Merge branch 'main' into varfps

2025-12-16 08:43:11 +01:00 · 2025-12-11 18:21:22 +00:00
parent d88bae9ec2 5db6b92411
commit ee13a49152
357 changed files with 2288 additions and 2031 deletions
--- a/rust/ql/lib/change-notes/2025-12-11-read-as-taint.md
+++ b/rust/ql/lib/change-notes/2025-12-11-read-as-taint.md
@@ -0,0 +1,4 @@
+---
+category: minorAnalysis
+---
+* Reading content of a value now carries taint if the value itself is tainted. For instance, if `s` is tainted then `s.field` is also tainted. This generally improves taint flow.
--- a/rust/ql/lib/codeql/rust/dataflow/internal/FlowSummaryImpl.qll
+++ b/rust/ql/lib/codeql/rust/dataflow/internal/FlowSummaryImpl.qll
@@ -11,6 +11,20 @@ private import codeql.rust.dataflow.FlowSummary
 private import codeql.rust.dataflow.Ssa
 private import Content

+predicate encodeContentTupleField(TupleFieldContent c, string arg) {
+  exists(Addressable a, int pos, string prefix |
+    arg = prefix + "(" + pos + ")" and prefix = a.getCanonicalPath()
+  |
+    c.isStructField(a, pos) or c.isVariantField(a, pos)
+  )
+}
+
+predicate encodeContentStructField(StructFieldContent c, string arg) {
+  exists(Addressable a, string field | arg = a.getCanonicalPath() + "::" + field |
+    c.isStructField(a, field) or c.isVariantField(a, field)
+  )
+}
+
 module Input implements InputSig<Location, RustDataFlow> {
  private import codeql.rust.frameworks.stdlib.Stdlib

@@ -58,24 +72,11 @@ module Input implements InputSig<Location, RustDataFlow> {
    exists(Content c | cs = TSingletonContentSet(c) |
      result = "Field" and
      (
-        exists(Addressable a, int pos, string prefix |
-          arg = prefix + "(" + pos + ")" and prefix = a.getCanonicalPath()
-        |
-          c.(TupleFieldContent).isStructField(a, pos)
-          or
-          c.(TupleFieldContent).isVariantField(a, pos)
-        )
+        encodeContentTupleField(c, arg)
        or
-        exists(Addressable a, string field | arg = a.getCanonicalPath() + "::" + field |
-          c.(StructFieldContent).isStructField(a, field)
-          or
-          c.(StructFieldContent).isVariantField(a, field)
-        )
+        encodeContentStructField(c, arg)
        or
-        exists(int pos |
-          c = TTuplePositionContent(pos) and
-          arg = pos.toString()
-        )
+        exists(int pos | c = TTuplePositionContent(pos) and arg = pos.toString())
      )
      or
      result = "Reference" and
--- a/rust/ql/lib/codeql/rust/dataflow/internal/TaintTrackingImpl.qll
+++ b/rust/ql/lib/codeql/rust/dataflow/internal/TaintTrackingImpl.qll
@@ -7,6 +7,27 @@ private import Node as Node
 private import Content
 private import FlowSummaryImpl as FlowSummaryImpl
 private import codeql.rust.internal.CachedStages
+private import codeql.rust.internal.TypeInference as TypeInference
+private import codeql.rust.internal.Type as Type
+private import codeql.rust.frameworks.stdlib.Builtins as Builtins
+
+/**
+ * Holds if the field `field` should, by default, be excluded from taint steps
+ * from the containing type to reads of the field. The models-as-data syntax
+ * used to denote the field is the same as for `Field[]` access path elements.
+ */
+extensible predicate excludeFieldTaintStep(string field);
+
+/**
+ * Holds if the content `c` corresponds to a field that has explicitly been
+ * excluded as a taint step.
+ */
+private predicate excludedTaintStepContent(Content c) {
+  exists(string arg | excludeFieldTaintStep(arg) |
+    FlowSummaryImpl::encodeContentStructField(c, arg) or
+    FlowSummaryImpl::encodeContentTupleField(c, arg)
+  )
+}

 module RustTaintTracking implements InputSig<Location, RustDataFlow> {
  predicate defaultTaintSanitizer(DataFlow::Node node) { none() }
@@ -28,11 +49,17 @@ module RustTaintTracking implements InputSig<Location, RustDataFlow> {
        succ.asExpr() = index
      )
      or
-      // Although data flow through collections and references is modeled using
-      // stores/reads, we also allow taint to flow out of a tainted collection
-      // or reference.
-      // This is needed in order to support taint-tracking configurations where
-      // the source is a collection or reference.
+      // Read steps give rise to taint steps. This has the effect that if `foo`
+      // is tainted and an operation reads from `foo` (e.g., `foo.bar`) then
+      // taint is propagated.
+      exists(Content c |
+        RustDataFlow::readContentStep(pred, c, succ) and
+        not excludedTaintStepContent(c)
+      )
+      or
+      // In addition to the above, for element and reference content we let
+      // _all_ read steps (including those from flow summaries and those that
+      // result in small primitive types) give rise to taint steps.
      exists(SingletonContentSet cs | RustDataFlow::readStep(pred, cs, succ) |
        cs.getContent() instanceof ElementContent
        or
--- a/rust/ql/lib/codeql/rust/frameworks/actix-web.model.yml
+++ b/rust/ql/lib/codeql/rust/frameworks/actix-web.model.yml
@@ -15,9 +15,4 @@ extensions:
      pack: codeql/rust-all
      extensible: summaryModel
    data:
-        - ["<actix_web::types::path::Path>::into_inner", "Argument[self]", "ReturnValue", "taint", "manual"]
-        - ["<actix_web::types::path::Path>::into_inner", "Argument[self]", "ReturnValue.Field[0]", "taint", "manual"]
-        - ["<actix_web::types::path::Path>::into_inner", "Argument[self]", "ReturnValue.Field[1]", "taint", "manual"]
-        - ["<actix_web::types::path::Path>::into_inner", "Argument[self]", "ReturnValue.Field[2]", "taint", "manual"]
-        - ["<actix_web::types::path::Path>::into_inner", "Argument[self]", "ReturnValue.Field[3]", "taint", "manual"]
-        - ["<actix_web::types::path::Path>::into_inner", "Argument[self]", "ReturnValue.Field[4]", "taint", "manual"]
+        - ["<actix_web::types::path::Path>::into_inner", "Argument[self]", "ReturnValue", "taint", "manual"]
--- a/rust/ql/lib/codeql/rust/frameworks/stdlib/core.model.yml
+++ b/rust/ql/lib/codeql/rust/frameworks/stdlib/core.model.yml
@@ -141,3 +141,9 @@ extensions:
      - ["core::ptr::write_bytes", "Argument[0]", "pointer-access", "manual"]
      - ["core::ptr::write_unaligned", "Argument[0]", "pointer-access", "manual"]
      - ["core::ptr::write_volatile", "Argument[0]", "pointer-access", "manual"]
+  - addsTo:
+      pack: codeql/rust-all
+      extensible: excludeFieldTaintStep
+    data:
+      - ["core::ops::range::RangeInclusive::start"]
+      - ["core::ops::range::RangeInclusive::end"]
--- a/rust/ql/lib/codeql/rust/internal/TypeInference.qll
+++ b/rust/ql/lib/codeql/rust/internal/TypeInference.qll
@@ -1430,11 +1430,19 @@ private module MethodResolution {
     * Holds if the method inside `i` with matching name and arity can be ruled
     * out as a target of this call, because the candidate receiver type represented
     * by `derefChain` and `borrow` is incompatible with the `self` parameter type.
+     *
+     * The types are incompatible because they disagree on a concrete type somewhere
+     * inside `root`.
     */
    pragma[nomagic]
-    private predicate hasIncompatibleTarget(ImplOrTraitItemNode i, string derefChain, boolean borrow) {
-      ReceiverIsInstantiationOfSelfParam::argIsNotInstantiationOf(MkMethodCallCand(this, derefChain,
-          borrow), i, _)
+    private predicate hasIncompatibleTarget(
+      ImplOrTraitItemNode i, string derefChain, boolean borrow, Type root
+    ) {
+      exists(TypePath path |
+        ReceiverIsInstantiationOfSelfParam::argIsNotInstantiationOf(MkMethodCallCand(this,
+            derefChain, borrow), i, _, path) and
+        path.isCons(root.getATypeParameter(), _)
+      )
    }

    /**
@@ -1448,7 +1456,7 @@ private module MethodResolution {
      ImplItemNode impl, string derefChain, boolean borrow
    ) {
      ReceiverIsNotInstantiationOfBlanketLikeSelfParam::argIsNotInstantiationOf(MkMethodCallCand(this,
-          derefChain, borrow), impl, _)
+          derefChain, borrow), impl, _, _)
      or
      ReceiverSatisfiesBlanketLikeConstraint::dissatisfiesBlanketConstraint(MkMethodCallCand(this,
          derefChain, borrow), impl)
@@ -1479,7 +1487,7 @@ private module MethodResolution {
      forall(ImplOrTraitItemNode i |
        methodCallNonBlanketCandidate(this, _, i, _, strippedTypePath, strippedType)
      |
-        this.hasIncompatibleTarget(i, derefChain, borrow)
+        this.hasIncompatibleTarget(i, derefChain, borrow, strippedType)
      )
    }

@@ -1818,7 +1826,7 @@ private module MethodResolution {
     */
    pragma[nomagic]
    private predicate hasIncompatibleInherentTarget(Impl impl) {
-      ReceiverIsNotInstantiationOfInherentSelfParam::argIsNotInstantiationOf(this, impl, _)
+      ReceiverIsNotInstantiationOfInherentSelfParam::argIsNotInstantiationOf(this, impl, _, _)
    }

    /**
--- a/rust/ql/lib/codeql/rust/internal/typeinference/FunctionType.qll
+++ b/rust/ql/lib/codeql/rust/internal/typeinference/FunctionType.qll
@@ -256,8 +256,10 @@ module ArgIsInstantiationOf<
    ArgSubstIsInstantiationOf::isInstantiationOf(arg, i, constraint)
  }

-  predicate argIsNotInstantiationOf(Arg arg, ImplOrTraitItemNode i, AssocFunctionType constraint) {
-    ArgSubstIsInstantiationOf::isNotInstantiationOf(arg, i, constraint)
+  predicate argIsNotInstantiationOf(
+    Arg arg, ImplOrTraitItemNode i, AssocFunctionType constraint, TypePath path
+  ) {
+    ArgSubstIsInstantiationOf::isNotInstantiationOf(arg, i, constraint, path)
  }
 }

--- a/rust/ql/lib/codeql/rust/security/AccessInvalidPointerExtensions.qll
+++ b/rust/ql/lib/codeql/rust/security/AccessInvalidPointerExtensions.qll
@@ -10,6 +10,8 @@ private import codeql.rust.dataflow.FlowSink
 private import codeql.rust.Concepts
 private import codeql.rust.dataflow.internal.Node
 private import codeql.rust.security.Barriers as Barriers
+private import codeql.rust.internal.TypeInference as TypeInference
+private import codeql.rust.internal.Type

 /**
 * Provides default sources, sinks and barriers for detecting accesses to
@@ -47,16 +49,22 @@ module AccessInvalidPointer {
    ModelsAsDataSource() { sourceNode(this, "pointer-invalidate") }
  }

-  /**
-   * A pointer access using the unary `*` operator.
-   */
+  /** A raw pointer access using the unary `*` operator. */
  private class DereferenceSink extends Sink {
-    DereferenceSink() { any(DerefExpr p).getExpr() = this.asExpr() }
+    DereferenceSink() {
+      exists(Expr p, DerefExpr d | p = d.getExpr() and p = this.asExpr() |
+        // Dereferencing a raw pointer is an unsafe operation. Hence relevant
+        // dereferences must occur inside code marked as unsafe.
+        // See: https://doc.rust-lang.org/reference/types/pointer.html#r-type.pointer.raw.safety
+        (p.getEnclosingBlock*().isUnsafe() or p.getEnclosingCallable().(Function).isUnsafe()) and
+        // We are only interested in dereferences of raw pointers, as other uses
+        // of `*` are safe.
+        (not exists(TypeInference::inferType(p)) or TypeInference::inferType(p) instanceof PtrType)
+      )
+    }
  }

-  /**
-   * A pointer access from model data.
-   */
+  /** A pointer access from model data. */
  private class ModelsAsDataSink extends Sink {
    ModelsAsDataSink() { sinkNode(this, "pointer-access") }
  }
--- a/rust/ql/src/change-notes/2025-12-05-exclude-dereference-sinks.md
+++ b/rust/ql/src/change-notes/2025-12-05-exclude-dereference-sinks.md
@@ -0,0 +1,4 @@
+---
+category: minorAnalysis
+---
+* Fixed false positives from the `rust/access-invalid-pointer` query, by only considering dereferences of raw pointers as sinks.
--- a/rust/ql/src/queries/security/CWE-825/AccessAfterLifetime.ql
+++ b/rust/ql/src/queries/security/CWE-825/AccessAfterLifetime.ql
@@ -26,18 +26,18 @@ module AccessAfterLifetimeConfig implements DataFlow::ConfigSig {
  predicate isSource(DataFlow::Node node) {
    node instanceof AccessAfterLifetime::Source and
    // exclude cases with sources in macros, since these results are difficult to interpret
-    not node.asExpr().isFromMacroExpansion()
+    not node.asExpr().isFromMacroExpansion() and
+    AccessAfterLifetime::sourceValueScope(node, _, _)
  }

  predicate isSink(DataFlow::Node node) {
    node instanceof AccessAfterLifetime::Sink and
-    // exclude cases with sinks in macros, since these results are difficult to interpret
+    // Exclude cases with sinks in macros, since these results are difficult to interpret
    not node.asExpr().isFromMacroExpansion() and
-    // include only results inside `unsafe` blocks, as other results tend to be false positives
-    (
-      node.asExpr().getEnclosingBlock*().isUnsafe() or
-      node.asExpr().getEnclosingCallable().(Function).isUnsafe()
-    )
+    // TODO: Remove this condition if it can be done without negatively
+    // impacting performance. This condition only include nodes with
+    // corresponding to an expression. This excludes sinks from models-as-data.
+    exists(node.asExpr())
  }

  predicate isBarrier(DataFlow::Node barrier) { barrier instanceof AccessAfterLifetime::Barrier }
--- a/rust/ql/test/library-tests/dataflow/global/inline-flow.expected
+++ b/rust/ql/test/library-tests/dataflow/global/inline-flow.expected
@@ -185,10 +185,13 @@ edges
 | main.rs:306:30:306:56 | ...::take_second(...) [MyInt] | main.rs:306:9:306:26 | MyInt {...} [MyInt] | provenance |  |
 | main.rs:306:55:306:55 | b [MyInt] | main.rs:293:26:293:37 | ...: MyInt [MyInt] | provenance |  |
 | main.rs:306:55:306:55 | b [MyInt] | main.rs:306:30:306:56 | ...::take_second(...) [MyInt] | provenance |  |
+| main.rs:315:32:319:1 | { ... } | main.rs:322:13:322:26 | async_source(...) | provenance |  |
 | main.rs:315:32:319:1 | { ... } | main.rs:334:41:334:54 | async_source(...) | provenance |  |
 | main.rs:316:9:316:9 | a | main.rs:315:32:319:1 | { ... } | provenance |  |
 | main.rs:316:9:316:9 | a | main.rs:317:10:317:10 | a | provenance |  |
 | main.rs:316:13:316:21 | source(...) | main.rs:316:9:316:9 | a | provenance |  |
+| main.rs:322:9:322:9 | a | main.rs:323:10:323:10 | a | provenance |  |
+| main.rs:322:13:322:26 | async_source(...) | main.rs:322:9:322:9 | a | provenance |  |
 | main.rs:326:13:326:13 | c | main.rs:327:14:327:14 | c | provenance |  |
 | main.rs:326:17:326:25 | source(...) | main.rs:326:13:326:13 | c | provenance |  |
 | main.rs:334:9:334:9 | a | main.rs:335:10:335:10 | a | provenance |  |
@@ -419,6 +422,9 @@ nodes
 | main.rs:316:9:316:9 | a | semmle.label | a |
 | main.rs:316:13:316:21 | source(...) | semmle.label | source(...) |
 | main.rs:317:10:317:10 | a | semmle.label | a |
+| main.rs:322:9:322:9 | a | semmle.label | a |
+| main.rs:322:13:322:26 | async_source(...) | semmle.label | async_source(...) |
+| main.rs:323:10:323:10 | a | semmle.label | a |
 | main.rs:326:13:326:13 | c | semmle.label | c |
 | main.rs:326:17:326:25 | source(...) | semmle.label | source(...) |
 | main.rs:327:14:327:14 | c | semmle.label | c |
@@ -503,6 +509,7 @@ testFailures
 | main.rs:302:10:302:10 | c | main.rs:299:28:299:36 | source(...) | main.rs:302:10:302:10 | c | $@ | main.rs:299:28:299:36 | source(...) | source(...) |
 | main.rs:307:10:307:10 | c | main.rs:305:28:305:37 | source(...) | main.rs:307:10:307:10 | c | $@ | main.rs:305:28:305:37 | source(...) | source(...) |
 | main.rs:317:10:317:10 | a | main.rs:316:13:316:21 | source(...) | main.rs:317:10:317:10 | a | $@ | main.rs:316:13:316:21 | source(...) | source(...) |
+| main.rs:323:10:323:10 | a | main.rs:316:13:316:21 | source(...) | main.rs:323:10:323:10 | a | $@ | main.rs:316:13:316:21 | source(...) | source(...) |
 | main.rs:327:14:327:14 | c | main.rs:326:17:326:25 | source(...) | main.rs:327:14:327:14 | c | $@ | main.rs:326:17:326:25 | source(...) | source(...) |
 | main.rs:335:10:335:10 | a | main.rs:316:13:316:21 | source(...) | main.rs:335:10:335:10 | a | $@ | main.rs:316:13:316:21 | source(...) | source(...) |
 | main.rs:384:14:384:15 | n1 | main.rs:359:13:359:21 | source(...) | main.rs:384:14:384:15 | n1 | $@ | main.rs:359:13:359:21 | source(...) | source(...) |
--- a/rust/ql/test/library-tests/dataflow/global/main.rs
+++ b/rust/ql/test/library-tests/dataflow/global/main.rs
@@ -320,7 +320,7 @@ async fn async_source() -> i64 {

 async fn test_async_await_async_part() {
    let a = async_source().await;
-    sink(a); // $ MISSING: hasValueFlow=1
+    sink(a); // $ hasTaintFlow=1 MISSING: hasValueFlow=1

    let b = async {
        let c = source(2);
--- a/rust/ql/test/library-tests/dataflow/sources/database/InlineFlow.expected
+++ b/rust/ql/test/library-tests/dataflow/sources/database/InlineFlow.expected
@@ -50,6 +50,10 @@ edges
 | test.rs:42:20:42:21 | t1 [element] | test.rs:42:13:42:15 | row | provenance |  |
 | test.rs:48:22:48:30 | query_map | test.rs:50:14:50:24 | ...: i64 | provenance | Src:MaD:3  |
 | test.rs:50:14:50:24 | ...: i64 | test.rs:51:22:51:27 | values | provenance |  |
+| test.rs:55:22:55:30 | query_map | test.rs:57:14:57:39 | ...: ... | provenance | Src:MaD:3  |
+| test.rs:57:14:57:39 | ...: ... | test.rs:58:22:58:29 | values.0 | provenance |  |
+| test.rs:57:14:57:39 | ...: ... | test.rs:59:22:59:29 | values.1 | provenance |  |
+| test.rs:57:14:57:39 | ...: ... | test.rs:60:22:60:29 | values.2 | provenance |  |
 | test.rs:64:13:64:17 | total | test.rs:68:14:68:18 | total | provenance |  |
 | test.rs:64:21:67:10 | conn.query_fold(...) [Ok] | test.rs:64:21:67:11 | TryExpr | provenance |  |
 | test.rs:64:21:67:11 | TryExpr | test.rs:64:13:64:17 | total | provenance |  |
@@ -61,6 +65,13 @@ edges
 | test.rs:66:19:66:21 | row | test.rs:66:13:66:21 | ... + ... | provenance | MaD:11 |
 | test.rs:66:19:66:21 | row | test.rs:66:13:66:21 | ... + ... | provenance | MaD:12 |
 | test.rs:66:19:66:21 | row | test.rs:66:13:66:21 | ... + ... | provenance | MaD:15 |
+| test.rs:70:22:70:31 | query_fold | test.rs:70:83:70:105 | ...: ... | provenance | Src:MaD:2  |
+| test.rs:70:83:70:105 | ...: ... | test.rs:71:17:71:18 | id | provenance |  |
+| test.rs:70:83:70:105 | ...: ... | test.rs:72:17:72:20 | name | provenance |  |
+| test.rs:70:83:70:105 | ...: ... | test.rs:73:17:73:19 | age | provenance |  |
+| test.rs:71:17:71:18 | id | test.rs:74:18:74:19 | id | provenance |  |
+| test.rs:72:17:72:20 | name | test.rs:75:18:75:21 | name | provenance |  |
+| test.rs:73:17:73:19 | age | test.rs:76:18:76:20 | age | provenance |  |
 | test.rs:105:13:105:14 | v1 | test.rs:106:14:106:15 | v1 | provenance |  |
 | test.rs:105:24:105:33 | row.get(...) [Some] | test.rs:105:24:105:42 | ... .unwrap() | provenance | MaD:16 |
 | test.rs:105:24:105:42 | ... .unwrap() | test.rs:105:13:105:14 | v1 | provenance |  |
@@ -81,6 +92,10 @@ edges
 | test.rs:114:28:114:35 | take_opt | test.rs:114:24:114:38 | row.take_opt(...) [Some, Ok] | provenance | Src:MaD:10  |
 | test.rs:135:22:135:30 | query_map | test.rs:137:14:137:24 | ...: i64 | provenance | Src:MaD:5  |
 | test.rs:137:14:137:24 | ...: i64 | test.rs:138:22:138:27 | values | provenance |  |
+| test.rs:142:22:142:30 | query_map | test.rs:144:14:144:39 | ...: ... | provenance | Src:MaD:5  |
+| test.rs:144:14:144:39 | ...: ... | test.rs:145:22:145:29 | values.0 | provenance |  |
+| test.rs:144:14:144:39 | ...: ... | test.rs:146:22:146:29 | values.1 | provenance |  |
+| test.rs:144:14:144:39 | ...: ... | test.rs:147:22:147:29 | values.2 | provenance |  |
 | test.rs:151:13:151:17 | total | test.rs:155:14:155:18 | total | provenance |  |
 | test.rs:151:21:154:10 | conn.query_fold(...) [future, Ok] | test.rs:151:21:154:16 | await ... [Ok] | provenance |  |
 | test.rs:151:21:154:16 | await ... [Ok] | test.rs:151:21:154:17 | TryExpr | provenance |  |
@@ -93,6 +108,13 @@ edges
 | test.rs:153:19:153:21 | row | test.rs:153:13:153:21 | ... + ... | provenance | MaD:11 |
 | test.rs:153:19:153:21 | row | test.rs:153:13:153:21 | ... + ... | provenance | MaD:12 |
 | test.rs:153:19:153:21 | row | test.rs:153:13:153:21 | ... + ... | provenance | MaD:15 |
+| test.rs:157:22:157:31 | query_fold | test.rs:157:83:157:105 | ...: ... | provenance | Src:MaD:4  |
+| test.rs:157:83:157:105 | ...: ... | test.rs:158:17:158:18 | id | provenance |  |
+| test.rs:157:83:157:105 | ...: ... | test.rs:159:17:159:20 | name | provenance |  |
+| test.rs:157:83:157:105 | ...: ... | test.rs:160:17:160:19 | age | provenance |  |
+| test.rs:158:17:158:18 | id | test.rs:161:18:161:19 | id | provenance |  |
+| test.rs:159:17:159:20 | name | test.rs:162:18:162:21 | name | provenance |  |
+| test.rs:160:17:160:19 | age | test.rs:163:18:163:20 | age | provenance |  |
 nodes
 | test.rs:18:13:18:14 | v1 | semmle.label | v1 |
 | test.rs:18:24:18:33 | row.get(...) [Some] | semmle.label | row.get(...) [Some] |
@@ -135,6 +157,11 @@ nodes
 | test.rs:48:22:48:30 | query_map | semmle.label | query_map |
 | test.rs:50:14:50:24 | ...: i64 | semmle.label | ...: i64 |
 | test.rs:51:22:51:27 | values | semmle.label | values |
+| test.rs:55:22:55:30 | query_map | semmle.label | query_map |
+| test.rs:57:14:57:39 | ...: ... | semmle.label | ...: ... |
+| test.rs:58:22:58:29 | values.0 | semmle.label | values.0 |
+| test.rs:59:22:59:29 | values.1 | semmle.label | values.1 |
+| test.rs:60:22:60:29 | values.2 | semmle.label | values.2 |
 | test.rs:64:13:64:17 | total | semmle.label | total |
 | test.rs:64:21:67:10 | conn.query_fold(...) [Ok] | semmle.label | conn.query_fold(...) [Ok] |
 | test.rs:64:21:67:11 | TryExpr | semmle.label | TryExpr |
@@ -145,6 +172,14 @@ nodes
 | test.rs:66:13:66:21 | ... + ... | semmle.label | ... + ... |
 | test.rs:66:19:66:21 | row | semmle.label | row |
 | test.rs:68:14:68:18 | total | semmle.label | total |
+| test.rs:70:22:70:31 | query_fold | semmle.label | query_fold |
+| test.rs:70:83:70:105 | ...: ... | semmle.label | ...: ... |
+| test.rs:71:17:71:18 | id | semmle.label | id |
+| test.rs:72:17:72:20 | name | semmle.label | name |
+| test.rs:73:17:73:19 | age | semmle.label | age |
+| test.rs:74:18:74:19 | id | semmle.label | id |
+| test.rs:75:18:75:21 | name | semmle.label | name |
+| test.rs:76:18:76:20 | age | semmle.label | age |
 | test.rs:105:13:105:14 | v1 | semmle.label | v1 |
 | test.rs:105:24:105:33 | row.get(...) [Some] | semmle.label | row.get(...) [Some] |
 | test.rs:105:24:105:42 | ... .unwrap() | semmle.label | ... .unwrap() |
@@ -170,6 +205,11 @@ nodes
 | test.rs:135:22:135:30 | query_map | semmle.label | query_map |
 | test.rs:137:14:137:24 | ...: i64 | semmle.label | ...: i64 |
 | test.rs:138:22:138:27 | values | semmle.label | values |
+| test.rs:142:22:142:30 | query_map | semmle.label | query_map |
+| test.rs:144:14:144:39 | ...: ... | semmle.label | ...: ... |
+| test.rs:145:22:145:29 | values.0 | semmle.label | values.0 |
+| test.rs:146:22:146:29 | values.1 | semmle.label | values.1 |
+| test.rs:147:22:147:29 | values.2 | semmle.label | values.2 |
 | test.rs:151:13:151:17 | total | semmle.label | total |
 | test.rs:151:21:154:10 | conn.query_fold(...) [future, Ok] | semmle.label | conn.query_fold(...) [future, Ok] |
 | test.rs:151:21:154:16 | await ... [Ok] | semmle.label | await ... [Ok] |
@@ -181,6 +221,14 @@ nodes
 | test.rs:153:13:153:21 | ... + ... | semmle.label | ... + ... |
 | test.rs:153:19:153:21 | row | semmle.label | row |
 | test.rs:155:14:155:18 | total | semmle.label | total |
+| test.rs:157:22:157:31 | query_fold | semmle.label | query_fold |
+| test.rs:157:83:157:105 | ...: ... | semmle.label | ...: ... |
+| test.rs:158:17:158:18 | id | semmle.label | id |
+| test.rs:159:17:159:20 | name | semmle.label | name |
+| test.rs:160:17:160:19 | age | semmle.label | age |
+| test.rs:161:18:161:19 | id | semmle.label | id |
+| test.rs:162:18:162:21 | name | semmle.label | name |
+| test.rs:163:18:163:20 | age | semmle.label | age |
 subpaths
 testFailures
 #select
@@ -192,12 +240,24 @@ testFailures
 | test.rs:41:14:41:70 | ... .unwrap() | test.rs:41:42:41:44 | get | test.rs:41:14:41:70 | ... .unwrap() | $@ | test.rs:41:42:41:44 | get | get |
 | test.rs:44:22:44:22 | v | test.rs:40:27:40:35 | exec_iter | test.rs:44:22:44:22 | v | $@ | test.rs:40:27:40:35 | exec_iter | exec_iter |
 | test.rs:51:22:51:27 | values | test.rs:48:22:48:30 | query_map | test.rs:51:22:51:27 | values | $@ | test.rs:48:22:48:30 | query_map | query_map |
+| test.rs:58:22:58:29 | values.0 | test.rs:55:22:55:30 | query_map | test.rs:58:22:58:29 | values.0 | $@ | test.rs:55:22:55:30 | query_map | query_map |
+| test.rs:59:22:59:29 | values.1 | test.rs:55:22:55:30 | query_map | test.rs:59:22:59:29 | values.1 | $@ | test.rs:55:22:55:30 | query_map | query_map |
+| test.rs:60:22:60:29 | values.2 | test.rs:55:22:55:30 | query_map | test.rs:60:22:60:29 | values.2 | $@ | test.rs:55:22:55:30 | query_map | query_map |
 | test.rs:65:18:65:20 | row | test.rs:64:26:64:35 | query_fold | test.rs:65:18:65:20 | row | $@ | test.rs:64:26:64:35 | query_fold | query_fold |
 | test.rs:68:14:68:18 | total | test.rs:64:26:64:35 | query_fold | test.rs:68:14:68:18 | total | $@ | test.rs:64:26:64:35 | query_fold | query_fold |
+| test.rs:74:18:74:19 | id | test.rs:70:22:70:31 | query_fold | test.rs:74:18:74:19 | id | $@ | test.rs:70:22:70:31 | query_fold | query_fold |
+| test.rs:75:18:75:21 | name | test.rs:70:22:70:31 | query_fold | test.rs:75:18:75:21 | name | $@ | test.rs:70:22:70:31 | query_fold | query_fold |
+| test.rs:76:18:76:20 | age | test.rs:70:22:70:31 | query_fold | test.rs:76:18:76:20 | age | $@ | test.rs:70:22:70:31 | query_fold | query_fold |
 | test.rs:106:14:106:15 | v1 | test.rs:105:28:105:30 | get | test.rs:106:14:106:15 | v1 | $@ | test.rs:105:28:105:30 | get | get |
 | test.rs:109:14:109:15 | v2 | test.rs:108:28:108:34 | get_opt | test.rs:109:14:109:15 | v2 | $@ | test.rs:108:28:108:34 | get_opt | get_opt |
 | test.rs:112:14:112:15 | v3 | test.rs:111:28:111:31 | take | test.rs:112:14:112:15 | v3 | $@ | test.rs:111:28:111:31 | take | take |
 | test.rs:115:14:115:15 | v4 | test.rs:114:28:114:35 | take_opt | test.rs:115:14:115:15 | v4 | $@ | test.rs:114:28:114:35 | take_opt | take_opt |
 | test.rs:138:22:138:27 | values | test.rs:135:22:135:30 | query_map | test.rs:138:22:138:27 | values | $@ | test.rs:135:22:135:30 | query_map | query_map |
+| test.rs:145:22:145:29 | values.0 | test.rs:142:22:142:30 | query_map | test.rs:145:22:145:29 | values.0 | $@ | test.rs:142:22:142:30 | query_map | query_map |
+| test.rs:146:22:146:29 | values.1 | test.rs:142:22:142:30 | query_map | test.rs:146:22:146:29 | values.1 | $@ | test.rs:142:22:142:30 | query_map | query_map |
+| test.rs:147:22:147:29 | values.2 | test.rs:142:22:142:30 | query_map | test.rs:147:22:147:29 | values.2 | $@ | test.rs:142:22:142:30 | query_map | query_map |
 | test.rs:152:18:152:20 | row | test.rs:151:26:151:35 | query_fold | test.rs:152:18:152:20 | row | $@ | test.rs:151:26:151:35 | query_fold | query_fold |
 | test.rs:155:14:155:18 | total | test.rs:151:26:151:35 | query_fold | test.rs:155:14:155:18 | total | $@ | test.rs:151:26:151:35 | query_fold | query_fold |
+| test.rs:161:18:161:19 | id | test.rs:157:22:157:31 | query_fold | test.rs:161:18:161:19 | id | $@ | test.rs:157:22:157:31 | query_fold | query_fold |
+| test.rs:162:18:162:21 | name | test.rs:157:22:157:31 | query_fold | test.rs:162:18:162:21 | name | $@ | test.rs:157:22:157:31 | query_fold | query_fold |
+| test.rs:163:18:163:20 | age | test.rs:157:22:157:31 | query_fold | test.rs:163:18:163:20 | age | $@ | test.rs:157:22:157:31 | query_fold | query_fold |
--- a/rust/ql/test/library-tests/dataflow/sources/database/test.rs
+++ b/rust/ql/test/library-tests/dataflow/sources/database/test.rs
@@ -55,9 +55,9 @@ mod test_mysql {
        let _ = conn.query_map( // $ Alert[rust/summary/taint-sources]
            "SELECT id, name, age FROM person",
            |values: (i64, String, i32)| -> () {
-                sink(values.0); // $ MISSING: hasTaintFlow
-                sink(values.1); // $ MISSING: hasTaintFlow
-                sink(values.2); // $ MISSING: hasTaintFlow
+                sink(values.0); // $ hasTaintFlow
+                sink(values.1); // $ hasTaintFlow
+                sink(values.2); // $ hasTaintFlow
            }
        )?;

@@ -71,9 +71,9 @@ mod test_mysql {
            let id: i64 = row.0;
            let name: String = row.1;
            let age: i32 = row.2;
-            sink(id); // $ MISSING: hasTaintFlow
-            sink(name); // $ MISSING: hasTaintFlow
-            sink(age); // $ MISSING: hasTaintFlow
+            sink(id); // $ hasTaintFlow
+            sink(name); // $ hasTaintFlow
+            sink(age); // $ hasTaintFlow
            acc + 1
        })?;

@@ -142,9 +142,9 @@ mod test_mysql_async {
        let _ = conn.query_map( // $ Alert[rust/summary/taint-sources]
            "SELECT id, name, age FROM person",
            |values: (i64, String, i32)| -> () {
-                sink(values.0); // $ MISSING: hasTaintFlow
-                sink(values.1); // $ MISSING: hasTaintFlow
-                sink(values.2); // $ MISSING: hasTaintFlow
+                sink(values.0); // $ hasTaintFlow
+                sink(values.1); // $ hasTaintFlow
+                sink(values.2); // $ hasTaintFlow
            }
        ).await?;

@@ -158,9 +158,9 @@ mod test_mysql_async {
            let id: i64 = row.0;
            let name: String = row.1;
            let age: i32 = row.2;
-            sink(id); // $ MISSING: hasTaintFlow
-            sink(name); // $ MISSING: hasTaintFlow
-            sink(age); // $ MISSING: hasTaintFlow
+            sink(id); // $ hasTaintFlow
+            sink(name); // $ hasTaintFlow
+            sink(age); // $ hasTaintFlow
            acc + 1
        }).await?;

--- a/rust/ql/test/library-tests/dataflow/sources/env/InlineFlow.expected
+++ b/rust/ql/test/library-tests/dataflow/sources/env/InlineFlow.expected
@@ -6,54 +6,64 @@ models
 | 5 | Source: std::env::home_dir; ReturnValue.Field[core::option::Option::Some(0)]; commandargs |
 | 6 | Source: std::env::var; ReturnValue.Field[core::result::Result::Ok(0)]; environment |
 | 7 | Source: std::env::var_os; ReturnValue.Field[core::option::Option::Some(0)]; environment |
-| 8 | Summary: <_ as core::iter::traits::iterator::Iterator>::collect; Argument[self].Element; ReturnValue.Element; value |
-| 9 | Summary: <_ as core::iter::traits::iterator::Iterator>::nth; Argument[self].Reference.Element; ReturnValue.Field[core::option::Option::Some(0)]; value |
-| 10 | Summary: <_ as core::ops::index::Index>::index; Argument[self].Reference.Element; ReturnValue.Reference; value |
-| 11 | Summary: <core::option::Option>::expect; Argument[self].Field[core::option::Option::Some(0)]; ReturnValue; value |
-| 12 | Summary: <core::option::Option>::unwrap; Argument[self].Field[core::option::Option::Some(0)]; ReturnValue; value |
-| 13 | Summary: <core::result::Result>::expect; Argument[self].Field[core::result::Result::Ok(0)]; ReturnValue; value |
-| 14 | Summary: <core::result::Result>::unwrap; Argument[self].Field[core::result::Result::Ok(0)]; ReturnValue; value |
-| 15 | Summary: <core::str>::parse; Argument[self]; ReturnValue.Field[core::result::Result::Ok(0)]; taint |
+| 8 | Source: std::env::vars; ReturnValue.Element; environment |
+| 9 | Source: std::env::vars_os; ReturnValue.Element; environment |
+| 10 | Summary: <_ as core::iter::traits::iterator::Iterator>::collect; Argument[self].Element; ReturnValue.Element; value |
+| 11 | Summary: <_ as core::iter::traits::iterator::Iterator>::nth; Argument[self].Reference.Element; ReturnValue.Field[core::option::Option::Some(0)]; value |
+| 12 | Summary: <_ as core::ops::index::Index>::index; Argument[self].Reference.Element; ReturnValue.Reference; value |
+| 13 | Summary: <core::option::Option>::expect; Argument[self].Field[core::option::Option::Some(0)]; ReturnValue; value |
+| 14 | Summary: <core::option::Option>::unwrap; Argument[self].Field[core::option::Option::Some(0)]; ReturnValue; value |
+| 15 | Summary: <core::result::Result>::expect; Argument[self].Field[core::result::Result::Ok(0)]; ReturnValue; value |
+| 16 | Summary: <core::result::Result>::unwrap; Argument[self].Field[core::result::Result::Ok(0)]; ReturnValue; value |
+| 17 | Summary: <core::str>::parse; Argument[self]; ReturnValue.Field[core::result::Result::Ok(0)]; taint |
 edges
 | test.rs:6:10:6:22 | ...::var | test.rs:6:10:6:30 | ...::var(...) | provenance | Src:MaD:6  |
 | test.rs:7:10:7:25 | ...::var_os | test.rs:7:10:7:33 | ...::var_os(...) | provenance | Src:MaD:7  |
 | test.rs:9:9:9:12 | var1 | test.rs:12:10:12:13 | var1 | provenance |  |
 | test.rs:9:16:9:28 | ...::var | test.rs:9:16:9:36 | ...::var(...) [Ok] | provenance | Src:MaD:6  |
-| test.rs:9:16:9:36 | ...::var(...) [Ok] | test.rs:9:16:9:59 | ... .expect(...) | provenance | MaD:13 |
+| test.rs:9:16:9:36 | ...::var(...) [Ok] | test.rs:9:16:9:59 | ... .expect(...) | provenance | MaD:15 |
 | test.rs:9:16:9:59 | ... .expect(...) | test.rs:9:9:9:12 | var1 | provenance |  |
 | test.rs:10:9:10:12 | var2 | test.rs:13:10:13:13 | var2 | provenance |  |
 | test.rs:10:16:10:31 | ...::var_os | test.rs:10:16:10:39 | ...::var_os(...) [Some] | provenance | Src:MaD:7  |
-| test.rs:10:16:10:39 | ...::var_os(...) [Some] | test.rs:10:16:10:48 | ... .unwrap() | provenance | MaD:12 |
+| test.rs:10:16:10:39 | ...::var_os(...) [Some] | test.rs:10:16:10:48 | ... .unwrap() | provenance | MaD:14 |
 | test.rs:10:16:10:48 | ... .unwrap() | test.rs:10:9:10:12 | var2 | provenance |  |
+| test.rs:15:9:15:20 | TuplePat | test.rs:16:14:16:16 | key | provenance |  |
+| test.rs:15:9:15:20 | TuplePat | test.rs:17:14:17:18 | value | provenance |  |
+| test.rs:15:25:15:38 | ...::vars | test.rs:15:25:15:40 | ...::vars(...) [element] | provenance | Src:MaD:8  |
+| test.rs:15:25:15:40 | ...::vars(...) [element] | test.rs:15:9:15:20 | TuplePat | provenance |  |
+| test.rs:20:9:20:20 | TuplePat | test.rs:21:14:21:16 | key | provenance |  |
+| test.rs:20:9:20:20 | TuplePat | test.rs:22:14:22:18 | value | provenance |  |
+| test.rs:20:25:20:41 | ...::vars_os | test.rs:20:25:20:43 | ...::vars_os(...) [element] | provenance | Src:MaD:9  |
+| test.rs:20:25:20:43 | ...::vars_os(...) [element] | test.rs:20:9:20:20 | TuplePat | provenance |  |
 | test.rs:27:9:27:12 | args [element] | test.rs:28:20:28:23 | args [element] | provenance |  |
 | test.rs:27:9:27:12 | args [element] | test.rs:29:17:29:20 | args [element] | provenance |  |
 | test.rs:27:29:27:42 | ...::args | test.rs:27:29:27:44 | ...::args(...) [element] | provenance | Src:MaD:1  |
-| test.rs:27:29:27:44 | ...::args(...) [element] | test.rs:27:29:27:54 | ... .collect() [element] | provenance | MaD:8 |
+| test.rs:27:29:27:44 | ...::args(...) [element] | test.rs:27:29:27:54 | ... .collect() [element] | provenance | MaD:10 |
 | test.rs:27:29:27:54 | ... .collect() [element] | test.rs:27:9:27:12 | args [element] | provenance |  |
 | test.rs:28:9:28:15 | my_path [&ref] | test.rs:34:10:34:16 | my_path | provenance |  |
 | test.rs:28:19:28:26 | &... [&ref] | test.rs:28:9:28:15 | my_path [&ref] | provenance |  |
-| test.rs:28:20:28:23 | args [element] | test.rs:28:20:28:26 | args[0] | provenance | MaD:10 |
+| test.rs:28:20:28:23 | args [element] | test.rs:28:20:28:26 | args[0] | provenance | MaD:12 |
 | test.rs:28:20:28:26 | args[0] | test.rs:28:19:28:26 | &... [&ref] | provenance |  |
 | test.rs:29:9:29:12 | arg1 [&ref] | test.rs:35:10:35:13 | arg1 | provenance |  |
 | test.rs:29:16:29:23 | &... [&ref] | test.rs:29:9:29:12 | arg1 [&ref] | provenance |  |
-| test.rs:29:17:29:20 | args [element] | test.rs:29:17:29:23 | args[1] | provenance | MaD:10 |
+| test.rs:29:17:29:20 | args [element] | test.rs:29:17:29:23 | args[1] | provenance | MaD:12 |
 | test.rs:29:17:29:23 | args[1] | test.rs:29:16:29:23 | &... [&ref] | provenance |  |
 | test.rs:30:9:30:12 | arg2 | test.rs:36:10:36:13 | arg2 | provenance |  |
 | test.rs:30:16:30:29 | ...::args | test.rs:30:16:30:31 | ...::args(...) [element] | provenance | Src:MaD:1  |
-| test.rs:30:16:30:31 | ...::args(...) [element] | test.rs:30:16:30:38 | ... .nth(...) [Some] | provenance | MaD:9 |
-| test.rs:30:16:30:38 | ... .nth(...) [Some] | test.rs:30:16:30:47 | ... .unwrap() | provenance | MaD:12 |
+| test.rs:30:16:30:31 | ...::args(...) [element] | test.rs:30:16:30:38 | ... .nth(...) [Some] | provenance | MaD:11 |
+| test.rs:30:16:30:38 | ... .nth(...) [Some] | test.rs:30:16:30:47 | ... .unwrap() | provenance | MaD:14 |
 | test.rs:30:16:30:47 | ... .unwrap() | test.rs:30:9:30:12 | arg2 | provenance |  |
 | test.rs:31:9:31:12 | arg3 | test.rs:37:10:37:13 | arg3 | provenance |  |
 | test.rs:31:16:31:32 | ...::args_os | test.rs:31:16:31:34 | ...::args_os(...) [element] | provenance | Src:MaD:2  |
-| test.rs:31:16:31:34 | ...::args_os(...) [element] | test.rs:31:16:31:41 | ... .nth(...) [Some] | provenance | MaD:9 |
-| test.rs:31:16:31:41 | ... .nth(...) [Some] | test.rs:31:16:31:50 | ... .unwrap() | provenance | MaD:12 |
+| test.rs:31:16:31:34 | ...::args_os(...) [element] | test.rs:31:16:31:41 | ... .nth(...) [Some] | provenance | MaD:11 |
+| test.rs:31:16:31:41 | ... .nth(...) [Some] | test.rs:31:16:31:50 | ... .unwrap() | provenance | MaD:14 |
 | test.rs:31:16:31:50 | ... .unwrap() | test.rs:31:9:31:12 | arg3 | provenance |  |
 | test.rs:32:9:32:12 | arg4 | test.rs:38:10:38:13 | arg4 | provenance |  |
 | test.rs:32:16:32:29 | ...::args | test.rs:32:16:32:31 | ...::args(...) [element] | provenance | Src:MaD:1  |
-| test.rs:32:16:32:31 | ...::args(...) [element] | test.rs:32:16:32:38 | ... .nth(...) [Some] | provenance | MaD:9 |
-| test.rs:32:16:32:38 | ... .nth(...) [Some] | test.rs:32:16:32:47 | ... .unwrap() | provenance | MaD:12 |
-| test.rs:32:16:32:47 | ... .unwrap() | test.rs:32:16:32:64 | ... .parse() [Ok] | provenance | MaD:15 |
-| test.rs:32:16:32:64 | ... .parse() [Ok] | test.rs:32:16:32:73 | ... .unwrap() | provenance | MaD:14 |
+| test.rs:32:16:32:31 | ...::args(...) [element] | test.rs:32:16:32:38 | ... .nth(...) [Some] | provenance | MaD:11 |
+| test.rs:32:16:32:38 | ... .nth(...) [Some] | test.rs:32:16:32:47 | ... .unwrap() | provenance | MaD:14 |
+| test.rs:32:16:32:47 | ... .unwrap() | test.rs:32:16:32:64 | ... .parse() [Ok] | provenance | MaD:17 |
+| test.rs:32:16:32:64 | ... .parse() [Ok] | test.rs:32:16:32:73 | ... .unwrap() | provenance | MaD:16 |
 | test.rs:32:16:32:73 | ... .unwrap() | test.rs:32:9:32:12 | arg4 | provenance |  |
 | test.rs:40:9:40:11 | arg | test.rs:41:14:41:16 | arg | provenance |  |
 | test.rs:40:16:40:29 | ...::args | test.rs:40:16:40:31 | ...::args(...) [element] | provenance | Src:MaD:1  |
@@ -63,15 +73,15 @@ edges
 | test.rs:44:16:44:34 | ...::args_os(...) [element] | test.rs:44:9:44:11 | arg | provenance |  |
 | test.rs:50:9:50:11 | dir | test.rs:54:10:54:12 | dir | provenance |  |
 | test.rs:50:15:50:35 | ...::current_dir | test.rs:50:15:50:37 | ...::current_dir(...) [Ok] | provenance | Src:MaD:3  |
-| test.rs:50:15:50:37 | ...::current_dir(...) [Ok] | test.rs:50:15:50:54 | ... .expect(...) | provenance | MaD:13 |
+| test.rs:50:15:50:37 | ...::current_dir(...) [Ok] | test.rs:50:15:50:54 | ... .expect(...) | provenance | MaD:15 |
 | test.rs:50:15:50:54 | ... .expect(...) | test.rs:50:9:50:11 | dir | provenance |  |
 | test.rs:51:9:51:11 | exe | test.rs:55:10:55:12 | exe | provenance |  |
 | test.rs:51:15:51:35 | ...::current_exe | test.rs:51:15:51:37 | ...::current_exe(...) [Ok] | provenance | Src:MaD:4  |
-| test.rs:51:15:51:37 | ...::current_exe(...) [Ok] | test.rs:51:15:51:54 | ... .expect(...) | provenance | MaD:13 |
+| test.rs:51:15:51:37 | ...::current_exe(...) [Ok] | test.rs:51:15:51:54 | ... .expect(...) | provenance | MaD:15 |
 | test.rs:51:15:51:54 | ... .expect(...) | test.rs:51:9:51:11 | exe | provenance |  |
 | test.rs:52:9:52:12 | home | test.rs:56:10:56:13 | home | provenance |  |
 | test.rs:52:16:52:33 | ...::home_dir | test.rs:52:16:52:35 | ...::home_dir(...) [Some] | provenance | Src:MaD:5  |
-| test.rs:52:16:52:35 | ...::home_dir(...) [Some] | test.rs:52:16:52:52 | ... .expect(...) | provenance | MaD:11 |
+| test.rs:52:16:52:35 | ...::home_dir(...) [Some] | test.rs:52:16:52:52 | ... .expect(...) | provenance | MaD:13 |
 | test.rs:52:16:52:52 | ... .expect(...) | test.rs:52:9:52:12 | home | provenance |  |
 nodes
 | test.rs:6:10:6:22 | ...::var | semmle.label | ...::var |
@@ -88,6 +98,16 @@ nodes
 | test.rs:10:16:10:48 | ... .unwrap() | semmle.label | ... .unwrap() |
 | test.rs:12:10:12:13 | var1 | semmle.label | var1 |
 | test.rs:13:10:13:13 | var2 | semmle.label | var2 |
+| test.rs:15:9:15:20 | TuplePat | semmle.label | TuplePat |
+| test.rs:15:25:15:38 | ...::vars | semmle.label | ...::vars |
+| test.rs:15:25:15:40 | ...::vars(...) [element] | semmle.label | ...::vars(...) [element] |
+| test.rs:16:14:16:16 | key | semmle.label | key |
+| test.rs:17:14:17:18 | value | semmle.label | value |
+| test.rs:20:9:20:20 | TuplePat | semmle.label | TuplePat |
+| test.rs:20:25:20:41 | ...::vars_os | semmle.label | ...::vars_os |
+| test.rs:20:25:20:43 | ...::vars_os(...) [element] | semmle.label | ...::vars_os(...) [element] |
+| test.rs:21:14:21:16 | key | semmle.label | key |
+| test.rs:22:14:22:18 | value | semmle.label | value |
 | test.rs:27:9:27:12 | args [element] | semmle.label | args [element] |
 | test.rs:27:29:27:42 | ...::args | semmle.label | ...::args |
 | test.rs:27:29:27:44 | ...::args(...) [element] | semmle.label | ...::args(...) [element] |
@@ -152,6 +172,10 @@ testFailures
 | test.rs:7:10:7:33 | ...::var_os(...) | test.rs:7:10:7:25 | ...::var_os | test.rs:7:10:7:33 | ...::var_os(...) | $@ | test.rs:7:10:7:25 | ...::var_os | ...::var_os |
 | test.rs:12:10:12:13 | var1 | test.rs:9:16:9:28 | ...::var | test.rs:12:10:12:13 | var1 | $@ | test.rs:9:16:9:28 | ...::var | ...::var |
 | test.rs:13:10:13:13 | var2 | test.rs:10:16:10:31 | ...::var_os | test.rs:13:10:13:13 | var2 | $@ | test.rs:10:16:10:31 | ...::var_os | ...::var_os |
+| test.rs:16:14:16:16 | key | test.rs:15:25:15:38 | ...::vars | test.rs:16:14:16:16 | key | $@ | test.rs:15:25:15:38 | ...::vars | ...::vars |
+| test.rs:17:14:17:18 | value | test.rs:15:25:15:38 | ...::vars | test.rs:17:14:17:18 | value | $@ | test.rs:15:25:15:38 | ...::vars | ...::vars |
+| test.rs:21:14:21:16 | key | test.rs:20:25:20:41 | ...::vars_os | test.rs:21:14:21:16 | key | $@ | test.rs:20:25:20:41 | ...::vars_os | ...::vars_os |
+| test.rs:22:14:22:18 | value | test.rs:20:25:20:41 | ...::vars_os | test.rs:22:14:22:18 | value | $@ | test.rs:20:25:20:41 | ...::vars_os | ...::vars_os |
 | test.rs:34:10:34:16 | my_path | test.rs:27:29:27:42 | ...::args | test.rs:34:10:34:16 | my_path | $@ | test.rs:27:29:27:42 | ...::args | ...::args |
 | test.rs:35:10:35:13 | arg1 | test.rs:27:29:27:42 | ...::args | test.rs:35:10:35:13 | arg1 | $@ | test.rs:27:29:27:42 | ...::args | ...::args |
 | test.rs:36:10:36:13 | arg2 | test.rs:30:16:30:29 | ...::args | test.rs:36:10:36:13 | arg2 | $@ | test.rs:30:16:30:29 | ...::args | ...::args |
--- a/rust/ql/test/library-tests/dataflow/sources/env/test.rs
+++ b/rust/ql/test/library-tests/dataflow/sources/env/test.rs
@@ -13,13 +13,13 @@ fn test_env_vars() {
    sink(var2); // $ hasTaintFlow="PATH"

    for (key, value) in std::env::vars() { // $ Alert[rust/summary/taint-sources]
-        sink(key); // $ MISSING: hasTaintFlow
-        sink(value); // $ MISSING: hasTaintFlow
+        sink(key); // $ hasTaintFlow
+        sink(value); // $ hasTaintFlow
    }

    for (key, value) in std::env::vars_os() { // $ Alert[rust/summary/taint-sources]
-        sink(key); // $ MISSING: hasTaintFlow
-        sink(value); // $ MISSING: hasTaintFlow
+        sink(key); // $ hasTaintFlow
+        sink(value); // $ hasTaintFlow
    }
 }

--- a/rust/ql/test/library-tests/dataflow/sources/file/InlineFlow.expected
+++ b/rust/ql/test/library-tests/dataflow/sources/file/InlineFlow.expected
@@ -41,20 +41,26 @@ models
 edges
 | test.rs:12:13:12:18 | buffer | test.rs:13:14:13:19 | buffer | provenance |  |
 | test.rs:12:31:12:43 | ...::read | test.rs:12:31:12:43 | ...::read [Ok] | provenance | Src:MaD:11  |
+| test.rs:12:31:12:43 | ...::read | test.rs:12:31:12:55 | ...::read(...) | provenance | Src:MaD:12 MaD:12 |
 | test.rs:12:31:12:43 | ...::read | test.rs:12:31:12:55 | ...::read(...) [Ok] | provenance | Src:MaD:11  |
 | test.rs:12:31:12:43 | ...::read [Ok] | test.rs:12:31:12:55 | ...::read(...) [Ok] | provenance | MaD:12 |
+| test.rs:12:31:12:55 | ...::read(...) | test.rs:12:13:12:18 | buffer | provenance |  |
 | test.rs:12:31:12:55 | ...::read(...) [Ok] | test.rs:12:31:12:56 | TryExpr | provenance |  |
 | test.rs:12:31:12:56 | TryExpr | test.rs:12:13:12:18 | buffer | provenance |  |
 | test.rs:17:13:17:18 | buffer | test.rs:18:14:18:19 | buffer | provenance |  |
 | test.rs:17:31:17:38 | ...::read | test.rs:17:31:17:38 | ...::read [Ok] | provenance | Src:MaD:11  |
+| test.rs:17:31:17:38 | ...::read | test.rs:17:31:17:50 | ...::read(...) | provenance | Src:MaD:12 MaD:12 |
 | test.rs:17:31:17:38 | ...::read | test.rs:17:31:17:50 | ...::read(...) [Ok] | provenance | Src:MaD:11  |
 | test.rs:17:31:17:38 | ...::read [Ok] | test.rs:17:31:17:50 | ...::read(...) [Ok] | provenance | MaD:12 |
+| test.rs:17:31:17:50 | ...::read(...) | test.rs:17:13:17:18 | buffer | provenance |  |
 | test.rs:17:31:17:50 | ...::read(...) [Ok] | test.rs:17:31:17:51 | TryExpr | provenance |  |
 | test.rs:17:31:17:51 | TryExpr | test.rs:17:13:17:18 | buffer | provenance |  |
 | test.rs:22:13:22:18 | buffer | test.rs:23:14:23:19 | buffer | provenance |  |
 | test.rs:22:22:22:39 | ...::read_to_string | test.rs:22:22:22:39 | ...::read_to_string [Ok] | provenance | Src:MaD:14  |
+| test.rs:22:22:22:39 | ...::read_to_string | test.rs:22:22:22:51 | ...::read_to_string(...) | provenance | Src:MaD:15 MaD:15 |
 | test.rs:22:22:22:39 | ...::read_to_string | test.rs:22:22:22:51 | ...::read_to_string(...) [Ok] | provenance | Src:MaD:14  |
 | test.rs:22:22:22:39 | ...::read_to_string [Ok] | test.rs:22:22:22:51 | ...::read_to_string(...) [Ok] | provenance | MaD:15 |
+| test.rs:22:22:22:51 | ...::read_to_string(...) | test.rs:22:13:22:18 | buffer | provenance |  |
 | test.rs:22:22:22:51 | ...::read_to_string(...) [Ok] | test.rs:22:22:22:52 | TryExpr | provenance |  |
 | test.rs:22:22:22:52 | TryExpr | test.rs:22:13:22:18 | buffer | provenance |  |
 | test.rs:29:13:29:16 | path | test.rs:30:14:30:17 | path | provenance |  |
@@ -262,19 +268,25 @@ edges
 nodes
 | test.rs:12:13:12:18 | buffer | semmle.label | buffer |
 | test.rs:12:31:12:43 | ...::read | semmle.label | ...::read |
+| test.rs:12:31:12:43 | ...::read | semmle.label | ...::read |
 | test.rs:12:31:12:43 | ...::read [Ok] | semmle.label | ...::read [Ok] |
+| test.rs:12:31:12:55 | ...::read(...) | semmle.label | ...::read(...) |
 | test.rs:12:31:12:55 | ...::read(...) [Ok] | semmle.label | ...::read(...) [Ok] |
 | test.rs:12:31:12:56 | TryExpr | semmle.label | TryExpr |
 | test.rs:13:14:13:19 | buffer | semmle.label | buffer |
 | test.rs:17:13:17:18 | buffer | semmle.label | buffer |
 | test.rs:17:31:17:38 | ...::read | semmle.label | ...::read |
+| test.rs:17:31:17:38 | ...::read | semmle.label | ...::read |
 | test.rs:17:31:17:38 | ...::read [Ok] | semmle.label | ...::read [Ok] |
+| test.rs:17:31:17:50 | ...::read(...) | semmle.label | ...::read(...) |
 | test.rs:17:31:17:50 | ...::read(...) [Ok] | semmle.label | ...::read(...) [Ok] |
 | test.rs:17:31:17:51 | TryExpr | semmle.label | TryExpr |
 | test.rs:18:14:18:19 | buffer | semmle.label | buffer |
 | test.rs:22:13:22:18 | buffer | semmle.label | buffer |
 | test.rs:22:22:22:39 | ...::read_to_string | semmle.label | ...::read_to_string |
+| test.rs:22:22:22:39 | ...::read_to_string | semmle.label | ...::read_to_string |
 | test.rs:22:22:22:39 | ...::read_to_string [Ok] | semmle.label | ...::read_to_string [Ok] |
+| test.rs:22:22:22:51 | ...::read_to_string(...) | semmle.label | ...::read_to_string(...) |
 | test.rs:22:22:22:51 | ...::read_to_string(...) [Ok] | semmle.label | ...::read_to_string(...) [Ok] |
 | test.rs:22:22:22:52 | TryExpr | semmle.label | TryExpr |
 | test.rs:23:14:23:19 | buffer | semmle.label | buffer |
@@ -503,7 +515,10 @@ subpaths
 testFailures
 #select
 | test.rs:13:14:13:19 | buffer | test.rs:12:31:12:43 | ...::read | test.rs:13:14:13:19 | buffer | $@ | test.rs:12:31:12:43 | ...::read | ...::read |
+| test.rs:13:14:13:19 | buffer | test.rs:12:31:12:43 | ...::read | test.rs:13:14:13:19 | buffer | $@ | test.rs:12:31:12:43 | ...::read | ...::read |
 | test.rs:18:14:18:19 | buffer | test.rs:17:31:17:38 | ...::read | test.rs:18:14:18:19 | buffer | $@ | test.rs:17:31:17:38 | ...::read | ...::read |
+| test.rs:18:14:18:19 | buffer | test.rs:17:31:17:38 | ...::read | test.rs:18:14:18:19 | buffer | $@ | test.rs:17:31:17:38 | ...::read | ...::read |
+| test.rs:23:14:23:19 | buffer | test.rs:22:22:22:39 | ...::read_to_string | test.rs:23:14:23:19 | buffer | $@ | test.rs:22:22:22:39 | ...::read_to_string | ...::read_to_string |
 | test.rs:23:14:23:19 | buffer | test.rs:22:22:22:39 | ...::read_to_string | test.rs:23:14:23:19 | buffer | $@ | test.rs:22:22:22:39 | ...::read_to_string | ...::read_to_string |
 | test.rs:30:14:30:25 | path.clone() | test.rs:29:22:29:25 | path | test.rs:30:14:30:25 | path.clone() | $@ | test.rs:29:22:29:25 | path | path |
 | test.rs:31:14:31:35 | ... .as_path() | test.rs:29:22:29:25 | path | test.rs:31:14:31:35 | ... .as_path() | $@ | test.rs:29:22:29:25 | path | path |
--- a/rust/ql/test/library-tests/dataflow/sources/net/test.rs
+++ b/rust/ql/test/library-tests/dataflow/sources/net/test.rs
@@ -204,7 +204,7 @@ async fn test_std_tcpstream(case: i64) -> std::io::Result<()> {
                for line in reader.lines() { // $ MISSING: Alert[rust/summary/taint-sources]
                    if let Ok(string) = line {
                        println!("line = {}", string);
-                        sink(string); // $ MISSING: hasTaintFlow
+                        sink(string); // $ MISSING: hasTaintFlow=&sock_addr
                    }
                }
            }
--- a/rust/ql/test/library-tests/dataflow/sources/web_frameworks/InlineFlow.expected
+++ b/rust/ql/test/library-tests/dataflow/sources/web_frameworks/InlineFlow.expected
@@ -4,73 +4,44 @@ models
 | 3 | Source: <_ as warp::filter::Filter>::then; Argument[0].Parameter[0..7]; remote |
 | 4 | Source: <actix_web::resource::Resource>::to; Argument[0].Parameter[0..7]; remote |
 | 5 | Source: <actix_web::route::Route>::to; Argument[0].Parameter[0..7]; remote |
-| 6 | Summary: <actix_web::types::path::Path>::into_inner; Argument[self]; ReturnValue.Field[0]; taint |
-| 7 | Summary: <actix_web::types::path::Path>::into_inner; Argument[self]; ReturnValue.Field[1]; taint |
-| 8 | Summary: <actix_web::types::path::Path>::into_inner; Argument[self]; ReturnValue.Field[2]; taint |
-| 9 | Summary: <actix_web::types::path::Path>::into_inner; Argument[self]; ReturnValue; taint |
-| 10 | Summary: <alloc::string::String>::as_bytes; Argument[self]; ReturnValue; value |
-| 11 | Summary: <alloc::string::String>::as_str; Argument[self]; ReturnValue; value |
+| 6 | Summary: <actix_web::types::path::Path>::into_inner; Argument[self]; ReturnValue; taint |
+| 7 | Summary: <alloc::string::String>::as_bytes; Argument[self]; ReturnValue; value |
+| 8 | Summary: <alloc::string::String>::as_str; Argument[self]; ReturnValue; value |
 edges
 | test.rs:11:31:11:31 | a | test.rs:13:14:13:14 | a | provenance |  |
 | test.rs:11:31:11:31 | a | test.rs:14:14:14:14 | a | provenance |  |
 | test.rs:11:31:11:31 | a | test.rs:15:14:15:14 | a | provenance |  |
-| test.rs:13:14:13:14 | a | test.rs:13:14:13:23 | a.as_str() | provenance | MaD:11 |
-| test.rs:14:14:14:14 | a | test.rs:14:14:14:25 | a.as_bytes() | provenance | MaD:10 |
+| test.rs:13:14:13:14 | a | test.rs:13:14:13:23 | a.as_str() | provenance | MaD:8 |
+| test.rs:14:14:14:14 | a | test.rs:14:14:14:25 | a.as_bytes() | provenance | MaD:7 |
+| test.rs:22:14:22:19 | TuplePat | test.rs:24:14:24:14 | a | provenance |  |
+| test.rs:22:14:22:19 | TuplePat | test.rs:25:14:25:14 | b | provenance |  |
+| test.rs:48:14:48:30 | MyStruct {...} | test.rs:50:14:50:14 | a | provenance |  |
+| test.rs:48:14:48:30 | MyStruct {...} | test.rs:51:14:51:14 | b | provenance |  |
+| test.rs:58:14:58:15 | ms | test.rs:60:14:60:17 | ms.a | provenance |  |
+| test.rs:58:14:58:15 | ms | test.rs:61:14:61:17 | ms.b | provenance |  |
 | test.rs:68:15:68:15 | a | test.rs:70:14:70:14 | a | provenance |  |
 | test.rs:98:9:98:31 | ...: ...::Path::<...> | test.rs:100:17:100:20 | path | provenance |  |
 | test.rs:100:13:100:13 | a | test.rs:101:14:101:14 | a | provenance |  |
 | test.rs:100:13:100:13 | a | test.rs:102:14:102:14 | a | provenance |  |
 | test.rs:100:13:100:13 | a | test.rs:103:14:103:14 | a | provenance |  |
-| test.rs:100:13:100:13 | a [tuple.0] | test.rs:101:14:101:14 | a [tuple.0] | provenance |  |
-| test.rs:100:13:100:13 | a [tuple.0] | test.rs:102:14:102:14 | a [tuple.0] | provenance |  |
-| test.rs:100:13:100:13 | a [tuple.0] | test.rs:103:14:103:14 | a | provenance |  |
-| test.rs:100:13:100:13 | a [tuple.1] | test.rs:101:14:101:14 | a [tuple.1] | provenance |  |
-| test.rs:100:13:100:13 | a [tuple.1] | test.rs:102:14:102:14 | a [tuple.1] | provenance |  |
-| test.rs:100:13:100:13 | a [tuple.1] | test.rs:103:14:103:14 | a | provenance |  |
-| test.rs:100:13:100:13 | a [tuple.2] | test.rs:101:14:101:14 | a [tuple.2] | provenance |  |
-| test.rs:100:13:100:13 | a [tuple.2] | test.rs:102:14:102:14 | a [tuple.2] | provenance |  |
-| test.rs:100:13:100:13 | a [tuple.2] | test.rs:103:14:103:14 | a | provenance |  |
-| test.rs:100:17:100:20 | path | test.rs:100:17:100:33 | path.into_inner() | provenance | MaD:9 |
-| test.rs:100:17:100:20 | path | test.rs:100:17:100:33 | path.into_inner() [tuple.0] | provenance | MaD:6 |
-| test.rs:100:17:100:20 | path | test.rs:100:17:100:33 | path.into_inner() [tuple.1] | provenance | MaD:7 |
-| test.rs:100:17:100:20 | path | test.rs:100:17:100:33 | path.into_inner() [tuple.2] | provenance | MaD:8 |
+| test.rs:100:17:100:20 | path | test.rs:100:17:100:33 | path.into_inner() | provenance | MaD:6 |
 | test.rs:100:17:100:33 | path.into_inner() | test.rs:100:13:100:13 | a | provenance |  |
-| test.rs:100:17:100:33 | path.into_inner() [tuple.0] | test.rs:100:13:100:13 | a [tuple.0] | provenance |  |
-| test.rs:100:17:100:33 | path.into_inner() [tuple.1] | test.rs:100:13:100:13 | a [tuple.1] | provenance |  |
-| test.rs:100:17:100:33 | path.into_inner() [tuple.2] | test.rs:100:13:100:13 | a [tuple.2] | provenance |  |
-| test.rs:101:14:101:14 | a | test.rs:101:14:101:23 | a.as_str() | provenance | MaD:11 |
-| test.rs:101:14:101:14 | a [tuple.0] | test.rs:101:14:101:23 | a.as_str() | provenance | MaD:11 |
-| test.rs:101:14:101:14 | a [tuple.1] | test.rs:101:14:101:23 | a.as_str() | provenance | MaD:11 |
-| test.rs:101:14:101:14 | a [tuple.2] | test.rs:101:14:101:23 | a.as_str() | provenance | MaD:11 |
-| test.rs:102:14:102:14 | a | test.rs:102:14:102:25 | a.as_bytes() | provenance | MaD:10 |
-| test.rs:102:14:102:14 | a [tuple.0] | test.rs:102:14:102:25 | a.as_bytes() | provenance | MaD:10 |
-| test.rs:102:14:102:14 | a [tuple.1] | test.rs:102:14:102:25 | a.as_bytes() | provenance | MaD:10 |
-| test.rs:102:14:102:14 | a [tuple.2] | test.rs:102:14:102:25 | a.as_bytes() | provenance | MaD:10 |
+| test.rs:101:14:101:14 | a | test.rs:101:14:101:23 | a.as_str() | provenance | MaD:8 |
+| test.rs:102:14:102:14 | a | test.rs:102:14:102:25 | a.as_bytes() | provenance | MaD:7 |
 | test.rs:109:9:109:41 | ...: ...::Path::<...> | test.rs:111:22:111:25 | path | provenance |  |
-| test.rs:111:13:111:18 | TuplePat [tuple.0] | test.rs:111:14:111:14 | a | provenance |  |
-| test.rs:111:13:111:18 | TuplePat [tuple.1] | test.rs:111:17:111:17 | b | provenance |  |
-| test.rs:111:14:111:14 | a | test.rs:113:14:113:14 | a | provenance |  |
-| test.rs:111:17:111:17 | b | test.rs:114:14:114:14 | b | provenance |  |
-| test.rs:111:22:111:25 | path | test.rs:111:22:111:38 | path.into_inner() [tuple.0] | provenance | MaD:6 |
-| test.rs:111:22:111:25 | path | test.rs:111:22:111:38 | path.into_inner() [tuple.1] | provenance | MaD:7 |
-| test.rs:111:22:111:38 | path.into_inner() [tuple.0] | test.rs:111:13:111:18 | TuplePat [tuple.0] | provenance |  |
-| test.rs:111:22:111:38 | path.into_inner() [tuple.1] | test.rs:111:13:111:18 | TuplePat [tuple.1] | provenance |  |
+| test.rs:111:13:111:18 | TuplePat | test.rs:113:14:113:14 | a | provenance |  |
+| test.rs:111:13:111:18 | TuplePat | test.rs:114:14:114:14 | b | provenance |  |
+| test.rs:111:22:111:25 | path | test.rs:111:22:111:38 | path.into_inner() | provenance | MaD:6 |
+| test.rs:111:22:111:38 | path.into_inner() | test.rs:111:13:111:18 | TuplePat | provenance |  |
+| test.rs:120:9:120:41 | ...: ...::Query::<...> | test.rs:122:14:122:14 | a | provenance |  |
 | test.rs:127:5:127:20 | to | test.rs:129:9:129:31 | ...: ...::Path::<...> | provenance | Src:MaD:4  |
 | test.rs:129:9:129:31 | ...: ...::Path::<...> | test.rs:131:17:131:20 | path | provenance |  |
 | test.rs:131:13:131:13 | a | test.rs:132:14:132:14 | a | provenance |  |
-| test.rs:131:13:131:13 | a [tuple.0] | test.rs:132:14:132:14 | a | provenance |  |
-| test.rs:131:13:131:13 | a [tuple.1] | test.rs:132:14:132:14 | a | provenance |  |
-| test.rs:131:13:131:13 | a [tuple.2] | test.rs:132:14:132:14 | a | provenance |  |
-| test.rs:131:17:131:20 | path | test.rs:131:17:131:33 | path.into_inner() | provenance | MaD:9 |
-| test.rs:131:17:131:20 | path | test.rs:131:17:131:33 | path.into_inner() [tuple.0] | provenance | MaD:6 |
-| test.rs:131:17:131:20 | path | test.rs:131:17:131:33 | path.into_inner() [tuple.1] | provenance | MaD:7 |
-| test.rs:131:17:131:20 | path | test.rs:131:17:131:33 | path.into_inner() [tuple.2] | provenance | MaD:8 |
+| test.rs:131:17:131:20 | path | test.rs:131:17:131:33 | path.into_inner() | provenance | MaD:6 |
 | test.rs:131:17:131:33 | path.into_inner() | test.rs:131:13:131:13 | a | provenance |  |
-| test.rs:131:17:131:33 | path.into_inner() [tuple.0] | test.rs:131:13:131:13 | a [tuple.0] | provenance |  |
-| test.rs:131:17:131:33 | path.into_inner() [tuple.1] | test.rs:131:13:131:13 | a [tuple.1] | provenance |  |
-| test.rs:131:17:131:33 | path.into_inner() [tuple.2] | test.rs:131:13:131:13 | a [tuple.2] | provenance |  |
 | test.rs:139:41:139:42 | to | test.rs:98:9:98:31 | ...: ...::Path::<...> | provenance | Src:MaD:5  |
 | test.rs:140:45:140:46 | to | test.rs:109:9:109:41 | ...: ...::Path::<...> | provenance | Src:MaD:5  |
+| test.rs:141:41:141:42 | to | test.rs:120:9:120:41 | ...: ...::Query::<...> | provenance | Src:MaD:5  |
 | test.rs:242:33:242:35 | map | test.rs:242:38:242:46 | ...: String | provenance | Src:MaD:2  |
 | test.rs:242:38:242:46 | ...: String | test.rs:244:18:244:18 | a | provenance |  |
 | test.rs:250:46:250:49 | then | test.rs:251:25:251:33 | ...: String | provenance | Src:MaD:3  |
@@ -86,53 +57,43 @@ nodes
 | test.rs:14:14:14:14 | a | semmle.label | a |
 | test.rs:14:14:14:25 | a.as_bytes() | semmle.label | a.as_bytes() |
 | test.rs:15:14:15:14 | a | semmle.label | a |
+| test.rs:22:14:22:19 | TuplePat | semmle.label | TuplePat |
+| test.rs:24:14:24:14 | a | semmle.label | a |
+| test.rs:25:14:25:14 | b | semmle.label | b |
+| test.rs:48:14:48:30 | MyStruct {...} | semmle.label | MyStruct {...} |
+| test.rs:50:14:50:14 | a | semmle.label | a |
+| test.rs:51:14:51:14 | b | semmle.label | b |
+| test.rs:58:14:58:15 | ms | semmle.label | ms |
+| test.rs:60:14:60:17 | ms.a | semmle.label | ms.a |
+| test.rs:61:14:61:17 | ms.b | semmle.label | ms.b |
 | test.rs:68:15:68:15 | a | semmle.label | a |
 | test.rs:70:14:70:14 | a | semmle.label | a |
 | test.rs:98:9:98:31 | ...: ...::Path::<...> | semmle.label | ...: ...::Path::<...> |
 | test.rs:100:13:100:13 | a | semmle.label | a |
-| test.rs:100:13:100:13 | a [tuple.0] | semmle.label | a [tuple.0] |
-| test.rs:100:13:100:13 | a [tuple.1] | semmle.label | a [tuple.1] |
-| test.rs:100:13:100:13 | a [tuple.2] | semmle.label | a [tuple.2] |
 | test.rs:100:17:100:20 | path | semmle.label | path |
 | test.rs:100:17:100:33 | path.into_inner() | semmle.label | path.into_inner() |
-| test.rs:100:17:100:33 | path.into_inner() [tuple.0] | semmle.label | path.into_inner() [tuple.0] |
-| test.rs:100:17:100:33 | path.into_inner() [tuple.1] | semmle.label | path.into_inner() [tuple.1] |
-| test.rs:100:17:100:33 | path.into_inner() [tuple.2] | semmle.label | path.into_inner() [tuple.2] |
 | test.rs:101:14:101:14 | a | semmle.label | a |
-| test.rs:101:14:101:14 | a [tuple.0] | semmle.label | a [tuple.0] |
-| test.rs:101:14:101:14 | a [tuple.1] | semmle.label | a [tuple.1] |
-| test.rs:101:14:101:14 | a [tuple.2] | semmle.label | a [tuple.2] |
 | test.rs:101:14:101:23 | a.as_str() | semmle.label | a.as_str() |
 | test.rs:102:14:102:14 | a | semmle.label | a |
-| test.rs:102:14:102:14 | a [tuple.0] | semmle.label | a [tuple.0] |
-| test.rs:102:14:102:14 | a [tuple.1] | semmle.label | a [tuple.1] |
-| test.rs:102:14:102:14 | a [tuple.2] | semmle.label | a [tuple.2] |
 | test.rs:102:14:102:25 | a.as_bytes() | semmle.label | a.as_bytes() |
 | test.rs:103:14:103:14 | a | semmle.label | a |
 | test.rs:109:9:109:41 | ...: ...::Path::<...> | semmle.label | ...: ...::Path::<...> |
-| test.rs:111:13:111:18 | TuplePat [tuple.0] | semmle.label | TuplePat [tuple.0] |
-| test.rs:111:13:111:18 | TuplePat [tuple.1] | semmle.label | TuplePat [tuple.1] |
-| test.rs:111:14:111:14 | a | semmle.label | a |
-| test.rs:111:17:111:17 | b | semmle.label | b |
+| test.rs:111:13:111:18 | TuplePat | semmle.label | TuplePat |
 | test.rs:111:22:111:25 | path | semmle.label | path |
-| test.rs:111:22:111:38 | path.into_inner() [tuple.0] | semmle.label | path.into_inner() [tuple.0] |
-| test.rs:111:22:111:38 | path.into_inner() [tuple.1] | semmle.label | path.into_inner() [tuple.1] |
+| test.rs:111:22:111:38 | path.into_inner() | semmle.label | path.into_inner() |
 | test.rs:113:14:113:14 | a | semmle.label | a |
 | test.rs:114:14:114:14 | b | semmle.label | b |
+| test.rs:120:9:120:41 | ...: ...::Query::<...> | semmle.label | ...: ...::Query::<...> |
+| test.rs:122:14:122:14 | a | semmle.label | a |
 | test.rs:127:5:127:20 | to | semmle.label | to |
 | test.rs:129:9:129:31 | ...: ...::Path::<...> | semmle.label | ...: ...::Path::<...> |
 | test.rs:131:13:131:13 | a | semmle.label | a |
-| test.rs:131:13:131:13 | a [tuple.0] | semmle.label | a [tuple.0] |
-| test.rs:131:13:131:13 | a [tuple.1] | semmle.label | a [tuple.1] |
-| test.rs:131:13:131:13 | a [tuple.2] | semmle.label | a [tuple.2] |
 | test.rs:131:17:131:20 | path | semmle.label | path |
 | test.rs:131:17:131:33 | path.into_inner() | semmle.label | path.into_inner() |
-| test.rs:131:17:131:33 | path.into_inner() [tuple.0] | semmle.label | path.into_inner() [tuple.0] |
-| test.rs:131:17:131:33 | path.into_inner() [tuple.1] | semmle.label | path.into_inner() [tuple.1] |
-| test.rs:131:17:131:33 | path.into_inner() [tuple.2] | semmle.label | path.into_inner() [tuple.2] |
 | test.rs:132:14:132:14 | a | semmle.label | a |
 | test.rs:139:41:139:42 | to | semmle.label | to |
 | test.rs:140:45:140:46 | to | semmle.label | to |
+| test.rs:141:41:141:42 | to | semmle.label | to |
 | test.rs:242:33:242:35 | map | semmle.label | map |
 | test.rs:242:38:242:46 | ...: String | semmle.label | ...: String |
 | test.rs:244:18:244:18 | a | semmle.label | a |
@@ -151,12 +112,19 @@ testFailures
 | test.rs:13:14:13:23 | a.as_str() | test.rs:11:31:11:31 | a | test.rs:13:14:13:23 | a.as_str() | $@ | test.rs:11:31:11:31 | a | a |
 | test.rs:14:14:14:25 | a.as_bytes() | test.rs:11:31:11:31 | a | test.rs:14:14:14:25 | a.as_bytes() | $@ | test.rs:11:31:11:31 | a | a |
 | test.rs:15:14:15:14 | a | test.rs:11:31:11:31 | a | test.rs:15:14:15:14 | a | $@ | test.rs:11:31:11:31 | a | a |
+| test.rs:24:14:24:14 | a | test.rs:22:14:22:19 | TuplePat | test.rs:24:14:24:14 | a | $@ | test.rs:22:14:22:19 | TuplePat | TuplePat |
+| test.rs:25:14:25:14 | b | test.rs:22:14:22:19 | TuplePat | test.rs:25:14:25:14 | b | $@ | test.rs:22:14:22:19 | TuplePat | TuplePat |
+| test.rs:50:14:50:14 | a | test.rs:48:14:48:30 | MyStruct {...} | test.rs:50:14:50:14 | a | $@ | test.rs:48:14:48:30 | MyStruct {...} | MyStruct {...} |
+| test.rs:51:14:51:14 | b | test.rs:48:14:48:30 | MyStruct {...} | test.rs:51:14:51:14 | b | $@ | test.rs:48:14:48:30 | MyStruct {...} | MyStruct {...} |
+| test.rs:60:14:60:17 | ms.a | test.rs:58:14:58:15 | ms | test.rs:60:14:60:17 | ms.a | $@ | test.rs:58:14:58:15 | ms | ms |
+| test.rs:61:14:61:17 | ms.b | test.rs:58:14:58:15 | ms | test.rs:61:14:61:17 | ms.b | $@ | test.rs:58:14:58:15 | ms | ms |
 | test.rs:70:14:70:14 | a | test.rs:68:15:68:15 | a | test.rs:70:14:70:14 | a | $@ | test.rs:68:15:68:15 | a | a |
 | test.rs:101:14:101:23 | a.as_str() | test.rs:139:41:139:42 | to | test.rs:101:14:101:23 | a.as_str() | $@ | test.rs:139:41:139:42 | to | to |
 | test.rs:102:14:102:25 | a.as_bytes() | test.rs:139:41:139:42 | to | test.rs:102:14:102:25 | a.as_bytes() | $@ | test.rs:139:41:139:42 | to | to |
 | test.rs:103:14:103:14 | a | test.rs:139:41:139:42 | to | test.rs:103:14:103:14 | a | $@ | test.rs:139:41:139:42 | to | to |
 | test.rs:113:14:113:14 | a | test.rs:140:45:140:46 | to | test.rs:113:14:113:14 | a | $@ | test.rs:140:45:140:46 | to | to |
 | test.rs:114:14:114:14 | b | test.rs:140:45:140:46 | to | test.rs:114:14:114:14 | b | $@ | test.rs:140:45:140:46 | to | to |
+| test.rs:122:14:122:14 | a | test.rs:141:41:141:42 | to | test.rs:122:14:122:14 | a | $@ | test.rs:141:41:141:42 | to | to |
 | test.rs:132:14:132:14 | a | test.rs:127:5:127:20 | to | test.rs:132:14:132:14 | a | $@ | test.rs:127:5:127:20 | to | to |
 | test.rs:244:18:244:18 | a | test.rs:242:33:242:35 | map | test.rs:244:18:244:18 | a | $@ | test.rs:242:33:242:35 | map | map |
 | test.rs:252:22:252:22 | a | test.rs:250:46:250:49 | then | test.rs:252:22:252:22 | a | $@ | test.rs:250:46:250:49 | then | then |
--- a/rust/ql/test/library-tests/dataflow/sources/web_frameworks/test.rs
+++ b/rust/ql/test/library-tests/dataflow/sources/web_frameworks/test.rs
@@ -21,8 +21,8 @@ mod poem_test {
    fn my_poem_handler_2(
        Path((a, b)): Path<(String, String)>, // $ Alert[rust/summary/taint-sources]
    ) -> String {
-        sink(a); // $ MISSING: hasTaintFlow
-        sink(b); // $ MISSING: hasTaintFlow
+        sink(a); // $ hasTaintFlow
+        sink(b); // $ hasTaintFlow

        "".to_string()
    }
@@ -47,8 +47,8 @@ mod poem_test {
    fn my_poem_handler_4(
        Path(MyStruct { a, b }): Path<MyStruct>, // $ Alert[rust/summary/taint-sources]
    ) -> String {
-        sink(a); // $ MISSING: hasTaintFlow
-        sink(b); // $ MISSING: hasTaintFlow
+        sink(a); // $ hasTaintFlow
+        sink(b); // $ hasTaintFlow

        "".to_string()
    }
@@ -57,8 +57,8 @@ mod poem_test {
    fn my_poem_handler_5(
        Path(ms): Path<MyStruct>, // $ Alert[rust/summary/taint-sources]
    ) -> String {
-        sink(ms.a); // $ MISSING: hasTaintFlow
-        sink(ms.b); // $ MISSING: hasTaintFlow
+        sink(ms.a); // $ hasTaintFlow
+        sink(ms.b); // $ hasTaintFlow

        "".to_string()
    }
@@ -119,7 +119,7 @@ mod actix_test {
    async fn my_actix_handler_3(
        web::Query(a): web::Query<String>,
    ) -> String {
-        sink(a); // $ MISSING: hasTaintFlow
+        sink(a); // $ hasTaintFlow=my_actix_handler_3

        "".to_string()
    }
--- a/rust/ql/test/library-tests/type-inference/CONSISTENCY/PathResolutionConsistency.expected
+++ b/rust/ql/test/library-tests/type-inference/CONSISTENCY/PathResolutionConsistency.expected
@@ -30,5 +30,6 @@ multipleResolvedTargets
 | main.rs:2642:13:2642:31 | ...::from(...) |
 | main.rs:2643:13:2643:31 | ...::from(...) |
 | main.rs:2644:13:2644:31 | ...::from(...) |
+| main.rs:3067:13:3067:17 | x.f() |
 | pattern_matching.rs:273:13:273:27 | * ... |
 | pattern_matching.rs:273:14:273:27 | * ... |
--- a/rust/ql/test/library-tests/type-inference/main.rs
+++ b/rust/ql/test/library-tests/type-inference/main.rs
@@ -3036,6 +3036,39 @@ mod context_typed {
    }
 }

+mod literal_overlap {
+    trait MyTrait {
+        fn f(self) -> Self;
+    }
+
+    impl MyTrait for i32 {
+        // i32f
+        fn f(self) -> Self {
+            self
+        }
+    }
+
+    impl MyTrait for usize {
+        // usizef
+        fn f(self) -> Self {
+            self
+        }
+    }
+
+    impl<T> MyTrait for &T {
+        // Reff
+        fn f(self) -> Self {
+            self
+        }
+    }
+
+    pub fn f() -> usize {
+        let mut x = 0;
+        x = x.f(); // $ target=usizef $ SPURIOUS: target=i32f
+        x
+    }
+}
+
 mod blanket_impl;
 mod closure;
 mod dereference;
--- a/rust/ql/test/library-tests/type-inference/type-inference.expected
+++ b/rust/ql/test/library-tests/type-inference/type-inference.expected
@@ -3529,48 +3529,62 @@ inferCertainType
 | main.rs:3032:9:3032:9 | x | A | {EXTERNAL LOCATION} | Global |
 | main.rs:3035:9:3035:9 | x |  | {EXTERNAL LOCATION} | Vec |
 | main.rs:3035:9:3035:9 | x | A | {EXTERNAL LOCATION} | Global |
-| main.rs:3044:11:3079:1 | { ... } |  | {EXTERNAL LOCATION} | () |
-| main.rs:3045:5:3045:21 | ...::f(...) |  | {EXTERNAL LOCATION} | () |
-| main.rs:3046:5:3046:20 | ...::f(...) |  | main.rs:72:5:72:21 | Foo |
-| main.rs:3047:5:3047:60 | ...::g(...) |  | main.rs:72:5:72:21 | Foo |
-| main.rs:3047:20:3047:38 | ...::Foo {...} |  | main.rs:72:5:72:21 | Foo |
-| main.rs:3047:41:3047:59 | ...::Foo {...} |  | main.rs:72:5:72:21 | Foo |
-| main.rs:3048:5:3048:35 | ...::f(...) |  | {EXTERNAL LOCATION} | () |
-| main.rs:3049:5:3049:41 | ...::f(...) |  | {EXTERNAL LOCATION} | () |
-| main.rs:3050:5:3050:45 | ...::test(...) |  | {EXTERNAL LOCATION} | () |
-| main.rs:3051:5:3051:30 | ...::f(...) |  | {EXTERNAL LOCATION} | () |
-| main.rs:3052:5:3052:33 | ...::f(...) |  | {EXTERNAL LOCATION} | () |
-| main.rs:3053:5:3053:21 | ...::f(...) |  | {EXTERNAL LOCATION} | () |
-| main.rs:3054:5:3054:27 | ...::f(...) |  | {EXTERNAL LOCATION} | () |
-| main.rs:3055:5:3055:32 | ...::f(...) |  | {EXTERNAL LOCATION} | () |
-| main.rs:3056:5:3056:23 | ...::f(...) |  | {EXTERNAL LOCATION} | () |
-| main.rs:3057:5:3057:36 | ...::f(...) |  | {EXTERNAL LOCATION} | () |
-| main.rs:3058:5:3058:35 | ...::f(...) |  | {EXTERNAL LOCATION} | () |
-| main.rs:3059:5:3059:29 | ...::f(...) |  | {EXTERNAL LOCATION} | () |
-| main.rs:3060:5:3060:23 | ...::f(...) |  | {EXTERNAL LOCATION} | () |
-| main.rs:3061:5:3061:24 | ...::f(...) |  | {EXTERNAL LOCATION} | () |
-| main.rs:3062:5:3062:17 | ...::f(...) |  | {EXTERNAL LOCATION} | () |
-| main.rs:3063:5:3063:18 | ...::f(...) |  | {EXTERNAL LOCATION} | () |
-| main.rs:3064:5:3064:15 | ...::f(...) |  | {EXTERNAL LOCATION} | dyn Future |
-| main.rs:3064:5:3064:15 | ...::f(...) | dyn(Output) | {EXTERNAL LOCATION} | () |
-| main.rs:3065:5:3065:19 | ...::f(...) |  | {EXTERNAL LOCATION} | () |
-| main.rs:3066:5:3066:17 | ...::f(...) |  | {EXTERNAL LOCATION} | () |
-| main.rs:3067:5:3067:14 | ...::f(...) |  | {EXTERNAL LOCATION} | () |
-| main.rs:3068:5:3068:27 | ...::f(...) |  | {EXTERNAL LOCATION} | () |
-| main.rs:3069:5:3069:15 | ...::f(...) |  | {EXTERNAL LOCATION} | () |
-| main.rs:3070:5:3070:43 | ...::f(...) |  | {EXTERNAL LOCATION} | () |
-| main.rs:3071:5:3071:15 | ...::f(...) |  | {EXTERNAL LOCATION} | () |
-| main.rs:3072:5:3072:17 | ...::f(...) |  | {EXTERNAL LOCATION} | () |
-| main.rs:3073:5:3073:23 | ...::test(...) |  | {EXTERNAL LOCATION} | () |
-| main.rs:3074:5:3074:41 | ...::test_all_patterns(...) |  | {EXTERNAL LOCATION} | () |
-| main.rs:3075:5:3075:49 | ...::box_patterns(...) |  | {EXTERNAL LOCATION} | () |
-| main.rs:3076:5:3076:20 | ...::test(...) |  | {EXTERNAL LOCATION} | () |
-| main.rs:3077:5:3077:20 | ...::f(...) |  | {EXTERNAL LOCATION} | Box |
-| main.rs:3077:5:3077:20 | ...::f(...) | A | {EXTERNAL LOCATION} | Global |
-| main.rs:3077:5:3077:20 | ...::f(...) | T | main.rs:2897:5:2899:5 | dyn MyTrait |
-| main.rs:3077:5:3077:20 | ...::f(...) | T.dyn(T) | {EXTERNAL LOCATION} | i32 |
-| main.rs:3077:16:3077:19 | true |  | {EXTERNAL LOCATION} | bool |
-| main.rs:3078:5:3078:23 | ...::f(...) |  | {EXTERNAL LOCATION} | () |
+| main.rs:3041:14:3041:17 | SelfParam |  | main.rs:3040:5:3042:5 | Self [trait MyTrait] |
+| main.rs:3046:14:3046:17 | SelfParam |  | {EXTERNAL LOCATION} | i32 |
+| main.rs:3046:28:3048:9 | { ... } |  | {EXTERNAL LOCATION} | i32 |
+| main.rs:3047:13:3047:16 | self |  | {EXTERNAL LOCATION} | i32 |
+| main.rs:3053:14:3053:17 | SelfParam |  | {EXTERNAL LOCATION} | usize |
+| main.rs:3053:28:3055:9 | { ... } |  | {EXTERNAL LOCATION} | usize |
+| main.rs:3054:13:3054:16 | self |  | {EXTERNAL LOCATION} | usize |
+| main.rs:3060:14:3060:17 | SelfParam |  | {EXTERNAL LOCATION} | & |
+| main.rs:3060:14:3060:17 | SelfParam | TRef | main.rs:3058:10:3058:10 | T |
+| main.rs:3060:28:3062:9 | { ... } |  | {EXTERNAL LOCATION} | & |
+| main.rs:3060:28:3062:9 | { ... } | TRef | main.rs:3058:10:3058:10 | T |
+| main.rs:3061:13:3061:16 | self |  | {EXTERNAL LOCATION} | & |
+| main.rs:3061:13:3061:16 | self | TRef | main.rs:3058:10:3058:10 | T |
+| main.rs:3065:25:3069:5 | { ... } |  | {EXTERNAL LOCATION} | usize |
+| main.rs:3077:11:3112:1 | { ... } |  | {EXTERNAL LOCATION} | () |
+| main.rs:3078:5:3078:21 | ...::f(...) |  | {EXTERNAL LOCATION} | () |
+| main.rs:3079:5:3079:20 | ...::f(...) |  | main.rs:72:5:72:21 | Foo |
+| main.rs:3080:5:3080:60 | ...::g(...) |  | main.rs:72:5:72:21 | Foo |
+| main.rs:3080:20:3080:38 | ...::Foo {...} |  | main.rs:72:5:72:21 | Foo |
+| main.rs:3080:41:3080:59 | ...::Foo {...} |  | main.rs:72:5:72:21 | Foo |
+| main.rs:3081:5:3081:35 | ...::f(...) |  | {EXTERNAL LOCATION} | () |
+| main.rs:3082:5:3082:41 | ...::f(...) |  | {EXTERNAL LOCATION} | () |
+| main.rs:3083:5:3083:45 | ...::test(...) |  | {EXTERNAL LOCATION} | () |
+| main.rs:3084:5:3084:30 | ...::f(...) |  | {EXTERNAL LOCATION} | () |
+| main.rs:3085:5:3085:33 | ...::f(...) |  | {EXTERNAL LOCATION} | () |
+| main.rs:3086:5:3086:21 | ...::f(...) |  | {EXTERNAL LOCATION} | () |
+| main.rs:3087:5:3087:27 | ...::f(...) |  | {EXTERNAL LOCATION} | () |
+| main.rs:3088:5:3088:32 | ...::f(...) |  | {EXTERNAL LOCATION} | () |
+| main.rs:3089:5:3089:23 | ...::f(...) |  | {EXTERNAL LOCATION} | () |
+| main.rs:3090:5:3090:36 | ...::f(...) |  | {EXTERNAL LOCATION} | () |
+| main.rs:3091:5:3091:35 | ...::f(...) |  | {EXTERNAL LOCATION} | () |
+| main.rs:3092:5:3092:29 | ...::f(...) |  | {EXTERNAL LOCATION} | () |
+| main.rs:3093:5:3093:23 | ...::f(...) |  | {EXTERNAL LOCATION} | () |
+| main.rs:3094:5:3094:24 | ...::f(...) |  | {EXTERNAL LOCATION} | () |
+| main.rs:3095:5:3095:17 | ...::f(...) |  | {EXTERNAL LOCATION} | () |
+| main.rs:3096:5:3096:18 | ...::f(...) |  | {EXTERNAL LOCATION} | () |
+| main.rs:3097:5:3097:15 | ...::f(...) |  | {EXTERNAL LOCATION} | dyn Future |
+| main.rs:3097:5:3097:15 | ...::f(...) | dyn(Output) | {EXTERNAL LOCATION} | () |
+| main.rs:3098:5:3098:19 | ...::f(...) |  | {EXTERNAL LOCATION} | () |
+| main.rs:3099:5:3099:17 | ...::f(...) |  | {EXTERNAL LOCATION} | () |
+| main.rs:3100:5:3100:14 | ...::f(...) |  | {EXTERNAL LOCATION} | () |
+| main.rs:3101:5:3101:27 | ...::f(...) |  | {EXTERNAL LOCATION} | () |
+| main.rs:3102:5:3102:15 | ...::f(...) |  | {EXTERNAL LOCATION} | () |
+| main.rs:3103:5:3103:43 | ...::f(...) |  | {EXTERNAL LOCATION} | () |
+| main.rs:3104:5:3104:15 | ...::f(...) |  | {EXTERNAL LOCATION} | () |
+| main.rs:3105:5:3105:17 | ...::f(...) |  | {EXTERNAL LOCATION} | () |
+| main.rs:3106:5:3106:23 | ...::test(...) |  | {EXTERNAL LOCATION} | () |
+| main.rs:3107:5:3107:41 | ...::test_all_patterns(...) |  | {EXTERNAL LOCATION} | () |
+| main.rs:3108:5:3108:49 | ...::box_patterns(...) |  | {EXTERNAL LOCATION} | () |
+| main.rs:3109:5:3109:20 | ...::test(...) |  | {EXTERNAL LOCATION} | () |
+| main.rs:3110:5:3110:20 | ...::f(...) |  | {EXTERNAL LOCATION} | Box |
+| main.rs:3110:5:3110:20 | ...::f(...) | A | {EXTERNAL LOCATION} | Global |
+| main.rs:3110:5:3110:20 | ...::f(...) | T | main.rs:2897:5:2899:5 | dyn MyTrait |
+| main.rs:3110:5:3110:20 | ...::f(...) | T.dyn(T) | {EXTERNAL LOCATION} | i32 |
+| main.rs:3110:16:3110:19 | true |  | {EXTERNAL LOCATION} | bool |
+| main.rs:3111:5:3111:23 | ...::f(...) |  | {EXTERNAL LOCATION} | () |
 | pattern_matching.rs:13:26:133:1 | { ... } |  | {EXTERNAL LOCATION} | Option |
 | pattern_matching.rs:13:26:133:1 | { ... } | T | {EXTERNAL LOCATION} | () |
 | pattern_matching.rs:15:5:18:5 | if ... {...} |  | {EXTERNAL LOCATION} | () |
@@ -10983,48 +10997,75 @@ inferType
 | main.rs:3035:9:3035:9 | x | T | {EXTERNAL LOCATION} | i32 |
 | main.rs:3035:9:3035:17 | x.push(...) |  | {EXTERNAL LOCATION} | () |
 | main.rs:3035:16:3035:16 | y |  | {EXTERNAL LOCATION} | i32 |
-| main.rs:3044:11:3079:1 | { ... } |  | {EXTERNAL LOCATION} | () |
-| main.rs:3045:5:3045:21 | ...::f(...) |  | {EXTERNAL LOCATION} | () |
-| main.rs:3046:5:3046:20 | ...::f(...) |  | main.rs:72:5:72:21 | Foo |
-| main.rs:3047:5:3047:60 | ...::g(...) |  | main.rs:72:5:72:21 | Foo |
-| main.rs:3047:20:3047:38 | ...::Foo {...} |  | main.rs:72:5:72:21 | Foo |
-| main.rs:3047:41:3047:59 | ...::Foo {...} |  | main.rs:72:5:72:21 | Foo |
-| main.rs:3048:5:3048:35 | ...::f(...) |  | {EXTERNAL LOCATION} | () |
-| main.rs:3049:5:3049:41 | ...::f(...) |  | {EXTERNAL LOCATION} | () |
-| main.rs:3050:5:3050:45 | ...::test(...) |  | {EXTERNAL LOCATION} | () |
-| main.rs:3051:5:3051:30 | ...::f(...) |  | {EXTERNAL LOCATION} | () |
-| main.rs:3052:5:3052:33 | ...::f(...) |  | {EXTERNAL LOCATION} | () |
-| main.rs:3053:5:3053:21 | ...::f(...) |  | {EXTERNAL LOCATION} | () |
-| main.rs:3054:5:3054:27 | ...::f(...) |  | {EXTERNAL LOCATION} | () |
-| main.rs:3055:5:3055:32 | ...::f(...) |  | {EXTERNAL LOCATION} | () |
-| main.rs:3056:5:3056:23 | ...::f(...) |  | {EXTERNAL LOCATION} | () |
-| main.rs:3057:5:3057:36 | ...::f(...) |  | {EXTERNAL LOCATION} | () |
-| main.rs:3058:5:3058:35 | ...::f(...) |  | {EXTERNAL LOCATION} | () |
-| main.rs:3059:5:3059:29 | ...::f(...) |  | {EXTERNAL LOCATION} | () |
-| main.rs:3060:5:3060:23 | ...::f(...) |  | {EXTERNAL LOCATION} | () |
-| main.rs:3061:5:3061:24 | ...::f(...) |  | {EXTERNAL LOCATION} | () |
-| main.rs:3062:5:3062:17 | ...::f(...) |  | {EXTERNAL LOCATION} | () |
-| main.rs:3063:5:3063:18 | ...::f(...) |  | {EXTERNAL LOCATION} | () |
-| main.rs:3064:5:3064:15 | ...::f(...) |  | {EXTERNAL LOCATION} | dyn Future |
-| main.rs:3064:5:3064:15 | ...::f(...) | dyn(Output) | {EXTERNAL LOCATION} | () |
-| main.rs:3065:5:3065:19 | ...::f(...) |  | {EXTERNAL LOCATION} | () |
-| main.rs:3066:5:3066:17 | ...::f(...) |  | {EXTERNAL LOCATION} | () |
-| main.rs:3067:5:3067:14 | ...::f(...) |  | {EXTERNAL LOCATION} | () |
-| main.rs:3068:5:3068:27 | ...::f(...) |  | {EXTERNAL LOCATION} | () |
-| main.rs:3069:5:3069:15 | ...::f(...) |  | {EXTERNAL LOCATION} | () |
-| main.rs:3070:5:3070:43 | ...::f(...) |  | {EXTERNAL LOCATION} | () |
-| main.rs:3071:5:3071:15 | ...::f(...) |  | {EXTERNAL LOCATION} | () |
-| main.rs:3072:5:3072:17 | ...::f(...) |  | {EXTERNAL LOCATION} | () |
-| main.rs:3073:5:3073:23 | ...::test(...) |  | {EXTERNAL LOCATION} | () |
-| main.rs:3074:5:3074:41 | ...::test_all_patterns(...) |  | {EXTERNAL LOCATION} | () |
-| main.rs:3075:5:3075:49 | ...::box_patterns(...) |  | {EXTERNAL LOCATION} | () |
-| main.rs:3076:5:3076:20 | ...::test(...) |  | {EXTERNAL LOCATION} | () |
-| main.rs:3077:5:3077:20 | ...::f(...) |  | {EXTERNAL LOCATION} | Box |
-| main.rs:3077:5:3077:20 | ...::f(...) | A | {EXTERNAL LOCATION} | Global |
-| main.rs:3077:5:3077:20 | ...::f(...) | T | main.rs:2897:5:2899:5 | dyn MyTrait |
-| main.rs:3077:5:3077:20 | ...::f(...) | T.dyn(T) | {EXTERNAL LOCATION} | i32 |
-| main.rs:3077:16:3077:19 | true |  | {EXTERNAL LOCATION} | bool |
-| main.rs:3078:5:3078:23 | ...::f(...) |  | {EXTERNAL LOCATION} | () |
+| main.rs:3041:14:3041:17 | SelfParam |  | main.rs:3040:5:3042:5 | Self [trait MyTrait] |
+| main.rs:3046:14:3046:17 | SelfParam |  | {EXTERNAL LOCATION} | i32 |
+| main.rs:3046:28:3048:9 | { ... } |  | {EXTERNAL LOCATION} | i32 |
+| main.rs:3047:13:3047:16 | self |  | {EXTERNAL LOCATION} | i32 |
+| main.rs:3053:14:3053:17 | SelfParam |  | {EXTERNAL LOCATION} | usize |
+| main.rs:3053:28:3055:9 | { ... } |  | {EXTERNAL LOCATION} | usize |
+| main.rs:3054:13:3054:16 | self |  | {EXTERNAL LOCATION} | usize |
+| main.rs:3060:14:3060:17 | SelfParam |  | {EXTERNAL LOCATION} | & |
+| main.rs:3060:14:3060:17 | SelfParam | TRef | main.rs:3058:10:3058:10 | T |
+| main.rs:3060:28:3062:9 | { ... } |  | {EXTERNAL LOCATION} | & |
+| main.rs:3060:28:3062:9 | { ... } | TRef | main.rs:3058:10:3058:10 | T |
+| main.rs:3061:13:3061:16 | self |  | {EXTERNAL LOCATION} | & |
+| main.rs:3061:13:3061:16 | self | TRef | main.rs:3058:10:3058:10 | T |
+| main.rs:3065:25:3069:5 | { ... } |  | {EXTERNAL LOCATION} | usize |
+| main.rs:3066:17:3066:17 | x |  | {EXTERNAL LOCATION} | i32 |
+| main.rs:3066:17:3066:17 | x |  | {EXTERNAL LOCATION} | usize |
+| main.rs:3066:21:3066:21 | 0 |  | {EXTERNAL LOCATION} | i32 |
+| main.rs:3066:21:3066:21 | 0 |  | {EXTERNAL LOCATION} | usize |
+| main.rs:3067:9:3067:9 | x |  | {EXTERNAL LOCATION} | i32 |
+| main.rs:3067:9:3067:9 | x |  | {EXTERNAL LOCATION} | usize |
+| main.rs:3067:9:3067:17 | ... = ... |  | {EXTERNAL LOCATION} | () |
+| main.rs:3067:13:3067:13 | x |  | {EXTERNAL LOCATION} | i32 |
+| main.rs:3067:13:3067:13 | x |  | {EXTERNAL LOCATION} | usize |
+| main.rs:3067:13:3067:17 | x.f() |  | {EXTERNAL LOCATION} | i32 |
+| main.rs:3067:13:3067:17 | x.f() |  | {EXTERNAL LOCATION} | usize |
+| main.rs:3068:9:3068:9 | x |  | {EXTERNAL LOCATION} | i32 |
+| main.rs:3068:9:3068:9 | x |  | {EXTERNAL LOCATION} | usize |
+| main.rs:3077:11:3112:1 | { ... } |  | {EXTERNAL LOCATION} | () |
+| main.rs:3078:5:3078:21 | ...::f(...) |  | {EXTERNAL LOCATION} | () |
+| main.rs:3079:5:3079:20 | ...::f(...) |  | main.rs:72:5:72:21 | Foo |
+| main.rs:3080:5:3080:60 | ...::g(...) |  | main.rs:72:5:72:21 | Foo |
+| main.rs:3080:20:3080:38 | ...::Foo {...} |  | main.rs:72:5:72:21 | Foo |
+| main.rs:3080:41:3080:59 | ...::Foo {...} |  | main.rs:72:5:72:21 | Foo |
+| main.rs:3081:5:3081:35 | ...::f(...) |  | {EXTERNAL LOCATION} | () |
+| main.rs:3082:5:3082:41 | ...::f(...) |  | {EXTERNAL LOCATION} | () |
+| main.rs:3083:5:3083:45 | ...::test(...) |  | {EXTERNAL LOCATION} | () |
+| main.rs:3084:5:3084:30 | ...::f(...) |  | {EXTERNAL LOCATION} | () |
+| main.rs:3085:5:3085:33 | ...::f(...) |  | {EXTERNAL LOCATION} | () |
+| main.rs:3086:5:3086:21 | ...::f(...) |  | {EXTERNAL LOCATION} | () |
+| main.rs:3087:5:3087:27 | ...::f(...) |  | {EXTERNAL LOCATION} | () |
+| main.rs:3088:5:3088:32 | ...::f(...) |  | {EXTERNAL LOCATION} | () |
+| main.rs:3089:5:3089:23 | ...::f(...) |  | {EXTERNAL LOCATION} | () |
+| main.rs:3090:5:3090:36 | ...::f(...) |  | {EXTERNAL LOCATION} | () |
+| main.rs:3091:5:3091:35 | ...::f(...) |  | {EXTERNAL LOCATION} | () |
+| main.rs:3092:5:3092:29 | ...::f(...) |  | {EXTERNAL LOCATION} | () |
+| main.rs:3093:5:3093:23 | ...::f(...) |  | {EXTERNAL LOCATION} | () |
+| main.rs:3094:5:3094:24 | ...::f(...) |  | {EXTERNAL LOCATION} | () |
+| main.rs:3095:5:3095:17 | ...::f(...) |  | {EXTERNAL LOCATION} | () |
+| main.rs:3096:5:3096:18 | ...::f(...) |  | {EXTERNAL LOCATION} | () |
+| main.rs:3097:5:3097:15 | ...::f(...) |  | {EXTERNAL LOCATION} | dyn Future |
+| main.rs:3097:5:3097:15 | ...::f(...) | dyn(Output) | {EXTERNAL LOCATION} | () |
+| main.rs:3098:5:3098:19 | ...::f(...) |  | {EXTERNAL LOCATION} | () |
+| main.rs:3099:5:3099:17 | ...::f(...) |  | {EXTERNAL LOCATION} | () |
+| main.rs:3100:5:3100:14 | ...::f(...) |  | {EXTERNAL LOCATION} | () |
+| main.rs:3101:5:3101:27 | ...::f(...) |  | {EXTERNAL LOCATION} | () |
+| main.rs:3102:5:3102:15 | ...::f(...) |  | {EXTERNAL LOCATION} | () |
+| main.rs:3103:5:3103:43 | ...::f(...) |  | {EXTERNAL LOCATION} | () |
+| main.rs:3104:5:3104:15 | ...::f(...) |  | {EXTERNAL LOCATION} | () |
+| main.rs:3105:5:3105:17 | ...::f(...) |  | {EXTERNAL LOCATION} | () |
+| main.rs:3106:5:3106:23 | ...::test(...) |  | {EXTERNAL LOCATION} | () |
+| main.rs:3107:5:3107:41 | ...::test_all_patterns(...) |  | {EXTERNAL LOCATION} | () |
+| main.rs:3108:5:3108:49 | ...::box_patterns(...) |  | {EXTERNAL LOCATION} | () |
+| main.rs:3109:5:3109:20 | ...::test(...) |  | {EXTERNAL LOCATION} | () |
+| main.rs:3110:5:3110:20 | ...::f(...) |  | {EXTERNAL LOCATION} | Box |
+| main.rs:3110:5:3110:20 | ...::f(...) | A | {EXTERNAL LOCATION} | Global |
+| main.rs:3110:5:3110:20 | ...::f(...) | T | main.rs:2897:5:2899:5 | dyn MyTrait |
+| main.rs:3110:5:3110:20 | ...::f(...) | T.dyn(T) | {EXTERNAL LOCATION} | i32 |
+| main.rs:3110:16:3110:19 | true |  | {EXTERNAL LOCATION} | bool |
+| main.rs:3111:5:3111:23 | ...::f(...) |  | {EXTERNAL LOCATION} | () |
 | pattern_matching.rs:13:26:133:1 | { ... } |  | {EXTERNAL LOCATION} | Option |
 | pattern_matching.rs:13:26:133:1 | { ... } | T | {EXTERNAL LOCATION} | () |
 | pattern_matching.rs:14:9:14:13 | value |  | {EXTERNAL LOCATION} | Option |
--- a/rust/ql/test/query-tests/security/CWE-327/BrokenCryptoAlgorithm/Cargo.lock
+++ b/rust/ql/test/query-tests/security/CWE-327/BrokenCryptoAlgorithm/Cargo.lock
@@ -76,6 +76,15 @@ dependencies = [
 "cipher",
 ]

+[[package]]
+name = "ecb"
+version = "0.1.2"
+source = "registry+https://github.com/rust-lang/crates.io-index"
+checksum = "1a8bfa975b1aec2145850fcaa1c6fe269a16578c44705a532ae3edc92b8881c7"
+dependencies = [
+ "cipher",
+]
+
 [[package]]
 name = "generic-array"
 version = "0.14.7"
@@ -146,6 +155,7 @@ dependencies = [
 "cbc",
 "cipher",
 "des",
+ "ecb",
 "rabbit",
 "rc2",
 "rc4",
--- a/rust/ql/test/query-tests/security/CWE-327/BrokenCryptoAlgorithm/options.yml
+++ b/rust/ql/test/query-tests/security/CWE-327/BrokenCryptoAlgorithm/options.yml
@@ -8,3 +8,4 @@ qltest_dependencies:
    - rc2 = { version = "0.8.1" }
    - rc5 = { version = "0.0.1" }
    - cbc = { version = "0.1.2" }
+    - ecb = { version = "0.1.2" }
--- a/rust/ql/test/query-tests/security/CWE-327/BrokenCryptoAlgorithm/test_cipher.rs
+++ b/rust/ql/test/query-tests/security/CWE-327/BrokenCryptoAlgorithm/test_cipher.rs
@@ -145,3 +145,33 @@ fn test_cbc(
    let des_cipher4 = cbc::Encryptor::<des::Des>::new(key.into(), iv.into()); // $ MISSING: Alert[rust/weak-cryptographic-algorithm]
    _ = des_cipher4.encrypt_padded_b2b_mut::<des::cipher::block_padding::Pkcs7>(input, data).unwrap();
 }
+
+type MyAesEcbEncryptor = ecb::Encryptor<aes::Aes128>;
+
+fn test_ecb(
+    key: &[u8], key128: &[u8;16],
+    input: &[u8], data: &mut [u8]
+) {
+    let data_len = data.len();
+
+    // aes with ECB (weak block mode)
+    let aes_cipher1 = ecb::Encryptor::<aes::Aes128>::new(key128.into()); // $ MISSING: Alert[rust/weak-cryptographic-algorithm]
+    _ = aes_cipher1.encrypt_padded_mut::<aes::cipher::block_padding::Pkcs7>(data, data_len).unwrap();
+
+    let aes_cipher2 = MyAesEcbEncryptor::new(key.into()); // $ MISSING: Alert[rust/weak-cryptographic-algorithm]
+    _ = aes_cipher2.encrypt_padded_mut::<aes::cipher::block_padding::Pkcs7>(data, data_len).unwrap();
+
+    let aes_cipher3 = ecb::Encryptor::<aes::Aes128>::new_from_slice(&key).unwrap(); // $ MISSING: Alert[rust/weak-cryptographic-algorithm]
+    _ = aes_cipher3.encrypt_padded_mut::<aes::cipher::block_padding::Pkcs7>(data, data_len).unwrap();
+
+    let aes_cipher4 = ecb::Encryptor::<aes::Aes128>::new(key.into()); // $ MISSING: Alert[rust/weak-cryptographic-algorithm]
+    _ = aes_cipher4.encrypt_padded_b2b_mut::<aes::cipher::block_padding::Pkcs7>(input, data).unwrap();
+
+    // des with ECB (broken cipher + weak block mode)
+    let des_cipher1 = ecb::Encryptor::<des::Des>::new(key.into()); // $ MISSING: Alert[rust/weak-cryptographic-algorithm]
+    _ = des_cipher1.encrypt_padded_mut::<des::cipher::block_padding::Pkcs7>(data, data_len).unwrap();
+
+    // rc2 with ECB (broken cipher + weak block mode)
+    let rc2_cipher1 = ecb::Encryptor::<rc2::Rc2>::new(key.into()); // $ MISSING: Alert[rust/weak-cryptographic-algorithm]
+    _ = rc2_cipher1.encrypt_padded_mut::<rc2::cipher::block_padding::Pkcs7>(data, data_len).unwrap();
+}
--- a/rust/ql/test/query-tests/security/CWE-825/AccessAfterLifetime.expected
+++ b/rust/ql/test/query-tests/security/CWE-825/AccessAfterLifetime.expected
@@ -27,24 +27,6 @@ edges
 | deallocation.rs:242:6:242:7 | p1 | deallocation.rs:245:14:245:15 | p1 | provenance |  |
 | deallocation.rs:242:6:242:7 | p1 | deallocation.rs:252:14:252:15 | p1 | provenance |  |
 | deallocation.rs:242:30:242:38 | &raw const my_buffer | deallocation.rs:242:6:242:7 | p1 | provenance |  |
-| deallocation.rs:322:28:322:43 | ...: ... | deallocation.rs:324:18:324:20 | ptr | provenance |  |
-| deallocation.rs:334:27:334:42 | ...: ... | deallocation.rs:342:18:342:20 | ptr | provenance |  |
-| deallocation.rs:351:7:351:10 | ptr1 | deallocation.rs:354:4:354:7 | ptr1 | provenance |  |
-| deallocation.rs:351:7:351:10 | ptr1 | deallocation.rs:354:4:354:7 | ptr1 | provenance |  |
-| deallocation.rs:351:14:351:33 | &raw mut ... | deallocation.rs:351:7:351:10 | ptr1 | provenance |  |
-| deallocation.rs:352:7:352:10 | ptr2 | deallocation.rs:355:4:355:7 | ptr2 | provenance |  |
-| deallocation.rs:352:7:352:10 | ptr2 | deallocation.rs:355:4:355:7 | ptr2 | provenance |  |
-| deallocation.rs:352:14:352:33 | &raw mut ... | deallocation.rs:352:7:352:10 | ptr2 | provenance |  |
-| deallocation.rs:354:4:354:7 | ptr1 | deallocation.rs:357:27:357:30 | ptr1 | provenance |  |
-| deallocation.rs:355:4:355:7 | ptr2 | deallocation.rs:359:26:359:29 | ptr2 | provenance |  |
-| deallocation.rs:357:27:357:30 | ptr1 | deallocation.rs:322:28:322:43 | ...: ... | provenance |  |
-| deallocation.rs:359:26:359:29 | ptr2 | deallocation.rs:334:27:334:42 | ...: ... | provenance |  |
-| deallocation.rs:370:6:370:9 | ptr1 | deallocation.rs:373:13:373:16 | ptr1 | provenance |  |
-| deallocation.rs:370:6:370:9 | ptr1 | deallocation.rs:381:13:381:16 | ptr1 | provenance |  |
-| deallocation.rs:370:13:370:28 | &raw mut ... | deallocation.rs:370:6:370:9 | ptr1 | provenance |  |
-| deallocation.rs:389:6:389:9 | ptr2 | deallocation.rs:392:13:392:16 | ptr2 | provenance |  |
-| deallocation.rs:389:6:389:9 | ptr2 | deallocation.rs:402:13:402:16 | ptr2 | provenance |  |
-| deallocation.rs:389:13:389:28 | &raw mut ... | deallocation.rs:389:6:389:9 | ptr2 | provenance |  |
 | lifetime.rs:21:2:21:18 | return ... | lifetime.rs:54:11:54:30 | get_local_dangling(...) | provenance |  |
 | lifetime.rs:21:9:21:18 | &my_local1 | lifetime.rs:21:2:21:18 | return ... | provenance |  |
 | lifetime.rs:27:2:27:22 | return ... | lifetime.rs:55:11:55:34 | get_local_dangling_mut(...) | provenance |  |
@@ -80,15 +62,6 @@ edges
 | lifetime.rs:94:7:94:16 | &my_local1 | lifetime.rs:94:2:94:3 | p3 | provenance |  |
 | lifetime.rs:119:15:119:24 | &my_local3 | lifetime.rs:91:17:91:30 | ...: ... | provenance |  |
 | lifetime.rs:119:27:119:44 | &mut my_local_mut4 | lifetime.rs:91:33:91:44 | ...: ... | provenance |  |
-| lifetime.rs:127:2:127:24 | return ... | lifetime.rs:139:11:139:21 | get_const(...) | provenance |  |
-| lifetime.rs:127:9:127:24 | &MY_GLOBAL_CONST | lifetime.rs:127:2:127:24 | return ... | provenance |  |
-| lifetime.rs:134:3:134:30 | return ... | lifetime.rs:140:11:140:26 | get_static_mut(...) | provenance |  |
-| lifetime.rs:134:10:134:30 | &mut MY_GLOBAL_STATIC | lifetime.rs:134:3:134:30 | return ... | provenance |  |
-| lifetime.rs:139:6:139:7 | p1 | lifetime.rs:147:14:147:15 | p1 | provenance |  |
-| lifetime.rs:139:11:139:21 | get_const(...) | lifetime.rs:139:6:139:7 | p1 | provenance |  |
-| lifetime.rs:140:6:140:7 | p2 | lifetime.rs:148:14:148:15 | p2 | provenance |  |
-| lifetime.rs:140:6:140:7 | p2 | lifetime.rs:154:5:154:6 | p2 | provenance |  |
-| lifetime.rs:140:11:140:26 | get_static_mut(...) | lifetime.rs:140:6:140:7 | p2 | provenance |  |
 | lifetime.rs:161:17:161:31 | ...: ... | lifetime.rs:164:13:164:15 | ptr | provenance |  |
 | lifetime.rs:169:17:169:31 | ...: ... | lifetime.rs:172:13:172:15 | ptr | provenance |  |
 | lifetime.rs:177:17:177:31 | ...: ... | lifetime.rs:180:13:180:15 | ptr | provenance |  |
@@ -106,7 +79,6 @@ edges
 | lifetime.rs:201:15:201:17 | ptr | lifetime.rs:177:17:177:31 | ...: ... | provenance |  |
 | lifetime.rs:206:19:206:36 | ...: ... | lifetime.rs:216:16:216:21 | ptr_up | provenance |  |
 | lifetime.rs:208:6:208:13 | ptr_ours | lifetime.rs:211:33:211:40 | ptr_ours | provenance |  |
-| lifetime.rs:208:6:208:13 | ptr_ours | lifetime.rs:217:18:217:25 | ptr_ours | provenance |  |
 | lifetime.rs:208:6:208:13 | ptr_ours | lifetime.rs:225:2:225:16 | return ptr_ours | provenance |  |
 | lifetime.rs:208:17:208:29 | &my_local_rec | lifetime.rs:208:6:208:13 | ptr_ours | provenance |  |
 | lifetime.rs:211:7:211:14 | ptr_down | lifetime.rs:218:18:218:25 | ptr_down | provenance |  |
@@ -141,6 +113,16 @@ edges
 | lifetime.rs:305:15:305:37 | get_pointer_from_enum(...) | lifetime.rs:305:6:305:11 | result | provenance |  |
 | lifetime.rs:313:10:313:29 | ...::Pointer(...) [Pointer] | lifetime.rs:313:27:313:28 | p2 | provenance |  |
 | lifetime.rs:313:27:313:28 | p2 | lifetime.rs:314:23:314:24 | p2 | provenance |  |
+| lifetime.rs:332:6:332:13 | mut ref1 | lifetime.rs:338:9:338:35 | ...::Pointer(...) | provenance |  |
+| lifetime.rs:332:17:332:22 | &enum1 | lifetime.rs:332:6:332:13 | mut ref1 | provenance |  |
+| lifetime.rs:336:3:336:6 | ref1 | lifetime.rs:338:9:338:35 | ...::Pointer(...) | provenance |  |
+| lifetime.rs:336:10:336:15 | &inner | lifetime.rs:336:3:336:6 | ref1 | provenance |  |
+| lifetime.rs:338:9:338:35 | ...::Pointer(...) | lifetime.rs:339:28:339:30 | ptr | provenance |  |
+| lifetime.rs:348:6:348:13 | mut ref1 | lifetime.rs:354:9:354:35 | ...::Pointer(...) | provenance |  |
+| lifetime.rs:348:17:348:22 | &enum1 | lifetime.rs:348:6:348:13 | mut ref1 | provenance |  |
+| lifetime.rs:352:3:352:6 | ref1 | lifetime.rs:354:9:354:35 | ...::Pointer(...) | provenance |  |
+| lifetime.rs:352:10:352:15 | &inner | lifetime.rs:352:3:352:6 | ref1 | provenance |  |
+| lifetime.rs:354:9:354:35 | ...::Pointer(...) | lifetime.rs:355:28:355:30 | ptr | provenance |  |
 | lifetime.rs:383:3:383:4 | p1 | lifetime.rs:388:15:388:16 | p1 | provenance |  |
 | lifetime.rs:383:3:383:4 | p1 | lifetime.rs:391:15:391:16 | p1 | provenance |  |
 | lifetime.rs:383:3:383:4 | p1 | lifetime.rs:399:6:399:7 | p1 | provenance |  |
@@ -150,41 +132,21 @@ edges
 | lifetime.rs:383:3:383:4 | p1 | lifetime.rs:428:7:428:8 | p1 | provenance |  |
 | lifetime.rs:383:3:383:4 | p1 | lifetime.rs:433:7:433:8 | p1 | provenance |  |
 | lifetime.rs:383:31:383:37 | &raw mut my_pair | lifetime.rs:383:3:383:4 | p1 | provenance |  |
-| lifetime.rs:384:3:384:4 | p2 | lifetime.rs:394:14:394:15 | p2 | provenance |  |
-| lifetime.rs:384:3:384:4 | p2 | lifetime.rs:421:15:421:16 | p2 | provenance |  |
-| lifetime.rs:384:27:384:35 | &raw const ... | lifetime.rs:384:3:384:4 | p2 | provenance |  |
-| lifetime.rs:385:3:385:4 | p3 | lifetime.rs:395:14:395:15 | p3 | provenance |  |
-| lifetime.rs:385:3:385:4 | p3 | lifetime.rs:400:5:400:6 | p3 | provenance |  |
-| lifetime.rs:385:3:385:4 | p3 | lifetime.rs:400:5:400:6 | p3 | provenance |  |
-| lifetime.rs:385:31:385:39 | &raw mut ... | lifetime.rs:385:3:385:4 | p3 | provenance |  |
-| lifetime.rs:400:5:400:6 | p3 | lifetime.rs:422:15:422:16 | p3 | provenance |  |
-| lifetime.rs:400:5:400:6 | p3 | lifetime.rs:429:6:429:7 | p3 | provenance |  |
 | lifetime.rs:442:6:442:7 | r1 | lifetime.rs:443:42:443:43 | r1 | provenance |  |
 | lifetime.rs:442:17:442:23 | &my_val | lifetime.rs:442:6:442:7 | r1 | provenance |  |
 | lifetime.rs:443:6:443:7 | p1 | lifetime.rs:446:13:446:14 | p1 | provenance |  |
 | lifetime.rs:443:6:443:7 | p1 | lifetime.rs:450:2:450:10 | return p1 | provenance |  |
 | lifetime.rs:443:23:443:44 | ...::from_ref(...) | lifetime.rs:443:6:443:7 | p1 | provenance |  |
-| lifetime.rs:443:42:443:43 | r1 | lifetime.rs:443:23:443:44 | ...::from_ref(...) | provenance | MaD:5 |
+| lifetime.rs:443:42:443:43 | r1 | lifetime.rs:443:23:443:44 | ...::from_ref(...) | provenance | MaD:3 |
 | lifetime.rs:450:2:450:10 | return p1 | lifetime.rs:454:11:454:29 | get_ptr_from_ref(...) | provenance |  |
 | lifetime.rs:450:2:450:10 | return p1 | lifetime.rs:460:13:460:31 | get_ptr_from_ref(...) | provenance |  |
 | lifetime.rs:454:6:454:7 | p1 | lifetime.rs:459:13:459:14 | p1 | provenance |  |
 | lifetime.rs:454:11:454:29 | get_ptr_from_ref(...) | lifetime.rs:454:6:454:7 | p1 | provenance |  |
 | lifetime.rs:568:7:568:8 | p2 | lifetime.rs:572:14:572:15 | p2 | provenance |  |
 | lifetime.rs:568:24:568:33 | &my_local2 | lifetime.rs:568:7:568:8 | p2 | provenance |  |
-| lifetime.rs:630:3:630:6 | str2 | lifetime.rs:633:15:633:18 | str2 | provenance |  |
-| lifetime.rs:630:3:630:6 | str2 | lifetime.rs:641:14:641:17 | str2 | provenance |  |
-| lifetime.rs:630:10:630:25 | &... | lifetime.rs:630:3:630:6 | str2 | provenance |  |
-| lifetime.rs:654:4:654:7 | str2 | lifetime.rs:655:22:655:25 | str2 | provenance |  |
-| lifetime.rs:654:11:654:35 | ... + ... | lifetime.rs:654:4:654:7 | str2 | provenance |  |
-| lifetime.rs:654:31:654:35 | &str1 | lifetime.rs:654:11:654:35 | ... + ... | provenance | MaD:2 |
-| lifetime.rs:654:31:654:35 | &str1 | lifetime.rs:654:11:654:35 | ... + ... | provenance | MaD:1 |
 | lifetime.rs:655:4:655:7 | ref1 | lifetime.rs:659:15:659:18 | ref1 | provenance |  |
 | lifetime.rs:655:4:655:7 | ref1 | lifetime.rs:667:14:667:17 | ref1 | provenance |  |
-| lifetime.rs:655:4:655:7 | ref1 [&ref] | lifetime.rs:659:15:659:18 | ref1 | provenance |  |
-| lifetime.rs:655:4:655:7 | ref1 [&ref] | lifetime.rs:667:14:667:17 | ref1 | provenance |  |
 | lifetime.rs:655:11:655:25 | &raw const str2 | lifetime.rs:655:4:655:7 | ref1 | provenance |  |
-| lifetime.rs:655:11:655:25 | &raw const str2 [&ref] | lifetime.rs:655:4:655:7 | ref1 [&ref] | provenance |  |
-| lifetime.rs:655:22:655:25 | str2 | lifetime.rs:655:11:655:25 | &raw const str2 [&ref] | provenance |  |
 | lifetime.rs:781:2:781:19 | return ... | lifetime.rs:785:11:785:41 | get_local_for_unsafe_function(...) | provenance |  |
 | lifetime.rs:781:9:781:19 | &my_local10 | lifetime.rs:781:2:781:19 | return ... | provenance |  |
 | lifetime.rs:785:6:785:7 | p1 | lifetime.rs:789:12:789:13 | p1 | provenance |  |
@@ -196,47 +158,23 @@ edges
 | main.rs:18:9:18:10 | p1 [&ref] | main.rs:21:19:21:20 | p1 | provenance |  |
 | main.rs:18:9:18:10 | p1 [&ref] | main.rs:29:19:29:20 | p1 | provenance |  |
 | main.rs:18:14:18:29 | ...::as_ptr(...) [&ref] | main.rs:18:9:18:10 | p1 [&ref] | provenance |  |
-| main.rs:18:26:18:28 | &b1 | main.rs:18:14:18:29 | ...::as_ptr(...) [&ref] | provenance | MaD:4 |
+| main.rs:18:26:18:28 | &b1 | main.rs:18:14:18:29 | ...::as_ptr(...) [&ref] | provenance | MaD:2 |
 | main.rs:44:9:44:10 | p2 [&ref] | main.rs:51:23:51:24 | p2 | provenance |  |
 | main.rs:44:9:44:10 | p2 [&ref] | main.rs:64:23:64:24 | p2 | provenance |  |
 | main.rs:44:14:44:29 | ...::as_ptr(...) [&ref] | main.rs:44:9:44:10 | p2 [&ref] | provenance |  |
-| main.rs:44:26:44:28 | &b2 | main.rs:44:14:44:29 | ...::as_ptr(...) [&ref] | provenance | MaD:4 |
+| main.rs:44:26:44:28 | &b2 | main.rs:44:14:44:29 | ...::as_ptr(...) [&ref] | provenance | MaD:2 |
 | main.rs:47:9:47:10 | p3 [&ref] | main.rs:52:23:52:24 | p3 | provenance |  |
 | main.rs:47:14:47:37 | ...::as_mut_ptr(...) [&ref] | main.rs:47:9:47:10 | p3 [&ref] | provenance |  |
-| main.rs:47:30:47:36 | &mut b3 | main.rs:47:14:47:37 | ...::as_mut_ptr(...) [&ref] | provenance | MaD:3 |
+| main.rs:47:30:47:36 | &mut b3 | main.rs:47:14:47:37 | ...::as_mut_ptr(...) [&ref] | provenance | MaD:1 |
 models
-| 1 | Summary: <_ as core::ops::arith::Add>::add; Argument[0].Reference; ReturnValue; taint |
-| 2 | Summary: <_ as core::ops::arith::Add>::add; Argument[0]; ReturnValue; taint |
-| 3 | Summary: <alloc::boxed::Box>::as_mut_ptr; Argument[0].Reference.Reference; ReturnValue.Reference; value |
-| 4 | Summary: <alloc::boxed::Box>::as_ptr; Argument[0].Reference.Reference; ReturnValue.Reference; value |
-| 5 | Summary: core::ptr::from_ref; Argument[0]; ReturnValue; value |
+| 1 | Summary: <alloc::boxed::Box>::as_mut_ptr; Argument[0].Reference.Reference; ReturnValue.Reference; value |
+| 2 | Summary: <alloc::boxed::Box>::as_ptr; Argument[0].Reference.Reference; ReturnValue.Reference; value |
+| 3 | Summary: core::ptr::from_ref; Argument[0]; ReturnValue; value |
 nodes
 | deallocation.rs:242:6:242:7 | p1 | semmle.label | p1 |
 | deallocation.rs:242:30:242:38 | &raw const my_buffer | semmle.label | &raw const my_buffer |
 | deallocation.rs:245:14:245:15 | p1 | semmle.label | p1 |
 | deallocation.rs:252:14:252:15 | p1 | semmle.label | p1 |
-| deallocation.rs:322:28:322:43 | ...: ... | semmle.label | ...: ... |
-| deallocation.rs:324:18:324:20 | ptr | semmle.label | ptr |
-| deallocation.rs:334:27:334:42 | ...: ... | semmle.label | ...: ... |
-| deallocation.rs:342:18:342:20 | ptr | semmle.label | ptr |
-| deallocation.rs:351:7:351:10 | ptr1 | semmle.label | ptr1 |
-| deallocation.rs:351:14:351:33 | &raw mut ... | semmle.label | &raw mut ... |
-| deallocation.rs:352:7:352:10 | ptr2 | semmle.label | ptr2 |
-| deallocation.rs:352:14:352:33 | &raw mut ... | semmle.label | &raw mut ... |
-| deallocation.rs:354:4:354:7 | ptr1 | semmle.label | ptr1 |
-| deallocation.rs:354:4:354:7 | ptr1 | semmle.label | ptr1 |
-| deallocation.rs:355:4:355:7 | ptr2 | semmle.label | ptr2 |
-| deallocation.rs:355:4:355:7 | ptr2 | semmle.label | ptr2 |
-| deallocation.rs:357:27:357:30 | ptr1 | semmle.label | ptr1 |
-| deallocation.rs:359:26:359:29 | ptr2 | semmle.label | ptr2 |
-| deallocation.rs:370:6:370:9 | ptr1 | semmle.label | ptr1 |
-| deallocation.rs:370:13:370:28 | &raw mut ... | semmle.label | &raw mut ... |
-| deallocation.rs:373:13:373:16 | ptr1 | semmle.label | ptr1 |
-| deallocation.rs:381:13:381:16 | ptr1 | semmle.label | ptr1 |
-| deallocation.rs:389:6:389:9 | ptr2 | semmle.label | ptr2 |
-| deallocation.rs:389:13:389:28 | &raw mut ... | semmle.label | &raw mut ... |
-| deallocation.rs:392:13:392:16 | ptr2 | semmle.label | ptr2 |
-| deallocation.rs:402:13:402:16 | ptr2 | semmle.label | ptr2 |
 | lifetime.rs:21:2:21:18 | return ... | semmle.label | return ... |
 | lifetime.rs:21:9:21:18 | &my_local1 | semmle.label | &my_local1 |
 | lifetime.rs:27:2:27:22 | return ... | semmle.label | return ... |
@@ -282,17 +220,6 @@ nodes
 | lifetime.rs:110:5:110:6 | p2 | semmle.label | p2 |
 | lifetime.rs:119:15:119:24 | &my_local3 | semmle.label | &my_local3 |
 | lifetime.rs:119:27:119:44 | &mut my_local_mut4 | semmle.label | &mut my_local_mut4 |
-| lifetime.rs:127:2:127:24 | return ... | semmle.label | return ... |
-| lifetime.rs:127:9:127:24 | &MY_GLOBAL_CONST | semmle.label | &MY_GLOBAL_CONST |
-| lifetime.rs:134:3:134:30 | return ... | semmle.label | return ... |
-| lifetime.rs:134:10:134:30 | &mut MY_GLOBAL_STATIC | semmle.label | &mut MY_GLOBAL_STATIC |
-| lifetime.rs:139:6:139:7 | p1 | semmle.label | p1 |
-| lifetime.rs:139:11:139:21 | get_const(...) | semmle.label | get_const(...) |
-| lifetime.rs:140:6:140:7 | p2 | semmle.label | p2 |
-| lifetime.rs:140:11:140:26 | get_static_mut(...) | semmle.label | get_static_mut(...) |
-| lifetime.rs:147:14:147:15 | p1 | semmle.label | p1 |
-| lifetime.rs:148:14:148:15 | p2 | semmle.label | p2 |
-| lifetime.rs:154:5:154:6 | p2 | semmle.label | p2 |
 | lifetime.rs:161:17:161:31 | ...: ... | semmle.label | ...: ... |
 | lifetime.rs:164:13:164:15 | ptr | semmle.label | ptr |
 | lifetime.rs:169:17:169:31 | ...: ... | semmle.label | ...: ... |
@@ -315,7 +242,6 @@ nodes
 | lifetime.rs:211:18:211:52 | access_ptr_rec(...) | semmle.label | access_ptr_rec(...) |
 | lifetime.rs:211:33:211:40 | ptr_ours | semmle.label | ptr_ours |
 | lifetime.rs:216:16:216:21 | ptr_up | semmle.label | ptr_up |
-| lifetime.rs:217:18:217:25 | ptr_ours | semmle.label | ptr_ours |
 | lifetime.rs:218:18:218:25 | ptr_down | semmle.label | ptr_down |
 | lifetime.rs:225:2:225:16 | return ptr_ours | semmle.label | return ptr_ours |
 | lifetime.rs:230:6:230:14 | ptr_start | semmle.label | ptr_start |
@@ -349,26 +275,27 @@ nodes
 | lifetime.rs:313:27:313:28 | p2 | semmle.label | p2 |
 | lifetime.rs:314:23:314:24 | p2 | semmle.label | p2 |
 | lifetime.rs:317:13:317:18 | result | semmle.label | result |
+| lifetime.rs:332:6:332:13 | mut ref1 | semmle.label | mut ref1 |
+| lifetime.rs:332:17:332:22 | &enum1 | semmle.label | &enum1 |
+| lifetime.rs:336:3:336:6 | ref1 | semmle.label | ref1 |
+| lifetime.rs:336:10:336:15 | &inner | semmle.label | &inner |
+| lifetime.rs:338:9:338:35 | ...::Pointer(...) | semmle.label | ...::Pointer(...) |
+| lifetime.rs:339:28:339:30 | ptr | semmle.label | ptr |
+| lifetime.rs:348:6:348:13 | mut ref1 | semmle.label | mut ref1 |
+| lifetime.rs:348:17:348:22 | &enum1 | semmle.label | &enum1 |
+| lifetime.rs:352:3:352:6 | ref1 | semmle.label | ref1 |
+| lifetime.rs:352:10:352:15 | &inner | semmle.label | &inner |
+| lifetime.rs:354:9:354:35 | ...::Pointer(...) | semmle.label | ...::Pointer(...) |
+| lifetime.rs:355:28:355:30 | ptr | semmle.label | ptr |
 | lifetime.rs:383:3:383:4 | p1 | semmle.label | p1 |
 | lifetime.rs:383:31:383:37 | &raw mut my_pair | semmle.label | &raw mut my_pair |
-| lifetime.rs:384:3:384:4 | p2 | semmle.label | p2 |
-| lifetime.rs:384:27:384:35 | &raw const ... | semmle.label | &raw const ... |
-| lifetime.rs:385:3:385:4 | p3 | semmle.label | p3 |
-| lifetime.rs:385:31:385:39 | &raw mut ... | semmle.label | &raw mut ... |
 | lifetime.rs:388:15:388:16 | p1 | semmle.label | p1 |
 | lifetime.rs:391:15:391:16 | p1 | semmle.label | p1 |
-| lifetime.rs:394:14:394:15 | p2 | semmle.label | p2 |
-| lifetime.rs:395:14:395:15 | p3 | semmle.label | p3 |
 | lifetime.rs:399:6:399:7 | p1 | semmle.label | p1 |
-| lifetime.rs:400:5:400:6 | p3 | semmle.label | p3 |
-| lifetime.rs:400:5:400:6 | p3 | semmle.label | p3 |
 | lifetime.rs:401:6:401:7 | p1 | semmle.label | p1 |
 | lifetime.rs:411:16:411:17 | p1 | semmle.label | p1 |
 | lifetime.rs:416:16:416:17 | p1 | semmle.label | p1 |
-| lifetime.rs:421:15:421:16 | p2 | semmle.label | p2 |
-| lifetime.rs:422:15:422:16 | p3 | semmle.label | p3 |
 | lifetime.rs:428:7:428:8 | p1 | semmle.label | p1 |
-| lifetime.rs:429:6:429:7 | p3 | semmle.label | p3 |
 | lifetime.rs:433:7:433:8 | p1 | semmle.label | p1 |
 | lifetime.rs:442:6:442:7 | r1 | semmle.label | r1 |
 | lifetime.rs:442:17:442:23 | &my_val | semmle.label | &my_val |
@@ -384,18 +311,8 @@ nodes
 | lifetime.rs:568:7:568:8 | p2 | semmle.label | p2 |
 | lifetime.rs:568:24:568:33 | &my_local2 | semmle.label | &my_local2 |
 | lifetime.rs:572:14:572:15 | p2 | semmle.label | p2 |
-| lifetime.rs:630:3:630:6 | str2 | semmle.label | str2 |
-| lifetime.rs:630:10:630:25 | &... | semmle.label | &... |
-| lifetime.rs:633:15:633:18 | str2 | semmle.label | str2 |
-| lifetime.rs:641:14:641:17 | str2 | semmle.label | str2 |
-| lifetime.rs:654:4:654:7 | str2 | semmle.label | str2 |
-| lifetime.rs:654:11:654:35 | ... + ... | semmle.label | ... + ... |
-| lifetime.rs:654:31:654:35 | &str1 | semmle.label | &str1 |
 | lifetime.rs:655:4:655:7 | ref1 | semmle.label | ref1 |
-| lifetime.rs:655:4:655:7 | ref1 [&ref] | semmle.label | ref1 [&ref] |
 | lifetime.rs:655:11:655:25 | &raw const str2 | semmle.label | &raw const str2 |
-| lifetime.rs:655:11:655:25 | &raw const str2 [&ref] | semmle.label | &raw const str2 [&ref] |
-| lifetime.rs:655:22:655:25 | str2 | semmle.label | str2 |
 | lifetime.rs:659:15:659:18 | ref1 | semmle.label | ref1 |
 | lifetime.rs:667:14:667:17 | ref1 | semmle.label | ref1 |
 | lifetime.rs:781:2:781:19 | return ... | semmle.label | return ... |
--- a/rust/ql/test/query-tests/security/CWE-825/CONSISTENCY/PathResolutionConsistency.expected
+++ b/rust/ql/test/query-tests/security/CWE-825/CONSISTENCY/PathResolutionConsistency.expected
@@ -1,6 +1,10 @@
 multipleResolvedTargets
 | deallocation.rs:354:11:354:29 | ...::from(...) |
 | deallocation.rs:355:11:355:29 | ...::from(...) |
+| deallocation.rs:420:2:420:4 | * ... |
+| deallocation.rs:421:23:421:25 | * ... |
+| deallocation.rs:425:33:425:35 | * ... |
+| deallocation.rs:430:27:430:29 | * ... |
 | lifetime.rs:217:17:217:25 | * ... |
 | lifetime.rs:610:13:610:31 | ...::from(...) |
 | lifetime.rs:611:13:611:31 | ...::from(...) |
--- a/rust/ql/test/query-tests/security/CWE-825/deallocation.rs
+++ b/rust/ql/test/query-tests/security/CWE-825/deallocation.rs
@@ -403,3 +403,29 @@ pub fn test_vec_reserve() {
 		println!("	v4 = {}", v4); // corrupt in practice
 	}
 }
+
+// --- pointer to reference ---
+
+pub fn test_pointer_converted_to_reference() {
+	let layout = std::alloc::Layout::new::<u128>();
+	let m3;
+
+	// allocate
+	unsafe {
+		let m1 = std::alloc::alloc(layout); // *mut u8
+		let m2 = m1 as *mut u128; // *mut u128
+		m3 = &mut *m2; // &u128
+	}
+
+	*m3 = 1; // GOOD
+	println!("	v1 = {}", *m3); // GOOD
+
+	// free
+	unsafe {
+		std::alloc::dealloc((&raw mut *m3) as *mut u8, layout); // $ MISSING: Source[rust/access-invalid-pointer]=dealloc
+	}
+	// (m1, m2, m3 are now dangling)
+
+	// (this is corrupt in practice)
+	println!("	v2 = {} (!)", *m3); // $ MISSING: Alert[rust/access-invalid-pointer]=dealloc
+}
--- a/rust/ql/test/query-tests/security/CWE-825/main.rs
+++ b/rust/ql/test/query-tests/security/CWE-825/main.rs
@@ -143,6 +143,9 @@ fn main() {
    println!("test_vec_reserve:");
    test_vec_reserve();

+    println!("test_pointer_converted_to_reference:");
+    test_pointer_converted_to_reference();
+
    // ---

    println!("test_local_dangling:");