Merge branch 'main' of github.com:github/codeql into python-port-unsafe-deserialization

2026-04-30 11:15:13 +02:00 · 2020-10-15 15:45:35 +02:00
parent cc7d32c27c b05cc2eafd
commit ef32488596
127 changed files with 1873 additions and 1316 deletions
--- a/python/ql/src/experimental/Security-new-dataflow/CWE-078/CommandInjection.ql
+++ b/python/ql/src/experimental/Security-new-dataflow/CWE-078/CommandInjection.ql
@@ -46,15 +46,16 @@ class CommandInjectionConfiguration extends TaintTracking::Configuration {
    // os.system(cmd)
    // ```
    //
-    // Best solution I could come up with is to exclude all sinks inside the `os` and
-    // `subprocess` modules. This does have a downside: If we have overlooked a function
-    // in any of these, that internally runs a command, we no longer give an alert :|
+    // Best solution I could come up with is to exclude all sinks inside the modules of
+    // known sinks. This does have a downside: If we have overlooked a function in any
+    // of these, that internally runs a command, we no longer give an alert :| -- and we
+    // need to keep them updated (which is hard to remember)
    //
    // This does not only affect `os.popen`, but also the helper functions in
    // `subprocess`. See:
    // https://github.com/python/cpython/blob/fa7ce080175f65d678a7d5756c94f82887fc9803/Lib/os.py#L974
    // https://github.com/python/cpython/blob/fa7ce080175f65d678a7d5756c94f82887fc9803/Lib/subprocess.py#L341
-    not sink.getScope().getEnclosingModule().getName() in ["os", "subprocess"]
+    not sink.getScope().getEnclosingModule().getName() in ["os", "subprocess", "platform", "popen2"]
  }
 }

--- a/python/ql/src/experimental/Security-new-dataflow/CWE-094/CodeInjection.ql
+++ b/python/ql/src/experimental/Security-new-dataflow/CWE-094/CodeInjection.ql
@@ -0,0 +1,35 @@
+/**
+ * @name Code injection
+ * @description Interpreting unsanitized user input as code allows a malicious user to perform arbitrary
+ *              code execution.
+ * @kind path-problem
+ * @problem.severity error
+ * @sub-severity high
+ * @precision high
+ * @id py/code-injection
+ * @tags security
+ *       external/owasp/owasp-a1
+ *       external/cwe/cwe-094
+ *       external/cwe/cwe-095
+ *       external/cwe/cwe-116
+ */
+
+import python
+import experimental.dataflow.DataFlow
+import experimental.dataflow.TaintTracking
+import experimental.semmle.python.Concepts
+import experimental.dataflow.RemoteFlowSources
+import DataFlow::PathGraph
+
+class CodeInjectionConfiguration extends TaintTracking::Configuration {
+  CodeInjectionConfiguration() { this = "CodeInjectionConfiguration" }
+
+  override predicate isSource(DataFlow::Node source) { source instanceof RemoteFlowSource }
+
+  override predicate isSink(DataFlow::Node sink) { sink = any(CodeExecution e).getCode() }
+}
+
+from CodeInjectionConfiguration config, DataFlow::PathNode source, DataFlow::PathNode sink
+where config.hasFlowPath(source, sink)
+select sink.getNode(), source, sink, "$@ flows to here and is interpreted as code.",
+  source.getNode(), "A user-provided value"
--- a/python/ql/src/experimental/Security-new-dataflow/promote.sh
+++ b/python/ql/src/experimental/Security-new-dataflow/promote.sh
@@ -0,0 +1,13 @@
+#!/bin/bash
+set -Eeuo pipefail # see https://vaneyckt.io/posts/safer_bash_scripts_with_set_euxo_pipefail/
+
+# Promotes new dataflow queries to be the real ones
+
+SCRIPTDIR="$( cd "$( dirname "${BASH_SOURCE[0]}" )" >/dev/null 2>&1 && pwd )"
+
+cd $SCRIPTDIR
+for file in $(find . -mindepth 2); do
+    echo "Promoting $file"
+    mkdir -p "../../Security/$(dirname $file)"
+    mv "$file" "../../Security/${file}"
+done
--- a/python/ql/src/experimental/dataflow/TypeTracker.qll
+++ b/python/ql/src/experimental/dataflow/TypeTracker.qll
@@ -71,7 +71,8 @@ module StepSummary {
 /** Holds if it's reasonable to expect the data flow step from `nodeFrom` to `nodeTo` to preserve types. */
 private predicate typePreservingStep(Node nodeFrom, Node nodeTo) {
  EssaFlow::essaFlowStep(nodeFrom, nodeTo) or
-  jumpStep(nodeFrom, nodeTo)
+  jumpStep(nodeFrom, nodeTo) or
+  nodeFrom = nodeTo.(PostUpdateNode).getPreUpdateNode()
 }

 /** Holds if `nodeFrom` steps to `nodeTo` by being passed as a parameter in a call. */
--- a/python/ql/src/experimental/dataflow/internal/DataFlowPrivate.qll
+++ b/python/ql/src/experimental/dataflow/internal/DataFlowPrivate.qll
@@ -150,22 +150,6 @@ module EssaFlow {
    //   nodeTo is `y` on second line, cfg node
    useToNextUse(nodeFrom.asCfgNode(), nodeTo.asCfgNode())
    or
-    // Refinements
-    exists(EssaEdgeRefinement r |
-      nodeTo.(EssaNode).getVar() = r.getVariable() and
-      nodeFrom.(EssaNode).getVar() = r.getInput()
-    )
-    or
-    exists(EssaNodeRefinement r |
-      nodeTo.(EssaNode).getVar() = r.getVariable() and
-      nodeFrom.(EssaNode).getVar() = r.getInput()
-    )
-    or
-    exists(PhiFunction p |
-      nodeTo.(EssaNode).getVar() = p.getVariable() and
-      nodeFrom.(EssaNode).getVar() = p.getAnInput()
-    )
-    or
    // If expressions
    nodeFrom.asCfgNode() = nodeTo.asCfgNode().(IfExprNode).getAnOperand()
  }
--- a/python/ql/src/experimental/semmle/python/Concepts.qll
+++ b/python/ql/src/experimental/semmle/python/Concepts.qll
@@ -97,6 +97,35 @@ module Decoding {
  }
 }

+/**
+ * A data-flow node that dynamically executes Python code.
+ *
+ * Extend this class to refine existing API models. If you want to model new APIs,
+ * extend `CodeExecution::Range` instead.
+ */
+class CodeExecution extends DataFlow::Node {
+  CodeExecution::Range range;
+
+  CodeExecution() { this = range }
+
+  /** Gets the argument that specifies the code to be executed. */
+  DataFlow::Node getCode() { result = range.getCode() }
+}
+
+/** Provides a class for modeling new dynamic code execution APIs. */
+module CodeExecution {
+  /**
+   * A data-flow node that dynamically executes Python code.
+   *
+   * Extend this class to model new APIs. If you want to refine existing API models,
+   * extend `CodeExecution` instead.
+   */
+  abstract class Range extends DataFlow::Node {
+    /** Gets the argument that specifies the code to be executed. */
+    abstract DataFlow::Node getCode();
+  }
+}
+
 /** Provides classes for modeling HTTP-related APIs. */
 module HTTP {
  /** Provides classes for modeling HTTP servers. */
--- a/python/ql/src/experimental/semmle/python/frameworks/Stdlib.qll
+++ b/python/ql/src/experimental/semmle/python/frameworks/Stdlib.qll
@@ -32,7 +32,7 @@ private module Stdlib {
   * For example, using `attr_name = "system"` will get all uses of `os.system`.
   */
  private DataFlow::Node os_attr(DataFlow::TypeTracker t, string attr_name) {
-    attr_name in ["system", "popen",
+    attr_name in ["system", "popen", "popen2", "popen3", "popen4",
          // exec
          "execl", "execle", "execlp", "execlpe", "execv", "execve", "execvp", "execvpe",
          // spawn
@@ -111,15 +111,28 @@ private module Stdlib {
  }

  /**
-   * A call to `os.popen`
+   * A call to any of the `os.popen*` functions
   * See https://docs.python.org/3/library/os.html#os.popen
+   *
+   * Note that in Python 2, there are also `popen2`, `popen3`, and `popen4` functions.
+   * Although deprecated since version 2.6, they still work in 2.7.
+   * See https://docs.python.org/2.7/library/os.html#os.popen2
   */
  private class OsPopenCall extends SystemCommandExecution::Range, DataFlow::CfgNode {
    override CallNode node;
+    string name;

-    OsPopenCall() { node.getFunction() = os_attr("popen").asCfgNode() }
+    OsPopenCall() {
+      name in ["popen", "popen2", "popen3", "popen4"] and
+      node.getFunction() = os_attr(name).asCfgNode()
+    }

-    override DataFlow::Node getCommand() { result.asCfgNode() = node.getArg(0) }
+    override DataFlow::Node getCommand() {
+      result.asCfgNode() = node.getArg(0)
+      or
+      not name = "popen" and
+      result.asCfgNode() = node.getArgByName("cmd")
+    }
  }

  /**
@@ -242,29 +255,22 @@ private module Stdlib {
   * A call to `subprocess.Popen` or helper functions (call, check_call, check_output, run)
   * See https://docs.python.org/3.8/library/subprocess.html#subprocess.Popen
   */
-  private class SubprocessPopenCall extends SystemCommandExecution::Range {
-    CallNode call;
+  private class SubprocessPopenCall extends SystemCommandExecution::Range, DataFlow::CfgNode {
+    override CallNode node;

    SubprocessPopenCall() {
-      call = this.asCfgNode() and
      exists(string name |
        name in ["Popen", "call", "check_call", "check_output", "run"] and
-        call.getFunction() = subprocess_attr(name).asCfgNode()
+        node.getFunction() = subprocess_attr(name).asCfgNode()
      )
    }

    /** Gets the ControlFlowNode for the `args` argument, if any. */
-    private ControlFlowNode get_args_arg() {
-      result = call.getArg(0)
-      or
-      result = call.getArgByName("args")
-    }
+    private ControlFlowNode get_args_arg() { result in [node.getArg(0), node.getArgByName("args")] }

    /** Gets the ControlFlowNode for the `shell` argument, if any. */
    private ControlFlowNode get_shell_arg() {
-      result = call.getArg(8)
-      or
-      result = call.getArgByName("shell")
+      result in [node.getArg(8), node.getArgByName("shell")]
    }

    private boolean get_shell_arg_value() {
@@ -286,9 +292,7 @@ private module Stdlib {

    /** Gets the ControlFlowNode for the `executable` argument, if any. */
    private ControlFlowNode get_executable_arg() {
-      result = call.getArg(2)
-      or
-      result = call.getArgByName("executable")
+      result in [node.getArg(2), node.getArgByName("executable")]
    }

    override DataFlow::Node getCommand() {
@@ -424,4 +428,256 @@ private module Stdlib {

    override string getFormat() { result = "pickle" }
  }
+
+  // ---------------------------------------------------------------------------
+  // popen2
+  // ---------------------------------------------------------------------------
+  /** Gets a reference to the `popen2` module (only available in Python 2). */
+  private DataFlow::Node popen2(DataFlow::TypeTracker t) {
+    t.start() and
+    result = DataFlow::importNode("popen2")
+    or
+    exists(DataFlow::TypeTracker t2 | result = popen2(t2).track(t2, t))
+  }
+
+  /** Gets a reference to the `popen2` module (only available in Python 2). */
+  DataFlow::Node popen2() { result = popen2(DataFlow::TypeTracker::end()) }
+
+  /**
+   * Gets a reference to the attribute `attr_name` of the `popen2` module.
+   * WARNING: Only holds for a few predefined attributes.
+   */
+  private DataFlow::Node popen2_attr(DataFlow::TypeTracker t, string attr_name) {
+    attr_name in ["popen2", "popen3", "popen4",
+          // classes
+          "Popen3", "Popen4"] and
+    (
+      t.start() and
+      result = DataFlow::importNode("popen2." + attr_name)
+      or
+      t.startInAttr(attr_name) and
+      result = DataFlow::importNode("popen2")
+    )
+    or
+    // Due to bad performance when using normal setup with `popen2_attr(t2, attr_name).track(t2, t)`
+    // we have inlined that code and forced a join
+    exists(DataFlow::TypeTracker t2 |
+      exists(DataFlow::StepSummary summary |
+        popen2_attr_first_join(t2, attr_name, result, summary) and
+        t = t2.append(summary)
+      )
+    )
+  }
+
+  pragma[nomagic]
+  private predicate popen2_attr_first_join(
+    DataFlow::TypeTracker t2, string attr_name, DataFlow::Node res, DataFlow::StepSummary summary
+  ) {
+    DataFlow::StepSummary::step(popen2_attr(t2, attr_name), res, summary)
+  }
+
+  /**
+   * Gets a reference to the attribute `attr_name` of the `popen2` module.
+   * WARNING: Only holds for a few predefined attributes.
+   */
+  private DataFlow::Node popen2_attr(string attr_name) {
+    result = popen2_attr(DataFlow::TypeTracker::end(), attr_name)
+  }
+
+  /**
+   * A call to any of the `popen.popen*` functions, or instantiation of a `popen.Popen*` class.
+   * See https://docs.python.org/2.7/library/popen2.html
+   */
+  private class Popen2PopenCall extends SystemCommandExecution::Range, DataFlow::CfgNode {
+    override CallNode node;
+
+    Popen2PopenCall() {
+      exists(string name |
+        name in ["popen2", "popen3", "popen4", "Popen3", "Popen4"] and
+        node.getFunction() = popen2_attr(name).asCfgNode()
+      )
+    }
+
+    override DataFlow::Node getCommand() {
+      result.asCfgNode() in [node.getArg(0), node.getArgByName("cmd")]
+    }
+  }
+
+  // ---------------------------------------------------------------------------
+  // platform
+  // ---------------------------------------------------------------------------
+  /** Gets a reference to the `platform` module. */
+  private DataFlow::Node platform(DataFlow::TypeTracker t) {
+    t.start() and
+    result = DataFlow::importNode("platform")
+    or
+    exists(DataFlow::TypeTracker t2 | result = platform(t2).track(t2, t))
+  }
+
+  /** Gets a reference to the `platform` module. */
+  DataFlow::Node platform() { result = platform(DataFlow::TypeTracker::end()) }
+
+  /**
+   * Gets a reference to the attribute `attr_name` of the `platform` module.
+   * WARNING: Only holds for a few predefined attributes.
+   */
+  private DataFlow::Node platform_attr(DataFlow::TypeTracker t, string attr_name) {
+    attr_name in ["popen"] and
+    (
+      t.start() and
+      result = DataFlow::importNode("platform." + attr_name)
+      or
+      t.startInAttr(attr_name) and
+      result = DataFlow::importNode("platform")
+    )
+    or
+    // Due to bad performance when using normal setup with `platform_attr(t2, attr_name).track(t2, t)`
+    // we have inlined that code and forced a join
+    exists(DataFlow::TypeTracker t2 |
+      exists(DataFlow::StepSummary summary |
+        platform_attr_first_join(t2, attr_name, result, summary) and
+        t = t2.append(summary)
+      )
+    )
+  }
+
+  pragma[nomagic]
+  private predicate platform_attr_first_join(
+    DataFlow::TypeTracker t2, string attr_name, DataFlow::Node res, DataFlow::StepSummary summary
+  ) {
+    DataFlow::StepSummary::step(platform_attr(t2, attr_name), res, summary)
+  }
+
+  /**
+   * Gets a reference to the attribute `attr_name` of the `platform` module.
+   * WARNING: Only holds for a few predefined attributes.
+   */
+  private DataFlow::Node platform_attr(string attr_name) {
+    result = platform_attr(DataFlow::TypeTracker::end(), attr_name)
+  }
+
+  /**
+   * A call to the `platform.popen` function.
+   * See https://docs.python.org/2.7/library/platform.html#platform.popen
+   */
+  private class PlatformPopenCall extends SystemCommandExecution::Range, DataFlow::CfgNode {
+    override CallNode node;
+
+    PlatformPopenCall() { node.getFunction() = platform_attr("popen").asCfgNode() }
+
+    override DataFlow::Node getCommand() {
+      result.asCfgNode() in [node.getArg(0), node.getArgByName("cmd")]
+    }
+  }
+
+  // ---------------------------------------------------------------------------
+  // builtins
+  // ---------------------------------------------------------------------------
+  /** Gets a reference to the `builtins` module (called `__builtin__` in Python 2). */
+  private DataFlow::Node builtins(DataFlow::TypeTracker t) {
+    t.start() and
+    result = DataFlow::importNode(["builtins", "__builtin__"])
+    or
+    exists(DataFlow::TypeTracker t2 | result = builtins(t2).track(t2, t))
+  }
+
+  /** Gets a reference to the `builtins` module. */
+  DataFlow::Node builtins() { result = builtins(DataFlow::TypeTracker::end()) }
+
+  /**
+   * Gets a reference to the attribute `attr_name` of the `builtins` module.
+   * WARNING: Only holds for a few predefined attributes.
+   */
+  private DataFlow::Node builtins_attr(DataFlow::TypeTracker t, string attr_name) {
+    attr_name in ["exec", "eval", "compile"] and
+    (
+      t.start() and
+      result = DataFlow::importNode(["builtins", "__builtin__"] + "." + attr_name)
+      or
+      t.startInAttr(attr_name) and
+      result = DataFlow::importNode(["builtins", "__builtin__"])
+      or
+      // special handling of builtins, that are in scope without any imports
+      // TODO: Take care of overrides, either `def eval: ...`, `eval = ...`, or `builtins.eval = ...`
+      t.start() and
+      exists(NameNode ref | result.asCfgNode() = ref |
+        ref.isGlobal() and
+        ref.getId() = attr_name and
+        ref.isLoad()
+      )
+    )
+    or
+    // Due to bad performance when using normal setup with `builtins_attr(t2, attr_name).track(t2, t)`
+    // we have inlined that code and forced a join
+    exists(DataFlow::TypeTracker t2 |
+      exists(DataFlow::StepSummary summary |
+        builtins_attr_first_join(t2, attr_name, result, summary) and
+        t = t2.append(summary)
+      )
+    )
+  }
+
+  pragma[nomagic]
+  private predicate builtins_attr_first_join(
+    DataFlow::TypeTracker t2, string attr_name, DataFlow::Node res, DataFlow::StepSummary summary
+  ) {
+    DataFlow::StepSummary::step(builtins_attr(t2, attr_name), res, summary)
+  }
+
+  /**
+   * Gets a reference to the attribute `attr_name` of the `builtins` module.
+   * WARNING: Only holds for a few predefined attributes.
+   */
+  private DataFlow::Node builtins_attr(string attr_name) {
+    result = builtins_attr(DataFlow::TypeTracker::end(), attr_name)
+  }
+
+  /**
+   * A call to the builtin `exec` function.
+   * See https://docs.python.org/3/library/functions.html#exec
+   */
+  private class BuiltinsExecCall extends CodeExecution::Range, DataFlow::CfgNode {
+    override CallNode node;
+
+    BuiltinsExecCall() { node.getFunction() = builtins_attr("exec").asCfgNode() }
+
+    override DataFlow::Node getCode() { result.asCfgNode() = node.getArg(0) }
+  }
+
+  /**
+   * A call to the builtin `eval` function.
+   * See https://docs.python.org/3/library/functions.html#eval
+   */
+  private class BuiltinsEvalCall extends CodeExecution::Range, DataFlow::CfgNode {
+    override CallNode node;
+
+    BuiltinsEvalCall() { node.getFunction() = builtins_attr("eval").asCfgNode() }
+
+    override DataFlow::Node getCode() { result.asCfgNode() = node.getArg(0) }
+  }
+
+  /** An additional taint step for calls to the builtin function `compile` */
+  private class BuiltinsCompileCallAdditionalTaintStep extends TaintTracking::AdditionalTaintStep {
+    override predicate step(DataFlow::Node nodeFrom, DataFlow::Node nodeTo) {
+      exists(CallNode call |
+        nodeTo.asCfgNode() = call and
+        call.getFunction() = builtins_attr("compile").asCfgNode() and
+        nodeFrom.asCfgNode() in [call.getArg(0), call.getArgByName("source")]
+      )
+    }
+  }
+}
+
+/**
+ * An exec statement (only Python 2).
+ * Se ehttps://docs.python.org/2/reference/simple_stmts.html#the-exec-statement.
+ */
+private class ExecStatement extends CodeExecution::Range {
+  ExecStatement() {
+    // since there are no DataFlow::Nodes for a Statement, we can't do anything like
+    // `this = any(Exec exec)`
+    this.asExpr() = any(Exec exec).getBody()
+  }
+
+  override DataFlow::Node getCode() { result = this }
 }
--- a/python/ql/src/semmle/python/objects/Classes.qll
+++ b/python/ql/src/semmle/python/objects/Classes.qll
@@ -311,7 +311,8 @@ class SubscriptedTypeInternal extends ObjectInternal, TSubscriptedType {
  override string getName() { result = this.getGeneric().getName() }

  override string toString() {
-    result = this.getGeneric().toString() + "[" + this.getSpecializer().toString() + "]"
+    result =
+      bounded_toString(this.getGeneric()) + "[" + bounded_toString(this.getSpecializer()) + "]"
  }

  override predicate introducedAt(ControlFlowNode node, PointsToContext context) {
--- a/python/ql/src/semmle/python/objects/Instances.qll
+++ b/python/ql/src/semmle/python/objects/Instances.qll
@@ -379,7 +379,8 @@ private predicate cls_descriptor(ClassObjectInternal cls, string name, ObjectInt
 /** A class representing an instance of the `super` class */
 class SuperInstance extends TSuperInstance, ObjectInternal {
  override string toString() {
-    result = "super(" + this.getStartClass().toString() + ", " + this.getSelf().toString() + ")"
+    result =
+      "super(" + this.getStartClass().toString() + ", " + bounded_toString(this.getSelf()) + ")"
  }

  override boolean booleanValue() { result = true }
--- a/python/ql/src/semmle/python/objects/ObjectInternal.qll
+++ b/python/ql/src/semmle/python/objects/ObjectInternal.qll
@@ -515,7 +515,7 @@ class DecoratedFunction extends ObjectInternal, TDecoratedFunction {
  override string getName() { result = this.decoratedObject().getName() }

  override string toString() {
-    result = "Decorated " + this.decoratedObject().toString()
+    result = "Decorated " + bounded_toString(this.decoratedObject())
    or
    not exists(this.decoratedObject()) and result = "Decorated function"
  }
@@ -592,3 +592,18 @@ pragma[nomagic]
 predicate receiver_type(AttrNode attr, string name, ObjectInternal value, ClassObjectInternal cls) {
  PointsToInternal::pointsTo(attr.getObject(name), _, value, _) and value.getClass() = cls
 }
+
+/**
+ * Returns a string representation of `obj`. Because some classes have (mutually) recursive
+ * `toString` implementations, this predicate acts as a stop for these classes, preventing an
+ * unbounded `toString` from being materialized.
+ */
+string bounded_toString(ObjectInternal obj) {
+  if
+    obj instanceof DecoratedFunction or
+    obj instanceof TupleObjectInternal or
+    obj instanceof SubscriptedTypeInternal or
+    obj instanceof SuperInstance
+  then result = "(...)"
+  else result = obj.toString()
+}
--- a/python/ql/src/semmle/python/objects/Sequences.qll
+++ b/python/ql/src/semmle/python/objects/Sequences.qll
@@ -54,10 +54,7 @@ abstract class TupleObjectInternal extends SequenceObjectInternal {
  }

  private string item(int n) {
-    exists(ObjectInternal item | item = this.getItem(n) |
-      // To avoid infinite recursion, nested tuples are replaced with the string "...".
-      if item instanceof TupleObjectInternal then result = "(...)" else result = item.toString()
-    )
+    result = bounded_toString(this.getItem(n))
    or
    n in [0 .. this.length() - 1] and
    not exists(this.getItem(n)) and
--- a/python/ql/test/experimental/dataflow/basic/global.expected
+++ b/python/ql/test/experimental/dataflow/basic/global.expected
@@ -36,7 +36,6 @@
 | test.py:6:1:6:1 | GSSA Variable a | test.py:4:10:4:10 | ControlFlowNode for z |
 | test.py:6:1:6:1 | GSSA Variable a | test.py:7:1:7:1 | GSSA Variable b |
 | test.py:6:1:6:1 | GSSA Variable a | test.py:7:5:7:20 | ControlFlowNode for obfuscated_id() |
-| test.py:6:1:6:1 | GSSA Variable a | test.py:7:5:7:20 | GSSA Variable a |
 | test.py:6:1:6:1 | GSSA Variable a | test.py:7:19:7:19 | ControlFlowNode for a |
 | test.py:6:5:6:6 | ControlFlowNode for IntegerLiteral | test.py:1:19:1:19 | SSA variable x |
 | test.py:6:5:6:6 | ControlFlowNode for IntegerLiteral | test.py:2:3:2:3 | SSA variable y |
@@ -47,7 +46,6 @@
 | test.py:6:5:6:6 | ControlFlowNode for IntegerLiteral | test.py:6:1:6:1 | GSSA Variable a |
 | test.py:6:5:6:6 | ControlFlowNode for IntegerLiteral | test.py:7:1:7:1 | GSSA Variable b |
 | test.py:6:5:6:6 | ControlFlowNode for IntegerLiteral | test.py:7:5:7:20 | ControlFlowNode for obfuscated_id() |
-| test.py:6:5:6:6 | ControlFlowNode for IntegerLiteral | test.py:7:5:7:20 | GSSA Variable a |
 | test.py:6:5:6:6 | ControlFlowNode for IntegerLiteral | test.py:7:19:7:19 | ControlFlowNode for a |
 | test.py:7:5:7:20 | ControlFlowNode for obfuscated_id() | test.py:7:1:7:1 | GSSA Variable b |
 | test.py:7:19:7:19 | ControlFlowNode for a | test.py:1:19:1:19 | SSA variable x |
--- a/python/ql/test/experimental/dataflow/basic/globalStep.expected
+++ b/python/ql/test/experimental/dataflow/basic/globalStep.expected
@@ -66,14 +66,10 @@
 | test.py:3:7:3:7 | ControlFlowNode for y | test.py:4:10:4:10 | ControlFlowNode for z |
 | test.py:4:10:4:10 | ControlFlowNode for z | test.py:7:5:7:20 | ControlFlowNode for obfuscated_id() |
 | test.py:4:10:4:10 | ControlFlowNode for z | test.py:7:5:7:20 | ControlFlowNode for obfuscated_id() |
-| test.py:6:1:6:1 | GSSA Variable a | test.py:7:5:7:20 | GSSA Variable a |
-| test.py:6:1:6:1 | GSSA Variable a | test.py:7:5:7:20 | GSSA Variable a |
 | test.py:6:1:6:1 | GSSA Variable a | test.py:7:19:7:19 | ControlFlowNode for a |
 | test.py:6:1:6:1 | GSSA Variable a | test.py:7:19:7:19 | ControlFlowNode for a |
 | test.py:6:5:6:6 | ControlFlowNode for IntegerLiteral | test.py:6:1:6:1 | GSSA Variable a |
 | test.py:6:5:6:6 | ControlFlowNode for IntegerLiteral | test.py:6:1:6:1 | GSSA Variable a |
-| test.py:6:5:6:6 | ControlFlowNode for IntegerLiteral | test.py:7:5:7:20 | GSSA Variable a |
-| test.py:6:5:6:6 | ControlFlowNode for IntegerLiteral | test.py:7:5:7:20 | GSSA Variable a |
 | test.py:6:5:6:6 | ControlFlowNode for IntegerLiteral | test.py:7:19:7:19 | ControlFlowNode for a |
 | test.py:6:5:6:6 | ControlFlowNode for IntegerLiteral | test.py:7:19:7:19 | ControlFlowNode for a |
 | test.py:7:5:7:20 | ControlFlowNode for obfuscated_id() | test.py:7:1:7:1 | GSSA Variable b |
--- a/python/ql/test/experimental/dataflow/basic/local.expected
+++ b/python/ql/test/experimental/dataflow/basic/local.expected
@@ -34,11 +34,9 @@
 | test.py:4:10:4:10 | ControlFlowNode for z | test.py:4:10:4:10 | ControlFlowNode for z |
 | test.py:6:1:6:1 | ControlFlowNode for a | test.py:6:1:6:1 | ControlFlowNode for a |
 | test.py:6:1:6:1 | GSSA Variable a | test.py:6:1:6:1 | GSSA Variable a |
-| test.py:6:1:6:1 | GSSA Variable a | test.py:7:5:7:20 | GSSA Variable a |
 | test.py:6:1:6:1 | GSSA Variable a | test.py:7:19:7:19 | ControlFlowNode for a |
 | test.py:6:5:6:6 | ControlFlowNode for IntegerLiteral | test.py:6:1:6:1 | GSSA Variable a |
 | test.py:6:5:6:6 | ControlFlowNode for IntegerLiteral | test.py:6:5:6:6 | ControlFlowNode for IntegerLiteral |
-| test.py:6:5:6:6 | ControlFlowNode for IntegerLiteral | test.py:7:5:7:20 | GSSA Variable a |
 | test.py:6:5:6:6 | ControlFlowNode for IntegerLiteral | test.py:7:19:7:19 | ControlFlowNode for a |
 | test.py:7:1:7:1 | ControlFlowNode for b | test.py:7:1:7:1 | ControlFlowNode for b |
 | test.py:7:1:7:1 | GSSA Variable b | test.py:7:1:7:1 | GSSA Variable b |
--- a/python/ql/test/experimental/dataflow/basic/localStep.expected
+++ b/python/ql/test/experimental/dataflow/basic/localStep.expected
@@ -5,7 +5,6 @@
 | test.py:2:7:2:7 | ControlFlowNode for x | test.py:2:3:2:3 | SSA variable y |
 | test.py:3:3:3:3 | SSA variable z | test.py:4:10:4:10 | ControlFlowNode for z |
 | test.py:3:7:3:7 | ControlFlowNode for y | test.py:3:3:3:3 | SSA variable z |
-| test.py:6:1:6:1 | GSSA Variable a | test.py:7:5:7:20 | GSSA Variable a |
 | test.py:6:1:6:1 | GSSA Variable a | test.py:7:19:7:19 | ControlFlowNode for a |
 | test.py:6:5:6:6 | ControlFlowNode for IntegerLiteral | test.py:6:1:6:1 | GSSA Variable a |
 | test.py:7:5:7:20 | ControlFlowNode for obfuscated_id() | test.py:7:1:7:1 | GSSA Variable b |
--- a/python/ql/test/experimental/dataflow/basic/maximalFlows.expected
+++ b/python/ql/test/experimental/dataflow/basic/maximalFlows.expected
@@ -6,4 +6,3 @@
 | test.py:3:3:3:3 | SSA variable z | test.py:7:1:7:1 | GSSA Variable b |
 | test.py:6:1:6:1 | GSSA Variable a | test.py:4:10:4:10 | ControlFlowNode for z |
 | test.py:6:1:6:1 | GSSA Variable a | test.py:7:1:7:1 | GSSA Variable b |
-| test.py:6:1:6:1 | GSSA Variable a | test.py:7:5:7:20 | GSSA Variable a |
--- a/python/ql/test/experimental/dataflow/coverage/localFlow.expected
+++ b/python/ql/test/experimental/dataflow/coverage/localFlow.expected
@@ -3,34 +3,13 @@
 | test.py:35:1:35:33 | GSSA Variable SOURCE | test.py:36:21:36:26 | ControlFlowNode for SOURCE |
 | test.py:36:5:36:5 | SSA variable x | test.py:37:9:37:9 | ControlFlowNode for x |
 | test.py:36:10:36:26 | ControlFlowNode for Tuple | test.py:36:5:36:5 | SSA variable x |
-| test.py:37:5:37:5 | SSA variable y | test.py:38:5:38:11 | SSA variable y |
 | test.py:37:5:37:5 | SSA variable y | test.py:38:10:38:10 | ControlFlowNode for y |
 | test.py:37:9:37:12 | ControlFlowNode for Subscript | test.py:37:5:37:5 | SSA variable y |
 | test.py:181:1:181:53 | GSSA Variable SINK | test.py:183:5:183:8 | ControlFlowNode for SINK |
 | test.py:181:1:181:53 | GSSA Variable SOURCE | test.py:182:25:182:30 | ControlFlowNode for SOURCE |
 | test.py:182:5:182:5 | SSA variable x | test.py:183:10:183:10 | ControlFlowNode for x |
 | test.py:182:9:182:68 | ControlFlowNode for ListComp | test.py:182:5:182:5 | SSA variable x |
-| test.py:182:9:182:68 | SSA variable u | test.py:182:9:182:68 | SSA variable u |
-| test.py:182:9:182:68 | SSA variable u | test.py:182:9:182:68 | SSA variable u |
-| test.py:182:9:182:68 | SSA variable u | test.py:182:9:182:68 | SSA variable u |
-| test.py:182:9:182:68 | SSA variable v | test.py:182:9:182:68 | SSA variable v |
-| test.py:182:9:182:68 | SSA variable y | test.py:182:9:182:68 | SSA variable y |
-| test.py:182:9:182:68 | SSA variable y | test.py:182:9:182:68 | SSA variable y |
-| test.py:182:9:182:68 | SSA variable y | test.py:182:9:182:68 | SSA variable y |
-| test.py:182:9:182:68 | SSA variable y | test.py:182:9:182:68 | SSA variable y |
-| test.py:182:9:182:68 | SSA variable y | test.py:182:9:182:68 | SSA variable y |
-| test.py:182:9:182:68 | SSA variable y | test.py:182:9:182:68 | SSA variable y |
-| test.py:182:9:182:68 | SSA variable y | test.py:182:9:182:68 | SSA variable y |
-| test.py:182:9:182:68 | SSA variable z | test.py:182:9:182:68 | SSA variable z |
-| test.py:182:9:182:68 | SSA variable z | test.py:182:9:182:68 | SSA variable z |
-| test.py:182:9:182:68 | SSA variable z | test.py:182:9:182:68 | SSA variable z |
-| test.py:182:9:182:68 | SSA variable z | test.py:182:9:182:68 | SSA variable z |
-| test.py:182:9:182:68 | SSA variable z | test.py:182:9:182:68 | SSA variable z |
-| test.py:182:16:182:16 | SSA variable v | test.py:182:9:182:68 | SSA variable v |
 | test.py:182:16:182:16 | SSA variable v | test.py:182:45:182:45 | ControlFlowNode for v |
-| test.py:182:40:182:40 | SSA variable u | test.py:182:9:182:68 | SSA variable u |
 | test.py:182:40:182:40 | SSA variable u | test.py:182:56:182:56 | ControlFlowNode for u |
-| test.py:182:51:182:51 | SSA variable z | test.py:182:9:182:68 | SSA variable z |
 | test.py:182:51:182:51 | SSA variable z | test.py:182:67:182:67 | ControlFlowNode for z |
-| test.py:182:62:182:62 | SSA variable y | test.py:182:9:182:68 | SSA variable y |
 | test.py:182:62:182:62 | SSA variable y | test.py:182:10:182:10 | ControlFlowNode for y |
--- a/python/ql/test/experimental/dataflow/fieldflow/allLocalFlow.expected
+++ b/python/ql/test/experimental/dataflow/fieldflow/allLocalFlow.expected
@@ -1,44 +1,26 @@
-| examples.py:0:0:0:0 | GSSA Variable SINK | examples.py:1:1:1:66 | GSSA Variable SINK |
 | examples.py:0:0:0:0 | GSSA Variable SINK | examples.py:28:1:28:4 | ControlFlowNode for SINK |
-| examples.py:0:0:0:0 | GSSA Variable SINK_F | examples.py:1:1:1:66 | GSSA Variable SINK_F |
-| examples.py:0:0:0:0 | GSSA Variable SOURCE | examples.py:1:1:1:66 | GSSA Variable SOURCE |
 | examples.py:0:0:0:0 | GSSA Variable SOURCE | examples.py:27:15:27:20 | ControlFlowNode for SOURCE |
-| examples.py:0:0:0:0 | GSSA Variable __name__ | examples.py:1:1:1:66 | GSSA Variable __name__ |
-| examples.py:0:0:0:0 | GSSA Variable __package__ | examples.py:1:1:1:66 | GSSA Variable __package__ |
-| examples.py:0:0:0:0 | GSSA Variable a | examples.py:1:1:1:66 | GSSA Variable a |
-| examples.py:0:0:0:0 | GSSA Variable fields_with_local_flow | examples.py:1:1:1:66 | GSSA Variable fields_with_local_flow |
-| examples.py:0:0:0:0 | GSSA Variable myobj | examples.py:1:1:1:66 | GSSA Variable myobj |
-| examples.py:0:0:0:0 | GSSA Variable obj | examples.py:1:1:1:66 | GSSA Variable obj |
-| examples.py:0:0:0:0 | GSSA Variable object | examples.py:1:1:1:66 | GSSA Variable object |
 | examples.py:0:0:0:0 | GSSA Variable object | examples.py:5:13:5:18 | ControlFlowNode for object |
-| examples.py:0:0:0:0 | GSSA Variable x | examples.py:1:1:1:66 | GSSA Variable x |
-| examples.py:0:0:0:0 | SSA variable $ | examples.py:1:1:1:66 | SSA variable $ |
-| examples.py:0:0:0:0 | SSA variable * | examples.py:1:1:1:66 | SSA variable * |
-| examples.py:1:1:1:66 | GSSA Variable SOURCE | examples.py:41:7:41:19 | GSSA Variable SOURCE |
 | examples.py:5:1:5:20 | ControlFlowNode for ClassExpr | examples.py:5:7:5:11 | GSSA Variable MyObj |
 | examples.py:5:7:5:11 | GSSA Variable MyObj | examples.py:25:9:25:13 | ControlFlowNode for MyObj |
 | examples.py:5:13:5:18 | ControlFlowNode for object | examples.py:11:17:11:22 | ControlFlowNode for object |
 | examples.py:7:5:7:28 | ControlFlowNode for FunctionExpr | examples.py:7:9:7:16 | SSA variable __init__ |
 | examples.py:7:18:7:21 | SSA variable self | examples.py:8:9:8:12 | ControlFlowNode for self |
-| examples.py:7:18:7:21 | SSA variable self | examples.py:8:9:8:16 | SSA variable self |
 | examples.py:7:24:7:26 | SSA variable foo | examples.py:8:20:8:22 | ControlFlowNode for foo |
 | examples.py:11:1:11:24 | ControlFlowNode for ClassExpr | examples.py:11:7:11:15 | GSSA Variable NestedObj |
 | examples.py:11:7:11:15 | GSSA Variable NestedObj | examples.py:33:5:33:13 | ControlFlowNode for NestedObj |
 | examples.py:13:5:13:23 | ControlFlowNode for FunctionExpr | examples.py:13:9:13:16 | SSA variable __init__ |
 | examples.py:13:5:13:23 | GSSA Variable MyObj | examples.py:14:20:14:24 | ControlFlowNode for MyObj |
 | examples.py:13:18:13:21 | SSA variable self | examples.py:14:9:14:12 | ControlFlowNode for self |
-| examples.py:13:18:13:21 | SSA variable self | examples.py:14:9:14:16 | SSA variable self |
 | examples.py:16:5:16:21 | ControlFlowNode for FunctionExpr | examples.py:16:9:16:14 | SSA variable getObj |
 | examples.py:16:16:16:19 | SSA variable self | examples.py:17:16:17:19 | ControlFlowNode for self |
 | examples.py:21:1:21:19 | ControlFlowNode for FunctionExpr | examples.py:21:5:21:10 | GSSA Variable setFoo |
 | examples.py:21:1:21:19 | GSSA Variable SINK_F | examples.py:22:5:22:10 | ControlFlowNode for SINK_F |
 | examples.py:21:5:21:10 | GSSA Variable setFoo | examples.py:27:1:27:6 | ControlFlowNode for setFoo |
 | examples.py:21:12:21:14 | SSA variable obj | examples.py:22:12:22:14 | ControlFlowNode for obj |
-| examples.py:21:12:21:14 | SSA variable obj | examples.py:23:5:23:11 | SSA variable obj |
 | examples.py:21:17:21:17 | SSA variable x | examples.py:23:15:23:15 | ControlFlowNode for x |
 | examples.py:22:12:22:14 | ControlFlowNode for obj | examples.py:23:5:23:7 | ControlFlowNode for obj |
 | examples.py:22:12:22:14 | [post read] ControlFlowNode for obj | examples.py:23:5:23:7 | ControlFlowNode for obj |
-| examples.py:25:1:25:5 | GSSA Variable myobj | examples.py:27:1:27:21 | GSSA Variable myobj |
 | examples.py:25:1:25:5 | GSSA Variable myobj | examples.py:27:8:27:12 | ControlFlowNode for myobj |
 | examples.py:25:9:25:13 | ControlFlowNode for MyObj | examples.py:41:7:41:11 | ControlFlowNode for MyObj |
 | examples.py:25:9:25:19 | ControlFlowNode for MyObj() | examples.py:25:1:25:5 | GSSA Variable myobj |
@@ -51,7 +33,6 @@
 | examples.py:31:5:31:10 | ControlFlowNode for SOURCE | examples.py:31:1:31:1 | GSSA Variable x |
 | examples.py:31:5:31:10 | ControlFlowNode for SOURCE | examples.py:41:13:41:18 | ControlFlowNode for SOURCE |
 | examples.py:33:1:33:1 | GSSA Variable a | examples.py:35:1:35:1 | ControlFlowNode for a |
-| examples.py:33:1:33:1 | GSSA Variable a | examples.py:36:1:36:10 | GSSA Variable a |
 | examples.py:33:5:33:15 | ControlFlowNode for NestedObj() | examples.py:33:1:33:1 | GSSA Variable a |
 | examples.py:35:1:35:1 | ControlFlowNode for a | examples.py:36:1:36:1 | ControlFlowNode for a |
 | examples.py:35:1:35:1 | [post read] ControlFlowNode for a | examples.py:36:1:36:1 | ControlFlowNode for a |
@@ -61,45 +42,32 @@
 | examples.py:38:1:38:4 | ControlFlowNode for SINK | examples.py:42:1:42:4 | ControlFlowNode for SINK |
 | examples.py:41:1:41:3 | GSSA Variable obj | examples.py:42:6:42:8 | ControlFlowNode for obj |
 | examples.py:41:7:41:19 | ControlFlowNode for MyObj() | examples.py:41:1:41:3 | GSSA Variable obj |
-| examples.py:41:7:41:19 | GSSA Variable SOURCE | examples.py:50:6:50:35 | GSSA Variable SOURCE |
 | examples.py:41:13:41:18 | ControlFlowNode for SOURCE | examples.py:50:29:50:34 | ControlFlowNode for SOURCE |
 | examples.py:41:13:41:18 | [post arg] ControlFlowNode for SOURCE | examples.py:50:29:50:34 | ControlFlowNode for SOURCE |
 | examples.py:42:1:42:4 | ControlFlowNode for SINK | examples.py:50:1:50:4 | ControlFlowNode for SINK |
 | examples.py:45:1:45:30 | ControlFlowNode for FunctionExpr | examples.py:45:5:45:26 | GSSA Variable fields_with_local_flow |
 | examples.py:45:1:45:30 | GSSA Variable MyObj | examples.py:46:9:46:13 | ControlFlowNode for MyObj |
 | examples.py:45:5:45:26 | GSSA Variable fields_with_local_flow | examples.py:50:6:50:27 | ControlFlowNode for fields_with_local_flow |
-| examples.py:45:28:45:28 | SSA variable x | examples.py:46:9:46:16 | SSA variable x |
 | examples.py:45:28:45:28 | SSA variable x | examples.py:46:15:46:15 | ControlFlowNode for x |
 | examples.py:46:3:46:5 | SSA variable obj | examples.py:47:7:47:9 | ControlFlowNode for obj |
 | examples.py:46:9:46:16 | ControlFlowNode for MyObj() | examples.py:46:3:46:5 | SSA variable obj |
 | examples.py:47:3:47:3 | SSA variable a | examples.py:48:10:48:10 | ControlFlowNode for a |
 | examples.py:47:7:47:13 | ControlFlowNode for Attribute | examples.py:47:3:47:3 | SSA variable a |
-| test.py:0:0:0:0 | GSSA Variable SINK | test.py:1:1:1:66 | GSSA Variable SINK |
-| test.py:0:0:0:0 | GSSA Variable SINK_F | test.py:1:1:1:66 | GSSA Variable SINK_F |
-| test.py:0:0:0:0 | GSSA Variable SOURCE | test.py:1:1:1:66 | GSSA Variable SOURCE |
-| test.py:0:0:0:0 | GSSA Variable __name__ | test.py:1:1:1:66 | GSSA Variable __name__ |
-| test.py:0:0:0:0 | GSSA Variable __package__ | test.py:1:1:1:66 | GSSA Variable __package__ |
-| test.py:0:0:0:0 | GSSA Variable object | test.py:1:1:1:66 | GSSA Variable object |
 | test.py:0:0:0:0 | GSSA Variable object | test.py:6:13:6:18 | ControlFlowNode for object |
-| test.py:0:0:0:0 | SSA variable $ | test.py:1:1:1:66 | SSA variable $ |
-| test.py:0:0:0:0 | SSA variable * | test.py:1:1:1:66 | SSA variable * |
 | test.py:6:1:6:20 | ControlFlowNode for ClassExpr | test.py:6:7:6:11 | GSSA Variable MyObj |
 | test.py:6:13:6:18 | ControlFlowNode for object | test.py:12:17:12:22 | ControlFlowNode for object |
 | test.py:8:5:8:28 | ControlFlowNode for FunctionExpr | test.py:8:9:8:16 | SSA variable __init__ |
 | test.py:8:18:8:21 | SSA variable self | test.py:9:9:9:12 | ControlFlowNode for self |
-| test.py:8:18:8:21 | SSA variable self | test.py:9:9:9:16 | SSA variable self |
 | test.py:8:24:8:26 | SSA variable foo | test.py:9:20:9:22 | ControlFlowNode for foo |
 | test.py:12:1:12:24 | ControlFlowNode for ClassExpr | test.py:12:7:12:15 | GSSA Variable NestedObj |
 | test.py:14:5:14:23 | ControlFlowNode for FunctionExpr | test.py:14:9:14:16 | SSA variable __init__ |
 | test.py:14:5:14:23 | GSSA Variable MyObj | test.py:15:20:15:24 | ControlFlowNode for MyObj |
 | test.py:14:18:14:21 | SSA variable self | test.py:15:9:15:12 | ControlFlowNode for self |
-| test.py:14:18:14:21 | SSA variable self | test.py:15:9:15:16 | SSA variable self |
 | test.py:17:5:17:21 | ControlFlowNode for FunctionExpr | test.py:17:9:17:14 | SSA variable getObj |
 | test.py:17:16:17:19 | SSA variable self | test.py:18:16:18:19 | ControlFlowNode for self |
 | test.py:21:1:21:19 | ControlFlowNode for FunctionExpr | test.py:21:5:21:10 | GSSA Variable setFoo |
 | test.py:21:1:21:19 | GSSA Variable SINK_F | test.py:22:5:22:10 | ControlFlowNode for SINK_F |
 | test.py:21:12:21:14 | SSA variable obj | test.py:22:12:22:14 | ControlFlowNode for obj |
-| test.py:21:12:21:14 | SSA variable obj | test.py:23:5:23:11 | SSA variable obj |
 | test.py:21:17:21:17 | SSA variable x | test.py:23:15:23:15 | ControlFlowNode for x |
 | test.py:22:12:22:14 | ControlFlowNode for obj | test.py:23:5:23:7 | ControlFlowNode for obj |
 | test.py:22:12:22:14 | [post read] ControlFlowNode for obj | test.py:23:5:23:7 | ControlFlowNode for obj |
@@ -108,7 +76,6 @@
 | test.py:26:1:26:20 | GSSA Variable SINK | test.py:30:5:30:8 | ControlFlowNode for SINK |
 | test.py:26:1:26:20 | GSSA Variable SOURCE | test.py:29:19:29:24 | ControlFlowNode for SOURCE |
 | test.py:26:1:26:20 | GSSA Variable setFoo | test.py:29:5:29:10 | ControlFlowNode for setFoo |
-| test.py:27:5:27:9 | SSA variable myobj | test.py:29:5:29:25 | SSA variable myobj |
 | test.py:27:5:27:9 | SSA variable myobj | test.py:29:12:29:16 | ControlFlowNode for myobj |
 | test.py:27:13:27:23 | ControlFlowNode for MyObj() | test.py:27:5:27:9 | SSA variable myobj |
 | test.py:29:12:29:16 | ControlFlowNode for myobj | test.py:30:10:30:14 | ControlFlowNode for myobj |
@@ -120,7 +87,6 @@
 | test.py:34:5:34:5 | SSA variable x | test.py:38:17:38:17 | ControlFlowNode for x |
 | test.py:34:9:34:14 | ControlFlowNode for SOURCE | test.py:34:5:34:5 | SSA variable x |
 | test.py:36:5:36:5 | SSA variable a | test.py:38:5:38:5 | ControlFlowNode for a |
-| test.py:36:5:36:5 | SSA variable a | test.py:39:5:39:14 | SSA variable a |
 | test.py:36:9:36:19 | ControlFlowNode for NestedObj() | test.py:36:5:36:5 | SSA variable a |
 | test.py:38:5:38:5 | ControlFlowNode for a | test.py:39:5:39:5 | ControlFlowNode for a |
 | test.py:38:5:38:5 | [post read] ControlFlowNode for a | test.py:39:5:39:5 | ControlFlowNode for a |
@@ -135,7 +101,6 @@
 | test.py:45:11:45:23 | ControlFlowNode for MyObj() | test.py:45:5:45:7 | SSA variable obj |
 | test.py:49:1:49:30 | ControlFlowNode for FunctionExpr | test.py:49:5:49:26 | GSSA Variable fields_with_local_flow |
 | test.py:49:1:49:30 | GSSA Variable MyObj | test.py:50:11:50:15 | ControlFlowNode for MyObj |
-| test.py:49:28:49:28 | SSA variable x | test.py:50:11:50:18 | SSA variable x |
 | test.py:49:28:49:28 | SSA variable x | test.py:50:17:50:17 | ControlFlowNode for x |
 | test.py:50:5:50:7 | SSA variable obj | test.py:51:9:51:11 | ControlFlowNode for obj |
 | test.py:50:11:50:18 | ControlFlowNode for MyObj() | test.py:50:5:50:7 | SSA variable obj |
--- a/python/ql/test/experimental/dataflow/fieldflow/globalStep.expected
+++ b/python/ql/test/experimental/dataflow/fieldflow/globalStep.expected
@@ -1,5 +1,3 @@
-| examples.py:0:0:0:0 | GSSA Variable SINK | examples.py:1:1:1:66 | GSSA Variable SINK |
-| examples.py:0:0:0:0 | GSSA Variable SINK | examples.py:1:1:1:66 | GSSA Variable SINK |
 | examples.py:0:0:0:0 | GSSA Variable SINK | examples.py:28:1:28:4 | ControlFlowNode for SINK |
 | examples.py:0:0:0:0 | GSSA Variable SINK | examples.py:28:1:28:4 | ControlFlowNode for SINK |
 | examples.py:0:0:0:0 | GSSA Variable SINK | examples.py:38:1:38:4 | ControlFlowNode for SINK |
@@ -8,10 +6,6 @@
 | examples.py:0:0:0:0 | GSSA Variable SINK | examples.py:42:1:42:4 | ControlFlowNode for SINK |
 | examples.py:0:0:0:0 | GSSA Variable SINK | examples.py:50:1:50:4 | ControlFlowNode for SINK |
 | examples.py:0:0:0:0 | GSSA Variable SINK | examples.py:50:1:50:4 | ControlFlowNode for SINK |
-| examples.py:0:0:0:0 | GSSA Variable SINK_F | examples.py:1:1:1:66 | GSSA Variable SINK_F |
-| examples.py:0:0:0:0 | GSSA Variable SINK_F | examples.py:1:1:1:66 | GSSA Variable SINK_F |
-| examples.py:0:0:0:0 | GSSA Variable SOURCE | examples.py:1:1:1:66 | GSSA Variable SOURCE |
-| examples.py:0:0:0:0 | GSSA Variable SOURCE | examples.py:1:1:1:66 | GSSA Variable SOURCE |
 | examples.py:0:0:0:0 | GSSA Variable SOURCE | examples.py:27:15:27:20 | ControlFlowNode for SOURCE |
 | examples.py:0:0:0:0 | GSSA Variable SOURCE | examples.py:27:15:27:20 | ControlFlowNode for SOURCE |
 | examples.py:0:0:0:0 | GSSA Variable SOURCE | examples.py:31:1:31:1 | GSSA Variable x |
@@ -22,48 +16,20 @@
 | examples.py:0:0:0:0 | GSSA Variable SOURCE | examples.py:35:13:35:13 | ControlFlowNode for x |
 | examples.py:0:0:0:0 | GSSA Variable SOURCE | examples.py:36:18:36:18 | ControlFlowNode for x |
 | examples.py:0:0:0:0 | GSSA Variable SOURCE | examples.py:36:18:36:18 | ControlFlowNode for x |
-| examples.py:0:0:0:0 | GSSA Variable SOURCE | examples.py:41:7:41:19 | GSSA Variable SOURCE |
-| examples.py:0:0:0:0 | GSSA Variable SOURCE | examples.py:41:7:41:19 | GSSA Variable SOURCE |
 | examples.py:0:0:0:0 | GSSA Variable SOURCE | examples.py:41:13:41:18 | ControlFlowNode for SOURCE |
 | examples.py:0:0:0:0 | GSSA Variable SOURCE | examples.py:41:13:41:18 | ControlFlowNode for SOURCE |
-| examples.py:0:0:0:0 | GSSA Variable SOURCE | examples.py:50:6:50:35 | GSSA Variable SOURCE |
-| examples.py:0:0:0:0 | GSSA Variable SOURCE | examples.py:50:6:50:35 | GSSA Variable SOURCE |
 | examples.py:0:0:0:0 | GSSA Variable SOURCE | examples.py:50:29:50:34 | ControlFlowNode for SOURCE |
 | examples.py:0:0:0:0 | GSSA Variable SOURCE | examples.py:50:29:50:34 | ControlFlowNode for SOURCE |
-| examples.py:0:0:0:0 | GSSA Variable __name__ | examples.py:1:1:1:66 | GSSA Variable __name__ |
-| examples.py:0:0:0:0 | GSSA Variable __name__ | examples.py:1:1:1:66 | GSSA Variable __name__ |
-| examples.py:0:0:0:0 | GSSA Variable __package__ | examples.py:1:1:1:66 | GSSA Variable __package__ |
-| examples.py:0:0:0:0 | GSSA Variable __package__ | examples.py:1:1:1:66 | GSSA Variable __package__ |
-| examples.py:0:0:0:0 | GSSA Variable a | examples.py:1:1:1:66 | GSSA Variable a |
-| examples.py:0:0:0:0 | GSSA Variable a | examples.py:1:1:1:66 | GSSA Variable a |
-| examples.py:0:0:0:0 | GSSA Variable fields_with_local_flow | examples.py:1:1:1:66 | GSSA Variable fields_with_local_flow |
-| examples.py:0:0:0:0 | GSSA Variable fields_with_local_flow | examples.py:1:1:1:66 | GSSA Variable fields_with_local_flow |
-| examples.py:0:0:0:0 | GSSA Variable myobj | examples.py:1:1:1:66 | GSSA Variable myobj |
-| examples.py:0:0:0:0 | GSSA Variable myobj | examples.py:1:1:1:66 | GSSA Variable myobj |
-| examples.py:0:0:0:0 | GSSA Variable obj | examples.py:1:1:1:66 | GSSA Variable obj |
-| examples.py:0:0:0:0 | GSSA Variable obj | examples.py:1:1:1:66 | GSSA Variable obj |
-| examples.py:0:0:0:0 | GSSA Variable object | examples.py:1:1:1:66 | GSSA Variable object |
-| examples.py:0:0:0:0 | GSSA Variable object | examples.py:1:1:1:66 | GSSA Variable object |
 | examples.py:0:0:0:0 | GSSA Variable object | examples.py:5:13:5:18 | ControlFlowNode for object |
 | examples.py:0:0:0:0 | GSSA Variable object | examples.py:5:13:5:18 | ControlFlowNode for object |
 | examples.py:0:0:0:0 | GSSA Variable object | examples.py:11:17:11:22 | ControlFlowNode for object |
 | examples.py:0:0:0:0 | GSSA Variable object | examples.py:11:17:11:22 | ControlFlowNode for object |
-| examples.py:0:0:0:0 | GSSA Variable x | examples.py:1:1:1:66 | GSSA Variable x |
-| examples.py:0:0:0:0 | GSSA Variable x | examples.py:1:1:1:66 | GSSA Variable x |
 | examples.py:0:0:0:0 | ModuleVariableNode for Global Variable MyObj in Module examples | examples.py:14:20:14:24 | ControlFlowNode for MyObj |
 | examples.py:0:0:0:0 | ModuleVariableNode for Global Variable MyObj in Module examples | examples.py:14:20:14:24 | ControlFlowNode for MyObj |
 | examples.py:0:0:0:0 | ModuleVariableNode for Global Variable MyObj in Module examples | examples.py:46:9:46:13 | ControlFlowNode for MyObj |
 | examples.py:0:0:0:0 | ModuleVariableNode for Global Variable MyObj in Module examples | examples.py:46:9:46:13 | ControlFlowNode for MyObj |
 | examples.py:0:0:0:0 | ModuleVariableNode for Global Variable SINK_F in Module examples | examples.py:22:5:22:10 | ControlFlowNode for SINK_F |
 | examples.py:0:0:0:0 | ModuleVariableNode for Global Variable SINK_F in Module examples | examples.py:22:5:22:10 | ControlFlowNode for SINK_F |
-| examples.py:0:0:0:0 | SSA variable $ | examples.py:1:1:1:66 | SSA variable $ |
-| examples.py:0:0:0:0 | SSA variable $ | examples.py:1:1:1:66 | SSA variable $ |
-| examples.py:0:0:0:0 | SSA variable * | examples.py:1:1:1:66 | SSA variable * |
-| examples.py:0:0:0:0 | SSA variable * | examples.py:1:1:1:66 | SSA variable * |
-| examples.py:1:1:1:66 | GSSA Variable SOURCE | examples.py:41:7:41:19 | GSSA Variable SOURCE |
-| examples.py:1:1:1:66 | GSSA Variable SOURCE | examples.py:41:7:41:19 | GSSA Variable SOURCE |
-| examples.py:1:1:1:66 | GSSA Variable SOURCE | examples.py:50:6:50:35 | GSSA Variable SOURCE |
-| examples.py:1:1:1:66 | GSSA Variable SOURCE | examples.py:50:6:50:35 | GSSA Variable SOURCE |
 | examples.py:5:1:5:20 | ControlFlowNode for ClassExpr | examples.py:5:7:5:11 | GSSA Variable MyObj |
 | examples.py:5:1:5:20 | ControlFlowNode for ClassExpr | examples.py:5:7:5:11 | GSSA Variable MyObj |
 | examples.py:5:1:5:20 | ControlFlowNode for ClassExpr | examples.py:25:9:25:13 | ControlFlowNode for MyObj |
@@ -84,10 +50,6 @@
 | examples.py:7:18:7:21 | SSA variable self | examples.py:8:9:8:12 | ControlFlowNode for self |
 | examples.py:7:18:7:21 | SSA variable self | examples.py:8:9:8:12 | ControlFlowNode for self |
 | examples.py:7:18:7:21 | SSA variable self | examples.py:8:9:8:12 | ControlFlowNode for self |
-| examples.py:7:18:7:21 | SSA variable self | examples.py:8:9:8:16 | SSA variable self |
-| examples.py:7:18:7:21 | SSA variable self | examples.py:8:9:8:16 | SSA variable self |
-| examples.py:7:18:7:21 | SSA variable self | examples.py:8:9:8:16 | SSA variable self |
-| examples.py:7:18:7:21 | SSA variable self | examples.py:8:9:8:16 | SSA variable self |
 | examples.py:7:24:7:26 | SSA variable foo | examples.py:8:20:8:22 | ControlFlowNode for foo |
 | examples.py:7:24:7:26 | SSA variable foo | examples.py:8:20:8:22 | ControlFlowNode for foo |
 | examples.py:7:24:7:26 | SSA variable foo | examples.py:8:20:8:22 | ControlFlowNode for foo |
@@ -120,10 +82,6 @@
 | examples.py:13:18:13:21 | SSA variable self | examples.py:14:9:14:12 | ControlFlowNode for self |
 | examples.py:13:18:13:21 | SSA variable self | examples.py:14:9:14:12 | ControlFlowNode for self |
 | examples.py:13:18:13:21 | SSA variable self | examples.py:14:9:14:12 | ControlFlowNode for self |
-| examples.py:13:18:13:21 | SSA variable self | examples.py:14:9:14:16 | SSA variable self |
-| examples.py:13:18:13:21 | SSA variable self | examples.py:14:9:14:16 | SSA variable self |
-| examples.py:13:18:13:21 | SSA variable self | examples.py:14:9:14:16 | SSA variable self |
-| examples.py:13:18:13:21 | SSA variable self | examples.py:14:9:14:16 | SSA variable self |
 | examples.py:14:9:14:12 | [post store] ControlFlowNode for self | examples.py:33:5:33:15 | ControlFlowNode for NestedObj() |
 | examples.py:14:9:14:12 | [post store] ControlFlowNode for self | examples.py:33:5:33:15 | ControlFlowNode for NestedObj() |
 | examples.py:14:9:14:12 | [post store] ControlFlowNode for self [Attribute obj, Attribute foo] | examples.py:33:5:33:15 | ControlFlowNode for NestedObj() [Attribute obj, Attribute foo] |
@@ -155,10 +113,6 @@
 | examples.py:21:12:21:14 | SSA variable obj | examples.py:23:5:23:7 | ControlFlowNode for obj |
 | examples.py:21:12:21:14 | SSA variable obj | examples.py:23:5:23:7 | ControlFlowNode for obj |
 | examples.py:21:12:21:14 | SSA variable obj | examples.py:23:5:23:7 | ControlFlowNode for obj |
-| examples.py:21:12:21:14 | SSA variable obj | examples.py:23:5:23:11 | SSA variable obj |
-| examples.py:21:12:21:14 | SSA variable obj | examples.py:23:5:23:11 | SSA variable obj |
-| examples.py:21:12:21:14 | SSA variable obj | examples.py:23:5:23:11 | SSA variable obj |
-| examples.py:21:12:21:14 | SSA variable obj | examples.py:23:5:23:11 | SSA variable obj |
 | examples.py:21:12:21:14 | SSA variable obj [Attribute foo] | examples.py:22:12:22:14 | ControlFlowNode for obj [Attribute foo] |
 | examples.py:21:17:21:17 | SSA variable x | examples.py:23:15:23:15 | ControlFlowNode for x |
 | examples.py:21:17:21:17 | SSA variable x | examples.py:23:15:23:15 | ControlFlowNode for x |
@@ -179,8 +133,6 @@
 | examples.py:23:5:23:7 | [post store] ControlFlowNode for obj [Attribute foo] | examples.py:27:8:27:12 | [post arg] ControlFlowNode for myobj [Attribute foo] |
 | examples.py:23:15:23:15 | ControlFlowNode for x | examples.py:23:5:23:7 | [post store] ControlFlowNode for obj [Attribute foo] |
 | examples.py:23:15:23:15 | ControlFlowNode for x | examples.py:23:5:23:7 | [post store] ControlFlowNode for obj [Attribute foo] |
-| examples.py:25:1:25:5 | GSSA Variable myobj | examples.py:27:1:27:21 | GSSA Variable myobj |
-| examples.py:25:1:25:5 | GSSA Variable myobj | examples.py:27:1:27:21 | GSSA Variable myobj |
 | examples.py:25:1:25:5 | GSSA Variable myobj | examples.py:27:8:27:12 | ControlFlowNode for myobj |
 | examples.py:25:1:25:5 | GSSA Variable myobj | examples.py:27:8:27:12 | ControlFlowNode for myobj |
 | examples.py:25:1:25:5 | GSSA Variable myobj | examples.py:28:6:28:10 | ControlFlowNode for myobj |
@@ -191,8 +143,6 @@
 | examples.py:25:9:25:13 | ControlFlowNode for MyObj | examples.py:41:7:41:11 | ControlFlowNode for MyObj |
 | examples.py:25:9:25:19 | ControlFlowNode for MyObj() | examples.py:25:1:25:5 | GSSA Variable myobj |
 | examples.py:25:9:25:19 | ControlFlowNode for MyObj() | examples.py:25:1:25:5 | GSSA Variable myobj |
-| examples.py:25:9:25:19 | ControlFlowNode for MyObj() | examples.py:27:1:27:21 | GSSA Variable myobj |
-| examples.py:25:9:25:19 | ControlFlowNode for MyObj() | examples.py:27:1:27:21 | GSSA Variable myobj |
 | examples.py:25:9:25:19 | ControlFlowNode for MyObj() | examples.py:27:8:27:12 | ControlFlowNode for myobj |
 | examples.py:25:9:25:19 | ControlFlowNode for MyObj() | examples.py:27:8:27:12 | ControlFlowNode for myobj |
 | examples.py:25:9:25:19 | ControlFlowNode for MyObj() | examples.py:28:6:28:10 | ControlFlowNode for myobj |
@@ -267,8 +217,6 @@
 | examples.py:33:1:33:1 | GSSA Variable a | examples.py:35:1:35:1 | ControlFlowNode for a |
 | examples.py:33:1:33:1 | GSSA Variable a | examples.py:36:1:36:1 | ControlFlowNode for a |
 | examples.py:33:1:33:1 | GSSA Variable a | examples.py:36:1:36:1 | ControlFlowNode for a |
-| examples.py:33:1:33:1 | GSSA Variable a | examples.py:36:1:36:10 | GSSA Variable a |
-| examples.py:33:1:33:1 | GSSA Variable a | examples.py:36:1:36:10 | GSSA Variable a |
 | examples.py:33:1:33:1 | GSSA Variable a | examples.py:38:6:38:6 | ControlFlowNode for a |
 | examples.py:33:1:33:1 | GSSA Variable a | examples.py:38:6:38:6 | ControlFlowNode for a |
 | examples.py:33:1:33:1 | GSSA Variable a [Attribute obj, Attribute foo] | examples.py:35:1:35:1 | ControlFlowNode for a [Attribute obj, Attribute foo] |
@@ -283,8 +231,6 @@
 | examples.py:33:5:33:15 | ControlFlowNode for NestedObj() | examples.py:35:1:35:1 | ControlFlowNode for a |
 | examples.py:33:5:33:15 | ControlFlowNode for NestedObj() | examples.py:36:1:36:1 | ControlFlowNode for a |
 | examples.py:33:5:33:15 | ControlFlowNode for NestedObj() | examples.py:36:1:36:1 | ControlFlowNode for a |
-| examples.py:33:5:33:15 | ControlFlowNode for NestedObj() | examples.py:36:1:36:10 | GSSA Variable a |
-| examples.py:33:5:33:15 | ControlFlowNode for NestedObj() | examples.py:36:1:36:10 | GSSA Variable a |
 | examples.py:33:5:33:15 | ControlFlowNode for NestedObj() | examples.py:38:6:38:6 | ControlFlowNode for a |
 | examples.py:33:5:33:15 | ControlFlowNode for NestedObj() | examples.py:38:6:38:6 | ControlFlowNode for a |
 | examples.py:33:5:33:15 | ControlFlowNode for NestedObj() [Attribute obj, Attribute foo] | examples.py:33:1:33:1 | GSSA Variable a [Attribute obj, Attribute foo] |
@@ -344,8 +290,6 @@
 | examples.py:41:7:41:19 | ControlFlowNode for MyObj() | examples.py:42:6:42:8 | ControlFlowNode for obj |
 | examples.py:41:7:41:19 | ControlFlowNode for MyObj() [Attribute foo] | examples.py:41:1:41:3 | GSSA Variable obj [Attribute foo] |
 | examples.py:41:7:41:19 | ControlFlowNode for MyObj() [Attribute foo] | examples.py:42:6:42:8 | ControlFlowNode for obj [Attribute foo] |
-| examples.py:41:7:41:19 | GSSA Variable SOURCE | examples.py:50:6:50:35 | GSSA Variable SOURCE |
-| examples.py:41:7:41:19 | GSSA Variable SOURCE | examples.py:50:6:50:35 | GSSA Variable SOURCE |
 | examples.py:41:7:41:19 | [pre objCreate] ControlFlowNode for MyObj() | examples.py:7:18:7:21 | SSA variable self |
 | examples.py:41:7:41:19 | [pre objCreate] ControlFlowNode for MyObj() | examples.py:7:18:7:21 | SSA variable self |
 | examples.py:41:13:41:18 | ControlFlowNode for SOURCE | examples.py:7:24:7:26 | SSA variable foo |
@@ -367,10 +311,6 @@
 | examples.py:45:1:45:30 | GSSA Variable MyObj | examples.py:46:9:46:13 | ControlFlowNode for MyObj |
 | examples.py:45:5:45:26 | GSSA Variable fields_with_local_flow | examples.py:50:6:50:27 | ControlFlowNode for fields_with_local_flow |
 | examples.py:45:5:45:26 | GSSA Variable fields_with_local_flow | examples.py:50:6:50:27 | ControlFlowNode for fields_with_local_flow |
-| examples.py:45:28:45:28 | SSA variable x | examples.py:46:9:46:16 | SSA variable x |
-| examples.py:45:28:45:28 | SSA variable x | examples.py:46:9:46:16 | SSA variable x |
-| examples.py:45:28:45:28 | SSA variable x | examples.py:46:9:46:16 | SSA variable x |
-| examples.py:45:28:45:28 | SSA variable x | examples.py:46:9:46:16 | SSA variable x |
 | examples.py:45:28:45:28 | SSA variable x | examples.py:46:15:46:15 | ControlFlowNode for x |
 | examples.py:45:28:45:28 | SSA variable x | examples.py:46:15:46:15 | ControlFlowNode for x |
 | examples.py:45:28:45:28 | SSA variable x | examples.py:46:15:46:15 | ControlFlowNode for x |
@@ -419,18 +359,6 @@
 | examples.py:50:29:50:34 | ControlFlowNode for SOURCE | examples.py:45:28:45:28 | SSA variable x |
 | examples.py:50:29:50:34 | ControlFlowNode for SOURCE | examples.py:50:6:50:35 | ControlFlowNode for fields_with_local_flow() |
 | examples.py:50:29:50:34 | ControlFlowNode for SOURCE | examples.py:50:6:50:35 | ControlFlowNode for fields_with_local_flow() |
-| test.py:0:0:0:0 | GSSA Variable SINK | test.py:1:1:1:66 | GSSA Variable SINK |
-| test.py:0:0:0:0 | GSSA Variable SINK | test.py:1:1:1:66 | GSSA Variable SINK |
-| test.py:0:0:0:0 | GSSA Variable SINK_F | test.py:1:1:1:66 | GSSA Variable SINK_F |
-| test.py:0:0:0:0 | GSSA Variable SINK_F | test.py:1:1:1:66 | GSSA Variable SINK_F |
-| test.py:0:0:0:0 | GSSA Variable SOURCE | test.py:1:1:1:66 | GSSA Variable SOURCE |
-| test.py:0:0:0:0 | GSSA Variable SOURCE | test.py:1:1:1:66 | GSSA Variable SOURCE |
-| test.py:0:0:0:0 | GSSA Variable __name__ | test.py:1:1:1:66 | GSSA Variable __name__ |
-| test.py:0:0:0:0 | GSSA Variable __name__ | test.py:1:1:1:66 | GSSA Variable __name__ |
-| test.py:0:0:0:0 | GSSA Variable __package__ | test.py:1:1:1:66 | GSSA Variable __package__ |
-| test.py:0:0:0:0 | GSSA Variable __package__ | test.py:1:1:1:66 | GSSA Variable __package__ |
-| test.py:0:0:0:0 | GSSA Variable object | test.py:1:1:1:66 | GSSA Variable object |
-| test.py:0:0:0:0 | GSSA Variable object | test.py:1:1:1:66 | GSSA Variable object |
 | test.py:0:0:0:0 | GSSA Variable object | test.py:6:13:6:18 | ControlFlowNode for object |
 | test.py:0:0:0:0 | GSSA Variable object | test.py:6:13:6:18 | ControlFlowNode for object |
 | test.py:0:0:0:0 | GSSA Variable object | test.py:12:17:12:22 | ControlFlowNode for object |
@@ -467,10 +395,6 @@
 | test.py:0:0:0:0 | ModuleVariableNode for Global Variable fields_with_local_flow in Module test | test.py:56:10:56:31 | ControlFlowNode for fields_with_local_flow |
 | test.py:0:0:0:0 | ModuleVariableNode for Global Variable setFoo in Module test | test.py:29:5:29:10 | ControlFlowNode for setFoo |
 | test.py:0:0:0:0 | ModuleVariableNode for Global Variable setFoo in Module test | test.py:29:5:29:10 | ControlFlowNode for setFoo |
-| test.py:0:0:0:0 | SSA variable $ | test.py:1:1:1:66 | SSA variable $ |
-| test.py:0:0:0:0 | SSA variable $ | test.py:1:1:1:66 | SSA variable $ |
-| test.py:0:0:0:0 | SSA variable * | test.py:1:1:1:66 | SSA variable * |
-| test.py:0:0:0:0 | SSA variable * | test.py:1:1:1:66 | SSA variable * |
 | test.py:6:1:6:20 | ControlFlowNode for ClassExpr | test.py:6:7:6:11 | GSSA Variable MyObj |
 | test.py:6:1:6:20 | ControlFlowNode for ClassExpr | test.py:6:7:6:11 | GSSA Variable MyObj |
 | test.py:6:7:6:11 | GSSA Variable MyObj | test.py:0:0:0:0 | ModuleVariableNode for Global Variable MyObj in Module test |
@@ -483,10 +407,6 @@
 | test.py:8:18:8:21 | SSA variable self | test.py:9:9:9:12 | ControlFlowNode for self |
 | test.py:8:18:8:21 | SSA variable self | test.py:9:9:9:12 | ControlFlowNode for self |
 | test.py:8:18:8:21 | SSA variable self | test.py:9:9:9:12 | ControlFlowNode for self |
-| test.py:8:18:8:21 | SSA variable self | test.py:9:9:9:16 | SSA variable self |
-| test.py:8:18:8:21 | SSA variable self | test.py:9:9:9:16 | SSA variable self |
-| test.py:8:18:8:21 | SSA variable self | test.py:9:9:9:16 | SSA variable self |
-| test.py:8:18:8:21 | SSA variable self | test.py:9:9:9:16 | SSA variable self |
 | test.py:8:24:8:26 | SSA variable foo | test.py:9:20:9:22 | ControlFlowNode for foo |
 | test.py:8:24:8:26 | SSA variable foo | test.py:9:20:9:22 | ControlFlowNode for foo |
 | test.py:8:24:8:26 | SSA variable foo | test.py:9:20:9:22 | ControlFlowNode for foo |
@@ -517,10 +437,6 @@
 | test.py:14:18:14:21 | SSA variable self | test.py:15:9:15:12 | ControlFlowNode for self |
 | test.py:14:18:14:21 | SSA variable self | test.py:15:9:15:12 | ControlFlowNode for self |
 | test.py:14:18:14:21 | SSA variable self | test.py:15:9:15:12 | ControlFlowNode for self |
-| test.py:14:18:14:21 | SSA variable self | test.py:15:9:15:16 | SSA variable self |
-| test.py:14:18:14:21 | SSA variable self | test.py:15:9:15:16 | SSA variable self |
-| test.py:14:18:14:21 | SSA variable self | test.py:15:9:15:16 | SSA variable self |
-| test.py:14:18:14:21 | SSA variable self | test.py:15:9:15:16 | SSA variable self |
 | test.py:15:9:15:12 | [post store] ControlFlowNode for self | test.py:36:9:36:19 | ControlFlowNode for NestedObj() |
 | test.py:15:9:15:12 | [post store] ControlFlowNode for self | test.py:36:9:36:19 | ControlFlowNode for NestedObj() |
 | test.py:15:9:15:12 | [post store] ControlFlowNode for self [Attribute obj, Attribute foo] | test.py:36:9:36:19 | ControlFlowNode for NestedObj() [Attribute obj, Attribute foo] |
@@ -550,10 +466,6 @@
 | test.py:21:12:21:14 | SSA variable obj | test.py:23:5:23:7 | ControlFlowNode for obj |
 | test.py:21:12:21:14 | SSA variable obj | test.py:23:5:23:7 | ControlFlowNode for obj |
 | test.py:21:12:21:14 | SSA variable obj | test.py:23:5:23:7 | ControlFlowNode for obj |
-| test.py:21:12:21:14 | SSA variable obj | test.py:23:5:23:11 | SSA variable obj |
-| test.py:21:12:21:14 | SSA variable obj | test.py:23:5:23:11 | SSA variable obj |
-| test.py:21:12:21:14 | SSA variable obj | test.py:23:5:23:11 | SSA variable obj |
-| test.py:21:12:21:14 | SSA variable obj | test.py:23:5:23:11 | SSA variable obj |
 | test.py:21:12:21:14 | SSA variable obj [Attribute foo] | test.py:22:12:22:14 | ControlFlowNode for obj [Attribute foo] |
 | test.py:21:17:21:17 | SSA variable x | test.py:23:15:23:15 | ControlFlowNode for x |
 | test.py:21:17:21:17 | SSA variable x | test.py:23:15:23:15 | ControlFlowNode for x |
@@ -584,8 +496,6 @@
 | test.py:26:1:26:20 | GSSA Variable SOURCE | test.py:29:19:29:24 | ControlFlowNode for SOURCE |
 | test.py:26:1:26:20 | GSSA Variable setFoo | test.py:29:5:29:10 | ControlFlowNode for setFoo |
 | test.py:26:1:26:20 | GSSA Variable setFoo | test.py:29:5:29:10 | ControlFlowNode for setFoo |
-| test.py:27:5:27:9 | SSA variable myobj | test.py:29:5:29:25 | SSA variable myobj |
-| test.py:27:5:27:9 | SSA variable myobj | test.py:29:5:29:25 | SSA variable myobj |
 | test.py:27:5:27:9 | SSA variable myobj | test.py:29:12:29:16 | ControlFlowNode for myobj |
 | test.py:27:5:27:9 | SSA variable myobj | test.py:29:12:29:16 | ControlFlowNode for myobj |
 | test.py:27:5:27:9 | SSA variable myobj | test.py:30:10:30:14 | ControlFlowNode for myobj |
@@ -594,8 +504,6 @@
 | test.py:27:5:27:9 | SSA variable myobj [Attribute foo] | test.py:30:10:30:14 | ControlFlowNode for myobj [Attribute foo] |
 | test.py:27:13:27:23 | ControlFlowNode for MyObj() | test.py:27:5:27:9 | SSA variable myobj |
 | test.py:27:13:27:23 | ControlFlowNode for MyObj() | test.py:27:5:27:9 | SSA variable myobj |
-| test.py:27:13:27:23 | ControlFlowNode for MyObj() | test.py:29:5:29:25 | SSA variable myobj |
-| test.py:27:13:27:23 | ControlFlowNode for MyObj() | test.py:29:5:29:25 | SSA variable myobj |
 | test.py:27:13:27:23 | ControlFlowNode for MyObj() | test.py:29:12:29:16 | ControlFlowNode for myobj |
 | test.py:27:13:27:23 | ControlFlowNode for MyObj() | test.py:29:12:29:16 | ControlFlowNode for myobj |
 | test.py:27:13:27:23 | ControlFlowNode for MyObj() | test.py:30:10:30:14 | ControlFlowNode for myobj |
@@ -650,8 +558,6 @@
 | test.py:36:5:36:5 | SSA variable a | test.py:38:5:38:5 | ControlFlowNode for a |
 | test.py:36:5:36:5 | SSA variable a | test.py:39:5:39:5 | ControlFlowNode for a |
 | test.py:36:5:36:5 | SSA variable a | test.py:39:5:39:5 | ControlFlowNode for a |
-| test.py:36:5:36:5 | SSA variable a | test.py:39:5:39:14 | SSA variable a |
-| test.py:36:5:36:5 | SSA variable a | test.py:39:5:39:14 | SSA variable a |
 | test.py:36:5:36:5 | SSA variable a | test.py:41:10:41:10 | ControlFlowNode for a |
 | test.py:36:5:36:5 | SSA variable a | test.py:41:10:41:10 | ControlFlowNode for a |
 | test.py:36:5:36:5 | SSA variable a [Attribute obj, Attribute foo] | test.py:38:5:38:5 | ControlFlowNode for a [Attribute obj, Attribute foo] |
@@ -666,8 +572,6 @@
 | test.py:36:9:36:19 | ControlFlowNode for NestedObj() | test.py:38:5:38:5 | ControlFlowNode for a |
 | test.py:36:9:36:19 | ControlFlowNode for NestedObj() | test.py:39:5:39:5 | ControlFlowNode for a |
 | test.py:36:9:36:19 | ControlFlowNode for NestedObj() | test.py:39:5:39:5 | ControlFlowNode for a |
-| test.py:36:9:36:19 | ControlFlowNode for NestedObj() | test.py:39:5:39:14 | SSA variable a |
-| test.py:36:9:36:19 | ControlFlowNode for NestedObj() | test.py:39:5:39:14 | SSA variable a |
 | test.py:36:9:36:19 | ControlFlowNode for NestedObj() | test.py:41:10:41:10 | ControlFlowNode for a |
 | test.py:36:9:36:19 | ControlFlowNode for NestedObj() | test.py:41:10:41:10 | ControlFlowNode for a |
 | test.py:36:9:36:19 | ControlFlowNode for NestedObj() [Attribute obj, Attribute foo] | test.py:36:5:36:5 | SSA variable a [Attribute obj, Attribute foo] |
@@ -744,10 +648,6 @@
 | test.py:49:1:49:30 | GSSA Variable MyObj | test.py:50:11:50:15 | ControlFlowNode for MyObj |
 | test.py:49:5:49:26 | GSSA Variable fields_with_local_flow | test.py:0:0:0:0 | ModuleVariableNode for Global Variable fields_with_local_flow in Module test |
 | test.py:49:5:49:26 | GSSA Variable fields_with_local_flow | test.py:0:0:0:0 | ModuleVariableNode for Global Variable fields_with_local_flow in Module test |
-| test.py:49:28:49:28 | SSA variable x | test.py:50:11:50:18 | SSA variable x |
-| test.py:49:28:49:28 | SSA variable x | test.py:50:11:50:18 | SSA variable x |
-| test.py:49:28:49:28 | SSA variable x | test.py:50:11:50:18 | SSA variable x |
-| test.py:49:28:49:28 | SSA variable x | test.py:50:11:50:18 | SSA variable x |
 | test.py:49:28:49:28 | SSA variable x | test.py:50:17:50:17 | ControlFlowNode for x |
 | test.py:49:28:49:28 | SSA variable x | test.py:50:17:50:17 | ControlFlowNode for x |
 | test.py:49:28:49:28 | SSA variable x | test.py:50:17:50:17 | ControlFlowNode for x |
--- a/python/ql/test/experimental/dataflow/fieldflow/localFlow.expected
+++ b/python/ql/test/experimental/dataflow/fieldflow/localFlow.expected
@@ -1,12 +1,10 @@
 | examples.py:45:1:45:30 | GSSA Variable MyObj | examples.py:46:9:46:13 | ControlFlowNode for MyObj |
-| examples.py:45:28:45:28 | SSA variable x | examples.py:46:9:46:16 | SSA variable x |
 | examples.py:45:28:45:28 | SSA variable x | examples.py:46:15:46:15 | ControlFlowNode for x |
 | examples.py:46:3:46:5 | SSA variable obj | examples.py:47:7:47:9 | ControlFlowNode for obj |
 | examples.py:46:9:46:16 | ControlFlowNode for MyObj() | examples.py:46:3:46:5 | SSA variable obj |
 | examples.py:47:3:47:3 | SSA variable a | examples.py:48:10:48:10 | ControlFlowNode for a |
 | examples.py:47:7:47:13 | ControlFlowNode for Attribute | examples.py:47:3:47:3 | SSA variable a |
 | test.py:49:1:49:30 | GSSA Variable MyObj | test.py:50:11:50:15 | ControlFlowNode for MyObj |
-| test.py:49:28:49:28 | SSA variable x | test.py:50:11:50:18 | SSA variable x |
 | test.py:49:28:49:28 | SSA variable x | test.py:50:17:50:17 | ControlFlowNode for x |
 | test.py:50:5:50:7 | SSA variable obj | test.py:51:9:51:11 | ControlFlowNode for obj |
 | test.py:50:11:50:18 | ControlFlowNode for MyObj() | test.py:50:5:50:7 | SSA variable obj |
--- a/python/ql/test/experimental/dataflow/tainttracking/basic/LocalTaintStep.expected
+++ b/python/ql/test/experimental/dataflow/tainttracking/basic/LocalTaintStep.expected
@@ -1,7 +1,5 @@
-| test.py:3:1:3:7 | GSSA Variable tainted | test.py:4:1:4:13 | GSSA Variable tainted |
 | test.py:3:1:3:7 | GSSA Variable tainted | test.py:4:6:4:12 | ControlFlowNode for tainted |
 | test.py:3:11:3:16 | ControlFlowNode for SOURCE | test.py:3:1:3:7 | GSSA Variable tainted |
 | test.py:6:1:6:11 | ControlFlowNode for FunctionExpr | test.py:6:5:6:8 | GSSA Variable func |
-| test.py:7:5:7:16 | SSA variable also_tainted | test.py:8:5:8:22 | SSA variable also_tainted |
 | test.py:7:5:7:16 | SSA variable also_tainted | test.py:8:10:8:21 | ControlFlowNode for also_tainted |
 | test.py:7:20:7:25 | ControlFlowNode for SOURCE | test.py:7:5:7:16 | SSA variable also_tainted |
--- a/python/ql/test/experimental/library-tests/frameworks/stdlib-py2/CodeExecution.py
+++ b/python/ql/test/experimental/library-tests/frameworks/stdlib-py2/CodeExecution.py
@@ -0,0 +1,2 @@
+# exec statement is Python 2 specific
+exec "print(42)"  # $getCode="print(42)"
--- a/python/ql/test/experimental/library-tests/frameworks/stdlib-py2/ConceptsTest.expected
+++ b/python/ql/test/experimental/library-tests/frameworks/stdlib-py2/ConceptsTest.expected
--- a/python/ql/test/experimental/library-tests/frameworks/stdlib-py2/ConceptsTest.ql
+++ b/python/ql/test/experimental/library-tests/frameworks/stdlib-py2/ConceptsTest.ql
@@ -0,0 +1,2 @@
+import python
+import experimental.meta.ConceptsTest
--- a/python/ql/test/experimental/library-tests/frameworks/stdlib-py2/SystemCommandExecution.py
+++ b/python/ql/test/experimental/library-tests/frameworks/stdlib-py2/SystemCommandExecution.py
@@ -0,0 +1,36 @@
+########################################
+import os
+
+os.popen2("cmd1; cmd2")  # $getCommand="cmd1; cmd2"
+os.popen3("cmd1; cmd2")  # $getCommand="cmd1; cmd2"
+os.popen4("cmd1; cmd2")  # $getCommand="cmd1; cmd2"
+
+
+os.popen2(cmd="cmd1; cmd2")  # $getCommand="cmd1; cmd2"
+os.popen3(cmd="cmd1; cmd2")  # $getCommand="cmd1; cmd2"
+os.popen4(cmd="cmd1; cmd2")  # $getCommand="cmd1; cmd2"
+
+# os.popen does not support keyword arguments, so this is a TypeError
+os.popen(cmd="cmd1; cmd2")
+
+########################################
+import platform
+
+platform.popen("cmd1; cmd2")  # $getCommand="cmd1; cmd2"
+platform.popen(cmd="cmd1; cmd2")  # $getCommand="cmd1; cmd2"
+
+########################################
+# popen2 was deprecated in Python 2.6, but still available in Python 2.7
+import popen2
+
+popen2.popen2("cmd1; cmd2")  # $getCommand="cmd1; cmd2"
+popen2.popen3("cmd1; cmd2")  # $getCommand="cmd1; cmd2"
+popen2.popen4("cmd1; cmd2")  # $getCommand="cmd1; cmd2"
+popen2.Popen3("cmd1; cmd2")  # $getCommand="cmd1; cmd2"
+popen2.Popen4("cmd1; cmd2")  # $getCommand="cmd1; cmd2"
+
+popen2.popen2(cmd="cmd1; cmd2")  # $getCommand="cmd1; cmd2"
+popen2.popen3(cmd="cmd1; cmd2")  # $getCommand="cmd1; cmd2"
+popen2.popen4(cmd="cmd1; cmd2")  # $getCommand="cmd1; cmd2"
+popen2.Popen3(cmd="cmd1; cmd2")  # $getCommand="cmd1; cmd2"
+popen2.Popen4(cmd="cmd1; cmd2")  # $getCommand="cmd1; cmd2"
--- a/python/ql/test/experimental/library-tests/frameworks/stdlib-py2/options
+++ b/python/ql/test/experimental/library-tests/frameworks/stdlib-py2/options
@@ -0,0 +1 @@
+semmle-extractor-options: --max-import-depth=1 --lang=2
--- a/python/ql/test/experimental/library-tests/frameworks/stdlib-py3/CodeExecution.py
+++ b/python/ql/test/experimental/library-tests/frameworks/stdlib-py3/CodeExecution.py
@@ -0,0 +1,4 @@
+import builtins
+
+# exec being part of builtins is Python 3 only
+builtins.exec("print(42)")  # $getCode="print(42)"
--- a/python/ql/test/experimental/library-tests/frameworks/stdlib-py3/ConceptsTest.expected
+++ b/python/ql/test/experimental/library-tests/frameworks/stdlib-py3/ConceptsTest.expected
--- a/python/ql/test/experimental/library-tests/frameworks/stdlib-py3/ConceptsTest.ql
+++ b/python/ql/test/experimental/library-tests/frameworks/stdlib-py3/ConceptsTest.ql
@@ -0,0 +1,2 @@
+import python
+import experimental.meta.ConceptsTest
--- a/python/ql/test/experimental/library-tests/frameworks/stdlib-py3/options
+++ b/python/ql/test/experimental/library-tests/frameworks/stdlib-py3/options
@@ -0,0 +1 @@
+semmle-extractor-options: --max-import-depth=1 --lang=3
--- a/python/ql/test/experimental/library-tests/frameworks/stdlib/CodeExecution.py
+++ b/python/ql/test/experimental/library-tests/frameworks/stdlib/CodeExecution.py
@@ -0,0 +1,39 @@
+# without this, `eval("print(42)")` becomes invalid syntax in Python 2, since print is a
+# statement
+from __future__ import print_function
+
+import sys
+
+if sys.version_info[0] == 3:
+    import builtins
+if sys.version_info[0] == 2:
+    import __builtin__ as builtins
+
+exec("print(42)")  # $getCode="print(42)"
+eval("print(42)")  # $getCode="print(42)"
+
+builtins.eval("print(42)")  # $getCode="print(42)"
+
+cmd = compile("print(42)", "<filename>", "exec")
+exec(cmd)  # $getCode=cmd
+
+cmd = builtins.compile("print(42)", "<filename>", "exec")
+exec(cmd)  # $getCode=cmd
+
+# ------------------------------------------------------------------------------
+# taint related
+
+
+def test_additional_taint():
+    src = TAINTED_STRING
+
+    cmd1 = compile(src, "<filename>", "exec")
+    cmd2 = compile(source=src, filename="<filename>", mode="exec")
+    cmd3 = builtins.compile(src, "<filename>", "exec")
+
+    ensure_tainted(
+        src,
+        cmd1,
+        cmd2,
+        cmd3,
+    )
--- a/python/ql/test/experimental/library-tests/frameworks/stdlib/CodeExecutionPossibleFP1.py
+++ b/python/ql/test/experimental/library-tests/frameworks/stdlib/CodeExecutionPossibleFP1.py
@@ -0,0 +1,11 @@
+# without this, `eval("print(42)")` becomes invalid syntax in Python 2, since print is a
+# statement
+from __future__ import print_function
+
+
+def eval(*args, **kwargs):
+    raise Exception("no eval")
+
+
+# This function call might be marked as a code execution, but it actually isn't.
+eval("print(42)")  # $f+:getCode="print(42)"
--- a/python/ql/test/experimental/library-tests/frameworks/stdlib/CodeExecutionPossibleFP2.py
+++ b/python/ql/test/experimental/library-tests/frameworks/stdlib/CodeExecutionPossibleFP2.py
@@ -0,0 +1,13 @@
+# without this, `eval("print(42)")` becomes invalid syntax in Python 2, since print is a
+# statement
+from __future__ import print_function
+
+
+def foo(*args, **kwargs):
+    raise Exception("no eval")
+
+
+eval = foo
+
+# This function call might be marked as a code execution, but it actually isn't.
+eval("print(42)")  # $f+:getCode="print(42)"
--- a/python/ql/test/experimental/library-tests/frameworks/stdlib/CodeExecutionPossibleFP3.py
+++ b/python/ql/test/experimental/library-tests/frameworks/stdlib/CodeExecutionPossibleFP3.py
@@ -0,0 +1,19 @@
+# without this, `eval("print(42)")` becomes invalid syntax in Python 2, since print is a
+# statement
+from __future__ import print_function
+import sys
+
+if sys.version_info[0] == 3:
+    import builtins
+if sys.version_info[0] == 2:
+    import __builtin__ as builtins
+
+
+def foo(*args, **kwargs):
+    raise Exception("no eval")
+
+
+builtins.eval = foo
+
+# This function call might be marked as a code execution, but it actually isn't.
+eval("print(42)")  # $f+:getCode="print(42)"
--- a/python/ql/test/experimental/library-tests/frameworks/stdlib/TestTaint.expected
+++ b/python/ql/test/experimental/library-tests/frameworks/stdlib/TestTaint.expected
@@ -0,0 +1,4 @@
+| CodeExecution.py:35 | ok   | test_additional_taint | src |
+| CodeExecution.py:36 | ok   | test_additional_taint | cmd1 |
+| CodeExecution.py:37 | ok   | test_additional_taint | cmd2 |
+| CodeExecution.py:38 | ok   | test_additional_taint | cmd3 |
--- a/python/ql/test/experimental/library-tests/frameworks/stdlib/TestTaint.ql
+++ b/python/ql/test/experimental/library-tests/frameworks/stdlib/TestTaint.ql
@@ -0,0 +1,2 @@
+import experimental.dataflow.tainttracking.TestTaintLib
+import experimental.dataflow.RemoteFlowSources
--- a/python/ql/test/experimental/meta/ConceptsTest.qll
+++ b/python/ql/test/experimental/meta/ConceptsTest.qll
@@ -73,6 +73,23 @@ class DecodingTest extends InlineExpectationsTest {
  }
 }

+class CodeExecutionTest extends InlineExpectationsTest {
+  CodeExecutionTest() { this = "CodeExecutionTest" }
+
+  override string getARelevantTag() { result = "getCode" }
+
+  override predicate hasActualResult(Location location, string element, string tag, string value) {
+    exists(CodeExecution ce, DataFlow::Node code |
+      exists(location.getFile().getRelativePath()) and
+      code = ce.getCode() and
+      location = code.getLocation() and
+      element = code.toString() and
+      value = value_from_expr(code.asExpr()) and
+      tag = "getCode"
+    )
+  }
+}
+
 class HttpServerRouteSetupTest extends InlineExpectationsTest {
  HttpServerRouteSetupTest() { this = "HttpServerRouteSetupTest" }

--- a/python/ql/test/experimental/query-tests/Security-new-dataflow/CWE-078-py2/CommandInjection.expected
+++ b/python/ql/test/experimental/query-tests/Security-new-dataflow/CWE-078-py2/CommandInjection.expected
@@ -0,0 +1,31 @@
+edges
+| command_injection.py:18:13:18:24 | ControlFlowNode for Attribute | command_injection.py:19:15:19:27 | ControlFlowNode for BinaryExpr |
+| command_injection.py:18:13:18:24 | ControlFlowNode for Attribute | command_injection.py:20:15:20:27 | ControlFlowNode for BinaryExpr |
+| command_injection.py:18:13:18:24 | ControlFlowNode for Attribute | command_injection.py:21:15:21:27 | ControlFlowNode for BinaryExpr |
+| command_injection.py:18:13:18:24 | ControlFlowNode for Attribute | command_injection.py:23:20:23:32 | ControlFlowNode for BinaryExpr |
+| command_injection.py:18:13:18:24 | ControlFlowNode for Attribute | command_injection.py:25:19:25:31 | ControlFlowNode for BinaryExpr |
+| command_injection.py:18:13:18:24 | ControlFlowNode for Attribute | command_injection.py:26:19:26:31 | ControlFlowNode for BinaryExpr |
+| command_injection.py:18:13:18:24 | ControlFlowNode for Attribute | command_injection.py:27:19:27:31 | ControlFlowNode for BinaryExpr |
+| command_injection.py:18:13:18:24 | ControlFlowNode for Attribute | command_injection.py:28:19:28:31 | ControlFlowNode for BinaryExpr |
+| command_injection.py:18:13:18:24 | ControlFlowNode for Attribute | command_injection.py:29:19:29:31 | ControlFlowNode for BinaryExpr |
+nodes
+| command_injection.py:18:13:18:24 | ControlFlowNode for Attribute | semmle.label | ControlFlowNode for Attribute |
+| command_injection.py:19:15:19:27 | ControlFlowNode for BinaryExpr | semmle.label | ControlFlowNode for BinaryExpr |
+| command_injection.py:20:15:20:27 | ControlFlowNode for BinaryExpr | semmle.label | ControlFlowNode for BinaryExpr |
+| command_injection.py:21:15:21:27 | ControlFlowNode for BinaryExpr | semmle.label | ControlFlowNode for BinaryExpr |
+| command_injection.py:23:20:23:32 | ControlFlowNode for BinaryExpr | semmle.label | ControlFlowNode for BinaryExpr |
+| command_injection.py:25:19:25:31 | ControlFlowNode for BinaryExpr | semmle.label | ControlFlowNode for BinaryExpr |
+| command_injection.py:26:19:26:31 | ControlFlowNode for BinaryExpr | semmle.label | ControlFlowNode for BinaryExpr |
+| command_injection.py:27:19:27:31 | ControlFlowNode for BinaryExpr | semmle.label | ControlFlowNode for BinaryExpr |
+| command_injection.py:28:19:28:31 | ControlFlowNode for BinaryExpr | semmle.label | ControlFlowNode for BinaryExpr |
+| command_injection.py:29:19:29:31 | ControlFlowNode for BinaryExpr | semmle.label | ControlFlowNode for BinaryExpr |
+#select
+| command_injection.py:19:15:19:27 | ControlFlowNode for BinaryExpr | command_injection.py:18:13:18:24 | ControlFlowNode for Attribute | command_injection.py:19:15:19:27 | ControlFlowNode for BinaryExpr | This command depends on $@. | command_injection.py:18:13:18:24 | ControlFlowNode for Attribute | a user-provided value |
+| command_injection.py:20:15:20:27 | ControlFlowNode for BinaryExpr | command_injection.py:18:13:18:24 | ControlFlowNode for Attribute | command_injection.py:20:15:20:27 | ControlFlowNode for BinaryExpr | This command depends on $@. | command_injection.py:18:13:18:24 | ControlFlowNode for Attribute | a user-provided value |
+| command_injection.py:21:15:21:27 | ControlFlowNode for BinaryExpr | command_injection.py:18:13:18:24 | ControlFlowNode for Attribute | command_injection.py:21:15:21:27 | ControlFlowNode for BinaryExpr | This command depends on $@. | command_injection.py:18:13:18:24 | ControlFlowNode for Attribute | a user-provided value |
+| command_injection.py:23:20:23:32 | ControlFlowNode for BinaryExpr | command_injection.py:18:13:18:24 | ControlFlowNode for Attribute | command_injection.py:23:20:23:32 | ControlFlowNode for BinaryExpr | This command depends on $@. | command_injection.py:18:13:18:24 | ControlFlowNode for Attribute | a user-provided value |
+| command_injection.py:25:19:25:31 | ControlFlowNode for BinaryExpr | command_injection.py:18:13:18:24 | ControlFlowNode for Attribute | command_injection.py:25:19:25:31 | ControlFlowNode for BinaryExpr | This command depends on $@. | command_injection.py:18:13:18:24 | ControlFlowNode for Attribute | a user-provided value |
+| command_injection.py:26:19:26:31 | ControlFlowNode for BinaryExpr | command_injection.py:18:13:18:24 | ControlFlowNode for Attribute | command_injection.py:26:19:26:31 | ControlFlowNode for BinaryExpr | This command depends on $@. | command_injection.py:18:13:18:24 | ControlFlowNode for Attribute | a user-provided value |
+| command_injection.py:27:19:27:31 | ControlFlowNode for BinaryExpr | command_injection.py:18:13:18:24 | ControlFlowNode for Attribute | command_injection.py:27:19:27:31 | ControlFlowNode for BinaryExpr | This command depends on $@. | command_injection.py:18:13:18:24 | ControlFlowNode for Attribute | a user-provided value |
+| command_injection.py:28:19:28:31 | ControlFlowNode for BinaryExpr | command_injection.py:18:13:18:24 | ControlFlowNode for Attribute | command_injection.py:28:19:28:31 | ControlFlowNode for BinaryExpr | This command depends on $@. | command_injection.py:18:13:18:24 | ControlFlowNode for Attribute | a user-provided value |
+| command_injection.py:29:19:29:31 | ControlFlowNode for BinaryExpr | command_injection.py:18:13:18:24 | ControlFlowNode for Attribute | command_injection.py:29:19:29:31 | ControlFlowNode for BinaryExpr | This command depends on $@. | command_injection.py:18:13:18:24 | ControlFlowNode for Attribute | a user-provided value |
--- a/python/ql/test/experimental/query-tests/Security-new-dataflow/CWE-078-py2/CommandInjection.qlref
+++ b/python/ql/test/experimental/query-tests/Security-new-dataflow/CWE-078-py2/CommandInjection.qlref
@@ -0,0 +1 @@
+experimental/Security-new-dataflow/CWE-078/CommandInjection.ql
--- a/python/ql/test/experimental/query-tests/Security-new-dataflow/CWE-078-py2/command_injection.py
+++ b/python/ql/test/experimental/query-tests/Security-new-dataflow/CWE-078-py2/command_injection.py
@@ -0,0 +1,29 @@
+import os
+import platform
+import popen2
+
+from flask import Flask, request
+
+app = Flask(__name__)
+
+
+@app.route("/python2-specific")
+def python2_specific():
+    """
+    These tests are mostly included to check for extra paths that can be generated if
+    we can track flow into the implementation of a stdlib function, and then to another sink.
+    See comment in query for more details.
+    """
+
+    files = request.args.get("files", "")
+    os.popen2("ls " + files)
+    os.popen3("ls " + files)
+    os.popen4("ls " + files)
+
+    platform.popen("ls " + files)
+
+    popen2.popen2("ls " + files)
+    popen2.popen3("ls " + files)
+    popen2.popen4("ls " + files)
+    popen2.Popen3("ls " + files)
+    popen2.Popen4("ls " + files)
--- a/python/ql/test/experimental/query-tests/Security-new-dataflow/CWE-078-py2/options
+++ b/python/ql/test/experimental/query-tests/Security-new-dataflow/CWE-078-py2/options
@@ -0,0 +1 @@
+semmle-extractor-options: --max-import-depth=1 --lang=2
--- a/python/ql/test/experimental/query-tests/Security-new-dataflow/CWE-078/command_injection.py
+++ b/python/ql/test/experimental/query-tests/Security-new-dataflow/CWE-078/command_injection.py
@@ -55,7 +55,3 @@ def not_into_sink_impl():
    subprocess.call(command)
    subprocess.check_call(command)
    subprocess.run(command)
-
-
-# TODO: popen2 module for Python 2 only https://devdocs.io/python~2.7/library/popen2
-# (deprecated since Python 2.6, but still functional in Python 2.7.17)
--- a/python/ql/test/experimental/query-tests/Security-new-dataflow/CWE-094/CodeInjection.expected
+++ b/python/ql/test/experimental/query-tests/Security-new-dataflow/CWE-094/CodeInjection.expected
@@ -0,0 +1,13 @@
+edges
+| code_injection.py:6:12:6:23 | ControlFlowNode for Attribute | code_injection.py:7:10:7:13 | ControlFlowNode for code |
+| code_injection.py:6:12:6:23 | ControlFlowNode for Attribute | code_injection.py:8:10:8:13 | ControlFlowNode for code |
+| code_injection.py:6:12:6:23 | ControlFlowNode for Attribute | code_injection.py:10:10:10:12 | ControlFlowNode for cmd |
+nodes
+| code_injection.py:6:12:6:23 | ControlFlowNode for Attribute | semmle.label | ControlFlowNode for Attribute |
+| code_injection.py:7:10:7:13 | ControlFlowNode for code | semmle.label | ControlFlowNode for code |
+| code_injection.py:8:10:8:13 | ControlFlowNode for code | semmle.label | ControlFlowNode for code |
+| code_injection.py:10:10:10:12 | ControlFlowNode for cmd | semmle.label | ControlFlowNode for cmd |
+#select
+| code_injection.py:7:10:7:13 | ControlFlowNode for code | code_injection.py:6:12:6:23 | ControlFlowNode for Attribute | code_injection.py:7:10:7:13 | ControlFlowNode for code | $@ flows to here and is interpreted as code. | code_injection.py:6:12:6:23 | ControlFlowNode for Attribute | A user-provided value |
+| code_injection.py:8:10:8:13 | ControlFlowNode for code | code_injection.py:6:12:6:23 | ControlFlowNode for Attribute | code_injection.py:8:10:8:13 | ControlFlowNode for code | $@ flows to here and is interpreted as code. | code_injection.py:6:12:6:23 | ControlFlowNode for Attribute | A user-provided value |
+| code_injection.py:10:10:10:12 | ControlFlowNode for cmd | code_injection.py:6:12:6:23 | ControlFlowNode for Attribute | code_injection.py:10:10:10:12 | ControlFlowNode for cmd | $@ flows to here and is interpreted as code. | code_injection.py:6:12:6:23 | ControlFlowNode for Attribute | A user-provided value |
--- a/python/ql/test/experimental/query-tests/Security-new-dataflow/CWE-094/CodeInjection.qlref
+++ b/python/ql/test/experimental/query-tests/Security-new-dataflow/CWE-094/CodeInjection.qlref
@@ -0,0 +1 @@
+experimental/Security-new-dataflow/CWE-094/CodeInjection.ql
--- a/python/ql/test/experimental/query-tests/Security-new-dataflow/CWE-094/code_injection.py
+++ b/python/ql/test/experimental/query-tests/Security-new-dataflow/CWE-094/code_injection.py
@@ -0,0 +1,10 @@
+from flask import Flask, request
+app = Flask(__name__)
+
+@app.route("/code-execution")
+def code_execution():
+    code = request.args.get("code")
+    exec(code)
+    eval(code)
+    cmd = compile(code, "<filename>", "exec")
+    exec(cmd)
				`@@ -0,0 +1 @@`
				`semmle-extractor-options: --max-import-depth=1 --lang=2`
				`@@ -0,0 +1 @@`
				`experimental/Security-new-dataflow/CWE-078/CommandInjection.ql`