
 <a>1</a>
 <b>2</b>
-<v>43794</v>
+<v>91567</v>
 </b>
 <b>
 <a>2</a>
 <b>3</b>
-<v>4717</v>
+<v>9614</v>
 </b>
 <b>
 <a>3</a>
-<b>9</b>
-<v>4203</v>
+<b>8</b>
+<v>8664</v>
 </b>
 <b>
-<a>9</a>
-<b>7612</b>
-<v>1338</v>
+<a>8</a>
+<b>7666</b>
+<v>3029</v>
 </b>
 </bs>
 </hist>
@@ -24400,22 +24765,22 @@
 <b>
 <a>1</a>
 <b>2</b>
-<v>41733</v>
+<v>87393</v>
 </b>
 <b>
 <a>2</a>
 <b>3</b>
-<v>6603</v>
+<v>13978</v>
 </b>
 <b>
 <a>3</a>
-<b>7</b>
-<v>4101</v>
+<b>8</b>
+<v>8801</v>
 </b>
 <b>
-<a>7</a>
-<b>19179</b>
-<v>1616</v>
+<a>8</a>
+<b>19699</b>
+<v>2703</v>
 </b>
 </bs>
 </hist>
@@ -24431,27 +24796,27 @@
 <b>
 <a>1</a>
 <b>2</b>
-<v>35852</v>
+<v>75547</v>
 </b>
 <b>
 <a>2</a>
 <b>3</b>
-<v>6984</v>
+<v>14538</v>
 </b>
 <b>
 <a>3</a>
 <b>4</b>
-<v>4103</v>
+<v>8382</v>
 </b>
 <b>
 <a>4</a>
-<b>9</b>
-<v>4061</v>
+<b>10</b>
+<v>8762</v>
 </b>
 <b>
-<a>9</a>
-<b>44405</b>
-<v>3053</v>
+<a>10</a>
+<b>44480</b>
+<v>5645</v>
 </b>
 </bs>
 </hist>
@@ -24467,12 +24832,12 @@
 <b>
 <a>1</a>
 <b>2</b>
-<v>344231</v>
+<v>669658</v>
 </b>
 <b>
 <a>2</a>
-<b>1207</b>
-<v>13514</v>
+<b>1367</b>
+<v>26895</v>
 </b>
 </bs>
 </hist>
@@ -24488,7 +24853,7 @@
 <b>
 <a>1</a>
 <b>2</b>
-<v>357745</v>
+<v>696553</v>
 </b>
 </bs>
 </hist>
@@ -24504,12 +24869,12 @@
 <b>
 <a>1</a>
 <b>2</b>
-<v>345048</v>
+<v>671523</v>
 </b>
 <b>
 <a>2</a>
-<b>1207</b>
-<v>12697</v>
+<b>1367</b>
+<v>25029</v>
 </b>
 </bs>
 </hist>
@@ -24525,12 +24890,12 @@
 <b>
 <a>1</a>
 <b>2</b>
-<v>352528</v>
+<v>686189</v>
 </b>
 <b>
 <a>2</a>
-<b>1207</b>
-<v>5216</v>
+<b>1367</b>
+<v>10364</v>
 </b>
 </bs>
 </hist>
@@ -24540,15 +24905,15 @@
 </relation>
 <relation>
 <name>method_location</name>
-<cardinality>622013</cardinality>
+<cardinality>1281341</cardinality>
 <columnsizes>
 <e>
 <k>id</k>
-<v>549172</v>
+<v>1117636</v>
 </e>
 <e>
 <k>loc</k>
-<v>15472</v>
+<v>40830</v>
 </e>
 </columnsizes>
 <dependencies>
@@ -24562,17 +24927,17 @@
 <b>
 <a>1</a>
 <b>2</b>
-<v>488331</v>
+<v>987264</v>
 </b>
 <b>
 <a>2</a>
 <b>3</b>
-<v>49469</v>
+<v>98264</v>
 </b>
 <b>
 <a>3</a>
 <b>119</b>
-<v>11371</v>
+<v>32106</v>
 </b>
 </bs>
 </hist>
@@ -24588,17 +24953,17 @@
 <b>
 <a>1</a>
 <b>2</b>
-<v>13409</v>
+<v>36217</v>
 </b>
 <b>
 <a>2</a>
-<b>37</b>
-<v>1160</v>
+<b>51</b>
+<v>3078</v>
 </b>
 <b>
-<a>37</a>
-<b>23908</b>
-<v>902</v>
+<a>51</a>
+<b>27732</b>
+<v>1534</v>
 </b>
 </bs>
 </hist>
@@ -24608,23 +24973,23 @@
 </relation>
 <relation>
 <name>constructors</name>
-<cardinality>138720</cardinality>
+<cardinality>277979</cardinality>
 <columnsizes>
 <e>
 <k>id</k>
-<v>138720</v>
+<v>277979</v>
 </e>
 <e>
 <k>name</k>
-<v>68664</v>
+<v>133464</v>
 </e>
 <e>
 <k>declaring_type_id</k>
-<v>107588</v>
+<v>212319</v>
 </e>
 <e>
 <k>unbound_id</k>
-<v>114690</v>
+<v>223248</v>
 </e>
 </columnsizes>
 <dependencies>
@@ -24638,7 +25003,7 @@
 <b>
 <a>1</a>
 <b>2</b>
-<v>138720</v>
+<v>277979</v>
 </b>
 </bs>
 </hist>
@@ -24654,7 +25019,7 @@
 <b>
 <a>1</a>
 <b>2</b>
-<v>138720</v>
+<v>277979</v>
 </b>
 </bs>
 </hist>
@@ -24670,7 +25035,7 @@
 <b>
 <a>1</a>
 <b>2</b>
-<v>138720</v>
+<v>277979</v>
 </b>
 </bs>
 </hist>
@@ -24686,22 +25051,22 @@
 <b>
 <a>1</a>
 <b>2</b>
-<v>52686</v>
+<v>102185</v>
 </b>
 <b>
 <a>2</a>
 <b>3</b>
-<v>9766</v>
+<v>19170</v>
 </b>
 <b>
 <a>3</a>
 <b>8</b>
-<v>5271</v>
+<v>10247</v>
 </b>
 <b>
 <a>8</a>
 <b>2183</b>
-<v>940</v>
+<v>1860</v>
 </b>
 </bs>
 </hist>
@@ -24717,17 +25082,17 @@
 <b>
 <a>1</a>
 <b>2</b>
-<v>63031</v>
+<v>122480</v>
 </b>
 <b>
 <a>2</a>
 <b>11</b>
-<v>5181</v>
+<v>10082</v>
 </b>
 <b>
 <a>11</a>
 <b>2183</b>
-<v>451</v>
+<v>901</v>
 </b>
 </bs>
 </hist>
@@ -24743,22 +25108,22 @@
 <b>
 <a>1</a>
 <b>2</b>
-<v>53132</v>
+<v>103066</v>
 </b>
 <b>
 <a>2</a>
 <b>3</b>
-<v>9846</v>
+<v>19326</v>
 </b>
 <b>
 <a>3</a>
 <b>10</b>
-<v>5179</v>
+<v>10087</v>
 </b>
 <b>
 <a>10</a>
 <b>2183</b>
-<v>506</v>
+<v>983</v>
 </b>
 </bs>
 </hist>
@@ -24774,17 +25139,17 @@
 <b>
 <a>1</a>
 <b>2</b>
-<v>91484</v>
+<v>179651</v>
 </b>
 <b>
 <a>2</a>
 <b>3</b>
-<v>9914</v>
+<v>19750</v>
 </b>
 <b>
 <a>3</a>
 <b>20</b>
-<v>6189</v>
+<v>12916</v>
 </b>
 </bs>
 </hist>
@@ -24800,7 +25165,7 @@
 <b>
 <a>1</a>
 <b>2</b>
-<v>107588</v>
+<v>212319</v>
 </b>
 </bs>
 </hist>
@@ -24816,17 +25181,17 @@
 <b>
 <a>1</a>
 <b>2</b>
-<v>91484</v>
+<v>179651</v>
 </b>
 <b>
 <a>2</a>
 <b>3</b>
-<v>9914</v>
+<v>19750</v>
 </b>
 <b>
 <a>3</a>
 <b>20</b>
-<v>6189</v>
+<v>12916</v>
 </b>
 </bs>
 </hist>
@@ -24842,12 +25207,12 @@
 <b>
 <a>1</a>
 <b>2</b>
-<v>113489</v>
+<v>220793</v>
 </b>
 <b>
 <a>2</a>
-<b>612</b>
-<v>1200</v>
+<b>780</b>
+<v>2454</v>
 </b>
 </bs>
 </hist>
@@ -24863,7 +25228,7 @@
 <b>
 <a>1</a>
 <b>2</b>
-<v>114690</v>
+<v>223248</v>
 </b>
 </bs>
 </hist>
@@ -24879,12 +25244,12 @@
 <b>
 <a>1</a>
 <b>2</b>
-<v>113489</v>
+<v>220793</v>
 </b>
 <b>
 <a>2</a>
-<b>612</b>
-<v>1200</v>
+<b>780</b>
+<v>2454</v>
 </b>
 </bs>
 </hist>
@@ -24894,15 +25259,15 @@
 </relation>
 <relation>
 <name>constructor_location</name>
-<cardinality>159509</cardinality>
+<cardinality>321707</cardinality>
 <columnsizes>
 <e>
 <k>id</k>
-<v>138720</v>
+<v>277979</v>
 </e>
 <e>
 <k>loc</k>
-<v>10914</v>
+<v>24771</v>
 </e>
 </columnsizes>
 <dependencies>
@@ -24916,17 +25281,17 @@
 <b>
 <a>1</a>
 <b>2</b>
-<v>120137</v>
+<v>238659</v>
 </b>
 <b>
 <a>2</a>
 <b>3</b>
-<v>17760</v>
+<v>37639</v>
 </b>
 <b>
 <a>3</a>
 <b>87</b>
-<v>822</v>
+<v>1680</v>
 </b>
 </bs>
 </hist>
@@ -24942,22 +25307,22 @@
 <b>
 <a>1</a>
 <b>2</b>
-<v>8122</v>
+<v>19000</v>
 </b>
 <b>
 <a>2</a>
 <b>3</b>
-<v>1484</v>
+<v>3180</v>
 </b>
 <b>
 <a>3</a>
-<b>38</b>
-<v>819</v>
+<b>59</b>
+<v>1865</v>
 </b>
 <b>
-<a>38</a>
-<b>3935</b>
-<v>488</v>
+<a>59</a>
+<b>4796</b>
+<v>725</v>
 </b>
 </bs>
 </hist>
@@ -24967,23 +25332,23 @@
 </relation>
 <relation>
 <name>destructors</name>
-<cardinality>225</cardinality>
+<cardinality>443</cardinality>
 <columnsizes>
 <e>
 <k>id</k>
-<v>225</v>
+<v>443</v>
 </e>
 <e>
 <k>name</k>
-<v>213</v>
+<v>414</v>
 </e>
 <e>
 <k>declaring_type_id</k>
-<v>225</v>
+<v>443</v>
 </e>
 <e>
 <k>unbound_id</k>
-<v>220</v>
+<v>428</v>
 </e>
 </columnsizes>
 <dependencies>
@@ -24997,7 +25362,7 @@
 <b>
 <a>1</a>
 <b>2</b>
-<v>225</v>
+<v>443</v>
 </b>
 </bs>
 </hist>
@@ -25013,7 +25378,7 @@
 <b>
 <a>1</a>
 <b>2</b>
-<v>225</v>
+<v>443</v>
 </b>
 </bs>
 </hist>
@@ -25029,7 +25394,7 @@
 <b>
 <a>1</a>
 <b>2</b>
-<v>225</v>
+<v>443</v>
 </b>
 </bs>
 </hist>
@@ -25045,12 +25410,12 @@
 <b>
 <a>1</a>
 <b>2</b>
-<v>203</v>
+<v>394</v>
 </b>
 <b>
 <a>2</a>
 <b>4</b>
-<v>10</v>
+<v>19</v>
 </b>
 </bs>
 </hist>
@@ -25066,12 +25431,12 @@
 <b>
 <a>1</a>
 <b>2</b>
-<v>203</v>
+<v>394</v>
 </b>
 <b>
 <a>2</a>
 <b>4</b>
-<v>10</v>
+<v>19</v>
 </b>
 </bs>
 </hist>
@@ -25087,12 +25452,12 @@
 <b>
 <a>1</a>
 <b>2</b>
-<v>205</v>
+<v>399</v>
 </b>
 <b>
 <a>2</a>
 <b>3</b>
-<v>7</v>
+<v>14</v>
 </b>
 </bs>
 </hist>
@@ -25108,7 +25473,7 @@
 <b>
 <a>1</a>
 <b>2</b>
-<v>225</v>
+<v>443</v>
 </b>
 </bs>
 </hist>
@@ -25124,7 +25489,7 @@
 <b>
 <a>1</a>
 <b>2</b>
-<v>225</v>
+<v>443</v>
 </b>
 </bs>
 </hist>
@@ -25140,7 +25505,7 @@
 <b>
 <a>1</a>
 <b>2</b>
-<v>225</v>
+<v>443</v>
 </b>
 </bs>
 </hist>
@@ -25156,12 +25521,12 @@
 <b>
 <a>1</a>
 <b>2</b>
-<v>218</v>
+<v>418</v>
 </b>
 <b>
-<a>3</a>
+<a>2</a>
 <b>4</b>
-<v>2</v>
+<v>9</v>
 </b>
 </bs>
 </hist>
@@ -25177,7 +25542,7 @@
 <b>
 <a>1</a>
 <b>2</b>
-<v>220</v>
+<v>428</v>
 </b>
 </bs>
 </hist>
@@ -25193,12 +25558,12 @@
 <b>
 <a>1</a>
 <b>2</b>
-<v>218</v>
+<v>418</v>
 </b>
 <b>
-<a>3</a>
+<a>2</a>
 <b>4</b>
-<v>2</v>
+<v>9</v>
 </b>
 </bs>
 </hist>
@@ -25208,15 +25573,15 @@
 </relation>
 <relation>
 <name>destructor_location</name>
-<cardinality>494</cardinality>
+<cardinality>659</cardinality>
 <columnsizes>
 <e>
 <k>id</k>
-<v>125</v>
+<v>165</v>
 </e>
 <e>
 <k>loc</k>
-<v>230</v>
+<v>329</v>
 </e>
 </columnsizes>
 <dependencies>
@@ -25230,42 +25595,47 @@
 <b>
 <a>1</a>
 <b>2</b>
-<v>34</v>
+<v>32</v>
 </b>
 <b>
 <a>2</a>
 <b>3</b>
-<v>17</v>
+<v>44</v>
 </b>
 <b>
 <a>3</a>
 <b>4</b>
-<v>6</v>
+<v>9</v>
 </b>
 <b>
 <a>4</a>
 <b>5</b>
-<v>14</v>
+<v>16</v>
 </b>
 <b>
 <a>5</a>
 <b>6</b>
-<v>17</v>
+<v>6</v>
 </b>
 <b>
 <a>6</a>
 <b>7</b>
-<v>13</v>
+<v>29</v>
 </b>
 <b>
 <a>7</a>
 <b>9</b>
-<v>9</v>
+<v>12</v>
 </b>
 <b>
 <a>9</a>
 <b>11</b>
-<v>10</v>
+<v>12</v>
+</b>
+<b>
+<a>11</a>
+<b>12</b>
+<v>1</v>
 </b>
 </bs>
 </hist>
@@ -25281,27 +25651,22 @@
 <b>
 <a>1</a>
 <b>2</b>
-<v>175</v>
+<v>259</v>
 </b>
 <b>
 <a>2</a>
 <b>3</b>
-<v>14</v>
-</b>
-<b>
-<a>3</a>
-<b>4</b>
-<v>12</v>
-</b>
-<b>
-<a>4</a>
-<b>9</b>
 <v>19</v>
 </b>
 <b>
-<a>9</a>
-<b>26</b>
-<v>8</v>
+<a>3</a>
+<b>5</b>
+<v>28</v>
+</b>
+<b>
+<a>5</a>
+<b>27</b>
+<v>21</v>
 </b>
 </bs>
 </hist>
@@ -25311,15 +25676,15 @@
 </relation>
 <relation>
 <name>overrides</name>
-<cardinality>140510</cardinality>
+<cardinality>273927</cardinality>
 <columnsizes>
 <e>
 <k>id</k>
-<v>140498</v>
+<v>273902</v>
 </e>
 <e>
 <k>base_id</k>
-<v>33661</v>
+<v>65402</v>
 </e>
 </columnsizes>
 <dependencies>
@@ -25333,12 +25698,12 @@
 <b>
 <a>1</a>
 <b>2</b>
-<v>140485</v>
+<v>273878</v>
 </b>
 <b>
 <a>2</a>
 <b>3</b>
-<v>12</v>
+<v>24</v>
 </b>
 </bs>
 </hist>
@@ -25354,32 +25719,32 @@
 <b>
 <a>1</a>
 <b>2</b>
-<v>20716</v>
+<v>40250</v>
 </b>
 <b>
 <a>2</a>
 <b>3</b>
-<v>5389</v>
+<v>10471</v>
 </b>
 <b>
 <a>3</a>
 <b>4</b>
-<v>2206</v>
+<v>4286</v>
 </b>
 <b>
 <a>4</a>
 <b>7</b>
-<v>2752</v>
+<v>5338</v>
 </b>
 <b>
 <a>7</a>
-<b>216</b>
-<v>2526</v>
+<b>184</b>
+<v>4909</v>
 </b>
 <b>
-<a>217</a>
-<b>1317</b>
-<v>70</v>
+<a>215</a>
+<b>1329</b>
+<v>146</v>
 </b>
 </bs>
 </hist>
@@ -25389,15 +25754,15 @@
 </relation>
 <relation>
 <name>explicitly_implements</name>
-<cardinality>74568</cardinality>
+<cardinality>156755</cardinality>
 <columnsizes>
 <e>
 <k>id</k>
-<v>74568</v>
+<v>156755</v>
 </e>
 <e>
 <k>interface_id</k>
-<v>6111</v>
+<v>13282</v>
 </e>
 </columnsizes>
 <dependencies>
@@ -25411,7 +25776,7 @@
 <b>
 <a>1</a>
 <b>2</b>
-<v>74568</v>
+<v>156755</v>
 </b>
 </bs>
 </hist>
@@ -25427,37 +25792,37 @@
 <b>
 <a>1</a>
 <b>2</b>
-<v>3171</v>
+<v>6770</v>
 </b>
 <b>
 <a>2</a>
 <b>3</b>
-<v>1057</v>
+<v>2488</v>
 </b>
 <b>
 <a>3</a>
 <b>4</b>
-<v>604</v>
+<v>1183</v>
 </b>
 <b>
 <a>4</a>
 <b>5</b>
-<v>210</v>
+<v>457</v>
 </b>
 <b>
 <a>5</a>
 <b>7</b>
-<v>491</v>
+<v>1207</v>
 </b>
 <b>
 <a>7</a>
-<b>41</b>
-<v>458</v>
+<b>58</b>
+<v>998</v>
 </b>
 <b>
-<a>42</a>
+<a>58</a>
 <b>7851</b>
-<v>117</v>
+<v>175</v>
 </b>
 </bs>
 </hist>
@@ -25467,23 +25832,23 @@
 </relation>
 <relation>
 <name>local_functions</name>
-<cardinality>488</cardinality>
+<cardinality>1801</cardinality>
 <columnsizes>
 <e>
 <k>id</k>
-<v>488</v>
+<v>1801</v>
 </e>
 <e>
 <k>name</k>
-<v>271</v>
+<v>1034</v>
 </e>
 <e>
 <k>return_type</k>
-<v>47</v>
+<v>184</v>
 </e>
 <e>
 <k>unbound_id</k>
-<v>488</v>
+<v>1792</v>
 </e>
 </columnsizes>
 <dependencies>
@@ -25497,7 +25862,7 @@
 <b>
 <a>1</a>
 <b>2</b>
-<v>488</v>
+<v>1801</v>
 </b>
 </bs>
 </hist>
@@ -25513,7 +25878,7 @@
 <b>
 <a>1</a>
 <b>2</b>
-<v>488</v>
+<v>1801</v>
 </b>
 </bs>
 </hist>
@@ -25529,7 +25894,7 @@
 <b>
 <a>1</a>
 <b>2</b>
-<v>488</v>
+<v>1801</v>
 </b>
 </bs>
 </hist>
@@ -25545,22 +25910,17 @@
 <b>
 <a>1</a>
 <b>2</b>
-<v>227</v>
+<v>892</v>
 </b>
 <b>
 <a>2</a>
 <b>3</b>
-<v>18</v>
+<v>80</v>
 </b>
 <b>
 <a>3</a>
-<b>14</b>
-<v>22</v>
-</b>
-<b>
-<a>14</a>
-<b>38</b>
-<v>4</v>
+<b>137</b>
+<v>62</v>
 </b>
 </bs>
 </hist>
@@ -25576,12 +25936,12 @@
 <b>
 <a>1</a>
 <b>2</b>
-<v>269</v>
+<v>1026</v>
 </b>
 <b>
 <a>2</a>
-<b>3</b>
-<v>2</v>
+<b>4</b>
+<v>8</v>
 </b>
 </bs>
 </hist>
@@ -25597,22 +25957,17 @@
 <b>
 <a>1</a>
 <b>2</b>
-<v>227</v>
+<v>894</v>
 </b>
 <b>
 <a>2</a>
 <b>3</b>
-<v>18</v>
+<v>82</v>
 </b>
 <b>
 <a>3</a>
-<b>14</b>
-<v>22</v>
-</b>
-<b>
-<a>14</a>
-<b>38</b>
-<v>4</v>
+<b>137</b>
+<v>58</v>
 </b>
 </bs>
 </hist>
@@ -25628,27 +25983,22 @@
 <b>
 <a>1</a>
 <b>2</b>
-<v>30</v>
+<v>128</v>
 </b>
 <b>
 <a>2</a>
 <b>3</b>
-<v>7</v>
+<v>29</v>
 </b>
 <b>
 <a>3</a>
-<b>4</b>
-<v>3</v>
+<b>7</b>
+<v>15</v>
 </b>
 <b>
-<a>4</a>
-<b>11</b>
-<v>4</v>
-</b>
-<b>
-<a>26</a>
-<b>336</b>
-<v>3</v>
+<a>7</a>
+<b>1134</b>
+<v>12</v>
 </b>
 </bs>
 </hist>
@@ -25664,22 +26014,22 @@
 <b>
 <a>1</a>
 <b>2</b>
-<v>33</v>
+<v>136</v>
 </b>
 <b>
 <a>2</a>
 <b>3</b>
-<v>7</v>
+<v>25</v>
 </b>
 <b>
 <a>3</a>
-<b>6</b>
-<v>4</v>
+<b>9</b>
+<v>14</v>
 </b>
 <b>
-<a>26</a>
-<b>136</b>
-<v>3</v>
+<a>9</a>
+<b>427</b>
+<v>9</v>
 </b>
 </bs>
 </hist>
@@ -25695,27 +26045,22 @@
 <b>
 <a>1</a>
 <b>2</b>
-<v>30</v>
+<v>128</v>
 </b>
 <b>
 <a>2</a>
 <b>3</b>
-<v>7</v>
+<v>30</v>
 </b>
 <b>
 <a>3</a>
-<b>4</b>
-<v>3</v>
+<b>7</b>
+<v>14</v>
 </b>
 <b>
-<a>4</a>
-<b>11</b>
-<v>4</v>
-</b>
-<b>
-<a>26</a>
-<b>336</b>
-<v>3</v>
+<a>7</a>
+<b>1132</b>
+<v>12</v>
 </b>
 </bs>
 </hist>
@@ -25731,7 +26076,12 @@
 <b>
 <a>1</a>
 <b>2</b>
-<v>488</v>
+<v>1788</v>
+</b>
+<b>
+<a>3</a>
+<b>5</b>
+<v>4</v>
 </b>
 </bs>
 </hist>
@@ -25747,7 +26097,7 @@
 <b>
 <a>1</a>
 <b>2</b>
-<v>488</v>
+<v>1792</v>
 </b>
 </bs>
 </hist>
@@ -25763,7 +26113,12 @@
 <b>
 <a>1</a>
 <b>2</b>
-<v>488</v>
+<v>1791</v>
+</b>
+<b>
+<a>3</a>
+<b>4</b>
+<v>1</v>
 </b>
 </bs>
 </hist>
@@ -25773,15 +26128,15 @@
 </relation>
 <relation>
 <name>local_function_stmts</name>
-<cardinality>488</cardinality>
+<cardinality>1792</cardinality>
 <columnsizes>
 <e>
 <k>fn</k>
-<v>488</v>
+<v>1792</v>
 </e>
 <e>
 <k>stmt</k>
-<v>488</v>
+<v>1792</v>
 </e>
 </columnsizes>
 <dependencies>
@@ -25795,7 +26150,7 @@
 <b>
 <a>1</a>
 <b>2</b>
-<v>488</v>
+<v>1792</v>
 </b>
 </bs>
 </hist>
@@ -25811,7 +26166,7 @@
 <b>
 <a>1</a>
 <b>2</b>
-<v>488</v>
+<v>1792</v>
 </b>
 </bs>
 </hist>
@@ -25821,31 +26176,31 @@
 </relation>
 <relation>
 <name>fields</name>
-<cardinality>283465</cardinality>
+<cardinality>556636</cardinality>
 <columnsizes>
 <e>
 <k>id</k>
-<v>283465</v>
+<v>556636</v>
 </e>
 <e>
 <k>kind</k>
-<v>5</v>
+<v>9</v>
 </e>
 <e>
 <k>name</k>
-<v>111604</v>
+<v>218217</v>
 </e>
 <e>
 <k>declaring_type_id</k>
-<v>52465</v>
+<v>103919</v>
 </e>
 <e>
 <k>type_id</k>
-<v>45611</v>
+<v>89633</v>
 </e>
 <e>
 <k>unbound_id</k>
-<v>279953</v>
+<v>547985</v>
 </e>
 </columnsizes>
 <dependencies>
@@ -25859,7 +26214,7 @@
 <b>
 <a>1</a>
 <b>2</b>
-<v>283465</v>
+<v>556636</v>
 </b>
 </bs>
 </hist>
@@ -25875,7 +26230,7 @@
 <b>
 <a>1</a>
 <b>2</b>
-<v>283465</v>
+<v>556636</v>
 </b>
 </bs>
 </hist>
@@ -25891,7 +26246,7 @@
 <b>
 <a>1</a>
 <b>2</b>
-<v>283465</v>
+<v>556636</v>
 </b>
 </bs>
 </hist>
@@ -25907,7 +26262,7 @@
 <b>
 <a>1</a>
 <b>2</b>
-<v>283465</v>
+<v>556636</v>
 </b>
 </bs>
 </hist>
@@ -25923,7 +26278,7 @@
 <b>
 <a>1</a>
 <b>2</b>
-<v>283465</v>
+<v>556636</v>
 </b>
 </bs>
 </hist>
@@ -25937,14 +26292,14 @@
 <budget>12</budget>
 <bs>
 <b>
-<a>37974</a>
-<b>37975</b>
-<v>2</v>
+<a>38027</a>
+<b>38028</b>
+<v>4</v>
 </b>
 <b>
-<a>75103</a>
-<b>75104</b>
-<v>2</v>
+<a>76258</a>
+<b>76259</b>
+<v>4</v>
 </b>
 </bs>
 </hist>
@@ -25958,14 +26313,14 @@
 <budget>12</budget>
 <bs>
 <b>
-<a>17417</a>
-<b>17418</b>
-<v>2</v>
+<a>17662</a>
+<b>17663</b>
+<v>4</v>
 </b>
 <b>
-<a>29019</a>
-<b>29020</b>
-<v>2</v>
+<a>29062</a>
+<b>29063</b>
+<v>4</v>
 </b>
 </bs>
 </hist>
@@ -25979,14 +26334,14 @@
 <budget>12</budget>
 <bs>
 <b>
-<a>3310</a>
-<b>3311</b>
-<v>2</v>
+<a>3335</a>
+<b>3336</b>
+<v>4</v>
 </b>
 <b>
-<a>17817</a>
-<b>17818</b>
-<v>2</v>
+<a>18225</a>
+<b>18226</b>
+<v>4</v>
 </b>
 </bs>
 </hist>
@@ -26002,12 +26357,12 @@
 <b>
 <a>2463</a>
 <b>2464</b>
-<v>2</v>
+<v>4</v>
 </b>
 <b>
-<a>16181</a>
-<b>16182</b>
-<v>2</v>
+<a>16391</a>
+<b>16392</b>
+<v>4</v>
 </b>
 </bs>
 </hist>
@@ -26021,14 +26376,14 @@
 <budget>12</budget>
 <bs>
 <b>
-<a>37962</a>
-<b>37963</b>
-<v>2</v>
+<a>38015</a>
+<b>38016</b>
+<v>4</v>
 </b>
 <b>
-<a>73714</a>
-<b>73715</b>
-<v>2</v>
+<a>74494</a>
+<b>74495</b>
+<v>4</v>
 </b>
 </bs>
 </hist>
@@ -26044,22 +26399,22 @@
 <b>
 <a>1</a>
 <b>2</b>
-<v>90218</v>
+<v>176159</v>
 </b>
 <b>
 <a>2</a>
 <b>3</b>
-<v>11538</v>
+<v>22565</v>
 </b>
 <b>
 <a>3</a>
-<b>15</b>
-<v>8500</v>
+<b>14</b>
+<v>16564</v>
 </b>
 <b>
-<a>15</a>
+<a>14</a>
 <b>4800</b>
-<v>1346</v>
+<v>2927</v>
 </b>
 </bs>
 </hist>
@@ -26075,12 +26430,12 @@
 <b>
 <a>1</a>
 <b>2</b>
-<v>106801</v>
+<v>208860</v>
 </b>
 <b>
 <a>2</a>
 <b>3</b>
-<v>4803</v>
+<v>9356</v>
 </b>
 </bs>
 </hist>
@@ -26096,22 +26451,22 @@
 <b>
 <a>1</a>
 <b>2</b>
-<v>90231</v>
+<v>176184</v>
 </b>
 <b>
 <a>2</a>
 <b>3</b>
-<v>11531</v>
+<v>22550</v>
 </b>
 <b>
 <a>3</a>
-<b>15</b>
-<v>8498</v>
+<b>14</b>
+<v>16555</v>
 </b>
 <b>
-<a>15</a>
+<a>14</a>
 <b>4800</b>
-<v>1343</v>
+<v>2927</v>
 </b>
 </bs>
 </hist>
@@ -26127,17 +26482,17 @@
 <b>
 <a>1</a>
 <b>2</b>
-<v>96495</v>
+<v>188667</v>
 </b>
 <b>
 <a>2</a>
 <b>3</b>
-<v>9032</v>
+<v>17660</v>
 </b>
 <b>
 <a>3</a>
 <b>2459</b>
-<v>6076</v>
+<v>11889</v>
 </b>
 </bs>
 </hist>
@@ -26153,22 +26508,22 @@
 <b>
 <a>1</a>
 <b>2</b>
-<v>90406</v>
+<v>176559</v>
 </b>
 <b>
 <a>2</a>
 <b>3</b>
-<v>11536</v>
+<v>22570</v>
 </b>
 <b>
 <a>3</a>
-<b>16</b>
-<v>8412</v>
+<b>15</b>
+<v>16472</v>
 </b>
 <b>
-<a>16</a>
+<a>15</a>
 <b>4800</b>
-<v>1248</v>
+<v>2615</v>
 </b>
 </bs>
 </hist>
@@ -26184,42 +26539,42 @@
 <b>
 <a>1</a>
 <b>2</b>
-<v>13760</v>
+<v>27319</v>
 </b>
 <b>
 <a>2</a>
 <b>3</b>
-<v>10719</v>
+<v>21216</v>
 </b>
 <b>
 <a>3</a>
 <b>4</b>
-<v>6297</v>
+<v>12843</v>
 </b>
 <b>
 <a>4</a>
 <b>5</b>
-<v>5139</v>
+<v>10101</v>
 </b>
 <b>
 <a>5</a>
 <b>6</b>
-<v>4061</v>
+<v>7934</v>
 </b>
 <b>
 <a>6</a>
 <b>8</b>
-<v>4712</v>
+<v>9273</v>
 </b>
 <b>
 <a>8</a>
 <b>12</b>
-<v>4143</v>
+<v>8148</v>
 </b>
 <b>
 <a>12</a>
 <b>4204</b>
-<v>3632</v>
+<v>7081</v>
 </b>
 </bs>
 </hist>
@@ -26235,12 +26590,12 @@
 <b>
 <a>1</a>
 <b>2</b>
-<v>51969</v>
+<v>102828</v>
 </b>
 <b>
 <a>2</a>
 <b>3</b>
-<v>496</v>
+<v>1091</v>
 </b>
 </bs>
 </hist>
@@ -26256,42 +26611,42 @@
 <b>
 <a>1</a>
 <b>2</b>
-<v>13760</v>
+<v>27319</v>
 </b>
 <b>
 <a>2</a>
 <b>3</b>
-<v>10721</v>
+<v>21221</v>
 </b>
 <b>
 <a>3</a>
 <b>4</b>
-<v>6299</v>
+<v>12848</v>
 </b>
 <b>
 <a>4</a>
 <b>5</b>
-<v>5136</v>
+<v>10096</v>
 </b>
 <b>
 <a>5</a>
 <b>6</b>
-<v>4061</v>
+<v>7934</v>
 </b>
 <b>
 <a>6</a>
 <b>8</b>
-<v>4715</v>
+<v>9278</v>
 </b>
 <b>
 <a>8</a>
 <b>12</b>
-<v>4143</v>
+<v>8148</v>
 </b>
 <b>
 <a>12</a>
 <b>4204</b>
-<v>3627</v>
+<v>7072</v>
 </b>
 </bs>
 </hist>
@@ -26307,37 +26662,37 @@
 <b>
 <a>1</a>
 <b>2</b>
-<v>22594</v>
+<v>44526</v>
 </b>
 <b>
 <a>2</a>
 <b>3</b>
-<v>10699</v>
+<v>21269</v>
 </b>
 <b>
 <a>3</a>
 <b>4</b>
-<v>4720</v>
+<v>9707</v>
 </b>
 <b>
 <a>4</a>
 <b>5</b>
-<v>3742</v>
+<v>7364</v>
 </b>
 <b>
 <a>5</a>
 <b>6</b>
-<v>3141</v>
+<v>6161</v>
 </b>
 <b>
 <a>6</a>
-<b>8</b>
-<v>3675</v>
+<b>9</b>
+<v>9590</v>
 </b>
 <b>
-<a>8</a>
+<a>9</a>
 <b>132</b>
-<v>3893</v>
+<v>5299</v>
 </b>
 </bs>
 </hist>
@@ -26353,42 +26708,42 @@
 <b>
 <a>1</a>
 <b>2</b>
-<v>13760</v>
+<v>27319</v>
 </b>
 <b>
 <a>2</a>
 <b>3</b>
-<v>10719</v>
+<v>21216</v>
 </b>
 <b>
 <a>3</a>
 <b>4</b>
-<v>6297</v>
+<v>12843</v>
 </b>
 <b>
 <a>4</a>
 <b>5</b>
-<v>5139</v>
+<v>10101</v>
 </b>
 <b>
 <a>5</a>
 <b>6</b>
-<v>4061</v>
+<v>7934</v>
 </b>
 <b>
 <a>6</a>
 <b>8</b>
-<v>4712</v>
+<v>9273</v>
 </b>
 <b>
 <a>8</a>
 <b>12</b>
-<v>4143</v>
+<v>8148</v>
 </b>
 <b>
 <a>12</a>
 <b>4204</b>
-<v>3632</v>
+<v>7081</v>
 </b>
 </bs>
 </hist>
@@ -26404,161 +26759,161 @@
 <b>
 <a>1</a>
 <b>2</b>
-<v>28425</v>
+<v>55880</v>
 </b>
 <b>
 <a>2</a>
 <b>3</b>
-<v>5530</v>
+<v>10910</v>
 </b>
 <b>
 <a>3</a>
 <b>4</b>
-<v>3193</v>
+<v>6210</v>
 </b>
 <b>
 <a>4</a>
 <b>7</b>
-<v>4046</v>
-</b>
-<b>
-<a>7</a>
-<b>26</b>
-<v>3421</v>
-</b>
-<b>
-<a>26</a>
-<b>9160</b>
-<v>995</v>
-</b>
-</bs>
-</hist>
-</val>
-</dep>
-<dep>
-<src>type_id</src>
-<trg>kind</trg>
-<val>
-<hist>
-<budget>12</budget>
-<bs>
-<b>
-<a>1</a>
-<b>2</b>
-<v>44486</v>
-</b>
-<b>
-<a>2</a>
-<b>3</b>
-<v>1125</v>
-</b>
-</bs>
-</hist>
-</val>
-</dep>
-<dep>
-<src>type_id</src>
-<trg>name</trg>
-<val>
-<hist>
-<budget>12</budget>
-<bs>
-<b>
-<a>1</a>
-<b>2</b>
-<v>32473</v>
-</b>
-<b>
-<a>2</a>
-<b>3</b>
-<v>4712</v>
-</b>
-<b>
-<a>3</a>
-<b>5</b>
-<v>4020</v>
-</b>
-<b>
-<a>5</a>
-<b>17</b>
-<v>3436</v>
-</b>
-<b>
-<a>17</a>
-<b>5144</b>
-<v>967</v>
-</b>
-</bs>
-</hist>
-</val>
-</dep>
-<dep>
-<src>type_id</src>
-<trg>declaring_type_id</trg>
-<val>
-<hist>
-<budget>12</budget>
-<bs>
-<b>
-<a>1</a>
-<b>2</b>
-<v>34857</v>
-</b>
-<b>
-<a>2</a>
-<b>3</b>
-<v>5091</v>
-</b>
-<b>
-<a>3</a>
-<b>7</b>
-<v>3680</v>
-</b>
-<b>
-<a>7</a>
-<b>5706</b>
-<v>1982</v>
-</b>
-</bs>
-</hist>
-</val>
-</dep>
-<dep>
-<src>type_id</src>
-<trg>unbound_id</trg>
-<val>
-<hist>
-<budget>12</budget>
-<bs>
-<b>
-<a>1</a>
-<b>2</b>
-<v>28445</v>
-</b>
-<b>
-<a>2</a>
-<b>3</b>
-<v>5693</v>
-</b>
-<b>
-<a>3</a>
-<b>4</b>
-<v>3050</v>
-</b>
-<b>
-<a>4</a>
-<b>7</b>
-<v>4033</v>
+<v>7973</v>
 </b>
 <b>
 <a>7</a>
 <b>27</b>
-<v>3441</v>
+<v>6789</v>
 </b>
 <b>
 <a>27</a>
-<b>9081</b>
-<v>947</v>
+<b>9294</b>
+<v>1870</v>
+</b>
+</bs>
+</hist>
+</val>
+</dep>
+<dep>
+<src>type_id</src>
+<trg>kind</trg>
+<val>
+<hist>
+<budget>12</budget>
+<bs>
+<b>
+<a>1</a>
+<b>2</b>
+<v>87436</v>
+</b>
+<b>
+<a>2</a>
+<b>3</b>
+<v>2196</v>
+</b>
+</bs>
+</hist>
+</val>
+</dep>
+<dep>
+<src>type_id</src>
+<trg>name</trg>
+<val>
+<hist>
+<budget>12</budget>
+<bs>
+<b>
+<a>1</a>
+<b>2</b>
+<v>63795</v>
+</b>
+<b>
+<a>2</a>
+<b>3</b>
+<v>9356</v>
+</b>
+<b>
+<a>3</a>
+<b>5</b>
+<v>7895</v>
+</b>
+<b>
+<a>5</a>
+<b>18</b>
+<v>6838</v>
+</b>
+<b>
+<a>18</a>
+<b>5214</b>
+<v>1748</v>
+</b>
+</bs>
+</hist>
+</val>
+</dep>
+<dep>
+<src>type_id</src>
+<trg>declaring_type_id</trg>
+<val>
+<hist>
+<budget>12</budget>
+<bs>
+<b>
+<a>1</a>
+<b>2</b>
+<v>68392</v>
+</b>
+<b>
+<a>2</a>
+<b>3</b>
+<v>10062</v>
+</b>
+<b>
+<a>3</a>
+<b>7</b>
+<v>7242</v>
+</b>
+<b>
+<a>7</a>
+<b>5816</b>
+<v>3935</v>
+</b>
+</bs>
+</hist>
+</val>
+</dep>
+<dep>
+<src>type_id</src>
+<trg>unbound_id</trg>
+<val>
+<hist>
+<budget>12</budget>
+<bs>
+<b>
+<a>1</a>
+<b>2</b>
+<v>55924</v>
+</b>
+<b>
+<a>2</a>
+<b>3</b>
+<v>11236</v>
+</b>
+<b>
+<a>3</a>
+<b>4</b>
+<v>5922</v>
+</b>
+<b>
+<a>4</a>
+<b>7</b>
+<v>7948</v>
+</b>
+<b>
+<a>7</a>
+<b>27</b>
+<v>6745</v>
+</b>
+<b>
+<a>27</a>
+<b>9188</b>
+<v>1855</v>
 </b>
 </bs>
 </hist>
@@ -26574,12 +26929,12 @@
 <b>
 <a>1</a>
 <b>2</b>
-<v>279539</v>
+<v>547011</v>
 </b>
 <b>
 <a>2</a>
-<b>210</b>
-<v>413</v>
+<b>234</b>
+<v>974</v>
 </b>
 </bs>
 </hist>
@@ -26595,7 +26950,7 @@
 <b>
 <a>1</a>
 <b>2</b>
-<v>279953</v>
+<v>547985</v>
 </b>
 </bs>
 </hist>
@@ -26611,7 +26966,7 @@
 <b>
 <a>1</a>
 <b>2</b>
-<v>279953</v>
+<v>547985</v>
 </b>
 </bs>
 </hist>
@@ -26627,12 +26982,12 @@
 <b>
 <a>1</a>
 <b>2</b>
-<v>279539</v>
+<v>547011</v>
 </b>
 <b>
 <a>2</a>
-<b>210</b>
-<v>413</v>
+<b>234</b>
+<v>974</v>
 </b>
 </bs>
 </hist>
@@ -26648,12 +27003,12 @@
 <b>
 <a>1</a>
 <b>2</b>
-<v>279717</v>
+<v>547469</v>
 </b>
 <b>
 <a>2</a>
 <b>138</b>
-<v>235</v>
+<v>516</v>
 </b>
 </bs>
 </hist>
@@ -26663,15 +27018,15 @@
 </relation>
 <relation>
 <name>field_location</name>
-<cardinality>321998</cardinality>
+<cardinality>637390</cardinality>
 <columnsizes>
 <e>
 <k>id</k>
-<v>279660</v>
+<v>549271</v>
 </e>
 <e>
 <k>loc</k>
-<v>24689</v>
+<v>52845</v>
 </e>
 </columnsizes>
 <dependencies>
@@ -26685,17 +27040,17 @@
 <b>
 <a>1</a>
 <b>2</b>
-<v>240001</v>
+<v>467168</v>
 </b>
 <b>
 <a>2</a>
 <b>3</b>
-<v>37935</v>
+<v>78095</v>
 </b>
 <b>
 <a>3</a>
 <b>57</b>
-<v>1722</v>
+<v>4008</v>
 </b>
 </bs>
 </hist>
@@ -26711,12 +27066,12 @@
 <b>
 <a>1</a>
 <b>2</b>
-<v>23072</v>
+<v>49339</v>
 </b>
 <b>
 <a>2</a>
 <b>8882</b>
-<v>1616</v>
+<v>3506</v>
 </b>
 </bs>
 </hist>
@@ -26726,11 +27081,11 @@
 </relation>
 <relation>
 <name>localvars</name>
-<cardinality>72963</cardinality>
+<cardinality>163269</cardinality>
 <columnsizes>
 <e>
 <k>id</k>
-<v>72963</v>
+<v>163269</v>
 </e>
 <e>
 <k>kind</k>
@@ -26738,7 +27093,7 @@
 </e>
 <e>
 <k>name</k>
-<v>9135</v>
+<v>22591</v>
 </e>
 <e>
 <k>implicitly_typed</k>
@@ -26746,11 +27101,11 @@
 </e>
 <e>
 <k>type_id</k>
-<v>3535</v>
+<v>7298</v>
 </e>
 <e>
 <k>parent_id</k>
-<v>72963</v>
+<v>163269</v>
 </e>
 </columnsizes>
 <dependencies>
@@ -26764,7 +27119,7 @@
 <b>
 <a>1</a>
 <b>2</b>
-<v>72963</v>
+<v>163269</v>
 </b>
 </bs>
 </hist>
@@ -26780,7 +27135,7 @@
 <b>
 <a>1</a>
 <b>2</b>
-<v>72963</v>
+<v>163269</v>
 </b>
 </bs>
 </hist>
@@ -26796,7 +27151,7 @@
 <b>
 <a>1</a>
 <b>2</b>
-<v>72963</v>
+<v>163269</v>
 </b>
 </bs>
 </hist>
@@ -26812,7 +27167,7 @@
 <b>
 <a>1</a>
 <b>2</b>
-<v>72963</v>
+<v>163269</v>
 </b>
 </bs>
 </hist>
@@ -26828,7 +27183,7 @@
 <b>
 <a>1</a>
 <b>2</b>
-<v>72963</v>
+<v>163269</v>
 </b>
 </bs>
 </hist>
@@ -26842,18 +27197,18 @@
 <budget>12</budget>
 <bs>
 <b>
-<a>3</a>
-<b>4</b>
+<a>18</a>
+<b>19</b>
 <v>1</v>
 </b>
 <b>
-<a>373</a>
-<b>374</b>
+<a>799</a>
+<b>800</b>
 <v>1</v>
 </b>
 <b>
-<a>72587</a>
-<b>72588</b>
+<a>162452</a>
+<b>162453</b>
 <v>1</v>
 </b>
 </bs>
@@ -26868,18 +27223,18 @@
 <budget>12</budget>
 <bs>
 <b>
-<a>2</a>
-<b>3</b>
+<a>12</a>
+<b>13</b>
 <v>1</v>
 </b>
 <b>
-<a>115</a>
-<b>116</b>
+<a>293</a>
+<b>294</b>
 <v>1</v>
 </b>
 <b>
-<a>9057</a>
-<b>9058</b>
+<a>22378</a>
+<b>22379</b>
 <v>1</v>
 </b>
 </bs>
@@ -26915,18 +27270,18 @@
 <budget>12</budget>
 <bs>
 <b>
-<a>2</a>
-<b>3</b>
+<a>10</a>
+<b>11</b>
 <v>1</v>
 </b>
 <b>
-<a>8</a>
-<b>9</b>
+<a>25</a>
+<b>26</b>
 <v>1</v>
 </b>
 <b>
-<a>3533</a>
-<b>3534</b>
+<a>7293</a>
+<b>7294</b>
 <v>1</v>
 </b>
 </bs>
@@ -26941,18 +27296,18 @@
 <budget>12</budget>
 <bs>
 <b>
-<a>3</a>
-<b>4</b>
+<a>18</a>
+<b>19</b>
 <v>1</v>
 </b>
 <b>
-<a>373</a>
-<b>374</b>
+<a>799</a>
+<b>800</b>
 <v>1</v>
 </b>
 <b>
-<a>72587</a>
-<b>72588</b>
+<a>162452</a>
+<b>162453</b>
 <v>1</v>
 </b>
 </bs>
@@ -26969,32 +27324,27 @@
 <b>
 <a>1</a>
 <b>2</b>
-<v>5625</v>
+<v>14112</v>
 </b>
 <b>
 <a>2</a>
 <b>3</b>
-<v>1400</v>
+<v>3482</v>
 </b>
 <b>
 <a>3</a>
 <b>4</b>
-<v>559</v>
+<v>1462</v>
 </b>
 <b>
 <a>4</a>
-<b>7</b>
-<v>690</v>
+<b>8</b>
+<v>1876</v>
 </b>
 <b>
-<a>7</a>
-<b>46</b>
-<v>691</v>
-</b>
-<b>
-<a>46</a>
-<b>7564</b>
-<v>170</v>
+<a>8</a>
+<b>15750</b>
+<v>1659</v>
 </b>
 </bs>
 </hist>
@@ -27010,12 +27360,12 @@
 <b>
 <a>1</a>
 <b>2</b>
-<v>9096</v>
+<v>22499</v>
 </b>
 <b>
 <a>2</a>
 <b>3</b>
-<v>39</v>
+<v>92</v>
 </b>
 </bs>
 </hist>
@@ -27031,12 +27381,12 @@
 <b>
 <a>1</a>
 <b>2</b>
-<v>8300</v>
+<v>19931</v>
 </b>
 <b>
 <a>2</a>
 <b>3</b>
-<v>835</v>
+<v>2660</v>
 </b>
 </bs>
 </hist>
@@ -27052,17 +27402,17 @@
 <b>
 <a>1</a>
 <b>2</b>
-<v>7770</v>
+<v>19221</v>
 </b>
 <b>
 <a>2</a>
 <b>3</b>
-<v>727</v>
+<v>1909</v>
 </b>
 <b>
 <a>3</a>
-<b>494</b>
-<v>638</v>
+<b>678</b>
+<v>1461</v>
 </b>
 </bs>
 </hist>
@@ -27078,32 +27428,27 @@
 <b>
 <a>1</a>
 <b>2</b>
-<v>5625</v>
+<v>14112</v>
 </b>
 <b>
 <a>2</a>
 <b>3</b>
-<v>1400</v>
+<v>3482</v>
 </b>
 <b>
 <a>3</a>
 <b>4</b>
-<v>559</v>
+<v>1462</v>
 </b>
 <b>
 <a>4</a>
-<b>7</b>
-<v>690</v>
+<b>8</b>
+<v>1876</v>
 </b>
 <b>
-<a>7</a>
-<b>46</b>
-<v>691</v>
-</b>
-<b>
-<a>46</a>
-<b>7564</b>
-<v>170</v>
+<a>8</a>
+<b>15750</b>
+<v>1659</v>
 </b>
 </bs>
 </hist>
@@ -27117,13 +27462,13 @@
 <budget>12</budget>
 <bs>
 <b>
-<a>13942</a>
-<b>13943</b>
+<a>36626</a>
+<b>36627</b>
 <v>1</v>
 </b>
 <b>
-<a>59021</a>
-<b>59022</b>
+<a>126643</a>
+<b>126644</b>
 <v>1</v>
 </b>
 </bs>
@@ -27159,13 +27504,13 @@
 <budget>12</budget>
 <bs>
 <b>
-<a>2512</a>
-<b>2513</b>
+<a>8549</a>
+<b>8550</b>
 <v>1</v>
 </b>
 <b>
-<a>7458</a>
-<b>7459</b>
+<a>16702</a>
+<b>16703</b>
 <v>1</v>
 </b>
 </bs>
@@ -27180,13 +27525,13 @@
 <budget>12</budget>
 <bs>
 <b>
-<a>1244</a>
-<b>1245</b>
+<a>2805</a>
+<b>2806</b>
 <v>1</v>
 </b>
 <b>
-<a>2982</a>
-<b>2983</b>
+<a>6179</a>
+<b>6180</b>
 <v>1</v>
 </b>
 </bs>
@@ -27201,13 +27546,13 @@
 <budget>12</budget>
 <bs>
 <b>
-<a>13942</a>
-<b>13943</b>
+<a>36626</a>
+<b>36627</b>
 <v>1</v>
 </b>
 <b>
-<a>59021</a>
-<b>59022</b>
+<a>126643</a>
+<b>126644</b>
 <v>1</v>
 </b>
 </bs>
@@ -27224,37 +27569,37 @@
 <b>
 <a>1</a>
 <b>2</b>
-<v>1585</v>
+<v>3308</v>
 </b>
 <b>
 <a>2</a>
 <b>3</b>
-<v>519</v>
+<v>1138</v>
 </b>
 <b>
 <a>3</a>
 <b>4</b>
-<v>460</v>
+<v>772</v>
 </b>
 <b>
 <a>4</a>
 <b>6</b>
-<v>301</v>
+<v>624</v>
 </b>
 <b>
 <a>6</a>
 <b>11</b>
-<v>279</v>
+<v>591</v>
 </b>
 <b>
 <a>11</a>
-<b>47</b>
-<v>267</v>
+<b>35</b>
+<v>548</v>
 </b>
 <b>
-<a>47</a>
-<b>17427</b>
-<v>124</v>
+<a>35</a>
+<b>37230</b>
+<v>317</v>
 </b>
 </bs>
 </hist>
@@ -27270,12 +27615,12 @@
 <b>
 <a>1</a>
 <b>2</b>
-<v>3527</v>
+<v>7269</v>
 </b>
 <b>
 <a>2</a>
-<b>3</b>
-<v>8</v>
+<b>4</b>
+<v>29</v>
 </b>
 </bs>
 </hist>
@@ -27291,32 +27636,32 @@
 <b>
 <a>1</a>
 <b>2</b>
-<v>1956</v>
+<v>4172</v>
 </b>
 <b>
 <a>2</a>
 <b>3</b>
-<v>733</v>
+<v>1328</v>
 </b>
 <b>
 <a>3</a>
 <b>4</b>
-<v>238</v>
+<v>522</v>
 </b>
 <b>
 <a>4</a>
 <b>7</b>
-<v>310</v>
+<v>643</v>
 </b>
 <b>
 <a>7</a>
 <b>49</b>
-<v>266</v>
+<v>549</v>
 </b>
 <b>
-<a>51</a>
-<b>900</b>
-<v>32</v>
+<a>49</a>
+<b>1937</b>
+<v>84</v>
 </b>
 </bs>
 </hist>
@@ -27332,12 +27677,12 @@
 <b>
 <a>1</a>
 <b>2</b>
-<v>2844</v>
+<v>5612</v>
 </b>
 <b>
 <a>2</a>
 <b>3</b>
-<v>691</v>
+<v>1686</v>
 </b>
 </bs>
 </hist>
@@ -27353,37 +27698,37 @@
 <b>
 <a>1</a>
 <b>2</b>
-<v>1585</v>
+<v>3308</v>
 </b>
 <b>
 <a>2</a>
 <b>3</b>
-<v>519</v>
+<v>1138</v>
 </b>
 <b>
 <a>3</a>
 <b>4</b>
-<v>460</v>
+<v>772</v>
 </b>
 <b>
 <a>4</a>
 <b>6</b>
-<v>301</v>
+<v>624</v>
 </b>
 <b>
 <a>6</a>
 <b>11</b>
-<v>279</v>
+<v>591</v>
 </b>
 <b>
 <a>11</a>
-<b>47</b>
-<v>267</v>
+<b>35</b>
+<v>548</v>
 </b>
 <b>
-<a>47</a>
-<b>17427</b>
-<v>124</v>
+<a>35</a>
+<b>37230</b>
+<v>317</v>
 </b>
 </bs>
 </hist>
@@ -27399,7 +27744,7 @@
 <b>
 <a>1</a>
 <b>2</b>
-<v>72963</v>
+<v>163269</v>
 </b>
 </bs>
 </hist>
@@ -27415,7 +27760,7 @@
 <b>
 <a>1</a>
 <b>2</b>
-<v>72963</v>
+<v>163269</v>
 </b>
 </bs>
 </hist>
@@ -27431,7 +27776,7 @@
 <b>
 <a>1</a>
 <b>2</b>
-<v>72963</v>
+<v>163269</v>
 </b>
 </bs>
 </hist>
@@ -27447,7 +27792,7 @@
 <b>
 <a>1</a>
 <b>2</b>
-<v>72963</v>
+<v>163269</v>
 </b>
 </bs>
 </hist>
@@ -27463,7 +27808,7 @@
 <b>
 <a>1</a>
 <b>2</b>
-<v>72963</v>
+<v>163269</v>
 </b>
 </bs>
 </hist>
@@ -27473,15 +27818,15 @@
 </relation>
 <relation>
 <name>localvar_location</name>
-<cardinality>72963</cardinality>
+<cardinality>163269</cardinality>
 <columnsizes>
 <e>
 <k>id</k>
-<v>72963</v>
+<v>163269</v>
 </e>
 <e>
 <k>loc</k>
-<v>72932</v>
+<v>163189</v>
 </e>
 </columnsizes>
 <dependencies>
@@ -27495,7 +27840,7 @@
 <b>
 <a>1</a>
 <b>2</b>
-<v>72963</v>
+<v>163269</v>
 </b>
 </bs>
 </hist>
@@ -27511,12 +27856,12 @@
 <b>
 <a>1</a>
 <b>2</b>
-<v>72901</v>
+<v>163109</v>
 </b>
 <b>
 <a>2</a>
 <b>3</b>
-<v>31</v>
+<v>80</v>
 </b>
 </bs>
 </hist>
@@ -27526,35 +27871,35 @@
 </relation>
 <relation>
 <name>params</name>
-<cardinality>1189134</cardinality>
+<cardinality>2417427</cardinality>
 <columnsizes>
 <e>
 <k>id</k>
-<v>1189134</v>
+<v>2417427</v>
 </e>
 <e>
 <k>name</k>
-<v>41432</v>
+<v>80808</v>
 </e>
 <e>
 <k>type_id</k>
-<v>164897</v>
+<v>330572</v>
 </e>
 <e>
 <k>index</k>
-<v>102</v>
+<v>199</v>
 </e>
 <e>
 <k>mode</k>
-<v>15</v>
+<v>29</v>
 </e>
 <e>
 <k>parent_id</k>
-<v>671887</v>
+<v>1369587</v>
 </e>
 <e>
 <k>unbound_id</k>
-<v>734670</v>
+<v>1434940</v>
 </e>
 </columnsizes>
 <dependencies>
@@ -27568,7 +27913,7 @@
 <b>
 <a>1</a>
 <b>2</b>
-<v>1189134</v>
+<v>2417427</v>
 </b>
 </bs>
 </hist>
@@ -27584,7 +27929,7 @@
 <b>
 <a>1</a>
 <b>2</b>
-<v>1189134</v>
+<v>2417427</v>
 </b>
 </bs>
 </hist>
@@ -27600,7 +27945,7 @@
 <b>
 <a>1</a>
 <b>2</b>
-<v>1189134</v>
+<v>2417427</v>
 </b>
 </bs>
 </hist>
@@ -27616,7 +27961,7 @@
 <b>
 <a>1</a>
 <b>2</b>
-<v>1189134</v>
+<v>2417427</v>
 </b>
 </bs>
 </hist>
@@ -27632,7 +27977,7 @@
 <b>
 <a>1</a>
 <b>2</b>
-<v>1189134</v>
+<v>2417427</v>
 </b>
 </bs>
 </hist>
@@ -27648,7 +27993,7 @@
 <b>
 <a>1</a>
 <b>2</b>
-<v>1189134</v>
+<v>2417427</v>
 </b>
 </bs>
 </hist>
@@ -27664,42 +28009,42 @@
 <b>
 <a>1</a>
 <b>2</b>
-<v>15950</v>
+<v>31113</v>
 </b>
 <b>
 <a>2</a>
 <b>3</b>
-<v>7116</v>
+<v>13851</v>
 </b>
 <b>
 <a>3</a>
 <b>4</b>
-<v>3622</v>
+<v>7057</v>
 </b>
 <b>
 <a>4</a>
 <b>5</b>
-<v>2469</v>
+<v>4836</v>
 </b>
 <b>
 <a>5</a>
 <b>7</b>
-<v>3409</v>
+<v>6648</v>
 </b>
 <b>
 <a>7</a>
 <b>13</b>
-<v>3534</v>
+<v>6896</v>
 </b>
 <b>
 <a>13</a>
 <b>41</b>
-<v>3123</v>
+<v>6078</v>
 </b>
 <b>
 <a>41</a>
-<b>45301</b>
-<v>2206</v>
+<b>46351</b>
+<v>4325</v>
 </b>
 </bs>
 </hist>
@@ -27715,22 +28060,22 @@
 <b>
 <a>1</a>
 <b>2</b>
-<v>32939</v>
+<v>64209</v>
 </b>
 <b>
 <a>2</a>
 <b>3</b>
-<v>4178</v>
+<v>8158</v>
 </b>
 <b>
 <a>3</a>
 <b>12</b>
-<v>3153</v>
+<v>6171</v>
 </b>
 <b>
 <a>12</a>
-<b>6754</b>
-<v>1160</v>
+<b>6855</b>
+<v>2269</v>
 </b>
 </bs>
 </hist>
@@ -27746,22 +28091,22 @@
 <b>
 <a>1</a>
 <b>2</b>
-<v>28201</v>
+<v>55003</v>
 </b>
 <b>
 <a>2</a>
 <b>3</b>
-<v>7467</v>
+<v>14563</v>
 </b>
 <b>
 <a>3</a>
 <b>4</b>
-<v>2820</v>
+<v>5513</v>
 </b>
 <b>
 <a>4</a>
 <b>33</b>
-<v>2943</v>
+<v>5727</v>
 </b>
 </bs>
 </hist>
@@ -27777,12 +28122,12 @@
 <b>
 <a>1</a>
 <b>2</b>
-<v>38848</v>
+<v>75776</v>
 </b>
 <b>
 <a>2</a>
 <b>7</b>
-<v>2584</v>
+<v>5031</v>
 </b>
 </bs>
 </hist>
@@ -27798,42 +28143,42 @@
 <b>
 <a>1</a>
 <b>2</b>
-<v>15950</v>
+<v>31113</v>
 </b>
 <b>
 <a>2</a>
 <b>3</b>
-<v>7116</v>
+<v>13851</v>
 </b>
 <b>
 <a>3</a>
 <b>4</b>
-<v>3622</v>
+<v>7057</v>
 </b>
 <b>
 <a>4</a>
 <b>5</b>
-<v>2469</v>
+<v>4836</v>
 </b>
 <b>
 <a>5</a>
 <b>7</b>
-<v>3409</v>
+<v>6648</v>
 </b>
 <b>
 <a>7</a>
 <b>13</b>
-<v>3534</v>
+<v>6896</v>
 </b>
 <b>
 <a>13</a>
 <b>41</b>
-<v>3123</v>
+<v>6078</v>
 </b>
 <b>
 <a>41</a>
-<b>45301</b>
-<v>2206</v>
+<b>46351</b>
+<v>4325</v>
 </b>
 </bs>
 </hist>
@@ -27849,42 +28194,42 @@
 <b>
 <a>1</a>
 <b>2</b>
-<v>16151</v>
+<v>31503</v>
 </b>
 <b>
 <a>2</a>
 <b>3</b>
-<v>7222</v>
+<v>14080</v>
 </b>
 <b>
 <a>3</a>
 <b>4</b>
-<v>3639</v>
+<v>7072</v>
 </b>
 <b>
 <a>4</a>
 <b>5</b>
-<v>2519</v>
+<v>4953</v>
 </b>
 <b>
 <a>5</a>
 <b>7</b>
-<v>3324</v>
+<v>6477</v>
 </b>
 <b>
 <a>7</a>
 <b>13</b>
-<v>3544</v>
+<v>6911</v>
 </b>
 <b>
 <a>13</a>
 <b>43</b>
-<v>3158</v>
+<v>6151</v>
 </b>
 <b>
 <a>43</a>
-<b>36702</b>
-<v>1872</v>
+<b>36753</b>
+<v>3657</v>
 </b>
 </bs>
 </hist>
@@ -27900,27 +28245,27 @@
 <b>
 <a>1</a>
 <b>2</b>
-<v>114442</v>
+<v>227559</v>
 </b>
 <b>
 <a>2</a>
 <b>3</b>
-<v>19498</v>
+<v>38940</v>
 </b>
 <b>
 <a>3</a>
 <b>6</b>
-<v>14283</v>
+<v>30080</v>
 </b>
 <b>
 <a>6</a>
-<b>25</b>
-<v>12476</v>
+<b>24</b>
+<v>25059</v>
 </b>
 <b>
-<a>25</a>
-<b>47259</b>
-<v>4196</v>
+<a>24</a>
+<b>48952</b>
+<v>8932</v>
 </b>
 </bs>
 </hist>
@@ -27936,17 +28281,17 @@
 <b>
 <a>1</a>
 <b>2</b>
-<v>144619</v>
+<v>289084</v>
 </b>
 <b>
 <a>2</a>
 <b>4</b>
-<v>14880</v>
+<v>30489</v>
 </b>
 <b>
 <a>4</a>
-<b>2452</b>
-<v>5397</v>
+<b>2470</b>
+<v>10997</v>
 </b>
 </bs>
 </hist>
@@ -27962,17 +28307,17 @@
 <b>
 <a>1</a>
 <b>2</b>
-<v>146130</v>
+<v>292148</v>
 </b>
 <b>
 <a>2</a>
 <b>3</b>
-<v>12346</v>
+<v>25073</v>
 </b>
 <b>
 <a>3</a>
 <b>36</b>
-<v>6420</v>
+<v>13350</v>
 </b>
 </bs>
 </hist>
@@ -27988,12 +28333,12 @@
 <b>
 <a>1</a>
 <b>2</b>
-<v>160670</v>
+<v>321863</v>
 </b>
 <b>
 <a>2</a>
 <b>5</b>
-<v>4226</v>
+<v>8708</v>
 </b>
 </bs>
 </hist>
@@ -28009,27 +28354,27 @@
 <b>
 <a>1</a>
 <b>2</b>
-<v>115728</v>
+<v>230057</v>
 </b>
 <b>
 <a>2</a>
 <b>3</b>
-<v>18487</v>
+<v>36982</v>
 </b>
 <b>
 <a>3</a>
 <b>6</b>
-<v>14459</v>
+<v>30494</v>
 </b>
 <b>
 <a>6</a>
-<b>26</b>
-<v>12479</v>
+<b>25</b>
+<v>25020</v>
 </b>
 <b>
-<a>26</a>
-<b>38813</b>
-<v>3742</v>
+<a>25</a>
+<b>40409</b>
+<v>8017</v>
 </b>
 </bs>
 </hist>
@@ -28045,27 +28390,27 @@
 <b>
 <a>1</a>
 <b>2</b>
-<v>117385</v>
+<v>233247</v>
 </b>
 <b>
 <a>2</a>
 <b>3</b>
-<v>17404</v>
+<v>34902</v>
 </b>
 <b>
 <a>3</a>
 <b>5</b>
-<v>12270</v>
+<v>25741</v>
 </b>
 <b>
 <a>5</a>
-<b>17</b>
-<v>12554</v>
+<b>16</b>
+<v>25307</v>
 </b>
 <b>
-<a>17</a>
-<b>33727</b>
-<v>5281</v>
+<a>16</a>
+<b>33990</b>
+<v>11372</v>
 </b>
 </bs>
 </hist>
@@ -28081,67 +28426,67 @@
 <b>
 <a>1</a>
 <b>2</b>
-<v>12</v>
+<v>24</v>
 </b>
 <b>
 <a>2</a>
 <b>3</b>
-<v>7</v>
+<v>14</v>
 </b>
 <b>
 <a>3</a>
 <b>15</b>
-<v>7</v>
+<v>14</v>
 </b>
 <b>
 <a>16</a>
 <b>26</b>
-<v>7</v>
+<v>14</v>
 </b>
 <b>
 <a>30</a>
 <b>35</b>
-<v>7</v>
+<v>14</v>
 </b>
 <b>
 <a>40</a>
 <b>48</b>
-<v>7</v>
+<v>14</v>
 </b>
 <b>
 <a>52</a>
 <b>71</b>
-<v>7</v>
+<v>14</v>
 </b>
 <b>
 <a>81</a>
 <b>266</b>
-<v>7</v>
+<v>14</v>
 </b>
 <b>
 <a>431</a>
 <b>785</b>
-<v>7</v>
+<v>14</v>
 </b>
 <b>
 <a>986</a>
 <b>1520</b>
-<v>7</v>
+<v>14</v>
 </b>
 <b>
 <a>1960</a>
-<b>3510</b>
-<v>7</v>
+<b>3521</b>
+<v>14</v>
 </b>
 <b>
-<a>5391</a>
-<b>20664</b>
-<v>7</v>
+<a>5421</a>
+<b>21238</b>
+<v>14</v>
 </b>
 <b>
-<a>45851</a>
-<b>267875</b>
-<v>7</v>
+<a>47756</a>
+<b>281002</b>
+<v>14</v>
 </b>
 </bs>
 </hist>
@@ -28157,72 +28502,72 @@
 <b>
 <a>1</a>
 <b>2</b>
-<v>12</v>
+<v>24</v>
 </b>
 <b>
 <a>2</a>
 <b>3</b>
-<v>7</v>
+<v>14</v>
 </b>
 <b>
 <a>3</a>
 <b>10</b>
-<v>7</v>
+<v>14</v>
 </b>
 <b>
 <a>12</a>
 <b>14</b>
-<v>5</v>
+<v>9</v>
 </b>
 <b>
 <a>17</a>
 <b>20</b>
-<v>7</v>
+<v>14</v>
 </b>
 <b>
 <a>20</a>
 <b>22</b>
-<v>7</v>
+<v>14</v>
 </b>
 <b>
 <a>23</a>
 <b>27</b>
-<v>7</v>
+<v>14</v>
 </b>
 <b>
 <a>29</a>
 <b>46</b>
-<v>7</v>
+<v>14</v>
 </b>
 <b>
 <a>55</a>
 <b>66</b>
-<v>7</v>
+<v>14</v>
 </b>
 <b>
 <a>86</a>
 <b>143</b>
-<v>7</v>
+<v>14</v>
 </b>
 <b>
 <a>202</a>
 <b>435</b>
-<v>7</v>
+<v>14</v>
 </b>
 <b>
 <a>630</a>
-<b>1616</b>
-<v>7</v>
+<b>1620</b>
+<v>14</v>
 </b>
 <b>
-<a>2706</a>
-<b>6807</b>
-<v>7</v>
+<a>2712</a>
+<b>6835</b>
+<v>14</v>
 </b>
 <b>
-<a>8049</a>
-<b>8050</b>
-<v>2</v>
+<a>8088</a>
+<b>8089</b>
+<v>4</v>
 </b>
 </bs>
 </hist>
@@ -28238,77 +28583,77 @@
 <b>
 <a>1</a>
 <b>2</b>
-<v>12</v>
+<v>24</v>
 </b>
 <b>
 <a>2</a>
 <b>3</b>
-<v>7</v>
+<v>14</v>
 </b>
 <b>
 <a>3</a>
 <b>8</b>
-<v>5</v>
+<v>9</v>
 </b>
 <b>
 <a>9</a>
 <b>11</b>
-<v>7</v>
+<v>14</v>
 </b>
 <b>
 <a>11</a>
 <b>12</b>
-<v>5</v>
+<v>9</v>
 </b>
 <b>
 <a>12</a>
 <b>13</b>
-<v>5</v>
+<v>9</v>
 </b>
 <b>
 <a>13</a>
 <b>14</b>
-<v>5</v>
+<v>9</v>
 </b>
 <b>
 <a>14</a>
 <b>20</b>
-<v>7</v>
+<v>14</v>
 </b>
 <b>
 <a>23</a>
 <b>40</b>
-<v>7</v>
+<v>14</v>
 </b>
 <b>
 <a>161</a>
 <b>418</b>
-<v>7</v>
+<v>14</v>
 </b>
 <b>
 <a>558</a>
 <b>841</b>
-<v>7</v>
+<v>14</v>
 </b>
 <b>
 <a>1010</a>
 <b>1444</b>
-<v>7</v>
+<v>14</v>
 </b>
 <b>
 <a>1705</a>
-<b>2786</b>
-<v>7</v>
+<b>2798</b>
+<v>14</v>
 </b>
 <b>
-<a>4142</a>
-<b>15101</b>
-<v>7</v>
+<a>4226</a>
+<b>15732</b>
+<v>14</v>
 </b>
 <b>
-<a>38776</a>
-<b>38777</b>
-<v>2</v>
+<a>40518</a>
+<b>40519</b>
+<v>4</v>
 </b>
 </bs>
 </hist>
@@ -28324,32 +28669,32 @@
 <b>
 <a>1</a>
 <b>2</b>
-<v>47</v>
+<v>92</v>
 </b>
 <b>
 <a>2</a>
 <b>3</b>
-<v>22</v>
+<v>43</v>
 </b>
 <b>
 <a>3</a>
 <b>4</b>
-<v>7</v>
+<v>14</v>
 </b>
 <b>
 <a>4</a>
 <b>5</b>
-<v>7</v>
+<v>14</v>
 </b>
 <b>
 <a>5</a>
 <b>6</b>
-<v>15</v>
+<v>29</v>
 </b>
 <b>
 <a>6</a>
 <b>7</b>
-<v>2</v>
+<v>4</v>
 </b>
 </bs>
 </hist>
@@ -28365,67 +28710,67 @@
 <b>
 <a>1</a>
 <b>2</b>
-<v>12</v>
+<v>24</v>
 </b>
 <b>
 <a>2</a>
 <b>3</b>
-<v>7</v>
+<v>14</v>
 </b>
 <b>
 <a>3</a>
 <b>15</b>
-<v>7</v>
+<v>14</v>
 </b>
 <b>
 <a>16</a>
 <b>26</b>
-<v>7</v>
+<v>14</v>
 </b>
 <b>
 <a>30</a>
 <b>35</b>
-<v>7</v>
+<v>14</v>
 </b>
 <b>
 <a>40</a>
 <b>48</b>
-<v>7</v>
+<v>14</v>
 </b>
 <b>
 <a>52</a>
 <b>71</b>
-<v>7</v>
+<v>14</v>
 </b>
 <b>
 <a>81</a>
 <b>266</b>
-<v>7</v>
+<v>14</v>
 </b>
 <b>
 <a>431</a>
 <b>785</b>
-<v>7</v>
+<v>14</v>
 </b>
 <b>
 <a>986</a>
 <b>1520</b>
-<v>7</v>
+<v>14</v>
 </b>
 <b>
 <a>1960</a>
-<b>3510</b>
-<v>7</v>
+<b>3521</b>
+<v>14</v>
 </b>
 <b>
-<a>5391</a>
-<b>20664</b>
-<v>7</v>
+<a>5421</a>
+<b>21238</b>
+<v>14</v>
 </b>
 <b>
-<a>45851</a>
-<b>267875</b>
-<v>7</v>
+<a>47756</a>
+<b>281002</b>
+<v>14</v>
 </b>
 </bs>
 </hist>
@@ -28441,67 +28786,67 @@
 <b>
 <a>1</a>
 <b>2</b>
-<v>12</v>
+<v>24</v>
 </b>
 <b>
 <a>2</a>
 <b>3</b>
-<v>7</v>
+<v>14</v>
 </b>
 <b>
 <a>3</a>
 <b>15</b>
-<v>7</v>
+<v>14</v>
 </b>
 <b>
 <a>16</a>
 <b>26</b>
-<v>7</v>
+<v>14</v>
 </b>
 <b>
 <a>30</a>
 <b>35</b>
-<v>7</v>
+<v>14</v>
 </b>
 <b>
 <a>40</a>
 <b>48</b>
-<v>7</v>
+<v>14</v>
 </b>
 <b>
 <a>52</a>
 <b>70</b>
-<v>7</v>
+<v>14</v>
 </b>
 <b>
 <a>79</a>
 <b>141</b>
-<v>7</v>
+<v>14</v>
 </b>
 <b>
 <a>178</a>
 <b>266</b>
-<v>7</v>
+<v>14</v>
 </b>
 <b>
 <a>334</a>
 <b>601</b>
-<v>7</v>
+<v>14</v>
 </b>
 <b>
 <a>891</a>
-<b>2068</b>
-<v>7</v>
+<b>2069</b>
+<v>14</v>
 </b>
 <b>
-<a>3523</a>
-<b>13842</b>
-<v>7</v>
+<a>3526</a>
+<b>13874</b>
+<v>14</v>
 </b>
 <b>
-<a>29502</a>
-<b>167307</b>
-<v>7</v>
+<a>29619</a>
+<b>168422</b>
+<v>14</v>
 </b>
 </bs>
 </hist>
@@ -28517,32 +28862,32 @@
 <b>
 <a>1253</a>
 <b>1254</b>
-<v>2</v>
+<v>4</v>
 </b>
 <b>
-<a>2018</a>
-<b>2019</b>
-<v>2</v>
+<a>2019</a>
+<b>2020</b>
+<v>4</v>
 </b>
 <b>
-<a>2317</a>
-<b>2318</b>
-<v>2</v>
+<a>2345</a>
+<b>2346</b>
+<v>4</v>
 </b>
 <b>
-<a>6844</a>
-<b>6845</b>
-<v>2</v>
+<a>7103</a>
+<b>7104</b>
+<v>4</v>
 </b>
 <b>
-<a>10051</a>
-<b>10052</b>
-<v>2</v>
+<a>10553</a>
+<b>10554</b>
+<v>4</v>
 </b>
 <b>
-<a>451874</a>
-<b>451875</b>
-<v>2</v>
+<a>473058</a>
+<b>473059</b>
+<v>4</v>
 </b>
 </bs>
 </hist>
@@ -28558,32 +28903,32 @@
 <b>
 <a>110</a>
 <b>111</b>
-<v>2</v>
+<v>4</v>
 </b>
 <b>
 <a>244</a>
 <b>245</b>
-<v>2</v>
+<v>4</v>
 </b>
 <b>
-<a>282</a>
-<b>283</b>
-<v>2</v>
+<a>283</a>
+<b>284</b>
+<v>4</v>
 </b>
 <b>
 <a>524</a>
 <b>525</b>
-<v>2</v>
+<v>4</v>
 </b>
 <b>
-<a>1118</a>
-<b>1119</b>
-<v>2</v>
+<a>1119</a>
+<b>1120</b>
+<v>4</v>
 </b>
 <b>
-<a>15568</a>
-<b>15569</b>
-<v>2</v>
+<a>15632</a>
+<b>15633</b>
+<v>4</v>
 </b>
 </bs>
 </hist>
@@ -28599,32 +28944,32 @@
 <b>
 <a>227</a>
 <b>228</b>
-<v>2</v>
+<v>4</v>
 </b>
 <b>
-<a>257</a>
-<b>258</b>
-<v>2</v>
+<a>258</a>
+<b>259</b>
+<v>4</v>
 </b>
 <b>
-<a>358</a>
-<b>359</b>
-<v>2</v>
+<a>370</a>
+<b>371</b>
+<v>4</v>
 </b>
 <b>
-<a>1180</a>
-<b>1181</b>
-<v>2</v>
+<a>1224</a>
+<b>1225</b>
+<v>4</v>
 </b>
 <b>
-<a>3107</a>
-<b>3108</b>
-<v>2</v>
+<a>3184</a>
+<b>3185</b>
+<v>4</v>
 </b>
 <b>
-<a>62478</a>
-<b>62479</b>
-<v>2</v>
+<a>64542</a>
+<b>64543</b>
+<v>4</v>
 </b>
 </bs>
 </hist>
@@ -28640,32 +28985,32 @@
 <b>
 <a>1</a>
 <b>2</b>
-<v>2</v>
+<v>4</v>
 </b>
 <b>
 <a>8</a>
 <b>9</b>
-<v>2</v>
+<v>4</v>
 </b>
 <b>
 <a>10</a>
 <b>11</b>
-<v>2</v>
+<v>4</v>
 </b>
 <b>
 <a>12</a>
 <b>13</b>
-<v>2</v>
+<v>4</v>
 </b>
 <b>
 <a>22</a>
 <b>23</b>
-<v>2</v>
+<v>4</v>
 </b>
 <b>
 <a>41</a>
 <b>42</b>
-<v>2</v>
+<v>4</v>
 </b>
 </bs>
 </hist>
@@ -28681,32 +29026,32 @@
 <b>
 <a>1100</a>
 <b>1101</b>
-<v>2</v>
+<v>4</v>
 </b>
 <b>
-<a>1880</a>
-<b>1881</b>
-<v>2</v>
+<a>1881</a>
+<b>1882</b>
+<v>4</v>
 </b>
 <b>
-<a>2317</a>
-<b>2318</b>
-<v>2</v>
+<a>2345</a>
+<b>2346</b>
+<v>4</v>
 </b>
 <b>
-<a>5409</a>
-<b>5410</b>
-<v>2</v>
+<a>5653</a>
+<b>5654</b>
+<v>4</v>
 </b>
 <b>
-<a>10051</a>
-<b>10052</b>
-<v>2</v>
+<a>10553</a>
+<b>10554</b>
+<v>4</v>
 </b>
 <b>
-<a>261309</a>
-<b>261310</b>
-<v>2</v>
+<a>274200</a>
+<b>274201</b>
+<v>4</v>
 </b>
 </bs>
 </hist>
@@ -28722,32 +29067,32 @@
 <b>
 <a>1167</a>
 <b>1168</b>
-<v>2</v>
+<v>4</v>
 </b>
 <b>
 <a>1568</a>
 <b>1569</b>
-<v>2</v>
+<v>4</v>
 </b>
 <b>
-<a>1959</a>
-<b>1960</b>
-<v>2</v>
+<a>1960</a>
+<b>1961</b>
+<v>4</v>
 </b>
 <b>
-<a>6113</a>
-<b>6114</b>
-<v>2</v>
+<a>6114</a>
+<b>6115</b>
+<v>4</v>
 </b>
 <b>
-<a>8393</a>
-<b>8394</b>
-<v>2</v>
+<a>8401</a>
+<b>8402</b>
+<v>4</v>
 </b>
 <b>
-<a>273867</a>
-<b>273868</b>
-<v>2</v>
+<a>275403</a>
+<b>275404</b>
+<v>4</v>
 </b>
 </bs>
 </hist>
@@ -28763,27 +29108,27 @@
 <b>
 <a>1</a>
 <b>2</b>
-<v>396310</v>
+<v>804500</v>
 </b>
 <b>
 <a>2</a>
 <b>3</b>
-<v>160705</v>
+<v>332632</v>
 </b>
 <b>
 <a>3</a>
 <b>4</b>
-<v>63147</v>
+<v>129187</v>
 </b>
 <b>
 <a>4</a>
-<b>15</b>
-<v>50643</v>
+<b>17</b>
+<v>102754</v>
 </b>
 <b>
-<a>15</a>
+<a>17</a>
 <b>42</b>
-<v>1080</v>
+<v>511</v>
 </b>
 </bs>
 </hist>
@@ -28799,27 +29144,27 @@
 <b>
 <a>1</a>
 <b>2</b>
-<v>396310</v>
+<v>804500</v>
 </b>
 <b>
 <a>2</a>
 <b>3</b>
-<v>160705</v>
+<v>332632</v>
 </b>
 <b>
 <a>3</a>
 <b>4</b>
-<v>63147</v>
+<v>129187</v>
 </b>
 <b>
 <a>4</a>
-<b>15</b>
-<v>50643</v>
+<b>17</b>
+<v>102754</v>
 </b>
 <b>
-<a>15</a>
+<a>17</a>
 <b>42</b>
-<v>1080</v>
+<v>511</v>
 </b>
 </bs>
 </hist>
@@ -28835,22 +29180,22 @@
 <b>
 <a>1</a>
 <b>2</b>
-<v>420682</v>
+<v>854049</v>
 </b>
 <b>
 <a>2</a>
 <b>3</b>
-<v>161091</v>
+<v>332929</v>
 </b>
 <b>
 <a>3</a>
 <b>4</b>
-<v>55521</v>
+<v>113275</v>
 </b>
 <b>
 <a>4</a>
 <b>23</b>
-<v>34591</v>
+<v>69332</v>
 </b>
 </bs>
 </hist>
@@ -28866,27 +29211,27 @@
 <b>
 <a>1</a>
 <b>2</b>
-<v>396310</v>
+<v>804500</v>
 </b>
 <b>
 <a>2</a>
 <b>3</b>
-<v>160705</v>
+<v>332632</v>
 </b>
 <b>
 <a>3</a>
 <b>4</b>
-<v>63147</v>
+<v>129187</v>
 </b>
 <b>
 <a>4</a>
-<b>15</b>
-<v>50643</v>
+<b>17</b>
+<v>102754</v>
 </b>
 <b>
-<a>15</a>
+<a>17</a>
 <b>42</b>
-<v>1080</v>
+<v>511</v>
 </b>
 </bs>
 </hist>
@@ -28902,12 +29247,12 @@
 <b>
 <a>1</a>
 <b>2</b>
-<v>637849</v>
+<v>1301082</v>
 </b>
 <b>
 <a>2</a>
 <b>4</b>
-<v>34037</v>
+<v>68504</v>
 </b>
 </bs>
 </hist>
@@ -28923,27 +29268,27 @@
 <b>
 <a>1</a>
 <b>2</b>
-<v>396310</v>
+<v>804500</v>
 </b>
 <b>
 <a>2</a>
 <b>3</b>
-<v>160705</v>
+<v>332632</v>
 </b>
 <b>
 <a>3</a>
 <b>4</b>
-<v>63147</v>
+<v>129187</v>
 </b>
 <b>
 <a>4</a>
-<b>15</b>
-<v>50643</v>
+<b>17</b>
+<v>102754</v>
 </b>
 <b>
-<a>15</a>
+<a>17</a>
 <b>42</b>
-<v>1080</v>
+<v>511</v>
 </b>
 </bs>
 </hist>
@@ -28959,12 +29304,12 @@
 <b>
 <a>1</a>
 <b>2</b>
-<v>709316</v>
+<v>1384661</v>
 </b>
 <b>
 <a>2</a>
-<b>10857</b>
-<v>25354</v>
+<b>11328</b>
+<v>50279</v>
 </b>
 </bs>
 </hist>
@@ -28980,7 +29325,7 @@
 <b>
 <a>1</a>
 <b>2</b>
-<v>734670</v>
+<v>1434940</v>
 </b>
 </bs>
 </hist>
@@ -28996,12 +29341,12 @@
 <b>
 <a>1</a>
 <b>2</b>
-<v>725656</v>
+<v>1416836</v>
 </b>
 <b>
 <a>2</a>
-<b>3610</b>
-<v>9014</v>
+<b>3718</b>
+<v>18104</v>
 </b>
 </bs>
 </hist>
@@ -29017,7 +29362,7 @@
 <b>
 <a>1</a>
 <b>2</b>
-<v>734670</v>
+<v>1434940</v>
 </b>
 </bs>
 </hist>
@@ -29033,7 +29378,7 @@
 <b>
 <a>1</a>
 <b>2</b>
-<v>734670</v>
+<v>1434940</v>
 </b>
 </bs>
 </hist>
@@ -29049,12 +29394,12 @@
 <b>
 <a>1</a>
 <b>2</b>
-<v>709316</v>
+<v>1384661</v>
 </b>
 <b>
 <a>2</a>
-<b>10857</b>
-<v>25354</v>
+<b>11328</b>
+<v>50279</v>
 </b>
 </bs>
 </hist>
@@ -29064,15 +29409,15 @@
 </relation>
 <relation>
 <name>param_location</name>
-<cardinality>1316289</cardinality>
+<cardinality>2687049</cardinality>
 <columnsizes>
 <e>
 <k>id</k>
-<v>1187548</v>
+<v>2413735</v>
 </e>
 <e>
 <k>loc</k>
-<v>56062</v>
+<v>137535</v>
 </e>
 </columnsizes>
 <dependencies>
@@ -29086,17 +29431,17 @@
 <b>
 <a>1</a>
 <b>2</b>
-<v>1063895</v>
+<v>2150616</v>
 </b>
 <b>
 <a>2</a>
 <b>3</b>
-<v>120308</v>
+<v>256315</v>
 </b>
 <b>
 <a>3</a>
 <b>60</b>
-<v>3344</v>
+<v>6804</v>
 </b>
 </bs>
 </hist>
@@ -29112,12 +29457,12 @@
 <b>
 <a>1</a>
 <b>2</b>
-<v>54295</v>
+<v>133215</v>
 </b>
 <b>
 <a>2</a>
-<b>88836</b>
-<v>1767</v>
+<b>99581</b>
+<v>4320</v>
 </b>
 </bs>
 </hist>
@@ -29127,15 +29472,15 @@
 </relation>
 <relation>
 <name>statements</name>
-<cardinality>472277</cardinality>
+<cardinality>982702</cardinality>
 <columnsizes>
 <e>
 <k>id</k>
-<v>472277</v>
+<v>982702</v>
 </e>
 <e>
 <k>kind</k>
-<v>32</v>
+<v>38</v>
 </e>
 </columnsizes>
 <dependencies>
@@ -29149,7 +29494,7 @@
 <b>
 <a>1</a>
 <b>2</b>
-<v>472277</v>
+<v>982702</v>
 </b>
 </bs>
 </hist>
@@ -29163,83 +29508,83 @@
 <budget>12</budget>
 <bs>
 <b>
-<a>15</a>
-<b>36</b>
+<a>57</a>
+<b>85</b>
 <v>2</v>
 </b>
 <b>
-<a>48</a>
-<b>52</b>
+<a>97</a>
+<b>148</b>
 <v>2</v>
 </b>
 <b>
-<a>58</a>
-<b>110</b>
+<a>204</a>
+<b>266</b>
 <v>2</v>
 </b>
 <b>
-<a>139</a>
-<b>143</b>
+<a>283</a>
+<b>308</b>
 <v>2</v>
 </b>
 <b>
-<a>146</a>
-<b>218</b>
+<a>312</a>
+<b>593</b>
 <v>2</v>
 </b>
 <b>
-<a>366</a>
-<b>402</b>
+<a>790</a>
+<b>820</b>
 <v>2</v>
 </b>
 <b>
-<a>470</a>
-<b>471</b>
+<a>918</a>
+<b>926</b>
 <v>2</v>
 </b>
 <b>
-<a>490</a>
-<b>990</b>
+<a>1226</a>
+<b>1786</b>
 <v>2</v>
 </b>
 <b>
-<a>1105</a>
-<b>1370</b>
+<a>2200</a>
+<b>2468</b>
 <v>2</v>
 </b>
 <b>
-<a>1601</a>
-<b>1628</b>
+<a>2752</a>
+<b>3191</b>
 <v>2</v>
 </b>
 <b>
-<a>1877</a>
-<b>1904</b>
+<a>3456</a>
+<b>3580</b>
 <v>2</v>
 </b>
 <b>
-<a>2956</a>
-<b>5122</b>
+<a>5468</a>
+<b>8857</b>
 <v>2</v>
 </b>
 <b>
-<a>10374</a>
-<b>32130</b>
+<a>18283</a>
+<b>60466</b>
 <v>2</v>
 </b>
 <b>
-<a>37889</a>
-<b>48002</b>
+<a>62422</a>
+<b>75943</b>
 <v>2</v>
 </b>
 <b>
-<a>48236</a>
-<b>97276</b>
+<a>94725</a>
+<b>191608</b>
 <v>2</v>
 </b>
 <b>
-<a>151170</a>
-<b>151171</b>
+<a>246631</a>
+<b>246632</b>
 <v>1</v>
 </b>
 </bs>
@@ -29250,19 +29595,19 @@
 </relation>
 <relation>
 <name>stmt_parent</name>
-<cardinality>370789</cardinality>
+<cardinality>811174</cardinality>
 <columnsizes>
 <e>
 <k>stmt</k>
-<v>370789</v>
+<v>811174</v>
 </e>
 <e>
 <k>index</k>
-<v>246</v>
+<v>448</v>
 </e>
 <e>
 <k>parent</k>
-<v>204384</v>
+<v>429777</v>
 </e>
 </columnsizes>
 <dependencies>
@@ -29276,7 +29621,7 @@
 <b>
 <a>1</a>
 <b>2</b>
-<v>370789</v>
+<v>811174</v>
 </b>
 </bs>
 </hist>
@@ -29292,7 +29637,7 @@
 <b>
 <a>1</a>
 <b>2</b>
-<v>370789</v>
+<v>811174</v>
 </b>
 </bs>
 </hist>
@@ -29308,57 +29653,62 @@
 <b>
 <a>1</a>
 <b>2</b>
-<v>35</v>
+<v>114</v>
 </b>
 <b>
 <a>2</a>
-<b>4</b>
-<v>14</v>
+<b>3</b>
+<v>44</v>
 </b>
 <b>
-<a>4</a>
+<a>3</a>
 <b>5</b>
-<v>45</v>
+<v>26</v>
 </b>
 <b>
 <a>5</a>
-<b>11</b>
-<v>19</v>
+<b>8</b>
+<v>33</v>
 </b>
 <b>
-<a>11</a>
-<b>16</b>
-<v>15</v>
+<a>8</a>
+<b>9</b>
+<v>9</v>
 </b>
 <b>
-<a>16</a>
-<b>21</b>
-<v>22</v>
+<a>9</a>
+<b>10</b>
+<v>42</v>
 </b>
 <b>
-<a>21</a>
-<b>34</b>
-<v>19</v>
+<a>10</a>
+<b>26</b>
+<v>36</v>
 </b>
 <b>
-<a>37</a>
-<b>72</b>
-<v>19</v>
+<a>26</a>
+<b>45</b>
+<v>34</v>
 </b>
 <b>
-<a>78</a>
-<b>210</b>
-<v>19</v>
+<a>45</a>
+<b>95</b>
+<v>34</v>
 </b>
 <b>
-<a>229</a>
-<b>947</b>
-<v>19</v>
+<a>98</a>
+<b>472</b>
+<v>34</v>
 </b>
 <b>
-<a>1063</a>
-<b>135963</b>
-<v>16</v>
+<a>510</a>
+<b>78794</b>
+<v>34</v>
+</b>
+<b>
+<a>196048</a>
+<b>233227</b>
+<v>2</v>
 </b>
 </bs>
 </hist>
@@ -29374,57 +29724,62 @@
 <b>
 <a>1</a>
 <b>2</b>
-<v>35</v>
+<v>114</v>
 </b>
 <b>
 <a>2</a>
-<b>4</b>
-<v>14</v>
+<b>3</b>
+<v>44</v>
 </b>
 <b>
-<a>4</a>
+<a>3</a>
 <b>5</b>
-<v>45</v>
+<v>26</v>
 </b>
 <b>
 <a>5</a>
-<b>11</b>
-<v>19</v>
+<b>8</b>
+<v>33</v>
 </b>
 <b>
-<a>11</a>
-<b>16</b>
-<v>15</v>
+<a>8</a>
+<b>9</b>
+<v>9</v>
 </b>
 <b>
-<a>16</a>
-<b>21</b>
-<v>22</v>
+<a>9</a>
+<b>10</b>
+<v>42</v>
 </b>
 <b>
-<a>21</a>
-<b>34</b>
-<v>19</v>
+<a>10</a>
+<b>26</b>
+<v>36</v>
 </b>
 <b>
-<a>37</a>
-<b>72</b>
-<v>19</v>
+<a>26</a>
+<b>45</b>
+<v>34</v>
 </b>
 <b>
-<a>78</a>
-<b>210</b>
-<v>19</v>
+<a>45</a>
+<b>95</b>
+<v>34</v>
 </b>
 <b>
-<a>229</a>
-<b>947</b>
-<v>19</v>
+<a>98</a>
+<b>472</b>
+<v>34</v>
 </b>
 <b>
-<a>1063</a>
-<b>135963</b>
-<v>16</v>
+<a>510</a>
+<b>78794</b>
+<v>34</v>
+</b>
+<b>
+<a>196048</a>
+<b>233227</b>
+<v>2</v>
 </b>
 </bs>
 </hist>
@@ -29440,22 +29795,22 @@
 <b>
 <a>1</a>
 <b>2</b>
-<v>144057</v>
+<v>290998</v>
 </b>
 <b>
 <a>2</a>
 <b>3</b>
-<v>32560</v>
+<v>74368</v>
 </b>
 <b>
 <a>3</a>
 <b>5</b>
-<v>16168</v>
+<v>37451</v>
 </b>
 <b>
 <a>5</a>
-<b>233</b>
-<v>11597</v>
+<b>361</b>
+<v>26959</v>
 </b>
 </bs>
 </hist>
@@ -29471,22 +29826,22 @@
 <b>
 <a>1</a>
 <b>2</b>
-<v>144057</v>
+<v>290998</v>
 </b>
 <b>
 <a>2</a>
 <b>3</b>
-<v>32560</v>
+<v>74368</v>
 </b>
 <b>
 <a>3</a>
 <b>5</b>
-<v>16168</v>
+<v>37451</v>
 </b>
 <b>
 <a>5</a>
-<b>233</b>
-<v>11597</v>
+<b>361</b>
+<v>26959</v>
 </b>
 </bs>
 </hist>
@@ -29496,11 +29851,11 @@
 </relation>
 <relation>
 <name>stmt_parent_top_level</name>
-<cardinality>101488</cardinality>
+<cardinality>171527</cardinality>
 <columnsizes>
 <e>
 <k>stmt</k>
-<v>101488</v>
+<v>171527</v>
 </e>
 <e>
 <k>index</k>
@@ -29508,7 +29863,7 @@
 </e>
 <e>
 <k>parent</k>
-<v>83071</v>
+<v>125712</v>
 </e>
 </columnsizes>
 <dependencies>
@@ -29522,7 +29877,7 @@
 <b>
 <a>1</a>
 <b>2</b>
-<v>101488</v>
+<v>171527</v>
 </b>
 </bs>
 </hist>
@@ -29538,7 +29893,7 @@
 <b>
 <a>1</a>
 <b>2</b>
-<v>101488</v>
+<v>171527</v>
 </b>
 </bs>
 </hist>
@@ -29552,8 +29907,8 @@
 <budget>12</budget>
 <bs>
 <b>
-<a>96009</a>
-<b>96010</b>
+<a>138041</a>
+<b>138042</b>
 <v>1</v>
 </b>
 </bs>
@@ -29568,8 +29923,8 @@
 <budget>12</budget>
 <bs>
 <b>
-<a>78586</a>
-<b>78587</b>
+<a>101170</a>
+<b>101171</b>
 <v>1</v>
 </b>
 </bs>
@@ -29586,17 +29941,17 @@
 <b>
 <a>1</a>
 <b>2</b>
-<v>64837</v>
+<v>80545</v>
 </b>
 <b>
 <a>2</a>
 <b>3</b>
-<v>18049</v>
+<v>44525</v>
 </b>
 <b>
 <a>3</a>
-<b>4</b>
-<v>183</v>
+<b>5</b>
+<v>641</v>
 </b>
 </bs>
 </hist>
@@ -29612,7 +29967,7 @@
 <b>
 <a>1</a>
 <b>2</b>
-<v>83071</v>
+<v>125712</v>
 </b>
 </bs>
 </hist>
@@ -29622,15 +29977,15 @@
 </relation>
 <relation>
 <name>stmt_location</name>
-<cardinality>472277</cardinality>
+<cardinality>982702</cardinality>
 <columnsizes>
 <e>
 <k>id</k>
-<v>472277</v>
+<v>982702</v>
 </e>
 <e>
 <k>loc</k>
-<v>470073</v>
+<v>979818</v>
 </e>
 </columnsizes>
 <dependencies>
@@ -29644,7 +29999,7 @@
 <b>
 <a>1</a>
 <b>2</b>
-<v>472277</v>
+<v>982702</v>
 </b>
 </bs>
 </hist>
@@ -29660,12 +30015,12 @@
 <b>
 <a>1</a>
 <b>2</b>
-<v>467869</v>
+<v>976934</v>
 </b>
 <b>
 <a>2</a>
 <b>3</b>
-<v>2203</v>
+<v>2884</v>
 </b>
 </bs>
 </hist>
@@ -29675,15 +30030,15 @@
 </relation>
 <relation>
 <name>catch_type</name>
-<cardinality>1719</cardinality>
+<cardinality>3419</cardinality>
 <columnsizes>
 <e>
 <k>catch_id</k>
-<v>1719</v>
+<v>3419</v>
 </e>
 <e>
 <k>type_id</k>
-<v>79</v>
+<v>129</v>
 </e>
 <e>
 <k>kind</k>
@@ -29701,7 +30056,7 @@
 <b>
 <a>1</a>
 <b>2</b>
-<v>1719</v>
+<v>3419</v>
 </b>
 </bs>
 </hist>
@@ -29717,7 +30072,7 @@
 <b>
 <a>1</a>
 <b>2</b>
-<v>1719</v>
+<v>3419</v>
 </b>
 </bs>
 </hist>
@@ -29733,52 +30088,47 @@
 <b>
 <a>1</a>
 <b>2</b>
-<v>16</v>
+<v>32</v>
 </b>
 <b>
 <a>2</a>
 <b>3</b>
-<v>15</v>
+<v>22</v>
 </b>
 <b>
 <a>3</a>
 <b>4</b>
-<v>9</v>
+<v>11</v>
 </b>
 <b>
 <a>4</a>
 <b>5</b>
-<v>5</v>
+<v>12</v>
 </b>
 <b>
 <a>5</a>
-<b>7</b>
-<v>3</v>
+<b>8</b>
+<v>9</v>
 </b>
 <b>
-<a>7</a>
-<b>9</b>
-<v>6</v>
+<a>8</a>
+<b>13</b>
+<v>11</v>
 </b>
 <b>
-<a>10</a>
-<b>15</b>
-<v>6</v>
+<a>13</a>
+<b>24</b>
+<v>9</v>
 </b>
 <b>
-<a>15</a>
-<b>28</b>
-<v>6</v>
+<a>27</a>
+<b>47</b>
+<v>9</v>
 </b>
 <b>
-<a>29</a>
-<b>144</b>
-<v>6</v>
-</b>
-<b>
-<a>203</a>
-<b>316</b>
-<v>3</v>
+<a>48</a>
+<b>702</b>
+<v>9</v>
 </b>
 </bs>
 </hist>
@@ -29794,7 +30144,7 @@
 <b>
 <a>1</a>
 <b>2</b>
-<v>79</v>
+<v>129</v>
 </b>
 </bs>
 </hist>
@@ -29808,13 +30158,13 @@
 <budget>12</budget>
 <bs>
 <b>
-<a>278</a>
-<b>279</b>
+<a>492</a>
+<b>493</b>
 <v>1</v>
 </b>
 <b>
-<a>1349</a>
-<b>1350</b>
+<a>2260</a>
+<b>2261</b>
 <v>1</v>
 </b>
 </bs>
@@ -29834,8 +30184,8 @@
 <v>1</v>
 </b>
 <b>
-<a>74</a>
-<b>75</b>
+<a>103</a>
+<b>104</b>
 <v>1</v>
 </b>
 </bs>
@@ -29845,20 +30195,244 @@
 </dependencies>
 </relation>
 <relation>
+<name>foreach_stmt_info</name>
+<cardinality>5338</cardinality>
+<columnsizes>
+<e>
+<k>id</k>
+<v>5338</v>
+</e>
+<e>
+<k>kind</k>
+<v>9</v>
+</e>
+</columnsizes>
+<dependencies>
+<dep>
+<src>id</src>
+<trg>kind</trg>
+<val>
+<hist>
+<budget>12</budget>
+<bs>
+<b>
+<a>1</a>
+<b>2</b>
+<v>5338</v>
+</b>
+</bs>
+</hist>
+</val>
+</dep>
+<dep>
+<src>kind</src>
+<trg>id</trg>
+<val>
+<hist>
+<budget>12</budget>
+<bs>
+<b>
+<a>13</a>
+<b>14</b>
+<v>4</v>
+</b>
+<b>
+<a>1083</a>
+<b>1084</b>
+<v>4</v>
+</b>
+</bs>
+</hist>
+</val>
+</dep>
+</dependencies>
+</relation>
+<relation>
+<name>foreach_stmt_desugar</name>
+<cardinality>26642</cardinality>
+<columnsizes>
+<e>
+<k>id</k>
+<v>5338</v>
+</e>
+<e>
+<k>symbol</k>
+<v>5118</v>
+</e>
+<e>
+<k>kind</k>
+<v>24</v>
+</e>
+</columnsizes>
+<dependencies>
+<dep>
+<src>id</src>
+<trg>symbol</trg>
+<val>
+<hist>
+<budget>12</budget>
+<bs>
+<b>
+<a>4</a>
+<b>5</b>
+<v>48</v>
+</b>
+<b>
+<a>5</a>
+<b>6</b>
+<v>5289</v>
+</b>
+</bs>
+</hist>
+</val>
+</dep>
+<dep>
+<src>id</src>
+<trg>kind</trg>
+<val>
+<hist>
+<budget>12</budget>
+<bs>
+<b>
+<a>4</a>
+<b>5</b>
+<v>48</v>
+</b>
+<b>
+<a>5</a>
+<b>6</b>
+<v>5289</v>
+</b>
+</bs>
+</hist>
+</val>
+</dep>
+<dep>
+<src>symbol</src>
+<trg>id</trg>
+<val>
+<hist>
+<budget>12</budget>
+<bs>
+<b>
+<a>1</a>
+<b>2</b>
+<v>3097</v>
+</b>
+<b>
+<a>2</a>
+<b>3</b>
+<v>857</v>
+</b>
+<b>
+<a>3</a>
+<b>4</b>
+<v>370</v>
+</b>
+<b>
+<a>4</a>
+<b>7</b>
+<v>414</v>
+</b>
+<b>
+<a>7</a>
+<b>1074</b>
+<v>379</v>
+</b>
+</bs>
+</hist>
+</val>
+</dep>
+<dep>
+<src>symbol</src>
+<trg>kind</trg>
+<val>
+<hist>
+<budget>12</budget>
+<bs>
+<b>
+<a>1</a>
+<b>2</b>
+<v>5118</v>
+</b>
+</bs>
+</hist>
+</val>
+</dep>
+<dep>
+<src>kind</src>
+<trg>id</trg>
+<val>
+<hist>
+<budget>12</budget>
+<bs>
+<b>
+<a>1086</a>
+<b>1087</b>
+<v>4</v>
+</b>
+<b>
+<a>1096</a>
+<b>1097</b>
+<v>19</v>
+</b>
+</bs>
+</hist>
+</val>
+</dep>
+<dep>
+<src>kind</src>
+<trg>symbol</trg>
+<val>
+<hist>
+<budget>12</budget>
+<bs>
+<b>
+<a>2</a>
+<b>3</b>
+<v>4</v>
+</b>
+<b>
+<a>85</a>
+<b>86</b>
+<v>4</v>
+</b>
+<b>
+<a>318</a>
+<b>319</b>
+<v>4</v>
+</b>
+<b>
+<a>320</a>
+<b>321</b>
+<v>4</v>
+</b>
+<b>
+<a>326</a>
+<b>327</b>
+<v>4</v>
+</b>
+</bs>
+</hist>
+</val>
+</dep>
+</dependencies>
+</relation>
+<relation>
 <name>expressions</name>
-<cardinality>1967906</cardinality>
+<cardinality>4249848</cardinality>
 <columnsizes>
 <e>
 <k>id</k>
-<v>1967906</v>
+<v>4249848</v>
 </e>
 <e>
 <k>kind</k>
-<v>112</v>
+<v>132</v>
 </e>
 <e>
 <k>type_id</k>
-<v>15377</v>
+<v>33337</v>
 </e>
 </columnsizes>
 <dependencies>
@@ -29872,7 +30446,7 @@
 <b>
 <a>1</a>
 <b>2</b>
-<v>1967906</v>
+<v>4249848</v>
 </b>
 </bs>
 </hist>
@@ -29888,7 +30462,7 @@
 <b>
 <a>1</a>
 <b>2</b>
-<v>1967906</v>
+<v>4249848</v>
 </b>
 </bs>
 </hist>
@@ -29902,74 +30476,64 @@
 <budget>12</budget>
 <bs>
 <b>
-<a>3</a>
-<b>17</b>
-<v>8</v>
+<a>1</a>
+<b>39</b>
+<v>11</v>
 </b>
 <b>
-<a>18</a>
-<b>61</b>
-<v>8</v>
+<a>43</a>
+<b>148</b>
+<v>11</v>
 </b>
 <b>
-<a>61</a>
-<b>134</b>
-<v>8</v>
+<a>174</a>
+<b>371</b>
+<v>11</v>
 </b>
 <b>
-<a>145</a>
-<b>243</b>
-<v>8</v>
+<a>409</a>
+<b>693</b>
+<v>11</v>
 </b>
 <b>
-<a>250</a>
-<b>457</b>
-<v>8</v>
+<a>696</a>
+<b>1145</b>
+<v>11</v>
 </b>
 <b>
-<a>532</a>
-<b>643</b>
-<v>8</v>
+<a>1194</a>
+<b>1938</b>
+<v>11</v>
 </b>
 <b>
-<a>661</a>
-<b>1291</b>
-<v>8</v>
+<a>1945</a>
+<b>3489</b>
+<v>11</v>
 </b>
 <b>
-<a>1313</a>
-<b>2180</b>
-<v>8</v>
+<a>3723</a>
+<b>7222</b>
+<v>11</v>
 </b>
 <b>
-<a>2252</a>
-<b>3767</b>
-<v>8</v>
+<a>7548</a>
+<b>12815</b>
+<v>11</v>
 </b>
 <b>
-<a>4681</a>
-<b>6580</b>
-<v>8</v>
+<a>13024</a>
+<b>36215</b>
+<v>11</v>
 </b>
 <b>
-<a>7133</a>
-<b>22007</b>
-<v>8</v>
+<a>37825</a>
+<b>155093</b>
+<v>11</v>
 </b>
 <b>
-<a>22297</a>
-<b>62473</b>
-<v>8</v>
-</b>
-<b>
-<a>72642</a>
-<b>169972</b>
-<v>8</v>
-</b>
-<b>
-<a>174284</a>
-<b>252450</b>
-<v>2</v>
+<a>212653</a>
+<b>415548</b>
+<v>9</v>
 </b>
 </bs>
 </hist>
@@ -29985,57 +30549,52 @@
 <b>
 <a>1</a>
 <b>2</b>
-<v>31</v>
+<v>37</v>
 </b>
 <b>
 <a>2</a>
-<b>4</b>
-<v>8</v>
-</b>
-<b>
-<a>5</a>
-<b>8</b>
-<v>9</v>
+<b>6</b>
+<v>11</v>
 </b>
 <b>
 <a>8</a>
-<b>16</b>
-<v>8</v>
+<b>10</b>
+<v>11</v>
 </b>
 <b>
-<a>16</a>
-<b>37</b>
-<v>8</v>
+<a>11</a>
+<b>25</b>
+<v>11</v>
 </b>
 <b>
-<a>38</a>
-<b>71</b>
-<v>8</v>
+<a>33</a>
+<b>70</b>
+<v>11</v>
 </b>
 <b>
-<a>77</a>
-<b>137</b>
-<v>8</v>
+<a>70</a>
+<b>174</b>
+<v>11</v>
 </b>
 <b>
-<a>137</a>
-<b>337</b>
-<v>8</v>
+<a>195</a>
+<b>312</b>
+<v>11</v>
 </b>
 <b>
-<a>384</a>
-<b>790</b>
-<v>8</v>
+<a>369</a>
+<b>870</b>
+<v>11</v>
 </b>
 <b>
-<a>1764</a>
-<b>3948</b>
-<v>8</v>
+<a>940</a>
+<b>7017</b>
+<v>11</v>
 </b>
 <b>
-<a>4410</a>
-<b>7388</b>
-<v>3</v>
+<a>7043</a>
+<b>10152</b>
+<v>6</v>
 </b>
 </bs>
 </hist>
@@ -30051,67 +30610,57 @@
 <b>
 <a>1</a>
 <b>2</b>
-<v>2149</v>
+<v>7041</v>
 </b>
 <b>
 <a>2</a>
 <b>3</b>
-<v>1894</v>
+<v>3514</v>
 </b>
 <b>
 <a>3</a>
 <b>4</b>
-<v>786</v>
+<v>2355</v>
 </b>
 <b>
 <a>4</a>
 <b>5</b>
-<v>984</v>
+<v>1973</v>
 </b>
 <b>
 <a>5</a>
-<b>6</b>
-<v>970</v>
+<b>7</b>
+<v>2941</v>
 </b>
 <b>
-<a>6</a>
-<b>8</b>
-<v>1167</v>
+<a>7</a>
+<b>11</b>
+<v>3050</v>
 </b>
 <b>
-<a>8</a>
-<b>12</b>
-<v>1337</v>
+<a>11</a>
+<b>17</b>
+<v>2562</v>
 </b>
 <b>
-<a>12</a>
-<b>19</b>
-<v>1299</v>
+<a>17</a>
+<b>28</b>
+<v>2624</v>
 </b>
 <b>
-<a>19</a>
-<b>30</b>
-<v>1215</v>
-</b>
-<b>
-<a>30</a>
+<a>28</a>
 <b>50</b>
-<v>1164</v>
+<v>2526</v>
 </b>
 <b>
 <a>50</a>
-<b>113</b>
-<v>1161</v>
+<b>129</b>
+<v>2501</v>
 </b>
 <b>
-<a>113</a>
-<b>1379</b>
-<v>1154</v>
-</b>
-<b>
-<a>1383</a>
-<b>318203</b>
-<v>93</v>
+<a>129</a>
+<b>637120</b>
+<v>2246</v>
 </b>
 </bs>
 </hist>
@@ -30127,42 +30676,42 @@
 <b>
 <a>1</a>
 <b>2</b>
-<v>5687</v>
+<v>13053</v>
 </b>
 <b>
 <a>2</a>
 <b>3</b>
-<v>2551</v>
+<v>4824</v>
 </b>
 <b>
 <a>3</a>
 <b>4</b>
-<v>1979</v>
+<v>4688</v>
 </b>
 <b>
 <a>4</a>
 <b>5</b>
-<v>1305</v>
+<v>2594</v>
 </b>
 <b>
 <a>5</a>
 <b>6</b>
-<v>933</v>
+<v>2037</v>
 </b>
 <b>
 <a>6</a>
 <b>8</b>
-<v>1320</v>
+<v>2775</v>
 </b>
 <b>
 <a>8</a>
 <b>12</b>
-<v>1227</v>
+<v>2524</v>
 </b>
 <b>
 <a>12</a>
 <b>57</b>
-<v>372</v>
+<v>837</v>
 </b>
 </bs>
 </hist>
@@ -30172,19 +30721,19 @@
 </relation>
 <relation>
 <name>expr_parent</name>
-<cardinality>1745009</cardinality>
+<cardinality>3919489</cardinality>
 <columnsizes>
 <e>
 <k>expr</k>
-<v>1745009</v>
+<v>3919489</v>
 </e>
 <e>
 <k>index</k>
-<v>11825</v>
+<v>81443</v>
 </e>
 <e>
 <k>parent</k>
-<v>1152644</v>
+<v>2571970</v>
 </e>
 </columnsizes>
 <dependencies>
@@ -30198,7 +30747,7 @@
 <b>
 <a>1</a>
 <b>2</b>
-<v>1745009</v>
+<v>3919489</v>
 </b>
 </bs>
 </hist>
@@ -30214,7 +30763,7 @@
 <b>
 <a>1</a>
 <b>2</b>
-<v>1745009</v>
+<v>3919489</v>
 </b>
 </bs>
 </hist>
@@ -30230,47 +30779,22 @@
 <b>
 <a>1</a>
 <b>2</b>
-<v>3162</v>
+<v>67541</v>
 </b>
 <b>
 <a>2</a>
-<b>3</b>
-<v>439</v>
-</b>
-<b>
-<a>3</a>
-<b>4</b>
-<v>1589</v>
-</b>
-<b>
-<a>4</a>
-<b>5</b>
-<v>186</v>
-</b>
-<b>
-<a>5</a>
 <b>6</b>
-<v>1234</v>
+<v>6323</v>
 </b>
 <b>
 <a>6</a>
-<b>7</b>
-<v>2909</v>
+<b>13</b>
+<v>6164</v>
 </b>
 <b>
-<a>8</a>
-<b>10</b>
-<v>1020</v>
-</b>
-<b>
-<a>10</a>
-<b>18</b>
-<v>895</v>
-</b>
-<b>
-<a>18</a>
-<b>837462</b>
-<v>387</v>
+<a>13</a>
+<b>1590335</b>
+<v>1414</v>
 </b>
 </bs>
 </hist>
@@ -30286,47 +30810,22 @@
 <b>
 <a>1</a>
 <b>2</b>
-<v>3162</v>
+<v>67541</v>
 </b>
 <b>
 <a>2</a>
-<b>3</b>
-<v>439</v>
-</b>
-<b>
-<a>3</a>
-<b>4</b>
-<v>1589</v>
-</b>
-<b>
-<a>4</a>
-<b>5</b>
-<v>186</v>
-</b>
-<b>
-<a>5</a>
 <b>6</b>
-<v>1234</v>
+<v>6323</v>
 </b>
 <b>
 <a>6</a>
-<b>7</b>
-<v>2909</v>
+<b>13</b>
+<v>6164</v>
 </b>
 <b>
-<a>8</a>
-<b>10</b>
-<v>1020</v>
-</b>
-<b>
-<a>10</a>
-<b>18</b>
-<v>895</v>
-</b>
-<b>
-<a>18</a>
-<b>837462</b>
-<v>387</v>
+<a>13</a>
+<b>1590335</b>
+<v>1414</v>
 </b>
 </bs>
 </hist>
@@ -30342,17 +30841,17 @@
 <b>
 <a>1</a>
 <b>2</b>
-<v>726174</v>
+<v>1616500</v>
 </b>
 <b>
 <a>2</a>
 <b>3</b>
-<v>372615</v>
+<v>828257</v>
 </b>
 <b>
 <a>3</a>
-<b>11185</b>
-<v>53853</v>
+<b>65537</b>
+<v>127211</v>
 </b>
 </bs>
 </hist>
@@ -30368,17 +30867,17 @@
 <b>
 <a>1</a>
 <b>2</b>
-<v>726174</v>
+<v>1616500</v>
 </b>
 <b>
 <a>2</a>
 <b>3</b>
-<v>372615</v>
+<v>828257</v>
 </b>
 <b>
 <a>3</a>
-<b>11185</b>
-<v>53853</v>
+<b>65537</b>
+<v>127211</v>
 </b>
 </bs>
 </hist>
@@ -30388,19 +30887,19 @@
 </relation>
 <relation>
 <name>expr_parent_top_level</name>
-<cardinality>239881</cardinality>
+<cardinality>500059</cardinality>
 <columnsizes>
 <e>
 <k>expr</k>
-<v>239881</v>
+<v>500059</v>
 </e>
 <e>
 <k>index</k>
-<v>22</v>
+<v>43</v>
 </e>
 <e>
 <k>parent</k>
-<v>204873</v>
+<v>431875</v>
 </e>
 </columnsizes>
 <dependencies>
@@ -30414,7 +30913,7 @@
 <b>
 <a>1</a>
 <b>2</b>
-<v>239881</v>
+<v>500059</v>
 </b>
 </bs>
 </hist>
@@ -30430,7 +30929,7 @@
 <b>
 <a>1</a>
 <b>2</b>
-<v>239881</v>
+<v>500059</v>
 </b>
 </bs>
 </hist>
@@ -30446,47 +30945,47 @@
 <b>
 <a>2</a>
 <b>3</b>
-<v>2</v>
+<v>4</v>
 </b>
 <b>
 <a>43</a>
 <b>44</b>
-<v>2</v>
+<v>4</v>
 </b>
 <b>
 <a>113</a>
 <b>114</b>
-<v>2</v>
+<v>4</v>
 </b>
 <b>
-<a>125</a>
-<b>126</b>
-<v>2</v>
+<a>166</a>
+<b>167</b>
+<v>4</v>
 </b>
 <b>
 <a>250</a>
 <b>251</b>
-<v>2</v>
+<v>4</v>
 </b>
 <b>
 <a>884</a>
 <b>885</b>
-<v>2</v>
+<v>4</v>
 </b>
 <b>
-<a>4456</a>
-<b>4457</b>
-<v>2</v>
+<a>4465</a>
+<b>4466</b>
+<v>4</v>
 </b>
 <b>
-<a>8335</a>
-<b>8336</b>
-<v>2</v>
+<a>8472</a>
+<b>8473</b>
+<v>4</v>
 </b>
 <b>
-<a>81483</a>
-<b>81484</b>
-<v>2</v>
+<a>88274</a>
+<b>88275</b>
+<v>4</v>
 </b>
 </bs>
 </hist>
@@ -30502,47 +31001,47 @@
 <b>
 <a>2</a>
 <b>3</b>
-<v>2</v>
+<v>4</v>
 </b>
 <b>
 <a>43</a>
 <b>44</b>
-<v>2</v>
+<v>4</v>
 </b>
 <b>
 <a>113</a>
 <b>114</b>
-<v>2</v>
+<v>4</v>
 </b>
 <b>
-<a>125</a>
-<b>126</b>
-<v>2</v>
+<a>166</a>
+<b>167</b>
+<v>4</v>
 </b>
 <b>
 <a>250</a>
 <b>251</b>
-<v>2</v>
+<v>4</v>
 </b>
 <b>
 <a>884</a>
 <b>885</b>
-<v>2</v>
+<v>4</v>
 </b>
 <b>
-<a>4456</a>
-<b>4457</b>
-<v>2</v>
+<a>4465</a>
+<b>4466</b>
+<v>4</v>
 </b>
 <b>
-<a>8335</a>
-<b>8336</b>
-<v>2</v>
+<a>8472</a>
+<b>8473</b>
+<v>4</v>
 </b>
 <b>
-<a>81419</a>
-<b>81420</b>
-<v>2</v>
+<a>88210</a>
+<b>88211</b>
+<v>4</v>
 </b>
 </bs>
 </hist>
@@ -30558,17 +31057,17 @@
 <b>
 <a>1</a>
 <b>2</b>
-<v>184342</v>
+<v>391863</v>
 </b>
 <b>
 <a>2</a>
 <b>4</b>
-<v>18284</v>
+<v>35647</v>
 </b>
 <b>
 <a>4</a>
 <b>9</b>
-<v>2246</v>
+<v>4364</v>
 </b>
 </bs>
 </hist>
@@ -30584,17 +31083,17 @@
 <b>
 <a>1</a>
 <b>2</b>
-<v>184435</v>
+<v>392043</v>
 </b>
 <b>
 <a>2</a>
 <b>4</b>
-<v>18222</v>
+<v>35526</v>
 </b>
 <b>
 <a>4</a>
 <b>9</b>
-<v>2216</v>
+<v>4305</v>
 </b>
 </bs>
 </hist>
@@ -30604,490 +31103,55 @@
 </relation>
 <relation>
 <name>implicitly_typed_array_creation</name>
-<cardinality>3866</cardinality>
+<cardinality>10813</cardinality>
 <columnsizes>
 <e>
 <k>id</k>
-<v>3866</v>
+<v>10813</v>
 </e>
 </columnsizes>
 <dependencies/>
 </relation>
 <relation>
 <name>explicitly_sized_array_creation</name>
-<cardinality>1913</cardinality>
+<cardinality>4258</cardinality>
 <columnsizes>
 <e>
 <k>id</k>
-<v>1913</v>
+<v>4258</v>
 </e>
 </columnsizes>
 <dependencies/>
 </relation>
 <relation>
 <name>stackalloc_array_creation</name>
-<cardinality>170</cardinality>
+<cardinality>830</cardinality>
 <columnsizes>
 <e>
 <k>id</k>
-<v>170</v>
+<v>830</v>
 </e>
 </columnsizes>
 <dependencies/>
 </relation>
 <relation>
 <name>implicitly_typed_object_creation</name>
-<cardinality>405</cardinality>
+<cardinality>769</cardinality>
 <columnsizes>
 <e>
 <k>id</k>
-<v>405</v>
+<v>769</v>
 </e>
 </columnsizes>
 <dependencies/>
 </relation>
 <relation>
 <name>mutator_invocation_mode</name>
-<cardinality>2</cardinality>
+<cardinality>4</cardinality>
 <columnsizes>
 <e>
 <k>id</k>
-<v>2</v>
-</e>
-<e>
-<k>mode</k>
-<v>2</v>
-</e>
-</columnsizes>
-<dependencies>
-<dep>
-<src>id</src>
-<trg>mode</trg>
-<val>
-<hist>
-<budget>12</budget>
-<bs>
-<b>
-<a>1</a>
-<b>2</b>
-<v>2</v>
-</b>
-</bs>
-</hist>
-</val>
-</dep>
-<dep>
-<src>mode</src>
-<trg>id</trg>
-<val>
-<hist>
-<budget>12</budget>
-<bs>
-<b>
-<a>1</a>
-<b>2</b>
-<v>2</v>
-</b>
-</bs>
-</hist>
-</val>
-</dep>
-</dependencies>
-</relation>
-<relation>
-<name>expr_compiler_generated</name>
-<cardinality>759849</cardinality>
-<columnsizes>
-<e>
-<k>id</k>
-<v>759849</v>
-</e>
-</columnsizes>
-<dependencies/>
-</relation>
-<relation>
-<name>expr_value</name>
-<cardinality>719515</cardinality>
-<columnsizes>
-<e>
-<k>id</k>
-<v>719515</v>
-</e>
-<e>
-<k>value</k>
-<v>52225</v>
-</e>
-</columnsizes>
-<dependencies>
-<dep>
-<src>id</src>
-<trg>value</trg>
-<val>
-<hist>
-<budget>12</budget>
-<bs>
-<b>
-<a>1</a>
-<b>2</b>
-<v>719515</v>
-</b>
-</bs>
-</hist>
-</val>
-</dep>
-<dep>
-<src>value</src>
-<trg>id</trg>
-<val>
-<hist>
-<budget>12</budget>
-<bs>
-<b>
-<a>1</a>
-<b>2</b>
-<v>36487</v>
-</b>
-<b>
-<a>2</a>
-<b>3</b>
-<v>6531</v>
-</b>
-<b>
-<a>3</a>
-<b>5</b>
-<v>4017</v>
-</b>
-<b>
-<a>5</a>
-<b>25</b>
-<v>3927</v>
-</b>
-<b>
-<a>25</a>
-<b>148925</b>
-<v>1263</v>
-</b>
-</bs>
-</hist>
-</val>
-</dep>
-</dependencies>
-</relation>
-<relation>
-<name>expr_call</name>
-<cardinality>304738</cardinality>
-<columnsizes>
-<e>
-<k>caller_id</k>
-<v>304738</v>
-</e>
-<e>
-<k>target_id</k>
-<v>22603</v>
-</e>
-</columnsizes>
-<dependencies>
-<dep>
-<src>caller_id</src>
-<trg>target_id</trg>
-<val>
-<hist>
-<budget>12</budget>
-<bs>
-<b>
-<a>1</a>
-<b>2</b>
-<v>304738</v>
-</b>
-</bs>
-</hist>
-</val>
-</dep>
-<dep>
-<src>target_id</src>
-<trg>caller_id</trg>
-<val>
-<hist>
-<budget>12</budget>
-<bs>
-<b>
-<a>1</a>
-<b>2</b>
-<v>12775</v>
-</b>
-<b>
-<a>2</a>
-<b>3</b>
-<v>3512</v>
-</b>
-<b>
-<a>3</a>
-<b>4</b>
-<v>1884</v>
-</b>
-<b>
-<a>4</a>
-<b>7</b>
-<v>1846</v>
-</b>
-<b>
-<a>7</a>
-<b>24</b>
-<v>1714</v>
-</b>
-<b>
-<a>24</a>
-<b>23696</b>
-<v>872</v>
-</b>
-</bs>
-</hist>
-</val>
-</dep>
-</dependencies>
-</relation>
-<relation>
-<name>expr_access</name>
-<cardinality>603781</cardinality>
-<columnsizes>
-<e>
-<k>accesser_id</k>
-<v>603781</v>
-</e>
-<e>
-<k>target_id</k>
-<v>151428</v>
-</e>
-</columnsizes>
-<dependencies>
-<dep>
-<src>accesser_id</src>
-<trg>target_id</trg>
-<val>
-<hist>
-<budget>12</budget>
-<bs>
-<b>
-<a>1</a>
-<b>2</b>
-<v>603781</v>
-</b>
-</bs>
-</hist>
-</val>
-</dep>
-<dep>
-<src>target_id</src>
-<trg>accesser_id</trg>
-<val>
-<hist>
-<budget>12</budget>
-<bs>
-<b>
-<a>1</a>
-<b>2</b>
-<v>49895</v>
-</b>
-<b>
-<a>2</a>
-<b>3</b>
-<v>33117</v>
-</b>
-<b>
-<a>3</a>
-<b>4</b>
-<v>23450</v>
-</b>
-<b>
-<a>4</a>
-<b>5</b>
-<v>14681</v>
-</b>
-<b>
-<a>5</a>
-<b>6</b>
-<v>8746</v>
-</b>
-<b>
-<a>6</a>
-<b>10</b>
-<v>12743</v>
-</b>
-<b>
-<a>10</a>
-<b>4570</b>
-<v>8794</v>
-</b>
-</bs>
-</hist>
-</val>
-</dep>
-</dependencies>
-</relation>
-<relation>
-<name>expr_location</name>
-<cardinality>1970785</cardinality>
-<columnsizes>
-<e>
-<k>id</k>
-<v>1970785</v>
-</e>
-<e>
-<k>loc</k>
-<v>1481488</v>
-</e>
-</columnsizes>
-<dependencies>
-<dep>
-<src>id</src>
-<trg>loc</trg>
-<val>
-<hist>
-<budget>12</budget>
-<bs>
-<b>
-<a>1</a>
-<b>2</b>
-<v>1970785</v>
-</b>
-</bs>
-</hist>
-</val>
-</dep>
-<dep>
-<src>loc</src>
-<trg>id</trg>
-<val>
-<hist>
-<budget>12</budget>
-<bs>
-<b>
-<a>1</a>
-<b>2</b>
-<v>1266804</v>
-</b>
-<b>
-<a>2</a>
-<b>3</b>
-<v>207105</v>
-</b>
-<b>
-<a>3</a>
-<b>62488</b>
-<v>7578</v>
-</b>
-</bs>
-</hist>
-</val>
-</dep>
-</dependencies>
-</relation>
-<relation>
-<name>dynamic_member_name</name>
-<cardinality>6116</cardinality>
-<columnsizes>
-<e>
-<k>id</k>
-<v>6116</v>
-</e>
-<e>
-<k>name</k>
-<v>629</v>
-</e>
-</columnsizes>
-<dependencies>
-<dep>
-<src>id</src>
-<trg>name</trg>
-<val>
-<hist>
-<budget>12</budget>
-<bs>
-<b>
-<a>1</a>
-<b>2</b>
-<v>6116</v>
-</b>
-</bs>
-</hist>
-</val>
-</dep>
-<dep>
-<src>name</src>
-<trg>id</trg>
-<val>
-<hist>
-<budget>12</budget>
-<bs>
-<b>
-<a>1</a>
-<b>2</b>
-<v>172</v>
-</b>
-<b>
-<a>2</a>
-<b>3</b>
-<v>107</v>
-</b>
-<b>
-<a>3</a>
-<b>4</b>
-<v>82</v>
-</b>
-<b>
-<a>4</a>
-<b>5</b>
-<v>50</v>
-</b>
-<b>
-<a>5</a>
-<b>7</b>
-<v>47</v>
-</b>
-<b>
-<a>7</a>
-<b>11</b>
-<v>50</v>
-</b>
-<b>
-<a>11</a>
-<b>18</b>
-<v>50</v>
-</b>
-<b>
-<a>18</a>
-<b>47</b>
-<v>50</v>
-</b>
-<b>
-<a>70</a>
-<b>303</b>
-<v>17</v>
-</b>
-</bs>
-</hist>
-</val>
-</dep>
-</dependencies>
-</relation>
-<relation>
-<name>conditional_access</name>
-<cardinality>1323</cardinality>
-<columnsizes>
-<e>
-<k>id</k>
-<v>1323</v>
-</e>
-</columnsizes>
-<dependencies/>
-</relation>
-<relation>
-<name>expr_argument</name>
-<cardinality>409033</cardinality>
-<columnsizes>
-<e>
-<k>id</k>
-<v>409033</v>
+<v>4</v>
 </e>
 <e>
 <k>mode</k>
@@ -31105,7 +31169,7 @@
 <b>
 <a>1</a>
 <b>2</b>
-<v>409033</v>
+<v>4</v>
 </b>
 </bs>
 </hist>
@@ -31119,24 +31183,9 @@
 <budget>12</budget>
 <bs>
 <b>
-<a>93</a>
-<b>94</b>
-<v>1</v>
-</b>
-<b>
-<a>764</a>
-<b>765</b>
-<v>1</v>
-</b>
-<b>
-<a>1980</a>
-<b>1981</b>
-<v>1</v>
-</b>
-<b>
-<a>406196</a>
-<b>406197</b>
-<v>1</v>
+<a>1</a>
+<b>2</b>
+<v>4</v>
 </b>
 </bs>
 </hist>
@@ -31145,16 +31194,304 @@
 </dependencies>
 </relation>
 <relation>
-<name>expr_argument_name</name>
-<cardinality>27657</cardinality>
+<name>expr_compiler_generated</name>
+<cardinality>1629608</cardinality>
 <columnsizes>
 <e>
 <k>id</k>
-<v>27657</v>
+<v>1629608</v>
+</e>
+</columnsizes>
+<dependencies/>
+</relation>
+<relation>
+<name>expr_value</name>
+<cardinality>1399039</cardinality>
+<columnsizes>
+<e>
+<k>id</k>
+<v>1399039</v>
+</e>
+<e>
+<k>value</k>
+<v>102863</v>
+</e>
+</columnsizes>
+<dependencies>
+<dep>
+<src>id</src>
+<trg>value</trg>
+<val>
+<hist>
+<budget>12</budget>
+<bs>
+<b>
+<a>1</a>
+<b>2</b>
+<v>1399039</v>
+</b>
+</bs>
+</hist>
+</val>
+</dep>
+<dep>
+<src>value</src>
+<trg>id</trg>
+<val>
+<hist>
+<budget>12</budget>
+<bs>
+<b>
+<a>1</a>
+<b>2</b>
+<v>72292</v>
+</b>
+<b>
+<a>2</a>
+<b>3</b>
+<v>14945</v>
+</b>
+<b>
+<a>3</a>
+<b>6</b>
+<v>7875</v>
+</b>
+<b>
+<a>6</a>
+<b>2259</b>
+<v>7715</v>
+</b>
+<b>
+<a>2294</a>
+<b>272384</b>
+<v>36</v>
+</b>
+</bs>
+</hist>
+</val>
+</dep>
+</dependencies>
+</relation>
+<relation>
+<name>expr_call</name>
+<cardinality>677208</cardinality>
+<columnsizes>
+<e>
+<k>caller_id</k>
+<v>677208</v>
+</e>
+<e>
+<k>target_id</k>
+<v>53760</v>
+</e>
+</columnsizes>
+<dependencies>
+<dep>
+<src>caller_id</src>
+<trg>target_id</trg>
+<val>
+<hist>
+<budget>12</budget>
+<bs>
+<b>
+<a>1</a>
+<b>2</b>
+<v>677208</v>
+</b>
+</bs>
+</hist>
+</val>
+</dep>
+<dep>
+<src>target_id</src>
+<trg>caller_id</trg>
+<val>
+<hist>
+<budget>12</budget>
+<bs>
+<b>
+<a>1</a>
+<b>2</b>
+<v>28797</v>
+</b>
+<b>
+<a>2</a>
+<b>3</b>
+<v>10035</v>
+</b>
+<b>
+<a>3</a>
+<b>4</b>
+<v>4354</v>
+</b>
+<b>
+<a>4</a>
+<b>7</b>
+<v>4652</v>
+</b>
+<b>
+<a>7</a>
+<b>24</b>
+<v>4067</v>
+</b>
+<b>
+<a>24</a>
+<b>43831</b>
+<v>1855</v>
+</b>
+</bs>
+</hist>
+</val>
+</dep>
+</dependencies>
+</relation>
+<relation>
+<name>expr_access</name>
+<cardinality>1375134</cardinality>
+<columnsizes>
+<e>
+<k>accesser_id</k>
+<v>1375134</v>
+</e>
+<e>
+<k>target_id</k>
+<v>338201</v>
+</e>
+</columnsizes>
+<dependencies>
+<dep>
+<src>accesser_id</src>
+<trg>target_id</trg>
+<val>
+<hist>
+<budget>12</budget>
+<bs>
+<b>
+<a>1</a>
+<b>2</b>
+<v>1375134</v>
+</b>
+</bs>
+</hist>
+</val>
+</dep>
+<dep>
+<src>target_id</src>
+<trg>accesser_id</trg>
+<val>
+<hist>
+<budget>12</budget>
+<bs>
+<b>
+<a>1</a>
+<b>2</b>
+<v>110095</v>
+</b>
+<b>
+<a>2</a>
+<b>3</b>
+<v>71039</v>
+</b>
+<b>
+<a>3</a>
+<b>4</b>
+<v>54599</v>
+</b>
+<b>
+<a>4</a>
+<b>5</b>
+<v>33048</v>
+</b>
+<b>
+<a>5</a>
+<b>6</b>
+<v>19820</v>
+</b>
+<b>
+<a>6</a>
+<b>9</b>
+<v>25648</v>
+</b>
+<b>
+<a>9</a>
+<b>7782</b>
+<v>23949</v>
+</b>
+</bs>
+</hist>
+</val>
+</dep>
+</dependencies>
+</relation>
+<relation>
+<name>expr_location</name>
+<cardinality>4249848</cardinality>
+<columnsizes>
+<e>
+<k>id</k>
+<v>4249848</v>
+</e>
+<e>
+<k>loc</k>
+<v>3325383</v>
+</e>
+</columnsizes>
+<dependencies>
+<dep>
+<src>id</src>
+<trg>loc</trg>
+<val>
+<hist>
+<budget>12</budget>
+<bs>
+<b>
+<a>1</a>
+<b>2</b>
+<v>4249848</v>
+</b>
+</bs>
+</hist>
+</val>
+</dep>
+<dep>
+<src>loc</src>
+<trg>id</trg>
+<val>
+<hist>
+<budget>12</budget>
+<bs>
+<b>
+<a>1</a>
+<b>2</b>
+<v>2815023</v>
+</b>
+<b>
+<a>2</a>
+<b>3</b>
+<v>493349</v>
+</b>
+<b>
+<a>3</a>
+<b>105362</b>
+<v>17010</v>
+</b>
+</bs>
+</hist>
+</val>
+</dep>
+</dependencies>
+</relation>
+<relation>
+<name>dynamic_member_name</name>
+<cardinality>13627</cardinality>
+<columnsizes>
+<e>
+<k>id</k>
+<v>13627</v>
 </e>
 <e>
 <k>name</k>
-<v>1049</v>
+<v>1407</v>
 </e>
 </columnsizes>
 <dependencies>
@@ -31168,7 +31505,7 @@
 <b>
 <a>1</a>
 <b>2</b>
-<v>27657</v>
+<v>13627</v>
 </b>
 </bs>
 </hist>
@@ -31184,47 +31521,204 @@
 <b>
 <a>1</a>
 <b>2</b>
-<v>344</v>
+<v>409</v>
 </b>
 <b>
 <a>2</a>
 <b>3</b>
-<v>172</v>
+<v>248</v>
 </b>
 <b>
 <a>3</a>
 <b>4</b>
-<v>101</v>
+<v>160</v>
 </b>
 <b>
 <a>4</a>
 <b>5</b>
-<v>71</v>
+<v>112</v>
+</b>
+<b>
+<a>5</a>
+<b>7</b>
+<v>116</v>
+</b>
+<b>
+<a>7</a>
+<b>11</b>
+<v>121</v>
+</b>
+<b>
+<a>11</a>
+<b>19</b>
+<v>107</v>
+</b>
+<b>
+<a>20</a>
+<b>97</b>
+<v>107</v>
+</b>
+<b>
+<a>122</a>
+<b>304</b>
+<v>24</v>
+</b>
+</bs>
+</hist>
+</val>
+</dep>
+</dependencies>
+</relation>
+<relation>
+<name>conditional_access</name>
+<cardinality>3073</cardinality>
+<columnsizes>
+<e>
+<k>id</k>
+<v>3073</v>
+</e>
+</columnsizes>
+<dependencies/>
+</relation>
+<relation>
+<name>expr_argument</name>
+<cardinality>897951</cardinality>
+<columnsizes>
+<e>
+<k>id</k>
+<v>897951</v>
+</e>
+<e>
+<k>mode</k>
+<v>4</v>
+</e>
+</columnsizes>
+<dependencies>
+<dep>
+<src>id</src>
+<trg>mode</trg>
+<val>
+<hist>
+<budget>12</budget>
+<bs>
+<b>
+<a>1</a>
+<b>2</b>
+<v>897951</v>
+</b>
+</bs>
+</hist>
+</val>
+</dep>
+<dep>
+<src>mode</src>
+<trg>id</trg>
+<val>
+<hist>
+<budget>12</budget>
+<bs>
+<b>
+<a>213</a>
+<b>214</b>
+<v>1</v>
+</b>
+<b>
+<a>4293</a>
+<b>4294</b>
+<v>1</v>
+</b>
+<b>
+<a>5669</a>
+<b>5670</b>
+<v>1</v>
+</b>
+<b>
+<a>887776</a>
+<b>887777</b>
+<v>1</v>
+</b>
+</bs>
+</hist>
+</val>
+</dep>
+</dependencies>
+</relation>
+<relation>
+<name>expr_argument_name</name>
+<cardinality>60805</cardinality>
+<columnsizes>
+<e>
+<k>id</k>
+<v>60805</v>
+</e>
+<e>
+<k>name</k>
+<v>2738</v>
+</e>
+</columnsizes>
+<dependencies>
+<dep>
+<src>id</src>
+<trg>name</trg>
+<val>
+<hist>
+<budget>12</budget>
+<bs>
+<b>
+<a>1</a>
+<b>2</b>
+<v>60805</v>
+</b>
+</bs>
+</hist>
+</val>
+</dep>
+<dep>
+<src>name</src>
+<trg>id</trg>
+<val>
+<hist>
+<budget>12</budget>
+<bs>
+<b>
+<a>1</a>
+<b>2</b>
+<v>895</v>
+</b>
+<b>
+<a>2</a>
+<b>3</b>
+<v>486</v>
+</b>
+<b>
+<a>3</a>
+<b>4</b>
+<v>281</v>
+</b>
+<b>
+<a>4</a>
+<b>5</b>
+<v>195</v>
 </b>
 <b>
 <a>5</a>
 <b>8</b>
-<v>96</v>
+<v>251</v>
 </b>
 <b>
 <a>8</a>
 <b>13</b>
-<v>89</v>
+<v>232</v>
 </b>
 <b>
 <a>13</a>
-<b>26</b>
-<v>81</v>
+<b>28</b>
+<v>207</v>
 </b>
 <b>
-<a>26</a>
-<b>187</b>
-<v>79</v>
-</b>
-<b>
-<a>212</a>
-<b>4751</b>
-<v>16</v>
+<a>28</a>
+<b>11230</b>
+<v>191</v>
 </b>
 </bs>
 </hist>
@@ -31282,11 +31776,11 @@
 </relation>
 <relation>
 <name>xmlDTDs</name>
-<cardinality>5</cardinality>
+<cardinality>6</cardinality>
 <columnsizes>
 <e>
 <k>id</k>
-<v>5</v>
+<v>6</v>
 </e>
 <e>
 <k>root</k>
@@ -31302,7 +31796,7 @@
 </e>
 <e>
 <k>fileid</k>
-<v>5</v>
+<v>6</v>
 </e>
 </columnsizes>
 <dependencies>
@@ -31316,7 +31810,7 @@
 <b>
 <a>1</a>
 <b>2</b>
-<v>5</v>
+<v>6</v>
 </b>
 </bs>
 </hist>
@@ -31332,7 +31826,7 @@
 <b>
 <a>1</a>
 <b>2</b>
-<v>5</v>
+<v>6</v>
 </b>
 </bs>
 </hist>
@@ -31348,7 +31842,7 @@
 <b>
 <a>1</a>
 <b>2</b>
-<v>5</v>
+<v>6</v>
 </b>
 </bs>
 </hist>
@@ -31364,7 +31858,7 @@
 <b>
 <a>1</a>
 <b>2</b>
-<v>5</v>
+<v>6</v>
 </b>
 </bs>
 </hist>
@@ -31582,7 +32076,7 @@
 <b>
 <a>1</a>
 <b>2</b>
-<v>5</v>
+<v>6</v>
 </b>
 </bs>
 </hist>
@@ -31598,7 +32092,7 @@
 <b>
 <a>1</a>
 <b>2</b>
-<v>5</v>
+<v>6</v>
 </b>
 </bs>
 </hist>
@@ -31614,7 +32108,7 @@
 <b>
 <a>1</a>
 <b>2</b>
-<v>5</v>
+<v>6</v>
 </b>
 </bs>
 </hist>
@@ -31630,7 +32124,7 @@
 <b>
 <a>1</a>
 <b>2</b>
-<v>5</v>
+<v>6</v>
 </b>
 </bs>
 </hist>
@@ -35693,11 +36187,11 @@
 </relation>
 <relation>
 <name>commentline</name>
-<cardinality>94236</cardinality>
+<cardinality>419593</cardinality>
 <columnsizes>
 <e>
 <k>id</k>
-<v>94236</v>
+<v>419593</v>
 </e>
 <e>
 <k>kind</k>
@@ -35705,11 +36199,11 @@
 </e>
 <e>
 <k>text</k>
-<v>52841</v>
+<v>201215</v>
 </e>
 <e>
 <k>rawtext</k>
-<v>53561</v>
+<v>203884</v>
 </e>
 </columnsizes>
 <dependencies>
@@ -35723,7 +36217,7 @@
 <b>
 <a>1</a>
 <b>2</b>
-<v>94236</v>
+<v>419593</v>
 </b>
 </bs>
 </hist>
@@ -35739,7 +36233,7 @@
 <b>
 <a>1</a>
 <b>2</b>
-<v>94236</v>
+<v>419593</v>
 </b>
 </bs>
 </hist>
@@ -35755,7 +36249,7 @@
 <b>
 <a>1</a>
 <b>2</b>
-<v>94236</v>
+<v>419593</v>
 </b>
 </bs>
 </hist>
@@ -35769,18 +36263,18 @@
 <budget>12</budget>
 <bs>
 <b>
-<a>604</a>
-<b>605</b>
+<a>18162</a>
+<b>18163</b>
 <v>1</v>
 </b>
 <b>
-<a>7127</a>
-<b>7128</b>
+<a>152161</a>
+<b>152162</b>
 <v>1</v>
 </b>
 <b>
-<a>81418</a>
-<b>81419</b>
+<a>167355</a>
+<b>167356</b>
 <v>1</v>
 </b>
 </bs>
@@ -35795,18 +36289,18 @@
 <budget>12</budget>
 <bs>
 <b>
-<a>156</a>
-<b>157</b>
+<a>12037</a>
+<b>12038</b>
 <v>1</v>
 </b>
 <b>
-<a>4531</a>
-<b>4532</b>
+<a>60681</a>
+<b>60682</b>
 <v>1</v>
 </b>
 <b>
-<a>45654</a>
-<b>45655</b>
+<a>90120</a>
+<b>90121</b>
 <v>1</v>
 </b>
 </bs>
@@ -35821,18 +36315,18 @@
 <budget>12</budget>
 <bs>
 <b>
-<a>157</a>
-<b>158</b>
+<a>12704</a>
+<b>12705</b>
 <v>1</v>
 </b>
 <b>
-<a>4678</a>
-<b>4679</b>
+<a>60920</a>
+<b>60921</b>
 <v>1</v>
 </b>
 <b>
-<a>45835</a>
-<b>45836</b>
+<a>90457</a>
+<b>90458</b>
 <v>1</v>
 </b>
 </bs>
@@ -35849,17 +36343,17 @@
 <b>
 <a>1</a>
 <b>2</b>
-<v>44757</v>
+<v>164841</v>
 </b>
 <b>
 <a>2</a>
 <b>3</b>
-<v>5919</v>
+<v>23991</v>
 </b>
 <b>
 <a>3</a>
-<b>6105</b>
-<v>2164</v>
+<b>24462</b>
+<v>12382</v>
 </b>
 </bs>
 </hist>
@@ -35875,12 +36369,12 @@
 <b>
 <a>1</a>
 <b>2</b>
-<v>52470</v>
+<v>200103</v>
 </b>
 <b>
 <a>2</a>
 <b>4</b>
-<v>371</v>
+<v>1112</v>
 </b>
 </bs>
 </hist>
@@ -35896,12 +36390,12 @@
 <b>
 <a>1</a>
 <b>2</b>
-<v>52264</v>
+<v>199092</v>
 </b>
 <b>
 <a>2</a>
-<b>35</b>
-<v>577</v>
+<b>51</b>
+<v>2122</v>
 </b>
 </bs>
 </hist>
@@ -35917,17 +36411,17 @@
 <b>
 <a>1</a>
 <b>2</b>
-<v>45738</v>
+<v>168234</v>
 </b>
 <b>
 <a>2</a>
 <b>3</b>
-<v>5679</v>
+<v>23515</v>
 </b>
 <b>
 <a>3</a>
-<b>5512</b>
-<v>2143</v>
+<b>24457</b>
+<v>12133</v>
 </b>
 </bs>
 </hist>
@@ -35943,7 +36437,7 @@
 <b>
 <a>1</a>
 <b>2</b>
-<v>53561</v>
+<v>203884</v>
 </b>
 </bs>
 </hist>
@@ -35959,7 +36453,7 @@
 <b>
 <a>1</a>
 <b>2</b>
-<v>53561</v>
+<v>203884</v>
 </b>
 </bs>
 </hist>
@@ -35969,15 +36463,15 @@
 </relation>
 <relation>
 <name>commentline_location</name>
-<cardinality>94236</cardinality>
+<cardinality>419593</cardinality>
 <columnsizes>
 <e>
 <k>id</k>
-<v>94236</v>
+<v>419593</v>
 </e>
 <e>
 <k>loc</k>
-<v>94236</v>
+<v>419593</v>
 </e>
 </columnsizes>
 <dependencies>
@@ -35991,7 +36485,7 @@
 <b>
 <a>1</a>
 <b>2</b>
-<v>94236</v>
+<v>419593</v>
 </b>
 </bs>
 </hist>
@@ -36007,7 +36501,7 @@
 <b>
 <a>1</a>
 <b>2</b>
-<v>94236</v>
+<v>419593</v>
 </b>
 </bs>
 </hist>
@@ -36017,26 +36511,26 @@
 </relation>
 <relation>
 <name>commentblock</name>
-<cardinality>42325</cardinality>
+<cardinality>147802</cardinality>
 <columnsizes>
 <e>
 <k>id</k>
-<v>42325</v>
+<v>147802</v>
 </e>
 </columnsizes>
 <dependencies/>
 </relation>
 <relation>
 <name>commentblock_location</name>
-<cardinality>42325</cardinality>
+<cardinality>147802</cardinality>
 <columnsizes>
 <e>
 <k>id</k>
-<v>42325</v>
+<v>147802</v>
 </e>
 <e>
 <k>loc</k>
-<v>42325</v>
+<v>147802</v>
 </e>
 </columnsizes>
 <dependencies>
@@ -36050,7 +36544,7 @@
 <b>
 <a>1</a>
 <b>2</b>
-<v>42325</v>
+<v>147802</v>
 </b>
 </bs>
 </hist>
@@ -36066,7 +36560,7 @@
 <b>
 <a>1</a>
 <b>2</b>
-<v>42325</v>
+<v>147802</v>
 </b>
 </bs>
 </hist>
@@ -36076,15 +36570,15 @@
 </relation>
 <relation>
 <name>commentblock_binding</name>
-<cardinality>133597</cardinality>
+<cardinality>511943</cardinality>
 <columnsizes>
 <e>
 <k>id</k>
-<v>42288</v>
+<v>147743</v>
 </e>
 <e>
 <k>entity</k>
-<v>65144</v>
+<v>220972</v>
 </e>
 <e>
 <k>bindtype</k>
@@ -36102,22 +36596,22 @@
 <b>
 <a>1</a>
 <b>2</b>
-<v>9049</v>
+<v>18478</v>
 </b>
 <b>
 <a>2</a>
 <b>3</b>
-<v>10673</v>
+<v>29773</v>
 </b>
 <b>
 <a>3</a>
 <b>4</b>
-<v>22336</v>
+<v>99191</v>
 </b>
 <b>
 <a>4</a>
 <b>7</b>
-<v>228</v>
+<v>299</v>
 </b>
 </bs>
 </hist>
@@ -36133,22 +36627,22 @@
 <b>
 <a>1</a>
 <b>2</b>
-<v>7568</v>
+<v>13258</v>
 </b>
 <b>
 <a>2</a>
 <b>3</b>
-<v>1533</v>
+<v>5343</v>
 </b>
 <b>
 <a>3</a>
 <b>4</b>
-<v>10676</v>
+<v>29728</v>
 </b>
 <b>
 <a>4</a>
 <b>5</b>
-<v>22509</v>
+<v>99412</v>
 </b>
 </bs>
 </hist>
@@ -36164,17 +36658,17 @@
 <b>
 <a>1</a>
 <b>2</b>
-<v>50257</v>
+<v>161677</v>
 </b>
 <b>
 <a>2</a>
 <b>3</b>
-<v>10921</v>
+<v>43223</v>
 </b>
 <b>
 <a>3</a>
-<b>525</b>
-<v>3965</v>
+<b>9897</b>
+<v>16071</v>
 </b>
 </bs>
 </hist>
@@ -36190,22 +36684,22 @@
 <b>
 <a>1</a>
 <b>2</b>
-<v>32218</v>
+<v>96451</v>
 </b>
 <b>
 <a>2</a>
 <b>3</b>
-<v>25063</v>
+<v>94876</v>
 </b>
 <b>
 <a>3</a>
 <b>4</b>
-<v>7689</v>
+<v>28747</v>
 </b>
 <b>
 <a>4</a>
 <b>5</b>
-<v>173</v>
+<v>897</v>
 </b>
 </bs>
 </hist>
@@ -36219,23 +36713,23 @@
 <budget>12</budget>
 <bs>
 <b>
-<a>23541</a>
-<b>23542</b>
+<a>84123</a>
+<b>84124</b>
 <v>1</v>
 </b>
 <b>
-<a>32035</a>
-<b>32036</b>
+<a>104686</a>
+<b>104687</b>
 <v>1</v>
 </b>
 <b>
-<a>32822</a>
-<b>32823</b>
+<a>108160</a>
+<b>108161</b>
 <v>1</v>
 </b>
 <b>
-<a>37140</a>
-<b>37141</b>
+<a>114096</a>
+<b>114097</b>
 <v>1</v>
 </b>
 </bs>
@@ -36250,23 +36744,23 @@
 <budget>12</budget>
 <bs>
 <b>
-<a>15869</a>
-<b>15870</b>
+<a>35989</a>
+<b>35990</b>
 <v>1</v>
 </b>
 <b>
-<a>21711</a>
-<b>21712</b>
+<a>77578</a>
+<b>77579</b>
 <v>1</v>
 </b>
 <b>
-<a>29111</a>
-<b>29112</b>
+<a>86538</a>
+<b>86539</b>
 <v>1</v>
 </b>
 <b>
-<a>33686</a>
-<b>33687</b>
+<a>102518</a>
+<b>102519</b>
 <v>1</v>
 </b>
 </bs>
@@ -36277,19 +36771,19 @@
 </relation>
 <relation>
 <name>commentblock_child</name>
-<cardinality>132682</cardinality>
+<cardinality>555877</cardinality>
 <columnsizes>
 <e>
 <k>id</k>
-<v>42325</v>
+<v>147802</v>
 </e>
 <e>
 <k>commentline</k>
-<v>94161</v>
+<v>419504</v>
 </e>
 <e>
 <k>index</k>
-<v>1200</v>
+<v>5092</v>
 </e>
 </columnsizes>
 <dependencies>
@@ -36303,22 +36797,32 @@
 <b>
 <a>1</a>
 <b>2</b>
-<v>26814</v>
+<v>78982</v>
 </b>
 <b>
 <a>2</a>
 <b>3</b>
-<v>9030</v>
+<v>20337</v>
 </b>
 <b>
 <a>3</a>
+<b>4</b>
+<v>19370</v>
+</b>
+<b>
+<a>4</a>
 <b>5</b>
-<v>3555</v>
+<v>9150</v>
 </b>
 <b>
 <a>5</a>
-<b>1136</b>
-<v>2923</v>
+<b>8</b>
+<v>11712</v>
+</b>
+<b>
+<a>8</a>
+<b>4098</b>
+<v>8249</v>
 </b>
 </bs>
 </hist>
@@ -36334,27 +36838,37 @@
 <b>
 <a>1</a>
 <b>2</b>
-<v>2277</v>
+<v>4380</v>
 </b>
 <b>
 <a>2</a>
 <b>3</b>
-<v>24975</v>
+<v>75536</v>
 </b>
 <b>
 <a>3</a>
 <b>4</b>
-<v>8866</v>
+<v>22212</v>
 </b>
 <b>
 <a>4</a>
+<b>5</b>
+<v>17481</v>
+</b>
+<b>
+<a>5</a>
 <b>6</b>
-<v>3376</v>
+<v>8801</v>
 </b>
 <b>
 <a>6</a>
-<b>1137</b>
-<v>2828</v>
+<b>9</b>
+<v>11424</v>
+</b>
+<b>
+<a>9</a>
+<b>4099</b>
+<v>7966</v>
 </b>
 </bs>
 </hist>
@@ -36370,7 +36884,12 @@
 <b>
 <a>1</a>
 <b>2</b>
-<v>94161</v>
+<v>419496</v>
+</b>
+<b>
+<a>2</a>
+<b>3</b>
+<v>8</v>
 </b>
 </bs>
 </hist>
@@ -36386,12 +36905,12 @@
 <b>
 <a>1</a>
 <b>2</b>
-<v>55641</v>
+<v>283141</v>
 </b>
 <b>
 <a>2</a>
 <b>3</b>
-<v>38520</v>
+<v>136363</v>
 </b>
 </bs>
 </hist>
@@ -36407,47 +36926,32 @@
 <b>
 <a>1</a>
 <b>2</b>
-<v>286</v>
+<v>2272</v>
 </b>
 <b>
 <a>2</a>
-<b>6</b>
-<v>71</v>
+<b>3</b>
+<v>1407</v>
 </b>
 <b>
-<a>6</a>
+<a>3</a>
 <b>7</b>
-<v>300</v>
+<v>406</v>
 </b>
 <b>
 <a>7</a>
 <b>10</b>
-<v>77</v>
-</b>
-<b>
-<a>10</a>
-<b>11</b>
-<v>145</v>
+<v>448</v>
 </b>
 <b>
 <a>11</a>
-<b>15</b>
-<v>64</v>
+<b>28</b>
+<v>387</v>
 </b>
 <b>
-<a>15</a>
-<b>17</b>
-<v>101</v>
-</b>
-<b>
-<a>17</a>
-<b>40</b>
-<v>99</v>
-</b>
-<b>
-<a>40</a>
-<b>40041</b>
-<v>53</v>
+<a>28</a>
+<b>118949</b>
+<v>168</v>
 </b>
 </bs>
 </hist>
@@ -36463,47 +36967,32 @@
 <b>
 <a>1</a>
 <b>2</b>
-<v>286</v>
+<v>2272</v>
 </b>
 <b>
 <a>2</a>
-<b>6</b>
-<v>71</v>
+<b>3</b>
+<v>1407</v>
 </b>
 <b>
-<a>6</a>
+<a>3</a>
 <b>7</b>
-<v>300</v>
+<v>406</v>
 </b>
 <b>
 <a>7</a>
 <b>10</b>
-<v>77</v>
-</b>
-<b>
-<a>10</a>
-<b>11</b>
-<v>145</v>
+<v>448</v>
 </b>
 <b>
 <a>11</a>
-<b>15</b>
-<v>64</v>
+<b>28</b>
+<v>387</v>
 </b>
 <b>
-<a>15</a>
-<b>17</b>
-<v>101</v>
-</b>
-<b>
-<a>17</a>
-<b>40</b>
-<v>99</v>
-</b>
-<b>
-<a>40</a>
-<b>40041</b>
-<v>53</v>
+<a>28</a>
+<b>118942</b>
+<v>168</v>
 </b>
 </bs>
 </hist>
@@ -36975,7 +37464,7 @@
 </e>
 <e>
 <k>name</k>
-<v>1</v>
+<v>2</v>
 </e>
 </columnsizes>
 <dependencies>
@@ -37003,8 +37492,13 @@
 <budget>12</budget>
 <bs>
 <b>
-<a>3</a>
-<b>4</b>
+<a>1</a>
+<b>2</b>
+<v>1</v>
+</b>
+<b>
+<a>2</a>
+<b>3</b>
 <v>1</v>
 </b>
 </bs>
@@ -37302,7 +37796,7 @@
 </e>
 <e>
 <k>name</k>
-<v>6</v>
+<v>3</v>
 </e>
 </columnsizes>
 <dependencies>
@@ -37330,19 +37824,9 @@
 <budget>12</budget>
 <bs>
 <b>
-<a>1</a>
-<b>2</b>
-<v>4</v>
-</b>
-<b>
-<a>2</a>
-<b>3</b>
-<v>1</v>
-</b>
-<b>
 <a>3</a>
 <b>4</b>
-<v>1</v>
+<v>3</v>
 </b>
 </bs>
 </hist>
@@ -37363,23 +37847,23 @@
 </relation>
 <relation>
 <name>cil_instruction</name>
-<cardinality>16552562</cardinality>
+<cardinality>32160402</cardinality>
 <columnsizes>
 <e>
 <k>id</k>
-<v>16552562</v>
+<v>32160402</v>
 </e>
 <e>
 <k>opcode</k>
-<v>496</v>
+<v>964</v>
 </e>
 <e>
 <k>index</k>
-<v>171041</v>
+<v>332320</v>
 </e>
 <e>
 <k>impl</k>
-<v>888189</v>
+<v>1725686</v>
 </e>
 </columnsizes>
 <dependencies>
@@ -37393,7 +37877,7 @@
 <b>
 <a>1</a>
 <b>2</b>
-<v>16552562</v>
+<v>32160402</v>
 </b>
 </bs>
 </hist>
@@ -37409,7 +37893,7 @@
 <b>
 <a>1</a>
 <b>2</b>
-<v>16552562</v>
+<v>32160402</v>
 </b>
 </bs>
 </hist>
@@ -37425,7 +37909,7 @@
 <b>
 <a>1</a>
 <b>2</b>
-<v>16552562</v>
+<v>32160402</v>
 </b>
 </bs>
 </hist>
@@ -37441,72 +37925,72 @@
 <b>
 <a>1</a>
 <b>7</b>
-<v>40</v>
+<v>77</v>
 </b>
 <b>
 <a>7</a>
 <b>42</b>
-<v>37</v>
+<v>73</v>
 </b>
 <b>
 <a>46</a>
 <b>106</b>
-<v>37</v>
+<v>73</v>
 </b>
 <b>
 <a>128</a>
 <b>302</b>
-<v>37</v>
+<v>73</v>
 </b>
 <b>
 <a>304</a>
 <b>953</b>
-<v>37</v>
+<v>73</v>
 </b>
 <b>
 <a>1002</a>
 <b>1752</b>
-<v>37</v>
+<v>73</v>
 </b>
 <b>
 <a>1791</a>
 <b>2952</b>
-<v>37</v>
+<v>73</v>
 </b>
 <b>
 <a>3194</a>
 <b>4898</b>
-<v>37</v>
+<v>73</v>
 </b>
 <b>
 <a>5191</a>
 <b>11577</b>
-<v>37</v>
+<v>73</v>
 </b>
 <b>
 <a>11669</a>
 <b>19719</b>
-<v>37</v>
+<v>73</v>
 </b>
 <b>
 <a>19906</a>
 <b>53412</b>
-<v>37</v>
+<v>73</v>
 </b>
 <b>
 <a>54233</a>
 <b>104298</b>
-<v>37</v>
+<v>73</v>
 </b>
 <b>
 <a>104740</a>
 <b>420483</b>
-<v>37</v>
+<v>73</v>
 </b>
 <b>
 <a>562153</a>
 <b>815024</b>
-<v>5</v>
+<v>9</v>
 </b>
 </bs>
 </hist>
@@ -37522,67 +38006,67 @@
 <b>
 <a>1</a>
 <b>7</b>
-<v>42</v>
+<v>82</v>
 </b>
 <b>
 <a>10</a>
 <b>31</b>
-<v>37</v>
+<v>73</v>
 </b>
 <b>
 <a>32</a>
 <b>68</b>
-<v>37</v>
+<v>73</v>
 </b>
 <b>
 <a>75</a>
 <b>148</b>
-<v>37</v>
+<v>73</v>
 </b>
 <b>
 <a>150</a>
 <b>214</b>
-<v>37</v>
+<v>73</v>
 </b>
 <b>
 <a>214</a>
 <b>313</b>
-<v>40</v>
+<v>77</v>
 </b>
 <b>
 <a>323</a>
 <b>468</b>
-<v>37</v>
+<v>73</v>
 </b>
 <b>
 <a>486</a>
 <b>699</b>
-<v>37</v>
+<v>73</v>
 </b>
 <b>
 <a>714</a>
 <b>872</b>
-<v>37</v>
+<v>73</v>
 </b>
 <b>
 <a>879</a>
 <b>1176</b>
-<v>37</v>
+<v>73</v>
 </b>
 <b>
 <a>1185</a>
 <b>1360</b>
-<v>37</v>
+<v>73</v>
 </b>
 <b>
 <a>1382</a>
 <b>2349</b>
-<v>37</v>
+<v>73</v>
 </b>
 <b>
 <a>2641</a>
 <b>31606</b>
-<v>37</v>
+<v>73</v>
 </b>
 </bs>
 </hist>
@@ -37598,72 +38082,72 @@
 <b>
 <a>1</a>
 <b>6</b>
-<v>40</v>
+<v>77</v>
 </b>
 <b>
 <a>7</a>
 <b>22</b>
-<v>37</v>
+<v>73</v>
 </b>
 <b>
 <a>26</a>
 <b>58</b>
-<v>37</v>
+<v>73</v>
 </b>
 <b>
 <a>62</a>
 <b>191</b>
-<v>37</v>
+<v>73</v>
 </b>
 <b>
 <a>192</a>
 <b>422</b>
-<v>37</v>
+<v>73</v>
 </b>
 <b>
 <a>434</a>
 <b>696</b>
-<v>37</v>
+<v>73</v>
 </b>
 <b>
 <a>703</a>
 <b>993</b>
-<v>37</v>
+<v>73</v>
 </b>
 <b>
 <a>1012</a>
 <b>2698</b>
-<v>37</v>
+<v>73</v>
 </b>
 <b>
 <a>2754</a>
 <b>5088</b>
-<v>37</v>
+<v>73</v>
 </b>
 <b>
 <a>5150</a>
 <b>9841</b>
-<v>37</v>
+<v>73</v>
 </b>
 <b>
 <a>10112</a>
 <b>16999</b>
-<v>37</v>
+<v>73</v>
 </b>
 <b>
 <a>18955</a>
 <b>42845</b>
-<v>37</v>
+<v>73</v>
 </b>
 <b>
 <a>44005</a>
 <b>171634</b>
-<v>37</v>
+<v>73</v>
 </b>
 <b>
 <a>243198</a>
 <b>301111</b>
-<v>5</v>
+<v>9</v>
 </b>
 </bs>
 </hist>
@@ -37679,22 +38163,22 @@
 <b>
 <a>1</a>
 <b>2</b>
-<v>133975</v>
+<v>260304</v>
 </b>
 <b>
 <a>2</a>
 <b>11</b>
-<v>15742</v>
+<v>30587</v>
 </b>
 <b>
 <a>11</a>
 <b>25</b>
-<v>13115</v>
+<v>25482</v>
 </b>
 <b>
 <a>25</a>
 <b>354308</b>
-<v>8207</v>
+<v>15946</v>
 </b>
 </bs>
 </hist>
@@ -37710,27 +38194,27 @@
 <b>
 <a>1</a>
 <b>2</b>
-<v>134281</v>
+<v>260898</v>
 </b>
 <b>
 <a>2</a>
 <b>3</b>
-<v>9097</v>
+<v>17675</v>
 </b>
 <b>
 <a>3</a>
 <b>5</b>
-<v>14782</v>
+<v>28721</v>
 </b>
 <b>
 <a>5</a>
 <b>160</b>
-<v>12829</v>
+<v>24927</v>
 </b>
 <b>
 <a>160</a>
 <b>169</b>
-<v>50</v>
+<v>97</v>
 </b>
 </bs>
 </hist>
@@ -37746,22 +38230,22 @@
 <b>
 <a>1</a>
 <b>2</b>
-<v>133975</v>
+<v>260304</v>
 </b>
 <b>
 <a>2</a>
 <b>11</b>
-<v>15742</v>
+<v>30587</v>
 </b>
 <b>
 <a>11</a>
 <b>25</b>
-<v>13115</v>
+<v>25482</v>
 </b>
 <b>
 <a>25</a>
 <b>354308</b>
-<v>8207</v>
+<v>15946</v>
 </b>
 </bs>
 </hist>
@@ -37777,57 +38261,57 @@
 <b>
 <a>1</a>
 <b>2</b>
-<v>43222</v>
+<v>83978</v>
 </b>
 <b>
 <a>2</a>
 <b>3</b>
-<v>129568</v>
+<v>251741</v>
 </b>
 <b>
 <a>3</a>
 <b>4</b>
-<v>170983</v>
+<v>332208</v>
 </b>
 <b>
 <a>4</a>
 <b>5</b>
-<v>100772</v>
+<v>195793</v>
 </b>
 <b>
 <a>5</a>
 <b>6</b>
-<v>55082</v>
+<v>107021</v>
 </b>
 <b>
 <a>6</a>
 <b>9</b>
-<v>81281</v>
+<v>157924</v>
 </b>
 <b>
 <a>9</a>
 <b>14</b>
-<v>77684</v>
+<v>150934</v>
 </b>
 <b>
 <a>14</a>
 <b>21</b>
-<v>68857</v>
+<v>133785</v>
 </b>
 <b>
 <a>21</a>
 <b>35</b>
-<v>67649</v>
+<v>131437</v>
 </b>
 <b>
 <a>35</a>
 <b>106</b>
-<v>66634</v>
+<v>129465</v>
 </b>
 <b>
 <a>106</a>
 <b>68231</b>
-<v>26452</v>
+<v>51394</v>
 </b>
 </bs>
 </hist>
@@ -37843,57 +38327,57 @@
 <b>
 <a>1</a>
 <b>2</b>
-<v>43222</v>
+<v>83978</v>
 </b>
 <b>
 <a>2</a>
 <b>3</b>
-<v>129716</v>
+<v>252028</v>
 </b>
 <b>
 <a>3</a>
 <b>4</b>
-<v>174054</v>
+<v>338175</v>
 </b>
 <b>
 <a>4</a>
 <b>5</b>
-<v>123195</v>
+<v>239360</v>
 </b>
 <b>
 <a>5</a>
 <b>6</b>
-<v>68133</v>
+<v>132377</v>
 </b>
 <b>
 <a>6</a>
 <b>7</b>
-<v>49557</v>
+<v>96286</v>
 </b>
 <b>
 <a>7</a>
 <b>9</b>
-<v>76029</v>
+<v>147720</v>
 </b>
 <b>
 <a>9</a>
 <b>12</b>
-<v>66293</v>
+<v>128802</v>
 </b>
 <b>
 <a>12</a>
 <b>17</b>
-<v>69868</v>
+<v>135748</v>
 </b>
 <b>
 <a>17</a>
 <b>33</b>
-<v>67955</v>
+<v>132032</v>
 </b>
 <b>
 <a>33</a>
 <b>74</b>
-<v>20162</v>
+<v>39174</v>
 </b>
 </bs>
 </hist>
@@ -37909,57 +38393,57 @@
 <b>
 <a>1</a>
 <b>2</b>
-<v>43222</v>
+<v>83978</v>
 </b>
 <b>
 <a>2</a>
 <b>3</b>
-<v>129568</v>
+<v>251741</v>
 </b>
 <b>
 <a>3</a>
 <b>4</b>
-<v>170983</v>
+<v>332208</v>
 </b>
 <b>
 <a>4</a>
 <b>5</b>
-<v>100772</v>
+<v>195793</v>
 </b>
 <b>
 <a>5</a>
 <b>6</b>
-<v>55082</v>
+<v>107021</v>
 </b>
 <b>
 <a>6</a>
 <b>9</b>
-<v>81281</v>
+<v>157924</v>
 </b>
 <b>
 <a>9</a>
 <b>14</b>
-<v>77684</v>
+<v>150934</v>
 </b>
 <b>
 <a>14</a>
 <b>21</b>
-<v>68857</v>
+<v>133785</v>
 </b>
 <b>
 <a>21</a>
 <b>35</b>
-<v>67649</v>
+<v>131437</v>
 </b>
 <b>
 <a>35</a>
 <b>106</b>
-<v>66634</v>
+<v>129465</v>
 </b>
 <b>
 <a>106</a>
 <b>68231</b>
-<v>26452</v>
+<v>51394</v>
 </b>
 </bs>
 </hist>
@@ -37969,15 +38453,15 @@
 </relation>
 <relation>
 <name>cil_jump</name>
-<cardinality>1031096</cardinality>
+<cardinality>2003344</cardinality>
 <columnsizes>
 <e>
 <k>instruction</k>
-<v>1031096</v>
+<v>2003344</v>
 </e>
 <e>
 <k>target</k>
-<v>825801</v>
+<v>1604471</v>
 </e>
 </columnsizes>
 <dependencies>
@@ -37991,7 +38475,7 @@
 <b>
 <a>1</a>
 <b>2</b>
-<v>1031096</v>
+<v>2003344</v>
 </b>
 </bs>
 </hist>
@@ -38007,17 +38491,17 @@
 <b>
 <a>1</a>
 <b>2</b>
-<v>715866</v>
+<v>1390876</v>
 </b>
 <b>
 <a>2</a>
 <b>3</b>
-<v>73951</v>
+<v>143682</v>
 </b>
 <b>
 <a>3</a>
 <b>360</b>
-<v>35983</v>
+<v>69912</v>
 </b>
 </bs>
 </hist>
@@ -38027,15 +38511,15 @@
 </relation>
 <relation>
 <name>cil_access</name>
-<cardinality>6137610</cardinality>
+<cardinality>11924922</cardinality>
 <columnsizes>
 <e>
 <k>instruction</k>
-<v>6137610</v>
+<v>11924922</v>
 </e>
 <e>
 <k>target</k>
-<v>1371444</v>
+<v>2664615</v>
 </e>
 </columnsizes>
 <dependencies>
@@ -38049,7 +38533,7 @@
 <b>
 <a>1</a>
 <b>2</b>
-<v>6137610</v>
+<v>11924922</v>
 </b>
 </bs>
 </hist>
@@ -38065,37 +38549,37 @@
 <b>
 <a>1</a>
 <b>2</b>
-<v>486346</v>
+<v>944934</v>
 </b>
 <b>
 <a>2</a>
 <b>3</b>
-<v>380856</v>
+<v>739974</v>
 </b>
 <b>
 <a>3</a>
 <b>4</b>
-<v>138477</v>
+<v>269051</v>
 </b>
 <b>
 <a>4</a>
 <b>5</b>
-<v>96310</v>
+<v>187123</v>
 </b>
 <b>
 <a>5</a>
 <b>7</b>
-<v>116673</v>
+<v>226687</v>
 </b>
 <b>
 <a>7</a>
 <b>14</b>
-<v>104758</v>
+<v>203537</v>
 </b>
 <b>
 <a>14</a>
 <b>25741</b>
-<v>48023</v>
+<v>93306</v>
 </b>
 </bs>
 </hist>
@@ -38105,15 +38589,15 @@
 </relation>
 <relation>
 <name>cil_value</name>
-<cardinality>969669</cardinality>
+<cardinality>1883995</cardinality>
 <columnsizes>
 <e>
 <k>instruction</k>
-<v>969669</v>
+<v>1883995</v>
 </e>
 <e>
 <k>value</k>
-<v>254691</v>
+<v>494847</v>
 </e>
 </columnsizes>
 <dependencies>
@@ -38127,7 +38611,7 @@
 <b>
 <a>1</a>
 <b>2</b>
-<v>969669</v>
+<v>1883995</v>
 </b>
 </bs>
 </hist>
@@ -38143,27 +38627,27 @@
 <b>
 <a>1</a>
 <b>2</b>
-<v>172094</v>
+<v>334366</v>
 </b>
 <b>
 <a>2</a>
 <b>3</b>
-<v>40663</v>
+<v>79005</v>
 </b>
 <b>
 <a>3</a>
 <b>6</b>
-<v>20952</v>
+<v>40708</v>
 </b>
 <b>
 <a>6</a>
 <b>33</b>
-<v>19172</v>
+<v>37250</v>
 </b>
 <b>
 <a>33</a>
 <b>86799</b>
-<v>1809</v>
+<v>3516</v>
 </b>
 </bs>
 </hist>
@@ -38173,19 +38657,19 @@
 </relation>
 <relation>
 <name>cil_switch</name>
-<cardinality>100055</cardinality>
+<cardinality>194400</cardinality>
 <columnsizes>
 <e>
 <k>instruction</k>
-<v>12275</v>
+<v>23851</v>
 </e>
 <e>
 <k>index</k>
-<v>1296</v>
+<v>2518</v>
 </e>
 <e>
 <k>target</k>
-<v>67220</v>
+<v>130605</v>
 </e>
 </columnsizes>
 <dependencies>
@@ -38199,47 +38683,47 @@
 <b>
 <a>3</a>
 <b>4</b>
-<v>3612</v>
+<v>7018</v>
 </b>
 <b>
 <a>4</a>
 <b>5</b>
-<v>2363</v>
+<v>4592</v>
 </b>
 <b>
 <a>5</a>
 <b>6</b>
-<v>1662</v>
+<v>3229</v>
 </b>
 <b>
 <a>6</a>
 <b>7</b>
-<v>867</v>
+<v>1685</v>
 </b>
 <b>
 <a>7</a>
 <b>8</b>
-<v>742</v>
+<v>1441</v>
 </b>
 <b>
 <a>8</a>
 <b>11</b>
-<v>1110</v>
+<v>2157</v>
 </b>
 <b>
 <a>11</a>
 <b>17</b>
-<v>950</v>
+<v>1845</v>
 </b>
 <b>
 <a>17</a>
 <b>128</b>
-<v>922</v>
+<v>1792</v>
 </b>
 <b>
 <a>141</a>
 <b>518</b>
-<v>45</v>
+<v>87</v>
 </b>
 </bs>
 </hist>
@@ -38255,42 +38739,42 @@
 <b>
 <a>1</a>
 <b>3</b>
-<v>543</v>
+<v>1056</v>
 </b>
 <b>
 <a>3</a>
 <b>4</b>
-<v>4244</v>
+<v>8245</v>
 </b>
 <b>
 <a>4</a>
 <b>5</b>
-<v>2825</v>
+<v>5489</v>
 </b>
 <b>
 <a>5</a>
 <b>6</b>
-<v>1323</v>
+<v>2571</v>
 </b>
 <b>
 <a>6</a>
 <b>7</b>
-<v>947</v>
+<v>1841</v>
 </b>
 <b>
 <a>7</a>
 <b>9</b>
-<v>874</v>
+<v>1699</v>
 </b>
 <b>
 <a>9</a>
 <b>14</b>
-<v>925</v>
+<v>1797</v>
 </b>
 <b>
 <a>14</a>
 <b>204</b>
-<v>591</v>
+<v>1149</v>
 </b>
 </bs>
 </hist>
@@ -38306,52 +38790,52 @@
 <b>
 <a>1</a>
 <b>2</b>
-<v>12</v>
+<v>24</v>
 </b>
 <b>
 <a>2</a>
 <b>3</b>
-<v>508</v>
+<v>988</v>
 </b>
 <b>
 <a>3</a>
 <b>4</b>
-<v>25</v>
+<v>48</v>
 </b>
 <b>
 <a>4</a>
 <b>5</b>
-<v>185</v>
+<v>360</v>
 </b>
 <b>
 <a>6</a>
 <b>11</b>
-<v>105</v>
+<v>204</v>
 </b>
 <b>
 <a>11</a>
 <b>18</b>
-<v>105</v>
+<v>204</v>
 </b>
 <b>
 <a>18</a>
 <b>24</b>
-<v>97</v>
+<v>189</v>
 </b>
 <b>
 <a>25</a>
 <b>47</b>
-<v>102</v>
+<v>199</v>
 </b>
 <b>
 <a>47</a>
 <b>225</b>
-<v>97</v>
+<v>189</v>
 </b>
 <b>
 <a>238</a>
 <b>4898</b>
-<v>55</v>
+<v>107</v>
 </b>
 </bs>
 </hist>
@@ -38367,52 +38851,52 @@
 <b>
 <a>1</a>
 <b>2</b>
-<v>20</v>
+<v>38</v>
 </b>
 <b>
 <a>2</a>
 <b>3</b>
-<v>501</v>
+<v>974</v>
 </b>
 <b>
 <a>3</a>
 <b>4</b>
-<v>50</v>
+<v>97</v>
 </b>
 <b>
 <a>4</a>
 <b>5</b>
-<v>160</v>
+<v>311</v>
 </b>
 <b>
 <a>5</a>
 <b>11</b>
-<v>105</v>
+<v>204</v>
 </b>
 <b>
 <a>11</a>
 <b>18</b>
-<v>107</v>
+<v>209</v>
 </b>
 <b>
 <a>18</a>
 <b>24</b>
-<v>105</v>
+<v>204</v>
 </b>
 <b>
 <a>24</a>
 <b>47</b>
-<v>100</v>
+<v>194</v>
 </b>
 <b>
 <a>47</a>
 <b>271</b>
-<v>97</v>
+<v>189</v>
 </b>
 <b>
 <a>289</a>
 <b>4830</b>
-<v>47</v>
+<v>92</v>
 </b>
 </bs>
 </hist>
@@ -38428,12 +38912,12 @@
 <b>
 <a>1</a>
 <b>2</b>
-<v>66381</v>
+<v>128973</v>
 </b>
 <b>
 <a>2</a>
 <b>12</b>
-<v>839</v>
+<v>1631</v>
 </b>
 </bs>
 </hist>
@@ -38449,17 +38933,17 @@
 <b>
 <a>1</a>
 <b>2</b>
-<v>60843</v>
+<v>118214</v>
 </b>
 <b>
 <a>2</a>
 <b>7</b>
-<v>5146</v>
+<v>9999</v>
 </b>
 <b>
 <a>7</a>
 <b>253</b>
-<v>1230</v>
+<v>2391</v>
 </b>
 </bs>
 </hist>
@@ -38537,15 +39021,15 @@
 </relation>
 <relation>
 <name>cil_type_location</name>
-<cardinality>142744</cardinality>
+<cardinality>277341</cardinality>
 <columnsizes>
 <e>
 <k>id</k>
-<v>131230</v>
+<v>254970</v>
 </e>
 <e>
 <k>loc</k>
-<v>1757</v>
+<v>3414</v>
 </e>
 </columnsizes>
 <dependencies>
@@ -38559,12 +39043,12 @@
 <b>
 <a>1</a>
 <b>2</b>
-<v>119716</v>
+<v>232600</v>
 </b>
 <b>
 <a>2</a>
 <b>3</b>
-<v>11513</v>
+<v>22370</v>
 </b>
 </bs>
 </hist>
@@ -38580,67 +39064,67 @@
 <b>
 <a>1</a>
 <b>2</b>
-<v>147</v>
+<v>287</v>
 </b>
 <b>
 <a>2</a>
 <b>4</b>
-<v>112</v>
+<v>219</v>
 </b>
 <b>
 <a>4</a>
 <b>6</b>
-<v>120</v>
+<v>233</v>
 </b>
 <b>
 <a>6</a>
 <b>9</b>
-<v>152</v>
+<v>297</v>
 </b>
 <b>
 <a>9</a>
 <b>13</b>
-<v>140</v>
+<v>272</v>
 </b>
 <b>
 <a>13</a>
 <b>17</b>
-<v>137</v>
+<v>267</v>
 </b>
 <b>
 <a>17</a>
 <b>23</b>
-<v>145</v>
+<v>282</v>
 </b>
 <b>
 <a>23</a>
 <b>32</b>
-<v>135</v>
+<v>263</v>
 </b>
 <b>
 <a>32</a>
 <b>43</b>
-<v>137</v>
+<v>267</v>
 </b>
 <b>
 <a>43</a>
 <b>66</b>
-<v>132</v>
+<v>258</v>
 </b>
 <b>
 <a>66</a>
 <b>110</b>
-<v>135</v>
+<v>263</v>
 </b>
 <b>
 <a>112</a>
 <b>238</b>
-<v>132</v>
+<v>258</v>
 </b>
 <b>
 <a>239</a>
 <b>2419</b>
-<v>125</v>
+<v>243</v>
 </b>
 </bs>
 </hist>
@@ -38650,15 +39134,15 @@
 </relation>
 <relation>
 <name>cil_method_location</name>
-<cardinality>969646</cardinality>
+<cardinality>1883951</cardinality>
 <columnsizes>
 <e>
 <k>id</k>
-<v>924658</v>
+<v>1796543</v>
 </e>
 <e>
 <k>loc</k>
-<v>1609</v>
+<v>3126</v>
 </e>
 </columnsizes>
 <dependencies>
@@ -38672,12 +39156,12 @@
 <b>
 <a>1</a>
 <b>2</b>
-<v>879671</v>
+<v>1709135</v>
 </b>
 <b>
 <a>2</a>
 <b>3</b>
-<v>44987</v>
+<v>87407</v>
 </b>
 </bs>
 </hist>
@@ -38693,67 +39177,67 @@
 <b>
 <a>1</a>
 <b>11</b>
-<v>132</v>
+<v>258</v>
 </b>
 <b>
 <a>11</a>
 <b>23</b>
-<v>125</v>
+<v>243</v>
 </b>
 <b>
 <a>23</a>
 <b>38</b>
-<v>125</v>
+<v>243</v>
 </b>
 <b>
 <a>38</a>
 <b>53</b>
-<v>130</v>
+<v>253</v>
 </b>
 <b>
 <a>53</a>
 <b>79</b>
-<v>122</v>
+<v>238</v>
 </b>
 <b>
 <a>80</a>
 <b>107</b>
-<v>122</v>
+<v>238</v>
 </b>
 <b>
 <a>107</a>
 <b>138</b>
-<v>127</v>
+<v>248</v>
 </b>
 <b>
 <a>140</a>
 <b>204</b>
-<v>125</v>
+<v>243</v>
 </b>
 <b>
 <a>204</a>
 <b>278</b>
-<v>122</v>
+<v>238</v>
 </b>
 <b>
 <a>281</a>
 <b>385</b>
-<v>122</v>
+<v>238</v>
 </b>
 <b>
 <a>388</a>
 <b>734</b>
-<v>122</v>
+<v>238</v>
 </b>
 <b>
 <a>735</a>
 <b>1631</b>
-<v>122</v>
+<v>238</v>
 </b>
 <b>
 <a>1646</a>
 <b>33686</b>
-<v>105</v>
+<v>204</v>
 </b>
 </bs>
 </hist>
@@ -38763,27 +39247,27 @@
 </relation>
 <relation>
 <name>cil_type</name>
-<cardinality>409055</cardinality>
+<cardinality>794764</cardinality>
 <columnsizes>
 <e>
 <k>id</k>
-<v>409055</v>
+<v>794764</v>
 </e>
 <e>
 <k>name</k>
-<v>92151</v>
+<v>179043</v>
 </e>
 <e>
 <k>kind</k>
-<v>10</v>
+<v>19</v>
 </e>
 <e>
 <k>parent</k>
-<v>79995</v>
+<v>155425</v>
 </e>
 <e>
 <k>sourceDecl</k>
-<v>239129</v>
+<v>464610</v>
 </e>
 </columnsizes>
 <dependencies>
@@ -38797,7 +39281,7 @@
 <b>
 <a>1</a>
 <b>2</b>
-<v>409055</v>
+<v>794764</v>
 </b>
 </bs>
 </hist>
@@ -38813,7 +39297,7 @@
 <b>
 <a>1</a>
 <b>2</b>
-<v>409055</v>
+<v>794764</v>
 </b>
 </bs>
 </hist>
@@ -38829,7 +39313,7 @@
 <b>
 <a>1</a>
 <b>2</b>
-<v>409055</v>
+<v>794764</v>
 </b>
 </bs>
 </hist>
@@ -38845,7 +39329,7 @@
 <b>
 <a>1</a>
 <b>2</b>
-<v>409055</v>
+<v>794764</v>
 </b>
 </bs>
 </hist>
@@ -38861,22 +39345,22 @@
 <b>
 <a>1</a>
 <b>2</b>
-<v>70838</v>
+<v>137633</v>
 </b>
 <b>
 <a>2</a>
 <b>3</b>
-<v>11566</v>
+<v>22472</v>
 </b>
 <b>
 <a>3</a>
 <b>7</b>
-<v>7292</v>
+<v>14168</v>
 </b>
 <b>
 <a>7</a>
 <b>21324</b>
-<v>2454</v>
+<v>4768</v>
 </b>
 </bs>
 </hist>
@@ -38892,7 +39376,7 @@
 <b>
 <a>1</a>
 <b>2</b>
-<v>92151</v>
+<v>179043</v>
 </b>
 </bs>
 </hist>
@@ -38908,17 +39392,17 @@
 <b>
 <a>1</a>
 <b>2</b>
-<v>83582</v>
+<v>162395</v>
 </b>
 <b>
 <a>2</a>
 <b>4</b>
-<v>7021</v>
+<v>13642</v>
 </b>
 <b>
 <a>4</a>
 <b>21324</b>
-<v>1546</v>
+<v>3005</v>
 </b>
 </bs>
 </hist>
@@ -38934,17 +39418,17 @@
 <b>
 <a>1</a>
 <b>2</b>
-<v>75192</v>
+<v>146093</v>
 </b>
 <b>
 <a>2</a>
 <b>3</b>
-<v>11579</v>
+<v>22497</v>
 </b>
 <b>
 <a>3</a>
 <b>21324</b>
-<v>5379</v>
+<v>10452</v>
 </b>
 </bs>
 </hist>
@@ -38960,22 +39444,22 @@
 <b>
 <a>123</a>
 <b>124</b>
-<v>2</v>
+<v>4</v>
 </b>
 <b>
 <a>2909</a>
 <b>2910</b>
-<v>2</v>
+<v>4</v>
 </b>
 <b>
 <a>37932</a>
 <b>37933</b>
-<v>2</v>
+<v>4</v>
 </b>
 <b>
 <a>122212</a>
 <b>122213</b>
-<v>2</v>
+<v>4</v>
 </b>
 </bs>
 </hist>
@@ -38991,22 +39475,22 @@
 <b>
 <a>21</a>
 <b>22</b>
-<v>2</v>
+<v>4</v>
 </b>
 <b>
 <a>101</a>
 <b>102</b>
-<v>2</v>
+<v>4</v>
 </b>
 <b>
 <a>1188</a>
 <b>1189</b>
-<v>2</v>
+<v>4</v>
 </b>
 <b>
 <a>35450</a>
 <b>35451</b>
-<v>2</v>
+<v>4</v>
 </b>
 </bs>
 </hist>
@@ -39022,22 +39506,22 @@
 <b>
 <a>1</a>
 <b>2</b>
-<v>2</v>
+<v>4</v>
 </b>
 <b>
 <a>31</a>
 <b>32</b>
-<v>2</v>
+<v>4</v>
 </b>
 <b>
 <a>11217</a>
 <b>11218</b>
-<v>2</v>
+<v>4</v>
 </b>
 <b>
 <a>21323</a>
 <b>21324</b>
-<v>2</v>
+<v>4</v>
 </b>
 </bs>
 </hist>
@@ -39053,22 +39537,22 @@
 <b>
 <a>123</a>
 <b>124</b>
-<v>2</v>
+<v>4</v>
 </b>
 <b>
 <a>2464</a>
 <b>2465</b>
-<v>2</v>
+<v>4</v>
 </b>
 <b>
 <a>37932</a>
 <b>37933</b>
-<v>2</v>
+<v>4</v>
 </b>
 <b>
 <a>54872</a>
 <b>54873</b>
-<v>2</v>
+<v>4</v>
 </b>
 </bs>
 </hist>
@@ -39084,27 +39568,27 @@
 <b>
 <a>1</a>
 <b>2</b>
-<v>52382</v>
+<v>101775</v>
 </b>
 <b>
 <a>2</a>
 <b>3</b>
-<v>13790</v>
+<v>26793</v>
 </b>
 <b>
 <a>3</a>
 <b>6</b>
-<v>6866</v>
+<v>13340</v>
 </b>
 <b>
 <a>6</a>
 <b>33</b>
-<v>6021</v>
+<v>11699</v>
 </b>
 <b>
 <a>33</a>
 <b>26079</b>
-<v>935</v>
+<v>1816</v>
 </b>
 </bs>
 </hist>
@@ -39120,27 +39604,27 @@
 <b>
 <a>1</a>
 <b>2</b>
-<v>52678</v>
+<v>102350</v>
 </b>
 <b>
 <a>2</a>
 <b>3</b>
-<v>14005</v>
+<v>27212</v>
 </b>
 <b>
 <a>3</a>
 <b>6</b>
-<v>6813</v>
+<v>13238</v>
 </b>
 <b>
 <a>6</a>
 <b>38</b>
-<v>6013</v>
+<v>11684</v>
 </b>
 <b>
 <a>38</a>
 <b>1426</b>
-<v>483</v>
+<v>940</v>
 </b>
 </bs>
 </hist>
@@ -39156,12 +39640,12 @@
 <b>
 <a>1</a>
 <b>2</b>
-<v>78348</v>
+<v>152225</v>
 </b>
 <b>
 <a>2</a>
 <b>4</b>
-<v>1646</v>
+<v>3199</v>
 </b>
 </bs>
 </hist>
@@ -39177,27 +39661,27 @@
 <b>
 <a>1</a>
 <b>2</b>
-<v>52625</v>
+<v>102248</v>
 </b>
 <b>
 <a>2</a>
 <b>3</b>
-<v>14015</v>
+<v>27231</v>
 </b>
 <b>
 <a>3</a>
 <b>6</b>
-<v>6765</v>
+<v>13145</v>
 </b>
 <b>
 <a>6</a>
 <b>38</b>
-<v>6003</v>
+<v>11665</v>
 </b>
 <b>
 <a>38</a>
 <b>3476</b>
-<v>584</v>
+<v>1134</v>
 </b>
 </bs>
 </hist>
@@ -39213,12 +39697,12 @@
 <b>
 <a>1</a>
 <b>2</b>
-<v>225344</v>
+<v>437827</v>
 </b>
 <b>
 <a>2</a>
 <b>3705</b>
-<v>13785</v>
+<v>26783</v>
 </b>
 </bs>
 </hist>
@@ -39234,7 +39718,7 @@
 <b>
 <a>1</a>
 <b>2</b>
-<v>239129</v>
+<v>464610</v>
 </b>
 </bs>
 </hist>
@@ -39250,7 +39734,7 @@
 <b>
 <a>1</a>
 <b>2</b>
-<v>239129</v>
+<v>464610</v>
 </b>
 </bs>
 </hist>
@@ -39266,12 +39750,12 @@
 <b>
 <a>1</a>
 <b>2</b>
-<v>234845</v>
+<v>456287</v>
 </b>
 <b>
 <a>2</a>
 <b>225</b>
-<v>4284</v>
+<v>8323</v>
 </b>
 </bs>
 </hist>
@@ -39281,15 +39765,15 @@
 </relation>
 <relation>
 <name>cil_pointer_type</name>
-<cardinality>308</cardinality>
+<cardinality>599</cardinality>
 <columnsizes>
 <e>
 <k>id</k>
-<v>308</v>
+<v>599</v>
 </e>
 <e>
 <k>pointee</k>
-<v>308</v>
+<v>599</v>
 </e>
 </columnsizes>
 <dependencies>
@@ -39303,7 +39787,7 @@
 <b>
 <a>1</a>
 <b>2</b>
-<v>308</v>
+<v>599</v>
 </b>
 </bs>
 </hist>
@@ -39319,7 +39803,7 @@
 <b>
 <a>1</a>
 <b>2</b>
-<v>308</v>
+<v>599</v>
 </b>
 </bs>
 </hist>
@@ -39329,19 +39813,19 @@
 </relation>
 <relation>
 <name>cil_array_type</name>
-<cardinality>7292</cardinality>
+<cardinality>14168</cardinality>
 <columnsizes>
 <e>
 <k>id</k>
-<v>7292</v>
+<v>14168</v>
 </e>
 <e>
 <k>element_type</k>
-<v>7252</v>
+<v>14090</v>
 </e>
 <e>
 <k>rank</k>
-<v>7</v>
+<v>14</v>
 </e>
 </columnsizes>
 <dependencies>
@@ -39355,7 +39839,7 @@
 <b>
 <a>1</a>
 <b>2</b>
-<v>7292</v>
+<v>14168</v>
 </b>
 </bs>
 </hist>
@@ -39371,7 +39855,7 @@
 <b>
 <a>1</a>
 <b>2</b>
-<v>7292</v>
+<v>14168</v>
 </b>
 </bs>
 </hist>
@@ -39387,12 +39871,12 @@
 <b>
 <a>1</a>
 <b>2</b>
-<v>7214</v>
+<v>14017</v>
 </b>
 <b>
 <a>2</a>
 <b>4</b>
-<v>37</v>
+<v>73</v>
 </b>
 </bs>
 </hist>
@@ -39408,12 +39892,12 @@
 <b>
 <a>1</a>
 <b>2</b>
-<v>7214</v>
+<v>14017</v>
 </b>
 <b>
 <a>2</a>
 <b>4</b>
-<v>37</v>
+<v>73</v>
 </b>
 </bs>
 </hist>
@@ -39429,17 +39913,17 @@
 <b>
 <a>1</a>
 <b>2</b>
-<v>2</v>
+<v>4</v>
 </b>
 <b>
 <a>16</a>
 <b>17</b>
-<v>2</v>
+<v>4</v>
 </b>
 <b>
 <a>2892</a>
 <b>2893</b>
-<v>2</v>
+<v>4</v>
 </b>
 </bs>
 </hist>
@@ -39455,17 +39939,17 @@
 <b>
 <a>1</a>
 <b>2</b>
-<v>2</v>
+<v>4</v>
 </b>
 <b>
 <a>16</a>
 <b>17</b>
-<v>2</v>
+<v>4</v>
 </b>
 <b>
 <a>2892</a>
 <b>2893</b>
-<v>2</v>
+<v>4</v>
 </b>
 </bs>
 </hist>
@@ -39528,23 +40012,23 @@
 </relation>
 <relation>
 <name>cil_method</name>
-<cardinality>1189816</cardinality>
+<cardinality>2311725</cardinality>
 <columnsizes>
 <e>
 <k>id</k>
-<v>1189816</v>
+<v>2311725</v>
 </e>
 <e>
 <k>name</k>
-<v>226266</v>
+<v>439619</v>
 </e>
 <e>
 <k>parent</k>
-<v>195528</v>
+<v>379896</v>
 </e>
 <e>
 <k>return_type</k>
-<v>110065</v>
+<v>213848</v>
 </e>
 </columnsizes>
 <dependencies>
@@ -39558,7 +40042,7 @@
 <b>
 <a>1</a>
 <b>2</b>
-<v>1189816</v>
+<v>2311725</v>
 </b>
 </bs>
 </hist>
@@ -39574,7 +40058,7 @@
 <b>
 <a>1</a>
 <b>2</b>
-<v>1189816</v>
+<v>2311725</v>
 </b>
 </bs>
 </hist>
@@ -39590,7 +40074,7 @@
 <b>
 <a>1</a>
 <b>2</b>
-<v>1189816</v>
+<v>2311725</v>
 </b>
 </bs>
 </hist>
@@ -39606,27 +40090,27 @@
 <b>
 <a>1</a>
 <b>2</b>
-<v>139407</v>
+<v>270858</v>
 </b>
 <b>
 <a>2</a>
 <b>3</b>
-<v>40949</v>
+<v>79561</v>
 </b>
 <b>
 <a>3</a>
 <b>4</b>
-<v>12877</v>
+<v>25020</v>
 </b>
 <b>
 <a>4</a>
 <b>7</b>
-<v>17229</v>
+<v>33475</v>
 </b>
 <b>
 <a>7</a>
 <b>64064</b>
-<v>15803</v>
+<v>30704</v>
 </b>
 </bs>
 </hist>
@@ -39642,27 +40126,27 @@
 <b>
 <a>1</a>
 <b>2</b>
-<v>146614</v>
+<v>284861</v>
 </b>
 <b>
 <a>2</a>
 <b>3</b>
-<v>39384</v>
+<v>76521</v>
 </b>
 <b>
 <a>3</a>
 <b>5</b>
-<v>20508</v>
+<v>39846</v>
 </b>
 <b>
 <a>5</a>
 <b>25</b>
-<v>17056</v>
+<v>33139</v>
 </b>
 <b>
 <a>25</a>
 <b>52725</b>
-<v>2702</v>
+<v>5250</v>
 </b>
 </bs>
 </hist>
@@ -39678,17 +40162,17 @@
 <b>
 <a>1</a>
 <b>2</b>
-<v>197578</v>
+<v>383880</v>
 </b>
 <b>
 <a>2</a>
 <b>4</b>
-<v>20693</v>
+<v>40206</v>
 </b>
 <b>
 <a>4</a>
 <b>2803</b>
-<v>7994</v>
+<v>15532</v>
 </b>
 </bs>
 </hist>
@@ -39704,42 +40188,42 @@
 <b>
 <a>1</a>
 <b>2</b>
-<v>55538</v>
+<v>107908</v>
 </b>
 <b>
 <a>2</a>
 <b>3</b>
-<v>43468</v>
+<v>84456</v>
 </b>
 <b>
 <a>3</a>
 <b>4</b>
-<v>25692</v>
+<v>49918</v>
 </b>
 <b>
 <a>4</a>
 <b>5</b>
-<v>14695</v>
+<v>28551</v>
 </b>
 <b>
 <a>5</a>
 <b>7</b>
-<v>15878</v>
+<v>30850</v>
 </b>
 <b>
 <a>7</a>
 <b>11</b>
-<v>16931</v>
+<v>32896</v>
 </b>
 <b>
 <a>11</a>
 <b>21</b>
-<v>14893</v>
+<v>28936</v>
 </b>
 <b>
 <a>21</a>
 <b>3536</b>
-<v>8430</v>
+<v>16379</v>
 </b>
 </bs>
 </hist>
@@ -39755,42 +40239,42 @@
 <b>
 <a>1</a>
 <b>2</b>
-<v>58825</v>
+<v>114293</v>
 </b>
 <b>
 <a>2</a>
 <b>3</b>
-<v>44576</v>
+<v>86608</v>
 </b>
 <b>
 <a>3</a>
 <b>4</b>
-<v>25978</v>
+<v>50473</v>
 </b>
 <b>
 <a>4</a>
 <b>5</b>
-<v>14873</v>
+<v>28897</v>
 </b>
 <b>
 <a>5</a>
 <b>7</b>
-<v>16908</v>
+<v>32852</v>
 </b>
 <b>
 <a>7</a>
 <b>11</b>
-<v>15437</v>
+<v>29993</v>
 </b>
 <b>
 <a>11</a>
 <b>26</b>
-<v>14757</v>
+<v>28673</v>
 </b>
 <b>
 <a>26</a>
 <b>1885</b>
-<v>4171</v>
+<v>8104</v>
 </b>
 </bs>
 </hist>
@@ -39806,32 +40290,32 @@
 <b>
 <a>1</a>
 <b>2</b>
-<v>83409</v>
+<v>162059</v>
 </b>
 <b>
 <a>2</a>
 <b>3</b>
-<v>48191</v>
+<v>93632</v>
 </b>
 <b>
 <a>3</a>
 <b>4</b>
-<v>23862</v>
+<v>46363</v>
 </b>
 <b>
 <a>4</a>
 <b>5</b>
-<v>11982</v>
+<v>23281</v>
 </b>
 <b>
 <a>5</a>
 <b>7</b>
-<v>14604</v>
+<v>28376</v>
 </b>
 <b>
 <a>7</a>
 <b>1924</b>
-<v>13476</v>
+<v>26184</v>
 </b>
 </bs>
 </hist>
@@ -39847,27 +40331,27 @@
 <b>
 <a>1</a>
 <b>2</b>
-<v>67877</v>
+<v>131881</v>
 </b>
 <b>
 <a>2</a>
 <b>3</b>
-<v>19668</v>
+<v>38214</v>
 </b>
 <b>
 <a>3</a>
 <b>5</b>
-<v>9691</v>
+<v>18829</v>
 </b>
 <b>
 <a>5</a>
 <b>13</b>
-<v>8520</v>
+<v>16555</v>
 </b>
 <b>
 <a>13</a>
 <b>190707</b>
-<v>4306</v>
+<v>8367</v>
 </b>
 </bs>
 </hist>
@@ -39883,22 +40367,22 @@
 <b>
 <a>1</a>
 <b>2</b>
-<v>78972</v>
+<v>153438</v>
 </b>
 <b>
 <a>2</a>
 <b>3</b>
-<v>15607</v>
+<v>30324</v>
 </b>
 <b>
 <a>3</a>
 <b>6</b>
-<v>9846</v>
+<v>19131</v>
 </b>
 <b>
 <a>6</a>
 <b>28461</b>
-<v>5637</v>
+<v>10953</v>
 </b>
 </bs>
 </hist>
@@ -39914,22 +40398,22 @@
 <b>
 <a>1</a>
 <b>2</b>
-<v>74781</v>
+<v>145294</v>
 </b>
 <b>
 <a>2</a>
 <b>3</b>
-<v>18202</v>
+<v>35365</v>
 </b>
 <b>
 <a>3</a>
 <b>5</b>
-<v>9027</v>
+<v>17539</v>
 </b>
 <b>
 <a>5</a>
 <b>62018</b>
-<v>8054</v>
+<v>15649</v>
 </b>
 </bs>
 </hist>
@@ -39939,15 +40423,15 @@
 </relation>
 <relation>
 <name>cil_method_source_declaration</name>
-<cardinality>1083735</cardinality>
+<cardinality>2105616</cardinality>
 <columnsizes>
 <e>
 <k>method</k>
-<v>1083735</v>
+<v>2105616</v>
 </e>
 <e>
 <k>source</k>
-<v>958949</v>
+<v>1863168</v>
 </e>
 </columnsizes>
 <dependencies>
@@ -39961,7 +40445,7 @@
 <b>
 <a>1</a>
 <b>2</b>
-<v>1083735</v>
+<v>2105616</v>
 </b>
 </bs>
 </hist>
@@ -39977,12 +40461,12 @@
 <b>
 <a>1</a>
 <b>2</b>
-<v>904975</v>
+<v>1758299</v>
 </b>
 <b>
 <a>2</a>
 <b>1021</b>
-<v>53974</v>
+<v>104868</v>
 </b>
 </bs>
 </hist>
@@ -39992,19 +40476,19 @@
 </relation>
 <relation>
 <name>cil_method_implementation</name>
-<cardinality>888189</cardinality>
+<cardinality>1725686</cardinality>
 <columnsizes>
 <e>
 <k>id</k>
-<v>888189</v>
+<v>1725686</v>
 </e>
 <e>
 <k>method</k>
-<v>843532</v>
+<v>1638921</v>
 </e>
 <e>
 <k>location</k>
-<v>1591</v>
+<v>3092</v>
 </e>
 </columnsizes>
 <dependencies>
@@ -40018,7 +40502,7 @@
 <b>
 <a>1</a>
 <b>2</b>
-<v>888189</v>
+<v>1725686</v>
 </b>
 </bs>
 </hist>
@@ -40034,7 +40518,7 @@
 <b>
 <a>1</a>
 <b>2</b>
-<v>888189</v>
+<v>1725686</v>
 </b>
 </bs>
 </hist>
@@ -40050,12 +40534,12 @@
 <b>
 <a>1</a>
 <b>2</b>
-<v>798875</v>
+<v>1552156</v>
 </b>
 <b>
 <a>2</a>
 <b>3</b>
-<v>44656</v>
+<v>86764</v>
 </b>
 </bs>
 </hist>
@@ -40071,12 +40555,12 @@
 <b>
 <a>1</a>
 <b>2</b>
-<v>798875</v>
+<v>1552156</v>
 </b>
 <b>
 <a>2</a>
 <b>3</b>
-<v>44656</v>
+<v>86764</v>
 </b>
 </bs>
 </hist>
@@ -40092,67 +40576,67 @@
 <b>
 <a>1</a>
 <b>11</b>
-<v>140</v>
+<v>272</v>
 </b>
 <b>
 <a>11</a>
 <b>22</b>
-<v>122</v>
+<v>238</v>
 </b>
 <b>
 <a>22</a>
 <b>36</b>
-<v>122</v>
+<v>238</v>
 </b>
 <b>
 <a>36</a>
 <b>50</b>
-<v>120</v>
+<v>233</v>
 </b>
 <b>
 <a>50</a>
 <b>74</b>
-<v>125</v>
+<v>243</v>
 </b>
 <b>
 <a>74</a>
 <b>104</b>
-<v>127</v>
+<v>248</v>
 </b>
 <b>
 <a>104</a>
 <b>133</b>
-<v>122</v>
+<v>238</v>
 </b>
 <b>
 <a>133</a>
 <b>192</b>
-<v>120</v>
+<v>233</v>
 </b>
 <b>
 <a>192</a>
 <b>271</b>
-<v>120</v>
+<v>233</v>
 </b>
 <b>
 <a>271</a>
 <b>365</b>
-<v>127</v>
+<v>248</v>
 </b>
 <b>
 <a>372</a>
 <b>654</b>
-<v>120</v>
+<v>233</v>
 </b>
 <b>
 <a>682</a>
 <b>1597</b>
-<v>122</v>
+<v>238</v>
 </b>
 <b>
 <a>1599</a>
 <b>33053</b>
-<v>97</v>
+<v>189</v>
 </b>
 </bs>
 </hist>
@@ -40168,67 +40652,67 @@
 <b>
 <a>1</a>
 <b>11</b>
-<v>140</v>
+<v>272</v>
 </b>
 <b>
 <a>11</a>
 <b>22</b>
-<v>122</v>
+<v>238</v>
 </b>
 <b>
 <a>22</a>
 <b>36</b>
-<v>122</v>
+<v>238</v>
 </b>
 <b>
 <a>36</a>
 <b>50</b>
-<v>120</v>
+<v>233</v>
 </b>
 <b>
 <a>50</a>
 <b>74</b>
-<v>125</v>
+<v>243</v>
 </b>
 <b>
 <a>74</a>
 <b>104</b>
-<v>127</v>
+<v>248</v>
 </b>
 <b>
 <a>104</a>
 <b>133</b>
-<v>122</v>
+<v>238</v>
 </b>
 <b>
 <a>133</a>
 <b>192</b>
-<v>120</v>
+<v>233</v>
 </b>
 <b>
 <a>192</a>
 <b>271</b>
-<v>120</v>
+<v>233</v>
 </b>
 <b>
 <a>271</a>
 <b>365</b>
-<v>127</v>
+<v>248</v>
 </b>
 <b>
 <a>372</a>
 <b>654</b>
-<v>120</v>
+<v>233</v>
 </b>
 <b>
 <a>682</a>
 <b>1597</b>
-<v>122</v>
+<v>238</v>
 </b>
 <b>
 <a>1599</a>
 <b>33053</b>
-<v>97</v>
+<v>189</v>
 </b>
 </bs>
 </hist>
@@ -40238,15 +40722,15 @@
 </relation>
 <relation>
 <name>cil_implements</name>
-<cardinality>55097</cardinality>
+<cardinality>107050</cardinality>
 <columnsizes>
 <e>
 <k>id</k>
-<v>54706</v>
+<v>106291</v>
 </e>
 <e>
 <k>decl</k>
-<v>9119</v>
+<v>17719</v>
 </e>
 </columnsizes>
 <dependencies>
@@ -40260,12 +40744,12 @@
 <b>
 <a>1</a>
 <b>2</b>
-<v>54315</v>
+<v>105531</v>
 </b>
 <b>
 <a>2</a>
 <b>3</b>
-<v>391</v>
+<v>759</v>
 </b>
 </bs>
 </hist>
@@ -40281,27 +40765,27 @@
 <b>
 <a>1</a>
 <b>2</b>
-<v>5936</v>
+<v>11533</v>
 </b>
 <b>
 <a>2</a>
 <b>3</b>
-<v>1391</v>
+<v>2703</v>
 </b>
 <b>
 <a>3</a>
 <b>5</b>
-<v>812</v>
+<v>1578</v>
 </b>
 <b>
 <a>5</a>
 <b>18</b>
-<v>684</v>
+<v>1329</v>
 </b>
 <b>
 <a>18</a>
 <b>2180</b>
-<v>295</v>
+<v>574</v>
 </b>
 </bs>
 </hist>
@@ -40311,23 +40795,23 @@
 </relation>
 <relation>
 <name>cil_field</name>
-<cardinality>518960</cardinality>
+<cardinality>1008300</cardinality>
 <columnsizes>
 <e>
 <k>id</k>
-<v>518960</v>
+<v>1008300</v>
 </e>
 <e>
 <k>parent</k>
-<v>103509</v>
+<v>201111</v>
 </e>
 <e>
 <k>name</k>
-<v>185701</v>
+<v>360803</v>
 </e>
 <e>
 <k>field_type</k>
-<v>85352</v>
+<v>165834</v>
 </e>
 </columnsizes>
 <dependencies>
@@ -40341,7 +40825,7 @@
 <b>
 <a>1</a>
 <b>2</b>
-<v>518960</v>
+<v>1008300</v>
 </b>
 </bs>
 </hist>
@@ -40357,7 +40841,7 @@
 <b>
 <a>1</a>
 <b>2</b>
-<v>518960</v>
+<v>1008300</v>
 </b>
 </bs>
 </hist>
@@ -40373,7 +40857,7 @@
 <b>
 <a>1</a>
 <b>2</b>
-<v>518960</v>
+<v>1008300</v>
 </b>
 </bs>
 </hist>
@@ -40389,47 +40873,47 @@
 <b>
 <a>1</a>
 <b>2</b>
-<v>31195</v>
+<v>60609</v>
 </b>
 <b>
 <a>2</a>
 <b>3</b>
-<v>21115</v>
+<v>41025</v>
 </b>
 <b>
 <a>3</a>
 <b>4</b>
-<v>11471</v>
+<v>22287</v>
 </b>
 <b>
 <a>4</a>
 <b>5</b>
-<v>7966</v>
+<v>15478</v>
 </b>
 <b>
 <a>5</a>
 <b>6</b>
-<v>6026</v>
+<v>11708</v>
 </b>
 <b>
 <a>6</a>
 <b>8</b>
-<v>8721</v>
+<v>16944</v>
 </b>
 <b>
 <a>8</a>
 <b>12</b>
-<v>9187</v>
+<v>17850</v>
 </b>
 <b>
 <a>12</a>
 <b>227</b>
-<v>7766</v>
+<v>15089</v>
 </b>
 <b>
 <a>237</a>
 <b>4205</b>
-<v>60</v>
+<v>116</v>
 </b>
 </bs>
 </hist>
@@ -40445,47 +40929,47 @@
 <b>
 <a>1</a>
 <b>2</b>
-<v>31195</v>
+<v>60609</v>
 </b>
 <b>
 <a>2</a>
 <b>3</b>
-<v>21115</v>
+<v>41025</v>
 </b>
 <b>
 <a>3</a>
 <b>4</b>
-<v>11471</v>
+<v>22287</v>
 </b>
 <b>
 <a>4</a>
 <b>5</b>
-<v>7966</v>
+<v>15478</v>
 </b>
 <b>
 <a>5</a>
 <b>6</b>
-<v>6026</v>
+<v>11708</v>
 </b>
 <b>
 <a>6</a>
 <b>8</b>
-<v>8721</v>
+<v>16944</v>
 </b>
 <b>
 <a>8</a>
 <b>12</b>
-<v>9187</v>
+<v>17850</v>
 </b>
 <b>
 <a>12</a>
 <b>227</b>
-<v>7766</v>
+<v>15089</v>
 </b>
 <b>
 <a>237</a>
 <b>4205</b>
-<v>60</v>
+<v>116</v>
 </b>
 </bs>
 </hist>
@@ -40501,37 +40985,37 @@
 <b>
 <a>1</a>
 <b>2</b>
-<v>36231</v>
+<v>70394</v>
 </b>
 <b>
 <a>2</a>
 <b>3</b>
-<v>30751</v>
+<v>59747</v>
 </b>
 <b>
 <a>3</a>
 <b>4</b>
-<v>10508</v>
+<v>20417</v>
 </b>
 <b>
 <a>4</a>
 <b>5</b>
-<v>5898</v>
+<v>11460</v>
 </b>
 <b>
 <a>5</a>
 <b>7</b>
-<v>8072</v>
+<v>15683</v>
 </b>
 <b>
 <a>7</a>
 <b>11</b>
-<v>8262</v>
+<v>16053</v>
 </b>
 <b>
 <a>11</a>
 <b>132</b>
-<v>3785</v>
+<v>7354</v>
 </b>
 </bs>
 </hist>
@@ -40547,22 +41031,22 @@
 <b>
 <a>1</a>
 <b>2</b>
-<v>134749</v>
+<v>261809</v>
 </b>
 <b>
 <a>2</a>
 <b>3</b>
-<v>28485</v>
+<v>55344</v>
 </b>
 <b>
 <a>3</a>
 <b>7</b>
-<v>15474</v>
+<v>30066</v>
 </b>
 <b>
 <a>7</a>
 <b>5664</b>
-<v>6991</v>
+<v>13584</v>
 </b>
 </bs>
 </hist>
@@ -40578,22 +41062,22 @@
 <b>
 <a>1</a>
 <b>2</b>
-<v>134749</v>
+<v>261809</v>
 </b>
 <b>
 <a>2</a>
 <b>3</b>
-<v>28485</v>
+<v>55344</v>
 </b>
 <b>
 <a>3</a>
 <b>7</b>
-<v>15474</v>
+<v>30066</v>
 </b>
 <b>
 <a>7</a>
 <b>5664</b>
-<v>6991</v>
+<v>13584</v>
 </b>
 </bs>
 </hist>
@@ -40609,17 +41093,17 @@
 <b>
 <a>1</a>
 <b>2</b>
-<v>157161</v>
+<v>305352</v>
 </b>
 <b>
 <a>2</a>
 <b>3</b>
-<v>17525</v>
+<v>34050</v>
 </b>
 <b>
 <a>3</a>
 <b>2790</b>
-<v>11015</v>
+<v>21401</v>
 </b>
 </bs>
 </hist>
@@ -40635,32 +41119,32 @@
 <b>
 <a>1</a>
 <b>2</b>
-<v>42515</v>
+<v>82605</v>
 </b>
 <b>
 <a>2</a>
 <b>3</b>
-<v>22521</v>
+<v>43757</v>
 </b>
 <b>
 <a>3</a>
 <b>4</b>
-<v>4610</v>
+<v>8957</v>
 </b>
 <b>
 <a>4</a>
 <b>7</b>
-<v>7851</v>
+<v>15254</v>
 </b>
 <b>
 <a>7</a>
 <b>31</b>
-<v>6452</v>
+<v>12536</v>
 </b>
 <b>
 <a>31</a>
 <b>21103</b>
-<v>1401</v>
+<v>2722</v>
 </b>
 </bs>
 </hist>
@@ -40676,22 +41160,22 @@
 <b>
 <a>1</a>
 <b>2</b>
-<v>49760</v>
+<v>96681</v>
 </b>
 <b>
 <a>2</a>
 <b>3</b>
-<v>22894</v>
+<v>44483</v>
 </b>
 <b>
 <a>3</a>
 <b>6</b>
-<v>7322</v>
+<v>14227</v>
 </b>
 <b>
 <a>6</a>
 <b>12257</b>
-<v>5374</v>
+<v>10442</v>
 </b>
 </bs>
 </hist>
@@ -40707,27 +41191,27 @@
 <b>
 <a>1</a>
 <b>2</b>
-<v>61655</v>
+<v>119792</v>
 </b>
 <b>
 <a>2</a>
 <b>3</b>
-<v>9242</v>
+<v>17957</v>
 </b>
 <b>
 <a>3</a>
 <b>5</b>
-<v>6813</v>
+<v>13238</v>
 </b>
 <b>
 <a>5</a>
 <b>20</b>
-<v>6414</v>
+<v>12463</v>
 </b>
 <b>
 <a>20</a>
 <b>8901</b>
-<v>1225</v>
+<v>2381</v>
 </b>
 </bs>
 </hist>
@@ -40737,23 +41221,23 @@
 </relation>
 <relation>
 <name>cil_parameter</name>
-<cardinality>2339980</cardinality>
+<cardinality>4546408</cardinality>
 <columnsizes>
 <e>
 <k>id</k>
-<v>2339980</v>
+<v>4546408</v>
 </e>
 <e>
 <k>parameterizable</k>
-<v>1142723</v>
+<v>2220226</v>
 </e>
 <e>
 <k>index</k>
-<v>102</v>
+<v>199</v>
 </e>
 <e>
 <k>param_type</k>
-<v>284357</v>
+<v>552486</v>
 </e>
 </columnsizes>
 <dependencies>
@@ -40767,7 +41251,7 @@
 <b>
 <a>1</a>
 <b>2</b>
-<v>2339980</v>
+<v>4546408</v>
 </b>
 </bs>
 </hist>
@@ -40783,7 +41267,7 @@
 <b>
 <a>1</a>
 <b>2</b>
-<v>2339980</v>
+<v>4546408</v>
 </b>
 </bs>
 </hist>
@@ -40799,7 +41283,7 @@
 <b>
 <a>1</a>
 <b>2</b>
-<v>2339980</v>
+<v>4546408</v>
 </b>
 </bs>
 </hist>
@@ -40815,27 +41299,27 @@
 <b>
 <a>1</a>
 <b>2</b>
-<v>463488</v>
+<v>900524</v>
 </b>
 <b>
 <a>2</a>
 <b>3</b>
-<v>405252</v>
+<v>787375</v>
 </b>
 <b>
 <a>3</a>
 <b>4</b>
-<v>167073</v>
+<v>324610</v>
 </b>
 <b>
 <a>4</a>
 <b>7</b>
-<v>90027</v>
+<v>174917</v>
 </b>
 <b>
 <a>7</a>
 <b>42</b>
-<v>16881</v>
+<v>32798</v>
 </b>
 </bs>
 </hist>
@@ -40851,27 +41335,27 @@
 <b>
 <a>1</a>
 <b>2</b>
-<v>463488</v>
+<v>900524</v>
 </b>
 <b>
 <a>2</a>
 <b>3</b>
-<v>405252</v>
+<v>787375</v>
 </b>
 <b>
 <a>3</a>
 <b>4</b>
-<v>167073</v>
+<v>324610</v>
 </b>
 <b>
 <a>4</a>
 <b>7</b>
-<v>90027</v>
+<v>174917</v>
 </b>
 <b>
 <a>7</a>
 <b>42</b>
-<v>16881</v>
+<v>32798</v>
 </b>
 </bs>
 </hist>
@@ -40887,22 +41371,22 @@
 <b>
 <a>1</a>
 <b>2</b>
-<v>488208</v>
+<v>948553</v>
 </b>
 <b>
 <a>2</a>
 <b>3</b>
-<v>410659</v>
+<v>797881</v>
 </b>
 <b>
 <a>3</a>
 <b>4</b>
-<v>161084</v>
+<v>312974</v>
 </b>
 <b>
 <a>4</a>
 <b>23</b>
-<v>82770</v>
+<v>160817</v>
 </b>
 </bs>
 </hist>
@@ -40918,67 +41402,67 @@
 <b>
 <a>1</a>
 <b>2</b>
-<v>12</v>
+<v>24</v>
 </b>
 <b>
 <a>2</a>
 <b>3</b>
-<v>7</v>
+<v>14</v>
 </b>
 <b>
 <a>3</a>
 <b>18</b>
-<v>7</v>
+<v>14</v>
 </b>
 <b>
 <a>20</a>
 <b>35</b>
-<v>7</v>
+<v>14</v>
 </b>
 <b>
 <a>44</a>
 <b>53</b>
-<v>7</v>
+<v>14</v>
 </b>
 <b>
 <a>61</a>
 <b>78</b>
-<v>7</v>
+<v>14</v>
 </b>
 <b>
 <a>87</a>
 <b>122</b>
-<v>7</v>
+<v>14</v>
 </b>
 <b>
 <a>150</a>
 <b>293</b>
-<v>7</v>
+<v>14</v>
 </b>
 <b>
 <a>378</a>
 <b>632</b>
-<v>7</v>
+<v>14</v>
 </b>
 <b>
 <a>810</a>
 <b>2528</b>
-<v>7</v>
+<v>14</v>
 </b>
 <b>
 <a>3263</a>
 <b>6735</b>
-<v>7</v>
+<v>14</v>
 </b>
 <b>
 <a>11503</a>
 <b>42648</b>
-<v>7</v>
+<v>14</v>
 </b>
 <b>
 <a>109294</a>
 <b>455844</b>
-<v>7</v>
+<v>14</v>
 </b>
 </bs>
 </hist>
@@ -40994,67 +41478,67 @@
 <b>
 <a>1</a>
 <b>2</b>
-<v>12</v>
+<v>24</v>
 </b>
 <b>
 <a>2</a>
 <b>3</b>
-<v>7</v>
+<v>14</v>
 </b>
 <b>
 <a>3</a>
 <b>18</b>
-<v>7</v>
+<v>14</v>
 </b>
 <b>
 <a>20</a>
 <b>35</b>
-<v>7</v>
+<v>14</v>
 </b>
 <b>
 <a>44</a>
 <b>53</b>
-<v>7</v>
+<v>14</v>
 </b>
 <b>
 <a>61</a>
 <b>78</b>
-<v>7</v>
+<v>14</v>
 </b>
 <b>
 <a>87</a>
 <b>122</b>
-<v>7</v>
+<v>14</v>
 </b>
 <b>
 <a>150</a>
 <b>293</b>
-<v>7</v>
+<v>14</v>
 </b>
 <b>
 <a>378</a>
 <b>632</b>
-<v>7</v>
+<v>14</v>
 </b>
 <b>
 <a>810</a>
 <b>2528</b>
-<v>7</v>
+<v>14</v>
 </b>
 <b>
 <a>3263</a>
 <b>6735</b>
-<v>7</v>
+<v>14</v>
 </b>
 <b>
 <a>11503</a>
 <b>42648</b>
-<v>7</v>
+<v>14</v>
 </b>
 <b>
 <a>109294</a>
 <b>455844</b>
-<v>7</v>
+<v>14</v>
 </b>
 </bs>
 </hist>
@@ -41070,72 +41554,72 @@
 <b>
 <a>1</a>
 <b>2</b>
-<v>12</v>
+<v>24</v>
 </b>
 <b>
 <a>2</a>
 <b>3</b>
-<v>7</v>
+<v>14</v>
 </b>
 <b>
 <a>3</a>
 <b>11</b>
-<v>7</v>
+<v>14</v>
 </b>
 <b>
 <a>11</a>
 <b>16</b>
-<v>7</v>
+<v>14</v>
 </b>
 <b>
 <a>16</a>
 <b>18</b>
-<v>7</v>
+<v>14</v>
 </b>
 <b>
 <a>19</a>
 <b>21</b>
-<v>5</v>
+<v>9</v>
 </b>
 <b>
 <a>22</a>
 <b>28</b>
-<v>7</v>
+<v>14</v>
 </b>
 <b>
 <a>34</a>
 <b>88</b>
-<v>7</v>
+<v>14</v>
 </b>
 <b>
 <a>129</a>
 <b>233</b>
-<v>7</v>
+<v>14</v>
 </b>
 <b>
 <a>290</a>
 <b>447</b>
-<v>7</v>
+<v>14</v>
 </b>
 <b>
 <a>554</a>
 <b>928</b>
-<v>7</v>
+<v>14</v>
 </b>
 <b>
 <a>1321</a>
 <b>3323</b>
-<v>7</v>
+<v>14</v>
 </b>
 <b>
 <a>6167</a>
 <b>43422</b>
-<v>7</v>
+<v>14</v>
 </b>
 <b>
 <a>83818</a>
 <b>83819</b>
-<v>2</v>
+<v>4</v>
 </b>
 </bs>
 </hist>
@@ -41151,42 +41635,42 @@
 <b>
 <a>1</a>
 <b>2</b>
-<v>95417</v>
+<v>185389</v>
 </b>
 <b>
 <a>2</a>
 <b>3</b>
-<v>70539</v>
+<v>137053</v>
 </b>
 <b>
 <a>3</a>
 <b>4</b>
-<v>23168</v>
+<v>45014</v>
 </b>
 <b>
 <a>4</a>
 <b>5</b>
-<v>19788</v>
+<v>38448</v>
 </b>
 <b>
 <a>5</a>
 <b>7</b>
-<v>22569</v>
+<v>43849</v>
 </b>
 <b>
 <a>7</a>
 <b>11</b>
-<v>22007</v>
+<v>42758</v>
 </b>
 <b>
 <a>11</a>
 <b>27</b>
-<v>21553</v>
+<v>41877</v>
 </b>
 <b>
 <a>27</a>
 <b>58010</b>
-<v>9312</v>
+<v>18094</v>
 </b>
 </bs>
 </hist>
@@ -41202,42 +41686,42 @@
 <b>
 <a>1</a>
 <b>2</b>
-<v>97067</v>
+<v>188594</v>
 </b>
 <b>
 <a>2</a>
 <b>3</b>
-<v>69870</v>
+<v>135753</v>
 </b>
 <b>
 <a>3</a>
 <b>4</b>
-<v>23381</v>
+<v>45428</v>
 </b>
 <b>
 <a>4</a>
 <b>5</b>
-<v>19162</v>
+<v>37230</v>
 </b>
 <b>
 <a>5</a>
 <b>7</b>
-<v>22799</v>
+<v>44298</v>
 </b>
 <b>
 <a>7</a>
 <b>11</b>
-<v>22037</v>
+<v>42817</v>
 </b>
 <b>
 <a>11</a>
 <b>28</b>
-<v>21471</v>
+<v>41716</v>
 </b>
 <b>
 <a>28</a>
 <b>46068</b>
-<v>8568</v>
+<v>16647</v>
 </b>
 </bs>
 </hist>
@@ -41253,22 +41737,22 @@
 <b>
 <a>1</a>
 <b>2</b>
-<v>198441</v>
+<v>385556</v>
 </b>
 <b>
 <a>2</a>
 <b>3</b>
-<v>56524</v>
+<v>109822</v>
 </b>
 <b>
 <a>3</a>
 <b>4</b>
-<v>22884</v>
+<v>44463</v>
 </b>
 <b>
 <a>4</a>
 <b>36</b>
-<v>6507</v>
+<v>12644</v>
 </b>
 </bs>
 </hist>
@@ -41278,37 +41762,37 @@
 </relation>
 <relation>
 <name>cil_parameter_in</name>
-<cardinality>16650</cardinality>
+<cardinality>32350</cardinality>
 <columnsizes>
 <e>
 <k>id</k>
-<v>16650</v>
+<v>32350</v>
 </e>
 </columnsizes>
 <dependencies/>
 </relation>
 <relation>
 <name>cil_parameter_out</name>
-<cardinality>23687</cardinality>
+<cardinality>46022</cardinality>
 <columnsizes>
 <e>
 <k>id</k>
-<v>23687</v>
+<v>46022</v>
 </e>
 </columnsizes>
 <dependencies/>
 </relation>
 <relation>
 <name>cil_setter</name>
-<cardinality>54944</cardinality>
+<cardinality>106753</cardinality>
 <columnsizes>
 <e>
 <k>prop</k>
-<v>54944</v>
+<v>106753</v>
 </e>
 <e>
 <k>method</k>
-<v>54944</v>
+<v>106753</v>
 </e>
 </columnsizes>
 <dependencies>
@@ -41322,7 +41806,7 @@
 <b>
 <a>1</a>
 <b>2</b>
-<v>54944</v>
+<v>106753</v>
 </b>
 </bs>
 </hist>
@@ -41338,7 +41822,7 @@
 <b>
 <a>1</a>
 <b>2</b>
-<v>54944</v>
+<v>106753</v>
 </b>
 </bs>
 </hist>
@@ -41348,19 +41832,19 @@
 </relation>
 <relation>
 <name>cil_custom_modifiers</name>
-<cardinality>2113</cardinality>
+<cardinality>4105</cardinality>
 <columnsizes>
 <e>
 <k>id</k>
-<v>2113</v>
+<v>4105</v>
 </e>
 <e>
 <k>modifier</k>
-<v>27</v>
+<v>53</v>
 </e>
 <e>
 <k>kind</k>
-<v>2</v>
+<v>4</v>
 </e>
 </columnsizes>
 <dependencies>
@@ -41374,7 +41858,7 @@
 <b>
 <a>1</a>
 <b>2</b>
-<v>2113</v>
+<v>4105</v>
 </b>
 </bs>
 </hist>
@@ -41390,7 +41874,7 @@
 <b>
 <a>1</a>
 <b>2</b>
-<v>2113</v>
+<v>4105</v>
 </b>
 </bs>
 </hist>
@@ -41406,57 +41890,57 @@
 <b>
 <a>5</a>
 <b>6</b>
-<v>2</v>
+<v>4</v>
 </b>
 <b>
 <a>10</a>
 <b>11</b>
-<v>2</v>
+<v>4</v>
 </b>
 <b>
 <a>11</a>
 <b>12</b>
-<v>2</v>
+<v>4</v>
 </b>
 <b>
 <a>19</a>
 <b>20</b>
-<v>2</v>
+<v>4</v>
 </b>
 <b>
 <a>25</a>
 <b>26</b>
-<v>2</v>
+<v>4</v>
 </b>
 <b>
 <a>29</a>
 <b>30</b>
-<v>2</v>
+<v>4</v>
 </b>
 <b>
 <a>51</a>
 <b>52</b>
-<v>2</v>
+<v>4</v>
 </b>
 <b>
 <a>68</a>
 <b>69</b>
-<v>2</v>
+<v>4</v>
 </b>
 <b>
 <a>87</a>
 <b>88</b>
-<v>2</v>
+<v>4</v>
 </b>
 <b>
 <a>94</a>
 <b>95</b>
-<v>2</v>
+<v>4</v>
 </b>
 <b>
 <a>444</a>
 <b>445</b>
-<v>2</v>
+<v>4</v>
 </b>
 </bs>
 </hist>
@@ -41472,7 +41956,7 @@
 <b>
 <a>1</a>
 <b>2</b>
-<v>27</v>
+<v>53</v>
 </b>
 </bs>
 </hist>
@@ -41488,7 +41972,7 @@
 <b>
 <a>843</a>
 <b>844</b>
-<v>2</v>
+<v>4</v>
 </b>
 </bs>
 </hist>
@@ -41504,7 +41988,7 @@
 <b>
 <a>11</a>
 <b>12</b>
-<v>2</v>
+<v>4</v>
 </b>
 </bs>
 </hist>
@@ -41514,15 +41998,15 @@
 </relation>
 <relation>
 <name>cil_type_annotation</name>
-<cardinality>100907</cardinality>
+<cardinality>196056</cardinality>
 <columnsizes>
 <e>
 <k>id</k>
-<v>100907</v>
+<v>196056</v>
 </e>
 <e>
 <k>annotation</k>
-<v>2</v>
+<v>4</v>
 </e>
 </columnsizes>
 <dependencies>
@@ -41536,7 +42020,7 @@
 <b>
 <a>1</a>
 <b>2</b>
-<v>100907</v>
+<v>196056</v>
 </b>
 </bs>
 </hist>
@@ -41552,7 +42036,7 @@
 <b>
 <a>40253</a>
 <b>40254</b>
-<v>2</v>
+<v>4</v>
 </b>
 </bs>
 </hist>
@@ -41562,15 +42046,15 @@
 </relation>
 <relation>
 <name>cil_getter</name>
-<cardinality>195244</cardinality>
+<cardinality>379346</cardinality>
 <columnsizes>
 <e>
 <k>prop</k>
-<v>195244</v>
+<v>379346</v>
 </e>
 <e>
 <k>method</k>
-<v>195244</v>
+<v>379346</v>
 </e>
 </columnsizes>
 <dependencies>
@@ -41584,7 +42068,7 @@
 <b>
 <a>1</a>
 <b>2</b>
-<v>195244</v>
+<v>379346</v>
 </b>
 </bs>
 </hist>
@@ -41600,7 +42084,7 @@
 <b>
 <a>1</a>
 <b>2</b>
-<v>195244</v>
+<v>379346</v>
 </b>
 </bs>
 </hist>
@@ -41610,15 +42094,15 @@
 </relation>
 <relation>
 <name>cil_adder</name>
-<cardinality>10741</cardinality>
+<cardinality>20870</cardinality>
 <columnsizes>
 <e>
 <k>event</k>
-<v>10741</v>
+<v>20870</v>
 </e>
 <e>
 <k>method</k>
-<v>10741</v>
+<v>20870</v>
 </e>
 </columnsizes>
 <dependencies>
@@ -41632,7 +42116,7 @@
 <b>
 <a>1</a>
 <b>2</b>
-<v>10741</v>
+<v>20870</v>
 </b>
 </bs>
 </hist>
@@ -41648,7 +42132,7 @@
 <b>
 <a>1</a>
 <b>2</b>
-<v>10741</v>
+<v>20870</v>
 </b>
 </bs>
 </hist>
@@ -41658,15 +42142,15 @@
 </relation>
 <relation>
 <name>cil_remover</name>
-<cardinality>10741</cardinality>
+<cardinality>20870</cardinality>
 <columnsizes>
 <e>
 <k>event</k>
-<v>10741</v>
+<v>20870</v>
 </e>
 <e>
 <k>method</k>
-<v>10741</v>
+<v>20870</v>
 </e>
 </columnsizes>
 <dependencies>
@@ -41680,7 +42164,7 @@
 <b>
 <a>1</a>
 <b>2</b>
-<v>10741</v>
+<v>20870</v>
 </b>
 </bs>
 </hist>
@@ -41696,7 +42180,7 @@
 <b>
 <a>1</a>
 <b>2</b>
-<v>10741</v>
+<v>20870</v>
 </b>
 </bs>
 </hist>
@@ -41754,23 +42238,23 @@
 </relation>
 <relation>
 <name>cil_property</name>
-<cardinality>195525</cardinality>
+<cardinality>379891</cardinality>
 <columnsizes>
 <e>
 <k>id</k>
-<v>195525</v>
+<v>379891</v>
 </e>
 <e>
 <k>parent</k>
-<v>48198</v>
+<v>93646</v>
 </e>
 <e>
 <k>name</k>
-<v>54674</v>
+<v>106227</v>
 </e>
 <e>
 <k>property_type</k>
-<v>25642</v>
+<v>49821</v>
 </e>
 </columnsizes>
 <dependencies>
@@ -41784,7 +42268,7 @@
 <b>
 <a>1</a>
 <b>2</b>
-<v>195525</v>
+<v>379891</v>
 </b>
 </bs>
 </hist>
@@ -41800,7 +42284,7 @@
 <b>
 <a>1</a>
 <b>2</b>
-<v>195525</v>
+<v>379891</v>
 </b>
 </bs>
 </hist>
@@ -41816,7 +42300,7 @@
 <b>
 <a>1</a>
 <b>2</b>
-<v>195525</v>
+<v>379891</v>
 </b>
 </bs>
 </hist>
@@ -41832,42 +42316,42 @@
 <b>
 <a>1</a>
 <b>2</b>
-<v>14855</v>
+<v>28863</v>
 </b>
 <b>
 <a>2</a>
 <b>3</b>
-<v>11463</v>
+<v>22273</v>
 </b>
 <b>
 <a>3</a>
 <b>4</b>
-<v>5873</v>
+<v>11411</v>
 </b>
 <b>
 <a>4</a>
 <b>5</b>
-<v>4349</v>
+<v>8450</v>
 </b>
 <b>
 <a>5</a>
 <b>6</b>
-<v>2953</v>
+<v>5737</v>
 </b>
 <b>
 <a>6</a>
 <b>9</b>
-<v>4457</v>
+<v>8659</v>
 </b>
 <b>
 <a>9</a>
 <b>25</b>
-<v>3652</v>
+<v>7096</v>
 </b>
 <b>
 <a>25</a>
 <b>1883</b>
-<v>594</v>
+<v>1154</v>
 </b>
 </bs>
 </hist>
@@ -41883,42 +42367,42 @@
 <b>
 <a>1</a>
 <b>2</b>
-<v>17297</v>
+<v>33607</v>
 </b>
 <b>
 <a>2</a>
 <b>3</b>
-<v>9154</v>
+<v>17787</v>
 </b>
 <b>
 <a>3</a>
 <b>4</b>
-<v>5820</v>
+<v>11309</v>
 </b>
 <b>
 <a>4</a>
 <b>5</b>
-<v>4354</v>
+<v>8460</v>
 </b>
 <b>
 <a>5</a>
 <b>6</b>
-<v>2943</v>
+<v>5718</v>
 </b>
 <b>
 <a>6</a>
 <b>8</b>
-<v>3409</v>
+<v>6624</v>
 </b>
 <b>
 <a>8</a>
 <b>15</b>
-<v>3712</v>
+<v>7213</v>
 </b>
 <b>
 <a>15</a>
 <b>1883</b>
-<v>1506</v>
+<v>2927</v>
 </b>
 </bs>
 </hist>
@@ -41934,32 +42418,32 @@
 <b>
 <a>1</a>
 <b>2</b>
-<v>18041</v>
+<v>35053</v>
 </b>
 <b>
 <a>2</a>
 <b>3</b>
-<v>13256</v>
+<v>25755</v>
 </b>
 <b>
 <a>3</a>
 <b>4</b>
-<v>6933</v>
+<v>13472</v>
 </b>
 <b>
 <a>4</a>
 <b>5</b>
-<v>4168</v>
+<v>8099</v>
 </b>
 <b>
 <a>5</a>
 <b>8</b>
-<v>3990</v>
+<v>7753</v>
 </b>
 <b>
 <a>8</a>
 <b>50</b>
-<v>1807</v>
+<v>3511</v>
 </b>
 </bs>
 </hist>
@@ -41975,27 +42459,27 @@
 <b>
 <a>1</a>
 <b>2</b>
-<v>32232</v>
+<v>62626</v>
 </b>
 <b>
 <a>2</a>
 <b>3</b>
-<v>11030</v>
+<v>21430</v>
 </b>
 <b>
 <a>3</a>
 <b>4</b>
-<v>3334</v>
+<v>6477</v>
 </b>
 <b>
 <a>4</a>
 <b>8</b>
-<v>4507</v>
+<v>8757</v>
 </b>
 <b>
 <a>8</a>
 <b>2134</b>
-<v>3569</v>
+<v>6935</v>
 </b>
 </bs>
 </hist>
@@ -42011,27 +42495,27 @@
 <b>
 <a>1</a>
 <b>2</b>
-<v>32232</v>
+<v>62626</v>
 </b>
 <b>
 <a>2</a>
 <b>3</b>
-<v>11067</v>
+<v>21503</v>
 </b>
 <b>
 <a>3</a>
 <b>4</b>
-<v>3321</v>
+<v>6453</v>
 </b>
 <b>
 <a>4</a>
 <b>8</b>
-<v>4514</v>
+<v>8771</v>
 </b>
 <b>
 <a>8</a>
 <b>1400</b>
-<v>3537</v>
+<v>6872</v>
 </b>
 </bs>
 </hist>
@@ -42047,17 +42531,17 @@
 <b>
 <a>1</a>
 <b>2</b>
-<v>46012</v>
+<v>89399</v>
 </b>
 <b>
 <a>2</a>
 <b>3</b>
-<v>5645</v>
+<v>10968</v>
 </b>
 <b>
 <a>3</a>
 <b>568</b>
-<v>3015</v>
+<v>5859</v>
 </b>
 </bs>
 </hist>
@@ -42073,27 +42557,27 @@
 <b>
 <a>1</a>
 <b>2</b>
-<v>16169</v>
+<v>31415</v>
 </b>
 <b>
 <a>2</a>
 <b>3</b>
-<v>3868</v>
+<v>7515</v>
 </b>
 <b>
 <a>3</a>
 <b>4</b>
-<v>1636</v>
+<v>3180</v>
 </b>
 <b>
 <a>4</a>
 <b>8</b>
-<v>2246</v>
+<v>4364</v>
 </b>
 <b>
 <a>8</a>
 <b>15452</b>
-<v>1722</v>
+<v>3346</v>
 </b>
 </bs>
 </hist>
@@ -42109,27 +42593,27 @@
 <b>
 <a>1</a>
 <b>2</b>
-<v>17089</v>
+<v>33202</v>
 </b>
 <b>
 <a>2</a>
 <b>3</b>
-<v>3617</v>
+<v>7028</v>
 </b>
 <b>
 <a>3</a>
 <b>4</b>
-<v>1566</v>
+<v>3044</v>
 </b>
 <b>
 <a>4</a>
 <b>8</b>
-<v>1987</v>
+<v>3862</v>
 </b>
 <b>
 <a>8</a>
 <b>5858</b>
-<v>1381</v>
+<v>2683</v>
 </b>
 </bs>
 </hist>
@@ -42145,22 +42629,22 @@
 <b>
 <a>1</a>
 <b>2</b>
-<v>20548</v>
+<v>39924</v>
 </b>
 <b>
 <a>2</a>
 <b>3</b>
-<v>2732</v>
+<v>5308</v>
 </b>
 <b>
 <a>3</a>
 <b>12</b>
-<v>1955</v>
+<v>3799</v>
 </b>
 <b>
 <a>12</a>
 <b>6253</b>
-<v>406</v>
+<v>789</v>
 </b>
 </bs>
 </hist>
@@ -42170,23 +42654,23 @@
 </relation>
 <relation>
 <name>cil_event</name>
-<cardinality>10726</cardinality>
+<cardinality>20841</cardinality>
 <columnsizes>
 <e>
 <k>id</k>
-<v>10726</v>
+<v>20841</v>
 </e>
 <e>
 <k>parent</k>
-<v>3324</v>
+<v>6458</v>
 </e>
 <e>
 <k>name</k>
-<v>6723</v>
+<v>13062</v>
 </e>
 <e>
 <k>event_type</k>
-<v>3497</v>
+<v>6794</v>
 </e>
 </columnsizes>
 <dependencies>
@@ -42200,7 +42684,7 @@
 <b>
 <a>1</a>
 <b>2</b>
-<v>10726</v>
+<v>20841</v>
 </b>
 </bs>
 </hist>
@@ -42216,7 +42700,7 @@
 <b>
 <a>1</a>
 <b>2</b>
-<v>10726</v>
+<v>20841</v>
 </b>
 </bs>
 </hist>
@@ -42232,7 +42716,7 @@
 <b>
 <a>1</a>
 <b>2</b>
-<v>10726</v>
+<v>20841</v>
 </b>
 </bs>
 </hist>
@@ -42248,17 +42732,17 @@
 <b>
 <a>1</a>
 <b>2</b>
-<v>2955</v>
+<v>5742</v>
 </b>
 <b>
 <a>2</a>
 <b>7</b>
-<v>253</v>
+<v>491</v>
 </b>
 <b>
 <a>7</a>
 <b>465</b>
-<v>115</v>
+<v>224</v>
 </b>
 </bs>
 </hist>
@@ -42274,17 +42758,17 @@
 <b>
 <a>1</a>
 <b>2</b>
-<v>2955</v>
+<v>5742</v>
 </b>
 <b>
 <a>2</a>
 <b>7</b>
-<v>253</v>
+<v>491</v>
 </b>
 <b>
 <a>7</a>
 <b>465</b>
-<v>115</v>
+<v>224</v>
 </b>
 </bs>
 </hist>
@@ -42300,17 +42784,17 @@
 <b>
 <a>1</a>
 <b>2</b>
-<v>3045</v>
+<v>5917</v>
 </b>
 <b>
 <a>2</a>
 <b>20</b>
-<v>250</v>
+<v>487</v>
 </b>
 <b>
 <a>30</a>
 <b>181</b>
-<v>27</v>
+<v>53</v>
 </b>
 </bs>
 </hist>
@@ -42326,17 +42810,17 @@
 <b>
 <a>1</a>
 <b>2</b>
-<v>5998</v>
+<v>11655</v>
 </b>
 <b>
 <a>2</a>
 <b>4</b>
-<v>496</v>
+<v>964</v>
 </b>
 <b>
 <a>4</a>
 <b>566</b>
-<v>228</v>
+<v>443</v>
 </b>
 </bs>
 </hist>
@@ -42352,17 +42836,17 @@
 <b>
 <a>1</a>
 <b>2</b>
-<v>5998</v>
+<v>11655</v>
 </b>
 <b>
 <a>2</a>
 <b>4</b>
-<v>496</v>
+<v>964</v>
 </b>
 <b>
 <a>4</a>
 <b>566</b>
-<v>228</v>
+<v>443</v>
 </b>
 </bs>
 </hist>
@@ -42378,12 +42862,12 @@
 <b>
 <a>1</a>
 <b>2</b>
-<v>6417</v>
+<v>12468</v>
 </b>
 <b>
 <a>2</a>
 <b>566</b>
-<v>305</v>
+<v>594</v>
 </b>
 </bs>
 </hist>
@@ -42399,27 +42883,27 @@
 <b>
 <a>1</a>
 <b>2</b>
-<v>486</v>
+<v>944</v>
 </b>
 <b>
 <a>2</a>
 <b>3</b>
-<v>2323</v>
+<v>4515</v>
 </b>
 <b>
 <a>3</a>
 <b>4</b>
-<v>300</v>
+<v>584</v>
 </b>
 <b>
 <a>4</a>
 <b>8</b>
-<v>295</v>
+<v>574</v>
 </b>
 <b>
 <a>8</a>
 <b>318</b>
-<v>90</v>
+<v>175</v>
 </b>
 </bs>
 </hist>
@@ -42435,17 +42919,17 @@
 <b>
 <a>1</a>
 <b>2</b>
-<v>731</v>
+<v>1422</v>
 </b>
 <b>
 <a>2</a>
 <b>3</b>
-<v>2617</v>
+<v>5084</v>
 </b>
 <b>
 <a>3</a>
 <b>32</b>
-<v>147</v>
+<v>287</v>
 </b>
 </bs>
 </hist>
@@ -42461,27 +42945,27 @@
 <b>
 <a>1</a>
 <b>2</b>
-<v>674</v>
+<v>1310</v>
 </b>
 <b>
 <a>2</a>
 <b>3</b>
-<v>2236</v>
+<v>4344</v>
 </b>
 <b>
 <a>3</a>
 <b>4</b>
-<v>255</v>
+<v>496</v>
 </b>
 <b>
 <a>4</a>
 <b>10</b>
-<v>273</v>
+<v>530</v>
 </b>
 <b>
 <a>10</a>
 <b>243</b>
-<v>57</v>
+<v>112</v>
 </b>
 </bs>
 </hist>
@@ -42491,23 +42975,23 @@
 </relation>
 <relation>
 <name>cil_local_variable</name>
-<cardinality>592197</cardinality>
+<cardinality>1150595</cardinality>
 <columnsizes>
 <e>
 <k>id</k>
-<v>592197</v>
+<v>1150595</v>
 </e>
 <e>
 <k>impl</k>
-<v>179424</v>
+<v>348608</v>
 </e>
 <e>
 <k>index</k>
-<v>355</v>
+<v>691</v>
 </e>
 <e>
 <k>var_type</k>
-<v>79371</v>
+<v>154212</v>
 </e>
 </columnsizes>
 <dependencies>
@@ -42521,7 +43005,7 @@
 <b>
 <a>1</a>
 <b>2</b>
-<v>592197</v>
+<v>1150595</v>
 </b>
 </bs>
 </hist>
@@ -42537,7 +43021,7 @@
 <b>
 <a>1</a>
 <b>2</b>
-<v>592197</v>
+<v>1150595</v>
 </b>
 </bs>
 </hist>
@@ -42553,7 +43037,7 @@
 <b>
 <a>1</a>
 <b>2</b>
-<v>592197</v>
+<v>1150595</v>
 </b>
 </bs>
 </hist>
@@ -42569,37 +43053,37 @@
 <b>
 <a>1</a>
 <b>2</b>
-<v>71998</v>
+<v>139888</v>
 </b>
 <b>
 <a>2</a>
 <b>3</b>
-<v>31924</v>
+<v>62027</v>
 </b>
 <b>
 <a>3</a>
 <b>4</b>
-<v>25381</v>
+<v>49314</v>
 </b>
 <b>
 <a>4</a>
 <b>5</b>
-<v>12080</v>
+<v>23471</v>
 </b>
 <b>
 <a>5</a>
 <b>7</b>
-<v>16404</v>
+<v>31873</v>
 </b>
 <b>
 <a>7</a>
 <b>12</b>
-<v>14850</v>
+<v>28853</v>
 </b>
 <b>
 <a>12</a>
 <b>143</b>
-<v>6783</v>
+<v>13179</v>
 </b>
 </bs>
 </hist>
@@ -42615,37 +43099,37 @@
 <b>
 <a>1</a>
 <b>2</b>
-<v>71998</v>
+<v>139888</v>
 </b>
 <b>
 <a>2</a>
 <b>3</b>
-<v>31924</v>
+<v>62027</v>
 </b>
 <b>
 <a>3</a>
 <b>4</b>
-<v>25381</v>
+<v>49314</v>
 </b>
 <b>
 <a>4</a>
 <b>5</b>
-<v>12080</v>
+<v>23471</v>
 </b>
 <b>
 <a>5</a>
 <b>7</b>
-<v>16404</v>
+<v>31873</v>
 </b>
 <b>
 <a>7</a>
 <b>12</b>
-<v>14850</v>
+<v>28853</v>
 </b>
 <b>
 <a>12</a>
 <b>143</b>
-<v>6783</v>
+<v>13179</v>
 </b>
 </bs>
 </hist>
@@ -42661,32 +43145,32 @@
 <b>
 <a>1</a>
 <b>2</b>
-<v>86641</v>
+<v>168337</v>
 </b>
 <b>
 <a>2</a>
 <b>3</b>
-<v>36085</v>
+<v>70112</v>
 </b>
 <b>
 <a>3</a>
 <b>4</b>
-<v>19523</v>
+<v>37932</v>
 </b>
 <b>
 <a>4</a>
 <b>5</b>
-<v>10623</v>
+<v>20641</v>
 </b>
 <b>
 <a>5</a>
 <b>7</b>
-<v>14238</v>
+<v>27664</v>
 </b>
 <b>
 <a>7</a>
 <b>47</b>
-<v>12311</v>
+<v>23919</v>
 </b>
 </bs>
 </hist>
@@ -42702,62 +43186,62 @@
 <b>
 <a>1</a>
 <b>2</b>
-<v>35</v>
+<v>68</v>
 </b>
 <b>
 <a>2</a>
 <b>3</b>
-<v>45</v>
+<v>87</v>
 </b>
 <b>
 <a>3</a>
 <b>5</b>
-<v>32</v>
+<v>63</v>
 </b>
 <b>
 <a>5</a>
 <b>7</b>
-<v>25</v>
+<v>48</v>
 </b>
 <b>
 <a>7</a>
 <b>8</b>
-<v>32</v>
+<v>63</v>
 </b>
 <b>
 <a>8</a>
 <b>13</b>
-<v>32</v>
+<v>63</v>
 </b>
 <b>
 <a>13</a>
 <b>19</b>
-<v>27</v>
+<v>53</v>
 </b>
 <b>
 <a>21</a>
 <b>51</b>
-<v>27</v>
+<v>53</v>
 </b>
 <b>
 <a>56</a>
 <b>167</b>
-<v>27</v>
+<v>53</v>
 </b>
 <b>
 <a>182</a>
 <b>829</b>
-<v>27</v>
+<v>53</v>
 </b>
 <b>
 <a>1008</a>
 <b>8631</b>
-<v>27</v>
+<v>53</v>
 </b>
 <b>
 <a>11398</a>
 <b>71575</b>
-<v>15</v>
+<v>29</v>
 </b>
 </bs>
 </hist>
@@ -42773,62 +43257,62 @@
 <b>
 <a>1</a>
 <b>2</b>
-<v>35</v>
+<v>68</v>
 </b>
 <b>
 <a>2</a>
 <b>3</b>
-<v>45</v>
+<v>87</v>
 </b>
 <b>
 <a>3</a>
 <b>5</b>
-<v>32</v>
+<v>63</v>
 </b>
 <b>
 <a>5</a>
 <b>7</b>
-<v>25</v>
+<v>48</v>
 </b>
 <b>
 <a>7</a>
 <b>8</b>
-<v>32</v>
+<v>63</v>
 </b>
 <b>
 <a>8</a>
 <b>13</b>
-<v>32</v>
+<v>63</v>
 </b>
 <b>
 <a>13</a>
 <b>19</b>
-<v>27</v>
+<v>53</v>
 </b>
 <b>
 <a>21</a>
 <b>51</b>
-<v>27</v>
+<v>53</v>
 </b>
 <b>
 <a>56</a>
 <b>167</b>
-<v>27</v>
+<v>53</v>
 </b>
 <b>
 <a>182</a>
 <b>829</b>
-<v>27</v>
+<v>53</v>
 </b>
 <b>
 <a>1008</a>
 <b>8631</b>
-<v>27</v>
+<v>53</v>
 </b>
 <b>
 <a>11398</a>
 <b>71575</b>
-<v>15</v>
+<v>29</v>
 </b>
 </bs>
 </hist>
@@ -42844,67 +43328,67 @@
 <b>
 <a>1</a>
 <b>2</b>
-<v>37</v>
+<v>73</v>
 </b>
 <b>
 <a>2</a>
 <b>3</b>
-<v>47</v>
+<v>92</v>
 </b>
 <b>
 <a>3</a>
 <b>4</b>
-<v>30</v>
+<v>58</v>
 </b>
 <b>
 <a>4</a>
 <b>5</b>
-<v>12</v>
+<v>24</v>
 </b>
 <b>
 <a>5</a>
 <b>6</b>
-<v>30</v>
+<v>58</v>
 </b>
 <b>
 <a>6</a>
 <b>8</b>
-<v>30</v>
+<v>58</v>
 </b>
 <b>
 <a>8</a>
 <b>11</b>
-<v>22</v>
+<v>43</v>
 </b>
 <b>
 <a>11</a>
 <b>18</b>
-<v>27</v>
+<v>53</v>
 </b>
 <b>
 <a>19</a>
 <b>42</b>
-<v>27</v>
+<v>53</v>
 </b>
 <b>
 <a>52</a>
 <b>110</b>
-<v>27</v>
+<v>53</v>
 </b>
 <b>
 <a>143</a>
 <b>539</b>
-<v>27</v>
+<v>53</v>
 </b>
 <b>
 <a>599</a>
 <b>4919</b>
-<v>27</v>
+<v>53</v>
 </b>
 <b>
 <a>7226</a>
 <b>19498</b>
-<v>7</v>
+<v>14</v>
 </b>
 </bs>
 </hist>
@@ -42920,37 +43404,37 @@
 <b>
 <a>1</a>
 <b>2</b>
-<v>41836</v>
+<v>81285</v>
 </b>
 <b>
 <a>2</a>
 <b>3</b>
-<v>14018</v>
+<v>27236</v>
 </b>
 <b>
 <a>3</a>
 <b>4</b>
-<v>4309</v>
+<v>8372</v>
 </b>
 <b>
 <a>4</a>
 <b>5</b>
-<v>6084</v>
+<v>11820</v>
 </b>
 <b>
 <a>5</a>
 <b>8</b>
-<v>6580</v>
+<v>12785</v>
 </b>
 <b>
 <a>8</a>
 <b>76</b>
-<v>5956</v>
+<v>11572</v>
 </b>
 <b>
 <a>76</a>
 <b>35712</b>
-<v>586</v>
+<v>1139</v>
 </b>
 </bs>
 </hist>
@@ -42966,32 +43450,32 @@
 <b>
 <a>1</a>
 <b>2</b>
-<v>43909</v>
+<v>85313</v>
 </b>
 <b>
 <a>2</a>
 <b>3</b>
-<v>15943</v>
+<v>30976</v>
 </b>
 <b>
 <a>3</a>
 <b>4</b>
-<v>4314</v>
+<v>8382</v>
 </b>
 <b>
 <a>4</a>
 <b>5</b>
-<v>6021</v>
+<v>11699</v>
 </b>
 <b>
 <a>5</a>
 <b>14</b>
-<v>6186</v>
+<v>12020</v>
 </b>
 <b>
 <a>14</a>
 <b>21451</b>
-<v>2995</v>
+<v>5820</v>
 </b>
 </bs>
 </hist>
@@ -43007,27 +43491,27 @@
 <b>
 <a>1</a>
 <b>2</b>
-<v>49725</v>
+<v>96613</v>
 </b>
 <b>
 <a>2</a>
 <b>3</b>
-<v>14757</v>
+<v>28673</v>
 </b>
 <b>
 <a>3</a>
 <b>4</b>
-<v>7086</v>
+<v>13769</v>
 </b>
 <b>
 <a>4</a>
 <b>9</b>
-<v>6104</v>
+<v>11859</v>
 </b>
 <b>
 <a>9</a>
 <b>122</b>
-<v>1697</v>
+<v>3297</v>
 </b>
 </bs>
 </hist>
@@ -43090,35 +43574,35 @@
 </relation>
 <relation>
 <name>cil_handler</name>
-<cardinality>52214</cardinality>
+<cardinality>101449</cardinality>
 <columnsizes>
 <e>
 <k>id</k>
-<v>52214</v>
+<v>101449</v>
 </e>
 <e>
 <k>impl</k>
-<v>36760</v>
+<v>71422</v>
 </e>
 <e>
 <k>index</k>
-<v>40</v>
+<v>77</v>
 </e>
 <e>
 <k>kind</k>
-<v>10</v>
+<v>19</v>
 </e>
 <e>
 <k>try_start</k>
-<v>50239</v>
+<v>97611</v>
 </e>
 <e>
 <k>try_end</k>
-<v>51380</v>
+<v>99827</v>
 </e>
 <e>
 <k>handler_start</k>
-<v>52214</v>
+<v>101449</v>
 </e>
 </columnsizes>
 <dependencies>
@@ -43132,7 +43616,7 @@
 <b>
 <a>1</a>
 <b>2</b>
-<v>52214</v>
+<v>101449</v>
 </b>
 </bs>
 </hist>
@@ -43148,7 +43632,7 @@
 <b>
 <a>1</a>
 <b>2</b>
-<v>52214</v>
+<v>101449</v>
 </b>
 </bs>
 </hist>
@@ -43164,7 +43648,7 @@
 <b>
 <a>1</a>
 <b>2</b>
-<v>52214</v>
+<v>101449</v>
 </b>
 </bs>
 </hist>
@@ -43180,7 +43664,7 @@
 <b>
 <a>1</a>
 <b>2</b>
-<v>52214</v>
+<v>101449</v>
 </b>
 </bs>
 </hist>
@@ -43196,7 +43680,7 @@
 <b>
 <a>1</a>
 <b>2</b>
-<v>52214</v>
+<v>101449</v>
 </b>
 </bs>
 </hist>
@@ -43212,7 +43696,7 @@
 <b>
 <a>1</a>
 <b>2</b>
-<v>52214</v>
+<v>101449</v>
 </b>
 </bs>
 </hist>
@@ -43228,22 +43712,22 @@
 <b>
 <a>1</a>
 <b>2</b>
-<v>27677</v>
+<v>53776</v>
 </b>
 <b>
 <a>2</a>
 <b>3</b>
-<v>5740</v>
+<v>11153</v>
 </b>
 <b>
 <a>3</a>
 <b>5</b>
-<v>2792</v>
+<v>5425</v>
 </b>
 <b>
 <a>5</a>
 <b>17</b>
-<v>548</v>
+<v>1066</v>
 </b>
 </bs>
 </hist>
@@ -43259,22 +43743,22 @@
 <b>
 <a>1</a>
 <b>2</b>
-<v>27677</v>
+<v>53776</v>
 </b>
 <b>
 <a>2</a>
 <b>3</b>
-<v>5740</v>
+<v>11153</v>
 </b>
 <b>
 <a>3</a>
 <b>5</b>
-<v>2792</v>
+<v>5425</v>
 </b>
 <b>
 <a>5</a>
 <b>17</b>
-<v>548</v>
+<v>1066</v>
 </b>
 </bs>
 </hist>
@@ -43290,17 +43774,17 @@
 <b>
 <a>1</a>
 <b>2</b>
-<v>31839</v>
+<v>61861</v>
 </b>
 <b>
 <a>2</a>
 <b>3</b>
-<v>4805</v>
+<v>9336</v>
 </b>
 <b>
 <a>3</a>
 <b>4</b>
-<v>115</v>
+<v>224</v>
 </b>
 </bs>
 </hist>
@@ -43316,22 +43800,22 @@
 <b>
 <a>1</a>
 <b>2</b>
-<v>28206</v>
+<v>54803</v>
 </b>
 <b>
 <a>2</a>
 <b>3</b>
-<v>5582</v>
+<v>10846</v>
 </b>
 <b>
 <a>3</a>
 <b>7</b>
-<v>2845</v>
+<v>5528</v>
 </b>
 <b>
 <a>7</a>
 <b>15</b>
-<v>125</v>
+<v>243</v>
 </b>
 </bs>
 </hist>
@@ -43347,22 +43831,22 @@
 <b>
 <a>1</a>
 <b>2</b>
-<v>27961</v>
+<v>54326</v>
 </b>
 <b>
 <a>2</a>
 <b>3</b>
-<v>5695</v>
+<v>11065</v>
 </b>
 <b>
 <a>3</a>
 <b>6</b>
-<v>2842</v>
+<v>5523</v>
 </b>
 <b>
 <a>6</a>
 <b>16</b>
-<v>260</v>
+<v>506</v>
 </b>
 </bs>
 </hist>
@@ -43378,22 +43862,22 @@
 <b>
 <a>1</a>
 <b>2</b>
-<v>27677</v>
+<v>53776</v>
 </b>
 <b>
 <a>2</a>
 <b>3</b>
-<v>5740</v>
+<v>11153</v>
 </b>
 <b>
 <a>3</a>
 <b>5</b>
-<v>2792</v>
+<v>5425</v>
 </b>
 <b>
 <a>5</a>
 <b>17</b>
-<v>548</v>
+<v>1066</v>
 </b>
 </bs>
 </hist>
@@ -43409,77 +43893,77 @@
 <b>
 <a>1</a>
 <b>2</b>
-<v>2</v>
+<v>4</v>
 </b>
 <b>
 <a>2</a>
 <b>3</b>
-<v>5</v>
+<v>9</v>
 </b>
 <b>
 <a>4</a>
 <b>5</b>
-<v>2</v>
+<v>4</v>
 </b>
 <b>
 <a>9</a>
 <b>10</b>
-<v>2</v>
+<v>4</v>
 </b>
 <b>
 <a>11</a>
 <b>12</b>
-<v>2</v>
+<v>4</v>
 </b>
 <b>
 <a>20</a>
 <b>21</b>
-<v>2</v>
+<v>4</v>
 </b>
 <b>
 <a>27</a>
 <b>28</b>
-<v>2</v>
+<v>4</v>
 </b>
 <b>
 <a>40</a>
 <b>41</b>
-<v>2</v>
+<v>4</v>
 </b>
 <b>
 <a>66</a>
 <b>67</b>
-<v>2</v>
+<v>4</v>
 </b>
 <b>
 <a>123</a>
 <b>124</b>
-<v>2</v>
+<v>4</v>
 </b>
 <b>
 <a>219</a>
 <b>220</b>
-<v>2</v>
+<v>4</v>
 </b>
 <b>
 <a>685</a>
 <b>686</b>
-<v>2</v>
+<v>4</v>
 </b>
 <b>
 <a>1333</a>
 <b>1334</b>
-<v>2</v>
+<v>4</v>
 </b>
 <b>
 <a>3623</a>
 <b>3624</b>
-<v>2</v>
+<v>4</v>
 </b>
 <b>
 <a>14664</a>
 <b>14665</b>
-<v>2</v>
+<v>4</v>
 </b>
 </bs>
 </hist>
@@ -43495,77 +43979,77 @@
 <b>
 <a>1</a>
 <b>2</b>
-<v>2</v>
+<v>4</v>
 </b>
 <b>
 <a>2</a>
 <b>3</b>
-<v>5</v>
+<v>9</v>
 </b>
 <b>
 <a>4</a>
 <b>5</b>
-<v>2</v>
+<v>4</v>
 </b>
 <b>
 <a>9</a>
 <b>10</b>
-<v>2</v>
+<v>4</v>
 </b>
 <b>
 <a>11</a>
 <b>12</b>
-<v>2</v>
+<v>4</v>
 </b>
 <b>
 <a>20</a>
 <b>21</b>
-<v>2</v>
+<v>4</v>
 </b>
 <b>
 <a>27</a>
 <b>28</b>
-<v>2</v>
+<v>4</v>
 </b>
 <b>
 <a>40</a>
 <b>41</b>
-<v>2</v>
+<v>4</v>
 </b>
 <b>
 <a>66</a>
 <b>67</b>
-<v>2</v>
+<v>4</v>
 </b>
 <b>
 <a>123</a>
 <b>124</b>
-<v>2</v>
+<v>4</v>
 </b>
 <b>
 <a>219</a>
 <b>220</b>
-<v>2</v>
+<v>4</v>
 </b>
 <b>
 <a>685</a>
 <b>686</b>
-<v>2</v>
+<v>4</v>
 </b>
 <b>
 <a>1333</a>
 <b>1334</b>
-<v>2</v>
+<v>4</v>
 </b>
 <b>
 <a>3623</a>
 <b>3624</b>
-<v>2</v>
+<v>4</v>
 </b>
 <b>
 <a>14664</a>
 <b>14665</b>
-<v>2</v>
+<v>4</v>
 </b>
 </bs>
 </hist>
@@ -43581,22 +44065,22 @@
 <b>
 <a>1</a>
 <b>2</b>
-<v>5</v>
+<v>9</v>
 </b>
 <b>
 <a>2</a>
 <b>3</b>
-<v>15</v>
+<v>29</v>
 </b>
 <b>
 <a>3</a>
 <b>4</b>
-<v>7</v>
+<v>14</v>
 </b>
 <b>
 <a>4</a>
 <b>5</b>
-<v>12</v>
+<v>24</v>
 </b>
 </bs>
 </hist>
@@ -43612,77 +44096,77 @@
 <b>
 <a>1</a>
 <b>2</b>
-<v>2</v>
+<v>4</v>
 </b>
 <b>
 <a>2</a>
 <b>3</b>
-<v>5</v>
+<v>9</v>
 </b>
 <b>
 <a>4</a>
 <b>5</b>
-<v>2</v>
+<v>4</v>
 </b>
 <b>
 <a>9</a>
 <b>10</b>
-<v>2</v>
+<v>4</v>
 </b>
 <b>
 <a>11</a>
 <b>12</b>
-<v>2</v>
+<v>4</v>
 </b>
 <b>
 <a>20</a>
 <b>21</b>
-<v>2</v>
+<v>4</v>
 </b>
 <b>
 <a>27</a>
 <b>28</b>
-<v>2</v>
+<v>4</v>
 </b>
 <b>
 <a>40</a>
 <b>41</b>
-<v>2</v>
+<v>4</v>
 </b>
 <b>
 <a>66</a>
 <b>67</b>
-<v>2</v>
+<v>4</v>
 </b>
 <b>
 <a>123</a>
 <b>124</b>
-<v>2</v>
+<v>4</v>
 </b>
 <b>
 <a>219</a>
 <b>220</b>
-<v>2</v>
+<v>4</v>
 </b>
 <b>
 <a>685</a>
 <b>686</b>
-<v>2</v>
+<v>4</v>
 </b>
 <b>
 <a>1333</a>
 <b>1334</b>
-<v>2</v>
+<v>4</v>
 </b>
 <b>
 <a>3623</a>
 <b>3624</b>
-<v>2</v>
+<v>4</v>
 </b>
 <b>
 <a>14664</a>
 <b>14665</b>
-<v>2</v>
+<v>4</v>
 </b>
 </bs>
 </hist>
@@ -43698,77 +44182,77 @@
 <b>
 <a>1</a>
 <b>2</b>
-<v>2</v>
+<v>4</v>
 </b>
 <b>
 <a>2</a>
 <b>3</b>
-<v>5</v>
+<v>9</v>
 </b>
 <b>
 <a>4</a>
 <b>5</b>
-<v>2</v>
+<v>4</v>
 </b>
 <b>
 <a>9</a>
 <b>10</b>
-<v>2</v>
+<v>4</v>
 </b>
 <b>
 <a>11</a>
 <b>12</b>
-<v>2</v>
+<v>4</v>
 </b>
 <b>
 <a>20</a>
 <b>21</b>
-<v>2</v>
+<v>4</v>
 </b>
 <b>
 <a>27</a>
 <b>28</b>
-<v>2</v>
+<v>4</v>
 </b>
 <b>
 <a>40</a>
 <b>41</b>
-<v>2</v>
+<v>4</v>
 </b>
 <b>
 <a>66</a>
 <b>67</b>
-<v>2</v>
+<v>4</v>
 </b>
 <b>
 <a>123</a>
 <b>124</b>
-<v>2</v>
+<v>4</v>
 </b>
 <b>
 <a>219</a>
 <b>220</b>
-<v>2</v>
+<v>4</v>
 </b>
 <b>
 <a>685</a>
 <b>686</b>
-<v>2</v>
+<v>4</v>
 </b>
 <b>
 <a>1333</a>
 <b>1334</b>
-<v>2</v>
+<v>4</v>
 </b>
 <b>
 <a>3623</a>
 <b>3624</b>
-<v>2</v>
+<v>4</v>
 </b>
 <b>
 <a>14664</a>
 <b>14665</b>
-<v>2</v>
+<v>4</v>
 </b>
 </bs>
 </hist>
@@ -43784,77 +44268,77 @@
 <b>
 <a>1</a>
 <b>2</b>
-<v>2</v>
+<v>4</v>
 </b>
 <b>
 <a>2</a>
 <b>3</b>
-<v>5</v>
+<v>9</v>
 </b>
 <b>
 <a>4</a>
 <b>5</b>
-<v>2</v>
+<v>4</v>
 </b>
 <b>
 <a>9</a>
 <b>10</b>
-<v>2</v>
+<v>4</v>
 </b>
 <b>
 <a>11</a>
 <b>12</b>
-<v>2</v>
+<v>4</v>
 </b>
 <b>
 <a>20</a>
 <b>21</b>
-<v>2</v>
+<v>4</v>
 </b>
 <b>
 <a>27</a>
 <b>28</b>
-<v>2</v>
+<v>4</v>
 </b>
 <b>
 <a>40</a>
 <b>41</b>
-<v>2</v>
+<v>4</v>
 </b>
 <b>
 <a>66</a>
 <b>67</b>
-<v>2</v>
+<v>4</v>
 </b>
 <b>
 <a>123</a>
 <b>124</b>
-<v>2</v>
+<v>4</v>
 </b>
 <b>
 <a>219</a>
 <b>220</b>
-<v>2</v>
+<v>4</v>
 </b>
 <b>
 <a>685</a>
 <b>686</b>
-<v>2</v>
+<v>4</v>
 </b>
 <b>
 <a>1333</a>
 <b>1334</b>
-<v>2</v>
+<v>4</v>
 </b>
 <b>
 <a>3623</a>
 <b>3624</b>
-<v>2</v>
+<v>4</v>
 </b>
 <b>
 <a>14664</a>
 <b>14665</b>
-<v>2</v>
+<v>4</v>
 </b>
 </bs>
 </hist>
@@ -43870,22 +44354,22 @@
 <b>
 <a>166</a>
 <b>167</b>
-<v>2</v>
+<v>4</v>
 </b>
 <b>
 <a>302</a>
 <b>303</b>
-<v>2</v>
+<v>4</v>
 </b>
 <b>
 <a>8994</a>
 <b>8995</b>
-<v>2</v>
+<v>4</v>
 </b>
 <b>
 <a>11367</a>
 <b>11368</b>
-<v>2</v>
+<v>4</v>
 </b>
 </bs>
 </hist>
@@ -43901,22 +44385,22 @@
 <b>
 <a>148</a>
 <b>149</b>
-<v>2</v>
+<v>4</v>
 </b>
 <b>
 <a>302</a>
 <b>303</b>
-<v>2</v>
+<v>4</v>
 </b>
 <b>
 <a>7560</a>
 <b>7561</b>
-<v>2</v>
+<v>4</v>
 </b>
 <b>
 <a>8663</a>
 <b>8664</b>
-<v>2</v>
+<v>4</v>
 </b>
 </bs>
 </hist>
@@ -43932,22 +44416,22 @@
 <b>
 <a>5</a>
 <b>6</b>
-<v>2</v>
+<v>4</v>
 </b>
 <b>
 <a>8</a>
 <b>9</b>
-<v>2</v>
+<v>4</v>
 </b>
 <b>
 <a>14</a>
 <b>15</b>
-<v>2</v>
+<v>4</v>
 </b>
 <b>
 <a>16</a>
 <b>17</b>
-<v>2</v>
+<v>4</v>
 </b>
 </bs>
 </hist>
@@ -43963,22 +44447,22 @@
 <b>
 <a>159</a>
 <b>160</b>
-<v>2</v>
+<v>4</v>
 </b>
 <b>
 <a>302</a>
 <b>303</b>
-<v>2</v>
+<v>4</v>
 </b>
 <b>
 <a>8695</a>
 <b>8696</b>
-<v>2</v>
+<v>4</v>
 </b>
 <b>
 <a>11363</a>
 <b>11364</b>
-<v>2</v>
+<v>4</v>
 </b>
 </bs>
 </hist>
@@ -43994,22 +44478,22 @@
 <b>
 <a>159</a>
 <b>160</b>
-<v>2</v>
+<v>4</v>
 </b>
 <b>
 <a>302</a>
 <b>303</b>
-<v>2</v>
+<v>4</v>
 </b>
 <b>
 <a>8704</a>
 <b>8705</b>
-<v>2</v>
+<v>4</v>
 </b>
 <b>
 <a>11367</a>
 <b>11368</b>
-<v>2</v>
+<v>4</v>
 </b>
 </bs>
 </hist>
@@ -44025,22 +44509,22 @@
 <b>
 <a>166</a>
 <b>167</b>
-<v>2</v>
+<v>4</v>
 </b>
 <b>
 <a>302</a>
 <b>303</b>
-<v>2</v>
+<v>4</v>
 </b>
 <b>
 <a>8994</a>
 <b>8995</b>
-<v>2</v>
+<v>4</v>
 </b>
 <b>
 <a>11367</a>
 <b>11368</b>
-<v>2</v>
+<v>4</v>
 </b>
 </bs>
 </hist>
@@ -44056,12 +44540,12 @@
 <b>
 <a>1</a>
 <b>2</b>
-<v>48542</v>
+<v>94314</v>
 </b>
 <b>
 <a>2</a>
 <b>8</b>
-<v>1697</v>
+<v>3297</v>
 </b>
 </bs>
 </hist>
@@ -44077,7 +44561,7 @@
 <b>
 <a>1</a>
 <b>2</b>
-<v>50239</v>
+<v>97611</v>
 </b>
 </bs>
 </hist>
@@ -44093,12 +44577,12 @@
 <b>
 <a>1</a>
 <b>2</b>
-<v>48542</v>
+<v>94314</v>
 </b>
 <b>
 <a>2</a>
 <b>8</b>
-<v>1697</v>
+<v>3297</v>
 </b>
 </bs>
 </hist>
@@ -44114,12 +44598,12 @@
 <b>
 <a>1</a>
 <b>2</b>
-<v>49076</v>
+<v>95351</v>
 </b>
 <b>
 <a>2</a>
 <b>4</b>
-<v>1163</v>
+<v>2259</v>
 </b>
 </bs>
 </hist>
@@ -44135,12 +44619,12 @@
 <b>
 <a>1</a>
 <b>2</b>
-<v>49098</v>
+<v>95395</v>
 </b>
 <b>
 <a>2</a>
 <b>3</b>
-<v>1140</v>
+<v>2216</v>
 </b>
 </bs>
 </hist>
@@ -44156,12 +44640,12 @@
 <b>
 <a>1</a>
 <b>2</b>
-<v>48542</v>
+<v>94314</v>
 </b>
 <b>
 <a>2</a>
 <b>8</b>
-<v>1697</v>
+<v>3297</v>
 </b>
 </bs>
 </hist>
@@ -44177,12 +44661,12 @@
 <b>
 <a>1</a>
 <b>2</b>
-<v>50748</v>
+<v>98600</v>
 </b>
 <b>
 <a>2</a>
 <b>7</b>
-<v>631</v>
+<v>1227</v>
 </b>
 </bs>
 </hist>
@@ -44198,7 +44682,7 @@
 <b>
 <a>1</a>
 <b>2</b>
-<v>51380</v>
+<v>99827</v>
 </b>
 </bs>
 </hist>
@@ -44214,12 +44698,12 @@
 <b>
 <a>1</a>
 <b>2</b>
-<v>50748</v>
+<v>98600</v>
 </b>
 <b>
 <a>2</a>
 <b>7</b>
-<v>631</v>
+<v>1227</v>
 </b>
 </bs>
 </hist>
@@ -44235,12 +44719,12 @@
 <b>
 <a>1</a>
 <b>2</b>
-<v>51289</v>
+<v>99652</v>
 </b>
 <b>
 <a>2</a>
 <b>3</b>
-<v>90</v>
+<v>175</v>
 </b>
 </bs>
 </hist>
@@ -44256,7 +44740,7 @@
 <b>
 <a>1</a>
 <b>2</b>
-<v>51380</v>
+<v>99827</v>
 </b>
 </bs>
 </hist>
@@ -44272,12 +44756,12 @@
 <b>
 <a>1</a>
 <b>2</b>
-<v>50748</v>
+<v>98600</v>
 </b>
 <b>
 <a>2</a>
 <b>7</b>
-<v>631</v>
+<v>1227</v>
 </b>
 </bs>
 </hist>
@@ -44293,7 +44777,7 @@
 <b>
 <a>1</a>
 <b>2</b>
-<v>52214</v>
+<v>101449</v>
 </b>
 </bs>
 </hist>
@@ -44309,7 +44793,7 @@
 <b>
 <a>1</a>
 <b>2</b>
-<v>52214</v>
+<v>101449</v>
 </b>
 </bs>
 </hist>
@@ -44325,7 +44809,7 @@
 <b>
 <a>1</a>
 <b>2</b>
-<v>52214</v>
+<v>101449</v>
 </b>
 </bs>
 </hist>
@@ -44341,7 +44825,7 @@
 <b>
 <a>1</a>
 <b>2</b>
-<v>52214</v>
+<v>101449</v>
 </b>
 </bs>
 </hist>
@@ -44357,7 +44841,7 @@
 <b>
 <a>1</a>
 <b>2</b>
-<v>52214</v>
+<v>101449</v>
 </b>
 </bs>
 </hist>
@@ -44373,7 +44857,7 @@
 <b>
 <a>1</a>
 <b>2</b>
-<v>52214</v>
+<v>101449</v>
 </b>
 </bs>
 </hist>
@@ -44383,15 +44867,15 @@
 </relation>
 <relation>
 <name>cil_handler_filter</name>
-<cardinality>416</cardinality>
+<cardinality>808</cardinality>
 <columnsizes>
 <e>
 <k>id</k>
-<v>416</v>
+<v>808</v>
 </e>
 <e>
 <k>filter_start</k>
-<v>416</v>
+<v>808</v>
 </e>
 </columnsizes>
 <dependencies>
@@ -44405,7 +44889,7 @@
 <b>
 <a>1</a>
 <b>2</b>
-<v>416</v>
+<v>808</v>
 </b>
 </bs>
 </hist>
@@ -44421,7 +44905,7 @@
 <b>
 <a>1</a>
 <b>2</b>
-<v>416</v>
+<v>808</v>
 </b>
 </bs>
 </hist>
@@ -44431,15 +44915,15 @@
 </relation>
 <relation>
 <name>cil_handler_type</name>
-<cardinality>22546</cardinality>
+<cardinality>43806</cardinality>
 <columnsizes>
 <e>
 <k>id</k>
-<v>22546</v>
+<v>43806</v>
 </e>
 <e>
 <k>catch_type</k>
-<v>649</v>
+<v>1261</v>
 </e>
 </columnsizes>
 <dependencies>
@@ -44453,7 +44937,7 @@
 <b>
 <a>1</a>
 <b>2</b>
-<v>22546</v>
+<v>43806</v>
 </b>
 </bs>
 </hist>
@@ -44469,42 +44953,42 @@
 <b>
 <a>1</a>
 <b>2</b>
-<v>225</v>
+<v>438</v>
 </b>
 <b>
 <a>2</a>
 <b>3</b>
-<v>137</v>
+<v>267</v>
 </b>
 <b>
 <a>3</a>
 <b>4</b>
-<v>77</v>
+<v>150</v>
 </b>
 <b>
 <a>4</a>
 <b>5</b>
-<v>52</v>
+<v>102</v>
 </b>
 <b>
 <a>5</a>
 <b>8</b>
-<v>50</v>
+<v>97</v>
 </b>
 <b>
 <a>8</a>
 <b>16</b>
-<v>52</v>
+<v>102</v>
 </b>
 <b>
 <a>16</a>
 <b>2589</b>
-<v>50</v>
+<v>97</v>
 </b>
 <b>
 <a>3495</a>
 <b>3496</b>
-<v>2</v>
+<v>4</v>
 </b>
 </bs>
 </hist>
@@ -44514,15 +44998,15 @@
 </relation>
 <relation>
 <name>cil_method_stack_size</name>
-<cardinality>888189</cardinality>
+<cardinality>1725686</cardinality>
 <columnsizes>
 <e>
 <k>method</k>
-<v>888189</v>
+<v>1725686</v>
 </e>
 <e>
 <k>size</k>
-<v>82</v>
+<v>160</v>
 </e>
 </columnsizes>
 <dependencies>
@@ -44536,7 +45020,7 @@
 <b>
 <a>1</a>
 <b>2</b>
-<v>888189</v>
+<v>1725686</v>
 </b>
 </bs>
 </hist>
@@ -44552,62 +45036,62 @@
 <b>
 <a>1</a>
 <b>2</b>
-<v>5</v>
+<v>9</v>
 </b>
 <b>
 <a>4</a>
 <b>5</b>
-<v>5</v>
+<v>9</v>
 </b>
 <b>
 <a>5</a>
 <b>7</b>
-<v>7</v>
+<v>14</v>
 </b>
 <b>
 <a>7</a>
 <b>10</b>
-<v>7</v>
+<v>14</v>
 </b>
 <b>
 <a>10</a>
 <b>14</b>
-<v>7</v>
+<v>14</v>
 </b>
 <b>
 <a>14</a>
 <b>19</b>
-<v>7</v>
+<v>14</v>
 </b>
 <b>
 <a>54</a>
 <b>75</b>
-<v>7</v>
+<v>14</v>
 </b>
 <b>
 <a>99</a>
 <b>326</b>
-<v>7</v>
+<v>14</v>
 </b>
 <b>
 <a>814</a>
 <b>2665</b>
-<v>7</v>
+<v>14</v>
 </b>
 <b>
 <a>3004</a>
 <b>5050</b>
-<v>7</v>
+<v>14</v>
 </b>
 <b>
 <a>8726</a>
 <b>20803</b>
-<v>7</v>
+<v>14</v>
 </b>
 <b>
 <a>23498</a>
 <b>270374</b>
-<v>5</v>
+<v>9</v>
 </b>
 </bs>
 </hist>
@@ -44617,110 +45101,110 @@
 </relation>
 <relation>
 <name>cil_public</name>
-<cardinality>982987</cardinality>
+<cardinality>1909872</cardinality>
 <columnsizes>
 <e>
 <k>id</k>
-<v>982987</v>
+<v>1909872</v>
 </e>
 </columnsizes>
 <dependencies/>
 </relation>
 <relation>
 <name>cil_private</name>
-<cardinality>477765</cardinality>
+<cardinality>928262</cardinality>
 <columnsizes>
 <e>
 <k>id</k>
-<v>477765</v>
+<v>928262</v>
 </e>
 </columnsizes>
 <dependencies/>
 </relation>
 <relation>
 <name>cil_protected</name>
-<cardinality>935332</cardinality>
+<cardinality>1817282</cardinality>
 <columnsizes>
 <e>
 <k>id</k>
-<v>935332</v>
+<v>1817282</v>
 </e>
 </columnsizes>
 <dependencies/>
 </relation>
 <relation>
 <name>cil_internal</name>
-<cardinality>23052</cardinality>
+<cardinality>41663</cardinality>
 <columnsizes>
 <e>
 <k>id</k>
-<v>23052</v>
+<v>41663</v>
 </e>
 </columnsizes>
 <dependencies/>
 </relation>
 <relation>
 <name>cil_static</name>
-<cardinality>408907</cardinality>
+<cardinality>794476</cardinality>
 <columnsizes>
 <e>
 <k>id</k>
-<v>408907</v>
+<v>794476</v>
 </e>
 </columnsizes>
 <dependencies/>
 </relation>
 <relation>
 <name>cil_sealed</name>
-<cardinality>183415</cardinality>
+<cardinality>356362</cardinality>
 <columnsizes>
 <e>
 <k>id</k>
-<v>183415</v>
+<v>356362</v>
 </e>
 </columnsizes>
 <dependencies/>
 </relation>
 <relation>
 <name>cil_virtual</name>
-<cardinality>348562</cardinality>
+<cardinality>677231</cardinality>
 <columnsizes>
 <e>
 <k>id</k>
-<v>348562</v>
+<v>677231</v>
 </e>
 </columnsizes>
 <dependencies/>
 </relation>
 <relation>
 <name>cil_abstract</name>
-<cardinality>84971</cardinality>
+<cardinality>165093</cardinality>
 <columnsizes>
 <e>
 <k>id</k>
-<v>84971</v>
+<v>165093</v>
 </e>
 </columnsizes>
 <dependencies/>
 </relation>
 <relation>
 <name>cil_class</name>
-<cardinality>122717</cardinality>
+<cardinality>238430</cardinality>
 <columnsizes>
 <e>
 <k>id</k>
-<v>122717</v>
+<v>238430</v>
 </e>
 </columnsizes>
 <dependencies/>
 </relation>
 <relation>
 <name>cil_interface</name>
-<cardinality>8513</cardinality>
+<cardinality>16540</cardinality>
 <columnsizes>
 <e>
 <k>id</k>
-<v>8513</v>
+<v>16540</v>
 </e>
 </columnsizes>
 <dependencies/>
@@ -44749,37 +45233,37 @@
 </relation>
 <relation>
 <name>cil_specialname</name>
-<cardinality>417180</cardinality>
+<cardinality>810549</cardinality>
 <columnsizes>
 <e>
 <k>id</k>
-<v>417180</v>
+<v>810549</v>
 </e>
 </columnsizes>
 <dependencies/>
 </relation>
 <relation>
 <name>cil_newslot</name>
-<cardinality>217219</cardinality>
+<cardinality>422041</cardinality>
 <columnsizes>
 <e>
 <k>id</k>
-<v>217219</v>
+<v>422041</v>
 </e>
 </columnsizes>
 <dependencies/>
 </relation>
 <relation>
 <name>cil_base_class</name>
-<cardinality>121182</cardinality>
+<cardinality>235449</cardinality>
 <columnsizes>
 <e>
 <k>id</k>
-<v>121182</v>
+<v>235449</v>
 </e>
 <e>
 <k>base</k>
-<v>11012</v>
+<v>21396</v>
 </e>
 </columnsizes>
 <dependencies>
@@ -44793,7 +45277,7 @@
 <b>
 <a>1</a>
 <b>2</b>
-<v>121182</v>
+<v>235449</v>
 </b>
 </bs>
 </hist>
@@ -44809,32 +45293,32 @@
 <b>
 <a>1</a>
 <b>2</b>
-<v>6334</v>
+<v>12307</v>
 </b>
 <b>
 <a>2</a>
 <b>3</b>
-<v>1985</v>
+<v>3857</v>
 </b>
 <b>
 <a>3</a>
 <b>4</b>
-<v>829</v>
+<v>1612</v>
 </b>
 <b>
 <a>4</a>
 <b>7</b>
-<v>972</v>
+<v>1889</v>
 </b>
 <b>
 <a>7</a>
 <b>84</b>
-<v>827</v>
+<v>1607</v>
 </b>
 <b>
 <a>86</a>
 <b>23834</b>
-<v>62</v>
+<v>121</v>
 </b>
 </bs>
 </hist>
@@ -44844,15 +45328,15 @@
 </relation>
 <relation>
 <name>cil_base_interface</name>
-<cardinality>64405</cardinality>
+<cardinality>125135</cardinality>
 <columnsizes>
 <e>
 <k>id</k>
-<v>35286</v>
+<v>68558</v>
 </e>
 <e>
 <k>base</k>
-<v>16046</v>
+<v>31176</v>
 </e>
 </columnsizes>
 <dependencies>
@@ -44866,27 +45350,27 @@
 <b>
 <a>1</a>
 <b>2</b>
-<v>24534</v>
+<v>47668</v>
 </b>
 <b>
 <a>2</a>
 <b>3</b>
-<v>4173</v>
+<v>8109</v>
 </b>
 <b>
 <a>3</a>
 <b>5</b>
-<v>3221</v>
+<v>6258</v>
 </b>
 <b>
 <a>5</a>
 <b>9</b>
-<v>2765</v>
+<v>5372</v>
 </b>
 <b>
 <a>9</a>
 <b>25</b>
-<v>591</v>
+<v>1149</v>
 </b>
 </bs>
 </hist>
@@ -44902,27 +45386,27 @@
 <b>
 <a>1</a>
 <b>2</b>
-<v>11561</v>
+<v>22463</v>
 </b>
 <b>
 <a>2</a>
 <b>3</b>
-<v>1764</v>
+<v>3428</v>
 </b>
 <b>
 <a>3</a>
 <b>5</b>
-<v>1296</v>
+<v>2518</v>
 </b>
 <b>
 <a>5</a>
 <b>30</b>
-<v>1205</v>
+<v>2342</v>
 </b>
 <b>
 <a>30</a>
 <b>2180</b>
-<v>218</v>
+<v>423</v>
 </b>
 </bs>
 </hist>
@@ -44932,15 +45416,15 @@
 </relation>
 <relation>
 <name>cil_enum_underlying_type</name>
-<cardinality>7237</cardinality>
+<cardinality>14061</cardinality>
 <columnsizes>
 <e>
 <k>id</k>
-<v>7237</v>
+<v>14061</v>
 </e>
 <e>
 <k>underlying</k>
-<v>20</v>
+<v>38</v>
 </e>
 </columnsizes>
 <dependencies>
@@ -44954,7 +45438,7 @@
 <b>
 <a>1</a>
 <b>2</b>
-<v>7237</v>
+<v>14061</v>
 </b>
 </bs>
 </hist>
@@ -44970,42 +45454,42 @@
 <b>
 <a>5</a>
 <b>6</b>
-<v>2</v>
+<v>4</v>
 </b>
 <b>
 <a>6</a>
 <b>7</b>
-<v>2</v>
+<v>4</v>
 </b>
 <b>
 <a>25</a>
 <b>26</b>
-<v>2</v>
+<v>4</v>
 </b>
 <b>
 <a>31</a>
 <b>32</b>
-<v>2</v>
+<v>4</v>
 </b>
 <b>
 <a>41</a>
 <b>42</b>
-<v>2</v>
+<v>4</v>
 </b>
 <b>
 <a>173</a>
 <b>174</b>
-<v>2</v>
+<v>4</v>
 </b>
 <b>
 <a>291</a>
 <b>292</b>
-<v>2</v>
+<v>4</v>
 </b>
 <b>
 <a>2315</a>
 <b>2316</b>
-<v>2</v>
+<v>4</v>
 </b>
 </bs>
 </hist>
@@ -45015,19 +45499,19 @@
 </relation>
 <relation>
 <name>cil_type_parameter</name>
-<cardinality>95089</cardinality>
+<cardinality>184751</cardinality>
 <columnsizes>
 <e>
 <k>unbound</k>
-<v>53453</v>
+<v>103855</v>
 </e>
 <e>
 <k>index</k>
-<v>52</v>
+<v>102</v>
 </e>
 <e>
 <k>param</k>
-<v>95089</v>
+<v>184751</v>
 </e>
 </columnsizes>
 <dependencies>
@@ -45041,22 +45525,22 @@
 <b>
 <a>1</a>
 <b>2</b>
-<v>38572</v>
+<v>74943</v>
 </b>
 <b>
 <a>2</a>
 <b>3</b>
-<v>9774</v>
+<v>18990</v>
 </b>
 <b>
 <a>3</a>
 <b>13</b>
-<v>4196</v>
+<v>8153</v>
 </b>
 <b>
 <a>13</a>
 <b>22</b>
-<v>909</v>
+<v>1768</v>
 </b>
 </bs>
 </hist>
@@ -45072,22 +45556,22 @@
 <b>
 <a>1</a>
 <b>2</b>
-<v>38572</v>
+<v>74943</v>
 </b>
 <b>
 <a>2</a>
 <b>3</b>
-<v>9774</v>
+<v>18990</v>
 </b>
 <b>
 <a>3</a>
 <b>13</b>
-<v>4196</v>
+<v>8153</v>
 </b>
 <b>
 <a>13</a>
 <b>22</b>
-<v>909</v>
+<v>1768</v>
 </b>
 </bs>
 </hist>
@@ -45103,107 +45587,107 @@
 <b>
 <a>8</a>
 <b>9</b>
-<v>2</v>
+<v>4</v>
 </b>
 <b>
 <a>14</a>
 <b>15</b>
-<v>2</v>
+<v>4</v>
 </b>
 <b>
 <a>21</a>
 <b>22</b>
-<v>2</v>
+<v>4</v>
 </b>
 <b>
 <a>27</a>
 <b>28</b>
-<v>2</v>
+<v>4</v>
 </b>
 <b>
 <a>65</a>
 <b>66</b>
-<v>2</v>
+<v>4</v>
 </b>
 <b>
 <a>132</a>
 <b>133</b>
-<v>2</v>
+<v>4</v>
 </b>
 <b>
 <a>207</a>
 <b>208</b>
-<v>2</v>
+<v>4</v>
 </b>
 <b>
 <a>285</a>
 <b>286</b>
-<v>2</v>
+<v>4</v>
 </b>
 <b>
 <a>363</a>
 <b>364</b>
-<v>2</v>
+<v>4</v>
 </b>
 <b>
 <a>441</a>
 <b>442</b>
-<v>2</v>
+<v>4</v>
 </b>
 <b>
 <a>519</a>
 <b>520</b>
-<v>2</v>
+<v>4</v>
 </b>
 <b>
 <a>598</a>
 <b>599</b>
-<v>2</v>
+<v>4</v>
 </b>
 <b>
 <a>680</a>
 <b>681</b>
-<v>2</v>
+<v>4</v>
 </b>
 <b>
 <a>791</a>
 <b>792</b>
-<v>2</v>
+<v>4</v>
 </b>
 <b>
 <a>891</a>
 <b>892</b>
-<v>2</v>
+<v>4</v>
 </b>
 <b>
 <a>1012</a>
 <b>1013</b>
-<v>2</v>
+<v>4</v>
 </b>
 <b>
 <a>1173</a>
 <b>1174</b>
-<v>2</v>
+<v>4</v>
 </b>
 <b>
 <a>1409</a>
 <b>1410</b>
-<v>2</v>
+<v>4</v>
 </b>
 <b>
 <a>2037</a>
 <b>2038</b>
-<v>2</v>
+<v>4</v>
 </b>
 <b>
 <a>5936</a>
 <b>5937</b>
-<v>2</v>
+<v>4</v>
 </b>
 <b>
 <a>21323</a>
 <b>21324</b>
-<v>2</v>
+<v>4</v>
 </b>
 </bs>
 </hist>
@@ -45219,107 +45703,107 @@
 <b>
 <a>8</a>
 <b>9</b>
-<v>2</v>
+<v>4</v>
 </b>
 <b>
 <a>14</a>
 <b>15</b>
-<v>2</v>
+<v>4</v>
 </b>
 <b>
 <a>21</a>
 <b>22</b>
-<v>2</v>
+<v>4</v>
 </b>
 <b>
 <a>27</a>
 <b>28</b>
-<v>2</v>
+<v>4</v>
 </b>
 <b>
 <a>65</a>
 <b>66</b>
-<v>2</v>
+<v>4</v>
 </b>
 <b>
 <a>132</a>
 <b>133</b>
-<v>2</v>
+<v>4</v>
 </b>
 <b>
 <a>207</a>
 <b>208</b>
-<v>2</v>
+<v>4</v>
 </b>
 <b>
 <a>285</a>
 <b>286</b>
-<v>2</v>
+<v>4</v>
 </b>
 <b>
 <a>363</a>
 <b>364</b>
-<v>2</v>
+<v>4</v>
 </b>
 <b>
 <a>441</a>
 <b>442</b>
-<v>2</v>
+<v>4</v>
 </b>
 <b>
 <a>519</a>
 <b>520</b>
-<v>2</v>
+<v>4</v>
 </b>
 <b>
 <a>598</a>
 <b>599</b>
-<v>2</v>
+<v>4</v>
 </b>
 <b>
 <a>680</a>
 <b>681</b>
-<v>2</v>
+<v>4</v>
 </b>
 <b>
 <a>791</a>
 <b>792</b>
-<v>2</v>
+<v>4</v>
 </b>
 <b>
 <a>891</a>
 <b>892</b>
-<v>2</v>
+<v>4</v>
 </b>
 <b>
 <a>1012</a>
 <b>1013</b>
-<v>2</v>
+<v>4</v>
 </b>
 <b>
 <a>1173</a>
 <b>1174</b>
-<v>2</v>
+<v>4</v>
 </b>
 <b>
 <a>1409</a>
 <b>1410</b>
-<v>2</v>
+<v>4</v>
 </b>
 <b>
 <a>2037</a>
 <b>2038</b>
-<v>2</v>
+<v>4</v>
 </b>
 <b>
 <a>5936</a>
 <b>5937</b>
-<v>2</v>
+<v>4</v>
 </b>
 <b>
 <a>21323</a>
 <b>21324</b>
-<v>2</v>
+<v>4</v>
 </b>
 </bs>
 </hist>
@@ -45335,7 +45819,7 @@
 <b>
 <a>1</a>
 <b>2</b>
-<v>95089</v>
+<v>184751</v>
 </b>
 </bs>
 </hist>
@@ -45351,7 +45835,7 @@
 <b>
 <a>1</a>
 <b>2</b>
-<v>95089</v>
+<v>184751</v>
 </b>
 </bs>
 </hist>
@@ -45361,19 +45845,19 @@
 </relation>
 <relation>
 <name>cil_type_argument</name>
-<cardinality>379309</cardinality>
+<cardinality>736969</cardinality>
 <columnsizes>
 <e>
 <k>bound</k>
-<v>247697</v>
+<v>481258</v>
 </e>
 <e>
 <k>index</k>
-<v>52</v>
+<v>102</v>
 </e>
 <e>
 <k>t</k>
-<v>129781</v>
+<v>252155</v>
 </e>
 </columnsizes>
 <dependencies>
@@ -45387,17 +45871,17 @@
 <b>
 <a>1</a>
 <b>2</b>
-<v>172996</v>
+<v>336119</v>
 </b>
 <b>
 <a>2</a>
 <b>3</b>
-<v>60392</v>
+<v>117337</v>
 </b>
 <b>
 <a>3</a>
 <b>22</b>
-<v>14309</v>
+<v>27801</v>
 </b>
 </bs>
 </hist>
@@ -45413,17 +45897,17 @@
 <b>
 <a>1</a>
 <b>2</b>
-<v>175521</v>
+<v>341024</v>
 </b>
 <b>
 <a>2</a>
 <b>3</b>
-<v>59304</v>
+<v>115223</v>
 </b>
 <b>
 <a>3</a>
 <b>22</b>
-<v>12872</v>
+<v>25010</v>
 </b>
 </bs>
 </hist>
@@ -45439,97 +45923,97 @@
 <b>
 <a>3</a>
 <b>4</b>
-<v>5</v>
+<v>9</v>
 </b>
 <b>
 <a>4</a>
 <b>5</b>
-<v>5</v>
+<v>9</v>
 </b>
 <b>
 <a>84</a>
 <b>85</b>
-<v>2</v>
+<v>4</v>
 </b>
 <b>
 <a>205</a>
 <b>206</b>
-<v>2</v>
+<v>4</v>
 </b>
 <b>
 <a>343</a>
 <b>344</b>
-<v>2</v>
+<v>4</v>
 </b>
 <b>
 <a>482</a>
 <b>483</b>
-<v>2</v>
+<v>4</v>
 </b>
 <b>
 <a>621</a>
 <b>622</b>
-<v>2</v>
+<v>4</v>
 </b>
 <b>
 <a>760</a>
 <b>761</b>
-<v>2</v>
+<v>4</v>
 </b>
 <b>
 <a>899</a>
 <b>900</b>
-<v>2</v>
+<v>4</v>
 </b>
 <b>
 <a>1044</a>
 <b>1045</b>
-<v>2</v>
+<v>4</v>
 </b>
 <b>
 <a>1189</a>
 <b>1190</b>
-<v>2</v>
+<v>4</v>
 </b>
 <b>
 <a>1601</a>
 <b>1602</b>
-<v>2</v>
+<v>4</v>
 </b>
 <b>
 <a>1810</a>
 <b>1811</b>
-<v>2</v>
+<v>4</v>
 </b>
 <b>
 <a>2091</a>
 <b>2092</b>
-<v>2</v>
+<v>4</v>
 </b>
 <b>
 <a>2513</a>
 <b>2514</b>
-<v>2</v>
+<v>4</v>
 </b>
 <b>
 <a>3338</a>
 <b>3339</b>
-<v>2</v>
+<v>4</v>
 </b>
 <b>
 <a>5708</a>
 <b>5709</b>
-<v>2</v>
+<v>4</v>
 </b>
 <b>
 <a>29799</a>
 <b>29800</b>
-<v>2</v>
+<v>4</v>
 </b>
 <b>
 <a>98809</a>
 <b>98810</b>
-<v>2</v>
+<v>4</v>
 </b>
 </bs>
 </hist>
@@ -45545,97 +46029,97 @@
 <b>
 <a>3</a>
 <b>4</b>
-<v>7</v>
+<v>14</v>
 </b>
 <b>
 <a>4</a>
 <b>5</b>
-<v>2</v>
+<v>4</v>
 </b>
 <b>
 <a>49</a>
 <b>50</b>
-<v>2</v>
+<v>4</v>
 </b>
 <b>
 <a>116</a>
 <b>117</b>
-<v>2</v>
+<v>4</v>
 </b>
 <b>
 <a>185</a>
 <b>186</b>
-<v>2</v>
+<v>4</v>
 </b>
 <b>
 <a>254</a>
 <b>255</b>
-<v>2</v>
+<v>4</v>
 </b>
 <b>
 <a>322</a>
 <b>323</b>
-<v>2</v>
+<v>4</v>
 </b>
 <b>
 <a>390</a>
 <b>391</b>
-<v>2</v>
+<v>4</v>
 </b>
 <b>
 <a>457</a>
 <b>458</b>
-<v>2</v>
+<v>4</v>
 </b>
 <b>
 <a>531</a>
 <b>532</b>
-<v>2</v>
+<v>4</v>
 </b>
 <b>
 <a>602</a>
 <b>603</b>
-<v>2</v>
+<v>4</v>
 </b>
 <b>
 <a>925</a>
 <b>926</b>
-<v>2</v>
+<v>4</v>
 </b>
 <b>
 <a>927</a>
 <b>928</b>
-<v>2</v>
+<v>4</v>
 </b>
 <b>
 <a>1083</a>
 <b>1084</b>
-<v>2</v>
+<v>4</v>
 </b>
 <b>
 <a>1307</a>
 <b>1308</b>
-<v>2</v>
+<v>4</v>
 </b>
 <b>
 <a>1645</a>
 <b>1646</b>
-<v>2</v>
+<v>4</v>
 </b>
 <b>
 <a>2968</a>
 <b>2969</b>
-<v>2</v>
+<v>4</v>
 </b>
 <b>
 <a>14488</a>
 <b>14489</b>
-<v>2</v>
+<v>4</v>
 </b>
 <b>
 <a>39680</a>
 <b>39681</b>
-<v>2</v>
+<v>4</v>
 </b>
 </bs>
 </hist>
@@ -45651,27 +46135,27 @@
 <b>
 <a>1</a>
 <b>2</b>
-<v>51623</v>
+<v>100300</v>
 </b>
 <b>
 <a>2</a>
 <b>3</b>
-<v>37437</v>
+<v>72737</v>
 </b>
 <b>
 <a>3</a>
 <b>4</b>
-<v>21864</v>
+<v>42481</v>
 </b>
 <b>
 <a>4</a>
 <b>6</b>
-<v>10345</v>
+<v>20100</v>
 </b>
 <b>
 <a>6</a>
 <b>4208</b>
-<v>8510</v>
+<v>16535</v>
 </b>
 </bs>
 </hist>
@@ -45687,17 +46171,17 @@
 <b>
 <a>1</a>
 <b>2</b>
-<v>98187</v>
+<v>190771</v>
 </b>
 <b>
 <a>2</a>
 <b>3</b>
-<v>28552</v>
+<v>55476</v>
 </b>
 <b>
 <a>3</a>
 <b>20</b>
-<v>3040</v>
+<v>5908</v>
 </b>
 </bs>
 </hist>
@@ -45798,19 +46282,19 @@
 </relation>
 <relation>
 <name>cil_attribute</name>
-<cardinality>168950</cardinality>
+<cardinality>328258</cardinality>
 <columnsizes>
 <e>
 <k>attributeid</k>
-<v>168950</v>
+<v>328258</v>
 </e>
 <e>
 <k>element</k>
-<v>127933</v>
+<v>248565</v>
 </e>
 <e>
 <k>constructor</k>
-<v>1737</v>
+<v>3375</v>
 </e>
 </columnsizes>
 <dependencies>
@@ -45824,7 +46308,7 @@
 <b>
 <a>1</a>
 <b>2</b>
-<v>168950</v>
+<v>328258</v>
 </b>
 </bs>
 </hist>
@@ -45840,7 +46324,7 @@
 <b>
 <a>1</a>
 <b>2</b>
-<v>168950</v>
+<v>328258</v>
 </b>
 </bs>
 </hist>
@@ -45856,17 +46340,17 @@
 <b>
 <a>1</a>
 <b>2</b>
-<v>101559</v>
+<v>197322</v>
 </b>
 <b>
 <a>2</a>
 <b>3</b>
-<v>18883</v>
+<v>36690</v>
 </b>
 <b>
 <a>3</a>
 <b>92</b>
-<v>7490</v>
+<v>14553</v>
 </b>
 </bs>
 </hist>
@@ -45882,17 +46366,17 @@
 <b>
 <a>1</a>
 <b>2</b>
-<v>109719</v>
+<v>213176</v>
 </b>
 <b>
 <a>2</a>
 <b>3</b>
-<v>15950</v>
+<v>30991</v>
 </b>
 <b>
 <a>3</a>
 <b>7</b>
-<v>2263</v>
+<v>4398</v>
 </b>
 </bs>
 </hist>
@@ -45908,57 +46392,57 @@
 <b>
 <a>1</a>
 <b>2</b>
-<v>285</v>
+<v>555</v>
 </b>
 <b>
 <a>2</a>
 <b>3</b>
-<v>205</v>
+<v>399</v>
 </b>
 <b>
 <a>3</a>
 <b>4</b>
-<v>147</v>
+<v>287</v>
 </b>
 <b>
 <a>4</a>
 <b>5</b>
-<v>162</v>
+<v>316</v>
 </b>
 <b>
 <a>5</a>
 <b>8</b>
-<v>157</v>
+<v>306</v>
 </b>
 <b>
 <a>8</a>
 <b>11</b>
-<v>135</v>
+<v>263</v>
 </b>
 <b>
 <a>11</a>
 <b>19</b>
-<v>137</v>
+<v>267</v>
 </b>
 <b>
 <a>19</a>
 <b>33</b>
-<v>132</v>
+<v>258</v>
 </b>
 <b>
 <a>33</a>
 <b>64</b>
-<v>130</v>
+<v>253</v>
 </b>
 <b>
 <a>64</a>
 <b>179</b>
-<v>130</v>
+<v>253</v>
 </b>
 <b>
 <a>187</a>
 <b>15289</b>
-<v>110</v>
+<v>214</v>
 </b>
 </bs>
 </hist>
@@ -45974,57 +46458,57 @@
 <b>
 <a>1</a>
 <b>2</b>
-<v>308</v>
+<v>599</v>
 </b>
 <b>
 <a>2</a>
 <b>3</b>
-<v>198</v>
+<v>384</v>
 </b>
 <b>
 <a>3</a>
 <b>4</b>
-<v>145</v>
+<v>282</v>
 </b>
 <b>
 <a>4</a>
 <b>5</b>
-<v>162</v>
+<v>316</v>
 </b>
 <b>
 <a>5</a>
 <b>7</b>
-<v>125</v>
+<v>243</v>
 </b>
 <b>
 <a>7</a>
 <b>10</b>
-<v>145</v>
+<v>282</v>
 </b>
 <b>
 <a>10</a>
 <b>17</b>
-<v>130</v>
+<v>253</v>
 </b>
 <b>
 <a>17</a>
 <b>31</b>
-<v>135</v>
+<v>263</v>
 </b>
 <b>
 <a>31</a>
 <b>50</b>
-<v>132</v>
+<v>258</v>
 </b>
 <b>
 <a>50</a>
 <b>151</b>
-<v>130</v>
+<v>253</v>
 </b>
 <b>
 <a>152</a>
 <b>15028</b>
-<v>122</v>
+<v>238</v>
 </b>
 </bs>
 </hist>
@@ -46034,19 +46518,19 @@
 </relation>
 <relation>
 <name>cil_attribute_named_argument</name>
-<cardinality>7973</cardinality>
+<cardinality>10939</cardinality>
 <columnsizes>
 <e>
 <k>attribute_id</k>
-<v>4938</v>
+<v>7978</v>
 </e>
 <e>
 <k>param</k>
-<v>25</v>
+<v>155</v>
 </e>
 <e>
 <k>value</k>
-<v>128</v>
+<v>1095</v>
 </e>
 </columnsizes>
 <dependencies>
@@ -46060,17 +46544,17 @@
 <b>
 <a>1</a>
 <b>2</b>
-<v>1911</v>
+<v>5089</v>
 </b>
 <b>
 <a>2</a>
 <b>3</b>
-<v>3020</v>
+<v>2815</v>
 </b>
 <b>
 <a>3</a>
 <b>4</b>
-<v>7</v>
+<v>73</v>
 </b>
 </bs>
 </hist>
@@ -46086,17 +46570,17 @@
 <b>
 <a>1</a>
 <b>2</b>
-<v>3839</v>
+<v>6560</v>
 </b>
 <b>
 <a>2</a>
 <b>3</b>
-<v>1095</v>
+<v>1402</v>
 </b>
 <b>
 <a>3</a>
 <b>4</b>
-<v>4</v>
+<v>14</v>
 </b>
 </bs>
 </hist>
@@ -46112,62 +46596,67 @@
 <b>
 <a>1</a>
 <b>2</b>
-<v>3</v>
+<v>34</v>
 </b>
 <b>
 <a>2</a>
-<b>3</b>
-<v>2</v>
+<b>4</b>
+<v>9</v>
+</b>
+<b>
+<a>4</a>
+<b>5</b>
+<v>9</v>
 </b>
 <b>
 <a>5</a>
-<b>7</b>
-<v>2</v>
+<b>6</b>
+<v>14</v>
 </b>
 <b>
 <a>7</a>
-<b>9</b>
-<v>2</v>
+<b>8</b>
+<v>4</v>
 </b>
 <b>
-<a>11</a>
-<b>14</b>
-<v>2</v>
+<a>8</a>
+<b>9</b>
+<v>14</v>
+</b>
+<b>
+<a>9</a>
+<b>11</b>
+<v>9</v>
 </b>
 <b>
 <a>14</a>
-<b>19</b>
-<v>2</v>
+<b>30</b>
+<v>9</v>
 </b>
 <b>
-<a>19</a>
-<b>20</b>
-<v>1</v>
+<a>32</a>
+<b>43</b>
+<v>9</v>
 </b>
 <b>
-<a>22</a>
-<b>23</b>
-<v>2</v>
+<a>46</a>
+<b>47</b>
+<v>9</v>
 </b>
 <b>
-<a>26</a>
-<b>39</b>
-<v>2</v>
+<a>47</a>
+<b>48</b>
+<v>9</v>
 </b>
 <b>
-<a>55</a>
-<b>61</b>
-<v>2</v>
+<a>96</a>
+<b>308</b>
+<v>9</v>
 </b>
 <b>
-<a>347</a>
-<b>348</b>
-<v>2</v>
-</b>
-<b>
-<a>2859</a>
-<b>3660</b>
-<v>2</v>
+<a>725</a>
+<b>731</b>
+<v>9</v>
 </b>
 </bs>
 </hist>
@@ -46183,42 +46672,37 @@
 <b>
 <a>1</a>
 <b>2</b>
-<v>8</v>
+<v>77</v>
 </b>
 <b>
 <a>2</a>
 <b>3</b>
-<v>5</v>
+<v>19</v>
 </b>
 <b>
 <a>3</a>
 <b>4</b>
-<v>2</v>
+<v>19</v>
 </b>
 <b>
 <a>4</a>
-<b>6</b>
-<v>2</v>
-</b>
-<b>
-<a>6</a>
-<b>7</b>
-<v>1</v>
-</b>
-<b>
-<a>7</a>
 <b>8</b>
-<v>2</v>
+<v>9</v>
 </b>
 <b>
-<a>9</a>
-<b>11</b>
-<v>2</v>
+<a>10</a>
+<b>14</b>
+<v>9</v>
 </b>
 <b>
 <a>26</a>
-<b>39</b>
-<v>2</v>
+<b>45</b>
+<v>9</v>
+</b>
+<b>
+<a>47</a>
+<b>56</b>
+<v>9</v>
 </b>
 </bs>
 </hist>
@@ -46234,32 +46718,22 @@
 <b>
 <a>1</a>
 <b>2</b>
-<v>71</v>
+<v>720</v>
 </b>
 <b>
 <a>2</a>
 <b>3</b>
-<v>25</v>
+<v>238</v>
 </b>
 <b>
 <a>3</a>
-<b>4</b>
-<v>6</v>
+<b>5</b>
+<v>82</v>
 </b>
 <b>
-<a>4</a>
-<b>7</b>
-<v>11</v>
-</b>
-<b>
-<a>8</a>
-<b>301</b>
-<v>10</v>
-</b>
-<b>
-<a>347</a>
-<b>3871</b>
-<v>3</v>
+<a>5</a>
+<b>866</b>
+<v>53</v>
 </b>
 </bs>
 </hist>
@@ -46275,12 +46749,12 @@
 <b>
 <a>1</a>
 <b>2</b>
-<v>120</v>
+<v>1066</v>
 </b>
 <b>
 <a>2</a>
-<b>7</b>
-<v>8</v>
+<b>10</b>
+<v>29</v>
 </b>
 </bs>
 </hist>
@@ -46290,19 +46764,19 @@
 </relation>
 <relation>
 <name>cil_attribute_positional_argument</name>
-<cardinality>58735</cardinality>
+<cardinality>103139</cardinality>
 <columnsizes>
 <e>
 <k>attribute_id</k>
-<v>57269</v>
+<v>97017</v>
 </e>
 <e>
 <k>index</k>
-<v>5</v>
+<v>29</v>
 </e>
 <e>
 <k>value</k>
-<v>4430</v>
+<v>17261</v>
 </e>
 </columnsizes>
 <dependencies>
@@ -46316,12 +46790,12 @@
 <b>
 <a>1</a>
 <b>2</b>
-<v>55901</v>
+<v>92336</v>
 </b>
 <b>
 <a>2</a>
-<b>6</b>
-<v>1368</v>
+<b>7</b>
+<v>4680</v>
 </b>
 </bs>
 </hist>
@@ -46337,12 +46811,12 @@
 <b>
 <a>1</a>
 <b>2</b>
-<v>55905</v>
+<v>92346</v>
 </b>
 <b>
 <a>2</a>
-<b>5</b>
-<v>1364</v>
+<b>7</b>
+<v>4670</v>
 </b>
 </bs>
 </hist>
@@ -46356,29 +46830,34 @@
 <budget>12</budget>
 <bs>
 <b>
-<a>20</a>
-<b>21</b>
-<v>1</v>
+<a>14</a>
+<b>15</b>
+<v>4</v>
 </b>
 <b>
-<a>21</a>
-<b>22</b>
-<v>1</v>
+<a>24</a>
+<b>25</b>
+<v>4</v>
 </b>
 <b>
-<a>57</a>
-<b>58</b>
-<v>1</v>
+<a>117</a>
+<b>118</b>
+<v>4</v>
 </b>
 <b>
-<a>1368</a>
-<b>1369</b>
-<v>1</v>
+<a>141</a>
+<b>142</b>
+<v>4</v>
 </b>
 <b>
-<a>57269</a>
-<b>57270</b>
-<v>1</v>
+<a>961</a>
+<b>962</b>
+<v>4</v>
+</b>
+<b>
+<a>19919</a>
+<b>19920</b>
+<v>4</v>
 </b>
 </bs>
 </hist>
@@ -46392,24 +46871,29 @@
 <budget>12</budget>
 <bs>
 <b>
-<a>3</a>
-<b>4</b>
-<v>2</v>
+<a>4</a>
+<b>5</b>
+<v>4</v>
 </b>
 <b>
 <a>5</a>
 <b>6</b>
-<v>1</v>
+<v>9</v>
 </b>
 <b>
-<a>110</a>
-<b>111</b>
-<v>1</v>
+<a>25</a>
+<b>26</b>
+<v>4</v>
 </b>
 <b>
-<a>4331</a>
-<b>4332</b>
-<v>1</v>
+<a>433</a>
+<b>434</b>
+<v>4</v>
+</b>
+<b>
+<a>3150</a>
+<b>3151</b>
+<v>4</v>
 </b>
 </bs>
 </hist>
@@ -46425,27 +46909,22 @@
 <b>
 <a>1</a>
 <b>2</b>
-<v>2894</v>
+<v>12298</v>
 </b>
 <b>
 <a>2</a>
 <b>3</b>
-<v>723</v>
+<v>2527</v>
 </b>
 <b>
 <a>3</a>
-<b>4</b>
-<v>215</v>
+<b>6</b>
+<v>1446</v>
 </b>
 <b>
-<a>4</a>
-<b>9</b>
-<v>382</v>
-</b>
-<b>
-<a>9</a>
-<b>17524</b>
-<v>216</v>
+<a>6</a>
+<b>5556</b>
+<v>988</v>
 </b>
 </bs>
 </hist>
@@ -46461,12 +46940,12 @@
 <b>
 <a>1</a>
 <b>2</b>
-<v>4414</v>
+<v>16935</v>
 </b>
 <b>
 <a>2</a>
 <b>6</b>
-<v>16</v>
+<v>326</v>
 </b>
 </bs>
 </hist>
@@ -46476,19 +46955,19 @@
 </relation>
 <relation>
 <name>metadata_handle</name>
-<cardinality>3178070</cardinality>
+<cardinality>6174756</cardinality>
 <columnsizes>
 <e>
 <k>entity</k>
-<v>2925983</v>
+<v>5684969</v>
 </e>
 <e>
 <k>location</k>
-<v>1757</v>
+<v>3414</v>
 </e>
 <e>
 <k>handle</k>
-<v>141034</v>
+<v>274019</v>
 </e>
 </columnsizes>
 <dependencies>
@@ -46502,17 +46981,17 @@
 <b>
 <a>1</a>
 <b>2</b>
-<v>2683251</v>
+<v>5213358</v>
 </b>
 <b>
 <a>2</a>
 <b>3</b>
-<v>238091</v>
+<v>462594</v>
 </b>
 <b>
 <a>3</a>
 <b>638</b>
-<v>4640</v>
+<v>9015</v>
 </b>
 </bs>
 </hist>
@@ -46528,12 +47007,12 @@
 <b>
 <a>1</a>
 <b>2</b>
-<v>2802586</v>
+<v>5445218</v>
 </b>
 <b>
 <a>2</a>
 <b>59</b>
-<v>123396</v>
+<v>239750</v>
 </b>
 </bs>
 </hist>
@@ -46549,72 +47028,72 @@
 <b>
 <a>1</a>
 <b>3</b>
-<v>147</v>
+<v>287</v>
 </b>
 <b>
 <a>3</a>
 <b>36</b>
-<v>132</v>
+<v>258</v>
 </b>
 <b>
 <a>36</a>
 <b>79</b>
-<v>137</v>
+<v>267</v>
 </b>
 <b>
 <a>79</a>
 <b>130</b>
-<v>132</v>
+<v>258</v>
 </b>
 <b>
 <a>130</a>
 <b>200</b>
-<v>132</v>
+<v>258</v>
 </b>
 <b>
 <a>200</a>
 <b>288</b>
-<v>132</v>
+<v>258</v>
 </b>
 <b>
 <a>288</a>
 <b>400</b>
-<v>132</v>
+<v>258</v>
 </b>
 <b>
 <a>403</a>
 <b>527</b>
-<v>132</v>
+<v>258</v>
 </b>
 <b>
 <a>528</a>
 <b>744</b>
-<v>132</v>
+<v>258</v>
 </b>
 <b>
 <a>747</a>
 <b>1109</b>
-<v>135</v>
+<v>263</v>
 </b>
 <b>
 <a>1116</a>
 <b>1915</b>
-<v>132</v>
+<v>258</v>
 </b>
 <b>
 <a>1920</a>
 <b>4051</b>
-<v>132</v>
+<v>258</v>
 </b>
 <b>
 <a>4053</a>
 <b>50922</b>
-<v>132</v>
+<v>258</v>
 </b>
 <b>
 <a>67370</a>
 <b>92454</b>
-<v>7</v>
+<v>14</v>
 </b>
 </bs>
 </hist>
@@ -46630,67 +47109,67 @@
 <b>
 <a>1</a>
 <b>2</b>
-<v>147</v>
+<v>287</v>
 </b>
 <b>
 <a>3</a>
 <b>20</b>
-<v>145</v>
+<v>282</v>
 </b>
 <b>
 <a>20</a>
 <b>46</b>
-<v>137</v>
+<v>267</v>
 </b>
 <b>
 <a>46</a>
 <b>76</b>
-<v>135</v>
+<v>263</v>
 </b>
 <b>
 <a>77</a>
 <b>119</b>
-<v>132</v>
+<v>258</v>
 </b>
 <b>
 <a>119</a>
 <b>176</b>
-<v>132</v>
+<v>258</v>
 </b>
 <b>
 <a>176</a>
 <b>253</b>
-<v>132</v>
+<v>258</v>
 </b>
 <b>
 <a>255</a>
 <b>332</b>
-<v>135</v>
+<v>263</v>
 </b>
 <b>
 <a>338</a>
 <b>481</b>
-<v>132</v>
+<v>258</v>
 </b>
 <b>
 <a>483</a>
 <b>683</b>
-<v>132</v>
+<v>258</v>
 </b>
 <b>
 <a>685</a>
 <b>1273</b>
-<v>132</v>
+<v>258</v>
 </b>
 <b>
 <a>1295</a>
 <b>2685</b>
-<v>132</v>
+<v>258</v>
 </b>
 <b>
 <a>2710</a>
 <b>55264</b>
-<v>125</v>
+<v>243</v>
 </b>
 </bs>
 </hist>
@@ -46706,62 +47185,62 @@
 <b>
 <a>1</a>
 <b>2</b>
-<v>9741</v>
+<v>18927</v>
 </b>
 <b>
 <a>2</a>
 <b>3</b>
-<v>23163</v>
+<v>45004</v>
 </b>
 <b>
 <a>3</a>
 <b>5</b>
-<v>12303</v>
+<v>23904</v>
 </b>
 <b>
 <a>5</a>
 <b>6</b>
-<v>9009</v>
+<v>17504</v>
 </b>
 <b>
 <a>6</a>
 <b>7</b>
-<v>15504</v>
+<v>30124</v>
 </b>
 <b>
 <a>7</a>
 <b>9</b>
-<v>9761</v>
+<v>18966</v>
 </b>
 <b>
 <a>9</a>
 <b>11</b>
-<v>11363</v>
+<v>22078</v>
 </b>
 <b>
 <a>11</a>
 <b>13</b>
-<v>10822</v>
+<v>21026</v>
 </b>
 <b>
 <a>13</a>
 <b>21</b>
-<v>11042</v>
+<v>21454</v>
 </b>
 <b>
 <a>21</a>
 <b>39</b>
-<v>10869</v>
+<v>21118</v>
 </b>
 <b>
 <a>39</a>
 <b>83</b>
-<v>10583</v>
+<v>20563</v>
 </b>
 <b>
 <a>83</a>
 <b>1061</b>
-<v>6868</v>
+<v>13345</v>
 </b>
 </bs>
 </hist>
@@ -46777,52 +47256,52 @@
 <b>
 <a>1</a>
 <b>2</b>
-<v>32363</v>
+<v>62879</v>
 </b>
 <b>
 <a>2</a>
 <b>3</b>
-<v>10852</v>
+<v>21084</v>
 </b>
 <b>
 <a>3</a>
 <b>4</b>
-<v>24173</v>
+<v>46967</v>
 </b>
 <b>
 <a>4</a>
 <b>5</b>
-<v>9741</v>
+<v>18927</v>
 </b>
 <b>
 <a>5</a>
 <b>6</b>
-<v>9979</v>
+<v>19389</v>
 </b>
 <b>
 <a>6</a>
 <b>7</b>
-<v>11350</v>
+<v>22054</v>
 </b>
 <b>
 <a>7</a>
 <b>11</b>
-<v>11982</v>
+<v>23281</v>
 </b>
 <b>
 <a>11</a>
 <b>19</b>
-<v>11315</v>
+<v>21985</v>
 </b>
 <b>
 <a>19</a>
 <b>41</b>
-<v>10729</v>
+<v>20846</v>
 </b>
 <b>
 <a>41</a>
 <b>702</b>
-<v>8545</v>
+<v>16603</v>
 </b>
 </bs>
 </hist>

From ef55ca179be065e052a6c8f7fd1c9f70044d5587 Mon Sep 17 00:00:00 2001
From: Tamas Vajk <tamasvajk@github.com>
Date: Sat, 6 Feb 2021 21:13:55 +0100
Subject: [PATCH 227/429] Improve file read exception logging

---
 csharp/extractor/Semmle.Extraction/Entities/File.cs | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)

diff --git a/csharp/extractor/Semmle.Extraction/Entities/File.cs b/csharp/extractor/Semmle.Extraction/Entities/File.cs
index 4c339e49f7b..9ad618512a4 100644
--- a/csharp/extractor/Semmle.Extraction/Entities/File.cs
+++ b/csharp/extractor/Semmle.Extraction/Entities/File.cs
@@ -62,7 +62,7 @@ namespace Semmle.Extraction.Entities
                 }
                 catch (Exception exc)
                 {
-                    Context.ExtractionError($"Couldn't read file: {originalPath}", null, null, exc.StackTrace);
+                    Context.ExtractionError($"Couldn't read file: {originalPath}. {exc.Message}", null, null, exc.StackTrace);
                 }
             }
 

From 2e30f2d9ceffcab4de4306ffa582402c11c30279 Mon Sep 17 00:00:00 2001
From: intrigus <abc123zeus@live.de>
Date: Mon, 8 Feb 2021 00:05:02 +0100
Subject: [PATCH 228/429] Java: Fix QHelp & accept test output

Accept test output for changed alert message.
---
 .../CWE/CWE-295/JxBrowserWithoutCertValidation.qhelp      | 8 +++++---
 .../JxBrowserWithoutCertValidation.expected               | 2 +-
 2 files changed, 6 insertions(+), 4 deletions(-)

diff --git a/java/ql/src/experimental/Security/CWE/CWE-295/JxBrowserWithoutCertValidation.qhelp b/java/ql/src/experimental/Security/CWE/CWE-295/JxBrowserWithoutCertValidation.qhelp
index 27d10c15223..38b37901c0c 100644
--- a/java/ql/src/experimental/Security/CWE/CWE-295/JxBrowserWithoutCertValidation.qhelp
+++ b/java/ql/src/experimental/Security/CWE/CWE-295/JxBrowserWithoutCertValidation.qhelp
@@ -11,9 +11,11 @@ Versions smaller than 6.24 by default ignore any HTTPS certificate errors thereb
 
 <recommendation>
 <p>Do either of these:
-<li>Update to version 6.24 or 7.x.x as these correctly reject certificate errors by default.</li>
-<li>Add a custom implementation of the <code>LoadHandler</code> interface whose <code>onCertificateError</code> method always returns <b>true</b> indicating that loading should be cancelled.
-Then use the <code>setLoadHandler</code> method with your custom <code>LoadHandler</code> on every <code>Browser</code> you use.</li>
+<ul>
+  <li>Update to version 6.24 or 7.x.x as these correctly reject certificate errors by default.</li>
+  <li>Add a custom implementation of the <code>LoadHandler</code> interface whose <code>onCertificateError</code> method always returns <b>true</b> indicating that loading should be cancelled.
+  Then use the <code>setLoadHandler</code> method with your custom <code>LoadHandler</code> on every <code>Browser</code> you use.</li>
+</ul>
 </p>
 </recommendation>
 
diff --git a/java/ql/test/experimental/query-tests/security/CWE-295/jxbrowser-6.23.1/JxBrowserWithoutCertValidation.expected b/java/ql/test/experimental/query-tests/security/CWE-295/jxbrowser-6.23.1/JxBrowserWithoutCertValidation.expected
index 9b611b6cfc9..605aca10a26 100644
--- a/java/ql/test/experimental/query-tests/security/CWE-295/jxbrowser-6.23.1/JxBrowserWithoutCertValidation.expected
+++ b/java/ql/test/experimental/query-tests/security/CWE-295/jxbrowser-6.23.1/JxBrowserWithoutCertValidation.expected
@@ -1 +1 @@
-| JxBrowserWithoutCertValidationV6_23_1.java:17:27:17:39 | new Browser(...) | This JxBrowser instance allows man-in-the-middle attacks. |
+| JxBrowserWithoutCertValidationV6_23_1.java:17:27:17:39 | new Browser(...) | This JxBrowser instance may not check HTTPS certificates. |

From 8ca75e41d2a500ce8835c80af932a9faa46d9c18 Mon Sep 17 00:00:00 2001
From: Erik Krogh Kristensen <erik-krogh@github.com>
Date: Mon, 8 Feb 2021 09:59:45 +0100
Subject: [PATCH 229/429] add change note

---
 javascript/change-notes/2021-02-08-immutable.md | 4 ++++
 1 file changed, 4 insertions(+)
 create mode 100644 javascript/change-notes/2021-02-08-immutable.md

diff --git a/javascript/change-notes/2021-02-08-immutable.md b/javascript/change-notes/2021-02-08-immutable.md
new file mode 100644
index 00000000000..8f4a11113e2
--- /dev/null
+++ b/javascript/change-notes/2021-02-08-immutable.md
@@ -0,0 +1,4 @@
+lgtm,codescanning
+* The dataflow libraries now model dataflow in the Immutable.js library.
+  Affected packages are
+    [Immutable.js](https://npmjs.com/package/immutable)

From 504db8739d9b895e6fdb07760ca71d40db5ab68a Mon Sep 17 00:00:00 2001
From: Erik Krogh Kristensen <erik-krogh@github.com>
Date: Mon, 8 Feb 2021 10:00:26 +0100
Subject: [PATCH 230/429] fix typo in execa change-note file name

---
 .../change-notes/{202020-12-22-execa.md => 2020-12-22-execa.md}   | 0
 1 file changed, 0 insertions(+), 0 deletions(-)
 rename javascript/change-notes/{202020-12-22-execa.md => 2020-12-22-execa.md} (100%)

diff --git a/javascript/change-notes/202020-12-22-execa.md b/javascript/change-notes/2020-12-22-execa.md
similarity index 100%
rename from javascript/change-notes/202020-12-22-execa.md
rename to javascript/change-notes/2020-12-22-execa.md

From bd50ed975f350749a1bb2fd65fdaf5a79f3b2274 Mon Sep 17 00:00:00 2001
From: Tamas Vajk <tamasvajk@github.com>
Date: Mon, 8 Feb 2021 11:18:37 +0100
Subject: [PATCH 231/429] Fix doc comment

---
 csharp/ql/src/semmle/code/csharp/Stmt.qll | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)

diff --git a/csharp/ql/src/semmle/code/csharp/Stmt.qll b/csharp/ql/src/semmle/code/csharp/Stmt.qll
index 2846c3255ea..15199896390 100644
--- a/csharp/ql/src/semmle/code/csharp/Stmt.qll
+++ b/csharp/ql/src/semmle/code/csharp/Stmt.qll
@@ -588,7 +588,7 @@ class ForeachStmt extends LoopStmt, @foreach_stmt {
   /** Gets the called `MoveNext` or `MoveNextAsync` method. */
   Method getMoveNext() { foreach_stmt_desugar(this, result, 3) }
 
-  /** Gets the called `Dispose` or `DisposeAsync` method. */
+  /** Gets the called `Dispose` or `DisposeAsync` method, if any. */
   Method getDispose() { foreach_stmt_desugar(this, result, 4) }
 
   /** Gets the called `Current` property. */

From 738d1bc3d46ac4e72e2ffc51dad9504b93094cca Mon Sep 17 00:00:00 2001
From: Taus <tausbn@gmail.com>
Date: Mon, 8 Feb 2021 14:08:16 +0100
Subject: [PATCH 232/429] Python: More use of `API::Node`

Co-authored-by: yoff <lerchedahl@gmail.com>
---
 python/ql/src/semmle/python/frameworks/Flask.qll | 4 ++--
 1 file changed, 2 insertions(+), 2 deletions(-)

diff --git a/python/ql/src/semmle/python/frameworks/Flask.qll b/python/ql/src/semmle/python/frameworks/Flask.qll
index 3baa394ebcd..bfd1dac63ec 100644
--- a/python/ql/src/semmle/python/frameworks/Flask.qll
+++ b/python/ql/src/semmle/python/frameworks/Flask.qll
@@ -33,7 +33,7 @@ private module FlaskModel {
     API::Node request() { result = flask_attr("request") }
 
     /** Gets a reference to the `flask.make_response` function. */
-    DataFlow::Node make_response() { result = flask_attr("make_response").getAUse() }
+    API::Node make_response() { result = flask_attr("make_response") }
 
     /**
      * Provides models for the `flask.Flask` class
@@ -407,7 +407,7 @@ private module FlaskModel {
     override CallNode node;
 
     FlaskMakeResponseCall() {
-      node.getFunction() = flask::make_response().asCfgNode()
+      node.getFunction() = flask::make_response().getAUse().asCfgNode()
       or
       node.getFunction() = flask::Flask::make_response_().getAUse().asCfgNode()
     }

From 2c4a477a4e2ba8eda5185feb2268154a7f5932a5 Mon Sep 17 00:00:00 2001
From: Taus Brock-Nannestad <tausbn@github.com>
Date: Mon, 8 Feb 2021 14:08:34 +0100
Subject: [PATCH 233/429] Python: Support `moduleImport("dotted.name")` in API
 graphs

---
 python/ql/src/semmle/python/ApiGraphs.qll | 12 +++++++-----
 1 file changed, 7 insertions(+), 5 deletions(-)

diff --git a/python/ql/src/semmle/python/ApiGraphs.qll b/python/ql/src/semmle/python/ApiGraphs.qll
index 3169592c8b2..7ad2a795c73 100644
--- a/python/ql/src/semmle/python/ApiGraphs.qll
+++ b/python/ql/src/semmle/python/ApiGraphs.qll
@@ -209,12 +209,14 @@ module API {
 
   /**
    * Gets a node corresponding to an import of module `m`.
-   *
-   * Note: You should only use this predicate for top level modules. If you want nodes corresponding to a submodule,
-   * you should use `.getMember` on the parent module. For example, for nodes corresponding to the module `foo.bar`,
-   * use `moduleImport("foo").getMember("bar")`.
    */
-  Node moduleImport(string m) { result = Impl::MkModuleImport(m) }
+  Node moduleImport(string m) {
+    result = Impl::MkModuleImport(m)
+    or
+    exists(string before_dot, string after_dot | before_dot + "." + after_dot = m |
+      result = moduleImport(before_dot).getMember(after_dot)
+    )
+  }
 
   /**
    * Provides the actual implementation of API graphs, cached for performance.

From 46eb3fd10ac911f2a0c4244fefd9641cf75d6ff2 Mon Sep 17 00:00:00 2001
From: Taus Brock-Nannestad <tausbn@github.com>
Date: Mon, 8 Feb 2021 14:22:42 +0100
Subject: [PATCH 234/429] Python: Even more `API::Node` pushing.

---
 python/ql/src/semmle/python/frameworks/Flask.qll | 10 +++++-----
 1 file changed, 5 insertions(+), 5 deletions(-)

diff --git a/python/ql/src/semmle/python/frameworks/Flask.qll b/python/ql/src/semmle/python/frameworks/Flask.qll
index 51ef9b51d2f..1ac48689fd8 100644
--- a/python/ql/src/semmle/python/frameworks/Flask.qll
+++ b/python/ql/src/semmle/python/frameworks/Flask.qll
@@ -306,9 +306,9 @@ private module FlaskModel {
 
   private module FlaskRequestTracking {
     /** Gets a reference to either of the `get_json` or `get_data` attributes of a Flask request. */
-    DataFlow::Node tainted_methods(string attr_name) {
+    API::Node tainted_methods(string attr_name) {
       attr_name in ["get_data", "get_json"] and
-      result = flask::request().getMember(attr_name).getAUse()
+      result = flask::request().getMember(attr_name)
     }
   }
 
@@ -364,7 +364,7 @@ private module FlaskModel {
       )
       or
       // methods (needs special handling to track bound-methods -- see `FlaskRequestMethodCallsAdditionalTaintStep` below)
-      this = FlaskRequestTracking::tainted_methods(attr_name)
+      this = FlaskRequestTracking::tainted_methods(attr_name).getAUse()
     }
 
     override string getSourceType() { result = "flask.request input" }
@@ -374,7 +374,7 @@ private module FlaskModel {
     override predicate step(DataFlow::Node nodeFrom, DataFlow::Node nodeTo) {
       // NOTE: `request -> request.tainted_method` part is handled as part of RequestInputAccess
       // tainted_method -> tainted_method()
-      nodeFrom = FlaskRequestTracking::tainted_methods(_) and
+      nodeFrom = FlaskRequestTracking::tainted_methods(_).getAUse() and
       nodeTo.asCfgNode().(CallNode).getFunction() = nodeFrom.asCfgNode()
     }
   }
@@ -443,7 +443,7 @@ private module FlaskModel {
     DataFlow::CfgNode {
     override CallNode node;
 
-    FlaskRedirectCall() { node.getFunction() = flask_attr("redirect").asCfgNode() }
+    FlaskRedirectCall() { node.getFunction() = flask_attr("redirect").getAUse().asCfgNode() }
 
     override DataFlow::Node getRedirectLocation() {
       result.asCfgNode() in [node.getArg(0), node.getArgByName("location")]

From b278233a94bb4867633c47c5567eab155f056369 Mon Sep 17 00:00:00 2001
From: Asger Feldthaus <asgerf@github.com>
Date: Mon, 8 Feb 2021 15:44:29 +0000
Subject: [PATCH 235/429] JS: Mention all versions of Angular are supported

---
 docs/codeql/support/reusables/frameworks.rst | 3 ++-
 1 file changed, 2 insertions(+), 1 deletion(-)

diff --git a/docs/codeql/support/reusables/frameworks.rst b/docs/codeql/support/reusables/frameworks.rst
index 4427407fe9d..40b4f2bdec7 100644
--- a/docs/codeql/support/reusables/frameworks.rst
+++ b/docs/codeql/support/reusables/frameworks.rst
@@ -93,7 +93,8 @@ JavaScript and TypeScript built-in support
    :widths: auto
 
    Name, Category
-   angularjs, HTML framework
+   angular (modern version), HTML framework
+   angular.js (legacy version), HTML framework
    axios, Network communicator
    browser, Runtime environment
    electron, Runtime environment

From 72a699e0996d61cd92aec91fe659e42134c6401e Mon Sep 17 00:00:00 2001
From: Taus Brock-Nannestad <tausbn@github.com>
Date: Mon, 8 Feb 2021 16:55:18 +0100
Subject: [PATCH 236/429] Python: Add `CallCfgNode` class and rewrite using
 that class

I prefer this name to `CfgCallNode` as the latter will make
autocomplete more difficult.
---
 .../dataflow/new/internal/DataFlowPublic.qll  | 23 ++++++--
 .../ql/src/semmle/python/frameworks/Flask.qll | 53 +++++++------------
 2 files changed, 40 insertions(+), 36 deletions(-)

diff --git a/python/ql/src/semmle/python/dataflow/new/internal/DataFlowPublic.qll b/python/ql/src/semmle/python/dataflow/new/internal/DataFlowPublic.qll
index 93540203f94..b86bdd2a3cf 100644
--- a/python/ql/src/semmle/python/dataflow/new/internal/DataFlowPublic.qll
+++ b/python/ql/src/semmle/python/dataflow/new/internal/DataFlowPublic.qll
@@ -165,6 +165,23 @@ class CfgNode extends Node, TCfgNode {
   override Location getLocation() { result = node.getLocation() }
 }
 
+/** A data-flow node corresponding to a `CallNode` in the control-flow graph. */
+class CallCfgNode extends CfgNode {
+  override CallNode node;
+
+  /**
+   * Gets the data-flow node for the function component of the call corresponding to this data-flow
+   * node.
+   */
+  Node getFunction() { result.asCfgNode() = node.getFunction() }
+
+  /** Gets the data-flow node corresponding to the nth argument of the call corresponding to this data-flow node */
+  Node getArg(int i) { result.asCfgNode() = node.getArg(i) }
+
+  /** Gets the data-flow node corresponding to the named argument of the call corresponding to this data-flow node */
+  Node getArgByName(string name) { result.asCfgNode() = node.getArgByName(name) }
+}
+
 /**
  * An expression, viewed as a node in a data flow graph.
  *
@@ -481,7 +498,7 @@ class LocalSourceNode extends Node {
   /**
    * Gets a call to this node.
    */
-  Node getACall() { Cached::call(this, result) }
+  CallCfgNode getACall() { Cached::call(this, result) }
 }
 
 cached
@@ -526,10 +543,10 @@ private module Cached {
    * Holds if `func` flows to the callee of `call`.
    */
   cached
-  predicate call(LocalSourceNode func, Node call) {
+  predicate call(LocalSourceNode func, CallCfgNode call) {
     exists(CfgNode n |
       func.flowsTo(n) and
-      n.asCfgNode() = call.asCfgNode().(CallNode).getFunction()
+      n = call.getFunction()
     )
   }
 }
diff --git a/python/ql/src/semmle/python/frameworks/Flask.qll b/python/ql/src/semmle/python/frameworks/Flask.qll
index 1ac48689fd8..8b649a0d0ad 100644
--- a/python/ql/src/semmle/python/frameworks/Flask.qll
+++ b/python/ql/src/semmle/python/frameworks/Flask.qll
@@ -125,23 +125,21 @@ private module FlaskModel {
     abstract class InstanceSource extends HTTP::Server::HttpResponse::Range, DataFlow::Node { }
 
     /** A direct instantiation of `flask.Response`. */
-    private class ClassInstantiation extends InstanceSource, DataFlow::CfgNode {
-      override CallNode node;
-
+    private class ClassInstantiation extends InstanceSource, DataFlow::CallCfgNode {
       ClassInstantiation() { this = classRef().getACall() }
 
-      override DataFlow::Node getBody() { result.asCfgNode() = node.getArg(0) }
+      override DataFlow::Node getBody() { result = this.getArg(0) }
 
       override string getMimetypeDefault() { result = "text/html" }
 
       /** Gets the argument passed to the `mimetype` parameter, if any. */
       private DataFlow::Node getMimetypeArg() {
-        result.asCfgNode() in [node.getArg(3), node.getArgByName("mimetype")]
+        result in [this.getArg(3), this.getArgByName("mimetype")]
       }
 
       /** Gets the argument passed to the `content_type` parameter, if any. */
       private DataFlow::Node getContentTypeArg() {
-        result.asCfgNode() in [node.getArg(4), node.getArgByName("content_type")]
+        result in [this.getArg(4), this.getArgByName("content_type")]
       }
 
       override DataFlow::Node getMimetypeOrContentTypeArg() {
@@ -228,13 +226,11 @@ private module FlaskModel {
    *
    * See https://flask.palletsprojects.com/en/1.1.x/api/#flask.Flask.route
    */
-  private class FlaskAppRouteCall extends FlaskRouteSetup, DataFlow::CfgNode {
-    override CallNode node;
-
-    FlaskAppRouteCall() { node.getFunction() = flask::Flask::route().getAUse().asCfgNode() }
+  private class FlaskAppRouteCall extends FlaskRouteSetup, DataFlow::CallCfgNode {
+    FlaskAppRouteCall() { this.getFunction() = flask::Flask::route().getAUse() }
 
     override DataFlow::Node getUrlPatternArg() {
-      result.asCfgNode() in [node.getArg(0), node.getArgByName("rule")]
+      result in [this.getArg(0), this.getArgByName("rule")]
     }
 
     override Function getARequestHandler() { result.getADecorator().getAFlowNode() = node }
@@ -245,20 +241,14 @@ private module FlaskModel {
    *
    * See https://flask.palletsprojects.com/en/1.1.x/api/#flask.Flask.add_url_rule
    */
-  private class FlaskAppAddUrlRuleCall extends FlaskRouteSetup, DataFlow::CfgNode {
-    override CallNode node;
-
-    FlaskAppAddUrlRuleCall() {
-      node.getFunction() = flask::Flask::add_url_rule().getAUse().asCfgNode()
-    }
+  private class FlaskAppAddUrlRuleCall extends FlaskRouteSetup, DataFlow::CallCfgNode {
+    FlaskAppAddUrlRuleCall() { this.getFunction() = flask::Flask::add_url_rule().getAUse() }
 
     override DataFlow::Node getUrlPatternArg() {
-      result.asCfgNode() in [node.getArg(0), node.getArgByName("rule")]
+      result in [this.getArg(0), this.getArgByName("rule")]
     }
 
-    DataFlow::Node getViewArg() {
-      result.asCfgNode() in [node.getArg(2), node.getArgByName("view_func")]
-    }
+    DataFlow::Node getViewArg() { result in [this.getArg(2), this.getArgByName("view_func")] }
 
     override Function getARequestHandler() {
       exists(DataFlow::LocalSourceNode func_src |
@@ -375,7 +365,7 @@ private module FlaskModel {
       // NOTE: `request -> request.tainted_method` part is handled as part of RequestInputAccess
       // tainted_method -> tainted_method()
       nodeFrom = FlaskRequestTracking::tainted_methods(_).getAUse() and
-      nodeTo.asCfgNode().(CallNode).getFunction() = nodeFrom.asCfgNode()
+      nodeTo.(DataFlow::CallCfgNode).getFunction() = nodeFrom
     }
   }
 
@@ -403,16 +393,15 @@ private module FlaskModel {
    * - https://flask.palletsprojects.com/en/1.1.x/api/#flask.Flask.make_response
    * - https://flask.palletsprojects.com/en/1.1.x/api/#flask.make_response
    */
-  private class FlaskMakeResponseCall extends HTTP::Server::HttpResponse::Range, DataFlow::CfgNode {
-    override CallNode node;
-
+  private class FlaskMakeResponseCall extends HTTP::Server::HttpResponse::Range,
+    DataFlow::CallCfgNode {
     FlaskMakeResponseCall() {
-      node.getFunction() = flask::make_response().getAUse().asCfgNode()
+      this.getFunction() = flask::make_response().getAUse()
       or
-      node.getFunction() = flask::Flask::make_response_().getAUse().asCfgNode()
+      this.getFunction() = flask::Flask::make_response_().getAUse()
     }
 
-    override DataFlow::Node getBody() { result.asCfgNode() = node.getArg(0) }
+    override DataFlow::Node getBody() { result = this.getArg(0) }
 
     override string getMimetypeDefault() { result = "text/html" }
 
@@ -440,13 +429,11 @@ private module FlaskModel {
    * See https://flask.palletsprojects.com/en/1.1.x/api/#flask.redirect
    */
   private class FlaskRedirectCall extends HTTP::Server::HttpRedirectResponse::Range,
-    DataFlow::CfgNode {
-    override CallNode node;
-
-    FlaskRedirectCall() { node.getFunction() = flask_attr("redirect").getAUse().asCfgNode() }
+    DataFlow::CallCfgNode {
+    FlaskRedirectCall() { this.getFunction() = flask_attr("redirect").getAUse() }
 
     override DataFlow::Node getRedirectLocation() {
-      result.asCfgNode() in [node.getArg(0), node.getArgByName("location")]
+      result in [this.getArg(0), this.getArgByName("location")]
     }
 
     override DataFlow::Node getBody() { none() }

From c59b5c98cb661dd450cd2c78489df6a201738373 Mon Sep 17 00:00:00 2001
From: Taus Brock-Nannestad <tausbn@github.com>
Date: Mon, 8 Feb 2021 19:14:11 +0100
Subject: [PATCH 237/429] Python: Replace use of `AttrNode` with `getMember`

---
 .../ql/src/semmle/python/frameworks/Flask.qll | 76 +++++++++----------
 1 file changed, 36 insertions(+), 40 deletions(-)

diff --git a/python/ql/src/semmle/python/frameworks/Flask.qll b/python/ql/src/semmle/python/frameworks/Flask.qll
index 8b649a0d0ad..c0702ab7391 100644
--- a/python/ql/src/semmle/python/frameworks/Flask.qll
+++ b/python/ql/src/semmle/python/frameworks/Flask.qll
@@ -312,46 +312,42 @@ private module FlaskModel {
 
     RequestInputAccess() {
       // attributes
-      exists(AttrNode attr |
-        this.asCfgNode() = attr and
-        attr.getObject(attr_name) = flask::request().getAUse().asCfgNode()
-      |
-        attr_name in [
-            // str
-            "path", "full_path", "base_url", "url", "access_control_request_method",
-            "content_encoding", "content_md5", "content_type", "data", "method", "mimetype",
-            "origin", "query_string", "referrer", "remote_addr", "remote_user", "user_agent",
-            // dict
-            "environ", "cookies", "mimetype_params", "view_args",
-            // json
-            "json",
-            // List[str]
-            "access_route",
-            // file-like
-            "stream", "input_stream",
-            // MultiDict[str, str]
-            // https://werkzeug.palletsprojects.com/en/1.0.x/datastructures/#werkzeug.datastructures.MultiDict
-            "args", "values", "form",
-            // MultiDict[str, FileStorage]
-            // https://werkzeug.palletsprojects.com/en/1.0.x/datastructures/#werkzeug.datastructures.FileStorage
-            // TODO: FileStorage needs extra taint steps
-            "files",
-            // https://werkzeug.palletsprojects.com/en/1.0.x/datastructures/#werkzeug.datastructures.HeaderSet
-            "access_control_request_headers", "pragma",
-            // https://werkzeug.palletsprojects.com/en/1.0.x/datastructures/#werkzeug.datastructures.Accept
-            // TODO: Kinda badly modeled for now -- has type List[Tuple[value, quality]], and some extra methods
-            "accept_charsets", "accept_encodings", "accept_languages", "accept_mimetypes",
-            // https://werkzeug.palletsprojects.com/en/1.0.x/datastructures/#werkzeug.datastructures.Authorization
-            // TODO: dict subclass with extra attributes like `username` and `password`
-            "authorization",
-            // https://werkzeug.palletsprojects.com/en/1.0.x/datastructures/#werkzeug.datastructures.RequestCacheControl
-            // TODO: has attributes like `no_cache`, and `to_header` method (actually, many of these models do)
-            "cache_control",
-            // https://werkzeug.palletsprojects.com/en/1.0.x/datastructures/#werkzeug.datastructures.Headers
-            // TODO: dict-like with wsgiref.headers.Header compatibility methods
-            "headers"
-          ]
-      )
+      this = flask::request().getMember(attr_name).getAUse() and
+      attr_name in [
+          // str
+          "path", "full_path", "base_url", "url", "access_control_request_method",
+          "content_encoding", "content_md5", "content_type", "data", "method", "mimetype", "origin",
+          "query_string", "referrer", "remote_addr", "remote_user", "user_agent",
+          // dict
+          "environ", "cookies", "mimetype_params", "view_args",
+          // json
+          "json",
+          // List[str]
+          "access_route",
+          // file-like
+          "stream", "input_stream",
+          // MultiDict[str, str]
+          // https://werkzeug.palletsprojects.com/en/1.0.x/datastructures/#werkzeug.datastructures.MultiDict
+          "args", "values", "form",
+          // MultiDict[str, FileStorage]
+          // https://werkzeug.palletsprojects.com/en/1.0.x/datastructures/#werkzeug.datastructures.FileStorage
+          // TODO: FileStorage needs extra taint steps
+          "files",
+          // https://werkzeug.palletsprojects.com/en/1.0.x/datastructures/#werkzeug.datastructures.HeaderSet
+          "access_control_request_headers", "pragma",
+          // https://werkzeug.palletsprojects.com/en/1.0.x/datastructures/#werkzeug.datastructures.Accept
+          // TODO: Kinda badly modeled for now -- has type List[Tuple[value, quality]], and some extra methods
+          "accept_charsets", "accept_encodings", "accept_languages", "accept_mimetypes",
+          // https://werkzeug.palletsprojects.com/en/1.0.x/datastructures/#werkzeug.datastructures.Authorization
+          // TODO: dict subclass with extra attributes like `username` and `password`
+          "authorization",
+          // https://werkzeug.palletsprojects.com/en/1.0.x/datastructures/#werkzeug.datastructures.RequestCacheControl
+          // TODO: has attributes like `no_cache`, and `to_header` method (actually, many of these models do)
+          "cache_control",
+          // https://werkzeug.palletsprojects.com/en/1.0.x/datastructures/#werkzeug.datastructures.Headers
+          // TODO: dict-like with wsgiref.headers.Header compatibility methods
+          "headers"
+        ]
       or
       // methods (needs special handling to track bound-methods -- see `FlaskRequestMethodCallsAdditionalTaintStep` below)
       this = FlaskRequestTracking::tainted_methods(attr_name).getAUse()

From 7583904046bebf3ae2d9c44dde34b1b01a6d8f6f Mon Sep 17 00:00:00 2001
From: Alexander Eyers-Taylor <alexet@github.com>
Date: Mon, 8 Feb 2021 18:54:13 +0000
Subject: [PATCH 238/429] Update the language specification to allow empty
 var_decls

This is a degenerate form that is accepted in the compiler even if they don't make much sense.

Fixes #5060
---
 .../ql-language-specification.rst                    | 12 ++++++------
 1 file changed, 6 insertions(+), 6 deletions(-)

diff --git a/docs/codeql/ql-language-reference/ql-language-specification.rst b/docs/codeql/ql-language-reference/ql-language-specification.rst
index df1da36a1ba..0fe54210504 100644
--- a/docs/codeql/ql-language-reference/ql-language-specification.rst
+++ b/docs/codeql/ql-language-reference/ql-language-specification.rst
@@ -374,7 +374,7 @@ A *variable declaration list* provides a sequence of variables and a type for ea
 
 ::
 
-   var_decls ::= var_decl ("," var_decl)*
+   var_decls ::= (var_decl ("," var_decl)*)?
    var_decl ::= type simpleId
 
 A valid variable declaration list must not include two declarations with the same variable name. Moreover, if the declaration has a typing environment that applies, it must not use a variable name that is already present in that typing environment.
@@ -820,7 +820,7 @@ The head of the predicate gives a name, an optional *result type*, and a sequenc
 
 ::
 
-   head ::= ("predicate" | type) predicateName "(" (var_decls)? ")"
+   head ::= ("predicate" | type) predicateName "(" var_decls ")"
 
 The body of a predicate is of one of three forms:
 
@@ -1209,7 +1209,7 @@ An aggregation can be written in one of two forms:
 
 ::
 
-   aggregation ::= aggid ("[" expr "]")? "(" (var_decls)? ("|" (formula)? ("|" as_exprs ("order" "by" aggorderbys)?)?)? ")"
+   aggregation ::= aggid ("[" expr "]")? "(" var_decls ("|" (formula)? ("|" as_exprs ("order" "by" aggorderbys)?)?)? ")"
                |   aggid ("[" expr "]")? "(" as_exprs ("order" "by" aggorderbys)? ")"
                |   "unique" "(" var_decls "|" (formula)? ("|" as_exprs)? ")"
 
@@ -2046,7 +2046,7 @@ The complete grammar for QL is as follows:
                   |   "language" "[" "monotonicAggregates" "]"
                   |   "bindingset" "[" (variable ( "," variable)*)? "]"
 
-   head ::= ("predicate" | type) predicateName "(" (var_decls)? ")"
+   head ::= ("predicate" | type) predicateName "(" var_decls ")"
 
    optbody ::= ";"
            |  "{" formula "}" 
@@ -2070,7 +2070,7 @@ The complete grammar for QL is as follows:
          |  qldoc? annotations "class" classname "=" type ";"
          |  qldoc? annotations "module" modulename "=" moduleId ";"
          
-   var_decls ::= var_decl ("," var_decl)*
+   var_decls ::= (var_decl ("," var_decl)*)?
 
    var_decl ::= type simpleId
 
@@ -2157,7 +2157,7 @@ The complete grammar for QL is as follows:
 
    postfix_cast ::= primary "." "(" type ")"
 
-   aggregation ::= aggid ("[" expr "]")? "(" (var_decls)? ("|" (formula)? ("|" as_exprs ("order" "by" aggorderbys)?)?)? ")"
+   aggregation ::= aggid ("[" expr "]")? "(" var_decls ("|" (formula)? ("|" as_exprs ("order" "by" aggorderbys)?)?)? ")"
                |   aggid ("[" expr "]")? "(" as_exprs ("order" "by" aggorderbys)? ")"
                |   "unique" "(" var_decls "|" (formula)? ("|" as_exprs)? ")"
  

From cb16c64540134199475dc3093fb3e260ecfe8283 Mon Sep 17 00:00:00 2001
From: Geoffrey White <40627776+geoffw0@users.noreply.github.com>
Date: Mon, 8 Feb 2021 19:41:25 +0000
Subject: [PATCH 239/429] Call out the issue of copied code for C/C++ example
 code in the C/C++ CodeQL Tests README.md (where we talk about it for tests).

---
 cpp/ql/test/README.md | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)

diff --git a/cpp/ql/test/README.md b/cpp/ql/test/README.md
index 417d7bbe19d..6cf9082eaea 100644
--- a/cpp/ql/test/README.md
+++ b/cpp/ql/test/README.md
@@ -1,6 +1,6 @@
 # C/C++ CodeQL tests
 
-This document provides additional information about the C/C++ CodeQL Tests located in `cpp/ql/test`.  See [Contributing to CodeQL](/CONTRIBUTING.md) for general information about contributing to this repository.
+This document provides additional information about the C/C++ CodeQL Tests located in `cpp/ql/test`.  The principles under 'Copying code' also apply to any other C/C++ code in this repository, such as examples linked from query `.qhelp` files in `cp/ql/src`.  See [Contributing to CodeQL](/CONTRIBUTING.md) for more general information about contributing to this repository.
 
 The tests can be run through Visual Studio Code.  Advanced users may also use the `codeql test run` command.
 

From 74178a5e8627ea151df80a6d9af50642657ec222 Mon Sep 17 00:00:00 2001
From: Geoffrey White <40627776+geoffw0@users.noreply.github.com>
Date: Mon, 8 Feb 2021 19:55:02 +0000
Subject: [PATCH 240/429] Call out the copied code issue for qhelp files again
 (more generally) in the Supported CodeQL queries and libraries doc.

---
 docs/supported-queries.md | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)

diff --git a/docs/supported-queries.md b/docs/supported-queries.md
index dc02a1e547c..0c4b7069f5d 100644
--- a/docs/supported-queries.md
+++ b/docs/supported-queries.md
@@ -20,7 +20,7 @@ The process must begin with the first step and must conclude with the final step
 
    Query help files explain the purpose of your query to other users. Write your query help in a `.qhelp` file and save it in the same directory as your query. For more information on writing query help, see the [Query help style guide](query-help-style-guide.md).
 
-   - Note, in particular, that almost all queries need to have a pair of "before" and "after" examples demonstrating the kind of problem the query identifies and how to fix it. Make sure that the examples are actually consistent with what the query does, for example by including them in your unit tests.
+   - Note, in particular, that almost all queries need to have a pair of "before" and "after" examples demonstrating the kind of problem the query identifies and how to fix it. Make sure that the examples are actually consistent with what the query does, for example by including them in your unit tests. Examples must be original, not copied from third-party sources.
    - At the time of writing, there is no way of previewing help locally. Once you've opened a PR, a preview will be created as part of the CI checks. A GitHub employee will review this and let you know of any problems.
 
 3. **Write unit tests**

From 690b525192b682f7bbf2f035c42fc6701fdbf2d0 Mon Sep 17 00:00:00 2001
From: Geoffrey White <40627776+geoffw0@users.noreply.github.com>
Date: Mon, 8 Feb 2021 19:52:01 +0000
Subject: [PATCH 241/429] Add a link to the C/C++ CodeQL Tests README.md from
 the Supported CodeQL queries and libraries doc.

---
 docs/supported-queries.md | 3 ++-
 1 file changed, 2 insertions(+), 1 deletion(-)

diff --git a/docs/supported-queries.md b/docs/supported-queries.md
index 0c4b7069f5d..5facba235e9 100644
--- a/docs/supported-queries.md
+++ b/docs/supported-queries.md
@@ -27,7 +27,8 @@ The process must begin with the first step and must conclude with the final step
 
    Add one or more unit tests for the query (and for any library changes you make) to the `ql/<language>/ql/test/experimental` directory. Tests for library changes go into the `library-tests` subdirectory, and tests for queries go into `query-tests` with their relative path mirroring the query's location under `ql/<language>/ql/src/experimental`.
 
-   See the section on [Testing custom queries](https://help.semmle.com/codeql/codeql-cli/procedures/test-queries.html) in the [CodeQL documentation](https://help.semmle.com/codeql/) for more information.
+ 	- see the section on [Testing custom queries](https://help.semmle.com/codeql/codeql-cli/procedures/test-queries.html) in the [CodeQL documentation](https://help.semmle.com/codeql/) for more information.
+	- see [C/C++ CodeQL tests](/cpp/ql/test/README.md) for more information about contributing tests for C/C++ queries in particular.
 
 4. **Test for correctness on real-world code**
 

From 65ea1a4631366beb8273aa5a76a64f48d65fce51 Mon Sep 17 00:00:00 2001
From: Geoffrey White <40627776+geoffw0@users.noreply.github.com>
Date: Mon, 8 Feb 2021 19:39:14 +0000
Subject: [PATCH 242/429] Add hints / links about tests and documentation to
 CONTRIBUTING.md.

---
 CONTRIBUTING.md | 5 +++++
 1 file changed, 5 insertions(+)

diff --git a/CONTRIBUTING.md b/CONTRIBUTING.md
index 39552ad0bd9..69247da373c 100644
--- a/CONTRIBUTING.md
+++ b/CONTRIBUTING.md
@@ -53,6 +53,11 @@ Experimental queries and libraries may not be actively maintained as the [suppor
 
 After the experimental query is merged, we welcome pull requests to improve it. Before a query can be moved out of the `experimental` subdirectory, it must satisfy [the requirements for being a supported query](docs/supported-queries.md).
 
+6. **Query Help Files and Unit Tests**
+
+	- Query help (`.qhelp`) files and unit tests are optional (but strongly encouraged!) for queries in the `experimental` directories.
+	- see [Supported CodeQL queries and libraries](docs/supported-queries.md) for more information about contributing query help files and unit tests.
+
 ## Using your personal data
 
 If you contribute to this project, we will record your name and email address (as provided by you with your contributions) as part of the code repositories, which are public. We might also use this information to contact you in relation to your contributions, as well as in the normal course of software development. We also store records of CLA agreements signed in the past, but no longer require contributors to sign a CLA. Under GDPR legislation, we do this on the basis of our legitimate interest in creating the CodeQL product. 

From e1ca762bbc9958539a3b4fec63875fb25a9491b7 Mon Sep 17 00:00:00 2001
From: Geoffrey White <40627776+geoffw0@users.noreply.github.com>
Date: Mon, 8 Feb 2021 20:24:15 +0000
Subject: [PATCH 243/429] Fix layout.

---
 CONTRIBUTING.md | 8 ++++----
 1 file changed, 4 insertions(+), 4 deletions(-)

diff --git a/CONTRIBUTING.md b/CONTRIBUTING.md
index 69247da373c..8366d80ce2b 100644
--- a/CONTRIBUTING.md
+++ b/CONTRIBUTING.md
@@ -49,15 +49,15 @@ If you have an idea for a query that you would like to share with other CodeQL u
 
     - The query must have at least one true positive result on some revision of a real project.
 
-Experimental queries and libraries may not be actively maintained as the [supported](docs/supported-queries.md) libraries evolve. They may also be changed in backwards-incompatible ways or may be removed entirely in the future without deprecation warnings.
-
-After the experimental query is merged, we welcome pull requests to improve it. Before a query can be moved out of the `experimental` subdirectory, it must satisfy [the requirements for being a supported query](docs/supported-queries.md).
-
 6. **Query Help Files and Unit Tests**
 
 	- Query help (`.qhelp`) files and unit tests are optional (but strongly encouraged!) for queries in the `experimental` directories.
 	- see [Supported CodeQL queries and libraries](docs/supported-queries.md) for more information about contributing query help files and unit tests.
 
+Experimental queries and libraries may not be actively maintained as the [supported](docs/supported-queries.md) libraries evolve. They may also be changed in backwards-incompatible ways or may be removed entirely in the future without deprecation warnings.
+
+After the experimental query is merged, we welcome pull requests to improve it. Before a query can be moved out of the `experimental` subdirectory, it must satisfy [the requirements for being a supported query](docs/supported-queries.md).
+
 ## Using your personal data
 
 If you contribute to this project, we will record your name and email address (as provided by you with your contributions) as part of the code repositories, which are public. We might also use this information to contact you in relation to your contributions, as well as in the normal course of software development. We also store records of CLA agreements signed in the past, but no longer require contributors to sign a CLA. Under GDPR legislation, we do this on the basis of our legitimate interest in creating the CodeQL product. 

From bd255617d8d0592852519b397fd8882504d065ae Mon Sep 17 00:00:00 2001
From: Geoffrey White <40627776+geoffw0@users.noreply.github.com>
Date: Mon, 8 Feb 2021 20:25:35 +0000
Subject: [PATCH 244/429] Three copies of a link is too much.

---
 CONTRIBUTING.md | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)

diff --git a/CONTRIBUTING.md b/CONTRIBUTING.md
index 8366d80ce2b..6e417a0d9c2 100644
--- a/CONTRIBUTING.md
+++ b/CONTRIBUTING.md
@@ -54,7 +54,7 @@ If you have an idea for a query that you would like to share with other CodeQL u
 	- Query help (`.qhelp`) files and unit tests are optional (but strongly encouraged!) for queries in the `experimental` directories.
 	- see [Supported CodeQL queries and libraries](docs/supported-queries.md) for more information about contributing query help files and unit tests.
 
-Experimental queries and libraries may not be actively maintained as the [supported](docs/supported-queries.md) libraries evolve. They may also be changed in backwards-incompatible ways or may be removed entirely in the future without deprecation warnings.
+Experimental queries and libraries may not be actively maintained as the supported libraries evolve. They may also be changed in backwards-incompatible ways or may be removed entirely in the future without deprecation warnings.
 
 After the experimental query is merged, we welcome pull requests to improve it. Before a query can be moved out of the `experimental` subdirectory, it must satisfy [the requirements for being a supported query](docs/supported-queries.md).
 

From 07b263bb2fb6f184eca09995ac9df78fa9948259 Mon Sep 17 00:00:00 2001
From: Geoffrey White <40627776+geoffw0@users.noreply.github.com>
Date: Mon, 8 Feb 2021 20:27:28 +0000
Subject: [PATCH 245/429] Typo.

---
 cpp/ql/test/README.md | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)

diff --git a/cpp/ql/test/README.md b/cpp/ql/test/README.md
index 6cf9082eaea..efa020a074f 100644
--- a/cpp/ql/test/README.md
+++ b/cpp/ql/test/README.md
@@ -1,6 +1,6 @@
 # C/C++ CodeQL tests
 
-This document provides additional information about the C/C++ CodeQL Tests located in `cpp/ql/test`.  The principles under 'Copying code' also apply to any other C/C++ code in this repository, such as examples linked from query `.qhelp` files in `cp/ql/src`.  See [Contributing to CodeQL](/CONTRIBUTING.md) for more general information about contributing to this repository.
+This document provides additional information about the C/C++ CodeQL Tests located in `cpp/ql/test`.  The principles under 'Copying code' also apply to any other C/C++ code in this repository, such as examples linked from query `.qhelp` files in `cpp/ql/src`.  See [Contributing to CodeQL](/CONTRIBUTING.md) for more general information about contributing to this repository.
 
 The tests can be run through Visual Studio Code.  Advanced users may also use the `codeql test run` command.
 

From 8bf9fc611168e63303b84de5216428fa3025a679 Mon Sep 17 00:00:00 2001
From: Geoffrey White <40627776+geoffw0@users.noreply.github.com>
Date: Mon, 8 Feb 2021 20:29:46 +0000
Subject: [PATCH 246/429] Consistent capitalisation.

---
 docs/supported-queries.md | 4 ++--
 1 file changed, 2 insertions(+), 2 deletions(-)

diff --git a/docs/supported-queries.md b/docs/supported-queries.md
index 5facba235e9..55530c2fa12 100644
--- a/docs/supported-queries.md
+++ b/docs/supported-queries.md
@@ -27,8 +27,8 @@ The process must begin with the first step and must conclude with the final step
 
    Add one or more unit tests for the query (and for any library changes you make) to the `ql/<language>/ql/test/experimental` directory. Tests for library changes go into the `library-tests` subdirectory, and tests for queries go into `query-tests` with their relative path mirroring the query's location under `ql/<language>/ql/src/experimental`.
 
- 	- see the section on [Testing custom queries](https://help.semmle.com/codeql/codeql-cli/procedures/test-queries.html) in the [CodeQL documentation](https://help.semmle.com/codeql/) for more information.
-	- see [C/C++ CodeQL tests](/cpp/ql/test/README.md) for more information about contributing tests for C/C++ queries in particular.
+ 	- See the section on [Testing custom queries](https://help.semmle.com/codeql/codeql-cli/procedures/test-queries.html) in the [CodeQL documentation](https://help.semmle.com/codeql/) for more information.
+	- See [C/C++ CodeQL tests](/cpp/ql/test/README.md) for more information about contributing tests for C/C++ queries in particular.
 
 4. **Test for correctness on real-world code**
 

From f114ef1f06e6965023143f9385cd32e6f49a76cc Mon Sep 17 00:00:00 2001
From: "Raul Garcia (MSFT)" <raul.garcia@microsoft.com>
Date: Mon, 8 Feb 2021 16:57:49 -0800
Subject: [PATCH 247/429] Adding unit tests

---
 .../DangerousNativeFunctionCall.expected      |   1 +
 .../DangerousNativeFunctionCall.qlref         |   1 +
 .../backdoor/PotentialTimeBomb.expected       |  23 ++
 .../backdoor/PotentialTimeBomb.qlref          |   1 +
 .../ProcessNameToHashTaintFlow.expected       |   3 +
 .../backdoor/ProcessNameToHashTaintFlow.qlref |   1 +
 .../Security Features/backdoor/test.cs        |  76 +++++
 .../ModifiedFnvFunctionDetection.expected     |   1 +
 .../ModifiedFnvFunctionDetection.qlref        |   1 +
 ...mberOfKnownCommandsAboveThreshold.expected |   1 +
 .../NumberOfKnownCommandsAboveThreshold.qlref |   1 +
 ...NumberOfKnownHashesAboveThreshold.expected | 248 ++++++++++++++
 .../NumberOfKnownHashesAboveThreshold.qlref   |   1 +
 ...mberOfKnownLiteralsAboveThreshold.expected | 140 ++++++++
 .../NumberOfKnownLiteralsAboveThreshold.qlref |   1 +
 ...rOfKnownMethodNamesAboveThreshold.expected | 104 ++++++
 ...mberOfKnownMethodNamesAboveThreshold.qlref |   1 +
 ...SwallowEverythingExceptionHandler.expected |   3 +
 .../SwallowEverythingExceptionHandler.qlref   |   1 +
 .../campaign/Solorigate/test.cs               | 309 ++++++++++++++++++
 20 files changed, 918 insertions(+)
 create mode 100644 csharp/ql/test/experimental/Security Features/backdoor/DangerousNativeFunctionCall.expected
 create mode 100644 csharp/ql/test/experimental/Security Features/backdoor/DangerousNativeFunctionCall.qlref
 create mode 100644 csharp/ql/test/experimental/Security Features/backdoor/PotentialTimeBomb.expected
 create mode 100644 csharp/ql/test/experimental/Security Features/backdoor/PotentialTimeBomb.qlref
 create mode 100644 csharp/ql/test/experimental/Security Features/backdoor/ProcessNameToHashTaintFlow.expected
 create mode 100644 csharp/ql/test/experimental/Security Features/backdoor/ProcessNameToHashTaintFlow.qlref
 create mode 100644 csharp/ql/test/experimental/Security Features/backdoor/test.cs
 create mode 100644 csharp/ql/test/experimental/Security Features/campaign/Solorigate/ModifiedFnvFunctionDetection.expected
 create mode 100644 csharp/ql/test/experimental/Security Features/campaign/Solorigate/ModifiedFnvFunctionDetection.qlref
 create mode 100644 csharp/ql/test/experimental/Security Features/campaign/Solorigate/NumberOfKnownCommandsAboveThreshold.expected
 create mode 100644 csharp/ql/test/experimental/Security Features/campaign/Solorigate/NumberOfKnownCommandsAboveThreshold.qlref
 create mode 100644 csharp/ql/test/experimental/Security Features/campaign/Solorigate/NumberOfKnownHashesAboveThreshold.expected
 create mode 100644 csharp/ql/test/experimental/Security Features/campaign/Solorigate/NumberOfKnownHashesAboveThreshold.qlref
 create mode 100644 csharp/ql/test/experimental/Security Features/campaign/Solorigate/NumberOfKnownLiteralsAboveThreshold.expected
 create mode 100644 csharp/ql/test/experimental/Security Features/campaign/Solorigate/NumberOfKnownLiteralsAboveThreshold.qlref
 create mode 100644 csharp/ql/test/experimental/Security Features/campaign/Solorigate/NumberOfKnownMethodNamesAboveThreshold.expected
 create mode 100644 csharp/ql/test/experimental/Security Features/campaign/Solorigate/NumberOfKnownMethodNamesAboveThreshold.qlref
 create mode 100644 csharp/ql/test/experimental/Security Features/campaign/Solorigate/SwallowEverythingExceptionHandler.expected
 create mode 100644 csharp/ql/test/experimental/Security Features/campaign/Solorigate/SwallowEverythingExceptionHandler.qlref
 create mode 100644 csharp/ql/test/experimental/Security Features/campaign/Solorigate/test.cs

diff --git a/csharp/ql/test/experimental/Security Features/backdoor/DangerousNativeFunctionCall.expected b/csharp/ql/test/experimental/Security Features/backdoor/DangerousNativeFunctionCall.expected
new file mode 100644
index 00000000000..f890a844778
--- /dev/null
+++ b/csharp/ql/test/experimental/Security Features/backdoor/DangerousNativeFunctionCall.expected	
@@ -0,0 +1 @@
+| test.cs:31:9:31:74 | call to method InitiateSystemShutdownExW | Call to an external method 'InitiateSystemShutdownExW'. |
diff --git a/csharp/ql/test/experimental/Security Features/backdoor/DangerousNativeFunctionCall.qlref b/csharp/ql/test/experimental/Security Features/backdoor/DangerousNativeFunctionCall.qlref
new file mode 100644
index 00000000000..1215c001b40
--- /dev/null
+++ b/csharp/ql/test/experimental/Security Features/backdoor/DangerousNativeFunctionCall.qlref	
@@ -0,0 +1 @@
+experimental/Security Features/backdoor/DangerousNativeFunctionCall.ql
\ No newline at end of file
diff --git a/csharp/ql/test/experimental/Security Features/backdoor/PotentialTimeBomb.expected b/csharp/ql/test/experimental/Security Features/backdoor/PotentialTimeBomb.expected
new file mode 100644
index 00000000000..490a71b0c0c
--- /dev/null
+++ b/csharp/ql/test/experimental/Security Features/backdoor/PotentialTimeBomb.expected	
@@ -0,0 +1,23 @@
+edges
+| test.cs:68:34:68:76 | call to method GetLastWriteTime : DateTime | test.cs:70:36:70:48 | access to local variable lastWriteTime |
+| test.cs:70:13:70:71 | call to method CompareTo : Int32 | test.cs:70:13:70:76 | ... >= ... |
+| test.cs:70:36:70:48 | access to local variable lastWriteTime | test.cs:70:36:70:70 | call to method AddHours |
+| test.cs:70:36:70:48 | access to local variable lastWriteTime | test.cs:70:36:70:70 | call to method AddHours : DateTime |
+| test.cs:70:36:70:48 | access to local variable lastWriteTime : DateTime | test.cs:70:36:70:70 | call to method AddHours |
+| test.cs:70:36:70:48 | access to local variable lastWriteTime : DateTime | test.cs:70:36:70:70 | call to method AddHours : DateTime |
+| test.cs:70:36:70:70 | call to method AddHours | test.cs:70:13:70:71 | call to method CompareTo |
+| test.cs:70:36:70:70 | call to method AddHours | test.cs:70:13:70:71 | call to method CompareTo : Int32 |
+| test.cs:70:36:70:70 | call to method AddHours : DateTime | test.cs:70:13:70:71 | call to method CompareTo |
+| test.cs:70:36:70:70 | call to method AddHours : DateTime | test.cs:70:13:70:71 | call to method CompareTo : Int32 |
+#select
+| test.cs:70:9:73:9 | if (...) ... | test.cs:68:34:68:76 | call to method GetLastWriteTime : DateTime | test.cs:70:13:70:71 | call to method CompareTo | Possible TimeBomb logic triggered by $@ that takes into account $@ from the $@ as part of the potential trigger. | test.cs:70:13:70:71 | call to method CompareTo | call to method CompareTo | test.cs:70:36:70:70 | call to method AddHours | an offset | test.cs:68:34:68:76 | call to method GetLastWriteTime | last modification time of a file |
+| test.cs:70:9:73:9 | if (...) ... | test.cs:68:34:68:76 | call to method GetLastWriteTime : DateTime | test.cs:70:13:70:71 | call to method CompareTo : Int32 | Possible TimeBomb logic triggered by $@ that takes into account $@ from the $@ as part of the potential trigger. | test.cs:70:13:70:71 | call to method CompareTo | call to method CompareTo | test.cs:70:36:70:70 | call to method AddHours | an offset | test.cs:68:34:68:76 | call to method GetLastWriteTime | last modification time of a file |
+| test.cs:70:9:73:9 | if (...) ... | test.cs:68:34:68:76 | call to method GetLastWriteTime : DateTime | test.cs:70:13:70:76 | ... >= ... | Possible TimeBomb logic triggered by $@ that takes into account $@ from the $@ as part of the potential trigger. | test.cs:70:13:70:71 | call to method CompareTo | call to method CompareTo | test.cs:70:36:70:70 | call to method AddHours | an offset | test.cs:68:34:68:76 | call to method GetLastWriteTime | last modification time of a file |
+| test.cs:70:9:73:9 | if (...) ... | test.cs:68:34:68:76 | call to method GetLastWriteTime : DateTime | test.cs:70:13:70:76 | ... >= ... : Boolean | Possible TimeBomb logic triggered by $@ that takes into account $@ from the $@ as part of the potential trigger. | test.cs:70:13:70:71 | call to method CompareTo | call to method CompareTo | test.cs:70:36:70:70 | call to method AddHours | an offset | test.cs:68:34:68:76 | call to method GetLastWriteTime | last modification time of a file |
+nodes
+| test.cs:68:34:68:76 | call to method GetLastWriteTime : DateTime | semmle.label | call to method GetLastWriteTime : DateTime |
+| test.cs:70:13:70:71 | call to method CompareTo | semmle.label | call to method CompareTo |
+| test.cs:70:13:70:71 | call to method CompareTo : Int32 | semmle.label | call to method CompareTo : Int32 |
+| test.cs:70:13:70:76 | ... >= ... | semmle.label | ... >= ... |
+| test.cs:70:36:70:48 | access to local variable lastWriteTime | semmle.label | access to local variable lastWriteTime |
+| test.cs:70:36:70:70 | call to method AddHours | semmle.label | call to method AddHours |
diff --git a/csharp/ql/test/experimental/Security Features/backdoor/PotentialTimeBomb.qlref b/csharp/ql/test/experimental/Security Features/backdoor/PotentialTimeBomb.qlref
new file mode 100644
index 00000000000..f76817aa089
--- /dev/null
+++ b/csharp/ql/test/experimental/Security Features/backdoor/PotentialTimeBomb.qlref	
@@ -0,0 +1 @@
+experimental/Security Features/backdoor/PotentialTimeBomb.ql
\ No newline at end of file
diff --git a/csharp/ql/test/experimental/Security Features/backdoor/ProcessNameToHashTaintFlow.expected b/csharp/ql/test/experimental/Security Features/backdoor/ProcessNameToHashTaintFlow.expected
new file mode 100644
index 00000000000..58e3dda0964
--- /dev/null
+++ b/csharp/ql/test/experimental/Security Features/backdoor/ProcessNameToHashTaintFlow.expected	
@@ -0,0 +1,3 @@
+edges
+nodes
+#select
diff --git a/csharp/ql/test/experimental/Security Features/backdoor/ProcessNameToHashTaintFlow.qlref b/csharp/ql/test/experimental/Security Features/backdoor/ProcessNameToHashTaintFlow.qlref
new file mode 100644
index 00000000000..d1d0d520d61
--- /dev/null
+++ b/csharp/ql/test/experimental/Security Features/backdoor/ProcessNameToHashTaintFlow.qlref	
@@ -0,0 +1 @@
+experimental/Security Features/backdoor/ProcessNameToHashTaintFlow.ql
\ No newline at end of file
diff --git a/csharp/ql/test/experimental/Security Features/backdoor/test.cs b/csharp/ql/test/experimental/Security Features/backdoor/test.cs
new file mode 100644
index 00000000000..aea05818423
--- /dev/null
+++ b/csharp/ql/test/experimental/Security Features/backdoor/test.cs	
@@ -0,0 +1,76 @@
+using System;
+using System.Runtime.InteropServices;
+using System.Text;
+
+namespace System.IO
+{
+    public class File
+    {
+        public static DateTime GetLastWriteTime(string s)
+        {
+            return new DateTime(DateTime.MaxValue.Ticks);
+        }
+    }
+}
+
+namespace System.Diagnostics
+{
+    public class Process
+    {
+        public static string GetCurrentProcess() { return "test"; }
+    }
+}
+
+class External {
+    [DllImport("advapi32.dll", CharSet = CharSet.Unicode, SetLastError = true)]
+    [return: MarshalAs(UnmanagedType.Bool)]
+    public static extern bool InitiateSystemShutdownExW([In] string lpMachineName, [In] string lpMessage, [In] uint dwTimeout, [MarshalAs(UnmanagedType.Bool)][In] bool bForceAppsClosed, [MarshalAs(UnmanagedType.Bool)][In] bool bRebootAfterShutdown, [In] uint dwReason);
+
+    void TestDangerousNativeFunctionCall()
+    {
+        InitiateSystemShutdownExW(null, null, 0U, true, true, 2147745794U); // BUG : DangerousNativeFunctionCall
+    }
+
+    ulong GetFvnHash(string s)
+    {
+        ulong num = 14695981039346656037UL; /* FNV base offset */
+        try
+        {
+            foreach (byte b in Encoding.UTF8.GetBytes(s))
+            {
+                num ^= (ulong)b;
+                num *= 1099511628211UL; /* FNV prime */
+            }
+        }
+        catch
+        {
+        }
+        // regular FVN
+        return num; 
+    }
+
+    void IndirectTestProcessNameToHashTaintFlow( string s)
+    {
+        GetFvnHash(s); // BUG : ProcessNameToHashTaintFlow
+    }
+
+    void TestProcessNameToHashTaintFlow()
+    {
+        GetFvnHash( System.Diagnostics.Process.GetCurrentProcess() ); // BUG : ProcessNameToHashTaintFlow
+
+        string proc = System.Diagnostics.Process.GetCurrentProcess();
+
+        IndirectTestProcessNameToHashTaintFlow( proc );
+    }
+
+    void TestTimeBomb() 
+    {
+        DateTime lastWriteTime = System.IO.File.GetLastWriteTime("someFile");
+        int num = new Random().Next(288, 336);
+        if (DateTime.Now.CompareTo(lastWriteTime.AddHours((double)num)) >= 0) // BUG : Potential time bomb
+        {
+            // Some code here
+        }
+    }
+
+}
\ No newline at end of file
diff --git a/csharp/ql/test/experimental/Security Features/campaign/Solorigate/ModifiedFnvFunctionDetection.expected b/csharp/ql/test/experimental/Security Features/campaign/Solorigate/ModifiedFnvFunctionDetection.expected
new file mode 100644
index 00000000000..da578042bc3
--- /dev/null
+++ b/csharp/ql/test/experimental/Security Features/campaign/Solorigate/ModifiedFnvFunctionDetection.expected	
@@ -0,0 +1 @@
+| test.cs:40:16:40:36 | 6605813339339102567 | The variable $@ seems to be used as part of a FNV-like hash calculation, that is modified by an additional $@ expression using literal $@. | test.cs:26:9:26:11 | num | num | test.cs:40:10:40:36 | ... ^ ... | xor | test.cs:40:16:40:36 | 6605813339339102567 | 6605813339339102567 |
diff --git a/csharp/ql/test/experimental/Security Features/campaign/Solorigate/ModifiedFnvFunctionDetection.qlref b/csharp/ql/test/experimental/Security Features/campaign/Solorigate/ModifiedFnvFunctionDetection.qlref
new file mode 100644
index 00000000000..af0428b3391
--- /dev/null
+++ b/csharp/ql/test/experimental/Security Features/campaign/Solorigate/ModifiedFnvFunctionDetection.qlref	
@@ -0,0 +1 @@
+experimental/Security Features/campaign/Solorigate/ModifiedFnvFunctionDetection.ql
\ No newline at end of file
diff --git a/csharp/ql/test/experimental/Security Features/campaign/Solorigate/NumberOfKnownCommandsAboveThreshold.expected b/csharp/ql/test/experimental/Security Features/campaign/Solorigate/NumberOfKnownCommandsAboveThreshold.expected
new file mode 100644
index 00000000000..fa8afc54079
--- /dev/null
+++ b/csharp/ql/test/experimental/Security Features/campaign/Solorigate/NumberOfKnownCommandsAboveThreshold.expected	
@@ -0,0 +1 @@
+| test.cs:43:7:43:15 | JobEngine | The enum $@ may be related to Solorigate. It matches 19 of the values used for commands in the enum. | test.cs:43:7:43:15 | JobEngine | JobEngine |
diff --git a/csharp/ql/test/experimental/Security Features/campaign/Solorigate/NumberOfKnownCommandsAboveThreshold.qlref b/csharp/ql/test/experimental/Security Features/campaign/Solorigate/NumberOfKnownCommandsAboveThreshold.qlref
new file mode 100644
index 00000000000..11d2fef0441
--- /dev/null
+++ b/csharp/ql/test/experimental/Security Features/campaign/Solorigate/NumberOfKnownCommandsAboveThreshold.qlref	
@@ -0,0 +1 @@
+experimental/Security Features/campaign/Solorigate/NumberOfKnownCommandsAboveThreshold.ql
\ No newline at end of file
diff --git a/csharp/ql/test/experimental/Security Features/campaign/Solorigate/NumberOfKnownHashesAboveThreshold.expected b/csharp/ql/test/experimental/Security Features/campaign/Solorigate/NumberOfKnownHashesAboveThreshold.expected
new file mode 100644
index 00000000000..3603cf8a20a
--- /dev/null
+++ b/csharp/ql/test/experimental/Security Features/campaign/Solorigate/NumberOfKnownHashesAboveThreshold.expected	
@@ -0,0 +1,248 @@
+| test.cs:10:15:10:36 | 14695981039346656037 | The Hash literal $@ may be related to the Solorigate campaign. Total count = 243 is above the threshold 5. | test.cs:10:15:10:36 | 14695981039346656037 | 14695981039346656037 |
+| test.cs:15:11:15:25 | 1099511628211 | The Hash literal $@ may be related to the Solorigate campaign. Total count = 243 is above the threshold 5. | test.cs:15:11:15:25 | 1099511628211 | 1099511628211 |
+| test.cs:26:15:26:36 | 14695981039346656037 | The Hash literal $@ may be related to the Solorigate campaign. Total count = 243 is above the threshold 5. | test.cs:26:15:26:36 | 14695981039346656037 | 14695981039346656037 |
+| test.cs:32:12:32:26 | 1099511628211 | The Hash literal $@ may be related to the Solorigate campaign. Total count = 243 is above the threshold 5. | test.cs:32:12:32:26 | 1099511628211 | 1099511628211 |
+| test.cs:40:16:40:36 | 6605813339339102567 | The Hash literal $@ may be related to the Solorigate campaign. Total count = 243 is above the threshold 5. | test.cs:40:16:40:36 | 6605813339339102567 | 6605813339339102567 |
+| test.cs:173:5:173:24 | 10063651499895178962 | The Hash literal $@ may be related to the Solorigate campaign. Total count = 243 is above the threshold 5. | test.cs:173:5:173:24 | 10063651499895178962 | 10063651499895178962 |
+| test.cs:173:27:173:46 | 10235971842993272939 | The Hash literal $@ may be related to the Solorigate campaign. Total count = 243 is above the threshold 5. | test.cs:173:27:173:46 | 10235971842993272939 | 10235971842993272939 |
+| test.cs:173:49:173:68 | 10296494671777307979 | The Hash literal $@ may be related to the Solorigate campaign. Total count = 243 is above the threshold 5. | test.cs:173:49:173:68 | 10296494671777307979 | 10296494671777307979 |
+| test.cs:174:5:174:24 | 10336842116636872171 | The Hash literal $@ may be related to the Solorigate campaign. Total count = 243 is above the threshold 5. | test.cs:174:5:174:24 | 10336842116636872171 | 10336842116636872171 |
+| test.cs:174:27:174:46 | 10374841591685794123 | The Hash literal $@ may be related to the Solorigate campaign. Total count = 243 is above the threshold 5. | test.cs:174:27:174:46 | 10374841591685794123 | 10374841591685794123 |
+| test.cs:174:49:174:68 | 10393903804869831898 | The Hash literal $@ may be related to the Solorigate campaign. Total count = 243 is above the threshold 5. | test.cs:174:49:174:68 | 10393903804869831898 | 10393903804869831898 |
+| test.cs:175:5:175:24 | 10463926208560207521 | The Hash literal $@ may be related to the Solorigate campaign. Total count = 243 is above the threshold 5. | test.cs:175:5:175:24 | 10463926208560207521 | 10463926208560207521 |
+| test.cs:175:27:175:46 | 10484659978517092504 | The Hash literal $@ may be related to the Solorigate campaign. Total count = 243 is above the threshold 5. | test.cs:175:27:175:46 | 10484659978517092504 | 10484659978517092504 |
+| test.cs:175:49:175:68 | 10501212300031893463 | The Hash literal $@ may be related to the Solorigate campaign. Total count = 243 is above the threshold 5. | test.cs:175:49:175:68 | 10501212300031893463 | 10501212300031893463 |
+| test.cs:176:5:176:24 | 10545868833523019926 | The Hash literal $@ may be related to the Solorigate campaign. Total count = 243 is above the threshold 5. | test.cs:176:5:176:24 | 10545868833523019926 | 10545868833523019926 |
+| test.cs:176:27:176:46 | 10657751674541025650 | The Hash literal $@ may be related to the Solorigate campaign. Total count = 243 is above the threshold 5. | test.cs:176:27:176:46 | 10657751674541025650 | 10657751674541025650 |
+| test.cs:176:49:176:66 | 106672141413120087 | The Hash literal $@ may be related to the Solorigate campaign. Total count = 243 is above the threshold 5. | test.cs:176:49:176:66 | 106672141413120087 | 106672141413120087 |
+| test.cs:176:69:176:88 | 10734127004244879770 | The Hash literal $@ may be related to the Solorigate campaign. Total count = 243 is above the threshold 5. | test.cs:176:69:176:88 | 10734127004244879770 | 10734127004244879770 |
+| test.cs:177:5:177:24 | 10829648878147112121 | The Hash literal $@ may be related to the Solorigate campaign. Total count = 243 is above the threshold 5. | test.cs:177:5:177:24 | 10829648878147112121 | 10829648878147112121 |
+| test.cs:177:27:177:39 | 1099511628211 | The Hash literal $@ may be related to the Solorigate campaign. Total count = 243 is above the threshold 5. | test.cs:177:27:177:39 | 1099511628211 | 1099511628211 |
+| test.cs:177:42:177:61 | 11073283311104541690 | The Hash literal $@ may be related to the Solorigate campaign. Total count = 243 is above the threshold 5. | test.cs:177:42:177:61 | 11073283311104541690 | 11073283311104541690 |
+| test.cs:177:64:177:82 | 1109067043404435916 | The Hash literal $@ may be related to the Solorigate campaign. Total count = 243 is above the threshold 5. | test.cs:177:64:177:82 | 1109067043404435916 | 1109067043404435916 |
+| test.cs:178:5:178:24 | 11109294216876344399 | The Hash literal $@ may be related to the Solorigate campaign. Total count = 243 is above the threshold 5. | test.cs:178:5:178:24 | 11109294216876344399 | 11109294216876344399 |
+| test.cs:178:27:178:46 | 11266044540366291518 | The Hash literal $@ may be related to the Solorigate campaign. Total count = 243 is above the threshold 5. | test.cs:178:27:178:46 | 11266044540366291518 | 11266044540366291518 |
+| test.cs:178:49:178:68 | 11385275378891906608 | The Hash literal $@ may be related to the Solorigate campaign. Total count = 243 is above the threshold 5. | test.cs:178:49:178:68 | 11385275378891906608 | 11385275378891906608 |
+| test.cs:179:5:179:24 | 11771945869106552231 | The Hash literal $@ may be related to the Solorigate campaign. Total count = 243 is above the threshold 5. | test.cs:179:5:179:24 | 11771945869106552231 | 11771945869106552231 |
+| test.cs:179:27:179:46 | 11801746708619571308 | The Hash literal $@ may be related to the Solorigate campaign. Total count = 243 is above the threshold 5. | test.cs:179:27:179:46 | 11801746708619571308 | 11801746708619571308 |
+| test.cs:179:49:179:68 | 11818825521849580123 | The Hash literal $@ may be related to the Solorigate campaign. Total count = 243 is above the threshold 5. | test.cs:179:49:179:68 | 11818825521849580123 | 11818825521849580123 |
+| test.cs:180:5:180:24 | 11913842725949116895 | The Hash literal $@ may be related to the Solorigate campaign. Total count = 243 is above the threshold 5. | test.cs:180:5:180:24 | 11913842725949116895 | 11913842725949116895 |
+| test.cs:180:27:180:46 | 12027963942392743532 | The Hash literal $@ may be related to the Solorigate campaign. Total count = 243 is above the threshold 5. | test.cs:180:27:180:46 | 12027963942392743532 | 12027963942392743532 |
+| test.cs:180:49:180:68 | 12094027092655598256 | The Hash literal $@ may be related to the Solorigate campaign. Total count = 243 is above the threshold 5. | test.cs:180:49:180:68 | 12094027092655598256 | 12094027092655598256 |
+| test.cs:181:5:181:24 | 12343334044036541897 | The Hash literal $@ may be related to the Solorigate campaign. Total count = 243 is above the threshold 5. | test.cs:181:5:181:24 | 12343334044036541897 | 12343334044036541897 |
+| test.cs:181:27:181:46 | 12445177985737237804 | The Hash literal $@ may be related to the Solorigate campaign. Total count = 243 is above the threshold 5. | test.cs:181:27:181:46 | 12445177985737237804 | 12445177985737237804 |
+| test.cs:181:49:181:68 | 12445232961318634374 | The Hash literal $@ may be related to the Solorigate campaign. Total count = 243 is above the threshold 5. | test.cs:181:49:181:68 | 12445232961318634374 | 12445232961318634374 |
+| test.cs:182:5:182:24 | 12574535824074203265 | The Hash literal $@ may be related to the Solorigate campaign. Total count = 243 is above the threshold 5. | test.cs:182:5:182:24 | 12574535824074203265 | 12574535824074203265 |
+| test.cs:182:27:182:46 | 12679195163651834776 | The Hash literal $@ may be related to the Solorigate campaign. Total count = 243 is above the threshold 5. | test.cs:182:27:182:46 | 12679195163651834776 | 12679195163651834776 |
+| test.cs:182:49:182:68 | 12709986806548166638 | The Hash literal $@ may be related to the Solorigate campaign. Total count = 243 is above the threshold 5. | test.cs:182:49:182:68 | 12709986806548166638 | 12709986806548166638 |
+| test.cs:183:5:183:24 | 12718416789200275332 | The Hash literal $@ may be related to the Solorigate campaign. Total count = 243 is above the threshold 5. | test.cs:183:5:183:24 | 12718416789200275332 | 12718416789200275332 |
+| test.cs:183:27:183:46 | 12785322942775634499 | The Hash literal $@ may be related to the Solorigate campaign. Total count = 243 is above the threshold 5. | test.cs:183:27:183:46 | 12785322942775634499 | 12785322942775634499 |
+| test.cs:183:49:183:68 | 12790084614253405985 | The Hash literal $@ may be related to the Solorigate campaign. Total count = 243 is above the threshold 5. | test.cs:183:49:183:68 | 12790084614253405985 | 12790084614253405985 |
+| test.cs:184:5:184:24 | 12969190449276002545 | The Hash literal $@ may be related to the Solorigate campaign. Total count = 243 is above the threshold 5. | test.cs:184:5:184:24 | 12969190449276002545 | 12969190449276002545 |
+| test.cs:184:27:184:46 | 13014156621614176974 | The Hash literal $@ may be related to the Solorigate campaign. Total count = 243 is above the threshold 5. | test.cs:184:27:184:46 | 13014156621614176974 | 13014156621614176974 |
+| test.cs:184:49:184:68 | 13029357933491444455 | The Hash literal $@ may be related to the Solorigate campaign. Total count = 243 is above the threshold 5. | test.cs:184:49:184:68 | 13029357933491444455 | 13029357933491444455 |
+| test.cs:185:5:185:24 | 13135068273077306806 | The Hash literal $@ may be related to the Solorigate campaign. Total count = 243 is above the threshold 5. | test.cs:185:5:185:24 | 13135068273077306806 | 13135068273077306806 |
+| test.cs:185:27:185:46 | 13260224381505715848 | The Hash literal $@ may be related to the Solorigate campaign. Total count = 243 is above the threshold 5. | test.cs:185:27:185:46 | 13260224381505715848 | 13260224381505715848 |
+| test.cs:185:49:185:68 | 13316211011159594063 | The Hash literal $@ may be related to the Solorigate campaign. Total count = 243 is above the threshold 5. | test.cs:185:49:185:68 | 13316211011159594063 | 13316211011159594063 |
+| test.cs:186:5:186:24 | 13464308873961738403 | The Hash literal $@ may be related to the Solorigate campaign. Total count = 243 is above the threshold 5. | test.cs:186:5:186:24 | 13464308873961738403 | 13464308873961738403 |
+| test.cs:186:27:186:46 | 13544031715334011032 | The Hash literal $@ may be related to the Solorigate campaign. Total count = 243 is above the threshold 5. | test.cs:186:27:186:46 | 13544031715334011032 | 13544031715334011032 |
+| test.cs:186:49:186:68 | 13581776705111912829 | The Hash literal $@ may be related to the Solorigate campaign. Total count = 243 is above the threshold 5. | test.cs:186:49:186:68 | 13581776705111912829 | 13581776705111912829 |
+| test.cs:187:5:187:24 | 13599785766252827703 | The Hash literal $@ may be related to the Solorigate campaign. Total count = 243 is above the threshold 5. | test.cs:187:5:187:24 | 13599785766252827703 | 13599785766252827703 |
+| test.cs:187:27:187:46 | 13611051401579634621 | The Hash literal $@ may be related to the Solorigate campaign. Total count = 243 is above the threshold 5. | test.cs:187:27:187:46 | 13611051401579634621 | 13611051401579634621 |
+| test.cs:187:49:187:68 | 13611814135072561278 | The Hash literal $@ may be related to the Solorigate campaign. Total count = 243 is above the threshold 5. | test.cs:187:49:187:68 | 13611814135072561278 | 13611814135072561278 |
+| test.cs:188:5:188:24 | 13655261125244647696 | The Hash literal $@ may be related to the Solorigate campaign. Total count = 243 is above the threshold 5. | test.cs:188:5:188:24 | 13655261125244647696 | 13655261125244647696 |
+| test.cs:188:27:188:45 | 1367627386496056834 | The Hash literal $@ may be related to the Solorigate campaign. Total count = 243 is above the threshold 5. | test.cs:188:27:188:45 | 1367627386496056834 | 1367627386496056834 |
+| test.cs:188:48:188:66 | 1368907909245890092 | The Hash literal $@ may be related to the Solorigate campaign. Total count = 243 is above the threshold 5. | test.cs:188:48:188:66 | 1368907909245890092 | 1368907909245890092 |
+| test.cs:188:69:188:88 | 13693525876560827283 | The Hash literal $@ may be related to the Solorigate campaign. Total count = 243 is above the threshold 5. | test.cs:188:69:188:88 | 13693525876560827283 | 13693525876560827283 |
+| test.cs:189:5:189:24 | 13783346438774742614 | The Hash literal $@ may be related to the Solorigate campaign. Total count = 243 is above the threshold 5. | test.cs:189:5:189:24 | 13783346438774742614 | 13783346438774742614 |
+| test.cs:189:27:189:46 | 13799353263187722717 | The Hash literal $@ may be related to the Solorigate campaign. Total count = 243 is above the threshold 5. | test.cs:189:27:189:46 | 13799353263187722717 | 13799353263187722717 |
+| test.cs:189:49:189:68 | 13825071784440082496 | The Hash literal $@ may be related to the Solorigate campaign. Total count = 243 is above the threshold 5. | test.cs:189:49:189:68 | 13825071784440082496 | 13825071784440082496 |
+| test.cs:190:5:190:24 | 13852439084267373191 | The Hash literal $@ may be related to the Solorigate campaign. Total count = 243 is above the threshold 5. | test.cs:190:5:190:24 | 13852439084267373191 | 13852439084267373191 |
+| test.cs:190:27:190:46 | 13876356431472225791 | The Hash literal $@ may be related to the Solorigate campaign. Total count = 243 is above the threshold 5. | test.cs:190:27:190:46 | 13876356431472225791 | 13876356431472225791 |
+| test.cs:190:49:190:68 | 14055243717250701608 | The Hash literal $@ may be related to the Solorigate campaign. Total count = 243 is above the threshold 5. | test.cs:190:49:190:68 | 14055243717250701608 | 14055243717250701608 |
+| test.cs:191:5:191:24 | 14079676299181301772 | The Hash literal $@ may be related to the Solorigate campaign. Total count = 243 is above the threshold 5. | test.cs:191:5:191:24 | 14079676299181301772 | 14079676299181301772 |
+| test.cs:191:27:191:46 | 14095938998438966337 | The Hash literal $@ may be related to the Solorigate campaign. Total count = 243 is above the threshold 5. | test.cs:191:27:191:46 | 14095938998438966337 | 14095938998438966337 |
+| test.cs:191:49:191:68 | 14111374107076822891 | The Hash literal $@ may be related to the Solorigate campaign. Total count = 243 is above the threshold 5. | test.cs:191:49:191:68 | 14111374107076822891 | 14111374107076822891 |
+| test.cs:192:5:192:24 | 14193859431895170587 | The Hash literal $@ may be related to the Solorigate campaign. Total count = 243 is above the threshold 5. | test.cs:192:5:192:24 | 14193859431895170587 | 14193859431895170587 |
+| test.cs:192:27:192:46 | 14226582801651130532 | The Hash literal $@ may be related to the Solorigate campaign. Total count = 243 is above the threshold 5. | test.cs:192:27:192:46 | 14226582801651130532 | 14226582801651130532 |
+| test.cs:192:49:192:68 | 14243671177281069512 | The Hash literal $@ may be related to the Solorigate campaign. Total count = 243 is above the threshold 5. | test.cs:192:49:192:68 | 14243671177281069512 | 14243671177281069512 |
+| test.cs:193:5:193:24 | 14256853800858727521 | The Hash literal $@ may be related to the Solorigate campaign. Total count = 243 is above the threshold 5. | test.cs:193:5:193:24 | 14256853800858727521 | 14256853800858727521 |
+| test.cs:193:27:193:46 | 14480775929210717493 | The Hash literal $@ may be related to the Solorigate campaign. Total count = 243 is above the threshold 5. | test.cs:193:27:193:46 | 14480775929210717493 | 14480775929210717493 |
+| test.cs:193:49:193:68 | 14482658293117931546 | The Hash literal $@ may be related to the Solorigate campaign. Total count = 243 is above the threshold 5. | test.cs:193:49:193:68 | 14482658293117931546 | 14482658293117931546 |
+| test.cs:194:5:194:24 | 14513577387099045298 | The Hash literal $@ may be related to the Solorigate campaign. Total count = 243 is above the threshold 5. | test.cs:194:5:194:24 | 14513577387099045298 | 14513577387099045298 |
+| test.cs:194:27:194:46 | 14630721578341374856 | The Hash literal $@ may be related to the Solorigate campaign. Total count = 243 is above the threshold 5. | test.cs:194:27:194:46 | 14630721578341374856 | 14630721578341374856 |
+| test.cs:194:49:194:68 | 14695981039346656037 | The Hash literal $@ may be related to the Solorigate campaign. Total count = 243 is above the threshold 5. | test.cs:194:49:194:68 | 14695981039346656037 | 14695981039346656037 |
+| test.cs:195:5:195:24 | 14710585101020280896 | The Hash literal $@ may be related to the Solorigate campaign. Total count = 243 is above the threshold 5. | test.cs:195:5:195:24 | 14710585101020280896 | 14710585101020280896 |
+| test.cs:195:27:195:45 | 1475579823244607677 | The Hash literal $@ may be related to the Solorigate campaign. Total count = 243 is above the threshold 5. | test.cs:195:27:195:45 | 1475579823244607677 | 1475579823244607677 |
+| test.cs:195:48:195:67 | 14868920869169964081 | The Hash literal $@ may be related to the Solorigate campaign. Total count = 243 is above the threshold 5. | test.cs:195:48:195:67 | 14868920869169964081 | 14868920869169964081 |
+| test.cs:195:70:195:89 | 14968320160131875803 | The Hash literal $@ may be related to the Solorigate campaign. Total count = 243 is above the threshold 5. | test.cs:195:70:195:89 | 14968320160131875803 | 14968320160131875803 |
+| test.cs:196:5:196:24 | 14971809093655817917 | The Hash literal $@ may be related to the Solorigate campaign. Total count = 243 is above the threshold 5. | test.cs:196:5:196:24 | 14971809093655817917 | 14971809093655817917 |
+| test.cs:196:27:196:46 | 15039834196857999838 | The Hash literal $@ may be related to the Solorigate campaign. Total count = 243 is above the threshold 5. | test.cs:196:27:196:46 | 15039834196857999838 | 15039834196857999838 |
+| test.cs:196:49:196:68 | 15092207615430402812 | The Hash literal $@ may be related to the Solorigate campaign. Total count = 243 is above the threshold 5. | test.cs:196:49:196:68 | 15092207615430402812 | 15092207615430402812 |
+| test.cs:197:5:197:24 | 15114163911481793350 | The Hash literal $@ may be related to the Solorigate campaign. Total count = 243 is above the threshold 5. | test.cs:197:5:197:24 | 15114163911481793350 | 15114163911481793350 |
+| test.cs:197:27:197:46 | 15194901817027173566 | The Hash literal $@ may be related to the Solorigate campaign. Total count = 243 is above the threshold 5. | test.cs:197:27:197:46 | 15194901817027173566 | 15194901817027173566 |
+| test.cs:197:49:197:68 | 15267980678929160412 | The Hash literal $@ may be related to the Solorigate campaign. Total count = 243 is above the threshold 5. | test.cs:197:49:197:68 | 15267980678929160412 | 15267980678929160412 |
+| test.cs:198:5:198:24 | 15457732070353984570 | The Hash literal $@ may be related to the Solorigate campaign. Total count = 243 is above the threshold 5. | test.cs:198:5:198:24 | 15457732070353984570 | 15457732070353984570 |
+| test.cs:198:27:198:46 | 15514036435533858158 | The Hash literal $@ may be related to the Solorigate campaign. Total count = 243 is above the threshold 5. | test.cs:198:27:198:46 | 15514036435533858158 | 15514036435533858158 |
+| test.cs:198:49:198:68 | 15535773470978271326 | The Hash literal $@ may be related to the Solorigate campaign. Total count = 243 is above the threshold 5. | test.cs:198:49:198:68 | 15535773470978271326 | 15535773470978271326 |
+| test.cs:199:5:199:24 | 15587050164583443069 | The Hash literal $@ may be related to the Solorigate campaign. Total count = 243 is above the threshold 5. | test.cs:199:5:199:24 | 15587050164583443069 | 15587050164583443069 |
+| test.cs:199:27:199:44 | 155978580751494388 | The Hash literal $@ may be related to the Solorigate campaign. Total count = 243 is above the threshold 5. | test.cs:199:27:199:44 | 155978580751494388 | 155978580751494388 |
+| test.cs:199:47:199:66 | 15695338751700748390 | The Hash literal $@ may be related to the Solorigate campaign. Total count = 243 is above the threshold 5. | test.cs:199:47:199:66 | 15695338751700748390 | 15695338751700748390 |
+| test.cs:199:69:199:88 | 15997665423159927228 | The Hash literal $@ may be related to the Solorigate campaign. Total count = 243 is above the threshold 5. | test.cs:199:69:199:88 | 15997665423159927228 | 15997665423159927228 |
+| test.cs:200:5:200:24 | 16066522799090129502 | The Hash literal $@ may be related to the Solorigate campaign. Total count = 243 is above the threshold 5. | test.cs:200:5:200:24 | 16066522799090129502 | 16066522799090129502 |
+| test.cs:200:27:200:46 | 16066651430762394116 | The Hash literal $@ may be related to the Solorigate campaign. Total count = 243 is above the threshold 5. | test.cs:200:27:200:46 | 16066651430762394116 | 16066651430762394116 |
+| test.cs:200:49:200:68 | 16112751343173365533 | The Hash literal $@ may be related to the Solorigate campaign. Total count = 243 is above the threshold 5. | test.cs:200:49:200:68 | 16112751343173365533 | 16112751343173365533 |
+| test.cs:201:5:201:24 | 16130138450758310172 | The Hash literal $@ may be related to the Solorigate campaign. Total count = 243 is above the threshold 5. | test.cs:201:5:201:24 | 16130138450758310172 | 16130138450758310172 |
+| test.cs:201:27:201:45 | 1614465773938842903 | The Hash literal $@ may be related to the Solorigate campaign. Total count = 243 is above the threshold 5. | test.cs:201:27:201:45 | 1614465773938842903 | 1614465773938842903 |
+| test.cs:201:48:201:67 | 16292685861617888592 | The Hash literal $@ may be related to the Solorigate campaign. Total count = 243 is above the threshold 5. | test.cs:201:48:201:67 | 16292685861617888592 | 16292685861617888592 |
+| test.cs:201:70:201:89 | 16335643316870329598 | The Hash literal $@ may be related to the Solorigate campaign. Total count = 243 is above the threshold 5. | test.cs:201:70:201:89 | 16335643316870329598 | 16335643316870329598 |
+| test.cs:202:5:202:24 | 16423314183614230717 | The Hash literal $@ may be related to the Solorigate campaign. Total count = 243 is above the threshold 5. | test.cs:202:5:202:24 | 16423314183614230717 | 16423314183614230717 |
+| test.cs:202:27:202:46 | 16570804352575357627 | The Hash literal $@ may be related to the Solorigate campaign. Total count = 243 is above the threshold 5. | test.cs:202:27:202:46 | 16570804352575357627 | 16570804352575357627 |
+| test.cs:202:49:202:67 | 1682585410644922036 | The Hash literal $@ may be related to the Solorigate campaign. Total count = 243 is above the threshold 5. | test.cs:202:49:202:67 | 1682585410644922036 | 1682585410644922036 |
+| test.cs:202:70:202:89 | 16858955978146406642 | The Hash literal $@ may be related to the Solorigate campaign. Total count = 243 is above the threshold 5. | test.cs:202:70:202:89 | 16858955978146406642 | 16858955978146406642 |
+| test.cs:203:5:203:24 | 16990567851129491937 | The Hash literal $@ may be related to the Solorigate campaign. Total count = 243 is above the threshold 5. | test.cs:203:5:203:24 | 16990567851129491937 | 16990567851129491937 |
+| test.cs:203:27:203:46 | 17017923349298346219 | The Hash literal $@ may be related to the Solorigate campaign. Total count = 243 is above the threshold 5. | test.cs:203:27:203:46 | 17017923349298346219 | 17017923349298346219 |
+| test.cs:203:49:203:68 | 17097380490166623672 | The Hash literal $@ may be related to the Solorigate campaign. Total count = 243 is above the threshold 5. | test.cs:203:49:203:68 | 17097380490166623672 | 17097380490166623672 |
+| test.cs:204:5:204:24 | 17109238199226571972 | The Hash literal $@ may be related to the Solorigate campaign. Total count = 243 is above the threshold 5. | test.cs:204:5:204:24 | 17109238199226571972 | 17109238199226571972 |
+| test.cs:204:27:204:46 | 17204844226884380288 | The Hash literal $@ may be related to the Solorigate campaign. Total count = 243 is above the threshold 5. | test.cs:204:27:204:46 | 17204844226884380288 | 17204844226884380288 |
+| test.cs:204:49:204:68 | 17291806236368054941 | The Hash literal $@ may be related to the Solorigate campaign. Total count = 243 is above the threshold 5. | test.cs:204:49:204:68 | 17291806236368054941 | 17291806236368054941 |
+| test.cs:205:5:205:24 | 17351543633914244545 | The Hash literal $@ may be related to the Solorigate campaign. Total count = 243 is above the threshold 5. | test.cs:205:5:205:24 | 17351543633914244545 | 17351543633914244545 |
+| test.cs:205:27:205:46 | 17439059603042731363 | The Hash literal $@ may be related to the Solorigate campaign. Total count = 243 is above the threshold 5. | test.cs:205:27:205:46 | 17439059603042731363 | 17439059603042731363 |
+| test.cs:205:49:205:68 | 17574002783607647274 | The Hash literal $@ may be related to the Solorigate campaign. Total count = 243 is above the threshold 5. | test.cs:205:49:205:68 | 17574002783607647274 | 17574002783607647274 |
+| test.cs:206:5:206:24 | 17624147599670377042 | The Hash literal $@ may be related to the Solorigate campaign. Total count = 243 is above the threshold 5. | test.cs:206:5:206:24 | 17624147599670377042 | 17624147599670377042 |
+| test.cs:206:27:206:46 | 17633734304611248415 | The Hash literal $@ may be related to the Solorigate campaign. Total count = 243 is above the threshold 5. | test.cs:206:27:206:46 | 17633734304611248415 | 17633734304611248415 |
+| test.cs:206:49:206:68 | 17683972236092287897 | The Hash literal $@ may be related to the Solorigate campaign. Total count = 243 is above the threshold 5. | test.cs:206:49:206:68 | 17683972236092287897 | 17683972236092287897 |
+| test.cs:207:5:207:24 | 17849680105131524334 | The Hash literal $@ may be related to the Solorigate campaign. Total count = 243 is above the threshold 5. | test.cs:207:5:207:24 | 17849680105131524334 | 17849680105131524334 |
+| test.cs:207:27:207:46 | 17939405613729073960 | The Hash literal $@ may be related to the Solorigate campaign. Total count = 243 is above the threshold 5. | test.cs:207:27:207:46 | 17939405613729073960 | 17939405613729073960 |
+| test.cs:207:49:207:68 | 17956969551821596225 | The Hash literal $@ may be related to the Solorigate campaign. Total count = 243 is above the threshold 5. | test.cs:207:49:207:68 | 17956969551821596225 | 17956969551821596225 |
+| test.cs:208:5:208:24 | 17978774977754553159 | The Hash literal $@ may be related to the Solorigate campaign. Total count = 243 is above the threshold 5. | test.cs:208:5:208:24 | 17978774977754553159 | 17978774977754553159 |
+| test.cs:208:27:208:46 | 17984632978012874803 | The Hash literal $@ may be related to the Solorigate campaign. Total count = 243 is above the threshold 5. | test.cs:208:27:208:46 | 17984632978012874803 | 17984632978012874803 |
+| test.cs:208:49:208:68 | 17997967489723066537 | The Hash literal $@ may be related to the Solorigate campaign. Total count = 243 is above the threshold 5. | test.cs:208:49:208:68 | 17997967489723066537 | 17997967489723066537 |
+| test.cs:209:5:209:24 | 18147627057830191163 | The Hash literal $@ may be related to the Solorigate campaign. Total count = 243 is above the threshold 5. | test.cs:209:5:209:24 | 18147627057830191163 | 18147627057830191163 |
+| test.cs:209:27:209:46 | 18150909006539876521 | The Hash literal $@ may be related to the Solorigate campaign. Total count = 243 is above the threshold 5. | test.cs:209:27:209:46 | 18150909006539876521 | 18150909006539876521 |
+| test.cs:209:49:209:68 | 18159703063075866524 | The Hash literal $@ may be related to the Solorigate campaign. Total count = 243 is above the threshold 5. | test.cs:209:49:209:68 | 18159703063075866524 | 18159703063075866524 |
+| test.cs:210:5:210:24 | 18246404330670877335 | The Hash literal $@ may be related to the Solorigate campaign. Total count = 243 is above the threshold 5. | test.cs:210:5:210:24 | 18246404330670877335 | 18246404330670877335 |
+| test.cs:210:27:210:46 | 18294908219222222902 | The Hash literal $@ may be related to the Solorigate campaign. Total count = 243 is above the threshold 5. | test.cs:210:27:210:46 | 18294908219222222902 | 18294908219222222902 |
+| test.cs:210:49:210:68 | 18392881921099771407 | The Hash literal $@ may be related to the Solorigate campaign. Total count = 243 is above the threshold 5. | test.cs:210:49:210:68 | 18392881921099771407 | 18392881921099771407 |
+| test.cs:211:5:211:24 | 18446744073709551613 | The Hash literal $@ may be related to the Solorigate campaign. Total count = 243 is above the threshold 5. | test.cs:211:5:211:24 | 18446744073709551613 | 18446744073709551613 |
+| test.cs:211:27:211:44 | 191060519014405309 | The Hash literal $@ may be related to the Solorigate campaign. Total count = 243 is above the threshold 5. | test.cs:211:27:211:44 | 191060519014405309 | 191060519014405309 |
+| test.cs:211:47:211:65 | 2032008861530788751 | The Hash literal $@ may be related to the Solorigate campaign. Total count = 243 is above the threshold 5. | test.cs:211:47:211:65 | 2032008861530788751 | 2032008861530788751 |
+| test.cs:211:68:211:86 | 2128122064571842954 | The Hash literal $@ may be related to the Solorigate campaign. Total count = 243 is above the threshold 5. | test.cs:211:68:211:86 | 2128122064571842954 | 2128122064571842954 |
+| test.cs:212:5:212:14 | 2147483647 | The Hash literal $@ may be related to the Solorigate campaign. Total count = 243 is above the threshold 5. | test.cs:212:5:212:14 | 2147483647 | 2147483647 |
+| test.cs:212:17:212:26 | 2147745794 | The Hash literal $@ may be related to the Solorigate campaign. Total count = 243 is above the threshold 5. | test.cs:212:17:212:26 | 2147745794 | 2147745794 |
+| test.cs:212:29:212:47 | 2380224015317016190 | The Hash literal $@ may be related to the Solorigate campaign. Total count = 243 is above the threshold 5. | test.cs:212:29:212:47 | 2380224015317016190 | 2380224015317016190 |
+| test.cs:212:50:212:68 | 2478231962306073784 | The Hash literal $@ may be related to the Solorigate campaign. Total count = 243 is above the threshold 5. | test.cs:212:50:212:68 | 2478231962306073784 | 2478231962306073784 |
+| test.cs:213:5:213:23 | 2532538262737333146 | The Hash literal $@ may be related to the Solorigate campaign. Total count = 243 is above the threshold 5. | test.cs:213:5:213:23 | 2532538262737333146 | 2532538262737333146 |
+| test.cs:213:26:213:44 | 2589926981877829912 | The Hash literal $@ may be related to the Solorigate campaign. Total count = 243 is above the threshold 5. | test.cs:213:26:213:44 | 2589926981877829912 | 2589926981877829912 |
+| test.cs:213:47:213:65 | 2597124982561782591 | The Hash literal $@ may be related to the Solorigate campaign. Total count = 243 is above the threshold 5. | test.cs:213:47:213:65 | 2597124982561782591 | 2597124982561782591 |
+| test.cs:213:68:213:86 | 2600364143812063535 | The Hash literal $@ may be related to the Solorigate campaign. Total count = 243 is above the threshold 5. | test.cs:213:68:213:86 | 2600364143812063535 | 2600364143812063535 |
+| test.cs:214:5:214:23 | 2717025511528702475 | The Hash literal $@ may be related to the Solorigate campaign. Total count = 243 is above the threshold 5. | test.cs:214:5:214:23 | 2717025511528702475 | 2717025511528702475 |
+| test.cs:214:26:214:44 | 2734787258623754862 | The Hash literal $@ may be related to the Solorigate campaign. Total count = 243 is above the threshold 5. | test.cs:214:26:214:44 | 2734787258623754862 | 2734787258623754862 |
+| test.cs:214:47:214:63 | 27407921587843457 | The Hash literal $@ may be related to the Solorigate campaign. Total count = 243 is above the threshold 5. | test.cs:214:47:214:63 | 27407921587843457 | 27407921587843457 |
+| test.cs:214:66:214:84 | 2760663353550280147 | The Hash literal $@ may be related to the Solorigate campaign. Total count = 243 is above the threshold 5. | test.cs:214:66:214:84 | 2760663353550280147 | 2760663353550280147 |
+| test.cs:215:5:215:23 | 2797129108883749491 | The Hash literal $@ may be related to the Solorigate campaign. Total count = 243 is above the threshold 5. | test.cs:215:5:215:23 | 2797129108883749491 | 2797129108883749491 |
+| test.cs:215:26:215:44 | 2810460305047003196 | The Hash literal $@ may be related to the Solorigate campaign. Total count = 243 is above the threshold 5. | test.cs:215:26:215:44 | 2810460305047003196 | 2810460305047003196 |
+| test.cs:215:47:215:64 | 292198192373389586 | The Hash literal $@ may be related to the Solorigate campaign. Total count = 243 is above the threshold 5. | test.cs:215:47:215:64 | 292198192373389586 | 292198192373389586 |
+| test.cs:215:67:215:85 | 2934149816356927366 | The Hash literal $@ may be related to the Solorigate campaign. Total count = 243 is above the threshold 5. | test.cs:215:67:215:85 | 2934149816356927366 | 2934149816356927366 |
+| test.cs:216:5:216:23 | 3045986759481489935 | The Hash literal $@ may be related to the Solorigate campaign. Total count = 243 is above the threshold 5. | test.cs:216:5:216:23 | 3045986759481489935 | 3045986759481489935 |
+| test.cs:216:26:216:44 | 3178468437029279937 | The Hash literal $@ may be related to the Solorigate campaign. Total count = 243 is above the threshold 5. | test.cs:216:26:216:44 | 3178468437029279937 | 3178468437029279937 |
+| test.cs:216:47:216:65 | 3200333496547938354 | The Hash literal $@ may be related to the Solorigate campaign. Total count = 243 is above the threshold 5. | test.cs:216:47:216:65 | 3200333496547938354 | 3200333496547938354 |
+| test.cs:216:68:216:86 | 3320026265773918739 | The Hash literal $@ may be related to the Solorigate campaign. Total count = 243 is above the threshold 5. | test.cs:216:68:216:86 | 3320026265773918739 | 3320026265773918739 |
+| test.cs:217:5:217:23 | 3320767229281015341 | The Hash literal $@ may be related to the Solorigate campaign. Total count = 243 is above the threshold 5. | test.cs:217:5:217:23 | 3320767229281015341 | 3320767229281015341 |
+| test.cs:217:26:217:44 | 3341747963119755850 | The Hash literal $@ may be related to the Solorigate campaign. Total count = 243 is above the threshold 5. | test.cs:217:26:217:44 | 3341747963119755850 | 3341747963119755850 |
+| test.cs:217:47:217:65 | 3407972863931386250 | The Hash literal $@ may be related to the Solorigate campaign. Total count = 243 is above the threshold 5. | test.cs:217:47:217:65 | 3407972863931386250 | 3407972863931386250 |
+| test.cs:217:68:217:86 | 3413052607651207697 | The Hash literal $@ may be related to the Solorigate campaign. Total count = 243 is above the threshold 5. | test.cs:217:68:217:86 | 3413052607651207697 | 3413052607651207697 |
+| test.cs:218:5:218:23 | 3413886037471417852 | The Hash literal $@ may be related to the Solorigate campaign. Total count = 243 is above the threshold 5. | test.cs:218:5:218:23 | 3413886037471417852 | 3413886037471417852 |
+| test.cs:218:26:218:44 | 3421197789791424393 | The Hash literal $@ may be related to the Solorigate campaign. Total count = 243 is above the threshold 5. | test.cs:218:26:218:44 | 3421197789791424393 | 3421197789791424393 |
+| test.cs:218:47:218:65 | 3421213182954201407 | The Hash literal $@ may be related to the Solorigate campaign. Total count = 243 is above the threshold 5. | test.cs:218:47:218:65 | 3421213182954201407 | 3421213182954201407 |
+| test.cs:218:68:218:86 | 3425260965299690882 | The Hash literal $@ may be related to the Solorigate campaign. Total count = 243 is above the threshold 5. | test.cs:218:68:218:86 | 3425260965299690882 | 3425260965299690882 |
+| test.cs:219:5:219:23 | 3538022140597504361 | The Hash literal $@ may be related to the Solorigate campaign. Total count = 243 is above the threshold 5. | test.cs:219:5:219:23 | 3538022140597504361 | 3538022140597504361 |
+| test.cs:219:26:219:44 | 3575761800716667678 | The Hash literal $@ may be related to the Solorigate campaign. Total count = 243 is above the threshold 5. | test.cs:219:26:219:44 | 3575761800716667678 | 3575761800716667678 |
+| test.cs:219:47:219:65 | 3588624367609827560 | The Hash literal $@ may be related to the Solorigate campaign. Total count = 243 is above the threshold 5. | test.cs:219:47:219:65 | 3588624367609827560 | 3588624367609827560 |
+| test.cs:219:68:219:86 | 3626142665768487764 | The Hash literal $@ may be related to the Solorigate campaign. Total count = 243 is above the threshold 5. | test.cs:219:68:219:86 | 3626142665768487764 | 3626142665768487764 |
+| test.cs:220:5:220:23 | 3642525650883269872 | The Hash literal $@ may be related to the Solorigate campaign. Total count = 243 is above the threshold 5. | test.cs:220:5:220:23 | 3642525650883269872 | 3642525650883269872 |
+| test.cs:220:26:220:44 | 3656637464651387014 | The Hash literal $@ may be related to the Solorigate campaign. Total count = 243 is above the threshold 5. | test.cs:220:26:220:44 | 3656637464651387014 | 3656637464651387014 |
+| test.cs:220:47:220:65 | 3660705254426876796 | The Hash literal $@ may be related to the Solorigate campaign. Total count = 243 is above the threshold 5. | test.cs:220:47:220:65 | 3660705254426876796 | 3660705254426876796 |
+| test.cs:220:68:220:86 | 3769837838875367802 | The Hash literal $@ may be related to the Solorigate campaign. Total count = 243 is above the threshold 5. | test.cs:220:68:220:86 | 3769837838875367802 | 3769837838875367802 |
+| test.cs:221:5:221:23 | 3778500091710709090 | The Hash literal $@ may be related to the Solorigate campaign. Total count = 243 is above the threshold 5. | test.cs:221:5:221:23 | 3778500091710709090 | 3778500091710709090 |
+| test.cs:221:26:221:44 | 3796405623695665524 | The Hash literal $@ may be related to the Solorigate campaign. Total count = 243 is above the threshold 5. | test.cs:221:26:221:44 | 3796405623695665524 | 3796405623695665524 |
+| test.cs:221:47:221:65 | 3869935012404164040 | The Hash literal $@ may be related to the Solorigate campaign. Total count = 243 is above the threshold 5. | test.cs:221:47:221:65 | 3869935012404164040 | 3869935012404164040 |
+| test.cs:221:68:221:86 | 3890769468012566366 | The Hash literal $@ may be related to the Solorigate campaign. Total count = 243 is above the threshold 5. | test.cs:221:68:221:86 | 3890769468012566366 | 3890769468012566366 |
+| test.cs:222:5:222:23 | 3890794756780010537 | The Hash literal $@ may be related to the Solorigate campaign. Total count = 243 is above the threshold 5. | test.cs:222:5:222:23 | 3890794756780010537 | 3890794756780010537 |
+| test.cs:222:26:222:43 | 397780960855462669 | The Hash literal $@ may be related to the Solorigate campaign. Total count = 243 is above the threshold 5. | test.cs:222:26:222:43 | 397780960855462669 | 397780960855462669 |
+| test.cs:222:46:222:64 | 4030236413975199654 | The Hash literal $@ may be related to the Solorigate campaign. Total count = 243 is above the threshold 5. | test.cs:222:46:222:64 | 4030236413975199654 | 4030236413975199654 |
+| test.cs:222:67:222:85 | 4088976323439621041 | The Hash literal $@ may be related to the Solorigate campaign. Total count = 243 is above the threshold 5. | test.cs:222:67:222:85 | 4088976323439621041 | 4088976323439621041 |
+| test.cs:223:5:223:23 | 4454255944391929578 | The Hash literal $@ may be related to the Solorigate campaign. Total count = 243 is above the threshold 5. | test.cs:223:5:223:23 | 4454255944391929578 | 4454255944391929578 |
+| test.cs:223:26:223:44 | 4501656691368064027 | The Hash literal $@ may be related to the Solorigate campaign. Total count = 243 is above the threshold 5. | test.cs:223:26:223:44 | 4501656691368064027 | 4501656691368064027 |
+| test.cs:223:47:223:65 | 4578480846255629462 | The Hash literal $@ may be related to the Solorigate campaign. Total count = 243 is above the threshold 5. | test.cs:223:47:223:65 | 4578480846255629462 | 4578480846255629462 |
+| test.cs:223:68:223:86 | 4821863173800309721 | The Hash literal $@ may be related to the Solorigate campaign. Total count = 243 is above the threshold 5. | test.cs:223:68:223:86 | 4821863173800309721 | 4821863173800309721 |
+| test.cs:224:5:224:23 | 4931721628717906635 | The Hash literal $@ may be related to the Solorigate campaign. Total count = 243 is above the threshold 5. | test.cs:224:5:224:23 | 4931721628717906635 | 4931721628717906635 |
+| test.cs:224:26:224:43 | 506634811745884560 | The Hash literal $@ may be related to the Solorigate campaign. Total count = 243 is above the threshold 5. | test.cs:224:26:224:43 | 506634811745884560 | 506634811745884560 |
+| test.cs:224:46:224:64 | 5132256620104998637 | The Hash literal $@ may be related to the Solorigate campaign. Total count = 243 is above the threshold 5. | test.cs:224:46:224:64 | 5132256620104998637 | 5132256620104998637 |
+| test.cs:224:67:224:85 | 5183687599225757871 | The Hash literal $@ may be related to the Solorigate campaign. Total count = 243 is above the threshold 5. | test.cs:224:67:224:85 | 5183687599225757871 | 5183687599225757871 |
+| test.cs:225:5:225:22 | 521157249538507889 | The Hash literal $@ may be related to the Solorigate campaign. Total count = 243 is above the threshold 5. | test.cs:225:5:225:22 | 521157249538507889 | 521157249538507889 |
+| test.cs:225:25:225:43 | 5219431737322569038 | The Hash literal $@ may be related to the Solorigate campaign. Total count = 243 is above the threshold 5. | test.cs:225:25:225:43 | 5219431737322569038 | 5219431737322569038 |
+| test.cs:225:46:225:63 | 541172992193764396 | The Hash literal $@ may be related to the Solorigate campaign. Total count = 243 is above the threshold 5. | test.cs:225:46:225:63 | 541172992193764396 | 541172992193764396 |
+| test.cs:225:66:225:84 | 5415426428750045503 | The Hash literal $@ may be related to the Solorigate campaign. Total count = 243 is above the threshold 5. | test.cs:225:66:225:84 | 5415426428750045503 | 5415426428750045503 |
+| test.cs:226:5:226:23 | 5449730069165757263 | The Hash literal $@ may be related to the Solorigate campaign. Total count = 243 is above the threshold 5. | test.cs:226:5:226:23 | 5449730069165757263 | 5449730069165757263 |
+| test.cs:226:26:226:44 | 5587557070429522647 | The Hash literal $@ may be related to the Solorigate campaign. Total count = 243 is above the threshold 5. | test.cs:226:26:226:44 | 5587557070429522647 | 5587557070429522647 |
+| test.cs:226:47:226:65 | 5614586596107908838 | The Hash literal $@ may be related to the Solorigate campaign. Total count = 243 is above the threshold 5. | test.cs:226:47:226:65 | 5614586596107908838 | 5614586596107908838 |
+| test.cs:226:68:226:85 | 576626207276463000 | The Hash literal $@ may be related to the Solorigate campaign. Total count = 243 is above the threshold 5. | test.cs:226:68:226:85 | 576626207276463000 | 576626207276463000 |
+| test.cs:227:5:227:23 | 5942282052525294911 | The Hash literal $@ may be related to the Solorigate campaign. Total count = 243 is above the threshold 5. | test.cs:227:5:227:23 | 5942282052525294911 | 5942282052525294911 |
+| test.cs:227:26:227:44 | 5945487981219695001 | The Hash literal $@ may be related to the Solorigate campaign. Total count = 243 is above the threshold 5. | test.cs:227:26:227:44 | 5945487981219695001 | 5945487981219695001 |
+| test.cs:227:47:227:65 | 5984963105389676759 | The Hash literal $@ may be related to the Solorigate campaign. Total count = 243 is above the threshold 5. | test.cs:227:47:227:65 | 5984963105389676759 | 5984963105389676759 |
+| test.cs:227:68:227:85 | 607197993339007484 | The Hash literal $@ may be related to the Solorigate campaign. Total count = 243 is above the threshold 5. | test.cs:227:68:227:85 | 607197993339007484 | 607197993339007484 |
+| test.cs:228:5:228:23 | 6088115528707848728 | The Hash literal $@ may be related to the Solorigate campaign. Total count = 243 is above the threshold 5. | test.cs:228:5:228:23 | 6088115528707848728 | 6088115528707848728 |
+| test.cs:228:26:228:44 | 6116246686670134098 | The Hash literal $@ may be related to the Solorigate campaign. Total count = 243 is above the threshold 5. | test.cs:228:26:228:44 | 6116246686670134098 | 6116246686670134098 |
+| test.cs:228:47:228:65 | 6180361713414290679 | The Hash literal $@ may be related to the Solorigate campaign. Total count = 243 is above the threshold 5. | test.cs:228:47:228:65 | 6180361713414290679 | 6180361713414290679 |
+| test.cs:228:68:228:86 | 6195833633417633900 | The Hash literal $@ may be related to the Solorigate campaign. Total count = 243 is above the threshold 5. | test.cs:228:68:228:86 | 6195833633417633900 | 6195833633417633900 |
+| test.cs:229:5:229:23 | 6274014997237900919 | The Hash literal $@ may be related to the Solorigate campaign. Total count = 243 is above the threshold 5. | test.cs:229:5:229:23 | 6274014997237900919 | 6274014997237900919 |
+| test.cs:229:26:229:43 | 640589622539783622 | The Hash literal $@ may be related to the Solorigate campaign. Total count = 243 is above the threshold 5. | test.cs:229:26:229:43 | 640589622539783622 | 640589622539783622 |
+| test.cs:229:46:229:64 | 6461429591783621719 | The Hash literal $@ may be related to the Solorigate campaign. Total count = 243 is above the threshold 5. | test.cs:229:46:229:64 | 6461429591783621719 | 6461429591783621719 |
+| test.cs:229:67:229:85 | 6491986958834001955 | The Hash literal $@ may be related to the Solorigate campaign. Total count = 243 is above the threshold 5. | test.cs:229:67:229:85 | 6491986958834001955 | 6491986958834001955 |
+| test.cs:230:5:230:23 | 6508141243778577344 | The Hash literal $@ may be related to the Solorigate campaign. Total count = 243 is above the threshold 5. | test.cs:230:5:230:23 | 6508141243778577344 | 6508141243778577344 |
+| test.cs:230:26:230:44 | 6605813339339102567 | The Hash literal $@ may be related to the Solorigate campaign. Total count = 243 is above the threshold 5. | test.cs:230:26:230:44 | 6605813339339102567 | 6605813339339102567 |
+| test.cs:230:47:230:64 | 682250828679635420 | The Hash literal $@ may be related to the Solorigate campaign. Total count = 243 is above the threshold 5. | test.cs:230:47:230:64 | 682250828679635420 | 682250828679635420 |
+| test.cs:230:67:230:85 | 6827032273910657891 | The Hash literal $@ may be related to the Solorigate campaign. Total count = 243 is above the threshold 5. | test.cs:230:67:230:85 | 6827032273910657891 | 6827032273910657891 |
+| test.cs:231:5:231:23 | 6943102301517884811 | The Hash literal $@ may be related to the Solorigate campaign. Total count = 243 is above the threshold 5. | test.cs:231:5:231:23 | 6943102301517884811 | 6943102301517884811 |
+| test.cs:231:26:231:43 | 700598796416086955 | The Hash literal $@ may be related to the Solorigate campaign. Total count = 243 is above the threshold 5. | test.cs:231:26:231:43 | 700598796416086955 | 700598796416086955 |
+| test.cs:231:46:231:64 | 7080175711202577138 | The Hash literal $@ may be related to the Solorigate campaign. Total count = 243 is above the threshold 5. | test.cs:231:46:231:64 | 7080175711202577138 | 7080175711202577138 |
+| test.cs:231:67:231:85 | 7175363135479931834 | The Hash literal $@ may be related to the Solorigate campaign. Total count = 243 is above the threshold 5. | test.cs:231:67:231:85 | 7175363135479931834 | 7175363135479931834 |
+| test.cs:232:5:232:23 | 7315838824213522000 | The Hash literal $@ may be related to the Solorigate campaign. Total count = 243 is above the threshold 5. | test.cs:232:5:232:23 | 7315838824213522000 | 7315838824213522000 |
+| test.cs:232:26:232:44 | 7412338704062093516 | The Hash literal $@ may be related to the Solorigate campaign. Total count = 243 is above the threshold 5. | test.cs:232:26:232:44 | 7412338704062093516 | 7412338704062093516 |
+| test.cs:232:47:232:65 | 7516148236133302073 | The Hash literal $@ may be related to the Solorigate campaign. Total count = 243 is above the threshold 5. | test.cs:232:47:232:65 | 7516148236133302073 | 7516148236133302073 |
+| test.cs:232:68:232:86 | 7574774749059321801 | The Hash literal $@ may be related to the Solorigate campaign. Total count = 243 is above the threshold 5. | test.cs:232:68:232:86 | 7574774749059321801 | 7574774749059321801 |
+| test.cs:233:5:233:23 | 7701683279824397773 | The Hash literal $@ may be related to the Solorigate campaign. Total count = 243 is above the threshold 5. | test.cs:233:5:233:23 | 7701683279824397773 | 7701683279824397773 |
+| test.cs:233:26:233:44 | 7775177810774851294 | The Hash literal $@ may be related to the Solorigate campaign. Total count = 243 is above the threshold 5. | test.cs:233:26:233:44 | 7775177810774851294 | 7775177810774851294 |
+| test.cs:233:47:233:65 | 7810436520414958497 | The Hash literal $@ may be related to the Solorigate campaign. Total count = 243 is above the threshold 5. | test.cs:233:47:233:65 | 7810436520414958497 | 7810436520414958497 |
+| test.cs:233:68:233:86 | 7878537243757499832 | The Hash literal $@ may be related to the Solorigate campaign. Total count = 243 is above the threshold 5. | test.cs:233:68:233:86 | 7878537243757499832 | 7878537243757499832 |
+| test.cs:234:5:234:21 | 79089792725215063 | The Hash literal $@ may be related to the Solorigate campaign. Total count = 243 is above the threshold 5. | test.cs:234:5:234:21 | 79089792725215063 | 79089792725215063 |
+| test.cs:234:24:234:42 | 7982848972385914508 | The Hash literal $@ may be related to the Solorigate campaign. Total count = 243 is above the threshold 5. | test.cs:234:24:234:42 | 7982848972385914508 | 7982848972385914508 |
+| test.cs:234:45:234:63 | 8052533790968282297 | The Hash literal $@ may be related to the Solorigate campaign. Total count = 243 is above the threshold 5. | test.cs:234:45:234:63 | 8052533790968282297 | 8052533790968282297 |
+| test.cs:234:66:234:84 | 8129411991672431889 | The Hash literal $@ may be related to the Solorigate campaign. Total count = 243 is above the threshold 5. | test.cs:234:66:234:84 | 8129411991672431889 | 8129411991672431889 |
+| test.cs:235:5:235:23 | 8146185202538899243 | The Hash literal $@ may be related to the Solorigate campaign. Total count = 243 is above the threshold 5. | test.cs:235:5:235:23 | 8146185202538899243 | 8146185202538899243 |
+| test.cs:235:26:235:43 | 835151375515278827 | The Hash literal $@ may be related to the Solorigate campaign. Total count = 243 is above the threshold 5. | test.cs:235:26:235:43 | 835151375515278827 | 835151375515278827 |
+| test.cs:235:46:235:64 | 8381292265993977266 | The Hash literal $@ may be related to the Solorigate campaign. Total count = 243 is above the threshold 5. | test.cs:235:46:235:64 | 8381292265993977266 | 8381292265993977266 |
+| test.cs:235:67:235:85 | 8408095252303317471 | The Hash literal $@ may be related to the Solorigate campaign. Total count = 243 is above the threshold 5. | test.cs:235:67:235:85 | 8408095252303317471 | 8408095252303317471 |
+| test.cs:236:5:236:23 | 8473756179280619170 | The Hash literal $@ may be related to the Solorigate campaign. Total count = 243 is above the threshold 5. | test.cs:236:5:236:23 | 8473756179280619170 | 8473756179280619170 |
+| test.cs:236:26:236:44 | 8478833628889826985 | The Hash literal $@ may be related to the Solorigate campaign. Total count = 243 is above the threshold 5. | test.cs:236:26:236:44 | 8478833628889826985 | 8478833628889826985 |
+| test.cs:236:47:236:65 | 8612208440357175863 | The Hash literal $@ may be related to the Solorigate campaign. Total count = 243 is above the threshold 5. | test.cs:236:47:236:65 | 8612208440357175863 | 8612208440357175863 |
+| test.cs:236:68:236:86 | 8697424601205169055 | The Hash literal $@ may be related to the Solorigate campaign. Total count = 243 is above the threshold 5. | test.cs:236:68:236:86 | 8697424601205169055 | 8697424601205169055 |
+| test.cs:237:5:237:23 | 8698326794961817906 | The Hash literal $@ may be related to the Solorigate campaign. Total count = 243 is above the threshold 5. | test.cs:237:5:237:23 | 8698326794961817906 | 8698326794961817906 |
+| test.cs:237:26:237:44 | 8709004393777297355 | The Hash literal $@ may be related to the Solorigate campaign. Total count = 243 is above the threshold 5. | test.cs:237:26:237:44 | 8709004393777297355 | 8709004393777297355 |
+| test.cs:237:47:237:65 | 8727477769544302060 | The Hash literal $@ may be related to the Solorigate campaign. Total count = 243 is above the threshold 5. | test.cs:237:47:237:65 | 8727477769544302060 | 8727477769544302060 |
+| test.cs:237:68:237:86 | 8760312338504300643 | The Hash literal $@ may be related to the Solorigate campaign. Total count = 243 is above the threshold 5. | test.cs:237:68:237:86 | 8760312338504300643 | 8760312338504300643 |
+| test.cs:238:5:238:23 | 8799118153397725683 | The Hash literal $@ may be related to the Solorigate campaign. Total count = 243 is above the threshold 5. | test.cs:238:5:238:23 | 8799118153397725683 | 8799118153397725683 |
+| test.cs:238:26:238:44 | 8873858923435176895 | The Hash literal $@ may be related to the Solorigate campaign. Total count = 243 is above the threshold 5. | test.cs:238:26:238:44 | 8873858923435176895 | 8873858923435176895 |
+| test.cs:238:47:238:65 | 8994091295115840290 | The Hash literal $@ may be related to the Solorigate campaign. Total count = 243 is above the threshold 5. | test.cs:238:47:238:65 | 8994091295115840290 | 8994091295115840290 |
+| test.cs:238:68:238:86 | 9007106680104765185 | The Hash literal $@ may be related to the Solorigate campaign. Total count = 243 is above the threshold 5. | test.cs:238:68:238:86 | 9007106680104765185 | 9007106680104765185 |
+| test.cs:239:5:239:23 | 9061219083560670602 | The Hash literal $@ may be related to the Solorigate campaign. Total count = 243 is above the threshold 5. | test.cs:239:5:239:23 | 9061219083560670602 | 9061219083560670602 |
+| test.cs:239:26:239:44 | 9149947745824492274 | The Hash literal $@ may be related to the Solorigate campaign. Total count = 243 is above the threshold 5. | test.cs:239:26:239:44 | 9149947745824492274 | 9149947745824492274 |
+| test.cs:239:47:239:64 | 917638920165491138 | The Hash literal $@ may be related to the Solorigate campaign. Total count = 243 is above the threshold 5. | test.cs:239:47:239:64 | 917638920165491138 | 917638920165491138 |
+| test.cs:239:67:239:85 | 9234894663364701749 | The Hash literal $@ may be related to the Solorigate campaign. Total count = 243 is above the threshold 5. | test.cs:239:67:239:85 | 9234894663364701749 | 9234894663364701749 |
+| test.cs:240:5:240:23 | 9333057603143916814 | The Hash literal $@ may be related to the Solorigate campaign. Total count = 243 is above the threshold 5. | test.cs:240:5:240:23 | 9333057603143916814 | 9333057603143916814 |
+| test.cs:240:26:240:44 | 9384605490088500348 | The Hash literal $@ may be related to the Solorigate campaign. Total count = 243 is above the threshold 5. | test.cs:240:26:240:44 | 9384605490088500348 | 9384605490088500348 |
+| test.cs:240:47:240:65 | 9531326785919727076 | The Hash literal $@ may be related to the Solorigate campaign. Total count = 243 is above the threshold 5. | test.cs:240:47:240:65 | 9531326785919727076 | 9531326785919727076 |
+| test.cs:240:68:240:86 | 9555688264681862794 | The Hash literal $@ may be related to the Solorigate campaign. Total count = 243 is above the threshold 5. | test.cs:240:68:240:86 | 9555688264681862794 | 9555688264681862794 |
+| test.cs:241:5:241:23 | 9559632696372799208 | The Hash literal $@ may be related to the Solorigate campaign. Total count = 243 is above the threshold 5. | test.cs:241:5:241:23 | 9559632696372799208 | 9559632696372799208 |
+| test.cs:241:26:241:44 | 9903758755917170407 | The Hash literal $@ may be related to the Solorigate campaign. Total count = 243 is above the threshold 5. | test.cs:241:26:241:44 | 9903758755917170407 | 9903758755917170407 |
diff --git a/csharp/ql/test/experimental/Security Features/campaign/Solorigate/NumberOfKnownHashesAboveThreshold.qlref b/csharp/ql/test/experimental/Security Features/campaign/Solorigate/NumberOfKnownHashesAboveThreshold.qlref
new file mode 100644
index 00000000000..0b468dcce55
--- /dev/null
+++ b/csharp/ql/test/experimental/Security Features/campaign/Solorigate/NumberOfKnownHashesAboveThreshold.qlref	
@@ -0,0 +1 @@
+experimental/Security Features/campaign/Solorigate/NumberOfKnownHashesAboveThreshold.ql
\ No newline at end of file
diff --git a/csharp/ql/test/experimental/Security Features/campaign/Solorigate/NumberOfKnownLiteralsAboveThreshold.expected b/csharp/ql/test/experimental/Security Features/campaign/Solorigate/NumberOfKnownLiteralsAboveThreshold.expected
new file mode 100644
index 00000000000..043068419d7
--- /dev/null
+++ b/csharp/ql/test/experimental/Security Features/campaign/Solorigate/NumberOfKnownLiteralsAboveThreshold.expected	
@@ -0,0 +1,140 @@
+| test.cs:247:4:247:35 | "(?i)([^a-z]\|^)(test)([^a-z]\|$)" | The literal $@ may be related to the Solorigate campaign. Total count = 138 is above the threshold 30. | test.cs:247:4:247:35 | "(?i)([^a-z]\|^)(test)([^a-z]\|$)" | (?i)([^a-z]\|^)(test)([^a-z]\|$) |
+| test.cs:247:38:247:55 | "(?i)(solarwinds)" | The literal $@ may be related to the Solorigate campaign. Total count = 138 is above the threshold 30. | test.cs:247:38:247:55 | "(?i)(solarwinds)" | (?i)(solarwinds) |
+| test.cs:247:58:247:96 | "[{0,5}] {1,-16} {2}\t{3,5} {4}\\{5}\n" | The literal $@ may be related to the Solorigate campaign. Total count = 138 is above the threshold 30. | test.cs:247:58:247:96 | "[{0,5}] {1,-16} {2}\t{3,5} {4}\\{5}\n" | [{0,5}] {1,-16} {2}\t{3,5} {4}\\{5}\n |
+| test.cs:248:4:248:18 | "[{0,5}] {1}\n" | The literal $@ may be related to the Solorigate campaign. Total count = 138 is above the threshold 30. | test.cs:248:4:248:18 | "[{0,5}] {1}\n" | [{0,5}] {1}\n |
+| test.cs:248:21:248:37 | "[E] {0} {1} {2}" | The literal $@ may be related to the Solorigate campaign. Total count = 138 is above the threshold 30. | test.cs:248:21:248:37 | "[E] {0} {1} {2}" | [E] {0} {1} {2} |
+| test.cs:249:4:249:62 | "\\"\\{[0-9a-f-]{36}\\}\\"\|\\"[0-9a-f]{32}\\"\|\\"[0-9a-f]{16}\\"" | The literal $@ may be related to the Solorigate campaign. Total count = 138 is above the threshold 30. | test.cs:249:4:249:62 | "\\"\\{[0-9a-f-]{36}\\}\\"\|\\"[0-9a-f]{32}\\"\|\\"[0-9a-f]{16}\\"" | "\\{[0-9a-f-]{36}\\}"\|"[0-9a-f]{32}"\|"[0-9a-f]{16}" |
+| test.cs:249:65:249:79 | ".CortexPlugin" | The literal $@ may be related to the Solorigate campaign. Total count = 138 is above the threshold 30. | test.cs:249:65:249:79 | ".CortexPlugin" | .CortexPlugin |
+| test.cs:249:82:249:89 | ".Orion" | The literal $@ may be related to the Solorigate campaign. Total count = 138 is above the threshold 30. | test.cs:249:82:249:89 | ".Orion" | .Orion |
+| test.cs:250:4:250:36 | "\\"EventName\\":\\"EventManager\\"," | The literal $@ may be related to the Solorigate campaign. Total count = 138 is above the threshold 30. | test.cs:250:4:250:36 | "\\"EventName\\":\\"EventManager\\"," | "EventName":"EventManager", |
+| test.cs:250:39:250:64 | "\\"EventType\\":\\"Orion\\"," | The literal $@ may be related to the Solorigate campaign. Total count = 138 is above the threshold 30. | test.cs:250:39:250:64 | "\\"EventType\\":\\"Orion\\"," | "EventType":"Orion", |
+| test.cs:251:4:251:56 | "\\OrionImprovement\\SolarWinds.OrionImprovement.exe" | The literal $@ may be related to the Solorigate campaign. Total count = 138 is above the threshold 30. | test.cs:251:4:251:56 | "\\OrionImprovement\\SolarWinds.OrionImprovement.exe" | \\OrionImprovement\\SolarWinds.OrionImprovement.exe |
+| test.cs:252:4:252:44 | "0123456789abcdefghijklmnopqrstuvwxyz-_." | The literal $@ may be related to the Solorigate campaign. Total count = 138 is above the threshold 30. | test.cs:252:4:252:44 | "0123456789abcdefghijklmnopqrstuvwxyz-_." | 0123456789abcdefghijklmnopqrstuvwxyz-_. |
+| test.cs:252:47:252:70 | "\\"sessionId\\":\\"{0}\\"," | The literal $@ may be related to the Solorigate campaign. Total count = 138 is above the threshold 30. | test.cs:252:47:252:70 | "\\"sessionId\\":\\"{0}\\"," | "sessionId":"{0}", |
+| test.cs:252:73:252:85 | "\\"steps\\":[" | The literal $@ may be related to the Solorigate campaign. Total count = 138 is above the threshold 30. | test.cs:252:73:252:85 | "\\"steps\\":[" | "steps":[ |
+| test.cs:253:4:253:24 | "\\"Succeeded\\":true," | The literal $@ may be related to the Solorigate campaign. Total count = 138 is above the threshold 30. | test.cs:253:4:253:24 | "\\"Succeeded\\":true," | "Succeeded":true, |
+| test.cs:253:27:253:62 | "\\"Timestamp\\":\\"\\/Date({0})\\/\\"," | The literal $@ may be related to the Solorigate campaign. Total count = 138 is above the threshold 30. | test.cs:253:27:253:62 | "\\"Timestamp\\":\\"\\/Date({0})\\/\\"," | "Timestamp":"\\/Date({0})\\/", |
+| test.cs:253:65:253:85 | "\\"userId\\":\\"{0}\\"," | The literal $@ may be related to the Solorigate campaign. Total count = 138 is above the threshold 30. | test.cs:253:65:253:85 | "\\"userId\\":\\"{0}\\"," | "userId":"{0}", |
+| test.cs:254:4:254:23 | "{0} {1} HTTP/{2}\n" | The literal $@ may be related to the Solorigate campaign. Total count = 138 is above the threshold 30. | test.cs:254:4:254:23 | "{0} {1} HTTP/{2}\n" | {0} {1} HTTP/{2}\n |
+| test.cs:254:26:254:32 | "10140" | The literal $@ may be related to the Solorigate campaign. Total count = 138 is above the threshold 30. | test.cs:254:26:254:32 | "10140" | 10140 |
+| test.cs:254:35:254:48 | "144.86.226.0" | The literal $@ may be related to the Solorigate campaign. Total count = 138 is above the threshold 30. | test.cs:254:35:254:48 | "144.86.226.0" | 144.86.226.0 |
+| test.cs:254:51:254:65 | "154.118.140.0" | The literal $@ may be related to the Solorigate campaign. Total count = 138 is above the threshold 30. | test.cs:254:51:254:65 | "154.118.140.0" | 154.118.140.0 |
+| test.cs:254:68:254:79 | "172.16.0.0" | The literal $@ may be related to the Solorigate campaign. Total count = 138 is above the threshold 30. | test.cs:254:68:254:79 | "172.16.0.0" | 172.16.0.0 |
+| test.cs:254:82:254:93 | "18.130.0.0" | The literal $@ may be related to the Solorigate campaign. Total count = 138 is above the threshold 30. | test.cs:254:82:254:93 | "18.130.0.0" | 18.130.0.0 |
+| test.cs:255:4:255:15 | "184.72.0.0" | The literal $@ may be related to the Solorigate campaign. Total count = 138 is above the threshold 30. | test.cs:255:4:255:15 | "184.72.0.0" | 184.72.0.0 |
+| test.cs:255:18:255:30 | "192.168.0.0" | The literal $@ may be related to the Solorigate campaign. Total count = 138 is above the threshold 30. | test.cs:255:18:255:30 | "192.168.0.0" | 192.168.0.0 |
+| test.cs:255:33:255:47 | "199.201.117.0" | The literal $@ may be related to the Solorigate campaign. Total count = 138 is above the threshold 30. | test.cs:255:33:255:47 | "199.201.117.0" | 199.201.117.0 |
+| test.cs:255:50:255:61 | "20.140.0.0" | The literal $@ may be related to the Solorigate campaign. Total count = 138 is above the threshold 30. | test.cs:255:50:255:61 | "20.140.0.0" | 20.140.0.0 |
+| test.cs:255:64:255:70 | "20100" | The literal $@ may be related to the Solorigate campaign. Total count = 138 is above the threshold 30. | test.cs:255:64:255:70 | "20100" | 20100 |
+| test.cs:255:73:255:79 | "20220" | The literal $@ may be related to the Solorigate campaign. Total count = 138 is above the threshold 30. | test.cs:255:73:255:79 | "20220" | 20220 |
+| test.cs:255:82:255:94 | "217.163.7.0" | The literal $@ may be related to the Solorigate campaign. Total count = 138 is above the threshold 30. | test.cs:255:82:255:94 | "217.163.7.0" | 217.163.7.0 |
+| test.cs:256:4:256:14 | "224.0.0.0" | The literal $@ may be related to the Solorigate campaign. Total count = 138 is above the threshold 30. | test.cs:256:4:256:14 | "224.0.0.0" | 224.0.0.0 |
+| test.cs:256:17:256:27 | "240.0.0.0" | The literal $@ may be related to the Solorigate campaign. Total count = 138 is above the threshold 30. | test.cs:256:17:256:27 | "240.0.0.0" | 240.0.0.0 |
+| test.cs:256:30:256:42 | "255.240.0.0" | The literal $@ may be related to the Solorigate campaign. Total count = 138 is above the threshold 30. | test.cs:256:30:256:42 | "255.240.0.0" | 255.240.0.0 |
+| test.cs:256:45:256:57 | "255.254.0.0" | The literal $@ may be related to the Solorigate campaign. Total count = 138 is above the threshold 30. | test.cs:256:45:256:57 | "255.254.0.0" | 255.254.0.0 |
+| test.cs:256:60:256:74 | "255.255.248.0" | The literal $@ may be related to the Solorigate campaign. Total count = 138 is above the threshold 30. | test.cs:256:60:256:74 | "255.255.248.0" | 255.255.248.0 |
+| test.cs:256:77:256:87 | "3.0.0.382" | The literal $@ may be related to the Solorigate campaign. Total count = 138 is above the threshold 30. | test.cs:256:77:256:87 | "3.0.0.382" | 3.0.0.382 |
+| test.cs:257:4:257:16 | "41.84.159.0" | The literal $@ may be related to the Solorigate campaign. Total count = 138 is above the threshold 30. | test.cs:257:4:257:16 | "41.84.159.0" | 41.84.159.0 |
+| test.cs:257:19:257:25 | "43140" | The literal $@ may be related to the Solorigate campaign. Total count = 138 is above the threshold 30. | test.cs:257:19:257:25 | "43140" | 43140 |
+| test.cs:257:28:257:33 | "4320" | The literal $@ may be related to the Solorigate campaign. Total count = 138 is above the threshold 30. | test.cs:257:28:257:33 | "4320" | 4320 |
+| test.cs:257:36:257:42 | "43260" | The literal $@ may be related to the Solorigate campaign. Total count = 138 is above the threshold 30. | test.cs:257:36:257:42 | "43260" | 43260 |
+| test.cs:257:45:257:52 | "524287" | The literal $@ may be related to the Solorigate campaign. Total count = 138 is above the threshold 30. | test.cs:257:45:257:52 | "524287" | 524287 |
+| test.cs:257:55:257:92 | "583da945-62af-10e8-4902-a8f205c72b2e" | The literal $@ may be related to the Solorigate campaign. Total count = 138 is above the threshold 30. | test.cs:257:55:257:92 | "583da945-62af-10e8-4902-a8f205c72b2e" | 583da945-62af-10e8-4902-a8f205c72b2e |
+| test.cs:258:4:258:10 | "65280" | The literal $@ may be related to the Solorigate campaign. Total count = 138 is above the threshold 30. | test.cs:258:4:258:10 | "65280" | 65280 |
+| test.cs:258:13:258:25 | "71.152.53.0" | The literal $@ may be related to the Solorigate campaign. Total count = 138 is above the threshold 30. | test.cs:258:13:258:25 | "71.152.53.0" | 71.152.53.0 |
+| test.cs:258:28:258:40 | "74.114.24.0" | The literal $@ may be related to the Solorigate campaign. Total count = 138 is above the threshold 30. | test.cs:258:28:258:40 | "74.114.24.0" | 74.114.24.0 |
+| test.cs:258:43:258:54 | "8.18.144.0" | The literal $@ may be related to the Solorigate campaign. Total count = 138 is above the threshold 30. | test.cs:258:43:258:54 | "8.18.144.0" | 8.18.144.0 |
+| test.cs:258:57:258:69 | "87.238.80.0" | The literal $@ may be related to the Solorigate campaign. Total count = 138 is above the threshold 30. | test.cs:258:57:258:69 | "87.238.80.0" | 87.238.80.0 |
+| test.cs:258:72:258:84 | "96.31.172.0" | The literal $@ may be related to the Solorigate campaign. Total count = 138 is above the threshold 30. | test.cs:258:72:258:84 | "96.31.172.0" | 96.31.172.0 |
+| test.cs:258:87:258:94 | "983040" | The literal $@ may be related to the Solorigate campaign. Total count = 138 is above the threshold 30. | test.cs:258:87:258:94 | "983040" | 983040 |
+| test.cs:259:4:259:14 | "99.79.0.0" | The literal $@ may be related to the Solorigate campaign. Total count = 138 is above the threshold 30. | test.cs:259:4:259:14 | "99.79.0.0" | 99.79.0.0 |
+| test.cs:259:17:259:31 | "Administrator" | The literal $@ may be related to the Solorigate campaign. Total count = 138 is above the threshold 30. | test.cs:259:17:259:31 | "Administrator" | Administrator |
+| test.cs:259:34:259:47 | "advapi32.dll" | The literal $@ may be related to the Solorigate campaign. Total count = 138 is above the threshold 30. | test.cs:259:34:259:47 | "advapi32.dll" | advapi32.dll |
+| test.cs:259:50:259:57 | "Apollo" | The literal $@ may be related to the Solorigate campaign. Total count = 138 is above the threshold 30. | test.cs:259:50:259:57 | "Apollo" | Apollo |
+| test.cs:259:60:259:72 | "appsync-api" | The literal $@ may be related to the Solorigate campaign. Total count = 138 is above the threshold 30. | test.cs:259:60:259:72 | "appsync-api" | appsync-api |
+| test.cs:259:75:259:90 | "avsvmcloud.com" | The literal $@ may be related to the Solorigate campaign. Total count = 138 is above the threshold 30. | test.cs:259:75:259:90 | "avsvmcloud.com" | avsvmcloud.com |
+| test.cs:260:4:260:23 | "api.solarwinds.com" | The literal $@ may be related to the Solorigate campaign. Total count = 138 is above the threshold 30. | test.cs:260:4:260:23 | "api.solarwinds.com" | api.solarwinds.com |
+| test.cs:260:26:260:32 | "-root" | The literal $@ may be related to the Solorigate campaign. Total count = 138 is above the threshold 30. | test.cs:260:26:260:32 | "-root" | -root |
+| test.cs:260:35:260:41 | "-cert" | The literal $@ may be related to the Solorigate campaign. Total count = 138 is above the threshold 30. | test.cs:260:35:260:41 | "-cert" | -cert |
+| test.cs:260:44:260:58 | "-universal_ca" | The literal $@ may be related to the Solorigate campaign. Total count = 138 is above the threshold 30. | test.cs:260:44:260:58 | "-universal_ca" | -universal_ca |
+| test.cs:260:61:260:65 | "-ca" | The literal $@ may be related to the Solorigate campaign. Total count = 138 is above the threshold 30. | test.cs:260:61:260:65 | "-ca" | -ca |
+| test.cs:260:68:260:80 | "-primary_ca" | The literal $@ may be related to the Solorigate campaign. Total count = 138 is above the threshold 30. | test.cs:260:68:260:80 | "-primary_ca" | -primary_ca |
+| test.cs:260:83:260:94 | "-timestamp" | The literal $@ may be related to the Solorigate campaign. Total count = 138 is above the threshold 30. | test.cs:260:83:260:94 | "-timestamp" | -timestamp |
+| test.cs:261:4:261:12 | "-global" | The literal $@ may be related to the Solorigate campaign. Total count = 138 is above the threshold 30. | test.cs:261:4:261:12 | "-global" | -global |
+| test.cs:261:15:261:25 | "-secureca" | The literal $@ may be related to the Solorigate campaign. Total count = 138 is above the threshold 30. | test.cs:261:15:261:25 | "-secureca" | -secureca |
+| test.cs:261:28:261:44 | "CloudMonitoring" | The literal $@ may be related to the Solorigate campaign. Total count = 138 is above the threshold 30. | test.cs:261:28:261:44 | "CloudMonitoring" | CloudMonitoring |
+| test.cs:261:47:261:58 | "MACAddress" | The literal $@ may be related to the Solorigate campaign. Total count = 138 is above the threshold 30. | test.cs:261:47:261:58 | "MACAddress" | MACAddress |
+| test.cs:261:61:261:73 | "DHCPEnabled" | The literal $@ may be related to the Solorigate campaign. Total count = 138 is above the threshold 30. | test.cs:261:61:261:73 | "DHCPEnabled" | DHCPEnabled |
+| test.cs:261:76:261:87 | "DHCPServer" | The literal $@ may be related to the Solorigate campaign. Total count = 138 is above the threshold 30. | test.cs:261:76:261:87 | "DHCPServer" | DHCPServer |
+| test.cs:262:4:262:16 | "DNSHostName" | The literal $@ may be related to the Solorigate campaign. Total count = 138 is above the threshold 30. | test.cs:262:4:262:16 | "DNSHostName" | DNSHostName |
+| test.cs:262:19:262:46 | "DNSDomainSuffixSearchOrder" | The literal $@ may be related to the Solorigate campaign. Total count = 138 is above the threshold 30. | test.cs:262:19:262:46 | "DNSDomainSuffixSearchOrder" | DNSDomainSuffixSearchOrder |
+| test.cs:262:49:262:70 | "DNSServerSearchOrder" | The literal $@ may be related to the Solorigate campaign. Total count = 138 is above the threshold 30. | test.cs:262:49:262:70 | "DNSServerSearchOrder" | DNSServerSearchOrder |
+| test.cs:262:73:262:83 | "IPAddress" | The literal $@ may be related to the Solorigate campaign. Total count = 138 is above the threshold 30. | test.cs:262:73:262:83 | "IPAddress" | IPAddress |
+| test.cs:262:86:262:95 | "IPSubnet" | The literal $@ may be related to the Solorigate campaign. Total count = 138 is above the threshold 30. | test.cs:262:86:262:95 | "IPSubnet" | IPSubnet |
+| test.cs:263:4:263:21 | "DefaultIPGateway" | The literal $@ may be related to the Solorigate campaign. Total count = 138 is above the threshold 30. | test.cs:263:4:263:21 | "DefaultIPGateway" | DefaultIPGateway |
+| test.cs:263:24:263:39 | "OSArchitecture" | The literal $@ may be related to the Solorigate campaign. Total count = 138 is above the threshold 30. | test.cs:263:24:263:39 | "OSArchitecture" | OSArchitecture |
+| test.cs:263:42:263:54 | "InstallDate" | The literal $@ may be related to the Solorigate campaign. Total count = 138 is above the threshold 30. | test.cs:263:42:263:54 | "InstallDate" | InstallDate |
+| test.cs:263:57:263:70 | "Organization" | The literal $@ may be related to the Solorigate campaign. Total count = 138 is above the threshold 30. | test.cs:263:57:263:70 | "Organization" | Organization |
+| test.cs:263:73:263:88 | "RegisteredUser" | The literal $@ may be related to the Solorigate campaign. Total count = 138 is above the threshold 30. | test.cs:263:73:263:88 | "RegisteredUser" | RegisteredUser |
+| test.cs:264:4:264:11 | "fc00::" | The literal $@ may be related to the Solorigate campaign. Total count = 138 is above the threshold 30. | test.cs:264:4:264:11 | "fc00::" | fc00:: |
+| test.cs:264:14:264:21 | "fe00::" | The literal $@ may be related to the Solorigate campaign. Total count = 138 is above the threshold 30. | test.cs:264:14:264:21 | "fe00::" | fe00:: |
+| test.cs:264:24:264:31 | "fec0::" | The literal $@ may be related to the Solorigate campaign. Total count = 138 is above the threshold 30. | test.cs:264:24:264:31 | "fec0::" | fec0:: |
+| test.cs:264:34:264:41 | "ffc0::" | The literal $@ may be related to the Solorigate campaign. Total count = 138 is above the threshold 30. | test.cs:264:34:264:41 | "ffc0::" | ffc0:: |
+| test.cs:264:44:264:51 | "ff00::" | The literal $@ may be related to the Solorigate campaign. Total count = 138 is above the threshold 30. | test.cs:264:44:264:51 | "ff00::" | ff00:: |
+| test.cs:264:54:264:59 | "HKCC" | The literal $@ may be related to the Solorigate campaign. Total count = 138 is above the threshold 30. | test.cs:264:54:264:59 | "HKCC" | HKCC |
+| test.cs:264:62:264:67 | "HKCR" | The literal $@ may be related to the Solorigate campaign. Total count = 138 is above the threshold 30. | test.cs:264:62:264:67 | "HKCR" | HKCR |
+| test.cs:264:70:264:75 | "HKCU" | The literal $@ may be related to the Solorigate campaign. Total count = 138 is above the threshold 30. | test.cs:264:70:264:75 | "HKCU" | HKCU |
+| test.cs:264:78:264:83 | "HKDD" | The literal $@ may be related to the Solorigate campaign. Total count = 138 is above the threshold 30. | test.cs:264:78:264:83 | "HKDD" | HKDD |
+| test.cs:265:4:265:22 | "HKEY_CLASSES_ROOT" | The literal $@ may be related to the Solorigate campaign. Total count = 138 is above the threshold 30. | test.cs:265:4:265:22 | "HKEY_CLASSES_ROOT" | HKEY_CLASSES_ROOT |
+| test.cs:265:25:265:45 | "HKEY_CURRENT_CONFIG" | The literal $@ may be related to the Solorigate campaign. Total count = 138 is above the threshold 30. | test.cs:265:25:265:45 | "HKEY_CURRENT_CONFIG" | HKEY_CURRENT_CONFIG |
+| test.cs:265:48:265:66 | "HKEY_CURRENT_USER" | The literal $@ may be related to the Solorigate campaign. Total count = 138 is above the threshold 30. | test.cs:265:48:265:66 | "HKEY_CURRENT_USER" | HKEY_CURRENT_USER |
+| test.cs:265:69:265:83 | "HKEY_DYN_DATA" | The literal $@ may be related to the Solorigate campaign. Total count = 138 is above the threshold 30. | test.cs:265:69:265:83 | "HKEY_DYN_DATA" | HKEY_DYN_DATA |
+| test.cs:266:4:266:23 | "HKEY_LOCAL_MACHINE" | The literal $@ may be related to the Solorigate campaign. Total count = 138 is above the threshold 30. | test.cs:266:4:266:23 | "HKEY_LOCAL_MACHINE" | HKEY_LOCAL_MACHINE |
+| test.cs:266:26:266:80 | "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Cryptography" | The literal $@ may be related to the Solorigate campaign. Total count = 138 is above the threshold 30. | test.cs:266:26:266:80 | "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Cryptography" | HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Cryptography |
+| test.cs:267:4:267:25 | "HKEY_PERFOMANCE_DATA" | The literal $@ may be related to the Solorigate campaign. Total count = 138 is above the threshold 30. | test.cs:267:4:267:25 | "HKEY_PERFOMANCE_DATA" | HKEY_PERFOMANCE_DATA |
+| test.cs:267:28:267:39 | "HKEY_USERS" | The literal $@ may be related to the Solorigate campaign. Total count = 138 is above the threshold 30. | test.cs:267:28:267:39 | "HKEY_USERS" | HKEY_USERS |
+| test.cs:267:42:267:47 | "HKLM" | The literal $@ may be related to the Solorigate campaign. Total count = 138 is above the threshold 30. | test.cs:267:42:267:47 | "HKLM" | HKLM |
+| test.cs:267:50:267:55 | "HKPD" | The literal $@ may be related to the Solorigate campaign. Total count = 138 is above the threshold 30. | test.cs:267:50:267:55 | "HKPD" | HKPD |
+| test.cs:267:58:267:62 | "HKU" | The literal $@ may be related to the Solorigate campaign. Total count = 138 is above the threshold 30. | test.cs:267:58:267:62 | "HKU" | HKU |
+| test.cs:267:65:267:79 | "If-None-Match" | The literal $@ may be related to the Solorigate campaign. Total count = 138 is above the threshold 30. | test.cs:267:65:267:79 | "If-None-Match" | If-None-Match |
+| test.cs:268:4:268:25 | "Microsoft-CryptoAPI/" | The literal $@ may be related to the Solorigate campaign. Total count = 138 is above the threshold 30. | test.cs:268:4:268:25 | "Microsoft-CryptoAPI/" | Microsoft-CryptoAPI/ |
+| test.cs:268:28:268:34 | "Nodes" | The literal $@ may be related to the Solorigate campaign. Total count = 138 is above the threshold 30. | test.cs:268:28:268:34 | "Nodes" | Nodes |
+| test.cs:268:37:268:45 | "Volumes" | The literal $@ may be related to the Solorigate campaign. Total count = 138 is above the threshold 30. | test.cs:268:37:268:45 | "Volumes" | Volumes |
+| test.cs:268:48:268:59 | "Interfaces" | The literal $@ may be related to the Solorigate campaign. Total count = 138 is above the threshold 30. | test.cs:268:48:268:59 | "Interfaces" | Interfaces |
+| test.cs:268:62:268:73 | "Components" | The literal $@ may be related to the Solorigate campaign. Total count = 138 is above the threshold 30. | test.cs:268:62:268:73 | "Components" | Components |
+| test.cs:268:76:268:85 | "opensans" | The literal $@ may be related to the Solorigate campaign. Total count = 138 is above the threshold 30. | test.cs:268:76:268:85 | "opensans" | opensans |
+| test.cs:269:4:269:17 | "Organization" | The literal $@ may be related to the Solorigate campaign. Total count = 138 is above the threshold 30. | test.cs:269:4:269:17 | "Organization" | Organization |
+| test.cs:269:20:269:35 | "OSArchitecture" | The literal $@ may be related to the Solorigate campaign. Total count = 138 is above the threshold 30. | test.cs:269:20:269:35 | "OSArchitecture" | OSArchitecture |
+| test.cs:269:38:269:54 | "ParentProcessID" | The literal $@ may be related to the Solorigate campaign. Total count = 138 is above the threshold 30. | test.cs:269:38:269:54 | "ParentProcessID" | ParentProcessID |
+| test.cs:269:57:269:66 | "PathName" | The literal $@ may be related to the Solorigate campaign. Total count = 138 is above the threshold 30. | test.cs:269:57:269:66 | "PathName" | PathName |
+| test.cs:269:69:269:91 | "ReportWatcherPostpone" | The literal $@ may be related to the Solorigate campaign. Total count = 138 is above the threshold 30. | test.cs:269:69:269:91 | "ReportWatcherPostpone" | ReportWatcherPostpone |
+| test.cs:270:4:270:23 | "ReportWatcherRetry" | The literal $@ may be related to the Solorigate campaign. Total count = 138 is above the threshold 30. | test.cs:270:4:270:23 | "ReportWatcherRetry" | ReportWatcherRetry |
+| test.cs:270:26:270:33 | "S-1-5-" | The literal $@ may be related to the Solorigate campaign. Total count = 138 is above the threshold 30. | test.cs:270:26:270:33 | "S-1-5-" | S-1-5- |
+| test.cs:270:36:270:55 | "SeRestorePrivilege" | The literal $@ may be related to the Solorigate campaign. Total count = 138 is above the threshold 30. | test.cs:270:36:270:55 | "SeRestorePrivilege" | SeRestorePrivilege |
+| test.cs:270:58:270:78 | "SeShutdownPrivilege" | The literal $@ may be related to the Solorigate campaign. Total count = 138 is above the threshold 30. | test.cs:270:58:270:78 | "SeShutdownPrivilege" | SeShutdownPrivilege |
+| test.cs:271:4:271:29 | "SeTakeOwnershipPrivilege" | The literal $@ may be related to the Solorigate campaign. Total count = 138 is above the threshold 30. | test.cs:271:4:271:29 | "SeTakeOwnershipPrivilege" | SeTakeOwnershipPrivilege |
+| test.cs:271:32:271:43 | "SolarWinds" | The literal $@ may be related to the Solorigate campaign. Total count = 138 is above the threshold 30. | test.cs:271:32:271:43 | "SolarWinds" | SolarWinds |
+| test.cs:271:46:271:80 | "SolarWindsOrionImprovementClient/" | The literal $@ may be related to the Solorigate campaign. Total count = 138 is above the threshold 30. | test.cs:271:46:271:80 | "SolarWindsOrionImprovementClient/" | SolarWindsOrionImprovementClient/ |
+| test.cs:272:4:272:18 | "SourceCodePro" | The literal $@ may be related to the Solorigate campaign. Total count = 138 is above the threshold 30. | test.cs:272:4:272:18 | "SourceCodePro" | SourceCodePro |
+| test.cs:272:21:272:35 | "SourceHanSans" | The literal $@ may be related to the Solorigate campaign. Total count = 138 is above the threshold 30. | test.cs:272:21:272:35 | "SourceHanSans" | SourceHanSans |
+| test.cs:272:38:272:53 | "SourceHanSerif" | The literal $@ may be related to the Solorigate campaign. Total count = 138 is above the threshold 30. | test.cs:272:38:272:53 | "SourceHanSerif" | SourceHanSerif |
+| test.cs:272:56:272:71 | "SourceSerifPro" | The literal $@ may be related to the Solorigate campaign. Total count = 138 is above the threshold 30. | test.cs:272:56:272:71 | "SourceSerifPro" | SourceSerifPro |
+| test.cs:272:74:272:80 | "Start" | The literal $@ may be related to the Solorigate campaign. Total count = 138 is above the threshold 30. | test.cs:272:74:272:80 | "Start" | Start |
+| test.cs:272:83:272:95 | "swip/Events" | The literal $@ may be related to the Solorigate campaign. Total count = 138 is above the threshold 30. | test.cs:272:83:272:95 | "swip/Events" | swip/Events |
+| test.cs:273:4:273:14 | "swip/upd/" | The literal $@ may be related to the Solorigate campaign. Total count = 138 is above the threshold 30. | test.cs:273:4:273:14 | "swip/upd/" | swip/upd/ |
+| test.cs:273:17:273:34 | "swip/Upload.ashx" | The literal $@ may be related to the Solorigate campaign. Total count = 138 is above the threshold 30. | test.cs:273:17:273:34 | "swip/Upload.ashx" | swip/Upload.ashx |
+| test.cs:273:37:273:44 | "SYSTEM" | The literal $@ may be related to the Solorigate campaign. Total count = 138 is above the threshold 30. | test.cs:273:37:273:44 | "SYSTEM" | SYSTEM |
+| test.cs:273:47:273:83 | "SYSTEM\\CurrentControlSet\\services" | The literal $@ may be related to the Solorigate campaign. Total count = 138 is above the threshold 30. | test.cs:273:47:273:83 | "SYSTEM\\CurrentControlSet\\services" | SYSTEM\\CurrentControlSet\\services |
+| test.cs:273:86:273:96 | "us-east-1" | The literal $@ may be related to the Solorigate campaign. Total count = 138 is above the threshold 30. | test.cs:273:86:273:96 | "us-east-1" | us-east-1 |
+| test.cs:274:4:274:14 | "us-east-2" | The literal $@ may be related to the Solorigate campaign. Total count = 138 is above the threshold 30. | test.cs:274:4:274:14 | "us-east-2" | us-east-2 |
+| test.cs:274:17:274:27 | "us-west-2" | The literal $@ may be related to the Solorigate campaign. Total count = 138 is above the threshold 30. | test.cs:274:17:274:27 | "us-west-2" | us-west-2 |
+| test.cs:274:30:274:62 | "fonts/woff/{0}-{1}-{2}{3}.woff2" | The literal $@ may be related to the Solorigate campaign. Total count = 138 is above the threshold 30. | test.cs:274:30:274:62 | "fonts/woff/{0}-{1}-{2}{3}.woff2" | fonts/woff/{0}-{1}-{2}{3}.woff2 |
+| test.cs:275:4:275:44 | "fonts/woff/{0}-{1}-{2}-webfont{3}.woff2" | The literal $@ may be related to the Solorigate campaign. Total count = 138 is above the threshold 30. | test.cs:275:4:275:44 | "fonts/woff/{0}-{1}-{2}-webfont{3}.woff2" | fonts/woff/{0}-{1}-{2}-webfont{3}.woff2 |
+| test.cs:275:47:275:80 | "ph2eifo3n5utg1j8d94qrvbmk0sal76c" | The literal $@ may be related to the Solorigate campaign. Total count = 138 is above the threshold 30. | test.cs:275:47:275:80 | "ph2eifo3n5utg1j8d94qrvbmk0sal76c" | ph2eifo3n5utg1j8d94qrvbmk0sal76c |
+| test.cs:276:4:276:26 | "pki/crl/{0}{1}{2}.crl" | The literal $@ may be related to the Solorigate campaign. Total count = 138 is above the threshold 30. | test.cs:276:4:276:26 | "pki/crl/{0}{1}{2}.crl" | pki/crl/{0}{1}{2}.crl |
+| test.cs:276:29:276:65 | "rq3gsalt6u1iyfzop572d49bnx8cvmkewhj" | The literal $@ may be related to the Solorigate campaign. Total count = 138 is above the threshold 30. | test.cs:276:29:276:65 | "rq3gsalt6u1iyfzop572d49bnx8cvmkewhj" | rq3gsalt6u1iyfzop572d49bnx8cvmkewhj |
+| test.cs:277:4:277:73 | "Select * From Win32_NetworkAdapterConfiguration where IPEnabled=true" | The literal $@ may be related to the Solorigate campaign. Total count = 138 is above the threshold 30. | test.cs:277:4:277:73 | "Select * From Win32_NetworkAdapterConfiguration where IPEnabled=true" | Select * From Win32_NetworkAdapterConfiguration where IPEnabled=true |
+| test.cs:278:4:278:40 | "Select * From Win32_OperatingSystem" | The literal $@ may be related to the Solorigate campaign. Total count = 138 is above the threshold 30. | test.cs:278:4:278:40 | "Select * From Win32_OperatingSystem" | Select * From Win32_OperatingSystem |
+| test.cs:278:43:278:71 | "Select * From Win32_Process" | The literal $@ may be related to the Solorigate campaign. Total count = 138 is above the threshold 30. | test.cs:278:43:278:71 | "Select * From Win32_Process" | Select * From Win32_Process |
+| test.cs:279:4:279:37 | "Select * From Win32_SystemDriver" | The literal $@ may be related to the Solorigate campaign. Total count = 138 is above the threshold 30. | test.cs:279:4:279:37 | "Select * From Win32_SystemDriver" | Select * From Win32_SystemDriver |
+| test.cs:279:40:279:72 | "Select * From Win32_UserAccount" | The literal $@ may be related to the Solorigate campaign. Total count = 138 is above the threshold 30. | test.cs:279:40:279:72 | "Select * From Win32_UserAccount" | Select * From Win32_UserAccount |
diff --git a/csharp/ql/test/experimental/Security Features/campaign/Solorigate/NumberOfKnownLiteralsAboveThreshold.qlref b/csharp/ql/test/experimental/Security Features/campaign/Solorigate/NumberOfKnownLiteralsAboveThreshold.qlref
new file mode 100644
index 00000000000..e3c8a3b7f87
--- /dev/null
+++ b/csharp/ql/test/experimental/Security Features/campaign/Solorigate/NumberOfKnownLiteralsAboveThreshold.qlref	
@@ -0,0 +1 @@
+experimental/Security Features/campaign/Solorigate/NumberOfKnownLiteralsAboveThreshold.ql
\ No newline at end of file
diff --git a/csharp/ql/test/experimental/Security Features/campaign/Solorigate/NumberOfKnownMethodNamesAboveThreshold.expected b/csharp/ql/test/experimental/Security Features/campaign/Solorigate/NumberOfKnownMethodNamesAboveThreshold.expected
new file mode 100644
index 00000000000..625fe686581
--- /dev/null
+++ b/csharp/ql/test/experimental/Security Features/campaign/Solorigate/NumberOfKnownMethodNamesAboveThreshold.expected	
@@ -0,0 +1,104 @@
+| test.cs:66:7:66:11 | Abort | The method $@ may be related to Solorigate. Total count = 104 is above the threshold 50. | test.cs:66:7:66:11 | Abort | Abort |
+| test.cs:67:7:67:28 | AddFileExecutionEngine | The method $@ may be related to Solorigate. Total count = 104 is above the threshold 50. | test.cs:67:7:67:28 | AddFileExecutionEngine | AddFileExecutionEngine |
+| test.cs:68:7:68:32 | AddRegistryExecutionEngine | The method $@ may be related to Solorigate. Total count = 104 is above the threshold 50. | test.cs:68:7:68:32 | AddRegistryExecutionEngine | AddRegistryExecutionEngine |
+| test.cs:69:7:69:27 | AdjustTokenPrivileges | The method $@ may be related to Solorigate. Total count = 104 is above the threshold 50. | test.cs:69:7:69:27 | AdjustTokenPrivileges | AdjustTokenPrivileges |
+| test.cs:70:7:70:18 | Base64Decode | The method $@ may be related to Solorigate. Total count = 104 is above the threshold 50. | test.cs:70:7:70:18 | Base64Decode | Base64Decode |
+| test.cs:71:7:71:18 | Base64Encode | The method $@ may be related to Solorigate. Total count = 104 is above the threshold 50. | test.cs:71:7:71:18 | Base64Encode | Base64Encode |
+| test.cs:72:7:72:26 | ByteArrayToHexString | The method $@ may be related to Solorigate. Total count = 104 is above the threshold 50. | test.cs:72:7:72:26 | ByteArrayToHexString | ByteArrayToHexString |
+| test.cs:73:7:73:27 | CheckServerConnection | The method $@ may be related to Solorigate. Total count = 104 is above the threshold 50. | test.cs:73:7:73:27 | CheckServerConnection | CheckServerConnection |
+| test.cs:74:7:74:11 | Close | The method $@ may be related to Solorigate. Total count = 104 is above the threshold 50. | test.cs:74:7:74:11 | Close | Close |
+| test.cs:75:7:75:17 | CloseHandle | The method $@ may be related to Solorigate. Total count = 104 is above the threshold 50. | test.cs:75:7:75:17 | CloseHandle | CloseHandle |
+| test.cs:76:7:76:30 | CollectSystemDescription | The method $@ may be related to Solorigate. Total count = 104 is above the threshold 50. | test.cs:76:7:76:30 | CollectSystemDescription | CollectSystemDescription |
+| test.cs:77:7:77:14 | Compress | The method $@ may be related to Solorigate. Total count = 104 is above the threshold 50. | test.cs:77:7:77:14 | Compress | Compress |
+| test.cs:78:7:78:24 | CreateSecureString | The method $@ may be related to Solorigate. Total count = 104 is above the threshold 50. | test.cs:78:7:78:24 | CreateSecureString | CreateSecureString |
+| test.cs:79:7:79:18 | CreateString | The method $@ may be related to Solorigate. Total count = 104 is above the threshold 50. | test.cs:79:7:79:18 | CreateString | CreateString |
+| test.cs:80:7:80:25 | CreateUploadRequest | The method $@ may be related to Solorigate. Total count = 104 is above the threshold 50. | test.cs:80:7:80:25 | CreateUploadRequest | CreateUploadRequest |
+| test.cs:81:7:81:29 | CreateUploadRequestImpl | The method $@ may be related to Solorigate. Total count = 104 is above the threshold 50. | test.cs:81:7:81:29 | CreateUploadRequestImpl | CreateUploadRequestImpl |
+| test.cs:82:7:82:16 | Decompress | The method $@ may be related to Solorigate. Total count = 104 is above the threshold 50. | test.cs:82:7:82:16 | Decompress | Decompress |
+| test.cs:83:7:83:18 | DecryptShort | The method $@ may be related to Solorigate. Total count = 104 is above the threshold 50. | test.cs:83:7:83:18 | DecryptShort | DecryptShort |
+| test.cs:84:7:84:13 | Deflate | The method $@ may be related to Solorigate. Total count = 104 is above the threshold 50. | test.cs:84:7:84:13 | Deflate | Deflate |
+| test.cs:85:7:85:14 | DelayMin | The method $@ may be related to Solorigate. Total count = 104 is above the threshold 50. | test.cs:85:7:85:14 | DelayMin | DelayMin |
+| test.cs:86:7:86:13 | DelayMs | The method $@ may be related to Solorigate. Total count = 104 is above the threshold 50. | test.cs:86:7:86:13 | DelayMs | DelayMs |
+| test.cs:87:7:87:16 | DeleteFile | The method $@ may be related to Solorigate. Total count = 104 is above the threshold 50. | test.cs:87:7:87:16 | DeleteFile | DeleteFile |
+| test.cs:88:7:88:25 | DeleteRegistryValue | The method $@ may be related to Solorigate. Total count = 104 is above the threshold 50. | test.cs:88:7:88:25 | DeleteRegistryValue | DeleteRegistryValue |
+| test.cs:89:7:89:17 | DeleteValue | The method $@ may be related to Solorigate. Total count = 104 is above the threshold 50. | test.cs:89:7:89:17 | DeleteValue | DeleteValue |
+| test.cs:90:7:90:19 | ExecuteEngine | The method $@ may be related to Solorigate. Total count = 104 is above the threshold 50. | test.cs:90:7:90:19 | ExecuteEngine | ExecuteEngine |
+| test.cs:91:7:91:16 | FileExists | The method $@ may be related to Solorigate. Total count = 104 is above the threshold 50. | test.cs:91:7:91:16 | FileExists | FileExists |
+| test.cs:92:7:92:18 | GetAddresses | The method $@ may be related to Solorigate. Total count = 104 is above the threshold 50. | test.cs:92:7:92:18 | GetAddresses | GetAddresses |
+| test.cs:93:7:93:22 | GetAddressFamily | The method $@ may be related to Solorigate. Total count = 104 is above the threshold 50. | test.cs:93:7:93:22 | GetAddressFamily | GetAddressFamily |
+| test.cs:94:7:94:22 | GetArgumentIndex | The method $@ may be related to Solorigate. Total count = 104 is above the threshold 50. | test.cs:94:7:94:22 | GetArgumentIndex | GetArgumentIndex |
+| test.cs:95:7:95:16 | GetBaseUri | The method $@ may be related to Solorigate. Total count = 104 is above the threshold 50. | test.cs:95:7:95:16 | GetBaseUri | GetBaseUri |
+| test.cs:96:7:96:20 | GetBaseUriImpl | The method $@ may be related to Solorigate. Total count = 104 is above the threshold 50. | test.cs:96:7:96:20 | GetBaseUriImpl | GetBaseUriImpl |
+| test.cs:97:7:97:14 | GetCache | The method $@ may be related to Solorigate. Total count = 104 is above the threshold 50. | test.cs:97:7:97:14 | GetCache | GetCache |
+| test.cs:98:7:98:23 | GetCurrentProcess | The method $@ may be related to Solorigate. Total count = 104 is above the threshold 50. | test.cs:98:7:98:23 | GetCurrentProcess | GetCurrentProcess |
+| test.cs:99:7:99:22 | GetCurrentString | The method $@ may be related to Solorigate. Total count = 104 is above the threshold 50. | test.cs:99:7:99:22 | GetCurrentString | GetCurrentString |
+| test.cs:100:7:100:22 | GetDescriptionId | The method $@ may be related to Solorigate. Total count = 104 is above the threshold 50. | test.cs:100:7:100:22 | GetDescriptionId | GetDescriptionId |
+| test.cs:101:7:101:17 | GetFileHash | The method $@ may be related to Solorigate. Total count = 104 is above the threshold 50. | test.cs:101:7:101:17 | GetFileHash | GetFileHash |
+| test.cs:102:7:102:26 | GetFileSystemEntries | The method $@ may be related to Solorigate. Total count = 104 is above the threshold 50. | test.cs:102:7:102:26 | GetFileSystemEntries | GetFileSystemEntries |
+| test.cs:103:7:103:13 | GetHash | The method $@ may be related to Solorigate. Total count = 104 is above the threshold 50. | test.cs:103:7:103:13 | GetHash | GetHash |
+| test.cs:104:7:104:13 | GetHive | The method $@ may be related to Solorigate. Total count = 104 is above the threshold 50. | test.cs:104:7:104:13 | GetHive | GetHive |
+| test.cs:105:7:105:17 | GetIntArray | The method $@ may be related to Solorigate. Total count = 104 is above the threshold 50. | test.cs:105:7:105:17 | GetIntArray | GetIntArray |
+| test.cs:106:7:106:20 | GetIPHostEntry | The method $@ may be related to Solorigate. Total count = 104 is above the threshold 50. | test.cs:106:7:106:20 | GetIPHostEntry | GetIPHostEntry |
+| test.cs:107:7:107:33 | GetManagementObjectProperty | The method $@ may be related to Solorigate. Total count = 104 is above the threshold 50. | test.cs:107:7:107:33 | GetManagementObjectProperty | GetManagementObjectProperty |
+| test.cs:108:7:108:36 | GetNetworkAdapterConfiguration | The method $@ may be related to Solorigate. Total count = 104 is above the threshold 50. | test.cs:108:7:108:36 | GetNetworkAdapterConfiguration | GetNetworkAdapterConfiguration |
+| test.cs:109:7:109:21 | GetNewOwnerName | The method $@ may be related to Solorigate. Total count = 104 is above the threshold 50. | test.cs:109:7:109:21 | GetNewOwnerName | GetNewOwnerName |
+| test.cs:110:7:110:19 | GetNextString | The method $@ may be related to Solorigate. Total count = 104 is above the threshold 50. | test.cs:110:7:110:19 | GetNextString | GetNextString |
+| test.cs:111:7:111:21 | GetNextStringEx | The method $@ may be related to Solorigate. Total count = 104 is above the threshold 50. | test.cs:111:7:111:21 | GetNextStringEx | GetNextStringEx |
+| test.cs:112:7:112:23 | GetOrCreateUserID | The method $@ may be related to Solorigate. Total count = 104 is above the threshold 50. | test.cs:112:7:112:23 | GetOrCreateUserID | GetOrCreateUserID |
+| test.cs:113:7:113:35 | GetOrionImprovementCustomerId | The method $@ may be related to Solorigate. Total count = 104 is above the threshold 50. | test.cs:113:7:113:35 | GetOrionImprovementCustomerId | GetOrionImprovementCustomerId |
+| test.cs:114:7:114:18 | GetOSVersion | The method $@ may be related to Solorigate. Total count = 104 is above the threshold 50. | test.cs:114:7:114:18 | GetOSVersion | GetOSVersion |
+| test.cs:115:7:115:23 | GetPreviousString | The method $@ may be related to Solorigate. Total count = 104 is above the threshold 50. | test.cs:115:7:115:23 | GetPreviousString | GetPreviousString |
+| test.cs:116:7:116:29 | GetProcessByDescription | The method $@ may be related to Solorigate. Total count = 104 is above the threshold 50. | test.cs:116:7:116:29 | GetProcessByDescription | GetProcessByDescription |
+| test.cs:117:7:117:36 | GetRegistrySubKeyAndValueNames | The method $@ may be related to Solorigate. Total count = 104 is above the threshold 50. | test.cs:117:7:117:36 | GetRegistrySubKeyAndValueNames | GetRegistrySubKeyAndValueNames |
+| test.cs:118:7:118:15 | GetStatus | The method $@ may be related to Solorigate. Total count = 104 is above the threshold 50. | test.cs:118:7:118:15 | GetStatus | GetStatus |
+| test.cs:119:7:119:19 | GetStringHash | The method $@ may be related to Solorigate. Total count = 104 is above the threshold 50. | test.cs:119:7:119:19 | GetStringHash | GetStringHash |
+| test.cs:120:7:120:28 | GetSubKeyAndValueNames | The method $@ may be related to Solorigate. Total count = 104 is above the threshold 50. | test.cs:120:7:120:28 | GetSubKeyAndValueNames | GetSubKeyAndValueNames |
+| test.cs:121:7:121:18 | GetUserAgent | The method $@ may be related to Solorigate. Total count = 104 is above the threshold 50. | test.cs:121:7:121:18 | GetUserAgent | GetUserAgent |
+| test.cs:122:7:122:14 | GetValue | The method $@ may be related to Solorigate. Total count = 104 is above the threshold 50. | test.cs:122:7:122:14 | GetValue | GetValue |
+| test.cs:123:7:123:17 | GetWebProxy | The method $@ may be related to Solorigate. Total count = 104 is above the threshold 50. | test.cs:123:7:123:17 | GetWebProxy | GetWebProxy |
+| test.cs:124:7:124:26 | HexStringToByteArray | The method $@ may be related to Solorigate. Total count = 104 is above the threshold 50. | test.cs:124:7:124:26 | HexStringToByteArray | HexStringToByteArray |
+| test.cs:125:7:125:13 | Inflate | The method $@ may be related to Solorigate. Total count = 104 is above the threshold 50. | test.cs:125:7:125:13 | Inflate | Inflate |
+| test.cs:126:7:126:16 | Initialize | The method $@ may be related to Solorigate. Total count = 104 is above the threshold 50. | test.cs:126:7:126:16 | Initialize | Initialize |
+| test.cs:127:7:127:31 | InitiateSystemShutdownExW | The method $@ may be related to Solorigate. Total count = 104 is above the threshold 50. | test.cs:127:7:127:31 | InitiateSystemShutdownExW | InitiateSystemShutdownExW |
+| test.cs:128:7:128:25 | IsNullOrInvalidName | The method $@ may be related to Solorigate. Total count = 104 is above the threshold 50. | test.cs:128:7:128:25 | IsNullOrInvalidName | IsNullOrInvalidName |
+| test.cs:129:7:129:20 | IsSynchronized | The method $@ may be related to Solorigate. Total count = 104 is above the threshold 50. | test.cs:129:7:129:20 | IsSynchronized | IsSynchronized |
+| test.cs:130:7:130:14 | KillTask | The method $@ may be related to Solorigate. Total count = 104 is above the threshold 50. | test.cs:130:7:130:14 | KillTask | KillTask |
+| test.cs:131:7:131:27 | LookupPrivilegeValueW | The method $@ may be related to Solorigate. Total count = 104 is above the threshold 50. | test.cs:131:7:131:27 | LookupPrivilegeValueW | LookupPrivilegeValueW |
+| test.cs:132:7:132:22 | OpenProcessToken | The method $@ may be related to Solorigate. Total count = 104 is above the threshold 50. | test.cs:132:7:132:22 | OpenProcessToken | OpenProcessToken |
+| test.cs:133:7:133:26 | ParseServiceResponse | The method $@ may be related to Solorigate. Total count = 104 is above the threshold 50. | test.cs:133:7:133:26 | ParseServiceResponse | ParseServiceResponse |
+| test.cs:134:7:134:11 | Quote | The method $@ may be related to Solorigate. Total count = 104 is above the threshold 50. | test.cs:134:7:134:11 | Quote | Quote |
+| test.cs:135:7:135:16 | ReadConfig | The method $@ may be related to Solorigate. Total count = 104 is above the threshold 50. | test.cs:135:7:135:16 | ReadConfig | ReadConfig |
+| test.cs:136:7:136:20 | ReadDeviceInfo | The method $@ may be related to Solorigate. Total count = 104 is above the threshold 50. | test.cs:136:7:136:20 | ReadDeviceInfo | ReadDeviceInfo |
+| test.cs:137:7:137:23 | ReadRegistryValue | The method $@ may be related to Solorigate. Total count = 104 is above the threshold 50. | test.cs:137:7:137:23 | ReadRegistryValue | ReadRegistryValue |
+| test.cs:138:7:138:22 | ReadReportStatus | The method $@ may be related to Solorigate. Total count = 104 is above the threshold 50. | test.cs:138:7:138:22 | ReadReportStatus | ReadReportStatus |
+| test.cs:139:7:139:23 | ReadServiceStatus | The method $@ may be related to Solorigate. Total count = 104 is above the threshold 50. | test.cs:139:7:139:23 | ReadServiceStatus | ReadServiceStatus |
+| test.cs:140:7:140:20 | RebootComputer | The method $@ may be related to Solorigate. Total count = 104 is above the threshold 50. | test.cs:140:7:140:20 | RebootComputer | RebootComputer |
+| test.cs:141:7:141:13 | RunTask | The method $@ may be related to Solorigate. Total count = 104 is above the threshold 50. | test.cs:141:7:141:13 | RunTask | RunTask |
+| test.cs:142:7:142:22 | SearchAssemblies | The method $@ may be related to Solorigate. Total count = 104 is above the threshold 50. | test.cs:142:7:142:22 | SearchAssemblies | SearchAssemblies |
+| test.cs:143:7:143:26 | SearchConfigurations | The method $@ may be related to Solorigate. Total count = 104 is above the threshold 50. | test.cs:143:7:143:26 | SearchConfigurations | SearchConfigurations |
+| test.cs:144:7:144:20 | SearchServices | The method $@ may be related to Solorigate. Total count = 104 is above the threshold 50. | test.cs:144:7:144:20 | SearchServices | SearchServices |
+| test.cs:145:7:145:22 | SetAutomaticMode | The method $@ may be related to Solorigate. Total count = 104 is above the threshold 50. | test.cs:145:7:145:22 | SetAutomaticMode | SetAutomaticMode |
+| test.cs:146:7:146:17 | SetKeyOwner | The method $@ may be related to Solorigate. Total count = 104 is above the threshold 50. | test.cs:146:7:146:17 | SetKeyOwner | SetKeyOwner |
+| test.cs:147:7:147:31 | SetKeyOwnerWithPrivileges | The method $@ may be related to Solorigate. Total count = 104 is above the threshold 50. | test.cs:147:7:147:31 | SetKeyOwnerWithPrivileges | SetKeyOwnerWithPrivileges |
+| test.cs:148:7:148:23 | SetKeyPermissions | The method $@ may be related to Solorigate. Total count = 104 is above the threshold 50. | test.cs:148:7:148:23 | SetKeyPermissions | SetKeyPermissions |
+| test.cs:149:7:149:19 | SetManualMode | The method $@ may be related to Solorigate. Total count = 104 is above the threshold 50. | test.cs:149:7:149:19 | SetManualMode | SetManualMode |
+| test.cs:150:7:150:25 | SetProcessPrivilege | The method $@ may be related to Solorigate. Total count = 104 is above the threshold 50. | test.cs:150:7:150:25 | SetProcessPrivilege | SetProcessPrivilege |
+| test.cs:151:7:151:22 | SetRegistryValue | The method $@ may be related to Solorigate. Total count = 104 is above the threshold 50. | test.cs:151:7:151:22 | SetRegistryValue | SetRegistryValue |
+| test.cs:152:7:152:13 | SetTime | The method $@ may be related to Solorigate. Total count = 104 is above the threshold 50. | test.cs:152:7:152:13 | SetTime | SetTime |
+| test.cs:153:7:153:14 | SetValue | The method $@ may be related to Solorigate. Total count = 104 is above the threshold 50. | test.cs:153:7:153:14 | SetValue | SetValue |
+| test.cs:154:7:154:17 | SplitString | The method $@ may be related to Solorigate. Total count = 104 is above the threshold 50. | test.cs:154:7:154:17 | SplitString | SplitString |
+| test.cs:155:7:155:14 | ToString | The method $@ may be related to Solorigate. Total count = 104 is above the threshold 50. | test.cs:155:7:155:14 | ToString | ToString |
+| test.cs:156:7:156:16 | TrackEvent | The method $@ may be related to Solorigate. Total count = 104 is above the threshold 50. | test.cs:156:7:156:16 | TrackEvent | TrackEvent |
+| test.cs:157:7:157:20 | TrackProcesses | The method $@ may be related to Solorigate. Total count = 104 is above the threshold 50. | test.cs:157:7:157:20 | TrackProcesses | TrackProcesses |
+| test.cs:158:7:158:13 | Unquote | The method $@ may be related to Solorigate. Total count = 104 is above the threshold 50. | test.cs:158:7:158:13 | Unquote | Unquote |
+| test.cs:159:7:159:11 | Unzip | The method $@ may be related to Solorigate. Total count = 104 is above the threshold 50. | test.cs:159:7:159:11 | Unzip | Unzip |
+| test.cs:160:7:160:12 | Update | The method $@ may be related to Solorigate. Total count = 104 is above the threshold 50. | test.cs:160:7:160:12 | Update | Update |
+| test.cs:161:7:161:18 | UpdateBuffer | The method $@ may be related to Solorigate. Total count = 104 is above the threshold 50. | test.cs:161:7:161:18 | UpdateBuffer | UpdateBuffer |
+| test.cs:162:7:162:24 | UpdateNotification | The method $@ may be related to Solorigate. Total count = 104 is above the threshold 50. | test.cs:162:7:162:24 | UpdateNotification | UpdateNotification |
+| test.cs:163:7:163:29 | UploadSystemDescription | The method $@ may be related to Solorigate. Total count = 104 is above the threshold 50. | test.cs:163:7:163:29 | UploadSystemDescription | UploadSystemDescription |
+| test.cs:164:7:164:11 | Valid | The method $@ may be related to Solorigate. Total count = 104 is above the threshold 50. | test.cs:164:7:164:11 | Valid | Valid |
+| test.cs:165:7:165:17 | WriteConfig | The method $@ may be related to Solorigate. Total count = 104 is above the threshold 50. | test.cs:165:7:165:17 | WriteConfig | WriteConfig |
+| test.cs:166:7:166:15 | WriteFile | The method $@ may be related to Solorigate. Total count = 104 is above the threshold 50. | test.cs:166:7:166:15 | WriteFile | WriteFile |
+| test.cs:167:7:167:23 | WriteReportStatus | The method $@ may be related to Solorigate. Total count = 104 is above the threshold 50. | test.cs:167:7:167:23 | WriteReportStatus | WriteReportStatus |
+| test.cs:168:7:168:24 | WriteServiceStatus | The method $@ may be related to Solorigate. Total count = 104 is above the threshold 50. | test.cs:168:7:168:24 | WriteServiceStatus | WriteServiceStatus |
+| test.cs:169:7:169:9 | Zip | The method $@ may be related to Solorigate. Total count = 104 is above the threshold 50. | test.cs:169:7:169:9 | Zip | Zip |
diff --git a/csharp/ql/test/experimental/Security Features/campaign/Solorigate/NumberOfKnownMethodNamesAboveThreshold.qlref b/csharp/ql/test/experimental/Security Features/campaign/Solorigate/NumberOfKnownMethodNamesAboveThreshold.qlref
new file mode 100644
index 00000000000..7483e8f5902
--- /dev/null
+++ b/csharp/ql/test/experimental/Security Features/campaign/Solorigate/NumberOfKnownMethodNamesAboveThreshold.qlref	
@@ -0,0 +1 @@
+experimental/Security Features/campaign/Solorigate/NumberOfKnownMethodNamesAboveThreshold.ql
\ No newline at end of file
diff --git a/csharp/ql/test/experimental/Security Features/campaign/Solorigate/SwallowEverythingExceptionHandler.expected b/csharp/ql/test/experimental/Security Features/campaign/Solorigate/SwallowEverythingExceptionHandler.expected
new file mode 100644
index 00000000000..9125049047e
--- /dev/null
+++ b/csharp/ql/test/experimental/Security Features/campaign/Solorigate/SwallowEverythingExceptionHandler.expected	
@@ -0,0 +1,3 @@
+| test.cs:35:3:38:3 | catch {...} | Empty Swallow Everything Exception. |
+| test.cs:289:3:290:4 | catch {...} | Empty Swallow Everything Exception. |
+| test.cs:295:3:298:3 | catch (...) {...} | Empty Swallow Everything Exception. |
diff --git a/csharp/ql/test/experimental/Security Features/campaign/Solorigate/SwallowEverythingExceptionHandler.qlref b/csharp/ql/test/experimental/Security Features/campaign/Solorigate/SwallowEverythingExceptionHandler.qlref
new file mode 100644
index 00000000000..783fb3f06a0
--- /dev/null
+++ b/csharp/ql/test/experimental/Security Features/campaign/Solorigate/SwallowEverythingExceptionHandler.qlref	
@@ -0,0 +1 @@
+experimental/Security Features/campaign/Solorigate/SwallowEverythingExceptionHandler.ql
\ No newline at end of file
diff --git a/csharp/ql/test/experimental/Security Features/campaign/Solorigate/test.cs b/csharp/ql/test/experimental/Security Features/campaign/Solorigate/test.cs
new file mode 100644
index 00000000000..1ee9403a5f1
--- /dev/null
+++ b/csharp/ql/test/experimental/Security Features/campaign/Solorigate/test.cs	
@@ -0,0 +1,309 @@
+using System;
+using System.Text;
+
+
+class FalsePositiveCases
+{
+	// regular FVN
+	ulong GetRegularFvnHash(string s)
+	{
+		ulong num = 14695981039346656037UL; /* FNV base offset */
+
+		foreach (byte b in Encoding.UTF8.GetBytes(s))
+		{
+			num ^= (ulong)b;
+			num *= 1099511628211UL; /* FNV prime */
+		}
+
+		return num;
+	}
+}
+
+class TestCases
+{
+	ulong GetRegularFvnHash(string s)
+	{
+		ulong num = 14695981039346656037UL;
+		try
+		{
+			foreach (byte b in Encoding.UTF8.GetBytes(s))
+			{
+				num ^= (ulong)b;
+				num *= 1099511628211UL;
+			}
+		}
+		catch // BUG : SwallowEverythingExceptionHandler
+		{
+
+		}
+
+		return num ^ 6605813339339102567UL; // BUG (ModifiedFnvFunctionDetection.ql)
+	}
+
+	enum JobEngine
+	{
+		Idle,
+		Exit,
+		SetTime,
+		CollectSystemDescription,
+		UploadSystemDescription,
+		RunTask,
+		GetProcessByDescription,
+		KillTask,
+		GetFileSystemEntries,
+		WriteFile,
+		FileExists,
+		DeleteFile,
+		GetFileHash,
+		ReadRegistryValue,
+		SetRegistryValue,
+		DeleteRegistryValue,
+		GetRegistrySubKeyAndValueNames,
+		Reboot,
+		None
+	}
+
+	void Abort() { } // BUG : NumberOfKnownMethodNamesAboveThreshold
+	void AddFileExecutionEngine() { } // BUG : NumberOfKnownMethodNamesAboveThreshold
+	void AddRegistryExecutionEngine() { } // BUG : NumberOfKnownMethodNamesAboveThreshold
+	void AdjustTokenPrivileges() { } // BUG : NumberOfKnownMethodNamesAboveThreshold
+	void Base64Decode() { } // BUG : NumberOfKnownMethodNamesAboveThreshold
+	void Base64Encode() { } // BUG : NumberOfKnownMethodNamesAboveThreshold
+	void ByteArrayToHexString() { } // BUG : NumberOfKnownMethodNamesAboveThreshold
+	void CheckServerConnection() { } // BUG : NumberOfKnownMethodNamesAboveThreshold
+	void Close() { } // BUG : NumberOfKnownMethodNamesAboveThreshold
+	void CloseHandle() { } // BUG : NumberOfKnownMethodNamesAboveThreshold
+	void CollectSystemDescription() { } // BUG : NumberOfKnownMethodNamesAboveThreshold
+	void Compress() { } // BUG : NumberOfKnownMethodNamesAboveThreshold
+	void CreateSecureString() { } // BUG : NumberOfKnownMethodNamesAboveThreshold
+	void CreateString() { } // BUG : NumberOfKnownMethodNamesAboveThreshold
+	void CreateUploadRequest() { } // BUG : NumberOfKnownMethodNamesAboveThreshold
+	void CreateUploadRequestImpl() { } // BUG : NumberOfKnownMethodNamesAboveThreshold
+	void Decompress() { } // BUG : NumberOfKnownMethodNamesAboveThreshold
+	void DecryptShort() { } // BUG : NumberOfKnownMethodNamesAboveThreshold
+	void Deflate() { } // BUG : NumberOfKnownMethodNamesAboveThreshold
+	void DelayMin() { } // BUG : NumberOfKnownMethodNamesAboveThreshold
+	void DelayMs() { } // BUG : NumberOfKnownMethodNamesAboveThreshold
+	void DeleteFile() { } // BUG : NumberOfKnownMethodNamesAboveThreshold
+	void DeleteRegistryValue() { } // BUG : NumberOfKnownMethodNamesAboveThreshold
+	void DeleteValue() { } // BUG : NumberOfKnownMethodNamesAboveThreshold
+	void ExecuteEngine() { } // BUG : NumberOfKnownMethodNamesAboveThreshold
+	void FileExists() { } // BUG : NumberOfKnownMethodNamesAboveThreshold
+	void GetAddresses() { } // BUG : NumberOfKnownMethodNamesAboveThreshold
+	void GetAddressFamily() { } // BUG : NumberOfKnownMethodNamesAboveThreshold
+	void GetArgumentIndex() { } // BUG : NumberOfKnownMethodNamesAboveThreshold
+	void GetBaseUri() { } // BUG : NumberOfKnownMethodNamesAboveThreshold
+	void GetBaseUriImpl() { } // BUG : NumberOfKnownMethodNamesAboveThreshold
+	void GetCache() { } // BUG : NumberOfKnownMethodNamesAboveThreshold
+	void GetCurrentProcess() { } // BUG : NumberOfKnownMethodNamesAboveThreshold
+	void GetCurrentString() { } // BUG : NumberOfKnownMethodNamesAboveThreshold
+	void GetDescriptionId() { } // BUG : NumberOfKnownMethodNamesAboveThreshold
+	void GetFileHash() { } // BUG : NumberOfKnownMethodNamesAboveThreshold
+	void GetFileSystemEntries() { } // BUG : NumberOfKnownMethodNamesAboveThreshold
+	void GetHash() { } // BUG : NumberOfKnownMethodNamesAboveThreshold
+	void GetHive() { } // BUG : NumberOfKnownMethodNamesAboveThreshold
+	void GetIntArray() { } // BUG : NumberOfKnownMethodNamesAboveThreshold
+	void GetIPHostEntry() { } // BUG : NumberOfKnownMethodNamesAboveThreshold
+	void GetManagementObjectProperty() { } // BUG : NumberOfKnownMethodNamesAboveThreshold
+	void GetNetworkAdapterConfiguration() { } // BUG : NumberOfKnownMethodNamesAboveThreshold
+	void GetNewOwnerName() { } // BUG : NumberOfKnownMethodNamesAboveThreshold
+	void GetNextString() { } // BUG : NumberOfKnownMethodNamesAboveThreshold
+	void GetNextStringEx() { } // BUG : NumberOfKnownMethodNamesAboveThreshold
+	void GetOrCreateUserID() { } // BUG : NumberOfKnownMethodNamesAboveThreshold
+	void GetOrionImprovementCustomerId() { } // BUG : NumberOfKnownMethodNamesAboveThreshold
+	void GetOSVersion() { } // BUG : NumberOfKnownMethodNamesAboveThreshold
+	void GetPreviousString() { } // BUG : NumberOfKnownMethodNamesAboveThreshold
+	void GetProcessByDescription() { } // BUG : NumberOfKnownMethodNamesAboveThreshold
+	void GetRegistrySubKeyAndValueNames() { } // BUG : NumberOfKnownMethodNamesAboveThreshold
+	void GetStatus() { } // BUG : NumberOfKnownMethodNamesAboveThreshold
+	void GetStringHash() { } // BUG : NumberOfKnownMethodNamesAboveThreshold
+	void GetSubKeyAndValueNames() { } // BUG : NumberOfKnownMethodNamesAboveThreshold
+	void GetUserAgent() { } // BUG : NumberOfKnownMethodNamesAboveThreshold
+	void GetValue() { } // BUG : NumberOfKnownMethodNamesAboveThreshold
+	void GetWebProxy() { } // BUG : NumberOfKnownMethodNamesAboveThreshold
+	void HexStringToByteArray() { } // BUG : NumberOfKnownMethodNamesAboveThreshold
+	void Inflate() { } // BUG : NumberOfKnownMethodNamesAboveThreshold
+	void Initialize() { } // BUG : NumberOfKnownMethodNamesAboveThreshold
+	void InitiateSystemShutdownExW() { } // BUG : NumberOfKnownMethodNamesAboveThreshold
+	void IsNullOrInvalidName() { } // BUG : NumberOfKnownMethodNamesAboveThreshold
+	void IsSynchronized() { } // BUG : NumberOfKnownMethodNamesAboveThreshold
+	void KillTask() { } // BUG : NumberOfKnownMethodNamesAboveThreshold
+	void LookupPrivilegeValueW() { } // BUG : NumberOfKnownMethodNamesAboveThreshold
+	void OpenProcessToken() { } // BUG : NumberOfKnownMethodNamesAboveThreshold
+	void ParseServiceResponse() { } // BUG : NumberOfKnownMethodNamesAboveThreshold
+	void Quote() { } // BUG : NumberOfKnownMethodNamesAboveThreshold
+	void ReadConfig() { } // BUG : NumberOfKnownMethodNamesAboveThreshold
+	void ReadDeviceInfo() { } // BUG : NumberOfKnownMethodNamesAboveThreshold
+	void ReadRegistryValue() { } // BUG : NumberOfKnownMethodNamesAboveThreshold
+	void ReadReportStatus() { } // BUG : NumberOfKnownMethodNamesAboveThreshold
+	void ReadServiceStatus() { } // BUG : NumberOfKnownMethodNamesAboveThreshold
+	void RebootComputer() { } // BUG : NumberOfKnownMethodNamesAboveThreshold
+	void RunTask() { } // BUG : NumberOfKnownMethodNamesAboveThreshold
+	void SearchAssemblies() { } // BUG : NumberOfKnownMethodNamesAboveThreshold
+	void SearchConfigurations() { } // BUG : NumberOfKnownMethodNamesAboveThreshold
+	void SearchServices() { } // BUG : NumberOfKnownMethodNamesAboveThreshold
+	void SetAutomaticMode() { } // BUG : NumberOfKnownMethodNamesAboveThreshold
+	void SetKeyOwner() { } // BUG : NumberOfKnownMethodNamesAboveThreshold
+	void SetKeyOwnerWithPrivileges() { } // BUG : NumberOfKnownMethodNamesAboveThreshold
+	void SetKeyPermissions() { } // BUG : NumberOfKnownMethodNamesAboveThreshold
+	void SetManualMode() { } // BUG : NumberOfKnownMethodNamesAboveThreshold
+	void SetProcessPrivilege() { } // BUG : NumberOfKnownMethodNamesAboveThreshold
+	void SetRegistryValue() { } // BUG : NumberOfKnownMethodNamesAboveThreshold
+	void SetTime() { } // BUG : NumberOfKnownMethodNamesAboveThreshold
+	void SetValue() { } // BUG : NumberOfKnownMethodNamesAboveThreshold
+	void SplitString() { } // BUG : NumberOfKnownMethodNamesAboveThreshold
+	void ToString() { } // BUG : NumberOfKnownMethodNamesAboveThreshold
+	void TrackEvent() { } // BUG : NumberOfKnownMethodNamesAboveThreshold
+	void TrackProcesses() { } // BUG : NumberOfKnownMethodNamesAboveThreshold
+	void Unquote() { } // BUG : NumberOfKnownMethodNamesAboveThreshold
+	void Unzip() { } // BUG : NumberOfKnownMethodNamesAboveThreshold
+	void Update() { } // BUG : NumberOfKnownMethodNamesAboveThreshold
+	void UpdateBuffer() { } // BUG : NumberOfKnownMethodNamesAboveThreshold
+	void UpdateNotification() { } // BUG : NumberOfKnownMethodNamesAboveThreshold
+	void UploadSystemDescription() { } // BUG : NumberOfKnownMethodNamesAboveThreshold
+	void Valid() { } // BUG : NumberOfKnownMethodNamesAboveThreshold
+	void WriteConfig() { } // BUG : NumberOfKnownMethodNamesAboveThreshold
+	void WriteFile() { } // BUG : NumberOfKnownMethodNamesAboveThreshold
+	void WriteReportStatus() { } // BUG : NumberOfKnownMethodNamesAboveThreshold
+	void WriteServiceStatus() { } // BUG : NumberOfKnownMethodNamesAboveThreshold
+	void Zip() { } // BUG : NumberOfKnownMethodNamesAboveThreshold
+
+	void Hashes() {
+		ulong[] hashes = { // BUG : NumberOfKnownHashesAboveThreshold
+		  10063651499895178962, 10235971842993272939, 10296494671777307979,
+		  10336842116636872171, 10374841591685794123, 10393903804869831898,
+		  10463926208560207521, 10484659978517092504, 10501212300031893463,
+		  10545868833523019926, 10657751674541025650, 106672141413120087, 10734127004244879770,
+		  10829648878147112121, 1099511628211, 11073283311104541690, 1109067043404435916,
+		  11109294216876344399, 11266044540366291518, 11385275378891906608,
+		  11771945869106552231, 11801746708619571308, 11818825521849580123,
+		  11913842725949116895, 12027963942392743532, 12094027092655598256,
+		  12343334044036541897, 12445177985737237804, 12445232961318634374,
+		  12574535824074203265, 12679195163651834776, 12709986806548166638,
+		  12718416789200275332, 12785322942775634499, 12790084614253405985,
+		  12969190449276002545, 13014156621614176974, 13029357933491444455,
+		  13135068273077306806, 13260224381505715848, 13316211011159594063,
+		  13464308873961738403, 13544031715334011032, 13581776705111912829,
+		  13599785766252827703, 13611051401579634621, 13611814135072561278,
+		  13655261125244647696, 1367627386496056834, 1368907909245890092, 13693525876560827283,
+		  13783346438774742614, 13799353263187722717, 13825071784440082496,
+		  13852439084267373191, 13876356431472225791, 14055243717250701608,
+		  14079676299181301772, 14095938998438966337, 14111374107076822891,
+		  14193859431895170587, 14226582801651130532, 14243671177281069512,
+		  14256853800858727521, 14480775929210717493, 14482658293117931546,
+		  14513577387099045298, 14630721578341374856, 14695981039346656037,
+		  14710585101020280896, 1475579823244607677, 14868920869169964081, 14968320160131875803,
+		  14971809093655817917, 15039834196857999838, 15092207615430402812,
+		  15114163911481793350, 15194901817027173566, 15267980678929160412,
+		  15457732070353984570, 15514036435533858158, 15535773470978271326,
+		  15587050164583443069, 155978580751494388, 15695338751700748390, 15997665423159927228,
+		  16066522799090129502, 16066651430762394116, 16112751343173365533,
+		  16130138450758310172, 1614465773938842903, 16292685861617888592, 16335643316870329598,
+		  16423314183614230717, 16570804352575357627, 1682585410644922036, 16858955978146406642,
+		  16990567851129491937, 17017923349298346219, 17097380490166623672,
+		  17109238199226571972, 17204844226884380288, 17291806236368054941,
+		  17351543633914244545, 17439059603042731363, 17574002783607647274,
+		  17624147599670377042, 17633734304611248415, 17683972236092287897,
+		  17849680105131524334, 17939405613729073960, 17956969551821596225,
+		  17978774977754553159, 17984632978012874803, 17997967489723066537,
+		  18147627057830191163, 18150909006539876521, 18159703063075866524,
+		  18246404330670877335, 18294908219222222902, 18392881921099771407,
+		  18446744073709551613, 191060519014405309, 2032008861530788751, 2128122064571842954,
+		  2147483647, 2147745794, 2380224015317016190, 2478231962306073784,
+		  2532538262737333146, 2589926981877829912, 2597124982561782591, 2600364143812063535,
+		  2717025511528702475, 2734787258623754862, 27407921587843457, 2760663353550280147,
+		  2797129108883749491, 2810460305047003196, 292198192373389586, 2934149816356927366,
+		  3045986759481489935, 3178468437029279937, 3200333496547938354, 3320026265773918739,
+		  3320767229281015341, 3341747963119755850, 3407972863931386250, 3413052607651207697,
+		  3413886037471417852, 3421197789791424393, 3421213182954201407, 3425260965299690882,
+		  3538022140597504361, 3575761800716667678, 3588624367609827560, 3626142665768487764,
+		  3642525650883269872, 3656637464651387014, 3660705254426876796, 3769837838875367802,
+		  3778500091710709090, 3796405623695665524, 3869935012404164040, 3890769468012566366,
+		  3890794756780010537, 397780960855462669, 4030236413975199654, 4088976323439621041,
+		  4454255944391929578, 4501656691368064027, 4578480846255629462, 4821863173800309721,
+		  4931721628717906635, 506634811745884560, 5132256620104998637, 5183687599225757871,
+		  521157249538507889, 5219431737322569038, 541172992193764396, 5415426428750045503,
+		  5449730069165757263, 5587557070429522647, 5614586596107908838, 576626207276463000,
+		  5942282052525294911, 5945487981219695001, 5984963105389676759, 607197993339007484,
+		  6088115528707848728, 6116246686670134098, 6180361713414290679, 6195833633417633900,
+		  6274014997237900919, 640589622539783622, 6461429591783621719, 6491986958834001955,
+		  6508141243778577344, 6605813339339102567, 682250828679635420, 6827032273910657891,
+		  6943102301517884811, 700598796416086955, 7080175711202577138, 7175363135479931834,
+		  7315838824213522000, 7412338704062093516, 7516148236133302073, 7574774749059321801,
+		  7701683279824397773, 7775177810774851294, 7810436520414958497, 7878537243757499832,
+		  79089792725215063, 7982848972385914508, 8052533790968282297, 8129411991672431889,
+		  8146185202538899243, 835151375515278827, 8381292265993977266, 8408095252303317471,
+		  8473756179280619170, 8478833628889826985, 8612208440357175863, 8697424601205169055,
+		  8698326794961817906, 8709004393777297355, 8727477769544302060, 8760312338504300643,
+		  8799118153397725683, 8873858923435176895, 8994091295115840290, 9007106680104765185,
+		  9061219083560670602, 9149947745824492274, 917638920165491138, 9234894663364701749,
+		  9333057603143916814, 9384605490088500348, 9531326785919727076, 9555688264681862794,
+		  9559632696372799208, 9903758755917170407
+		};
+	}
+
+	void Literals() {
+		string[] literals = { // BUG : NumberOfKnownLiteralsAboveThreshold
+			"(?i)([^a-z]|^)(test)([^a-z]|$)", "(?i)(solarwinds)", "[{0,5}] {1,-16} {2}\t{3,5} {4}\\{5}\n",
+			"[{0,5}] {1}\n", "[E] {0} {1} {2}",
+			"\"\\{[0-9a-f-]{36}\\}\"|\"[0-9a-f]{32}\"|\"[0-9a-f]{16}\"", ".CortexPlugin", ".Orion",
+			"\"EventName\":\"EventManager\",", "\"EventType\":\"Orion\",",
+			"\\OrionImprovement\\SolarWinds.OrionImprovement.exe",
+			"0123456789abcdefghijklmnopqrstuvwxyz-_.", "\"sessionId\":\"{0}\",", "\"steps\":[",
+			"\"Succeeded\":true,", "\"Timestamp\":\"\\/Date({0})\\/\",", "\"userId\":\"{0}\",",
+			"{0} {1} HTTP/{2}\n", "10140", "144.86.226.0", "154.118.140.0", "172.16.0.0", "18.130.0.0",
+			"184.72.0.0", "192.168.0.0", "199.201.117.0", "20.140.0.0", "20100", "20220", "217.163.7.0",
+			"224.0.0.0", "240.0.0.0", "255.240.0.0", "255.254.0.0", "255.255.248.0", "3.0.0.382",
+			"41.84.159.0", "43140", "4320", "43260", "524287", "583da945-62af-10e8-4902-a8f205c72b2e",
+			"65280", "71.152.53.0", "74.114.24.0", "8.18.144.0", "87.238.80.0", "96.31.172.0", "983040",
+			"99.79.0.0", "Administrator", "advapi32.dll", "Apollo", "appsync-api", "avsvmcloud.com",
+			"api.solarwinds.com", "-root", "-cert", "-universal_ca", "-ca", "-primary_ca", "-timestamp",
+			"-global", "-secureca", "CloudMonitoring", "MACAddress", "DHCPEnabled", "DHCPServer",
+			"DNSHostName", "DNSDomainSuffixSearchOrder", "DNSServerSearchOrder", "IPAddress", "IPSubnet",
+			"DefaultIPGateway", "OSArchitecture", "InstallDate", "Organization", "RegisteredUser",
+			"fc00::", "fe00::", "fec0::", "ffc0::", "ff00::", "HKCC", "HKCR", "HKCU", "HKDD",
+			"HKEY_CLASSES_ROOT", "HKEY_CURRENT_CONFIG", "HKEY_CURRENT_USER", "HKEY_DYN_DATA",
+			"HKEY_LOCAL_MACHINE", "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Cryptography",
+			"HKEY_PERFOMANCE_DATA", "HKEY_USERS", "HKLM", "HKPD", "HKU", "If-None-Match",
+			"Microsoft-CryptoAPI/", "Nodes", "Volumes", "Interfaces", "Components", "opensans",
+			"Organization", "OSArchitecture", "ParentProcessID", "PathName", "ReportWatcherPostpone",
+			"ReportWatcherRetry", "S-1-5-", "SeRestorePrivilege", "SeShutdownPrivilege",
+			"SeTakeOwnershipPrivilege", "SolarWinds", "SolarWindsOrionImprovementClient/",
+			"SourceCodePro", "SourceHanSans", "SourceHanSerif", "SourceSerifPro", "Start", "swip/Events",
+			"swip/upd/", "swip/Upload.ashx", "SYSTEM", "SYSTEM\\CurrentControlSet\\services", "us-east-1",
+			"us-east-2", "us-west-2", "fonts/woff/{0}-{1}-{2}{3}.woff2",
+			"fonts/woff/{0}-{1}-{2}-webfont{3}.woff2", "ph2eifo3n5utg1j8d94qrvbmk0sal76c",
+			"pki/crl/{0}{1}{2}.crl", "rq3gsalt6u1iyfzop572d49bnx8cvmkewhj",
+			"Select * From Win32_NetworkAdapterConfiguration where IPEnabled=true",
+			"Select * From Win32_OperatingSystem", "Select * From Win32_Process",
+			"Select * From Win32_SystemDriver", "Select * From Win32_UserAccount"
+		};
+				
+	}
+
+	void SwallowExceptionTest()
+	{
+		try{
+			Literals();
+		}
+		catch // BUG : SwallowEverythingExceptionHandler
+		{}
+
+		try{
+			Literals();
+		}
+		catch( Exception e) // BUG : SwallowEverythingExceptionHandler
+		{
+			// 
+		}
+
+		try{
+			Literals();
+		}
+		catch( Exception e)
+		{
+			// NOT A BUG
+			throw;
+		}
+	}
+}

From 503b339a1f0d121c3976667f4e861908dd52aa15 Mon Sep 17 00:00:00 2001
From: CaptainFreak <patelshoeb4@gmail.com>
Date: Tue, 9 Feb 2021 07:35:35 +0530
Subject: [PATCH 248/429] remove hbs specific checks

---
 .../Security/CWE-073/TemplateObjectInjection.ql            | 7 +------
 1 file changed, 1 insertion(+), 6 deletions(-)

diff --git a/javascript/ql/src/experimental/Security/CWE-073/TemplateObjectInjection.ql b/javascript/ql/src/experimental/Security/CWE-073/TemplateObjectInjection.ql
index 8c5c19e6096..58c02667af3 100644
--- a/javascript/ql/src/experimental/Security/CWE-073/TemplateObjectInjection.ql
+++ b/javascript/ql/src/experimental/Security/CWE-073/TemplateObjectInjection.ql
@@ -14,10 +14,6 @@ import javascript
 import DataFlow::PathGraph
 import semmle.javascript.security.TaintedObject
 
-predicate isUsingHbsEngine() {
-  Express::appCreation().getAMethodCall("set").getArgument(1).mayHaveStringValue("hbs")
-}
-
 class TemplateObjInjectionConfig extends TaintTracking::Configuration {
   TemplateObjInjectionConfig() { this = "TemplateObjInjectionConfig" }
 
@@ -32,8 +28,7 @@ class TemplateObjInjectionConfig extends TaintTracking::Configuration {
     exists(MethodCallExpr mc |
       Express::isResponse(mc.getReceiver()) and
       mc.getMethodName() = "render" and
-      sink.asExpr() = mc.getArgument(1) and
-      isUsingHbsEngine()
+      sink.asExpr() = mc.getArgument(1)
     )
   }
 

From 3818971b79d98ae63d01951be5d5fcb26bf783f2 Mon Sep 17 00:00:00 2001
From: Remco Vermeulen <rvermeulen@users.noreply.github.com>
Date: Tue, 9 Feb 2021 13:09:02 +0100
Subject: [PATCH 249/429] Add redirect sinks

Both the familiy of `Accepted` and `Created` method set the location
header based on provided input. If this is untrusted input this can
result in an URL redirect attack.
---
 .../code/csharp/frameworks/microsoft/AspNetCore.qll       | 8 +++++++-
 1 file changed, 7 insertions(+), 1 deletion(-)

diff --git a/csharp/ql/src/semmle/code/csharp/frameworks/microsoft/AspNetCore.qll b/csharp/ql/src/semmle/code/csharp/frameworks/microsoft/AspNetCore.qll
index 3ebd7028504..a00f7d21a05 100644
--- a/csharp/ql/src/semmle/code/csharp/frameworks/microsoft/AspNetCore.qll
+++ b/csharp/ql/src/semmle/code/csharp/frameworks/microsoft/AspNetCore.qll
@@ -195,7 +195,13 @@ class MicrosoftAspNetCoreMvcController extends Class {
   /** Gets a `Redirect*` method. */
   Method getARedirectMethod() {
     result = this.getAMethod() and
-    result.getName().matches("Redirect%")
+    (
+      result.getName().matches("Redirect%")
+      or
+      result.getName().matches("Accepted%")
+      or
+      result.getName().matches("Created%")
+    )
   }
 }
 

From 8dd5a7e7c7a11ac645e7fa7c8ad6fb456755eab2 Mon Sep 17 00:00:00 2001
From: alexet <alexet@semmle.com>
Date: Tue, 9 Feb 2021 12:10:09 +0000
Subject: [PATCH 250/429] Javascript Extractor: Update <tt> tages to <code>

---
 .../com/semmle/js/ast/DeclarationFlags.java   | 22 +++++++++----------
 .../src/com/semmle/js/ast/Literal.java        |  2 +-
 .../com/semmle/js/ast/MemberDefinition.java   |  6 ++---
 .../com/semmle/js/extractor/ASTExtractor.java |  6 ++---
 .../com/semmle/js/extractor/AutoBuild.java    |  4 ++--
 .../com/semmle/js/extractor/ScopeManager.java |  2 +-
 .../com/semmle/js/parser/ParsedProject.java   |  2 +-
 .../src/com/semmle/ts/ast/ArrayTypeExpr.java  |  2 +-
 .../semmle/ts/ast/ConditionalTypeExpr.java    |  2 +-
 .../ts/ast/ExportAsNamespaceDeclaration.java  |  2 +-
 .../ts/ast/ExpressionWithTypeArguments.java   |  2 +-
 .../ts/ast/ExternalModuleDeclaration.java     |  2 +-
 .../com/semmle/ts/ast/GenericTypeExpr.java    |  2 +-
 .../ts/ast/GlobalAugmentationDeclaration.java |  2 +-
 .../com/semmle/ts/ast/INodeWithSymbol.java    |  2 +-
 .../com/semmle/ts/ast/ITypeExpression.java    |  2 +-
 .../src/com/semmle/ts/ast/ImportTypeExpr.java |  2 +-
 .../semmle/ts/ast/ImportWholeDeclaration.java |  2 +-
 .../semmle/ts/ast/IndexedAccessTypeExpr.java  |  2 +-
 .../src/com/semmle/ts/ast/InferTypeExpr.java  |  2 +-
 .../com/semmle/ts/ast/InterfaceTypeExpr.java  |  2 +-
 .../semmle/ts/ast/IntersectionTypeExpr.java   |  4 ++--
 .../com/semmle/ts/ast/KeywordTypeExpr.java    |  8 +++----
 .../src/com/semmle/ts/ast/MappedTypeExpr.java |  6 ++---
 .../com/semmle/ts/ast/NonNullAssertion.java   |  2 +-
 .../com/semmle/ts/ast/OptionalTypeExpr.java   |  2 +-
 .../semmle/ts/ast/ParenthesizedTypeExpr.java  |  2 +-
 .../com/semmle/ts/ast/PredicateTypeExpr.java  |  8 +++----
 .../src/com/semmle/ts/ast/RestTypeExpr.java   |  2 +-
 .../src/com/semmle/ts/ast/TupleTypeExpr.java  |  2 +-
 .../src/com/semmle/ts/ast/TypeAssertion.java  |  2 +-
 .../src/com/semmle/ts/ast/TypeParameter.java  |  6 ++---
 .../src/com/semmle/ts/ast/TypeofTypeExpr.java |  2 +-
 .../src/com/semmle/ts/ast/UnaryTypeExpr.java  |  2 +-
 .../src/com/semmle/ts/ast/UnionTypeExpr.java  |  2 +-
 .../semmle/ts/extractor/TypeExtractor.java    |  2 +-
 .../ts/extractor/TypeScriptASTConverter.java  | 16 +++++++-------
 .../semmle/ts/extractor/TypeScriptParser.java |  4 ++--
 .../com/semmle/ts/extractor/TypeTable.java    |  4 ++--
 39 files changed, 74 insertions(+), 74 deletions(-)

diff --git a/javascript/extractor/src/com/semmle/js/ast/DeclarationFlags.java b/javascript/extractor/src/com/semmle/js/ast/DeclarationFlags.java
index 28546fdeca8..cbd8b1eedf7 100644
--- a/javascript/extractor/src/com/semmle/js/ast/DeclarationFlags.java
+++ b/javascript/extractor/src/com/semmle/js/ast/DeclarationFlags.java
@@ -88,59 +88,59 @@ public class DeclarationFlags {
     return (flags & declareKeyword) != 0;
   }
 
-  /** Returns a mask with the computed bit set to the value of <tt>enable</tt>. */
+  /** Returns a mask with the computed bit set to the value of <code>enable</code>. */
   public static int getComputed(boolean enable) {
     return enable ? computed : 0;
   }
 
-  /** Returns a mask with the abstract bit set to the value of <tt>enable</tt>. */
+  /** Returns a mask with the abstract bit set to the value of <code>enable</code>. */
   public static int getAbstract(boolean enable) {
     return enable ? abstract_ : 0;
   }
 
-  /** Returns a mask with the static bit set to the value of <tt>enable</tt>. */
+  /** Returns a mask with the static bit set to the value of <code>enable</code>. */
   public static int getStatic(boolean enable) {
     return enable ? static_ : 0;
   }
 
-  /** Returns a mask with the public bit set to the value of <tt>enable</tt>. */
+  /** Returns a mask with the public bit set to the value of <code>enable</code>. */
   public static int getPublic(boolean enable) {
     return enable ? public_ : 0;
   }
 
-  /** Returns a mask with the readonly bit set to the value of <tt>enable</tt>. */
+  /** Returns a mask with the readonly bit set to the value of <code>enable</code>. */
   public static int getReadonly(boolean enable) {
     return enable ? readonly : 0;
   }
 
-  /** Returns a mask with the private bit set to the value of <tt>enable</tt>. */
+  /** Returns a mask with the private bit set to the value of <code>enable</code>. */
   public static int getPrivate(boolean enable) {
     return enable ? private_ : 0;
   }
 
-  /** Returns a mask with the protected bit set to the value of <tt>enable</tt>. */
+  /** Returns a mask with the protected bit set to the value of <code>enable</code>. */
   public static int getProtected(boolean enable) {
     return enable ? protected_ : 0;
   }
 
-  /** Returns a mask with the optional bit set to the value of <tt>enable</tt>. */
+  /** Returns a mask with the optional bit set to the value of <code>enable</code>. */
   public static int getOptional(boolean enable) {
     return enable ? optional : 0;
   }
 
   /**
-   * Returns a mask with the definite assignment assertion bit set to the value of <tt>enable</tt>.
+   * Returns a mask with the definite assignment assertion bit set to the value of <code>enable</code>.
    */
   public static int getDefiniteAssignmentAssertion(boolean enable) {
     return enable ? definiteAssignmentAssertion : 0;
   }
 
-  /** Returns a mask with the declare keyword bit set to the value of <tt>enable</tt>. */
+  /** Returns a mask with the declare keyword bit set to the value of <code>enable</code>. */
   public static int getDeclareKeyword(boolean enable) {
     return enable ? declareKeyword : 0;
   }
 
-  /** Returns true if the <tt>n</tt>th bit is set in <tt>flags</tt>. */
+  /** Returns true if the <code>n</code>th bit is set in <code>flags</code>. */
   public static boolean hasNthFlag(int flags, int n) {
     return (flags & (1 << n)) != 0;
   }
diff --git a/javascript/extractor/src/com/semmle/js/ast/Literal.java b/javascript/extractor/src/com/semmle/js/ast/Literal.java
index 15408b05916..3c53798b851 100644
--- a/javascript/extractor/src/com/semmle/js/ast/Literal.java
+++ b/javascript/extractor/src/com/semmle/js/ast/Literal.java
@@ -6,7 +6,7 @@ import com.semmle.ts.ast.ITypeExpression;
 /**
  * A literal constant.
  *
- * <p>A <tt>null</tt> literal may occur as a TypeScript type annotation - other literals are always
+ * <p>A <code>null</code> literal may occur as a TypeScript type annotation - other literals are always
  * expressions.
  */
 public class Literal extends Expression implements ITypeExpression {
diff --git a/javascript/extractor/src/com/semmle/js/ast/MemberDefinition.java b/javascript/extractor/src/com/semmle/js/ast/MemberDefinition.java
index c04b79fa366..7cacafa96ed 100644
--- a/javascript/extractor/src/com/semmle/js/ast/MemberDefinition.java
+++ b/javascript/extractor/src/com/semmle/js/ast/MemberDefinition.java
@@ -40,7 +40,7 @@ public abstract class MemberDefinition<V extends Expression> extends Node {
     return flags;
   }
 
-  /** Returns true if this has the <tt>static</tt> modifier. */
+  /** Returns true if this has the <code>static</code> modifier. */
   public boolean isStatic() {
     return DeclarationFlags.isStatic(flags);
   }
@@ -55,7 +55,7 @@ public abstract class MemberDefinition<V extends Expression> extends Node {
     return DeclarationFlags.isAbstract(flags);
   }
 
-  /** Returns true if has the <tt>public</tt> modifier (not true for implicitly public members). */
+  /** Returns true if has the <code>public</code> modifier (not true for implicitly public members). */
   public boolean hasPublicKeyword() {
     return DeclarationFlags.isPublic(flags);
   }
@@ -75,7 +75,7 @@ public abstract class MemberDefinition<V extends Expression> extends Node {
     return DeclarationFlags.isReadonly(flags);
   }
 
-  /** Returns true if this has the <tt>declare</tt> modifier. */
+  /** Returns true if this has the <code>declare</code> modifier. */
   public boolean hasDeclareKeyword() {
     return DeclarationFlags.hasDeclareKeyword(flags);
   }
diff --git a/javascript/extractor/src/com/semmle/js/extractor/ASTExtractor.java b/javascript/extractor/src/com/semmle/js/extractor/ASTExtractor.java
index 73cefdae30d..bb270353869 100644
--- a/javascript/extractor/src/com/semmle/js/extractor/ASTExtractor.java
+++ b/javascript/extractor/src/com/semmle/js/extractor/ASTExtractor.java
@@ -253,7 +253,7 @@ public class ASTExtractor {
 
     /**
      * An identifier that refers to a variable from inside a type, i.e. the operand to a
-     * <tt>typeof</tt> type or left operand to an <tt>is</tt> type.
+     * <code>typeof</code> type or left operand to an <code>is</code> type.
      *
      * <p>This is generally treated as a type, except a variable binding will be emitted for it.
      */
@@ -288,7 +288,7 @@ public class ASTExtractor {
     VAR_AND_TYPE_AND_NAMESPACE_DECL,
 
     /**
-     * An identifier that occurs as part of a named export, such as <tt>export { A }</tt>.
+     * An identifier that occurs as part of a named export, such as <code>export { A }</code>.
      *
      * <p>This may refer to a variable, type, and/or a namespace, and will export exactly those that
      * can be resolved.
@@ -301,7 +301,7 @@ public class ASTExtractor {
 
     /**
      * An identifier that occurs as a qualified name in a default export expression, such as
-     * <tt>A</tt> in <tt>export default A.B</tt>.
+     * <code>A</code> in <code>export default A.B</code>.
      *
      * <p>This acts like {@link #EXPORT}, except it cannot refer to a type (i.e. it must be a
      * variable and/or a namespace).
diff --git a/javascript/extractor/src/com/semmle/js/extractor/AutoBuild.java b/javascript/extractor/src/com/semmle/js/extractor/AutoBuild.java
index 398330acd59..505c45832e2 100644
--- a/javascript/extractor/src/com/semmle/js/extractor/AutoBuild.java
+++ b/javascript/extractor/src/com/semmle/js/extractor/AutoBuild.java
@@ -722,13 +722,13 @@ public class AutoBuild {
   }
 
   /**
-   * Prepares <tt>package.json</tt> files in a virtual source root, and, if enabled,
+   * Prepares <code>package.json</code> files in a virtual source root, and, if enabled,
    * installs dependencies for use by the TypeScript type checker.
    * <p>
    * Some packages must be downloaded while others exist within the same repo ("monorepos")
    * but are not in a location where TypeScript would look for it.
    * <p>
-   * Downloaded packages are intalled under <tt>SCRATCH_DIR</tt>, in a mirrored directory hierarchy
+   * Downloaded packages are intalled under <code>SCRATCH_DIR</code>, in a mirrored directory hierarchy
    * we call the "virtual source root".
    * <p>
    * Packages that exists within the repo are not downloaded. Since they are part of the main source tree,
diff --git a/javascript/extractor/src/com/semmle/js/extractor/ScopeManager.java b/javascript/extractor/src/com/semmle/js/extractor/ScopeManager.java
index 14e88a92c9d..923635037c7 100644
--- a/javascript/extractor/src/com/semmle/js/extractor/ScopeManager.java
+++ b/javascript/extractor/src/com/semmle/js/extractor/ScopeManager.java
@@ -149,7 +149,7 @@ public class ScopeManager {
   }
 
   /**
-   * Enters a scope for a block of form <tt>declare global { ... }</tt>.
+   * Enters a scope for a block of form <code>declare global { ... }</code>.
    *
    * <p>Declarations in this block will contribute to the global scope, but references can still be
    * resolved in the scope enclosing the declaration itself. The scope itself does not have its own
diff --git a/javascript/extractor/src/com/semmle/js/parser/ParsedProject.java b/javascript/extractor/src/com/semmle/js/parser/ParsedProject.java
index 49c6049d452..34315111ba6 100644
--- a/javascript/extractor/src/com/semmle/js/parser/ParsedProject.java
+++ b/javascript/extractor/src/com/semmle/js/parser/ParsedProject.java
@@ -14,7 +14,7 @@ public class ParsedProject {
     this.allFiles = allFiles;
   }
 
-  /** Returns the <tt>tsconfig.json</tt> file that defines this project. */
+  /** Returns the <code>tsconfig.json</code> file that defines this project. */
   public File getTsConfigFile() {
     return tsConfigFile;
   }
diff --git a/javascript/extractor/src/com/semmle/ts/ast/ArrayTypeExpr.java b/javascript/extractor/src/com/semmle/ts/ast/ArrayTypeExpr.java
index badcf444439..07a1da74ed7 100644
--- a/javascript/extractor/src/com/semmle/ts/ast/ArrayTypeExpr.java
+++ b/javascript/extractor/src/com/semmle/ts/ast/ArrayTypeExpr.java
@@ -4,7 +4,7 @@ import com.semmle.js.ast.SourceLocation;
 import com.semmle.js.ast.Visitor;
 
 /**
- * An array type, such as <tt>number[]</tt>, or in general <tt>T[]</tt> where <tt>T</tt> is a type.
+ * An array type, such as <code>number[]</code>, or in general <code>T[]</code> where <code>T</code> is a type.
  */
 public class ArrayTypeExpr extends TypeExpression {
   private final ITypeExpression elementType;
diff --git a/javascript/extractor/src/com/semmle/ts/ast/ConditionalTypeExpr.java b/javascript/extractor/src/com/semmle/ts/ast/ConditionalTypeExpr.java
index 61bc2c647f2..e690f6b6244 100644
--- a/javascript/extractor/src/com/semmle/ts/ast/ConditionalTypeExpr.java
+++ b/javascript/extractor/src/com/semmle/ts/ast/ConditionalTypeExpr.java
@@ -3,7 +3,7 @@ package com.semmle.ts.ast;
 import com.semmle.js.ast.SourceLocation;
 import com.semmle.js.ast.Visitor;
 
-/** A conditional type annotation, such as <tt>T extends any[] ? A : B</tt>. */
+/** A conditional type annotation, such as <code>T extends any[] ? A : B</code>. */
 public class ConditionalTypeExpr extends TypeExpression {
   private ITypeExpression checkType;
   private ITypeExpression extendsType;
diff --git a/javascript/extractor/src/com/semmle/ts/ast/ExportAsNamespaceDeclaration.java b/javascript/extractor/src/com/semmle/ts/ast/ExportAsNamespaceDeclaration.java
index b6921b34924..f836f052f23 100644
--- a/javascript/extractor/src/com/semmle/ts/ast/ExportAsNamespaceDeclaration.java
+++ b/javascript/extractor/src/com/semmle/ts/ast/ExportAsNamespaceDeclaration.java
@@ -5,7 +5,7 @@ import com.semmle.js.ast.SourceLocation;
 import com.semmle.js.ast.Statement;
 import com.semmle.js.ast.Visitor;
 
-/** A statement of form <tt>export as namespace X</tt> where <tt>X</tt> is an identifier. */
+/** A statement of form <code>export as namespace X</code> where <code>X</code> is an identifier. */
 public class ExportAsNamespaceDeclaration extends Statement {
   private Identifier id;
 
diff --git a/javascript/extractor/src/com/semmle/ts/ast/ExpressionWithTypeArguments.java b/javascript/extractor/src/com/semmle/ts/ast/ExpressionWithTypeArguments.java
index 4c4c681d078..c1f3c318a9e 100644
--- a/javascript/extractor/src/com/semmle/ts/ast/ExpressionWithTypeArguments.java
+++ b/javascript/extractor/src/com/semmle/ts/ast/ExpressionWithTypeArguments.java
@@ -13,7 +13,7 @@ import java.util.List;
  * class StringList extends List&lt;string&gt; {}
  * </pre>
  *
- * Above, <tt>List</tt> is a concrete expression whereas its type argument is a type.
+ * Above, <code>List</code> is a concrete expression whereas its type argument is a type.
  */
 public class ExpressionWithTypeArguments extends Expression {
   private final Expression expression;
diff --git a/javascript/extractor/src/com/semmle/ts/ast/ExternalModuleDeclaration.java b/javascript/extractor/src/com/semmle/ts/ast/ExternalModuleDeclaration.java
index 58baaac7424..555e86da2b4 100644
--- a/javascript/extractor/src/com/semmle/ts/ast/ExternalModuleDeclaration.java
+++ b/javascript/extractor/src/com/semmle/ts/ast/ExternalModuleDeclaration.java
@@ -6,7 +6,7 @@ import com.semmle.js.ast.Statement;
 import com.semmle.js.ast.Visitor;
 import java.util.List;
 
-/** A statement of form <tt>declare module "X" {...}</tt>. */
+/** A statement of form <code>declare module "X" {...}</code>. */
 public class ExternalModuleDeclaration extends Statement {
   private final Literal name;
   private final List<Statement> body;
diff --git a/javascript/extractor/src/com/semmle/ts/ast/GenericTypeExpr.java b/javascript/extractor/src/com/semmle/ts/ast/GenericTypeExpr.java
index efaee334c1f..1df66ae1fe2 100644
--- a/javascript/extractor/src/com/semmle/ts/ast/GenericTypeExpr.java
+++ b/javascript/extractor/src/com/semmle/ts/ast/GenericTypeExpr.java
@@ -4,7 +4,7 @@ import com.semmle.js.ast.SourceLocation;
 import com.semmle.js.ast.Visitor;
 import java.util.List;
 
-/** An instantiation of a named type, such as <tt>Array&lt;number&gt;</tt> */
+/** An instantiation of a named type, such as <code>Array&lt;number&gt;</code> */
 public class GenericTypeExpr extends TypeExpression {
   private final ITypeExpression typeName; // Always Identifier or MemberExpression
   private final List<ITypeExpression> typeArguments;
diff --git a/javascript/extractor/src/com/semmle/ts/ast/GlobalAugmentationDeclaration.java b/javascript/extractor/src/com/semmle/ts/ast/GlobalAugmentationDeclaration.java
index b8eec7fac94..008e5e403c1 100644
--- a/javascript/extractor/src/com/semmle/ts/ast/GlobalAugmentationDeclaration.java
+++ b/javascript/extractor/src/com/semmle/ts/ast/GlobalAugmentationDeclaration.java
@@ -5,7 +5,7 @@ import com.semmle.js.ast.Statement;
 import com.semmle.js.ast.Visitor;
 import java.util.List;
 
-/** A statement of form: <tt>declare global { ... }</tt> */
+/** A statement of form: <code>declare global { ... }</code> */
 public class GlobalAugmentationDeclaration extends Statement {
   private final List<Statement> body;
 
diff --git a/javascript/extractor/src/com/semmle/ts/ast/INodeWithSymbol.java b/javascript/extractor/src/com/semmle/ts/ast/INodeWithSymbol.java
index 9f5e1fe2993..c0fc5864c63 100644
--- a/javascript/extractor/src/com/semmle/ts/ast/INodeWithSymbol.java
+++ b/javascript/extractor/src/com/semmle/ts/ast/INodeWithSymbol.java
@@ -8,7 +8,7 @@ package com.semmle.ts.ast;
  */
 public interface INodeWithSymbol {
   /**
-   * Gets a number identifying the symbol associated with this AST node, or <tt>-1</tt> if there is
+   * Gets a number identifying the symbol associated with this AST node, or <code>-1</code> if there is
    * no such symbol.
    */
   int getSymbol();
diff --git a/javascript/extractor/src/com/semmle/ts/ast/ITypeExpression.java b/javascript/extractor/src/com/semmle/ts/ast/ITypeExpression.java
index 0054adb4f72..71185a7f92c 100644
--- a/javascript/extractor/src/com/semmle/ts/ast/ITypeExpression.java
+++ b/javascript/extractor/src/com/semmle/ts/ast/ITypeExpression.java
@@ -8,6 +8,6 @@ import com.semmle.js.ast.Literal;
  *
  * <p>At the QL level, expressions and type annotations are completely separate. In the extractor,
  * however, some expressions such as {@link Literal} type may occur in a type annotation because the
- * TypeScript AST does not distinguish <tt>null</tt> literals from the <tt>null</tt> type.
+ * TypeScript AST does not distinguish <code>null</code> literals from the <code>null</code> type.
  */
 public interface ITypeExpression extends INode, ITypedAstNode {}
diff --git a/javascript/extractor/src/com/semmle/ts/ast/ImportTypeExpr.java b/javascript/extractor/src/com/semmle/ts/ast/ImportTypeExpr.java
index edf60004645..11535c3376c 100644
--- a/javascript/extractor/src/com/semmle/ts/ast/ImportTypeExpr.java
+++ b/javascript/extractor/src/com/semmle/ts/ast/ImportTypeExpr.java
@@ -4,7 +4,7 @@ import com.semmle.js.ast.Expression;
 import com.semmle.js.ast.SourceLocation;
 import com.semmle.js.ast.Visitor;
 
-/** An import type such as in <tt>import("http").ServerRequest</tt>. */
+/** An import type such as in <code>import("http").ServerRequest</code>. */
 public class ImportTypeExpr extends Expression implements ITypeExpression {
   private final ITypeExpression path;
 
diff --git a/javascript/extractor/src/com/semmle/ts/ast/ImportWholeDeclaration.java b/javascript/extractor/src/com/semmle/ts/ast/ImportWholeDeclaration.java
index 4631a615fe2..9b4c7b6b6d8 100644
--- a/javascript/extractor/src/com/semmle/ts/ast/ImportWholeDeclaration.java
+++ b/javascript/extractor/src/com/semmle/ts/ast/ImportWholeDeclaration.java
@@ -6,7 +6,7 @@ import com.semmle.js.ast.SourceLocation;
 import com.semmle.js.ast.Statement;
 import com.semmle.js.ast.Visitor;
 
-/** An import of form <tt>import a = E</tt>. */
+/** An import of form <code>import a = E</code>. */
 public class ImportWholeDeclaration extends Statement {
   private final Identifier lhs;
   private final Expression rhs;
diff --git a/javascript/extractor/src/com/semmle/ts/ast/IndexedAccessTypeExpr.java b/javascript/extractor/src/com/semmle/ts/ast/IndexedAccessTypeExpr.java
index baf7b95ff2e..420084d3ef2 100644
--- a/javascript/extractor/src/com/semmle/ts/ast/IndexedAccessTypeExpr.java
+++ b/javascript/extractor/src/com/semmle/ts/ast/IndexedAccessTypeExpr.java
@@ -3,7 +3,7 @@ package com.semmle.ts.ast;
 import com.semmle.js.ast.SourceLocation;
 import com.semmle.js.ast.Visitor;
 
-/** A type of form <tt>T[K]</tt> where <tt>T</tt> and <tt>K</tt> are types. */
+/** A type of form <code>T[K]</code> where <code>T</code> and <code>K</code> are types. */
 public class IndexedAccessTypeExpr extends TypeExpression {
   private final ITypeExpression objectType;
   private final ITypeExpression indexType;
diff --git a/javascript/extractor/src/com/semmle/ts/ast/InferTypeExpr.java b/javascript/extractor/src/com/semmle/ts/ast/InferTypeExpr.java
index a18269ce6c2..b9d24409ea6 100644
--- a/javascript/extractor/src/com/semmle/ts/ast/InferTypeExpr.java
+++ b/javascript/extractor/src/com/semmle/ts/ast/InferTypeExpr.java
@@ -3,7 +3,7 @@ package com.semmle.ts.ast;
 import com.semmle.js.ast.SourceLocation;
 import com.semmle.js.ast.Visitor;
 
-/** A type annotation of form <tt>infer R</tt> */
+/** A type annotation of form <code>infer R</code> */
 public class InferTypeExpr extends TypeExpression {
   private TypeParameter typeParameter;
 
diff --git a/javascript/extractor/src/com/semmle/ts/ast/InterfaceTypeExpr.java b/javascript/extractor/src/com/semmle/ts/ast/InterfaceTypeExpr.java
index 20f2b45b2b8..2c34d0bdb6a 100644
--- a/javascript/extractor/src/com/semmle/ts/ast/InterfaceTypeExpr.java
+++ b/javascript/extractor/src/com/semmle/ts/ast/InterfaceTypeExpr.java
@@ -5,7 +5,7 @@ import com.semmle.js.ast.SourceLocation;
 import com.semmle.js.ast.Visitor;
 import java.util.List;
 
-/** An inline interface type, such as <tt>{x: number; y: number}</tt>. */
+/** An inline interface type, such as <code>{x: number; y: number}</code>. */
 public class InterfaceTypeExpr extends TypeExpression {
   private final List<MemberDefinition<?>> body;
 
diff --git a/javascript/extractor/src/com/semmle/ts/ast/IntersectionTypeExpr.java b/javascript/extractor/src/com/semmle/ts/ast/IntersectionTypeExpr.java
index 2ff10be12cb..820ec752ce7 100644
--- a/javascript/extractor/src/com/semmle/ts/ast/IntersectionTypeExpr.java
+++ b/javascript/extractor/src/com/semmle/ts/ast/IntersectionTypeExpr.java
@@ -5,8 +5,8 @@ import com.semmle.js.ast.Visitor;
 import java.util.List;
 
 /**
- * An intersection type such as <tt>T&amp;S</tt>, denoting the intersection of type <tt>T</tt> and
- * type <tt>S</tt>.
+ * An intersection type such as <code>T&amp;S</code>, denoting the intersection of type <code>T</code> and
+ * type <code>S</code>.
  */
 public class IntersectionTypeExpr extends TypeExpression {
   private final List<ITypeExpression> elementTypes;
diff --git a/javascript/extractor/src/com/semmle/ts/ast/KeywordTypeExpr.java b/javascript/extractor/src/com/semmle/ts/ast/KeywordTypeExpr.java
index ede17e079e9..173dfc36294 100644
--- a/javascript/extractor/src/com/semmle/ts/ast/KeywordTypeExpr.java
+++ b/javascript/extractor/src/com/semmle/ts/ast/KeywordTypeExpr.java
@@ -4,14 +4,14 @@ import com.semmle.js.ast.SourceLocation;
 import com.semmle.js.ast.Visitor;
 
 /**
- * One of the TypeScript keyword types, such as <tt>string</tt> or <tt>any</tt>.
+ * One of the TypeScript keyword types, such as <code>string</code> or <code>any</code>.
  *
- * <p>This includes the type <tt>unique symbol</tt> which consists of two keywords but is
+ * <p>This includes the type <code>unique symbol</code> which consists of two keywords but is
  * represented as a keyword single type expression.
  *
- * <p>At the QL level, the <tt>null</tt> type is also a keyword type. In the extractor, however,
+ * <p>At the QL level, the <code>null</code> type is also a keyword type. In the extractor, however,
  * this is represented by a Literal, because the TypeScript AST does not distinguish those two uses
- * of <tt>null</tt>.
+ * of <code>null</code>.
  */
 public class KeywordTypeExpr extends TypeExpression {
   private final String keyword;
diff --git a/javascript/extractor/src/com/semmle/ts/ast/MappedTypeExpr.java b/javascript/extractor/src/com/semmle/ts/ast/MappedTypeExpr.java
index 30129296f34..7c951096bcc 100644
--- a/javascript/extractor/src/com/semmle/ts/ast/MappedTypeExpr.java
+++ b/javascript/extractor/src/com/semmle/ts/ast/MappedTypeExpr.java
@@ -4,10 +4,10 @@ import com.semmle.js.ast.SourceLocation;
 import com.semmle.js.ast.Visitor;
 
 /**
- * A type of form <tt>{ [K in C]: T }</tt>, where <tt>T</tt> is a type that may refer to <tt>K</tt>.
+ * A type of form <code>{ [K in C]: T }</code>, where <code>T</code> is a type that may refer to <code>K</code>.
  *
- * <p>As with the TypeScript AST, the <tt>K in C</tt> part is represented as a type parameter with
- * <tt>C</tt> as its upper bound.
+ * <p>As with the TypeScript AST, the <code>K in C</code> part is represented as a type parameter with
+ * <code>C</code> as its upper bound.
  */
 public class MappedTypeExpr extends TypeExpression {
   private final TypeParameter typeParameter;
diff --git a/javascript/extractor/src/com/semmle/ts/ast/NonNullAssertion.java b/javascript/extractor/src/com/semmle/ts/ast/NonNullAssertion.java
index 485b827ce97..6fe3d04b6c8 100644
--- a/javascript/extractor/src/com/semmle/ts/ast/NonNullAssertion.java
+++ b/javascript/extractor/src/com/semmle/ts/ast/NonNullAssertion.java
@@ -4,7 +4,7 @@ import com.semmle.js.ast.Expression;
 import com.semmle.js.ast.SourceLocation;
 import com.semmle.js.ast.Visitor;
 
-/** A TypeScript expression of form <tt>E!</tt>, asserting that <tt>E</tt> is not null. */
+/** A TypeScript expression of form <code>E!</code>, asserting that <code>E</code> is not null. */
 public class NonNullAssertion extends Expression {
   private final Expression expression;
 
diff --git a/javascript/extractor/src/com/semmle/ts/ast/OptionalTypeExpr.java b/javascript/extractor/src/com/semmle/ts/ast/OptionalTypeExpr.java
index 3d98f563127..b474c8cbaea 100644
--- a/javascript/extractor/src/com/semmle/ts/ast/OptionalTypeExpr.java
+++ b/javascript/extractor/src/com/semmle/ts/ast/OptionalTypeExpr.java
@@ -3,7 +3,7 @@ package com.semmle.ts.ast;
 import com.semmle.js.ast.SourceLocation;
 import com.semmle.js.ast.Visitor;
 
-/** An optional type in a tuple type, such as <tt>number?</tt> in <tt>[string, number?]</tt>. */
+/** An optional type in a tuple type, such as <code>number?</code> in <code>[string, number?]</code>. */
 public class OptionalTypeExpr extends TypeExpression {
   private final ITypeExpression elementType;
 
diff --git a/javascript/extractor/src/com/semmle/ts/ast/ParenthesizedTypeExpr.java b/javascript/extractor/src/com/semmle/ts/ast/ParenthesizedTypeExpr.java
index 1be6f191ff7..fd17b9ade0a 100644
--- a/javascript/extractor/src/com/semmle/ts/ast/ParenthesizedTypeExpr.java
+++ b/javascript/extractor/src/com/semmle/ts/ast/ParenthesizedTypeExpr.java
@@ -3,7 +3,7 @@ package com.semmle.ts.ast;
 import com.semmle.js.ast.SourceLocation;
 import com.semmle.js.ast.Visitor;
 
-/** A type expression in parentheses, such as <tt>("foo" | "bar")</tt>. */
+/** A type expression in parentheses, such as <code>("foo" | "bar")</code>. */
 public class ParenthesizedTypeExpr extends TypeExpression {
   private final ITypeExpression elementType;
 
diff --git a/javascript/extractor/src/com/semmle/ts/ast/PredicateTypeExpr.java b/javascript/extractor/src/com/semmle/ts/ast/PredicateTypeExpr.java
index 27bd3c1718c..f0b6042448a 100644
--- a/javascript/extractor/src/com/semmle/ts/ast/PredicateTypeExpr.java
+++ b/javascript/extractor/src/com/semmle/ts/ast/PredicateTypeExpr.java
@@ -4,8 +4,8 @@ import com.semmle.js.ast.SourceLocation;
 import com.semmle.js.ast.Visitor;
 
 /**
- * A type of form <tt>E is T</tt>, <tt>asserts E is T</tt> or <tt>asserts E</tt> where <tt>E</tt> is
- * a parameter name or <tt>this</tt> and <tt>T</tt> is a type.
+ * A type of form <code>E is T</code>, <code>asserts E is T</code> or <code>asserts E</code> where <code>E</code> is
+ * a parameter name or <code>this</code> and <code>T</code> is a type.
  */
 public class PredicateTypeExpr extends TypeExpression {
   private final ITypeExpression expression;
@@ -23,12 +23,12 @@ public class PredicateTypeExpr extends TypeExpression {
     this.hasAssertsKeyword = hasAssertsKeyword;
   }
 
-  /** Returns the <tt>E</tt> in <tt>E is T</tt>. */
+  /** Returns the <code>E</code> in <code>E is T</code>. */
   public ITypeExpression getExpression() {
     return expression;
   }
 
-  /** Returns the <tt>T</tt> in <tt>E is T</tt>. */
+  /** Returns the <code>T</code> in <code>E is T</code>. */
   public ITypeExpression getTypeExpr() {
     return type;
   }
diff --git a/javascript/extractor/src/com/semmle/ts/ast/RestTypeExpr.java b/javascript/extractor/src/com/semmle/ts/ast/RestTypeExpr.java
index ef0d9ad7f7f..5acb1069ee5 100644
--- a/javascript/extractor/src/com/semmle/ts/ast/RestTypeExpr.java
+++ b/javascript/extractor/src/com/semmle/ts/ast/RestTypeExpr.java
@@ -3,7 +3,7 @@ package com.semmle.ts.ast;
 import com.semmle.js.ast.SourceLocation;
 import com.semmle.js.ast.Visitor;
 
-/** A rest type in a tuple type, such as <tt>number[]</tt> in <tt>[string, ...number[]]</tt>. */
+/** A rest type in a tuple type, such as <code>number[]</code> in <code>[string, ...number[]]</code>. */
 public class RestTypeExpr extends TypeExpression {
   private final ITypeExpression arrayType;
 
diff --git a/javascript/extractor/src/com/semmle/ts/ast/TupleTypeExpr.java b/javascript/extractor/src/com/semmle/ts/ast/TupleTypeExpr.java
index a42df41847e..aa175b59167 100644
--- a/javascript/extractor/src/com/semmle/ts/ast/TupleTypeExpr.java
+++ b/javascript/extractor/src/com/semmle/ts/ast/TupleTypeExpr.java
@@ -5,7 +5,7 @@ import com.semmle.js.ast.SourceLocation;
 import com.semmle.js.ast.Visitor;
 import java.util.List;
 
-/** A tuple type, such as <tt>[number, string]</tt>. */
+/** A tuple type, such as <code>[number, string]</code>. */
 public class TupleTypeExpr extends TypeExpression {
   private final List<ITypeExpression> elementTypes;
   private final List<Identifier> elementNames;
diff --git a/javascript/extractor/src/com/semmle/ts/ast/TypeAssertion.java b/javascript/extractor/src/com/semmle/ts/ast/TypeAssertion.java
index 6a9150f93c2..39b108dac79 100644
--- a/javascript/extractor/src/com/semmle/ts/ast/TypeAssertion.java
+++ b/javascript/extractor/src/com/semmle/ts/ast/TypeAssertion.java
@@ -30,7 +30,7 @@ public class TypeAssertion extends Expression {
   }
 
   /**
-   * True if this is an assertion of form <tt>E as T</tt>, as opposed to the old syntax <code>
+   * True if this is an assertion of form <code>E as T</code>, as opposed to the old syntax <code>
    * &lt;T&gt; E</code>.
    */
   public boolean isAsExpression() {
diff --git a/javascript/extractor/src/com/semmle/ts/ast/TypeParameter.java b/javascript/extractor/src/com/semmle/ts/ast/TypeParameter.java
index 7cbf8d2d0eb..c5c516ef2d4 100644
--- a/javascript/extractor/src/com/semmle/ts/ast/TypeParameter.java
+++ b/javascript/extractor/src/com/semmle/ts/ast/TypeParameter.java
@@ -7,7 +7,7 @@ import com.semmle.js.ast.Visitor;
 /**
  * A type parameter declared on a class, interface, function, or type alias.
  *
- * <p>The general form of a type parameter is: <tt>S extends T = U</tt>.
+ * <p>The general form of a type parameter is: <code>S extends T = U</code>.
  */
 public class TypeParameter extends TypeExpression {
   private final Identifier id;
@@ -29,7 +29,7 @@ public class TypeParameter extends TypeExpression {
   /**
    * Returns the bound on the type parameter, or {@code null} if there is no bound.
    *
-   * <p>For example, in <tt>T extends Array = number[]</tt> the bound is <tt>Array</tt>.
+   * <p>For example, in <code>T extends Array = number[]</code> the bound is <code>Array</code>.
    */
   public ITypeExpression getBound() {
     return bound;
@@ -38,7 +38,7 @@ public class TypeParameter extends TypeExpression {
   /**
    * Returns the type parameter default, or {@code null} if there is no default,
    *
-   * <p>For example, in <tt>T extends Array = number[]</tt> the default is <tt>number[]</tt>.
+   * <p>For example, in <code>T extends Array = number[]</code> the default is <code>number[]</code>.
    */
   public ITypeExpression getDefault() {
     return default_;
diff --git a/javascript/extractor/src/com/semmle/ts/ast/TypeofTypeExpr.java b/javascript/extractor/src/com/semmle/ts/ast/TypeofTypeExpr.java
index cf308191a03..ed56a4c7f9b 100644
--- a/javascript/extractor/src/com/semmle/ts/ast/TypeofTypeExpr.java
+++ b/javascript/extractor/src/com/semmle/ts/ast/TypeofTypeExpr.java
@@ -4,7 +4,7 @@ import com.semmle.js.ast.SourceLocation;
 import com.semmle.js.ast.Visitor;
 
 /**
- * A type of form <tt>typeof E</tt> where <tt>E</tt> is an expression that takes the form of a
+ * A type of form <code>typeof E</code> where <code>E</code> is an expression that takes the form of a
  * qualified name.
  */
 public class TypeofTypeExpr extends TypeExpression {
diff --git a/javascript/extractor/src/com/semmle/ts/ast/UnaryTypeExpr.java b/javascript/extractor/src/com/semmle/ts/ast/UnaryTypeExpr.java
index 5682bb11d03..66658f27c8e 100644
--- a/javascript/extractor/src/com/semmle/ts/ast/UnaryTypeExpr.java
+++ b/javascript/extractor/src/com/semmle/ts/ast/UnaryTypeExpr.java
@@ -6,7 +6,7 @@ import com.semmle.js.ast.Visitor;
 /**
  * A unary operator applied to a type.
  *
- * <p>This can be <tt>keyof T</tt> or <tt>readonly T</tt>.
+ * <p>This can be <code>keyof T</code> or <code>readonly T</code>.
  */
 public class UnaryTypeExpr extends TypeExpression {
   private final ITypeExpression elementType;
diff --git a/javascript/extractor/src/com/semmle/ts/ast/UnionTypeExpr.java b/javascript/extractor/src/com/semmle/ts/ast/UnionTypeExpr.java
index 4be288914f4..fedb0dc5482 100644
--- a/javascript/extractor/src/com/semmle/ts/ast/UnionTypeExpr.java
+++ b/javascript/extractor/src/com/semmle/ts/ast/UnionTypeExpr.java
@@ -4,7 +4,7 @@ import com.semmle.js.ast.SourceLocation;
 import com.semmle.js.ast.Visitor;
 import java.util.List;
 
-/** A union type such as <tt>number | string | boolean</tt>. */
+/** A union type such as <code>number | string | boolean</code>. */
 public class UnionTypeExpr extends TypeExpression {
   private final List<ITypeExpression> elementTypes;
 
diff --git a/javascript/extractor/src/com/semmle/ts/extractor/TypeExtractor.java b/javascript/extractor/src/com/semmle/ts/extractor/TypeExtractor.java
index caf88175956..08f261b71de 100644
--- a/javascript/extractor/src/com/semmle/ts/extractor/TypeExtractor.java
+++ b/javascript/extractor/src/com/semmle/ts/extractor/TypeExtractor.java
@@ -12,7 +12,7 @@ import java.util.Map;
 /**
  * Extracts type and symbol information into TRAP files.
  *
- * <p>This is closely coupled with the <tt>type_table.ts</tt> file in the parser-wrapper. Type
+ * <p>This is closely coupled with the <code>type_table.ts</code> file in the parser-wrapper. Type
  * strings and symbol strings generated in that file are parsed here. See that file for reference
  * and documentation.
  */
diff --git a/javascript/extractor/src/com/semmle/ts/extractor/TypeScriptASTConverter.java b/javascript/extractor/src/com/semmle/ts/extractor/TypeScriptASTConverter.java
index 0824ad9be17..36d4f888618 100644
--- a/javascript/extractor/src/com/semmle/ts/extractor/TypeScriptASTConverter.java
+++ b/javascript/extractor/src/com/semmle/ts/extractor/TypeScriptASTConverter.java
@@ -703,14 +703,14 @@ public class TypeScriptASTConverter {
   }
 
   /**
-   * Converts the given child to an AST node of the given type or <tt>null</tt>. A ParseError is
+   * Converts the given child to an AST node of the given type or <code>null</code>. A ParseError is
    * thrown if a different type of node was found.
    *
    * <p>This is used to detect syntax errors that are not reported as syntax errors by the
    * TypeScript parser. Usually they are reported as errors in a later compiler stage, which the
    * extractor does not run.
    *
-   * <p>Returns <tt>null</tt> if the child is absent.
+   * <p>Returns <code>null</code> if the child is absent.
    */
   @SuppressWarnings("unchecked")
   private <T extends Node> T tryConvertChild(JsonObject node, String prop, Class<T> expectedType)
@@ -2515,8 +2515,8 @@ public class TypeScriptASTConverter {
   }
 
   /**
-   * Returns a specific modifier from the given node (or <tt>null</tt> if absent), as defined by its
-   * <tt>modifiers</tt> property and the <tt>kind</tt> property of the modifier AST node.
+   * Returns a specific modifier from the given node (or <code>null</code> if absent), as defined by its
+   * <code>modifiers</code> property and the <code>kind</code> property of the modifier AST node.
    */
   private JsonObject getModifier(JsonObject node, String modKind) {
     for (JsonElement mod : getModifiers(node))
@@ -2526,8 +2526,8 @@ public class TypeScriptASTConverter {
   }
 
   /**
-   * Check whether a node has a particular modifier, as defined by its <tt>modifiers</tt> property
-   * and the <tt>kind</tt> property of the modifier AST node.
+   * Check whether a node has a particular modifier, as defined by its <code>modifiers</code> property
+   * and the <code>kind</code> property of the modifier AST node.
    */
   private boolean hasModifier(JsonObject node, String modKind) {
     return getModifier(node, modKind) != null;
@@ -2568,8 +2568,8 @@ public class TypeScriptASTConverter {
   }
 
   /**
-   * Check whether a node has a particular flag, as defined by its <tt>flags</tt> property and the
-   * <tt>ts.NodeFlags</tt> in enum.
+   * Check whether a node has a particular flag, as defined by its <code>flags</code> property and the
+   * <code>ts.NodeFlags</code> in enum.
    */
   private boolean hasFlag(JsonObject node, String flagName) {
     int flagId = metadata.getNodeFlagId(flagName);
diff --git a/javascript/extractor/src/com/semmle/ts/extractor/TypeScriptParser.java b/javascript/extractor/src/com/semmle/ts/extractor/TypeScriptParser.java
index 36792f2d204..70a06656df8 100644
--- a/javascript/extractor/src/com/semmle/ts/extractor/TypeScriptParser.java
+++ b/javascript/extractor/src/com/semmle/ts/extractor/TypeScriptParser.java
@@ -97,7 +97,7 @@ public class TypeScriptParser {
   public static final String TYPESCRIPT_RETRIES_VAR = "SEMMLE_TYPESCRIPT_RETRIES";
 
   /**
-   * An environment variable (without the <tt>SEMMLE_</tt> or <tt>LGTM_</tt> prefix), that can be
+   * An environment variable (without the <code>SEMMLE_</code> or <code>LGTM_</code> prefix), that can be
    * set to indicate the maximum heap space usable by the Node.js process, in addition to its
    * "reserve memory".
    *
@@ -106,7 +106,7 @@ public class TypeScriptParser {
   public static final String TYPESCRIPT_RAM_SUFFIX = "TYPESCRIPT_RAM";
 
   /**
-   * An environment variable (without the <tt>SEMMLE_</tt> or <tt>LGTM_</tt> prefix), that can be
+   * An environment variable (without the <code>SEMMLE_</code> or <code>LGTM_</code> prefix), that can be
    * set to indicate the amount of heap space the Node.js process should reserve for extracting
    * individual files.
    *
diff --git a/javascript/extractor/src/com/semmle/ts/extractor/TypeTable.java b/javascript/extractor/src/com/semmle/ts/extractor/TypeTable.java
index 0b7e98d0c2a..53d8c437d92 100644
--- a/javascript/extractor/src/com/semmle/ts/extractor/TypeTable.java
+++ b/javascript/extractor/src/com/semmle/ts/extractor/TypeTable.java
@@ -4,9 +4,9 @@ import com.google.gson.JsonArray;
 import com.google.gson.JsonObject;
 
 /**
- * Holds the output of the <tt>get-type-table</tt> command.
+ * Holds the output of the <code>get-type-table</code> command.
  *
- * <p>See documentation in <tt>parser-wrapper/src/type_table.ts</tt>.
+ * <p>See documentation in <code>parser-wrapper/src/type_table.ts</code>.
  */
 public class TypeTable {
   private final JsonArray typeStrings;

From d1910a3f5c3deab1ac11bb878546f3c92f760e8b Mon Sep 17 00:00:00 2001
From: Geoffrey White <40627776+geoffw0@users.noreply.github.com>
Date: Tue, 9 Feb 2021 12:12:24 +0000
Subject: [PATCH 251/429] Update CONTRIBUTING.md

Co-authored-by: Jonas Jensen <jbj@github.com>
---
 CONTRIBUTING.md | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)

diff --git a/CONTRIBUTING.md b/CONTRIBUTING.md
index 6e417a0d9c2..bf7faeaa213 100644
--- a/CONTRIBUTING.md
+++ b/CONTRIBUTING.md
@@ -49,7 +49,7 @@ If you have an idea for a query that you would like to share with other CodeQL u
 
     - The query must have at least one true positive result on some revision of a real project.
 
-6. **Query Help Files and Unit Tests**
+6. **Query help files and unit tests**
 
 	- Query help (`.qhelp`) files and unit tests are optional (but strongly encouraged!) for queries in the `experimental` directories.
 	- see [Supported CodeQL queries and libraries](docs/supported-queries.md) for more information about contributing query help files and unit tests.

From eb7e30d472b96a9493ea34996db9ea4ffc4a1a3a Mon Sep 17 00:00:00 2001
From: Rasmus Wriedt Larsen <rasmuswl@github.com>
Date: Tue, 9 Feb 2021 13:25:12 +0100
Subject: [PATCH 252/429] Python: Add test of django view handler with
 decorator

Which we currently don't handle :(

Also added a bit more explanatory comments
---
 .../frameworks/django-v2-v3/routing_test.py    | 18 ++++++++++++++++++
 1 file changed, 18 insertions(+)

diff --git a/python/ql/test/experimental/library-tests/frameworks/django-v2-v3/routing_test.py b/python/ql/test/experimental/library-tests/frameworks/django-v2-v3/routing_test.py
index 9d8c2dedc03..d6736433b0f 100644
--- a/python/ql/test/experimental/library-tests/frameworks/django-v2-v3/routing_test.py
+++ b/python/ql/test/experimental/library-tests/frameworks/django-v2-v3/routing_test.py
@@ -3,6 +3,7 @@ from django.urls import path, re_path
 from django.http import HttpResponse, HttpResponseRedirect, JsonResponse, HttpResponseNotFound
 from django.views import View
 import django.views.generic.base
+from django.views.decorators.http import require_GET
 
 
 def url_match_xss(request, foo, bar, no_taint=None):  # $requestHandler routedParameter=foo routedParameter=bar
@@ -105,6 +106,10 @@ urlpatterns = [
     path("not_valid/<not_valid!>", not_valid_identifier),  # $routeSetup="not_valid/<not_valid!>"
 ]
 
+################################################################################
+# Deprecated django.conf.urls.url
+################################################################################
+
 # This version 1.x way of defining urls is deprecated in Django 3.1, but still works
 from django.conf.urls import url
 
@@ -116,9 +121,22 @@ urlpatterns = [
 ]
 
 
+################################################################################
+# Special stuff
+################################################################################
+
 class PossiblyNotRouted(View):
     # Even if our analysis can't find a route-setup for this class, we should still
     # consider it to be a handle incoming HTTP requests
 
     def get(self, request, possibly_not_routed=42):  # $ requestHandler routedParameter=possibly_not_routed
         return HttpResponse('PossiblyNotRouted get: {}'.format(possibly_not_routed))  # $HttpResponse
+
+
+@require_GET
+def with_decorator(request, foo):  # $ MISSING: requestHandler routedParameter=foo
+    pass
+
+urlpatterns = [
+    path("with_decorator/<foo>", with_decorator),  # $ routeSetup="with_decorator/<foo>"
+]

From 1d25184b3214078361865d579d3c0a6fd63f61e5 Mon Sep 17 00:00:00 2001
From: Rasmus Wriedt Larsen <rasmuswl@github.com>
Date: Tue, 9 Feb 2021 13:35:44 +0100
Subject: [PATCH 253/429] Python: Add test for type-tracking through decorators

In general, if there is _some_ decorator on a function, it might not be safe to
track content out of it (since the decorator could do anything), but in this
case, we can see what the decorator does, so we should be able to handle it (but
we don't right now).

By my understanding of how type-tracking works, if we track content through
`my_decorator`, then we would also track content to the result of
`unrelated_func()`, which I wanted to make sure our tests would catch.

I found out the core of the problem seems to come from our lack of being able to
track to the inner scope, and added an explicit test for that.
---
 .../dataflow/typetracking/test.py             | 35 +++++++++++++++++++
 1 file changed, 35 insertions(+)

diff --git a/python/ql/test/experimental/dataflow/typetracking/test.py b/python/ql/test/experimental/dataflow/typetracking/test.py
index a4dd1baeac1..4392e3bbf46 100644
--- a/python/ql/test/experimental/dataflow/typetracking/test.py
+++ b/python/ql/test/experimental/dataflow/typetracking/test.py
@@ -56,6 +56,41 @@ def test_import():
     y # $tracked
     mymodule.z # $tracked
 
+
+def to_inner_scope():
+    x = tracked # $tracked
+    def foo():
+        y = x # $ MISSING: tracked
+        return y # $ MISSING: tracked
+    also_x = foo() # $ MISSING: tracked
+    print(also_x) # $ MISSING: tracked
+
+
+def my_decorator(func):
+    # This part doesn't make any sense in a normal decorator, but just shows how we
+    # handle type-tracking
+
+    func() # $tracked
+
+    def wrapper():
+        print("before function call")
+        val = func() # $ MISSING: tracked
+        print("after function call")
+        return val # $ MISSING: tracked
+    return wrapper
+
+@my_decorator
+def get_tracked2():
+    return tracked # $tracked
+
+@my_decorator
+def unrelated_func():
+    return "foo"
+
+def use_funcs_with_decorators():
+    x = get_tracked2() # $ MISSING: tracked
+    y = unrelated_func()
+
 # ------------------------------------------------------------------------------
 
 def expects_int(x): # $int

From 9854b95c30ce6161fe811adc21b0699851725c60 Mon Sep 17 00:00:00 2001
From: Tamas Vajk <tamasvajk@github.com>
Date: Mon, 8 Feb 2021 11:18:56 +0100
Subject: [PATCH 254/429] Fix query performance

---
 csharp/ql/src/Likely Bugs/NestedLoopsSameVariable.ql | 10 ++++++++--
 csharp/ql/src/Likely Bugs/UncheckedCastInEquals.ql   |  8 +++++++-
 2 files changed, 15 insertions(+), 3 deletions(-)

diff --git a/csharp/ql/src/Likely Bugs/NestedLoopsSameVariable.ql b/csharp/ql/src/Likely Bugs/NestedLoopsSameVariable.ql
index 3e89dc89e9d..3e71e7c7894 100644
--- a/csharp/ql/src/Likely Bugs/NestedLoopsSameVariable.ql	
+++ b/csharp/ql/src/Likely Bugs/NestedLoopsSameVariable.ql	
@@ -27,6 +27,12 @@ class NestedForConditions extends SC::StructuralComparisonConfiguration {
   }
 }
 
+private predicate hasChild(Stmt outer, Element child) {
+  outer = child.getParent()
+  or
+  hasChild(outer, child.getParent())
+}
+
 /** A nested `for` statement that shares the same iteration variable as an outer `for` statement. */
 class NestedForLoopSameVariable extends ForStmt {
   ForStmt outer;
@@ -35,7 +41,7 @@ class NestedForLoopSameVariable extends ForStmt {
   MutatorOperation outerUpdate;
 
   NestedForLoopSameVariable() {
-    outer = this.getParent+() and
+    hasChild(outer, this) and
     innerUpdate = this.getAnUpdate() and
     outerUpdate = outer.getAnUpdate() and
     innerUpdate.getOperand() = iteration.getAnAccess() and
@@ -88,7 +94,7 @@ class NestedForLoopSameVariable extends ForStmt {
 
   /** Finds elements inside the outer loop that are no longer guarded by the loop invariant. */
   private ControlFlow::Node getAnUnguardedNode() {
-    result.getElement().getParent+() = getOuterForStmt().getBody() and
+    hasChild(getOuterForStmt().getBody(), result.getElement()) and
     (
       result =
         this.getCondition().(ControlFlowElement).getAControlFlowExitNode().getAFalseSuccessor()
diff --git a/csharp/ql/src/Likely Bugs/UncheckedCastInEquals.ql b/csharp/ql/src/Likely Bugs/UncheckedCastInEquals.ql
index 5d2ef55cd1f..7c93d25d646 100644
--- a/csharp/ql/src/Likely Bugs/UncheckedCastInEquals.ql	
+++ b/csharp/ql/src/Likely Bugs/UncheckedCastInEquals.ql	
@@ -12,12 +12,18 @@
 import csharp
 import semmle.code.csharp.frameworks.System
 
+private predicate equalsMethodChild(EqualsMethod equals, Element child) {
+  child = equals
+  or
+  equalsMethodChild(equals, child.getParent())
+}
+
 predicate nodeBeforeParameterAccess(ControlFlow::Node node) {
   exists(EqualsMethod equals | equals.getBody() = node.getElement())
   or
   exists(EqualsMethod equals, Parameter param, ControlFlow::Node mid |
     equals.getParameter(0) = param and
-    equals.getAChild*() = mid.getElement() and
+    equalsMethodChild(equals, mid.getElement()) and
     nodeBeforeParameterAccess(mid) and
     not param.getAnAccess() = mid.getElement() and
     mid.getASuccessor() = node

From e194411cfaf4c1a61955ba853ad8fd7984a2ef8b Mon Sep 17 00:00:00 2001
From: yo-h <55373593+yo-h@users.noreply.github.com>
Date: Tue, 9 Feb 2021 09:16:57 -0500
Subject: [PATCH 255/429] Java: fix javac errors in test code

---
 .../security/CWE-273/UnsafeCertTrustTest.java | 10 ++++-----
 .../security/CWE-297/InsecureJavaMail.java    |  4 ++--
 .../CWE-312/CleartextStorageSharedPrefs.java  | 12 +++++-----
 .../security/CWE-326/InsufficientKeySize.java |  2 +-
 .../security/CWE-522/InsecureBasicAuth.java   | 12 +++++-----
 .../security/CWE-522/InsecureLdapAuth.java    | 20 ++++++++---------
 .../security/CWE-918/SpringSSRF.java          |  3 ++-
 .../library-tests/ExternalProcess/Test.java   |  8 +++----
 .../library-tests/RelativePaths/Test.java     |  2 +-
 .../commentedcode/CommentedCode.java          |  2 +-
 .../library-tests/dataflow/capture/A.java     |  2 +-
 .../dataflow/taint-ioutils/Test.java          |  2 +-
 .../dataflow/taint-jackson/Test.java          |  4 ++--
 .../test/library-tests/dataflow/taint/A.java  | 12 +++++-----
 .../test/library-tests/dataflow/taint/B.java  |  2 +-
 .../dataflow/taintsources/IntentSources.java  | 10 ++++-----
 .../dataflow/taintsources/RmiFlow.java        |  2 +-
 .../dataflow/taintsources/RmiFlowImpl.java    |  4 ++--
 .../dispatch/ViableCallable.java              | 20 ++++++++---------
 .../dispatch/ViableCallable2.java             |  4 ++--
 java/ql/test/library-tests/guards/Logic.java  |  2 +-
 java/ql/test/library-tests/guards/Test.java   |  2 +-
 .../pathcreation/PathCreation.java            | 14 ++++++------
 .../reflection/ReflectiveAccess.java          |  2 +-
 .../successors/TestThrow2/TestThrow2.java     |  4 ++--
 .../CloseReader/CloseReader.java              |  2 +-
 .../query-tests/ContinueInFalseLoop/A.java    |  4 ++--
 .../MissingCallToSuperClone/Test.java         |  4 ++--
 .../MissingInstanceofInEquals/GoodReturn.java |  2 +-
 java/ql/test/query-tests/Nullness/C.java      |  4 ++--
 java/ql/test/query-tests/RangeAnalysis/A.java |  4 ++--
 .../test/query-tests/UseBraces/UseBraces.java | 14 ++++++------
 .../UselessComparisonTest/Test.java           |  2 +-
 .../test/query-tests/UselessNullCheck/A.java  |  4 ++--
 .../dead-code/DeadField/ReflectionTest.java   |  2 +-
 .../DeadMethod/ReflectionMethodTest.java      |  2 +-
 .../CWE-022/semmle/tests/ZipTest.java         | 14 ++++++------
 .../query-tests/security/CWE-078/Test.java    | 10 ++++-----
 .../CWE-297/UnsafeHostnameVerification.java   |  2 +-
 .../security/CWE-311/CWE-319/Test.java        |  2 +-
 .../security/CWE-421/semmle/Test.java         |  4 ++--
 .../test/query-tests/security/CWE-502/A.java  | 22 +++++++++----------
 .../test/query-tests/security/CWE-502/B.java  |  8 +++----
 .../CWE-611/DocumentBuilderTests.java         |  4 ++--
 .../security/CWE-732/semmle/tests/Test.java   |  4 ++--
 .../semmle/tests/MethodAccessLockOrder.java   |  4 ++--
 .../android/app/Activity.java                 |  3 ++-
 .../android/content/Intent.java               |  4 +++-
 .../android/os/BaseBundle.java                |  1 +
 .../android/os/Parcel.java                    |  1 +
 .../crypto/EncryptedSharedPreferences.java    |  3 ++-
 51 files changed, 149 insertions(+), 142 deletions(-)

diff --git a/java/ql/test/experimental/query-tests/security/CWE-273/UnsafeCertTrustTest.java b/java/ql/test/experimental/query-tests/security/CWE-273/UnsafeCertTrustTest.java
index a45727a7406..1e8ecbbc20d 100644
--- a/java/ql/test/experimental/query-tests/security/CWE-273/UnsafeCertTrustTest.java
+++ b/java/ql/test/experimental/query-tests/security/CWE-273/UnsafeCertTrustTest.java
@@ -87,7 +87,7 @@ public class UnsafeCertTrustTest {
 	/**
 	 * Test the endpoint identification of SSL engine is set to null
 	 */
-	public void testSSLEngineEndpointIdSetNull() {
+	public void testSSLEngineEndpointIdSetNull() throws java.security.NoSuchAlgorithmException {
 		SSLContext sslContext = SSLContext.getInstance("TLS");
 		SSLEngine sslEngine = sslContext.createSSLEngine();
 		SSLParameters sslParameters = sslEngine.getSSLParameters();
@@ -98,7 +98,7 @@ public class UnsafeCertTrustTest {
 	/**
 	 * Test the endpoint identification of SSL engine is not set
 	 */
-	public void testSSLEngineEndpointIdNotSet() {
+	public void testSSLEngineEndpointIdNotSet() throws java.security.NoSuchAlgorithmException {
 		SSLContext sslContext = SSLContext.getInstance("TLS");
 		SSLEngine sslEngine = sslContext.createSSLEngine();
 	}
@@ -106,7 +106,7 @@ public class UnsafeCertTrustTest {
 	/**
 	 * Test the endpoint identification of SSL socket is not set
 	 */
-	public void testSSLSocketEndpointIdNotSet() {
+	public void testSSLSocketEndpointIdNotSet() throws java.security.NoSuchAlgorithmException, java.io.IOException {
 		SSLContext sslContext = SSLContext.getInstance("TLS");
 		final SSLSocketFactory socketFactory = sslContext.getSocketFactory();
 		SSLSocket socket = (SSLSocket) socketFactory.createSocket("www.example.com", 443);
@@ -115,7 +115,7 @@ public class UnsafeCertTrustTest {
 	/**
 	 * Test the endpoint identification of regular socket is not set
 	 */
-	public void testSocketEndpointIdNotSet() {
+	public void testSocketEndpointIdNotSet() throws java.io.IOException {
 		SocketFactory socketFactory = SocketFactory.getDefault();
 		Socket socket = socketFactory.createSocket("www.example.com", 80);
 	}
@@ -127,4 +127,4 @@ public class UnsafeCertTrustTest {
 	// ConnectionFactory connectionFactory = new ConnectionFactory();
 	// connectionFactory.useSslProtocol();
 	// }
-}
\ No newline at end of file
+}
diff --git a/java/ql/test/experimental/query-tests/security/CWE-297/InsecureJavaMail.java b/java/ql/test/experimental/query-tests/security/CWE-297/InsecureJavaMail.java
index 05d700437dd..62c64027695 100644
--- a/java/ql/test/experimental/query-tests/security/CWE-297/InsecureJavaMail.java
+++ b/java/ql/test/experimental/query-tests/security/CWE-297/InsecureJavaMail.java
@@ -29,7 +29,7 @@ class InsecureJavaMail {
 		final Session session = Session.getInstance(properties, authenticator);
 	}
 
-	public void testSimpleMail() {
+	public void testSimpleMail() throws Exception {
 		Email email = new SimpleEmail();
 		email.setHostName("config.hostName");
 		email.setSmtpPort(25);
@@ -42,4 +42,4 @@ class InsecureJavaMail {
 		email.addTo("toAddress");
 		email.send();
 	}
-}
\ No newline at end of file
+}
diff --git a/java/ql/test/experimental/query-tests/security/CWE-312/CleartextStorageSharedPrefs.java b/java/ql/test/experimental/query-tests/security/CWE-312/CleartextStorageSharedPrefs.java
index 51a92314c67..39614c82234 100644
--- a/java/ql/test/experimental/query-tests/security/CWE-312/CleartextStorageSharedPrefs.java
+++ b/java/ql/test/experimental/query-tests/security/CWE-312/CleartextStorageSharedPrefs.java
@@ -20,7 +20,7 @@ public class CleartextStorageSharedPrefs extends Activity {
 	}
 
 	// GOOD - save sensitive information in encrypted format
-	public void testSetSharedPrefs2(Context context, String name, String password) {
+	public void testSetSharedPrefs2(Context context, String name, String password) throws Exception {
 		SharedPreferences sharedPrefs = context.getSharedPreferences("user_prefs", Context.MODE_PRIVATE);
 		Editor editor = sharedPrefs.edit();
 		editor.putString("name", encrypt(name));
@@ -28,7 +28,7 @@ public class CleartextStorageSharedPrefs extends Activity {
 		editor.commit();
 	}
 
-	private static String encrypt(String cleartext) {
+	private static String encrypt(String cleartext) throws Exception {
 		// Use an encryption or hashing algorithm in real world. The demo below just returns its hash.
 		MessageDigest digest = MessageDigest.getInstance("SHA-256");
 		byte[] hash = digest.digest(cleartext.getBytes(StandardCharsets.UTF_8));
@@ -37,7 +37,7 @@ public class CleartextStorageSharedPrefs extends Activity {
 	}
 
 	// GOOD - save sensitive information in encrypted format using separate variables
-	public void testSetSharedPrefs3(Context context, String name, String password) {
+	public void testSetSharedPrefs3(Context context, String name, String password) throws Exception {
 		String encUsername = encrypt(name);
 		String encPassword = encrypt(password);
 		SharedPreferences sharedPrefs = context.getSharedPreferences("user_prefs", Context.MODE_PRIVATE);
@@ -49,7 +49,7 @@ public class CleartextStorageSharedPrefs extends Activity {
 
 
 	// GOOD - save sensitive information using the built-in `EncryptedSharedPreferences` class in androidx
-	public void testSetSharedPrefs4(Context context, String name, String password) {
+	public void testSetSharedPrefs4(Context context, String name, String password) throws Exception {
 		MasterKey masterKey = new MasterKey.Builder(context, MasterKey.DEFAULT_MASTER_KEY_ALIAS)
 			.setKeyScheme(MasterKey.KeyScheme.AES256_GCM)
 			.build();
@@ -69,7 +69,7 @@ public class CleartextStorageSharedPrefs extends Activity {
 	}
 
 	// GOOD - save sensitive information using the built-in `EncryptedSharedPreferences` class in androidx
-	public void testSetSharedPrefs5(Context context, String name, String password) {
+	public void testSetSharedPrefs5(Context context, String name, String password) throws Exception {
 		MasterKey masterKey = new MasterKey.Builder(context, MasterKey.DEFAULT_MASTER_KEY_ALIAS)
 			.setKeyScheme(MasterKey.KeyScheme.AES256_GCM)
 			.build();
@@ -89,7 +89,7 @@ public class CleartextStorageSharedPrefs extends Activity {
 	}
 
 	// GOOD - save sensitive information using the built-in `EncryptedSharedPreferences` class in androidx
-	public void testSetSharedPrefs6(Context context, String name, String password) {
+	public void testSetSharedPrefs6(Context context, String name, String password) throws Exception {
 		MasterKey masterKey = new MasterKey.Builder(context, MasterKey.DEFAULT_MASTER_KEY_ALIAS)
 			.setKeyScheme(MasterKey.KeyScheme.AES256_GCM)
 			.build();
diff --git a/java/ql/test/experimental/query-tests/security/CWE-326/InsufficientKeySize.java b/java/ql/test/experimental/query-tests/security/CWE-326/InsufficientKeySize.java
index df46d6e69a9..a606017a27e 100644
--- a/java/ql/test/experimental/query-tests/security/CWE-326/InsufficientKeySize.java
+++ b/java/ql/test/experimental/query-tests/security/CWE-326/InsufficientKeySize.java
@@ -3,7 +3,7 @@ import java.security.spec.ECGenParameterSpec;
 import javax.crypto.KeyGenerator;
 
 public class InsufficientKeySize {
-    public void CryptoMethod() {
+    public void CryptoMethod() throws java.security.NoSuchAlgorithmException, java.security.InvalidAlgorithmParameterException {
         KeyGenerator keyGen1 = KeyGenerator.getInstance("AES");
         // BAD: Key size is less than 128
         keyGen1.init(64);
diff --git a/java/ql/test/experimental/query-tests/security/CWE-522/InsecureBasicAuth.java b/java/ql/test/experimental/query-tests/security/CWE-522/InsecureBasicAuth.java
index 1f7be303471..c59af48e09b 100644
--- a/java/ql/test/experimental/query-tests/security/CWE-522/InsecureBasicAuth.java
+++ b/java/ql/test/experimental/query-tests/security/CWE-522/InsecureBasicAuth.java
@@ -57,7 +57,7 @@ public class InsecureBasicAuth {
 	/**
 	 * Test basic authentication with Apache HTTP POST request using the URI constructor with one argument.
 	 */
-	public void testApacheHttpRequest4(String username, String password) {
+	public void testApacheHttpRequest4(String username, String password) throws Exception {
 		String uriStr = "http://www.example.com/rest/getuser.do?uid=abcdx";
 		URI uri = new URI(uriStr);
 		HttpRequestBase post = new HttpPost(uri);
@@ -74,7 +74,7 @@ public class InsecureBasicAuth {
 	/**
 	 * Test basic authentication with Apache HTTP POST request using a URI constructor with multiple arguments.
 	 */
-	public void testApacheHttpRequest5(String username, String password) {
+	public void testApacheHttpRequest5(String username, String password) throws Exception {
 		HttpRequestBase post = new HttpPost(new URI("http", "www.example.com", "/test", "abc=123", null));
 		post.setHeader("Accept", "application/json");
 		post.setHeader("Content-type", "application/json");
@@ -122,7 +122,7 @@ public class InsecureBasicAuth {
 	/**
 	 * Test basic authentication with Java HTTP URL connection using the `URL(String spec)` constructor.
 	 */
-	public void testHttpUrlConnection(String username, String password) {
+	public void testHttpUrlConnection(String username, String password) throws Exception {
 		String urlStr = "http://www.example.com/rest/getuser.do?uid=abcdx";
 		String authString = username + ":" + password;
 		String encoding = Base64.getEncoder().encodeToString(authString.getBytes("UTF-8"));
@@ -136,7 +136,7 @@ public class InsecureBasicAuth {
 	/**
 	 * Test basic authentication with Java HTTP URL connection using the `URL(String protocol, String host, String file)` constructor.
 	 */
-	public void testHttpUrlConnection2(String username, String password) {
+	public void testHttpUrlConnection2(String username, String password) throws Exception {
 		String host = "www.example.com";
 		String path = "/rest/getuser.do?uid=abcdx";
 		String protocol = "http";
@@ -152,7 +152,7 @@ public class InsecureBasicAuth {
 	/**
 	 * Test basic authentication with Java HTTP URL connection using a constructor with private URL.
 	 */
-	public void testHttpUrlConnection3(String username, String password) {
+	public void testHttpUrlConnection3(String username, String password) throws Exception {
 		String host = "LOCALHOST";
 		String authString = username + ":" + password;
 		String encoding = Base64.getEncoder().encodeToString(authString.getBytes("UTF-8"));
@@ -161,4 +161,4 @@ public class InsecureBasicAuth {
 		conn.setDoOutput(true);
 		conn.setRequestProperty("Authorization", "Basic " + encoding);
 	}
-}
\ No newline at end of file
+}
diff --git a/java/ql/test/experimental/query-tests/security/CWE-522/InsecureLdapAuth.java b/java/ql/test/experimental/query-tests/security/CWE-522/InsecureLdapAuth.java
index 14142d31b21..978a4df671b 100644
--- a/java/ql/test/experimental/query-tests/security/CWE-522/InsecureLdapAuth.java
+++ b/java/ql/test/experimental/query-tests/security/CWE-522/InsecureLdapAuth.java
@@ -7,7 +7,7 @@ import javax.naming.ldap.InitialLdapContext;
 
 public class InsecureLdapAuth {
 	// BAD - Test LDAP authentication in cleartext using `DirContext`.
-	public void testCleartextLdapAuth(String ldapUserName, String password) {
+	public void testCleartextLdapAuth(String ldapUserName, String password) throws Exception {
 		String ldapUrl = "ldap://ad.your-server.com:389";
 		Hashtable<String, String> environment = new Hashtable<String, String>();
 		environment.put(Context.INITIAL_CONTEXT_FACTORY,
@@ -21,7 +21,7 @@ public class InsecureLdapAuth {
 	}
 
 	// BAD - Test LDAP authentication in cleartext using `DirContext`.
-	public void testCleartextLdapAuth(String ldapUserName, String password, String serverName) {
+	public void testCleartextLdapAuth(String ldapUserName, String password, String serverName) throws Exception {
 		String ldapUrl = "ldap://"+serverName+":389";
 		Hashtable<String, String> environment = new Hashtable<String, String>();
 		environment.put(Context.INITIAL_CONTEXT_FACTORY,
@@ -35,7 +35,7 @@ public class InsecureLdapAuth {
 	}
 
 	// GOOD - Test LDAP authentication over SSL.
-	public void testSslLdapAuth(String ldapUserName, String password) {
+	public void testSslLdapAuth(String ldapUserName, String password) throws Exception {
 		String ldapUrl = "ldaps://ad.your-server.com:636";
 		Hashtable<String, String> environment = new Hashtable<String, String>();
 		environment.put(Context.INITIAL_CONTEXT_FACTORY,
@@ -49,7 +49,7 @@ public class InsecureLdapAuth {
 	}
 
 	// GOOD - Test LDAP authentication over SSL.
-	public void testSslLdapAuth2(String ldapUserName, String password) {
+	public void testSslLdapAuth2(String ldapUserName, String password) throws Exception {
 		String ldapUrl = "ldap://ad.your-server.com:636";
 		Hashtable<String, String> environment = new Hashtable<String, String>();
 		environment.put(Context.INITIAL_CONTEXT_FACTORY,
@@ -64,7 +64,7 @@ public class InsecureLdapAuth {
 	}
 
 	// GOOD - Test LDAP authentication with SASL authentication.
-	public void testSaslLdapAuth(String ldapUserName, String password) {
+	public void testSaslLdapAuth(String ldapUserName, String password) throws Exception {
 		String ldapUrl = "ldap://ad.your-server.com:389";
 		Hashtable<String, String> environment = new Hashtable<String, String>();
 		environment.put(Context.INITIAL_CONTEXT_FACTORY,
@@ -78,7 +78,7 @@ public class InsecureLdapAuth {
 	}
 
 	// GOOD - Test LDAP authentication in cleartext connecting to local LDAP server.
-	public void testCleartextLdapAuth2(String ldapUserName, String password) {
+	public void testCleartextLdapAuth2(String ldapUserName, String password) throws Exception {
 		String ldapUrl = "ldap://localhost:389";
 		Hashtable<String, String> environment = new Hashtable<String, String>();
 		environment.put(Context.INITIAL_CONTEXT_FACTORY,
@@ -92,7 +92,7 @@ public class InsecureLdapAuth {
 	}
 
 	// BAD - Test LDAP authentication in cleartext using `InitialLdapContext`.
-	public void testCleartextLdapAuth3(String ldapUserName, String password) {
+	public void testCleartextLdapAuth3(String ldapUserName, String password) throws Exception {
 		String ldapUrl = "ldap://ad.your-server.com:389";
 		Hashtable<String, String> environment = new Hashtable<String, String>();
 		environment.put(Context.INITIAL_CONTEXT_FACTORY,
@@ -107,7 +107,7 @@ public class InsecureLdapAuth {
 
 
 	// BAD - Test LDAP authentication in cleartext using `DirContext` and string literals.
-	public void testCleartextLdapAuth4(String ldapUserName, String password) {
+	public void testCleartextLdapAuth4(String ldapUserName, String password) throws Exception {
 		String ldapUrl = "ldap://ad.your-server.com:389";
 		Hashtable<String, String> environment = new Hashtable<String, String>();
 		environment.put("java.naming.factory.initial",
@@ -131,7 +131,7 @@ public class InsecureLdapAuth {
 	}
 
 	// GOOD - Test LDAP authentication with `ssl` configuration and basic authentication.
-	public void testCleartextLdapAuth5(String ldapUserName, String password, String serverName) {
+	public void testCleartextLdapAuth5(String ldapUserName, String password, String serverName) throws Exception {
 		String ldapUrl = "ldap://"+serverName+":389";
 		Hashtable<String, String> environment = new Hashtable<String, String>();
 		setSSL(environment);
@@ -143,7 +143,7 @@ public class InsecureLdapAuth {
 	}
 
 	// BAD - Test LDAP authentication with basic authentication.
-	public void testCleartextLdapAuth6(String ldapUserName, String password, String serverName) {
+	public void testCleartextLdapAuth6(String ldapUserName, String password, String serverName) throws Exception {
 		String ldapUrl = "ldap://"+serverName+":389";
 		Hashtable<String, String> environment = new Hashtable<String, String>();
 		environment.put(Context.INITIAL_CONTEXT_FACTORY,
diff --git a/java/ql/test/experimental/query-tests/security/CWE-918/SpringSSRF.java b/java/ql/test/experimental/query-tests/security/CWE-918/SpringSSRF.java
index ddd8ecc3dd6..a7d3cb32b87 100644
--- a/java/ql/test/experimental/query-tests/security/CWE-918/SpringSSRF.java
+++ b/java/ql/test/experimental/query-tests/security/CWE-918/SpringSSRF.java
@@ -26,7 +26,7 @@ public class SpringSSRF extends HttpServlet {
         String fooResourceUrl = request2.getParameter("uri");;
         RestTemplate restTemplate = new RestTemplate();
         HttpEntity<String> request = new HttpEntity<>(new String("bar"));
-
+        try {
         {
             ResponseEntity<String> response =
                     restTemplate.getForEntity(fooResourceUrl + "/1", String.class);
@@ -68,5 +68,6 @@ public class SpringSSRF extends HttpServlet {
         {
             restTemplate.put(fooResourceUrl, new String("object"));
         }
+        } catch (org.springframework.web.client.RestClientException | java.net.URISyntaxException e) {}
     }
 }
diff --git a/java/ql/test/library-tests/ExternalProcess/Test.java b/java/ql/test/library-tests/ExternalProcess/Test.java
index c3554589282..ee29327ef90 100644
--- a/java/ql/test/library-tests/ExternalProcess/Test.java
+++ b/java/ql/test/library-tests/ExternalProcess/Test.java
@@ -43,28 +43,28 @@ class Test {
 		new Bogus().exec("Irrelevant version of exec");
 	}
 
-	void apacheExecute1() {
+	void apacheExecute1() throws IOException {
 		String line = "AcroRd32.exe /p /h some.file";
 		CommandLine cmdLine = CommandLine.parse(line);
 		DefaultExecutor executor = new DefaultExecutor();
 		int exitValue = executor.execute(cmdLine);
 	}
 
-	void apacheExecute2() {
+	void apacheExecute2() throws IOException {
 		String line = "AcroRd32.exe /p /h some.file";
 		CommandLine cmdLine = CommandLine.parse(line, null);
 		DefaultExecutor executor = new DefaultExecutor();
 		int exitValue = executor.execute(cmdLine);
 	}
 
-	void apacheExecute3() {
+	void apacheExecute3() throws IOException {
 		CommandLine cmdLine = new CommandLine("AcroRd32.exe");
 		cmdLine.addArguments("/p /h some.file");
 		DefaultExecutor executor = new DefaultExecutor();
 		int exitValue = executor.execute(cmdLine);
 	}
 
-	void apacheExecute4() {
+	void apacheExecute4() throws IOException {
 		CommandLine cmdLine = new CommandLine("AcroRd32.exe");
 		cmdLine.addArguments("/p /h some.file", false);
 		DefaultExecutor executor = new DefaultExecutor();
diff --git a/java/ql/test/library-tests/RelativePaths/Test.java b/java/ql/test/library-tests/RelativePaths/Test.java
index 860b7ffbecf..4c020819121 100644
--- a/java/ql/test/library-tests/RelativePaths/Test.java
+++ b/java/ql/test/library-tests/RelativePaths/Test.java
@@ -1,5 +1,5 @@
 class Test {
-	public static void main(String[] args) {
+	public static void main(String[] args) throws java.io.IOException {
 		// Relative paths
 		Runtime.getRuntime().exec("make");
 		Runtime.getRuntime().exec("m");
diff --git a/java/ql/test/library-tests/commentedcode/CommentedCode.java b/java/ql/test/library-tests/commentedcode/CommentedCode.java
index fa14ad7cc69..02bee2fe2f9 100644
--- a/java/ql/test/library-tests/commentedcode/CommentedCode.java
+++ b/java/ql/test/library-tests/commentedcode/CommentedCode.java
@@ -88,8 +88,8 @@ public class CommentedCode {
 		 * &nbsp ;
 		 * &nbsp ;
 		 */
+		return -1;
 	}
-	
 //	public static int commentedOutMethod(){
 //		
 //		return 123;
diff --git a/java/ql/test/library-tests/dataflow/capture/A.java b/java/ql/test/library-tests/dataflow/capture/A.java
index 2311179499a..8bc40f9ae77 100644
--- a/java/ql/test/library-tests/dataflow/capture/A.java
+++ b/java/ql/test/library-tests/dataflow/capture/A.java
@@ -32,7 +32,7 @@ public class A {
           case 0: return p;
           case 1: return s;
           case 2: return b1.getElem();
-          case 3: return b2.getElem();
+          default:return b2.getElem();
         }
       }
     };
diff --git a/java/ql/test/library-tests/dataflow/taint-ioutils/Test.java b/java/ql/test/library-tests/dataflow/taint-ioutils/Test.java
index 1d616184705..a6660c87252 100644
--- a/java/ql/test/library-tests/dataflow/taint-ioutils/Test.java
+++ b/java/ql/test/library-tests/dataflow/taint-ioutils/Test.java
@@ -8,7 +8,7 @@ import java.util.List;
 import org.apache.commons.io.IOUtils;
 
 class Test {
-	public static void ioutils() {
+	public static void ioutils() throws java.io.FileNotFoundException, java.io.IOException {
 		InputStream inp = new FileInputStream("test"); // user input
 
 		InputStream buf = IOUtils.buffer(inp);
diff --git a/java/ql/test/library-tests/dataflow/taint-jackson/Test.java b/java/ql/test/library-tests/dataflow/taint-jackson/Test.java
index 6c3a7dbf4b5..2caf9e4ee80 100644
--- a/java/ql/test/library-tests/dataflow/taint-jackson/Test.java
+++ b/java/ql/test/library-tests/dataflow/taint-jackson/Test.java
@@ -14,7 +14,7 @@ class Test {
 		return "tainted";
 	}
 
-	public static void jacksonObjectMapper() {
+	public static void jacksonObjectMapper() throws java.io.FileNotFoundException, java.io.UnsupportedEncodingException {
 		String s = taint();
 		ObjectMapper om = new ObjectMapper();
 		File file = new File("testFile");
@@ -32,7 +32,7 @@ class Test {
 		System.out.println(reconstructed);
 	}
 
-	public static void jacksonObjectWriter() {
+	public static void jacksonObjectWriter() throws java.io.FileNotFoundException, java.io.UnsupportedEncodingException {
 		String s = taint();
 		ObjectWriter ow = new ObjectWriter();
 		File file = new File("testFile");
diff --git a/java/ql/test/library-tests/dataflow/taint/A.java b/java/ql/test/library-tests/dataflow/taint/A.java
index e3a38d8e191..55fd9796586 100644
--- a/java/ql/test/library-tests/dataflow/taint/A.java
+++ b/java/ql/test/library-tests/dataflow/taint/A.java
@@ -15,7 +15,7 @@ public class A {
     sink(b2);
   }
 
-  void test2() {
+  void test2() throws IOException {
     ByteArrayOutputStream bOutput = new ByteArrayOutputStream();
     bOutput.write(taint());
     byte[] b = bOutput.toByteArray();
@@ -25,11 +25,11 @@ public class A {
     sink(b2);
   }
 
-  void streamWrite(ByteArrayOutputStream baos, byte[] data) {
+  void streamWrite(ByteArrayOutputStream baos, byte[] data) throws IOException {
     baos.write(data);
   }
 
-  void test3(ByteArrayOutputStream baos) {
+  void test3(ByteArrayOutputStream baos) throws IOException {
     streamWrite(baos, taint());
     sink(baos.toByteArray());
   }
@@ -38,11 +38,11 @@ public class A {
     ByteArrayOutputStream baos = new ByteArrayOutputStream();
   }
 
-  void streamWriteHolder(BaosHolder bh, byte[] data) {
+  void streamWriteHolder(BaosHolder bh, byte[] data) throws IOException {
     bh.baos.write(data);
   }
 
-  void test4(BaosHolder bh) {
+  void test4(BaosHolder bh) throws IOException {
     streamWriteHolder(bh, taint());
     sink(bh.baos.toByteArray());
   }
@@ -51,7 +51,7 @@ public class A {
     byte[] data = new byte[10];
   }
 
-  void test5_a(DataHolder dh) {
+  void test5_a(DataHolder dh) throws IOException {
     ByteArrayInputStream bais = new ByteArrayInputStream(taint());
     bais.read(dh.data);
     test5_b(dh);
diff --git a/java/ql/test/library-tests/dataflow/taint/B.java b/java/ql/test/library-tests/dataflow/taint/B.java
index b53c49bdc39..81b007e6871 100644
--- a/java/ql/test/library-tests/dataflow/taint/B.java
+++ b/java/ql/test/library-tests/dataflow/taint/B.java
@@ -11,7 +11,7 @@ public class B {
 
   public static void sink(Object o) { }
 
-  public static void maintest() {
+  public static void maintest() throws java.io.UnsupportedEncodingException, java.net.MalformedURLException {
     String[] args = taint();
     // tainted - access to main args
     String[] aaaargs = args;
diff --git a/java/ql/test/library-tests/dataflow/taintsources/IntentSources.java b/java/ql/test/library-tests/dataflow/taintsources/IntentSources.java
index 960bbff0bce..6f0051f0d10 100644
--- a/java/ql/test/library-tests/dataflow/taintsources/IntentSources.java
+++ b/java/ql/test/library-tests/dataflow/taintsources/IntentSources.java
@@ -4,21 +4,21 @@ import android.app.Activity;
 
 public class IntentSources extends Activity {
 
-	public void test() {
+	public void test() throws java.io.IOException {
 
 		String trouble = this.getIntent().getStringExtra("key");
 		Runtime.getRuntime().exec(trouble);
 
 	}
 
-	public void test2() {
+	public void test2() throws java.io.IOException {
 
 		String trouble = getIntent().getStringExtra("key");
 		Runtime.getRuntime().exec(trouble);
 
 	}
 
-	public void test3() {
+	public void test3() throws java.io.IOException {
 
 		String trouble = getIntent().getExtras().getString("key");
 		Runtime.getRuntime().exec(trouble);
@@ -29,9 +29,9 @@ public class IntentSources extends Activity {
 
 class OtherClass {
 
-	public void test(IntentSources is) {
+	public void test(IntentSources is) throws java.io.IOException {
 		String trouble = is.getIntent().getStringExtra("key");
 		Runtime.getRuntime().exec(trouble);
 	}
 
-}
\ No newline at end of file
+}
diff --git a/java/ql/test/library-tests/dataflow/taintsources/RmiFlow.java b/java/ql/test/library-tests/dataflow/taintsources/RmiFlow.java
index eeab5a1fa09..69d7c9449ee 100644
--- a/java/ql/test/library-tests/dataflow/taintsources/RmiFlow.java
+++ b/java/ql/test/library-tests/dataflow/taintsources/RmiFlow.java
@@ -4,5 +4,5 @@ import java.rmi.Remote;
 import java.rmi.RemoteException;
 
 public interface RmiFlow extends Remote {
-	String listDirectory(String path);
+	String listDirectory(String path) throws java.io.IOException;
 }
diff --git a/java/ql/test/library-tests/dataflow/taintsources/RmiFlowImpl.java b/java/ql/test/library-tests/dataflow/taintsources/RmiFlowImpl.java
index eee65d5c64e..f75c6ddf2b7 100644
--- a/java/ql/test/library-tests/dataflow/taintsources/RmiFlowImpl.java
+++ b/java/ql/test/library-tests/dataflow/taintsources/RmiFlowImpl.java
@@ -1,13 +1,13 @@
 package security.library.dataflow;
 
 public class RmiFlowImpl implements RmiFlow {
-	public String listDirectory(String path) {
+	public String listDirectory(String path) throws java.io.IOException {
 		String command = "ls " + path;
 		Runtime.getRuntime().exec(command);
 		return "pretend there are some results here";
 	}
 
-	public String notRemotable(String path) {
+	public String notRemotable(String path) throws java.io.IOException {
 		String command = "ls " + path;
 		Runtime.getRuntime().exec(command);
 		return "pretend there are some results here";
diff --git a/java/ql/test/library-tests/dispatch/ViableCallable.java b/java/ql/test/library-tests/dispatch/ViableCallable.java
index 1e404463c05..f698ea0fb9d 100644
--- a/java/ql/test/library-tests/dispatch/ViableCallable.java
+++ b/java/ql/test/library-tests/dispatch/ViableCallable.java
@@ -36,7 +36,7 @@ class ViableCallable {
 		i2.f("", 0l);
 	}
 
-	<TMock> TMock Mock() { throw new Exception(); }
+	<TMock> TMock Mock() { throw new Error(); }
 
 	void CreateTypeInstance() {
 		Run(new C2<Boolean>(), null, null, null);
@@ -63,7 +63,7 @@ abstract class C1<T1_C1, T2_C1> {
 		M(x, 8);
 	}
 
-	public void f(T1_C1 x, T2_C1 y) { throw new Exception(); }
+	public void f(T1_C1 x, T2_C1 y) { throw new Error(); }
 }
 
 interface I1<T_I1> {
@@ -80,27 +80,27 @@ interface I2<T_I2> {
 
 class C2<T_C2> extends C1<String, T_C2> implements I1<T_C2> {
 	@Override
-	public <T3_C2> T_C2 M(String x, T3_C2 y) { throw new Exception(); }
+	public <T3_C2> T_C2 M(String x, T3_C2 y) { throw new Error(); }
 }
 
 class C3 extends C1<String, Long> implements I2<Long> {
 	@Override
-	public <T3_C3> Long M(String x, T3_C3 y) { throw new Exception(); }
+	public <T3_C3> Long M(String x, T3_C3 y) { throw new Error(); }
 }
 
 class C4<T_C4> extends C1<T_C4[], Boolean> {
 	@Override
-	public <T3_C4> Boolean M(T_C4[] x, T3_C4 y) { throw new Exception(); }
+	public <T3_C4> Boolean M(T_C4[] x, T3_C4 y) { throw new Error(); }
 }
 
 class C5 extends C1<String, Boolean> {
 	@Override
-	public <T3_C5> Boolean M(String x, T3_C5 y) { throw new Exception(); }
+	public <T3_C5> Boolean M(String x, T3_C5 y) { throw new Error(); }
 }
 
 class C6<T1_C6, T2_C6> extends C1<T1_C6, T2_C6> {
 	@Override
-	public <T3_C6> T2_C6 M(T1_C6 x, T3_C6 y) { throw new Exception(); }
+	public <T3_C6> T2_C6 M(T1_C6 x, T3_C6 y) { throw new Error(); }
 
 	public void Run(T1_C6 x) {
 		// Viable callables: C6.M(), C7.M()
@@ -113,7 +113,7 @@ class C6<T1_C6, T2_C6> extends C1<T1_C6, T2_C6> {
 
 class C7<T1_C7> extends C6<T1_C7, Byte> {
 	@Override
-	public <T3_C7> Byte M(T1_C7 x, T3_C7 y) { throw new Exception(); }
+	public <T3_C7> Byte M(T1_C7 x, T3_C7 y) { throw new Error(); }
 
 	public void Run(T1_C7 x) {
 		// Viable callables: C7.M()
@@ -129,11 +129,11 @@ class C7<T1_C7> extends C6<T1_C7, Byte> {
 
 class C8<T_C8, T2_C8> extends C1<String, T2_C8> {
 	@Override
-	public <T3_C8> T2_C8 M(String x, T3_C8 y) { throw new Exception(); }
+	public <T3_C8> T2_C8 M(String x, T3_C8 y) { throw new Error(); }
 }
 
 class C9<T_C9> extends C8<Boolean, Boolean> {
 	@Override
-	public <T3_C9> Boolean M(String x, T3_C9 y) { throw new Exception(); }
+	public <T3_C9> Boolean M(String x, T3_C9 y) { throw new Error(); }
 }
 
diff --git a/java/ql/test/library-tests/dispatch/ViableCallable2.java b/java/ql/test/library-tests/dispatch/ViableCallable2.java
index a1d17b63162..79ecc9d3cd0 100644
--- a/java/ql/test/library-tests/dispatch/ViableCallable2.java
+++ b/java/ql/test/library-tests/dispatch/ViableCallable2.java
@@ -20,10 +20,10 @@ class ViableCallable2 {
 }
 
 class A {
-    public void m() { throw new Exception(); }
+    public void m() { throw new Error(); }
 }
 
 class B extends A {
     @Override
-    public void m() { throw new Exception(); }
+    public void m() { throw new Error(); }
 }
diff --git a/java/ql/test/library-tests/guards/Logic.java b/java/ql/test/library-tests/guards/Logic.java
index a07890a4a75..afe646908a0 100644
--- a/java/ql/test/library-tests/guards/Logic.java
+++ b/java/ql/test/library-tests/guards/Logic.java
@@ -41,7 +41,7 @@ public class Logic {
   }
 
   private static void checkTrue(boolean b, String msg) {
-    if (!b) throw new Exception(msg);
+    if (!b) throw new Error    (msg);
   }
 
   private static void checkFalse(boolean b, String msg) {
diff --git a/java/ql/test/library-tests/guards/Test.java b/java/ql/test/library-tests/guards/Test.java
index 59f63917b09..d4441f98fdd 100644
--- a/java/ql/test/library-tests/guards/Test.java
+++ b/java/ql/test/library-tests/guards/Test.java
@@ -3,7 +3,7 @@ class Test {
 	void test(int x) {
 		z = 0;
 		if (x < 0) {
-			throw new Exception();
+			throw new Error();
 		}
 		int y = 0;
 		while(x >= 0) {
diff --git a/java/ql/test/library-tests/pathcreation/PathCreation.java b/java/ql/test/library-tests/pathcreation/PathCreation.java
index dcdb28adf45..fcd1eed3e28 100644
--- a/java/ql/test/library-tests/pathcreation/PathCreation.java
+++ b/java/ql/test/library-tests/pathcreation/PathCreation.java
@@ -18,7 +18,7 @@ class PathCreation {
         File f = new File(new File("dir"), "sub");
     }
 
-    public void testNewFileWithURI() {
+    public void testNewFileWithURI() throws java.net.URISyntaxException {
         File f = new File(new URI("dir"));
     }
 
@@ -27,7 +27,7 @@ class PathCreation {
         Path p2 = Path.of("dir", "sub");
     }
 
-    public void testPathOfWithURI() {
+    public void testPathOfWithURI() throws java.net.URISyntaxException {
         Path p = Path.of(new URI("dir"));
     }
 
@@ -36,7 +36,7 @@ class PathCreation {
         Path p2 = Paths.get("dir", "sub");
     }
 
-    public void testPathsGetWithURI() {
+    public void testPathsGetWithURI() throws java.net.URISyntaxException {
         Path p = Paths.get(new URI("dir"));
     }
 
@@ -53,19 +53,19 @@ class PathCreation {
         Path p = Path.of("dir").resolve("sub");
     }
 
-    public void testNewFileWriterWithString() {
+    public void testNewFileWriterWithString() throws java.io.IOException {
         FileWriter fw = new FileWriter("dir");
     }
 
-    public void testNewFileReaderWithString() {
+    public void testNewFileReaderWithString() throws java.io.FileNotFoundException {
         FileReader fr = new FileReader("dir");
     }
 
-    public void testNewFileOutputStreamWithString() {
+    public void testNewFileOutputStreamWithString() throws java.io.FileNotFoundException {
         FileOutputStream fos = new FileOutputStream("dir");
     }
 
-    public void testNewFileInputStreamWithString() {
+    public void testNewFileInputStreamWithString() throws java.io.FileNotFoundException {
         FileInputStream fis = new FileInputStream("dir");
     }
 }
diff --git a/java/ql/test/library-tests/reflection/reflection/ReflectiveAccess.java b/java/ql/test/library-tests/reflection/reflection/ReflectiveAccess.java
index 2a729af39fd..99687ea2649 100644
--- a/java/ql/test/library-tests/reflection/reflection/ReflectiveAccess.java
+++ b/java/ql/test/library-tests/reflection/reflection/ReflectiveAccess.java
@@ -14,7 +14,7 @@ public class ReflectiveAccess {
 		return classContainingAnnotation.getAnnotation(annotationClass);
 	}
 
-	public static void main(String[] args) {
+	public static void main(String[] args) throws ClassNotFoundException, InstantiationException, IllegalAccessException {
 		Class<?> testClass = Class.forName("reflection.ReflectiveAccess$TestClass");
 
 		testClass.newInstance();
diff --git a/java/ql/test/library-tests/successors/TestThrow2/TestThrow2.java b/java/ql/test/library-tests/successors/TestThrow2/TestThrow2.java
index c3652aa161c..29f86a7bb58 100644
--- a/java/ql/test/library-tests/successors/TestThrow2/TestThrow2.java
+++ b/java/ql/test/library-tests/successors/TestThrow2/TestThrow2.java
@@ -5,8 +5,8 @@ class TestThrow2 {
 	{
 		try {
 			thrower();
-		} catch (Exception e) {
+		} catch (Throwable e) {
 			;
 		}
 	}
-}
\ No newline at end of file
+}
diff --git a/java/ql/test/query-tests/CloseResource/CloseReader/CloseReader.java b/java/ql/test/query-tests/CloseResource/CloseReader/CloseReader.java
index 38549f5873c..7d78f8dbfef 100644
--- a/java/ql/test/query-tests/CloseResource/CloseReader/CloseReader.java
+++ b/java/ql/test/query-tests/CloseResource/CloseReader/CloseReader.java
@@ -100,7 +100,7 @@ class CloseReader {
 		private void init(InputStreamReader reader) {
 			fileRd = new BufferedReader(reader);
 		}
-		public void readStuff() {
+		public void readStuff() throws java.io.IOException {
 			System.out.println(fileRd.readLine());
 			fileRd.close();
 		}
diff --git a/java/ql/test/query-tests/ContinueInFalseLoop/A.java b/java/ql/test/query-tests/ContinueInFalseLoop/A.java
index 14c4ee0e7aa..911d4146a66 100644
--- a/java/ql/test/query-tests/ContinueInFalseLoop/A.java
+++ b/java/ql/test/query-tests/ContinueInFalseLoop/A.java
@@ -32,14 +32,14 @@ public class A {
 
     // --- while, for loops ---
 
-    while (false) {
+    while (c.cond()) {
       if (c.cond())
         continue; // GOOD [never reached, if the condition changed so it was then the result would no longer apply]
       if (c.cond())
         break;
     }
 
-    for (i = 0; false; i++) {
+    for (i = 0; c.cond(); i++) {
       if (c.cond())
         continue; // GOOD [never reached, if the condition changed so it was then the result would no longer apply]
       if (c.cond())
diff --git a/java/ql/test/query-tests/MissingCallToSuperClone/Test.java b/java/ql/test/query-tests/MissingCallToSuperClone/Test.java
index 77efe645ef5..a236543a695 100644
--- a/java/ql/test/query-tests/MissingCallToSuperClone/Test.java
+++ b/java/ql/test/query-tests/MissingCallToSuperClone/Test.java
@@ -1,10 +1,10 @@
 class IAmAGoodCloneable implements Cloneable {
-	public Object clone() {
+	public Object clone() throws CloneNotSupportedException {
 		return super.clone();
 	}
 }
 
-class Sub1 extends IAmAGoodCloneable { public Object clone() { return super.clone(); } }
+class Sub1 extends IAmAGoodCloneable { public Object clone() throws CloneNotSupportedException { return super.clone(); } }
 
 class IAmABadCloneable implements Cloneable {
 	public Object clone() {
diff --git a/java/ql/test/query-tests/MissingInstanceofInEquals/GoodReturn.java b/java/ql/test/query-tests/MissingInstanceofInEquals/GoodReturn.java
index 593469fe6fb..0de780e4162 100644
--- a/java/ql/test/query-tests/MissingInstanceofInEquals/GoodReturn.java
+++ b/java/ql/test/query-tests/MissingInstanceofInEquals/GoodReturn.java
@@ -3,7 +3,7 @@ class GoodReturn {
 
   @Override
   public int hashCode() {
-    getClass().hashCode();
+    return getClass().hashCode();
   }
 
   @Override
diff --git a/java/ql/test/query-tests/Nullness/C.java b/java/ql/test/query-tests/Nullness/C.java
index c9fe368a394..ac6a5f291da 100644
--- a/java/ql/test/query-tests/Nullness/C.java
+++ b/java/ql/test/query-tests/Nullness/C.java
@@ -171,7 +171,7 @@ public class C {
 
   private void verifyBool(boolean b) {
     if (!b) {
-      throw new Exception();
+      throw new Error();
     }
   }
 
@@ -192,7 +192,7 @@ public class C {
 
   private void verifyNotNull(Object obj) {
     if (obj == null) {
-      throw new Exception();
+      throw new Error();
     }
   }
 
diff --git a/java/ql/test/query-tests/RangeAnalysis/A.java b/java/ql/test/query-tests/RangeAnalysis/A.java
index f2cb4918387..53fbc62f83b 100644
--- a/java/ql/test/query-tests/RangeAnalysis/A.java
+++ b/java/ql/test/query-tests/RangeAnalysis/A.java
@@ -5,7 +5,7 @@ public class A {
 
   public A(int[] arr2, int n) {
     if (arr2.length % 2 != 0)
-      throw new Exception();
+      throw new Error();
     this.arr2 = arr2;
     this.arr3 = new int[n << 1];
   }
@@ -168,7 +168,7 @@ public class A {
     if (n > 0) {
       a = n > 0 ? new int[3 * n] : null;
     }
-    int sum;
+    int sum = 0;
     if (a != null) {
       for (int i = 0; i < a.length; i += 3) {
         sum += a[i + 2]; // OK
diff --git a/java/ql/test/query-tests/UseBraces/UseBraces.java b/java/ql/test/query-tests/UseBraces/UseBraces.java
index c823456cd2a..756050b2c44 100644
--- a/java/ql/test/query-tests/UseBraces/UseBraces.java
+++ b/java/ql/test/query-tests/UseBraces/UseBraces.java
@@ -7,9 +7,9 @@ class UseBraces
 	void f() { }
 	void g() { }
 	void h() { }
-	void test()
+	void test(boolean bb)
 	{
-		int x, y;
+		int x = 0, y;
 		int[] branches = new int[10];
 		
 		// If-then statement
@@ -67,27 +67,27 @@ class UseBraces
 
 		// While statement
 
-		while(false)
+		while(bb)
 		{
 			f();
 		}
 			g();		// No alert
 
 
-		while(false)
+		while(bb)
 			f();
 		g();
 
-		while(false)
+		while(bb   )
 			f();
 			g();		// Alert
 			g();		// No alert
 
-		while(false)
+		while(bb   )
 			f();	g();		// Alert
 
 
-		while(false)
+		while(bb)
 			if (x != 0) x = 1;
 
 		// Do-while statement
diff --git a/java/ql/test/query-tests/UselessComparisonTest/Test.java b/java/ql/test/query-tests/UselessComparisonTest/Test.java
index 4b9d7488317..eafac84dea5 100644
--- a/java/ql/test/query-tests/UselessComparisonTest/Test.java
+++ b/java/ql/test/query-tests/UselessComparisonTest/Test.java
@@ -3,7 +3,7 @@ class Test {
 	void test(int x) {
 		z = getInt();
 		if (x < 0 || z < 0) {
-			throw new Exception();
+			throw new Error();
 		}
 		int y = 0;
 		if (x >= 0) y++; // useless test due to test in line 5 being false
diff --git a/java/ql/test/query-tests/UselessNullCheck/A.java b/java/ql/test/query-tests/UselessNullCheck/A.java
index 017629ec516..009f5efadd3 100644
--- a/java/ql/test/query-tests/UselessNullCheck/A.java
+++ b/java/ql/test/query-tests/UselessNullCheck/A.java
@@ -7,7 +7,7 @@ public class A {
       new Object();
     } catch(Exception e) {
       if (e == null) { // Useless check
-        throw new Exception();
+        throw new Error();
       }
     }
   }
@@ -16,7 +16,7 @@ public class A {
     if (o instanceof A) {
       A a = (A)o;
       if (a != null) { // Useless check
-        throw new Exception();
+        throw new Error();
       }
     }
   }
diff --git a/java/ql/test/query-tests/dead-code/DeadField/ReflectionTest.java b/java/ql/test/query-tests/dead-code/DeadField/ReflectionTest.java
index 418975b0281..72ca3ae46f6 100644
--- a/java/ql/test/query-tests/dead-code/DeadField/ReflectionTest.java
+++ b/java/ql/test/query-tests/dead-code/DeadField/ReflectionTest.java
@@ -16,7 +16,7 @@ public class ReflectionTest {
 		public int shadowedField;
 	}
 
-	public static void main(String[] args) {
+	public static void main(String[] args) throws NoSuchFieldException {
 		// Ensure the two classes are live, otherwise we might hide some results
 		new ParentClass();
 		new ChildClass();
diff --git a/java/ql/test/query-tests/dead-code/DeadMethod/ReflectionMethodTest.java b/java/ql/test/query-tests/dead-code/DeadMethod/ReflectionMethodTest.java
index 4336655a664..c77718f9750 100644
--- a/java/ql/test/query-tests/dead-code/DeadMethod/ReflectionMethodTest.java
+++ b/java/ql/test/query-tests/dead-code/DeadMethod/ReflectionMethodTest.java
@@ -19,7 +19,7 @@ public class ReflectionMethodTest {
     public void test4() { }
   }
 
-  public static void main(String[] args) throws InstantiationException, IllegalAccessException, ClassNotFoundException {
+  public static void main(String[] args) throws InstantiationException, IllegalAccessException, ClassNotFoundException, NoSuchMethodException {
     // Get class by name
     Class.forName("ReflectionTest$TestObject1").getMethod("test1");
     // Use classloader
diff --git a/java/ql/test/query-tests/security/CWE-022/semmle/tests/ZipTest.java b/java/ql/test/query-tests/security/CWE-022/semmle/tests/ZipTest.java
index 46ed97e2d98..b5bee61b965 100644
--- a/java/ql/test/query-tests/security/CWE-022/semmle/tests/ZipTest.java
+++ b/java/ql/test/query-tests/security/CWE-022/semmle/tests/ZipTest.java
@@ -3,7 +3,7 @@ import java.nio.file.*;
 import java.util.zip.*;
 
 public class ZipTest {
-  public void m1(ZipEntry entry, File dir) {
+  public void m1(ZipEntry entry, File dir) throws Exception {
     String name = entry.getName();
     File file = new File(dir, name);
     FileOutputStream os = new FileOutputStream(file); // ZipSlip
@@ -11,7 +11,7 @@ public class ZipTest {
     FileWriter fw = new FileWriter(file); // ZipSlip
   }
 
-  public void m2(ZipEntry entry, File dir) {
+  public void m2(ZipEntry entry, File dir) throws Exception {
     String name = entry.getName();
     File file = new File(dir, name);
     File canFile = file.getCanonicalFile();
@@ -21,7 +21,7 @@ public class ZipTest {
     FileOutputStream os = new FileOutputStream(file); // OK
   }
 
-  public void m3(ZipEntry entry, File dir) {
+  public void m3(ZipEntry entry, File dir) throws Exception {
     String name = entry.getName();
     File file = new File(dir, name);
     if (!file.toPath().normalize().startsWith(dir.toPath()))
@@ -29,20 +29,20 @@ public class ZipTest {
     FileOutputStream os = new FileOutputStream(file); // OK
   }
 
-  private void validate(File tgtdir, File file) {
+  private void validate(File tgtdir, File file) throws Exception {
     File canFile = file.getCanonicalFile();
     if (!canFile.toPath().startsWith(tgtdir.toPath()))
       throw new Exception();
   }
 
-  public void m4(ZipEntry entry, File dir) {
+  public void m4(ZipEntry entry, File dir) throws Exception {
     String name = entry.getName();
     File file = new File(dir, name);
     validate(dir, file);
     FileOutputStream os = new FileOutputStream(file); // OK
   }
 
-  public void m5(ZipEntry entry, File dir) {
+  public void m5(ZipEntry entry, File dir) throws Exception {
     String name = entry.getName();
     File file = new File(dir, name);
     Path absfile = file.toPath().toAbsolutePath().normalize();
@@ -52,7 +52,7 @@ public class ZipTest {
     FileOutputStream os = new FileOutputStream(file); // OK
   }
 
-  public void m6(ZipEntry entry, Path dir) {
+  public void m6(ZipEntry entry, Path dir) throws Exception {
     String canonicalDest = dir.toFile().getCanonicalPath();
     Path target = dir.resolve(entry.getName());
     String canonicalTarget = target.toFile().getCanonicalPath();
diff --git a/java/ql/test/query-tests/security/CWE-078/Test.java b/java/ql/test/query-tests/security/CWE-078/Test.java
index 6e185b86bbd..1ac5dc47882 100644
--- a/java/ql/test/query-tests/security/CWE-078/Test.java
+++ b/java/ql/test/query-tests/security/CWE-078/Test.java
@@ -3,7 +3,7 @@ import java.util.List;
 import java.util.ArrayList;
 
 class Test {
-  public static void shellCommand(String arg) {
+  public static void shellCommand(String arg) throws java.io.IOException {
     ProcessBuilder pb = new ProcessBuilder("/bin/bash -c echo " + arg);
     pb.start();
 
@@ -25,7 +25,7 @@ class Test {
     pb.start();
   }
 
-  public static void nonShellCommand(String arg) {
+  public static void nonShellCommand(String arg) throws java.io.IOException {
     ProcessBuilder pb = new ProcessBuilder("./customTool " + arg);
     pb.start();
 
@@ -46,7 +46,7 @@ class Test {
     pb.start();
   }
 
-  public static void relativeCommand() {
+  public static void relativeCommand() throws java.io.IOException {
       ProcessBuilder pb = new ProcessBuilder("ls");
       pb.start();
 
@@ -54,11 +54,11 @@ class Test {
       pb.start();
   }
 
-  public static void main(String[] args) {
+  public static void main(String[] args) throws java.io.IOException {
       String arg = args.length > 1 ? args[1] : "default";
 
       shellCommand(arg);
       nonShellCommand(arg);
       relativeCommand();
   }
-}
\ No newline at end of file
+}
diff --git a/java/ql/test/query-tests/security/CWE-297/UnsafeHostnameVerification.java b/java/ql/test/query-tests/security/CWE-297/UnsafeHostnameVerification.java
index 005271998ba..c893e0b8eef 100644
--- a/java/ql/test/query-tests/security/CWE-297/UnsafeHostnameVerification.java
+++ b/java/ql/test/query-tests/security/CWE-297/UnsafeHostnameVerification.java
@@ -66,7 +66,7 @@ public class UnsafeHostnameVerification {
         HostnameVerifier verifier = new HostnameVerifier() {
             @Override
             public boolean verify(String hostname, SSLSession session) {
-                verify(hostname, session.getPeerCertificates());
+                try { verify(hostname, session.getPeerCertificates()); } catch (Exception e) { throw new RuntimeException(); }
                 return true; // GOOD [but detected as BAD]. The verification of the certificate is done in
                              // another method and
                 // in the case of a mismatch, an `Exception` is thrown so the `return true`
diff --git a/java/ql/test/query-tests/security/CWE-311/CWE-319/Test.java b/java/ql/test/query-tests/security/CWE-311/CWE-319/Test.java
index 568a9d89f85..9e2f3f923e8 100644
--- a/java/ql/test/query-tests/security/CWE-311/CWE-319/Test.java
+++ b/java/ql/test/query-tests/security/CWE-311/CWE-319/Test.java
@@ -3,7 +3,7 @@ import javax.net.ssl.HttpsURLConnection;
 import java.io.*;
 
 class Test {
-  public void m1(HttpURLConnection connection) {
+  public void m1(HttpURLConnection connection) throws java.io.IOException {
     InputStream input;
     if (connection instanceof HttpsURLConnection) {
       input = connection.getInputStream(); // OK
diff --git a/java/ql/test/query-tests/security/CWE-421/semmle/Test.java b/java/ql/test/query-tests/security/CWE-421/semmle/Test.java
index 31d20ae133a..0e2dc665a4b 100644
--- a/java/ql/test/query-tests/security/CWE-421/semmle/Test.java
+++ b/java/ql/test/query-tests/security/CWE-421/semmle/Test.java
@@ -31,7 +31,7 @@ class Test {
 		return true;
 	}
 	
-	public void doConnect(int desiredPort, String username) {
+	public void doConnect(int desiredPort, String username) throws Exception {
 		ServerSocket listenSocket = new ServerSocket(desiredPort);
 
 		if (isAuthenticated(username)) {
@@ -56,7 +56,7 @@ class Test {
 		
 	}
 
-	public void doConnectChannel(int desiredPort, String username) {
+	public void doConnectChannel(int desiredPort, String username) throws Exception {
 		ServerSocketChannel listenChannel = ServerSocketChannel.open();
 		SocketAddress port = new InetSocketAddress(desiredPort);
 		listenChannel.bind(port);
diff --git a/java/ql/test/query-tests/security/CWE-502/A.java b/java/ql/test/query-tests/security/CWE-502/A.java
index 3b3de5f8ed2..d1ef4859823 100644
--- a/java/ql/test/query-tests/security/CWE-502/A.java
+++ b/java/ql/test/query-tests/security/CWE-502/A.java
@@ -9,32 +9,32 @@ import org.yaml.snakeyaml.constructor.Constructor;
 import org.yaml.snakeyaml.Yaml;
 
 public class A {
-  public Object deserialize1(Socket sock) {
+  public Object deserialize1(Socket sock) throws java.io.IOException, ClassNotFoundException {
     InputStream inputStream = sock.getInputStream();
     ObjectInputStream in = new ObjectInputStream(inputStream);
     return in.readObject(); // unsafe
   }
 
-  public Object deserialize2(Socket sock) {
+  public Object deserialize2(Socket sock) throws java.io.IOException, ClassNotFoundException {
     InputStream inputStream = sock.getInputStream();
     ObjectInputStream in = new ObjectInputStream(inputStream);
     return in.readUnshared(); // unsafe
   }
 
-  public Object deserialize3(Socket sock) {
+  public Object deserialize3(Socket sock) throws java.io.IOException {
     InputStream inputStream = sock.getInputStream();
     XMLDecoder d = new XMLDecoder(inputStream);
     return d.readObject(); // unsafe
   }
 
-  public Object deserialize4(Socket sock) {
+  public Object deserialize4(Socket sock) throws java.io.IOException {
     XStream xs = new XStream();
     InputStream inputStream = sock.getInputStream();
     Reader reader = new InputStreamReader(inputStream);
     return xs.fromXML(reader); // unsafe
   }
 
-  public void deserialize5(Socket sock) {
+  public void deserialize5(Socket sock) throws java.io.IOException {
     Kryo kryo = new Kryo();
     Input input = new Input(sock.getInputStream());
     A a1 = kryo.readObject(input, A.class); // unsafe
@@ -42,20 +42,20 @@ public class A {
     Object o = kryo.readClassAndObject(input); // unsafe
   }
 
-  private Kryo getSafeKryo() {
+  private Kryo getSafeKryo() throws java.io.IOException {
     Kryo kryo = new Kryo();
     kryo.setRegistrationRequired(true);
     // ... kryo.register(A.class) ...
     return kryo;
   }
 
-  public void deserialize6(Socket sock) {
+  public void deserialize6(Socket sock) throws java.io.IOException {
     Kryo kryo = getSafeKryo();
     Input input = new Input(sock.getInputStream());
     Object o = kryo.readClassAndObject(input); // OK
   }
 
-  public void deserializeSnakeYaml(Socket sock) {
+  public void deserializeSnakeYaml(Socket sock) throws java.io.IOException {
     Yaml yaml = new Yaml();
     InputStream input = sock.getInputStream();
     Object o = yaml.load(input); //unsafe
@@ -65,7 +65,7 @@ public class A {
     A o5 = yaml.loadAs(new InputStreamReader(input), A.class); //unsafe
   }
 
-  public void deserializeSnakeYaml2(Socket sock) {
+  public void deserializeSnakeYaml2(Socket sock) throws java.io.IOException {
     Yaml yaml = new Yaml(new Constructor());
     InputStream input = sock.getInputStream();
     Object o = yaml.load(input); //unsafe
@@ -75,7 +75,7 @@ public class A {
     A o5 = yaml.loadAs(new InputStreamReader(input), A.class); //unsafe
   }
 
-  public void deserializeSnakeYaml3(Socket sock) {
+  public void deserializeSnakeYaml3(Socket sock) throws java.io.IOException {
     Yaml yaml = new Yaml(new SafeConstructor());
     InputStream input = sock.getInputStream();
     Object o = yaml.load(input); //OK
@@ -85,7 +85,7 @@ public class A {
     A o5 = yaml.loadAs(new InputStreamReader(input), A.class); //OK
   }
 
-  public void deserializeSnakeYaml4(Socket sock) {
+  public void deserializeSnakeYaml4(Socket sock) throws java.io.IOException {
     Yaml yaml = new Yaml(new Constructor(A.class));
     InputStream input = sock.getInputStream();
     Object o = yaml.load(input); //OK
diff --git a/java/ql/test/query-tests/security/CWE-502/B.java b/java/ql/test/query-tests/security/CWE-502/B.java
index 671442a9346..a12555edd70 100644
--- a/java/ql/test/query-tests/security/CWE-502/B.java
+++ b/java/ql/test/query-tests/security/CWE-502/B.java
@@ -3,19 +3,19 @@ import java.net.Socket;
 import com.alibaba.fastjson.JSON;
 
 public class B {
-  public Object deserializeJson1(Socket sock) {
+  public Object deserializeJson1(Socket sock) throws java.io.IOException {
     InputStream inputStream = sock.getInputStream();
     return JSON.parseObject(inputStream, null); // unsafe
   }
 
-  public Object deserializeJson2(Socket sock) {
+  public Object deserializeJson2(Socket sock) throws java.io.IOException {
     InputStream inputStream = sock.getInputStream();
     byte[] bytes = new byte[100];
     inputStream.read(bytes);
     return JSON.parse(bytes); // unsafe
   }
 
-  public Object deserializeJson3(Socket sock) {
+  public Object deserializeJson3(Socket sock) throws java.io.IOException {
     InputStream inputStream = sock.getInputStream();
     byte[] bytes = new byte[100];
     inputStream.read(bytes);
@@ -23,7 +23,7 @@ public class B {
     return JSON.parseObject(s); // unsafe
   }
 
-  public Object deserializeJson4(Socket sock) {
+  public Object deserializeJson4(Socket sock) throws java.io.IOException {
     InputStream inputStream = sock.getInputStream();
     byte[] bytes = new byte[100];
     inputStream.read(bytes);
diff --git a/java/ql/test/query-tests/security/CWE-611/DocumentBuilderTests.java b/java/ql/test/query-tests/security/CWE-611/DocumentBuilderTests.java
index f70b44e2f1a..cb25141a90d 100644
--- a/java/ql/test/query-tests/security/CWE-611/DocumentBuilderTests.java
+++ b/java/ql/test/query-tests/security/CWE-611/DocumentBuilderTests.java
@@ -102,7 +102,7 @@ class DocumentBuilderTests {
 	builder.parse(source.getInputStream()); //unsafe
   }
 
-  private static DocumentBuilderFactory getDocumentBuilderFactory() {
+  private static DocumentBuilderFactory getDocumentBuilderFactory() throws Exception {
     DocumentBuilderFactory factory = DocumentBuilderFactory.newInstance();
     String feature = "";
     feature = "http://xml.org/sax/features/external-parameter-entities";
@@ -115,8 +115,8 @@ class DocumentBuilderTests {
   private static final ThreadLocal<DocumentBuilder> XML_DOCUMENT_BUILDER = new ThreadLocal<DocumentBuilder>() {
     @Override
     protected DocumentBuilder initialValue() {
-      DocumentBuilderFactory factory = getDocumentBuilderFactory();
       try {
+        DocumentBuilderFactory factory = getDocumentBuilderFactory();
         return factory.newDocumentBuilder();
       } catch (Exception ex) {
         throw new RuntimeException(ex);
diff --git a/java/ql/test/query-tests/security/CWE-732/semmle/tests/Test.java b/java/ql/test/query-tests/security/CWE-732/semmle/tests/Test.java
index ec1dfd1289c..8717203802d 100644
--- a/java/ql/test/query-tests/security/CWE-732/semmle/tests/Test.java
+++ b/java/ql/test/query-tests/security/CWE-732/semmle/tests/Test.java
@@ -31,11 +31,11 @@ class Test {
 		new FileInputStream(f2);
 	}
 
-	public static void readFile(File f) {
+	public static void readFile(File f) throws java.io.FileNotFoundException {
 		new FileReader(f);
 	}
 
 	public static void setWorldWritable(File f) {
 		f.setWritable(true, false);
 	}
-}
\ No newline at end of file
+}
diff --git a/java/ql/test/query-tests/security/CWE-833/semmle/tests/MethodAccessLockOrder.java b/java/ql/test/query-tests/security/CWE-833/semmle/tests/MethodAccessLockOrder.java
index 9092bfee427..e02364c05ec 100644
--- a/java/ql/test/query-tests/security/CWE-833/semmle/tests/MethodAccessLockOrder.java
+++ b/java/ql/test/query-tests/security/CWE-833/semmle/tests/MethodAccessLockOrder.java
@@ -26,9 +26,9 @@ class MethodAccessLockOrder {
 	public boolean initiateTransfer(boolean fromSavings, int amount) {
 		// AVOID: inconsistent lock order
 		if (fromSavings) {
-			primary.transferFrom(savings, amount);
+			return primary.transferFrom(savings, amount);
 		} else {
-			savings.transferFrom(primary, amount);
+			return savings.transferFrom(primary, amount);
 		}
 	}
 
diff --git a/java/ql/test/stubs/google-android-9.0.0/android/app/Activity.java b/java/ql/test/stubs/google-android-9.0.0/android/app/Activity.java
index 19a2662b96c..e04f68a203d 100644
--- a/java/ql/test/stubs/google-android-9.0.0/android/app/Activity.java
+++ b/java/ql/test/stubs/google-android-9.0.0/android/app/Activity.java
@@ -1019,6 +1019,7 @@ public class Activity {
      * @see Activity#requireViewById(int)
      */
     public <T> T findViewById(int id) {
+        return null;
     }
 
     /**
@@ -1141,4 +1142,4 @@ public class Activity {
      */
     public void startActivities(Intent[] intents, Bundle options) {
     }
-}
\ No newline at end of file
+}
diff --git a/java/ql/test/stubs/google-android-9.0.0/android/content/Intent.java b/java/ql/test/stubs/google-android-9.0.0/android/content/Intent.java
index 292069c0f71..09422c7a48a 100644
--- a/java/ql/test/stubs/google-android-9.0.0/android/content/Intent.java
+++ b/java/ql/test/stubs/google-android-9.0.0/android/content/Intent.java
@@ -821,6 +821,7 @@ public class Intent implements Parcelable, Cloneable {
      */
     @Deprecated
     public static Intent getIntent(String uri) {
+        return null;
     }
 
     /**
@@ -845,6 +846,7 @@ public class Intent implements Parcelable, Cloneable {
      * @see #toUri
      */
     public static Intent parseUri(String uri, int flags) {
+        return null;
     }
 
     /**
@@ -2069,4 +2071,4 @@ public class Intent implements Parcelable, Cloneable {
         return null;
     }
 
-}
\ No newline at end of file
+}
diff --git a/java/ql/test/stubs/google-android-9.0.0/android/os/BaseBundle.java b/java/ql/test/stubs/google-android-9.0.0/android/os/BaseBundle.java
index 4b85ae8e67a..3ac33642ab4 100644
--- a/java/ql/test/stubs/google-android-9.0.0/android/os/BaseBundle.java
+++ b/java/ql/test/stubs/google-android-9.0.0/android/os/BaseBundle.java
@@ -97,6 +97,7 @@ public class BaseBundle {
      * @hide
      */
     public String getPairValue() {
+        return null;
     }
 
     /**
diff --git a/java/ql/test/stubs/google-android-9.0.0/android/os/Parcel.java b/java/ql/test/stubs/google-android-9.0.0/android/os/Parcel.java
index 2670e258e4f..077da662edb 100644
--- a/java/ql/test/stubs/google-android-9.0.0/android/os/Parcel.java
+++ b/java/ql/test/stubs/google-android-9.0.0/android/os/Parcel.java
@@ -229,6 +229,7 @@ public final class Parcel {
     }
 
     public final float[] createFloatArray() {
+        return null;
     }
 
     public final void readFloatArray(float[] val) {
diff --git a/java/ql/test/stubs/google-android-9.0.0/androidx/security/crypto/EncryptedSharedPreferences.java b/java/ql/test/stubs/google-android-9.0.0/androidx/security/crypto/EncryptedSharedPreferences.java
index db918d448f2..8ca1443d049 100644
--- a/java/ql/test/stubs/google-android-9.0.0/androidx/security/crypto/EncryptedSharedPreferences.java
+++ b/java/ql/test/stubs/google-android-9.0.0/androidx/security/crypto/EncryptedSharedPreferences.java
@@ -85,6 +85,7 @@ public final class EncryptedSharedPreferences implements SharedPreferences {
             PrefKeyEncryptionScheme prefKeyEncryptionScheme,
             PrefValueEncryptionScheme prefValueEncryptionScheme)
             throws GeneralSecurityException, IOException {
+        return null;
     }
 
     /**
@@ -168,4 +169,4 @@ public final class EncryptedSharedPreferences implements SharedPreferences {
     public void unregisterOnSharedPreferenceChangeListener(
             OnSharedPreferenceChangeListener listener) {
     }
-}
\ No newline at end of file
+}

From e5331a4735546448375dc9ce062d903e48956f02 Mon Sep 17 00:00:00 2001
From: yo-h <55373593+yo-h@users.noreply.github.com>
Date: Tue, 9 Feb 2021 09:17:35 -0500
Subject: [PATCH 256/429] Java: accept changes in expected output

---
 .../dataflow/taintsources/remote.expected              | 10 +++++-----
 .../semmle/tests/LockOrderInconsistency.expected       |  2 +-
 2 files changed, 6 insertions(+), 6 deletions(-)

diff --git a/java/ql/test/library-tests/dataflow/taintsources/remote.expected b/java/ql/test/library-tests/dataflow/taintsources/remote.expected
index 57acdb6d26c..e4f1dac7ca6 100644
--- a/java/ql/test/library-tests/dataflow/taintsources/remote.expected
+++ b/java/ql/test/library-tests/dataflow/taintsources/remote.expected
@@ -5,21 +5,21 @@
 | A.java:41:5:41:53 | getInputStream(...) | A.java:41:5:41:53 | getInputStream(...) |
 | A.java:42:5:42:45 | getInputStream(...) | A.java:42:5:42:45 | getInputStream(...) |
 | A.java:43:5:43:47 | getHostName(...) | A.java:43:5:43:47 | getHostName(...) |
-| IntentSources.java:9:20:9:35 | getIntent(...) | ../../../stubs/google-android-9.0.0/android/content/Intent.java:1057:19:1057:32 | parameter this |
+| IntentSources.java:9:20:9:35 | getIntent(...) | ../../../stubs/google-android-9.0.0/android/content/Intent.java:1059:19:1059:32 | parameter this |
 | IntentSources.java:9:20:9:35 | getIntent(...) | IntentSources.java:9:20:9:35 | getIntent(...) |
 | IntentSources.java:9:20:9:35 | getIntent(...) | IntentSources.java:9:20:9:57 | getStringExtra(...) |
 | IntentSources.java:9:20:9:35 | getIntent(...) | IntentSources.java:10:29:10:35 | trouble |
-| IntentSources.java:16:20:16:30 | getIntent(...) | ../../../stubs/google-android-9.0.0/android/content/Intent.java:1057:19:1057:32 | parameter this |
+| IntentSources.java:16:20:16:30 | getIntent(...) | ../../../stubs/google-android-9.0.0/android/content/Intent.java:1059:19:1059:32 | parameter this |
 | IntentSources.java:16:20:16:30 | getIntent(...) | IntentSources.java:16:20:16:30 | getIntent(...) |
 | IntentSources.java:16:20:16:30 | getIntent(...) | IntentSources.java:16:20:16:52 | getStringExtra(...) |
 | IntentSources.java:16:20:16:30 | getIntent(...) | IntentSources.java:17:29:17:35 | trouble |
-| IntentSources.java:23:20:23:30 | getIntent(...) | ../../../stubs/google-android-9.0.0/android/content/Intent.java:1356:19:1356:27 | parameter this |
-| IntentSources.java:23:20:23:30 | getIntent(...) | ../../../stubs/google-android-9.0.0/android/os/BaseBundle.java:599:19:599:27 | parameter this |
+| IntentSources.java:23:20:23:30 | getIntent(...) | ../../../stubs/google-android-9.0.0/android/content/Intent.java:1358:19:1358:27 | parameter this |
+| IntentSources.java:23:20:23:30 | getIntent(...) | ../../../stubs/google-android-9.0.0/android/os/BaseBundle.java:600:19:600:27 | parameter this |
 | IntentSources.java:23:20:23:30 | getIntent(...) | IntentSources.java:23:20:23:30 | getIntent(...) |
 | IntentSources.java:23:20:23:30 | getIntent(...) | IntentSources.java:23:20:23:42 | getExtras(...) |
 | IntentSources.java:23:20:23:30 | getIntent(...) | IntentSources.java:23:20:23:59 | getString(...) |
 | IntentSources.java:23:20:23:30 | getIntent(...) | IntentSources.java:24:29:24:35 | trouble |
-| IntentSources.java:33:20:33:33 | getIntent(...) | ../../../stubs/google-android-9.0.0/android/content/Intent.java:1057:19:1057:32 | parameter this |
+| IntentSources.java:33:20:33:33 | getIntent(...) | ../../../stubs/google-android-9.0.0/android/content/Intent.java:1059:19:1059:32 | parameter this |
 | IntentSources.java:33:20:33:33 | getIntent(...) | IntentSources.java:33:20:33:33 | getIntent(...) |
 | IntentSources.java:33:20:33:33 | getIntent(...) | IntentSources.java:33:20:33:55 | getStringExtra(...) |
 | IntentSources.java:33:20:33:33 | getIntent(...) | IntentSources.java:34:29:34:35 | trouble |
diff --git a/java/ql/test/query-tests/security/CWE-833/semmle/tests/LockOrderInconsistency.expected b/java/ql/test/query-tests/security/CWE-833/semmle/tests/LockOrderInconsistency.expected
index 89a404374cc..995d2a75277 100644
--- a/java/ql/test/query-tests/security/CWE-833/semmle/tests/LockOrderInconsistency.expected
+++ b/java/ql/test/query-tests/security/CWE-833/semmle/tests/LockOrderInconsistency.expected
@@ -1,4 +1,4 @@
-| MethodAccessLockOrder.java:29:4:29:40 | transferFrom(...) | Synchronization here and $@ may be performed in reverse order starting $@ and result in deadlock. | MethodAccessLockOrder.java:8:21:8:41 | subtract(...) | here | MethodAccessLockOrder.java:31:4:31:40 | transferFrom(...) | here |
+| MethodAccessLockOrder.java:29:11:29:47 | transferFrom(...) | Synchronization here and $@ may be performed in reverse order starting $@ and result in deadlock. | MethodAccessLockOrder.java:8:21:8:41 | subtract(...) | here | MethodAccessLockOrder.java:31:11:31:47 | transferFrom(...) | here |
 | ReentrantLockOrder.java:11:4:11:21 | lock(...) | Synchronization here and $@ may be performed in reverse order starting $@ and result in deadlock. | ReentrantLockOrder.java:12:4:12:21 | lock(...) | here | ReentrantLockOrder.java:28:4:28:21 | lock(...) | here |
 | ReentrantLockOrder.java:28:4:28:21 | lock(...) | Synchronization here and $@ may be performed in reverse order starting $@ and result in deadlock. | ReentrantLockOrder.java:29:4:29:21 | lock(...) | here | ReentrantLockOrder.java:11:4:11:21 | lock(...) | here |
 | SynchronizedStmtLockOrder.java:8:16:8:26 | primaryLock | Synchronization here and $@ may be performed in reverse order starting $@ and result in deadlock. | SynchronizedStmtLockOrder.java:9:17:9:27 | savingsLock | here | SynchronizedStmtLockOrder.java:22:16:22:26 | savingsLock | here |

From cc031118dd8cc4b1d03652e325a4d648046f6239 Mon Sep 17 00:00:00 2001
From: Geoffrey White <40627776+geoffw0@users.noreply.github.com>
Date: Tue, 9 Feb 2021 15:19:30 +0000
Subject: [PATCH 257/429] Update CONTRIBUTING.md

Co-authored-by: hubwriter <hubwriter@github.com>
---
 CONTRIBUTING.md | 3 +--
 1 file changed, 1 insertion(+), 2 deletions(-)

diff --git a/CONTRIBUTING.md b/CONTRIBUTING.md
index bf7faeaa213..f9f6fe310a4 100644
--- a/CONTRIBUTING.md
+++ b/CONTRIBUTING.md
@@ -51,8 +51,7 @@ If you have an idea for a query that you would like to share with other CodeQL u
 
 6. **Query help files and unit tests**
 
-	- Query help (`.qhelp`) files and unit tests are optional (but strongly encouraged!) for queries in the `experimental` directories.
-	- see [Supported CodeQL queries and libraries](docs/supported-queries.md) for more information about contributing query help files and unit tests.
+	- Query help (`.qhelp`) files and unit tests are optional (but strongly encouraged!) for queries in the `experimental` directories. For more information about contributing query help files and unit tests, see [Supported CodeQL queries and libraries](docs/supported-queries.md).
 
 Experimental queries and libraries may not be actively maintained as the supported libraries evolve. They may also be changed in backwards-incompatible ways or may be removed entirely in the future without deprecation warnings.
 

From d475e55ec0cba77b38fb07baa7b4ebe6f778ec89 Mon Sep 17 00:00:00 2001
From: Geoffrey White <40627776+geoffw0@users.noreply.github.com>
Date: Tue, 9 Feb 2021 15:20:03 +0000
Subject: [PATCH 258/429] Update cpp/ql/test/README.md

Co-authored-by: hubwriter <hubwriter@github.com>
---
 cpp/ql/test/README.md | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)

diff --git a/cpp/ql/test/README.md b/cpp/ql/test/README.md
index efa020a074f..9de2b10e1b8 100644
--- a/cpp/ql/test/README.md
+++ b/cpp/ql/test/README.md
@@ -1,6 +1,6 @@
 # C/C++ CodeQL tests
 
-This document provides additional information about the C/C++ CodeQL Tests located in `cpp/ql/test`.  The principles under 'Copying code' also apply to any other C/C++ code in this repository, such as examples linked from query `.qhelp` files in `cpp/ql/src`.  See [Contributing to CodeQL](/CONTRIBUTING.md) for more general information about contributing to this repository.
+This document provides additional information about the C/C++ CodeQL tests located in `cpp/ql/test`.  The principles under "Copying code", below, also apply to any other C/C++ code in this repository, such as examples linked from query `.qhelp` files in `cpp/ql/src`.  For more general information about contributing to this repository, see [Contributing to CodeQL](/CONTRIBUTING.md).
 
 The tests can be run through Visual Studio Code.  Advanced users may also use the `codeql test run` command.
 

From e5970f4c652a6088249c82c02b1450ab0c5a81bb Mon Sep 17 00:00:00 2001
From: Tom Hvitved <hvitved@github.com>
Date: Tue, 9 Feb 2021 20:09:24 +0100
Subject: [PATCH 259/429] Data flow: Take `clearsContent()` into account in
 flow exploration

---
 .../src/semmle/code/csharp/dataflow/internal/DataFlowImpl.qll   | 2 ++
 1 file changed, 2 insertions(+)

diff --git a/csharp/ql/src/semmle/code/csharp/dataflow/internal/DataFlowImpl.qll b/csharp/ql/src/semmle/code/csharp/dataflow/internal/DataFlowImpl.qll
index d9f5acdd279..59cc8d529a7 100644
--- a/csharp/ql/src/semmle/code/csharp/dataflow/internal/DataFlowImpl.qll
+++ b/csharp/ql/src/semmle/code/csharp/dataflow/internal/DataFlowImpl.qll
@@ -3598,6 +3598,7 @@ private module FlowExploration {
       or
       exists(PartialPathNodeRev mid |
         revPartialPathStep(mid, node, sc1, sc2, ap, config) and
+        not clearsContent(node, ap.getHead()) and
         not fullBarrier(node, config) and
         distSink(node.getEnclosingCallable(), config) <= config.explorationLimit()
       )
@@ -3611,6 +3612,7 @@ private module FlowExploration {
     exists(PartialPathNodeFwd mid |
       partialPathStep(mid, node, cc, sc1, sc2, ap, config) and
       not fullBarrier(node, config) and
+      not clearsContent(node, ap.getHead().getContent()) and
       if node instanceof CastingNode
       then compatibleTypes(getNodeType(node), ap.getType())
       else any()

From 1f9b42f9ab19c24f9150430f6341a5b7d792b819 Mon Sep 17 00:00:00 2001
From: Tom Hvitved <hvitved@github.com>
Date: Tue, 9 Feb 2021 20:10:23 +0100
Subject: [PATCH 260/429] Data flow: Sync files

---
 cpp/ql/src/semmle/code/cpp/dataflow/internal/DataFlowImpl.qll   | 2 ++
 cpp/ql/src/semmle/code/cpp/dataflow/internal/DataFlowImpl2.qll  | 2 ++
 cpp/ql/src/semmle/code/cpp/dataflow/internal/DataFlowImpl3.qll  | 2 ++
 cpp/ql/src/semmle/code/cpp/dataflow/internal/DataFlowImpl4.qll  | 2 ++
 .../src/semmle/code/cpp/dataflow/internal/DataFlowImplLocal.qll | 2 ++
 .../src/semmle/code/cpp/ir/dataflow/internal/DataFlowImpl.qll   | 2 ++
 .../src/semmle/code/cpp/ir/dataflow/internal/DataFlowImpl2.qll  | 2 ++
 .../src/semmle/code/cpp/ir/dataflow/internal/DataFlowImpl3.qll  | 2 ++
 .../src/semmle/code/cpp/ir/dataflow/internal/DataFlowImpl4.qll  | 2 ++
 .../src/semmle/code/csharp/dataflow/internal/DataFlowImpl2.qll  | 2 ++
 .../src/semmle/code/csharp/dataflow/internal/DataFlowImpl3.qll  | 2 ++
 .../src/semmle/code/csharp/dataflow/internal/DataFlowImpl4.qll  | 2 ++
 .../src/semmle/code/csharp/dataflow/internal/DataFlowImpl5.qll  | 2 ++
 java/ql/src/semmle/code/java/dataflow/internal/DataFlowImpl.qll | 2 ++
 .../ql/src/semmle/code/java/dataflow/internal/DataFlowImpl2.qll | 2 ++
 .../ql/src/semmle/code/java/dataflow/internal/DataFlowImpl3.qll | 2 ++
 .../ql/src/semmle/code/java/dataflow/internal/DataFlowImpl4.qll | 2 ++
 .../ql/src/semmle/code/java/dataflow/internal/DataFlowImpl5.qll | 2 ++
 .../ql/src/semmle/python/dataflow/new/internal/DataFlowImpl.qll | 2 ++
 .../src/semmle/python/dataflow/new/internal/DataFlowImpl2.qll   | 2 ++
 .../src/semmle/python/dataflow/new/internal/DataFlowImpl3.qll   | 2 ++
 .../src/semmle/python/dataflow/new/internal/DataFlowImpl4.qll   | 2 ++
 22 files changed, 44 insertions(+)

diff --git a/cpp/ql/src/semmle/code/cpp/dataflow/internal/DataFlowImpl.qll b/cpp/ql/src/semmle/code/cpp/dataflow/internal/DataFlowImpl.qll
index d9f5acdd279..59cc8d529a7 100644
--- a/cpp/ql/src/semmle/code/cpp/dataflow/internal/DataFlowImpl.qll
+++ b/cpp/ql/src/semmle/code/cpp/dataflow/internal/DataFlowImpl.qll
@@ -3598,6 +3598,7 @@ private module FlowExploration {
       or
       exists(PartialPathNodeRev mid |
         revPartialPathStep(mid, node, sc1, sc2, ap, config) and
+        not clearsContent(node, ap.getHead()) and
         not fullBarrier(node, config) and
         distSink(node.getEnclosingCallable(), config) <= config.explorationLimit()
       )
@@ -3611,6 +3612,7 @@ private module FlowExploration {
     exists(PartialPathNodeFwd mid |
       partialPathStep(mid, node, cc, sc1, sc2, ap, config) and
       not fullBarrier(node, config) and
+      not clearsContent(node, ap.getHead().getContent()) and
       if node instanceof CastingNode
       then compatibleTypes(getNodeType(node), ap.getType())
       else any()
diff --git a/cpp/ql/src/semmle/code/cpp/dataflow/internal/DataFlowImpl2.qll b/cpp/ql/src/semmle/code/cpp/dataflow/internal/DataFlowImpl2.qll
index d9f5acdd279..59cc8d529a7 100644
--- a/cpp/ql/src/semmle/code/cpp/dataflow/internal/DataFlowImpl2.qll
+++ b/cpp/ql/src/semmle/code/cpp/dataflow/internal/DataFlowImpl2.qll
@@ -3598,6 +3598,7 @@ private module FlowExploration {
       or
       exists(PartialPathNodeRev mid |
         revPartialPathStep(mid, node, sc1, sc2, ap, config) and
+        not clearsContent(node, ap.getHead()) and
         not fullBarrier(node, config) and
         distSink(node.getEnclosingCallable(), config) <= config.explorationLimit()
       )
@@ -3611,6 +3612,7 @@ private module FlowExploration {
     exists(PartialPathNodeFwd mid |
       partialPathStep(mid, node, cc, sc1, sc2, ap, config) and
       not fullBarrier(node, config) and
+      not clearsContent(node, ap.getHead().getContent()) and
       if node instanceof CastingNode
       then compatibleTypes(getNodeType(node), ap.getType())
       else any()
diff --git a/cpp/ql/src/semmle/code/cpp/dataflow/internal/DataFlowImpl3.qll b/cpp/ql/src/semmle/code/cpp/dataflow/internal/DataFlowImpl3.qll
index d9f5acdd279..59cc8d529a7 100644
--- a/cpp/ql/src/semmle/code/cpp/dataflow/internal/DataFlowImpl3.qll
+++ b/cpp/ql/src/semmle/code/cpp/dataflow/internal/DataFlowImpl3.qll
@@ -3598,6 +3598,7 @@ private module FlowExploration {
       or
       exists(PartialPathNodeRev mid |
         revPartialPathStep(mid, node, sc1, sc2, ap, config) and
+        not clearsContent(node, ap.getHead()) and
         not fullBarrier(node, config) and
         distSink(node.getEnclosingCallable(), config) <= config.explorationLimit()
       )
@@ -3611,6 +3612,7 @@ private module FlowExploration {
     exists(PartialPathNodeFwd mid |
       partialPathStep(mid, node, cc, sc1, sc2, ap, config) and
       not fullBarrier(node, config) and
+      not clearsContent(node, ap.getHead().getContent()) and
       if node instanceof CastingNode
       then compatibleTypes(getNodeType(node), ap.getType())
       else any()
diff --git a/cpp/ql/src/semmle/code/cpp/dataflow/internal/DataFlowImpl4.qll b/cpp/ql/src/semmle/code/cpp/dataflow/internal/DataFlowImpl4.qll
index d9f5acdd279..59cc8d529a7 100644
--- a/cpp/ql/src/semmle/code/cpp/dataflow/internal/DataFlowImpl4.qll
+++ b/cpp/ql/src/semmle/code/cpp/dataflow/internal/DataFlowImpl4.qll
@@ -3598,6 +3598,7 @@ private module FlowExploration {
       or
       exists(PartialPathNodeRev mid |
         revPartialPathStep(mid, node, sc1, sc2, ap, config) and
+        not clearsContent(node, ap.getHead()) and
         not fullBarrier(node, config) and
         distSink(node.getEnclosingCallable(), config) <= config.explorationLimit()
       )
@@ -3611,6 +3612,7 @@ private module FlowExploration {
     exists(PartialPathNodeFwd mid |
       partialPathStep(mid, node, cc, sc1, sc2, ap, config) and
       not fullBarrier(node, config) and
+      not clearsContent(node, ap.getHead().getContent()) and
       if node instanceof CastingNode
       then compatibleTypes(getNodeType(node), ap.getType())
       else any()
diff --git a/cpp/ql/src/semmle/code/cpp/dataflow/internal/DataFlowImplLocal.qll b/cpp/ql/src/semmle/code/cpp/dataflow/internal/DataFlowImplLocal.qll
index d9f5acdd279..59cc8d529a7 100644
--- a/cpp/ql/src/semmle/code/cpp/dataflow/internal/DataFlowImplLocal.qll
+++ b/cpp/ql/src/semmle/code/cpp/dataflow/internal/DataFlowImplLocal.qll
@@ -3598,6 +3598,7 @@ private module FlowExploration {
       or
       exists(PartialPathNodeRev mid |
         revPartialPathStep(mid, node, sc1, sc2, ap, config) and
+        not clearsContent(node, ap.getHead()) and
         not fullBarrier(node, config) and
         distSink(node.getEnclosingCallable(), config) <= config.explorationLimit()
       )
@@ -3611,6 +3612,7 @@ private module FlowExploration {
     exists(PartialPathNodeFwd mid |
       partialPathStep(mid, node, cc, sc1, sc2, ap, config) and
       not fullBarrier(node, config) and
+      not clearsContent(node, ap.getHead().getContent()) and
       if node instanceof CastingNode
       then compatibleTypes(getNodeType(node), ap.getType())
       else any()
diff --git a/cpp/ql/src/semmle/code/cpp/ir/dataflow/internal/DataFlowImpl.qll b/cpp/ql/src/semmle/code/cpp/ir/dataflow/internal/DataFlowImpl.qll
index d9f5acdd279..59cc8d529a7 100644
--- a/cpp/ql/src/semmle/code/cpp/ir/dataflow/internal/DataFlowImpl.qll
+++ b/cpp/ql/src/semmle/code/cpp/ir/dataflow/internal/DataFlowImpl.qll
@@ -3598,6 +3598,7 @@ private module FlowExploration {
       or
       exists(PartialPathNodeRev mid |
         revPartialPathStep(mid, node, sc1, sc2, ap, config) and
+        not clearsContent(node, ap.getHead()) and
         not fullBarrier(node, config) and
         distSink(node.getEnclosingCallable(), config) <= config.explorationLimit()
       )
@@ -3611,6 +3612,7 @@ private module FlowExploration {
     exists(PartialPathNodeFwd mid |
       partialPathStep(mid, node, cc, sc1, sc2, ap, config) and
       not fullBarrier(node, config) and
+      not clearsContent(node, ap.getHead().getContent()) and
       if node instanceof CastingNode
       then compatibleTypes(getNodeType(node), ap.getType())
       else any()
diff --git a/cpp/ql/src/semmle/code/cpp/ir/dataflow/internal/DataFlowImpl2.qll b/cpp/ql/src/semmle/code/cpp/ir/dataflow/internal/DataFlowImpl2.qll
index d9f5acdd279..59cc8d529a7 100644
--- a/cpp/ql/src/semmle/code/cpp/ir/dataflow/internal/DataFlowImpl2.qll
+++ b/cpp/ql/src/semmle/code/cpp/ir/dataflow/internal/DataFlowImpl2.qll
@@ -3598,6 +3598,7 @@ private module FlowExploration {
       or
       exists(PartialPathNodeRev mid |
         revPartialPathStep(mid, node, sc1, sc2, ap, config) and
+        not clearsContent(node, ap.getHead()) and
         not fullBarrier(node, config) and
         distSink(node.getEnclosingCallable(), config) <= config.explorationLimit()
       )
@@ -3611,6 +3612,7 @@ private module FlowExploration {
     exists(PartialPathNodeFwd mid |
       partialPathStep(mid, node, cc, sc1, sc2, ap, config) and
       not fullBarrier(node, config) and
+      not clearsContent(node, ap.getHead().getContent()) and
       if node instanceof CastingNode
       then compatibleTypes(getNodeType(node), ap.getType())
       else any()
diff --git a/cpp/ql/src/semmle/code/cpp/ir/dataflow/internal/DataFlowImpl3.qll b/cpp/ql/src/semmle/code/cpp/ir/dataflow/internal/DataFlowImpl3.qll
index d9f5acdd279..59cc8d529a7 100644
--- a/cpp/ql/src/semmle/code/cpp/ir/dataflow/internal/DataFlowImpl3.qll
+++ b/cpp/ql/src/semmle/code/cpp/ir/dataflow/internal/DataFlowImpl3.qll
@@ -3598,6 +3598,7 @@ private module FlowExploration {
       or
       exists(PartialPathNodeRev mid |
         revPartialPathStep(mid, node, sc1, sc2, ap, config) and
+        not clearsContent(node, ap.getHead()) and
         not fullBarrier(node, config) and
         distSink(node.getEnclosingCallable(), config) <= config.explorationLimit()
       )
@@ -3611,6 +3612,7 @@ private module FlowExploration {
     exists(PartialPathNodeFwd mid |
       partialPathStep(mid, node, cc, sc1, sc2, ap, config) and
       not fullBarrier(node, config) and
+      not clearsContent(node, ap.getHead().getContent()) and
       if node instanceof CastingNode
       then compatibleTypes(getNodeType(node), ap.getType())
       else any()
diff --git a/cpp/ql/src/semmle/code/cpp/ir/dataflow/internal/DataFlowImpl4.qll b/cpp/ql/src/semmle/code/cpp/ir/dataflow/internal/DataFlowImpl4.qll
index d9f5acdd279..59cc8d529a7 100644
--- a/cpp/ql/src/semmle/code/cpp/ir/dataflow/internal/DataFlowImpl4.qll
+++ b/cpp/ql/src/semmle/code/cpp/ir/dataflow/internal/DataFlowImpl4.qll
@@ -3598,6 +3598,7 @@ private module FlowExploration {
       or
       exists(PartialPathNodeRev mid |
         revPartialPathStep(mid, node, sc1, sc2, ap, config) and
+        not clearsContent(node, ap.getHead()) and
         not fullBarrier(node, config) and
         distSink(node.getEnclosingCallable(), config) <= config.explorationLimit()
       )
@@ -3611,6 +3612,7 @@ private module FlowExploration {
     exists(PartialPathNodeFwd mid |
       partialPathStep(mid, node, cc, sc1, sc2, ap, config) and
       not fullBarrier(node, config) and
+      not clearsContent(node, ap.getHead().getContent()) and
       if node instanceof CastingNode
       then compatibleTypes(getNodeType(node), ap.getType())
       else any()
diff --git a/csharp/ql/src/semmle/code/csharp/dataflow/internal/DataFlowImpl2.qll b/csharp/ql/src/semmle/code/csharp/dataflow/internal/DataFlowImpl2.qll
index d9f5acdd279..59cc8d529a7 100644
--- a/csharp/ql/src/semmle/code/csharp/dataflow/internal/DataFlowImpl2.qll
+++ b/csharp/ql/src/semmle/code/csharp/dataflow/internal/DataFlowImpl2.qll
@@ -3598,6 +3598,7 @@ private module FlowExploration {
       or
       exists(PartialPathNodeRev mid |
         revPartialPathStep(mid, node, sc1, sc2, ap, config) and
+        not clearsContent(node, ap.getHead()) and
         not fullBarrier(node, config) and
         distSink(node.getEnclosingCallable(), config) <= config.explorationLimit()
       )
@@ -3611,6 +3612,7 @@ private module FlowExploration {
     exists(PartialPathNodeFwd mid |
       partialPathStep(mid, node, cc, sc1, sc2, ap, config) and
       not fullBarrier(node, config) and
+      not clearsContent(node, ap.getHead().getContent()) and
       if node instanceof CastingNode
       then compatibleTypes(getNodeType(node), ap.getType())
       else any()
diff --git a/csharp/ql/src/semmle/code/csharp/dataflow/internal/DataFlowImpl3.qll b/csharp/ql/src/semmle/code/csharp/dataflow/internal/DataFlowImpl3.qll
index d9f5acdd279..59cc8d529a7 100644
--- a/csharp/ql/src/semmle/code/csharp/dataflow/internal/DataFlowImpl3.qll
+++ b/csharp/ql/src/semmle/code/csharp/dataflow/internal/DataFlowImpl3.qll
@@ -3598,6 +3598,7 @@ private module FlowExploration {
       or
       exists(PartialPathNodeRev mid |
         revPartialPathStep(mid, node, sc1, sc2, ap, config) and
+        not clearsContent(node, ap.getHead()) and
         not fullBarrier(node, config) and
         distSink(node.getEnclosingCallable(), config) <= config.explorationLimit()
       )
@@ -3611,6 +3612,7 @@ private module FlowExploration {
     exists(PartialPathNodeFwd mid |
       partialPathStep(mid, node, cc, sc1, sc2, ap, config) and
       not fullBarrier(node, config) and
+      not clearsContent(node, ap.getHead().getContent()) and
       if node instanceof CastingNode
       then compatibleTypes(getNodeType(node), ap.getType())
       else any()
diff --git a/csharp/ql/src/semmle/code/csharp/dataflow/internal/DataFlowImpl4.qll b/csharp/ql/src/semmle/code/csharp/dataflow/internal/DataFlowImpl4.qll
index d9f5acdd279..59cc8d529a7 100644
--- a/csharp/ql/src/semmle/code/csharp/dataflow/internal/DataFlowImpl4.qll
+++ b/csharp/ql/src/semmle/code/csharp/dataflow/internal/DataFlowImpl4.qll
@@ -3598,6 +3598,7 @@ private module FlowExploration {
       or
       exists(PartialPathNodeRev mid |
         revPartialPathStep(mid, node, sc1, sc2, ap, config) and
+        not clearsContent(node, ap.getHead()) and
         not fullBarrier(node, config) and
         distSink(node.getEnclosingCallable(), config) <= config.explorationLimit()
       )
@@ -3611,6 +3612,7 @@ private module FlowExploration {
     exists(PartialPathNodeFwd mid |
       partialPathStep(mid, node, cc, sc1, sc2, ap, config) and
       not fullBarrier(node, config) and
+      not clearsContent(node, ap.getHead().getContent()) and
       if node instanceof CastingNode
       then compatibleTypes(getNodeType(node), ap.getType())
       else any()
diff --git a/csharp/ql/src/semmle/code/csharp/dataflow/internal/DataFlowImpl5.qll b/csharp/ql/src/semmle/code/csharp/dataflow/internal/DataFlowImpl5.qll
index d9f5acdd279..59cc8d529a7 100644
--- a/csharp/ql/src/semmle/code/csharp/dataflow/internal/DataFlowImpl5.qll
+++ b/csharp/ql/src/semmle/code/csharp/dataflow/internal/DataFlowImpl5.qll
@@ -3598,6 +3598,7 @@ private module FlowExploration {
       or
       exists(PartialPathNodeRev mid |
         revPartialPathStep(mid, node, sc1, sc2, ap, config) and
+        not clearsContent(node, ap.getHead()) and
         not fullBarrier(node, config) and
         distSink(node.getEnclosingCallable(), config) <= config.explorationLimit()
       )
@@ -3611,6 +3612,7 @@ private module FlowExploration {
     exists(PartialPathNodeFwd mid |
       partialPathStep(mid, node, cc, sc1, sc2, ap, config) and
       not fullBarrier(node, config) and
+      not clearsContent(node, ap.getHead().getContent()) and
       if node instanceof CastingNode
       then compatibleTypes(getNodeType(node), ap.getType())
       else any()
diff --git a/java/ql/src/semmle/code/java/dataflow/internal/DataFlowImpl.qll b/java/ql/src/semmle/code/java/dataflow/internal/DataFlowImpl.qll
index d9f5acdd279..59cc8d529a7 100644
--- a/java/ql/src/semmle/code/java/dataflow/internal/DataFlowImpl.qll
+++ b/java/ql/src/semmle/code/java/dataflow/internal/DataFlowImpl.qll
@@ -3598,6 +3598,7 @@ private module FlowExploration {
       or
       exists(PartialPathNodeRev mid |
         revPartialPathStep(mid, node, sc1, sc2, ap, config) and
+        not clearsContent(node, ap.getHead()) and
         not fullBarrier(node, config) and
         distSink(node.getEnclosingCallable(), config) <= config.explorationLimit()
       )
@@ -3611,6 +3612,7 @@ private module FlowExploration {
     exists(PartialPathNodeFwd mid |
       partialPathStep(mid, node, cc, sc1, sc2, ap, config) and
       not fullBarrier(node, config) and
+      not clearsContent(node, ap.getHead().getContent()) and
       if node instanceof CastingNode
       then compatibleTypes(getNodeType(node), ap.getType())
       else any()
diff --git a/java/ql/src/semmle/code/java/dataflow/internal/DataFlowImpl2.qll b/java/ql/src/semmle/code/java/dataflow/internal/DataFlowImpl2.qll
index d9f5acdd279..59cc8d529a7 100644
--- a/java/ql/src/semmle/code/java/dataflow/internal/DataFlowImpl2.qll
+++ b/java/ql/src/semmle/code/java/dataflow/internal/DataFlowImpl2.qll
@@ -3598,6 +3598,7 @@ private module FlowExploration {
       or
       exists(PartialPathNodeRev mid |
         revPartialPathStep(mid, node, sc1, sc2, ap, config) and
+        not clearsContent(node, ap.getHead()) and
         not fullBarrier(node, config) and
         distSink(node.getEnclosingCallable(), config) <= config.explorationLimit()
       )
@@ -3611,6 +3612,7 @@ private module FlowExploration {
     exists(PartialPathNodeFwd mid |
       partialPathStep(mid, node, cc, sc1, sc2, ap, config) and
       not fullBarrier(node, config) and
+      not clearsContent(node, ap.getHead().getContent()) and
       if node instanceof CastingNode
       then compatibleTypes(getNodeType(node), ap.getType())
       else any()
diff --git a/java/ql/src/semmle/code/java/dataflow/internal/DataFlowImpl3.qll b/java/ql/src/semmle/code/java/dataflow/internal/DataFlowImpl3.qll
index d9f5acdd279..59cc8d529a7 100644
--- a/java/ql/src/semmle/code/java/dataflow/internal/DataFlowImpl3.qll
+++ b/java/ql/src/semmle/code/java/dataflow/internal/DataFlowImpl3.qll
@@ -3598,6 +3598,7 @@ private module FlowExploration {
       or
       exists(PartialPathNodeRev mid |
         revPartialPathStep(mid, node, sc1, sc2, ap, config) and
+        not clearsContent(node, ap.getHead()) and
         not fullBarrier(node, config) and
         distSink(node.getEnclosingCallable(), config) <= config.explorationLimit()
       )
@@ -3611,6 +3612,7 @@ private module FlowExploration {
     exists(PartialPathNodeFwd mid |
       partialPathStep(mid, node, cc, sc1, sc2, ap, config) and
       not fullBarrier(node, config) and
+      not clearsContent(node, ap.getHead().getContent()) and
       if node instanceof CastingNode
       then compatibleTypes(getNodeType(node), ap.getType())
       else any()
diff --git a/java/ql/src/semmle/code/java/dataflow/internal/DataFlowImpl4.qll b/java/ql/src/semmle/code/java/dataflow/internal/DataFlowImpl4.qll
index d9f5acdd279..59cc8d529a7 100644
--- a/java/ql/src/semmle/code/java/dataflow/internal/DataFlowImpl4.qll
+++ b/java/ql/src/semmle/code/java/dataflow/internal/DataFlowImpl4.qll
@@ -3598,6 +3598,7 @@ private module FlowExploration {
       or
       exists(PartialPathNodeRev mid |
         revPartialPathStep(mid, node, sc1, sc2, ap, config) and
+        not clearsContent(node, ap.getHead()) and
         not fullBarrier(node, config) and
         distSink(node.getEnclosingCallable(), config) <= config.explorationLimit()
       )
@@ -3611,6 +3612,7 @@ private module FlowExploration {
     exists(PartialPathNodeFwd mid |
       partialPathStep(mid, node, cc, sc1, sc2, ap, config) and
       not fullBarrier(node, config) and
+      not clearsContent(node, ap.getHead().getContent()) and
       if node instanceof CastingNode
       then compatibleTypes(getNodeType(node), ap.getType())
       else any()
diff --git a/java/ql/src/semmle/code/java/dataflow/internal/DataFlowImpl5.qll b/java/ql/src/semmle/code/java/dataflow/internal/DataFlowImpl5.qll
index d9f5acdd279..59cc8d529a7 100644
--- a/java/ql/src/semmle/code/java/dataflow/internal/DataFlowImpl5.qll
+++ b/java/ql/src/semmle/code/java/dataflow/internal/DataFlowImpl5.qll
@@ -3598,6 +3598,7 @@ private module FlowExploration {
       or
       exists(PartialPathNodeRev mid |
         revPartialPathStep(mid, node, sc1, sc2, ap, config) and
+        not clearsContent(node, ap.getHead()) and
         not fullBarrier(node, config) and
         distSink(node.getEnclosingCallable(), config) <= config.explorationLimit()
       )
@@ -3611,6 +3612,7 @@ private module FlowExploration {
     exists(PartialPathNodeFwd mid |
       partialPathStep(mid, node, cc, sc1, sc2, ap, config) and
       not fullBarrier(node, config) and
+      not clearsContent(node, ap.getHead().getContent()) and
       if node instanceof CastingNode
       then compatibleTypes(getNodeType(node), ap.getType())
       else any()
diff --git a/python/ql/src/semmle/python/dataflow/new/internal/DataFlowImpl.qll b/python/ql/src/semmle/python/dataflow/new/internal/DataFlowImpl.qll
index d9f5acdd279..59cc8d529a7 100644
--- a/python/ql/src/semmle/python/dataflow/new/internal/DataFlowImpl.qll
+++ b/python/ql/src/semmle/python/dataflow/new/internal/DataFlowImpl.qll
@@ -3598,6 +3598,7 @@ private module FlowExploration {
       or
       exists(PartialPathNodeRev mid |
         revPartialPathStep(mid, node, sc1, sc2, ap, config) and
+        not clearsContent(node, ap.getHead()) and
         not fullBarrier(node, config) and
         distSink(node.getEnclosingCallable(), config) <= config.explorationLimit()
       )
@@ -3611,6 +3612,7 @@ private module FlowExploration {
     exists(PartialPathNodeFwd mid |
       partialPathStep(mid, node, cc, sc1, sc2, ap, config) and
       not fullBarrier(node, config) and
+      not clearsContent(node, ap.getHead().getContent()) and
       if node instanceof CastingNode
       then compatibleTypes(getNodeType(node), ap.getType())
       else any()
diff --git a/python/ql/src/semmle/python/dataflow/new/internal/DataFlowImpl2.qll b/python/ql/src/semmle/python/dataflow/new/internal/DataFlowImpl2.qll
index d9f5acdd279..59cc8d529a7 100644
--- a/python/ql/src/semmle/python/dataflow/new/internal/DataFlowImpl2.qll
+++ b/python/ql/src/semmle/python/dataflow/new/internal/DataFlowImpl2.qll
@@ -3598,6 +3598,7 @@ private module FlowExploration {
       or
       exists(PartialPathNodeRev mid |
         revPartialPathStep(mid, node, sc1, sc2, ap, config) and
+        not clearsContent(node, ap.getHead()) and
         not fullBarrier(node, config) and
         distSink(node.getEnclosingCallable(), config) <= config.explorationLimit()
       )
@@ -3611,6 +3612,7 @@ private module FlowExploration {
     exists(PartialPathNodeFwd mid |
       partialPathStep(mid, node, cc, sc1, sc2, ap, config) and
       not fullBarrier(node, config) and
+      not clearsContent(node, ap.getHead().getContent()) and
       if node instanceof CastingNode
       then compatibleTypes(getNodeType(node), ap.getType())
       else any()
diff --git a/python/ql/src/semmle/python/dataflow/new/internal/DataFlowImpl3.qll b/python/ql/src/semmle/python/dataflow/new/internal/DataFlowImpl3.qll
index d9f5acdd279..59cc8d529a7 100644
--- a/python/ql/src/semmle/python/dataflow/new/internal/DataFlowImpl3.qll
+++ b/python/ql/src/semmle/python/dataflow/new/internal/DataFlowImpl3.qll
@@ -3598,6 +3598,7 @@ private module FlowExploration {
       or
       exists(PartialPathNodeRev mid |
         revPartialPathStep(mid, node, sc1, sc2, ap, config) and
+        not clearsContent(node, ap.getHead()) and
         not fullBarrier(node, config) and
         distSink(node.getEnclosingCallable(), config) <= config.explorationLimit()
       )
@@ -3611,6 +3612,7 @@ private module FlowExploration {
     exists(PartialPathNodeFwd mid |
       partialPathStep(mid, node, cc, sc1, sc2, ap, config) and
       not fullBarrier(node, config) and
+      not clearsContent(node, ap.getHead().getContent()) and
       if node instanceof CastingNode
       then compatibleTypes(getNodeType(node), ap.getType())
       else any()
diff --git a/python/ql/src/semmle/python/dataflow/new/internal/DataFlowImpl4.qll b/python/ql/src/semmle/python/dataflow/new/internal/DataFlowImpl4.qll
index d9f5acdd279..59cc8d529a7 100644
--- a/python/ql/src/semmle/python/dataflow/new/internal/DataFlowImpl4.qll
+++ b/python/ql/src/semmle/python/dataflow/new/internal/DataFlowImpl4.qll
@@ -3598,6 +3598,7 @@ private module FlowExploration {
       or
       exists(PartialPathNodeRev mid |
         revPartialPathStep(mid, node, sc1, sc2, ap, config) and
+        not clearsContent(node, ap.getHead()) and
         not fullBarrier(node, config) and
         distSink(node.getEnclosingCallable(), config) <= config.explorationLimit()
       )
@@ -3611,6 +3612,7 @@ private module FlowExploration {
     exists(PartialPathNodeFwd mid |
       partialPathStep(mid, node, cc, sc1, sc2, ap, config) and
       not fullBarrier(node, config) and
+      not clearsContent(node, ap.getHead().getContent()) and
       if node instanceof CastingNode
       then compatibleTypes(getNodeType(node), ap.getType())
       else any()

From 3b4357792bdb194e31918fbd007e366a43aac34b Mon Sep 17 00:00:00 2001
From: =?UTF-8?q?Alvaro=20Mun=CC=83oz?= <alvaro@pwntester.com>
Date: Wed, 10 Feb 2021 12:21:48 +0100
Subject: [PATCH 261/429] Remove sanitizing condition which does not prevent
 vulnerability.

---
 .../ql/src/semmle/code/java/frameworks/SnakeYaml.qll | 12 +-----------
 1 file changed, 1 insertion(+), 11 deletions(-)

diff --git a/java/ql/src/semmle/code/java/frameworks/SnakeYaml.qll b/java/ql/src/semmle/code/java/frameworks/SnakeYaml.qll
index 5c277b7200b..04b3be0a3dc 100644
--- a/java/ql/src/semmle/code/java/frameworks/SnakeYaml.qll
+++ b/java/ql/src/semmle/code/java/frameworks/SnakeYaml.qll
@@ -7,13 +7,6 @@ import semmle.code.java.dataflow.DataFlow
 import semmle.code.java.dataflow.DataFlow2
 import semmle.code.java.dataflow.DataFlow3
 
-/**
- * The class `org.yaml.snakeyaml.constructor.Constructor`.
- */
-class SnakeYamlConstructor extends RefType {
-  SnakeYamlConstructor() { this.hasQualifiedName("org.yaml.snakeyaml.constructor", "Constructor") }
-}
-
 /**
  * The class `org.yaml.snakeyaml.constructor.SafeConstructor`.
  */
@@ -24,14 +17,11 @@ class SnakeYamlSafeConstructor extends RefType {
 }
 
 /**
- * An instance of `SafeConstructor` or a `Constructor` that only allows the type that is passed into its argument.
+ * An instance of `SafeConstructor`
  */
 class SafeSnakeYamlConstruction extends ClassInstanceExpr {
   SafeSnakeYamlConstruction() {
     this.getConstructedType() instanceof SnakeYamlSafeConstructor
-    or
-    this.getConstructedType() instanceof SnakeYamlConstructor and
-    this.getNumArgument() > 0
   }
 }
 

From 0cf3a29429dacc1e0876d1198b71ec1b5aaa7e7a Mon Sep 17 00:00:00 2001
From: =?UTF-8?q?Alvaro=20Mun=CC=83oz?= <alvaro@pwntester.com>
Date: Wed, 10 Feb 2021 13:09:57 +0100
Subject: [PATCH 262/429] Add support for Apache Commons Lang ArrayUtils

---
 .../code/java/frameworks/apache/Lang.qll      | 49 +++++++++++++++----
 1 file changed, 40 insertions(+), 9 deletions(-)

diff --git a/java/ql/src/semmle/code/java/frameworks/apache/Lang.qll b/java/ql/src/semmle/code/java/frameworks/apache/Lang.qll
index dcf91b36132..e31b2e30861 100644
--- a/java/ql/src/semmle/code/java/frameworks/apache/Lang.qll
+++ b/java/ql/src/semmle/code/java/frameworks/apache/Lang.qll
@@ -1,27 +1,58 @@
 /** Definitions related to the Apache Commons Lang library. */
 
 import java
+private import semmle.code.java.dataflow.FlowSteps
 
-/*--- Types ---*/
-/** The class `org.apache.commons.lang.RandomStringUtils` or `org.apache.commons.lang3.RandomStringUtils`. */
+/** 
+ * The class `org.apache.commons.lang.RandomStringUtils` or `org.apache.commons.lang3.RandomStringUtils`. 
+ */
 class TypeApacheRandomStringUtils extends Class {
   TypeApacheRandomStringUtils() {
-    hasQualifiedName("org.apache.commons.lang", "RandomStringUtils") or
-    hasQualifiedName("org.apache.commons.lang3", "RandomStringUtils")
+    this.hasQualifiedName(["org.apache.commons.lang", "org.apache.commons.lang3"], "RandomStringUtils")
+  }
+}
+
+/** 
+ * The class `org.apache.commons.lang.ArrayUtils` or `org.apache.commons.lang3.ArrayUtils`. 
+ */
+class TypeApacheArrayUtils extends Class {
+  TypeApacheArrayUtils() {
+    hasQualifiedName(["org.apache.commons.lang", "org.apache.commons.lang3"], "ArrayUtils")
   }
 }
 
-/*--- Methods ---*/
 /**
  * The method `deserialize` in either `org.apache.commons.lang.SerializationUtils`
  * or `org.apache.commons.lang3.SerializationUtils`.
  */
 class MethodApacheSerializationUtilsDeserialize extends Method {
   MethodApacheSerializationUtilsDeserialize() {
-    (
-      this.getDeclaringType().hasQualifiedName("org.apache.commons.lang", "SerializationUtils") or
-      this.getDeclaringType().hasQualifiedName("org.apache.commons.lang3", "SerializationUtils")
-    ) and
+    this.getDeclaringType().hasQualifiedName(["org.apache.commons.lang", "org.apache.commons.lang3"], "SerializationUtils") and
     this.hasName("deserialize")
   }
 }
+
+/**
+ * A taint preserving method on `org.apache.commons.lang.ArrayUtils` or `org.apache.commons.lang3.ArrayUtils`
+ */
+private class ApacheLangArrayUtilsTaintPreservingMethod extends TaintPreservingCallable {
+  ApacheLangArrayUtilsTaintPreservingMethod() {
+    this.getDeclaringType() instanceof TypeApacheArrayUtils
+  }
+
+  override predicate returnsTaintFrom(int src) {
+    this.hasName(["addAll", "addFirst"]) and
+    src = [0 .. getNumberOfParameters()]
+    or
+    this.hasName(["clone", "nullToEmpty", "remove", "removeAll", "removeElement", "removeElements", "reverse", "shift", "shuffle", "subarray", "swap", "toArray", "toMap", "toObject", "toPrimitive", "toString", "toStringArray"]) and
+    src = 0
+    or
+    this.hasName("add") and
+    this.getNumberOfParameters() = 2 and
+    src = [0,1,2]
+    or
+    this.hasName("add") and
+    this.getNumberOfParameters() = 3 and
+    src = [0, 2]
+  }
+}

From 645b021845e4a2f8b36379d1bdec9c1f707e4234 Mon Sep 17 00:00:00 2001
From: =?UTF-8?q?Alvaro=20Mun=CC=83oz?= <alvaro@pwntester.com>
Date: Wed, 10 Feb 2021 13:20:29 +0100
Subject: [PATCH 263/429] Add support for the Preconditions Class in the Guava
 framework

---
 .../code/java/frameworks/guava/Guava.qll      |  1 +
 .../java/frameworks/guava/Preconditions.qll   | 23 +++++++++++++++++++
 2 files changed, 24 insertions(+)
 create mode 100644 java/ql/src/semmle/code/java/frameworks/guava/Preconditions.qll

diff --git a/java/ql/src/semmle/code/java/frameworks/guava/Guava.qll b/java/ql/src/semmle/code/java/frameworks/guava/Guava.qll
index 547a920d749..c6bdf0ea9b9 100644
--- a/java/ql/src/semmle/code/java/frameworks/guava/Guava.qll
+++ b/java/ql/src/semmle/code/java/frameworks/guava/Guava.qll
@@ -5,3 +5,4 @@
 import java
 import StringUtils
 import Collections
+import Preconditions
diff --git a/java/ql/src/semmle/code/java/frameworks/guava/Preconditions.qll b/java/ql/src/semmle/code/java/frameworks/guava/Preconditions.qll
new file mode 100644
index 00000000000..f9fce517988
--- /dev/null
+++ b/java/ql/src/semmle/code/java/frameworks/guava/Preconditions.qll
@@ -0,0 +1,23 @@
+/** Definitions of flow steps through the Preconditions class in the Guava framework. */
+
+import java
+private import semmle.code.java.dataflow.FlowSteps
+
+/**
+ * The class `com.google.common.base.Preconditions`.
+ */
+class TypeGuavaPreconditions extends Class {
+  TypeGuavaPreconditions() { this.hasQualifiedName("com.google.common.base", "Preconditions") }
+}
+
+/**
+ * A method that returns its argumnets.
+ */
+private class GuavaPreconditionsMethod extends TaintPreservingCallable {
+  GuavaPreconditionsMethod() {
+    this.getDeclaringType() instanceof TypeGuavaPreconditions and
+    this.hasName("checkNotNull")
+  }
+
+  override predicate returnsTaintFrom(int src) { src = 0 }
+}

From 5c82ff83ded47c67bbf5e4ae0e33da569ac73eff Mon Sep 17 00:00:00 2001
From: intrigus <abc123zeus@live.de>
Date: Wed, 10 Feb 2021 13:57:51 +0100
Subject: [PATCH 264/429] Java: Fix qhelp, fix CWE reference

---
 .../Security/CWE/CWE-295/JxBrowserWithoutCertValidation.qhelp  | 3 +--
 .../Security/CWE/CWE-295/JxBrowserWithoutCertValidation.ql     | 2 +-
 2 files changed, 2 insertions(+), 3 deletions(-)

diff --git a/java/ql/src/experimental/Security/CWE/CWE-295/JxBrowserWithoutCertValidation.qhelp b/java/ql/src/experimental/Security/CWE/CWE-295/JxBrowserWithoutCertValidation.qhelp
index 38b37901c0c..7327573b8ba 100644
--- a/java/ql/src/experimental/Security/CWE/CWE-295/JxBrowserWithoutCertValidation.qhelp
+++ b/java/ql/src/experimental/Security/CWE/CWE-295/JxBrowserWithoutCertValidation.qhelp
@@ -10,13 +10,12 @@ Versions smaller than 6.24 by default ignore any HTTPS certificate errors thereb
 </overview>
 
 <recommendation>
-<p>Do either of these:
+<p>Do either of these:</p>
 <ul>
   <li>Update to version 6.24 or 7.x.x as these correctly reject certificate errors by default.</li>
   <li>Add a custom implementation of the <code>LoadHandler</code> interface whose <code>onCertificateError</code> method always returns <b>true</b> indicating that loading should be cancelled.
   Then use the <code>setLoadHandler</code> method with your custom <code>LoadHandler</code> on every <code>Browser</code> you use.</li>
 </ul>
-</p>
 </recommendation>
 
 <example>
diff --git a/java/ql/src/experimental/Security/CWE/CWE-295/JxBrowserWithoutCertValidation.ql b/java/ql/src/experimental/Security/CWE/CWE-295/JxBrowserWithoutCertValidation.ql
index 4046f4e9606..aecffaf3f3b 100644
--- a/java/ql/src/experimental/Security/CWE/CWE-295/JxBrowserWithoutCertValidation.ql
+++ b/java/ql/src/experimental/Security/CWE/CWE-295/JxBrowserWithoutCertValidation.ql
@@ -4,7 +4,7 @@
  * @kind problem
  * @id java/jxbrowser/disabled-certificate-validation
  * @tags security
- *       external/cwe-295
+ *       external/cwe/cwe-295
  */
 
 import java

From 44ca2e26a64cea5e5495e8fbbf64562a2839492e Mon Sep 17 00:00:00 2001
From: Erik Krogh Kristensen <erik-krogh@github.com>
Date: Thu, 4 Feb 2021 17:08:18 +0100
Subject: [PATCH 265/429] add taint-step to XML parsers

---
 .../javascript/frameworks/XmlParsers.qll      | 25 ++++++++++++++++---
 .../TaintTracking/BasicTaintTracking.expected |  1 +
 .../test/library-tests/TaintTracking/xml.js   | 10 ++++++++
 3 files changed, 33 insertions(+), 3 deletions(-)
 create mode 100644 javascript/ql/test/library-tests/TaintTracking/xml.js

diff --git a/javascript/ql/src/semmle/javascript/frameworks/XmlParsers.qll b/javascript/ql/src/semmle/javascript/frameworks/XmlParsers.qll
index 060fa62ee76..3a78bda7b1a 100644
--- a/javascript/ql/src/semmle/javascript/frameworks/XmlParsers.qll
+++ b/javascript/ql/src/semmle/javascript/frameworks/XmlParsers.qll
@@ -25,6 +25,9 @@ module XML {
 
     /** Holds if this call to the XML parser resolves entities of the given `kind`. */
     abstract predicate resolvesEntities(EntityKind kind);
+
+    /** Gets a reference to a value resulting from parsing the XML. */
+    js::DataFlow::Node getAResult() { none() }
   }
 
   /**
@@ -98,10 +101,11 @@ module XML {
    * An invocation of `expat.Parser.parse` or `expat.Parser.write`.
    */
   class ExpatParserInvocation extends ParserInvocation {
+    js::DataFlow::NewNode parser;
+
     ExpatParserInvocation() {
-      exists(string m | m = "parse" or m = "write" |
-        this = moduleMethodCall("node-expat", "Parser", m)
-      )
+      parser = js::DataFlow::moduleMember("node-expat", "Parser").getAnInstantiation() and
+      this = parser.getAMemberCall(["parse", "write"]).asExpr()
     }
 
     override js::Expr getSourceArgument() { result = getArgument(0) }
@@ -110,6 +114,10 @@ module XML {
       // only internal entities are resolved by default
       kind = InternalEntity()
     }
+
+    override js::DataFlow::Node getAResult() {
+      result = parser.getAMemberCall("on").getABoundCallbackParameter(1, _)
+    }
   }
 
   /**
@@ -160,4 +168,15 @@ module XML {
 
     override predicate resolvesEntities(XML::EntityKind kind) { kind = InternalEntity() }
   }
+
+  private class XMLParserTaintStep extends js::TaintTracking::AdditionalTaintStep {
+    XML::ParserInvocation parser;
+
+    XMLParserTaintStep() { this.asExpr() = parser }
+
+    override predicate step(js::DataFlow::Node pred, js::DataFlow::Node succ) {
+      pred.asExpr() = parser.getSourceArgument() and
+      succ = parser.getAResult()
+    }
+  }
 }
diff --git a/javascript/ql/test/library-tests/TaintTracking/BasicTaintTracking.expected b/javascript/ql/test/library-tests/TaintTracking/BasicTaintTracking.expected
index 24fcbb5a6ef..3af34b132d0 100644
--- a/javascript/ql/test/library-tests/TaintTracking/BasicTaintTracking.expected
+++ b/javascript/ql/test/library-tests/TaintTracking/BasicTaintTracking.expected
@@ -145,3 +145,4 @@ typeInferenceMismatch
 | tst.js:2:13:2:20 | source() | tst.js:45:10:45:24 | x.map(x2 => x2) |
 | tst.js:2:13:2:20 | source() | tst.js:47:10:47:30 | Buffer. ...  'hex') |
 | tst.js:2:13:2:20 | source() | tst.js:48:10:48:22 | new Buffer(x) |
+| xml.js:5:18:5:25 | source() | xml.js:8:14:8:17 | text |
diff --git a/javascript/ql/test/library-tests/TaintTracking/xml.js b/javascript/ql/test/library-tests/TaintTracking/xml.js
new file mode 100644
index 00000000000..d7e25268493
--- /dev/null
+++ b/javascript/ql/test/library-tests/TaintTracking/xml.js
@@ -0,0 +1,10 @@
+(function () {
+    var Parser = require("node-expat").Parser
+    var parser = new Parser();
+
+    parser.write(source());
+
+    parser.on("text", text => {
+        sink(text); // NOT OK
+    });
+})();
\ No newline at end of file

From c43025d7b3a741a5ba652013841807ce0f9343a8 Mon Sep 17 00:00:00 2001
From: Erik Krogh Kristensen <erik-krogh@github.com>
Date: Thu, 4 Feb 2021 17:32:14 +0100
Subject: [PATCH 266/429] add model for xml2js

---
 .../javascript/frameworks/XmlParsers.qll      | 25 +++++++++++++++++++
 .../TaintTracking/BasicTaintTracking.expected |  1 +
 .../test/library-tests/TaintTracking/xml.js   |  5 ++++
 3 files changed, 31 insertions(+)

diff --git a/javascript/ql/src/semmle/javascript/frameworks/XmlParsers.qll b/javascript/ql/src/semmle/javascript/frameworks/XmlParsers.qll
index 3a78bda7b1a..c9f2b993a5c 100644
--- a/javascript/ql/src/semmle/javascript/frameworks/XmlParsers.qll
+++ b/javascript/ql/src/semmle/javascript/frameworks/XmlParsers.qll
@@ -169,6 +169,31 @@ module XML {
     override predicate resolvesEntities(XML::EntityKind kind) { kind = InternalEntity() }
   }
 
+  /**
+   * An invocation of `xml2js`.
+   */
+  private class Xml2JSInvocation extends XML::ParserInvocation {
+    js::DataFlow::CallNode call;
+
+    Xml2JSInvocation() {
+      exists(js::API::Node imp | imp = js::API::moduleImport("xml2js") |
+        call = [imp, imp.getMember("Parser").getInstance()].getMember("parseString").getACall() and
+        this = call.asExpr()
+      )
+    }
+
+    override js::Expr getSourceArgument() { result = getArgument(0) }
+
+    override predicate resolvesEntities(XML::EntityKind kind) {
+      // sax-js (the parser used) does not expand entities.
+      none()
+    }
+
+    override js::DataFlow::Node getAResult() {
+      result = call.getABoundCallbackParameter(call.getNumArgument() - 1, 1)
+    }
+  }
+
   private class XMLParserTaintStep extends js::TaintTracking::AdditionalTaintStep {
     XML::ParserInvocation parser;
 
diff --git a/javascript/ql/test/library-tests/TaintTracking/BasicTaintTracking.expected b/javascript/ql/test/library-tests/TaintTracking/BasicTaintTracking.expected
index 3af34b132d0..8b2453a3cb1 100644
--- a/javascript/ql/test/library-tests/TaintTracking/BasicTaintTracking.expected
+++ b/javascript/ql/test/library-tests/TaintTracking/BasicTaintTracking.expected
@@ -146,3 +146,4 @@ typeInferenceMismatch
 | tst.js:2:13:2:20 | source() | tst.js:47:10:47:30 | Buffer. ...  'hex') |
 | tst.js:2:13:2:20 | source() | tst.js:48:10:48:22 | new Buffer(x) |
 | xml.js:5:18:5:25 | source() | xml.js:8:14:8:17 | text |
+| xml.js:12:17:12:24 | source() | xml.js:13:14:13:19 | result |
diff --git a/javascript/ql/test/library-tests/TaintTracking/xml.js b/javascript/ql/test/library-tests/TaintTracking/xml.js
index d7e25268493..25e733c8fab 100644
--- a/javascript/ql/test/library-tests/TaintTracking/xml.js
+++ b/javascript/ql/test/library-tests/TaintTracking/xml.js
@@ -7,4 +7,9 @@
     parser.on("text", text => {
         sink(text); // NOT OK
     });
+
+    var parseString = require('xml2js').parseString;
+    parseString(source(), function (err, result) {
+        sink(result); // NOT OK
+    });
 })();
\ No newline at end of file

From 73f7cd149f149d635384e419f186f7c6d49234c8 Mon Sep 17 00:00:00 2001
From: Erik Krogh Kristensen <erik-krogh@github.com>
Date: Thu, 4 Feb 2021 17:50:49 +0100
Subject: [PATCH 267/429] add model for `sax`

---
 .../javascript/frameworks/XmlParsers.qll      | 32 +++++++++++++++++++
 .../TaintTracking/BasicTaintTracking.expected |  1 +
 .../test/library-tests/TaintTracking/xml.js   | 10 ++++++
 3 files changed, 43 insertions(+)

diff --git a/javascript/ql/src/semmle/javascript/frameworks/XmlParsers.qll b/javascript/ql/src/semmle/javascript/frameworks/XmlParsers.qll
index c9f2b993a5c..de203a88f04 100644
--- a/javascript/ql/src/semmle/javascript/frameworks/XmlParsers.qll
+++ b/javascript/ql/src/semmle/javascript/frameworks/XmlParsers.qll
@@ -194,6 +194,38 @@ module XML {
     }
   }
 
+  /**
+   * An invocation of `sax`.
+   */
+  private class SaxInvocation extends XML::ParserInvocation {
+    js::DataFlow::InvokeNode parser;
+
+    SaxInvocation() {
+      exists(js::API::Node imp | imp = js::API::moduleImport("sax") |
+        parser = imp.getMember("parser").getACall()
+        or
+        parser = imp.getMember("SAXParser").getAnInstantiation()
+      ) and
+      this = parser.getAMemberCall("write").asExpr()
+    }
+
+    override js::Expr getSourceArgument() { result = getArgument(0) }
+
+    override predicate resolvesEntities(XML::EntityKind kind) {
+      // sax-js does not expand entities.
+      none()
+    }
+
+    override js::DataFlow::Node getAResult() {
+      result =
+        parser
+            .getAPropertyWrite(any(string s | s.matches("on%")))
+            .getRhs()
+            .getAFunctionValue()
+            .getAParameter()
+    }
+  }
+
   private class XMLParserTaintStep extends js::TaintTracking::AdditionalTaintStep {
     XML::ParserInvocation parser;
 
diff --git a/javascript/ql/test/library-tests/TaintTracking/BasicTaintTracking.expected b/javascript/ql/test/library-tests/TaintTracking/BasicTaintTracking.expected
index 8b2453a3cb1..39a370ecf71 100644
--- a/javascript/ql/test/library-tests/TaintTracking/BasicTaintTracking.expected
+++ b/javascript/ql/test/library-tests/TaintTracking/BasicTaintTracking.expected
@@ -147,3 +147,4 @@ typeInferenceMismatch
 | tst.js:2:13:2:20 | source() | tst.js:48:10:48:22 | new Buffer(x) |
 | xml.js:5:18:5:25 | source() | xml.js:8:14:8:17 | text |
 | xml.js:12:17:12:24 | source() | xml.js:13:14:13:19 | result |
+| xml.js:23:18:23:25 | source() | xml.js:20:14:20:17 | attr |
diff --git a/javascript/ql/test/library-tests/TaintTracking/xml.js b/javascript/ql/test/library-tests/TaintTracking/xml.js
index 25e733c8fab..a603f3d1c0e 100644
--- a/javascript/ql/test/library-tests/TaintTracking/xml.js
+++ b/javascript/ql/test/library-tests/TaintTracking/xml.js
@@ -12,4 +12,14 @@
     parseString(source(), function (err, result) {
         sink(result); // NOT OK
     });
+
+    var sax = require("sax");
+    var parser = sax.parser(strict);
+    
+    parser.onattribute = function (attr) {
+        sink(attr); // NOT OK
+    };
+    
+    parser.write(source()).close();
+
 })();
\ No newline at end of file

From e2a66bf3ed5474f6b84528126754b4ba5bb9cc48 Mon Sep 17 00:00:00 2001
From: Erik Krogh Kristensen <erik-krogh@github.com>
Date: Thu, 4 Feb 2021 18:16:19 +0100
Subject: [PATCH 268/429] add model for `xml-js`

---
 .../javascript/frameworks/XmlParsers.qll      | 21 +++++++++++++++++++
 .../TaintTracking/BasicTaintTracking.expected |  1 +
 .../test/library-tests/TaintTracking/xml.js   |  3 +++
 3 files changed, 25 insertions(+)

diff --git a/javascript/ql/src/semmle/javascript/frameworks/XmlParsers.qll b/javascript/ql/src/semmle/javascript/frameworks/XmlParsers.qll
index de203a88f04..4a9c670ba37 100644
--- a/javascript/ql/src/semmle/javascript/frameworks/XmlParsers.qll
+++ b/javascript/ql/src/semmle/javascript/frameworks/XmlParsers.qll
@@ -226,6 +226,27 @@ module XML {
     }
   }
 
+  /**
+   * An invocation of `xml-js`.
+   */
+  private class XmlJSInvocation extends XML::ParserInvocation {
+    XmlJSInvocation() {
+      this =
+        js::DataFlow::moduleMember("xml-js", ["xml2json", "xml2js", "json2xml", "js2xml"])
+            .getACall()
+            .asExpr()
+    }
+
+    override js::Expr getSourceArgument() { result = getArgument(0) }
+
+    override predicate resolvesEntities(XML::EntityKind kind) {
+      // xml-js does not expand custom entities.
+      none()
+    }
+
+    override js::DataFlow::Node getAResult() { result.asExpr() = this }
+  }
+
   private class XMLParserTaintStep extends js::TaintTracking::AdditionalTaintStep {
     XML::ParserInvocation parser;
 
diff --git a/javascript/ql/test/library-tests/TaintTracking/BasicTaintTracking.expected b/javascript/ql/test/library-tests/TaintTracking/BasicTaintTracking.expected
index 39a370ecf71..ab48576b374 100644
--- a/javascript/ql/test/library-tests/TaintTracking/BasicTaintTracking.expected
+++ b/javascript/ql/test/library-tests/TaintTracking/BasicTaintTracking.expected
@@ -148,3 +148,4 @@ typeInferenceMismatch
 | xml.js:5:18:5:25 | source() | xml.js:8:14:8:17 | text |
 | xml.js:12:17:12:24 | source() | xml.js:13:14:13:19 | result |
 | xml.js:23:18:23:25 | source() | xml.js:20:14:20:17 | attr |
+| xml.js:26:27:26:34 | source() | xml.js:26:10:26:39 | convert ... (), {}) |
diff --git a/javascript/ql/test/library-tests/TaintTracking/xml.js b/javascript/ql/test/library-tests/TaintTracking/xml.js
index a603f3d1c0e..44989e7a733 100644
--- a/javascript/ql/test/library-tests/TaintTracking/xml.js
+++ b/javascript/ql/test/library-tests/TaintTracking/xml.js
@@ -22,4 +22,7 @@
     
     parser.write(source()).close();
 
+    var convert = require('xml-js');
+    sink(convert.xml2json(source(), {})); // NOT OK
+
 })();
\ No newline at end of file

From 0ca231059474c1535e3fd19898acb46dd463ff80 Mon Sep 17 00:00:00 2001
From: Erik Krogh Kristensen <erik-krogh@github.com>
Date: Thu, 4 Feb 2021 18:26:24 +0100
Subject: [PATCH 269/429] add model for htmlparser2

---
 .../javascript/frameworks/XmlParsers.qll      | 29 +++++++++++++++++++
 .../TaintTracking/BasicTaintTracking.expected |  1 +
 .../test/library-tests/TaintTracking/xml.js   |  9 ++++++
 3 files changed, 39 insertions(+)

diff --git a/javascript/ql/src/semmle/javascript/frameworks/XmlParsers.qll b/javascript/ql/src/semmle/javascript/frameworks/XmlParsers.qll
index 4a9c670ba37..80c2ff8a608 100644
--- a/javascript/ql/src/semmle/javascript/frameworks/XmlParsers.qll
+++ b/javascript/ql/src/semmle/javascript/frameworks/XmlParsers.qll
@@ -247,6 +247,35 @@ module XML {
     override js::DataFlow::Node getAResult() { result.asExpr() = this }
   }
 
+  /**
+   * An invocation of `htmlparser2`.
+   */
+  private class HtmlParser2Invocation extends XML::ParserInvocation {
+    js::DataFlow::NewNode parser;
+
+    HtmlParser2Invocation() {
+      parser = js::DataFlow::moduleMember("htmlparser2", "Parser").getAnInstantiation() and
+      this = parser.getAMemberCall("write").asExpr()
+    }
+
+    override js::Expr getSourceArgument() { result = getArgument(0) }
+
+    override predicate resolvesEntities(XML::EntityKind kind) {
+      // htmlparser2 does not expand entities.
+      none()
+    }
+
+    override js::DataFlow::Node getAResult() {
+      result =
+        parser
+            .getArgument(0)
+            .getALocalSource()
+            .getAPropertySource()
+            .getAFunctionValue()
+            .getAParameter()
+    }
+  }
+
   private class XMLParserTaintStep extends js::TaintTracking::AdditionalTaintStep {
     XML::ParserInvocation parser;
 
diff --git a/javascript/ql/test/library-tests/TaintTracking/BasicTaintTracking.expected b/javascript/ql/test/library-tests/TaintTracking/BasicTaintTracking.expected
index ab48576b374..c98e9ad7e79 100644
--- a/javascript/ql/test/library-tests/TaintTracking/BasicTaintTracking.expected
+++ b/javascript/ql/test/library-tests/TaintTracking/BasicTaintTracking.expected
@@ -149,3 +149,4 @@ typeInferenceMismatch
 | xml.js:12:17:12:24 | source() | xml.js:13:14:13:19 | result |
 | xml.js:23:18:23:25 | source() | xml.js:20:14:20:17 | attr |
 | xml.js:26:27:26:34 | source() | xml.js:26:10:26:39 | convert ... (), {}) |
+| xml.js:34:18:34:25 | source() | xml.js:31:18:31:21 | name |
diff --git a/javascript/ql/test/library-tests/TaintTracking/xml.js b/javascript/ql/test/library-tests/TaintTracking/xml.js
index 44989e7a733..8e3785d4a2b 100644
--- a/javascript/ql/test/library-tests/TaintTracking/xml.js
+++ b/javascript/ql/test/library-tests/TaintTracking/xml.js
@@ -25,4 +25,13 @@
     var convert = require('xml-js');
     sink(convert.xml2json(source(), {})); // NOT OK
 
+    const htmlparser2 = require("htmlparser2");
+    const parser = new htmlparser2.Parser({
+        onopentag(name, attributes) {
+            sink(name) // NOT OK
+        }
+    });
+    parser.write(source());
+    parser.end();
+
 })();
\ No newline at end of file

From 4969a1ef4fee604b4eca05aab08f32f6333904de Mon Sep 17 00:00:00 2001
From: Erik Krogh Kristensen <erik-krogh@github.com>
Date: Mon, 8 Feb 2021 17:34:36 +0100
Subject: [PATCH 270/429] add change note

---
 javascript/change-notes/2021-02-08-xml-parser-taint.md | 8 ++++++++
 1 file changed, 8 insertions(+)
 create mode 100644 javascript/change-notes/2021-02-08-xml-parser-taint.md

diff --git a/javascript/change-notes/2021-02-08-xml-parser-taint.md b/javascript/change-notes/2021-02-08-xml-parser-taint.md
new file mode 100644
index 00000000000..ab59b4f3b92
--- /dev/null
+++ b/javascript/change-notes/2021-02-08-xml-parser-taint.md
@@ -0,0 +1,8 @@
+lgtm,codescanning
+* The security queries now track taint through XML parsers. 
+  Affected packages are
+    [xml2js](https://www.npmjs.com/package/xml2js) and
+    [sax](https://www.npmjs.com/package/sax) and
+    [xml-js](https://www.npmjs.com/package/xml-js) and
+    [htmlparser2](https://www.npmjs.com/package/htmlparser2) and
+    [node-expat](https://www.npmjs.com/package/node-expat)

From d1087d4e41a017558daa46be2ffb1f471200ca6d Mon Sep 17 00:00:00 2001
From: Erik Krogh Kristensen <erik-krogh@github.com>
Date: Sat, 6 Feb 2021 23:24:33 +0100
Subject: [PATCH 271/429] move sources from XssThroughDom into a customizations
 file

---
 .../security/dataflow/XssThroughDom.qll       | 86 +---------------
 .../dataflow/XssThroughDomCustomizations.qll  | 99 +++++++++++++++++++
 2 files changed, 100 insertions(+), 85 deletions(-)
 create mode 100644 javascript/ql/src/semmle/javascript/security/dataflow/XssThroughDomCustomizations.qll

diff --git a/javascript/ql/src/semmle/javascript/security/dataflow/XssThroughDom.qll b/javascript/ql/src/semmle/javascript/security/dataflow/XssThroughDom.qll
index 8c3157fcce4..f0f3c9d973c 100644
--- a/javascript/ql/src/semmle/javascript/security/dataflow/XssThroughDom.qll
+++ b/javascript/ql/src/semmle/javascript/security/dataflow/XssThroughDom.qll
@@ -11,8 +11,8 @@ private import semmle.javascript.dataflow.InferredTypes
  */
 module XssThroughDom {
   import Xss::XssThroughDom
+  private import XssThroughDomCustomizations::XssThroughDom
   private import semmle.javascript.security.dataflow.Xss::DomBasedXss as DomBasedXss
-  private import semmle.javascript.dataflow.InferredTypes
   private import semmle.javascript.security.dataflow.UnsafeJQueryPluginCustomizations::UnsafeJQueryPlugin as UnsafeJQuery
 
   /**
@@ -40,88 +40,4 @@ module XssThroughDom {
       DomBasedXss::isOptionallySanitizedEdge(pred, succ)
     }
   }
-
-  /**
-   * Gets an attribute name that could store user-controlled data.
-   *
-   * Attributes such as "id", "href", and "src" are often used as input to HTML.
-   * However, they are either rarely controlable by a user, or already a sink for other XSS vulnerabilities.
-   * Such attributes are therefore ignored.
-   */
-  bindingset[result]
-  string unsafeAttributeName() {
-    result.regexpMatch("data-.*") or
-    result.regexpMatch("aria-.*") or
-    result = ["name", "value", "title", "alt"]
-  }
-
-  /**
-   * A source for text from the DOM from a JQuery method call.
-   */
-  class JQueryTextSource extends Source, JQuery::MethodCall {
-    JQueryTextSource() {
-      (
-        this.getMethodName() = ["text", "val"] and this.getNumArgument() = 0
-        or
-        this.getMethodName() = "attr" and
-        this.getNumArgument() = 1 and
-        forex(InferredType t | t = this.getArgument(0).analyze().getAType() | t = TTString()) and
-        this.getArgument(0).mayHaveStringValue(unsafeAttributeName())
-      ) and
-      // looks like a $("<p>" + ... ) source, which is benign for this query.
-      not exists(DataFlow::Node prefix |
-        DomBasedXss::isPrefixOfJQueryHtmlString(this.getReceiver()
-              .(DataFlow::CallNode)
-              .getAnArgument(), prefix)
-      |
-        prefix.getStringValue().regexpMatch("\\s*<.*")
-      )
-    }
-  }
-
-  /**
-   * A source for text from the DOM from a DOM property read or call to `getAttribute()`.
-   */
-  class DOMTextSource extends Source {
-    DOMTextSource() {
-      exists(DataFlow::PropRead read | read = this |
-        read.getBase().getALocalSource() = DOM::domValueRef() and
-        read.mayHavePropertyName(["innerText", "textContent", "value", "name"])
-      )
-      or
-      exists(DataFlow::MethodCallNode mcn | mcn = this |
-        mcn.getReceiver().getALocalSource() = DOM::domValueRef() and
-        mcn.getMethodName() = "getAttribute" and
-        mcn.getArgument(0).mayHaveStringValue(unsafeAttributeName())
-      )
-    }
-  }
-
-  /**
-   * A test of form `typeof x === "something"`, preventing `x` from being a string in some cases.
-   *
-   * This sanitizer helps prune infeasible paths in type-overloaded functions.
-   */
-  class TypeTestGuard extends TaintTracking::SanitizerGuardNode, DataFlow::ValueNode {
-    override EqualityTest astNode;
-    Expr operand;
-    boolean polarity;
-
-    TypeTestGuard() {
-      exists(TypeofTag tag | TaintTracking::isTypeofGuard(astNode, operand, tag) |
-        // typeof x === "string" sanitizes `x` when it evaluates to false
-        tag = "string" and
-        polarity = astNode.getPolarity().booleanNot()
-        or
-        // typeof x === "object" sanitizes `x` when it evaluates to true
-        tag != "string" and
-        polarity = astNode.getPolarity()
-      )
-    }
-
-    override predicate sanitizes(boolean outcome, Expr e) {
-      polarity = outcome and
-      e = operand
-    }
-  }
 }
diff --git a/javascript/ql/src/semmle/javascript/security/dataflow/XssThroughDomCustomizations.qll b/javascript/ql/src/semmle/javascript/security/dataflow/XssThroughDomCustomizations.qll
new file mode 100644
index 00000000000..3b7a774de3f
--- /dev/null
+++ b/javascript/ql/src/semmle/javascript/security/dataflow/XssThroughDomCustomizations.qll
@@ -0,0 +1,99 @@
+/**
+ * Provides default sources for reasoning about
+ * cross-site scripting vulnerabilities through the DOM.
+ */
+
+import javascript
+
+/**
+ * Sources for cross-site scripting vulnerabilities through the DOM.
+ */
+module XssThroughDom {
+  import Xss::XssThroughDom
+  private import semmle.javascript.dataflow.InferredTypes
+  private import semmle.javascript.security.dataflow.Xss::DomBasedXss as DomBasedXss
+
+  /**
+   * Gets an attribute name that could store user-controlled data.
+   *
+   * Attributes such as "id", "href", and "src" are often used as input to HTML.
+   * However, they are either rarely controlable by a user, or already a sink for other XSS vulnerabilities.
+   * Such attributes are therefore ignored.
+   */
+  bindingset[result]
+  string unsafeAttributeName() {
+    result.regexpMatch("data-.*") or
+    result.regexpMatch("aria-.*") or
+    result = ["name", "value", "title", "alt"]
+  }
+
+  /**
+   * A source for text from the DOM from a JQuery method call.
+   */
+  class JQueryTextSource extends Source, JQuery::MethodCall {
+    JQueryTextSource() {
+      (
+        this.getMethodName() = ["text", "val"] and this.getNumArgument() = 0
+        or
+        this.getMethodName() = "attr" and
+        this.getNumArgument() = 1 and
+        forex(InferredType t | t = this.getArgument(0).analyze().getAType() | t = TTString()) and
+        this.getArgument(0).mayHaveStringValue(unsafeAttributeName())
+      ) and
+      // looks like a $("<p>" + ... ) source, which is benign for this query.
+      not exists(DataFlow::Node prefix |
+        DomBasedXss::isPrefixOfJQueryHtmlString(this.getReceiver()
+              .(DataFlow::CallNode)
+              .getAnArgument(), prefix)
+      |
+        prefix.getStringValue().regexpMatch("\\s*<.*")
+      )
+    }
+  }
+
+  /**
+   * A source for text from the DOM from a DOM property read or call to `getAttribute()`.
+   */
+  class DOMTextSource extends Source {
+    DOMTextSource() {
+      exists(DataFlow::PropRead read | read = this |
+        read.getBase().getALocalSource() = DOM::domValueRef() and
+        read.mayHavePropertyName(["innerText", "textContent", "value", "name"])
+      )
+      or
+      exists(DataFlow::MethodCallNode mcn | mcn = this |
+        mcn.getReceiver().getALocalSource() = DOM::domValueRef() and
+        mcn.getMethodName() = "getAttribute" and
+        mcn.getArgument(0).mayHaveStringValue(unsafeAttributeName())
+      )
+    }
+  }
+
+  /**
+   * A test of form `typeof x === "something"`, preventing `x` from being a string in some cases.
+   *
+   * This sanitizer helps prune infeasible paths in type-overloaded functions.
+   */
+  class TypeTestGuard extends TaintTracking::SanitizerGuardNode, DataFlow::ValueNode {
+    override EqualityTest astNode;
+    Expr operand;
+    boolean polarity;
+
+    TypeTestGuard() {
+      exists(TypeofTag tag | TaintTracking::isTypeofGuard(astNode, operand, tag) |
+        // typeof x === "string" sanitizes `x` when it evaluates to false
+        tag = "string" and
+        polarity = astNode.getPolarity().booleanNot()
+        or
+        // typeof x === "object" sanitizes `x` when it evaluates to true
+        tag != "string" and
+        polarity = astNode.getPolarity()
+      )
+    }
+
+    override predicate sanitizes(boolean outcome, Expr e) {
+      polarity = outcome and
+      e = operand
+    }
+  }
+}

From ff3950ce98023d8db4c2beadd39a3b66501d8746 Mon Sep 17 00:00:00 2001
From: Erik Krogh Kristensen <erik-krogh@github.com>
Date: Sun, 7 Feb 2021 12:58:10 +0100
Subject: [PATCH 272/429] add model for formik

---
 .../dataflow/XssThroughDomCustomizations.qll  | 41 +++++++++++++++
 .../XssThroughDom/XssThroughDom.expected      | 52 +++++++++++++++++++
 .../Security/CWE-079/XssThroughDom/forms.js   | 39 ++++++++++++++
 3 files changed, 132 insertions(+)
 create mode 100644 javascript/ql/test/query-tests/Security/CWE-079/XssThroughDom/forms.js

diff --git a/javascript/ql/src/semmle/javascript/security/dataflow/XssThroughDomCustomizations.qll b/javascript/ql/src/semmle/javascript/security/dataflow/XssThroughDomCustomizations.qll
index 3b7a774de3f..8990f69aa0d 100644
--- a/javascript/ql/src/semmle/javascript/security/dataflow/XssThroughDomCustomizations.qll
+++ b/javascript/ql/src/semmle/javascript/security/dataflow/XssThroughDomCustomizations.qll
@@ -96,4 +96,45 @@ module XssThroughDom {
       e = operand
     }
   }
+
+  /**
+   * A module for form inputs seen as sources for xss-through-dom.
+   */
+  module Forms {
+    /**
+     * A reference to an import of `Formik`.
+     */
+    private DataFlow::SourceNode formik() {
+      result = DataFlow::moduleImport("formik")
+      or
+      result = DataFlow::globalVarRef("Formik")
+    }
+
+    /**
+     * An object containing input values from a form build with `Formik`.
+     */
+    class FormikSource extends Source {
+      FormikSource() {
+        exists(JSXElement elem |
+          formik().getAPropertyRead("Formik").flowsToExpr(elem.getNameExpr())
+        |
+          this =
+            elem.getAttributeByName(["validate", "onSubmit"])
+                .getValue()
+                .flow()
+                .getAFunctionValue()
+                .getParameter(0)
+        )
+        or
+        this =
+          formik()
+              .getAMemberCall("withFormik")
+              .getOptionArgument(0, ["validate", "handleSubmit"])
+              .getAFunctionValue()
+              .getParameter(0)
+        or
+        this = formik().getAMemberCall("useFormikContext").getAPropertyRead("values")
+      }
+    }
+  }
 }
diff --git a/javascript/ql/test/query-tests/Security/CWE-079/XssThroughDom/XssThroughDom.expected b/javascript/ql/test/query-tests/Security/CWE-079/XssThroughDom/XssThroughDom.expected
index ae003b99243..5c938cd6c1d 100644
--- a/javascript/ql/test/query-tests/Security/CWE-079/XssThroughDom/XssThroughDom.expected
+++ b/javascript/ql/test/query-tests/Security/CWE-079/XssThroughDom/XssThroughDom.expected
@@ -1,4 +1,30 @@
 nodes
+| forms.js:8:23:8:28 | values |
+| forms.js:8:23:8:28 | values |
+| forms.js:9:31:9:36 | values |
+| forms.js:9:31:9:40 | values.foo |
+| forms.js:9:31:9:40 | values.foo |
+| forms.js:11:24:11:29 | values |
+| forms.js:11:24:11:29 | values |
+| forms.js:12:31:12:36 | values |
+| forms.js:12:31:12:40 | values.bar |
+| forms.js:12:31:12:40 | values.bar |
+| forms.js:24:15:24:20 | values |
+| forms.js:24:15:24:20 | values |
+| forms.js:25:23:25:28 | values |
+| forms.js:25:23:25:34 | values.email |
+| forms.js:25:23:25:34 | values.email |
+| forms.js:28:20:28:25 | values |
+| forms.js:28:20:28:25 | values |
+| forms.js:29:23:29:28 | values |
+| forms.js:29:23:29:34 | values.email |
+| forms.js:29:23:29:34 | values.email |
+| forms.js:34:11:34:53 | values |
+| forms.js:34:13:34:18 | values |
+| forms.js:34:13:34:18 | values |
+| forms.js:35:19:35:24 | values |
+| forms.js:35:19:35:30 | values.email |
+| forms.js:35:19:35:30 | values.email |
 | xss-through-dom.js:2:16:2:34 | $("textarea").val() |
 | xss-through-dom.js:2:16:2:34 | $("textarea").val() |
 | xss-through-dom.js:2:16:2:34 | $("textarea").val() |
@@ -50,6 +76,27 @@ nodes
 | xss-through-dom.js:79:4:79:34 | documen ... t.value |
 | xss-through-dom.js:79:4:79:34 | documen ... t.value |
 edges
+| forms.js:8:23:8:28 | values | forms.js:9:31:9:36 | values |
+| forms.js:8:23:8:28 | values | forms.js:9:31:9:36 | values |
+| forms.js:9:31:9:36 | values | forms.js:9:31:9:40 | values.foo |
+| forms.js:9:31:9:36 | values | forms.js:9:31:9:40 | values.foo |
+| forms.js:11:24:11:29 | values | forms.js:12:31:12:36 | values |
+| forms.js:11:24:11:29 | values | forms.js:12:31:12:36 | values |
+| forms.js:12:31:12:36 | values | forms.js:12:31:12:40 | values.bar |
+| forms.js:12:31:12:36 | values | forms.js:12:31:12:40 | values.bar |
+| forms.js:24:15:24:20 | values | forms.js:25:23:25:28 | values |
+| forms.js:24:15:24:20 | values | forms.js:25:23:25:28 | values |
+| forms.js:25:23:25:28 | values | forms.js:25:23:25:34 | values.email |
+| forms.js:25:23:25:28 | values | forms.js:25:23:25:34 | values.email |
+| forms.js:28:20:28:25 | values | forms.js:29:23:29:28 | values |
+| forms.js:28:20:28:25 | values | forms.js:29:23:29:28 | values |
+| forms.js:29:23:29:28 | values | forms.js:29:23:29:34 | values.email |
+| forms.js:29:23:29:28 | values | forms.js:29:23:29:34 | values.email |
+| forms.js:34:11:34:53 | values | forms.js:35:19:35:24 | values |
+| forms.js:34:13:34:18 | values | forms.js:34:11:34:53 | values |
+| forms.js:34:13:34:18 | values | forms.js:34:11:34:53 | values |
+| forms.js:35:19:35:24 | values | forms.js:35:19:35:30 | values.email |
+| forms.js:35:19:35:24 | values | forms.js:35:19:35:30 | values.email |
 | xss-through-dom.js:2:16:2:34 | $("textarea").val() | xss-through-dom.js:2:16:2:34 | $("textarea").val() |
 | xss-through-dom.js:4:16:4:40 | $(".som ... .text() | xss-through-dom.js:4:16:4:40 | $(".som ... .text() |
 | xss-through-dom.js:8:16:8:53 | $(".som ... arget") | xss-through-dom.js:8:16:8:53 | $(".som ... arget") |
@@ -70,6 +117,11 @@ edges
 | xss-through-dom.js:73:20:73:41 | $("inpu ... 0).name | xss-through-dom.js:73:9:73:41 | selector |
 | xss-through-dom.js:79:4:79:34 | documen ... t.value | xss-through-dom.js:79:4:79:34 | documen ... t.value |
 #select
+| forms.js:9:31:9:40 | values.foo | forms.js:8:23:8:28 | values | forms.js:9:31:9:40 | values.foo | $@ is reinterpreted as HTML without escaping meta-characters. | forms.js:8:23:8:28 | values | DOM text |
+| forms.js:12:31:12:40 | values.bar | forms.js:11:24:11:29 | values | forms.js:12:31:12:40 | values.bar | $@ is reinterpreted as HTML without escaping meta-characters. | forms.js:11:24:11:29 | values | DOM text |
+| forms.js:25:23:25:34 | values.email | forms.js:24:15:24:20 | values | forms.js:25:23:25:34 | values.email | $@ is reinterpreted as HTML without escaping meta-characters. | forms.js:24:15:24:20 | values | DOM text |
+| forms.js:29:23:29:34 | values.email | forms.js:28:20:28:25 | values | forms.js:29:23:29:34 | values.email | $@ is reinterpreted as HTML without escaping meta-characters. | forms.js:28:20:28:25 | values | DOM text |
+| forms.js:35:19:35:30 | values.email | forms.js:34:13:34:18 | values | forms.js:35:19:35:30 | values.email | $@ is reinterpreted as HTML without escaping meta-characters. | forms.js:34:13:34:18 | values | DOM text |
 | xss-through-dom.js:2:16:2:34 | $("textarea").val() | xss-through-dom.js:2:16:2:34 | $("textarea").val() | xss-through-dom.js:2:16:2:34 | $("textarea").val() | $@ is reinterpreted as HTML without escaping meta-characters. | xss-through-dom.js:2:16:2:34 | $("textarea").val() | DOM text |
 | xss-through-dom.js:4:16:4:40 | $(".som ... .text() | xss-through-dom.js:4:16:4:40 | $(".som ... .text() | xss-through-dom.js:4:16:4:40 | $(".som ... .text() | $@ is reinterpreted as HTML without escaping meta-characters. | xss-through-dom.js:4:16:4:40 | $(".som ... .text() | DOM text |
 | xss-through-dom.js:8:16:8:53 | $(".som ... arget") | xss-through-dom.js:8:16:8:53 | $(".som ... arget") | xss-through-dom.js:8:16:8:53 | $(".som ... arget") | $@ is reinterpreted as HTML without escaping meta-characters. | xss-through-dom.js:8:16:8:53 | $(".som ... arget") | DOM text |
diff --git a/javascript/ql/test/query-tests/Security/CWE-079/XssThroughDom/forms.js b/javascript/ql/test/query-tests/Security/CWE-079/XssThroughDom/forms.js
new file mode 100644
index 00000000000..2159c424dfe
--- /dev/null
+++ b/javascript/ql/test/query-tests/Security/CWE-079/XssThroughDom/forms.js
@@ -0,0 +1,39 @@
+import React from 'react';
+import { Formik, withFormik, useFormikContext } from 'formik';
+
+const FormikBasic = () => (
+    <div>
+        <Formik
+            initialValues={{ email: '', password: '' }}
+            validate={values => {
+                $("#id").html(values.foo); // NOT OK
+            }}
+            onSubmit={(values, { setSubmitting }) => {
+                $("#id").html(values.bar); // NOT OK
+            }}
+        >
+            {(inputs) => (
+                <form onSubmit={handleSubmit}></form>
+            )}
+        </Formik>
+    </div>
+);
+
+const FormikEnhanced = withFormik({
+    mapPropsToValues: () => ({ name: '' }),
+    validate: values => {
+        $("#id").html(values.email); // NOT OK
+    },
+
+    handleSubmit: (values, { setSubmitting }) => {
+        $("#id").html(values.email); // NOT OK
+    }
+})(MyForm);
+
+(function () {
+    const { values, submitForm } = useFormikContext();
+    $("#id").html(values.email); // NOT OK
+
+    $("#id").html(submitForm.email); // OK 
+})
+

From 458dda9d2571f16048abee1f96d6e0bde26afa2f Mon Sep 17 00:00:00 2001
From: Erik Krogh Kristensen <erik-krogh@github.com>
Date: Sun, 7 Feb 2021 22:47:57 +0100
Subject: [PATCH 273/429] add xss-through-dom source from react-final-form

---
 .../dataflow/XssThroughDomCustomizations.qll   | 18 ++++++++++++++++++
 .../XssThroughDom/XssThroughDom.expected       | 10 ++++++++++
 .../Security/CWE-079/XssThroughDom/forms.js    | 15 +++++++++++++++
 3 files changed, 43 insertions(+)

diff --git a/javascript/ql/src/semmle/javascript/security/dataflow/XssThroughDomCustomizations.qll b/javascript/ql/src/semmle/javascript/security/dataflow/XssThroughDomCustomizations.qll
index 8990f69aa0d..ada7412f8cb 100644
--- a/javascript/ql/src/semmle/javascript/security/dataflow/XssThroughDomCustomizations.qll
+++ b/javascript/ql/src/semmle/javascript/security/dataflow/XssThroughDomCustomizations.qll
@@ -136,5 +136,23 @@ module XssThroughDom {
         this = formik().getAMemberCall("useFormikContext").getAPropertyRead("values")
       }
     }
+
+    /**
+     * An object containing input values from a form build with `react-final-form`.
+     */
+    class ReactFinalFormSource extends Source {
+      ReactFinalFormSource() {
+        exists(JSXElement elem |
+          DataFlow::moduleMember("react-final-form", "Form").flowsToExpr(elem.getNameExpr())
+        |
+          this =
+            elem.getAttributeByName("onSubmit")
+                .getValue()
+                .flow()
+                .getAFunctionValue()
+                .getParameter(0)
+        )
+      }
+    }
   }
 }
diff --git a/javascript/ql/test/query-tests/Security/CWE-079/XssThroughDom/XssThroughDom.expected b/javascript/ql/test/query-tests/Security/CWE-079/XssThroughDom/XssThroughDom.expected
index 5c938cd6c1d..b7621d89ab7 100644
--- a/javascript/ql/test/query-tests/Security/CWE-079/XssThroughDom/XssThroughDom.expected
+++ b/javascript/ql/test/query-tests/Security/CWE-079/XssThroughDom/XssThroughDom.expected
@@ -25,6 +25,11 @@ nodes
 | forms.js:35:19:35:24 | values |
 | forms.js:35:19:35:30 | values.email |
 | forms.js:35:19:35:30 | values.email |
+| forms.js:44:21:44:26 | values |
+| forms.js:44:21:44:26 | values |
+| forms.js:45:21:45:26 | values |
+| forms.js:45:21:45:33 | values.stooge |
+| forms.js:45:21:45:33 | values.stooge |
 | xss-through-dom.js:2:16:2:34 | $("textarea").val() |
 | xss-through-dom.js:2:16:2:34 | $("textarea").val() |
 | xss-through-dom.js:2:16:2:34 | $("textarea").val() |
@@ -97,6 +102,10 @@ edges
 | forms.js:34:13:34:18 | values | forms.js:34:11:34:53 | values |
 | forms.js:35:19:35:24 | values | forms.js:35:19:35:30 | values.email |
 | forms.js:35:19:35:24 | values | forms.js:35:19:35:30 | values.email |
+| forms.js:44:21:44:26 | values | forms.js:45:21:45:26 | values |
+| forms.js:44:21:44:26 | values | forms.js:45:21:45:26 | values |
+| forms.js:45:21:45:26 | values | forms.js:45:21:45:33 | values.stooge |
+| forms.js:45:21:45:26 | values | forms.js:45:21:45:33 | values.stooge |
 | xss-through-dom.js:2:16:2:34 | $("textarea").val() | xss-through-dom.js:2:16:2:34 | $("textarea").val() |
 | xss-through-dom.js:4:16:4:40 | $(".som ... .text() | xss-through-dom.js:4:16:4:40 | $(".som ... .text() |
 | xss-through-dom.js:8:16:8:53 | $(".som ... arget") | xss-through-dom.js:8:16:8:53 | $(".som ... arget") |
@@ -122,6 +131,7 @@ edges
 | forms.js:25:23:25:34 | values.email | forms.js:24:15:24:20 | values | forms.js:25:23:25:34 | values.email | $@ is reinterpreted as HTML without escaping meta-characters. | forms.js:24:15:24:20 | values | DOM text |
 | forms.js:29:23:29:34 | values.email | forms.js:28:20:28:25 | values | forms.js:29:23:29:34 | values.email | $@ is reinterpreted as HTML without escaping meta-characters. | forms.js:28:20:28:25 | values | DOM text |
 | forms.js:35:19:35:30 | values.email | forms.js:34:13:34:18 | values | forms.js:35:19:35:30 | values.email | $@ is reinterpreted as HTML without escaping meta-characters. | forms.js:34:13:34:18 | values | DOM text |
+| forms.js:45:21:45:33 | values.stooge | forms.js:44:21:44:26 | values | forms.js:45:21:45:33 | values.stooge | $@ is reinterpreted as HTML without escaping meta-characters. | forms.js:44:21:44:26 | values | DOM text |
 | xss-through-dom.js:2:16:2:34 | $("textarea").val() | xss-through-dom.js:2:16:2:34 | $("textarea").val() | xss-through-dom.js:2:16:2:34 | $("textarea").val() | $@ is reinterpreted as HTML without escaping meta-characters. | xss-through-dom.js:2:16:2:34 | $("textarea").val() | DOM text |
 | xss-through-dom.js:4:16:4:40 | $(".som ... .text() | xss-through-dom.js:4:16:4:40 | $(".som ... .text() | xss-through-dom.js:4:16:4:40 | $(".som ... .text() | $@ is reinterpreted as HTML without escaping meta-characters. | xss-through-dom.js:4:16:4:40 | $(".som ... .text() | DOM text |
 | xss-through-dom.js:8:16:8:53 | $(".som ... arget") | xss-through-dom.js:8:16:8:53 | $(".som ... arget") | xss-through-dom.js:8:16:8:53 | $(".som ... arget") | $@ is reinterpreted as HTML without escaping meta-characters. | xss-through-dom.js:8:16:8:53 | $(".som ... arget") | DOM text |
diff --git a/javascript/ql/test/query-tests/Security/CWE-079/XssThroughDom/forms.js b/javascript/ql/test/query-tests/Security/CWE-079/XssThroughDom/forms.js
index 2159c424dfe..7054b8333d7 100644
--- a/javascript/ql/test/query-tests/Security/CWE-079/XssThroughDom/forms.js
+++ b/javascript/ql/test/query-tests/Security/CWE-079/XssThroughDom/forms.js
@@ -37,3 +37,18 @@ const FormikEnhanced = withFormik({
     $("#id").html(submitForm.email); // OK 
 })
 
+import { Form } from 'react-final-form'
+
+const App = () => (
+  <Form
+    onSubmit={async values => {
+      $("#id").html(values.stooge); // NOT OK
+    }}
+    initialValues={{ stooge: 'larry', employed: false }}
+    render={({ handleSubmit, form, submitting, pristine, values }) => (
+      <form onSubmit={handleSubmit}>
+        <input type="text" name="stooge"></input>
+      </form>
+    )}
+  />
+)
\ No newline at end of file

From 65d93c9061193e576c7f980a6c2c21dd70b6b1d4 Mon Sep 17 00:00:00 2001
From: Erik Krogh Kristensen <erik-krogh@github.com>
Date: Mon, 8 Feb 2021 09:36:11 +0100
Subject: [PATCH 274/429] detect for DOM elements from DOM events in React

---
 javascript/ql/src/semmle/javascript/DOM.qll         | 13 +++++++++++++
 .../CWE-079/XssThroughDom/XssThroughDom.expected    |  5 +++++
 .../Security/CWE-079/XssThroughDom/forms.js         | 11 +++++++++++
 3 files changed, 29 insertions(+)

diff --git a/javascript/ql/src/semmle/javascript/DOM.qll b/javascript/ql/src/semmle/javascript/DOM.qll
index a1facf39505..e5a3d3eb672 100644
--- a/javascript/ql/src/semmle/javascript/DOM.qll
+++ b/javascript/ql/src/semmle/javascript/DOM.qll
@@ -357,6 +357,15 @@ module DOM {
     }
   }
 
+  /**
+   * Gets a reference to a DOM event.
+   */
+  private DataFlow::SourceNode domEventSource() {
+    exists(JSXAttribute attr | attr.getName().matches("on%") |
+      result = attr.getValue().flow().getABoundFunctionValue(0).getParameter(0)
+    )
+  }
+
   /** Gets a data flow node that refers directly to a value from the DOM. */
   DataFlow::SourceNode domValueSource() { result instanceof DomValueSource::Range }
 
@@ -368,6 +377,10 @@ module DOM {
     t.start() and
     result = domValueRef().getAMethodCall(["item", "namedItem"])
     or
+    // e.g. <form onSubmit={e => e.target}/>
+    t.startInProp("target") and
+    result = domEventSource()
+    or
     exists(DataFlow::TypeTracker t2 | result = domValueRef(t2).track(t2, t))
   }
 
diff --git a/javascript/ql/test/query-tests/Security/CWE-079/XssThroughDom/XssThroughDom.expected b/javascript/ql/test/query-tests/Security/CWE-079/XssThroughDom/XssThroughDom.expected
index b7621d89ab7..dfe5365f5d1 100644
--- a/javascript/ql/test/query-tests/Security/CWE-079/XssThroughDom/XssThroughDom.expected
+++ b/javascript/ql/test/query-tests/Security/CWE-079/XssThroughDom/XssThroughDom.expected
@@ -30,6 +30,9 @@ nodes
 | forms.js:45:21:45:26 | values |
 | forms.js:45:21:45:33 | values.stooge |
 | forms.js:45:21:45:33 | values.stooge |
+| forms.js:57:19:57:32 | e.target.value |
+| forms.js:57:19:57:32 | e.target.value |
+| forms.js:57:19:57:32 | e.target.value |
 | xss-through-dom.js:2:16:2:34 | $("textarea").val() |
 | xss-through-dom.js:2:16:2:34 | $("textarea").val() |
 | xss-through-dom.js:2:16:2:34 | $("textarea").val() |
@@ -106,6 +109,7 @@ edges
 | forms.js:44:21:44:26 | values | forms.js:45:21:45:26 | values |
 | forms.js:45:21:45:26 | values | forms.js:45:21:45:33 | values.stooge |
 | forms.js:45:21:45:26 | values | forms.js:45:21:45:33 | values.stooge |
+| forms.js:57:19:57:32 | e.target.value | forms.js:57:19:57:32 | e.target.value |
 | xss-through-dom.js:2:16:2:34 | $("textarea").val() | xss-through-dom.js:2:16:2:34 | $("textarea").val() |
 | xss-through-dom.js:4:16:4:40 | $(".som ... .text() | xss-through-dom.js:4:16:4:40 | $(".som ... .text() |
 | xss-through-dom.js:8:16:8:53 | $(".som ... arget") | xss-through-dom.js:8:16:8:53 | $(".som ... arget") |
@@ -132,6 +136,7 @@ edges
 | forms.js:29:23:29:34 | values.email | forms.js:28:20:28:25 | values | forms.js:29:23:29:34 | values.email | $@ is reinterpreted as HTML without escaping meta-characters. | forms.js:28:20:28:25 | values | DOM text |
 | forms.js:35:19:35:30 | values.email | forms.js:34:13:34:18 | values | forms.js:35:19:35:30 | values.email | $@ is reinterpreted as HTML without escaping meta-characters. | forms.js:34:13:34:18 | values | DOM text |
 | forms.js:45:21:45:33 | values.stooge | forms.js:44:21:44:26 | values | forms.js:45:21:45:33 | values.stooge | $@ is reinterpreted as HTML without escaping meta-characters. | forms.js:44:21:44:26 | values | DOM text |
+| forms.js:57:19:57:32 | e.target.value | forms.js:57:19:57:32 | e.target.value | forms.js:57:19:57:32 | e.target.value | $@ is reinterpreted as HTML without escaping meta-characters. | forms.js:57:19:57:32 | e.target.value | DOM text |
 | xss-through-dom.js:2:16:2:34 | $("textarea").val() | xss-through-dom.js:2:16:2:34 | $("textarea").val() | xss-through-dom.js:2:16:2:34 | $("textarea").val() | $@ is reinterpreted as HTML without escaping meta-characters. | xss-through-dom.js:2:16:2:34 | $("textarea").val() | DOM text |
 | xss-through-dom.js:4:16:4:40 | $(".som ... .text() | xss-through-dom.js:4:16:4:40 | $(".som ... .text() | xss-through-dom.js:4:16:4:40 | $(".som ... .text() | $@ is reinterpreted as HTML without escaping meta-characters. | xss-through-dom.js:4:16:4:40 | $(".som ... .text() | DOM text |
 | xss-through-dom.js:8:16:8:53 | $(".som ... arget") | xss-through-dom.js:8:16:8:53 | $(".som ... arget") | xss-through-dom.js:8:16:8:53 | $(".som ... arget") | $@ is reinterpreted as HTML without escaping meta-characters. | xss-through-dom.js:8:16:8:53 | $(".som ... arget") | DOM text |
diff --git a/javascript/ql/test/query-tests/Security/CWE-079/XssThroughDom/forms.js b/javascript/ql/test/query-tests/Security/CWE-079/XssThroughDom/forms.js
index 7054b8333d7..84ebb26e088 100644
--- a/javascript/ql/test/query-tests/Security/CWE-079/XssThroughDom/forms.js
+++ b/javascript/ql/test/query-tests/Security/CWE-079/XssThroughDom/forms.js
@@ -51,4 +51,15 @@ const App = () => (
       </form>
     )}
   />
+);
+
+function plainSubmit(e) {
+    $("#id").html(e.target.value); // NOT OK
+}
+
+const plainReact = () => (
+    <form onSubmit={e => plainSubmit(e)}>
+        <input type="text" value={this.state.value} onChange={this.handleChange} />
+        <input type="submit" value="Submit" />
+    </form>
 )
\ No newline at end of file

From be9636491bf996d02abb63a9666f61a5763ef880 Mon Sep 17 00:00:00 2001
From: Erik Krogh Kristensen <erik-krogh@github.com>
Date: Mon, 8 Feb 2021 15:44:34 +0100
Subject: [PATCH 275/429] add source for react-hook-form in xss-through-dom

---
 .../dataflow/XssThroughDomCustomizations.qll  | 16 ++++++++
 .../XssThroughDom/XssThroughDom.expected      | 22 +++++++++++
 .../Security/CWE-079/XssThroughDom/forms.js   | 37 ++++++++++++++++++-
 3 files changed, 74 insertions(+), 1 deletion(-)

diff --git a/javascript/ql/src/semmle/javascript/security/dataflow/XssThroughDomCustomizations.qll b/javascript/ql/src/semmle/javascript/security/dataflow/XssThroughDomCustomizations.qll
index ada7412f8cb..2176d5f83c6 100644
--- a/javascript/ql/src/semmle/javascript/security/dataflow/XssThroughDomCustomizations.qll
+++ b/javascript/ql/src/semmle/javascript/security/dataflow/XssThroughDomCustomizations.qll
@@ -154,5 +154,21 @@ module XssThroughDom {
         )
       }
     }
+
+    /**
+     * An object containing input values from a form build with `react-hook-form`.
+     */
+    class ReactHookFormSource extends Source {
+      ReactHookFormSource() {
+        exists(API::Node useForm |
+          useForm = API::moduleImport("react-hook-form").getMember("useForm").getReturn()
+        |
+          this =
+            useForm.getMember("handleSubmit").getParameter(0).getParameter(0).getAnImmediateUse()
+          or
+          this = useForm.getMember("getValues").getACall()
+        )
+      }
+    }
   }
 }
diff --git a/javascript/ql/test/query-tests/Security/CWE-079/XssThroughDom/XssThroughDom.expected b/javascript/ql/test/query-tests/Security/CWE-079/XssThroughDom/XssThroughDom.expected
index dfe5365f5d1..8fc40dc01e6 100644
--- a/javascript/ql/test/query-tests/Security/CWE-079/XssThroughDom/XssThroughDom.expected
+++ b/javascript/ql/test/query-tests/Security/CWE-079/XssThroughDom/XssThroughDom.expected
@@ -33,6 +33,17 @@ nodes
 | forms.js:57:19:57:32 | e.target.value |
 | forms.js:57:19:57:32 | e.target.value |
 | forms.js:57:19:57:32 | e.target.value |
+| forms.js:71:21:71:24 | data |
+| forms.js:71:21:71:24 | data |
+| forms.js:72:19:72:22 | data |
+| forms.js:72:19:72:27 | data.name |
+| forms.js:72:19:72:27 | data.name |
+| forms.js:92:17:92:36 | values |
+| forms.js:92:26:92:36 | getValues() |
+| forms.js:92:26:92:36 | getValues() |
+| forms.js:93:25:93:30 | values |
+| forms.js:93:25:93:35 | values.name |
+| forms.js:93:25:93:35 | values.name |
 | xss-through-dom.js:2:16:2:34 | $("textarea").val() |
 | xss-through-dom.js:2:16:2:34 | $("textarea").val() |
 | xss-through-dom.js:2:16:2:34 | $("textarea").val() |
@@ -110,6 +121,15 @@ edges
 | forms.js:45:21:45:26 | values | forms.js:45:21:45:33 | values.stooge |
 | forms.js:45:21:45:26 | values | forms.js:45:21:45:33 | values.stooge |
 | forms.js:57:19:57:32 | e.target.value | forms.js:57:19:57:32 | e.target.value |
+| forms.js:71:21:71:24 | data | forms.js:72:19:72:22 | data |
+| forms.js:71:21:71:24 | data | forms.js:72:19:72:22 | data |
+| forms.js:72:19:72:22 | data | forms.js:72:19:72:27 | data.name |
+| forms.js:72:19:72:22 | data | forms.js:72:19:72:27 | data.name |
+| forms.js:92:17:92:36 | values | forms.js:93:25:93:30 | values |
+| forms.js:92:26:92:36 | getValues() | forms.js:92:17:92:36 | values |
+| forms.js:92:26:92:36 | getValues() | forms.js:92:17:92:36 | values |
+| forms.js:93:25:93:30 | values | forms.js:93:25:93:35 | values.name |
+| forms.js:93:25:93:30 | values | forms.js:93:25:93:35 | values.name |
 | xss-through-dom.js:2:16:2:34 | $("textarea").val() | xss-through-dom.js:2:16:2:34 | $("textarea").val() |
 | xss-through-dom.js:4:16:4:40 | $(".som ... .text() | xss-through-dom.js:4:16:4:40 | $(".som ... .text() |
 | xss-through-dom.js:8:16:8:53 | $(".som ... arget") | xss-through-dom.js:8:16:8:53 | $(".som ... arget") |
@@ -137,6 +157,8 @@ edges
 | forms.js:35:19:35:30 | values.email | forms.js:34:13:34:18 | values | forms.js:35:19:35:30 | values.email | $@ is reinterpreted as HTML without escaping meta-characters. | forms.js:34:13:34:18 | values | DOM text |
 | forms.js:45:21:45:33 | values.stooge | forms.js:44:21:44:26 | values | forms.js:45:21:45:33 | values.stooge | $@ is reinterpreted as HTML without escaping meta-characters. | forms.js:44:21:44:26 | values | DOM text |
 | forms.js:57:19:57:32 | e.target.value | forms.js:57:19:57:32 | e.target.value | forms.js:57:19:57:32 | e.target.value | $@ is reinterpreted as HTML without escaping meta-characters. | forms.js:57:19:57:32 | e.target.value | DOM text |
+| forms.js:72:19:72:27 | data.name | forms.js:71:21:71:24 | data | forms.js:72:19:72:27 | data.name | $@ is reinterpreted as HTML without escaping meta-characters. | forms.js:71:21:71:24 | data | DOM text |
+| forms.js:93:25:93:35 | values.name | forms.js:92:26:92:36 | getValues() | forms.js:93:25:93:35 | values.name | $@ is reinterpreted as HTML without escaping meta-characters. | forms.js:92:26:92:36 | getValues() | DOM text |
 | xss-through-dom.js:2:16:2:34 | $("textarea").val() | xss-through-dom.js:2:16:2:34 | $("textarea").val() | xss-through-dom.js:2:16:2:34 | $("textarea").val() | $@ is reinterpreted as HTML without escaping meta-characters. | xss-through-dom.js:2:16:2:34 | $("textarea").val() | DOM text |
 | xss-through-dom.js:4:16:4:40 | $(".som ... .text() | xss-through-dom.js:4:16:4:40 | $(".som ... .text() | xss-through-dom.js:4:16:4:40 | $(".som ... .text() | $@ is reinterpreted as HTML without escaping meta-characters. | xss-through-dom.js:4:16:4:40 | $(".som ... .text() | DOM text |
 | xss-through-dom.js:8:16:8:53 | $(".som ... arget") | xss-through-dom.js:8:16:8:53 | $(".som ... arget") | xss-through-dom.js:8:16:8:53 | $(".som ... arget") | $@ is reinterpreted as HTML without escaping meta-characters. | xss-through-dom.js:8:16:8:53 | $(".som ... arget") | DOM text |
diff --git a/javascript/ql/test/query-tests/Security/CWE-079/XssThroughDom/forms.js b/javascript/ql/test/query-tests/Security/CWE-079/XssThroughDom/forms.js
index 84ebb26e088..4c84701d241 100644
--- a/javascript/ql/test/query-tests/Security/CWE-079/XssThroughDom/forms.js
+++ b/javascript/ql/test/query-tests/Security/CWE-079/XssThroughDom/forms.js
@@ -62,4 +62,39 @@ const plainReact = () => (
         <input type="text" value={this.state.value} onChange={this.handleChange} />
         <input type="submit" value="Submit" />
     </form>
-)
\ No newline at end of file
+)
+
+import { useForm } from 'react-hook-form';
+
+function HookForm() {
+  const { register, handleSubmit, errors } = useForm(); // initialize the hook
+  const onSubmit = (data) => {
+    $("#id").html(data.name); // NOT OK 
+  };
+
+  return (
+    <form onSubmit={handleSubmit(onSubmit)}>
+        <input name="name" ref={register({ required: true })} />
+        <input type="submit" />
+    </form>
+  );
+}
+
+function HookForm2() {
+  const { register, getValues } = useForm();
+  
+  return (
+    <form>
+      <input name="name" ref={register} />
+      <button
+        type="button"
+        onClick={() => {
+          const values = getValues(); // { test: "test-input", test1: "test1-input" }
+          $("#id").html(values.name); // NOT OK
+        }}
+      >
+      </button>
+    </form>
+  );
+}
+  
\ No newline at end of file

From 101d4358a9f334d39ae954291f968079d19805d3 Mon Sep 17 00:00:00 2001
From: Erik Krogh Kristensen <erik-krogh@github.com>
Date: Mon, 8 Feb 2021 16:00:50 +0100
Subject: [PATCH 276/429] detect DOM nodes from event callbacks

---
 javascript/ql/src/semmle/javascript/DOM.qll           | 11 ++++++++++-
 .../CWE-079/XssThroughDom/XssThroughDom.expected      | 10 ++++++++++
 .../Security/CWE-079/XssThroughDom/forms.js           | 11 ++++++++++-
 3 files changed, 30 insertions(+), 2 deletions(-)

diff --git a/javascript/ql/src/semmle/javascript/DOM.qll b/javascript/ql/src/semmle/javascript/DOM.qll
index e5a3d3eb672..5b1b9c30542 100644
--- a/javascript/ql/src/semmle/javascript/DOM.qll
+++ b/javascript/ql/src/semmle/javascript/DOM.qll
@@ -361,9 +361,19 @@ module DOM {
    * Gets a reference to a DOM event.
    */
   private DataFlow::SourceNode domEventSource() {
+    // e.g. <form onSubmit={e => e.target}/>
     exists(JSXAttribute attr | attr.getName().matches("on%") |
       result = attr.getValue().flow().getABoundFunctionValue(0).getParameter(0)
     )
+    or
+    // node.addEventListener("submit", e => e.target)
+    result = domValueRef().getAMethodCall("addEventListener").getABoundCallbackParameter(1, 0)
+    or
+    // node.onSubmit = (e => e.target);
+    exists(DataFlow::PropWrite write | write = domValueRef().getAPropertyWrite() |
+      write.getPropertyName().matches("on%") and
+      result = write.getRhs().getAFunctionValue().getParameter(0)
+    )
   }
 
   /** Gets a data flow node that refers directly to a value from the DOM. */
@@ -377,7 +387,6 @@ module DOM {
     t.start() and
     result = domValueRef().getAMethodCall(["item", "namedItem"])
     or
-    // e.g. <form onSubmit={e => e.target}/>
     t.startInProp("target") and
     result = domEventSource()
     or
diff --git a/javascript/ql/test/query-tests/Security/CWE-079/XssThroughDom/XssThroughDom.expected b/javascript/ql/test/query-tests/Security/CWE-079/XssThroughDom/XssThroughDom.expected
index 8fc40dc01e6..cfa5ba99070 100644
--- a/javascript/ql/test/query-tests/Security/CWE-079/XssThroughDom/XssThroughDom.expected
+++ b/javascript/ql/test/query-tests/Security/CWE-079/XssThroughDom/XssThroughDom.expected
@@ -44,6 +44,12 @@ nodes
 | forms.js:93:25:93:30 | values |
 | forms.js:93:25:93:35 | values.name |
 | forms.js:93:25:93:35 | values.name |
+| forms.js:103:23:103:36 | e.target.value |
+| forms.js:103:23:103:36 | e.target.value |
+| forms.js:103:23:103:36 | e.target.value |
+| forms.js:107:23:107:36 | e.target.value |
+| forms.js:107:23:107:36 | e.target.value |
+| forms.js:107:23:107:36 | e.target.value |
 | xss-through-dom.js:2:16:2:34 | $("textarea").val() |
 | xss-through-dom.js:2:16:2:34 | $("textarea").val() |
 | xss-through-dom.js:2:16:2:34 | $("textarea").val() |
@@ -130,6 +136,8 @@ edges
 | forms.js:92:26:92:36 | getValues() | forms.js:92:17:92:36 | values |
 | forms.js:93:25:93:30 | values | forms.js:93:25:93:35 | values.name |
 | forms.js:93:25:93:30 | values | forms.js:93:25:93:35 | values.name |
+| forms.js:103:23:103:36 | e.target.value | forms.js:103:23:103:36 | e.target.value |
+| forms.js:107:23:107:36 | e.target.value | forms.js:107:23:107:36 | e.target.value |
 | xss-through-dom.js:2:16:2:34 | $("textarea").val() | xss-through-dom.js:2:16:2:34 | $("textarea").val() |
 | xss-through-dom.js:4:16:4:40 | $(".som ... .text() | xss-through-dom.js:4:16:4:40 | $(".som ... .text() |
 | xss-through-dom.js:8:16:8:53 | $(".som ... arget") | xss-through-dom.js:8:16:8:53 | $(".som ... arget") |
@@ -159,6 +167,8 @@ edges
 | forms.js:57:19:57:32 | e.target.value | forms.js:57:19:57:32 | e.target.value | forms.js:57:19:57:32 | e.target.value | $@ is reinterpreted as HTML without escaping meta-characters. | forms.js:57:19:57:32 | e.target.value | DOM text |
 | forms.js:72:19:72:27 | data.name | forms.js:71:21:71:24 | data | forms.js:72:19:72:27 | data.name | $@ is reinterpreted as HTML without escaping meta-characters. | forms.js:71:21:71:24 | data | DOM text |
 | forms.js:93:25:93:35 | values.name | forms.js:92:26:92:36 | getValues() | forms.js:93:25:93:35 | values.name | $@ is reinterpreted as HTML without escaping meta-characters. | forms.js:92:26:92:36 | getValues() | DOM text |
+| forms.js:103:23:103:36 | e.target.value | forms.js:103:23:103:36 | e.target.value | forms.js:103:23:103:36 | e.target.value | $@ is reinterpreted as HTML without escaping meta-characters. | forms.js:103:23:103:36 | e.target.value | DOM text |
+| forms.js:107:23:107:36 | e.target.value | forms.js:107:23:107:36 | e.target.value | forms.js:107:23:107:36 | e.target.value | $@ is reinterpreted as HTML without escaping meta-characters. | forms.js:107:23:107:36 | e.target.value | DOM text |
 | xss-through-dom.js:2:16:2:34 | $("textarea").val() | xss-through-dom.js:2:16:2:34 | $("textarea").val() | xss-through-dom.js:2:16:2:34 | $("textarea").val() | $@ is reinterpreted as HTML without escaping meta-characters. | xss-through-dom.js:2:16:2:34 | $("textarea").val() | DOM text |
 | xss-through-dom.js:4:16:4:40 | $(".som ... .text() | xss-through-dom.js:4:16:4:40 | $(".som ... .text() | xss-through-dom.js:4:16:4:40 | $(".som ... .text() | $@ is reinterpreted as HTML without escaping meta-characters. | xss-through-dom.js:4:16:4:40 | $(".som ... .text() | DOM text |
 | xss-through-dom.js:8:16:8:53 | $(".som ... arget") | xss-through-dom.js:8:16:8:53 | $(".som ... arget") | xss-through-dom.js:8:16:8:53 | $(".som ... arget") | $@ is reinterpreted as HTML without escaping meta-characters. | xss-through-dom.js:8:16:8:53 | $(".som ... arget") | DOM text |
diff --git a/javascript/ql/test/query-tests/Security/CWE-079/XssThroughDom/forms.js b/javascript/ql/test/query-tests/Security/CWE-079/XssThroughDom/forms.js
index 4c84701d241..b91b7490bb2 100644
--- a/javascript/ql/test/query-tests/Security/CWE-079/XssThroughDom/forms.js
+++ b/javascript/ql/test/query-tests/Security/CWE-079/XssThroughDom/forms.js
@@ -97,4 +97,13 @@ function HookForm2() {
     </form>
   );
 }
-  
\ No newline at end of file
+
+function vanillaJS() {
+    document.querySelector("form.myform").addEventListener("submit", e => {
+        $("#id").html(e.target.value); // NOT OK
+    });
+
+    document.querySelector("form.myform").onsubmit = function (e) {
+        $("#id").html(e.target.value); // NOT OK
+    }
+}
\ No newline at end of file

From 91f7d330448bbb67de31e4d839bea7c3b78463db Mon Sep 17 00:00:00 2001
From: Erik Krogh Kristensen <erik-krogh@github.com>
Date: Mon, 8 Feb 2021 17:31:47 +0100
Subject: [PATCH 277/429] add change note

---
 javascript/change-notes/2021-02-08-xss-through-dom-forms.md | 6 ++++++
 1 file changed, 6 insertions(+)
 create mode 100644 javascript/change-notes/2021-02-08-xss-through-dom-forms.md

diff --git a/javascript/change-notes/2021-02-08-xss-through-dom-forms.md b/javascript/change-notes/2021-02-08-xss-through-dom-forms.md
new file mode 100644
index 00000000000..33c864bbaef
--- /dev/null
+++ b/javascript/change-notes/2021-02-08-xss-through-dom-forms.md
@@ -0,0 +1,6 @@
+lgtm,codescanning
+* The `js/xss-through-dom` query now recognizes form inputs as sources.
+  Affected packages are
+    [formik](https://www.npmjs.com/package/formik) and
+    [react-final-form](https://www.npmjs.com/package/react-final-form) and
+    [react-hook-form](https://www.npmjs.com/package/react-hook-form)

From b4704f70160d222de2a71eaa55828de86be59c99 Mon Sep 17 00:00:00 2001
From: Erik Krogh Kristensen <erik-krogh@github.com>
Date: Wed, 10 Feb 2021 14:51:08 +0100
Subject: [PATCH 278/429] add taint-step for the `marked` library

---
 javascript/ql/src/javascript.qll              |  1 +
 .../semmle/javascript/frameworks/Markdown.qll | 21 +++++++++++++++++++
 .../ReflectedXss/ReflectedXss.expected        | 14 +++++++++++++
 .../CWE-079/ReflectedXss/ReflectedXss.js      |  6 ++++++
 .../ReflectedXssWithCustomSanitizer.expected  |  2 ++
 5 files changed, 44 insertions(+)
 create mode 100644 javascript/ql/src/semmle/javascript/frameworks/Markdown.qll

diff --git a/javascript/ql/src/javascript.qll b/javascript/ql/src/javascript.qll
index d5c459c4d5c..9b035508497 100644
--- a/javascript/ql/src/javascript.qll
+++ b/javascript/ql/src/javascript.qll
@@ -93,6 +93,7 @@ import semmle.javascript.frameworks.LazyCache
 import semmle.javascript.frameworks.LodashUnderscore
 import semmle.javascript.frameworks.Logging
 import semmle.javascript.frameworks.HttpFrameworks
+import semmle.javascript.frameworks.Markdown
 import semmle.javascript.frameworks.NoSQL
 import semmle.javascript.frameworks.PkgCloud
 import semmle.javascript.frameworks.PropertyProjection
diff --git a/javascript/ql/src/semmle/javascript/frameworks/Markdown.qll b/javascript/ql/src/semmle/javascript/frameworks/Markdown.qll
new file mode 100644
index 00000000000..c32c7189c7c
--- /dev/null
+++ b/javascript/ql/src/semmle/javascript/frameworks/Markdown.qll
@@ -0,0 +1,21 @@
+/**
+ * Provides classes for modelling common markdown parsers and generators.
+ */
+
+import javascript
+
+/**
+ * A taint step for the `marked` library, that converts markdown to HTML.
+ */
+private class MarkedStep extends TaintTracking::AdditionalTaintStep, DataFlow::CallNode {
+  MarkedStep() {
+    this = DataFlow::globalVarRef("marked").getACall()
+    or
+    this = DataFlow::moduleImport("marked").getACall()
+  }
+
+  override predicate step(DataFlow::Node pred, DataFlow::Node succ) {
+    succ = this and
+    pred = this.getAnArgument()
+  }
+}
diff --git a/javascript/ql/test/query-tests/Security/CWE-079/ReflectedXss/ReflectedXss.expected b/javascript/ql/test/query-tests/Security/CWE-079/ReflectedXss/ReflectedXss.expected
index bc28be8d730..32878144f34 100644
--- a/javascript/ql/test/query-tests/Security/CWE-079/ReflectedXss/ReflectedXss.expected
+++ b/javascript/ql/test/query-tests/Security/CWE-079/ReflectedXss/ReflectedXss.expected
@@ -7,6 +7,13 @@ nodes
 | ReflectedXss.js:17:12:17:39 | "Unknow ... rams.id |
 | ReflectedXss.js:17:31:17:39 | params.id |
 | ReflectedXss.js:17:31:17:39 | params.id |
+| ReflectedXss.js:22:12:22:19 | req.body |
+| ReflectedXss.js:22:12:22:19 | req.body |
+| ReflectedXss.js:22:12:22:19 | req.body |
+| ReflectedXss.js:23:12:23:27 | marked(req.body) |
+| ReflectedXss.js:23:12:23:27 | marked(req.body) |
+| ReflectedXss.js:23:19:23:26 | req.body |
+| ReflectedXss.js:23:19:23:26 | req.body |
 | ReflectedXssContentTypes.js:10:14:10:36 | "FOO: " ... rams.id |
 | ReflectedXssContentTypes.js:10:14:10:36 | "FOO: " ... rams.id |
 | ReflectedXssContentTypes.js:10:24:10:36 | req.params.id |
@@ -100,6 +107,11 @@ edges
 | ReflectedXss.js:17:31:17:39 | params.id | ReflectedXss.js:17:12:17:39 | "Unknow ... rams.id |
 | ReflectedXss.js:17:31:17:39 | params.id | ReflectedXss.js:17:12:17:39 | "Unknow ... rams.id |
 | ReflectedXss.js:17:31:17:39 | params.id | ReflectedXss.js:17:12:17:39 | "Unknow ... rams.id |
+| ReflectedXss.js:22:12:22:19 | req.body | ReflectedXss.js:22:12:22:19 | req.body |
+| ReflectedXss.js:23:19:23:26 | req.body | ReflectedXss.js:23:12:23:27 | marked(req.body) |
+| ReflectedXss.js:23:19:23:26 | req.body | ReflectedXss.js:23:12:23:27 | marked(req.body) |
+| ReflectedXss.js:23:19:23:26 | req.body | ReflectedXss.js:23:12:23:27 | marked(req.body) |
+| ReflectedXss.js:23:19:23:26 | req.body | ReflectedXss.js:23:12:23:27 | marked(req.body) |
 | ReflectedXssContentTypes.js:10:24:10:36 | req.params.id | ReflectedXssContentTypes.js:10:14:10:36 | "FOO: " ... rams.id |
 | ReflectedXssContentTypes.js:10:24:10:36 | req.params.id | ReflectedXssContentTypes.js:10:14:10:36 | "FOO: " ... rams.id |
 | ReflectedXssContentTypes.js:10:24:10:36 | req.params.id | ReflectedXssContentTypes.js:10:14:10:36 | "FOO: " ... rams.id |
@@ -178,6 +190,8 @@ edges
 #select
 | ReflectedXss.js:8:14:8:45 | "Unknow ... rams.id | ReflectedXss.js:8:33:8:45 | req.params.id | ReflectedXss.js:8:14:8:45 | "Unknow ... rams.id | Cross-site scripting vulnerability due to $@. | ReflectedXss.js:8:33:8:45 | req.params.id | user-provided value |
 | ReflectedXss.js:17:12:17:39 | "Unknow ... rams.id | ReflectedXss.js:17:31:17:39 | params.id | ReflectedXss.js:17:12:17:39 | "Unknow ... rams.id | Cross-site scripting vulnerability due to $@. | ReflectedXss.js:17:31:17:39 | params.id | user-provided value |
+| ReflectedXss.js:22:12:22:19 | req.body | ReflectedXss.js:22:12:22:19 | req.body | ReflectedXss.js:22:12:22:19 | req.body | Cross-site scripting vulnerability due to $@. | ReflectedXss.js:22:12:22:19 | req.body | user-provided value |
+| ReflectedXss.js:23:12:23:27 | marked(req.body) | ReflectedXss.js:23:19:23:26 | req.body | ReflectedXss.js:23:12:23:27 | marked(req.body) | Cross-site scripting vulnerability due to $@. | ReflectedXss.js:23:19:23:26 | req.body | user-provided value |
 | ReflectedXssContentTypes.js:10:14:10:36 | "FOO: " ... rams.id | ReflectedXssContentTypes.js:10:24:10:36 | req.params.id | ReflectedXssContentTypes.js:10:14:10:36 | "FOO: " ... rams.id | Cross-site scripting vulnerability due to $@. | ReflectedXssContentTypes.js:10:24:10:36 | req.params.id | user-provided value |
 | ReflectedXssContentTypes.js:20:14:20:36 | "FOO: " ... rams.id | ReflectedXssContentTypes.js:20:24:20:36 | req.params.id | ReflectedXssContentTypes.js:20:14:20:36 | "FOO: " ... rams.id | Cross-site scripting vulnerability due to $@. | ReflectedXssContentTypes.js:20:24:20:36 | req.params.id | user-provided value |
 | ReflectedXssContentTypes.js:39:13:39:35 | "FOO: " ... rams.id | ReflectedXssContentTypes.js:39:23:39:35 | req.params.id | ReflectedXssContentTypes.js:39:13:39:35 | "FOO: " ... rams.id | Cross-site scripting vulnerability due to $@. | ReflectedXssContentTypes.js:39:23:39:35 | req.params.id | user-provided value |
diff --git a/javascript/ql/test/query-tests/Security/CWE-079/ReflectedXss/ReflectedXss.js b/javascript/ql/test/query-tests/Security/CWE-079/ReflectedXss/ReflectedXss.js
index 4a7c04a989c..68e8a5057a6 100644
--- a/javascript/ql/test/query-tests/Security/CWE-079/ReflectedXss/ReflectedXss.js
+++ b/javascript/ql/test/query-tests/Security/CWE-079/ReflectedXss/ReflectedXss.js
@@ -16,3 +16,9 @@ app.get('/user/:id', function(req, res) {
 function moreBadStuff(params, res) {
   res.send("Unknown user: " + params.id); // NOT OK
 }
+
+var marked = require("marked");
+app.get('/user/:id', function(req, res) {
+  res.send(req.body); // NOT OK
+  res.send(marked(req.body)); // NOT OK
+});
diff --git a/javascript/ql/test/query-tests/Security/CWE-079/ReflectedXss/ReflectedXssWithCustomSanitizer.expected b/javascript/ql/test/query-tests/Security/CWE-079/ReflectedXss/ReflectedXssWithCustomSanitizer.expected
index b35bbd53c1b..d1e58db0ecb 100644
--- a/javascript/ql/test/query-tests/Security/CWE-079/ReflectedXss/ReflectedXssWithCustomSanitizer.expected
+++ b/javascript/ql/test/query-tests/Security/CWE-079/ReflectedXss/ReflectedXssWithCustomSanitizer.expected
@@ -1,5 +1,7 @@
 | ReflectedXss.js:8:14:8:45 | "Unknow ... rams.id | Cross-site scripting vulnerability due to $@. | ReflectedXss.js:8:33:8:45 | req.params.id | user-provided value |
 | ReflectedXss.js:17:12:17:39 | "Unknow ... rams.id | Cross-site scripting vulnerability due to $@. | ReflectedXss.js:17:31:17:39 | params.id | user-provided value |
+| ReflectedXss.js:22:12:22:19 | req.body | Cross-site scripting vulnerability due to $@. | ReflectedXss.js:22:12:22:19 | req.body | user-provided value |
+| ReflectedXss.js:23:12:23:27 | marked(req.body) | Cross-site scripting vulnerability due to $@. | ReflectedXss.js:23:19:23:26 | req.body | user-provided value |
 | ReflectedXssContentTypes.js:10:14:10:36 | "FOO: " ... rams.id | Cross-site scripting vulnerability due to $@. | ReflectedXssContentTypes.js:10:24:10:36 | req.params.id | user-provided value |
 | ReflectedXssContentTypes.js:20:14:20:36 | "FOO: " ... rams.id | Cross-site scripting vulnerability due to $@. | ReflectedXssContentTypes.js:20:24:20:36 | req.params.id | user-provided value |
 | ReflectedXssContentTypes.js:39:13:39:35 | "FOO: " ... rams.id | Cross-site scripting vulnerability due to $@. | ReflectedXssContentTypes.js:39:23:39:35 | req.params.id | user-provided value |

From f76018c039f125c6258e30a2aae4a7bc4d30c7cf Mon Sep 17 00:00:00 2001
From: Erik Krogh Kristensen <erik-krogh@github.com>
Date: Wed, 10 Feb 2021 15:11:41 +0100
Subject: [PATCH 279/429] add taint step for the `markdown-table` library

---
 .../semmle/javascript/frameworks/Markdown.qll | 14 ++++++++++++-
 .../ReflectedXss/ReflectedXss.expected        | 21 +++++++++++++++++++
 .../CWE-079/ReflectedXss/ReflectedXss.js      | 11 ++++++++++
 .../ReflectedXssWithCustomSanitizer.expected  |  2 ++
 4 files changed, 47 insertions(+), 1 deletion(-)

diff --git a/javascript/ql/src/semmle/javascript/frameworks/Markdown.qll b/javascript/ql/src/semmle/javascript/frameworks/Markdown.qll
index c32c7189c7c..55949202a82 100644
--- a/javascript/ql/src/semmle/javascript/frameworks/Markdown.qll
+++ b/javascript/ql/src/semmle/javascript/frameworks/Markdown.qll
@@ -16,6 +16,18 @@ private class MarkedStep extends TaintTracking::AdditionalTaintStep, DataFlow::C
 
   override predicate step(DataFlow::Node pred, DataFlow::Node succ) {
     succ = this and
-    pred = this.getAnArgument()
+    pred = this.getArgument(0)
+  }
+}
+
+/**
+ * A taint step for the `markdown-table` library.
+ */
+private class MarkdownTableStep extends TaintTracking::AdditionalTaintStep, DataFlow::CallNode {
+  MarkdownTableStep() { this = DataFlow::moduleImport("markdown-table").getACall() }
+
+  override predicate step(DataFlow::Node pred, DataFlow::Node succ) {
+    succ = this and
+    pred = this.getArgument(0)
   }
 }
diff --git a/javascript/ql/test/query-tests/Security/CWE-079/ReflectedXss/ReflectedXss.expected b/javascript/ql/test/query-tests/Security/CWE-079/ReflectedXss/ReflectedXss.expected
index 32878144f34..a6413502bf8 100644
--- a/javascript/ql/test/query-tests/Security/CWE-079/ReflectedXss/ReflectedXss.expected
+++ b/javascript/ql/test/query-tests/Security/CWE-079/ReflectedXss/ReflectedXss.expected
@@ -14,6 +14,17 @@ nodes
 | ReflectedXss.js:23:12:23:27 | marked(req.body) |
 | ReflectedXss.js:23:19:23:26 | req.body |
 | ReflectedXss.js:23:19:23:26 | req.body |
+| ReflectedXss.js:29:12:29:19 | req.body |
+| ReflectedXss.js:29:12:29:19 | req.body |
+| ReflectedXss.js:29:12:29:19 | req.body |
+| ReflectedXss.js:30:7:33:4 | mytable |
+| ReflectedXss.js:30:17:33:4 | table([ ... y]\\n  ]) |
+| ReflectedXss.js:30:23:33:3 | [\\n    [ ... dy]\\n  ] |
+| ReflectedXss.js:32:5:32:22 | ['body', req.body] |
+| ReflectedXss.js:32:14:32:21 | req.body |
+| ReflectedXss.js:32:14:32:21 | req.body |
+| ReflectedXss.js:34:12:34:18 | mytable |
+| ReflectedXss.js:34:12:34:18 | mytable |
 | ReflectedXssContentTypes.js:10:14:10:36 | "FOO: " ... rams.id |
 | ReflectedXssContentTypes.js:10:14:10:36 | "FOO: " ... rams.id |
 | ReflectedXssContentTypes.js:10:24:10:36 | req.params.id |
@@ -112,6 +123,14 @@ edges
 | ReflectedXss.js:23:19:23:26 | req.body | ReflectedXss.js:23:12:23:27 | marked(req.body) |
 | ReflectedXss.js:23:19:23:26 | req.body | ReflectedXss.js:23:12:23:27 | marked(req.body) |
 | ReflectedXss.js:23:19:23:26 | req.body | ReflectedXss.js:23:12:23:27 | marked(req.body) |
+| ReflectedXss.js:29:12:29:19 | req.body | ReflectedXss.js:29:12:29:19 | req.body |
+| ReflectedXss.js:30:7:33:4 | mytable | ReflectedXss.js:34:12:34:18 | mytable |
+| ReflectedXss.js:30:7:33:4 | mytable | ReflectedXss.js:34:12:34:18 | mytable |
+| ReflectedXss.js:30:17:33:4 | table([ ... y]\\n  ]) | ReflectedXss.js:30:7:33:4 | mytable |
+| ReflectedXss.js:30:23:33:3 | [\\n    [ ... dy]\\n  ] | ReflectedXss.js:30:17:33:4 | table([ ... y]\\n  ]) |
+| ReflectedXss.js:32:5:32:22 | ['body', req.body] | ReflectedXss.js:30:23:33:3 | [\\n    [ ... dy]\\n  ] |
+| ReflectedXss.js:32:14:32:21 | req.body | ReflectedXss.js:32:5:32:22 | ['body', req.body] |
+| ReflectedXss.js:32:14:32:21 | req.body | ReflectedXss.js:32:5:32:22 | ['body', req.body] |
 | ReflectedXssContentTypes.js:10:24:10:36 | req.params.id | ReflectedXssContentTypes.js:10:14:10:36 | "FOO: " ... rams.id |
 | ReflectedXssContentTypes.js:10:24:10:36 | req.params.id | ReflectedXssContentTypes.js:10:14:10:36 | "FOO: " ... rams.id |
 | ReflectedXssContentTypes.js:10:24:10:36 | req.params.id | ReflectedXssContentTypes.js:10:14:10:36 | "FOO: " ... rams.id |
@@ -192,6 +211,8 @@ edges
 | ReflectedXss.js:17:12:17:39 | "Unknow ... rams.id | ReflectedXss.js:17:31:17:39 | params.id | ReflectedXss.js:17:12:17:39 | "Unknow ... rams.id | Cross-site scripting vulnerability due to $@. | ReflectedXss.js:17:31:17:39 | params.id | user-provided value |
 | ReflectedXss.js:22:12:22:19 | req.body | ReflectedXss.js:22:12:22:19 | req.body | ReflectedXss.js:22:12:22:19 | req.body | Cross-site scripting vulnerability due to $@. | ReflectedXss.js:22:12:22:19 | req.body | user-provided value |
 | ReflectedXss.js:23:12:23:27 | marked(req.body) | ReflectedXss.js:23:19:23:26 | req.body | ReflectedXss.js:23:12:23:27 | marked(req.body) | Cross-site scripting vulnerability due to $@. | ReflectedXss.js:23:19:23:26 | req.body | user-provided value |
+| ReflectedXss.js:29:12:29:19 | req.body | ReflectedXss.js:29:12:29:19 | req.body | ReflectedXss.js:29:12:29:19 | req.body | Cross-site scripting vulnerability due to $@. | ReflectedXss.js:29:12:29:19 | req.body | user-provided value |
+| ReflectedXss.js:34:12:34:18 | mytable | ReflectedXss.js:32:14:32:21 | req.body | ReflectedXss.js:34:12:34:18 | mytable | Cross-site scripting vulnerability due to $@. | ReflectedXss.js:32:14:32:21 | req.body | user-provided value |
 | ReflectedXssContentTypes.js:10:14:10:36 | "FOO: " ... rams.id | ReflectedXssContentTypes.js:10:24:10:36 | req.params.id | ReflectedXssContentTypes.js:10:14:10:36 | "FOO: " ... rams.id | Cross-site scripting vulnerability due to $@. | ReflectedXssContentTypes.js:10:24:10:36 | req.params.id | user-provided value |
 | ReflectedXssContentTypes.js:20:14:20:36 | "FOO: " ... rams.id | ReflectedXssContentTypes.js:20:24:20:36 | req.params.id | ReflectedXssContentTypes.js:20:14:20:36 | "FOO: " ... rams.id | Cross-site scripting vulnerability due to $@. | ReflectedXssContentTypes.js:20:24:20:36 | req.params.id | user-provided value |
 | ReflectedXssContentTypes.js:39:13:39:35 | "FOO: " ... rams.id | ReflectedXssContentTypes.js:39:23:39:35 | req.params.id | ReflectedXssContentTypes.js:39:13:39:35 | "FOO: " ... rams.id | Cross-site scripting vulnerability due to $@. | ReflectedXssContentTypes.js:39:23:39:35 | req.params.id | user-provided value |
diff --git a/javascript/ql/test/query-tests/Security/CWE-079/ReflectedXss/ReflectedXss.js b/javascript/ql/test/query-tests/Security/CWE-079/ReflectedXss/ReflectedXss.js
index 68e8a5057a6..bcef58877ba 100644
--- a/javascript/ql/test/query-tests/Security/CWE-079/ReflectedXss/ReflectedXss.js
+++ b/javascript/ql/test/query-tests/Security/CWE-079/ReflectedXss/ReflectedXss.js
@@ -22,3 +22,14 @@ app.get('/user/:id', function(req, res) {
   res.send(req.body); // NOT OK
   res.send(marked(req.body)); // NOT OK
 });
+
+
+var table = require('markdown-table')
+app.get('/user/:id', function(req, res) {
+  res.send(req.body); // NOT OK
+  var mytable = table([
+    ['Name', 'Content'],
+    ['body', req.body]
+  ]);
+  res.send(mytable); // NOT OK
+});
diff --git a/javascript/ql/test/query-tests/Security/CWE-079/ReflectedXss/ReflectedXssWithCustomSanitizer.expected b/javascript/ql/test/query-tests/Security/CWE-079/ReflectedXss/ReflectedXssWithCustomSanitizer.expected
index d1e58db0ecb..ce0cec4cce5 100644
--- a/javascript/ql/test/query-tests/Security/CWE-079/ReflectedXss/ReflectedXssWithCustomSanitizer.expected
+++ b/javascript/ql/test/query-tests/Security/CWE-079/ReflectedXss/ReflectedXssWithCustomSanitizer.expected
@@ -2,6 +2,8 @@
 | ReflectedXss.js:17:12:17:39 | "Unknow ... rams.id | Cross-site scripting vulnerability due to $@. | ReflectedXss.js:17:31:17:39 | params.id | user-provided value |
 | ReflectedXss.js:22:12:22:19 | req.body | Cross-site scripting vulnerability due to $@. | ReflectedXss.js:22:12:22:19 | req.body | user-provided value |
 | ReflectedXss.js:23:12:23:27 | marked(req.body) | Cross-site scripting vulnerability due to $@. | ReflectedXss.js:23:19:23:26 | req.body | user-provided value |
+| ReflectedXss.js:29:12:29:19 | req.body | Cross-site scripting vulnerability due to $@. | ReflectedXss.js:29:12:29:19 | req.body | user-provided value |
+| ReflectedXss.js:34:12:34:18 | mytable | Cross-site scripting vulnerability due to $@. | ReflectedXss.js:32:14:32:21 | req.body | user-provided value |
 | ReflectedXssContentTypes.js:10:14:10:36 | "FOO: " ... rams.id | Cross-site scripting vulnerability due to $@. | ReflectedXssContentTypes.js:10:24:10:36 | req.params.id | user-provided value |
 | ReflectedXssContentTypes.js:20:14:20:36 | "FOO: " ... rams.id | Cross-site scripting vulnerability due to $@. | ReflectedXssContentTypes.js:20:24:20:36 | req.params.id | user-provided value |
 | ReflectedXssContentTypes.js:39:13:39:35 | "FOO: " ... rams.id | Cross-site scripting vulnerability due to $@. | ReflectedXssContentTypes.js:39:23:39:35 | req.params.id | user-provided value |

From 42eceb80bd1f038a584e9f52f146e78e89f944ba Mon Sep 17 00:00:00 2001
From: Rasmus Wriedt Larsen <rasmuswl@github.com>
Date: Wed, 10 Feb 2021 15:47:55 +0100
Subject: [PATCH 280/429] Python: Handle view functions with decorators

---
 ...-21-django-view-function-with-decorator.md |  2 ++
 .../src/semmle/python/frameworks/Django.qll   | 21 ++++++++++++++++++-
 .../frameworks/django-v2-v3/routing_test.py   |  2 +-
 3 files changed, 23 insertions(+), 2 deletions(-)
 create mode 100644 python/change-notes/2021-12-21-django-view-function-with-decorator.md

diff --git a/python/change-notes/2021-12-21-django-view-function-with-decorator.md b/python/change-notes/2021-12-21-django-view-function-with-decorator.md
new file mode 100644
index 00000000000..404ce23f240
--- /dev/null
+++ b/python/change-notes/2021-12-21-django-view-function-with-decorator.md
@@ -0,0 +1,2 @@
+lgtm,codescanning
+* Improved modeling of `django` to recognize request handlers functions that are decorated (for example with `django.views.decorators.http.require_GET`). This leads to more sources of remote user input (`RemoteFlowSource`), since we correctly identify the first parameter as being passed a django request.
diff --git a/python/ql/src/semmle/python/frameworks/Django.qll b/python/ql/src/semmle/python/frameworks/Django.qll
index fd43d938806..b39edb6d97c 100644
--- a/python/ql/src/semmle/python/frameworks/Django.qll
+++ b/python/ql/src/semmle/python/frameworks/Django.qll
@@ -1975,6 +1975,14 @@ private module Django {
     }
   }
 
+  /**
+   * Gets the last decorator call for the function `func`, if `func` has decorators.
+   */
+  private Expr lastDecoratorCall(Function func) {
+    result = func.getDefinition().(FunctionExpr).getADecoratorCall() and
+    not exists(Call other_decorator | other_decorator.getArg(0) = result)
+  }
+
   // ---------------------------------------------------------------------------
   // routing modeling
   // ---------------------------------------------------------------------------
@@ -1987,7 +1995,18 @@ private module Django {
    */
   private DataFlow::Node djangoRouteHandlerFunctionTracker(DataFlow::TypeTracker t, Function func) {
     t.start() and
-    result = DataFlow::exprNode(func.getDefinition())
+    (
+      not exists(func.getADecorator()) and
+      result.asExpr() = func.getDefinition()
+      or
+      // If the function has decorators, we still want to model the function as being
+      // the request handler for a route setup. In such situations, we must track the
+      // last decorator call instead of the function itself.
+      //
+      // Note that this means that we blindly ignore what the decorator actually does to
+      // the function, which seems like an OK tradeoff.
+      result.asExpr() = lastDecoratorCall(func)
+    )
     or
     exists(DataFlow::TypeTracker t2 |
       result = djangoRouteHandlerFunctionTracker(t2, func).track(t2, t)
diff --git a/python/ql/test/experimental/library-tests/frameworks/django-v2-v3/routing_test.py b/python/ql/test/experimental/library-tests/frameworks/django-v2-v3/routing_test.py
index d6736433b0f..c45c4a36869 100644
--- a/python/ql/test/experimental/library-tests/frameworks/django-v2-v3/routing_test.py
+++ b/python/ql/test/experimental/library-tests/frameworks/django-v2-v3/routing_test.py
@@ -134,7 +134,7 @@ class PossiblyNotRouted(View):
 
 
 @require_GET
-def with_decorator(request, foo):  # $ MISSING: requestHandler routedParameter=foo
+def with_decorator(request, foo):  # $ requestHandler routedParameter=foo
     pass
 
 urlpatterns = [

From 78a3206fce88d07157404ab5e045941d4465057a Mon Sep 17 00:00:00 2001
From: Rasmus Wriedt Larsen <rasmuswl@github.com>
Date: Wed, 10 Feb 2021 15:55:54 +0100
Subject: [PATCH 281/429] Python: Add test with unkown view class in django

---
 .../frameworks/django-v2-v3/routing_test.py            | 10 ++++++++++
 1 file changed, 10 insertions(+)

diff --git a/python/ql/test/experimental/library-tests/frameworks/django-v2-v3/routing_test.py b/python/ql/test/experimental/library-tests/frameworks/django-v2-v3/routing_test.py
index c45c4a36869..557201a8d65 100644
--- a/python/ql/test/experimental/library-tests/frameworks/django-v2-v3/routing_test.py
+++ b/python/ql/test/experimental/library-tests/frameworks/django-v2-v3/routing_test.py
@@ -140,3 +140,13 @@ def with_decorator(request, foo):  # $ requestHandler routedParameter=foo
 urlpatterns = [
     path("with_decorator/<foo>", with_decorator),  # $ routeSetup="with_decorator/<foo>"
 ]
+
+class UnknownViewSubclass(UnknownViewSuperclass):
+    # Although we don't know for certain that this class is a django view class, the fact that it's
+    # used with `as_view()` in the routing setup should be enough that we treat it as such.
+    def get(self, request): # $ MISSING: requestHandler
+        pass
+
+urlpatterns = [
+    path("UnknownViewSubclass/", UnknownViewSubclass.as_view()),  # $ routeSetup="UnknownViewSubclass/"
+]

From b428945bc296d2a9a8f798fe600e48da89e19221 Mon Sep 17 00:00:00 2001
From: Rasmus Wriedt Larsen <rasmuswl@github.com>
Date: Wed, 10 Feb 2021 16:06:44 +0100
Subject: [PATCH 282/429] Django: Fix DjangoRouteHandler char-pred

Before it the class would contain _all_ functions xD
---
 python/ql/src/semmle/python/frameworks/Django.qll | 4 ++--
 1 file changed, 2 insertions(+), 2 deletions(-)

diff --git a/python/ql/src/semmle/python/frameworks/Django.qll b/python/ql/src/semmle/python/frameworks/Django.qll
index b39edb6d97c..08794a32a89 100644
--- a/python/ql/src/semmle/python/frameworks/Django.qll
+++ b/python/ql/src/semmle/python/frameworks/Django.qll
@@ -2029,7 +2029,7 @@ private module Django {
     DjangoViewClassDef() { this.getABase() = django::views::generic::View::subclassRef().asExpr() }
 
     /** Gets a function that could handle incoming requests, if any. */
-    DjangoRouteHandler getARequestHandler() {
+    Function getARequestHandler() {
       // TODO: This doesn't handle attribute assignment. Should be OK, but analysis is not as complete as with
       // points-to and `.lookup`, which would handle `post = my_post_handler` inside class def
       result = this.getAMethod() and
@@ -2076,7 +2076,7 @@ private module Django {
    */
   private class DjangoRouteHandler extends Function {
     DjangoRouteHandler() {
-      exists(djangoRouteHandlerFunctionTracker(this))
+      exists(DjangoRouteSetup route | route.getViewArg() = djangoRouteHandlerFunctionTracker(this))
       or
       any(DjangoViewClassDef vc).getARequestHandler() = this
     }

From ca0d3459875dc505f98611bf3915d7f195c5cb12 Mon Sep 17 00:00:00 2001
From: Rasmus Wriedt Larsen <rasmuswl@github.com>
Date: Wed, 10 Feb 2021 16:26:25 +0100
Subject: [PATCH 283/429] Django: Model any class used in django route setup as
 view class

---
 ...r.md => 2021-12-21-django-improvements.md} |  1 +
 .../src/semmle/python/frameworks/Django.qll   | 51 +++++++++++++------
 .../frameworks/django-v2-v3/routing_test.py   |  2 +-
 3 files changed, 38 insertions(+), 16 deletions(-)
 rename python/change-notes/{2021-12-21-django-view-function-with-decorator.md => 2021-12-21-django-improvements.md} (52%)

diff --git a/python/change-notes/2021-12-21-django-view-function-with-decorator.md b/python/change-notes/2021-12-21-django-improvements.md
similarity index 52%
rename from python/change-notes/2021-12-21-django-view-function-with-decorator.md
rename to python/change-notes/2021-12-21-django-improvements.md
index 404ce23f240..e3a22961c73 100644
--- a/python/change-notes/2021-12-21-django-view-function-with-decorator.md
+++ b/python/change-notes/2021-12-21-django-improvements.md
@@ -1,2 +1,3 @@
 lgtm,codescanning
 * Improved modeling of `django` to recognize request handlers functions that are decorated (for example with `django.views.decorators.http.require_GET`). This leads to more sources of remote user input (`RemoteFlowSource`), since we correctly identify the first parameter as being passed a django request.
+* Improved modeling of django View classes. We now consider any class using in a routing setup with `<class>.as_view()` as django view class. This leads to more sources of remote user input (`RemoteFlowSource`), since we correctly identify the first parameter as being passed a django request.
diff --git a/python/ql/src/semmle/python/frameworks/Django.qll b/python/ql/src/semmle/python/frameworks/Django.qll
index 08794a32a89..6599ccdc03a 100644
--- a/python/ql/src/semmle/python/frameworks/Django.qll
+++ b/python/ql/src/semmle/python/frameworks/Django.qll
@@ -2024,18 +2024,8 @@ private module Django {
     result = djangoRouteHandlerFunctionTracker(DataFlow::TypeTracker::end(), func)
   }
 
-  /** A django View class defined in project code. */
-  class DjangoViewClassDef extends Class {
-    DjangoViewClassDef() { this.getABase() = django::views::generic::View::subclassRef().asExpr() }
-
-    /** Gets a function that could handle incoming requests, if any. */
-    Function getARequestHandler() {
-      // TODO: This doesn't handle attribute assignment. Should be OK, but analysis is not as complete as with
-      // points-to and `.lookup`, which would handle `post = my_post_handler` inside class def
-      result = this.getAMethod() and
-      result.getName() = HTTP::httpVerbLower()
-    }
-
+  /** A class that might be a django View class. */
+  class PossibleDjangoViewClass extends Class {
     /** Gets a reference to this class. */
     private DataFlow::Node getARef(DataFlow::TypeTracker t) {
       t.start() and
@@ -2070,6 +2060,37 @@ private module Django {
     DataFlow::Node asViewResult() { result = asViewResult(DataFlow::TypeTracker::end()) }
   }
 
+  /** A class that we consider a django View class. */
+  abstract class DjangoViewClass extends PossibleDjangoViewClass {
+    /** Gets a function that could handle incoming requests, if any. */
+    Function getARequestHandler() {
+      // TODO: This doesn't handle attribute assignment. Should be OK, but analysis is not as complete as with
+      // points-to and `.lookup`, which would handle `post = my_post_handler` inside class def
+      result = this.getAMethod() and
+      result.getName() = HTTP::httpVerbLower()
+    }
+  }
+
+  /**
+   * A class that is used in a route-setup, with `<class>.as_view()`, therefore being
+   * considered a django View class.
+   */
+  class DjangoViewClassFromRouteSetup extends DjangoViewClass {
+    DjangoViewClassFromRouteSetup() {
+      exists(DjangoRouteSetup setup | setup.getViewArg() = this.asViewResult())
+    }
+  }
+
+  /**
+   * A class that has a super-type which is a django View class, therefore also
+   * becoming a django View class.
+   */
+  class DjangoViewClassFromSuperClass extends DjangoViewClass {
+    DjangoViewClassFromSuperClass() {
+      this.getABase() = django::views::generic::View::subclassRef().asExpr()
+    }
+  }
+
   /**
    * A function that is a django route handler, meaning it handles incoming requests
    * with the django framework.
@@ -2078,7 +2099,7 @@ private module Django {
     DjangoRouteHandler() {
       exists(DjangoRouteSetup route | route.getViewArg() = djangoRouteHandlerFunctionTracker(this))
       or
-      any(DjangoViewClassDef vc).getARequestHandler() = this
+      any(DjangoViewClass vc).getARequestHandler() = this
     }
 
     /** Gets the index of the request parameter. */
@@ -2102,7 +2123,7 @@ private module Django {
     final override DjangoRouteHandler getARequestHandler() {
       djangoRouteHandlerFunctionTracker(result) = getViewArg()
       or
-      exists(DjangoViewClassDef vc |
+      exists(DjangoViewClass vc |
         getViewArg() = vc.asViewResult() and
         result = vc.getARequestHandler()
       )
@@ -2113,7 +2134,7 @@ private module Django {
   private class DjangoViewClassHandlerWithoutKnownRoute extends HTTP::Server::RequestHandler::Range,
     DjangoRouteHandler {
     DjangoViewClassHandlerWithoutKnownRoute() {
-      exists(DjangoViewClassDef vc | vc.getARequestHandler() = this) and
+      exists(DjangoViewClass vc | vc.getARequestHandler() = this) and
       not exists(DjangoRouteSetup setup | setup.getARequestHandler() = this)
     }
 
diff --git a/python/ql/test/experimental/library-tests/frameworks/django-v2-v3/routing_test.py b/python/ql/test/experimental/library-tests/frameworks/django-v2-v3/routing_test.py
index 557201a8d65..acdbe2cfa42 100644
--- a/python/ql/test/experimental/library-tests/frameworks/django-v2-v3/routing_test.py
+++ b/python/ql/test/experimental/library-tests/frameworks/django-v2-v3/routing_test.py
@@ -144,7 +144,7 @@ urlpatterns = [
 class UnknownViewSubclass(UnknownViewSuperclass):
     # Although we don't know for certain that this class is a django view class, the fact that it's
     # used with `as_view()` in the routing setup should be enough that we treat it as such.
-    def get(self, request): # $ MISSING: requestHandler
+    def get(self, request): # $ requestHandler
         pass
 
 urlpatterns = [

From 0d497e8b9af1c2d2d970d198fddaede34caf7de6 Mon Sep 17 00:00:00 2001
From: Erik Krogh Kristensen <erik-krogh@github.com>
Date: Wed, 10 Feb 2021 17:22:35 +0100
Subject: [PATCH 284/429] add model for the `showdown` library

---
 .../semmle/javascript/frameworks/Markdown.qll   | 17 +++++++++++++++++
 .../CWE-079/ReflectedXss/ReflectedXss.expected  | 14 ++++++++++++++
 .../CWE-079/ReflectedXss/ReflectedXss.js        |  8 ++++++++
 .../ReflectedXssWithCustomSanitizer.expected    |  2 ++
 4 files changed, 41 insertions(+)

diff --git a/javascript/ql/src/semmle/javascript/frameworks/Markdown.qll b/javascript/ql/src/semmle/javascript/frameworks/Markdown.qll
index 55949202a82..ed902bb9274 100644
--- a/javascript/ql/src/semmle/javascript/frameworks/Markdown.qll
+++ b/javascript/ql/src/semmle/javascript/frameworks/Markdown.qll
@@ -31,3 +31,20 @@ private class MarkdownTableStep extends TaintTracking::AdditionalTaintStep, Data
     pred = this.getArgument(0)
   }
 }
+
+/**
+ * A taint step for the `showdown` library.
+ */
+private class ShowDownStep extends TaintTracking::AdditionalTaintStep, DataFlow::CallNode {
+  ShowDownStep() {
+    this =
+      [DataFlow::globalVarRef("showdown"), DataFlow::moduleImport("showdown")]
+          .getAConstructorInvocation("Converter")
+          .getAMemberCall(["makeHtml", "makeMd"])
+  }
+
+  override predicate step(DataFlow::Node pred, DataFlow::Node succ) {
+    succ = this and
+    pred = this.getArgument(0)
+  }
+}
diff --git a/javascript/ql/test/query-tests/Security/CWE-079/ReflectedXss/ReflectedXss.expected b/javascript/ql/test/query-tests/Security/CWE-079/ReflectedXss/ReflectedXss.expected
index a6413502bf8..38661c86c6d 100644
--- a/javascript/ql/test/query-tests/Security/CWE-079/ReflectedXss/ReflectedXss.expected
+++ b/javascript/ql/test/query-tests/Security/CWE-079/ReflectedXss/ReflectedXss.expected
@@ -25,6 +25,13 @@ nodes
 | ReflectedXss.js:32:14:32:21 | req.body |
 | ReflectedXss.js:34:12:34:18 | mytable |
 | ReflectedXss.js:34:12:34:18 | mytable |
+| ReflectedXss.js:41:12:41:19 | req.body |
+| ReflectedXss.js:41:12:41:19 | req.body |
+| ReflectedXss.js:41:12:41:19 | req.body |
+| ReflectedXss.js:42:12:42:39 | convert ... q.body) |
+| ReflectedXss.js:42:12:42:39 | convert ... q.body) |
+| ReflectedXss.js:42:31:42:38 | req.body |
+| ReflectedXss.js:42:31:42:38 | req.body |
 | ReflectedXssContentTypes.js:10:14:10:36 | "FOO: " ... rams.id |
 | ReflectedXssContentTypes.js:10:14:10:36 | "FOO: " ... rams.id |
 | ReflectedXssContentTypes.js:10:24:10:36 | req.params.id |
@@ -131,6 +138,11 @@ edges
 | ReflectedXss.js:32:5:32:22 | ['body', req.body] | ReflectedXss.js:30:23:33:3 | [\\n    [ ... dy]\\n  ] |
 | ReflectedXss.js:32:14:32:21 | req.body | ReflectedXss.js:32:5:32:22 | ['body', req.body] |
 | ReflectedXss.js:32:14:32:21 | req.body | ReflectedXss.js:32:5:32:22 | ['body', req.body] |
+| ReflectedXss.js:41:12:41:19 | req.body | ReflectedXss.js:41:12:41:19 | req.body |
+| ReflectedXss.js:42:31:42:38 | req.body | ReflectedXss.js:42:12:42:39 | convert ... q.body) |
+| ReflectedXss.js:42:31:42:38 | req.body | ReflectedXss.js:42:12:42:39 | convert ... q.body) |
+| ReflectedXss.js:42:31:42:38 | req.body | ReflectedXss.js:42:12:42:39 | convert ... q.body) |
+| ReflectedXss.js:42:31:42:38 | req.body | ReflectedXss.js:42:12:42:39 | convert ... q.body) |
 | ReflectedXssContentTypes.js:10:24:10:36 | req.params.id | ReflectedXssContentTypes.js:10:14:10:36 | "FOO: " ... rams.id |
 | ReflectedXssContentTypes.js:10:24:10:36 | req.params.id | ReflectedXssContentTypes.js:10:14:10:36 | "FOO: " ... rams.id |
 | ReflectedXssContentTypes.js:10:24:10:36 | req.params.id | ReflectedXssContentTypes.js:10:14:10:36 | "FOO: " ... rams.id |
@@ -213,6 +225,8 @@ edges
 | ReflectedXss.js:23:12:23:27 | marked(req.body) | ReflectedXss.js:23:19:23:26 | req.body | ReflectedXss.js:23:12:23:27 | marked(req.body) | Cross-site scripting vulnerability due to $@. | ReflectedXss.js:23:19:23:26 | req.body | user-provided value |
 | ReflectedXss.js:29:12:29:19 | req.body | ReflectedXss.js:29:12:29:19 | req.body | ReflectedXss.js:29:12:29:19 | req.body | Cross-site scripting vulnerability due to $@. | ReflectedXss.js:29:12:29:19 | req.body | user-provided value |
 | ReflectedXss.js:34:12:34:18 | mytable | ReflectedXss.js:32:14:32:21 | req.body | ReflectedXss.js:34:12:34:18 | mytable | Cross-site scripting vulnerability due to $@. | ReflectedXss.js:32:14:32:21 | req.body | user-provided value |
+| ReflectedXss.js:41:12:41:19 | req.body | ReflectedXss.js:41:12:41:19 | req.body | ReflectedXss.js:41:12:41:19 | req.body | Cross-site scripting vulnerability due to $@. | ReflectedXss.js:41:12:41:19 | req.body | user-provided value |
+| ReflectedXss.js:42:12:42:39 | convert ... q.body) | ReflectedXss.js:42:31:42:38 | req.body | ReflectedXss.js:42:12:42:39 | convert ... q.body) | Cross-site scripting vulnerability due to $@. | ReflectedXss.js:42:31:42:38 | req.body | user-provided value |
 | ReflectedXssContentTypes.js:10:14:10:36 | "FOO: " ... rams.id | ReflectedXssContentTypes.js:10:24:10:36 | req.params.id | ReflectedXssContentTypes.js:10:14:10:36 | "FOO: " ... rams.id | Cross-site scripting vulnerability due to $@. | ReflectedXssContentTypes.js:10:24:10:36 | req.params.id | user-provided value |
 | ReflectedXssContentTypes.js:20:14:20:36 | "FOO: " ... rams.id | ReflectedXssContentTypes.js:20:24:20:36 | req.params.id | ReflectedXssContentTypes.js:20:14:20:36 | "FOO: " ... rams.id | Cross-site scripting vulnerability due to $@. | ReflectedXssContentTypes.js:20:24:20:36 | req.params.id | user-provided value |
 | ReflectedXssContentTypes.js:39:13:39:35 | "FOO: " ... rams.id | ReflectedXssContentTypes.js:39:23:39:35 | req.params.id | ReflectedXssContentTypes.js:39:13:39:35 | "FOO: " ... rams.id | Cross-site scripting vulnerability due to $@. | ReflectedXssContentTypes.js:39:23:39:35 | req.params.id | user-provided value |
diff --git a/javascript/ql/test/query-tests/Security/CWE-079/ReflectedXss/ReflectedXss.js b/javascript/ql/test/query-tests/Security/CWE-079/ReflectedXss/ReflectedXss.js
index bcef58877ba..e9461f2c6d8 100644
--- a/javascript/ql/test/query-tests/Security/CWE-079/ReflectedXss/ReflectedXss.js
+++ b/javascript/ql/test/query-tests/Security/CWE-079/ReflectedXss/ReflectedXss.js
@@ -33,3 +33,11 @@ app.get('/user/:id', function(req, res) {
   ]);
   res.send(mytable); // NOT OK
 });
+
+var showdown  = require('showdown');
+var converter = new showdown.Converter();
+
+app.get('/user/:id', function(req, res) {
+  res.send(req.body); // NOT OK
+  res.send(converter.makeHtml(req.body)); // NOT OK
+});
diff --git a/javascript/ql/test/query-tests/Security/CWE-079/ReflectedXss/ReflectedXssWithCustomSanitizer.expected b/javascript/ql/test/query-tests/Security/CWE-079/ReflectedXss/ReflectedXssWithCustomSanitizer.expected
index ce0cec4cce5..ddd7ae3b372 100644
--- a/javascript/ql/test/query-tests/Security/CWE-079/ReflectedXss/ReflectedXssWithCustomSanitizer.expected
+++ b/javascript/ql/test/query-tests/Security/CWE-079/ReflectedXss/ReflectedXssWithCustomSanitizer.expected
@@ -4,6 +4,8 @@
 | ReflectedXss.js:23:12:23:27 | marked(req.body) | Cross-site scripting vulnerability due to $@. | ReflectedXss.js:23:19:23:26 | req.body | user-provided value |
 | ReflectedXss.js:29:12:29:19 | req.body | Cross-site scripting vulnerability due to $@. | ReflectedXss.js:29:12:29:19 | req.body | user-provided value |
 | ReflectedXss.js:34:12:34:18 | mytable | Cross-site scripting vulnerability due to $@. | ReflectedXss.js:32:14:32:21 | req.body | user-provided value |
+| ReflectedXss.js:41:12:41:19 | req.body | Cross-site scripting vulnerability due to $@. | ReflectedXss.js:41:12:41:19 | req.body | user-provided value |
+| ReflectedXss.js:42:12:42:39 | convert ... q.body) | Cross-site scripting vulnerability due to $@. | ReflectedXss.js:42:31:42:38 | req.body | user-provided value |
 | ReflectedXssContentTypes.js:10:14:10:36 | "FOO: " ... rams.id | Cross-site scripting vulnerability due to $@. | ReflectedXssContentTypes.js:10:24:10:36 | req.params.id | user-provided value |
 | ReflectedXssContentTypes.js:20:14:20:36 | "FOO: " ... rams.id | Cross-site scripting vulnerability due to $@. | ReflectedXssContentTypes.js:20:24:20:36 | req.params.id | user-provided value |
 | ReflectedXssContentTypes.js:39:13:39:35 | "FOO: " ... rams.id | Cross-site scripting vulnerability due to $@. | ReflectedXssContentTypes.js:39:23:39:35 | req.params.id | user-provided value |

From 9ca738d921d2ea570dcb4037f2bf3543925fda56 Mon Sep 17 00:00:00 2001
From: Rasmus Wriedt Larsen <rasmuswl@github.com>
Date: Wed, 10 Feb 2021 16:37:57 +0100
Subject: [PATCH 285/429] Python: Add taint test for self.request on django
 view class

---
 .../django-v2-v3/TestTaint.expected           | 160 +++++++++---------
 .../frameworks/django-v2-v3/taint_test.py     |  18 +-
 .../frameworks/django-v2-v3/testapp/views.py  |   1 +
 3 files changed, 101 insertions(+), 78 deletions(-)

diff --git a/python/ql/test/experimental/library-tests/frameworks/django-v2-v3/TestTaint.expected b/python/ql/test/experimental/library-tests/frameworks/django-v2-v3/TestTaint.expected
index 97037cb1079..d3cb5470b1b 100644
--- a/python/ql/test/experimental/library-tests/frameworks/django-v2-v3/TestTaint.expected
+++ b/python/ql/test/experimental/library-tests/frameworks/django-v2-v3/TestTaint.expected
@@ -1,82 +1,88 @@
-| taint_test.py:7 | ok   | test_taint | bar |
-| taint_test.py:7 | ok   | test_taint | foo |
-| taint_test.py:8 | ok   | test_taint | baz |
-| taint_test.py:14 | ok   | test_taint | request |
-| taint_test.py:16 | ok   | test_taint | request.body |
-| taint_test.py:17 | ok   | test_taint | request.path |
-| taint_test.py:18 | ok   | test_taint | request.path_info |
-| taint_test.py:22 | ok   | test_taint | request.method |
-| taint_test.py:24 | ok   | test_taint | request.encoding |
-| taint_test.py:25 | ok   | test_taint | request.content_type |
-| taint_test.py:28 | ok   | test_taint | request.content_params |
-| taint_test.py:29 | ok   | test_taint | request.content_params["key"] |
-| taint_test.py:30 | ok   | test_taint | request.content_params.get(..) |
-| taint_test.py:34 | ok   | test_taint | request.GET |
-| taint_test.py:35 | ok   | test_taint | request.GET["key"] |
-| taint_test.py:36 | ok   | test_taint | request.GET.get(..) |
-| taint_test.py:37 | fail | test_taint | request.GET.getlist(..) |
-| taint_test.py:38 | fail | test_taint | request.GET.getlist(..)[0] |
-| taint_test.py:39 | ok   | test_taint | request.GET.pop(..) |
-| taint_test.py:40 | ok   | test_taint | request.GET.pop(..)[0] |
-| taint_test.py:41 | ok   | test_taint | request.GET.popitem()[0] |
-| taint_test.py:42 | ok   | test_taint | request.GET.popitem()[1] |
-| taint_test.py:43 | ok   | test_taint | request.GET.popitem()[1][0] |
-| taint_test.py:44 | fail | test_taint | request.GET.dict() |
-| taint_test.py:45 | fail | test_taint | request.GET.dict()["key"] |
-| taint_test.py:46 | fail | test_taint | request.GET.urlencode() |
-| taint_test.py:49 | ok   | test_taint | request.POST |
-| taint_test.py:52 | ok   | test_taint | request.COOKIES |
-| taint_test.py:53 | ok   | test_taint | request.COOKIES["key"] |
-| taint_test.py:54 | ok   | test_taint | request.COOKIES.get(..) |
-| taint_test.py:57 | ok   | test_taint | request.FILES |
-| taint_test.py:58 | ok   | test_taint | request.FILES["key"] |
-| taint_test.py:59 | fail | test_taint | request.FILES["key"].content_type |
-| taint_test.py:60 | fail | test_taint | request.FILES["key"].content_type_extra |
-| taint_test.py:61 | fail | test_taint | request.FILES["key"].content_type_extra["key"] |
-| taint_test.py:62 | fail | test_taint | request.FILES["key"].charset |
-| taint_test.py:63 | fail | test_taint | request.FILES["key"].name |
-| taint_test.py:64 | fail | test_taint | request.FILES["key"].file |
-| taint_test.py:65 | fail | test_taint | request.FILES["key"].file.read() |
-| taint_test.py:67 | ok   | test_taint | request.FILES.get(..) |
-| taint_test.py:68 | fail | test_taint | request.FILES.get(..).name |
-| taint_test.py:69 | fail | test_taint | request.FILES.getlist(..) |
-| taint_test.py:70 | fail | test_taint | request.FILES.getlist(..)[0] |
-| taint_test.py:71 | fail | test_taint | request.FILES.getlist(..)[0].name |
-| taint_test.py:72 | fail | test_taint | request.FILES.dict() |
-| taint_test.py:73 | fail | test_taint | request.FILES.dict()["key"] |
-| taint_test.py:74 | fail | test_taint | request.FILES.dict()["key"].name |
-| taint_test.py:77 | ok   | test_taint | request.META |
-| taint_test.py:78 | ok   | test_taint | request.META["HTTP_USER_AGENT"] |
-| taint_test.py:79 | ok   | test_taint | request.META.get(..) |
-| taint_test.py:82 | ok   | test_taint | request.headers |
-| taint_test.py:83 | ok   | test_taint | request.headers["user-agent"] |
-| taint_test.py:84 | ok   | test_taint | request.headers["USER_AGENT"] |
-| taint_test.py:87 | ok   | test_taint | request.resolver_match |
-| taint_test.py:88 | fail | test_taint | request.resolver_match.args |
-| taint_test.py:89 | fail | test_taint | request.resolver_match.args[0] |
-| taint_test.py:90 | fail | test_taint | request.resolver_match.kwargs |
-| taint_test.py:91 | fail | test_taint | request.resolver_match.kwargs["key"] |
-| taint_test.py:93 | fail | test_taint | request.get_full_path() |
-| taint_test.py:94 | fail | test_taint | request.get_full_path_info() |
-| taint_test.py:98 | fail | test_taint | request.read() |
-| taint_test.py:99 | fail | test_taint | request.readline() |
-| taint_test.py:100 | fail | test_taint | request.readlines() |
-| taint_test.py:101 | fail | test_taint | request.readlines()[0] |
-| taint_test.py:102 | fail | test_taint | ListComp |
-| taint_test.py:108 | ok   | test_taint | args |
-| taint_test.py:109 | ok   | test_taint | args[0] |
-| taint_test.py:110 | ok   | test_taint | kwargs |
-| taint_test.py:111 | ok   | test_taint | kwargs["key"] |
-| taint_test.py:115 | ok   | test_taint | request.current_app |
-| taint_test.py:120 | ok   | test_taint | request.get_host() |
-| taint_test.py:121 | ok   | test_taint | request.get_port() |
-| taint_test.py:128 | fail | test_taint | request.build_absolute_uri() |
-| taint_test.py:129 | fail | test_taint | request.build_absolute_uri(..) |
+| taint_test.py:8 | ok   | test_taint | bar |
+| taint_test.py:8 | ok   | test_taint | foo |
+| taint_test.py:9 | ok   | test_taint | baz |
+| taint_test.py:15 | ok   | test_taint | request |
+| taint_test.py:17 | ok   | test_taint | request.body |
+| taint_test.py:18 | ok   | test_taint | request.path |
+| taint_test.py:19 | ok   | test_taint | request.path_info |
+| taint_test.py:23 | ok   | test_taint | request.method |
+| taint_test.py:25 | ok   | test_taint | request.encoding |
+| taint_test.py:26 | ok   | test_taint | request.content_type |
+| taint_test.py:29 | ok   | test_taint | request.content_params |
+| taint_test.py:30 | ok   | test_taint | request.content_params["key"] |
+| taint_test.py:31 | ok   | test_taint | request.content_params.get(..) |
+| taint_test.py:35 | ok   | test_taint | request.GET |
+| taint_test.py:36 | ok   | test_taint | request.GET["key"] |
+| taint_test.py:37 | ok   | test_taint | request.GET.get(..) |
+| taint_test.py:38 | fail | test_taint | request.GET.getlist(..) |
+| taint_test.py:39 | fail | test_taint | request.GET.getlist(..)[0] |
+| taint_test.py:40 | ok   | test_taint | request.GET.pop(..) |
+| taint_test.py:41 | ok   | test_taint | request.GET.pop(..)[0] |
+| taint_test.py:42 | ok   | test_taint | request.GET.popitem()[0] |
+| taint_test.py:43 | ok   | test_taint | request.GET.popitem()[1] |
+| taint_test.py:44 | ok   | test_taint | request.GET.popitem()[1][0] |
+| taint_test.py:45 | fail | test_taint | request.GET.dict() |
+| taint_test.py:46 | fail | test_taint | request.GET.dict()["key"] |
+| taint_test.py:47 | fail | test_taint | request.GET.urlencode() |
+| taint_test.py:50 | ok   | test_taint | request.POST |
+| taint_test.py:53 | ok   | test_taint | request.COOKIES |
+| taint_test.py:54 | ok   | test_taint | request.COOKIES["key"] |
+| taint_test.py:55 | ok   | test_taint | request.COOKIES.get(..) |
+| taint_test.py:58 | ok   | test_taint | request.FILES |
+| taint_test.py:59 | ok   | test_taint | request.FILES["key"] |
+| taint_test.py:60 | fail | test_taint | request.FILES["key"].content_type |
+| taint_test.py:61 | fail | test_taint | request.FILES["key"].content_type_extra |
+| taint_test.py:62 | fail | test_taint | request.FILES["key"].content_type_extra["key"] |
+| taint_test.py:63 | fail | test_taint | request.FILES["key"].charset |
+| taint_test.py:64 | fail | test_taint | request.FILES["key"].name |
+| taint_test.py:65 | fail | test_taint | request.FILES["key"].file |
+| taint_test.py:66 | fail | test_taint | request.FILES["key"].file.read() |
+| taint_test.py:68 | ok   | test_taint | request.FILES.get(..) |
+| taint_test.py:69 | fail | test_taint | request.FILES.get(..).name |
+| taint_test.py:70 | fail | test_taint | request.FILES.getlist(..) |
+| taint_test.py:71 | fail | test_taint | request.FILES.getlist(..)[0] |
+| taint_test.py:72 | fail | test_taint | request.FILES.getlist(..)[0].name |
+| taint_test.py:73 | fail | test_taint | request.FILES.dict() |
+| taint_test.py:74 | fail | test_taint | request.FILES.dict()["key"] |
+| taint_test.py:75 | fail | test_taint | request.FILES.dict()["key"].name |
+| taint_test.py:78 | ok   | test_taint | request.META |
+| taint_test.py:79 | ok   | test_taint | request.META["HTTP_USER_AGENT"] |
+| taint_test.py:80 | ok   | test_taint | request.META.get(..) |
+| taint_test.py:83 | ok   | test_taint | request.headers |
+| taint_test.py:84 | ok   | test_taint | request.headers["user-agent"] |
+| taint_test.py:85 | ok   | test_taint | request.headers["USER_AGENT"] |
+| taint_test.py:88 | ok   | test_taint | request.resolver_match |
+| taint_test.py:89 | fail | test_taint | request.resolver_match.args |
+| taint_test.py:90 | fail | test_taint | request.resolver_match.args[0] |
+| taint_test.py:91 | fail | test_taint | request.resolver_match.kwargs |
+| taint_test.py:92 | fail | test_taint | request.resolver_match.kwargs["key"] |
+| taint_test.py:94 | fail | test_taint | request.get_full_path() |
+| taint_test.py:95 | fail | test_taint | request.get_full_path_info() |
+| taint_test.py:99 | fail | test_taint | request.read() |
+| taint_test.py:100 | fail | test_taint | request.readline() |
+| taint_test.py:101 | fail | test_taint | request.readlines() |
+| taint_test.py:102 | fail | test_taint | request.readlines()[0] |
+| taint_test.py:103 | fail | test_taint | ListComp |
+| taint_test.py:109 | ok   | test_taint | args |
+| taint_test.py:110 | ok   | test_taint | args[0] |
+| taint_test.py:111 | ok   | test_taint | kwargs |
+| taint_test.py:112 | ok   | test_taint | kwargs["key"] |
+| taint_test.py:116 | ok   | test_taint | request.current_app |
+| taint_test.py:121 | ok   | test_taint | request.get_host() |
+| taint_test.py:122 | ok   | test_taint | request.get_port() |
+| taint_test.py:129 | fail | test_taint | request.build_absolute_uri() |
 | taint_test.py:130 | fail | test_taint | request.build_absolute_uri(..) |
-| taint_test.py:133 | ok   | test_taint | request.build_absolute_uri(..) |
+| taint_test.py:131 | fail | test_taint | request.build_absolute_uri(..) |
 | taint_test.py:134 | ok   | test_taint | request.build_absolute_uri(..) |
-| taint_test.py:142 | ok   | test_taint | request.get_signed_cookie(..) |
+| taint_test.py:135 | ok   | test_taint | request.build_absolute_uri(..) |
 | taint_test.py:143 | ok   | test_taint | request.get_signed_cookie(..) |
 | taint_test.py:144 | ok   | test_taint | request.get_signed_cookie(..) |
-| taint_test.py:148 | fail | test_taint | request.get_signed_cookie(..) |
+| taint_test.py:145 | ok   | test_taint | request.get_signed_cookie(..) |
 | taint_test.py:149 | fail | test_taint | request.get_signed_cookie(..) |
+| taint_test.py:150 | fail | test_taint | request.get_signed_cookie(..) |
+| taint_test.py:157 | fail | some_method | self.request |
+| taint_test.py:158 | fail | some_method | self.request.GET["key"] |
+| taint_test.py:160 | fail | some_method | self.args |
+| taint_test.py:161 | fail | some_method | self.args[0] |
+| taint_test.py:163 | fail | some_method | self.kwargs |
+| taint_test.py:164 | fail | some_method | self.kwargs["key"] |
diff --git a/python/ql/test/experimental/library-tests/frameworks/django-v2-v3/taint_test.py b/python/ql/test/experimental/library-tests/frameworks/django-v2-v3/taint_test.py
index a0db86f2961..9c21e59e2e3 100644
--- a/python/ql/test/experimental/library-tests/frameworks/django-v2-v3/taint_test.py
+++ b/python/ql/test/experimental/library-tests/frameworks/django-v2-v3/taint_test.py
@@ -1,6 +1,7 @@
 """testing views for Django 2.x and 3.x"""
 from django.urls import path
 from django.http import HttpRequest
+from django.views import View
 
 
 def test_taint(request: HttpRequest, foo, bar, baz=None):  # $requestHandler routedParameter=foo routedParameter=bar
@@ -150,7 +151,22 @@ def test_taint(request: HttpRequest, foo, bar, baz=None):  # $requestHandler rou
     )
 
 
+class ClassView(View):
+    def some_method(self):
+        ensure_tainted(
+            self.request,
+            self.request.GET["key"],
+
+            self.args,
+            self.args[0],
+
+            self.kwargs,
+            self.kwargs["key"],
+        )
+
+
 # fake setup, you can't actually run this
 urlpatterns = [
-    path("test-taint/<foo>/<bar>", test_taint),  # $routeSetup="test-taint/<foo>/<bar>"
+    path("test-taint/<foo>/<bar>", test_taint),  # $ routeSetup="test-taint/<foo>/<bar>"
+    path("ClassView/", ClassView.as_view()), # $ routeSetup="ClassView/"
 ]
diff --git a/python/ql/test/experimental/library-tests/frameworks/django-v2-v3/testapp/views.py b/python/ql/test/experimental/library-tests/frameworks/django-v2-v3/testapp/views.py
index 55c60a551a0..d2028d0dd03 100644
--- a/python/ql/test/experimental/library-tests/frameworks/django-v2-v3/testapp/views.py
+++ b/python/ql/test/experimental/library-tests/frameworks/django-v2-v3/testapp/views.py
@@ -30,4 +30,5 @@ class MyCustomViewBaseClass(View):
 
 class MyViewHandlerWithCustomInheritance(MyCustomViewBaseClass):
     def get(self, request: HttpRequest): # $ requestHandler
+        print(self.request.GET)
         return HttpResponse("MyViewHandlerWithCustomInheritance: GET") # $ HttpResponse

From c57a4df819f7c0450a060e1a627a0eeb71ee3223 Mon Sep 17 00:00:00 2001
From: Rasmus Wriedt Larsen <rasmuswl@github.com>
Date: Wed, 10 Feb 2021 17:46:05 +0100
Subject: [PATCH 286/429] Python: Model taint of self.request on django view
 class

---
 .../2021-12-21-django-improvements.md         |  1 +
 .../src/semmle/python/frameworks/Django.qll   | 63 +++++++++++++++++++
 .../django-v2-v3/TestTaint.expected           | 12 ++--
 3 files changed, 70 insertions(+), 6 deletions(-)

diff --git a/python/change-notes/2021-12-21-django-improvements.md b/python/change-notes/2021-12-21-django-improvements.md
index e3a22961c73..fb2e7494983 100644
--- a/python/change-notes/2021-12-21-django-improvements.md
+++ b/python/change-notes/2021-12-21-django-improvements.md
@@ -1,3 +1,4 @@
 lgtm,codescanning
 * Improved modeling of `django` to recognize request handlers functions that are decorated (for example with `django.views.decorators.http.require_GET`). This leads to more sources of remote user input (`RemoteFlowSource`), since we correctly identify the first parameter as being passed a django request.
 * Improved modeling of django View classes. We now consider any class using in a routing setup with `<class>.as_view()` as django view class. This leads to more sources of remote user input (`RemoteFlowSource`), since we correctly identify the first parameter as being passed a django request.
+* Improved modeling of `django`, so for View classes we now model `self.request`, `self.args`, and `self.kwargs` as sources of remote user input (`RemoteFlowSource`).
diff --git a/python/ql/src/semmle/python/frameworks/Django.qll b/python/ql/src/semmle/python/frameworks/Django.qll
index 6599ccdc03a..fee806ff8ef 100644
--- a/python/ql/src/semmle/python/frameworks/Django.qll
+++ b/python/ql/src/semmle/python/frameworks/Django.qll
@@ -2069,6 +2069,29 @@ private module Django {
       result = this.getAMethod() and
       result.getName() = HTTP::httpVerbLower()
     }
+
+    /**
+     * Gets a reference to instances of this class, originating from a self parameter of
+     * a method defined on this class.
+     *
+     * Note: TODO: This doesn't take MRO into account
+     * Note: TODO: This doesn't take staticmethod/classmethod into account
+     */
+    private DataFlow::Node getASelfRef(DataFlow::TypeTracker t) {
+      t.start() and
+      result.(DataFlow::ParameterNode).getParameter() = this.getAMethod().getArg(0)
+      or
+      exists(DataFlow::TypeTracker t2 | result = this.getASelfRef(t2).track(t2, t))
+    }
+
+    /**
+     * Gets a reference to instances of this class, originating from a self parameter of
+     * a method defined on this class.
+     *
+     * Note: TODO: This doesn't take MRO into account
+     * Note: TODO: This doesn't take staticmethod/classmethod into account
+     */
+    DataFlow::Node getASelfRef() { result = this.getASelfRef(DataFlow::TypeTracker::end()) }
   }
 
   /**
@@ -2307,6 +2330,46 @@ private module Django {
     override string getSourceType() { result = "django.http.request.HttpRequest" }
   }
 
+  /**
+   * A read of the `request` attribute on a reference to an instance of a View class,
+   * which is the request being processed currently.
+   *
+   * See https://docs.djangoproject.com/en/3.1/topics/class-based-views/generic-display/#dynamic-filtering
+   */
+  private class DjangoViewClassRequestAttributeRead extends django::http::request::HttpRequest::InstanceSource,
+    RemoteFlowSource::Range, DataFlow::Node {
+    DjangoViewClassRequestAttributeRead() {
+      exists(DataFlow::AttrRead read | this = read |
+        read.getObject() = any(DjangoViewClass vc).getASelfRef() and
+        read.getAttributeName() = "request"
+      )
+    }
+
+    override string getSourceType() {
+      result = "django.http.request.HttpRequest (attribute on self in View class)"
+    }
+  }
+
+  /**
+   * A read of the `args` or `kwargs` attribute on a reference to an instance of a View class,
+   * which contains the routed parameters captured from the URL route.
+   *
+   * See https://docs.djangoproject.com/en/3.1/topics/class-based-views/generic-display/#dynamic-filtering
+   */
+  private class DjangoViewClassRoutedParamsAttributeRead extends RemoteFlowSource::Range,
+    DataFlow::Node {
+    DjangoViewClassRoutedParamsAttributeRead() {
+      exists(DataFlow::AttrRead read | this = read |
+        read.getObject() = any(DjangoViewClass vc).getASelfRef() and
+        read.getAttributeName() in ["args", "kwargs"]
+      )
+    }
+
+    override string getSourceType() {
+      result = "django routed param from attribute on self in View class"
+    }
+  }
+
   private class DjangoHttpRequstAdditionalTaintStep extends TaintTracking::AdditionalTaintStep {
     override predicate step(DataFlow::Node nodeFrom, DataFlow::Node nodeTo) {
       nodeFrom = django::http::request::HttpRequest::instance() and
diff --git a/python/ql/test/experimental/library-tests/frameworks/django-v2-v3/TestTaint.expected b/python/ql/test/experimental/library-tests/frameworks/django-v2-v3/TestTaint.expected
index d3cb5470b1b..c76685c6739 100644
--- a/python/ql/test/experimental/library-tests/frameworks/django-v2-v3/TestTaint.expected
+++ b/python/ql/test/experimental/library-tests/frameworks/django-v2-v3/TestTaint.expected
@@ -80,9 +80,9 @@
 | taint_test.py:145 | ok   | test_taint | request.get_signed_cookie(..) |
 | taint_test.py:149 | fail | test_taint | request.get_signed_cookie(..) |
 | taint_test.py:150 | fail | test_taint | request.get_signed_cookie(..) |
-| taint_test.py:157 | fail | some_method | self.request |
-| taint_test.py:158 | fail | some_method | self.request.GET["key"] |
-| taint_test.py:160 | fail | some_method | self.args |
-| taint_test.py:161 | fail | some_method | self.args[0] |
-| taint_test.py:163 | fail | some_method | self.kwargs |
-| taint_test.py:164 | fail | some_method | self.kwargs["key"] |
+| taint_test.py:157 | ok   | some_method | self.request |
+| taint_test.py:158 | ok   | some_method | self.request.GET["key"] |
+| taint_test.py:160 | ok   | some_method | self.args |
+| taint_test.py:161 | ok   | some_method | self.args[0] |
+| taint_test.py:163 | ok   | some_method | self.kwargs |
+| taint_test.py:164 | ok   | some_method | self.kwargs["key"] |

From 7cff1f441bef167d72f599693ed01937a613336c Mon Sep 17 00:00:00 2001
From: Erik Krogh Kristensen <erik-krogh@github.com>
Date: Wed, 10 Feb 2021 18:13:01 +0100
Subject: [PATCH 287/429] add model for the `unified` and `remark` libraries

---
 .../semmle/javascript/frameworks/Markdown.qll | 58 +++++++++++++++++++
 .../ReflectedXss/ReflectedXss.expected        | 45 ++++++++++++++
 .../CWE-079/ReflectedXss/ReflectedXss.js      | 34 +++++++++++
 .../ReflectedXssWithCustomSanitizer.expected  |  5 ++
 4 files changed, 142 insertions(+)

diff --git a/javascript/ql/src/semmle/javascript/frameworks/Markdown.qll b/javascript/ql/src/semmle/javascript/frameworks/Markdown.qll
index ed902bb9274..0ea930a3453 100644
--- a/javascript/ql/src/semmle/javascript/frameworks/Markdown.qll
+++ b/javascript/ql/src/semmle/javascript/frameworks/Markdown.qll
@@ -48,3 +48,61 @@ private class ShowDownStep extends TaintTracking::AdditionalTaintStep, DataFlow:
     pred = this.getArgument(0)
   }
 }
+
+/**
+ * Classes and predicates for modelling taint steps in `unified` and `remark`.
+ */
+private module Unified {
+  /**
+   * The creation of a parser from `unified`.
+   * The `remark` module is a shorthand that initializes `unified` with a markdown parser.
+   */
+  DataFlow::CallNode unified() { result = DataFlow::moduleImport(["unified", "remark"]).getACall() }
+
+  /**
+   * A chain of method calls that process an input with `unified`.
+   */
+  class UnifiedChain extends DataFlow::CallNode {
+    DataFlow::CallNode root;
+
+    UnifiedChain() {
+      root = unified() and
+      this = root.getAChainedMethodCall(["process", "processSync"])
+    }
+
+    /**
+     * Gets a plugin that is used in this chain.
+     */
+    DataFlow::Node getAUsedPlugin() { result = root.getAChainedMethodCall("use").getArgument(0) }
+
+    /**
+     * Gets the input that is processed.
+     */
+    DataFlow::Node getInput() { result = getArgument(0) }
+
+    /**
+     * Gets the processed output.
+     */
+    DataFlow::Node getOutput() {
+      this.getCalleeName() = "process" and result = getABoundCallbackParameter(1, 1)
+      or
+      this.getCalleeName() = "processSync" and result = this
+    }
+  }
+
+  /**
+   * A taint step for the `unified` library.
+   */
+  class UnifiedStep extends TaintTracking::AdditionalTaintStep, UnifiedChain {
+    UnifiedStep() {
+      // sanitizer. Mostly looking for `rehype-sanitize`, but also other plugins with `sanitize` in their name.
+      not this.getAUsedPlugin().getALocalSource() =
+        DataFlow::moduleImport(any(string s | s.matches("%sanitize%")))
+    }
+
+    override predicate step(DataFlow::Node pred, DataFlow::Node succ) {
+      pred = getInput() and
+      succ = getOutput()
+    }
+  }
+}
diff --git a/javascript/ql/test/query-tests/Security/CWE-079/ReflectedXss/ReflectedXss.expected b/javascript/ql/test/query-tests/Security/CWE-079/ReflectedXss/ReflectedXss.expected
index 38661c86c6d..cc01ba98932 100644
--- a/javascript/ql/test/query-tests/Security/CWE-079/ReflectedXss/ReflectedXss.expected
+++ b/javascript/ql/test/query-tests/Security/CWE-079/ReflectedXss/ReflectedXss.expected
@@ -32,6 +32,29 @@ nodes
 | ReflectedXss.js:42:12:42:39 | convert ... q.body) |
 | ReflectedXss.js:42:31:42:38 | req.body |
 | ReflectedXss.js:42:31:42:38 | req.body |
+| ReflectedXss.js:56:12:56:19 | req.body |
+| ReflectedXss.js:56:12:56:19 | req.body |
+| ReflectedXss.js:56:12:56:19 | req.body |
+| ReflectedXss.js:64:14:64:21 | req.body |
+| ReflectedXss.js:64:14:64:21 | req.body |
+| ReflectedXss.js:64:39:64:42 | file |
+| ReflectedXss.js:65:16:65:19 | file |
+| ReflectedXss.js:65:16:65:19 | file |
+| ReflectedXss.js:68:12:68:41 | remark( ... q.body) |
+| ReflectedXss.js:68:12:68:52 | remark( ... tring() |
+| ReflectedXss.js:68:12:68:52 | remark( ... tring() |
+| ReflectedXss.js:68:33:68:40 | req.body |
+| ReflectedXss.js:68:33:68:40 | req.body |
+| ReflectedXss.js:72:12:72:56 | unified ... q.body) |
+| ReflectedXss.js:72:12:72:65 | unified ... oString |
+| ReflectedXss.js:72:12:72:65 | unified ... oString |
+| ReflectedXss.js:72:48:72:55 | req.body |
+| ReflectedXss.js:72:48:72:55 | req.body |
+| ReflectedXss.js:74:20:74:27 | req.body |
+| ReflectedXss.js:74:20:74:27 | req.body |
+| ReflectedXss.js:74:34:74:34 | f |
+| ReflectedXss.js:75:14:75:14 | f |
+| ReflectedXss.js:75:14:75:14 | f |
 | ReflectedXssContentTypes.js:10:14:10:36 | "FOO: " ... rams.id |
 | ReflectedXssContentTypes.js:10:14:10:36 | "FOO: " ... rams.id |
 | ReflectedXssContentTypes.js:10:24:10:36 | req.params.id |
@@ -143,6 +166,23 @@ edges
 | ReflectedXss.js:42:31:42:38 | req.body | ReflectedXss.js:42:12:42:39 | convert ... q.body) |
 | ReflectedXss.js:42:31:42:38 | req.body | ReflectedXss.js:42:12:42:39 | convert ... q.body) |
 | ReflectedXss.js:42:31:42:38 | req.body | ReflectedXss.js:42:12:42:39 | convert ... q.body) |
+| ReflectedXss.js:56:12:56:19 | req.body | ReflectedXss.js:56:12:56:19 | req.body |
+| ReflectedXss.js:64:14:64:21 | req.body | ReflectedXss.js:64:39:64:42 | file |
+| ReflectedXss.js:64:14:64:21 | req.body | ReflectedXss.js:64:39:64:42 | file |
+| ReflectedXss.js:64:39:64:42 | file | ReflectedXss.js:65:16:65:19 | file |
+| ReflectedXss.js:64:39:64:42 | file | ReflectedXss.js:65:16:65:19 | file |
+| ReflectedXss.js:68:12:68:41 | remark( ... q.body) | ReflectedXss.js:68:12:68:52 | remark( ... tring() |
+| ReflectedXss.js:68:12:68:41 | remark( ... q.body) | ReflectedXss.js:68:12:68:52 | remark( ... tring() |
+| ReflectedXss.js:68:33:68:40 | req.body | ReflectedXss.js:68:12:68:41 | remark( ... q.body) |
+| ReflectedXss.js:68:33:68:40 | req.body | ReflectedXss.js:68:12:68:41 | remark( ... q.body) |
+| ReflectedXss.js:72:12:72:56 | unified ... q.body) | ReflectedXss.js:72:12:72:65 | unified ... oString |
+| ReflectedXss.js:72:12:72:56 | unified ... q.body) | ReflectedXss.js:72:12:72:65 | unified ... oString |
+| ReflectedXss.js:72:48:72:55 | req.body | ReflectedXss.js:72:12:72:56 | unified ... q.body) |
+| ReflectedXss.js:72:48:72:55 | req.body | ReflectedXss.js:72:12:72:56 | unified ... q.body) |
+| ReflectedXss.js:74:20:74:27 | req.body | ReflectedXss.js:74:34:74:34 | f |
+| ReflectedXss.js:74:20:74:27 | req.body | ReflectedXss.js:74:34:74:34 | f |
+| ReflectedXss.js:74:34:74:34 | f | ReflectedXss.js:75:14:75:14 | f |
+| ReflectedXss.js:74:34:74:34 | f | ReflectedXss.js:75:14:75:14 | f |
 | ReflectedXssContentTypes.js:10:24:10:36 | req.params.id | ReflectedXssContentTypes.js:10:14:10:36 | "FOO: " ... rams.id |
 | ReflectedXssContentTypes.js:10:24:10:36 | req.params.id | ReflectedXssContentTypes.js:10:14:10:36 | "FOO: " ... rams.id |
 | ReflectedXssContentTypes.js:10:24:10:36 | req.params.id | ReflectedXssContentTypes.js:10:14:10:36 | "FOO: " ... rams.id |
@@ -227,6 +267,11 @@ edges
 | ReflectedXss.js:34:12:34:18 | mytable | ReflectedXss.js:32:14:32:21 | req.body | ReflectedXss.js:34:12:34:18 | mytable | Cross-site scripting vulnerability due to $@. | ReflectedXss.js:32:14:32:21 | req.body | user-provided value |
 | ReflectedXss.js:41:12:41:19 | req.body | ReflectedXss.js:41:12:41:19 | req.body | ReflectedXss.js:41:12:41:19 | req.body | Cross-site scripting vulnerability due to $@. | ReflectedXss.js:41:12:41:19 | req.body | user-provided value |
 | ReflectedXss.js:42:12:42:39 | convert ... q.body) | ReflectedXss.js:42:31:42:38 | req.body | ReflectedXss.js:42:12:42:39 | convert ... q.body) | Cross-site scripting vulnerability due to $@. | ReflectedXss.js:42:31:42:38 | req.body | user-provided value |
+| ReflectedXss.js:56:12:56:19 | req.body | ReflectedXss.js:56:12:56:19 | req.body | ReflectedXss.js:56:12:56:19 | req.body | Cross-site scripting vulnerability due to $@. | ReflectedXss.js:56:12:56:19 | req.body | user-provided value |
+| ReflectedXss.js:65:16:65:19 | file | ReflectedXss.js:64:14:64:21 | req.body | ReflectedXss.js:65:16:65:19 | file | Cross-site scripting vulnerability due to $@. | ReflectedXss.js:64:14:64:21 | req.body | user-provided value |
+| ReflectedXss.js:68:12:68:52 | remark( ... tring() | ReflectedXss.js:68:33:68:40 | req.body | ReflectedXss.js:68:12:68:52 | remark( ... tring() | Cross-site scripting vulnerability due to $@. | ReflectedXss.js:68:33:68:40 | req.body | user-provided value |
+| ReflectedXss.js:72:12:72:65 | unified ... oString | ReflectedXss.js:72:48:72:55 | req.body | ReflectedXss.js:72:12:72:65 | unified ... oString | Cross-site scripting vulnerability due to $@. | ReflectedXss.js:72:48:72:55 | req.body | user-provided value |
+| ReflectedXss.js:75:14:75:14 | f | ReflectedXss.js:74:20:74:27 | req.body | ReflectedXss.js:75:14:75:14 | f | Cross-site scripting vulnerability due to $@. | ReflectedXss.js:74:20:74:27 | req.body | user-provided value |
 | ReflectedXssContentTypes.js:10:14:10:36 | "FOO: " ... rams.id | ReflectedXssContentTypes.js:10:24:10:36 | req.params.id | ReflectedXssContentTypes.js:10:14:10:36 | "FOO: " ... rams.id | Cross-site scripting vulnerability due to $@. | ReflectedXssContentTypes.js:10:24:10:36 | req.params.id | user-provided value |
 | ReflectedXssContentTypes.js:20:14:20:36 | "FOO: " ... rams.id | ReflectedXssContentTypes.js:20:24:20:36 | req.params.id | ReflectedXssContentTypes.js:20:14:20:36 | "FOO: " ... rams.id | Cross-site scripting vulnerability due to $@. | ReflectedXssContentTypes.js:20:24:20:36 | req.params.id | user-provided value |
 | ReflectedXssContentTypes.js:39:13:39:35 | "FOO: " ... rams.id | ReflectedXssContentTypes.js:39:23:39:35 | req.params.id | ReflectedXssContentTypes.js:39:13:39:35 | "FOO: " ... rams.id | Cross-site scripting vulnerability due to $@. | ReflectedXssContentTypes.js:39:23:39:35 | req.params.id | user-provided value |
diff --git a/javascript/ql/test/query-tests/Security/CWE-079/ReflectedXss/ReflectedXss.js b/javascript/ql/test/query-tests/Security/CWE-079/ReflectedXss/ReflectedXss.js
index e9461f2c6d8..15f8ea7f7fd 100644
--- a/javascript/ql/test/query-tests/Security/CWE-079/ReflectedXss/ReflectedXss.js
+++ b/javascript/ql/test/query-tests/Security/CWE-079/ReflectedXss/ReflectedXss.js
@@ -41,3 +41,37 @@ app.get('/user/:id', function(req, res) {
   res.send(req.body); // NOT OK
   res.send(converter.makeHtml(req.body)); // NOT OK
 });
+
+var unified = require('unified');
+var markdown = require('remark-parse');
+var remark2rehype = require('remark-rehype');
+var doc = require('rehype-document');
+var format = require('rehype-format');
+var html = require('rehype-stringify');
+var remark = require("remark");
+var sanitize = require("rehype-sanitize");
+const { resetExtensions } = require('showdown');
+
+app.get('/user/:id', function (req, res) {
+  res.send(req.body); // NOT OK
+
+  unified()
+    .use(markdown)
+    .use(remark2rehype)
+    .use(doc, { title: '👋🌍' })
+    .use(format)
+    .use(html)
+    .process(req.body, function (err, file) {
+      res.send(file); // NOT OK
+    });
+
+  res.send(remark().processSync(req.body).toString()); // NOT OK
+
+  res.send(remark().use(sanitize).processSync(req.body).toString()); // OK
+
+  res.send(unified().use(markdown).processSync(req.body).toString); // NOT OK
+
+  remark().process(req.body, (e, f) => {
+    res.send(f); // NOT OK
+  })
+});
diff --git a/javascript/ql/test/query-tests/Security/CWE-079/ReflectedXss/ReflectedXssWithCustomSanitizer.expected b/javascript/ql/test/query-tests/Security/CWE-079/ReflectedXss/ReflectedXssWithCustomSanitizer.expected
index ddd7ae3b372..96f1093be3b 100644
--- a/javascript/ql/test/query-tests/Security/CWE-079/ReflectedXss/ReflectedXssWithCustomSanitizer.expected
+++ b/javascript/ql/test/query-tests/Security/CWE-079/ReflectedXss/ReflectedXssWithCustomSanitizer.expected
@@ -6,6 +6,11 @@
 | ReflectedXss.js:34:12:34:18 | mytable | Cross-site scripting vulnerability due to $@. | ReflectedXss.js:32:14:32:21 | req.body | user-provided value |
 | ReflectedXss.js:41:12:41:19 | req.body | Cross-site scripting vulnerability due to $@. | ReflectedXss.js:41:12:41:19 | req.body | user-provided value |
 | ReflectedXss.js:42:12:42:39 | convert ... q.body) | Cross-site scripting vulnerability due to $@. | ReflectedXss.js:42:31:42:38 | req.body | user-provided value |
+| ReflectedXss.js:56:12:56:19 | req.body | Cross-site scripting vulnerability due to $@. | ReflectedXss.js:56:12:56:19 | req.body | user-provided value |
+| ReflectedXss.js:65:16:65:19 | file | Cross-site scripting vulnerability due to $@. | ReflectedXss.js:64:14:64:21 | req.body | user-provided value |
+| ReflectedXss.js:68:12:68:52 | remark( ... tring() | Cross-site scripting vulnerability due to $@. | ReflectedXss.js:68:33:68:40 | req.body | user-provided value |
+| ReflectedXss.js:72:12:72:65 | unified ... oString | Cross-site scripting vulnerability due to $@. | ReflectedXss.js:72:48:72:55 | req.body | user-provided value |
+| ReflectedXss.js:75:14:75:14 | f | Cross-site scripting vulnerability due to $@. | ReflectedXss.js:74:20:74:27 | req.body | user-provided value |
 | ReflectedXssContentTypes.js:10:14:10:36 | "FOO: " ... rams.id | Cross-site scripting vulnerability due to $@. | ReflectedXssContentTypes.js:10:24:10:36 | req.params.id | user-provided value |
 | ReflectedXssContentTypes.js:20:14:20:36 | "FOO: " ... rams.id | Cross-site scripting vulnerability due to $@. | ReflectedXssContentTypes.js:20:24:20:36 | req.params.id | user-provided value |
 | ReflectedXssContentTypes.js:39:13:39:35 | "FOO: " ... rams.id | Cross-site scripting vulnerability due to $@. | ReflectedXssContentTypes.js:39:23:39:35 | req.params.id | user-provided value |

From 190164c182463c32226374975cb61b330db7a145 Mon Sep 17 00:00:00 2001
From: Raul Garcia <42392023+raulgarciamsft@users.noreply.github.com>
Date: Wed, 10 Feb 2021 13:30:40 -0800
Subject: [PATCH 288/429] Update csharp/ql/src/experimental/Security
 Features/campaign/Solorigate/Solorigate.qhelp

Co-authored-by: Bas van Schaik <5082246+sj@users.noreply.github.com>
---
 .../Security Features/campaign/Solorigate/Solorigate.qhelp    | 4 ++--
 1 file changed, 2 insertions(+), 2 deletions(-)

diff --git a/csharp/ql/src/experimental/Security Features/campaign/Solorigate/Solorigate.qhelp b/csharp/ql/src/experimental/Security Features/campaign/Solorigate/Solorigate.qhelp
index dcd7c0b9d74..bba4df25c7d 100644
--- a/csharp/ql/src/experimental/Security Features/campaign/Solorigate/Solorigate.qhelp	
+++ b/csharp/ql/src/experimental/Security Features/campaign/Solorigate/Solorigate.qhelp	
@@ -4,10 +4,10 @@
 <qhelp>
  <overview>
   <p>The nation-state supply chain attack on SolarWinds known as Solorigate or SunBurst gave nation-state actors access to some victims' networks.</p>
-  <p>The purpose of these rules is to identify potentially tampered code that requires further analysis</p>
+  <p>The purpose of these rules is to identify potentially tampered code that requires further analysis.</p>
 </overview> 
 <recommendation>
   <p>Any findings from this rule are only intended to indicate suspicious code that shares similarities with known portions of code used for the Solorigate attack. There is no certainty that the code is related or that the code is part of any attack.</p>
   <p>For more information, please visit https://aka.ms/solorigate. </p>
 </recommendation>
-</qhelp>
\ No newline at end of file
+</qhelp>

From ef0d3720a1010abaaa41b37308c5727e9d257849 Mon Sep 17 00:00:00 2001
From: "Raul Garcia (MSFT)" <raul.garcia@microsoft.com>
Date: Wed, 10 Feb 2021 13:39:24 -0800
Subject: [PATCH 289/429] Addressing a few comments

---
 .../Security Features/backdoor/PotentialTimeBomb.qhelp          | 2 +-
 .../campaign/Solorigate/ModifiedFnvFunctionDetection.qhelp      | 2 +-
 .../campaign/Solorigate/NumberOfKnownCommandsAboveThreshold.ql  | 2 +-
 3 files changed, 3 insertions(+), 3 deletions(-)

diff --git a/csharp/ql/src/experimental/Security Features/backdoor/PotentialTimeBomb.qhelp b/csharp/ql/src/experimental/Security Features/backdoor/PotentialTimeBomb.qhelp
index fb619cb738e..57a8c5719fa 100644
--- a/csharp/ql/src/experimental/Security Features/backdoor/PotentialTimeBomb.qhelp	
+++ b/csharp/ql/src/experimental/Security Features/backdoor/PotentialTimeBomb.qhelp	
@@ -3,7 +3,7 @@
   "qhelp.dtd">
 <qhelp>
   <overview>
-    <p>This query checks for data flow from a file's last modification date and a condition statement that controls code execution. A malicious actor could have implanted code that triggers after a certain time, leading to a "time bomb".</p>
+    <p>This query detects situations in which an offset to a last file modification time is used to conditionally execute a particular block of code. This is a common pattern in backdoors, where the file's modification timestamp is the time at which the backdoor was planted, and the time offset is used as a time bomb before a particular code block is executed.</p>
   </overview>
 
   <recommendation>
diff --git a/csharp/ql/src/experimental/Security Features/campaign/Solorigate/ModifiedFnvFunctionDetection.qhelp b/csharp/ql/src/experimental/Security Features/campaign/Solorigate/ModifiedFnvFunctionDetection.qhelp
index 8b639b14ab0..0b0e1333eb1 100644
--- a/csharp/ql/src/experimental/Security Features/campaign/Solorigate/ModifiedFnvFunctionDetection.qhelp	
+++ b/csharp/ql/src/experimental/Security Features/campaign/Solorigate/ModifiedFnvFunctionDetection.qhelp	
@@ -3,7 +3,7 @@
   "qhelp.dtd">
 <qhelp>
   <overview>
-    <p>In Solorigate, the malicious code tried to evade various security detection software by comparing hashes of the process names against an embedded list of values. The malicious code included hash values calculated using a standard FNV-1A 64-bit hash with an additional XOR by a literal after computing the FNV-1A.</p>
+    <p>In Solorigate, the malicious code tried to evade various security detection software by comparing hashes of the process names against an embedded list of values. The malicious code used in the SolarWinds attack included hash values calculated using a standard FNV-1A 64-bit hash with an additional XOR by a literal after computing the FNV-1A.</p>
     <p>This query detects FNV-like hash calculations where there is an additional XOR (with any static value) after the hash calculation loop.</p>
   </overview>
 
diff --git a/csharp/ql/src/experimental/Security Features/campaign/Solorigate/NumberOfKnownCommandsAboveThreshold.ql b/csharp/ql/src/experimental/Security Features/campaign/Solorigate/NumberOfKnownCommandsAboveThreshold.ql
index 34c773636ad..42fb738f157 100644
--- a/csharp/ql/src/experimental/Security Features/campaign/Solorigate/NumberOfKnownCommandsAboveThreshold.ql	
+++ b/csharp/ql/src/experimental/Security Features/campaign/Solorigate/NumberOfKnownCommandsAboveThreshold.ql	
@@ -1,6 +1,6 @@
 /**
  * @name Number of Solorigate-related command names in enum is above the threshold
- * @description The enum contains several values that look similar to command and control command names, which may indicate that the code may have been tampered by an external agent.
+ * @description The enum contains several values that look similar to command and control command names, which may indicate that the code may have been tampered with by an external agent.
  *      It is recommended to review the code and verify that there is no unexpected code in this project.
  * @kind problem
  * @tags security

From 2a1c11b517d31cf20550eacc68656d3c7c1b1631 Mon Sep 17 00:00:00 2001
From: Marcono1234 <Marcono1234@users.noreply.github.com>
Date: Wed, 10 Feb 2021 23:56:45 +0100
Subject: [PATCH 290/429] Improve MavenPom documentation, rename inconsistent
 predicates

---
 java/ql/src/semmle/code/xml/MavenPom.qll | 96 +++++++++++++-----------
 1 file changed, 54 insertions(+), 42 deletions(-)

diff --git a/java/ql/src/semmle/code/xml/MavenPom.qll b/java/ql/src/semmle/code/xml/MavenPom.qll
index 0a545c0bc99..30c1e673b23 100644
--- a/java/ql/src/semmle/code/xml/MavenPom.qll
+++ b/java/ql/src/semmle/code/xml/MavenPom.qll
@@ -28,7 +28,7 @@ class ProtoPom extends XMLElement {
   Version getVersion() { result = this.getAChild() }
 
   /**
-   * Gets a string representing the version, or an empty string if no version
+   * Gets a string representing the version, or an empty string if no `version`
    * tag was provided.
    */
   string getVersionString() {
@@ -53,7 +53,7 @@ class Pom extends ProtoPom {
   Pom() {
     this.getName() = "project" and
     // Ignore "dependency-reduced-pom" files - these are generated by the
-    // shading plugin, and duplicate existing pom files.
+    // Maven Shade Plugin, and duplicate existing POM files.
     this.getFile().getStem() != "dependency-reduced-pom"
   }
 
@@ -77,7 +77,7 @@ class Pom extends ProtoPom {
   /** Gets a child XML element named "dependencies". */
   Dependencies getDependencies() { result = this.getAChild() }
 
-  /** Gets a child XML element named `dependencyManagement`. */
+  /** Gets a child XML element named "dependencyManagement". */
   DependencyManagement getDependencyManagement() { result = getAChild() }
 
   /** Gets a Dependency element for this POM. */
@@ -100,7 +100,8 @@ class Pom extends ProtoPom {
   }
 
   /**
-   * Gets a property value defined for this project with the given name.
+   * Gets a property value defined for this project with the given name, either in a local
+   * `<properties>` section, or in the `<properties>` section of an ancestor POM.
    */
   PomProperty getProperty(string name) {
     result.getName() = name and
@@ -112,7 +113,7 @@ class Pom extends ProtoPom {
    */
   PomElement getProjectProperty() {
     (
-      // It must either be a child of the pom, or a child of the parent node of the pom
+      // It must either be a child of the POM, or a child of the parent node of the POM
       result = getAChild()
       or
       result = getParentPom().getAChild() and
@@ -124,8 +125,8 @@ class Pom extends ProtoPom {
   }
 
   /**
-   * Resolve the given placeholder (if possible) in the static context of this pom. Resolution
-   * occurs by considering the properties defined by this project.
+   * Resolve the given placeholder (if possible) in the static context of this POM. Resolution
+   * occurs by considering the properties defined by this project or an ancestor project.
    */
   string resolvePlaceholder(string name) {
     if name.prefix(8) = "project."
@@ -142,32 +143,33 @@ class Pom extends ProtoPom {
   }
 
   /**
-   * Gets all the dependencies that are exported by this pom. An exported dependency is one that
-   * is transitively available, i.e. one with scope compile.
+   * Gets all the dependencies that are exported by this POM. An exported dependency is one that
+   * is transitively available, i.e. one with scope "compile".
    */
   Dependency getAnExportedDependency() {
     result = getADependency() and result.getScope() = "compile"
   }
 
   /**
-   * Gets a pom dependency that is exported by this pom. An exported dependency is one that
-   * is transitively available, i.e. one with scope compile.
+   * Gets a POM dependency that is exported by this POM. An exported dependency is one that
+   * is transitively available, i.e. one with scope "compile".
    */
   Pom getAnExportedPom() { result = getAnExportedDependency().getPom() }
 
   /**
-   * Gets the `<parent>` element of this pom, if any.
+   * Gets the `<parent>` element of this POM, if any.
    */
   Parent getParentElement() { result = getAChild() }
 
   /**
-   * Gets the pom referred to by the `<parent>` element of this pom, if any.
+   * Gets the POM referred to by the `<parent>` element of this POM, if any.
    */
   Pom getParentPom() { result = getParentElement().getPom() }
 
   /**
-   * Gets the version specified for dependency `dep` in a `dependencyManagement`
-   * section if this pom or one of its ancestors.
+   * Gets the version specified for dependency _dep_ in a `dependencyManagement`
+   * section in this POM or one of its ancestors, or an empty string if no version
+   * is specified.
    */
   string getVersionStringForDependency(Dependency dep) {
     if exists(getDependencyManagement().getDependency(dep))
@@ -223,12 +225,13 @@ class Dependency extends ProtoPom {
   Pom getPom() { result.getShortCoordinate() = this.getShortCoordinate() }
 
   /**
-   * Gets the jar file that we think maven resolved this dependency to (if any).
+   * Gets the jar file that Maven likely resolved this dependency to (if any).
+   * See `MavenRepo.getAnArtifact(ProtoPom)` for how this match is determined.
    */
   File getJar() { exists(MavenRepo mr | result = mr.getAnArtifact(this)) }
 
   /**
-   * Gets the scope of this dependency. If the scope tag is present, this will
+   * Gets the scope of this dependency. If the `scope` tag is present, this will
    * be the string contents of that tag, otherwise it defaults to "compile".
    */
   string getScope() {
@@ -249,14 +252,14 @@ class Dependency extends ProtoPom {
 }
 
 /**
- * A Maven dependency element that represents an actual dependency from a given pom project.
+ * A Maven dependency element that represents an actual dependency from a given POM project.
  */
 class PomDependency extends Dependency {
   PomDependency() {
     exists(Pom source |
-      // This dependency must be a dependency of a pom - dependency tags can also appear in the dependency
-      // management section, where they do not directly contribute to the dependencies of the containing
-      // pom.
+      // This dependency must be a dependency of a POM - dependency tags can also appear in the
+      // dependencyManagement section, where they do not directly contribute to the dependencies of
+      // the containing POM.
       source.getADependency() = this and
       // Consider dependencies that can be used at compile time.
       (
@@ -284,7 +287,7 @@ class PomElement extends XMLElement {
       s = allCharactersString() and
       if s.matches("${%")
       then
-        // Resolve the placeholder in the parent pom
+        // Resolve the placeholder in the parent POM
         result = getParent*().(Pom).resolvePlaceholder(s.substring(2, s.length() - 1))
       else result = s
     )
@@ -330,7 +333,7 @@ class Dependencies extends PomElement {
   Dependency getADependency() { result = this.getAChild() }
 }
 
-/** An XML element named `dependencyManagement`, as found in Maven POM XML files. */
+/** An XML element named "dependencyManagement", as found in Maven POM XML files. */
 class DependencyManagement extends PomElement {
   DependencyManagement() { getName() = "dependencyManagement" }
 
@@ -340,7 +343,7 @@ class DependencyManagement extends PomElement {
 
   /**
    * Gets a dependency declared in this `dependencyManagement` element that has
-   * the same (short) coordinates as `dep`.
+   * the same (short) coordinates as _dep_.
    */
   Dependency getDependency(Dependency dep) {
     result = getADependency() and
@@ -349,7 +352,7 @@ class DependencyManagement extends PomElement {
 }
 
 /**
- * An XML element name "properties", as found in Maven POM XML files.
+ * An XML element named "properties", as found in Maven POM XML files.
  */
 class PomProperties extends PomElement {
   PomProperties() { this.getName() = "properties" }
@@ -366,8 +369,8 @@ class PomProperty extends PomElement {
 }
 
 /**
- * A folder that represents a maven local repository using the standard layout. Any folder called
- * "repository" with a parent name ".m2" is considered to be a maven repository.
+ * A folder that represents a local Maven repository using the standard layout. Any folder called
+ * "repository" with a parent name ".m2" is considered to be a Maven repository.
  */
 class MavenRepo extends Folder {
   MavenRepo() { getBaseName() = "repository" and getParentContainer().getBaseName() = ".m2" }
@@ -378,10 +381,10 @@ class MavenRepo extends Folder {
   File getAJarFile() { result = getAChildContainer*().(File) and result.getExtension() = "jar" }
 
   /**
-   * Gets any jar artifacts in this repository that match the pom project definition. This is an
-   * over approximation. For soft qualifiers (e.g. 1.0) we return precise matches in preference to
-   * artefact only matches. For hard qualifiers (e.g. [1.0]) we return only precise matches. For
-   * all other qualifiers, we return all matches regardless of version.
+   * Gets any jar artifacts in this repository that match the POM project definition. This is an
+   * over approximation. For soft qualifiers (e.g. 1.0) precise matches are returned in preference
+   * to artifact only matches. For hard qualifiers (e.g. [1.0]) only precise matches are returned.
+   * For all other qualifiers, all matches are returned regardless of version.
    */
   MavenRepoJar getAnArtifact(ProtoPom pom) {
     result = getAJarFile() and
@@ -389,7 +392,7 @@ class MavenRepo extends Folder {
     then
       // Either a hard match qualifier, or soft and there is at least one precise match
       result.preciseMatch(pom)
-    else result.artefactMatches(pom)
+    else result.artifactMatches(pom)
   }
 }
 
@@ -401,16 +404,19 @@ private predicate versionHardMatch(ProtoPom pom) {
 }
 
 /**
- * A jar file inside a maven repository.
+ * A jar file inside a Maven repository.
  *
  * See: https://cwiki.apache.org/confluence/display/MAVENOLD/Repository+Layout+-+Final
  */
 class MavenRepoJar extends File {
   MavenRepoJar() { exists(MavenRepo mr | mr.getAJarFile() = this) }
 
-  string getGroupID() {
+  /**
+   * Gets the `groupId` of this jar.
+   */
+  string getGroupId() {
     exists(MavenRepo mr | mr.getAJarFile() = this |
-      // Assuming the standard layout, the first part of the directory structure from the maven
+      // Assuming the standard layout, the first part of the directory structure from the Maven
       // repository will be the groupId converted to a path by replacing "." with "/".
       result =
         getParentContainer()
@@ -422,24 +428,30 @@ class MavenRepoJar extends File {
     )
   }
 
-  string getArtefactID() { result = getParentContainer().getParentContainer().getBaseName() }
+  /**
+   * Gets the `artifactId` of this jar.
+   */
+  string getArtifactId() { result = getParentContainer().getParentContainer().getBaseName() }
 
+  /**
+   * Gets the artifact version string of this jar.
+   */
   string getVersion() { result = getParentContainer().getBaseName() }
 
   /**
-   * Holds if this jar is an artefact for the given pom or dependency, regardless of which version it is.
+   * Holds if this jar is an artifact for the given POM or dependency, regardless of which version it is.
    */
-  predicate artefactMatches(ProtoPom pom) {
-    pom.getGroup().getValue() = getGroupID() and
-    pom.getArtifact().getValue() = getArtefactID()
+  predicate artifactMatches(ProtoPom pom) {
+    pom.getGroup().getValue() = getGroupId() and
+    pom.getArtifact().getValue() = getArtifactId()
   }
 
   /**
-   * Holds if this jar is both an artefact for the pom, and has a version string that matches the pom
+   * Holds if this jar is both an artifact for the POM, and has a version string that matches the POM
    * version string. Only soft and hard version matches are supported.
    */
   predicate preciseMatch(ProtoPom pom) {
-    artefactMatches(pom) and
+    artifactMatches(pom) and
     if versionHardMatch(pom)
     then ("[" + getVersion() + "]").matches(pom.getVersionString() + "%")
     else getVersion().matches(pom.getVersionString() + "%")

From e2fbf8a68ca9a301bb166412d9e780d3ecc73c6c Mon Sep 17 00:00:00 2001
From: Erik Krogh Kristensen <erik-krogh@github.com>
Date: Mon, 8 Feb 2021 20:38:05 +0100
Subject: [PATCH 291/429] add files uploaded with `multer` as RemoteFlowSource

---
 .../semmle/javascript/frameworks/Express.qll  |  3 ++-
 .../CWE-078/CommandInjection.expected         | 24 +++++++++++++++++++
 .../Security/CWE-078/form-parsers.js          | 16 +++++++++++++
 3 files changed, 42 insertions(+), 1 deletion(-)
 create mode 100644 javascript/ql/test/query-tests/Security/CWE-078/form-parsers.js

diff --git a/javascript/ql/src/semmle/javascript/frameworks/Express.qll b/javascript/ql/src/semmle/javascript/frameworks/Express.qll
index e1519892caf..3931f96cbb6 100644
--- a/javascript/ql/src/semmle/javascript/frameworks/Express.qll
+++ b/javascript/ql/src/semmle/javascript/frameworks/Express.qll
@@ -509,8 +509,9 @@ module Express {
         this = request.getAPropertyRead("cookies")
         or
         // `req.files`, treated the same as `req.body`.
+        // `express-fileupload` uses .files, and `multer` uses .files or .file
         kind = "body" and
-        this = request.getAPropertyRead("files")
+        this = request.getAPropertyRead(["files", "file"])
       )
       or
       kind = "body" and
diff --git a/javascript/ql/test/query-tests/Security/CWE-078/CommandInjection.expected b/javascript/ql/test/query-tests/Security/CWE-078/CommandInjection.expected
index 5d9c4fcdb61..ec874655c74 100644
--- a/javascript/ql/test/query-tests/Security/CWE-078/CommandInjection.expected
+++ b/javascript/ql/test/query-tests/Security/CWE-078/CommandInjection.expected
@@ -88,6 +88,18 @@ nodes
 | execSeries.js:18:34:18:40 | req.url |
 | execSeries.js:19:12:19:16 | [cmd] |
 | execSeries.js:19:13:19:15 | cmd |
+| form-parsers.js:9:8:9:39 | "touch  ... nalname |
+| form-parsers.js:9:8:9:39 | "touch  ... nalname |
+| form-parsers.js:9:19:9:26 | req.file |
+| form-parsers.js:9:19:9:26 | req.file |
+| form-parsers.js:9:19:9:39 | req.fil ... nalname |
+| form-parsers.js:13:3:13:11 | req.files |
+| form-parsers.js:13:3:13:11 | req.files |
+| form-parsers.js:13:21:13:24 | file |
+| form-parsers.js:14:10:14:37 | "touch  ... nalname |
+| form-parsers.js:14:10:14:37 | "touch  ... nalname |
+| form-parsers.js:14:21:14:24 | file |
+| form-parsers.js:14:21:14:37 | file.originalname |
 | lib/subLib/index.js:7:32:7:35 | name |
 | lib/subLib/index.js:8:10:8:25 | "rm -rf " + name |
 | lib/subLib/index.js:8:10:8:25 | "rm -rf " + name |
@@ -222,6 +234,16 @@ edges
 | execSeries.js:18:34:18:40 | req.url | execSeries.js:18:13:18:47 | require ... , true) |
 | execSeries.js:19:12:19:16 | [cmd] | execSeries.js:13:19:13:26 | commands |
 | execSeries.js:19:13:19:15 | cmd | execSeries.js:19:12:19:16 | [cmd] |
+| form-parsers.js:9:19:9:26 | req.file | form-parsers.js:9:19:9:39 | req.fil ... nalname |
+| form-parsers.js:9:19:9:26 | req.file | form-parsers.js:9:19:9:39 | req.fil ... nalname |
+| form-parsers.js:9:19:9:39 | req.fil ... nalname | form-parsers.js:9:8:9:39 | "touch  ... nalname |
+| form-parsers.js:9:19:9:39 | req.fil ... nalname | form-parsers.js:9:8:9:39 | "touch  ... nalname |
+| form-parsers.js:13:3:13:11 | req.files | form-parsers.js:13:21:13:24 | file |
+| form-parsers.js:13:3:13:11 | req.files | form-parsers.js:13:21:13:24 | file |
+| form-parsers.js:13:21:13:24 | file | form-parsers.js:14:21:14:24 | file |
+| form-parsers.js:14:21:14:24 | file | form-parsers.js:14:21:14:37 | file.originalname |
+| form-parsers.js:14:21:14:37 | file.originalname | form-parsers.js:14:10:14:37 | "touch  ... nalname |
+| form-parsers.js:14:21:14:37 | file.originalname | form-parsers.js:14:10:14:37 | "touch  ... nalname |
 | lib/subLib/index.js:7:32:7:35 | name | lib/subLib/index.js:8:22:8:25 | name |
 | lib/subLib/index.js:8:22:8:25 | name | lib/subLib/index.js:8:10:8:25 | "rm -rf " + name |
 | lib/subLib/index.js:8:22:8:25 | name | lib/subLib/index.js:8:10:8:25 | "rm -rf " + name |
@@ -293,6 +315,8 @@ edges
 | exec-sh2.js:10:12:10:57 | cp.spaw ... ptions) | exec-sh2.js:14:25:14:31 | req.url | exec-sh2.js:10:40:10:46 | command | This command depends on $@. | exec-sh2.js:14:25:14:31 | req.url | a user-provided value |
 | exec-sh.js:15:12:15:61 | cp.spaw ... ptions) | exec-sh.js:19:25:19:31 | req.url | exec-sh.js:15:44:15:50 | command | This command depends on $@. | exec-sh.js:19:25:19:31 | req.url | a user-provided value |
 | execSeries.js:14:41:14:47 | command | execSeries.js:18:34:18:40 | req.url | execSeries.js:14:41:14:47 | command | This command depends on $@. | execSeries.js:18:34:18:40 | req.url | a user-provided value |
+| form-parsers.js:9:8:9:39 | "touch  ... nalname | form-parsers.js:9:19:9:26 | req.file | form-parsers.js:9:8:9:39 | "touch  ... nalname | This command depends on $@. | form-parsers.js:9:19:9:26 | req.file | a user-provided value |
+| form-parsers.js:14:10:14:37 | "touch  ... nalname | form-parsers.js:13:3:13:11 | req.files | form-parsers.js:14:10:14:37 | "touch  ... nalname | This command depends on $@. | form-parsers.js:13:3:13:11 | req.files | a user-provided value |
 | lib/subLib/index.js:8:10:8:25 | "rm -rf " + name | child_process-test.js:85:37:85:54 | req.query.fileName | lib/subLib/index.js:8:10:8:25 | "rm -rf " + name | This command depends on $@. | child_process-test.js:85:37:85:54 | req.query.fileName | a user-provided value |
 | other.js:7:33:7:35 | cmd | other.js:5:25:5:31 | req.url | other.js:7:33:7:35 | cmd | This command depends on $@. | other.js:5:25:5:31 | req.url | a user-provided value |
 | other.js:8:28:8:30 | cmd | other.js:5:25:5:31 | req.url | other.js:8:28:8:30 | cmd | This command depends on $@. | other.js:5:25:5:31 | req.url | a user-provided value |
diff --git a/javascript/ql/test/query-tests/Security/CWE-078/form-parsers.js b/javascript/ql/test/query-tests/Security/CWE-078/form-parsers.js
new file mode 100644
index 00000000000..34054ee7fc3
--- /dev/null
+++ b/javascript/ql/test/query-tests/Security/CWE-078/form-parsers.js
@@ -0,0 +1,16 @@
+var express = require('express');
+var multer  = require('multer');
+var upload = multer({ dest: 'uploads/' });
+ 
+var app = express();
+var exec = require("child_process").exec;
+ 
+app.post('/profile', upload.single('avatar'), function (req, res, next) {
+  exec("touch " + req.file.originalname); // NOT OK
+});
+ 
+app.post('/photos/upload', upload.array('photos', 12), function (req, res, next) {
+  req.files.forEach(file => {
+    exec("touch " + file.originalname); // NOT OK
+  })
+});

From a03f4ed3cd100e81f5a4c5a7c75a4312ec62dd99 Mon Sep 17 00:00:00 2001
From: Erik Krogh Kristensen <erik-krogh@github.com>
Date: Mon, 8 Feb 2021 21:45:08 +0100
Subject: [PATCH 292/429] add remote flow source for `busboy`

---
 javascript/ql/src/javascript.qll              |  3 +-
 .../javascript/frameworks/FormParsers.qll     | 30 +++++++++++++++++++
 .../CWE-078/CommandInjection.expected         | 10 +++++++
 .../Security/CWE-078/form-parsers.js          | 12 ++++++++
 4 files changed, 54 insertions(+), 1 deletion(-)
 create mode 100644 javascript/ql/src/semmle/javascript/frameworks/FormParsers.qll

diff --git a/javascript/ql/src/javascript.qll b/javascript/ql/src/javascript.qll
index d5c459c4d5c..dcdbcff9a81 100644
--- a/javascript/ql/src/javascript.qll
+++ b/javascript/ql/src/javascript.qll
@@ -85,10 +85,11 @@ import semmle.javascript.frameworks.Electron
 import semmle.javascript.frameworks.EventEmitter
 import semmle.javascript.frameworks.Files
 import semmle.javascript.frameworks.Firebase
-import semmle.javascript.frameworks.Immutable
+import semmle.javascript.frameworks.FormParsers
 import semmle.javascript.frameworks.jQuery
 import semmle.javascript.frameworks.JWT
 import semmle.javascript.frameworks.Handlebars
+import semmle.javascript.frameworks.Immutable
 import semmle.javascript.frameworks.LazyCache
 import semmle.javascript.frameworks.LodashUnderscore
 import semmle.javascript.frameworks.Logging
diff --git a/javascript/ql/src/semmle/javascript/frameworks/FormParsers.qll b/javascript/ql/src/semmle/javascript/frameworks/FormParsers.qll
new file mode 100644
index 00000000000..795aaa0802b
--- /dev/null
+++ b/javascript/ql/src/semmle/javascript/frameworks/FormParsers.qll
@@ -0,0 +1,30 @@
+/**
+ * Provides classes for modelling the server-side form/file parsing libraries.
+ */
+
+import javascript
+
+/**
+ * Classes and predicate modelling the `Busboy` library.
+ */
+module Busboy {
+  /**
+   * A `Busboy` instance that has request data flowing into it.
+   */
+  private DataFlow::NewNode busboy() {
+    result = DataFlow::moduleImport("busboy").getAnInstantiation() and
+    exists(MethodCallExpr pipe |
+      pipe.calls(any(HTTP::RequestExpr req), "pipe") and
+      result.flowsToExpr(pipe.getArgument(0))
+    )
+  }
+
+  /**
+   * A source of remote flow from the `Busboy` library.
+   */
+  class BusBoyRemoteFlow extends RemoteFlowSource {
+    BusBoyRemoteFlow() { this = busboy().getAMemberCall("on").getABoundCallbackParameter(1, _) }
+
+    override string getSourceType() { result = "Busbuy parsed user value" }
+  }
+}
diff --git a/javascript/ql/test/query-tests/Security/CWE-078/CommandInjection.expected b/javascript/ql/test/query-tests/Security/CWE-078/CommandInjection.expected
index ec874655c74..d245b61e0fc 100644
--- a/javascript/ql/test/query-tests/Security/CWE-078/CommandInjection.expected
+++ b/javascript/ql/test/query-tests/Security/CWE-078/CommandInjection.expected
@@ -100,6 +100,11 @@ nodes
 | form-parsers.js:14:10:14:37 | "touch  ... nalname |
 | form-parsers.js:14:21:14:24 | file |
 | form-parsers.js:14:21:14:37 | file.originalname |
+| form-parsers.js:24:48:24:55 | filename |
+| form-parsers.js:24:48:24:55 | filename |
+| form-parsers.js:25:10:25:28 | "touch " + filename |
+| form-parsers.js:25:10:25:28 | "touch " + filename |
+| form-parsers.js:25:21:25:28 | filename |
 | lib/subLib/index.js:7:32:7:35 | name |
 | lib/subLib/index.js:8:10:8:25 | "rm -rf " + name |
 | lib/subLib/index.js:8:10:8:25 | "rm -rf " + name |
@@ -244,6 +249,10 @@ edges
 | form-parsers.js:14:21:14:24 | file | form-parsers.js:14:21:14:37 | file.originalname |
 | form-parsers.js:14:21:14:37 | file.originalname | form-parsers.js:14:10:14:37 | "touch  ... nalname |
 | form-parsers.js:14:21:14:37 | file.originalname | form-parsers.js:14:10:14:37 | "touch  ... nalname |
+| form-parsers.js:24:48:24:55 | filename | form-parsers.js:25:21:25:28 | filename |
+| form-parsers.js:24:48:24:55 | filename | form-parsers.js:25:21:25:28 | filename |
+| form-parsers.js:25:21:25:28 | filename | form-parsers.js:25:10:25:28 | "touch " + filename |
+| form-parsers.js:25:21:25:28 | filename | form-parsers.js:25:10:25:28 | "touch " + filename |
 | lib/subLib/index.js:7:32:7:35 | name | lib/subLib/index.js:8:22:8:25 | name |
 | lib/subLib/index.js:8:22:8:25 | name | lib/subLib/index.js:8:10:8:25 | "rm -rf " + name |
 | lib/subLib/index.js:8:22:8:25 | name | lib/subLib/index.js:8:10:8:25 | "rm -rf " + name |
@@ -317,6 +326,7 @@ edges
 | execSeries.js:14:41:14:47 | command | execSeries.js:18:34:18:40 | req.url | execSeries.js:14:41:14:47 | command | This command depends on $@. | execSeries.js:18:34:18:40 | req.url | a user-provided value |
 | form-parsers.js:9:8:9:39 | "touch  ... nalname | form-parsers.js:9:19:9:26 | req.file | form-parsers.js:9:8:9:39 | "touch  ... nalname | This command depends on $@. | form-parsers.js:9:19:9:26 | req.file | a user-provided value |
 | form-parsers.js:14:10:14:37 | "touch  ... nalname | form-parsers.js:13:3:13:11 | req.files | form-parsers.js:14:10:14:37 | "touch  ... nalname | This command depends on $@. | form-parsers.js:13:3:13:11 | req.files | a user-provided value |
+| form-parsers.js:25:10:25:28 | "touch " + filename | form-parsers.js:24:48:24:55 | filename | form-parsers.js:25:10:25:28 | "touch " + filename | This command depends on $@. | form-parsers.js:24:48:24:55 | filename | a user-provided value |
 | lib/subLib/index.js:8:10:8:25 | "rm -rf " + name | child_process-test.js:85:37:85:54 | req.query.fileName | lib/subLib/index.js:8:10:8:25 | "rm -rf " + name | This command depends on $@. | child_process-test.js:85:37:85:54 | req.query.fileName | a user-provided value |
 | other.js:7:33:7:35 | cmd | other.js:5:25:5:31 | req.url | other.js:7:33:7:35 | cmd | This command depends on $@. | other.js:5:25:5:31 | req.url | a user-provided value |
 | other.js:8:28:8:30 | cmd | other.js:5:25:5:31 | req.url | other.js:8:28:8:30 | cmd | This command depends on $@. | other.js:5:25:5:31 | req.url | a user-provided value |
diff --git a/javascript/ql/test/query-tests/Security/CWE-078/form-parsers.js b/javascript/ql/test/query-tests/Security/CWE-078/form-parsers.js
index 34054ee7fc3..02e117f085a 100644
--- a/javascript/ql/test/query-tests/Security/CWE-078/form-parsers.js
+++ b/javascript/ql/test/query-tests/Security/CWE-078/form-parsers.js
@@ -14,3 +14,15 @@ app.post('/photos/upload', upload.array('photos', 12), function (req, res, next)
     exec("touch " + file.originalname); // NOT OK
   })
 });
+
+
+var http = require('http');
+var Busboy = require('busboy');
+
+http.createServer(function (req, res) {
+  var busboy = new Busboy({ headers: req.headers });
+  busboy.on('file', function (fieldname, file, filename, encoding, mimetype) {
+    exec("touch " + filename); // NOT OK
+  });
+  req.pipe(busboy);
+}).listen(8000);

From 61b4ffec3d818cf02d252a794a6df5d95ee81aaa Mon Sep 17 00:00:00 2001
From: Erik Krogh Kristensen <erik-krogh@github.com>
Date: Tue, 9 Feb 2021 10:16:25 +0100
Subject: [PATCH 293/429] add remote flow from the `Formidable` library

---
 .../javascript/frameworks/FormParsers.qll     | 24 ++++++++++++++++++-
 .../CWE-078/CommandInjection.expected         | 24 +++++++++++++++++++
 .../Security/CWE-078/form-parsers.js          | 15 ++++++++++++
 3 files changed, 62 insertions(+), 1 deletion(-)

diff --git a/javascript/ql/src/semmle/javascript/frameworks/FormParsers.qll b/javascript/ql/src/semmle/javascript/frameworks/FormParsers.qll
index 795aaa0802b..c43eb57b8b4 100644
--- a/javascript/ql/src/semmle/javascript/frameworks/FormParsers.qll
+++ b/javascript/ql/src/semmle/javascript/frameworks/FormParsers.qll
@@ -7,7 +7,7 @@ import javascript
 /**
  * Classes and predicate modelling the `Busboy` library.
  */
-module Busboy {
+private module Busboy {
   /**
    * A `Busboy` instance that has request data flowing into it.
    */
@@ -28,3 +28,25 @@ module Busboy {
     override string getSourceType() { result = "Busbuy parsed user value" }
   }
 }
+
+/**
+ * A source of remote flow from the `Formidable` library parsing a HTTP request.
+ */
+private class FormidableRemoteFlow extends RemoteFlowSource {
+  FormidableRemoteFlow() {
+    exists(DataFlow::CallNode parse, DataFlow::InvokeNode formidable |
+      formidable = DataFlow::moduleImport("formidable").getACall()
+      or
+      formidable = DataFlow::moduleMember("formidable", "formidable").getACall()
+      or
+      formidable =
+        DataFlow::moduleMember("formidable", ["IncomingForm", "Formidable"]).getAnInstantiation()
+    |
+      parse = formidable.getAMemberCall("parse") and
+      parse.getArgument(0).asExpr() instanceof HTTP::RequestExpr and
+      this = parse.getABoundCallbackParameter(1, any(int i | i > 0))
+    )
+  }
+
+  override string getSourceType() { result = "Formidable parsed user value" }
+}
diff --git a/javascript/ql/test/query-tests/Security/CWE-078/CommandInjection.expected b/javascript/ql/test/query-tests/Security/CWE-078/CommandInjection.expected
index d245b61e0fc..e0440f1d338 100644
--- a/javascript/ql/test/query-tests/Security/CWE-078/CommandInjection.expected
+++ b/javascript/ql/test/query-tests/Security/CWE-078/CommandInjection.expected
@@ -105,6 +105,18 @@ nodes
 | form-parsers.js:25:10:25:28 | "touch " + filename |
 | form-parsers.js:25:10:25:28 | "touch " + filename |
 | form-parsers.js:25:21:25:28 | filename |
+| form-parsers.js:35:25:35:30 | fields |
+| form-parsers.js:35:25:35:30 | fields |
+| form-parsers.js:36:10:36:31 | "touch  ... ds.name |
+| form-parsers.js:36:10:36:31 | "touch  ... ds.name |
+| form-parsers.js:36:21:36:26 | fields |
+| form-parsers.js:36:21:36:31 | fields.name |
+| form-parsers.js:40:26:40:31 | fields |
+| form-parsers.js:40:26:40:31 | fields |
+| form-parsers.js:41:10:41:31 | "touch  ... ds.name |
+| form-parsers.js:41:10:41:31 | "touch  ... ds.name |
+| form-parsers.js:41:21:41:26 | fields |
+| form-parsers.js:41:21:41:31 | fields.name |
 | lib/subLib/index.js:7:32:7:35 | name |
 | lib/subLib/index.js:8:10:8:25 | "rm -rf " + name |
 | lib/subLib/index.js:8:10:8:25 | "rm -rf " + name |
@@ -253,6 +265,16 @@ edges
 | form-parsers.js:24:48:24:55 | filename | form-parsers.js:25:21:25:28 | filename |
 | form-parsers.js:25:21:25:28 | filename | form-parsers.js:25:10:25:28 | "touch " + filename |
 | form-parsers.js:25:21:25:28 | filename | form-parsers.js:25:10:25:28 | "touch " + filename |
+| form-parsers.js:35:25:35:30 | fields | form-parsers.js:36:21:36:26 | fields |
+| form-parsers.js:35:25:35:30 | fields | form-parsers.js:36:21:36:26 | fields |
+| form-parsers.js:36:21:36:26 | fields | form-parsers.js:36:21:36:31 | fields.name |
+| form-parsers.js:36:21:36:31 | fields.name | form-parsers.js:36:10:36:31 | "touch  ... ds.name |
+| form-parsers.js:36:21:36:31 | fields.name | form-parsers.js:36:10:36:31 | "touch  ... ds.name |
+| form-parsers.js:40:26:40:31 | fields | form-parsers.js:41:21:41:26 | fields |
+| form-parsers.js:40:26:40:31 | fields | form-parsers.js:41:21:41:26 | fields |
+| form-parsers.js:41:21:41:26 | fields | form-parsers.js:41:21:41:31 | fields.name |
+| form-parsers.js:41:21:41:31 | fields.name | form-parsers.js:41:10:41:31 | "touch  ... ds.name |
+| form-parsers.js:41:21:41:31 | fields.name | form-parsers.js:41:10:41:31 | "touch  ... ds.name |
 | lib/subLib/index.js:7:32:7:35 | name | lib/subLib/index.js:8:22:8:25 | name |
 | lib/subLib/index.js:8:22:8:25 | name | lib/subLib/index.js:8:10:8:25 | "rm -rf " + name |
 | lib/subLib/index.js:8:22:8:25 | name | lib/subLib/index.js:8:10:8:25 | "rm -rf " + name |
@@ -327,6 +349,8 @@ edges
 | form-parsers.js:9:8:9:39 | "touch  ... nalname | form-parsers.js:9:19:9:26 | req.file | form-parsers.js:9:8:9:39 | "touch  ... nalname | This command depends on $@. | form-parsers.js:9:19:9:26 | req.file | a user-provided value |
 | form-parsers.js:14:10:14:37 | "touch  ... nalname | form-parsers.js:13:3:13:11 | req.files | form-parsers.js:14:10:14:37 | "touch  ... nalname | This command depends on $@. | form-parsers.js:13:3:13:11 | req.files | a user-provided value |
 | form-parsers.js:25:10:25:28 | "touch " + filename | form-parsers.js:24:48:24:55 | filename | form-parsers.js:25:10:25:28 | "touch " + filename | This command depends on $@. | form-parsers.js:24:48:24:55 | filename | a user-provided value |
+| form-parsers.js:36:10:36:31 | "touch  ... ds.name | form-parsers.js:35:25:35:30 | fields | form-parsers.js:36:10:36:31 | "touch  ... ds.name | This command depends on $@. | form-parsers.js:35:25:35:30 | fields | a user-provided value |
+| form-parsers.js:41:10:41:31 | "touch  ... ds.name | form-parsers.js:40:26:40:31 | fields | form-parsers.js:41:10:41:31 | "touch  ... ds.name | This command depends on $@. | form-parsers.js:40:26:40:31 | fields | a user-provided value |
 | lib/subLib/index.js:8:10:8:25 | "rm -rf " + name | child_process-test.js:85:37:85:54 | req.query.fileName | lib/subLib/index.js:8:10:8:25 | "rm -rf " + name | This command depends on $@. | child_process-test.js:85:37:85:54 | req.query.fileName | a user-provided value |
 | other.js:7:33:7:35 | cmd | other.js:5:25:5:31 | req.url | other.js:7:33:7:35 | cmd | This command depends on $@. | other.js:5:25:5:31 | req.url | a user-provided value |
 | other.js:8:28:8:30 | cmd | other.js:5:25:5:31 | req.url | other.js:8:28:8:30 | cmd | This command depends on $@. | other.js:5:25:5:31 | req.url | a user-provided value |
diff --git a/javascript/ql/test/query-tests/Security/CWE-078/form-parsers.js b/javascript/ql/test/query-tests/Security/CWE-078/form-parsers.js
index 02e117f085a..75c6cf910e3 100644
--- a/javascript/ql/test/query-tests/Security/CWE-078/form-parsers.js
+++ b/javascript/ql/test/query-tests/Security/CWE-078/form-parsers.js
@@ -26,3 +26,18 @@ http.createServer(function (req, res) {
   });
   req.pipe(busboy);
 }).listen(8000);
+
+
+const formidable = require('formidable'); 
+app.post('/api/upload', (req, res, next) => {
+  let form = formidable({ multiples: true });
+ 
+  form.parse(req, (err, fields, files) => {
+    exec("touch " + fields.name); // NOT OK
+  });
+
+  let form2 = new formidable.IncomingForm();
+  form2.parse(req, (err, fields, files) => {
+    exec("touch " + fields.name); // NOT OK
+  });
+});

From 010d580f8e4b44abe579451c5fcd7e20e22e7ed5 Mon Sep 17 00:00:00 2001
From: Erik Krogh Kristensen <erik-krogh@github.com>
Date: Tue, 9 Feb 2021 11:00:16 +0100
Subject: [PATCH 294/429] add model for `multiparty`

---
 .../javascript/frameworks/FormParsers.qll     | 37 ++++++++++++++++++-
 .../CWE-078/CommandInjection.expected         | 24 ++++++++++++
 .../Security/CWE-078/form-parsers.js          | 20 ++++++++++
 3 files changed, 79 insertions(+), 2 deletions(-)

diff --git a/javascript/ql/src/semmle/javascript/frameworks/FormParsers.qll b/javascript/ql/src/semmle/javascript/frameworks/FormParsers.qll
index c43eb57b8b4..e8f9b76a40e 100644
--- a/javascript/ql/src/semmle/javascript/frameworks/FormParsers.qll
+++ b/javascript/ql/src/semmle/javascript/frameworks/FormParsers.qll
@@ -25,7 +25,7 @@ private module Busboy {
   class BusBoyRemoteFlow extends RemoteFlowSource {
     BusBoyRemoteFlow() { this = busboy().getAMemberCall("on").getABoundCallbackParameter(1, _) }
 
-    override string getSourceType() { result = "Busbuy parsed user value" }
+    override string getSourceType() { result = "parsed user value from Busbuy" }
   }
 }
 
@@ -48,5 +48,38 @@ private class FormidableRemoteFlow extends RemoteFlowSource {
     )
   }
 
-  override string getSourceType() { result = "Formidable parsed user value" }
+  override string getSourceType() { result = "parsed user value from Formidable" }
+}
+
+/**
+ * Predicates and classes modelling the `multiparty` library.
+ */
+private module Multiparty {
+  /**
+   * Gets an instance of of `Multiparty` form parser that parses a HTTP request object.
+   * The `parse` call is the method call that receives the HTTP request object.
+   */
+  private DataFlow::SourceNode form(DataFlow::MethodCallNode parse) {
+    result = DataFlow::moduleMember("multiparty", "Form").getAnInstantiation() and
+    parse = result.getAMethodCall("parse") and
+    parse.getArgument(0).asExpr() instanceof HTTP::RequestExpr
+  }
+
+  /**
+   * A source of remote flow from the `Multiparty` library.
+   */
+  class MultipartyRemoteFlow extends RemoteFlowSource {
+    MultipartyRemoteFlow() {
+      exists(DataFlow::MethodCallNode parse | exists(form(parse)) |
+        this = parse.getABoundCallbackParameter(1, any(int i | i > 0))
+      )
+      or
+      exists(DataFlow::MethodCallNode on | on = form(_).getAMethodCall("on") |
+        on.getArgument(0).mayHaveStringValue(["part", "file", "field"]) and
+        this = on.getABoundCallbackParameter(1, _)
+      )
+    }
+
+    override string getSourceType() { result = "parsed user value from Multiparty" }
+  }
 }
diff --git a/javascript/ql/test/query-tests/Security/CWE-078/CommandInjection.expected b/javascript/ql/test/query-tests/Security/CWE-078/CommandInjection.expected
index e0440f1d338..3878bbc2088 100644
--- a/javascript/ql/test/query-tests/Security/CWE-078/CommandInjection.expected
+++ b/javascript/ql/test/query-tests/Security/CWE-078/CommandInjection.expected
@@ -117,6 +117,18 @@ nodes
 | form-parsers.js:41:10:41:31 | "touch  ... ds.name |
 | form-parsers.js:41:21:41:26 | fields |
 | form-parsers.js:41:21:41:31 | fields.name |
+| form-parsers.js:52:34:52:39 | fields |
+| form-parsers.js:52:34:52:39 | fields |
+| form-parsers.js:53:10:53:31 | "touch  ... ds.name |
+| form-parsers.js:53:10:53:31 | "touch  ... ds.name |
+| form-parsers.js:53:21:53:26 | fields |
+| form-parsers.js:53:21:53:31 | fields.name |
+| form-parsers.js:58:30:58:33 | part |
+| form-parsers.js:58:30:58:33 | part |
+| form-parsers.js:59:10:59:33 | "touch  ... ilename |
+| form-parsers.js:59:10:59:33 | "touch  ... ilename |
+| form-parsers.js:59:21:59:24 | part |
+| form-parsers.js:59:21:59:33 | part.filename |
 | lib/subLib/index.js:7:32:7:35 | name |
 | lib/subLib/index.js:8:10:8:25 | "rm -rf " + name |
 | lib/subLib/index.js:8:10:8:25 | "rm -rf " + name |
@@ -275,6 +287,16 @@ edges
 | form-parsers.js:41:21:41:26 | fields | form-parsers.js:41:21:41:31 | fields.name |
 | form-parsers.js:41:21:41:31 | fields.name | form-parsers.js:41:10:41:31 | "touch  ... ds.name |
 | form-parsers.js:41:21:41:31 | fields.name | form-parsers.js:41:10:41:31 | "touch  ... ds.name |
+| form-parsers.js:52:34:52:39 | fields | form-parsers.js:53:21:53:26 | fields |
+| form-parsers.js:52:34:52:39 | fields | form-parsers.js:53:21:53:26 | fields |
+| form-parsers.js:53:21:53:26 | fields | form-parsers.js:53:21:53:31 | fields.name |
+| form-parsers.js:53:21:53:31 | fields.name | form-parsers.js:53:10:53:31 | "touch  ... ds.name |
+| form-parsers.js:53:21:53:31 | fields.name | form-parsers.js:53:10:53:31 | "touch  ... ds.name |
+| form-parsers.js:58:30:58:33 | part | form-parsers.js:59:21:59:24 | part |
+| form-parsers.js:58:30:58:33 | part | form-parsers.js:59:21:59:24 | part |
+| form-parsers.js:59:21:59:24 | part | form-parsers.js:59:21:59:33 | part.filename |
+| form-parsers.js:59:21:59:33 | part.filename | form-parsers.js:59:10:59:33 | "touch  ... ilename |
+| form-parsers.js:59:21:59:33 | part.filename | form-parsers.js:59:10:59:33 | "touch  ... ilename |
 | lib/subLib/index.js:7:32:7:35 | name | lib/subLib/index.js:8:22:8:25 | name |
 | lib/subLib/index.js:8:22:8:25 | name | lib/subLib/index.js:8:10:8:25 | "rm -rf " + name |
 | lib/subLib/index.js:8:22:8:25 | name | lib/subLib/index.js:8:10:8:25 | "rm -rf " + name |
@@ -351,6 +373,8 @@ edges
 | form-parsers.js:25:10:25:28 | "touch " + filename | form-parsers.js:24:48:24:55 | filename | form-parsers.js:25:10:25:28 | "touch " + filename | This command depends on $@. | form-parsers.js:24:48:24:55 | filename | a user-provided value |
 | form-parsers.js:36:10:36:31 | "touch  ... ds.name | form-parsers.js:35:25:35:30 | fields | form-parsers.js:36:10:36:31 | "touch  ... ds.name | This command depends on $@. | form-parsers.js:35:25:35:30 | fields | a user-provided value |
 | form-parsers.js:41:10:41:31 | "touch  ... ds.name | form-parsers.js:40:26:40:31 | fields | form-parsers.js:41:10:41:31 | "touch  ... ds.name | This command depends on $@. | form-parsers.js:40:26:40:31 | fields | a user-provided value |
+| form-parsers.js:53:10:53:31 | "touch  ... ds.name | form-parsers.js:52:34:52:39 | fields | form-parsers.js:53:10:53:31 | "touch  ... ds.name | This command depends on $@. | form-parsers.js:52:34:52:39 | fields | a user-provided value |
+| form-parsers.js:59:10:59:33 | "touch  ... ilename | form-parsers.js:58:30:58:33 | part | form-parsers.js:59:10:59:33 | "touch  ... ilename | This command depends on $@. | form-parsers.js:58:30:58:33 | part | a user-provided value |
 | lib/subLib/index.js:8:10:8:25 | "rm -rf " + name | child_process-test.js:85:37:85:54 | req.query.fileName | lib/subLib/index.js:8:10:8:25 | "rm -rf " + name | This command depends on $@. | child_process-test.js:85:37:85:54 | req.query.fileName | a user-provided value |
 | other.js:7:33:7:35 | cmd | other.js:5:25:5:31 | req.url | other.js:7:33:7:35 | cmd | This command depends on $@. | other.js:5:25:5:31 | req.url | a user-provided value |
 | other.js:8:28:8:30 | cmd | other.js:5:25:5:31 | req.url | other.js:8:28:8:30 | cmd | This command depends on $@. | other.js:5:25:5:31 | req.url | a user-provided value |
diff --git a/javascript/ql/test/query-tests/Security/CWE-078/form-parsers.js b/javascript/ql/test/query-tests/Security/CWE-078/form-parsers.js
index 75c6cf910e3..4b1dabde441 100644
--- a/javascript/ql/test/query-tests/Security/CWE-078/form-parsers.js
+++ b/javascript/ql/test/query-tests/Security/CWE-078/form-parsers.js
@@ -41,3 +41,23 @@ app.post('/api/upload', (req, res, next) => {
     exec("touch " + fields.name); // NOT OK
   });
 });
+
+var multiparty = require('multiparty');
+var http = require('http');
+
+http.createServer(function (req, res) {
+  // parse a file upload
+  var form = new multiparty.Form();
+
+  form.parse(req, function (err, fields, files) {
+    exec("touch " + fields.name); // NOT OK
+  });
+
+
+  var form2 = new multiparty.Form();
+  form2.on('part', function (part) { // / file / field
+    exec("touch " + part.filename); // NOT OK
+  });
+  form2.parse(req);
+
+}).listen(8080);

From 044f80215e812797de0f6bce94e229b85f686b68 Mon Sep 17 00:00:00 2001
From: Erik Krogh Kristensen <erik-krogh@github.com>
Date: Tue, 9 Feb 2021 11:20:07 +0100
Subject: [PATCH 295/429] add change note

---
 javascript/change-notes/2021-02-09-form-parsers.md | 6 ++++++
 1 file changed, 6 insertions(+)
 create mode 100644 javascript/change-notes/2021-02-09-form-parsers.md

diff --git a/javascript/change-notes/2021-02-09-form-parsers.md b/javascript/change-notes/2021-02-09-form-parsers.md
new file mode 100644
index 00000000000..4ad87cff32b
--- /dev/null
+++ b/javascript/change-notes/2021-02-09-form-parsers.md
@@ -0,0 +1,6 @@
+lgtm,codescanning
+* Server side form parsing libraries are now recognized as source of remote user input. 
+    [multer](https://www.npmjs.com/package/multer) and
+    [busboy](https://www.npmjs.com/package/busboy) and
+    [formidable](https://www.npmjs.com/package/formidable) and
+    [multiparty](https://www.npmjs.com/package/formidable)
\ No newline at end of file

From 3ee0029cd87f4882fd9bf6afefc4c2e3e7bcde28 Mon Sep 17 00:00:00 2001
From: Erik Krogh Kristensen <erik-krogh@github.com>
Date: Thu, 11 Feb 2021 13:33:42 +0100
Subject: [PATCH 296/429] Update
 javascript/change-notes/2021-02-08-xml-parser-taint.md

Co-authored-by: Asger F <asgerf@github.com>
---
 javascript/change-notes/2021-02-08-xml-parser-taint.md | 8 ++++----
 1 file changed, 4 insertions(+), 4 deletions(-)

diff --git a/javascript/change-notes/2021-02-08-xml-parser-taint.md b/javascript/change-notes/2021-02-08-xml-parser-taint.md
index ab59b4f3b92..2028be3e06f 100644
--- a/javascript/change-notes/2021-02-08-xml-parser-taint.md
+++ b/javascript/change-notes/2021-02-08-xml-parser-taint.md
@@ -1,8 +1,8 @@
 lgtm,codescanning
 * The security queries now track taint through XML parsers. 
   Affected packages are
-    [xml2js](https://www.npmjs.com/package/xml2js) and
-    [sax](https://www.npmjs.com/package/sax) and
-    [xml-js](https://www.npmjs.com/package/xml-js) and
-    [htmlparser2](https://www.npmjs.com/package/htmlparser2) and
+    [xml2js](https://www.npmjs.com/package/xml2js),
+    [sax](https://www.npmjs.com/package/sax),
+    [xml-js](https://www.npmjs.com/package/xml-js),
+    [htmlparser2](https://www.npmjs.com/package/htmlparser2), and
     [node-expat](https://www.npmjs.com/package/node-expat)

From f12c38425fe4bde58785b9662b2f6f7800d7bb90 Mon Sep 17 00:00:00 2001
From: Erik Krogh Kristensen <erik-krogh@github.com>
Date: Wed, 10 Feb 2021 18:14:45 +0100
Subject: [PATCH 297/429] add change-note

---
 javascript/change-notes/2021-02-10-markdown.md | 8 ++++++++
 1 file changed, 8 insertions(+)
 create mode 100644 javascript/change-notes/2021-02-10-markdown.md

diff --git a/javascript/change-notes/2021-02-10-markdown.md b/javascript/change-notes/2021-02-10-markdown.md
new file mode 100644
index 00000000000..3ee12ae65f3
--- /dev/null
+++ b/javascript/change-notes/2021-02-10-markdown.md
@@ -0,0 +1,8 @@
+lgtm,codescanning
+* The dataflow libraries now model dataflow in markdown parses.
+  Affected packages are
+    [marked](https://npmjs.com/package/marked), 
+    [markdown-table](https://npmjs.com/package/markdown-table), 
+    [showdown](https://npmjs.com/package/showdown), 
+    [unified](https://npmjs.com/package/unified), and
+    [remark](https://npmjs.com/package/remark)

From d14586de56ed4b82765a3cc5ce21d55161e8e845 Mon Sep 17 00:00:00 2001
From: Erik Krogh Kristensen <erik-krogh@github.com>
Date: Thu, 11 Feb 2021 14:41:45 +0100
Subject: [PATCH 298/429] add two non ReDoS regular expressions to the ReDoS
 test suite

Adds the regular expression from #5145
---
 javascript/ql/test/query-tests/Performance/ReDoS/tst.js | 4 ++++
 1 file changed, 4 insertions(+)

diff --git a/javascript/ql/test/query-tests/Performance/ReDoS/tst.js b/javascript/ql/test/query-tests/Performance/ReDoS/tst.js
index 68549d11e3d..ef45c7f87bd 100644
--- a/javascript/ql/test/query-tests/Performance/ReDoS/tst.js
+++ b/javascript/ql/test/query-tests/Performance/ReDoS/tst.js
@@ -351,3 +351,7 @@ var bad79 = /(a*)*b/;
 var bad80 = /(a+)*b/;
 var bad81 = /(a*)+b/;
 var bad82 = /(a+)+b/;
+
+// GOOD
+var good40 = /(a|b)+/;
+var good41 = /(?:[\s;,"'<>(){}|[\]@=+*]|:(?![/\\]))+/;

From ea30598a08899da1087517e244c3854697107d73 Mon Sep 17 00:00:00 2001
From: Taus Brock-Nannestad <tausbn@github.com>
Date: Thu, 11 Feb 2021 16:07:39 +0100
Subject: [PATCH 299/429] Python: Split dotted names more efficiently

---
 python/ql/src/semmle/python/ApiGraphs.qll | 9 ++++-----
 1 file changed, 4 insertions(+), 5 deletions(-)

diff --git a/python/ql/src/semmle/python/ApiGraphs.qll b/python/ql/src/semmle/python/ApiGraphs.qll
index 7ad2a795c73..ef29996fd5b 100644
--- a/python/ql/src/semmle/python/ApiGraphs.qll
+++ b/python/ql/src/semmle/python/ApiGraphs.qll
@@ -319,12 +319,11 @@ module API {
      * For instance, `prefix_member("foo.bar", "baz", "foo.bar.baz")` would hold.
      */
     private predicate prefix_member(TApiNode base, string member, TApiNode sub) {
-      exists(string base_str, string sub_str |
-        base = MkModuleImport(base_str) and
+      exists(string sub_str, string regexp |
+        regexp = "(.+)[.]([^.]+)" and
+        base = MkModuleImport(sub_str.regexpCapture(regexp, 1)) and
+        member = sub_str.regexpCapture(regexp, 2) and
         sub = MkModuleImport(sub_str)
-      |
-        base_str + "." + member = sub_str and
-        not member.matches("%.%")
       )
     }
 

From 4c66071f5f976b42b094b179d2b3da4b7ed638e3 Mon Sep 17 00:00:00 2001
From: Taus Brock-Nannestad <tausbn@github.com>
Date: Thu, 11 Feb 2021 16:08:28 +0100
Subject: [PATCH 300/429] Python: Revert "Python: Support
 `moduleImport("dotted.name")` in API graphs"

This reverts commit 2c4a477a4e2ba8eda5185feb2268154a7f5932a5.

It's probably best _not_ to do this, as any `getMember` cycle in the
API graph will lead to nontermination.
---
 python/ql/src/semmle/python/ApiGraphs.qll | 12 +++++-------
 1 file changed, 5 insertions(+), 7 deletions(-)

diff --git a/python/ql/src/semmle/python/ApiGraphs.qll b/python/ql/src/semmle/python/ApiGraphs.qll
index ef29996fd5b..40a3bf4f756 100644
--- a/python/ql/src/semmle/python/ApiGraphs.qll
+++ b/python/ql/src/semmle/python/ApiGraphs.qll
@@ -209,14 +209,12 @@ module API {
 
   /**
    * Gets a node corresponding to an import of module `m`.
+   *
+   * Note: You should only use this predicate for top level modules. If you want nodes corresponding to a submodule,
+   * you should use `.getMember` on the parent module. For example, for nodes corresponding to the module `foo.bar`,
+   * use `moduleImport("foo").getMember("bar")`.
    */
-  Node moduleImport(string m) {
-    result = Impl::MkModuleImport(m)
-    or
-    exists(string before_dot, string after_dot | before_dot + "." + after_dot = m |
-      result = moduleImport(before_dot).getMember(after_dot)
-    )
-  }
+  Node moduleImport(string m) { result = Impl::MkModuleImport(m) }
 
   /**
    * Provides the actual implementation of API graphs, cached for performance.

From 69d8aa143c6532f0e07340698cdb082fcf091e14 Mon Sep 17 00:00:00 2001
From: Erik Krogh Kristensen <erik-krogh@github.com>
Date: Thu, 11 Feb 2021 16:16:46 +0100
Subject: [PATCH 301/429] add taint step for the `snarkdown` libary

---
 .../change-notes/2021-02-10-markdown.md       |  1 +
 .../semmle/javascript/frameworks/Markdown.qll | 12 ++++++++++
 .../ReflectedXss/ReflectedXss.expected        | 23 +++++++++++++++++++
 .../CWE-079/ReflectedXss/ReflectedXss.js      |  9 ++++++++
 .../ReflectedXssWithCustomSanitizer.expected  |  3 +++
 5 files changed, 48 insertions(+)

diff --git a/javascript/change-notes/2021-02-10-markdown.md b/javascript/change-notes/2021-02-10-markdown.md
index 3ee12ae65f3..b3c843db0f5 100644
--- a/javascript/change-notes/2021-02-10-markdown.md
+++ b/javascript/change-notes/2021-02-10-markdown.md
@@ -4,5 +4,6 @@ lgtm,codescanning
     [marked](https://npmjs.com/package/marked), 
     [markdown-table](https://npmjs.com/package/markdown-table), 
     [showdown](https://npmjs.com/package/showdown), 
+    [snarkdown](https://npmjs.com/package/snarkdown), 
     [unified](https://npmjs.com/package/unified), and
     [remark](https://npmjs.com/package/remark)
diff --git a/javascript/ql/src/semmle/javascript/frameworks/Markdown.qll b/javascript/ql/src/semmle/javascript/frameworks/Markdown.qll
index 0ea930a3453..bff1c364d00 100644
--- a/javascript/ql/src/semmle/javascript/frameworks/Markdown.qll
+++ b/javascript/ql/src/semmle/javascript/frameworks/Markdown.qll
@@ -106,3 +106,15 @@ private module Unified {
     }
   }
 }
+
+/**
+ * A taint step for the `snarkdown` library.
+ */
+private class SnarkdownStep extends TaintTracking::AdditionalTaintStep, DataFlow::CallNode {
+  SnarkdownStep() { this = DataFlow::moduleImport("snarkdown").getACall() }
+
+  override predicate step(DataFlow::Node pred, DataFlow::Node succ) {
+    this = succ and
+    pred = this.getArgument(0)
+  }
+}
diff --git a/javascript/ql/test/query-tests/Security/CWE-079/ReflectedXss/ReflectedXss.expected b/javascript/ql/test/query-tests/Security/CWE-079/ReflectedXss/ReflectedXss.expected
index cc01ba98932..e0f353a9d32 100644
--- a/javascript/ql/test/query-tests/Security/CWE-079/ReflectedXss/ReflectedXss.expected
+++ b/javascript/ql/test/query-tests/Security/CWE-079/ReflectedXss/ReflectedXss.expected
@@ -55,6 +55,17 @@ nodes
 | ReflectedXss.js:74:34:74:34 | f |
 | ReflectedXss.js:75:14:75:14 | f |
 | ReflectedXss.js:75:14:75:14 | f |
+| ReflectedXss.js:83:12:83:19 | req.body |
+| ReflectedXss.js:83:12:83:19 | req.body |
+| ReflectedXss.js:83:12:83:19 | req.body |
+| ReflectedXss.js:84:12:84:30 | snarkdown(req.body) |
+| ReflectedXss.js:84:12:84:30 | snarkdown(req.body) |
+| ReflectedXss.js:84:22:84:29 | req.body |
+| ReflectedXss.js:84:22:84:29 | req.body |
+| ReflectedXss.js:85:12:85:31 | snarkdown2(req.body) |
+| ReflectedXss.js:85:12:85:31 | snarkdown2(req.body) |
+| ReflectedXss.js:85:23:85:30 | req.body |
+| ReflectedXss.js:85:23:85:30 | req.body |
 | ReflectedXssContentTypes.js:10:14:10:36 | "FOO: " ... rams.id |
 | ReflectedXssContentTypes.js:10:14:10:36 | "FOO: " ... rams.id |
 | ReflectedXssContentTypes.js:10:24:10:36 | req.params.id |
@@ -183,6 +194,15 @@ edges
 | ReflectedXss.js:74:20:74:27 | req.body | ReflectedXss.js:74:34:74:34 | f |
 | ReflectedXss.js:74:34:74:34 | f | ReflectedXss.js:75:14:75:14 | f |
 | ReflectedXss.js:74:34:74:34 | f | ReflectedXss.js:75:14:75:14 | f |
+| ReflectedXss.js:83:12:83:19 | req.body | ReflectedXss.js:83:12:83:19 | req.body |
+| ReflectedXss.js:84:22:84:29 | req.body | ReflectedXss.js:84:12:84:30 | snarkdown(req.body) |
+| ReflectedXss.js:84:22:84:29 | req.body | ReflectedXss.js:84:12:84:30 | snarkdown(req.body) |
+| ReflectedXss.js:84:22:84:29 | req.body | ReflectedXss.js:84:12:84:30 | snarkdown(req.body) |
+| ReflectedXss.js:84:22:84:29 | req.body | ReflectedXss.js:84:12:84:30 | snarkdown(req.body) |
+| ReflectedXss.js:85:23:85:30 | req.body | ReflectedXss.js:85:12:85:31 | snarkdown2(req.body) |
+| ReflectedXss.js:85:23:85:30 | req.body | ReflectedXss.js:85:12:85:31 | snarkdown2(req.body) |
+| ReflectedXss.js:85:23:85:30 | req.body | ReflectedXss.js:85:12:85:31 | snarkdown2(req.body) |
+| ReflectedXss.js:85:23:85:30 | req.body | ReflectedXss.js:85:12:85:31 | snarkdown2(req.body) |
 | ReflectedXssContentTypes.js:10:24:10:36 | req.params.id | ReflectedXssContentTypes.js:10:14:10:36 | "FOO: " ... rams.id |
 | ReflectedXssContentTypes.js:10:24:10:36 | req.params.id | ReflectedXssContentTypes.js:10:14:10:36 | "FOO: " ... rams.id |
 | ReflectedXssContentTypes.js:10:24:10:36 | req.params.id | ReflectedXssContentTypes.js:10:14:10:36 | "FOO: " ... rams.id |
@@ -272,6 +292,9 @@ edges
 | ReflectedXss.js:68:12:68:52 | remark( ... tring() | ReflectedXss.js:68:33:68:40 | req.body | ReflectedXss.js:68:12:68:52 | remark( ... tring() | Cross-site scripting vulnerability due to $@. | ReflectedXss.js:68:33:68:40 | req.body | user-provided value |
 | ReflectedXss.js:72:12:72:65 | unified ... oString | ReflectedXss.js:72:48:72:55 | req.body | ReflectedXss.js:72:12:72:65 | unified ... oString | Cross-site scripting vulnerability due to $@. | ReflectedXss.js:72:48:72:55 | req.body | user-provided value |
 | ReflectedXss.js:75:14:75:14 | f | ReflectedXss.js:74:20:74:27 | req.body | ReflectedXss.js:75:14:75:14 | f | Cross-site scripting vulnerability due to $@. | ReflectedXss.js:74:20:74:27 | req.body | user-provided value |
+| ReflectedXss.js:83:12:83:19 | req.body | ReflectedXss.js:83:12:83:19 | req.body | ReflectedXss.js:83:12:83:19 | req.body | Cross-site scripting vulnerability due to $@. | ReflectedXss.js:83:12:83:19 | req.body | user-provided value |
+| ReflectedXss.js:84:12:84:30 | snarkdown(req.body) | ReflectedXss.js:84:22:84:29 | req.body | ReflectedXss.js:84:12:84:30 | snarkdown(req.body) | Cross-site scripting vulnerability due to $@. | ReflectedXss.js:84:22:84:29 | req.body | user-provided value |
+| ReflectedXss.js:85:12:85:31 | snarkdown2(req.body) | ReflectedXss.js:85:23:85:30 | req.body | ReflectedXss.js:85:12:85:31 | snarkdown2(req.body) | Cross-site scripting vulnerability due to $@. | ReflectedXss.js:85:23:85:30 | req.body | user-provided value |
 | ReflectedXssContentTypes.js:10:14:10:36 | "FOO: " ... rams.id | ReflectedXssContentTypes.js:10:24:10:36 | req.params.id | ReflectedXssContentTypes.js:10:14:10:36 | "FOO: " ... rams.id | Cross-site scripting vulnerability due to $@. | ReflectedXssContentTypes.js:10:24:10:36 | req.params.id | user-provided value |
 | ReflectedXssContentTypes.js:20:14:20:36 | "FOO: " ... rams.id | ReflectedXssContentTypes.js:20:24:20:36 | req.params.id | ReflectedXssContentTypes.js:20:14:20:36 | "FOO: " ... rams.id | Cross-site scripting vulnerability due to $@. | ReflectedXssContentTypes.js:20:24:20:36 | req.params.id | user-provided value |
 | ReflectedXssContentTypes.js:39:13:39:35 | "FOO: " ... rams.id | ReflectedXssContentTypes.js:39:23:39:35 | req.params.id | ReflectedXssContentTypes.js:39:13:39:35 | "FOO: " ... rams.id | Cross-site scripting vulnerability due to $@. | ReflectedXssContentTypes.js:39:23:39:35 | req.params.id | user-provided value |
diff --git a/javascript/ql/test/query-tests/Security/CWE-079/ReflectedXss/ReflectedXss.js b/javascript/ql/test/query-tests/Security/CWE-079/ReflectedXss/ReflectedXss.js
index 15f8ea7f7fd..7e531bdd4e1 100644
--- a/javascript/ql/test/query-tests/Security/CWE-079/ReflectedXss/ReflectedXss.js
+++ b/javascript/ql/test/query-tests/Security/CWE-079/ReflectedXss/ReflectedXss.js
@@ -75,3 +75,12 @@ app.get('/user/:id', function (req, res) {
     res.send(f); // NOT OK
   })
 });
+
+import snarkdown from 'snarkdown';
+var snarkdown2 = require("snarkdown");
+
+app.get('/user/:id', function (req, res) {
+  res.send(req.body); // NOT OK
+  res.send(snarkdown(req.body)); // NOT OK
+  res.send(snarkdown2(req.body)); // NOT OK
+});
diff --git a/javascript/ql/test/query-tests/Security/CWE-079/ReflectedXss/ReflectedXssWithCustomSanitizer.expected b/javascript/ql/test/query-tests/Security/CWE-079/ReflectedXss/ReflectedXssWithCustomSanitizer.expected
index 96f1093be3b..92017e8f378 100644
--- a/javascript/ql/test/query-tests/Security/CWE-079/ReflectedXss/ReflectedXssWithCustomSanitizer.expected
+++ b/javascript/ql/test/query-tests/Security/CWE-079/ReflectedXss/ReflectedXssWithCustomSanitizer.expected
@@ -11,6 +11,9 @@
 | ReflectedXss.js:68:12:68:52 | remark( ... tring() | Cross-site scripting vulnerability due to $@. | ReflectedXss.js:68:33:68:40 | req.body | user-provided value |
 | ReflectedXss.js:72:12:72:65 | unified ... oString | Cross-site scripting vulnerability due to $@. | ReflectedXss.js:72:48:72:55 | req.body | user-provided value |
 | ReflectedXss.js:75:14:75:14 | f | Cross-site scripting vulnerability due to $@. | ReflectedXss.js:74:20:74:27 | req.body | user-provided value |
+| ReflectedXss.js:83:12:83:19 | req.body | Cross-site scripting vulnerability due to $@. | ReflectedXss.js:83:12:83:19 | req.body | user-provided value |
+| ReflectedXss.js:84:12:84:30 | snarkdown(req.body) | Cross-site scripting vulnerability due to $@. | ReflectedXss.js:84:22:84:29 | req.body | user-provided value |
+| ReflectedXss.js:85:12:85:31 | snarkdown2(req.body) | Cross-site scripting vulnerability due to $@. | ReflectedXss.js:85:23:85:30 | req.body | user-provided value |
 | ReflectedXssContentTypes.js:10:14:10:36 | "FOO: " ... rams.id | Cross-site scripting vulnerability due to $@. | ReflectedXssContentTypes.js:10:24:10:36 | req.params.id | user-provided value |
 | ReflectedXssContentTypes.js:20:14:20:36 | "FOO: " ... rams.id | Cross-site scripting vulnerability due to $@. | ReflectedXssContentTypes.js:20:24:20:36 | req.params.id | user-provided value |
 | ReflectedXssContentTypes.js:39:13:39:35 | "FOO: " ... rams.id | Cross-site scripting vulnerability due to $@. | ReflectedXssContentTypes.js:39:23:39:35 | req.params.id | user-provided value |

From fd46b7a7bcb1c590a4e113f0daf0c0267d39f994 Mon Sep 17 00:00:00 2001
From: Erik Krogh Kristensen <erik-krogh@github.com>
Date: Thu, 11 Feb 2021 16:17:26 +0100
Subject: [PATCH 302/429] fix type in change-note

Co-authored-by: intrigus-lgtm <60750685+intrigus-lgtm@users.noreply.github.com>
---
 javascript/change-notes/2021-02-10-markdown.md | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)

diff --git a/javascript/change-notes/2021-02-10-markdown.md b/javascript/change-notes/2021-02-10-markdown.md
index b3c843db0f5..ed3dfb505e6 100644
--- a/javascript/change-notes/2021-02-10-markdown.md
+++ b/javascript/change-notes/2021-02-10-markdown.md
@@ -1,5 +1,5 @@
 lgtm,codescanning
-* The dataflow libraries now model dataflow in markdown parses.
+* The dataflow libraries now model dataflow in markdown parsers.
   Affected packages are
     [marked](https://npmjs.com/package/marked), 
     [markdown-table](https://npmjs.com/package/markdown-table), 

From 33b5802ff6fd4b9b5b7cf2173b2c99b515703dda Mon Sep 17 00:00:00 2001
From: Geoffrey White <40627776+geoffw0@users.noreply.github.com>
Date: Thu, 11 Feb 2021 12:42:39 +0000
Subject: [PATCH 303/429] C++: Update StdPair.qll (just for consistency).

---
 .../semmle/code/cpp/models/implementations/StdPair.qll    | 8 ++++----
 1 file changed, 4 insertions(+), 4 deletions(-)

diff --git a/cpp/ql/src/semmle/code/cpp/models/implementations/StdPair.qll b/cpp/ql/src/semmle/code/cpp/models/implementations/StdPair.qll
index 41867e71acc..1d8c4ea44d1 100644
--- a/cpp/ql/src/semmle/code/cpp/models/implementations/StdPair.qll
+++ b/cpp/ql/src/semmle/code/cpp/models/implementations/StdPair.qll
@@ -7,8 +7,8 @@ import semmle.code.cpp.models.interfaces.Taint
 /**
  * An instantiation of `std::pair<T1, T2>`.
  */
-class StdPairClass extends ClassTemplateInstantiation {
-  StdPairClass() { getTemplate().hasQualifiedName("std", "pair") }
+class StdPair extends ClassTemplateInstantiation {
+  StdPair() { this.hasQualifiedName("std", "pair") }
 }
 
 /**
@@ -18,9 +18,9 @@ class StdPairClass extends ClassTemplateInstantiation {
  */
 class StdPairCopyishConstructor extends Constructor, TaintFunction {
   StdPairCopyishConstructor() {
-    this.getDeclaringType() instanceof StdPairClass and
+    this.getDeclaringType() instanceof StdPair and
     this.getNumberOfParameters() = 1 and
-    this.getParameter(0).getUnspecifiedType().(ReferenceType).getBaseType() instanceof StdPairClass
+    this.getParameter(0).getUnspecifiedType().(ReferenceType).getBaseType() instanceof StdPair
   }
 
   override predicate hasTaintFlow(FunctionInput input, FunctionOutput output) {

From 21b2999722c41f481d0265653e4569143b8ddb76 Mon Sep 17 00:00:00 2001
From: Geoffrey White <40627776+geoffw0@users.noreply.github.com>
Date: Thu, 11 Feb 2021 13:23:59 +0000
Subject: [PATCH 304/429] C++: Update StdSet.qll.

---
 .../cpp/models/implementations/StdSet.qll     | 27 ++++++++++---------
 1 file changed, 14 insertions(+), 13 deletions(-)

diff --git a/cpp/ql/src/semmle/code/cpp/models/implementations/StdSet.qll b/cpp/ql/src/semmle/code/cpp/models/implementations/StdSet.qll
index 9fac9ae75f8..5c30afca572 100644
--- a/cpp/ql/src/semmle/code/cpp/models/implementations/StdSet.qll
+++ b/cpp/ql/src/semmle/code/cpp/models/implementations/StdSet.qll
@@ -5,14 +5,18 @@
 import semmle.code.cpp.models.interfaces.Taint
 import semmle.code.cpp.models.interfaces.Iterator
 
+/**
+ * An instantiation of `std::set` or `std::unordered_set`.
+ */
+class StdSet extends ClassTemplateInstantiation {
+  StdSet() { this.hasQualifiedName("std", ["set", "unordered_set"]) }
+}
+
 /**
  * Additional model for set constructors using iterator inputs.
  */
 private class StdSetConstructor extends Constructor, TaintFunction {
-  StdSetConstructor() {
-    this.hasQualifiedName("std", "set", "set") or
-    this.hasQualifiedName("std", "unordered_set", "unordered_set")
-  }
+  StdSetConstructor() { this.getDeclaringType() instanceof StdSet }
 
   /**
    * Gets the index of a parameter to this function that is an iterator.
@@ -36,7 +40,7 @@ private class StdSetConstructor extends Constructor, TaintFunction {
  * The standard set `insert` and `insert_or_assign` functions.
  */
 private class StdSetInsert extends TaintFunction {
-  StdSetInsert() { this.hasQualifiedName("std", ["set", "unordered_set"], "insert") }
+  StdSetInsert() { this.getClassAndName("insert") instanceof StdSet }
 
   override predicate hasTaintFlow(FunctionInput input, FunctionOutput output) {
     // flow from last parameter to qualifier and return value
@@ -53,9 +57,7 @@ private class StdSetInsert extends TaintFunction {
  * The standard set `emplace` and `emplace_hint` functions.
  */
 private class StdSetEmplace extends TaintFunction {
-  StdSetEmplace() {
-    this.hasQualifiedName("std", ["set", "unordered_set"], ["emplace", "emplace_hint"])
-  }
+  StdSetEmplace() { this.getClassAndName(["emplace", "emplace_hint"]) instanceof StdSet }
 
   override predicate hasTaintFlow(FunctionInput input, FunctionOutput output) {
     // flow from any parameter to qualifier and return value
@@ -76,7 +78,7 @@ private class StdSetEmplace extends TaintFunction {
  * The standard set `merge` function.
  */
 private class StdSetMerge extends TaintFunction {
-  StdSetMerge() { this.hasQualifiedName("std", ["set", "unordered_set"], "merge") }
+  StdSetMerge() { this.getClassAndName("merge") instanceof StdSet }
 
   override predicate hasTaintFlow(FunctionInput input, FunctionOutput output) {
     // container1.merge(container2)
@@ -89,7 +91,7 @@ private class StdSetMerge extends TaintFunction {
  * The standard set `find` function.
  */
 private class StdSetFind extends TaintFunction {
-  StdSetFind() { this.hasQualifiedName("std", ["set", "unordered_set"], "find") }
+  StdSetFind() { this.getClassAndName("find") instanceof StdSet }
 
   override predicate hasTaintFlow(FunctionInput input, FunctionOutput output) {
     input.isQualifierObject() and
@@ -101,7 +103,7 @@ private class StdSetFind extends TaintFunction {
  * The standard set `erase` function.
  */
 private class StdSetErase extends TaintFunction {
-  StdSetErase() { this.hasQualifiedName("std", ["set", "unordered_set"], "erase") }
+  StdSetErase() { this.getClassAndName("erase") instanceof StdSet }
 
   override predicate hasTaintFlow(FunctionInput input, FunctionOutput output) {
     // flow from qualifier to iterator return value
@@ -116,8 +118,7 @@ private class StdSetErase extends TaintFunction {
  */
 private class StdSetEqualRange extends TaintFunction {
   StdSetEqualRange() {
-    this.hasQualifiedName("std", ["set", "unordered_set"],
-      ["lower_bound", "upper_bound", "equal_range"])
+    this.getClassAndName(["lower_bound", "upper_bound", "equal_range"]) instanceof StdSet
   }
 
   override predicate hasTaintFlow(FunctionInput input, FunctionOutput output) {

From 91627cbd88ea8606cf2a51ff4233f383423291ef Mon Sep 17 00:00:00 2001
From: Mathias Vorreiter Pedersen <mathiasvp@github.com>
Date: Thu, 11 Feb 2021 17:21:32 +0100
Subject: [PATCH 305/429] C++: Add models for BSD-style send and recv
 functions.

---
 cpp/ql/src/semmle/code/cpp/models/Models.qll  |  2 +
 .../code/cpp/models/implementations/Recv.qll  | 73 +++++++++++++++++++
 .../code/cpp/models/implementations/Send.qll  | 55 ++++++++++++++
 .../code/cpp/models/interfaces/FlowSource.qll |  9 +++
 .../semmle/code/cpp/security/FlowSources.qll  | 28 +++++++
 .../src/semmle/code/cpp/security/Security.qll | 15 +++-
 .../defaulttainttracking.cpp                  | 19 +++++
 .../remote-flow-sink.expected                 |  0
 .../annotate_sinks_only/remote-flow-sink.ql   | 20 +++++
 9 files changed, 220 insertions(+), 1 deletion(-)
 create mode 100644 cpp/ql/src/semmle/code/cpp/models/implementations/Recv.qll
 create mode 100644 cpp/ql/src/semmle/code/cpp/models/implementations/Send.qll
 create mode 100644 cpp/ql/test/library-tests/dataflow/DefaultTaintTracking/annotate_sinks_only/remote-flow-sink.expected
 create mode 100644 cpp/ql/test/library-tests/dataflow/DefaultTaintTracking/annotate_sinks_only/remote-flow-sink.ql

diff --git a/cpp/ql/src/semmle/code/cpp/models/Models.qll b/cpp/ql/src/semmle/code/cpp/models/Models.qll
index 7ec66b3a2e9..c36c1da9bcd 100644
--- a/cpp/ql/src/semmle/code/cpp/models/Models.qll
+++ b/cpp/ql/src/semmle/code/cpp/models/Models.qll
@@ -28,3 +28,5 @@ private import implementations.Swap
 private import implementations.GetDelim
 private import implementations.SmartPointer
 private import implementations.Sscanf
+private import implementations.Send
+private import implementations.Recv
diff --git a/cpp/ql/src/semmle/code/cpp/models/implementations/Recv.qll b/cpp/ql/src/semmle/code/cpp/models/implementations/Recv.qll
new file mode 100644
index 00000000000..e7d52472d1d
--- /dev/null
+++ b/cpp/ql/src/semmle/code/cpp/models/implementations/Recv.qll
@@ -0,0 +1,73 @@
+/**
+ * Provides implementation classes modeling `recv` and various similar
+ * functions. See `semmle.code.cpp.models.Models` for usage information.
+ */
+
+import semmle.code.cpp.models.interfaces.Taint
+import semmle.code.cpp.models.interfaces.ArrayFunction
+import semmle.code.cpp.models.interfaces.Alias
+import semmle.code.cpp.models.interfaces.FlowSource
+import semmle.code.cpp.models.interfaces.SideEffect
+
+/** The function `recv` and its assorted variants */
+private class Recv extends AliasFunction, ArrayFunction, SideEffectFunction, RemoteFlowFunction {
+  Recv() {
+    this.hasGlobalName([
+        "recv", // recv(socket, dest, len, flags)
+        "recvfrom", // recvfrom(socket, dest, len, flags, from, fromlen)
+        "read", // read(socket, dest, len)
+        "pread" // pread(socket, dest, len, offset)
+      ])
+  }
+
+  override predicate parameterNeverEscapes(int index) {
+    this.getParameter(index).getUnspecifiedType() instanceof PointerType
+  }
+
+  override predicate parameterEscapesOnlyViaReturn(int index) { none() }
+
+  override predicate parameterIsAlwaysReturned(int index) { none() }
+
+  override predicate hasArrayWithVariableSize(int bufParam, int countParam) {
+    bufParam = 1 and countParam = 2
+  }
+
+  override predicate hasArrayInput(int bufParam) { this.hasGlobalName("recvfrom") and bufParam = 4 }
+
+  override predicate hasArrayOutput(int bufParam) {
+    bufParam = 1
+    or
+    this.hasGlobalName("recvfrom") and bufParam = 4
+  }
+
+  override predicate hasSpecificReadSideEffect(ParameterIndex i, boolean buffer) {
+    this.hasGlobalName("recvfrom") and
+    (
+      i = 4 and buffer = true
+      or
+      i = 5 and buffer = false
+    )
+  }
+
+  override ParameterIndex getParameterSizeIndex(ParameterIndex i) { i = 1 and result = 2 }
+
+  override predicate hasSpecificWriteSideEffect(ParameterIndex i, boolean buffer, boolean mustWrite) {
+    i = 1 and buffer = true and mustWrite = false
+    or
+    this.hasGlobalName("recvfrom") and
+    (
+      i = 4 and buffer = true and mustWrite = false
+      or
+      i = 5 and buffer = false and mustWrite = false
+    )
+  }
+
+  override predicate hasOnlySpecificReadSideEffects() { any() }
+
+  override predicate hasOnlySpecificWriteSideEffects() { any() }
+
+  override predicate hasRemoteFlowSource(FunctionOutput output, string description) {
+    output.isParameterDeref(1) and
+    description = "Buffer read by " + this.getName()
+  }
+}
diff --git a/cpp/ql/src/semmle/code/cpp/models/implementations/Send.qll b/cpp/ql/src/semmle/code/cpp/models/implementations/Send.qll
new file mode 100644
index 00000000000..414cbd13e7d
--- /dev/null
+++ b/cpp/ql/src/semmle/code/cpp/models/implementations/Send.qll
@@ -0,0 +1,55 @@
+/**
+ * Provides implementation classes modeling `send` and various similar
+ * functions. See `semmle.code.cpp.models.Models` for usage information.
+ */
+
+import semmle.code.cpp.models.interfaces.Taint
+import semmle.code.cpp.models.interfaces.ArrayFunction
+import semmle.code.cpp.models.interfaces.Alias
+import semmle.code.cpp.models.interfaces.FlowSource
+import semmle.code.cpp.models.interfaces.SideEffect
+
+/** The function `send` and its assorted variants */
+private class Send extends AliasFunction, ArrayFunction, SideEffectFunction, RemoteFlowFunctionSink {
+  Send() {
+    this.hasGlobalName([
+        "send", // send(socket, buf, len, flags)
+        "sendto", // sendto(socket, buf, len, flags, to, tolen)
+        "write" // write(socket, buf, len);
+      ])
+  }
+
+  override predicate parameterNeverEscapes(int index) {
+    this.getParameter(index).getUnspecifiedType() instanceof PointerType
+  }
+
+  override predicate parameterEscapesOnlyViaReturn(int index) { none() }
+
+  override predicate parameterIsAlwaysReturned(int index) { none() }
+
+  override predicate hasArrayWithVariableSize(int bufParam, int countParam) {
+    bufParam = 1 and countParam = 2
+  }
+
+  override predicate hasArrayInput(int bufParam) { bufParam = 1 }
+
+  override predicate hasOnlySpecificReadSideEffects() { any() }
+
+  override predicate hasOnlySpecificWriteSideEffects() { any() }
+
+  override predicate hasSpecificWriteSideEffect(ParameterIndex i, boolean buffer, boolean mustWrite) {
+    none()
+  }
+
+  override predicate hasSpecificReadSideEffect(ParameterIndex i, boolean buffer) {
+    i = 1 and buffer = true
+    or
+    exists(this.getParameter(4)) and i = 4 and buffer = false
+  }
+
+  override ParameterIndex getParameterSizeIndex(ParameterIndex i) { i = 1 and result = 2 }
+
+  override predicate hasRemoteFlowSink(FunctionInput input, string description) {
+    input.isParameterDeref(1) and description = "Buffer sent by " + this.getName()
+  }
+}
diff --git a/cpp/ql/src/semmle/code/cpp/models/interfaces/FlowSource.qll b/cpp/ql/src/semmle/code/cpp/models/interfaces/FlowSource.qll
index c0c95b38756..b3b5d8850ba 100644
--- a/cpp/ql/src/semmle/code/cpp/models/interfaces/FlowSource.qll
+++ b/cpp/ql/src/semmle/code/cpp/models/interfaces/FlowSource.qll
@@ -29,3 +29,12 @@ abstract class LocalFlowFunction extends Function {
    */
   abstract predicate hasLocalFlowSource(FunctionOutput output, string description);
 }
+
+/** A library function that sends data over a network connection. */
+abstract class RemoteFlowFunctionSink extends Function {
+  /**
+   * Holds if data described by `description` flows into `input` to a call to this function, and is then
+   * send over a network connection.
+   */
+  abstract predicate hasRemoteFlowSink(FunctionInput input, string description);
+}
diff --git a/cpp/ql/src/semmle/code/cpp/security/FlowSources.qll b/cpp/ql/src/semmle/code/cpp/security/FlowSources.qll
index c8bad67352b..e3900f1799b 100644
--- a/cpp/ql/src/semmle/code/cpp/security/FlowSources.qll
+++ b/cpp/ql/src/semmle/code/cpp/security/FlowSources.qll
@@ -98,3 +98,31 @@ private class ArgvSource extends LocalFlowSource {
 
   override string getSourceType() { result = "a command-line argument" }
 }
+
+/** A remote data flow sink. */
+abstract class RemoteFlowSink extends DataFlow::Node {
+  /** Gets a string that describes the type of this flow sink. */
+  abstract string getSinkType();
+}
+
+private class RemoteParameterSink extends RemoteFlowSink {
+  string sourceType;
+
+  RemoteParameterSink() {
+    exists(RemoteFlowFunctionSink func, FunctionInput input, CallInstruction call, int index |
+      func.hasRemoteFlowSink(input, sourceType) and call.getStaticCallTarget() = func
+    |
+      exists(ReadSideEffectInstruction read |
+        call = read.getPrimaryInstruction() and
+        read.getIndex() = index and
+        this.asOperand() = read.getSideEffectOperand() and
+        input.isParameterDerefOrQualifierObject(index)
+      )
+      or
+      input.isParameterOrQualifierAddress(index) and
+      this.asOperand() = call.getArgumentOperand(index)
+    )
+  }
+
+  override string getSinkType() { result = sourceType }
+}
diff --git a/cpp/ql/src/semmle/code/cpp/security/Security.qll b/cpp/ql/src/semmle/code/cpp/security/Security.qll
index 16dc89d9a6e..15e9d86ad6a 100644
--- a/cpp/ql/src/semmle/code/cpp/security/Security.qll
+++ b/cpp/ql/src/semmle/code/cpp/security/Security.qll
@@ -6,6 +6,7 @@
 import semmle.code.cpp.exprs.Expr
 import semmle.code.cpp.commons.Environment
 import semmle.code.cpp.security.SecurityOptions
+import semmle.code.cpp.models.interfaces.FlowSource
 
 /**
  * Extend this class to customize the security queries for
@@ -60,7 +61,7 @@ class SecurityOptions extends string {
       functionCall.getTarget().hasGlobalName(fname) and
       exists(functionCall.getArgument(arg)) and
       (
-        fname = ["read", "recv", "recvmsg"] and arg = 1
+        fname = "recvmsg" and arg = 1
         or
         fname = "getaddrinfo" and arg = 3
         or
@@ -68,6 +69,12 @@ class SecurityOptions extends string {
         (arg = 1 or arg = 4 or arg = 5)
       )
     )
+    or
+    exists(RemoteFlowFunction remote, FunctionOutput output |
+      functionCall.getTarget() = remote and
+      output.isParameterDerefOrQualifierObject(arg) and
+      remote.hasRemoteFlowSource(output, _)
+    )
   }
 
   /**
@@ -81,6 +88,12 @@ class SecurityOptions extends string {
         userInputReturn(fname)
       )
     )
+    or
+    exists(RemoteFlowFunction remote, FunctionOutput output |
+      functionCall.getTarget() = remote and
+      (output.isReturnValue() or output.isReturnValueDeref()) and
+      remote.hasRemoteFlowSource(output, _)
+    )
   }
 
   /**
diff --git a/cpp/ql/test/library-tests/dataflow/DefaultTaintTracking/annotate_sinks_only/defaulttainttracking.cpp b/cpp/ql/test/library-tests/dataflow/DefaultTaintTracking/annotate_sinks_only/defaulttainttracking.cpp
index b24efc1dc8e..6156e80015c 100644
--- a/cpp/ql/test/library-tests/dataflow/DefaultTaintTracking/annotate_sinks_only/defaulttainttracking.cpp
+++ b/cpp/ql/test/library-tests/dataflow/DefaultTaintTracking/annotate_sinks_only/defaulttainttracking.cpp
@@ -216,3 +216,22 @@ void test_pointers2()
 	sink(ptr4); // clean
 	sink(*ptr4); // $ MISSING: ast,ir
 }
+
+// --- recv ---
+
+int recv(int s, char* buf, int len, int flags);
+
+void test_recv() {
+	char buffer[1024];
+	recv(0, buffer, sizeof(buffer), 0);
+	sink(buffer); // $ ast,ir
+	sink(*buffer); // $ ast,ir
+}
+
+// --- send ---
+
+int send(int, const void*, int, int);
+
+void test_send(char* buffer, int length) {
+  send(0, buffer, length, 0); // $ remote
+}
\ No newline at end of file
diff --git a/cpp/ql/test/library-tests/dataflow/DefaultTaintTracking/annotate_sinks_only/remote-flow-sink.expected b/cpp/ql/test/library-tests/dataflow/DefaultTaintTracking/annotate_sinks_only/remote-flow-sink.expected
new file mode 100644
index 00000000000..e69de29bb2d
diff --git a/cpp/ql/test/library-tests/dataflow/DefaultTaintTracking/annotate_sinks_only/remote-flow-sink.ql b/cpp/ql/test/library-tests/dataflow/DefaultTaintTracking/annotate_sinks_only/remote-flow-sink.ql
new file mode 100644
index 00000000000..4fbbe8fa3bf
--- /dev/null
+++ b/cpp/ql/test/library-tests/dataflow/DefaultTaintTracking/annotate_sinks_only/remote-flow-sink.ql
@@ -0,0 +1,20 @@
+/** This tests that we are able to detect remote flow sinks. */
+
+import cpp
+import TestUtilities.InlineExpectationsTest
+import semmle.code.cpp.security.FlowSources
+
+class RemoteFlowSinkTest extends InlineExpectationsTest {
+  RemoteFlowSinkTest() { this = "RemoteFlowSinkTest" }
+
+  override string getARelevantTag() { result = "remote" }
+
+  override predicate hasActualResult(Location location, string element, string tag, string value) {
+    tag = "remote" and
+    value = "" and
+    exists(RemoteFlowSink node |
+      location = node.getLocation() and
+      element = node.toString()
+    )
+  }
+}

From 6f405635ef6fe3ca7343f64c403c4d2a816f4ee6 Mon Sep 17 00:00:00 2001
From: Erik Krogh Kristensen <erik-krogh@github.com>
Date: Thu, 11 Feb 2021 17:49:44 +0100
Subject: [PATCH 306/429] add ClientRequest model for apollo-client

---
 .../javascript/frameworks/ClientRequests.qll  | 31 +++++++++++++++++++
 .../ClientRequests/ClientRequests.expected    | 12 +++++++
 .../frameworks/ClientRequests/apollo.js       | 23 ++++++++++++++
 3 files changed, 66 insertions(+)
 create mode 100644 javascript/ql/test/library-tests/frameworks/ClientRequests/apollo.js

diff --git a/javascript/ql/src/semmle/javascript/frameworks/ClientRequests.qll b/javascript/ql/src/semmle/javascript/frameworks/ClientRequests.qll
index f405b28beca..34f878c125f 100644
--- a/javascript/ql/src/semmle/javascript/frameworks/ClientRequests.qll
+++ b/javascript/ql/src/semmle/javascript/frameworks/ClientRequests.qll
@@ -823,4 +823,35 @@ module ClientRequest {
 
     override DataFlow::Node getADataNode() { none() }
   }
+
+  /**
+   * Classes and predicates modelling the `apollo-client` library.
+   */
+  private module ApolloClient {
+    /**
+     * A function from `apollo-client` that accepts an options object that may contain a `uri` property.
+     */
+    API::Node apolloUriCallee() {
+      result = API::moduleImport("apollo-link-http").getMember(["HttpLink", "createHttpLink"])
+      or
+      result =
+        API::moduleImport(["apollo-boost", "apollo-client", "apollo-client-preset"])
+            .getMember(["ApolloClient", "HttpLink", "createNetworkInterface"])
+      or
+      result = API::moduleImport("apollo-link-ws").getMember("WebSocketLink")
+    }
+
+    /**
+     * A model of a URL request made using apollo-client.
+     */
+    class ApolloClientRequeist extends ClientRequest::Range, API::InvokeNode {
+      ApolloClientRequeist() { this = apolloUriCallee().getAnInvocation() }
+
+      override DataFlow::Node getUrl() { result = getParameter(0).getMember("uri").getARhs() }
+
+      override DataFlow::Node getHost() { none() }
+
+      override DataFlow::Node getADataNode() { none() }
+    }
+  }
 }
diff --git a/javascript/ql/test/library-tests/frameworks/ClientRequests/ClientRequests.expected b/javascript/ql/test/library-tests/frameworks/ClientRequests/ClientRequests.expected
index 5ba426c968f..47c340f7a8e 100644
--- a/javascript/ql/test/library-tests/frameworks/ClientRequests/ClientRequests.expected
+++ b/javascript/ql/test/library-tests/frameworks/ClientRequests/ClientRequests.expected
@@ -1,4 +1,10 @@
 test_ClientRequest
+| apollo.js:5:18:5:78 | new cre ... hql' }) |
+| apollo.js:10:1:10:54 | new Htt ... hql' }) |
+| apollo.js:14:16:14:69 | new Apo ... .com'}) |
+| apollo.js:17:1:17:34 | new Pre ... yurl"}) |
+| apollo.js:20:1:20:77 | createN ... phql'}) |
+| apollo.js:23:1:23:31 | new Web ... wsUri}) |
 | tst.js:11:5:11:16 | request(url) |
 | tst.js:13:5:13:20 | request.get(url) |
 | tst.js:15:5:15:23 | request.delete(url) |
@@ -111,6 +117,12 @@ test_getHost
 | tst.js:93:5:93:35 | net.req ... host }) | tst.js:93:29:93:32 | host |
 | tst.js:219:5:219:41 | data.so ... Host"}) | tst.js:219:32:219:39 | "myHost" |
 test_getUrl
+| apollo.js:5:18:5:78 | new cre ... hql' }) | apollo.js:5:44:5:75 | 'https: ... raphql' |
+| apollo.js:10:1:10:54 | new Htt ... hql' }) | apollo.js:10:21:10:51 | 'http:/ ... raphql' |
+| apollo.js:14:16:14:69 | new Apo ... .com'}) | apollo.js:14:39:14:67 | 'https: ... le.com' |
+| apollo.js:17:1:17:34 | new Pre ... yurl"}) | apollo.js:17:26:17:32 | "myurl" |
+| apollo.js:20:1:20:77 | createN ... phql'}) | apollo.js:20:30:20:75 | 'https: ... raphql' |
+| apollo.js:23:1:23:31 | new Web ... wsUri}) | apollo.js:23:25:23:29 | wsUri |
 | tst.js:11:5:11:16 | request(url) | tst.js:11:13:11:15 | url |
 | tst.js:13:5:13:20 | request.get(url) | tst.js:13:17:13:19 | url |
 | tst.js:15:5:15:23 | request.delete(url) | tst.js:15:20:15:22 | url |
diff --git a/javascript/ql/test/library-tests/frameworks/ClientRequests/apollo.js b/javascript/ql/test/library-tests/frameworks/ClientRequests/apollo.js
new file mode 100644
index 00000000000..9aff4e64ab1
--- /dev/null
+++ b/javascript/ql/test/library-tests/frameworks/ClientRequests/apollo.js
@@ -0,0 +1,23 @@
+import { ApolloClient } from 'apollo-client'
+import { HttpLink } from 'apollo-link-http'
+import { createHttpLink } from 'apollo-link-http'
+
+const httpLink = new createHttpLink({ uri: 'https://api.github.com/graphql' }) // url 1
+
+const ApolloClient = require('apollo-client-preset').ApolloClient;
+const HttpLink = require('apollo-link-http').HttpLink;
+
+new HttpLink({ uri: 'http://localhost:8080/graphql' }); // url 2
+
+import ApolloClient from 'apollo-boost'; // / 'apollo-client'
+ 
+const client = new ApolloClient({uri: 'https://graphql.example.com'}); // url 3
+
+let PresetHttpLink = require('apollo-client-preset').HttpLink;
+new PresetHttpLink({uri: "myurl"}); // url 4
+
+import { createNetworkInterface } from 'apollo-client';
+createNetworkInterface({uri: 'https://web-go-demo.herokuapp.com/__/graphql'}) // url 5
+
+const { WebSocketLink } = require('apollo-link-ws')
+new WebSocketLink({uri: wsUri}) // url 6
\ No newline at end of file

From 004147a22fda52a7585a3814ba64544f174b9b60 Mon Sep 17 00:00:00 2001
From: Erik Krogh Kristensen <erik-krogh@github.com>
Date: Thu, 11 Feb 2021 17:54:53 +0100
Subject: [PATCH 307/429] add change note

---
 javascript/change-notes/2021-02-11-apollo-client.md | 8 ++++++++
 1 file changed, 8 insertions(+)
 create mode 100644 javascript/change-notes/2021-02-11-apollo-client.md

diff --git a/javascript/change-notes/2021-02-11-apollo-client.md b/javascript/change-notes/2021-02-11-apollo-client.md
new file mode 100644
index 00000000000..93ec78f1f41
--- /dev/null
+++ b/javascript/change-notes/2021-02-11-apollo-client.md
@@ -0,0 +1,8 @@
+lgtm,codescanning
+* URIs used in the Apollo-link libraries are now recognized as sinks for `js/request-forgery`.
+  Affected packages are
+    [apollo-link-http](https://www.npmjs.com/package/apollo-link-http), 
+    [apollo-client](https://www.npmjs.com/package/apollo-client), 
+    [apollo-boost](https://www.npmjs.com/package/apollo-boost), 
+    [apollo-client-preset](https://www.npmjs.com/package/apollo-client-preset), and
+    [apollo-link-ws](https://www.npmjs.com/package/apollo-link-ws)

From 354f21f2c326c08eb663d557af980a3af9d169a8 Mon Sep 17 00:00:00 2001
From: Geoffrey White <40627776+geoffw0@users.noreply.github.com>
Date: Thu, 11 Feb 2021 14:22:46 +0000
Subject: [PATCH 308/429] C++: BSL support.

---
 cpp/ql/src/semmle/code/cpp/models/implementations/StdPair.qll | 2 +-
 cpp/ql/src/semmle/code/cpp/models/implementations/StdSet.qll  | 2 +-
 2 files changed, 2 insertions(+), 2 deletions(-)

diff --git a/cpp/ql/src/semmle/code/cpp/models/implementations/StdPair.qll b/cpp/ql/src/semmle/code/cpp/models/implementations/StdPair.qll
index 1d8c4ea44d1..42c3b9025f8 100644
--- a/cpp/ql/src/semmle/code/cpp/models/implementations/StdPair.qll
+++ b/cpp/ql/src/semmle/code/cpp/models/implementations/StdPair.qll
@@ -8,7 +8,7 @@ import semmle.code.cpp.models.interfaces.Taint
  * An instantiation of `std::pair<T1, T2>`.
  */
 class StdPair extends ClassTemplateInstantiation {
-  StdPair() { this.hasQualifiedName("std", "pair") }
+  StdPair() { this.hasQualifiedName(["std", "bsl"], "pair") }
 }
 
 /**
diff --git a/cpp/ql/src/semmle/code/cpp/models/implementations/StdSet.qll b/cpp/ql/src/semmle/code/cpp/models/implementations/StdSet.qll
index 5c30afca572..68e78776968 100644
--- a/cpp/ql/src/semmle/code/cpp/models/implementations/StdSet.qll
+++ b/cpp/ql/src/semmle/code/cpp/models/implementations/StdSet.qll
@@ -9,7 +9,7 @@ import semmle.code.cpp.models.interfaces.Iterator
  * An instantiation of `std::set` or `std::unordered_set`.
  */
 class StdSet extends ClassTemplateInstantiation {
-  StdSet() { this.hasQualifiedName("std", ["set", "unordered_set"]) }
+  StdSet() { this.hasQualifiedName(["std", "bsl"], ["set", "unordered_set"]) }
 }
 
 /**

From 710ca21d19d70b69a38d6dddc75d0150c0485225 Mon Sep 17 00:00:00 2001
From: "Raul Garcia (MSFT)" <raul.garcia@microsoft.com>
Date: Thu, 11 Feb 2021 11:52:58 -0800
Subject: [PATCH 309/429] Addressing comments we missed earlier

---
 .../backdoor/ProcessNameToHashTaintFlow.ql    |  5 +--
 ...mberOfKnownMethodNamesAboveThreshold.qhelp |  2 +-
 .../NumberOfKnownMethodNamesAboveThreshold.ql |  3 +-
 .../Cryptography/NonCryptographicHashes.qll   | 41 ++++++-------------
 4 files changed, 17 insertions(+), 34 deletions(-)

diff --git a/csharp/ql/src/experimental/Security Features/backdoor/ProcessNameToHashTaintFlow.ql b/csharp/ql/src/experimental/Security Features/backdoor/ProcessNameToHashTaintFlow.ql
index d6fd090540e..14d0cc02e44 100644
--- a/csharp/ql/src/experimental/Security Features/backdoor/ProcessNameToHashTaintFlow.ql	
+++ b/csharp/ql/src/experimental/Security Features/backdoor/ProcessNameToHashTaintFlow.ql	
@@ -36,11 +36,10 @@ predicate isGetHash(Expr arg) {
     mc.getAnArgument() = arg
   )
   or
-  exists(Callable callable, Parameter param, Call call, int i |
+  exists(Callable callable, Parameter param, Call call |
     isCallableAPotentialNonCryptographicHashFunction(callable, param) and
-    callable.getParameter(i) = param and
     call = callable.getACall() and
-    call.getArgument(i) = arg
+    arg = call.getArgumentForParameter(param)
   )
 }
 
diff --git a/csharp/ql/src/experimental/Security Features/campaign/Solorigate/NumberOfKnownMethodNamesAboveThreshold.qhelp b/csharp/ql/src/experimental/Security Features/campaign/Solorigate/NumberOfKnownMethodNamesAboveThreshold.qhelp
index 9216fa9e2e5..f75f1e27097 100644
--- a/csharp/ql/src/experimental/Security Features/campaign/Solorigate/NumberOfKnownMethodNamesAboveThreshold.qhelp	
+++ b/csharp/ql/src/experimental/Security Features/campaign/Solorigate/NumberOfKnownMethodNamesAboveThreshold.qhelp	
@@ -4,7 +4,7 @@
 <qhelp>
   <overview>
     <p>This query detects method names used in the Solorigate code.</p>
-    <p>This query detects when the code includes at least 50 of the mthods used in the Solorigate tampered code</p>
+    <p>This query detects when the code includes at least 50 of the methods used in the Solorigate tampered code</p>
     <p>Please notice that by themselves these method names are not malign.</p>
   </overview>
 
diff --git a/csharp/ql/src/experimental/Security Features/campaign/Solorigate/NumberOfKnownMethodNamesAboveThreshold.ql b/csharp/ql/src/experimental/Security Features/campaign/Solorigate/NumberOfKnownMethodNamesAboveThreshold.ql
index c60281882b8..430329c3a10 100644
--- a/csharp/ql/src/experimental/Security Features/campaign/Solorigate/NumberOfKnownMethodNamesAboveThreshold.ql	
+++ b/csharp/ql/src/experimental/Security Features/campaign/Solorigate/NumberOfKnownMethodNamesAboveThreshold.ql	
@@ -18,8 +18,7 @@ import Solorigate
  */
 
 int countSolorigateSuspiciousMethodNames() {
-  result =
-    count(string s | exists(Method m | s = m.getName() and s = solorigateSuspiciousMethodNames()))
+  result = count(string s | s = any(Method m | isSolorigateSuspiciousMethodName(m)).getName())
 }
 
 from Method m, int total, int threshold
diff --git a/csharp/ql/src/experimental/code/csharp/Cryptography/NonCryptographicHashes.qll b/csharp/ql/src/experimental/code/csharp/Cryptography/NonCryptographicHashes.qll
index ea4368af7f6..4e6c40205ec 100644
--- a/csharp/ql/src/experimental/code/csharp/Cryptography/NonCryptographicHashes.qll
+++ b/csharp/ql/src/experimental/code/csharp/Cryptography/NonCryptographicHashes.qll
@@ -23,17 +23,15 @@ predicate maybeANonCryptogrphicHash(Callable callable, Variable v, Expr xor, Exp
  * where there is a loop statement `loop` where the variable `v` is used in an xor `xor` expression
  * followed by a multiplication `mul` expression.
  */
-predicate maybeUsedInFNVFunction(Variable v, Expr xor, Expr mul, LoopStmt loop) {
+predicate maybeUsedInFNVFunction(Variable v, Operation xor, Operation mul, LoopStmt loop) {
   exists(Expr e1, Expr e2 |
-    exists(Operation axore, Operation amule | xor = axore and mul = amule |
-      e1.getAChild*() = v.getAnAccess() and
-      e2.getAChild*() = v.getAnAccess() and
-      e1 = axore.getAnOperand() and
-      e2 = amule.getAnOperand() and
-      axore.getAControlFlowNode().getASuccessor*() = amule.getAControlFlowNode() and
-      (axore instanceof AssignXorExpr or axore instanceof BitwiseXorExpr) and
-      (amule instanceof AssignMulExpr or amule instanceof MulExpr)
-    )
+    e1.getAChild*() = v.getAnAccess() and
+    e2.getAChild*() = v.getAnAccess() and
+    e1 = xor.getAnOperand() and
+    e2 = mul.getAnOperand() and
+    xor.getAControlFlowNode().getASuccessor*() = mul.getAControlFlowNode() and
+    (xor instanceof AssignXorExpr or xor instanceof BitwiseXorExpr) and
+    (mul instanceof AssignMulExpr or mul instanceof MulExpr)
   ) and
   loop.getAChild*() = mul.getEnclosingStmt() and
   loop.getAChild*() = xor.getEnclosingStmt()
@@ -44,13 +42,11 @@ predicate maybeUsedInFNVFunction(Variable v, Expr xor, Expr mul, LoopStmt loop)
  * where there is a loop statement `loop` where the variable `v` is used in an xor `xor` expression
  * followed by an addition `add` expression.
  */
-predicate maybeUsedInElfHashFunction(Variable v, Expr xorExpr, Expr addExpr, LoopStmt loop) {
+private predicate maybeUsedInElfHashFunction(Variable v, Operation xor, Operation add, LoopStmt loop) {
   exists(
-    Expr e1, Operation add, Expr e2, AssignExpr addAssign, Operation xor, AssignExpr xorAssign,
-    Operation notOp, AssignExpr notAssign
+    Expr e1, Expr e2, AssignExpr addAssign, AssignExpr xorAssign, Operation notOp,
+    AssignExpr notAssign
   |
-    xorExpr = xor and
-    addExpr = add and
     (add instanceof AddExpr or add instanceof AssignAddExpr) and
     e1.getAChild*() = add.getAnOperand() and
     e1 instanceof BinaryBitwiseOperation and
@@ -70,17 +66,6 @@ predicate maybeUsedInElfHashFunction(Variable v, Expr xorExpr, Expr addExpr, Loo
   )
 }
 
-/**
- * Any dataflow from any source to any sink, used internally
- */
-private class AnyDataFlow extends TaintTracking2::Configuration {
-  AnyDataFlow() { this = "DataFlowFromDataGatheringMethodToVariable" }
-
-  override predicate isSource(Node source) { any() }
-
-  override predicate isSink(Node sink) { any() }
-}
-
 /**
  * Holds if the Callable is a function that behaves like a non-cryptographic hash
  * where the parameter `param` is likely the message to hash
@@ -94,13 +79,13 @@ predicate isCallableAPotentialNonCryptographicHashFunction(Callable callable, Pa
       or
       param.getAnAccess() = op2.(Operation).getAnOperand().getAChild*()
       or
-      exists(AnyDataFlow config, Node source, Node sink |
+      exists(Node source, Node sink |
         (
           sink.asExpr() = op1.(Operation).getAChild*() or
           sink.asExpr() = op2.(Operation).getAChild*()
         ) and
         source.asExpr() = param.getAnAccess() and
-        config.hasFlow(source, sink)
+        DataFlow::localFlow(source, sink)
       )
     )
   )

From e89891fa1fa01a1e1711a7daef3ef8fe45bf2781 Mon Sep 17 00:00:00 2001
From: Marcono1234 <Marcono1234@users.noreply.github.com>
Date: Fri, 12 Feb 2021 01:30:47 +0100
Subject: [PATCH 310/429] Address review comments

---
 java/ql/src/semmle/code/xml/MavenPom.qll | 6 +++---
 1 file changed, 3 insertions(+), 3 deletions(-)

diff --git a/java/ql/src/semmle/code/xml/MavenPom.qll b/java/ql/src/semmle/code/xml/MavenPom.qll
index 30c1e673b23..bbbb4580340 100644
--- a/java/ql/src/semmle/code/xml/MavenPom.qll
+++ b/java/ql/src/semmle/code/xml/MavenPom.qll
@@ -167,7 +167,7 @@ class Pom extends ProtoPom {
   Pom getParentPom() { result = getParentElement().getPom() }
 
   /**
-   * Gets the version specified for dependency _dep_ in a `dependencyManagement`
+   * Gets the version specified for dependency `dep` in a `dependencyManagement`
    * section in this POM or one of its ancestors, or an empty string if no version
    * is specified.
    */
@@ -343,7 +343,7 @@ class DependencyManagement extends PomElement {
 
   /**
    * Gets a dependency declared in this `dependencyManagement` element that has
-   * the same (short) coordinates as _dep_.
+   * the same (short) coordinates as `dep`.
    */
   Dependency getDependency(Dependency dep) {
     result = getADependency() and
@@ -383,7 +383,7 @@ class MavenRepo extends Folder {
   /**
    * Gets any jar artifacts in this repository that match the POM project definition. This is an
    * over approximation. For soft qualifiers (e.g. 1.0) precise matches are returned in preference
-   * to artifact only matches. For hard qualifiers (e.g. [1.0]) only precise matches are returned.
+   * to artifact-only matches. For hard qualifiers (e.g. [1.0]) only precise matches are returned.
    * For all other qualifiers, all matches are returned regardless of version.
    */
   MavenRepoJar getAnArtifact(ProtoPom pom) {

From 0aded1549eff5acd3c2d476c5eee6453e1517885 Mon Sep 17 00:00:00 2001
From: Tamas Vajk <tamasvajk@github.com>
Date: Fri, 12 Feb 2021 09:33:33 +0100
Subject: [PATCH 311/429] Improve NestedLoopsSameVariable query performance

---
 csharp/ql/src/Likely Bugs/NestedLoopsSameVariable.ql | 3 ++-
 1 file changed, 2 insertions(+), 1 deletion(-)

diff --git a/csharp/ql/src/Likely Bugs/NestedLoopsSameVariable.ql b/csharp/ql/src/Likely Bugs/NestedLoopsSameVariable.ql
index 3e71e7c7894..f0eb93926c0 100644
--- a/csharp/ql/src/Likely Bugs/NestedLoopsSameVariable.ql	
+++ b/csharp/ql/src/Likely Bugs/NestedLoopsSameVariable.ql	
@@ -28,7 +28,8 @@ class NestedForConditions extends SC::StructuralComparisonConfiguration {
 }
 
 private predicate hasChild(Stmt outer, Element child) {
-  outer = child.getParent()
+  outer = child.getParent() and
+  (outer instanceof ForStmt or outer = any(ForStmt f).getBody())
   or
   hasChild(outer, child.getParent())
 }

From ed2dc5f6ad7c85a635306f10393a36f0c0ad6fe7 Mon Sep 17 00:00:00 2001
From: Rasmus Wriedt Larsen <rasmuswl@github.com>
Date: Fri, 12 Feb 2021 10:26:31 +0100
Subject: [PATCH 312/429] Python: Fix date for change-note

---
 ...1-django-improvements.md => 2021-02-10-django-improvements.md} | 0
 1 file changed, 0 insertions(+), 0 deletions(-)
 rename python/change-notes/{2021-12-21-django-improvements.md => 2021-02-10-django-improvements.md} (100%)

diff --git a/python/change-notes/2021-12-21-django-improvements.md b/python/change-notes/2021-02-10-django-improvements.md
similarity index 100%
rename from python/change-notes/2021-12-21-django-improvements.md
rename to python/change-notes/2021-02-10-django-improvements.md

From b1c7cb63968e391c8da7d64a932d4282196ac50b Mon Sep 17 00:00:00 2001
From: Mathias Vorreiter Pedersen <mathiasvp@github.com>
Date: Fri, 12 Feb 2021 10:31:27 +0100
Subject: [PATCH 313/429] C++: Address review comments.

---
 .../CWE/CWE-020/ExternalAPIsSpecific.qll       |  2 +-
 .../code/cpp/models/implementations/Fread.qll  |  2 +-
 .../cpp/models/implementations/GetDelim.qll    |  2 +-
 .../code/cpp/models/implementations/Getenv.qll |  2 +-
 .../code/cpp/models/implementations/Gets.qll   |  2 +-
 .../code/cpp/models/implementations/Recv.qll   | 18 +++++++++++++++---
 .../code/cpp/models/implementations/Send.qll   | 11 ++++++++---
 .../code/cpp/models/interfaces/FlowSource.qll  | 12 ++++++------
 .../semmle/code/cpp/security/FlowSources.qll   | 10 +++++-----
 .../src/semmle/code/cpp/security/Security.qll  | 14 ++++----------
 10 files changed, 43 insertions(+), 32 deletions(-)

diff --git a/cpp/ql/src/Security/CWE/CWE-020/ExternalAPIsSpecific.qll b/cpp/ql/src/Security/CWE/CWE-020/ExternalAPIsSpecific.qll
index 788baeddbff..9ca598f86d6 100644
--- a/cpp/ql/src/Security/CWE/CWE-020/ExternalAPIsSpecific.qll
+++ b/cpp/ql/src/Security/CWE/CWE-020/ExternalAPIsSpecific.qll
@@ -46,7 +46,7 @@ class UntrustedDataToExternalAPIConfig extends TaintTracking::Configuration {
   UntrustedDataToExternalAPIConfig() { this = "UntrustedDataToExternalAPIConfig" }
 
   override predicate isSource(DataFlow::Node source) {
-    exists(RemoteFlowFunction remoteFlow |
+    exists(RemoteFlowSourceFunction remoteFlow |
       remoteFlow = source.asExpr().(Call).getTarget() and
       remoteFlow.hasRemoteFlowSource(_, _)
     )
diff --git a/cpp/ql/src/semmle/code/cpp/models/implementations/Fread.qll b/cpp/ql/src/semmle/code/cpp/models/implementations/Fread.qll
index 11568c8a974..9524b18b0a2 100644
--- a/cpp/ql/src/semmle/code/cpp/models/implementations/Fread.qll
+++ b/cpp/ql/src/semmle/code/cpp/models/implementations/Fread.qll
@@ -1,7 +1,7 @@
 import semmle.code.cpp.models.interfaces.Alias
 import semmle.code.cpp.models.interfaces.FlowSource
 
-private class Fread extends AliasFunction, RemoteFlowFunction {
+private class Fread extends AliasFunction, RemoteFlowSourceFunction {
   Fread() { this.hasGlobalName("fread") }
 
   override predicate parameterNeverEscapes(int n) {
diff --git a/cpp/ql/src/semmle/code/cpp/models/implementations/GetDelim.qll b/cpp/ql/src/semmle/code/cpp/models/implementations/GetDelim.qll
index 3561caee7fb..e2015406346 100644
--- a/cpp/ql/src/semmle/code/cpp/models/implementations/GetDelim.qll
+++ b/cpp/ql/src/semmle/code/cpp/models/implementations/GetDelim.qll
@@ -7,7 +7,7 @@ import semmle.code.cpp.models.interfaces.FlowSource
  * The standard functions `getdelim`, `getwdelim` and the glibc variant `__getdelim`.
  */
 private class GetDelimFunction extends TaintFunction, AliasFunction, SideEffectFunction,
-  RemoteFlowFunction {
+  RemoteFlowSourceFunction {
   GetDelimFunction() { hasGlobalName(["getdelim", "getwdelim", "__getdelim"]) }
 
   override predicate hasTaintFlow(FunctionInput i, FunctionOutput o) {
diff --git a/cpp/ql/src/semmle/code/cpp/models/implementations/Getenv.qll b/cpp/ql/src/semmle/code/cpp/models/implementations/Getenv.qll
index 9761a4293a8..93b601de752 100644
--- a/cpp/ql/src/semmle/code/cpp/models/implementations/Getenv.qll
+++ b/cpp/ql/src/semmle/code/cpp/models/implementations/Getenv.qll
@@ -8,7 +8,7 @@ import semmle.code.cpp.models.interfaces.FlowSource
 /**
  * The POSIX function `getenv`.
  */
-class Getenv extends LocalFlowFunction {
+class Getenv extends LocalFlowSourceFunction {
   Getenv() { this.hasGlobalName("getenv") }
 
   override predicate hasLocalFlowSource(FunctionOutput output, string description) {
diff --git a/cpp/ql/src/semmle/code/cpp/models/implementations/Gets.qll b/cpp/ql/src/semmle/code/cpp/models/implementations/Gets.qll
index 91653cd6b37..f698a1209f4 100644
--- a/cpp/ql/src/semmle/code/cpp/models/implementations/Gets.qll
+++ b/cpp/ql/src/semmle/code/cpp/models/implementations/Gets.qll
@@ -14,7 +14,7 @@ import semmle.code.cpp.models.interfaces.FlowSource
  * The standard functions `gets` and `fgets`.
  */
 private class GetsFunction extends DataFlowFunction, TaintFunction, ArrayFunction, AliasFunction,
-  SideEffectFunction, RemoteFlowFunction {
+  SideEffectFunction, RemoteFlowSourceFunction {
   GetsFunction() {
     // gets(str)
     // fgets(str, num, stream)
diff --git a/cpp/ql/src/semmle/code/cpp/models/implementations/Recv.qll b/cpp/ql/src/semmle/code/cpp/models/implementations/Recv.qll
index e7d52472d1d..ef919c9eb39 100644
--- a/cpp/ql/src/semmle/code/cpp/models/implementations/Recv.qll
+++ b/cpp/ql/src/semmle/code/cpp/models/implementations/Recv.qll
@@ -10,11 +10,13 @@ import semmle.code.cpp.models.interfaces.FlowSource
 import semmle.code.cpp.models.interfaces.SideEffect
 
 /** The function `recv` and its assorted variants */
-private class Recv extends AliasFunction, ArrayFunction, SideEffectFunction, RemoteFlowFunction {
+private class Recv extends AliasFunction, ArrayFunction, SideEffectFunction,
+  RemoteFlowSourceFunction {
   Recv() {
     this.hasGlobalName([
         "recv", // recv(socket, dest, len, flags)
         "recvfrom", // recvfrom(socket, dest, len, flags, from, fromlen)
+        "recvmsg", // recvmsg(socket, msg, flags)
         "read", // read(socket, dest, len)
         "pread" // pread(socket, dest, len, offset)
       ])
@@ -29,7 +31,9 @@ private class Recv extends AliasFunction, ArrayFunction, SideEffectFunction, Rem
   override predicate parameterIsAlwaysReturned(int index) { none() }
 
   override predicate hasArrayWithVariableSize(int bufParam, int countParam) {
-    bufParam = 1 and countParam = 2
+    not this.hasGlobalName("recvmsg") and
+    bufParam = 1 and
+    countParam = 2
   }
 
   override predicate hasArrayInput(int bufParam) { this.hasGlobalName("recvfrom") and bufParam = 4 }
@@ -47,6 +51,10 @@ private class Recv extends AliasFunction, ArrayFunction, SideEffectFunction, Rem
       or
       i = 5 and buffer = false
     )
+    or
+    this.hasGlobalName("recvmsg") and
+    i = 1 and
+    buffer = true
   }
 
   override ParameterIndex getParameterSizeIndex(ParameterIndex i) { i = 1 and result = 2 }
@@ -67,7 +75,11 @@ private class Recv extends AliasFunction, ArrayFunction, SideEffectFunction, Rem
   override predicate hasOnlySpecificWriteSideEffects() { any() }
 
   override predicate hasRemoteFlowSource(FunctionOutput output, string description) {
-    output.isParameterDeref(1) and
+    (
+      output.isParameterDeref(1)
+      or
+      this.hasGlobalName("recvfrom") and output.isParameterDeref([4, 5])
+    ) and
     description = "Buffer read by " + this.getName()
   }
 }
diff --git a/cpp/ql/src/semmle/code/cpp/models/implementations/Send.qll b/cpp/ql/src/semmle/code/cpp/models/implementations/Send.qll
index 414cbd13e7d..2a6cd0bac51 100644
--- a/cpp/ql/src/semmle/code/cpp/models/implementations/Send.qll
+++ b/cpp/ql/src/semmle/code/cpp/models/implementations/Send.qll
@@ -10,11 +10,12 @@ import semmle.code.cpp.models.interfaces.FlowSource
 import semmle.code.cpp.models.interfaces.SideEffect
 
 /** The function `send` and its assorted variants */
-private class Send extends AliasFunction, ArrayFunction, SideEffectFunction, RemoteFlowFunctionSink {
+private class Send extends AliasFunction, ArrayFunction, SideEffectFunction, RemoteFlowSinkFunction {
   Send() {
     this.hasGlobalName([
         "send", // send(socket, buf, len, flags)
         "sendto", // sendto(socket, buf, len, flags, to, tolen)
+        "sendmsg", // sendmsg(socket, msg, flags)
         "write" // write(socket, buf, len);
       ])
   }
@@ -28,7 +29,9 @@ private class Send extends AliasFunction, ArrayFunction, SideEffectFunction, Rem
   override predicate parameterIsAlwaysReturned(int index) { none() }
 
   override predicate hasArrayWithVariableSize(int bufParam, int countParam) {
-    bufParam = 1 and countParam = 2
+    not this.hasGlobalName("sendmsg") and
+    bufParam = 1 and
+    countParam = 2
   }
 
   override predicate hasArrayInput(int bufParam) { bufParam = 1 }
@@ -44,7 +47,9 @@ private class Send extends AliasFunction, ArrayFunction, SideEffectFunction, Rem
   override predicate hasSpecificReadSideEffect(ParameterIndex i, boolean buffer) {
     i = 1 and buffer = true
     or
-    exists(this.getParameter(4)) and i = 4 and buffer = false
+    this.hasGlobalName("sendto") and i = 4 and buffer = false
+    or
+    this.hasGlobalName("sendmsg") and i = 1 and buffer = true
   }
 
   override ParameterIndex getParameterSizeIndex(ParameterIndex i) { i = 1 and result = 2 }
diff --git a/cpp/ql/src/semmle/code/cpp/models/interfaces/FlowSource.qll b/cpp/ql/src/semmle/code/cpp/models/interfaces/FlowSource.qll
index b3b5d8850ba..8f953761cdc 100644
--- a/cpp/ql/src/semmle/code/cpp/models/interfaces/FlowSource.qll
+++ b/cpp/ql/src/semmle/code/cpp/models/interfaces/FlowSource.qll
@@ -1,9 +1,9 @@
 /**
- * Provides a class for modeling functions that return data from potentially untrusted sources. To use
- * this QL library, create a QL class extending `DataFlowFunction` with a
+ * Provides classes for modeling functions that return data from (or send data to) potentially untrusted
+ * sources. To use this QL library, create a QL class extending `DataFlowFunction` with a
  * characteristic predicate that selects the function or set of functions you
  * are modeling. Within that class, override the predicates provided by
- * `RemoteFlowFunction` to match the flow within that function.
+ * `RemoteFlowSourceFunction` or `RemoteFlowSinkFunction` to match the flow within that function.
  */
 
 import cpp
@@ -13,7 +13,7 @@ import semmle.code.cpp.models.Models
 /**
  * A library function that returns data that may be read from a network connection.
  */
-abstract class RemoteFlowFunction extends Function {
+abstract class RemoteFlowSourceFunction extends Function {
   /**
    * Holds if remote data described by `description` flows from `output` of a call to this function.
    */
@@ -23,7 +23,7 @@ abstract class RemoteFlowFunction extends Function {
 /**
  * A library function that returns data that is directly controlled by a user.
  */
-abstract class LocalFlowFunction extends Function {
+abstract class LocalFlowSourceFunction extends Function {
   /**
    * Holds if data described by `description` flows from `output` of a call to this function.
    */
@@ -31,7 +31,7 @@ abstract class LocalFlowFunction extends Function {
 }
 
 /** A library function that sends data over a network connection. */
-abstract class RemoteFlowFunctionSink extends Function {
+abstract class RemoteFlowSinkFunction extends Function {
   /**
    * Holds if data described by `description` flows into `input` to a call to this function, and is then
    * send over a network connection.
diff --git a/cpp/ql/src/semmle/code/cpp/security/FlowSources.qll b/cpp/ql/src/semmle/code/cpp/security/FlowSources.qll
index e3900f1799b..b080651951f 100644
--- a/cpp/ql/src/semmle/code/cpp/security/FlowSources.qll
+++ b/cpp/ql/src/semmle/code/cpp/security/FlowSources.qll
@@ -23,7 +23,7 @@ private class RemoteReturnSource extends RemoteFlowSource {
   string sourceType;
 
   RemoteReturnSource() {
-    exists(RemoteFlowFunction func, CallInstruction instr, FunctionOutput output |
+    exists(RemoteFlowSourceFunction func, CallInstruction instr, FunctionOutput output |
       asInstruction() = instr and
       instr.getStaticCallTarget() = func and
       func.hasRemoteFlowSource(output, sourceType) and
@@ -42,7 +42,7 @@ private class RemoteParameterSource extends RemoteFlowSource {
   string sourceType;
 
   RemoteParameterSource() {
-    exists(RemoteFlowFunction func, WriteSideEffectInstruction instr, FunctionOutput output |
+    exists(RemoteFlowSourceFunction func, WriteSideEffectInstruction instr, FunctionOutput output |
       asInstruction() = instr and
       instr.getPrimaryInstruction().(CallInstruction).getStaticCallTarget() = func and
       func.hasRemoteFlowSource(output, sourceType) and
@@ -57,7 +57,7 @@ private class LocalReturnSource extends LocalFlowSource {
   string sourceType;
 
   LocalReturnSource() {
-    exists(LocalFlowFunction func, CallInstruction instr, FunctionOutput output |
+    exists(LocalFlowSourceFunction func, CallInstruction instr, FunctionOutput output |
       asInstruction() = instr and
       instr.getStaticCallTarget() = func and
       func.hasLocalFlowSource(output, sourceType) and
@@ -76,7 +76,7 @@ private class LocalParameterSource extends LocalFlowSource {
   string sourceType;
 
   LocalParameterSource() {
-    exists(LocalFlowFunction func, WriteSideEffectInstruction instr, FunctionOutput output |
+    exists(LocalFlowSourceFunction func, WriteSideEffectInstruction instr, FunctionOutput output |
       asInstruction() = instr and
       instr.getPrimaryInstruction().(CallInstruction).getStaticCallTarget() = func and
       func.hasLocalFlowSource(output, sourceType) and
@@ -109,7 +109,7 @@ private class RemoteParameterSink extends RemoteFlowSink {
   string sourceType;
 
   RemoteParameterSink() {
-    exists(RemoteFlowFunctionSink func, FunctionInput input, CallInstruction call, int index |
+    exists(RemoteFlowSinkFunction func, FunctionInput input, CallInstruction call, int index |
       func.hasRemoteFlowSink(input, sourceType) and call.getStaticCallTarget() = func
     |
       exists(ReadSideEffectInstruction read |
diff --git a/cpp/ql/src/semmle/code/cpp/security/Security.qll b/cpp/ql/src/semmle/code/cpp/security/Security.qll
index 15e9d86ad6a..d39c13a25a0 100644
--- a/cpp/ql/src/semmle/code/cpp/security/Security.qll
+++ b/cpp/ql/src/semmle/code/cpp/security/Security.qll
@@ -60,17 +60,11 @@ class SecurityOptions extends string {
       or
       functionCall.getTarget().hasGlobalName(fname) and
       exists(functionCall.getArgument(arg)) and
-      (
-        fname = "recvmsg" and arg = 1
-        or
-        fname = "getaddrinfo" and arg = 3
-        or
-        fname = "recvfrom" and
-        (arg = 1 or arg = 4 or arg = 5)
-      )
+      fname = "getaddrinfo" and
+      arg = 3
     )
     or
-    exists(RemoteFlowFunction remote, FunctionOutput output |
+    exists(RemoteFlowSourceFunction remote, FunctionOutput output |
       functionCall.getTarget() = remote and
       output.isParameterDerefOrQualifierObject(arg) and
       remote.hasRemoteFlowSource(output, _)
@@ -89,7 +83,7 @@ class SecurityOptions extends string {
       )
     )
     or
-    exists(RemoteFlowFunction remote, FunctionOutput output |
+    exists(RemoteFlowSourceFunction remote, FunctionOutput output |
       functionCall.getTarget() = remote and
       (output.isReturnValue() or output.isReturnValueDeref()) and
       remote.hasRemoteFlowSource(output, _)

From 729c7f23719f494638c1fb011211cd3b67359e88 Mon Sep 17 00:00:00 2001
From: Mathias Vorreiter Pedersen <mathiasvp@github.com>
Date: Fri, 12 Feb 2021 10:53:34 +0100
Subject: [PATCH 314/429] C++: Add deprecated alias to RemoteFlowSourceFunction
 and LocalFlowSourceFunction.

---
 .../code/cpp/models/interfaces/FlowSource.qll      | 14 ++++++++++++++
 1 file changed, 14 insertions(+)

diff --git a/cpp/ql/src/semmle/code/cpp/models/interfaces/FlowSource.qll b/cpp/ql/src/semmle/code/cpp/models/interfaces/FlowSource.qll
index 8f953761cdc..8c80377c8ec 100644
--- a/cpp/ql/src/semmle/code/cpp/models/interfaces/FlowSource.qll
+++ b/cpp/ql/src/semmle/code/cpp/models/interfaces/FlowSource.qll
@@ -20,6 +20,13 @@ abstract class RemoteFlowSourceFunction extends Function {
   abstract predicate hasRemoteFlowSource(FunctionOutput output, string description);
 }
 
+/**
+ * DEPRECATED: Use `RemoteFlowSourceFunction` instead.
+ *
+ * A library function that returns data that may be read from a network connection.
+ */
+deprecated class RemoteFlowFunction = RemoteFlowSourceFunction;
+
 /**
  * A library function that returns data that is directly controlled by a user.
  */
@@ -30,6 +37,13 @@ abstract class LocalFlowSourceFunction extends Function {
   abstract predicate hasLocalFlowSource(FunctionOutput output, string description);
 }
 
+/**
+ * DEPRECATED: Use `LocalFlowSourceFunction` instead.
+ *
+ * A library function that returns data that is directly controlled by a user.
+ */
+deprecated class LocalFlowFunction = LocalFlowSourceFunction;
+
 /** A library function that sends data over a network connection. */
 abstract class RemoteFlowSinkFunction extends Function {
   /**

From 1651f81ac8f2d9592321841ce978f5a95826aad7 Mon Sep 17 00:00:00 2001
From: Rasmus Wriedt Larsen <rasmuswl@github.com>
Date: Fri, 12 Feb 2021 12:19:12 +0100
Subject: [PATCH 315/429] Python: Refactor to avoid confusing name

After discussion with @yoff
---
 python/ql/src/semmle/python/frameworks/Django.qll | 13 ++++++++++---
 1 file changed, 10 insertions(+), 3 deletions(-)

diff --git a/python/ql/src/semmle/python/frameworks/Django.qll b/python/ql/src/semmle/python/frameworks/Django.qll
index fee806ff8ef..6e90d5adee0 100644
--- a/python/ql/src/semmle/python/frameworks/Django.qll
+++ b/python/ql/src/semmle/python/frameworks/Django.qll
@@ -2024,8 +2024,15 @@ private module Django {
     result = djangoRouteHandlerFunctionTracker(DataFlow::TypeTracker::end(), func)
   }
 
-  /** A class that might be a django View class. */
-  class PossibleDjangoViewClass extends Class {
+  /**
+   * In order to recognize a class as being a django view class, based on the `as_view`
+   * call, we need to be able to track such calls on _any_ class. This is provided by
+   * the member predicates of this QL class.
+   *
+   * As such, a Python class being part of `DjangoViewClassHelper` doesn't signify that
+   * we model it as a django view class.
+   */
+  class DjangoViewClassHelper extends Class {
     /** Gets a reference to this class. */
     private DataFlow::Node getARef(DataFlow::TypeTracker t) {
       t.start() and
@@ -2061,7 +2068,7 @@ private module Django {
   }
 
   /** A class that we consider a django View class. */
-  abstract class DjangoViewClass extends PossibleDjangoViewClass {
+  abstract class DjangoViewClass extends DjangoViewClassHelper {
     /** Gets a function that could handle incoming requests, if any. */
     Function getARequestHandler() {
       // TODO: This doesn't handle attribute assignment. Should be OK, but analysis is not as complete as with

From 97df60f9d6284f9f8d3823d71c0f5fb32e6c2ecf Mon Sep 17 00:00:00 2001
From: Chris Smowton <smowton@github.com>
Date: Fri, 12 Feb 2021 12:12:16 +0000
Subject: [PATCH 316/429] Move misplaced experimental query into the
 conventional directory

---
 .../experimental/{ => Security/CWE}/CWE-918/RequestForgery.java | 0
 .../{ => Security/CWE}/CWE-918/RequestForgery.qhelp             | 0
 .../experimental/{ => Security/CWE}/CWE-918/RequestForgery.ql   | 0
 .../experimental/{ => Security/CWE}/CWE-918/RequestForgery.qll  | 0
 .../query-tests/security/CWE-918/RequestForgery.qlref           | 2 +-
 5 files changed, 1 insertion(+), 1 deletion(-)
 rename java/ql/src/experimental/{ => Security/CWE}/CWE-918/RequestForgery.java (100%)
 rename java/ql/src/experimental/{ => Security/CWE}/CWE-918/RequestForgery.qhelp (100%)
 rename java/ql/src/experimental/{ => Security/CWE}/CWE-918/RequestForgery.ql (100%)
 rename java/ql/src/experimental/{ => Security/CWE}/CWE-918/RequestForgery.qll (100%)

diff --git a/java/ql/src/experimental/CWE-918/RequestForgery.java b/java/ql/src/experimental/Security/CWE/CWE-918/RequestForgery.java
similarity index 100%
rename from java/ql/src/experimental/CWE-918/RequestForgery.java
rename to java/ql/src/experimental/Security/CWE/CWE-918/RequestForgery.java
diff --git a/java/ql/src/experimental/CWE-918/RequestForgery.qhelp b/java/ql/src/experimental/Security/CWE/CWE-918/RequestForgery.qhelp
similarity index 100%
rename from java/ql/src/experimental/CWE-918/RequestForgery.qhelp
rename to java/ql/src/experimental/Security/CWE/CWE-918/RequestForgery.qhelp
diff --git a/java/ql/src/experimental/CWE-918/RequestForgery.ql b/java/ql/src/experimental/Security/CWE/CWE-918/RequestForgery.ql
similarity index 100%
rename from java/ql/src/experimental/CWE-918/RequestForgery.ql
rename to java/ql/src/experimental/Security/CWE/CWE-918/RequestForgery.ql
diff --git a/java/ql/src/experimental/CWE-918/RequestForgery.qll b/java/ql/src/experimental/Security/CWE/CWE-918/RequestForgery.qll
similarity index 100%
rename from java/ql/src/experimental/CWE-918/RequestForgery.qll
rename to java/ql/src/experimental/Security/CWE/CWE-918/RequestForgery.qll
diff --git a/java/ql/test/experimental/query-tests/security/CWE-918/RequestForgery.qlref b/java/ql/test/experimental/query-tests/security/CWE-918/RequestForgery.qlref
index 3d529ae5a2c..3e35024c212 100644
--- a/java/ql/test/experimental/query-tests/security/CWE-918/RequestForgery.qlref
+++ b/java/ql/test/experimental/query-tests/security/CWE-918/RequestForgery.qlref
@@ -1 +1 @@
-experimental/CWE-918/RequestForgery.ql
\ No newline at end of file
+experimental/Security/CWE/CWE-918/RequestForgery.ql

From 655cfb3a475432e5cb019207a065481102dfb93e Mon Sep 17 00:00:00 2001
From: Chris Smowton <smowton@github.com>
Date: Fri, 12 Feb 2021 12:24:19 +0000
Subject: [PATCH 317/429] Re-introduce deprecated versions of old Maven
 predicate names

---
 java/ql/src/semmle/code/xml/MavenPom.qll | 15 +++++++++++++++
 1 file changed, 15 insertions(+)

diff --git a/java/ql/src/semmle/code/xml/MavenPom.qll b/java/ql/src/semmle/code/xml/MavenPom.qll
index bbbb4580340..f13680b2b44 100644
--- a/java/ql/src/semmle/code/xml/MavenPom.qll
+++ b/java/ql/src/semmle/code/xml/MavenPom.qll
@@ -428,11 +428,21 @@ class MavenRepoJar extends File {
     )
   }
 
+  /**
+   * DEPRECATED: name changed to `getGroupId` for consistent use of camel-case.
+   */
+  deprecated string getGroupID() { result = getGroupId() }
+
   /**
    * Gets the `artifactId` of this jar.
    */
   string getArtifactId() { result = getParentContainer().getParentContainer().getBaseName() }
 
+  /**
+   * DEPRECATED: name changed to `getArtifactId` for consistent casing and consistent spelling with Maven.
+   */
+  deprecated string getArtefactID() { result = getArtifactId() }
+
   /**
    * Gets the artifact version string of this jar.
    */
@@ -446,6 +456,11 @@ class MavenRepoJar extends File {
     pom.getArtifact().getValue() = getArtifactId()
   }
 
+  /**
+   * DEPRECATED: name changed to `artifactMatches` for consistent spelling with Maven.
+   */
+  deprecated predicate artefactMatches(ProtoPom pom) { artifactMatches(pom) }
+
   /**
    * Holds if this jar is both an artifact for the POM, and has a version string that matches the POM
    * version string. Only soft and hard version matches are supported.

From 49eda8ced626299e28d5257634369e7c9cc40570 Mon Sep 17 00:00:00 2001
From: =?UTF-8?q?Alvaro=20Mun=CC=83oz?= <alvaro@pwntester.com>
Date: Fri, 12 Feb 2021 14:56:10 +0100
Subject: [PATCH 318/429] apply LSP formatter

---
 .../code/java/frameworks/apache/Lang.qll      | 23 ++++++++++++-------
 1 file changed, 15 insertions(+), 8 deletions(-)

diff --git a/java/ql/src/semmle/code/java/frameworks/apache/Lang.qll b/java/ql/src/semmle/code/java/frameworks/apache/Lang.qll
index e31b2e30861..c9af49464e0 100644
--- a/java/ql/src/semmle/code/java/frameworks/apache/Lang.qll
+++ b/java/ql/src/semmle/code/java/frameworks/apache/Lang.qll
@@ -3,17 +3,18 @@
 import java
 private import semmle.code.java.dataflow.FlowSteps
 
-/** 
- * The class `org.apache.commons.lang.RandomStringUtils` or `org.apache.commons.lang3.RandomStringUtils`. 
+/**
+ * The class `org.apache.commons.lang.RandomStringUtils` or `org.apache.commons.lang3.RandomStringUtils`.
  */
 class TypeApacheRandomStringUtils extends Class {
   TypeApacheRandomStringUtils() {
-    this.hasQualifiedName(["org.apache.commons.lang", "org.apache.commons.lang3"], "RandomStringUtils")
+    this.hasQualifiedName(["org.apache.commons.lang", "org.apache.commons.lang3"],
+      "RandomStringUtils")
   }
 }
 
-/** 
- * The class `org.apache.commons.lang.ArrayUtils` or `org.apache.commons.lang3.ArrayUtils`. 
+/**
+ * The class `org.apache.commons.lang.ArrayUtils` or `org.apache.commons.lang3.ArrayUtils`.
  */
 class TypeApacheArrayUtils extends Class {
   TypeApacheArrayUtils() {
@@ -27,7 +28,9 @@ class TypeApacheArrayUtils extends Class {
  */
 class MethodApacheSerializationUtilsDeserialize extends Method {
   MethodApacheSerializationUtilsDeserialize() {
-    this.getDeclaringType().hasQualifiedName(["org.apache.commons.lang", "org.apache.commons.lang3"], "SerializationUtils") and
+    this.getDeclaringType()
+        .hasQualifiedName(["org.apache.commons.lang", "org.apache.commons.lang3"],
+          "SerializationUtils") and
     this.hasName("deserialize")
   }
 }
@@ -44,12 +47,16 @@ private class ApacheLangArrayUtilsTaintPreservingMethod extends TaintPreservingC
     this.hasName(["addAll", "addFirst"]) and
     src = [0 .. getNumberOfParameters()]
     or
-    this.hasName(["clone", "nullToEmpty", "remove", "removeAll", "removeElement", "removeElements", "reverse", "shift", "shuffle", "subarray", "swap", "toArray", "toMap", "toObject", "toPrimitive", "toString", "toStringArray"]) and
+    this.hasName([
+        "clone", "nullToEmpty", "remove", "removeAll", "removeElement", "removeElements", "reverse",
+        "shift", "shuffle", "subarray", "swap", "toArray", "toMap", "toObject", "toPrimitive",
+        "toString", "toStringArray"
+      ]) and
     src = 0
     or
     this.hasName("add") and
     this.getNumberOfParameters() = 2 and
-    src = [0,1,2]
+    src = [0, 1, 2]
     or
     this.hasName("add") and
     this.getNumberOfParameters() = 3 and

From 8606386c2ce297221e08ff9cf81c261225a0d1c5 Mon Sep 17 00:00:00 2001
From: =?UTF-8?q?Alvaro=20Mun=CC=83oz?= <alvaro@pwntester.com>
Date: Fri, 12 Feb 2021 14:59:28 +0100
Subject: [PATCH 319/429] add bidirectional import

---
 java/ql/src/semmle/code/java/dataflow/FlowSteps.qll | 1 +
 1 file changed, 1 insertion(+)

diff --git a/java/ql/src/semmle/code/java/dataflow/FlowSteps.qll b/java/ql/src/semmle/code/java/dataflow/FlowSteps.qll
index d129ee6544e..cb219650414 100644
--- a/java/ql/src/semmle/code/java/dataflow/FlowSteps.qll
+++ b/java/ql/src/semmle/code/java/dataflow/FlowSteps.qll
@@ -16,6 +16,7 @@ module Frameworks {
   private import semmle.code.java.frameworks.Guice
   private import semmle.code.java.frameworks.Protobuf
   private import semmle.code.java.frameworks.guava.Guava
+  private import semmle.code.java.frameworks.apache.Lang
 }
 
 /**

From 6b80a429139cd6748b87312b30543c0efacb7804 Mon Sep 17 00:00:00 2001
From: =?UTF-8?q?Alvaro=20Mun=CC=83oz?= <alvaro@pwntester.com>
Date: Fri, 12 Feb 2021 15:03:11 +0100
Subject: [PATCH 320/429] apply LSP formatter and add missing dot

---
 java/ql/src/semmle/code/java/frameworks/SnakeYaml.qll | 6 ++----
 1 file changed, 2 insertions(+), 4 deletions(-)

diff --git a/java/ql/src/semmle/code/java/frameworks/SnakeYaml.qll b/java/ql/src/semmle/code/java/frameworks/SnakeYaml.qll
index 04b3be0a3dc..db5687f916a 100644
--- a/java/ql/src/semmle/code/java/frameworks/SnakeYaml.qll
+++ b/java/ql/src/semmle/code/java/frameworks/SnakeYaml.qll
@@ -17,12 +17,10 @@ class SnakeYamlSafeConstructor extends RefType {
 }
 
 /**
- * An instance of `SafeConstructor`
+ * An instance of `SafeConstructor`.
  */
 class SafeSnakeYamlConstruction extends ClassInstanceExpr {
-  SafeSnakeYamlConstruction() {
-    this.getConstructedType() instanceof SnakeYamlSafeConstructor
-  }
+  SafeSnakeYamlConstruction() { this.getConstructedType() instanceof SnakeYamlSafeConstructor }
 }
 
 /**

From 7d294361dc2e762948a59344a64e753a7e02d7e8 Mon Sep 17 00:00:00 2001
From: =?UTF-8?q?Alvaro=20Mu=C3=B1oz?= <pwntester@github.com>
Date: Fri, 12 Feb 2021 15:40:44 +0100
Subject: [PATCH 321/429] Update
 java/ql/src/semmle/code/java/frameworks/apache/Lang.qll

Co-authored-by: Joe Farebrother <joefarebrother@github.com>
---
 java/ql/src/semmle/code/java/frameworks/apache/Lang.qll | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)

diff --git a/java/ql/src/semmle/code/java/frameworks/apache/Lang.qll b/java/ql/src/semmle/code/java/frameworks/apache/Lang.qll
index c9af49464e0..6f0d8739382 100644
--- a/java/ql/src/semmle/code/java/frameworks/apache/Lang.qll
+++ b/java/ql/src/semmle/code/java/frameworks/apache/Lang.qll
@@ -56,7 +56,7 @@ private class ApacheLangArrayUtilsTaintPreservingMethod extends TaintPreservingC
     or
     this.hasName("add") and
     this.getNumberOfParameters() = 2 and
-    src = [0, 1, 2]
+    src = [0, 1]
     or
     this.hasName("add") and
     this.getNumberOfParameters() = 3 and

From 7705fc4f98af10ddac36af39dc9be75019d4ede1 Mon Sep 17 00:00:00 2001
From: Geoffrey White <40627776+geoffw0@users.noreply.github.com>
Date: Fri, 12 Feb 2021 11:28:07 +0000
Subject: [PATCH 322/429] C++: Add more test cases for iterator taint flow.

---
 .../dataflow/taint-tests/localTaint.expected  | 107 ++++++++++++++++++
 .../taint-tests/standalone_iterators.cpp      |  31 +++++
 .../dataflow/taint-tests/vector.cpp           |  36 ++++++
 3 files changed, 174 insertions(+)

diff --git a/cpp/ql/test/library-tests/dataflow/taint-tests/localTaint.expected b/cpp/ql/test/library-tests/dataflow/taint-tests/localTaint.expected
index 9f038101d67..50cfca5c990 100644
--- a/cpp/ql/test/library-tests/dataflow/taint-tests/localTaint.expected
+++ b/cpp/ql/test/library-tests/dataflow/taint-tests/localTaint.expected
@@ -3197,6 +3197,52 @@
 | standalone_iterators.cpp:90:8:90:8 | call to operator-- | standalone_iterators.cpp:90:5:90:5 | call to operator* | TAINT |
 | standalone_iterators.cpp:90:8:90:8 | ref arg call to operator-- | standalone_iterators.cpp:90:6:90:7 | ref arg i2 |  |
 | standalone_iterators.cpp:90:13:90:13 | 0 | standalone_iterators.cpp:90:5:90:5 | ref arg call to operator* | TAINT |
+| standalone_iterators.cpp:98:15:98:16 | call to container | standalone_iterators.cpp:101:6:101:7 | c1 |  |
+| standalone_iterators.cpp:98:15:98:16 | call to container | standalone_iterators.cpp:102:6:102:7 | c1 |  |
+| standalone_iterators.cpp:98:15:98:16 | call to container | standalone_iterators.cpp:106:6:106:7 | c1 |  |
+| standalone_iterators.cpp:98:15:98:16 | call to container | standalone_iterators.cpp:109:7:109:8 | c1 |  |
+| standalone_iterators.cpp:101:6:101:7 | c1 | standalone_iterators.cpp:101:9:101:13 | call to begin | TAINT |
+| standalone_iterators.cpp:101:6:101:7 | ref arg c1 | standalone_iterators.cpp:102:6:102:7 | c1 |  |
+| standalone_iterators.cpp:101:6:101:7 | ref arg c1 | standalone_iterators.cpp:106:6:106:7 | c1 |  |
+| standalone_iterators.cpp:101:6:101:7 | ref arg c1 | standalone_iterators.cpp:109:7:109:8 | c1 |  |
+| standalone_iterators.cpp:101:9:101:13 | call to begin | standalone_iterators.cpp:101:2:101:15 | ... = ... |  |
+| standalone_iterators.cpp:101:9:101:13 | call to begin | standalone_iterators.cpp:103:3:103:3 | a |  |
+| standalone_iterators.cpp:101:9:101:13 | call to begin | standalone_iterators.cpp:104:7:104:7 | a |  |
+| standalone_iterators.cpp:102:6:102:7 | c1 | standalone_iterators.cpp:102:9:102:13 | call to begin | TAINT |
+| standalone_iterators.cpp:102:6:102:7 | ref arg c1 | standalone_iterators.cpp:106:6:106:7 | c1 |  |
+| standalone_iterators.cpp:102:6:102:7 | ref arg c1 | standalone_iterators.cpp:109:7:109:8 | c1 |  |
+| standalone_iterators.cpp:102:9:102:13 | call to begin | standalone_iterators.cpp:102:2:102:15 | ... = ... |  |
+| standalone_iterators.cpp:102:9:102:13 | call to begin | standalone_iterators.cpp:107:7:107:7 | b |  |
+| standalone_iterators.cpp:103:2:103:2 | ref arg call to operator* | standalone_iterators.cpp:103:3:103:3 | ref arg a | TAINT |
+| standalone_iterators.cpp:103:2:103:2 | ref arg call to operator* | standalone_iterators.cpp:106:6:106:7 | c1 |  |
+| standalone_iterators.cpp:103:2:103:2 | ref arg call to operator* | standalone_iterators.cpp:109:7:109:8 | c1 |  |
+| standalone_iterators.cpp:103:3:103:3 | a | standalone_iterators.cpp:103:2:103:2 | call to operator* | TAINT |
+| standalone_iterators.cpp:103:3:103:3 | ref arg a | standalone_iterators.cpp:104:7:104:7 | a |  |
+| standalone_iterators.cpp:103:7:103:12 | call to source | standalone_iterators.cpp:103:2:103:2 | ref arg call to operator* | TAINT |
+| standalone_iterators.cpp:104:7:104:7 | a [post update] | standalone_iterators.cpp:106:6:106:7 | c1 |  |
+| standalone_iterators.cpp:104:7:104:7 | a [post update] | standalone_iterators.cpp:109:7:109:8 | c1 |  |
+| standalone_iterators.cpp:106:6:106:7 | c1 | standalone_iterators.cpp:106:9:106:13 | call to begin | TAINT |
+| standalone_iterators.cpp:106:6:106:7 | ref arg c1 | standalone_iterators.cpp:109:7:109:8 | c1 |  |
+| standalone_iterators.cpp:106:9:106:13 | call to begin | standalone_iterators.cpp:106:2:106:15 | ... = ... |  |
+| standalone_iterators.cpp:106:9:106:13 | call to begin | standalone_iterators.cpp:108:7:108:7 | c |  |
+| standalone_iterators.cpp:107:7:107:7 | b [post update] | standalone_iterators.cpp:109:7:109:8 | c1 |  |
+| standalone_iterators.cpp:108:7:108:7 | c [post update] | standalone_iterators.cpp:109:7:109:8 | c1 |  |
+| standalone_iterators.cpp:113:15:113:16 | call to container | standalone_iterators.cpp:116:7:116:8 | c1 |  |
+| standalone_iterators.cpp:113:15:113:16 | call to container | standalone_iterators.cpp:122:7:122:8 | c1 |  |
+| standalone_iterators.cpp:116:7:116:8 | c1 | standalone_iterators.cpp:116:10:116:14 | call to begin | TAINT |
+| standalone_iterators.cpp:116:7:116:8 | ref arg c1 | standalone_iterators.cpp:122:7:122:8 | c1 |  |
+| standalone_iterators.cpp:116:10:116:14 | call to begin | standalone_iterators.cpp:116:2:116:16 | ... = ... |  |
+| standalone_iterators.cpp:116:10:116:14 | call to begin | standalone_iterators.cpp:117:7:117:8 | it |  |
+| standalone_iterators.cpp:116:10:116:14 | call to begin | standalone_iterators.cpp:118:2:118:3 | it |  |
+| standalone_iterators.cpp:116:10:116:14 | call to begin | standalone_iterators.cpp:119:7:119:8 | it |  |
+| standalone_iterators.cpp:116:10:116:14 | call to begin | standalone_iterators.cpp:120:2:120:3 | it |  |
+| standalone_iterators.cpp:116:10:116:14 | call to begin | standalone_iterators.cpp:121:7:121:8 | it |  |
+| standalone_iterators.cpp:117:7:117:8 | it [post update] | standalone_iterators.cpp:122:7:122:8 | c1 |  |
+| standalone_iterators.cpp:118:2:118:3 | ref arg it | standalone_iterators.cpp:119:7:119:8 | it |  |
+| standalone_iterators.cpp:118:2:118:3 | ref arg it | standalone_iterators.cpp:120:2:120:3 | it |  |
+| standalone_iterators.cpp:118:2:118:3 | ref arg it | standalone_iterators.cpp:121:7:121:8 | it |  |
+| standalone_iterators.cpp:118:2:118:3 | ref arg it | standalone_iterators.cpp:122:7:122:8 | c1 |  |
+| standalone_iterators.cpp:120:2:120:3 | ref arg it | standalone_iterators.cpp:121:7:121:8 | it |  |
 | stl.h:75:8:75:8 | Unknown literal | stl.h:75:8:75:8 | constructor init of field container | TAINT |
 | stl.h:75:8:75:8 | Unknown literal | stl.h:75:8:75:8 | constructor init of field container | TAINT |
 | stl.h:75:8:75:8 | this | stl.h:75:8:75:8 | constructor init of field container [pre-this] |  |
@@ -7481,3 +7527,64 @@
 | vector.cpp:496:25:496:30 | call to source | vector.cpp:496:2:496:3 | ref arg v2 | TAINT |
 | vector.cpp:496:25:496:30 | call to source | vector.cpp:496:5:496:11 | call to emplace | TAINT |
 | vector.cpp:497:7:497:8 | ref arg v2 | vector.cpp:498:1:498:1 | v2 |  |
+| vector.cpp:503:18:503:21 | {...} | vector.cpp:506:8:506:9 | as |  |
+| vector.cpp:503:18:503:21 | {...} | vector.cpp:507:8:507:9 | as |  |
+| vector.cpp:503:18:503:21 | {...} | vector.cpp:509:9:509:10 | as |  |
+| vector.cpp:503:18:503:21 | {...} | vector.cpp:515:8:515:9 | as |  |
+| vector.cpp:503:20:503:20 | 0 | vector.cpp:503:18:503:21 | {...} | TAINT |
+| vector.cpp:506:8:506:9 | as | vector.cpp:506:8:506:12 | access to array |  |
+| vector.cpp:506:11:506:11 | 1 | vector.cpp:506:8:506:12 | access to array | TAINT |
+| vector.cpp:507:8:507:9 | as | vector.cpp:507:8:507:19 | access to array |  |
+| vector.cpp:507:11:507:16 | call to source | vector.cpp:507:8:507:19 | access to array | TAINT |
+| vector.cpp:509:9:509:10 | as | vector.cpp:509:3:509:10 | ... = ... |  |
+| vector.cpp:509:9:509:10 | as | vector.cpp:510:9:510:11 | ptr |  |
+| vector.cpp:509:9:509:10 | as | vector.cpp:511:3:511:5 | ptr |  |
+| vector.cpp:510:9:510:11 | ptr | vector.cpp:510:8:510:11 | * ... | TAINT |
+| vector.cpp:511:3:511:5 | ptr | vector.cpp:511:3:511:10 | ... += ... | TAINT |
+| vector.cpp:511:3:511:10 | ... += ... | vector.cpp:512:9:512:11 | ptr |  |
+| vector.cpp:511:3:511:10 | ... += ... | vector.cpp:513:3:513:5 | ptr |  |
+| vector.cpp:511:10:511:10 | 1 | vector.cpp:511:3:511:10 | ... += ... | TAINT |
+| vector.cpp:512:9:512:11 | ptr | vector.cpp:512:8:512:11 | * ... | TAINT |
+| vector.cpp:513:3:513:5 | ptr | vector.cpp:513:3:513:17 | ... += ... | TAINT |
+| vector.cpp:513:3:513:17 | ... += ... | vector.cpp:514:9:514:11 | ptr |  |
+| vector.cpp:513:10:513:15 | call to source | vector.cpp:513:3:513:17 | ... += ... | TAINT |
+| vector.cpp:514:9:514:11 | ptr | vector.cpp:514:8:514:11 | * ... | TAINT |
+| vector.cpp:515:8:515:9 | as | vector.cpp:515:8:515:12 | access to array |  |
+| vector.cpp:515:11:515:11 | 1 | vector.cpp:515:8:515:12 | access to array | TAINT |
+| vector.cpp:520:25:520:31 | call to vector | vector.cpp:523:8:523:9 | vs |  |
+| vector.cpp:520:25:520:31 | call to vector | vector.cpp:524:8:524:9 | vs |  |
+| vector.cpp:520:25:520:31 | call to vector | vector.cpp:526:8:526:9 | vs |  |
+| vector.cpp:520:25:520:31 | call to vector | vector.cpp:532:8:532:9 | vs |  |
+| vector.cpp:520:25:520:31 | call to vector | vector.cpp:533:2:533:2 | vs |  |
+| vector.cpp:520:30:520:30 | 0 | vector.cpp:520:25:520:31 | call to vector | TAINT |
+| vector.cpp:523:8:523:9 | ref arg vs | vector.cpp:524:8:524:9 | vs |  |
+| vector.cpp:523:8:523:9 | ref arg vs | vector.cpp:526:8:526:9 | vs |  |
+| vector.cpp:523:8:523:9 | ref arg vs | vector.cpp:532:8:532:9 | vs |  |
+| vector.cpp:523:8:523:9 | ref arg vs | vector.cpp:533:2:533:2 | vs |  |
+| vector.cpp:523:8:523:9 | vs | vector.cpp:523:10:523:10 | call to operator[] | TAINT |
+| vector.cpp:524:8:524:9 | ref arg vs | vector.cpp:526:8:526:9 | vs |  |
+| vector.cpp:524:8:524:9 | ref arg vs | vector.cpp:532:8:532:9 | vs |  |
+| vector.cpp:524:8:524:9 | ref arg vs | vector.cpp:533:2:533:2 | vs |  |
+| vector.cpp:524:8:524:9 | vs | vector.cpp:524:10:524:10 | call to operator[] | TAINT |
+| vector.cpp:526:8:526:9 | ref arg vs | vector.cpp:532:8:532:9 | vs |  |
+| vector.cpp:526:8:526:9 | ref arg vs | vector.cpp:533:2:533:2 | vs |  |
+| vector.cpp:526:8:526:9 | vs | vector.cpp:526:11:526:15 | call to begin | TAINT |
+| vector.cpp:526:11:526:15 | call to begin | vector.cpp:526:3:526:17 | ... = ... |  |
+| vector.cpp:526:11:526:15 | call to begin | vector.cpp:527:9:527:10 | it |  |
+| vector.cpp:526:11:526:15 | call to begin | vector.cpp:528:3:528:4 | it |  |
+| vector.cpp:526:11:526:15 | call to begin | vector.cpp:529:9:529:10 | it |  |
+| vector.cpp:526:11:526:15 | call to begin | vector.cpp:530:3:530:4 | it |  |
+| vector.cpp:526:11:526:15 | call to begin | vector.cpp:531:9:531:10 | it |  |
+| vector.cpp:527:9:527:10 | it | vector.cpp:527:8:527:8 | call to operator* | TAINT |
+| vector.cpp:528:3:528:4 | it | vector.cpp:528:6:528:6 | call to operator+= |  |
+| vector.cpp:528:3:528:4 | ref arg it | vector.cpp:529:9:529:10 | it |  |
+| vector.cpp:528:3:528:4 | ref arg it | vector.cpp:530:3:530:4 | it |  |
+| vector.cpp:528:3:528:4 | ref arg it | vector.cpp:531:9:531:10 | it |  |
+| vector.cpp:528:9:528:9 | 1 | vector.cpp:528:6:528:6 | call to operator+= |  |
+| vector.cpp:529:9:529:10 | it | vector.cpp:529:8:529:8 | call to operator* | TAINT |
+| vector.cpp:530:3:530:4 | it | vector.cpp:530:6:530:6 | call to operator+= |  |
+| vector.cpp:530:3:530:4 | ref arg it | vector.cpp:531:9:531:10 | it |  |
+| vector.cpp:530:9:530:14 | call to source | vector.cpp:530:6:530:6 | call to operator+= |  |
+| vector.cpp:531:9:531:10 | it | vector.cpp:531:8:531:8 | call to operator* | TAINT |
+| vector.cpp:532:8:532:9 | ref arg vs | vector.cpp:533:2:533:2 | vs |  |
+| vector.cpp:532:8:532:9 | vs | vector.cpp:532:10:532:10 | call to operator[] | TAINT |
diff --git a/cpp/ql/test/library-tests/dataflow/taint-tests/standalone_iterators.cpp b/cpp/ql/test/library-tests/dataflow/taint-tests/standalone_iterators.cpp
index 3fb8c738305..0d6760f08a9 100644
--- a/cpp/ql/test/library-tests/dataflow/taint-tests/standalone_iterators.cpp
+++ b/cpp/ql/test/library-tests/dataflow/taint-tests/standalone_iterators.cpp
@@ -90,3 +90,34 @@ void test_insert_iterator() {
     *i2-- = 0;
     sink(c2); // clean
 }
+
+void sink(insert_iterator_by_trait);
+insert_iterator_by_trait &operator+=(insert_iterator_by_trait &it, int amount);
+
+void test_assign_through_iterator() {
+    container c1;
+    insert_iterator_by_trait a, b, c;
+
+	a = c1.begin();
+	b = c1.begin();
+	*a = source();
+	sink(a); // $ ast MISSING: ir
+
+	c = c1.begin();
+	sink(b); // MISSING: ast,ir
+	sink(c); // $ ast MISSING: ir
+	sink(c1); // $ ast MISSING: ir
+}
+
+void test_nonmember_iterator() {
+    container c1;
+    insert_iterator_by_trait it;
+
+	it = c1.begin();
+	sink(it);
+	it += 1;
+	sink(it);
+	it += source();
+	sink(it); // $ MISSING: ast,ir
+	sink(c1);
+}
diff --git a/cpp/ql/test/library-tests/dataflow/taint-tests/vector.cpp b/cpp/ql/test/library-tests/dataflow/taint-tests/vector.cpp
index ec354da548c..5d040988dd8 100644
--- a/cpp/ql/test/library-tests/dataflow/taint-tests/vector.cpp
+++ b/cpp/ql/test/library-tests/dataflow/taint-tests/vector.cpp
@@ -496,3 +496,39 @@ void test_vector_emplace() {
 	v2.emplace(v2.begin(), source());
 	sink(v2); // $ ast,ir
 }
+
+void test_vector_iterator() {
+	{
+		// array behaviour, for comparison
+		short as[100] = {0};
+		short *ptr;
+
+		sink(as[1]);
+		sink(as[source()]); // $ ast,ir
+
+		ptr = as;
+		sink(*ptr);
+		ptr += 1;
+		sink(*ptr);
+		ptr += source();
+		sink(*ptr); // $ ast,ir
+		sink(as[1]);
+	}
+
+	{
+		// iterator behaviour
+		std::vector<short> vs(100, 0);
+		std::vector<short>::iterator it;
+
+		sink(vs[1]);
+		sink(vs[source()]); // $ MISSING: ast,ir
+
+		it = vs.begin();
+		sink(*it);
+		it += 1;
+		sink(*it);
+		it += source();
+		sink(*it); // $ MISSING: ast,ir
+		sink(vs[1]);
+	}
+}

From 90dbbbb0c22991eb87fb5306f9b2bb655c646bbb Mon Sep 17 00:00:00 2001
From: Geoffrey White <40627776+geoffw0@users.noreply.github.com>
Date: Thu, 11 Feb 2021 14:53:09 +0000
Subject: [PATCH 323/429] C++: Update Iterator.qll.

---
 .../cpp/models/implementations/Iterator.qll   | 21 +++++++------------
 1 file changed, 7 insertions(+), 14 deletions(-)

diff --git a/cpp/ql/src/semmle/code/cpp/models/implementations/Iterator.qll b/cpp/ql/src/semmle/code/cpp/models/implementations/Iterator.qll
index a5b1c0e83ec..16d1e273707 100644
--- a/cpp/ql/src/semmle/code/cpp/models/implementations/Iterator.qll
+++ b/cpp/ql/src/semmle/code/cpp/models/implementations/Iterator.qll
@@ -177,8 +177,7 @@ private class IteratorAssignArithmeticOperator extends Operator, DataFlowFunctio
 class IteratorPointerDereferenceMemberOperator extends MemberFunction, TaintFunction,
   IteratorReferenceFunction {
   IteratorPointerDereferenceMemberOperator() {
-    this.hasName("operator*") and
-    this.getDeclaringType() instanceof Iterator
+    this.getClassAndName("operator*") instanceof Iterator
   }
 
   override predicate hasTaintFlow(FunctionInput input, FunctionOutput output) {
@@ -195,8 +194,7 @@ class IteratorPointerDereferenceMemberOperator extends MemberFunction, TaintFunc
  */
 private class IteratorCrementMemberOperator extends MemberFunction, DataFlowFunction, TaintFunction {
   IteratorCrementMemberOperator() {
-    this.hasName(["operator++", "operator--"]) and
-    this.getDeclaringType() instanceof Iterator
+    this.getClassAndName(["operator++", "operator--"]) instanceof Iterator
   }
 
   override predicate hasDataFlow(FunctionInput input, FunctionOutput output) {
@@ -221,8 +219,7 @@ private class IteratorCrementMemberOperator extends MemberFunction, DataFlowFunc
  */
 private class IteratorFieldMemberOperator extends Operator, TaintFunction {
   IteratorFieldMemberOperator() {
-    this.hasName("operator->") and
-    this.getDeclaringType() instanceof Iterator
+    this.getClassAndName("operator->") instanceof Iterator
   }
 
   override predicate hasTaintFlow(FunctionInput input, FunctionOutput output) {
@@ -236,8 +233,7 @@ private class IteratorFieldMemberOperator extends Operator, TaintFunction {
  */
 private class IteratorBinaryArithmeticMemberOperator extends MemberFunction, TaintFunction {
   IteratorBinaryArithmeticMemberOperator() {
-    this.hasName(["operator+", "operator-"]) and
-    this.getDeclaringType() instanceof Iterator
+    this.getClassAndName(["operator+", "operator-"]) instanceof Iterator
   }
 
   override predicate hasTaintFlow(FunctionInput input, FunctionOutput output) {
@@ -252,8 +248,7 @@ private class IteratorBinaryArithmeticMemberOperator extends MemberFunction, Tai
 private class IteratorAssignArithmeticMemberOperator extends MemberFunction, DataFlowFunction,
   TaintFunction {
   IteratorAssignArithmeticMemberOperator() {
-    this.hasName(["operator+=", "operator-="]) and
-    this.getDeclaringType() instanceof Iterator
+    this.getClassAndName(["operator+=", "operator-="]) instanceof Iterator
   }
 
   override predicate hasDataFlow(FunctionInput input, FunctionOutput output) {
@@ -276,8 +271,7 @@ private class IteratorAssignArithmeticMemberOperator extends MemberFunction, Dat
 private class IteratorArrayMemberOperator extends MemberFunction, TaintFunction,
   IteratorReferenceFunction {
   IteratorArrayMemberOperator() {
-    this.hasName("operator[]") and
-    this.getDeclaringType() instanceof Iterator
+    this.getClassAndName("operator[]") instanceof Iterator
   }
 
   override predicate hasTaintFlow(FunctionInput input, FunctionOutput output) {
@@ -295,8 +289,7 @@ private class IteratorArrayMemberOperator extends MemberFunction, TaintFunction,
  */
 private class IteratorAssignmentMemberOperator extends MemberFunction, TaintFunction {
   IteratorAssignmentMemberOperator() {
-    this.hasName("operator=") and
-    this.getDeclaringType() instanceof Iterator and
+    this.getClassAndName("operator=") instanceof Iterator and
     not this instanceof CopyAssignmentOperator and
     not this instanceof MoveAssignmentOperator
   }

From da06b2a615804b43b2edba1b14877006c0fd9fcf Mon Sep 17 00:00:00 2001
From: Geoffrey White <40627776+geoffw0@users.noreply.github.com>
Date: Thu, 11 Feb 2021 16:44:05 +0000
Subject: [PATCH 324/429] C++: Improve Iterator.qll layout and QLDoc.

---
 .../code/cpp/models/implementations/Iterator.qll | 16 ++++++++++------
 1 file changed, 10 insertions(+), 6 deletions(-)

diff --git a/cpp/ql/src/semmle/code/cpp/models/implementations/Iterator.qll b/cpp/ql/src/semmle/code/cpp/models/implementations/Iterator.qll
index 16d1e273707..5aeefb760ae 100644
--- a/cpp/ql/src/semmle/code/cpp/models/implementations/Iterator.qll
+++ b/cpp/ql/src/semmle/code/cpp/models/implementations/Iterator.qll
@@ -26,6 +26,14 @@ private class IteratorTraits extends Class {
   Type getIteratorType() { result = this.getTemplateArgument(0) }
 }
 
+/**
+ * A type that is deduced to be an iterator because there is a corresponding
+ * `std::iterator_traits` instantiation for it.
+ */
+private class IteratorByTraits extends Iterator {
+  IteratorByTraits() { exists(IteratorTraits it | it.getIteratorType() = this) }
+}
+
 /**
  * A type which has the typedefs expected for an iterator.
  */
@@ -48,13 +56,9 @@ private class StdIterator extends Iterator, Class {
 }
 
 /**
- * A type that is deduced to be an iterator because there is a corresponding
- * `std::iterator_traits` instantiation for it.
+ * Gets the `FunctionInput` corresponding to an iterator parameter to
+ * user-defined operator `op`, at `index`.
  */
-private class IteratorByTraits extends Iterator {
-  IteratorByTraits() { exists(IteratorTraits it | it.getIteratorType() = this) }
-}
-
 private FunctionInput getIteratorArgumentInput(Operator op, int index) {
   exists(Type t |
     t =

From 61b0d6a0cd0a18db306c3a43a29e1b87d3329926 Mon Sep 17 00:00:00 2001
From: Geoffrey White <40627776+geoffw0@users.noreply.github.com>
Date: Thu, 11 Feb 2021 16:27:37 +0000
Subject: [PATCH 325/429] C++: Fix Iterator.qll non-member operator+= charpred.

---
 .../semmle/code/cpp/models/implementations/Iterator.qll   | 4 +++-
 .../dataflow/taint-tests/localTaint.expected              | 8 ++++----
 .../dataflow/taint-tests/standalone_iterators.cpp         | 2 +-
 3 files changed, 8 insertions(+), 6 deletions(-)

diff --git a/cpp/ql/src/semmle/code/cpp/models/implementations/Iterator.qll b/cpp/ql/src/semmle/code/cpp/models/implementations/Iterator.qll
index 5aeefb760ae..b21055d60e8 100644
--- a/cpp/ql/src/semmle/code/cpp/models/implementations/Iterator.qll
+++ b/cpp/ql/src/semmle/code/cpp/models/implementations/Iterator.qll
@@ -157,9 +157,11 @@ private class IteratorSubOperator extends Operator, TaintFunction {
  * A non-member `operator+=` or `operator-=` function for an iterator type.
  */
 private class IteratorAssignArithmeticOperator extends Operator, DataFlowFunction, TaintFunction {
+  FunctionInput iteratorInput;
+
   IteratorAssignArithmeticOperator() {
     this.hasName(["operator+=", "operator-="]) and
-    this.getDeclaringType() instanceof Iterator
+    iteratorInput = getIteratorArgumentInput(this, 0)
   }
 
   override predicate hasDataFlow(FunctionInput input, FunctionOutput output) {
diff --git a/cpp/ql/test/library-tests/dataflow/taint-tests/localTaint.expected b/cpp/ql/test/library-tests/dataflow/taint-tests/localTaint.expected
index 50cfca5c990..5c002dc6455 100644
--- a/cpp/ql/test/library-tests/dataflow/taint-tests/localTaint.expected
+++ b/cpp/ql/test/library-tests/dataflow/taint-tests/localTaint.expected
@@ -3238,11 +3238,15 @@
 | standalone_iterators.cpp:116:10:116:14 | call to begin | standalone_iterators.cpp:120:2:120:3 | it |  |
 | standalone_iterators.cpp:116:10:116:14 | call to begin | standalone_iterators.cpp:121:7:121:8 | it |  |
 | standalone_iterators.cpp:117:7:117:8 | it [post update] | standalone_iterators.cpp:122:7:122:8 | c1 |  |
+| standalone_iterators.cpp:118:2:118:3 | it | standalone_iterators.cpp:118:5:118:5 | call to operator+= |  |
 | standalone_iterators.cpp:118:2:118:3 | ref arg it | standalone_iterators.cpp:119:7:119:8 | it |  |
 | standalone_iterators.cpp:118:2:118:3 | ref arg it | standalone_iterators.cpp:120:2:120:3 | it |  |
 | standalone_iterators.cpp:118:2:118:3 | ref arg it | standalone_iterators.cpp:121:7:121:8 | it |  |
 | standalone_iterators.cpp:118:2:118:3 | ref arg it | standalone_iterators.cpp:122:7:122:8 | c1 |  |
+| standalone_iterators.cpp:118:8:118:8 | 1 | standalone_iterators.cpp:118:2:118:3 | ref arg it | TAINT |
+| standalone_iterators.cpp:120:2:120:3 | it | standalone_iterators.cpp:120:5:120:5 | call to operator+= |  |
 | standalone_iterators.cpp:120:2:120:3 | ref arg it | standalone_iterators.cpp:121:7:121:8 | it |  |
+| standalone_iterators.cpp:120:8:120:13 | call to source | standalone_iterators.cpp:120:2:120:3 | ref arg it | TAINT |
 | stl.h:75:8:75:8 | Unknown literal | stl.h:75:8:75:8 | constructor init of field container | TAINT |
 | stl.h:75:8:75:8 | Unknown literal | stl.h:75:8:75:8 | constructor init of field container | TAINT |
 | stl.h:75:8:75:8 | this | stl.h:75:8:75:8 | constructor init of field container [pre-this] |  |
@@ -3922,12 +3926,10 @@
 | string.cpp:408:8:408:9 | i2 | string.cpp:409:10:409:11 | i7 |  |
 | string.cpp:409:10:409:11 | i7 | string.cpp:409:12:409:12 | call to operator+= |  |
 | string.cpp:409:12:409:12 | call to operator+= | string.cpp:409:8:409:8 | call to operator* | TAINT |
-| string.cpp:409:14:409:14 | 1 | string.cpp:409:12:409:12 | call to operator+= |  |
 | string.cpp:410:8:410:9 | i2 | string.cpp:410:3:410:9 | ... = ... |  |
 | string.cpp:410:8:410:9 | i2 | string.cpp:411:10:411:11 | i8 |  |
 | string.cpp:411:10:411:11 | i8 | string.cpp:411:12:411:12 | call to operator-= |  |
 | string.cpp:411:12:411:12 | call to operator-= | string.cpp:411:8:411:8 | call to operator* | TAINT |
-| string.cpp:411:14:411:14 | 1 | string.cpp:411:12:411:12 | call to operator-= |  |
 | string.cpp:413:8:413:9 | s2 | string.cpp:413:11:413:13 | call to end | TAINT |
 | string.cpp:413:11:413:13 | call to end | string.cpp:413:3:413:15 | ... = ... |  |
 | string.cpp:413:11:413:13 | call to end | string.cpp:414:5:414:6 | i9 |  |
@@ -7580,11 +7582,9 @@
 | vector.cpp:528:3:528:4 | ref arg it | vector.cpp:529:9:529:10 | it |  |
 | vector.cpp:528:3:528:4 | ref arg it | vector.cpp:530:3:530:4 | it |  |
 | vector.cpp:528:3:528:4 | ref arg it | vector.cpp:531:9:531:10 | it |  |
-| vector.cpp:528:9:528:9 | 1 | vector.cpp:528:6:528:6 | call to operator+= |  |
 | vector.cpp:529:9:529:10 | it | vector.cpp:529:8:529:8 | call to operator* | TAINT |
 | vector.cpp:530:3:530:4 | it | vector.cpp:530:6:530:6 | call to operator+= |  |
 | vector.cpp:530:3:530:4 | ref arg it | vector.cpp:531:9:531:10 | it |  |
-| vector.cpp:530:9:530:14 | call to source | vector.cpp:530:6:530:6 | call to operator+= |  |
 | vector.cpp:531:9:531:10 | it | vector.cpp:531:8:531:8 | call to operator* | TAINT |
 | vector.cpp:532:8:532:9 | ref arg vs | vector.cpp:533:2:533:2 | vs |  |
 | vector.cpp:532:8:532:9 | vs | vector.cpp:532:10:532:10 | call to operator[] | TAINT |
diff --git a/cpp/ql/test/library-tests/dataflow/taint-tests/standalone_iterators.cpp b/cpp/ql/test/library-tests/dataflow/taint-tests/standalone_iterators.cpp
index 0d6760f08a9..362784eeb1a 100644
--- a/cpp/ql/test/library-tests/dataflow/taint-tests/standalone_iterators.cpp
+++ b/cpp/ql/test/library-tests/dataflow/taint-tests/standalone_iterators.cpp
@@ -118,6 +118,6 @@ void test_nonmember_iterator() {
 	it += 1;
 	sink(it);
 	it += source();
-	sink(it); // $ MISSING: ast,ir
+	sink(it); // $ ast,ir
 	sink(c1);
 }

From 3cfb0a21fef0bb60b32708f15ec4b57b0a0739de Mon Sep 17 00:00:00 2001
From: Geoffrey White <40627776+geoffw0@users.noreply.github.com>
Date: Thu, 11 Feb 2021 16:28:42 +0000
Subject: [PATCH 326/429] C++: Fix Iterator.qll taint/data flows for
 operator+=.

---
 .../cpp/models/implementations/Iterator.qll   | 26 +++++++++++--------
 .../dataflow/taint-tests/localTaint.expected  |  4 +++
 .../dataflow/taint-tests/vector.cpp           |  2 +-
 3 files changed, 20 insertions(+), 12 deletions(-)

diff --git a/cpp/ql/src/semmle/code/cpp/models/implementations/Iterator.qll b/cpp/ql/src/semmle/code/cpp/models/implementations/Iterator.qll
index b21055d60e8..c15f127d1de 100644
--- a/cpp/ql/src/semmle/code/cpp/models/implementations/Iterator.qll
+++ b/cpp/ql/src/semmle/code/cpp/models/implementations/Iterator.qll
@@ -167,11 +167,15 @@ private class IteratorAssignArithmeticOperator extends Operator, DataFlowFunctio
   override predicate hasDataFlow(FunctionInput input, FunctionOutput output) {
     input.isParameter(0) and
     output.isReturnValue()
-    or
-    input.isParameterDeref(0) and output.isReturnValueDeref()
   }
 
   override predicate hasTaintFlow(FunctionInput input, FunctionOutput output) {
+    input.isParameterDeref(0) and output.isReturnValueDeref()
+    or
+    // reverse flow from returned reference to the object referenced by the first parameter
+    input.isReturnValueDeref() and
+    output.isParameterDeref(0)
+    or
     input.isParameterDeref(1) and
     output.isParameterDeref(0)
   }
@@ -224,9 +228,7 @@ private class IteratorCrementMemberOperator extends MemberFunction, DataFlowFunc
  * A member `operator->` function for an iterator type.
  */
 private class IteratorFieldMemberOperator extends Operator, TaintFunction {
-  IteratorFieldMemberOperator() {
-    this.getClassAndName("operator->") instanceof Iterator
-  }
+  IteratorFieldMemberOperator() { this.getClassAndName("operator->") instanceof Iterator }
 
   override predicate hasTaintFlow(FunctionInput input, FunctionOutput output) {
     input.isQualifierObject() and
@@ -260,14 +262,18 @@ private class IteratorAssignArithmeticMemberOperator extends MemberFunction, Dat
   override predicate hasDataFlow(FunctionInput input, FunctionOutput output) {
     input.isQualifierAddress() and
     output.isReturnValue()
-    or
-    input.isReturnValueDeref() and
-    output.isQualifierObject()
   }
 
   override predicate hasTaintFlow(FunctionInput input, FunctionOutput output) {
     input.isQualifierObject() and
     output.isReturnValueDeref()
+    or
+    // reverse flow from returned reference to the qualifier
+    input.isReturnValueDeref() and
+    output.isQualifierObject()
+    or
+    input.isParameterDeref(0) and
+    output.isQualifierObject()
   }
 }
 
@@ -276,9 +282,7 @@ private class IteratorAssignArithmeticMemberOperator extends MemberFunction, Dat
  */
 private class IteratorArrayMemberOperator extends MemberFunction, TaintFunction,
   IteratorReferenceFunction {
-  IteratorArrayMemberOperator() {
-    this.getClassAndName("operator[]") instanceof Iterator
-  }
+  IteratorArrayMemberOperator() { this.getClassAndName("operator[]") instanceof Iterator }
 
   override predicate hasTaintFlow(FunctionInput input, FunctionOutput output) {
     input.isQualifierObject() and
diff --git a/cpp/ql/test/library-tests/dataflow/taint-tests/localTaint.expected b/cpp/ql/test/library-tests/dataflow/taint-tests/localTaint.expected
index 5c002dc6455..eb8d93e1b9a 100644
--- a/cpp/ql/test/library-tests/dataflow/taint-tests/localTaint.expected
+++ b/cpp/ql/test/library-tests/dataflow/taint-tests/localTaint.expected
@@ -3926,10 +3926,12 @@
 | string.cpp:408:8:408:9 | i2 | string.cpp:409:10:409:11 | i7 |  |
 | string.cpp:409:10:409:11 | i7 | string.cpp:409:12:409:12 | call to operator+= |  |
 | string.cpp:409:12:409:12 | call to operator+= | string.cpp:409:8:409:8 | call to operator* | TAINT |
+| string.cpp:409:14:409:14 | 1 | string.cpp:409:10:409:11 | ref arg i7 | TAINT |
 | string.cpp:410:8:410:9 | i2 | string.cpp:410:3:410:9 | ... = ... |  |
 | string.cpp:410:8:410:9 | i2 | string.cpp:411:10:411:11 | i8 |  |
 | string.cpp:411:10:411:11 | i8 | string.cpp:411:12:411:12 | call to operator-= |  |
 | string.cpp:411:12:411:12 | call to operator-= | string.cpp:411:8:411:8 | call to operator* | TAINT |
+| string.cpp:411:14:411:14 | 1 | string.cpp:411:10:411:11 | ref arg i8 | TAINT |
 | string.cpp:413:8:413:9 | s2 | string.cpp:413:11:413:13 | call to end | TAINT |
 | string.cpp:413:11:413:13 | call to end | string.cpp:413:3:413:15 | ... = ... |  |
 | string.cpp:413:11:413:13 | call to end | string.cpp:414:5:414:6 | i9 |  |
@@ -7582,9 +7584,11 @@
 | vector.cpp:528:3:528:4 | ref arg it | vector.cpp:529:9:529:10 | it |  |
 | vector.cpp:528:3:528:4 | ref arg it | vector.cpp:530:3:530:4 | it |  |
 | vector.cpp:528:3:528:4 | ref arg it | vector.cpp:531:9:531:10 | it |  |
+| vector.cpp:528:9:528:9 | 1 | vector.cpp:528:3:528:4 | ref arg it | TAINT |
 | vector.cpp:529:9:529:10 | it | vector.cpp:529:8:529:8 | call to operator* | TAINT |
 | vector.cpp:530:3:530:4 | it | vector.cpp:530:6:530:6 | call to operator+= |  |
 | vector.cpp:530:3:530:4 | ref arg it | vector.cpp:531:9:531:10 | it |  |
+| vector.cpp:530:9:530:14 | call to source | vector.cpp:530:3:530:4 | ref arg it | TAINT |
 | vector.cpp:531:9:531:10 | it | vector.cpp:531:8:531:8 | call to operator* | TAINT |
 | vector.cpp:532:8:532:9 | ref arg vs | vector.cpp:533:2:533:2 | vs |  |
 | vector.cpp:532:8:532:9 | vs | vector.cpp:532:10:532:10 | call to operator[] | TAINT |
diff --git a/cpp/ql/test/library-tests/dataflow/taint-tests/vector.cpp b/cpp/ql/test/library-tests/dataflow/taint-tests/vector.cpp
index 5d040988dd8..4f0c8fab414 100644
--- a/cpp/ql/test/library-tests/dataflow/taint-tests/vector.cpp
+++ b/cpp/ql/test/library-tests/dataflow/taint-tests/vector.cpp
@@ -528,7 +528,7 @@ void test_vector_iterator() {
 		it += 1;
 		sink(*it);
 		it += source();
-		sink(*it); // $ MISSING: ast,ir
+		sink(*it); // $ ast,ir
 		sink(vs[1]);
 	}
 }

From 1edfd04598396dd5804801b862c343c589d5c5f9 Mon Sep 17 00:00:00 2001
From: Geoffrey White <40627776+geoffw0@users.noreply.github.com>
Date: Fri, 12 Feb 2021 15:56:47 +0000
Subject: [PATCH 327/429] C++: BSL Support.

---
 .../semmle/code/cpp/models/implementations/Iterator.qll   | 8 ++++----
 1 file changed, 4 insertions(+), 4 deletions(-)

diff --git a/cpp/ql/src/semmle/code/cpp/models/implementations/Iterator.qll b/cpp/ql/src/semmle/code/cpp/models/implementations/Iterator.qll
index c15f127d1de..e8ad3d454d8 100644
--- a/cpp/ql/src/semmle/code/cpp/models/implementations/Iterator.qll
+++ b/cpp/ql/src/semmle/code/cpp/models/implementations/Iterator.qll
@@ -15,7 +15,7 @@ import semmle.code.cpp.models.interfaces.Iterator
  */
 private class IteratorTraits extends Class {
   IteratorTraits() {
-    this.hasQualifiedName("std", "iterator_traits") and
+    this.hasQualifiedName(["std", "bsl"], "iterator_traits") and
     not this instanceof TemplateClass and
     exists(TypedefType t |
       this.getAMember() = t and
@@ -44,7 +44,7 @@ private class IteratorByTypedefs extends Iterator, Class {
     this.getAMember().(TypedefType).hasName("pointer") and
     this.getAMember().(TypedefType).hasName("reference") and
     this.getAMember().(TypedefType).hasName("iterator_category") and
-    not this.hasQualifiedName("std", "iterator_traits")
+    not this.hasQualifiedName(["std", "bsl"], "iterator_traits")
   }
 }
 
@@ -52,7 +52,7 @@ private class IteratorByTypedefs extends Iterator, Class {
  * The `std::iterator` class.
  */
 private class StdIterator extends Iterator, Class {
-  StdIterator() { this.hasQualifiedName("std", "iterator") }
+  StdIterator() { this.hasQualifiedName(["std", "bsl"], "iterator") }
 }
 
 /**
@@ -340,7 +340,7 @@ private class BeginOrEndFunction extends MemberFunction, TaintFunction, GetItera
  */
 private class InserterIteratorFunction extends GetIteratorFunction {
   InserterIteratorFunction() {
-    this.hasQualifiedName("std", ["front_inserter", "inserter", "back_inserter"])
+    this.hasQualifiedName(["std", "bsl"], ["front_inserter", "inserter", "back_inserter"])
   }
 
   override predicate getsIterator(FunctionInput input, FunctionOutput output) {

From df91b8182cc5d30e07aa766b94f9c8410bfca676 Mon Sep 17 00:00:00 2001
From: Geoffrey White <40627776+geoffw0@users.noreply.github.com>
Date: Fri, 12 Feb 2021 16:24:45 +0000
Subject: [PATCH 328/429] C++: Deprecate StdPairClass properly.

---
 .../semmle/code/cpp/models/implementations/StdPair.qll    | 8 +++++++-
 1 file changed, 7 insertions(+), 1 deletion(-)

diff --git a/cpp/ql/src/semmle/code/cpp/models/implementations/StdPair.qll b/cpp/ql/src/semmle/code/cpp/models/implementations/StdPair.qll
index 42c3b9025f8..9076220cc22 100644
--- a/cpp/ql/src/semmle/code/cpp/models/implementations/StdPair.qll
+++ b/cpp/ql/src/semmle/code/cpp/models/implementations/StdPair.qll
@@ -7,10 +7,16 @@ import semmle.code.cpp.models.interfaces.Taint
 /**
  * An instantiation of `std::pair<T1, T2>`.
  */
-class StdPair extends ClassTemplateInstantiation {
+private class StdPair extends ClassTemplateInstantiation {
   StdPair() { this.hasQualifiedName(["std", "bsl"], "pair") }
 }
 
+/**
+ * DEPRECATED: This is now called `StdPair` and is a private part of the
+ * library implementation.
+ */
+deprecated class StdPairClass = StdPair;
+
 /**
  * Any of the single-parameter constructors of `std::pair` that takes a reference to an
  * instantiation of `std::pair`. These constructors allow conversion between pair types when the

From d362b5aa654a4656fcd2974fc842f0b2c8ebbd01 Mon Sep 17 00:00:00 2001
From: Geoffrey White <40627776+geoffw0@users.noreply.github.com>
Date: Fri, 12 Feb 2021 16:29:44 +0000
Subject: [PATCH 329/429] C++: StdSet should be private as well.

---
 cpp/ql/src/semmle/code/cpp/models/implementations/StdSet.qll | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)

diff --git a/cpp/ql/src/semmle/code/cpp/models/implementations/StdSet.qll b/cpp/ql/src/semmle/code/cpp/models/implementations/StdSet.qll
index 68e78776968..d2e9892abcb 100644
--- a/cpp/ql/src/semmle/code/cpp/models/implementations/StdSet.qll
+++ b/cpp/ql/src/semmle/code/cpp/models/implementations/StdSet.qll
@@ -8,7 +8,7 @@ import semmle.code.cpp.models.interfaces.Iterator
 /**
  * An instantiation of `std::set` or `std::unordered_set`.
  */
-class StdSet extends ClassTemplateInstantiation {
+private class StdSet extends ClassTemplateInstantiation {
   StdSet() { this.hasQualifiedName(["std", "bsl"], ["set", "unordered_set"]) }
 }
 

From 74f05d569b7d6a8566781d6a7fbcfd26a4bb9fc9 Mon Sep 17 00:00:00 2001
From: Geoffrey White <40627776+geoffw0@users.noreply.github.com>
Date: Fri, 12 Feb 2021 17:41:32 +0000
Subject: [PATCH 330/429] C++: BSL support.

---
 .../cpp/models/implementations/StdString.qll   | 18 +++++++++---------
 1 file changed, 9 insertions(+), 9 deletions(-)

diff --git a/cpp/ql/src/semmle/code/cpp/models/implementations/StdString.qll b/cpp/ql/src/semmle/code/cpp/models/implementations/StdString.qll
index 9f4c458815f..2ffd5916172 100644
--- a/cpp/ql/src/semmle/code/cpp/models/implementations/StdString.qll
+++ b/cpp/ql/src/semmle/code/cpp/models/implementations/StdString.qll
@@ -12,7 +12,7 @@ import semmle.code.cpp.models.interfaces.DataFlow
  * The `std::basic_string` template class instantiations.
  */
 private class StdBasicString extends ClassTemplateInstantiation {
-  StdBasicString() { this.hasQualifiedName("std", "basic_string") }
+  StdBasicString() { this.hasQualifiedName(["std", "bsl"], "basic_string") }
 }
 
 /**
@@ -127,7 +127,7 @@ private class StdStringFrontBack extends TaintFunction {
  */
 private class StdStringPlus extends TaintFunction {
   StdStringPlus() {
-    this.hasQualifiedName("std", "operator+") and
+    this.hasQualifiedName(["std", "bsl"], "operator+") and
     this.getUnspecifiedType() instanceof StdBasicString
   }
 
@@ -256,7 +256,7 @@ private class StdStringSubstr extends TaintFunction {
  * The `std::basic_stringstream` template class instantiations.
  */
 private class StdBasicStringStream extends ClassTemplateInstantiation {
-  StdBasicStringStream() { this.hasQualifiedName("std", "basic_stringstream") }
+  StdBasicStringStream() { this.hasQualifiedName(["std", "bsl"], "basic_stringstream") }
 }
 
 /**
@@ -280,7 +280,7 @@ private class StdStringAt extends TaintFunction {
  * The `std::basic_istream` template class instantiations.
  */
 private class StdBasicIStream extends ClassTemplateInstantiation {
-  StdBasicIStream() { this.hasQualifiedName("std", "basic_istream") }
+  StdBasicIStream() { this.hasQualifiedName(["std", "bsl"], "basic_istream") }
 }
 
 /**
@@ -314,7 +314,7 @@ private class StdIStreamIn extends DataFlowFunction, TaintFunction {
  */
 private class StdIStreamInNonMember extends DataFlowFunction, TaintFunction {
   StdIStreamInNonMember() {
-    this.hasQualifiedName("std", "operator>>") and
+    this.hasQualifiedName(["std", "bsl"], "operator>>") and
     this.getUnspecifiedType().(ReferenceType).getBaseType() instanceof StdBasicIStream
   }
 
@@ -462,7 +462,7 @@ private class StdIStreamGetLine extends DataFlowFunction, TaintFunction {
  * The (non-member) function `std::getline`.
  */
 private class StdGetLine extends DataFlowFunction, TaintFunction {
-  StdGetLine() { this.hasQualifiedName("std", "getline") }
+  StdGetLine() { this.hasQualifiedName(["std", "bsl"], "getline") }
 
   override predicate hasDataFlow(FunctionInput input, FunctionOutput output) {
     // flow from first parameter to return value
@@ -488,7 +488,7 @@ private class StdGetLine extends DataFlowFunction, TaintFunction {
  * The `std::basic_ostream` template class instantiations.
  */
 private class StdBasicOStream extends ClassTemplateInstantiation {
-  StdBasicOStream() { this.hasQualifiedName("std", "basic_ostream") }
+  StdBasicOStream() { this.hasQualifiedName(["std", "bsl"], "basic_ostream") }
 }
 
 /**
@@ -535,7 +535,7 @@ private class StdOStreamOut extends DataFlowFunction, TaintFunction {
  */
 private class StdOStreamOutNonMember extends DataFlowFunction, TaintFunction {
   StdOStreamOutNonMember() {
-    this.hasQualifiedName("std", "operator<<") and
+    this.hasQualifiedName(["std", "bsl"], "operator<<") and
     this.getUnspecifiedType().(ReferenceType).getBaseType() instanceof StdBasicOStream
   }
 
@@ -609,7 +609,7 @@ private class StdStringStreamStr extends TaintFunction {
  * The `std::basic_ios` template class instantiations.
  */
 private class StdBasicIOS extends ClassTemplateInstantiation {
-  StdBasicIOS() { this.hasQualifiedName("std", "basic_ios") }
+  StdBasicIOS() { this.hasQualifiedName(["std", "bsl"], "basic_ios") }
 }
 
 /**

From 6d452521f75646a507f0f6509c61e6500e1a1581 Mon Sep 17 00:00:00 2001
From: Geoffrey White <40627776+geoffw0@users.noreply.github.com>
Date: Fri, 12 Feb 2021 17:42:33 +0000
Subject: [PATCH 331/429] C++: Move StdBasicStringStream to a more logical
 location.

---
 .../code/cpp/models/implementations/StdString.qll  | 14 +++++++-------
 1 file changed, 7 insertions(+), 7 deletions(-)

diff --git a/cpp/ql/src/semmle/code/cpp/models/implementations/StdString.qll b/cpp/ql/src/semmle/code/cpp/models/implementations/StdString.qll
index 2ffd5916172..73a0f6edf26 100644
--- a/cpp/ql/src/semmle/code/cpp/models/implementations/StdString.qll
+++ b/cpp/ql/src/semmle/code/cpp/models/implementations/StdString.qll
@@ -252,13 +252,6 @@ private class StdStringSubstr extends TaintFunction {
   }
 }
 
-/**
- * The `std::basic_stringstream` template class instantiations.
- */
-private class StdBasicStringStream extends ClassTemplateInstantiation {
-  StdBasicStringStream() { this.hasQualifiedName(["std", "bsl"], "basic_stringstream") }
-}
-
 /**
  * The `std::string` functions `at` and `operator[]`.
  */
@@ -563,6 +556,13 @@ private class StdOStreamOutNonMember extends DataFlowFunction, TaintFunction {
   }
 }
 
+/**
+ * The `std::basic_stringstream` template class instantiations.
+ */
+private class StdBasicStringStream extends ClassTemplateInstantiation {
+  StdBasicStringStream() { this.hasQualifiedName(["std", "bsl"], "basic_stringstream") }
+}
+
 /**
  * Additional model for `std::stringstream` constructors that take a string
  * input parameter.

From 26324227832ef755a8620191e7ee3df728cc8639 Mon Sep 17 00:00:00 2001
From: Taus Brock-Nannestad <tausbn@github.com>
Date: Fri, 12 Feb 2021 19:28:12 +0100
Subject: [PATCH 332/429] Python: Add FP test for unknown argument in string
 format

Reported in https://github.com/github/codeql/issues/2650

I found this during a bit of spring cleaning in my working
directory. As this doesn't have any immediate security implications, I
don't know when we'll get round to fixing it, but it can't hurt to
have the test case checked in.
---
 .../UnusedNamedArgumentIn3101Format.expected  |  3 +++
 .../Formatting/unknown_format_string.py       | 25 +++++++++++++++++++
 2 files changed, 28 insertions(+)
 create mode 100644 python/ql/test/query-tests/Expressions/Formatting/unknown_format_string.py

diff --git a/python/ql/test/query-tests/Expressions/Formatting/UnusedNamedArgumentIn3101Format.expected b/python/ql/test/query-tests/Expressions/Formatting/UnusedNamedArgumentIn3101Format.expected
index 849920f8c07..462a9ed3992 100644
--- a/python/ql/test/query-tests/Expressions/Formatting/UnusedNamedArgumentIn3101Format.expected
+++ b/python/ql/test/query-tests/Expressions/Formatting/UnusedNamedArgumentIn3101Format.expected
@@ -6,3 +6,6 @@
 | test.py:45:1:45:35 | format() | Surplus named argument for string format. An argument named 'z' is provided, but it is not required by $@. | test.py:39:14:39:18 | Str | any format used. |
 | test.py:46:1:46:34 | Attribute() | Surplus named argument for string format. An argument named 'z' is provided, but it is not required by $@. | test.py:37:14:37:18 | Str | any format used. |
 | test.py:46:1:46:34 | Attribute() | Surplus named argument for string format. An argument named 'z' is provided, but it is not required by $@. | test.py:39:14:39:18 | Str | any format used. |
+| unknown_format_string.py:9:12:9:30 | Attribute() | Surplus named argument for string format. An argument named 'b' is provided, but it is not required by $@. | unknown_format_string.py:8:15:8:19 | Str | format "{a}" |
+| unknown_format_string.py:17:12:17:30 | Attribute() | Surplus named argument for string format. An argument named 'b' is provided, but it is not required by $@. | unknown_format_string.py:16:15:16:19 | Str | format "{a}" |
+| unknown_format_string.py:25:12:25:30 | Attribute() | Surplus named argument for string format. An argument named 'b' is provided, but it is not required by $@. | unknown_format_string.py:24:15:24:19 | Str | format "{a}" |
diff --git a/python/ql/test/query-tests/Expressions/Formatting/unknown_format_string.py b/python/ql/test/query-tests/Expressions/Formatting/unknown_format_string.py
new file mode 100644
index 00000000000..a3b32a504db
--- /dev/null
+++ b/python/ql/test/query-tests/Expressions/Formatting/unknown_format_string.py
@@ -0,0 +1,25 @@
+# FP Reported in https://github.com/github/codeql/issues/2650
+
+def possibly_unknown_format_string1(x):
+    user_specified = unknown_function()
+    if user_specified:
+        fmt = user_specified
+    else:
+        fmt = "{a}"
+    return fmt.format(a=1,b=2)
+
+def possibly_unknown_format_string2(x):
+    user_specified = input()
+    if user_specified:
+        fmt = user_specified
+    else:
+        fmt = "{a}"
+    return fmt.format(a=1,b=2)
+
+
+def possibly_unknown_format_string3(x):
+    if unknown_function():
+        fmt = input()
+    else:
+        fmt = "{a}"
+    return fmt.format(a=1,b=2)

From 782f4bc3e20a6f7904adf8b7facb1fd47bb364f6 Mon Sep 17 00:00:00 2001
From: "Raul Garcia (MSFT)" <raul.garcia@microsoft.com>
Date: Fri, 12 Feb 2021 13:38:55 -0800
Subject: [PATCH 333/429] Fixing  shared .qhelp issue (renaming to .qhelp.inc)&
 addressing a fix

---
 .../ModifiedFnvFunctionDetection.qhelp          |  2 +-
 .../NumberOfKnownCommandsAboveThreshold.qhelp   |  2 +-
 .../NumberOfKnownHashesAboveThreshold.qhelp     |  2 +-
 .../NumberOfKnownLiteralsAboveThreshold.qhelp   |  2 +-
 ...NumberOfKnownMethodNamesAboveThreshold.qhelp |  2 +-
 .../{Solorigate.qhelp => Solorigate.qhelp.inc}  |  0
 .../SwallowEverythingExceptionHandler.qhelp     |  2 +-
 .../Cryptography/NonCryptographicHashes.qll     | 17 ++++-------------
 8 files changed, 10 insertions(+), 19 deletions(-)
 rename csharp/ql/src/experimental/Security Features/campaign/Solorigate/{Solorigate.qhelp => Solorigate.qhelp.inc} (100%)

diff --git a/csharp/ql/src/experimental/Security Features/campaign/Solorigate/ModifiedFnvFunctionDetection.qhelp b/csharp/ql/src/experimental/Security Features/campaign/Solorigate/ModifiedFnvFunctionDetection.qhelp
index 0b0e1333eb1..dab8e033caa 100644
--- a/csharp/ql/src/experimental/Security Features/campaign/Solorigate/ModifiedFnvFunctionDetection.qhelp	
+++ b/csharp/ql/src/experimental/Security Features/campaign/Solorigate/ModifiedFnvFunctionDetection.qhelp	
@@ -7,6 +7,6 @@
     <p>This query detects FNV-like hash calculations where there is an additional XOR (with any static value) after the hash calculation loop.</p>
   </overview>
 
-  <include src="Solorigate.qhelp" />
+  <include src="Solorigate.qhelp.inc" />
 
 </qhelp>
\ No newline at end of file
diff --git a/csharp/ql/src/experimental/Security Features/campaign/Solorigate/NumberOfKnownCommandsAboveThreshold.qhelp b/csharp/ql/src/experimental/Security Features/campaign/Solorigate/NumberOfKnownCommandsAboveThreshold.qhelp
index 9417cbb2645..adad2a1ba04 100644
--- a/csharp/ql/src/experimental/Security Features/campaign/Solorigate/NumberOfKnownCommandsAboveThreshold.qhelp	
+++ b/csharp/ql/src/experimental/Security Features/campaign/Solorigate/NumberOfKnownCommandsAboveThreshold.qhelp	
@@ -7,6 +7,6 @@
     <p>By themselves, the names of these enumeration constants are not malicious, so the query only detects enumerations that includes at least 10 of the 18 Solorigate commands.</p>
   </overview>
 
-  <include src="Solorigate.qhelp" />
+  <include src="Solorigate.qhelp.inc" />
 
 </qhelp>
\ No newline at end of file
diff --git a/csharp/ql/src/experimental/Security Features/campaign/Solorigate/NumberOfKnownHashesAboveThreshold.qhelp b/csharp/ql/src/experimental/Security Features/campaign/Solorigate/NumberOfKnownHashesAboveThreshold.qhelp
index a5fca70869b..3188a45d7a6 100644
--- a/csharp/ql/src/experimental/Security Features/campaign/Solorigate/NumberOfKnownHashesAboveThreshold.qhelp	
+++ b/csharp/ql/src/experimental/Security Features/campaign/Solorigate/NumberOfKnownHashesAboveThreshold.qhelp	
@@ -8,6 +8,6 @@
     <p>Please notice that by themselves these literals are not malign, but several of the values together would be less likely to be coincidental.</p>
   </overview>
 
-  <include src="Solorigate.qhelp" />
+  <include src="Solorigate.qhelp.inc" />
 
 </qhelp>
\ No newline at end of file
diff --git a/csharp/ql/src/experimental/Security Features/campaign/Solorigate/NumberOfKnownLiteralsAboveThreshold.qhelp b/csharp/ql/src/experimental/Security Features/campaign/Solorigate/NumberOfKnownLiteralsAboveThreshold.qhelp
index 5a275eeadba..fe6e1d0a936 100644
--- a/csharp/ql/src/experimental/Security Features/campaign/Solorigate/NumberOfKnownLiteralsAboveThreshold.qhelp	
+++ b/csharp/ql/src/experimental/Security Features/campaign/Solorigate/NumberOfKnownLiteralsAboveThreshold.qhelp	
@@ -8,6 +8,6 @@
     <p>Please notice that by themselves these literals are not malign.</p>
   </overview>
 
-  <include src="Solorigate.qhelp" />
+  <include src="Solorigate.qhelp.inc" />
 
 </qhelp>
\ No newline at end of file
diff --git a/csharp/ql/src/experimental/Security Features/campaign/Solorigate/NumberOfKnownMethodNamesAboveThreshold.qhelp b/csharp/ql/src/experimental/Security Features/campaign/Solorigate/NumberOfKnownMethodNamesAboveThreshold.qhelp
index f75f1e27097..d99821def93 100644
--- a/csharp/ql/src/experimental/Security Features/campaign/Solorigate/NumberOfKnownMethodNamesAboveThreshold.qhelp	
+++ b/csharp/ql/src/experimental/Security Features/campaign/Solorigate/NumberOfKnownMethodNamesAboveThreshold.qhelp	
@@ -8,6 +8,6 @@
     <p>Please notice that by themselves these method names are not malign.</p>
   </overview>
 
-  <include src="Solorigate.qhelp" />
+  <include src="Solorigate.qhelp.inc" />
 
 </qhelp>
\ No newline at end of file
diff --git a/csharp/ql/src/experimental/Security Features/campaign/Solorigate/Solorigate.qhelp b/csharp/ql/src/experimental/Security Features/campaign/Solorigate/Solorigate.qhelp.inc
similarity index 100%
rename from csharp/ql/src/experimental/Security Features/campaign/Solorigate/Solorigate.qhelp
rename to csharp/ql/src/experimental/Security Features/campaign/Solorigate/Solorigate.qhelp.inc
diff --git a/csharp/ql/src/experimental/Security Features/campaign/Solorigate/SwallowEverythingExceptionHandler.qhelp b/csharp/ql/src/experimental/Security Features/campaign/Solorigate/SwallowEverythingExceptionHandler.qhelp
index 7be5a1f902e..7c52a5e2e5e 100644
--- a/csharp/ql/src/experimental/Security Features/campaign/Solorigate/SwallowEverythingExceptionHandler.qhelp	
+++ b/csharp/ql/src/experimental/Security Features/campaign/Solorigate/SwallowEverythingExceptionHandler.qhelp	
@@ -7,6 +7,6 @@
     <p>This query detects all generic exception empty catch blocks, but it is strongly suggested that the results for cs/catch-of-all-exceptions also be reviewed in the event that a malicious swallow everything exception handler was not empty</p>
   </overview>
 
-  <include src="Solorigate.qhelp" />
+  <include src="Solorigate.qhelp.inc" />
 
 </qhelp>
\ No newline at end of file
diff --git a/csharp/ql/src/experimental/code/csharp/Cryptography/NonCryptographicHashes.qll b/csharp/ql/src/experimental/code/csharp/Cryptography/NonCryptographicHashes.qll
index 4e6c40205ec..03585e32a77 100644
--- a/csharp/ql/src/experimental/code/csharp/Cryptography/NonCryptographicHashes.qll
+++ b/csharp/ql/src/experimental/code/csharp/Cryptography/NonCryptographicHashes.qll
@@ -74,19 +74,10 @@ predicate isCallableAPotentialNonCryptographicHashFunction(Callable callable, Pa
   exists(Variable v, Expr op1, Expr op2, LoopStmt loop |
     maybeANonCryptogrphicHash(callable, v, op1, op2, loop) and
     callable.getAParameter() = param and
-    (
-      param.getAnAccess() = op1.(Operation).getAnOperand().getAChild*()
-      or
-      param.getAnAccess() = op2.(Operation).getAnOperand().getAChild*()
-      or
-      exists(Node source, Node sink |
-        (
-          sink.asExpr() = op1.(Operation).getAChild*() or
-          sink.asExpr() = op2.(Operation).getAChild*()
-        ) and
-        source.asExpr() = param.getAnAccess() and
-        DataFlow::localFlow(source, sink)
-      )
+    exists(ParameterNode p, ExprNode n |
+      p.getParameter() = param and
+      localFlow(p, n) and
+      n.getExpr() in [op1.(Operation).getAChild*(), op2.(Operation).getAChild*()]
     )
   )
 }

From 1d007b6e7251f09954e8e243e7555e3064d5dbaf Mon Sep 17 00:00:00 2001
From: yo-h <55373593+yo-h@users.noreply.github.com>
Date: Sun, 14 Feb 2021 21:42:58 -0500
Subject: [PATCH 334/429] Java: delete two test cases as per code review

---
 .../query-tests/ContinueInFalseLoop/A.java    | 26 +++++++++----------
 1 file changed, 13 insertions(+), 13 deletions(-)

diff --git a/java/ql/test/query-tests/ContinueInFalseLoop/A.java b/java/ql/test/query-tests/ContinueInFalseLoop/A.java
index 911d4146a66..51f381b94c8 100644
--- a/java/ql/test/query-tests/ContinueInFalseLoop/A.java
+++ b/java/ql/test/query-tests/ContinueInFalseLoop/A.java
@@ -30,21 +30,21 @@ public class A {
         break;
     } while (c.cond());
 
-    // --- while, for loops ---
 
-    while (c.cond()) {
-      if (c.cond())
-        continue; // GOOD [never reached, if the condition changed so it was then the result would no longer apply]
-      if (c.cond())
-        break;
-    }
 
-    for (i = 0; c.cond(); i++) {
-      if (c.cond())
-        continue; // GOOD [never reached, if the condition changed so it was then the result would no longer apply]
-      if (c.cond())
-        break;
-    }
+
+
+
+
+
+
+
+
+
+
+
+
+
 
     // --- nested loops ---
 

From 91f277681a467ea2dd4a6d7fdbc9907804a06587 Mon Sep 17 00:00:00 2001
From: Erik Krogh Kristensen <erik-krogh@github.com>
Date: Mon, 15 Feb 2021 09:59:04 +0100
Subject: [PATCH 335/429] fix typo in ApolloClientRequest

Co-authored-by: Esben Sparre Andreasen <esbena@github.com>
---
 .../ql/src/semmle/javascript/frameworks/ClientRequests.qll    | 4 ++--
 1 file changed, 2 insertions(+), 2 deletions(-)

diff --git a/javascript/ql/src/semmle/javascript/frameworks/ClientRequests.qll b/javascript/ql/src/semmle/javascript/frameworks/ClientRequests.qll
index 34f878c125f..ebfdc874f64 100644
--- a/javascript/ql/src/semmle/javascript/frameworks/ClientRequests.qll
+++ b/javascript/ql/src/semmle/javascript/frameworks/ClientRequests.qll
@@ -844,8 +844,8 @@ module ClientRequest {
     /**
      * A model of a URL request made using apollo-client.
      */
-    class ApolloClientRequeist extends ClientRequest::Range, API::InvokeNode {
-      ApolloClientRequeist() { this = apolloUriCallee().getAnInvocation() }
+    class ApolloClientRequest extends ClientRequest::Range, API::InvokeNode {
+      ApolloClientRequest() { this = apolloUriCallee().getAnInvocation() }
 
       override DataFlow::Node getUrl() { result = getParameter(0).getMember("uri").getARhs() }
 

From 1a4f370d1507c693dc507cfa54b2976c00b2e32e Mon Sep 17 00:00:00 2001
From: Tamas Vajk <tamasvajk@github.com>
Date: Wed, 10 Feb 2021 09:00:28 +0100
Subject: [PATCH 336/429] C#: Fix formatting issues

---
 csharp/autobuilder/Semmle.Autobuild.Shared/Solution.cs   | 9 +++++++--
 .../Semmle.Extraction.CIL.Driver/ExtractorOptions.cs     | 2 +-
 2 files changed, 8 insertions(+), 3 deletions(-)

diff --git a/csharp/autobuilder/Semmle.Autobuild.Shared/Solution.cs b/csharp/autobuilder/Semmle.Autobuild.Shared/Solution.cs
index 2f16872dd74..c5d65794fb5 100644
--- a/csharp/autobuilder/Semmle.Autobuild.Shared/Solution.cs
+++ b/csharp/autobuilder/Semmle.Autobuild.Shared/Solution.cs
@@ -45,6 +45,7 @@ namespace Semmle.Autobuild.Shared
         private readonly SolutionFile? solution;
 
         private readonly IEnumerable<Project> includedProjects;
+
         public override IEnumerable<IProjectOrSolution> IncludedProjects => includedProjects;
 
         public IEnumerable<SolutionConfigurationInSolution> Configurations =>
@@ -84,8 +85,12 @@ namespace Semmle.Autobuild.Shared
                 .ToArray();
         }
 
-        private IEnumerable<Version> ToolsVersions => includedProjects.Where(p => p.ValidToolsVersion).Select(p => p.ToolsVersion);
+        private IEnumerable<Version> ToolsVersions => includedProjects
+            .Where(p => p.ValidToolsVersion)
+            .Select(p => p.ToolsVersion);
 
-        public Version ToolsVersion => ToolsVersions.Any() ? ToolsVersions.Max() : new Version();
+        public Version ToolsVersion => ToolsVersions.Any()
+            ? ToolsVersions.Max()
+            : new Version();
     }
 }
diff --git a/csharp/extractor/Semmle.Extraction.CIL.Driver/ExtractorOptions.cs b/csharp/extractor/Semmle.Extraction.CIL.Driver/ExtractorOptions.cs
index 9964ff5bf0c..75405d562fe 100644
--- a/csharp/extractor/Semmle.Extraction.CIL.Driver/ExtractorOptions.cs
+++ b/csharp/extractor/Semmle.Extraction.CIL.Driver/ExtractorOptions.cs
@@ -163,7 +163,7 @@ namespace Semmle.Extraction.CIL.Driver
         }
 
         private readonly HashSet<string> filesAnalyzed = new HashSet<string>();
-        public HashSet<AssemblyName> MissingReferences {get;} = new HashSet<AssemblyName>();
+        public HashSet<AssemblyName> MissingReferences { get; } = new HashSet<AssemblyName>();
     }
 
     /// <summary>

From a75306acbd85b66d797e76543e294aea97b4fd60 Mon Sep 17 00:00:00 2001
From: Tamas Vajk <tamasvajk@github.com>
Date: Wed, 10 Feb 2021 09:00:52 +0100
Subject: [PATCH 337/429] C#: Remove warnings from MdProvider

---
 csharp/extractor/Semmle.Extraction.CIL/PDB/MdProvider.cs | 4 ++++
 1 file changed, 4 insertions(+)

diff --git a/csharp/extractor/Semmle.Extraction.CIL/PDB/MdProvider.cs b/csharp/extractor/Semmle.Extraction.CIL/PDB/MdProvider.cs
index c6c943032a6..fc22f1f6e94 100644
--- a/csharp/extractor/Semmle.Extraction.CIL/PDB/MdProvider.cs
+++ b/csharp/extractor/Semmle.Extraction.CIL/PDB/MdProvider.cs
@@ -2,6 +2,8 @@ using System;
 using Microsoft.DiaSymReader;
 using System.Reflection;
 
+#pragma warning disable IDE0060, CA1822
+
 namespace Semmle.Extraction.PDB
 {
     /// <summary>
@@ -31,3 +33,5 @@ namespace Semmle.Extraction.PDB
             throw new NotImplementedException();
     }
 }
+
+#pragma warning restore

From fc3e6526ce7407dda5c2be3305cb208b909f6bcf Mon Sep 17 00:00:00 2001
From: Tamas Vajk <tamasvajk@github.com>
Date: Wed, 10 Feb 2021 09:03:06 +0100
Subject: [PATCH 338/429] C#: Remove IExtractionScope.FromSource

---
 csharp/extractor/Semmle.Extraction/AssemblyScope.cs    | 2 --
 csharp/extractor/Semmle.Extraction/Context.cs          | 2 +-
 csharp/extractor/Semmle.Extraction/IExtractionScope.cs | 2 --
 csharp/extractor/Semmle.Extraction/SourceScope.cs      | 2 --
 4 files changed, 1 insertion(+), 7 deletions(-)

diff --git a/csharp/extractor/Semmle.Extraction/AssemblyScope.cs b/csharp/extractor/Semmle.Extraction/AssemblyScope.cs
index 84c117d17c4..27c9377bb30 100644
--- a/csharp/extractor/Semmle.Extraction/AssemblyScope.cs
+++ b/csharp/extractor/Semmle.Extraction/AssemblyScope.cs
@@ -21,7 +21,5 @@ namespace Semmle.Extraction
         public bool InScope(ISymbol symbol) =>
             SymbolEqualityComparer.Default.Equals(symbol.ContainingAssembly, assembly) ||
             SymbolEqualityComparer.Default.Equals(symbol, assembly);
-
-        public bool FromSource => false;
     }
 }
diff --git a/csharp/extractor/Semmle.Extraction/Context.cs b/csharp/extractor/Semmle.Extraction/Context.cs
index e6b4826f2ef..1ebbdf72ea4 100644
--- a/csharp/extractor/Semmle.Extraction/Context.cs
+++ b/csharp/extractor/Semmle.Extraction/Context.cs
@@ -242,7 +242,7 @@ namespace Semmle.Extraction
             ShouldAddAssemblyTrapPrefix = addAssemblyTrapPrefix;
         }
 
-        public bool FromSource => scope.FromSource;
+        public bool FromSource => scope is SourceScope;
 
         public ICommentGenerator CommentGenerator { get; } = new CommentProcessor();
 
diff --git a/csharp/extractor/Semmle.Extraction/IExtractionScope.cs b/csharp/extractor/Semmle.Extraction/IExtractionScope.cs
index 78b4a29d0d1..f12823b3f96 100644
--- a/csharp/extractor/Semmle.Extraction/IExtractionScope.cs
+++ b/csharp/extractor/Semmle.Extraction/IExtractionScope.cs
@@ -22,7 +22,5 @@ namespace Semmle.Extraction
         /// </summary>
         /// <param name="path">The path to populate.</param>
         bool InFileScope(string path);
-
-        bool FromSource { get; }
     }
 }
diff --git a/csharp/extractor/Semmle.Extraction/SourceScope.cs b/csharp/extractor/Semmle.Extraction/SourceScope.cs
index 48a89decba9..fba816f6363 100644
--- a/csharp/extractor/Semmle.Extraction/SourceScope.cs
+++ b/csharp/extractor/Semmle.Extraction/SourceScope.cs
@@ -19,7 +19,5 @@ namespace Semmle.Extraction
         public bool InFileScope(string path) => path == SourceTree.FilePath;
 
         public bool InScope(ISymbol symbol) => symbol.Locations.Any(loc => loc.SourceTree == SourceTree);
-
-        public bool FromSource => true;
     }
 }

From 6cdec2d30ecb5624e2505b768587a841159c4f36 Mon Sep 17 00:00:00 2001
From: Tamas Vajk <tamasvajk@github.com>
Date: Wed, 10 Feb 2021 09:09:34 +0100
Subject: [PATCH 339/429] C#: Remove 'extractor.CreateContext' factory method

---
 .../Semmle.Extraction.CIL/Entities/Assembly.cs    |  2 +-
 .../Semmle.Extraction.CSharp/Analyser.cs          |  6 +++---
 csharp/extractor/Semmle.Extraction/Context.cs     | 13 +++++--------
 csharp/extractor/Semmle.Extraction/Extractor.cs   | 15 ---------------
 4 files changed, 9 insertions(+), 27 deletions(-)

diff --git a/csharp/extractor/Semmle.Extraction.CIL/Entities/Assembly.cs b/csharp/extractor/Semmle.Extraction.CIL/Entities/Assembly.cs
index 8a843f1672d..5c0a834909c 100644
--- a/csharp/extractor/Semmle.Extraction.CIL/Entities/Assembly.cs
+++ b/csharp/extractor/Semmle.Extraction.CIL/Entities/Assembly.cs
@@ -136,7 +136,7 @@ namespace Semmle.Extraction.CIL.Entities
                 trapFile = trapWriter.TrapFile;
                 if (nocache || !System.IO.File.Exists(trapFile))
                 {
-                    var cx = extractor.CreateContext(null, trapWriter, null, false);
+                    var cx = new Extraction.Context(extractor, trapWriter);
                     ExtractCIL(cx, assemblyPath, extractPdbs);
                     extracted = true;
                 }
diff --git a/csharp/extractor/Semmle.Extraction.CSharp/Analyser.cs b/csharp/extractor/Semmle.Extraction.CSharp/Analyser.cs
index f9e0d7c3806..ee2326648ed 100644
--- a/csharp/extractor/Semmle.Extraction.CSharp/Analyser.cs
+++ b/csharp/extractor/Semmle.Extraction.CSharp/Analyser.cs
@@ -230,7 +230,7 @@ namespace Semmle.Extraction.CSharp
                 var projectLayout = layout.LookupProjectOrDefault(transformedAssemblyPath);
                 var trapWriter = projectLayout.CreateTrapWriter(Logger, transformedAssemblyPath, options.TrapCompression, discardDuplicates: false);
                 compilationTrapFile = trapWriter;  // Dispose later
-                var cx = extractor.CreateContext(compilation.Clone(), trapWriter, new AssemblyScope(assembly, assemblyPath), AddAssemblyTrapPrefix);
+                var cx = new Context(extractor, compilation.Clone(), trapWriter, new AssemblyScope(assembly, assemblyPath), AddAssemblyTrapPrefix);
 
                 compilationEntity = Entities.Compilation.Create(cx);
             }
@@ -285,7 +285,7 @@ namespace Semmle.Extraction.CSharp
 
                     if (c.GetAssemblyOrModuleSymbol(r) is IAssemblySymbol assembly)
                     {
-                        var cx = extractor.CreateContext(c, trapWriter, new AssemblyScope(assembly, assemblyPath), AddAssemblyTrapPrefix);
+                        var cx = new Context(extractor, c, trapWriter, new AssemblyScope(assembly, assemblyPath), AddAssemblyTrapPrefix);
 
                         foreach (var module in assembly.Modules)
                         {
@@ -371,7 +371,7 @@ namespace Semmle.Extraction.CSharp
 
                     if (!upToDate)
                     {
-                        var cx = extractor.CreateContext(compilation.Clone(), trapWriter, new SourceScope(tree), AddAssemblyTrapPrefix);
+                        var cx = new Context(extractor, compilation.Clone(), trapWriter, new SourceScope(tree), AddAssemblyTrapPrefix);
                         // Ensure that the file itself is populated in case the source file is totally empty
                         var root = tree.GetRoot();
                         Extraction.Entities.File.Create(cx, root.SyntaxTree.FilePath);
diff --git a/csharp/extractor/Semmle.Extraction/Context.cs b/csharp/extractor/Semmle.Extraction/Context.cs
index 1ebbdf72ea4..af13b5d3b76 100644
--- a/csharp/extractor/Semmle.Extraction/Context.cs
+++ b/csharp/extractor/Semmle.Extraction/Context.cs
@@ -225,14 +225,6 @@ namespace Semmle.Extraction
         /// </summary>
         public Compilation Compilation { get; }
 
-        /// <summary>
-        /// Create a new context, one per source file/assembly.
-        /// </summary>
-        /// <param name="e">The extractor.</param>
-        /// <param name="c">The Roslyn compilation.</param>
-        /// <param name="extractedEntity">Name of the source/dll file.</param>
-        /// <param name="scope">Defines which symbols are included in the trap file (e.g. AssemblyScope or SourceScope)</param>
-        /// <param name="addAssemblyTrapPrefix">Whether to add assembly prefixes to TRAP labels.</param>
         public Context(IExtractor e, Compilation c, TrapWriter trapWriter, IExtractionScope scope, bool addAssemblyTrapPrefix)
         {
             Extractor = e;
@@ -242,6 +234,11 @@ namespace Semmle.Extraction
             ShouldAddAssemblyTrapPrefix = addAssemblyTrapPrefix;
         }
 
+        public Context(IExtractor e, TrapWriter trapWriter)
+            : this(e, null, trapWriter, null, false)
+        {
+        }
+
         public bool FromSource => scope is SourceScope;
 
         public ICommentGenerator CommentGenerator { get; } = new CommentProcessor();
diff --git a/csharp/extractor/Semmle.Extraction/Extractor.cs b/csharp/extractor/Semmle.Extraction/Extractor.cs
index 4f5c27f3a90..33ec2d72915 100644
--- a/csharp/extractor/Semmle.Extraction/Extractor.cs
+++ b/csharp/extractor/Semmle.Extraction/Extractor.cs
@@ -83,16 +83,6 @@ namespace Semmle.Extraction
         /// The path transformer to apply.
         /// </summary>
         PathTransformer PathTransformer { get; }
-
-        /// <summary>
-        /// Creates a new context.
-        /// </summary>
-        /// <param name="c">The C# compilation.</param>
-        /// <param name="trapWriter">The trap writer.</param>
-        /// <param name="scope">The extraction scope (what to include in this trap file).</param>
-        /// <param name="addAssemblyTrapPrefix">Whether to add assembly prefixes to TRAP labels.</param>
-        /// <returns></returns>
-        Context CreateContext(Compilation c, TrapWriter trapWriter, IExtractionScope scope, bool addAssemblyTrapPrefix);
     }
 
     /// <summary>
@@ -189,11 +179,6 @@ namespace Semmle.Extraction
             }
         }
 
-        public Context CreateContext(Compilation c, TrapWriter trapWriter, IExtractionScope scope, bool addAssemblyTrapPrefix)
-        {
-            return new Context(this, c, trapWriter, scope, addAssemblyTrapPrefix);
-        }
-
         public IEnumerable<string> MissingTypes => missingTypes;
 
         public IEnumerable<string> MissingNamespaces => missingNamespaces;

From 9ddeff80bf5e0ce621b58674650f509413b8fe71 Mon Sep 17 00:00:00 2001
From: Tamas Vajk <tamasvajk@github.com>
Date: Wed, 10 Feb 2021 09:12:49 +0100
Subject: [PATCH 340/429] Remove useless 'IExtractor' interface

---
 .../Semmle.Extraction.CSharp/Analyser.cs      |  2 +-
 csharp/extractor/Semmle.Extraction/Context.cs |  8 +-
 csharp/extractor/Semmle.Extraction/Entity.cs  |  2 +-
 .../extractor/Semmle.Extraction/Extractor.cs  | 83 +------------------
 4 files changed, 7 insertions(+), 88 deletions(-)

diff --git a/csharp/extractor/Semmle.Extraction.CSharp/Analyser.cs b/csharp/extractor/Semmle.Extraction.CSharp/Analyser.cs
index ee2326648ed..b04b429993d 100644
--- a/csharp/extractor/Semmle.Extraction.CSharp/Analyser.cs
+++ b/csharp/extractor/Semmle.Extraction.CSharp/Analyser.cs
@@ -17,7 +17,7 @@ namespace Semmle.Extraction.CSharp
     /// </summary>
     public sealed class Analyser : IDisposable
     {
-        private IExtractor extractor;
+        private Extraction.Extractor extractor;
         private CSharpCompilation compilation;
         private Layout layout;
         private bool init;
diff --git a/csharp/extractor/Semmle.Extraction/Context.cs b/csharp/extractor/Semmle.Extraction/Context.cs
index af13b5d3b76..c3eaa80d933 100644
--- a/csharp/extractor/Semmle.Extraction/Context.cs
+++ b/csharp/extractor/Semmle.Extraction/Context.cs
@@ -18,7 +18,7 @@ namespace Semmle.Extraction
         /// <summary>
         /// Access various extraction functions, e.g. logger, trap writer.
         /// </summary>
-        public IExtractor Extractor { get; }
+        public Extractor Extractor { get; }
 
         /// <summary>
         /// The program database provided by Roslyn.
@@ -51,7 +51,7 @@ namespace Semmle.Extraction
         // A recursion guard against writing to the trap file whilst writing an id to the trap file.
         private bool writingLabel = false;
 
-        public void DefineLabel(IEntity entity, TextWriter trapFile, IExtractor extractor)
+        public void DefineLabel(IEntity entity, TextWriter trapFile, Extractor extractor)
         {
             if (writingLabel)
             {
@@ -225,7 +225,7 @@ namespace Semmle.Extraction
         /// </summary>
         public Compilation Compilation { get; }
 
-        public Context(IExtractor e, Compilation c, TrapWriter trapWriter, IExtractionScope scope, bool addAssemblyTrapPrefix)
+        public Context(Extractor e, Compilation c, TrapWriter trapWriter, IExtractionScope scope, bool addAssemblyTrapPrefix)
         {
             Extractor = e;
             Compilation = c;
@@ -234,7 +234,7 @@ namespace Semmle.Extraction
             ShouldAddAssemblyTrapPrefix = addAssemblyTrapPrefix;
         }
 
-        public Context(IExtractor e, TrapWriter trapWriter)
+        public Context(Extractor e, TrapWriter trapWriter)
             : this(e, null, trapWriter, null, false)
         {
         }
diff --git a/csharp/extractor/Semmle.Extraction/Entity.cs b/csharp/extractor/Semmle.Extraction/Entity.cs
index 5479c93fee9..8839b6ede2a 100644
--- a/csharp/extractor/Semmle.Extraction/Entity.cs
+++ b/csharp/extractor/Semmle.Extraction/Entity.cs
@@ -137,7 +137,7 @@ namespace Semmle.Extraction
             where TSymbol : ISymbol
             where TEntity : ICachedEntity => cx.CreateEntityFromSymbol(factory, init);
 
-        public static void DefineLabel(this IEntity entity, TextWriter trapFile, IExtractor extractor)
+        public static void DefineLabel(this IEntity entity, TextWriter trapFile, Extractor extractor)
         {
             trapFile.WriteLabel(entity);
             trapFile.Write("=");
diff --git a/csharp/extractor/Semmle.Extraction/Extractor.cs b/csharp/extractor/Semmle.Extraction/Extractor.cs
index 33ec2d72915..6e031fbca52 100644
--- a/csharp/extractor/Semmle.Extraction/Extractor.cs
+++ b/csharp/extractor/Semmle.Extraction/Extractor.cs
@@ -4,91 +4,10 @@ using Semmle.Util.Logging;
 
 namespace Semmle.Extraction
 {
-    /// <summary>
-    /// Provides common extraction functions for use during extraction.
-    /// </summary>
-    ///
-    /// <remarks>
-    /// This is held in the <see cref="Context"/> passed to each entity.
-    /// </remarks>
-    public interface IExtractor
-    {
-        /// <summary>
-        /// Logs a message (to csharp.log).
-        /// Increases the error count if msg.severity is Error.
-        /// </summary>
-        /// <param name="msg">The message to log.</param>
-        void Message(Message msg);
-
-        /// <summary>
-        /// Cache assembly names.
-        /// </summary>
-        /// <param name="assembly">The assembly name.</param>
-        /// <param name="file">The file defining the assembly.</param>
-        void SetAssemblyFile(string assembly, string file);
-
-        /// <summary>
-        /// Maps assembly names to file names.
-        /// </summary>
-        /// <param name="assembly">The assembly name</param>
-        /// <returns>The file defining the assmebly.</returns>
-        string GetAssemblyFile(string assembly);
-
-        /// <summary>
-        /// How many errors encountered during extraction?
-        /// </summary>
-        int Errors { get; }
-
-        /// <summary>
-        /// The extraction is standalone - meaning there will be a lot of errors.
-        /// </summary>
-        bool Standalone { get; }
-
-        /// <summary>
-        /// Record a new error type.
-        /// </summary>
-        /// <param name="fqn">The display name of the type, qualified where possible.</param>
-        /// <param name="fromSource">If the missing type was referenced from a source file.</param>
-        void MissingType(string fqn, bool fromSource);
-
-        /// <summary>
-        /// Record an unresolved `using namespace` directive.
-        /// </summary>
-        /// <param name="fqn">The full name of the namespace.</param>
-        /// <param name="fromSource">If the missing namespace was referenced from a source file.</param>
-        void MissingNamespace(string fqn, bool fromSource);
-
-        /// <summary>
-        /// The list of missing types.
-        /// </summary>
-        IEnumerable<string> MissingTypes { get; }
-
-        /// <summary>
-        /// The list of missing namespaces.
-        /// </summary>
-        IEnumerable<string> MissingNamespaces { get; }
-
-        /// <summary>
-        /// The full path of the generated DLL/EXE.
-        /// null if not specified.
-        /// </summary>
-        string OutputPath { get; }
-
-        /// <summary>
-        /// The object used for logging.
-        /// </summary>
-        ILogger Logger { get; }
-
-        /// <summary>
-        /// The path transformer to apply.
-        /// </summary>
-        PathTransformer PathTransformer { get; }
-    }
-
     /// <summary>
     /// Implementation of the main extractor state.
     /// </summary>
-    public class Extractor : IExtractor
+    public class Extractor
     {
         public bool Standalone
         {

From 5ce5a96cb6cb6b181f796ada0b185631f144fac6 Mon Sep 17 00:00:00 2001
From: Tamas Vajk <tamasvajk@github.com>
Date: Wed, 10 Feb 2021 09:15:33 +0100
Subject: [PATCH 341/429] Remove 'ContextExtensions'

---
 csharp/extractor/Semmle.Extraction/Context.cs | 36 ++++++++-----------
 1 file changed, 14 insertions(+), 22 deletions(-)

diff --git a/csharp/extractor/Semmle.Extraction/Context.cs b/csharp/extractor/Semmle.Extraction/Context.cs
index c3eaa80d933..99e877f5ef2 100644
--- a/csharp/extractor/Semmle.Extraction/Context.cs
+++ b/csharp/extractor/Semmle.Extraction/Context.cs
@@ -457,42 +457,36 @@ namespace Semmle.Extraction
             new Entities.ExtractionMessage(this, msg);
             Extractor.Message(msg);
         }
-    }
 
-    public static class ContextExtensions
-    {
         /// <summary>
         /// Signal an error in the program model.
         /// </summary>
-        /// <param name="cx">The context.</param>
         /// <param name="node">The syntax node causing the failure.</param>
         /// <param name="msg">The error message.</param>
-        public static void ModelError(this Context cx, SyntaxNode node, string msg)
+        public void ModelError(SyntaxNode node, string msg)
         {
-            if (!cx.Extractor.Standalone)
+            if (!Extractor.Standalone)
                 throw new InternalError(node, msg);
         }
 
         /// <summary>
         /// Signal an error in the program model.
         /// </summary>
-        /// <param name="context">The context.</param>
         /// <param name="node">Symbol causing the error.</param>
         /// <param name="msg">The error message.</param>
-        public static void ModelError(this Context cx, ISymbol symbol, string msg)
+        public void ModelError(ISymbol symbol, string msg)
         {
-            if (!cx.Extractor.Standalone)
+            if (!Extractor.Standalone)
                 throw new InternalError(symbol, msg);
         }
 
         /// <summary>
         /// Signal an error in the program model.
         /// </summary>
-        /// <param name="context">The context.</param>
         /// <param name="msg">The error message.</param>
-        public static void ModelError(this Context cx, string msg)
+        public void ModelError(string msg)
         {
-            if (!cx.Extractor.Standalone)
+            if (!Extractor.Standalone)
                 throw new InternalError(msg);
         }
 
@@ -500,11 +494,10 @@ namespace Semmle.Extraction
         /// Tries the supplied action <paramref name="a"/>, and logs an uncaught
         /// exception error if the action fails.
         /// </summary>
-        /// <param name="context">The context.</param>
         /// <param name="node">Optional syntax node for error reporting.</param>
         /// <param name="symbol">Optional symbol for error reporting.</param>
         /// <param name="a">The action to perform.</param>
-        public static void Try(this Context context, SyntaxNode? node, ISymbol? symbol, Action a)
+        public void Try(SyntaxNode? node, ISymbol? symbol, Action a)
         {
             try
             {
@@ -516,33 +509,32 @@ namespace Semmle.Extraction
 
                 if (node != null)
                 {
-                    message = Message.Create(context, ex.Message, node, ex.StackTrace);
+                    message = Message.Create(this, ex.Message, node, ex.StackTrace);
                 }
                 else if (symbol != null)
                 {
-                    message = Message.Create(context, ex.Message, symbol, ex.StackTrace);
+                    message = Message.Create(this, ex.Message, symbol, ex.StackTrace);
                 }
                 else if (ex is InternalError ie)
                 {
-                    message = new Message(ie.Text, ie.EntityText, Entities.Location.Create(context, ie.Location), ex.StackTrace);
+                    message = new Message(ie.Text, ie.EntityText, Entities.Location.Create(this, ie.Location), ex.StackTrace);
                 }
                 else
                 {
-                    message = new Message($"Uncaught exception. {ex.Message}", null, Entities.Location.Create(context), ex.StackTrace);
+                    message = new Message($"Uncaught exception. {ex.Message}", null, Entities.Location.Create(this), ex.StackTrace);
                 }
 
-                context.ExtractionError(message);
+                ExtractionError(message);
             }
         }
 
         /// <summary>
         /// Write the given tuple to the trap file.
         /// </summary>
-        /// <param name="cx">Extractor context.</param>
         /// <param name="tuple">Tuple to write.</param>
-        public static void Emit(this Context cx, Tuple tuple)
+        public void Emit(Tuple tuple)
         {
-            cx.TrapWriter.Emit(tuple);
+            TrapWriter.Emit(tuple);
         }
     }
 }

From e8fd6e11128c74496d4259ed964fb743bbc58b5d Mon Sep 17 00:00:00 2001
From: Tamas Vajk <tamasvajk@github.com>
Date: Wed, 10 Feb 2021 09:23:15 +0100
Subject: [PATCH 342/429] Move classes to seperate files

---
 .../Entities/CallTypeExtensions.cs            |  27 ++
 .../Entities/Expression.cs                    | 320 ------------------
 .../Entities/ExpressionInfo.cs                |  36 ++
 .../Entities/ExpressionNodeInfo.cs            | 189 +++++++++++
 .../Entities/Expression`1.cs                  |  34 ++
 .../Entities/IExpressionInfo.cs               |  53 +++
 .../Entities/IExpressionParentEntity.cs       |  10 +
 .../Entities/IStatementParentEntity.cs        |  10 +
 .../Entities/Statement.cs                     |  51 ---
 .../Entities/Statement`1.cs                   |  47 +++
 10 files changed, 406 insertions(+), 371 deletions(-)
 create mode 100644 csharp/extractor/Semmle.Extraction.CSharp/Entities/CallTypeExtensions.cs
 create mode 100644 csharp/extractor/Semmle.Extraction.CSharp/Entities/ExpressionInfo.cs
 create mode 100644 csharp/extractor/Semmle.Extraction.CSharp/Entities/ExpressionNodeInfo.cs
 create mode 100644 csharp/extractor/Semmle.Extraction.CSharp/Entities/Expression`1.cs
 create mode 100644 csharp/extractor/Semmle.Extraction.CSharp/Entities/IExpressionInfo.cs
 create mode 100644 csharp/extractor/Semmle.Extraction.CSharp/Entities/IExpressionParentEntity.cs
 create mode 100644 csharp/extractor/Semmle.Extraction.CSharp/Entities/IStatementParentEntity.cs
 create mode 100644 csharp/extractor/Semmle.Extraction.CSharp/Entities/Statement`1.cs

diff --git a/csharp/extractor/Semmle.Extraction.CSharp/Entities/CallTypeExtensions.cs b/csharp/extractor/Semmle.Extraction.CSharp/Entities/CallTypeExtensions.cs
new file mode 100644
index 00000000000..6b9564e49dc
--- /dev/null
+++ b/csharp/extractor/Semmle.Extraction.CSharp/Entities/CallTypeExtensions.cs
@@ -0,0 +1,27 @@
+using Semmle.Extraction.Kinds;
+
+namespace Semmle.Extraction.CSharp.Entities
+{
+    internal static class CallTypeExtensions
+    {
+        /// <summary>
+        /// Adjust the expression kind <paramref name="k"/> to match this call type.
+        /// </summary>
+        public static ExprKind AdjustKind(this Expression.CallType ct, ExprKind k)
+        {
+            if (k == ExprKind.ADDRESS_OF)
+            {
+                return k;
+            }
+
+            switch (ct)
+            {
+                case Expression.CallType.Dynamic:
+                case Expression.CallType.UserOperator:
+                    return ExprKind.OPERATOR_INVOCATION;
+                default:
+                    return k;
+            }
+        }
+    }
+}
diff --git a/csharp/extractor/Semmle.Extraction.CSharp/Entities/Expression.cs b/csharp/extractor/Semmle.Extraction.CSharp/Entities/Expression.cs
index 6c738da3af1..e343414a4cb 100644
--- a/csharp/extractor/Semmle.Extraction.CSharp/Entities/Expression.cs
+++ b/csharp/extractor/Semmle.Extraction.CSharp/Entities/Expression.cs
@@ -2,8 +2,6 @@ using Microsoft.CodeAnalysis;
 using Microsoft.CodeAnalysis.CSharp;
 using Microsoft.CodeAnalysis.CSharp.Syntax;
 using Semmle.Extraction.CSharp.Entities.Expressions;
-using Semmle.Extraction.CSharp.Populators;
-using Semmle.Extraction.Entities;
 using Semmle.Extraction.Kinds;
 using System;
 using System.IO;
@@ -11,14 +9,6 @@ using System.Linq;
 
 namespace Semmle.Extraction.CSharp.Entities
 {
-    public interface IExpressionParentEntity : IEntity
-    {
-        /// <summary>
-        /// Whether this entity is the parent of a top-level expression.
-        /// </summary>
-        bool IsTopLevelParent { get; }
-    }
-
     internal class Expression : FreshEntity, IExpressionParentEntity
     {
         private readonly IExpressionInfo info;
@@ -308,314 +298,4 @@ namespace Semmle.Extraction.CSharp.Entities
 
         public override TrapStackBehaviour TrapStackBehaviour => TrapStackBehaviour.OptionalLabel;
     }
-
-    internal static class CallTypeExtensions
-    {
-        /// <summary>
-        /// Adjust the expression kind <paramref name="k"/> to match this call type.
-        /// </summary>
-        public static ExprKind AdjustKind(this Expression.CallType ct, ExprKind k)
-        {
-            if (k == ExprKind.ADDRESS_OF)
-            {
-                return k;
-            }
-
-            switch (ct)
-            {
-                case Expression.CallType.Dynamic:
-                case Expression.CallType.UserOperator:
-                    return ExprKind.OPERATOR_INVOCATION;
-                default:
-                    return k;
-            }
-        }
-    }
-
-    internal abstract class Expression<TExpressionSyntax> : Expression
-        where TExpressionSyntax : ExpressionSyntax
-    {
-        public TExpressionSyntax Syntax { get; }
-
-        protected Expression(ExpressionNodeInfo info)
-            : base(info)
-        {
-            Syntax = (TExpressionSyntax)info.Node;
-        }
-
-        /// <summary>
-        /// Populates expression-type specific relations in the trap file. The general relations
-        /// <code>expressions</code> and <code>expr_location</code> are populated by the constructor
-        /// (should not fail), so even if expression-type specific population fails (e.g., in
-        /// standalone extraction), the expression created via
-        /// <see cref="Expression.Create(Context, ExpressionSyntax, IEntity, int, ITypeSymbol)"/> will
-        /// still be valid.
-        /// </summary>
-        protected abstract void PopulateExpression(TextWriter trapFile);
-
-        protected new Expression TryPopulate()
-        {
-            cx.Try(Syntax, null, () => PopulateExpression(cx.TrapWriter.Writer));
-            return this;
-        }
-    }
-
-    /// <summary>
-    /// Holds all information required to create an Expression entity.
-    /// </summary>
-    internal interface IExpressionInfo
-    {
-        Context Context { get; }
-
-        /// <summary>
-        /// The type of the expression.
-        /// </summary>
-        AnnotatedTypeSymbol? Type { get; }
-
-        /// <summary>
-        /// The location of the expression.
-        /// </summary>
-        Extraction.Entities.Location Location { get; }
-
-        /// <summary>
-        /// The kind of the expression.
-        /// </summary>
-        ExprKind Kind { get; }
-
-        /// <summary>
-        /// The parent of the expression.
-        /// </summary>
-        IExpressionParentEntity Parent { get; }
-
-        /// <summary>
-        /// The child index of the expression.
-        /// </summary>
-        int Child { get; }
-
-        /// <summary>
-        /// Holds if this is an implicit expression.
-        /// </summary>
-        bool IsCompilerGenerated { get; }
-
-        /// <summary>
-        /// Gets a string representation of the value.
-        /// null is encoded as the string "null".
-        /// If the expression does not have a value, then this
-        /// is null.
-        /// </summary>
-        string ExprValue { get; }
-
-        NullableFlowState FlowState { get; }
-    }
-
-    /// <summary>
-    /// Explicitly constructed expression information.
-    /// </summary>
-    internal class ExpressionInfo : IExpressionInfo
-    {
-        public Context Context { get; }
-        public AnnotatedTypeSymbol? Type { get; }
-        public Extraction.Entities.Location Location { get; }
-        public ExprKind Kind { get; }
-        public IExpressionParentEntity Parent { get; }
-        public int Child { get; }
-        public bool IsCompilerGenerated { get; }
-        public string ExprValue { get; }
-
-        public ExpressionInfo(Context cx, AnnotatedTypeSymbol? type, Extraction.Entities.Location location, ExprKind kind,
-            IExpressionParentEntity parent, int child, bool isCompilerGenerated, string value)
-        {
-            Context = cx;
-            Type = type;
-            Location = location;
-            Kind = kind;
-            Parent = parent;
-            Child = child;
-            ExprValue = value;
-            IsCompilerGenerated = isCompilerGenerated;
-        }
-
-        // Synthetic expressions don't have a flow state.
-        public NullableFlowState FlowState => NullableFlowState.None;
-    }
-
-    /// <summary>
-    /// Expression information constructed from a syntax node.
-    /// </summary>
-    internal class ExpressionNodeInfo : IExpressionInfo
-    {
-        public ExpressionNodeInfo(Context cx, ExpressionSyntax node, IExpressionParentEntity parent, int child) :
-            this(cx, node, parent, child, cx.GetTypeInfo(node))
-        {
-        }
-
-        public ExpressionNodeInfo(Context cx, ExpressionSyntax node, IExpressionParentEntity parent, int child, TypeInfo typeInfo)
-        {
-            Context = cx;
-            Node = node;
-            Parent = parent;
-            Child = child;
-            TypeInfo = typeInfo;
-            Conversion = cx.GetModel(node).GetConversion(node);
-        }
-
-        public Context Context { get; }
-        public ExpressionSyntax Node { get; private set; }
-        public IExpressionParentEntity Parent { get; set; }
-        public int Child { get; set; }
-        public TypeInfo TypeInfo { get; }
-        public Microsoft.CodeAnalysis.CSharp.Conversion Conversion { get; }
-
-        public AnnotatedTypeSymbol ResolvedType => new AnnotatedTypeSymbol(TypeInfo.Type.DisambiguateType(), TypeInfo.Nullability.Annotation);
-        public AnnotatedTypeSymbol ConvertedType => new AnnotatedTypeSymbol(TypeInfo.ConvertedType.DisambiguateType(), TypeInfo.ConvertedNullability.Annotation);
-
-        private AnnotatedTypeSymbol? cachedType;
-        private bool cachedTypeSet;
-        public AnnotatedTypeSymbol? Type
-        {
-            get
-            {
-                if (cachedTypeSet)
-                    return cachedType;
-
-                var type = ResolvedType;
-
-                if (type.Symbol == null)
-                    type.Symbol = (TypeInfo.Type ?? TypeInfo.ConvertedType).DisambiguateType();
-
-                // Roslyn workaround: It can't work out the type of "new object[0]"
-                // Clearly a bug.
-                if (type.Symbol?.TypeKind == Microsoft.CodeAnalysis.TypeKind.Error)
-                {
-                    if (Node is ArrayCreationExpressionSyntax arrayCreation)
-                    {
-                        var elementType = Context.GetType(arrayCreation.Type.ElementType);
-
-                        if (elementType.Symbol != null)
-                            // There seems to be no way to create an array with a nullable element at present.
-                            return new AnnotatedTypeSymbol(Context.Compilation.CreateArrayTypeSymbol(elementType.Symbol, arrayCreation.Type.RankSpecifiers.Count), NullableAnnotation.NotAnnotated);
-                    }
-
-                    Context.ModelError(Node, "Failed to determine type");
-                }
-
-                cachedType = type;
-                cachedTypeSet = true;
-
-                return type;
-            }
-        }
-
-        private Microsoft.CodeAnalysis.Location location;
-
-        public Microsoft.CodeAnalysis.Location CodeAnalysisLocation
-        {
-            get
-            {
-                if (location == null)
-                    location = Node.FixedLocation();
-                return location;
-            }
-            set
-            {
-                location = value;
-            }
-        }
-
-        public SemanticModel Model => Context.GetModel(Node);
-
-        public string ExprValue
-        {
-            get
-            {
-                var c = Model.GetConstantValue(Node);
-                if (c.HasValue)
-                {
-                    return Expression.ValueAsString(c.Value);
-                }
-
-                if (TryGetBoolValueFromLiteral(out var val))
-                {
-                    return Expression.ValueAsString(val);
-                }
-
-                return null;
-            }
-        }
-
-        private Extraction.Entities.Location cachedLocation;
-
-        public Extraction.Entities.Location Location
-        {
-            get
-            {
-                if (cachedLocation == null)
-                    cachedLocation = Context.Create(CodeAnalysisLocation);
-                return cachedLocation;
-            }
-
-            set
-            {
-                cachedLocation = value;
-            }
-        }
-
-        public ExprKind Kind { get; set; } = ExprKind.UNKNOWN;
-
-        public bool IsCompilerGenerated { get; set; }
-
-        public ExpressionNodeInfo SetParent(IExpressionParentEntity parent, int child)
-        {
-            Parent = parent;
-            Child = child;
-            return this;
-        }
-
-        public ExpressionNodeInfo SetKind(ExprKind kind)
-        {
-            Kind = kind;
-            return this;
-        }
-
-        public ExpressionNodeInfo SetType(AnnotatedTypeSymbol? type)
-        {
-            cachedType = type;
-            cachedTypeSet = true;
-            return this;
-        }
-
-        public ExpressionNodeInfo SetNode(ExpressionSyntax node)
-        {
-            Node = node;
-            return this;
-        }
-
-        private SymbolInfo cachedSymbolInfo;
-
-        public SymbolInfo SymbolInfo
-        {
-            get
-            {
-                if (cachedSymbolInfo.Symbol == null && cachedSymbolInfo.CandidateReason == CandidateReason.None)
-                    cachedSymbolInfo = Model.GetSymbolInfo(Node);
-                return cachedSymbolInfo;
-            }
-        }
-
-        public NullableFlowState FlowState => TypeInfo.Nullability.FlowState;
-
-        private bool TryGetBoolValueFromLiteral(out bool val)
-        {
-            var isTrue = Node.IsKind(SyntaxKind.TrueLiteralExpression);
-            var isFalse = Node.IsKind(SyntaxKind.FalseLiteralExpression);
-
-            val = isTrue;
-            return isTrue || isFalse;
-        }
-
-        public bool IsBoolLiteral()
-        {
-            return TryGetBoolValueFromLiteral(out var _);
-        }
-    }
 }
diff --git a/csharp/extractor/Semmle.Extraction.CSharp/Entities/ExpressionInfo.cs b/csharp/extractor/Semmle.Extraction.CSharp/Entities/ExpressionInfo.cs
new file mode 100644
index 00000000000..feb1eaa2d93
--- /dev/null
+++ b/csharp/extractor/Semmle.Extraction.CSharp/Entities/ExpressionInfo.cs
@@ -0,0 +1,36 @@
+using Microsoft.CodeAnalysis;
+using Semmle.Extraction.Kinds;
+
+namespace Semmle.Extraction.CSharp.Entities
+{
+    /// <summary>
+    /// Explicitly constructed expression information.
+    /// </summary>
+    internal class ExpressionInfo : IExpressionInfo
+    {
+        public Context Context { get; }
+        public AnnotatedTypeSymbol? Type { get; }
+        public Extraction.Entities.Location Location { get; }
+        public ExprKind Kind { get; }
+        public IExpressionParentEntity Parent { get; }
+        public int Child { get; }
+        public bool IsCompilerGenerated { get; }
+        public string ExprValue { get; }
+
+        public ExpressionInfo(Context cx, AnnotatedTypeSymbol? type, Extraction.Entities.Location location, ExprKind kind,
+            IExpressionParentEntity parent, int child, bool isCompilerGenerated, string value)
+        {
+            Context = cx;
+            Type = type;
+            Location = location;
+            Kind = kind;
+            Parent = parent;
+            Child = child;
+            ExprValue = value;
+            IsCompilerGenerated = isCompilerGenerated;
+        }
+
+        // Synthetic expressions don't have a flow state.
+        public NullableFlowState FlowState => NullableFlowState.None;
+    }
+}
diff --git a/csharp/extractor/Semmle.Extraction.CSharp/Entities/ExpressionNodeInfo.cs b/csharp/extractor/Semmle.Extraction.CSharp/Entities/ExpressionNodeInfo.cs
new file mode 100644
index 00000000000..febb84ded7c
--- /dev/null
+++ b/csharp/extractor/Semmle.Extraction.CSharp/Entities/ExpressionNodeInfo.cs
@@ -0,0 +1,189 @@
+using Microsoft.CodeAnalysis;
+using Microsoft.CodeAnalysis.CSharp;
+using Microsoft.CodeAnalysis.CSharp.Syntax;
+using Semmle.Extraction.CSharp.Populators;
+using Semmle.Extraction.Entities;
+using Semmle.Extraction.Kinds;
+
+namespace Semmle.Extraction.CSharp.Entities
+{
+    /// <summary>
+    /// Expression information constructed from a syntax node.
+    /// </summary>
+    internal class ExpressionNodeInfo : IExpressionInfo
+    {
+        public ExpressionNodeInfo(Context cx, ExpressionSyntax node, IExpressionParentEntity parent, int child) :
+            this(cx, node, parent, child, cx.GetTypeInfo(node))
+        {
+        }
+
+        public ExpressionNodeInfo(Context cx, ExpressionSyntax node, IExpressionParentEntity parent, int child, TypeInfo typeInfo)
+        {
+            Context = cx;
+            Node = node;
+            Parent = parent;
+            Child = child;
+            TypeInfo = typeInfo;
+            Conversion = cx.GetModel(node).GetConversion(node);
+        }
+
+        public Context Context { get; }
+        public ExpressionSyntax Node { get; private set; }
+        public IExpressionParentEntity Parent { get; set; }
+        public int Child { get; set; }
+        public TypeInfo TypeInfo { get; }
+        public Microsoft.CodeAnalysis.CSharp.Conversion Conversion { get; }
+
+        public AnnotatedTypeSymbol ResolvedType => new AnnotatedTypeSymbol(TypeInfo.Type.DisambiguateType(), TypeInfo.Nullability.Annotation);
+        public AnnotatedTypeSymbol ConvertedType => new AnnotatedTypeSymbol(TypeInfo.ConvertedType.DisambiguateType(), TypeInfo.ConvertedNullability.Annotation);
+
+        private AnnotatedTypeSymbol? cachedType;
+        private bool cachedTypeSet;
+        public AnnotatedTypeSymbol? Type
+        {
+            get
+            {
+                if (cachedTypeSet)
+                    return cachedType;
+
+                var type = ResolvedType;
+
+                if (type.Symbol == null)
+                    type.Symbol = (TypeInfo.Type ?? TypeInfo.ConvertedType).DisambiguateType();
+
+                // Roslyn workaround: It can't work out the type of "new object[0]"
+                // Clearly a bug.
+                if (type.Symbol?.TypeKind == Microsoft.CodeAnalysis.TypeKind.Error)
+                {
+                    if (Node is ArrayCreationExpressionSyntax arrayCreation)
+                    {
+                        var elementType = Context.GetType(arrayCreation.Type.ElementType);
+
+                        if (elementType.Symbol != null)
+                            // There seems to be no way to create an array with a nullable element at present.
+                            return new AnnotatedTypeSymbol(Context.Compilation.CreateArrayTypeSymbol(elementType.Symbol, arrayCreation.Type.RankSpecifiers.Count), NullableAnnotation.NotAnnotated);
+                    }
+
+                    Context.ModelError(Node, "Failed to determine type");
+                }
+
+                cachedType = type;
+                cachedTypeSet = true;
+
+                return type;
+            }
+        }
+
+        private Microsoft.CodeAnalysis.Location location;
+
+        public Microsoft.CodeAnalysis.Location CodeAnalysisLocation
+        {
+            get
+            {
+                if (location == null)
+                    location = Node.FixedLocation();
+                return location;
+            }
+            set
+            {
+                location = value;
+            }
+        }
+
+        public SemanticModel Model => Context.GetModel(Node);
+
+        public string ExprValue
+        {
+            get
+            {
+                var c = Model.GetConstantValue(Node);
+                if (c.HasValue)
+                {
+                    return Expression.ValueAsString(c.Value);
+                }
+
+                if (TryGetBoolValueFromLiteral(out var val))
+                {
+                    return Expression.ValueAsString(val);
+                }
+
+                return null;
+            }
+        }
+
+        private Extraction.Entities.Location cachedLocation;
+
+        public Extraction.Entities.Location Location
+        {
+            get
+            {
+                if (cachedLocation == null)
+                    cachedLocation = Context.Create(CodeAnalysisLocation);
+                return cachedLocation;
+            }
+
+            set
+            {
+                cachedLocation = value;
+            }
+        }
+
+        public ExprKind Kind { get; set; } = ExprKind.UNKNOWN;
+
+        public bool IsCompilerGenerated { get; set; }
+
+        public ExpressionNodeInfo SetParent(IExpressionParentEntity parent, int child)
+        {
+            Parent = parent;
+            Child = child;
+            return this;
+        }
+
+        public ExpressionNodeInfo SetKind(ExprKind kind)
+        {
+            Kind = kind;
+            return this;
+        }
+
+        public ExpressionNodeInfo SetType(AnnotatedTypeSymbol? type)
+        {
+            cachedType = type;
+            cachedTypeSet = true;
+            return this;
+        }
+
+        public ExpressionNodeInfo SetNode(ExpressionSyntax node)
+        {
+            Node = node;
+            return this;
+        }
+
+        private SymbolInfo cachedSymbolInfo;
+
+        public SymbolInfo SymbolInfo
+        {
+            get
+            {
+                if (cachedSymbolInfo.Symbol == null && cachedSymbolInfo.CandidateReason == CandidateReason.None)
+                    cachedSymbolInfo = Model.GetSymbolInfo(Node);
+                return cachedSymbolInfo;
+            }
+        }
+
+        public NullableFlowState FlowState => TypeInfo.Nullability.FlowState;
+
+        private bool TryGetBoolValueFromLiteral(out bool val)
+        {
+            var isTrue = Node.IsKind(SyntaxKind.TrueLiteralExpression);
+            var isFalse = Node.IsKind(SyntaxKind.FalseLiteralExpression);
+
+            val = isTrue;
+            return isTrue || isFalse;
+        }
+
+        public bool IsBoolLiteral()
+        {
+            return TryGetBoolValueFromLiteral(out var _);
+        }
+    }
+}
diff --git a/csharp/extractor/Semmle.Extraction.CSharp/Entities/Expression`1.cs b/csharp/extractor/Semmle.Extraction.CSharp/Entities/Expression`1.cs
new file mode 100644
index 00000000000..c16f0679c10
--- /dev/null
+++ b/csharp/extractor/Semmle.Extraction.CSharp/Entities/Expression`1.cs
@@ -0,0 +1,34 @@
+using Microsoft.CodeAnalysis;
+using Microsoft.CodeAnalysis.CSharp.Syntax;
+using System.IO;
+
+namespace Semmle.Extraction.CSharp.Entities
+{
+    internal abstract class Expression<TExpressionSyntax> : Expression
+        where TExpressionSyntax : ExpressionSyntax
+    {
+        public TExpressionSyntax Syntax { get; }
+
+        protected Expression(ExpressionNodeInfo info)
+            : base(info)
+        {
+            Syntax = (TExpressionSyntax)info.Node;
+        }
+
+        /// <summary>
+        /// Populates expression-type specific relations in the trap file. The general relations
+        /// <code>expressions</code> and <code>expr_location</code> are populated by the constructor
+        /// (should not fail), so even if expression-type specific population fails (e.g., in
+        /// standalone extraction), the expression created via
+        /// <see cref="Expression.Create(Context, ExpressionSyntax, IEntity, int, ITypeSymbol)"/> will
+        /// still be valid.
+        /// </summary>
+        protected abstract void PopulateExpression(TextWriter trapFile);
+
+        protected new Expression TryPopulate()
+        {
+            cx.Try(Syntax, null, () => PopulateExpression(cx.TrapWriter.Writer));
+            return this;
+        }
+    }
+}
diff --git a/csharp/extractor/Semmle.Extraction.CSharp/Entities/IExpressionInfo.cs b/csharp/extractor/Semmle.Extraction.CSharp/Entities/IExpressionInfo.cs
new file mode 100644
index 00000000000..1a43a6fbd02
--- /dev/null
+++ b/csharp/extractor/Semmle.Extraction.CSharp/Entities/IExpressionInfo.cs
@@ -0,0 +1,53 @@
+using Microsoft.CodeAnalysis;
+using Semmle.Extraction.Kinds;
+
+namespace Semmle.Extraction.CSharp.Entities
+{
+    /// <summary>
+    /// Holds all information required to create an Expression entity.
+    /// </summary>
+    internal interface IExpressionInfo
+    {
+        Context Context { get; }
+
+        /// <summary>
+        /// The type of the expression.
+        /// </summary>
+        AnnotatedTypeSymbol? Type { get; }
+
+        /// <summary>
+        /// The location of the expression.
+        /// </summary>
+        Extraction.Entities.Location Location { get; }
+
+        /// <summary>
+        /// The kind of the expression.
+        /// </summary>
+        ExprKind Kind { get; }
+
+        /// <summary>
+        /// The parent of the expression.
+        /// </summary>
+        IExpressionParentEntity Parent { get; }
+
+        /// <summary>
+        /// The child index of the expression.
+        /// </summary>
+        int Child { get; }
+
+        /// <summary>
+        /// Holds if this is an implicit expression.
+        /// </summary>
+        bool IsCompilerGenerated { get; }
+
+        /// <summary>
+        /// Gets a string representation of the value.
+        /// null is encoded as the string "null".
+        /// If the expression does not have a value, then this
+        /// is null.
+        /// </summary>
+        string ExprValue { get; }
+
+        NullableFlowState FlowState { get; }
+    }
+}
diff --git a/csharp/extractor/Semmle.Extraction.CSharp/Entities/IExpressionParentEntity.cs b/csharp/extractor/Semmle.Extraction.CSharp/Entities/IExpressionParentEntity.cs
new file mode 100644
index 00000000000..a8e4df3d6ca
--- /dev/null
+++ b/csharp/extractor/Semmle.Extraction.CSharp/Entities/IExpressionParentEntity.cs
@@ -0,0 +1,10 @@
+namespace Semmle.Extraction.CSharp.Entities
+{
+    public interface IExpressionParentEntity : IEntity
+    {
+        /// <summary>
+        /// Whether this entity is the parent of a top-level expression.
+        /// </summary>
+        bool IsTopLevelParent { get; }
+    }
+}
diff --git a/csharp/extractor/Semmle.Extraction.CSharp/Entities/IStatementParentEntity.cs b/csharp/extractor/Semmle.Extraction.CSharp/Entities/IStatementParentEntity.cs
new file mode 100644
index 00000000000..40bc0f218c0
--- /dev/null
+++ b/csharp/extractor/Semmle.Extraction.CSharp/Entities/IStatementParentEntity.cs
@@ -0,0 +1,10 @@
+namespace Semmle.Extraction.CSharp.Entities
+{
+    /// <summary>
+    /// Whether this entity is the parent of a top-level statement.
+    /// </summary>
+    public interface IStatementParentEntity : IEntity
+    {
+        bool IsTopLevelParent { get; }
+    }
+}
diff --git a/csharp/extractor/Semmle.Extraction.CSharp/Entities/Statement.cs b/csharp/extractor/Semmle.Extraction.CSharp/Entities/Statement.cs
index 44bd7f80583..7a5bdcd2a58 100644
--- a/csharp/extractor/Semmle.Extraction.CSharp/Entities/Statement.cs
+++ b/csharp/extractor/Semmle.Extraction.CSharp/Entities/Statement.cs
@@ -1,19 +1,8 @@
 using Microsoft.CodeAnalysis.CSharp.Syntax;
-using Semmle.Extraction.CSharp.Populators;
 using Microsoft.CodeAnalysis.CSharp;
-using Semmle.Extraction.Entities;
-using System.IO;
 
 namespace Semmle.Extraction.CSharp.Entities
 {
-    /// <summary>
-    /// Whether this entity is the parent of a top-level statement.
-    /// </summary>
-    public interface IStatementParentEntity : IEntity
-    {
-        bool IsTopLevelParent { get; }
-    }
-
     internal abstract class Statement : FreshEntity, IExpressionParentEntity, IStatementParentEntity
     {
         protected Statement(Context cx) : base(cx) { }
@@ -37,44 +26,4 @@ namespace Semmle.Extraction.CSharp.Entities
 
         public override TrapStackBehaviour TrapStackBehaviour => TrapStackBehaviour.NeedsLabel;
     }
-
-    internal abstract class Statement<TSyntax> : Statement where TSyntax : CSharpSyntaxNode
-    {
-        protected readonly TSyntax Stmt;
-        private readonly int child;
-        private readonly Kinds.StmtKind kind;
-        private readonly IStatementParentEntity parent;
-        private readonly Location location;
-
-        protected override CSharpSyntaxNode GetStatementSyntax() => Stmt;
-
-        protected Statement(Context cx, TSyntax stmt, Kinds.StmtKind kind, IStatementParentEntity parent, int child, Location location)
-            : base(cx)
-        {
-            Stmt = stmt;
-            this.parent = parent;
-            this.child = child;
-            this.location = location;
-            this.kind = kind;
-            cx.BindComments(this, location.symbol);
-        }
-
-        protected sealed override void Populate(TextWriter trapFile)
-        {
-            trapFile.statements(this, kind);
-            if (parent.IsTopLevelParent)
-                trapFile.stmt_parent_top_level(this, child, parent);
-            else
-                trapFile.stmt_parent(this, child, parent);
-            trapFile.stmt_location(this, location);
-            PopulateStatement(trapFile);
-        }
-
-        protected abstract void PopulateStatement(TextWriter trapFile);
-
-        protected Statement(Context cx, TSyntax stmt, Kinds.StmtKind kind, IStatementParentEntity parent, int child)
-            : this(cx, stmt, kind, parent, child, cx.Create(stmt.FixedLocation())) { }
-
-        public override string ToString() => Label.ToString();
-    }
 }
diff --git a/csharp/extractor/Semmle.Extraction.CSharp/Entities/Statement`1.cs b/csharp/extractor/Semmle.Extraction.CSharp/Entities/Statement`1.cs
new file mode 100644
index 00000000000..89b2b1696fd
--- /dev/null
+++ b/csharp/extractor/Semmle.Extraction.CSharp/Entities/Statement`1.cs
@@ -0,0 +1,47 @@
+using Semmle.Extraction.CSharp.Populators;
+using Microsoft.CodeAnalysis.CSharp;
+using Semmle.Extraction.Entities;
+using System.IO;
+
+namespace Semmle.Extraction.CSharp.Entities
+{
+    internal abstract class Statement<TSyntax> : Statement where TSyntax : CSharpSyntaxNode
+    {
+        protected readonly TSyntax Stmt;
+        private readonly int child;
+        private readonly Kinds.StmtKind kind;
+        private readonly IStatementParentEntity parent;
+        private readonly Location location;
+
+        protected override CSharpSyntaxNode GetStatementSyntax() => Stmt;
+
+        protected Statement(Context cx, TSyntax stmt, Kinds.StmtKind kind, IStatementParentEntity parent, int child, Location location)
+            : base(cx)
+        {
+            Stmt = stmt;
+            this.parent = parent;
+            this.child = child;
+            this.location = location;
+            this.kind = kind;
+            cx.BindComments(this, location.symbol);
+        }
+
+        protected sealed override void Populate(TextWriter trapFile)
+        {
+            trapFile.statements(this, kind);
+            if (parent.IsTopLevelParent)
+                trapFile.stmt_parent_top_level(this, child, parent);
+            else
+                trapFile.stmt_parent(this, child, parent);
+            trapFile.stmt_location(this, location);
+            PopulateStatement(trapFile);
+        }
+
+        protected abstract void PopulateStatement(TextWriter trapFile);
+
+        protected Statement(Context cx, TSyntax stmt, Kinds.StmtKind kind, IStatementParentEntity parent, int child)
+            : this(cx, stmt, kind, parent, child, cx.Create(stmt.FixedLocation())) { }
+
+        public override string ToString() => Label.ToString();
+    }
+}

From 1cd7fd6cf7789ff04a4ce37b90aa852bc73509b4 Mon Sep 17 00:00:00 2001
From: Tamas Vajk <tamasvajk@github.com>
Date: Wed, 10 Feb 2021 09:24:29 +0100
Subject: [PATCH 343/429] Simplify 'AstLineCounter'

---
 .../Semmle.Extraction.CSharp/Populators/Methods.cs | 14 +++++---------
 1 file changed, 5 insertions(+), 9 deletions(-)

diff --git a/csharp/extractor/Semmle.Extraction.CSharp/Populators/Methods.cs b/csharp/extractor/Semmle.Extraction.CSharp/Populators/Methods.cs
index 148160b8815..28a96c24e43 100644
--- a/csharp/extractor/Semmle.Extraction.CSharp/Populators/Methods.cs
+++ b/csharp/extractor/Semmle.Extraction.CSharp/Populators/Methods.cs
@@ -13,7 +13,7 @@ namespace Semmle.Extraction.CSharp.Populators
             public override LineCounts DefaultVisit(SyntaxNode node)
             {
                 var text = node.SyntaxTree.GetText().GetSubText(node.GetLocation().SourceSpan).ToString();
-                return Semmle.Util.LineCounter.ComputeLineCounts(text);
+                return LineCounter.ComputeLineCounts(text);
             }
 
             public override LineCounts VisitMethodDeclaration(MethodDeclarationSyntax method)
@@ -29,7 +29,7 @@ namespace Semmle.Extraction.CSharp.Populators
                 var textSpan = new Microsoft.CodeAnalysis.Text.TextSpan(start, end - start);
 
                 var text = body.SyntaxTree.GetText().GetSubText(textSpan) + "\r\n";
-                return Semmle.Util.LineCounter.ComputeLineCounts(text);
+                return LineCounter.ComputeLineCounts(text);
             }
 
             public override LineCounts VisitConstructorDeclaration(ConstructorDeclarationSyntax method)
@@ -52,14 +52,10 @@ namespace Semmle.Extraction.CSharp.Populators
         {
             foreach (var decl in symbol.DeclaringSyntaxReferences)
             {
-                cx.NumberOfLines(trapFile, (CSharpSyntaxNode)decl.GetSyntax(), callable);
+                var node = (CSharpSyntaxNode)decl.GetSyntax();
+                var lineCounts = node.Accept(new AstLineCounter());
+                trapFile.numlines(callable, lineCounts);
             }
         }
-
-        public static void NumberOfLines(this Context cx, TextWriter trapFile, CSharpSyntaxNode node, IEntity callable)
-        {
-            var lineCounts = node.Accept(new AstLineCounter());
-            trapFile.numlines(callable, lineCounts);
-        }
     }
 }

From 6f07230725cc392877bbfae87ecfeb43a316a65d Mon Sep 17 00:00:00 2001
From: Tamas Vajk <tamasvajk@github.com>
Date: Wed, 10 Feb 2021 09:26:28 +0100
Subject: [PATCH 344/429] Relocate 'AstLineCounter'

---
 .../Method.AstLineCounter.cs}                     | 14 ++------------
 .../Semmle.Extraction.CSharp/Entities/Method.cs   | 15 +++++++++++++--
 2 files changed, 15 insertions(+), 14 deletions(-)
 rename csharp/extractor/Semmle.Extraction.CSharp/{Populators/Methods.cs => Entities/Method.AstLineCounter.cs} (79%)

diff --git a/csharp/extractor/Semmle.Extraction.CSharp/Populators/Methods.cs b/csharp/extractor/Semmle.Extraction.CSharp/Entities/Method.AstLineCounter.cs
similarity index 79%
rename from csharp/extractor/Semmle.Extraction.CSharp/Populators/Methods.cs
rename to csharp/extractor/Semmle.Extraction.CSharp/Entities/Method.AstLineCounter.cs
index 28a96c24e43..d567b6f6b56 100644
--- a/csharp/extractor/Semmle.Extraction.CSharp/Populators/Methods.cs
+++ b/csharp/extractor/Semmle.Extraction.CSharp/Entities/Method.AstLineCounter.cs
@@ -4,9 +4,9 @@ using Microsoft.CodeAnalysis.CSharp.Syntax;
 using Semmle.Util;
 using System.IO;
 
-namespace Semmle.Extraction.CSharp.Populators
+namespace Semmle.Extraction.CSharp.Entities
 {
-    public static class MethodExtensions
+    public abstract partial class Method
     {
         private class AstLineCounter : CSharpSyntaxVisitor<LineCounts>
         {
@@ -47,15 +47,5 @@ namespace Semmle.Extraction.CSharp.Populators
                 return Visit(node.OperatorToken, node.Body ?? (SyntaxNode)node.ExpressionBody);
             }
         }
-
-        public static void NumberOfLines(this Context cx, TextWriter trapFile, ISymbol symbol, IEntity callable)
-        {
-            foreach (var decl in symbol.DeclaringSyntaxReferences)
-            {
-                var node = (CSharpSyntaxNode)decl.GetSyntax();
-                var lineCounts = node.Accept(new AstLineCounter());
-                trapFile.numlines(callable, lineCounts);
-            }
-        }
     }
 }
diff --git a/csharp/extractor/Semmle.Extraction.CSharp/Entities/Method.cs b/csharp/extractor/Semmle.Extraction.CSharp/Entities/Method.cs
index 6a52087e384..f036e373217 100644
--- a/csharp/extractor/Semmle.Extraction.CSharp/Entities/Method.cs
+++ b/csharp/extractor/Semmle.Extraction.CSharp/Entities/Method.cs
@@ -1,4 +1,5 @@
 using Microsoft.CodeAnalysis;
+using Microsoft.CodeAnalysis.CSharp;
 using Microsoft.CodeAnalysis.CSharp.Syntax;
 using Semmle.Extraction.CSharp.Populators;
 using System.Collections.Generic;
@@ -7,7 +8,7 @@ using System.Linq;
 
 namespace Semmle.Extraction.CSharp.Entities
 {
-    public abstract class Method : CachedSymbol<IMethodSymbol>, IExpressionParentEntity, IStatementParentEntity
+    public abstract partial class Method : CachedSymbol<IMethodSymbol>, IExpressionParentEntity, IStatementParentEntity
     {
         protected Method(Context cx, IMethodSymbol init)
             : base(cx, init) { }
@@ -83,11 +84,21 @@ namespace Semmle.Extraction.CSharp.Entities
                        else
                            Expression.Create(Context, expr, this, 0);
 
-                       Context.NumberOfLines(trapFile, BodyDeclaringSymbol, this);
+                       NumberOfLines(trapFile, BodyDeclaringSymbol, this);
                    });
             }
         }
 
+        public static void NumberOfLines(TextWriter trapFile, ISymbol symbol, IEntity callable)
+        {
+            foreach (var decl in symbol.DeclaringSyntaxReferences)
+            {
+                var node = (CSharpSyntaxNode)decl.GetSyntax();
+                var lineCounts = node.Accept(new AstLineCounter());
+                trapFile.numlines(callable, lineCounts);
+            }
+        }
+
         public void Overrides(TextWriter trapFile)
         {
             foreach (var explicitInterface in symbol.ExplicitInterfaceImplementations

From 4f693be33b1b58b32bb60131e8e4e01844d281f3 Mon Sep 17 00:00:00 2001
From: Tamas Vajk <tamasvajk@github.com>
Date: Wed, 10 Feb 2021 09:47:02 +0100
Subject: [PATCH 345/429] Move location creation to instance method on context

---
 .../Entities/Attribute.cs                     |  2 +-
 .../Entities/CommentBlock.cs                  |  4 +--
 .../Entities/CommentLine.cs                   |  4 +--
 .../Entities/Compilations/Diagnostic.cs       |  2 +-
 .../Entities/Constructor.cs                   |  2 +-
 .../Entities/ExpressionNodeInfo.cs            |  2 +-
 .../Entities/Expressions/Discard.cs           |  2 +-
 .../Entities/Expressions/Initializer.cs       |  2 +-
 .../Expressions/InterpolatedString.cs         |  2 +-
 .../ObjectCreation/AnonymousObjectCreation.cs |  2 +-
 .../Expressions/Patterns/BinaryPattern.cs     |  2 +-
 .../Entities/Expressions/Patterns/Pattern.cs  |  4 +--
 .../Expressions/Patterns/PositionalPattern.cs |  2 +-
 .../Expressions/Patterns/PropertyPattern.cs   |  2 +-
 .../Expressions/Patterns/RecursivePattern.cs  |  4 +--
 .../Expressions/Patterns/RelationalPattern.cs |  2 +-
 .../Expressions/Patterns/UnaryPattern.cs      |  2 +-
 .../Entities/Expressions/Query.cs             |  6 ++--
 .../Entities/Expressions/Switch.cs            |  2 +-
 .../Expressions/VariableDeclaration.cs        |  6 ++--
 .../Entities/Field.cs                         |  4 +--
 .../Entities/NamespaceDeclaration.cs          |  4 +--
 .../Entities/Parameter.cs                     |  2 +-
 .../PreprocessorDirective.cs                  |  2 +-
 .../Entities/Property.cs                      |  2 +-
 .../Entities/Statement`1.cs                   |  2 +-
 .../Entities/Statements/Case.cs               |  2 +-
 .../Entities/Statements/Catch.cs              |  2 +-
 .../Entities/Statements/Do.cs                 |  2 +-
 .../Entities/Statements/ForEach.cs            |  2 +-
 .../Entities/Statements/LocalFunction.cs      |  2 +-
 .../Entities/Symbol.cs                        |  4 +--
 .../Entities/TypeMention.cs                   |  2 +-
 .../Entities/Types/NamedType.cs               |  2 +-
 .../Entities/Types/TupleType.cs               |  2 +-
 .../Entities/Types/TypeParameter.cs           |  2 +-
 .../Entities/UsingDirective.cs                |  4 +--
 .../Populators/CompilationUnitVisitor.cs      |  2 +-
 .../Populators/DirectiveVisitor.cs            |  8 ++---
 csharp/extractor/Semmle.Extraction/Context.cs | 34 ++++++++++++++-----
 .../Semmle.Extraction/Entities/Assembly.cs    |  2 +-
 .../Entities/ExtractionError.cs               |  2 +-
 .../Entities/GeneratedLocation.cs             |  2 +-
 .../Semmle.Extraction/Entities/Location.cs    | 26 --------------
 .../Entities/SourceLocation.cs                |  2 +-
 csharp/extractor/Semmle.Extraction/Message.cs |  4 +--
 46 files changed, 85 insertions(+), 95 deletions(-)

diff --git a/csharp/extractor/Semmle.Extraction.CSharp/Entities/Attribute.cs b/csharp/extractor/Semmle.Extraction.CSharp/Entities/Attribute.cs
index 9fef80b383a..e1663350055 100644
--- a/csharp/extractor/Semmle.Extraction.CSharp/Entities/Attribute.cs
+++ b/csharp/extractor/Semmle.Extraction.CSharp/Entities/Attribute.cs
@@ -118,7 +118,7 @@ namespace Semmle.Extraction.CSharp.Entities
 
         private Semmle.Extraction.Entities.Location location;
         private Semmle.Extraction.Entities.Location Location =>
-            location ?? (location = Semmle.Extraction.Entities.Location.Create(Context, attributeSyntax is null ? entity.ReportingLocation : attributeSyntax.Name.GetLocation()));
+            location ?? (location = Context.CreateLocation(attributeSyntax is null ? entity.ReportingLocation : attributeSyntax.Name.GetLocation()));
 
         public override bool NeedsPopulation => true;
 
diff --git a/csharp/extractor/Semmle.Extraction.CSharp/Entities/CommentBlock.cs b/csharp/extractor/Semmle.Extraction.CSharp/Entities/CommentBlock.cs
index ab6802cf457..9f105bb1e1a 100644
--- a/csharp/extractor/Semmle.Extraction.CSharp/Entities/CommentBlock.cs
+++ b/csharp/extractor/Semmle.Extraction.CSharp/Entities/CommentBlock.cs
@@ -13,7 +13,7 @@ namespace Semmle.Extraction.CSharp.Entities
         {
             trapFile.commentblock(this);
             var child = 0;
-            trapFile.commentblock_location(this, Context.Create(symbol.Location));
+            trapFile.commentblock_location(this, Context.CreateLocation(symbol.Location));
             foreach (var l in symbol.CommentLines)
             {
                 trapFile.commentblock_child(this, (CommentLine)l, child++);
@@ -24,7 +24,7 @@ namespace Semmle.Extraction.CSharp.Entities
 
         public override void WriteId(TextWriter trapFile)
         {
-            trapFile.WriteSubId(Context.Create(symbol.Location));
+            trapFile.WriteSubId(Context.CreateLocation(symbol.Location));
             trapFile.Write(";commentblock");
         }
 
diff --git a/csharp/extractor/Semmle.Extraction.CSharp/Entities/CommentLine.cs b/csharp/extractor/Semmle.Extraction.CSharp/Entities/CommentLine.cs
index e390cb8c509..5ba3bbd87f4 100644
--- a/csharp/extractor/Semmle.Extraction.CSharp/Entities/CommentLine.cs
+++ b/csharp/extractor/Semmle.Extraction.CSharp/Entities/CommentLine.cs
@@ -23,7 +23,7 @@ namespace Semmle.Extraction.CSharp.Entities
 
         public override void Populate(TextWriter trapFile)
         {
-            location = Context.Create(Location);
+            location = Context.CreateLocation(Location);
             trapFile.commentline(this, Type == CommentLineType.MultilineContinuation ? CommentLineType.Multiline : Type, Text, RawText);
             trapFile.commentline_location(this, location);
         }
@@ -34,7 +34,7 @@ namespace Semmle.Extraction.CSharp.Entities
 
         public override void WriteId(TextWriter trapFile)
         {
-            trapFile.WriteSubId(Context.Create(Location));
+            trapFile.WriteSubId(Context.CreateLocation(Location));
             trapFile.Write(";commentline");
         }
 
diff --git a/csharp/extractor/Semmle.Extraction.CSharp/Entities/Compilations/Diagnostic.cs b/csharp/extractor/Semmle.Extraction.CSharp/Entities/Compilations/Diagnostic.cs
index 2900e5b0ae0..ddf53d6bbe1 100644
--- a/csharp/extractor/Semmle.Extraction.CSharp/Entities/Compilations/Diagnostic.cs
+++ b/csharp/extractor/Semmle.Extraction.CSharp/Entities/Compilations/Diagnostic.cs
@@ -17,7 +17,7 @@ namespace Semmle.Extraction.CSharp.Entities
         protected override void Populate(TextWriter trapFile)
         {
             trapFile.diagnostics(this, (int)diagnostic.Severity, diagnostic.Id, diagnostic.Descriptor.Title.ToString(),
-                diagnostic.GetMessage(), Extraction.Entities.Location.Create(cx, diagnostic.Location));
+                diagnostic.GetMessage(), cx.CreateLocation(diagnostic.Location));
         }
     }
 }
diff --git a/csharp/extractor/Semmle.Extraction.CSharp/Entities/Constructor.cs b/csharp/extractor/Semmle.Extraction.CSharp/Entities/Constructor.cs
index 499e6ec418a..0e4c2bbe9c0 100644
--- a/csharp/extractor/Semmle.Extraction.CSharp/Entities/Constructor.cs
+++ b/csharp/extractor/Semmle.Extraction.CSharp/Entities/Constructor.cs
@@ -60,7 +60,7 @@ namespace Semmle.Extraction.CSharp.Entities
 
             var initInfo = new ExpressionInfo(Context,
                 AnnotatedTypeSymbol.CreateNotAnnotated(initializerType),
-                Context.Create(initializer.ThisOrBaseKeyword.GetLocation()),
+                Context.CreateLocation(initializer.ThisOrBaseKeyword.GetLocation()),
                 Kinds.ExprKind.CONSTRUCTOR_INIT,
                 this,
                 -1,
diff --git a/csharp/extractor/Semmle.Extraction.CSharp/Entities/ExpressionNodeInfo.cs b/csharp/extractor/Semmle.Extraction.CSharp/Entities/ExpressionNodeInfo.cs
index febb84ded7c..6968ca65abb 100644
--- a/csharp/extractor/Semmle.Extraction.CSharp/Entities/ExpressionNodeInfo.cs
+++ b/csharp/extractor/Semmle.Extraction.CSharp/Entities/ExpressionNodeInfo.cs
@@ -118,7 +118,7 @@ namespace Semmle.Extraction.CSharp.Entities
             get
             {
                 if (cachedLocation == null)
-                    cachedLocation = Context.Create(CodeAnalysisLocation);
+                    cachedLocation = Context.CreateLocation(CodeAnalysisLocation);
                 return cachedLocation;
             }
 
diff --git a/csharp/extractor/Semmle.Extraction.CSharp/Entities/Expressions/Discard.cs b/csharp/extractor/Semmle.Extraction.CSharp/Entities/Expressions/Discard.cs
index ef35f901b92..4f2eecca9da 100644
--- a/csharp/extractor/Semmle.Extraction.CSharp/Entities/Expressions/Discard.cs
+++ b/csharp/extractor/Semmle.Extraction.CSharp/Entities/Expressions/Discard.cs
@@ -12,7 +12,7 @@ namespace Semmle.Extraction.CSharp.Entities.Expressions
         }
 
         private Discard(Context cx, CSharpSyntaxNode syntax, IExpressionParentEntity parent, int child) :
-            base(new ExpressionInfo(cx, cx.GetType(syntax), cx.Create(syntax.GetLocation()), ExprKind.DISCARD, parent, child, false, null))
+            base(new ExpressionInfo(cx, cx.GetType(syntax), cx.CreateLocation(syntax.GetLocation()), ExprKind.DISCARD, parent, child, false, null))
         {
         }
 
diff --git a/csharp/extractor/Semmle.Extraction.CSharp/Entities/Expressions/Initializer.cs b/csharp/extractor/Semmle.Extraction.CSharp/Entities/Expressions/Initializer.cs
index d96a44527d8..14fea3d4ce7 100644
--- a/csharp/extractor/Semmle.Extraction.CSharp/Entities/Expressions/Initializer.cs
+++ b/csharp/extractor/Semmle.Extraction.CSharp/Entities/Expressions/Initializer.cs
@@ -137,7 +137,7 @@ namespace Semmle.Extraction.CSharp.Entities.Expressions
                 var addMethod = Method.Create(cx, collectionInfo.Symbol as IMethodSymbol);
                 var voidType = AnnotatedTypeSymbol.CreateNotAnnotated(cx.Compilation.GetSpecialType(SpecialType.System_Void));
 
-                var invocation = new Expression(new ExpressionInfo(cx, voidType, cx.Create(i.GetLocation()), ExprKind.METHOD_INVOCATION, this, child++, false, null));
+                var invocation = new Expression(new ExpressionInfo(cx, voidType, cx.CreateLocation(i.GetLocation()), ExprKind.METHOD_INVOCATION, this, child++, false, null));
 
                 if (addMethod != null)
                     trapFile.expr_call(invocation, addMethod);
diff --git a/csharp/extractor/Semmle.Extraction.CSharp/Entities/Expressions/InterpolatedString.cs b/csharp/extractor/Semmle.Extraction.CSharp/Entities/Expressions/InterpolatedString.cs
index 152ff145897..836aae35beb 100644
--- a/csharp/extractor/Semmle.Extraction.CSharp/Entities/Expressions/InterpolatedString.cs
+++ b/csharp/extractor/Semmle.Extraction.CSharp/Entities/Expressions/InterpolatedString.cs
@@ -27,7 +27,7 @@ namespace Semmle.Extraction.CSharp.Entities.Expressions
                     case SyntaxKind.InterpolatedStringText:
                         // Create a string literal
                         var interpolatedText = (InterpolatedStringTextSyntax)c;
-                        new Expression(new ExpressionInfo(cx, Type, cx.Create(c.GetLocation()), ExprKind.STRING_LITERAL, this, child++, false, interpolatedText.TextToken.Text));
+                        new Expression(new ExpressionInfo(cx, Type, cx.CreateLocation(c.GetLocation()), ExprKind.STRING_LITERAL, this, child++, false, interpolatedText.TextToken.Text));
                         break;
                     default:
                         throw new InternalError(c, $"Unhandled interpolation kind {c.Kind()}");
diff --git a/csharp/extractor/Semmle.Extraction.CSharp/Entities/Expressions/ObjectCreation/AnonymousObjectCreation.cs b/csharp/extractor/Semmle.Extraction.CSharp/Entities/Expressions/ObjectCreation/AnonymousObjectCreation.cs
index 5703c3101a2..5a94a4333e8 100644
--- a/csharp/extractor/Semmle.Extraction.CSharp/Entities/Expressions/ObjectCreation/AnonymousObjectCreation.cs
+++ b/csharp/extractor/Semmle.Extraction.CSharp/Entities/Expressions/ObjectCreation/AnonymousObjectCreation.cs
@@ -36,7 +36,7 @@ namespace Semmle.Extraction.CSharp.Entities.Expressions
                 var property = cx.GetModel(init).GetDeclaredSymbol(init);
                 var propEntity = Property.Create(cx, property);
                 var type = property.GetAnnotatedType();
-                var loc = cx.Create(init.GetLocation());
+                var loc = cx.CreateLocation(init.GetLocation());
 
                 var assignment = new Expression(new ExpressionInfo(cx, type, loc, ExprKind.SIMPLE_ASSIGN, objectInitializer, child++, false, null));
                 Create(cx, init.Expression, assignment, 0);
diff --git a/csharp/extractor/Semmle.Extraction.CSharp/Entities/Expressions/Patterns/BinaryPattern.cs b/csharp/extractor/Semmle.Extraction.CSharp/Entities/Expressions/Patterns/BinaryPattern.cs
index 33ea47d057b..2d0292ae720 100644
--- a/csharp/extractor/Semmle.Extraction.CSharp/Entities/Expressions/Patterns/BinaryPattern.cs
+++ b/csharp/extractor/Semmle.Extraction.CSharp/Entities/Expressions/Patterns/BinaryPattern.cs
@@ -9,7 +9,7 @@ namespace Semmle.Extraction.CSharp.Entities.Expressions
     internal class BinaryPattern : Expression
     {
         public BinaryPattern(Context cx, BinaryPatternSyntax syntax, IExpressionParentEntity parent, int child) :
-            base(new ExpressionInfo(cx, null, cx.Create(syntax.GetLocation()), GetKind(syntax.OperatorToken, syntax), parent, child, false, null))
+            base(new ExpressionInfo(cx, null, cx.CreateLocation(syntax.GetLocation()), GetKind(syntax.OperatorToken, syntax), parent, child, false, null))
         {
             Pattern.Create(cx, syntax.Left, this, 0);
             Pattern.Create(cx, syntax.Right, this, 1);
diff --git a/csharp/extractor/Semmle.Extraction.CSharp/Entities/Expressions/Patterns/Pattern.cs b/csharp/extractor/Semmle.Extraction.CSharp/Entities/Expressions/Patterns/Pattern.cs
index 65912ba12f1..05f3aab2526 100644
--- a/csharp/extractor/Semmle.Extraction.CSharp/Entities/Expressions/Patterns/Pattern.cs
+++ b/csharp/extractor/Semmle.Extraction.CSharp/Entities/Expressions/Patterns/Pattern.cs
@@ -34,7 +34,7 @@ namespace Semmle.Extraction.CSharp.Entities.Expressions
                             if (cx.GetModel(syntax).GetDeclaredSymbol(designation) is ILocalSymbol symbol)
                             {
                                 var type = symbol.GetAnnotatedType();
-                                return VariableDeclaration.Create(cx, symbol, type, declPattern.Type, cx.Create(syntax.GetLocation()), false, parent, child);
+                                return VariableDeclaration.Create(cx, symbol, type, declPattern.Type, cx.CreateLocation(syntax.GetLocation()), false, parent, child);
                             }
                             if (designation is DiscardDesignationSyntax)
                             {
@@ -61,7 +61,7 @@ namespace Semmle.Extraction.CSharp.Entities.Expressions
                             {
                                 var type = symbol.GetAnnotatedType();
 
-                                return VariableDeclaration.Create(cx, symbol, type, null, cx.Create(syntax.GetLocation()), true, parent, child);
+                                return VariableDeclaration.Create(cx, symbol, type, null, cx.CreateLocation(syntax.GetLocation()), true, parent, child);
                             }
 
                             throw new InternalError(varPattern, "Unable to get the declared symbol of the var pattern designation.");
diff --git a/csharp/extractor/Semmle.Extraction.CSharp/Entities/Expressions/Patterns/PositionalPattern.cs b/csharp/extractor/Semmle.Extraction.CSharp/Entities/Expressions/Patterns/PositionalPattern.cs
index 0f3c2bf8800..f0ae03ae9dc 100644
--- a/csharp/extractor/Semmle.Extraction.CSharp/Entities/Expressions/Patterns/PositionalPattern.cs
+++ b/csharp/extractor/Semmle.Extraction.CSharp/Entities/Expressions/Patterns/PositionalPattern.cs
@@ -7,7 +7,7 @@ namespace Semmle.Extraction.CSharp.Entities.Expressions
     internal class PositionalPattern : Expression
     {
         internal PositionalPattern(Context cx, PositionalPatternClauseSyntax posPc, IExpressionParentEntity parent, int child) :
-            base(new ExpressionInfo(cx, null, cx.Create(posPc.GetLocation()), ExprKind.POSITIONAL_PATTERN, parent, child, false, null))
+            base(new ExpressionInfo(cx, null, cx.CreateLocation(posPc.GetLocation()), ExprKind.POSITIONAL_PATTERN, parent, child, false, null))
         {
             child = 0;
             foreach (var sub in posPc.Subpatterns)
diff --git a/csharp/extractor/Semmle.Extraction.CSharp/Entities/Expressions/Patterns/PropertyPattern.cs b/csharp/extractor/Semmle.Extraction.CSharp/Entities/Expressions/Patterns/PropertyPattern.cs
index ed947990045..7bd13e7a8a3 100644
--- a/csharp/extractor/Semmle.Extraction.CSharp/Entities/Expressions/Patterns/PropertyPattern.cs
+++ b/csharp/extractor/Semmle.Extraction.CSharp/Entities/Expressions/Patterns/PropertyPattern.cs
@@ -7,7 +7,7 @@ namespace Semmle.Extraction.CSharp.Entities.Expressions
     internal class PropertyPattern : Expression
     {
         internal PropertyPattern(Context cx, PropertyPatternClauseSyntax pp, IExpressionParentEntity parent, int child) :
-            base(new ExpressionInfo(cx, null, cx.Create(pp.GetLocation()), ExprKind.PROPERTY_PATTERN, parent, child, false, null))
+            base(new ExpressionInfo(cx, null, cx.CreateLocation(pp.GetLocation()), ExprKind.PROPERTY_PATTERN, parent, child, false, null))
         {
             child = 0;
             var trapFile = cx.TrapWriter.Writer;
diff --git a/csharp/extractor/Semmle.Extraction.CSharp/Entities/Expressions/Patterns/RecursivePattern.cs b/csharp/extractor/Semmle.Extraction.CSharp/Entities/Expressions/Patterns/RecursivePattern.cs
index 02246311648..d29292b3073 100644
--- a/csharp/extractor/Semmle.Extraction.CSharp/Entities/Expressions/Patterns/RecursivePattern.cs
+++ b/csharp/extractor/Semmle.Extraction.CSharp/Entities/Expressions/Patterns/RecursivePattern.cs
@@ -16,7 +16,7 @@ namespace Semmle.Extraction.CSharp.Entities.Expressions
         /// <param name="parent">The parent pattern/expression.</param>
         /// <param name="child">The child index of this pattern.</param>
         public RecursivePattern(Context cx, RecursivePatternSyntax syntax, IExpressionParentEntity parent, int child) :
-            base(new ExpressionInfo(cx, null, cx.Create(syntax.GetLocation()), ExprKind.RECURSIVE_PATTERN, parent, child, false, null))
+            base(new ExpressionInfo(cx, null, cx.CreateLocation(syntax.GetLocation()), ExprKind.RECURSIVE_PATTERN, parent, child, false, null))
         {
             // Extract the type access
             if (syntax.Type is TypeSyntax t)
@@ -27,7 +27,7 @@ namespace Semmle.Extraction.CSharp.Entities.Expressions
             {
                 var type = symbol.GetAnnotatedType();
 
-                VariableDeclaration.Create(cx, symbol, type, null, cx.Create(syntax.GetLocation()), false, this, 0);
+                VariableDeclaration.Create(cx, symbol, type, null, cx.CreateLocation(syntax.GetLocation()), false, this, 0);
             }
 
             if (syntax.PositionalPatternClause is PositionalPatternClauseSyntax posPc)
diff --git a/csharp/extractor/Semmle.Extraction.CSharp/Entities/Expressions/Patterns/RelationalPattern.cs b/csharp/extractor/Semmle.Extraction.CSharp/Entities/Expressions/Patterns/RelationalPattern.cs
index 77efd5668c4..c1a140005dc 100644
--- a/csharp/extractor/Semmle.Extraction.CSharp/Entities/Expressions/Patterns/RelationalPattern.cs
+++ b/csharp/extractor/Semmle.Extraction.CSharp/Entities/Expressions/Patterns/RelationalPattern.cs
@@ -9,7 +9,7 @@ namespace Semmle.Extraction.CSharp.Entities.Expressions
     internal class RelationalPattern : Expression
     {
         public RelationalPattern(Context cx, RelationalPatternSyntax syntax, IExpressionParentEntity parent, int child) :
-             base(new ExpressionInfo(cx, null, cx.Create(syntax.GetLocation()), GetKind(syntax.OperatorToken), parent, child, false, null))
+             base(new ExpressionInfo(cx, null, cx.CreateLocation(syntax.GetLocation()), GetKind(syntax.OperatorToken), parent, child, false, null))
         {
             Expression.Create(cx, syntax.Expression, this, 0);
         }
diff --git a/csharp/extractor/Semmle.Extraction.CSharp/Entities/Expressions/Patterns/UnaryPattern.cs b/csharp/extractor/Semmle.Extraction.CSharp/Entities/Expressions/Patterns/UnaryPattern.cs
index d80c390efff..ce2cf773a92 100644
--- a/csharp/extractor/Semmle.Extraction.CSharp/Entities/Expressions/Patterns/UnaryPattern.cs
+++ b/csharp/extractor/Semmle.Extraction.CSharp/Entities/Expressions/Patterns/UnaryPattern.cs
@@ -7,7 +7,7 @@ namespace Semmle.Extraction.CSharp.Entities.Expressions
     internal class UnaryPattern : Expression
     {
         public UnaryPattern(Context cx, UnaryPatternSyntax syntax, IExpressionParentEntity parent, int child) :
-            base(new ExpressionInfo(cx, null, cx.Create(syntax.GetLocation()), ExprKind.NOT_PATTERN, parent, child, false, null))
+            base(new ExpressionInfo(cx, null, cx.CreateLocation(syntax.GetLocation()), ExprKind.NOT_PATTERN, parent, child, false, null))
         {
             Pattern.Create(cx, syntax.Pattern, this, 0);
         }
diff --git a/csharp/extractor/Semmle.Extraction.CSharp/Entities/Expressions/Query.cs b/csharp/extractor/Semmle.Extraction.CSharp/Entities/Expressions/Query.cs
index 1db6c39fef2..f919aaca568 100644
--- a/csharp/extractor/Semmle.Extraction.CSharp/Entities/Expressions/Query.cs
+++ b/csharp/extractor/Semmle.Extraction.CSharp/Entities/Expressions/Query.cs
@@ -23,7 +23,7 @@ namespace Semmle.Extraction.CSharp.Entities.Expressions
         {
             public QueryCall(Context cx, IMethodSymbol method, SyntaxNode clause, IExpressionParentEntity parent, int child)
                 : base(new ExpressionInfo(cx, method?.GetAnnotatedReturnType(),
-                        cx.Create(clause.GetLocation()),
+                        cx.CreateLocation(clause.GetLocation()),
                         ExprKind.METHOD_INVOCATION, parent, child, false, null))
             {
                 if (method != null)
@@ -89,7 +89,7 @@ namespace Semmle.Extraction.CSharp.Entities.Expressions
                     variableSymbol,
                     declType,
                     declTypeSyntax,
-                    cx.Create(node.GetLocation()),
+                    cx.CreateLocation(node.GetLocation()),
                     true,
                     parent,
                     child
@@ -97,7 +97,7 @@ namespace Semmle.Extraction.CSharp.Entities.Expressions
 
                 Expression.Create(cx, Expr, decl, 0);
 
-                var nameLoc = cx.Create(name.GetLocation());
+                var nameLoc = cx.CreateLocation(name.GetLocation());
                 var access = new Expression(new ExpressionInfo(cx, type, nameLoc, ExprKind.LOCAL_VARIABLE_ACCESS, decl, 1, false, null));
                 cx.TrapWriter.Writer.expr_access(access, LocalVariable.Create(cx, variableSymbol));
 
diff --git a/csharp/extractor/Semmle.Extraction.CSharp/Entities/Expressions/Switch.cs b/csharp/extractor/Semmle.Extraction.CSharp/Entities/Expressions/Switch.cs
index 5fdc08c66d3..a6095ec63a2 100644
--- a/csharp/extractor/Semmle.Extraction.CSharp/Entities/Expressions/Switch.cs
+++ b/csharp/extractor/Semmle.Extraction.CSharp/Entities/Expressions/Switch.cs
@@ -29,7 +29,7 @@ namespace Semmle.Extraction.CSharp.Entities.Expressions
     {
         internal SwitchCase(Context cx, SwitchExpressionArmSyntax arm, Switch parent, int child) :
             base(new ExpressionInfo(
-                cx, cx.GetType(arm.Expression), cx.Create(arm.GetLocation()),
+                cx, cx.GetType(arm.Expression), cx.CreateLocation(arm.GetLocation()),
                 ExprKind.SWITCH_CASE, parent, child, false, null))
         {
             Expressions.Pattern.Create(cx, arm.Pattern, this, 0);
diff --git a/csharp/extractor/Semmle.Extraction.CSharp/Entities/Expressions/VariableDeclaration.cs b/csharp/extractor/Semmle.Extraction.CSharp/Entities/Expressions/VariableDeclaration.cs
index 349236e893a..674f45b3f21 100644
--- a/csharp/extractor/Semmle.Extraction.CSharp/Entities/Expressions/VariableDeclaration.cs
+++ b/csharp/extractor/Semmle.Extraction.CSharp/Entities/Expressions/VariableDeclaration.cs
@@ -50,7 +50,7 @@ namespace Semmle.Extraction.CSharp.Entities.Expressions
         public static Expression CreateParenthesized(Context cx, DeclarationExpressionSyntax node, ParenthesizedVariableDesignationSyntax designation, IExpressionParentEntity parent, int child)
         {
             AnnotatedTypeSymbol? type = null; // Should ideally be a corresponding tuple type
-            var tuple = new Expression(new ExpressionInfo(cx, type, cx.Create(node.GetLocation()), ExprKind.TUPLE, parent, child, false, null));
+            var tuple = new Expression(new ExpressionInfo(cx, type, cx.CreateLocation(node.GetLocation()), ExprKind.TUPLE, parent, child, false, null));
 
             cx.Try(null, null, () =>
             {
@@ -65,7 +65,7 @@ namespace Semmle.Extraction.CSharp.Entities.Expressions
         public static Expression CreateParenthesized(Context cx, VarPatternSyntax varPattern, ParenthesizedVariableDesignationSyntax designation, IExpressionParentEntity parent, int child)
         {
             AnnotatedTypeSymbol? type = null; // Should ideally be a corresponding tuple type
-            var tuple = new Expression(new ExpressionInfo(cx, type, cx.Create(varPattern.GetLocation()), ExprKind.TUPLE, parent, child, false, null));
+            var tuple = new Expression(new ExpressionInfo(cx, type, cx.CreateLocation(varPattern.GetLocation()), ExprKind.TUPLE, parent, child, false, null));
 
             cx.Try(null, null, () =>
             {
@@ -123,7 +123,7 @@ namespace Semmle.Extraction.CSharp.Entities.Expressions
             Create(cx, node, node.Designation, parent, child);
 
         public static VariableDeclaration Create(Context cx, CSharpSyntaxNode c, AnnotatedTypeSymbol? type, IExpressionParentEntity parent, int child) =>
-            new VariableDeclaration(new ExpressionInfo(cx, type, cx.Create(c.FixedLocation()), ExprKind.LOCAL_VAR_DECL, parent, child, false, null));
+            new VariableDeclaration(new ExpressionInfo(cx, type, cx.CreateLocation(c.FixedLocation()), ExprKind.LOCAL_VAR_DECL, parent, child, false, null));
 
         public static VariableDeclaration Create(Context cx, CatchDeclarationSyntax d, bool isVar, IExpressionParentEntity parent, int child)
         {
diff --git a/csharp/extractor/Semmle.Extraction.CSharp/Entities/Field.cs b/csharp/extractor/Semmle.Extraction.CSharp/Entities/Field.cs
index aadd9d2fbab..d17b2f003aa 100644
--- a/csharp/extractor/Semmle.Extraction.CSharp/Entities/Field.cs
+++ b/csharp/extractor/Semmle.Extraction.CSharp/Entities/Field.cs
@@ -65,7 +65,7 @@ namespace Semmle.Extraction.CSharp.Entities
             {
                 Context.PopulateLater(() =>
                 {
-                    var loc = Context.Create(initializer.GetLocation());
+                    var loc = Context.CreateLocation(initializer.GetLocation());
 
                     var fieldAccess = AddInitializerAssignment(trapFile, initializer.Initializer.Value, loc, null, ref child);
 
@@ -86,7 +86,7 @@ namespace Semmle.Extraction.CSharp.Entities
                     ? Expression.ValueAsString(symbol.ConstantValue)
                     : null;
 
-                var loc = Context.Create(initializer.GetLocation());
+                var loc = Context.CreateLocation(initializer.GetLocation());
 
                 AddInitializerAssignment(trapFile, initializer.EqualsValue.Value, loc, constValue, ref child);
             }
diff --git a/csharp/extractor/Semmle.Extraction.CSharp/Entities/NamespaceDeclaration.cs b/csharp/extractor/Semmle.Extraction.CSharp/Entities/NamespaceDeclaration.cs
index 17f9a198a39..3a19417008a 100644
--- a/csharp/extractor/Semmle.Extraction.CSharp/Entities/NamespaceDeclaration.cs
+++ b/csharp/extractor/Semmle.Extraction.CSharp/Entities/NamespaceDeclaration.cs
@@ -22,7 +22,7 @@ namespace Semmle.Extraction.CSharp.Entities
 
         public override void WriteId(TextWriter trapFile)
         {
-            trapFile.WriteSubId(Context.Create(ReportingLocation));
+            trapFile.WriteSubId(Context.CreateLocation(ReportingLocation));
             trapFile.Write(";namespacedeclaration");
         }
 
@@ -31,7 +31,7 @@ namespace Semmle.Extraction.CSharp.Entities
             var @namespace = (INamespaceSymbol)Context.GetModel(node).GetSymbolInfo(node.Name).Symbol;
             var ns = Namespace.Create(Context, @namespace);
             trapFile.namespace_declarations(this, ns);
-            trapFile.namespace_declaration_location(this, Context.Create(node.Name.GetLocation()));
+            trapFile.namespace_declaration_location(this, Context.CreateLocation(node.Name.GetLocation()));
 
             var visitor = new Populators.TypeOrNamespaceVisitor(Context, trapFile, this);
 
diff --git a/csharp/extractor/Semmle.Extraction.CSharp/Entities/Parameter.cs b/csharp/extractor/Semmle.Extraction.CSharp/Entities/Parameter.cs
index c42a3edd236..325a77b6dd2 100644
--- a/csharp/extractor/Semmle.Extraction.CSharp/Entities/Parameter.cs
+++ b/csharp/extractor/Semmle.Extraction.CSharp/Entities/Parameter.cs
@@ -110,7 +110,7 @@ namespace Semmle.Extraction.CSharp.Entities
             trapFile.@params(this, Name, type.TypeRef, Ordinal, ParamKind, Parent, Original);
 
             foreach (var l in symbol.Locations)
-                trapFile.param_location(this, Context.Create(l));
+                trapFile.param_location(this, Context.CreateLocation(l));
 
             if (!IsSourceDeclaration || !symbol.FromSource())
                 return;
diff --git a/csharp/extractor/Semmle.Extraction.CSharp/Entities/PreprocessorDirectives/PreprocessorDirective.cs b/csharp/extractor/Semmle.Extraction.CSharp/Entities/PreprocessorDirectives/PreprocessorDirective.cs
index 6ea6172a2d3..4575dd8b8dc 100644
--- a/csharp/extractor/Semmle.Extraction.CSharp/Entities/PreprocessorDirectives/PreprocessorDirective.cs
+++ b/csharp/extractor/Semmle.Extraction.CSharp/Entities/PreprocessorDirectives/PreprocessorDirective.cs
@@ -23,7 +23,7 @@ namespace Semmle.Extraction.CSharp.Entities
             PopulatePreprocessor(trapFile);
 
             trapFile.preprocessor_directive_active(this, trivia.IsActive);
-            trapFile.preprocessor_directive_location(this, cx.Create(ReportingLocation));
+            trapFile.preprocessor_directive_location(this, cx.CreateLocation(ReportingLocation));
 
             if (!cx.Extractor.Standalone)
             {
diff --git a/csharp/extractor/Semmle.Extraction.CSharp/Entities/Property.cs b/csharp/extractor/Semmle.Extraction.CSharp/Entities/Property.cs
index 08d5ae47c5e..6795c4a12df 100644
--- a/csharp/extractor/Semmle.Extraction.CSharp/Entities/Property.cs
+++ b/csharp/extractor/Semmle.Extraction.CSharp/Entities/Property.cs
@@ -84,7 +84,7 @@ namespace Semmle.Extraction.CSharp.Entities
                 {
                     Context.PopulateLater(() =>
                     {
-                        var loc = Context.Create(initializer.GetLocation());
+                        var loc = Context.CreateLocation(initializer.GetLocation());
                         var annotatedType = AnnotatedTypeSymbol.CreateNotAnnotated(symbol.Type);
                         var simpleAssignExpr = new Expression(new ExpressionInfo(Context, annotatedType, loc, ExprKind.SIMPLE_ASSIGN, this, child++, false, null));
                         Expression.CreateFromNode(new ExpressionNodeInfo(Context, initializer.Value, simpleAssignExpr, 0));
diff --git a/csharp/extractor/Semmle.Extraction.CSharp/Entities/Statement`1.cs b/csharp/extractor/Semmle.Extraction.CSharp/Entities/Statement`1.cs
index 89b2b1696fd..1d8dd43f702 100644
--- a/csharp/extractor/Semmle.Extraction.CSharp/Entities/Statement`1.cs
+++ b/csharp/extractor/Semmle.Extraction.CSharp/Entities/Statement`1.cs
@@ -40,7 +40,7 @@ namespace Semmle.Extraction.CSharp.Entities
         protected abstract void PopulateStatement(TextWriter trapFile);
 
         protected Statement(Context cx, TSyntax stmt, Kinds.StmtKind kind, IStatementParentEntity parent, int child)
-            : this(cx, stmt, kind, parent, child, cx.Create(stmt.FixedLocation())) { }
+            : this(cx, stmt, kind, parent, child, cx.CreateLocation(stmt.FixedLocation())) { }
 
         public override string ToString() => Label.ToString();
     }
diff --git a/csharp/extractor/Semmle.Extraction.CSharp/Entities/Statements/Case.cs b/csharp/extractor/Semmle.Extraction.CSharp/Entities/Statements/Case.cs
index e2a712c006b..8046bdb6e26 100644
--- a/csharp/extractor/Semmle.Extraction.CSharp/Entities/Statements/Case.cs
+++ b/csharp/extractor/Semmle.Extraction.CSharp/Entities/Statements/Case.cs
@@ -10,7 +10,7 @@ namespace Semmle.Extraction.CSharp.Entities.Statements
     internal abstract class Case<TSyntax> : Statement<TSyntax> where TSyntax : SwitchLabelSyntax
     {
         protected Case(Context cx, TSyntax node, Switch parent, int child)
-            : base(cx, node, StmtKind.CASE, parent, child, cx.Create(node.GetLocation())) { }
+            : base(cx, node, StmtKind.CASE, parent, child, cx.CreateLocation(node.GetLocation())) { }
 
         public static Statement Create(Context cx, SwitchLabelSyntax node, Switch parent, int child)
         {
diff --git a/csharp/extractor/Semmle.Extraction.CSharp/Entities/Statements/Catch.cs b/csharp/extractor/Semmle.Extraction.CSharp/Entities/Statements/Catch.cs
index db1a0d413c1..b9bddab82e2 100644
--- a/csharp/extractor/Semmle.Extraction.CSharp/Entities/Statements/Catch.cs
+++ b/csharp/extractor/Semmle.Extraction.CSharp/Entities/Statements/Catch.cs
@@ -10,7 +10,7 @@ namespace Semmle.Extraction.CSharp.Entities.Statements
         private static readonly string systemExceptionName = typeof(System.Exception).ToString();
 
         private Catch(Context cx, CatchClauseSyntax node, Try parent, int child)
-            : base(cx, node, StmtKind.CATCH, parent, child, cx.Create(node.GetLocation())) { }
+            : base(cx, node, StmtKind.CATCH, parent, child, cx.CreateLocation(node.GetLocation())) { }
 
         protected override void PopulateStatement(TextWriter trapFile)
         {
diff --git a/csharp/extractor/Semmle.Extraction.CSharp/Entities/Statements/Do.cs b/csharp/extractor/Semmle.Extraction.CSharp/Entities/Statements/Do.cs
index a0cd9da7372..7cdcfb1f57b 100644
--- a/csharp/extractor/Semmle.Extraction.CSharp/Entities/Statements/Do.cs
+++ b/csharp/extractor/Semmle.Extraction.CSharp/Entities/Statements/Do.cs
@@ -8,7 +8,7 @@ namespace Semmle.Extraction.CSharp.Entities.Statements
     internal class Do : Statement<DoStatementSyntax>
     {
         private Do(Context cx, DoStatementSyntax node, IStatementParentEntity parent, int child)
-            : base(cx, node, StmtKind.DO, parent, child, cx.Create(node.GetLocation())) { }
+            : base(cx, node, StmtKind.DO, parent, child, cx.CreateLocation(node.GetLocation())) { }
 
         public static Do Create(Context cx, DoStatementSyntax node, IStatementParentEntity parent, int child)
         {
diff --git a/csharp/extractor/Semmle.Extraction.CSharp/Entities/Statements/ForEach.cs b/csharp/extractor/Semmle.Extraction.CSharp/Entities/Statements/ForEach.cs
index 6696086b19c..4e4cce00926 100644
--- a/csharp/extractor/Semmle.Extraction.CSharp/Entities/Statements/ForEach.cs
+++ b/csharp/extractor/Semmle.Extraction.CSharp/Entities/Statements/ForEach.cs
@@ -35,7 +35,7 @@ namespace Semmle.Extraction.CSharp.Entities.Statements
             var typeSymbol = semanticModel.GetDeclaredSymbol(Stmt);
             var type = typeSymbol.GetAnnotatedType();
 
-            var location = cx.Create(Stmt.Identifier.GetLocation());
+            var location = cx.CreateLocation(Stmt.Identifier.GetLocation());
 
             Expressions.VariableDeclaration.Create(cx, typeSymbol, type, Stmt.Type, location, Stmt.Type.IsVar, this, 0);
 
diff --git a/csharp/extractor/Semmle.Extraction.CSharp/Entities/Statements/LocalFunction.cs b/csharp/extractor/Semmle.Extraction.CSharp/Entities/Statements/LocalFunction.cs
index eb81f27cb3a..5e417fd8885 100644
--- a/csharp/extractor/Semmle.Extraction.CSharp/Entities/Statements/LocalFunction.cs
+++ b/csharp/extractor/Semmle.Extraction.CSharp/Entities/Statements/LocalFunction.cs
@@ -10,7 +10,7 @@ namespace Semmle.Extraction.CSharp.Entities.Statements
     internal class LocalFunction : Statement<LocalFunctionStatementSyntax>
     {
         private LocalFunction(Context cx, LocalFunctionStatementSyntax node, IStatementParentEntity parent, int child)
-            : base(cx, node, StmtKind.LOCAL_FUNCTION, parent, child, cx.Create(node.GetLocation())) { }
+            : base(cx, node, StmtKind.LOCAL_FUNCTION, parent, child, cx.CreateLocation(node.GetLocation())) { }
 
         public static LocalFunction Create(Context cx, LocalFunctionStatementSyntax node, IStatementParentEntity parent, int child)
         {
diff --git a/csharp/extractor/Semmle.Extraction.CSharp/Entities/Symbol.cs b/csharp/extractor/Semmle.Extraction.CSharp/Entities/Symbol.cs
index 5e0850ba8c8..f7a493af78e 100644
--- a/csharp/extractor/Semmle.Extraction.CSharp/Entities/Symbol.cs
+++ b/csharp/extractor/Semmle.Extraction.CSharp/Entities/Symbol.cs
@@ -78,7 +78,7 @@ namespace Semmle.Extraction.CSharp.Entities
                 if (loc != null)
                 {
                     // Some built in operators lack locations, so loc is null.
-                    yield return Context.Create(ReportingLocation);
+                    yield return Context.CreateLocation(ReportingLocation);
                     if (Context.Extractor.OutputPath != null && loc.Kind == LocationKind.SourceFile)
                         yield return Assembly.CreateOutputAssembly(Context);
                 }
@@ -124,7 +124,7 @@ namespace Semmle.Extraction.CSharp.Entities
 
         public override bool NeedsPopulation => Context.Defines(symbol);
 
-        public Extraction.Entities.Location Location => Context.Create(ReportingLocation);
+        public Extraction.Entities.Location Location => Context.CreateLocation(ReportingLocation);
 
         protected void PopulateMetadataHandle(TextWriter trapFile)
         {
diff --git a/csharp/extractor/Semmle.Extraction.CSharp/Entities/TypeMention.cs b/csharp/extractor/Semmle.Extraction.CSharp/Entities/TypeMention.cs
index 8d6074f3e8d..e05c2d0c102 100644
--- a/csharp/extractor/Semmle.Extraction.CSharp/Entities/TypeMention.cs
+++ b/csharp/extractor/Semmle.Extraction.CSharp/Entities/TypeMention.cs
@@ -118,7 +118,7 @@ namespace Semmle.Extraction.CSharp.Entities
         private void Emit(TextWriter trapFile, Microsoft.CodeAnalysis.Location loc, IEntity parent, Type type)
         {
             trapFile.type_mention(this, type.TypeRef, parent);
-            trapFile.type_mention_location(this, cx.Create(loc));
+            trapFile.type_mention_location(this, cx.CreateLocation(loc));
         }
 
         public static TypeMention Create(Context cx, TypeSyntax syntax, IEntity parent, Type type, Microsoft.CodeAnalysis.Location loc = null)
diff --git a/csharp/extractor/Semmle.Extraction.CSharp/Entities/Types/NamedType.cs b/csharp/extractor/Semmle.Extraction.CSharp/Entities/Types/NamedType.cs
index bded5f60c57..0d95d776592 100644
--- a/csharp/extractor/Semmle.Extraction.CSharp/Entities/Types/NamedType.cs
+++ b/csharp/extractor/Semmle.Extraction.CSharp/Entities/Types/NamedType.cs
@@ -106,7 +106,7 @@ namespace Semmle.Extraction.CSharp.Entities
             get
             {
                 foreach (var l in GetLocations(symbol))
-                    yield return Context.Create(l);
+                    yield return Context.CreateLocation(l);
 
                 if (Context.Extractor.OutputPath != null && symbol.DeclaringSyntaxReferences.Any())
                     yield return Assembly.CreateOutputAssembly(Context);
diff --git a/csharp/extractor/Semmle.Extraction.CSharp/Entities/Types/TupleType.cs b/csharp/extractor/Semmle.Extraction.CSharp/Entities/Types/TupleType.cs
index 4ddc258f5c7..6f6ff85cf77 100644
--- a/csharp/extractor/Semmle.Extraction.CSharp/Entities/Types/TupleType.cs
+++ b/csharp/extractor/Semmle.Extraction.CSharp/Entities/Types/TupleType.cs
@@ -53,7 +53,7 @@ namespace Semmle.Extraction.CSharp.Entities
             // about what locations are available for a tuple type.
             // Sometimes it's the source code, and sometimes it's empty.
             foreach (var l in symbol.Locations)
-                trapFile.type_location(this, Context.Create(l));
+                trapFile.type_location(this, Context.CreateLocation(l));
         }
 
         private readonly Lazy<Field[]> tupleElementsLazy;
diff --git a/csharp/extractor/Semmle.Extraction.CSharp/Entities/Types/TypeParameter.cs b/csharp/extractor/Semmle.Extraction.CSharp/Entities/Types/TypeParameter.cs
index b4d35f7b506..e92a3891704 100644
--- a/csharp/extractor/Semmle.Extraction.CSharp/Entities/Types/TypeParameter.cs
+++ b/csharp/extractor/Semmle.Extraction.CSharp/Entities/Types/TypeParameter.cs
@@ -54,7 +54,7 @@ namespace Semmle.Extraction.CSharp.Entities
 
             foreach (var l in symbol.Locations)
             {
-                trapFile.type_location(this, Context.Create(l));
+                trapFile.type_location(this, Context.CreateLocation(l));
             }
 
             if (IsSourceDeclaration)
diff --git a/csharp/extractor/Semmle.Extraction.CSharp/Entities/UsingDirective.cs b/csharp/extractor/Semmle.Extraction.CSharp/Entities/UsingDirective.cs
index caa12ab0082..d08a1320ba2 100644
--- a/csharp/extractor/Semmle.Extraction.CSharp/Entities/UsingDirective.cs
+++ b/csharp/extractor/Semmle.Extraction.CSharp/Entities/UsingDirective.cs
@@ -30,7 +30,7 @@ namespace Semmle.Extraction.CSharp.Entities
                 {
                     var ns = Namespace.Create(cx, namespaceSymbol);
                     trapFile.using_namespace_directives(this, ns);
-                    trapFile.using_directive_location(this, cx.Create(ReportingLocation));
+                    trapFile.using_directive_location(this, cx.CreateLocation(ReportingLocation));
                 }
                 else
                 {
@@ -44,7 +44,7 @@ namespace Semmle.Extraction.CSharp.Entities
                 // A "using static"
                 var m = Type.Create(cx, (ITypeSymbol)info.Symbol);
                 trapFile.using_static_directives(this, m.TypeRef);
-                trapFile.using_directive_location(this, cx.Create(ReportingLocation));
+                trapFile.using_directive_location(this, cx.CreateLocation(ReportingLocation));
             }
 
             if (parent != null)
diff --git a/csharp/extractor/Semmle.Extraction.CSharp/Populators/CompilationUnitVisitor.cs b/csharp/extractor/Semmle.Extraction.CSharp/Populators/CompilationUnitVisitor.cs
index bebdee933cd..72f015464a3 100644
--- a/csharp/extractor/Semmle.Extraction.CSharp/Populators/CompilationUnitVisitor.cs
+++ b/csharp/extractor/Semmle.Extraction.CSharp/Populators/CompilationUnitVisitor.cs
@@ -13,7 +13,7 @@ namespace Semmle.Extraction.CSharp.Populators
         public override void VisitExternAliasDirective(ExternAliasDirectiveSyntax node)
         {
             // This information is not yet extracted.
-            cx.ExtractionError("Not implemented extern alias directive", node.ToFullString(), Extraction.Entities.Location.Create(cx, node.GetLocation()), "", Severity.Info);
+            cx.ExtractionError("Not implemented extern alias directive", node.ToFullString(), cx.CreateLocation(node.GetLocation()), "", Severity.Info);
         }
 
         public override void VisitCompilationUnit(CompilationUnitSyntax compilationUnit)
diff --git a/csharp/extractor/Semmle.Extraction.CSharp/Populators/DirectiveVisitor.cs b/csharp/extractor/Semmle.Extraction.CSharp/Populators/DirectiveVisitor.cs
index 9ec8d095290..0c400728554 100644
--- a/csharp/extractor/Semmle.Extraction.CSharp/Populators/DirectiveVisitor.cs
+++ b/csharp/extractor/Semmle.Extraction.CSharp/Populators/DirectiveVisitor.cs
@@ -67,7 +67,7 @@ namespace Semmle.Extraction.CSharp.Populators
             if (regionStarts.Count == 0)
             {
                 cx.ExtractionError("Couldn't find start region", null,
-                    Extraction.Entities.Location.Create(cx, node.GetLocation()), null, Util.Logging.Severity.Warning);
+                    cx.CreateLocation(node.GetLocation()), null, Util.Logging.Severity.Warning);
                 return;
             }
 
@@ -100,7 +100,7 @@ namespace Semmle.Extraction.CSharp.Populators
             if (ifStarts.Count == 0)
             {
                 cx.ExtractionError("Couldn't find start if", null,
-                    Extraction.Entities.Location.Create(cx, node.GetLocation()), null, Util.Logging.Severity.Warning);
+                    cx.CreateLocation(node.GetLocation()), null, Util.Logging.Severity.Warning);
                 return;
             }
 
@@ -113,7 +113,7 @@ namespace Semmle.Extraction.CSharp.Populators
             if (ifStarts.Count == 0)
             {
                 cx.ExtractionError("Couldn't find start if", null,
-                    Extraction.Entities.Location.Create(cx, node.GetLocation()), null, Util.Logging.Severity.Warning);
+                    cx.CreateLocation(node.GetLocation()), null, Util.Logging.Severity.Warning);
                 return;
             }
 
@@ -126,7 +126,7 @@ namespace Semmle.Extraction.CSharp.Populators
             if (ifStarts.Count == 0)
             {
                 cx.ExtractionError("Couldn't find start if", null,
-                    Extraction.Entities.Location.Create(cx, node.GetLocation()), null, Util.Logging.Severity.Warning);
+                    cx.CreateLocation(node.GetLocation()), null, Util.Logging.Severity.Warning);
                 return;
             }
 
diff --git a/csharp/extractor/Semmle.Extraction/Context.cs b/csharp/extractor/Semmle.Extraction/Context.cs
index 99e877f5ef2..7f5ef6b1110 100644
--- a/csharp/extractor/Semmle.Extraction/Context.cs
+++ b/csharp/extractor/Semmle.Extraction/Context.cs
@@ -77,7 +77,7 @@ namespace Semmle.Extraction
         {
             if (idLabelCache.ContainsKey(id))
             {
-                this.Extractor.Message(new Message("Label collision for " + id, entity.Label.ToString(), Entities.Location.Create(this, entity.ReportingLocation), "", Severity.Warning));
+                this.Extractor.Message(new Message("Label collision for " + id, entity.Label.ToString(), CreateLocation(entity.ReportingLocation), "", Severity.Warning));
             }
             else
             {
@@ -211,11 +211,11 @@ namespace Semmle.Extraction
                 }
                 catch (InternalError ex)
                 {
-                    ExtractionError(new Message(ex.Text, ex.EntityText, Entities.Location.Create(this, ex.Location), ex.StackTrace));
+                    ExtractionError(new Message(ex.Text, ex.EntityText, CreateLocation(ex.Location), ex.StackTrace));
                 }
                 catch (Exception ex)  // lgtm[cs/catch-of-all-exceptions]
                 {
-                    ExtractionError($"Uncaught exception. {ex.Message}", null, Entities.Location.Create(this), ex.StackTrace);
+                    ExtractionError($"Uncaught exception. {ex.Message}", null, CreateLocation(), ex.StackTrace);
                 }
             }
         }
@@ -361,7 +361,7 @@ namespace Semmle.Extraction
                     throw new InternalError("Unexpected TrapStackBehaviour");
             }
 
-            var a = duplicationGuard && this.Create(entity.ReportingLocation) is NonGeneratedSourceLocation loc
+            var a = duplicationGuard && CreateLocation(entity.ReportingLocation) is NonGeneratedSourceLocation loc
                 ? (Action)(() => WithDuplicationGuard(new Key(entity, loc), () => entity.Populate(TrapWriter.Writer)))
                 : (Action)(() => this.Try(null, optionalSymbol, () => entity.Populate(TrapWriter.Writer)));
 
@@ -436,15 +436,15 @@ namespace Semmle.Extraction
         {
             if (!(optionalSymbol is null))
             {
-                ExtractionError(message, optionalSymbol.ToDisplayString(), Entities.Location.Create(this, optionalSymbol.Locations.FirstOrDefault()));
+                ExtractionError(message, optionalSymbol.ToDisplayString(), CreateLocation(optionalSymbol.Locations.FirstOrDefault()));
             }
             else if (!(optionalEntity is null))
             {
-                ExtractionError(message, optionalEntity.Label.ToString(), Entities.Location.Create(this, optionalEntity.ReportingLocation));
+                ExtractionError(message, optionalEntity.Label.ToString(), CreateLocation(optionalEntity.ReportingLocation));
             }
             else
             {
-                ExtractionError(message, null, Entities.Location.Create(this));
+                ExtractionError(message, null, CreateLocation());
             }
         }
 
@@ -517,11 +517,11 @@ namespace Semmle.Extraction
                 }
                 else if (ex is InternalError ie)
                 {
-                    message = new Message(ie.Text, ie.EntityText, Entities.Location.Create(this, ie.Location), ex.StackTrace);
+                    message = new Message(ie.Text, ie.EntityText, CreateLocation(ie.Location), ex.StackTrace);
                 }
                 else
                 {
-                    message = new Message($"Uncaught exception. {ex.Message}", null, Entities.Location.Create(this), ex.StackTrace);
+                    message = new Message($"Uncaught exception. {ex.Message}", null, CreateLocation(), ex.StackTrace);
                 }
 
                 ExtractionError(message);
@@ -536,5 +536,21 @@ namespace Semmle.Extraction
         {
             TrapWriter.Emit(tuple);
         }
+
+        public Entities.Location CreateLocation()
+        {
+            return SourceTree == null
+                ? GeneratedLocation.Create(this)
+                : CreateLocation(Microsoft.CodeAnalysis.Location.Create(SourceTree, Microsoft.CodeAnalysis.Text.TextSpan.FromBounds(0, 0)));
+        }
+
+        public Entities.Location CreateLocation(Microsoft.CodeAnalysis.Location? location)
+        {
+            return (location == null || location.Kind == LocationKind.None)
+                ? GeneratedLocation.Create(this)
+                : location.IsInSource
+                    ? NonGeneratedSourceLocation.Create(this, location)
+                    : Assembly.Create(this, location);
+        }
     }
 }
diff --git a/csharp/extractor/Semmle.Extraction/Entities/Assembly.cs b/csharp/extractor/Semmle.Extraction/Entities/Assembly.cs
index df3a5757618..e8b1e2cb46b 100644
--- a/csharp/extractor/Semmle.Extraction/Entities/Assembly.cs
+++ b/csharp/extractor/Semmle.Extraction/Entities/Assembly.cs
@@ -48,7 +48,7 @@ namespace Semmle.Extraction.Entities
             return false;
         }
 
-        public static new Location Create(Context cx, Microsoft.CodeAnalysis.Location loc) => AssemblyConstructorFactory.Instance.CreateEntity(cx, loc, loc);
+        public static Location Create(Context cx, Microsoft.CodeAnalysis.Location loc) => AssemblyConstructorFactory.Instance.CreateEntity(cx, loc, loc);
 
         private class AssemblyConstructorFactory : ICachedEntityFactory<Microsoft.CodeAnalysis.Location?, Assembly>
         {
diff --git a/csharp/extractor/Semmle.Extraction/Entities/ExtractionError.cs b/csharp/extractor/Semmle.Extraction/Entities/ExtractionError.cs
index 3df0ce3bb61..96aabb57f8e 100644
--- a/csharp/extractor/Semmle.Extraction/Entities/ExtractionError.cs
+++ b/csharp/extractor/Semmle.Extraction/Entities/ExtractionError.cs
@@ -15,7 +15,7 @@ namespace Semmle.Extraction.Entities
         protected override void Populate(TextWriter trapFile)
         {
             trapFile.extractor_messages(this, msg.Severity, "C# extractor", msg.Text, msg.EntityText ?? string.Empty,
-                msg.Location ?? Location.Create(cx), msg.StackTrace ?? string.Empty);
+                msg.Location ?? cx.CreateLocation(), msg.StackTrace ?? string.Empty);
         }
 
         public override TrapStackBehaviour TrapStackBehaviour => TrapStackBehaviour.NoLabel;
diff --git a/csharp/extractor/Semmle.Extraction/Entities/GeneratedLocation.cs b/csharp/extractor/Semmle.Extraction/Entities/GeneratedLocation.cs
index 31b5f55b0e6..6d05263aecd 100644
--- a/csharp/extractor/Semmle.Extraction/Entities/GeneratedLocation.cs
+++ b/csharp/extractor/Semmle.Extraction/Entities/GeneratedLocation.cs
@@ -28,7 +28,7 @@ namespace Semmle.Extraction.Entities
 
         public override bool Equals(object? obj) => obj != null && obj.GetType() == typeof(GeneratedLocation);
 
-        public static new GeneratedLocation Create(Context cx) => GeneratedLocationFactory.Instance.CreateEntity(cx, typeof(GeneratedLocation), null);
+        public static GeneratedLocation Create(Context cx) => GeneratedLocationFactory.Instance.CreateEntity(cx, typeof(GeneratedLocation), null);
 
         private class GeneratedLocationFactory : ICachedEntityFactory<string?, GeneratedLocation>
         {
diff --git a/csharp/extractor/Semmle.Extraction/Entities/Location.cs b/csharp/extractor/Semmle.Extraction/Entities/Location.cs
index b25436e9a41..cdd3c9a50dc 100644
--- a/csharp/extractor/Semmle.Extraction/Entities/Location.cs
+++ b/csharp/extractor/Semmle.Extraction/Entities/Location.cs
@@ -8,34 +8,8 @@ namespace Semmle.Extraction.Entities
         protected Location(Context cx, Microsoft.CodeAnalysis.Location? init)
             : base(cx, init) { }
 
-        public static Location Create(Context cx, Microsoft.CodeAnalysis.Location? loc) =>
-            (loc == null || loc.Kind == Microsoft.CodeAnalysis.LocationKind.None)
-                ? GeneratedLocation.Create(cx)
-                : loc.IsInSource
-                    ? NonGeneratedSourceLocation.Create(cx, loc)
-                    : Assembly.Create(cx, loc);
-
-        public static Location Create(Context cx)
-        {
-            return cx.SourceTree == null
-                ? GeneratedLocation.Create(cx)
-                : Create(cx, Microsoft.CodeAnalysis.Location.Create(cx.SourceTree, TextSpan.FromBounds(0, 0)));
-        }
-
         public override Microsoft.CodeAnalysis.Location? ReportingLocation => symbol;
 
         public override TrapStackBehaviour TrapStackBehaviour => TrapStackBehaviour.OptionalLabel;
     }
-
-    public static class LocationExtensions
-    {
-        /// <summary>
-        /// Creates a Location entity.
-        /// </summary>
-        /// <param name="cx">The extraction context.</param>
-        /// <param name="location">The CodeAnalysis location.</param>
-        /// <returns>The Location entity.</returns>
-        public static Location Create(this Context cx, Microsoft.CodeAnalysis.Location? location) =>
-            Location.Create(cx, location);
-    }
 }
diff --git a/csharp/extractor/Semmle.Extraction/Entities/SourceLocation.cs b/csharp/extractor/Semmle.Extraction/Entities/SourceLocation.cs
index e7bc4e3ea44..ae69f95449a 100644
--- a/csharp/extractor/Semmle.Extraction/Entities/SourceLocation.cs
+++ b/csharp/extractor/Semmle.Extraction/Entities/SourceLocation.cs
@@ -22,7 +22,7 @@ namespace Semmle.Extraction.Entities
             FileEntity = File.Create(Context, Position.Path);
         }
 
-        public static new Location Create(Context cx, Microsoft.CodeAnalysis.Location loc) => SourceLocationFactory.Instance.CreateEntity(cx, loc, loc);
+        public static Location Create(Context cx, Microsoft.CodeAnalysis.Location loc) => SourceLocationFactory.Instance.CreateEntity(cx, loc, loc);
 
         public override void Populate(TextWriter trapFile)
         {
diff --git a/csharp/extractor/Semmle.Extraction/Message.cs b/csharp/extractor/Semmle.Extraction/Message.cs
index 0a2a62e13a2..a100a69a285 100644
--- a/csharp/extractor/Semmle.Extraction/Message.cs
+++ b/csharp/extractor/Semmle.Extraction/Message.cs
@@ -28,12 +28,12 @@ namespace Semmle.Extraction
 
         public static Message Create(Context cx, string text, ISymbol symbol, string? stackTrace = null, Severity severity = Severity.Error)
         {
-            return new Message(text, symbol.ToString(), Entities.Location.Create(cx, symbol.Locations.FirstOrDefault()), stackTrace, severity);
+            return new Message(text, symbol.ToString(), cx.CreateLocation(symbol.Locations.FirstOrDefault()), stackTrace, severity);
         }
 
         public static Message Create(Context cx, string text, SyntaxNode node, string? stackTrace = null, Severity severity = Severity.Error)
         {
-            return new Message(text, node.ToString(), Entities.Location.Create(cx, node.GetLocation()), stackTrace, severity);
+            return new Message(text, node.ToString(), cx.CreateLocation(node.GetLocation()), stackTrace, severity);
         }
 
         public override string ToString() => Text;

From 6cc858b9ef5aeaff8b7cb991af0f24895255daa1 Mon Sep 17 00:00:00 2001
From: Tamas Vajk <tamasvajk@github.com>
Date: Mon, 15 Feb 2021 09:19:18 +0100
Subject: [PATCH 346/429] Move AstLineCounter to top level class

---
 .../Entities/Method.AstLineCounter.cs         | 51 -------------------
 .../Entities/Method.cs                        |  2 +-
 .../Populators/AstLineCounter.cs              | 48 +++++++++++++++++
 3 files changed, 49 insertions(+), 52 deletions(-)
 delete mode 100644 csharp/extractor/Semmle.Extraction.CSharp/Entities/Method.AstLineCounter.cs
 create mode 100644 csharp/extractor/Semmle.Extraction.CSharp/Populators/AstLineCounter.cs

diff --git a/csharp/extractor/Semmle.Extraction.CSharp/Entities/Method.AstLineCounter.cs b/csharp/extractor/Semmle.Extraction.CSharp/Entities/Method.AstLineCounter.cs
deleted file mode 100644
index d567b6f6b56..00000000000
--- a/csharp/extractor/Semmle.Extraction.CSharp/Entities/Method.AstLineCounter.cs
+++ /dev/null
@@ -1,51 +0,0 @@
-using Microsoft.CodeAnalysis;
-using Microsoft.CodeAnalysis.CSharp;
-using Microsoft.CodeAnalysis.CSharp.Syntax;
-using Semmle.Util;
-using System.IO;
-
-namespace Semmle.Extraction.CSharp.Entities
-{
-    public abstract partial class Method
-    {
-        private class AstLineCounter : CSharpSyntaxVisitor<LineCounts>
-        {
-            public override LineCounts DefaultVisit(SyntaxNode node)
-            {
-                var text = node.SyntaxTree.GetText().GetSubText(node.GetLocation().SourceSpan).ToString();
-                return LineCounter.ComputeLineCounts(text);
-            }
-
-            public override LineCounts VisitMethodDeclaration(MethodDeclarationSyntax method)
-            {
-                return Visit(method.Identifier, method.Body ?? (SyntaxNode)method.ExpressionBody);
-            }
-
-            public static LineCounts Visit(SyntaxToken identifier, SyntaxNode body)
-            {
-                var start = identifier.GetLocation().SourceSpan.Start;
-                var end = body.GetLocation().SourceSpan.End - 1;
-
-                var textSpan = new Microsoft.CodeAnalysis.Text.TextSpan(start, end - start);
-
-                var text = body.SyntaxTree.GetText().GetSubText(textSpan) + "\r\n";
-                return LineCounter.ComputeLineCounts(text);
-            }
-
-            public override LineCounts VisitConstructorDeclaration(ConstructorDeclarationSyntax method)
-            {
-                return Visit(method.Identifier, (SyntaxNode)method.Body ?? method.ExpressionBody);
-            }
-
-            public override LineCounts VisitDestructorDeclaration(DestructorDeclarationSyntax method)
-            {
-                return Visit(method.Identifier, (SyntaxNode)method.Body ?? method.ExpressionBody);
-            }
-
-            public override LineCounts VisitOperatorDeclaration(OperatorDeclarationSyntax node)
-            {
-                return Visit(node.OperatorToken, node.Body ?? (SyntaxNode)node.ExpressionBody);
-            }
-        }
-    }
-}
diff --git a/csharp/extractor/Semmle.Extraction.CSharp/Entities/Method.cs b/csharp/extractor/Semmle.Extraction.CSharp/Entities/Method.cs
index f036e373217..00bf8f3638e 100644
--- a/csharp/extractor/Semmle.Extraction.CSharp/Entities/Method.cs
+++ b/csharp/extractor/Semmle.Extraction.CSharp/Entities/Method.cs
@@ -8,7 +8,7 @@ using System.Linq;
 
 namespace Semmle.Extraction.CSharp.Entities
 {
-    public abstract partial class Method : CachedSymbol<IMethodSymbol>, IExpressionParentEntity, IStatementParentEntity
+    public abstract class Method : CachedSymbol<IMethodSymbol>, IExpressionParentEntity, IStatementParentEntity
     {
         protected Method(Context cx, IMethodSymbol init)
             : base(cx, init) { }
diff --git a/csharp/extractor/Semmle.Extraction.CSharp/Populators/AstLineCounter.cs b/csharp/extractor/Semmle.Extraction.CSharp/Populators/AstLineCounter.cs
new file mode 100644
index 00000000000..a185675ee27
--- /dev/null
+++ b/csharp/extractor/Semmle.Extraction.CSharp/Populators/AstLineCounter.cs
@@ -0,0 +1,48 @@
+using Microsoft.CodeAnalysis;
+using Microsoft.CodeAnalysis.CSharp;
+using Microsoft.CodeAnalysis.CSharp.Syntax;
+using Semmle.Util;
+
+namespace Semmle.Extraction.CSharp.Populators
+{
+    internal class AstLineCounter : CSharpSyntaxVisitor<LineCounts>
+    {
+        public override LineCounts DefaultVisit(SyntaxNode node)
+        {
+            var text = node.SyntaxTree.GetText().GetSubText(node.GetLocation().SourceSpan).ToString();
+            return LineCounter.ComputeLineCounts(text);
+        }
+
+        public override LineCounts VisitMethodDeclaration(MethodDeclarationSyntax method)
+        {
+            return Visit(method.Identifier, method.Body ?? (SyntaxNode)method.ExpressionBody);
+        }
+
+        public static LineCounts Visit(SyntaxToken identifier, SyntaxNode body)
+        {
+            var start = identifier.GetLocation().SourceSpan.Start;
+            var end = body.GetLocation().SourceSpan.End - 1;
+
+            var textSpan = new Microsoft.CodeAnalysis.Text.TextSpan(start, end - start);
+
+            var text = body.SyntaxTree.GetText().GetSubText(textSpan) + "\r\n";
+            return LineCounter.ComputeLineCounts(text);
+        }
+
+        public override LineCounts VisitConstructorDeclaration(ConstructorDeclarationSyntax method)
+        {
+            return Visit(method.Identifier, (SyntaxNode)method.Body ?? method.ExpressionBody);
+        }
+
+        public override LineCounts VisitDestructorDeclaration(DestructorDeclarationSyntax method)
+        {
+            return Visit(method.Identifier, (SyntaxNode)method.Body ?? method.ExpressionBody);
+        }
+
+        public override LineCounts VisitOperatorDeclaration(OperatorDeclarationSyntax node)
+        {
+            return Visit(node.OperatorToken, node.Body ?? (SyntaxNode)node.ExpressionBody);
+        }
+    }
+
+}

From 2de7fbe062e9371ef18262d167634fa2f29a44ff Mon Sep 17 00:00:00 2001
From: Tamas Vajk <tamasvajk@github.com>
Date: Mon, 15 Feb 2021 10:18:12 +0100
Subject: [PATCH 347/429] Fix build after rebase

---
 .../Semmle.Extraction.CSharp/Entities/Statements/ForEach.cs     | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)

diff --git a/csharp/extractor/Semmle.Extraction.CSharp/Entities/Statements/ForEach.cs b/csharp/extractor/Semmle.Extraction.CSharp/Entities/Statements/ForEach.cs
index 4e4cce00926..e7bb987574e 100644
--- a/csharp/extractor/Semmle.Extraction.CSharp/Entities/Statements/ForEach.cs
+++ b/csharp/extractor/Semmle.Extraction.CSharp/Entities/Statements/ForEach.cs
@@ -45,7 +45,7 @@ namespace Semmle.Extraction.CSharp.Entities.Statements
 
             if (info.Equals(default))
             {
-                cx.ExtractionError("Could not get foreach statement info", null, Location.Create(cx, this.ReportingLocation), severity: Util.Logging.Severity.Info);
+                cx.ExtractionError("Could not get foreach statement info", null, cx.CreateLocation(this.ReportingLocation), severity: Util.Logging.Severity.Info);
                 return;
             }
 

From c7072aef16559cbd1a366bb350b6f03553949742 Mon Sep 17 00:00:00 2001
From: =?UTF-8?q?Alvaro=20Mun=CC=83oz?= <alvaro@pwntester.com>
Date: Mon, 15 Feb 2021 10:34:20 +0100
Subject: [PATCH 348/429] update A.java test

---
 java/ql/test/query-tests/security/CWE-502/A.java | 10 +++++-----
 1 file changed, 5 insertions(+), 5 deletions(-)

diff --git a/java/ql/test/query-tests/security/CWE-502/A.java b/java/ql/test/query-tests/security/CWE-502/A.java
index 3b3de5f8ed2..d0a074d5900 100644
--- a/java/ql/test/query-tests/security/CWE-502/A.java
+++ b/java/ql/test/query-tests/security/CWE-502/A.java
@@ -88,10 +88,10 @@ public class A {
   public void deserializeSnakeYaml4(Socket sock) {
     Yaml yaml = new Yaml(new Constructor(A.class));
     InputStream input = sock.getInputStream();
-    Object o = yaml.load(input); //OK
-    Object o2 = yaml.loadAll(input); //OK
-    Object o3 = yaml.parse(new InputStreamReader(input)); //OK
-    A o4 = yaml.loadAs(input, A.class); //OK
-    A o5 = yaml.loadAs(new InputStreamReader(input), A.class); //OK
+    Object o = yaml.load(input); //unsafe
+    Object o2 = yaml.loadAll(input); //unsafe
+    Object o3 = yaml.parse(new InputStreamReader(input)); //unsafe
+    A o4 = yaml.loadAs(input, A.class); //unsafe
+    A o5 = yaml.loadAs(new InputStreamReader(input), A.class); //unsafe
   }
 }

From 504d119749143302ff45e6583928a8aad82ae489 Mon Sep 17 00:00:00 2001
From: =?UTF-8?q?Alvaro=20Mun=CC=83oz?= <alvaro@pwntester.com>
Date: Mon, 15 Feb 2021 10:58:17 +0100
Subject: [PATCH 349/429] adjust max parameter number

---
 java/ql/src/semmle/code/java/frameworks/apache/Lang.qll | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)

diff --git a/java/ql/src/semmle/code/java/frameworks/apache/Lang.qll b/java/ql/src/semmle/code/java/frameworks/apache/Lang.qll
index c9af49464e0..2e124235bb7 100644
--- a/java/ql/src/semmle/code/java/frameworks/apache/Lang.qll
+++ b/java/ql/src/semmle/code/java/frameworks/apache/Lang.qll
@@ -45,7 +45,7 @@ private class ApacheLangArrayUtilsTaintPreservingMethod extends TaintPreservingC
 
   override predicate returnsTaintFrom(int src) {
     this.hasName(["addAll", "addFirst"]) and
-    src = [0 .. getNumberOfParameters()]
+    src = [0 .. getNumberOfParameters() - 1]
     or
     this.hasName([
         "clone", "nullToEmpty", "remove", "removeAll", "removeElement", "removeElements", "reverse",

From 00a0b12dad114993342306163e0f1d98fc6a82f8 Mon Sep 17 00:00:00 2001
From: =?UTF-8?q?Alvaro=20Mun=CC=83oz?= <alvaro@pwntester.com>
Date: Mon, 15 Feb 2021 11:23:40 +0100
Subject: [PATCH 350/429] update expected results

---
 .../CWE-502/UnsafeDeserialization.expected       | 16 ++++++++++++++++
 1 file changed, 16 insertions(+)

diff --git a/java/ql/test/query-tests/security/CWE-502/UnsafeDeserialization.expected b/java/ql/test/query-tests/security/CWE-502/UnsafeDeserialization.expected
index 672a692c03f..f575a093d6e 100644
--- a/java/ql/test/query-tests/security/CWE-502/UnsafeDeserialization.expected
+++ b/java/ql/test/query-tests/security/CWE-502/UnsafeDeserialization.expected
@@ -16,6 +16,11 @@ edges
 | A.java:70:25:70:45 | getInputStream(...) : InputStream | A.java:73:28:73:55 | new InputStreamReader(...) |
 | A.java:70:25:70:45 | getInputStream(...) : InputStream | A.java:74:24:74:28 | input |
 | A.java:70:25:70:45 | getInputStream(...) : InputStream | A.java:75:24:75:51 | new InputStreamReader(...) |
+| A.java:90:25:90:45 | getInputStream(...) : InputStream | A.java:91:26:91:30 | input |
+| A.java:90:25:90:45 | getInputStream(...) : InputStream | A.java:92:30:92:34 | input |
+| A.java:90:25:90:45 | getInputStream(...) : InputStream | A.java:93:28:93:55 | new InputStreamReader(...) |
+| A.java:90:25:90:45 | getInputStream(...) : InputStream | A.java:94:24:94:28 | input |
+| A.java:90:25:90:45 | getInputStream(...) : InputStream | A.java:95:24:95:51 | new InputStreamReader(...) |
 | B.java:7:31:7:51 | getInputStream(...) : InputStream | B.java:8:29:8:39 | inputStream |
 | B.java:12:31:12:51 | getInputStream(...) : InputStream | B.java:15:23:15:27 | bytes |
 | B.java:19:31:19:51 | getInputStream(...) : InputStream | B.java:23:29:23:29 | s |
@@ -46,6 +51,12 @@ nodes
 | A.java:73:28:73:55 | new InputStreamReader(...) | semmle.label | new InputStreamReader(...) |
 | A.java:74:24:74:28 | input | semmle.label | input |
 | A.java:75:24:75:51 | new InputStreamReader(...) | semmle.label | new InputStreamReader(...) |
+| A.java:90:25:90:45 | getInputStream(...) : InputStream | semmle.label | getInputStream(...) : InputStream |
+| A.java:91:26:91:30 | input | semmle.label | input |
+| A.java:92:30:92:34 | input | semmle.label | input |
+| A.java:93:28:93:55 | new InputStreamReader(...) | semmle.label | new InputStreamReader(...) |
+| A.java:94:24:94:28 | input | semmle.label | input |
+| A.java:95:24:95:51 | new InputStreamReader(...) | semmle.label | new InputStreamReader(...) |
 | B.java:7:31:7:51 | getInputStream(...) : InputStream | semmle.label | getInputStream(...) : InputStream |
 | B.java:8:29:8:39 | inputStream | semmle.label | inputStream |
 | B.java:12:31:12:51 | getInputStream(...) : InputStream | semmle.label | getInputStream(...) : InputStream |
@@ -74,6 +85,11 @@ nodes
 | A.java:73:17:73:56 | parse(...) | A.java:70:25:70:45 | getInputStream(...) : InputStream | A.java:73:28:73:55 | new InputStreamReader(...) | Unsafe deserialization of $@. | A.java:70:25:70:45 | getInputStream(...) | user input |
 | A.java:74:12:74:38 | loadAs(...) | A.java:70:25:70:45 | getInputStream(...) : InputStream | A.java:74:24:74:28 | input | Unsafe deserialization of $@. | A.java:70:25:70:45 | getInputStream(...) | user input |
 | A.java:75:12:75:61 | loadAs(...) | A.java:70:25:70:45 | getInputStream(...) : InputStream | A.java:75:24:75:51 | new InputStreamReader(...) | Unsafe deserialization of $@. | A.java:70:25:70:45 | getInputStream(...) | user input |
+| A.java:91:16:91:31 | load(...) | A.java:90:25:90:45 | getInputStream(...) : InputStream | A.java:91:26:91:30 | input | Unsafe deserialization of $@. | A.java:90:25:90:45 | getInputStream(...) | user input |
+| A.java:92:17:92:35 | loadAll(...) | A.java:90:25:90:45 | getInputStream(...) : InputStream | A.java:92:30:92:34 | input | Unsafe deserialization of $@. | A.java:90:25:90:45 | getInputStream(...) | user input |
+| A.java:93:17:93:56 | parse(...) | A.java:90:25:90:45 | getInputStream(...) : InputStream | A.java:93:28:93:55 | new InputStreamReader(...) | Unsafe deserialization of $@. | A.java:90:25:90:45 | getInputStream(...) | user input |
+| A.java:94:12:94:38 | loadAs(...) | A.java:90:25:90:45 | getInputStream(...) : InputStream | A.java:94:24:94:28 | input | Unsafe deserialization of $@. | A.java:90:25:90:45 | getInputStream(...) | user input |
+| A.java:95:12:95:61 | loadAs(...) | A.java:90:25:90:45 | getInputStream(...) : InputStream | A.java:95:24:95:51 | new InputStreamReader(...) | Unsafe deserialization of $@. | A.java:90:25:90:45 | getInputStream(...) | user input |
 | B.java:8:12:8:46 | parseObject(...) | B.java:7:31:7:51 | getInputStream(...) : InputStream | B.java:8:29:8:39 | inputStream | Unsafe deserialization of $@. | B.java:7:31:7:51 | getInputStream(...) | user input |
 | B.java:15:12:15:28 | parse(...) | B.java:12:31:12:51 | getInputStream(...) : InputStream | B.java:15:23:15:27 | bytes | Unsafe deserialization of $@. | B.java:12:31:12:51 | getInputStream(...) | user input |
 | B.java:23:12:23:30 | parseObject(...) | B.java:19:31:19:51 | getInputStream(...) : InputStream | B.java:23:29:23:29 | s | Unsafe deserialization of $@. | B.java:19:31:19:51 | getInputStream(...) | user input |

From f79b3144e3478a3d65cbf548b7a0d9446dfdd2bd Mon Sep 17 00:00:00 2001
From: Cornelius Riemenschneider <criemen@github.com>
Date: Mon, 15 Feb 2021 11:31:31 +0100
Subject: [PATCH 351/429] C++: Refactor IdentityFunction.qll.

---
 .../code/cpp/models/implementations/IdentityFunction.qll | 9 +++------
 1 file changed, 3 insertions(+), 6 deletions(-)

diff --git a/cpp/ql/src/semmle/code/cpp/models/implementations/IdentityFunction.qll b/cpp/ql/src/semmle/code/cpp/models/implementations/IdentityFunction.qll
index bd188cffe49..60afd2b25ef 100644
--- a/cpp/ql/src/semmle/code/cpp/models/implementations/IdentityFunction.qll
+++ b/cpp/ql/src/semmle/code/cpp/models/implementations/IdentityFunction.qll
@@ -6,12 +6,9 @@ import semmle.code.cpp.models.interfaces.SideEffect
 /**
  * The standard function templates `std::move` and `std::forward`.
  */
-private class IdentityFunction extends DataFlowFunction, SideEffectFunction, AliasFunction {
-  IdentityFunction() {
-    this.getNamespace().getParentNamespace() instanceof GlobalNamespace and
-    this.getNamespace().getName() = "std" and
-    this.getName() = ["move", "forward"]
-  }
+private class IdentityFunction extends DataFlowFunction, SideEffectFunction, AliasFunction,
+  FunctionTemplateInstantiation {
+  IdentityFunction() { this.hasQualifiedName("std", ["move", "forward"]) }
 
   override predicate hasOnlySpecificReadSideEffects() { any() }
 

From e5db0ef16bbd4f128af86e2e7ab5d726abb3489c Mon Sep 17 00:00:00 2001
From: Erik Krogh Kristensen <erik-krogh@github.com>
Date: Mon, 15 Feb 2021 11:58:26 +0100
Subject: [PATCH 352/429] remove the `RequestExpr` requirement from
 `FormParsers.qll`, and use API graphs.

---
 .../javascript/frameworks/FormParsers.qll     | 78 +++++++------------
 1 file changed, 28 insertions(+), 50 deletions(-)

diff --git a/javascript/ql/src/semmle/javascript/frameworks/FormParsers.qll b/javascript/ql/src/semmle/javascript/frameworks/FormParsers.qll
index e8f9b76a40e..73e00a8e96f 100644
--- a/javascript/ql/src/semmle/javascript/frameworks/FormParsers.qll
+++ b/javascript/ql/src/semmle/javascript/frameworks/FormParsers.qll
@@ -5,28 +5,20 @@
 import javascript
 
 /**
- * Classes and predicate modelling the `Busboy` library.
+ * A source of remote flow from the `Busboy` library.
  */
-private module Busboy {
-  /**
-   * A `Busboy` instance that has request data flowing into it.
-   */
-  private DataFlow::NewNode busboy() {
-    result = DataFlow::moduleImport("busboy").getAnInstantiation() and
-    exists(MethodCallExpr pipe |
-      pipe.calls(any(HTTP::RequestExpr req), "pipe") and
-      result.flowsToExpr(pipe.getArgument(0))
-    )
+private class BusBoyRemoteFlow extends RemoteFlowSource {
+  BusBoyRemoteFlow() {
+    this =
+      API::moduleImport("busboy")
+          .getInstance()
+          .getMember("on")
+          .getParameter(1)
+          .getAParameter()
+          .getAnImmediateUse()
   }
 
-  /**
-   * A source of remote flow from the `Busboy` library.
-   */
-  class BusBoyRemoteFlow extends RemoteFlowSource {
-    BusBoyRemoteFlow() { this = busboy().getAMemberCall("on").getABoundCallbackParameter(1, _) }
-
-    override string getSourceType() { result = "parsed user value from Busbuy" }
-  }
+  override string getSourceType() { result = "parsed user value from Busbuy" }
 }
 
 /**
@@ -34,17 +26,16 @@ private module Busboy {
  */
 private class FormidableRemoteFlow extends RemoteFlowSource {
   FormidableRemoteFlow() {
-    exists(DataFlow::CallNode parse, DataFlow::InvokeNode formidable |
-      formidable = DataFlow::moduleImport("formidable").getACall()
+    exists(API::Node formidable |
+      formidable = API::moduleImport("formidable").getReturn()
       or
-      formidable = DataFlow::moduleMember("formidable", "formidable").getACall()
+      formidable = API::moduleImport("formidable").getMember("formidable").getReturn()
       or
       formidable =
-        DataFlow::moduleMember("formidable", ["IncomingForm", "Formidable"]).getAnInstantiation()
+        API::moduleImport("formidable").getMember(["IncomingForm", "Formidable"]).getInstance()
     |
-      parse = formidable.getAMemberCall("parse") and
-      parse.getArgument(0).asExpr() instanceof HTTP::RequestExpr and
-      this = parse.getABoundCallbackParameter(1, any(int i | i > 0))
+      this =
+        formidable.getMember("parse").getACall().getABoundCallbackParameter(1, any(int i | i > 0))
     )
   }
 
@@ -52,34 +43,21 @@ private class FormidableRemoteFlow extends RemoteFlowSource {
 }
 
 /**
- * Predicates and classes modelling the `multiparty` library.
+ * A source of remote flow from the `Multiparty` library.
  */
-private module Multiparty {
-  /**
-   * Gets an instance of of `Multiparty` form parser that parses a HTTP request object.
-   * The `parse` call is the method call that receives the HTTP request object.
-   */
-  private DataFlow::SourceNode form(DataFlow::MethodCallNode parse) {
-    result = DataFlow::moduleMember("multiparty", "Form").getAnInstantiation() and
-    parse = result.getAMethodCall("parse") and
-    parse.getArgument(0).asExpr() instanceof HTTP::RequestExpr
-  }
-
-  /**
-   * A source of remote flow from the `Multiparty` library.
-   */
-  class MultipartyRemoteFlow extends RemoteFlowSource {
-    MultipartyRemoteFlow() {
-      exists(DataFlow::MethodCallNode parse | exists(form(parse)) |
-        this = parse.getABoundCallbackParameter(1, any(int i | i > 0))
+private class MultipartyRemoteFlow extends RemoteFlowSource {
+  MultipartyRemoteFlow() {
+    exists(API::Node form | form = API::moduleImport("multiparty").getMember("Form").getInstance() |
+      exists(API::CallNode parse | parse = form.getMember("parse").getACall() |
+        this = parse.getParameter(1).getAParameter().getAnImmediateUse()
       )
       or
-      exists(DataFlow::MethodCallNode on | on = form(_).getAMethodCall("on") |
+      exists(API::CallNode on | on = form.getMember("on").getACall() |
         on.getArgument(0).mayHaveStringValue(["part", "file", "field"]) and
-        this = on.getABoundCallbackParameter(1, _)
+        this = on.getParameter(1).getAParameter().getAnImmediateUse()
       )
-    }
-
-    override string getSourceType() { result = "parsed user value from Multiparty" }
+    )
   }
+
+  override string getSourceType() { result = "parsed user value from Multiparty" }
 }

From 0f9b044814edf7fe30fafe7044755466e354d92b Mon Sep 17 00:00:00 2001
From: Mathias Vorreiter Pedersen <mathiasvp@github.com>
Date: Mon, 15 Feb 2021 12:04:51 +0100
Subject: [PATCH 353/429] C++: Model vector versions of BSD-style reads and
 writes.

---
 .../code/cpp/models/implementations/Recv.qll  |  5 +++-
 .../code/cpp/models/implementations/Send.qll  |  5 +++-
 .../defaulttainttracking.cpp                  | 28 +++++++++++++++++--
 3 files changed, 34 insertions(+), 4 deletions(-)

diff --git a/cpp/ql/src/semmle/code/cpp/models/implementations/Recv.qll b/cpp/ql/src/semmle/code/cpp/models/implementations/Recv.qll
index ef919c9eb39..691ba528f42 100644
--- a/cpp/ql/src/semmle/code/cpp/models/implementations/Recv.qll
+++ b/cpp/ql/src/semmle/code/cpp/models/implementations/Recv.qll
@@ -18,7 +18,10 @@ private class Recv extends AliasFunction, ArrayFunction, SideEffectFunction,
         "recvfrom", // recvfrom(socket, dest, len, flags, from, fromlen)
         "recvmsg", // recvmsg(socket, msg, flags)
         "read", // read(socket, dest, len)
-        "pread" // pread(socket, dest, len, offset)
+        "pread", // pread(socket, dest, len, offset)
+        "readv", // readv(socket, dest, len)
+        "preadv", // readv(socket, dest, len, offset)
+        "preadv2" // readv2(socket, dest, len, offset, flags)
       ])
   }
 
diff --git a/cpp/ql/src/semmle/code/cpp/models/implementations/Send.qll b/cpp/ql/src/semmle/code/cpp/models/implementations/Send.qll
index 2a6cd0bac51..6086bc7748f 100644
--- a/cpp/ql/src/semmle/code/cpp/models/implementations/Send.qll
+++ b/cpp/ql/src/semmle/code/cpp/models/implementations/Send.qll
@@ -16,7 +16,10 @@ private class Send extends AliasFunction, ArrayFunction, SideEffectFunction, Rem
         "send", // send(socket, buf, len, flags)
         "sendto", // sendto(socket, buf, len, flags, to, tolen)
         "sendmsg", // sendmsg(socket, msg, flags)
-        "write" // write(socket, buf, len);
+        "write", // write(socket, buf, len)
+        "writev", // writev(socket, buf, len)
+        "pwritev", // pwritev(socket, buf, len, offset)
+        "pwritev2" // pwritev2(socket, buf, len, offset, flags)
       ])
   }
 
diff --git a/cpp/ql/test/library-tests/dataflow/DefaultTaintTracking/annotate_sinks_only/defaulttainttracking.cpp b/cpp/ql/test/library-tests/dataflow/DefaultTaintTracking/annotate_sinks_only/defaulttainttracking.cpp
index 6156e80015c..020a2f90b9e 100644
--- a/cpp/ql/test/library-tests/dataflow/DefaultTaintTracking/annotate_sinks_only/defaulttainttracking.cpp
+++ b/cpp/ql/test/library-tests/dataflow/DefaultTaintTracking/annotate_sinks_only/defaulttainttracking.cpp
@@ -228,10 +228,34 @@ void test_recv() {
 	sink(*buffer); // $ ast,ir
 }
 
-// --- send ---
+// --- send and related functions ---
 
 int send(int, const void*, int, int);
 
 void test_send(char* buffer, int length) {
   send(0, buffer, length, 0); // $ remote
-}
\ No newline at end of file
+}
+
+struct iovec {
+  void  *iov_base;
+  unsigned iov_len;
+};
+
+int readv(int, const struct iovec*, int);
+int writev(int, const struct iovec*, int);
+
+void sink(const iovec* iovs);
+void sink(iovec);
+
+int test_readv_and_writev(iovec* iovs) {
+  readv(0, iovs, 16);
+  sink(iovs); // $ast,ir
+  sink(iovs[0]); // $ast MISSING: ir
+  sink(*iovs); // $ast MISSING: ir
+
+  char* p = (char*)iovs[1].iov_base;
+  sink(p); // $ MISSING: ast,ir
+  sink(*p); // $ MISSING: ast,ir
+
+  writev(0, iovs, 16); // $ remote
+}

From a9071a62a0c77f1e046f144073ae361c4f5748d4 Mon Sep 17 00:00:00 2001
From: Cornelius Riemenschneider <criemen@github.com>
Date: Mon, 15 Feb 2021 12:15:17 +0100
Subject: [PATCH 354/429] C++: Refactor Memcpy.qll and include bsl model.

---
 cpp/ql/src/semmle/code/cpp/models/implementations/Memcpy.qll | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)

diff --git a/cpp/ql/src/semmle/code/cpp/models/implementations/Memcpy.qll b/cpp/ql/src/semmle/code/cpp/models/implementations/Memcpy.qll
index 02fa810142f..25229279db1 100644
--- a/cpp/ql/src/semmle/code/cpp/models/implementations/Memcpy.qll
+++ b/cpp/ql/src/semmle/code/cpp/models/implementations/Memcpy.qll
@@ -20,7 +20,7 @@ private class MemcpyFunction extends ArrayFunction, DataFlowFunction, SideEffect
     // memcpy(dest, src, num)
     // memmove(dest, src, num)
     // memmove(dest, src, num, remaining)
-    this.hasGlobalOrStdName(["memcpy", "memmove"])
+    this.hasQualifiedName(["", "std", "bsl"], ["memcpy", "memmove"])
     or
     // bcopy(src, dest, num)
     // mempcpy(dest, src, num)

From 74ce7369f8d5ea5b4f1be2e112d32da18ba64391 Mon Sep 17 00:00:00 2001
From: Erik Krogh Kristensen <erik-krogh@github.com>
Date: Mon, 15 Feb 2021 12:35:16 +0100
Subject: [PATCH 355/429] Update
 javascript/change-notes/2021-02-09-form-parsers.md

Co-authored-by: Asger F <asgerf@github.com>
---
 javascript/change-notes/2021-02-09-form-parsers.md | 9 +++++----
 1 file changed, 5 insertions(+), 4 deletions(-)

diff --git a/javascript/change-notes/2021-02-09-form-parsers.md b/javascript/change-notes/2021-02-09-form-parsers.md
index 4ad87cff32b..ec45a6c144d 100644
--- a/javascript/change-notes/2021-02-09-form-parsers.md
+++ b/javascript/change-notes/2021-02-09-form-parsers.md
@@ -1,6 +1,7 @@
 lgtm,codescanning
 * Server side form parsing libraries are now recognized as source of remote user input. 
-    [multer](https://www.npmjs.com/package/multer) and
-    [busboy](https://www.npmjs.com/package/busboy) and
-    [formidable](https://www.npmjs.com/package/formidable) and
-    [multiparty](https://www.npmjs.com/package/formidable)
\ No newline at end of file
+  Affected packages are
+    [multer](https://www.npmjs.com/package/multer),
+    [busboy](https://www.npmjs.com/package/busboy),
+    [formidable](https://www.npmjs.com/package/formidable), and
+    [multiparty](https://www.npmjs.com/package/formidable).

From 2a3d20d9a94a9abc835fd98c5aa0f88478b1c51a Mon Sep 17 00:00:00 2001
From: Cornelius Riemenschneider <criemen@github.com>
Date: Mon, 15 Feb 2021 12:36:18 +0100
Subject: [PATCH 356/429] C++: Refactor Memset.qll and include bsl model.

---
 cpp/ql/src/semmle/code/cpp/models/implementations/Memset.qll | 4 +++-
 1 file changed, 3 insertions(+), 1 deletion(-)

diff --git a/cpp/ql/src/semmle/code/cpp/models/implementations/Memset.qll b/cpp/ql/src/semmle/code/cpp/models/implementations/Memset.qll
index 6636b34fe9d..7d6a470589d 100644
--- a/cpp/ql/src/semmle/code/cpp/models/implementations/Memset.qll
+++ b/cpp/ql/src/semmle/code/cpp/models/implementations/Memset.qll
@@ -15,7 +15,9 @@ import semmle.code.cpp.models.interfaces.SideEffect
 private class MemsetFunction extends ArrayFunction, DataFlowFunction, AliasFunction,
   SideEffectFunction {
   MemsetFunction() {
-    this.hasGlobalOrStdName(["memset", "wmemset"])
+    this.hasQualifiedName(["", "std", "bsl"], "memset")
+    or
+    this.hasGlobalOrStdName("wmemset")
     or
     this.hasGlobalName([bzero(), "__builtin_memset", "__builtin_memset_chk"])
   }

From da38377e365b8f50fa2c9a77a6b112e961e0bff8 Mon Sep 17 00:00:00 2001
From: Cornelius Riemenschneider <criemen@github.com>
Date: Mon, 15 Feb 2021 12:12:29 +0000
Subject: [PATCH 357/429] C++: Simplify code.

---
 cpp/ql/src/semmle/code/cpp/Declaration.qll          | 13 +++++++++++++
 .../code/cpp/models/implementations/Memcpy.qll      |  2 +-
 2 files changed, 14 insertions(+), 1 deletion(-)

diff --git a/cpp/ql/src/semmle/code/cpp/Declaration.qll b/cpp/ql/src/semmle/code/cpp/Declaration.qll
index 35ae092780d..1f488bfeb5f 100644
--- a/cpp/ql/src/semmle/code/cpp/Declaration.qll
+++ b/cpp/ql/src/semmle/code/cpp/Declaration.qll
@@ -139,6 +139,19 @@ class Declaration extends Locatable, @declaration {
     this.hasQualifiedName("std", "", name)
   }
 
+  /**
+   * Holds if this declaration has the given name in the global namespace,
+   * the `std` namespace or the `bsl` namespace.
+   * We treat `std` and `bsl` as the same in a bunch of our models.
+   */
+  predicate hasGlobalOrStdishName(string name) {
+    this.hasGlobalName(name)
+    or
+    this.hasQualifiedName("std", "", name)
+    or
+    this.hasQualifiedName("bsl", "", name)
+  }
+
   /** Gets a specifier of this declaration. */
   Specifier getASpecifier() { none() } // overridden in subclasses
 
diff --git a/cpp/ql/src/semmle/code/cpp/models/implementations/Memcpy.qll b/cpp/ql/src/semmle/code/cpp/models/implementations/Memcpy.qll
index 25229279db1..3b02ba58e11 100644
--- a/cpp/ql/src/semmle/code/cpp/models/implementations/Memcpy.qll
+++ b/cpp/ql/src/semmle/code/cpp/models/implementations/Memcpy.qll
@@ -20,7 +20,7 @@ private class MemcpyFunction extends ArrayFunction, DataFlowFunction, SideEffect
     // memcpy(dest, src, num)
     // memmove(dest, src, num)
     // memmove(dest, src, num, remaining)
-    this.hasQualifiedName(["", "std", "bsl"], ["memcpy", "memmove"])
+    this.hasGlobalOrStdishName(["memcpy", "memmove"])
     or
     // bcopy(src, dest, num)
     // mempcpy(dest, src, num)

From 79e3bf80c3e639e795269f1fc179c4e7474afde3 Mon Sep 17 00:00:00 2001
From: Cornelius Riemenschneider <criemen@github.com>
Date: Mon, 15 Feb 2021 12:13:25 +0000
Subject: [PATCH 358/429] C++: Simplify code.

---
 cpp/ql/src/semmle/code/cpp/Declaration.qll          | 13 +++++++++++++
 .../code/cpp/models/implementations/Memset.qll      |  2 +-
 2 files changed, 14 insertions(+), 1 deletion(-)

diff --git a/cpp/ql/src/semmle/code/cpp/Declaration.qll b/cpp/ql/src/semmle/code/cpp/Declaration.qll
index 35ae092780d..1f488bfeb5f 100644
--- a/cpp/ql/src/semmle/code/cpp/Declaration.qll
+++ b/cpp/ql/src/semmle/code/cpp/Declaration.qll
@@ -139,6 +139,19 @@ class Declaration extends Locatable, @declaration {
     this.hasQualifiedName("std", "", name)
   }
 
+  /**
+   * Holds if this declaration has the given name in the global namespace,
+   * the `std` namespace or the `bsl` namespace.
+   * We treat `std` and `bsl` as the same in a bunch of our models.
+   */
+  predicate hasGlobalOrStdishName(string name) {
+    this.hasGlobalName(name)
+    or
+    this.hasQualifiedName("std", "", name)
+    or
+    this.hasQualifiedName("bsl", "", name)
+  }
+
   /** Gets a specifier of this declaration. */
   Specifier getASpecifier() { none() } // overridden in subclasses
 
diff --git a/cpp/ql/src/semmle/code/cpp/models/implementations/Memset.qll b/cpp/ql/src/semmle/code/cpp/models/implementations/Memset.qll
index 7d6a470589d..5e3f446713f 100644
--- a/cpp/ql/src/semmle/code/cpp/models/implementations/Memset.qll
+++ b/cpp/ql/src/semmle/code/cpp/models/implementations/Memset.qll
@@ -15,7 +15,7 @@ import semmle.code.cpp.models.interfaces.SideEffect
 private class MemsetFunction extends ArrayFunction, DataFlowFunction, AliasFunction,
   SideEffectFunction {
   MemsetFunction() {
-    this.hasQualifiedName(["", "std", "bsl"], "memset")
+    this.hasGlobalOrStdishName("memset")
     or
     this.hasGlobalOrStdName("wmemset")
     or

From c9af97b742ccc9bc544896a7266743eaa2479f77 Mon Sep 17 00:00:00 2001
From: Cornelius Riemenschneider <criemen@github.com>
Date: Mon, 15 Feb 2021 12:30:31 +0000
Subject: [PATCH 359/429] C++: Model bsl functions in Pure.qll.

---
 cpp/ql/src/semmle/code/cpp/Declaration.qll          | 13 +++++++++++++
 .../semmle/code/cpp/models/implementations/Pure.qll |  8 ++++----
 2 files changed, 17 insertions(+), 4 deletions(-)

diff --git a/cpp/ql/src/semmle/code/cpp/Declaration.qll b/cpp/ql/src/semmle/code/cpp/Declaration.qll
index 35ae092780d..1f488bfeb5f 100644
--- a/cpp/ql/src/semmle/code/cpp/Declaration.qll
+++ b/cpp/ql/src/semmle/code/cpp/Declaration.qll
@@ -139,6 +139,19 @@ class Declaration extends Locatable, @declaration {
     this.hasQualifiedName("std", "", name)
   }
 
+  /**
+   * Holds if this declaration has the given name in the global namespace,
+   * the `std` namespace or the `bsl` namespace.
+   * We treat `std` and `bsl` as the same in a bunch of our models.
+   */
+  predicate hasGlobalOrStdishName(string name) {
+    this.hasGlobalName(name)
+    or
+    this.hasQualifiedName("std", "", name)
+    or
+    this.hasQualifiedName("bsl", "", name)
+  }
+
   /** Gets a specifier of this declaration. */
   Specifier getASpecifier() { none() } // overridden in subclasses
 
diff --git a/cpp/ql/src/semmle/code/cpp/models/implementations/Pure.qll b/cpp/ql/src/semmle/code/cpp/models/implementations/Pure.qll
index 0dfa7fe6d76..4682032f284 100644
--- a/cpp/ql/src/semmle/code/cpp/models/implementations/Pure.qll
+++ b/cpp/ql/src/semmle/code/cpp/models/implementations/Pure.qll
@@ -7,7 +7,7 @@ import semmle.code.cpp.models.interfaces.SideEffect
 private class PureStrFunction extends AliasFunction, ArrayFunction, TaintFunction,
   SideEffectFunction {
   PureStrFunction() {
-    hasGlobalOrStdName([
+    hasGlobalOrStdishName([
         atoi(), "strcasestr", "strchnul", "strchr", "strchrnul", "strstr", "strpbrk", "strrchr",
         "strspn", strtol(), strrev(), strcmp(), strlwr(), strupr()
       ])
@@ -92,7 +92,7 @@ private string strcmp() {
 /** String standard `strlen` function, and related functions for computing string lengths. */
 private class StrLenFunction extends AliasFunction, ArrayFunction, SideEffectFunction {
   StrLenFunction() {
-    hasGlobalOrStdName(["strlen", "strnlen", "wcslen"])
+    hasGlobalOrStdishName(["strlen", "strnlen", "wcslen"])
     or
     hasGlobalName(["_mbslen", "_mbslen_l", "_mbstrlen", "_mbstrlen_l"])
   }
@@ -125,7 +125,7 @@ private class StrLenFunction extends AliasFunction, ArrayFunction, SideEffectFun
 
 /** Pure functions. */
 private class PureFunction extends TaintFunction, SideEffectFunction {
-  PureFunction() { hasGlobalOrStdName(["abs", "labs"]) }
+  PureFunction() { hasGlobalOrStdishName(["abs", "labs"]) }
 
   override predicate hasTaintFlow(FunctionInput input, FunctionOutput output) {
     exists(ParameterIndex i |
@@ -144,7 +144,7 @@ private class PureFunction extends TaintFunction, SideEffectFunction {
 private class PureMemFunction extends AliasFunction, ArrayFunction, TaintFunction,
   SideEffectFunction {
   PureMemFunction() {
-    hasGlobalOrStdName([
+    hasGlobalOrStdishName([
         "memchr", "__builtin_memchr", "memrchr", "rawmemchr", "memcmp", "__builtin_memcmp", "memmem"
       ]) or
     this.hasGlobalName("memfrob")

From 27c479a8baf6103ccb0ae2182292973c45b26251 Mon Sep 17 00:00:00 2001
From: Taus Brock-Nannestad <tausbn@github.com>
Date: Mon, 15 Feb 2021 13:51:29 +0100
Subject: [PATCH 360/429] Python: Limit `RequestInputAccess` to immediate uses

This fixes some spurious results that occurred when we considered
_any_ use of `request.something` to be a source, even ones we had
tracked into other functions. To prevent this, using
`getAnImmediateUse` better captures the fact that we want the source
to be just the actual attribute access.
---
 python/ql/src/semmle/python/frameworks/Flask.qll | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)

diff --git a/python/ql/src/semmle/python/frameworks/Flask.qll b/python/ql/src/semmle/python/frameworks/Flask.qll
index c0702ab7391..fe394c6c8ac 100644
--- a/python/ql/src/semmle/python/frameworks/Flask.qll
+++ b/python/ql/src/semmle/python/frameworks/Flask.qll
@@ -312,7 +312,7 @@ private module FlaskModel {
 
     RequestInputAccess() {
       // attributes
-      this = flask::request().getMember(attr_name).getAUse() and
+      this = flask::request().getMember(attr_name).getAnImmediateUse() and
       attr_name in [
           // str
           "path", "full_path", "base_url", "url", "access_control_request_method",

From 2ca12aa6125a84436938d82bda3d8baf1d9a1d67 Mon Sep 17 00:00:00 2001
From: Taus <tausbn@gmail.com>
Date: Mon, 15 Feb 2021 14:21:12 +0100
Subject: [PATCH 361/429] Update
 python/ql/src/semmle/python/dataflow/new/internal/DataFlowPublic.qll

Co-authored-by: Rasmus Wriedt Larsen <rasmuswriedtlarsen@gmail.com>
---
 .../src/semmle/python/dataflow/new/internal/DataFlowPublic.qll  | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)

diff --git a/python/ql/src/semmle/python/dataflow/new/internal/DataFlowPublic.qll b/python/ql/src/semmle/python/dataflow/new/internal/DataFlowPublic.qll
index b86bdd2a3cf..3d844047327 100644
--- a/python/ql/src/semmle/python/dataflow/new/internal/DataFlowPublic.qll
+++ b/python/ql/src/semmle/python/dataflow/new/internal/DataFlowPublic.qll
@@ -175,7 +175,7 @@ class CallCfgNode extends CfgNode {
    */
   Node getFunction() { result.asCfgNode() = node.getFunction() }
 
-  /** Gets the data-flow node corresponding to the nth argument of the call corresponding to this data-flow node */
+  /** Gets the data-flow node corresponding to the i'th argument of the call corresponding to this data-flow node */
   Node getArg(int i) { result.asCfgNode() = node.getArg(i) }
 
   /** Gets the data-flow node corresponding to the named argument of the call corresponding to this data-flow node */

From 923e1c5e9ba9232586a8d0156a56a526be27dfc9 Mon Sep 17 00:00:00 2001
From: =?UTF-8?q?Alvaro=20Mun=CC=83oz?= <alvaro@pwntester.com>
Date: Mon, 15 Feb 2021 14:41:18 +0100
Subject: [PATCH 362/429] add change note for new ArrayUtils support

---
 java/change-notes/2021-02-15-commons-array-utils.md | 2 ++
 1 file changed, 2 insertions(+)
 create mode 100644 java/change-notes/2021-02-15-commons-array-utils.md

diff --git a/java/change-notes/2021-02-15-commons-array-utils.md b/java/change-notes/2021-02-15-commons-array-utils.md
new file mode 100644
index 00000000000..a689a08e98c
--- /dev/null
+++ b/java/change-notes/2021-02-15-commons-array-utils.md
@@ -0,0 +1,2 @@
+lgtm,codescanning
+* Added support for the Apache Commons Lang ArrayUtils library.

From 3d3f4ba797675f9a3bebe767148a47824578e286 Mon Sep 17 00:00:00 2001
From: =?UTF-8?q?Alvaro=20Mun=CC=83oz?= <alvaro@pwntester.com>
Date: Mon, 15 Feb 2021 14:53:16 +0100
Subject: [PATCH 363/429] add change note

---
 java/change-notes/2021-02-15-snakeyaml-fn-fix.md | 5 +++++
 1 file changed, 5 insertions(+)
 create mode 100644 java/change-notes/2021-02-15-snakeyaml-fn-fix.md

diff --git a/java/change-notes/2021-02-15-snakeyaml-fn-fix.md b/java/change-notes/2021-02-15-snakeyaml-fn-fix.md
new file mode 100644
index 00000000000..ed08bdfe8c6
--- /dev/null
+++ b/java/change-notes/2021-02-15-snakeyaml-fn-fix.md
@@ -0,0 +1,5 @@
+lgtm,codescanning
+* The query "Unsafe Deserialization" (`java/unsafe-deserialization`) has been
+  improved to report those cases where SnakeYaml `Constructor` is used to fix
+  the unmarshaled object graph root's type but injection is still possible in
+  nested nodes of the object graph.

From 3afe934a05c694412215be4be80c546169fb9d5d Mon Sep 17 00:00:00 2001
From: Cornelius Riemenschneider <criemen@github.com>
Date: Mon, 15 Feb 2021 15:40:17 +0000
Subject: [PATCH 364/429] C++: Model bsl functions in Swap.qll.

---
 cpp/ql/src/semmle/code/cpp/models/implementations/Swap.qll | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)

diff --git a/cpp/ql/src/semmle/code/cpp/models/implementations/Swap.qll b/cpp/ql/src/semmle/code/cpp/models/implementations/Swap.qll
index 285d20b8660..b79f7afe5d9 100644
--- a/cpp/ql/src/semmle/code/cpp/models/implementations/Swap.qll
+++ b/cpp/ql/src/semmle/code/cpp/models/implementations/Swap.qll
@@ -9,7 +9,7 @@ import semmle.code.cpp.models.interfaces.Alias
  * ```
  */
 private class Swap extends DataFlowFunction {
-  Swap() { this.hasQualifiedName("std", "swap") }
+  Swap() { this.hasQualifiedName(["std", "bsl"], "swap") }
 
   override predicate hasDataFlow(FunctionInput input, FunctionOutput output) {
     input.isParameterDeref(0) and

From 9d19752d9a9dfd89ac21f5b7337d3de94226cb40 Mon Sep 17 00:00:00 2001
From: Cornelius Riemenschneider <criemen@github.com>
Date: Mon, 15 Feb 2021 15:42:34 +0000
Subject: [PATCH 365/429] C++: Model bsl functions in Strcat.qll.

---
 cpp/ql/src/semmle/code/cpp/Declaration.qll          | 13 +++++++++++++
 .../code/cpp/models/implementations/Strcat.qll      |  2 +-
 2 files changed, 14 insertions(+), 1 deletion(-)

diff --git a/cpp/ql/src/semmle/code/cpp/Declaration.qll b/cpp/ql/src/semmle/code/cpp/Declaration.qll
index 35ae092780d..1f488bfeb5f 100644
--- a/cpp/ql/src/semmle/code/cpp/Declaration.qll
+++ b/cpp/ql/src/semmle/code/cpp/Declaration.qll
@@ -139,6 +139,19 @@ class Declaration extends Locatable, @declaration {
     this.hasQualifiedName("std", "", name)
   }
 
+  /**
+   * Holds if this declaration has the given name in the global namespace,
+   * the `std` namespace or the `bsl` namespace.
+   * We treat `std` and `bsl` as the same in a bunch of our models.
+   */
+  predicate hasGlobalOrStdishName(string name) {
+    this.hasGlobalName(name)
+    or
+    this.hasQualifiedName("std", "", name)
+    or
+    this.hasQualifiedName("bsl", "", name)
+  }
+
   /** Gets a specifier of this declaration. */
   Specifier getASpecifier() { none() } // overridden in subclasses
 
diff --git a/cpp/ql/src/semmle/code/cpp/models/implementations/Strcat.qll b/cpp/ql/src/semmle/code/cpp/models/implementations/Strcat.qll
index f31d688d010..6dbed650cfa 100644
--- a/cpp/ql/src/semmle/code/cpp/models/implementations/Strcat.qll
+++ b/cpp/ql/src/semmle/code/cpp/models/implementations/Strcat.qll
@@ -13,7 +13,7 @@ import semmle.code.cpp.models.interfaces.SideEffect
  */
 class StrcatFunction extends TaintFunction, DataFlowFunction, ArrayFunction, SideEffectFunction {
   StrcatFunction() {
-    this.hasGlobalOrStdName([
+    this.hasGlobalOrStdishName([
         "strcat", // strcat(dst, src)
         "strncat", // strncat(dst, src, max_amount)
         "wcscat", // wcscat(dst, src)

From fd91a972a596f36761eabca1836156685afc7183 Mon Sep 17 00:00:00 2001
From: Cornelius Riemenschneider <criemen@github.com>
Date: Mon, 15 Feb 2021 15:43:31 +0000
Subject: [PATCH 366/429] C++: Model bsl functions in Strcpy.qll.

---
 cpp/ql/src/semmle/code/cpp/models/implementations/Strcpy.qll | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)

diff --git a/cpp/ql/src/semmle/code/cpp/models/implementations/Strcpy.qll b/cpp/ql/src/semmle/code/cpp/models/implementations/Strcpy.qll
index e01d364c5a7..72f993b7a4a 100644
--- a/cpp/ql/src/semmle/code/cpp/models/implementations/Strcpy.qll
+++ b/cpp/ql/src/semmle/code/cpp/models/implementations/Strcpy.qll
@@ -13,7 +13,7 @@ import semmle.code.cpp.models.interfaces.SideEffect
  */
 class StrcpyFunction extends ArrayFunction, DataFlowFunction, TaintFunction, SideEffectFunction {
   StrcpyFunction() {
-    this.hasGlobalOrStdName([
+    this.hasGlobalOrStdishName([
         "strcpy", // strcpy(dst, src)
         "wcscpy", // wcscpy(dst, src)
         "strncpy", // strncpy(dst, src, max_amount)

From fd2e0292c31533758219180dfa3ffb2b14de1255 Mon Sep 17 00:00:00 2001
From: Cornelius Riemenschneider <criemen@github.com>
Date: Mon, 15 Feb 2021 16:00:37 +0000
Subject: [PATCH 367/429] C++: Model bsl functions in Strtok.qll.

---
 cpp/ql/src/semmle/code/cpp/models/implementations/Strtok.qll | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)

diff --git a/cpp/ql/src/semmle/code/cpp/models/implementations/Strtok.qll b/cpp/ql/src/semmle/code/cpp/models/implementations/Strtok.qll
index 659494ef2dd..3b7e97a53d0 100644
--- a/cpp/ql/src/semmle/code/cpp/models/implementations/Strtok.qll
+++ b/cpp/ql/src/semmle/code/cpp/models/implementations/Strtok.qll
@@ -15,7 +15,7 @@ import semmle.code.cpp.models.interfaces.Taint
  */
 private class Strtok extends ArrayFunction, AliasFunction, TaintFunction, SideEffectFunction {
   Strtok() {
-    this.hasGlobalOrStdName("strtok") or
+    this.hasGlobalOrStdishName("strtok") or
     this.hasGlobalName(["strtok_r", "_strtok_l", "wcstok", "_wcstok_l", "_mbstok", "_mbstok_l"])
   }
 

From ba6e6337f3e002105f4b3288afa6246caf998d8d Mon Sep 17 00:00:00 2001
From: Ian Lynagh <igfoo@github.com>
Date: Mon, 15 Feb 2021 16:08:03 +0000
Subject: [PATCH 368/429] C++: Fix TopLevelFunction's qldoc

---
 cpp/ql/src/semmle/code/cpp/Function.qll | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)

diff --git a/cpp/ql/src/semmle/code/cpp/Function.qll b/cpp/ql/src/semmle/code/cpp/Function.qll
index 4ddf852f49f..ac345e8a29a 100644
--- a/cpp/ql/src/semmle/code/cpp/Function.qll
+++ b/cpp/ql/src/semmle/code/cpp/Function.qll
@@ -680,7 +680,7 @@ class FunctionDeclarationEntry extends DeclarationEntry, @fun_decl {
 
 /**
  * A C/C++ non-member function (a function that is not a member of any
- * class). For example the in the following code, `MyFunction` is a
+ * class). For example, in the following code, `MyFunction` is a
  * `TopLevelFunction` but `MyMemberFunction` is not:
  * ```
  * void MyFunction() {

From b670e5b04bba0f83897201922d371cdcd8a43b71 Mon Sep 17 00:00:00 2001
From: Cornelius Riemenschneider <criemen@github.com>
Date: Mon, 15 Feb 2021 16:12:35 +0000
Subject: [PATCH 369/429] C++: Model bsl functions in Printf.qll.

---
 .../cpp/models/implementations/Printf.qll     | 30 +++++++------------
 1 file changed, 11 insertions(+), 19 deletions(-)

diff --git a/cpp/ql/src/semmle/code/cpp/models/implementations/Printf.qll b/cpp/ql/src/semmle/code/cpp/models/implementations/Printf.qll
index 1767261efac..f70493e9f83 100644
--- a/cpp/ql/src/semmle/code/cpp/models/implementations/Printf.qll
+++ b/cpp/ql/src/semmle/code/cpp/models/implementations/Printf.qll
@@ -15,7 +15,7 @@ private class Printf extends FormattingFunction, AliasFunction {
   Printf() {
     this instanceof TopLevelFunction and
     (
-      hasGlobalOrStdName(["printf", "wprintf"]) or
+      hasGlobalOrStdishName(["printf", "wprintf"]) or
       hasGlobalName(["printf_s", "wprintf_s", "g_printf"])
     ) and
     not exists(getDefinition().getFile().getRelativePath())
@@ -23,10 +23,7 @@ private class Printf extends FormattingFunction, AliasFunction {
 
   override int getFormatParameterIndex() { result = 0 }
 
-  deprecated override predicate isWideCharDefault() {
-    hasGlobalOrStdName("wprintf") or
-    hasGlobalName("wprintf_s")
-  }
+  deprecated override predicate isWideCharDefault() { hasName(["wprintf", "wprintf_s"]) }
 
   override predicate isOutputGlobal() { any() }
 
@@ -44,7 +41,7 @@ private class Fprintf extends FormattingFunction {
   Fprintf() {
     this instanceof TopLevelFunction and
     (
-      hasGlobalOrStdName(["fprintf", "fwprintf"]) or
+      hasGlobalOrStdishName(["fprintf", "fwprintf"]) or
       hasGlobalName("g_fprintf")
     ) and
     not exists(getDefinition().getFile().getRelativePath())
@@ -52,7 +49,7 @@ private class Fprintf extends FormattingFunction {
 
   override int getFormatParameterIndex() { result = 1 }
 
-  deprecated override predicate isWideCharDefault() { hasGlobalOrStdName("fwprintf") }
+  deprecated override predicate isWideCharDefault() { hasName("fwprintf") }
 
   override int getOutputParameterIndex(boolean isStream) { result = 0 and isStream = true }
 }
@@ -64,7 +61,7 @@ private class Sprintf extends FormattingFunction {
   Sprintf() {
     this instanceof TopLevelFunction and
     (
-      hasGlobalOrStdName([
+      hasGlobalOrStdishName([
           "sprintf", // sprintf(dst, format, args...)
           "wsprintf" // wsprintf(dst, format, args...)
         ])
@@ -90,22 +87,20 @@ private class Sprintf extends FormattingFunction {
   }
 
   override int getFormatParameterIndex() {
-    hasGlobalName("g_strdup_printf") and result = 0
+    hasName("g_strdup_printf") and result = 0
     or
-    hasGlobalName("__builtin___sprintf_chk") and result = 3
+    hasName("__builtin___sprintf_chk") and result = 3
     or
     not getName() = ["g_strdup_printf", "__builtin___sprintf_chk"] and
     result = 1
   }
 
   override int getOutputParameterIndex(boolean isStream) {
-    not hasGlobalName("g_strdup_printf") and result = 0 and isStream = false
+    not hasName("g_strdup_printf") and result = 0 and isStream = false
   }
 
   override int getFirstFormatArgumentIndex() {
-    if hasGlobalName("__builtin___sprintf_chk")
-    then result = 4
-    else result = getNumberOfParameters()
+    if hasName("__builtin___sprintf_chk") then result = 4 else result = getNumberOfParameters()
   }
 }
 
@@ -116,7 +111,7 @@ private class SnprintfImpl extends Snprintf {
   SnprintfImpl() {
     this instanceof TopLevelFunction and
     (
-      hasGlobalOrStdName([
+      hasGlobalOrStdishName([
           "snprintf", // C99 defines snprintf
           "swprintf" // The s version of wide-char printf is also always the n version
         ])
@@ -163,10 +158,7 @@ private class SnprintfImpl extends Snprintf {
   }
 
   override predicate returnsFullFormatLength() {
-    (
-      hasGlobalOrStdName("snprintf") or
-      hasGlobalName(["g_snprintf", "__builtin___snprintf_chk", "snprintf_s"])
-    ) and
+    hasName(["snprintf", "g_snprintf", "__builtin___snprintf_chk", "snprintf_s"]) and
     not exists(getDefinition().getFile().getRelativePath())
   }
 

From d9c6f7bc3564956be9d72f4470920971726b66eb Mon Sep 17 00:00:00 2001
From: Cornelius Riemenschneider <criemen@github.com>
Date: Mon, 15 Feb 2021 16:12:46 +0000
Subject: [PATCH 370/429] C++: Model bsl functions in Scanf.qll.

---
 cpp/ql/src/semmle/code/cpp/commons/Scanf.qll | 32 ++++++++++----------
 1 file changed, 16 insertions(+), 16 deletions(-)

diff --git a/cpp/ql/src/semmle/code/cpp/commons/Scanf.qll b/cpp/ql/src/semmle/code/cpp/commons/Scanf.qll
index 4b75bbe27d2..aec047cea6b 100644
--- a/cpp/ql/src/semmle/code/cpp/commons/Scanf.qll
+++ b/cpp/ql/src/semmle/code/cpp/commons/Scanf.qll
@@ -34,10 +34,10 @@ class Scanf extends ScanfFunction {
   Scanf() {
     this instanceof TopLevelFunction and
     (
-      hasName("scanf") or // scanf(format, args...)
-      hasName("wscanf") or // wscanf(format, args...)
-      hasName("_scanf_l") or // _scanf_l(format, locale, args...)
-      hasName("_wscanf_l") // _wscanf_l(format, locale, args...)
+      hasGlobalOrStdishName("scanf") or // scanf(format, args...)
+      hasGlobalOrStdishName("wscanf") or // wscanf(format, args...)
+      hasGlobalName("_scanf_l") or // _scanf_l(format, locale, args...)
+      hasGlobalName("_wscanf_l") // _wscanf_l(format, locale, args...)
     )
   }
 
@@ -53,10 +53,10 @@ class Fscanf extends ScanfFunction {
   Fscanf() {
     this instanceof TopLevelFunction and
     (
-      hasName("fscanf") or // fscanf(src_stream, format, args...)
-      hasName("fwscanf") or // fwscanf(src_stream, format, args...)
-      hasName("_fscanf_l") or // _fscanf_l(src_stream, format, locale, args...)
-      hasName("_fwscanf_l") // _fwscanf_l(src_stream, format, locale, args...)
+      hasGlobalOrStdishName("fscanf") or // fscanf(src_stream, format, args...)
+      hasGlobalOrStdishName("fwscanf") or // fwscanf(src_stream, format, args...)
+      hasGlobalName("_fscanf_l") or // _fscanf_l(src_stream, format, locale, args...)
+      hasGlobalName("_fwscanf_l") // _fwscanf_l(src_stream, format, locale, args...)
     )
   }
 
@@ -72,10 +72,10 @@ class Sscanf extends ScanfFunction {
   Sscanf() {
     this instanceof TopLevelFunction and
     (
-      hasName("sscanf") or // sscanf(src_stream, format, args...)
-      hasName("swscanf") or // swscanf(src, format, args...)
-      hasName("_sscanf_l") or // _sscanf_l(src, format, locale, args...)
-      hasName("_swscanf_l") // _swscanf_l(src, format, locale, args...)
+      hasGlobalOrStdishName("sscanf") or // sscanf(src_stream, format, args...)
+      hasGlobalOrStdishName("swscanf") or // swscanf(src, format, args...)
+      hasGlobalName("_sscanf_l") or // _sscanf_l(src, format, locale, args...)
+      hasGlobalName("_swscanf_l") // _swscanf_l(src, format, locale, args...)
     )
   }
 
@@ -91,10 +91,10 @@ class Snscanf extends ScanfFunction {
   Snscanf() {
     this instanceof TopLevelFunction and
     (
-      hasName("_snscanf") or // _snscanf(src, max_amount, format, args...)
-      hasName("_snwscanf") or // _snwscanf(src, max_amount, format, args...)
-      hasName("_snscanf_l") or // _snscanf_l(src, max_amount, format, locale, args...)
-      hasName("_snwscanf_l") // _snwscanf_l(src, max_amount, format, locale, args...)
+      hasGlobalName("_snscanf") or // _snscanf(src, max_amount, format, args...)
+      hasGlobalName("_snwscanf") or // _snwscanf(src, max_amount, format, args...)
+      hasGlobalName("_snscanf_l") or // _snscanf_l(src, max_amount, format, locale, args...)
+      hasGlobalName("_snwscanf_l") // _snwscanf_l(src, max_amount, format, locale, args...)
       // note that the max_amount is not a limit on the output length, it's an input length
       // limit used with non null-terminated strings.
     )

From b6b90b59eb7f3d06c7fd5e81e30aa2530d330b69 Mon Sep 17 00:00:00 2001
From: Cornelius Riemenschneider <criemen@github.com>
Date: Mon, 15 Feb 2021 16:22:52 +0000
Subject: [PATCH 371/429] C++: Model bsl functions in SmartPointer.qll.

---
 .../semmle/code/cpp/models/implementations/SmartPointer.qll   | 4 ++--
 1 file changed, 2 insertions(+), 2 deletions(-)

diff --git a/cpp/ql/src/semmle/code/cpp/models/implementations/SmartPointer.qll b/cpp/ql/src/semmle/code/cpp/models/implementations/SmartPointer.qll
index b13b4a8801d..c6152624792 100644
--- a/cpp/ql/src/semmle/code/cpp/models/implementations/SmartPointer.qll
+++ b/cpp/ql/src/semmle/code/cpp/models/implementations/SmartPointer.qll
@@ -4,14 +4,14 @@ import semmle.code.cpp.models.interfaces.Taint
  * The `std::shared_ptr` and `std::unique_ptr` template classes.
  */
 private class UniqueOrSharedPtr extends Class {
-  UniqueOrSharedPtr() { this.hasQualifiedName("std", ["shared_ptr", "unique_ptr"]) }
+  UniqueOrSharedPtr() { this.hasQualifiedName(["std", "bsl"], ["shared_ptr", "unique_ptr"]) }
 }
 
 /**
  * The `std::make_shared` and `std::make_unique` template functions.
  */
 private class MakeUniqueOrShared extends TaintFunction {
-  MakeUniqueOrShared() { this.hasQualifiedName("std", ["make_shared", "make_unique"]) }
+  MakeUniqueOrShared() { this.hasQualifiedName(["bsl", "std"], ["make_shared", "make_unique"]) }
 
   override predicate hasTaintFlow(FunctionInput input, FunctionOutput output) {
     // Exclude the specializations of `std::make_shared` and `std::make_unique` that allocate arrays

From 8c4563b7e399a944a343241b6879a792d8b9f7c5 Mon Sep 17 00:00:00 2001
From: Tamas Vajk <tamasvajk@github.com>
Date: Fri, 5 Feb 2021 11:19:23 +0100
Subject: [PATCH 372/429] Code quality improvements

---
 .../Populators/CompilationUnitVisitor.cs      | 10 ++---
 .../Populators/TypeContainerVisitor.cs        | 40 +++++++++++--------
 .../Populators/TypeOrNamespaceVisitor.cs      |  4 +-
 3 files changed, 30 insertions(+), 24 deletions(-)

diff --git a/csharp/extractor/Semmle.Extraction.CSharp/Populators/CompilationUnitVisitor.cs b/csharp/extractor/Semmle.Extraction.CSharp/Populators/CompilationUnitVisitor.cs
index 72f015464a3..c8adceebe38 100644
--- a/csharp/extractor/Semmle.Extraction.CSharp/Populators/CompilationUnitVisitor.cs
+++ b/csharp/extractor/Semmle.Extraction.CSharp/Populators/CompilationUnitVisitor.cs
@@ -13,30 +13,30 @@ namespace Semmle.Extraction.CSharp.Populators
         public override void VisitExternAliasDirective(ExternAliasDirectiveSyntax node)
         {
             // This information is not yet extracted.
-            cx.ExtractionError("Not implemented extern alias directive", node.ToFullString(), cx.CreateLocation(node.GetLocation()), "", Severity.Info);
+            Cx.ExtractionError("Not implemented extern alias directive", node.ToFullString(), Cx.CreateLocation(node.GetLocation()), "", Severity.Info);
         }
 
         public override void VisitCompilationUnit(CompilationUnitSyntax compilationUnit)
         {
             foreach (var m in compilationUnit.ChildNodes())
             {
-                cx.Try(m, null, () => ((CSharpSyntaxNode)m).Accept(this));
+                Cx.Try(m, null, () => ((CSharpSyntaxNode)m).Accept(this));
             }
 
             // Gather comments:
             foreach (var trivia in compilationUnit.DescendantTrivia(compilationUnit.Span, descendIntoTrivia: true))
             {
-                CommentPopulator.ExtractComment(cx, trivia);
+                CommentPopulator.ExtractComment(Cx, trivia);
             }
 
             foreach (var trivia in compilationUnit.GetLeadingTrivia())
             {
-                CommentPopulator.ExtractComment(cx, trivia);
+                CommentPopulator.ExtractComment(Cx, trivia);
             }
 
             foreach (var trivia in compilationUnit.GetTrailingTrivia())
             {
-                CommentPopulator.ExtractComment(cx, trivia);
+                CommentPopulator.ExtractComment(Cx, trivia);
             }
         }
     }
diff --git a/csharp/extractor/Semmle.Extraction.CSharp/Populators/TypeContainerVisitor.cs b/csharp/extractor/Semmle.Extraction.CSharp/Populators/TypeContainerVisitor.cs
index 6e5b45e9e3a..f72de1c2f08 100644
--- a/csharp/extractor/Semmle.Extraction.CSharp/Populators/TypeContainerVisitor.cs
+++ b/csharp/extractor/Semmle.Extraction.CSharp/Populators/TypeContainerVisitor.cs
@@ -11,16 +11,17 @@ namespace Semmle.Extraction.CSharp.Populators
 {
     public class TypeContainerVisitor : CSharpSyntaxVisitor
     {
-        protected Context cx { get; }
-        protected IEntity parent { get; }
-        protected TextWriter trapFile { get; }
+        protected Context Cx { get; }
+        protected IEntity Parent { get; }
+        protected TextWriter TrapFile { get; }
         private readonly Lazy<Func<SyntaxNode, AttributeData>> attributeLookup;
 
         public TypeContainerVisitor(Context cx, TextWriter trapFile, IEntity parent)
         {
-            this.cx = cx;
-            this.parent = parent;
-            this.trapFile = trapFile;
+            Cx = cx;
+            Parent = parent;
+            TrapFile = trapFile;
+
             attributeLookup = new Lazy<Func<SyntaxNode, AttributeData>>(() =>
                 {
                     var dict = new Dictionary<SyntaxNode, AttributeData>();
@@ -40,46 +41,51 @@ namespace Semmle.Extraction.CSharp.Populators
 
         public override void VisitDelegateDeclaration(DelegateDeclarationSyntax node)
         {
-            Entities.NamedType.Create(cx, cx.GetModel(node).GetDeclaredSymbol(node)).ExtractRecursive(trapFile, parent);
+            Entities.NamedType.Create(Cx, Cx.GetModel(node).GetDeclaredSymbol(node)).ExtractRecursive(TrapFile, Parent);
         }
 
         public override void VisitRecordDeclaration(RecordDeclarationSyntax node)
         {
-            Entities.Type.Create(cx, cx.GetModel(node).GetDeclaredSymbol(node)).ExtractRecursive(trapFile, parent);
+            ExtractTypeDeclaration(node);
         }
 
-        public override void VisitClassDeclaration(ClassDeclarationSyntax classDecl)
+        public override void VisitClassDeclaration(ClassDeclarationSyntax node)
         {
-            Entities.Type.Create(cx, cx.GetModel(classDecl).GetDeclaredSymbol(classDecl)).ExtractRecursive(trapFile, parent);
+            ExtractTypeDeclaration(node);
         }
 
         public override void VisitStructDeclaration(StructDeclarationSyntax node)
         {
-            Entities.Type.Create(cx, cx.GetModel(node).GetDeclaredSymbol(node)).ExtractRecursive(trapFile, parent);
+            ExtractTypeDeclaration(node);
         }
 
         public override void VisitEnumDeclaration(EnumDeclarationSyntax node)
         {
-            Entities.Type.Create(cx, cx.GetModel(node).GetDeclaredSymbol(node)).ExtractRecursive(trapFile, parent);
+            ExtractTypeDeclaration(node);
         }
 
         public override void VisitInterfaceDeclaration(InterfaceDeclarationSyntax node)
         {
-            Entities.Type.Create(cx, cx.GetModel(node).GetDeclaredSymbol(node)).ExtractRecursive(trapFile, parent);
+            ExtractTypeDeclaration(node);
+        }
+
+        private void ExtractTypeDeclaration(BaseTypeDeclarationSyntax node)
+        {
+            Entities.Type.Create(Cx, Cx.GetModel(node).GetDeclaredSymbol(node)).ExtractRecursive(TrapFile, Parent);
         }
 
         public override void VisitAttributeList(AttributeListSyntax node)
         {
-            if (cx.Extractor.Standalone)
+            if (Cx.Extractor.Standalone)
                 return;
 
-            var outputAssembly = Assembly.CreateOutputAssembly(cx);
+            var outputAssembly = Assembly.CreateOutputAssembly(Cx);
             foreach (var attribute in node.Attributes)
             {
                 if (attributeLookup.Value(attribute) is AttributeData attributeData)
                 {
-                    var ae = Semmle.Extraction.CSharp.Entities.Attribute.Create(cx, attributeData, outputAssembly);
-                    cx.BindComments(ae, attribute.GetLocation());
+                    var ae = Semmle.Extraction.CSharp.Entities.Attribute.Create(Cx, attributeData, outputAssembly);
+                    Cx.BindComments(ae, attribute.GetLocation());
                 }
             }
         }
diff --git a/csharp/extractor/Semmle.Extraction.CSharp/Populators/TypeOrNamespaceVisitor.cs b/csharp/extractor/Semmle.Extraction.CSharp/Populators/TypeOrNamespaceVisitor.cs
index aacdc5d2a4f..a3daae08a60 100644
--- a/csharp/extractor/Semmle.Extraction.CSharp/Populators/TypeOrNamespaceVisitor.cs
+++ b/csharp/extractor/Semmle.Extraction.CSharp/Populators/TypeOrNamespaceVisitor.cs
@@ -13,12 +13,12 @@ namespace Semmle.Extraction.CSharp.Populators
         {
             // Only deal with "using namespace" not "using X = Y"
             if (usingDirective.Alias == null)
-                new UsingDirective(cx, usingDirective, (NamespaceDeclaration)parent);
+                new UsingDirective(Cx, usingDirective, (NamespaceDeclaration)Parent);
         }
 
         public override void VisitNamespaceDeclaration(NamespaceDeclarationSyntax node)
         {
-            NamespaceDeclaration.Create(cx, node, (NamespaceDeclaration)parent);
+            NamespaceDeclaration.Create(Cx, node, (NamespaceDeclaration)Parent);
         }
     }
 }

From 595bb025f9601ac72717a5b4d77625167c9e6cda Mon Sep 17 00:00:00 2001
From: Cornelius Riemenschneider <criemen@github.com>
Date: Mon, 15 Feb 2021 16:34:07 +0000
Subject: [PATCH 373/429] C++: Model bsl functions in StdMap.qll.

---
 .../cpp/models/implementations/StdMap.qll     | 46 ++++++++++++++-----
 1 file changed, 35 insertions(+), 11 deletions(-)

diff --git a/cpp/ql/src/semmle/code/cpp/models/implementations/StdMap.qll b/cpp/ql/src/semmle/code/cpp/models/implementations/StdMap.qll
index f261038735d..baf4774ce76 100644
--- a/cpp/ql/src/semmle/code/cpp/models/implementations/StdMap.qll
+++ b/cpp/ql/src/semmle/code/cpp/models/implementations/StdMap.qll
@@ -5,13 +5,20 @@
 import semmle.code.cpp.models.interfaces.Taint
 import semmle.code.cpp.models.interfaces.Iterator
 
+/**
+ * The `std::map` and `std::unordered_map` template classes.
+ */
+private class MapOrUnorderedMap extends Class {
+  MapOrUnorderedMap() { this.hasQualifiedName(["std", "bsl"], ["map", "unordered_map"]) }
+}
+
 /**
  * Additional model for map constructors using iterator inputs.
  */
 private class StdMapConstructor extends Constructor, TaintFunction {
   StdMapConstructor() {
-    this.hasQualifiedName("std", "map", "map") or
-    this.hasQualifiedName("std", "unordered_map", "unordered_map")
+    this.hasQualifiedName(["std", "bsl"], "map", "map") or
+    this.hasQualifiedName(["std", "bsl"], "unordered_map", "unordered_map")
   }
 
   /**
@@ -37,7 +44,8 @@ private class StdMapConstructor extends Constructor, TaintFunction {
  */
 private class StdMapInsert extends TaintFunction {
   StdMapInsert() {
-    this.hasQualifiedName("std", ["map", "unordered_map"], ["insert", "insert_or_assign"])
+    this.hasName(["insert", "insert_or_assign"]) and
+    this.getDeclaringType() instanceof MapOrUnorderedMap
   }
 
   override predicate hasTaintFlow(FunctionInput input, FunctionOutput output) {
@@ -56,7 +64,8 @@ private class StdMapInsert extends TaintFunction {
  */
 private class StdMapEmplace extends TaintFunction {
   StdMapEmplace() {
-    this.hasQualifiedName("std", ["map", "unordered_map"], ["emplace", "emplace_hint"])
+    this.hasName(["emplace", "emplace_hint"]) and
+    this.getDeclaringType() instanceof MapOrUnorderedMap
   }
 
   override predicate hasTaintFlow(FunctionInput input, FunctionOutput output) {
@@ -79,7 +88,10 @@ private class StdMapEmplace extends TaintFunction {
  * The standard map `try_emplace` function.
  */
 private class StdMapTryEmplace extends TaintFunction {
-  StdMapTryEmplace() { this.hasQualifiedName("std", ["map", "unordered_map"], "try_emplace") }
+  StdMapTryEmplace() {
+    this.hasName("try_emplace") and
+    this.getDeclaringType() instanceof MapOrUnorderedMap
+  }
 
   override predicate hasTaintFlow(FunctionInput input, FunctionOutput output) {
     // flow from any parameter apart from the key to qualifier and return value
@@ -106,7 +118,10 @@ private class StdMapTryEmplace extends TaintFunction {
  * The standard map `merge` function.
  */
 private class StdMapMerge extends TaintFunction {
-  StdMapMerge() { this.hasQualifiedName("std", ["map", "unordered_map"], "merge") }
+  StdMapMerge() {
+    this.hasName("merge") and
+    this.getDeclaringType() instanceof MapOrUnorderedMap
+  }
 
   override predicate hasTaintFlow(FunctionInput input, FunctionOutput output) {
     // container1.merge(container2)
@@ -119,7 +134,10 @@ private class StdMapMerge extends TaintFunction {
  * The standard map functions `at` and `operator[]`.
  */
 private class StdMapAt extends TaintFunction {
-  StdMapAt() { this.hasQualifiedName("std", ["map", "unordered_map"], ["at", "operator[]"]) }
+  StdMapAt() {
+    this.hasName(["at", "operator[]"]) and
+    this.getDeclaringType() instanceof MapOrUnorderedMap
+  }
 
   override predicate hasTaintFlow(FunctionInput input, FunctionOutput output) {
     // flow from qualifier to referenced return value
@@ -136,7 +154,10 @@ private class StdMapAt extends TaintFunction {
  * The standard map `find` function.
  */
 private class StdMapFind extends TaintFunction {
-  StdMapFind() { this.hasQualifiedName("std", ["map", "unordered_map"], "find") }
+  StdMapFind() {
+    this.hasName("find") and
+    this.getDeclaringType() instanceof MapOrUnorderedMap
+  }
 
   override predicate hasTaintFlow(FunctionInput input, FunctionOutput output) {
     input.isQualifierObject() and
@@ -148,7 +169,10 @@ private class StdMapFind extends TaintFunction {
  * The standard map `erase` function.
  */
 private class StdMapErase extends TaintFunction {
-  StdMapErase() { this.hasQualifiedName("std", ["map", "unordered_map"], "erase") }
+  StdMapErase() {
+    this.hasName("erase") and
+    this.getDeclaringType() instanceof MapOrUnorderedMap
+  }
 
   override predicate hasTaintFlow(FunctionInput input, FunctionOutput output) {
     // flow from qualifier to iterator return value
@@ -163,8 +187,8 @@ private class StdMapErase extends TaintFunction {
  */
 private class StdMapEqualRange extends TaintFunction {
   StdMapEqualRange() {
-    this.hasQualifiedName("std", ["map", "unordered_map"],
-      ["lower_bound", "upper_bound", "equal_range"])
+    this.hasName(["lower_bound", "upper_bound", "equal_range"]) and
+    this.getDeclaringType() instanceof MapOrUnorderedMap
   }
 
   override predicate hasTaintFlow(FunctionInput input, FunctionOutput output) {

From 4a0791200696089d69a8f24da130321187d89463 Mon Sep 17 00:00:00 2001
From: Cornelius Riemenschneider <criemen@github.com>
Date: Mon, 15 Feb 2021 16:36:49 +0000
Subject: [PATCH 374/429] C++: Small code improvement.

---
 cpp/ql/src/semmle/code/cpp/models/implementations/StdMap.qll | 5 +----
 1 file changed, 1 insertion(+), 4 deletions(-)

diff --git a/cpp/ql/src/semmle/code/cpp/models/implementations/StdMap.qll b/cpp/ql/src/semmle/code/cpp/models/implementations/StdMap.qll
index baf4774ce76..6925fb110fc 100644
--- a/cpp/ql/src/semmle/code/cpp/models/implementations/StdMap.qll
+++ b/cpp/ql/src/semmle/code/cpp/models/implementations/StdMap.qll
@@ -16,10 +16,7 @@ private class MapOrUnorderedMap extends Class {
  * Additional model for map constructors using iterator inputs.
  */
 private class StdMapConstructor extends Constructor, TaintFunction {
-  StdMapConstructor() {
-    this.hasQualifiedName(["std", "bsl"], "map", "map") or
-    this.hasQualifiedName(["std", "bsl"], "unordered_map", "unordered_map")
-  }
+  StdMapConstructor() { this.getDeclaringType() instanceof MapOrUnorderedMap }
 
   /**
    * Gets the index of a parameter to this function that is an iterator.

From 6a4b54ec892a0e8e4bebd0d790d9ba02146afdc3 Mon Sep 17 00:00:00 2001
From: Tamas Vajk <tamasvajk@github.com>
Date: Fri, 13 Nov 2020 18:25:41 +0100
Subject: [PATCH 375/429] C#: Extract global statements

---
 .../Entities/OrdinaryMethod.cs                |  5 +++
 .../Entities/Statement.cs                     | 36 +++++++++++++---
 .../Entities/Statement`1.cs                   | 32 +++++----------
 .../Entities/Statements/Factory.cs            |  2 +-
 .../Statements/GlobalStatementsBlock.cs       | 41 +++++++++++++++++++
 .../Populators/CompilationUnitVisitor.cs      | 30 ++++++++++++++
 .../Populators/TypeContainerVisitor.cs        |  8 +++-
 .../Semmle.Extraction.CSharp/Tuples.cs        | 10 +++++
 csharp/ql/src/semmle/code/csharp/Callable.qll |  3 ++
 csharp/ql/src/semmle/code/csharp/PrintAst.qll |  3 +-
 csharp/ql/src/semmle/code/csharp/Stmt.qll     |  6 +++
 csharp/ql/src/semmlecode.csharp.dbscheme      |  5 +++
 .../test/library-tests/csharp9/GlobalStmt.cs  | 25 +++++++++++
 .../csharp9/LocalFunctions.expected           |  1 +
 .../library-tests/csharp9/PrintAst.expected   | 31 ++++++++++++++
 .../library-tests/csharp9/globalStmt.expected | 10 +++++
 .../test/library-tests/csharp9/globalStmt.ql  | 15 +++++++
 17 files changed, 232 insertions(+), 31 deletions(-)
 create mode 100644 csharp/extractor/Semmle.Extraction.CSharp/Entities/Statements/GlobalStatementsBlock.cs
 create mode 100644 csharp/ql/test/library-tests/csharp9/GlobalStmt.cs
 create mode 100644 csharp/ql/test/library-tests/csharp9/globalStmt.expected
 create mode 100644 csharp/ql/test/library-tests/csharp9/globalStmt.ql

diff --git a/csharp/extractor/Semmle.Extraction.CSharp/Entities/OrdinaryMethod.cs b/csharp/extractor/Semmle.Extraction.CSharp/Entities/OrdinaryMethod.cs
index d81fc25f72b..d9e95c342ac 100644
--- a/csharp/extractor/Semmle.Extraction.CSharp/Entities/OrdinaryMethod.cs
+++ b/csharp/extractor/Semmle.Extraction.CSharp/Entities/OrdinaryMethod.cs
@@ -51,6 +51,11 @@ namespace Semmle.Extraction.CSharp.Entities
             Overrides(trapFile);
             ExtractRefReturn(trapFile, symbol, this);
             ExtractCompilerGenerated(trapFile);
+
+            if (SymbolEqualityComparer.Default.Equals(symbol, Context.Compilation.GetEntryPoint(System.Threading.CancellationToken.None)))
+            {
+                trapFile.entry_methods(this);
+            }
         }
 
         public static new OrdinaryMethod Create(Context cx, IMethodSymbol method) => OrdinaryMethodFactory.Instance.CreateEntityFromSymbol(cx, method);
diff --git a/csharp/extractor/Semmle.Extraction.CSharp/Entities/Statement.cs b/csharp/extractor/Semmle.Extraction.CSharp/Entities/Statement.cs
index 7a5bdcd2a58..94ab9a7ce61 100644
--- a/csharp/extractor/Semmle.Extraction.CSharp/Entities/Statement.cs
+++ b/csharp/extractor/Semmle.Extraction.CSharp/Entities/Statement.cs
@@ -1,13 +1,41 @@
 using Microsoft.CodeAnalysis.CSharp.Syntax;
 using Microsoft.CodeAnalysis.CSharp;
+using System.IO;
 
 namespace Semmle.Extraction.CSharp.Entities
 {
     internal abstract class Statement : FreshEntity, IExpressionParentEntity, IStatementParentEntity
     {
-        protected Statement(Context cx) : base(cx) { }
+        private readonly int child;
+        private readonly Kinds.StmtKind kind;
+        private readonly IStatementParentEntity parent;
 
-        public static Statement Create(Context cx, StatementSyntax node, Statement parent, int child) =>
+        protected Statement(Context cx, Kinds.StmtKind kind, IStatementParentEntity parent, int child)
+            : base(cx)
+        {
+            this.kind = kind;
+            this.parent = parent;
+            this.child = child;
+        }
+
+        protected override void Populate(TextWriter trapFile)
+        {
+            trapFile.statements(this, kind);
+            if (parent.IsTopLevelParent)
+            {
+                trapFile.stmt_parent_top_level(this, child, parent);
+            }
+            else
+            {
+                trapFile.stmt_parent(this, child, parent);
+            }
+
+            PopulateStatement(trapFile);
+        }
+
+        protected abstract void PopulateStatement(TextWriter trapFile);
+
+        public static Statement Create(Context cx, StatementSyntax node, IStatementParentEntity parent, int child) =>
             Statements.Factory.Create(cx, node, parent, child);
 
         /// <summary>
@@ -16,14 +44,10 @@ namespace Semmle.Extraction.CSharp.Entities
         /// </summary>
         public virtual int NumberOfStatements => 1;
 
-        public override Microsoft.CodeAnalysis.Location ReportingLocation => GetStatementSyntax().GetLocation();
-
         bool IExpressionParentEntity.IsTopLevelParent => false;
 
         bool IStatementParentEntity.IsTopLevelParent => false;
 
-        protected abstract CSharpSyntaxNode GetStatementSyntax();
-
         public override TrapStackBehaviour TrapStackBehaviour => TrapStackBehaviour.NeedsLabel;
     }
 }
diff --git a/csharp/extractor/Semmle.Extraction.CSharp/Entities/Statement`1.cs b/csharp/extractor/Semmle.Extraction.CSharp/Entities/Statement`1.cs
index 1d8dd43f702..8ea6650d4f7 100644
--- a/csharp/extractor/Semmle.Extraction.CSharp/Entities/Statement`1.cs
+++ b/csharp/extractor/Semmle.Extraction.CSharp/Entities/Statement`1.cs
@@ -8,40 +8,28 @@ namespace Semmle.Extraction.CSharp.Entities
     internal abstract class Statement<TSyntax> : Statement where TSyntax : CSharpSyntaxNode
     {
         protected readonly TSyntax Stmt;
-        private readonly int child;
-        private readonly Kinds.StmtKind kind;
-        private readonly IStatementParentEntity parent;
         private readonly Location location;
 
-        protected override CSharpSyntaxNode GetStatementSyntax() => Stmt;
-
         protected Statement(Context cx, TSyntax stmt, Kinds.StmtKind kind, IStatementParentEntity parent, int child, Location location)
-            : base(cx)
+            : base(cx, kind, parent, child)
         {
             Stmt = stmt;
-            this.parent = parent;
-            this.child = child;
             this.location = location;
-            this.kind = kind;
             cx.BindComments(this, location.symbol);
         }
 
-        protected sealed override void Populate(TextWriter trapFile)
-        {
-            trapFile.statements(this, kind);
-            if (parent.IsTopLevelParent)
-                trapFile.stmt_parent_top_level(this, child, parent);
-            else
-                trapFile.stmt_parent(this, child, parent);
-            trapFile.stmt_location(this, location);
-            PopulateStatement(trapFile);
-        }
-
-        protected abstract void PopulateStatement(TextWriter trapFile);
-
         protected Statement(Context cx, TSyntax stmt, Kinds.StmtKind kind, IStatementParentEntity parent, int child)
             : this(cx, stmt, kind, parent, child, cx.CreateLocation(stmt.FixedLocation())) { }
 
+        protected sealed override void Populate(TextWriter trapFile)
+        {
+            base.Populate(trapFile);
+
+            trapFile.stmt_location(this, location);
+        }
+
+        public override Microsoft.CodeAnalysis.Location ReportingLocation => Stmt.GetLocation();
+
         public override string ToString() => Label.ToString();
     }
 }
diff --git a/csharp/extractor/Semmle.Extraction.CSharp/Entities/Statements/Factory.cs b/csharp/extractor/Semmle.Extraction.CSharp/Entities/Statements/Factory.cs
index 69ebdca1c16..2960982061e 100644
--- a/csharp/extractor/Semmle.Extraction.CSharp/Entities/Statements/Factory.cs
+++ b/csharp/extractor/Semmle.Extraction.CSharp/Entities/Statements/Factory.cs
@@ -5,7 +5,7 @@ namespace Semmle.Extraction.CSharp.Entities.Statements
 {
     internal static class Factory
     {
-        internal static Statement Create(Context cx, StatementSyntax node, Statement parent, int child)
+        internal static Statement Create(Context cx, StatementSyntax node, IStatementParentEntity parent, int child)
         {
             switch (node.Kind())
             {
diff --git a/csharp/extractor/Semmle.Extraction.CSharp/Entities/Statements/GlobalStatementsBlock.cs b/csharp/extractor/Semmle.Extraction.CSharp/Entities/Statements/GlobalStatementsBlock.cs
new file mode 100644
index 00000000000..ca1d5ba2c5b
--- /dev/null
+++ b/csharp/extractor/Semmle.Extraction.CSharp/Entities/Statements/GlobalStatementsBlock.cs
@@ -0,0 +1,41 @@
+using Semmle.Extraction.Kinds;
+using System.Linq;
+using System.IO;
+using Semmle.Extraction.Entities;
+
+namespace Semmle.Extraction.CSharp.Entities.Statements
+{
+    internal class GlobalStatementsBlock : Statement
+    {
+        private GlobalStatementsBlock(Context cx, Method parent)
+            : base(cx, StmtKind.BLOCK, parent, 0) { }
+
+        public override Microsoft.CodeAnalysis.Location ReportingLocation
+        {
+            get
+            {
+                // We only create a `GlobalStatementsBlock` if there are global statements. This also means that the
+                // entry point is going to be the generated method around those global statements
+                return cx.Compilation.GetEntryPoint(System.Threading.CancellationToken.None)
+                    ?.DeclaringSyntaxReferences
+                    .FirstOrDefault()
+                    ?.GetSyntax()
+                    .GetLocation();
+            }
+        }
+
+        public static GlobalStatementsBlock Create(Context cx, Method parent)
+        {
+            var ret = new GlobalStatementsBlock(cx, parent);
+            ret.TryPopulate();
+            return ret;
+        }
+
+        protected override void PopulateStatement(TextWriter trapFile)
+        {
+            trapFile.global_stmt_block(this);
+
+            trapFile.stmt_location(this, cx.CreateLocation(ReportingLocation));
+        }
+    }
+}
diff --git a/csharp/extractor/Semmle.Extraction.CSharp/Populators/CompilationUnitVisitor.cs b/csharp/extractor/Semmle.Extraction.CSharp/Populators/CompilationUnitVisitor.cs
index c8adceebe38..58e5404ccd7 100644
--- a/csharp/extractor/Semmle.Extraction.CSharp/Populators/CompilationUnitVisitor.cs
+++ b/csharp/extractor/Semmle.Extraction.CSharp/Populators/CompilationUnitVisitor.cs
@@ -2,6 +2,9 @@ using Microsoft.CodeAnalysis;
 using Microsoft.CodeAnalysis.CSharp;
 using Microsoft.CodeAnalysis.CSharp.Syntax;
 using Semmle.Util.Logging;
+using Semmle.Extraction.CSharp.Entities;
+using Semmle.Extraction.CSharp.Entities.Statements;
+using System.Linq;
 
 namespace Semmle.Extraction.CSharp.Populators
 {
@@ -23,6 +26,8 @@ namespace Semmle.Extraction.CSharp.Populators
                 Cx.Try(m, null, () => ((CSharpSyntaxNode)m).Accept(this));
             }
 
+            ExtractGlobalStatements(compilationUnit);
+
             // Gather comments:
             foreach (var trivia in compilationUnit.DescendantTrivia(compilationUnit.Span, descendIntoTrivia: true))
             {
@@ -39,5 +44,30 @@ namespace Semmle.Extraction.CSharp.Populators
                 CommentPopulator.ExtractComment(Cx, trivia);
             }
         }
+
+        private void ExtractGlobalStatements(CompilationUnitSyntax compilationUnit)
+        {
+            var globalStatements = compilationUnit
+                .ChildNodes()
+                .OfType<GlobalStatementSyntax>()
+                .ToList();
+
+            if (!globalStatements.Any())
+            {
+                return;
+            }
+
+            var entryPoint = Cx.Compilation.GetEntryPoint(System.Threading.CancellationToken.None);
+            var entryMethod = Method.Create(Cx, entryPoint);
+            var block = GlobalStatementsBlock.Create(Cx, entryMethod);
+
+            for (var i = 0; i < globalStatements.Count; i++)
+            {
+                if (globalStatements[i].Statement is object)
+                {
+                    Statement.Create(Cx, globalStatements[i].Statement, block, i);
+                }
+            }
+        }
     }
 }
diff --git a/csharp/extractor/Semmle.Extraction.CSharp/Populators/TypeContainerVisitor.cs b/csharp/extractor/Semmle.Extraction.CSharp/Populators/TypeContainerVisitor.cs
index f72de1c2f08..ededf2978b9 100644
--- a/csharp/extractor/Semmle.Extraction.CSharp/Populators/TypeContainerVisitor.cs
+++ b/csharp/extractor/Semmle.Extraction.CSharp/Populators/TypeContainerVisitor.cs
@@ -39,6 +39,12 @@ namespace Semmle.Extraction.CSharp.Populators
             throw new InternalError(node, "Unhandled top-level syntax node");
         }
 
+        public override void VisitGlobalStatement(GlobalStatementSyntax node)
+        {
+            // Intentionally left empty.
+            // Global statements are handled in CompilationUnitVisitor
+        }
+
         public override void VisitDelegateDeclaration(DelegateDeclarationSyntax node)
         {
             Entities.NamedType.Create(Cx, Cx.GetModel(node).GetDeclaredSymbol(node)).ExtractRecursive(TrapFile, Parent);
@@ -84,7 +90,7 @@ namespace Semmle.Extraction.CSharp.Populators
             {
                 if (attributeLookup.Value(attribute) is AttributeData attributeData)
                 {
-                    var ae = Semmle.Extraction.CSharp.Entities.Attribute.Create(Cx, attributeData, outputAssembly);
+                    var ae = Entities.Attribute.Create(Cx, attributeData, outputAssembly);
                     Cx.BindComments(ae, attribute.GetLocation());
                 }
             }
diff --git a/csharp/extractor/Semmle.Extraction.CSharp/Tuples.cs b/csharp/extractor/Semmle.Extraction.CSharp/Tuples.cs
index df39d6a836c..75c0f633cc0 100644
--- a/csharp/extractor/Semmle.Extraction.CSharp/Tuples.cs
+++ b/csharp/extractor/Semmle.Extraction.CSharp/Tuples.cs
@@ -379,6 +379,11 @@ namespace Semmle.Extraction.CSharp
             trapFile.WriteTuple("methods", method, name, declType, retType, originalDefinition);
         }
 
+        internal static void entry_methods(this TextWriter trapFile, Method method)
+        {
+            trapFile.WriteTuple("entry_methods", method);
+        }
+
         internal static void modifiers(this TextWriter trapFile, Label entity, string modifier)
         {
             trapFile.WriteTuple("modifiers", entity, modifier);
@@ -509,6 +514,11 @@ namespace Semmle.Extraction.CSharp
             trapFile.WriteTuple("stackalloc_array_creation", array);
         }
 
+        internal static void global_stmt_block(this TextWriter trapFile, Entities.Statements.GlobalStatementsBlock block)
+        {
+            trapFile.WriteTuple("global_stmt_block", block);
+        }
+
         internal static void stmt_location(this TextWriter trapFile, Statement stmt, Location location)
         {
             trapFile.WriteTuple("stmt_location", stmt, location);
diff --git a/csharp/ql/src/semmle/code/csharp/Callable.qll b/csharp/ql/src/semmle/code/csharp/Callable.qll
index 7238f4576f9..8f2c1bd4471 100644
--- a/csharp/ql/src/semmle/code/csharp/Callable.qll
+++ b/csharp/ql/src/semmle/code/csharp/Callable.qll
@@ -292,6 +292,9 @@ class Method extends Callable, Virtualizable, Attributable, @method {
   }
 
   override string getAPrimaryQlClass() { result = "Method" }
+
+  /** Holds if this method is the entry method of the compilation. */
+  predicate isEntry() { entry_methods(this) }
 }
 
 /**
diff --git a/csharp/ql/src/semmle/code/csharp/PrintAst.qll b/csharp/ql/src/semmle/code/csharp/PrintAst.qll
index 024dfc2a05e..1cac4a5f238 100644
--- a/csharp/ql/src/semmle/code/csharp/PrintAst.qll
+++ b/csharp/ql/src/semmle/code/csharp/PrintAst.qll
@@ -134,7 +134,8 @@ private newtype TPrintAstNode =
   TParametersNode(Parameterizable parameterizable) {
     shouldPrint(parameterizable, _) and
     parameterizable.getNumberOfParameters() > 0 and
-    not isNotNeeded(parameterizable)
+    not isNotNeeded(parameterizable) and
+    exists(Parameter p | p.getDeclaringElement() = parameterizable and shouldPrint(p, _))
   } or
   TAttributesNode(Attributable attributable) {
     shouldPrint(attributable, _) and
diff --git a/csharp/ql/src/semmle/code/csharp/Stmt.qll b/csharp/ql/src/semmle/code/csharp/Stmt.qll
index 15199896390..aaa8890cd34 100644
--- a/csharp/ql/src/semmle/code/csharp/Stmt.qll
+++ b/csharp/ql/src/semmle/code/csharp/Stmt.qll
@@ -33,6 +33,9 @@ class Stmt extends ControlFlowElement, @stmt {
 
   override Location getALocation() { stmt_location(this, result) }
 
+  /** Holds if this statement is a global statement. */
+  predicate isGlobal() { this.getParent().(BlockStmt).isGlobalStatementContainer() }
+
   /**
    * Gets the singleton statement contained in this statement, by removing
    * enclosing block statements.
@@ -70,6 +73,9 @@ class BlockStmt extends Stmt, @block_stmt {
   /** Holds if this block is an empty block with no statements. */
   predicate isEmpty() { not exists(this.getAStmt()) }
 
+  /** Holds if this block is the container of the global statements. */
+  predicate isGlobalStatementContainer() { global_stmt_block(this) }
+
   override Stmt stripSingletonBlocks() {
     if getNumberOfStmts() = 1
     then result = getAChildStmt().stripSingletonBlocks()
diff --git a/csharp/ql/src/semmlecode.csharp.dbscheme b/csharp/ql/src/semmlecode.csharp.dbscheme
index 16936565fbe..1cea35ace06 100644
--- a/csharp/ql/src/semmlecode.csharp.dbscheme
+++ b/csharp/ql/src/semmlecode.csharp.dbscheme
@@ -843,6 +843,9 @@ local_function_stmts(
     unique int fn: @local_function_stmt ref,
     int stmt: @local_function ref);
 
+entry_methods(
+  unique int id: @method ref);
+
 /** VARIABLES **/
 
 @variable = @local_scope_variable | @field;
@@ -972,6 +975,8 @@ case @stmt.kind of
 
 @goto_any_stmt = @goto_default_stmt | @goto_case_stmt | @goto_stmt;
 
+global_stmt_block(
+  unique int id: @block_stmt ref);
 
 stmt_location(
   unique int id: @stmt ref,
diff --git a/csharp/ql/test/library-tests/csharp9/GlobalStmt.cs b/csharp/ql/test/library-tests/csharp9/GlobalStmt.cs
new file mode 100644
index 00000000000..6b8958d7fbd
--- /dev/null
+++ b/csharp/ql/test/library-tests/csharp9/GlobalStmt.cs
@@ -0,0 +1,25 @@
+/*
+  Global statements are not allowed in 'library' target.
+
+  semmle-extractor-options: --standalone
+*/
+
+using System;
+
+[assembly: Attr] // not a global stmt
+
+Console.WriteLine("1");
+Console.WriteLine("2");
+M();
+
+void M()
+{
+}
+
+public class Attr : Attribute
+{
+  void M1()
+  {
+    Console.WriteLine("3");
+  }
+}
\ No newline at end of file
diff --git a/csharp/ql/test/library-tests/csharp9/LocalFunctions.expected b/csharp/ql/test/library-tests/csharp9/LocalFunctions.expected
index fd746b2a58b..c57ece05e59 100644
--- a/csharp/ql/test/library-tests/csharp9/LocalFunctions.expected
+++ b/csharp/ql/test/library-tests/csharp9/LocalFunctions.expected
@@ -1,6 +1,7 @@
 noBody
 | LocalFunction.cs:16:9:16:41 | localExtern |
 localFunctionModifier
+| GlobalStmt.cs:15:1:17:1 | M | private |
 | LambdaModifier.cs:8:9:8:36 | m | private |
 | LocalFunction.cs:9:9:12:9 | mul | async |
 | LocalFunction.cs:9:9:12:9 | mul | private |
diff --git a/csharp/ql/test/library-tests/csharp9/PrintAst.expected b/csharp/ql/test/library-tests/csharp9/PrintAst.expected
index e203842664b..66dc25dfedb 100644
--- a/csharp/ql/test/library-tests/csharp9/PrintAst.expected
+++ b/csharp/ql/test/library-tests/csharp9/PrintAst.expected
@@ -389,6 +389,37 @@ FunctionPointer.cs:
 #   50|     14: [Class] B
 #-----|       3: (Base types)
 #   50|         0: [TypeMention] A
+GlobalStmt.cs:
+#    7| [Class] <Program>$
+#    7|   4: [Method] <Main>$
+#    7|     4: [BlockStmt] {...}
+#   11|       0: [ExprStmt] ...;
+#   11|         0: [MethodCall] call to method WriteLine
+#   11|           -1: [TypeAccess] access to type Console
+#   11|             0: [TypeMention] Console
+#   11|           0: [StringLiteral] "1"
+#   12|       1: [ExprStmt] ...;
+#   12|         0: [MethodCall] call to method WriteLine
+#   12|           -1: [TypeAccess] access to type Console
+#   12|             0: [TypeMention] Console
+#   12|           0: [StringLiteral] "2"
+#   13|       2: [ExprStmt] ...;
+#   13|         0: [LocalFunctionCall] call to local function M
+#   13|           -1: [LocalFunctionAccess] access to local function M
+#   15|       3: [LocalFunctionStmt] M(...)
+#   15|         0: [LocalFunction] M
+#   16|           4: [BlockStmt] {...}
+#   19| [Class] Attr
+#-----|   3: (Base types)
+#   19|     0: [TypeMention] Attribute
+#   21|   5: [Method] M1
+#   21|     -1: [TypeMention] Void
+#   22|     4: [BlockStmt] {...}
+#   23|       0: [ExprStmt] ...;
+#   23|         0: [MethodCall] call to method WriteLine
+#   23|           -1: [TypeAccess] access to type Console
+#   23|             0: [TypeMention] Console
+#   23|           0: [StringLiteral] "3"
 InitOnlyProperty.cs:
 #    3| [Class] Base
 #    5|   5: [Property] Prop0
diff --git a/csharp/ql/test/library-tests/csharp9/globalStmt.expected b/csharp/ql/test/library-tests/csharp9/globalStmt.expected
new file mode 100644
index 00000000000..7063a67d6bc
--- /dev/null
+++ b/csharp/ql/test/library-tests/csharp9/globalStmt.expected
@@ -0,0 +1,10 @@
+global_stmt
+| GlobalStmt.cs:11:1:11:23 | ...; |
+| GlobalStmt.cs:12:1:12:23 | ...; |
+| GlobalStmt.cs:13:1:13:4 | ...; |
+| GlobalStmt.cs:15:1:17:1 | M(...) |
+globalBlock
+| GlobalStmt.cs:7:1:25:1 | {...} | GlobalStmt.cs:7:1:25:1 | <Main>$ | file://:0:0:0:0 | args | GlobalStmt.cs:7:1:25:1 | <Program>$ |
+methods
+| GlobalStmt.cs:7:1:25:1 | <Main>$ | entry |
+| GlobalStmt.cs:21:8:21:9 | M1 | non-entry |
diff --git a/csharp/ql/test/library-tests/csharp9/globalStmt.ql b/csharp/ql/test/library-tests/csharp9/globalStmt.ql
new file mode 100644
index 00000000000..586f34d4ade
--- /dev/null
+++ b/csharp/ql/test/library-tests/csharp9/globalStmt.ql
@@ -0,0 +1,15 @@
+import csharp
+
+query predicate global_stmt(Stmt stmt) { stmt.isGlobal() }
+
+query predicate globalBlock(BlockStmt block, Method m, Parameter p, Type t) {
+  block.isGlobalStatementContainer() and
+  block.getEnclosingCallable() = m and
+  m.getDeclaringType() = t and
+  m.getAParameter() = p
+}
+
+query predicate methods(Method m, string entry) {
+  m.getFile().getStem() = "GlobalStmt" and
+  if m.isEntry() then entry = "entry" else entry = "non-entry"
+}

From b79d5ab44b4eb9716cd942b1d56de6739ce16049 Mon Sep 17 00:00:00 2001
From: Tamas Vajk <tamasvajk@github.com>
Date: Tue, 8 Dec 2020 11:22:34 +0100
Subject: [PATCH 376/429] Fix labeled stmt factory method parameter types

---
 .../Entities/Statements/Labeled.cs                    | 11 +++++------
 1 file changed, 5 insertions(+), 6 deletions(-)

diff --git a/csharp/extractor/Semmle.Extraction.CSharp/Entities/Statements/Labeled.cs b/csharp/extractor/Semmle.Extraction.CSharp/Entities/Statements/Labeled.cs
index 1fce622b347..fe69af917ba 100644
--- a/csharp/extractor/Semmle.Extraction.CSharp/Entities/Statements/Labeled.cs
+++ b/csharp/extractor/Semmle.Extraction.CSharp/Entities/Statements/Labeled.cs
@@ -6,17 +6,18 @@ namespace Semmle.Extraction.CSharp.Entities.Statements
 {
     internal class Labeled : Statement<LabeledStatementSyntax>
     {
-        private readonly Statement parent;
+        private readonly IStatementParentEntity parent;
         private readonly int child;
+        private Statement labelledStmt;
 
-        private Labeled(Context cx, LabeledStatementSyntax stmt, Statement parent, int child)
+        private Labeled(Context cx, LabeledStatementSyntax stmt, IStatementParentEntity parent, int child)
             : base(cx, stmt, StmtKind.LABEL, parent, child)
         {
             this.parent = parent;
             this.child = child;
         }
 
-        public static Labeled Create(Context cx, LabeledStatementSyntax node, Statement parent, int child)
+        public static Labeled Create(Context cx, LabeledStatementSyntax node, IStatementParentEntity parent, int child)
         {
             var ret = new Labeled(cx, node, parent, child);
             ret.TryPopulate();
@@ -27,13 +28,11 @@ namespace Semmle.Extraction.CSharp.Entities.Statements
         {
             trapFile.exprorstmt_name(this, Stmt.Identifier.ToString());
 
-            // For compatilibty with the Mono extractor, make insert the labelled statement into the same block
+            // For compatibility with the Mono extractor, make insert the labelled statement into the same block
             // as this one. The parent MUST be a block statement.
             labelledStmt = Statement.Create(cx, Stmt.Statement, parent, child + 1);
         }
 
-        private Statement labelledStmt;
-
         public override int NumberOfStatements => 1 + labelledStmt.NumberOfStatements;
     }
 }

From 423fee3069a87882686ff8669245c9218f37e5ef Mon Sep 17 00:00:00 2001
From: Tamas Vajk <tamasvajk@github.com>
Date: Tue, 2 Feb 2021 09:13:26 +0100
Subject: [PATCH 377/429] Fix argument location of top level statement entry
 point

---
 .../Semmle.Extraction.CSharp/Entities/Parameter.cs         | 7 +++++++
 csharp/ql/test/library-tests/csharp9/PrintAst.expected     | 2 ++
 csharp/ql/test/library-tests/csharp9/globalStmt.expected   | 2 +-
 3 files changed, 10 insertions(+), 1 deletion(-)

diff --git a/csharp/extractor/Semmle.Extraction.CSharp/Entities/Parameter.cs b/csharp/extractor/Semmle.Extraction.CSharp/Entities/Parameter.cs
index 325a77b6dd2..9a8e6765804 100644
--- a/csharp/extractor/Semmle.Extraction.CSharp/Entities/Parameter.cs
+++ b/csharp/extractor/Semmle.Extraction.CSharp/Entities/Parameter.cs
@@ -112,6 +112,13 @@ namespace Semmle.Extraction.CSharp.Entities
             foreach (var l in symbol.Locations)
                 trapFile.param_location(this, Context.CreateLocation(l));
 
+            if (!symbol.Locations.Any() &&
+                symbol.ContainingSymbol is IMethodSymbol ms &&
+                ms.Name == WellKnownMemberNames.TopLevelStatementsEntryPointMethodName)
+            {
+                trapFile.param_location(this, Context.CreateLocation());
+            }
+
             if (!IsSourceDeclaration || !symbol.FromSource())
                 return;
 
diff --git a/csharp/ql/test/library-tests/csharp9/PrintAst.expected b/csharp/ql/test/library-tests/csharp9/PrintAst.expected
index 66dc25dfedb..e09c7067139 100644
--- a/csharp/ql/test/library-tests/csharp9/PrintAst.expected
+++ b/csharp/ql/test/library-tests/csharp9/PrintAst.expected
@@ -392,6 +392,8 @@ FunctionPointer.cs:
 GlobalStmt.cs:
 #    7| [Class] <Program>$
 #    7|   4: [Method] <Main>$
+#-----|     2: (Parameters)
+#    1|       0: [Parameter] args
 #    7|     4: [BlockStmt] {...}
 #   11|       0: [ExprStmt] ...;
 #   11|         0: [MethodCall] call to method WriteLine
diff --git a/csharp/ql/test/library-tests/csharp9/globalStmt.expected b/csharp/ql/test/library-tests/csharp9/globalStmt.expected
index 7063a67d6bc..dc7ccea6ad1 100644
--- a/csharp/ql/test/library-tests/csharp9/globalStmt.expected
+++ b/csharp/ql/test/library-tests/csharp9/globalStmt.expected
@@ -4,7 +4,7 @@ global_stmt
 | GlobalStmt.cs:13:1:13:4 | ...; |
 | GlobalStmt.cs:15:1:17:1 | M(...) |
 globalBlock
-| GlobalStmt.cs:7:1:25:1 | {...} | GlobalStmt.cs:7:1:25:1 | <Main>$ | file://:0:0:0:0 | args | GlobalStmt.cs:7:1:25:1 | <Program>$ |
+| GlobalStmt.cs:7:1:25:1 | {...} | GlobalStmt.cs:7:1:25:1 | <Main>$ | GlobalStmt.cs:1:1:1:0 | args | GlobalStmt.cs:7:1:25:1 | <Program>$ |
 methods
 | GlobalStmt.cs:7:1:25:1 | <Main>$ | entry |
 | GlobalStmt.cs:21:8:21:9 | M1 | non-entry |

From a14db7a04f905be8b886a4992aebe325fe7abcfb Mon Sep 17 00:00:00 2001
From: Tamas Vajk <tamasvajk@github.com>
Date: Fri, 12 Feb 2021 12:27:38 +0100
Subject: [PATCH 378/429] Fix code review findings

---
 .../extractor/Semmle.Extraction.CSharp/Entities/Parameter.cs   | 3 ++-
 1 file changed, 2 insertions(+), 1 deletion(-)

diff --git a/csharp/extractor/Semmle.Extraction.CSharp/Entities/Parameter.cs b/csharp/extractor/Semmle.Extraction.CSharp/Entities/Parameter.cs
index 9a8e6765804..bb87fccdd74 100644
--- a/csharp/extractor/Semmle.Extraction.CSharp/Entities/Parameter.cs
+++ b/csharp/extractor/Semmle.Extraction.CSharp/Entities/Parameter.cs
@@ -114,7 +114,8 @@ namespace Semmle.Extraction.CSharp.Entities
 
             if (!symbol.Locations.Any() &&
                 symbol.ContainingSymbol is IMethodSymbol ms &&
-                ms.Name == WellKnownMemberNames.TopLevelStatementsEntryPointMethodName)
+                ms.Name == WellKnownMemberNames.TopLevelStatementsEntryPointMethodName &&
+                ms.ContainingType.Name == WellKnownMemberNames.TopLevelStatementsEntryPointTypeName)
             {
                 trapFile.param_location(this, Context.CreateLocation());
             }

From 4967664d0904f1cc543df508dfdf7d7f0512fa01 Mon Sep 17 00:00:00 2001
From: Tamas Vajk <tamasvajk@github.com>
Date: Fri, 12 Feb 2021 12:37:15 +0100
Subject: [PATCH 379/429] Rework global statement extraction without DB scheme
 change

---
 .../Entities/OrdinaryMethod.cs                      |  5 -----
 .../Entities/Statements/GlobalStatementsBlock.cs    | 13 +++++++------
 csharp/extractor/Semmle.Extraction.CSharp/Tuples.cs | 10 ----------
 csharp/ql/src/semmle/code/csharp/Callable.qll       |  3 ---
 csharp/ql/src/semmle/code/csharp/Stmt.qll           |  4 +++-
 csharp/ql/src/semmle/code/csharp/commons/Util.qll   |  6 +++++-
 csharp/ql/src/semmlecode.csharp.dbscheme            |  5 -----
 csharp/ql/test/library-tests/csharp9/globalStmt.ql  |  3 ++-
 8 files changed, 17 insertions(+), 32 deletions(-)

diff --git a/csharp/extractor/Semmle.Extraction.CSharp/Entities/OrdinaryMethod.cs b/csharp/extractor/Semmle.Extraction.CSharp/Entities/OrdinaryMethod.cs
index d9e95c342ac..d81fc25f72b 100644
--- a/csharp/extractor/Semmle.Extraction.CSharp/Entities/OrdinaryMethod.cs
+++ b/csharp/extractor/Semmle.Extraction.CSharp/Entities/OrdinaryMethod.cs
@@ -51,11 +51,6 @@ namespace Semmle.Extraction.CSharp.Entities
             Overrides(trapFile);
             ExtractRefReturn(trapFile, symbol, this);
             ExtractCompilerGenerated(trapFile);
-
-            if (SymbolEqualityComparer.Default.Equals(symbol, Context.Compilation.GetEntryPoint(System.Threading.CancellationToken.None)))
-            {
-                trapFile.entry_methods(this);
-            }
         }
 
         public static new OrdinaryMethod Create(Context cx, IMethodSymbol method) => OrdinaryMethodFactory.Instance.CreateEntityFromSymbol(cx, method);
diff --git a/csharp/extractor/Semmle.Extraction.CSharp/Entities/Statements/GlobalStatementsBlock.cs b/csharp/extractor/Semmle.Extraction.CSharp/Entities/Statements/GlobalStatementsBlock.cs
index ca1d5ba2c5b..062a09e3fae 100644
--- a/csharp/extractor/Semmle.Extraction.CSharp/Entities/Statements/GlobalStatementsBlock.cs
+++ b/csharp/extractor/Semmle.Extraction.CSharp/Entities/Statements/GlobalStatementsBlock.cs
@@ -7,16 +7,19 @@ namespace Semmle.Extraction.CSharp.Entities.Statements
 {
     internal class GlobalStatementsBlock : Statement
     {
+        private readonly Method parent;
+
         private GlobalStatementsBlock(Context cx, Method parent)
-            : base(cx, StmtKind.BLOCK, parent, 0) { }
+            : base(cx, StmtKind.BLOCK, parent, 0)
+        {
+            this.parent = parent;
+        }
 
         public override Microsoft.CodeAnalysis.Location ReportingLocation
         {
             get
             {
-                // We only create a `GlobalStatementsBlock` if there are global statements. This also means that the
-                // entry point is going to be the generated method around those global statements
-                return cx.Compilation.GetEntryPoint(System.Threading.CancellationToken.None)
+                return parent.symbol
                     ?.DeclaringSyntaxReferences
                     .FirstOrDefault()
                     ?.GetSyntax()
@@ -33,8 +36,6 @@ namespace Semmle.Extraction.CSharp.Entities.Statements
 
         protected override void PopulateStatement(TextWriter trapFile)
         {
-            trapFile.global_stmt_block(this);
-
             trapFile.stmt_location(this, cx.CreateLocation(ReportingLocation));
         }
     }
diff --git a/csharp/extractor/Semmle.Extraction.CSharp/Tuples.cs b/csharp/extractor/Semmle.Extraction.CSharp/Tuples.cs
index 75c0f633cc0..df39d6a836c 100644
--- a/csharp/extractor/Semmle.Extraction.CSharp/Tuples.cs
+++ b/csharp/extractor/Semmle.Extraction.CSharp/Tuples.cs
@@ -379,11 +379,6 @@ namespace Semmle.Extraction.CSharp
             trapFile.WriteTuple("methods", method, name, declType, retType, originalDefinition);
         }
 
-        internal static void entry_methods(this TextWriter trapFile, Method method)
-        {
-            trapFile.WriteTuple("entry_methods", method);
-        }
-
         internal static void modifiers(this TextWriter trapFile, Label entity, string modifier)
         {
             trapFile.WriteTuple("modifiers", entity, modifier);
@@ -514,11 +509,6 @@ namespace Semmle.Extraction.CSharp
             trapFile.WriteTuple("stackalloc_array_creation", array);
         }
 
-        internal static void global_stmt_block(this TextWriter trapFile, Entities.Statements.GlobalStatementsBlock block)
-        {
-            trapFile.WriteTuple("global_stmt_block", block);
-        }
-
         internal static void stmt_location(this TextWriter trapFile, Statement stmt, Location location)
         {
             trapFile.WriteTuple("stmt_location", stmt, location);
diff --git a/csharp/ql/src/semmle/code/csharp/Callable.qll b/csharp/ql/src/semmle/code/csharp/Callable.qll
index 8f2c1bd4471..7238f4576f9 100644
--- a/csharp/ql/src/semmle/code/csharp/Callable.qll
+++ b/csharp/ql/src/semmle/code/csharp/Callable.qll
@@ -292,9 +292,6 @@ class Method extends Callable, Virtualizable, Attributable, @method {
   }
 
   override string getAPrimaryQlClass() { result = "Method" }
-
-  /** Holds if this method is the entry method of the compilation. */
-  predicate isEntry() { entry_methods(this) }
 }
 
 /**
diff --git a/csharp/ql/src/semmle/code/csharp/Stmt.qll b/csharp/ql/src/semmle/code/csharp/Stmt.qll
index aaa8890cd34..375e698d1cb 100644
--- a/csharp/ql/src/semmle/code/csharp/Stmt.qll
+++ b/csharp/ql/src/semmle/code/csharp/Stmt.qll
@@ -74,7 +74,9 @@ class BlockStmt extends Stmt, @block_stmt {
   predicate isEmpty() { not exists(this.getAStmt()) }
 
   /** Holds if this block is the container of the global statements. */
-  predicate isGlobalStatementContainer() { global_stmt_block(this) }
+  predicate isGlobalStatementContainer() {
+    this.getEnclosingCallable().hasQualifiedName("<Program>$.<Main>$")
+  }
 
   override Stmt stripSingletonBlocks() {
     if getNumberOfStmts() = 1
diff --git a/csharp/ql/src/semmle/code/csharp/commons/Util.qll b/csharp/ql/src/semmle/code/csharp/commons/Util.qll
index 203d84cbef6..10a0dce936c 100644
--- a/csharp/ql/src/semmle/code/csharp/commons/Util.qll
+++ b/csharp/ql/src/semmle/code/csharp/commons/Util.qll
@@ -5,7 +5,11 @@ import csharp
 /** A `Main` method. */
 class MainMethod extends Method {
   MainMethod() {
-    this.hasName("Main") and
+    (
+      this.hasName("Main")
+      or
+      this.hasQualifiedName("<Program>$.<Main>$")
+    ) and
     this.isStatic() and
     (this.getReturnType() instanceof VoidType or this.getReturnType() instanceof IntType) and
     if this.getNumberOfParameters() = 1
diff --git a/csharp/ql/src/semmlecode.csharp.dbscheme b/csharp/ql/src/semmlecode.csharp.dbscheme
index 1cea35ace06..16936565fbe 100644
--- a/csharp/ql/src/semmlecode.csharp.dbscheme
+++ b/csharp/ql/src/semmlecode.csharp.dbscheme
@@ -843,9 +843,6 @@ local_function_stmts(
     unique int fn: @local_function_stmt ref,
     int stmt: @local_function ref);
 
-entry_methods(
-  unique int id: @method ref);
-
 /** VARIABLES **/
 
 @variable = @local_scope_variable | @field;
@@ -975,8 +972,6 @@ case @stmt.kind of
 
 @goto_any_stmt = @goto_default_stmt | @goto_case_stmt | @goto_stmt;
 
-global_stmt_block(
-  unique int id: @block_stmt ref);
 
 stmt_location(
   unique int id: @stmt ref,
diff --git a/csharp/ql/test/library-tests/csharp9/globalStmt.ql b/csharp/ql/test/library-tests/csharp9/globalStmt.ql
index 586f34d4ade..ff0ca8f661a 100644
--- a/csharp/ql/test/library-tests/csharp9/globalStmt.ql
+++ b/csharp/ql/test/library-tests/csharp9/globalStmt.ql
@@ -1,4 +1,5 @@
 import csharp
+private import semmle.code.csharp.commons.Util
 
 query predicate global_stmt(Stmt stmt) { stmt.isGlobal() }
 
@@ -11,5 +12,5 @@ query predicate globalBlock(BlockStmt block, Method m, Parameter p, Type t) {
 
 query predicate methods(Method m, string entry) {
   m.getFile().getStem() = "GlobalStmt" and
-  if m.isEntry() then entry = "entry" else entry = "non-entry"
+  if m instanceof MainMethod then entry = "entry" else entry = "non-entry"
 }

From 9bb501c595bf33d5d6af451801015914a30561b2 Mon Sep 17 00:00:00 2001
From: Tamas Vajk <tamasvajk@github.com>
Date: Mon, 15 Feb 2021 21:30:56 +0100
Subject: [PATCH 380/429] Fix failing tests

---
 csharp/ql/test/library-tests/csharp9/ForeachExtension.cs | 2 --
 1 file changed, 2 deletions(-)

diff --git a/csharp/ql/test/library-tests/csharp9/ForeachExtension.cs b/csharp/ql/test/library-tests/csharp9/ForeachExtension.cs
index 0ef36fbc7d9..6e2af21e323 100644
--- a/csharp/ql/test/library-tests/csharp9/ForeachExtension.cs
+++ b/csharp/ql/test/library-tests/csharp9/ForeachExtension.cs
@@ -46,5 +46,3 @@ class Program
         yield return 1;
     }
 }
-
-// semmle-extractor-options: /r:System.Linq.dll
\ No newline at end of file

From 9c2ca939862b7bc232e994667991596045a767bf Mon Sep 17 00:00:00 2001
From: Tamas Vajk <tamasvajk@github.com>
Date: Mon, 15 Feb 2021 21:38:02 +0100
Subject: [PATCH 381/429] Use 'Declaration::hasQualifiedName/2' in 'MainMethod'

---
 csharp/ql/src/semmle/code/csharp/commons/Util.qll | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)

diff --git a/csharp/ql/src/semmle/code/csharp/commons/Util.qll b/csharp/ql/src/semmle/code/csharp/commons/Util.qll
index 10a0dce936c..d1b9b3b7894 100644
--- a/csharp/ql/src/semmle/code/csharp/commons/Util.qll
+++ b/csharp/ql/src/semmle/code/csharp/commons/Util.qll
@@ -8,7 +8,7 @@ class MainMethod extends Method {
     (
       this.hasName("Main")
       or
-      this.hasQualifiedName("<Program>$.<Main>$")
+      this.hasQualifiedName("<Program>$", "<Main>$")
     ) and
     this.isStatic() and
     (this.getReturnType() instanceof VoidType or this.getReturnType() instanceof IntType) and

From 3e2a6fca21191b6a24ecb8110e55a147b1b56a71 Mon Sep 17 00:00:00 2001
From: Tamas Vajk <tamasvajk@github.com>
Date: Thu, 11 Feb 2021 10:57:16 +0100
Subject: [PATCH 382/429] C#: Simplify CIL.GenericContext contract

---
 .../Entities/TypeSignatureDecoder.cs          |  5 ++--
 .../Semmle.Extraction.CIL/GenericContext.cs   | 28 +------------------
 2 files changed, 4 insertions(+), 29 deletions(-)

diff --git a/csharp/extractor/Semmle.Extraction.CIL/Entities/TypeSignatureDecoder.cs b/csharp/extractor/Semmle.Extraction.CIL/Entities/TypeSignatureDecoder.cs
index dcb986f1526..2ec82226d55 100644
--- a/csharp/extractor/Semmle.Extraction.CIL/Entities/TypeSignatureDecoder.cs
+++ b/csharp/extractor/Semmle.Extraction.CIL/Entities/TypeSignatureDecoder.cs
@@ -1,6 +1,7 @@
 using System;
 using System.Reflection.Metadata;
 using System.Collections.Immutable;
+using System.Linq;
 
 namespace Semmle.Extraction.CIL.Entities
 {
@@ -29,10 +30,10 @@ namespace Semmle.Extraction.CIL.Entities
             genericType.Construct(typeArguments);
 
         Type ISignatureTypeProvider<Type, GenericContext>.GetGenericMethodParameter(GenericContext genericContext, int index) =>
-            genericContext.GetGenericMethodParameter(index);
+            genericContext.MethodParameters.ElementAt(index);
 
         Type ISignatureTypeProvider<Type, GenericContext>.GetGenericTypeParameter(GenericContext genericContext, int index) =>
-            genericContext.GetGenericTypeParameter(index);
+            genericContext.TypeParameters.ElementAt(index);
 
         Type ISignatureTypeProvider<Type, GenericContext>.GetModifiedType(Type modifier, Type unmodifiedType, bool isRequired) =>
             new ModifiedType(cx, unmodifiedType, modifier, isRequired);
diff --git a/csharp/extractor/Semmle.Extraction.CIL/GenericContext.cs b/csharp/extractor/Semmle.Extraction.CIL/GenericContext.cs
index 6db62bf5bbf..1e9aa21e399 100644
--- a/csharp/extractor/Semmle.Extraction.CIL/GenericContext.cs
+++ b/csharp/extractor/Semmle.Extraction.CIL/GenericContext.cs
@@ -23,34 +23,8 @@ namespace Semmle.Extraction.CIL
         public abstract IEnumerable<Entities.Type> TypeParameters { get; }
 
         /// <summary>
-        /// The list of generic method parameters.
+        /// The list of generic method parameters/arguments.
         /// </summary>
         public abstract IEnumerable<Entities.Type> MethodParameters { get; }
-
-        /// <summary>
-        /// Gets the `p`th type parameter.
-        /// </summary>
-        /// <param name="p">The index of the parameter.</param>
-        /// <returns>
-        /// For constructed types, the supplied type.
-        /// For unbound types, the type parameter.
-        /// </returns>
-        public Entities.Type GetGenericTypeParameter(int p)
-        {
-            return TypeParameters.ElementAt(p);
-        }
-
-        /// <summary>
-        /// Gets the `p`th method type parameter.
-        /// </summary>
-        /// <param name="p">The index of the parameter.</param>
-        /// <returns>
-        /// For constructed types, the supplied type.
-        /// For unbound types, the type parameter.
-        /// </returns>
-        public Entities.Type GetGenericMethodParameter(int p)
-        {
-            return MethodParameters.ElementAt(p);
-        }
     }
 }

From 61e952766cc95f58ea61f2b674c7d4ed845bfa06 Mon Sep 17 00:00:00 2001
From: Tamas Vajk <tamasvajk@github.com>
Date: Thu, 11 Feb 2021 11:06:24 +0100
Subject: [PATCH 383/429] Convert CIL.GenericContext to interface

---
 .../Context.Factories.cs                      | 10 ++++----
 .../Semmle.Extraction.CIL/Context.cs          |  2 +-
 .../Semmle.Extraction.CIL/EmptyContext.cs     | 12 ++++++----
 .../Entities/DefinitionMethod.cs              |  2 +-
 .../Entities/ExceptionRegion.cs               |  4 ++--
 .../Semmle.Extraction.CIL/Entities/Field.cs   | 11 +++++++--
 .../Entities/ITypeSignature.cs                |  2 +-
 .../Entities/MemberReferenceField.cs          |  4 ++--
 .../Entities/MemberReferenceMethod.cs         |  6 ++---
 .../Semmle.Extraction.CIL/Entities/Method.cs  |  4 ++--
 .../Entities/MethodSpecificationMethod.cs     |  2 +-
 .../Entities/MethodTypeParameter.cs           |  2 +-
 .../Entities/Property.cs                      |  4 ++--
 .../Entities/SignatureDecoder.cs              | 24 +++++++++----------
 .../Semmle.Extraction.CIL/Entities/Type.cs    |  2 +-
 .../Entities/TypeContainer.cs                 | 10 ++++++--
 .../Entities/TypeParameter.cs                 |  4 ++--
 .../Entities/TypeSignatureDecoder.cs          | 14 +++++------
 .../{GenericContext.cs => IGenericContext.cs} | 14 ++++-------
 19 files changed, 72 insertions(+), 61 deletions(-)
 rename csharp/extractor/Semmle.Extraction.CIL/{GenericContext.cs => IGenericContext.cs} (59%)

diff --git a/csharp/extractor/Semmle.Extraction.CIL/Context.Factories.cs b/csharp/extractor/Semmle.Extraction.CIL/Context.Factories.cs
index dd09727f3c0..36e420e3628 100644
--- a/csharp/extractor/Semmle.Extraction.CIL/Context.Factories.cs
+++ b/csharp/extractor/Semmle.Extraction.CIL/Context.Factories.cs
@@ -95,11 +95,11 @@ namespace Semmle.Extraction.CIL
         /// <param name="h">The handle of the entity.</param>
         /// <param name="genericContext">The generic context.</param>
         /// <returns></returns>
-        public IExtractedEntity CreateGeneric(GenericContext genericContext, Handle h) => genericHandleFactory[genericContext, h];
+        public IExtractedEntity CreateGeneric(IGenericContext genericContext, Handle h) => genericHandleFactory[genericContext, h];
 
-        private readonly GenericContext defaultGenericContext;
+        private readonly IGenericContext defaultGenericContext;
 
-        private IExtractedEntity CreateGenericHandle(GenericContext gc, Handle handle)
+        private IExtractedEntity CreateGenericHandle(IGenericContext gc, Handle handle)
         {
             IExtractedEntity entity;
             switch (handle.Kind)
@@ -136,7 +136,7 @@ namespace Semmle.Extraction.CIL
             return entity;
         }
 
-        private IExtractedEntity Create(GenericContext gc, MemberReferenceHandle handle)
+        private IExtractedEntity Create(IGenericContext gc, MemberReferenceHandle handle)
         {
             var mr = MdReader.GetMemberReference(handle);
             switch (mr.GetKind())
@@ -228,7 +228,7 @@ namespace Semmle.Extraction.CIL
 
         #endregion
 
-        private readonly CachedFunction<GenericContext, Handle, IExtractedEntity> genericHandleFactory;
+        private readonly CachedFunction<IGenericContext, Handle, IExtractedEntity> genericHandleFactory;
 
         /// <summary>
         /// Gets the short name of a member, without the preceding interface qualifier.
diff --git a/csharp/extractor/Semmle.Extraction.CIL/Context.cs b/csharp/extractor/Semmle.Extraction.CIL/Context.cs
index ae662f2e87c..99113714b7c 100644
--- a/csharp/extractor/Semmle.Extraction.CIL/Context.cs
+++ b/csharp/extractor/Semmle.Extraction.CIL/Context.cs
@@ -37,7 +37,7 @@ namespace Semmle.Extraction.CIL
 
             globalNamespace = new Lazy<Entities.Namespace>(() => Populate(new Entities.Namespace(this, "", null)));
             systemNamespace = new Lazy<Entities.Namespace>(() => Populate(new Entities.Namespace(this, "System")));
-            genericHandleFactory = new CachedFunction<GenericContext, Handle, IExtractedEntity>(CreateGenericHandle);
+            genericHandleFactory = new CachedFunction<IGenericContext, Handle, IExtractedEntity>(CreateGenericHandle);
             namespaceFactory = new CachedFunction<StringHandle, Entities.Namespace>(n => CreateNamespace(MdReader.GetString(n)));
             namespaceDefinitionFactory = new CachedFunction<NamespaceDefinitionHandle, Entities.Namespace>(CreateNamespace);
             sourceFiles = new CachedFunction<PDB.ISourceFile, Entities.PdbSourceFile>(path => new Entities.PdbSourceFile(this, path));
diff --git a/csharp/extractor/Semmle.Extraction.CIL/EmptyContext.cs b/csharp/extractor/Semmle.Extraction.CIL/EmptyContext.cs
index 70c73be1151..1105bc39cba 100644
--- a/csharp/extractor/Semmle.Extraction.CIL/EmptyContext.cs
+++ b/csharp/extractor/Semmle.Extraction.CIL/EmptyContext.cs
@@ -5,14 +5,18 @@ namespace Semmle.Extraction.CIL
     /// <summary>
     /// A generic context which does not contain any type parameters.
     /// </summary>
-    public class EmptyContext : GenericContext
+    public class EmptyContext : IGenericContext
     {
-        public EmptyContext(Context cx) : base(cx)
+        public EmptyContext(Context cx)
         {
+            Cx = cx;
         }
 
-        public override IEnumerable<Entities.Type> TypeParameters { get { yield break; } }
+        public Context Cx { get; }
+
+        public IEnumerable<Entities.Type> TypeParameters { get { yield break; } }
+
+        public IEnumerable<Entities.Type> MethodParameters { get { yield break; } }
 
-        public override IEnumerable<Entities.Type> MethodParameters { get { yield break; } }
     }
 }
diff --git a/csharp/extractor/Semmle.Extraction.CIL/Entities/DefinitionMethod.cs b/csharp/extractor/Semmle.Extraction.CIL/Entities/DefinitionMethod.cs
index 175da806597..8ff7fcf24bf 100644
--- a/csharp/extractor/Semmle.Extraction.CIL/Entities/DefinitionMethod.cs
+++ b/csharp/extractor/Semmle.Extraction.CIL/Entities/DefinitionMethod.cs
@@ -23,7 +23,7 @@ namespace Semmle.Extraction.CIL.Entities
 
         public override IList<LocalVariable>? LocalVariables => locals;
 
-        public DefinitionMethod(GenericContext gc, MethodDefinitionHandle handle) : base(gc)
+        public DefinitionMethod(IGenericContext gc, MethodDefinitionHandle handle) : base(gc)
         {
             md = Cx.MdReader.GetMethodDefinition(handle);
             this.gc = gc;
diff --git a/csharp/extractor/Semmle.Extraction.CIL/Entities/ExceptionRegion.cs b/csharp/extractor/Semmle.Extraction.CIL/Entities/ExceptionRegion.cs
index 75303e7903b..3026ff03030 100644
--- a/csharp/extractor/Semmle.Extraction.CIL/Entities/ExceptionRegion.cs
+++ b/csharp/extractor/Semmle.Extraction.CIL/Entities/ExceptionRegion.cs
@@ -7,13 +7,13 @@ namespace Semmle.Extraction.CIL.Entities
     /// </summary>
     internal class ExceptionRegion : UnlabelledEntity
     {
-        private readonly GenericContext gc;
+        private readonly IGenericContext gc;
         private readonly MethodImplementation method;
         private readonly int index;
         private readonly System.Reflection.Metadata.ExceptionRegion r;
         private readonly Dictionary<int, Instruction> jump_table;
 
-        public ExceptionRegion(GenericContext gc, MethodImplementation method, int index, System.Reflection.Metadata.ExceptionRegion r, Dictionary<int, Instruction> jump_table) : base(gc.Cx)
+        public ExceptionRegion(IGenericContext gc, MethodImplementation method, int index, System.Reflection.Metadata.ExceptionRegion r, Dictionary<int, Instruction> jump_table) : base(gc.Cx)
         {
             this.gc = gc;
             this.method = method;
diff --git a/csharp/extractor/Semmle.Extraction.CIL/Entities/Field.cs b/csharp/extractor/Semmle.Extraction.CIL/Entities/Field.cs
index 3f051796887..670b24b4d86 100644
--- a/csharp/extractor/Semmle.Extraction.CIL/Entities/Field.cs
+++ b/csharp/extractor/Semmle.Extraction.CIL/Entities/Field.cs
@@ -8,10 +8,11 @@ namespace Semmle.Extraction.CIL.Entities
     /// <summary>
     /// An entity representing a field.
     /// </summary>
-    internal abstract class Field : GenericContext, IMember, ICustomModifierReceiver
+    internal abstract class Field : IGenericContext, IMember, ICustomModifierReceiver
     {
-        protected Field(Context cx) : base(cx)
+        protected Field(Context cx)
         {
+            Cx = cx;
         }
 
         public Label Label { get; set; }
@@ -61,5 +62,11 @@ namespace Semmle.Extraction.CIL.Entities
         }
 
         TrapStackBehaviour IEntity.TrapStackBehaviour => TrapStackBehaviour.NoLabel;
+
+        public abstract IEnumerable<Type> TypeParameters { get; }
+
+        public abstract IEnumerable<Type> MethodParameters { get; }
+
+        public Context Cx { get; }
     }
 }
diff --git a/csharp/extractor/Semmle.Extraction.CIL/Entities/ITypeSignature.cs b/csharp/extractor/Semmle.Extraction.CIL/Entities/ITypeSignature.cs
index 81dcf7b7804..beaecdfab6f 100644
--- a/csharp/extractor/Semmle.Extraction.CIL/Entities/ITypeSignature.cs
+++ b/csharp/extractor/Semmle.Extraction.CIL/Entities/ITypeSignature.cs
@@ -4,6 +4,6 @@ namespace Semmle.Extraction.CIL.Entities
 {
     internal interface ITypeSignature
     {
-        void WriteId(TextWriter trapFile, GenericContext gc);
+        void WriteId(TextWriter trapFile, IGenericContext gc);
     }
 }
diff --git a/csharp/extractor/Semmle.Extraction.CIL/Entities/MemberReferenceField.cs b/csharp/extractor/Semmle.Extraction.CIL/Entities/MemberReferenceField.cs
index f8017a729e8..136ece10a8c 100644
--- a/csharp/extractor/Semmle.Extraction.CIL/Entities/MemberReferenceField.cs
+++ b/csharp/extractor/Semmle.Extraction.CIL/Entities/MemberReferenceField.cs
@@ -8,10 +8,10 @@ namespace Semmle.Extraction.CIL.Entities
     {
         private readonly MemberReferenceHandle handle;
         private readonly MemberReference mr;
-        private readonly GenericContext gc;
+        private readonly IGenericContext gc;
         private readonly Type declType;
 
-        public MemberReferenceField(GenericContext gc, MemberReferenceHandle handle) : base(gc.Cx)
+        public MemberReferenceField(IGenericContext gc, MemberReferenceHandle handle) : base(gc.Cx)
         {
             this.handle = handle;
             this.gc = gc;
diff --git a/csharp/extractor/Semmle.Extraction.CIL/Entities/MemberReferenceMethod.cs b/csharp/extractor/Semmle.Extraction.CIL/Entities/MemberReferenceMethod.cs
index cacbc6ab874..703bb717cee 100644
--- a/csharp/extractor/Semmle.Extraction.CIL/Entities/MemberReferenceMethod.cs
+++ b/csharp/extractor/Semmle.Extraction.CIL/Entities/MemberReferenceMethod.cs
@@ -12,10 +12,10 @@ namespace Semmle.Extraction.CIL.Entities
         private readonly MemberReferenceHandle handle;
         private readonly MemberReference mr;
         private readonly Type declaringType;
-        private readonly GenericContext parent;
+        private readonly IGenericContext parent;
         private readonly Method? sourceDeclaration;
 
-        public MemberReferenceMethod(GenericContext gc, MemberReferenceHandle handle) : base(gc)
+        public MemberReferenceMethod(IGenericContext gc, MemberReferenceHandle handle) : base(gc)
         {
             this.handle = handle;
             this.gc = gc;
@@ -23,7 +23,7 @@ namespace Semmle.Extraction.CIL.Entities
 
             signature = mr.DecodeMethodSignature(new SignatureDecoder(), gc);
 
-            parent = (GenericContext)Cx.CreateGeneric(gc, mr.Parent);
+            parent = (IGenericContext)Cx.CreateGeneric(gc, mr.Parent);
 
             var declType = parent is Method parentMethod
                 ? parentMethod.DeclaringType
diff --git a/csharp/extractor/Semmle.Extraction.CIL/Entities/Method.cs b/csharp/extractor/Semmle.Extraction.CIL/Entities/Method.cs
index 30e94c8e16a..d1302837c16 100644
--- a/csharp/extractor/Semmle.Extraction.CIL/Entities/Method.cs
+++ b/csharp/extractor/Semmle.Extraction.CIL/Entities/Method.cs
@@ -12,10 +12,10 @@ namespace Semmle.Extraction.CIL.Entities
     internal abstract class Method : TypeContainer, IMember, ICustomModifierReceiver, IParameterizable
     {
         protected MethodTypeParameter[]? genericParams;
-        protected GenericContext gc;
+        protected IGenericContext gc;
         protected MethodSignature<ITypeSignature> signature;
 
-        protected Method(GenericContext gc) : base(gc.Cx)
+        protected Method(IGenericContext gc) : base(gc.Cx)
         {
             this.gc = gc;
         }
diff --git a/csharp/extractor/Semmle.Extraction.CIL/Entities/MethodSpecificationMethod.cs b/csharp/extractor/Semmle.Extraction.CIL/Entities/MethodSpecificationMethod.cs
index 26811ce6c80..a3f87b14a8e 100644
--- a/csharp/extractor/Semmle.Extraction.CIL/Entities/MethodSpecificationMethod.cs
+++ b/csharp/extractor/Semmle.Extraction.CIL/Entities/MethodSpecificationMethod.cs
@@ -18,7 +18,7 @@ namespace Semmle.Extraction.CIL.Entities
         private readonly Method unboundMethod;
         private readonly ImmutableArray<Type> typeParams;
 
-        public MethodSpecificationMethod(GenericContext gc, MethodSpecificationHandle handle) : base(gc)
+        public MethodSpecificationMethod(IGenericContext gc, MethodSpecificationHandle handle) : base(gc)
         {
             this.handle = handle;
             ms = Cx.MdReader.GetMethodSpecification(handle);
diff --git a/csharp/extractor/Semmle.Extraction.CIL/Entities/MethodTypeParameter.cs b/csharp/extractor/Semmle.Extraction.CIL/Entities/MethodTypeParameter.cs
index db5e56acb17..1795eb29269 100644
--- a/csharp/extractor/Semmle.Extraction.CIL/Entities/MethodTypeParameter.cs
+++ b/csharp/extractor/Semmle.Extraction.CIL/Entities/MethodTypeParameter.cs
@@ -21,7 +21,7 @@ namespace Semmle.Extraction.CIL.Entities
 
         public override string Name => "!" + index;
 
-        public MethodTypeParameter(GenericContext gc, Method m, int index) : base(gc)
+        public MethodTypeParameter(IGenericContext gc, Method m, int index) : base(gc)
         {
             method = m;
             this.index = index;
diff --git a/csharp/extractor/Semmle.Extraction.CIL/Entities/Property.cs b/csharp/extractor/Semmle.Extraction.CIL/Entities/Property.cs
index 5fb22b40409..a6c864a8cb6 100644
--- a/csharp/extractor/Semmle.Extraction.CIL/Entities/Property.cs
+++ b/csharp/extractor/Semmle.Extraction.CIL/Entities/Property.cs
@@ -14,9 +14,9 @@ namespace Semmle.Extraction.CIL.Entities
         private readonly Type type;
         private readonly PropertyDefinition pd;
         public override string IdSuffix => ";cil-property";
-        private readonly GenericContext gc;
+        private readonly IGenericContext gc;
 
-        public Property(GenericContext gc, Type type, PropertyDefinitionHandle handle) : base(gc.Cx)
+        public Property(IGenericContext gc, Type type, PropertyDefinitionHandle handle) : base(gc.Cx)
         {
             this.gc = gc;
             this.handle = handle;
diff --git a/csharp/extractor/Semmle.Extraction.CIL/Entities/SignatureDecoder.cs b/csharp/extractor/Semmle.Extraction.CIL/Entities/SignatureDecoder.cs
index a955ef685c0..308846ff30a 100644
--- a/csharp/extractor/Semmle.Extraction.CIL/Entities/SignatureDecoder.cs
+++ b/csharp/extractor/Semmle.Extraction.CIL/Entities/SignatureDecoder.cs
@@ -17,7 +17,7 @@ namespace Semmle.Extraction.CIL.Entities
                 this.shape = shape;
             }
 
-            public void WriteId(TextWriter trapFile, GenericContext gc)
+            public void WriteId(TextWriter trapFile, IGenericContext gc)
             {
                 elementType.WriteId(trapFile, gc);
                 trapFile.Write('[');
@@ -38,7 +38,7 @@ namespace Semmle.Extraction.CIL.Entities
                 this.elementType = elementType;
             }
 
-            public void WriteId(TextWriter trapFile, GenericContext gc)
+            public void WriteId(TextWriter trapFile, IGenericContext gc)
             {
                 elementType.WriteId(trapFile, gc);
                 trapFile.Write('&');
@@ -54,7 +54,7 @@ namespace Semmle.Extraction.CIL.Entities
                 this.signature = signature;
             }
 
-            public void WriteId(TextWriter trapFile, GenericContext gc)
+            public void WriteId(TextWriter trapFile, IGenericContext gc)
             {
                 FunctionPointerType.WriteName(
                     trapFile.Write,
@@ -84,7 +84,7 @@ namespace Semmle.Extraction.CIL.Entities
                 this.typeArguments = typeArguments;
             }
 
-            public void WriteId(TextWriter trapFile, GenericContext gc)
+            public void WriteId(TextWriter trapFile, IGenericContext gc)
             {
                 genericType.WriteId(trapFile, gc);
                 trapFile.Write('<');
@@ -112,7 +112,7 @@ namespace Semmle.Extraction.CIL.Entities
                 this.index = index;
             }
 
-            public void WriteId(TextWriter trapFile, GenericContext outerGc)
+            public void WriteId(TextWriter trapFile, IGenericContext outerGc)
             {
                 if (!ReferenceEquals(innerGc, outerGc) && innerGc is Method method)
                 {
@@ -132,7 +132,7 @@ namespace Semmle.Extraction.CIL.Entities
                 this.index = index;
             }
 
-            public void WriteId(TextWriter trapFile, GenericContext gc)
+            public void WriteId(TextWriter trapFile, IGenericContext gc)
             {
                 trapFile.Write("T!");
                 trapFile.Write(index);
@@ -158,7 +158,7 @@ namespace Semmle.Extraction.CIL.Entities
                 this.isRequired = isRequired;
             }
 
-            public void WriteId(TextWriter trapFile, GenericContext gc)
+            public void WriteId(TextWriter trapFile, IGenericContext gc)
             {
                 unmodifiedType.WriteId(trapFile, gc);
                 trapFile.Write(isRequired ? " modreq(" : " modopt(");
@@ -186,7 +186,7 @@ namespace Semmle.Extraction.CIL.Entities
                 this.elementType = elementType;
             }
 
-            public void WriteId(TextWriter trapFile, GenericContext gc)
+            public void WriteId(TextWriter trapFile, IGenericContext gc)
             {
                 elementType.WriteId(trapFile, gc);
                 trapFile.Write('*');
@@ -207,7 +207,7 @@ namespace Semmle.Extraction.CIL.Entities
                 this.typeCode = typeCode;
             }
 
-            public void WriteId(TextWriter trapFile, GenericContext gc)
+            public void WriteId(TextWriter trapFile, IGenericContext gc)
             {
                 trapFile.Write(typeCode.Id());
             }
@@ -227,7 +227,7 @@ namespace Semmle.Extraction.CIL.Entities
                 this.elementType = elementType;
             }
 
-            public void WriteId(TextWriter trapFile, GenericContext gc)
+            public void WriteId(TextWriter trapFile, IGenericContext gc)
             {
                 elementType.WriteId(trapFile, gc);
                 trapFile.Write("[]");
@@ -248,7 +248,7 @@ namespace Semmle.Extraction.CIL.Entities
                 this.handle = handle;
             }
 
-            public void WriteId(TextWriter trapFile, GenericContext gc)
+            public void WriteId(TextWriter trapFile, IGenericContext gc)
             {
                 var type = (Type)gc.Cx.Create(handle);
                 type.WriteId(trapFile);
@@ -269,7 +269,7 @@ namespace Semmle.Extraction.CIL.Entities
                 this.handle = handle;
             }
 
-            public void WriteId(TextWriter trapFile, GenericContext gc)
+            public void WriteId(TextWriter trapFile, IGenericContext gc)
             {
                 var type = (Type)gc.Cx.Create(handle);
                 type.WriteId(trapFile);
diff --git a/csharp/extractor/Semmle.Extraction.CIL/Entities/Type.cs b/csharp/extractor/Semmle.Extraction.CIL/Entities/Type.cs
index edeb1a54136..2df850f5ce9 100644
--- a/csharp/extractor/Semmle.Extraction.CIL/Entities/Type.cs
+++ b/csharp/extractor/Semmle.Extraction.CIL/Entities/Type.cs
@@ -198,7 +198,7 @@ namespace Semmle.Extraction.CIL.Entities
 
         public sealed override IEnumerable<Type> MethodParameters => Enumerable.Empty<Type>();
 
-        public static Type DecodeType(GenericContext gc, TypeSpecificationHandle handle) =>
+        public static Type DecodeType(IGenericContext gc, TypeSpecificationHandle handle) =>
             gc.Cx.MdReader.GetTypeSpecification(handle).DecodeSignature(gc.Cx.TypeSignatureDecoder, gc);
     }
 }
diff --git a/csharp/extractor/Semmle.Extraction.CIL/Entities/TypeContainer.cs b/csharp/extractor/Semmle.Extraction.CIL/Entities/TypeContainer.cs
index a7b7a006af6..43e261de75a 100644
--- a/csharp/extractor/Semmle.Extraction.CIL/Entities/TypeContainer.cs
+++ b/csharp/extractor/Semmle.Extraction.CIL/Entities/TypeContainer.cs
@@ -8,10 +8,13 @@ namespace Semmle.Extraction.CIL.Entities
     /// <summary>
     /// Base class for all type containers (namespaces, types, methods).
     /// </summary>
-    public abstract class TypeContainer : GenericContext, IExtractedEntity
+    public abstract class TypeContainer : IGenericContext, IExtractedEntity
     {
-        protected TypeContainer(Context cx) : base(cx)
+        public Context Cx { get; }
+
+        protected TypeContainer(Context cx)
         {
+            Cx = cx;
         }
 
         public virtual Label Label { get; set; }
@@ -42,5 +45,8 @@ namespace Semmle.Extraction.CIL.Entities
         }
 
         TrapStackBehaviour IEntity.TrapStackBehaviour => TrapStackBehaviour.NoLabel;
+
+        public abstract IEnumerable<Type> MethodParameters { get; }
+        public abstract IEnumerable<Type> TypeParameters { get; }
     }
 }
diff --git a/csharp/extractor/Semmle.Extraction.CIL/Entities/TypeParameter.cs b/csharp/extractor/Semmle.Extraction.CIL/Entities/TypeParameter.cs
index 7c8d2222fa5..fd18374ed2d 100644
--- a/csharp/extractor/Semmle.Extraction.CIL/Entities/TypeParameter.cs
+++ b/csharp/extractor/Semmle.Extraction.CIL/Entities/TypeParameter.cs
@@ -9,9 +9,9 @@ namespace Semmle.Extraction.CIL.Entities
 {
     internal abstract class TypeParameter : Type
     {
-        protected readonly GenericContext gc;
+        protected readonly IGenericContext gc;
 
-        protected TypeParameter(GenericContext gc) : base(gc.Cx)
+        protected TypeParameter(IGenericContext gc) : base(gc.Cx)
         {
             this.gc = gc;
         }
diff --git a/csharp/extractor/Semmle.Extraction.CIL/Entities/TypeSignatureDecoder.cs b/csharp/extractor/Semmle.Extraction.CIL/Entities/TypeSignatureDecoder.cs
index 2ec82226d55..4417becc58d 100644
--- a/csharp/extractor/Semmle.Extraction.CIL/Entities/TypeSignatureDecoder.cs
+++ b/csharp/extractor/Semmle.Extraction.CIL/Entities/TypeSignatureDecoder.cs
@@ -8,7 +8,7 @@ namespace Semmle.Extraction.CIL.Entities
     /// <summary>
     /// Decodes a type signature and produces a Type, for use by DecodeSignature() and friends.
     /// </summary>
-    public class TypeSignatureDecoder : ISignatureTypeProvider<Type, GenericContext>
+    public class TypeSignatureDecoder : ISignatureTypeProvider<Type, IGenericContext>
     {
         private readonly Context cx;
 
@@ -23,22 +23,22 @@ namespace Semmle.Extraction.CIL.Entities
         Type IConstructedTypeProvider<Type>.GetByReferenceType(Type elementType) =>
             new ByRefType(cx, elementType);
 
-        Type ISignatureTypeProvider<Type, GenericContext>.GetFunctionPointerType(MethodSignature<Type> signature) =>
+        Type ISignatureTypeProvider<Type, IGenericContext>.GetFunctionPointerType(MethodSignature<Type> signature) =>
             cx.Populate(new FunctionPointerType(cx, signature));
 
         Type IConstructedTypeProvider<Type>.GetGenericInstantiation(Type genericType, ImmutableArray<Type> typeArguments) =>
             genericType.Construct(typeArguments);
 
-        Type ISignatureTypeProvider<Type, GenericContext>.GetGenericMethodParameter(GenericContext genericContext, int index) =>
+        Type ISignatureTypeProvider<Type, IGenericContext>.GetGenericMethodParameter(IGenericContext genericContext, int index) =>
             genericContext.MethodParameters.ElementAt(index);
 
-        Type ISignatureTypeProvider<Type, GenericContext>.GetGenericTypeParameter(GenericContext genericContext, int index) =>
+        Type ISignatureTypeProvider<Type, IGenericContext>.GetGenericTypeParameter(IGenericContext genericContext, int index) =>
             genericContext.TypeParameters.ElementAt(index);
 
-        Type ISignatureTypeProvider<Type, GenericContext>.GetModifiedType(Type modifier, Type unmodifiedType, bool isRequired) =>
+        Type ISignatureTypeProvider<Type, IGenericContext>.GetModifiedType(Type modifier, Type unmodifiedType, bool isRequired) =>
             new ModifiedType(cx, unmodifiedType, modifier, isRequired);
 
-        Type ISignatureTypeProvider<Type, GenericContext>.GetPinnedType(Type elementType) => elementType;
+        Type ISignatureTypeProvider<Type, IGenericContext>.GetPinnedType(Type elementType) => elementType;
 
         Type IConstructedTypeProvider<Type>.GetPointerType(Type elementType) =>
             cx.Populate(new PointerType(cx, elementType));
@@ -54,7 +54,7 @@ namespace Semmle.Extraction.CIL.Entities
         Type ISimpleTypeProvider<Type>.GetTypeFromReference(MetadataReader reader, TypeReferenceHandle handle, byte rawTypeKind) =>
             (Type)cx.Create(handle);
 
-        Type ISignatureTypeProvider<Type, GenericContext>.GetTypeFromSpecification(MetadataReader reader, GenericContext genericContext, TypeSpecificationHandle handle, byte rawTypeKind) =>
+        Type ISignatureTypeProvider<Type, IGenericContext>.GetTypeFromSpecification(MetadataReader reader, IGenericContext genericContext, TypeSpecificationHandle handle, byte rawTypeKind) =>
             throw new NotImplementedException();
     }
 }
diff --git a/csharp/extractor/Semmle.Extraction.CIL/GenericContext.cs b/csharp/extractor/Semmle.Extraction.CIL/IGenericContext.cs
similarity index 59%
rename from csharp/extractor/Semmle.Extraction.CIL/GenericContext.cs
rename to csharp/extractor/Semmle.Extraction.CIL/IGenericContext.cs
index 1e9aa21e399..21c69f7aeb4 100644
--- a/csharp/extractor/Semmle.Extraction.CIL/GenericContext.cs
+++ b/csharp/extractor/Semmle.Extraction.CIL/IGenericContext.cs
@@ -1,5 +1,4 @@
 using System.Collections.Generic;
-using System.Linq;
 
 namespace Semmle.Extraction.CIL
 {
@@ -7,24 +6,19 @@ namespace Semmle.Extraction.CIL
     /// When we decode a type/method signature, we need access to
     /// generic parameters.
     /// </summary>
-    public abstract class GenericContext
+    public interface IGenericContext
     {
-        public Context Cx { get; }
-
-        protected GenericContext(Context cx)
-        {
-            this.Cx = cx;
-        }
+        Context Cx { get; }
 
         /// <summary>
         /// The list of generic type parameters/arguments, including type parameters/arguments of
         /// containing types.
         /// </summary>
-        public abstract IEnumerable<Entities.Type> TypeParameters { get; }
+        IEnumerable<Entities.Type> TypeParameters { get; }
 
         /// <summary>
         /// The list of generic method parameters/arguments.
         /// </summary>
-        public abstract IEnumerable<Entities.Type> MethodParameters { get; }
+        IEnumerable<Entities.Type> MethodParameters { get; }
     }
 }

From 67caf3cad0587223f9eae289f54ed66f12771dfb Mon Sep 17 00:00:00 2001
From: Tamas Vajk <tamasvajk@github.com>
Date: Thu, 11 Feb 2021 11:27:31 +0100
Subject: [PATCH 384/429] Remove redundant IEntity implemented interface
 declaration and explit interface member implemenration

---
 csharp/extractor/Semmle.Extraction.CIL/Entities/Field.cs   | 2 +-
 .../Semmle.Extraction.CIL/Entities/Instruction.cs          | 7 +------
 .../Semmle.Extraction.CIL/Entities/TypeContainer.cs        | 5 ++---
 .../extractor/Semmle.Extraction.CIL/ExtractionProduct.cs   | 4 ++--
 4 files changed, 6 insertions(+), 12 deletions(-)

diff --git a/csharp/extractor/Semmle.Extraction.CIL/Entities/Field.cs b/csharp/extractor/Semmle.Extraction.CIL/Entities/Field.cs
index 670b24b4d86..a195a7432c7 100644
--- a/csharp/extractor/Semmle.Extraction.CIL/Entities/Field.cs
+++ b/csharp/extractor/Semmle.Extraction.CIL/Entities/Field.cs
@@ -61,7 +61,7 @@ namespace Semmle.Extraction.CIL.Entities
             cx2.Populate(this);
         }
 
-        TrapStackBehaviour IEntity.TrapStackBehaviour => TrapStackBehaviour.NoLabel;
+        public TrapStackBehaviour TrapStackBehaviour => TrapStackBehaviour.NoLabel;
 
         public abstract IEnumerable<Type> TypeParameters { get; }
 
diff --git a/csharp/extractor/Semmle.Extraction.CIL/Entities/Instruction.cs b/csharp/extractor/Semmle.Extraction.CIL/Entities/Instruction.cs
index 75d0aab454a..033010e18a3 100644
--- a/csharp/extractor/Semmle.Extraction.CIL/Entities/Instruction.cs
+++ b/csharp/extractor/Semmle.Extraction.CIL/Entities/Instruction.cs
@@ -8,7 +8,7 @@ namespace Semmle.Extraction.CIL.Entities
     /// <summary>
     /// A CIL instruction.
     /// </summary>
-    internal class Instruction : UnlabelledEntity, IEntity
+    internal class Instruction : UnlabelledEntity
     {
         /// <summary>
         /// The additional data following the opcode, if any.
@@ -289,11 +289,6 @@ namespace Semmle.Extraction.CIL.Entities
             }
         }
 
-        Label IEntity.Label
-        {
-            get; set;
-        }
-
         private readonly byte[] data;
 
         private int PayloadSize => payloadSizes[(int)PayloadType];
diff --git a/csharp/extractor/Semmle.Extraction.CIL/Entities/TypeContainer.cs b/csharp/extractor/Semmle.Extraction.CIL/Entities/TypeContainer.cs
index 43e261de75a..66ee54ddc8d 100644
--- a/csharp/extractor/Semmle.Extraction.CIL/Entities/TypeContainer.cs
+++ b/csharp/extractor/Semmle.Extraction.CIL/Entities/TypeContainer.cs
@@ -31,8 +31,6 @@ namespace Semmle.Extraction.CIL.Entities
 
         public abstract string IdSuffix { get; }
 
-        Location IEntity.ReportingLocation => throw new NotImplementedException();
-
         public void Extract(Context cx2) { cx2.Populate(this); }
 
         public abstract IEnumerable<IExtractionProduct> Contents { get; }
@@ -44,7 +42,8 @@ namespace Semmle.Extraction.CIL.Entities
             return writer.ToString();
         }
 
-        TrapStackBehaviour IEntity.TrapStackBehaviour => TrapStackBehaviour.NoLabel;
+        public TrapStackBehaviour TrapStackBehaviour => TrapStackBehaviour.NoLabel;
+        public Location ReportingLocation => throw new NotImplementedException();
 
         public abstract IEnumerable<Type> MethodParameters { get; }
         public abstract IEnumerable<Type> TypeParameters { get; }
diff --git a/csharp/extractor/Semmle.Extraction.CIL/ExtractionProduct.cs b/csharp/extractor/Semmle.Extraction.CIL/ExtractionProduct.cs
index 52415af9349..62aaad0d8e5 100644
--- a/csharp/extractor/Semmle.Extraction.CIL/ExtractionProduct.cs
+++ b/csharp/extractor/Semmle.Extraction.CIL/ExtractionProduct.cs
@@ -71,7 +71,7 @@ namespace Semmle.Extraction.CIL
             cx.Cx.AddFreshLabel(this);
         }
 
-        TrapStackBehaviour IEntity.TrapStackBehaviour => TrapStackBehaviour.NoLabel;
+        public TrapStackBehaviour TrapStackBehaviour => TrapStackBehaviour.NoLabel;
     }
 
     /// <summary>
@@ -115,7 +115,7 @@ namespace Semmle.Extraction.CIL
             return writer.ToString();
         }
 
-        TrapStackBehaviour IEntity.TrapStackBehaviour => TrapStackBehaviour.NoLabel;
+        public TrapStackBehaviour TrapStackBehaviour => TrapStackBehaviour.NoLabel;
     }
 
     /// <summary>

From e7853cc3a052ecdc9d645b95d05ef2c7dcb6e3c6 Mon Sep 17 00:00:00 2001
From: Tamas Vajk <tamasvajk@github.com>
Date: Thu, 11 Feb 2021 11:47:56 +0100
Subject: [PATCH 385/429] Simplify TypeContainer class

---
 .../Entities/TypeContainer.cs                 | 35 ++-----------------
 1 file changed, 2 insertions(+), 33 deletions(-)

diff --git a/csharp/extractor/Semmle.Extraction.CIL/Entities/TypeContainer.cs b/csharp/extractor/Semmle.Extraction.CIL/Entities/TypeContainer.cs
index 66ee54ddc8d..d8058593277 100644
--- a/csharp/extractor/Semmle.Extraction.CIL/Entities/TypeContainer.cs
+++ b/csharp/extractor/Semmle.Extraction.CIL/Entities/TypeContainer.cs
@@ -8,43 +8,12 @@ namespace Semmle.Extraction.CIL.Entities
     /// <summary>
     /// Base class for all type containers (namespaces, types, methods).
     /// </summary>
-    public abstract class TypeContainer : IGenericContext, IExtractedEntity
+    public abstract class TypeContainer : LabelledEntity, IGenericContext
     {
-        public Context Cx { get; }
-
-        protected TypeContainer(Context cx)
+        protected TypeContainer(Context cx) : base(cx)
         {
-            Cx = cx;
         }
 
-        public virtual Label Label { get; set; }
-
-        public abstract void WriteId(TextWriter trapFile);
-
-        public void WriteQuotedId(TextWriter trapFile)
-        {
-            trapFile.Write("@\"");
-            WriteId(trapFile);
-            trapFile.Write(IdSuffix);
-            trapFile.Write('\"');
-        }
-
-        public abstract string IdSuffix { get; }
-
-        public void Extract(Context cx2) { cx2.Populate(this); }
-
-        public abstract IEnumerable<IExtractionProduct> Contents { get; }
-
-        public override string ToString()
-        {
-            using var writer = new StringWriter();
-            WriteQuotedId(writer);
-            return writer.ToString();
-        }
-
-        public TrapStackBehaviour TrapStackBehaviour => TrapStackBehaviour.NoLabel;
-        public Location ReportingLocation => throw new NotImplementedException();
-
         public abstract IEnumerable<Type> MethodParameters { get; }
         public abstract IEnumerable<Type> TypeParameters { get; }
     }

From 67289a498fb1783d5f2e8d2fa736223dcf1035d1 Mon Sep 17 00:00:00 2001
From: Tamas Vajk <tamasvajk@github.com>
Date: Thu, 11 Feb 2021 13:52:38 +0100
Subject: [PATCH 386/429] Share entity base classes between CIL and source
 extraction

---
 .../Entities/Assembly.cs                      |   3 +-
 .../Entities/Attribute.cs                     |   6 +-
 .../Entities/Base/IExtractedEntity.cs         |  16 ++
 .../Entities/Base/IExtractionProduct.cs       |  24 +++
 .../{ => Entities/Base}/IGenericContext.cs    |   0
 .../Entities/Base/LabelledEntity.cs           |  39 ++++
 .../Entities/Base/Tuple.cs                    |  22 +++
 .../Entities/Base/UnlabelledEntity.cs         |  31 +++
 .../Semmle.Extraction.CIL/Entities/Event.cs   |   3 +-
 .../Semmle.Extraction.CIL/Entities/Field.cs   |  33 +---
 .../Semmle.Extraction.CIL/Entities/File.cs    |   3 +-
 .../Semmle.Extraction.CIL/Entities/Folder.cs  |   3 +-
 .../Entities/LocalVariable.cs                 |   3 +-
 .../Semmle.Extraction.CIL/Entities/Method.cs  |   3 +-
 .../Entities/Namespace.cs                     |   4 +-
 .../Entities/Parameter.cs                     |  17 +-
 .../Entities/Property.cs                      |   2 +-
 .../Entities/SourceLocation.cs                |   3 +-
 .../Semmle.Extraction.CIL/Entities/Type.cs    |   8 +-
 .../ExtractionProduct.cs                      | 140 --------------
 .../extractor/Semmle.Extraction.CIL/Tuples.cs |   8 +-
 .../Entities/Compilations/Diagnostic.cs       |   2 +-
 .../Entities/Expression.cs                    |  12 +-
 .../Entities/Expression`1.cs                  |   2 +-
 .../Entities/Expressions/Access.cs            |   4 +-
 .../Entities/Expressions/ArrayCreation.cs     |  14 +-
 .../Entities/Expressions/Assignment.cs        |  18 +-
 .../Entities/Expressions/Await.cs             |   2 +-
 .../Entities/Expressions/Binary.cs            |   4 +-
 .../Entities/Expressions/Cast.cs              |   6 +-
 .../Entities/Expressions/Checked.cs           |   2 +-
 .../Entities/Expressions/Conditional.cs       |   6 +-
 .../Entities/Expressions/Default.cs           |   2 +-
 .../Entities/Expressions/ElementAccess.cs     |  10 +-
 .../Entities/Expressions/ImplicitCast.cs      |   8 +-
 .../Entities/Expressions/Initializer.cs       |  38 ++--
 .../Expressions/InterpolatedString.cs         |   4 +-
 .../Entities/Expressions/Invocation.cs        |  22 +--
 .../Entities/Expressions/IsPattern.cs         |   4 +-
 .../Entities/Expressions/Lambda.cs            |  18 +-
 .../Entities/Expressions/MakeRef.cs           |   2 +-
 .../Entities/Expressions/MemberAccess.cs      |   6 +-
 .../ObjectCreation/AnonymousObjectCreation.cs |  20 +-
 .../ObjectCreation/BaseObjectCreation.cs      |  16 +-
 .../ObjectCreation/ExplicitObjectCreation.cs  |   2 +-
 .../Expressions/PointerMemberAccess.cs        |   2 +-
 .../Entities/Expressions/PostfixUnary.cs      |   2 +-
 .../Entities/Expressions/RangeExpression.cs   |   4 +-
 .../Entities/Expressions/Ref.cs               |   2 +-
 .../Entities/Expressions/RefType.cs           |   2 +-
 .../Entities/Expressions/RefValue.cs          |   4 +-
 .../Entities/Expressions/Sizeof.cs            |   2 +-
 .../Entities/Expressions/Switch.cs            |   4 +-
 .../Entities/Expressions/Throw.cs             |   2 +-
 .../Entities/Expressions/Tuple.cs             |   2 +-
 .../Entities/Expressions/TypeAccess.cs        |   8 +-
 .../Entities/Expressions/TypeOf.cs            |   2 +-
 .../Entities/Expressions/Unary.cs             |   2 +-
 .../Entities/Expressions/Unchecked.cs         |   2 +-
 .../PreprocessorDirectives/ElifDirective.cs   |   2 +-
 .../PreprocessorDirectives/IfDirective.cs     |   2 +-
 .../PreprocessorDirectives/LineDirective.cs   |   2 +-
 .../PragmaChecksumDirective.cs                |   2 +-
 .../PreprocessorDirective.cs                  |   6 +-
 .../Entities/Property.cs                      |   2 +-
 .../Entities/Statements/Block.cs              |   2 +-
 .../Entities/Statements/Case.cs               |   8 +-
 .../Entities/Statements/Catch.cs              |  12 +-
 .../Entities/Statements/Checked.cs            |   2 +-
 .../Entities/Statements/Do.cs                 |   4 +-
 .../Statements/ExpressionStatement.cs         |   4 +-
 .../Entities/Statements/Fixed.cs              |   4 +-
 .../Entities/Statements/For.cs                |  10 +-
 .../Entities/Statements/ForEach.cs            |  28 +--
 .../Entities/Statements/Goto.cs               |   4 +-
 .../Entities/Statements/If.cs                 |   6 +-
 .../Entities/Statements/Labeled.cs            |   2 +-
 .../Entities/Statements/LocalDeclaration.cs   |   4 +-
 .../Entities/Statements/LocalFunction.cs      |   4 +-
 .../Entities/Statements/Lock.cs               |   4 +-
 .../Entities/Statements/Return.cs             |   2 +-
 .../Entities/Statements/Switch.cs             |   6 +-
 .../Entities/Statements/Throw.cs              |   2 +-
 .../Entities/Statements/Try.cs                |   6 +-
 .../Entities/Statements/Unchecked.cs          |   2 +-
 .../Entities/Statements/Unsafe.cs             |   2 +-
 .../Entities/Statements/Using.cs              |   6 +-
 .../Entities/Statements/While.cs              |   4 +-
 .../Entities/Statements/Yield.cs              |   2 +-
 .../Entities/TypeMention.cs                   |  22 +--
 .../Entities/Types/Type.cs                    |   1 +
 .../Entities/UsingDirective.cs                |  14 +-
 csharp/extractor/Semmle.Extraction/Context.cs |  26 +--
 .../Base/CachedEntity`1.cs}                   |  59 +++---
 .../Semmle.Extraction/Entities/Base/Entity.cs |  64 +++++++
 .../Entities/Base/FreshEntity.cs              |  38 ++++
 .../Entities/Base/ICachedEntityFactory.cs     |  14 ++
 .../Base/ICachedEntityFactoryExtensions.cs    |  35 ++++
 .../Entities/Base/IEntity.cs                  |  53 ++++++
 .../Entities/Base/LabelledEntity.cs           |  18 ++
 .../Entities/Base/UnlabelledEntity.cs         |  22 +++
 .../Entities/ExtractionError.cs               |   2 +-
 .../Entities/SourceLocation.cs                |   2 +-
 csharp/extractor/Semmle.Extraction/Entity.cs  | 177 ------------------
 .../Semmle.Extraction/FreshEntity.cs          |  59 ------
 .../Semmle.Extraction/TrapStackBehaviour.cs   |  28 +++
 106 files changed, 705 insertions(+), 710 deletions(-)
 create mode 100644 csharp/extractor/Semmle.Extraction.CIL/Entities/Base/IExtractedEntity.cs
 create mode 100644 csharp/extractor/Semmle.Extraction.CIL/Entities/Base/IExtractionProduct.cs
 rename csharp/extractor/Semmle.Extraction.CIL/{ => Entities/Base}/IGenericContext.cs (100%)
 create mode 100644 csharp/extractor/Semmle.Extraction.CIL/Entities/Base/LabelledEntity.cs
 create mode 100644 csharp/extractor/Semmle.Extraction.CIL/Entities/Base/Tuple.cs
 create mode 100644 csharp/extractor/Semmle.Extraction.CIL/Entities/Base/UnlabelledEntity.cs
 delete mode 100644 csharp/extractor/Semmle.Extraction.CIL/ExtractionProduct.cs
 rename csharp/extractor/Semmle.Extraction/{Symbol.cs => Entities/Base/CachedEntity`1.cs} (63%)
 create mode 100644 csharp/extractor/Semmle.Extraction/Entities/Base/Entity.cs
 create mode 100644 csharp/extractor/Semmle.Extraction/Entities/Base/FreshEntity.cs
 create mode 100644 csharp/extractor/Semmle.Extraction/Entities/Base/ICachedEntityFactory.cs
 create mode 100644 csharp/extractor/Semmle.Extraction/Entities/Base/ICachedEntityFactoryExtensions.cs
 create mode 100644 csharp/extractor/Semmle.Extraction/Entities/Base/IEntity.cs
 create mode 100644 csharp/extractor/Semmle.Extraction/Entities/Base/LabelledEntity.cs
 create mode 100644 csharp/extractor/Semmle.Extraction/Entities/Base/UnlabelledEntity.cs
 delete mode 100644 csharp/extractor/Semmle.Extraction/Entity.cs
 delete mode 100644 csharp/extractor/Semmle.Extraction/FreshEntity.cs
 create mode 100644 csharp/extractor/Semmle.Extraction/TrapStackBehaviour.cs

diff --git a/csharp/extractor/Semmle.Extraction.CIL/Entities/Assembly.cs b/csharp/extractor/Semmle.Extraction.CIL/Entities/Assembly.cs
index 5c0a834909c..ba332b2db97 100644
--- a/csharp/extractor/Semmle.Extraction.CIL/Entities/Assembly.cs
+++ b/csharp/extractor/Semmle.Extraction.CIL/Entities/Assembly.cs
@@ -40,6 +40,7 @@ namespace Semmle.Extraction.CIL.Entities
             trapFile.Write(FullName);
             trapFile.Write("#file:///");
             trapFile.Write(Cx.AssemblyPath.Replace("\\", "/"));
+            trapFile.Write(";assembly");
         }
 
         public override bool Equals(object? obj)
@@ -49,8 +50,6 @@ namespace Semmle.Extraction.CIL.Entities
 
         public override int GetHashCode() => 7 * file.GetHashCode();
 
-        public override string IdSuffix => ";assembly";
-
         private string FullName => assemblyName.GetPublicKey() is null ? assemblyName.FullName + ", PublicKeyToken=null" : assemblyName.FullName;
 
         public override IEnumerable<IExtractionProduct> Contents
diff --git a/csharp/extractor/Semmle.Extraction.CIL/Entities/Attribute.cs b/csharp/extractor/Semmle.Extraction.CIL/Entities/Attribute.cs
index c862bc3fc4e..d79215f0adf 100644
--- a/csharp/extractor/Semmle.Extraction.CIL/Entities/Attribute.cs
+++ b/csharp/extractor/Semmle.Extraction.CIL/Entities/Attribute.cs
@@ -12,9 +12,9 @@ namespace Semmle.Extraction.CIL.Entities
     {
         private readonly CustomAttributeHandle handle;
         private readonly CustomAttribute attrib;
-        private readonly IEntity @object;
+        private readonly IExtractedEntity @object;
 
-        public Attribute(Context cx, IEntity @object, CustomAttributeHandle handle) : base(cx)
+        public Attribute(Context cx, IExtractedEntity @object, CustomAttributeHandle handle) : base(cx)
         {
             attrib = cx.MdReader.GetCustomAttribute(handle);
             this.handle = handle;
@@ -80,7 +80,7 @@ namespace Semmle.Extraction.CIL.Entities
             return value?.ToString() ?? "null";
         }
 
-        public static IEnumerable<IExtractionProduct> Populate(Context cx, IEntity @object, CustomAttributeHandleCollection attributes)
+        public static IEnumerable<IExtractionProduct> Populate(Context cx, IExtractedEntity @object, CustomAttributeHandleCollection attributes)
         {
             foreach (var attrib in attributes)
             {
diff --git a/csharp/extractor/Semmle.Extraction.CIL/Entities/Base/IExtractedEntity.cs b/csharp/extractor/Semmle.Extraction.CIL/Entities/Base/IExtractedEntity.cs
new file mode 100644
index 00000000000..080227a63b9
--- /dev/null
+++ b/csharp/extractor/Semmle.Extraction.CIL/Entities/Base/IExtractedEntity.cs
@@ -0,0 +1,16 @@
+using System.Collections.Generic;
+
+namespace Semmle.Extraction.CIL
+{
+    /// <summary>
+    /// A CIL entity which has been extracted.
+    /// </summary>
+    public interface IExtractedEntity : IExtractionProduct, IEntity
+    {
+        /// <summary>
+        /// The contents of the entity.
+        /// </summary>
+
+        IEnumerable<IExtractionProduct> Contents { get; }
+    }
+}
diff --git a/csharp/extractor/Semmle.Extraction.CIL/Entities/Base/IExtractionProduct.cs b/csharp/extractor/Semmle.Extraction.CIL/Entities/Base/IExtractionProduct.cs
new file mode 100644
index 00000000000..6383d7e1b4c
--- /dev/null
+++ b/csharp/extractor/Semmle.Extraction.CIL/Entities/Base/IExtractionProduct.cs
@@ -0,0 +1,24 @@
+namespace Semmle.Extraction.CIL
+{
+    /// <summary>
+    /// Something that is extracted from an entity.
+    /// </summary>
+    ///
+    /// <remarks>
+    /// The extraction algorithm proceeds as follows:
+    /// - Construct entity
+    /// - Call Extract()
+    /// - IExtractedEntity check if already extracted
+    /// - Enumerate Contents to produce more extraction products
+    /// - Extract these until there is nothing left to extract
+    /// </remarks>
+    public interface IExtractionProduct
+    {
+        /// <summary>
+        /// Perform further extraction/population of this item as necessary.
+        /// </summary>
+        ///
+        /// <param name="cx">The extraction context.</param>
+        void Extract(Context cx);
+    }
+}
diff --git a/csharp/extractor/Semmle.Extraction.CIL/IGenericContext.cs b/csharp/extractor/Semmle.Extraction.CIL/Entities/Base/IGenericContext.cs
similarity index 100%
rename from csharp/extractor/Semmle.Extraction.CIL/IGenericContext.cs
rename to csharp/extractor/Semmle.Extraction.CIL/Entities/Base/IGenericContext.cs
diff --git a/csharp/extractor/Semmle.Extraction.CIL/Entities/Base/LabelledEntity.cs b/csharp/extractor/Semmle.Extraction.CIL/Entities/Base/LabelledEntity.cs
new file mode 100644
index 00000000000..a66ecbb1fab
--- /dev/null
+++ b/csharp/extractor/Semmle.Extraction.CIL/Entities/Base/LabelledEntity.cs
@@ -0,0 +1,39 @@
+using System;
+using System.Collections.Generic;
+using System.IO;
+
+namespace Semmle.Extraction.CIL
+{
+    /// <summary>
+    /// An entity that needs to be populated during extraction.
+    /// This assigns a key and optionally extracts its contents.
+    /// </summary>
+    public abstract class LabelledEntity : Extraction.LabelledEntity, IExtractedEntity
+    {
+        // todo: with .NET 5 this can override the base context, and change the return type.
+        public Context Cx { get; }
+
+        protected LabelledEntity(Context cx) : base(cx.Cx)
+        {
+            this.Cx = cx;
+        }
+
+        public override Microsoft.CodeAnalysis.Location ReportingLocation => throw new NotImplementedException();
+
+        public void Extract(Context cx2)
+        {
+            cx2.Populate(this);
+        }
+
+        public override string ToString()
+        {
+            using var writer = new StringWriter();
+            WriteQuotedId(writer);
+            return writer.ToString();
+        }
+
+        public override TrapStackBehaviour TrapStackBehaviour => TrapStackBehaviour.NoLabel;
+
+        public abstract IEnumerable<IExtractionProduct> Contents { get; }
+    }
+}
diff --git a/csharp/extractor/Semmle.Extraction.CIL/Entities/Base/Tuple.cs b/csharp/extractor/Semmle.Extraction.CIL/Entities/Base/Tuple.cs
new file mode 100644
index 00000000000..5657f072c9c
--- /dev/null
+++ b/csharp/extractor/Semmle.Extraction.CIL/Entities/Base/Tuple.cs
@@ -0,0 +1,22 @@
+namespace Semmle.Extraction.CIL
+{
+    /// <summary>
+    /// A tuple that is an extraction product.
+    /// </summary>
+    internal class Tuple : IExtractionProduct
+    {
+        private readonly Extraction.Tuple tuple;
+
+        public Tuple(string name, params object[] args)
+        {
+            tuple = new Extraction.Tuple(name, args);
+        }
+
+        public void Extract(Context cx)
+        {
+            cx.Cx.Emit(tuple);
+        }
+
+        public override string ToString() => tuple.ToString();
+    }
+}
diff --git a/csharp/extractor/Semmle.Extraction.CIL/Entities/Base/UnlabelledEntity.cs b/csharp/extractor/Semmle.Extraction.CIL/Entities/Base/UnlabelledEntity.cs
new file mode 100644
index 00000000000..d8c18d291eb
--- /dev/null
+++ b/csharp/extractor/Semmle.Extraction.CIL/Entities/Base/UnlabelledEntity.cs
@@ -0,0 +1,31 @@
+using System;
+using System.Collections.Generic;
+
+namespace Semmle.Extraction.CIL
+{
+    /// <summary>
+    /// An entity that has contents to extract. There is no need to populate
+    /// a key as it's done in the contructor.
+    /// </summary>
+    public abstract class UnlabelledEntity : Extraction.UnlabelledEntity, IExtractedEntity
+    {
+        // todo: with .NET 5 this can override the base context, and change the return type.
+        public Context Cx { get; }
+
+        protected UnlabelledEntity(Context cx) : base(cx.Cx)
+        {
+            Cx = cx;
+        }
+
+        public override Microsoft.CodeAnalysis.Location ReportingLocation => throw new NotImplementedException();
+
+        public void Extract(Context cx2)
+        {
+            cx2.Extract(this);
+        }
+
+        public override TrapStackBehaviour TrapStackBehaviour => TrapStackBehaviour.NoLabel;
+
+        public abstract IEnumerable<IExtractionProduct> Contents { get; }
+    }
+}
diff --git a/csharp/extractor/Semmle.Extraction.CIL/Entities/Event.cs b/csharp/extractor/Semmle.Extraction.CIL/Entities/Event.cs
index e2e27484a4c..a6ca9364e0f 100644
--- a/csharp/extractor/Semmle.Extraction.CIL/Entities/Event.cs
+++ b/csharp/extractor/Semmle.Extraction.CIL/Entities/Event.cs
@@ -25,10 +25,9 @@ namespace Semmle.Extraction.CIL.Entities
             parent.WriteId(trapFile);
             trapFile.Write('.');
             trapFile.Write(Cx.ShortName(ed.Name));
+            trapFile.Write(";cil-event");
         }
 
-        public override string IdSuffix => ";cil-event";
-
         public override bool Equals(object? obj)
         {
             return obj is Event e && handle.Equals(e.handle);
diff --git a/csharp/extractor/Semmle.Extraction.CIL/Entities/Field.cs b/csharp/extractor/Semmle.Extraction.CIL/Entities/Field.cs
index a195a7432c7..8decef24128 100644
--- a/csharp/extractor/Semmle.Extraction.CIL/Entities/Field.cs
+++ b/csharp/extractor/Semmle.Extraction.CIL/Entities/Field.cs
@@ -8,41 +8,27 @@ namespace Semmle.Extraction.CIL.Entities
     /// <summary>
     /// An entity representing a field.
     /// </summary>
-    internal abstract class Field : IGenericContext, IMember, ICustomModifierReceiver
+    internal abstract class Field : LabelledEntity, IGenericContext, IMember, ICustomModifierReceiver
     {
-        protected Field(Context cx)
+        protected Field(Context cx) : base(cx)
         {
-            Cx = cx;
         }
 
-        public Label Label { get; set; }
-
-        public void WriteId(TextWriter trapFile)
+        public override void WriteId(TextWriter trapFile)
         {
             trapFile.WriteSubId(DeclaringType);
             trapFile.Write('.');
             trapFile.Write(Name);
+            trapFile.Write(";cil-field");
         }
 
-        public void WriteQuotedId(TextWriter trapFile)
-        {
-            trapFile.Write("@\"");
-            WriteId(trapFile);
-            trapFile.Write(idSuffix);
-            trapFile.Write('\"');
-        }
-
-        private const string idSuffix = ";cil-field";
-
         public abstract string Name { get; }
 
         public abstract Type DeclaringType { get; }
 
-        public Location ReportingLocation => throw new NotImplementedException();
-
         public abstract Type Type { get; }
 
-        public virtual IEnumerable<IExtractionProduct> Contents
+        public override IEnumerable<IExtractionProduct> Contents
         {
             get
             {
@@ -56,17 +42,8 @@ namespace Semmle.Extraction.CIL.Entities
             }
         }
 
-        public void Extract(Context cx2)
-        {
-            cx2.Populate(this);
-        }
-
-        public TrapStackBehaviour TrapStackBehaviour => TrapStackBehaviour.NoLabel;
-
         public abstract IEnumerable<Type> TypeParameters { get; }
 
         public abstract IEnumerable<Type> MethodParameters { get; }
-
-        public Context Cx { get; }
     }
 }
diff --git a/csharp/extractor/Semmle.Extraction.CIL/Entities/File.cs b/csharp/extractor/Semmle.Extraction.CIL/Entities/File.cs
index d5cb10a43db..4b612ae86af 100644
--- a/csharp/extractor/Semmle.Extraction.CIL/Entities/File.cs
+++ b/csharp/extractor/Semmle.Extraction.CIL/Entities/File.cs
@@ -17,6 +17,7 @@ namespace Semmle.Extraction.CIL.Entities
         public override void WriteId(TextWriter trapFile)
         {
             trapFile.Write(TransformedPath.DatabaseId);
+            trapFile.Write(";sourcefile");
         }
 
         public override bool Equals(object? obj)
@@ -39,7 +40,5 @@ namespace Semmle.Extraction.CIL.Entities
                 yield return Tuples.files(this, TransformedPath.Value, TransformedPath.NameWithoutExtension, TransformedPath.Extension);
             }
         }
-
-        public override string IdSuffix => ";sourcefile";
     }
 }
diff --git a/csharp/extractor/Semmle.Extraction.CIL/Entities/Folder.cs b/csharp/extractor/Semmle.Extraction.CIL/Entities/Folder.cs
index 6121792600a..2294a525e4b 100644
--- a/csharp/extractor/Semmle.Extraction.CIL/Entities/Folder.cs
+++ b/csharp/extractor/Semmle.Extraction.CIL/Entities/Folder.cs
@@ -15,10 +15,9 @@ namespace Semmle.Extraction.CIL.Entities
         public override void WriteId(TextWriter trapFile)
         {
             trapFile.Write(transformedPath.DatabaseId);
+            trapFile.Write(";folder");
         }
 
-        public override string IdSuffix => ";folder";
-
         public override IEnumerable<IExtractionProduct> Contents
         {
             get
diff --git a/csharp/extractor/Semmle.Extraction.CIL/Entities/LocalVariable.cs b/csharp/extractor/Semmle.Extraction.CIL/Entities/LocalVariable.cs
index d96c430f3c9..5d7a00c64c9 100644
--- a/csharp/extractor/Semmle.Extraction.CIL/Entities/LocalVariable.cs
+++ b/csharp/extractor/Semmle.Extraction.CIL/Entities/LocalVariable.cs
@@ -21,10 +21,9 @@ namespace Semmle.Extraction.CIL.Entities
             trapFile.WriteSubId(method);
             trapFile.Write('_');
             trapFile.Write(index);
+            trapFile.Write(";cil-local");
         }
 
-        public override string IdSuffix => ";cil-local";
-
         public override IEnumerable<IExtractionProduct> Contents
         {
             get
diff --git a/csharp/extractor/Semmle.Extraction.CIL/Entities/Method.cs b/csharp/extractor/Semmle.Extraction.CIL/Entities/Method.cs
index d1302837c16..e2887963edf 100644
--- a/csharp/extractor/Semmle.Extraction.CIL/Entities/Method.cs
+++ b/csharp/extractor/Semmle.Extraction.CIL/Entities/Method.cs
@@ -62,10 +62,9 @@ namespace Semmle.Extraction.CIL.Entities
                 param.WriteId(trapFile, this);
             }
             trapFile.Write(')');
+            trapFile.Write(";cil-method");
         }
 
-        public override string IdSuffix => ";cil-method";
-
         protected IEnumerable<IExtractionProduct> PopulateFlags
         {
             get
diff --git a/csharp/extractor/Semmle.Extraction.CIL/Entities/Namespace.cs b/csharp/extractor/Semmle.Extraction.CIL/Entities/Namespace.cs
index e916fd0020f..5f909b7b336 100644
--- a/csharp/extractor/Semmle.Extraction.CIL/Entities/Namespace.cs
+++ b/csharp/extractor/Semmle.Extraction.CIL/Entities/Namespace.cs
@@ -14,9 +14,6 @@ namespace Semmle.Extraction.CIL.Entities
 
         public bool IsGlobalNamespace => ParentNamespace is null;
 
-        public override string IdSuffix => ";namespace";
-
-
         public override void WriteId(TextWriter trapFile)
         {
             if (ParentNamespace != null && !ParentNamespace.IsGlobalNamespace)
@@ -25,6 +22,7 @@ namespace Semmle.Extraction.CIL.Entities
                 trapFile.Write('.');
             }
             trapFile.Write(Name);
+            trapFile.Write(";namespace");
         }
 
         public override bool Equals(object? obj)
diff --git a/csharp/extractor/Semmle.Extraction.CIL/Entities/Parameter.cs b/csharp/extractor/Semmle.Extraction.CIL/Entities/Parameter.cs
index 90452fe9265..9cf96412309 100644
--- a/csharp/extractor/Semmle.Extraction.CIL/Entities/Parameter.cs
+++ b/csharp/extractor/Semmle.Extraction.CIL/Entities/Parameter.cs
@@ -8,41 +8,40 @@ namespace Semmle.Extraction.CIL.Entities
     /// </summary>
     internal sealed class Parameter : LabelledEntity
     {
-        private readonly IParameterizable method;
+        private readonly IParameterizable parameterizable;
         private readonly int index;
         private readonly Type type;
 
-        public Parameter(Context cx, IParameterizable m, int i, Type t) : base(cx)
+        public Parameter(Context cx, IParameterizable p, int i, Type t) : base(cx)
         {
-            method = m;
+            parameterizable = p;
             index = i;
             type = t;
         }
 
         public override void WriteId(TextWriter trapFile)
         {
-            trapFile.WriteSubId(method);
+            trapFile.WriteSubId(parameterizable);
             trapFile.Write('_');
             trapFile.Write(index);
+            trapFile.Write(";cil-parameter");
         }
 
         public override bool Equals(object? obj)
         {
-            return obj is Parameter param && method.Equals(param.method) && index == param.index;
+            return obj is Parameter param && parameterizable.Equals(param.parameterizable) && index == param.index;
         }
 
         public override int GetHashCode()
         {
-            return 23 * method.GetHashCode() + index;
+            return 23 * parameterizable.GetHashCode() + index;
         }
 
-        public override string IdSuffix => ";cil-parameter";
-
         public override IEnumerable<IExtractionProduct> Contents
         {
             get
             {
-                yield return Tuples.cil_parameter(this, method, index, type);
+                yield return Tuples.cil_parameter(this, parameterizable, index, type);
             }
         }
     }
diff --git a/csharp/extractor/Semmle.Extraction.CIL/Entities/Property.cs b/csharp/extractor/Semmle.Extraction.CIL/Entities/Property.cs
index a6c864a8cb6..e605468827a 100644
--- a/csharp/extractor/Semmle.Extraction.CIL/Entities/Property.cs
+++ b/csharp/extractor/Semmle.Extraction.CIL/Entities/Property.cs
@@ -13,7 +13,6 @@ namespace Semmle.Extraction.CIL.Entities
         private readonly Handle handle;
         private readonly Type type;
         private readonly PropertyDefinition pd;
-        public override string IdSuffix => ";cil-property";
         private readonly IGenericContext gc;
 
         public Property(IGenericContext gc, Type type, PropertyDefinitionHandle handle) : base(gc.Cx)
@@ -38,6 +37,7 @@ namespace Semmle.Extraction.CIL.Entities
                 param.WriteId(trapFile, gc);
             }
             trapFile.Write(")");
+            trapFile.Write(";cil-property");
         }
 
         public override bool Equals(object? obj)
diff --git a/csharp/extractor/Semmle.Extraction.CIL/Entities/SourceLocation.cs b/csharp/extractor/Semmle.Extraction.CIL/Entities/SourceLocation.cs
index f0f1667bca2..318cac14930 100644
--- a/csharp/extractor/Semmle.Extraction.CIL/Entities/SourceLocation.cs
+++ b/csharp/extractor/Semmle.Extraction.CIL/Entities/SourceLocation.cs
@@ -26,6 +26,7 @@ namespace Semmle.Extraction.CIL.Entities
             trapFile.Write(location.EndLine);
             trapFile.Write(',');
             trapFile.Write(location.EndColumn);
+            trapFile.Write(";sourcelocation");
         }
 
         public override bool Equals(object? obj)
@@ -43,7 +44,5 @@ namespace Semmle.Extraction.CIL.Entities
                 yield return Tuples.locations_default(this, file, location.StartLine, location.StartColumn, location.EndLine, location.EndColumn);
             }
         }
-
-        public override string IdSuffix => ";sourcelocation";
     }
 }
diff --git a/csharp/extractor/Semmle.Extraction.CIL/Entities/Type.cs b/csharp/extractor/Semmle.Extraction.CIL/Entities/Type.cs
index 2df850f5ce9..9f78c5066e0 100644
--- a/csharp/extractor/Semmle.Extraction.CIL/Entities/Type.cs
+++ b/csharp/extractor/Semmle.Extraction.CIL/Entities/Type.cs
@@ -11,7 +11,6 @@ namespace Semmle.Extraction.CIL.Entities
     /// </summary>
     public abstract class Type : TypeContainer, IMember
     {
-        public override string IdSuffix => ";cil-type";
         internal const string AssemblyTypeNameSeparator = "::";
         internal const string PrimitiveTypePrefix = "builtin" + AssemblyTypeNameSeparator + "System.";
 
@@ -46,7 +45,12 @@ namespace Semmle.Extraction.CIL.Entities
         /// </param>
         public abstract void WriteId(TextWriter trapFile, bool inContext);
 
-        public sealed override void WriteId(TextWriter trapFile) => WriteId(trapFile, false);
+        public sealed override void WriteId(TextWriter trapFile)
+        {
+            WriteId(trapFile, false);
+            trapFile.Write(";cil-type");
+        }
+
 
         /// <summary>
         /// Returns the friendly qualified name of types, such as
diff --git a/csharp/extractor/Semmle.Extraction.CIL/ExtractionProduct.cs b/csharp/extractor/Semmle.Extraction.CIL/ExtractionProduct.cs
deleted file mode 100644
index 62aaad0d8e5..00000000000
--- a/csharp/extractor/Semmle.Extraction.CIL/ExtractionProduct.cs
+++ /dev/null
@@ -1,140 +0,0 @@
-using System;
-using System.Collections.Generic;
-using System.IO;
-
-namespace Semmle.Extraction.CIL
-{
-    /// <summary>
-    /// Something that is extracted from an entity.
-    /// </summary>
-    ///
-    /// <remarks>
-    /// The extraction algorithm proceeds as follows:
-    /// - Construct entity
-    /// - Call Extract()
-    /// - IExtractedEntity check if already extracted
-    /// - Enumerate Contents to produce more extraction products
-    /// - Extract these until there is nothing left to extract
-    /// </remarks>
-    public interface IExtractionProduct
-    {
-        /// <summary>
-        /// Perform further extraction/population of this item as necessary.
-        /// </summary>
-        ///
-        /// <param name="cx">The extraction context.</param>
-        void Extract(Context cx);
-    }
-
-    /// <summary>
-    /// An entity which has been extracted.
-    /// </summary>
-    public interface IExtractedEntity : IEntity, IExtractionProduct
-    {
-        /// <summary>
-        /// The contents of the entity.
-        /// </summary>
-        IEnumerable<IExtractionProduct> Contents { get; }
-    }
-
-    /// <summary>
-    /// An entity that has contents to extract. There is no need to populate
-    /// a key as it's done in the contructor.
-    /// </summary>
-    public abstract class UnlabelledEntity : IExtractedEntity
-    {
-        public abstract IEnumerable<IExtractionProduct> Contents { get; }
-        public Label Label { get; set; }
-
-        public void WriteId(System.IO.TextWriter trapFile)
-        {
-            trapFile.Write('*');
-        }
-
-        public void WriteQuotedId(TextWriter trapFile)
-        {
-            WriteId(trapFile);
-        }
-
-        public Microsoft.CodeAnalysis.Location ReportingLocation => throw new NotImplementedException();
-
-        public virtual void Extract(Context cx2)
-        {
-            cx2.Extract(this);
-        }
-
-        public Context Cx { get; }
-
-        protected UnlabelledEntity(Context cx)
-        {
-            this.Cx = cx;
-            cx.Cx.AddFreshLabel(this);
-        }
-
-        public TrapStackBehaviour TrapStackBehaviour => TrapStackBehaviour.NoLabel;
-    }
-
-    /// <summary>
-    /// An entity that needs to be populated during extraction.
-    /// This assigns a key and optionally extracts its contents.
-    /// </summary>
-    public abstract class LabelledEntity : IExtractedEntity
-    {
-        public abstract IEnumerable<IExtractionProduct> Contents { get; }
-        public Label Label { get; set; }
-        public Microsoft.CodeAnalysis.Location ReportingLocation => throw new NotImplementedException();
-
-        public abstract void WriteId(System.IO.TextWriter trapFile);
-
-        public abstract string IdSuffix { get; }
-
-        public void WriteQuotedId(TextWriter trapFile)
-        {
-            trapFile.Write("@\"");
-            WriteId(trapFile);
-            trapFile.Write(IdSuffix);
-            trapFile.Write('\"');
-        }
-
-        public void Extract(Context cx2)
-        {
-            cx2.Populate(this);
-        }
-
-        public Context Cx { get; }
-
-        protected LabelledEntity(Context cx)
-        {
-            this.Cx = cx;
-        }
-
-        public override string ToString()
-        {
-            using var writer = new StringWriter();
-            WriteQuotedId(writer);
-            return writer.ToString();
-        }
-
-        public TrapStackBehaviour TrapStackBehaviour => TrapStackBehaviour.NoLabel;
-    }
-
-    /// <summary>
-    /// A tuple that is an extraction product.
-    /// </summary>
-    internal class Tuple : IExtractionProduct
-    {
-        private readonly Extraction.Tuple tuple;
-
-        public Tuple(string name, params object[] args)
-        {
-            tuple = new Extraction.Tuple(name, args);
-        }
-
-        public void Extract(Context cx)
-        {
-            cx.Cx.Emit(tuple);
-        }
-
-        public override string ToString() => tuple.ToString();
-    }
-}
diff --git a/csharp/extractor/Semmle.Extraction.CIL/Tuples.cs b/csharp/extractor/Semmle.Extraction.CIL/Tuples.cs
index 0ae92386c3e..c8ed3445c6f 100644
--- a/csharp/extractor/Semmle.Extraction.CIL/Tuples.cs
+++ b/csharp/extractor/Semmle.Extraction.CIL/Tuples.cs
@@ -14,10 +14,10 @@ namespace Semmle.Extraction.CIL
         internal static Tuple cil_adder(Event member, Method method) =>
             new Tuple("cil_adder", member, method);
 
-        internal static Tuple cil_access(Instruction i, IEntity m) =>
+        internal static Tuple cil_access(Instruction i, IExtractedEntity m) =>
             new Tuple("cil_access", i, m);
 
-        internal static Tuple cil_attribute(Attribute attribute, IEntity @object, Method constructor) =>
+        internal static Tuple cil_attribute(Attribute attribute, IExtractedEntity @object, Method constructor) =>
             new Tuple("cil_attribute", attribute, @object, constructor);
 
         internal static Tuple cil_attribute_named_argument(Attribute attribute, string name, string value) =>
@@ -197,7 +197,7 @@ namespace Semmle.Extraction.CIL
         internal static Tuple cil_custom_modifiers(ICustomModifierReceiver receiver, Type modifier, bool isRequired) =>
             new Tuple("cil_custom_modifiers", receiver, modifier, isRequired ? 1 : 0);
 
-        internal static Tuple cil_type_annotation(IEntity receiver, TypeAnnotation annotation) =>
+        internal static Tuple cil_type_annotation(IExtractedEntity receiver, TypeAnnotation annotation) =>
             new Tuple("cil_type_annotation", receiver, (int)annotation);
 
         internal static Tuple containerparent(Folder parent, IFileOrFolder child) =>
@@ -215,7 +215,7 @@ namespace Semmle.Extraction.CIL
         internal static Tuple locations_default(PdbSourceLocation label, File file, int startLine, int startCol, int endLine, int endCol) =>
             new Tuple("locations_default", label, file, startLine, startCol, endLine, endCol);
 
-        internal static Tuple metadata_handle(IEntity entity, Assembly assembly, int handleValue) =>
+        internal static Tuple metadata_handle(IExtractedEntity entity, Assembly assembly, int handleValue) =>
             new Tuple("metadata_handle", entity, assembly, handleValue);
 
         internal static Tuple namespaces(Namespace ns, string name) =>
diff --git a/csharp/extractor/Semmle.Extraction.CSharp/Entities/Compilations/Diagnostic.cs b/csharp/extractor/Semmle.Extraction.CSharp/Entities/Compilations/Diagnostic.cs
index ddf53d6bbe1..def6edbf5ad 100644
--- a/csharp/extractor/Semmle.Extraction.CSharp/Entities/Compilations/Diagnostic.cs
+++ b/csharp/extractor/Semmle.Extraction.CSharp/Entities/Compilations/Diagnostic.cs
@@ -17,7 +17,7 @@ namespace Semmle.Extraction.CSharp.Entities
         protected override void Populate(TextWriter trapFile)
         {
             trapFile.diagnostics(this, (int)diagnostic.Severity, diagnostic.Id, diagnostic.Descriptor.Title.ToString(),
-                diagnostic.GetMessage(), cx.CreateLocation(diagnostic.Location));
+                diagnostic.GetMessage(), Context.CreateLocation(diagnostic.Location));
         }
     }
 }
diff --git a/csharp/extractor/Semmle.Extraction.CSharp/Entities/Expression.cs b/csharp/extractor/Semmle.Extraction.CSharp/Entities/Expression.cs
index e343414a4cb..e96410fb8f5 100644
--- a/csharp/extractor/Semmle.Extraction.CSharp/Entities/Expression.cs
+++ b/csharp/extractor/Semmle.Extraction.CSharp/Entities/Expression.cs
@@ -29,7 +29,7 @@ namespace Semmle.Extraction.CSharp.Entities
 
         protected sealed override void Populate(TextWriter trapFile)
         {
-            var type = Type.HasValue ? Entities.Type.Create(cx, Type.Value) : NullType.Create(cx);
+            var type = Type.HasValue ? Entities.Type.Create(Context, Type.Value) : NullType.Create(Context);
             trapFile.expressions(this, Kind, type.TypeRef);
             if (info.Parent.IsTopLevelParent)
                 trapFile.expr_parent_top_level(this, info.Child, info.Parent);
@@ -39,7 +39,7 @@ namespace Semmle.Extraction.CSharp.Entities
 
             if (Type.HasValue && !Type.Value.HasObliviousNullability())
             {
-                var n = NullabilityEntity.Create(cx, Nullability.Create(Type.Value));
+                var n = NullabilityEntity.Create(Context, Nullability.Create(Type.Value));
                 trapFile.type_nullability(this, n);
             }
 
@@ -170,10 +170,10 @@ namespace Semmle.Extraction.CSharp.Entities
         /// <param name="node">The expression.</param>
         public void OperatorCall(TextWriter trapFile, ExpressionSyntax node)
         {
-            var @operator = cx.GetSymbolInfo(node);
+            var @operator = Context.GetSymbolInfo(node);
             if (@operator.Symbol is IMethodSymbol method)
             {
-                var callType = GetCallType(cx, node);
+                var callType = GetCallType(Context, node);
                 if (callType == CallType.Dynamic)
                 {
                     UserOperator.OperatorSymbol(method.Name, out var operatorName);
@@ -181,7 +181,7 @@ namespace Semmle.Extraction.CSharp.Entities
                     return;
                 }
 
-                trapFile.expr_call(this, Method.Create(cx, method));
+                trapFile.expr_call(this, Method.Create(Context, method));
             }
         }
 
@@ -267,7 +267,7 @@ namespace Semmle.Extraction.CSharp.Entities
 
         private void PopulateArgument(TextWriter trapFile, ArgumentSyntax arg, int child)
         {
-            var expr = Create(cx, arg.Expression, this, child);
+            var expr = Create(Context, arg.Expression, this, child);
             int mode;
             switch (arg.RefOrOutKeyword.Kind())
             {
diff --git a/csharp/extractor/Semmle.Extraction.CSharp/Entities/Expression`1.cs b/csharp/extractor/Semmle.Extraction.CSharp/Entities/Expression`1.cs
index c16f0679c10..6c027076472 100644
--- a/csharp/extractor/Semmle.Extraction.CSharp/Entities/Expression`1.cs
+++ b/csharp/extractor/Semmle.Extraction.CSharp/Entities/Expression`1.cs
@@ -27,7 +27,7 @@ namespace Semmle.Extraction.CSharp.Entities
 
         protected new Expression TryPopulate()
         {
-            cx.Try(Syntax, null, () => PopulateExpression(cx.TrapWriter.Writer));
+            Context.Try(Syntax, null, () => PopulateExpression(Context.TrapWriter.Writer));
             return this;
         }
     }
diff --git a/csharp/extractor/Semmle.Extraction.CSharp/Entities/Expressions/Access.cs b/csharp/extractor/Semmle.Extraction.CSharp/Entities/Expressions/Access.cs
index d4d4c86c507..8ef72f8085c 100644
--- a/csharp/extractor/Semmle.Extraction.CSharp/Entities/Expressions/Access.cs
+++ b/csharp/extractor/Semmle.Extraction.CSharp/Entities/Expressions/Access.cs
@@ -47,12 +47,12 @@ namespace Semmle.Extraction.CSharp.Entities.Expressions
         {
             if (!(target is null))
             {
-                cx.TrapWriter.Writer.expr_access(this, target);
+                Context.TrapWriter.Writer.expr_access(this, target);
             }
 
             if (implicitThis && !symbol.IsStatic)
             {
-                This.CreateImplicit(cx, symbol.ContainingType, Location, this, -1);
+                This.CreateImplicit(Context, symbol.ContainingType, Location, this, -1);
             }
         }
 
diff --git a/csharp/extractor/Semmle.Extraction.CSharp/Entities/Expressions/ArrayCreation.cs b/csharp/extractor/Semmle.Extraction.CSharp/Entities/Expressions/ArrayCreation.cs
index ea818862d80..3d6d3b95722 100644
--- a/csharp/extractor/Semmle.Extraction.CSharp/Entities/Expressions/ArrayCreation.cs
+++ b/csharp/extractor/Semmle.Extraction.CSharp/Entities/Expressions/ArrayCreation.cs
@@ -31,7 +31,7 @@ namespace Semmle.Extraction.CSharp.Entities.Expressions
 
             if (TypeSyntax is null)
             {
-                cx.ModelError(Syntax, "Array has unexpected type syntax");
+                Context.ModelError(Syntax, "Array has unexpected type syntax");
             }
 
             var firstLevelSizes = TypeSyntax.RankSpecifiers.First()?.Sizes ?? SyntaxFactory.SeparatedList<ExpressionSyntax>();
@@ -44,20 +44,20 @@ namespace Semmle.Extraction.CSharp.Entities.Expressions
             {
                 for (var sizeIndex = 0; sizeIndex < firstLevelSizes.Count; sizeIndex++)
                 {
-                    Create(cx, firstLevelSizes[sizeIndex], this, sizeIndex);
+                    Create(Context, firstLevelSizes[sizeIndex], this, sizeIndex);
                 }
                 explicitlySized = true;
             }
 
             if (!(Initializer is null))
             {
-                ArrayInitializer.Create(new ExpressionNodeInfo(cx, Initializer, this, InitializerIndex));
+                ArrayInitializer.Create(new ExpressionNodeInfo(Context, Initializer, this, InitializerIndex));
             }
 
             if (explicitlySized)
                 trapFile.explicitly_sized_array_creation(this);
 
-            TypeMention.Create(cx, TypeSyntax, this, Type);
+            TypeMention.Create(Context, TypeSyntax, this, Type);
         }
 
         private void SetArraySizes(InitializerExpressionSyntax initializer, int rank)
@@ -69,7 +69,7 @@ namespace Semmle.Extraction.CSharp.Entities.Expressions
                     return;
                 }
 
-                Literal.CreateGenerated(cx, this, level, cx.Compilation.GetSpecialType(SpecialType.System_Int32), initializer.Expressions.Count, Location);
+                Literal.CreateGenerated(Context, this, level, Context.Compilation.GetSpecialType(SpecialType.System_Int32), initializer.Expressions.Count, Location);
 
                 initializer = initializer.Expressions.FirstOrDefault() as InitializerExpressionSyntax;
             }
@@ -143,7 +143,7 @@ namespace Semmle.Extraction.CSharp.Entities.Expressions
 
         protected override void PopulateExpression(TextWriter trapFile)
         {
-            ArrayInitializer.Create(new ExpressionNodeInfo(cx, Syntax.Initializer, this, InitializerIndex));
+            ArrayInitializer.Create(new ExpressionNodeInfo(Context, Syntax.Initializer, this, InitializerIndex));
             trapFile.implicitly_typed_array_creation(this);
             trapFile.stackalloc_array_creation(this);
         }
@@ -159,7 +159,7 @@ namespace Semmle.Extraction.CSharp.Entities.Expressions
         {
             if (Syntax.Initializer != null)
             {
-                ArrayInitializer.Create(new ExpressionNodeInfo(cx, Syntax.Initializer, this, InitializerIndex));
+                ArrayInitializer.Create(new ExpressionNodeInfo(Context, Syntax.Initializer, this, InitializerIndex));
             }
 
             trapFile.implicitly_typed_array_creation(this);
diff --git a/csharp/extractor/Semmle.Extraction.CSharp/Entities/Expressions/Assignment.cs b/csharp/extractor/Semmle.Extraction.CSharp/Entities/Expressions/Assignment.cs
index f785ce65da3..3325c8075a3 100644
--- a/csharp/extractor/Semmle.Extraction.CSharp/Entities/Expressions/Assignment.cs
+++ b/csharp/extractor/Semmle.Extraction.CSharp/Entities/Expressions/Assignment.cs
@@ -26,17 +26,17 @@ namespace Semmle.Extraction.CSharp.Entities.Expressions
             if (operatorKind.HasValue)
             {
                 // Convert assignment such as `a += b` into `a = a + b`.
-                var simpleAssignExpr = new Expression(new ExpressionInfo(cx, Type, Location, ExprKind.SIMPLE_ASSIGN, this, 2, false, null));
-                Create(cx, Syntax.Left, simpleAssignExpr, 1);
-                var opexpr = new Expression(new ExpressionInfo(cx, Type, Location, operatorKind.Value, simpleAssignExpr, 0, false, null));
-                Create(cx, Syntax.Left, opexpr, 0);
-                Create(cx, Syntax.Right, opexpr, 1);
+                var simpleAssignExpr = new Expression(new ExpressionInfo(Context, Type, Location, ExprKind.SIMPLE_ASSIGN, this, 2, false, null));
+                Create(Context, Syntax.Left, simpleAssignExpr, 1);
+                var opexpr = new Expression(new ExpressionInfo(Context, Type, Location, operatorKind.Value, simpleAssignExpr, 0, false, null));
+                Create(Context, Syntax.Left, opexpr, 0);
+                Create(Context, Syntax.Right, opexpr, 1);
                 opexpr.OperatorCall(trapFile, Syntax);
             }
             else
             {
-                Create(cx, Syntax.Left, this, 1);
-                Create(cx, Syntax.Right, this, 0);
+                Create(Context, Syntax.Left, this, 1);
+                Create(Context, Syntax.Right, this, 0);
 
                 if (Kind == ExprKind.ADD_EVENT || Kind == ExprKind.REMOVE_EVENT)
                 {
@@ -148,12 +148,12 @@ namespace Semmle.Extraction.CSharp.Entities.Expressions
                     case ExprKind.ASSIGN_COALESCE:
                         return ExprKind.NULL_COALESCING;
                     default:
-                        cx.ModelError(Syntax, "Couldn't unfold assignment of type " + kind);
+                        Context.ModelError(Syntax, "Couldn't unfold assignment of type " + kind);
                         return ExprKind.UNKNOWN;
                 }
             }
         }
 
-        public new CallType CallType => GetCallType(cx, Syntax);
+        public new CallType CallType => GetCallType(Context, Syntax);
     }
 }
diff --git a/csharp/extractor/Semmle.Extraction.CSharp/Entities/Expressions/Await.cs b/csharp/extractor/Semmle.Extraction.CSharp/Entities/Expressions/Await.cs
index 2f8726c8070..34088d9564a 100644
--- a/csharp/extractor/Semmle.Extraction.CSharp/Entities/Expressions/Await.cs
+++ b/csharp/extractor/Semmle.Extraction.CSharp/Entities/Expressions/Await.cs
@@ -12,7 +12,7 @@ namespace Semmle.Extraction.CSharp.Entities.Expressions
 
         protected override void PopulateExpression(TextWriter trapFile)
         {
-            Create(cx, Syntax.Expression, this, 0);
+            Create(Context, Syntax.Expression, this, 0);
         }
     }
 }
diff --git a/csharp/extractor/Semmle.Extraction.CSharp/Entities/Expressions/Binary.cs b/csharp/extractor/Semmle.Extraction.CSharp/Entities/Expressions/Binary.cs
index 32ee3be5f73..74dcc9ff85f 100644
--- a/csharp/extractor/Semmle.Extraction.CSharp/Entities/Expressions/Binary.cs
+++ b/csharp/extractor/Semmle.Extraction.CSharp/Entities/Expressions/Binary.cs
@@ -17,8 +17,8 @@ namespace Semmle.Extraction.CSharp.Entities.Expressions
         protected override void PopulateExpression(TextWriter trapFile)
         {
             OperatorCall(trapFile, Syntax);
-            CreateDeferred(cx, Syntax.Left, this, 0);
-            CreateDeferred(cx, Syntax.Right, this, 1);
+            CreateDeferred(Context, Syntax.Left, this, 0);
+            CreateDeferred(Context, Syntax.Right, this, 1);
         }
 
         private static ExprKind GetKind(Context cx, BinaryExpressionSyntax node)
diff --git a/csharp/extractor/Semmle.Extraction.CSharp/Entities/Expressions/Cast.cs b/csharp/extractor/Semmle.Extraction.CSharp/Entities/Expressions/Cast.cs
index 6f2551ec904..2afe7a9b37e 100644
--- a/csharp/extractor/Semmle.Extraction.CSharp/Entities/Expressions/Cast.cs
+++ b/csharp/extractor/Semmle.Extraction.CSharp/Entities/Expressions/Cast.cs
@@ -16,17 +16,17 @@ namespace Semmle.Extraction.CSharp.Entities.Expressions
 
         protected override void PopulateExpression(TextWriter trapFile)
         {
-            Create(cx, Syntax.Expression, this, ExpressionIndex);
+            Create(Context, Syntax.Expression, this, ExpressionIndex);
 
             if (Kind == ExprKind.CAST)
             {  // Type cast
-                TypeAccess.Create(new ExpressionNodeInfo(cx, Syntax.Type, this, TypeAccessIndex));
+                TypeAccess.Create(new ExpressionNodeInfo(Context, Syntax.Type, this, TypeAccessIndex));
             }
             else
             {
                 // Type conversion
                 OperatorCall(trapFile, Syntax);
-                TypeMention.Create(cx, Syntax.Type, this, Type);
+                TypeMention.Create(Context, Syntax.Type, this, Type);
             }
         }
 
diff --git a/csharp/extractor/Semmle.Extraction.CSharp/Entities/Expressions/Checked.cs b/csharp/extractor/Semmle.Extraction.CSharp/Entities/Expressions/Checked.cs
index e6958c4511c..4be8b378937 100644
--- a/csharp/extractor/Semmle.Extraction.CSharp/Entities/Expressions/Checked.cs
+++ b/csharp/extractor/Semmle.Extraction.CSharp/Entities/Expressions/Checked.cs
@@ -12,7 +12,7 @@ namespace Semmle.Extraction.CSharp.Entities.Expressions
 
         protected override void PopulateExpression(TextWriter trapFile)
         {
-            Create(cx, Syntax.Expression, this, 0);
+            Create(Context, Syntax.Expression, this, 0);
         }
     }
 }
diff --git a/csharp/extractor/Semmle.Extraction.CSharp/Entities/Expressions/Conditional.cs b/csharp/extractor/Semmle.Extraction.CSharp/Entities/Expressions/Conditional.cs
index bfa4a836feb..193c88b112a 100644
--- a/csharp/extractor/Semmle.Extraction.CSharp/Entities/Expressions/Conditional.cs
+++ b/csharp/extractor/Semmle.Extraction.CSharp/Entities/Expressions/Conditional.cs
@@ -12,9 +12,9 @@ namespace Semmle.Extraction.CSharp.Entities.Expressions
 
         protected override void PopulateExpression(TextWriter trapFile)
         {
-            Create(cx, Syntax.Condition, this, 0);
-            Create(cx, Syntax.WhenTrue, this, 1);
-            Create(cx, Syntax.WhenFalse, this, 2);
+            Create(Context, Syntax.Condition, this, 0);
+            Create(Context, Syntax.WhenTrue, this, 1);
+            Create(Context, Syntax.WhenFalse, this, 2);
         }
     }
 }
diff --git a/csharp/extractor/Semmle.Extraction.CSharp/Entities/Expressions/Default.cs b/csharp/extractor/Semmle.Extraction.CSharp/Entities/Expressions/Default.cs
index 326516bba1b..9e1b42834b1 100644
--- a/csharp/extractor/Semmle.Extraction.CSharp/Entities/Expressions/Default.cs
+++ b/csharp/extractor/Semmle.Extraction.CSharp/Entities/Expressions/Default.cs
@@ -12,7 +12,7 @@ namespace Semmle.Extraction.CSharp.Entities.Expressions
 
         protected override void PopulateExpression(TextWriter trapFile)
         {
-            TypeAccess.Create(cx, Syntax.Type, this, 0);
+            TypeAccess.Create(Context, Syntax.Type, this, 0);
         }
     }
 }
diff --git a/csharp/extractor/Semmle.Extraction.CSharp/Entities/Expressions/ElementAccess.cs b/csharp/extractor/Semmle.Extraction.CSharp/Entities/Expressions/ElementAccess.cs
index 59e573984fe..e860731ece3 100644
--- a/csharp/extractor/Semmle.Extraction.CSharp/Entities/Expressions/ElementAccess.cs
+++ b/csharp/extractor/Semmle.Extraction.CSharp/Entities/Expressions/ElementAccess.cs
@@ -22,22 +22,22 @@ namespace Semmle.Extraction.CSharp.Entities.Expressions
         {
             if (Kind == ExprKind.POINTER_INDIRECTION)
             {
-                var qualifierInfo = new ExpressionNodeInfo(cx, qualifier, this, 0);
-                var add = new Expression(new ExpressionInfo(cx, qualifierInfo.Type, Location, ExprKind.ADD, this, 0, false, null));
+                var qualifierInfo = new ExpressionNodeInfo(Context, qualifier, this, 0);
+                var add = new Expression(new ExpressionInfo(Context, qualifierInfo.Type, Location, ExprKind.ADD, this, 0, false, null));
                 qualifierInfo.SetParent(add, 0);
                 CreateFromNode(qualifierInfo);
                 PopulateArguments(trapFile, argumentList, 1);
             }
             else
             {
-                Create(cx, qualifier, this, -1);
+                Create(Context, qualifier, this, -1);
                 PopulateArguments(trapFile, argumentList, 0);
 
-                var symbolInfo = cx.GetSymbolInfo(base.Syntax);
+                var symbolInfo = Context.GetSymbolInfo(base.Syntax);
 
                 if (symbolInfo.Symbol is IPropertySymbol indexer)
                 {
-                    trapFile.expr_access(this, Indexer.Create(cx, indexer));
+                    trapFile.expr_access(this, Indexer.Create(Context, indexer));
                 }
             }
         }
diff --git a/csharp/extractor/Semmle.Extraction.CSharp/Entities/Expressions/ImplicitCast.cs b/csharp/extractor/Semmle.Extraction.CSharp/Entities/Expressions/ImplicitCast.cs
index eccead4a4de..96d8dec039a 100644
--- a/csharp/extractor/Semmle.Extraction.CSharp/Entities/Expressions/ImplicitCast.cs
+++ b/csharp/extractor/Semmle.Extraction.CSharp/Entities/Expressions/ImplicitCast.cs
@@ -14,7 +14,7 @@ namespace Semmle.Extraction.CSharp.Entities.Expressions
         public ImplicitCast(ExpressionNodeInfo info)
             : base(new ExpressionInfo(info.Context, info.ConvertedType, info.Location, ExprKind.CAST, info.Parent, info.Child, true, info.ExprValue))
         {
-            Expr = Factory.Create(new ExpressionNodeInfo(cx, info.Node, this, 0));
+            Expr = Factory.Create(new ExpressionNodeInfo(Context, info.Node, this, 0));
         }
 
         public ImplicitCast(ExpressionNodeInfo info, IMethodSymbol method)
@@ -22,11 +22,11 @@ namespace Semmle.Extraction.CSharp.Entities.Expressions
         {
             Expr = Factory.Create(info.SetParent(this, 0));
 
-            var target = Method.Create(cx, method);
+            var target = Method.Create(Context, method);
             if (target != null)
-                cx.TrapWriter.Writer.expr_call(this, target);
+                Context.TrapWriter.Writer.expr_call(this, target);
             else
-                cx.ModelError(info.Node, "Failed to resolve target for operator invocation");
+                Context.ModelError(info.Node, "Failed to resolve target for operator invocation");
         }
 
         /// <summary>
diff --git a/csharp/extractor/Semmle.Extraction.CSharp/Entities/Expressions/Initializer.cs b/csharp/extractor/Semmle.Extraction.CSharp/Entities/Expressions/Initializer.cs
index 14fea3d4ce7..7e36d1ac789 100644
--- a/csharp/extractor/Semmle.Extraction.CSharp/Entities/Expressions/Initializer.cs
+++ b/csharp/extractor/Semmle.Extraction.CSharp/Entities/Expressions/Initializer.cs
@@ -26,12 +26,12 @@ namespace Semmle.Extraction.CSharp.Entities.Expressions
                 if (e.Kind() == SyntaxKind.ArrayInitializerExpression)
                 {
                     // Recursively create another array initializer
-                    Create(new ExpressionNodeInfo(cx, (InitializerExpressionSyntax)e, this, child++));
+                    Create(new ExpressionNodeInfo(Context, (InitializerExpressionSyntax)e, this, child++));
                 }
                 else
                 {
                     // Create the expression normally.
-                    Create(cx, e, this, child++);
+                    Create(Context, e, this, child++);
                 }
             }
         }
@@ -61,7 +61,7 @@ namespace Semmle.Extraction.CSharp.Entities.Expressions
 
         protected override void PopulateExpression(TextWriter trapFile)
         {
-            ArrayInitializer.Create(new ExpressionNodeInfo(cx, Syntax, this, -1));
+            ArrayInitializer.Create(new ExpressionNodeInfo(Context, Syntax, this, -1));
             trapFile.implicitly_typed_array_creation(this);
         }
     }
@@ -81,9 +81,9 @@ namespace Semmle.Extraction.CSharp.Entities.Expressions
             {
                 if (init is AssignmentExpressionSyntax assignment)
                 {
-                    var assignmentInfo = new ExpressionNodeInfo(cx, init, this, child++).SetKind(ExprKind.SIMPLE_ASSIGN);
+                    var assignmentInfo = new ExpressionNodeInfo(Context, init, this, child++).SetKind(ExprKind.SIMPLE_ASSIGN);
                     var assignmentEntity = new Expression(assignmentInfo);
-                    var typeInfoRight = cx.GetTypeInfo(assignment.Right);
+                    var typeInfoRight = Context.GetTypeInfo(assignment.Right);
                     if (typeInfoRight.Type is null)
                         // The type may be null for nested initializers such as
                         // ```csharp
@@ -92,15 +92,15 @@ namespace Semmle.Extraction.CSharp.Entities.Expressions
                         // In this case we take the type from the assignment
                         // `As = { [0] = a }` instead
                         typeInfoRight = assignmentInfo.TypeInfo;
-                    CreateFromNode(new ExpressionNodeInfo(cx, assignment.Right, assignmentEntity, 0, typeInfoRight));
+                    CreateFromNode(new ExpressionNodeInfo(Context, assignment.Right, assignmentEntity, 0, typeInfoRight));
 
-                    var target = cx.GetSymbolInfo(assignment.Left);
+                    var target = Context.GetSymbolInfo(assignment.Left);
 
                     // If the target is null, then assume that this is an array initializer (of the form `[...] = ...`)
 
                     var access = target.Symbol is null ?
-                        new Expression(new ExpressionNodeInfo(cx, assignment.Left, assignmentEntity, 1).SetKind(ExprKind.ARRAY_ACCESS)) :
-                        Access.Create(new ExpressionNodeInfo(cx, assignment.Left, assignmentEntity, 1), target.Symbol, false, cx.CreateEntity(target.Symbol));
+                        new Expression(new ExpressionNodeInfo(Context, assignment.Left, assignmentEntity, 1).SetKind(ExprKind.ARRAY_ACCESS)) :
+                        Access.Create(new ExpressionNodeInfo(Context, assignment.Left, assignmentEntity, 1), target.Symbol, false, Context.CreateEntity(target.Symbol));
 
                     if (assignment.Left is ImplicitElementAccessSyntax iea)
                     {
@@ -109,14 +109,14 @@ namespace Semmle.Extraction.CSharp.Entities.Expressions
                         var indexChild = 0;
                         foreach (var arg in iea.ArgumentList.Arguments)
                         {
-                            Expression.Create(cx, arg.Expression, access, indexChild++);
+                            Expression.Create(Context, arg.Expression, access, indexChild++);
                         }
                     }
                 }
                 else
                 {
-                    cx.ModelError(init, "Unexpected object initialization");
-                    Create(cx, init, this, child++);
+                    Context.ModelError(init, "Unexpected object initialization");
+                    Create(Context, init, this, child++);
                 }
             }
         }
@@ -133,16 +133,16 @@ namespace Semmle.Extraction.CSharp.Entities.Expressions
             var child = 0;
             foreach (var i in Syntax.Expressions)
             {
-                var collectionInfo = cx.GetModel(Syntax).GetCollectionInitializerSymbolInfo(i);
-                var addMethod = Method.Create(cx, collectionInfo.Symbol as IMethodSymbol);
-                var voidType = AnnotatedTypeSymbol.CreateNotAnnotated(cx.Compilation.GetSpecialType(SpecialType.System_Void));
+                var collectionInfo = Context.GetModel(Syntax).GetCollectionInitializerSymbolInfo(i);
+                var addMethod = Method.Create(Context, collectionInfo.Symbol as IMethodSymbol);
+                var voidType = AnnotatedTypeSymbol.CreateNotAnnotated(Context.Compilation.GetSpecialType(SpecialType.System_Void));
 
-                var invocation = new Expression(new ExpressionInfo(cx, voidType, cx.CreateLocation(i.GetLocation()), ExprKind.METHOD_INVOCATION, this, child++, false, null));
+                var invocation = new Expression(new ExpressionInfo(Context, voidType, Context.CreateLocation(i.GetLocation()), ExprKind.METHOD_INVOCATION, this, child++, false, null));
 
                 if (addMethod != null)
                     trapFile.expr_call(invocation, addMethod);
                 else
-                    cx.ModelError(Syntax, "Unable to find an Add() method for collection initializer");
+                    Context.ModelError(Syntax, "Unable to find an Add() method for collection initializer");
 
                 if (i.Kind() == SyntaxKind.ComplexElementInitializerExpression)
                 {
@@ -154,12 +154,12 @@ namespace Semmle.Extraction.CSharp.Entities.Expressions
                     var addChild = 0;
                     foreach (var arg in init.Expressions)
                     {
-                        Create(cx, arg, invocation, addChild++);
+                        Create(Context, arg, invocation, addChild++);
                     }
                 }
                 else
                 {
-                    Create(cx, i, invocation, 0);
+                    Create(Context, i, invocation, 0);
                 }
             }
         }
diff --git a/csharp/extractor/Semmle.Extraction.CSharp/Entities/Expressions/InterpolatedString.cs b/csharp/extractor/Semmle.Extraction.CSharp/Entities/Expressions/InterpolatedString.cs
index 836aae35beb..ee69580f83a 100644
--- a/csharp/extractor/Semmle.Extraction.CSharp/Entities/Expressions/InterpolatedString.cs
+++ b/csharp/extractor/Semmle.Extraction.CSharp/Entities/Expressions/InterpolatedString.cs
@@ -22,12 +22,12 @@ namespace Semmle.Extraction.CSharp.Entities.Expressions
                 {
                     case SyntaxKind.Interpolation:
                         var interpolation = (InterpolationSyntax)c;
-                        Create(cx, interpolation.Expression, this, child++);
+                        Create(Context, interpolation.Expression, this, child++);
                         break;
                     case SyntaxKind.InterpolatedStringText:
                         // Create a string literal
                         var interpolatedText = (InterpolatedStringTextSyntax)c;
-                        new Expression(new ExpressionInfo(cx, Type, cx.CreateLocation(c.GetLocation()), ExprKind.STRING_LITERAL, this, child++, false, interpolatedText.TextToken.Text));
+                        new Expression(new ExpressionInfo(Context, Type, Context.CreateLocation(c.GetLocation()), ExprKind.STRING_LITERAL, this, child++, false, interpolatedText.TextToken.Text));
                         break;
                     default:
                         throw new InternalError(c, $"Unhandled interpolation kind {c.Kind()}");
diff --git a/csharp/extractor/Semmle.Extraction.CSharp/Entities/Expressions/Invocation.cs b/csharp/extractor/Semmle.Extraction.CSharp/Entities/Expressions/Invocation.cs
index 638822f3d27..2585ffe327f 100644
--- a/csharp/extractor/Semmle.Extraction.CSharp/Entities/Expressions/Invocation.cs
+++ b/csharp/extractor/Semmle.Extraction.CSharp/Entities/Expressions/Invocation.cs
@@ -37,15 +37,15 @@ namespace Semmle.Extraction.CSharp.Entities.Expressions
                     memberName = memberAccess.Name.Identifier.Text;
                     if (Syntax.Expression.Kind() == SyntaxKind.SimpleMemberAccessExpression)
                         // Qualified method call; `x.M()`
-                        Create(cx, memberAccess.Expression, this, child++);
+                        Create(Context, memberAccess.Expression, this, child++);
                     else
                         // Pointer member access; `x->M()`
-                        Create(cx, Syntax.Expression, this, child++);
+                        Create(Context, Syntax.Expression, this, child++);
                     break;
                 case MemberBindingExpressionSyntax memberBinding:
                     // Conditionally qualified method call; `x?.M()`
                     memberName = memberBinding.Name.Identifier.Text;
-                    Create(cx, FindConditionalQualifier(memberBinding), this, child++);
+                    Create(Context, FindConditionalQualifier(memberBinding), this, child++);
                     MakeConditional(trapFile);
                     break;
                 case SimpleNameSyntax simpleName when (Kind == ExprKind.METHOD_INVOCATION):
@@ -55,10 +55,10 @@ namespace Semmle.Extraction.CSharp.Entities.Expressions
                     {
                         // Implicit `this` qualifier; add explicitly
 
-                        if (cx.GetModel(Syntax).GetEnclosingSymbol(Location.symbol.SourceSpan.Start) is IMethodSymbol callingMethod)
-                            This.CreateImplicit(cx, callingMethod.ContainingType, Location, this, child++);
+                        if (Context.GetModel(Syntax).GetEnclosingSymbol(Location.symbol.SourceSpan.Start) is IMethodSymbol callingMethod)
+                            This.CreateImplicit(Context, callingMethod.ContainingType, Location, this, child++);
                         else
-                            cx.ModelError(Syntax, "Couldn't determine implicit this type");
+                            Context.ModelError(Syntax, "Couldn't determine implicit this type");
                     }
                     else
                     {
@@ -68,7 +68,7 @@ namespace Semmle.Extraction.CSharp.Entities.Expressions
                     break;
                 default:
                     // Delegate or function pointer call; `d()`
-                    Create(cx, Syntax.Expression, this, child++);
+                    Create(Context, Syntax.Expression, this, child++);
                     break;
             }
 
@@ -78,7 +78,7 @@ namespace Semmle.Extraction.CSharp.Entities.Expressions
                 if (memberName != null)
                     trapFile.dynamic_member_name(this, memberName);
                 else
-                    cx.ModelError(Syntax, "Unable to get name for dynamic call.");
+                    Context.ModelError(Syntax, "Unable to get name for dynamic call.");
             }
 
             PopulateArguments(trapFile, Syntax.ArgumentList, child);
@@ -86,11 +86,11 @@ namespace Semmle.Extraction.CSharp.Entities.Expressions
             if (target == null)
             {
                 if (!isDynamicCall && !IsDelegateLikeCall(info))
-                    cx.ModelError(Syntax, "Unable to resolve target for call. (Compilation error?)");
+                    Context.ModelError(Syntax, "Unable to resolve target for call. (Compilation error?)");
                 return;
             }
 
-            var targetKey = Method.Create(cx, target);
+            var targetKey = Method.Create(Context, target);
             trapFile.expr_call(this, targetKey);
         }
 
@@ -125,7 +125,7 @@ namespace Semmle.Extraction.CSharp.Entities.Expressions
                         .Where(method => method.Parameters.Length >= Syntax.ArgumentList.Arguments.Count)
                         .Where(method => method.Parameters.Count(p => !p.HasExplicitDefaultValue) <= Syntax.ArgumentList.Arguments.Count);
 
-                    return cx.Extractor.Standalone ?
+                    return Context.Extractor.Standalone ?
                         candidates.FirstOrDefault() :
                         candidates.SingleOrDefault();
                 }
diff --git a/csharp/extractor/Semmle.Extraction.CSharp/Entities/Expressions/IsPattern.cs b/csharp/extractor/Semmle.Extraction.CSharp/Entities/Expressions/IsPattern.cs
index 741d108ba01..1c335474a68 100644
--- a/csharp/extractor/Semmle.Extraction.CSharp/Entities/Expressions/IsPattern.cs
+++ b/csharp/extractor/Semmle.Extraction.CSharp/Entities/Expressions/IsPattern.cs
@@ -12,8 +12,8 @@ namespace Semmle.Extraction.CSharp.Entities.Expressions
 
         protected override void PopulateExpression(TextWriter trapFile)
         {
-            Create(cx, Syntax.Expression, this, 0);
-            Expressions.Pattern.Create(cx, Syntax.Pattern, this, 1);
+            Create(Context, Syntax.Expression, this, 0);
+            Expressions.Pattern.Create(Context, Syntax.Pattern, this, 1);
         }
 
         public static Expression Create(ExpressionNodeInfo info) => new IsPattern(info).TryPopulate();
diff --git a/csharp/extractor/Semmle.Extraction.CSharp/Entities/Expressions/Lambda.cs b/csharp/extractor/Semmle.Extraction.CSharp/Entities/Expressions/Lambda.cs
index 40f200ef5ef..2cd23101b1c 100644
--- a/csharp/extractor/Semmle.Extraction.CSharp/Entities/Expressions/Lambda.cs
+++ b/csharp/extractor/Semmle.Extraction.CSharp/Entities/Expressions/Lambda.cs
@@ -17,34 +17,34 @@ namespace Semmle.Extraction.CSharp.Entities.Expressions
 
         private void VisitParameter(ParameterSyntax p)
         {
-            var symbol = cx.GetModel(p).GetDeclaredSymbol(p);
-            Parameter.Create(cx, symbol, this);
+            var symbol = Context.GetModel(p).GetDeclaredSymbol(p);
+            Parameter.Create(Context, symbol, this);
         }
 
         private Lambda(ExpressionNodeInfo info, CSharpSyntaxNode body, IEnumerable<ParameterSyntax> @params)
             : base(info)
         {
-            if (cx.GetModel(info.Node).GetSymbolInfo(info.Node).Symbol is IMethodSymbol symbol)
+            if (Context.GetModel(info.Node).GetSymbolInfo(info.Node).Symbol is IMethodSymbol symbol)
             {
-                Modifier.ExtractModifiers(cx, info.Context.TrapWriter.Writer, this, symbol);
+                Modifier.ExtractModifiers(Context, info.Context.TrapWriter.Writer, this, symbol);
             }
             else
             {
-                cx.ModelError(info.Node, "Unknown declared symbol");
+                Context.ModelError(info.Node, "Unknown declared symbol");
             }
 
             // No need to use `Populate` as the population happens later
-            cx.PopulateLater(() =>
+            Context.PopulateLater(() =>
             {
                 foreach (var param in @params)
                     VisitParameter(param);
 
                 if (body is ExpressionSyntax exprBody)
-                    Create(cx, exprBody, this, 0);
+                    Create(Context, exprBody, this, 0);
                 else if (body is BlockSyntax blockBody)
-                    Statements.Block.Create(cx, blockBody, this, 0);
+                    Statements.Block.Create(Context, blockBody, this, 0);
                 else
-                    cx.ModelError(body, "Unhandled lambda body");
+                    Context.ModelError(body, "Unhandled lambda body");
             });
         }
 
diff --git a/csharp/extractor/Semmle.Extraction.CSharp/Entities/Expressions/MakeRef.cs b/csharp/extractor/Semmle.Extraction.CSharp/Entities/Expressions/MakeRef.cs
index 751d6b6e92c..66f2fd8676a 100644
--- a/csharp/extractor/Semmle.Extraction.CSharp/Entities/Expressions/MakeRef.cs
+++ b/csharp/extractor/Semmle.Extraction.CSharp/Entities/Expressions/MakeRef.cs
@@ -12,7 +12,7 @@ namespace Semmle.Extraction.CSharp.Entities.Expressions
 
         protected override void PopulateExpression(TextWriter trapFile)
         {
-            Create(cx, Syntax.Expression, this, 0);
+            Create(Context, Syntax.Expression, this, 0);
         }
     }
 }
diff --git a/csharp/extractor/Semmle.Extraction.CSharp/Entities/Expressions/MemberAccess.cs b/csharp/extractor/Semmle.Extraction.CSharp/Entities/Expressions/MemberAccess.cs
index 7d2777540f0..fa9d3c9a6dd 100644
--- a/csharp/extractor/Semmle.Extraction.CSharp/Entities/Expressions/MemberAccess.cs
+++ b/csharp/extractor/Semmle.Extraction.CSharp/Entities/Expressions/MemberAccess.cs
@@ -9,16 +9,16 @@ namespace Semmle.Extraction.CSharp.Entities.Expressions
         private MemberAccess(ExpressionNodeInfo info, ExpressionSyntax qualifier, ISymbol target) : base(info)
         {
             var trapFile = info.Context.TrapWriter.Writer;
-            Qualifier = Create(cx, qualifier, this, -1);
+            Qualifier = Create(Context, qualifier, this, -1);
 
             if (target == null)
             {
                 if (info.Kind != ExprKind.DYNAMIC_MEMBER_ACCESS)
-                    cx.ModelError(info.Node, "Could not determine target for member access");
+                    Context.ModelError(info.Node, "Could not determine target for member access");
             }
             else
             {
-                var t = cx.CreateEntity(target);
+                var t = Context.CreateEntity(target);
                 trapFile.expr_access(this, t);
             }
         }
diff --git a/csharp/extractor/Semmle.Extraction.CSharp/Entities/Expressions/ObjectCreation/AnonymousObjectCreation.cs b/csharp/extractor/Semmle.Extraction.CSharp/Entities/Expressions/ObjectCreation/AnonymousObjectCreation.cs
index 5a94a4333e8..df291c4e9fd 100644
--- a/csharp/extractor/Semmle.Extraction.CSharp/Entities/Expressions/ObjectCreation/AnonymousObjectCreation.cs
+++ b/csharp/extractor/Semmle.Extraction.CSharp/Entities/Expressions/ObjectCreation/AnonymousObjectCreation.cs
@@ -17,32 +17,32 @@ namespace Semmle.Extraction.CSharp.Entities.Expressions
 
         protected override void PopulateExpression(TextWriter trapFile)
         {
-            var target = cx.GetSymbolInfo(Syntax);
+            var target = Context.GetSymbolInfo(Syntax);
             var method = (IMethodSymbol)target.Symbol;
 
             if (method != null)
             {
-                trapFile.expr_call(this, Method.Create(cx, method));
+                trapFile.expr_call(this, Method.Create(Context, method));
             }
             var child = 0;
 
             var objectInitializer = Syntax.Initializers.Any() ?
-                new Expression(new ExpressionInfo(cx, Type, Location, ExprKind.OBJECT_INIT, this, -1, false, null)) :
+                new Expression(new ExpressionInfo(Context, Type, Location, ExprKind.OBJECT_INIT, this, -1, false, null)) :
                 null;
 
             foreach (var init in Syntax.Initializers)
             {
                 // Create an "assignment"
-                var property = cx.GetModel(init).GetDeclaredSymbol(init);
-                var propEntity = Property.Create(cx, property);
+                var property = Context.GetModel(init).GetDeclaredSymbol(init);
+                var propEntity = Property.Create(Context, property);
                 var type = property.GetAnnotatedType();
-                var loc = cx.CreateLocation(init.GetLocation());
+                var loc = Context.CreateLocation(init.GetLocation());
 
-                var assignment = new Expression(new ExpressionInfo(cx, type, loc, ExprKind.SIMPLE_ASSIGN, objectInitializer, child++, false, null));
-                Create(cx, init.Expression, assignment, 0);
-                Property.Create(cx, property);
+                var assignment = new Expression(new ExpressionInfo(Context, type, loc, ExprKind.SIMPLE_ASSIGN, objectInitializer, child++, false, null));
+                Create(Context, init.Expression, assignment, 0);
+                Property.Create(Context, property);
 
-                var access = new Expression(new ExpressionInfo(cx, type, loc, ExprKind.PROPERTY_ACCESS, assignment, 1, false, null));
+                var access = new Expression(new ExpressionInfo(Context, type, loc, ExprKind.PROPERTY_ACCESS, assignment, 1, false, null));
                 trapFile.expr_access(access, propEntity);
             }
         }
diff --git a/csharp/extractor/Semmle.Extraction.CSharp/Entities/Expressions/ObjectCreation/BaseObjectCreation.cs b/csharp/extractor/Semmle.Extraction.CSharp/Entities/Expressions/ObjectCreation/BaseObjectCreation.cs
index 10f4df8bf7f..6f2c38b63db 100644
--- a/csharp/extractor/Semmle.Extraction.CSharp/Entities/Expressions/ObjectCreation/BaseObjectCreation.cs
+++ b/csharp/extractor/Semmle.Extraction.CSharp/Entities/Expressions/ObjectCreation/BaseObjectCreation.cs
@@ -22,22 +22,22 @@ namespace Semmle.Extraction.CSharp.Entities.Expressions
                 PopulateArguments(trapFile, Syntax.ArgumentList, 0);
             }
 
-            var target = cx.GetModel(Syntax).GetSymbolInfo(Syntax);
+            var target = Context.GetModel(Syntax).GetSymbolInfo(Syntax);
             if (target.Symbol is IMethodSymbol method)
             {
-                trapFile.expr_call(this, Method.Create(cx, method));
+                trapFile.expr_call(this, Method.Create(Context, method));
             }
 
-            if (IsDynamicObjectCreation(cx, Syntax))
+            if (IsDynamicObjectCreation(Context, Syntax))
             {
-                if (cx.GetModel(Syntax).GetTypeInfo(Syntax).Type is INamedTypeSymbol type &&
+                if (Context.GetModel(Syntax).GetTypeInfo(Syntax).Type is INamedTypeSymbol type &&
                     !string.IsNullOrEmpty(type.Name))
                 {
                     trapFile.dynamic_member_name(this, type.Name);
                 }
                 else
                 {
-                    cx.ModelError(Syntax, "Unable to get name for dynamic object creation.");
+                    Context.ModelError(Syntax, "Unable to get name for dynamic object creation.");
                 }
             }
 
@@ -46,13 +46,13 @@ namespace Semmle.Extraction.CSharp.Entities.Expressions
                 switch (Syntax.Initializer.Kind())
                 {
                     case SyntaxKind.CollectionInitializerExpression:
-                        CollectionInitializer.Create(new ExpressionNodeInfo(cx, Syntax.Initializer, this, -1).SetType(Type));
+                        CollectionInitializer.Create(new ExpressionNodeInfo(Context, Syntax.Initializer, this, -1).SetType(Type));
                         break;
                     case SyntaxKind.ObjectInitializerExpression:
-                        ObjectInitializer.Create(new ExpressionNodeInfo(cx, Syntax.Initializer, this, -1).SetType(Type));
+                        ObjectInitializer.Create(new ExpressionNodeInfo(Context, Syntax.Initializer, this, -1).SetType(Type));
                         break;
                     default:
-                        cx.ModelError("Unhandled initializer in object creation");
+                        Context.ModelError("Unhandled initializer in object creation");
                         break;
                 }
             }
diff --git a/csharp/extractor/Semmle.Extraction.CSharp/Entities/Expressions/ObjectCreation/ExplicitObjectCreation.cs b/csharp/extractor/Semmle.Extraction.CSharp/Entities/Expressions/ObjectCreation/ExplicitObjectCreation.cs
index 51b2db20a9e..f51ab0cb810 100644
--- a/csharp/extractor/Semmle.Extraction.CSharp/Entities/Expressions/ObjectCreation/ExplicitObjectCreation.cs
+++ b/csharp/extractor/Semmle.Extraction.CSharp/Entities/Expressions/ObjectCreation/ExplicitObjectCreation.cs
@@ -14,7 +14,7 @@ namespace Semmle.Extraction.CSharp.Entities.Expressions
         {
             base.PopulateExpression(trapFile);
 
-            TypeMention.Create(cx, Syntax.Type, this, Type);
+            TypeMention.Create(Context, Syntax.Type, this, Type);
         }
     }
 }
diff --git a/csharp/extractor/Semmle.Extraction.CSharp/Entities/Expressions/PointerMemberAccess.cs b/csharp/extractor/Semmle.Extraction.CSharp/Entities/Expressions/PointerMemberAccess.cs
index 01df338d1b3..a8ea0a30780 100644
--- a/csharp/extractor/Semmle.Extraction.CSharp/Entities/Expressions/PointerMemberAccess.cs
+++ b/csharp/extractor/Semmle.Extraction.CSharp/Entities/Expressions/PointerMemberAccess.cs
@@ -12,7 +12,7 @@ namespace Semmle.Extraction.CSharp.Entities.Expressions
 
         protected override void PopulateExpression(TextWriter trapFile)
         {
-            Create(cx, Syntax.Expression, this, 0);
+            Create(Context, Syntax.Expression, this, 0);
 
             // !! We do not currently look at the member (or store the member name).
         }
diff --git a/csharp/extractor/Semmle.Extraction.CSharp/Entities/Expressions/PostfixUnary.cs b/csharp/extractor/Semmle.Extraction.CSharp/Entities/Expressions/PostfixUnary.cs
index 30c6058d95f..24d07441964 100644
--- a/csharp/extractor/Semmle.Extraction.CSharp/Entities/Expressions/PostfixUnary.cs
+++ b/csharp/extractor/Semmle.Extraction.CSharp/Entities/Expressions/PostfixUnary.cs
@@ -20,7 +20,7 @@ namespace Semmle.Extraction.CSharp.Entities.Expressions
 
         protected override void PopulateExpression(TextWriter trapFile)
         {
-            Create(cx, operand, this, 0);
+            Create(Context, operand, this, 0);
             OperatorCall(trapFile, Syntax);
 
             if ((operatorKind == ExprKind.POST_INCR || operatorKind == ExprKind.POST_DECR) &&
diff --git a/csharp/extractor/Semmle.Extraction.CSharp/Entities/Expressions/RangeExpression.cs b/csharp/extractor/Semmle.Extraction.CSharp/Entities/Expressions/RangeExpression.cs
index db5cd138155..2011f4ae367 100644
--- a/csharp/extractor/Semmle.Extraction.CSharp/Entities/Expressions/RangeExpression.cs
+++ b/csharp/extractor/Semmle.Extraction.CSharp/Entities/Expressions/RangeExpression.cs
@@ -13,9 +13,9 @@ namespace Semmle.Extraction.CSharp.Entities.Expressions
         protected override void PopulateExpression(TextWriter trapFile)
         {
             if (!(Syntax.LeftOperand is null))
-                Expression.Create(cx, Syntax.LeftOperand, this, 0);
+                Expression.Create(Context, Syntax.LeftOperand, this, 0);
             if (!(Syntax.RightOperand is null))
-                Expression.Create(cx, Syntax.RightOperand, this, 1);
+                Expression.Create(Context, Syntax.RightOperand, this, 1);
         }
 
         public static Expression Create(ExpressionNodeInfo info) => new RangeExpression(info).TryPopulate();
diff --git a/csharp/extractor/Semmle.Extraction.CSharp/Entities/Expressions/Ref.cs b/csharp/extractor/Semmle.Extraction.CSharp/Entities/Expressions/Ref.cs
index 5b38b9b8ee6..ef28f5d7e25 100644
--- a/csharp/extractor/Semmle.Extraction.CSharp/Entities/Expressions/Ref.cs
+++ b/csharp/extractor/Semmle.Extraction.CSharp/Entities/Expressions/Ref.cs
@@ -12,7 +12,7 @@ namespace Semmle.Extraction.CSharp.Entities.Expressions
 
         protected override void PopulateExpression(TextWriter trapFile)
         {
-            Create(cx, Syntax.Expression, this, 0);
+            Create(Context, Syntax.Expression, this, 0);
         }
     }
 }
diff --git a/csharp/extractor/Semmle.Extraction.CSharp/Entities/Expressions/RefType.cs b/csharp/extractor/Semmle.Extraction.CSharp/Entities/Expressions/RefType.cs
index 37f7e2a3f76..815a5928f51 100644
--- a/csharp/extractor/Semmle.Extraction.CSharp/Entities/Expressions/RefType.cs
+++ b/csharp/extractor/Semmle.Extraction.CSharp/Entities/Expressions/RefType.cs
@@ -12,7 +12,7 @@ namespace Semmle.Extraction.CSharp.Entities.Expressions
 
         protected override void PopulateExpression(TextWriter trapFile)
         {
-            Create(cx, Syntax.Expression, this, 0);
+            Create(Context, Syntax.Expression, this, 0);
         }
     }
 }
diff --git a/csharp/extractor/Semmle.Extraction.CSharp/Entities/Expressions/RefValue.cs b/csharp/extractor/Semmle.Extraction.CSharp/Entities/Expressions/RefValue.cs
index 2372cc4bb09..7d9187533ae 100644
--- a/csharp/extractor/Semmle.Extraction.CSharp/Entities/Expressions/RefValue.cs
+++ b/csharp/extractor/Semmle.Extraction.CSharp/Entities/Expressions/RefValue.cs
@@ -12,8 +12,8 @@ namespace Semmle.Extraction.CSharp.Entities.Expressions
 
         protected override void PopulateExpression(TextWriter trapFile)
         {
-            Create(cx, Syntax.Expression, this, 0);
-            Create(cx, Syntax.Type, this, 1);   // A type-access
+            Create(Context, Syntax.Expression, this, 0);
+            Create(Context, Syntax.Type, this, 1);   // A type-access
         }
     }
 }
diff --git a/csharp/extractor/Semmle.Extraction.CSharp/Entities/Expressions/Sizeof.cs b/csharp/extractor/Semmle.Extraction.CSharp/Entities/Expressions/Sizeof.cs
index a4b89928e00..d55fe1781ce 100644
--- a/csharp/extractor/Semmle.Extraction.CSharp/Entities/Expressions/Sizeof.cs
+++ b/csharp/extractor/Semmle.Extraction.CSharp/Entities/Expressions/Sizeof.cs
@@ -12,7 +12,7 @@ namespace Semmle.Extraction.CSharp.Entities.Expressions
 
         protected override void PopulateExpression(TextWriter trapFile)
         {
-            TypeAccess.Create(cx, Syntax.Type, this, 0);
+            TypeAccess.Create(Context, Syntax.Type, this, 0);
         }
     }
 }
diff --git a/csharp/extractor/Semmle.Extraction.CSharp/Entities/Expressions/Switch.cs b/csharp/extractor/Semmle.Extraction.CSharp/Entities/Expressions/Switch.cs
index a6095ec63a2..3dbe496cd4c 100644
--- a/csharp/extractor/Semmle.Extraction.CSharp/Entities/Expressions/Switch.cs
+++ b/csharp/extractor/Semmle.Extraction.CSharp/Entities/Expressions/Switch.cs
@@ -17,10 +17,10 @@ namespace Semmle.Extraction.CSharp.Entities.Expressions
 
         protected override void PopulateExpression(TextWriter trapFile)
         {
-            SwitchedExpr = Expression.Create(cx, Syntax.GoverningExpression, this, -1);
+            SwitchedExpr = Expression.Create(Context, Syntax.GoverningExpression, this, -1);
             for (var i = 0; i < Syntax.Arms.Count; i++)
             {
-                new SwitchCase(cx, Syntax.Arms[i], this, i);
+                new SwitchCase(Context, Syntax.Arms[i], this, i);
             }
         }
     }
diff --git a/csharp/extractor/Semmle.Extraction.CSharp/Entities/Expressions/Throw.cs b/csharp/extractor/Semmle.Extraction.CSharp/Entities/Expressions/Throw.cs
index 5ef8feaebb6..36d0b34bf95 100644
--- a/csharp/extractor/Semmle.Extraction.CSharp/Entities/Expressions/Throw.cs
+++ b/csharp/extractor/Semmle.Extraction.CSharp/Entities/Expressions/Throw.cs
@@ -12,7 +12,7 @@ namespace Semmle.Extraction.CSharp.Entities.Expressions
 
         protected override void PopulateExpression(TextWriter trapFile)
         {
-            Create(cx, Syntax.Expression, this, 0);
+            Create(Context, Syntax.Expression, this, 0);
         }
     }
 }
diff --git a/csharp/extractor/Semmle.Extraction.CSharp/Entities/Expressions/Tuple.cs b/csharp/extractor/Semmle.Extraction.CSharp/Entities/Expressions/Tuple.cs
index f2911bdcf75..726f8f540d7 100644
--- a/csharp/extractor/Semmle.Extraction.CSharp/Entities/Expressions/Tuple.cs
+++ b/csharp/extractor/Semmle.Extraction.CSharp/Entities/Expressions/Tuple.cs
@@ -18,7 +18,7 @@ namespace Semmle.Extraction.CSharp.Entities.Expressions
             var child = 0;
             foreach (var argument in Syntax.Arguments.Select(a => a.Expression))
             {
-                Expression.Create(cx, argument, this, child++);
+                Expression.Create(Context, argument, this, child++);
             }
         }
     }
diff --git a/csharp/extractor/Semmle.Extraction.CSharp/Entities/Expressions/TypeAccess.cs b/csharp/extractor/Semmle.Extraction.CSharp/Entities/Expressions/TypeAccess.cs
index e5c0fd3ac66..54b9730e3d7 100644
--- a/csharp/extractor/Semmle.Extraction.CSharp/Entities/Expressions/TypeAccess.cs
+++ b/csharp/extractor/Semmle.Extraction.CSharp/Entities/Expressions/TypeAccess.cs
@@ -18,17 +18,17 @@ namespace Semmle.Extraction.CSharp.Entities.Expressions
                     if (Type?.Symbol.ContainingType is null)
                     {
                         // namespace qualifier
-                        TypeMention.Create(cx, maes.Name, this, Type, Syntax.GetLocation());
+                        TypeMention.Create(Context, maes.Name, this, Type, Syntax.GetLocation());
                     }
                     else
                     {
                         // type qualifier
-                        TypeMention.Create(cx, maes.Name, this, Type);
-                        Create(cx, maes.Expression, this, -1);
+                        TypeMention.Create(Context, maes.Name, this, Type);
+                        Create(Context, maes.Expression, this, -1);
                     }
                     return;
                 default:
-                    TypeMention.Create(cx, (TypeSyntax)Syntax, this, Type);
+                    TypeMention.Create(Context, (TypeSyntax)Syntax, this, Type);
                     return;
             }
         }
diff --git a/csharp/extractor/Semmle.Extraction.CSharp/Entities/Expressions/TypeOf.cs b/csharp/extractor/Semmle.Extraction.CSharp/Entities/Expressions/TypeOf.cs
index 686e4156528..6e5dc3e05f1 100644
--- a/csharp/extractor/Semmle.Extraction.CSharp/Entities/Expressions/TypeOf.cs
+++ b/csharp/extractor/Semmle.Extraction.CSharp/Entities/Expressions/TypeOf.cs
@@ -14,7 +14,7 @@ namespace Semmle.Extraction.CSharp.Entities.Expressions
 
         protected override void PopulateExpression(TextWriter trapFile)
         {
-            TypeAccess.Create(cx, Syntax.Type, this, TypeAccessIndex);
+            TypeAccess.Create(Context, Syntax.Type, this, TypeAccessIndex);
         }
 
         public static Expression CreateGenerated(Context cx, IExpressionParentEntity parent, int childIndex, Microsoft.CodeAnalysis.ITypeSymbol type, Extraction.Entities.Location location)
diff --git a/csharp/extractor/Semmle.Extraction.CSharp/Entities/Expressions/Unary.cs b/csharp/extractor/Semmle.Extraction.CSharp/Entities/Expressions/Unary.cs
index f3c2c73b074..8cad73d6565 100644
--- a/csharp/extractor/Semmle.Extraction.CSharp/Entities/Expressions/Unary.cs
+++ b/csharp/extractor/Semmle.Extraction.CSharp/Entities/Expressions/Unary.cs
@@ -23,7 +23,7 @@ namespace Semmle.Extraction.CSharp.Entities.Expressions
 
         protected override void PopulateExpression(TextWriter trapFile)
         {
-            Create(cx, Syntax.Operand, this, 0);
+            Create(Context, Syntax.Operand, this, 0);
             OperatorCall(trapFile, Syntax);
 
             if ((operatorKind == ExprKind.PRE_INCR || operatorKind == ExprKind.PRE_DECR) &&
diff --git a/csharp/extractor/Semmle.Extraction.CSharp/Entities/Expressions/Unchecked.cs b/csharp/extractor/Semmle.Extraction.CSharp/Entities/Expressions/Unchecked.cs
index 5ffcf414132..016c3fcefc8 100644
--- a/csharp/extractor/Semmle.Extraction.CSharp/Entities/Expressions/Unchecked.cs
+++ b/csharp/extractor/Semmle.Extraction.CSharp/Entities/Expressions/Unchecked.cs
@@ -12,7 +12,7 @@ namespace Semmle.Extraction.CSharp.Entities.Expressions
 
         protected override void PopulateExpression(TextWriter trapFile)
         {
-            Create(cx, Syntax.Expression, this, 0);
+            Create(Context, Syntax.Expression, this, 0);
         }
     }
 }
diff --git a/csharp/extractor/Semmle.Extraction.CSharp/Entities/PreprocessorDirectives/ElifDirective.cs b/csharp/extractor/Semmle.Extraction.CSharp/Entities/PreprocessorDirectives/ElifDirective.cs
index ace89464b96..ece87fd1f42 100644
--- a/csharp/extractor/Semmle.Extraction.CSharp/Entities/PreprocessorDirectives/ElifDirective.cs
+++ b/csharp/extractor/Semmle.Extraction.CSharp/Entities/PreprocessorDirectives/ElifDirective.cs
@@ -22,7 +22,7 @@ namespace Semmle.Extraction.CSharp.Entities
         {
             trapFile.directive_elifs(this, trivia.BranchTaken, trivia.ConditionValue, start, index);
 
-            Expression.Create(cx, trivia.Condition, this, 0);
+            Expression.Create(Context, trivia.Condition, this, 0);
         }
     }
 }
diff --git a/csharp/extractor/Semmle.Extraction.CSharp/Entities/PreprocessorDirectives/IfDirective.cs b/csharp/extractor/Semmle.Extraction.CSharp/Entities/PreprocessorDirectives/IfDirective.cs
index e1b81e60d8a..29c6f741620 100644
--- a/csharp/extractor/Semmle.Extraction.CSharp/Entities/PreprocessorDirectives/IfDirective.cs
+++ b/csharp/extractor/Semmle.Extraction.CSharp/Entities/PreprocessorDirectives/IfDirective.cs
@@ -16,7 +16,7 @@ namespace Semmle.Extraction.CSharp.Entities
         {
             trapFile.directive_ifs(this, trivia.BranchTaken, trivia.ConditionValue);
 
-            Expression.Create(cx, trivia.Condition, this, 0);
+            Expression.Create(Context, trivia.Condition, this, 0);
         }
     }
 }
diff --git a/csharp/extractor/Semmle.Extraction.CSharp/Entities/PreprocessorDirectives/LineDirective.cs b/csharp/extractor/Semmle.Extraction.CSharp/Entities/PreprocessorDirectives/LineDirective.cs
index 54681d317e9..470f54f379a 100644
--- a/csharp/extractor/Semmle.Extraction.CSharp/Entities/PreprocessorDirectives/LineDirective.cs
+++ b/csharp/extractor/Semmle.Extraction.CSharp/Entities/PreprocessorDirectives/LineDirective.cs
@@ -31,7 +31,7 @@ namespace Semmle.Extraction.CSharp.Entities
 
                 if (!string.IsNullOrWhiteSpace(trivia.File.ValueText))
                 {
-                    var file = Extraction.Entities.File.Create(cx, trivia.File.ValueText);
+                    var file = Extraction.Entities.File.Create(Context, trivia.File.ValueText);
                     trapFile.directive_line_file(this, file);
                 }
             }
diff --git a/csharp/extractor/Semmle.Extraction.CSharp/Entities/PreprocessorDirectives/PragmaChecksumDirective.cs b/csharp/extractor/Semmle.Extraction.CSharp/Entities/PreprocessorDirectives/PragmaChecksumDirective.cs
index dff901fa826..572b77e2c73 100644
--- a/csharp/extractor/Semmle.Extraction.CSharp/Entities/PreprocessorDirectives/PragmaChecksumDirective.cs
+++ b/csharp/extractor/Semmle.Extraction.CSharp/Entities/PreprocessorDirectives/PragmaChecksumDirective.cs
@@ -12,7 +12,7 @@ namespace Semmle.Extraction.CSharp.Entities
 
         protected override void PopulatePreprocessor(TextWriter trapFile)
         {
-            var file = Extraction.Entities.File.Create(cx, trivia.File.ValueText);
+            var file = Extraction.Entities.File.Create(Context, trivia.File.ValueText);
             trapFile.pragma_checksums(this, file, trivia.Guid.ToString(), trivia.Bytes.ToString());
         }
     }
diff --git a/csharp/extractor/Semmle.Extraction.CSharp/Entities/PreprocessorDirectives/PreprocessorDirective.cs b/csharp/extractor/Semmle.Extraction.CSharp/Entities/PreprocessorDirectives/PreprocessorDirective.cs
index 4575dd8b8dc..13e702603ab 100644
--- a/csharp/extractor/Semmle.Extraction.CSharp/Entities/PreprocessorDirectives/PreprocessorDirective.cs
+++ b/csharp/extractor/Semmle.Extraction.CSharp/Entities/PreprocessorDirectives/PreprocessorDirective.cs
@@ -23,11 +23,11 @@ namespace Semmle.Extraction.CSharp.Entities
             PopulatePreprocessor(trapFile);
 
             trapFile.preprocessor_directive_active(this, trivia.IsActive);
-            trapFile.preprocessor_directive_location(this, cx.CreateLocation(ReportingLocation));
+            trapFile.preprocessor_directive_location(this, Context.CreateLocation(ReportingLocation));
 
-            if (!cx.Extractor.Standalone)
+            if (!Context.Extractor.Standalone)
             {
-                var compilation = Compilation.Create(cx);
+                var compilation = Compilation.Create(Context);
                 trapFile.preprocessor_directive_compilation(this, compilation);
             }
         }
diff --git a/csharp/extractor/Semmle.Extraction.CSharp/Entities/Property.cs b/csharp/extractor/Semmle.Extraction.CSharp/Entities/Property.cs
index 6795c4a12df..b91b7582b51 100644
--- a/csharp/extractor/Semmle.Extraction.CSharp/Entities/Property.cs
+++ b/csharp/extractor/Semmle.Extraction.CSharp/Entities/Property.cs
@@ -14,7 +14,7 @@ namespace Semmle.Extraction.CSharp.Entities
         protected Property(Context cx, IPropertySymbol init)
             : base(cx, init)
         {
-            type = new Lazy<Type>(() => Type.Create(Context, symbol.Type));
+            type = new Lazy<Type>(() => Type.Create(base.Context, symbol.Type));
         }
 
         private readonly Lazy<Type> type;
diff --git a/csharp/extractor/Semmle.Extraction.CSharp/Entities/Statements/Block.cs b/csharp/extractor/Semmle.Extraction.CSharp/Entities/Statements/Block.cs
index c3e2e15baf3..c50cad9b6cd 100644
--- a/csharp/extractor/Semmle.Extraction.CSharp/Entities/Statements/Block.cs
+++ b/csharp/extractor/Semmle.Extraction.CSharp/Entities/Statements/Block.cs
@@ -20,7 +20,7 @@ namespace Semmle.Extraction.CSharp.Entities.Statements
         protected override void PopulateStatement(TextWriter trapFile)
         {
             var child = 0;
-            foreach (var childStmt in Stmt.Statements.Select(c => Statement.Create(cx, c, this, child)))
+            foreach (var childStmt in Stmt.Statements.Select(c => Statement.Create(Context, c, this, child)))
             {
                 child += childStmt.NumberOfStatements;
             }
diff --git a/csharp/extractor/Semmle.Extraction.CSharp/Entities/Statements/Case.cs b/csharp/extractor/Semmle.Extraction.CSharp/Entities/Statements/Case.cs
index 8046bdb6e26..73a2582060b 100644
--- a/csharp/extractor/Semmle.Extraction.CSharp/Entities/Statements/Case.cs
+++ b/csharp/extractor/Semmle.Extraction.CSharp/Entities/Statements/Case.cs
@@ -36,8 +36,8 @@ namespace Semmle.Extraction.CSharp.Entities.Statements
         protected override void PopulateStatement(TextWriter trapFile)
         {
             var value = Stmt.Value;
-            Expression.Create(cx, value, this, 0);
-            Switch.LabelForValue(cx.GetModel(Stmt).GetConstantValue(value).Value);
+            Expression.Create(Context, value, this, 0);
+            Switch.LabelForValue(Context.GetModel(Stmt).GetConstantValue(value).Value);
         }
 
         public static CaseLabel Create(Context cx, CaseSwitchLabelSyntax node, Switch parent, int child)
@@ -70,11 +70,11 @@ namespace Semmle.Extraction.CSharp.Entities.Statements
 
         protected override void PopulateStatement(TextWriter trapFile)
         {
-            Expressions.Pattern.Create(cx, Stmt.Pattern, this, 0);
+            Expressions.Pattern.Create(Context, Stmt.Pattern, this, 0);
 
             if (Stmt.WhenClause != null)
             {
-                Expression.Create(cx, Stmt.WhenClause.Condition, this, 1);
+                Expression.Create(Context, Stmt.WhenClause.Condition, this, 1);
             }
         }
 
diff --git a/csharp/extractor/Semmle.Extraction.CSharp/Entities/Statements/Catch.cs b/csharp/extractor/Semmle.Extraction.CSharp/Entities/Statements/Catch.cs
index b9bddab82e2..f7484c72d56 100644
--- a/csharp/extractor/Semmle.Extraction.CSharp/Entities/Statements/Catch.cs
+++ b/csharp/extractor/Semmle.Extraction.CSharp/Entities/Statements/Catch.cs
@@ -19,26 +19,26 @@ namespace Semmle.Extraction.CSharp.Entities.Statements
 
             if (hasVariableDeclaration) // A catch clause of the form 'catch(Ex ex) { ... }'
             {
-                var decl = Expressions.VariableDeclaration.Create(cx, Stmt.Declaration, false, this, 0);
-                trapFile.catch_type(this, Type.Create(cx, decl.Type).TypeRef, true);
+                var decl = Expressions.VariableDeclaration.Create(Context, Stmt.Declaration, false, this, 0);
+                trapFile.catch_type(this, Type.Create(Context, decl.Type).TypeRef, true);
             }
             else if (isSpecificCatchClause) // A catch clause of the form 'catch(Ex) { ... }'
             {
-                trapFile.catch_type(this, Type.Create(cx, cx.GetType(Stmt.Declaration.Type)).TypeRef, true);
+                trapFile.catch_type(this, Type.Create(Context, Context.GetType(Stmt.Declaration.Type)).TypeRef, true);
             }
             else // A catch clause of the form 'catch { ... }'
             {
-                var exception = Type.Create(cx, cx.Compilation.GetTypeByMetadataName(systemExceptionName));
+                var exception = Type.Create(Context, Context.Compilation.GetTypeByMetadataName(systemExceptionName));
                 trapFile.catch_type(this, exception, false);
             }
 
             if (Stmt.Filter != null)
             {
                 // For backward compatibility, the catch filter clause is child number 2.
-                Expression.Create(cx, Stmt.Filter.FilterExpression, this, 2);
+                Expression.Create(Context, Stmt.Filter.FilterExpression, this, 2);
             }
 
-            Create(cx, Stmt.Block, this, 1);
+            Create(Context, Stmt.Block, this, 1);
         }
 
         public static Catch Create(Context cx, CatchClauseSyntax node, Try parent, int child)
diff --git a/csharp/extractor/Semmle.Extraction.CSharp/Entities/Statements/Checked.cs b/csharp/extractor/Semmle.Extraction.CSharp/Entities/Statements/Checked.cs
index 4ce000bed3f..0f5766fad23 100644
--- a/csharp/extractor/Semmle.Extraction.CSharp/Entities/Statements/Checked.cs
+++ b/csharp/extractor/Semmle.Extraction.CSharp/Entities/Statements/Checked.cs
@@ -18,7 +18,7 @@ namespace Semmle.Extraction.CSharp.Entities.Statements
 
         protected override void PopulateStatement(TextWriter trapFile)
         {
-            Statement.Create(cx, Stmt.Block, this, 0);
+            Statement.Create(Context, Stmt.Block, this, 0);
         }
     }
 }
diff --git a/csharp/extractor/Semmle.Extraction.CSharp/Entities/Statements/Do.cs b/csharp/extractor/Semmle.Extraction.CSharp/Entities/Statements/Do.cs
index 7cdcfb1f57b..e3518505270 100644
--- a/csharp/extractor/Semmle.Extraction.CSharp/Entities/Statements/Do.cs
+++ b/csharp/extractor/Semmle.Extraction.CSharp/Entities/Statements/Do.cs
@@ -19,8 +19,8 @@ namespace Semmle.Extraction.CSharp.Entities.Statements
 
         protected override void PopulateStatement(TextWriter trapFile)
         {
-            Create(cx, Stmt.Statement, this, 1);
-            Expression.Create(cx, Stmt.Condition, this, 0);
+            Create(Context, Stmt.Statement, this, 1);
+            Expression.Create(Context, Stmt.Condition, this, 0);
         }
     }
 }
diff --git a/csharp/extractor/Semmle.Extraction.CSharp/Entities/Statements/ExpressionStatement.cs b/csharp/extractor/Semmle.Extraction.CSharp/Entities/Statements/ExpressionStatement.cs
index 252e867efa9..76d369bde23 100644
--- a/csharp/extractor/Semmle.Extraction.CSharp/Entities/Statements/ExpressionStatement.cs
+++ b/csharp/extractor/Semmle.Extraction.CSharp/Entities/Statements/ExpressionStatement.cs
@@ -18,9 +18,9 @@ namespace Semmle.Extraction.CSharp.Entities.Statements
         protected override void PopulateStatement(TextWriter trapFile)
         {
             if (Stmt.Expression != null)
-                Expression.Create(cx, Stmt.Expression, this, 0);
+                Expression.Create(Context, Stmt.Expression, this, 0);
             else
-                cx.ModelError(Stmt, "Invalid expression statement");
+                Context.ModelError(Stmt, "Invalid expression statement");
         }
     }
 }
diff --git a/csharp/extractor/Semmle.Extraction.CSharp/Entities/Statements/Fixed.cs b/csharp/extractor/Semmle.Extraction.CSharp/Entities/Statements/Fixed.cs
index 7cd8350c7d1..1d01b1708f2 100644
--- a/csharp/extractor/Semmle.Extraction.CSharp/Entities/Statements/Fixed.cs
+++ b/csharp/extractor/Semmle.Extraction.CSharp/Entities/Statements/Fixed.cs
@@ -19,8 +19,8 @@ namespace Semmle.Extraction.CSharp.Entities.Statements
 
         protected override void PopulateStatement(TextWriter trapFile)
         {
-            VariableDeclarations.Populate(cx, Stmt.Declaration, this, -1, childIncrement: -1);
-            Create(cx, Stmt.Statement, this, 0);
+            VariableDeclarations.Populate(Context, Stmt.Declaration, this, -1, childIncrement: -1);
+            Create(Context, Stmt.Statement, this, 0);
         }
     }
 }
diff --git a/csharp/extractor/Semmle.Extraction.CSharp/Entities/Statements/For.cs b/csharp/extractor/Semmle.Extraction.CSharp/Entities/Statements/For.cs
index 15c7151a8a6..678373168f6 100644
--- a/csharp/extractor/Semmle.Extraction.CSharp/Entities/Statements/For.cs
+++ b/csharp/extractor/Semmle.Extraction.CSharp/Entities/Statements/For.cs
@@ -22,25 +22,25 @@ namespace Semmle.Extraction.CSharp.Entities.Statements
             var child = -1;
 
             if (Stmt.Declaration != null)
-                VariableDeclarations.Populate(cx, Stmt.Declaration, this, child, childIncrement: -1);
+                VariableDeclarations.Populate(Context, Stmt.Declaration, this, child, childIncrement: -1);
 
             foreach (var init in Stmt.Initializers)
             {
-                Expression.Create(cx, init, this, child--);
+                Expression.Create(Context, init, this, child--);
             }
 
             if (Stmt.Condition != null)
             {
-                Expression.Create(cx, Stmt.Condition, this, 0);
+                Expression.Create(Context, Stmt.Condition, this, 0);
             }
 
             child = 1;
             foreach (var inc in Stmt.Incrementors)
             {
-                Expression.Create(cx, inc, this, child++);
+                Expression.Create(Context, inc, this, child++);
             }
 
-            Statement.Create(cx, Stmt.Statement, this, 1 + Stmt.Incrementors.Count);
+            Statement.Create(Context, Stmt.Statement, this, 1 + Stmt.Incrementors.Count);
         }
     }
 }
diff --git a/csharp/extractor/Semmle.Extraction.CSharp/Entities/Statements/ForEach.cs b/csharp/extractor/Semmle.Extraction.CSharp/Entities/Statements/ForEach.cs
index e7bb987574e..bd9b1528a13 100644
--- a/csharp/extractor/Semmle.Extraction.CSharp/Entities/Statements/ForEach.cs
+++ b/csharp/extractor/Semmle.Extraction.CSharp/Entities/Statements/ForEach.cs
@@ -29,23 +29,23 @@ namespace Semmle.Extraction.CSharp.Entities.Statements
 
         protected override void PopulateStatement(TextWriter trapFile)
         {
-            Expression.Create(cx, Stmt.Expression, this, 1);
+            Expression.Create(Context, Stmt.Expression, this, 1);
 
-            var semanticModel = cx.GetModel(Stmt);
+            var semanticModel = Context.GetModel(Stmt);
             var typeSymbol = semanticModel.GetDeclaredSymbol(Stmt);
             var type = typeSymbol.GetAnnotatedType();
 
-            var location = cx.CreateLocation(Stmt.Identifier.GetLocation());
+            var location = Context.CreateLocation(Stmt.Identifier.GetLocation());
 
-            Expressions.VariableDeclaration.Create(cx, typeSymbol, type, Stmt.Type, location, Stmt.Type.IsVar, this, 0);
+            Expressions.VariableDeclaration.Create(Context, typeSymbol, type, Stmt.Type, location, Stmt.Type.IsVar, this, 0);
 
-            Statement.Create(cx, Stmt.Statement, this, 2);
+            Statement.Create(Context, Stmt.Statement, this, 2);
 
             var info = semanticModel.GetForEachStatementInfo(Stmt);
 
             if (info.Equals(default))
             {
-                cx.ExtractionError("Could not get foreach statement info", null, cx.CreateLocation(this.ReportingLocation), severity: Util.Logging.Severity.Info);
+                Context.ExtractionError("Could not get foreach statement info", null, Context.CreateLocation(this.ReportingLocation), severity: Util.Logging.Severity.Info);
                 return;
             }
 
@@ -53,31 +53,31 @@ namespace Semmle.Extraction.CSharp.Entities.Statements
 
             if (info.GetEnumeratorMethod != null)
             {
-                var m = Method.Create(cx, info.GetEnumeratorMethod);
+                var m = Method.Create(Context, info.GetEnumeratorMethod);
                 trapFile.foreach_stmt_desugar(this, m, ForeachSymbolType.GetEnumeratorMethod);
             }
 
             if (info.MoveNextMethod != null)
             {
-                var m = Method.Create(cx, info.MoveNextMethod);
+                var m = Method.Create(Context, info.MoveNextMethod);
                 trapFile.foreach_stmt_desugar(this, m, ForeachSymbolType.MoveNextMethod);
             }
 
             if (info.DisposeMethod != null)
             {
-                var m = Method.Create(cx, info.DisposeMethod);
+                var m = Method.Create(Context, info.DisposeMethod);
                 trapFile.foreach_stmt_desugar(this, m, ForeachSymbolType.DisposeMethod);
             }
 
             if (info.CurrentProperty != null)
             {
-                var p = Property.Create(cx, info.CurrentProperty);
+                var p = Property.Create(Context, info.CurrentProperty);
                 trapFile.foreach_stmt_desugar(this, p, ForeachSymbolType.CurrentProperty);
             }
 
             if (info.ElementType != null)
             {
-                var t = Type.Create(cx, info.ElementType);
+                var t = Type.Create(Context, info.ElementType);
                 trapFile.foreach_stmt_desugar(this, t, ForeachSymbolType.ElementType);
             }
         }
@@ -97,9 +97,9 @@ namespace Semmle.Extraction.CSharp.Entities.Statements
 
         protected override void PopulateStatement(TextWriter trapFile)
         {
-            Expression.Create(cx, Stmt.Variable, this, 0);
-            Expression.Create(cx, Stmt.Expression, this, 1);
-            Statement.Create(cx, Stmt.Statement, this, 2);
+            Expression.Create(Context, Stmt.Variable, this, 0);
+            Expression.Create(Context, Stmt.Expression, this, 1);
+            Statement.Create(Context, Stmt.Statement, this, 2);
         }
     }
 }
diff --git a/csharp/extractor/Semmle.Extraction.CSharp/Entities/Statements/Goto.cs b/csharp/extractor/Semmle.Extraction.CSharp/Entities/Statements/Goto.cs
index 772d69cff7c..20548dd056a 100644
--- a/csharp/extractor/Semmle.Extraction.CSharp/Entities/Statements/Goto.cs
+++ b/csharp/extractor/Semmle.Extraction.CSharp/Entities/Statements/Goto.cs
@@ -40,8 +40,8 @@ namespace Semmle.Extraction.CSharp.Entities.Statements
                     trapFile.exprorstmt_name(this, target);
                     break;
                 case StmtKind.GOTO_CASE:
-                    Expr = Expression.Create(cx, Stmt.Expression, this, 0);
-                    ConstantValue = Switch.LabelForValue(cx.GetModel(Stmt).GetConstantValue(Stmt.Expression).Value);
+                    Expr = Expression.Create(Context, Stmt.Expression, this, 0);
+                    ConstantValue = Switch.LabelForValue(Context.GetModel(Stmt).GetConstantValue(Stmt.Expression).Value);
                     break;
                 case StmtKind.GOTO_DEFAULT:
                     ConstantValue = Switch.DefaultLabel;
diff --git a/csharp/extractor/Semmle.Extraction.CSharp/Entities/Statements/If.cs b/csharp/extractor/Semmle.Extraction.CSharp/Entities/Statements/If.cs
index b132c6ebe54..010cd9a793b 100644
--- a/csharp/extractor/Semmle.Extraction.CSharp/Entities/Statements/If.cs
+++ b/csharp/extractor/Semmle.Extraction.CSharp/Entities/Statements/If.cs
@@ -18,12 +18,12 @@ namespace Semmle.Extraction.CSharp.Entities.Statements
 
         protected override void PopulateStatement(TextWriter trapFile)
         {
-            Expression.Create(cx, Stmt.Condition, this, 0);
+            Expression.Create(Context, Stmt.Condition, this, 0);
 
-            Create(cx, Stmt.Statement, this, 1);
+            Create(Context, Stmt.Statement, this, 1);
 
             if (Stmt.Else != null)
-                Create(cx, Stmt.Else.Statement, this, 2);
+                Create(Context, Stmt.Else.Statement, this, 2);
         }
     }
 }
diff --git a/csharp/extractor/Semmle.Extraction.CSharp/Entities/Statements/Labeled.cs b/csharp/extractor/Semmle.Extraction.CSharp/Entities/Statements/Labeled.cs
index fe69af917ba..d549008daaf 100644
--- a/csharp/extractor/Semmle.Extraction.CSharp/Entities/Statements/Labeled.cs
+++ b/csharp/extractor/Semmle.Extraction.CSharp/Entities/Statements/Labeled.cs
@@ -30,7 +30,7 @@ namespace Semmle.Extraction.CSharp.Entities.Statements
 
             // For compatibility with the Mono extractor, make insert the labelled statement into the same block
             // as this one. The parent MUST be a block statement.
-            labelledStmt = Statement.Create(cx, Stmt.Statement, parent, child + 1);
+            labelledStmt = Statement.Create(Context, Stmt.Statement, parent, child + 1);
         }
 
         public override int NumberOfStatements => 1 + labelledStmt.NumberOfStatements;
diff --git a/csharp/extractor/Semmle.Extraction.CSharp/Entities/Statements/LocalDeclaration.cs b/csharp/extractor/Semmle.Extraction.CSharp/Entities/Statements/LocalDeclaration.cs
index 87559681fd8..b147e5693ca 100644
--- a/csharp/extractor/Semmle.Extraction.CSharp/Entities/Statements/LocalDeclaration.cs
+++ b/csharp/extractor/Semmle.Extraction.CSharp/Entities/Statements/LocalDeclaration.cs
@@ -30,8 +30,8 @@ namespace Semmle.Extraction.CSharp.Entities.Statements
 
         protected override void PopulateStatement(TextWriter trapFile)
         {
-            VariableDeclarations.Populate(cx, Stmt.Declaration, this, 0);
-            cx.BindComments(this, Stmt.GetLocation());
+            VariableDeclarations.Populate(Context, Stmt.Declaration, this, 0);
+            Context.BindComments(this, Stmt.GetLocation());
         }
     }
 }
diff --git a/csharp/extractor/Semmle.Extraction.CSharp/Entities/Statements/LocalFunction.cs b/csharp/extractor/Semmle.Extraction.CSharp/Entities/Statements/LocalFunction.cs
index 5e417fd8885..aaebd538c67 100644
--- a/csharp/extractor/Semmle.Extraction.CSharp/Entities/Statements/LocalFunction.cs
+++ b/csharp/extractor/Semmle.Extraction.CSharp/Entities/Statements/LocalFunction.cs
@@ -26,7 +26,7 @@ namespace Semmle.Extraction.CSharp.Entities.Statements
         {
             get
             {
-                var m = cx.GetModel(Stmt);
+                var m = Context.GetModel(Stmt);
                 return m.GetDeclaredSymbol(Stmt) as IMethodSymbol;
             }
         }
@@ -34,7 +34,7 @@ namespace Semmle.Extraction.CSharp.Entities.Statements
         /// <summary>
         /// Gets the function defined by this local statement.
         /// </summary>
-        private Entities.LocalFunction Function => Entities.LocalFunction.Create(cx, Symbol);
+        private Entities.LocalFunction Function => Entities.LocalFunction.Create(Context, Symbol);
 
         protected override void PopulateStatement(TextWriter trapFile)
         {
diff --git a/csharp/extractor/Semmle.Extraction.CSharp/Entities/Statements/Lock.cs b/csharp/extractor/Semmle.Extraction.CSharp/Entities/Statements/Lock.cs
index fbcb346b367..141edcea63a 100644
--- a/csharp/extractor/Semmle.Extraction.CSharp/Entities/Statements/Lock.cs
+++ b/csharp/extractor/Semmle.Extraction.CSharp/Entities/Statements/Lock.cs
@@ -18,8 +18,8 @@ namespace Semmle.Extraction.CSharp.Entities.Statements
 
         protected override void PopulateStatement(TextWriter trapFile)
         {
-            Expression.Create(cx, Stmt.Expression, this, 0);
-            Statement.Create(cx, Stmt.Statement, this, 1);
+            Expression.Create(Context, Stmt.Expression, this, 0);
+            Statement.Create(Context, Stmt.Statement, this, 1);
         }
     }
 }
diff --git a/csharp/extractor/Semmle.Extraction.CSharp/Entities/Statements/Return.cs b/csharp/extractor/Semmle.Extraction.CSharp/Entities/Statements/Return.cs
index 2ff04b82b87..64692630b4c 100644
--- a/csharp/extractor/Semmle.Extraction.CSharp/Entities/Statements/Return.cs
+++ b/csharp/extractor/Semmle.Extraction.CSharp/Entities/Statements/Return.cs
@@ -19,7 +19,7 @@ namespace Semmle.Extraction.CSharp.Entities.Statements
         protected override void PopulateStatement(TextWriter trapFile)
         {
             if (Stmt.Expression != null)
-                Expression.Create(cx, Stmt.Expression, this, 0);
+                Expression.Create(Context, Stmt.Expression, this, 0);
         }
     }
 }
diff --git a/csharp/extractor/Semmle.Extraction.CSharp/Entities/Statements/Switch.cs b/csharp/extractor/Semmle.Extraction.CSharp/Entities/Statements/Switch.cs
index f64067be9c4..df73554f389 100644
--- a/csharp/extractor/Semmle.Extraction.CSharp/Entities/Statements/Switch.cs
+++ b/csharp/extractor/Semmle.Extraction.CSharp/Entities/Statements/Switch.cs
@@ -30,17 +30,17 @@ namespace Semmle.Extraction.CSharp.Entities.Statements
 
         protected override void PopulateStatement(TextWriter trapFile)
         {
-            Expression.Create(cx, Stmt.Expression, this, 0);
+            Expression.Create(Context, Stmt.Expression, this, 0);
             var childIndex = 0;
 
             foreach (var section in Stmt.Sections)
             {
-                foreach (var stmt in section.Labels.Select(label => Case<SwitchLabelSyntax>.Create(cx, label, this, childIndex)))
+                foreach (var stmt in section.Labels.Select(label => Case<SwitchLabelSyntax>.Create(Context, label, this, childIndex)))
                 {
                     childIndex += stmt.NumberOfStatements;
                 }
 
-                foreach (var stmt in section.Statements.Select(s => Create(cx, s, this, childIndex)))
+                foreach (var stmt in section.Statements.Select(s => Create(Context, s, this, childIndex)))
                 {
                     childIndex += stmt.NumberOfStatements;
                 }
diff --git a/csharp/extractor/Semmle.Extraction.CSharp/Entities/Statements/Throw.cs b/csharp/extractor/Semmle.Extraction.CSharp/Entities/Statements/Throw.cs
index c550b1f1e39..dbff60d890b 100644
--- a/csharp/extractor/Semmle.Extraction.CSharp/Entities/Statements/Throw.cs
+++ b/csharp/extractor/Semmle.Extraction.CSharp/Entities/Statements/Throw.cs
@@ -19,7 +19,7 @@ namespace Semmle.Extraction.CSharp.Entities.Statements
         protected override void PopulateStatement(TextWriter trapFile)
         {
             if (Stmt.Expression != null)
-                Expression.Create(cx, Stmt.Expression, this, 0);
+                Expression.Create(Context, Stmt.Expression, this, 0);
         }
     }
 }
diff --git a/csharp/extractor/Semmle.Extraction.CSharp/Entities/Statements/Try.cs b/csharp/extractor/Semmle.Extraction.CSharp/Entities/Statements/Try.cs
index 5a6937790c2..bb17c2beaa2 100644
--- a/csharp/extractor/Semmle.Extraction.CSharp/Entities/Statements/Try.cs
+++ b/csharp/extractor/Semmle.Extraction.CSharp/Entities/Statements/Try.cs
@@ -22,14 +22,14 @@ namespace Semmle.Extraction.CSharp.Entities.Statements
             var child = 1;
             foreach (var c in Stmt.Catches)
             {
-                Catch.Create(cx, c, this, child++);
+                Catch.Create(Context, c, this, child++);
             }
 
-            Create(cx, Stmt.Block, this, 0);
+            Create(Context, Stmt.Block, this, 0);
 
             if (Stmt.Finally != null)
             {
-                Create(cx, Stmt.Finally.Block, this, -1);
+                Create(Context, Stmt.Finally.Block, this, -1);
             }
         }
 
diff --git a/csharp/extractor/Semmle.Extraction.CSharp/Entities/Statements/Unchecked.cs b/csharp/extractor/Semmle.Extraction.CSharp/Entities/Statements/Unchecked.cs
index 2d69bdc8d4c..37de04f870b 100644
--- a/csharp/extractor/Semmle.Extraction.CSharp/Entities/Statements/Unchecked.cs
+++ b/csharp/extractor/Semmle.Extraction.CSharp/Entities/Statements/Unchecked.cs
@@ -18,7 +18,7 @@ namespace Semmle.Extraction.CSharp.Entities.Statements
 
         protected override void PopulateStatement(TextWriter trapFile)
         {
-            Statement.Create(cx, Stmt.Block, this, 0);
+            Statement.Create(Context, Stmt.Block, this, 0);
         }
     }
 }
diff --git a/csharp/extractor/Semmle.Extraction.CSharp/Entities/Statements/Unsafe.cs b/csharp/extractor/Semmle.Extraction.CSharp/Entities/Statements/Unsafe.cs
index 4e371604333..936c5e84296 100644
--- a/csharp/extractor/Semmle.Extraction.CSharp/Entities/Statements/Unsafe.cs
+++ b/csharp/extractor/Semmle.Extraction.CSharp/Entities/Statements/Unsafe.cs
@@ -18,7 +18,7 @@ namespace Semmle.Extraction.CSharp.Entities.Statements
 
         protected override void PopulateStatement(TextWriter trapFile)
         {
-            Create(cx, Stmt.Block, this, 0);
+            Create(Context, Stmt.Block, this, 0);
         }
     }
 }
diff --git a/csharp/extractor/Semmle.Extraction.CSharp/Entities/Statements/Using.cs b/csharp/extractor/Semmle.Extraction.CSharp/Entities/Statements/Using.cs
index 93d0f6a88ff..b62e6556a8c 100644
--- a/csharp/extractor/Semmle.Extraction.CSharp/Entities/Statements/Using.cs
+++ b/csharp/extractor/Semmle.Extraction.CSharp/Entities/Statements/Using.cs
@@ -20,13 +20,13 @@ namespace Semmle.Extraction.CSharp.Entities.Statements
         protected override void PopulateStatement(TextWriter trapFile)
         {
             if (Stmt.Declaration != null)
-                VariableDeclarations.Populate(cx, Stmt.Declaration, this, -1, childIncrement: -1);
+                VariableDeclarations.Populate(Context, Stmt.Declaration, this, -1, childIncrement: -1);
 
             if (Stmt.Expression != null)
-                Expression.Create(cx, Stmt.Expression, this, 0);
+                Expression.Create(Context, Stmt.Expression, this, 0);
 
             if (Stmt.Statement != null)
-                Statement.Create(cx, Stmt.Statement, this, 1);
+                Statement.Create(Context, Stmt.Statement, this, 1);
         }
     }
 }
diff --git a/csharp/extractor/Semmle.Extraction.CSharp/Entities/Statements/While.cs b/csharp/extractor/Semmle.Extraction.CSharp/Entities/Statements/While.cs
index 8def91a8418..99e96e7b683 100644
--- a/csharp/extractor/Semmle.Extraction.CSharp/Entities/Statements/While.cs
+++ b/csharp/extractor/Semmle.Extraction.CSharp/Entities/Statements/While.cs
@@ -18,8 +18,8 @@ namespace Semmle.Extraction.CSharp.Entities.Statements
 
         protected override void PopulateStatement(TextWriter trapFile)
         {
-            Expression.Create(cx, Stmt.Condition, this, 0);
-            Create(cx, Stmt.Statement, this, 1);
+            Expression.Create(Context, Stmt.Condition, this, 0);
+            Create(Context, Stmt.Statement, this, 1);
         }
     }
 }
diff --git a/csharp/extractor/Semmle.Extraction.CSharp/Entities/Statements/Yield.cs b/csharp/extractor/Semmle.Extraction.CSharp/Entities/Statements/Yield.cs
index 9aace8e0b83..605a7cacdbc 100644
--- a/csharp/extractor/Semmle.Extraction.CSharp/Entities/Statements/Yield.cs
+++ b/csharp/extractor/Semmle.Extraction.CSharp/Entities/Statements/Yield.cs
@@ -20,7 +20,7 @@ namespace Semmle.Extraction.CSharp.Entities.Statements
         {
             if (Stmt.Expression != null)
             {
-                Expression.Create(cx, Stmt.Expression, this, 0);
+                Expression.Create(Context, Stmt.Expression, this, 0);
             }
         }
     }
diff --git a/csharp/extractor/Semmle.Extraction.CSharp/Entities/TypeMention.cs b/csharp/extractor/Semmle.Extraction.CSharp/Entities/TypeMention.cs
index e05c2d0c102..57f309cad8b 100644
--- a/csharp/extractor/Semmle.Extraction.CSharp/Entities/TypeMention.cs
+++ b/csharp/extractor/Semmle.Extraction.CSharp/Entities/TypeMention.cs
@@ -32,7 +32,7 @@ namespace Semmle.Extraction.CSharp.Entities
                 case NullableTypeSyntax nts:
                     // int[]? -> int[] -> int
                     // int?   -> int?
-                    return cx.GetTypeInfo(nts.ElementType).Type.IsReferenceType
+                    return Context.GetTypeInfo(nts.ElementType).Type.IsReferenceType
                         ? GetArrayElementType(nts.ElementType)
                         : nts;
                 case PointerTypeSyntax pts:
@@ -65,7 +65,7 @@ namespace Semmle.Extraction.CSharp.Entities
                 case SyntaxKind.ArrayType:
                 case SyntaxKind.PointerType:
                     Emit(trapFile, loc ?? syntax.GetLocation(), parent, type);
-                    Create(cx, GetArrayElementType(syntax), this, GetArrayElementType(type));
+                    Create(Context, GetArrayElementType(syntax), this, GetArrayElementType(type));
                     return;
                 case SyntaxKind.NullableType:
                     var nts = (NullableTypeSyntax)syntax;
@@ -74,39 +74,39 @@ namespace Semmle.Extraction.CSharp.Entities
                         if (!nt.symbol.IsReferenceType)
                         {
                             Emit(trapFile, loc ?? syntax.GetLocation(), parent, type);
-                            Create(cx, nts.ElementType, this, nt.TypeArguments[0]);
+                            Create(Context, nts.ElementType, this, nt.TypeArguments[0]);
                         }
                         else
                         {
-                            Create(cx, nts.ElementType, parent, type);
+                            Create(Context, nts.ElementType, parent, type);
                         }
                     }
                     else if (type is ArrayType)
                     {
-                        Create(cx, nts.ElementType, parent, type);
+                        Create(Context, nts.ElementType, parent, type);
                     }
                     return;
                 case SyntaxKind.TupleType:
                     var tts = (TupleTypeSyntax)syntax;
                     var tt = (TupleType)type;
                     Emit(trapFile, loc ?? syntax.GetLocation(), parent, type);
-                    tts.Elements.Zip(tt.TupleElements, (s, t) => Create(cx, s.Type, this, t.Type)).Enumerate();
+                    tts.Elements.Zip(tt.TupleElements, (s, t) => Create(Context, s.Type, this, t.Type)).Enumerate();
                     return;
                 case SyntaxKind.GenericName:
                     Emit(trapFile, loc ?? syntax.GetLocation(), parent, type);
-                    cx.PopulateLater(() =>
+                    Context.PopulateLater(() =>
                         ((GenericNameSyntax)syntax)
                             .TypeArgumentList
                             .Arguments
-                            .Zip(type.TypeMentions, (s, t) => Create(cx, s, this, t)).Enumerate());
+                            .Zip(type.TypeMentions, (s, t) => Create(Context, s, this, t)).Enumerate());
                     return;
                 case SyntaxKind.QualifiedName:
                     var qns = (QualifiedNameSyntax)syntax;
-                    var right = Create(cx, qns.Right, parent, type);
+                    var right = Create(Context, qns.Right, parent, type);
                     if (type.ContainingType is object)
                     {
                         // Type qualifier
-                        Create(cx, qns.Left, right, type.ContainingType);
+                        Create(Context, qns.Left, right, type.ContainingType);
                     }
                     return;
                 default:
@@ -118,7 +118,7 @@ namespace Semmle.Extraction.CSharp.Entities
         private void Emit(TextWriter trapFile, Microsoft.CodeAnalysis.Location loc, IEntity parent, Type type)
         {
             trapFile.type_mention(this, type.TypeRef, parent);
-            trapFile.type_mention_location(this, cx.CreateLocation(loc));
+            trapFile.type_mention_location(this, Context.CreateLocation(loc));
         }
 
         public static TypeMention Create(Context cx, TypeSyntax syntax, IEntity parent, Type type, Microsoft.CodeAnalysis.Location loc = null)
diff --git a/csharp/extractor/Semmle.Extraction.CSharp/Entities/Types/Type.cs b/csharp/extractor/Semmle.Extraction.CSharp/Entities/Types/Type.cs
index 8c96a334565..34fc6f5ccba 100644
--- a/csharp/extractor/Semmle.Extraction.CSharp/Entities/Types/Type.cs
+++ b/csharp/extractor/Semmle.Extraction.CSharp/Entities/Types/Type.cs
@@ -326,6 +326,7 @@ namespace Semmle.Extraction.CSharp.Entities
         protected Type(Context cx, T init)
             : base(cx, init) { }
 
+        // todo: change this with .net 5 to be an override
         public new T symbol => (T)base.symbol;
     }
 }
diff --git a/csharp/extractor/Semmle.Extraction.CSharp/Entities/UsingDirective.cs b/csharp/extractor/Semmle.Extraction.CSharp/Entities/UsingDirective.cs
index d08a1320ba2..96ce5f339cf 100644
--- a/csharp/extractor/Semmle.Extraction.CSharp/Entities/UsingDirective.cs
+++ b/csharp/extractor/Semmle.Extraction.CSharp/Entities/UsingDirective.cs
@@ -21,30 +21,30 @@ namespace Semmle.Extraction.CSharp.Entities
 
         protected override void Populate(TextWriter trapFile)
         {
-            var info = cx.GetModel(node).GetSymbolInfo(node.Name);
+            var info = Context.GetModel(node).GetSymbolInfo(node.Name);
 
             if (node.StaticKeyword.Kind() == SyntaxKind.None)
             {
                 // A normal using
                 if (info.Symbol is INamespaceSymbol namespaceSymbol)
                 {
-                    var ns = Namespace.Create(cx, namespaceSymbol);
+                    var ns = Namespace.Create(Context, namespaceSymbol);
                     trapFile.using_namespace_directives(this, ns);
-                    trapFile.using_directive_location(this, cx.CreateLocation(ReportingLocation));
+                    trapFile.using_directive_location(this, Context.CreateLocation(ReportingLocation));
                 }
                 else
                 {
-                    cx.Extractor.MissingNamespace(node.Name.ToFullString(), cx.FromSource);
-                    cx.ModelError(node, "Namespace not found");
+                    Context.Extractor.MissingNamespace(node.Name.ToFullString(), Context.FromSource);
+                    Context.ModelError(node, "Namespace not found");
                     return;
                 }
             }
             else
             {
                 // A "using static"
-                var m = Type.Create(cx, (ITypeSymbol)info.Symbol);
+                var m = Type.Create(Context, (ITypeSymbol)info.Symbol);
                 trapFile.using_static_directives(this, m.TypeRef);
-                trapFile.using_directive_location(this, cx.CreateLocation(ReportingLocation));
+                trapFile.using_directive_location(this, Context.CreateLocation(ReportingLocation));
             }
 
             if (parent != null)
diff --git a/csharp/extractor/Semmle.Extraction/Context.cs b/csharp/extractor/Semmle.Extraction/Context.cs
index 7f5ef6b1110..a4b84d5d047 100644
--- a/csharp/extractor/Semmle.Extraction/Context.cs
+++ b/csharp/extractor/Semmle.Extraction/Context.cs
@@ -73,7 +73,7 @@ namespace Semmle.Extraction
         }
 
 #if DEBUG_LABELS
-        private void CheckEntityHasUniqueLabel(string id, ICachedEntity entity)
+        private void CheckEntityHasUniqueLabel(string id, CachedEntity entity)
         {
             if (idLabelCache.ContainsKey(id))
             {
@@ -89,12 +89,12 @@ namespace Semmle.Extraction
         public Label GetNewLabel() => new Label(GetNewId());
 
         public TEntity CreateEntity<TInit, TEntity>(ICachedEntityFactory<TInit, TEntity> factory, object cacheKey, TInit init)
-            where TEntity : ICachedEntity =>
+            where TEntity : CachedEntity =>
             cacheKey is ISymbol s ? CreateEntity(factory, s, init, symbolEntityCache) : CreateEntity(factory, cacheKey, init, objectEntityCache);
 
         public TEntity CreateEntityFromSymbol<TSymbol, TEntity>(ICachedEntityFactory<TSymbol, TEntity> factory, TSymbol init)
             where TSymbol : ISymbol
-            where TEntity : ICachedEntity => CreateEntity(factory, init, init, symbolEntityCache);
+            where TEntity : CachedEntity => CreateEntity(factory, init, init, symbolEntityCache);
 
         /// <summary>
         /// Creates and populates a new entity, or returns the existing one from the cache.
@@ -104,9 +104,9 @@ namespace Semmle.Extraction
         /// <param name="init">The initializer for the entity.</param>
         /// <param name="dictionary">The dictionary to use for caching.</param>
         /// <returns>The new/existing entity.</returns>
-        private TEntity CreateEntity<TInit, TCacheKey, TEntity>(ICachedEntityFactory<TInit, TEntity> factory, TCacheKey cacheKey, TInit init, IDictionary<TCacheKey, ICachedEntity> dictionary)
+        private TEntity CreateEntity<TInit, TCacheKey, TEntity>(ICachedEntityFactory<TInit, TEntity> factory, TCacheKey cacheKey, TInit init, IDictionary<TCacheKey, CachedEntity> dictionary)
             where TCacheKey : notnull
-            where TEntity : ICachedEntity
+            where TEntity : CachedEntity
         {
             if (dictionary.TryGetValue(cacheKey, out var cached))
                 return (TEntity)cached;
@@ -143,7 +143,7 @@ namespace Semmle.Extraction
         /// </summary>
         /// <param name="entity">The entity to extract.</param>
         /// <returns>True only on the first call for a particular entity.</returns>
-        public bool ExtractGenerics(ICachedEntity entity)
+        public bool ExtractGenerics(CachedEntity entity)
         {
             if (extractedGenerics.Contains(entity.Label))
             {
@@ -158,18 +158,18 @@ namespace Semmle.Extraction
         /// Creates a fresh label with ID "*", and set it on the
         /// supplied <paramref name="entity"/> object.
         /// </summary>
-        public void AddFreshLabel(IEntity entity)
+        public void AddFreshLabel(Entity entity)
         {
             entity.Label = GetNewLabel();
             entity.DefineFreshLabel(TrapWriter.Writer);
         }
 
 #if DEBUG_LABELS
-        private readonly Dictionary<string, ICachedEntity> idLabelCache = new Dictionary<string, ICachedEntity>();
+        private readonly Dictionary<string, CachedEntity> idLabelCache = new Dictionary<string, CachedEntity>();
 #endif
 
-        private readonly IDictionary<object, ICachedEntity> objectEntityCache = new Dictionary<object, ICachedEntity>();
-        private readonly IDictionary<ISymbol, ICachedEntity> symbolEntityCache = new Dictionary<ISymbol, ICachedEntity>(10000, SymbolEqualityComparer.Default);
+        private readonly IDictionary<object, CachedEntity> objectEntityCache = new Dictionary<object, CachedEntity>();
+        private readonly IDictionary<ISymbol, CachedEntity> symbolEntityCache = new Dictionary<ISymbol, CachedEntity>(10000, SymbolEqualityComparer.Default);
         private readonly HashSet<Label> extractedGenerics = new HashSet<Label>();
 
         /// <summary>
@@ -325,7 +325,7 @@ namespace Semmle.Extraction
         /// <param name="optionalSymbol">Symbol for reporting errors.</param>
         /// <param name="entity">The entity to populate.</param>
         /// <exception cref="InternalError">Thrown on invalid trap stack behaviour.</exception>
-        public void Populate(ISymbol? optionalSymbol, ICachedEntity entity)
+        public void Populate(ISymbol? optionalSymbol, CachedEntity entity)
         {
             if (writingLabel)
             {
@@ -406,7 +406,7 @@ namespace Semmle.Extraction
         /// <param name="cx">Extractor context.</param>
         /// <param name="entity">Program entity.</param>
         /// <param name="l">Location of the entity.</param>
-        public void BindComments(IEntity entity, Microsoft.CodeAnalysis.Location l)
+        public void BindComments(Entity entity, Microsoft.CodeAnalysis.Location l)
         {
             var duplicationGuardKey = tagStack.Count > 0 ? tagStack.Peek() : null;
             CommentGenerator.AddElement(entity.Label, duplicationGuardKey, l);
@@ -432,7 +432,7 @@ namespace Semmle.Extraction
         /// <param name="message">The text of the message.</param>
         /// <param name="optionalSymbol">The symbol of the error, or null.</param>
         /// <param name="optionalEntity">The entity of the error, or null.</param>
-        public void ExtractionError(string message, ISymbol? optionalSymbol, IEntity optionalEntity)
+        public void ExtractionError(string message, ISymbol? optionalSymbol, Entity optionalEntity)
         {
             if (!(optionalSymbol is null))
             {
diff --git a/csharp/extractor/Semmle.Extraction/Symbol.cs b/csharp/extractor/Semmle.Extraction/Entities/Base/CachedEntity`1.cs
similarity index 63%
rename from csharp/extractor/Semmle.Extraction/Symbol.cs
rename to csharp/extractor/Semmle.Extraction/Entities/Base/CachedEntity`1.cs
index 2585ffd037f..a5b5798d28b 100644
--- a/csharp/extractor/Semmle.Extraction/Symbol.cs
+++ b/csharp/extractor/Semmle.Extraction/Entities/Base/CachedEntity`1.cs
@@ -3,26 +3,38 @@ using Microsoft.CodeAnalysis;
 
 namespace Semmle.Extraction
 {
+    /// <summary>
+    /// A cached entity.
+    ///
+    /// The <see cref="Entity.Id"/> property is used as label in caching.
+    /// </summary>
+    public abstract class CachedEntity : LabelledEntity
+    {
+        protected CachedEntity(Context context) : base(context)
+        {
+        }
+
+        /// <summary>
+        /// Populates the <see cref="Label"/> field and generates output in the trap file
+        /// as required. Is only called when <see cref="NeedsPopulation"/> returns
+        /// <code>true</code> and the entity has not already been populated.
+        /// </summary>
+        public abstract void Populate(TextWriter trapFile);
+
+        public abstract bool NeedsPopulation { get; }
+    }
+
     /// <summary>
     /// An abstract symbol, which encapsulates a data type (such as a C# symbol).
     /// </summary>
     /// <typeparam name="TSymbol">The type of the symbol.</typeparam>
-    public abstract class CachedEntity<TSymbol> : ICachedEntity
+    public abstract class CachedEntity<TSymbol> : CachedEntity
     {
-        protected CachedEntity(Context context, TSymbol init)
+        protected CachedEntity(Context context, TSymbol symbol) : base(context)
         {
-            Context = context;
-            symbol = init;
+            this.symbol = symbol;
         }
 
-        public Label Label { get; set; }
-
-        public abstract Microsoft.CodeAnalysis.Location? ReportingLocation { get; }
-
-        public override string ToString() => Label.ToString();
-
-        public abstract void Populate(TextWriter trapFile);
-
         /// <summary>
         /// For debugging.
         /// </summary>
@@ -36,33 +48,16 @@ namespace Semmle.Extraction
             }
         }
 
-        public Context Context
-        {
-            get;
-        }
-
         public TSymbol symbol
         {
             get;
         }
 
-        object? ICachedEntity.UnderlyingObject => symbol;
+        //object? ICachedEntity.UnderlyingObject => symbol;
 
         public TSymbol UnderlyingObject => symbol;
 
-        public abstract void WriteId(System.IO.TextWriter trapFile);
-
-        public virtual void WriteQuotedId(TextWriter trapFile)
-        {
-            trapFile.Write("@\"");
-            WriteId(trapFile);
-            trapFile.Write('\"');
-        }
-
-        public abstract bool NeedsPopulation
-        {
-            get;
-        }
+        public override bool NeedsPopulation { get; }
 
         public override int GetHashCode() => symbol is null ? 0 : symbol.GetHashCode();
 
@@ -72,7 +67,7 @@ namespace Semmle.Extraction
             return other?.GetType() == GetType() && Equals(other.symbol, symbol);
         }
 
-        public abstract TrapStackBehaviour TrapStackBehaviour { get; }
+        public override TrapStackBehaviour TrapStackBehaviour { get; }
     }
 
     /// <summary>
diff --git a/csharp/extractor/Semmle.Extraction/Entities/Base/Entity.cs b/csharp/extractor/Semmle.Extraction/Entities/Base/Entity.cs
new file mode 100644
index 00000000000..888f6a4329e
--- /dev/null
+++ b/csharp/extractor/Semmle.Extraction/Entities/Base/Entity.cs
@@ -0,0 +1,64 @@
+using Microsoft.CodeAnalysis;
+using System;
+using System.IO;
+
+namespace Semmle.Extraction
+{
+    public abstract class Entity : IEntity
+    {
+        protected Context Context { get; }
+
+        protected Entity(Context context)
+        {
+            this.Context = context;
+        }
+
+        public Label Label { get; set; }
+
+        public abstract void WriteId(TextWriter trapFile);
+
+        public abstract void WriteQuotedId(TextWriter trapFile);
+
+        public abstract Location? ReportingLocation { get; }
+
+        public abstract TrapStackBehaviour TrapStackBehaviour { get; }
+
+        public void DefineLabel(TextWriter trapFile, Extractor extractor)
+        {
+            trapFile.WriteLabel(this);
+            trapFile.Write("=");
+            try
+            {
+                WriteQuotedId(trapFile);
+            }
+            catch (Exception ex)  // lgtm[cs/catch-of-all-exceptions]
+            {
+                trapFile.WriteLine("\"");
+                extractor.Message(new Message($"Unhandled exception generating id: {ex.Message}", ToString() ?? "", null, ex.StackTrace));
+            }
+            trapFile.WriteLine();
+        }
+
+        public void DefineFreshLabel(TextWriter trapFile)
+        {
+            trapFile.WriteLabel(this);
+            trapFile.WriteLine("=*");
+        }
+
+#if DEBUG_LABELS
+        /// <summary>
+        /// Generates a debug string for this entity.
+        /// </summary>
+        public string GetDebugLabel()
+        {
+            using var writer = new StringWriter();
+            writer.WriteLabel(Label.Value);
+            writer.Write('=');
+            WriteQuotedId(writer);
+            return writer.ToString();
+        }
+#endif
+
+        public override string ToString() => Label.ToString();
+    }
+}
diff --git a/csharp/extractor/Semmle.Extraction/Entities/Base/FreshEntity.cs b/csharp/extractor/Semmle.Extraction/Entities/Base/FreshEntity.cs
new file mode 100644
index 00000000000..721a6f05e21
--- /dev/null
+++ b/csharp/extractor/Semmle.Extraction/Entities/Base/FreshEntity.cs
@@ -0,0 +1,38 @@
+using System.IO;
+
+namespace Semmle.Extraction
+{
+    /// <summary>
+    /// An entity which has a default "*" ID assigned to it.
+    /// </summary>
+    public abstract class FreshEntity : UnlabelledEntity
+    {
+        protected FreshEntity(Context cx) : base(cx)
+        {
+        }
+
+        protected abstract void Populate(TextWriter trapFile);
+
+        protected void TryPopulate()
+        {
+            Context.Try(null, null, () => Populate(Context.TrapWriter.Writer));
+        }
+
+        /// <summary>
+        /// For debugging.
+        /// </summary>
+        public string DebugContents
+        {
+            get
+            {
+                using var writer = new StringWriter();
+                Populate(writer);
+                return writer.ToString();
+            }
+        }
+
+        public override Microsoft.CodeAnalysis.Location? ReportingLocation => null;
+
+        public override TrapStackBehaviour TrapStackBehaviour { get; }
+    }
+}
diff --git a/csharp/extractor/Semmle.Extraction/Entities/Base/ICachedEntityFactory.cs b/csharp/extractor/Semmle.Extraction/Entities/Base/ICachedEntityFactory.cs
new file mode 100644
index 00000000000..7c03dd61002
--- /dev/null
+++ b/csharp/extractor/Semmle.Extraction/Entities/Base/ICachedEntityFactory.cs
@@ -0,0 +1,14 @@
+namespace Semmle.Extraction
+{
+    /// <summary>
+    /// A factory for creating cached entities.
+    /// </summary>
+    /// <typeparam name="TInit">The type of the initializer.</typeparam>
+    public interface ICachedEntityFactory<in TInit, out TEntity> where TEntity : CachedEntity
+    {
+        /// <summary>
+        /// Initializes the entity, but does not generate any trap code.
+        /// </summary>
+        TEntity Create(Context cx, TInit init);
+    }
+}
diff --git a/csharp/extractor/Semmle.Extraction/Entities/Base/ICachedEntityFactoryExtensions.cs b/csharp/extractor/Semmle.Extraction/Entities/Base/ICachedEntityFactoryExtensions.cs
new file mode 100644
index 00000000000..b311fccb7ab
--- /dev/null
+++ b/csharp/extractor/Semmle.Extraction/Entities/Base/ICachedEntityFactoryExtensions.cs
@@ -0,0 +1,35 @@
+using Microsoft.CodeAnalysis;
+
+namespace Semmle.Extraction
+{
+    public static class ICachedEntityFactoryExtensions
+    {
+        /// <summary>
+        /// Creates and populates a new entity, or returns the existing one from the cache,
+        /// based on the supplied cache key.
+        /// </summary>
+        /// <typeparam name="TInit">The type used to construct the entity.</typeparam>
+        /// <typeparam name="TEntity">The type of the entity to create.</typeparam>
+        /// <param name="factory">The factory used to construct the entity.</param>
+        /// <param name="cx">The extractor context.</param>
+        /// <param name="cacheKey">The key used for caching.</param>
+        /// <param name="init">The initializer for the entity.</param>
+        /// <returns>The entity.</returns>
+        public static TEntity CreateEntity<TInit, TEntity>(this ICachedEntityFactory<TInit, TEntity> factory, Context cx, object cacheKey, TInit init)
+            where TEntity : CachedEntity => cx.CreateEntity(factory, cacheKey, init);
+
+        /// <summary>
+        /// Creates and populates a new entity from an `ISymbol`, or returns the existing one
+        /// from the cache.
+        /// </summary>
+        /// <typeparam name="TSymbol">The type used to construct the entity.</typeparam>
+        /// <typeparam name="TEntity">The type of the entity to create.</typeparam>
+        /// <param name="factory">The factory used to construct the entity.</param>
+        /// <param name="cx">The extractor context.</param>
+        /// <param name="init">The initializer for the entity.</param>
+        /// <returns>The entity.</returns>
+        public static TEntity CreateEntityFromSymbol<TSymbol, TEntity>(this ICachedEntityFactory<TSymbol, TEntity> factory, Context cx, TSymbol init)
+            where TSymbol : ISymbol
+            where TEntity : CachedEntity => cx.CreateEntityFromSymbol(factory, init);
+    }
+}
diff --git a/csharp/extractor/Semmle.Extraction/Entities/Base/IEntity.cs b/csharp/extractor/Semmle.Extraction/Entities/Base/IEntity.cs
new file mode 100644
index 00000000000..5aadbeb9e4d
--- /dev/null
+++ b/csharp/extractor/Semmle.Extraction/Entities/Base/IEntity.cs
@@ -0,0 +1,53 @@
+using Microsoft.CodeAnalysis;
+using System.IO;
+
+namespace Semmle.Extraction
+{
+    /// <summary>
+    /// Any program entity which has a corresponding label in the trap file.
+    ///
+    /// Entities are divided into two types: normal entities and cached
+    /// entities.
+    ///
+    /// Normal entities implement <see cref="FreshEntity"/> directly, and they
+    /// (may) emit contents to the trap file during object construction.
+    ///
+    /// Cached entities implement <see cref="CachedEntity"/>, and they
+    /// emit contents to the trap file when <see cref="CachedEntity.Populate"/>
+    /// is called. Caching prevents <see cref="CachedEntity.Populate"/>
+    /// from being called on entities that have already been emitted.
+    /// </summary>
+    public interface IEntity
+    {
+        /// <summary>
+        /// The label of the entity, as it is in the trap file.
+        /// For example, "#123".
+        /// </summary>
+        Label Label { get; set; }
+
+        /// <summary>
+        /// Writes the unique identifier of this entitiy to a trap file.
+        /// </summary>
+        /// <param name="trapFile">The trapfile to write to.</param>
+        void WriteId(TextWriter trapFile);
+
+        /// <summary>
+        /// Writes the quoted identifier of this entity,
+        /// which could be @"..." or *
+        /// </summary>
+        /// <param name="trapFile">The trapfile to write to.</param>
+        void WriteQuotedId(TextWriter trapFile);
+
+        /// <summary>
+        /// The location for reporting purposes.
+        /// </summary>
+        Location? ReportingLocation { get; }
+
+        /// <summary>
+        /// How the entity handles .push and .pop.
+        /// </summary>
+        TrapStackBehaviour TrapStackBehaviour { get; }
+
+        void DefineLabel(TextWriter trapFile, Extractor extractor);
+    }
+}
diff --git a/csharp/extractor/Semmle.Extraction/Entities/Base/LabelledEntity.cs b/csharp/extractor/Semmle.Extraction/Entities/Base/LabelledEntity.cs
new file mode 100644
index 00000000000..12a98ce2303
--- /dev/null
+++ b/csharp/extractor/Semmle.Extraction/Entities/Base/LabelledEntity.cs
@@ -0,0 +1,18 @@
+using System.IO;
+
+namespace Semmle.Extraction
+{
+    public abstract class LabelledEntity : Entity
+    {
+        protected LabelledEntity(Context cx) : base(cx)
+        {
+        }
+
+        public override void WriteQuotedId(TextWriter trapFile)
+        {
+            trapFile.Write("@\"");
+            WriteId(trapFile);
+            trapFile.Write('\"');
+        }
+    }
+}
diff --git a/csharp/extractor/Semmle.Extraction/Entities/Base/UnlabelledEntity.cs b/csharp/extractor/Semmle.Extraction/Entities/Base/UnlabelledEntity.cs
new file mode 100644
index 00000000000..6b6a22eb4b5
--- /dev/null
+++ b/csharp/extractor/Semmle.Extraction/Entities/Base/UnlabelledEntity.cs
@@ -0,0 +1,22 @@
+using System.IO;
+
+namespace Semmle.Extraction
+{
+    public abstract class UnlabelledEntity : Entity
+    {
+        protected UnlabelledEntity(Context cx) : base(cx)
+        {
+            cx.AddFreshLabel(this);
+        }
+
+        public sealed override void WriteId(TextWriter writer)
+        {
+            writer.Write('*');
+        }
+
+        public sealed override void WriteQuotedId(TextWriter writer)
+        {
+            WriteId(writer);
+        }
+    }
+}
diff --git a/csharp/extractor/Semmle.Extraction/Entities/ExtractionError.cs b/csharp/extractor/Semmle.Extraction/Entities/ExtractionError.cs
index 96aabb57f8e..f7be2995923 100644
--- a/csharp/extractor/Semmle.Extraction/Entities/ExtractionError.cs
+++ b/csharp/extractor/Semmle.Extraction/Entities/ExtractionError.cs
@@ -15,7 +15,7 @@ namespace Semmle.Extraction.Entities
         protected override void Populate(TextWriter trapFile)
         {
             trapFile.extractor_messages(this, msg.Severity, "C# extractor", msg.Text, msg.EntityText ?? string.Empty,
-                msg.Location ?? cx.CreateLocation(), msg.StackTrace ?? string.Empty);
+                msg.Location ?? Context.CreateLocation(), msg.StackTrace ?? string.Empty);
         }
 
         public override TrapStackBehaviour TrapStackBehaviour => TrapStackBehaviour.NoLabel;
diff --git a/csharp/extractor/Semmle.Extraction/Entities/SourceLocation.cs b/csharp/extractor/Semmle.Extraction/Entities/SourceLocation.cs
index ae69f95449a..6b9d495db19 100644
--- a/csharp/extractor/Semmle.Extraction/Entities/SourceLocation.cs
+++ b/csharp/extractor/Semmle.Extraction/Entities/SourceLocation.cs
@@ -19,7 +19,7 @@ namespace Semmle.Extraction.Entities
             : base(cx, init)
         {
             Position = init.GetLineSpan();
-            FileEntity = File.Create(Context, Position.Path);
+            FileEntity = File.Create(base.Context, Position.Path);
         }
 
         public static Location Create(Context cx, Microsoft.CodeAnalysis.Location loc) => SourceLocationFactory.Instance.CreateEntity(cx, loc, loc);
diff --git a/csharp/extractor/Semmle.Extraction/Entity.cs b/csharp/extractor/Semmle.Extraction/Entity.cs
deleted file mode 100644
index 8839b6ede2a..00000000000
--- a/csharp/extractor/Semmle.Extraction/Entity.cs
+++ /dev/null
@@ -1,177 +0,0 @@
-using Microsoft.CodeAnalysis;
-using System;
-using System.IO;
-
-namespace Semmle.Extraction
-{
-    /// <summary>
-    /// Any program entity which has a corresponding label in the trap file.
-    ///
-    /// Entities are divided into two types: normal entities and cached
-    /// entities.
-    ///
-    /// Normal entities implement <see cref="IEntity"/> directly, and they
-    /// (may) emit contents to the trap file during object construction.
-    ///
-    /// Cached entities implement <see cref="ICachedEntity"/>, and they
-    /// emit contents to the trap file when <see cref="ICachedEntity.Populate"/>
-    /// is called. Caching prevents <see cref="ICachedEntity.Populate"/>
-    /// from being called on entities that have already been emitted.
-    /// </summary>
-    public interface IEntity
-    {
-        /// <summary>
-        /// The label of the entity, as it is in the trap file.
-        /// For example, "#123".
-        /// </summary>
-        Label Label { set; get; }
-
-        /// <summary>
-        /// Writes the unique identifier of this entitiy to a trap file.
-        /// </summary>
-        /// <param name="trapFile">The trapfile to write to.</param>
-        void WriteId(TextWriter trapFile);
-
-        /// <summary>
-        /// Writes the quoted identifier of this entity,
-        /// which could be @"..." or *
-        /// </summary>
-        /// <param name="trapFile">The trapfile to write to.</param>
-        void WriteQuotedId(TextWriter trapFile);
-
-        /// <summary>
-        /// The location for reporting purposes.
-        /// </summary>
-        Location? ReportingLocation { get; }
-
-        /// <summary>
-        /// How the entity handles .push and .pop.
-        /// </summary>
-        TrapStackBehaviour TrapStackBehaviour { get; }
-    }
-
-    /// <summary>
-    /// How an entity behaves with respect to .push and .pop
-    /// </summary>
-    public enum TrapStackBehaviour
-    {
-        /// <summary>
-        /// The entity must not be extracted inside a .push/.pop
-        /// </summary>
-        NoLabel,
-
-        /// <summary>
-        /// The entity defines its own label, creating a .push/.pop
-        /// </summary>
-        PushesLabel,
-
-        /// <summary>
-        /// The entity must be extracted inside a .push/.pop
-        /// </summary>
-        NeedsLabel,
-
-        /// <summary>
-        /// The entity can be extracted inside or outside of a .push/.pop
-        /// </summary>
-        OptionalLabel
-    }
-
-    /// <summary>
-    /// A cached entity.
-    ///
-    /// The <see cref="IEntity.Id"/> property is used as label in caching.
-    /// </summary>
-    public interface ICachedEntity : IEntity
-    {
-        /// <summary>
-        /// Populates the <see cref="Label"/> field and generates output in the trap file
-        /// as required. Is only called when <see cref="NeedsPopulation"/> returns
-        /// <code>true</code> and the entity has not already been populated.
-        /// </summary>
-        void Populate(TextWriter trapFile);
-
-        bool NeedsPopulation { get; }
-
-        object? UnderlyingObject { get; }
-    }
-
-    /// <summary>
-    /// A factory for creating cached entities.
-    /// </summary>
-    /// <typeparam name="TInit">The type of the initializer.</typeparam>
-    public interface ICachedEntityFactory<in TInit, out TEntity> where TEntity : ICachedEntity
-    {
-        /// <summary>
-        /// Initializes the entity, but does not generate any trap code.
-        /// </summary>
-        TEntity Create(Context cx, TInit init);
-    }
-
-    public static class ICachedEntityFactoryExtensions
-    {
-        /// <summary>
-        /// Creates and populates a new entity, or returns the existing one from the cache,
-        /// based on the supplied cache key.
-        /// </summary>
-        /// <typeparam name="TInit">The type used to construct the entity.</typeparam>
-        /// <typeparam name="TEntity">The type of the entity to create.</typeparam>
-        /// <param name="factory">The factory used to construct the entity.</param>
-        /// <param name="cx">The extractor context.</param>
-        /// <param name="cacheKey">The key used for caching.</param>
-        /// <param name="init">The initializer for the entity.</param>
-        /// <returns>The entity.</returns>
-        public static TEntity CreateEntity<TInit, TEntity>(this ICachedEntityFactory<TInit, TEntity> factory, Context cx, object cacheKey, TInit init)
-            where TEntity : ICachedEntity => cx.CreateEntity(factory, cacheKey, init);
-
-        /// <summary>
-        /// Creates and populates a new entity from an `ISymbol`, or returns the existing one
-        /// from the cache.
-        /// </summary>
-        /// <typeparam name="TSymbol">The type used to construct the entity.</typeparam>
-        /// <typeparam name="TEntity">The type of the entity to create.</typeparam>
-        /// <param name="factory">The factory used to construct the entity.</param>
-        /// <param name="cx">The extractor context.</param>
-        /// <param name="init">The initializer for the entity.</param>
-        /// <returns>The entity.</returns>
-        public static TEntity CreateEntityFromSymbol<TSymbol, TEntity>(this ICachedEntityFactory<TSymbol, TEntity> factory, Context cx, TSymbol init)
-            where TSymbol : ISymbol
-            where TEntity : ICachedEntity => cx.CreateEntityFromSymbol(factory, init);
-
-        public static void DefineLabel(this IEntity entity, TextWriter trapFile, Extractor extractor)
-        {
-            trapFile.WriteLabel(entity);
-            trapFile.Write("=");
-            try
-            {
-                entity.WriteQuotedId(trapFile);
-            }
-            catch (Exception ex)  // lgtm[cs/catch-of-all-exceptions]
-            {
-                trapFile.WriteLine("\"");
-                extractor.Message(new Message($"Unhandled exception generating id: {ex.Message}", entity.ToString() ?? "", null, ex.StackTrace));
-            }
-            trapFile.WriteLine();
-        }
-
-        public static void DefineFreshLabel(this IEntity entity, TextWriter trapFile)
-        {
-            trapFile.WriteLabel(entity);
-            trapFile.WriteLine("=*");
-        }
-
-        /// <summary>
-        /// Generates a debug string for this entity.
-        /// </summary>
-        /// <param name="entity">The entity to view.</param>
-        /// <returns>The debug string.</returns>
-        public static string GetDebugLabel(this IEntity entity)
-        {
-            using var writer = new StringWriter();
-            writer.WriteLabel(entity.Label.Value);
-            writer.Write('=');
-            entity.WriteQuotedId(writer);
-            return writer.ToString();
-        }
-
-    }
-}
diff --git a/csharp/extractor/Semmle.Extraction/FreshEntity.cs b/csharp/extractor/Semmle.Extraction/FreshEntity.cs
deleted file mode 100644
index e8569cd9c91..00000000000
--- a/csharp/extractor/Semmle.Extraction/FreshEntity.cs
+++ /dev/null
@@ -1,59 +0,0 @@
-using System.IO;
-
-namespace Semmle.Extraction
-{
-    /// <summary>
-    /// An entity which has a default "*" ID assigned to it.
-    /// </summary>
-    public abstract class FreshEntity : IEntity
-    {
-        protected Context cx { get; }
-
-        protected FreshEntity(Context cx)
-        {
-            this.cx = cx;
-            cx.AddFreshLabel(this);
-        }
-
-        public Label Label
-        {
-            get; set;
-        }
-
-        public void WriteId(TextWriter writer)
-        {
-            writer.Write('*');
-        }
-
-        public void WriteQuotedId(TextWriter writer)
-        {
-            WriteId(writer);
-        }
-
-        protected abstract void Populate(TextWriter trapFile);
-
-        protected void TryPopulate()
-        {
-            cx.Try(null, null, () => Populate(cx.TrapWriter.Writer));
-        }
-
-        /// <summary>
-        /// For debugging.
-        /// </summary>
-        public string DebugContents
-        {
-            get
-            {
-                using var writer = new StringWriter();
-                Populate(writer);
-                return writer.ToString();
-            }
-        }
-
-        public override string ToString() => Label.ToString();
-
-        public virtual Microsoft.CodeAnalysis.Location? ReportingLocation => null;
-
-        public abstract TrapStackBehaviour TrapStackBehaviour { get; }
-    }
-}
diff --git a/csharp/extractor/Semmle.Extraction/TrapStackBehaviour.cs b/csharp/extractor/Semmle.Extraction/TrapStackBehaviour.cs
new file mode 100644
index 00000000000..0966a4816af
--- /dev/null
+++ b/csharp/extractor/Semmle.Extraction/TrapStackBehaviour.cs
@@ -0,0 +1,28 @@
+namespace Semmle.Extraction
+{
+    /// <summary>
+    /// How an entity behaves with respect to .push and .pop
+    /// </summary>
+    public enum TrapStackBehaviour
+    {
+        /// <summary>
+        /// The entity must not be extracted inside a .push/.pop
+        /// </summary>
+        NoLabel,
+
+        /// <summary>
+        /// The entity defines its own label, creating a .push/.pop
+        /// </summary>
+        PushesLabel,
+
+        /// <summary>
+        /// The entity must be extracted inside a .push/.pop
+        /// </summary>
+        NeedsLabel,
+
+        /// <summary>
+        /// The entity can be extracted inside or outside of a .push/.pop
+        /// </summary>
+        OptionalLabel
+    }
+}

From 199e937e9e06535a644baf774f419bef5b18e7e2 Mon Sep 17 00:00:00 2001
From: Tamas Vajk <tamasvajk@github.com>
Date: Thu, 11 Feb 2021 14:24:24 +0100
Subject: [PATCH 387/429] C#: Rename CachedEntity.symbol to Symbol

---
 .../Entities/Accessor.cs                      | 18 ++---
 .../Entities/Attribute.cs                     | 10 +--
 .../Entities/CommentBlock.cs                  |  8 +--
 .../Entities/CommentLine.cs                   |  6 +-
 .../Entities/Constructor.cs                   | 22 +++---
 .../Entities/Conversion.cs                    |  4 +-
 .../Entities/Destructor.cs                    |  2 +-
 .../Entities/Event.cs                         | 18 ++---
 .../Entities/EventAccessor.cs                 | 12 ++--
 .../Entities/Expression.cs                    |  2 +-
 .../Entities/Expressions/Invocation.cs        |  2 +-
 .../Entities/Field.cs                         | 40 +++++------
 .../Entities/Indexer.cs                       | 34 ++++-----
 .../Entities/LocalFunction.cs                 |  8 +--
 .../Entities/LocalVariable.cs                 |  8 +--
 .../Entities/Method.cs                        | 60 ++++++++--------
 .../Entities/Modifier.cs                      |  4 +-
 .../Entities/Namespace.cs                     | 14 ++--
 .../Entities/OrdinaryMethod.cs                | 14 ++--
 .../Entities/Parameter.cs                     | 58 +++++++--------
 .../Entities/Property.cs                      | 32 ++++-----
 .../Entities/Statement`1.cs                   |  2 +-
 .../Statements/GlobalStatementsBlock.cs       |  4 +-
 .../Entities/Symbol.cs                        | 30 ++++----
 .../Entities/TypeMention.cs                   |  6 +-
 .../Entities/Types/ArrayType.cs               |  6 +-
 .../Entities/Types/FunctionPointerType.cs     |  6 +-
 .../Entities/Types/NamedType.cs               | 52 +++++++-------
 .../Entities/Types/Nullability.cs             |  6 +-
 .../Entities/Types/PointerType.cs             |  2 +-
 .../Entities/Types/TupleType.cs               |  8 +--
 .../Entities/Types/Type.cs                    | 70 +++++++++----------
 .../Entities/Types/TypeParameter.cs           | 36 +++++-----
 .../Entities/UserOperator.cs                  | 18 ++---
 .../Semmle.Extraction/Entities/Assembly.cs    |  4 +-
 .../Entities/Base/CachedEntity`1.cs           | 17 ++---
 .../Semmle.Extraction/Entities/Folder.cs      | 10 +--
 .../Semmle.Extraction/Entities/Location.cs    |  2 +-
 .../Entities/SourceLocation.cs                |  2 +-
 csharp/extractor/Semmle.Extraction/Message.cs |  4 +-
 40 files changed, 327 insertions(+), 334 deletions(-)

diff --git a/csharp/extractor/Semmle.Extraction.CSharp/Entities/Accessor.cs b/csharp/extractor/Semmle.Extraction.CSharp/Entities/Accessor.cs
index 08782ec36a7..d5a20e8eef6 100644
--- a/csharp/extractor/Semmle.Extraction.CSharp/Entities/Accessor.cs
+++ b/csharp/extractor/Semmle.Extraction.CSharp/Entities/Accessor.cs
@@ -29,9 +29,9 @@ namespace Semmle.Extraction.CSharp.Entities
         /// <summary>
         /// Gets the property symbol associated with this accessor.
         /// </summary>
-        private IPropertySymbol PropertySymbol => GetPropertySymbol(symbol);
+        private IPropertySymbol PropertySymbol => GetPropertySymbol(Symbol);
 
-        public new Accessor OriginalDefinition => Create(Context, symbol.OriginalDefinition);
+        public new Accessor OriginalDefinition => Create(Context, Symbol.OriginalDefinition);
 
         public override void Populate(TextWriter trapFile)
         {
@@ -42,42 +42,42 @@ namespace Semmle.Extraction.CSharp.Entities
             var prop = PropertySymbol;
             if (prop == null)
             {
-                Context.ModelError(symbol, "Unhandled accessor associated symbol");
+                Context.ModelError(Symbol, "Unhandled accessor associated symbol");
                 return;
             }
 
             var parent = Property.Create(Context, prop);
             int kind;
             Accessor unboundAccessor;
-            if (SymbolEqualityComparer.Default.Equals(symbol, prop.GetMethod))
+            if (SymbolEqualityComparer.Default.Equals(Symbol, prop.GetMethod))
             {
                 kind = 1;
                 unboundAccessor = Create(Context, prop.OriginalDefinition.GetMethod);
             }
-            else if (SymbolEqualityComparer.Default.Equals(symbol, prop.SetMethod))
+            else if (SymbolEqualityComparer.Default.Equals(Symbol, prop.SetMethod))
             {
                 kind = 2;
                 unboundAccessor = Create(Context, prop.OriginalDefinition.SetMethod);
             }
             else
             {
-                Context.ModelError(symbol, "Unhandled accessor kind");
+                Context.ModelError(Symbol, "Unhandled accessor kind");
                 return;
             }
 
-            trapFile.accessors(this, kind, symbol.Name, parent, unboundAccessor);
+            trapFile.accessors(this, kind, Symbol.Name, parent, unboundAccessor);
 
             foreach (var l in Locations)
                 trapFile.accessor_location(this, l);
 
             Overrides(trapFile);
 
-            if (symbol.FromSource() && Block == null)
+            if (Symbol.FromSource() && Block == null)
             {
                 trapFile.compiler_generated(this);
             }
 
-            if (symbol.IsInitOnly)
+            if (Symbol.IsInitOnly)
             {
                 trapFile.init_only_accessors(this);
             }
diff --git a/csharp/extractor/Semmle.Extraction.CSharp/Entities/Attribute.cs b/csharp/extractor/Semmle.Extraction.CSharp/Entities/Attribute.cs
index e1663350055..ba1d2093765 100644
--- a/csharp/extractor/Semmle.Extraction.CSharp/Entities/Attribute.cs
+++ b/csharp/extractor/Semmle.Extraction.CSharp/Entities/Attribute.cs
@@ -47,7 +47,7 @@ namespace Semmle.Extraction.CSharp.Entities
 
         public override void Populate(TextWriter trapFile)
         {
-            var type = Type.Create(Context, symbol.AttributeClass);
+            var type = Type.Create(Context, Symbol.AttributeClass);
             trapFile.attributes(this, type.TypeRef, entity);
             trapFile.attribute_location(this, Location);
 
@@ -69,10 +69,10 @@ namespace Semmle.Extraction.CSharp.Entities
             var ctorArguments = attributeSyntax?.ArgumentList?.Arguments.Where(a => a.NameEquals == null).ToList();
 
             var childIndex = 0;
-            for (var i = 0; i < symbol.ConstructorArguments.Length; i++)
+            for (var i = 0; i < Symbol.ConstructorArguments.Length; i++)
             {
-                var constructorArgument = symbol.ConstructorArguments[i];
-                var paramName = symbol.AttributeConstructor?.Parameters[i].Name;
+                var constructorArgument = Symbol.ConstructorArguments[i];
+                var paramName = Symbol.AttributeConstructor?.Parameters[i].Name;
                 var argSyntax = ctorArguments?.SingleOrDefault(a => a.NameColon != null && a.NameColon.Name.Identifier.Text == paramName);
 
                 if (argSyntax == null &&                            // couldn't find named argument
@@ -89,7 +89,7 @@ namespace Semmle.Extraction.CSharp.Entities
                     childIndex++);
             }
 
-            foreach (var namedArgument in symbol.NamedArguments)
+            foreach (var namedArgument in Symbol.NamedArguments)
             {
                 var expr = CreateExpressionFromArgument(
                     namedArgument.Value,
diff --git a/csharp/extractor/Semmle.Extraction.CSharp/Entities/CommentBlock.cs b/csharp/extractor/Semmle.Extraction.CSharp/Entities/CommentBlock.cs
index 9f105bb1e1a..e06b6aebe7f 100644
--- a/csharp/extractor/Semmle.Extraction.CSharp/Entities/CommentBlock.cs
+++ b/csharp/extractor/Semmle.Extraction.CSharp/Entities/CommentBlock.cs
@@ -13,8 +13,8 @@ namespace Semmle.Extraction.CSharp.Entities
         {
             trapFile.commentblock(this);
             var child = 0;
-            trapFile.commentblock_location(this, Context.CreateLocation(symbol.Location));
-            foreach (var l in symbol.CommentLines)
+            trapFile.commentblock_location(this, Context.CreateLocation(Symbol.Location));
+            foreach (var l in Symbol.CommentLines)
             {
                 trapFile.commentblock_child(this, (CommentLine)l, child++);
             }
@@ -24,11 +24,11 @@ namespace Semmle.Extraction.CSharp.Entities
 
         public override void WriteId(TextWriter trapFile)
         {
-            trapFile.WriteSubId(Context.CreateLocation(symbol.Location));
+            trapFile.WriteSubId(Context.CreateLocation(Symbol.Location));
             trapFile.Write(";commentblock");
         }
 
-        public override Microsoft.CodeAnalysis.Location ReportingLocation => symbol.Location;
+        public override Microsoft.CodeAnalysis.Location ReportingLocation => Symbol.Location;
 
         public void BindTo(Label entity, CommentBinding binding)
         {
diff --git a/csharp/extractor/Semmle.Extraction.CSharp/Entities/CommentLine.cs b/csharp/extractor/Semmle.Extraction.CSharp/Entities/CommentLine.cs
index 5ba3bbd87f4..102ea262b39 100644
--- a/csharp/extractor/Semmle.Extraction.CSharp/Entities/CommentLine.cs
+++ b/csharp/extractor/Semmle.Extraction.CSharp/Entities/CommentLine.cs
@@ -13,10 +13,10 @@ namespace Semmle.Extraction.CSharp.Entities
             RawText = raw;
         }
 
-        public Microsoft.CodeAnalysis.Location Location => symbol.Item1;
+        public Microsoft.CodeAnalysis.Location Location => Symbol.Item1;
         public CommentLineType Type { get; private set; }
 
-        public string Text { get { return symbol.Item2; } }
+        public string Text { get { return Symbol.Item2; } }
         public string RawText { get; private set; }
 
         private Location location;
@@ -28,7 +28,7 @@ namespace Semmle.Extraction.CSharp.Entities
             trapFile.commentline_location(this, location);
         }
 
-        public override Microsoft.CodeAnalysis.Location ReportingLocation => location.symbol;
+        public override Microsoft.CodeAnalysis.Location ReportingLocation => location.Symbol;
 
         public override bool NeedsPopulation => true;
 
diff --git a/csharp/extractor/Semmle.Extraction.CSharp/Entities/Constructor.cs b/csharp/extractor/Semmle.Extraction.CSharp/Entities/Constructor.cs
index 0e4c2bbe9c0..d04e80324ff 100644
--- a/csharp/extractor/Semmle.Extraction.CSharp/Entities/Constructor.cs
+++ b/csharp/extractor/Semmle.Extraction.CSharp/Entities/Constructor.cs
@@ -19,10 +19,10 @@ namespace Semmle.Extraction.CSharp.Entities
             PopulateModifiers(trapFile);
             ContainingType.PopulateGenerics();
 
-            trapFile.constructors(this, symbol.ContainingType.Name, ContainingType, (Constructor)OriginalDefinition);
+            trapFile.constructors(this, Symbol.ContainingType.Name, ContainingType, (Constructor)OriginalDefinition);
             trapFile.constructor_location(this, Location);
 
-            if (symbol.IsImplicitlyDeclared)
+            if (Symbol.IsImplicitlyDeclared)
             {
                 var lineCounts = new LineCounts() { Total = 2, Code = 1, Comment = 0 };
                 trapFile.numlines(this, lineCounts);
@@ -48,10 +48,10 @@ namespace Semmle.Extraction.CSharp.Entities
             switch (initializer.Kind())
             {
                 case SyntaxKind.BaseConstructorInitializer:
-                    initializerType = symbol.ContainingType.BaseType;
+                    initializerType = Symbol.ContainingType.BaseType;
                     break;
                 case SyntaxKind.ThisConstructorInitializer:
-                    initializerType = symbol.ContainingType;
+                    initializerType = Symbol.ContainingType;
                     break;
                 default:
                     Context.ModelError(initializer, "Unknown initializer");
@@ -73,7 +73,7 @@ namespace Semmle.Extraction.CSharp.Entities
 
             if (target == null)
             {
-                Context.ModelError(symbol, "Unable to resolve call");
+                Context.ModelError(Symbol, "Unable to resolve call");
                 return;
             }
 
@@ -90,7 +90,7 @@ namespace Semmle.Extraction.CSharp.Entities
         {
             get
             {
-                return symbol.DeclaringSyntaxReferences
+                return Symbol.DeclaringSyntaxReferences
                     .Select(r => r.GetSyntax())
                     .OfType<ConstructorDeclarationSyntax>()
                     .FirstOrDefault();
@@ -114,15 +114,15 @@ namespace Semmle.Extraction.CSharp.Entities
 
         public override void WriteId(TextWriter trapFile)
         {
-            if (symbol.IsStatic)
+            if (Symbol.IsStatic)
                 trapFile.Write("static");
             trapFile.WriteSubId(ContainingType);
-            AddParametersToId(Context, trapFile, symbol);
+            AddParametersToId(Context, trapFile, Symbol);
             trapFile.Write(";constructor");
         }
 
         private ConstructorDeclarationSyntax GetSyntax() =>
-            symbol.DeclaringSyntaxReferences.Select(r => r.GetSyntax()).OfType<ConstructorDeclarationSyntax>().FirstOrDefault();
+            Symbol.DeclaringSyntaxReferences.Select(r => r.GetSyntax()).OfType<ConstructorDeclarationSyntax>().FirstOrDefault();
 
         public override Microsoft.CodeAnalysis.Location FullLocation => ReportingLocation;
 
@@ -136,12 +136,12 @@ namespace Semmle.Extraction.CSharp.Entities
                     return syn.Identifier.GetLocation();
                 }
 
-                if (symbol.IsImplicitlyDeclared)
+                if (Symbol.IsImplicitlyDeclared)
                 {
                     return ContainingType.ReportingLocation;
                 }
 
-                return symbol.ContainingType.Locations.FirstOrDefault();
+                return Symbol.ContainingType.Locations.FirstOrDefault();
             }
         }
 
diff --git a/csharp/extractor/Semmle.Extraction.CSharp/Entities/Conversion.cs b/csharp/extractor/Semmle.Extraction.CSharp/Entities/Conversion.cs
index aa125cae0a1..05a752cb35c 100644
--- a/csharp/extractor/Semmle.Extraction.CSharp/Entities/Conversion.cs
+++ b/csharp/extractor/Semmle.Extraction.CSharp/Entities/Conversion.cs
@@ -17,11 +17,11 @@ namespace Semmle.Extraction.CSharp.Entities
         {
             get
             {
-                return symbol.DeclaringSyntaxReferences
+                return Symbol.DeclaringSyntaxReferences
                     .Select(r => r.GetSyntax())
                     .OfType<ConversionOperatorDeclarationSyntax>()
                     .Select(s => s.FixedLocation())
-                    .Concat(symbol.Locations)
+                    .Concat(Symbol.Locations)
                     .FirstOrDefault();
             }
         }
diff --git a/csharp/extractor/Semmle.Extraction.CSharp/Entities/Destructor.cs b/csharp/extractor/Semmle.Extraction.CSharp/Entities/Destructor.cs
index a5c4acc3c03..0862baa3600 100644
--- a/csharp/extractor/Semmle.Extraction.CSharp/Entities/Destructor.cs
+++ b/csharp/extractor/Semmle.Extraction.CSharp/Entities/Destructor.cs
@@ -14,7 +14,7 @@ namespace Semmle.Extraction.CSharp.Entities
             PopulateModifiers(trapFile);
             ContainingType.PopulateGenerics();
 
-            trapFile.destructors(this, string.Format("~{0}", symbol.ContainingType.Name), ContainingType, OriginalDefinition(Context, this, symbol));
+            trapFile.destructors(this, string.Format("~{0}", Symbol.ContainingType.Name), ContainingType, OriginalDefinition(Context, this, Symbol));
             trapFile.destructor_location(this, Location);
         }
 
diff --git a/csharp/extractor/Semmle.Extraction.CSharp/Entities/Event.cs b/csharp/extractor/Semmle.Extraction.CSharp/Entities/Event.cs
index 5c24cf97655..fe095ed4462 100644
--- a/csharp/extractor/Semmle.Extraction.CSharp/Entities/Event.cs
+++ b/csharp/extractor/Semmle.Extraction.CSharp/Entities/Event.cs
@@ -14,20 +14,20 @@ namespace Semmle.Extraction.CSharp.Entities
         {
             trapFile.WriteSubId(ContainingType);
             trapFile.Write('.');
-            Method.AddExplicitInterfaceQualifierToId(Context, trapFile, symbol.ExplicitInterfaceImplementations);
-            trapFile.Write(symbol.Name);
+            Method.AddExplicitInterfaceQualifierToId(Context, trapFile, Symbol.ExplicitInterfaceImplementations);
+            trapFile.Write(Symbol.Name);
             trapFile.Write(";event");
         }
 
         public override void Populate(TextWriter trapFile)
         {
-            PopulateNullability(trapFile, symbol.GetAnnotatedType());
+            PopulateNullability(trapFile, Symbol.GetAnnotatedType());
 
-            var type = Type.Create(Context, symbol.Type);
-            trapFile.events(this, symbol.GetName(), ContainingType, type.TypeRef, Create(Context, symbol.OriginalDefinition));
+            var type = Type.Create(Context, Symbol.Type);
+            trapFile.events(this, Symbol.GetName(), ContainingType, type.TypeRef, Create(Context, Symbol.OriginalDefinition));
 
-            var adder = symbol.AddMethod;
-            var remover = symbol.RemoveMethod;
+            var adder = Symbol.AddMethod;
+            var remover = Symbol.RemoveMethod;
 
             if (!(adder is null))
                 Method.Create(Context, adder);
@@ -39,10 +39,10 @@ namespace Semmle.Extraction.CSharp.Entities
             BindComments();
 
             var declSyntaxReferences = IsSourceDeclaration
-                ? symbol.DeclaringSyntaxReferences.Select(d => d.GetSyntax()).ToArray()
+                ? Symbol.DeclaringSyntaxReferences.Select(d => d.GetSyntax()).ToArray()
                 : Enumerable.Empty<SyntaxNode>();
 
-            foreach (var explicitInterface in symbol.ExplicitInterfaceImplementations.Select(impl => Type.Create(Context, impl.ContainingType)))
+            foreach (var explicitInterface in Symbol.ExplicitInterfaceImplementations.Select(impl => Type.Create(Context, impl.ContainingType)))
             {
                 trapFile.explicitly_implements(this, explicitInterface.TypeRef);
 
diff --git a/csharp/extractor/Semmle.Extraction.CSharp/Entities/EventAccessor.cs b/csharp/extractor/Semmle.Extraction.CSharp/Entities/EventAccessor.cs
index c75b6766dc7..82be6a6e406 100644
--- a/csharp/extractor/Semmle.Extraction.CSharp/Entities/EventAccessor.cs
+++ b/csharp/extractor/Semmle.Extraction.CSharp/Entities/EventAccessor.cs
@@ -11,7 +11,7 @@ namespace Semmle.Extraction.CSharp.Entities
         /// <summary>
         /// Gets the event symbol associated with this accessor.
         /// </summary>
-        private IEventSymbol EventSymbol => symbol.AssociatedSymbol as IEventSymbol;
+        private IEventSymbol EventSymbol => Symbol.AssociatedSymbol as IEventSymbol;
 
         public override void Populate(TextWriter trapFile)
         {
@@ -21,30 +21,30 @@ namespace Semmle.Extraction.CSharp.Entities
             var @event = EventSymbol;
             if (@event == null)
             {
-                Context.ModelError(symbol, "Unhandled event accessor associated symbol");
+                Context.ModelError(Symbol, "Unhandled event accessor associated symbol");
                 return;
             }
 
             var parent = Event.Create(Context, @event);
             int kind;
             EventAccessor unboundAccessor;
-            if (SymbolEqualityComparer.Default.Equals(symbol, @event.AddMethod))
+            if (SymbolEqualityComparer.Default.Equals(Symbol, @event.AddMethod))
             {
                 kind = 1;
                 unboundAccessor = Create(Context, @event.OriginalDefinition.AddMethod);
             }
-            else if (SymbolEqualityComparer.Default.Equals(symbol, @event.RemoveMethod))
+            else if (SymbolEqualityComparer.Default.Equals(Symbol, @event.RemoveMethod))
             {
                 kind = 2;
                 unboundAccessor = Create(Context, @event.OriginalDefinition.RemoveMethod);
             }
             else
             {
-                Context.ModelError(symbol, "Undhandled event accessor kind");
+                Context.ModelError(Symbol, "Undhandled event accessor kind");
                 return;
             }
 
-            trapFile.event_accessors(this, kind, symbol.Name, parent, unboundAccessor);
+            trapFile.event_accessors(this, kind, Symbol.Name, parent, unboundAccessor);
 
             foreach (var l in Locations)
                 trapFile.event_accessor_location(this, l);
diff --git a/csharp/extractor/Semmle.Extraction.CSharp/Entities/Expression.cs b/csharp/extractor/Semmle.Extraction.CSharp/Entities/Expression.cs
index e96410fb8f5..fe62bf8323b 100644
--- a/csharp/extractor/Semmle.Extraction.CSharp/Entities/Expression.cs
+++ b/csharp/extractor/Semmle.Extraction.CSharp/Entities/Expression.cs
@@ -57,7 +57,7 @@ namespace Semmle.Extraction.CSharp.Entities
             type.PopulateGenerics();
         }
 
-        public override Microsoft.CodeAnalysis.Location ReportingLocation => Location.symbol;
+        public override Microsoft.CodeAnalysis.Location ReportingLocation => Location.Symbol;
 
         bool IExpressionParentEntity.IsTopLevelParent => false;
 
diff --git a/csharp/extractor/Semmle.Extraction.CSharp/Entities/Expressions/Invocation.cs b/csharp/extractor/Semmle.Extraction.CSharp/Entities/Expressions/Invocation.cs
index 2585ffe327f..408556dff63 100644
--- a/csharp/extractor/Semmle.Extraction.CSharp/Entities/Expressions/Invocation.cs
+++ b/csharp/extractor/Semmle.Extraction.CSharp/Entities/Expressions/Invocation.cs
@@ -55,7 +55,7 @@ namespace Semmle.Extraction.CSharp.Entities.Expressions
                     {
                         // Implicit `this` qualifier; add explicitly
 
-                        if (Context.GetModel(Syntax).GetEnclosingSymbol(Location.symbol.SourceSpan.Start) is IMethodSymbol callingMethod)
+                        if (Context.GetModel(Syntax).GetEnclosingSymbol(Location.Symbol.SourceSpan.Start) is IMethodSymbol callingMethod)
                             This.CreateImplicit(Context, callingMethod.ContainingType, Location, this, child++);
                         else
                             Context.ModelError(Syntax, "Couldn't determine implicit this type");
diff --git a/csharp/extractor/Semmle.Extraction.CSharp/Entities/Field.cs b/csharp/extractor/Semmle.Extraction.CSharp/Entities/Field.cs
index d17b2f003aa..1c435ebd7d1 100644
--- a/csharp/extractor/Semmle.Extraction.CSharp/Entities/Field.cs
+++ b/csharp/extractor/Semmle.Extraction.CSharp/Entities/Field.cs
@@ -14,7 +14,7 @@ namespace Semmle.Extraction.CSharp.Entities
         private Field(Context cx, IFieldSymbol init)
             : base(cx, init)
         {
-            type = new Lazy<Type>(() => Entities.Type.Create(cx, symbol.Type));
+            type = new Lazy<Type>(() => Entities.Type.Create(cx, Symbol.Type));
         }
 
         public static Field Create(Context cx, IFieldSymbol field) => FieldFactory.Instance.CreateEntityFromSymbol(cx, field);
@@ -22,43 +22,43 @@ namespace Semmle.Extraction.CSharp.Entities
         // Do not populate backing fields.
         // Populate Tuple fields.
         public override bool NeedsPopulation =>
-            (base.NeedsPopulation && !symbol.IsImplicitlyDeclared) || symbol.ContainingType.IsTupleType;
+            (base.NeedsPopulation && !Symbol.IsImplicitlyDeclared) || Symbol.ContainingType.IsTupleType;
 
         public override void Populate(TextWriter trapFile)
         {
             PopulateMetadataHandle(trapFile);
             PopulateAttributes();
             ContainingType.PopulateGenerics();
-            PopulateNullability(trapFile, symbol.GetAnnotatedType());
+            PopulateNullability(trapFile, Symbol.GetAnnotatedType());
 
-            var unboundFieldKey = Field.Create(Context, symbol.OriginalDefinition);
-            trapFile.fields(this, (symbol.IsConst ? 2 : 1), symbol.Name, ContainingType, Type.TypeRef, unboundFieldKey);
+            var unboundFieldKey = Field.Create(Context, Symbol.OriginalDefinition);
+            trapFile.fields(this, (Symbol.IsConst ? 2 : 1), Symbol.Name, ContainingType, Type.TypeRef, unboundFieldKey);
 
             PopulateModifiers(trapFile);
 
-            if (symbol.IsVolatile)
+            if (Symbol.IsVolatile)
                 Modifier.HasModifier(Context, trapFile, this, "volatile");
 
-            if (symbol.IsConst)
+            if (Symbol.IsConst)
             {
                 Modifier.HasModifier(Context, trapFile, this, "const");
 
-                if (symbol.HasConstantValue)
+                if (Symbol.HasConstantValue)
                 {
-                    trapFile.constant_value(this, Expression.ValueAsString(symbol.ConstantValue));
+                    trapFile.constant_value(this, Expression.ValueAsString(Symbol.ConstantValue));
                 }
             }
 
             foreach (var l in Locations)
                 trapFile.field_location(this, l);
 
-            if (!IsSourceDeclaration || !symbol.FromSource())
+            if (!IsSourceDeclaration || !Symbol.FromSource())
                 return;
 
-            Context.BindComments(this, Location.symbol);
+            Context.BindComments(this, Location.Symbol);
 
             var child = 0;
-            foreach (var initializer in symbol.DeclaringSyntaxReferences
+            foreach (var initializer in Symbol.DeclaringSyntaxReferences
                 .Select(n => n.GetSyntax())
                 .OfType<VariableDeclaratorSyntax>()
                 .Where(n => n.Initializer != null))
@@ -69,21 +69,21 @@ namespace Semmle.Extraction.CSharp.Entities
 
                     var fieldAccess = AddInitializerAssignment(trapFile, initializer.Initializer.Value, loc, null, ref child);
 
-                    if (!symbol.IsStatic)
+                    if (!Symbol.IsStatic)
                     {
-                        This.CreateImplicit(Context, symbol.ContainingType, Location, fieldAccess, -1);
+                        This.CreateImplicit(Context, Symbol.ContainingType, Location, fieldAccess, -1);
                     }
                 });
             }
 
-            foreach (var initializer in symbol.DeclaringSyntaxReferences
+            foreach (var initializer in Symbol.DeclaringSyntaxReferences
                 .Select(n => n.GetSyntax())
                 .OfType<EnumMemberDeclarationSyntax>()
                 .Where(n => n.EqualsValue != null))
             {
                 // Mark fields that have explicit initializers.
-                var constValue = symbol.HasConstantValue
-                    ? Expression.ValueAsString(symbol.ConstantValue)
+                var constValue = Symbol.HasConstantValue
+                    ? Expression.ValueAsString(Symbol.ConstantValue)
                     : null;
 
                 var loc = Context.CreateLocation(initializer.GetLocation());
@@ -93,7 +93,7 @@ namespace Semmle.Extraction.CSharp.Entities
 
             if (IsSourceDeclaration)
             {
-                foreach (var syntax in symbol.DeclaringSyntaxReferences
+                foreach (var syntax in Symbol.DeclaringSyntaxReferences
                   .Select(d => d.GetSyntax())
                   .OfType<VariableDeclaratorSyntax>()
                   .Select(d => d.Parent)
@@ -107,7 +107,7 @@ namespace Semmle.Extraction.CSharp.Entities
         private Expression AddInitializerAssignment(TextWriter trapFile, ExpressionSyntax initializer, Extraction.Entities.Location loc,
             string constValue, ref int child)
         {
-            var type = symbol.GetAnnotatedType();
+            var type = Symbol.GetAnnotatedType();
             var simpleAssignExpr = new Expression(new ExpressionInfo(Context, type, loc, ExprKind.SIMPLE_ASSIGN, this, child++, false, constValue));
             Expression.CreateFromNode(new ExpressionNodeInfo(Context, initializer, simpleAssignExpr, 0));
             var access = new Expression(new ExpressionInfo(Context, type, Location, ExprKind.FIELD_ACCESS, simpleAssignExpr, 1, false, constValue));
@@ -124,7 +124,7 @@ namespace Semmle.Extraction.CSharp.Entities
             trapFile.Write(" ");
             trapFile.WriteSubId(ContainingType);
             trapFile.Write('.');
-            trapFile.Write(symbol.Name);
+            trapFile.Write(Symbol.Name);
             trapFile.Write(";field");
         }
 
diff --git a/csharp/extractor/Semmle.Extraction.CSharp/Entities/Indexer.cs b/csharp/extractor/Semmle.Extraction.CSharp/Entities/Indexer.cs
index 70b15a6fe16..04bc319c93e 100644
--- a/csharp/extractor/Semmle.Extraction.CSharp/Entities/Indexer.cs
+++ b/csharp/extractor/Semmle.Extraction.CSharp/Entities/Indexer.cs
@@ -10,22 +10,22 @@ namespace Semmle.Extraction.CSharp.Entities
         protected Indexer(Context cx, IPropertySymbol init)
             : base(cx, init) { }
 
-        private Indexer OriginalDefinition => IsSourceDeclaration ? this : Create(Context, symbol.OriginalDefinition);
+        private Indexer OriginalDefinition => IsSourceDeclaration ? this : Create(Context, Symbol.OriginalDefinition);
 
         public override void Populate(TextWriter trapFile)
         {
-            PopulateNullability(trapFile, symbol.GetAnnotatedType());
+            PopulateNullability(trapFile, Symbol.GetAnnotatedType());
 
-            var type = Type.Create(Context, symbol.Type);
-            trapFile.indexers(this, symbol.GetName(useMetadataName: true), ContainingType, type.TypeRef, OriginalDefinition);
+            var type = Type.Create(Context, Symbol.Type);
+            trapFile.indexers(this, Symbol.GetName(useMetadataName: true), ContainingType, type.TypeRef, OriginalDefinition);
             foreach (var l in Locations)
                 trapFile.indexer_location(this, l);
 
-            var getter = symbol.GetMethod;
-            var setter = symbol.SetMethod;
+            var getter = Symbol.GetMethod;
+            var setter = Symbol.SetMethod;
 
             if (getter is null && setter is null)
-                Context.ModelError(symbol, "No indexer accessor defined");
+                Context.ModelError(Symbol, "No indexer accessor defined");
 
             if (!(getter is null))
                 Method.Create(Context, getter);
@@ -33,10 +33,10 @@ namespace Semmle.Extraction.CSharp.Entities
             if (!(setter is null))
                 Method.Create(Context, setter);
 
-            for (var i = 0; i < symbol.Parameters.Length; ++i)
+            for (var i = 0; i < Symbol.Parameters.Length; ++i)
             {
-                var original = Parameter.Create(Context, symbol.OriginalDefinition.Parameters[i], OriginalDefinition);
-                Parameter.Create(Context, symbol.Parameters[i], this, original);
+                var original = Parameter.Create(Context, Symbol.OriginalDefinition.Parameters[i], OriginalDefinition);
+                Parameter.Create(Context, Symbol.Parameters[i], this, original);
             }
 
             if (IsSourceDeclaration)
@@ -46,7 +46,7 @@ namespace Semmle.Extraction.CSharp.Entities
                 {
                     // The expression may need to reference parameters in the getter.
                     // So we need to arrange that the expression is populated after the getter.
-                    Context.PopulateLater(() => Expression.CreateFromNode(new ExpressionNodeInfo(Context, expressionBody, this, 0).SetType(symbol.GetAnnotatedType())));
+                    Context.PopulateLater(() => Expression.CreateFromNode(new ExpressionNodeInfo(Context, expressionBody, this, 0).SetType(Symbol.GetAnnotatedType())));
                 }
             }
 
@@ -54,11 +54,11 @@ namespace Semmle.Extraction.CSharp.Entities
             BindComments();
 
             var declSyntaxReferences = IsSourceDeclaration
-                ? symbol.DeclaringSyntaxReferences.
+                ? Symbol.DeclaringSyntaxReferences.
                 Select(d => d.GetSyntax()).OfType<IndexerDeclarationSyntax>().ToArray()
                 : Enumerable.Empty<IndexerDeclarationSyntax>();
 
-            foreach (var explicitInterface in symbol.ExplicitInterfaceImplementations.Select(impl => Type.Create(Context, impl.ContainingType)))
+            foreach (var explicitInterface in Symbol.ExplicitInterfaceImplementations.Select(impl => Type.Create(Context, impl.ContainingType)))
             {
                 trapFile.explicitly_implements(this, explicitInterface.TypeRef);
 
@@ -77,9 +77,9 @@ namespace Semmle.Extraction.CSharp.Entities
         {
             trapFile.WriteSubId(ContainingType);
             trapFile.Write('.');
-            trapFile.Write(symbol.MetadataName);
+            trapFile.Write(Symbol.MetadataName);
             trapFile.Write('(');
-            trapFile.BuildList(",", symbol.Parameters, (p, tb0) => tb0.WriteSubId(Type.Create(Context, p.Type)));
+            trapFile.BuildList(",", Symbol.Parameters, (p, tb0) => tb0.WriteSubId(Type.Create(Context, p.Type)));
             trapFile.Write(");indexer");
         }
 
@@ -87,11 +87,11 @@ namespace Semmle.Extraction.CSharp.Entities
         {
             get
             {
-                return symbol.DeclaringSyntaxReferences
+                return Symbol.DeclaringSyntaxReferences
                     .Select(r => r.GetSyntax())
                     .OfType<IndexerDeclarationSyntax>()
                     .Select(s => s.GetLocation())
-                    .Concat(symbol.Locations)
+                    .Concat(Symbol.Locations)
                     .First();
             }
         }
diff --git a/csharp/extractor/Semmle.Extraction.CSharp/Entities/LocalFunction.cs b/csharp/extractor/Semmle.Extraction.CSharp/Entities/LocalFunction.cs
index b376566e841..efc50f7f85f 100644
--- a/csharp/extractor/Semmle.Extraction.CSharp/Entities/LocalFunction.cs
+++ b/csharp/extractor/Semmle.Extraction.CSharp/Entities/LocalFunction.cs
@@ -34,10 +34,10 @@ namespace Semmle.Extraction.CSharp.Entities
             PopulateMethod(trapFile);
             PopulateModifiers(trapFile);
 
-            var originalDefinition = IsSourceDeclaration ? this : Create(Context, symbol.OriginalDefinition);
-            var returnType = Type.Create(Context, symbol.ReturnType);
-            trapFile.local_functions(this, symbol.Name, returnType, originalDefinition);
-            ExtractRefReturn(trapFile, symbol, this);
+            var originalDefinition = IsSourceDeclaration ? this : Create(Context, Symbol.OriginalDefinition);
+            var returnType = Type.Create(Context, Symbol.ReturnType);
+            trapFile.local_functions(this, Symbol.Name, returnType, originalDefinition);
+            ExtractRefReturn(trapFile, Symbol, this);
         }
 
         public override TrapStackBehaviour TrapStackBehaviour => TrapStackBehaviour.NeedsLabel;
diff --git a/csharp/extractor/Semmle.Extraction.CSharp/Entities/LocalVariable.cs b/csharp/extractor/Semmle.Extraction.CSharp/Entities/LocalVariable.cs
index e988ec2c815..4f9a0c4f7f6 100644
--- a/csharp/extractor/Semmle.Extraction.CSharp/Entities/LocalVariable.cs
+++ b/csharp/extractor/Semmle.Extraction.CSharp/Entities/LocalVariable.cs
@@ -23,12 +23,12 @@ namespace Semmle.Extraction.CSharp.Entities
         public void PopulateManual(Expression parent, bool isVar)
         {
             var trapFile = Context.TrapWriter.Writer;
-            var (kind, type) = symbol is ILocalSymbol l
+            var (kind, type) = Symbol is ILocalSymbol l
                 ? (l.IsRef ? 3 : l.IsConst ? 2 : 1, l.GetAnnotatedType())
                 : (1, parent.Type);
-            trapFile.localvars(this, kind, symbol.Name, isVar ? 1 : 0, Type.Create(Context, type).TypeRef, parent);
+            trapFile.localvars(this, kind, Symbol.Name, isVar ? 1 : 0, Type.Create(Context, type).TypeRef, parent);
 
-            if (symbol is ILocalSymbol local)
+            if (Symbol is ILocalSymbol local)
             {
                 PopulateNullability(trapFile, local.GetAnnotatedType());
                 if (local.IsRef)
@@ -47,7 +47,7 @@ namespace Semmle.Extraction.CSharp.Entities
 
         private void DefineConstantValue(TextWriter trapFile)
         {
-            if (symbol is ILocalSymbol local && local.HasConstantValue)
+            if (Symbol is ILocalSymbol local && local.HasConstantValue)
             {
                 trapFile.constant_value(this, Expression.ValueAsString(local.ConstantValue));
             }
diff --git a/csharp/extractor/Semmle.Extraction.CSharp/Entities/Method.cs b/csharp/extractor/Semmle.Extraction.CSharp/Entities/Method.cs
index 00bf8f3638e..8a1572796bc 100644
--- a/csharp/extractor/Semmle.Extraction.CSharp/Entities/Method.cs
+++ b/csharp/extractor/Semmle.Extraction.CSharp/Entities/Method.cs
@@ -16,8 +16,8 @@ namespace Semmle.Extraction.CSharp.Entities
         protected void PopulateParameters()
         {
             var originalMethod = OriginalDefinition;
-            IEnumerable<IParameterSymbol> parameters = symbol.Parameters;
-            IEnumerable<IParameterSymbol> originalParameters = originalMethod.symbol.Parameters;
+            IEnumerable<IParameterSymbol> parameters = Symbol.Parameters;
+            IEnumerable<IParameterSymbol> originalParameters = originalMethod.Symbol.Parameters;
 
             if (IsReducedExtension)
             {
@@ -25,14 +25,14 @@ namespace Semmle.Extraction.CSharp.Entities
                 {
                     // Non-generic reduced extensions must be extracted exactly like the
                     // non-reduced counterparts
-                    parameters = symbol.ReducedFrom.Parameters;
+                    parameters = Symbol.ReducedFrom.Parameters;
                 }
                 else
                 {
                     // Constructed reduced extensions are special because their non-reduced
                     // counterparts are not constructed. Therefore, we need to manually add
                     // the `this` parameter based on the type of the receiver
-                    var originalThisParamSymbol = originalMethod.symbol.Parameters.First();
+                    var originalThisParamSymbol = originalMethod.Symbol.Parameters.First();
                     var originalThisParam = Parameter.Create(Context, originalThisParamSymbol, originalMethod);
                     ConstructedExtensionParameter.Create(Context, this, originalThisParam);
                     originalParameters = originalParameters.Skip(1);
@@ -47,7 +47,7 @@ namespace Semmle.Extraction.CSharp.Entities
                 Parameter.Create(Context, p.paramSymbol, this, original);
             }
 
-            if (symbol.IsVararg)
+            if (Symbol.IsVararg)
             {
                 // Mono decided that "__arglist" should be an explicit parameter,
                 // so now we need to populate it.
@@ -101,7 +101,7 @@ namespace Semmle.Extraction.CSharp.Entities
 
         public void Overrides(TextWriter trapFile)
         {
-            foreach (var explicitInterface in symbol.ExplicitInterfaceImplementations
+            foreach (var explicitInterface in Symbol.ExplicitInterfaceImplementations
                 .Where(sym => sym.MethodKind == MethodKind.Ordinary)
                 .Select(impl => Type.Create(Context, impl.ContainingType)))
             {
@@ -109,14 +109,14 @@ namespace Semmle.Extraction.CSharp.Entities
 
                 if (IsSourceDeclaration)
                 {
-                    foreach (var syntax in symbol.DeclaringSyntaxReferences.Select(d => d.GetSyntax()).OfType<MethodDeclarationSyntax>())
+                    foreach (var syntax in Symbol.DeclaringSyntaxReferences.Select(d => d.GetSyntax()).OfType<MethodDeclarationSyntax>())
                         TypeMention.Create(Context, syntax.ExplicitInterfaceSpecifier.Name, this, explicitInterface);
                 }
             }
 
-            if (symbol.OverriddenMethod != null)
+            if (Symbol.OverriddenMethod != null)
             {
-                trapFile.overrides(this, Method.Create(Context, symbol.OverriddenMethod));
+                trapFile.overrides(this, Method.Create(Context, Symbol.OverriddenMethod));
             }
         }
 
@@ -125,22 +125,22 @@ namespace Semmle.Extraction.CSharp.Entities
         /// </summary>
         private static void BuildMethodId(Method m, TextWriter trapFile)
         {
-            m.symbol.ReturnType.BuildOrWriteId(m.Context, trapFile, m.symbol);
+            m.Symbol.ReturnType.BuildOrWriteId(m.Context, trapFile, m.Symbol);
             trapFile.Write(" ");
 
             trapFile.WriteSubId(m.ContainingType);
 
-            AddExplicitInterfaceQualifierToId(m.Context, trapFile, m.symbol.ExplicitInterfaceImplementations);
+            AddExplicitInterfaceQualifierToId(m.Context, trapFile, m.Symbol.ExplicitInterfaceImplementations);
 
             trapFile.Write(".");
-            trapFile.Write(m.symbol.Name);
+            trapFile.Write(m.Symbol.Name);
 
-            if (m.symbol.IsGenericMethod)
+            if (m.Symbol.IsGenericMethod)
             {
-                if (SymbolEqualityComparer.Default.Equals(m.symbol, m.symbol.OriginalDefinition))
+                if (SymbolEqualityComparer.Default.Equals(m.Symbol, m.Symbol.OriginalDefinition))
                 {
                     trapFile.Write('`');
-                    trapFile.Write(m.symbol.TypeParameters.Length);
+                    trapFile.Write(m.Symbol.TypeParameters.Length);
                 }
                 else
                 {
@@ -149,13 +149,13 @@ namespace Semmle.Extraction.CSharp.Entities
                     // Type arguments with different nullability can result in
                     // a constructed method with different nullability of its parameters and return type,
                     // so we need to create a distinct database entity for it.
-                    trapFile.BuildList(",", m.symbol.GetAnnotatedTypeArguments(), (ta, tb0) => { ta.Symbol.BuildOrWriteId(m.Context, tb0, m.symbol); trapFile.Write((int)ta.Nullability); });
+                    trapFile.BuildList(",", m.Symbol.GetAnnotatedTypeArguments(), (ta, tb0) => { ta.Symbol.BuildOrWriteId(m.Context, tb0, m.Symbol); trapFile.Write((int)ta.Nullability); });
                     trapFile.Write('>');
                 }
             }
 
-            AddParametersToId(m.Context, trapFile, m.symbol);
-            switch (m.symbol.MethodKind)
+            AddParametersToId(m.Context, trapFile, m.Symbol);
+            switch (m.Symbol.MethodKind)
             {
                 case MethodKind.PropertyGet:
                     trapFile.Write(";getter");
@@ -224,7 +224,7 @@ namespace Semmle.Extraction.CSharp.Entities
                 trapFile.AppendList(",", explicitInterfaceImplementations.Select(impl => cx.CreateEntity(impl.ContainingType)));
         }
 
-        public virtual string Name => symbol.Name;
+        public virtual string Name => Symbol.Name;
 
         /// <summary>
         /// Creates a method of the appropriate subtype.
@@ -278,28 +278,28 @@ namespace Semmle.Extraction.CSharp.Entities
 
         public Method OriginalDefinition =>
             IsReducedExtension
-                ? Create(Context, symbol.ReducedFrom)
-                : Create(Context, symbol.OriginalDefinition);
+                ? Create(Context, Symbol.ReducedFrom)
+                : Create(Context, Symbol.OriginalDefinition);
 
         public override Microsoft.CodeAnalysis.Location FullLocation => ReportingLocation;
 
-        public override bool IsSourceDeclaration => symbol.IsSourceDeclaration();
+        public override bool IsSourceDeclaration => Symbol.IsSourceDeclaration();
 
         /// <summary>
         /// Whether this method has type parameters.
         /// </summary>
-        public bool IsGeneric => symbol.IsGenericMethod;
+        public bool IsGeneric => Symbol.IsGenericMethod;
 
         /// <summary>
         /// Whether this method has unbound type parameters.
         /// </summary>
-        public bool IsUnboundGeneric => IsGeneric && SymbolEqualityComparer.Default.Equals(symbol.ConstructedFrom, symbol);
+        public bool IsUnboundGeneric => IsGeneric && SymbolEqualityComparer.Default.Equals(Symbol.ConstructedFrom, Symbol);
 
         public bool IsBoundGeneric => IsGeneric && !IsUnboundGeneric;
 
-        private bool IsReducedExtension => symbol.MethodKind == MethodKind.ReducedExtension;
+        private bool IsReducedExtension => Symbol.MethodKind == MethodKind.ReducedExtension;
 
-        protected IMethodSymbol ConstructedFromSymbol => symbol.ConstructedFrom.ReducedFrom ?? symbol.ConstructedFrom;
+        protected IMethodSymbol ConstructedFromSymbol => Symbol.ConstructedFrom.ReducedFrom ?? Symbol.ConstructedFrom;
 
         bool IExpressionParentEntity.IsTopLevelParent => true;
 
@@ -316,19 +316,19 @@ namespace Semmle.Extraction.CSharp.Entities
                 if (isFullyConstructed)
                 {
                     trapFile.constructed_generic(this, Method.Create(Context, ConstructedFromSymbol));
-                    foreach (var tp in symbol.GetAnnotatedTypeArguments())
+                    foreach (var tp in Symbol.GetAnnotatedTypeArguments())
                     {
                         trapFile.type_arguments(Type.Create(Context, tp.Symbol), child, this);
                         child++;
                     }
 
-                    var nullability = new Nullability(symbol);
+                    var nullability = new Nullability(Symbol);
                     if (!nullability.IsOblivious)
                         trapFile.type_nullability(this, NullabilityEntity.Create(Context, nullability));
                 }
                 else
                 {
-                    foreach (var typeParam in symbol.TypeParameters.Select(tp => TypeParameter.Create(Context, tp)))
+                    foreach (var typeParam in Symbol.TypeParameters.Select(tp => TypeParameter.Create(Context, tp)))
                     {
                         trapFile.type_parameters(typeParam, child, this);
                         child++;
@@ -354,7 +354,7 @@ namespace Semmle.Extraction.CSharp.Entities
             PopulateMethodBody(trapFile);
             PopulateGenerics(trapFile);
             PopulateMetadataHandle(trapFile);
-            PopulateNullability(trapFile, symbol.GetAnnotatedReturnType());
+            PopulateNullability(trapFile, Symbol.GetAnnotatedReturnType());
         }
 
         public override TrapStackBehaviour TrapStackBehaviour => TrapStackBehaviour.PushesLabel;
diff --git a/csharp/extractor/Semmle.Extraction.CSharp/Entities/Modifier.cs b/csharp/extractor/Semmle.Extraction.CSharp/Entities/Modifier.cs
index 4b2725b89f3..b644558f799 100644
--- a/csharp/extractor/Semmle.Extraction.CSharp/Entities/Modifier.cs
+++ b/csharp/extractor/Semmle.Extraction.CSharp/Entities/Modifier.cs
@@ -12,7 +12,7 @@ namespace Semmle.Extraction.CSharp.Entities
 
         public override void WriteId(TextWriter trapFile)
         {
-            trapFile.Write(symbol);
+            trapFile.Write(Symbol);
             trapFile.Write(";modifier");
         }
 
@@ -20,7 +20,7 @@ namespace Semmle.Extraction.CSharp.Entities
 
         public override void Populate(TextWriter trapFile)
         {
-            trapFile.modifiers(Label, symbol);
+            trapFile.modifiers(Label, Symbol);
         }
 
         public static string AccessbilityModifier(Accessibility access)
diff --git a/csharp/extractor/Semmle.Extraction.CSharp/Entities/Namespace.cs b/csharp/extractor/Semmle.Extraction.CSharp/Entities/Namespace.cs
index 6ae31c82b64..31e66656eb3 100644
--- a/csharp/extractor/Semmle.Extraction.CSharp/Entities/Namespace.cs
+++ b/csharp/extractor/Semmle.Extraction.CSharp/Entities/Namespace.cs
@@ -12,11 +12,11 @@ namespace Semmle.Extraction.CSharp.Entities
 
         public override void Populate(TextWriter trapFile)
         {
-            trapFile.namespaces(this, symbol.Name);
+            trapFile.namespaces(this, Symbol.Name);
 
-            if (symbol.ContainingNamespace != null)
+            if (Symbol.ContainingNamespace != null)
             {
-                var parent = Create(Context, symbol.ContainingNamespace);
+                var parent = Create(Context, Symbol.ContainingNamespace);
                 trapFile.parent_namespace(this, parent);
             }
         }
@@ -25,11 +25,11 @@ namespace Semmle.Extraction.CSharp.Entities
 
         public override void WriteId(TextWriter trapFile)
         {
-            if (!symbol.IsGlobalNamespace)
+            if (!Symbol.IsGlobalNamespace)
             {
-                trapFile.WriteSubId(Create(Context, symbol.ContainingNamespace));
+                trapFile.WriteSubId(Create(Context, Symbol.ContainingNamespace));
                 trapFile.Write('.');
-                trapFile.Write(symbol.Name);
+                trapFile.Write(Symbol.Name);
             }
             trapFile.Write(";namespace");
         }
@@ -47,7 +47,7 @@ namespace Semmle.Extraction.CSharp.Entities
 
         public override int GetHashCode() => QualifiedName.GetHashCode();
 
-        private string QualifiedName => symbol.ToDisplayString();
+        private string QualifiedName => Symbol.ToDisplayString();
 
         public override bool Equals(object obj)
         {
diff --git a/csharp/extractor/Semmle.Extraction.CSharp/Entities/OrdinaryMethod.cs b/csharp/extractor/Semmle.Extraction.CSharp/Entities/OrdinaryMethod.cs
index d81fc25f72b..90f17d70ea4 100644
--- a/csharp/extractor/Semmle.Extraction.CSharp/Entities/OrdinaryMethod.cs
+++ b/csharp/extractor/Semmle.Extraction.CSharp/Entities/OrdinaryMethod.cs
@@ -11,20 +11,20 @@ namespace Semmle.Extraction.CSharp.Entities
         private OrdinaryMethod(Context cx, IMethodSymbol init)
             : base(cx, init) { }
 
-        public override string Name => symbol.GetName();
+        public override string Name => Symbol.GetName();
 
-        protected override IMethodSymbol BodyDeclaringSymbol => symbol.PartialImplementationPart ?? symbol;
+        protected override IMethodSymbol BodyDeclaringSymbol => Symbol.PartialImplementationPart ?? Symbol;
 
         public IMethodSymbol SourceDeclaration
         {
             get
             {
-                var reducedFrom = symbol.ReducedFrom ?? symbol;
+                var reducedFrom = Symbol.ReducedFrom ?? Symbol;
                 return reducedFrom.OriginalDefinition;
             }
         }
 
-        public override Microsoft.CodeAnalysis.Location ReportingLocation => symbol.GetSymbolLocation();
+        public override Microsoft.CodeAnalysis.Location ReportingLocation => Symbol.GetSymbolLocation();
 
         public override void Populate(TextWriter trapFile)
         {
@@ -32,12 +32,12 @@ namespace Semmle.Extraction.CSharp.Entities
             PopulateModifiers(trapFile);
             ContainingType.PopulateGenerics();
 
-            var returnType = Type.Create(Context, symbol.ReturnType);
+            var returnType = Type.Create(Context, Symbol.ReturnType);
             trapFile.methods(this, Name, ContainingType, returnType.TypeRef, OriginalDefinition);
 
             if (IsSourceDeclaration)
             {
-                foreach (var declaration in symbol.DeclaringSyntaxReferences.Select(s => s.GetSyntax()).OfType<MethodDeclarationSyntax>())
+                foreach (var declaration in Symbol.DeclaringSyntaxReferences.Select(s => s.GetSyntax()).OfType<MethodDeclarationSyntax>())
                 {
                     Context.BindComments(this, declaration.Identifier.GetLocation());
                     TypeMention.Create(Context, declaration.ReturnType, this, returnType);
@@ -49,7 +49,7 @@ namespace Semmle.Extraction.CSharp.Entities
 
             PopulateGenerics(trapFile);
             Overrides(trapFile);
-            ExtractRefReturn(trapFile, symbol, this);
+            ExtractRefReturn(trapFile, Symbol, this);
             ExtractCompilerGenerated(trapFile);
         }
 
diff --git a/csharp/extractor/Semmle.Extraction.CSharp/Entities/Parameter.cs b/csharp/extractor/Semmle.Extraction.CSharp/Entities/Parameter.cs
index bb87fccdd74..b1b7a5444fe 100644
--- a/csharp/extractor/Semmle.Extraction.CSharp/Entities/Parameter.cs
+++ b/csharp/extractor/Semmle.Extraction.CSharp/Entities/Parameter.cs
@@ -19,7 +19,7 @@ namespace Semmle.Extraction.CSharp.Entities
             Original = original ?? this;
         }
 
-        public override Microsoft.CodeAnalysis.Location ReportingLocation => symbol.GetSymbolLocation();
+        public override Microsoft.CodeAnalysis.Location ReportingLocation => Symbol.GetSymbolLocation();
 
         public enum Kind
         {
@@ -35,9 +35,9 @@ namespace Semmle.Extraction.CSharp.Entities
                 // actually numbered from 1.
                 // This is to be consistent from the original (unreduced) extension method.
                 var isReducedExtension =
-                    symbol.ContainingSymbol is IMethodSymbol method &&
+                    Symbol.ContainingSymbol is IMethodSymbol method &&
                     method.MethodKind == MethodKind.ReducedExtension;
-                return symbol.Ordinal + (isReducedExtension ? 1 : 0);
+                return Symbol.Ordinal + (isReducedExtension ? 1 : 0);
             }
         }
 
@@ -45,7 +45,7 @@ namespace Semmle.Extraction.CSharp.Entities
         {
             get
             {
-                switch (symbol.RefKind)
+                switch (Symbol.RefKind)
                 {
                     case RefKind.Out:
                         return Kind.Out;
@@ -54,12 +54,12 @@ namespace Semmle.Extraction.CSharp.Entities
                     case RefKind.In:
                         return Kind.In;
                     default:
-                        if (symbol.IsParams)
+                        if (Symbol.IsParams)
                             return Kind.Params;
 
                         if (Ordinal == 0)
                         {
-                            if (symbol.ContainingSymbol is IMethodSymbol method && method.IsExtensionMethod)
+                            if (Symbol.ContainingSymbol is IMethodSymbol method && method.IsExtensionMethod)
                                 return Kind.This;
                         }
                         return Kind.None;
@@ -76,7 +76,7 @@ namespace Semmle.Extraction.CSharp.Entities
         public override void WriteId(TextWriter trapFile)
         {
             if (Parent == null)
-                Parent = Method.Create(Context, symbol.ContainingSymbol as IMethodSymbol);
+                Parent = Method.Create(Context, Symbol.ContainingSymbol as IMethodSymbol);
             trapFile.WriteSubId(Parent);
             trapFile.Write('_');
             trapFile.Write(Ordinal);
@@ -92,42 +92,42 @@ namespace Semmle.Extraction.CSharp.Entities
                 // Very rarely, two parameters have the same name according to the data model.
                 // This breaks our database constraints.
                 // Generate an impossible name to ensure that it doesn't conflict.
-                var conflictingCount = symbol.ContainingSymbol.GetParameters().Count(p => p.Ordinal < symbol.Ordinal && p.Name == symbol.Name);
-                return conflictingCount > 0 ? symbol.Name + "`" + conflictingCount : symbol.Name;
+                var conflictingCount = Symbol.ContainingSymbol.GetParameters().Count(p => p.Ordinal < Symbol.Ordinal && p.Name == Symbol.Name);
+                return conflictingCount > 0 ? Symbol.Name + "`" + conflictingCount : Symbol.Name;
             }
         }
 
         public override void Populate(TextWriter trapFile)
         {
             PopulateAttributes();
-            PopulateNullability(trapFile, symbol.GetAnnotatedType());
-            PopulateRefKind(trapFile, symbol.RefKind);
+            PopulateNullability(trapFile, Symbol.GetAnnotatedType());
+            PopulateRefKind(trapFile, Symbol.RefKind);
 
-            if (symbol.Name != Original.symbol.Name)
-                Context.ModelError(symbol, "Inconsistent parameter declaration");
+            if (Symbol.Name != Original.Symbol.Name)
+                Context.ModelError(Symbol, "Inconsistent parameter declaration");
 
-            var type = Type.Create(Context, symbol.Type);
+            var type = Type.Create(Context, Symbol.Type);
             trapFile.@params(this, Name, type.TypeRef, Ordinal, ParamKind, Parent, Original);
 
-            foreach (var l in symbol.Locations)
+            foreach (var l in Symbol.Locations)
                 trapFile.param_location(this, Context.CreateLocation(l));
 
-            if (!symbol.Locations.Any() &&
-                symbol.ContainingSymbol is IMethodSymbol ms &&
+            if (!Symbol.Locations.Any() &&
+                Symbol.ContainingSymbol is IMethodSymbol ms &&
                 ms.Name == WellKnownMemberNames.TopLevelStatementsEntryPointMethodName &&
                 ms.ContainingType.Name == WellKnownMemberNames.TopLevelStatementsEntryPointTypeName)
             {
                 trapFile.param_location(this, Context.CreateLocation());
             }
 
-            if (!IsSourceDeclaration || !symbol.FromSource())
+            if (!IsSourceDeclaration || !Symbol.FromSource())
                 return;
 
             BindComments();
 
             if (IsSourceDeclaration)
             {
-                foreach (var syntax in symbol.DeclaringSyntaxReferences
+                foreach (var syntax in Symbol.DeclaringSyntaxReferences
                     .Select(d => d.GetSyntax())
                     .OfType<ParameterSyntax>()
                     .Where(s => s.Type != null))
@@ -136,21 +136,21 @@ namespace Semmle.Extraction.CSharp.Entities
                 }
             }
 
-            if (symbol.HasExplicitDefaultValue && Context.Defines(symbol))
+            if (Symbol.HasExplicitDefaultValue && Context.Defines(Symbol))
             {
                 // This is a slight bug in the dbscheme
                 // We should really define param_default(param, string)
                 // And use parameter child #0 to encode the default expression.
-                var defaultValue = GetParameterDefaultValue(symbol);
+                var defaultValue = GetParameterDefaultValue(Symbol);
                 if (defaultValue == null)
                 {
                     // In case this parameter belongs to an accessor of an indexer, we need
                     // to get the default value from the corresponding parameter belonging
                     // to the indexer itself
-                    var method = (IMethodSymbol)symbol.ContainingSymbol;
+                    var method = (IMethodSymbol)Symbol.ContainingSymbol;
                     if (method != null)
                     {
-                        var i = method.Parameters.IndexOf(symbol);
+                        var i = method.Parameters.IndexOf(Symbol);
                         var indexer = (IPropertySymbol)method.AssociatedSymbol;
                         if (indexer != null)
                             defaultValue = GetParameterDefaultValue(indexer.Parameters[i]);
@@ -167,7 +167,7 @@ namespace Semmle.Extraction.CSharp.Entities
             }
         }
 
-        public override bool IsSourceDeclaration => symbol.IsSourceDeclaration();
+        public override bool IsSourceDeclaration => Symbol.IsSourceDeclaration();
 
         bool IExpressionParentEntity.IsTopLevelParent => true;
 
@@ -239,7 +239,7 @@ namespace Semmle.Extraction.CSharp.Entities
             trapFile.param_location(this, GeneratedLocation.Create(Context));
         }
 
-        protected override int Ordinal => ((Method)Parent).OriginalDefinition.symbol.Parameters.Length;
+        protected override int Ordinal => ((Method)Parent).OriginalDefinition.Symbol.Parameters.Length;
 
         public override int GetHashCode()
         {
@@ -266,20 +266,20 @@ namespace Semmle.Extraction.CSharp.Entities
         private readonly ITypeSymbol constructedType;
 
         private ConstructedExtensionParameter(Context cx, Method method, Parameter original)
-            : base(cx, original.symbol, method, original)
+            : base(cx, original.Symbol, method, original)
         {
-            constructedType = method.symbol.ReceiverType;
+            constructedType = method.Symbol.ReceiverType;
         }
 
         public override void Populate(TextWriter trapFile)
         {
             var typeKey = Type.Create(Context, constructedType);
-            trapFile.@params(this, Original.symbol.Name, typeKey.TypeRef, 0, Kind.This, Parent, Original);
+            trapFile.@params(this, Original.Symbol.Name, typeKey.TypeRef, 0, Kind.This, Parent, Original);
             trapFile.param_location(this, Original.Location);
         }
 
         public static ConstructedExtensionParameter Create(Context cx, Method method, Parameter parameter) =>
-            ExtensionParamFactory.Instance.CreateEntity(cx, (new SymbolEqualityWrapper(parameter.symbol), new SymbolEqualityWrapper(method.symbol.ReceiverType)), (method, parameter));
+            ExtensionParamFactory.Instance.CreateEntity(cx, (new SymbolEqualityWrapper(parameter.Symbol), new SymbolEqualityWrapper(method.Symbol.ReceiverType)), (method, parameter));
 
         private class ExtensionParamFactory : ICachedEntityFactory<(Method, Parameter), ConstructedExtensionParameter>
         {
diff --git a/csharp/extractor/Semmle.Extraction.CSharp/Entities/Property.cs b/csharp/extractor/Semmle.Extraction.CSharp/Entities/Property.cs
index b91b7582b51..085047d0812 100644
--- a/csharp/extractor/Semmle.Extraction.CSharp/Entities/Property.cs
+++ b/csharp/extractor/Semmle.Extraction.CSharp/Entities/Property.cs
@@ -14,7 +14,7 @@ namespace Semmle.Extraction.CSharp.Entities
         protected Property(Context cx, IPropertySymbol init)
             : base(cx, init)
         {
-            type = new Lazy<Type>(() => Type.Create(base.Context, symbol.Type));
+            type = new Lazy<Type>(() => Type.Create(base.Context, Symbol.Type));
         }
 
         private readonly Lazy<Type> type;
@@ -27,8 +27,8 @@ namespace Semmle.Extraction.CSharp.Entities
             trapFile.Write(" ");
             trapFile.WriteSubId(ContainingType);
             trapFile.Write('.');
-            Method.AddExplicitInterfaceQualifierToId(Context, trapFile, symbol.ExplicitInterfaceImplementations);
-            trapFile.Write(symbol.Name);
+            Method.AddExplicitInterfaceQualifierToId(Context, trapFile, Symbol.ExplicitInterfaceImplementations);
+            trapFile.Write(Symbol.Name);
             trapFile.Write(";property");
         }
 
@@ -38,14 +38,14 @@ namespace Semmle.Extraction.CSharp.Entities
             PopulateAttributes();
             PopulateModifiers(trapFile);
             BindComments();
-            PopulateNullability(trapFile, symbol.GetAnnotatedType());
-            PopulateRefKind(trapFile, symbol.RefKind);
+            PopulateNullability(trapFile, Symbol.GetAnnotatedType());
+            PopulateRefKind(trapFile, Symbol.RefKind);
 
             var type = Type;
-            trapFile.properties(this, symbol.GetName(), ContainingType, type.TypeRef, Create(Context, symbol.OriginalDefinition));
+            trapFile.properties(this, Symbol.GetName(), ContainingType, type.TypeRef, Create(Context, Symbol.OriginalDefinition));
 
-            var getter = symbol.GetMethod;
-            var setter = symbol.SetMethod;
+            var getter = Symbol.GetMethod;
+            var setter = Symbol.SetMethod;
 
             if (!(getter is null))
                 Method.Create(Context, getter);
@@ -54,11 +54,11 @@ namespace Semmle.Extraction.CSharp.Entities
                 Method.Create(Context, setter);
 
             var declSyntaxReferences = IsSourceDeclaration ?
-                symbol.DeclaringSyntaxReferences.
+                Symbol.DeclaringSyntaxReferences.
                 Select(d => d.GetSyntax()).OfType<PropertyDeclarationSyntax>().ToArray()
                 : Enumerable.Empty<PropertyDeclarationSyntax>();
 
-            foreach (var explicitInterface in symbol.ExplicitInterfaceImplementations.Select(impl => Type.Create(Context, impl.ContainingType)))
+            foreach (var explicitInterface in Symbol.ExplicitInterfaceImplementations.Select(impl => Type.Create(Context, impl.ContainingType)))
             {
                 trapFile.explicitly_implements(this, explicitInterface.TypeRef);
 
@@ -69,7 +69,7 @@ namespace Semmle.Extraction.CSharp.Entities
             foreach (var l in Locations)
                 trapFile.property_location(this, l);
 
-            if (IsSourceDeclaration && symbol.FromSource())
+            if (IsSourceDeclaration && Symbol.FromSource())
             {
                 var expressionBody = ExpressionBody;
                 if (expressionBody != null)
@@ -85,14 +85,14 @@ namespace Semmle.Extraction.CSharp.Entities
                     Context.PopulateLater(() =>
                     {
                         var loc = Context.CreateLocation(initializer.GetLocation());
-                        var annotatedType = AnnotatedTypeSymbol.CreateNotAnnotated(symbol.Type);
+                        var annotatedType = AnnotatedTypeSymbol.CreateNotAnnotated(Symbol.Type);
                         var simpleAssignExpr = new Expression(new ExpressionInfo(Context, annotatedType, loc, ExprKind.SIMPLE_ASSIGN, this, child++, false, null));
                         Expression.CreateFromNode(new ExpressionNodeInfo(Context, initializer.Value, simpleAssignExpr, 0));
                         var access = new Expression(new ExpressionInfo(Context, annotatedType, Location, ExprKind.PROPERTY_ACCESS, simpleAssignExpr, 1, false, null));
                         trapFile.expr_access(access, this);
-                        if (!symbol.IsStatic)
+                        if (!Symbol.IsStatic)
                         {
-                            This.CreateImplicit(Context, symbol.ContainingType, Location, access, -1);
+                            This.CreateImplicit(Context, Symbol.ContainingType, Location, access, -1);
                         }
                     });
                 }
@@ -106,11 +106,11 @@ namespace Semmle.Extraction.CSharp.Entities
         {
             get
             {
-                return symbol.DeclaringSyntaxReferences
+                return Symbol.DeclaringSyntaxReferences
                     .Select(r => r.GetSyntax())
                     .OfType<PropertyDeclarationSyntax>()
                     .Select(s => s.GetLocation())
-                    .Concat(symbol.Locations)
+                    .Concat(Symbol.Locations)
                     .First();
             }
         }
diff --git a/csharp/extractor/Semmle.Extraction.CSharp/Entities/Statement`1.cs b/csharp/extractor/Semmle.Extraction.CSharp/Entities/Statement`1.cs
index 8ea6650d4f7..21dd32e17cf 100644
--- a/csharp/extractor/Semmle.Extraction.CSharp/Entities/Statement`1.cs
+++ b/csharp/extractor/Semmle.Extraction.CSharp/Entities/Statement`1.cs
@@ -15,7 +15,7 @@ namespace Semmle.Extraction.CSharp.Entities
         {
             Stmt = stmt;
             this.location = location;
-            cx.BindComments(this, location.symbol);
+            cx.BindComments(this, location.Symbol);
         }
 
         protected Statement(Context cx, TSyntax stmt, Kinds.StmtKind kind, IStatementParentEntity parent, int child)
diff --git a/csharp/extractor/Semmle.Extraction.CSharp/Entities/Statements/GlobalStatementsBlock.cs b/csharp/extractor/Semmle.Extraction.CSharp/Entities/Statements/GlobalStatementsBlock.cs
index 062a09e3fae..011437fac9b 100644
--- a/csharp/extractor/Semmle.Extraction.CSharp/Entities/Statements/GlobalStatementsBlock.cs
+++ b/csharp/extractor/Semmle.Extraction.CSharp/Entities/Statements/GlobalStatementsBlock.cs
@@ -19,7 +19,7 @@ namespace Semmle.Extraction.CSharp.Entities.Statements
         {
             get
             {
-                return parent.symbol
+                return parent.Symbol
                     ?.DeclaringSyntaxReferences
                     .FirstOrDefault()
                     ?.GetSyntax()
@@ -36,7 +36,7 @@ namespace Semmle.Extraction.CSharp.Entities.Statements
 
         protected override void PopulateStatement(TextWriter trapFile)
         {
-            trapFile.stmt_location(this, cx.CreateLocation(ReportingLocation));
+            trapFile.stmt_location(this, Context.CreateLocation(ReportingLocation));
         }
     }
 }
diff --git a/csharp/extractor/Semmle.Extraction.CSharp/Entities/Symbol.cs b/csharp/extractor/Semmle.Extraction.CSharp/Entities/Symbol.cs
index f7a493af78e..2ac5c6e90e5 100644
--- a/csharp/extractor/Semmle.Extraction.CSharp/Entities/Symbol.cs
+++ b/csharp/extractor/Semmle.Extraction.CSharp/Entities/Symbol.cs
@@ -14,18 +14,18 @@ namespace Semmle.Extraction.CSharp.Entities
         protected CachedSymbol(Context cx, T init)
             : base(cx, init) { }
 
-        public virtual Type ContainingType => symbol.ContainingType != null ? Type.Create(Context, symbol.ContainingType) : null;
+        public virtual Type ContainingType => Symbol.ContainingType != null ? Type.Create(Context, Symbol.ContainingType) : null;
 
         public void PopulateModifiers(TextWriter trapFile)
         {
-            Modifier.ExtractModifiers(Context, trapFile, this, symbol);
+            Modifier.ExtractModifiers(Context, trapFile, this, Symbol);
         }
 
         protected void PopulateAttributes()
         {
             // Only extract attributes for source declarations
-            if (ReferenceEquals(symbol, symbol.OriginalDefinition))
-                Attribute.ExtractAttributes(Context, symbol, this);
+            if (ReferenceEquals(Symbol, Symbol.OriginalDefinition))
+                Attribute.ExtractAttributes(Context, Symbol, this);
         }
 
         protected void PopulateNullability(TextWriter trapFile, AnnotatedTypeSymbol type)
@@ -55,7 +55,7 @@ namespace Semmle.Extraction.CSharp.Entities
 
         protected void ExtractCompilerGenerated(TextWriter trapFile)
         {
-            if (symbol.IsImplicitlyDeclared)
+            if (Symbol.IsImplicitlyDeclared)
                 trapFile.compiler_generated(this);
         }
 
@@ -63,12 +63,12 @@ namespace Semmle.Extraction.CSharp.Entities
         /// The location which is stored in the database and is used when highlighing source code.
         /// It's generally short, e.g. a method name.
         /// </summary>
-        public override Microsoft.CodeAnalysis.Location ReportingLocation => symbol.Locations.FirstOrDefault();
+        public override Microsoft.CodeAnalysis.Location ReportingLocation => Symbol.Locations.FirstOrDefault();
 
         /// <summary>
         /// The full text span of the entity, e.g. for binding comments.
         /// </summary>
-        public virtual Microsoft.CodeAnalysis.Location FullLocation => symbol.Locations.FirstOrDefault();
+        public virtual Microsoft.CodeAnalysis.Location FullLocation => Symbol.Locations.FirstOrDefault();
 
         public virtual IEnumerable<Extraction.Entities.Location> Locations
         {
@@ -91,11 +91,11 @@ namespace Semmle.Extraction.CSharp.Entities
         /// </summary>
         protected void BindComments()
         {
-            if (!symbol.IsImplicitlyDeclared && IsSourceDeclaration && symbol.FromSource())
+            if (!Symbol.IsImplicitlyDeclared && IsSourceDeclaration && Symbol.FromSource())
                 Context.BindComments(this, FullLocation);
         }
 
-        protected virtual T BodyDeclaringSymbol => symbol;
+        protected virtual T BodyDeclaringSymbol => Symbol;
 
         public BlockSyntax Block
         {
@@ -120,9 +120,9 @@ namespace Semmle.Extraction.CSharp.Entities
             }
         }
 
-        public virtual bool IsSourceDeclaration => symbol.IsSourceDeclaration();
+        public virtual bool IsSourceDeclaration => Symbol.IsSourceDeclaration();
 
-        public override bool NeedsPopulation => Context.Defines(symbol);
+        public override bool NeedsPopulation => Context.Defines(Symbol);
 
         public Extraction.Entities.Location Location => Context.CreateLocation(ReportingLocation);
 
@@ -143,15 +143,15 @@ namespace Semmle.Extraction.CSharp.Entities
         {
             get
             {
-                var handleProp = GetPropertyInfo(symbol, "Handle");
-                object handleObj = symbol;
+                var handleProp = GetPropertyInfo(Symbol, "Handle");
+                object handleObj = Symbol;
 
                 if (handleProp is null)
                 {
-                    var underlyingSymbolProp = GetPropertyInfo(symbol, "UnderlyingSymbol");
+                    var underlyingSymbolProp = GetPropertyInfo(Symbol, "UnderlyingSymbol");
                     if (underlyingSymbolProp is object)
                     {
-                        if (underlyingSymbolProp.GetValue(symbol) is object underlying)
+                        if (underlyingSymbolProp.GetValue(Symbol) is object underlying)
                         {
                             handleProp = GetPropertyInfo(underlying, "Handle");
                             handleObj = underlying;
diff --git a/csharp/extractor/Semmle.Extraction.CSharp/Entities/TypeMention.cs b/csharp/extractor/Semmle.Extraction.CSharp/Entities/TypeMention.cs
index 57f309cad8b..e2fd72eae56 100644
--- a/csharp/extractor/Semmle.Extraction.CSharp/Entities/TypeMention.cs
+++ b/csharp/extractor/Semmle.Extraction.CSharp/Entities/TypeMention.cs
@@ -48,8 +48,8 @@ namespace Semmle.Extraction.CSharp.Entities
             {
                 case ArrayType at:
                     return GetArrayElementType(at.ElementType);
-                case NamedType nt when nt.symbol.IsBoundSpan() ||
-                                       nt.symbol.IsBoundReadOnlySpan():
+                case NamedType nt when nt.Symbol.IsBoundSpan() ||
+                                       nt.Symbol.IsBoundReadOnlySpan():
                     return nt.TypeArguments.Single();
                 case PointerType pt:
                     return GetArrayElementType(pt.PointedAtType);
@@ -71,7 +71,7 @@ namespace Semmle.Extraction.CSharp.Entities
                     var nts = (NullableTypeSyntax)syntax;
                     if (type is NamedType nt)
                     {
-                        if (!nt.symbol.IsReferenceType)
+                        if (!nt.Symbol.IsReferenceType)
                         {
                             Emit(trapFile, loc ?? syntax.GetLocation(), parent, type);
                             Create(Context, nts.ElementType, this, nt.TypeArguments[0]);
diff --git a/csharp/extractor/Semmle.Extraction.CSharp/Entities/Types/ArrayType.cs b/csharp/extractor/Semmle.Extraction.CSharp/Entities/Types/ArrayType.cs
index 4ec1db558e5..62a10396b4b 100644
--- a/csharp/extractor/Semmle.Extraction.CSharp/Entities/Types/ArrayType.cs
+++ b/csharp/extractor/Semmle.Extraction.CSharp/Entities/Types/ArrayType.cs
@@ -9,12 +9,12 @@ namespace Semmle.Extraction.CSharp.Entities
         private ArrayType(Context cx, IArrayTypeSymbol init)
             : base(cx, init)
         {
-            elementLazy = new Lazy<Type>(() => Create(cx, symbol.ElementType));
+            elementLazy = new Lazy<Type>(() => Create(cx, Symbol.ElementType));
         }
 
         private readonly Lazy<Type> elementLazy;
 
-        public int Rank => symbol.Rank;
+        public int Rank => Symbol.Rank;
 
         public Type ElementType => elementLazy.Value;
 
@@ -33,7 +33,7 @@ namespace Semmle.Extraction.CSharp.Entities
         public override void WriteId(TextWriter trapFile)
         {
             trapFile.WriteSubId(ElementType);
-            symbol.BuildArraySuffix(trapFile);
+            Symbol.BuildArraySuffix(trapFile);
             trapFile.Write(";type");
         }
 
diff --git a/csharp/extractor/Semmle.Extraction.CSharp/Entities/Types/FunctionPointerType.cs b/csharp/extractor/Semmle.Extraction.CSharp/Entities/Types/FunctionPointerType.cs
index 1bf68a4c3c2..903de837a73 100644
--- a/csharp/extractor/Semmle.Extraction.CSharp/Entities/Types/FunctionPointerType.cs
+++ b/csharp/extractor/Semmle.Extraction.CSharp/Entities/Types/FunctionPointerType.cs
@@ -13,7 +13,7 @@ namespace Semmle.Extraction.CSharp.Entities
 
         public override void WriteId(TextWriter trapFile)
         {
-            symbol.BuildTypeId(Context, trapFile, symbol);
+            Symbol.BuildTypeId(Context, trapFile, Symbol);
             trapFile.Write(";functionpointertype");
         }
 
@@ -21,8 +21,8 @@ namespace Semmle.Extraction.CSharp.Entities
 
         public override void Populate(TextWriter trapFile)
         {
-            trapFile.function_pointer_calling_conventions(this, (int)symbol.Signature.CallingConvention);
-            foreach (var (conv, i) in symbol.Signature.UnmanagedCallingConventionTypes.Select((nt, i) => (Create(Context, nt), i)))
+            trapFile.function_pointer_calling_conventions(this, (int)Symbol.Signature.CallingConvention);
+            foreach (var (conv, i) in Symbol.Signature.UnmanagedCallingConventionTypes.Select((nt, i) => (Create(Context, nt), i)))
             {
                 trapFile.has_unmanaged_calling_conventions(this, i, conv.TypeRef);
             }
diff --git a/csharp/extractor/Semmle.Extraction.CSharp/Entities/Types/NamedType.cs b/csharp/extractor/Semmle.Extraction.CSharp/Entities/Types/NamedType.cs
index 0d95d776592..4c250e22692 100644
--- a/csharp/extractor/Semmle.Extraction.CSharp/Entities/Types/NamedType.cs
+++ b/csharp/extractor/Semmle.Extraction.CSharp/Entities/Types/NamedType.cs
@@ -14,7 +14,7 @@ namespace Semmle.Extraction.CSharp.Entities
         private NamedType(Context cx, INamedTypeSymbol init, bool constructUnderlyingTupleType)
             : base(cx, init)
         {
-            typeArgumentsLazy = new Lazy<Type[]>(() => symbol.TypeArguments.Select(t => Create(cx, t)).ToArray());
+            typeArgumentsLazy = new Lazy<Type[]>(() => Symbol.TypeArguments.Select(t => Create(cx, t)).ToArray());
             this.constructUnderlyingTupleType = constructUnderlyingTupleType;
         }
 
@@ -30,32 +30,32 @@ namespace Semmle.Extraction.CSharp.Entities
         public static NamedType CreateNamedTypeFromTupleType(Context cx, INamedTypeSymbol type) =>
             UnderlyingTupleTypeFactory.Instance.CreateEntity(cx, (new SymbolEqualityWrapper(type), typeof(TupleType)), type);
 
-        public override bool NeedsPopulation => base.NeedsPopulation || symbol.TypeKind == TypeKind.Error;
+        public override bool NeedsPopulation => base.NeedsPopulation || Symbol.TypeKind == TypeKind.Error;
 
         public override void Populate(TextWriter trapFile)
         {
-            if (symbol.TypeKind == TypeKind.Error)
+            if (Symbol.TypeKind == TypeKind.Error)
             {
-                Context.Extractor.MissingType(symbol.ToString(), Context.FromSource);
+                Context.Extractor.MissingType(Symbol.ToString(), Context.FromSource);
                 return;
             }
 
             if (UsesTypeRef)
                 trapFile.typeref_type((NamedTypeRef)TypeRef, this);
 
-            if (symbol.IsGenericType)
+            if (Symbol.IsGenericType)
             {
-                if (symbol.IsBoundNullable())
+                if (Symbol.IsBoundNullable())
                 {
                     // An instance of Nullable<T>
-                    trapFile.nullable_underlying_type(this, Create(Context, symbol.TypeArguments[0]).TypeRef);
+                    trapFile.nullable_underlying_type(this, Create(Context, Symbol.TypeArguments[0]).TypeRef);
                 }
-                else if (symbol.IsReallyUnbound())
+                else if (Symbol.IsReallyUnbound())
                 {
-                    for (var i = 0; i < symbol.TypeParameters.Length; ++i)
+                    for (var i = 0; i < Symbol.TypeParameters.Length; ++i)
                     {
-                        TypeParameter.Create(Context, symbol.TypeParameters[i]);
-                        var param = symbol.TypeParameters[i];
+                        TypeParameter.Create(Context, Symbol.TypeParameters[i]);
+                        var param = Symbol.TypeParameters[i];
                         var typeParameter = TypeParameter.Create(Context, param);
                         trapFile.type_parameters(typeParameter, i, this);
                     }
@@ -63,11 +63,11 @@ namespace Semmle.Extraction.CSharp.Entities
                 else
                 {
                     var unbound = constructUnderlyingTupleType
-                        ? CreateNamedTypeFromTupleType(Context, symbol.ConstructedFrom)
-                        : Type.Create(Context, symbol.ConstructedFrom);
+                        ? CreateNamedTypeFromTupleType(Context, Symbol.ConstructedFrom)
+                        : Type.Create(Context, Symbol.ConstructedFrom);
                     trapFile.constructed_generic(this, unbound.TypeRef);
 
-                    for (var i = 0; i < symbol.TypeArguments.Length; ++i)
+                    for (var i = 0; i < Symbol.TypeArguments.Length; ++i)
                     {
                         trapFile.type_arguments(TypeArguments[i].TypeRef, i, this);
                     }
@@ -76,19 +76,19 @@ namespace Semmle.Extraction.CSharp.Entities
 
             PopulateType(trapFile, constructUnderlyingTupleType);
 
-            if (symbol.EnumUnderlyingType != null)
+            if (Symbol.EnumUnderlyingType != null)
             {
-                trapFile.enum_underlying_type(this, Type.Create(Context, symbol.EnumUnderlyingType).TypeRef);
+                trapFile.enum_underlying_type(this, Type.Create(Context, Symbol.EnumUnderlyingType).TypeRef);
             }
 
             // Class location
-            if (!symbol.IsGenericType || symbol.IsReallyUnbound())
+            if (!Symbol.IsGenericType || Symbol.IsReallyUnbound())
             {
                 foreach (var l in Locations)
                     trapFile.type_location(this, l);
             }
 
-            if (symbol.IsAnonymousType)
+            if (Symbol.IsAnonymousType)
             {
                 trapFile.anonymous_types(this);
             }
@@ -105,10 +105,10 @@ namespace Semmle.Extraction.CSharp.Entities
         {
             get
             {
-                foreach (var l in GetLocations(symbol))
+                foreach (var l in GetLocations(Symbol))
                     yield return Context.CreateLocation(l);
 
-                if (Context.Extractor.OutputPath != null && symbol.DeclaringSyntaxReferences.Any())
+                if (Context.Extractor.OutputPath != null && Symbol.DeclaringSyntaxReferences.Any())
                     yield return Assembly.CreateOutputAssembly(Context);
             }
         }
@@ -124,9 +124,9 @@ namespace Semmle.Extraction.CSharp.Entities
                 );
         }
 
-        public override Microsoft.CodeAnalysis.Location ReportingLocation => GetLocations(symbol).FirstOrDefault();
+        public override Microsoft.CodeAnalysis.Location ReportingLocation => GetLocations(Symbol).FirstOrDefault();
 
-        private bool IsAnonymousType() => symbol.IsAnonymousType || symbol.Name.Contains("__AnonymousType");
+        private bool IsAnonymousType() => Symbol.IsAnonymousType || Symbol.Name.Contains("__AnonymousType");
 
         public override void WriteId(TextWriter trapFile)
         {
@@ -136,7 +136,7 @@ namespace Semmle.Extraction.CSharp.Entities
             }
             else
             {
-                symbol.BuildTypeId(Context, trapFile, symbol, constructUnderlyingTupleType);
+                Symbol.BuildTypeId(Context, trapFile, Symbol, constructUnderlyingTupleType);
                 trapFile.Write(";type");
             }
         }
@@ -167,9 +167,9 @@ namespace Semmle.Extraction.CSharp.Entities
         // Create typerefs for constructed error types in case they are fully defined elsewhere.
         // We cannot use `!this.NeedsPopulation` because this would not be stable as it would depend on
         // the assembly that was being extracted at the time.
-        private bool UsesTypeRef => symbol.TypeKind == TypeKind.Error || SymbolEqualityComparer.Default.Equals(symbol.OriginalDefinition, symbol);
+        private bool UsesTypeRef => Symbol.TypeKind == TypeKind.Error || SymbolEqualityComparer.Default.Equals(Symbol.OriginalDefinition, Symbol);
 
-        public override Type TypeRef => UsesTypeRef ? (Type)NamedTypeRef.Create(Context, symbol) : this;
+        public override Type TypeRef => UsesTypeRef ? (Type)NamedTypeRef.Create(Context, Symbol) : this;
     }
 
     internal class NamedTypeRef : Type<INamedTypeSymbol>
@@ -203,7 +203,7 @@ namespace Semmle.Extraction.CSharp.Entities
 
         public override void Populate(TextWriter trapFile)
         {
-            trapFile.typerefs(this, symbol.Name);
+            trapFile.typerefs(this, Symbol.Name);
         }
     }
 }
diff --git a/csharp/extractor/Semmle.Extraction.CSharp/Entities/Types/Nullability.cs b/csharp/extractor/Semmle.Extraction.CSharp/Entities/Types/Nullability.cs
index 106efdd0cde..a0d9e2a1f8c 100644
--- a/csharp/extractor/Semmle.Extraction.CSharp/Entities/Types/Nullability.cs
+++ b/csharp/extractor/Semmle.Extraction.CSharp/Entities/Types/Nullability.cs
@@ -110,10 +110,10 @@ namespace Semmle.Extraction.CSharp.Entities
 
         public override void Populate(TextWriter trapFile)
         {
-            trapFile.nullability(this, symbol.Annotation);
+            trapFile.nullability(this, Symbol.Annotation);
 
             var i = 0;
-            foreach (var s in symbol.NullableParameters)
+            foreach (var s in Symbol.NullableParameters)
             {
                 trapFile.nullability_parent(Create(Context, s), i, this);
                 i++;
@@ -122,7 +122,7 @@ namespace Semmle.Extraction.CSharp.Entities
 
         public override void WriteId(TextWriter trapFile)
         {
-            symbol.WriteId(trapFile);
+            Symbol.WriteId(trapFile);
         }
 
         public static NullabilityEntity Create(Context cx, Nullability init) => NullabilityFactory.Instance.CreateEntity(cx, init, init);
diff --git a/csharp/extractor/Semmle.Extraction.CSharp/Entities/Types/PointerType.cs b/csharp/extractor/Semmle.Extraction.CSharp/Entities/Types/PointerType.cs
index e2fbb8677cc..dd9b749f53e 100644
--- a/csharp/extractor/Semmle.Extraction.CSharp/Entities/Types/PointerType.cs
+++ b/csharp/extractor/Semmle.Extraction.CSharp/Entities/Types/PointerType.cs
@@ -8,7 +8,7 @@ namespace Semmle.Extraction.CSharp.Entities
         private PointerType(Context cx, IPointerTypeSymbol init)
             : base(cx, init)
         {
-            PointedAtType = Create(cx, symbol.PointedAtType);
+            PointedAtType = Create(cx, Symbol.PointedAtType);
         }
 
         public override void WriteId(TextWriter trapFile)
diff --git a/csharp/extractor/Semmle.Extraction.CSharp/Entities/Types/TupleType.cs b/csharp/extractor/Semmle.Extraction.CSharp/Entities/Types/TupleType.cs
index 6f6ff85cf77..18321f84d32 100644
--- a/csharp/extractor/Semmle.Extraction.CSharp/Entities/Types/TupleType.cs
+++ b/csharp/extractor/Semmle.Extraction.CSharp/Entities/Types/TupleType.cs
@@ -24,7 +24,7 @@ namespace Semmle.Extraction.CSharp.Entities
 
         private TupleType(Context cx, INamedTypeSymbol init) : base(cx, init)
         {
-            tupleElementsLazy = new Lazy<Field[]>(() => symbol.TupleElements.Select(t => Field.Create(cx, t)).ToArray());
+            tupleElementsLazy = new Lazy<Field[]>(() => Symbol.TupleElements.Select(t => Field.Create(cx, t)).ToArray());
         }
 
         // All tuple types are "local types"
@@ -32,7 +32,7 @@ namespace Semmle.Extraction.CSharp.Entities
 
         public override void WriteId(TextWriter trapFile)
         {
-            symbol.BuildTypeId(Context, trapFile, symbol);
+            Symbol.BuildTypeId(Context, trapFile, Symbol);
             trapFile.Write(";tuple");
         }
 
@@ -41,7 +41,7 @@ namespace Semmle.Extraction.CSharp.Entities
             PopulateType(trapFile);
             PopulateGenerics();
 
-            var underlyingType = NamedType.CreateNamedTypeFromTupleType(Context, symbol.TupleUnderlyingType ?? symbol);
+            var underlyingType = NamedType.CreateNamedTypeFromTupleType(Context, Symbol.TupleUnderlyingType ?? Symbol);
 
             trapFile.tuple_underlying_type(this, underlyingType);
 
@@ -52,7 +52,7 @@ namespace Semmle.Extraction.CSharp.Entities
             // Note: symbol.Locations seems to be very inconsistent
             // about what locations are available for a tuple type.
             // Sometimes it's the source code, and sometimes it's empty.
-            foreach (var l in symbol.Locations)
+            foreach (var l in Symbol.Locations)
                 trapFile.type_location(this, Context.CreateLocation(l));
         }
 
diff --git a/csharp/extractor/Semmle.Extraction.CSharp/Entities/Types/Type.cs b/csharp/extractor/Semmle.Extraction.CSharp/Entities/Types/Type.cs
index 34fc6f5ccba..3931c6ef1d8 100644
--- a/csharp/extractor/Semmle.Extraction.CSharp/Entities/Types/Type.cs
+++ b/csharp/extractor/Semmle.Extraction.CSharp/Entities/Types/Type.cs
@@ -15,7 +15,7 @@ namespace Semmle.Extraction.CSharp.Entities
 
 
         public override bool NeedsPopulation =>
-            base.NeedsPopulation || symbol.TypeKind == TypeKind.Dynamic || symbol.TypeKind == TypeKind.TypeParameter;
+            base.NeedsPopulation || Symbol.TypeKind == TypeKind.Dynamic || Symbol.TypeKind == TypeKind.TypeParameter;
 
         public static bool ConstructedOrParentIsConstructed(INamedTypeSymbol symbol)
         {
@@ -75,24 +75,24 @@ namespace Semmle.Extraction.CSharp.Entities
             trapFile.Write("types(");
             trapFile.WriteColumn(this);
             trapFile.Write(',');
-            trapFile.WriteColumn((int)GetClassType(Context, symbol, constructUnderlyingTupleType));
+            trapFile.WriteColumn((int)GetClassType(Context, Symbol, constructUnderlyingTupleType));
             trapFile.Write(",\"");
-            symbol.BuildDisplayName(Context, trapFile, constructUnderlyingTupleType);
+            Symbol.BuildDisplayName(Context, trapFile, constructUnderlyingTupleType);
             trapFile.WriteLine("\")");
 
             // Visit base types
             var baseTypes = new List<Type>();
-            if (symbol.GetNonObjectBaseType(Context) is INamedTypeSymbol @base)
+            if (Symbol.GetNonObjectBaseType(Context) is INamedTypeSymbol @base)
             {
                 var baseKey = Create(Context, @base);
                 trapFile.extend(this, baseKey.TypeRef);
-                if (symbol.TypeKind != TypeKind.Struct)
+                if (Symbol.TypeKind != TypeKind.Struct)
                     baseTypes.Add(baseKey);
             }
 
-            if (!(base.symbol is IArrayTypeSymbol))
+            if (!(base.Symbol is IArrayTypeSymbol))
             {
-                foreach (var t in base.symbol.Interfaces.Select(i => Create(Context, i)))
+                foreach (var t in base.Symbol.Interfaces.Select(i => Create(Context, i)))
                 {
                     trapFile.implement(this, t.TypeRef);
                     baseTypes.Add(t);
@@ -100,17 +100,17 @@ namespace Semmle.Extraction.CSharp.Entities
             }
 
             var containingType = ContainingType;
-            if (containingType != null && symbol.Kind != SymbolKind.TypeParameter)
+            if (containingType != null && Symbol.Kind != SymbolKind.TypeParameter)
             {
-                var originalDefinition = symbol.TypeKind == TypeKind.Error ? this : Create(Context, symbol.OriginalDefinition);
+                var originalDefinition = Symbol.TypeKind == TypeKind.Error ? this : Create(Context, Symbol.OriginalDefinition);
                 trapFile.nested_types(this, containingType, originalDefinition);
             }
-            else if (symbol.ContainingNamespace != null)
+            else if (Symbol.ContainingNamespace != null)
             {
-                trapFile.parent_namespace(this, Namespace.Create(Context, symbol.ContainingNamespace));
+                trapFile.parent_namespace(this, Namespace.Create(Context, Symbol.ContainingNamespace));
             }
 
-            if (symbol is IArrayTypeSymbol array)
+            if (Symbol is IArrayTypeSymbol array)
             {
                 // They are in the namespace of the original object
                 var elementType = array.ElementType;
@@ -119,7 +119,7 @@ namespace Semmle.Extraction.CSharp.Entities
                     trapFile.parent_namespace(this, Namespace.Create(Context, ns));
             }
 
-            if (symbol is IPointerTypeSymbol pointer)
+            if (Symbol is IPointerTypeSymbol pointer)
             {
                 var elementType = pointer.PointedAtType;
                 var ns = elementType.TypeKind == TypeKind.TypeParameter ? Context.Compilation.GlobalNamespace : elementType.ContainingNamespace;
@@ -128,26 +128,26 @@ namespace Semmle.Extraction.CSharp.Entities
                     trapFile.parent_namespace(this, Namespace.Create(Context, ns));
             }
 
-            if (symbol.BaseType != null && symbol.BaseType.SpecialType == SpecialType.System_MulticastDelegate)
+            if (Symbol.BaseType != null && Symbol.BaseType.SpecialType == SpecialType.System_MulticastDelegate)
             {
                 // This is a delegate.
                 // The method "Invoke" has the return type.
-                var invokeMethod = ((INamedTypeSymbol)symbol).DelegateInvokeMethod;
+                var invokeMethod = ((INamedTypeSymbol)Symbol).DelegateInvokeMethod;
                 ExtractParametersForDelegateLikeType(trapFile, invokeMethod,
                     t => trapFile.delegate_return_type(this, t));
             }
 
-            if (symbol is IFunctionPointerTypeSymbol functionPointer)
+            if (Symbol is IFunctionPointerTypeSymbol functionPointer)
             {
                 ExtractParametersForDelegateLikeType(trapFile, functionPointer.Signature,
                     t => trapFile.function_pointer_return_type(this, t));
             }
 
-            Modifier.ExtractModifiers(Context, trapFile, this, symbol);
+            Modifier.ExtractModifiers(Context, trapFile, this, Symbol);
 
-            if (IsSourceDeclaration && symbol.FromSource())
+            if (IsSourceDeclaration && Symbol.FromSource())
             {
-                var declSyntaxReferences = symbol.DeclaringSyntaxReferences.Select(d => d.GetSyntax()).ToArray();
+                var declSyntaxReferences = Symbol.DeclaringSyntaxReferences.Select(d => d.GetSyntax()).ToArray();
 
                 var baseLists = declSyntaxReferences.OfType<ClassDeclarationSyntax>().Select(c => c.BaseList);
                 baseLists = baseLists.Concat(declSyntaxReferences.OfType<InterfaceDeclarationSyntax>().Select(c => c.BaseList));
@@ -157,7 +157,7 @@ namespace Semmle.Extraction.CSharp.Entities
                     .Where(bl => bl != null)
                     .SelectMany(bl => bl.Types)
                     .Zip(
-                        baseTypes.Where(bt => bt.symbol.SpecialType != SpecialType.System_Object),
+                        baseTypes.Where(bt => bt.Symbol.SpecialType != SpecialType.System_Object),
                         (s, t) => TypeMention.Create(Context, s.Type, this, t))
                     .Enumerate();
             }
@@ -171,7 +171,7 @@ namespace Semmle.Extraction.CSharp.Entities
                 var originalParam = invokeMethod.OriginalDefinition.Parameters[i];
                 var originalParamEntity = SymbolEqualityComparer.Default.Equals(param, originalParam)
                     ? null
-                    : DelegateTypeParameter.Create(Context, originalParam, Create(Context, ((INamedTypeSymbol)symbol).OriginalDefinition));
+                    : DelegateTypeParameter.Create(Context, originalParam, Create(Context, ((INamedTypeSymbol)Symbol).OriginalDefinition));
                 DelegateTypeParameter.Create(Context, param, this, originalParamEntity);
             }
 
@@ -187,12 +187,12 @@ namespace Semmle.Extraction.CSharp.Entities
         /// </summary>
         public void ExtractRecursive()
         {
-            foreach (var l in symbol.DeclaringSyntaxReferences.Select(s => s.GetSyntax().GetLocation()))
+            foreach (var l in Symbol.DeclaringSyntaxReferences.Select(s => s.GetSyntax().GetLocation()))
             {
                 Context.BindComments(this, l);
             }
 
-            foreach (var member in symbol.GetMembers())
+            foreach (var member in Symbol.GetMembers())
             {
                 switch (member.Kind)
                 {
@@ -211,21 +211,21 @@ namespace Semmle.Extraction.CSharp.Entities
         /// </summary>
         public void PopulateGenerics()
         {
-            if (symbol == null || !NeedsPopulation || !Context.ExtractGenerics(this))
+            if (Symbol == null || !NeedsPopulation || !Context.ExtractGenerics(this))
                 return;
 
             var members = new List<ISymbol>();
 
-            foreach (var member in symbol.GetMembers())
+            foreach (var member in Symbol.GetMembers())
                 members.Add(member);
-            foreach (var member in symbol.GetTypeMembers())
+            foreach (var member in Symbol.GetTypeMembers())
                 members.Add(member);
 
             // Mono extractor puts all BASE interface members as members of the current interface.
 
-            if (symbol.TypeKind == TypeKind.Interface)
+            if (Symbol.TypeKind == TypeKind.Interface)
             {
-                foreach (var baseInterface in symbol.Interfaces)
+                foreach (var baseInterface in Symbol.Interfaces)
                 {
                     foreach (var member in baseInterface.GetMembers())
                         members.Add(member);
@@ -239,10 +239,10 @@ namespace Semmle.Extraction.CSharp.Entities
                 Context.CreateEntity(member);
             }
 
-            if (symbol.BaseType != null)
-                Create(Context, symbol.BaseType).PopulateGenerics();
+            if (Symbol.BaseType != null)
+                Create(Context, Symbol.BaseType).PopulateGenerics();
 
-            foreach (var i in symbol.Interfaces)
+            foreach (var i in Symbol.Interfaces)
             {
                 Create(Context, i).PopulateGenerics();
             }
@@ -250,7 +250,7 @@ namespace Semmle.Extraction.CSharp.Entities
 
         public void ExtractRecursive(TextWriter trapFile, IEntity parent)
         {
-            if (symbol.ContainingSymbol.Kind == SymbolKind.Namespace && !symbol.ContainingNamespace.IsGlobalNamespace)
+            if (Symbol.ContainingSymbol.Kind == SymbolKind.Namespace && !Symbol.ContainingNamespace.IsGlobalNamespace)
             {
                 trapFile.parent_namespace_declaration(this, (NamespaceDeclaration)parent);
             }
@@ -315,10 +315,10 @@ namespace Semmle.Extraction.CSharp.Entities
         public override bool Equals(object obj)
         {
             var other = obj as Type;
-            return other?.GetType() == GetType() && SymbolEqualityComparer.Default.Equals(other.symbol, symbol);
+            return other?.GetType() == GetType() && SymbolEqualityComparer.Default.Equals(other.Symbol, Symbol);
         }
 
-        public override int GetHashCode() => SymbolEqualityComparer.Default.GetHashCode(symbol);
+        public override int GetHashCode() => SymbolEqualityComparer.Default.GetHashCode(Symbol);
     }
 
     internal abstract class Type<T> : Type where T : ITypeSymbol
@@ -327,6 +327,6 @@ namespace Semmle.Extraction.CSharp.Entities
             : base(cx, init) { }
 
         // todo: change this with .net 5 to be an override
-        public new T symbol => (T)base.symbol;
+        public new T Symbol => (T)base.Symbol;
     }
 }
diff --git a/csharp/extractor/Semmle.Extraction.CSharp/Entities/Types/TypeParameter.cs b/csharp/extractor/Semmle.Extraction.CSharp/Entities/Types/TypeParameter.cs
index e92a3891704..fc8ac7e39d8 100644
--- a/csharp/extractor/Semmle.Extraction.CSharp/Entities/Types/TypeParameter.cs
+++ b/csharp/extractor/Semmle.Extraction.CSharp/Entities/Types/TypeParameter.cs
@@ -24,22 +24,22 @@ namespace Semmle.Extraction.CSharp.Entities
             var constraints = new TypeParameterConstraints(Context);
             trapFile.type_parameter_constraints(constraints, this);
 
-            if (symbol.HasReferenceTypeConstraint)
+            if (Symbol.HasReferenceTypeConstraint)
                 trapFile.general_type_parameter_constraints(constraints, 1);
 
-            if (symbol.HasValueTypeConstraint)
+            if (Symbol.HasValueTypeConstraint)
                 trapFile.general_type_parameter_constraints(constraints, 2);
 
-            if (symbol.HasConstructorConstraint)
+            if (Symbol.HasConstructorConstraint)
                 trapFile.general_type_parameter_constraints(constraints, 3);
 
-            if (symbol.HasUnmanagedTypeConstraint)
+            if (Symbol.HasUnmanagedTypeConstraint)
                 trapFile.general_type_parameter_constraints(constraints, 4);
 
-            if (symbol.ReferenceTypeConstraintNullableAnnotation == NullableAnnotation.Annotated)
+            if (Symbol.ReferenceTypeConstraintNullableAnnotation == NullableAnnotation.Annotated)
                 trapFile.general_type_parameter_constraints(constraints, 5);
 
-            foreach (var abase in symbol.GetAnnotatedTypeConstraints())
+            foreach (var abase in Symbol.GetAnnotatedTypeConstraints())
             {
                 var t = Create(Context, abase.Symbol);
                 trapFile.specific_type_parameter_constraints(constraints, t.TypeRef);
@@ -47,19 +47,19 @@ namespace Semmle.Extraction.CSharp.Entities
                     trapFile.specific_type_parameter_nullability(constraints, t.TypeRef, NullabilityEntity.Create(Context, Nullability.Create(abase)));
             }
 
-            trapFile.types(this, Kinds.TypeKind.TYPE_PARAMETER, symbol.Name);
+            trapFile.types(this, Kinds.TypeKind.TYPE_PARAMETER, Symbol.Name);
 
-            var parentNs = Namespace.Create(Context, symbol.TypeParameterKind == TypeParameterKind.Method ? Context.Compilation.GlobalNamespace : symbol.ContainingNamespace);
+            var parentNs = Namespace.Create(Context, Symbol.TypeParameterKind == TypeParameterKind.Method ? Context.Compilation.GlobalNamespace : Symbol.ContainingNamespace);
             trapFile.parent_namespace(this, parentNs);
 
-            foreach (var l in symbol.Locations)
+            foreach (var l in Symbol.Locations)
             {
                 trapFile.type_location(this, Context.CreateLocation(l));
             }
 
             if (IsSourceDeclaration)
             {
-                var declSyntaxReferences = symbol.DeclaringSyntaxReferences
+                var declSyntaxReferences = Symbol.DeclaringSyntaxReferences
                     .Select(d => d.GetSyntax())
                     .Select(s => s.Parent)
                     .Where(p => p != null)
@@ -69,7 +69,7 @@ namespace Semmle.Extraction.CSharp.Entities
                 clauses = clauses.Concat(declSyntaxReferences.OfType<ClassDeclarationSyntax>().SelectMany(c => c.ConstraintClauses));
                 clauses = clauses.Concat(declSyntaxReferences.OfType<InterfaceDeclarationSyntax>().SelectMany(c => c.ConstraintClauses));
                 clauses = clauses.Concat(declSyntaxReferences.OfType<StructDeclarationSyntax>().SelectMany(c => c.ConstraintClauses));
-                foreach (var clause in clauses.Where(c => c.Name.Identifier.Text == symbol.Name))
+                foreach (var clause in clauses.Where(c => c.Name.Identifier.Text == Symbol.Name))
                 {
                     TypeMention.Create(Context, clause.Name, this, this);
                     foreach (var constraint in clause.Constraints.OfType<TypeConstraintSyntax>())
@@ -92,13 +92,13 @@ namespace Semmle.Extraction.CSharp.Entities
         {
             get
             {
-                switch (symbol.Variance)
+                switch (Symbol.Variance)
                 {
                     case VarianceKind.None: return Variance.None;
                     case VarianceKind.Out: return Variance.Out;
                     case VarianceKind.In: return Variance.In;
                     default:
-                        throw new InternalError($"Unexpected VarianceKind {symbol.Variance}");
+                        throw new InternalError($"Unexpected VarianceKind {Symbol.Variance}");
                 }
             }
         }
@@ -107,22 +107,22 @@ namespace Semmle.Extraction.CSharp.Entities
         {
             string kind;
             IEntity containingEntity;
-            switch (symbol.TypeParameterKind)
+            switch (Symbol.TypeParameterKind)
             {
                 case TypeParameterKind.Method:
                     kind = "methodtypeparameter";
-                    containingEntity = Method.Create(Context, (IMethodSymbol)symbol.ContainingSymbol);
+                    containingEntity = Method.Create(Context, (IMethodSymbol)Symbol.ContainingSymbol);
                     break;
                 case TypeParameterKind.Type:
                     kind = "typeparameter";
-                    containingEntity = Create(Context, symbol.ContainingType);
+                    containingEntity = Create(Context, Symbol.ContainingType);
                     break;
                 default:
-                    throw new InternalError(symbol, $"Unhandled type parameter kind {symbol.TypeParameterKind}");
+                    throw new InternalError(Symbol, $"Unhandled type parameter kind {Symbol.TypeParameterKind}");
             }
             trapFile.WriteSubId(containingEntity);
             trapFile.Write('_');
-            trapFile.Write(symbol.Ordinal);
+            trapFile.Write(Symbol.Ordinal);
             trapFile.Write(';');
             trapFile.Write(kind);
         }
diff --git a/csharp/extractor/Semmle.Extraction.CSharp/Entities/UserOperator.cs b/csharp/extractor/Semmle.Extraction.CSharp/Entities/UserOperator.cs
index d4c6fa457c1..2643363773b 100644
--- a/csharp/extractor/Semmle.Extraction.CSharp/Entities/UserOperator.cs
+++ b/csharp/extractor/Semmle.Extraction.CSharp/Entities/UserOperator.cs
@@ -15,10 +15,10 @@ namespace Semmle.Extraction.CSharp.Entities
             PopulateMethod(trapFile);
             PopulateModifiers(trapFile);
 
-            var returnType = Type.Create(Context, symbol.ReturnType);
+            var returnType = Type.Create(Context, Symbol.ReturnType);
             trapFile.operators(this,
-                symbol.Name,
-                OperatorSymbol(Context, symbol.Name),
+                Symbol.Name,
+                OperatorSymbol(Context, Symbol.Name),
                 ContainingType,
                 returnType.TypeRef,
                 (UserOperator)OriginalDefinition);
@@ -28,7 +28,7 @@ namespace Semmle.Extraction.CSharp.Entities
 
             if (IsSourceDeclaration)
             {
-                var declSyntaxReferences = symbol.DeclaringSyntaxReferences.Select(s => s.GetSyntax()).ToArray();
+                var declSyntaxReferences = Symbol.DeclaringSyntaxReferences.Select(s => s.GetSyntax()).ToArray();
                 foreach (var declaration in declSyntaxReferences.OfType<OperatorDeclarationSyntax>())
                     TypeMention.Create(Context, declaration.ReturnType, this, returnType);
                 foreach (var declaration in declSyntaxReferences.OfType<ConversionOperatorDeclarationSyntax>())
@@ -38,7 +38,7 @@ namespace Semmle.Extraction.CSharp.Entities
             ContainingType.PopulateGenerics();
         }
 
-        public override bool NeedsPopulation => Context.Defines(symbol) || IsImplicitOperator(out _);
+        public override bool NeedsPopulation => Context.Defines(Symbol) || IsImplicitOperator(out _);
 
         public override Type ContainingType
         {
@@ -57,22 +57,22 @@ namespace Semmle.Extraction.CSharp.Entities
         /// <returns></returns>
         private bool IsImplicitOperator(out ITypeSymbol containingType)
         {
-            containingType = symbol.ContainingType;
+            containingType = Symbol.ContainingType;
             if (containingType != null)
             {
                 var containingNamedType = containingType as INamedTypeSymbol;
                 return containingNamedType == null ||
-                    !containingNamedType.GetMembers(symbol.Name).Contains(symbol);
+                    !containingNamedType.GetMembers(Symbol.Name).Contains(Symbol);
             }
 
-            var pointerType = symbol.Parameters.Select(p => p.Type).OfType<IPointerTypeSymbol>().FirstOrDefault();
+            var pointerType = Symbol.Parameters.Select(p => p.Type).OfType<IPointerTypeSymbol>().FirstOrDefault();
             if (pointerType != null)
             {
                 containingType = pointerType;
                 return true;
             }
 
-            Context.ModelError(symbol, "Unexpected implicit operator");
+            Context.ModelError(Symbol, "Unexpected implicit operator");
             return true;
         }
 
diff --git a/csharp/extractor/Semmle.Extraction/Entities/Assembly.cs b/csharp/extractor/Semmle.Extraction/Entities/Assembly.cs
index e8b1e2cb46b..42fe1f2b30b 100644
--- a/csharp/extractor/Semmle.Extraction/Entities/Assembly.cs
+++ b/csharp/extractor/Semmle.Extraction/Entities/Assembly.cs
@@ -38,12 +38,12 @@ namespace Semmle.Extraction.Entities
         public override bool NeedsPopulation => true;
 
         public override int GetHashCode() =>
-            symbol == null ? 91187354 : symbol.GetHashCode();
+            Symbol == null ? 91187354 : Symbol.GetHashCode();
 
         public override bool Equals(object? obj)
         {
             if (obj is Assembly other && other.GetType() == typeof(Assembly))
-                return Equals(symbol, other.symbol);
+                return Equals(Symbol, other.Symbol);
 
             return false;
         }
diff --git a/csharp/extractor/Semmle.Extraction/Entities/Base/CachedEntity`1.cs b/csharp/extractor/Semmle.Extraction/Entities/Base/CachedEntity`1.cs
index a5b5798d28b..6e676ab90e1 100644
--- a/csharp/extractor/Semmle.Extraction/Entities/Base/CachedEntity`1.cs
+++ b/csharp/extractor/Semmle.Extraction/Entities/Base/CachedEntity`1.cs
@@ -30,9 +30,11 @@ namespace Semmle.Extraction
     /// <typeparam name="TSymbol">The type of the symbol.</typeparam>
     public abstract class CachedEntity<TSymbol> : CachedEntity
     {
+        public TSymbol Symbol { get; }
+
         protected CachedEntity(Context context, TSymbol symbol) : base(context)
         {
-            this.symbol = symbol;
+            this.Symbol = symbol;
         }
 
         /// <summary>
@@ -48,23 +50,14 @@ namespace Semmle.Extraction
             }
         }
 
-        public TSymbol symbol
-        {
-            get;
-        }
-
-        //object? ICachedEntity.UnderlyingObject => symbol;
-
-        public TSymbol UnderlyingObject => symbol;
-
         public override bool NeedsPopulation { get; }
 
-        public override int GetHashCode() => symbol is null ? 0 : symbol.GetHashCode();
+        public override int GetHashCode() => Symbol is null ? 0 : Symbol.GetHashCode();
 
         public override bool Equals(object? obj)
         {
             var other = obj as CachedEntity<TSymbol>;
-            return other?.GetType() == GetType() && Equals(other.symbol, symbol);
+            return other?.GetType() == GetType() && Equals(other.Symbol, Symbol);
         }
 
         public override TrapStackBehaviour TrapStackBehaviour { get; }
diff --git a/csharp/extractor/Semmle.Extraction/Entities/Folder.cs b/csharp/extractor/Semmle.Extraction/Entities/Folder.cs
index 917d15419e8..c84a6247d69 100644
--- a/csharp/extractor/Semmle.Extraction/Entities/Folder.cs
+++ b/csharp/extractor/Semmle.Extraction/Entities/Folder.cs
@@ -8,8 +8,8 @@ namespace Semmle.Extraction.Entities
 
         public override void Populate(TextWriter trapFile)
         {
-            trapFile.folders(this, symbol.Value, symbol.NameWithoutExtension);
-            if (symbol.ParentDirectory is PathTransformer.ITransformedPath parent)
+            trapFile.folders(this, Symbol.Value, Symbol.NameWithoutExtension);
+            if (Symbol.ParentDirectory is PathTransformer.ITransformedPath parent)
                 trapFile.containerparent(Create(Context, parent), this);
         }
 
@@ -17,7 +17,7 @@ namespace Semmle.Extraction.Entities
 
         public override void WriteId(System.IO.TextWriter trapFile)
         {
-            trapFile.Write(symbol.DatabaseId);
+            trapFile.Write(Symbol.DatabaseId);
             trapFile.Write(";folder");
         }
 
@@ -35,11 +35,11 @@ namespace Semmle.Extraction.Entities
 
         public override TrapStackBehaviour TrapStackBehaviour => TrapStackBehaviour.NoLabel;
 
-        public override int GetHashCode() => symbol.GetHashCode();
+        public override int GetHashCode() => Symbol.GetHashCode();
 
         public override bool Equals(object? obj)
         {
-            return obj is Folder folder && Equals(folder.symbol, symbol);
+            return obj is Folder folder && Equals(folder.Symbol, Symbol);
         }
     }
 }
diff --git a/csharp/extractor/Semmle.Extraction/Entities/Location.cs b/csharp/extractor/Semmle.Extraction/Entities/Location.cs
index cdd3c9a50dc..b2bfff06374 100644
--- a/csharp/extractor/Semmle.Extraction/Entities/Location.cs
+++ b/csharp/extractor/Semmle.Extraction/Entities/Location.cs
@@ -8,7 +8,7 @@ namespace Semmle.Extraction.Entities
         protected Location(Context cx, Microsoft.CodeAnalysis.Location? init)
             : base(cx, init) { }
 
-        public override Microsoft.CodeAnalysis.Location? ReportingLocation => symbol;
+        public override Microsoft.CodeAnalysis.Location? ReportingLocation => Symbol;
 
         public override TrapStackBehaviour TrapStackBehaviour => TrapStackBehaviour.OptionalLabel;
     }
diff --git a/csharp/extractor/Semmle.Extraction/Entities/SourceLocation.cs b/csharp/extractor/Semmle.Extraction/Entities/SourceLocation.cs
index 6b9d495db19..4e1726d6d07 100644
--- a/csharp/extractor/Semmle.Extraction/Entities/SourceLocation.cs
+++ b/csharp/extractor/Semmle.Extraction/Entities/SourceLocation.cs
@@ -30,7 +30,7 @@ namespace Semmle.Extraction.Entities
                 Position.Span.Start.Line + 1, Position.Span.Start.Character + 1,
                 Position.Span.End.Line + 1, Position.Span.End.Character);
 
-            var mapped = symbol!.GetMappedLineSpan();
+            var mapped = Symbol!.GetMappedLineSpan();
             if (mapped.HasMappedPath && mapped.IsValid)
             {
                 var mappedLoc = Create(Context, Microsoft.CodeAnalysis.Location.Create(mapped.Path, default, mapped.Span));
diff --git a/csharp/extractor/Semmle.Extraction/Message.cs b/csharp/extractor/Semmle.Extraction/Message.cs
index a100a69a285..c68efa66ce0 100644
--- a/csharp/extractor/Semmle.Extraction/Message.cs
+++ b/csharp/extractor/Semmle.Extraction/Message.cs
@@ -44,8 +44,8 @@ namespace Semmle.Extraction
             sb.Append(Text);
             if (!string.IsNullOrEmpty(EntityText))
                 sb.Append(" in ").Append(EntityText);
-            if (!(Location is null) && !(Location.UnderlyingObject is null))
-                sb.Append(" at ").Append(Location.UnderlyingObject.GetLineSpan());
+            if (!(Location is null) && !(Location.Symbol is null))
+                sb.Append(" at ").Append(Location.Symbol.GetLineSpan());
             if (!string.IsNullOrEmpty(StackTrace))
                 sb.Append(" ").Append(StackTrace);
             return sb.ToString();

From a75b952333272eb8e133e12fe99edb6bd437c286 Mon Sep 17 00:00:00 2001
From: Tamas Vajk <tamasvajk@github.com>
Date: Mon, 15 Feb 2021 09:58:31 +0100
Subject: [PATCH 388/429] Fix Type.GetQualifiedName()

---
 .../Semmle.Extraction.CIL/Entities/Method.cs         |  3 ++-
 .../Semmle.Extraction.CIL/Entities/Namespace.cs      |  3 ++-
 .../extractor/Semmle.Extraction.CIL/Entities/Type.cs |  7 ++-----
 .../Semmle.Extraction.CIL/Entities/TypeContainer.cs  | 12 ++++++++++--
 4 files changed, 16 insertions(+), 9 deletions(-)

diff --git a/csharp/extractor/Semmle.Extraction.CIL/Entities/Method.cs b/csharp/extractor/Semmle.Extraction.CIL/Entities/Method.cs
index e2887963edf..d1302837c16 100644
--- a/csharp/extractor/Semmle.Extraction.CIL/Entities/Method.cs
+++ b/csharp/extractor/Semmle.Extraction.CIL/Entities/Method.cs
@@ -62,9 +62,10 @@ namespace Semmle.Extraction.CIL.Entities
                 param.WriteId(trapFile, this);
             }
             trapFile.Write(')');
-            trapFile.Write(";cil-method");
         }
 
+        public override string IdSuffix => ";cil-method";
+
         protected IEnumerable<IExtractionProduct> PopulateFlags
         {
             get
diff --git a/csharp/extractor/Semmle.Extraction.CIL/Entities/Namespace.cs b/csharp/extractor/Semmle.Extraction.CIL/Entities/Namespace.cs
index 5f909b7b336..5d498c5ac54 100644
--- a/csharp/extractor/Semmle.Extraction.CIL/Entities/Namespace.cs
+++ b/csharp/extractor/Semmle.Extraction.CIL/Entities/Namespace.cs
@@ -22,9 +22,10 @@ namespace Semmle.Extraction.CIL.Entities
                 trapFile.Write('.');
             }
             trapFile.Write(Name);
-            trapFile.Write(";namespace");
         }
 
+        public override string IdSuffix => ";namespacee";
+
         public override bool Equals(object? obj)
         {
             if (obj is Namespace ns && Name == ns.Name)
diff --git a/csharp/extractor/Semmle.Extraction.CIL/Entities/Type.cs b/csharp/extractor/Semmle.Extraction.CIL/Entities/Type.cs
index 9f78c5066e0..ad5a6ababaa 100644
--- a/csharp/extractor/Semmle.Extraction.CIL/Entities/Type.cs
+++ b/csharp/extractor/Semmle.Extraction.CIL/Entities/Type.cs
@@ -45,12 +45,9 @@ namespace Semmle.Extraction.CIL.Entities
         /// </param>
         public abstract void WriteId(TextWriter trapFile, bool inContext);
 
-        public sealed override void WriteId(TextWriter trapFile)
-        {
-            WriteId(trapFile, false);
-            trapFile.Write(";cil-type");
-        }
+        public sealed override void WriteId(TextWriter trapFile) => WriteId(trapFile, false);
 
+        public override string IdSuffix => ";cil-type";
 
         /// <summary>
         /// Returns the friendly qualified name of types, such as
diff --git a/csharp/extractor/Semmle.Extraction.CIL/Entities/TypeContainer.cs b/csharp/extractor/Semmle.Extraction.CIL/Entities/TypeContainer.cs
index d8058593277..106b6fe83be 100644
--- a/csharp/extractor/Semmle.Extraction.CIL/Entities/TypeContainer.cs
+++ b/csharp/extractor/Semmle.Extraction.CIL/Entities/TypeContainer.cs
@@ -1,5 +1,3 @@
-using System;
-using Microsoft.CodeAnalysis;
 using System.Collections.Generic;
 using System.IO;
 
@@ -14,6 +12,16 @@ namespace Semmle.Extraction.CIL.Entities
         {
         }
 
+        public abstract string IdSuffix { get; }
+
+        public override void WriteQuotedId(TextWriter trapFile)
+        {
+            trapFile.Write("@\"");
+            WriteId(trapFile);
+            trapFile.Write(IdSuffix);
+            trapFile.Write('\"');
+        }
+
         public abstract IEnumerable<Type> MethodParameters { get; }
         public abstract IEnumerable<Type> TypeParameters { get; }
     }

From 04f15ad43a10ca303ce5eb7a353e72d108f8bb58 Mon Sep 17 00:00:00 2001
From: Geoffrey White <40627776+geoffw0@users.noreply.github.com>
Date: Tue, 16 Feb 2021 09:49:09 +0000
Subject: [PATCH 389/429] C++: BSL support in StdPairConstructor.

---
 cpp/ql/src/semmle/code/cpp/models/implementations/StdPair.qll | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)

diff --git a/cpp/ql/src/semmle/code/cpp/models/implementations/StdPair.qll b/cpp/ql/src/semmle/code/cpp/models/implementations/StdPair.qll
index 9076220cc22..755f6a48520 100644
--- a/cpp/ql/src/semmle/code/cpp/models/implementations/StdPair.qll
+++ b/cpp/ql/src/semmle/code/cpp/models/implementations/StdPair.qll
@@ -44,7 +44,7 @@ class StdPairCopyishConstructor extends Constructor, TaintFunction {
  * Additional model for `std::pair` constructors.
  */
 private class StdPairConstructor extends Constructor, TaintFunction {
-  StdPairConstructor() { this.hasQualifiedName("std", "pair", "pair") }
+  StdPairConstructor() { this.getDeclaringType() instanceof StdPair }
 
   /**
    * Gets the index of a parameter to this function that is a reference to

From 3a1888166030838644aa9e1d0b1c4c47d9f7aca3 Mon Sep 17 00:00:00 2001
From: Rasmus Wriedt Larsen <rasmuswl@github.com>
Date: Mon, 15 Feb 2021 00:00:48 +0100
Subject: [PATCH 390/429] Python: Restructure query file location

Since I can never remember the CWE numbers
---
 .../ExternalAPIs}/ExternalAPISinkExample.py                     | 0
 .../ExternalAPIs}/ExternalAPITaintStepExample.py                | 0
 .../CWE-020-ExternalAPIs => POI/ExternalAPIs}/ExternalAPIs.qll  | 0
 .../ExternalAPIs}/ExternalAPIsUsedWithUntrustedData.qhelp       | 0
 .../ExternalAPIs}/ExternalAPIsUsedWithUntrustedData.ql          | 0
 .../ExternalAPIs}/UntrustedDataToExternalAPI.qhelp              | 0
 .../ExternalAPIs}/UntrustedDataToExternalAPI.ql                 | 0
 .../BindToAllInterfaces}/BindToAllInterfaces.py                 | 0
 .../BindToAllInterfaces}/BindToAllInterfaces.qhelp              | 0
 .../BindToAllInterfaces}/BindToAllInterfaces.ql                 | 0
 .../{CWE-215 => BadPractice/FlaskRunWithDebug}/FlaskDebug.py    | 0
 .../{CWE-215 => BadPractice/FlaskRunWithDebug}/FlaskDebug.qhelp | 0
 .../{CWE-215 => BadPractice/FlaskRunWithDebug}/FlaskDebug.ql    | 0
 .../HTTPSRequestWithoutCertValidation.qhelp}                    | 0
 .../HTTPSRequestWithoutCertValidation.ql}                       | 0
 .../HTTPSRequestWithoutCertValidation}/examples/make_request.py | 0
 .../HardcodedCredentials}/HardcodedCredentials.py               | 0
 .../HardcodedCredentials}/HardcodedCredentials.qhelp            | 0
 .../HardcodedCredentials}/HardcodedCredentials.ql               | 0
 .../IncompleteUrlSanitizer}/IncompleteHostnameRegExp.qhelp      | 0
 .../IncompleteUrlSanitizer}/IncompleteHostnameRegExp.ql         | 0
 .../IncompleteUrlSubstringSanitization.qhelp                    | 0
 .../IncompleteUrlSubstringSanitization.ql                       | 0
 .../examples/IncompleteHostnameRegExp.py                        | 0
 .../examples/IncompleteUrlSubstringSanitization.py              | 0
 .../InsecureTemporaryFile}/InsecureTemporaryFile.py             | 0
 .../InsecureTemporaryFile}/InsecureTemporaryFile.qhelp          | 0
 .../InsecureTemporaryFile}/InsecureTemporaryFile.ql             | 0
 .../InsecureTemporaryFile}/SecureTemporaryFile.py               | 0
 .../Jinja2RenderWithoutEscape}/Jinja2WithoutEscaping.qhelp      | 0
 .../Jinja2RenderWithoutEscape}/Jinja2WithoutEscaping.ql         | 0
 .../Jinja2RenderWithoutEscape}/examples/jinja2.py               | 0
 .../SSHMissingHostKeyValidation.qhelp}                          | 0
 .../SSHMissingHostKeyValidation/SSHMissingHostKeyValidation.ql} | 0
 .../SSHMissingHostKeyValidation}/examples/paramiko_host_key.py  | 0
 .../WeakFilePermissions}/WeakFilePermissions.qhelp              | 0
 .../WeakFilePermissions}/WeakFilePermissions.ql                 | 0
 .../{CWE-327 => Crypto/TLS}/InsecureDefaultProtocol.qhelp       | 0
 .../Security/{CWE-327 => Crypto/TLS}/InsecureDefaultProtocol.ql | 0
 .../src/Security/{CWE-327 => Crypto/TLS}/InsecureProtocol.qhelp | 0
 .../ql/src/Security/{CWE-327 => Crypto/TLS}/InsecureProtocol.ql | 0
 .../TLS}/examples/insecure_default_protocol.py                  | 0
 .../{CWE-327 => Crypto/TLS}/examples/insecure_protocol.py       | 0
 .../WeakCryptoAlgorithm/WeakCryptoAlgorithm.qhelp}              | 2 +-
 .../WeakCryptoAlgorithm/WeakCryptoAlgorithm.ql}                 | 0
 .../WeakCryptoAlgorithm/examples/weak_crypto_algorithm.py}      | 0
 .../WeakCryptoKey/WeakCryptoKey.qhelp}                          | 0
 .../WeakCrypto.ql => Crypto/WeakCryptoKey/WeakCryptoKey.ql}     | 0
 .../SensitiveDataExposure}/CleartextLogging.qhelp               | 0
 .../SensitiveDataExposure}/CleartextLogging.ql                  | 0
 .../SensitiveDataExposure}/CleartextStorage.qhelp               | 0
 .../SensitiveDataExposure}/CleartextStorage.ql                  | 0
 .../SensitiveDataExposure}/examples/password_in_cookie.py       | 0
 .../StackTraceExposure}/StackTraceExposure.py                   | 0
 .../StackTraceExposure}/StackTraceExposure.qhelp                | 0
 .../StackTraceExposure}/StackTraceExposure.ql                   | 0
 .../{CWE-094 => Injection/CodeInjection}/CodeInjection.qhelp    | 0
 .../{CWE-094 => Injection/CodeInjection}/CodeInjection.ql       | 0
 .../CodeInjection}/examples/code_injection.py                   | 0
 .../CommandInjection}/CommandInjection.qhelp                    | 0
 .../{CWE-078 => Injection/CommandInjection}/CommandInjection.ql | 0
 .../CommandInjection}/examples/command_injection.py             | 0
 .../OpenRedirect/OpenRedirect.qhelp}                            | 0
 .../UrlRedirect.ql => Injection/OpenRedirect/OpenRedirect.ql}   | 0
 .../OpenRedirect}/examples/redirect_bad.py                      | 0
 .../OpenRedirect}/examples/redirect_good.py                     | 0
 .../{CWE-022 => Injection/PathInjection}/PathInjection.qhelp    | 0
 .../{CWE-022 => Injection/PathInjection}/PathInjection.ql       | 0
 .../PathInjection}/examples/tainted_path.py                     | 0
 .../{CWE-079 => Injection/ReflectedXss}/ReflectedXss.qhelp      | 0
 .../{CWE-079 => Injection/ReflectedXss}/ReflectedXss.ql         | 0
 .../{CWE-079 => Injection/ReflectedXss}/examples/xss.py         | 0
 .../{CWE-089 => Injection/SqlInjection}/SqlInjection.qhelp      | 0
 .../{CWE-089 => Injection/SqlInjection}/SqlInjection.ql         | 0
 .../SqlInjection}/examples/sql_injection.py                     | 0
 .../src/Security/{CWE-022 => Injection/TarSlip}/TarSlip.qhelp   | 0
 .../ql/src/Security/{CWE-022 => Injection/TarSlip}/TarSlip.ql   | 0
 .../{CWE-022 => Injection/TarSlip}/examples/tarslip_bad.py      | 0
 .../{CWE-022 => Injection/TarSlip}/examples/tarslip_good.py     | 0
 .../{CWE-502 => Injection/UnsafeDeserialization}/JsonGood.py    | 0
 .../UnsafeDeserialization}/UnpicklingBad.py                     | 0
 .../UnsafeDeserialization}/UnsafeDeserialization.qhelp          | 0
 .../UnsafeDeserialization}/UnsafeDeserialization.ql             | 0
 83 files changed, 1 insertion(+), 1 deletion(-)
 rename python/ql/src/{Security/CWE-020-ExternalAPIs => POI/ExternalAPIs}/ExternalAPISinkExample.py (100%)
 rename python/ql/src/{Security/CWE-020-ExternalAPIs => POI/ExternalAPIs}/ExternalAPITaintStepExample.py (100%)
 rename python/ql/src/{Security/CWE-020-ExternalAPIs => POI/ExternalAPIs}/ExternalAPIs.qll (100%)
 rename python/ql/src/{Security/CWE-020-ExternalAPIs => POI/ExternalAPIs}/ExternalAPIsUsedWithUntrustedData.qhelp (100%)
 rename python/ql/src/{Security/CWE-020-ExternalAPIs => POI/ExternalAPIs}/ExternalAPIsUsedWithUntrustedData.ql (100%)
 rename python/ql/src/{Security/CWE-020-ExternalAPIs => POI/ExternalAPIs}/UntrustedDataToExternalAPI.qhelp (100%)
 rename python/ql/src/{Security/CWE-020-ExternalAPIs => POI/ExternalAPIs}/UntrustedDataToExternalAPI.ql (100%)
 rename python/ql/src/Security/{CVE-2018-1281 => BadPractice/BindToAllInterfaces}/BindToAllInterfaces.py (100%)
 rename python/ql/src/Security/{CVE-2018-1281 => BadPractice/BindToAllInterfaces}/BindToAllInterfaces.qhelp (100%)
 rename python/ql/src/Security/{CVE-2018-1281 => BadPractice/BindToAllInterfaces}/BindToAllInterfaces.ql (100%)
 rename python/ql/src/Security/{CWE-215 => BadPractice/FlaskRunWithDebug}/FlaskDebug.py (100%)
 rename python/ql/src/Security/{CWE-215 => BadPractice/FlaskRunWithDebug}/FlaskDebug.qhelp (100%)
 rename python/ql/src/Security/{CWE-215 => BadPractice/FlaskRunWithDebug}/FlaskDebug.ql (100%)
 rename python/ql/src/Security/{CWE-295/RequestWithoutValidation.qhelp => BadPractice/HTTPSRequestWithoutCertValidation/HTTPSRequestWithoutCertValidation.qhelp} (100%)
 rename python/ql/src/Security/{CWE-295/RequestWithoutValidation.ql => BadPractice/HTTPSRequestWithoutCertValidation/HTTPSRequestWithoutCertValidation.ql} (100%)
 rename python/ql/src/Security/{CWE-295 => BadPractice/HTTPSRequestWithoutCertValidation}/examples/make_request.py (100%)
 rename python/ql/src/Security/{CWE-798 => BadPractice/HardcodedCredentials}/HardcodedCredentials.py (100%)
 rename python/ql/src/Security/{CWE-798 => BadPractice/HardcodedCredentials}/HardcodedCredentials.qhelp (100%)
 rename python/ql/src/Security/{CWE-798 => BadPractice/HardcodedCredentials}/HardcodedCredentials.ql (100%)
 rename python/ql/src/Security/{CWE-020 => BadPractice/IncompleteUrlSanitizer}/IncompleteHostnameRegExp.qhelp (100%)
 rename python/ql/src/Security/{CWE-020 => BadPractice/IncompleteUrlSanitizer}/IncompleteHostnameRegExp.ql (100%)
 rename python/ql/src/Security/{CWE-020 => BadPractice/IncompleteUrlSanitizer}/IncompleteUrlSubstringSanitization.qhelp (100%)
 rename python/ql/src/Security/{CWE-020 => BadPractice/IncompleteUrlSanitizer}/IncompleteUrlSubstringSanitization.ql (100%)
 rename python/ql/src/Security/{CWE-020 => BadPractice/IncompleteUrlSanitizer}/examples/IncompleteHostnameRegExp.py (100%)
 rename python/ql/src/Security/{CWE-020 => BadPractice/IncompleteUrlSanitizer}/examples/IncompleteUrlSubstringSanitization.py (100%)
 rename python/ql/src/Security/{CWE-377 => BadPractice/InsecureTemporaryFile}/InsecureTemporaryFile.py (100%)
 rename python/ql/src/Security/{CWE-377 => BadPractice/InsecureTemporaryFile}/InsecureTemporaryFile.qhelp (100%)
 rename python/ql/src/Security/{CWE-377 => BadPractice/InsecureTemporaryFile}/InsecureTemporaryFile.ql (100%)
 rename python/ql/src/Security/{CWE-377 => BadPractice/InsecureTemporaryFile}/SecureTemporaryFile.py (100%)
 rename python/ql/src/Security/{CWE-079 => BadPractice/Jinja2RenderWithoutEscape}/Jinja2WithoutEscaping.qhelp (100%)
 rename python/ql/src/Security/{CWE-079 => BadPractice/Jinja2RenderWithoutEscape}/Jinja2WithoutEscaping.ql (100%)
 rename python/ql/src/Security/{CWE-079 => BadPractice/Jinja2RenderWithoutEscape}/examples/jinja2.py (100%)
 rename python/ql/src/Security/{CWE-295/MissingHostKeyValidation.qhelp => BadPractice/SSHMissingHostKeyValidation/SSHMissingHostKeyValidation.qhelp} (100%)
 rename python/ql/src/Security/{CWE-295/MissingHostKeyValidation.ql => BadPractice/SSHMissingHostKeyValidation/SSHMissingHostKeyValidation.ql} (100%)
 rename python/ql/src/Security/{CWE-295 => BadPractice/SSHMissingHostKeyValidation}/examples/paramiko_host_key.py (100%)
 rename python/ql/src/Security/{CWE-732 => BadPractice/WeakFilePermissions}/WeakFilePermissions.qhelp (100%)
 rename python/ql/src/Security/{CWE-732 => BadPractice/WeakFilePermissions}/WeakFilePermissions.ql (100%)
 rename python/ql/src/Security/{CWE-327 => Crypto/TLS}/InsecureDefaultProtocol.qhelp (100%)
 rename python/ql/src/Security/{CWE-327 => Crypto/TLS}/InsecureDefaultProtocol.ql (100%)
 rename python/ql/src/Security/{CWE-327 => Crypto/TLS}/InsecureProtocol.qhelp (100%)
 rename python/ql/src/Security/{CWE-327 => Crypto/TLS}/InsecureProtocol.ql (100%)
 rename python/ql/src/Security/{CWE-327 => Crypto/TLS}/examples/insecure_default_protocol.py (100%)
 rename python/ql/src/Security/{CWE-327 => Crypto/TLS}/examples/insecure_protocol.py (100%)
 rename python/ql/src/Security/{CWE-327/BrokenCryptoAlgorithm.qhelp => Crypto/WeakCryptoAlgorithm/WeakCryptoAlgorithm.qhelp} (97%)
 rename python/ql/src/Security/{CWE-327/BrokenCryptoAlgorithm.ql => Crypto/WeakCryptoAlgorithm/WeakCryptoAlgorithm.ql} (100%)
 rename python/ql/src/Security/{CWE-327/examples/broken_crypto.py => Crypto/WeakCryptoAlgorithm/examples/weak_crypto_algorithm.py} (100%)
 rename python/ql/src/Security/{CWE-326/WeakCrypto.qhelp => Crypto/WeakCryptoKey/WeakCryptoKey.qhelp} (100%)
 rename python/ql/src/Security/{CWE-326/WeakCrypto.ql => Crypto/WeakCryptoKey/WeakCryptoKey.ql} (100%)
 rename python/ql/src/Security/{CWE-312 => Exposure/SensitiveDataExposure}/CleartextLogging.qhelp (100%)
 rename python/ql/src/Security/{CWE-312 => Exposure/SensitiveDataExposure}/CleartextLogging.ql (100%)
 rename python/ql/src/Security/{CWE-312 => Exposure/SensitiveDataExposure}/CleartextStorage.qhelp (100%)
 rename python/ql/src/Security/{CWE-312 => Exposure/SensitiveDataExposure}/CleartextStorage.ql (100%)
 rename python/ql/src/Security/{CWE-312 => Exposure/SensitiveDataExposure}/examples/password_in_cookie.py (100%)
 rename python/ql/src/Security/{CWE-209 => Exposure/StackTraceExposure}/StackTraceExposure.py (100%)
 rename python/ql/src/Security/{CWE-209 => Exposure/StackTraceExposure}/StackTraceExposure.qhelp (100%)
 rename python/ql/src/Security/{CWE-209 => Exposure/StackTraceExposure}/StackTraceExposure.ql (100%)
 rename python/ql/src/Security/{CWE-094 => Injection/CodeInjection}/CodeInjection.qhelp (100%)
 rename python/ql/src/Security/{CWE-094 => Injection/CodeInjection}/CodeInjection.ql (100%)
 rename python/ql/src/Security/{CWE-094 => Injection/CodeInjection}/examples/code_injection.py (100%)
 rename python/ql/src/Security/{CWE-078 => Injection/CommandInjection}/CommandInjection.qhelp (100%)
 rename python/ql/src/Security/{CWE-078 => Injection/CommandInjection}/CommandInjection.ql (100%)
 rename python/ql/src/Security/{CWE-078 => Injection/CommandInjection}/examples/command_injection.py (100%)
 rename python/ql/src/Security/{CWE-601/UrlRedirect.qhelp => Injection/OpenRedirect/OpenRedirect.qhelp} (100%)
 rename python/ql/src/Security/{CWE-601/UrlRedirect.ql => Injection/OpenRedirect/OpenRedirect.ql} (100%)
 rename python/ql/src/Security/{CWE-601 => Injection/OpenRedirect}/examples/redirect_bad.py (100%)
 rename python/ql/src/Security/{CWE-601 => Injection/OpenRedirect}/examples/redirect_good.py (100%)
 rename python/ql/src/Security/{CWE-022 => Injection/PathInjection}/PathInjection.qhelp (100%)
 rename python/ql/src/Security/{CWE-022 => Injection/PathInjection}/PathInjection.ql (100%)
 rename python/ql/src/Security/{CWE-022 => Injection/PathInjection}/examples/tainted_path.py (100%)
 rename python/ql/src/Security/{CWE-079 => Injection/ReflectedXss}/ReflectedXss.qhelp (100%)
 rename python/ql/src/Security/{CWE-079 => Injection/ReflectedXss}/ReflectedXss.ql (100%)
 rename python/ql/src/Security/{CWE-079 => Injection/ReflectedXss}/examples/xss.py (100%)
 rename python/ql/src/Security/{CWE-089 => Injection/SqlInjection}/SqlInjection.qhelp (100%)
 rename python/ql/src/Security/{CWE-089 => Injection/SqlInjection}/SqlInjection.ql (100%)
 rename python/ql/src/Security/{CWE-089 => Injection/SqlInjection}/examples/sql_injection.py (100%)
 rename python/ql/src/Security/{CWE-022 => Injection/TarSlip}/TarSlip.qhelp (100%)
 rename python/ql/src/Security/{CWE-022 => Injection/TarSlip}/TarSlip.ql (100%)
 rename python/ql/src/Security/{CWE-022 => Injection/TarSlip}/examples/tarslip_bad.py (100%)
 rename python/ql/src/Security/{CWE-022 => Injection/TarSlip}/examples/tarslip_good.py (100%)
 rename python/ql/src/Security/{CWE-502 => Injection/UnsafeDeserialization}/JsonGood.py (100%)
 rename python/ql/src/Security/{CWE-502 => Injection/UnsafeDeserialization}/UnpicklingBad.py (100%)
 rename python/ql/src/Security/{CWE-502 => Injection/UnsafeDeserialization}/UnsafeDeserialization.qhelp (100%)
 rename python/ql/src/Security/{CWE-502 => Injection/UnsafeDeserialization}/UnsafeDeserialization.ql (100%)

diff --git a/python/ql/src/Security/CWE-020-ExternalAPIs/ExternalAPISinkExample.py b/python/ql/src/POI/ExternalAPIs/ExternalAPISinkExample.py
similarity index 100%
rename from python/ql/src/Security/CWE-020-ExternalAPIs/ExternalAPISinkExample.py
rename to python/ql/src/POI/ExternalAPIs/ExternalAPISinkExample.py
diff --git a/python/ql/src/Security/CWE-020-ExternalAPIs/ExternalAPITaintStepExample.py b/python/ql/src/POI/ExternalAPIs/ExternalAPITaintStepExample.py
similarity index 100%
rename from python/ql/src/Security/CWE-020-ExternalAPIs/ExternalAPITaintStepExample.py
rename to python/ql/src/POI/ExternalAPIs/ExternalAPITaintStepExample.py
diff --git a/python/ql/src/Security/CWE-020-ExternalAPIs/ExternalAPIs.qll b/python/ql/src/POI/ExternalAPIs/ExternalAPIs.qll
similarity index 100%
rename from python/ql/src/Security/CWE-020-ExternalAPIs/ExternalAPIs.qll
rename to python/ql/src/POI/ExternalAPIs/ExternalAPIs.qll
diff --git a/python/ql/src/Security/CWE-020-ExternalAPIs/ExternalAPIsUsedWithUntrustedData.qhelp b/python/ql/src/POI/ExternalAPIs/ExternalAPIsUsedWithUntrustedData.qhelp
similarity index 100%
rename from python/ql/src/Security/CWE-020-ExternalAPIs/ExternalAPIsUsedWithUntrustedData.qhelp
rename to python/ql/src/POI/ExternalAPIs/ExternalAPIsUsedWithUntrustedData.qhelp
diff --git a/python/ql/src/Security/CWE-020-ExternalAPIs/ExternalAPIsUsedWithUntrustedData.ql b/python/ql/src/POI/ExternalAPIs/ExternalAPIsUsedWithUntrustedData.ql
similarity index 100%
rename from python/ql/src/Security/CWE-020-ExternalAPIs/ExternalAPIsUsedWithUntrustedData.ql
rename to python/ql/src/POI/ExternalAPIs/ExternalAPIsUsedWithUntrustedData.ql
diff --git a/python/ql/src/Security/CWE-020-ExternalAPIs/UntrustedDataToExternalAPI.qhelp b/python/ql/src/POI/ExternalAPIs/UntrustedDataToExternalAPI.qhelp
similarity index 100%
rename from python/ql/src/Security/CWE-020-ExternalAPIs/UntrustedDataToExternalAPI.qhelp
rename to python/ql/src/POI/ExternalAPIs/UntrustedDataToExternalAPI.qhelp
diff --git a/python/ql/src/Security/CWE-020-ExternalAPIs/UntrustedDataToExternalAPI.ql b/python/ql/src/POI/ExternalAPIs/UntrustedDataToExternalAPI.ql
similarity index 100%
rename from python/ql/src/Security/CWE-020-ExternalAPIs/UntrustedDataToExternalAPI.ql
rename to python/ql/src/POI/ExternalAPIs/UntrustedDataToExternalAPI.ql
diff --git a/python/ql/src/Security/CVE-2018-1281/BindToAllInterfaces.py b/python/ql/src/Security/BadPractice/BindToAllInterfaces/BindToAllInterfaces.py
similarity index 100%
rename from python/ql/src/Security/CVE-2018-1281/BindToAllInterfaces.py
rename to python/ql/src/Security/BadPractice/BindToAllInterfaces/BindToAllInterfaces.py
diff --git a/python/ql/src/Security/CVE-2018-1281/BindToAllInterfaces.qhelp b/python/ql/src/Security/BadPractice/BindToAllInterfaces/BindToAllInterfaces.qhelp
similarity index 100%
rename from python/ql/src/Security/CVE-2018-1281/BindToAllInterfaces.qhelp
rename to python/ql/src/Security/BadPractice/BindToAllInterfaces/BindToAllInterfaces.qhelp
diff --git a/python/ql/src/Security/CVE-2018-1281/BindToAllInterfaces.ql b/python/ql/src/Security/BadPractice/BindToAllInterfaces/BindToAllInterfaces.ql
similarity index 100%
rename from python/ql/src/Security/CVE-2018-1281/BindToAllInterfaces.ql
rename to python/ql/src/Security/BadPractice/BindToAllInterfaces/BindToAllInterfaces.ql
diff --git a/python/ql/src/Security/CWE-215/FlaskDebug.py b/python/ql/src/Security/BadPractice/FlaskRunWithDebug/FlaskDebug.py
similarity index 100%
rename from python/ql/src/Security/CWE-215/FlaskDebug.py
rename to python/ql/src/Security/BadPractice/FlaskRunWithDebug/FlaskDebug.py
diff --git a/python/ql/src/Security/CWE-215/FlaskDebug.qhelp b/python/ql/src/Security/BadPractice/FlaskRunWithDebug/FlaskDebug.qhelp
similarity index 100%
rename from python/ql/src/Security/CWE-215/FlaskDebug.qhelp
rename to python/ql/src/Security/BadPractice/FlaskRunWithDebug/FlaskDebug.qhelp
diff --git a/python/ql/src/Security/CWE-215/FlaskDebug.ql b/python/ql/src/Security/BadPractice/FlaskRunWithDebug/FlaskDebug.ql
similarity index 100%
rename from python/ql/src/Security/CWE-215/FlaskDebug.ql
rename to python/ql/src/Security/BadPractice/FlaskRunWithDebug/FlaskDebug.ql
diff --git a/python/ql/src/Security/CWE-295/RequestWithoutValidation.qhelp b/python/ql/src/Security/BadPractice/HTTPSRequestWithoutCertValidation/HTTPSRequestWithoutCertValidation.qhelp
similarity index 100%
rename from python/ql/src/Security/CWE-295/RequestWithoutValidation.qhelp
rename to python/ql/src/Security/BadPractice/HTTPSRequestWithoutCertValidation/HTTPSRequestWithoutCertValidation.qhelp
diff --git a/python/ql/src/Security/CWE-295/RequestWithoutValidation.ql b/python/ql/src/Security/BadPractice/HTTPSRequestWithoutCertValidation/HTTPSRequestWithoutCertValidation.ql
similarity index 100%
rename from python/ql/src/Security/CWE-295/RequestWithoutValidation.ql
rename to python/ql/src/Security/BadPractice/HTTPSRequestWithoutCertValidation/HTTPSRequestWithoutCertValidation.ql
diff --git a/python/ql/src/Security/CWE-295/examples/make_request.py b/python/ql/src/Security/BadPractice/HTTPSRequestWithoutCertValidation/examples/make_request.py
similarity index 100%
rename from python/ql/src/Security/CWE-295/examples/make_request.py
rename to python/ql/src/Security/BadPractice/HTTPSRequestWithoutCertValidation/examples/make_request.py
diff --git a/python/ql/src/Security/CWE-798/HardcodedCredentials.py b/python/ql/src/Security/BadPractice/HardcodedCredentials/HardcodedCredentials.py
similarity index 100%
rename from python/ql/src/Security/CWE-798/HardcodedCredentials.py
rename to python/ql/src/Security/BadPractice/HardcodedCredentials/HardcodedCredentials.py
diff --git a/python/ql/src/Security/CWE-798/HardcodedCredentials.qhelp b/python/ql/src/Security/BadPractice/HardcodedCredentials/HardcodedCredentials.qhelp
similarity index 100%
rename from python/ql/src/Security/CWE-798/HardcodedCredentials.qhelp
rename to python/ql/src/Security/BadPractice/HardcodedCredentials/HardcodedCredentials.qhelp
diff --git a/python/ql/src/Security/CWE-798/HardcodedCredentials.ql b/python/ql/src/Security/BadPractice/HardcodedCredentials/HardcodedCredentials.ql
similarity index 100%
rename from python/ql/src/Security/CWE-798/HardcodedCredentials.ql
rename to python/ql/src/Security/BadPractice/HardcodedCredentials/HardcodedCredentials.ql
diff --git a/python/ql/src/Security/CWE-020/IncompleteHostnameRegExp.qhelp b/python/ql/src/Security/BadPractice/IncompleteUrlSanitizer/IncompleteHostnameRegExp.qhelp
similarity index 100%
rename from python/ql/src/Security/CWE-020/IncompleteHostnameRegExp.qhelp
rename to python/ql/src/Security/BadPractice/IncompleteUrlSanitizer/IncompleteHostnameRegExp.qhelp
diff --git a/python/ql/src/Security/CWE-020/IncompleteHostnameRegExp.ql b/python/ql/src/Security/BadPractice/IncompleteUrlSanitizer/IncompleteHostnameRegExp.ql
similarity index 100%
rename from python/ql/src/Security/CWE-020/IncompleteHostnameRegExp.ql
rename to python/ql/src/Security/BadPractice/IncompleteUrlSanitizer/IncompleteHostnameRegExp.ql
diff --git a/python/ql/src/Security/CWE-020/IncompleteUrlSubstringSanitization.qhelp b/python/ql/src/Security/BadPractice/IncompleteUrlSanitizer/IncompleteUrlSubstringSanitization.qhelp
similarity index 100%
rename from python/ql/src/Security/CWE-020/IncompleteUrlSubstringSanitization.qhelp
rename to python/ql/src/Security/BadPractice/IncompleteUrlSanitizer/IncompleteUrlSubstringSanitization.qhelp
diff --git a/python/ql/src/Security/CWE-020/IncompleteUrlSubstringSanitization.ql b/python/ql/src/Security/BadPractice/IncompleteUrlSanitizer/IncompleteUrlSubstringSanitization.ql
similarity index 100%
rename from python/ql/src/Security/CWE-020/IncompleteUrlSubstringSanitization.ql
rename to python/ql/src/Security/BadPractice/IncompleteUrlSanitizer/IncompleteUrlSubstringSanitization.ql
diff --git a/python/ql/src/Security/CWE-020/examples/IncompleteHostnameRegExp.py b/python/ql/src/Security/BadPractice/IncompleteUrlSanitizer/examples/IncompleteHostnameRegExp.py
similarity index 100%
rename from python/ql/src/Security/CWE-020/examples/IncompleteHostnameRegExp.py
rename to python/ql/src/Security/BadPractice/IncompleteUrlSanitizer/examples/IncompleteHostnameRegExp.py
diff --git a/python/ql/src/Security/CWE-020/examples/IncompleteUrlSubstringSanitization.py b/python/ql/src/Security/BadPractice/IncompleteUrlSanitizer/examples/IncompleteUrlSubstringSanitization.py
similarity index 100%
rename from python/ql/src/Security/CWE-020/examples/IncompleteUrlSubstringSanitization.py
rename to python/ql/src/Security/BadPractice/IncompleteUrlSanitizer/examples/IncompleteUrlSubstringSanitization.py
diff --git a/python/ql/src/Security/CWE-377/InsecureTemporaryFile.py b/python/ql/src/Security/BadPractice/InsecureTemporaryFile/InsecureTemporaryFile.py
similarity index 100%
rename from python/ql/src/Security/CWE-377/InsecureTemporaryFile.py
rename to python/ql/src/Security/BadPractice/InsecureTemporaryFile/InsecureTemporaryFile.py
diff --git a/python/ql/src/Security/CWE-377/InsecureTemporaryFile.qhelp b/python/ql/src/Security/BadPractice/InsecureTemporaryFile/InsecureTemporaryFile.qhelp
similarity index 100%
rename from python/ql/src/Security/CWE-377/InsecureTemporaryFile.qhelp
rename to python/ql/src/Security/BadPractice/InsecureTemporaryFile/InsecureTemporaryFile.qhelp
diff --git a/python/ql/src/Security/CWE-377/InsecureTemporaryFile.ql b/python/ql/src/Security/BadPractice/InsecureTemporaryFile/InsecureTemporaryFile.ql
similarity index 100%
rename from python/ql/src/Security/CWE-377/InsecureTemporaryFile.ql
rename to python/ql/src/Security/BadPractice/InsecureTemporaryFile/InsecureTemporaryFile.ql
diff --git a/python/ql/src/Security/CWE-377/SecureTemporaryFile.py b/python/ql/src/Security/BadPractice/InsecureTemporaryFile/SecureTemporaryFile.py
similarity index 100%
rename from python/ql/src/Security/CWE-377/SecureTemporaryFile.py
rename to python/ql/src/Security/BadPractice/InsecureTemporaryFile/SecureTemporaryFile.py
diff --git a/python/ql/src/Security/CWE-079/Jinja2WithoutEscaping.qhelp b/python/ql/src/Security/BadPractice/Jinja2RenderWithoutEscape/Jinja2WithoutEscaping.qhelp
similarity index 100%
rename from python/ql/src/Security/CWE-079/Jinja2WithoutEscaping.qhelp
rename to python/ql/src/Security/BadPractice/Jinja2RenderWithoutEscape/Jinja2WithoutEscaping.qhelp
diff --git a/python/ql/src/Security/CWE-079/Jinja2WithoutEscaping.ql b/python/ql/src/Security/BadPractice/Jinja2RenderWithoutEscape/Jinja2WithoutEscaping.ql
similarity index 100%
rename from python/ql/src/Security/CWE-079/Jinja2WithoutEscaping.ql
rename to python/ql/src/Security/BadPractice/Jinja2RenderWithoutEscape/Jinja2WithoutEscaping.ql
diff --git a/python/ql/src/Security/CWE-079/examples/jinja2.py b/python/ql/src/Security/BadPractice/Jinja2RenderWithoutEscape/examples/jinja2.py
similarity index 100%
rename from python/ql/src/Security/CWE-079/examples/jinja2.py
rename to python/ql/src/Security/BadPractice/Jinja2RenderWithoutEscape/examples/jinja2.py
diff --git a/python/ql/src/Security/CWE-295/MissingHostKeyValidation.qhelp b/python/ql/src/Security/BadPractice/SSHMissingHostKeyValidation/SSHMissingHostKeyValidation.qhelp
similarity index 100%
rename from python/ql/src/Security/CWE-295/MissingHostKeyValidation.qhelp
rename to python/ql/src/Security/BadPractice/SSHMissingHostKeyValidation/SSHMissingHostKeyValidation.qhelp
diff --git a/python/ql/src/Security/CWE-295/MissingHostKeyValidation.ql b/python/ql/src/Security/BadPractice/SSHMissingHostKeyValidation/SSHMissingHostKeyValidation.ql
similarity index 100%
rename from python/ql/src/Security/CWE-295/MissingHostKeyValidation.ql
rename to python/ql/src/Security/BadPractice/SSHMissingHostKeyValidation/SSHMissingHostKeyValidation.ql
diff --git a/python/ql/src/Security/CWE-295/examples/paramiko_host_key.py b/python/ql/src/Security/BadPractice/SSHMissingHostKeyValidation/examples/paramiko_host_key.py
similarity index 100%
rename from python/ql/src/Security/CWE-295/examples/paramiko_host_key.py
rename to python/ql/src/Security/BadPractice/SSHMissingHostKeyValidation/examples/paramiko_host_key.py
diff --git a/python/ql/src/Security/CWE-732/WeakFilePermissions.qhelp b/python/ql/src/Security/BadPractice/WeakFilePermissions/WeakFilePermissions.qhelp
similarity index 100%
rename from python/ql/src/Security/CWE-732/WeakFilePermissions.qhelp
rename to python/ql/src/Security/BadPractice/WeakFilePermissions/WeakFilePermissions.qhelp
diff --git a/python/ql/src/Security/CWE-732/WeakFilePermissions.ql b/python/ql/src/Security/BadPractice/WeakFilePermissions/WeakFilePermissions.ql
similarity index 100%
rename from python/ql/src/Security/CWE-732/WeakFilePermissions.ql
rename to python/ql/src/Security/BadPractice/WeakFilePermissions/WeakFilePermissions.ql
diff --git a/python/ql/src/Security/CWE-327/InsecureDefaultProtocol.qhelp b/python/ql/src/Security/Crypto/TLS/InsecureDefaultProtocol.qhelp
similarity index 100%
rename from python/ql/src/Security/CWE-327/InsecureDefaultProtocol.qhelp
rename to python/ql/src/Security/Crypto/TLS/InsecureDefaultProtocol.qhelp
diff --git a/python/ql/src/Security/CWE-327/InsecureDefaultProtocol.ql b/python/ql/src/Security/Crypto/TLS/InsecureDefaultProtocol.ql
similarity index 100%
rename from python/ql/src/Security/CWE-327/InsecureDefaultProtocol.ql
rename to python/ql/src/Security/Crypto/TLS/InsecureDefaultProtocol.ql
diff --git a/python/ql/src/Security/CWE-327/InsecureProtocol.qhelp b/python/ql/src/Security/Crypto/TLS/InsecureProtocol.qhelp
similarity index 100%
rename from python/ql/src/Security/CWE-327/InsecureProtocol.qhelp
rename to python/ql/src/Security/Crypto/TLS/InsecureProtocol.qhelp
diff --git a/python/ql/src/Security/CWE-327/InsecureProtocol.ql b/python/ql/src/Security/Crypto/TLS/InsecureProtocol.ql
similarity index 100%
rename from python/ql/src/Security/CWE-327/InsecureProtocol.ql
rename to python/ql/src/Security/Crypto/TLS/InsecureProtocol.ql
diff --git a/python/ql/src/Security/CWE-327/examples/insecure_default_protocol.py b/python/ql/src/Security/Crypto/TLS/examples/insecure_default_protocol.py
similarity index 100%
rename from python/ql/src/Security/CWE-327/examples/insecure_default_protocol.py
rename to python/ql/src/Security/Crypto/TLS/examples/insecure_default_protocol.py
diff --git a/python/ql/src/Security/CWE-327/examples/insecure_protocol.py b/python/ql/src/Security/Crypto/TLS/examples/insecure_protocol.py
similarity index 100%
rename from python/ql/src/Security/CWE-327/examples/insecure_protocol.py
rename to python/ql/src/Security/Crypto/TLS/examples/insecure_protocol.py
diff --git a/python/ql/src/Security/CWE-327/BrokenCryptoAlgorithm.qhelp b/python/ql/src/Security/Crypto/WeakCryptoAlgorithm/WeakCryptoAlgorithm.qhelp
similarity index 97%
rename from python/ql/src/Security/CWE-327/BrokenCryptoAlgorithm.qhelp
rename to python/ql/src/Security/Crypto/WeakCryptoAlgorithm/WeakCryptoAlgorithm.qhelp
index ba5ab4d10c1..01c8460d14c 100644
--- a/python/ql/src/Security/CWE-327/BrokenCryptoAlgorithm.qhelp
+++ b/python/ql/src/Security/Crypto/WeakCryptoAlgorithm/WeakCryptoAlgorithm.qhelp
@@ -36,7 +36,7 @@
                example uses AES, which is a stronger modern algorithm.
           </p>
 
-          <sample src="examples/broken_crypto.py" />
+          <sample src="examples/weak_crypto_algorithm.py" />
 
           <p>
                WARNING: Although the second example above is more robust,
diff --git a/python/ql/src/Security/CWE-327/BrokenCryptoAlgorithm.ql b/python/ql/src/Security/Crypto/WeakCryptoAlgorithm/WeakCryptoAlgorithm.ql
similarity index 100%
rename from python/ql/src/Security/CWE-327/BrokenCryptoAlgorithm.ql
rename to python/ql/src/Security/Crypto/WeakCryptoAlgorithm/WeakCryptoAlgorithm.ql
diff --git a/python/ql/src/Security/CWE-327/examples/broken_crypto.py b/python/ql/src/Security/Crypto/WeakCryptoAlgorithm/examples/weak_crypto_algorithm.py
similarity index 100%
rename from python/ql/src/Security/CWE-327/examples/broken_crypto.py
rename to python/ql/src/Security/Crypto/WeakCryptoAlgorithm/examples/weak_crypto_algorithm.py
diff --git a/python/ql/src/Security/CWE-326/WeakCrypto.qhelp b/python/ql/src/Security/Crypto/WeakCryptoKey/WeakCryptoKey.qhelp
similarity index 100%
rename from python/ql/src/Security/CWE-326/WeakCrypto.qhelp
rename to python/ql/src/Security/Crypto/WeakCryptoKey/WeakCryptoKey.qhelp
diff --git a/python/ql/src/Security/CWE-326/WeakCrypto.ql b/python/ql/src/Security/Crypto/WeakCryptoKey/WeakCryptoKey.ql
similarity index 100%
rename from python/ql/src/Security/CWE-326/WeakCrypto.ql
rename to python/ql/src/Security/Crypto/WeakCryptoKey/WeakCryptoKey.ql
diff --git a/python/ql/src/Security/CWE-312/CleartextLogging.qhelp b/python/ql/src/Security/Exposure/SensitiveDataExposure/CleartextLogging.qhelp
similarity index 100%
rename from python/ql/src/Security/CWE-312/CleartextLogging.qhelp
rename to python/ql/src/Security/Exposure/SensitiveDataExposure/CleartextLogging.qhelp
diff --git a/python/ql/src/Security/CWE-312/CleartextLogging.ql b/python/ql/src/Security/Exposure/SensitiveDataExposure/CleartextLogging.ql
similarity index 100%
rename from python/ql/src/Security/CWE-312/CleartextLogging.ql
rename to python/ql/src/Security/Exposure/SensitiveDataExposure/CleartextLogging.ql
diff --git a/python/ql/src/Security/CWE-312/CleartextStorage.qhelp b/python/ql/src/Security/Exposure/SensitiveDataExposure/CleartextStorage.qhelp
similarity index 100%
rename from python/ql/src/Security/CWE-312/CleartextStorage.qhelp
rename to python/ql/src/Security/Exposure/SensitiveDataExposure/CleartextStorage.qhelp
diff --git a/python/ql/src/Security/CWE-312/CleartextStorage.ql b/python/ql/src/Security/Exposure/SensitiveDataExposure/CleartextStorage.ql
similarity index 100%
rename from python/ql/src/Security/CWE-312/CleartextStorage.ql
rename to python/ql/src/Security/Exposure/SensitiveDataExposure/CleartextStorage.ql
diff --git a/python/ql/src/Security/CWE-312/examples/password_in_cookie.py b/python/ql/src/Security/Exposure/SensitiveDataExposure/examples/password_in_cookie.py
similarity index 100%
rename from python/ql/src/Security/CWE-312/examples/password_in_cookie.py
rename to python/ql/src/Security/Exposure/SensitiveDataExposure/examples/password_in_cookie.py
diff --git a/python/ql/src/Security/CWE-209/StackTraceExposure.py b/python/ql/src/Security/Exposure/StackTraceExposure/StackTraceExposure.py
similarity index 100%
rename from python/ql/src/Security/CWE-209/StackTraceExposure.py
rename to python/ql/src/Security/Exposure/StackTraceExposure/StackTraceExposure.py
diff --git a/python/ql/src/Security/CWE-209/StackTraceExposure.qhelp b/python/ql/src/Security/Exposure/StackTraceExposure/StackTraceExposure.qhelp
similarity index 100%
rename from python/ql/src/Security/CWE-209/StackTraceExposure.qhelp
rename to python/ql/src/Security/Exposure/StackTraceExposure/StackTraceExposure.qhelp
diff --git a/python/ql/src/Security/CWE-209/StackTraceExposure.ql b/python/ql/src/Security/Exposure/StackTraceExposure/StackTraceExposure.ql
similarity index 100%
rename from python/ql/src/Security/CWE-209/StackTraceExposure.ql
rename to python/ql/src/Security/Exposure/StackTraceExposure/StackTraceExposure.ql
diff --git a/python/ql/src/Security/CWE-094/CodeInjection.qhelp b/python/ql/src/Security/Injection/CodeInjection/CodeInjection.qhelp
similarity index 100%
rename from python/ql/src/Security/CWE-094/CodeInjection.qhelp
rename to python/ql/src/Security/Injection/CodeInjection/CodeInjection.qhelp
diff --git a/python/ql/src/Security/CWE-094/CodeInjection.ql b/python/ql/src/Security/Injection/CodeInjection/CodeInjection.ql
similarity index 100%
rename from python/ql/src/Security/CWE-094/CodeInjection.ql
rename to python/ql/src/Security/Injection/CodeInjection/CodeInjection.ql
diff --git a/python/ql/src/Security/CWE-094/examples/code_injection.py b/python/ql/src/Security/Injection/CodeInjection/examples/code_injection.py
similarity index 100%
rename from python/ql/src/Security/CWE-094/examples/code_injection.py
rename to python/ql/src/Security/Injection/CodeInjection/examples/code_injection.py
diff --git a/python/ql/src/Security/CWE-078/CommandInjection.qhelp b/python/ql/src/Security/Injection/CommandInjection/CommandInjection.qhelp
similarity index 100%
rename from python/ql/src/Security/CWE-078/CommandInjection.qhelp
rename to python/ql/src/Security/Injection/CommandInjection/CommandInjection.qhelp
diff --git a/python/ql/src/Security/CWE-078/CommandInjection.ql b/python/ql/src/Security/Injection/CommandInjection/CommandInjection.ql
similarity index 100%
rename from python/ql/src/Security/CWE-078/CommandInjection.ql
rename to python/ql/src/Security/Injection/CommandInjection/CommandInjection.ql
diff --git a/python/ql/src/Security/CWE-078/examples/command_injection.py b/python/ql/src/Security/Injection/CommandInjection/examples/command_injection.py
similarity index 100%
rename from python/ql/src/Security/CWE-078/examples/command_injection.py
rename to python/ql/src/Security/Injection/CommandInjection/examples/command_injection.py
diff --git a/python/ql/src/Security/CWE-601/UrlRedirect.qhelp b/python/ql/src/Security/Injection/OpenRedirect/OpenRedirect.qhelp
similarity index 100%
rename from python/ql/src/Security/CWE-601/UrlRedirect.qhelp
rename to python/ql/src/Security/Injection/OpenRedirect/OpenRedirect.qhelp
diff --git a/python/ql/src/Security/CWE-601/UrlRedirect.ql b/python/ql/src/Security/Injection/OpenRedirect/OpenRedirect.ql
similarity index 100%
rename from python/ql/src/Security/CWE-601/UrlRedirect.ql
rename to python/ql/src/Security/Injection/OpenRedirect/OpenRedirect.ql
diff --git a/python/ql/src/Security/CWE-601/examples/redirect_bad.py b/python/ql/src/Security/Injection/OpenRedirect/examples/redirect_bad.py
similarity index 100%
rename from python/ql/src/Security/CWE-601/examples/redirect_bad.py
rename to python/ql/src/Security/Injection/OpenRedirect/examples/redirect_bad.py
diff --git a/python/ql/src/Security/CWE-601/examples/redirect_good.py b/python/ql/src/Security/Injection/OpenRedirect/examples/redirect_good.py
similarity index 100%
rename from python/ql/src/Security/CWE-601/examples/redirect_good.py
rename to python/ql/src/Security/Injection/OpenRedirect/examples/redirect_good.py
diff --git a/python/ql/src/Security/CWE-022/PathInjection.qhelp b/python/ql/src/Security/Injection/PathInjection/PathInjection.qhelp
similarity index 100%
rename from python/ql/src/Security/CWE-022/PathInjection.qhelp
rename to python/ql/src/Security/Injection/PathInjection/PathInjection.qhelp
diff --git a/python/ql/src/Security/CWE-022/PathInjection.ql b/python/ql/src/Security/Injection/PathInjection/PathInjection.ql
similarity index 100%
rename from python/ql/src/Security/CWE-022/PathInjection.ql
rename to python/ql/src/Security/Injection/PathInjection/PathInjection.ql
diff --git a/python/ql/src/Security/CWE-022/examples/tainted_path.py b/python/ql/src/Security/Injection/PathInjection/examples/tainted_path.py
similarity index 100%
rename from python/ql/src/Security/CWE-022/examples/tainted_path.py
rename to python/ql/src/Security/Injection/PathInjection/examples/tainted_path.py
diff --git a/python/ql/src/Security/CWE-079/ReflectedXss.qhelp b/python/ql/src/Security/Injection/ReflectedXss/ReflectedXss.qhelp
similarity index 100%
rename from python/ql/src/Security/CWE-079/ReflectedXss.qhelp
rename to python/ql/src/Security/Injection/ReflectedXss/ReflectedXss.qhelp
diff --git a/python/ql/src/Security/CWE-079/ReflectedXss.ql b/python/ql/src/Security/Injection/ReflectedXss/ReflectedXss.ql
similarity index 100%
rename from python/ql/src/Security/CWE-079/ReflectedXss.ql
rename to python/ql/src/Security/Injection/ReflectedXss/ReflectedXss.ql
diff --git a/python/ql/src/Security/CWE-079/examples/xss.py b/python/ql/src/Security/Injection/ReflectedXss/examples/xss.py
similarity index 100%
rename from python/ql/src/Security/CWE-079/examples/xss.py
rename to python/ql/src/Security/Injection/ReflectedXss/examples/xss.py
diff --git a/python/ql/src/Security/CWE-089/SqlInjection.qhelp b/python/ql/src/Security/Injection/SqlInjection/SqlInjection.qhelp
similarity index 100%
rename from python/ql/src/Security/CWE-089/SqlInjection.qhelp
rename to python/ql/src/Security/Injection/SqlInjection/SqlInjection.qhelp
diff --git a/python/ql/src/Security/CWE-089/SqlInjection.ql b/python/ql/src/Security/Injection/SqlInjection/SqlInjection.ql
similarity index 100%
rename from python/ql/src/Security/CWE-089/SqlInjection.ql
rename to python/ql/src/Security/Injection/SqlInjection/SqlInjection.ql
diff --git a/python/ql/src/Security/CWE-089/examples/sql_injection.py b/python/ql/src/Security/Injection/SqlInjection/examples/sql_injection.py
similarity index 100%
rename from python/ql/src/Security/CWE-089/examples/sql_injection.py
rename to python/ql/src/Security/Injection/SqlInjection/examples/sql_injection.py
diff --git a/python/ql/src/Security/CWE-022/TarSlip.qhelp b/python/ql/src/Security/Injection/TarSlip/TarSlip.qhelp
similarity index 100%
rename from python/ql/src/Security/CWE-022/TarSlip.qhelp
rename to python/ql/src/Security/Injection/TarSlip/TarSlip.qhelp
diff --git a/python/ql/src/Security/CWE-022/TarSlip.ql b/python/ql/src/Security/Injection/TarSlip/TarSlip.ql
similarity index 100%
rename from python/ql/src/Security/CWE-022/TarSlip.ql
rename to python/ql/src/Security/Injection/TarSlip/TarSlip.ql
diff --git a/python/ql/src/Security/CWE-022/examples/tarslip_bad.py b/python/ql/src/Security/Injection/TarSlip/examples/tarslip_bad.py
similarity index 100%
rename from python/ql/src/Security/CWE-022/examples/tarslip_bad.py
rename to python/ql/src/Security/Injection/TarSlip/examples/tarslip_bad.py
diff --git a/python/ql/src/Security/CWE-022/examples/tarslip_good.py b/python/ql/src/Security/Injection/TarSlip/examples/tarslip_good.py
similarity index 100%
rename from python/ql/src/Security/CWE-022/examples/tarslip_good.py
rename to python/ql/src/Security/Injection/TarSlip/examples/tarslip_good.py
diff --git a/python/ql/src/Security/CWE-502/JsonGood.py b/python/ql/src/Security/Injection/UnsafeDeserialization/JsonGood.py
similarity index 100%
rename from python/ql/src/Security/CWE-502/JsonGood.py
rename to python/ql/src/Security/Injection/UnsafeDeserialization/JsonGood.py
diff --git a/python/ql/src/Security/CWE-502/UnpicklingBad.py b/python/ql/src/Security/Injection/UnsafeDeserialization/UnpicklingBad.py
similarity index 100%
rename from python/ql/src/Security/CWE-502/UnpicklingBad.py
rename to python/ql/src/Security/Injection/UnsafeDeserialization/UnpicklingBad.py
diff --git a/python/ql/src/Security/CWE-502/UnsafeDeserialization.qhelp b/python/ql/src/Security/Injection/UnsafeDeserialization/UnsafeDeserialization.qhelp
similarity index 100%
rename from python/ql/src/Security/CWE-502/UnsafeDeserialization.qhelp
rename to python/ql/src/Security/Injection/UnsafeDeserialization/UnsafeDeserialization.qhelp
diff --git a/python/ql/src/Security/CWE-502/UnsafeDeserialization.ql b/python/ql/src/Security/Injection/UnsafeDeserialization/UnsafeDeserialization.ql
similarity index 100%
rename from python/ql/src/Security/CWE-502/UnsafeDeserialization.ql
rename to python/ql/src/Security/Injection/UnsafeDeserialization/UnsafeDeserialization.ql

From 1d6f9bee08373bdc89b07fba40de3941265e603f Mon Sep 17 00:00:00 2001
From: Rasmus Wriedt Larsen <rasmuswl@github.com>
Date: Tue, 16 Feb 2021 11:48:36 +0100
Subject: [PATCH 391/429] Python: Update qlrefs

---
 .../Security/CVE-2018-1281/BindToAllInterfaces.qlref            | 2 +-
 .../ExternalAPIsUsedWithUntrustedData.qlref                     | 2 +-
 .../CWE-020-ExternalAPIs/UntrustedDataToExternalAPI.qlref       | 2 +-
 .../query-tests/Security/CWE-020/IncompleteHostnameRegExp.qlref | 2 +-
 .../Security/CWE-020/IncompleteUrlSubstringSanitization.qlref   | 2 +-
 .../Security/CWE-022-PathInjection/PathInjection.qlref          | 2 +-
 .../ql/test/query-tests/Security/CWE-022-TarSlip/TarSlip.qlref  | 2 +-
 .../query-tests/Security/CWE-078-py2/CommandInjection.qlref     | 2 +-
 .../ql/test/query-tests/Security/CWE-078/CommandInjection.qlref | 2 +-
 .../query-tests/Security/CWE-079/Jinja2WithoutEscaping.qlref    | 2 +-
 python/ql/test/query-tests/Security/CWE-079/ReflectedXss.qlref  | 2 +-
 python/ql/test/query-tests/Security/CWE-089/SqlInjection.qlref  | 2 +-
 python/ql/test/query-tests/Security/CWE-094/CodeInjection.qlref | 2 +-
 .../test/query-tests/Security/CWE-209/StackTraceExposure.qlref  | 2 +-
 python/ql/test/query-tests/Security/CWE-215/FlaskDebug.qlref    | 2 +-
 .../query-tests/Security/CWE-295/MissingHostKeyValidation.qlref | 2 +-
 .../query-tests/Security/CWE-295/RequestWithoutValidation.qlref | 2 +-
 .../ql/test/query-tests/Security/CWE-312/CleartextLogging.qlref | 2 +-
 .../ql/test/query-tests/Security/CWE-312/CleartextStorage.qlref | 2 +-
 python/ql/test/query-tests/Security/CWE-326/WeakCrypto.qlref    | 2 +-
 .../query-tests/Security/CWE-327/BrokenCryptoAlgorithm.qlref    | 2 +-
 .../query-tests/Security/CWE-327/InsecureDefaultProtocol.qlref  | 2 +-
 .../ql/test/query-tests/Security/CWE-327/InsecureProtocol.qlref | 2 +-
 .../query-tests/Security/CWE-377/InsecureTemporaryFile.qlref    | 2 +-
 .../query-tests/Security/CWE-502/UnsafeDeserialization.qlref    | 2 +-
 python/ql/test/query-tests/Security/CWE-601/UrlRedirect.qlref   | 2 +-
 .../test/query-tests/Security/CWE-732/WeakFilePermissions.qlref | 2 +-
 .../query-tests/Security/CWE-798/HardcodedCredentials.qlref     | 2 +-
 28 files changed, 28 insertions(+), 28 deletions(-)

diff --git a/python/ql/test/query-tests/Security/CVE-2018-1281/BindToAllInterfaces.qlref b/python/ql/test/query-tests/Security/CVE-2018-1281/BindToAllInterfaces.qlref
index f06cc3d869d..29aa18f4b41 100644
--- a/python/ql/test/query-tests/Security/CVE-2018-1281/BindToAllInterfaces.qlref
+++ b/python/ql/test/query-tests/Security/CVE-2018-1281/BindToAllInterfaces.qlref
@@ -1 +1 @@
-Security/CVE-2018-1281/BindToAllInterfaces.ql
\ No newline at end of file
+Security/BadPractice/BindToAllInterfaces/BindToAllInterfaces.ql
\ No newline at end of file
diff --git a/python/ql/test/query-tests/Security/CWE-020-ExternalAPIs/ExternalAPIsUsedWithUntrustedData.qlref b/python/ql/test/query-tests/Security/CWE-020-ExternalAPIs/ExternalAPIsUsedWithUntrustedData.qlref
index c91bf44f815..af8f30055eb 100644
--- a/python/ql/test/query-tests/Security/CWE-020-ExternalAPIs/ExternalAPIsUsedWithUntrustedData.qlref
+++ b/python/ql/test/query-tests/Security/CWE-020-ExternalAPIs/ExternalAPIsUsedWithUntrustedData.qlref
@@ -1 +1 @@
-Security/CWE-020-ExternalAPIs/ExternalAPIsUsedWithUntrustedData.ql
+POI/ExternalAPIs/ExternalAPIsUsedWithUntrustedData.ql
diff --git a/python/ql/test/query-tests/Security/CWE-020-ExternalAPIs/UntrustedDataToExternalAPI.qlref b/python/ql/test/query-tests/Security/CWE-020-ExternalAPIs/UntrustedDataToExternalAPI.qlref
index 03c06feeec8..91c47f14b1c 100644
--- a/python/ql/test/query-tests/Security/CWE-020-ExternalAPIs/UntrustedDataToExternalAPI.qlref
+++ b/python/ql/test/query-tests/Security/CWE-020-ExternalAPIs/UntrustedDataToExternalAPI.qlref
@@ -1 +1 @@
-Security/CWE-020-ExternalAPIs/UntrustedDataToExternalAPI.ql
+POI/ExternalAPIs/UntrustedDataToExternalAPI.ql
diff --git a/python/ql/test/query-tests/Security/CWE-020/IncompleteHostnameRegExp.qlref b/python/ql/test/query-tests/Security/CWE-020/IncompleteHostnameRegExp.qlref
index e818d947252..7c132ddf232 100644
--- a/python/ql/test/query-tests/Security/CWE-020/IncompleteHostnameRegExp.qlref
+++ b/python/ql/test/query-tests/Security/CWE-020/IncompleteHostnameRegExp.qlref
@@ -1 +1 @@
-Security/CWE-020/IncompleteHostnameRegExp.ql
\ No newline at end of file
+Security/BadPractice/IncompleteUrlSanitizer/IncompleteHostnameRegExp.ql
\ No newline at end of file
diff --git a/python/ql/test/query-tests/Security/CWE-020/IncompleteUrlSubstringSanitization.qlref b/python/ql/test/query-tests/Security/CWE-020/IncompleteUrlSubstringSanitization.qlref
index 3fa6794419d..f41c8ec32d5 100644
--- a/python/ql/test/query-tests/Security/CWE-020/IncompleteUrlSubstringSanitization.qlref
+++ b/python/ql/test/query-tests/Security/CWE-020/IncompleteUrlSubstringSanitization.qlref
@@ -1 +1 @@
-Security/CWE-020/IncompleteUrlSubstringSanitization.ql
\ No newline at end of file
+Security/BadPractice/IncompleteUrlSanitizer/IncompleteUrlSubstringSanitization.ql
\ No newline at end of file
diff --git a/python/ql/test/query-tests/Security/CWE-022-PathInjection/PathInjection.qlref b/python/ql/test/query-tests/Security/CWE-022-PathInjection/PathInjection.qlref
index d43482cc509..510e08f427f 100644
--- a/python/ql/test/query-tests/Security/CWE-022-PathInjection/PathInjection.qlref
+++ b/python/ql/test/query-tests/Security/CWE-022-PathInjection/PathInjection.qlref
@@ -1 +1 @@
-Security/CWE-022/PathInjection.ql
+Security/Injection/PathInjection/PathInjection.ql
diff --git a/python/ql/test/query-tests/Security/CWE-022-TarSlip/TarSlip.qlref b/python/ql/test/query-tests/Security/CWE-022-TarSlip/TarSlip.qlref
index cfede0c92b2..178cd6e0a8d 100644
--- a/python/ql/test/query-tests/Security/CWE-022-TarSlip/TarSlip.qlref
+++ b/python/ql/test/query-tests/Security/CWE-022-TarSlip/TarSlip.qlref
@@ -1 +1 @@
-Security/CWE-022/TarSlip.ql
+Security/Injection/TarSlip/TarSlip.ql
diff --git a/python/ql/test/query-tests/Security/CWE-078-py2/CommandInjection.qlref b/python/ql/test/query-tests/Security/CWE-078-py2/CommandInjection.qlref
index e38b88f2919..91951ea271b 100644
--- a/python/ql/test/query-tests/Security/CWE-078-py2/CommandInjection.qlref
+++ b/python/ql/test/query-tests/Security/CWE-078-py2/CommandInjection.qlref
@@ -1 +1 @@
-Security/CWE-078/CommandInjection.ql
+Security/Injection/CommandInjection/CommandInjection.ql
diff --git a/python/ql/test/query-tests/Security/CWE-078/CommandInjection.qlref b/python/ql/test/query-tests/Security/CWE-078/CommandInjection.qlref
index e38b88f2919..91951ea271b 100644
--- a/python/ql/test/query-tests/Security/CWE-078/CommandInjection.qlref
+++ b/python/ql/test/query-tests/Security/CWE-078/CommandInjection.qlref
@@ -1 +1 @@
-Security/CWE-078/CommandInjection.ql
+Security/Injection/CommandInjection/CommandInjection.ql
diff --git a/python/ql/test/query-tests/Security/CWE-079/Jinja2WithoutEscaping.qlref b/python/ql/test/query-tests/Security/CWE-079/Jinja2WithoutEscaping.qlref
index 9fefcf4a030..4cdcd0c5567 100644
--- a/python/ql/test/query-tests/Security/CWE-079/Jinja2WithoutEscaping.qlref
+++ b/python/ql/test/query-tests/Security/CWE-079/Jinja2WithoutEscaping.qlref
@@ -1 +1 @@
-Security/CWE-079/Jinja2WithoutEscaping.ql
+Security/BadPractice/Jinja2RenderWithoutEscape/Jinja2WithoutEscaping.ql
diff --git a/python/ql/test/query-tests/Security/CWE-079/ReflectedXss.qlref b/python/ql/test/query-tests/Security/CWE-079/ReflectedXss.qlref
index e0efe102416..d92b3d701d5 100644
--- a/python/ql/test/query-tests/Security/CWE-079/ReflectedXss.qlref
+++ b/python/ql/test/query-tests/Security/CWE-079/ReflectedXss.qlref
@@ -1 +1 @@
-Security/CWE-079/ReflectedXss.ql
+Security/Injection/ReflectedXss/ReflectedXss.ql
diff --git a/python/ql/test/query-tests/Security/CWE-089/SqlInjection.qlref b/python/ql/test/query-tests/Security/CWE-089/SqlInjection.qlref
index d1d02cbe8d3..c2d12830195 100644
--- a/python/ql/test/query-tests/Security/CWE-089/SqlInjection.qlref
+++ b/python/ql/test/query-tests/Security/CWE-089/SqlInjection.qlref
@@ -1 +1 @@
-Security/CWE-089/SqlInjection.ql
+Security/Injection/SqlInjection/SqlInjection.ql
diff --git a/python/ql/test/query-tests/Security/CWE-094/CodeInjection.qlref b/python/ql/test/query-tests/Security/CWE-094/CodeInjection.qlref
index fe9adbf3b64..f912faeb71a 100644
--- a/python/ql/test/query-tests/Security/CWE-094/CodeInjection.qlref
+++ b/python/ql/test/query-tests/Security/CWE-094/CodeInjection.qlref
@@ -1 +1 @@
-Security/CWE-094/CodeInjection.ql
+Security/Injection/CodeInjection/CodeInjection.ql
diff --git a/python/ql/test/query-tests/Security/CWE-209/StackTraceExposure.qlref b/python/ql/test/query-tests/Security/CWE-209/StackTraceExposure.qlref
index 18cf2d49a1a..927502b954c 100644
--- a/python/ql/test/query-tests/Security/CWE-209/StackTraceExposure.qlref
+++ b/python/ql/test/query-tests/Security/CWE-209/StackTraceExposure.qlref
@@ -1 +1 @@
-Security/CWE-209/StackTraceExposure.ql
+Security/Exposure/StackTraceExposure/StackTraceExposure.ql
diff --git a/python/ql/test/query-tests/Security/CWE-215/FlaskDebug.qlref b/python/ql/test/query-tests/Security/CWE-215/FlaskDebug.qlref
index 0e21a3ac14f..67a0f7a60de 100644
--- a/python/ql/test/query-tests/Security/CWE-215/FlaskDebug.qlref
+++ b/python/ql/test/query-tests/Security/CWE-215/FlaskDebug.qlref
@@ -1 +1 @@
-Security/CWE-215/FlaskDebug.ql
+Security/BadPractice/FlaskRunWithDebug/FlaskDebug.ql
diff --git a/python/ql/test/query-tests/Security/CWE-295/MissingHostKeyValidation.qlref b/python/ql/test/query-tests/Security/CWE-295/MissingHostKeyValidation.qlref
index c366095516a..174098ffea7 100644
--- a/python/ql/test/query-tests/Security/CWE-295/MissingHostKeyValidation.qlref
+++ b/python/ql/test/query-tests/Security/CWE-295/MissingHostKeyValidation.qlref
@@ -1 +1 @@
-Security/CWE-295/MissingHostKeyValidation.ql
+Security/BadPractice/SSHMissingHostKeyValidation/SSHMissingHostKeyValidation.ql
diff --git a/python/ql/test/query-tests/Security/CWE-295/RequestWithoutValidation.qlref b/python/ql/test/query-tests/Security/CWE-295/RequestWithoutValidation.qlref
index 7ad4d4d2ae3..c8e27ca0561 100644
--- a/python/ql/test/query-tests/Security/CWE-295/RequestWithoutValidation.qlref
+++ b/python/ql/test/query-tests/Security/CWE-295/RequestWithoutValidation.qlref
@@ -1 +1 @@
-Security/CWE-295/RequestWithoutValidation.ql
+Security/BadPractice/HTTPSRequestWithoutCertValidation/HTTPSRequestWithoutCertValidation.ql
diff --git a/python/ql/test/query-tests/Security/CWE-312/CleartextLogging.qlref b/python/ql/test/query-tests/Security/CWE-312/CleartextLogging.qlref
index de9273391c8..176057d5c62 100644
--- a/python/ql/test/query-tests/Security/CWE-312/CleartextLogging.qlref
+++ b/python/ql/test/query-tests/Security/CWE-312/CleartextLogging.qlref
@@ -1 +1 @@
-Security/CWE-312/CleartextLogging.ql
\ No newline at end of file
+Security/Exposure/SensitiveDataExposure/CleartextLogging.ql
\ No newline at end of file
diff --git a/python/ql/test/query-tests/Security/CWE-312/CleartextStorage.qlref b/python/ql/test/query-tests/Security/CWE-312/CleartextStorage.qlref
index a32206e8d6a..1feacb96d8c 100644
--- a/python/ql/test/query-tests/Security/CWE-312/CleartextStorage.qlref
+++ b/python/ql/test/query-tests/Security/CWE-312/CleartextStorage.qlref
@@ -1 +1 @@
-Security/CWE-312/CleartextStorage.ql
\ No newline at end of file
+Security/Exposure/SensitiveDataExposure/CleartextStorage.ql
\ No newline at end of file
diff --git a/python/ql/test/query-tests/Security/CWE-326/WeakCrypto.qlref b/python/ql/test/query-tests/Security/CWE-326/WeakCrypto.qlref
index 75676139ac3..18cfd5a12bc 100644
--- a/python/ql/test/query-tests/Security/CWE-326/WeakCrypto.qlref
+++ b/python/ql/test/query-tests/Security/CWE-326/WeakCrypto.qlref
@@ -1 +1 @@
-Security/CWE-326/WeakCrypto.ql
+Security/Crypto/WeakCryptoKey/WeakCryptoKey.ql
diff --git a/python/ql/test/query-tests/Security/CWE-327/BrokenCryptoAlgorithm.qlref b/python/ql/test/query-tests/Security/CWE-327/BrokenCryptoAlgorithm.qlref
index 3f7aff53700..4fb0ce84c4d 100644
--- a/python/ql/test/query-tests/Security/CWE-327/BrokenCryptoAlgorithm.qlref
+++ b/python/ql/test/query-tests/Security/CWE-327/BrokenCryptoAlgorithm.qlref
@@ -1 +1 @@
-Security/CWE-327/BrokenCryptoAlgorithm.ql
+Security/Crypto/WeakCryptoAlgorithm/WeakCryptoAlgorithm.ql
diff --git a/python/ql/test/query-tests/Security/CWE-327/InsecureDefaultProtocol.qlref b/python/ql/test/query-tests/Security/CWE-327/InsecureDefaultProtocol.qlref
index 13599b14931..899586366e8 100644
--- a/python/ql/test/query-tests/Security/CWE-327/InsecureDefaultProtocol.qlref
+++ b/python/ql/test/query-tests/Security/CWE-327/InsecureDefaultProtocol.qlref
@@ -1 +1 @@
-Security/CWE-327/InsecureDefaultProtocol.ql
+Security/Crypto/TLS/InsecureDefaultProtocol.ql
diff --git a/python/ql/test/query-tests/Security/CWE-327/InsecureProtocol.qlref b/python/ql/test/query-tests/Security/CWE-327/InsecureProtocol.qlref
index c06a937ff57..8225a5c47ef 100644
--- a/python/ql/test/query-tests/Security/CWE-327/InsecureProtocol.qlref
+++ b/python/ql/test/query-tests/Security/CWE-327/InsecureProtocol.qlref
@@ -1 +1 @@
-Security/CWE-327/InsecureProtocol.ql
+Security/Crypto/TLS/InsecureProtocol.ql
diff --git a/python/ql/test/query-tests/Security/CWE-377/InsecureTemporaryFile.qlref b/python/ql/test/query-tests/Security/CWE-377/InsecureTemporaryFile.qlref
index 68a27dfb269..ee6d466921c 100644
--- a/python/ql/test/query-tests/Security/CWE-377/InsecureTemporaryFile.qlref
+++ b/python/ql/test/query-tests/Security/CWE-377/InsecureTemporaryFile.qlref
@@ -1 +1 @@
-Security/CWE-377/InsecureTemporaryFile.ql
+Security/BadPractice/InsecureTemporaryFile/InsecureTemporaryFile.ql
diff --git a/python/ql/test/query-tests/Security/CWE-502/UnsafeDeserialization.qlref b/python/ql/test/query-tests/Security/CWE-502/UnsafeDeserialization.qlref
index fa9c0ceb3cb..49f13932a15 100644
--- a/python/ql/test/query-tests/Security/CWE-502/UnsafeDeserialization.qlref
+++ b/python/ql/test/query-tests/Security/CWE-502/UnsafeDeserialization.qlref
@@ -1 +1 @@
-Security/CWE-502/UnsafeDeserialization.ql
+Security/Injection/UnsafeDeserialization/UnsafeDeserialization.ql
diff --git a/python/ql/test/query-tests/Security/CWE-601/UrlRedirect.qlref b/python/ql/test/query-tests/Security/CWE-601/UrlRedirect.qlref
index 8b63d80f0db..ce10eb1f21a 100644
--- a/python/ql/test/query-tests/Security/CWE-601/UrlRedirect.qlref
+++ b/python/ql/test/query-tests/Security/CWE-601/UrlRedirect.qlref
@@ -1,2 +1,2 @@
-Security/CWE-601/UrlRedirect.ql
+Security/Injection/OpenRedirect/OpenRedirect.ql
 
diff --git a/python/ql/test/query-tests/Security/CWE-732/WeakFilePermissions.qlref b/python/ql/test/query-tests/Security/CWE-732/WeakFilePermissions.qlref
index 9e177187c49..8a8619a4a2d 100644
--- a/python/ql/test/query-tests/Security/CWE-732/WeakFilePermissions.qlref
+++ b/python/ql/test/query-tests/Security/CWE-732/WeakFilePermissions.qlref
@@ -1 +1 @@
-Security/CWE-732/WeakFilePermissions.ql
+Security/BadPractice/WeakFilePermissions/WeakFilePermissions.ql
diff --git a/python/ql/test/query-tests/Security/CWE-798/HardcodedCredentials.qlref b/python/ql/test/query-tests/Security/CWE-798/HardcodedCredentials.qlref
index 0d0fafa271c..9ced1d74449 100644
--- a/python/ql/test/query-tests/Security/CWE-798/HardcodedCredentials.qlref
+++ b/python/ql/test/query-tests/Security/CWE-798/HardcodedCredentials.qlref
@@ -1 +1 @@
-Security/CWE-798/HardcodedCredentials.ql
\ No newline at end of file
+Security/BadPractice/HardcodedCredentials/HardcodedCredentials.ql
\ No newline at end of file

From 86268d49ed9749a68db6a7e35d96268d0c31885b Mon Sep 17 00:00:00 2001
From: Cornelius Riemenschneider <criemen@github.com>
Date: Tue, 16 Feb 2021 11:10:57 +0000
Subject: [PATCH 392/429] C++: Refactor StdContainer.qll.

---
 .../models/implementations/StdContainer.qll   | 117 ++++++++++++++++--
 1 file changed, 105 insertions(+), 12 deletions(-)

diff --git a/cpp/ql/src/semmle/code/cpp/models/implementations/StdContainer.qll b/cpp/ql/src/semmle/code/cpp/models/implementations/StdContainer.qll
index e7abde30e8c..497d828fd03 100644
--- a/cpp/ql/src/semmle/code/cpp/models/implementations/StdContainer.qll
+++ b/cpp/ql/src/semmle/code/cpp/models/implementations/StdContainer.qll
@@ -5,6 +5,41 @@
 import semmle.code.cpp.models.interfaces.Taint
 import semmle.code.cpp.models.interfaces.Iterator
 
+/**
+ * The `std::array` template class.
+ */
+private class Array extends Class {
+  Array() { this.hasQualifiedName(["std", "bsl"], "array") }
+}
+
+/**
+ * The `std::deque` template class.
+ */
+private class Deque extends Class {
+  Deque() { this.hasQualifiedName(["std", "bsl"], "deque") }
+}
+
+/**
+ * The `std::forward_list` template class.
+ */
+private class ForwardList extends Class {
+  ForwardList() { this.hasQualifiedName(["std", "bsl"], "forward_list") }
+}
+
+/**
+ * The `std::list` template class.
+ */
+private class List extends Class {
+  List() { this.hasQualifiedName(["std", "bsl"], "list") }
+}
+
+/**
+ * The `std::vector` template class.
+ */
+private class Vector extends Class {
+  Vector() { this.hasQualifiedName(["std", "bsl"], "vector") }
+}
+
 /**
  * Additional model for standard container constructors that reference the
  * value type of the container (that is, the `T` in `std::vector<T>`).  For
@@ -15,7 +50,10 @@ import semmle.code.cpp.models.interfaces.Iterator
  */
 private class StdSequenceContainerConstructor extends Constructor, TaintFunction {
   StdSequenceContainerConstructor() {
-    this.getDeclaringType().hasQualifiedName("std", ["vector", "deque", "list", "forward_list"])
+    this.getDeclaringType() instanceof Vector or
+    this.getDeclaringType() instanceof Deque or
+    this.getDeclaringType() instanceof List or
+    this.getDeclaringType() instanceof ForwardList
   }
 
   /**
@@ -50,7 +88,13 @@ private class StdSequenceContainerConstructor extends Constructor, TaintFunction
  * The standard container function `data`.
  */
 private class StdSequenceContainerData extends TaintFunction {
-  StdSequenceContainerData() { this.hasQualifiedName("std", ["array", "vector"], "data") }
+  StdSequenceContainerData() {
+    this.hasName("data") and
+    (
+      this.getDeclaringType() instanceof Vector or
+      this.getDeclaringType() instanceof Array
+    )
+  }
 
   override predicate hasTaintFlow(FunctionInput input, FunctionOutput output) {
     // flow from container itself (qualifier) to return value
@@ -69,8 +113,19 @@ private class StdSequenceContainerData extends TaintFunction {
  */
 private class StdSequenceContainerPush extends TaintFunction {
   StdSequenceContainerPush() {
-    this.hasQualifiedName("std", ["vector", "deque", "list"], "push_back") or
-    this.hasQualifiedName("std", ["deque", "list", "forward_list"], "push_front")
+    this.hasName("push_back") and
+    (
+      this.getDeclaringType() instanceof Array or
+      this.getDeclaringType() instanceof Deque or
+      this.getDeclaringType() instanceof List
+    )
+    or
+    this.hasName("push_front") and
+    (
+      this.getDeclaringType() instanceof Deque or
+      this.getDeclaringType() instanceof ForwardList or
+      this.getDeclaringType() instanceof List
+    )
   }
 
   override predicate hasTaintFlow(FunctionInput input, FunctionOutput output) {
@@ -85,8 +140,22 @@ private class StdSequenceContainerPush extends TaintFunction {
  */
 private class StdSequenceContainerFrontBack extends TaintFunction {
   StdSequenceContainerFrontBack() {
-    this.hasQualifiedName("std", ["array", "vector", "deque", "list", "forward_list"], "front") or
-    this.hasQualifiedName("std", ["array", "vector", "deque", "list"], "back")
+    this.hasName("front") and
+    (
+      this.getDeclaringType() instanceof Array or
+      this.getDeclaringType() instanceof Deque or
+      this.getDeclaringType() instanceof ForwardList or
+      this.getDeclaringType() instanceof List or
+      this.getDeclaringType() instanceof Vector
+    )
+    or
+    this.hasName("back") and
+    (
+      this.getDeclaringType() instanceof Array or
+      this.getDeclaringType() instanceof Deque or
+      this.getDeclaringType() instanceof List or
+      this.getDeclaringType() instanceof Vector
+    )
   }
 
   override predicate hasTaintFlow(FunctionInput input, FunctionOutput output) {
@@ -101,8 +170,15 @@ private class StdSequenceContainerFrontBack extends TaintFunction {
  */
 private class StdSequenceContainerInsert extends TaintFunction {
   StdSequenceContainerInsert() {
-    this.hasQualifiedName("std", ["vector", "deque", "list"], "insert") or
-    this.hasQualifiedName("std", "forward_list", "insert_after")
+    this.hasName("insert") and
+    (
+      this.getDeclaringType() instanceof Deque or
+      this.getDeclaringType() instanceof List or
+      this.getDeclaringType() instanceof Vector
+    )
+    or
+    this.hasName("insert_after") and
+    this.getDeclaringType() instanceof ForwardList
   }
 
   /**
@@ -138,7 +214,13 @@ private class StdSequenceContainerInsert extends TaintFunction {
  */
 private class StdSequenceContainerAssign extends TaintFunction {
   StdSequenceContainerAssign() {
-    this.hasQualifiedName("std", ["vector", "deque", "list", "forward_list"], "assign")
+    this.hasName("assign") and
+    (
+      this.getDeclaringType() instanceof Deque or
+      this.getDeclaringType() instanceof ForwardList or
+      this.getDeclaringType() instanceof List or
+      this.getDeclaringType() instanceof Vector
+    )
   }
 
   /**
@@ -170,7 +252,12 @@ private class StdSequenceContainerAssign extends TaintFunction {
  */
 private class StdSequenceContainerAt extends TaintFunction {
   StdSequenceContainerAt() {
-    this.hasQualifiedName("std", ["vector", "array", "deque"], ["at", "operator[]"])
+    this.hasName(["at", "operator[]"]) and
+    (
+      this.getDeclaringType() instanceof Array or
+      this.getDeclaringType() instanceof Deque or
+      this.getDeclaringType() instanceof Vector
+    )
   }
 
   override predicate hasTaintFlow(FunctionInput input, FunctionOutput output) {
@@ -188,7 +275,10 @@ private class StdSequenceContainerAt extends TaintFunction {
  * The standard vector `emplace` function.
  */
 class StdVectorEmplace extends TaintFunction {
-  StdVectorEmplace() { this.hasQualifiedName("std", "vector", "emplace") }
+  StdVectorEmplace() {
+    this.hasName("emplace") and
+    this.getDeclaringType() instanceof Vector
+  }
 
   override predicate hasTaintFlow(FunctionInput input, FunctionOutput output) {
     // flow from any parameter except the position iterator to qualifier and return value
@@ -205,7 +295,10 @@ class StdVectorEmplace extends TaintFunction {
  * The standard vector `emplace_back` function.
  */
 class StdVectorEmplaceBack extends TaintFunction {
-  StdVectorEmplaceBack() { this.hasQualifiedName("std", "vector", "emplace_back") }
+  StdVectorEmplaceBack() {
+    this.hasName("emplace_back") and
+    this.getDeclaringType() instanceof Vector
+  }
 
   override predicate hasTaintFlow(FunctionInput input, FunctionOutput output) {
     // flow from any parameter to qualifier

From b25f1fd44acf9fc677beb4065f13917d6aa8e5d6 Mon Sep 17 00:00:00 2001
From: Cornelius Riemenschneider <criemen@github.com>
Date: Tue, 16 Feb 2021 11:37:43 +0000
Subject: [PATCH 393/429] C++: Address review.

---
 .../models/implementations/StdContainer.qll   | 88 +++++--------------
 1 file changed, 24 insertions(+), 64 deletions(-)

diff --git a/cpp/ql/src/semmle/code/cpp/models/implementations/StdContainer.qll b/cpp/ql/src/semmle/code/cpp/models/implementations/StdContainer.qll
index 497d828fd03..f416d8e9810 100644
--- a/cpp/ql/src/semmle/code/cpp/models/implementations/StdContainer.qll
+++ b/cpp/ql/src/semmle/code/cpp/models/implementations/StdContainer.qll
@@ -89,11 +89,8 @@ private class StdSequenceContainerConstructor extends Constructor, TaintFunction
  */
 private class StdSequenceContainerData extends TaintFunction {
   StdSequenceContainerData() {
-    this.hasName("data") and
-    (
-      this.getDeclaringType() instanceof Vector or
-      this.getDeclaringType() instanceof Array
-    )
+    this.getClassAndName("data") instanceof Array or
+    this.getClassAndName("data") instanceof Vector
   }
 
   override predicate hasTaintFlow(FunctionInput input, FunctionOutput output) {
@@ -113,19 +110,10 @@ private class StdSequenceContainerData extends TaintFunction {
  */
 private class StdSequenceContainerPush extends TaintFunction {
   StdSequenceContainerPush() {
-    this.hasName("push_back") and
-    (
-      this.getDeclaringType() instanceof Array or
-      this.getDeclaringType() instanceof Deque or
-      this.getDeclaringType() instanceof List
-    )
-    or
-    this.hasName("push_front") and
-    (
-      this.getDeclaringType() instanceof Deque or
-      this.getDeclaringType() instanceof ForwardList or
-      this.getDeclaringType() instanceof List
-    )
+    this.getClassAndName("push_back") instanceof Array or
+    this.getClassAndName(["push_back", "push_front"]) instanceof Deque or
+    this.getClassAndName("push_front") instanceof ForwardList or
+    this.getClassAndName("push_back") instanceof List or
   }
 
   override predicate hasTaintFlow(FunctionInput input, FunctionOutput output) {
@@ -140,22 +128,11 @@ private class StdSequenceContainerPush extends TaintFunction {
  */
 private class StdSequenceContainerFrontBack extends TaintFunction {
   StdSequenceContainerFrontBack() {
-    this.hasName("front") and
-    (
-      this.getDeclaringType() instanceof Array or
-      this.getDeclaringType() instanceof Deque or
-      this.getDeclaringType() instanceof ForwardList or
-      this.getDeclaringType() instanceof List or
-      this.getDeclaringType() instanceof Vector
-    )
-    or
-    this.hasName("back") and
-    (
-      this.getDeclaringType() instanceof Array or
-      this.getDeclaringType() instanceof Deque or
-      this.getDeclaringType() instanceof List or
-      this.getDeclaringType() instanceof Vector
-    )
+    this.getClassAndName(["front", "back"]) instanceof Array or
+    this.getClassAndName(["front", "back"]) instanceof Deque or
+    this.getClassAndName("front") instanceof ForwardList or
+    this.getClassAndName(["front", "back"]) instanceof List or
+    this.getClassAndName(["front", "back"]) instanceof Vector
   }
 
   override predicate hasTaintFlow(FunctionInput input, FunctionOutput output) {
@@ -170,15 +147,10 @@ private class StdSequenceContainerFrontBack extends TaintFunction {
  */
 private class StdSequenceContainerInsert extends TaintFunction {
   StdSequenceContainerInsert() {
-    this.hasName("insert") and
-    (
-      this.getDeclaringType() instanceof Deque or
-      this.getDeclaringType() instanceof List or
-      this.getDeclaringType() instanceof Vector
-    )
-    or
-    this.hasName("insert_after") and
-    this.getDeclaringType() instanceof ForwardList
+    this.getClassAndName("insert") instanceof Deque or
+    this.getClassAndName("insert") instanceof List or
+    this.getClassAndName("insert") instanceof Vector or
+    this.getClassAndName("insert_after") instanceof ForwardList
   }
 
   /**
@@ -214,13 +186,10 @@ private class StdSequenceContainerInsert extends TaintFunction {
  */
 private class StdSequenceContainerAssign extends TaintFunction {
   StdSequenceContainerAssign() {
-    this.hasName("assign") and
-    (
-      this.getDeclaringType() instanceof Deque or
-      this.getDeclaringType() instanceof ForwardList or
-      this.getDeclaringType() instanceof List or
-      this.getDeclaringType() instanceof Vector
-    )
+    this.getClassAndName("assign") instanceof Deque or
+    this.getClassAndName("assign") instanceof ForwardList or
+    this.getClassAndName("assign") instanceof List or
+    this.getClassAndName("assign") instanceof Vector
   }
 
   /**
@@ -252,12 +221,9 @@ private class StdSequenceContainerAssign extends TaintFunction {
  */
 private class StdSequenceContainerAt extends TaintFunction {
   StdSequenceContainerAt() {
-    this.hasName(["at", "operator[]"]) and
-    (
-      this.getDeclaringType() instanceof Array or
-      this.getDeclaringType() instanceof Deque or
-      this.getDeclaringType() instanceof Vector
-    )
+    this.getClassAndName(["at", "operator[]"]) instanceof Array or
+    this.getClassAndName(["at", "operator[]"]) instanceof Deque or
+    this.getClassAndName(["at", "operator[]"]) instanceof Vector
   }
 
   override predicate hasTaintFlow(FunctionInput input, FunctionOutput output) {
@@ -275,10 +241,7 @@ private class StdSequenceContainerAt extends TaintFunction {
  * The standard vector `emplace` function.
  */
 class StdVectorEmplace extends TaintFunction {
-  StdVectorEmplace() {
-    this.hasName("emplace") and
-    this.getDeclaringType() instanceof Vector
-  }
+  StdVectorEmplace() { this.getClassAndName("emplace") instanceof Vector }
 
   override predicate hasTaintFlow(FunctionInput input, FunctionOutput output) {
     // flow from any parameter except the position iterator to qualifier and return value
@@ -295,10 +258,7 @@ class StdVectorEmplace extends TaintFunction {
  * The standard vector `emplace_back` function.
  */
 class StdVectorEmplaceBack extends TaintFunction {
-  StdVectorEmplaceBack() {
-    this.hasName("emplace_back") and
-    this.getDeclaringType() instanceof Vector
-  }
+  StdVectorEmplaceBack() { this.getClassAndName("emplace_back") instanceof Vector }
 
   override predicate hasTaintFlow(FunctionInput input, FunctionOutput output) {
     // flow from any parameter to qualifier

From 5dc57e9cc297e57aaa0ba829f9ee575e71b974c6 Mon Sep 17 00:00:00 2001
From: Cornelius Riemenschneider <criemen@github.com>
Date: Tue, 16 Feb 2021 11:49:44 +0000
Subject: [PATCH 394/429] C++: Address review.

---
 cpp/ql/src/semmle/code/cpp/Declaration.qll                | 4 ++--
 .../src/semmle/code/cpp/models/implementations/Pure.qll   | 8 ++++----
 2 files changed, 6 insertions(+), 6 deletions(-)

diff --git a/cpp/ql/src/semmle/code/cpp/Declaration.qll b/cpp/ql/src/semmle/code/cpp/Declaration.qll
index 1f488bfeb5f..7ac79fd99c1 100644
--- a/cpp/ql/src/semmle/code/cpp/Declaration.qll
+++ b/cpp/ql/src/semmle/code/cpp/Declaration.qll
@@ -142,9 +142,9 @@ class Declaration extends Locatable, @declaration {
   /**
    * Holds if this declaration has the given name in the global namespace,
    * the `std` namespace or the `bsl` namespace.
-   * We treat `std` and `bsl` as the same in a bunch of our models.
+   * We treat `std` and `bsl` as the same in some of our models.
    */
-  predicate hasGlobalOrStdishName(string name) {
+  predicate hasGlobalOrStdOrBslName(string name) {
     this.hasGlobalName(name)
     or
     this.hasQualifiedName("std", "", name)
diff --git a/cpp/ql/src/semmle/code/cpp/models/implementations/Pure.qll b/cpp/ql/src/semmle/code/cpp/models/implementations/Pure.qll
index 4682032f284..d81ac80deb8 100644
--- a/cpp/ql/src/semmle/code/cpp/models/implementations/Pure.qll
+++ b/cpp/ql/src/semmle/code/cpp/models/implementations/Pure.qll
@@ -7,7 +7,7 @@ import semmle.code.cpp.models.interfaces.SideEffect
 private class PureStrFunction extends AliasFunction, ArrayFunction, TaintFunction,
   SideEffectFunction {
   PureStrFunction() {
-    hasGlobalOrStdishName([
+    hasGlobalOrStdOrBslName([
         atoi(), "strcasestr", "strchnul", "strchr", "strchrnul", "strstr", "strpbrk", "strrchr",
         "strspn", strtol(), strrev(), strcmp(), strlwr(), strupr()
       ])
@@ -92,7 +92,7 @@ private string strcmp() {
 /** String standard `strlen` function, and related functions for computing string lengths. */
 private class StrLenFunction extends AliasFunction, ArrayFunction, SideEffectFunction {
   StrLenFunction() {
-    hasGlobalOrStdishName(["strlen", "strnlen", "wcslen"])
+    hasGlobalOrStdOrBslName(["strlen", "strnlen", "wcslen"])
     or
     hasGlobalName(["_mbslen", "_mbslen_l", "_mbstrlen", "_mbstrlen_l"])
   }
@@ -125,7 +125,7 @@ private class StrLenFunction extends AliasFunction, ArrayFunction, SideEffectFun
 
 /** Pure functions. */
 private class PureFunction extends TaintFunction, SideEffectFunction {
-  PureFunction() { hasGlobalOrStdishName(["abs", "labs"]) }
+  PureFunction() { hasGlobalOrStdOrBslName(["abs", "labs"]) }
 
   override predicate hasTaintFlow(FunctionInput input, FunctionOutput output) {
     exists(ParameterIndex i |
@@ -144,7 +144,7 @@ private class PureFunction extends TaintFunction, SideEffectFunction {
 private class PureMemFunction extends AliasFunction, ArrayFunction, TaintFunction,
   SideEffectFunction {
   PureMemFunction() {
-    hasGlobalOrStdishName([
+    hasGlobalOrStdOrBslName([
         "memchr", "__builtin_memchr", "memrchr", "rawmemchr", "memcmp", "__builtin_memcmp", "memmem"
       ]) or
     this.hasGlobalName("memfrob")

From a42700f09e96d479941d58acdc4d95338d816dc9 Mon Sep 17 00:00:00 2001
From: Cornelius Riemenschneider <criemen@github.com>
Date: Tue, 16 Feb 2021 11:52:39 +0000
Subject: [PATCH 395/429] C++: Address review.

---
 .../cpp/models/implementations/StdMap.qll     | 33 ++++---------------
 1 file changed, 7 insertions(+), 26 deletions(-)

diff --git a/cpp/ql/src/semmle/code/cpp/models/implementations/StdMap.qll b/cpp/ql/src/semmle/code/cpp/models/implementations/StdMap.qll
index 6925fb110fc..ae3fab9f077 100644
--- a/cpp/ql/src/semmle/code/cpp/models/implementations/StdMap.qll
+++ b/cpp/ql/src/semmle/code/cpp/models/implementations/StdMap.qll
@@ -41,8 +41,7 @@ private class StdMapConstructor extends Constructor, TaintFunction {
  */
 private class StdMapInsert extends TaintFunction {
   StdMapInsert() {
-    this.hasName(["insert", "insert_or_assign"]) and
-    this.getDeclaringType() instanceof MapOrUnorderedMap
+    this.getClassAndName(["insert", "insert_or_assign"]) instanceof MapOrUnorderedMap
   }
 
   override predicate hasTaintFlow(FunctionInput input, FunctionOutput output) {
@@ -60,10 +59,7 @@ private class StdMapInsert extends TaintFunction {
  * The standard map `emplace` and `emplace_hint` functions.
  */
 private class StdMapEmplace extends TaintFunction {
-  StdMapEmplace() {
-    this.hasName(["emplace", "emplace_hint"]) and
-    this.getDeclaringType() instanceof MapOrUnorderedMap
-  }
+  StdMapEmplace() { this.getClassAndName(["emplace", "emplace_hint"]) instanceof MapOrUnorderedMap }
 
   override predicate hasTaintFlow(FunctionInput input, FunctionOutput output) {
     // flow from the last parameter (which may be the value part used to
@@ -85,10 +81,7 @@ private class StdMapEmplace extends TaintFunction {
  * The standard map `try_emplace` function.
  */
 private class StdMapTryEmplace extends TaintFunction {
-  StdMapTryEmplace() {
-    this.hasName("try_emplace") and
-    this.getDeclaringType() instanceof MapOrUnorderedMap
-  }
+  StdMapTryEmplace() { this.getClassAndName("try_emplace") instanceof MapOrUnorderedMap }
 
   override predicate hasTaintFlow(FunctionInput input, FunctionOutput output) {
     // flow from any parameter apart from the key to qualifier and return value
@@ -115,10 +108,7 @@ private class StdMapTryEmplace extends TaintFunction {
  * The standard map `merge` function.
  */
 private class StdMapMerge extends TaintFunction {
-  StdMapMerge() {
-    this.hasName("merge") and
-    this.getDeclaringType() instanceof MapOrUnorderedMap
-  }
+  StdMapMerge() { this.getClassAndName("merge") instanceof MapOrUnorderedMap }
 
   override predicate hasTaintFlow(FunctionInput input, FunctionOutput output) {
     // container1.merge(container2)
@@ -131,10 +121,7 @@ private class StdMapMerge extends TaintFunction {
  * The standard map functions `at` and `operator[]`.
  */
 private class StdMapAt extends TaintFunction {
-  StdMapAt() {
-    this.hasName(["at", "operator[]"]) and
-    this.getDeclaringType() instanceof MapOrUnorderedMap
-  }
+  StdMapAt() { this.getClassAndName(["at", "operator[]"]) instanceof MapOrUnorderedMap }
 
   override predicate hasTaintFlow(FunctionInput input, FunctionOutput output) {
     // flow from qualifier to referenced return value
@@ -151,10 +138,7 @@ private class StdMapAt extends TaintFunction {
  * The standard map `find` function.
  */
 private class StdMapFind extends TaintFunction {
-  StdMapFind() {
-    this.hasName("find") and
-    this.getDeclaringType() instanceof MapOrUnorderedMap
-  }
+  StdMapFind() { this.getClassAndName("find") instanceof MapOrUnorderedMap }
 
   override predicate hasTaintFlow(FunctionInput input, FunctionOutput output) {
     input.isQualifierObject() and
@@ -166,10 +150,7 @@ private class StdMapFind extends TaintFunction {
  * The standard map `erase` function.
  */
 private class StdMapErase extends TaintFunction {
-  StdMapErase() {
-    this.hasName("erase") and
-    this.getDeclaringType() instanceof MapOrUnorderedMap
-  }
+  StdMapErase() { this.getCLassAndName("erase") instanceof MapOrUnorderedMap }
 
   override predicate hasTaintFlow(FunctionInput input, FunctionOutput output) {
     // flow from qualifier to iterator return value

From 30659f3ecf7ae2ecf9c470b51c6ea464d9b1f729 Mon Sep 17 00:00:00 2001
From: Cornelius Riemenschneider <criemen@github.com>
Date: Tue, 16 Feb 2021 11:54:21 +0000
Subject: [PATCH 396/429] C++: Address review.

---
 cpp/ql/src/semmle/code/cpp/Declaration.qll           |  4 ++--
 cpp/ql/src/semmle/code/cpp/commons/Scanf.qll         | 12 ++++++------
 .../code/cpp/models/implementations/Printf.qll       |  8 ++++----
 .../code/cpp/models/implementations/Strcat.qll       |  2 +-
 .../code/cpp/models/implementations/Strcpy.qll       |  2 +-
 .../code/cpp/models/implementations/Strtok.qll       |  2 +-
 6 files changed, 15 insertions(+), 15 deletions(-)

diff --git a/cpp/ql/src/semmle/code/cpp/Declaration.qll b/cpp/ql/src/semmle/code/cpp/Declaration.qll
index 1f488bfeb5f..7ac79fd99c1 100644
--- a/cpp/ql/src/semmle/code/cpp/Declaration.qll
+++ b/cpp/ql/src/semmle/code/cpp/Declaration.qll
@@ -142,9 +142,9 @@ class Declaration extends Locatable, @declaration {
   /**
    * Holds if this declaration has the given name in the global namespace,
    * the `std` namespace or the `bsl` namespace.
-   * We treat `std` and `bsl` as the same in a bunch of our models.
+   * We treat `std` and `bsl` as the same in some of our models.
    */
-  predicate hasGlobalOrStdishName(string name) {
+  predicate hasGlobalOrStdOrBslName(string name) {
     this.hasGlobalName(name)
     or
     this.hasQualifiedName("std", "", name)
diff --git a/cpp/ql/src/semmle/code/cpp/commons/Scanf.qll b/cpp/ql/src/semmle/code/cpp/commons/Scanf.qll
index aec047cea6b..461030f389d 100644
--- a/cpp/ql/src/semmle/code/cpp/commons/Scanf.qll
+++ b/cpp/ql/src/semmle/code/cpp/commons/Scanf.qll
@@ -34,8 +34,8 @@ class Scanf extends ScanfFunction {
   Scanf() {
     this instanceof TopLevelFunction and
     (
-      hasGlobalOrStdishName("scanf") or // scanf(format, args...)
-      hasGlobalOrStdishName("wscanf") or // wscanf(format, args...)
+      hasGlobalOrStdOrBslName("scanf") or // scanf(format, args...)
+      hasGlobalOrStdOrBslName("wscanf") or // wscanf(format, args...)
       hasGlobalName("_scanf_l") or // _scanf_l(format, locale, args...)
       hasGlobalName("_wscanf_l") // _wscanf_l(format, locale, args...)
     )
@@ -53,8 +53,8 @@ class Fscanf extends ScanfFunction {
   Fscanf() {
     this instanceof TopLevelFunction and
     (
-      hasGlobalOrStdishName("fscanf") or // fscanf(src_stream, format, args...)
-      hasGlobalOrStdishName("fwscanf") or // fwscanf(src_stream, format, args...)
+      hasGlobalOrStdOrBslName("fscanf") or // fscanf(src_stream, format, args...)
+      hasGlobalOrStdOrBslName("fwscanf") or // fwscanf(src_stream, format, args...)
       hasGlobalName("_fscanf_l") or // _fscanf_l(src_stream, format, locale, args...)
       hasGlobalName("_fwscanf_l") // _fwscanf_l(src_stream, format, locale, args...)
     )
@@ -72,8 +72,8 @@ class Sscanf extends ScanfFunction {
   Sscanf() {
     this instanceof TopLevelFunction and
     (
-      hasGlobalOrStdishName("sscanf") or // sscanf(src_stream, format, args...)
-      hasGlobalOrStdishName("swscanf") or // swscanf(src, format, args...)
+      hasGlobalOrStdOrBslName("sscanf") or // sscanf(src_stream, format, args...)
+      hasGlobalOrStdOrBslName("swscanf") or // swscanf(src, format, args...)
       hasGlobalName("_sscanf_l") or // _sscanf_l(src, format, locale, args...)
       hasGlobalName("_swscanf_l") // _swscanf_l(src, format, locale, args...)
     )
diff --git a/cpp/ql/src/semmle/code/cpp/models/implementations/Printf.qll b/cpp/ql/src/semmle/code/cpp/models/implementations/Printf.qll
index f70493e9f83..ed201a14587 100644
--- a/cpp/ql/src/semmle/code/cpp/models/implementations/Printf.qll
+++ b/cpp/ql/src/semmle/code/cpp/models/implementations/Printf.qll
@@ -15,7 +15,7 @@ private class Printf extends FormattingFunction, AliasFunction {
   Printf() {
     this instanceof TopLevelFunction and
     (
-      hasGlobalOrStdishName(["printf", "wprintf"]) or
+      hasGlobalOrStdOrBslName(["printf", "wprintf"]) or
       hasGlobalName(["printf_s", "wprintf_s", "g_printf"])
     ) and
     not exists(getDefinition().getFile().getRelativePath())
@@ -41,7 +41,7 @@ private class Fprintf extends FormattingFunction {
   Fprintf() {
     this instanceof TopLevelFunction and
     (
-      hasGlobalOrStdishName(["fprintf", "fwprintf"]) or
+      hasGlobalOrStdOrBslName(["fprintf", "fwprintf"]) or
       hasGlobalName("g_fprintf")
     ) and
     not exists(getDefinition().getFile().getRelativePath())
@@ -61,7 +61,7 @@ private class Sprintf extends FormattingFunction {
   Sprintf() {
     this instanceof TopLevelFunction and
     (
-      hasGlobalOrStdishName([
+      hasGlobalOrStdOrBslName([
           "sprintf", // sprintf(dst, format, args...)
           "wsprintf" // wsprintf(dst, format, args...)
         ])
@@ -111,7 +111,7 @@ private class SnprintfImpl extends Snprintf {
   SnprintfImpl() {
     this instanceof TopLevelFunction and
     (
-      hasGlobalOrStdishName([
+      hasGlobalOrStdOrBslName([
           "snprintf", // C99 defines snprintf
           "swprintf" // The s version of wide-char printf is also always the n version
         ])
diff --git a/cpp/ql/src/semmle/code/cpp/models/implementations/Strcat.qll b/cpp/ql/src/semmle/code/cpp/models/implementations/Strcat.qll
index 6dbed650cfa..ee9af547582 100644
--- a/cpp/ql/src/semmle/code/cpp/models/implementations/Strcat.qll
+++ b/cpp/ql/src/semmle/code/cpp/models/implementations/Strcat.qll
@@ -13,7 +13,7 @@ import semmle.code.cpp.models.interfaces.SideEffect
  */
 class StrcatFunction extends TaintFunction, DataFlowFunction, ArrayFunction, SideEffectFunction {
   StrcatFunction() {
-    this.hasGlobalOrStdishName([
+    this.hasGlobalOrStdOrBslName([
         "strcat", // strcat(dst, src)
         "strncat", // strncat(dst, src, max_amount)
         "wcscat", // wcscat(dst, src)
diff --git a/cpp/ql/src/semmle/code/cpp/models/implementations/Strcpy.qll b/cpp/ql/src/semmle/code/cpp/models/implementations/Strcpy.qll
index 72f993b7a4a..432fbf999ef 100644
--- a/cpp/ql/src/semmle/code/cpp/models/implementations/Strcpy.qll
+++ b/cpp/ql/src/semmle/code/cpp/models/implementations/Strcpy.qll
@@ -13,7 +13,7 @@ import semmle.code.cpp.models.interfaces.SideEffect
  */
 class StrcpyFunction extends ArrayFunction, DataFlowFunction, TaintFunction, SideEffectFunction {
   StrcpyFunction() {
-    this.hasGlobalOrStdishName([
+    this.hasGlobalOrStdOrBslName([
         "strcpy", // strcpy(dst, src)
         "wcscpy", // wcscpy(dst, src)
         "strncpy", // strncpy(dst, src, max_amount)
diff --git a/cpp/ql/src/semmle/code/cpp/models/implementations/Strtok.qll b/cpp/ql/src/semmle/code/cpp/models/implementations/Strtok.qll
index 3b7e97a53d0..f2cb6498819 100644
--- a/cpp/ql/src/semmle/code/cpp/models/implementations/Strtok.qll
+++ b/cpp/ql/src/semmle/code/cpp/models/implementations/Strtok.qll
@@ -15,7 +15,7 @@ import semmle.code.cpp.models.interfaces.Taint
  */
 private class Strtok extends ArrayFunction, AliasFunction, TaintFunction, SideEffectFunction {
   Strtok() {
-    this.hasGlobalOrStdishName("strtok") or
+    this.hasGlobalOrStdOrBslName("strtok") or
     this.hasGlobalName(["strtok_r", "_strtok_l", "wcstok", "_wcstok_l", "_mbstok", "_mbstok_l"])
   }
 

From 3f17171f13d33fc7d0ddbfefd4f0ef12014e57be Mon Sep 17 00:00:00 2001
From: Cornelius Riemenschneider <criemen@github.com>
Date: Tue, 16 Feb 2021 11:55:03 +0000
Subject: [PATCH 397/429] C++: Address review.

---
 cpp/ql/src/semmle/code/cpp/Declaration.qll                   | 4 ++--
 cpp/ql/src/semmle/code/cpp/models/implementations/Memset.qll | 2 +-
 2 files changed, 3 insertions(+), 3 deletions(-)

diff --git a/cpp/ql/src/semmle/code/cpp/Declaration.qll b/cpp/ql/src/semmle/code/cpp/Declaration.qll
index 1f488bfeb5f..7ac79fd99c1 100644
--- a/cpp/ql/src/semmle/code/cpp/Declaration.qll
+++ b/cpp/ql/src/semmle/code/cpp/Declaration.qll
@@ -142,9 +142,9 @@ class Declaration extends Locatable, @declaration {
   /**
    * Holds if this declaration has the given name in the global namespace,
    * the `std` namespace or the `bsl` namespace.
-   * We treat `std` and `bsl` as the same in a bunch of our models.
+   * We treat `std` and `bsl` as the same in some of our models.
    */
-  predicate hasGlobalOrStdishName(string name) {
+  predicate hasGlobalOrStdOrBslName(string name) {
     this.hasGlobalName(name)
     or
     this.hasQualifiedName("std", "", name)
diff --git a/cpp/ql/src/semmle/code/cpp/models/implementations/Memset.qll b/cpp/ql/src/semmle/code/cpp/models/implementations/Memset.qll
index 5e3f446713f..d646be0363d 100644
--- a/cpp/ql/src/semmle/code/cpp/models/implementations/Memset.qll
+++ b/cpp/ql/src/semmle/code/cpp/models/implementations/Memset.qll
@@ -15,7 +15,7 @@ import semmle.code.cpp.models.interfaces.SideEffect
 private class MemsetFunction extends ArrayFunction, DataFlowFunction, AliasFunction,
   SideEffectFunction {
   MemsetFunction() {
-    this.hasGlobalOrStdishName("memset")
+    this.hasGlobalOrStdOrBslName("memset")
     or
     this.hasGlobalOrStdName("wmemset")
     or

From 8494fcf45fcb7c21abbd5640cc28106b85afc653 Mon Sep 17 00:00:00 2001
From: Rasmus Wriedt Larsen <rasmuswl@github.com>
Date: Tue, 16 Feb 2021 13:15:01 +0100
Subject: [PATCH 398/429] Python: Move query tests to reflect new file layout

---
 .../ExternalAPIs}/ExternalAPIsUsedWithUntrustedData.expected     | 0
 .../ExternalAPIs}/ExternalAPIsUsedWithUntrustedData.qlref        | 0
 .../ExternalAPIs}/UntrustedDataToExternalAPI.expected            | 0
 .../ExternalAPIs}/UntrustedDataToExternalAPI.qlref               | 0
 .../{Security/CWE-020-ExternalAPIs => POI/ExternalAPIs}/test.py  | 0
 .../BindToAllInterfaces}/BindToAllInterfaces.expected            | 0
 .../BindToAllInterfaces}/BindToAllInterfaces.qlref               | 0
 .../BindToAllInterfaces}/BindToAllInterfaces_test.py             | 0
 .../{CVE-2018-1281 => BadPractice/BindToAllInterfaces}/options   | 0
 .../FlaskRunWithDebug}/FlaskDebug.expected                       | 0
 .../{CWE-215 => BadPractice/FlaskRunWithDebug}/FlaskDebug.qlref  | 0
 .../query-tests/Security/BadPractice/FlaskRunWithDebug/options   | 1 +
 .../Security/{CWE-215 => BadPractice/FlaskRunWithDebug}/test.py  | 0
 .../RequestWithoutValidation.expected                            | 0
 .../RequestWithoutValidation.qlref                               | 0
 .../HTTPSRequestWithoutCertValidation}/make_request.py           | 0
 .../BadPractice/HTTPSRequestWithoutCertValidation/options        | 1 +
 .../HardcodedCredentials}/HardcodedCredentials.expected          | 0
 .../HardcodedCredentials}/HardcodedCredentials.qlref             | 0
 .../{CWE-798 => BadPractice/HardcodedCredentials}/test.py        | 0
 .../IncompleteUrlSanitizer}/IncompleteHostnameRegExp.expected    | 0
 .../IncompleteUrlSanitizer}/IncompleteHostnameRegExp.qlref       | 0
 .../IncompleteUrlSubstringSanitization.expected                  | 0
 .../IncompleteUrlSubstringSanitization.qlref                     | 0
 .../{CWE-020 => BadPractice/IncompleteUrlSanitizer}/hosttest.py  | 0
 .../{CWE-020 => BadPractice/IncompleteUrlSanitizer}/urltest.py   | 0
 .../InsecureTemporaryFile}/InsecureTemporaryFile.expected        | 0
 .../InsecureTemporaryFile}/InsecureTemporaryFile.py              | 0
 .../InsecureTemporaryFile}/InsecureTemporaryFile.qlref           | 0
 .../InsecureTemporaryFile}/SecureTemporaryFile.py                | 0
 .../Security/BadPractice/InsecureTemporaryFile/options           | 1 +
 .../Jinja2RenderWithoutEscape}/Jinja2WithoutEscaping.expected    | 0
 .../Jinja2RenderWithoutEscape}/Jinja2WithoutEscaping.qlref       | 0
 .../Jinja2RenderWithoutEscape}/jinja2_escaping.py                | 0
 .../Jinja2RenderWithoutEscape}/options                           | 0
 .../MissingHostKeyValidation.expected                            | 0
 .../SSHMissingHostKeyValidation}/MissingHostKeyValidation.qlref  | 0
 .../Security/BadPractice/SSHMissingHostKeyValidation/options     | 1 +
 .../SSHMissingHostKeyValidation}/paramiko_host_key.py            | 0
 .../WeakFilePermissions}/WeakFilePermissions.expected            | 0
 .../WeakFilePermissions}/WeakFilePermissions.qlref               | 0
 .../query-tests/Security/BadPractice/WeakFilePermissions/options | 1 +
 .../{CWE-732 => BadPractice/WeakFilePermissions}/test.py         | 0
 python/ql/test/query-tests/Security/CWE-079/options              | 1 -
 python/ql/test/query-tests/Security/CWE-209/options              | 1 -
 python/ql/test/query-tests/Security/CWE-215/options              | 1 -
 python/ql/test/query-tests/Security/CWE-295/options              | 1 -
 python/ql/test/query-tests/Security/CWE-312/options              | 1 -
 python/ql/test/query-tests/Security/CWE-326/options              | 1 -
 python/ql/test/query-tests/Security/CWE-327/options              | 1 -
 python/ql/test/query-tests/Security/CWE-377/options              | 1 -
 python/ql/test/query-tests/Security/CWE-601/options              | 1 -
 python/ql/test/query-tests/Security/CWE-732/options              | 1 -
 .../{CWE-327 => Crypto/TLS}/InsecureDefaultProtocol.expected     | 0
 .../{CWE-327 => Crypto/TLS}/InsecureDefaultProtocol.qlref        | 0
 .../Security/{CWE-327 => Crypto/TLS}/InsecureProtocol.expected   | 0
 .../Security/{CWE-327 => Crypto/TLS}/InsecureProtocol.py         | 0
 .../Security/{CWE-327 => Crypto/TLS}/InsecureProtocol.qlref      | 0
 python/ql/test/query-tests/Security/Crypto/TLS/options           | 1 +
 .../WeakCryptoAlgorithm}/BrokenCryptoAlgorithm.expected          | 0
 .../WeakCryptoAlgorithm}/BrokenCryptoAlgorithm.qlref             | 0
 .../{CWE-327 => Crypto/WeakCryptoAlgorithm}/TestNode.expected    | 0
 .../Security/{CWE-327 => Crypto/WeakCryptoAlgorithm}/TestNode.ql | 0
 .../test/query-tests/Security/Crypto/WeakCryptoAlgorithm/options | 1 +
 .../{CWE-327 => Crypto/WeakCryptoAlgorithm}/test_cryptography.py | 0
 .../{CWE-327 => Crypto/WeakCryptoAlgorithm}/test_pycrypto.py     | 0
 .../{CWE-326 => Crypto/WeakCryptoKey}/WeakCrypto.expected        | 0
 .../Security/{CWE-326 => Crypto/WeakCryptoKey}/WeakCrypto.qlref  | 0
 python/ql/test/query-tests/Security/Crypto/WeakCryptoKey/options | 1 +
 .../Security/{CWE-326 => Crypto/WeakCryptoKey}/weak_crypto.py    | 0
 .../SensitiveDataExposure}/CleartextLogging.expected             | 0
 .../SensitiveDataExposure}/CleartextLogging.qlref                | 0
 .../SensitiveDataExposure}/CleartextStorage.expected             | 0
 .../SensitiveDataExposure}/CleartextStorage.qlref                | 0
 .../query-tests/Security/Exposure/SensitiveDataExposure/options  | 1 +
 .../SensitiveDataExposure}/password_in_cookie.py                 | 0
 .../Security/{CWE-312 => Exposure/SensitiveDataExposure}/test.py | 0
 .../StackTraceExposure}/StackTraceExposure.expected              | 0
 .../StackTraceExposure}/StackTraceExposure.qlref                 | 0
 .../query-tests/Security/Exposure/StackTraceExposure/options     | 1 +
 .../Security/{CWE-209 => Exposure/StackTraceExposure}/test.py    | 0
 .../{CWE-094 => Injection/CodeInjection}/CodeInjection.expected  | 0
 .../{CWE-094 => Injection/CodeInjection}/CodeInjection.qlref     | 0
 .../{CWE-094 => Injection/CodeInjection}/code_injection.py       | 0
 .../CommandInjection-py2}/CommandInjection.expected              | 0
 .../CommandInjection-py2}/CommandInjection.qlref                 | 0
 .../CommandInjection-py2}/command_injection.py                   | 0
 .../{CWE-078-py2 => Injection/CommandInjection-py2}/options      | 0
 .../CommandInjection}/CommandInjection.expected                  | 0
 .../CommandInjection}/CommandInjection.qlref                     | 0
 .../{CWE-078 => Injection/CommandInjection}/command_injection.py | 0
 .../Security/{CWE-078 => Injection/CommandInjection}/options     | 0
 .../{CWE-601 => Injection/OpenRedirect}/UrlRedirect.expected     | 0
 .../{CWE-601 => Injection/OpenRedirect}/UrlRedirect.qlref        | 0
 .../ql/test/query-tests/Security/Injection/OpenRedirect/options  | 1 +
 .../Security/{CWE-601 => Injection/OpenRedirect}/test.py         | 0
 .../{CWE-079 => Injection/ReflectedXss}/ReflectedXss.expected    | 0
 .../{CWE-079 => Injection/ReflectedXss}/ReflectedXss.qlref       | 0
 .../{CWE-079 => Injection/ReflectedXss}/reflected_xss.py         | 0
 .../{CWE-089 => Injection/SqlInjection}/SqlInjection.expected    | 0
 .../{CWE-089 => Injection/SqlInjection}/SqlInjection.qlref       | 0
 .../{CWE-089 => Injection/SqlInjection}/sql_injection.py         | 0
 .../TarSlip/PathInjection}/PathInjection.expected                | 0
 .../TarSlip/PathInjection}/PathInjection.qlref                   | 0
 .../TarSlip/PathInjection}/path_injection.py                     | 0
 .../TarSlip/PathInjection}/test.py                               | 0
 .../TarSlip/PathInjection}/test_chaining.py                      | 0
 .../{CWE-022-TarSlip => Injection/TarSlip}/TarSlip.expected      | 0
 .../{CWE-022-TarSlip => Injection/TarSlip}/TarSlip.qlref         | 0
 python/ql/test/query-tests/Security/Injection/TarSlip/options    | 1 +
 .../Security/{CWE-022-TarSlip => Injection/TarSlip}/tarslip.py   | 0
 .../UnsafeDeserialization}/UnsafeDeserialization.expected        | 0
 .../UnsafeDeserialization}/UnsafeDeserialization.qlref           | 0
 .../UnsafeDeserialization}/unsafe_deserialization.py             | 0
 114 files changed, 12 insertions(+), 10 deletions(-)
 rename python/ql/test/query-tests/{Security/CWE-020-ExternalAPIs => POI/ExternalAPIs}/ExternalAPIsUsedWithUntrustedData.expected (100%)
 rename python/ql/test/query-tests/{Security/CWE-020-ExternalAPIs => POI/ExternalAPIs}/ExternalAPIsUsedWithUntrustedData.qlref (100%)
 rename python/ql/test/query-tests/{Security/CWE-020-ExternalAPIs => POI/ExternalAPIs}/UntrustedDataToExternalAPI.expected (100%)
 rename python/ql/test/query-tests/{Security/CWE-020-ExternalAPIs => POI/ExternalAPIs}/UntrustedDataToExternalAPI.qlref (100%)
 rename python/ql/test/query-tests/{Security/CWE-020-ExternalAPIs => POI/ExternalAPIs}/test.py (100%)
 rename python/ql/test/query-tests/Security/{CVE-2018-1281 => BadPractice/BindToAllInterfaces}/BindToAllInterfaces.expected (100%)
 rename python/ql/test/query-tests/Security/{CVE-2018-1281 => BadPractice/BindToAllInterfaces}/BindToAllInterfaces.qlref (100%)
 rename python/ql/test/query-tests/Security/{CVE-2018-1281 => BadPractice/BindToAllInterfaces}/BindToAllInterfaces_test.py (100%)
 rename python/ql/test/query-tests/Security/{CVE-2018-1281 => BadPractice/BindToAllInterfaces}/options (100%)
 rename python/ql/test/query-tests/Security/{CWE-215 => BadPractice/FlaskRunWithDebug}/FlaskDebug.expected (100%)
 rename python/ql/test/query-tests/Security/{CWE-215 => BadPractice/FlaskRunWithDebug}/FlaskDebug.qlref (100%)
 create mode 100644 python/ql/test/query-tests/Security/BadPractice/FlaskRunWithDebug/options
 rename python/ql/test/query-tests/Security/{CWE-215 => BadPractice/FlaskRunWithDebug}/test.py (100%)
 rename python/ql/test/query-tests/Security/{CWE-295 => BadPractice/HTTPSRequestWithoutCertValidation}/RequestWithoutValidation.expected (100%)
 rename python/ql/test/query-tests/Security/{CWE-295 => BadPractice/HTTPSRequestWithoutCertValidation}/RequestWithoutValidation.qlref (100%)
 rename python/ql/test/query-tests/Security/{CWE-295 => BadPractice/HTTPSRequestWithoutCertValidation}/make_request.py (100%)
 create mode 100644 python/ql/test/query-tests/Security/BadPractice/HTTPSRequestWithoutCertValidation/options
 rename python/ql/test/query-tests/Security/{CWE-798 => BadPractice/HardcodedCredentials}/HardcodedCredentials.expected (100%)
 rename python/ql/test/query-tests/Security/{CWE-798 => BadPractice/HardcodedCredentials}/HardcodedCredentials.qlref (100%)
 rename python/ql/test/query-tests/Security/{CWE-798 => BadPractice/HardcodedCredentials}/test.py (100%)
 rename python/ql/test/query-tests/Security/{CWE-020 => BadPractice/IncompleteUrlSanitizer}/IncompleteHostnameRegExp.expected (100%)
 rename python/ql/test/query-tests/Security/{CWE-020 => BadPractice/IncompleteUrlSanitizer}/IncompleteHostnameRegExp.qlref (100%)
 rename python/ql/test/query-tests/Security/{CWE-020 => BadPractice/IncompleteUrlSanitizer}/IncompleteUrlSubstringSanitization.expected (100%)
 rename python/ql/test/query-tests/Security/{CWE-020 => BadPractice/IncompleteUrlSanitizer}/IncompleteUrlSubstringSanitization.qlref (100%)
 rename python/ql/test/query-tests/Security/{CWE-020 => BadPractice/IncompleteUrlSanitizer}/hosttest.py (100%)
 rename python/ql/test/query-tests/Security/{CWE-020 => BadPractice/IncompleteUrlSanitizer}/urltest.py (100%)
 rename python/ql/test/query-tests/Security/{CWE-377 => BadPractice/InsecureTemporaryFile}/InsecureTemporaryFile.expected (100%)
 rename python/ql/test/query-tests/Security/{CWE-377 => BadPractice/InsecureTemporaryFile}/InsecureTemporaryFile.py (100%)
 rename python/ql/test/query-tests/Security/{CWE-377 => BadPractice/InsecureTemporaryFile}/InsecureTemporaryFile.qlref (100%)
 rename python/ql/test/query-tests/Security/{CWE-377 => BadPractice/InsecureTemporaryFile}/SecureTemporaryFile.py (100%)
 create mode 100644 python/ql/test/query-tests/Security/BadPractice/InsecureTemporaryFile/options
 rename python/ql/test/query-tests/Security/{CWE-079 => BadPractice/Jinja2RenderWithoutEscape}/Jinja2WithoutEscaping.expected (100%)
 rename python/ql/test/query-tests/Security/{CWE-079 => BadPractice/Jinja2RenderWithoutEscape}/Jinja2WithoutEscaping.qlref (100%)
 rename python/ql/test/query-tests/Security/{CWE-079 => BadPractice/Jinja2RenderWithoutEscape}/jinja2_escaping.py (100%)
 rename python/ql/test/query-tests/Security/{CWE-022-TarSlip => BadPractice/Jinja2RenderWithoutEscape}/options (100%)
 rename python/ql/test/query-tests/Security/{CWE-295 => BadPractice/SSHMissingHostKeyValidation}/MissingHostKeyValidation.expected (100%)
 rename python/ql/test/query-tests/Security/{CWE-295 => BadPractice/SSHMissingHostKeyValidation}/MissingHostKeyValidation.qlref (100%)
 create mode 100644 python/ql/test/query-tests/Security/BadPractice/SSHMissingHostKeyValidation/options
 rename python/ql/test/query-tests/Security/{CWE-295 => BadPractice/SSHMissingHostKeyValidation}/paramiko_host_key.py (100%)
 rename python/ql/test/query-tests/Security/{CWE-732 => BadPractice/WeakFilePermissions}/WeakFilePermissions.expected (100%)
 rename python/ql/test/query-tests/Security/{CWE-732 => BadPractice/WeakFilePermissions}/WeakFilePermissions.qlref (100%)
 create mode 100644 python/ql/test/query-tests/Security/BadPractice/WeakFilePermissions/options
 rename python/ql/test/query-tests/Security/{CWE-732 => BadPractice/WeakFilePermissions}/test.py (100%)
 delete mode 100644 python/ql/test/query-tests/Security/CWE-079/options
 delete mode 100644 python/ql/test/query-tests/Security/CWE-209/options
 delete mode 100644 python/ql/test/query-tests/Security/CWE-215/options
 delete mode 100644 python/ql/test/query-tests/Security/CWE-295/options
 delete mode 100644 python/ql/test/query-tests/Security/CWE-312/options
 delete mode 100644 python/ql/test/query-tests/Security/CWE-326/options
 delete mode 100644 python/ql/test/query-tests/Security/CWE-327/options
 delete mode 100644 python/ql/test/query-tests/Security/CWE-377/options
 delete mode 100644 python/ql/test/query-tests/Security/CWE-601/options
 delete mode 100644 python/ql/test/query-tests/Security/CWE-732/options
 rename python/ql/test/query-tests/Security/{CWE-327 => Crypto/TLS}/InsecureDefaultProtocol.expected (100%)
 rename python/ql/test/query-tests/Security/{CWE-327 => Crypto/TLS}/InsecureDefaultProtocol.qlref (100%)
 rename python/ql/test/query-tests/Security/{CWE-327 => Crypto/TLS}/InsecureProtocol.expected (100%)
 rename python/ql/test/query-tests/Security/{CWE-327 => Crypto/TLS}/InsecureProtocol.py (100%)
 rename python/ql/test/query-tests/Security/{CWE-327 => Crypto/TLS}/InsecureProtocol.qlref (100%)
 create mode 100644 python/ql/test/query-tests/Security/Crypto/TLS/options
 rename python/ql/test/query-tests/Security/{CWE-327 => Crypto/WeakCryptoAlgorithm}/BrokenCryptoAlgorithm.expected (100%)
 rename python/ql/test/query-tests/Security/{CWE-327 => Crypto/WeakCryptoAlgorithm}/BrokenCryptoAlgorithm.qlref (100%)
 rename python/ql/test/query-tests/Security/{CWE-327 => Crypto/WeakCryptoAlgorithm}/TestNode.expected (100%)
 rename python/ql/test/query-tests/Security/{CWE-327 => Crypto/WeakCryptoAlgorithm}/TestNode.ql (100%)
 create mode 100644 python/ql/test/query-tests/Security/Crypto/WeakCryptoAlgorithm/options
 rename python/ql/test/query-tests/Security/{CWE-327 => Crypto/WeakCryptoAlgorithm}/test_cryptography.py (100%)
 rename python/ql/test/query-tests/Security/{CWE-327 => Crypto/WeakCryptoAlgorithm}/test_pycrypto.py (100%)
 rename python/ql/test/query-tests/Security/{CWE-326 => Crypto/WeakCryptoKey}/WeakCrypto.expected (100%)
 rename python/ql/test/query-tests/Security/{CWE-326 => Crypto/WeakCryptoKey}/WeakCrypto.qlref (100%)
 create mode 100644 python/ql/test/query-tests/Security/Crypto/WeakCryptoKey/options
 rename python/ql/test/query-tests/Security/{CWE-326 => Crypto/WeakCryptoKey}/weak_crypto.py (100%)
 rename python/ql/test/query-tests/Security/{CWE-312 => Exposure/SensitiveDataExposure}/CleartextLogging.expected (100%)
 rename python/ql/test/query-tests/Security/{CWE-312 => Exposure/SensitiveDataExposure}/CleartextLogging.qlref (100%)
 rename python/ql/test/query-tests/Security/{CWE-312 => Exposure/SensitiveDataExposure}/CleartextStorage.expected (100%)
 rename python/ql/test/query-tests/Security/{CWE-312 => Exposure/SensitiveDataExposure}/CleartextStorage.qlref (100%)
 create mode 100644 python/ql/test/query-tests/Security/Exposure/SensitiveDataExposure/options
 rename python/ql/test/query-tests/Security/{CWE-312 => Exposure/SensitiveDataExposure}/password_in_cookie.py (100%)
 rename python/ql/test/query-tests/Security/{CWE-312 => Exposure/SensitiveDataExposure}/test.py (100%)
 rename python/ql/test/query-tests/Security/{CWE-209 => Exposure/StackTraceExposure}/StackTraceExposure.expected (100%)
 rename python/ql/test/query-tests/Security/{CWE-209 => Exposure/StackTraceExposure}/StackTraceExposure.qlref (100%)
 create mode 100644 python/ql/test/query-tests/Security/Exposure/StackTraceExposure/options
 rename python/ql/test/query-tests/Security/{CWE-209 => Exposure/StackTraceExposure}/test.py (100%)
 rename python/ql/test/query-tests/Security/{CWE-094 => Injection/CodeInjection}/CodeInjection.expected (100%)
 rename python/ql/test/query-tests/Security/{CWE-094 => Injection/CodeInjection}/CodeInjection.qlref (100%)
 rename python/ql/test/query-tests/Security/{CWE-094 => Injection/CodeInjection}/code_injection.py (100%)
 rename python/ql/test/query-tests/Security/{CWE-078-py2 => Injection/CommandInjection-py2}/CommandInjection.expected (100%)
 rename python/ql/test/query-tests/Security/{CWE-078-py2 => Injection/CommandInjection-py2}/CommandInjection.qlref (100%)
 rename python/ql/test/query-tests/Security/{CWE-078-py2 => Injection/CommandInjection-py2}/command_injection.py (100%)
 rename python/ql/test/query-tests/Security/{CWE-078-py2 => Injection/CommandInjection-py2}/options (100%)
 rename python/ql/test/query-tests/Security/{CWE-078 => Injection/CommandInjection}/CommandInjection.expected (100%)
 rename python/ql/test/query-tests/Security/{CWE-078 => Injection/CommandInjection}/CommandInjection.qlref (100%)
 rename python/ql/test/query-tests/Security/{CWE-078 => Injection/CommandInjection}/command_injection.py (100%)
 rename python/ql/test/query-tests/Security/{CWE-078 => Injection/CommandInjection}/options (100%)
 rename python/ql/test/query-tests/Security/{CWE-601 => Injection/OpenRedirect}/UrlRedirect.expected (100%)
 rename python/ql/test/query-tests/Security/{CWE-601 => Injection/OpenRedirect}/UrlRedirect.qlref (100%)
 create mode 100644 python/ql/test/query-tests/Security/Injection/OpenRedirect/options
 rename python/ql/test/query-tests/Security/{CWE-601 => Injection/OpenRedirect}/test.py (100%)
 rename python/ql/test/query-tests/Security/{CWE-079 => Injection/ReflectedXss}/ReflectedXss.expected (100%)
 rename python/ql/test/query-tests/Security/{CWE-079 => Injection/ReflectedXss}/ReflectedXss.qlref (100%)
 rename python/ql/test/query-tests/Security/{CWE-079 => Injection/ReflectedXss}/reflected_xss.py (100%)
 rename python/ql/test/query-tests/Security/{CWE-089 => Injection/SqlInjection}/SqlInjection.expected (100%)
 rename python/ql/test/query-tests/Security/{CWE-089 => Injection/SqlInjection}/SqlInjection.qlref (100%)
 rename python/ql/test/query-tests/Security/{CWE-089 => Injection/SqlInjection}/sql_injection.py (100%)
 rename python/ql/test/query-tests/Security/{CWE-022-PathInjection => Injection/TarSlip/PathInjection}/PathInjection.expected (100%)
 rename python/ql/test/query-tests/Security/{CWE-022-PathInjection => Injection/TarSlip/PathInjection}/PathInjection.qlref (100%)
 rename python/ql/test/query-tests/Security/{CWE-022-PathInjection => Injection/TarSlip/PathInjection}/path_injection.py (100%)
 rename python/ql/test/query-tests/Security/{CWE-022-PathInjection => Injection/TarSlip/PathInjection}/test.py (100%)
 rename python/ql/test/query-tests/Security/{CWE-022-PathInjection => Injection/TarSlip/PathInjection}/test_chaining.py (100%)
 rename python/ql/test/query-tests/Security/{CWE-022-TarSlip => Injection/TarSlip}/TarSlip.expected (100%)
 rename python/ql/test/query-tests/Security/{CWE-022-TarSlip => Injection/TarSlip}/TarSlip.qlref (100%)
 create mode 100644 python/ql/test/query-tests/Security/Injection/TarSlip/options
 rename python/ql/test/query-tests/Security/{CWE-022-TarSlip => Injection/TarSlip}/tarslip.py (100%)
 rename python/ql/test/query-tests/Security/{CWE-502 => Injection/UnsafeDeserialization}/UnsafeDeserialization.expected (100%)
 rename python/ql/test/query-tests/Security/{CWE-502 => Injection/UnsafeDeserialization}/UnsafeDeserialization.qlref (100%)
 rename python/ql/test/query-tests/Security/{CWE-502 => Injection/UnsafeDeserialization}/unsafe_deserialization.py (100%)

diff --git a/python/ql/test/query-tests/Security/CWE-020-ExternalAPIs/ExternalAPIsUsedWithUntrustedData.expected b/python/ql/test/query-tests/POI/ExternalAPIs/ExternalAPIsUsedWithUntrustedData.expected
similarity index 100%
rename from python/ql/test/query-tests/Security/CWE-020-ExternalAPIs/ExternalAPIsUsedWithUntrustedData.expected
rename to python/ql/test/query-tests/POI/ExternalAPIs/ExternalAPIsUsedWithUntrustedData.expected
diff --git a/python/ql/test/query-tests/Security/CWE-020-ExternalAPIs/ExternalAPIsUsedWithUntrustedData.qlref b/python/ql/test/query-tests/POI/ExternalAPIs/ExternalAPIsUsedWithUntrustedData.qlref
similarity index 100%
rename from python/ql/test/query-tests/Security/CWE-020-ExternalAPIs/ExternalAPIsUsedWithUntrustedData.qlref
rename to python/ql/test/query-tests/POI/ExternalAPIs/ExternalAPIsUsedWithUntrustedData.qlref
diff --git a/python/ql/test/query-tests/Security/CWE-020-ExternalAPIs/UntrustedDataToExternalAPI.expected b/python/ql/test/query-tests/POI/ExternalAPIs/UntrustedDataToExternalAPI.expected
similarity index 100%
rename from python/ql/test/query-tests/Security/CWE-020-ExternalAPIs/UntrustedDataToExternalAPI.expected
rename to python/ql/test/query-tests/POI/ExternalAPIs/UntrustedDataToExternalAPI.expected
diff --git a/python/ql/test/query-tests/Security/CWE-020-ExternalAPIs/UntrustedDataToExternalAPI.qlref b/python/ql/test/query-tests/POI/ExternalAPIs/UntrustedDataToExternalAPI.qlref
similarity index 100%
rename from python/ql/test/query-tests/Security/CWE-020-ExternalAPIs/UntrustedDataToExternalAPI.qlref
rename to python/ql/test/query-tests/POI/ExternalAPIs/UntrustedDataToExternalAPI.qlref
diff --git a/python/ql/test/query-tests/Security/CWE-020-ExternalAPIs/test.py b/python/ql/test/query-tests/POI/ExternalAPIs/test.py
similarity index 100%
rename from python/ql/test/query-tests/Security/CWE-020-ExternalAPIs/test.py
rename to python/ql/test/query-tests/POI/ExternalAPIs/test.py
diff --git a/python/ql/test/query-tests/Security/CVE-2018-1281/BindToAllInterfaces.expected b/python/ql/test/query-tests/Security/BadPractice/BindToAllInterfaces/BindToAllInterfaces.expected
similarity index 100%
rename from python/ql/test/query-tests/Security/CVE-2018-1281/BindToAllInterfaces.expected
rename to python/ql/test/query-tests/Security/BadPractice/BindToAllInterfaces/BindToAllInterfaces.expected
diff --git a/python/ql/test/query-tests/Security/CVE-2018-1281/BindToAllInterfaces.qlref b/python/ql/test/query-tests/Security/BadPractice/BindToAllInterfaces/BindToAllInterfaces.qlref
similarity index 100%
rename from python/ql/test/query-tests/Security/CVE-2018-1281/BindToAllInterfaces.qlref
rename to python/ql/test/query-tests/Security/BadPractice/BindToAllInterfaces/BindToAllInterfaces.qlref
diff --git a/python/ql/test/query-tests/Security/CVE-2018-1281/BindToAllInterfaces_test.py b/python/ql/test/query-tests/Security/BadPractice/BindToAllInterfaces/BindToAllInterfaces_test.py
similarity index 100%
rename from python/ql/test/query-tests/Security/CVE-2018-1281/BindToAllInterfaces_test.py
rename to python/ql/test/query-tests/Security/BadPractice/BindToAllInterfaces/BindToAllInterfaces_test.py
diff --git a/python/ql/test/query-tests/Security/CVE-2018-1281/options b/python/ql/test/query-tests/Security/BadPractice/BindToAllInterfaces/options
similarity index 100%
rename from python/ql/test/query-tests/Security/CVE-2018-1281/options
rename to python/ql/test/query-tests/Security/BadPractice/BindToAllInterfaces/options
diff --git a/python/ql/test/query-tests/Security/CWE-215/FlaskDebug.expected b/python/ql/test/query-tests/Security/BadPractice/FlaskRunWithDebug/FlaskDebug.expected
similarity index 100%
rename from python/ql/test/query-tests/Security/CWE-215/FlaskDebug.expected
rename to python/ql/test/query-tests/Security/BadPractice/FlaskRunWithDebug/FlaskDebug.expected
diff --git a/python/ql/test/query-tests/Security/CWE-215/FlaskDebug.qlref b/python/ql/test/query-tests/Security/BadPractice/FlaskRunWithDebug/FlaskDebug.qlref
similarity index 100%
rename from python/ql/test/query-tests/Security/CWE-215/FlaskDebug.qlref
rename to python/ql/test/query-tests/Security/BadPractice/FlaskRunWithDebug/FlaskDebug.qlref
diff --git a/python/ql/test/query-tests/Security/BadPractice/FlaskRunWithDebug/options b/python/ql/test/query-tests/Security/BadPractice/FlaskRunWithDebug/options
new file mode 100644
index 00000000000..e552c11e561
--- /dev/null
+++ b/python/ql/test/query-tests/Security/BadPractice/FlaskRunWithDebug/options
@@ -0,0 +1 @@
+semmle-extractor-options: --max-import-depth=2 -p ../../lib
diff --git a/python/ql/test/query-tests/Security/CWE-215/test.py b/python/ql/test/query-tests/Security/BadPractice/FlaskRunWithDebug/test.py
similarity index 100%
rename from python/ql/test/query-tests/Security/CWE-215/test.py
rename to python/ql/test/query-tests/Security/BadPractice/FlaskRunWithDebug/test.py
diff --git a/python/ql/test/query-tests/Security/CWE-295/RequestWithoutValidation.expected b/python/ql/test/query-tests/Security/BadPractice/HTTPSRequestWithoutCertValidation/RequestWithoutValidation.expected
similarity index 100%
rename from python/ql/test/query-tests/Security/CWE-295/RequestWithoutValidation.expected
rename to python/ql/test/query-tests/Security/BadPractice/HTTPSRequestWithoutCertValidation/RequestWithoutValidation.expected
diff --git a/python/ql/test/query-tests/Security/CWE-295/RequestWithoutValidation.qlref b/python/ql/test/query-tests/Security/BadPractice/HTTPSRequestWithoutCertValidation/RequestWithoutValidation.qlref
similarity index 100%
rename from python/ql/test/query-tests/Security/CWE-295/RequestWithoutValidation.qlref
rename to python/ql/test/query-tests/Security/BadPractice/HTTPSRequestWithoutCertValidation/RequestWithoutValidation.qlref
diff --git a/python/ql/test/query-tests/Security/CWE-295/make_request.py b/python/ql/test/query-tests/Security/BadPractice/HTTPSRequestWithoutCertValidation/make_request.py
similarity index 100%
rename from python/ql/test/query-tests/Security/CWE-295/make_request.py
rename to python/ql/test/query-tests/Security/BadPractice/HTTPSRequestWithoutCertValidation/make_request.py
diff --git a/python/ql/test/query-tests/Security/BadPractice/HTTPSRequestWithoutCertValidation/options b/python/ql/test/query-tests/Security/BadPractice/HTTPSRequestWithoutCertValidation/options
new file mode 100644
index 00000000000..b7721e6c509
--- /dev/null
+++ b/python/ql/test/query-tests/Security/BadPractice/HTTPSRequestWithoutCertValidation/options
@@ -0,0 +1 @@
+semmle-extractor-options: -p ../../lib --max-import-depth=3
diff --git a/python/ql/test/query-tests/Security/CWE-798/HardcodedCredentials.expected b/python/ql/test/query-tests/Security/BadPractice/HardcodedCredentials/HardcodedCredentials.expected
similarity index 100%
rename from python/ql/test/query-tests/Security/CWE-798/HardcodedCredentials.expected
rename to python/ql/test/query-tests/Security/BadPractice/HardcodedCredentials/HardcodedCredentials.expected
diff --git a/python/ql/test/query-tests/Security/CWE-798/HardcodedCredentials.qlref b/python/ql/test/query-tests/Security/BadPractice/HardcodedCredentials/HardcodedCredentials.qlref
similarity index 100%
rename from python/ql/test/query-tests/Security/CWE-798/HardcodedCredentials.qlref
rename to python/ql/test/query-tests/Security/BadPractice/HardcodedCredentials/HardcodedCredentials.qlref
diff --git a/python/ql/test/query-tests/Security/CWE-798/test.py b/python/ql/test/query-tests/Security/BadPractice/HardcodedCredentials/test.py
similarity index 100%
rename from python/ql/test/query-tests/Security/CWE-798/test.py
rename to python/ql/test/query-tests/Security/BadPractice/HardcodedCredentials/test.py
diff --git a/python/ql/test/query-tests/Security/CWE-020/IncompleteHostnameRegExp.expected b/python/ql/test/query-tests/Security/BadPractice/IncompleteUrlSanitizer/IncompleteHostnameRegExp.expected
similarity index 100%
rename from python/ql/test/query-tests/Security/CWE-020/IncompleteHostnameRegExp.expected
rename to python/ql/test/query-tests/Security/BadPractice/IncompleteUrlSanitizer/IncompleteHostnameRegExp.expected
diff --git a/python/ql/test/query-tests/Security/CWE-020/IncompleteHostnameRegExp.qlref b/python/ql/test/query-tests/Security/BadPractice/IncompleteUrlSanitizer/IncompleteHostnameRegExp.qlref
similarity index 100%
rename from python/ql/test/query-tests/Security/CWE-020/IncompleteHostnameRegExp.qlref
rename to python/ql/test/query-tests/Security/BadPractice/IncompleteUrlSanitizer/IncompleteHostnameRegExp.qlref
diff --git a/python/ql/test/query-tests/Security/CWE-020/IncompleteUrlSubstringSanitization.expected b/python/ql/test/query-tests/Security/BadPractice/IncompleteUrlSanitizer/IncompleteUrlSubstringSanitization.expected
similarity index 100%
rename from python/ql/test/query-tests/Security/CWE-020/IncompleteUrlSubstringSanitization.expected
rename to python/ql/test/query-tests/Security/BadPractice/IncompleteUrlSanitizer/IncompleteUrlSubstringSanitization.expected
diff --git a/python/ql/test/query-tests/Security/CWE-020/IncompleteUrlSubstringSanitization.qlref b/python/ql/test/query-tests/Security/BadPractice/IncompleteUrlSanitizer/IncompleteUrlSubstringSanitization.qlref
similarity index 100%
rename from python/ql/test/query-tests/Security/CWE-020/IncompleteUrlSubstringSanitization.qlref
rename to python/ql/test/query-tests/Security/BadPractice/IncompleteUrlSanitizer/IncompleteUrlSubstringSanitization.qlref
diff --git a/python/ql/test/query-tests/Security/CWE-020/hosttest.py b/python/ql/test/query-tests/Security/BadPractice/IncompleteUrlSanitizer/hosttest.py
similarity index 100%
rename from python/ql/test/query-tests/Security/CWE-020/hosttest.py
rename to python/ql/test/query-tests/Security/BadPractice/IncompleteUrlSanitizer/hosttest.py
diff --git a/python/ql/test/query-tests/Security/CWE-020/urltest.py b/python/ql/test/query-tests/Security/BadPractice/IncompleteUrlSanitizer/urltest.py
similarity index 100%
rename from python/ql/test/query-tests/Security/CWE-020/urltest.py
rename to python/ql/test/query-tests/Security/BadPractice/IncompleteUrlSanitizer/urltest.py
diff --git a/python/ql/test/query-tests/Security/CWE-377/InsecureTemporaryFile.expected b/python/ql/test/query-tests/Security/BadPractice/InsecureTemporaryFile/InsecureTemporaryFile.expected
similarity index 100%
rename from python/ql/test/query-tests/Security/CWE-377/InsecureTemporaryFile.expected
rename to python/ql/test/query-tests/Security/BadPractice/InsecureTemporaryFile/InsecureTemporaryFile.expected
diff --git a/python/ql/test/query-tests/Security/CWE-377/InsecureTemporaryFile.py b/python/ql/test/query-tests/Security/BadPractice/InsecureTemporaryFile/InsecureTemporaryFile.py
similarity index 100%
rename from python/ql/test/query-tests/Security/CWE-377/InsecureTemporaryFile.py
rename to python/ql/test/query-tests/Security/BadPractice/InsecureTemporaryFile/InsecureTemporaryFile.py
diff --git a/python/ql/test/query-tests/Security/CWE-377/InsecureTemporaryFile.qlref b/python/ql/test/query-tests/Security/BadPractice/InsecureTemporaryFile/InsecureTemporaryFile.qlref
similarity index 100%
rename from python/ql/test/query-tests/Security/CWE-377/InsecureTemporaryFile.qlref
rename to python/ql/test/query-tests/Security/BadPractice/InsecureTemporaryFile/InsecureTemporaryFile.qlref
diff --git a/python/ql/test/query-tests/Security/CWE-377/SecureTemporaryFile.py b/python/ql/test/query-tests/Security/BadPractice/InsecureTemporaryFile/SecureTemporaryFile.py
similarity index 100%
rename from python/ql/test/query-tests/Security/CWE-377/SecureTemporaryFile.py
rename to python/ql/test/query-tests/Security/BadPractice/InsecureTemporaryFile/SecureTemporaryFile.py
diff --git a/python/ql/test/query-tests/Security/BadPractice/InsecureTemporaryFile/options b/python/ql/test/query-tests/Security/BadPractice/InsecureTemporaryFile/options
new file mode 100644
index 00000000000..b7721e6c509
--- /dev/null
+++ b/python/ql/test/query-tests/Security/BadPractice/InsecureTemporaryFile/options
@@ -0,0 +1 @@
+semmle-extractor-options: -p ../../lib --max-import-depth=3
diff --git a/python/ql/test/query-tests/Security/CWE-079/Jinja2WithoutEscaping.expected b/python/ql/test/query-tests/Security/BadPractice/Jinja2RenderWithoutEscape/Jinja2WithoutEscaping.expected
similarity index 100%
rename from python/ql/test/query-tests/Security/CWE-079/Jinja2WithoutEscaping.expected
rename to python/ql/test/query-tests/Security/BadPractice/Jinja2RenderWithoutEscape/Jinja2WithoutEscaping.expected
diff --git a/python/ql/test/query-tests/Security/CWE-079/Jinja2WithoutEscaping.qlref b/python/ql/test/query-tests/Security/BadPractice/Jinja2RenderWithoutEscape/Jinja2WithoutEscaping.qlref
similarity index 100%
rename from python/ql/test/query-tests/Security/CWE-079/Jinja2WithoutEscaping.qlref
rename to python/ql/test/query-tests/Security/BadPractice/Jinja2RenderWithoutEscape/Jinja2WithoutEscaping.qlref
diff --git a/python/ql/test/query-tests/Security/CWE-079/jinja2_escaping.py b/python/ql/test/query-tests/Security/BadPractice/Jinja2RenderWithoutEscape/jinja2_escaping.py
similarity index 100%
rename from python/ql/test/query-tests/Security/CWE-079/jinja2_escaping.py
rename to python/ql/test/query-tests/Security/BadPractice/Jinja2RenderWithoutEscape/jinja2_escaping.py
diff --git a/python/ql/test/query-tests/Security/CWE-022-TarSlip/options b/python/ql/test/query-tests/Security/BadPractice/Jinja2RenderWithoutEscape/options
similarity index 100%
rename from python/ql/test/query-tests/Security/CWE-022-TarSlip/options
rename to python/ql/test/query-tests/Security/BadPractice/Jinja2RenderWithoutEscape/options
diff --git a/python/ql/test/query-tests/Security/CWE-295/MissingHostKeyValidation.expected b/python/ql/test/query-tests/Security/BadPractice/SSHMissingHostKeyValidation/MissingHostKeyValidation.expected
similarity index 100%
rename from python/ql/test/query-tests/Security/CWE-295/MissingHostKeyValidation.expected
rename to python/ql/test/query-tests/Security/BadPractice/SSHMissingHostKeyValidation/MissingHostKeyValidation.expected
diff --git a/python/ql/test/query-tests/Security/CWE-295/MissingHostKeyValidation.qlref b/python/ql/test/query-tests/Security/BadPractice/SSHMissingHostKeyValidation/MissingHostKeyValidation.qlref
similarity index 100%
rename from python/ql/test/query-tests/Security/CWE-295/MissingHostKeyValidation.qlref
rename to python/ql/test/query-tests/Security/BadPractice/SSHMissingHostKeyValidation/MissingHostKeyValidation.qlref
diff --git a/python/ql/test/query-tests/Security/BadPractice/SSHMissingHostKeyValidation/options b/python/ql/test/query-tests/Security/BadPractice/SSHMissingHostKeyValidation/options
new file mode 100644
index 00000000000..b7721e6c509
--- /dev/null
+++ b/python/ql/test/query-tests/Security/BadPractice/SSHMissingHostKeyValidation/options
@@ -0,0 +1 @@
+semmle-extractor-options: -p ../../lib --max-import-depth=3
diff --git a/python/ql/test/query-tests/Security/CWE-295/paramiko_host_key.py b/python/ql/test/query-tests/Security/BadPractice/SSHMissingHostKeyValidation/paramiko_host_key.py
similarity index 100%
rename from python/ql/test/query-tests/Security/CWE-295/paramiko_host_key.py
rename to python/ql/test/query-tests/Security/BadPractice/SSHMissingHostKeyValidation/paramiko_host_key.py
diff --git a/python/ql/test/query-tests/Security/CWE-732/WeakFilePermissions.expected b/python/ql/test/query-tests/Security/BadPractice/WeakFilePermissions/WeakFilePermissions.expected
similarity index 100%
rename from python/ql/test/query-tests/Security/CWE-732/WeakFilePermissions.expected
rename to python/ql/test/query-tests/Security/BadPractice/WeakFilePermissions/WeakFilePermissions.expected
diff --git a/python/ql/test/query-tests/Security/CWE-732/WeakFilePermissions.qlref b/python/ql/test/query-tests/Security/BadPractice/WeakFilePermissions/WeakFilePermissions.qlref
similarity index 100%
rename from python/ql/test/query-tests/Security/CWE-732/WeakFilePermissions.qlref
rename to python/ql/test/query-tests/Security/BadPractice/WeakFilePermissions/WeakFilePermissions.qlref
diff --git a/python/ql/test/query-tests/Security/BadPractice/WeakFilePermissions/options b/python/ql/test/query-tests/Security/BadPractice/WeakFilePermissions/options
new file mode 100644
index 00000000000..e552c11e561
--- /dev/null
+++ b/python/ql/test/query-tests/Security/BadPractice/WeakFilePermissions/options
@@ -0,0 +1 @@
+semmle-extractor-options: --max-import-depth=2 -p ../../lib
diff --git a/python/ql/test/query-tests/Security/CWE-732/test.py b/python/ql/test/query-tests/Security/BadPractice/WeakFilePermissions/test.py
similarity index 100%
rename from python/ql/test/query-tests/Security/CWE-732/test.py
rename to python/ql/test/query-tests/Security/BadPractice/WeakFilePermissions/test.py
diff --git a/python/ql/test/query-tests/Security/CWE-079/options b/python/ql/test/query-tests/Security/CWE-079/options
deleted file mode 100644
index 492768b3481..00000000000
--- a/python/ql/test/query-tests/Security/CWE-079/options
+++ /dev/null
@@ -1 +0,0 @@
-semmle-extractor-options: -p ../lib/ --max-import-depth=3
diff --git a/python/ql/test/query-tests/Security/CWE-209/options b/python/ql/test/query-tests/Security/CWE-209/options
deleted file mode 100644
index 2729d5a143a..00000000000
--- a/python/ql/test/query-tests/Security/CWE-209/options
+++ /dev/null
@@ -1 +0,0 @@
-semmle-extractor-options: -p ../lib/ --max-import-depth=2
diff --git a/python/ql/test/query-tests/Security/CWE-215/options b/python/ql/test/query-tests/Security/CWE-215/options
deleted file mode 100644
index 84717fe64cf..00000000000
--- a/python/ql/test/query-tests/Security/CWE-215/options
+++ /dev/null
@@ -1 +0,0 @@
-semmle-extractor-options: --max-import-depth=2 -p ../lib
diff --git a/python/ql/test/query-tests/Security/CWE-295/options b/python/ql/test/query-tests/Security/CWE-295/options
deleted file mode 100644
index 492768b3481..00000000000
--- a/python/ql/test/query-tests/Security/CWE-295/options
+++ /dev/null
@@ -1 +0,0 @@
-semmle-extractor-options: -p ../lib/ --max-import-depth=3
diff --git a/python/ql/test/query-tests/Security/CWE-312/options b/python/ql/test/query-tests/Security/CWE-312/options
deleted file mode 100644
index 492768b3481..00000000000
--- a/python/ql/test/query-tests/Security/CWE-312/options
+++ /dev/null
@@ -1 +0,0 @@
-semmle-extractor-options: -p ../lib/ --max-import-depth=3
diff --git a/python/ql/test/query-tests/Security/CWE-326/options b/python/ql/test/query-tests/Security/CWE-326/options
deleted file mode 100644
index 492768b3481..00000000000
--- a/python/ql/test/query-tests/Security/CWE-326/options
+++ /dev/null
@@ -1 +0,0 @@
-semmle-extractor-options: -p ../lib/ --max-import-depth=3
diff --git a/python/ql/test/query-tests/Security/CWE-327/options b/python/ql/test/query-tests/Security/CWE-327/options
deleted file mode 100644
index 492768b3481..00000000000
--- a/python/ql/test/query-tests/Security/CWE-327/options
+++ /dev/null
@@ -1 +0,0 @@
-semmle-extractor-options: -p ../lib/ --max-import-depth=3
diff --git a/python/ql/test/query-tests/Security/CWE-377/options b/python/ql/test/query-tests/Security/CWE-377/options
deleted file mode 100644
index 492768b3481..00000000000
--- a/python/ql/test/query-tests/Security/CWE-377/options
+++ /dev/null
@@ -1 +0,0 @@
-semmle-extractor-options: -p ../lib/ --max-import-depth=3
diff --git a/python/ql/test/query-tests/Security/CWE-601/options b/python/ql/test/query-tests/Security/CWE-601/options
deleted file mode 100644
index 28b616e5f19..00000000000
--- a/python/ql/test/query-tests/Security/CWE-601/options
+++ /dev/null
@@ -1 +0,0 @@
-semmle-extractor-options: --lang=3 --max-import-depth=2 -p ../lib
diff --git a/python/ql/test/query-tests/Security/CWE-732/options b/python/ql/test/query-tests/Security/CWE-732/options
deleted file mode 100644
index 84717fe64cf..00000000000
--- a/python/ql/test/query-tests/Security/CWE-732/options
+++ /dev/null
@@ -1 +0,0 @@
-semmle-extractor-options: --max-import-depth=2 -p ../lib
diff --git a/python/ql/test/query-tests/Security/CWE-327/InsecureDefaultProtocol.expected b/python/ql/test/query-tests/Security/Crypto/TLS/InsecureDefaultProtocol.expected
similarity index 100%
rename from python/ql/test/query-tests/Security/CWE-327/InsecureDefaultProtocol.expected
rename to python/ql/test/query-tests/Security/Crypto/TLS/InsecureDefaultProtocol.expected
diff --git a/python/ql/test/query-tests/Security/CWE-327/InsecureDefaultProtocol.qlref b/python/ql/test/query-tests/Security/Crypto/TLS/InsecureDefaultProtocol.qlref
similarity index 100%
rename from python/ql/test/query-tests/Security/CWE-327/InsecureDefaultProtocol.qlref
rename to python/ql/test/query-tests/Security/Crypto/TLS/InsecureDefaultProtocol.qlref
diff --git a/python/ql/test/query-tests/Security/CWE-327/InsecureProtocol.expected b/python/ql/test/query-tests/Security/Crypto/TLS/InsecureProtocol.expected
similarity index 100%
rename from python/ql/test/query-tests/Security/CWE-327/InsecureProtocol.expected
rename to python/ql/test/query-tests/Security/Crypto/TLS/InsecureProtocol.expected
diff --git a/python/ql/test/query-tests/Security/CWE-327/InsecureProtocol.py b/python/ql/test/query-tests/Security/Crypto/TLS/InsecureProtocol.py
similarity index 100%
rename from python/ql/test/query-tests/Security/CWE-327/InsecureProtocol.py
rename to python/ql/test/query-tests/Security/Crypto/TLS/InsecureProtocol.py
diff --git a/python/ql/test/query-tests/Security/CWE-327/InsecureProtocol.qlref b/python/ql/test/query-tests/Security/Crypto/TLS/InsecureProtocol.qlref
similarity index 100%
rename from python/ql/test/query-tests/Security/CWE-327/InsecureProtocol.qlref
rename to python/ql/test/query-tests/Security/Crypto/TLS/InsecureProtocol.qlref
diff --git a/python/ql/test/query-tests/Security/Crypto/TLS/options b/python/ql/test/query-tests/Security/Crypto/TLS/options
new file mode 100644
index 00000000000..b7721e6c509
--- /dev/null
+++ b/python/ql/test/query-tests/Security/Crypto/TLS/options
@@ -0,0 +1 @@
+semmle-extractor-options: -p ../../lib --max-import-depth=3
diff --git a/python/ql/test/query-tests/Security/CWE-327/BrokenCryptoAlgorithm.expected b/python/ql/test/query-tests/Security/Crypto/WeakCryptoAlgorithm/BrokenCryptoAlgorithm.expected
similarity index 100%
rename from python/ql/test/query-tests/Security/CWE-327/BrokenCryptoAlgorithm.expected
rename to python/ql/test/query-tests/Security/Crypto/WeakCryptoAlgorithm/BrokenCryptoAlgorithm.expected
diff --git a/python/ql/test/query-tests/Security/CWE-327/BrokenCryptoAlgorithm.qlref b/python/ql/test/query-tests/Security/Crypto/WeakCryptoAlgorithm/BrokenCryptoAlgorithm.qlref
similarity index 100%
rename from python/ql/test/query-tests/Security/CWE-327/BrokenCryptoAlgorithm.qlref
rename to python/ql/test/query-tests/Security/Crypto/WeakCryptoAlgorithm/BrokenCryptoAlgorithm.qlref
diff --git a/python/ql/test/query-tests/Security/CWE-327/TestNode.expected b/python/ql/test/query-tests/Security/Crypto/WeakCryptoAlgorithm/TestNode.expected
similarity index 100%
rename from python/ql/test/query-tests/Security/CWE-327/TestNode.expected
rename to python/ql/test/query-tests/Security/Crypto/WeakCryptoAlgorithm/TestNode.expected
diff --git a/python/ql/test/query-tests/Security/CWE-327/TestNode.ql b/python/ql/test/query-tests/Security/Crypto/WeakCryptoAlgorithm/TestNode.ql
similarity index 100%
rename from python/ql/test/query-tests/Security/CWE-327/TestNode.ql
rename to python/ql/test/query-tests/Security/Crypto/WeakCryptoAlgorithm/TestNode.ql
diff --git a/python/ql/test/query-tests/Security/Crypto/WeakCryptoAlgorithm/options b/python/ql/test/query-tests/Security/Crypto/WeakCryptoAlgorithm/options
new file mode 100644
index 00000000000..b7721e6c509
--- /dev/null
+++ b/python/ql/test/query-tests/Security/Crypto/WeakCryptoAlgorithm/options
@@ -0,0 +1 @@
+semmle-extractor-options: -p ../../lib --max-import-depth=3
diff --git a/python/ql/test/query-tests/Security/CWE-327/test_cryptography.py b/python/ql/test/query-tests/Security/Crypto/WeakCryptoAlgorithm/test_cryptography.py
similarity index 100%
rename from python/ql/test/query-tests/Security/CWE-327/test_cryptography.py
rename to python/ql/test/query-tests/Security/Crypto/WeakCryptoAlgorithm/test_cryptography.py
diff --git a/python/ql/test/query-tests/Security/CWE-327/test_pycrypto.py b/python/ql/test/query-tests/Security/Crypto/WeakCryptoAlgorithm/test_pycrypto.py
similarity index 100%
rename from python/ql/test/query-tests/Security/CWE-327/test_pycrypto.py
rename to python/ql/test/query-tests/Security/Crypto/WeakCryptoAlgorithm/test_pycrypto.py
diff --git a/python/ql/test/query-tests/Security/CWE-326/WeakCrypto.expected b/python/ql/test/query-tests/Security/Crypto/WeakCryptoKey/WeakCrypto.expected
similarity index 100%
rename from python/ql/test/query-tests/Security/CWE-326/WeakCrypto.expected
rename to python/ql/test/query-tests/Security/Crypto/WeakCryptoKey/WeakCrypto.expected
diff --git a/python/ql/test/query-tests/Security/CWE-326/WeakCrypto.qlref b/python/ql/test/query-tests/Security/Crypto/WeakCryptoKey/WeakCrypto.qlref
similarity index 100%
rename from python/ql/test/query-tests/Security/CWE-326/WeakCrypto.qlref
rename to python/ql/test/query-tests/Security/Crypto/WeakCryptoKey/WeakCrypto.qlref
diff --git a/python/ql/test/query-tests/Security/Crypto/WeakCryptoKey/options b/python/ql/test/query-tests/Security/Crypto/WeakCryptoKey/options
new file mode 100644
index 00000000000..b7721e6c509
--- /dev/null
+++ b/python/ql/test/query-tests/Security/Crypto/WeakCryptoKey/options
@@ -0,0 +1 @@
+semmle-extractor-options: -p ../../lib --max-import-depth=3
diff --git a/python/ql/test/query-tests/Security/CWE-326/weak_crypto.py b/python/ql/test/query-tests/Security/Crypto/WeakCryptoKey/weak_crypto.py
similarity index 100%
rename from python/ql/test/query-tests/Security/CWE-326/weak_crypto.py
rename to python/ql/test/query-tests/Security/Crypto/WeakCryptoKey/weak_crypto.py
diff --git a/python/ql/test/query-tests/Security/CWE-312/CleartextLogging.expected b/python/ql/test/query-tests/Security/Exposure/SensitiveDataExposure/CleartextLogging.expected
similarity index 100%
rename from python/ql/test/query-tests/Security/CWE-312/CleartextLogging.expected
rename to python/ql/test/query-tests/Security/Exposure/SensitiveDataExposure/CleartextLogging.expected
diff --git a/python/ql/test/query-tests/Security/CWE-312/CleartextLogging.qlref b/python/ql/test/query-tests/Security/Exposure/SensitiveDataExposure/CleartextLogging.qlref
similarity index 100%
rename from python/ql/test/query-tests/Security/CWE-312/CleartextLogging.qlref
rename to python/ql/test/query-tests/Security/Exposure/SensitiveDataExposure/CleartextLogging.qlref
diff --git a/python/ql/test/query-tests/Security/CWE-312/CleartextStorage.expected b/python/ql/test/query-tests/Security/Exposure/SensitiveDataExposure/CleartextStorage.expected
similarity index 100%
rename from python/ql/test/query-tests/Security/CWE-312/CleartextStorage.expected
rename to python/ql/test/query-tests/Security/Exposure/SensitiveDataExposure/CleartextStorage.expected
diff --git a/python/ql/test/query-tests/Security/CWE-312/CleartextStorage.qlref b/python/ql/test/query-tests/Security/Exposure/SensitiveDataExposure/CleartextStorage.qlref
similarity index 100%
rename from python/ql/test/query-tests/Security/CWE-312/CleartextStorage.qlref
rename to python/ql/test/query-tests/Security/Exposure/SensitiveDataExposure/CleartextStorage.qlref
diff --git a/python/ql/test/query-tests/Security/Exposure/SensitiveDataExposure/options b/python/ql/test/query-tests/Security/Exposure/SensitiveDataExposure/options
new file mode 100644
index 00000000000..b7721e6c509
--- /dev/null
+++ b/python/ql/test/query-tests/Security/Exposure/SensitiveDataExposure/options
@@ -0,0 +1 @@
+semmle-extractor-options: -p ../../lib --max-import-depth=3
diff --git a/python/ql/test/query-tests/Security/CWE-312/password_in_cookie.py b/python/ql/test/query-tests/Security/Exposure/SensitiveDataExposure/password_in_cookie.py
similarity index 100%
rename from python/ql/test/query-tests/Security/CWE-312/password_in_cookie.py
rename to python/ql/test/query-tests/Security/Exposure/SensitiveDataExposure/password_in_cookie.py
diff --git a/python/ql/test/query-tests/Security/CWE-312/test.py b/python/ql/test/query-tests/Security/Exposure/SensitiveDataExposure/test.py
similarity index 100%
rename from python/ql/test/query-tests/Security/CWE-312/test.py
rename to python/ql/test/query-tests/Security/Exposure/SensitiveDataExposure/test.py
diff --git a/python/ql/test/query-tests/Security/CWE-209/StackTraceExposure.expected b/python/ql/test/query-tests/Security/Exposure/StackTraceExposure/StackTraceExposure.expected
similarity index 100%
rename from python/ql/test/query-tests/Security/CWE-209/StackTraceExposure.expected
rename to python/ql/test/query-tests/Security/Exposure/StackTraceExposure/StackTraceExposure.expected
diff --git a/python/ql/test/query-tests/Security/CWE-209/StackTraceExposure.qlref b/python/ql/test/query-tests/Security/Exposure/StackTraceExposure/StackTraceExposure.qlref
similarity index 100%
rename from python/ql/test/query-tests/Security/CWE-209/StackTraceExposure.qlref
rename to python/ql/test/query-tests/Security/Exposure/StackTraceExposure/StackTraceExposure.qlref
diff --git a/python/ql/test/query-tests/Security/Exposure/StackTraceExposure/options b/python/ql/test/query-tests/Security/Exposure/StackTraceExposure/options
new file mode 100644
index 00000000000..59cbd921362
--- /dev/null
+++ b/python/ql/test/query-tests/Security/Exposure/StackTraceExposure/options
@@ -0,0 +1 @@
+semmle-extractor-options: -p ../../lib --max-import-depth=2
diff --git a/python/ql/test/query-tests/Security/CWE-209/test.py b/python/ql/test/query-tests/Security/Exposure/StackTraceExposure/test.py
similarity index 100%
rename from python/ql/test/query-tests/Security/CWE-209/test.py
rename to python/ql/test/query-tests/Security/Exposure/StackTraceExposure/test.py
diff --git a/python/ql/test/query-tests/Security/CWE-094/CodeInjection.expected b/python/ql/test/query-tests/Security/Injection/CodeInjection/CodeInjection.expected
similarity index 100%
rename from python/ql/test/query-tests/Security/CWE-094/CodeInjection.expected
rename to python/ql/test/query-tests/Security/Injection/CodeInjection/CodeInjection.expected
diff --git a/python/ql/test/query-tests/Security/CWE-094/CodeInjection.qlref b/python/ql/test/query-tests/Security/Injection/CodeInjection/CodeInjection.qlref
similarity index 100%
rename from python/ql/test/query-tests/Security/CWE-094/CodeInjection.qlref
rename to python/ql/test/query-tests/Security/Injection/CodeInjection/CodeInjection.qlref
diff --git a/python/ql/test/query-tests/Security/CWE-094/code_injection.py b/python/ql/test/query-tests/Security/Injection/CodeInjection/code_injection.py
similarity index 100%
rename from python/ql/test/query-tests/Security/CWE-094/code_injection.py
rename to python/ql/test/query-tests/Security/Injection/CodeInjection/code_injection.py
diff --git a/python/ql/test/query-tests/Security/CWE-078-py2/CommandInjection.expected b/python/ql/test/query-tests/Security/Injection/CommandInjection-py2/CommandInjection.expected
similarity index 100%
rename from python/ql/test/query-tests/Security/CWE-078-py2/CommandInjection.expected
rename to python/ql/test/query-tests/Security/Injection/CommandInjection-py2/CommandInjection.expected
diff --git a/python/ql/test/query-tests/Security/CWE-078-py2/CommandInjection.qlref b/python/ql/test/query-tests/Security/Injection/CommandInjection-py2/CommandInjection.qlref
similarity index 100%
rename from python/ql/test/query-tests/Security/CWE-078-py2/CommandInjection.qlref
rename to python/ql/test/query-tests/Security/Injection/CommandInjection-py2/CommandInjection.qlref
diff --git a/python/ql/test/query-tests/Security/CWE-078-py2/command_injection.py b/python/ql/test/query-tests/Security/Injection/CommandInjection-py2/command_injection.py
similarity index 100%
rename from python/ql/test/query-tests/Security/CWE-078-py2/command_injection.py
rename to python/ql/test/query-tests/Security/Injection/CommandInjection-py2/command_injection.py
diff --git a/python/ql/test/query-tests/Security/CWE-078-py2/options b/python/ql/test/query-tests/Security/Injection/CommandInjection-py2/options
similarity index 100%
rename from python/ql/test/query-tests/Security/CWE-078-py2/options
rename to python/ql/test/query-tests/Security/Injection/CommandInjection-py2/options
diff --git a/python/ql/test/query-tests/Security/CWE-078/CommandInjection.expected b/python/ql/test/query-tests/Security/Injection/CommandInjection/CommandInjection.expected
similarity index 100%
rename from python/ql/test/query-tests/Security/CWE-078/CommandInjection.expected
rename to python/ql/test/query-tests/Security/Injection/CommandInjection/CommandInjection.expected
diff --git a/python/ql/test/query-tests/Security/CWE-078/CommandInjection.qlref b/python/ql/test/query-tests/Security/Injection/CommandInjection/CommandInjection.qlref
similarity index 100%
rename from python/ql/test/query-tests/Security/CWE-078/CommandInjection.qlref
rename to python/ql/test/query-tests/Security/Injection/CommandInjection/CommandInjection.qlref
diff --git a/python/ql/test/query-tests/Security/CWE-078/command_injection.py b/python/ql/test/query-tests/Security/Injection/CommandInjection/command_injection.py
similarity index 100%
rename from python/ql/test/query-tests/Security/CWE-078/command_injection.py
rename to python/ql/test/query-tests/Security/Injection/CommandInjection/command_injection.py
diff --git a/python/ql/test/query-tests/Security/CWE-078/options b/python/ql/test/query-tests/Security/Injection/CommandInjection/options
similarity index 100%
rename from python/ql/test/query-tests/Security/CWE-078/options
rename to python/ql/test/query-tests/Security/Injection/CommandInjection/options
diff --git a/python/ql/test/query-tests/Security/CWE-601/UrlRedirect.expected b/python/ql/test/query-tests/Security/Injection/OpenRedirect/UrlRedirect.expected
similarity index 100%
rename from python/ql/test/query-tests/Security/CWE-601/UrlRedirect.expected
rename to python/ql/test/query-tests/Security/Injection/OpenRedirect/UrlRedirect.expected
diff --git a/python/ql/test/query-tests/Security/CWE-601/UrlRedirect.qlref b/python/ql/test/query-tests/Security/Injection/OpenRedirect/UrlRedirect.qlref
similarity index 100%
rename from python/ql/test/query-tests/Security/CWE-601/UrlRedirect.qlref
rename to python/ql/test/query-tests/Security/Injection/OpenRedirect/UrlRedirect.qlref
diff --git a/python/ql/test/query-tests/Security/Injection/OpenRedirect/options b/python/ql/test/query-tests/Security/Injection/OpenRedirect/options
new file mode 100644
index 00000000000..2c9a5f0a13c
--- /dev/null
+++ b/python/ql/test/query-tests/Security/Injection/OpenRedirect/options
@@ -0,0 +1 @@
+semmle-extractor-options: --lang=3 --max-import-depth=2 -p ../../lib
diff --git a/python/ql/test/query-tests/Security/CWE-601/test.py b/python/ql/test/query-tests/Security/Injection/OpenRedirect/test.py
similarity index 100%
rename from python/ql/test/query-tests/Security/CWE-601/test.py
rename to python/ql/test/query-tests/Security/Injection/OpenRedirect/test.py
diff --git a/python/ql/test/query-tests/Security/CWE-079/ReflectedXss.expected b/python/ql/test/query-tests/Security/Injection/ReflectedXss/ReflectedXss.expected
similarity index 100%
rename from python/ql/test/query-tests/Security/CWE-079/ReflectedXss.expected
rename to python/ql/test/query-tests/Security/Injection/ReflectedXss/ReflectedXss.expected
diff --git a/python/ql/test/query-tests/Security/CWE-079/ReflectedXss.qlref b/python/ql/test/query-tests/Security/Injection/ReflectedXss/ReflectedXss.qlref
similarity index 100%
rename from python/ql/test/query-tests/Security/CWE-079/ReflectedXss.qlref
rename to python/ql/test/query-tests/Security/Injection/ReflectedXss/ReflectedXss.qlref
diff --git a/python/ql/test/query-tests/Security/CWE-079/reflected_xss.py b/python/ql/test/query-tests/Security/Injection/ReflectedXss/reflected_xss.py
similarity index 100%
rename from python/ql/test/query-tests/Security/CWE-079/reflected_xss.py
rename to python/ql/test/query-tests/Security/Injection/ReflectedXss/reflected_xss.py
diff --git a/python/ql/test/query-tests/Security/CWE-089/SqlInjection.expected b/python/ql/test/query-tests/Security/Injection/SqlInjection/SqlInjection.expected
similarity index 100%
rename from python/ql/test/query-tests/Security/CWE-089/SqlInjection.expected
rename to python/ql/test/query-tests/Security/Injection/SqlInjection/SqlInjection.expected
diff --git a/python/ql/test/query-tests/Security/CWE-089/SqlInjection.qlref b/python/ql/test/query-tests/Security/Injection/SqlInjection/SqlInjection.qlref
similarity index 100%
rename from python/ql/test/query-tests/Security/CWE-089/SqlInjection.qlref
rename to python/ql/test/query-tests/Security/Injection/SqlInjection/SqlInjection.qlref
diff --git a/python/ql/test/query-tests/Security/CWE-089/sql_injection.py b/python/ql/test/query-tests/Security/Injection/SqlInjection/sql_injection.py
similarity index 100%
rename from python/ql/test/query-tests/Security/CWE-089/sql_injection.py
rename to python/ql/test/query-tests/Security/Injection/SqlInjection/sql_injection.py
diff --git a/python/ql/test/query-tests/Security/CWE-022-PathInjection/PathInjection.expected b/python/ql/test/query-tests/Security/Injection/TarSlip/PathInjection/PathInjection.expected
similarity index 100%
rename from python/ql/test/query-tests/Security/CWE-022-PathInjection/PathInjection.expected
rename to python/ql/test/query-tests/Security/Injection/TarSlip/PathInjection/PathInjection.expected
diff --git a/python/ql/test/query-tests/Security/CWE-022-PathInjection/PathInjection.qlref b/python/ql/test/query-tests/Security/Injection/TarSlip/PathInjection/PathInjection.qlref
similarity index 100%
rename from python/ql/test/query-tests/Security/CWE-022-PathInjection/PathInjection.qlref
rename to python/ql/test/query-tests/Security/Injection/TarSlip/PathInjection/PathInjection.qlref
diff --git a/python/ql/test/query-tests/Security/CWE-022-PathInjection/path_injection.py b/python/ql/test/query-tests/Security/Injection/TarSlip/PathInjection/path_injection.py
similarity index 100%
rename from python/ql/test/query-tests/Security/CWE-022-PathInjection/path_injection.py
rename to python/ql/test/query-tests/Security/Injection/TarSlip/PathInjection/path_injection.py
diff --git a/python/ql/test/query-tests/Security/CWE-022-PathInjection/test.py b/python/ql/test/query-tests/Security/Injection/TarSlip/PathInjection/test.py
similarity index 100%
rename from python/ql/test/query-tests/Security/CWE-022-PathInjection/test.py
rename to python/ql/test/query-tests/Security/Injection/TarSlip/PathInjection/test.py
diff --git a/python/ql/test/query-tests/Security/CWE-022-PathInjection/test_chaining.py b/python/ql/test/query-tests/Security/Injection/TarSlip/PathInjection/test_chaining.py
similarity index 100%
rename from python/ql/test/query-tests/Security/CWE-022-PathInjection/test_chaining.py
rename to python/ql/test/query-tests/Security/Injection/TarSlip/PathInjection/test_chaining.py
diff --git a/python/ql/test/query-tests/Security/CWE-022-TarSlip/TarSlip.expected b/python/ql/test/query-tests/Security/Injection/TarSlip/TarSlip.expected
similarity index 100%
rename from python/ql/test/query-tests/Security/CWE-022-TarSlip/TarSlip.expected
rename to python/ql/test/query-tests/Security/Injection/TarSlip/TarSlip.expected
diff --git a/python/ql/test/query-tests/Security/CWE-022-TarSlip/TarSlip.qlref b/python/ql/test/query-tests/Security/Injection/TarSlip/TarSlip.qlref
similarity index 100%
rename from python/ql/test/query-tests/Security/CWE-022-TarSlip/TarSlip.qlref
rename to python/ql/test/query-tests/Security/Injection/TarSlip/TarSlip.qlref
diff --git a/python/ql/test/query-tests/Security/Injection/TarSlip/options b/python/ql/test/query-tests/Security/Injection/TarSlip/options
new file mode 100644
index 00000000000..b7721e6c509
--- /dev/null
+++ b/python/ql/test/query-tests/Security/Injection/TarSlip/options
@@ -0,0 +1 @@
+semmle-extractor-options: -p ../../lib --max-import-depth=3
diff --git a/python/ql/test/query-tests/Security/CWE-022-TarSlip/tarslip.py b/python/ql/test/query-tests/Security/Injection/TarSlip/tarslip.py
similarity index 100%
rename from python/ql/test/query-tests/Security/CWE-022-TarSlip/tarslip.py
rename to python/ql/test/query-tests/Security/Injection/TarSlip/tarslip.py
diff --git a/python/ql/test/query-tests/Security/CWE-502/UnsafeDeserialization.expected b/python/ql/test/query-tests/Security/Injection/UnsafeDeserialization/UnsafeDeserialization.expected
similarity index 100%
rename from python/ql/test/query-tests/Security/CWE-502/UnsafeDeserialization.expected
rename to python/ql/test/query-tests/Security/Injection/UnsafeDeserialization/UnsafeDeserialization.expected
diff --git a/python/ql/test/query-tests/Security/CWE-502/UnsafeDeserialization.qlref b/python/ql/test/query-tests/Security/Injection/UnsafeDeserialization/UnsafeDeserialization.qlref
similarity index 100%
rename from python/ql/test/query-tests/Security/CWE-502/UnsafeDeserialization.qlref
rename to python/ql/test/query-tests/Security/Injection/UnsafeDeserialization/UnsafeDeserialization.qlref
diff --git a/python/ql/test/query-tests/Security/CWE-502/unsafe_deserialization.py b/python/ql/test/query-tests/Security/Injection/UnsafeDeserialization/unsafe_deserialization.py
similarity index 100%
rename from python/ql/test/query-tests/Security/CWE-502/unsafe_deserialization.py
rename to python/ql/test/query-tests/Security/Injection/UnsafeDeserialization/unsafe_deserialization.py

From 4b9e37f62d4ff31b6a4f99eedcd8ca5ce93f7668 Mon Sep 17 00:00:00 2001
From: Rasmus Wriedt Larsen <rasmuswl@github.com>
Date: Tue, 16 Feb 2021 14:37:11 +0100
Subject: [PATCH 399/429] Docs: Update list of support frameworks in Python

So it follows what is we actually support with https://github.com/github/codeql/blob/6eafa9d3968a9f4752ef07e7d5159699591079c3/python/ql/src/semmle/python/Frameworks.qll
---
 docs/codeql/support/reusables/frameworks.rst | 23 ++++++++++----------
 1 file changed, 12 insertions(+), 11 deletions(-)

diff --git a/docs/codeql/support/reusables/frameworks.rst b/docs/codeql/support/reusables/frameworks.rst
index 4427407fe9d..c04e717e295 100644
--- a/docs/codeql/support/reusables/frameworks.rst
+++ b/docs/codeql/support/reusables/frameworks.rst
@@ -122,19 +122,20 @@ JavaScript and TypeScript built-in support
 Python built-in support
 ====================================
 
-.. csv-table:: 
+.. csv-table::
    :header-rows: 1
    :class: fullWidthTable
    :widths: auto
 
    Name, Category
-   Bottle, Web framework
-   CherryPy, Web framework
-   Django, Web application framework
-   Falcon, Web API framework
-   Flask, Microframework
-   Pyramid, Web application framework
-   Tornado, Web application framework and asynchronous networking library
-   Turbogears, Web framework
-   Twisted, Networking engine
-   WebOb, WSGI request library
+   Django, Web framework
+   Flask, Web framework
+   Tornado, Web framework
+   PyYAML, Serialization
+   dill, Serialization
+   fabric, Utility library
+   invoke, Utility library
+   mysql-connector-python, Database
+   MySQLdb, Database
+   psycopg2, Database
+   sqlite3, Database

From b7ea469e2652acac8074fe162260da14ade32ac9 Mon Sep 17 00:00:00 2001
From: Rasmus Wriedt Larsen <rasmuswl@github.com>
Date: Wed, 3 Feb 2021 11:10:07 +0100
Subject: [PATCH 400/429] Python: Add tests for flask blueprints

---
 .../frameworks/flask/external_blueprint.py    |  7 +++++
 .../frameworks/flask/routing_test.py          | 27 +++++++++++++++++++
 2 files changed, 34 insertions(+)
 create mode 100644 python/ql/test/experimental/library-tests/frameworks/flask/external_blueprint.py

diff --git a/python/ql/test/experimental/library-tests/frameworks/flask/external_blueprint.py b/python/ql/test/experimental/library-tests/frameworks/flask/external_blueprint.py
new file mode 100644
index 00000000000..4c43b627eb2
--- /dev/null
+++ b/python/ql/test/experimental/library-tests/frameworks/flask/external_blueprint.py
@@ -0,0 +1,7 @@
+import flask
+
+bp3 = flask.Blueprint("bp3", __name__)
+
+@bp3.route("/bp3/example") # $ MISSING: routeSetup="/bp3/example"
+def bp3_example(): # $ MISSING: requestHandler
+    return "bp 3 example"
diff --git a/python/ql/test/experimental/library-tests/frameworks/flask/routing_test.py b/python/ql/test/experimental/library-tests/frameworks/flask/routing_test.py
index 813e3751152..3475e27455f 100644
--- a/python/ql/test/experimental/library-tests/frameworks/flask/routing_test.py
+++ b/python/ql/test/experimental/library-tests/frameworks/flask/routing_test.py
@@ -93,5 +93,32 @@ class WithoutKnownRoute2(MethodView):
         pass
 
 
+# Blueprints
+#
+# see https://flask.palletsprojects.com/en/1.1.x/blueprints/
+
+bp1 = flask.Blueprint("bp1", __name__)
+
+@bp1.route("/bp1/example/<foo>") # $ MISSING: routeSetup="/bp1/example/<foo>"
+def bp1_example(foo): # $ MISSING: requestHandler routedParameter=foo
+    return "bp 1 example foo={}".format(foo)
+
+app.register_blueprint(bp1) # by default, URL of blueprints are not changed
+
+
+bp2 = flask.Blueprint("bp2", __name__)
+
+@bp2.route("/example") # $ MISSING: routeSetup="/example"
+def bp2_example(): # $ MISSING: requestHandler
+    return "bp 2 example"
+
+app.register_blueprint(bp2, url_prefix="/bp2") # but it is possible to add a url_prefix
+
+
+from external_blueprint import bp3
+app.register_blueprint(bp3)
+
+
 if __name__ == "__main__":
+    print(app.url_map)
     app.run(debug=True)

From 1e1cb874360707bc5fea0e9bfb3028e812600248 Mon Sep 17 00:00:00 2001
From: Rasmus Wriedt Larsen <rasmuswl@github.com>
Date: Wed, 3 Feb 2021 11:32:40 +0100
Subject: [PATCH 401/429] Python: Model flask blueprints

---
 ...2021-02-03-flask-add-blueprint-modeling.md |  2 +
 .../ql/src/semmle/python/frameworks/Flask.qll | 40 +++++++++++++++++--
 .../frameworks/flask/external_blueprint.py    |  6 +--
 .../frameworks/flask/routing_test.py          | 12 +++---
 4 files changed, 47 insertions(+), 13 deletions(-)
 create mode 100644 python/change-notes/2021-02-03-flask-add-blueprint-modeling.md

diff --git a/python/change-notes/2021-02-03-flask-add-blueprint-modeling.md b/python/change-notes/2021-02-03-flask-add-blueprint-modeling.md
new file mode 100644
index 00000000000..62776a7adb4
--- /dev/null
+++ b/python/change-notes/2021-02-03-flask-add-blueprint-modeling.md
@@ -0,0 +1,2 @@
+lgtm,codescanning
+* Added modeling of flask blueprints (`flask.Blueprint`), specifically request handlers defined with such blueprints. This can result in new sources of remote user input (`RemoteFlowSource`) -- since we're now able to detect routed parameters -- and new XSS sinks from the responses of these request handlers.
diff --git a/python/ql/src/semmle/python/frameworks/Flask.qll b/python/ql/src/semmle/python/frameworks/Flask.qll
index fe394c6c8ac..30afff25922 100644
--- a/python/ql/src/semmle/python/frameworks/Flask.qll
+++ b/python/ql/src/semmle/python/frameworks/Flask.qll
@@ -72,6 +72,30 @@ private module FlaskModel {
       API::Node response_class() { result = [classRef(), instance()].getMember("response_class") }
     }
 
+    /**
+     * Provides models for the `flask.Blueprint` class
+     *
+     * See https://flask.palletsprojects.com/en/1.1.x/api/#flask.Blueprint.
+     */
+    module Blueprint {
+      /** Gets a reference to the `flask.Blueprint` class. */
+      API::Node classRef() { result = flask().getMember("Blueprint") }
+
+      /** Gets a reference to an instance of `flask.Blueprint`. */
+      API::Node instance() { result = classRef().getReturn() }
+
+      /**
+       * Gets a reference to the attribute `attr_name` of an instance of `flask.Blueprint`.
+       */
+      private API::Node instance_attr(string attr_name) { result = instance().getMember(attr_name) }
+
+      /** Gets a reference to the `route` method on an instance of `flask.Blueprint`. */
+      API::Node route() { result = instance_attr("route") }
+
+      /** Gets a reference to the `add_url_rule` method on an instance of `flask.Blueprint`. */
+      API::Node add_url_rule() { result = instance_attr("add_url_rule") }
+    }
+
     // -------------------------------------------------------------------------
     // flask.views
     // -------------------------------------------------------------------------
@@ -222,12 +246,16 @@ private module FlaskModel {
   }
 
   /**
-   * A call to the `route` method on an instance of `flask.Flask`.
+   * A call to the `route` method on an instance of `flask.Flask` or an instance of `flask.Blueprint`.
    *
    * See https://flask.palletsprojects.com/en/1.1.x/api/#flask.Flask.route
    */
   private class FlaskAppRouteCall extends FlaskRouteSetup, DataFlow::CallCfgNode {
-    FlaskAppRouteCall() { this.getFunction() = flask::Flask::route().getAUse() }
+    FlaskAppRouteCall() {
+      this.getFunction() = flask::Flask::route().getAUse()
+      or
+      this.getFunction() = flask::Blueprint::route().getAUse()
+    }
 
     override DataFlow::Node getUrlPatternArg() {
       result in [this.getArg(0), this.getArgByName("rule")]
@@ -237,12 +265,16 @@ private module FlaskModel {
   }
 
   /**
-   * A call to the `add_url_rule` method on an instance of `flask.Flask`.
+   * A call to the `add_url_rule` method on an instance of `flask.Flask` or an instance of `flask.Blueprint`.
    *
    * See https://flask.palletsprojects.com/en/1.1.x/api/#flask.Flask.add_url_rule
    */
   private class FlaskAppAddUrlRuleCall extends FlaskRouteSetup, DataFlow::CallCfgNode {
-    FlaskAppAddUrlRuleCall() { this.getFunction() = flask::Flask::add_url_rule().getAUse() }
+    FlaskAppAddUrlRuleCall() {
+      this.getFunction() = flask::Flask::add_url_rule().getAUse()
+      or
+      this.getFunction() = flask::Blueprint::add_url_rule().getAUse()
+    }
 
     override DataFlow::Node getUrlPatternArg() {
       result in [this.getArg(0), this.getArgByName("rule")]
diff --git a/python/ql/test/experimental/library-tests/frameworks/flask/external_blueprint.py b/python/ql/test/experimental/library-tests/frameworks/flask/external_blueprint.py
index 4c43b627eb2..d426cb37867 100644
--- a/python/ql/test/experimental/library-tests/frameworks/flask/external_blueprint.py
+++ b/python/ql/test/experimental/library-tests/frameworks/flask/external_blueprint.py
@@ -2,6 +2,6 @@ import flask
 
 bp3 = flask.Blueprint("bp3", __name__)
 
-@bp3.route("/bp3/example") # $ MISSING: routeSetup="/bp3/example"
-def bp3_example(): # $ MISSING: requestHandler
-    return "bp 3 example"
+@bp3.route("/bp3/example") # $ routeSetup="/bp3/example"
+def bp3_example(): # $ requestHandler
+    return "bp 3 example" # $ HttpResponse
diff --git a/python/ql/test/experimental/library-tests/frameworks/flask/routing_test.py b/python/ql/test/experimental/library-tests/frameworks/flask/routing_test.py
index 3475e27455f..1bbff4fed37 100644
--- a/python/ql/test/experimental/library-tests/frameworks/flask/routing_test.py
+++ b/python/ql/test/experimental/library-tests/frameworks/flask/routing_test.py
@@ -99,18 +99,18 @@ class WithoutKnownRoute2(MethodView):
 
 bp1 = flask.Blueprint("bp1", __name__)
 
-@bp1.route("/bp1/example/<foo>") # $ MISSING: routeSetup="/bp1/example/<foo>"
-def bp1_example(foo): # $ MISSING: requestHandler routedParameter=foo
-    return "bp 1 example foo={}".format(foo)
+@bp1.route("/bp1/example/<foo>") # $ routeSetup="/bp1/example/<foo>"
+def bp1_example(foo): # $ requestHandler routedParameter=foo
+    return "bp 1 example foo={}".format(foo) # $ HttpResponse
 
 app.register_blueprint(bp1) # by default, URL of blueprints are not changed
 
 
 bp2 = flask.Blueprint("bp2", __name__)
 
-@bp2.route("/example") # $ MISSING: routeSetup="/example"
-def bp2_example(): # $ MISSING: requestHandler
-    return "bp 2 example"
+@bp2.route("/example") # $ routeSetup="/example"
+def bp2_example(): # $ requestHandler
+    return "bp 2 example" # $ HttpResponse
 
 app.register_blueprint(bp2, url_prefix="/bp2") # but it is possible to add a url_prefix
 

From bc8e61366b7f3dc4f16d2eafefdec8a04e3bcbe5 Mon Sep 17 00:00:00 2001
From: Rasmus Wriedt Larsen <rasmuswl@github.com>
Date: Tue, 16 Feb 2021 15:29:25 +0100
Subject: [PATCH 402/429] Python: Clarify comment about flask blueprint URL
 prefixes

---
 .../library-tests/frameworks/flask/routing_test.py            | 4 ++--
 1 file changed, 2 insertions(+), 2 deletions(-)

diff --git a/python/ql/test/experimental/library-tests/frameworks/flask/routing_test.py b/python/ql/test/experimental/library-tests/frameworks/flask/routing_test.py
index 1bbff4fed37..11e44f52e71 100644
--- a/python/ql/test/experimental/library-tests/frameworks/flask/routing_test.py
+++ b/python/ql/test/experimental/library-tests/frameworks/flask/routing_test.py
@@ -103,7 +103,7 @@ bp1 = flask.Blueprint("bp1", __name__)
 def bp1_example(foo): # $ requestHandler routedParameter=foo
     return "bp 1 example foo={}".format(foo) # $ HttpResponse
 
-app.register_blueprint(bp1) # by default, URL of blueprints are not changed
+app.register_blueprint(bp1) # by default, URLs of blueprints are not prefixed
 
 
 bp2 = flask.Blueprint("bp2", __name__)
@@ -112,7 +112,7 @@ bp2 = flask.Blueprint("bp2", __name__)
 def bp2_example(): # $ requestHandler
     return "bp 2 example" # $ HttpResponse
 
-app.register_blueprint(bp2, url_prefix="/bp2") # but it is possible to add a url_prefix
+app.register_blueprint(bp2, url_prefix="/bp2") # but it is possible to add a URL prefix
 
 
 from external_blueprint import bp3

From bf03c0f419253fff4056ecc826e200f82a3368f8 Mon Sep 17 00:00:00 2001
From: Chris Smowton <smowton@github.com>
Date: Thu, 11 Feb 2021 17:49:43 +0000
Subject: [PATCH 403/429] Port InlineExpectationsTest for the Java analysis

---
 config/identical-files.json                   |   1 +
 .../TestUtilities/InlineExpectationsTest.qll  | 343 ++++++++++++++++++
 .../InlineExpectationsTestPrivate.qll         |  12 +
 3 files changed, 356 insertions(+)
 create mode 100644 java/ql/test/TestUtilities/InlineExpectationsTest.qll
 create mode 100644 java/ql/test/TestUtilities/InlineExpectationsTestPrivate.qll

diff --git a/config/identical-files.json b/config/identical-files.json
index 5a8efc3405a..d68dabba861 100644
--- a/config/identical-files.json
+++ b/config/identical-files.json
@@ -356,6 +356,7 @@
   ],
   "Inline Test Expectations": [
     "cpp/ql/test/TestUtilities/InlineExpectationsTest.qll",
+    "java/ql/test/TestUtilities/InlineExpectationsTest.qll",
     "python/ql/test/TestUtilities/InlineExpectationsTest.qll"
   ],
   "C++ ExternalAPIs": [
diff --git a/java/ql/test/TestUtilities/InlineExpectationsTest.qll b/java/ql/test/TestUtilities/InlineExpectationsTest.qll
new file mode 100644
index 00000000000..35798415078
--- /dev/null
+++ b/java/ql/test/TestUtilities/InlineExpectationsTest.qll
@@ -0,0 +1,343 @@
+/**
+ * Provides a library for writing QL tests whose success or failure is based on expected results
+ * embedded in the test source code as comments, rather than a `.expected` file.
+ *
+ * To add this framework to a new language:
+ * - Add a file `InlineExpectationsTestPrivate.qll` that defines a `LineComment` class. This class
+ *   must support a `getContents` method that returns the contents of the given comment, _excluding_
+ *   the comment indicator itself. It should also define `toString` and `getLocation` as usual.
+ *
+ * To create a new inline expectations test:
+ * - Declare a class that extends `InlineExpectationsTest`. In the characteristic predicate of the
+ * new class, bind `this` to a unique string (usually the name of the test).
+ * - Override the `hasActualResult()` predicate to produce the actual results of the query. For each
+ * result, specify a `Location`, a text description of the element for which the result was
+ * reported, a short string to serve as the tag to identify expected results for this test, and the
+ * expected value of the result.
+ * - Override `getARelevantTag()` to return the set of tags that can be produced by
+ * `hasActualResult()`. Often this is just a single tag.
+ *
+ * Example:
+ * ```ql
+ * class ConstantValueTest extends InlineExpectationsTest {
+ *   ConstantValueTest() { this = "ConstantValueTest" }
+ *
+ *   override string getARelevantTag() {
+ *     // We only use one tag for this test.
+ *     result = "const"
+ *   }
+ *
+ *   override predicate hasActualResult(
+ *     Location location, string element, string tag, string value
+ *   ) {
+ *     exists(Expr e |
+ *       tag = "const" and // The tag for this test.
+ *       value = e.getValue() and // The expected value. Will only hold for constant expressions.
+ *       location = e.getLocation() and // The location of the result to be reported.
+ *       element = e.toString() // The display text for the result.
+ *     )
+ *   }
+ * }
+ * ```
+ *
+ * There is no need to write a `select` clause or query predicate. All of the differences between
+ * expected results and actual results will be reported in the `failures()` query predicate.
+ *
+ * To annotate the test source code with an expected result, place a comment starting with a `$` on the
+ * same line as the expected result, with text of the following format as the body of the comment:
+ *
+ * `tag=expected-value`
+ *
+ * Where `tag` is the value of the `tag` parameter from `hasActualResult()`, and `expected-value` is
+ * the value of the `value` parameter from `hasActualResult()`. The `=expected-value` portion may be
+ * omitted, in which case `expected-value` is treated as the empty string. Multiple expectations may
+ * be placed in the same comment. Any actual result that
+ * appears on a line that does not contain a matching expected result comment will be reported with
+ * a message of the form "Unexpected result: tag=value". Any expected result comment for which there
+ * is no matching actual result will be reported with a message of the form
+ * "Missing result: tag=expected-value".
+ *
+ * Example:
+ * ```cpp
+ * int i = x + 5;  // $const=5
+ * int j = y + (7 - 3)  // $const=7 const=3 const=4  // The result of the subtraction is a constant.
+ * ```
+ *
+ * For tests that contain known missing and spurious results, it is possible to further
+ * annotate that a particular expected result is known to be spurious, or that a particular
+ * missing result is known to be missing:
+ *
+ * `$ SPURIOUS: tag=expected-value`  // Spurious result
+ * `$ MISSING: tag=expected-value`  // Missing result
+ *
+ * A spurious expectation is treated as any other expected result, except that if there is no
+ * matching actual result, the message will be of the form "Fixed spurious result: tag=value". A
+ * missing expectation is treated as if there were no expected result, except that if a
+ * matching expected result is found, the message will be of the form
+ * "Fixed missing result: tag=value".
+ *
+ * A single line can contain all the expected, spurious and missing results of that line. For instance:
+ * `$ tag1=value1 SPURIOUS: tag2=value2 MISSING: tag3=value3`.
+ *
+ * If the same result value is expected for two or more tags on the same line, there is a shorthand
+ * notation available:
+ *
+ * `tag1,tag2=expected-value`
+ *
+ * is equivalent to:
+ *
+ * `tag1=expected-value tag2=expected-value`
+ */
+
+private import InlineExpectationsTestPrivate
+
+/**
+ * Base class for tests with inline expectations. The test extends this class to provide the actual
+ * results of the query, which are then compared with the expected results in comments to produce a
+ * list of failure messages that point out where the actual results differ from the expected
+ * results.
+ */
+abstract class InlineExpectationsTest extends string {
+  bindingset[this]
+  InlineExpectationsTest() { any() }
+
+  /**
+   * Returns all tags that can be generated by this test. Most tests will only ever produce a single
+   * tag. Any expected result comments for a tag that is not returned by the `getARelevantTag()`
+   * predicate for an active test will be ignored. This makes it possible to write multiple tests in
+   * different `.ql` files that all query the same source code.
+   */
+  abstract string getARelevantTag();
+
+  /**
+   * Returns the actual results of the query that is being tested. Each result consist of the
+   * following values:
+   * - `location` - The source code location of the result. Any expected result comment must appear
+   *   on the start line of this location.
+   * - `element` - Display text for the element on which the result is reported.
+   * - `tag` - The tag that marks this result as coming from this test. This must be one of the tags
+   *   returned by `getARelevantTag()`.
+   * - `value` - The value of the result, which will be matched against the value associated with
+   *   `tag` in any expected result comment on that line.
+   */
+  abstract predicate hasActualResult(Location location, string element, string tag, string value);
+
+  final predicate hasFailureMessage(FailureLocatable element, string message) {
+    exists(ActualResult actualResult |
+      actualResult.getTest() = this and
+      element = actualResult and
+      (
+        exists(FalseNegativeExpectation falseNegative |
+          falseNegative.matchesActualResult(actualResult) and
+          message = "Fixed missing result:" + falseNegative.getExpectationText()
+        )
+        or
+        not exists(ValidExpectation expectation | expectation.matchesActualResult(actualResult)) and
+        message = "Unexpected result: " + actualResult.getExpectationText()
+      )
+    )
+    or
+    exists(ValidExpectation expectation |
+      not exists(ActualResult actualResult | expectation.matchesActualResult(actualResult)) and
+      expectation.getTag() = getARelevantTag() and
+      element = expectation and
+      (
+        expectation instanceof GoodExpectation and
+        message = "Missing result:" + expectation.getExpectationText()
+        or
+        expectation instanceof FalsePositiveExpectation and
+        message = "Fixed spurious result:" + expectation.getExpectationText()
+      )
+    )
+    or
+    exists(InvalidExpectation expectation |
+      element = expectation and
+      message = "Invalid expectation syntax: " + expectation.getExpectation()
+    )
+  }
+}
+
+/**
+ * RegEx pattern to match a comment containing one or more expected results. The comment must have
+ * `$` as its first non-whitespace character. Any subsequent character
+ * is treated as part of the expected results, except that the comment may contain a `//` sequence
+ * to treat the remainder of the line as a regular (non-interpreted) comment.
+ */
+private string expectationCommentPattern() { result = "\\s*\\$((?:[^/]|/[^/])*)(?://.*)?" }
+
+/**
+ * The possible columns in an expectation comment. The `TDefaultColumn` branch represents the first
+ * column in a comment. This column is not precedeeded by a name. `TNamedColumn(name)` represents a
+ * column containing expected results preceeded by the string `name:`.
+ */
+private newtype TColumn =
+  TDefaultColumn() or
+  TNamedColumn(string name) { name = ["MISSING", "SPURIOUS"] }
+
+bindingset[start, content]
+private int getEndOfColumnPosition(int start, string content) {
+  result =
+    min(string name, int cand |
+      exists(TNamedColumn(name)) and
+      cand = content.indexOf(name + ":") and
+      cand > start
+    |
+      cand
+    )
+  or
+  not exists(string name |
+    exists(TNamedColumn(name)) and
+    content.indexOf(name + ":") > start
+  ) and
+  result = content.length()
+}
+
+private predicate getAnExpectation(
+  LineComment comment, TColumn column, string expectation, string tags, string value
+) {
+  exists(string content |
+    content = comment.getContents().regexpCapture(expectationCommentPattern(), 1) and
+    (
+      column = TDefaultColumn() and
+      exists(int end |
+        end = getEndOfColumnPosition(0, content) and
+        expectation = content.prefix(end).regexpFind(expectationPattern(), _, _).trim()
+      )
+      or
+      exists(string name, int start, int end |
+        column = TNamedColumn(name) and
+        start = content.indexOf(name + ":") + name.length() + 1 and
+        end = getEndOfColumnPosition(start, content) and
+        expectation = content.substring(start, end).regexpFind(expectationPattern(), _, _).trim()
+      )
+    )
+  ) and
+  tags = expectation.regexpCapture(expectationPattern(), 1) and
+  if exists(expectation.regexpCapture(expectationPattern(), 2))
+  then value = expectation.regexpCapture(expectationPattern(), 2)
+  else value = ""
+}
+
+private string getColumnString(TColumn column) {
+  column = TDefaultColumn() and result = ""
+  or
+  column = TNamedColumn(result)
+}
+
+/**
+ * RegEx pattern to match a single expected result, not including the leading `$`. It consists of one or
+ * more comma-separated tags containing only letters, digits, `-` and `_` (note that the first character
+ * must not be a digit), optionally followed by `=` and the expected value.
+ */
+private string expectationPattern() {
+  exists(string tag, string tags, string value |
+    tag = "[A-Za-z-_][A-Za-z-_0-9]*" and
+    tags = "((?:" + tag + ")(?:\\s*,\\s*" + tag + ")*)" and
+    value = "((?:\"[^\"]*\"|'[^']*'|\\S+)*)" and
+    result = tags + "(?:=" + value + ")?"
+  )
+}
+
+private newtype TFailureLocatable =
+  TActualResult(
+    InlineExpectationsTest test, Location location, string element, string tag, string value
+  ) {
+    test.hasActualResult(location, element, tag, value)
+  } or
+  TValidExpectation(LineComment comment, string tag, string value, string knownFailure) {
+    exists(TColumn column, string tags |
+      getAnExpectation(comment, column, _, tags, value) and
+      tag = tags.splitAt(",") and
+      knownFailure = getColumnString(column)
+    )
+  } or
+  TInvalidExpectation(LineComment comment, string expectation) {
+    getAnExpectation(comment, _, expectation, _, _) and
+    not expectation.regexpMatch(expectationPattern())
+  }
+
+class FailureLocatable extends TFailureLocatable {
+  string toString() { none() }
+
+  Location getLocation() { none() }
+
+  final string getExpectationText() { result = getTag() + "=" + getValue() }
+
+  string getTag() { none() }
+
+  string getValue() { none() }
+}
+
+class ActualResult extends FailureLocatable, TActualResult {
+  InlineExpectationsTest test;
+  Location location;
+  string element;
+  string tag;
+  string value;
+
+  ActualResult() { this = TActualResult(test, location, element, tag, value) }
+
+  override string toString() { result = element }
+
+  override Location getLocation() { result = location }
+
+  InlineExpectationsTest getTest() { result = test }
+
+  override string getTag() { result = tag }
+
+  override string getValue() { result = value }
+}
+
+abstract private class Expectation extends FailureLocatable {
+  LineComment comment;
+
+  override string toString() { result = comment.toString() }
+
+  override Location getLocation() { result = comment.getLocation() }
+}
+
+private class ValidExpectation extends Expectation, TValidExpectation {
+  string tag;
+  string value;
+  string knownFailure;
+
+  ValidExpectation() { this = TValidExpectation(comment, tag, value, knownFailure) }
+
+  override string getTag() { result = tag }
+
+  override string getValue() { result = value }
+
+  string getKnownFailure() { result = knownFailure }
+
+  predicate matchesActualResult(ActualResult actualResult) {
+    getLocation().getStartLine() = actualResult.getLocation().getStartLine() and
+    getLocation().getFile() = actualResult.getLocation().getFile() and
+    getTag() = actualResult.getTag() and
+    getValue() = actualResult.getValue()
+  }
+}
+
+/* Note: These next three classes correspond to all the possible values of type `TColumn`. */
+class GoodExpectation extends ValidExpectation {
+  GoodExpectation() { getKnownFailure() = "" }
+}
+
+class FalsePositiveExpectation extends ValidExpectation {
+  FalsePositiveExpectation() { getKnownFailure() = "SPURIOUS" }
+}
+
+class FalseNegativeExpectation extends ValidExpectation {
+  FalseNegativeExpectation() { getKnownFailure() = "MISSING" }
+}
+
+class InvalidExpectation extends Expectation, TInvalidExpectation {
+  string expectation;
+
+  InvalidExpectation() { this = TInvalidExpectation(comment, expectation) }
+
+  string getExpectation() { result = expectation }
+}
+
+query predicate failures(FailureLocatable element, string message) {
+  exists(InlineExpectationsTest test | test.hasFailureMessage(element, message))
+}
diff --git a/java/ql/test/TestUtilities/InlineExpectationsTestPrivate.qll b/java/ql/test/TestUtilities/InlineExpectationsTestPrivate.qll
new file mode 100644
index 00000000000..e2c0e0091ba
--- /dev/null
+++ b/java/ql/test/TestUtilities/InlineExpectationsTestPrivate.qll
@@ -0,0 +1,12 @@
+import java
+
+/**
+ * A class representing line comments in Java, which is simply Javadoc restricted
+ * to EOL comments, with an extra accessor used by the InlineExpectations core code
+ */
+class LineComment extends Javadoc {
+  LineComment() { isEolComment(this) }
+
+  /** Gets the contents of the given comment, _without_ the preceding comment marker (`//`). */
+  string getContents() { result = this.getChild(0).toString() }
+}

From a2eeffa9c0cced684ace5ff6780e5afaaa8ed1fc Mon Sep 17 00:00:00 2001
From: Chris Smowton <smowton@github.com>
Date: Tue, 9 Feb 2021 14:21:39 +0000
Subject: [PATCH 404/429] Add support for Apache Commons Lang StringUtils

---
 .../2021-02-09-commons-string-utils.md        |   2 +
 .../code/java/frameworks/apache/Lang.qll      |  55 +
 .../frameworks/apache-commons-lang3/Test.java | 278 +++++
 .../apache-commons-lang3/flow.expected        |   0
 .../frameworks/apache-commons-lang3/flow.ql   |  30 +
 .../frameworks/apache-commons-lang3/options   |   1 +
 .../org/apache/commons/lang3/StringUtils.java | 963 ++++++++++++++++++
 7 files changed, 1329 insertions(+)
 create mode 100644 java/change-notes/2021-02-09-commons-string-utils.md
 create mode 100644 java/ql/test/library-tests/frameworks/apache-commons-lang3/Test.java
 create mode 100644 java/ql/test/library-tests/frameworks/apache-commons-lang3/flow.expected
 create mode 100644 java/ql/test/library-tests/frameworks/apache-commons-lang3/flow.ql
 create mode 100644 java/ql/test/library-tests/frameworks/apache-commons-lang3/options
 create mode 100644 java/ql/test/stubs/apache-commons-lang3-3.7/org/apache/commons/lang3/StringUtils.java

diff --git a/java/change-notes/2021-02-09-commons-string-utils.md b/java/change-notes/2021-02-09-commons-string-utils.md
new file mode 100644
index 00000000000..0e2a4037fb2
--- /dev/null
+++ b/java/change-notes/2021-02-09-commons-string-utils.md
@@ -0,0 +1,2 @@
+lgtm,codescanning
+* Added support for the Apache Commons Lang StringUtils library.
diff --git a/java/ql/src/semmle/code/java/frameworks/apache/Lang.qll b/java/ql/src/semmle/code/java/frameworks/apache/Lang.qll
index 6f5c8e0d8d1..6bec45240d7 100644
--- a/java/ql/src/semmle/code/java/frameworks/apache/Lang.qll
+++ b/java/ql/src/semmle/code/java/frameworks/apache/Lang.qll
@@ -63,3 +63,58 @@ private class ApacheLangArrayUtilsTaintPreservingMethod extends TaintPreservingC
     src = [0, 2]
   }
 }
+
+private Type getAnExcludedParameterType() {
+  result instanceof PrimitiveType or
+  result.(RefType).hasQualifiedName("java.nio.charset", "Charset") or
+  result.(RefType).hasQualifiedName("java.util", "Locale")
+}
+
+private class ApacheStringUtilsTaintPreservingMethod extends TaintPreservingCallable {
+  ApacheStringUtilsTaintPreservingMethod() {
+    this.getDeclaringType().hasQualifiedName("org.apache.commons.lang3", "StringUtils") and
+    this.hasName([
+        "abbreviate", "abbreviateMiddle", "appendIfMissing", "appendIfMissingIgnoreCase",
+        "capitalize", "center", "chomp", "chop", "defaultIfBlank", "defaultIfEmpty",
+        "defaultString", "deleteWhitespace", "difference", "firstNonBlank", "firstNonEmpty",
+        "getBytes", "getCommonPrefix", "getDigits", "getIfBlank", "getIfEmpty", "join", "joinWith",
+        "left", "leftPad", "lowerCase", "mid", "normalizeSpace", "overlay", "prependIfMissing",
+        "prependIfMissingIgnoreCase", "remove", "removeAll", "removeEnd", "removeEndIgnoreCase",
+        "removeFirst", "removeIgnoreCase", "removePattern", "removeStart", "removeStartIgnoreCase",
+        "repeat", "replace", "replaceAll", "replaceChars", "replaceEach", "replaceEachRepeatedly",
+        "replaceFirst", "replaceIgnoreCase", "replaceOnce", "replaceOnceIgnoreCase",
+        "replacePattern", "reverse", "reverseDelimited", "right", "rightPad", "rotate", "split",
+        "splitByCharacterType", "splitByCharacterTypeCamelCase", "splitByWholeSeparator",
+        "splitByWholeSeparatorPreserveAllTokens", "splitPreserveAllTokens", "strip", "stripAccents",
+        "stripAll", "stripEnd", "stripStart", "stripToEmpty", "stripToNull", "substring",
+        "substringAfter", "substringAfterLast", "substringBefore", "substringBeforeLast",
+        "substringBetween", "substringsBetween", "swapCase", "toCodePoints", "toEncodedString",
+        "toRootLowerCase", "toRootUpperCase", "toString", "trim", "trimToEmpty", "trimToNull",
+        "truncate", "uncapitalize", "unwrap", "upperCase", "valueOf", "wrap", "wrapIfMissing"
+      ])
+  }
+
+  private predicate isExcludedParameter(int arg) {
+    this.getName().matches(["appendIfMissing%", "prependIfMissing%"]) and arg = [2, 3]
+    or
+    this.getName().matches(["remove%", "split%", "substring%", "strip%"]) and
+    arg = [1 .. getNumberOfParameters() - 1]
+    or
+    this.getName().matches(["chomp", "getBytes", "replace%", "toString", "unwrap"]) and arg = 1
+    or
+    this.getName() = "join" and
+    // Exclude joins of types that render numerically (char[] and non-primitive arrays
+    // are still considered taint sources)
+    exists(PrimitiveType pt |
+      this.getParameterType(arg).(Array).getComponentType() = pt and
+      not pt instanceof CharacterType
+    ) and
+    arg = 0
+  }
+
+  override predicate returnsTaintFrom(int arg) {
+    arg = [0 .. getNumberOfParameters() - 1] and
+    not this.getParameterType(arg) = getAnExcludedParameterType() and
+    not isExcludedParameter(arg)
+  }
+}
diff --git a/java/ql/test/library-tests/frameworks/apache-commons-lang3/Test.java b/java/ql/test/library-tests/frameworks/apache-commons-lang3/Test.java
new file mode 100644
index 00000000000..0a554a7d449
--- /dev/null
+++ b/java/ql/test/library-tests/frameworks/apache-commons-lang3/Test.java
@@ -0,0 +1,278 @@
+import org.apache.commons.lang3.StringUtils;
+import java.nio.charset.Charset;
+import java.util.ArrayList;
+import java.util.List;
+import java.util.Locale;
+
+class Test {
+    String taint() { return "tainted"; }
+
+    void sink(Object o) {}
+
+    void test() throws Exception {
+
+        // All these calls should convey taint to `sink` except as noted.
+        sink(StringUtils.abbreviate(taint(), 0)); // $hasTaintFlow=y
+        sink(StringUtils.abbreviate(taint(), 0, 0)); // $hasTaintFlow=y
+        sink(StringUtils.abbreviate(taint(), "...", 0)); // $hasTaintFlow=y
+        sink(StringUtils.abbreviate("Untainted", taint(), 0)); // $hasTaintFlow=y
+        sink(StringUtils.abbreviate(taint(), "...", 0, 0)); // $hasTaintFlow=y
+        sink(StringUtils.abbreviate("Untainted", taint(), 0, 0)); // $hasTaintFlow=y
+        sink(StringUtils.abbreviateMiddle(taint(), "...", 0)); // $hasTaintFlow=y
+        sink(StringUtils.abbreviateMiddle("Untainted", taint(), 0)); // $hasTaintFlow=y
+        sink(StringUtils.appendIfMissing(taint(), "suffix", "candsuffix1", "candsuffix2")); // $hasTaintFlow=y
+        sink(StringUtils.appendIfMissing("prefix", taint(), "candsuffix1", "candsuffix2")); // $hasTaintFlow=y
+        // (next 2 calls) GOOD: candidate suffixes do not flow to the return value.
+        sink(StringUtils.appendIfMissing("prefix", "suffix", taint(), "candsuffix2"));
+        sink(StringUtils.appendIfMissing("prefix", "suffix", "candsuffix1", taint()));
+        sink(StringUtils.appendIfMissingIgnoreCase(taint(), "suffix", "candsuffix1", "candsuffix2")); // $hasTaintFlow=y
+        sink(StringUtils.appendIfMissingIgnoreCase("prefix", taint(), "candsuffix1", "candsuffix2")); // $hasTaintFlow=y
+        // (next 2 calls) GOOD: candidate suffixes do not flow to the return value.
+        sink(StringUtils.appendIfMissingIgnoreCase("prefix", "suffix", taint(), "candsuffix2"));
+        sink(StringUtils.appendIfMissingIgnoreCase("prefix", "suffix", "candsuffix1", taint()));
+        sink(StringUtils.capitalize(taint())); // $hasTaintFlow=y
+        sink(StringUtils.center(taint(), 0)); // $hasTaintFlow=y
+        sink(StringUtils.center(taint(), 0, 'x')); // $hasTaintFlow=y
+        sink(StringUtils.center(taint(), 0, "padding string")); // $hasTaintFlow=y
+        sink(StringUtils.center("Center me", 0, taint())); // $hasTaintFlow=y
+        sink(StringUtils.chomp(taint())); // $hasTaintFlow=y
+        sink(StringUtils.chomp(taint(), "separator")); // $hasTaintFlow=y
+        // GOOD: separator does not flow to the return value.
+        sink(StringUtils.chomp("Chomp me", taint()));
+        sink(StringUtils.chop(taint())); // $hasTaintFlow=y
+        sink(StringUtils.defaultIfBlank(taint(), "default")); // $hasTaintFlow=y
+        sink(StringUtils.defaultIfBlank("Perhaps blank", taint())); // $hasTaintFlow=y
+        sink(StringUtils.defaultIfEmpty(taint(), "default")); // $hasTaintFlow=y
+        sink(StringUtils.defaultIfEmpty("Perhaps empty", taint())); // $hasTaintFlow=y
+        sink(StringUtils.defaultString(taint())); // $hasTaintFlow=y
+        sink(StringUtils.defaultString(taint(), "default string")); // $hasTaintFlow=y
+        sink(StringUtils.defaultString("perhaps null", taint())); // $hasTaintFlow=y
+        sink(StringUtils.deleteWhitespace(taint())); // $hasTaintFlow=y
+        sink(StringUtils.difference(taint(), "rhs")); // $hasTaintFlow=y
+        sink(StringUtils.difference("lhs", taint())); // $hasTaintFlow=y
+        sink(StringUtils.firstNonBlank(taint(), "second string")); // $hasTaintFlow=y
+        sink(StringUtils.firstNonBlank("first string", taint())); // $hasTaintFlow=y
+        sink(StringUtils.firstNonEmpty(taint(), "second string")); // $hasTaintFlow=y
+        sink(StringUtils.firstNonEmpty("first string", taint())); // $hasTaintFlow=y
+        sink(StringUtils.getBytes(taint(), (Charset)null)); // $hasTaintFlow=y
+        sink(StringUtils.getBytes(taint(), "some charset")); // $hasTaintFlow=y
+        // GOOD: charset names are not a source of taint
+        sink(StringUtils.getBytes("some string", taint()));
+        sink(StringUtils.getCommonPrefix(taint(), "second string")); // $hasTaintFlow=y
+        sink(StringUtils.getCommonPrefix("first string", taint())); // $hasTaintFlow=y
+        sink(StringUtils.getDigits(taint())); // $hasTaintFlow=y
+        sink(StringUtils.getIfBlank(taint(), () -> "default")); // $hasTaintFlow=y
+        sink(StringUtils.getIfEmpty(taint(), () -> "default")); // $hasTaintFlow=y
+        // BAD (but not detected yet): latent taint in lambdas
+        sink(StringUtils.getIfBlank("maybe blank", () -> taint()));
+        sink(StringUtils.getIfEmpty("maybe blank", () -> taint()));
+        // GOOD: byte arrays render as numbers, so can't usefully convey most forms
+        // of tainted data.
+        sink(StringUtils.join(StringUtils.getBytes(taint(), "UTF-8"), ' '));
+        sink(StringUtils.join(StringUtils.getBytes(taint(), "UTF-8"), ' ', 0, 0));
+        sink(StringUtils.join(taint().toCharArray(), ' ')); // $hasTaintFlow=y
+        sink(StringUtils.join(taint().toCharArray(), ' ', 0, 0)); // $hasTaintFlow=y
+        // Testing the Iterable<?> overloads of `join`
+        List<String> taintedList = new ArrayList<>();
+        taintedList.add(taint());
+        sink(StringUtils.join(taintedList, ' ')); // $hasTaintFlow=y
+        sink(StringUtils.join(taintedList, "sep")); // $hasTaintFlow=y
+        List<String> untaintedList = new ArrayList<>();
+        sink(StringUtils.join(untaintedList, taint())); // $hasTaintFlow=y
+        // Testing the Iterator<?> overloads of `join`
+        sink(StringUtils.join(taintedList.iterator(), ' ')); // $hasTaintFlow=y
+        sink(StringUtils.join(taintedList.iterator(), "sep")); // $hasTaintFlow=y
+        sink(StringUtils.join(untaintedList.iterator(), taint())); // $hasTaintFlow=y
+        // Testing the List<?> overloads of `join`, which have start/end indices
+        sink(StringUtils.join(taintedList, ' ', 0, 0)); // $hasTaintFlow=y
+        sink(StringUtils.join(taintedList, "sep", 0, 0)); // $hasTaintFlow=y
+        sink(StringUtils.join(untaintedList, taint(), 0, 0)); // $hasTaintFlow=y
+        // Testing the Object[] overloads of `join`, which may have start/end indices
+        Object[] taintedArray = new Object[] { taint() };
+        sink(StringUtils.join(taintedArray, ' ')); // $hasTaintFlow=y
+        sink(StringUtils.join(taintedArray, "sep")); // $hasTaintFlow=y
+        sink(StringUtils.join(taintedArray, ' ', 0, 0)); // $hasTaintFlow=y
+        sink(StringUtils.join(taintedArray, "sep", 0, 0)); // $hasTaintFlow=y
+        Object[] untaintedArray = new Object[] { "safe" };
+        sink(StringUtils.join(untaintedArray, taint())); // $hasTaintFlow=y
+        sink(StringUtils.join(untaintedArray, taint(), 0, 0)); // $hasTaintFlow=y
+        // Testing the variadic overload of `join` and `joinWith`
+        sink(StringUtils.join(taint(), "other string")); // $hasTaintFlow=y
+        sink(StringUtils.join("other string before", taint())); // $hasTaintFlow=y
+        sink(StringUtils.joinWith("separator", taint(), "other string")); // $hasTaintFlow=y
+        sink(StringUtils.joinWith("separator", "other string before", taint())); // $hasTaintFlow=y
+        sink(StringUtils.joinWith(taint(), "other string before", "other string after")); // $hasTaintFlow=y
+        // End of `join` tests
+        sink(StringUtils.left(taint(), 0)); // $hasTaintFlow=y
+        sink(StringUtils.leftPad(taint(), 0)); // $hasTaintFlow=y
+        sink(StringUtils.leftPad(taint(), 0, ' ')); // $hasTaintFlow=y
+        sink(StringUtils.leftPad(taint(), 0, "padding")); // $hasTaintFlow=y
+        sink(StringUtils.leftPad("to pad", 0, taint())); // $hasTaintFlow=y
+        sink(StringUtils.lowerCase(taint())); // $hasTaintFlow=y
+        sink(StringUtils.lowerCase(taint(), Locale.UK)); // $hasTaintFlow=y
+        sink(StringUtils.mid(taint(), 0, 0)); // $hasTaintFlow=y
+        sink(StringUtils.normalizeSpace(taint())); // $hasTaintFlow=y
+        sink(StringUtils.overlay(taint(), "overlay", 0, 0)); // $hasTaintFlow=y
+        sink(StringUtils.overlay("underlay", taint(), 0, 0)); // $hasTaintFlow=y
+        sink(StringUtils.prependIfMissing(taint(), "append prefix", "check prefix 1", "check prefix 2")); // $hasTaintFlow=y
+        sink(StringUtils.prependIfMissing("original string", taint(), "check prefix 1", "check prefix 2")); // $hasTaintFlow=y
+        // (next 2 calls) GOOD: args 3+ are checked against but do not propagate to the return value
+        sink(StringUtils.prependIfMissing("original string", "append prefix", taint(), "check prefix 2"));
+        sink(StringUtils.prependIfMissing("original string", "append prefix", "check prefix 1", taint()));
+        sink(StringUtils.prependIfMissingIgnoreCase(taint(), "append prefix", "check prefix 1", "check prefix 2")); // $hasTaintFlow=y
+        sink(StringUtils.prependIfMissingIgnoreCase("original string", taint(), "check prefix 1", "check prefix 2")); // $hasTaintFlow=y
+        // (next 2 calls) GOOD: args 3+ are checked against but do not propagate to the return value
+        sink(StringUtils.prependIfMissingIgnoreCase("original string", "append prefix", taint(), "check prefix 2"));
+        sink(StringUtils.prependIfMissingIgnoreCase("original string", "append prefix", "check prefix 1", taint()));
+        sink(StringUtils.remove(taint(), ' ')); // $hasTaintFlow=y
+        sink(StringUtils.remove(taint(), "delete me")); // $hasTaintFlow=y
+        sink(StringUtils.removeAll(taint(), "delete me")); // $hasTaintFlow=y
+        sink(StringUtils.removeEnd(taint(), "delete me")); // $hasTaintFlow=y
+        sink(StringUtils.removeEndIgnoreCase(taint(), "delete me")); // $hasTaintFlow=y
+        sink(StringUtils.removeFirst(taint(), "delete me")); // $hasTaintFlow=y
+        sink(StringUtils.removeIgnoreCase(taint(), "delete me")); // $hasTaintFlow=y
+        sink(StringUtils.removePattern(taint(), "delete me")); // $hasTaintFlow=y
+        sink(StringUtils.removeStart(taint(), "delete me")); // $hasTaintFlow=y
+        sink(StringUtils.removeStartIgnoreCase(taint(), "delete me")); // $hasTaintFlow=y
+        // GOOD (next 9 calls): the removed string doesn't propagate to the return value
+        sink(StringUtils.remove("remove from", taint()));
+        sink(StringUtils.removeAll("remove from", taint()));
+        sink(StringUtils.removeEnd("remove from", taint()));
+        sink(StringUtils.removeEndIgnoreCase("remove from", taint()));
+        sink(StringUtils.removeFirst("remove from", taint()));
+        sink(StringUtils.removeIgnoreCase("remove from", taint()));
+        sink(StringUtils.removePattern("remove from", taint()));
+        sink(StringUtils.removeStart("remove from", taint()));
+        sink(StringUtils.removeStartIgnoreCase("remove from", taint()));
+        sink(StringUtils.repeat(taint(), 1)); // $hasTaintFlow=y
+        sink(StringUtils.repeat(taint(), "separator", 1)); // $hasTaintFlow=y
+        sink(StringUtils.repeat("repeat me", taint(), 1)); // $hasTaintFlow=y
+        sink(StringUtils.replace(taint(), "search", "replacement")); // $hasTaintFlow=y
+        sink(StringUtils.replace("haystack", "search", taint())); // $hasTaintFlow=y
+        sink(StringUtils.replace(taint(), "search", "replacement", 0)); // $hasTaintFlow=y
+        sink(StringUtils.replace("haystack", "search", taint(), 0)); // $hasTaintFlow=y
+        sink(StringUtils.replaceAll(taint(), "search", "replacement")); // $hasTaintFlow=y
+        sink(StringUtils.replaceAll("haystack", "search", taint())); // $hasTaintFlow=y
+        sink(StringUtils.replaceChars(taint(), 'a', 'b')); // $hasTaintFlow=y
+        sink(StringUtils.replaceChars(taint(), "abc", "xyz")); // $hasTaintFlow=y
+        sink(StringUtils.replaceChars("haystack", "abc", taint())); // $hasTaintFlow=y
+        sink(StringUtils.replaceEach(taint(), new String[] { "search" }, new String[] { "replacement" })); // $hasTaintFlow=y
+        sink(StringUtils.replaceEach("haystack", new String[] { "search" }, new String[] { taint() })); // $hasTaintFlow=y
+        sink(StringUtils.replaceEachRepeatedly(taint(), new String[] { "search" }, new String[] { "replacement" })); // $hasTaintFlow=y
+        sink(StringUtils.replaceEachRepeatedly("haystack", new String[] { "search" }, new String[] { taint() })); // $hasTaintFlow=y
+        sink(StringUtils.replaceFirst(taint(), "search", "replacement")); // $hasTaintFlow=y
+        sink(StringUtils.replaceFirst("haystack", "search", taint())); // $hasTaintFlow=y
+        sink(StringUtils.replaceIgnoreCase(taint(), "search", "replacement")); // $hasTaintFlow=y
+        sink(StringUtils.replaceIgnoreCase("haystack", "search", taint())); // $hasTaintFlow=y
+        sink(StringUtils.replaceOnce(taint(), "search", "replacement")); // $hasTaintFlow=y
+        sink(StringUtils.replaceOnce("haystack", "search", taint())); // $hasTaintFlow=y
+        sink(StringUtils.replaceOnceIgnoreCase(taint(), "search", "replacement")); // $hasTaintFlow=y
+        sink(StringUtils.replaceOnceIgnoreCase("haystack", "search", taint())); // $hasTaintFlow=y
+        sink(StringUtils.replacePattern(taint(), "search", "replacement")); // $hasTaintFlow=y
+        sink(StringUtils.replacePattern("haystack", "search", taint())); // $hasTaintFlow=y
+        // GOOD (next 11 calls): searched string in replace methods does not flow to the return value.
+        sink(StringUtils.replace("haystack", taint(), "replacement"));
+        sink(StringUtils.replace("haystack", taint(), "replacement", 0));
+        sink(StringUtils.replaceAll("haystack", taint(), "replacement"));
+        sink(StringUtils.replaceChars("haystack", taint(), "xyz"));
+        sink(StringUtils.replaceEach("haystack", new String[] { taint() }, new String[] { "replacement" }));
+        sink(StringUtils.replaceEachRepeatedly("haystack", new String[] { taint() }, new String[] { "replacement" }));
+        sink(StringUtils.replaceFirst("haystack", taint(), "replacement"));
+        sink(StringUtils.replaceIgnoreCase("haystack", taint(), "replacement"));
+        sink(StringUtils.replaceOnce("haystack", taint(), "replacement"));
+        sink(StringUtils.replaceOnceIgnoreCase("haystack", taint(), "replacement"));
+        sink(StringUtils.replacePattern("haystack", taint(), "replacement"));
+        sink(StringUtils.reverse(taint())); // $hasTaintFlow=y
+        sink(StringUtils.reverseDelimited(taint(), ',')); // $hasTaintFlow=y
+        sink(StringUtils.right(taint(), 0)); // $hasTaintFlow=y
+        sink(StringUtils.rightPad(taint(), 0)); // $hasTaintFlow=y
+        sink(StringUtils.rightPad(taint(), 0, ' ')); // $hasTaintFlow=y
+        sink(StringUtils.rightPad(taint(), 0, "padding")); // $hasTaintFlow=y
+        sink(StringUtils.rightPad("to pad", 0, taint())); // $hasTaintFlow=y
+        sink(StringUtils.rotate(taint(), 0)); // $hasTaintFlow=y
+        sink(StringUtils.split(taint())); // $hasTaintFlow=y
+        sink(StringUtils.split(taint(), ' ')); // $hasTaintFlow=y
+        sink(StringUtils.split(taint(), " ,; // $hasTaintFlow=y")); // $hasTaintFlow=y
+        sink(StringUtils.split(taint(), " ,; // $hasTaintFlow=y", 0)); // $hasTaintFlow=y
+        sink(StringUtils.splitByCharacterType(taint())); // $hasTaintFlow=y
+        sink(StringUtils.splitByCharacterTypeCamelCase(taint())); // $hasTaintFlow=y
+        sink(StringUtils.splitByWholeSeparator(taint(), "separator")); // $hasTaintFlow=y
+        sink(StringUtils.splitByWholeSeparator(taint(), "separator", 0)); // $hasTaintFlow=y
+        sink(StringUtils.splitByWholeSeparatorPreserveAllTokens(taint(), "separator")); // $hasTaintFlow=y
+        sink(StringUtils.splitByWholeSeparatorPreserveAllTokens(taint(), "separator", 0)); // $hasTaintFlow=y
+        sink(StringUtils.splitPreserveAllTokens(taint())); // $hasTaintFlow=y
+        sink(StringUtils.splitPreserveAllTokens(taint(), ' ')); // $hasTaintFlow=y
+        sink(StringUtils.splitPreserveAllTokens(taint(), " ,;")); // $hasTaintFlow=y
+        sink(StringUtils.splitPreserveAllTokens(taint(), " ,;", 0)); // $hasTaintFlow=y
+        // GOOD (next 8 calls): separators don't propagate to the return value
+        sink(StringUtils.split("to split", taint()));
+        sink(StringUtils.split("to split", taint(), 0));
+        sink(StringUtils.splitPreserveAllTokens("to split", taint(), 0));
+        sink(StringUtils.splitByWholeSeparator("to split", taint()));
+        sink(StringUtils.splitByWholeSeparator("to split", taint(), 0));
+        sink(StringUtils.splitByWholeSeparatorPreserveAllTokens("to split", taint()));
+        sink(StringUtils.splitByWholeSeparatorPreserveAllTokens("to split", taint(), 0));
+        sink(StringUtils.splitPreserveAllTokens("to split", taint()));
+        sink(StringUtils.strip(taint())); // $hasTaintFlow=y
+        sink(StringUtils.strip(taint(), "charstoremove")); // $hasTaintFlow=y
+        sink(StringUtils.stripAccents(taint())); // $hasTaintFlow=y
+        sink(StringUtils.stripAll(new String[] { taint() }, "charstoremove")); // $hasTaintFlow=y
+        sink(StringUtils.stripEnd(taint(), "charstoremove")); // $hasTaintFlow=y
+        sink(StringUtils.stripStart(taint(), "charstoremove")); // $hasTaintFlow=y
+        // GOOD (next 4 calls): stripped chars do not flow to the return value.
+        sink(StringUtils.strip("original text", taint()));
+        sink(StringUtils.stripAll(new String[] { "original text" }, taint()));
+        sink(StringUtils.stripEnd("original text", taint()));
+        sink(StringUtils.stripStart("original text", taint()));
+        sink(StringUtils.stripToEmpty(taint())); // $hasTaintFlow=y
+        sink(StringUtils.stripToNull(taint())); // $hasTaintFlow=y
+        sink(StringUtils.substring(taint(), 0)); // $hasTaintFlow=y
+        sink(StringUtils.substring(taint(), 0, 0)); // $hasTaintFlow=y
+        sink(StringUtils.substringAfter(taint(), 0)); // $hasTaintFlow=y
+        sink(StringUtils.substringAfter(taint(), "separator")); // $hasTaintFlow=y
+        sink(StringUtils.substringAfterLast(taint(), 0)); // $hasTaintFlow=y
+        sink(StringUtils.substringAfterLast(taint(), "separator")); // $hasTaintFlow=y
+        sink(StringUtils.substringBefore(taint(), "separator")); // $hasTaintFlow=y
+        sink(StringUtils.substringBeforeLast(taint(), "separator")); // $hasTaintFlow=y
+        sink(StringUtils.substringBetween(taint(), "separator")); // $hasTaintFlow=y
+        sink(StringUtils.substringBetween(taint(), "start-tag", "end-tag")); // $hasTaintFlow=y
+        sink(StringUtils.substringsBetween(taint(), "start-tag", "end-tag")[0]); // $hasTaintFlow=y
+        // GOOD (next 9 calls): separators and bounding tags do not flow to the return value.
+        sink(StringUtils.substringAfter("original text", taint()));
+        sink(StringUtils.substringAfterLast("original text", taint()));
+        sink(StringUtils.substringBefore("original text", taint()));
+        sink(StringUtils.substringBeforeLast("original text", taint()));
+        sink(StringUtils.substringBetween("original text", taint()));
+        sink(StringUtils.substringBetween("original text", taint(), "end-tag"));
+        sink(StringUtils.substringBetween("original text", "start-tag", taint()));
+        sink(StringUtils.substringsBetween("original text", taint(), "end-tag")[0]);
+        sink(StringUtils.substringsBetween("original text", "start-tag", taint())[0]);
+        sink(StringUtils.swapCase(taint())); // $hasTaintFlow=y
+        sink(StringUtils.toCodePoints(taint())); // $hasTaintFlow=y
+        sink(StringUtils.toEncodedString(StringUtils.getBytes(taint(), "charset"), null)); // $hasTaintFlow=y
+        sink(StringUtils.toRootLowerCase(taint())); // $hasTaintFlow=y
+        sink(StringUtils.toRootUpperCase(taint())); // $hasTaintFlow=y
+        sink(StringUtils.toString(StringUtils.getBytes(taint(), "charset"), "charset")); // $hasTaintFlow=y
+        sink(StringUtils.trim(taint())); // $hasTaintFlow=y
+        sink(StringUtils.trimToEmpty(taint())); // $hasTaintFlow=y
+        sink(StringUtils.trimToNull(taint())); // $hasTaintFlow=y
+        sink(StringUtils.truncate(taint(), 0)); // $hasTaintFlow=y
+        sink(StringUtils.truncate(taint(), 0, 0)); // $hasTaintFlow=y
+        sink(StringUtils.uncapitalize(taint())); // $hasTaintFlow=y
+        sink(StringUtils.unwrap(taint(), '"')); // $hasTaintFlow=y
+        sink(StringUtils.unwrap(taint(), "separator")); // $hasTaintFlow=y
+        // GOOD: the wrapper string does not flow to the return value.
+        sink(StringUtils.unwrap("original string", taint()));
+        sink(StringUtils.upperCase(taint())); // $hasTaintFlow=y
+        sink(StringUtils.upperCase(taint(), null)); // $hasTaintFlow=y
+        sink(StringUtils.valueOf(taint().toCharArray())); // $hasTaintFlow=y
+        sink(StringUtils.wrap(taint(), '"')); // $hasTaintFlow=y
+        sink(StringUtils.wrap(taint(), "wrapper token")); // $hasTaintFlow=y
+        sink(StringUtils.wrap("wrap me", taint())); // $hasTaintFlow=y
+        sink(StringUtils.wrapIfMissing(taint(), '"')); // $hasTaintFlow=y
+        sink(StringUtils.wrapIfMissing(taint(), "wrapper token")); // $hasTaintFlow=y
+        sink(StringUtils.wrapIfMissing("wrap me", taint())); // $hasTaintFlow=y
+
+    }
+
+}
\ No newline at end of file
diff --git a/java/ql/test/library-tests/frameworks/apache-commons-lang3/flow.expected b/java/ql/test/library-tests/frameworks/apache-commons-lang3/flow.expected
new file mode 100644
index 00000000000..e69de29bb2d
diff --git a/java/ql/test/library-tests/frameworks/apache-commons-lang3/flow.ql b/java/ql/test/library-tests/frameworks/apache-commons-lang3/flow.ql
new file mode 100644
index 00000000000..110a4e96689
--- /dev/null
+++ b/java/ql/test/library-tests/frameworks/apache-commons-lang3/flow.ql
@@ -0,0 +1,30 @@
+import java
+import semmle.code.java.dataflow.TaintTracking
+import TestUtilities.InlineExpectationsTest
+
+class Conf extends TaintTracking::Configuration {
+  Conf() { this = "qltest:frameworks:apache-commons-lang3" }
+
+  override predicate isSource(DataFlow::Node n) {
+    n.asExpr().(MethodAccess).getMethod().hasName("taint")
+  }
+
+  override predicate isSink(DataFlow::Node n) {
+    exists(MethodAccess ma | ma.getMethod().hasName("sink") | n.asExpr() = ma.getAnArgument())
+  }
+}
+
+class HasFlowTest extends InlineExpectationsTest {
+  HasFlowTest() { this = "HasFlowTest" }
+
+  override string getARelevantTag() { result = "hasTaintFlow" }
+
+  override predicate hasActualResult(Location location, string element, string tag, string value) {
+    tag = "hasTaintFlow" and
+    exists(DataFlow::Node src, DataFlow::Node sink, Conf conf | conf.hasFlow(src, sink) |
+      sink.getLocation() = location and
+      element = sink.toString() and
+      value = "y"
+    )
+  }
+}
diff --git a/java/ql/test/library-tests/frameworks/apache-commons-lang3/options b/java/ql/test/library-tests/frameworks/apache-commons-lang3/options
new file mode 100644
index 00000000000..8479c3984d7
--- /dev/null
+++ b/java/ql/test/library-tests/frameworks/apache-commons-lang3/options
@@ -0,0 +1 @@
+//semmle-extractor-options: --javac-args -cp ${testdir}/../../../stubs/apache-commons-lang3-3.7
diff --git a/java/ql/test/stubs/apache-commons-lang3-3.7/org/apache/commons/lang3/StringUtils.java b/java/ql/test/stubs/apache-commons-lang3-3.7/org/apache/commons/lang3/StringUtils.java
new file mode 100644
index 00000000000..800b62a545b
--- /dev/null
+++ b/java/ql/test/stubs/apache-commons-lang3-3.7/org/apache/commons/lang3/StringUtils.java
@@ -0,0 +1,963 @@
+/*
+ * Licensed to the Apache Software Foundation (ASF) under one or more
+ * contributor license agreements.  See the NOTICE file distributed with
+ * this work for additional information regarding copyright ownership.
+ * The ASF licenses this file to You under the Apache License, Version 2.0
+ * (the "License"); you may not use this file except in compliance with
+ * the License.  You may obtain a copy of the License at
+ *
+ *      http://www.apache.org/licenses/LICENSE-2.0
+ *
+ * Unless required by applicable law or agreed to in writing, software
+ * distributed under the License is distributed on an "AS IS" BASIS,
+ * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+ * See the License for the specific language governing permissions and
+ * limitations under the License.
+ */
+package org.apache.commons.lang3;
+
+import java.io.UnsupportedEncodingException;
+import java.nio.charset.Charset;
+import java.text.Normalizer;
+import java.util.ArrayList;
+import java.util.Arrays;
+import java.util.HashSet;
+import java.util.Iterator;
+import java.util.List;
+import java.util.Locale;
+import java.util.Objects;
+import java.util.Set;
+import java.util.StringJoiner;
+import java.util.function.Supplier;
+import java.util.regex.Pattern;
+
+
+public class StringUtils {
+    public static String abbreviate(final String str, final int maxWidth) {
+      return null;
+    }
+
+    public static String abbreviate(final String str, final int offset, final int maxWidth) {
+      return null;
+    }
+
+    public static String abbreviate(final String str, final String abbrevMarker, final int maxWidth) {
+      return null;
+    }
+
+    public static String abbreviate(final String str, final String abbrevMarker, int offset, final int maxWidth) {
+      return null;
+    }
+
+    public static String abbreviateMiddle(final String str, final String middle, final int length) {
+      return null;
+    }
+
+    public static String appendIfMissing(final String str, final CharSequence suffix, final CharSequence... suffixes) {
+      return null;
+    }
+
+    public static String appendIfMissingIgnoreCase(final String str, final CharSequence suffix, final CharSequence... suffixes) {
+      return null;
+    }
+
+    public static String capitalize(final String str) {
+      return null;
+    }
+
+    public static String center(final String str, final int size) {
+      return null;
+    }
+
+    public static String center(String str, final int size, final char padChar) {
+      return null;
+    }
+
+    public static String center(String str, final int size, String padStr) {
+      return null;
+    }
+
+    public static String chomp(final String str) {
+      return null;
+    }
+
+    public static String chomp(final String str, final String separator) {
+      return null;
+    }
+
+    public static String chop(final String str) {
+      return null;
+    }
+
+    public static int compare(final String str1, final String str2) {
+      return 0;
+    }
+
+    public static int compare(final String str1, final String str2, final boolean nullIsLess) {
+      return 0;
+    }
+
+    public static int compareIgnoreCase(final String str1, final String str2) {
+      return 0;
+    }
+
+    public static int compareIgnoreCase(final String str1, final String str2, final boolean nullIsLess) {
+      return 0;
+    }
+
+    public static boolean contains(final CharSequence seq, final CharSequence searchSeq) {
+      return false;
+    }
+
+    public static boolean contains(final CharSequence seq, final int searchChar) {
+      return false;
+    }
+
+    public static boolean containsAny(final CharSequence cs, final char... searchChars) {
+      return false;
+    }
+
+    public static boolean containsAny(final CharSequence cs, final CharSequence searchChars) {
+      return false;
+    }
+
+    public static boolean containsAny(final CharSequence cs, final CharSequence... searchCharSequences) {
+      return false;
+    }
+
+    public static boolean containsAnyIgnoreCase(final CharSequence cs, final CharSequence... searchCharSequences) {
+      return false;
+    }
+
+    public static boolean containsIgnoreCase(final CharSequence str, final CharSequence searchStr) {
+      return false;
+    }
+
+    public static boolean containsNone(final CharSequence cs, final char... searchChars) {
+      return false;
+    }
+
+    public static boolean containsNone(final CharSequence cs, final String invalidChars) {
+      return false;
+    }
+
+    public static boolean containsOnly(final CharSequence cs, final char... valid) {
+      return false;
+    }
+
+    public static boolean containsOnly(final CharSequence cs, final String validChars) {
+      return false;
+    }
+
+    public static boolean containsWhitespace(final CharSequence seq) {
+      return false;
+    }
+
+    public static int countMatches(final CharSequence str, final char ch) {
+      return 0;
+    }
+
+    public static int countMatches(final CharSequence str, final CharSequence sub) {
+      return 0;
+    }
+
+    public static <T extends CharSequence> T defaultIfBlank(final T str, final T defaultStr) {
+      return null;
+    }
+
+    public static <T extends CharSequence> T defaultIfEmpty(final T str, final T defaultStr) {
+      return null;
+    }
+
+    public static String defaultString(final String str) {
+      return null;
+    }
+
+    public static String defaultString(final String str, final String defaultStr) {
+      return null;
+    }
+
+    public static String deleteWhitespace(final String str) {
+      return null;
+    }
+
+    public static String difference(final String str1, final String str2) {
+      return null;
+    }
+
+    public static boolean endsWith(final CharSequence str, final CharSequence suffix) {
+      return false;
+    }
+
+    public static boolean endsWithAny(final CharSequence sequence, final CharSequence... searchStrings) {
+      return false;
+    }
+
+    public static boolean endsWithIgnoreCase(final CharSequence str, final CharSequence suffix) {
+      return false;
+    }
+
+    public static boolean equals(final CharSequence cs1, final CharSequence cs2) {
+      return false;
+    }
+
+    public static boolean equalsAny(final CharSequence string, final CharSequence... searchStrings) {
+      return false;
+    }
+
+    public static boolean equalsAnyIgnoreCase(final CharSequence string, final CharSequence...searchStrings) {
+      return false;
+    }
+
+    public static boolean equalsIgnoreCase(final CharSequence cs1, final CharSequence cs2) {
+      return false;
+    }
+
+    public static <T extends CharSequence> T firstNonBlank(final T... values) {
+      return null;
+    }
+
+    public static <T extends CharSequence> T firstNonEmpty(final T... values) {
+      return null;
+    }
+
+    public static byte[] getBytes(final String string, final Charset charset) {
+      return null;
+    }
+
+    public static byte[] getBytes(final String string, final String charset) throws UnsupportedEncodingException {
+      return null;
+    }
+
+    public static String getCommonPrefix(final String... strs) {
+      return null;
+    }
+
+    public static String getDigits(final String str) {
+      return null;
+    }
+
+    public static int getFuzzyDistance(final CharSequence term, final CharSequence query, final Locale locale) {
+      return 0;
+    }
+
+    public static <T extends CharSequence> T getIfBlank(final T str, final Supplier<T> defaultSupplier) {
+      return null;
+    }
+
+    public static <T extends CharSequence> T getIfEmpty(final T str, final Supplier<T> defaultSupplier) {
+      return null;
+    }
+
+    public static double getJaroWinklerDistance(final CharSequence first, final CharSequence second) {
+      return 0;
+    }
+
+    public static int getLevenshteinDistance(CharSequence s, CharSequence t) {
+      return 0;
+    }
+
+    public static int getLevenshteinDistance(CharSequence s, CharSequence t, final int threshold) {
+      return 0;
+    }
+
+    public static int indexOf(final CharSequence seq, final CharSequence searchSeq) {
+      return 0;
+    }
+
+    public static int indexOf(final CharSequence seq, final CharSequence searchSeq, final int startPos) {
+      return 0;
+    }
+
+    public static int indexOf(final CharSequence seq, final int searchChar) {
+      return 0;
+    }
+
+    public static int indexOf(final CharSequence seq, final int searchChar, final int startPos) {
+      return 0;
+    }
+
+    public static int indexOfAny(final CharSequence cs, final char... searchChars) {
+      return 0;
+    }
+
+    public static int indexOfAny(final CharSequence str, final CharSequence... searchStrs) {
+      return 0;
+    }
+
+    public static int indexOfAny(final CharSequence cs, final String searchChars) {
+      return 0;
+    }
+
+    public static int indexOfAnyBut(final CharSequence cs, final char... searchChars) {
+      return 0;
+    }
+
+    public static int indexOfAnyBut(final CharSequence seq, final CharSequence searchChars) {
+      return 0;
+    }
+
+    public static int indexOfDifference(final CharSequence... css) {
+      return 0;
+    }
+
+    public static int indexOfDifference(final CharSequence cs1, final CharSequence cs2) {
+      return 0;
+    }
+
+    public static int indexOfIgnoreCase(final CharSequence str, final CharSequence searchStr) {
+      return 0;
+    }
+
+    public static int indexOfIgnoreCase(final CharSequence str, final CharSequence searchStr, int startPos) {
+      return 0;
+    }
+
+    public static boolean isAllBlank(final CharSequence... css) {
+      return false;
+    }
+
+    public static boolean isAllEmpty(final CharSequence... css) {
+      return false;
+    }
+
+    public static boolean isAllLowerCase(final CharSequence cs) {
+      return false;
+    }
+
+    public static boolean isAllUpperCase(final CharSequence cs) {
+      return false;
+    }
+
+    public static boolean isAlpha(final CharSequence cs) {
+      return false;
+    }
+
+    public static boolean isAlphanumeric(final CharSequence cs) {
+      return false;
+    }
+
+    public static boolean isAlphanumericSpace(final CharSequence cs) {
+      return false;
+    }
+
+    public static boolean isAlphaSpace(final CharSequence cs) {
+      return false;
+    }
+
+    public static boolean isAnyBlank(final CharSequence... css) {
+      return false;
+    }
+
+    public static boolean isAnyEmpty(final CharSequence... css) {
+      return false;
+    }
+
+    public static boolean isAsciiPrintable(final CharSequence cs) {
+      return false;
+    }
+
+    public static boolean isBlank(final CharSequence cs) {
+      return false;
+    }
+
+    public static boolean isEmpty(final CharSequence cs) {
+      return false;
+    }
+
+    public static boolean isMixedCase(final CharSequence cs) {
+      return false;
+    }
+
+    public static boolean isNoneBlank(final CharSequence... css) {
+      return false;
+    }
+
+    public static boolean isNoneEmpty(final CharSequence... css) {
+      return false;
+    }
+
+    public static boolean isNotBlank(final CharSequence cs) {
+      return false;
+    }
+
+    public static boolean isNotEmpty(final CharSequence cs) {
+      return false;
+    }
+
+    public static boolean isNumeric(final CharSequence cs) {
+      return false;
+    }
+
+    public static boolean isNumericSpace(final CharSequence cs) {
+      return false;
+    }
+
+    public static boolean isWhitespace(final CharSequence cs) {
+      return false;
+    }
+
+    public static String join(final boolean[] array, final char delimiter) {
+      return null;
+    }
+
+    public static String join(final boolean[] array, final char delimiter, final int startIndex, final int endIndex) {
+      return null;
+    }
+
+    public static String join(final byte[] array, final char delimiter) {
+      return null;
+    }
+
+    public static String join(final byte[] array, final char delimiter, final int startIndex, final int endIndex) {
+      return null;
+    }
+
+    public static String join(final char[] array, final char delimiter) {
+      return null;
+    }
+
+    public static String join(final char[] array, final char delimiter, final int startIndex, final int endIndex) {
+      return null;
+    }
+
+    public static String join(final double[] array, final char delimiter) {
+      return null;
+    }
+
+    public static String join(final double[] array, final char delimiter, final int startIndex, final int endIndex) {
+      return null;
+    }
+
+    public static String join(final float[] array, final char delimiter) {
+      return null;
+    }
+
+    public static String join(final float[] array, final char delimiter, final int startIndex, final int endIndex) {
+      return null;
+    }
+
+    public static String join(final int[] array, final char separator) {
+      return null;
+    }
+
+    public static String join(final int[] array, final char delimiter, final int startIndex, final int endIndex) {
+      return null;
+    }
+
+    public static String join(final Iterable<?> iterable, final char separator) {
+      return null;
+    }
+
+    public static String join(final Iterable<?> iterable, final String separator) {
+      return null;
+    }
+
+    public static String join(final Iterator<?> iterator, final char separator) {
+      return null;
+    }
+
+    public static String join(final Iterator<?> iterator, final String separator) {
+      return null;
+    }
+
+    public static String join(final List<?> list, final char separator, final int startIndex, final int endIndex) {
+      return null;
+    }
+
+    public static String join(final List<?> list, final String separator, final int startIndex, final int endIndex) {
+      return null;
+    }
+
+    public static String join(final long[] array, final char separator) {
+      return null;
+    }
+
+    public static String join(final long[] array, final char delimiter, final int startIndex, final int endIndex) {
+      return null;
+    }
+
+    public static String join(final Object[] array, final char delimiter) {
+      return null;
+    }
+
+    public static String join(final Object[] array, final char delimiter, final int startIndex, final int endIndex) {
+      return null;
+    }
+
+    public static String join(final Object[] array, final String delimiter) {
+      return null;
+    }
+
+    public static String join(final Object[] array, String delimiter, final int startIndex, final int endIndex) {
+      return null;
+    }
+
+    public static String join(final short[] array, final char delimiter) {
+      return null;
+    }
+
+    public static String join(final short[] array, final char delimiter, final int startIndex, final int endIndex) {
+      return null;
+    }
+
+    public static <T> String join(final T... elements) {
+      return null;
+    }
+
+    public static String joinWith(final String delimiter, final Object... array) {
+      return null;
+    }
+
+    public static int lastIndexOf(final CharSequence seq, final CharSequence searchSeq) {
+      return 0;
+    }
+
+    public static int lastIndexOf(final CharSequence seq, final CharSequence searchSeq, final int startPos) {
+      return 0;
+    }
+
+    public static int lastIndexOf(final CharSequence seq, final int searchChar) {
+      return 0;
+    }
+
+    public static int lastIndexOf(final CharSequence seq, final int searchChar, final int startPos) {
+      return 0;
+    }
+
+    public static int lastIndexOfAny(final CharSequence str, final CharSequence... searchStrs) {
+      return 0;
+    }
+
+    public static int lastIndexOfIgnoreCase(final CharSequence str, final CharSequence searchStr) {
+      return 0;
+    }
+
+    public static int lastIndexOfIgnoreCase(final CharSequence str, final CharSequence searchStr, int startPos) {
+      return 0;
+    }
+
+    public static int lastOrdinalIndexOf(final CharSequence str, final CharSequence searchStr, final int ordinal) {
+      return 0;
+    }
+
+    public static String left(final String str, final int len) {
+      return null;
+    }
+
+    public static String leftPad(final String str, final int size) {
+      return null;
+    }
+
+    public static String leftPad(final String str, final int size, final char padChar) {
+      return null;
+    }
+
+    public static String leftPad(final String str, final int size, String padStr) {
+      return null;
+    }
+
+    public static int length(final CharSequence cs) {
+      return 0;
+    }
+
+    public static String lowerCase(final String str) {
+      return null;
+    }
+
+    public static String lowerCase(final String str, final Locale locale) {
+      return null;
+    }
+
+    public static String mid(final String str, int pos, final int len) {
+      return null;
+    }
+
+    public static String normalizeSpace(final String str) {
+      return null;
+    }
+
+    public static int ordinalIndexOf(final CharSequence str, final CharSequence searchStr, final int ordinal) {
+      return 0;
+    }
+
+    public static String overlay(final String str, String overlay, int start, int end) {
+      return null;
+    }
+
+    public static String prependIfMissing(final String str, final CharSequence prefix, final CharSequence... prefixes) {
+      return null;
+    }
+
+    public static String prependIfMissingIgnoreCase(final String str, final CharSequence prefix, final CharSequence... prefixes) {
+      return null;
+    }
+
+    public static String remove(final String str, final char remove) {
+      return null;
+    }
+
+    public static String remove(final String str, final String remove) {
+      return null;
+    }
+
+    public static String removeAll(final String text, final String regex) {
+      return null;
+    }
+
+    public static String removeEnd(final String str, final String remove) {
+      return null;
+    }
+
+    public static String removeEndIgnoreCase(final String str, final String remove) {
+      return null;
+    }
+
+    public static String removeFirst(final String text, final String regex) {
+      return null;
+    }
+
+    public static String removeIgnoreCase(final String str, final String remove) {
+      return null;
+    }
+
+    public static String removePattern(final String source, final String regex) {
+      return null;
+    }
+
+    public static String removeStart(final String str, final String remove) {
+      return null;
+    }
+
+    public static String removeStartIgnoreCase(final String str, final String remove) {
+      return null;
+    }
+
+    public static String repeat(final char ch, final int repeat) {
+      return null;
+    }
+
+    public static String repeat(final String str, final int repeat) {
+      return null;
+    }
+
+    public static String repeat(final String str, final String separator, final int repeat) {
+      return null;
+    }
+
+    public static String replace(final String text, final String searchString, final String replacement) {
+      return null;
+    }
+
+    public static String replace(final String text, final String searchString, final String replacement, final int max) {
+      return null;
+    }
+
+    public static String replaceAll(final String text, final String regex, final String replacement) {
+      return null;
+    }
+
+    public static String replaceChars(final String str, final char searchChar, final char replaceChar) {
+      return null;
+    }
+
+    public static String replaceChars(final String str, final String searchChars, String replaceChars) {
+      return null;
+    }
+
+    public static String replaceEach(final String text, final String[] searchList, final String[] replacementList) {
+      return null;
+    }
+
+    public static String replaceEachRepeatedly(final String text, final String[] searchList, final String[] replacementList) {
+      return null;
+    }
+
+    public static String replaceFirst(final String text, final String regex, final String replacement) {
+      return null;
+    }
+
+   public static String replaceIgnoreCase(final String text, final String searchString, final String replacement) {
+     return null;
+   }
+
+    public static String replaceIgnoreCase(final String text, final String searchString, final String replacement, final int max) {
+      return null;
+    }
+
+    public static String replaceOnce(final String text, final String searchString, final String replacement) {
+      return null;
+    }
+
+    public static String replaceOnceIgnoreCase(final String text, final String searchString, final String replacement) {
+      return null;
+    }
+
+    public static String replacePattern(final String source, final String regex, final String replacement) {
+      return null;
+    }
+
+    public static String reverse(final String str) {
+      return null;
+    }
+
+    public static String reverseDelimited(final String str, final char separatorChar) {
+      return null;
+    }
+
+    public static String right(final String str, final int len) {
+      return null;
+    }
+
+    public static String rightPad(final String str, final int size) {
+      return null;
+    }
+
+    public static String rightPad(final String str, final int size, final char padChar) {
+      return null;
+    }
+
+    public static String rightPad(final String str, final int size, String padStr) {
+      return null;
+    }
+
+    public static String rotate(final String str, final int shift) {
+      return null;
+    }
+
+    public static String[] split(final String str) {
+      return null;
+    }
+
+    public static String[] split(final String str, final char separatorChar) {
+      return null;
+    }
+
+    public static String[] split(final String str, final String separatorChars) {
+      return null;
+    }
+
+    public static String[] split(final String str, final String separatorChars, final int max) {
+      return null;
+    }
+
+    public static String[] splitByCharacterType(final String str) {
+      return null;
+    }
+
+    public static String[] splitByCharacterTypeCamelCase(final String str) {
+      return null;
+    }
+
+    public static String[] splitByWholeSeparator(final String str, final String separator) {
+      return null;
+    }
+
+    public static String[] splitByWholeSeparator( final String str, final String separator, final int max) {
+      return null;
+    }
+
+    public static String[] splitByWholeSeparatorPreserveAllTokens(final String str, final String separator) {
+      return null;
+    }
+
+    public static String[] splitByWholeSeparatorPreserveAllTokens(final String str, final String separator, final int max) {
+      return null;
+    }
+
+    public static String[] splitPreserveAllTokens(final String str) {
+      return null;
+    }
+
+    public static String[] splitPreserveAllTokens(final String str, final char separatorChar) {
+      return null;
+    }
+
+    public static String[] splitPreserveAllTokens(final String str, final String separatorChars) {
+      return null;
+    }
+
+    public static String[] splitPreserveAllTokens(final String str, final String separatorChars, final int max) {
+      return null;
+    }
+
+    public static boolean startsWith(final CharSequence str, final CharSequence prefix) {
+      return false;
+    }
+
+    public static boolean startsWithAny(final CharSequence sequence, final CharSequence... searchStrings) {
+      return false;
+    }
+
+    public static boolean startsWithIgnoreCase(final CharSequence str, final CharSequence prefix) {
+      return false;
+    }
+
+    public static String strip(final String str) {
+      return null;
+    }
+
+    public static String strip(String str, final String stripChars) {
+      return null;
+    }
+
+    public static String stripAccents(final String input) {
+      return null;
+    }
+
+    public static String[] stripAll(final String... strs) {
+      return null;
+    }
+
+    public static String[] stripAll(final String[] strs, final String stripChars) {
+      return null;
+    }
+
+    public static String stripEnd(final String str, final String stripChars) {
+      return null;
+    }
+
+    public static String stripStart(final String str, final String stripChars) {
+      return null;
+    }
+
+    public static String stripToEmpty(final String str) {
+      return null;
+    }
+
+    public static String stripToNull(String str) {
+      return null;
+    }
+
+    public static String substring(final String str, int start) {
+      return null;
+    }
+
+    public static String substring(final String str, int start, int end) {
+      return null;
+    }
+
+    public static String substringAfter(final String str, final int separator) {
+      return null;
+    }
+
+    public static String substringAfter(final String str, final String separator) {
+      return null;
+    }
+
+    public static String substringAfterLast(final String str, final int separator) {
+      return null;
+    }
+
+    public static String substringAfterLast(final String str, final String separator) {
+      return null;
+    }
+
+    public static String substringBefore(final String str, final String separator) {
+      return null;
+    }
+
+    public static String substringBeforeLast(final String str, final String separator) {
+      return null;
+    }
+
+    public static String substringBetween(final String str, final String tag) {
+      return null;
+    }
+
+    public static String substringBetween(final String str, final String open, final String close) {
+      return null;
+    }
+
+    public static String[] substringsBetween(final String str, final String open, final String close) {
+      return null;
+    }
+
+    public static String swapCase(final String str) {
+      return null;
+    }
+
+    public static int[] toCodePoints(final CharSequence cs) {
+      return null;
+    }
+
+    public static String toEncodedString(final byte[] bytes, final Charset charset) {
+      return null;
+    }
+
+    public static String toRootLowerCase(final String source) {
+      return null;
+    }
+
+    public static String toRootUpperCase(final String source) {
+      return null;
+    }
+
+    public static String toString(final byte[] bytes, final String charsetName) throws UnsupportedEncodingException {
+      return null;
+    }
+
+    public static String trim(final String str) {
+      return null;
+    }
+
+    public static String trimToEmpty(final String str) {
+      return null;
+    }
+
+    public static String trimToNull(final String str) {
+      return null;
+    }
+
+    public static String truncate(final String str, final int maxWidth) {
+      return null;
+    }
+
+    public static String truncate(final String str, final int offset, final int maxWidth) {
+      return null;
+    }
+
+    public static String uncapitalize(final String str) {
+      return null;
+    }
+
+    public static String unwrap(final String str, final char wrapChar) {
+      return null;
+    }
+
+    public static String unwrap(final String str, final String wrapToken) {
+      return null;
+    }
+
+    public static String upperCase(final String str) {
+      return null;
+    }
+
+    public static String upperCase(final String str, final Locale locale) {
+      return null;
+    }
+
+    public static String valueOf(final char[] value) {
+      return null;
+    }
+
+    public static String wrap(final String str, final char wrapWith) {
+      return null;
+    }
+
+    public static String wrap(final String str, final String wrapWith) {
+      return null;
+    }
+
+    public static String wrapIfMissing(final String str, final char wrapWith) {
+      return null;
+    }
+
+    public static String wrapIfMissing(final String str, final String wrapWith) {
+      return null;
+    }
+
+    public StringUtils() {
+    }
+
+}

From 552f0a7c5e435ec17c6db04214b913c160a32a6e Mon Sep 17 00:00:00 2001
From: Cornelius Riemenschneider <criemen@github.com>
Date: Tue, 16 Feb 2021 15:55:41 +0000
Subject: [PATCH 405/429] C++: Address review.

---
 cpp/ql/src/semmle/code/cpp/models/implementations/StdMap.qll | 5 ++---
 1 file changed, 2 insertions(+), 3 deletions(-)

diff --git a/cpp/ql/src/semmle/code/cpp/models/implementations/StdMap.qll b/cpp/ql/src/semmle/code/cpp/models/implementations/StdMap.qll
index ae3fab9f077..aecd98981e8 100644
--- a/cpp/ql/src/semmle/code/cpp/models/implementations/StdMap.qll
+++ b/cpp/ql/src/semmle/code/cpp/models/implementations/StdMap.qll
@@ -150,7 +150,7 @@ private class StdMapFind extends TaintFunction {
  * The standard map `erase` function.
  */
 private class StdMapErase extends TaintFunction {
-  StdMapErase() { this.getCLassAndName("erase") instanceof MapOrUnorderedMap }
+  StdMapErase() { this.getClassAndName("erase") instanceof MapOrUnorderedMap }
 
   override predicate hasTaintFlow(FunctionInput input, FunctionOutput output) {
     // flow from qualifier to iterator return value
@@ -165,8 +165,7 @@ private class StdMapErase extends TaintFunction {
  */
 private class StdMapEqualRange extends TaintFunction {
   StdMapEqualRange() {
-    this.hasName(["lower_bound", "upper_bound", "equal_range"]) and
-    this.getDeclaringType() instanceof MapOrUnorderedMap
+    this.getClassAndName(["lower_bound", "upper_bound", "equal_range"]) instanceof MapOrUnorderedMap
   }
 
   override predicate hasTaintFlow(FunctionInput input, FunctionOutput output) {

From a04883cafcdb29c8b910cde2adbb053a6ec0a37d Mon Sep 17 00:00:00 2001
From: Cornelius Riemenschneider <criemen@github.com>
Date: Tue, 16 Feb 2021 16:17:59 +0000
Subject: [PATCH 406/429] C++: Fix compilation.

---
 .../src/semmle/code/cpp/models/implementations/StdContainer.qll | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)

diff --git a/cpp/ql/src/semmle/code/cpp/models/implementations/StdContainer.qll b/cpp/ql/src/semmle/code/cpp/models/implementations/StdContainer.qll
index f416d8e9810..9176c6c3a1a 100644
--- a/cpp/ql/src/semmle/code/cpp/models/implementations/StdContainer.qll
+++ b/cpp/ql/src/semmle/code/cpp/models/implementations/StdContainer.qll
@@ -113,7 +113,7 @@ private class StdSequenceContainerPush extends TaintFunction {
     this.getClassAndName("push_back") instanceof Array or
     this.getClassAndName(["push_back", "push_front"]) instanceof Deque or
     this.getClassAndName("push_front") instanceof ForwardList or
-    this.getClassAndName("push_back") instanceof List or
+    this.getClassAndName("push_back") instanceof List
   }
 
   override predicate hasTaintFlow(FunctionInput input, FunctionOutput output) {

From 3fb42194a5e4a134b34e2ed6dedd48dce5acabce Mon Sep 17 00:00:00 2001
From: Cornelius Riemenschneider <criemen@github.com>
Date: Tue, 16 Feb 2021 17:58:45 +0100
Subject: [PATCH 407/429] Apply suggestions from code review

Co-authored-by: Geoffrey White <40627776+geoffw0@users.noreply.github.com>
---
 .../semmle/code/cpp/models/implementations/StdContainer.qll   | 4 ++--
 1 file changed, 2 insertions(+), 2 deletions(-)

diff --git a/cpp/ql/src/semmle/code/cpp/models/implementations/StdContainer.qll b/cpp/ql/src/semmle/code/cpp/models/implementations/StdContainer.qll
index 9176c6c3a1a..367db1613fc 100644
--- a/cpp/ql/src/semmle/code/cpp/models/implementations/StdContainer.qll
+++ b/cpp/ql/src/semmle/code/cpp/models/implementations/StdContainer.qll
@@ -110,10 +110,10 @@ private class StdSequenceContainerData extends TaintFunction {
  */
 private class StdSequenceContainerPush extends TaintFunction {
   StdSequenceContainerPush() {
-    this.getClassAndName("push_back") instanceof Array or
+    this.getClassAndName("push_back") instanceof Vector or
     this.getClassAndName(["push_back", "push_front"]) instanceof Deque or
     this.getClassAndName("push_front") instanceof ForwardList or
-    this.getClassAndName("push_back") instanceof List
+    this.getClassAndName(["push_back", "push_front"]) instanceof List
   }
 
   override predicate hasTaintFlow(FunctionInput input, FunctionOutput output) {

From 735e014b435269d4e6cd6ad6b4696f160d0bfa96 Mon Sep 17 00:00:00 2001
From: Geoffrey White <40627776+geoffw0@users.noreply.github.com>
Date: Tue, 16 Feb 2021 17:22:59 +0000
Subject: [PATCH 408/429] C++: Model BSL in Gets.qll.

---
 cpp/ql/src/semmle/code/cpp/models/implementations/Gets.qll | 6 +++---
 1 file changed, 3 insertions(+), 3 deletions(-)

diff --git a/cpp/ql/src/semmle/code/cpp/models/implementations/Gets.qll b/cpp/ql/src/semmle/code/cpp/models/implementations/Gets.qll
index f698a1209f4..08222c2cd6a 100644
--- a/cpp/ql/src/semmle/code/cpp/models/implementations/Gets.qll
+++ b/cpp/ql/src/semmle/code/cpp/models/implementations/Gets.qll
@@ -19,7 +19,7 @@ private class GetsFunction extends DataFlowFunction, TaintFunction, ArrayFunctio
     // gets(str)
     // fgets(str, num, stream)
     // fgetws(wstr, num, stream)
-    hasGlobalOrStdName(["gets", "fgets", "fgetws"])
+    hasGlobalOrStdOrBslName(["gets", "fgets", "fgetws"])
   }
 
   override predicate hasDataFlow(FunctionInput input, FunctionOutput output) {
@@ -54,13 +54,13 @@ private class GetsFunction extends DataFlowFunction, TaintFunction, ArrayFunctio
   }
 
   override predicate hasArrayWithVariableSize(int bufParam, int countParam) {
-    not hasGlobalOrStdName("gets") and
+    not hasName("gets") and
     bufParam = 0 and
     countParam = 1
   }
 
   override predicate hasArrayWithUnknownSize(int bufParam) {
-    hasGlobalOrStdName("gets") and
+    hasName("gets") and
     bufParam = 0
   }
 

From 04eb0c774cb6456106b26967fb093b89b62ecc2e Mon Sep 17 00:00:00 2001
From: Taus Brock-Nannestad <tausbn@github.com>
Date: Tue, 16 Feb 2021 18:25:54 +0100
Subject: [PATCH 409/429] Python: Use `LocalSourceNode` in type tracker tests

One minor change to the tests results needed: there is no longer local
flow going into the `ModuleVariableNode` for `attr_ref` in the
`moduleattr.ql` test, but I think this is reasonable.
---
 .../dataflow/typetracking/moduleattr.expected |  1 -
 .../dataflow/typetracking/moduleattr.ql       | 10 ++++---
 .../dataflow/typetracking/tracked.ql          | 28 +++++++++----------
 3 files changed, 20 insertions(+), 19 deletions(-)

diff --git a/python/ql/test/experimental/dataflow/typetracking/moduleattr.expected b/python/ql/test/experimental/dataflow/typetracking/moduleattr.expected
index adfc8c5a379..82aa6e99c3c 100644
--- a/python/ql/test/experimental/dataflow/typetracking/moduleattr.expected
+++ b/python/ql/test/experimental/dataflow/typetracking/moduleattr.expected
@@ -1,7 +1,6 @@
 module_tracker
 | import_as_attr.py:1:6:1:11 | ControlFlowNode for ImportExpr |
 module_attr_tracker
-| import_as_attr.py:0:0:0:0 | ModuleVariableNode for Global Variable attr_ref in Module import_as_attr |
 | import_as_attr.py:1:20:1:35 | ControlFlowNode for ImportMember |
 | import_as_attr.py:1:28:1:35 | GSSA Variable attr_ref |
 | import_as_attr.py:3:1:3:1 | GSSA Variable x |
diff --git a/python/ql/test/experimental/dataflow/typetracking/moduleattr.ql b/python/ql/test/experimental/dataflow/typetracking/moduleattr.ql
index 1d3430493ab..b546dc7491d 100644
--- a/python/ql/test/experimental/dataflow/typetracking/moduleattr.ql
+++ b/python/ql/test/experimental/dataflow/typetracking/moduleattr.ql
@@ -2,16 +2,18 @@ import python
 import semmle.python.dataflow.new.DataFlow
 import semmle.python.dataflow.new.TypeTracker
 
-DataFlow::Node module_tracker(TypeTracker t) {
+DataFlow::LocalSourceNode module_tracker(TypeTracker t) {
   t.start() and
   result = DataFlow::importNode("module")
   or
   exists(TypeTracker t2 | result = module_tracker(t2).track(t2, t))
 }
 
-query DataFlow::Node module_tracker() { result = module_tracker(DataFlow::TypeTracker::end()) }
+query DataFlow::Node module_tracker() {
+  module_tracker(DataFlow::TypeTracker::end()).flowsTo(result)
+}
 
-DataFlow::Node module_attr_tracker(TypeTracker t) {
+DataFlow::LocalSourceNode module_attr_tracker(TypeTracker t) {
   t.startInAttr("attr") and
   result = module_tracker()
   or
@@ -19,5 +21,5 @@ DataFlow::Node module_attr_tracker(TypeTracker t) {
 }
 
 query DataFlow::Node module_attr_tracker() {
-  result = module_attr_tracker(DataFlow::TypeTracker::end())
+  module_attr_tracker(DataFlow::TypeTracker::end()).flowsTo(result)
 }
diff --git a/python/ql/test/experimental/dataflow/typetracking/tracked.ql b/python/ql/test/experimental/dataflow/typetracking/tracked.ql
index 0797e484c97..91ffe7e47c1 100644
--- a/python/ql/test/experimental/dataflow/typetracking/tracked.ql
+++ b/python/ql/test/experimental/dataflow/typetracking/tracked.ql
@@ -6,7 +6,7 @@ import TestUtilities.InlineExpectationsTest
 // -----------------------------------------------------------------------------
 // tracked
 // -----------------------------------------------------------------------------
-DataFlow::Node tracked(TypeTracker t) {
+DataFlow::LocalSourceNode tracked(TypeTracker t) {
   t.start() and
   result.asCfgNode() = any(NameNode n | n.getId() = "tracked")
   or
@@ -20,7 +20,7 @@ class TrackedTest extends InlineExpectationsTest {
 
   override predicate hasActualResult(Location location, string element, string tag, string value) {
     exists(DataFlow::Node e, TypeTracker t |
-      e = tracked(t) and
+      tracked(t).flowsTo(e) and
       // Module variables have no sensible location, and hence can't be annotated.
       not e instanceof DataFlow::ModuleVariableNode and
       tag = "tracked" and
@@ -34,14 +34,14 @@ class TrackedTest extends InlineExpectationsTest {
 // -----------------------------------------------------------------------------
 // int + str
 // -----------------------------------------------------------------------------
-DataFlow::Node int_type(TypeTracker t) {
+DataFlow::LocalSourceNode int_type(TypeTracker t) {
   t.start() and
   result.asCfgNode() = any(CallNode c | c.getFunction().(NameNode).getId() = "int")
   or
   exists(TypeTracker t2 | result = int_type(t2).track(t2, t))
 }
 
-DataFlow::Node string_type(TypeTracker t) {
+DataFlow::LocalSourceNode string_type(TypeTracker t) {
   t.start() and
   result.asCfgNode() = any(CallNode c | c.getFunction().(NameNode).getId() = "str")
   or
@@ -55,7 +55,7 @@ class TrackedIntTest extends InlineExpectationsTest {
 
   override predicate hasActualResult(Location location, string element, string tag, string value) {
     exists(DataFlow::Node e, TypeTracker t |
-      e = int_type(t) and
+      int_type(t).flowsTo(e) and
       tag = "int" and
       location = e.getLocation() and
       value = t.getAttr() and
@@ -71,7 +71,7 @@ class TrackedStringTest extends InlineExpectationsTest {
 
   override predicate hasActualResult(Location location, string element, string tag, string value) {
     exists(DataFlow::Node e, TypeTracker t |
-      e = string_type(t) and
+      string_type(t).flowsTo(e) and
       tag = "str" and
       location = e.getLocation() and
       value = t.getAttr() and
@@ -83,7 +83,7 @@ class TrackedStringTest extends InlineExpectationsTest {
 // -----------------------------------------------------------------------------
 // tracked_self
 // -----------------------------------------------------------------------------
-DataFlow::Node tracked_self(TypeTracker t) {
+DataFlow::LocalSourceNode tracked_self(TypeTracker t) {
   t.start() and
   exists(Function f |
     f.isMethod() and
@@ -101,7 +101,7 @@ class TrackedSelfTest extends InlineExpectationsTest {
 
   override predicate hasActualResult(Location location, string element, string tag, string value) {
     exists(DataFlow::Node e, TypeTracker t |
-      e = tracked_self(t) and
+      tracked_self(t).flowsTo(e) and
       // Module variables have no sensible location, and hence can't be annotated.
       not e instanceof DataFlow::ModuleVariableNode and
       tag = "tracked_self" and
@@ -117,7 +117,7 @@ class TrackedSelfTest extends InlineExpectationsTest {
 // -----------------------------------------------------------------------------
 // This modeling follows the same pattern that we currently use in our real library modeling.
 /** Gets a reference to `foo` (fictive module). */
-private DataFlow::Node foo(DataFlow::TypeTracker t) {
+private DataFlow::LocalSourceNode foo(DataFlow::TypeTracker t) {
   t.start() and
   result = DataFlow::importNode("foo")
   or
@@ -125,10 +125,10 @@ private DataFlow::Node foo(DataFlow::TypeTracker t) {
 }
 
 /** Gets a reference to `foo` (fictive module). */
-DataFlow::Node foo() { result = foo(DataFlow::TypeTracker::end()) }
+DataFlow::Node foo() { foo(DataFlow::TypeTracker::end()).flowsTo(result) }
 
 /** Gets a reference to `foo.bar` (fictive module). */
-private DataFlow::Node foo_bar(DataFlow::TypeTracker t) {
+private DataFlow::LocalSourceNode foo_bar(DataFlow::TypeTracker t) {
   t.start() and
   result = DataFlow::importNode("foo.bar")
   or
@@ -139,10 +139,10 @@ private DataFlow::Node foo_bar(DataFlow::TypeTracker t) {
 }
 
 /** Gets a reference to `foo.bar` (fictive module). */
-DataFlow::Node foo_bar() { result = foo_bar(DataFlow::TypeTracker::end()) }
+DataFlow::Node foo_bar() { foo_bar(DataFlow::TypeTracker::end()).flowsTo(result) }
 
 /** Gets a reference to `foo.bar.baz` (fictive attribute on `foo.bar` module). */
-private DataFlow::Node foo_bar_baz(DataFlow::TypeTracker t) {
+private DataFlow::LocalSourceNode foo_bar_baz(DataFlow::TypeTracker t) {
   t.start() and
   result = DataFlow::importNode("foo.bar.baz")
   or
@@ -153,7 +153,7 @@ private DataFlow::Node foo_bar_baz(DataFlow::TypeTracker t) {
 }
 
 /** Gets a reference to `foo.bar.baz` (fictive attribute on `foo.bar` module). */
-DataFlow::Node foo_bar_baz() { result = foo_bar_baz(DataFlow::TypeTracker::end()) }
+DataFlow::Node foo_bar_baz() { foo_bar_baz(DataFlow::TypeTracker::end()).flowsTo(result) }
 
 class TrackedFooBarBaz extends InlineExpectationsTest {
   TrackedFooBarBaz() { this = "TrackedFooBarBaz" }

From e17d539883965f781698ebdd92d1dcb104921e7f Mon Sep 17 00:00:00 2001
From: Geoffrey White <40627776+geoffw0@users.noreply.github.com>
Date: Tue, 16 Feb 2021 17:56:48 +0000
Subject: [PATCH 410/429] C++: Model BSL in Getenv.qll.

---
 cpp/ql/src/semmle/code/cpp/models/implementations/Getenv.qll | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)

diff --git a/cpp/ql/src/semmle/code/cpp/models/implementations/Getenv.qll b/cpp/ql/src/semmle/code/cpp/models/implementations/Getenv.qll
index 93b601de752..87e191241d2 100644
--- a/cpp/ql/src/semmle/code/cpp/models/implementations/Getenv.qll
+++ b/cpp/ql/src/semmle/code/cpp/models/implementations/Getenv.qll
@@ -9,7 +9,7 @@ import semmle.code.cpp.models.interfaces.FlowSource
  * The POSIX function `getenv`.
  */
 class Getenv extends LocalFlowSourceFunction {
-  Getenv() { this.hasGlobalName("getenv") }
+  Getenv() { this.hasGlobalOrStdOrBslName("getenv") }
 
   override predicate hasLocalFlowSource(FunctionOutput output, string description) {
     (

From fa44cedd3804f4d43b4ad4157a09fefe7a92d513 Mon Sep 17 00:00:00 2001
From: Mathias Vorreiter Pedersen <mathiasvp@github.com>
Date: Tue, 16 Feb 2021 18:58:28 +0100
Subject: [PATCH 411/429] C++: Add isBarrier to CgiXss.ql.

---
 cpp/ql/src/Security/CWE/CWE-079/CgiXss.ql     |  4 +++
 .../CWE/CWE-079/semmle/CgiXss/CgiXss.expected | 32 +++++++++----------
 .../CWE/CWE-079/semmle/CgiXss/search.c        | 20 +++++++++---
 3 files changed, 36 insertions(+), 20 deletions(-)

diff --git a/cpp/ql/src/Security/CWE/CWE-079/CgiXss.ql b/cpp/ql/src/Security/CWE/CWE-079/CgiXss.ql
index 24484a9dcaf..d1e2fa12913 100644
--- a/cpp/ql/src/Security/CWE/CWE-079/CgiXss.ql
+++ b/cpp/ql/src/Security/CWE/CWE-079/CgiXss.ql
@@ -34,6 +34,10 @@ class Configuration extends TaintTrackingConfiguration {
   override predicate isSink(Element tainted) {
     exists(PrintStdoutCall call | call.getAnArgument() = tainted)
   }
+
+  override predicate isBarrier(Expr e) {
+    super.isBarrier(e) or e.getUnspecifiedType() instanceof IntegralType
+  }
 }
 
 from QueryString query, Element printedArg, PathNode sourceNode, PathNode sinkNode
diff --git a/cpp/ql/test/query-tests/Security/CWE/CWE-079/semmle/CgiXss/CgiXss.expected b/cpp/ql/test/query-tests/Security/CWE/CWE-079/semmle/CgiXss/CgiXss.expected
index 6f08104489e..de3326e74a5 100644
--- a/cpp/ql/test/query-tests/Security/CWE/CWE-079/semmle/CgiXss/CgiXss.expected
+++ b/cpp/ql/test/query-tests/Security/CWE/CWE-079/semmle/CgiXss/CgiXss.expected
@@ -8,14 +8,14 @@ edges
 | search.c:22:24:22:28 | *query | search.c:23:39:23:43 | query |
 | search.c:22:24:22:28 | query | search.c:23:39:23:43 | query |
 | search.c:22:24:22:28 | query | search.c:23:39:23:43 | query |
-| search.c:41:21:41:26 | call to getenv | search.c:14:24:14:28 | *query |
-| search.c:41:21:41:26 | call to getenv | search.c:14:24:14:28 | *query |
-| search.c:41:21:41:26 | call to getenv | search.c:14:24:14:28 | query |
-| search.c:41:21:41:26 | call to getenv | search.c:14:24:14:28 | query |
-| search.c:41:21:41:26 | call to getenv | search.c:22:24:22:28 | *query |
-| search.c:41:21:41:26 | call to getenv | search.c:22:24:22:28 | *query |
-| search.c:41:21:41:26 | call to getenv | search.c:22:24:22:28 | query |
-| search.c:41:21:41:26 | call to getenv | search.c:22:24:22:28 | query |
+| search.c:51:21:51:26 | call to getenv | search.c:14:24:14:28 | *query |
+| search.c:51:21:51:26 | call to getenv | search.c:14:24:14:28 | *query |
+| search.c:51:21:51:26 | call to getenv | search.c:14:24:14:28 | query |
+| search.c:51:21:51:26 | call to getenv | search.c:14:24:14:28 | query |
+| search.c:51:21:51:26 | call to getenv | search.c:22:24:22:28 | *query |
+| search.c:51:21:51:26 | call to getenv | search.c:22:24:22:28 | *query |
+| search.c:51:21:51:26 | call to getenv | search.c:22:24:22:28 | query |
+| search.c:51:21:51:26 | call to getenv | search.c:22:24:22:28 | query |
 nodes
 | search.c:14:24:14:28 | *query | semmle.label | *query |
 | search.c:14:24:14:28 | query | semmle.label | query |
@@ -29,12 +29,12 @@ nodes
 | search.c:23:39:23:43 | query | semmle.label | query |
 | search.c:23:39:23:43 | query | semmle.label | query |
 | search.c:23:39:23:43 | query | semmle.label | query |
-| search.c:41:21:41:26 | call to getenv | semmle.label | call to getenv |
-| search.c:41:21:41:26 | call to getenv | semmle.label | call to getenv |
-| search.c:45:5:45:15 | Argument 0 | semmle.label | Argument 0 |
-| search.c:45:17:45:25 | Argument 0 indirection | semmle.label | Argument 0 indirection |
-| search.c:47:5:47:15 | Argument 0 | semmle.label | Argument 0 |
-| search.c:47:17:47:25 | Argument 0 indirection | semmle.label | Argument 0 indirection |
+| search.c:51:21:51:26 | call to getenv | semmle.label | call to getenv |
+| search.c:51:21:51:26 | call to getenv | semmle.label | call to getenv |
+| search.c:55:5:55:15 | Argument 0 | semmle.label | Argument 0 |
+| search.c:55:17:55:25 | Argument 0 indirection | semmle.label | Argument 0 indirection |
+| search.c:57:5:57:15 | Argument 0 | semmle.label | Argument 0 |
+| search.c:57:17:57:25 | Argument 0 indirection | semmle.label | Argument 0 indirection |
 #select
-| search.c:17:8:17:12 | query | search.c:41:21:41:26 | call to getenv | search.c:17:8:17:12 | query | Cross-site scripting vulnerability due to $@. | search.c:41:21:41:26 | call to getenv | this query data |
-| search.c:23:39:23:43 | query | search.c:41:21:41:26 | call to getenv | search.c:23:39:23:43 | query | Cross-site scripting vulnerability due to $@. | search.c:41:21:41:26 | call to getenv | this query data |
+| search.c:17:8:17:12 | query | search.c:51:21:51:26 | call to getenv | search.c:17:8:17:12 | query | Cross-site scripting vulnerability due to $@. | search.c:51:21:51:26 | call to getenv | this query data |
+| search.c:23:39:23:43 | query | search.c:51:21:51:26 | call to getenv | search.c:23:39:23:43 | query | Cross-site scripting vulnerability due to $@. | search.c:51:21:51:26 | call to getenv | this query data |
diff --git a/cpp/ql/test/query-tests/Security/CWE/CWE-079/semmle/CgiXss/search.c b/cpp/ql/test/query-tests/Security/CWE/CWE-079/semmle/CgiXss/search.c
index df9a09ded59..987535fcafc 100644
--- a/cpp/ql/test/query-tests/Security/CWE/CWE-079/semmle/CgiXss/search.c
+++ b/cpp/ql/test/query-tests/Security/CWE/CWE-079/semmle/CgiXss/search.c
@@ -26,7 +26,7 @@ void bad_server2(char* query) {
   puts(do_search(query));
 }
 
-void good_server(char* query) {
+void good_server1(char* query) {
   puts("<p>Query results for ");
   // GOOD: Escape HTML characters before adding to a page
   char* query_escaped = escape_html(query);
@@ -37,14 +37,26 @@ void good_server(char* query) {
   puts(do_search(query));
 }
 
+int snprintf(char *, int, const char *, ...);
+
+void good_server2(char* query) {
+  puts("<p>Query results for ");
+  // GOOD: Only an integer is added to the page.
+  int i = 0;
+  snprintf(query, 16, "value=%i", &i);
+  printf("\n<p>%i</p>\n", i);
+}
+
 int main(int argc, char** argv) {
   char* raw_query = getenv("QUERY_STRING");
-  if (strcmp("good", argv[0]) == 0) {
-    good_server(raw_query);
+  if (strcmp("good1", argv[0]) == 0) {
+    good_server1(raw_query);
   } else if (strcmp("bad1", argv[0]) == 0) {
     bad_server1(raw_query);
-  } else {
+  } else if (strcmp("bad2", argv[0]) == 0) {
     bad_server2(raw_query);
+  } else if (strcmp("good2", argv[0]) == 0) {
+    good_server2(raw_query);
   }
 }
 

From 58230d6d0a333266d6dc95feac6b67c0e7868073 Mon Sep 17 00:00:00 2001
From: Geoffrey White <40627776+geoffw0@users.noreply.github.com>
Date: Tue, 16 Feb 2021 18:00:23 +0000
Subject: [PATCH 412/429] C++: Model BSL in Fread.qll.

---
 cpp/ql/src/semmle/code/cpp/models/implementations/Fread.qll | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)

diff --git a/cpp/ql/src/semmle/code/cpp/models/implementations/Fread.qll b/cpp/ql/src/semmle/code/cpp/models/implementations/Fread.qll
index 9524b18b0a2..df2d92fbc4f 100644
--- a/cpp/ql/src/semmle/code/cpp/models/implementations/Fread.qll
+++ b/cpp/ql/src/semmle/code/cpp/models/implementations/Fread.qll
@@ -2,7 +2,7 @@ import semmle.code.cpp.models.interfaces.Alias
 import semmle.code.cpp.models.interfaces.FlowSource
 
 private class Fread extends AliasFunction, RemoteFlowSourceFunction {
-  Fread() { this.hasGlobalName("fread") }
+  Fread() { this.hasGlobalOrStdOrBslName("fread") }
 
   override predicate parameterNeverEscapes(int n) {
     n = 0 or

From 3323683ab2be20c349ff839a9391bc8bb7fa3f4f Mon Sep 17 00:00:00 2001
From: Geoffrey White <40627776+geoffw0@users.noreply.github.com>
Date: Tue, 16 Feb 2021 19:10:39 +0000
Subject: [PATCH 413/429] C++: Support BSL in Allocation.qll, Deallocation.qll.

---
 .../semmle/code/cpp/models/implementations/Allocation.qll | 6 +++---
 .../code/cpp/models/implementations/Deallocation.qll      | 8 ++++++--
 2 files changed, 9 insertions(+), 5 deletions(-)

diff --git a/cpp/ql/src/semmle/code/cpp/models/implementations/Allocation.qll b/cpp/ql/src/semmle/code/cpp/models/implementations/Allocation.qll
index 91ec1525834..25dae1c2fd1 100644
--- a/cpp/ql/src/semmle/code/cpp/models/implementations/Allocation.qll
+++ b/cpp/ql/src/semmle/code/cpp/models/implementations/Allocation.qll
@@ -15,7 +15,7 @@ private class MallocAllocationFunction extends AllocationFunction {
 
   MallocAllocationFunction() {
     // --- C library allocation
-    hasGlobalOrStdName("malloc") and // malloc(size)
+    hasGlobalOrStdOrBslName("malloc") and // malloc(size)
     sizeArg = 0
     or
     hasGlobalName([
@@ -104,7 +104,7 @@ private class CallocAllocationFunction extends AllocationFunction {
 
   CallocAllocationFunction() {
     // --- C library allocation
-    hasGlobalOrStdName("calloc") and // calloc(num, size)
+    hasGlobalOrStdOrBslName("calloc") and // calloc(num, size)
     sizeArg = 1 and
     multArg = 0
   }
@@ -124,7 +124,7 @@ private class ReallocAllocationFunction extends AllocationFunction {
 
   ReallocAllocationFunction() {
     // --- C library allocation
-    hasGlobalOrStdName("realloc") and // realloc(ptr, size)
+    hasGlobalOrStdOrBslName("realloc") and // realloc(ptr, size)
     sizeArg = 1 and
     reallocArg = 0
     or
diff --git a/cpp/ql/src/semmle/code/cpp/models/implementations/Deallocation.qll b/cpp/ql/src/semmle/code/cpp/models/implementations/Deallocation.qll
index b56c8c21949..6bd2916b733 100644
--- a/cpp/ql/src/semmle/code/cpp/models/implementations/Deallocation.qll
+++ b/cpp/ql/src/semmle/code/cpp/models/implementations/Deallocation.qll
@@ -13,9 +13,13 @@ private class StandardDeallocationFunction extends DeallocationFunction {
   int freedArg;
 
   StandardDeallocationFunction() {
-    hasGlobalName([
+    hasGlobalOrStdOrBslName([
         // --- C library allocation
-        "free", "realloc",
+        "free", "realloc"
+      ]) and
+    freedArg = 0
+    or
+    hasGlobalName([
         // --- OpenSSL memory allocation
         "CRYPTO_free", "CRYPTO_secure_free"
       ]) and

From d98aae9fc159c676f4649cfb7a24aa0620449553 Mon Sep 17 00:00:00 2001
From: Rasmus Wriedt Larsen <rasmuswl@github.com>
Date: Tue, 16 Feb 2021 23:44:03 +0100
Subject: [PATCH 414/429] Python: Expose framework identifier for route-setup
 and req handler

This makes collecting metrics on framework coverage a bit simpler (specifically
giving the RoutedParameter class a more descriptive result for getSourceType).

I guess it can also help a bit when trying to get an overview of a new DB, but
making metrics collection easier is my main motivation for this.
---
 python/ql/src/semmle/python/Concepts.qll      | 20 +++++++++++++++++--
 .../src/semmle/python/frameworks/Django.qll   |  4 ++++
 .../ql/src/semmle/python/frameworks/Flask.qll |  4 ++++
 .../src/semmle/python/frameworks/Stdlib.qll   |  2 ++
 .../src/semmle/python/frameworks/Tornado.qll  |  6 +++++-
 5 files changed, 33 insertions(+), 3 deletions(-)

diff --git a/python/ql/src/semmle/python/Concepts.qll b/python/ql/src/semmle/python/Concepts.qll
index b81817d7f10..c6d1ce367e9 100644
--- a/python/ql/src/semmle/python/Concepts.qll
+++ b/python/ql/src/semmle/python/Concepts.qll
@@ -325,6 +325,9 @@ module HTTP {
        * requests for this route, if any. These automatically become a `RemoteFlowSource`.
        */
       Parameter getARoutedParameter() { result = range.getARoutedParameter() }
+
+      /** Gets a string that identifies the framework used for this route setup. */
+      string getFramework() { result = range.getFramework() }
     }
 
     /** Provides a class for modeling new HTTP routing APIs. */
@@ -359,6 +362,9 @@ module HTTP {
          * requests for this route, if any. These automatically become a `RemoteFlowSource`.
          */
         abstract Parameter getARoutedParameter();
+
+        /** Gets a string that identifies the framework used for this route setup. */
+        abstract string getFramework();
       }
     }
 
@@ -378,6 +384,9 @@ module HTTP {
        * requests, if any. These automatically become a `RemoteFlowSource`.
        */
       Parameter getARoutedParameter() { result = range.getARoutedParameter() }
+
+      /** Gets a string that identifies the framework used for this route setup. */
+      string getFramework() { result = range.getFramework() }
     }
 
     /** Provides a class for modeling new HTTP request handlers. */
@@ -396,6 +405,9 @@ module HTTP {
          * requests, if any. These automatically become a `RemoteFlowSource`.
          */
         abstract Parameter getARoutedParameter();
+
+        /** Gets a string that identifies the framework used for this request handler. */
+        abstract string getFramework();
       }
     }
 
@@ -408,13 +420,17 @@ module HTTP {
         result = rs.getARoutedParameter() and
         result in [this.getArg(_), this.getArgByName(_)]
       }
+
+      override string getFramework() { result = rs.getFramework() }
     }
 
     /** A parameter that will receive parts of the url when handling an incoming request. */
     private class RoutedParameter extends RemoteFlowSource::Range, DataFlow::ParameterNode {
-      RoutedParameter() { this.getParameter() = any(RequestHandler handler).getARoutedParameter() }
+      RequestHandler handler;
 
-      override string getSourceType() { result = "RoutedParameter" }
+      RoutedParameter() { this.getParameter() = handler.getARoutedParameter() }
+
+      override string getSourceType() { result = handler.getFramework() + " RoutedParameter" }
     }
 
     /**
diff --git a/python/ql/src/semmle/python/frameworks/Django.qll b/python/ql/src/semmle/python/frameworks/Django.qll
index 6e90d5adee0..fb9a77e1adc 100644
--- a/python/ql/src/semmle/python/frameworks/Django.qll
+++ b/python/ql/src/semmle/python/frameworks/Django.qll
@@ -2158,6 +2158,8 @@ private module Django {
         result = vc.getARequestHandler()
       )
     }
+
+    override string getFramework() { result = "Django" }
   }
 
   /** A request handler defined in a django view class, that has no known route. */
@@ -2175,6 +2177,8 @@ private module Django {
       result in [this.getArg(_), this.getArgByName(_)] and
       not result = any(int i | i <= this.getRequestParamIndex() | this.getArg(i))
     }
+
+    override string getFramework() { result = "Django" }
   }
 
   /**
diff --git a/python/ql/src/semmle/python/frameworks/Flask.qll b/python/ql/src/semmle/python/frameworks/Flask.qll
index fe394c6c8ac..c719291f3ca 100644
--- a/python/ql/src/semmle/python/frameworks/Flask.qll
+++ b/python/ql/src/semmle/python/frameworks/Flask.qll
@@ -219,6 +219,8 @@ private module FlaskModel {
         )
       )
     }
+
+    override string getFramework() { result = "Flask" }
   }
 
   /**
@@ -277,6 +279,8 @@ private module FlaskModel {
       result in [this.getArg(_), this.getArgByName(_)] and
       not result = this.getArg(0)
     }
+
+    override string getFramework() { result = "Flask" }
   }
 
   // ---------------------------------------------------------------------------
diff --git a/python/ql/src/semmle/python/frameworks/Stdlib.qll b/python/ql/src/semmle/python/frameworks/Stdlib.qll
index 5120534d014..e4b5dc91827 100644
--- a/python/ql/src/semmle/python/frameworks/Stdlib.qll
+++ b/python/ql/src/semmle/python/frameworks/Stdlib.qll
@@ -1629,6 +1629,8 @@ private module Stdlib {
       }
 
       override Parameter getARoutedParameter() { none() }
+
+      override string getFramework() { result = "Stdlib" }
     }
   }
 
diff --git a/python/ql/src/semmle/python/frameworks/Tornado.qll b/python/ql/src/semmle/python/frameworks/Tornado.qll
index 4351188d8bb..a43edcaca90 100644
--- a/python/ql/src/semmle/python/frameworks/Tornado.qll
+++ b/python/ql/src/semmle/python/frameworks/Tornado.qll
@@ -486,7 +486,9 @@ private module Tornado {
   }
 
   /** A tornado route setup. */
-  abstract class TornadoRouteSetup extends HTTP::Server::RouteSetup::Range { }
+  abstract class TornadoRouteSetup extends HTTP::Server::RouteSetup::Range {
+    override string getFramework() { result = "Tornado" }
+  }
 
   /**
    * A regex that is used to set up a route.
@@ -561,6 +563,8 @@ private module Tornado {
       result in [this.getArg(_), this.getArgByName(_)] and
       not result = this.getArg(0)
     }
+
+    override string getFramework() { result = "Tornado" }
   }
 
   // ---------------------------------------------------------------------------

From f5d5460dde1768b82c7ac21bd022d99f8d3e427e Mon Sep 17 00:00:00 2001
From: Mathias Vorreiter Pedersen <mathiasvp@github.com>
Date: Wed, 17 Feb 2021 10:53:31 +0100
Subject: [PATCH 415/429] C++: Fix testcase.

---
 .../query-tests/Security/CWE/CWE-079/semmle/CgiXss/search.c   | 4 ++--
 1 file changed, 2 insertions(+), 2 deletions(-)

diff --git a/cpp/ql/test/query-tests/Security/CWE/CWE-079/semmle/CgiXss/search.c b/cpp/ql/test/query-tests/Security/CWE/CWE-079/semmle/CgiXss/search.c
index 987535fcafc..fd24379b890 100644
--- a/cpp/ql/test/query-tests/Security/CWE/CWE-079/semmle/CgiXss/search.c
+++ b/cpp/ql/test/query-tests/Security/CWE/CWE-079/semmle/CgiXss/search.c
@@ -37,13 +37,13 @@ void good_server1(char* query) {
   puts(do_search(query));
 }
 
-int snprintf(char *, int, const char *, ...);
+int scanf(const char *, ...);
 
 void good_server2(char* query) {
   puts("<p>Query results for ");
   // GOOD: Only an integer is added to the page.
   int i = 0;
-  snprintf(query, 16, "value=%i", &i);
+  sscanf(query, "value=%i", &i);
   printf("\n<p>%i</p>\n", i);
 }
 

From 2927d888cfb707df389b75626c07e35de7ad652d Mon Sep 17 00:00:00 2001
From: Rasmus Wriedt Larsen <rasmuswl@github.com>
Date: Wed, 17 Feb 2021 11:20:00 +0100
Subject: [PATCH 416/429] Python: Fix location of PathInjection tests

---
 .../Injection/{TarSlip => }/PathInjection/PathInjection.expected  | 0
 .../Injection/{TarSlip => }/PathInjection/PathInjection.qlref     | 0
 .../Injection/{TarSlip => }/PathInjection/path_injection.py       | 0
 .../Security/Injection/{TarSlip => }/PathInjection/test.py        | 0
 .../Injection/{TarSlip => }/PathInjection/test_chaining.py        | 0
 5 files changed, 0 insertions(+), 0 deletions(-)
 rename python/ql/test/query-tests/Security/Injection/{TarSlip => }/PathInjection/PathInjection.expected (100%)
 rename python/ql/test/query-tests/Security/Injection/{TarSlip => }/PathInjection/PathInjection.qlref (100%)
 rename python/ql/test/query-tests/Security/Injection/{TarSlip => }/PathInjection/path_injection.py (100%)
 rename python/ql/test/query-tests/Security/Injection/{TarSlip => }/PathInjection/test.py (100%)
 rename python/ql/test/query-tests/Security/Injection/{TarSlip => }/PathInjection/test_chaining.py (100%)

diff --git a/python/ql/test/query-tests/Security/Injection/TarSlip/PathInjection/PathInjection.expected b/python/ql/test/query-tests/Security/Injection/PathInjection/PathInjection.expected
similarity index 100%
rename from python/ql/test/query-tests/Security/Injection/TarSlip/PathInjection/PathInjection.expected
rename to python/ql/test/query-tests/Security/Injection/PathInjection/PathInjection.expected
diff --git a/python/ql/test/query-tests/Security/Injection/TarSlip/PathInjection/PathInjection.qlref b/python/ql/test/query-tests/Security/Injection/PathInjection/PathInjection.qlref
similarity index 100%
rename from python/ql/test/query-tests/Security/Injection/TarSlip/PathInjection/PathInjection.qlref
rename to python/ql/test/query-tests/Security/Injection/PathInjection/PathInjection.qlref
diff --git a/python/ql/test/query-tests/Security/Injection/TarSlip/PathInjection/path_injection.py b/python/ql/test/query-tests/Security/Injection/PathInjection/path_injection.py
similarity index 100%
rename from python/ql/test/query-tests/Security/Injection/TarSlip/PathInjection/path_injection.py
rename to python/ql/test/query-tests/Security/Injection/PathInjection/path_injection.py
diff --git a/python/ql/test/query-tests/Security/Injection/TarSlip/PathInjection/test.py b/python/ql/test/query-tests/Security/Injection/PathInjection/test.py
similarity index 100%
rename from python/ql/test/query-tests/Security/Injection/TarSlip/PathInjection/test.py
rename to python/ql/test/query-tests/Security/Injection/PathInjection/test.py
diff --git a/python/ql/test/query-tests/Security/Injection/TarSlip/PathInjection/test_chaining.py b/python/ql/test/query-tests/Security/Injection/PathInjection/test_chaining.py
similarity index 100%
rename from python/ql/test/query-tests/Security/Injection/TarSlip/PathInjection/test_chaining.py
rename to python/ql/test/query-tests/Security/Injection/PathInjection/test_chaining.py

From 1b148c4c906645873ce1fafa960eb0021f693386 Mon Sep 17 00:00:00 2001
From: Mathias Vorreiter Pedersen <mathiasvp@github.com>
Date: Wed, 17 Feb 2021 11:20:00 +0100
Subject: [PATCH 417/429] C++: Add reduced testcase demonstrating the problem
 in codeql-c-analysis-team/issues/231.

---
 .../dataflow/taint-tests/localTaint.expected  | 15 +++++++++++
 .../dataflow/taint-tests/taint.cpp            | 26 +++++++++++++++++++
 2 files changed, 41 insertions(+)

diff --git a/cpp/ql/test/library-tests/dataflow/taint-tests/localTaint.expected b/cpp/ql/test/library-tests/dataflow/taint-tests/localTaint.expected
index 9f038101d67..02ebcd3e1b7 100644
--- a/cpp/ql/test/library-tests/dataflow/taint-tests/localTaint.expected
+++ b/cpp/ql/test/library-tests/dataflow/taint-tests/localTaint.expected
@@ -6042,6 +6042,21 @@
 | taint.cpp:631:6:631:14 | call to _strnextc | taint.cpp:631:2:631:18 | ... = ... |  |
 | taint.cpp:631:6:631:14 | call to _strnextc | taint.cpp:632:7:632:7 | c |  |
 | taint.cpp:631:16:631:17 |  | taint.cpp:631:6:631:14 | call to _strnextc | TAINT |
+| taint.cpp:640:9:640:12 | this | taint.cpp:640:25:640:29 | this |  |
+| taint.cpp:643:33:643:38 | source | taint.cpp:645:20:645:25 | source |  |
+| taint.cpp:644:30:644:30 | c | taint.cpp:645:10:645:10 | c |  |
+| taint.cpp:644:30:644:30 | c | taint.cpp:646:8:646:8 | c |  |
+| taint.cpp:645:10:645:10 | ref arg c | taint.cpp:646:8:646:8 | c |  |
+| taint.cpp:645:12:645:15 | call to data | taint.cpp:645:3:645:8 | call to memcpy |  |
+| taint.cpp:645:20:645:25 | source | taint.cpp:645:3:645:8 | call to memcpy | TAINT |
+| taint.cpp:645:20:645:25 | source | taint.cpp:645:12:645:15 | ref arg call to data | TAINT |
+| taint.cpp:652:9:652:12 | this | taint.cpp:652:31:652:35 | this |  |
+| taint.cpp:655:35:655:40 | source | taint.cpp:657:20:657:25 | source |  |
+| taint.cpp:656:27:656:27 | c | taint.cpp:657:10:657:10 | c |  |
+| taint.cpp:656:27:656:27 | c | taint.cpp:658:8:658:8 | c |  |
+| taint.cpp:657:12:657:15 | call to data | taint.cpp:657:3:657:8 | call to memcpy |  |
+| taint.cpp:657:20:657:25 | source | taint.cpp:657:3:657:8 | call to memcpy | TAINT |
+| taint.cpp:657:20:657:25 | source | taint.cpp:657:12:657:15 | ref arg call to data | TAINT |
 | vector.cpp:16:43:16:49 | source1 | vector.cpp:17:26:17:32 | source1 |  |
 | vector.cpp:16:43:16:49 | source1 | vector.cpp:31:38:31:44 | source1 |  |
 | vector.cpp:17:21:17:33 | call to vector | vector.cpp:19:14:19:14 | v |  |
diff --git a/cpp/ql/test/library-tests/dataflow/taint-tests/taint.cpp b/cpp/ql/test/library-tests/dataflow/taint-tests/taint.cpp
index 44d84c0c0b0..9a55aaaaaba 100644
--- a/cpp/ql/test/library-tests/dataflow/taint-tests/taint.cpp
+++ b/cpp/ql/test/library-tests/dataflow/taint-tests/taint.cpp
@@ -630,4 +630,30 @@ void test__strnextc(const char* source) {
 	} while(c != '\0');
 	c = _strnextc("");
 	sink(c);
+}
+
+// --- taint through const specified function ---
+
+class C_no_const_member_function {
+  char* data_;
+public:
+  char* data() { return data_; }
+};
+
+void test_no_const_member(char* source) {
+  C_no_const_member_function c;
+  memcpy(c.data(), source, 16);
+  sink(c.data()); // $ ast MISSING: ir
+}
+
+class C_const_member_function {
+  char* data_;
+public:
+  char* data() const { return data_; }
+};
+
+void test_with_const_member(char* source) {
+  C_const_member_function c;
+  memcpy(c.data(), source, 16);
+  sink(c.data()); // $ MISSING: ast, ir
 }
\ No newline at end of file

From 1adb5105780859bd0ee57da7cad7258566edf2e7 Mon Sep 17 00:00:00 2001
From: Rasmus Wriedt Larsen <rasmuswl@github.com>
Date: Wed, 17 Feb 2021 11:24:11 +0100
Subject: [PATCH 418/429] Python: Add a single missing QLDoc

---
 python/ql/src/POI/ExternalAPIs/ExternalAPIs.qll | 1 +
 1 file changed, 1 insertion(+)

diff --git a/python/ql/src/POI/ExternalAPIs/ExternalAPIs.qll b/python/ql/src/POI/ExternalAPIs/ExternalAPIs.qll
index da52edd6af1..b3482012e9a 100644
--- a/python/ql/src/POI/ExternalAPIs/ExternalAPIs.qll
+++ b/python/ql/src/POI/ExternalAPIs/ExternalAPIs.qll
@@ -41,6 +41,7 @@ private import semmle.python.objects.ObjectInternal
  * A callable that is considered a "safe" external API from a security perspective.
  */
 class SafeExternalAPI extends Unit {
+  /** Gets a callable that is considered a "safe" external API from a security perspective. */
   abstract DataFlowPrivate::DataFlowCallable getSafeCallable();
 }
 

From dec026a820c8efa0813bf64145d01e60c8f9db13 Mon Sep 17 00:00:00 2001
From: Rasmus Wriedt Larsen <rasmuswl@github.com>
Date: Wed, 17 Feb 2021 11:26:02 +0100
Subject: [PATCH 419/429] Python: Fix security qlref to have single empty line

---
 .../BadPractice/BindToAllInterfaces/BindToAllInterfaces.qlref   | 2 +-
 .../BadPractice/HardcodedCredentials/HardcodedCredentials.qlref | 2 +-
 .../IncompleteUrlSanitizer/IncompleteHostnameRegExp.qlref       | 2 +-
 .../IncompleteUrlSubstringSanitization.qlref                    | 2 +-
 .../Exposure/SensitiveDataExposure/CleartextLogging.qlref       | 2 +-
 .../Exposure/SensitiveDataExposure/CleartextStorage.qlref       | 2 +-
 .../Security/Injection/OpenRedirect/UrlRedirect.qlref           | 1 -
 7 files changed, 6 insertions(+), 7 deletions(-)

diff --git a/python/ql/test/query-tests/Security/BadPractice/BindToAllInterfaces/BindToAllInterfaces.qlref b/python/ql/test/query-tests/Security/BadPractice/BindToAllInterfaces/BindToAllInterfaces.qlref
index 29aa18f4b41..adef42d0768 100644
--- a/python/ql/test/query-tests/Security/BadPractice/BindToAllInterfaces/BindToAllInterfaces.qlref
+++ b/python/ql/test/query-tests/Security/BadPractice/BindToAllInterfaces/BindToAllInterfaces.qlref
@@ -1 +1 @@
-Security/BadPractice/BindToAllInterfaces/BindToAllInterfaces.ql
\ No newline at end of file
+Security/BadPractice/BindToAllInterfaces/BindToAllInterfaces.ql
diff --git a/python/ql/test/query-tests/Security/BadPractice/HardcodedCredentials/HardcodedCredentials.qlref b/python/ql/test/query-tests/Security/BadPractice/HardcodedCredentials/HardcodedCredentials.qlref
index 9ced1d74449..ff70ade48e7 100644
--- a/python/ql/test/query-tests/Security/BadPractice/HardcodedCredentials/HardcodedCredentials.qlref
+++ b/python/ql/test/query-tests/Security/BadPractice/HardcodedCredentials/HardcodedCredentials.qlref
@@ -1 +1 @@
-Security/BadPractice/HardcodedCredentials/HardcodedCredentials.ql
\ No newline at end of file
+Security/BadPractice/HardcodedCredentials/HardcodedCredentials.ql
diff --git a/python/ql/test/query-tests/Security/BadPractice/IncompleteUrlSanitizer/IncompleteHostnameRegExp.qlref b/python/ql/test/query-tests/Security/BadPractice/IncompleteUrlSanitizer/IncompleteHostnameRegExp.qlref
index 7c132ddf232..2fac15c1228 100644
--- a/python/ql/test/query-tests/Security/BadPractice/IncompleteUrlSanitizer/IncompleteHostnameRegExp.qlref
+++ b/python/ql/test/query-tests/Security/BadPractice/IncompleteUrlSanitizer/IncompleteHostnameRegExp.qlref
@@ -1 +1 @@
-Security/BadPractice/IncompleteUrlSanitizer/IncompleteHostnameRegExp.ql
\ No newline at end of file
+Security/BadPractice/IncompleteUrlSanitizer/IncompleteHostnameRegExp.ql
diff --git a/python/ql/test/query-tests/Security/BadPractice/IncompleteUrlSanitizer/IncompleteUrlSubstringSanitization.qlref b/python/ql/test/query-tests/Security/BadPractice/IncompleteUrlSanitizer/IncompleteUrlSubstringSanitization.qlref
index f41c8ec32d5..00a3a8dad07 100644
--- a/python/ql/test/query-tests/Security/BadPractice/IncompleteUrlSanitizer/IncompleteUrlSubstringSanitization.qlref
+++ b/python/ql/test/query-tests/Security/BadPractice/IncompleteUrlSanitizer/IncompleteUrlSubstringSanitization.qlref
@@ -1 +1 @@
-Security/BadPractice/IncompleteUrlSanitizer/IncompleteUrlSubstringSanitization.ql
\ No newline at end of file
+Security/BadPractice/IncompleteUrlSanitizer/IncompleteUrlSubstringSanitization.ql
diff --git a/python/ql/test/query-tests/Security/Exposure/SensitiveDataExposure/CleartextLogging.qlref b/python/ql/test/query-tests/Security/Exposure/SensitiveDataExposure/CleartextLogging.qlref
index 176057d5c62..e6c1510a3b2 100644
--- a/python/ql/test/query-tests/Security/Exposure/SensitiveDataExposure/CleartextLogging.qlref
+++ b/python/ql/test/query-tests/Security/Exposure/SensitiveDataExposure/CleartextLogging.qlref
@@ -1 +1 @@
-Security/Exposure/SensitiveDataExposure/CleartextLogging.ql
\ No newline at end of file
+Security/Exposure/SensitiveDataExposure/CleartextLogging.ql
diff --git a/python/ql/test/query-tests/Security/Exposure/SensitiveDataExposure/CleartextStorage.qlref b/python/ql/test/query-tests/Security/Exposure/SensitiveDataExposure/CleartextStorage.qlref
index 1feacb96d8c..63f1d245881 100644
--- a/python/ql/test/query-tests/Security/Exposure/SensitiveDataExposure/CleartextStorage.qlref
+++ b/python/ql/test/query-tests/Security/Exposure/SensitiveDataExposure/CleartextStorage.qlref
@@ -1 +1 @@
-Security/Exposure/SensitiveDataExposure/CleartextStorage.ql
\ No newline at end of file
+Security/Exposure/SensitiveDataExposure/CleartextStorage.ql
diff --git a/python/ql/test/query-tests/Security/Injection/OpenRedirect/UrlRedirect.qlref b/python/ql/test/query-tests/Security/Injection/OpenRedirect/UrlRedirect.qlref
index ce10eb1f21a..492b7a69453 100644
--- a/python/ql/test/query-tests/Security/Injection/OpenRedirect/UrlRedirect.qlref
+++ b/python/ql/test/query-tests/Security/Injection/OpenRedirect/UrlRedirect.qlref
@@ -1,2 +1 @@
 Security/Injection/OpenRedirect/OpenRedirect.ql
-

From cf9ad0cdc5d88d128f95a5b19fc0fba62cbd242e Mon Sep 17 00:00:00 2001
From: Rasmus Wriedt Larsen <rasmuswl@github.com>
Date: Wed, 17 Feb 2021 11:29:33 +0100
Subject: [PATCH 420/429] Python: Move ExternalAPI queries back under Security

This was raised as a question at review, and I don't really have a good enough
argument for moving it under POI. At the end of the day, they are _security_
related enough I guess :)
---
 .../src/{POI => Security}/ExternalAPIs/ExternalAPISinkExample.py | 0
 .../ExternalAPIs/ExternalAPITaintStepExample.py                  | 0
 python/ql/src/{POI => Security}/ExternalAPIs/ExternalAPIs.qll    | 0
 .../ExternalAPIs/ExternalAPIsUsedWithUntrustedData.qhelp         | 0
 .../ExternalAPIs/ExternalAPIsUsedWithUntrustedData.ql            | 0
 .../ExternalAPIs/UntrustedDataToExternalAPI.qhelp                | 0
 .../{POI => Security}/ExternalAPIs/UntrustedDataToExternalAPI.ql | 0
 .../POI/ExternalAPIs/ExternalAPIsUsedWithUntrustedData.qlref     | 1 -
 .../POI/ExternalAPIs/UntrustedDataToExternalAPI.qlref            | 1 -
 .../ExternalAPIs/ExternalAPIsUsedWithUntrustedData.expected      | 0
 .../ExternalAPIs/ExternalAPIsUsedWithUntrustedData.qlref         | 1 +
 .../ExternalAPIs/UntrustedDataToExternalAPI.expected             | 0
 .../Security/ExternalAPIs/UntrustedDataToExternalAPI.qlref       | 1 +
 .../ql/test/query-tests/{POI => Security}/ExternalAPIs/test.py   | 0
 14 files changed, 2 insertions(+), 2 deletions(-)
 rename python/ql/src/{POI => Security}/ExternalAPIs/ExternalAPISinkExample.py (100%)
 rename python/ql/src/{POI => Security}/ExternalAPIs/ExternalAPITaintStepExample.py (100%)
 rename python/ql/src/{POI => Security}/ExternalAPIs/ExternalAPIs.qll (100%)
 rename python/ql/src/{POI => Security}/ExternalAPIs/ExternalAPIsUsedWithUntrustedData.qhelp (100%)
 rename python/ql/src/{POI => Security}/ExternalAPIs/ExternalAPIsUsedWithUntrustedData.ql (100%)
 rename python/ql/src/{POI => Security}/ExternalAPIs/UntrustedDataToExternalAPI.qhelp (100%)
 rename python/ql/src/{POI => Security}/ExternalAPIs/UntrustedDataToExternalAPI.ql (100%)
 delete mode 100644 python/ql/test/query-tests/POI/ExternalAPIs/ExternalAPIsUsedWithUntrustedData.qlref
 delete mode 100644 python/ql/test/query-tests/POI/ExternalAPIs/UntrustedDataToExternalAPI.qlref
 rename python/ql/test/query-tests/{POI => Security}/ExternalAPIs/ExternalAPIsUsedWithUntrustedData.expected (100%)
 create mode 100644 python/ql/test/query-tests/Security/ExternalAPIs/ExternalAPIsUsedWithUntrustedData.qlref
 rename python/ql/test/query-tests/{POI => Security}/ExternalAPIs/UntrustedDataToExternalAPI.expected (100%)
 create mode 100644 python/ql/test/query-tests/Security/ExternalAPIs/UntrustedDataToExternalAPI.qlref
 rename python/ql/test/query-tests/{POI => Security}/ExternalAPIs/test.py (100%)

diff --git a/python/ql/src/POI/ExternalAPIs/ExternalAPISinkExample.py b/python/ql/src/Security/ExternalAPIs/ExternalAPISinkExample.py
similarity index 100%
rename from python/ql/src/POI/ExternalAPIs/ExternalAPISinkExample.py
rename to python/ql/src/Security/ExternalAPIs/ExternalAPISinkExample.py
diff --git a/python/ql/src/POI/ExternalAPIs/ExternalAPITaintStepExample.py b/python/ql/src/Security/ExternalAPIs/ExternalAPITaintStepExample.py
similarity index 100%
rename from python/ql/src/POI/ExternalAPIs/ExternalAPITaintStepExample.py
rename to python/ql/src/Security/ExternalAPIs/ExternalAPITaintStepExample.py
diff --git a/python/ql/src/POI/ExternalAPIs/ExternalAPIs.qll b/python/ql/src/Security/ExternalAPIs/ExternalAPIs.qll
similarity index 100%
rename from python/ql/src/POI/ExternalAPIs/ExternalAPIs.qll
rename to python/ql/src/Security/ExternalAPIs/ExternalAPIs.qll
diff --git a/python/ql/src/POI/ExternalAPIs/ExternalAPIsUsedWithUntrustedData.qhelp b/python/ql/src/Security/ExternalAPIs/ExternalAPIsUsedWithUntrustedData.qhelp
similarity index 100%
rename from python/ql/src/POI/ExternalAPIs/ExternalAPIsUsedWithUntrustedData.qhelp
rename to python/ql/src/Security/ExternalAPIs/ExternalAPIsUsedWithUntrustedData.qhelp
diff --git a/python/ql/src/POI/ExternalAPIs/ExternalAPIsUsedWithUntrustedData.ql b/python/ql/src/Security/ExternalAPIs/ExternalAPIsUsedWithUntrustedData.ql
similarity index 100%
rename from python/ql/src/POI/ExternalAPIs/ExternalAPIsUsedWithUntrustedData.ql
rename to python/ql/src/Security/ExternalAPIs/ExternalAPIsUsedWithUntrustedData.ql
diff --git a/python/ql/src/POI/ExternalAPIs/UntrustedDataToExternalAPI.qhelp b/python/ql/src/Security/ExternalAPIs/UntrustedDataToExternalAPI.qhelp
similarity index 100%
rename from python/ql/src/POI/ExternalAPIs/UntrustedDataToExternalAPI.qhelp
rename to python/ql/src/Security/ExternalAPIs/UntrustedDataToExternalAPI.qhelp
diff --git a/python/ql/src/POI/ExternalAPIs/UntrustedDataToExternalAPI.ql b/python/ql/src/Security/ExternalAPIs/UntrustedDataToExternalAPI.ql
similarity index 100%
rename from python/ql/src/POI/ExternalAPIs/UntrustedDataToExternalAPI.ql
rename to python/ql/src/Security/ExternalAPIs/UntrustedDataToExternalAPI.ql
diff --git a/python/ql/test/query-tests/POI/ExternalAPIs/ExternalAPIsUsedWithUntrustedData.qlref b/python/ql/test/query-tests/POI/ExternalAPIs/ExternalAPIsUsedWithUntrustedData.qlref
deleted file mode 100644
index af8f30055eb..00000000000
--- a/python/ql/test/query-tests/POI/ExternalAPIs/ExternalAPIsUsedWithUntrustedData.qlref
+++ /dev/null
@@ -1 +0,0 @@
-POI/ExternalAPIs/ExternalAPIsUsedWithUntrustedData.ql
diff --git a/python/ql/test/query-tests/POI/ExternalAPIs/UntrustedDataToExternalAPI.qlref b/python/ql/test/query-tests/POI/ExternalAPIs/UntrustedDataToExternalAPI.qlref
deleted file mode 100644
index 91c47f14b1c..00000000000
--- a/python/ql/test/query-tests/POI/ExternalAPIs/UntrustedDataToExternalAPI.qlref
+++ /dev/null
@@ -1 +0,0 @@
-POI/ExternalAPIs/UntrustedDataToExternalAPI.ql
diff --git a/python/ql/test/query-tests/POI/ExternalAPIs/ExternalAPIsUsedWithUntrustedData.expected b/python/ql/test/query-tests/Security/ExternalAPIs/ExternalAPIsUsedWithUntrustedData.expected
similarity index 100%
rename from python/ql/test/query-tests/POI/ExternalAPIs/ExternalAPIsUsedWithUntrustedData.expected
rename to python/ql/test/query-tests/Security/ExternalAPIs/ExternalAPIsUsedWithUntrustedData.expected
diff --git a/python/ql/test/query-tests/Security/ExternalAPIs/ExternalAPIsUsedWithUntrustedData.qlref b/python/ql/test/query-tests/Security/ExternalAPIs/ExternalAPIsUsedWithUntrustedData.qlref
new file mode 100644
index 00000000000..1968cf40cb8
--- /dev/null
+++ b/python/ql/test/query-tests/Security/ExternalAPIs/ExternalAPIsUsedWithUntrustedData.qlref
@@ -0,0 +1 @@
+Security/ExternalAPIs/ExternalAPIsUsedWithUntrustedData.ql
diff --git a/python/ql/test/query-tests/POI/ExternalAPIs/UntrustedDataToExternalAPI.expected b/python/ql/test/query-tests/Security/ExternalAPIs/UntrustedDataToExternalAPI.expected
similarity index 100%
rename from python/ql/test/query-tests/POI/ExternalAPIs/UntrustedDataToExternalAPI.expected
rename to python/ql/test/query-tests/Security/ExternalAPIs/UntrustedDataToExternalAPI.expected
diff --git a/python/ql/test/query-tests/Security/ExternalAPIs/UntrustedDataToExternalAPI.qlref b/python/ql/test/query-tests/Security/ExternalAPIs/UntrustedDataToExternalAPI.qlref
new file mode 100644
index 00000000000..bdbdbdb3ec7
--- /dev/null
+++ b/python/ql/test/query-tests/Security/ExternalAPIs/UntrustedDataToExternalAPI.qlref
@@ -0,0 +1 @@
+Security/ExternalAPIs/UntrustedDataToExternalAPI.ql
diff --git a/python/ql/test/query-tests/POI/ExternalAPIs/test.py b/python/ql/test/query-tests/Security/ExternalAPIs/test.py
similarity index 100%
rename from python/ql/test/query-tests/POI/ExternalAPIs/test.py
rename to python/ql/test/query-tests/Security/ExternalAPIs/test.py

From c07a60818c9f9af91496d12ff221940b971f0662 Mon Sep 17 00:00:00 2001
From: Geoffrey White <40627776+geoffw0@users.noreply.github.com>
Date: Wed, 17 Feb 2021 10:49:28 +0000
Subject: [PATCH 421/429] C++: Simplify IteratorAssignArithmeticOperator.

---
 .../src/semmle/code/cpp/models/implementations/Iterator.qll   | 4 +---
 1 file changed, 1 insertion(+), 3 deletions(-)

diff --git a/cpp/ql/src/semmle/code/cpp/models/implementations/Iterator.qll b/cpp/ql/src/semmle/code/cpp/models/implementations/Iterator.qll
index e8ad3d454d8..24d5456293f 100644
--- a/cpp/ql/src/semmle/code/cpp/models/implementations/Iterator.qll
+++ b/cpp/ql/src/semmle/code/cpp/models/implementations/Iterator.qll
@@ -157,11 +157,9 @@ private class IteratorSubOperator extends Operator, TaintFunction {
  * A non-member `operator+=` or `operator-=` function for an iterator type.
  */
 private class IteratorAssignArithmeticOperator extends Operator, DataFlowFunction, TaintFunction {
-  FunctionInput iteratorInput;
-
   IteratorAssignArithmeticOperator() {
     this.hasName(["operator+=", "operator-="]) and
-    iteratorInput = getIteratorArgumentInput(this, 0)
+    exists(getIteratorArgumentInput(this, 0))
   }
 
   override predicate hasDataFlow(FunctionInput input, FunctionOutput output) {

From 25beadcb0591ef119efee3720ac9a79412804678 Mon Sep 17 00:00:00 2001
From: Mathias Vorreiter Pedersen <mathiasvp@github.com>
Date: Wed, 17 Feb 2021 11:54:24 +0100
Subject: [PATCH 422/429] Update
 cpp/ql/test/query-tests/Security/CWE/CWE-079/semmle/CgiXss/search.c

Co-authored-by: Geoffrey White <40627776+geoffw0@users.noreply.github.com>
---
 .../query-tests/Security/CWE/CWE-079/semmle/CgiXss/search.c    | 3 +--
 1 file changed, 1 insertion(+), 2 deletions(-)

diff --git a/cpp/ql/test/query-tests/Security/CWE/CWE-079/semmle/CgiXss/search.c b/cpp/ql/test/query-tests/Security/CWE/CWE-079/semmle/CgiXss/search.c
index fd24379b890..77c830985d2 100644
--- a/cpp/ql/test/query-tests/Security/CWE/CWE-079/semmle/CgiXss/search.c
+++ b/cpp/ql/test/query-tests/Security/CWE/CWE-079/semmle/CgiXss/search.c
@@ -37,7 +37,7 @@ void good_server1(char* query) {
   puts(do_search(query));
 }
 
-int scanf(const char *, ...);
+int sscanf(const char *s, const char *format, ...);
 
 void good_server2(char* query) {
   puts("<p>Query results for ");
@@ -59,4 +59,3 @@ int main(int argc, char** argv) {
     good_server2(raw_query);
   }
 }
-

From a03507a544b8d2ecffa1344a5a5a3867ef62c403 Mon Sep 17 00:00:00 2001
From: Erik Krogh Kristensen <erik-krogh@github.com>
Date: Wed, 17 Feb 2021 13:12:35 +0100
Subject: [PATCH 423/429] avoid cartesian product in isFilteredPropertyName

---
 .../dataflow/CleartextLoggingCustomizations.qll    | 14 +++++---------
 1 file changed, 5 insertions(+), 9 deletions(-)

diff --git a/javascript/ql/src/semmle/javascript/security/dataflow/CleartextLoggingCustomizations.qll b/javascript/ql/src/semmle/javascript/security/dataflow/CleartextLoggingCustomizations.qll
index 78a26eb4228..b0b9632a63c 100644
--- a/javascript/ql/src/semmle/javascript/security/dataflow/CleartextLoggingCustomizations.qll
+++ b/javascript/ql/src/semmle/javascript/security/dataflow/CleartextLoggingCustomizations.qll
@@ -221,20 +221,16 @@ module CleartextLogging {
   /**
    * Holds if `name` is filtered by e.g. a regular-expression test or a filter call.
    */
-  private predicate isFilteredPropertyName(DataFlow::Node name) {
+  private predicate isFilteredPropertyName(DataFlow::SourceNode name) {
     exists(DataFlow::MethodCallNode reduceCall |
-      reduceCall.getABoundCallbackParameter(0, 1).flowsTo(name) and
-      reduceCall.getMethodName() = "reduce"
+      reduceCall.getMethodName() = "reduce" and
+      reduceCall.getABoundCallbackParameter(0, 1) = name
     |
       reduceCall.getReceiver+().(DataFlow::MethodCallNode).getMethodName() = "filter"
     )
     or
-    exists(StringOps::RegExpTest test |
-      test.getStringOperand().getALocalSource() = name.getALocalSource()
-    )
+    exists(StringOps::RegExpTest test | test.getStringOperand().getALocalSource() = name)
     or
-    exists(MembershipCandidate test |
-      test.getAMemberNode().getALocalSource() = name.getALocalSource()
-    )
+    exists(MembershipCandidate test | test.getAMemberNode().getALocalSource() = name)
   }
 }

From a4de88d39c6370cec253966826d7d08ec66c859f Mon Sep 17 00:00:00 2001
From: Rasmus Wriedt Larsen <rasmuswl@github.com>
Date: Wed, 17 Feb 2021 13:11:40 +0100
Subject: [PATCH 424/429] Python: Update type-tracking snippet

based on what I learned in https://github.com/github/codeql/pull/5184
---
 python/.vscode/ql.code-snippets                          | 8 ++++----
 python/ql/src/semmle/python/dataflow/new/TypeTracker.qll | 4 ++--
 2 files changed, 6 insertions(+), 6 deletions(-)

diff --git a/python/.vscode/ql.code-snippets b/python/.vscode/ql.code-snippets
index 80c6ef1290d..6ccb9aa6657 100644
--- a/python/.vscode/ql.code-snippets
+++ b/python/.vscode/ql.code-snippets
@@ -105,8 +105,8 @@
         "scope": "ql",
         "prefix": "type tracking",
         "body": [
-            "/** Gets a reference to a ${3:thing}. */",
-            "private DataFlow::Node ${1:myType}(DataFlow::TypeTracker t) {",
+            "/** Gets a reference to ${3:a thing}. */",
+            "private DataFlow::LocalSourceNode ${1:myType}(DataFlow::TypeTracker t) {",
             "  t.start() and",
             "  result = ${2:value}",
             "  or",
@@ -115,9 +115,9 @@
             "  )",
             "}",
             "",
-            "/** Gets a reference to a ${3:thing}. */",
+            "/** Gets a reference to $3. */",
             "DataFlow::Node $1() {",
-            "  result = $1(DataFlow::TypeTracker::end())",
+            "  $1(DataFlow::TypeTracker::end()).flowsTo(result)",
             "}"
         ],
         "description": "Type tracking predicate",
diff --git a/python/ql/src/semmle/python/dataflow/new/TypeTracker.qll b/python/ql/src/semmle/python/dataflow/new/TypeTracker.qll
index b6de3cd7764..be9b42d470e 100644
--- a/python/ql/src/semmle/python/dataflow/new/TypeTracker.qll
+++ b/python/ql/src/semmle/python/dataflow/new/TypeTracker.qll
@@ -180,7 +180,7 @@ private newtype TTypeTracker = MkTypeTracker(Boolean hasCall, OptionalAttributeN
  * It is recommended that all uses of this type are written in the following form,
  * for tracking some type `myType`:
  * ```
- * DataFlow::Node myType(DataFlow::TypeTracker t) {
+ * DataFlow::LocalSourceNode myType(DataFlow::TypeTracker t) {
  *   t.start() and
  *   result = < source of myType >
  *   or
@@ -189,7 +189,7 @@ private newtype TTypeTracker = MkTypeTracker(Boolean hasCall, OptionalAttributeN
  *   )
  * }
  *
- * DataFlow::Node myType() { result = myType(DataFlow::TypeTracker::end()) }
+ * DataFlow::Node myType() { myType(DataFlow::TypeTracker::end()).flowsTo(result) }
  * ```
  *
  * Instead of `result = myType(t2).track(t2, t)`, you can also use the equivalent

From 0cdb5c48cfed8556c556c7009cabde2b21bde08c Mon Sep 17 00:00:00 2001
From: Rasmus Wriedt Larsen <rasmuswl@github.com>
Date: Wed, 17 Feb 2021 13:14:23 +0100
Subject: [PATCH 425/429] Python: Remove type-tracking snippets for framework
 modeling

We won't need these anymore, since we can now use API graphs
---
 python/.vscode/ql.code-snippets | 200 --------------------------------
 1 file changed, 200 deletions(-)

diff --git a/python/.vscode/ql.code-snippets b/python/.vscode/ql.code-snippets
index 6ccb9aa6657..59f230193b0 100644
--- a/python/.vscode/ql.code-snippets
+++ b/python/.vscode/ql.code-snippets
@@ -123,92 +123,6 @@
         "description": "Type tracking predicate",
     },
 
-    "Type tracking module": {
-        "scope": "ql",
-        "prefix": "type tracking module",
-        "body": [
-            "// ---------------------------------------------------------------------------",
-            "// ${1:modulename}",
-            "// ---------------------------------------------------------------------------",
-            "/** Gets a reference to the `$1` module. */",
-            "private DataFlow::Node $1(DataFlow::TypeTracker t) {",
-            "  t.start() and",
-            "  result = DataFlow::importNode(\"$1\")",
-            "  or",
-            "  exists(DataFlow::TypeTracker t2 | result = $1(t2).track(t2, t))",
-            "}",
-            "",
-            "/** Gets a reference to the `$1` module. */",
-            "DataFlow::Node $1() { result = $1(DataFlow::TypeTracker::end()) }",
-            "",
-            "/**",
-            " * Gets a reference to the attribute `attr_name` of the `$1` module.",
-            " * WARNING: Only holds for a few predefined attributes.",
-            " */",
-            "private DataFlow::Node $1_attr(DataFlow::TypeTracker t, string attr_name) {",
-            "  attr_name in [\"${2:name}\"] and",
-            "  (",
-            "    t.start() and",
-            "    result = DataFlow::importNode(\"$1\" + \".\" + attr_name)",
-            "    or",
-            "    t.startInAttr(attr_name) and",
-            "    result = $1()",
-            "  )",
-            "  or",
-            "  // Due to bad performance when using normal setup with `$1_attr(t2, attr_name).track(t2, t)`",
-            "  // we have inlined that code and forced a join",
-            "  exists(DataFlow::TypeTracker t2 |",
-            "    exists(DataFlow::StepSummary summary |",
-            "      $1_attr_first_join(t2, attr_name, result, summary) and",
-            "      t = t2.append(summary)",
-            "    )",
-            "  )",
-            "}",
-            "",
-            "pragma[nomagic]",
-            "private predicate $1_attr_first_join(",
-            "  DataFlow::TypeTracker t2, string attr_name, DataFlow::Node res, DataFlow::StepSummary summary",
-            ") {",
-            "  DataFlow::StepSummary::step($1_attr(t2, attr_name), res, summary)",
-            "}",
-            "",
-            "/**",
-            " * Gets a reference to the attribute `attr_name` of the `$1` module.",
-            " * WARNING: Only holds for a few predefined attributes.",
-            " */",
-            "private DataFlow::Node $1_attr(string attr_name) {",
-            "  result = $1_attr(DataFlow::TypeTracker::end(), attr_name)",
-            "}",
-            "",
-            "/** Provides models for the `$1` module. */",
-            "module $1 {",
-            "",
-            "}",
-        ],
-        "description": "Type tracking module",
-    },
-
-    "Type tracking module member": {
-        "scope": "ql",
-        "prefix": "type tracking module member",
-        "body": [
-             "/** Gets a reference to the `${1:module}.${2:member}` ${3:object/class}. */",
-             "private DataFlow::Node ${4:$2}(DataFlow::TypeTracker t) {",
-             "  t.start() and",
-             "  result = DataFlow::importNode(\"$1.$2\")",
-             "  or",
-             "  t.startInAttr(\"$2\") and",
-             "  result = $1()",
-             "  or",
-             "  exists(DataFlow::TypeTracker t2 | result = $4(t2).track(t2, t))",
-             "}",
-             " ",
-             "/** Gets a reference to the `$1.$2` $3. */",
-             "DataFlow::Node $4() { result = $4(DataFlow::TypeTracker::end()) }",
-        ],
-        "description": "Type tracking module member",
-    },
-
     "Taint tracking configuration": {
         "scope": "ql",
         "prefix": "taint tracking",
@@ -238,118 +152,4 @@
         ]
     },
 
-    "Type tracking submodule": {
-        "scope": "ql",
-        "prefix": "type tracking submodule",
-        "body": [
-            "    // -------------------------------------------------------------------------",
-            "    // ${1:parent}.${2:submodule}",
-            "    // -------------------------------------------------------------------------",
-            "    /** Gets a reference to the `$1.$2` module. */",
-            "    DataFlow::Node $2() { result = $1_attr(\"$2\") }",
-            "",
-            "    /** Provides models for the `$1.$2` module */",
-            "    module $2 {",
-            "      /**",
-            "       * Gets a reference to the attribute `attr_name` of the `$1.$2` module.",
-            "       * WARNING: Only holds for a few predefined attributes.",
-            "       */",
-            "      private DataFlow::Node $2_attr(DataFlow::TypeTracker t, string attr_name) {",
-            "        attr_name in [\"$3\"] and",
-            "        (",
-            "          t.start() and",
-            "          result = DataFlow::importNode(\"$1.$2\" + \".\" + attr_name)",
-            "          or",
-            "          t.startInAttr(attr_name) and",
-            "          result = $2()",
-            "        )",
-            "        or",
-            "        // Due to bad performance when using normal setup with `$2_attr(t2, attr_name).track(t2, t)`",
-            "        // we have inlined that code and forced a join",
-            "        exists(DataFlow::TypeTracker t2 |",
-            "          exists(DataFlow::StepSummary summary |",
-            "            $2_attr_first_join(t2, attr_name, result, summary) and",
-            "            t = t2.append(summary)",
-            "          )",
-            "        )",
-            "      }",
-            "",
-            "      pragma[nomagic]",
-            "      private predicate $2_attr_first_join(",
-            "        DataFlow::TypeTracker t2, string attr_name, DataFlow::Node res,",
-            "        DataFlow::StepSummary summary",
-            "      ) {",
-            "        DataFlow::StepSummary::step($2_attr(t2, attr_name), res, summary)",
-            "      }",
-            "",
-            "      /**",
-            "       * Gets a reference to the attribute `attr_name` of the `$1.$2` module.",
-            "       * WARNING: Only holds for a few predefined attributes.",
-            "       */",
-            "      private DataFlow::Node $2_attr(string attr_name) {",
-            "        result = $2_attr(DataFlow::TypeTracker::end(), attr_name)",
-            "      }",
-            "    }",
-        ],
-        "description": "Type tracking submodule",
-    },
-
-    "Type tracking class": {
-        "scope": "ql",
-        "prefix": "type tracking class",
-        "body": [
-            "    /**",
-            "     * Provides models for the `${1:module}.${2:classname}` class",
-            "     *",
-            "     * See ${6:apiref}.",
-            "     */",
-            "    module $2 {",
-            "      /** Gets a reference to the `$1.$2` class. */",
-            "      private DataFlow::Node classRef(DataFlow::TypeTracker t) {",
-            "        t.start() and",
-            "        result = ${4:module}_attr(\"$2\")",
-            "        or",
-            "        // TODO: remove/expand this part of the template as needed",
-            "        // Handle `${5:toplevel}.$2` alias",
-            "        t.start() and",
-            "        result = $5_attr(\"$2\")",
-            "        or",
-            "        exists(DataFlow::TypeTracker t2 | result = classRef(t2).track(t2, t))",
-            "      }",
-            "",
-            "      /** Gets a reference to the `$1.$2` class. */",
-            "      DataFlow::Node classRef() { result = classRef(DataFlow::TypeTracker::end()) }",
-            "",
-            "      /**",
-            "       * A source of instances of `$1.$2`, extend this class to model new instances.",
-            "       *",
-            "       * This can include instantiations of the class, return values from function",
-            "       * calls, or a special parameter that will be set when functions are called by an external",
-            "       * library.",
-            "       *",
-            "       * Use the predicate `$2::instance()` to get references to instances of `$1.$2`.",
-            "       */",
-            "      abstract class InstanceSource extends DataFlow::Node { }",
-            "",
-            "      /** A direct instantiation of `$1.$2`. */",
-            "      private class ClassInstantiation extends InstanceSource, DataFlow::CfgNode {",
-            "          override CallNode node;",
-            "",
-            "          ClassInstantiation() { node.getFunction() = classRef().asCfgNode() }",
-            "      }",
-            "",
-            "      /** Gets a reference to an instance of `$1.$2`. */",
-            "      private DataFlow::Node instance(DataFlow::TypeTracker t) {",
-            "        t.start() and",
-            "        result instanceof InstanceSource",
-            "        or",
-            "        exists(DataFlow::TypeTracker t2 | result = instance(t2).track(t2, t))",
-            "      }",
-            "",
-            "      /** Gets a reference to an instance of `$1.$2`. */",
-            "      DataFlow::Node instance() { result = instance(DataFlow::TypeTracker::end()) }",
-            "    }",
-        ],
-        "description": "Type tracking class",
-    },
 }

From 7afe3972d821de0c96d933a21642baa560597261 Mon Sep 17 00:00:00 2001
From: Rasmus Wriedt Larsen <rasmuswl@github.com>
Date: Wed, 17 Feb 2021 16:32:53 +0100
Subject: [PATCH 426/429] Revert "Merge pull request #5171 from
 RasmusWL/restructure-queries"

This reverts commit 8caafb3710cda146544b28d17523e81d9f6249b6, reversing
changes made to ec79094957aed4ccc6b8c21ee01b58c90198c013.
---
 .../BindToAllInterfaces.py                                      | 0
 .../BindToAllInterfaces.qhelp                                   | 0
 .../BindToAllInterfaces.ql                                      | 0
 .../ExternalAPISinkExample.py                                   | 0
 .../ExternalAPITaintStepExample.py                              | 0
 .../{ExternalAPIs => CWE-020-ExternalAPIs}/ExternalAPIs.qll     | 1 -
 .../ExternalAPIsUsedWithUntrustedData.qhelp                     | 0
 .../ExternalAPIsUsedWithUntrustedData.ql                        | 0
 .../UntrustedDataToExternalAPI.qhelp                            | 0
 .../UntrustedDataToExternalAPI.ql                               | 0
 .../IncompleteHostnameRegExp.qhelp                              | 0
 .../IncompleteHostnameRegExp.ql                                 | 0
 .../IncompleteUrlSubstringSanitization.qhelp                    | 0
 .../IncompleteUrlSubstringSanitization.ql                       | 0
 .../examples/IncompleteHostnameRegExp.py                        | 0
 .../examples/IncompleteUrlSubstringSanitization.py              | 0
 .../{Injection/PathInjection => CWE-022}/PathInjection.qhelp    | 0
 .../{Injection/PathInjection => CWE-022}/PathInjection.ql       | 0
 .../src/Security/{Injection/TarSlip => CWE-022}/TarSlip.qhelp   | 0
 .../ql/src/Security/{Injection/TarSlip => CWE-022}/TarSlip.ql   | 0
 .../PathInjection => CWE-022}/examples/tainted_path.py          | 0
 .../{Injection/TarSlip => CWE-022}/examples/tarslip_bad.py      | 0
 .../{Injection/TarSlip => CWE-022}/examples/tarslip_good.py     | 0
 .../CommandInjection => CWE-078}/CommandInjection.qhelp         | 0
 .../{Injection/CommandInjection => CWE-078}/CommandInjection.ql | 0
 .../CommandInjection => CWE-078}/examples/command_injection.py  | 0
 .../Jinja2WithoutEscaping.qhelp                                 | 0
 .../Jinja2WithoutEscaping.ql                                    | 0
 .../{Injection/ReflectedXss => CWE-079}/ReflectedXss.qhelp      | 0
 .../{Injection/ReflectedXss => CWE-079}/ReflectedXss.ql         | 0
 .../Jinja2RenderWithoutEscape => CWE-079}/examples/jinja2.py    | 0
 .../{Injection/ReflectedXss => CWE-079}/examples/xss.py         | 0
 .../{Injection/SqlInjection => CWE-089}/SqlInjection.qhelp      | 0
 .../{Injection/SqlInjection => CWE-089}/SqlInjection.ql         | 0
 .../SqlInjection => CWE-089}/examples/sql_injection.py          | 0
 .../{Injection/CodeInjection => CWE-094}/CodeInjection.qhelp    | 0
 .../{Injection/CodeInjection => CWE-094}/CodeInjection.ql       | 0
 .../CodeInjection => CWE-094}/examples/code_injection.py        | 0
 .../StackTraceExposure => CWE-209}/StackTraceExposure.py        | 0
 .../StackTraceExposure => CWE-209}/StackTraceExposure.qhelp     | 0
 .../StackTraceExposure => CWE-209}/StackTraceExposure.ql        | 0
 .../{BadPractice/FlaskRunWithDebug => CWE-215}/FlaskDebug.py    | 0
 .../{BadPractice/FlaskRunWithDebug => CWE-215}/FlaskDebug.qhelp | 0
 .../{BadPractice/FlaskRunWithDebug => CWE-215}/FlaskDebug.ql    | 0
 .../MissingHostKeyValidation.qhelp}                             | 0
 .../MissingHostKeyValidation.ql}                                | 0
 .../RequestWithoutValidation.qhelp}                             | 0
 .../RequestWithoutValidation.ql}                                | 0
 .../examples/make_request.py                                    | 0
 .../examples/paramiko_host_key.py                               | 0
 .../SensitiveDataExposure => CWE-312}/CleartextLogging.qhelp    | 0
 .../SensitiveDataExposure => CWE-312}/CleartextLogging.ql       | 0
 .../SensitiveDataExposure => CWE-312}/CleartextStorage.qhelp    | 0
 .../SensitiveDataExposure => CWE-312}/CleartextStorage.ql       | 0
 .../examples/password_in_cookie.py                              | 0
 .../WeakCryptoKey.qhelp => CWE-326/WeakCrypto.qhelp}            | 0
 .../WeakCryptoKey/WeakCryptoKey.ql => CWE-326/WeakCrypto.ql}    | 0
 .../BrokenCryptoAlgorithm.qhelp}                                | 2 +-
 .../WeakCryptoAlgorithm.ql => CWE-327/BrokenCryptoAlgorithm.ql} | 0
 .../{Crypto/TLS => CWE-327}/InsecureDefaultProtocol.qhelp       | 0
 .../Security/{Crypto/TLS => CWE-327}/InsecureDefaultProtocol.ql | 0
 .../src/Security/{Crypto/TLS => CWE-327}/InsecureProtocol.qhelp | 0
 .../ql/src/Security/{Crypto/TLS => CWE-327}/InsecureProtocol.ql | 0
 .../examples/broken_crypto.py}                                  | 0
 .../TLS => CWE-327}/examples/insecure_default_protocol.py       | 0
 .../{Crypto/TLS => CWE-327}/examples/insecure_protocol.py       | 0
 .../InsecureTemporaryFile => CWE-377}/InsecureTemporaryFile.py  | 0
 .../InsecureTemporaryFile.qhelp                                 | 0
 .../InsecureTemporaryFile => CWE-377}/InsecureTemporaryFile.ql  | 0
 .../InsecureTemporaryFile => CWE-377}/SecureTemporaryFile.py    | 0
 .../{Injection/UnsafeDeserialization => CWE-502}/JsonGood.py    | 0
 .../UnsafeDeserialization => CWE-502}/UnpicklingBad.py          | 0
 .../UnsafeDeserialization.qhelp                                 | 0
 .../UnsafeDeserialization => CWE-502}/UnsafeDeserialization.ql  | 0
 .../OpenRedirect.qhelp => CWE-601/UrlRedirect.qhelp}            | 0
 .../OpenRedirect/OpenRedirect.ql => CWE-601/UrlRedirect.ql}     | 0
 .../OpenRedirect => CWE-601}/examples/redirect_bad.py           | 0
 .../OpenRedirect => CWE-601}/examples/redirect_good.py          | 0
 .../WeakFilePermissions => CWE-732}/WeakFilePermissions.qhelp   | 0
 .../WeakFilePermissions => CWE-732}/WeakFilePermissions.ql      | 0
 .../HardcodedCredentials => CWE-798}/HardcodedCredentials.py    | 0
 .../HardcodedCredentials => CWE-798}/HardcodedCredentials.qhelp | 0
 .../HardcodedCredentials => CWE-798}/HardcodedCredentials.ql    | 0
 .../BadPractice/BindToAllInterfaces/BindToAllInterfaces.qlref   | 1 -
 .../Security/BadPractice/FlaskRunWithDebug/FlaskDebug.qlref     | 1 -
 .../query-tests/Security/BadPractice/FlaskRunWithDebug/options  | 1 -
 .../RequestWithoutValidation.qlref                              | 1 -
 .../BadPractice/HTTPSRequestWithoutCertValidation/options       | 1 -
 .../BadPractice/HardcodedCredentials/HardcodedCredentials.qlref | 1 -
 .../IncompleteUrlSanitizer/IncompleteHostnameRegExp.qlref       | 1 -
 .../IncompleteUrlSubstringSanitization.qlref                    | 1 -
 .../InsecureTemporaryFile/InsecureTemporaryFile.qlref           | 1 -
 .../Security/BadPractice/InsecureTemporaryFile/options          | 1 -
 .../Jinja2RenderWithoutEscape/Jinja2WithoutEscaping.qlref       | 1 -
 .../SSHMissingHostKeyValidation/MissingHostKeyValidation.qlref  | 1 -
 .../Security/BadPractice/SSHMissingHostKeyValidation/options    | 1 -
 .../BadPractice/WeakFilePermissions/WeakFilePermissions.qlref   | 1 -
 .../Security/BadPractice/WeakFilePermissions/options            | 1 -
 .../BindToAllInterfaces.expected                                | 0
 .../Security/CVE-2018-1281/BindToAllInterfaces.qlref            | 1 +
 .../BindToAllInterfaces_test.py                                 | 0
 .../{BadPractice/BindToAllInterfaces => CVE-2018-1281}/options  | 0
 .../ExternalAPIsUsedWithUntrustedData.expected                  | 0
 .../ExternalAPIsUsedWithUntrustedData.qlref                     | 1 +
 .../UntrustedDataToExternalAPI.expected                         | 0
 .../CWE-020-ExternalAPIs/UntrustedDataToExternalAPI.qlref       | 1 +
 .../Security/{ExternalAPIs => CWE-020-ExternalAPIs}/test.py     | 0
 .../IncompleteHostnameRegExp.expected                           | 0
 .../query-tests/Security/CWE-020/IncompleteHostnameRegExp.qlref | 1 +
 .../IncompleteUrlSubstringSanitization.expected                 | 0
 .../Security/CWE-020/IncompleteUrlSubstringSanitization.qlref   | 1 +
 .../{BadPractice/IncompleteUrlSanitizer => CWE-020}/hosttest.py | 0
 .../{BadPractice/IncompleteUrlSanitizer => CWE-020}/urltest.py  | 0
 .../PathInjection.expected                                      | 0
 .../Security/CWE-022-PathInjection/PathInjection.qlref          | 1 +
 .../PathInjection => CWE-022-PathInjection}/path_injection.py   | 0
 .../{Injection/PathInjection => CWE-022-PathInjection}/test.py  | 0
 .../PathInjection => CWE-022-PathInjection}/test_chaining.py    | 0
 .../{Injection/TarSlip => CWE-022-TarSlip}/TarSlip.expected     | 0
 .../ql/test/query-tests/Security/CWE-022-TarSlip/TarSlip.qlref  | 1 +
 .../Jinja2RenderWithoutEscape => CWE-022-TarSlip}/options       | 0
 .../Security/{Injection/TarSlip => CWE-022-TarSlip}/tarslip.py  | 0
 .../CommandInjection.expected                                   | 0
 .../query-tests/Security/CWE-078-py2/CommandInjection.qlref     | 1 +
 .../CommandInjection-py2 => CWE-078-py2}/command_injection.py   | 0
 .../{Injection/CommandInjection-py2 => CWE-078-py2}/options     | 0
 .../CommandInjection => CWE-078}/CommandInjection.expected      | 0
 .../ql/test/query-tests/Security/CWE-078/CommandInjection.qlref | 1 +
 .../CommandInjection => CWE-078}/command_injection.py           | 0
 .../Security/{Injection/CommandInjection => CWE-078}/options    | 0
 .../Jinja2WithoutEscaping.expected                              | 0
 .../query-tests/Security/CWE-079/Jinja2WithoutEscaping.qlref    | 1 +
 .../{Injection/ReflectedXss => CWE-079}/ReflectedXss.expected   | 0
 python/ql/test/query-tests/Security/CWE-079/ReflectedXss.qlref  | 1 +
 .../Jinja2RenderWithoutEscape => CWE-079}/jinja2_escaping.py    | 0
 python/ql/test/query-tests/Security/CWE-079/options             | 1 +
 .../{Injection/ReflectedXss => CWE-079}/reflected_xss.py        | 0
 .../{Injection/SqlInjection => CWE-089}/SqlInjection.expected   | 0
 python/ql/test/query-tests/Security/CWE-089/SqlInjection.qlref  | 1 +
 .../{Injection/SqlInjection => CWE-089}/sql_injection.py        | 0
 .../{Injection/CodeInjection => CWE-094}/CodeInjection.expected | 0
 python/ql/test/query-tests/Security/CWE-094/CodeInjection.qlref | 1 +
 .../{Injection/CodeInjection => CWE-094}/code_injection.py      | 0
 .../StackTraceExposure => CWE-209}/StackTraceExposure.expected  | 0
 .../test/query-tests/Security/CWE-209/StackTraceExposure.qlref  | 1 +
 python/ql/test/query-tests/Security/CWE-209/options             | 1 +
 .../Security/{Exposure/StackTraceExposure => CWE-209}/test.py   | 0
 .../FlaskRunWithDebug => CWE-215}/FlaskDebug.expected           | 0
 python/ql/test/query-tests/Security/CWE-215/FlaskDebug.qlref    | 1 +
 python/ql/test/query-tests/Security/CWE-215/options             | 1 +
 .../Security/{BadPractice/FlaskRunWithDebug => CWE-215}/test.py | 0
 .../MissingHostKeyValidation.expected                           | 0
 .../query-tests/Security/CWE-295/MissingHostKeyValidation.qlref | 1 +
 .../RequestWithoutValidation.expected                           | 0
 .../query-tests/Security/CWE-295/RequestWithoutValidation.qlref | 1 +
 .../make_request.py                                             | 0
 python/ql/test/query-tests/Security/CWE-295/options             | 1 +
 .../paramiko_host_key.py                                        | 0
 .../SensitiveDataExposure => CWE-312}/CleartextLogging.expected | 0
 .../ql/test/query-tests/Security/CWE-312/CleartextLogging.qlref | 1 +
 .../SensitiveDataExposure => CWE-312}/CleartextStorage.expected | 0
 .../ql/test/query-tests/Security/CWE-312/CleartextStorage.qlref | 1 +
 python/ql/test/query-tests/Security/CWE-312/options             | 1 +
 .../SensitiveDataExposure => CWE-312}/password_in_cookie.py     | 0
 .../{Exposure/SensitiveDataExposure => CWE-312}/test.py         | 0
 .../{Crypto/WeakCryptoKey => CWE-326}/WeakCrypto.expected       | 0
 python/ql/test/query-tests/Security/CWE-326/WeakCrypto.qlref    | 1 +
 python/ql/test/query-tests/Security/CWE-326/options             | 1 +
 .../Security/{Crypto/WeakCryptoKey => CWE-326}/weak_crypto.py   | 0
 .../BrokenCryptoAlgorithm.expected                              | 0
 .../query-tests/Security/CWE-327/BrokenCryptoAlgorithm.qlref    | 1 +
 .../{Crypto/TLS => CWE-327}/InsecureDefaultProtocol.expected    | 0
 .../query-tests/Security/CWE-327/InsecureDefaultProtocol.qlref  | 1 +
 .../Security/{Crypto/TLS => CWE-327}/InsecureProtocol.expected  | 0
 .../Security/{Crypto/TLS => CWE-327}/InsecureProtocol.py        | 0
 .../ql/test/query-tests/Security/CWE-327/InsecureProtocol.qlref | 1 +
 .../{Crypto/WeakCryptoAlgorithm => CWE-327}/TestNode.expected   | 0
 .../{Crypto/WeakCryptoAlgorithm => CWE-327}/TestNode.ql         | 0
 python/ql/test/query-tests/Security/CWE-327/options             | 1 +
 .../WeakCryptoAlgorithm => CWE-327}/test_cryptography.py        | 0
 .../{Crypto/WeakCryptoAlgorithm => CWE-327}/test_pycrypto.py    | 0
 .../InsecureTemporaryFile.expected                              | 0
 .../InsecureTemporaryFile => CWE-377}/InsecureTemporaryFile.py  | 0
 .../query-tests/Security/CWE-377/InsecureTemporaryFile.qlref    | 1 +
 .../InsecureTemporaryFile => CWE-377}/SecureTemporaryFile.py    | 0
 python/ql/test/query-tests/Security/CWE-377/options             | 1 +
 .../UnsafeDeserialization.expected                              | 0
 .../query-tests/Security/CWE-502/UnsafeDeserialization.qlref    | 1 +
 .../UnsafeDeserialization => CWE-502}/unsafe_deserialization.py | 0
 .../{Injection/OpenRedirect => CWE-601}/UrlRedirect.expected    | 0
 python/ql/test/query-tests/Security/CWE-601/UrlRedirect.qlref   | 2 ++
 python/ql/test/query-tests/Security/CWE-601/options             | 1 +
 .../Security/{Injection/OpenRedirect => CWE-601}/test.py        | 0
 .../WeakFilePermissions.expected                                | 0
 .../test/query-tests/Security/CWE-732/WeakFilePermissions.qlref | 1 +
 python/ql/test/query-tests/Security/CWE-732/options             | 1 +
 .../{BadPractice/WeakFilePermissions => CWE-732}/test.py        | 0
 .../HardcodedCredentials.expected                               | 0
 .../query-tests/Security/CWE-798/HardcodedCredentials.qlref     | 1 +
 .../{BadPractice/HardcodedCredentials => CWE-798}/test.py       | 0
 .../Security/Crypto/TLS/InsecureDefaultProtocol.qlref           | 1 -
 .../test/query-tests/Security/Crypto/TLS/InsecureProtocol.qlref | 1 -
 python/ql/test/query-tests/Security/Crypto/TLS/options          | 1 -
 .../Crypto/WeakCryptoAlgorithm/BrokenCryptoAlgorithm.qlref      | 1 -
 .../query-tests/Security/Crypto/WeakCryptoAlgorithm/options     | 1 -
 .../query-tests/Security/Crypto/WeakCryptoKey/WeakCrypto.qlref  | 1 -
 .../ql/test/query-tests/Security/Crypto/WeakCryptoKey/options   | 1 -
 .../Exposure/SensitiveDataExposure/CleartextLogging.qlref       | 1 -
 .../Exposure/SensitiveDataExposure/CleartextStorage.qlref       | 1 -
 .../query-tests/Security/Exposure/SensitiveDataExposure/options | 1 -
 .../Exposure/StackTraceExposure/StackTraceExposure.qlref        | 1 -
 .../query-tests/Security/Exposure/StackTraceExposure/options    | 1 -
 .../ExternalAPIs/ExternalAPIsUsedWithUntrustedData.qlref        | 1 -
 .../Security/ExternalAPIs/UntrustedDataToExternalAPI.qlref      | 1 -
 .../Security/Injection/CodeInjection/CodeInjection.qlref        | 1 -
 .../Injection/CommandInjection-py2/CommandInjection.qlref       | 1 -
 .../Security/Injection/CommandInjection/CommandInjection.qlref  | 1 -
 .../Security/Injection/OpenRedirect/UrlRedirect.qlref           | 1 -
 .../ql/test/query-tests/Security/Injection/OpenRedirect/options | 1 -
 .../Security/Injection/PathInjection/PathInjection.qlref        | 1 -
 .../Security/Injection/ReflectedXss/ReflectedXss.qlref          | 1 -
 .../Security/Injection/SqlInjection/SqlInjection.qlref          | 1 -
 .../test/query-tests/Security/Injection/TarSlip/TarSlip.qlref   | 1 -
 python/ql/test/query-tests/Security/Injection/TarSlip/options   | 1 -
 .../Injection/UnsafeDeserialization/UnsafeDeserialization.qlref | 1 -
 225 files changed, 40 insertions(+), 42 deletions(-)
 rename python/ql/src/Security/{BadPractice/BindToAllInterfaces => CVE-2018-1281}/BindToAllInterfaces.py (100%)
 rename python/ql/src/Security/{BadPractice/BindToAllInterfaces => CVE-2018-1281}/BindToAllInterfaces.qhelp (100%)
 rename python/ql/src/Security/{BadPractice/BindToAllInterfaces => CVE-2018-1281}/BindToAllInterfaces.ql (100%)
 rename python/ql/src/Security/{ExternalAPIs => CWE-020-ExternalAPIs}/ExternalAPISinkExample.py (100%)
 rename python/ql/src/Security/{ExternalAPIs => CWE-020-ExternalAPIs}/ExternalAPITaintStepExample.py (100%)
 rename python/ql/src/Security/{ExternalAPIs => CWE-020-ExternalAPIs}/ExternalAPIs.qll (98%)
 rename python/ql/src/Security/{ExternalAPIs => CWE-020-ExternalAPIs}/ExternalAPIsUsedWithUntrustedData.qhelp (100%)
 rename python/ql/src/Security/{ExternalAPIs => CWE-020-ExternalAPIs}/ExternalAPIsUsedWithUntrustedData.ql (100%)
 rename python/ql/src/Security/{ExternalAPIs => CWE-020-ExternalAPIs}/UntrustedDataToExternalAPI.qhelp (100%)
 rename python/ql/src/Security/{ExternalAPIs => CWE-020-ExternalAPIs}/UntrustedDataToExternalAPI.ql (100%)
 rename python/ql/src/Security/{BadPractice/IncompleteUrlSanitizer => CWE-020}/IncompleteHostnameRegExp.qhelp (100%)
 rename python/ql/src/Security/{BadPractice/IncompleteUrlSanitizer => CWE-020}/IncompleteHostnameRegExp.ql (100%)
 rename python/ql/src/Security/{BadPractice/IncompleteUrlSanitizer => CWE-020}/IncompleteUrlSubstringSanitization.qhelp (100%)
 rename python/ql/src/Security/{BadPractice/IncompleteUrlSanitizer => CWE-020}/IncompleteUrlSubstringSanitization.ql (100%)
 rename python/ql/src/Security/{BadPractice/IncompleteUrlSanitizer => CWE-020}/examples/IncompleteHostnameRegExp.py (100%)
 rename python/ql/src/Security/{BadPractice/IncompleteUrlSanitizer => CWE-020}/examples/IncompleteUrlSubstringSanitization.py (100%)
 rename python/ql/src/Security/{Injection/PathInjection => CWE-022}/PathInjection.qhelp (100%)
 rename python/ql/src/Security/{Injection/PathInjection => CWE-022}/PathInjection.ql (100%)
 rename python/ql/src/Security/{Injection/TarSlip => CWE-022}/TarSlip.qhelp (100%)
 rename python/ql/src/Security/{Injection/TarSlip => CWE-022}/TarSlip.ql (100%)
 rename python/ql/src/Security/{Injection/PathInjection => CWE-022}/examples/tainted_path.py (100%)
 rename python/ql/src/Security/{Injection/TarSlip => CWE-022}/examples/tarslip_bad.py (100%)
 rename python/ql/src/Security/{Injection/TarSlip => CWE-022}/examples/tarslip_good.py (100%)
 rename python/ql/src/Security/{Injection/CommandInjection => CWE-078}/CommandInjection.qhelp (100%)
 rename python/ql/src/Security/{Injection/CommandInjection => CWE-078}/CommandInjection.ql (100%)
 rename python/ql/src/Security/{Injection/CommandInjection => CWE-078}/examples/command_injection.py (100%)
 rename python/ql/src/Security/{BadPractice/Jinja2RenderWithoutEscape => CWE-079}/Jinja2WithoutEscaping.qhelp (100%)
 rename python/ql/src/Security/{BadPractice/Jinja2RenderWithoutEscape => CWE-079}/Jinja2WithoutEscaping.ql (100%)
 rename python/ql/src/Security/{Injection/ReflectedXss => CWE-079}/ReflectedXss.qhelp (100%)
 rename python/ql/src/Security/{Injection/ReflectedXss => CWE-079}/ReflectedXss.ql (100%)
 rename python/ql/src/Security/{BadPractice/Jinja2RenderWithoutEscape => CWE-079}/examples/jinja2.py (100%)
 rename python/ql/src/Security/{Injection/ReflectedXss => CWE-079}/examples/xss.py (100%)
 rename python/ql/src/Security/{Injection/SqlInjection => CWE-089}/SqlInjection.qhelp (100%)
 rename python/ql/src/Security/{Injection/SqlInjection => CWE-089}/SqlInjection.ql (100%)
 rename python/ql/src/Security/{Injection/SqlInjection => CWE-089}/examples/sql_injection.py (100%)
 rename python/ql/src/Security/{Injection/CodeInjection => CWE-094}/CodeInjection.qhelp (100%)
 rename python/ql/src/Security/{Injection/CodeInjection => CWE-094}/CodeInjection.ql (100%)
 rename python/ql/src/Security/{Injection/CodeInjection => CWE-094}/examples/code_injection.py (100%)
 rename python/ql/src/Security/{Exposure/StackTraceExposure => CWE-209}/StackTraceExposure.py (100%)
 rename python/ql/src/Security/{Exposure/StackTraceExposure => CWE-209}/StackTraceExposure.qhelp (100%)
 rename python/ql/src/Security/{Exposure/StackTraceExposure => CWE-209}/StackTraceExposure.ql (100%)
 rename python/ql/src/Security/{BadPractice/FlaskRunWithDebug => CWE-215}/FlaskDebug.py (100%)
 rename python/ql/src/Security/{BadPractice/FlaskRunWithDebug => CWE-215}/FlaskDebug.qhelp (100%)
 rename python/ql/src/Security/{BadPractice/FlaskRunWithDebug => CWE-215}/FlaskDebug.ql (100%)
 rename python/ql/src/Security/{BadPractice/SSHMissingHostKeyValidation/SSHMissingHostKeyValidation.qhelp => CWE-295/MissingHostKeyValidation.qhelp} (100%)
 rename python/ql/src/Security/{BadPractice/SSHMissingHostKeyValidation/SSHMissingHostKeyValidation.ql => CWE-295/MissingHostKeyValidation.ql} (100%)
 rename python/ql/src/Security/{BadPractice/HTTPSRequestWithoutCertValidation/HTTPSRequestWithoutCertValidation.qhelp => CWE-295/RequestWithoutValidation.qhelp} (100%)
 rename python/ql/src/Security/{BadPractice/HTTPSRequestWithoutCertValidation/HTTPSRequestWithoutCertValidation.ql => CWE-295/RequestWithoutValidation.ql} (100%)
 rename python/ql/src/Security/{BadPractice/HTTPSRequestWithoutCertValidation => CWE-295}/examples/make_request.py (100%)
 rename python/ql/src/Security/{BadPractice/SSHMissingHostKeyValidation => CWE-295}/examples/paramiko_host_key.py (100%)
 rename python/ql/src/Security/{Exposure/SensitiveDataExposure => CWE-312}/CleartextLogging.qhelp (100%)
 rename python/ql/src/Security/{Exposure/SensitiveDataExposure => CWE-312}/CleartextLogging.ql (100%)
 rename python/ql/src/Security/{Exposure/SensitiveDataExposure => CWE-312}/CleartextStorage.qhelp (100%)
 rename python/ql/src/Security/{Exposure/SensitiveDataExposure => CWE-312}/CleartextStorage.ql (100%)
 rename python/ql/src/Security/{Exposure/SensitiveDataExposure => CWE-312}/examples/password_in_cookie.py (100%)
 rename python/ql/src/Security/{Crypto/WeakCryptoKey/WeakCryptoKey.qhelp => CWE-326/WeakCrypto.qhelp} (100%)
 rename python/ql/src/Security/{Crypto/WeakCryptoKey/WeakCryptoKey.ql => CWE-326/WeakCrypto.ql} (100%)
 rename python/ql/src/Security/{Crypto/WeakCryptoAlgorithm/WeakCryptoAlgorithm.qhelp => CWE-327/BrokenCryptoAlgorithm.qhelp} (97%)
 rename python/ql/src/Security/{Crypto/WeakCryptoAlgorithm/WeakCryptoAlgorithm.ql => CWE-327/BrokenCryptoAlgorithm.ql} (100%)
 rename python/ql/src/Security/{Crypto/TLS => CWE-327}/InsecureDefaultProtocol.qhelp (100%)
 rename python/ql/src/Security/{Crypto/TLS => CWE-327}/InsecureDefaultProtocol.ql (100%)
 rename python/ql/src/Security/{Crypto/TLS => CWE-327}/InsecureProtocol.qhelp (100%)
 rename python/ql/src/Security/{Crypto/TLS => CWE-327}/InsecureProtocol.ql (100%)
 rename python/ql/src/Security/{Crypto/WeakCryptoAlgorithm/examples/weak_crypto_algorithm.py => CWE-327/examples/broken_crypto.py} (100%)
 rename python/ql/src/Security/{Crypto/TLS => CWE-327}/examples/insecure_default_protocol.py (100%)
 rename python/ql/src/Security/{Crypto/TLS => CWE-327}/examples/insecure_protocol.py (100%)
 rename python/ql/src/Security/{BadPractice/InsecureTemporaryFile => CWE-377}/InsecureTemporaryFile.py (100%)
 rename python/ql/src/Security/{BadPractice/InsecureTemporaryFile => CWE-377}/InsecureTemporaryFile.qhelp (100%)
 rename python/ql/src/Security/{BadPractice/InsecureTemporaryFile => CWE-377}/InsecureTemporaryFile.ql (100%)
 rename python/ql/src/Security/{BadPractice/InsecureTemporaryFile => CWE-377}/SecureTemporaryFile.py (100%)
 rename python/ql/src/Security/{Injection/UnsafeDeserialization => CWE-502}/JsonGood.py (100%)
 rename python/ql/src/Security/{Injection/UnsafeDeserialization => CWE-502}/UnpicklingBad.py (100%)
 rename python/ql/src/Security/{Injection/UnsafeDeserialization => CWE-502}/UnsafeDeserialization.qhelp (100%)
 rename python/ql/src/Security/{Injection/UnsafeDeserialization => CWE-502}/UnsafeDeserialization.ql (100%)
 rename python/ql/src/Security/{Injection/OpenRedirect/OpenRedirect.qhelp => CWE-601/UrlRedirect.qhelp} (100%)
 rename python/ql/src/Security/{Injection/OpenRedirect/OpenRedirect.ql => CWE-601/UrlRedirect.ql} (100%)
 rename python/ql/src/Security/{Injection/OpenRedirect => CWE-601}/examples/redirect_bad.py (100%)
 rename python/ql/src/Security/{Injection/OpenRedirect => CWE-601}/examples/redirect_good.py (100%)
 rename python/ql/src/Security/{BadPractice/WeakFilePermissions => CWE-732}/WeakFilePermissions.qhelp (100%)
 rename python/ql/src/Security/{BadPractice/WeakFilePermissions => CWE-732}/WeakFilePermissions.ql (100%)
 rename python/ql/src/Security/{BadPractice/HardcodedCredentials => CWE-798}/HardcodedCredentials.py (100%)
 rename python/ql/src/Security/{BadPractice/HardcodedCredentials => CWE-798}/HardcodedCredentials.qhelp (100%)
 rename python/ql/src/Security/{BadPractice/HardcodedCredentials => CWE-798}/HardcodedCredentials.ql (100%)
 delete mode 100644 python/ql/test/query-tests/Security/BadPractice/BindToAllInterfaces/BindToAllInterfaces.qlref
 delete mode 100644 python/ql/test/query-tests/Security/BadPractice/FlaskRunWithDebug/FlaskDebug.qlref
 delete mode 100644 python/ql/test/query-tests/Security/BadPractice/FlaskRunWithDebug/options
 delete mode 100644 python/ql/test/query-tests/Security/BadPractice/HTTPSRequestWithoutCertValidation/RequestWithoutValidation.qlref
 delete mode 100644 python/ql/test/query-tests/Security/BadPractice/HTTPSRequestWithoutCertValidation/options
 delete mode 100644 python/ql/test/query-tests/Security/BadPractice/HardcodedCredentials/HardcodedCredentials.qlref
 delete mode 100644 python/ql/test/query-tests/Security/BadPractice/IncompleteUrlSanitizer/IncompleteHostnameRegExp.qlref
 delete mode 100644 python/ql/test/query-tests/Security/BadPractice/IncompleteUrlSanitizer/IncompleteUrlSubstringSanitization.qlref
 delete mode 100644 python/ql/test/query-tests/Security/BadPractice/InsecureTemporaryFile/InsecureTemporaryFile.qlref
 delete mode 100644 python/ql/test/query-tests/Security/BadPractice/InsecureTemporaryFile/options
 delete mode 100644 python/ql/test/query-tests/Security/BadPractice/Jinja2RenderWithoutEscape/Jinja2WithoutEscaping.qlref
 delete mode 100644 python/ql/test/query-tests/Security/BadPractice/SSHMissingHostKeyValidation/MissingHostKeyValidation.qlref
 delete mode 100644 python/ql/test/query-tests/Security/BadPractice/SSHMissingHostKeyValidation/options
 delete mode 100644 python/ql/test/query-tests/Security/BadPractice/WeakFilePermissions/WeakFilePermissions.qlref
 delete mode 100644 python/ql/test/query-tests/Security/BadPractice/WeakFilePermissions/options
 rename python/ql/test/query-tests/Security/{BadPractice/BindToAllInterfaces => CVE-2018-1281}/BindToAllInterfaces.expected (100%)
 create mode 100644 python/ql/test/query-tests/Security/CVE-2018-1281/BindToAllInterfaces.qlref
 rename python/ql/test/query-tests/Security/{BadPractice/BindToAllInterfaces => CVE-2018-1281}/BindToAllInterfaces_test.py (100%)
 rename python/ql/test/query-tests/Security/{BadPractice/BindToAllInterfaces => CVE-2018-1281}/options (100%)
 rename python/ql/test/query-tests/Security/{ExternalAPIs => CWE-020-ExternalAPIs}/ExternalAPIsUsedWithUntrustedData.expected (100%)
 create mode 100644 python/ql/test/query-tests/Security/CWE-020-ExternalAPIs/ExternalAPIsUsedWithUntrustedData.qlref
 rename python/ql/test/query-tests/Security/{ExternalAPIs => CWE-020-ExternalAPIs}/UntrustedDataToExternalAPI.expected (100%)
 create mode 100644 python/ql/test/query-tests/Security/CWE-020-ExternalAPIs/UntrustedDataToExternalAPI.qlref
 rename python/ql/test/query-tests/Security/{ExternalAPIs => CWE-020-ExternalAPIs}/test.py (100%)
 rename python/ql/test/query-tests/Security/{BadPractice/IncompleteUrlSanitizer => CWE-020}/IncompleteHostnameRegExp.expected (100%)
 create mode 100644 python/ql/test/query-tests/Security/CWE-020/IncompleteHostnameRegExp.qlref
 rename python/ql/test/query-tests/Security/{BadPractice/IncompleteUrlSanitizer => CWE-020}/IncompleteUrlSubstringSanitization.expected (100%)
 create mode 100644 python/ql/test/query-tests/Security/CWE-020/IncompleteUrlSubstringSanitization.qlref
 rename python/ql/test/query-tests/Security/{BadPractice/IncompleteUrlSanitizer => CWE-020}/hosttest.py (100%)
 rename python/ql/test/query-tests/Security/{BadPractice/IncompleteUrlSanitizer => CWE-020}/urltest.py (100%)
 rename python/ql/test/query-tests/Security/{Injection/PathInjection => CWE-022-PathInjection}/PathInjection.expected (100%)
 create mode 100644 python/ql/test/query-tests/Security/CWE-022-PathInjection/PathInjection.qlref
 rename python/ql/test/query-tests/Security/{Injection/PathInjection => CWE-022-PathInjection}/path_injection.py (100%)
 rename python/ql/test/query-tests/Security/{Injection/PathInjection => CWE-022-PathInjection}/test.py (100%)
 rename python/ql/test/query-tests/Security/{Injection/PathInjection => CWE-022-PathInjection}/test_chaining.py (100%)
 rename python/ql/test/query-tests/Security/{Injection/TarSlip => CWE-022-TarSlip}/TarSlip.expected (100%)
 create mode 100644 python/ql/test/query-tests/Security/CWE-022-TarSlip/TarSlip.qlref
 rename python/ql/test/query-tests/Security/{BadPractice/Jinja2RenderWithoutEscape => CWE-022-TarSlip}/options (100%)
 rename python/ql/test/query-tests/Security/{Injection/TarSlip => CWE-022-TarSlip}/tarslip.py (100%)
 rename python/ql/test/query-tests/Security/{Injection/CommandInjection-py2 => CWE-078-py2}/CommandInjection.expected (100%)
 create mode 100644 python/ql/test/query-tests/Security/CWE-078-py2/CommandInjection.qlref
 rename python/ql/test/query-tests/Security/{Injection/CommandInjection-py2 => CWE-078-py2}/command_injection.py (100%)
 rename python/ql/test/query-tests/Security/{Injection/CommandInjection-py2 => CWE-078-py2}/options (100%)
 rename python/ql/test/query-tests/Security/{Injection/CommandInjection => CWE-078}/CommandInjection.expected (100%)
 create mode 100644 python/ql/test/query-tests/Security/CWE-078/CommandInjection.qlref
 rename python/ql/test/query-tests/Security/{Injection/CommandInjection => CWE-078}/command_injection.py (100%)
 rename python/ql/test/query-tests/Security/{Injection/CommandInjection => CWE-078}/options (100%)
 rename python/ql/test/query-tests/Security/{BadPractice/Jinja2RenderWithoutEscape => CWE-079}/Jinja2WithoutEscaping.expected (100%)
 create mode 100644 python/ql/test/query-tests/Security/CWE-079/Jinja2WithoutEscaping.qlref
 rename python/ql/test/query-tests/Security/{Injection/ReflectedXss => CWE-079}/ReflectedXss.expected (100%)
 create mode 100644 python/ql/test/query-tests/Security/CWE-079/ReflectedXss.qlref
 rename python/ql/test/query-tests/Security/{BadPractice/Jinja2RenderWithoutEscape => CWE-079}/jinja2_escaping.py (100%)
 create mode 100644 python/ql/test/query-tests/Security/CWE-079/options
 rename python/ql/test/query-tests/Security/{Injection/ReflectedXss => CWE-079}/reflected_xss.py (100%)
 rename python/ql/test/query-tests/Security/{Injection/SqlInjection => CWE-089}/SqlInjection.expected (100%)
 create mode 100644 python/ql/test/query-tests/Security/CWE-089/SqlInjection.qlref
 rename python/ql/test/query-tests/Security/{Injection/SqlInjection => CWE-089}/sql_injection.py (100%)
 rename python/ql/test/query-tests/Security/{Injection/CodeInjection => CWE-094}/CodeInjection.expected (100%)
 create mode 100644 python/ql/test/query-tests/Security/CWE-094/CodeInjection.qlref
 rename python/ql/test/query-tests/Security/{Injection/CodeInjection => CWE-094}/code_injection.py (100%)
 rename python/ql/test/query-tests/Security/{Exposure/StackTraceExposure => CWE-209}/StackTraceExposure.expected (100%)
 create mode 100644 python/ql/test/query-tests/Security/CWE-209/StackTraceExposure.qlref
 create mode 100644 python/ql/test/query-tests/Security/CWE-209/options
 rename python/ql/test/query-tests/Security/{Exposure/StackTraceExposure => CWE-209}/test.py (100%)
 rename python/ql/test/query-tests/Security/{BadPractice/FlaskRunWithDebug => CWE-215}/FlaskDebug.expected (100%)
 create mode 100644 python/ql/test/query-tests/Security/CWE-215/FlaskDebug.qlref
 create mode 100644 python/ql/test/query-tests/Security/CWE-215/options
 rename python/ql/test/query-tests/Security/{BadPractice/FlaskRunWithDebug => CWE-215}/test.py (100%)
 rename python/ql/test/query-tests/Security/{BadPractice/SSHMissingHostKeyValidation => CWE-295}/MissingHostKeyValidation.expected (100%)
 create mode 100644 python/ql/test/query-tests/Security/CWE-295/MissingHostKeyValidation.qlref
 rename python/ql/test/query-tests/Security/{BadPractice/HTTPSRequestWithoutCertValidation => CWE-295}/RequestWithoutValidation.expected (100%)
 create mode 100644 python/ql/test/query-tests/Security/CWE-295/RequestWithoutValidation.qlref
 rename python/ql/test/query-tests/Security/{BadPractice/HTTPSRequestWithoutCertValidation => CWE-295}/make_request.py (100%)
 create mode 100644 python/ql/test/query-tests/Security/CWE-295/options
 rename python/ql/test/query-tests/Security/{BadPractice/SSHMissingHostKeyValidation => CWE-295}/paramiko_host_key.py (100%)
 rename python/ql/test/query-tests/Security/{Exposure/SensitiveDataExposure => CWE-312}/CleartextLogging.expected (100%)
 create mode 100644 python/ql/test/query-tests/Security/CWE-312/CleartextLogging.qlref
 rename python/ql/test/query-tests/Security/{Exposure/SensitiveDataExposure => CWE-312}/CleartextStorage.expected (100%)
 create mode 100644 python/ql/test/query-tests/Security/CWE-312/CleartextStorage.qlref
 create mode 100644 python/ql/test/query-tests/Security/CWE-312/options
 rename python/ql/test/query-tests/Security/{Exposure/SensitiveDataExposure => CWE-312}/password_in_cookie.py (100%)
 rename python/ql/test/query-tests/Security/{Exposure/SensitiveDataExposure => CWE-312}/test.py (100%)
 rename python/ql/test/query-tests/Security/{Crypto/WeakCryptoKey => CWE-326}/WeakCrypto.expected (100%)
 create mode 100644 python/ql/test/query-tests/Security/CWE-326/WeakCrypto.qlref
 create mode 100644 python/ql/test/query-tests/Security/CWE-326/options
 rename python/ql/test/query-tests/Security/{Crypto/WeakCryptoKey => CWE-326}/weak_crypto.py (100%)
 rename python/ql/test/query-tests/Security/{Crypto/WeakCryptoAlgorithm => CWE-327}/BrokenCryptoAlgorithm.expected (100%)
 create mode 100644 python/ql/test/query-tests/Security/CWE-327/BrokenCryptoAlgorithm.qlref
 rename python/ql/test/query-tests/Security/{Crypto/TLS => CWE-327}/InsecureDefaultProtocol.expected (100%)
 create mode 100644 python/ql/test/query-tests/Security/CWE-327/InsecureDefaultProtocol.qlref
 rename python/ql/test/query-tests/Security/{Crypto/TLS => CWE-327}/InsecureProtocol.expected (100%)
 rename python/ql/test/query-tests/Security/{Crypto/TLS => CWE-327}/InsecureProtocol.py (100%)
 create mode 100644 python/ql/test/query-tests/Security/CWE-327/InsecureProtocol.qlref
 rename python/ql/test/query-tests/Security/{Crypto/WeakCryptoAlgorithm => CWE-327}/TestNode.expected (100%)
 rename python/ql/test/query-tests/Security/{Crypto/WeakCryptoAlgorithm => CWE-327}/TestNode.ql (100%)
 create mode 100644 python/ql/test/query-tests/Security/CWE-327/options
 rename python/ql/test/query-tests/Security/{Crypto/WeakCryptoAlgorithm => CWE-327}/test_cryptography.py (100%)
 rename python/ql/test/query-tests/Security/{Crypto/WeakCryptoAlgorithm => CWE-327}/test_pycrypto.py (100%)
 rename python/ql/test/query-tests/Security/{BadPractice/InsecureTemporaryFile => CWE-377}/InsecureTemporaryFile.expected (100%)
 rename python/ql/test/query-tests/Security/{BadPractice/InsecureTemporaryFile => CWE-377}/InsecureTemporaryFile.py (100%)
 create mode 100644 python/ql/test/query-tests/Security/CWE-377/InsecureTemporaryFile.qlref
 rename python/ql/test/query-tests/Security/{BadPractice/InsecureTemporaryFile => CWE-377}/SecureTemporaryFile.py (100%)
 create mode 100644 python/ql/test/query-tests/Security/CWE-377/options
 rename python/ql/test/query-tests/Security/{Injection/UnsafeDeserialization => CWE-502}/UnsafeDeserialization.expected (100%)
 create mode 100644 python/ql/test/query-tests/Security/CWE-502/UnsafeDeserialization.qlref
 rename python/ql/test/query-tests/Security/{Injection/UnsafeDeserialization => CWE-502}/unsafe_deserialization.py (100%)
 rename python/ql/test/query-tests/Security/{Injection/OpenRedirect => CWE-601}/UrlRedirect.expected (100%)
 create mode 100644 python/ql/test/query-tests/Security/CWE-601/UrlRedirect.qlref
 create mode 100644 python/ql/test/query-tests/Security/CWE-601/options
 rename python/ql/test/query-tests/Security/{Injection/OpenRedirect => CWE-601}/test.py (100%)
 rename python/ql/test/query-tests/Security/{BadPractice/WeakFilePermissions => CWE-732}/WeakFilePermissions.expected (100%)
 create mode 100644 python/ql/test/query-tests/Security/CWE-732/WeakFilePermissions.qlref
 create mode 100644 python/ql/test/query-tests/Security/CWE-732/options
 rename python/ql/test/query-tests/Security/{BadPractice/WeakFilePermissions => CWE-732}/test.py (100%)
 rename python/ql/test/query-tests/Security/{BadPractice/HardcodedCredentials => CWE-798}/HardcodedCredentials.expected (100%)
 create mode 100644 python/ql/test/query-tests/Security/CWE-798/HardcodedCredentials.qlref
 rename python/ql/test/query-tests/Security/{BadPractice/HardcodedCredentials => CWE-798}/test.py (100%)
 delete mode 100644 python/ql/test/query-tests/Security/Crypto/TLS/InsecureDefaultProtocol.qlref
 delete mode 100644 python/ql/test/query-tests/Security/Crypto/TLS/InsecureProtocol.qlref
 delete mode 100644 python/ql/test/query-tests/Security/Crypto/TLS/options
 delete mode 100644 python/ql/test/query-tests/Security/Crypto/WeakCryptoAlgorithm/BrokenCryptoAlgorithm.qlref
 delete mode 100644 python/ql/test/query-tests/Security/Crypto/WeakCryptoAlgorithm/options
 delete mode 100644 python/ql/test/query-tests/Security/Crypto/WeakCryptoKey/WeakCrypto.qlref
 delete mode 100644 python/ql/test/query-tests/Security/Crypto/WeakCryptoKey/options
 delete mode 100644 python/ql/test/query-tests/Security/Exposure/SensitiveDataExposure/CleartextLogging.qlref
 delete mode 100644 python/ql/test/query-tests/Security/Exposure/SensitiveDataExposure/CleartextStorage.qlref
 delete mode 100644 python/ql/test/query-tests/Security/Exposure/SensitiveDataExposure/options
 delete mode 100644 python/ql/test/query-tests/Security/Exposure/StackTraceExposure/StackTraceExposure.qlref
 delete mode 100644 python/ql/test/query-tests/Security/Exposure/StackTraceExposure/options
 delete mode 100644 python/ql/test/query-tests/Security/ExternalAPIs/ExternalAPIsUsedWithUntrustedData.qlref
 delete mode 100644 python/ql/test/query-tests/Security/ExternalAPIs/UntrustedDataToExternalAPI.qlref
 delete mode 100644 python/ql/test/query-tests/Security/Injection/CodeInjection/CodeInjection.qlref
 delete mode 100644 python/ql/test/query-tests/Security/Injection/CommandInjection-py2/CommandInjection.qlref
 delete mode 100644 python/ql/test/query-tests/Security/Injection/CommandInjection/CommandInjection.qlref
 delete mode 100644 python/ql/test/query-tests/Security/Injection/OpenRedirect/UrlRedirect.qlref
 delete mode 100644 python/ql/test/query-tests/Security/Injection/OpenRedirect/options
 delete mode 100644 python/ql/test/query-tests/Security/Injection/PathInjection/PathInjection.qlref
 delete mode 100644 python/ql/test/query-tests/Security/Injection/ReflectedXss/ReflectedXss.qlref
 delete mode 100644 python/ql/test/query-tests/Security/Injection/SqlInjection/SqlInjection.qlref
 delete mode 100644 python/ql/test/query-tests/Security/Injection/TarSlip/TarSlip.qlref
 delete mode 100644 python/ql/test/query-tests/Security/Injection/TarSlip/options
 delete mode 100644 python/ql/test/query-tests/Security/Injection/UnsafeDeserialization/UnsafeDeserialization.qlref

diff --git a/python/ql/src/Security/BadPractice/BindToAllInterfaces/BindToAllInterfaces.py b/python/ql/src/Security/CVE-2018-1281/BindToAllInterfaces.py
similarity index 100%
rename from python/ql/src/Security/BadPractice/BindToAllInterfaces/BindToAllInterfaces.py
rename to python/ql/src/Security/CVE-2018-1281/BindToAllInterfaces.py
diff --git a/python/ql/src/Security/BadPractice/BindToAllInterfaces/BindToAllInterfaces.qhelp b/python/ql/src/Security/CVE-2018-1281/BindToAllInterfaces.qhelp
similarity index 100%
rename from python/ql/src/Security/BadPractice/BindToAllInterfaces/BindToAllInterfaces.qhelp
rename to python/ql/src/Security/CVE-2018-1281/BindToAllInterfaces.qhelp
diff --git a/python/ql/src/Security/BadPractice/BindToAllInterfaces/BindToAllInterfaces.ql b/python/ql/src/Security/CVE-2018-1281/BindToAllInterfaces.ql
similarity index 100%
rename from python/ql/src/Security/BadPractice/BindToAllInterfaces/BindToAllInterfaces.ql
rename to python/ql/src/Security/CVE-2018-1281/BindToAllInterfaces.ql
diff --git a/python/ql/src/Security/ExternalAPIs/ExternalAPISinkExample.py b/python/ql/src/Security/CWE-020-ExternalAPIs/ExternalAPISinkExample.py
similarity index 100%
rename from python/ql/src/Security/ExternalAPIs/ExternalAPISinkExample.py
rename to python/ql/src/Security/CWE-020-ExternalAPIs/ExternalAPISinkExample.py
diff --git a/python/ql/src/Security/ExternalAPIs/ExternalAPITaintStepExample.py b/python/ql/src/Security/CWE-020-ExternalAPIs/ExternalAPITaintStepExample.py
similarity index 100%
rename from python/ql/src/Security/ExternalAPIs/ExternalAPITaintStepExample.py
rename to python/ql/src/Security/CWE-020-ExternalAPIs/ExternalAPITaintStepExample.py
diff --git a/python/ql/src/Security/ExternalAPIs/ExternalAPIs.qll b/python/ql/src/Security/CWE-020-ExternalAPIs/ExternalAPIs.qll
similarity index 98%
rename from python/ql/src/Security/ExternalAPIs/ExternalAPIs.qll
rename to python/ql/src/Security/CWE-020-ExternalAPIs/ExternalAPIs.qll
index b3482012e9a..da52edd6af1 100644
--- a/python/ql/src/Security/ExternalAPIs/ExternalAPIs.qll
+++ b/python/ql/src/Security/CWE-020-ExternalAPIs/ExternalAPIs.qll
@@ -41,7 +41,6 @@ private import semmle.python.objects.ObjectInternal
  * A callable that is considered a "safe" external API from a security perspective.
  */
 class SafeExternalAPI extends Unit {
-  /** Gets a callable that is considered a "safe" external API from a security perspective. */
   abstract DataFlowPrivate::DataFlowCallable getSafeCallable();
 }
 
diff --git a/python/ql/src/Security/ExternalAPIs/ExternalAPIsUsedWithUntrustedData.qhelp b/python/ql/src/Security/CWE-020-ExternalAPIs/ExternalAPIsUsedWithUntrustedData.qhelp
similarity index 100%
rename from python/ql/src/Security/ExternalAPIs/ExternalAPIsUsedWithUntrustedData.qhelp
rename to python/ql/src/Security/CWE-020-ExternalAPIs/ExternalAPIsUsedWithUntrustedData.qhelp
diff --git a/python/ql/src/Security/ExternalAPIs/ExternalAPIsUsedWithUntrustedData.ql b/python/ql/src/Security/CWE-020-ExternalAPIs/ExternalAPIsUsedWithUntrustedData.ql
similarity index 100%
rename from python/ql/src/Security/ExternalAPIs/ExternalAPIsUsedWithUntrustedData.ql
rename to python/ql/src/Security/CWE-020-ExternalAPIs/ExternalAPIsUsedWithUntrustedData.ql
diff --git a/python/ql/src/Security/ExternalAPIs/UntrustedDataToExternalAPI.qhelp b/python/ql/src/Security/CWE-020-ExternalAPIs/UntrustedDataToExternalAPI.qhelp
similarity index 100%
rename from python/ql/src/Security/ExternalAPIs/UntrustedDataToExternalAPI.qhelp
rename to python/ql/src/Security/CWE-020-ExternalAPIs/UntrustedDataToExternalAPI.qhelp
diff --git a/python/ql/src/Security/ExternalAPIs/UntrustedDataToExternalAPI.ql b/python/ql/src/Security/CWE-020-ExternalAPIs/UntrustedDataToExternalAPI.ql
similarity index 100%
rename from python/ql/src/Security/ExternalAPIs/UntrustedDataToExternalAPI.ql
rename to python/ql/src/Security/CWE-020-ExternalAPIs/UntrustedDataToExternalAPI.ql
diff --git a/python/ql/src/Security/BadPractice/IncompleteUrlSanitizer/IncompleteHostnameRegExp.qhelp b/python/ql/src/Security/CWE-020/IncompleteHostnameRegExp.qhelp
similarity index 100%
rename from python/ql/src/Security/BadPractice/IncompleteUrlSanitizer/IncompleteHostnameRegExp.qhelp
rename to python/ql/src/Security/CWE-020/IncompleteHostnameRegExp.qhelp
diff --git a/python/ql/src/Security/BadPractice/IncompleteUrlSanitizer/IncompleteHostnameRegExp.ql b/python/ql/src/Security/CWE-020/IncompleteHostnameRegExp.ql
similarity index 100%
rename from python/ql/src/Security/BadPractice/IncompleteUrlSanitizer/IncompleteHostnameRegExp.ql
rename to python/ql/src/Security/CWE-020/IncompleteHostnameRegExp.ql
diff --git a/python/ql/src/Security/BadPractice/IncompleteUrlSanitizer/IncompleteUrlSubstringSanitization.qhelp b/python/ql/src/Security/CWE-020/IncompleteUrlSubstringSanitization.qhelp
similarity index 100%
rename from python/ql/src/Security/BadPractice/IncompleteUrlSanitizer/IncompleteUrlSubstringSanitization.qhelp
rename to python/ql/src/Security/CWE-020/IncompleteUrlSubstringSanitization.qhelp
diff --git a/python/ql/src/Security/BadPractice/IncompleteUrlSanitizer/IncompleteUrlSubstringSanitization.ql b/python/ql/src/Security/CWE-020/IncompleteUrlSubstringSanitization.ql
similarity index 100%
rename from python/ql/src/Security/BadPractice/IncompleteUrlSanitizer/IncompleteUrlSubstringSanitization.ql
rename to python/ql/src/Security/CWE-020/IncompleteUrlSubstringSanitization.ql
diff --git a/python/ql/src/Security/BadPractice/IncompleteUrlSanitizer/examples/IncompleteHostnameRegExp.py b/python/ql/src/Security/CWE-020/examples/IncompleteHostnameRegExp.py
similarity index 100%
rename from python/ql/src/Security/BadPractice/IncompleteUrlSanitizer/examples/IncompleteHostnameRegExp.py
rename to python/ql/src/Security/CWE-020/examples/IncompleteHostnameRegExp.py
diff --git a/python/ql/src/Security/BadPractice/IncompleteUrlSanitizer/examples/IncompleteUrlSubstringSanitization.py b/python/ql/src/Security/CWE-020/examples/IncompleteUrlSubstringSanitization.py
similarity index 100%
rename from python/ql/src/Security/BadPractice/IncompleteUrlSanitizer/examples/IncompleteUrlSubstringSanitization.py
rename to python/ql/src/Security/CWE-020/examples/IncompleteUrlSubstringSanitization.py
diff --git a/python/ql/src/Security/Injection/PathInjection/PathInjection.qhelp b/python/ql/src/Security/CWE-022/PathInjection.qhelp
similarity index 100%
rename from python/ql/src/Security/Injection/PathInjection/PathInjection.qhelp
rename to python/ql/src/Security/CWE-022/PathInjection.qhelp
diff --git a/python/ql/src/Security/Injection/PathInjection/PathInjection.ql b/python/ql/src/Security/CWE-022/PathInjection.ql
similarity index 100%
rename from python/ql/src/Security/Injection/PathInjection/PathInjection.ql
rename to python/ql/src/Security/CWE-022/PathInjection.ql
diff --git a/python/ql/src/Security/Injection/TarSlip/TarSlip.qhelp b/python/ql/src/Security/CWE-022/TarSlip.qhelp
similarity index 100%
rename from python/ql/src/Security/Injection/TarSlip/TarSlip.qhelp
rename to python/ql/src/Security/CWE-022/TarSlip.qhelp
diff --git a/python/ql/src/Security/Injection/TarSlip/TarSlip.ql b/python/ql/src/Security/CWE-022/TarSlip.ql
similarity index 100%
rename from python/ql/src/Security/Injection/TarSlip/TarSlip.ql
rename to python/ql/src/Security/CWE-022/TarSlip.ql
diff --git a/python/ql/src/Security/Injection/PathInjection/examples/tainted_path.py b/python/ql/src/Security/CWE-022/examples/tainted_path.py
similarity index 100%
rename from python/ql/src/Security/Injection/PathInjection/examples/tainted_path.py
rename to python/ql/src/Security/CWE-022/examples/tainted_path.py
diff --git a/python/ql/src/Security/Injection/TarSlip/examples/tarslip_bad.py b/python/ql/src/Security/CWE-022/examples/tarslip_bad.py
similarity index 100%
rename from python/ql/src/Security/Injection/TarSlip/examples/tarslip_bad.py
rename to python/ql/src/Security/CWE-022/examples/tarslip_bad.py
diff --git a/python/ql/src/Security/Injection/TarSlip/examples/tarslip_good.py b/python/ql/src/Security/CWE-022/examples/tarslip_good.py
similarity index 100%
rename from python/ql/src/Security/Injection/TarSlip/examples/tarslip_good.py
rename to python/ql/src/Security/CWE-022/examples/tarslip_good.py
diff --git a/python/ql/src/Security/Injection/CommandInjection/CommandInjection.qhelp b/python/ql/src/Security/CWE-078/CommandInjection.qhelp
similarity index 100%
rename from python/ql/src/Security/Injection/CommandInjection/CommandInjection.qhelp
rename to python/ql/src/Security/CWE-078/CommandInjection.qhelp
diff --git a/python/ql/src/Security/Injection/CommandInjection/CommandInjection.ql b/python/ql/src/Security/CWE-078/CommandInjection.ql
similarity index 100%
rename from python/ql/src/Security/Injection/CommandInjection/CommandInjection.ql
rename to python/ql/src/Security/CWE-078/CommandInjection.ql
diff --git a/python/ql/src/Security/Injection/CommandInjection/examples/command_injection.py b/python/ql/src/Security/CWE-078/examples/command_injection.py
similarity index 100%
rename from python/ql/src/Security/Injection/CommandInjection/examples/command_injection.py
rename to python/ql/src/Security/CWE-078/examples/command_injection.py
diff --git a/python/ql/src/Security/BadPractice/Jinja2RenderWithoutEscape/Jinja2WithoutEscaping.qhelp b/python/ql/src/Security/CWE-079/Jinja2WithoutEscaping.qhelp
similarity index 100%
rename from python/ql/src/Security/BadPractice/Jinja2RenderWithoutEscape/Jinja2WithoutEscaping.qhelp
rename to python/ql/src/Security/CWE-079/Jinja2WithoutEscaping.qhelp
diff --git a/python/ql/src/Security/BadPractice/Jinja2RenderWithoutEscape/Jinja2WithoutEscaping.ql b/python/ql/src/Security/CWE-079/Jinja2WithoutEscaping.ql
similarity index 100%
rename from python/ql/src/Security/BadPractice/Jinja2RenderWithoutEscape/Jinja2WithoutEscaping.ql
rename to python/ql/src/Security/CWE-079/Jinja2WithoutEscaping.ql
diff --git a/python/ql/src/Security/Injection/ReflectedXss/ReflectedXss.qhelp b/python/ql/src/Security/CWE-079/ReflectedXss.qhelp
similarity index 100%
rename from python/ql/src/Security/Injection/ReflectedXss/ReflectedXss.qhelp
rename to python/ql/src/Security/CWE-079/ReflectedXss.qhelp
diff --git a/python/ql/src/Security/Injection/ReflectedXss/ReflectedXss.ql b/python/ql/src/Security/CWE-079/ReflectedXss.ql
similarity index 100%
rename from python/ql/src/Security/Injection/ReflectedXss/ReflectedXss.ql
rename to python/ql/src/Security/CWE-079/ReflectedXss.ql
diff --git a/python/ql/src/Security/BadPractice/Jinja2RenderWithoutEscape/examples/jinja2.py b/python/ql/src/Security/CWE-079/examples/jinja2.py
similarity index 100%
rename from python/ql/src/Security/BadPractice/Jinja2RenderWithoutEscape/examples/jinja2.py
rename to python/ql/src/Security/CWE-079/examples/jinja2.py
diff --git a/python/ql/src/Security/Injection/ReflectedXss/examples/xss.py b/python/ql/src/Security/CWE-079/examples/xss.py
similarity index 100%
rename from python/ql/src/Security/Injection/ReflectedXss/examples/xss.py
rename to python/ql/src/Security/CWE-079/examples/xss.py
diff --git a/python/ql/src/Security/Injection/SqlInjection/SqlInjection.qhelp b/python/ql/src/Security/CWE-089/SqlInjection.qhelp
similarity index 100%
rename from python/ql/src/Security/Injection/SqlInjection/SqlInjection.qhelp
rename to python/ql/src/Security/CWE-089/SqlInjection.qhelp
diff --git a/python/ql/src/Security/Injection/SqlInjection/SqlInjection.ql b/python/ql/src/Security/CWE-089/SqlInjection.ql
similarity index 100%
rename from python/ql/src/Security/Injection/SqlInjection/SqlInjection.ql
rename to python/ql/src/Security/CWE-089/SqlInjection.ql
diff --git a/python/ql/src/Security/Injection/SqlInjection/examples/sql_injection.py b/python/ql/src/Security/CWE-089/examples/sql_injection.py
similarity index 100%
rename from python/ql/src/Security/Injection/SqlInjection/examples/sql_injection.py
rename to python/ql/src/Security/CWE-089/examples/sql_injection.py
diff --git a/python/ql/src/Security/Injection/CodeInjection/CodeInjection.qhelp b/python/ql/src/Security/CWE-094/CodeInjection.qhelp
similarity index 100%
rename from python/ql/src/Security/Injection/CodeInjection/CodeInjection.qhelp
rename to python/ql/src/Security/CWE-094/CodeInjection.qhelp
diff --git a/python/ql/src/Security/Injection/CodeInjection/CodeInjection.ql b/python/ql/src/Security/CWE-094/CodeInjection.ql
similarity index 100%
rename from python/ql/src/Security/Injection/CodeInjection/CodeInjection.ql
rename to python/ql/src/Security/CWE-094/CodeInjection.ql
diff --git a/python/ql/src/Security/Injection/CodeInjection/examples/code_injection.py b/python/ql/src/Security/CWE-094/examples/code_injection.py
similarity index 100%
rename from python/ql/src/Security/Injection/CodeInjection/examples/code_injection.py
rename to python/ql/src/Security/CWE-094/examples/code_injection.py
diff --git a/python/ql/src/Security/Exposure/StackTraceExposure/StackTraceExposure.py b/python/ql/src/Security/CWE-209/StackTraceExposure.py
similarity index 100%
rename from python/ql/src/Security/Exposure/StackTraceExposure/StackTraceExposure.py
rename to python/ql/src/Security/CWE-209/StackTraceExposure.py
diff --git a/python/ql/src/Security/Exposure/StackTraceExposure/StackTraceExposure.qhelp b/python/ql/src/Security/CWE-209/StackTraceExposure.qhelp
similarity index 100%
rename from python/ql/src/Security/Exposure/StackTraceExposure/StackTraceExposure.qhelp
rename to python/ql/src/Security/CWE-209/StackTraceExposure.qhelp
diff --git a/python/ql/src/Security/Exposure/StackTraceExposure/StackTraceExposure.ql b/python/ql/src/Security/CWE-209/StackTraceExposure.ql
similarity index 100%
rename from python/ql/src/Security/Exposure/StackTraceExposure/StackTraceExposure.ql
rename to python/ql/src/Security/CWE-209/StackTraceExposure.ql
diff --git a/python/ql/src/Security/BadPractice/FlaskRunWithDebug/FlaskDebug.py b/python/ql/src/Security/CWE-215/FlaskDebug.py
similarity index 100%
rename from python/ql/src/Security/BadPractice/FlaskRunWithDebug/FlaskDebug.py
rename to python/ql/src/Security/CWE-215/FlaskDebug.py
diff --git a/python/ql/src/Security/BadPractice/FlaskRunWithDebug/FlaskDebug.qhelp b/python/ql/src/Security/CWE-215/FlaskDebug.qhelp
similarity index 100%
rename from python/ql/src/Security/BadPractice/FlaskRunWithDebug/FlaskDebug.qhelp
rename to python/ql/src/Security/CWE-215/FlaskDebug.qhelp
diff --git a/python/ql/src/Security/BadPractice/FlaskRunWithDebug/FlaskDebug.ql b/python/ql/src/Security/CWE-215/FlaskDebug.ql
similarity index 100%
rename from python/ql/src/Security/BadPractice/FlaskRunWithDebug/FlaskDebug.ql
rename to python/ql/src/Security/CWE-215/FlaskDebug.ql
diff --git a/python/ql/src/Security/BadPractice/SSHMissingHostKeyValidation/SSHMissingHostKeyValidation.qhelp b/python/ql/src/Security/CWE-295/MissingHostKeyValidation.qhelp
similarity index 100%
rename from python/ql/src/Security/BadPractice/SSHMissingHostKeyValidation/SSHMissingHostKeyValidation.qhelp
rename to python/ql/src/Security/CWE-295/MissingHostKeyValidation.qhelp
diff --git a/python/ql/src/Security/BadPractice/SSHMissingHostKeyValidation/SSHMissingHostKeyValidation.ql b/python/ql/src/Security/CWE-295/MissingHostKeyValidation.ql
similarity index 100%
rename from python/ql/src/Security/BadPractice/SSHMissingHostKeyValidation/SSHMissingHostKeyValidation.ql
rename to python/ql/src/Security/CWE-295/MissingHostKeyValidation.ql
diff --git a/python/ql/src/Security/BadPractice/HTTPSRequestWithoutCertValidation/HTTPSRequestWithoutCertValidation.qhelp b/python/ql/src/Security/CWE-295/RequestWithoutValidation.qhelp
similarity index 100%
rename from python/ql/src/Security/BadPractice/HTTPSRequestWithoutCertValidation/HTTPSRequestWithoutCertValidation.qhelp
rename to python/ql/src/Security/CWE-295/RequestWithoutValidation.qhelp
diff --git a/python/ql/src/Security/BadPractice/HTTPSRequestWithoutCertValidation/HTTPSRequestWithoutCertValidation.ql b/python/ql/src/Security/CWE-295/RequestWithoutValidation.ql
similarity index 100%
rename from python/ql/src/Security/BadPractice/HTTPSRequestWithoutCertValidation/HTTPSRequestWithoutCertValidation.ql
rename to python/ql/src/Security/CWE-295/RequestWithoutValidation.ql
diff --git a/python/ql/src/Security/BadPractice/HTTPSRequestWithoutCertValidation/examples/make_request.py b/python/ql/src/Security/CWE-295/examples/make_request.py
similarity index 100%
rename from python/ql/src/Security/BadPractice/HTTPSRequestWithoutCertValidation/examples/make_request.py
rename to python/ql/src/Security/CWE-295/examples/make_request.py
diff --git a/python/ql/src/Security/BadPractice/SSHMissingHostKeyValidation/examples/paramiko_host_key.py b/python/ql/src/Security/CWE-295/examples/paramiko_host_key.py
similarity index 100%
rename from python/ql/src/Security/BadPractice/SSHMissingHostKeyValidation/examples/paramiko_host_key.py
rename to python/ql/src/Security/CWE-295/examples/paramiko_host_key.py
diff --git a/python/ql/src/Security/Exposure/SensitiveDataExposure/CleartextLogging.qhelp b/python/ql/src/Security/CWE-312/CleartextLogging.qhelp
similarity index 100%
rename from python/ql/src/Security/Exposure/SensitiveDataExposure/CleartextLogging.qhelp
rename to python/ql/src/Security/CWE-312/CleartextLogging.qhelp
diff --git a/python/ql/src/Security/Exposure/SensitiveDataExposure/CleartextLogging.ql b/python/ql/src/Security/CWE-312/CleartextLogging.ql
similarity index 100%
rename from python/ql/src/Security/Exposure/SensitiveDataExposure/CleartextLogging.ql
rename to python/ql/src/Security/CWE-312/CleartextLogging.ql
diff --git a/python/ql/src/Security/Exposure/SensitiveDataExposure/CleartextStorage.qhelp b/python/ql/src/Security/CWE-312/CleartextStorage.qhelp
similarity index 100%
rename from python/ql/src/Security/Exposure/SensitiveDataExposure/CleartextStorage.qhelp
rename to python/ql/src/Security/CWE-312/CleartextStorage.qhelp
diff --git a/python/ql/src/Security/Exposure/SensitiveDataExposure/CleartextStorage.ql b/python/ql/src/Security/CWE-312/CleartextStorage.ql
similarity index 100%
rename from python/ql/src/Security/Exposure/SensitiveDataExposure/CleartextStorage.ql
rename to python/ql/src/Security/CWE-312/CleartextStorage.ql
diff --git a/python/ql/src/Security/Exposure/SensitiveDataExposure/examples/password_in_cookie.py b/python/ql/src/Security/CWE-312/examples/password_in_cookie.py
similarity index 100%
rename from python/ql/src/Security/Exposure/SensitiveDataExposure/examples/password_in_cookie.py
rename to python/ql/src/Security/CWE-312/examples/password_in_cookie.py
diff --git a/python/ql/src/Security/Crypto/WeakCryptoKey/WeakCryptoKey.qhelp b/python/ql/src/Security/CWE-326/WeakCrypto.qhelp
similarity index 100%
rename from python/ql/src/Security/Crypto/WeakCryptoKey/WeakCryptoKey.qhelp
rename to python/ql/src/Security/CWE-326/WeakCrypto.qhelp
diff --git a/python/ql/src/Security/Crypto/WeakCryptoKey/WeakCryptoKey.ql b/python/ql/src/Security/CWE-326/WeakCrypto.ql
similarity index 100%
rename from python/ql/src/Security/Crypto/WeakCryptoKey/WeakCryptoKey.ql
rename to python/ql/src/Security/CWE-326/WeakCrypto.ql
diff --git a/python/ql/src/Security/Crypto/WeakCryptoAlgorithm/WeakCryptoAlgorithm.qhelp b/python/ql/src/Security/CWE-327/BrokenCryptoAlgorithm.qhelp
similarity index 97%
rename from python/ql/src/Security/Crypto/WeakCryptoAlgorithm/WeakCryptoAlgorithm.qhelp
rename to python/ql/src/Security/CWE-327/BrokenCryptoAlgorithm.qhelp
index 01c8460d14c..ba5ab4d10c1 100644
--- a/python/ql/src/Security/Crypto/WeakCryptoAlgorithm/WeakCryptoAlgorithm.qhelp
+++ b/python/ql/src/Security/CWE-327/BrokenCryptoAlgorithm.qhelp
@@ -36,7 +36,7 @@
                example uses AES, which is a stronger modern algorithm.
           </p>
 
-          <sample src="examples/weak_crypto_algorithm.py" />
+          <sample src="examples/broken_crypto.py" />
 
           <p>
                WARNING: Although the second example above is more robust,
diff --git a/python/ql/src/Security/Crypto/WeakCryptoAlgorithm/WeakCryptoAlgorithm.ql b/python/ql/src/Security/CWE-327/BrokenCryptoAlgorithm.ql
similarity index 100%
rename from python/ql/src/Security/Crypto/WeakCryptoAlgorithm/WeakCryptoAlgorithm.ql
rename to python/ql/src/Security/CWE-327/BrokenCryptoAlgorithm.ql
diff --git a/python/ql/src/Security/Crypto/TLS/InsecureDefaultProtocol.qhelp b/python/ql/src/Security/CWE-327/InsecureDefaultProtocol.qhelp
similarity index 100%
rename from python/ql/src/Security/Crypto/TLS/InsecureDefaultProtocol.qhelp
rename to python/ql/src/Security/CWE-327/InsecureDefaultProtocol.qhelp
diff --git a/python/ql/src/Security/Crypto/TLS/InsecureDefaultProtocol.ql b/python/ql/src/Security/CWE-327/InsecureDefaultProtocol.ql
similarity index 100%
rename from python/ql/src/Security/Crypto/TLS/InsecureDefaultProtocol.ql
rename to python/ql/src/Security/CWE-327/InsecureDefaultProtocol.ql
diff --git a/python/ql/src/Security/Crypto/TLS/InsecureProtocol.qhelp b/python/ql/src/Security/CWE-327/InsecureProtocol.qhelp
similarity index 100%
rename from python/ql/src/Security/Crypto/TLS/InsecureProtocol.qhelp
rename to python/ql/src/Security/CWE-327/InsecureProtocol.qhelp
diff --git a/python/ql/src/Security/Crypto/TLS/InsecureProtocol.ql b/python/ql/src/Security/CWE-327/InsecureProtocol.ql
similarity index 100%
rename from python/ql/src/Security/Crypto/TLS/InsecureProtocol.ql
rename to python/ql/src/Security/CWE-327/InsecureProtocol.ql
diff --git a/python/ql/src/Security/Crypto/WeakCryptoAlgorithm/examples/weak_crypto_algorithm.py b/python/ql/src/Security/CWE-327/examples/broken_crypto.py
similarity index 100%
rename from python/ql/src/Security/Crypto/WeakCryptoAlgorithm/examples/weak_crypto_algorithm.py
rename to python/ql/src/Security/CWE-327/examples/broken_crypto.py
diff --git a/python/ql/src/Security/Crypto/TLS/examples/insecure_default_protocol.py b/python/ql/src/Security/CWE-327/examples/insecure_default_protocol.py
similarity index 100%
rename from python/ql/src/Security/Crypto/TLS/examples/insecure_default_protocol.py
rename to python/ql/src/Security/CWE-327/examples/insecure_default_protocol.py
diff --git a/python/ql/src/Security/Crypto/TLS/examples/insecure_protocol.py b/python/ql/src/Security/CWE-327/examples/insecure_protocol.py
similarity index 100%
rename from python/ql/src/Security/Crypto/TLS/examples/insecure_protocol.py
rename to python/ql/src/Security/CWE-327/examples/insecure_protocol.py
diff --git a/python/ql/src/Security/BadPractice/InsecureTemporaryFile/InsecureTemporaryFile.py b/python/ql/src/Security/CWE-377/InsecureTemporaryFile.py
similarity index 100%
rename from python/ql/src/Security/BadPractice/InsecureTemporaryFile/InsecureTemporaryFile.py
rename to python/ql/src/Security/CWE-377/InsecureTemporaryFile.py
diff --git a/python/ql/src/Security/BadPractice/InsecureTemporaryFile/InsecureTemporaryFile.qhelp b/python/ql/src/Security/CWE-377/InsecureTemporaryFile.qhelp
similarity index 100%
rename from python/ql/src/Security/BadPractice/InsecureTemporaryFile/InsecureTemporaryFile.qhelp
rename to python/ql/src/Security/CWE-377/InsecureTemporaryFile.qhelp
diff --git a/python/ql/src/Security/BadPractice/InsecureTemporaryFile/InsecureTemporaryFile.ql b/python/ql/src/Security/CWE-377/InsecureTemporaryFile.ql
similarity index 100%
rename from python/ql/src/Security/BadPractice/InsecureTemporaryFile/InsecureTemporaryFile.ql
rename to python/ql/src/Security/CWE-377/InsecureTemporaryFile.ql
diff --git a/python/ql/src/Security/BadPractice/InsecureTemporaryFile/SecureTemporaryFile.py b/python/ql/src/Security/CWE-377/SecureTemporaryFile.py
similarity index 100%
rename from python/ql/src/Security/BadPractice/InsecureTemporaryFile/SecureTemporaryFile.py
rename to python/ql/src/Security/CWE-377/SecureTemporaryFile.py
diff --git a/python/ql/src/Security/Injection/UnsafeDeserialization/JsonGood.py b/python/ql/src/Security/CWE-502/JsonGood.py
similarity index 100%
rename from python/ql/src/Security/Injection/UnsafeDeserialization/JsonGood.py
rename to python/ql/src/Security/CWE-502/JsonGood.py
diff --git a/python/ql/src/Security/Injection/UnsafeDeserialization/UnpicklingBad.py b/python/ql/src/Security/CWE-502/UnpicklingBad.py
similarity index 100%
rename from python/ql/src/Security/Injection/UnsafeDeserialization/UnpicklingBad.py
rename to python/ql/src/Security/CWE-502/UnpicklingBad.py
diff --git a/python/ql/src/Security/Injection/UnsafeDeserialization/UnsafeDeserialization.qhelp b/python/ql/src/Security/CWE-502/UnsafeDeserialization.qhelp
similarity index 100%
rename from python/ql/src/Security/Injection/UnsafeDeserialization/UnsafeDeserialization.qhelp
rename to python/ql/src/Security/CWE-502/UnsafeDeserialization.qhelp
diff --git a/python/ql/src/Security/Injection/UnsafeDeserialization/UnsafeDeserialization.ql b/python/ql/src/Security/CWE-502/UnsafeDeserialization.ql
similarity index 100%
rename from python/ql/src/Security/Injection/UnsafeDeserialization/UnsafeDeserialization.ql
rename to python/ql/src/Security/CWE-502/UnsafeDeserialization.ql
diff --git a/python/ql/src/Security/Injection/OpenRedirect/OpenRedirect.qhelp b/python/ql/src/Security/CWE-601/UrlRedirect.qhelp
similarity index 100%
rename from python/ql/src/Security/Injection/OpenRedirect/OpenRedirect.qhelp
rename to python/ql/src/Security/CWE-601/UrlRedirect.qhelp
diff --git a/python/ql/src/Security/Injection/OpenRedirect/OpenRedirect.ql b/python/ql/src/Security/CWE-601/UrlRedirect.ql
similarity index 100%
rename from python/ql/src/Security/Injection/OpenRedirect/OpenRedirect.ql
rename to python/ql/src/Security/CWE-601/UrlRedirect.ql
diff --git a/python/ql/src/Security/Injection/OpenRedirect/examples/redirect_bad.py b/python/ql/src/Security/CWE-601/examples/redirect_bad.py
similarity index 100%
rename from python/ql/src/Security/Injection/OpenRedirect/examples/redirect_bad.py
rename to python/ql/src/Security/CWE-601/examples/redirect_bad.py
diff --git a/python/ql/src/Security/Injection/OpenRedirect/examples/redirect_good.py b/python/ql/src/Security/CWE-601/examples/redirect_good.py
similarity index 100%
rename from python/ql/src/Security/Injection/OpenRedirect/examples/redirect_good.py
rename to python/ql/src/Security/CWE-601/examples/redirect_good.py
diff --git a/python/ql/src/Security/BadPractice/WeakFilePermissions/WeakFilePermissions.qhelp b/python/ql/src/Security/CWE-732/WeakFilePermissions.qhelp
similarity index 100%
rename from python/ql/src/Security/BadPractice/WeakFilePermissions/WeakFilePermissions.qhelp
rename to python/ql/src/Security/CWE-732/WeakFilePermissions.qhelp
diff --git a/python/ql/src/Security/BadPractice/WeakFilePermissions/WeakFilePermissions.ql b/python/ql/src/Security/CWE-732/WeakFilePermissions.ql
similarity index 100%
rename from python/ql/src/Security/BadPractice/WeakFilePermissions/WeakFilePermissions.ql
rename to python/ql/src/Security/CWE-732/WeakFilePermissions.ql
diff --git a/python/ql/src/Security/BadPractice/HardcodedCredentials/HardcodedCredentials.py b/python/ql/src/Security/CWE-798/HardcodedCredentials.py
similarity index 100%
rename from python/ql/src/Security/BadPractice/HardcodedCredentials/HardcodedCredentials.py
rename to python/ql/src/Security/CWE-798/HardcodedCredentials.py
diff --git a/python/ql/src/Security/BadPractice/HardcodedCredentials/HardcodedCredentials.qhelp b/python/ql/src/Security/CWE-798/HardcodedCredentials.qhelp
similarity index 100%
rename from python/ql/src/Security/BadPractice/HardcodedCredentials/HardcodedCredentials.qhelp
rename to python/ql/src/Security/CWE-798/HardcodedCredentials.qhelp
diff --git a/python/ql/src/Security/BadPractice/HardcodedCredentials/HardcodedCredentials.ql b/python/ql/src/Security/CWE-798/HardcodedCredentials.ql
similarity index 100%
rename from python/ql/src/Security/BadPractice/HardcodedCredentials/HardcodedCredentials.ql
rename to python/ql/src/Security/CWE-798/HardcodedCredentials.ql
diff --git a/python/ql/test/query-tests/Security/BadPractice/BindToAllInterfaces/BindToAllInterfaces.qlref b/python/ql/test/query-tests/Security/BadPractice/BindToAllInterfaces/BindToAllInterfaces.qlref
deleted file mode 100644
index adef42d0768..00000000000
--- a/python/ql/test/query-tests/Security/BadPractice/BindToAllInterfaces/BindToAllInterfaces.qlref
+++ /dev/null
@@ -1 +0,0 @@
-Security/BadPractice/BindToAllInterfaces/BindToAllInterfaces.ql
diff --git a/python/ql/test/query-tests/Security/BadPractice/FlaskRunWithDebug/FlaskDebug.qlref b/python/ql/test/query-tests/Security/BadPractice/FlaskRunWithDebug/FlaskDebug.qlref
deleted file mode 100644
index 67a0f7a60de..00000000000
--- a/python/ql/test/query-tests/Security/BadPractice/FlaskRunWithDebug/FlaskDebug.qlref
+++ /dev/null
@@ -1 +0,0 @@
-Security/BadPractice/FlaskRunWithDebug/FlaskDebug.ql
diff --git a/python/ql/test/query-tests/Security/BadPractice/FlaskRunWithDebug/options b/python/ql/test/query-tests/Security/BadPractice/FlaskRunWithDebug/options
deleted file mode 100644
index e552c11e561..00000000000
--- a/python/ql/test/query-tests/Security/BadPractice/FlaskRunWithDebug/options
+++ /dev/null
@@ -1 +0,0 @@
-semmle-extractor-options: --max-import-depth=2 -p ../../lib
diff --git a/python/ql/test/query-tests/Security/BadPractice/HTTPSRequestWithoutCertValidation/RequestWithoutValidation.qlref b/python/ql/test/query-tests/Security/BadPractice/HTTPSRequestWithoutCertValidation/RequestWithoutValidation.qlref
deleted file mode 100644
index c8e27ca0561..00000000000
--- a/python/ql/test/query-tests/Security/BadPractice/HTTPSRequestWithoutCertValidation/RequestWithoutValidation.qlref
+++ /dev/null
@@ -1 +0,0 @@
-Security/BadPractice/HTTPSRequestWithoutCertValidation/HTTPSRequestWithoutCertValidation.ql
diff --git a/python/ql/test/query-tests/Security/BadPractice/HTTPSRequestWithoutCertValidation/options b/python/ql/test/query-tests/Security/BadPractice/HTTPSRequestWithoutCertValidation/options
deleted file mode 100644
index b7721e6c509..00000000000
--- a/python/ql/test/query-tests/Security/BadPractice/HTTPSRequestWithoutCertValidation/options
+++ /dev/null
@@ -1 +0,0 @@
-semmle-extractor-options: -p ../../lib --max-import-depth=3
diff --git a/python/ql/test/query-tests/Security/BadPractice/HardcodedCredentials/HardcodedCredentials.qlref b/python/ql/test/query-tests/Security/BadPractice/HardcodedCredentials/HardcodedCredentials.qlref
deleted file mode 100644
index ff70ade48e7..00000000000
--- a/python/ql/test/query-tests/Security/BadPractice/HardcodedCredentials/HardcodedCredentials.qlref
+++ /dev/null
@@ -1 +0,0 @@
-Security/BadPractice/HardcodedCredentials/HardcodedCredentials.ql
diff --git a/python/ql/test/query-tests/Security/BadPractice/IncompleteUrlSanitizer/IncompleteHostnameRegExp.qlref b/python/ql/test/query-tests/Security/BadPractice/IncompleteUrlSanitizer/IncompleteHostnameRegExp.qlref
deleted file mode 100644
index 2fac15c1228..00000000000
--- a/python/ql/test/query-tests/Security/BadPractice/IncompleteUrlSanitizer/IncompleteHostnameRegExp.qlref
+++ /dev/null
@@ -1 +0,0 @@
-Security/BadPractice/IncompleteUrlSanitizer/IncompleteHostnameRegExp.ql
diff --git a/python/ql/test/query-tests/Security/BadPractice/IncompleteUrlSanitizer/IncompleteUrlSubstringSanitization.qlref b/python/ql/test/query-tests/Security/BadPractice/IncompleteUrlSanitizer/IncompleteUrlSubstringSanitization.qlref
deleted file mode 100644
index 00a3a8dad07..00000000000
--- a/python/ql/test/query-tests/Security/BadPractice/IncompleteUrlSanitizer/IncompleteUrlSubstringSanitization.qlref
+++ /dev/null
@@ -1 +0,0 @@
-Security/BadPractice/IncompleteUrlSanitizer/IncompleteUrlSubstringSanitization.ql
diff --git a/python/ql/test/query-tests/Security/BadPractice/InsecureTemporaryFile/InsecureTemporaryFile.qlref b/python/ql/test/query-tests/Security/BadPractice/InsecureTemporaryFile/InsecureTemporaryFile.qlref
deleted file mode 100644
index ee6d466921c..00000000000
--- a/python/ql/test/query-tests/Security/BadPractice/InsecureTemporaryFile/InsecureTemporaryFile.qlref
+++ /dev/null
@@ -1 +0,0 @@
-Security/BadPractice/InsecureTemporaryFile/InsecureTemporaryFile.ql
diff --git a/python/ql/test/query-tests/Security/BadPractice/InsecureTemporaryFile/options b/python/ql/test/query-tests/Security/BadPractice/InsecureTemporaryFile/options
deleted file mode 100644
index b7721e6c509..00000000000
--- a/python/ql/test/query-tests/Security/BadPractice/InsecureTemporaryFile/options
+++ /dev/null
@@ -1 +0,0 @@
-semmle-extractor-options: -p ../../lib --max-import-depth=3
diff --git a/python/ql/test/query-tests/Security/BadPractice/Jinja2RenderWithoutEscape/Jinja2WithoutEscaping.qlref b/python/ql/test/query-tests/Security/BadPractice/Jinja2RenderWithoutEscape/Jinja2WithoutEscaping.qlref
deleted file mode 100644
index 4cdcd0c5567..00000000000
--- a/python/ql/test/query-tests/Security/BadPractice/Jinja2RenderWithoutEscape/Jinja2WithoutEscaping.qlref
+++ /dev/null
@@ -1 +0,0 @@
-Security/BadPractice/Jinja2RenderWithoutEscape/Jinja2WithoutEscaping.ql
diff --git a/python/ql/test/query-tests/Security/BadPractice/SSHMissingHostKeyValidation/MissingHostKeyValidation.qlref b/python/ql/test/query-tests/Security/BadPractice/SSHMissingHostKeyValidation/MissingHostKeyValidation.qlref
deleted file mode 100644
index 174098ffea7..00000000000
--- a/python/ql/test/query-tests/Security/BadPractice/SSHMissingHostKeyValidation/MissingHostKeyValidation.qlref
+++ /dev/null
@@ -1 +0,0 @@
-Security/BadPractice/SSHMissingHostKeyValidation/SSHMissingHostKeyValidation.ql
diff --git a/python/ql/test/query-tests/Security/BadPractice/SSHMissingHostKeyValidation/options b/python/ql/test/query-tests/Security/BadPractice/SSHMissingHostKeyValidation/options
deleted file mode 100644
index b7721e6c509..00000000000
--- a/python/ql/test/query-tests/Security/BadPractice/SSHMissingHostKeyValidation/options
+++ /dev/null
@@ -1 +0,0 @@
-semmle-extractor-options: -p ../../lib --max-import-depth=3
diff --git a/python/ql/test/query-tests/Security/BadPractice/WeakFilePermissions/WeakFilePermissions.qlref b/python/ql/test/query-tests/Security/BadPractice/WeakFilePermissions/WeakFilePermissions.qlref
deleted file mode 100644
index 8a8619a4a2d..00000000000
--- a/python/ql/test/query-tests/Security/BadPractice/WeakFilePermissions/WeakFilePermissions.qlref
+++ /dev/null
@@ -1 +0,0 @@
-Security/BadPractice/WeakFilePermissions/WeakFilePermissions.ql
diff --git a/python/ql/test/query-tests/Security/BadPractice/WeakFilePermissions/options b/python/ql/test/query-tests/Security/BadPractice/WeakFilePermissions/options
deleted file mode 100644
index e552c11e561..00000000000
--- a/python/ql/test/query-tests/Security/BadPractice/WeakFilePermissions/options
+++ /dev/null
@@ -1 +0,0 @@
-semmle-extractor-options: --max-import-depth=2 -p ../../lib
diff --git a/python/ql/test/query-tests/Security/BadPractice/BindToAllInterfaces/BindToAllInterfaces.expected b/python/ql/test/query-tests/Security/CVE-2018-1281/BindToAllInterfaces.expected
similarity index 100%
rename from python/ql/test/query-tests/Security/BadPractice/BindToAllInterfaces/BindToAllInterfaces.expected
rename to python/ql/test/query-tests/Security/CVE-2018-1281/BindToAllInterfaces.expected
diff --git a/python/ql/test/query-tests/Security/CVE-2018-1281/BindToAllInterfaces.qlref b/python/ql/test/query-tests/Security/CVE-2018-1281/BindToAllInterfaces.qlref
new file mode 100644
index 00000000000..f06cc3d869d
--- /dev/null
+++ b/python/ql/test/query-tests/Security/CVE-2018-1281/BindToAllInterfaces.qlref
@@ -0,0 +1 @@
+Security/CVE-2018-1281/BindToAllInterfaces.ql
\ No newline at end of file
diff --git a/python/ql/test/query-tests/Security/BadPractice/BindToAllInterfaces/BindToAllInterfaces_test.py b/python/ql/test/query-tests/Security/CVE-2018-1281/BindToAllInterfaces_test.py
similarity index 100%
rename from python/ql/test/query-tests/Security/BadPractice/BindToAllInterfaces/BindToAllInterfaces_test.py
rename to python/ql/test/query-tests/Security/CVE-2018-1281/BindToAllInterfaces_test.py
diff --git a/python/ql/test/query-tests/Security/BadPractice/BindToAllInterfaces/options b/python/ql/test/query-tests/Security/CVE-2018-1281/options
similarity index 100%
rename from python/ql/test/query-tests/Security/BadPractice/BindToAllInterfaces/options
rename to python/ql/test/query-tests/Security/CVE-2018-1281/options
diff --git a/python/ql/test/query-tests/Security/ExternalAPIs/ExternalAPIsUsedWithUntrustedData.expected b/python/ql/test/query-tests/Security/CWE-020-ExternalAPIs/ExternalAPIsUsedWithUntrustedData.expected
similarity index 100%
rename from python/ql/test/query-tests/Security/ExternalAPIs/ExternalAPIsUsedWithUntrustedData.expected
rename to python/ql/test/query-tests/Security/CWE-020-ExternalAPIs/ExternalAPIsUsedWithUntrustedData.expected
diff --git a/python/ql/test/query-tests/Security/CWE-020-ExternalAPIs/ExternalAPIsUsedWithUntrustedData.qlref b/python/ql/test/query-tests/Security/CWE-020-ExternalAPIs/ExternalAPIsUsedWithUntrustedData.qlref
new file mode 100644
index 00000000000..c91bf44f815
--- /dev/null
+++ b/python/ql/test/query-tests/Security/CWE-020-ExternalAPIs/ExternalAPIsUsedWithUntrustedData.qlref
@@ -0,0 +1 @@
+Security/CWE-020-ExternalAPIs/ExternalAPIsUsedWithUntrustedData.ql
diff --git a/python/ql/test/query-tests/Security/ExternalAPIs/UntrustedDataToExternalAPI.expected b/python/ql/test/query-tests/Security/CWE-020-ExternalAPIs/UntrustedDataToExternalAPI.expected
similarity index 100%
rename from python/ql/test/query-tests/Security/ExternalAPIs/UntrustedDataToExternalAPI.expected
rename to python/ql/test/query-tests/Security/CWE-020-ExternalAPIs/UntrustedDataToExternalAPI.expected
diff --git a/python/ql/test/query-tests/Security/CWE-020-ExternalAPIs/UntrustedDataToExternalAPI.qlref b/python/ql/test/query-tests/Security/CWE-020-ExternalAPIs/UntrustedDataToExternalAPI.qlref
new file mode 100644
index 00000000000..03c06feeec8
--- /dev/null
+++ b/python/ql/test/query-tests/Security/CWE-020-ExternalAPIs/UntrustedDataToExternalAPI.qlref
@@ -0,0 +1 @@
+Security/CWE-020-ExternalAPIs/UntrustedDataToExternalAPI.ql
diff --git a/python/ql/test/query-tests/Security/ExternalAPIs/test.py b/python/ql/test/query-tests/Security/CWE-020-ExternalAPIs/test.py
similarity index 100%
rename from python/ql/test/query-tests/Security/ExternalAPIs/test.py
rename to python/ql/test/query-tests/Security/CWE-020-ExternalAPIs/test.py
diff --git a/python/ql/test/query-tests/Security/BadPractice/IncompleteUrlSanitizer/IncompleteHostnameRegExp.expected b/python/ql/test/query-tests/Security/CWE-020/IncompleteHostnameRegExp.expected
similarity index 100%
rename from python/ql/test/query-tests/Security/BadPractice/IncompleteUrlSanitizer/IncompleteHostnameRegExp.expected
rename to python/ql/test/query-tests/Security/CWE-020/IncompleteHostnameRegExp.expected
diff --git a/python/ql/test/query-tests/Security/CWE-020/IncompleteHostnameRegExp.qlref b/python/ql/test/query-tests/Security/CWE-020/IncompleteHostnameRegExp.qlref
new file mode 100644
index 00000000000..e818d947252
--- /dev/null
+++ b/python/ql/test/query-tests/Security/CWE-020/IncompleteHostnameRegExp.qlref
@@ -0,0 +1 @@
+Security/CWE-020/IncompleteHostnameRegExp.ql
\ No newline at end of file
diff --git a/python/ql/test/query-tests/Security/BadPractice/IncompleteUrlSanitizer/IncompleteUrlSubstringSanitization.expected b/python/ql/test/query-tests/Security/CWE-020/IncompleteUrlSubstringSanitization.expected
similarity index 100%
rename from python/ql/test/query-tests/Security/BadPractice/IncompleteUrlSanitizer/IncompleteUrlSubstringSanitization.expected
rename to python/ql/test/query-tests/Security/CWE-020/IncompleteUrlSubstringSanitization.expected
diff --git a/python/ql/test/query-tests/Security/CWE-020/IncompleteUrlSubstringSanitization.qlref b/python/ql/test/query-tests/Security/CWE-020/IncompleteUrlSubstringSanitization.qlref
new file mode 100644
index 00000000000..3fa6794419d
--- /dev/null
+++ b/python/ql/test/query-tests/Security/CWE-020/IncompleteUrlSubstringSanitization.qlref
@@ -0,0 +1 @@
+Security/CWE-020/IncompleteUrlSubstringSanitization.ql
\ No newline at end of file
diff --git a/python/ql/test/query-tests/Security/BadPractice/IncompleteUrlSanitizer/hosttest.py b/python/ql/test/query-tests/Security/CWE-020/hosttest.py
similarity index 100%
rename from python/ql/test/query-tests/Security/BadPractice/IncompleteUrlSanitizer/hosttest.py
rename to python/ql/test/query-tests/Security/CWE-020/hosttest.py
diff --git a/python/ql/test/query-tests/Security/BadPractice/IncompleteUrlSanitizer/urltest.py b/python/ql/test/query-tests/Security/CWE-020/urltest.py
similarity index 100%
rename from python/ql/test/query-tests/Security/BadPractice/IncompleteUrlSanitizer/urltest.py
rename to python/ql/test/query-tests/Security/CWE-020/urltest.py
diff --git a/python/ql/test/query-tests/Security/Injection/PathInjection/PathInjection.expected b/python/ql/test/query-tests/Security/CWE-022-PathInjection/PathInjection.expected
similarity index 100%
rename from python/ql/test/query-tests/Security/Injection/PathInjection/PathInjection.expected
rename to python/ql/test/query-tests/Security/CWE-022-PathInjection/PathInjection.expected
diff --git a/python/ql/test/query-tests/Security/CWE-022-PathInjection/PathInjection.qlref b/python/ql/test/query-tests/Security/CWE-022-PathInjection/PathInjection.qlref
new file mode 100644
index 00000000000..d43482cc509
--- /dev/null
+++ b/python/ql/test/query-tests/Security/CWE-022-PathInjection/PathInjection.qlref
@@ -0,0 +1 @@
+Security/CWE-022/PathInjection.ql
diff --git a/python/ql/test/query-tests/Security/Injection/PathInjection/path_injection.py b/python/ql/test/query-tests/Security/CWE-022-PathInjection/path_injection.py
similarity index 100%
rename from python/ql/test/query-tests/Security/Injection/PathInjection/path_injection.py
rename to python/ql/test/query-tests/Security/CWE-022-PathInjection/path_injection.py
diff --git a/python/ql/test/query-tests/Security/Injection/PathInjection/test.py b/python/ql/test/query-tests/Security/CWE-022-PathInjection/test.py
similarity index 100%
rename from python/ql/test/query-tests/Security/Injection/PathInjection/test.py
rename to python/ql/test/query-tests/Security/CWE-022-PathInjection/test.py
diff --git a/python/ql/test/query-tests/Security/Injection/PathInjection/test_chaining.py b/python/ql/test/query-tests/Security/CWE-022-PathInjection/test_chaining.py
similarity index 100%
rename from python/ql/test/query-tests/Security/Injection/PathInjection/test_chaining.py
rename to python/ql/test/query-tests/Security/CWE-022-PathInjection/test_chaining.py
diff --git a/python/ql/test/query-tests/Security/Injection/TarSlip/TarSlip.expected b/python/ql/test/query-tests/Security/CWE-022-TarSlip/TarSlip.expected
similarity index 100%
rename from python/ql/test/query-tests/Security/Injection/TarSlip/TarSlip.expected
rename to python/ql/test/query-tests/Security/CWE-022-TarSlip/TarSlip.expected
diff --git a/python/ql/test/query-tests/Security/CWE-022-TarSlip/TarSlip.qlref b/python/ql/test/query-tests/Security/CWE-022-TarSlip/TarSlip.qlref
new file mode 100644
index 00000000000..cfede0c92b2
--- /dev/null
+++ b/python/ql/test/query-tests/Security/CWE-022-TarSlip/TarSlip.qlref
@@ -0,0 +1 @@
+Security/CWE-022/TarSlip.ql
diff --git a/python/ql/test/query-tests/Security/BadPractice/Jinja2RenderWithoutEscape/options b/python/ql/test/query-tests/Security/CWE-022-TarSlip/options
similarity index 100%
rename from python/ql/test/query-tests/Security/BadPractice/Jinja2RenderWithoutEscape/options
rename to python/ql/test/query-tests/Security/CWE-022-TarSlip/options
diff --git a/python/ql/test/query-tests/Security/Injection/TarSlip/tarslip.py b/python/ql/test/query-tests/Security/CWE-022-TarSlip/tarslip.py
similarity index 100%
rename from python/ql/test/query-tests/Security/Injection/TarSlip/tarslip.py
rename to python/ql/test/query-tests/Security/CWE-022-TarSlip/tarslip.py
diff --git a/python/ql/test/query-tests/Security/Injection/CommandInjection-py2/CommandInjection.expected b/python/ql/test/query-tests/Security/CWE-078-py2/CommandInjection.expected
similarity index 100%
rename from python/ql/test/query-tests/Security/Injection/CommandInjection-py2/CommandInjection.expected
rename to python/ql/test/query-tests/Security/CWE-078-py2/CommandInjection.expected
diff --git a/python/ql/test/query-tests/Security/CWE-078-py2/CommandInjection.qlref b/python/ql/test/query-tests/Security/CWE-078-py2/CommandInjection.qlref
new file mode 100644
index 00000000000..e38b88f2919
--- /dev/null
+++ b/python/ql/test/query-tests/Security/CWE-078-py2/CommandInjection.qlref
@@ -0,0 +1 @@
+Security/CWE-078/CommandInjection.ql
diff --git a/python/ql/test/query-tests/Security/Injection/CommandInjection-py2/command_injection.py b/python/ql/test/query-tests/Security/CWE-078-py2/command_injection.py
similarity index 100%
rename from python/ql/test/query-tests/Security/Injection/CommandInjection-py2/command_injection.py
rename to python/ql/test/query-tests/Security/CWE-078-py2/command_injection.py
diff --git a/python/ql/test/query-tests/Security/Injection/CommandInjection-py2/options b/python/ql/test/query-tests/Security/CWE-078-py2/options
similarity index 100%
rename from python/ql/test/query-tests/Security/Injection/CommandInjection-py2/options
rename to python/ql/test/query-tests/Security/CWE-078-py2/options
diff --git a/python/ql/test/query-tests/Security/Injection/CommandInjection/CommandInjection.expected b/python/ql/test/query-tests/Security/CWE-078/CommandInjection.expected
similarity index 100%
rename from python/ql/test/query-tests/Security/Injection/CommandInjection/CommandInjection.expected
rename to python/ql/test/query-tests/Security/CWE-078/CommandInjection.expected
diff --git a/python/ql/test/query-tests/Security/CWE-078/CommandInjection.qlref b/python/ql/test/query-tests/Security/CWE-078/CommandInjection.qlref
new file mode 100644
index 00000000000..e38b88f2919
--- /dev/null
+++ b/python/ql/test/query-tests/Security/CWE-078/CommandInjection.qlref
@@ -0,0 +1 @@
+Security/CWE-078/CommandInjection.ql
diff --git a/python/ql/test/query-tests/Security/Injection/CommandInjection/command_injection.py b/python/ql/test/query-tests/Security/CWE-078/command_injection.py
similarity index 100%
rename from python/ql/test/query-tests/Security/Injection/CommandInjection/command_injection.py
rename to python/ql/test/query-tests/Security/CWE-078/command_injection.py
diff --git a/python/ql/test/query-tests/Security/Injection/CommandInjection/options b/python/ql/test/query-tests/Security/CWE-078/options
similarity index 100%
rename from python/ql/test/query-tests/Security/Injection/CommandInjection/options
rename to python/ql/test/query-tests/Security/CWE-078/options
diff --git a/python/ql/test/query-tests/Security/BadPractice/Jinja2RenderWithoutEscape/Jinja2WithoutEscaping.expected b/python/ql/test/query-tests/Security/CWE-079/Jinja2WithoutEscaping.expected
similarity index 100%
rename from python/ql/test/query-tests/Security/BadPractice/Jinja2RenderWithoutEscape/Jinja2WithoutEscaping.expected
rename to python/ql/test/query-tests/Security/CWE-079/Jinja2WithoutEscaping.expected
diff --git a/python/ql/test/query-tests/Security/CWE-079/Jinja2WithoutEscaping.qlref b/python/ql/test/query-tests/Security/CWE-079/Jinja2WithoutEscaping.qlref
new file mode 100644
index 00000000000..9fefcf4a030
--- /dev/null
+++ b/python/ql/test/query-tests/Security/CWE-079/Jinja2WithoutEscaping.qlref
@@ -0,0 +1 @@
+Security/CWE-079/Jinja2WithoutEscaping.ql
diff --git a/python/ql/test/query-tests/Security/Injection/ReflectedXss/ReflectedXss.expected b/python/ql/test/query-tests/Security/CWE-079/ReflectedXss.expected
similarity index 100%
rename from python/ql/test/query-tests/Security/Injection/ReflectedXss/ReflectedXss.expected
rename to python/ql/test/query-tests/Security/CWE-079/ReflectedXss.expected
diff --git a/python/ql/test/query-tests/Security/CWE-079/ReflectedXss.qlref b/python/ql/test/query-tests/Security/CWE-079/ReflectedXss.qlref
new file mode 100644
index 00000000000..e0efe102416
--- /dev/null
+++ b/python/ql/test/query-tests/Security/CWE-079/ReflectedXss.qlref
@@ -0,0 +1 @@
+Security/CWE-079/ReflectedXss.ql
diff --git a/python/ql/test/query-tests/Security/BadPractice/Jinja2RenderWithoutEscape/jinja2_escaping.py b/python/ql/test/query-tests/Security/CWE-079/jinja2_escaping.py
similarity index 100%
rename from python/ql/test/query-tests/Security/BadPractice/Jinja2RenderWithoutEscape/jinja2_escaping.py
rename to python/ql/test/query-tests/Security/CWE-079/jinja2_escaping.py
diff --git a/python/ql/test/query-tests/Security/CWE-079/options b/python/ql/test/query-tests/Security/CWE-079/options
new file mode 100644
index 00000000000..492768b3481
--- /dev/null
+++ b/python/ql/test/query-tests/Security/CWE-079/options
@@ -0,0 +1 @@
+semmle-extractor-options: -p ../lib/ --max-import-depth=3
diff --git a/python/ql/test/query-tests/Security/Injection/ReflectedXss/reflected_xss.py b/python/ql/test/query-tests/Security/CWE-079/reflected_xss.py
similarity index 100%
rename from python/ql/test/query-tests/Security/Injection/ReflectedXss/reflected_xss.py
rename to python/ql/test/query-tests/Security/CWE-079/reflected_xss.py
diff --git a/python/ql/test/query-tests/Security/Injection/SqlInjection/SqlInjection.expected b/python/ql/test/query-tests/Security/CWE-089/SqlInjection.expected
similarity index 100%
rename from python/ql/test/query-tests/Security/Injection/SqlInjection/SqlInjection.expected
rename to python/ql/test/query-tests/Security/CWE-089/SqlInjection.expected
diff --git a/python/ql/test/query-tests/Security/CWE-089/SqlInjection.qlref b/python/ql/test/query-tests/Security/CWE-089/SqlInjection.qlref
new file mode 100644
index 00000000000..d1d02cbe8d3
--- /dev/null
+++ b/python/ql/test/query-tests/Security/CWE-089/SqlInjection.qlref
@@ -0,0 +1 @@
+Security/CWE-089/SqlInjection.ql
diff --git a/python/ql/test/query-tests/Security/Injection/SqlInjection/sql_injection.py b/python/ql/test/query-tests/Security/CWE-089/sql_injection.py
similarity index 100%
rename from python/ql/test/query-tests/Security/Injection/SqlInjection/sql_injection.py
rename to python/ql/test/query-tests/Security/CWE-089/sql_injection.py
diff --git a/python/ql/test/query-tests/Security/Injection/CodeInjection/CodeInjection.expected b/python/ql/test/query-tests/Security/CWE-094/CodeInjection.expected
similarity index 100%
rename from python/ql/test/query-tests/Security/Injection/CodeInjection/CodeInjection.expected
rename to python/ql/test/query-tests/Security/CWE-094/CodeInjection.expected
diff --git a/python/ql/test/query-tests/Security/CWE-094/CodeInjection.qlref b/python/ql/test/query-tests/Security/CWE-094/CodeInjection.qlref
new file mode 100644
index 00000000000..fe9adbf3b64
--- /dev/null
+++ b/python/ql/test/query-tests/Security/CWE-094/CodeInjection.qlref
@@ -0,0 +1 @@
+Security/CWE-094/CodeInjection.ql
diff --git a/python/ql/test/query-tests/Security/Injection/CodeInjection/code_injection.py b/python/ql/test/query-tests/Security/CWE-094/code_injection.py
similarity index 100%
rename from python/ql/test/query-tests/Security/Injection/CodeInjection/code_injection.py
rename to python/ql/test/query-tests/Security/CWE-094/code_injection.py
diff --git a/python/ql/test/query-tests/Security/Exposure/StackTraceExposure/StackTraceExposure.expected b/python/ql/test/query-tests/Security/CWE-209/StackTraceExposure.expected
similarity index 100%
rename from python/ql/test/query-tests/Security/Exposure/StackTraceExposure/StackTraceExposure.expected
rename to python/ql/test/query-tests/Security/CWE-209/StackTraceExposure.expected
diff --git a/python/ql/test/query-tests/Security/CWE-209/StackTraceExposure.qlref b/python/ql/test/query-tests/Security/CWE-209/StackTraceExposure.qlref
new file mode 100644
index 00000000000..18cf2d49a1a
--- /dev/null
+++ b/python/ql/test/query-tests/Security/CWE-209/StackTraceExposure.qlref
@@ -0,0 +1 @@
+Security/CWE-209/StackTraceExposure.ql
diff --git a/python/ql/test/query-tests/Security/CWE-209/options b/python/ql/test/query-tests/Security/CWE-209/options
new file mode 100644
index 00000000000..2729d5a143a
--- /dev/null
+++ b/python/ql/test/query-tests/Security/CWE-209/options
@@ -0,0 +1 @@
+semmle-extractor-options: -p ../lib/ --max-import-depth=2
diff --git a/python/ql/test/query-tests/Security/Exposure/StackTraceExposure/test.py b/python/ql/test/query-tests/Security/CWE-209/test.py
similarity index 100%
rename from python/ql/test/query-tests/Security/Exposure/StackTraceExposure/test.py
rename to python/ql/test/query-tests/Security/CWE-209/test.py
diff --git a/python/ql/test/query-tests/Security/BadPractice/FlaskRunWithDebug/FlaskDebug.expected b/python/ql/test/query-tests/Security/CWE-215/FlaskDebug.expected
similarity index 100%
rename from python/ql/test/query-tests/Security/BadPractice/FlaskRunWithDebug/FlaskDebug.expected
rename to python/ql/test/query-tests/Security/CWE-215/FlaskDebug.expected
diff --git a/python/ql/test/query-tests/Security/CWE-215/FlaskDebug.qlref b/python/ql/test/query-tests/Security/CWE-215/FlaskDebug.qlref
new file mode 100644
index 00000000000..0e21a3ac14f
--- /dev/null
+++ b/python/ql/test/query-tests/Security/CWE-215/FlaskDebug.qlref
@@ -0,0 +1 @@
+Security/CWE-215/FlaskDebug.ql
diff --git a/python/ql/test/query-tests/Security/CWE-215/options b/python/ql/test/query-tests/Security/CWE-215/options
new file mode 100644
index 00000000000..84717fe64cf
--- /dev/null
+++ b/python/ql/test/query-tests/Security/CWE-215/options
@@ -0,0 +1 @@
+semmle-extractor-options: --max-import-depth=2 -p ../lib
diff --git a/python/ql/test/query-tests/Security/BadPractice/FlaskRunWithDebug/test.py b/python/ql/test/query-tests/Security/CWE-215/test.py
similarity index 100%
rename from python/ql/test/query-tests/Security/BadPractice/FlaskRunWithDebug/test.py
rename to python/ql/test/query-tests/Security/CWE-215/test.py
diff --git a/python/ql/test/query-tests/Security/BadPractice/SSHMissingHostKeyValidation/MissingHostKeyValidation.expected b/python/ql/test/query-tests/Security/CWE-295/MissingHostKeyValidation.expected
similarity index 100%
rename from python/ql/test/query-tests/Security/BadPractice/SSHMissingHostKeyValidation/MissingHostKeyValidation.expected
rename to python/ql/test/query-tests/Security/CWE-295/MissingHostKeyValidation.expected
diff --git a/python/ql/test/query-tests/Security/CWE-295/MissingHostKeyValidation.qlref b/python/ql/test/query-tests/Security/CWE-295/MissingHostKeyValidation.qlref
new file mode 100644
index 00000000000..c366095516a
--- /dev/null
+++ b/python/ql/test/query-tests/Security/CWE-295/MissingHostKeyValidation.qlref
@@ -0,0 +1 @@
+Security/CWE-295/MissingHostKeyValidation.ql
diff --git a/python/ql/test/query-tests/Security/BadPractice/HTTPSRequestWithoutCertValidation/RequestWithoutValidation.expected b/python/ql/test/query-tests/Security/CWE-295/RequestWithoutValidation.expected
similarity index 100%
rename from python/ql/test/query-tests/Security/BadPractice/HTTPSRequestWithoutCertValidation/RequestWithoutValidation.expected
rename to python/ql/test/query-tests/Security/CWE-295/RequestWithoutValidation.expected
diff --git a/python/ql/test/query-tests/Security/CWE-295/RequestWithoutValidation.qlref b/python/ql/test/query-tests/Security/CWE-295/RequestWithoutValidation.qlref
new file mode 100644
index 00000000000..7ad4d4d2ae3
--- /dev/null
+++ b/python/ql/test/query-tests/Security/CWE-295/RequestWithoutValidation.qlref
@@ -0,0 +1 @@
+Security/CWE-295/RequestWithoutValidation.ql
diff --git a/python/ql/test/query-tests/Security/BadPractice/HTTPSRequestWithoutCertValidation/make_request.py b/python/ql/test/query-tests/Security/CWE-295/make_request.py
similarity index 100%
rename from python/ql/test/query-tests/Security/BadPractice/HTTPSRequestWithoutCertValidation/make_request.py
rename to python/ql/test/query-tests/Security/CWE-295/make_request.py
diff --git a/python/ql/test/query-tests/Security/CWE-295/options b/python/ql/test/query-tests/Security/CWE-295/options
new file mode 100644
index 00000000000..492768b3481
--- /dev/null
+++ b/python/ql/test/query-tests/Security/CWE-295/options
@@ -0,0 +1 @@
+semmle-extractor-options: -p ../lib/ --max-import-depth=3
diff --git a/python/ql/test/query-tests/Security/BadPractice/SSHMissingHostKeyValidation/paramiko_host_key.py b/python/ql/test/query-tests/Security/CWE-295/paramiko_host_key.py
similarity index 100%
rename from python/ql/test/query-tests/Security/BadPractice/SSHMissingHostKeyValidation/paramiko_host_key.py
rename to python/ql/test/query-tests/Security/CWE-295/paramiko_host_key.py
diff --git a/python/ql/test/query-tests/Security/Exposure/SensitiveDataExposure/CleartextLogging.expected b/python/ql/test/query-tests/Security/CWE-312/CleartextLogging.expected
similarity index 100%
rename from python/ql/test/query-tests/Security/Exposure/SensitiveDataExposure/CleartextLogging.expected
rename to python/ql/test/query-tests/Security/CWE-312/CleartextLogging.expected
diff --git a/python/ql/test/query-tests/Security/CWE-312/CleartextLogging.qlref b/python/ql/test/query-tests/Security/CWE-312/CleartextLogging.qlref
new file mode 100644
index 00000000000..de9273391c8
--- /dev/null
+++ b/python/ql/test/query-tests/Security/CWE-312/CleartextLogging.qlref
@@ -0,0 +1 @@
+Security/CWE-312/CleartextLogging.ql
\ No newline at end of file
diff --git a/python/ql/test/query-tests/Security/Exposure/SensitiveDataExposure/CleartextStorage.expected b/python/ql/test/query-tests/Security/CWE-312/CleartextStorage.expected
similarity index 100%
rename from python/ql/test/query-tests/Security/Exposure/SensitiveDataExposure/CleartextStorage.expected
rename to python/ql/test/query-tests/Security/CWE-312/CleartextStorage.expected
diff --git a/python/ql/test/query-tests/Security/CWE-312/CleartextStorage.qlref b/python/ql/test/query-tests/Security/CWE-312/CleartextStorage.qlref
new file mode 100644
index 00000000000..a32206e8d6a
--- /dev/null
+++ b/python/ql/test/query-tests/Security/CWE-312/CleartextStorage.qlref
@@ -0,0 +1 @@
+Security/CWE-312/CleartextStorage.ql
\ No newline at end of file
diff --git a/python/ql/test/query-tests/Security/CWE-312/options b/python/ql/test/query-tests/Security/CWE-312/options
new file mode 100644
index 00000000000..492768b3481
--- /dev/null
+++ b/python/ql/test/query-tests/Security/CWE-312/options
@@ -0,0 +1 @@
+semmle-extractor-options: -p ../lib/ --max-import-depth=3
diff --git a/python/ql/test/query-tests/Security/Exposure/SensitiveDataExposure/password_in_cookie.py b/python/ql/test/query-tests/Security/CWE-312/password_in_cookie.py
similarity index 100%
rename from python/ql/test/query-tests/Security/Exposure/SensitiveDataExposure/password_in_cookie.py
rename to python/ql/test/query-tests/Security/CWE-312/password_in_cookie.py
diff --git a/python/ql/test/query-tests/Security/Exposure/SensitiveDataExposure/test.py b/python/ql/test/query-tests/Security/CWE-312/test.py
similarity index 100%
rename from python/ql/test/query-tests/Security/Exposure/SensitiveDataExposure/test.py
rename to python/ql/test/query-tests/Security/CWE-312/test.py
diff --git a/python/ql/test/query-tests/Security/Crypto/WeakCryptoKey/WeakCrypto.expected b/python/ql/test/query-tests/Security/CWE-326/WeakCrypto.expected
similarity index 100%
rename from python/ql/test/query-tests/Security/Crypto/WeakCryptoKey/WeakCrypto.expected
rename to python/ql/test/query-tests/Security/CWE-326/WeakCrypto.expected
diff --git a/python/ql/test/query-tests/Security/CWE-326/WeakCrypto.qlref b/python/ql/test/query-tests/Security/CWE-326/WeakCrypto.qlref
new file mode 100644
index 00000000000..75676139ac3
--- /dev/null
+++ b/python/ql/test/query-tests/Security/CWE-326/WeakCrypto.qlref
@@ -0,0 +1 @@
+Security/CWE-326/WeakCrypto.ql
diff --git a/python/ql/test/query-tests/Security/CWE-326/options b/python/ql/test/query-tests/Security/CWE-326/options
new file mode 100644
index 00000000000..492768b3481
--- /dev/null
+++ b/python/ql/test/query-tests/Security/CWE-326/options
@@ -0,0 +1 @@
+semmle-extractor-options: -p ../lib/ --max-import-depth=3
diff --git a/python/ql/test/query-tests/Security/Crypto/WeakCryptoKey/weak_crypto.py b/python/ql/test/query-tests/Security/CWE-326/weak_crypto.py
similarity index 100%
rename from python/ql/test/query-tests/Security/Crypto/WeakCryptoKey/weak_crypto.py
rename to python/ql/test/query-tests/Security/CWE-326/weak_crypto.py
diff --git a/python/ql/test/query-tests/Security/Crypto/WeakCryptoAlgorithm/BrokenCryptoAlgorithm.expected b/python/ql/test/query-tests/Security/CWE-327/BrokenCryptoAlgorithm.expected
similarity index 100%
rename from python/ql/test/query-tests/Security/Crypto/WeakCryptoAlgorithm/BrokenCryptoAlgorithm.expected
rename to python/ql/test/query-tests/Security/CWE-327/BrokenCryptoAlgorithm.expected
diff --git a/python/ql/test/query-tests/Security/CWE-327/BrokenCryptoAlgorithm.qlref b/python/ql/test/query-tests/Security/CWE-327/BrokenCryptoAlgorithm.qlref
new file mode 100644
index 00000000000..3f7aff53700
--- /dev/null
+++ b/python/ql/test/query-tests/Security/CWE-327/BrokenCryptoAlgorithm.qlref
@@ -0,0 +1 @@
+Security/CWE-327/BrokenCryptoAlgorithm.ql
diff --git a/python/ql/test/query-tests/Security/Crypto/TLS/InsecureDefaultProtocol.expected b/python/ql/test/query-tests/Security/CWE-327/InsecureDefaultProtocol.expected
similarity index 100%
rename from python/ql/test/query-tests/Security/Crypto/TLS/InsecureDefaultProtocol.expected
rename to python/ql/test/query-tests/Security/CWE-327/InsecureDefaultProtocol.expected
diff --git a/python/ql/test/query-tests/Security/CWE-327/InsecureDefaultProtocol.qlref b/python/ql/test/query-tests/Security/CWE-327/InsecureDefaultProtocol.qlref
new file mode 100644
index 00000000000..13599b14931
--- /dev/null
+++ b/python/ql/test/query-tests/Security/CWE-327/InsecureDefaultProtocol.qlref
@@ -0,0 +1 @@
+Security/CWE-327/InsecureDefaultProtocol.ql
diff --git a/python/ql/test/query-tests/Security/Crypto/TLS/InsecureProtocol.expected b/python/ql/test/query-tests/Security/CWE-327/InsecureProtocol.expected
similarity index 100%
rename from python/ql/test/query-tests/Security/Crypto/TLS/InsecureProtocol.expected
rename to python/ql/test/query-tests/Security/CWE-327/InsecureProtocol.expected
diff --git a/python/ql/test/query-tests/Security/Crypto/TLS/InsecureProtocol.py b/python/ql/test/query-tests/Security/CWE-327/InsecureProtocol.py
similarity index 100%
rename from python/ql/test/query-tests/Security/Crypto/TLS/InsecureProtocol.py
rename to python/ql/test/query-tests/Security/CWE-327/InsecureProtocol.py
diff --git a/python/ql/test/query-tests/Security/CWE-327/InsecureProtocol.qlref b/python/ql/test/query-tests/Security/CWE-327/InsecureProtocol.qlref
new file mode 100644
index 00000000000..c06a937ff57
--- /dev/null
+++ b/python/ql/test/query-tests/Security/CWE-327/InsecureProtocol.qlref
@@ -0,0 +1 @@
+Security/CWE-327/InsecureProtocol.ql
diff --git a/python/ql/test/query-tests/Security/Crypto/WeakCryptoAlgorithm/TestNode.expected b/python/ql/test/query-tests/Security/CWE-327/TestNode.expected
similarity index 100%
rename from python/ql/test/query-tests/Security/Crypto/WeakCryptoAlgorithm/TestNode.expected
rename to python/ql/test/query-tests/Security/CWE-327/TestNode.expected
diff --git a/python/ql/test/query-tests/Security/Crypto/WeakCryptoAlgorithm/TestNode.ql b/python/ql/test/query-tests/Security/CWE-327/TestNode.ql
similarity index 100%
rename from python/ql/test/query-tests/Security/Crypto/WeakCryptoAlgorithm/TestNode.ql
rename to python/ql/test/query-tests/Security/CWE-327/TestNode.ql
diff --git a/python/ql/test/query-tests/Security/CWE-327/options b/python/ql/test/query-tests/Security/CWE-327/options
new file mode 100644
index 00000000000..492768b3481
--- /dev/null
+++ b/python/ql/test/query-tests/Security/CWE-327/options
@@ -0,0 +1 @@
+semmle-extractor-options: -p ../lib/ --max-import-depth=3
diff --git a/python/ql/test/query-tests/Security/Crypto/WeakCryptoAlgorithm/test_cryptography.py b/python/ql/test/query-tests/Security/CWE-327/test_cryptography.py
similarity index 100%
rename from python/ql/test/query-tests/Security/Crypto/WeakCryptoAlgorithm/test_cryptography.py
rename to python/ql/test/query-tests/Security/CWE-327/test_cryptography.py
diff --git a/python/ql/test/query-tests/Security/Crypto/WeakCryptoAlgorithm/test_pycrypto.py b/python/ql/test/query-tests/Security/CWE-327/test_pycrypto.py
similarity index 100%
rename from python/ql/test/query-tests/Security/Crypto/WeakCryptoAlgorithm/test_pycrypto.py
rename to python/ql/test/query-tests/Security/CWE-327/test_pycrypto.py
diff --git a/python/ql/test/query-tests/Security/BadPractice/InsecureTemporaryFile/InsecureTemporaryFile.expected b/python/ql/test/query-tests/Security/CWE-377/InsecureTemporaryFile.expected
similarity index 100%
rename from python/ql/test/query-tests/Security/BadPractice/InsecureTemporaryFile/InsecureTemporaryFile.expected
rename to python/ql/test/query-tests/Security/CWE-377/InsecureTemporaryFile.expected
diff --git a/python/ql/test/query-tests/Security/BadPractice/InsecureTemporaryFile/InsecureTemporaryFile.py b/python/ql/test/query-tests/Security/CWE-377/InsecureTemporaryFile.py
similarity index 100%
rename from python/ql/test/query-tests/Security/BadPractice/InsecureTemporaryFile/InsecureTemporaryFile.py
rename to python/ql/test/query-tests/Security/CWE-377/InsecureTemporaryFile.py
diff --git a/python/ql/test/query-tests/Security/CWE-377/InsecureTemporaryFile.qlref b/python/ql/test/query-tests/Security/CWE-377/InsecureTemporaryFile.qlref
new file mode 100644
index 00000000000..68a27dfb269
--- /dev/null
+++ b/python/ql/test/query-tests/Security/CWE-377/InsecureTemporaryFile.qlref
@@ -0,0 +1 @@
+Security/CWE-377/InsecureTemporaryFile.ql
diff --git a/python/ql/test/query-tests/Security/BadPractice/InsecureTemporaryFile/SecureTemporaryFile.py b/python/ql/test/query-tests/Security/CWE-377/SecureTemporaryFile.py
similarity index 100%
rename from python/ql/test/query-tests/Security/BadPractice/InsecureTemporaryFile/SecureTemporaryFile.py
rename to python/ql/test/query-tests/Security/CWE-377/SecureTemporaryFile.py
diff --git a/python/ql/test/query-tests/Security/CWE-377/options b/python/ql/test/query-tests/Security/CWE-377/options
new file mode 100644
index 00000000000..492768b3481
--- /dev/null
+++ b/python/ql/test/query-tests/Security/CWE-377/options
@@ -0,0 +1 @@
+semmle-extractor-options: -p ../lib/ --max-import-depth=3
diff --git a/python/ql/test/query-tests/Security/Injection/UnsafeDeserialization/UnsafeDeserialization.expected b/python/ql/test/query-tests/Security/CWE-502/UnsafeDeserialization.expected
similarity index 100%
rename from python/ql/test/query-tests/Security/Injection/UnsafeDeserialization/UnsafeDeserialization.expected
rename to python/ql/test/query-tests/Security/CWE-502/UnsafeDeserialization.expected
diff --git a/python/ql/test/query-tests/Security/CWE-502/UnsafeDeserialization.qlref b/python/ql/test/query-tests/Security/CWE-502/UnsafeDeserialization.qlref
new file mode 100644
index 00000000000..fa9c0ceb3cb
--- /dev/null
+++ b/python/ql/test/query-tests/Security/CWE-502/UnsafeDeserialization.qlref
@@ -0,0 +1 @@
+Security/CWE-502/UnsafeDeserialization.ql
diff --git a/python/ql/test/query-tests/Security/Injection/UnsafeDeserialization/unsafe_deserialization.py b/python/ql/test/query-tests/Security/CWE-502/unsafe_deserialization.py
similarity index 100%
rename from python/ql/test/query-tests/Security/Injection/UnsafeDeserialization/unsafe_deserialization.py
rename to python/ql/test/query-tests/Security/CWE-502/unsafe_deserialization.py
diff --git a/python/ql/test/query-tests/Security/Injection/OpenRedirect/UrlRedirect.expected b/python/ql/test/query-tests/Security/CWE-601/UrlRedirect.expected
similarity index 100%
rename from python/ql/test/query-tests/Security/Injection/OpenRedirect/UrlRedirect.expected
rename to python/ql/test/query-tests/Security/CWE-601/UrlRedirect.expected
diff --git a/python/ql/test/query-tests/Security/CWE-601/UrlRedirect.qlref b/python/ql/test/query-tests/Security/CWE-601/UrlRedirect.qlref
new file mode 100644
index 00000000000..8b63d80f0db
--- /dev/null
+++ b/python/ql/test/query-tests/Security/CWE-601/UrlRedirect.qlref
@@ -0,0 +1,2 @@
+Security/CWE-601/UrlRedirect.ql
+
diff --git a/python/ql/test/query-tests/Security/CWE-601/options b/python/ql/test/query-tests/Security/CWE-601/options
new file mode 100644
index 00000000000..28b616e5f19
--- /dev/null
+++ b/python/ql/test/query-tests/Security/CWE-601/options
@@ -0,0 +1 @@
+semmle-extractor-options: --lang=3 --max-import-depth=2 -p ../lib
diff --git a/python/ql/test/query-tests/Security/Injection/OpenRedirect/test.py b/python/ql/test/query-tests/Security/CWE-601/test.py
similarity index 100%
rename from python/ql/test/query-tests/Security/Injection/OpenRedirect/test.py
rename to python/ql/test/query-tests/Security/CWE-601/test.py
diff --git a/python/ql/test/query-tests/Security/BadPractice/WeakFilePermissions/WeakFilePermissions.expected b/python/ql/test/query-tests/Security/CWE-732/WeakFilePermissions.expected
similarity index 100%
rename from python/ql/test/query-tests/Security/BadPractice/WeakFilePermissions/WeakFilePermissions.expected
rename to python/ql/test/query-tests/Security/CWE-732/WeakFilePermissions.expected
diff --git a/python/ql/test/query-tests/Security/CWE-732/WeakFilePermissions.qlref b/python/ql/test/query-tests/Security/CWE-732/WeakFilePermissions.qlref
new file mode 100644
index 00000000000..9e177187c49
--- /dev/null
+++ b/python/ql/test/query-tests/Security/CWE-732/WeakFilePermissions.qlref
@@ -0,0 +1 @@
+Security/CWE-732/WeakFilePermissions.ql
diff --git a/python/ql/test/query-tests/Security/CWE-732/options b/python/ql/test/query-tests/Security/CWE-732/options
new file mode 100644
index 00000000000..84717fe64cf
--- /dev/null
+++ b/python/ql/test/query-tests/Security/CWE-732/options
@@ -0,0 +1 @@
+semmle-extractor-options: --max-import-depth=2 -p ../lib
diff --git a/python/ql/test/query-tests/Security/BadPractice/WeakFilePermissions/test.py b/python/ql/test/query-tests/Security/CWE-732/test.py
similarity index 100%
rename from python/ql/test/query-tests/Security/BadPractice/WeakFilePermissions/test.py
rename to python/ql/test/query-tests/Security/CWE-732/test.py
diff --git a/python/ql/test/query-tests/Security/BadPractice/HardcodedCredentials/HardcodedCredentials.expected b/python/ql/test/query-tests/Security/CWE-798/HardcodedCredentials.expected
similarity index 100%
rename from python/ql/test/query-tests/Security/BadPractice/HardcodedCredentials/HardcodedCredentials.expected
rename to python/ql/test/query-tests/Security/CWE-798/HardcodedCredentials.expected
diff --git a/python/ql/test/query-tests/Security/CWE-798/HardcodedCredentials.qlref b/python/ql/test/query-tests/Security/CWE-798/HardcodedCredentials.qlref
new file mode 100644
index 00000000000..0d0fafa271c
--- /dev/null
+++ b/python/ql/test/query-tests/Security/CWE-798/HardcodedCredentials.qlref
@@ -0,0 +1 @@
+Security/CWE-798/HardcodedCredentials.ql
\ No newline at end of file
diff --git a/python/ql/test/query-tests/Security/BadPractice/HardcodedCredentials/test.py b/python/ql/test/query-tests/Security/CWE-798/test.py
similarity index 100%
rename from python/ql/test/query-tests/Security/BadPractice/HardcodedCredentials/test.py
rename to python/ql/test/query-tests/Security/CWE-798/test.py
diff --git a/python/ql/test/query-tests/Security/Crypto/TLS/InsecureDefaultProtocol.qlref b/python/ql/test/query-tests/Security/Crypto/TLS/InsecureDefaultProtocol.qlref
deleted file mode 100644
index 899586366e8..00000000000
--- a/python/ql/test/query-tests/Security/Crypto/TLS/InsecureDefaultProtocol.qlref
+++ /dev/null
@@ -1 +0,0 @@
-Security/Crypto/TLS/InsecureDefaultProtocol.ql
diff --git a/python/ql/test/query-tests/Security/Crypto/TLS/InsecureProtocol.qlref b/python/ql/test/query-tests/Security/Crypto/TLS/InsecureProtocol.qlref
deleted file mode 100644
index 8225a5c47ef..00000000000
--- a/python/ql/test/query-tests/Security/Crypto/TLS/InsecureProtocol.qlref
+++ /dev/null
@@ -1 +0,0 @@
-Security/Crypto/TLS/InsecureProtocol.ql
diff --git a/python/ql/test/query-tests/Security/Crypto/TLS/options b/python/ql/test/query-tests/Security/Crypto/TLS/options
deleted file mode 100644
index b7721e6c509..00000000000
--- a/python/ql/test/query-tests/Security/Crypto/TLS/options
+++ /dev/null
@@ -1 +0,0 @@
-semmle-extractor-options: -p ../../lib --max-import-depth=3
diff --git a/python/ql/test/query-tests/Security/Crypto/WeakCryptoAlgorithm/BrokenCryptoAlgorithm.qlref b/python/ql/test/query-tests/Security/Crypto/WeakCryptoAlgorithm/BrokenCryptoAlgorithm.qlref
deleted file mode 100644
index 4fb0ce84c4d..00000000000
--- a/python/ql/test/query-tests/Security/Crypto/WeakCryptoAlgorithm/BrokenCryptoAlgorithm.qlref
+++ /dev/null
@@ -1 +0,0 @@
-Security/Crypto/WeakCryptoAlgorithm/WeakCryptoAlgorithm.ql
diff --git a/python/ql/test/query-tests/Security/Crypto/WeakCryptoAlgorithm/options b/python/ql/test/query-tests/Security/Crypto/WeakCryptoAlgorithm/options
deleted file mode 100644
index b7721e6c509..00000000000
--- a/python/ql/test/query-tests/Security/Crypto/WeakCryptoAlgorithm/options
+++ /dev/null
@@ -1 +0,0 @@
-semmle-extractor-options: -p ../../lib --max-import-depth=3
diff --git a/python/ql/test/query-tests/Security/Crypto/WeakCryptoKey/WeakCrypto.qlref b/python/ql/test/query-tests/Security/Crypto/WeakCryptoKey/WeakCrypto.qlref
deleted file mode 100644
index 18cfd5a12bc..00000000000
--- a/python/ql/test/query-tests/Security/Crypto/WeakCryptoKey/WeakCrypto.qlref
+++ /dev/null
@@ -1 +0,0 @@
-Security/Crypto/WeakCryptoKey/WeakCryptoKey.ql
diff --git a/python/ql/test/query-tests/Security/Crypto/WeakCryptoKey/options b/python/ql/test/query-tests/Security/Crypto/WeakCryptoKey/options
deleted file mode 100644
index b7721e6c509..00000000000
--- a/python/ql/test/query-tests/Security/Crypto/WeakCryptoKey/options
+++ /dev/null
@@ -1 +0,0 @@
-semmle-extractor-options: -p ../../lib --max-import-depth=3
diff --git a/python/ql/test/query-tests/Security/Exposure/SensitiveDataExposure/CleartextLogging.qlref b/python/ql/test/query-tests/Security/Exposure/SensitiveDataExposure/CleartextLogging.qlref
deleted file mode 100644
index e6c1510a3b2..00000000000
--- a/python/ql/test/query-tests/Security/Exposure/SensitiveDataExposure/CleartextLogging.qlref
+++ /dev/null
@@ -1 +0,0 @@
-Security/Exposure/SensitiveDataExposure/CleartextLogging.ql
diff --git a/python/ql/test/query-tests/Security/Exposure/SensitiveDataExposure/CleartextStorage.qlref b/python/ql/test/query-tests/Security/Exposure/SensitiveDataExposure/CleartextStorage.qlref
deleted file mode 100644
index 63f1d245881..00000000000
--- a/python/ql/test/query-tests/Security/Exposure/SensitiveDataExposure/CleartextStorage.qlref
+++ /dev/null
@@ -1 +0,0 @@
-Security/Exposure/SensitiveDataExposure/CleartextStorage.ql
diff --git a/python/ql/test/query-tests/Security/Exposure/SensitiveDataExposure/options b/python/ql/test/query-tests/Security/Exposure/SensitiveDataExposure/options
deleted file mode 100644
index b7721e6c509..00000000000
--- a/python/ql/test/query-tests/Security/Exposure/SensitiveDataExposure/options
+++ /dev/null
@@ -1 +0,0 @@
-semmle-extractor-options: -p ../../lib --max-import-depth=3
diff --git a/python/ql/test/query-tests/Security/Exposure/StackTraceExposure/StackTraceExposure.qlref b/python/ql/test/query-tests/Security/Exposure/StackTraceExposure/StackTraceExposure.qlref
deleted file mode 100644
index 927502b954c..00000000000
--- a/python/ql/test/query-tests/Security/Exposure/StackTraceExposure/StackTraceExposure.qlref
+++ /dev/null
@@ -1 +0,0 @@
-Security/Exposure/StackTraceExposure/StackTraceExposure.ql
diff --git a/python/ql/test/query-tests/Security/Exposure/StackTraceExposure/options b/python/ql/test/query-tests/Security/Exposure/StackTraceExposure/options
deleted file mode 100644
index 59cbd921362..00000000000
--- a/python/ql/test/query-tests/Security/Exposure/StackTraceExposure/options
+++ /dev/null
@@ -1 +0,0 @@
-semmle-extractor-options: -p ../../lib --max-import-depth=2
diff --git a/python/ql/test/query-tests/Security/ExternalAPIs/ExternalAPIsUsedWithUntrustedData.qlref b/python/ql/test/query-tests/Security/ExternalAPIs/ExternalAPIsUsedWithUntrustedData.qlref
deleted file mode 100644
index 1968cf40cb8..00000000000
--- a/python/ql/test/query-tests/Security/ExternalAPIs/ExternalAPIsUsedWithUntrustedData.qlref
+++ /dev/null
@@ -1 +0,0 @@
-Security/ExternalAPIs/ExternalAPIsUsedWithUntrustedData.ql
diff --git a/python/ql/test/query-tests/Security/ExternalAPIs/UntrustedDataToExternalAPI.qlref b/python/ql/test/query-tests/Security/ExternalAPIs/UntrustedDataToExternalAPI.qlref
deleted file mode 100644
index bdbdbdb3ec7..00000000000
--- a/python/ql/test/query-tests/Security/ExternalAPIs/UntrustedDataToExternalAPI.qlref
+++ /dev/null
@@ -1 +0,0 @@
-Security/ExternalAPIs/UntrustedDataToExternalAPI.ql
diff --git a/python/ql/test/query-tests/Security/Injection/CodeInjection/CodeInjection.qlref b/python/ql/test/query-tests/Security/Injection/CodeInjection/CodeInjection.qlref
deleted file mode 100644
index f912faeb71a..00000000000
--- a/python/ql/test/query-tests/Security/Injection/CodeInjection/CodeInjection.qlref
+++ /dev/null
@@ -1 +0,0 @@
-Security/Injection/CodeInjection/CodeInjection.ql
diff --git a/python/ql/test/query-tests/Security/Injection/CommandInjection-py2/CommandInjection.qlref b/python/ql/test/query-tests/Security/Injection/CommandInjection-py2/CommandInjection.qlref
deleted file mode 100644
index 91951ea271b..00000000000
--- a/python/ql/test/query-tests/Security/Injection/CommandInjection-py2/CommandInjection.qlref
+++ /dev/null
@@ -1 +0,0 @@
-Security/Injection/CommandInjection/CommandInjection.ql
diff --git a/python/ql/test/query-tests/Security/Injection/CommandInjection/CommandInjection.qlref b/python/ql/test/query-tests/Security/Injection/CommandInjection/CommandInjection.qlref
deleted file mode 100644
index 91951ea271b..00000000000
--- a/python/ql/test/query-tests/Security/Injection/CommandInjection/CommandInjection.qlref
+++ /dev/null
@@ -1 +0,0 @@
-Security/Injection/CommandInjection/CommandInjection.ql
diff --git a/python/ql/test/query-tests/Security/Injection/OpenRedirect/UrlRedirect.qlref b/python/ql/test/query-tests/Security/Injection/OpenRedirect/UrlRedirect.qlref
deleted file mode 100644
index 492b7a69453..00000000000
--- a/python/ql/test/query-tests/Security/Injection/OpenRedirect/UrlRedirect.qlref
+++ /dev/null
@@ -1 +0,0 @@
-Security/Injection/OpenRedirect/OpenRedirect.ql
diff --git a/python/ql/test/query-tests/Security/Injection/OpenRedirect/options b/python/ql/test/query-tests/Security/Injection/OpenRedirect/options
deleted file mode 100644
index 2c9a5f0a13c..00000000000
--- a/python/ql/test/query-tests/Security/Injection/OpenRedirect/options
+++ /dev/null
@@ -1 +0,0 @@
-semmle-extractor-options: --lang=3 --max-import-depth=2 -p ../../lib
diff --git a/python/ql/test/query-tests/Security/Injection/PathInjection/PathInjection.qlref b/python/ql/test/query-tests/Security/Injection/PathInjection/PathInjection.qlref
deleted file mode 100644
index 510e08f427f..00000000000
--- a/python/ql/test/query-tests/Security/Injection/PathInjection/PathInjection.qlref
+++ /dev/null
@@ -1 +0,0 @@
-Security/Injection/PathInjection/PathInjection.ql
diff --git a/python/ql/test/query-tests/Security/Injection/ReflectedXss/ReflectedXss.qlref b/python/ql/test/query-tests/Security/Injection/ReflectedXss/ReflectedXss.qlref
deleted file mode 100644
index d92b3d701d5..00000000000
--- a/python/ql/test/query-tests/Security/Injection/ReflectedXss/ReflectedXss.qlref
+++ /dev/null
@@ -1 +0,0 @@
-Security/Injection/ReflectedXss/ReflectedXss.ql
diff --git a/python/ql/test/query-tests/Security/Injection/SqlInjection/SqlInjection.qlref b/python/ql/test/query-tests/Security/Injection/SqlInjection/SqlInjection.qlref
deleted file mode 100644
index c2d12830195..00000000000
--- a/python/ql/test/query-tests/Security/Injection/SqlInjection/SqlInjection.qlref
+++ /dev/null
@@ -1 +0,0 @@
-Security/Injection/SqlInjection/SqlInjection.ql
diff --git a/python/ql/test/query-tests/Security/Injection/TarSlip/TarSlip.qlref b/python/ql/test/query-tests/Security/Injection/TarSlip/TarSlip.qlref
deleted file mode 100644
index 178cd6e0a8d..00000000000
--- a/python/ql/test/query-tests/Security/Injection/TarSlip/TarSlip.qlref
+++ /dev/null
@@ -1 +0,0 @@
-Security/Injection/TarSlip/TarSlip.ql
diff --git a/python/ql/test/query-tests/Security/Injection/TarSlip/options b/python/ql/test/query-tests/Security/Injection/TarSlip/options
deleted file mode 100644
index b7721e6c509..00000000000
--- a/python/ql/test/query-tests/Security/Injection/TarSlip/options
+++ /dev/null
@@ -1 +0,0 @@
-semmle-extractor-options: -p ../../lib --max-import-depth=3
diff --git a/python/ql/test/query-tests/Security/Injection/UnsafeDeserialization/UnsafeDeserialization.qlref b/python/ql/test/query-tests/Security/Injection/UnsafeDeserialization/UnsafeDeserialization.qlref
deleted file mode 100644
index 49f13932a15..00000000000
--- a/python/ql/test/query-tests/Security/Injection/UnsafeDeserialization/UnsafeDeserialization.qlref
+++ /dev/null
@@ -1 +0,0 @@
-Security/Injection/UnsafeDeserialization/UnsafeDeserialization.ql

From 48803504208ca27c7e0acd292cee77846c075b90 Mon Sep 17 00:00:00 2001
From: Rasmus Wriedt Larsen <rasmuswl@github.com>
Date: Wed, 17 Feb 2021 11:24:11 +0100
Subject: [PATCH 427/429] Python: Add a single missing QLDoc

---
 python/ql/src/Security/CWE-020-ExternalAPIs/ExternalAPIs.qll | 1 +
 1 file changed, 1 insertion(+)

diff --git a/python/ql/src/Security/CWE-020-ExternalAPIs/ExternalAPIs.qll b/python/ql/src/Security/CWE-020-ExternalAPIs/ExternalAPIs.qll
index da52edd6af1..b3482012e9a 100644
--- a/python/ql/src/Security/CWE-020-ExternalAPIs/ExternalAPIs.qll
+++ b/python/ql/src/Security/CWE-020-ExternalAPIs/ExternalAPIs.qll
@@ -41,6 +41,7 @@ private import semmle.python.objects.ObjectInternal
  * A callable that is considered a "safe" external API from a security perspective.
  */
 class SafeExternalAPI extends Unit {
+  /** Gets a callable that is considered a "safe" external API from a security perspective. */
   abstract DataFlowPrivate::DataFlowCallable getSafeCallable();
 }
 

From 4df85b44de6aae8848a2eb0813fa6f30b19a38d9 Mon Sep 17 00:00:00 2001
From: Erik Krogh Kristensen <erik-krogh@github.com>
Date: Wed, 17 Feb 2021 18:30:31 +0100
Subject: [PATCH 428/429] Update javascript/change-notes/2021-02-10-markdown.md

Co-authored-by: Asger F <asgerf@github.com>
---
 javascript/change-notes/2021-02-10-markdown.md | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)

diff --git a/javascript/change-notes/2021-02-10-markdown.md b/javascript/change-notes/2021-02-10-markdown.md
index ed3dfb505e6..41072ef598f 100644
--- a/javascript/change-notes/2021-02-10-markdown.md
+++ b/javascript/change-notes/2021-02-10-markdown.md
@@ -1,5 +1,5 @@
 lgtm,codescanning
-* The dataflow libraries now model dataflow in markdown parsers.
+* The security queries now track taint through markdown parsers.
   Affected packages are
     [marked](https://npmjs.com/package/marked), 
     [markdown-table](https://npmjs.com/package/markdown-table), 

From cba9f421ad3ec153c5a6c4167bca5868502c8fab Mon Sep 17 00:00:00 2001
From: "Raul Garcia (MSFT)" <raul.garcia@microsoft.com>
Date: Wed, 17 Feb 2021 10:05:22 -0800
Subject: [PATCH 429/429] Changes to the Readme file

---
 .../Security Features/campaign/Solorigate-Readme.md           | 4 ++--
 1 file changed, 2 insertions(+), 2 deletions(-)

diff --git a/csharp/ql/src/experimental/Security Features/campaign/Solorigate-Readme.md b/csharp/ql/src/experimental/Security Features/campaign/Solorigate-Readme.md
index 9caa17d1f3d..c6bdb98c73e 100644
--- a/csharp/ql/src/experimental/Security Features/campaign/Solorigate-Readme.md	
+++ b/csharp/ql/src/experimental/Security Features/campaign/Solorigate-Readme.md	
@@ -2,9 +2,9 @@
 
 In early December, 2020 a sophisticated compromise campaign was uncovered, dubbed [Solorigate](https://aka.ms/solorigate).  A key feature of the campaign was a malicious software implant inserted into SolarWinds' Orion product on the build server. Studying the coding patterns and techniques used in the implant, Microsoft authored CodeQL queries as part of a larger effort to analyze our source code for any malicious modification - a brief summary of those efforts can be [found here](https://aka.ms/Solorigate-CodeQL-Blog). These queries here represent a mixture of techniques to look for code that shares features with the malicious Implant code.
 
-This ReadMe walks through what each query does and limitations of the approaches taken, suggestions for modifications, and general advice on using CodeQL to author backdoor hunting queries.  There are two approaches taken with the queries; the first is to look for syntactic characteristics used in the malicious implant, things like names and particular literals.  The second approach looks for semantic patterns – particular functionality and flow associated with the implant.  
+This ReadMe walks through what each query does and limitations of the approaches taken, suggestions for modifications, and general advice on using CodeQL to author backdoor hunting queries.  There are two approaches taken with the queries; the first is to look for syntactic characteristics used in the malicious implant, things like names and particular literals.  The second approach looks for semantic patterns – particular functionality and flow associated with the implant.  In both cases it is possible, and sometimes likely, that benign code will coincidentally match the patterns these queries look for, so all findings will need to be reviewed to either verify or rule out the providence of the source code being flagged.  The descriptions of each query try to capture the likely coincidence of findings in code of benign providence.
 
-When editing this queries for open sourcing, we tried to find the right balance between detection capability and false positive rate, mindful that different organizations have differing resources to review the findings.  We also excluded queries that we found to be resource intensive when executing without providing significant detective value over these queries here.  In the coming weeks we will post on [our blog](https://aka.ms/CST-SE-Blog) a walk through of our experience authoring and tuning these queries, as well as discussing the challenges we saw with the queries we didn't open source.
+When editing this queries for open sourcing, we tried to find the right balance between detection capability and false positive rate, mindful that different organizations have differing resources to review the findings.  We also excluded queries that we found to be resource intensive when executing without providing significant detective value over these queries here.  
 
 ## Syntactic queries