From 1233d81523e40bec36476573ac2b4dcbcd82dc85 Mon Sep 17 00:00:00 2001 From: Kristen Newbury Date: Wed, 15 Apr 2026 14:11:17 -0400 Subject: [PATCH 01/46] Improve actions/ql/src/Security/CWE-829/UntrustedCheckoutX queries --- actions/ql/lib/ext/config/poisonable_steps.yml | 4 ++-- .../src/Security/CWE-094/CodeInjectionMedium.ql | 17 +++++++++++------ .../CWE-829/UntrustedCheckoutCritical.md | 3 ++- .../CWE-829/UntrustedCheckoutCritical.ql | 2 +- .../Security/CWE-829/UntrustedCheckoutHigh.md | 3 ++- .../Security/CWE-829/UntrustedCheckoutHigh.ql | 2 +- .../Security/CWE-829/UntrustedCheckoutMedium.md | 3 ++- ...026-04-15-untrusted-checkout-improvements.md | 6 ++++++ 8 files changed, 27 insertions(+), 13 deletions(-) create mode 100644 actions/ql/src/change-notes/2026-04-15-untrusted-checkout-improvements.md diff --git a/actions/ql/lib/ext/config/poisonable_steps.yml b/actions/ql/lib/ext/config/poisonable_steps.yml index 3c1aec70a24..d15b8d7a6a5 100644 --- a/actions/ql/lib/ext/config/poisonable_steps.yml +++ b/actions/ql/lib/ext/config/poisonable_steps.yml @@ -70,7 +70,7 @@ extensions: - ["(source|sh|bash|zsh|fish)\\s+([^\\s]+)\\b", 2] - ["(node)\\s+([^\\s]+)(\\.js|\\.ts)\\b", 2] - ["(python[\\d\\.]*)\\s+([^\\s]+)\\.py\\b", 2] + - ["(python[\\d\\.]*)\\s+([\\-m]+)\\s+(\\w+)\\b", 2] # eg: pythonX -m anything(dir or file) - ["(ruby)\\s+([^\\s]+)\\.rb\\b", 2] - - ["(go)\\s+(generate|run)\\s+([^\\s]+)\\.go\\b", 3] + - ["(go)\\s+(generate|run)\\s+([^\\s]+)", 3] - ["(dotnet)\\s+([^\\s]+)\\.csproj\\b", 2] - diff --git a/actions/ql/src/Security/CWE-094/CodeInjectionMedium.ql b/actions/ql/src/Security/CWE-094/CodeInjectionMedium.ql index 8bc3fe8f51a..22ab430105a 100644 --- a/actions/ql/src/Security/CWE-094/CodeInjectionMedium.ql +++ b/actions/ql/src/Security/CWE-094/CodeInjectionMedium.ql @@ -2,7 +2,7 @@ * @name Code injection * @description Interpreting unsanitized user input as code allows a malicious user to perform arbitrary * code execution. - * @kind path-problem + * @ kind path-problem * @problem.severity warning * @security-severity 5.0 * @precision medium @@ -18,8 +18,13 @@ import actions import codeql.actions.security.CodeInjectionQuery import CodeInjectionFlow::PathGraph -from CodeInjectionFlow::PathNode source, CodeInjectionFlow::PathNode sink -where mediumSeverityCodeInjection(source, sink) -select sink.getNode(), source, sink, - "Potential code injection in $@, which may be controlled by an external user.", sink, - sink.getNode().asExpr().(Expression).getRawExpression() +// from CodeInjectionFlow::PathNode source, CodeInjectionFlow::PathNode sink +// where mediumSeverityCodeInjection(source, sink) +// select sink.getNode(), source, sink, +// "Potential code injection in $@, which may be controlled by an external user.", sink, +// sink.getNode().asExpr().(Expression).getRawExpression() +from string test +where + test.regexpMatch("(python[\\d\\.]*)\\s+([^\\s]+)\\.py\\b") and + test = "python -m dir" //go run main/main.go //go run . +select test diff --git a/actions/ql/src/Security/CWE-829/UntrustedCheckoutCritical.md b/actions/ql/src/Security/CWE-829/UntrustedCheckoutCritical.md index 6060354b134..246e302e85b 100644 --- a/actions/ql/src/Security/CWE-829/UntrustedCheckoutCritical.md +++ b/actions/ql/src/Security/CWE-829/UntrustedCheckoutCritical.md @@ -1,6 +1,6 @@ ## Overview -GitHub workflows can be triggered through various repository events, including incoming pull requests (PRs) or comments on Issues/PRs. A potentially dangerous misuse of the triggers such as `pull_request_target` or `issue_comment` followed by an explicit checkout of untrusted code (Pull Request HEAD) may lead to repository compromise if untrusted code gets executed (e.g., due to a modified build script) in a privileged job. +GitHub workflows can be triggered through various repository events, including incoming pull requests (PRs) or comments on Issues/PRs. A dangerous misuse of event triggers such as `pull_request_target` or `issue_comment` followed by an explicit checkout of untrusted input from the PR may lead to repository compromise if untrusted code gets executed in a privileged job. Untrusted code may get executed due to a modified build script, workflow injection, or registry hijacking. **Carefully review** whether least privileges is used and whether input is taken from untrusted sources. ## Recommendation @@ -133,3 +133,4 @@ jobs: ## References - GitHub Security Lab Research: [Keeping your GitHub Actions and workflows secure Part 1: Preventing pwn requests](https://securitylab.github.com/research/github-actions-preventing-pwn-requests/). +- Living Off the Pipeline: [LOTP](https://boostsecurityio.github.io/lotp/). \ No newline at end of file diff --git a/actions/ql/src/Security/CWE-829/UntrustedCheckoutCritical.ql b/actions/ql/src/Security/CWE-829/UntrustedCheckoutCritical.ql index ad79a1ce776..8e8882f9cf5 100644 --- a/actions/ql/src/Security/CWE-829/UntrustedCheckoutCritical.ql +++ b/actions/ql/src/Security/CWE-829/UntrustedCheckoutCritical.ql @@ -51,5 +51,5 @@ where event.getName() = checkoutTriggers() and not exists(ControlCheck check | check.protects(checkout, event, "untrusted-checkout")) and not exists(ControlCheck check | check.protects(poisonable, event, "untrusted-checkout")) -select poisonable, checkout, poisonable, +select checkout, checkout, poisonable, "Potential execution of untrusted code on a privileged workflow ($@)", event, event.getName() diff --git a/actions/ql/src/Security/CWE-829/UntrustedCheckoutHigh.md b/actions/ql/src/Security/CWE-829/UntrustedCheckoutHigh.md index 6060354b134..f412421b7f1 100644 --- a/actions/ql/src/Security/CWE-829/UntrustedCheckoutHigh.md +++ b/actions/ql/src/Security/CWE-829/UntrustedCheckoutHigh.md @@ -1,6 +1,6 @@ ## Overview -GitHub workflows can be triggered through various repository events, including incoming pull requests (PRs) or comments on Issues/PRs. A potentially dangerous misuse of the triggers such as `pull_request_target` or `issue_comment` followed by an explicit checkout of untrusted code (Pull Request HEAD) may lead to repository compromise if untrusted code gets executed (e.g., due to a modified build script) in a privileged job. +GitHub workflows can be triggered through various repository events, including incoming pull requests (PRs) or comments on Issues/PRs. A dangerous misuse of event triggers such as `pull_request_target` or `issue_comment` followed by an explicit checkout of untrusted input from the PR may lead to repository compromise if untrusted code gets executed in a privileged job. Untrusted code may get executed due to a modified build script, workflow injection, or registry hijacking. **Carefully review** whether least privileges is used and whether input is taken from untrusted sources. ## Recommendation @@ -133,3 +133,4 @@ jobs: ## References - GitHub Security Lab Research: [Keeping your GitHub Actions and workflows secure Part 1: Preventing pwn requests](https://securitylab.github.com/research/github-actions-preventing-pwn-requests/). +- Living Off the Pipeline: [LOTP](https://boostsecurityio.github.io/lotp/). \ No newline at end of file diff --git a/actions/ql/src/Security/CWE-829/UntrustedCheckoutHigh.ql b/actions/ql/src/Security/CWE-829/UntrustedCheckoutHigh.ql index 98b9aee33f7..5c2d4b3d56c 100644 --- a/actions/ql/src/Security/CWE-829/UntrustedCheckoutHigh.ql +++ b/actions/ql/src/Security/CWE-829/UntrustedCheckoutHigh.ql @@ -1,5 +1,5 @@ /** - * @name Checkout of untrusted code in trusted context + * @name Checkout of untrusted code in privileged context without privileged context use * @description Privileged workflows have read/write access to the base repository and access to secrets. * By explicitly checking out and running the build script from a fork the untrusted code is running in an environment * that is able to push to the base repository and to access secrets. diff --git a/actions/ql/src/Security/CWE-829/UntrustedCheckoutMedium.md b/actions/ql/src/Security/CWE-829/UntrustedCheckoutMedium.md index 6060354b134..246e302e85b 100644 --- a/actions/ql/src/Security/CWE-829/UntrustedCheckoutMedium.md +++ b/actions/ql/src/Security/CWE-829/UntrustedCheckoutMedium.md @@ -1,6 +1,6 @@ ## Overview -GitHub workflows can be triggered through various repository events, including incoming pull requests (PRs) or comments on Issues/PRs. A potentially dangerous misuse of the triggers such as `pull_request_target` or `issue_comment` followed by an explicit checkout of untrusted code (Pull Request HEAD) may lead to repository compromise if untrusted code gets executed (e.g., due to a modified build script) in a privileged job. +GitHub workflows can be triggered through various repository events, including incoming pull requests (PRs) or comments on Issues/PRs. A dangerous misuse of event triggers such as `pull_request_target` or `issue_comment` followed by an explicit checkout of untrusted input from the PR may lead to repository compromise if untrusted code gets executed in a privileged job. Untrusted code may get executed due to a modified build script, workflow injection, or registry hijacking. **Carefully review** whether least privileges is used and whether input is taken from untrusted sources. ## Recommendation @@ -133,3 +133,4 @@ jobs: ## References - GitHub Security Lab Research: [Keeping your GitHub Actions and workflows secure Part 1: Preventing pwn requests](https://securitylab.github.com/research/github-actions-preventing-pwn-requests/). +- Living Off the Pipeline: [LOTP](https://boostsecurityio.github.io/lotp/). \ No newline at end of file diff --git a/actions/ql/src/change-notes/2026-04-15-untrusted-checkout-improvements.md b/actions/ql/src/change-notes/2026-04-15-untrusted-checkout-improvements.md new file mode 100644 index 00000000000..ef16e84e2c2 --- /dev/null +++ b/actions/ql/src/change-notes/2026-04-15-untrusted-checkout-improvements.md @@ -0,0 +1,6 @@ +--- +category: majorAnalysis +--- +* Fixed help file descriptions for queries: `actions/untrusted-checkout/critical`, `actions/untrusted-checkout/high`, `actions/untrusted-checkout/medium`. Previously the messages were unclear as to why and how the vulnerabilities could occur. Additionally alter 2 patterns in the detection such that now extra sinks are detected in the following cases: scripts executed via python modules and `go run` in directories are detected as potential mechanisms of injection. This may lead to more results being detected by all 3 queries. +* Adjusted `actions/untrusted-checkout/critical` to align more with other untrusted resource queries, where the alert location is the location where the artifact is obtained from (the checkout point). This aligns with the other 2 related queries. This will cause the same alerts to re-open for closed alerts of this query. +* Adjusted the name of `actions/untrusted-checkout/high` to more clearly describe which parts of the scenario are in a privileged context. This will cause the same alerts to re-open for closed alerts of this query. \ No newline at end of file From a342efca0e6e04889b87be3925db7b13d00e3a9a Mon Sep 17 00:00:00 2001 From: Kristen Newbury Date: Wed, 15 Apr 2026 16:12:52 -0400 Subject: [PATCH 02/46] Revert accidental change --- .../src/Security/CWE-094/CodeInjectionMedium.ql | 17 ++++++----------- 1 file changed, 6 insertions(+), 11 deletions(-) diff --git a/actions/ql/src/Security/CWE-094/CodeInjectionMedium.ql b/actions/ql/src/Security/CWE-094/CodeInjectionMedium.ql index 22ab430105a..8bc3fe8f51a 100644 --- a/actions/ql/src/Security/CWE-094/CodeInjectionMedium.ql +++ b/actions/ql/src/Security/CWE-094/CodeInjectionMedium.ql @@ -2,7 +2,7 @@ * @name Code injection * @description Interpreting unsanitized user input as code allows a malicious user to perform arbitrary * code execution. - * @ kind path-problem + * @kind path-problem * @problem.severity warning * @security-severity 5.0 * @precision medium @@ -18,13 +18,8 @@ import actions import codeql.actions.security.CodeInjectionQuery import CodeInjectionFlow::PathGraph -// from CodeInjectionFlow::PathNode source, CodeInjectionFlow::PathNode sink -// where mediumSeverityCodeInjection(source, sink) -// select sink.getNode(), source, sink, -// "Potential code injection in $@, which may be controlled by an external user.", sink, -// sink.getNode().asExpr().(Expression).getRawExpression() -from string test -where - test.regexpMatch("(python[\\d\\.]*)\\s+([^\\s]+)\\.py\\b") and - test = "python -m dir" //go run main/main.go //go run . -select test +from CodeInjectionFlow::PathNode source, CodeInjectionFlow::PathNode sink +where mediumSeverityCodeInjection(source, sink) +select sink.getNode(), source, sink, + "Potential code injection in $@, which may be controlled by an external user.", sink, + sink.getNode().asExpr().(Expression).getRawExpression() From c9e5dbda782fea39790bd736bebaa8a15d59226d Mon Sep 17 00:00:00 2001 From: Kristen Newbury Date: Wed, 15 Apr 2026 16:26:38 -0400 Subject: [PATCH 03/46] Update actions/ql/lib/ext/config/poisonable_steps.yml Co-authored-by: Copilot <175728472+Copilot@users.noreply.github.com> --- actions/ql/lib/ext/config/poisonable_steps.yml | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/actions/ql/lib/ext/config/poisonable_steps.yml b/actions/ql/lib/ext/config/poisonable_steps.yml index d15b8d7a6a5..cf7f71dccc9 100644 --- a/actions/ql/lib/ext/config/poisonable_steps.yml +++ b/actions/ql/lib/ext/config/poisonable_steps.yml @@ -72,5 +72,5 @@ extensions: - ["(python[\\d\\.]*)\\s+([^\\s]+)\\.py\\b", 2] - ["(python[\\d\\.]*)\\s+([\\-m]+)\\s+(\\w+)\\b", 2] # eg: pythonX -m anything(dir or file) - ["(ruby)\\s+([^\\s]+)\\.rb\\b", 2] - - ["(go)\\s+(generate|run)\\s+([^\\s]+)", 3] + - ["(go)\\s+(generate|run)(?:\\s+-[^\\s]+)*\\s+([^\\s]+)", 3] - ["(dotnet)\\s+([^\\s]+)\\.csproj\\b", 2] From 589e1e5c197483f4ff8d31d70c12dda8a016c2d3 Mon Sep 17 00:00:00 2001 From: Kristen Newbury Date: Wed, 15 Apr 2026 16:27:06 -0400 Subject: [PATCH 04/46] Update actions/ql/lib/ext/config/poisonable_steps.yml Co-authored-by: Copilot <175728472+Copilot@users.noreply.github.com> --- actions/ql/lib/ext/config/poisonable_steps.yml | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/actions/ql/lib/ext/config/poisonable_steps.yml b/actions/ql/lib/ext/config/poisonable_steps.yml index cf7f71dccc9..17b1408fa7c 100644 --- a/actions/ql/lib/ext/config/poisonable_steps.yml +++ b/actions/ql/lib/ext/config/poisonable_steps.yml @@ -70,7 +70,7 @@ extensions: - ["(source|sh|bash|zsh|fish)\\s+([^\\s]+)\\b", 2] - ["(node)\\s+([^\\s]+)(\\.js|\\.ts)\\b", 2] - ["(python[\\d\\.]*)\\s+([^\\s]+)\\.py\\b", 2] - - ["(python[\\d\\.]*)\\s+([\\-m]+)\\s+(\\w+)\\b", 2] # eg: pythonX -m anything(dir or file) + - ["(python[\\d\\.]*)\\s+-m\\s+([A-Za-z_][\\w\\.]*)\\b", 2] # eg: pythonX -m anything(dir or file) - ["(ruby)\\s+([^\\s]+)\\.rb\\b", 2] - ["(go)\\s+(generate|run)(?:\\s+-[^\\s]+)*\\s+([^\\s]+)", 3] - ["(dotnet)\\s+([^\\s]+)\\.csproj\\b", 2] From ed4e2bc5b93ae618ec07dff2c4ba0aa5f853555d Mon Sep 17 00:00:00 2001 From: Kristen Newbury Date: Wed, 15 Apr 2026 16:29:57 -0400 Subject: [PATCH 05/46] Improve formatting helpfiles --- actions/ql/src/Security/CWE-829/UntrustedCheckoutCritical.md | 2 +- actions/ql/src/Security/CWE-829/UntrustedCheckoutHigh.md | 2 +- actions/ql/src/Security/CWE-829/UntrustedCheckoutMedium.md | 2 +- 3 files changed, 3 insertions(+), 3 deletions(-) diff --git a/actions/ql/src/Security/CWE-829/UntrustedCheckoutCritical.md b/actions/ql/src/Security/CWE-829/UntrustedCheckoutCritical.md index 246e302e85b..a4fceb1f8da 100644 --- a/actions/ql/src/Security/CWE-829/UntrustedCheckoutCritical.md +++ b/actions/ql/src/Security/CWE-829/UntrustedCheckoutCritical.md @@ -133,4 +133,4 @@ jobs: ## References - GitHub Security Lab Research: [Keeping your GitHub Actions and workflows secure Part 1: Preventing pwn requests](https://securitylab.github.com/research/github-actions-preventing-pwn-requests/). -- Living Off the Pipeline: [LOTP](https://boostsecurityio.github.io/lotp/). \ No newline at end of file +- Living Off the Pipeline: [LOTP](https://boostsecurityio.github.io/lotp/). diff --git a/actions/ql/src/Security/CWE-829/UntrustedCheckoutHigh.md b/actions/ql/src/Security/CWE-829/UntrustedCheckoutHigh.md index f412421b7f1..a4fceb1f8da 100644 --- a/actions/ql/src/Security/CWE-829/UntrustedCheckoutHigh.md +++ b/actions/ql/src/Security/CWE-829/UntrustedCheckoutHigh.md @@ -133,4 +133,4 @@ jobs: ## References - GitHub Security Lab Research: [Keeping your GitHub Actions and workflows secure Part 1: Preventing pwn requests](https://securitylab.github.com/research/github-actions-preventing-pwn-requests/). -- Living Off the Pipeline: [LOTP](https://boostsecurityio.github.io/lotp/). \ No newline at end of file +- Living Off the Pipeline: [LOTP](https://boostsecurityio.github.io/lotp/). diff --git a/actions/ql/src/Security/CWE-829/UntrustedCheckoutMedium.md b/actions/ql/src/Security/CWE-829/UntrustedCheckoutMedium.md index 246e302e85b..a4fceb1f8da 100644 --- a/actions/ql/src/Security/CWE-829/UntrustedCheckoutMedium.md +++ b/actions/ql/src/Security/CWE-829/UntrustedCheckoutMedium.md @@ -133,4 +133,4 @@ jobs: ## References - GitHub Security Lab Research: [Keeping your GitHub Actions and workflows secure Part 1: Preventing pwn requests](https://securitylab.github.com/research/github-actions-preventing-pwn-requests/). -- Living Off the Pipeline: [LOTP](https://boostsecurityio.github.io/lotp/). \ No newline at end of file +- Living Off the Pipeline: [LOTP](https://boostsecurityio.github.io/lotp/). From 81532c7ce672ecaa27077049278c8d9b82529bed Mon Sep 17 00:00:00 2001 From: Kristen Newbury Date: Thu, 16 Apr 2026 11:37:03 -0400 Subject: [PATCH 06/46] Fix outstanding expected file --- .../UntrustedCheckoutCritical.expected | 78 +++++++++---------- 1 file changed, 39 insertions(+), 39 deletions(-) diff --git a/actions/ql/test/query-tests/Security/CWE-829/UntrustedCheckoutCritical.expected b/actions/ql/test/query-tests/Security/CWE-829/UntrustedCheckoutCritical.expected index 39e54b2bbae..e7c208d1bdb 100644 --- a/actions/ql/test/query-tests/Security/CWE-829/UntrustedCheckoutCritical.expected +++ b/actions/ql/test/query-tests/Security/CWE-829/UntrustedCheckoutCritical.expected @@ -334,42 +334,42 @@ edges | .github/workflows/workflow_run_untrusted_checkout_2.yml:13:9:16:6 | Uses Step | .github/workflows/workflow_run_untrusted_checkout_2.yml:16:9:18:31 | Uses Step | | .github/workflows/workflow_run_untrusted_checkout_3.yml:13:9:16:6 | Uses Step | .github/workflows/workflow_run_untrusted_checkout_3.yml:16:9:18:31 | Uses Step | #select -| .github/workflows/auto_ci.yml:32:9:37:6 | Run Step | .github/workflows/auto_ci.yml:20:9:27:6 | Uses Step | .github/workflows/auto_ci.yml:32:9:37:6 | Run Step | Potential execution of untrusted code on a privileged workflow ($@) | .github/workflows/auto_ci.yml:6:3:6:21 | pull_request_target | pull_request_target | -| .github/workflows/auto_ci.yml:48:9:52:2 | Run Step | .github/workflows/auto_ci.yml:20:9:27:6 | Uses Step | .github/workflows/auto_ci.yml:48:9:52:2 | Run Step | Potential execution of untrusted code on a privileged workflow ($@) | .github/workflows/auto_ci.yml:6:3:6:21 | pull_request_target | pull_request_target | -| .github/workflows/auto_ci.yml:79:9:84:6 | Run Step | .github/workflows/auto_ci.yml:67:9:74:6 | Uses Step | .github/workflows/auto_ci.yml:79:9:84:6 | Run Step | Potential execution of untrusted code on a privileged workflow ($@) | .github/workflows/auto_ci.yml:6:3:6:21 | pull_request_target | pull_request_target | -| .github/workflows/auto_ci.yml:84:9:93:6 | Run Step | .github/workflows/auto_ci.yml:67:9:74:6 | Uses Step | .github/workflows/auto_ci.yml:84:9:93:6 | Run Step | Potential execution of untrusted code on a privileged workflow ($@) | .github/workflows/auto_ci.yml:6:3:6:21 | pull_request_target | pull_request_target | -| .github/workflows/dependabot3.yml:25:9:48:6 | Run Step: set-milestone | .github/workflows/dependabot3.yml:15:9:20:6 | Uses Step | .github/workflows/dependabot3.yml:25:9:48:6 | Run Step: set-milestone | Potential execution of untrusted code on a privileged workflow ($@) | .github/workflows/dependabot3.yml:3:5:3:23 | pull_request_target | pull_request_target | -| .github/workflows/external/TestOrg/TestRepo/.github/workflows/reusable.yml:26:9:29:7 | Run Step | .github/workflows/external/TestOrg/TestRepo/.github/workflows/reusable.yml:23:9:26:6 | Uses Step | .github/workflows/external/TestOrg/TestRepo/.github/workflows/reusable.yml:26:9:29:7 | Run Step | Potential execution of untrusted code on a privileged workflow ($@) | .github/workflows/reusable_caller1.yaml:4:3:4:21 | pull_request_target | pull_request_target | -| .github/workflows/gitcheckout.yml:21:11:23:22 | Run Step | .github/workflows/gitcheckout.yml:10:11:18:8 | Run Step | .github/workflows/gitcheckout.yml:21:11:23:22 | Run Step | Potential execution of untrusted code on a privileged workflow ($@) | .github/workflows/gitcheckout.yml:2:3:2:21 | pull_request_target | pull_request_target | -| .github/workflows/label_trusted_checkout2.yml:17:7:21:4 | Run Step | .github/workflows/label_trusted_checkout2.yml:12:7:16:4 | Uses Step | .github/workflows/label_trusted_checkout2.yml:17:7:21:4 | Run Step | Potential execution of untrusted code on a privileged workflow ($@) | .github/workflows/label_trusted_checkout2.yml:2:3:2:21 | pull_request_target | pull_request_target | -| .github/workflows/level0.yml:107:9:112:2 | Run Step | .github/workflows/level0.yml:99:9:103:6 | Uses Step | .github/workflows/level0.yml:107:9:112:2 | Run Step | Potential execution of untrusted code on a privileged workflow ($@) | .github/workflows/level0.yml:5:3:5:15 | issue_comment | issue_comment | -| .github/workflows/level0.yml:107:9:112:2 | Run Step | .github/workflows/level0.yml:99:9:103:6 | Uses Step | .github/workflows/level0.yml:107:9:112:2 | Run Step | Potential execution of untrusted code on a privileged workflow ($@) | .github/workflows/level0.yml:7:3:7:21 | pull_request_target | pull_request_target | -| .github/workflows/level0.yml:133:9:135:23 | Run Step | .github/workflows/level0.yml:125:9:129:6 | Uses Step | .github/workflows/level0.yml:133:9:135:23 | Run Step | Potential execution of untrusted code on a privileged workflow ($@) | .github/workflows/level0.yml:5:3:5:15 | issue_comment | issue_comment | -| .github/workflows/level0.yml:133:9:135:23 | Run Step | .github/workflows/level0.yml:125:9:129:6 | Uses Step | .github/workflows/level0.yml:133:9:135:23 | Run Step | Potential execution of untrusted code on a privileged workflow ($@) | .github/workflows/level0.yml:7:3:7:21 | pull_request_target | pull_request_target | -| .github/workflows/poc2.yml:42:9:47:6 | Uses Step | .github/workflows/poc2.yml:37:9:42:6 | Uses Step | .github/workflows/poc2.yml:42:9:47:6 | Uses Step | Potential execution of untrusted code on a privileged workflow ($@) | .github/workflows/poc2.yml:4:3:4:15 | issue_comment | issue_comment | -| .github/workflows/poc2.yml:52:9:58:24 | Run Step | .github/workflows/poc2.yml:37:9:42:6 | Uses Step | .github/workflows/poc2.yml:52:9:58:24 | Run Step | Potential execution of untrusted code on a privileged workflow ($@) | .github/workflows/poc2.yml:4:3:4:15 | issue_comment | issue_comment | -| .github/workflows/pr-workflow.yml:222:9:227:6 | Uses Step | .github/workflows/pr-workflow.yml:216:9:222:6 | Uses Step | .github/workflows/pr-workflow.yml:222:9:227:6 | Uses Step | Potential execution of untrusted code on a privileged workflow ($@) | .github/workflows/pr-workflow-fork.yaml:7:3:7:21 | pull_request_target | pull_request_target | -| .github/workflows/pr-workflow.yml:256:9:261:6 | Uses Step | .github/workflows/pr-workflow.yml:250:9:256:6 | Uses Step | .github/workflows/pr-workflow.yml:256:9:261:6 | Uses Step | Potential execution of untrusted code on a privileged workflow ($@) | .github/workflows/pr-workflow-fork.yaml:7:3:7:21 | pull_request_target | pull_request_target | -| .github/workflows/pr-workflow.yml:290:9:295:6 | Uses Step | .github/workflows/pr-workflow.yml:284:9:290:6 | Uses Step | .github/workflows/pr-workflow.yml:290:9:295:6 | Uses Step | Potential execution of untrusted code on a privileged workflow ($@) | .github/workflows/pr-workflow-fork.yaml:7:3:7:21 | pull_request_target | pull_request_target | -| .github/workflows/pr-workflow.yml:391:9:395:6 | Uses Step | .github/workflows/pr-workflow.yml:386:9:391:6 | Uses Step | .github/workflows/pr-workflow.yml:391:9:395:6 | Uses Step | Potential execution of untrusted code on a privileged workflow ($@) | .github/workflows/pr-workflow-fork.yaml:7:3:7:21 | pull_request_target | pull_request_target | -| .github/workflows/pr-workflow.yml:395:9:404:6 | Uses Step | .github/workflows/pr-workflow.yml:386:9:391:6 | Uses Step | .github/workflows/pr-workflow.yml:395:9:404:6 | Uses Step | Potential execution of untrusted code on a privileged workflow ($@) | .github/workflows/pr-workflow-fork.yaml:7:3:7:21 | pull_request_target | pull_request_target | -| .github/workflows/pr-workflow.yml:404:9:414:6 | Uses Step | .github/workflows/pr-workflow.yml:386:9:391:6 | Uses Step | .github/workflows/pr-workflow.yml:404:9:414:6 | Uses Step | Potential execution of untrusted code on a privileged workflow ($@) | .github/workflows/pr-workflow-fork.yaml:7:3:7:21 | pull_request_target | pull_request_target | -| .github/workflows/pr-workflow.yml:414:9:423:6 | Uses Step | .github/workflows/pr-workflow.yml:386:9:391:6 | Uses Step | .github/workflows/pr-workflow.yml:414:9:423:6 | Uses Step | Potential execution of untrusted code on a privileged workflow ($@) | .github/workflows/pr-workflow-fork.yaml:7:3:7:21 | pull_request_target | pull_request_target | -| .github/workflows/pr-workflow.yml:423:9:432:2 | Uses Step | .github/workflows/pr-workflow.yml:386:9:391:6 | Uses Step | .github/workflows/pr-workflow.yml:423:9:432:2 | Uses Step | Potential execution of untrusted code on a privileged workflow ($@) | .github/workflows/pr-workflow-fork.yaml:7:3:7:21 | pull_request_target | pull_request_target | -| .github/workflows/reusable_local.yml:26:9:29:7 | Run Step | .github/workflows/reusable_local.yml:23:9:26:6 | Uses Step | .github/workflows/reusable_local.yml:26:9:29:7 | Run Step | Potential execution of untrusted code on a privileged workflow ($@) | .github/workflows/reusable_caller3.yaml:4:3:4:21 | pull_request_target | pull_request_target | -| .github/workflows/test7.yml:33:9:36:6 | Run Step | .github/workflows/test7.yml:19:9:24:6 | Uses Step | .github/workflows/test7.yml:33:9:36:6 | Run Step | Potential execution of untrusted code on a privileged workflow ($@) | .github/workflows/test7.yml:4:3:4:15 | issue_comment | issue_comment | -| .github/workflows/test7.yml:36:9:39:6 | Run Step | .github/workflows/test7.yml:19:9:24:6 | Uses Step | .github/workflows/test7.yml:36:9:39:6 | Run Step | Potential execution of untrusted code on a privileged workflow ($@) | .github/workflows/test7.yml:4:3:4:15 | issue_comment | issue_comment | -| .github/workflows/test7.yml:49:9:59:6 | Run Step: benchmark-pr | .github/workflows/test7.yml:19:9:24:6 | Uses Step | .github/workflows/test7.yml:49:9:59:6 | Run Step: benchmark-pr | Potential execution of untrusted code on a privileged workflow ($@) | .github/workflows/test7.yml:4:3:4:15 | issue_comment | issue_comment | -| .github/workflows/test7.yml:59:9:60:6 | Run Step | .github/workflows/test7.yml:19:9:24:6 | Uses Step | .github/workflows/test7.yml:59:9:60:6 | Run Step | Potential execution of untrusted code on a privileged workflow ($@) | .github/workflows/test7.yml:4:3:4:15 | issue_comment | issue_comment | -| .github/workflows/test7.yml:60:9:60:37 | Run Step | .github/workflows/test7.yml:19:9:24:6 | Uses Step | .github/workflows/test7.yml:60:9:60:37 | Run Step | Potential execution of untrusted code on a privileged workflow ($@) | .github/workflows/test7.yml:4:3:4:15 | issue_comment | issue_comment | -| .github/workflows/test10.yml:25:9:30:2 | Run Step | .github/workflows/test10.yml:20:9:25:6 | Uses Step | .github/workflows/test10.yml:25:9:30:2 | Run Step | Potential execution of untrusted code on a privileged workflow ($@) | .github/workflows/test10.yml:8:3:8:21 | pull_request_target | pull_request_target | -| .github/workflows/test11.yml:90:7:93:54 | Uses Step | .github/workflows/test11.yml:84:7:90:4 | Uses Step | .github/workflows/test11.yml:90:7:93:54 | Uses Step | Potential execution of untrusted code on a privileged workflow ($@) | .github/workflows/test11.yml:5:3:5:15 | issue_comment | issue_comment | -| .github/workflows/test17.yml:19:15:23:58 | Uses Step | .github/workflows/test17.yml:12:15:19:12 | Uses Step | .github/workflows/test17.yml:19:15:23:58 | Uses Step | Potential execution of untrusted code on a privileged workflow ($@) | .github/workflows/test17.yml:3:5:3:16 | workflow_run | workflow_run | -| .github/workflows/test27.yml:21:9:22:16 | Run Step | .github/workflows/test27.yml:18:9:21:6 | Uses Step | .github/workflows/test27.yml:21:9:22:16 | Run Step | Potential execution of untrusted code on a privileged workflow ($@) | .github/workflows/test26.yml:4:3:4:14 | workflow_run | workflow_run | -| .github/workflows/test29.yml:14:7:21:11 | Uses Step | .github/workflows/test29.yml:8:7:14:4 | Uses Step | .github/workflows/test29.yml:14:7:21:11 | Uses Step | Potential execution of untrusted code on a privileged workflow ($@) | .github/workflows/test29.yml:1:5:1:23 | pull_request_target | pull_request_target | -| .github/workflows/untrusted_checkout3.yml:13:9:13:23 | Run Step | .github/actions/dangerous-git-checkout/action.yml:6:7:11:4 | Uses Step | .github/workflows/untrusted_checkout3.yml:13:9:13:23 | Run Step | Potential execution of untrusted code on a privileged workflow ($@) | .github/workflows/untrusted_checkout3.yml:4:3:4:14 | workflow_run | workflow_run | -| .github/workflows/untrusted_checkout4.yml:35:7:41:4 | Run Step | .github/workflows/untrusted_checkout4.yml:29:7:35:4 | Uses Step | .github/workflows/untrusted_checkout4.yml:35:7:41:4 | Run Step | Potential execution of untrusted code on a privileged workflow ($@) | .github/workflows/untrusted_checkout4.yml:2:3:2:15 | issue_comment | issue_comment | -| .github/workflows/untrusted_checkout4.yml:41:7:47:4 | Run Step | .github/workflows/untrusted_checkout4.yml:29:7:35:4 | Uses Step | .github/workflows/untrusted_checkout4.yml:41:7:47:4 | Run Step | Potential execution of untrusted code on a privileged workflow ($@) | .github/workflows/untrusted_checkout4.yml:2:3:2:15 | issue_comment | issue_comment | -| .github/workflows/untrusted_checkout4.yml:47:7:51:46 | Run Step | .github/workflows/untrusted_checkout4.yml:29:7:35:4 | Uses Step | .github/workflows/untrusted_checkout4.yml:47:7:51:46 | Run Step | Potential execution of untrusted code on a privileged workflow ($@) | .github/workflows/untrusted_checkout4.yml:2:3:2:15 | issue_comment | issue_comment | -| .github/workflows/untrusted_checkout.yml:15:9:18:2 | Run Step | .github/workflows/untrusted_checkout.yml:8:9:11:6 | Uses Step | .github/workflows/untrusted_checkout.yml:15:9:18:2 | Run Step | Potential execution of untrusted code on a privileged workflow ($@) | .github/workflows/untrusted_checkout.yml:2:3:2:21 | pull_request_target | pull_request_target | -| .github/workflows/untrusted_checkout.yml:30:9:32:23 | Run Step | .github/workflows/untrusted_checkout.yml:23:9:26:6 | Uses Step | .github/workflows/untrusted_checkout.yml:30:9:32:23 | Run Step | Potential execution of untrusted code on a privileged workflow ($@) | .github/workflows/untrusted_checkout.yml:2:3:2:21 | pull_request_target | pull_request_target | +| .github/actions/dangerous-git-checkout/action.yml:6:7:11:4 | Uses Step | .github/actions/dangerous-git-checkout/action.yml:6:7:11:4 | Uses Step | .github/workflows/untrusted_checkout3.yml:13:9:13:23 | Run Step | Potential execution of untrusted code on a privileged workflow ($@) | .github/workflows/untrusted_checkout3.yml:4:3:4:14 | workflow_run | workflow_run | +| .github/workflows/auto_ci.yml:20:9:27:6 | Uses Step | .github/workflows/auto_ci.yml:20:9:27:6 | Uses Step | .github/workflows/auto_ci.yml:32:9:37:6 | Run Step | Potential execution of untrusted code on a privileged workflow ($@) | .github/workflows/auto_ci.yml:6:3:6:21 | pull_request_target | pull_request_target | +| .github/workflows/auto_ci.yml:20:9:27:6 | Uses Step | .github/workflows/auto_ci.yml:20:9:27:6 | Uses Step | .github/workflows/auto_ci.yml:48:9:52:2 | Run Step | Potential execution of untrusted code on a privileged workflow ($@) | .github/workflows/auto_ci.yml:6:3:6:21 | pull_request_target | pull_request_target | +| .github/workflows/auto_ci.yml:67:9:74:6 | Uses Step | .github/workflows/auto_ci.yml:67:9:74:6 | Uses Step | .github/workflows/auto_ci.yml:79:9:84:6 | Run Step | Potential execution of untrusted code on a privileged workflow ($@) | .github/workflows/auto_ci.yml:6:3:6:21 | pull_request_target | pull_request_target | +| .github/workflows/auto_ci.yml:67:9:74:6 | Uses Step | .github/workflows/auto_ci.yml:67:9:74:6 | Uses Step | .github/workflows/auto_ci.yml:84:9:93:6 | Run Step | Potential execution of untrusted code on a privileged workflow ($@) | .github/workflows/auto_ci.yml:6:3:6:21 | pull_request_target | pull_request_target | +| .github/workflows/dependabot3.yml:15:9:20:6 | Uses Step | .github/workflows/dependabot3.yml:15:9:20:6 | Uses Step | .github/workflows/dependabot3.yml:25:9:48:6 | Run Step: set-milestone | Potential execution of untrusted code on a privileged workflow ($@) | .github/workflows/dependabot3.yml:3:5:3:23 | pull_request_target | pull_request_target | +| .github/workflows/external/TestOrg/TestRepo/.github/workflows/reusable.yml:23:9:26:6 | Uses Step | .github/workflows/external/TestOrg/TestRepo/.github/workflows/reusable.yml:23:9:26:6 | Uses Step | .github/workflows/external/TestOrg/TestRepo/.github/workflows/reusable.yml:26:9:29:7 | Run Step | Potential execution of untrusted code on a privileged workflow ($@) | .github/workflows/reusable_caller1.yaml:4:3:4:21 | pull_request_target | pull_request_target | +| .github/workflows/gitcheckout.yml:10:11:18:8 | Run Step | .github/workflows/gitcheckout.yml:10:11:18:8 | Run Step | .github/workflows/gitcheckout.yml:21:11:23:22 | Run Step | Potential execution of untrusted code on a privileged workflow ($@) | .github/workflows/gitcheckout.yml:2:3:2:21 | pull_request_target | pull_request_target | +| .github/workflows/label_trusted_checkout2.yml:12:7:16:4 | Uses Step | .github/workflows/label_trusted_checkout2.yml:12:7:16:4 | Uses Step | .github/workflows/label_trusted_checkout2.yml:17:7:21:4 | Run Step | Potential execution of untrusted code on a privileged workflow ($@) | .github/workflows/label_trusted_checkout2.yml:2:3:2:21 | pull_request_target | pull_request_target | +| .github/workflows/level0.yml:99:9:103:6 | Uses Step | .github/workflows/level0.yml:99:9:103:6 | Uses Step | .github/workflows/level0.yml:107:9:112:2 | Run Step | Potential execution of untrusted code on a privileged workflow ($@) | .github/workflows/level0.yml:5:3:5:15 | issue_comment | issue_comment | +| .github/workflows/level0.yml:99:9:103:6 | Uses Step | .github/workflows/level0.yml:99:9:103:6 | Uses Step | .github/workflows/level0.yml:107:9:112:2 | Run Step | Potential execution of untrusted code on a privileged workflow ($@) | .github/workflows/level0.yml:7:3:7:21 | pull_request_target | pull_request_target | +| .github/workflows/level0.yml:125:9:129:6 | Uses Step | .github/workflows/level0.yml:125:9:129:6 | Uses Step | .github/workflows/level0.yml:133:9:135:23 | Run Step | Potential execution of untrusted code on a privileged workflow ($@) | .github/workflows/level0.yml:5:3:5:15 | issue_comment | issue_comment | +| .github/workflows/level0.yml:125:9:129:6 | Uses Step | .github/workflows/level0.yml:125:9:129:6 | Uses Step | .github/workflows/level0.yml:133:9:135:23 | Run Step | Potential execution of untrusted code on a privileged workflow ($@) | .github/workflows/level0.yml:7:3:7:21 | pull_request_target | pull_request_target | +| .github/workflows/poc2.yml:37:9:42:6 | Uses Step | .github/workflows/poc2.yml:37:9:42:6 | Uses Step | .github/workflows/poc2.yml:42:9:47:6 | Uses Step | Potential execution of untrusted code on a privileged workflow ($@) | .github/workflows/poc2.yml:4:3:4:15 | issue_comment | issue_comment | +| .github/workflows/poc2.yml:37:9:42:6 | Uses Step | .github/workflows/poc2.yml:37:9:42:6 | Uses Step | .github/workflows/poc2.yml:52:9:58:24 | Run Step | Potential execution of untrusted code on a privileged workflow ($@) | .github/workflows/poc2.yml:4:3:4:15 | issue_comment | issue_comment | +| .github/workflows/pr-workflow.yml:216:9:222:6 | Uses Step | .github/workflows/pr-workflow.yml:216:9:222:6 | Uses Step | .github/workflows/pr-workflow.yml:222:9:227:6 | Uses Step | Potential execution of untrusted code on a privileged workflow ($@) | .github/workflows/pr-workflow-fork.yaml:7:3:7:21 | pull_request_target | pull_request_target | +| .github/workflows/pr-workflow.yml:250:9:256:6 | Uses Step | .github/workflows/pr-workflow.yml:250:9:256:6 | Uses Step | .github/workflows/pr-workflow.yml:256:9:261:6 | Uses Step | Potential execution of untrusted code on a privileged workflow ($@) | .github/workflows/pr-workflow-fork.yaml:7:3:7:21 | pull_request_target | pull_request_target | +| .github/workflows/pr-workflow.yml:284:9:290:6 | Uses Step | .github/workflows/pr-workflow.yml:284:9:290:6 | Uses Step | .github/workflows/pr-workflow.yml:290:9:295:6 | Uses Step | Potential execution of untrusted code on a privileged workflow ($@) | .github/workflows/pr-workflow-fork.yaml:7:3:7:21 | pull_request_target | pull_request_target | +| .github/workflows/pr-workflow.yml:386:9:391:6 | Uses Step | .github/workflows/pr-workflow.yml:386:9:391:6 | Uses Step | .github/workflows/pr-workflow.yml:391:9:395:6 | Uses Step | Potential execution of untrusted code on a privileged workflow ($@) | .github/workflows/pr-workflow-fork.yaml:7:3:7:21 | pull_request_target | pull_request_target | +| .github/workflows/pr-workflow.yml:386:9:391:6 | Uses Step | .github/workflows/pr-workflow.yml:386:9:391:6 | Uses Step | .github/workflows/pr-workflow.yml:395:9:404:6 | Uses Step | Potential execution of untrusted code on a privileged workflow ($@) | .github/workflows/pr-workflow-fork.yaml:7:3:7:21 | pull_request_target | pull_request_target | +| .github/workflows/pr-workflow.yml:386:9:391:6 | Uses Step | .github/workflows/pr-workflow.yml:386:9:391:6 | Uses Step | .github/workflows/pr-workflow.yml:404:9:414:6 | Uses Step | Potential execution of untrusted code on a privileged workflow ($@) | .github/workflows/pr-workflow-fork.yaml:7:3:7:21 | pull_request_target | pull_request_target | +| .github/workflows/pr-workflow.yml:386:9:391:6 | Uses Step | .github/workflows/pr-workflow.yml:386:9:391:6 | Uses Step | .github/workflows/pr-workflow.yml:414:9:423:6 | Uses Step | Potential execution of untrusted code on a privileged workflow ($@) | .github/workflows/pr-workflow-fork.yaml:7:3:7:21 | pull_request_target | pull_request_target | +| .github/workflows/pr-workflow.yml:386:9:391:6 | Uses Step | .github/workflows/pr-workflow.yml:386:9:391:6 | Uses Step | .github/workflows/pr-workflow.yml:423:9:432:2 | Uses Step | Potential execution of untrusted code on a privileged workflow ($@) | .github/workflows/pr-workflow-fork.yaml:7:3:7:21 | pull_request_target | pull_request_target | +| .github/workflows/reusable_local.yml:23:9:26:6 | Uses Step | .github/workflows/reusable_local.yml:23:9:26:6 | Uses Step | .github/workflows/reusable_local.yml:26:9:29:7 | Run Step | Potential execution of untrusted code on a privileged workflow ($@) | .github/workflows/reusable_caller3.yaml:4:3:4:21 | pull_request_target | pull_request_target | +| .github/workflows/test7.yml:19:9:24:6 | Uses Step | .github/workflows/test7.yml:19:9:24:6 | Uses Step | .github/workflows/test7.yml:33:9:36:6 | Run Step | Potential execution of untrusted code on a privileged workflow ($@) | .github/workflows/test7.yml:4:3:4:15 | issue_comment | issue_comment | +| .github/workflows/test7.yml:19:9:24:6 | Uses Step | .github/workflows/test7.yml:19:9:24:6 | Uses Step | .github/workflows/test7.yml:36:9:39:6 | Run Step | Potential execution of untrusted code on a privileged workflow ($@) | .github/workflows/test7.yml:4:3:4:15 | issue_comment | issue_comment | +| .github/workflows/test7.yml:19:9:24:6 | Uses Step | .github/workflows/test7.yml:19:9:24:6 | Uses Step | .github/workflows/test7.yml:49:9:59:6 | Run Step: benchmark-pr | Potential execution of untrusted code on a privileged workflow ($@) | .github/workflows/test7.yml:4:3:4:15 | issue_comment | issue_comment | +| .github/workflows/test7.yml:19:9:24:6 | Uses Step | .github/workflows/test7.yml:19:9:24:6 | Uses Step | .github/workflows/test7.yml:59:9:60:6 | Run Step | Potential execution of untrusted code on a privileged workflow ($@) | .github/workflows/test7.yml:4:3:4:15 | issue_comment | issue_comment | +| .github/workflows/test7.yml:19:9:24:6 | Uses Step | .github/workflows/test7.yml:19:9:24:6 | Uses Step | .github/workflows/test7.yml:60:9:60:37 | Run Step | Potential execution of untrusted code on a privileged workflow ($@) | .github/workflows/test7.yml:4:3:4:15 | issue_comment | issue_comment | +| .github/workflows/test10.yml:20:9:25:6 | Uses Step | .github/workflows/test10.yml:20:9:25:6 | Uses Step | .github/workflows/test10.yml:25:9:30:2 | Run Step | Potential execution of untrusted code on a privileged workflow ($@) | .github/workflows/test10.yml:8:3:8:21 | pull_request_target | pull_request_target | +| .github/workflows/test11.yml:84:7:90:4 | Uses Step | .github/workflows/test11.yml:84:7:90:4 | Uses Step | .github/workflows/test11.yml:90:7:93:54 | Uses Step | Potential execution of untrusted code on a privileged workflow ($@) | .github/workflows/test11.yml:5:3:5:15 | issue_comment | issue_comment | +| .github/workflows/test17.yml:12:15:19:12 | Uses Step | .github/workflows/test17.yml:12:15:19:12 | Uses Step | .github/workflows/test17.yml:19:15:23:58 | Uses Step | Potential execution of untrusted code on a privileged workflow ($@) | .github/workflows/test17.yml:3:5:3:16 | workflow_run | workflow_run | +| .github/workflows/test27.yml:18:9:21:6 | Uses Step | .github/workflows/test27.yml:18:9:21:6 | Uses Step | .github/workflows/test27.yml:21:9:22:16 | Run Step | Potential execution of untrusted code on a privileged workflow ($@) | .github/workflows/test26.yml:4:3:4:14 | workflow_run | workflow_run | +| .github/workflows/test29.yml:8:7:14:4 | Uses Step | .github/workflows/test29.yml:8:7:14:4 | Uses Step | .github/workflows/test29.yml:14:7:21:11 | Uses Step | Potential execution of untrusted code on a privileged workflow ($@) | .github/workflows/test29.yml:1:5:1:23 | pull_request_target | pull_request_target | +| .github/workflows/untrusted_checkout4.yml:29:7:35:4 | Uses Step | .github/workflows/untrusted_checkout4.yml:29:7:35:4 | Uses Step | .github/workflows/untrusted_checkout4.yml:35:7:41:4 | Run Step | Potential execution of untrusted code on a privileged workflow ($@) | .github/workflows/untrusted_checkout4.yml:2:3:2:15 | issue_comment | issue_comment | +| .github/workflows/untrusted_checkout4.yml:29:7:35:4 | Uses Step | .github/workflows/untrusted_checkout4.yml:29:7:35:4 | Uses Step | .github/workflows/untrusted_checkout4.yml:41:7:47:4 | Run Step | Potential execution of untrusted code on a privileged workflow ($@) | .github/workflows/untrusted_checkout4.yml:2:3:2:15 | issue_comment | issue_comment | +| .github/workflows/untrusted_checkout4.yml:29:7:35:4 | Uses Step | .github/workflows/untrusted_checkout4.yml:29:7:35:4 | Uses Step | .github/workflows/untrusted_checkout4.yml:47:7:51:46 | Run Step | Potential execution of untrusted code on a privileged workflow ($@) | .github/workflows/untrusted_checkout4.yml:2:3:2:15 | issue_comment | issue_comment | +| .github/workflows/untrusted_checkout.yml:8:9:11:6 | Uses Step | .github/workflows/untrusted_checkout.yml:8:9:11:6 | Uses Step | .github/workflows/untrusted_checkout.yml:15:9:18:2 | Run Step | Potential execution of untrusted code on a privileged workflow ($@) | .github/workflows/untrusted_checkout.yml:2:3:2:21 | pull_request_target | pull_request_target | +| .github/workflows/untrusted_checkout.yml:23:9:26:6 | Uses Step | .github/workflows/untrusted_checkout.yml:23:9:26:6 | Uses Step | .github/workflows/untrusted_checkout.yml:30:9:32:23 | Run Step | Potential execution of untrusted code on a privileged workflow ($@) | .github/workflows/untrusted_checkout.yml:2:3:2:21 | pull_request_target | pull_request_target | From 7ef9e1b9392bae7c88bf7fb7c1f65c8036470eec Mon Sep 17 00:00:00 2001 From: Anders Schack-Mulligen Date: Fri, 17 Apr 2026 15:19:40 +0200 Subject: [PATCH 07/46] C#: Rename SsaImpl input. --- .../ql/lib/semmle/code/csharp/dataflow/internal/SsaImpl.qll | 6 +++--- 1 file changed, 3 insertions(+), 3 deletions(-) diff --git a/csharp/ql/lib/semmle/code/csharp/dataflow/internal/SsaImpl.qll b/csharp/ql/lib/semmle/code/csharp/dataflow/internal/SsaImpl.qll index b3a95977be9..274c495cf56 100644 --- a/csharp/ql/lib/semmle/code/csharp/dataflow/internal/SsaImpl.qll +++ b/csharp/ql/lib/semmle/code/csharp/dataflow/internal/SsaImpl.qll @@ -9,7 +9,7 @@ private import semmle.code.csharp.controlflow.Guards as Guards private import semmle.code.csharp.dataflow.internal.BaseSSA private import semmle.code.csharp.internal.Location -private module SsaInput implements SsaImplCommon::InputSig { +private module SsaImplInput implements SsaImplCommon::InputSig { class SourceVariable = Ssa::SourceVariable; /** @@ -41,7 +41,7 @@ private module SsaInput implements SsaImplCommon::InputSig } } -import SsaImplCommon::Make as Impl +import SsaImplCommon::Make as Impl class Definition = Impl::Definition; @@ -815,7 +815,7 @@ private module Cached { predicate variableWriteQualifier( BasicBlock bb, int i, QualifiedFieldOrPropSourceVariable v, boolean certain ) { - SsaInput::variableWrite(bb, i, v.getQualifier(), certain) and + SsaImplInput::variableWrite(bb, i, v.getQualifier(), certain) and // Eliminate corner case where a call definition can overlap with a // qualifier definition: if method `M` updates field `F`, then a call // to `M` is both an update of `x.M` and `x.M.M`, so the former call From 72d21a9a56c885f054cd2b4bcd0614f6e0586639 Mon Sep 17 00:00:00 2001 From: Anders Schack-Mulligen Date: Fri, 17 Apr 2026 15:25:22 +0200 Subject: [PATCH 08/46] C#: Instantiate shared SSA wrappers. --- .../lib/semmle/code/csharp/dataflow/SSA.qll | 4 ++- .../code/csharp/dataflow/internal/BaseSSA.qll | 25 ++++++++------ .../code/csharp/dataflow/internal/SsaImpl.qll | 33 +++++++++++++++++++ 3 files changed, 51 insertions(+), 11 deletions(-) diff --git a/csharp/ql/lib/semmle/code/csharp/dataflow/SSA.qll b/csharp/ql/lib/semmle/code/csharp/dataflow/SSA.qll index 8f5b04c6708..7670774da98 100644 --- a/csharp/ql/lib/semmle/code/csharp/dataflow/SSA.qll +++ b/csharp/ql/lib/semmle/code/csharp/dataflow/SSA.qll @@ -3,12 +3,14 @@ */ import csharp +private import internal.SsaImpl as SsaImpl +import SsaImpl::Ssa_ /** * Provides classes for working with static single assignment (SSA) form. */ module Ssa { - private import internal.SsaImpl as SsaImpl + import SsaImpl::Ssa_ pragma[nomagic] private predicate assignableDefinitionLocalScopeVariable( diff --git a/csharp/ql/lib/semmle/code/csharp/dataflow/internal/BaseSSA.qll b/csharp/ql/lib/semmle/code/csharp/dataflow/internal/BaseSSA.qll index 63a9e782250..0e879ac9412 100644 --- a/csharp/ql/lib/semmle/code/csharp/dataflow/internal/BaseSSA.qll +++ b/csharp/ql/lib/semmle/code/csharp/dataflow/internal/BaseSSA.qll @@ -1,9 +1,20 @@ -import csharp +private import csharp as CS /** * Provides a simple SSA implementation for local scope variables. */ module BaseSsa { + private import BaseSsaImpl + + class SimpleLocalScopeVariable = BaseSsaImpl::SimpleLocalScopeVariable; + + module Ssa = SsaImpl::MakeSsa; + + import Ssa +} + +private module BaseSsaImpl { + private import CS private import AssignableDefinitions private import codeql.ssa.Ssa as SsaImplCommon @@ -13,7 +24,7 @@ module BaseSsa { predicate ref() { any() } cached - predicate backref() { (exists(any(SsaDefinition def).getARead()) implies any()) } + predicate backref() { (exists(any(BaseSsa::SsaDefinition def).getARead()) implies any()) } } /** @@ -112,11 +123,9 @@ module BaseSsa { } } - private module SsaImpl = SsaImplCommon::Make; - - private module SsaInput implements SsaImpl::SsaInputSig { - private import csharp as CS + module SsaImpl = SsaImplCommon::Make; + module SsaInput implements SsaImpl::SsaInputSig { class Expr = CS::Expr; class Parameter = CS::Parameter; @@ -139,8 +148,4 @@ module BaseSsa { w.isParameterInit(v) } } - - module Ssa = SsaImpl::MakeSsa; - - import Ssa } diff --git a/csharp/ql/lib/semmle/code/csharp/dataflow/internal/SsaImpl.qll b/csharp/ql/lib/semmle/code/csharp/dataflow/internal/SsaImpl.qll index 274c495cf56..0c2ecf96b8f 100644 --- a/csharp/ql/lib/semmle/code/csharp/dataflow/internal/SsaImpl.qll +++ b/csharp/ql/lib/semmle/code/csharp/dataflow/internal/SsaImpl.qll @@ -43,6 +43,39 @@ private module SsaImplInput implements SsaImplCommon::InputSig as Impl +private module SsaInput implements Impl::SsaInputSig { + private import csharp as CS + + class Expr = CS::Expr; + + class Parameter = CS::Parameter; + + class VariableWrite extends AssignableDefinition { + Expr asExpr() { result = this.getExpr() } + + Expr getValue() { result = this.getSource() } + + predicate isParameterInit(Parameter p) { this.(ImplicitParameterDefinition).getParameter() = p } + } + + predicate explicitWrite(VariableWrite w, BasicBlock bb, int i, SsaImplInput::SourceVariable v) { + exists(AssignableDefinition ad | variableDefinition(bb, i, v, ad) | + w = ad or + w = getASameOutRefDefAfter(v, ad) + ) + or + exists(Parameter p | + implicitEntryDefinition(bb, v) and + i = -1 and + p = v.getAssignable() and + pragma[only_bind_out](p.getCallable()) = pragma[only_bind_out](v.getEnclosingCallable()) and + w.isParameterInit(p) + ) + } +} + +module Ssa_ = Impl::MakeSsa; + class Definition = Impl::Definition; class WriteDefinition = Impl::WriteDefinition; From e5d219a039342f15d64d3a49ece1e1c5fbf3aa79 Mon Sep 17 00:00:00 2001 From: Anders Schack-Mulligen Date: Thu, 23 Apr 2026 13:38:28 +0200 Subject: [PATCH 09/46] C#: Simplify library instantiations. --- .../controlflow/ControlFlowReachability.qll | 12 +----------- .../semmle/code/csharp/controlflow/Guards.qll | 18 +----------------- .../semmle/code/csharp/dataflow/Nullness.qll | 4 ++-- 3 files changed, 4 insertions(+), 30 deletions(-) diff --git a/csharp/ql/lib/semmle/code/csharp/controlflow/ControlFlowReachability.qll b/csharp/ql/lib/semmle/code/csharp/controlflow/ControlFlowReachability.qll index 33d96a61fc7..4ec4dad9e1b 100644 --- a/csharp/ql/lib/semmle/code/csharp/controlflow/ControlFlowReachability.qll +++ b/csharp/ql/lib/semmle/code/csharp/controlflow/ControlFlowReachability.qll @@ -26,17 +26,7 @@ private module ControlFlowInput implements InputSig; class GuardValue = GuardsImpl::GuardValue; private module LogicInput implements GuardsImpl::LogicInputSig { - class SsaDefinition extends Ssa::Definition { - Expr getARead() { super.getARead() = result } - } - - class SsaExplicitWrite extends SsaDefinition instanceof Ssa::ExplicitDefinition { - Expr getValue() { result = super.getADefinition().getSource() } - } - - class SsaPhiDefinition extends SsaDefinition instanceof Ssa::PhiNode { - predicate hasInputFromBlock(SsaDefinition inp, BasicBlock bb) { - super.hasInputFromBlock(inp, bb) - } - } - - class SsaParameterInit extends SsaDefinition instanceof Ssa::ParameterDefinition { - Parameter getParameter() { result = super.getParameter() } - } + import Ssa predicate additionalNullCheck(GuardsImpl::PreGuard guard, GuardValue val, Expr e, boolean isNull) { // Comparison with a non-`null` value, for example `x?.Length > 0` diff --git a/csharp/ql/lib/semmle/code/csharp/dataflow/Nullness.qll b/csharp/ql/lib/semmle/code/csharp/dataflow/Nullness.qll index 63205e52ae5..6cd4fe31113 100644 --- a/csharp/ql/lib/semmle/code/csharp/dataflow/Nullness.qll +++ b/csharp/ql/lib/semmle/code/csharp/dataflow/Nullness.qll @@ -250,9 +250,9 @@ private predicate defReaches(Ssa::Definition def, ControlFlowNode cfn) { } private module NullnessConfig implements ControlFlowReachability::ConfigSig { - predicate source(ControlFlowNode node, Ssa::Definition def) { defMaybeNull(def, node, _, _) } + predicate source(ControlFlowNode node, SsaDefinition def) { defMaybeNull(def, node, _, _) } - predicate sink(ControlFlowNode node, Ssa::Definition def) { + predicate sink(ControlFlowNode node, SsaDefinition def) { exists(Dereference d | dereferenceAt(node, def, d) and not d instanceof NonNullExpr From fb438bf5127bd058de75f35e8d31897c84c5a08c Mon Sep 17 00:00:00 2001 From: Anders Schack-Mulligen Date: Thu, 23 Apr 2026 14:25:43 +0200 Subject: [PATCH 10/46] C#: Remove references to getAFirstReadAtNode. --- csharp/ql/lib/semmle/code/csharp/Assignable.qll | 6 +----- csharp/ql/lib/semmle/code/csharp/dataflow/Nullness.qll | 2 +- 2 files changed, 2 insertions(+), 6 deletions(-) diff --git a/csharp/ql/lib/semmle/code/csharp/Assignable.qll b/csharp/ql/lib/semmle/code/csharp/Assignable.qll index d2df0a5a05e..a86e9d6de5c 100644 --- a/csharp/ql/lib/semmle/code/csharp/Assignable.qll +++ b/csharp/ql/lib/semmle/code/csharp/Assignable.qll @@ -500,11 +500,7 @@ class AssignableDefinition extends TAssignableDefinition { */ pragma[nomagic] AssignableRead getAFirstRead() { - exists(ControlFlowNode cfn | cfn = result.getControlFlowNode() | - exists(Ssa::ExplicitDefinition def | result = def.getAFirstReadAtNode(cfn) | - this = def.getADefinition() - ) - ) + exists(Ssa::ExplicitDefinition def | result = def.getAFirstRead() | this = def.getADefinition()) } /** Gets a textual representation of this assignable definition. */ diff --git a/csharp/ql/lib/semmle/code/csharp/dataflow/Nullness.qll b/csharp/ql/lib/semmle/code/csharp/dataflow/Nullness.qll index 6cd4fe31113..693a91a3ce5 100644 --- a/csharp/ql/lib/semmle/code/csharp/dataflow/Nullness.qll +++ b/csharp/ql/lib/semmle/code/csharp/dataflow/Nullness.qll @@ -241,7 +241,7 @@ private Ssa::Definition getAnUltimateDefinition(Ssa::Definition def) { * exception. */ private predicate defReaches(Ssa::Definition def, ControlFlowNode cfn) { - exists(def.getAFirstReadAtNode(cfn)) + def.getAFirstRead().getControlFlowNode() = cfn or exists(ControlFlowNode mid | defReaches(def, mid) | SsaImpl::adjacentReadPairSameVar(_, mid, cfn) and From 83c7a33e53c2d300820c3afaefad0d384c1ff696 Mon Sep 17 00:00:00 2001 From: Anders Schack-Mulligen Date: Thu, 23 Apr 2026 14:45:46 +0200 Subject: [PATCH 11/46] C#: Deprecate member predicates Definition.getAFirstRead and getAFirstReadAtNode. --- .../ql/lib/semmle/code/csharp/Assignable.qll | 4 +- .../semmle/code/csharp/dataflow/Nullness.qll | 2 +- .../lib/semmle/code/csharp/dataflow/SSA.qll | 49 ++++++++++++++++++- .../dataflow/defuse/useUseEquivalence.ql | 4 +- 4 files changed, 53 insertions(+), 6 deletions(-) diff --git a/csharp/ql/lib/semmle/code/csharp/Assignable.qll b/csharp/ql/lib/semmle/code/csharp/Assignable.qll index a86e9d6de5c..066cdeaed15 100644 --- a/csharp/ql/lib/semmle/code/csharp/Assignable.qll +++ b/csharp/ql/lib/semmle/code/csharp/Assignable.qll @@ -500,7 +500,9 @@ class AssignableDefinition extends TAssignableDefinition { */ pragma[nomagic] AssignableRead getAFirstRead() { - exists(Ssa::ExplicitDefinition def | result = def.getAFirstRead() | this = def.getADefinition()) + exists(Ssa::ExplicitDefinition def | result = Ssa::ssaGetAFirstUse(def) | + this = def.getADefinition() + ) } /** Gets a textual representation of this assignable definition. */ diff --git a/csharp/ql/lib/semmle/code/csharp/dataflow/Nullness.qll b/csharp/ql/lib/semmle/code/csharp/dataflow/Nullness.qll index 693a91a3ce5..726f695e9b7 100644 --- a/csharp/ql/lib/semmle/code/csharp/dataflow/Nullness.qll +++ b/csharp/ql/lib/semmle/code/csharp/dataflow/Nullness.qll @@ -241,7 +241,7 @@ private Ssa::Definition getAnUltimateDefinition(Ssa::Definition def) { * exception. */ private predicate defReaches(Ssa::Definition def, ControlFlowNode cfn) { - def.getAFirstRead().getControlFlowNode() = cfn + Ssa::ssaGetAFirstUse(def).getControlFlowNode() = cfn or exists(ControlFlowNode mid | defReaches(def, mid) | SsaImpl::adjacentReadPairSameVar(_, mid, cfn) and diff --git a/csharp/ql/lib/semmle/code/csharp/dataflow/SSA.qll b/csharp/ql/lib/semmle/code/csharp/dataflow/SSA.qll index 7670774da98..9568adf6c27 100644 --- a/csharp/ql/lib/semmle/code/csharp/dataflow/SSA.qll +++ b/csharp/ql/lib/semmle/code/csharp/dataflow/SSA.qll @@ -149,6 +149,47 @@ module Ssa { } } + /** + * Gets a read of the source variable underlying the SSA definition `def` + * that can be reached from `def` without passing through any + * other SSA definition or read. Example: + * + * ```csharp + * int Field; + * + * void SetField(int i) { + * this.Field = i; + * Use(this.Field); + * if (i > 0) + * this.Field = i - 1; + * else if (i < 0) + * SetField(1); + * Use(this.Field); + * Use(this.Field); + * } + * ``` + * + * - The read of `i` on line 4 can be reached from the explicit SSA + * definition (wrapping an implicit entry definition) on line 3. + * - The reads of `i` on lines 6 and 7 are not the first reads of any SSA + * definition. + * - The read of `this.Field` on line 5 can be reached from the explicit SSA + * definition on line 4. + * - The read of `this.Field` on line 10 can be reached from the phi node + * between lines 9 and 10. + * - The read of `this.Field` on line 11 is not the first read of any SSA + * definition. + * + * Subsequent reads can be found by following the steps defined by + * `AssignableRead.getANextRead()`. + */ + AssignableRead ssaGetAFirstUse(SsaDefinition def) { + exists(ControlFlowNode cfn | + SsaImpl::firstReadSameVar(def, cfn) and + result.getControlFlowNode() = cfn + ) + } + /** * A static single assignment (SSA) definition. Either an explicit variable * definition (`ExplicitDefinition`), an implicit variable definition @@ -229,6 +270,8 @@ module Ssa { } /** + * DEPRECATED: Use `ssaGetAFirstUse` instead. + * * Gets a read of the source variable underlying this SSA definition that * can be reached from this SSA definition without passing through any * other SSA definition or read. Example: @@ -262,9 +305,11 @@ module Ssa { * Subsequent reads can be found by following the steps defined by * `AssignableRead.getANextRead()`. */ - final AssignableRead getAFirstRead() { result = this.getAFirstReadAtNode(_) } + deprecated final AssignableRead getAFirstRead() { result = this.getAFirstReadAtNode(_) } /** + * DEPRECATED: Use `ssaGetAFirstUse` instead. + * * Gets a read of the source variable underlying this SSA definition at * control flow node `cfn` that can be reached from this SSA definition * without passing through any other SSA definition or read. Example: @@ -298,7 +343,7 @@ module Ssa { * Subsequent reads can be found by following the steps defined by * `AssignableRead.getANextRead()`. */ - final AssignableRead getAFirstReadAtNode(ControlFlowNode cfn) { + deprecated final AssignableRead getAFirstReadAtNode(ControlFlowNode cfn) { SsaImpl::firstReadSameVar(this, cfn) and result.getControlFlowNode() = cfn } diff --git a/csharp/ql/test/library-tests/dataflow/defuse/useUseEquivalence.ql b/csharp/ql/test/library-tests/dataflow/defuse/useUseEquivalence.ql index bc3d6d422a6..b6610aa2554 100644 --- a/csharp/ql/test/library-tests/dataflow/defuse/useUseEquivalence.ql +++ b/csharp/ql/test/library-tests/dataflow/defuse/useUseEquivalence.ql @@ -42,9 +42,9 @@ private TLocalScopeVariableReadOrSsaDef getANextReadOrDef(TLocalScopeVariableRea ) or exists(Ssa::Definition ssaDef | prev = TSsaDefinition(ssaDef) | - result = TLocalScopeVariableRead(ssaDef.getAFirstRead()) + result = TLocalScopeVariableRead(Ssa::ssaGetAFirstUse(ssaDef)) or - not exists(ssaDef.getAFirstRead()) and + not exists(Ssa::ssaGetAFirstUse(ssaDef)) and exists(Ssa::PhiNode phi | phi.getAnInput() = ssaDef and result = TSsaDefinition(phi) From 2545f06b525a076d897789d3fbc420f83a671a98 Mon Sep 17 00:00:00 2001 From: Anders Schack-Mulligen Date: Thu, 23 Apr 2026 14:59:01 +0200 Subject: [PATCH 12/46] C#: Deprecate member predicate Definition.getAReadAtNode. --- .../lib/semmle/code/csharp/controlflow/Guards.qll | 2 +- .../lib/semmle/code/csharp/dataflow/Nullness.qll | 14 +++++++------- csharp/ql/lib/semmle/code/csharp/dataflow/SSA.qll | 6 ++++-- .../csharp/dataflow/internal/DataFlowPrivate.qll | 2 +- .../rangeanalysis/SignAnalysisSpecific.qll | 2 +- .../dataflow/internal/rangeanalysis/SsaUtils.qll | 6 +++--- 6 files changed, 17 insertions(+), 15 deletions(-) diff --git a/csharp/ql/lib/semmle/code/csharp/controlflow/Guards.qll b/csharp/ql/lib/semmle/code/csharp/controlflow/Guards.qll index 296df458ff2..45a73f008dd 100644 --- a/csharp/ql/lib/semmle/code/csharp/controlflow/Guards.qll +++ b/csharp/ql/lib/semmle/code/csharp/controlflow/Guards.qll @@ -586,7 +586,7 @@ private Ssa::Definition getAnSsaQualifier(Expr e, ControlFlowNode cfn) { } private AssignableAccess getATrackedAccess(Ssa::Definition def, ControlFlowNode cfn) { - result = def.getAReadAtNode(cfn) + result = def.getARead() and cfn = result.getControlFlowNode() or result = def.(Ssa::ExplicitDefinition).getADefinition().getTargetAccess() and cfn = def.getControlFlowNode() diff --git a/csharp/ql/lib/semmle/code/csharp/dataflow/Nullness.qll b/csharp/ql/lib/semmle/code/csharp/dataflow/Nullness.qll index 726f695e9b7..9af83aa767a 100644 --- a/csharp/ql/lib/semmle/code/csharp/dataflow/Nullness.qll +++ b/csharp/ql/lib/semmle/code/csharp/dataflow/Nullness.qll @@ -124,11 +124,9 @@ private predicate nonNullDef(Ssa::ExplicitDefinition def) { } /** - * Holds if `node` is a dereference `d` of SSA definition `def`. + * Holds if `d` is a dereference of SSA definition `def`. */ -private predicate dereferenceAt(ControlFlowNode node, Ssa::Definition def, Dereference d) { - d = def.getAReadAtNode(node) -} +private predicate dereferenceAt(Ssa::Definition def, Dereference d) { d = def.getARead() } private predicate isMaybeNullArgument(Ssa::ParameterDefinition def, MaybeNullExpr arg) { exists(AssignableDefinitions::ImplicitParameterDefinition pdef, Parameter p | @@ -214,7 +212,7 @@ private predicate defMaybeNull(Ssa::Definition def, ControlFlowNode node, string ) or // A variable of nullable type may be null - exists(Dereference d | dereferenceAt(_, def, d) | + exists(Dereference d | dereferenceAt(def, d) | node = def.getControlFlowNode() and d.hasNullableType() and not def instanceof Ssa::PhiNode and @@ -254,7 +252,8 @@ private module NullnessConfig implements ControlFlowReachability::ConfigSig { predicate sink(ControlFlowNode node, SsaDefinition def) { exists(Dereference d | - dereferenceAt(node, def, d) and + dereferenceAt(def, d) and + node = d.getControlFlowNode() and not d instanceof NonNullExpr ) } @@ -271,7 +270,8 @@ predicate maybeNullDeref(Dereference d, Ssa::SourceVariable v, string msg, Eleme defMaybeNull(origin, src, msg, reason) and NullnessFlow::flow(src, origin, sink, ssa) and ssa.getSourceVariable() = v and - dereferenceAt(sink, ssa, d) and + dereferenceAt(ssa, d) and + sink = d.getControlFlowNode() and not d.isAlwaysNull(v) ) } diff --git a/csharp/ql/lib/semmle/code/csharp/dataflow/SSA.qll b/csharp/ql/lib/semmle/code/csharp/dataflow/SSA.qll index 9568adf6c27..7d8809a700c 100644 --- a/csharp/ql/lib/semmle/code/csharp/dataflow/SSA.qll +++ b/csharp/ql/lib/semmle/code/csharp/dataflow/SSA.qll @@ -236,9 +236,11 @@ module Ssa { * - The reads of `this.Field` on lines 10 and 11 can be reached from the phi * node between lines 9 and 10. */ - final AssignableRead getARead() { result = this.getAReadAtNode(_) } + final AssignableRead getARead() { result = SsaImpl::getAReadAtNode(this, _) } /** + * DEPRECATED: Use `getARead()` instead. + * * Gets a read of the source variable underlying this SSA definition at * control flow node `cfn` that can be reached from this SSA definition * without passing through any other SSA definitions. Example: @@ -265,7 +267,7 @@ module Ssa { * - The reads of `this.Field` on lines 10 and 11 can be reached from the phi * node between lines 9 and 10. */ - final AssignableRead getAReadAtNode(ControlFlowNode cfn) { + deprecated final AssignableRead getAReadAtNode(ControlFlowNode cfn) { result = SsaImpl::getAReadAtNode(this, cfn) } diff --git a/csharp/ql/lib/semmle/code/csharp/dataflow/internal/DataFlowPrivate.qll b/csharp/ql/lib/semmle/code/csharp/dataflow/internal/DataFlowPrivate.qll index c4d2a844103..c498d4aa3a9 100644 --- a/csharp/ql/lib/semmle/code/csharp/dataflow/internal/DataFlowPrivate.qll +++ b/csharp/ql/lib/semmle/code/csharp/dataflow/internal/DataFlowPrivate.qll @@ -273,7 +273,7 @@ module VariableCapture { exists(Ssa::Definition def, AssignableDefinition adef | LocalFlow::defAssigns(adef, _, _, e1) and def.getAnUltimateDefinition().(Ssa::ExplicitDefinition).getADefinition() = adef and - exists(def.getAReadAtNode(e2)) + def.getARead().getControlFlowNode() = e2 ) } diff --git a/csharp/ql/lib/semmle/code/csharp/dataflow/internal/rangeanalysis/SignAnalysisSpecific.qll b/csharp/ql/lib/semmle/code/csharp/dataflow/internal/rangeanalysis/SignAnalysisSpecific.qll index f6dd4911256..96245e460c7 100644 --- a/csharp/ql/lib/semmle/code/csharp/dataflow/internal/rangeanalysis/SignAnalysisSpecific.qll +++ b/csharp/ql/lib/semmle/code/csharp/dataflow/internal/rangeanalysis/SignAnalysisSpecific.qll @@ -245,7 +245,7 @@ private module Impl { ) } - ExprNode getARead(Ssa::Definition v) { exists(v.getAReadAtNode(result)) } + ExprNode getARead(Ssa::Definition v) { v.getARead().getControlFlowNode() = result } Field getField(ExprNode fa) { result = fa.getExpr().(FieldAccess).getTarget() } diff --git a/csharp/ql/lib/semmle/code/csharp/dataflow/internal/rangeanalysis/SsaUtils.qll b/csharp/ql/lib/semmle/code/csharp/dataflow/internal/rangeanalysis/SsaUtils.qll index 55267fad17c..9ff12625a06 100644 --- a/csharp/ql/lib/semmle/code/csharp/dataflow/internal/rangeanalysis/SsaUtils.qll +++ b/csharp/ql/lib/semmle/code/csharp/dataflow/internal/rangeanalysis/SsaUtils.qll @@ -12,13 +12,13 @@ private class ExprNode = ControlFlowNodes::ExprNode; /** An SSA variable. */ class SsaVariable extends Definition { /** Gets a read of this SSA variable. */ - ExprNode getAUse() { exists(this.getAReadAtNode(result)) } + ExprNode getAUse() { this.getARead().getControlFlowNode() = result } } /** Gets a node that reads `src` via an SSA explicit definition. */ ExprNode getAnExplicitDefinitionRead(ExprNode src) { exists(ExplicitDefinition def | - exists(def.getAReadAtNode(result)) and + def.getARead().getControlFlowNode() = result and hasChild(def.getElement(), def.getADefinition().getSource(), def.getControlFlowNode(), src) ) } @@ -27,7 +27,7 @@ ExprNode getAnExplicitDefinitionRead(ExprNode src) { * Gets an expression that equals `v - delta`. */ ExprNode ssaRead(Definition v, int delta) { - exists(v.getAReadAtNode(result)) and delta = 0 + v.getARead().getControlFlowNode() = result and delta = 0 or exists(ExprNode::AddOperation add, int d1, ConstantIntegerExpr c | result = add and From c88a22ccf8e40cb80a94a278736229900bb8a9fd Mon Sep 17 00:00:00 2001 From: Anders Schack-Mulligen Date: Thu, 23 Apr 2026 16:21:29 +0200 Subject: [PATCH 13/46] C#: Replace most uses of Ssa::Definition with SsaDefinition. --- .../semmle/code/csharp/controlflow/Guards.qll | 24 ++++++++--------- .../semmle/code/csharp/dataflow/Nullness.qll | 26 +++++++++---------- .../dataflow/internal/DataFlowPrivate.qll | 4 +-- .../code/csharp/dataflow/internal/SsaImpl.qll | 4 +-- .../internal/rangeanalysis/RangeUtils.qll | 2 +- .../rangeanalysis/SignAnalysisSpecific.qll | 4 +-- .../rangeanalysis/SsaReadPositionSpecific.qll | 2 +- .../internal/rangeanalysis/SsaUtils.qll | 4 +-- .../Control-Flow/ConstantCondition.ql | 2 +- .../src/Likely Bugs/Dynamic/BadDynamicCall.ql | 2 +- .../ql/test/library-tests/csharp7/DefUse.ql | 2 +- .../dataflow/defuse/defUseEquivalence.ql | 2 +- .../defuse/parameterUseEquivalence.ql | 2 +- .../dataflow/defuse/useUseEquivalence.ql | 6 ++--- .../test/library-tests/dataflow/ssa/SSAPhi.ql | 2 +- .../test/library-tests/dataflow/ssa/SsaDef.ql | 2 +- .../library-tests/dataflow/ssa/SsaRead.ql | 2 +- .../dataflow/ssa/SsaUltimateDef.ql | 2 +- 18 files changed, 47 insertions(+), 47 deletions(-) diff --git a/csharp/ql/lib/semmle/code/csharp/controlflow/Guards.qll b/csharp/ql/lib/semmle/code/csharp/controlflow/Guards.qll index 45a73f008dd..48adada60d8 100644 --- a/csharp/ql/lib/semmle/code/csharp/controlflow/Guards.qll +++ b/csharp/ql/lib/semmle/code/csharp/controlflow/Guards.qll @@ -570,7 +570,7 @@ class AccessOrCallExpr extends Expr { * An expression can have more than one SSA qualifier in the presence * of control flow splitting. */ - Ssa::Definition getAnSsaQualifier(ControlFlowNode cfn) { result = getAnSsaQualifier(this, cfn) } + SsaDefinition getAnSsaQualifier(ControlFlowNode cfn) { result = getAnSsaQualifier(this, cfn) } } private Declaration getDeclarationTarget(Expr e) { @@ -578,14 +578,14 @@ private Declaration getDeclarationTarget(Expr e) { result = e.(Call).getTarget() } -private Ssa::Definition getAnSsaQualifier(Expr e, ControlFlowNode cfn) { +private SsaDefinition getAnSsaQualifier(Expr e, ControlFlowNode cfn) { e = getATrackedAccess(result, cfn) or not e = getATrackedAccess(_, _) and result = getAnSsaQualifier(e.(QualifiableExpr).getQualifier(), cfn) } -private AssignableAccess getATrackedAccess(Ssa::Definition def, ControlFlowNode cfn) { +private AssignableAccess getATrackedAccess(SsaDefinition def, ControlFlowNode cfn) { result = def.getARead() and cfn = result.getControlFlowNode() or result = def.(Ssa::ExplicitDefinition).getADefinition().getTargetAccess() and @@ -593,7 +593,7 @@ private AssignableAccess getATrackedAccess(Ssa::Definition def, ControlFlowNode } private predicate ssaMustHaveValue(Expr e, GuardValue v) { - exists(Ssa::Definition def, BasicBlock bb | + exists(SsaDefinition def, BasicBlock bb | e = def.getARead() and e.getBasicBlock() = bb and Guards::ssaControls(def, bb, v) @@ -825,8 +825,8 @@ module Internal { ) or e = - any(Ssa::Definition def | - forex(Ssa::Definition u | u = def.getAnUltimateDefinition() | nullDef(u)) + any(SsaDefinition def | + forex(SsaDefinition u | u = def.getAnUltimateDefinition() | nullDef(u)) ).getARead() } @@ -840,8 +840,8 @@ module Internal { exists(Expr e1 | nonNullValueImplied(e1) and nonNullValueImpliedUnary(e1, e)) or e = - any(Ssa::Definition def | - forex(Ssa::Definition u | u = def.getAnUltimateDefinition() | nonNullDef(u)) + any(SsaDefinition def | + forex(SsaDefinition u | u = def.getAnUltimateDefinition() | nonNullDef(u)) ).getARead() } @@ -1104,7 +1104,7 @@ module Internal { private predicate nodeIsGuardedBySameSubExprSsaDef0( ControlFlowNode cfn, BasicBlock guardedBB, AccessOrCallExpr guarded, Guard g, ControlFlowNode subCfn, BasicBlock subCfnBB, AccessOrCallExpr sub, GuardValue v, - Ssa::Definition def + SsaDefinition def ) { nodeIsGuardedBySameSubExpr(cfn, guardedBB, guarded, g, sub, v) and def = sub.getAnSsaQualifier(subCfn) and @@ -1114,7 +1114,7 @@ module Internal { pragma[nomagic] private predicate nodeIsGuardedBySameSubExprSsaDef( ControlFlowNode guardedCfn, AccessOrCallExpr guarded, Guard g, ControlFlowNode subCfn, - AccessOrCallExpr sub, GuardValue v, Ssa::Definition def + AccessOrCallExpr sub, GuardValue v, SsaDefinition def ) { exists(BasicBlock guardedBB, BasicBlock subCfnBB | nodeIsGuardedBySameSubExprSsaDef0(guardedCfn, guardedBB, guarded, g, subCfn, subCfnBB, sub, @@ -1133,7 +1133,7 @@ module Internal { cached predicate isGuardedByExpr(AccessOrCallExpr guarded, Guard g, AccessOrCallExpr sub, GuardValue v) { isGuardedByExpr0(guarded, g, sub, v) and - forall(ControlFlowNode subCfn, Ssa::Definition def | + forall(ControlFlowNode subCfn, SsaDefinition def | nodeIsGuardedBySameSubExprSsaDef(_, guarded, g, subCfn, sub, v, def) | def = guarded.getAnSsaQualifier(_) @@ -1145,7 +1145,7 @@ module Internal { ControlFlowNodes::ElementNode guarded, Guard g, AccessOrCallExpr sub, GuardValue v ) { nodeIsGuardedBySameSubExpr(guarded, _, _, g, sub, v) and - forall(ControlFlowNode subCfn, Ssa::Definition def | + forall(ControlFlowNode subCfn, SsaDefinition def | nodeIsGuardedBySameSubExprSsaDef(guarded, _, g, subCfn, sub, v, def) | def = diff --git a/csharp/ql/lib/semmle/code/csharp/dataflow/Nullness.qll b/csharp/ql/lib/semmle/code/csharp/dataflow/Nullness.qll index 9af83aa767a..95dfcf3f0ec 100644 --- a/csharp/ql/lib/semmle/code/csharp/dataflow/Nullness.qll +++ b/csharp/ql/lib/semmle/code/csharp/dataflow/Nullness.qll @@ -67,8 +67,8 @@ class AlwaysNullExpr extends Expr { exists(AlwaysNullExpr e1, AlwaysNullExpr e2 | G::Internal::nullValueImpliedBinary(e1, e2, this)) or this = - any(Ssa::Definition def | - forex(Ssa::Definition u | u = def.getAnUltimateDefinition() | nullDef(u)) + any(SsaDefinition def | + forex(SsaDefinition u | u = def.getAnUltimateDefinition() | nullDef(u)) ).getARead() or exists(Callable target | @@ -94,8 +94,8 @@ class NonNullExpr extends Expr { this instanceof G::NullGuardedExpr or this = - any(Ssa::Definition def | - forex(Ssa::Definition u | u = def.getAnUltimateDefinition() | nonNullDef(u)) + any(SsaDefinition def | + forex(SsaDefinition u | u = def.getAnUltimateDefinition() | nonNullDef(u)) ).getARead() or exists(Callable target | @@ -126,7 +126,7 @@ private predicate nonNullDef(Ssa::ExplicitDefinition def) { /** * Holds if `d` is a dereference of SSA definition `def`. */ -private predicate dereferenceAt(Ssa::Definition def, Dereference d) { d = def.getARead() } +private predicate dereferenceAt(SsaDefinition def, Dereference d) { d = def.getARead() } private predicate isMaybeNullArgument(Ssa::ParameterDefinition def, MaybeNullExpr arg) { exists(AssignableDefinitions::ImplicitParameterDefinition pdef, Parameter p | @@ -180,7 +180,7 @@ private predicate hasMultipleParamsArguments(Call c) { } /** Holds if `def` is an SSA definition that may be `null`. */ -private predicate defMaybeNull(Ssa::Definition def, ControlFlowNode node, string msg, Element reason) { +private predicate defMaybeNull(SsaDefinition def, ControlFlowNode node, string msg, Element reason) { not nonNullDef(def) and ( // A variable compared to `null` might be `null` @@ -222,13 +222,13 @@ private predicate defMaybeNull(Ssa::Definition def, ControlFlowNode node, string ) } -private Ssa::Definition getAPseudoInput(Ssa::Definition def) { +private SsaDefinition getAPseudoInput(SsaDefinition def) { result = def.(Ssa::PhiNode).getAnInput() } // `def.getAnUltimateDefinition()` includes inputs into uncertain // definitions, but we only want inputs into pseudo nodes -private Ssa::Definition getAnUltimateDefinition(Ssa::Definition def) { +private SsaDefinition getAnUltimateDefinition(SsaDefinition def) { result = getAPseudoInput*(def) and not result instanceof Ssa::PhiNode } @@ -238,7 +238,7 @@ private Ssa::Definition getAnUltimateDefinition(Ssa::Definition def) { * through an intermediate dereference that always throws a null reference * exception. */ -private predicate defReaches(Ssa::Definition def, ControlFlowNode cfn) { +private predicate defReaches(SsaDefinition def, ControlFlowNode cfn) { Ssa::ssaGetAFirstUse(def).getControlFlowNode() = cfn or exists(ControlFlowNode mid | defReaches(def, mid) | @@ -266,7 +266,7 @@ private module NullnessConfig implements ControlFlowReachability::ConfigSig { private module NullnessFlow = ControlFlowReachability::Flow; predicate maybeNullDeref(Dereference d, Ssa::SourceVariable v, string msg, Element reason) { - exists(Ssa::Definition origin, Ssa::Definition ssa, ControlFlowNode src, ControlFlowNode sink | + exists(SsaDefinition origin, SsaDefinition ssa, ControlFlowNode src, ControlFlowNode sink | defMaybeNull(origin, src, msg, reason) and NullnessFlow::flow(src, origin, sink, ssa) and ssa.getSourceVariable() = v and @@ -334,8 +334,8 @@ class Dereference extends G::DereferenceableExpr { ) } - private predicate isAlwaysNull0(Ssa::Definition def) { - forall(Ssa::Definition input | input = getAnUltimateDefinition(def) | + private predicate isAlwaysNull0(SsaDefinition def) { + forall(SsaDefinition input | input = getAnUltimateDefinition(def) | input.(Ssa::ExplicitDefinition).getADefinition().getSource() instanceof AlwaysNullExpr ) and not nonNullDef(def) and @@ -352,7 +352,7 @@ class Dereference extends G::DereferenceableExpr { // Exclude fields and properties, as they may not have an accurate SSA representation v.getAssignable() instanceof LocalScopeVariable and ( - forex(Ssa::Definition def0 | this = def0.getARead() | this.isAlwaysNull0(def0)) + forex(SsaDefinition def0 | this = def0.getARead() | this.isAlwaysNull0(def0)) or exists(G::GuardValue nv | this.(G::GuardedExpr).mustHaveValue(nv) and diff --git a/csharp/ql/lib/semmle/code/csharp/dataflow/internal/DataFlowPrivate.qll b/csharp/ql/lib/semmle/code/csharp/dataflow/internal/DataFlowPrivate.qll index c498d4aa3a9..b6a6d398874 100644 --- a/csharp/ql/lib/semmle/code/csharp/dataflow/internal/DataFlowPrivate.qll +++ b/csharp/ql/lib/semmle/code/csharp/dataflow/internal/DataFlowPrivate.qll @@ -270,7 +270,7 @@ module VariableCapture { private predicate closureFlowStep(ControlFlowNodes::ExprNode e1, ControlFlowNodes::ExprNode e2) { e1.getExpr() = LocalFlow::getALastEvalNode(e2.getExpr()) or - exists(Ssa::Definition def, AssignableDefinition adef | + exists(SsaDefinition def, AssignableDefinition adef | LocalFlow::defAssigns(adef, _, _, e1) and def.getAnUltimateDefinition().(Ssa::ExplicitDefinition).getADefinition() = adef and def.getARead().getControlFlowNode() = e2 @@ -2016,7 +2016,7 @@ private class FieldOrPropertyRead extends FieldOrPropertyAccess, AssignableRead * SSA updates. */ predicate hasNonlocalValue() { - exists(Ssa::Definition def, Ssa::ImplicitDefinition idef | + exists(SsaDefinition def, Ssa::ImplicitDefinition idef | def.getARead() = this and idef = def.getAnUltimateDefinition() | diff --git a/csharp/ql/lib/semmle/code/csharp/dataflow/internal/SsaImpl.qll b/csharp/ql/lib/semmle/code/csharp/dataflow/internal/SsaImpl.qll index 0c2ecf96b8f..a4d788001a7 100644 --- a/csharp/ql/lib/semmle/code/csharp/dataflow/internal/SsaImpl.qll +++ b/csharp/ql/lib/semmle/code/csharp/dataflow/internal/SsaImpl.qll @@ -915,9 +915,9 @@ private module Cached { } cached - predicate isLiveOutRefParameterDefinition(Ssa::Definition def, Parameter p) { + predicate isLiveOutRefParameterDefinition(SsaDefinition def, Parameter p) { p.isOutOrRef() and - exists(Ssa::SourceVariable v, Ssa::Definition def0, BasicBlock bb, int i | + exists(Ssa::SourceVariable v, SsaDefinition def0, BasicBlock bb, int i | v = def.getSourceVariable() and p = v.getAssignable() and def = def0.getAnUltimateDefinition() and diff --git a/csharp/ql/lib/semmle/code/csharp/dataflow/internal/rangeanalysis/RangeUtils.qll b/csharp/ql/lib/semmle/code/csharp/dataflow/internal/rangeanalysis/RangeUtils.qll index e53e3a44276..fafb85440a2 100644 --- a/csharp/ql/lib/semmle/code/csharp/dataflow/internal/rangeanalysis/RangeUtils.qll +++ b/csharp/ql/lib/semmle/code/csharp/dataflow/internal/rangeanalysis/RangeUtils.qll @@ -106,7 +106,7 @@ private module Impl { * - `isEq = true` : `def == e + delta` * - `isEq = false` : `def != e + delta` */ - Guard eqFlowCond(Definition def, ExprNode e, int delta, boolean isEq, boolean testIsTrue) { + Guard eqFlowCond(SsaDefinition def, ExprNode e, int delta, boolean isEq, boolean testIsTrue) { exists(boolean eqpolarity | result.isEquality(ssaRead(def, delta), e, eqpolarity) and testIsTrue = [false, true] and diff --git a/csharp/ql/lib/semmle/code/csharp/dataflow/internal/rangeanalysis/SignAnalysisSpecific.qll b/csharp/ql/lib/semmle/code/csharp/dataflow/internal/rangeanalysis/SignAnalysisSpecific.qll index 96245e460c7..55b3ac31aa3 100644 --- a/csharp/ql/lib/semmle/code/csharp/dataflow/internal/rangeanalysis/SignAnalysisSpecific.qll +++ b/csharp/ql/lib/semmle/code/csharp/dataflow/internal/rangeanalysis/SignAnalysisSpecific.qll @@ -13,7 +13,7 @@ module Private { class ConstantIntegerExpr = CU::ConstantIntegerExpr; - class SsaVariable = CS::Ssa::Definition; + class SsaVariable = CS::SsaDefinition; class SsaPhiNode = CS::Ssa::PhiNode; @@ -245,7 +245,7 @@ private module Impl { ) } - ExprNode getARead(Ssa::Definition v) { v.getARead().getControlFlowNode() = result } + ExprNode getARead(SsaDefinition v) { v.getARead().getControlFlowNode() = result } Field getField(ExprNode fa) { result = fa.getExpr().(FieldAccess).getTarget() } diff --git a/csharp/ql/lib/semmle/code/csharp/dataflow/internal/rangeanalysis/SsaReadPositionSpecific.qll b/csharp/ql/lib/semmle/code/csharp/dataflow/internal/rangeanalysis/SsaReadPositionSpecific.qll index 6da6ec8b11e..18c843c0472 100644 --- a/csharp/ql/lib/semmle/code/csharp/dataflow/internal/rangeanalysis/SsaReadPositionSpecific.qll +++ b/csharp/ql/lib/semmle/code/csharp/dataflow/internal/rangeanalysis/SsaReadPositionSpecific.qll @@ -5,7 +5,7 @@ private import csharp as CS private import SsaReadPositionCommon -class SsaVariable = CS::Ssa::Definition; +class SsaVariable = CS::SsaDefinition; class SsaPhiNode = CS::Ssa::PhiNode; diff --git a/csharp/ql/lib/semmle/code/csharp/dataflow/internal/rangeanalysis/SsaUtils.qll b/csharp/ql/lib/semmle/code/csharp/dataflow/internal/rangeanalysis/SsaUtils.qll index 9ff12625a06..5681976a378 100644 --- a/csharp/ql/lib/semmle/code/csharp/dataflow/internal/rangeanalysis/SsaUtils.qll +++ b/csharp/ql/lib/semmle/code/csharp/dataflow/internal/rangeanalysis/SsaUtils.qll @@ -10,7 +10,7 @@ private import ConstantUtils private class ExprNode = ControlFlowNodes::ExprNode; /** An SSA variable. */ -class SsaVariable extends Definition { +class SsaVariable extends SsaDefinition { /** Gets a read of this SSA variable. */ ExprNode getAUse() { this.getARead().getControlFlowNode() = result } } @@ -26,7 +26,7 @@ ExprNode getAnExplicitDefinitionRead(ExprNode src) { /** * Gets an expression that equals `v - delta`. */ -ExprNode ssaRead(Definition v, int delta) { +ExprNode ssaRead(SsaDefinition v, int delta) { v.getARead().getControlFlowNode() = result and delta = 0 or exists(ExprNode::AddOperation add, int d1, ConstantIntegerExpr c | diff --git a/csharp/ql/src/Bad Practices/Control-Flow/ConstantCondition.ql b/csharp/ql/src/Bad Practices/Control-Flow/ConstantCondition.ql index 8e36f4f1ad1..295bdba1f7a 100644 --- a/csharp/ql/src/Bad Practices/Control-Flow/ConstantCondition.ql +++ b/csharp/ql/src/Bad Practices/Control-Flow/ConstantCondition.ql @@ -20,7 +20,7 @@ import semmle.code.csharp.controlflow.Guards as Guards import codeql.controlflow.queries.ConstantCondition as ConstCond module ConstCondInput implements ConstCond::InputSig { - class SsaDefinition = Ssa::Definition; + class SsaDefinition = Ssa::SsaDefinition; class GuardValue = Guards::GuardValue; diff --git a/csharp/ql/src/Likely Bugs/Dynamic/BadDynamicCall.ql b/csharp/ql/src/Likely Bugs/Dynamic/BadDynamicCall.ql index 75f152b38de..4d68f6ee628 100644 --- a/csharp/ql/src/Likely Bugs/Dynamic/BadDynamicCall.ql +++ b/csharp/ql/src/Likely Bugs/Dynamic/BadDynamicCall.ql @@ -36,7 +36,7 @@ abstract class BadDynamicCall extends DynamicExpr { } private Type possibleTypeForRelevantSource(Variable v, int i, Expr source) { - exists(AssignableRead read, Ssa::Definition ssaDef, Ssa::ExplicitDefinition ultimateSsaDef | + exists(AssignableRead read, SsaDefinition ssaDef, Ssa::ExplicitDefinition ultimateSsaDef | read = this.getARelevantVariableAccess(i) and v = read.getTarget() and result = source.getType() and diff --git a/csharp/ql/test/library-tests/csharp7/DefUse.ql b/csharp/ql/test/library-tests/csharp7/DefUse.ql index 5957c009260..e696307be28 100644 --- a/csharp/ql/test/library-tests/csharp7/DefUse.ql +++ b/csharp/ql/test/library-tests/csharp7/DefUse.ql @@ -1,6 +1,6 @@ import csharp -from AssignableDefinition def, AssignableRead read, Ssa::Definition ult, Ssa::Definition ssaDef +from AssignableDefinition def, AssignableRead read, SsaDefinition ult, SsaDefinition ssaDef where ssaDef.getAnUltimateDefinition() = ult and ( diff --git a/csharp/ql/test/library-tests/dataflow/defuse/defUseEquivalence.ql b/csharp/ql/test/library-tests/dataflow/defuse/defUseEquivalence.ql index c69890be8c3..800ae971759 100644 --- a/csharp/ql/test/library-tests/dataflow/defuse/defUseEquivalence.ql +++ b/csharp/ql/test/library-tests/dataflow/defuse/defUseEquivalence.ql @@ -29,7 +29,7 @@ predicate defUsePair(AssignableDefinition def, AssignableRead read) { } private LocalScopeVariableRead getAReachableUncertainRead(AssignableDefinition def) { - exists(Ssa::Definition ssaDef | + exists(SsaDefinition ssaDef | def = ssaDef.getAnUltimateDefinition().(Ssa::ExplicitDefinition).getADefinition() | result = ssaDef.getARead() diff --git a/csharp/ql/test/library-tests/dataflow/defuse/parameterUseEquivalence.ql b/csharp/ql/test/library-tests/dataflow/defuse/parameterUseEquivalence.ql index 896092718a0..10b916ab3f4 100644 --- a/csharp/ql/test/library-tests/dataflow/defuse/parameterUseEquivalence.ql +++ b/csharp/ql/test/library-tests/dataflow/defuse/parameterUseEquivalence.ql @@ -23,7 +23,7 @@ predicate parameterUsePair(Parameter p, AssignableRead read) { private LocalScopeVariableRead getAReachableUncertainRead( AssignableDefinitions::ImplicitParameterDefinition p ) { - exists(Ssa::Definition ssaDef | + exists(SsaDefinition ssaDef | p.getParameter() = ssaDef.getAnUltimateDefinition().(Ssa::ParameterDefinition).getParameter() | result = ssaDef.getARead() diff --git a/csharp/ql/test/library-tests/dataflow/defuse/useUseEquivalence.ql b/csharp/ql/test/library-tests/dataflow/defuse/useUseEquivalence.ql index b6610aa2554..986707c018d 100644 --- a/csharp/ql/test/library-tests/dataflow/defuse/useUseEquivalence.ql +++ b/csharp/ql/test/library-tests/dataflow/defuse/useUseEquivalence.ql @@ -25,14 +25,14 @@ predicate useUsePair(LocalScopeVariableRead read1, LocalScopeVariableRead read2) private newtype TLocalScopeVariableReadOrSsaDef = TLocalScopeVariableRead(LocalScopeVariableRead read) or - TSsaDefinition(Ssa::Definition ssaDef) + TSsaDefinition(SsaDefinition ssaDef) private TLocalScopeVariableReadOrSsaDef getANextReadOrDef(TLocalScopeVariableReadOrSsaDef prev) { exists(LocalScopeVariableRead read | prev = TLocalScopeVariableRead(read) | result = TLocalScopeVariableRead(read.getANextRead()) or not exists(read.getANextRead()) and - exists(Ssa::Definition ssaDef, Ssa::PhiNode phi, BasicBlock bb | + exists(SsaDefinition ssaDef, Ssa::PhiNode phi, BasicBlock bb | ssaDef.getARead() = read and phi.getAnInput() = ssaDef and phi.definesAt(_, bb, _) and @@ -41,7 +41,7 @@ private TLocalScopeVariableReadOrSsaDef getANextReadOrDef(TLocalScopeVariableRea ) ) or - exists(Ssa::Definition ssaDef | prev = TSsaDefinition(ssaDef) | + exists(SsaDefinition ssaDef | prev = TSsaDefinition(ssaDef) | result = TLocalScopeVariableRead(Ssa::ssaGetAFirstUse(ssaDef)) or not exists(Ssa::ssaGetAFirstUse(ssaDef)) and diff --git a/csharp/ql/test/library-tests/dataflow/ssa/SSAPhi.ql b/csharp/ql/test/library-tests/dataflow/ssa/SSAPhi.ql index 90726a62880..db24031365a 100644 --- a/csharp/ql/test/library-tests/dataflow/ssa/SSAPhi.ql +++ b/csharp/ql/test/library-tests/dataflow/ssa/SSAPhi.ql @@ -1,6 +1,6 @@ import csharp -from Ssa::SourceVariable v, Ssa::PhiNode phi, Ssa::Definition input +from Ssa::SourceVariable v, Ssa::PhiNode phi, SsaDefinition input where phi.getAnInput() = input and v = phi.getSourceVariable() diff --git a/csharp/ql/test/library-tests/dataflow/ssa/SsaDef.ql b/csharp/ql/test/library-tests/dataflow/ssa/SsaDef.ql index 5c9205fd68b..87c4f53a56b 100644 --- a/csharp/ql/test/library-tests/dataflow/ssa/SsaDef.ql +++ b/csharp/ql/test/library-tests/dataflow/ssa/SsaDef.ql @@ -1,5 +1,5 @@ import csharp -from Ssa::SourceVariable v, Ssa::Definition def +from Ssa::SourceVariable v, SsaDefinition def where v = def.getSourceVariable() select v, def diff --git a/csharp/ql/test/library-tests/dataflow/ssa/SsaRead.ql b/csharp/ql/test/library-tests/dataflow/ssa/SsaRead.ql index 44e4cdc23d0..1cc573d3277 100644 --- a/csharp/ql/test/library-tests/dataflow/ssa/SsaRead.ql +++ b/csharp/ql/test/library-tests/dataflow/ssa/SsaRead.ql @@ -1,6 +1,6 @@ import csharp -from Ssa::SourceVariable v, Ssa::Definition def, AssignableRead read +from Ssa::SourceVariable v, SsaDefinition def, AssignableRead read where read = def.getARead() and v = def.getSourceVariable() diff --git a/csharp/ql/test/library-tests/dataflow/ssa/SsaUltimateDef.ql b/csharp/ql/test/library-tests/dataflow/ssa/SsaUltimateDef.ql index 5d47aeb4b2c..df565c0edc0 100644 --- a/csharp/ql/test/library-tests/dataflow/ssa/SsaUltimateDef.ql +++ b/csharp/ql/test/library-tests/dataflow/ssa/SsaUltimateDef.ql @@ -1,6 +1,6 @@ import csharp -from Ssa::SourceVariable v, Ssa::Definition def, Ssa::Definition u +from Ssa::SourceVariable v, SsaDefinition def, SsaDefinition u where u = def.getAnUltimateDefinition() and v = def.getSourceVariable() From 9345c44e0f41624750a8d516441d0918d3ba3e9b Mon Sep 17 00:00:00 2001 From: Anders Schack-Mulligen Date: Thu, 23 Apr 2026 16:23:21 +0200 Subject: [PATCH 14/46] C#: Delete test for Definition.getElement. --- .../dataflow/ssa/SsaDefElement.expected | 277 ------------------ .../dataflow/ssa/SsaDefElement.ql | 4 - 2 files changed, 281 deletions(-) delete mode 100644 csharp/ql/test/library-tests/dataflow/ssa/SsaDefElement.expected delete mode 100644 csharp/ql/test/library-tests/dataflow/ssa/SsaDefElement.ql diff --git a/csharp/ql/test/library-tests/dataflow/ssa/SsaDefElement.expected b/csharp/ql/test/library-tests/dataflow/ssa/SsaDefElement.expected deleted file mode 100644 index b6e2beaae69..00000000000 --- a/csharp/ql/test/library-tests/dataflow/ssa/SsaDefElement.expected +++ /dev/null @@ -1,277 +0,0 @@ -| Capture.cs:10:16:27:9 | SSA def(a) | Capture.cs:10:16:27:9 | Action a = ... | -| Capture.cs:17:17:17:21 | SSA def(y) | Capture.cs:17:17:17:21 | Int32 y = ... | -| Capture.cs:19:20:23:13 | SSA def(b) | Capture.cs:19:20:23:13 | Action b = ... | -| Capture.cs:19:24:23:13 | SSA capture def(y) | Capture.cs:19:24:23:13 | (...) => ... | -| Capture.cs:30:16:30:35 | SSA def(c) | Capture.cs:30:16:30:35 | Action c = ... | -| Capture.cs:52:16:52:43 | SSA def(b) | Capture.cs:52:16:52:43 | Action b = ... | -| Capture.cs:57:57:57:63 | SSA param(strings) | Capture.cs:57:57:57:63 | strings | -| Capture.cs:60:27:60:38 | SSA def(e) | Capture.cs:60:27:60:38 | Func e = ... | -| Capture.cs:65:45:65:51 | SSA param(strings) | Capture.cs:65:45:65:51 | strings | -| Capture.cs:68:32:68:32 | SSA param(s) | Capture.cs:68:32:68:32 | s | -| Capture.cs:68:32:68:49 | SSA capture def(c) | Capture.cs:68:32:68:49 | (...) => ... | -| Capture.cs:69:9:69:62 | SSA capture def(c) | Capture.cs:69:9:69:62 | M | -| Capture.cs:69:25:69:25 | SSA param(s) | Capture.cs:69:25:69:25 | s | -| Capture.cs:73:67:73:73 | SSA param(strings) | Capture.cs:73:67:73:73 | strings | -| Capture.cs:76:63:76:81 | SSA def(e) | Capture.cs:76:63:76:81 | Expression> e = ... | -| Capture.cs:81:28:81:28 | SSA param(i) | Capture.cs:81:28:81:28 | i | -| Capture.cs:81:34:81:36 | SSA def(i) | Capture.cs:81:34:81:36 | ...++ | -| Capture.cs:83:65:83:71 | SSA param(strings) | Capture.cs:83:65:83:71 | strings | -| Capture.cs:86:64:86:73 | SSA def(e) | Capture.cs:86:64:86:73 | Expression> e = ... | -| Capture.cs:86:68:86:73 | SSA capture def(b) | Capture.cs:86:68:86:73 | (...) => ... | -| Capture.cs:92:18:92:18 | SSA param(d) | Capture.cs:92:18:92:18 | d | -| Capture.cs:96:12:100:9 | SSA capture def(y) | Capture.cs:96:12:100:9 | (...) => ... | -| Capture.cs:98:17:98:21 | SSA def(x) | Capture.cs:98:17:98:21 | Int32 x = ... | -| Capture.cs:115:9:119:9 | SSA capture def(a) | Capture.cs:115:9:119:9 | M1 | -| Capture.cs:117:17:117:21 | SSA def(x) | Capture.cs:117:17:117:21 | Int32 x = ... | -| Capture.cs:163:9:166:9 | SSA capture def(g) | Capture.cs:163:9:166:9 | M7 | -| Capture.cs:183:13:186:13 | SSA capture def(i) | Capture.cs:183:13:186:13 | M11 | -| Capture.cs:198:28:198:44 | SSA def(eh) | Capture.cs:198:28:198:44 | MyEventHandler eh = ... | -| Capture.cs:198:33:198:44 | SSA capture def(i) | Capture.cs:198:33:198:44 | (...) => ... | -| Capture.cs:203:28:203:45 | SSA def(eh2) | Capture.cs:203:28:203:45 | MyEventHandler eh2 = ... | -| Capture.cs:203:34:203:45 | SSA capture def(i) | Capture.cs:203:34:203:45 | (...) => ... | -| Capture.cs:210:24:210:59 | SSA def(p) | Capture.cs:210:24:210:59 | Process p = ... | -| Capture.cs:212:30:212:71 | SSA def(exited) | Capture.cs:212:30:212:71 | EventHandler exited = ... | -| Capture.cs:212:39:212:71 | SSA capture def(i) | Capture.cs:212:39:212:71 | (...) => ... | -| Capture.cs:251:13:251:17 | SSA def(j) | Capture.cs:251:13:251:17 | ... = ... | -| Consistency.cs:7:25:7:25 | SSA param(b) | Consistency.cs:7:25:7:25 | b | -| Consistency.cs:15:17:15:21 | SSA def(i) | Consistency.cs:15:17:15:21 | Int32 i = ... | -| Consistency.cs:25:29:25:29 | SSA def(c) | Consistency.cs:25:9:25:30 | call to method Out | -| Consistency.cs:25:29:25:29 | SSA qualifier def(c.Field) | Consistency.cs:25:9:25:30 | call to method Out | -| Consistency.cs:32:9:32:29 | SSA def(c) | Consistency.cs:32:9:32:29 | ... = ... | -| Consistency.cs:44:11:44:11 | SSA def(s) | Consistency.cs:44:11:44:11 | S s | -| Consistency.cs:49:30:49:30 | SSA param(a) | Consistency.cs:49:30:49:30 | a | -| Consistency.cs:49:37:49:37 | SSA param(i) | Consistency.cs:49:37:49:37 | i | -| Consistency.cs:51:20:51:20 | SSA param(a) | Consistency.cs:51:20:51:20 | a | -| Consistency.cs:56:17:56:40 | SSA def(k) | Consistency.cs:56:17:56:40 | Int32 k = ... | -| Consistency.cs:57:9:57:13 | SSA def(k) | Consistency.cs:57:9:57:13 | ... = ... | -| Consistency.cs:58:9:58:13 | SSA def(k) | Consistency.cs:58:9:58:13 | ... = ... | -| DefUse.cs:3:26:3:26 | SSA param(w) | DefUse.cs:3:26:3:26 | w | -| DefUse.cs:5:13:5:17 | SSA def(x) | DefUse.cs:5:13:5:17 | Int32 x = ... | -| DefUse.cs:6:14:6:19 | SSA def(y) | DefUse.cs:6:14:6:19 | Int64 y = ... | -| DefUse.cs:13:13:13:18 | SSA def(y) | DefUse.cs:13:13:13:18 | ... = ... | -| DefUse.cs:18:13:18:18 | SSA def(y) | DefUse.cs:18:13:18:18 | ... = ... | -| DefUse.cs:19:13:19:18 | SSA def(w) | DefUse.cs:19:13:19:18 | ... = ... | -| DefUse.cs:28:13:28:18 | SSA def(y) | DefUse.cs:28:13:28:18 | ... = ... | -| DefUse.cs:29:13:29:18 | SSA def(w) | DefUse.cs:29:13:29:18 | ... = ... | -| DefUse.cs:39:13:39:18 | SSA def(y) | DefUse.cs:39:13:39:18 | ... = ... | -| DefUse.cs:44:13:44:17 | SSA def(z) | DefUse.cs:44:13:44:17 | Int32 z = ... | -| DefUse.cs:47:23:47:23 | SSA def(z) | DefUse.cs:47:9:47:24 | call to method outMethod | -| DefUse.cs:50:23:50:23 | SSA def(z) | DefUse.cs:50:9:50:24 | call to method refMethod | -| DefUse.cs:53:9:53:17 | SSA def(this.Field) | DefUse.cs:53:9:53:17 | ... = ... | -| DefUse.cs:56:9:56:16 | SSA def(this.Prop) | DefUse.cs:56:9:56:16 | ... = ... | -| DefUse.cs:63:9:63:18 | SSA def(this.Field2) | DefUse.cs:63:9:63:18 | ... = ... | -| DefUse.cs:66:9:66:18 | SSA def(this.Field3) | DefUse.cs:66:9:66:18 | ... = ... | -| DefUse.cs:67:19:67:27 | SSA def(tc) | DefUse.cs:67:19:67:27 | TestClass tc = ... | -| DefUse.cs:79:13:79:18 | SSA def(x1) | DefUse.cs:79:13:79:18 | Int32 x1 = ... | -| DefUse.cs:80:30:80:31 | SSA def(x1) | DefUse.cs:80:16:80:32 | call to method refMethod | -| DefUse.cs:83:13:83:18 | SSA def(x2) | DefUse.cs:83:13:83:18 | Int32 x2 = ... | -| DefUse.cs:85:15:85:16 | SSA def(x2) | DefUse.cs:84:9:86:17 | call to method refOutMethod | -| DefUse.cs:89:13:89:18 | SSA def(x3) | DefUse.cs:89:13:89:18 | Int32 x3 = ... | -| DefUse.cs:92:15:92:16 | SSA def(x3) | DefUse.cs:91:9:93:17 | call to method refOutMethod | -| DefUse.cs:93:15:93:16 | SSA def(x4) | DefUse.cs:91:9:93:17 | call to method refOutMethod | -| DefUse.cs:97:13:97:18 | SSA def(x5) | DefUse.cs:97:13:97:18 | Int32 x5 = ... | -| DefUse.cs:101:13:101:23 | SSA def(x5) | DefUse.cs:101:13:101:23 | ... = ... | -| DefUse.cs:104:9:104:15 | SSA def(x5) | DefUse.cs:104:9:104:15 | ... += ... | -| DefUse.cs:114:47:114:52 | SSA def(i) | DefUse.cs:114:47:114:52 | ... = ... | -| DefUse.cs:116:47:116:51 | SSA def(i) | DefUse.cs:116:47:116:51 | ... = ... | -| DefUse.cs:118:45:118:45 | SSA param(i) | DefUse.cs:118:45:118:45 | i | -| DefUse.cs:118:61:118:65 | SSA def(j) | DefUse.cs:118:61:118:65 | ... = ... | -| DefUse.cs:118:68:118:72 | SSA def(i) | DefUse.cs:118:68:118:72 | ... = ... | -| DefUse.cs:128:19:128:19 | SSA param(i) | DefUse.cs:128:19:128:19 | i | -| DefUse.cs:134:22:134:22 | SSA param(d) | DefUse.cs:134:22:134:22 | d | -| DefUse.cs:142:68:142:69 | SSA param(ie) | DefUse.cs:142:68:142:69 | ie | -| DefUse.cs:144:22:144:22 | SSA def(x) | DefUse.cs:144:22:144:22 | String x | -| DefUse.cs:155:9:155:18 | SSA def(this.Field4) | DefUse.cs:155:9:155:18 | ... = ... | -| DefUse.cs:160:10:160:16 | SSA entry def(this.Field4) | DefUse.cs:160:10:160:16 | FieldM2 | -| DefUse.cs:171:23:180:9 | SSA def(a) | DefUse.cs:171:23:180:9 | Action a = ... | -| DefUse.cs:184:9:184:18 | SSA def(this.Field5) | DefUse.cs:184:9:184:18 | ... = ... | -| DefUse.cs:186:9:190:9 | SSA def(a) | DefUse.cs:186:9:190:9 | ... = ... | -| DefUse.cs:188:13:188:22 | SSA def(this.Field5) | DefUse.cs:188:13:188:22 | ... = ... | -| DefUse.cs:191:9:191:11 | SSA call def(this.Field5) | DefUse.cs:191:9:191:11 | delegate call | -| DefaultParam.cs:3:20:3:20 | SSA param(b) | DefaultParam.cs:3:20:3:20 | b | -| DefaultParam.cs:3:30:3:30 | SSA param(s) | DefaultParam.cs:3:30:3:30 | s | -| DefaultParam.cs:3:34:3:35 | SSA param_default(s) | DefaultParam.cs:3:34:3:35 | "" | -| DefaultParam.cs:3:42:3:42 | SSA param(i) | DefaultParam.cs:3:42:3:42 | i | -| DefaultParam.cs:3:42:3:42 | SSA phi(s) | DefaultParam.cs:3:42:3:42 | i | -| DefaultParam.cs:3:46:3:46 | SSA param_default(i) | DefaultParam.cs:3:46:3:46 | 0 | -| DefaultParam.cs:4:5:6:5 | SSA phi(i) | DefaultParam.cs:4:5:6:5 | {...} | -| Example.cs:6:23:6:23 | SSA param(i) | Example.cs:6:23:6:23 | i | -| Example.cs:8:9:8:22 | SSA def(this.Field) | Example.cs:8:9:8:22 | ... = ... | -| Example.cs:11:13:11:30 | SSA def(this.Field) | Example.cs:11:13:11:30 | ... = ... | -| Example.cs:13:13:13:23 | SSA call def(this.Field) | Example.cs:13:13:13:23 | call to method SetField | -| Example.cs:18:16:18:16 | SSA param(p) | Example.cs:18:16:18:16 | p | -| Example.cs:18:24:18:24 | SSA param(b) | Example.cs:18:24:18:24 | b | -| Example.cs:23:13:23:17 | SSA def(p) | Example.cs:23:13:23:17 | ... = ... | -| Fields.cs:16:17:16:17 | SSA entry def(this.xs) | Fields.cs:16:17:16:17 | F | -| Fields.cs:19:9:19:13 | SSA call def(this.xs) | Fields.cs:19:9:19:13 | call to method Upd | -| Fields.cs:20:9:20:14 | SSA def(x) | Fields.cs:20:9:20:14 | ... = ... | -| Fields.cs:22:13:22:17 | SSA call def(this.xs) | Fields.cs:22:13:22:17 | call to method Upd | -| Fields.cs:24:9:24:23 | SSA def(this.xs) | Fields.cs:24:9:24:23 | ... = ... | -| Fields.cs:28:17:28:17 | SSA entry def(Fields.stat) | Fields.cs:28:17:28:17 | G | -| Fields.cs:28:17:28:17 | SSA entry def(this.xs) | Fields.cs:28:17:28:17 | G | -| Fields.cs:30:13:30:28 | SSA def(f) | Fields.cs:30:13:30:28 | Fields f = ... | -| Fields.cs:30:13:30:28 | SSA qualifier def(f.xs) | Fields.cs:30:13:30:28 | Fields f = ... | -| Fields.cs:30:17:30:28 | SSA call def(Fields.stat) | Fields.cs:30:17:30:28 | object creation of type Fields | -| Fields.cs:34:9:34:16 | SSA call def(Fields.stat) | Fields.cs:34:9:34:16 | call to method F | -| Fields.cs:34:9:34:16 | SSA call def(f.xs) | Fields.cs:34:9:34:16 | call to method F | -| Fields.cs:34:9:34:16 | SSA call def(this.xs) | Fields.cs:34:9:34:16 | call to method F | -| Fields.cs:38:9:38:13 | SSA call def(Fields.stat) | Fields.cs:38:9:38:13 | call to method F | -| Fields.cs:38:9:38:13 | SSA call def(f.xs) | Fields.cs:38:9:38:13 | call to method F | -| Fields.cs:38:9:38:13 | SSA call def(this.xs) | Fields.cs:38:9:38:13 | call to method F | -| Fields.cs:42:9:42:23 | SSA def(this.xs) | Fields.cs:42:9:42:23 | ... = ... | -| Fields.cs:45:9:45:25 | SSA def(f.xs) | Fields.cs:45:9:45:25 | ... = ... | -| Fields.cs:47:9:47:14 | SSA def(z) | Fields.cs:47:9:47:14 | ... = ... | -| Fields.cs:49:13:49:28 | SSA def(f) | Fields.cs:49:13:49:28 | ... = ... | -| Fields.cs:49:13:49:28 | SSA qualifier def(f.xs) | Fields.cs:49:13:49:28 | ... = ... | -| Fields.cs:49:17:49:28 | SSA call def(Fields.stat) | Fields.cs:49:17:49:28 | object creation of type Fields | -| Fields.cs:51:9:51:20 | SSA call def(Fields.stat) | Fields.cs:51:9:51:20 | object creation of type Fields | -| Fields.cs:61:17:61:17 | SSA entry def(this.LoopField) | Fields.cs:61:17:61:17 | H | -| Fields.cs:61:17:61:17 | SSA entry def(this.SingleAccessedField) | Fields.cs:61:17:61:17 | H | -| Fields.cs:74:17:74:17 | SSA entry def(this.SingleAccessedField) | Fields.cs:74:17:74:17 | I | -| Fields.cs:77:13:77:45 | SSA def(f) | Fields.cs:77:13:77:45 | Fields f = ... | -| Fields.cs:78:23:78:54 | SSA def(a) | Fields.cs:78:23:78:54 | Action a = ... | -| Fields.cs:78:27:78:54 | SSA capture def(f) | Fields.cs:78:27:78:54 | (...) => ... | -| Fields.cs:79:23:79:35 | SSA def(b) | Fields.cs:79:23:79:35 | Action b = ... | -| Fields.cs:80:9:80:25 | SSA def(f.xs) | Fields.cs:80:9:80:25 | ... = ... | -| Fields.cs:81:9:81:11 | SSA call def(f.xs) | Fields.cs:81:9:81:11 | delegate call | -| Fields.cs:83:9:83:25 | SSA def(f.xs) | Fields.cs:83:9:83:25 | ... = ... | -| Fields.cs:85:9:85:22 | SSA def(this.xs) | Fields.cs:85:9:85:22 | ... = ... | -| Fields.cs:86:9:86:47 | SSA call def(f.xs) | Fields.cs:86:9:86:47 | call to method Select | -| Fields.cs:86:24:86:46 | SSA capture def(a) | Fields.cs:86:24:86:46 | (...) => ... | -| Fields.cs:87:9:87:22 | SSA def(this.xs) | Fields.cs:87:9:87:22 | ... = ... | -| Fields.cs:88:9:88:25 | SSA def(f.xs) | Fields.cs:88:9:88:25 | ... = ... | -| Fields.cs:89:24:89:46 | SSA capture def(b) | Fields.cs:89:24:89:46 | (...) => ... | -| Fields.cs:95:19:95:19 | SSA param(f) | Fields.cs:95:19:95:19 | f | -| Fields.cs:97:9:97:30 | SSA def(f.Field) | Fields.cs:97:9:97:30 | ... = ... | -| Fields.cs:97:9:97:30 | SSA qualifier def(f.Field.Field) | Fields.cs:97:9:97:30 | ... = ... | -| Fields.cs:97:9:97:30 | SSA qualifier def(f.Field.Field.Field) | Fields.cs:97:9:97:30 | ... = ... | -| Fields.cs:97:9:97:30 | SSA qualifier def(f.Field.Field.Field.Field) | Fields.cs:97:9:97:30 | ... = ... | -| Fields.cs:102:9:102:28 | SSA def(this.Field) | Fields.cs:102:9:102:28 | ... = ... | -| Fields.cs:107:33:107:33 | SSA param(f) | Fields.cs:107:33:107:33 | f | -| Fields.cs:109:10:109:10 | SSA entry def(this.Field) | Fields.cs:109:10:109:10 | K | -| Fields.cs:114:9:114:22 | SSA call def(this.Field) | Fields.cs:114:9:114:22 | call to method SetField | -| Fields.cs:114:9:114:22 | SSA call def(this.Field.Field) | Fields.cs:114:9:114:22 | call to method SetField | -| Fields.cs:114:9:114:22 | SSA qualifier def(this.Field.Field.xs) | Fields.cs:114:9:114:22 | call to method SetField | -| MultiImplementationA.cs:5:22:5:22 | SSA param(x) | MultiImplementationA.cs:5:16:5:16 | M | -| MultiImplementationB.cs:3:22:3:22 | SSA param(x) | MultiImplementationA.cs:5:16:5:16 | M | -| OutRef.cs:7:10:7:10 | SSA entry def(this.Field) | OutRef.cs:7:10:7:10 | M | -| OutRef.cs:9:13:9:17 | SSA def(j) | OutRef.cs:9:13:9:17 | Int32 j = ... | -| OutRef.cs:10:25:10:25 | SSA def(i) | OutRef.cs:10:9:10:33 | call to method OutRefM | -| OutRef.cs:10:32:10:32 | SSA def(j) | OutRef.cs:10:9:10:33 | call to method OutRefM | -| OutRef.cs:13:21:13:21 | SSA def(i) | OutRef.cs:13:9:13:33 | call to method OutRefM | -| OutRef.cs:13:28:13:32 | SSA def(this.Field) | OutRef.cs:13:9:13:33 | call to method OutRefM | -| OutRef.cs:16:21:16:25 | SSA def(this.Field) | OutRef.cs:16:9:16:37 | call to method OutRefM | -| OutRef.cs:18:13:18:28 | SSA def(t) | OutRef.cs:18:13:18:28 | OutRef t = ... | -| OutRef.cs:18:13:18:28 | SSA qualifier def(t.Field) | OutRef.cs:18:13:18:28 | OutRef t = ... | -| OutRef.cs:19:21:19:25 | SSA def(this.Field) | OutRef.cs:19:9:19:39 | call to method OutRefM | -| OutRef.cs:19:32:19:38 | SSA def(t.Field) | OutRef.cs:19:9:19:39 | call to method OutRefM | -| OutRef.cs:22:22:22:22 | SSA def(j) | OutRef.cs:22:9:22:30 | call to method OutRefM2 | -| OutRef.cs:24:29:24:29 | SSA def(j) | OutRef.cs:24:9:24:30 | call to method OutRefM3 | -| OutRef.cs:28:37:28:37 | SSA param(j) | OutRef.cs:28:37:28:37 | j | -| OutRef.cs:30:9:30:13 | SSA def(i) | OutRef.cs:30:9:30:13 | ... = ... | -| OutRef.cs:31:9:31:13 | SSA def(j) | OutRef.cs:31:9:31:13 | ... = ... | -| OutRef.cs:34:38:34:38 | SSA param(j) | OutRef.cs:34:38:34:38 | j | -| OutRef.cs:36:9:36:13 | SSA def(i) | OutRef.cs:36:9:36:13 | ... = ... | -| OutRef.cs:39:24:39:24 | SSA param(b) | OutRef.cs:39:24:39:24 | b | -| OutRef.cs:39:35:39:35 | SSA param(j) | OutRef.cs:39:35:39:35 | j | -| OutRef.cs:42:13:42:17 | SSA def(j) | OutRef.cs:42:13:42:17 | ... = ... | -| Patterns.cs:7:16:7:23 | SSA def(o) | Patterns.cs:7:16:7:23 | Object o = ... | -| Patterns.cs:8:18:8:23 | SSA def(i1) | Patterns.cs:8:18:8:23 | Int32 i1 | -| Patterns.cs:12:23:12:31 | SSA def(s1) | Patterns.cs:12:23:12:31 | String s1 | -| Patterns.cs:24:18:24:23 | SSA def(i2) | Patterns.cs:24:18:24:23 | Int32 i2 | -| Patterns.cs:27:18:27:23 | SSA def(i3) | Patterns.cs:27:18:27:23 | Int32 i3 | -| Patterns.cs:30:18:30:26 | SSA def(s2) | Patterns.cs:30:18:30:26 | String s2 | -| Properties.cs:16:17:16:17 | SSA entry def(this.xs) | Properties.cs:16:17:16:17 | F | -| Properties.cs:19:9:19:13 | SSA call def(this.xs) | Properties.cs:19:9:19:13 | call to method Upd | -| Properties.cs:20:9:20:14 | SSA def(x) | Properties.cs:20:9:20:14 | ... = ... | -| Properties.cs:22:13:22:17 | SSA call def(this.xs) | Properties.cs:22:13:22:17 | call to method Upd | -| Properties.cs:24:9:24:23 | SSA def(this.xs) | Properties.cs:24:9:24:23 | ... = ... | -| Properties.cs:28:17:28:17 | SSA entry def(Properties.stat) | Properties.cs:28:17:28:17 | G | -| Properties.cs:28:17:28:17 | SSA entry def(this.xs) | Properties.cs:28:17:28:17 | G | -| Properties.cs:30:13:30:32 | SSA def(f) | Properties.cs:30:13:30:32 | Properties f = ... | -| Properties.cs:30:13:30:32 | SSA qualifier def(f.xs) | Properties.cs:30:13:30:32 | Properties f = ... | -| Properties.cs:30:17:30:32 | SSA call def(Properties.stat) | Properties.cs:30:17:30:32 | object creation of type Properties | -| Properties.cs:34:9:34:16 | SSA call def(Properties.stat) | Properties.cs:34:9:34:16 | call to method F | -| Properties.cs:34:9:34:16 | SSA call def(f.xs) | Properties.cs:34:9:34:16 | call to method F | -| Properties.cs:34:9:34:16 | SSA call def(this.xs) | Properties.cs:34:9:34:16 | call to method F | -| Properties.cs:38:9:38:13 | SSA call def(Properties.stat) | Properties.cs:38:9:38:13 | call to method F | -| Properties.cs:38:9:38:13 | SSA call def(f.xs) | Properties.cs:38:9:38:13 | call to method F | -| Properties.cs:38:9:38:13 | SSA call def(this.xs) | Properties.cs:38:9:38:13 | call to method F | -| Properties.cs:42:9:42:23 | SSA def(this.xs) | Properties.cs:42:9:42:23 | ... = ... | -| Properties.cs:45:9:45:25 | SSA def(f.xs) | Properties.cs:45:9:45:25 | ... = ... | -| Properties.cs:47:9:47:14 | SSA def(z) | Properties.cs:47:9:47:14 | ... = ... | -| Properties.cs:49:13:49:32 | SSA def(f) | Properties.cs:49:13:49:32 | ... = ... | -| Properties.cs:49:13:49:32 | SSA qualifier def(f.xs) | Properties.cs:49:13:49:32 | ... = ... | -| Properties.cs:49:17:49:32 | SSA call def(Properties.stat) | Properties.cs:49:17:49:32 | object creation of type Properties | -| Properties.cs:51:9:51:24 | SSA call def(Properties.stat) | Properties.cs:51:9:51:24 | object creation of type Properties | -| Properties.cs:61:17:61:17 | SSA entry def(this.LoopProp) | Properties.cs:61:17:61:17 | H | -| Properties.cs:61:17:61:17 | SSA entry def(this.SingleAccessedProp) | Properties.cs:61:17:61:17 | H | -| Properties.cs:61:23:61:23 | SSA param(i) | Properties.cs:61:23:61:23 | i | -| Properties.cs:63:16:63:18 | SSA def(i) | Properties.cs:63:16:63:18 | ...-- | -| Properties.cs:70:17:70:17 | SSA entry def(this.SingleAccessedProp) | Properties.cs:70:17:70:17 | I | -| Properties.cs:73:13:73:32 | SSA def(f) | Properties.cs:73:13:73:32 | Properties f = ... | -| Properties.cs:74:23:74:54 | SSA def(a) | Properties.cs:74:23:74:54 | Action a = ... | -| Properties.cs:74:27:74:54 | SSA capture def(f) | Properties.cs:74:27:74:54 | (...) => ... | -| Properties.cs:75:23:75:35 | SSA def(b) | Properties.cs:75:23:75:35 | Action b = ... | -| Properties.cs:76:9:76:25 | SSA def(f.xs) | Properties.cs:76:9:76:25 | ... = ... | -| Properties.cs:77:9:77:11 | SSA call def(f.xs) | Properties.cs:77:9:77:11 | delegate call | -| Properties.cs:79:9:79:25 | SSA def(f.xs) | Properties.cs:79:9:79:25 | ... = ... | -| Properties.cs:81:9:81:22 | SSA def(this.xs) | Properties.cs:81:9:81:22 | ... = ... | -| Properties.cs:82:9:82:47 | SSA call def(f.xs) | Properties.cs:82:9:82:47 | call to method Select | -| Properties.cs:82:24:82:46 | SSA capture def(a) | Properties.cs:82:24:82:46 | (...) => ... | -| Properties.cs:83:9:83:22 | SSA def(this.xs) | Properties.cs:83:9:83:22 | ... = ... | -| Properties.cs:84:9:84:25 | SSA def(f.xs) | Properties.cs:84:9:84:25 | ... = ... | -| Properties.cs:85:24:85:46 | SSA capture def(b) | Properties.cs:85:24:85:46 | (...) => ... | -| Properties.cs:106:37:106:37 | SSA param(p) | Properties.cs:106:37:106:37 | p | -| Properties.cs:108:10:108:10 | SSA entry def(this.Props) | Properties.cs:108:10:108:10 | K | -| Properties.cs:113:9:113:22 | SSA call def(this.Props) | Properties.cs:113:9:113:22 | call to method SetProps | -| Properties.cs:113:9:113:22 | SSA call def(this.Props.Props) | Properties.cs:113:9:113:22 | call to method SetProps | -| Properties.cs:113:9:113:22 | SSA qualifier def(this.Props.Props.xs) | Properties.cs:113:9:113:22 | call to method SetProps | -| Test.cs:5:15:5:20 | SSA param(param1) | Test.cs:5:15:5:20 | param1 | -| Test.cs:5:67:5:72 | SSA param(param2) | Test.cs:5:67:5:72 | param2 | -| Test.cs:7:9:7:17 | SSA def(this.field) | Test.cs:7:9:7:17 | ... = ... | -| Test.cs:8:13:8:17 | SSA def(x) | Test.cs:8:13:8:17 | Int32 x = ... | -| Test.cs:13:13:13:15 | SSA def(x) | Test.cs:13:13:13:15 | ...++ | -| Test.cs:14:13:14:19 | SSA def(y) | Test.cs:14:13:14:19 | ... = ... | -| Test.cs:14:17:14:19 | SSA def(x) | Test.cs:14:17:14:19 | ++... | -| Test.cs:15:13:15:17 | SSA def(z) | Test.cs:15:13:15:17 | ... = ... | -| Test.cs:19:13:19:17 | SSA def(y) | Test.cs:19:13:19:17 | ... = ... | -| Test.cs:20:13:20:18 | SSA def(y) | Test.cs:20:13:20:18 | ... += ... | -| Test.cs:21:13:21:22 | SSA def(this.field) | Test.cs:21:13:21:22 | ... = ... | -| Test.cs:22:13:22:17 | SSA def(z) | Test.cs:22:13:22:17 | ... = ... | -| Test.cs:27:17:27:24 | SSA def(param1) | Test.cs:27:17:27:24 | ...++ | -| Test.cs:31:13:31:18 | SSA def(y) | Test.cs:31:13:31:18 | ... -= ... | -| Test.cs:34:18:34:22 | SSA def(i) | Test.cs:34:18:34:22 | Int32 i = ... | -| Test.cs:34:33:34:35 | SSA def(i) | Test.cs:34:33:34:35 | ...++ | -| Test.cs:36:13:36:18 | SSA def(x) | Test.cs:36:13:36:18 | ... += ... | -| Test.cs:39:22:39:22 | SSA def(w) | Test.cs:39:22:39:22 | Int32 w | -| Test.cs:39:22:39:22 | SSA phi(param1) | Test.cs:39:22:39:22 | Int32 w | -| Test.cs:41:13:41:23 | SSA def(param1) | Test.cs:41:13:41:23 | ... += ... | -| Test.cs:46:10:46:10 | SSA entry def(this.field) | Test.cs:46:10:46:10 | g | -| Test.cs:46:16:46:18 | SSA param(in) | Test.cs:46:16:46:18 | in | -| Test.cs:50:13:50:20 | SSA def(out) | Test.cs:50:13:50:20 | ... = ... | -| Test.cs:54:13:54:20 | SSA def(out) | Test.cs:54:13:54:20 | ... = ... | -| Test.cs:57:9:57:17 | SSA def(this.field) | Test.cs:57:9:57:17 | ... = ... | -| Test.cs:62:16:62:16 | SSA param(x) | Test.cs:62:16:62:16 | x | -| Test.cs:68:45:68:45 | SSA def(e) | Test.cs:68:45:68:45 | DivideByZeroException e | -| Test.cs:76:24:76:25 | SSA param(b1) | Test.cs:76:24:76:25 | b1 | -| Test.cs:76:33:76:34 | SSA param(b2) | Test.cs:76:33:76:34 | b2 | -| Test.cs:76:42:76:43 | SSA param(b3) | Test.cs:76:42:76:43 | b3 | -| Test.cs:76:51:76:52 | SSA param(b4) | Test.cs:76:51:76:52 | b4 | -| Test.cs:76:60:76:61 | SSA param(b5) | Test.cs:76:60:76:61 | b5 | -| Test.cs:76:69:76:70 | SSA param(b6) | Test.cs:76:69:76:70 | b6 | -| Test.cs:78:13:78:17 | SSA def(x) | Test.cs:78:13:78:17 | Int32 x = ... | -| Test.cs:108:13:108:17 | SSA def(x) | Test.cs:108:13:108:17 | ... = ... | -| Tuples.cs:10:9:10:54 | SSA def(b) | Tuples.cs:10:9:10:54 | ... = ... | -| Tuples.cs:10:9:10:54 | SSA def(s) | Tuples.cs:10:9:10:54 | ... = ... | -| Tuples.cs:10:9:10:54 | SSA def(x) | Tuples.cs:10:9:10:54 | ... = ... | -| Tuples.cs:14:9:14:32 | SSA def(b) | Tuples.cs:14:9:14:32 | ... = ... | -| Tuples.cs:14:9:14:32 | SSA def(s) | Tuples.cs:14:9:14:32 | ... = ... | -| Tuples.cs:14:9:14:32 | SSA def(x) | Tuples.cs:14:9:14:32 | ... = ... | -| Tuples.cs:18:40:18:57 | SSA def(tuple) | Tuples.cs:18:40:18:57 | (Int32,(Boolean,String)) tuple = ... | -| Tuples.cs:20:9:20:34 | SSA def(this.Field) | Tuples.cs:20:9:20:34 | ... = ... | -| Tuples.cs:20:9:20:34 | SSA def(this.Property) | Tuples.cs:20:9:20:34 | ... = ... | -| Tuples.cs:23:9:23:37 | SSA def(x) | Tuples.cs:23:9:23:37 | ... = ... | -| Tuples.cs:25:13:25:28 | SSA def(t) | Tuples.cs:25:13:25:28 | Tuples t = ... | -| Tuples.cs:26:9:26:33 | SSA def(t.Field) | Tuples.cs:26:9:26:33 | ... = ... | -| Tuples.cs:26:9:26:33 | SSA def(this.Field) | Tuples.cs:26:9:26:33 | ... = ... | diff --git a/csharp/ql/test/library-tests/dataflow/ssa/SsaDefElement.ql b/csharp/ql/test/library-tests/dataflow/ssa/SsaDefElement.ql deleted file mode 100644 index e404aee7767..00000000000 --- a/csharp/ql/test/library-tests/dataflow/ssa/SsaDefElement.ql +++ /dev/null @@ -1,4 +0,0 @@ -import csharp - -from Ssa::Definition def -select def, def.getElement() From ed6cdfc227f37e6b34d755699ca01aed1ce031d2 Mon Sep 17 00:00:00 2001 From: Anders Schack-Mulligen Date: Fri, 24 Apr 2026 08:47:36 +0200 Subject: [PATCH 15/46] C#: Move isLiveOutRefParameterDefinition to top-level. --- csharp/ql/lib/semmle/code/csharp/dataflow/SSA.qll | 6 +++++- .../code/csharp/dataflow/internal/DataFlowPrivate.qll | 4 ++-- .../ql/lib/semmle/code/csharp/dataflow/internal/SsaImpl.qll | 4 ++++ .../library-tests/dataflow/callablereturnsarg/Common.qll | 2 +- .../dataflow/ssa/IsLiveOutRefParameterDefinition.ql | 4 ++-- 5 files changed, 14 insertions(+), 6 deletions(-) diff --git a/csharp/ql/lib/semmle/code/csharp/dataflow/SSA.qll b/csharp/ql/lib/semmle/code/csharp/dataflow/SSA.qll index 7d8809a700c..53866c77004 100644 --- a/csharp/ql/lib/semmle/code/csharp/dataflow/SSA.qll +++ b/csharp/ql/lib/semmle/code/csharp/dataflow/SSA.qll @@ -190,6 +190,8 @@ module Ssa { ) } + predicate isLiveOutRefParameterDefinition = SsaImpl::isLiveOutRefParameterDefinition/2; + /** * A static single assignment (SSA) definition. Either an explicit variable * definition (`ExplicitDefinition`), an implicit variable definition @@ -408,10 +410,12 @@ module Ssa { } /** + * DEPRECATED: Use `isLiveOutRefParameterDefinition(SsaDefinition, Parameter)` instead. + * * Holds if this SSA definition assigns to `out`/`ref` parameter `p`, and the * parameter may remain unchanged throughout the rest of the enclosing callable. */ - final predicate isLiveOutRefParameterDefinition(Parameter p) { + deprecated final predicate isLiveOutRefParameterDefinition(Parameter p) { SsaImpl::isLiveOutRefParameterDefinition(this, p) } diff --git a/csharp/ql/lib/semmle/code/csharp/dataflow/internal/DataFlowPrivate.qll b/csharp/ql/lib/semmle/code/csharp/dataflow/internal/DataFlowPrivate.qll index b6a6d398874..0f553b6e036 100644 --- a/csharp/ql/lib/semmle/code/csharp/dataflow/internal/DataFlowPrivate.qll +++ b/csharp/ql/lib/semmle/code/csharp/dataflow/internal/DataFlowPrivate.qll @@ -1244,7 +1244,7 @@ class SsaNode extends NodeImpl, TSsaNode { class SsaDefinitionNode extends SsaNode { override SsaImpl::DataFlowIntegration::SsaDefinitionNode node; - Ssa::Definition getDefinition() { result = node.getDefinition() } + SsaDefinition getDefinition() { result = node.getDefinition() } override ControlFlowNode getControlFlowNodeImpl() { result = this.getDefinition().getControlFlowNode() @@ -1613,7 +1613,7 @@ private module ReturnNodes { OutRefReturnNode() { exists(Parameter p | - this.getDefinition().isLiveOutRefParameterDefinition(p) and + Ssa::isLiveOutRefParameterDefinition(this.getDefinition(), p) and kind.getPosition() = p.getPosition() | p.isOut() and kind instanceof OutReturnKind diff --git a/csharp/ql/lib/semmle/code/csharp/dataflow/internal/SsaImpl.qll b/csharp/ql/lib/semmle/code/csharp/dataflow/internal/SsaImpl.qll index a4d788001a7..6966152475b 100644 --- a/csharp/ql/lib/semmle/code/csharp/dataflow/internal/SsaImpl.qll +++ b/csharp/ql/lib/semmle/code/csharp/dataflow/internal/SsaImpl.qll @@ -914,6 +914,10 @@ private module Cached { Impl::uncertainWriteDefinitionInput(def, result) } + /** + * Holds if the SSA definition `def` assigns to `out`/`ref` parameter `p`, and the + * parameter may remain unchanged throughout the rest of the enclosing callable. + */ cached predicate isLiveOutRefParameterDefinition(SsaDefinition def, Parameter p) { p.isOutOrRef() and diff --git a/csharp/ql/test/library-tests/dataflow/callablereturnsarg/Common.qll b/csharp/ql/test/library-tests/dataflow/callablereturnsarg/Common.qll index 3a3a55e42cc..95a93e24a2a 100644 --- a/csharp/ql/test/library-tests/dataflow/callablereturnsarg/Common.qll +++ b/csharp/ql/test/library-tests/dataflow/callablereturnsarg/Common.qll @@ -5,7 +5,7 @@ private predicate outRefDef(DataFlow::ExprNode ne, int outRef) { exists(Ssa::ExplicitDefinition def, Parameter outRefParameter | outRefParameter.isOutOrRef() and ne.getExpr() = def.getADefinition().getSource() and - def.isLiveOutRefParameterDefinition(outRefParameter) and + Ssa::isLiveOutRefParameterDefinition(def, outRefParameter) and outRef = outRefParameter.getPosition() ) } diff --git a/csharp/ql/test/library-tests/dataflow/ssa/IsLiveOutRefParameterDefinition.ql b/csharp/ql/test/library-tests/dataflow/ssa/IsLiveOutRefParameterDefinition.ql index ca43b497dd5..130d91fb6fe 100644 --- a/csharp/ql/test/library-tests/dataflow/ssa/IsLiveOutRefParameterDefinition.ql +++ b/csharp/ql/test/library-tests/dataflow/ssa/IsLiveOutRefParameterDefinition.ql @@ -1,7 +1,7 @@ import csharp -from Ssa::SourceVariable v, Ssa::Definition def +from Ssa::SourceVariable v, SsaDefinition def where v = def.getSourceVariable() and - def.isLiveOutRefParameterDefinition(_) + Ssa::isLiveOutRefParameterDefinition(def, _) select v, def From a6c7f27fc12b015dd8cc2baec4d857b2ae2620ad Mon Sep 17 00:00:00 2001 From: Anders Schack-Mulligen Date: Fri, 24 Apr 2026 08:51:25 +0200 Subject: [PATCH 16/46] C#: Deprecate Definition.getEnclosingCallable. --- csharp/ql/lib/semmle/code/csharp/dataflow/SSA.qll | 8 ++++++-- 1 file changed, 6 insertions(+), 2 deletions(-) diff --git a/csharp/ql/lib/semmle/code/csharp/dataflow/SSA.qll b/csharp/ql/lib/semmle/code/csharp/dataflow/SSA.qll index 53866c77004..dd07dcb9f28 100644 --- a/csharp/ql/lib/semmle/code/csharp/dataflow/SSA.qll +++ b/csharp/ql/lib/semmle/code/csharp/dataflow/SSA.qll @@ -404,8 +404,12 @@ module Ssa { result.(ControlFlowElement).getControlFlowNode() = this.getControlFlowNode() } - /** Gets the callable to which this SSA definition belongs. */ - final Callable getEnclosingCallable() { + /** + * DEPRECATED: Use `getSourceVariable().getEnclosingCallable()` instead. + * + * Gets the callable to which this SSA definition belongs. + */ + deprecated final Callable getEnclosingCallable() { result = this.getSourceVariable().getEnclosingCallable() } From dc34b10cb6cc20b39dcb1522d2ecf81b0f91540c Mon Sep 17 00:00:00 2001 From: Anders Schack-Mulligen Date: Fri, 24 Apr 2026 16:04:36 +0200 Subject: [PATCH 17/46] C#: Replace Ssa::ExplicitDefinition with SsaExplicitWrite. --- .../ql/consistency-queries/SsaConsistency.ql | 4 +-- .../ql/lib/semmle/code/csharp/Assignable.qll | 4 +-- .../semmle/code/csharp/controlflow/Guards.qll | 10 ++---- .../semmle/code/csharp/dataflow/Nullness.qll | 16 ++++------ .../lib/semmle/code/csharp/dataflow/SSA.qll | 10 ++++-- .../dataflow/internal/DataFlowPrivate.qll | 11 +++---- .../code/csharp/dataflow/internal/SsaImpl.qll | 8 +++-- .../internal/rangeanalysis/RangeUtils.qll | 2 +- .../rangeanalysis/SignAnalysisSpecific.qll | 32 ++++++------------- .../internal/rangeanalysis/SsaUtils.qll | 14 ++++---- csharp/ql/src/Dead Code/DeadStoreOfLocal.ql | 2 +- .../src/Likely Bugs/Dynamic/BadDynamicCall.ql | 7 ++-- .../ql/test/library-tests/csharp7/DefUse.ql | 7 +--- .../dataflow/callablereturnsarg/Common.qll | 4 +-- .../dataflow/defuse/defUseEquivalence.ql | 6 +++- .../dataflow/ssa-large/countssa.ql | 4 +-- .../dataflow/ssa/BaseSsaConsistency.ql | 8 ++--- .../dataflow/ssa/SsaExplicitDef.ql | 4 +-- 18 files changed, 67 insertions(+), 86 deletions(-) diff --git a/csharp/ql/consistency-queries/SsaConsistency.ql b/csharp/ql/consistency-queries/SsaConsistency.ql index e9c9191b63a..003e7ddd5e9 100644 --- a/csharp/ql/consistency-queries/SsaConsistency.ql +++ b/csharp/ql/consistency-queries/SsaConsistency.ql @@ -7,8 +7,8 @@ query predicate localDeclWithSsaDef(LocalVariableDeclExpr d) { // Local variables in C# must be initialized before every use, so uninitialized // local variables should not have an SSA definition, as that would imply that // the declaration is live (can reach a use without passing through a definition) - exists(ExplicitDefinition def | - d = def.getADefinition().(AssignableDefinitions::LocalVariableDefinition).getDeclaration() + exists(SsaExplicitWrite def | + d = def.getDefinition().(AssignableDefinitions::LocalVariableDefinition).getDeclaration() | not d = any(ForeachStmt fs).getVariableDeclExpr() and not d = any(SpecificCatchClause scc).getVariableDeclExpr() and diff --git a/csharp/ql/lib/semmle/code/csharp/Assignable.qll b/csharp/ql/lib/semmle/code/csharp/Assignable.qll index 066cdeaed15..7bd432d48ce 100644 --- a/csharp/ql/lib/semmle/code/csharp/Assignable.qll +++ b/csharp/ql/lib/semmle/code/csharp/Assignable.qll @@ -500,9 +500,7 @@ class AssignableDefinition extends TAssignableDefinition { */ pragma[nomagic] AssignableRead getAFirstRead() { - exists(Ssa::ExplicitDefinition def | result = Ssa::ssaGetAFirstUse(def) | - this = def.getADefinition() - ) + exists(SsaExplicitWrite def | result = Ssa::ssaGetAFirstUse(def) | this = def.getDefinition()) } /** Gets a textual representation of this assignable definition. */ diff --git a/csharp/ql/lib/semmle/code/csharp/controlflow/Guards.qll b/csharp/ql/lib/semmle/code/csharp/controlflow/Guards.qll index 48adada60d8..168ce6a1e5c 100644 --- a/csharp/ql/lib/semmle/code/csharp/controlflow/Guards.qll +++ b/csharp/ql/lib/semmle/code/csharp/controlflow/Guards.qll @@ -588,7 +588,7 @@ private SsaDefinition getAnSsaQualifier(Expr e, ControlFlowNode cfn) { private AssignableAccess getATrackedAccess(SsaDefinition def, ControlFlowNode cfn) { result = def.getARead() and cfn = result.getControlFlowNode() or - result = def.(Ssa::ExplicitDefinition).getADefinition().getTargetAccess() and + result = def.(SsaExplicitWrite).getDefinition().getTargetAccess() and cfn = def.getControlFlowNode() } @@ -830,9 +830,7 @@ module Internal { ).getARead() } - private predicate nullDef(Ssa::ExplicitDefinition def) { - nullValueImplied(def.getADefinition().getSource()) - } + private predicate nullDef(SsaExplicitWrite def) { nullValueImplied(def.getValue()) } predicate nonNullValueImplied(Expr e) { nonNullValue(e) @@ -845,9 +843,7 @@ module Internal { ).getARead() } - private predicate nonNullDef(Ssa::ExplicitDefinition def) { - nonNullValueImplied(def.getADefinition().getSource()) - } + private predicate nonNullDef(SsaExplicitWrite def) { nonNullValueImplied(def.getValue()) } /** A callable that always returns a non-`null` value. */ private class NonNullCallable extends Callable { diff --git a/csharp/ql/lib/semmle/code/csharp/dataflow/Nullness.qll b/csharp/ql/lib/semmle/code/csharp/dataflow/Nullness.qll index 95dfcf3f0ec..662cd5a5d18 100644 --- a/csharp/ql/lib/semmle/code/csharp/dataflow/Nullness.qll +++ b/csharp/ql/lib/semmle/code/csharp/dataflow/Nullness.qll @@ -80,9 +80,7 @@ class AlwaysNullExpr extends Expr { } /** Holds if SSA definition `def` is always `null`. */ -private predicate nullDef(Ssa::ExplicitDefinition def) { - def.getADefinition().getSource() instanceof AlwaysNullExpr -} +private predicate nullDef(SsaExplicitWrite def) { def.getValue() instanceof AlwaysNullExpr } /** An expression that is never `null`. */ class NonNullExpr extends Expr { @@ -108,10 +106,10 @@ class NonNullExpr extends Expr { } /** Holds if SSA definition `def` is never `null`. */ -private predicate nonNullDef(Ssa::ExplicitDefinition def) { - def.getADefinition().getSource() instanceof NonNullExpr +private predicate nonNullDef(SsaExplicitWrite def) { + def.getValue() instanceof NonNullExpr or - exists(AssignableDefinition ad | ad = def.getADefinition() | + exists(AssignableDefinition ad | ad = def.getDefinition() | ad instanceof AssignableDefinitions::PatternDefinition or ad = @@ -191,7 +189,7 @@ private predicate defMaybeNull(SsaDefinition def, ControlFlowNode node, string m not de = any(Ssa::PhiNode phi).getARead() and // Don't use a check as reason if there is a `null` assignment // or argument - not def.(Ssa::ExplicitDefinition).getADefinition().getSource() instanceof MaybeNullExpr and + not def.(SsaExplicitWrite).getValue() instanceof MaybeNullExpr and not isMaybeNullArgument(def, _) ) or @@ -205,7 +203,7 @@ private predicate defMaybeNull(SsaDefinition def, ControlFlowNode node, string m ) or // If the source of a variable is `null` then the variable may be `null` - exists(AssignableDefinition adef | adef = def.(Ssa::ExplicitDefinition).getADefinition() | + exists(AssignableDefinition adef | adef = def.(SsaExplicitWrite).getDefinition() | adef.getSource() = maybeNullExpr(node.asExpr()) and reason = adef.getExpr() and msg = "because of $@ assignment" @@ -336,7 +334,7 @@ class Dereference extends G::DereferenceableExpr { private predicate isAlwaysNull0(SsaDefinition def) { forall(SsaDefinition input | input = getAnUltimateDefinition(def) | - input.(Ssa::ExplicitDefinition).getADefinition().getSource() instanceof AlwaysNullExpr + input.(SsaExplicitWrite).getValue() instanceof AlwaysNullExpr ) and not nonNullDef(def) and this = def.getARead() and diff --git a/csharp/ql/lib/semmle/code/csharp/dataflow/SSA.qll b/csharp/ql/lib/semmle/code/csharp/dataflow/SSA.qll index dd07dcb9f28..ed75874b842 100644 --- a/csharp/ql/lib/semmle/code/csharp/dataflow/SSA.qll +++ b/csharp/ql/lib/semmle/code/csharp/dataflow/SSA.qll @@ -428,19 +428,25 @@ module Ssa { } /** + * DEPRECATED: Use `SsaExplicitWrite` instead. + * * An SSA definition that corresponds to an explicit assignable definition. */ - class ExplicitDefinition extends Definition, SsaImpl::WriteDefinition { + deprecated class ExplicitDefinition extends Definition, SsaImpl::WriteDefinition { AssignableDefinition ad; ExplicitDefinition() { SsaImpl::explicitDefinition(this, _, ad) } /** + * DEPRECATED: Use `SsaExplicitWrite.getDefinition()` instead. + * * Gets an underlying assignable definition. The result is always unique, * except for pathological `out`/`ref` assignments like `M(out x, out x)`, * where there may be more than one underlying definition. */ - final AssignableDefinition getADefinition() { result = SsaImpl::getADefinition(this) } + deprecated final AssignableDefinition getADefinition() { + result = SsaImpl::getADefinition(this) + } /** * DEPRECATED. diff --git a/csharp/ql/lib/semmle/code/csharp/dataflow/internal/DataFlowPrivate.qll b/csharp/ql/lib/semmle/code/csharp/dataflow/internal/DataFlowPrivate.qll index 0f553b6e036..b55b0cbd934 100644 --- a/csharp/ql/lib/semmle/code/csharp/dataflow/internal/DataFlowPrivate.qll +++ b/csharp/ql/lib/semmle/code/csharp/dataflow/internal/DataFlowPrivate.qll @@ -272,7 +272,7 @@ module VariableCapture { or exists(SsaDefinition def, AssignableDefinition adef | LocalFlow::defAssigns(adef, _, _, e1) and - def.getAnUltimateDefinition().(Ssa::ExplicitDefinition).getADefinition() = adef and + def.getAnUltimateDefinition().(SsaExplicitWrite).getDefinition() = adef and def.getARead().getControlFlowNode() = e2 ) } @@ -600,8 +600,8 @@ module LocalFlow { or ThisFlow::adjacentThisRefs(nodeFrom.(PostUpdateNode).getPreUpdateNode(), nodeTo) or - exists(AssignableDefinition def, ControlFlowNode cfn, Ssa::ExplicitDefinition ssaDef | - ssaDef.getADefinition() = def and + exists(AssignableDefinition def, ControlFlowNode cfn, SsaExplicitWrite ssaDef | + ssaDef.getDefinition() = def and ssaDef.getControlFlowNode() = cfn and nodeFrom = TAssignableDefinitionNode(def, cfn) and nodeTo.(SsaDefinitionNode).getDefinition() = ssaDef @@ -2220,12 +2220,11 @@ private predicate readContentStep(Node node1, Content c, Node node2) { c instanceof ElementContent or exists( - ForeachStmt fs, Ssa::ExplicitDefinition def, - AssignableDefinitions::LocalVariableDefinition defTo + ForeachStmt fs, SsaExplicitWrite def, AssignableDefinitions::LocalVariableDefinition defTo | node1.asExpr() = fs.getIterableExpr() and defTo.getDeclaration() = fs.getVariableDeclExpr() and - def.getADefinition() = defTo and + def.getDefinition() = defTo and node2.(SsaDefinitionNode).getDefinition() = def and c instanceof ElementContent ) diff --git a/csharp/ql/lib/semmle/code/csharp/dataflow/internal/SsaImpl.qll b/csharp/ql/lib/semmle/code/csharp/dataflow/internal/SsaImpl.qll index 6966152475b..89c7276a1a2 100644 --- a/csharp/ql/lib/semmle/code/csharp/dataflow/internal/SsaImpl.qll +++ b/csharp/ql/lib/semmle/code/csharp/dataflow/internal/SsaImpl.qll @@ -825,7 +825,7 @@ private module Cached { } cached - AssignableDefinition getADefinition(Ssa::ExplicitDefinition def) { + deprecated AssignableDefinition getADefinition(Ssa::ExplicitDefinition def) { exists(Ssa::SourceVariable v, AssignableDefinition ad | explicitDefinition(def, v, ad) | result = ad or result = getASameOutRefDefAfter(v, ad) @@ -858,7 +858,9 @@ private module Cached { } cached - predicate explicitDefinition(WriteDefinition def, Ssa::SourceVariable v, AssignableDefinition ad) { + deprecated predicate explicitDefinition( + WriteDefinition def, Ssa::SourceVariable v, AssignableDefinition ad + ) { exists(BasicBlock bb, int i | def.definesAt(v, bb, i) and variableDefinition(bb, i, v, ad) @@ -1023,7 +1025,7 @@ private module DataFlowIntegrationInput implements Impl::DataFlowIntegrationInpu * as we, conservatively, consider such definitions to be certain. */ predicate allowFlowIntoUncertainDef(UncertainWriteDefinition def) { - def instanceof Ssa::ExplicitDefinition + def instanceof SsaExplicitWrite or def = any(Ssa::ImplicitQualifierDefinition qdef | diff --git a/csharp/ql/lib/semmle/code/csharp/dataflow/internal/rangeanalysis/RangeUtils.qll b/csharp/ql/lib/semmle/code/csharp/dataflow/internal/rangeanalysis/RangeUtils.qll index fafb85440a2..b85f68883ab 100644 --- a/csharp/ql/lib/semmle/code/csharp/dataflow/internal/rangeanalysis/RangeUtils.qll +++ b/csharp/ql/lib/semmle/code/csharp/dataflow/internal/rangeanalysis/RangeUtils.qll @@ -19,7 +19,7 @@ private module Impl { } /** Holds if SSA definition `def` equals `e + delta`. */ - predicate ssaUpdateStep(ExplicitDefinition def, ExprNode e, int delta) { + predicate ssaUpdateStep(SsaExplicitWrite def, ExprNode e, int delta) { exists(ControlFlowNode cfn | cfn = def.getControlFlowNode() | e = cfn.(ExprNode::Assignment).getRightOperand() and delta = 0 and diff --git a/csharp/ql/lib/semmle/code/csharp/dataflow/internal/rangeanalysis/SignAnalysisSpecific.qll b/csharp/ql/lib/semmle/code/csharp/dataflow/internal/rangeanalysis/SignAnalysisSpecific.qll index 55b3ac31aa3..96d6b2b979a 100644 --- a/csharp/ql/lib/semmle/code/csharp/dataflow/internal/rangeanalysis/SignAnalysisSpecific.qll +++ b/csharp/ql/lib/semmle/code/csharp/dataflow/internal/rangeanalysis/SignAnalysisSpecific.qll @@ -35,7 +35,7 @@ module Private { class Expr = CS::ControlFlowNodes::ExprNode; - class VariableUpdate = CS::Ssa::ExplicitDefinition; + class VariableUpdate = CS::SsaExplicitWrite; class Field = CS::Field; @@ -122,37 +122,25 @@ private module Impl { } /** Returns the underlying variable update of the explicit SSA variable `v`. */ - Ssa::ExplicitDefinition getExplicitSsaAssignment(Ssa::ExplicitDefinition v) { result = v } + SsaExplicitWrite getExplicitSsaAssignment(SsaExplicitWrite v) { result = v } /** Returns the assignment of the variable update `def`. */ - ExprNode getExprFromSsaAssignment(Ssa::ExplicitDefinition def) { - exists(AssignableDefinition adef | - adef = def.getADefinition() and - hasChild(adef.getExpr(), adef.getSource(), def.getControlFlowNode(), result) - ) - or - exists(AssignableDefinitions::AssignOperationDefinition adef | - adef = def.getADefinition() and - result.getExpr() = adef.getSource() - ) - } + ExprNode getExprFromSsaAssignment(SsaExplicitWrite def) { result.getExpr() = def.getValue() } /** Holds if `def` can have any sign. */ - predicate explicitSsaDefWithAnySign(Ssa::ExplicitDefinition def) { - not exists(def.getADefinition().getSource()) and - not def.getElement() instanceof MutatorOperation + predicate explicitSsaDefWithAnySign(SsaExplicitWrite def) { + not exists(def.getValue()) and + not def.getDefiningExpr() instanceof MutatorOperation } /** Returns the operand of the operation if `def` is a decrement. */ - ExprNode getDecrementOperand(Ssa::ExplicitDefinition def) { - hasChild(def.getElement(), def.getElement().(DecrementOperation).getOperand(), - def.getControlFlowNode(), result) + ExprNode getDecrementOperand(SsaExplicitWrite def) { + result.getExpr() = def.getDefiningExpr().(DecrementOperation).getOperand() } /** Returns the operand of the operation if `def` is an increment. */ - ExprNode getIncrementOperand(Ssa::ExplicitDefinition def) { - hasChild(def.getElement(), def.getElement().(IncrementOperation).getOperand(), - def.getControlFlowNode(), result) + ExprNode getIncrementOperand(SsaExplicitWrite def) { + result.getExpr() = def.getDefiningExpr().(IncrementOperation).getOperand() } /** Gets the variable underlying the implicit SSA variable `def`. */ diff --git a/csharp/ql/lib/semmle/code/csharp/dataflow/internal/rangeanalysis/SsaUtils.qll b/csharp/ql/lib/semmle/code/csharp/dataflow/internal/rangeanalysis/SsaUtils.qll index 5681976a378..33afe07dae3 100644 --- a/csharp/ql/lib/semmle/code/csharp/dataflow/internal/rangeanalysis/SsaUtils.qll +++ b/csharp/ql/lib/semmle/code/csharp/dataflow/internal/rangeanalysis/SsaUtils.qll @@ -17,9 +17,9 @@ class SsaVariable extends SsaDefinition { /** Gets a node that reads `src` via an SSA explicit definition. */ ExprNode getAnExplicitDefinitionRead(ExprNode src) { - exists(ExplicitDefinition def | + exists(SsaExplicitWrite def | def.getARead().getControlFlowNode() = result and - hasChild(def.getElement(), def.getADefinition().getSource(), def.getControlFlowNode(), src) + hasChild(def.getDefiningExpr(), def.getValue(), def.getControlFlowNode(), src) ) } @@ -45,15 +45,15 @@ ExprNode ssaRead(SsaDefinition v, int delta) { delta = d1 + c.getIntValue() ) or - v.(ExplicitDefinition).getControlFlowNode().(ExprNode::PreIncrExpr) = result and delta = 0 + v.(SsaExplicitWrite).getControlFlowNode().(ExprNode::PreIncrExpr) = result and delta = 0 or - v.(ExplicitDefinition).getControlFlowNode().(ExprNode::PreDecrExpr) = result and delta = 0 + v.(SsaExplicitWrite).getControlFlowNode().(ExprNode::PreDecrExpr) = result and delta = 0 or - v.(ExplicitDefinition).getControlFlowNode().(ExprNode::PostIncrExpr) = result and delta = 1 // x++ === ++x - 1 + v.(SsaExplicitWrite).getControlFlowNode().(ExprNode::PostIncrExpr) = result and delta = 1 // x++ === ++x - 1 or - v.(ExplicitDefinition).getControlFlowNode().(ExprNode::PostDecrExpr) = result and delta = -1 // x-- === --x + 1 + v.(SsaExplicitWrite).getControlFlowNode().(ExprNode::PostDecrExpr) = result and delta = -1 // x-- === --x + 1 or - v.(ExplicitDefinition).getControlFlowNode().(ExprNode::Assignment) = result and delta = 0 + v.(SsaExplicitWrite).getControlFlowNode().(ExprNode::Assignment) = result and delta = 0 or result.(ExprNode::AssignExpr).getRightOperand() = ssaRead(v, delta) } diff --git a/csharp/ql/src/Dead Code/DeadStoreOfLocal.ql b/csharp/ql/src/Dead Code/DeadStoreOfLocal.ql index 12baac99c78..cf57707608b 100644 --- a/csharp/ql/src/Dead Code/DeadStoreOfLocal.ql +++ b/csharp/ql/src/Dead Code/DeadStoreOfLocal.ql @@ -92,7 +92,7 @@ class RelevantDefinition extends AssignableDefinition { private predicate isMaybeLive() { exists(LocalVariable v | v = this.getTarget() | // SSA definitions are only created for live variables - this = any(Ssa::ExplicitDefinition ssaDef).getADefinition() + this = any(SsaExplicitWrite ssaDef).getDefinition() or mayEscape(v) or diff --git a/csharp/ql/src/Likely Bugs/Dynamic/BadDynamicCall.ql b/csharp/ql/src/Likely Bugs/Dynamic/BadDynamicCall.ql index 4d68f6ee628..afb44727e34 100644 --- a/csharp/ql/src/Likely Bugs/Dynamic/BadDynamicCall.ql +++ b/csharp/ql/src/Likely Bugs/Dynamic/BadDynamicCall.ql @@ -36,17 +36,16 @@ abstract class BadDynamicCall extends DynamicExpr { } private Type possibleTypeForRelevantSource(Variable v, int i, Expr source) { - exists(AssignableRead read, SsaDefinition ssaDef, Ssa::ExplicitDefinition ultimateSsaDef | + exists(AssignableRead read, SsaDefinition ssaDef, SsaExplicitWrite ultimateSsaDef | read = this.getARelevantVariableAccess(i) and v = read.getTarget() and result = source.getType() and read = ssaDef.getARead() and ultimateSsaDef = ssaDef.getAnUltimateDefinition() | - ultimateSsaDef.getADefinition() = - any(AssignableDefinition def | source = def.getSource().stripImplicit()) + ultimateSsaDef.getValue().stripImplicit() = source or - ultimateSsaDef.getADefinition() = + ultimateSsaDef.getDefinition() = any(AssignableDefinitions::ImplicitParameterDefinition p | source = p.getParameter().getAnAssignedValue().stripImplicit() ) diff --git a/csharp/ql/test/library-tests/csharp7/DefUse.ql b/csharp/ql/test/library-tests/csharp7/DefUse.ql index e696307be28..ccdd4db0157 100644 --- a/csharp/ql/test/library-tests/csharp7/DefUse.ql +++ b/csharp/ql/test/library-tests/csharp7/DefUse.ql @@ -3,11 +3,6 @@ import csharp from AssignableDefinition def, AssignableRead read, SsaDefinition ult, SsaDefinition ssaDef where ssaDef.getAnUltimateDefinition() = ult and - ( - ult.(Ssa::ExplicitDefinition).getADefinition() = def - or - ult.(Ssa::ParameterDefinition).getParameter() = - def.(AssignableDefinitions::ImplicitParameterDefinition).getParameter() - ) and + ult.(SsaExplicitWrite).getDefinition() = def and read = ssaDef.getARead() select def, read diff --git a/csharp/ql/test/library-tests/dataflow/callablereturnsarg/Common.qll b/csharp/ql/test/library-tests/dataflow/callablereturnsarg/Common.qll index 95a93e24a2a..2af01c72333 100644 --- a/csharp/ql/test/library-tests/dataflow/callablereturnsarg/Common.qll +++ b/csharp/ql/test/library-tests/dataflow/callablereturnsarg/Common.qll @@ -2,9 +2,9 @@ import csharp private import semmle.code.csharp.controlflow.Guards private predicate outRefDef(DataFlow::ExprNode ne, int outRef) { - exists(Ssa::ExplicitDefinition def, Parameter outRefParameter | + exists(SsaExplicitWrite def, Parameter outRefParameter | outRefParameter.isOutOrRef() and - ne.getExpr() = def.getADefinition().getSource() and + ne.getExpr() = def.getValue() and Ssa::isLiveOutRefParameterDefinition(def, outRefParameter) and outRef = outRefParameter.getPosition() ) diff --git a/csharp/ql/test/library-tests/dataflow/defuse/defUseEquivalence.ql b/csharp/ql/test/library-tests/dataflow/defuse/defUseEquivalence.ql index 800ae971759..1897c97bd65 100644 --- a/csharp/ql/test/library-tests/dataflow/defuse/defUseEquivalence.ql +++ b/csharp/ql/test/library-tests/dataflow/defuse/defUseEquivalence.ql @@ -12,6 +12,10 @@ predicate defReaches( def.(AssignableDefinitions::ImplicitParameterDefinition).getParameter().getControlFlowNode() ].getASuccessor() or + def.getTarget() = v and + cfn = + def.(AssignableDefinitions::ImplicitParameterDefinition).getEnclosingCallable().getEntryPoint() + or exists(ControlFlowNode mid | defReaches(def, v, mid) | not mid = any(AssignableDefinition ad | ad.getTarget() = v and ad.isCertain()) @@ -30,7 +34,7 @@ predicate defUsePair(AssignableDefinition def, AssignableRead read) { private LocalScopeVariableRead getAReachableUncertainRead(AssignableDefinition def) { exists(SsaDefinition ssaDef | - def = ssaDef.getAnUltimateDefinition().(Ssa::ExplicitDefinition).getADefinition() + def = ssaDef.getAnUltimateDefinition().(SsaExplicitWrite).getDefinition() | result = ssaDef.getARead() ) diff --git a/csharp/ql/test/library-tests/dataflow/ssa-large/countssa.ql b/csharp/ql/test/library-tests/dataflow/ssa-large/countssa.ql index 94218ca6c7e..e9d2f74ff27 100644 --- a/csharp/ql/test/library-tests/dataflow/ssa-large/countssa.ql +++ b/csharp/ql/test/library-tests/dataflow/ssa-large/countssa.ql @@ -2,6 +2,6 @@ import csharp from int uses, int live where - uses = strictcount(Ssa::ExplicitDefinition ssa, AssignableRead read | read = ssa.getARead()) and - live = strictcount(Ssa::ExplicitDefinition ssa, BasicBlock bb | ssa.isLiveAtEndOfBlock(bb)) + uses = strictcount(SsaExplicitWrite ssa, AssignableRead read | read = ssa.getARead()) and + live = strictcount(SsaExplicitWrite ssa, BasicBlock bb | ssa.isLiveAtEndOfBlock(bb)) select uses, live diff --git a/csharp/ql/test/library-tests/dataflow/ssa/BaseSsaConsistency.ql b/csharp/ql/test/library-tests/dataflow/ssa/BaseSsaConsistency.ql index d68e39fb396..2634ef14a37 100644 --- a/csharp/ql/test/library-tests/dataflow/ssa/BaseSsaConsistency.ql +++ b/csharp/ql/test/library-tests/dataflow/ssa/BaseSsaConsistency.ql @@ -8,12 +8,8 @@ where ar = ssaDef.getARead() and def = ssaDef.getDefinition() and v = def.getTarget() and - not exists(Ssa::ExplicitDefinition edef | - edef.getADefinition() = def and - edef.getARead() = ar - ) and - not exists(Ssa::ParameterDefinition edef | - edef.getParameter() = def.(AssignableDefinitions::ImplicitParameterDefinition).getParameter() and + not exists(SsaExplicitWrite edef | + edef.getDefinition() = def and edef.getARead() = ar ) select ar, def diff --git a/csharp/ql/test/library-tests/dataflow/ssa/SsaExplicitDef.ql b/csharp/ql/test/library-tests/dataflow/ssa/SsaExplicitDef.ql index bf4c70ee673..4e37c24b0cc 100644 --- a/csharp/ql/test/library-tests/dataflow/ssa/SsaExplicitDef.ql +++ b/csharp/ql/test/library-tests/dataflow/ssa/SsaExplicitDef.ql @@ -1,5 +1,5 @@ import csharp -from Ssa::SourceVariable v, Ssa::ExplicitDefinition def +from Ssa::SourceVariable v, SsaExplicitWrite def where v = def.getSourceVariable() -select v, def, def.getADefinition() +select v, def, def.getDefinition() From 31e06bc0a928783833e82c07bd8a835e4b69c621 Mon Sep 17 00:00:00 2001 From: Anders Schack-Mulligen Date: Mon, 27 Apr 2026 14:56:52 +0200 Subject: [PATCH 18/46] C#: Remove SSA location overrides. --- .../lib/semmle/code/csharp/dataflow/SSA.qll | 21 ------------------- 1 file changed, 21 deletions(-) diff --git a/csharp/ql/lib/semmle/code/csharp/dataflow/SSA.qll b/csharp/ql/lib/semmle/code/csharp/dataflow/SSA.qll index ed75874b842..39cbf602650 100644 --- a/csharp/ql/lib/semmle/code/csharp/dataflow/SSA.qll +++ b/csharp/ql/lib/semmle/code/csharp/dataflow/SSA.qll @@ -422,9 +422,6 @@ module Ssa { deprecated final predicate isLiveOutRefParameterDefinition(Parameter p) { SsaImpl::isLiveOutRefParameterDefinition(this, p) } - - /** Gets the location of this SSA definition. */ - override Location getLocation() { none() } } /** @@ -509,8 +506,6 @@ module Ssa { override Element getElement() { result = ad.getElement() } override string toString() { result = "SSA def(" + this.getSourceVariable() + ")" } - - override Location getLocation() { result = ad.getLocation() } } /** @@ -556,8 +551,6 @@ module Ssa { then result = "SSA capture def(" + this.getSourceVariable() + ")" else result = "SSA entry def(" + this.getSourceVariable() + ")" } - - override Location getLocation() { result = this.getCallable().getLocation() } } deprecated class ImplicitParameterDefinition = ParameterDefinition; @@ -625,8 +618,6 @@ module Ssa { } override string toString() { result = "SSA call def(" + this.getSourceVariable() + ")" } - - override Location getLocation() { result = this.getCall().getLocation() } } /** @@ -649,8 +640,6 @@ module Ssa { final Definition getQualifierDefinition() { result = q } override string toString() { result = "SSA qualifier def(" + this.getSourceVariable() + ")" } - - override Location getLocation() { result = this.getQualifierDefinition().getLocation() } } /** @@ -689,16 +678,6 @@ module Ssa { } override string toString() { result = "SSA phi(" + this.getSourceVariable() + ")" } - - /* - * The location of a phi node is the same as the location of the first node - * in the basic block in which it is defined. - * - * Strictly speaking, the node is *before* the first node, but such a location - * does not exist in the source program. - */ - - override Location getLocation() { result = this.getBasicBlock().getFirstNode().getLocation() } } /** From 6ecdf3fe3298c16cd232a4852185e83205a79c40 Mon Sep 17 00:00:00 2001 From: Anders Schack-Mulligen Date: Mon, 27 Apr 2026 14:59:22 +0200 Subject: [PATCH 19/46] C#: Replace Ssa::ImplicitParameterDefinition with SsaParameterInit. --- .../lib/semmle/code/csharp/dataflow/Nullness.qll | 6 ++---- csharp/ql/lib/semmle/code/csharp/dataflow/SSA.qll | 3 +++ .../csharp/dataflow/internal/DataFlowPrivate.qll | 14 +++----------- .../code/csharp/dataflow/internal/SsaImpl.qll | 2 +- .../dataflow/defuse/parameterUseEquivalence.ql | 2 +- .../dataflow/ssa/SsaImplicitParameterDef.ql | 2 +- 6 files changed, 11 insertions(+), 18 deletions(-) diff --git a/csharp/ql/lib/semmle/code/csharp/dataflow/Nullness.qll b/csharp/ql/lib/semmle/code/csharp/dataflow/Nullness.qll index 662cd5a5d18..3fc4f05a278 100644 --- a/csharp/ql/lib/semmle/code/csharp/dataflow/Nullness.qll +++ b/csharp/ql/lib/semmle/code/csharp/dataflow/Nullness.qll @@ -126,7 +126,7 @@ private predicate nonNullDef(SsaExplicitWrite def) { */ private predicate dereferenceAt(SsaDefinition def, Dereference d) { d = def.getARead() } -private predicate isMaybeNullArgument(Ssa::ParameterDefinition def, MaybeNullExpr arg) { +private predicate isMaybeNullArgument(SsaParameterInit def, MaybeNullExpr arg) { exists(AssignableDefinitions::ImplicitParameterDefinition pdef, Parameter p | p = def.getParameter() | @@ -320,9 +320,7 @@ class Dereference extends G::DereferenceableExpr { not p.getAnnotatedType().isNullableRefType() or p.fromSource() and - exists( - Ssa::ParameterDefinition def, AssignableDefinitions::ImplicitParameterDefinition pdef - | + exists(SsaParameterInit def, AssignableDefinitions::ImplicitParameterDefinition pdef | p = def.getParameter() | p.getUnboundDeclaration() = pdef.getParameter() and diff --git a/csharp/ql/lib/semmle/code/csharp/dataflow/SSA.qll b/csharp/ql/lib/semmle/code/csharp/dataflow/SSA.qll index 39cbf602650..384e327ff7e 100644 --- a/csharp/ql/lib/semmle/code/csharp/dataflow/SSA.qll +++ b/csharp/ql/lib/semmle/code/csharp/dataflow/SSA.qll @@ -553,6 +553,9 @@ module Ssa { } } + /** + * DEPRECATED: Use `SsaParameterInit` instead. + */ deprecated class ImplicitParameterDefinition = ParameterDefinition; final class ParameterDefinition = SsaImpl::ParameterDefinitionImpl; diff --git a/csharp/ql/lib/semmle/code/csharp/dataflow/internal/DataFlowPrivate.qll b/csharp/ql/lib/semmle/code/csharp/dataflow/internal/DataFlowPrivate.qll index b55b0cbd934..f581628a79c 100644 --- a/csharp/ql/lib/semmle/code/csharp/dataflow/internal/DataFlowPrivate.qll +++ b/csharp/ql/lib/semmle/code/csharp/dataflow/internal/DataFlowPrivate.qll @@ -1302,12 +1302,6 @@ private module NearestLocationInputParamAfterCallable implements NearestLocation } private module ParameterNodes { - pragma[nomagic] - private predicate ssaParamDef(Ssa::ParameterDefinition ssaDef, Parameter p, Location l) { - p = ssaDef.getParameter() and - l = ssaDef.getLocation() - } - private module NearestLocationInputParamBeforeCallable implements NearestLocationInputSig { class C = Parameter; @@ -1358,11 +1352,9 @@ private module ParameterNodes { } /** Gets the SSA definition corresponding to this parameter, if any. */ - Ssa::ParameterDefinition getSsaDefinition() { - exists(Parameter p, Location l | - l = this.getParameterLocation(p) and - ssaParamDef(result, p, l) - ) + SsaParameterInit getSsaDefinition() { + result.getParameter() = parameter and + result.getBasicBlock() = callable.getABasicBlock() } override predicate isParameterOf(DataFlowCallable c, ParameterPosition pos) { diff --git a/csharp/ql/lib/semmle/code/csharp/dataflow/internal/SsaImpl.qll b/csharp/ql/lib/semmle/code/csharp/dataflow/internal/SsaImpl.qll index 89c7276a1a2..715fe486759 100644 --- a/csharp/ql/lib/semmle/code/csharp/dataflow/internal/SsaImpl.qll +++ b/csharp/ql/lib/semmle/code/csharp/dataflow/internal/SsaImpl.qll @@ -1017,7 +1017,7 @@ private module DataFlowIntegrationInput implements Impl::DataFlowIntegrationInpu predicate ssaDefHasSource(WriteDefinition def) { // exclude flow directly from RHS to SSA definition, as we instead want to // go from RHS to matching assignable definition, and from there to SSA definition - def instanceof Ssa::ParameterDefinition + def instanceof SsaParameterInit } /** diff --git a/csharp/ql/test/library-tests/dataflow/defuse/parameterUseEquivalence.ql b/csharp/ql/test/library-tests/dataflow/defuse/parameterUseEquivalence.ql index 10b916ab3f4..fdb1a6e8995 100644 --- a/csharp/ql/test/library-tests/dataflow/defuse/parameterUseEquivalence.ql +++ b/csharp/ql/test/library-tests/dataflow/defuse/parameterUseEquivalence.ql @@ -24,7 +24,7 @@ private LocalScopeVariableRead getAReachableUncertainRead( AssignableDefinitions::ImplicitParameterDefinition p ) { exists(SsaDefinition ssaDef | - p.getParameter() = ssaDef.getAnUltimateDefinition().(Ssa::ParameterDefinition).getParameter() + p.getParameter() = ssaDef.getAnUltimateDefinition().(SsaParameterInit).getParameter() | result = ssaDef.getARead() ) diff --git a/csharp/ql/test/library-tests/dataflow/ssa/SsaImplicitParameterDef.ql b/csharp/ql/test/library-tests/dataflow/ssa/SsaImplicitParameterDef.ql index 253fdea1ffa..b1c28f020d1 100644 --- a/csharp/ql/test/library-tests/dataflow/ssa/SsaImplicitParameterDef.ql +++ b/csharp/ql/test/library-tests/dataflow/ssa/SsaImplicitParameterDef.ql @@ -1,5 +1,5 @@ import csharp -from Ssa::SourceVariable v, Ssa::ParameterDefinition def +from Ssa::SourceVariable v, SsaParameterInit def where v = def.getSourceVariable() select v, def, def.getParameter() From 9a7eb8dfb9f46914a6e714b144846c1b261f94bf Mon Sep 17 00:00:00 2001 From: Anders Schack-Mulligen Date: Mon, 27 Apr 2026 15:05:12 +0200 Subject: [PATCH 20/46] C#: Replace Ssa::PhiNode with SsaPhiDefinition. --- csharp/ql/lib/semmle/code/csharp/dataflow/Nullness.qll | 8 ++++---- csharp/ql/lib/semmle/code/csharp/dataflow/SSA.qll | 8 +++++--- .../lib/semmle/code/csharp/dataflow/internal/SsaImpl.qll | 2 +- .../internal/rangeanalysis/ModulusAnalysisSpecific.qll | 2 +- .../internal/rangeanalysis/SignAnalysisSpecific.qll | 2 +- .../internal/rangeanalysis/SsaReadPositionSpecific.qll | 2 +- .../library-tests/dataflow/defuse/useUseEquivalence.ql | 4 ++-- csharp/ql/test/library-tests/dataflow/ssa/SSAPhi.ql | 2 +- 8 files changed, 16 insertions(+), 14 deletions(-) diff --git a/csharp/ql/lib/semmle/code/csharp/dataflow/Nullness.qll b/csharp/ql/lib/semmle/code/csharp/dataflow/Nullness.qll index 3fc4f05a278..1cd9c71acfc 100644 --- a/csharp/ql/lib/semmle/code/csharp/dataflow/Nullness.qll +++ b/csharp/ql/lib/semmle/code/csharp/dataflow/Nullness.qll @@ -186,7 +186,7 @@ private predicate defMaybeNull(SsaDefinition def, ControlFlowNode node, string m de.guardSuggestsMaybeNull(reason) and msg = "as suggested by $@ null check" and node = def.getControlFlowNode() and - not de = any(Ssa::PhiNode phi).getARead() and + not de = any(SsaPhiDefinition phi).getARead() and // Don't use a check as reason if there is a `null` assignment // or argument not def.(SsaExplicitWrite).getValue() instanceof MaybeNullExpr and @@ -213,7 +213,7 @@ private predicate defMaybeNull(SsaDefinition def, ControlFlowNode node, string m exists(Dereference d | dereferenceAt(def, d) | node = def.getControlFlowNode() and d.hasNullableType() and - not def instanceof Ssa::PhiNode and + not def instanceof SsaPhiDefinition and reason = def.getSourceVariable().getAssignable() and msg = "because it has a nullable type" ) @@ -221,14 +221,14 @@ private predicate defMaybeNull(SsaDefinition def, ControlFlowNode node, string m } private SsaDefinition getAPseudoInput(SsaDefinition def) { - result = def.(Ssa::PhiNode).getAnInput() + result = def.(SsaPhiDefinition).getAnInput() } // `def.getAnUltimateDefinition()` includes inputs into uncertain // definitions, but we only want inputs into pseudo nodes private SsaDefinition getAnUltimateDefinition(SsaDefinition def) { result = getAPseudoInput*(def) and - not result instanceof Ssa::PhiNode + not result instanceof SsaPhiDefinition } /** diff --git a/csharp/ql/lib/semmle/code/csharp/dataflow/SSA.qll b/csharp/ql/lib/semmle/code/csharp/dataflow/SSA.qll index 384e327ff7e..81211505045 100644 --- a/csharp/ql/lib/semmle/code/csharp/dataflow/SSA.qll +++ b/csharp/ql/lib/semmle/code/csharp/dataflow/SSA.qll @@ -357,7 +357,7 @@ module Ssa { * includes inputs to phi nodes and the prior definitions of uncertain writes. */ private Definition getAPhiInputOrPriorDefinition() { - result = this.(PhiNode).getAnInput() or + result = this.(SsaPhiDefinition).getAnInput() or result = this.(UncertainDefinition).getPriorDefinition() } @@ -392,7 +392,7 @@ module Ssa { */ final Definition getAnUltimateDefinition() { result = this.getAPhiInputOrPriorDefinition*() and - not result instanceof PhiNode + not result instanceof SsaPhiDefinition } /** @@ -646,11 +646,13 @@ module Ssa { } /** + * DEPRECATED: Use `SsaPhiDefinition` instead. + * * An SSA phi node, that is, a pseudo definition for a variable at a point * in the flow graph where otherwise two or more definitions for the variable * would be visible. */ - class PhiNode extends Definition, SsaImpl::PhiNode { + deprecated class PhiNode extends Definition, SsaImpl::PhiNode { /** * Gets an input of this phi node. Example: * diff --git a/csharp/ql/lib/semmle/code/csharp/dataflow/internal/SsaImpl.qll b/csharp/ql/lib/semmle/code/csharp/dataflow/internal/SsaImpl.qll index 715fe486759..74bc5651aee 100644 --- a/csharp/ql/lib/semmle/code/csharp/dataflow/internal/SsaImpl.qll +++ b/csharp/ql/lib/semmle/code/csharp/dataflow/internal/SsaImpl.qll @@ -873,7 +873,7 @@ private module Cached { } cached - Definition phiHasInputFromBlock(Ssa::PhiNode phi, BasicBlock bb) { + deprecated Definition phiHasInputFromBlock(Ssa::PhiNode phi, BasicBlock bb) { Impl::phiHasInputFromBlock(phi, result, bb) } diff --git a/csharp/ql/lib/semmle/code/csharp/dataflow/internal/rangeanalysis/ModulusAnalysisSpecific.qll b/csharp/ql/lib/semmle/code/csharp/dataflow/internal/rangeanalysis/ModulusAnalysisSpecific.qll index fbc09e7ec52..34b5ec9a5e8 100644 --- a/csharp/ql/lib/semmle/code/csharp/dataflow/internal/rangeanalysis/ModulusAnalysisSpecific.qll +++ b/csharp/ql/lib/semmle/code/csharp/dataflow/internal/rangeanalysis/ModulusAnalysisSpecific.qll @@ -9,7 +9,7 @@ module Private { class SsaVariable = SU::SsaVariable; - class SsaPhiNode = CS::Ssa::PhiNode; + class SsaPhiNode = CS::SsaPhiDefinition; class Expr = CS::ControlFlowNodes::ExprNode; diff --git a/csharp/ql/lib/semmle/code/csharp/dataflow/internal/rangeanalysis/SignAnalysisSpecific.qll b/csharp/ql/lib/semmle/code/csharp/dataflow/internal/rangeanalysis/SignAnalysisSpecific.qll index 96d6b2b979a..77e30d239fd 100644 --- a/csharp/ql/lib/semmle/code/csharp/dataflow/internal/rangeanalysis/SignAnalysisSpecific.qll +++ b/csharp/ql/lib/semmle/code/csharp/dataflow/internal/rangeanalysis/SignAnalysisSpecific.qll @@ -15,7 +15,7 @@ module Private { class SsaVariable = CS::SsaDefinition; - class SsaPhiNode = CS::Ssa::PhiNode; + class SsaPhiNode = CS::SsaPhiDefinition; class VarAccess = RU::ExprNode::AssignableAccess; diff --git a/csharp/ql/lib/semmle/code/csharp/dataflow/internal/rangeanalysis/SsaReadPositionSpecific.qll b/csharp/ql/lib/semmle/code/csharp/dataflow/internal/rangeanalysis/SsaReadPositionSpecific.qll index 18c843c0472..77833591c3e 100644 --- a/csharp/ql/lib/semmle/code/csharp/dataflow/internal/rangeanalysis/SsaReadPositionSpecific.qll +++ b/csharp/ql/lib/semmle/code/csharp/dataflow/internal/rangeanalysis/SsaReadPositionSpecific.qll @@ -7,7 +7,7 @@ private import SsaReadPositionCommon class SsaVariable = CS::SsaDefinition; -class SsaPhiNode = CS::Ssa::PhiNode; +class SsaPhiNode = CS::SsaPhiDefinition; class BasicBlock = CS::BasicBlock; diff --git a/csharp/ql/test/library-tests/dataflow/defuse/useUseEquivalence.ql b/csharp/ql/test/library-tests/dataflow/defuse/useUseEquivalence.ql index 986707c018d..c92dd13ab1e 100644 --- a/csharp/ql/test/library-tests/dataflow/defuse/useUseEquivalence.ql +++ b/csharp/ql/test/library-tests/dataflow/defuse/useUseEquivalence.ql @@ -32,7 +32,7 @@ private TLocalScopeVariableReadOrSsaDef getANextReadOrDef(TLocalScopeVariableRea result = TLocalScopeVariableRead(read.getANextRead()) or not exists(read.getANextRead()) and - exists(SsaDefinition ssaDef, Ssa::PhiNode phi, BasicBlock bb | + exists(SsaDefinition ssaDef, SsaPhiDefinition phi, BasicBlock bb | ssaDef.getARead() = read and phi.getAnInput() = ssaDef and phi.definesAt(_, bb, _) and @@ -45,7 +45,7 @@ private TLocalScopeVariableReadOrSsaDef getANextReadOrDef(TLocalScopeVariableRea result = TLocalScopeVariableRead(Ssa::ssaGetAFirstUse(ssaDef)) or not exists(Ssa::ssaGetAFirstUse(ssaDef)) and - exists(Ssa::PhiNode phi | + exists(SsaPhiDefinition phi | phi.getAnInput() = ssaDef and result = TSsaDefinition(phi) ) diff --git a/csharp/ql/test/library-tests/dataflow/ssa/SSAPhi.ql b/csharp/ql/test/library-tests/dataflow/ssa/SSAPhi.ql index db24031365a..310bc40fcad 100644 --- a/csharp/ql/test/library-tests/dataflow/ssa/SSAPhi.ql +++ b/csharp/ql/test/library-tests/dataflow/ssa/SSAPhi.ql @@ -1,6 +1,6 @@ import csharp -from Ssa::SourceVariable v, Ssa::PhiNode phi, SsaDefinition input +from Ssa::SourceVariable v, SsaPhiDefinition phi, SsaDefinition input where phi.getAnInput() = input and v = phi.getSourceVariable() From 65f647a8c0221cb305bff37e712ed1e38f5d4d52 Mon Sep 17 00:00:00 2001 From: Anders Schack-Mulligen Date: Mon, 27 Apr 2026 15:07:51 +0200 Subject: [PATCH 21/46] C#: Replace Ssa::UncertainDefinition with SsaUncertainWrite. --- csharp/ql/lib/semmle/code/csharp/dataflow/SSA.qll | 6 ++++-- .../ql/lib/semmle/code/csharp/dataflow/internal/SsaImpl.qll | 2 +- 2 files changed, 5 insertions(+), 3 deletions(-) diff --git a/csharp/ql/lib/semmle/code/csharp/dataflow/SSA.qll b/csharp/ql/lib/semmle/code/csharp/dataflow/SSA.qll index 81211505045..d29ace056b9 100644 --- a/csharp/ql/lib/semmle/code/csharp/dataflow/SSA.qll +++ b/csharp/ql/lib/semmle/code/csharp/dataflow/SSA.qll @@ -358,7 +358,7 @@ module Ssa { */ private Definition getAPhiInputOrPriorDefinition() { result = this.(SsaPhiDefinition).getAnInput() or - result = this.(UncertainDefinition).getPriorDefinition() + result = this.(SsaUncertainWrite).getPriorDefinition() } /** @@ -686,12 +686,14 @@ module Ssa { } /** + * DEPRECATED: Use `SsaUncertainWrite` instead. + * * An SSA definition that represents an uncertain update of the underlying * assignable. Either an explicit update that is uncertain (`ref` assignments * need not be certain), an implicit non-local update via a call, or an * uncertain update of the qualifier. */ - class UncertainDefinition extends Definition, SsaImpl::UncertainWriteDefinition { + deprecated class UncertainDefinition extends Definition, SsaImpl::UncertainWriteDefinition { /** * Gets the immediately preceding definition. Since this update is uncertain, * the value from the preceding definition might still be valid. diff --git a/csharp/ql/lib/semmle/code/csharp/dataflow/internal/SsaImpl.qll b/csharp/ql/lib/semmle/code/csharp/dataflow/internal/SsaImpl.qll index 74bc5651aee..a610fd4bcd4 100644 --- a/csharp/ql/lib/semmle/code/csharp/dataflow/internal/SsaImpl.qll +++ b/csharp/ql/lib/semmle/code/csharp/dataflow/internal/SsaImpl.qll @@ -912,7 +912,7 @@ private module Cached { } cached - Definition uncertainWriteDefinitionInput(UncertainWriteDefinition def) { + deprecated Definition uncertainWriteDefinitionInput(UncertainWriteDefinition def) { Impl::uncertainWriteDefinitionInput(def, result) } From e1cd708c756e3f055595b0eb829b7cc1417de929 Mon Sep 17 00:00:00 2001 From: Tom Hvitved Date: Thu, 30 Apr 2026 13:33:32 +0200 Subject: [PATCH 22/46] Rust: Use verbose type paths in inline expectation comments --- .../type-inference/associated_types.rs | 12 +- .../type-inference/dereference.rs | 12 +- .../test/library-tests/type-inference/main.rs | 172 +++++++++--------- .../type-inference/pattern_matching.rs | 36 ++-- .../type-inference/raw_pointer.rs | 8 +- .../type-inference/regressions.rs | 4 +- .../type-inference/type-inference.ql | 9 +- .../typeinference/internal/TypeInference.qll | 29 ++- 8 files changed, 153 insertions(+), 129 deletions(-) diff --git a/rust/ql/test/library-tests/type-inference/associated_types.rs b/rust/ql/test/library-tests/type-inference/associated_types.rs index a678a531f8d..f382f68ec26 100644 --- a/rust/ql/test/library-tests/type-inference/associated_types.rs +++ b/rust/ql/test/library-tests/type-inference/associated_types.rs @@ -131,9 +131,9 @@ mod default_method_using_associated_type { println!("{:?}", y); let x5 = S2; - println!("{:?}", x5.m1()); // $ target=m1 type=x5.m1():A.S2 + println!("{:?}", x5.m1()); // $ target=m1 type=x5.m1()@Wrapper:S2 let x6 = S2; - println!("{:?}", x6.m2()); // $ target=m2 type=x6.m2():A.S2 + println!("{:?}", x6.m2()); // $ target=m2 type=x6.m2()@Wrapper:S2 } } @@ -400,10 +400,10 @@ mod generic_associated_type { pub fn test() { let s = S; // Call to the method in `impl` block - let _g1 = s.put(1i32); // $ target=S::put type=_g1:A.i32 + let _g1 = s.put(1i32); // $ target=S::put type=_g1@Wrapper:i32 // Call to default implementation in `trait` block - let _g2 = s.put_two(true, false); // $ target=MyTraitAssoc2::put_two MISSING: type=_g2:A.bool + let _g2 = s.put_two(true, false); // $ target=MyTraitAssoc2::put_two MISSING: type=_g2@Wrapper:bool } } @@ -534,12 +534,12 @@ mod generic_associated_type_name_clash { type Output = Result; fn get(&self) -> Self::Output { - Ok(self.0) // $ fieldof=ST type=Ok(...):Result type=Ok(...):T.Output type=Ok(...):E.Output + Ok(self.0) // $ fieldof=ST type=Ok(...)@Result:Output type=Ok(...)@Result:Output } } pub fn test() { - let _y = ST(true).get(); // $ type=_y:Result type=_y:T.bool type=_y:E.bool target=get + let _y = ST(true).get(); // $ type=_y@Result:bool type=_y@Result:bool target=get } } diff --git a/rust/ql/test/library-tests/type-inference/dereference.rs b/rust/ql/test/library-tests/type-inference/dereference.rs index 4767e07576f..99886987d99 100644 --- a/rust/ql/test/library-tests/type-inference/dereference.rs +++ b/rust/ql/test/library-tests/type-inference/dereference.rs @@ -46,7 +46,7 @@ impl S { fn explicit_monomorphic_dereference() { // Dereference with method call let a1 = MyIntPointer { value: 34i64 }; - let _b1 = a1.deref(); // $ target=MyIntPointer::deref type=_b1:TRef.i64 + let _b1 = a1.deref(); // $ target=MyIntPointer::deref type=_b1@&:i64 // Dereference with overloaded dereference operator let a2 = MyIntPointer { value: 34i64 }; @@ -60,7 +60,7 @@ fn explicit_monomorphic_dereference() { fn explicit_polymorphic_dereference() { // Explicit dereference with type parameter let c1 = MySmartPointer { value: 'a' }; - let _d1 = c1.deref(); // $ target=MySmartPointer::deref type=_d1:TRef.char + let _d1 = c1.deref(); // $ target=MySmartPointer::deref type=_d1@&:char // Explicit dereference with type parameter let c2 = MySmartPointer { value: 'a' }; @@ -74,7 +74,7 @@ fn explicit_polymorphic_dereference() { fn explicit_ref_dereference() { // Explicit dereference with type parameter let e1 = &'a'; - let _f1 = e1.deref(); // $ target=deref type=_f1:TRef.char + let _f1 = e1.deref(); // $ target=deref type=_f1@&:char // Explicit dereference with type parameter let e2 = &'a'; @@ -88,7 +88,7 @@ fn explicit_ref_dereference() { fn explicit_box_dereference() { // Explicit dereference with type parameter let g1: Box = Box::new('a'); // $ target=new - let _h1 = g1.deref(); // $ target=deref type=_h1:TRef.char + let _h1 = g1.deref(); // $ target=deref type=_h1@&:char // Explicit dereference with type parameter let g2: Box = Box::new('a'); // $ target=new @@ -109,9 +109,9 @@ fn implicit_dereference() { let _y = x.is_positive(); // $ target=is_positive type=_y:bool let z = MySmartPointer { value: S(0i64) }; - let z_ = z.foo(); // $ target=foo type=z_:TRef.i64 + let z_ = z.foo(); // $ target=foo type=z_@&:i64 - let v = Vec::new(); // $ target=new type=v:T.i32 + let v = Vec::new(); // $ target=new type=v@Vec:i32 let mut x = MySmartPointer { value: v }; x.push(0); // $ target=push } diff --git a/rust/ql/test/library-tests/type-inference/main.rs b/rust/ql/test/library-tests/type-inference/main.rs index ecb4816ebb0..78d6ef3a2ed 100644 --- a/rust/ql/test/library-tests/type-inference/main.rs +++ b/rust/ql/test/library-tests/type-inference/main.rs @@ -34,7 +34,7 @@ mod field_access { fn generic_field_access() { // Explicit type argument - let x = GenericThing:: { a: S }; // $ certainType=x:A.S + let x = GenericThing:: { a: S }; // $ certainType=x@GenericThing:S println!("{:?}", x.a); // $ fieldof=GenericThing // Implicit type argument @@ -427,7 +427,7 @@ mod method_non_parametric_trait_impl { let x = call_trait_m1(thing_s1); // $ type=x:S1 target=call_trait_m1 println!("{:?}", x); - let y = call_trait_m1(thing_s2); // $ type=y:MyThing type=y:A.S2 target=call_trait_m1 + let y = call_trait_m1(thing_s2); // $ type=y:MyThing type=y@MyThing:S2 target=call_trait_m1 println!("{:?}", y.a); // $ fieldof=MyThing // First implementation @@ -566,7 +566,7 @@ mod trait_default_self_type_parameter { // The trait bound on `T` uses the default for `A` which contains `Self` fn tp_uses_default(thing: S) -> i64 { - let _ms = thing.get_a(); // $ target=TraitWithSelfTp::get_a type=_ms:T.S + let _ms = thing.get_a(); // $ target=TraitWithSelfTp::get_a type=_ms@Option:S 0 } @@ -575,7 +575,7 @@ mod trait_default_self_type_parameter { fn get_a_through_tp(thing: &S) { // `thing` is a `TraitWithSelfTp` through the trait hierarchy - let _ms = get_a(thing); // $ target=get_a type=_ms:T.S + let _ms = get_a(thing); // $ target=get_a type=_ms@Option:S } struct MyStruct { @@ -593,7 +593,7 @@ mod trait_default_self_type_parameter { pub fn test() { let s = MyStruct { value: 0 }; - let _ms = get_a(&s); // $ target=get_a type=_ms:T.MyStruct + let _ms = get_a(&s); // $ target=get_a type=_ms@Option:MyStruct } } @@ -871,7 +871,7 @@ mod method_supertraits { fn type_param_trait_to_supertrait>(x: T) { // Test that `MyTrait3` is a subtrait of `MyTrait1>` - let a = x.m1(); // $ target=MyTrait1::m1 type=a:MyThing type=a:A.S1 + let a = x.m1(); // $ target=MyTrait1::m1 type=a@MyThing:S1 println!("{:?}", a); } @@ -898,7 +898,7 @@ mod method_supertraits { let s = call_trait_m1(x); // $ type=s:S1 target=call_trait_m1 let x = MyThing2 { a: S2 }; - let s = call_trait_m1(x); // $ type=s:MyThing type=s:A.S2 target=call_trait_m1 + let s = call_trait_m1(x); // $ type=s@MyThing:S2 target=call_trait_m1 } } @@ -1011,20 +1011,20 @@ mod type_aliases { println!("{:?}", p1); // Type can be only inferred from the type alias - let p2: MyPair = PairOption::PairNone(); // $ certainType=p2:Fst.S1 certainType=p2:Snd.S2 + let p2: MyPair = PairOption::PairNone(); // $ certainType=p2@PairOption:S1 certainType=p2@PairOption:S2 println!("{:?}", p2); // First type from alias, second from constructor - let p3: AnotherPair<_> = PairOption::PairSnd(S3); // $ certainType=p3:Fst.S2 + let p3: AnotherPair<_> = PairOption::PairSnd(S3); // $ certainType=p3@PairOption:S2 println!("{:?}", p3); // First type from alias definition, second from argument to alias - let p3: AnotherPair = PairOption::PairNone(); // $ certainType=p3:Fst.S2 certainType=p3:Snd.S3 + let p3: AnotherPair = PairOption::PairNone(); // $ certainType=p3@PairOption:S2 certainType=p3@PairOption:S3 println!("{:?}", p3); g(PairOption::PairSnd(PairOption::PairSnd(S3))); // $ target=g - let x: S7; // $ certainType=x:Result $ certainType=x:E.S1 $ certainType=x:T.S4 $ certainType=x:T.T41.S2 $ certainType=x:T.T42.S5 $ certainType=x:T.T42.T5.S2 + let x: S7; // $ certainType=x@Result:S1 $ certainType=x@Result:S4 $ certainType=x@Result.S4:S2 $ certainType=x@Result.S4:S5 $ certainType=x@Result.S4.S5:S2 } } @@ -1068,7 +1068,7 @@ mod option_methods { struct S; pub fn f() { - let x1 = MyOption::::new(); // $ certainType=x1:T.S target=new + let x1 = MyOption::::new(); // $ certainType=x1@MyOption:S target=new println!("{:?}", x1); let mut x2 = MyOption::new(); // $ target=new @@ -1192,14 +1192,14 @@ mod method_call_type_conversion { let x7 = S(&S2); // Non-implicit dereference with nested borrow in order to test that the // implicit dereference handling doesn't affect nested borrows. - let t = x7.m1(); // $ target=m1 type=t:& type=t:TRef.S2 + let t = x7.m1(); // $ target=m1 type=t:& type=t@&:S2 println!("{:?}", x7); let x9: String = "Hello".to_string(); // $ certainType=x9:String target=to_string // Implicit `String` -> `str` conversion happens via the `Deref` trait: // https://doc.rust-lang.org/std/string/struct.String.html#deref. - let u = x9.parse::(); // $ target=parse type=u:T.u32 + let u = x9.parse::(); // $ target=parse type=u@Result:u32 let my_thing = &MyInt { a: 37 }; // implicit borrow of a `&` @@ -1382,7 +1382,7 @@ mod builtins { let z = x + y; // $ type=z:i32 target=add let z = x.abs(); // $ target=abs $ type=z:i32 let c = 'c'; // $ certainType=c:char - let hello = "Hello"; // $ certainType=hello:TRef.str + let hello = "Hello"; // $ certainType=hello@&:str let f = 123.0f64; // $ certainType=f:f64 let t = true; // $ certainType=t:bool let f = false; // $ certainType=f:bool @@ -1403,8 +1403,8 @@ mod builtins { } } - let x = [1, 2, 3].my_method(); // $ target=my_method type=x:TRef.i32 - let x = <[_; 3]>::my_method(&[1, 2, 3]); // $ target=my_method type=x:TRef.i32 + let x = [1, 2, 3].my_method(); // $ target=my_method type=x@&:i32 + let x = <[_; 3]>::my_method(&[1, 2, 3]); // $ target=my_method type=x@&:i32 let x = <[i32; 3]>::my_func(); // $ target=my_func type=x:i32 impl MyTrait for [T] { @@ -1418,8 +1418,8 @@ mod builtins { } let s: &[i32] = &[1, 2, 3]; - let x = s.my_method(); // $ target=my_method type=x:TRef.i32 - let x = <[_]>::my_method(s); // $ target=my_method type=x:TRef.i32 + let x = s.my_method(); // $ target=my_method type=x@&:i32 + let x = <[_]>::my_method(s); // $ target=my_method type=x@&:i32 let x = <[i32]>::my_func(); // $ target=my_func type=x:i32 impl MyTrait for (T, i32) { @@ -1433,8 +1433,8 @@ mod builtins { } let p = (42, 7); - let x = p.my_method(); // $ target=my_method type=x:TRef.i32 - let x = <(_, _)>::my_method(&p); // $ target=my_method type=x:TRef.i32 + let x = p.my_method(); // $ target=my_method type=x@&:i32 + let x = <(_, _)>::my_method(&p); // $ target=my_method type=x@&:i32 let x = <(i32, i32)>::my_func(); // $ target=my_func type=x:i32 impl MyTrait for &T { @@ -1448,8 +1448,8 @@ mod builtins { } let r = &42; - let x = r.my_method(); // $ target=my_method type=x:TRef.i32 - let x = <&_>::my_method(&r); // $ target=my_method type=x:TRef.i32 + let x = r.my_method(); // $ target=my_method type=x@&:i32 + let x = <&_>::my_method(&r); // $ target=my_method type=x@&:i32 let x = <&i32>::my_func(); // $ target=my_func type=x:i32 impl MyTrait for *mut T { @@ -1464,8 +1464,8 @@ mod builtins { let mut v = 42; let p: *mut i32 = &mut v; - let x = unsafe { p.my_method() }; // $ target=my_method type=x:TRef.i32 - let x = unsafe { <*mut _>::my_method(&p) }; // $ target=my_method type=x:TRef.i32 + let x = unsafe { p.my_method() }; // $ target=my_method type=x@&:i32 + let x = unsafe { <*mut _>::my_method(&p) }; // $ target=my_method type=x@&:i32 let x = <*mut i32>::my_func(); // $ target=my_func type=x:i32 } } @@ -2046,7 +2046,7 @@ mod indexers { } pub fn f() { - let mut vec = MyVec::new(); // $ type=vec:T.S target=new + let mut vec = MyVec::new(); // $ type=vec@MyVec:S target=new vec.push(S); // $ target=push vec[0].foo(); // $ target=MyVec::index target=foo @@ -2262,24 +2262,24 @@ mod loops { for i in [1, 2, 3].map(|x| x + 1) {} // $ target=map target=add type=i:i32 for i in [1, 2, 3].into_iter() {} // $ target=into_iter type=i:i32 - let vals1 = [1u8, 2, 3]; // $ type=vals1:TArray.u8 + let vals1 = [1u8, 2, 3]; // $ type=vals1@[;]:u8 for u in vals1 {} // $ type=u:u8 - let vals2 = [1u16; 3]; // $ type=vals2:TArray.u16 + let vals2 = [1u16; 3]; // $ type=vals2@[;]:u16 for u in vals2 {} // $ type=u:u16 - let vals3: [u32; 3] = [1, 2, 3]; // $ certainType=vals3:TArray.u32 + let vals3: [u32; 3] = [1, 2, 3]; // $ certainType=vals3@[;]:u32 for u in vals3 {} // $ type=u:u32 - let vals4: [u64; 3] = [1; 3]; // $ certainType=vals4:TArray.u64 + let vals4: [u64; 3] = [1; 3]; // $ certainType=vals4@[;]:u64 for u in vals4 {} // $ type=u:u64 - let mut strings1 = ["foo", "bar", "baz"]; // $ type=strings1:TArray.TRef.str - for s in &strings1 {} // $ type=s:TRef.TRef.str - for s in &mut strings1 {} // $ type=s:TRefMut.TRef.str - for s in strings1 {} // $ type=s:TRef.str + let mut strings1 = ["foo", "bar", "baz"]; // $ type=strings1@[;].&:str + for s in &strings1 {} // $ type=s@&.&:str + for s in &mut strings1 {} // $ type=s@&mut.&:str + for s in strings1 {} // $ type=s@&:str - let strings2 = // $ type=strings2:TArray.String + let strings2 = // $ type=strings2@[;]:String [ String::from("foo"), // $ target=from String::from("bar"), // $ target=from @@ -2287,15 +2287,15 @@ mod loops { ]; for s in strings2 {} // $ type=s:String - let strings3 = // $ type=strings3:TRef.TArray.String + let strings3 = // $ type=strings3@&.[;]:String &[ String::from("foo"), // $ target=from String::from("bar"), // $ target=from String::from("baz"), // $ target=from ]; - for s in strings3 {} // $ type=s:TRef.String + for s in strings3 {} // $ type=s@&:String - let callables = [MyCallable::new(), MyCallable::new(), MyCallable::new()]; // $ target=new $ type=callables:TArray.MyCallable + let callables = [MyCallable::new(), MyCallable::new(), MyCallable::new()]; // $ target=new $ type=callables@[;]:MyCallable for c // $ type=c:MyCallable in callables { @@ -2305,13 +2305,13 @@ mod loops { // for loops with ranges for i in 0..10 {} // $ type=i:i32 - for u in [0u8..10] {} // $ type=u:Range type=u:Idx.u8 - let range = 0..10; // $ certainType=range:Range type=range:Idx.i32 + for u in [0u8..10] {} // $ type=u:Range type=u@Range:u8 + let range = 0..10; // $ certainType=range:Range type=range@Range:i32 for i in range {} // $ type=i:i32 let range_full = ..; // $ certainType=range_full:RangeFull - for i in &[1i64, 2i64, 3i64][range_full] {} // $ target=index MISSING: type=i:TRef.i64 + for i in &[1i64, 2i64, 3i64][range_full] {} // $ target=index MISSING: type=i@&:i64 - let range1 = // $ certainType=range1:Range type=range1:Idx.u16 + let range1 = // $ certainType=range1:Range type=range1@Range:u16 std::ops::Range { start: 0u16, end: 10u16, @@ -2320,39 +2320,39 @@ mod loops { // for loops with containers - let vals3 = vec![1, 2, 3]; // $ type=vals3:Vec $ MISSING: type=vals3:T.i32 + let vals3 = vec![1, 2, 3]; // $ type=vals3:Vec $ MISSING: type=vals3@Vec:i32 for i in vals3 {} // $ MISSING: type=i:i32 - let vals4a: Vec = [1u16, 2, 3].to_vec(); // $ certainType=vals4a:Vec certainType=vals4a:T.u16 + let vals4a: Vec = [1u16, 2, 3].to_vec(); // $ certainType=vals4a@Vec:u16 for u in vals4a {} // $ type=u:u16 - let vals4b = [1u16, 2, 3].to_vec(); // $ MISSING: type=vals4b:Vec type=vals4b:T.u16 + let vals4b = [1u16, 2, 3].to_vec(); // $ MISSING: type=vals4b:Vec type=vals4b@Vec:u16 for u in vals4b {} // $ MISSING: type=u:u16 - let vals5 = Vec::from([1u32, 2, 3]); // $ certainType=vals5:Vec target=from type=vals5:T.u32 + let vals5 = Vec::from([1u32, 2, 3]); // $ target=from type=vals5@Vec:u32 for u in vals5 {} // $ type=u:u32 - let vals6: Vec<&u64> = [1u64, 2, 3].iter().collect(); // $ certainType=vals6:Vec certainType=vals6:T.TRef.u64 - for u in vals6 {} // $ type=u:TRef.u64 + let vals6: Vec<&u64> = [1u64, 2, 3].iter().collect(); // $ certainType=vals6@Vec.&:u64 + for u in vals6 {} // $ type=u@&:u64 - let mut vals7 = Vec::new(); // $ target=new certainType=vals7:Vec type=vals7:T.u8 + let mut vals7 = Vec::new(); // $ target=new type=vals7@Vec:u8 vals7.push(1u8); // $ target=push for u in vals7 {} // $ type=u:u8 - let matrix1 = vec![vec![1, 2], vec![3, 4]]; // $ type=matrix1:Vec $ MISSING: type=matrix1:T.Vec type=matrix1:T.T.i32 + let matrix1 = vec![vec![1, 2], vec![3, 4]]; // $ type=matrix1:Vec $ MISSING: type=matrix1@T:Vec type=matrix1@Vec.Vec:i32 #[rustfmt::skip] - let _ = for row in matrix1 { // $ MISSING: type=row:Vec type=row:T.i32 + let _ = for row in matrix1 { // $ MISSING: type=row:Vec type=row@Vec:i32 for cell in row { // $ MISSING: type=cell:i32 } }; - let mut map1 = std::collections::HashMap::new(); // $ target=new type=map1:K.i32 type=map1:V.Box $ MISSING: type=map1:Hashmap type1=map1:V.T.TRef.str + let mut map1 = std::collections::HashMap::new(); // $ target=new type=map1@HashMap:i32 type=map1@HashMap.Box.&:str map1.insert(1, Box::new("one")); // $ target=insert target=new map1.insert(2, Box::new("two")); // $ target=insert target=new - for key in map1.keys() {} // $ target=keys type=key:TRef.i32 - for value in map1.values() {} // $ target=values type=value:TRef.Box type=value:TRef.T.TRef.str - for (key, value) in map1.iter() {} // $ target=iter type=key:TRef.i32 type=value:TRef.Box type=value:TRef.T.TRef.str - for (key, value) in &map1 {} // $ type=key:TRef.i32 type=value:TRef.Box type=value:TRef.T.TRef.str + for key in map1.keys() {} // $ target=keys type=key@&:i32 + for value in map1.values() {} // $ target=values type=value@&.Box.&:str + for (key, value) in map1.iter() {} // $ target=iter type=key@&:i32 type=value@&.Box.&:str + for (key, value) in &map1 {} // $ type=key@&:i32 type=value@&.Box.&:str // while loops @@ -2398,27 +2398,27 @@ mod explicit_type_args { } pub fn f() { - let x1: Option> = S1::assoc_fun(); // $ certainType=x1:T.T.S2 target=assoc_fun - let x2 = S1::::assoc_fun(); // $ certainType=x2:T.T.S2 target=assoc_fun - let x3 = S3::assoc_fun(); // $ certainType=x3:T.T.S2 target=assoc_fun - let x4 = S1::::method(S1::default()); // $ target=method target=default certainType=x4:T.S2 - let x5 = S3::method(S1::default()); // $ target=method target=default certainType=x5:T.S2 - let x6 = S4::(Default::default()); // $ type=x6:T4.S2 target=default - let x7 = S4(S2); // $ type=x7:T4.S2 - let x8 = S4(0); // $ type=x8:T4.i32 - let x9 = S4(S2::default()); // $ type=x9:T4.S2 target=default - let x10 = S5:: // $ certainType=x10:T5.S2 + let x1: Option> = S1::assoc_fun(); // $ certainType=x1@Option.S1:S2 target=assoc_fun + let x2 = S1::::assoc_fun(); // $ certainType=x2@Option.S1:S2 target=assoc_fun + let x3 = S3::assoc_fun(); // $ certainType=x3@Option.S1:S2 target=assoc_fun + let x4 = S1::::method(S1::default()); // $ target=method target=default certainType=x4@S1:S2 + let x5 = S3::method(S1::default()); // $ target=method target=default certainType=x5@S1:S2 + let x6 = S4::(Default::default()); // $ type=x6@S4:S2 target=default + let x7 = S4(S2); // $ type=x7@S4:S2 + let x8 = S4(0); // $ type=x8@S4:i32 + let x9 = S4(S2::default()); // $ type=x9@S4:S2 target=default + let x10 = S5:: // $ certainType=x10@S5:S2 { field: Default::default(), // $ target=default }; - let x11 = S5 { field: S2 }; // $ type=x11:T5.S2 - let x12 = S5 { field: 0 }; // $ type=x12:T5.i32 - let x13 = S5 // $ type=x13:T5.S2 + let x11 = S5 { field: S2 }; // $ type=x11@S5:S2 + let x12 = S5 { field: 0 }; // $ type=x12@S5:i32 + let x13 = S5 // $ type=x13@S5:S2 { field: S2::default(), // $ target=default }; let x14 = foo::(Default::default()); // $ certainType=x14:i32 target=default target=foo - let x15 = S1::::default(); // $ certainType=x15:T.S2 target=default + let x15 = S1::::default(); // $ certainType=x15@S1:S2 target=default } } @@ -2454,11 +2454,11 @@ mod tuples { // `a` and `b` to be inferred. let a = Default::default(); // $ target=default type=a:i64 let b = Default::default(); // $ target=default type=b:bool - let pair = (a, b); // $ type=pair:T0.i64 type=pair:T1.bool + let pair = (a, b); // $ type=pair@(T_2):i64 type=pair@(T_2):bool let i: i64 = pair.0; // $ fieldof=Tuple2 let j: bool = pair.1; // $ fieldof=Tuple2 - let pair = [1, 1].into(); // $ type=pair:(T_2) type=pair:T0.i32 type=pair:T1.i32 target=into + let pair = [1, 1].into(); // $ type=pair@(T_2):i32 type=pair@(T_2):i32 target=into match pair { (0, 0) => print!("unexpected"), _ => print!("expected"), @@ -2572,7 +2572,7 @@ mod if_expr { pub fn f(b: bool) -> Box> { let x = if b { let y = Default::default(); // $ target=default - y // $ type=y:T.i32 + y // $ type=y@S:i32 } else { S(2) }; @@ -2648,14 +2648,14 @@ mod context_typed { } pub fn f() { - let x = None; // $ type=x:T.i32 + let x = None; // $ type=x@Option:i32 let x: Option = x; - let x = Option::::None; // $ type=x:T.i32 - let x = Option::None::; // $ type=x:T.i32 + let x = Option::::None; // $ type=x@Option:i32 + let x = Option::None::; // $ type=x@Option:i32 fn pin_option(opt: Option, x: T) {} - let x = None; // $ type=x:T.i32 + let x = None; // $ type=x@Option:i32 pin_option(x, 0); // $ target=pin_option enum MyEither { @@ -2663,33 +2663,33 @@ mod context_typed { B { right: T2 }, } - let x = MyEither::A { left: 0 }; // $ type=x:T1.i32 type=x:T2.String + let x = MyEither::A { left: 0 }; // $ type=x@MyEither:i32 type=x@MyEither:String let x: MyEither = x; - let x = MyEither::<_, String>::A { left: 0 }; // $ type=x:T1.i32 certainType=x:T2.String + let x = MyEither::<_, String>::A { left: 0 }; // $ type=x@MyEither:i32 certainType=x@MyEither:String #[rustfmt::skip] - let x = MyEither::B:: { // $ certainType=x:T1.i32 type=x:T2.String + let x = MyEither::B:: { // $ certainType=x@MyEither:i32 type=x@MyEither:String right: String::new(), // $ target=new }; fn pin_my_either(e: MyEither, x: T) {} #[rustfmt::skip] - let x = MyEither::B { // $ type=x:T1.i32 type=x:T2.String + let x = MyEither::B { // $ type=x@MyEither:i32 type=x@MyEither:String right: String::new(), // $ target=new }; pin_my_either(x, 0); // $ target=pin_my_either - let x = Result::Ok(0); // $ type=x:E.String + let x = Result::Ok(0); // $ type=x@Result:String let x: Result = x; - let x = Result::::Ok(0); // $ type=x:E.String - let x = Result::Ok::(0); // $ type=x:E.String + let x = Result::::Ok(0); // $ type=x@Result:String + let x = Result::Ok::(0); // $ type=x@Result:String fn pin_result(res: Result, x: E) {} - let x = Result::Ok(0); // $ type=x:T.i32 type=x:E.bool + let x = Result::Ok(0); // $ type=x@Result:i32 type=x@Result:bool pin_result(x, false); // $ target=pin_result - let mut x = Vec::new(); // $ type=x:T.i32 target=new + let mut x = Vec::new(); // $ type=x@Vec:i32 target=new x.push(0); // $ target=push let y = Default::default(); // $ type=y:i32 target=default diff --git a/rust/ql/test/library-tests/type-inference/pattern_matching.rs b/rust/ql/test/library-tests/type-inference/pattern_matching.rs index 33e6b9f09f3..bc85b0ee96f 100755 --- a/rust/ql/test/library-tests/type-inference/pattern_matching.rs +++ b/rust/ql/test/library-tests/type-inference/pattern_matching.rs @@ -37,18 +37,18 @@ pub fn f() -> Option<()> { let value3 = 42; if let ref mesg = value3 { - let mesg = mesg; // $ type=mesg:TRef.i32 + let mesg = mesg; // $ type=mesg@&:i32 println!("{mesg}"); } let value4 = Some(42); if let Some(ref mesg) = value4 { - let mesg = mesg; // $ type=mesg:TRef.i32 + let mesg = mesg; // $ type=mesg@&:i32 println!("{mesg}"); } let ref value5 = 42; - let x = value5; // $ type=x:TRef.i32 + let x = value5; // $ type=x@&:i32 let my_record_struct = MyRecordStruct { value1: 42, @@ -102,27 +102,27 @@ pub fn f() -> Option<()> { ) => { let a = value1; // $ type=a:bool let b = x; // $ type=b:i32 - let c = y; // $ type=c:TRef.str + let c = y; // $ type=c@&:str (); } _ => (), } - let opt1 = Some(Default::default()); // $ type=opt1:T.i32 target=default + let opt1 = Some(Default::default()); // $ type=opt1@Option:i32 target=default #[rustfmt::skip] let _ = if let Some::(x) = opt1 { x; // $ type=x:i32 }; - let opt2 = Some(Default::default()); // $ type=opt2:T.i32 target=default + let opt2 = Some(Default::default()); // $ type=opt2@Option:i32 target=default #[rustfmt::skip] let _ = if let Option::Some::(x) = opt2 { x; // $ type=x:i32 }; - let opt3 = Some(Default::default()); // $ type=opt3:T.i32 target=default + let opt3 = Some(Default::default()); // $ type=opt3@Option:i32 target=default #[rustfmt::skip] let _ = if let Option::::Some(x) = opt3 { @@ -197,7 +197,7 @@ pub fn literal_patterns() { let string_val = "hello"; match string_val { "hello" => { - let hello_match = string_val; // $ certainType=hello_match:TRef.str + let hello_match = string_val; // $ certainType=hello_match@&:str println!("String literal: {}", hello_match); } _ => {} @@ -230,7 +230,7 @@ pub fn identifier_patterns() { // IdentPat with ref match &value { ref x => { - let ref_bound = x; // $ type=ref_bound:TRef.TRef.i32 + let ref_bound = x; // $ type=ref_bound@&.&:i32 println!("Reference identifier: {:?}", ref_bound); } } @@ -269,7 +269,7 @@ pub fn identifier_patterns() { let mut ref_mut_val = 5i32; match &mut ref_mut_val { ref mut x => { - let ref_mut_bound = x; // $ type=ref_mut_bound:TRefMut.TRefMut.i32 + let ref_mut_bound = x; // $ type=ref_mut_bound@&mut.&mut:i32 **ref_mut_bound += 1; // $ target=deref target=add_assign println!("Ref mut pattern"); } @@ -341,14 +341,14 @@ pub fn reference_patterns() { match &mut mutable_value { &mut ref x => { - let mut_ref_bound = x; // $ type=mut_ref_bound:TRef.i32 + let mut_ref_bound = x; // $ type=mut_ref_bound@&:i32 println!("Mutable ref pattern: {}", mut_ref_bound); } } match &value { ref x => { - let ref_pattern = x; // $ type=ref_pattern:TRef.TRef.i32 + let ref_pattern = x; // $ type=ref_pattern@&.&:i32 println!("Reference pattern: {}", ref_pattern); } } @@ -525,7 +525,7 @@ pub fn slice_patterns() { // SlicePat - Slice patterns match slice { [] => { - let empty_slice = slice; // $ certainType=empty_slice:TRef.TSlice.i32 + let empty_slice = slice; // $ certainType=empty_slice@&.[]:i32 println!("Empty slice: {:?}", empty_slice); } [x] => { @@ -540,7 +540,7 @@ pub fn slice_patterns() { [first, middle @ .., last] => { let slice_start = *first; // $ MISSING: type=slice_start:i32 let slice_end = *last; // $ MISSING: type=slice_end:i32 - let slice_middle = middle; // $ MISSING: type=slice_middle:TRef.TSlice.i32 + let slice_middle = middle; // $ MISSING: type=slice_middle@&.[]:i32 println!( "First: {}, last: {}, middle len: {}", slice_start, @@ -717,7 +717,7 @@ pub fn complex_nested_patterns() { } // Catch-all with identifier pattern other => { - let other_complex = other; // $ type=other_complex:T0.Point type=other_complex:T1.MyOption + let other_complex = other; // $ type=other_complex@(T_2):Point type=other_complex@(T_2):MyOption println!("Other complex data: {:?}", other_complex); } } @@ -750,7 +750,7 @@ pub fn patterns_in_let_statements() { // Let with reference pattern let value = 42i32; let ref ref_val = value; - let let_ref = ref_val; // $ certainType=let_ref:TRef.i32 + let let_ref = ref_val; // $ certainType=let_ref@&:i32 // Let with mutable pattern let mut mut_val = 10i32; @@ -779,13 +779,13 @@ pub fn patterns_in_function_parameters() { // Call the functions to use them let point = Point { x: 5, y: 10 }; - let extracted = extract_point(point); // $ target=extract_point certainType=extracted:T0.i32 certainType=extracted:T1.i32 + let extracted = extract_point(point); // $ target=extract_point certainType=extracted@(T_2):i32 certainType=extracted@(T_2):i32 let color = Color(200, 100, 50); let red = extract_color(color); // $ target=extract_color certainType=red:u8 let tuple = (42i32, 3.14f64, true); - let tuple_extracted = extract_tuple(tuple); // $ target=extract_tuple certainType=tuple_extracted:T0.i32 certainType=tuple_extracted:T1.bool + let tuple_extracted = extract_tuple(tuple); // $ target=extract_tuple certainType=tuple_extracted@(T_2):i32 certainType=tuple_extracted@(T_2):bool } #[rustfmt::skip] diff --git a/rust/ql/test/library-tests/type-inference/raw_pointer.rs b/rust/ql/test/library-tests/type-inference/raw_pointer.rs index bf4537f30ce..065396b35f5 100644 --- a/rust/ql/test/library-tests/type-inference/raw_pointer.rs +++ b/rust/ql/test/library-tests/type-inference/raw_pointer.rs @@ -12,7 +12,7 @@ fn raw_pointer_mut_deref(x: *mut bool) -> i32 { fn raw_const_borrow() { let a: i64 = 10; - let x = &raw const a; // $ type=x:TPtrConst.i64 + let x = &raw const a; // $ type=x@*const:i64 unsafe { let _y = *x; // $ type=_y:i64 } @@ -20,7 +20,7 @@ fn raw_const_borrow() { fn raw_mut_borrow() { let mut a = 10i32; - let x = &raw mut a; // $ type=x:TPtrMut.i32 + let x = &raw mut a; // $ type=x@*mut:i32 unsafe { let _y = *x; // $ type=_y:i32 } @@ -29,7 +29,7 @@ fn raw_mut_borrow() { fn raw_mut_write(cond: bool) { let a = 10i32; // The type of `ptr_written` must be inferred from the write below. - let ptr_written = null_mut(); // $ target=null_mut type=ptr_written:TPtrMut.i32 + let ptr_written = null_mut(); // $ target=null_mut type=ptr_written@*mut:i32 if cond { unsafe { // NOTE: This write is undefined behavior because `ptr_written` is a null pointer. @@ -41,7 +41,7 @@ fn raw_mut_write(cond: bool) { fn raw_type_from_deref(cond: bool) { // The type of `ptr_read` must be inferred from the read below. - let ptr_read = null_mut(); // $ target=null_mut type=ptr_read:TPtrMut.i64 + let ptr_read = null_mut(); // $ target=null_mut type=ptr_read@*mut:i64 if cond { unsafe { // NOTE: This read is undefined behavior because `ptr_read` is a null pointer. diff --git a/rust/ql/test/library-tests/type-inference/regressions.rs b/rust/ql/test/library-tests/type-inference/regressions.rs index 465475475bf..d854f55a1ad 100644 --- a/rust/ql/test/library-tests/type-inference/regressions.rs +++ b/rust/ql/test/library-tests/type-inference/regressions.rs @@ -149,7 +149,7 @@ mod regression5 { fn foo() -> S2 { let x = S1.into(); // $ target=into - x // $ type=x:T2.S1 + x // $ type=x@S2:S1 } } @@ -176,6 +176,6 @@ mod regression6 { } fn foo() { - let x = S(0) + S(1); // $ target=add1 $ SPURIOUS: target=add2 type=x:T.T.i32 + let x = S(0) + S(1); // $ target=add1 $ SPURIOUS: target=add2 type=x@S.S:i32 } } diff --git a/rust/ql/test/library-tests/type-inference/type-inference.ql b/rust/ql/test/library-tests/type-inference/type-inference.ql index c4653f557ac..fa07dd4471e 100644 --- a/rust/ql/test/library-tests/type-inference/type-inference.ql +++ b/rust/ql/test/library-tests/type-inference/type-inference.ql @@ -67,7 +67,7 @@ module TypeTest implements TestSig { predicate hasActualResult(Location location, string element, string tag, string value) { none() } predicate hasOptionalResult(Location location, string element, string tag, string value) { - exists(AstNode n, TypePath path, Type t | + exists(AstNode n, TypePath path, Type t, string at | t = TypeInference::inferType(n, path) and ( tag = "type" @@ -76,11 +76,8 @@ module TypeTest implements TestSig { tag = "certainType" ) and location = n.getLocation() and - ( - if path.isEmpty() - then value = element + ":" + t - else value = element + ":" + path.toString() + "." + t.toString() - ) and + (if path.isEmpty() then at = "" else at = "@" + TypePath::printTypePathVerbose(path)) and + value = element + at + ":" + t.toString() and element = [n.toString(), n.(IdentPat).getName().getText()] ) } diff --git a/shared/typeinference/codeql/typeinference/internal/TypeInference.qll b/shared/typeinference/codeql/typeinference/internal/TypeInference.qll index 1f4400d8f2d..cf82d77b5e1 100644 --- a/shared/typeinference/codeql/typeinference/internal/TypeInference.qll +++ b/shared/typeinference/codeql/typeinference/internal/TypeInference.qll @@ -275,7 +275,34 @@ module Make1 Input1> { class TypePath = UnboundList; /** Provides predicates for constructing `TypePath`s. */ - module TypePath = UnboundList; + module TypePath { + import UnboundList + + private string printTypeParameterVerbose(TypeParameter tp) { + exists(Type t | + t.getATypeParameter() = tp and + result = t.toString() + "<" + tp.toString() + ">" + ) + } + + /** + * Gets a verbose textual representation of `path`, which includes the names + * of the types that the type parameters belong to. + * + * For example, the verbose textual representation of the path `"T1.T2"` is + * `"S1.S2"`, provided that `T1` is a type parameter of `S1` and `T2` + * is a type parameter of `S2`. + */ + bindingset[path] + string printTypePathVerbose(TypePath path) { + result = + concat(int i, TypeParameter e | + e = path.getElement(i) + | + printTypeParameterVerbose(e), "." order by i + ) + } + } /** * A class that has a type tree associated with it. From 80d5e27b46885021323addc53026bbedcd913b30 Mon Sep 17 00:00:00 2001 From: Anders Schack-Mulligen Date: Tue, 28 Apr 2026 11:03:03 +0200 Subject: [PATCH 23/46] C#: Deprecate Ssa::ImplicitEntryDefinition. --- csharp/ql/lib/semmle/code/csharp/dataflow/SSA.qll | 4 +++- .../semmle/code/csharp/dataflow/internal/DataFlowPrivate.qll | 5 +---- 2 files changed, 4 insertions(+), 5 deletions(-) diff --git a/csharp/ql/lib/semmle/code/csharp/dataflow/SSA.qll b/csharp/ql/lib/semmle/code/csharp/dataflow/SSA.qll index d29ace056b9..edc7e6a6a89 100644 --- a/csharp/ql/lib/semmle/code/csharp/dataflow/SSA.qll +++ b/csharp/ql/lib/semmle/code/csharp/dataflow/SSA.qll @@ -529,11 +529,13 @@ module Ssa { } /** + * DEPRECATED: Use `SsaParameterInit` or `SsaImplicitEntryDefinition` instead. + * * An SSA definition representing the implicit initialization of a variable * at the beginning of a callable. Either a local scope variable captured by * the callable or a field or property accessed inside the callable. */ - class ImplicitEntryDefinition extends ImplicitDefinition { + deprecated class ImplicitEntryDefinition extends ImplicitDefinition { ImplicitEntryDefinition() { exists(BasicBlock bb, SourceVariable v | this.definesAt(v, bb, -1) and diff --git a/csharp/ql/lib/semmle/code/csharp/dataflow/internal/DataFlowPrivate.qll b/csharp/ql/lib/semmle/code/csharp/dataflow/internal/DataFlowPrivate.qll index f581628a79c..7b1d35c6e5a 100644 --- a/csharp/ql/lib/semmle/code/csharp/dataflow/internal/DataFlowPrivate.qll +++ b/csharp/ql/lib/semmle/code/csharp/dataflow/internal/DataFlowPrivate.qll @@ -1430,7 +1430,7 @@ private module ParameterNodes { } /** An implicit entry definition for a captured variable. */ - class SsaCapturedEntryDefinition extends Ssa::ImplicitEntryDefinition { + deprecated class SsaCapturedEntryDefinition extends Ssa::ImplicitEntryDefinition { private LocalScopeVariable v; SsaCapturedEntryDefinition() { this.getSourceVariable().getAssignable() = v } @@ -2011,9 +2011,6 @@ private class FieldOrPropertyRead extends FieldOrPropertyAccess, AssignableRead exists(SsaDefinition def, Ssa::ImplicitDefinition idef | def.getARead() = this and idef = def.getAnUltimateDefinition() - | - idef instanceof Ssa::ImplicitEntryDefinition or - idef instanceof Ssa::ImplicitCallDefinition ) } } From de96b5acfd8910ec6e4970f5c3bad0362d01f3c4 Mon Sep 17 00:00:00 2001 From: Anders Schack-Mulligen Date: Tue, 28 Apr 2026 11:15:13 +0200 Subject: [PATCH 24/46] C#: Deprecate Ssa::ImplicitDefinition. --- csharp/ql/lib/semmle/code/csharp/dataflow/SSA.qll | 8 +++++--- .../code/csharp/dataflow/internal/DataFlowPrivate.qll | 4 ++-- .../internal/rangeanalysis/SignAnalysisSpecific.qll | 4 ++-- 3 files changed, 9 insertions(+), 7 deletions(-) diff --git a/csharp/ql/lib/semmle/code/csharp/dataflow/SSA.qll b/csharp/ql/lib/semmle/code/csharp/dataflow/SSA.qll index edc7e6a6a89..be265188e5d 100644 --- a/csharp/ql/lib/semmle/code/csharp/dataflow/SSA.qll +++ b/csharp/ql/lib/semmle/code/csharp/dataflow/SSA.qll @@ -509,13 +509,15 @@ module Ssa { } /** + * DEPRECATED: Use `SsaParameterInit` or `SsaImplicitWrite` instead. + * * An SSA definition that does not correspond to an explicit variable definition. * Either an implicit initialization of a variable at the beginning of a callable * (`ImplicitEntryDefinition`), an implicit definition via a call * (`ImplicitCallDefinition`), or an implicit definition where the qualifier is * updated (`ImplicitQualifierDefinition`). */ - class ImplicitDefinition extends Definition, SsaImpl::WriteDefinition { + deprecated class ImplicitDefinition extends Definition, SsaImpl::WriteDefinition { ImplicitDefinition() { exists(BasicBlock bb, SourceVariable v, int i | this.definesAt(v, bb, i) | SsaImpl::implicitEntryDefinition(bb, v) and @@ -596,7 +598,7 @@ module Ssa { * An SSA definition representing the potential definition of a variable * via a call. */ - class ImplicitCallDefinition extends ImplicitDefinition { + class ImplicitCallDefinition extends SsaImplicitWrite { private Call c; ImplicitCallDefinition() { @@ -629,7 +631,7 @@ module Ssa { * An SSA definition representing the potential definition of a variable * via an SSA definition for the qualifier. */ - class ImplicitQualifierDefinition extends ImplicitDefinition, SsaImpl::WriteDefinition { + class ImplicitQualifierDefinition extends SsaImplicitWrite { private Definition q; ImplicitQualifierDefinition() { diff --git a/csharp/ql/lib/semmle/code/csharp/dataflow/internal/DataFlowPrivate.qll b/csharp/ql/lib/semmle/code/csharp/dataflow/internal/DataFlowPrivate.qll index 7b1d35c6e5a..ccf65ddb37c 100644 --- a/csharp/ql/lib/semmle/code/csharp/dataflow/internal/DataFlowPrivate.qll +++ b/csharp/ql/lib/semmle/code/csharp/dataflow/internal/DataFlowPrivate.qll @@ -2008,9 +2008,9 @@ private class FieldOrPropertyRead extends FieldOrPropertyAccess, AssignableRead * SSA updates. */ predicate hasNonlocalValue() { - exists(SsaDefinition def, Ssa::ImplicitDefinition idef | + exists(SsaDefinition def | def.getARead() = this and - idef = def.getAnUltimateDefinition() + def.getAnUltimateDefinition() instanceof SsaImplicitWrite ) } } diff --git a/csharp/ql/lib/semmle/code/csharp/dataflow/internal/rangeanalysis/SignAnalysisSpecific.qll b/csharp/ql/lib/semmle/code/csharp/dataflow/internal/rangeanalysis/SignAnalysisSpecific.qll index 77e30d239fd..48ed00858a0 100644 --- a/csharp/ql/lib/semmle/code/csharp/dataflow/internal/rangeanalysis/SignAnalysisSpecific.qll +++ b/csharp/ql/lib/semmle/code/csharp/dataflow/internal/rangeanalysis/SignAnalysisSpecific.qll @@ -144,12 +144,12 @@ private module Impl { } /** Gets the variable underlying the implicit SSA variable `def`. */ - Declaration getImplicitSsaDeclaration(Ssa::ImplicitDefinition def) { + Declaration getImplicitSsaDeclaration(SsaImplicitWrite def) { result = def.getSourceVariable().getAssignable() } /** Holds if the variable underlying the implicit SSA variable `def` is not a field. */ - predicate nonFieldImplicitSsaDefinition(Ssa::ImplicitDefinition def) { + predicate nonFieldImplicitSsaDefinition(SsaImplicitWrite def) { not getImplicitSsaDeclaration(def) instanceof Field } From 55b83ca22aa04480b0bc901f1bbe9b99a9b47db1 Mon Sep 17 00:00:00 2001 From: Anders Schack-Mulligen Date: Tue, 28 Apr 2026 11:20:54 +0200 Subject: [PATCH 25/46] C#: Deprecate Ssa::Definition in favour of SsaDefinition. --- csharp/ql/lib/semmle/code/csharp/dataflow/SSA.qll | 10 ++++++---- 1 file changed, 6 insertions(+), 4 deletions(-) diff --git a/csharp/ql/lib/semmle/code/csharp/dataflow/SSA.qll b/csharp/ql/lib/semmle/code/csharp/dataflow/SSA.qll index be265188e5d..4a7f774af07 100644 --- a/csharp/ql/lib/semmle/code/csharp/dataflow/SSA.qll +++ b/csharp/ql/lib/semmle/code/csharp/dataflow/SSA.qll @@ -74,7 +74,7 @@ module Ssa { * Gets an SSA definition that has this variable as its underlying * source variable. */ - Definition getAnSsaDefinition() { result.getSourceVariable() = this } + SsaDefinition getAnSsaDefinition() { result.getSourceVariable() = this } } /** Provides different types of `SourceVariable`s. */ @@ -193,11 +193,13 @@ module Ssa { predicate isLiveOutRefParameterDefinition = SsaImpl::isLiveOutRefParameterDefinition/2; /** + * DEPRECATED: Use `SsaDefinition` instead. + * * A static single assignment (SSA) definition. Either an explicit variable * definition (`ExplicitDefinition`), an implicit variable definition * (`ImplicitDefinition`), or a phi node (`PhiNode`). */ - class Definition extends SsaImpl::Definition { + deprecated class Definition extends SsaImpl::Definition { /** Gets the control flow node of this SSA definition. */ final ControlFlowNode getControlFlowNode() { exists(BasicBlock bb, int i | this.definesAt(_, bb, i) | result = bb.getNode(0.maximum(i))) @@ -632,7 +634,7 @@ module Ssa { * via an SSA definition for the qualifier. */ class ImplicitQualifierDefinition extends SsaImplicitWrite { - private Definition q; + private SsaDefinition q; ImplicitQualifierDefinition() { exists(BasicBlock bb, int i, SourceVariables::QualifiedFieldOrPropSourceVariable v | @@ -644,7 +646,7 @@ module Ssa { } /** Gets the SSA definition for the qualifier. */ - final Definition getQualifierDefinition() { result = q } + final SsaDefinition getQualifierDefinition() { result = q } override string toString() { result = "SSA qualifier def(" + this.getSourceVariable() + ")" } } From bedadc9f04f388e6c13ef9c2a3f2584dc42a46cc Mon Sep 17 00:00:00 2001 From: Anders Schack-Mulligen Date: Tue, 28 Apr 2026 13:35:14 +0200 Subject: [PATCH 26/46] C#: Deprecate some SSA internals. --- .../code/csharp/dataflow/internal/SsaImpl.qll | 16 ++++++++-------- 1 file changed, 8 insertions(+), 8 deletions(-) diff --git a/csharp/ql/lib/semmle/code/csharp/dataflow/internal/SsaImpl.qll b/csharp/ql/lib/semmle/code/csharp/dataflow/internal/SsaImpl.qll index a610fd4bcd4..6db089928e0 100644 --- a/csharp/ql/lib/semmle/code/csharp/dataflow/internal/SsaImpl.qll +++ b/csharp/ql/lib/semmle/code/csharp/dataflow/internal/SsaImpl.qll @@ -78,11 +78,11 @@ module Ssa_ = Impl::MakeSsa; class Definition = Impl::Definition; -class WriteDefinition = Impl::WriteDefinition; +deprecated class WriteDefinition = Impl::WriteDefinition; -class UncertainWriteDefinition = Impl::UncertainWriteDefinition; +deprecated class UncertainWriteDefinition = Impl::UncertainWriteDefinition; -class PhiNode = Impl::PhiNode; +deprecated class PhiNode = Impl::PhiNode; module Consistency = Impl::Consistency; @@ -868,7 +868,7 @@ private module Cached { } cached - predicate isLiveAtEndOfBlock(Definition def, BasicBlock bb) { + deprecated predicate isLiveAtEndOfBlock(Definition def, BasicBlock bb) { Impl::ssaDefReachesEndOfBlock(bb, def, _) } @@ -878,7 +878,7 @@ private module Cached { } cached - AssignableRead getAReadAtNode(Definition def, ControlFlowNode cfn) { + deprecated AssignableRead getAReadAtNode(Definition def, ControlFlowNode cfn) { exists(Ssa::SourceVariable v, BasicBlock bb, int i | Impl::ssaDefReachesRead(v, def, bb, i) and variableReadActual(bb, i, v) and @@ -1012,9 +1012,9 @@ private module DataFlowIntegrationInput implements Impl::DataFlowIntegrationInpu predicate hasCfgNode(BasicBlock bb, int i) { this = bb.getNode(i) } } - Expr getARead(Definition def) { exists(getAReadAtNode(def, result)) } + Expr getARead(Definition def) { def.(SsaDefinition).getARead().getControlFlowNode() = result } - predicate ssaDefHasSource(WriteDefinition def) { + predicate ssaDefHasSource(Impl::WriteDefinition def) { // exclude flow directly from RHS to SSA definition, as we instead want to // go from RHS to matching assignable definition, and from there to SSA definition def instanceof SsaParameterInit @@ -1024,7 +1024,7 @@ private module DataFlowIntegrationInput implements Impl::DataFlowIntegrationInpu * Allows for flow into uncertain defintions that are not call definitions, * as we, conservatively, consider such definitions to be certain. */ - predicate allowFlowIntoUncertainDef(UncertainWriteDefinition def) { + predicate allowFlowIntoUncertainDef(Impl::UncertainWriteDefinition def) { def instanceof SsaExplicitWrite or def = From e0421dbf536230046c5ac20e502df469d47630f4 Mon Sep 17 00:00:00 2001 From: Anders Schack-Mulligen Date: Tue, 28 Apr 2026 13:38:14 +0200 Subject: [PATCH 27/46] C#: Reinstate toString for SSA data flow nodes. --- csharp/ql/lib/semmle/code/csharp/dataflow/SSA.qll | 14 -------------- .../code/csharp/dataflow/internal/SsaImpl.qll | 4 ++++ shared/ssa/codeql/ssa/Ssa.qll | 4 +++- 3 files changed, 7 insertions(+), 15 deletions(-) diff --git a/csharp/ql/lib/semmle/code/csharp/dataflow/SSA.qll b/csharp/ql/lib/semmle/code/csharp/dataflow/SSA.qll index 4a7f774af07..c251a30b351 100644 --- a/csharp/ql/lib/semmle/code/csharp/dataflow/SSA.qll +++ b/csharp/ql/lib/semmle/code/csharp/dataflow/SSA.qll @@ -506,8 +506,6 @@ module Ssa { } override Element getElement() { result = ad.getElement() } - - override string toString() { result = "SSA def(" + this.getSourceVariable() + ")" } } /** @@ -551,12 +549,6 @@ module Ssa { final Callable getCallable() { result = this.getBasicBlock().getEnclosingCallable() } override Element getElement() { result = this.getCallable() } - - override string toString() { - if this.getSourceVariable().getAssignable() instanceof LocalScopeVariable - then result = "SSA capture def(" + this.getSourceVariable() + ")" - else result = "SSA entry def(" + this.getSourceVariable() + ")" - } } /** @@ -590,10 +582,6 @@ module Ssa { /** Gets the parameter that this entry definition represents. */ Parameter getParameter() { result = p } - - override string toString() { - result = "SSA param_default(" + pragma[only_bind_out](this.getParameter()) + ")" - } } /** @@ -687,8 +675,6 @@ module Ssa { predicate hasInputFromBlock(Definition inp, BasicBlock bb) { inp = SsaImpl::phiHasInputFromBlock(this, bb) } - - override string toString() { result = "SSA phi(" + this.getSourceVariable() + ")" } } /** diff --git a/csharp/ql/lib/semmle/code/csharp/dataflow/internal/SsaImpl.qll b/csharp/ql/lib/semmle/code/csharp/dataflow/internal/SsaImpl.qll index 6db089928e0..218b8c97717 100644 --- a/csharp/ql/lib/semmle/code/csharp/dataflow/internal/SsaImpl.qll +++ b/csharp/ql/lib/semmle/code/csharp/dataflow/internal/SsaImpl.qll @@ -78,6 +78,10 @@ module Ssa_ = Impl::MakeSsa; class Definition = Impl::Definition; +private class SsaDefinitionToStringProxy extends Definition { + override string toString() { result = this.(SsaDefinition).toString() } +} + deprecated class WriteDefinition = Impl::WriteDefinition; deprecated class UncertainWriteDefinition = Impl::UncertainWriteDefinition; diff --git a/shared/ssa/codeql/ssa/Ssa.qll b/shared/ssa/codeql/ssa/Ssa.qll index 8d6b960b283..861f797ed6d 100644 --- a/shared/ssa/codeql/ssa/Ssa.qll +++ b/shared/ssa/codeql/ssa/Ssa.qll @@ -1054,7 +1054,7 @@ module Make< /** A static single assignment (SSA) definition. */ class SsaDefinition extends FinalDefinition { /** Gets a textual representation of this SSA definition. */ - string toString() { result = super.toString() } + string toString() { result = "SSA def(" + this.getSourceVariable() + ")" } /** * Gets the control flow node of this SSA definition. @@ -1207,6 +1207,8 @@ module Make< * a phi definition for `x` is inserted just before the call `puts x`. */ class SsaPhiDefinition extends SsaDefinition instanceof PhiNode { + override string toString() { result = "SSA phi(" + this.getSourceVariable() + ")" } + /** Holds if `inp` is an input to this phi definition along the edge originating in `bb`. */ predicate hasInputFromBlock(SsaDefinition inp, BasicBlock bb) { phiHasInputFromBlockCached(this, inp, bb) From 77807c83f84c531946a5d219b7a7480e43231c05 Mon Sep 17 00:00:00 2001 From: Anders Schack-Mulligen Date: Tue, 28 Apr 2026 14:46:43 +0200 Subject: [PATCH 28/46] C#: Exclude entry definitions from qualifier definitions. --- csharp/ql/lib/semmle/code/csharp/dataflow/SSA.qll | 1 + 1 file changed, 1 insertion(+) diff --git a/csharp/ql/lib/semmle/code/csharp/dataflow/SSA.qll b/csharp/ql/lib/semmle/code/csharp/dataflow/SSA.qll index c251a30b351..23e1ee0afda 100644 --- a/csharp/ql/lib/semmle/code/csharp/dataflow/SSA.qll +++ b/csharp/ql/lib/semmle/code/csharp/dataflow/SSA.qll @@ -625,6 +625,7 @@ module Ssa { private SsaDefinition q; ImplicitQualifierDefinition() { + not this instanceof SsaImplicitEntryDefinition and exists(BasicBlock bb, int i, SourceVariables::QualifiedFieldOrPropSourceVariable v | this.definesAt(v, bb, i) | From ff8ab191d13d73919cbeafdc7e3561d6970a4a64 Mon Sep 17 00:00:00 2001 From: Anders Schack-Mulligen Date: Tue, 28 Apr 2026 15:06:59 +0200 Subject: [PATCH 29/46] C#: Drop caching for deprecated predicates. --- .../code/csharp/dataflow/internal/SsaImpl.qll | 80 +++++++++---------- 1 file changed, 37 insertions(+), 43 deletions(-) diff --git a/csharp/ql/lib/semmle/code/csharp/dataflow/internal/SsaImpl.qll b/csharp/ql/lib/semmle/code/csharp/dataflow/internal/SsaImpl.qll index 218b8c97717..0f08e6d66dd 100644 --- a/csharp/ql/lib/semmle/code/csharp/dataflow/internal/SsaImpl.qll +++ b/csharp/ql/lib/semmle/code/csharp/dataflow/internal/SsaImpl.qll @@ -828,14 +828,6 @@ private module Cached { ) } - cached - deprecated AssignableDefinition getADefinition(Ssa::ExplicitDefinition def) { - exists(Ssa::SourceVariable v, AssignableDefinition ad | explicitDefinition(def, v, ad) | - result = ad or - result = getASameOutRefDefAfter(v, ad) - ) - } - /** * Holds if `call` may change the value of field or property `fp`. The actual * update occurs in `setter`. @@ -861,36 +853,6 @@ private module Cached { not updatesNamedFieldOrProp(bb, i, _, v, _) } - cached - deprecated predicate explicitDefinition( - WriteDefinition def, Ssa::SourceVariable v, AssignableDefinition ad - ) { - exists(BasicBlock bb, int i | - def.definesAt(v, bb, i) and - variableDefinition(bb, i, v, ad) - ) - } - - cached - deprecated predicate isLiveAtEndOfBlock(Definition def, BasicBlock bb) { - Impl::ssaDefReachesEndOfBlock(bb, def, _) - } - - cached - deprecated Definition phiHasInputFromBlock(Ssa::PhiNode phi, BasicBlock bb) { - Impl::phiHasInputFromBlock(phi, result, bb) - } - - cached - deprecated AssignableRead getAReadAtNode(Definition def, ControlFlowNode cfn) { - exists(Ssa::SourceVariable v, BasicBlock bb, int i | - Impl::ssaDefReachesRead(v, def, bb, i) and - variableReadActual(bb, i, v) and - cfn = bb.getNode(i) and - result.getControlFlowNode() = cfn - ) - } - /** * Holds if the value defined at SSA definition `def` can reach a read at `cfn`, * without passing through any other read. @@ -915,11 +877,6 @@ private module Cached { ) } - cached - deprecated Definition uncertainWriteDefinitionInput(UncertainWriteDefinition def) { - Impl::uncertainWriteDefinitionInput(def, result) - } - /** * Holds if the SSA definition `def` assigns to `out`/`ref` parameter `p`, and the * parameter may remain unchanged throughout the rest of the enclosing callable. @@ -1009,6 +966,43 @@ private module Cached { import Cached +deprecated AssignableDefinition getADefinition(Ssa::ExplicitDefinition def) { + exists(Ssa::SourceVariable v, AssignableDefinition ad | explicitDefinition(def, v, ad) | + result = ad or + result = getASameOutRefDefAfter(v, ad) + ) +} + +deprecated predicate explicitDefinition( + WriteDefinition def, Ssa::SourceVariable v, AssignableDefinition ad +) { + exists(BasicBlock bb, int i | + def.definesAt(v, bb, i) and + variableDefinition(bb, i, v, ad) + ) +} + +deprecated predicate isLiveAtEndOfBlock(Definition def, BasicBlock bb) { + Impl::ssaDefReachesEndOfBlock(bb, def, _) +} + +deprecated Definition phiHasInputFromBlock(Ssa::PhiNode phi, BasicBlock bb) { + Impl::phiHasInputFromBlock(phi, result, bb) +} + +deprecated AssignableRead getAReadAtNode(Definition def, ControlFlowNode cfn) { + exists(Ssa::SourceVariable v, BasicBlock bb, int i | + Impl::ssaDefReachesRead(v, def, bb, i) and + variableReadActual(bb, i, v) and + cfn = bb.getNode(i) and + result.getControlFlowNode() = cfn + ) +} + +deprecated Definition uncertainWriteDefinitionInput(UncertainWriteDefinition def) { + Impl::uncertainWriteDefinitionInput(def, result) +} + private module DataFlowIntegrationInput implements Impl::DataFlowIntegrationInputSig { private import codeql.util.Boolean From a291548fd8070934135754ec3939a79e5fe5b0ee Mon Sep 17 00:00:00 2001 From: Tom Hvitved Date: Thu, 30 Apr 2026 14:31:24 +0200 Subject: [PATCH 30/46] Update rust/ql/test/library-tests/type-inference/main.rs Co-authored-by: Copilot <175728472+Copilot@users.noreply.github.com> --- rust/ql/test/library-tests/type-inference/main.rs | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/rust/ql/test/library-tests/type-inference/main.rs b/rust/ql/test/library-tests/type-inference/main.rs index 78d6ef3a2ed..ddba6c53da8 100644 --- a/rust/ql/test/library-tests/type-inference/main.rs +++ b/rust/ql/test/library-tests/type-inference/main.rs @@ -2339,7 +2339,7 @@ mod loops { vals7.push(1u8); // $ target=push for u in vals7 {} // $ type=u:u8 - let matrix1 = vec![vec![1, 2], vec![3, 4]]; // $ type=matrix1:Vec $ MISSING: type=matrix1@T:Vec type=matrix1@Vec.Vec:i32 + let matrix1 = vec![vec![1, 2], vec![3, 4]]; // $ type=matrix1:Vec $ MISSING: type=matrix1@Vec:Vec type=matrix1@Vec.Vec:i32 #[rustfmt::skip] let _ = for row in matrix1 { // $ MISSING: type=row:Vec type=row@Vec:i32 for cell in row { // $ MISSING: type=cell:i32 From 4fd02220c783468ead2c2bc110c172a7d19f506f Mon Sep 17 00:00:00 2001 From: Kristen Newbury Date: Thu, 30 Apr 2026 10:50:06 -0400 Subject: [PATCH 31/46] Update help files CWE-829/UntrustedCheckoutX --- .../CWE-829/UntrustedCheckoutCritical.md | 32 ++++++++++++++++++- .../Security/CWE-829/UntrustedCheckoutHigh.md | 32 ++++++++++++++++++- .../CWE-829/UntrustedCheckoutMedium.md | 32 ++++++++++++++++++- 3 files changed, 93 insertions(+), 3 deletions(-) diff --git a/actions/ql/src/Security/CWE-829/UntrustedCheckoutCritical.md b/actions/ql/src/Security/CWE-829/UntrustedCheckoutCritical.md index a4fceb1f8da..a6dd437c1ba 100644 --- a/actions/ql/src/Security/CWE-829/UntrustedCheckoutCritical.md +++ b/actions/ql/src/Security/CWE-829/UntrustedCheckoutCritical.md @@ -1,6 +1,35 @@ ## Overview -GitHub workflows can be triggered through various repository events, including incoming pull requests (PRs) or comments on Issues/PRs. A dangerous misuse of event triggers such as `pull_request_target` or `issue_comment` followed by an explicit checkout of untrusted input from the PR may lead to repository compromise if untrusted code gets executed in a privileged job. Untrusted code may get executed due to a modified build script, workflow injection, or registry hijacking. **Carefully review** whether least privileges is used and whether input is taken from untrusted sources. +GitHub workflows can be triggered through various repository events, including incoming pull requests (PRs) or comments on Issues/PRs. Under certain conditions described below, attackers can take over a repository by opening malicious PRs from forks. The attacks can result in malicious code execution causing unauthorized changes to the repository or exfiltration of repository secrets and a compromise of connected systems. + +## Workflow Security Model + +In GitHub Actions, there is a distinction between unprivileged and privileged workflows. For example, a workflow with a `pull_request` trigger is unprivileged while a workflow with `pull_request_target` is privileged. + +This is relevant especially for PRs from forks. Normal PRs can only be submitted by people who have write access to a repository, while PRs from forks can be submitted by anyone. + +On a PR from a fork, an unprivileged `pull_request` workflow has only limited capabilities but a privileged `pull_request_target` workflow is much more dangerous. A privileged workflow: + + * Runs in the context of the base repository + * Has access to organization and repository secrets (e.g., API keys, deployment tokens) + * Has a read/write `GITHUB_TOKEN` by default + * Can access private resources + +Certain triggers automatically grant a workflow elevated privileges: + + * `pull_request_target` as described above + * `workflow_run`: Triggered when another workflow completes. + * `issue_comment`: Triggered when a comment is made on an issue or PR. + +## Attack Details + + * A repository has a privileged workflow + * An attacker forks the repository and adds malicious code (e.g., in the build script) + * The attacker opens a PR from the fork, and, if needed, comments on the PR + * The workflow in the base repository checks out the forked code + * The workflow runs, (e.g. the build script etc.), which contains the malicious code + +Please note that not only build scripts can be malicious code vectors. There is a large number of other possibilities. Some of them are listed in the [LOTP](https://boostsecurityio.github.io/lotp/) catalog. ## Recommendation @@ -133,4 +162,5 @@ jobs: ## References - GitHub Security Lab Research: [Keeping your GitHub Actions and workflows secure Part 1: Preventing pwn requests](https://securitylab.github.com/research/github-actions-preventing-pwn-requests/). +- Mitigating risks of untrusted checkout: [GitHub Docs](https://docs.github.com/en/enterprise-cloud@latest/actions/reference/security/secure-use#mitigating-the-risks-of-untrusted-code-checkout). - Living Off the Pipeline: [LOTP](https://boostsecurityio.github.io/lotp/). diff --git a/actions/ql/src/Security/CWE-829/UntrustedCheckoutHigh.md b/actions/ql/src/Security/CWE-829/UntrustedCheckoutHigh.md index a4fceb1f8da..a6dd437c1ba 100644 --- a/actions/ql/src/Security/CWE-829/UntrustedCheckoutHigh.md +++ b/actions/ql/src/Security/CWE-829/UntrustedCheckoutHigh.md @@ -1,6 +1,35 @@ ## Overview -GitHub workflows can be triggered through various repository events, including incoming pull requests (PRs) or comments on Issues/PRs. A dangerous misuse of event triggers such as `pull_request_target` or `issue_comment` followed by an explicit checkout of untrusted input from the PR may lead to repository compromise if untrusted code gets executed in a privileged job. Untrusted code may get executed due to a modified build script, workflow injection, or registry hijacking. **Carefully review** whether least privileges is used and whether input is taken from untrusted sources. +GitHub workflows can be triggered through various repository events, including incoming pull requests (PRs) or comments on Issues/PRs. Under certain conditions described below, attackers can take over a repository by opening malicious PRs from forks. The attacks can result in malicious code execution causing unauthorized changes to the repository or exfiltration of repository secrets and a compromise of connected systems. + +## Workflow Security Model + +In GitHub Actions, there is a distinction between unprivileged and privileged workflows. For example, a workflow with a `pull_request` trigger is unprivileged while a workflow with `pull_request_target` is privileged. + +This is relevant especially for PRs from forks. Normal PRs can only be submitted by people who have write access to a repository, while PRs from forks can be submitted by anyone. + +On a PR from a fork, an unprivileged `pull_request` workflow has only limited capabilities but a privileged `pull_request_target` workflow is much more dangerous. A privileged workflow: + + * Runs in the context of the base repository + * Has access to organization and repository secrets (e.g., API keys, deployment tokens) + * Has a read/write `GITHUB_TOKEN` by default + * Can access private resources + +Certain triggers automatically grant a workflow elevated privileges: + + * `pull_request_target` as described above + * `workflow_run`: Triggered when another workflow completes. + * `issue_comment`: Triggered when a comment is made on an issue or PR. + +## Attack Details + + * A repository has a privileged workflow + * An attacker forks the repository and adds malicious code (e.g., in the build script) + * The attacker opens a PR from the fork, and, if needed, comments on the PR + * The workflow in the base repository checks out the forked code + * The workflow runs, (e.g. the build script etc.), which contains the malicious code + +Please note that not only build scripts can be malicious code vectors. There is a large number of other possibilities. Some of them are listed in the [LOTP](https://boostsecurityio.github.io/lotp/) catalog. ## Recommendation @@ -133,4 +162,5 @@ jobs: ## References - GitHub Security Lab Research: [Keeping your GitHub Actions and workflows secure Part 1: Preventing pwn requests](https://securitylab.github.com/research/github-actions-preventing-pwn-requests/). +- Mitigating risks of untrusted checkout: [GitHub Docs](https://docs.github.com/en/enterprise-cloud@latest/actions/reference/security/secure-use#mitigating-the-risks-of-untrusted-code-checkout). - Living Off the Pipeline: [LOTP](https://boostsecurityio.github.io/lotp/). diff --git a/actions/ql/src/Security/CWE-829/UntrustedCheckoutMedium.md b/actions/ql/src/Security/CWE-829/UntrustedCheckoutMedium.md index a4fceb1f8da..a6dd437c1ba 100644 --- a/actions/ql/src/Security/CWE-829/UntrustedCheckoutMedium.md +++ b/actions/ql/src/Security/CWE-829/UntrustedCheckoutMedium.md @@ -1,6 +1,35 @@ ## Overview -GitHub workflows can be triggered through various repository events, including incoming pull requests (PRs) or comments on Issues/PRs. A dangerous misuse of event triggers such as `pull_request_target` or `issue_comment` followed by an explicit checkout of untrusted input from the PR may lead to repository compromise if untrusted code gets executed in a privileged job. Untrusted code may get executed due to a modified build script, workflow injection, or registry hijacking. **Carefully review** whether least privileges is used and whether input is taken from untrusted sources. +GitHub workflows can be triggered through various repository events, including incoming pull requests (PRs) or comments on Issues/PRs. Under certain conditions described below, attackers can take over a repository by opening malicious PRs from forks. The attacks can result in malicious code execution causing unauthorized changes to the repository or exfiltration of repository secrets and a compromise of connected systems. + +## Workflow Security Model + +In GitHub Actions, there is a distinction between unprivileged and privileged workflows. For example, a workflow with a `pull_request` trigger is unprivileged while a workflow with `pull_request_target` is privileged. + +This is relevant especially for PRs from forks. Normal PRs can only be submitted by people who have write access to a repository, while PRs from forks can be submitted by anyone. + +On a PR from a fork, an unprivileged `pull_request` workflow has only limited capabilities but a privileged `pull_request_target` workflow is much more dangerous. A privileged workflow: + + * Runs in the context of the base repository + * Has access to organization and repository secrets (e.g., API keys, deployment tokens) + * Has a read/write `GITHUB_TOKEN` by default + * Can access private resources + +Certain triggers automatically grant a workflow elevated privileges: + + * `pull_request_target` as described above + * `workflow_run`: Triggered when another workflow completes. + * `issue_comment`: Triggered when a comment is made on an issue or PR. + +## Attack Details + + * A repository has a privileged workflow + * An attacker forks the repository and adds malicious code (e.g., in the build script) + * The attacker opens a PR from the fork, and, if needed, comments on the PR + * The workflow in the base repository checks out the forked code + * The workflow runs, (e.g. the build script etc.), which contains the malicious code + +Please note that not only build scripts can be malicious code vectors. There is a large number of other possibilities. Some of them are listed in the [LOTP](https://boostsecurityio.github.io/lotp/) catalog. ## Recommendation @@ -133,4 +162,5 @@ jobs: ## References - GitHub Security Lab Research: [Keeping your GitHub Actions and workflows secure Part 1: Preventing pwn requests](https://securitylab.github.com/research/github-actions-preventing-pwn-requests/). +- Mitigating risks of untrusted checkout: [GitHub Docs](https://docs.github.com/en/enterprise-cloud@latest/actions/reference/security/secure-use#mitigating-the-risks-of-untrusted-code-checkout). - Living Off the Pipeline: [LOTP](https://boostsecurityio.github.io/lotp/). From b0bc0fdd61f15a4a8b5bc00a1f7c025df73de658 Mon Sep 17 00:00:00 2001 From: Kristen Newbury Date: Thu, 30 Apr 2026 12:28:06 -0400 Subject: [PATCH 32/46] Adjust changenotes actions queries --- .../2026-04-15-poisonable-steps-additions-alterations.md | 4 ++++ .../2026-04-15-untrusted-checkout-improvements.md | 2 +- 2 files changed, 5 insertions(+), 1 deletion(-) create mode 100644 actions/ql/lib/change-notes/2026-04-15-poisonable-steps-additions-alterations.md diff --git a/actions/ql/lib/change-notes/2026-04-15-poisonable-steps-additions-alterations.md b/actions/ql/lib/change-notes/2026-04-15-poisonable-steps-additions-alterations.md new file mode 100644 index 00000000000..1d6a8a49a2c --- /dev/null +++ b/actions/ql/lib/change-notes/2026-04-15-poisonable-steps-additions-alterations.md @@ -0,0 +1,4 @@ +--- +category: minorAnalysis +--- +* Altered 2 patterns in the `poisonable_steps` modelling. Extra sinks are detected in the following cases: scripts executed via python modules and `go run` in directories are detected as potential mechanisms of injection. For the go execution pattern, the pattern is updated to now ignore flags that occur between go and the specific command. This change may lead to more results being detected by any queries that use that library. \ No newline at end of file diff --git a/actions/ql/src/change-notes/2026-04-15-untrusted-checkout-improvements.md b/actions/ql/src/change-notes/2026-04-15-untrusted-checkout-improvements.md index ef16e84e2c2..b78cc74e089 100644 --- a/actions/ql/src/change-notes/2026-04-15-untrusted-checkout-improvements.md +++ b/actions/ql/src/change-notes/2026-04-15-untrusted-checkout-improvements.md @@ -1,6 +1,6 @@ --- category: majorAnalysis --- -* Fixed help file descriptions for queries: `actions/untrusted-checkout/critical`, `actions/untrusted-checkout/high`, `actions/untrusted-checkout/medium`. Previously the messages were unclear as to why and how the vulnerabilities could occur. Additionally alter 2 patterns in the detection such that now extra sinks are detected in the following cases: scripts executed via python modules and `go run` in directories are detected as potential mechanisms of injection. This may lead to more results being detected by all 3 queries. +* Fixed help file descriptions for queries: `actions/untrusted-checkout/critical`, `actions/untrusted-checkout/high`, `actions/untrusted-checkout/medium`. Previously the messages were unclear as to why and how the vulnerabilities could occur. * Adjusted `actions/untrusted-checkout/critical` to align more with other untrusted resource queries, where the alert location is the location where the artifact is obtained from (the checkout point). This aligns with the other 2 related queries. This will cause the same alerts to re-open for closed alerts of this query. * Adjusted the name of `actions/untrusted-checkout/high` to more clearly describe which parts of the scenario are in a privileged context. This will cause the same alerts to re-open for closed alerts of this query. \ No newline at end of file From d3df5ce110f4ec5659ed487754ad970097828af5 Mon Sep 17 00:00:00 2001 From: Anders Schack-Mulligen Date: Fri, 1 May 2026 10:22:53 +0200 Subject: [PATCH 33/46] C#: Deprecate ParameterDefinition in favour of SsaParameterInit. --- csharp/ql/lib/semmle/code/csharp/dataflow/SSA.qll | 6 ++---- .../semmle/code/csharp/dataflow/internal/SsaImpl.qll | 10 ++++++---- 2 files changed, 8 insertions(+), 8 deletions(-) diff --git a/csharp/ql/lib/semmle/code/csharp/dataflow/SSA.qll b/csharp/ql/lib/semmle/code/csharp/dataflow/SSA.qll index 23e1ee0afda..a570b7ba563 100644 --- a/csharp/ql/lib/semmle/code/csharp/dataflow/SSA.qll +++ b/csharp/ql/lib/semmle/code/csharp/dataflow/SSA.qll @@ -554,11 +554,9 @@ module Ssa { /** * DEPRECATED: Use `SsaParameterInit` instead. */ - deprecated class ImplicitParameterDefinition = ParameterDefinition; + deprecated final class ImplicitParameterDefinition = SsaImpl::ParameterDefinitionImpl; - final class ParameterDefinition = SsaImpl::ParameterDefinitionImpl; - - private class ExplicitParameterDefinition extends ExplicitDefinition, + deprecated private class ExplicitParameterDefinition extends ExplicitDefinition, SsaImpl::ParameterDefinitionImpl { private Parameter p; diff --git a/csharp/ql/lib/semmle/code/csharp/dataflow/internal/SsaImpl.qll b/csharp/ql/lib/semmle/code/csharp/dataflow/internal/SsaImpl.qll index 0f08e6d66dd..9f0ca12888f 100644 --- a/csharp/ql/lib/semmle/code/csharp/dataflow/internal/SsaImpl.qll +++ b/csharp/ql/lib/semmle/code/csharp/dataflow/internal/SsaImpl.qll @@ -1048,7 +1048,7 @@ private module DataFlowIntegrationInput implements Impl::DataFlowIntegrationInpu private module DataFlowIntegrationImpl = Impl::DataFlowIntegration; -private module MultiBodyNearestLocationInput implements NearestLocationInputSig { +deprecated private module MultiBodyNearestLocationInput implements NearestLocationInputSig { class C = MultiBodyParameterDefinition; predicate relevantLocations(MultiBodyParameterDefinition def, Location l1, Location l2) { @@ -1062,7 +1062,7 @@ private module MultiBodyNearestLocationInput implements NearestLocationInputSig } pragma[nomagic] -private predicate implicitEntryDef( +deprecated private predicate implicitEntryDef( Ssa::ImplicitEntryDefinition def, Ssa::SourceVariable v, Callable c ) { v = def.getSourceVariable() and @@ -1073,7 +1073,7 @@ private predicate implicitEntryDef( * An SSA definition representing the implicit initialization of a parameter * at the beginning of a callable. */ -abstract class ParameterDefinitionImpl extends Ssa::Definition { +abstract deprecated class ParameterDefinitionImpl extends Ssa::Definition { /** Gets the parameter that this definition represents. */ abstract Parameter getParameter(); @@ -1082,7 +1082,9 @@ abstract class ParameterDefinitionImpl extends Ssa::Definition { } } -class MultiBodyParameterDefinition extends ParameterDefinitionImpl, Ssa::ImplicitEntryDefinition { +deprecated class MultiBodyParameterDefinition extends ParameterDefinitionImpl, + Ssa::ImplicitEntryDefinition +{ private Parameter p; MultiBodyParameterDefinition() { From 5fbba0e9fedc698d4b9e68a9abbfe4cd426a3c34 Mon Sep 17 00:00:00 2001 From: Anders Schack-Mulligen Date: Fri, 1 May 2026 10:24:23 +0200 Subject: [PATCH 34/46] C#: Delete ParameterDefaultDefinition. --- csharp/ql/lib/semmle/code/csharp/dataflow/SSA.qll | 13 ------------- 1 file changed, 13 deletions(-) diff --git a/csharp/ql/lib/semmle/code/csharp/dataflow/SSA.qll b/csharp/ql/lib/semmle/code/csharp/dataflow/SSA.qll index a570b7ba563..7d49e0b27d1 100644 --- a/csharp/ql/lib/semmle/code/csharp/dataflow/SSA.qll +++ b/csharp/ql/lib/semmle/code/csharp/dataflow/SSA.qll @@ -569,19 +569,6 @@ module Ssa { override string toString() { result = SsaImpl::ParameterDefinitionImpl.super.toString() } } - /** - * An SSA definition representing the default value of a parameter. - */ - class ParameterDefaultDefinition extends ExplicitDefinition { - private Parameter p; - override AssignableDefinitions::ParameterDefaultDefinition ad; - - ParameterDefaultDefinition() { p = ad.getParameter() } - - /** Gets the parameter that this entry definition represents. */ - Parameter getParameter() { result = p } - } - /** * An SSA definition representing the potential definition of a variable * via a call. From 439a67a3feb656dcc34ba3bbf15e18f42980b3b1 Mon Sep 17 00:00:00 2001 From: Anders Schack-Mulligen Date: Fri, 1 May 2026 10:26:50 +0200 Subject: [PATCH 35/46] C#: Fix toString for capture definitions. --- csharp/ql/lib/semmle/code/csharp/dataflow/SSA.qll | 9 +++++++++ 1 file changed, 9 insertions(+) diff --git a/csharp/ql/lib/semmle/code/csharp/dataflow/SSA.qll b/csharp/ql/lib/semmle/code/csharp/dataflow/SSA.qll index 7d49e0b27d1..fc640cccf77 100644 --- a/csharp/ql/lib/semmle/code/csharp/dataflow/SSA.qll +++ b/csharp/ql/lib/semmle/code/csharp/dataflow/SSA.qll @@ -569,6 +569,15 @@ module Ssa { override string toString() { result = SsaImpl::ParameterDefinitionImpl.super.toString() } } + /** An SSA definition in a closure that captures a variable. */ + class SsaCapturedDefinition extends SsaImplicitEntryDefinition { + SsaCapturedDefinition() { + this.getSourceVariable().getAssignable() instanceof LocalScopeVariable + } + + override string toString() { result = "SSA capture def(" + this.getSourceVariable() + ")" } + } + /** * An SSA definition representing the potential definition of a variable * via a call. From 351e9cc91468b169994c8443ec4a77c33563b5bc Mon Sep 17 00:00:00 2001 From: Anders Schack-Mulligen Date: Fri, 1 May 2026 10:28:15 +0200 Subject: [PATCH 36/46] C#: Accept test changes. --- .../dataflow/local/DataFlowStep.expected | 38 +++++++++---------- .../dataflow/local/TaintTrackingStep.expected | 38 +++++++++---------- .../dataflow/ssa/DefAdjacentRead.expected | 2 + .../dataflow/ssa/SSAPhi.expected | 4 +- .../dataflow/ssa/SsaDef.expected | 14 +++---- .../dataflow/ssa/SsaExplicitDef.expected | 6 ++- .../ssa/SsaImplicitQualifier.expected | 6 +-- .../dataflow/ssa/SsaRead.expected | 4 +- .../dataflow/ssa/SsaUltimateDef.expected | 26 ++++++------- 9 files changed, 69 insertions(+), 69 deletions(-) diff --git a/csharp/ql/test/library-tests/dataflow/local/DataFlowStep.expected b/csharp/ql/test/library-tests/dataflow/local/DataFlowStep.expected index d1df5b77de0..3efa55f0ca4 100644 --- a/csharp/ql/test/library-tests/dataflow/local/DataFlowStep.expected +++ b/csharp/ql/test/library-tests/dataflow/local/DataFlowStep.expected @@ -530,8 +530,8 @@ | LocalDataFlow.cs:385:34:385:34 | SSA param(s) | LocalDataFlow.cs:387:15:387:15 | access to parameter s | | LocalDataFlow.cs:385:34:385:34 | s | LocalDataFlow.cs:385:34:385:34 | SSA param(s) | | LocalDataFlow.cs:385:38:385:51 | "taint source" | LocalDataFlow.cs:385:38:385:51 | s = ... | -| LocalDataFlow.cs:385:38:385:51 | SSA param_default(s) | LocalDataFlow.cs:387:15:387:15 | access to parameter s | -| LocalDataFlow.cs:385:38:385:51 | s = ... | LocalDataFlow.cs:385:38:385:51 | SSA param_default(s) | +| LocalDataFlow.cs:385:38:385:51 | SSA def(s) | LocalDataFlow.cs:387:15:387:15 | access to parameter s | +| LocalDataFlow.cs:385:38:385:51 | s = ... | LocalDataFlow.cs:385:38:385:51 | SSA def(s) | | SSA.cs:3:14:3:16 | this | SSA.cs:3:14:3:16 | this access | | SSA.cs:5:17:5:17 | SSA entry def(this.S) | SSA.cs:67:9:67:14 | access to field S | | SSA.cs:5:17:5:17 | this | SSA.cs:67:9:67:12 | this access | @@ -642,13 +642,13 @@ | SSA.cs:67:9:67:14 | [post] access to field S | SSA.cs:68:23:68:28 | access to field S | | SSA.cs:67:9:67:14 | access to field S | SSA.cs:68:23:68:28 | access to field S | | SSA.cs:67:9:67:28 | access to field SsaFieldSink0 | SSA.cs:67:9:67:38 | SSA def(this.S.SsaFieldSink0) | -| SSA.cs:67:9:67:38 | SSA def(this.S.SsaFieldSink0) | SSA.cs:68:23:68:28 | SSA qualifier def(this.S.SsaFieldSink0) | +| SSA.cs:67:9:67:38 | SSA def(this.S.SsaFieldSink0) | SSA.cs:68:9:68:29 | SSA qualifier def(this.S.SsaFieldSink0) | | SSA.cs:67:32:67:38 | access to parameter tainted | SSA.cs:67:9:67:28 | access to field SsaFieldSink0 | | SSA.cs:67:32:67:38 | access to parameter tainted | SSA.cs:77:20:77:26 | access to parameter tainted | +| SSA.cs:68:9:68:29 | SSA qualifier def(this.S.SsaFieldSink0) | SSA.cs:69:15:69:34 | access to field SsaFieldSink0 | | SSA.cs:68:23:68:26 | [post] this access | SSA.cs:69:15:69:18 | this access | | SSA.cs:68:23:68:26 | this access | SSA.cs:69:15:69:18 | this access | | SSA.cs:68:23:68:28 | SSA def(this.S) | SSA.cs:69:15:69:20 | access to field S | -| SSA.cs:68:23:68:28 | SSA qualifier def(this.S.SsaFieldSink0) | SSA.cs:69:15:69:34 | access to field SsaFieldSink0 | | SSA.cs:68:23:68:28 | [post] access to field S | SSA.cs:68:23:68:28 | SSA def(this.S) | | SSA.cs:68:23:68:28 | access to field S | SSA.cs:68:23:68:28 | SSA def(this.S) | | SSA.cs:68:23:68:28 | access to field S | SSA.cs:68:23:68:28 | SSA def(this.S) | @@ -661,12 +661,12 @@ | SSA.cs:72:9:72:14 | [post] access to field S | SSA.cs:73:23:73:28 | access to field S | | SSA.cs:72:9:72:14 | access to field S | SSA.cs:73:23:73:28 | access to field S | | SSA.cs:72:9:72:31 | access to field SsaFieldNonSink0 | SSA.cs:72:9:72:36 | SSA def(this.S.SsaFieldNonSink0) | -| SSA.cs:72:9:72:36 | SSA def(this.S.SsaFieldNonSink0) | SSA.cs:73:23:73:28 | SSA qualifier def(this.S.SsaFieldNonSink0) | +| SSA.cs:72:9:72:36 | SSA def(this.S.SsaFieldNonSink0) | SSA.cs:73:9:73:29 | SSA qualifier def(this.S.SsaFieldNonSink0) | | SSA.cs:72:35:72:36 | "" | SSA.cs:72:9:72:31 | access to field SsaFieldNonSink0 | +| SSA.cs:73:9:73:29 | SSA qualifier def(this.S.SsaFieldNonSink0) | SSA.cs:74:15:74:37 | access to field SsaFieldNonSink0 | | SSA.cs:73:23:73:26 | [post] this access | SSA.cs:74:15:74:18 | this access | | SSA.cs:73:23:73:26 | this access | SSA.cs:74:15:74:18 | this access | | SSA.cs:73:23:73:28 | SSA def(this.S) | SSA.cs:74:15:74:20 | access to field S | -| SSA.cs:73:23:73:28 | SSA qualifier def(this.S.SsaFieldNonSink0) | SSA.cs:74:15:74:37 | access to field SsaFieldNonSink0 | | SSA.cs:73:23:73:28 | [post] access to field S | SSA.cs:73:23:73:28 | SSA def(this.S) | | SSA.cs:73:23:73:28 | access to field S | SSA.cs:73:23:73:28 | SSA def(this.S) | | SSA.cs:73:23:73:28 | access to field S | SSA.cs:73:23:73:28 | SSA def(this.S) | @@ -690,10 +690,10 @@ | SSA.cs:80:9:80:14 | access to field S | SSA.cs:81:21:81:26 | access to field S | | SSA.cs:80:35:80:41 | access to parameter tainted | SSA.cs:80:9:80:31 | access to field SsaFieldNonSink0 | | SSA.cs:80:35:80:41 | access to parameter tainted | SSA.cs:83:35:83:41 | access to parameter tainted | +| SSA.cs:81:9:81:27 | SSA qualifier def(this.S.SsaFieldNonSink0) | SSA.cs:82:15:82:37 | access to field SsaFieldNonSink0 | | SSA.cs:81:21:81:24 | [post] this access | SSA.cs:82:15:82:18 | this access | | SSA.cs:81:21:81:24 | this access | SSA.cs:82:15:82:18 | this access | | SSA.cs:81:21:81:26 | SSA def(this.S) | SSA.cs:82:15:82:20 | access to field S | -| SSA.cs:81:21:81:26 | SSA qualifier def(this.S.SsaFieldNonSink0) | SSA.cs:82:15:82:37 | access to field SsaFieldNonSink0 | | SSA.cs:81:21:81:26 | access to field S | SSA.cs:81:21:81:26 | SSA def(this.S) | | SSA.cs:82:15:82:18 | [post] this access | SSA.cs:83:9:83:12 | this access | | SSA.cs:82:15:82:18 | this access | SSA.cs:83:9:83:12 | this access | @@ -768,7 +768,7 @@ | SSA.cs:114:9:114:14 | access to field S | SSA.cs:115:13:115:33 | [input] SSA phi read(this.S) | | SSA.cs:114:9:114:14 | access to field S | SSA.cs:117:13:117:18 | access to field S | | SSA.cs:114:9:114:28 | access to field SsaFieldSink1 | SSA.cs:114:9:114:33 | SSA def(this.S.SsaFieldSink1) | -| SSA.cs:114:9:114:33 | SSA def(this.S.SsaFieldSink1) | SSA.cs:123:23:123:28 | SSA qualifier def(this.S.SsaFieldSink1) | +| SSA.cs:114:9:114:33 | SSA def(this.S.SsaFieldSink1) | SSA.cs:123:9:123:29 | SSA qualifier def(this.S.SsaFieldSink1) | | SSA.cs:114:32:114:33 | "" | SSA.cs:114:9:114:28 | access to field SsaFieldSink1 | | SSA.cs:115:13:115:22 | [post] access to parameter nonTainted | SSA.cs:115:13:115:33 | [input] SSA phi read(nonTainted) | | SSA.cs:115:13:115:22 | [post] access to parameter nonTainted | SSA.cs:118:17:118:26 | access to parameter nonTainted | @@ -794,18 +794,18 @@ | SSA.cs:119:21:119:24 | this access | SSA.cs:123:23:123:26 | this access | | SSA.cs:119:21:119:26 | [post] access to field S | SSA.cs:123:23:123:28 | access to field S | | SSA.cs:119:21:119:26 | access to field S | SSA.cs:123:23:123:28 | access to field S | -| SSA.cs:119:21:119:40 | [post] access to field SsaFieldSink1 | SSA.cs:123:23:123:28 | SSA qualifier def(this.S.SsaFieldSink1) | -| SSA.cs:119:21:119:40 | access to field SsaFieldSink1 | SSA.cs:123:23:123:28 | SSA qualifier def(this.S.SsaFieldSink1) | +| SSA.cs:119:21:119:40 | [post] access to field SsaFieldSink1 | SSA.cs:123:9:123:29 | SSA qualifier def(this.S.SsaFieldSink1) | +| SSA.cs:119:21:119:40 | access to field SsaFieldSink1 | SSA.cs:123:9:123:29 | SSA qualifier def(this.S.SsaFieldSink1) | | SSA.cs:121:21:121:24 | [post] this access | SSA.cs:123:23:123:26 | this access | | SSA.cs:121:21:121:24 | this access | SSA.cs:123:23:123:26 | this access | | SSA.cs:121:21:121:26 | [post] access to field S | SSA.cs:123:23:123:28 | access to field S | | SSA.cs:121:21:121:26 | access to field S | SSA.cs:123:23:123:28 | access to field S | -| SSA.cs:121:21:121:40 | [post] access to field SsaFieldSink1 | SSA.cs:123:23:123:28 | SSA qualifier def(this.S.SsaFieldSink1) | -| SSA.cs:121:21:121:40 | access to field SsaFieldSink1 | SSA.cs:123:23:123:28 | SSA qualifier def(this.S.SsaFieldSink1) | +| SSA.cs:121:21:121:40 | [post] access to field SsaFieldSink1 | SSA.cs:123:9:123:29 | SSA qualifier def(this.S.SsaFieldSink1) | +| SSA.cs:121:21:121:40 | access to field SsaFieldSink1 | SSA.cs:123:9:123:29 | SSA qualifier def(this.S.SsaFieldSink1) | +| SSA.cs:123:9:123:29 | SSA qualifier def(this.S.SsaFieldSink1) | SSA.cs:124:15:124:34 | access to field SsaFieldSink1 | | SSA.cs:123:23:123:26 | [post] this access | SSA.cs:124:15:124:18 | this access | | SSA.cs:123:23:123:26 | this access | SSA.cs:124:15:124:18 | this access | | SSA.cs:123:23:123:28 | SSA def(this.S) | SSA.cs:124:15:124:20 | access to field S | -| SSA.cs:123:23:123:28 | SSA qualifier def(this.S.SsaFieldSink1) | SSA.cs:124:15:124:34 | access to field SsaFieldSink1 | | SSA.cs:123:23:123:28 | [post] access to field S | SSA.cs:123:23:123:28 | SSA def(this.S) | | SSA.cs:123:23:123:28 | access to field S | SSA.cs:123:23:123:28 | SSA def(this.S) | | SSA.cs:123:23:123:28 | access to field S | SSA.cs:123:23:123:28 | SSA def(this.S) | @@ -822,7 +822,7 @@ | SSA.cs:127:9:127:14 | access to field S | SSA.cs:128:13:128:33 | [input] SSA phi read(this.S) | | SSA.cs:127:9:127:14 | access to field S | SSA.cs:130:13:130:18 | access to field S | | SSA.cs:127:9:127:31 | access to field SsaFieldNonSink0 | SSA.cs:127:9:127:36 | SSA def(this.S.SsaFieldNonSink0) | -| SSA.cs:127:9:127:36 | SSA def(this.S.SsaFieldNonSink0) | SSA.cs:136:23:136:28 | SSA qualifier def(this.S.SsaFieldNonSink0) | +| SSA.cs:127:9:127:36 | SSA def(this.S.SsaFieldNonSink0) | SSA.cs:136:9:136:29 | SSA qualifier def(this.S.SsaFieldNonSink0) | | SSA.cs:127:35:127:36 | "" | SSA.cs:127:9:127:31 | access to field SsaFieldNonSink0 | | SSA.cs:128:13:128:22 | [post] access to parameter nonTainted | SSA.cs:131:17:131:26 | access to parameter nonTainted | | SSA.cs:128:13:128:22 | access to parameter nonTainted | SSA.cs:131:17:131:26 | access to parameter nonTainted | @@ -843,18 +843,18 @@ | SSA.cs:132:21:132:24 | this access | SSA.cs:136:23:136:26 | this access | | SSA.cs:132:21:132:26 | [post] access to field S | SSA.cs:136:23:136:28 | access to field S | | SSA.cs:132:21:132:26 | access to field S | SSA.cs:136:23:136:28 | access to field S | -| SSA.cs:132:21:132:43 | [post] access to field SsaFieldNonSink0 | SSA.cs:136:23:136:28 | SSA qualifier def(this.S.SsaFieldNonSink0) | -| SSA.cs:132:21:132:43 | access to field SsaFieldNonSink0 | SSA.cs:136:23:136:28 | SSA qualifier def(this.S.SsaFieldNonSink0) | +| SSA.cs:132:21:132:43 | [post] access to field SsaFieldNonSink0 | SSA.cs:136:9:136:29 | SSA qualifier def(this.S.SsaFieldNonSink0) | +| SSA.cs:132:21:132:43 | access to field SsaFieldNonSink0 | SSA.cs:136:9:136:29 | SSA qualifier def(this.S.SsaFieldNonSink0) | | SSA.cs:134:21:134:24 | [post] this access | SSA.cs:136:23:136:26 | this access | | SSA.cs:134:21:134:24 | this access | SSA.cs:136:23:136:26 | this access | | SSA.cs:134:21:134:26 | [post] access to field S | SSA.cs:136:23:136:28 | access to field S | | SSA.cs:134:21:134:26 | access to field S | SSA.cs:136:23:136:28 | access to field S | -| SSA.cs:134:21:134:43 | [post] access to field SsaFieldNonSink0 | SSA.cs:136:23:136:28 | SSA qualifier def(this.S.SsaFieldNonSink0) | -| SSA.cs:134:21:134:43 | access to field SsaFieldNonSink0 | SSA.cs:136:23:136:28 | SSA qualifier def(this.S.SsaFieldNonSink0) | +| SSA.cs:134:21:134:43 | [post] access to field SsaFieldNonSink0 | SSA.cs:136:9:136:29 | SSA qualifier def(this.S.SsaFieldNonSink0) | +| SSA.cs:134:21:134:43 | access to field SsaFieldNonSink0 | SSA.cs:136:9:136:29 | SSA qualifier def(this.S.SsaFieldNonSink0) | +| SSA.cs:136:9:136:29 | SSA qualifier def(this.S.SsaFieldNonSink0) | SSA.cs:137:15:137:37 | access to field SsaFieldNonSink0 | | SSA.cs:136:23:136:26 | [post] this access | SSA.cs:137:15:137:18 | this access | | SSA.cs:136:23:136:26 | this access | SSA.cs:137:15:137:18 | this access | | SSA.cs:136:23:136:28 | SSA def(this.S) | SSA.cs:137:15:137:20 | access to field S | -| SSA.cs:136:23:136:28 | SSA qualifier def(this.S.SsaFieldNonSink0) | SSA.cs:137:15:137:37 | access to field SsaFieldNonSink0 | | SSA.cs:136:23:136:28 | [post] access to field S | SSA.cs:136:23:136:28 | SSA def(this.S) | | SSA.cs:136:23:136:28 | access to field S | SSA.cs:136:23:136:28 | SSA def(this.S) | | SSA.cs:136:23:136:28 | access to field S | SSA.cs:136:23:136:28 | SSA def(this.S) | diff --git a/csharp/ql/test/library-tests/dataflow/local/TaintTrackingStep.expected b/csharp/ql/test/library-tests/dataflow/local/TaintTrackingStep.expected index 06251245a05..3229a540148 100644 --- a/csharp/ql/test/library-tests/dataflow/local/TaintTrackingStep.expected +++ b/csharp/ql/test/library-tests/dataflow/local/TaintTrackingStep.expected @@ -642,8 +642,8 @@ | LocalDataFlow.cs:385:34:385:34 | SSA param(s) | LocalDataFlow.cs:387:15:387:15 | access to parameter s | | LocalDataFlow.cs:385:34:385:34 | s | LocalDataFlow.cs:385:34:385:34 | SSA param(s) | | LocalDataFlow.cs:385:38:385:51 | "taint source" | LocalDataFlow.cs:385:38:385:51 | s = ... | -| LocalDataFlow.cs:385:38:385:51 | SSA param_default(s) | LocalDataFlow.cs:387:15:387:15 | access to parameter s | -| LocalDataFlow.cs:385:38:385:51 | s = ... | LocalDataFlow.cs:385:38:385:51 | SSA param_default(s) | +| LocalDataFlow.cs:385:38:385:51 | SSA def(s) | LocalDataFlow.cs:387:15:387:15 | access to parameter s | +| LocalDataFlow.cs:385:38:385:51 | s = ... | LocalDataFlow.cs:385:38:385:51 | SSA def(s) | | SSA.cs:3:14:3:16 | this | SSA.cs:3:14:3:16 | this access | | SSA.cs:5:17:5:17 | SSA entry def(this.S) | SSA.cs:67:9:67:14 | access to field S | | SSA.cs:5:17:5:17 | this | SSA.cs:67:9:67:12 | this access | @@ -760,13 +760,13 @@ | SSA.cs:67:9:67:14 | [post] access to field S | SSA.cs:68:23:68:28 | access to field S | | SSA.cs:67:9:67:14 | access to field S | SSA.cs:68:23:68:28 | access to field S | | SSA.cs:67:9:67:28 | access to field SsaFieldSink0 | SSA.cs:67:9:67:38 | SSA def(this.S.SsaFieldSink0) | -| SSA.cs:67:9:67:38 | SSA def(this.S.SsaFieldSink0) | SSA.cs:68:23:68:28 | SSA qualifier def(this.S.SsaFieldSink0) | +| SSA.cs:67:9:67:38 | SSA def(this.S.SsaFieldSink0) | SSA.cs:68:9:68:29 | SSA qualifier def(this.S.SsaFieldSink0) | | SSA.cs:67:32:67:38 | access to parameter tainted | SSA.cs:67:9:67:28 | access to field SsaFieldSink0 | | SSA.cs:67:32:67:38 | access to parameter tainted | SSA.cs:77:20:77:26 | access to parameter tainted | +| SSA.cs:68:9:68:29 | SSA qualifier def(this.S.SsaFieldSink0) | SSA.cs:69:15:69:34 | access to field SsaFieldSink0 | | SSA.cs:68:23:68:26 | [post] this access | SSA.cs:69:15:69:18 | this access | | SSA.cs:68:23:68:26 | this access | SSA.cs:69:15:69:18 | this access | | SSA.cs:68:23:68:28 | SSA def(this.S) | SSA.cs:69:15:69:20 | access to field S | -| SSA.cs:68:23:68:28 | SSA qualifier def(this.S.SsaFieldSink0) | SSA.cs:69:15:69:34 | access to field SsaFieldSink0 | | SSA.cs:68:23:68:28 | [post] access to field S | SSA.cs:68:23:68:28 | SSA def(this.S) | | SSA.cs:68:23:68:28 | access to field S | SSA.cs:68:23:68:28 | SSA def(this.S) | | SSA.cs:68:23:68:28 | access to field S | SSA.cs:68:23:68:28 | SSA def(this.S) | @@ -779,12 +779,12 @@ | SSA.cs:72:9:72:14 | [post] access to field S | SSA.cs:73:23:73:28 | access to field S | | SSA.cs:72:9:72:14 | access to field S | SSA.cs:73:23:73:28 | access to field S | | SSA.cs:72:9:72:31 | access to field SsaFieldNonSink0 | SSA.cs:72:9:72:36 | SSA def(this.S.SsaFieldNonSink0) | -| SSA.cs:72:9:72:36 | SSA def(this.S.SsaFieldNonSink0) | SSA.cs:73:23:73:28 | SSA qualifier def(this.S.SsaFieldNonSink0) | +| SSA.cs:72:9:72:36 | SSA def(this.S.SsaFieldNonSink0) | SSA.cs:73:9:73:29 | SSA qualifier def(this.S.SsaFieldNonSink0) | | SSA.cs:72:35:72:36 | "" | SSA.cs:72:9:72:31 | access to field SsaFieldNonSink0 | +| SSA.cs:73:9:73:29 | SSA qualifier def(this.S.SsaFieldNonSink0) | SSA.cs:74:15:74:37 | access to field SsaFieldNonSink0 | | SSA.cs:73:23:73:26 | [post] this access | SSA.cs:74:15:74:18 | this access | | SSA.cs:73:23:73:26 | this access | SSA.cs:74:15:74:18 | this access | | SSA.cs:73:23:73:28 | SSA def(this.S) | SSA.cs:74:15:74:20 | access to field S | -| SSA.cs:73:23:73:28 | SSA qualifier def(this.S.SsaFieldNonSink0) | SSA.cs:74:15:74:37 | access to field SsaFieldNonSink0 | | SSA.cs:73:23:73:28 | [post] access to field S | SSA.cs:73:23:73:28 | SSA def(this.S) | | SSA.cs:73:23:73:28 | access to field S | SSA.cs:73:23:73:28 | SSA def(this.S) | | SSA.cs:73:23:73:28 | access to field S | SSA.cs:73:23:73:28 | SSA def(this.S) | @@ -808,10 +808,10 @@ | SSA.cs:80:9:80:14 | access to field S | SSA.cs:81:21:81:26 | access to field S | | SSA.cs:80:35:80:41 | access to parameter tainted | SSA.cs:80:9:80:31 | access to field SsaFieldNonSink0 | | SSA.cs:80:35:80:41 | access to parameter tainted | SSA.cs:83:35:83:41 | access to parameter tainted | +| SSA.cs:81:9:81:27 | SSA qualifier def(this.S.SsaFieldNonSink0) | SSA.cs:82:15:82:37 | access to field SsaFieldNonSink0 | | SSA.cs:81:21:81:24 | [post] this access | SSA.cs:82:15:82:18 | this access | | SSA.cs:81:21:81:24 | this access | SSA.cs:82:15:82:18 | this access | | SSA.cs:81:21:81:26 | SSA def(this.S) | SSA.cs:82:15:82:20 | access to field S | -| SSA.cs:81:21:81:26 | SSA qualifier def(this.S.SsaFieldNonSink0) | SSA.cs:82:15:82:37 | access to field SsaFieldNonSink0 | | SSA.cs:81:21:81:26 | access to field S | SSA.cs:81:21:81:26 | SSA def(this.S) | | SSA.cs:82:15:82:18 | [post] this access | SSA.cs:83:9:83:12 | this access | | SSA.cs:82:15:82:18 | this access | SSA.cs:83:9:83:12 | this access | @@ -890,7 +890,7 @@ | SSA.cs:114:9:114:14 | access to field S | SSA.cs:115:13:115:33 | [input] SSA phi read(this.S) | | SSA.cs:114:9:114:14 | access to field S | SSA.cs:117:13:117:18 | access to field S | | SSA.cs:114:9:114:28 | access to field SsaFieldSink1 | SSA.cs:114:9:114:33 | SSA def(this.S.SsaFieldSink1) | -| SSA.cs:114:9:114:33 | SSA def(this.S.SsaFieldSink1) | SSA.cs:123:23:123:28 | SSA qualifier def(this.S.SsaFieldSink1) | +| SSA.cs:114:9:114:33 | SSA def(this.S.SsaFieldSink1) | SSA.cs:123:9:123:29 | SSA qualifier def(this.S.SsaFieldSink1) | | SSA.cs:114:32:114:33 | "" | SSA.cs:114:9:114:28 | access to field SsaFieldSink1 | | SSA.cs:115:13:115:22 | [post] access to parameter nonTainted | SSA.cs:115:13:115:33 | [input] SSA phi read(nonTainted) | | SSA.cs:115:13:115:22 | [post] access to parameter nonTainted | SSA.cs:118:17:118:26 | access to parameter nonTainted | @@ -918,18 +918,18 @@ | SSA.cs:119:21:119:24 | this access | SSA.cs:123:23:123:26 | this access | | SSA.cs:119:21:119:26 | [post] access to field S | SSA.cs:123:23:123:28 | access to field S | | SSA.cs:119:21:119:26 | access to field S | SSA.cs:123:23:123:28 | access to field S | -| SSA.cs:119:21:119:40 | [post] access to field SsaFieldSink1 | SSA.cs:123:23:123:28 | SSA qualifier def(this.S.SsaFieldSink1) | -| SSA.cs:119:21:119:40 | access to field SsaFieldSink1 | SSA.cs:123:23:123:28 | SSA qualifier def(this.S.SsaFieldSink1) | +| SSA.cs:119:21:119:40 | [post] access to field SsaFieldSink1 | SSA.cs:123:9:123:29 | SSA qualifier def(this.S.SsaFieldSink1) | +| SSA.cs:119:21:119:40 | access to field SsaFieldSink1 | SSA.cs:123:9:123:29 | SSA qualifier def(this.S.SsaFieldSink1) | | SSA.cs:121:21:121:24 | [post] this access | SSA.cs:123:23:123:26 | this access | | SSA.cs:121:21:121:24 | this access | SSA.cs:123:23:123:26 | this access | | SSA.cs:121:21:121:26 | [post] access to field S | SSA.cs:123:23:123:28 | access to field S | | SSA.cs:121:21:121:26 | access to field S | SSA.cs:123:23:123:28 | access to field S | -| SSA.cs:121:21:121:40 | [post] access to field SsaFieldSink1 | SSA.cs:123:23:123:28 | SSA qualifier def(this.S.SsaFieldSink1) | -| SSA.cs:121:21:121:40 | access to field SsaFieldSink1 | SSA.cs:123:23:123:28 | SSA qualifier def(this.S.SsaFieldSink1) | +| SSA.cs:121:21:121:40 | [post] access to field SsaFieldSink1 | SSA.cs:123:9:123:29 | SSA qualifier def(this.S.SsaFieldSink1) | +| SSA.cs:121:21:121:40 | access to field SsaFieldSink1 | SSA.cs:123:9:123:29 | SSA qualifier def(this.S.SsaFieldSink1) | +| SSA.cs:123:9:123:29 | SSA qualifier def(this.S.SsaFieldSink1) | SSA.cs:124:15:124:34 | access to field SsaFieldSink1 | | SSA.cs:123:23:123:26 | [post] this access | SSA.cs:124:15:124:18 | this access | | SSA.cs:123:23:123:26 | this access | SSA.cs:124:15:124:18 | this access | | SSA.cs:123:23:123:28 | SSA def(this.S) | SSA.cs:124:15:124:20 | access to field S | -| SSA.cs:123:23:123:28 | SSA qualifier def(this.S.SsaFieldSink1) | SSA.cs:124:15:124:34 | access to field SsaFieldSink1 | | SSA.cs:123:23:123:28 | [post] access to field S | SSA.cs:123:23:123:28 | SSA def(this.S) | | SSA.cs:123:23:123:28 | access to field S | SSA.cs:123:23:123:28 | SSA def(this.S) | | SSA.cs:123:23:123:28 | access to field S | SSA.cs:123:23:123:28 | SSA def(this.S) | @@ -946,7 +946,7 @@ | SSA.cs:127:9:127:14 | access to field S | SSA.cs:128:13:128:33 | [input] SSA phi read(this.S) | | SSA.cs:127:9:127:14 | access to field S | SSA.cs:130:13:130:18 | access to field S | | SSA.cs:127:9:127:31 | access to field SsaFieldNonSink0 | SSA.cs:127:9:127:36 | SSA def(this.S.SsaFieldNonSink0) | -| SSA.cs:127:9:127:36 | SSA def(this.S.SsaFieldNonSink0) | SSA.cs:136:23:136:28 | SSA qualifier def(this.S.SsaFieldNonSink0) | +| SSA.cs:127:9:127:36 | SSA def(this.S.SsaFieldNonSink0) | SSA.cs:136:9:136:29 | SSA qualifier def(this.S.SsaFieldNonSink0) | | SSA.cs:127:35:127:36 | "" | SSA.cs:127:9:127:31 | access to field SsaFieldNonSink0 | | SSA.cs:128:13:128:22 | [post] access to parameter nonTainted | SSA.cs:131:17:131:26 | access to parameter nonTainted | | SSA.cs:128:13:128:22 | access to parameter nonTainted | SSA.cs:131:17:131:26 | access to parameter nonTainted | @@ -969,18 +969,18 @@ | SSA.cs:132:21:132:24 | this access | SSA.cs:136:23:136:26 | this access | | SSA.cs:132:21:132:26 | [post] access to field S | SSA.cs:136:23:136:28 | access to field S | | SSA.cs:132:21:132:26 | access to field S | SSA.cs:136:23:136:28 | access to field S | -| SSA.cs:132:21:132:43 | [post] access to field SsaFieldNonSink0 | SSA.cs:136:23:136:28 | SSA qualifier def(this.S.SsaFieldNonSink0) | -| SSA.cs:132:21:132:43 | access to field SsaFieldNonSink0 | SSA.cs:136:23:136:28 | SSA qualifier def(this.S.SsaFieldNonSink0) | +| SSA.cs:132:21:132:43 | [post] access to field SsaFieldNonSink0 | SSA.cs:136:9:136:29 | SSA qualifier def(this.S.SsaFieldNonSink0) | +| SSA.cs:132:21:132:43 | access to field SsaFieldNonSink0 | SSA.cs:136:9:136:29 | SSA qualifier def(this.S.SsaFieldNonSink0) | | SSA.cs:134:21:134:24 | [post] this access | SSA.cs:136:23:136:26 | this access | | SSA.cs:134:21:134:24 | this access | SSA.cs:136:23:136:26 | this access | | SSA.cs:134:21:134:26 | [post] access to field S | SSA.cs:136:23:136:28 | access to field S | | SSA.cs:134:21:134:26 | access to field S | SSA.cs:136:23:136:28 | access to field S | -| SSA.cs:134:21:134:43 | [post] access to field SsaFieldNonSink0 | SSA.cs:136:23:136:28 | SSA qualifier def(this.S.SsaFieldNonSink0) | -| SSA.cs:134:21:134:43 | access to field SsaFieldNonSink0 | SSA.cs:136:23:136:28 | SSA qualifier def(this.S.SsaFieldNonSink0) | +| SSA.cs:134:21:134:43 | [post] access to field SsaFieldNonSink0 | SSA.cs:136:9:136:29 | SSA qualifier def(this.S.SsaFieldNonSink0) | +| SSA.cs:134:21:134:43 | access to field SsaFieldNonSink0 | SSA.cs:136:9:136:29 | SSA qualifier def(this.S.SsaFieldNonSink0) | +| SSA.cs:136:9:136:29 | SSA qualifier def(this.S.SsaFieldNonSink0) | SSA.cs:137:15:137:37 | access to field SsaFieldNonSink0 | | SSA.cs:136:23:136:26 | [post] this access | SSA.cs:137:15:137:18 | this access | | SSA.cs:136:23:136:26 | this access | SSA.cs:137:15:137:18 | this access | | SSA.cs:136:23:136:28 | SSA def(this.S) | SSA.cs:137:15:137:20 | access to field S | -| SSA.cs:136:23:136:28 | SSA qualifier def(this.S.SsaFieldNonSink0) | SSA.cs:137:15:137:37 | access to field SsaFieldNonSink0 | | SSA.cs:136:23:136:28 | [post] access to field S | SSA.cs:136:23:136:28 | SSA def(this.S) | | SSA.cs:136:23:136:28 | access to field S | SSA.cs:136:23:136:28 | SSA def(this.S) | | SSA.cs:136:23:136:28 | access to field S | SSA.cs:136:23:136:28 | SSA def(this.S) | diff --git a/csharp/ql/test/library-tests/dataflow/ssa/DefAdjacentRead.expected b/csharp/ql/test/library-tests/dataflow/ssa/DefAdjacentRead.expected index 0350c73ce25..3015fea1770 100644 --- a/csharp/ql/test/library-tests/dataflow/ssa/DefAdjacentRead.expected +++ b/csharp/ql/test/library-tests/dataflow/ssa/DefAdjacentRead.expected @@ -83,6 +83,8 @@ | Fields.cs:93:19:93:23 | Field | Fields.cs:102:9:102:28 | ... = ... | Fields.cs:104:16:104:25 | access to field Field | | Fields.cs:95:19:95:19 | f | Fields.cs:95:19:95:19 | f | Fields.cs:97:9:97:9 | access to parameter f | | Fields.cs:107:33:107:33 | f | Fields.cs:107:33:107:33 | f | Fields.cs:107:38:107:38 | access to parameter f | +| MultiImplementationA.cs:5:22:5:22 | x | MultiImplementationA.cs:5:22:5:22 | x | MultiImplementationA.cs:5:28:5:28 | access to parameter x | +| MultiImplementationA.cs:5:22:5:22 | x | MultiImplementationA.cs:5:22:5:22 | x | MultiImplementationB.cs:3:28:3:28 | access to parameter x | | OutRef.cs:5:9:5:13 | Field | OutRef.cs:13:28:13:32 | access to field Field | OutRef.cs:15:13:15:17 | access to field Field | | OutRef.cs:5:9:5:13 | Field | OutRef.cs:16:21:16:25 | access to field Field | OutRef.cs:17:13:17:17 | access to field Field | | OutRef.cs:5:9:5:13 | Field | OutRef.cs:16:32:16:36 | access to field Field | OutRef.cs:17:13:17:17 | access to field Field | diff --git a/csharp/ql/test/library-tests/dataflow/ssa/SSAPhi.expected b/csharp/ql/test/library-tests/dataflow/ssa/SSAPhi.expected index 7ace8cd316d..dd72baf4f29 100644 --- a/csharp/ql/test/library-tests/dataflow/ssa/SSAPhi.expected +++ b/csharp/ql/test/library-tests/dataflow/ssa/SSAPhi.expected @@ -9,9 +9,9 @@ | DefUse.cs:97:13:97:14 | x5 | DefUse.cs:98:9:102:9 | SSA phi(x5) | DefUse.cs:97:13:97:18 | SSA def(x5) | | DefUse.cs:97:13:97:14 | x5 | DefUse.cs:98:9:102:9 | SSA phi(x5) | DefUse.cs:101:13:101:23 | SSA def(x5) | | DefaultParam.cs:3:30:3:30 | s | DefaultParam.cs:3:42:3:42 | SSA phi(s) | DefaultParam.cs:3:30:3:30 | SSA param(s) | -| DefaultParam.cs:3:30:3:30 | s | DefaultParam.cs:3:42:3:42 | SSA phi(s) | DefaultParam.cs:3:34:3:35 | SSA param_default(s) | +| DefaultParam.cs:3:30:3:30 | s | DefaultParam.cs:3:42:3:42 | SSA phi(s) | DefaultParam.cs:3:34:3:35 | SSA def(s) | | DefaultParam.cs:3:42:3:42 | i | DefaultParam.cs:4:5:6:5 | SSA phi(i) | DefaultParam.cs:3:42:3:42 | SSA param(i) | -| DefaultParam.cs:3:42:3:42 | i | DefaultParam.cs:4:5:6:5 | SSA phi(i) | DefaultParam.cs:3:46:3:46 | SSA param_default(i) | +| DefaultParam.cs:3:42:3:42 | i | DefaultParam.cs:4:5:6:5 | SSA phi(i) | DefaultParam.cs:3:46:3:46 | SSA def(i) | | Example.cs:8:9:8:18 | this.Field | Example.cs:10:9:13:24 | SSA phi(this.Field) | Example.cs:11:13:11:30 | SSA def(this.Field) | | Example.cs:8:9:8:18 | this.Field | Example.cs:10:9:13:24 | SSA phi(this.Field) | Example.cs:12:14:13:24 | SSA phi(this.Field) | | Example.cs:8:9:8:18 | this.Field | Example.cs:12:14:13:24 | SSA phi(this.Field) | Example.cs:8:9:8:22 | SSA def(this.Field) | diff --git a/csharp/ql/test/library-tests/dataflow/ssa/SsaDef.expected b/csharp/ql/test/library-tests/dataflow/ssa/SsaDef.expected index 507ff8b2b6e..1e185b8456f 100644 --- a/csharp/ql/test/library-tests/dataflow/ssa/SsaDef.expected +++ b/csharp/ql/test/library-tests/dataflow/ssa/SsaDef.expected @@ -36,7 +36,7 @@ | Consistency.cs:7:25:7:25 | b | Consistency.cs:7:25:7:25 | SSA param(b) | | Consistency.cs:15:17:15:17 | i | Consistency.cs:15:17:15:21 | SSA def(i) | | Consistency.cs:25:29:25:29 | c | Consistency.cs:25:29:25:29 | SSA def(c) | -| Consistency.cs:26:13:26:19 | c.Field | Consistency.cs:25:29:25:29 | SSA qualifier def(c.Field) | +| Consistency.cs:26:13:26:19 | c.Field | Consistency.cs:25:9:25:30 | SSA qualifier def(c.Field) | | Consistency.cs:30:30:30:30 | c | Consistency.cs:32:9:32:29 | SSA def(c) | | Consistency.cs:44:11:44:11 | s | Consistency.cs:44:11:44:11 | SSA def(s) | | Consistency.cs:49:30:49:30 | a | Consistency.cs:49:30:49:30 | SSA param(a) | @@ -95,10 +95,10 @@ | DefUse.cs:188:13:188:18 | this.Field5 | DefUse.cs:188:13:188:22 | SSA def(this.Field5) | | DefaultParam.cs:3:20:3:20 | b | DefaultParam.cs:3:20:3:20 | SSA param(b) | | DefaultParam.cs:3:30:3:30 | s | DefaultParam.cs:3:30:3:30 | SSA param(s) | -| DefaultParam.cs:3:30:3:30 | s | DefaultParam.cs:3:34:3:35 | SSA param_default(s) | +| DefaultParam.cs:3:30:3:30 | s | DefaultParam.cs:3:34:3:35 | SSA def(s) | | DefaultParam.cs:3:30:3:30 | s | DefaultParam.cs:3:42:3:42 | SSA phi(s) | | DefaultParam.cs:3:42:3:42 | i | DefaultParam.cs:3:42:3:42 | SSA param(i) | -| DefaultParam.cs:3:42:3:42 | i | DefaultParam.cs:3:46:3:46 | SSA param_default(i) | +| DefaultParam.cs:3:42:3:42 | i | DefaultParam.cs:3:46:3:46 | SSA def(i) | | DefaultParam.cs:3:42:3:42 | i | DefaultParam.cs:4:5:6:5 | SSA phi(i) | | Example.cs:6:23:6:23 | i | Example.cs:6:23:6:23 | SSA param(i) | | Example.cs:8:9:8:18 | this.Field | Example.cs:8:9:8:22 | SSA def(this.Field) | @@ -162,9 +162,9 @@ | Fields.cs:107:33:107:33 | f | Fields.cs:107:33:107:33 | SSA param(f) | | Fields.cs:115:20:115:29 | this.Field | Fields.cs:109:10:109:10 | SSA entry def(this.Field) | | Fields.cs:115:20:115:29 | this.Field | Fields.cs:114:9:114:22 | SSA call def(this.Field) | -| Fields.cs:115:20:115:35 | this.Field.Field | Fields.cs:109:10:109:10 | SSA qualifier def(this.Field.Field) | +| Fields.cs:115:20:115:35 | this.Field.Field | Fields.cs:109:10:109:10 | SSA entry def(this.Field.Field) | | Fields.cs:115:20:115:35 | this.Field.Field | Fields.cs:114:9:114:22 | SSA call def(this.Field.Field) | -| Fields.cs:116:21:116:39 | this.Field.Field.xs | Fields.cs:109:10:109:10 | SSA qualifier def(this.Field.Field.xs) | +| Fields.cs:116:21:116:39 | this.Field.Field.xs | Fields.cs:109:10:109:10 | SSA entry def(this.Field.Field.xs) | | Fields.cs:116:21:116:39 | this.Field.Field.xs | Fields.cs:114:9:114:22 | SSA qualifier def(this.Field.Field.xs) | | MultiImplementationA.cs:5:22:5:22 | x | MultiImplementationA.cs:5:22:5:22 | SSA param(x) | | MultiImplementationA.cs:5:22:5:22 | x | MultiImplementationB.cs:3:22:3:22 | SSA param(x) | @@ -245,9 +245,9 @@ | Properties.cs:106:37:106:37 | p | Properties.cs:106:37:106:37 | SSA param(p) | | Properties.cs:114:20:114:29 | this.Props | Properties.cs:108:10:108:10 | SSA entry def(this.Props) | | Properties.cs:114:20:114:29 | this.Props | Properties.cs:113:9:113:22 | SSA call def(this.Props) | -| Properties.cs:114:20:114:35 | this.Props.Props | Properties.cs:108:10:108:10 | SSA qualifier def(this.Props.Props) | +| Properties.cs:114:20:114:35 | this.Props.Props | Properties.cs:108:10:108:10 | SSA entry def(this.Props.Props) | | Properties.cs:114:20:114:35 | this.Props.Props | Properties.cs:113:9:113:22 | SSA call def(this.Props.Props) | -| Properties.cs:115:21:115:39 | this.Props.Props.xs | Properties.cs:108:10:108:10 | SSA qualifier def(this.Props.Props.xs) | +| Properties.cs:115:21:115:39 | this.Props.Props.xs | Properties.cs:108:10:108:10 | SSA entry def(this.Props.Props.xs) | | Properties.cs:115:21:115:39 | this.Props.Props.xs | Properties.cs:113:9:113:22 | SSA qualifier def(this.Props.Props.xs) | | Test.cs:5:15:5:20 | param1 | Test.cs:5:15:5:20 | SSA param(param1) | | Test.cs:5:15:5:20 | param1 | Test.cs:25:9:32:9 | SSA phi(param1) | diff --git a/csharp/ql/test/library-tests/dataflow/ssa/SsaExplicitDef.expected b/csharp/ql/test/library-tests/dataflow/ssa/SsaExplicitDef.expected index 9a2e5c49b15..1d8a06035dc 100644 --- a/csharp/ql/test/library-tests/dataflow/ssa/SsaExplicitDef.expected +++ b/csharp/ql/test/library-tests/dataflow/ssa/SsaExplicitDef.expected @@ -77,9 +77,9 @@ | DefUse.cs:188:13:188:18 | this.Field5 | DefUse.cs:188:13:188:22 | SSA def(this.Field5) | DefUse.cs:188:13:188:22 | ... = ... | | DefaultParam.cs:3:20:3:20 | b | DefaultParam.cs:3:20:3:20 | SSA param(b) | DefaultParam.cs:3:20:3:20 | b | | DefaultParam.cs:3:30:3:30 | s | DefaultParam.cs:3:30:3:30 | SSA param(s) | DefaultParam.cs:3:30:3:30 | s | -| DefaultParam.cs:3:30:3:30 | s | DefaultParam.cs:3:34:3:35 | SSA param_default(s) | DefaultParam.cs:3:34:3:35 | s = ... | +| DefaultParam.cs:3:30:3:30 | s | DefaultParam.cs:3:34:3:35 | SSA def(s) | DefaultParam.cs:3:34:3:35 | s = ... | | DefaultParam.cs:3:42:3:42 | i | DefaultParam.cs:3:42:3:42 | SSA param(i) | DefaultParam.cs:3:42:3:42 | i | -| DefaultParam.cs:3:42:3:42 | i | DefaultParam.cs:3:46:3:46 | SSA param_default(i) | DefaultParam.cs:3:46:3:46 | i = ... | +| DefaultParam.cs:3:42:3:42 | i | DefaultParam.cs:3:46:3:46 | SSA def(i) | DefaultParam.cs:3:46:3:46 | i = ... | | Example.cs:6:23:6:23 | i | Example.cs:6:23:6:23 | SSA param(i) | Example.cs:6:23:6:23 | i | | Example.cs:8:9:8:18 | this.Field | Example.cs:8:9:8:22 | SSA def(this.Field) | Example.cs:8:9:8:22 | ... = ... | | Example.cs:8:9:8:18 | this.Field | Example.cs:11:13:11:30 | SSA def(this.Field) | Example.cs:11:13:11:30 | ... = ... | @@ -105,6 +105,8 @@ | Fields.cs:97:9:97:15 | f.Field | Fields.cs:97:9:97:30 | SSA def(f.Field) | Fields.cs:97:9:97:30 | ... = ... | | Fields.cs:102:9:102:18 | this.Field | Fields.cs:102:9:102:28 | SSA def(this.Field) | Fields.cs:102:9:102:28 | ... = ... | | Fields.cs:107:33:107:33 | f | Fields.cs:107:33:107:33 | SSA param(f) | Fields.cs:107:33:107:33 | f | +| MultiImplementationA.cs:5:22:5:22 | x | MultiImplementationA.cs:5:22:5:22 | SSA param(x) | MultiImplementationA.cs:5:22:5:22 | x | +| MultiImplementationA.cs:5:22:5:22 | x | MultiImplementationB.cs:3:22:3:22 | SSA param(x) | MultiImplementationA.cs:5:22:5:22 | x | | OutRef.cs:9:13:9:13 | j | OutRef.cs:9:13:9:17 | SSA def(j) | OutRef.cs:9:13:9:17 | Int32 j = ... | | OutRef.cs:9:13:9:13 | j | OutRef.cs:10:32:10:32 | SSA def(j) | OutRef.cs:10:32:10:32 | access to local variable j | | OutRef.cs:9:13:9:13 | j | OutRef.cs:22:22:22:22 | SSA def(j) | OutRef.cs:22:22:22:22 | access to local variable j | diff --git a/csharp/ql/test/library-tests/dataflow/ssa/SsaImplicitQualifier.expected b/csharp/ql/test/library-tests/dataflow/ssa/SsaImplicitQualifier.expected index c64c419cb48..f4b936fa530 100644 --- a/csharp/ql/test/library-tests/dataflow/ssa/SsaImplicitQualifier.expected +++ b/csharp/ql/test/library-tests/dataflow/ssa/SsaImplicitQualifier.expected @@ -1,15 +1,11 @@ -| Consistency.cs:26:13:26:19 | c.Field | Consistency.cs:25:29:25:29 | SSA qualifier def(c.Field) | Consistency.cs:25:29:25:29 | SSA def(c) | +| Consistency.cs:26:13:26:19 | c.Field | Consistency.cs:25:9:25:30 | SSA qualifier def(c.Field) | Consistency.cs:25:29:25:29 | SSA def(c) | | Fields.cs:31:19:31:22 | f.xs | Fields.cs:30:13:30:28 | SSA qualifier def(f.xs) | Fields.cs:30:13:30:28 | SSA def(f) | | Fields.cs:31:19:31:22 | f.xs | Fields.cs:49:13:49:28 | SSA qualifier def(f.xs) | Fields.cs:49:13:49:28 | SSA def(f) | | Fields.cs:98:20:98:32 | f.Field.Field | Fields.cs:97:9:97:30 | SSA qualifier def(f.Field.Field) | Fields.cs:97:9:97:30 | SSA def(f.Field) | | Fields.cs:99:16:99:34 | f.Field.Field.Field | Fields.cs:97:9:97:30 | SSA qualifier def(f.Field.Field.Field) | Fields.cs:97:9:97:30 | SSA qualifier def(f.Field.Field) | | Fields.cs:100:16:100:40 | f.Field.Field.Field.Field | Fields.cs:97:9:97:30 | SSA qualifier def(f.Field.Field.Field.Field) | Fields.cs:97:9:97:30 | SSA qualifier def(f.Field.Field.Field) | -| Fields.cs:115:20:115:35 | this.Field.Field | Fields.cs:109:10:109:10 | SSA qualifier def(this.Field.Field) | Fields.cs:109:10:109:10 | SSA entry def(this.Field) | -| Fields.cs:116:21:116:39 | this.Field.Field.xs | Fields.cs:109:10:109:10 | SSA qualifier def(this.Field.Field.xs) | Fields.cs:109:10:109:10 | SSA qualifier def(this.Field.Field) | | Fields.cs:116:21:116:39 | this.Field.Field.xs | Fields.cs:114:9:114:22 | SSA qualifier def(this.Field.Field.xs) | Fields.cs:114:9:114:22 | SSA call def(this.Field.Field) | | OutRef.cs:19:32:19:38 | t.Field | OutRef.cs:18:13:18:28 | SSA qualifier def(t.Field) | OutRef.cs:18:13:18:28 | SSA def(t) | | Properties.cs:31:19:31:22 | f.xs | Properties.cs:30:13:30:32 | SSA qualifier def(f.xs) | Properties.cs:30:13:30:32 | SSA def(f) | | Properties.cs:31:19:31:22 | f.xs | Properties.cs:49:13:49:32 | SSA qualifier def(f.xs) | Properties.cs:49:13:49:32 | SSA def(f) | -| Properties.cs:114:20:114:35 | this.Props.Props | Properties.cs:108:10:108:10 | SSA qualifier def(this.Props.Props) | Properties.cs:108:10:108:10 | SSA entry def(this.Props) | -| Properties.cs:115:21:115:39 | this.Props.Props.xs | Properties.cs:108:10:108:10 | SSA qualifier def(this.Props.Props.xs) | Properties.cs:108:10:108:10 | SSA qualifier def(this.Props.Props) | | Properties.cs:115:21:115:39 | this.Props.Props.xs | Properties.cs:113:9:113:22 | SSA qualifier def(this.Props.Props.xs) | Properties.cs:113:9:113:22 | SSA call def(this.Props.Props) | diff --git a/csharp/ql/test/library-tests/dataflow/ssa/SsaRead.expected b/csharp/ql/test/library-tests/dataflow/ssa/SsaRead.expected index 88ed6233672..f82cab61409 100644 --- a/csharp/ql/test/library-tests/dataflow/ssa/SsaRead.expected +++ b/csharp/ql/test/library-tests/dataflow/ssa/SsaRead.expected @@ -37,8 +37,8 @@ | Consistency.cs:15:17:15:17 | i | Consistency.cs:15:17:15:21 | SSA def(i) | Consistency.cs:16:17:16:17 | access to local variable i | | Consistency.cs:25:29:25:29 | c | Consistency.cs:25:29:25:29 | SSA def(c) | Consistency.cs:26:13:26:13 | access to local variable c | | Consistency.cs:25:29:25:29 | c | Consistency.cs:25:29:25:29 | SSA def(c) | Consistency.cs:27:13:27:13 | access to local variable c | -| Consistency.cs:26:13:26:19 | c.Field | Consistency.cs:25:29:25:29 | SSA qualifier def(c.Field) | Consistency.cs:26:13:26:19 | access to field Field | -| Consistency.cs:26:13:26:19 | c.Field | Consistency.cs:25:29:25:29 | SSA qualifier def(c.Field) | Consistency.cs:27:13:27:19 | access to field Field | +| Consistency.cs:26:13:26:19 | c.Field | Consistency.cs:25:9:25:30 | SSA qualifier def(c.Field) | Consistency.cs:26:13:26:19 | access to field Field | +| Consistency.cs:26:13:26:19 | c.Field | Consistency.cs:25:9:25:30 | SSA qualifier def(c.Field) | Consistency.cs:27:13:27:19 | access to field Field | | Consistency.cs:30:30:30:30 | c | Consistency.cs:32:9:32:29 | SSA def(c) | Consistency.cs:33:9:33:9 | access to parameter c | | Consistency.cs:44:11:44:11 | s | Consistency.cs:44:11:44:11 | SSA def(s) | Consistency.cs:45:9:45:9 | access to local variable s | | Consistency.cs:44:11:44:11 | s | Consistency.cs:44:11:44:11 | SSA def(s) | Consistency.cs:46:13:46:13 | access to local variable s | diff --git a/csharp/ql/test/library-tests/dataflow/ssa/SsaUltimateDef.expected b/csharp/ql/test/library-tests/dataflow/ssa/SsaUltimateDef.expected index 00bacccf157..a34b470ccdc 100644 --- a/csharp/ql/test/library-tests/dataflow/ssa/SsaUltimateDef.expected +++ b/csharp/ql/test/library-tests/dataflow/ssa/SsaUltimateDef.expected @@ -36,7 +36,7 @@ | Consistency.cs:7:25:7:25 | b | Consistency.cs:7:25:7:25 | SSA param(b) | Consistency.cs:7:25:7:25 | SSA param(b) | | Consistency.cs:15:17:15:17 | i | Consistency.cs:15:17:15:21 | SSA def(i) | Consistency.cs:15:17:15:21 | SSA def(i) | | Consistency.cs:25:29:25:29 | c | Consistency.cs:25:29:25:29 | SSA def(c) | Consistency.cs:25:29:25:29 | SSA def(c) | -| Consistency.cs:26:13:26:19 | c.Field | Consistency.cs:25:29:25:29 | SSA qualifier def(c.Field) | Consistency.cs:25:29:25:29 | SSA qualifier def(c.Field) | +| Consistency.cs:26:13:26:19 | c.Field | Consistency.cs:25:9:25:30 | SSA qualifier def(c.Field) | Consistency.cs:25:9:25:30 | SSA qualifier def(c.Field) | | Consistency.cs:30:30:30:30 | c | Consistency.cs:32:9:32:29 | SSA def(c) | Consistency.cs:32:9:32:29 | SSA def(c) | | Consistency.cs:44:11:44:11 | s | Consistency.cs:44:11:44:11 | SSA def(s) | Consistency.cs:44:11:44:11 | SSA def(s) | | Consistency.cs:49:30:49:30 | a | Consistency.cs:49:30:49:30 | SSA param(a) | Consistency.cs:49:30:49:30 | SSA param(a) | @@ -101,13 +101,13 @@ | DefUse.cs:188:13:188:18 | this.Field5 | DefUse.cs:188:13:188:22 | SSA def(this.Field5) | DefUse.cs:188:13:188:22 | SSA def(this.Field5) | | DefaultParam.cs:3:20:3:20 | b | DefaultParam.cs:3:20:3:20 | SSA param(b) | DefaultParam.cs:3:20:3:20 | SSA param(b) | | DefaultParam.cs:3:30:3:30 | s | DefaultParam.cs:3:30:3:30 | SSA param(s) | DefaultParam.cs:3:30:3:30 | SSA param(s) | -| DefaultParam.cs:3:30:3:30 | s | DefaultParam.cs:3:34:3:35 | SSA param_default(s) | DefaultParam.cs:3:34:3:35 | SSA param_default(s) | +| DefaultParam.cs:3:30:3:30 | s | DefaultParam.cs:3:34:3:35 | SSA def(s) | DefaultParam.cs:3:34:3:35 | SSA def(s) | | DefaultParam.cs:3:30:3:30 | s | DefaultParam.cs:3:42:3:42 | SSA phi(s) | DefaultParam.cs:3:30:3:30 | SSA param(s) | -| DefaultParam.cs:3:30:3:30 | s | DefaultParam.cs:3:42:3:42 | SSA phi(s) | DefaultParam.cs:3:34:3:35 | SSA param_default(s) | +| DefaultParam.cs:3:30:3:30 | s | DefaultParam.cs:3:42:3:42 | SSA phi(s) | DefaultParam.cs:3:34:3:35 | SSA def(s) | | DefaultParam.cs:3:42:3:42 | i | DefaultParam.cs:3:42:3:42 | SSA param(i) | DefaultParam.cs:3:42:3:42 | SSA param(i) | -| DefaultParam.cs:3:42:3:42 | i | DefaultParam.cs:3:46:3:46 | SSA param_default(i) | DefaultParam.cs:3:46:3:46 | SSA param_default(i) | +| DefaultParam.cs:3:42:3:42 | i | DefaultParam.cs:3:46:3:46 | SSA def(i) | DefaultParam.cs:3:46:3:46 | SSA def(i) | | DefaultParam.cs:3:42:3:42 | i | DefaultParam.cs:4:5:6:5 | SSA phi(i) | DefaultParam.cs:3:42:3:42 | SSA param(i) | -| DefaultParam.cs:3:42:3:42 | i | DefaultParam.cs:4:5:6:5 | SSA phi(i) | DefaultParam.cs:3:46:3:46 | SSA param_default(i) | +| DefaultParam.cs:3:42:3:42 | i | DefaultParam.cs:4:5:6:5 | SSA phi(i) | DefaultParam.cs:3:46:3:46 | SSA def(i) | | Example.cs:6:23:6:23 | i | Example.cs:6:23:6:23 | SSA param(i) | Example.cs:6:23:6:23 | SSA param(i) | | Example.cs:8:9:8:18 | this.Field | Example.cs:8:9:8:22 | SSA def(this.Field) | Example.cs:8:9:8:22 | SSA def(this.Field) | | Example.cs:8:9:8:18 | this.Field | Example.cs:10:9:13:24 | SSA phi(this.Field) | Example.cs:8:9:8:22 | SSA def(this.Field) | @@ -210,11 +210,11 @@ | Fields.cs:115:20:115:29 | this.Field | Fields.cs:109:10:109:10 | SSA entry def(this.Field) | Fields.cs:109:10:109:10 | SSA entry def(this.Field) | | Fields.cs:115:20:115:29 | this.Field | Fields.cs:114:9:114:22 | SSA call def(this.Field) | Fields.cs:109:10:109:10 | SSA entry def(this.Field) | | Fields.cs:115:20:115:29 | this.Field | Fields.cs:114:9:114:22 | SSA call def(this.Field) | Fields.cs:114:9:114:22 | SSA call def(this.Field) | -| Fields.cs:115:20:115:35 | this.Field.Field | Fields.cs:109:10:109:10 | SSA qualifier def(this.Field.Field) | Fields.cs:109:10:109:10 | SSA qualifier def(this.Field.Field) | -| Fields.cs:115:20:115:35 | this.Field.Field | Fields.cs:114:9:114:22 | SSA call def(this.Field.Field) | Fields.cs:109:10:109:10 | SSA qualifier def(this.Field.Field) | +| Fields.cs:115:20:115:35 | this.Field.Field | Fields.cs:109:10:109:10 | SSA entry def(this.Field.Field) | Fields.cs:109:10:109:10 | SSA entry def(this.Field.Field) | +| Fields.cs:115:20:115:35 | this.Field.Field | Fields.cs:114:9:114:22 | SSA call def(this.Field.Field) | Fields.cs:109:10:109:10 | SSA entry def(this.Field.Field) | | Fields.cs:115:20:115:35 | this.Field.Field | Fields.cs:114:9:114:22 | SSA call def(this.Field.Field) | Fields.cs:114:9:114:22 | SSA call def(this.Field.Field) | -| Fields.cs:116:21:116:39 | this.Field.Field.xs | Fields.cs:109:10:109:10 | SSA qualifier def(this.Field.Field.xs) | Fields.cs:109:10:109:10 | SSA qualifier def(this.Field.Field.xs) | -| Fields.cs:116:21:116:39 | this.Field.Field.xs | Fields.cs:114:9:114:22 | SSA qualifier def(this.Field.Field.xs) | Fields.cs:109:10:109:10 | SSA qualifier def(this.Field.Field.xs) | +| Fields.cs:116:21:116:39 | this.Field.Field.xs | Fields.cs:109:10:109:10 | SSA entry def(this.Field.Field.xs) | Fields.cs:109:10:109:10 | SSA entry def(this.Field.Field.xs) | +| Fields.cs:116:21:116:39 | this.Field.Field.xs | Fields.cs:114:9:114:22 | SSA qualifier def(this.Field.Field.xs) | Fields.cs:109:10:109:10 | SSA entry def(this.Field.Field.xs) | | Fields.cs:116:21:116:39 | this.Field.Field.xs | Fields.cs:114:9:114:22 | SSA qualifier def(this.Field.Field.xs) | Fields.cs:114:9:114:22 | SSA qualifier def(this.Field.Field.xs) | | MultiImplementationA.cs:5:22:5:22 | x | MultiImplementationA.cs:5:22:5:22 | SSA param(x) | MultiImplementationA.cs:5:22:5:22 | SSA param(x) | | MultiImplementationA.cs:5:22:5:22 | x | MultiImplementationB.cs:3:22:3:22 | SSA param(x) | MultiImplementationB.cs:3:22:3:22 | SSA param(x) | @@ -333,11 +333,11 @@ | Properties.cs:114:20:114:29 | this.Props | Properties.cs:108:10:108:10 | SSA entry def(this.Props) | Properties.cs:108:10:108:10 | SSA entry def(this.Props) | | Properties.cs:114:20:114:29 | this.Props | Properties.cs:113:9:113:22 | SSA call def(this.Props) | Properties.cs:108:10:108:10 | SSA entry def(this.Props) | | Properties.cs:114:20:114:29 | this.Props | Properties.cs:113:9:113:22 | SSA call def(this.Props) | Properties.cs:113:9:113:22 | SSA call def(this.Props) | -| Properties.cs:114:20:114:35 | this.Props.Props | Properties.cs:108:10:108:10 | SSA qualifier def(this.Props.Props) | Properties.cs:108:10:108:10 | SSA qualifier def(this.Props.Props) | -| Properties.cs:114:20:114:35 | this.Props.Props | Properties.cs:113:9:113:22 | SSA call def(this.Props.Props) | Properties.cs:108:10:108:10 | SSA qualifier def(this.Props.Props) | +| Properties.cs:114:20:114:35 | this.Props.Props | Properties.cs:108:10:108:10 | SSA entry def(this.Props.Props) | Properties.cs:108:10:108:10 | SSA entry def(this.Props.Props) | +| Properties.cs:114:20:114:35 | this.Props.Props | Properties.cs:113:9:113:22 | SSA call def(this.Props.Props) | Properties.cs:108:10:108:10 | SSA entry def(this.Props.Props) | | Properties.cs:114:20:114:35 | this.Props.Props | Properties.cs:113:9:113:22 | SSA call def(this.Props.Props) | Properties.cs:113:9:113:22 | SSA call def(this.Props.Props) | -| Properties.cs:115:21:115:39 | this.Props.Props.xs | Properties.cs:108:10:108:10 | SSA qualifier def(this.Props.Props.xs) | Properties.cs:108:10:108:10 | SSA qualifier def(this.Props.Props.xs) | -| Properties.cs:115:21:115:39 | this.Props.Props.xs | Properties.cs:113:9:113:22 | SSA qualifier def(this.Props.Props.xs) | Properties.cs:108:10:108:10 | SSA qualifier def(this.Props.Props.xs) | +| Properties.cs:115:21:115:39 | this.Props.Props.xs | Properties.cs:108:10:108:10 | SSA entry def(this.Props.Props.xs) | Properties.cs:108:10:108:10 | SSA entry def(this.Props.Props.xs) | +| Properties.cs:115:21:115:39 | this.Props.Props.xs | Properties.cs:113:9:113:22 | SSA qualifier def(this.Props.Props.xs) | Properties.cs:108:10:108:10 | SSA entry def(this.Props.Props.xs) | | Properties.cs:115:21:115:39 | this.Props.Props.xs | Properties.cs:113:9:113:22 | SSA qualifier def(this.Props.Props.xs) | Properties.cs:113:9:113:22 | SSA qualifier def(this.Props.Props.xs) | | Test.cs:5:15:5:20 | param1 | Test.cs:5:15:5:20 | SSA param(param1) | Test.cs:5:15:5:20 | SSA param(param1) | | Test.cs:5:15:5:20 | param1 | Test.cs:25:9:32:9 | SSA phi(param1) | Test.cs:5:15:5:20 | SSA param(param1) | From e012981e5b559c5f2ae43f7610a390e0e973fdf0 Mon Sep 17 00:00:00 2001 From: Anders Schack-Mulligen Date: Fri, 1 May 2026 10:32:18 +0200 Subject: [PATCH 37/46] C#: Accept test changes for out/ref SSA location changes. --- .../csharp7/LocalTaintFlow.expected | 16 ++-- .../dataflow/local/DataFlowStep.expected | 76 +++++++++---------- .../dataflow/local/TaintTrackingStep.expected | 76 +++++++++---------- .../dataflow/ssa/SSAPhi.expected | 2 +- .../dataflow/ssa/SsaDef.expected | 32 ++++---- .../dataflow/ssa/SsaExplicitDef.expected | 36 ++++----- .../ssa/SsaImplicitQualifier.expected | 2 +- .../dataflow/ssa/SsaRead.expected | 42 +++++----- .../dataflow/ssa/SsaUltimateDef.expected | 36 ++++----- 9 files changed, 159 insertions(+), 159 deletions(-) diff --git a/csharp/ql/test/library-tests/csharp7/LocalTaintFlow.expected b/csharp/ql/test/library-tests/csharp7/LocalTaintFlow.expected index 61693ac518e..e2d3b18e036 100644 --- a/csharp/ql/test/library-tests/csharp7/LocalTaintFlow.expected +++ b/csharp/ql/test/library-tests/csharp7/LocalTaintFlow.expected @@ -35,23 +35,23 @@ | CSharp7.cs:44:9:44:9 | access to parameter y | CSharp7.cs:44:9:44:13 | SSA def(y) | | CSharp7.cs:44:13:44:13 | access to parameter x | CSharp7.cs:44:9:44:9 | access to parameter y | | CSharp7.cs:47:10:47:10 | this | CSharp7.cs:49:9:49:24 | this access | +| CSharp7.cs:49:9:49:24 | SSA def(t1) | CSharp7.cs:51:18:51:19 | access to local variable t1 | | CSharp7.cs:49:9:49:24 | [post] this access | CSharp7.cs:50:9:50:21 | this access | | CSharp7.cs:49:9:49:24 | this access | CSharp7.cs:50:9:50:21 | this access | -| CSharp7.cs:49:22:49:23 | SSA def(t1) | CSharp7.cs:51:18:51:19 | access to local variable t1 | -| CSharp7.cs:49:22:49:23 | String t1 | CSharp7.cs:49:22:49:23 | SSA def(t1) | +| CSharp7.cs:49:22:49:23 | String t1 | CSharp7.cs:49:9:49:24 | SSA def(t1) | +| CSharp7.cs:50:9:50:21 | SSA def(t2) | CSharp7.cs:54:14:54:15 | access to local variable t2 | | CSharp7.cs:50:9:50:21 | [post] this access | CSharp7.cs:52:9:52:17 | this access | | CSharp7.cs:50:9:50:21 | this access | CSharp7.cs:52:9:52:17 | this access | -| CSharp7.cs:50:19:50:20 | SSA def(t2) | CSharp7.cs:54:14:54:15 | access to local variable t2 | -| CSharp7.cs:50:19:50:20 | String t2 | CSharp7.cs:50:19:50:20 | SSA def(t2) | +| CSharp7.cs:50:19:50:20 | String t2 | CSharp7.cs:50:9:50:21 | SSA def(t2) | | CSharp7.cs:51:18:51:19 | access to local variable t1 | CSharp7.cs:51:13:51:14 | access to local variable t3 | +| CSharp7.cs:52:9:52:17 | SSA def(t1) | CSharp7.cs:53:14:53:15 | access to local variable t1 | | CSharp7.cs:52:9:52:17 | [post] this access | CSharp7.cs:55:9:55:32 | this access | | CSharp7.cs:52:9:52:17 | this access | CSharp7.cs:55:9:55:32 | this access | -| CSharp7.cs:52:15:52:16 | SSA def(t1) | CSharp7.cs:53:14:53:15 | access to local variable t1 | -| CSharp7.cs:52:15:52:16 | access to local variable t1 | CSharp7.cs:52:15:52:16 | SSA def(t1) | +| CSharp7.cs:52:15:52:16 | access to local variable t1 | CSharp7.cs:52:9:52:17 | SSA def(t1) | | CSharp7.cs:53:14:53:15 | access to local variable t1 | CSharp7.cs:53:9:53:10 | access to local variable t3 | | CSharp7.cs:54:14:54:15 | access to local variable t2 | CSharp7.cs:54:9:54:10 | access to local variable t3 | -| CSharp7.cs:55:30:55:31 | SSA def(t4) | CSharp7.cs:56:18:56:19 | access to local variable t4 | -| CSharp7.cs:55:30:55:31 | String t4 | CSharp7.cs:55:30:55:31 | SSA def(t4) | +| CSharp7.cs:55:9:55:32 | SSA def(t4) | CSharp7.cs:56:18:56:19 | access to local variable t4 | +| CSharp7.cs:55:30:55:31 | String t4 | CSharp7.cs:55:9:55:32 | SSA def(t4) | | CSharp7.cs:56:18:56:19 | access to local variable t4 | CSharp7.cs:56:13:56:14 | access to local variable t5 | | CSharp7.cs:60:7:60:12 | this | CSharp7.cs:60:7:60:12 | this access | | CSharp7.cs:67:10:67:20 | this | CSharp7.cs:69:26:69:28 | this access | diff --git a/csharp/ql/test/library-tests/dataflow/local/DataFlowStep.expected b/csharp/ql/test/library-tests/dataflow/local/DataFlowStep.expected index 3efa55f0ca4..2a88f163a3a 100644 --- a/csharp/ql/test/library-tests/dataflow/local/DataFlowStep.expected +++ b/csharp/ql/test/library-tests/dataflow/local/DataFlowStep.expected @@ -629,14 +629,14 @@ | SSA.cs:58:16:58:33 | SSA def(ssaSink3) | SSA.cs:59:23:59:30 | access to local variable ssaSink3 | | SSA.cs:58:27:58:33 | access to parameter tainted | SSA.cs:58:16:58:23 | access to local variable ssaSink3 | | SSA.cs:58:27:58:33 | access to parameter tainted | SSA.cs:67:32:67:38 | access to parameter tainted | -| SSA.cs:59:23:59:30 | SSA def(ssaSink3) | SSA.cs:60:15:60:22 | access to local variable ssaSink3 | -| SSA.cs:59:23:59:30 | [post] access to local variable ssaSink3 | SSA.cs:59:23:59:30 | SSA def(ssaSink3) | -| SSA.cs:59:23:59:30 | access to local variable ssaSink3 | SSA.cs:59:23:59:30 | SSA def(ssaSink3) | -| SSA.cs:59:23:59:30 | access to local variable ssaSink3 | SSA.cs:59:23:59:30 | SSA def(ssaSink3) | -| SSA.cs:63:23:63:30 | SSA def(nonSink0) | SSA.cs:64:15:64:22 | access to local variable nonSink0 | -| SSA.cs:63:23:63:30 | [post] access to local variable nonSink0 | SSA.cs:63:23:63:30 | SSA def(nonSink0) | -| SSA.cs:63:23:63:30 | access to local variable nonSink0 | SSA.cs:63:23:63:30 | SSA def(nonSink0) | -| SSA.cs:63:23:63:30 | access to local variable nonSink0 | SSA.cs:63:23:63:30 | SSA def(nonSink0) | +| SSA.cs:59:9:59:31 | SSA def(ssaSink3) | SSA.cs:60:15:60:22 | access to local variable ssaSink3 | +| SSA.cs:59:23:59:30 | [post] access to local variable ssaSink3 | SSA.cs:59:9:59:31 | SSA def(ssaSink3) | +| SSA.cs:59:23:59:30 | access to local variable ssaSink3 | SSA.cs:59:9:59:31 | SSA def(ssaSink3) | +| SSA.cs:59:23:59:30 | access to local variable ssaSink3 | SSA.cs:59:9:59:31 | SSA def(ssaSink3) | +| SSA.cs:63:9:63:31 | SSA def(nonSink0) | SSA.cs:64:15:64:22 | access to local variable nonSink0 | +| SSA.cs:63:23:63:30 | [post] access to local variable nonSink0 | SSA.cs:63:9:63:31 | SSA def(nonSink0) | +| SSA.cs:63:23:63:30 | access to local variable nonSink0 | SSA.cs:63:9:63:31 | SSA def(nonSink0) | +| SSA.cs:63:23:63:30 | access to local variable nonSink0 | SSA.cs:63:9:63:31 | SSA def(nonSink0) | | SSA.cs:67:9:67:12 | [post] this access | SSA.cs:68:23:68:26 | this access | | SSA.cs:67:9:67:12 | this access | SSA.cs:68:23:68:26 | this access | | SSA.cs:67:9:67:14 | [post] access to field S | SSA.cs:68:23:68:28 | access to field S | @@ -645,13 +645,13 @@ | SSA.cs:67:9:67:38 | SSA def(this.S.SsaFieldSink0) | SSA.cs:68:9:68:29 | SSA qualifier def(this.S.SsaFieldSink0) | | SSA.cs:67:32:67:38 | access to parameter tainted | SSA.cs:67:9:67:28 | access to field SsaFieldSink0 | | SSA.cs:67:32:67:38 | access to parameter tainted | SSA.cs:77:20:77:26 | access to parameter tainted | +| SSA.cs:68:9:68:29 | SSA def(this.S) | SSA.cs:69:15:69:20 | access to field S | | SSA.cs:68:9:68:29 | SSA qualifier def(this.S.SsaFieldSink0) | SSA.cs:69:15:69:34 | access to field SsaFieldSink0 | | SSA.cs:68:23:68:26 | [post] this access | SSA.cs:69:15:69:18 | this access | | SSA.cs:68:23:68:26 | this access | SSA.cs:69:15:69:18 | this access | -| SSA.cs:68:23:68:28 | SSA def(this.S) | SSA.cs:69:15:69:20 | access to field S | -| SSA.cs:68:23:68:28 | [post] access to field S | SSA.cs:68:23:68:28 | SSA def(this.S) | -| SSA.cs:68:23:68:28 | access to field S | SSA.cs:68:23:68:28 | SSA def(this.S) | -| SSA.cs:68:23:68:28 | access to field S | SSA.cs:68:23:68:28 | SSA def(this.S) | +| SSA.cs:68:23:68:28 | [post] access to field S | SSA.cs:68:9:68:29 | SSA def(this.S) | +| SSA.cs:68:23:68:28 | access to field S | SSA.cs:68:9:68:29 | SSA def(this.S) | +| SSA.cs:68:23:68:28 | access to field S | SSA.cs:68:9:68:29 | SSA def(this.S) | | SSA.cs:69:15:69:18 | [post] this access | SSA.cs:72:9:72:12 | this access | | SSA.cs:69:15:69:18 | this access | SSA.cs:72:9:72:12 | this access | | SSA.cs:69:15:69:20 | [post] access to field S | SSA.cs:72:9:72:14 | access to field S | @@ -663,13 +663,13 @@ | SSA.cs:72:9:72:31 | access to field SsaFieldNonSink0 | SSA.cs:72:9:72:36 | SSA def(this.S.SsaFieldNonSink0) | | SSA.cs:72:9:72:36 | SSA def(this.S.SsaFieldNonSink0) | SSA.cs:73:9:73:29 | SSA qualifier def(this.S.SsaFieldNonSink0) | | SSA.cs:72:35:72:36 | "" | SSA.cs:72:9:72:31 | access to field SsaFieldNonSink0 | +| SSA.cs:73:9:73:29 | SSA def(this.S) | SSA.cs:74:15:74:20 | access to field S | | SSA.cs:73:9:73:29 | SSA qualifier def(this.S.SsaFieldNonSink0) | SSA.cs:74:15:74:37 | access to field SsaFieldNonSink0 | | SSA.cs:73:23:73:26 | [post] this access | SSA.cs:74:15:74:18 | this access | | SSA.cs:73:23:73:26 | this access | SSA.cs:74:15:74:18 | this access | -| SSA.cs:73:23:73:28 | SSA def(this.S) | SSA.cs:74:15:74:20 | access to field S | -| SSA.cs:73:23:73:28 | [post] access to field S | SSA.cs:73:23:73:28 | SSA def(this.S) | -| SSA.cs:73:23:73:28 | access to field S | SSA.cs:73:23:73:28 | SSA def(this.S) | -| SSA.cs:73:23:73:28 | access to field S | SSA.cs:73:23:73:28 | SSA def(this.S) | +| SSA.cs:73:23:73:28 | [post] access to field S | SSA.cs:73:9:73:29 | SSA def(this.S) | +| SSA.cs:73:23:73:28 | access to field S | SSA.cs:73:9:73:29 | SSA def(this.S) | +| SSA.cs:73:23:73:28 | access to field S | SSA.cs:73:9:73:29 | SSA def(this.S) | | SSA.cs:74:15:74:18 | [post] this access | SSA.cs:80:9:80:12 | this access | | SSA.cs:74:15:74:18 | this access | SSA.cs:80:9:80:12 | this access | | SSA.cs:74:15:74:20 | [post] access to field S | SSA.cs:80:9:80:14 | access to field S | @@ -678,8 +678,8 @@ | SSA.cs:77:9:77:26 | SSA def(nonSink0) | SSA.cs:78:21:78:28 | access to local variable nonSink0 | | SSA.cs:77:20:77:26 | access to parameter tainted | SSA.cs:77:9:77:16 | access to local variable nonSink0 | | SSA.cs:77:20:77:26 | access to parameter tainted | SSA.cs:80:35:80:41 | access to parameter tainted | -| SSA.cs:78:21:78:28 | SSA def(nonSink0) | SSA.cs:79:15:79:22 | access to local variable nonSink0 | -| SSA.cs:78:21:78:28 | access to local variable nonSink0 | SSA.cs:78:21:78:28 | SSA def(nonSink0) | +| SSA.cs:78:9:78:29 | SSA def(nonSink0) | SSA.cs:79:15:79:22 | access to local variable nonSink0 | +| SSA.cs:78:21:78:28 | access to local variable nonSink0 | SSA.cs:78:9:78:29 | SSA def(nonSink0) | | SSA.cs:79:15:79:22 | [post] access to local variable nonSink0 | SSA.cs:102:13:102:33 | [input] SSA phi read(nonSink0) | | SSA.cs:79:15:79:22 | [post] access to local variable nonSink0 | SSA.cs:104:24:104:31 | access to local variable nonSink0 | | SSA.cs:79:15:79:22 | access to local variable nonSink0 | SSA.cs:102:13:102:33 | [input] SSA phi read(nonSink0) | @@ -690,11 +690,11 @@ | SSA.cs:80:9:80:14 | access to field S | SSA.cs:81:21:81:26 | access to field S | | SSA.cs:80:35:80:41 | access to parameter tainted | SSA.cs:80:9:80:31 | access to field SsaFieldNonSink0 | | SSA.cs:80:35:80:41 | access to parameter tainted | SSA.cs:83:35:83:41 | access to parameter tainted | +| SSA.cs:81:9:81:27 | SSA def(this.S) | SSA.cs:82:15:82:20 | access to field S | | SSA.cs:81:9:81:27 | SSA qualifier def(this.S.SsaFieldNonSink0) | SSA.cs:82:15:82:37 | access to field SsaFieldNonSink0 | | SSA.cs:81:21:81:24 | [post] this access | SSA.cs:82:15:82:18 | this access | | SSA.cs:81:21:81:24 | this access | SSA.cs:82:15:82:18 | this access | -| SSA.cs:81:21:81:26 | SSA def(this.S) | SSA.cs:82:15:82:20 | access to field S | -| SSA.cs:81:21:81:26 | access to field S | SSA.cs:81:21:81:26 | SSA def(this.S) | +| SSA.cs:81:21:81:26 | access to field S | SSA.cs:81:9:81:27 | SSA def(this.S) | | SSA.cs:82:15:82:18 | [post] this access | SSA.cs:83:9:83:12 | this access | | SSA.cs:82:15:82:18 | this access | SSA.cs:83:9:83:12 | this access | | SSA.cs:82:15:82:20 | [post] access to field S | SSA.cs:83:9:83:14 | access to field S | @@ -731,10 +731,10 @@ | SSA.cs:93:21:93:28 | access to local variable ssaSink4 | SSA.cs:97:23:97:30 | access to local variable ssaSink4 | | SSA.cs:95:21:95:28 | [post] access to local variable ssaSink4 | SSA.cs:97:23:97:30 | access to local variable ssaSink4 | | SSA.cs:95:21:95:28 | access to local variable ssaSink4 | SSA.cs:97:23:97:30 | access to local variable ssaSink4 | -| SSA.cs:97:23:97:30 | SSA def(ssaSink4) | SSA.cs:98:15:98:22 | access to local variable ssaSink4 | -| SSA.cs:97:23:97:30 | [post] access to local variable ssaSink4 | SSA.cs:97:23:97:30 | SSA def(ssaSink4) | -| SSA.cs:97:23:97:30 | access to local variable ssaSink4 | SSA.cs:97:23:97:30 | SSA def(ssaSink4) | -| SSA.cs:97:23:97:30 | access to local variable ssaSink4 | SSA.cs:97:23:97:30 | SSA def(ssaSink4) | +| SSA.cs:97:9:97:31 | SSA def(ssaSink4) | SSA.cs:98:15:98:22 | access to local variable ssaSink4 | +| SSA.cs:97:23:97:30 | [post] access to local variable ssaSink4 | SSA.cs:97:9:97:31 | SSA def(ssaSink4) | +| SSA.cs:97:23:97:30 | access to local variable ssaSink4 | SSA.cs:97:9:97:31 | SSA def(ssaSink4) | +| SSA.cs:97:23:97:30 | access to local variable ssaSink4 | SSA.cs:97:9:97:31 | SSA def(ssaSink4) | | SSA.cs:101:16:101:23 | access to local variable nonSink3 | SSA.cs:101:16:101:28 | SSA def(nonSink3) | | SSA.cs:101:16:101:28 | SSA def(nonSink3) | SSA.cs:110:23:110:30 | access to local variable nonSink3 | | SSA.cs:101:27:101:28 | "" | SSA.cs:101:16:101:23 | access to local variable nonSink3 | @@ -755,10 +755,10 @@ | SSA.cs:106:21:106:28 | access to local variable nonSink3 | SSA.cs:110:23:110:30 | access to local variable nonSink3 | | SSA.cs:108:21:108:28 | [post] access to local variable nonSink3 | SSA.cs:110:23:110:30 | access to local variable nonSink3 | | SSA.cs:108:21:108:28 | access to local variable nonSink3 | SSA.cs:110:23:110:30 | access to local variable nonSink3 | -| SSA.cs:110:23:110:30 | SSA def(nonSink3) | SSA.cs:111:15:111:22 | access to local variable nonSink3 | -| SSA.cs:110:23:110:30 | [post] access to local variable nonSink3 | SSA.cs:110:23:110:30 | SSA def(nonSink3) | -| SSA.cs:110:23:110:30 | access to local variable nonSink3 | SSA.cs:110:23:110:30 | SSA def(nonSink3) | -| SSA.cs:110:23:110:30 | access to local variable nonSink3 | SSA.cs:110:23:110:30 | SSA def(nonSink3) | +| SSA.cs:110:9:110:31 | SSA def(nonSink3) | SSA.cs:111:15:111:22 | access to local variable nonSink3 | +| SSA.cs:110:23:110:30 | [post] access to local variable nonSink3 | SSA.cs:110:9:110:31 | SSA def(nonSink3) | +| SSA.cs:110:23:110:30 | access to local variable nonSink3 | SSA.cs:110:9:110:31 | SSA def(nonSink3) | +| SSA.cs:110:23:110:30 | access to local variable nonSink3 | SSA.cs:110:9:110:31 | SSA def(nonSink3) | | SSA.cs:114:9:114:12 | [post] this access | SSA.cs:117:13:117:16 | this access | | SSA.cs:114:9:114:12 | [post] this access | SSA.cs:123:23:123:26 | this access | | SSA.cs:114:9:114:12 | this access | SSA.cs:117:13:117:16 | this access | @@ -802,13 +802,13 @@ | SSA.cs:121:21:121:26 | access to field S | SSA.cs:123:23:123:28 | access to field S | | SSA.cs:121:21:121:40 | [post] access to field SsaFieldSink1 | SSA.cs:123:9:123:29 | SSA qualifier def(this.S.SsaFieldSink1) | | SSA.cs:121:21:121:40 | access to field SsaFieldSink1 | SSA.cs:123:9:123:29 | SSA qualifier def(this.S.SsaFieldSink1) | +| SSA.cs:123:9:123:29 | SSA def(this.S) | SSA.cs:124:15:124:20 | access to field S | | SSA.cs:123:9:123:29 | SSA qualifier def(this.S.SsaFieldSink1) | SSA.cs:124:15:124:34 | access to field SsaFieldSink1 | | SSA.cs:123:23:123:26 | [post] this access | SSA.cs:124:15:124:18 | this access | | SSA.cs:123:23:123:26 | this access | SSA.cs:124:15:124:18 | this access | -| SSA.cs:123:23:123:28 | SSA def(this.S) | SSA.cs:124:15:124:20 | access to field S | -| SSA.cs:123:23:123:28 | [post] access to field S | SSA.cs:123:23:123:28 | SSA def(this.S) | -| SSA.cs:123:23:123:28 | access to field S | SSA.cs:123:23:123:28 | SSA def(this.S) | -| SSA.cs:123:23:123:28 | access to field S | SSA.cs:123:23:123:28 | SSA def(this.S) | +| SSA.cs:123:23:123:28 | [post] access to field S | SSA.cs:123:9:123:29 | SSA def(this.S) | +| SSA.cs:123:23:123:28 | access to field S | SSA.cs:123:9:123:29 | SSA def(this.S) | +| SSA.cs:123:23:123:28 | access to field S | SSA.cs:123:9:123:29 | SSA def(this.S) | | SSA.cs:124:15:124:18 | [post] this access | SSA.cs:127:9:127:12 | this access | | SSA.cs:124:15:124:18 | this access | SSA.cs:127:9:127:12 | this access | | SSA.cs:124:15:124:20 | [post] access to field S | SSA.cs:127:9:127:14 | access to field S | @@ -851,13 +851,13 @@ | SSA.cs:134:21:134:26 | access to field S | SSA.cs:136:23:136:28 | access to field S | | SSA.cs:134:21:134:43 | [post] access to field SsaFieldNonSink0 | SSA.cs:136:9:136:29 | SSA qualifier def(this.S.SsaFieldNonSink0) | | SSA.cs:134:21:134:43 | access to field SsaFieldNonSink0 | SSA.cs:136:9:136:29 | SSA qualifier def(this.S.SsaFieldNonSink0) | +| SSA.cs:136:9:136:29 | SSA def(this.S) | SSA.cs:137:15:137:20 | access to field S | | SSA.cs:136:9:136:29 | SSA qualifier def(this.S.SsaFieldNonSink0) | SSA.cs:137:15:137:37 | access to field SsaFieldNonSink0 | | SSA.cs:136:23:136:26 | [post] this access | SSA.cs:137:15:137:18 | this access | | SSA.cs:136:23:136:26 | this access | SSA.cs:137:15:137:18 | this access | -| SSA.cs:136:23:136:28 | SSA def(this.S) | SSA.cs:137:15:137:20 | access to field S | -| SSA.cs:136:23:136:28 | [post] access to field S | SSA.cs:136:23:136:28 | SSA def(this.S) | -| SSA.cs:136:23:136:28 | access to field S | SSA.cs:136:23:136:28 | SSA def(this.S) | -| SSA.cs:136:23:136:28 | access to field S | SSA.cs:136:23:136:28 | SSA def(this.S) | +| SSA.cs:136:23:136:28 | [post] access to field S | SSA.cs:136:9:136:29 | SSA def(this.S) | +| SSA.cs:136:23:136:28 | access to field S | SSA.cs:136:9:136:29 | SSA def(this.S) | +| SSA.cs:136:23:136:28 | access to field S | SSA.cs:136:9:136:29 | SSA def(this.S) | | SSA.cs:144:34:144:34 | SSA param(t) | SSA.cs:146:13:146:13 | access to parameter t | | SSA.cs:144:34:144:34 | t | SSA.cs:144:34:144:34 | SSA param(t) | | SSA.cs:146:13:146:13 | access to parameter t | SSA.cs:146:13:146:13 | (...) ... | @@ -874,8 +874,8 @@ | SSA.cs:154:13:154:13 | access to parameter t | SSA.cs:154:13:154:21 | [input] SSA phi(t) | | SSA.cs:154:13:154:13 | access to parameter t | SSA.cs:155:25:155:25 | access to parameter t | | SSA.cs:154:13:154:21 | [input] SSA phi(t) | SSA.cs:154:9:155:27 | SSA phi(t) | -| SSA.cs:155:25:155:25 | SSA def(t) | SSA.cs:154:9:155:27 | SSA phi(t) | -| SSA.cs:155:25:155:25 | access to parameter t | SSA.cs:155:25:155:25 | SSA def(t) | +| SSA.cs:155:13:155:26 | SSA def(t) | SSA.cs:154:9:155:27 | SSA phi(t) | +| SSA.cs:155:25:155:25 | access to parameter t | SSA.cs:155:13:155:26 | SSA def(t) | | SSA.cs:166:10:166:13 | this | SSA.cs:166:19:166:22 | this access | | SSA.cs:166:28:166:31 | null | SSA.cs:166:19:166:24 | access to field S | | SSA.cs:168:22:168:28 | SSA param(tainted) | SSA.cs:173:24:173:30 | access to parameter tainted | diff --git a/csharp/ql/test/library-tests/dataflow/local/TaintTrackingStep.expected b/csharp/ql/test/library-tests/dataflow/local/TaintTrackingStep.expected index 3229a540148..8f059acc6ca 100644 --- a/csharp/ql/test/library-tests/dataflow/local/TaintTrackingStep.expected +++ b/csharp/ql/test/library-tests/dataflow/local/TaintTrackingStep.expected @@ -747,14 +747,14 @@ | SSA.cs:58:16:58:33 | SSA def(ssaSink3) | SSA.cs:59:23:59:30 | access to local variable ssaSink3 | | SSA.cs:58:27:58:33 | access to parameter tainted | SSA.cs:58:16:58:23 | access to local variable ssaSink3 | | SSA.cs:58:27:58:33 | access to parameter tainted | SSA.cs:67:32:67:38 | access to parameter tainted | -| SSA.cs:59:23:59:30 | SSA def(ssaSink3) | SSA.cs:60:15:60:22 | access to local variable ssaSink3 | -| SSA.cs:59:23:59:30 | [post] access to local variable ssaSink3 | SSA.cs:59:23:59:30 | SSA def(ssaSink3) | -| SSA.cs:59:23:59:30 | access to local variable ssaSink3 | SSA.cs:59:23:59:30 | SSA def(ssaSink3) | -| SSA.cs:59:23:59:30 | access to local variable ssaSink3 | SSA.cs:59:23:59:30 | SSA def(ssaSink3) | -| SSA.cs:63:23:63:30 | SSA def(nonSink0) | SSA.cs:64:15:64:22 | access to local variable nonSink0 | -| SSA.cs:63:23:63:30 | [post] access to local variable nonSink0 | SSA.cs:63:23:63:30 | SSA def(nonSink0) | -| SSA.cs:63:23:63:30 | access to local variable nonSink0 | SSA.cs:63:23:63:30 | SSA def(nonSink0) | -| SSA.cs:63:23:63:30 | access to local variable nonSink0 | SSA.cs:63:23:63:30 | SSA def(nonSink0) | +| SSA.cs:59:9:59:31 | SSA def(ssaSink3) | SSA.cs:60:15:60:22 | access to local variable ssaSink3 | +| SSA.cs:59:23:59:30 | [post] access to local variable ssaSink3 | SSA.cs:59:9:59:31 | SSA def(ssaSink3) | +| SSA.cs:59:23:59:30 | access to local variable ssaSink3 | SSA.cs:59:9:59:31 | SSA def(ssaSink3) | +| SSA.cs:59:23:59:30 | access to local variable ssaSink3 | SSA.cs:59:9:59:31 | SSA def(ssaSink3) | +| SSA.cs:63:9:63:31 | SSA def(nonSink0) | SSA.cs:64:15:64:22 | access to local variable nonSink0 | +| SSA.cs:63:23:63:30 | [post] access to local variable nonSink0 | SSA.cs:63:9:63:31 | SSA def(nonSink0) | +| SSA.cs:63:23:63:30 | access to local variable nonSink0 | SSA.cs:63:9:63:31 | SSA def(nonSink0) | +| SSA.cs:63:23:63:30 | access to local variable nonSink0 | SSA.cs:63:9:63:31 | SSA def(nonSink0) | | SSA.cs:67:9:67:12 | [post] this access | SSA.cs:68:23:68:26 | this access | | SSA.cs:67:9:67:12 | this access | SSA.cs:68:23:68:26 | this access | | SSA.cs:67:9:67:14 | [post] access to field S | SSA.cs:68:23:68:28 | access to field S | @@ -763,13 +763,13 @@ | SSA.cs:67:9:67:38 | SSA def(this.S.SsaFieldSink0) | SSA.cs:68:9:68:29 | SSA qualifier def(this.S.SsaFieldSink0) | | SSA.cs:67:32:67:38 | access to parameter tainted | SSA.cs:67:9:67:28 | access to field SsaFieldSink0 | | SSA.cs:67:32:67:38 | access to parameter tainted | SSA.cs:77:20:77:26 | access to parameter tainted | +| SSA.cs:68:9:68:29 | SSA def(this.S) | SSA.cs:69:15:69:20 | access to field S | | SSA.cs:68:9:68:29 | SSA qualifier def(this.S.SsaFieldSink0) | SSA.cs:69:15:69:34 | access to field SsaFieldSink0 | | SSA.cs:68:23:68:26 | [post] this access | SSA.cs:69:15:69:18 | this access | | SSA.cs:68:23:68:26 | this access | SSA.cs:69:15:69:18 | this access | -| SSA.cs:68:23:68:28 | SSA def(this.S) | SSA.cs:69:15:69:20 | access to field S | -| SSA.cs:68:23:68:28 | [post] access to field S | SSA.cs:68:23:68:28 | SSA def(this.S) | -| SSA.cs:68:23:68:28 | access to field S | SSA.cs:68:23:68:28 | SSA def(this.S) | -| SSA.cs:68:23:68:28 | access to field S | SSA.cs:68:23:68:28 | SSA def(this.S) | +| SSA.cs:68:23:68:28 | [post] access to field S | SSA.cs:68:9:68:29 | SSA def(this.S) | +| SSA.cs:68:23:68:28 | access to field S | SSA.cs:68:9:68:29 | SSA def(this.S) | +| SSA.cs:68:23:68:28 | access to field S | SSA.cs:68:9:68:29 | SSA def(this.S) | | SSA.cs:69:15:69:18 | [post] this access | SSA.cs:72:9:72:12 | this access | | SSA.cs:69:15:69:18 | this access | SSA.cs:72:9:72:12 | this access | | SSA.cs:69:15:69:20 | [post] access to field S | SSA.cs:72:9:72:14 | access to field S | @@ -781,13 +781,13 @@ | SSA.cs:72:9:72:31 | access to field SsaFieldNonSink0 | SSA.cs:72:9:72:36 | SSA def(this.S.SsaFieldNonSink0) | | SSA.cs:72:9:72:36 | SSA def(this.S.SsaFieldNonSink0) | SSA.cs:73:9:73:29 | SSA qualifier def(this.S.SsaFieldNonSink0) | | SSA.cs:72:35:72:36 | "" | SSA.cs:72:9:72:31 | access to field SsaFieldNonSink0 | +| SSA.cs:73:9:73:29 | SSA def(this.S) | SSA.cs:74:15:74:20 | access to field S | | SSA.cs:73:9:73:29 | SSA qualifier def(this.S.SsaFieldNonSink0) | SSA.cs:74:15:74:37 | access to field SsaFieldNonSink0 | | SSA.cs:73:23:73:26 | [post] this access | SSA.cs:74:15:74:18 | this access | | SSA.cs:73:23:73:26 | this access | SSA.cs:74:15:74:18 | this access | -| SSA.cs:73:23:73:28 | SSA def(this.S) | SSA.cs:74:15:74:20 | access to field S | -| SSA.cs:73:23:73:28 | [post] access to field S | SSA.cs:73:23:73:28 | SSA def(this.S) | -| SSA.cs:73:23:73:28 | access to field S | SSA.cs:73:23:73:28 | SSA def(this.S) | -| SSA.cs:73:23:73:28 | access to field S | SSA.cs:73:23:73:28 | SSA def(this.S) | +| SSA.cs:73:23:73:28 | [post] access to field S | SSA.cs:73:9:73:29 | SSA def(this.S) | +| SSA.cs:73:23:73:28 | access to field S | SSA.cs:73:9:73:29 | SSA def(this.S) | +| SSA.cs:73:23:73:28 | access to field S | SSA.cs:73:9:73:29 | SSA def(this.S) | | SSA.cs:74:15:74:18 | [post] this access | SSA.cs:80:9:80:12 | this access | | SSA.cs:74:15:74:18 | this access | SSA.cs:80:9:80:12 | this access | | SSA.cs:74:15:74:20 | [post] access to field S | SSA.cs:80:9:80:14 | access to field S | @@ -796,8 +796,8 @@ | SSA.cs:77:9:77:26 | SSA def(nonSink0) | SSA.cs:78:21:78:28 | access to local variable nonSink0 | | SSA.cs:77:20:77:26 | access to parameter tainted | SSA.cs:77:9:77:16 | access to local variable nonSink0 | | SSA.cs:77:20:77:26 | access to parameter tainted | SSA.cs:80:35:80:41 | access to parameter tainted | -| SSA.cs:78:21:78:28 | SSA def(nonSink0) | SSA.cs:79:15:79:22 | access to local variable nonSink0 | -| SSA.cs:78:21:78:28 | access to local variable nonSink0 | SSA.cs:78:21:78:28 | SSA def(nonSink0) | +| SSA.cs:78:9:78:29 | SSA def(nonSink0) | SSA.cs:79:15:79:22 | access to local variable nonSink0 | +| SSA.cs:78:21:78:28 | access to local variable nonSink0 | SSA.cs:78:9:78:29 | SSA def(nonSink0) | | SSA.cs:79:15:79:22 | [post] access to local variable nonSink0 | SSA.cs:102:13:102:33 | [input] SSA phi read(nonSink0) | | SSA.cs:79:15:79:22 | [post] access to local variable nonSink0 | SSA.cs:104:24:104:31 | access to local variable nonSink0 | | SSA.cs:79:15:79:22 | access to local variable nonSink0 | SSA.cs:102:13:102:33 | [input] SSA phi read(nonSink0) | @@ -808,11 +808,11 @@ | SSA.cs:80:9:80:14 | access to field S | SSA.cs:81:21:81:26 | access to field S | | SSA.cs:80:35:80:41 | access to parameter tainted | SSA.cs:80:9:80:31 | access to field SsaFieldNonSink0 | | SSA.cs:80:35:80:41 | access to parameter tainted | SSA.cs:83:35:83:41 | access to parameter tainted | +| SSA.cs:81:9:81:27 | SSA def(this.S) | SSA.cs:82:15:82:20 | access to field S | | SSA.cs:81:9:81:27 | SSA qualifier def(this.S.SsaFieldNonSink0) | SSA.cs:82:15:82:37 | access to field SsaFieldNonSink0 | | SSA.cs:81:21:81:24 | [post] this access | SSA.cs:82:15:82:18 | this access | | SSA.cs:81:21:81:24 | this access | SSA.cs:82:15:82:18 | this access | -| SSA.cs:81:21:81:26 | SSA def(this.S) | SSA.cs:82:15:82:20 | access to field S | -| SSA.cs:81:21:81:26 | access to field S | SSA.cs:81:21:81:26 | SSA def(this.S) | +| SSA.cs:81:21:81:26 | access to field S | SSA.cs:81:9:81:27 | SSA def(this.S) | | SSA.cs:82:15:82:18 | [post] this access | SSA.cs:83:9:83:12 | this access | | SSA.cs:82:15:82:18 | this access | SSA.cs:83:9:83:12 | this access | | SSA.cs:82:15:82:20 | [post] access to field S | SSA.cs:83:9:83:14 | access to field S | @@ -851,10 +851,10 @@ | SSA.cs:93:21:93:28 | access to local variable ssaSink4 | SSA.cs:97:23:97:30 | access to local variable ssaSink4 | | SSA.cs:95:21:95:28 | [post] access to local variable ssaSink4 | SSA.cs:97:23:97:30 | access to local variable ssaSink4 | | SSA.cs:95:21:95:28 | access to local variable ssaSink4 | SSA.cs:97:23:97:30 | access to local variable ssaSink4 | -| SSA.cs:97:23:97:30 | SSA def(ssaSink4) | SSA.cs:98:15:98:22 | access to local variable ssaSink4 | -| SSA.cs:97:23:97:30 | [post] access to local variable ssaSink4 | SSA.cs:97:23:97:30 | SSA def(ssaSink4) | -| SSA.cs:97:23:97:30 | access to local variable ssaSink4 | SSA.cs:97:23:97:30 | SSA def(ssaSink4) | -| SSA.cs:97:23:97:30 | access to local variable ssaSink4 | SSA.cs:97:23:97:30 | SSA def(ssaSink4) | +| SSA.cs:97:9:97:31 | SSA def(ssaSink4) | SSA.cs:98:15:98:22 | access to local variable ssaSink4 | +| SSA.cs:97:23:97:30 | [post] access to local variable ssaSink4 | SSA.cs:97:9:97:31 | SSA def(ssaSink4) | +| SSA.cs:97:23:97:30 | access to local variable ssaSink4 | SSA.cs:97:9:97:31 | SSA def(ssaSink4) | +| SSA.cs:97:23:97:30 | access to local variable ssaSink4 | SSA.cs:97:9:97:31 | SSA def(ssaSink4) | | SSA.cs:101:16:101:23 | access to local variable nonSink3 | SSA.cs:101:16:101:28 | SSA def(nonSink3) | | SSA.cs:101:16:101:28 | SSA def(nonSink3) | SSA.cs:110:23:110:30 | access to local variable nonSink3 | | SSA.cs:101:27:101:28 | "" | SSA.cs:101:16:101:23 | access to local variable nonSink3 | @@ -877,10 +877,10 @@ | SSA.cs:106:21:106:28 | access to local variable nonSink3 | SSA.cs:110:23:110:30 | access to local variable nonSink3 | | SSA.cs:108:21:108:28 | [post] access to local variable nonSink3 | SSA.cs:110:23:110:30 | access to local variable nonSink3 | | SSA.cs:108:21:108:28 | access to local variable nonSink3 | SSA.cs:110:23:110:30 | access to local variable nonSink3 | -| SSA.cs:110:23:110:30 | SSA def(nonSink3) | SSA.cs:111:15:111:22 | access to local variable nonSink3 | -| SSA.cs:110:23:110:30 | [post] access to local variable nonSink3 | SSA.cs:110:23:110:30 | SSA def(nonSink3) | -| SSA.cs:110:23:110:30 | access to local variable nonSink3 | SSA.cs:110:23:110:30 | SSA def(nonSink3) | -| SSA.cs:110:23:110:30 | access to local variable nonSink3 | SSA.cs:110:23:110:30 | SSA def(nonSink3) | +| SSA.cs:110:9:110:31 | SSA def(nonSink3) | SSA.cs:111:15:111:22 | access to local variable nonSink3 | +| SSA.cs:110:23:110:30 | [post] access to local variable nonSink3 | SSA.cs:110:9:110:31 | SSA def(nonSink3) | +| SSA.cs:110:23:110:30 | access to local variable nonSink3 | SSA.cs:110:9:110:31 | SSA def(nonSink3) | +| SSA.cs:110:23:110:30 | access to local variable nonSink3 | SSA.cs:110:9:110:31 | SSA def(nonSink3) | | SSA.cs:114:9:114:12 | [post] this access | SSA.cs:117:13:117:16 | this access | | SSA.cs:114:9:114:12 | [post] this access | SSA.cs:123:23:123:26 | this access | | SSA.cs:114:9:114:12 | this access | SSA.cs:117:13:117:16 | this access | @@ -926,13 +926,13 @@ | SSA.cs:121:21:121:26 | access to field S | SSA.cs:123:23:123:28 | access to field S | | SSA.cs:121:21:121:40 | [post] access to field SsaFieldSink1 | SSA.cs:123:9:123:29 | SSA qualifier def(this.S.SsaFieldSink1) | | SSA.cs:121:21:121:40 | access to field SsaFieldSink1 | SSA.cs:123:9:123:29 | SSA qualifier def(this.S.SsaFieldSink1) | +| SSA.cs:123:9:123:29 | SSA def(this.S) | SSA.cs:124:15:124:20 | access to field S | | SSA.cs:123:9:123:29 | SSA qualifier def(this.S.SsaFieldSink1) | SSA.cs:124:15:124:34 | access to field SsaFieldSink1 | | SSA.cs:123:23:123:26 | [post] this access | SSA.cs:124:15:124:18 | this access | | SSA.cs:123:23:123:26 | this access | SSA.cs:124:15:124:18 | this access | -| SSA.cs:123:23:123:28 | SSA def(this.S) | SSA.cs:124:15:124:20 | access to field S | -| SSA.cs:123:23:123:28 | [post] access to field S | SSA.cs:123:23:123:28 | SSA def(this.S) | -| SSA.cs:123:23:123:28 | access to field S | SSA.cs:123:23:123:28 | SSA def(this.S) | -| SSA.cs:123:23:123:28 | access to field S | SSA.cs:123:23:123:28 | SSA def(this.S) | +| SSA.cs:123:23:123:28 | [post] access to field S | SSA.cs:123:9:123:29 | SSA def(this.S) | +| SSA.cs:123:23:123:28 | access to field S | SSA.cs:123:9:123:29 | SSA def(this.S) | +| SSA.cs:123:23:123:28 | access to field S | SSA.cs:123:9:123:29 | SSA def(this.S) | | SSA.cs:124:15:124:18 | [post] this access | SSA.cs:127:9:127:12 | this access | | SSA.cs:124:15:124:18 | this access | SSA.cs:127:9:127:12 | this access | | SSA.cs:124:15:124:20 | [post] access to field S | SSA.cs:127:9:127:14 | access to field S | @@ -977,13 +977,13 @@ | SSA.cs:134:21:134:26 | access to field S | SSA.cs:136:23:136:28 | access to field S | | SSA.cs:134:21:134:43 | [post] access to field SsaFieldNonSink0 | SSA.cs:136:9:136:29 | SSA qualifier def(this.S.SsaFieldNonSink0) | | SSA.cs:134:21:134:43 | access to field SsaFieldNonSink0 | SSA.cs:136:9:136:29 | SSA qualifier def(this.S.SsaFieldNonSink0) | +| SSA.cs:136:9:136:29 | SSA def(this.S) | SSA.cs:137:15:137:20 | access to field S | | SSA.cs:136:9:136:29 | SSA qualifier def(this.S.SsaFieldNonSink0) | SSA.cs:137:15:137:37 | access to field SsaFieldNonSink0 | | SSA.cs:136:23:136:26 | [post] this access | SSA.cs:137:15:137:18 | this access | | SSA.cs:136:23:136:26 | this access | SSA.cs:137:15:137:18 | this access | -| SSA.cs:136:23:136:28 | SSA def(this.S) | SSA.cs:137:15:137:20 | access to field S | -| SSA.cs:136:23:136:28 | [post] access to field S | SSA.cs:136:23:136:28 | SSA def(this.S) | -| SSA.cs:136:23:136:28 | access to field S | SSA.cs:136:23:136:28 | SSA def(this.S) | -| SSA.cs:136:23:136:28 | access to field S | SSA.cs:136:23:136:28 | SSA def(this.S) | +| SSA.cs:136:23:136:28 | [post] access to field S | SSA.cs:136:9:136:29 | SSA def(this.S) | +| SSA.cs:136:23:136:28 | access to field S | SSA.cs:136:9:136:29 | SSA def(this.S) | +| SSA.cs:136:23:136:28 | access to field S | SSA.cs:136:9:136:29 | SSA def(this.S) | | SSA.cs:144:34:144:34 | SSA param(t) | SSA.cs:146:13:146:13 | access to parameter t | | SSA.cs:144:34:144:34 | t | SSA.cs:144:34:144:34 | SSA param(t) | | SSA.cs:146:13:146:13 | (...) ... | SSA.cs:146:13:146:21 | ... == ... | @@ -1002,8 +1002,8 @@ | SSA.cs:154:13:154:13 | access to parameter t | SSA.cs:154:13:154:21 | [input] SSA phi(t) | | SSA.cs:154:13:154:13 | access to parameter t | SSA.cs:155:25:155:25 | access to parameter t | | SSA.cs:154:13:154:21 | [input] SSA phi(t) | SSA.cs:154:9:155:27 | SSA phi(t) | -| SSA.cs:155:25:155:25 | SSA def(t) | SSA.cs:154:9:155:27 | SSA phi(t) | -| SSA.cs:155:25:155:25 | access to parameter t | SSA.cs:155:25:155:25 | SSA def(t) | +| SSA.cs:155:13:155:26 | SSA def(t) | SSA.cs:154:9:155:27 | SSA phi(t) | +| SSA.cs:155:25:155:25 | access to parameter t | SSA.cs:155:13:155:26 | SSA def(t) | | SSA.cs:166:10:166:13 | this | SSA.cs:166:19:166:22 | this access | | SSA.cs:166:28:166:31 | null | SSA.cs:166:19:166:24 | access to field S | | SSA.cs:168:22:168:28 | SSA param(tainted) | SSA.cs:173:24:173:30 | access to parameter tainted | diff --git a/csharp/ql/test/library-tests/dataflow/ssa/SSAPhi.expected b/csharp/ql/test/library-tests/dataflow/ssa/SSAPhi.expected index dd72baf4f29..7be0fb7c46d 100644 --- a/csharp/ql/test/library-tests/dataflow/ssa/SSAPhi.expected +++ b/csharp/ql/test/library-tests/dataflow/ssa/SSAPhi.expected @@ -5,7 +5,7 @@ | DefUse.cs:6:14:6:14 | y | DefUse.cs:37:9:40:9 | SSA phi(y) | DefUse.cs:28:13:28:18 | SSA def(y) | | DefUse.cs:6:14:6:14 | y | DefUse.cs:37:9:40:9 | SSA phi(y) | DefUse.cs:39:13:39:18 | SSA def(y) | | DefUse.cs:79:13:79:14 | x1 | DefUse.cs:80:9:80:51 | SSA phi(x1) | DefUse.cs:79:13:79:18 | SSA def(x1) | -| DefUse.cs:79:13:79:14 | x1 | DefUse.cs:80:9:80:51 | SSA phi(x1) | DefUse.cs:80:30:80:31 | SSA def(x1) | +| DefUse.cs:79:13:79:14 | x1 | DefUse.cs:80:9:80:51 | SSA phi(x1) | DefUse.cs:80:16:80:32 | SSA def(x1) | | DefUse.cs:97:13:97:14 | x5 | DefUse.cs:98:9:102:9 | SSA phi(x5) | DefUse.cs:97:13:97:18 | SSA def(x5) | | DefUse.cs:97:13:97:14 | x5 | DefUse.cs:98:9:102:9 | SSA phi(x5) | DefUse.cs:101:13:101:23 | SSA def(x5) | | DefaultParam.cs:3:30:3:30 | s | DefaultParam.cs:3:42:3:42 | SSA phi(s) | DefaultParam.cs:3:30:3:30 | SSA param(s) | diff --git a/csharp/ql/test/library-tests/dataflow/ssa/SsaDef.expected b/csharp/ql/test/library-tests/dataflow/ssa/SsaDef.expected index 1e185b8456f..b7d177bf785 100644 --- a/csharp/ql/test/library-tests/dataflow/ssa/SsaDef.expected +++ b/csharp/ql/test/library-tests/dataflow/ssa/SsaDef.expected @@ -35,7 +35,7 @@ | Capture.cs:248:36:248:36 | j | Capture.cs:251:13:251:17 | SSA def(j) | | Consistency.cs:7:25:7:25 | b | Consistency.cs:7:25:7:25 | SSA param(b) | | Consistency.cs:15:17:15:17 | i | Consistency.cs:15:17:15:21 | SSA def(i) | -| Consistency.cs:25:29:25:29 | c | Consistency.cs:25:29:25:29 | SSA def(c) | +| Consistency.cs:25:29:25:29 | c | Consistency.cs:25:9:25:30 | SSA def(c) | | Consistency.cs:26:13:26:19 | c.Field | Consistency.cs:25:9:25:30 | SSA qualifier def(c.Field) | | Consistency.cs:30:30:30:30 | c | Consistency.cs:32:9:32:29 | SSA def(c) | | Consistency.cs:44:11:44:11 | s | Consistency.cs:44:11:44:11 | SSA def(s) | @@ -58,8 +58,8 @@ | DefUse.cs:6:14:6:14 | y | DefUse.cs:37:9:40:9 | SSA phi(y) | | DefUse.cs:6:14:6:14 | y | DefUse.cs:39:13:39:18 | SSA def(y) | | DefUse.cs:44:13:44:13 | z | DefUse.cs:44:13:44:17 | SSA def(z) | -| DefUse.cs:44:13:44:13 | z | DefUse.cs:47:23:47:23 | SSA def(z) | -| DefUse.cs:44:13:44:13 | z | DefUse.cs:50:23:50:23 | SSA def(z) | +| DefUse.cs:44:13:44:13 | z | DefUse.cs:47:9:47:24 | SSA def(z) | +| DefUse.cs:44:13:44:13 | z | DefUse.cs:50:9:50:24 | SSA def(z) | | DefUse.cs:53:9:53:13 | this.Field | DefUse.cs:53:9:53:17 | SSA def(this.Field) | | DefUse.cs:56:9:56:12 | this.Prop | DefUse.cs:56:9:56:16 | SSA def(this.Prop) | | DefUse.cs:63:9:63:14 | this.Field2 | DefUse.cs:63:9:63:18 | SSA def(this.Field2) | @@ -67,12 +67,12 @@ | DefUse.cs:67:19:67:20 | tc | DefUse.cs:67:19:67:27 | SSA def(tc) | | DefUse.cs:79:13:79:14 | x1 | DefUse.cs:79:13:79:18 | SSA def(x1) | | DefUse.cs:79:13:79:14 | x1 | DefUse.cs:80:9:80:51 | SSA phi(x1) | -| DefUse.cs:79:13:79:14 | x1 | DefUse.cs:80:30:80:31 | SSA def(x1) | +| DefUse.cs:79:13:79:14 | x1 | DefUse.cs:80:16:80:32 | SSA def(x1) | | DefUse.cs:83:13:83:14 | x2 | DefUse.cs:83:13:83:18 | SSA def(x2) | -| DefUse.cs:83:13:83:14 | x2 | DefUse.cs:85:15:85:16 | SSA def(x2) | +| DefUse.cs:83:13:83:14 | x2 | DefUse.cs:84:9:86:17 | SSA def(x2) | | DefUse.cs:89:13:89:14 | x3 | DefUse.cs:89:13:89:18 | SSA def(x3) | -| DefUse.cs:89:13:89:14 | x3 | DefUse.cs:92:15:92:16 | SSA def(x3) | -| DefUse.cs:90:13:90:14 | x4 | DefUse.cs:93:15:93:16 | SSA def(x4) | +| DefUse.cs:89:13:89:14 | x3 | DefUse.cs:91:9:93:17 | SSA def(x3) | +| DefUse.cs:90:13:90:14 | x4 | DefUse.cs:91:9:93:17 | SSA def(x4) | | DefUse.cs:97:13:97:14 | x5 | DefUse.cs:97:13:97:18 | SSA def(x5) | | DefUse.cs:97:13:97:14 | x5 | DefUse.cs:98:9:102:9 | SSA phi(x5) | | DefUse.cs:97:13:97:14 | x5 | DefUse.cs:101:13:101:23 | SSA def(x5) | @@ -169,18 +169,18 @@ | MultiImplementationA.cs:5:22:5:22 | x | MultiImplementationA.cs:5:22:5:22 | SSA param(x) | | MultiImplementationA.cs:5:22:5:22 | x | MultiImplementationB.cs:3:22:3:22 | SSA param(x) | | OutRef.cs:9:13:9:13 | j | OutRef.cs:9:13:9:17 | SSA def(j) | -| OutRef.cs:9:13:9:13 | j | OutRef.cs:10:32:10:32 | SSA def(j) | -| OutRef.cs:9:13:9:13 | j | OutRef.cs:22:22:22:22 | SSA def(j) | -| OutRef.cs:9:13:9:13 | j | OutRef.cs:24:29:24:29 | SSA def(j) | -| OutRef.cs:10:25:10:25 | i | OutRef.cs:10:25:10:25 | SSA def(i) | -| OutRef.cs:10:25:10:25 | i | OutRef.cs:13:21:13:21 | SSA def(i) | +| OutRef.cs:9:13:9:13 | j | OutRef.cs:10:9:10:33 | SSA def(j) | +| OutRef.cs:9:13:9:13 | j | OutRef.cs:22:9:22:30 | SSA def(j) | +| OutRef.cs:9:13:9:13 | j | OutRef.cs:24:9:24:30 | SSA def(j) | +| OutRef.cs:10:25:10:25 | i | OutRef.cs:10:9:10:33 | SSA def(i) | +| OutRef.cs:10:25:10:25 | i | OutRef.cs:13:9:13:33 | SSA def(i) | | OutRef.cs:13:28:13:32 | this.Field | OutRef.cs:7:10:7:10 | SSA entry def(this.Field) | -| OutRef.cs:13:28:13:32 | this.Field | OutRef.cs:13:28:13:32 | SSA def(this.Field) | -| OutRef.cs:13:28:13:32 | this.Field | OutRef.cs:16:21:16:25 | SSA def(this.Field) | -| OutRef.cs:13:28:13:32 | this.Field | OutRef.cs:19:21:19:25 | SSA def(this.Field) | +| OutRef.cs:13:28:13:32 | this.Field | OutRef.cs:13:9:13:33 | SSA def(this.Field) | +| OutRef.cs:13:28:13:32 | this.Field | OutRef.cs:16:9:16:37 | SSA def(this.Field) | +| OutRef.cs:13:28:13:32 | this.Field | OutRef.cs:19:9:19:39 | SSA def(this.Field) | | OutRef.cs:18:13:18:13 | t | OutRef.cs:18:13:18:28 | SSA def(t) | | OutRef.cs:19:32:19:38 | t.Field | OutRef.cs:18:13:18:28 | SSA qualifier def(t.Field) | -| OutRef.cs:19:32:19:38 | t.Field | OutRef.cs:19:32:19:38 | SSA def(t.Field) | +| OutRef.cs:19:32:19:38 | t.Field | OutRef.cs:19:9:19:39 | SSA def(t.Field) | | OutRef.cs:28:26:28:26 | i | OutRef.cs:30:9:30:13 | SSA def(i) | | OutRef.cs:28:37:28:37 | j | OutRef.cs:28:37:28:37 | SSA param(j) | | OutRef.cs:28:37:28:37 | j | OutRef.cs:31:9:31:13 | SSA def(j) | diff --git a/csharp/ql/test/library-tests/dataflow/ssa/SsaExplicitDef.expected b/csharp/ql/test/library-tests/dataflow/ssa/SsaExplicitDef.expected index 1d8a06035dc..4ea7d32e32f 100644 --- a/csharp/ql/test/library-tests/dataflow/ssa/SsaExplicitDef.expected +++ b/csharp/ql/test/library-tests/dataflow/ssa/SsaExplicitDef.expected @@ -24,7 +24,7 @@ | Capture.cs:248:36:248:36 | j | Capture.cs:251:13:251:17 | SSA def(j) | Capture.cs:251:13:251:17 | ... = ... | | Consistency.cs:7:25:7:25 | b | Consistency.cs:7:25:7:25 | SSA param(b) | Consistency.cs:7:25:7:25 | b | | Consistency.cs:15:17:15:17 | i | Consistency.cs:15:17:15:21 | SSA def(i) | Consistency.cs:15:17:15:21 | Int32 i = ... | -| Consistency.cs:25:29:25:29 | c | Consistency.cs:25:29:25:29 | SSA def(c) | Consistency.cs:25:29:25:29 | Consistency c | +| Consistency.cs:25:29:25:29 | c | Consistency.cs:25:9:25:30 | SSA def(c) | Consistency.cs:25:29:25:29 | Consistency c | | Consistency.cs:30:30:30:30 | c | Consistency.cs:32:9:32:29 | SSA def(c) | Consistency.cs:32:9:32:29 | ... = ... | | Consistency.cs:44:11:44:11 | s | Consistency.cs:44:11:44:11 | SSA def(s) | Consistency.cs:44:11:44:11 | S s | | Consistency.cs:49:30:49:30 | a | Consistency.cs:49:30:49:30 | SSA param(a) | Consistency.cs:49:30:49:30 | a | @@ -43,21 +43,21 @@ | DefUse.cs:6:14:6:14 | y | DefUse.cs:28:13:28:18 | SSA def(y) | DefUse.cs:28:13:28:18 | ... = ... | | DefUse.cs:6:14:6:14 | y | DefUse.cs:39:13:39:18 | SSA def(y) | DefUse.cs:39:13:39:18 | ... = ... | | DefUse.cs:44:13:44:13 | z | DefUse.cs:44:13:44:17 | SSA def(z) | DefUse.cs:44:13:44:17 | Int32 z = ... | -| DefUse.cs:44:13:44:13 | z | DefUse.cs:47:23:47:23 | SSA def(z) | DefUse.cs:47:23:47:23 | access to local variable z | -| DefUse.cs:44:13:44:13 | z | DefUse.cs:50:23:50:23 | SSA def(z) | DefUse.cs:50:23:50:23 | access to local variable z | +| DefUse.cs:44:13:44:13 | z | DefUse.cs:47:9:47:24 | SSA def(z) | DefUse.cs:47:23:47:23 | access to local variable z | +| DefUse.cs:44:13:44:13 | z | DefUse.cs:50:9:50:24 | SSA def(z) | DefUse.cs:50:23:50:23 | access to local variable z | | DefUse.cs:53:9:53:13 | this.Field | DefUse.cs:53:9:53:17 | SSA def(this.Field) | DefUse.cs:53:9:53:17 | ... = ... | | DefUse.cs:56:9:56:12 | this.Prop | DefUse.cs:56:9:56:16 | SSA def(this.Prop) | DefUse.cs:56:9:56:16 | ... = ... | | DefUse.cs:63:9:63:14 | this.Field2 | DefUse.cs:63:9:63:18 | SSA def(this.Field2) | DefUse.cs:63:9:63:18 | ... = ... | | DefUse.cs:66:9:66:14 | this.Field3 | DefUse.cs:66:9:66:18 | SSA def(this.Field3) | DefUse.cs:66:9:66:18 | ... = ... | | DefUse.cs:67:19:67:20 | tc | DefUse.cs:67:19:67:27 | SSA def(tc) | DefUse.cs:67:19:67:27 | TestClass tc = ... | | DefUse.cs:79:13:79:14 | x1 | DefUse.cs:79:13:79:18 | SSA def(x1) | DefUse.cs:79:13:79:18 | Int32 x1 = ... | -| DefUse.cs:79:13:79:14 | x1 | DefUse.cs:80:30:80:31 | SSA def(x1) | DefUse.cs:80:30:80:31 | access to local variable x1 | +| DefUse.cs:79:13:79:14 | x1 | DefUse.cs:80:16:80:32 | SSA def(x1) | DefUse.cs:80:30:80:31 | access to local variable x1 | | DefUse.cs:83:13:83:14 | x2 | DefUse.cs:83:13:83:18 | SSA def(x2) | DefUse.cs:83:13:83:18 | Int32 x2 = ... | -| DefUse.cs:83:13:83:14 | x2 | DefUse.cs:85:15:85:16 | SSA def(x2) | DefUse.cs:85:15:85:16 | access to local variable x2 | -| DefUse.cs:83:13:83:14 | x2 | DefUse.cs:85:15:85:16 | SSA def(x2) | DefUse.cs:86:15:86:16 | access to local variable x2 | +| DefUse.cs:83:13:83:14 | x2 | DefUse.cs:84:9:86:17 | SSA def(x2) | DefUse.cs:85:15:85:16 | access to local variable x2 | +| DefUse.cs:83:13:83:14 | x2 | DefUse.cs:84:9:86:17 | SSA def(x2) | DefUse.cs:86:15:86:16 | access to local variable x2 | | DefUse.cs:89:13:89:14 | x3 | DefUse.cs:89:13:89:18 | SSA def(x3) | DefUse.cs:89:13:89:18 | Int32 x3 = ... | -| DefUse.cs:89:13:89:14 | x3 | DefUse.cs:92:15:92:16 | SSA def(x3) | DefUse.cs:92:15:92:16 | access to local variable x3 | -| DefUse.cs:90:13:90:14 | x4 | DefUse.cs:93:15:93:16 | SSA def(x4) | DefUse.cs:93:15:93:16 | access to local variable x4 | +| DefUse.cs:89:13:89:14 | x3 | DefUse.cs:91:9:93:17 | SSA def(x3) | DefUse.cs:92:15:92:16 | access to local variable x3 | +| DefUse.cs:90:13:90:14 | x4 | DefUse.cs:91:9:93:17 | SSA def(x4) | DefUse.cs:93:15:93:16 | access to local variable x4 | | DefUse.cs:97:13:97:14 | x5 | DefUse.cs:97:13:97:18 | SSA def(x5) | DefUse.cs:97:13:97:18 | Int32 x5 = ... | | DefUse.cs:97:13:97:14 | x5 | DefUse.cs:101:13:101:23 | SSA def(x5) | DefUse.cs:101:13:101:23 | ... = ... | | DefUse.cs:97:13:97:14 | x5 | DefUse.cs:104:9:104:15 | SSA def(x5) | DefUse.cs:104:9:104:15 | ... += ... | @@ -108,17 +108,17 @@ | MultiImplementationA.cs:5:22:5:22 | x | MultiImplementationA.cs:5:22:5:22 | SSA param(x) | MultiImplementationA.cs:5:22:5:22 | x | | MultiImplementationA.cs:5:22:5:22 | x | MultiImplementationB.cs:3:22:3:22 | SSA param(x) | MultiImplementationA.cs:5:22:5:22 | x | | OutRef.cs:9:13:9:13 | j | OutRef.cs:9:13:9:17 | SSA def(j) | OutRef.cs:9:13:9:17 | Int32 j = ... | -| OutRef.cs:9:13:9:13 | j | OutRef.cs:10:32:10:32 | SSA def(j) | OutRef.cs:10:32:10:32 | access to local variable j | -| OutRef.cs:9:13:9:13 | j | OutRef.cs:22:22:22:22 | SSA def(j) | OutRef.cs:22:22:22:22 | access to local variable j | -| OutRef.cs:9:13:9:13 | j | OutRef.cs:24:29:24:29 | SSA def(j) | OutRef.cs:24:29:24:29 | access to local variable j | -| OutRef.cs:10:25:10:25 | i | OutRef.cs:10:25:10:25 | SSA def(i) | OutRef.cs:10:25:10:25 | Int32 i | -| OutRef.cs:10:25:10:25 | i | OutRef.cs:13:21:13:21 | SSA def(i) | OutRef.cs:13:21:13:21 | access to local variable i | -| OutRef.cs:13:28:13:32 | this.Field | OutRef.cs:13:28:13:32 | SSA def(this.Field) | OutRef.cs:13:28:13:32 | access to field Field | -| OutRef.cs:13:28:13:32 | this.Field | OutRef.cs:16:21:16:25 | SSA def(this.Field) | OutRef.cs:16:21:16:25 | access to field Field | -| OutRef.cs:13:28:13:32 | this.Field | OutRef.cs:16:21:16:25 | SSA def(this.Field) | OutRef.cs:16:32:16:36 | access to field Field | -| OutRef.cs:13:28:13:32 | this.Field | OutRef.cs:19:21:19:25 | SSA def(this.Field) | OutRef.cs:19:21:19:25 | access to field Field | +| OutRef.cs:9:13:9:13 | j | OutRef.cs:10:9:10:33 | SSA def(j) | OutRef.cs:10:32:10:32 | access to local variable j | +| OutRef.cs:9:13:9:13 | j | OutRef.cs:22:9:22:30 | SSA def(j) | OutRef.cs:22:22:22:22 | access to local variable j | +| OutRef.cs:9:13:9:13 | j | OutRef.cs:24:9:24:30 | SSA def(j) | OutRef.cs:24:29:24:29 | access to local variable j | +| OutRef.cs:10:25:10:25 | i | OutRef.cs:10:9:10:33 | SSA def(i) | OutRef.cs:10:25:10:25 | Int32 i | +| OutRef.cs:10:25:10:25 | i | OutRef.cs:13:9:13:33 | SSA def(i) | OutRef.cs:13:21:13:21 | access to local variable i | +| OutRef.cs:13:28:13:32 | this.Field | OutRef.cs:13:9:13:33 | SSA def(this.Field) | OutRef.cs:13:28:13:32 | access to field Field | +| OutRef.cs:13:28:13:32 | this.Field | OutRef.cs:16:9:16:37 | SSA def(this.Field) | OutRef.cs:16:21:16:25 | access to field Field | +| OutRef.cs:13:28:13:32 | this.Field | OutRef.cs:16:9:16:37 | SSA def(this.Field) | OutRef.cs:16:32:16:36 | access to field Field | +| OutRef.cs:13:28:13:32 | this.Field | OutRef.cs:19:9:19:39 | SSA def(this.Field) | OutRef.cs:19:21:19:25 | access to field Field | | OutRef.cs:18:13:18:13 | t | OutRef.cs:18:13:18:28 | SSA def(t) | OutRef.cs:18:13:18:28 | OutRef t = ... | -| OutRef.cs:19:32:19:38 | t.Field | OutRef.cs:19:32:19:38 | SSA def(t.Field) | OutRef.cs:19:32:19:38 | access to field Field | +| OutRef.cs:19:32:19:38 | t.Field | OutRef.cs:19:9:19:39 | SSA def(t.Field) | OutRef.cs:19:32:19:38 | access to field Field | | OutRef.cs:28:26:28:26 | i | OutRef.cs:30:9:30:13 | SSA def(i) | OutRef.cs:30:9:30:13 | ... = ... | | OutRef.cs:28:37:28:37 | j | OutRef.cs:28:37:28:37 | SSA param(j) | OutRef.cs:28:37:28:37 | j | | OutRef.cs:28:37:28:37 | j | OutRef.cs:31:9:31:13 | SSA def(j) | OutRef.cs:31:9:31:13 | ... = ... | diff --git a/csharp/ql/test/library-tests/dataflow/ssa/SsaImplicitQualifier.expected b/csharp/ql/test/library-tests/dataflow/ssa/SsaImplicitQualifier.expected index f4b936fa530..0f283aa4b58 100644 --- a/csharp/ql/test/library-tests/dataflow/ssa/SsaImplicitQualifier.expected +++ b/csharp/ql/test/library-tests/dataflow/ssa/SsaImplicitQualifier.expected @@ -1,4 +1,4 @@ -| Consistency.cs:26:13:26:19 | c.Field | Consistency.cs:25:9:25:30 | SSA qualifier def(c.Field) | Consistency.cs:25:29:25:29 | SSA def(c) | +| Consistency.cs:26:13:26:19 | c.Field | Consistency.cs:25:9:25:30 | SSA qualifier def(c.Field) | Consistency.cs:25:9:25:30 | SSA def(c) | | Fields.cs:31:19:31:22 | f.xs | Fields.cs:30:13:30:28 | SSA qualifier def(f.xs) | Fields.cs:30:13:30:28 | SSA def(f) | | Fields.cs:31:19:31:22 | f.xs | Fields.cs:49:13:49:28 | SSA qualifier def(f.xs) | Fields.cs:49:13:49:28 | SSA def(f) | | Fields.cs:98:20:98:32 | f.Field.Field | Fields.cs:97:9:97:30 | SSA qualifier def(f.Field.Field) | Fields.cs:97:9:97:30 | SSA def(f.Field) | diff --git a/csharp/ql/test/library-tests/dataflow/ssa/SsaRead.expected b/csharp/ql/test/library-tests/dataflow/ssa/SsaRead.expected index f82cab61409..a06115caf53 100644 --- a/csharp/ql/test/library-tests/dataflow/ssa/SsaRead.expected +++ b/csharp/ql/test/library-tests/dataflow/ssa/SsaRead.expected @@ -35,8 +35,8 @@ | Capture.cs:212:30:212:35 | exited | Capture.cs:212:30:212:71 | SSA def(exited) | Capture.cs:213:29:213:34 | access to local variable exited | | Consistency.cs:7:25:7:25 | b | Consistency.cs:7:25:7:25 | SSA param(b) | Consistency.cs:11:17:11:17 | access to parameter b | | Consistency.cs:15:17:15:17 | i | Consistency.cs:15:17:15:21 | SSA def(i) | Consistency.cs:16:17:16:17 | access to local variable i | -| Consistency.cs:25:29:25:29 | c | Consistency.cs:25:29:25:29 | SSA def(c) | Consistency.cs:26:13:26:13 | access to local variable c | -| Consistency.cs:25:29:25:29 | c | Consistency.cs:25:29:25:29 | SSA def(c) | Consistency.cs:27:13:27:13 | access to local variable c | +| Consistency.cs:25:29:25:29 | c | Consistency.cs:25:9:25:30 | SSA def(c) | Consistency.cs:26:13:26:13 | access to local variable c | +| Consistency.cs:25:29:25:29 | c | Consistency.cs:25:9:25:30 | SSA def(c) | Consistency.cs:27:13:27:13 | access to local variable c | | Consistency.cs:26:13:26:19 | c.Field | Consistency.cs:25:9:25:30 | SSA qualifier def(c.Field) | Consistency.cs:26:13:26:19 | access to field Field | | Consistency.cs:26:13:26:19 | c.Field | Consistency.cs:25:9:25:30 | SSA qualifier def(c.Field) | Consistency.cs:27:13:27:19 | access to field Field | | Consistency.cs:30:30:30:30 | c | Consistency.cs:32:9:32:29 | SSA def(c) | Consistency.cs:33:9:33:9 | access to parameter c | @@ -63,9 +63,9 @@ | DefUse.cs:6:14:6:14 | y | DefUse.cs:28:13:28:18 | SSA def(y) | DefUse.cs:34:13:34:13 | access to local variable y | | DefUse.cs:6:14:6:14 | y | DefUse.cs:37:9:40:9 | SSA phi(y) | DefUse.cs:42:13:42:13 | access to local variable y | | DefUse.cs:44:13:44:13 | z | DefUse.cs:44:13:44:17 | SSA def(z) | DefUse.cs:45:13:45:13 | access to local variable z | -| DefUse.cs:44:13:44:13 | z | DefUse.cs:47:23:47:23 | SSA def(z) | DefUse.cs:48:13:48:13 | access to local variable z | -| DefUse.cs:44:13:44:13 | z | DefUse.cs:47:23:47:23 | SSA def(z) | DefUse.cs:50:23:50:23 | access to local variable z | -| DefUse.cs:44:13:44:13 | z | DefUse.cs:50:23:50:23 | SSA def(z) | DefUse.cs:51:13:51:13 | access to local variable z | +| DefUse.cs:44:13:44:13 | z | DefUse.cs:47:9:47:24 | SSA def(z) | DefUse.cs:48:13:48:13 | access to local variable z | +| DefUse.cs:44:13:44:13 | z | DefUse.cs:47:9:47:24 | SSA def(z) | DefUse.cs:50:23:50:23 | access to local variable z | +| DefUse.cs:44:13:44:13 | z | DefUse.cs:50:9:50:24 | SSA def(z) | DefUse.cs:51:13:51:13 | access to local variable z | | DefUse.cs:53:9:53:13 | this.Field | DefUse.cs:53:9:53:17 | SSA def(this.Field) | DefUse.cs:54:13:54:17 | access to field Field | | DefUse.cs:56:9:56:12 | this.Prop | DefUse.cs:56:9:56:16 | SSA def(this.Prop) | DefUse.cs:57:13:57:16 | access to property Prop | | DefUse.cs:63:9:63:14 | this.Field2 | DefUse.cs:63:9:63:18 | SSA def(this.Field2) | DefUse.cs:64:13:64:18 | access to field Field2 | @@ -73,12 +73,12 @@ | DefUse.cs:66:9:66:14 | this.Field3 | DefUse.cs:66:9:66:18 | SSA def(this.Field3) | DefUse.cs:69:13:69:18 | access to field Field3 | | DefUse.cs:67:19:67:20 | tc | DefUse.cs:67:19:67:27 | SSA def(tc) | DefUse.cs:68:9:68:10 | access to local variable tc | | DefUse.cs:79:13:79:14 | x1 | DefUse.cs:80:9:80:51 | SSA phi(x1) | DefUse.cs:80:30:80:31 | access to local variable x1 | -| DefUse.cs:79:13:79:14 | x1 | DefUse.cs:80:30:80:31 | SSA def(x1) | DefUse.cs:81:13:81:14 | access to local variable x1 | +| DefUse.cs:79:13:79:14 | x1 | DefUse.cs:80:16:80:32 | SSA def(x1) | DefUse.cs:81:13:81:14 | access to local variable x1 | | DefUse.cs:83:13:83:14 | x2 | DefUse.cs:83:13:83:18 | SSA def(x2) | DefUse.cs:85:15:85:16 | access to local variable x2 | -| DefUse.cs:83:13:83:14 | x2 | DefUse.cs:85:15:85:16 | SSA def(x2) | DefUse.cs:87:13:87:14 | access to local variable x2 | +| DefUse.cs:83:13:83:14 | x2 | DefUse.cs:84:9:86:17 | SSA def(x2) | DefUse.cs:87:13:87:14 | access to local variable x2 | | DefUse.cs:89:13:89:14 | x3 | DefUse.cs:89:13:89:18 | SSA def(x3) | DefUse.cs:92:15:92:16 | access to local variable x3 | -| DefUse.cs:89:13:89:14 | x3 | DefUse.cs:92:15:92:16 | SSA def(x3) | DefUse.cs:94:13:94:14 | access to local variable x3 | -| DefUse.cs:90:13:90:14 | x4 | DefUse.cs:93:15:93:16 | SSA def(x4) | DefUse.cs:95:13:95:14 | access to local variable x4 | +| DefUse.cs:89:13:89:14 | x3 | DefUse.cs:91:9:93:17 | SSA def(x3) | DefUse.cs:94:13:94:14 | access to local variable x3 | +| DefUse.cs:90:13:90:14 | x4 | DefUse.cs:91:9:93:17 | SSA def(x4) | DefUse.cs:95:13:95:14 | access to local variable x4 | | DefUse.cs:97:13:97:14 | x5 | DefUse.cs:98:9:102:9 | SSA phi(x5) | DefUse.cs:98:16:98:17 | access to local variable x5 | | DefUse.cs:97:13:97:14 | x5 | DefUse.cs:98:9:102:9 | SSA phi(x5) | DefUse.cs:100:17:100:18 | access to local variable x5 | | DefUse.cs:97:13:97:14 | x5 | DefUse.cs:98:9:102:9 | SSA phi(x5) | DefUse.cs:101:18:101:19 | access to local variable x5 | @@ -198,22 +198,22 @@ | MultiImplementationA.cs:5:22:5:22 | x | MultiImplementationA.cs:5:22:5:22 | SSA param(x) | MultiImplementationA.cs:5:28:5:28 | access to parameter x | | MultiImplementationA.cs:5:22:5:22 | x | MultiImplementationB.cs:3:22:3:22 | SSA param(x) | MultiImplementationB.cs:3:28:3:28 | access to parameter x | | OutRef.cs:9:13:9:13 | j | OutRef.cs:9:13:9:17 | SSA def(j) | OutRef.cs:10:32:10:32 | access to local variable j | -| OutRef.cs:9:13:9:13 | j | OutRef.cs:10:32:10:32 | SSA def(j) | OutRef.cs:12:13:12:13 | access to local variable j | -| OutRef.cs:9:13:9:13 | j | OutRef.cs:10:32:10:32 | SSA def(j) | OutRef.cs:22:29:22:29 | access to local variable j | -| OutRef.cs:9:13:9:13 | j | OutRef.cs:22:22:22:22 | SSA def(j) | OutRef.cs:23:13:23:13 | access to local variable j | -| OutRef.cs:9:13:9:13 | j | OutRef.cs:22:22:22:22 | SSA def(j) | OutRef.cs:24:29:24:29 | access to local variable j | -| OutRef.cs:9:13:9:13 | j | OutRef.cs:24:29:24:29 | SSA def(j) | OutRef.cs:25:13:25:13 | access to local variable j | -| OutRef.cs:10:25:10:25 | i | OutRef.cs:10:25:10:25 | SSA def(i) | OutRef.cs:11:13:11:13 | access to local variable i | -| OutRef.cs:10:25:10:25 | i | OutRef.cs:13:21:13:21 | SSA def(i) | OutRef.cs:14:13:14:13 | access to local variable i | +| OutRef.cs:9:13:9:13 | j | OutRef.cs:10:9:10:33 | SSA def(j) | OutRef.cs:12:13:12:13 | access to local variable j | +| OutRef.cs:9:13:9:13 | j | OutRef.cs:10:9:10:33 | SSA def(j) | OutRef.cs:22:29:22:29 | access to local variable j | +| OutRef.cs:9:13:9:13 | j | OutRef.cs:22:9:22:30 | SSA def(j) | OutRef.cs:23:13:23:13 | access to local variable j | +| OutRef.cs:9:13:9:13 | j | OutRef.cs:22:9:22:30 | SSA def(j) | OutRef.cs:24:29:24:29 | access to local variable j | +| OutRef.cs:9:13:9:13 | j | OutRef.cs:24:9:24:30 | SSA def(j) | OutRef.cs:25:13:25:13 | access to local variable j | +| OutRef.cs:10:25:10:25 | i | OutRef.cs:10:9:10:33 | SSA def(i) | OutRef.cs:11:13:11:13 | access to local variable i | +| OutRef.cs:10:25:10:25 | i | OutRef.cs:13:9:13:33 | SSA def(i) | OutRef.cs:14:13:14:13 | access to local variable i | | OutRef.cs:13:28:13:32 | this.Field | OutRef.cs:7:10:7:10 | SSA entry def(this.Field) | OutRef.cs:13:28:13:32 | access to field Field | -| OutRef.cs:13:28:13:32 | this.Field | OutRef.cs:13:28:13:32 | SSA def(this.Field) | OutRef.cs:15:13:15:17 | access to field Field | -| OutRef.cs:13:28:13:32 | this.Field | OutRef.cs:13:28:13:32 | SSA def(this.Field) | OutRef.cs:16:32:16:36 | access to field Field | -| OutRef.cs:13:28:13:32 | this.Field | OutRef.cs:16:21:16:25 | SSA def(this.Field) | OutRef.cs:17:13:17:17 | access to field Field | -| OutRef.cs:13:28:13:32 | this.Field | OutRef.cs:19:21:19:25 | SSA def(this.Field) | OutRef.cs:20:13:20:17 | access to field Field | +| OutRef.cs:13:28:13:32 | this.Field | OutRef.cs:13:9:13:33 | SSA def(this.Field) | OutRef.cs:15:13:15:17 | access to field Field | +| OutRef.cs:13:28:13:32 | this.Field | OutRef.cs:13:9:13:33 | SSA def(this.Field) | OutRef.cs:16:32:16:36 | access to field Field | +| OutRef.cs:13:28:13:32 | this.Field | OutRef.cs:16:9:16:37 | SSA def(this.Field) | OutRef.cs:17:13:17:17 | access to field Field | +| OutRef.cs:13:28:13:32 | this.Field | OutRef.cs:19:9:19:39 | SSA def(this.Field) | OutRef.cs:20:13:20:17 | access to field Field | | OutRef.cs:18:13:18:13 | t | OutRef.cs:18:13:18:28 | SSA def(t) | OutRef.cs:19:32:19:32 | access to local variable t | | OutRef.cs:18:13:18:13 | t | OutRef.cs:18:13:18:28 | SSA def(t) | OutRef.cs:21:13:21:13 | access to local variable t | | OutRef.cs:19:32:19:38 | t.Field | OutRef.cs:18:13:18:28 | SSA qualifier def(t.Field) | OutRef.cs:19:32:19:38 | access to field Field | -| OutRef.cs:19:32:19:38 | t.Field | OutRef.cs:19:32:19:38 | SSA def(t.Field) | OutRef.cs:21:13:21:19 | access to field Field | +| OutRef.cs:19:32:19:38 | t.Field | OutRef.cs:19:9:19:39 | SSA def(t.Field) | OutRef.cs:21:13:21:19 | access to field Field | | OutRef.cs:28:37:28:37 | j | OutRef.cs:28:37:28:37 | SSA param(j) | OutRef.cs:30:13:30:13 | access to parameter j | | OutRef.cs:34:38:34:38 | j | OutRef.cs:34:38:34:38 | SSA param(j) | OutRef.cs:36:13:36:13 | access to parameter j | | OutRef.cs:39:24:39:24 | b | OutRef.cs:39:24:39:24 | SSA param(b) | OutRef.cs:41:13:41:13 | access to parameter b | diff --git a/csharp/ql/test/library-tests/dataflow/ssa/SsaUltimateDef.expected b/csharp/ql/test/library-tests/dataflow/ssa/SsaUltimateDef.expected index a34b470ccdc..f12eaaf9826 100644 --- a/csharp/ql/test/library-tests/dataflow/ssa/SsaUltimateDef.expected +++ b/csharp/ql/test/library-tests/dataflow/ssa/SsaUltimateDef.expected @@ -35,7 +35,7 @@ | Capture.cs:248:36:248:36 | j | Capture.cs:251:13:251:17 | SSA def(j) | Capture.cs:251:13:251:17 | SSA def(j) | | Consistency.cs:7:25:7:25 | b | Consistency.cs:7:25:7:25 | SSA param(b) | Consistency.cs:7:25:7:25 | SSA param(b) | | Consistency.cs:15:17:15:17 | i | Consistency.cs:15:17:15:21 | SSA def(i) | Consistency.cs:15:17:15:21 | SSA def(i) | -| Consistency.cs:25:29:25:29 | c | Consistency.cs:25:29:25:29 | SSA def(c) | Consistency.cs:25:29:25:29 | SSA def(c) | +| Consistency.cs:25:29:25:29 | c | Consistency.cs:25:9:25:30 | SSA def(c) | Consistency.cs:25:9:25:30 | SSA def(c) | | Consistency.cs:26:13:26:19 | c.Field | Consistency.cs:25:9:25:30 | SSA qualifier def(c.Field) | Consistency.cs:25:9:25:30 | SSA qualifier def(c.Field) | | Consistency.cs:30:30:30:30 | c | Consistency.cs:32:9:32:29 | SSA def(c) | Consistency.cs:32:9:32:29 | SSA def(c) | | Consistency.cs:44:11:44:11 | s | Consistency.cs:44:11:44:11 | SSA def(s) | Consistency.cs:44:11:44:11 | SSA def(s) | @@ -61,8 +61,8 @@ | DefUse.cs:6:14:6:14 | y | DefUse.cs:37:9:40:9 | SSA phi(y) | DefUse.cs:39:13:39:18 | SSA def(y) | | DefUse.cs:6:14:6:14 | y | DefUse.cs:39:13:39:18 | SSA def(y) | DefUse.cs:39:13:39:18 | SSA def(y) | | DefUse.cs:44:13:44:13 | z | DefUse.cs:44:13:44:17 | SSA def(z) | DefUse.cs:44:13:44:17 | SSA def(z) | -| DefUse.cs:44:13:44:13 | z | DefUse.cs:47:23:47:23 | SSA def(z) | DefUse.cs:47:23:47:23 | SSA def(z) | -| DefUse.cs:44:13:44:13 | z | DefUse.cs:50:23:50:23 | SSA def(z) | DefUse.cs:50:23:50:23 | SSA def(z) | +| DefUse.cs:44:13:44:13 | z | DefUse.cs:47:9:47:24 | SSA def(z) | DefUse.cs:47:9:47:24 | SSA def(z) | +| DefUse.cs:44:13:44:13 | z | DefUse.cs:50:9:50:24 | SSA def(z) | DefUse.cs:50:9:50:24 | SSA def(z) | | DefUse.cs:53:9:53:13 | this.Field | DefUse.cs:53:9:53:17 | SSA def(this.Field) | DefUse.cs:53:9:53:17 | SSA def(this.Field) | | DefUse.cs:56:9:56:12 | this.Prop | DefUse.cs:56:9:56:16 | SSA def(this.Prop) | DefUse.cs:56:9:56:16 | SSA def(this.Prop) | | DefUse.cs:63:9:63:14 | this.Field2 | DefUse.cs:63:9:63:18 | SSA def(this.Field2) | DefUse.cs:63:9:63:18 | SSA def(this.Field2) | @@ -70,13 +70,13 @@ | DefUse.cs:67:19:67:20 | tc | DefUse.cs:67:19:67:27 | SSA def(tc) | DefUse.cs:67:19:67:27 | SSA def(tc) | | DefUse.cs:79:13:79:14 | x1 | DefUse.cs:79:13:79:18 | SSA def(x1) | DefUse.cs:79:13:79:18 | SSA def(x1) | | DefUse.cs:79:13:79:14 | x1 | DefUse.cs:80:9:80:51 | SSA phi(x1) | DefUse.cs:79:13:79:18 | SSA def(x1) | -| DefUse.cs:79:13:79:14 | x1 | DefUse.cs:80:9:80:51 | SSA phi(x1) | DefUse.cs:80:30:80:31 | SSA def(x1) | -| DefUse.cs:79:13:79:14 | x1 | DefUse.cs:80:30:80:31 | SSA def(x1) | DefUse.cs:80:30:80:31 | SSA def(x1) | +| DefUse.cs:79:13:79:14 | x1 | DefUse.cs:80:9:80:51 | SSA phi(x1) | DefUse.cs:80:16:80:32 | SSA def(x1) | +| DefUse.cs:79:13:79:14 | x1 | DefUse.cs:80:16:80:32 | SSA def(x1) | DefUse.cs:80:16:80:32 | SSA def(x1) | | DefUse.cs:83:13:83:14 | x2 | DefUse.cs:83:13:83:18 | SSA def(x2) | DefUse.cs:83:13:83:18 | SSA def(x2) | -| DefUse.cs:83:13:83:14 | x2 | DefUse.cs:85:15:85:16 | SSA def(x2) | DefUse.cs:85:15:85:16 | SSA def(x2) | +| DefUse.cs:83:13:83:14 | x2 | DefUse.cs:84:9:86:17 | SSA def(x2) | DefUse.cs:84:9:86:17 | SSA def(x2) | | DefUse.cs:89:13:89:14 | x3 | DefUse.cs:89:13:89:18 | SSA def(x3) | DefUse.cs:89:13:89:18 | SSA def(x3) | -| DefUse.cs:89:13:89:14 | x3 | DefUse.cs:92:15:92:16 | SSA def(x3) | DefUse.cs:92:15:92:16 | SSA def(x3) | -| DefUse.cs:90:13:90:14 | x4 | DefUse.cs:93:15:93:16 | SSA def(x4) | DefUse.cs:93:15:93:16 | SSA def(x4) | +| DefUse.cs:89:13:89:14 | x3 | DefUse.cs:91:9:93:17 | SSA def(x3) | DefUse.cs:91:9:93:17 | SSA def(x3) | +| DefUse.cs:90:13:90:14 | x4 | DefUse.cs:91:9:93:17 | SSA def(x4) | DefUse.cs:91:9:93:17 | SSA def(x4) | | DefUse.cs:97:13:97:14 | x5 | DefUse.cs:97:13:97:18 | SSA def(x5) | DefUse.cs:97:13:97:18 | SSA def(x5) | | DefUse.cs:97:13:97:14 | x5 | DefUse.cs:98:9:102:9 | SSA phi(x5) | DefUse.cs:97:13:97:18 | SSA def(x5) | | DefUse.cs:97:13:97:14 | x5 | DefUse.cs:98:9:102:9 | SSA phi(x5) | DefUse.cs:101:13:101:23 | SSA def(x5) | @@ -219,19 +219,19 @@ | MultiImplementationA.cs:5:22:5:22 | x | MultiImplementationA.cs:5:22:5:22 | SSA param(x) | MultiImplementationA.cs:5:22:5:22 | SSA param(x) | | MultiImplementationA.cs:5:22:5:22 | x | MultiImplementationB.cs:3:22:3:22 | SSA param(x) | MultiImplementationB.cs:3:22:3:22 | SSA param(x) | | OutRef.cs:9:13:9:13 | j | OutRef.cs:9:13:9:17 | SSA def(j) | OutRef.cs:9:13:9:17 | SSA def(j) | -| OutRef.cs:9:13:9:13 | j | OutRef.cs:10:32:10:32 | SSA def(j) | OutRef.cs:10:32:10:32 | SSA def(j) | -| OutRef.cs:9:13:9:13 | j | OutRef.cs:22:22:22:22 | SSA def(j) | OutRef.cs:22:22:22:22 | SSA def(j) | -| OutRef.cs:9:13:9:13 | j | OutRef.cs:24:29:24:29 | SSA def(j) | OutRef.cs:22:22:22:22 | SSA def(j) | -| OutRef.cs:9:13:9:13 | j | OutRef.cs:24:29:24:29 | SSA def(j) | OutRef.cs:24:29:24:29 | SSA def(j) | -| OutRef.cs:10:25:10:25 | i | OutRef.cs:10:25:10:25 | SSA def(i) | OutRef.cs:10:25:10:25 | SSA def(i) | -| OutRef.cs:10:25:10:25 | i | OutRef.cs:13:21:13:21 | SSA def(i) | OutRef.cs:13:21:13:21 | SSA def(i) | +| OutRef.cs:9:13:9:13 | j | OutRef.cs:10:9:10:33 | SSA def(j) | OutRef.cs:10:9:10:33 | SSA def(j) | +| OutRef.cs:9:13:9:13 | j | OutRef.cs:22:9:22:30 | SSA def(j) | OutRef.cs:22:9:22:30 | SSA def(j) | +| OutRef.cs:9:13:9:13 | j | OutRef.cs:24:9:24:30 | SSA def(j) | OutRef.cs:22:9:22:30 | SSA def(j) | +| OutRef.cs:9:13:9:13 | j | OutRef.cs:24:9:24:30 | SSA def(j) | OutRef.cs:24:9:24:30 | SSA def(j) | +| OutRef.cs:10:25:10:25 | i | OutRef.cs:10:9:10:33 | SSA def(i) | OutRef.cs:10:9:10:33 | SSA def(i) | +| OutRef.cs:10:25:10:25 | i | OutRef.cs:13:9:13:33 | SSA def(i) | OutRef.cs:13:9:13:33 | SSA def(i) | | OutRef.cs:13:28:13:32 | this.Field | OutRef.cs:7:10:7:10 | SSA entry def(this.Field) | OutRef.cs:7:10:7:10 | SSA entry def(this.Field) | -| OutRef.cs:13:28:13:32 | this.Field | OutRef.cs:13:28:13:32 | SSA def(this.Field) | OutRef.cs:13:28:13:32 | SSA def(this.Field) | -| OutRef.cs:13:28:13:32 | this.Field | OutRef.cs:16:21:16:25 | SSA def(this.Field) | OutRef.cs:16:21:16:25 | SSA def(this.Field) | -| OutRef.cs:13:28:13:32 | this.Field | OutRef.cs:19:21:19:25 | SSA def(this.Field) | OutRef.cs:19:21:19:25 | SSA def(this.Field) | +| OutRef.cs:13:28:13:32 | this.Field | OutRef.cs:13:9:13:33 | SSA def(this.Field) | OutRef.cs:13:9:13:33 | SSA def(this.Field) | +| OutRef.cs:13:28:13:32 | this.Field | OutRef.cs:16:9:16:37 | SSA def(this.Field) | OutRef.cs:16:9:16:37 | SSA def(this.Field) | +| OutRef.cs:13:28:13:32 | this.Field | OutRef.cs:19:9:19:39 | SSA def(this.Field) | OutRef.cs:19:9:19:39 | SSA def(this.Field) | | OutRef.cs:18:13:18:13 | t | OutRef.cs:18:13:18:28 | SSA def(t) | OutRef.cs:18:13:18:28 | SSA def(t) | | OutRef.cs:19:32:19:38 | t.Field | OutRef.cs:18:13:18:28 | SSA qualifier def(t.Field) | OutRef.cs:18:13:18:28 | SSA qualifier def(t.Field) | -| OutRef.cs:19:32:19:38 | t.Field | OutRef.cs:19:32:19:38 | SSA def(t.Field) | OutRef.cs:19:32:19:38 | SSA def(t.Field) | +| OutRef.cs:19:32:19:38 | t.Field | OutRef.cs:19:9:19:39 | SSA def(t.Field) | OutRef.cs:19:9:19:39 | SSA def(t.Field) | | OutRef.cs:28:26:28:26 | i | OutRef.cs:30:9:30:13 | SSA def(i) | OutRef.cs:30:9:30:13 | SSA def(i) | | OutRef.cs:28:37:28:37 | j | OutRef.cs:28:37:28:37 | SSA param(j) | OutRef.cs:28:37:28:37 | SSA param(j) | | OutRef.cs:28:37:28:37 | j | OutRef.cs:31:9:31:13 | SSA def(j) | OutRef.cs:31:9:31:13 | SSA def(j) | From 21a0d1444fe608dccd92f8c3028f4c5f370786c6 Mon Sep 17 00:00:00 2001 From: Anders Schack-Mulligen Date: Fri, 1 May 2026 13:13:40 +0200 Subject: [PATCH 38/46] C#: Add change note. --- csharp/ql/lib/change-notes/2026-05-01-ssa-replacement.md | 4 ++++ 1 file changed, 4 insertions(+) create mode 100644 csharp/ql/lib/change-notes/2026-05-01-ssa-replacement.md diff --git a/csharp/ql/lib/change-notes/2026-05-01-ssa-replacement.md b/csharp/ql/lib/change-notes/2026-05-01-ssa-replacement.md new file mode 100644 index 00000000000..27988f36f2f --- /dev/null +++ b/csharp/ql/lib/change-notes/2026-05-01-ssa-replacement.md @@ -0,0 +1,4 @@ +--- +category: deprecated +--- +* The QL classes in the C# SSA library have been renamed to improve consistency between languages. Any custom QL code that makes use of SSA needs to be updated. The old classes have been deprecated and include more detailed migration instructions in their qldoc. From 1f3a8319ed4e607032bde23d773b00bcb62f41c1 Mon Sep 17 00:00:00 2001 From: Tom Hvitved Date: Mon, 4 May 2026 09:41:00 +0200 Subject: [PATCH 39/46] Update csharp/ql/lib/semmle/code/csharp/dataflow/internal/SsaImpl.qll Co-authored-by: Copilot <175728472+Copilot@users.noreply.github.com> --- csharp/ql/lib/semmle/code/csharp/dataflow/internal/SsaImpl.qll | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/csharp/ql/lib/semmle/code/csharp/dataflow/internal/SsaImpl.qll b/csharp/ql/lib/semmle/code/csharp/dataflow/internal/SsaImpl.qll index 9f0ca12888f..e248cf1c7e9 100644 --- a/csharp/ql/lib/semmle/code/csharp/dataflow/internal/SsaImpl.qll +++ b/csharp/ql/lib/semmle/code/csharp/dataflow/internal/SsaImpl.qll @@ -1019,7 +1019,7 @@ private module DataFlowIntegrationInput implements Impl::DataFlowIntegrationInpu } /** - * Allows for flow into uncertain defintions that are not call definitions, + * Allows for flow into uncertain definitions that are not call definitions, * as we, conservatively, consider such definitions to be certain. */ predicate allowFlowIntoUncertainDef(Impl::UncertainWriteDefinition def) { From 80ccdcc6965dd963233951f582a893c0163fa0b7 Mon Sep 17 00:00:00 2001 From: Tom Hvitved Date: Mon, 4 May 2026 11:06:00 +0200 Subject: [PATCH 40/46] Inline test expectations: Rename `tagIsOptional` to `tagIsIgnored` --- .../type-inference/type-inference.ql | 2 - .../util/test/InlineExpectationsTest.qll | 59 +++++++++---------- 2 files changed, 27 insertions(+), 34 deletions(-) diff --git a/rust/ql/test/library-tests/type-inference/type-inference.ql b/rust/ql/test/library-tests/type-inference/type-inference.ql index c4653f557ac..ea8ef68134d 100644 --- a/rust/ql/test/library-tests/type-inference/type-inference.ql +++ b/rust/ql/test/library-tests/type-inference/type-inference.ql @@ -62,8 +62,6 @@ module ResolveTest implements TestSig { module TypeTest implements TestSig { string getARelevantTag() { result = ["type", "certainType"] } - predicate tagIsOptional(string expectedTag) { expectedTag = "type" } - predicate hasActualResult(Location location, string element, string tag, string value) { none() } predicate hasOptionalResult(Location location, string element, string tag, string value) { diff --git a/shared/util/codeql/util/test/InlineExpectationsTest.qll b/shared/util/codeql/util/test/InlineExpectationsTest.qll index 0d4bb3d9710..e2ea9b87e74 100644 --- a/shared/util/codeql/util/test/InlineExpectationsTest.qll +++ b/shared/util/codeql/util/test/InlineExpectationsTest.qll @@ -146,9 +146,9 @@ module Make { bindingset[expectedTag, actualTag] default predicate tagMatches(string expectedTag, string actualTag) { expectedTag = actualTag } - /** Holds if expectations marked with `expectedTag` are optional. */ + /** Holds if expectations marked with `expectedTag` are ignored. */ bindingset[expectedTag] - default predicate tagIsOptional(string expectedTag) { none() } + default predicate tagIsIgnored(string expectedTag) { none() } /** * Holds if expected value `expectedValue` matches actual value `actualValue`. @@ -223,8 +223,7 @@ module Make { exists(ValidTestExpectation expectation | not exists(ActualTestResult actualResult | expectation.matchesActualResult(actualResult)) and expectation.getTag() = TestImpl::getARelevantTag() and - element = expectation and - not expectation.isOptional() + element = expectation | expectation instanceof GoodTestExpectation and message = "Missing result: " + expectation.getExpectationText() @@ -253,7 +252,8 @@ module Make { exists(TColumn column, string tags | getAnExpectation(comment, column, _, tags, value) and tag = tags.splitAt(",") and - knownFailure = getColumnString(column) + knownFailure = getColumnString(column) and + not TestImpl::tagIsIgnored(tag) ) } or TInvalidExpectation(Impl::ExpectationComment comment, string expectation) { @@ -338,8 +338,6 @@ module Make { TestImpl::tagMatches(this.getTag(), actualResult.getTag()) and TestImpl::valueMatches(this.getValue(), actualResult.getValue()) } - - predicate isOptional() { TestImpl::tagIsOptional(tag) } } // Note: These next three classes correspond to all the possible values of type `TColumn`. @@ -428,6 +426,12 @@ module Make { result = TestImpl1::getARelevantTag() or result = TestImpl2::getARelevantTag() } + bindingset[expectedTag] + predicate tagIsIgnored(string expectedTag) { + TestImpl1::tagIsIgnored(expectedTag) or + TestImpl2::tagIsIgnored(expectedTag) + } + predicate hasActualResult(Impl::Location location, string element, string tag, string value) { TestImpl1::hasActualResult(location, element, tag, value) or @@ -447,16 +451,13 @@ module Make { module MergeTests3 implements TestSig { private module M = MergeTests, TestImpl3>; - bindingset[result] - string getARelevantTag() { result = M::getARelevantTag() } + predicate getARelevantTag = M::getARelevantTag/0; - predicate hasActualResult(Impl::Location location, string element, string tag, string value) { - M::hasActualResult(location, element, tag, value) - } + predicate tagIsIgnored = M::tagIsIgnored/1; - predicate hasOptionalResult(Impl::Location location, string element, string tag, string value) { - M::hasOptionalResult(location, element, tag, value) - } + predicate hasActualResult = M::hasActualResult/4; + + predicate hasOptionalResult = M::hasOptionalResult/4; } /** @@ -467,16 +468,13 @@ module Make { { private module M = MergeTests, TestImpl4>; - bindingset[result] - string getARelevantTag() { result = M::getARelevantTag() } + predicate getARelevantTag = M::getARelevantTag/0; - predicate hasActualResult(Impl::Location location, string element, string tag, string value) { - M::hasActualResult(location, element, tag, value) - } + predicate tagIsIgnored = M::tagIsIgnored/1; - predicate hasOptionalResult(Impl::Location location, string element, string tag, string value) { - M::hasOptionalResult(location, element, tag, value) - } + predicate hasActualResult = M::hasActualResult/4; + + predicate hasOptionalResult = M::hasOptionalResult/4; } /** @@ -489,16 +487,13 @@ module Make { private module M = MergeTests, TestImpl5>; - bindingset[result] - string getARelevantTag() { result = M::getARelevantTag() } + predicate getARelevantTag = M::getARelevantTag/0; - predicate hasActualResult(Impl::Location location, string element, string tag, string value) { - M::hasActualResult(location, element, tag, value) - } + predicate tagIsIgnored = M::tagIsIgnored/1; - predicate hasOptionalResult(Impl::Location location, string element, string tag, string value) { - M::hasOptionalResult(location, element, tag, value) - } + predicate hasActualResult = M::hasActualResult/4; + + predicate hasOptionalResult = M::hasOptionalResult/4; } /** @@ -870,7 +865,7 @@ module TestPostProcessing { } bindingset[expectedTag] - predicate tagIsOptional(string expectedTag) { + predicate tagIsIgnored(string expectedTag) { exists(getQueryKind()) and ( // ignore irrelevant tags From 02f5fe9a42ae9804aa6366fa42a69e75b1352841 Mon Sep 17 00:00:00 2001 From: Anders Schack-Mulligen Date: Mon, 4 May 2026 11:49:24 +0200 Subject: [PATCH 41/46] C#: Address some review comments. --- csharp/ql/lib/semmle/code/csharp/dataflow/SSA.qll | 13 +++---------- .../csharp/dataflow/internal/DataFlowPrivate.qll | 2 +- .../code/csharp/dataflow/internal/SsaImpl.qll | 8 +++++--- .../dataflow/callablereturnsarg/Common.qll | 3 ++- .../dataflow/ssa/IsLiveOutRefParameterDefinition.ql | 3 ++- 5 files changed, 13 insertions(+), 16 deletions(-) diff --git a/csharp/ql/lib/semmle/code/csharp/dataflow/SSA.qll b/csharp/ql/lib/semmle/code/csharp/dataflow/SSA.qll index fc640cccf77..fee6bedf0f3 100644 --- a/csharp/ql/lib/semmle/code/csharp/dataflow/SSA.qll +++ b/csharp/ql/lib/semmle/code/csharp/dataflow/SSA.qll @@ -183,14 +183,7 @@ module Ssa { * Subsequent reads can be found by following the steps defined by * `AssignableRead.getANextRead()`. */ - AssignableRead ssaGetAFirstUse(SsaDefinition def) { - exists(ControlFlowNode cfn | - SsaImpl::firstReadSameVar(def, cfn) and - result.getControlFlowNode() = cfn - ) - } - - predicate isLiveOutRefParameterDefinition = SsaImpl::isLiveOutRefParameterDefinition/2; + AssignableRead ssaGetAFirstUse(SsaDefinition def) { SsaImpl::firstReadSameVar(def, result) } /** * DEPRECATED: Use `SsaDefinition` instead. @@ -350,7 +343,7 @@ module Ssa { * `AssignableRead.getANextRead()`. */ deprecated final AssignableRead getAFirstReadAtNode(ControlFlowNode cfn) { - SsaImpl::firstReadSameVar(this, cfn) and + SsaImpl::firstReadSameVar(this, result) and result.getControlFlowNode() = cfn } @@ -416,7 +409,7 @@ module Ssa { } /** - * DEPRECATED: Use `isLiveOutRefParameterDefinition(SsaDefinition, Parameter)` instead. + * DEPRECATED. * * Holds if this SSA definition assigns to `out`/`ref` parameter `p`, and the * parameter may remain unchanged throughout the rest of the enclosing callable. diff --git a/csharp/ql/lib/semmle/code/csharp/dataflow/internal/DataFlowPrivate.qll b/csharp/ql/lib/semmle/code/csharp/dataflow/internal/DataFlowPrivate.qll index ccf65ddb37c..f0d4bd99621 100644 --- a/csharp/ql/lib/semmle/code/csharp/dataflow/internal/DataFlowPrivate.qll +++ b/csharp/ql/lib/semmle/code/csharp/dataflow/internal/DataFlowPrivate.qll @@ -1605,7 +1605,7 @@ private module ReturnNodes { OutRefReturnNode() { exists(Parameter p | - Ssa::isLiveOutRefParameterDefinition(this.getDefinition(), p) and + SsaImpl::isLiveOutRefParameterDefinition(this.getDefinition(), p) and kind.getPosition() = p.getPosition() | p.isOut() and kind instanceof OutReturnKind diff --git a/csharp/ql/lib/semmle/code/csharp/dataflow/internal/SsaImpl.qll b/csharp/ql/lib/semmle/code/csharp/dataflow/internal/SsaImpl.qll index e248cf1c7e9..b7257a2f5f2 100644 --- a/csharp/ql/lib/semmle/code/csharp/dataflow/internal/SsaImpl.qll +++ b/csharp/ql/lib/semmle/code/csharp/dataflow/internal/SsaImpl.qll @@ -854,12 +854,14 @@ private module Cached { } /** - * Holds if the value defined at SSA definition `def` can reach a read at `cfn`, + * Holds if the value defined at SSA definition `def` can reach a read `read`, * without passing through any other read. */ cached - predicate firstReadSameVar(Definition def, ControlFlowNode cfn) { - exists(BasicBlock bb, int i | Impl::firstUse(def, bb, i, true) and cfn = bb.getNode(i)) + predicate firstReadSameVar(Definition def, AssignableRead read) { + exists(BasicBlock bb, int i | + Impl::firstUse(def, bb, i, true) and read.getControlFlowNode() = bb.getNode(i) + ) } /** diff --git a/csharp/ql/test/library-tests/dataflow/callablereturnsarg/Common.qll b/csharp/ql/test/library-tests/dataflow/callablereturnsarg/Common.qll index 2af01c72333..043ff2d1bc5 100644 --- a/csharp/ql/test/library-tests/dataflow/callablereturnsarg/Common.qll +++ b/csharp/ql/test/library-tests/dataflow/callablereturnsarg/Common.qll @@ -1,11 +1,12 @@ import csharp private import semmle.code.csharp.controlflow.Guards +private import semmle.code.csharp.dataflow.internal.SsaImpl as SsaImpl private predicate outRefDef(DataFlow::ExprNode ne, int outRef) { exists(SsaExplicitWrite def, Parameter outRefParameter | outRefParameter.isOutOrRef() and ne.getExpr() = def.getValue() and - Ssa::isLiveOutRefParameterDefinition(def, outRefParameter) and + SsaImpl::isLiveOutRefParameterDefinition(def, outRefParameter) and outRef = outRefParameter.getPosition() ) } diff --git a/csharp/ql/test/library-tests/dataflow/ssa/IsLiveOutRefParameterDefinition.ql b/csharp/ql/test/library-tests/dataflow/ssa/IsLiveOutRefParameterDefinition.ql index 130d91fb6fe..a8d2309d080 100644 --- a/csharp/ql/test/library-tests/dataflow/ssa/IsLiveOutRefParameterDefinition.ql +++ b/csharp/ql/test/library-tests/dataflow/ssa/IsLiveOutRefParameterDefinition.ql @@ -1,7 +1,8 @@ import csharp +private import semmle.code.csharp.dataflow.internal.SsaImpl as SsaImpl from Ssa::SourceVariable v, SsaDefinition def where v = def.getSourceVariable() and - Ssa::isLiveOutRefParameterDefinition(def, _) + SsaImpl::isLiveOutRefParameterDefinition(def, _) select v, def From 39b6cf94688e54bce7a7c6944dda1e955cda131e Mon Sep 17 00:00:00 2001 From: Kristen Newbury Date: Mon, 4 May 2026 16:47:44 -0400 Subject: [PATCH 42/46] Address review comments --- .../2026-04-15-poisonable-steps-additions-alterations.md | 2 +- .../2026-04-15-untrusted-checkout-improvements-helpfile.md | 4 ++++ .../2026-04-15-untrusted-checkout-improvements-metadata.md | 4 ++++ .../2026-04-15-untrusted-checkout-improvements.md | 4 +--- 4 files changed, 10 insertions(+), 4 deletions(-) create mode 100644 actions/ql/src/change-notes/2026-04-15-untrusted-checkout-improvements-helpfile.md create mode 100644 actions/ql/src/change-notes/2026-04-15-untrusted-checkout-improvements-metadata.md diff --git a/actions/ql/lib/change-notes/2026-04-15-poisonable-steps-additions-alterations.md b/actions/ql/lib/change-notes/2026-04-15-poisonable-steps-additions-alterations.md index 1d6a8a49a2c..4a28280a3c8 100644 --- a/actions/ql/lib/change-notes/2026-04-15-poisonable-steps-additions-alterations.md +++ b/actions/ql/lib/change-notes/2026-04-15-poisonable-steps-additions-alterations.md @@ -1,4 +1,4 @@ --- category: minorAnalysis --- -* Altered 2 patterns in the `poisonable_steps` modelling. Extra sinks are detected in the following cases: scripts executed via python modules and `go run` in directories are detected as potential mechanisms of injection. For the go execution pattern, the pattern is updated to now ignore flags that occur between go and the specific command. This change may lead to more results being detected by any queries that use that library. \ No newline at end of file +* Altered 2 patterns in the `poisonable_steps` modelling. Extra sinks are detected in the following cases: scripts executed via python modules and `go run` in directories are detected as potential mechanisms of injection. For the go execution pattern, the pattern is updated to now ignore flags that occur between go and the specific command. This change may lead to more results being detected by the following queries: `actions/untrusted-checkout/high`, `actions/untrusted-checkout/critical`, `actions/untrusted-checkout-toctou/high`, `actions/untrusted-checkout-toctou/critical`, `actions/cache-poisoning/poisonable-step`, `actions/cache-poisoning/direct-cache` and `actions/artifact-poisoning/path-traversal`. \ No newline at end of file diff --git a/actions/ql/src/change-notes/2026-04-15-untrusted-checkout-improvements-helpfile.md b/actions/ql/src/change-notes/2026-04-15-untrusted-checkout-improvements-helpfile.md new file mode 100644 index 00000000000..2555bc03d3d --- /dev/null +++ b/actions/ql/src/change-notes/2026-04-15-untrusted-checkout-improvements-helpfile.md @@ -0,0 +1,4 @@ +--- +category: fix +--- +* Fixed help file descriptions for queries: `actions/untrusted-checkout/critical`, `actions/untrusted-checkout/high`, `actions/untrusted-checkout/medium`. Previously the messages were unclear as to why and how the vulnerabilities could occur. \ No newline at end of file diff --git a/actions/ql/src/change-notes/2026-04-15-untrusted-checkout-improvements-metadata.md b/actions/ql/src/change-notes/2026-04-15-untrusted-checkout-improvements-metadata.md new file mode 100644 index 00000000000..78f97da0f17 --- /dev/null +++ b/actions/ql/src/change-notes/2026-04-15-untrusted-checkout-improvements-metadata.md @@ -0,0 +1,4 @@ +--- +category: queryMetadata +--- +* Adjusted the name of `actions/untrusted-checkout/high` to more clearly describe which parts of the scenario are in a privileged context. \ No newline at end of file diff --git a/actions/ql/src/change-notes/2026-04-15-untrusted-checkout-improvements.md b/actions/ql/src/change-notes/2026-04-15-untrusted-checkout-improvements.md index b78cc74e089..098c60a3753 100644 --- a/actions/ql/src/change-notes/2026-04-15-untrusted-checkout-improvements.md +++ b/actions/ql/src/change-notes/2026-04-15-untrusted-checkout-improvements.md @@ -1,6 +1,4 @@ --- category: majorAnalysis --- -* Fixed help file descriptions for queries: `actions/untrusted-checkout/critical`, `actions/untrusted-checkout/high`, `actions/untrusted-checkout/medium`. Previously the messages were unclear as to why and how the vulnerabilities could occur. -* Adjusted `actions/untrusted-checkout/critical` to align more with other untrusted resource queries, where the alert location is the location where the artifact is obtained from (the checkout point). This aligns with the other 2 related queries. This will cause the same alerts to re-open for closed alerts of this query. -* Adjusted the name of `actions/untrusted-checkout/high` to more clearly describe which parts of the scenario are in a privileged context. This will cause the same alerts to re-open for closed alerts of this query. \ No newline at end of file +* Adjusted `actions/untrusted-checkout/critical` to align more with other untrusted resource queries, where the alert location is the location where the artifact is obtained from (the checkout point). This aligns with the other 2 related queries. This will cause the same alerts to re-open for closed alerts of this query. \ No newline at end of file From f9f1349a0dde007305a3fad40ed50c0a37591724 Mon Sep 17 00:00:00 2001 From: Kristen Newbury Date: Mon, 4 May 2026 16:50:55 -0400 Subject: [PATCH 43/46] Undo larger change in this PR --- actions/ql/src/Security/CWE-829/UntrustedCheckoutCritical.ql | 2 +- .../2026-04-15-untrusted-checkout-improvements.md | 4 ---- 2 files changed, 1 insertion(+), 5 deletions(-) delete mode 100644 actions/ql/src/change-notes/2026-04-15-untrusted-checkout-improvements.md diff --git a/actions/ql/src/Security/CWE-829/UntrustedCheckoutCritical.ql b/actions/ql/src/Security/CWE-829/UntrustedCheckoutCritical.ql index 8e8882f9cf5..ad79a1ce776 100644 --- a/actions/ql/src/Security/CWE-829/UntrustedCheckoutCritical.ql +++ b/actions/ql/src/Security/CWE-829/UntrustedCheckoutCritical.ql @@ -51,5 +51,5 @@ where event.getName() = checkoutTriggers() and not exists(ControlCheck check | check.protects(checkout, event, "untrusted-checkout")) and not exists(ControlCheck check | check.protects(poisonable, event, "untrusted-checkout")) -select checkout, checkout, poisonable, +select poisonable, checkout, poisonable, "Potential execution of untrusted code on a privileged workflow ($@)", event, event.getName() diff --git a/actions/ql/src/change-notes/2026-04-15-untrusted-checkout-improvements.md b/actions/ql/src/change-notes/2026-04-15-untrusted-checkout-improvements.md deleted file mode 100644 index 098c60a3753..00000000000 --- a/actions/ql/src/change-notes/2026-04-15-untrusted-checkout-improvements.md +++ /dev/null @@ -1,4 +0,0 @@ ---- -category: majorAnalysis ---- -* Adjusted `actions/untrusted-checkout/critical` to align more with other untrusted resource queries, where the alert location is the location where the artifact is obtained from (the checkout point). This aligns with the other 2 related queries. This will cause the same alerts to re-open for closed alerts of this query. \ No newline at end of file From ebc759d830551360f394b74a437522a37d6cb083 Mon Sep 17 00:00:00 2001 From: =?UTF-8?q?Jack=20N=C3=B8rskov=20J=C3=B8rgensen?= Date: Tue, 5 May 2026 15:58:42 +0200 Subject: [PATCH 44/46] Fix issue with Python formatting and expand scope of python-tooling --- .github/workflows/python-tooling.yml | 2 +- misc/scripts/models-as-data/generate_mad.py | 3 ++- 2 files changed, 3 insertions(+), 2 deletions(-) diff --git a/.github/workflows/python-tooling.yml b/.github/workflows/python-tooling.yml index bab1277dd03..a3ad9900ea4 100644 --- a/.github/workflows/python-tooling.yml +++ b/.github/workflows/python-tooling.yml @@ -5,7 +5,7 @@ on: paths: - "misc/bazel/**" - "misc/codegen/**" - - "misc/scripts/models-as-data/bulk_generate_mad.py" + - "misc/scripts/models-as-data/*.py" - "*.bazel*" - .github/workflows/codegen.yml - .pre-commit-config.yaml diff --git a/misc/scripts/models-as-data/generate_mad.py b/misc/scripts/models-as-data/generate_mad.py index 9e6c5516b49..d78d5b10cc5 100755 --- a/misc/scripts/models-as-data/generate_mad.py +++ b/misc/scripts/models-as-data/generate_mad.py @@ -67,7 +67,8 @@ class Generator: self.database = database or self.database self.folder = folder or self.folder self.generated_frameworks = os.path.join( - self.codeql_root, f"{self.language}/ql/lib/ext/generated/modelgenerator/{self.folder}" + self.codeql_root, + f"{self.language}/ql/lib/ext/generated/modelgenerator/{self.folder}", ) self.workDir = tempfile.mkdtemp() if self.ram is None: From 6a8f9a950c674bf21e16cdf8290470a84172a1d9 Mon Sep 17 00:00:00 2001 From: Kristen Newbury Date: Tue, 5 May 2026 13:27:09 -0400 Subject: [PATCH 45/46] Fix unit test expected file --- .../UntrustedCheckoutCritical.expected | 78 +++++++++---------- 1 file changed, 39 insertions(+), 39 deletions(-) diff --git a/actions/ql/test/query-tests/Security/CWE-829/UntrustedCheckoutCritical.expected b/actions/ql/test/query-tests/Security/CWE-829/UntrustedCheckoutCritical.expected index e7c208d1bdb..39e54b2bbae 100644 --- a/actions/ql/test/query-tests/Security/CWE-829/UntrustedCheckoutCritical.expected +++ b/actions/ql/test/query-tests/Security/CWE-829/UntrustedCheckoutCritical.expected @@ -334,42 +334,42 @@ edges | .github/workflows/workflow_run_untrusted_checkout_2.yml:13:9:16:6 | Uses Step | .github/workflows/workflow_run_untrusted_checkout_2.yml:16:9:18:31 | Uses Step | | .github/workflows/workflow_run_untrusted_checkout_3.yml:13:9:16:6 | Uses Step | .github/workflows/workflow_run_untrusted_checkout_3.yml:16:9:18:31 | Uses Step | #select -| .github/actions/dangerous-git-checkout/action.yml:6:7:11:4 | Uses Step | .github/actions/dangerous-git-checkout/action.yml:6:7:11:4 | Uses Step | .github/workflows/untrusted_checkout3.yml:13:9:13:23 | Run Step | Potential execution of untrusted code on a privileged workflow ($@) | .github/workflows/untrusted_checkout3.yml:4:3:4:14 | workflow_run | workflow_run | -| .github/workflows/auto_ci.yml:20:9:27:6 | Uses Step | .github/workflows/auto_ci.yml:20:9:27:6 | Uses Step | .github/workflows/auto_ci.yml:32:9:37:6 | Run Step | Potential execution of untrusted code on a privileged workflow ($@) | .github/workflows/auto_ci.yml:6:3:6:21 | pull_request_target | pull_request_target | -| .github/workflows/auto_ci.yml:20:9:27:6 | Uses Step | .github/workflows/auto_ci.yml:20:9:27:6 | Uses Step | .github/workflows/auto_ci.yml:48:9:52:2 | Run Step | Potential execution of untrusted code on a privileged workflow ($@) | .github/workflows/auto_ci.yml:6:3:6:21 | pull_request_target | pull_request_target | -| .github/workflows/auto_ci.yml:67:9:74:6 | Uses Step | .github/workflows/auto_ci.yml:67:9:74:6 | Uses Step | .github/workflows/auto_ci.yml:79:9:84:6 | Run Step | Potential execution of untrusted code on a privileged workflow ($@) | .github/workflows/auto_ci.yml:6:3:6:21 | pull_request_target | pull_request_target | -| .github/workflows/auto_ci.yml:67:9:74:6 | Uses Step | .github/workflows/auto_ci.yml:67:9:74:6 | Uses Step | .github/workflows/auto_ci.yml:84:9:93:6 | Run Step | Potential execution of untrusted code on a privileged workflow ($@) | .github/workflows/auto_ci.yml:6:3:6:21 | pull_request_target | pull_request_target | -| .github/workflows/dependabot3.yml:15:9:20:6 | Uses Step | .github/workflows/dependabot3.yml:15:9:20:6 | Uses Step | .github/workflows/dependabot3.yml:25:9:48:6 | Run Step: set-milestone | Potential execution of untrusted code on a privileged workflow ($@) | .github/workflows/dependabot3.yml:3:5:3:23 | pull_request_target | pull_request_target | -| .github/workflows/external/TestOrg/TestRepo/.github/workflows/reusable.yml:23:9:26:6 | Uses Step | .github/workflows/external/TestOrg/TestRepo/.github/workflows/reusable.yml:23:9:26:6 | Uses Step | .github/workflows/external/TestOrg/TestRepo/.github/workflows/reusable.yml:26:9:29:7 | Run Step | Potential execution of untrusted code on a privileged workflow ($@) | .github/workflows/reusable_caller1.yaml:4:3:4:21 | pull_request_target | pull_request_target | -| .github/workflows/gitcheckout.yml:10:11:18:8 | Run Step | .github/workflows/gitcheckout.yml:10:11:18:8 | Run Step | .github/workflows/gitcheckout.yml:21:11:23:22 | Run Step | Potential execution of untrusted code on a privileged workflow ($@) | .github/workflows/gitcheckout.yml:2:3:2:21 | pull_request_target | pull_request_target | -| .github/workflows/label_trusted_checkout2.yml:12:7:16:4 | Uses Step | .github/workflows/label_trusted_checkout2.yml:12:7:16:4 | Uses Step | .github/workflows/label_trusted_checkout2.yml:17:7:21:4 | Run Step | Potential execution of untrusted code on a privileged workflow ($@) | .github/workflows/label_trusted_checkout2.yml:2:3:2:21 | pull_request_target | pull_request_target | -| .github/workflows/level0.yml:99:9:103:6 | Uses Step | .github/workflows/level0.yml:99:9:103:6 | Uses Step | .github/workflows/level0.yml:107:9:112:2 | Run Step | Potential execution of untrusted code on a privileged workflow ($@) | .github/workflows/level0.yml:5:3:5:15 | issue_comment | issue_comment | -| .github/workflows/level0.yml:99:9:103:6 | Uses Step | .github/workflows/level0.yml:99:9:103:6 | Uses Step | .github/workflows/level0.yml:107:9:112:2 | Run Step | Potential execution of untrusted code on a privileged workflow ($@) | .github/workflows/level0.yml:7:3:7:21 | pull_request_target | pull_request_target | -| .github/workflows/level0.yml:125:9:129:6 | Uses Step | .github/workflows/level0.yml:125:9:129:6 | Uses Step | .github/workflows/level0.yml:133:9:135:23 | Run Step | Potential execution of untrusted code on a privileged workflow ($@) | .github/workflows/level0.yml:5:3:5:15 | issue_comment | issue_comment | -| .github/workflows/level0.yml:125:9:129:6 | Uses Step | .github/workflows/level0.yml:125:9:129:6 | Uses Step | .github/workflows/level0.yml:133:9:135:23 | Run Step | Potential execution of untrusted code on a privileged workflow ($@) | .github/workflows/level0.yml:7:3:7:21 | pull_request_target | pull_request_target | -| .github/workflows/poc2.yml:37:9:42:6 | Uses Step | .github/workflows/poc2.yml:37:9:42:6 | Uses Step | .github/workflows/poc2.yml:42:9:47:6 | Uses Step | Potential execution of untrusted code on a privileged workflow ($@) | .github/workflows/poc2.yml:4:3:4:15 | issue_comment | issue_comment | -| .github/workflows/poc2.yml:37:9:42:6 | Uses Step | .github/workflows/poc2.yml:37:9:42:6 | Uses Step | .github/workflows/poc2.yml:52:9:58:24 | Run Step | Potential execution of untrusted code on a privileged workflow ($@) | .github/workflows/poc2.yml:4:3:4:15 | issue_comment | issue_comment | -| .github/workflows/pr-workflow.yml:216:9:222:6 | Uses Step | .github/workflows/pr-workflow.yml:216:9:222:6 | Uses Step | .github/workflows/pr-workflow.yml:222:9:227:6 | Uses Step | Potential execution of untrusted code on a privileged workflow ($@) | .github/workflows/pr-workflow-fork.yaml:7:3:7:21 | pull_request_target | pull_request_target | -| .github/workflows/pr-workflow.yml:250:9:256:6 | Uses Step | .github/workflows/pr-workflow.yml:250:9:256:6 | Uses Step | .github/workflows/pr-workflow.yml:256:9:261:6 | Uses Step | Potential execution of untrusted code on a privileged workflow ($@) | .github/workflows/pr-workflow-fork.yaml:7:3:7:21 | pull_request_target | pull_request_target | -| .github/workflows/pr-workflow.yml:284:9:290:6 | Uses Step | .github/workflows/pr-workflow.yml:284:9:290:6 | Uses Step | .github/workflows/pr-workflow.yml:290:9:295:6 | Uses Step | Potential execution of untrusted code on a privileged workflow ($@) | .github/workflows/pr-workflow-fork.yaml:7:3:7:21 | pull_request_target | pull_request_target | -| .github/workflows/pr-workflow.yml:386:9:391:6 | Uses Step | .github/workflows/pr-workflow.yml:386:9:391:6 | Uses Step | .github/workflows/pr-workflow.yml:391:9:395:6 | Uses Step | Potential execution of untrusted code on a privileged workflow ($@) | .github/workflows/pr-workflow-fork.yaml:7:3:7:21 | pull_request_target | pull_request_target | -| .github/workflows/pr-workflow.yml:386:9:391:6 | Uses Step | .github/workflows/pr-workflow.yml:386:9:391:6 | Uses Step | .github/workflows/pr-workflow.yml:395:9:404:6 | Uses Step | Potential execution of untrusted code on a privileged workflow ($@) | .github/workflows/pr-workflow-fork.yaml:7:3:7:21 | pull_request_target | pull_request_target | -| .github/workflows/pr-workflow.yml:386:9:391:6 | Uses Step | .github/workflows/pr-workflow.yml:386:9:391:6 | Uses Step | .github/workflows/pr-workflow.yml:404:9:414:6 | Uses Step | Potential execution of untrusted code on a privileged workflow ($@) | .github/workflows/pr-workflow-fork.yaml:7:3:7:21 | pull_request_target | pull_request_target | -| .github/workflows/pr-workflow.yml:386:9:391:6 | Uses Step | .github/workflows/pr-workflow.yml:386:9:391:6 | Uses Step | .github/workflows/pr-workflow.yml:414:9:423:6 | Uses Step | Potential execution of untrusted code on a privileged workflow ($@) | .github/workflows/pr-workflow-fork.yaml:7:3:7:21 | pull_request_target | pull_request_target | -| .github/workflows/pr-workflow.yml:386:9:391:6 | Uses Step | .github/workflows/pr-workflow.yml:386:9:391:6 | Uses Step | .github/workflows/pr-workflow.yml:423:9:432:2 | Uses Step | Potential execution of untrusted code on a privileged workflow ($@) | .github/workflows/pr-workflow-fork.yaml:7:3:7:21 | pull_request_target | pull_request_target | -| .github/workflows/reusable_local.yml:23:9:26:6 | Uses Step | .github/workflows/reusable_local.yml:23:9:26:6 | Uses Step | .github/workflows/reusable_local.yml:26:9:29:7 | Run Step | Potential execution of untrusted code on a privileged workflow ($@) | .github/workflows/reusable_caller3.yaml:4:3:4:21 | pull_request_target | pull_request_target | -| .github/workflows/test7.yml:19:9:24:6 | Uses Step | .github/workflows/test7.yml:19:9:24:6 | Uses Step | .github/workflows/test7.yml:33:9:36:6 | Run Step | Potential execution of untrusted code on a privileged workflow ($@) | .github/workflows/test7.yml:4:3:4:15 | issue_comment | issue_comment | -| .github/workflows/test7.yml:19:9:24:6 | Uses Step | .github/workflows/test7.yml:19:9:24:6 | Uses Step | .github/workflows/test7.yml:36:9:39:6 | Run Step | Potential execution of untrusted code on a privileged workflow ($@) | .github/workflows/test7.yml:4:3:4:15 | issue_comment | issue_comment | -| .github/workflows/test7.yml:19:9:24:6 | Uses Step | .github/workflows/test7.yml:19:9:24:6 | Uses Step | .github/workflows/test7.yml:49:9:59:6 | Run Step: benchmark-pr | Potential execution of untrusted code on a privileged workflow ($@) | .github/workflows/test7.yml:4:3:4:15 | issue_comment | issue_comment | -| .github/workflows/test7.yml:19:9:24:6 | Uses Step | .github/workflows/test7.yml:19:9:24:6 | Uses Step | .github/workflows/test7.yml:59:9:60:6 | Run Step | Potential execution of untrusted code on a privileged workflow ($@) | .github/workflows/test7.yml:4:3:4:15 | issue_comment | issue_comment | -| .github/workflows/test7.yml:19:9:24:6 | Uses Step | .github/workflows/test7.yml:19:9:24:6 | Uses Step | .github/workflows/test7.yml:60:9:60:37 | Run Step | Potential execution of untrusted code on a privileged workflow ($@) | .github/workflows/test7.yml:4:3:4:15 | issue_comment | issue_comment | -| .github/workflows/test10.yml:20:9:25:6 | Uses Step | .github/workflows/test10.yml:20:9:25:6 | Uses Step | .github/workflows/test10.yml:25:9:30:2 | Run Step | Potential execution of untrusted code on a privileged workflow ($@) | .github/workflows/test10.yml:8:3:8:21 | pull_request_target | pull_request_target | -| .github/workflows/test11.yml:84:7:90:4 | Uses Step | .github/workflows/test11.yml:84:7:90:4 | Uses Step | .github/workflows/test11.yml:90:7:93:54 | Uses Step | Potential execution of untrusted code on a privileged workflow ($@) | .github/workflows/test11.yml:5:3:5:15 | issue_comment | issue_comment | -| .github/workflows/test17.yml:12:15:19:12 | Uses Step | .github/workflows/test17.yml:12:15:19:12 | Uses Step | .github/workflows/test17.yml:19:15:23:58 | Uses Step | Potential execution of untrusted code on a privileged workflow ($@) | .github/workflows/test17.yml:3:5:3:16 | workflow_run | workflow_run | -| .github/workflows/test27.yml:18:9:21:6 | Uses Step | .github/workflows/test27.yml:18:9:21:6 | Uses Step | .github/workflows/test27.yml:21:9:22:16 | Run Step | Potential execution of untrusted code on a privileged workflow ($@) | .github/workflows/test26.yml:4:3:4:14 | workflow_run | workflow_run | -| .github/workflows/test29.yml:8:7:14:4 | Uses Step | .github/workflows/test29.yml:8:7:14:4 | Uses Step | .github/workflows/test29.yml:14:7:21:11 | Uses Step | Potential execution of untrusted code on a privileged workflow ($@) | .github/workflows/test29.yml:1:5:1:23 | pull_request_target | pull_request_target | -| .github/workflows/untrusted_checkout4.yml:29:7:35:4 | Uses Step | .github/workflows/untrusted_checkout4.yml:29:7:35:4 | Uses Step | .github/workflows/untrusted_checkout4.yml:35:7:41:4 | Run Step | Potential execution of untrusted code on a privileged workflow ($@) | .github/workflows/untrusted_checkout4.yml:2:3:2:15 | issue_comment | issue_comment | -| .github/workflows/untrusted_checkout4.yml:29:7:35:4 | Uses Step | .github/workflows/untrusted_checkout4.yml:29:7:35:4 | Uses Step | .github/workflows/untrusted_checkout4.yml:41:7:47:4 | Run Step | Potential execution of untrusted code on a privileged workflow ($@) | .github/workflows/untrusted_checkout4.yml:2:3:2:15 | issue_comment | issue_comment | -| .github/workflows/untrusted_checkout4.yml:29:7:35:4 | Uses Step | .github/workflows/untrusted_checkout4.yml:29:7:35:4 | Uses Step | .github/workflows/untrusted_checkout4.yml:47:7:51:46 | Run Step | Potential execution of untrusted code on a privileged workflow ($@) | .github/workflows/untrusted_checkout4.yml:2:3:2:15 | issue_comment | issue_comment | -| .github/workflows/untrusted_checkout.yml:8:9:11:6 | Uses Step | .github/workflows/untrusted_checkout.yml:8:9:11:6 | Uses Step | .github/workflows/untrusted_checkout.yml:15:9:18:2 | Run Step | Potential execution of untrusted code on a privileged workflow ($@) | .github/workflows/untrusted_checkout.yml:2:3:2:21 | pull_request_target | pull_request_target | -| .github/workflows/untrusted_checkout.yml:23:9:26:6 | Uses Step | .github/workflows/untrusted_checkout.yml:23:9:26:6 | Uses Step | .github/workflows/untrusted_checkout.yml:30:9:32:23 | Run Step | Potential execution of untrusted code on a privileged workflow ($@) | .github/workflows/untrusted_checkout.yml:2:3:2:21 | pull_request_target | pull_request_target | +| .github/workflows/auto_ci.yml:32:9:37:6 | Run Step | .github/workflows/auto_ci.yml:20:9:27:6 | Uses Step | .github/workflows/auto_ci.yml:32:9:37:6 | Run Step | Potential execution of untrusted code on a privileged workflow ($@) | .github/workflows/auto_ci.yml:6:3:6:21 | pull_request_target | pull_request_target | +| .github/workflows/auto_ci.yml:48:9:52:2 | Run Step | .github/workflows/auto_ci.yml:20:9:27:6 | Uses Step | .github/workflows/auto_ci.yml:48:9:52:2 | Run Step | Potential execution of untrusted code on a privileged workflow ($@) | .github/workflows/auto_ci.yml:6:3:6:21 | pull_request_target | pull_request_target | +| .github/workflows/auto_ci.yml:79:9:84:6 | Run Step | .github/workflows/auto_ci.yml:67:9:74:6 | Uses Step | .github/workflows/auto_ci.yml:79:9:84:6 | Run Step | Potential execution of untrusted code on a privileged workflow ($@) | .github/workflows/auto_ci.yml:6:3:6:21 | pull_request_target | pull_request_target | +| .github/workflows/auto_ci.yml:84:9:93:6 | Run Step | .github/workflows/auto_ci.yml:67:9:74:6 | Uses Step | .github/workflows/auto_ci.yml:84:9:93:6 | Run Step | Potential execution of untrusted code on a privileged workflow ($@) | .github/workflows/auto_ci.yml:6:3:6:21 | pull_request_target | pull_request_target | +| .github/workflows/dependabot3.yml:25:9:48:6 | Run Step: set-milestone | .github/workflows/dependabot3.yml:15:9:20:6 | Uses Step | .github/workflows/dependabot3.yml:25:9:48:6 | Run Step: set-milestone | Potential execution of untrusted code on a privileged workflow ($@) | .github/workflows/dependabot3.yml:3:5:3:23 | pull_request_target | pull_request_target | +| .github/workflows/external/TestOrg/TestRepo/.github/workflows/reusable.yml:26:9:29:7 | Run Step | .github/workflows/external/TestOrg/TestRepo/.github/workflows/reusable.yml:23:9:26:6 | Uses Step | .github/workflows/external/TestOrg/TestRepo/.github/workflows/reusable.yml:26:9:29:7 | Run Step | Potential execution of untrusted code on a privileged workflow ($@) | .github/workflows/reusable_caller1.yaml:4:3:4:21 | pull_request_target | pull_request_target | +| .github/workflows/gitcheckout.yml:21:11:23:22 | Run Step | .github/workflows/gitcheckout.yml:10:11:18:8 | Run Step | .github/workflows/gitcheckout.yml:21:11:23:22 | Run Step | Potential execution of untrusted code on a privileged workflow ($@) | .github/workflows/gitcheckout.yml:2:3:2:21 | pull_request_target | pull_request_target | +| .github/workflows/label_trusted_checkout2.yml:17:7:21:4 | Run Step | .github/workflows/label_trusted_checkout2.yml:12:7:16:4 | Uses Step | .github/workflows/label_trusted_checkout2.yml:17:7:21:4 | Run Step | Potential execution of untrusted code on a privileged workflow ($@) | .github/workflows/label_trusted_checkout2.yml:2:3:2:21 | pull_request_target | pull_request_target | +| .github/workflows/level0.yml:107:9:112:2 | Run Step | .github/workflows/level0.yml:99:9:103:6 | Uses Step | .github/workflows/level0.yml:107:9:112:2 | Run Step | Potential execution of untrusted code on a privileged workflow ($@) | .github/workflows/level0.yml:5:3:5:15 | issue_comment | issue_comment | +| .github/workflows/level0.yml:107:9:112:2 | Run Step | .github/workflows/level0.yml:99:9:103:6 | Uses Step | .github/workflows/level0.yml:107:9:112:2 | Run Step | Potential execution of untrusted code on a privileged workflow ($@) | .github/workflows/level0.yml:7:3:7:21 | pull_request_target | pull_request_target | +| .github/workflows/level0.yml:133:9:135:23 | Run Step | .github/workflows/level0.yml:125:9:129:6 | Uses Step | .github/workflows/level0.yml:133:9:135:23 | Run Step | Potential execution of untrusted code on a privileged workflow ($@) | .github/workflows/level0.yml:5:3:5:15 | issue_comment | issue_comment | +| .github/workflows/level0.yml:133:9:135:23 | Run Step | .github/workflows/level0.yml:125:9:129:6 | Uses Step | .github/workflows/level0.yml:133:9:135:23 | Run Step | Potential execution of untrusted code on a privileged workflow ($@) | .github/workflows/level0.yml:7:3:7:21 | pull_request_target | pull_request_target | +| .github/workflows/poc2.yml:42:9:47:6 | Uses Step | .github/workflows/poc2.yml:37:9:42:6 | Uses Step | .github/workflows/poc2.yml:42:9:47:6 | Uses Step | Potential execution of untrusted code on a privileged workflow ($@) | .github/workflows/poc2.yml:4:3:4:15 | issue_comment | issue_comment | +| .github/workflows/poc2.yml:52:9:58:24 | Run Step | .github/workflows/poc2.yml:37:9:42:6 | Uses Step | .github/workflows/poc2.yml:52:9:58:24 | Run Step | Potential execution of untrusted code on a privileged workflow ($@) | .github/workflows/poc2.yml:4:3:4:15 | issue_comment | issue_comment | +| .github/workflows/pr-workflow.yml:222:9:227:6 | Uses Step | .github/workflows/pr-workflow.yml:216:9:222:6 | Uses Step | .github/workflows/pr-workflow.yml:222:9:227:6 | Uses Step | Potential execution of untrusted code on a privileged workflow ($@) | .github/workflows/pr-workflow-fork.yaml:7:3:7:21 | pull_request_target | pull_request_target | +| .github/workflows/pr-workflow.yml:256:9:261:6 | Uses Step | .github/workflows/pr-workflow.yml:250:9:256:6 | Uses Step | .github/workflows/pr-workflow.yml:256:9:261:6 | Uses Step | Potential execution of untrusted code on a privileged workflow ($@) | .github/workflows/pr-workflow-fork.yaml:7:3:7:21 | pull_request_target | pull_request_target | +| .github/workflows/pr-workflow.yml:290:9:295:6 | Uses Step | .github/workflows/pr-workflow.yml:284:9:290:6 | Uses Step | .github/workflows/pr-workflow.yml:290:9:295:6 | Uses Step | Potential execution of untrusted code on a privileged workflow ($@) | .github/workflows/pr-workflow-fork.yaml:7:3:7:21 | pull_request_target | pull_request_target | +| .github/workflows/pr-workflow.yml:391:9:395:6 | Uses Step | .github/workflows/pr-workflow.yml:386:9:391:6 | Uses Step | .github/workflows/pr-workflow.yml:391:9:395:6 | Uses Step | Potential execution of untrusted code on a privileged workflow ($@) | .github/workflows/pr-workflow-fork.yaml:7:3:7:21 | pull_request_target | pull_request_target | +| .github/workflows/pr-workflow.yml:395:9:404:6 | Uses Step | .github/workflows/pr-workflow.yml:386:9:391:6 | Uses Step | .github/workflows/pr-workflow.yml:395:9:404:6 | Uses Step | Potential execution of untrusted code on a privileged workflow ($@) | .github/workflows/pr-workflow-fork.yaml:7:3:7:21 | pull_request_target | pull_request_target | +| .github/workflows/pr-workflow.yml:404:9:414:6 | Uses Step | .github/workflows/pr-workflow.yml:386:9:391:6 | Uses Step | .github/workflows/pr-workflow.yml:404:9:414:6 | Uses Step | Potential execution of untrusted code on a privileged workflow ($@) | .github/workflows/pr-workflow-fork.yaml:7:3:7:21 | pull_request_target | pull_request_target | +| .github/workflows/pr-workflow.yml:414:9:423:6 | Uses Step | .github/workflows/pr-workflow.yml:386:9:391:6 | Uses Step | .github/workflows/pr-workflow.yml:414:9:423:6 | Uses Step | Potential execution of untrusted code on a privileged workflow ($@) | .github/workflows/pr-workflow-fork.yaml:7:3:7:21 | pull_request_target | pull_request_target | +| .github/workflows/pr-workflow.yml:423:9:432:2 | Uses Step | .github/workflows/pr-workflow.yml:386:9:391:6 | Uses Step | .github/workflows/pr-workflow.yml:423:9:432:2 | Uses Step | Potential execution of untrusted code on a privileged workflow ($@) | .github/workflows/pr-workflow-fork.yaml:7:3:7:21 | pull_request_target | pull_request_target | +| .github/workflows/reusable_local.yml:26:9:29:7 | Run Step | .github/workflows/reusable_local.yml:23:9:26:6 | Uses Step | .github/workflows/reusable_local.yml:26:9:29:7 | Run Step | Potential execution of untrusted code on a privileged workflow ($@) | .github/workflows/reusable_caller3.yaml:4:3:4:21 | pull_request_target | pull_request_target | +| .github/workflows/test7.yml:33:9:36:6 | Run Step | .github/workflows/test7.yml:19:9:24:6 | Uses Step | .github/workflows/test7.yml:33:9:36:6 | Run Step | Potential execution of untrusted code on a privileged workflow ($@) | .github/workflows/test7.yml:4:3:4:15 | issue_comment | issue_comment | +| .github/workflows/test7.yml:36:9:39:6 | Run Step | .github/workflows/test7.yml:19:9:24:6 | Uses Step | .github/workflows/test7.yml:36:9:39:6 | Run Step | Potential execution of untrusted code on a privileged workflow ($@) | .github/workflows/test7.yml:4:3:4:15 | issue_comment | issue_comment | +| .github/workflows/test7.yml:49:9:59:6 | Run Step: benchmark-pr | .github/workflows/test7.yml:19:9:24:6 | Uses Step | .github/workflows/test7.yml:49:9:59:6 | Run Step: benchmark-pr | Potential execution of untrusted code on a privileged workflow ($@) | .github/workflows/test7.yml:4:3:4:15 | issue_comment | issue_comment | +| .github/workflows/test7.yml:59:9:60:6 | Run Step | .github/workflows/test7.yml:19:9:24:6 | Uses Step | .github/workflows/test7.yml:59:9:60:6 | Run Step | Potential execution of untrusted code on a privileged workflow ($@) | .github/workflows/test7.yml:4:3:4:15 | issue_comment | issue_comment | +| .github/workflows/test7.yml:60:9:60:37 | Run Step | .github/workflows/test7.yml:19:9:24:6 | Uses Step | .github/workflows/test7.yml:60:9:60:37 | Run Step | Potential execution of untrusted code on a privileged workflow ($@) | .github/workflows/test7.yml:4:3:4:15 | issue_comment | issue_comment | +| .github/workflows/test10.yml:25:9:30:2 | Run Step | .github/workflows/test10.yml:20:9:25:6 | Uses Step | .github/workflows/test10.yml:25:9:30:2 | Run Step | Potential execution of untrusted code on a privileged workflow ($@) | .github/workflows/test10.yml:8:3:8:21 | pull_request_target | pull_request_target | +| .github/workflows/test11.yml:90:7:93:54 | Uses Step | .github/workflows/test11.yml:84:7:90:4 | Uses Step | .github/workflows/test11.yml:90:7:93:54 | Uses Step | Potential execution of untrusted code on a privileged workflow ($@) | .github/workflows/test11.yml:5:3:5:15 | issue_comment | issue_comment | +| .github/workflows/test17.yml:19:15:23:58 | Uses Step | .github/workflows/test17.yml:12:15:19:12 | Uses Step | .github/workflows/test17.yml:19:15:23:58 | Uses Step | Potential execution of untrusted code on a privileged workflow ($@) | .github/workflows/test17.yml:3:5:3:16 | workflow_run | workflow_run | +| .github/workflows/test27.yml:21:9:22:16 | Run Step | .github/workflows/test27.yml:18:9:21:6 | Uses Step | .github/workflows/test27.yml:21:9:22:16 | Run Step | Potential execution of untrusted code on a privileged workflow ($@) | .github/workflows/test26.yml:4:3:4:14 | workflow_run | workflow_run | +| .github/workflows/test29.yml:14:7:21:11 | Uses Step | .github/workflows/test29.yml:8:7:14:4 | Uses Step | .github/workflows/test29.yml:14:7:21:11 | Uses Step | Potential execution of untrusted code on a privileged workflow ($@) | .github/workflows/test29.yml:1:5:1:23 | pull_request_target | pull_request_target | +| .github/workflows/untrusted_checkout3.yml:13:9:13:23 | Run Step | .github/actions/dangerous-git-checkout/action.yml:6:7:11:4 | Uses Step | .github/workflows/untrusted_checkout3.yml:13:9:13:23 | Run Step | Potential execution of untrusted code on a privileged workflow ($@) | .github/workflows/untrusted_checkout3.yml:4:3:4:14 | workflow_run | workflow_run | +| .github/workflows/untrusted_checkout4.yml:35:7:41:4 | Run Step | .github/workflows/untrusted_checkout4.yml:29:7:35:4 | Uses Step | .github/workflows/untrusted_checkout4.yml:35:7:41:4 | Run Step | Potential execution of untrusted code on a privileged workflow ($@) | .github/workflows/untrusted_checkout4.yml:2:3:2:15 | issue_comment | issue_comment | +| .github/workflows/untrusted_checkout4.yml:41:7:47:4 | Run Step | .github/workflows/untrusted_checkout4.yml:29:7:35:4 | Uses Step | .github/workflows/untrusted_checkout4.yml:41:7:47:4 | Run Step | Potential execution of untrusted code on a privileged workflow ($@) | .github/workflows/untrusted_checkout4.yml:2:3:2:15 | issue_comment | issue_comment | +| .github/workflows/untrusted_checkout4.yml:47:7:51:46 | Run Step | .github/workflows/untrusted_checkout4.yml:29:7:35:4 | Uses Step | .github/workflows/untrusted_checkout4.yml:47:7:51:46 | Run Step | Potential execution of untrusted code on a privileged workflow ($@) | .github/workflows/untrusted_checkout4.yml:2:3:2:15 | issue_comment | issue_comment | +| .github/workflows/untrusted_checkout.yml:15:9:18:2 | Run Step | .github/workflows/untrusted_checkout.yml:8:9:11:6 | Uses Step | .github/workflows/untrusted_checkout.yml:15:9:18:2 | Run Step | Potential execution of untrusted code on a privileged workflow ($@) | .github/workflows/untrusted_checkout.yml:2:3:2:21 | pull_request_target | pull_request_target | +| .github/workflows/untrusted_checkout.yml:30:9:32:23 | Run Step | .github/workflows/untrusted_checkout.yml:23:9:26:6 | Uses Step | .github/workflows/untrusted_checkout.yml:30:9:32:23 | Run Step | Potential execution of untrusted code on a privileged workflow ($@) | .github/workflows/untrusted_checkout.yml:2:3:2:21 | pull_request_target | pull_request_target | From 52b02a05812f29a73772bbe7b0730ce7467ce864 Mon Sep 17 00:00:00 2001 From: =?UTF-8?q?Jack=20N=C3=B8rskov=20J=C3=B8rgensen?= Date: Wed, 6 May 2026 08:39:41 +0200 Subject: [PATCH 46/46] Fix path to generated models --- .github/workflows/mad_modelDiff.yml | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/.github/workflows/mad_modelDiff.yml b/.github/workflows/mad_modelDiff.yml index 3b96d903e23..45a31f40666 100644 --- a/.github/workflows/mad_modelDiff.yml +++ b/.github/workflows/mad_modelDiff.yml @@ -70,7 +70,7 @@ jobs: SHORTNAME=`basename $DATABASE` python misc/scripts/models-as-data/generate_mad.py --language java --with-summaries --with-sinks $DATABASE $SHORTNAME/$QL_VARIANT mkdir -p $MODELS/$SHORTNAME - mv java/ql/lib/ext/generated/$SHORTNAME/$QL_VARIANT $MODELS/$SHORTNAME + mv java/ql/lib/ext/generated/modelgenerator/$SHORTNAME/$QL_VARIANT $MODELS/$SHORTNAME cd .. }