Rust: experiment with suppressing canonical path extraction

.bazelrc

@@ -12,9 +12,6 @@ common --override_module=semmle_code=%workspace%/misc/bazel/semmle_code_stub
 
 build --repo_env=CC=clang --repo_env=CXX=clang++
 
-# print test output, like sembuild does.
-# Set to `errors` if this is too verbose.
-test --test_output all
 # we use transitions that break builds of `...`, so for `test` to work with that we need the following
 test --build_tests_only
 

.github/workflows/go-tests-other-os.yml

@@ -3,7 +3,6 @@ on:
   pull_request:
     paths:
       - "go/**"
-      - "!go/documentation/**"
       - "!go/ql/**" # don't run other-os if only ql/ files changed
       - .github/workflows/go-tests-other-os.yml
       - .github/actions/**

.github/workflows/go-tests.yml

@@ -3,7 +3,6 @@ on:
   push:
     paths:
       - "go/**"
-      - "!go/documentation/**"
       - "shared/**"
       - .github/workflows/go-tests.yml
       - .github/actions/**
@@ -14,7 +13,6 @@ on:
   pull_request:
     paths:
       - "go/**"
-      - "!go/documentation/**"      
       - "shared/**"
       - .github/workflows/go-tests.yml
       - .github/actions/**

Cargo.lock

@@ -415,6 +415,7 @@ dependencies = [
  "figment",
  "glob",
  "itertools 0.14.0",
+ "log 0.4.22",
  "num-traits",
  "ra_ap_base_db",
  "ra_ap_cfg",
@@ -434,10 +435,8 @@ dependencies = [
  "serde",
  "serde_json",
  "serde_with",
+ "stderrlog",
  "toml",
- "tracing",
- "tracing-flame",
- "tracing-subscriber",
  "triomphe",
 ]
 
@@ -801,6 +800,12 @@ version = "0.3.9"
 source = "registry+https://github.com/rust-lang/crates.io-index"
 checksum = "d231dfb89cfffdbc30e7fc41579ed6066ad03abda9e567ccafae602b97ec5024"
 
+[[package]]
+name = "hermit-abi"
+version = "0.4.0"
+source = "registry+https://github.com/rust-lang/crates.io-index"
+checksum = "fbf6a919d6cf397374f7dfeeea91d974c7c0a7221d0d0f4f20d859d329e53fcc"
+
 [[package]]
 name = "hex"
 version = "0.4.3"
@@ -893,6 +898,17 @@ dependencies = [
  "libc",
 ]
 
+[[package]]
+name = "is-terminal"
+version = "0.4.13"
+source = "registry+https://github.com/rust-lang/crates.io-index"
+checksum = "261f68e344040fbd0edea105bef17c66edf46f984ddb1115b775ce31be948f4b"
+dependencies = [
+ "hermit-abi 0.4.0",
+ "libc",
+ "windows-sys 0.52.0",
+]
+
 [[package]]
 name = "is_terminal_polyfill"
 version = "1.70.1"
@@ -1149,7 +1165,7 @@ version = "1.16.0"
 source = "registry+https://github.com/rust-lang/crates.io-index"
 checksum = "4161fcb6d602d4d2081af7c3a45852d875a03dd337a6bfdd6e06407b61342a43"
 dependencies = [
- "hermit-abi",
+ "hermit-abi 0.3.9",
  "libc",
 ]
 
@@ -2174,6 +2190,19 @@ version = "1.2.0"
 source = "registry+https://github.com/rust-lang/crates.io-index"
 checksum = "a8f112729512f8e442d81f95a8a7ddf2b7c6b8a1a6f509a95864142b30cab2d3"
 
+[[package]]
+name = "stderrlog"
+version = "0.6.0"
+source = "registry+https://github.com/rust-lang/crates.io-index"
+checksum = "61c910772f992ab17d32d6760e167d2353f4130ed50e796752689556af07dc6b"
+dependencies = [
+ "chrono",
+ "is-terminal",
+ "log 0.4.22",
+ "termcolor",
+ "thread_local",
+]
+
 [[package]]
 name = "streaming-iterator"
 version = "0.1.9"
@@ -2208,6 +2237,15 @@ dependencies = [
  "syn",
 ]
 
+[[package]]
+name = "termcolor"
+version = "1.1.3"
+source = "registry+https://github.com/rust-lang/crates.io-index"
+checksum = "bab24d30b911b2376f3a13cc2cd443142f0c81dda04c118693e35b3835757755"
+dependencies = [
+ "winapi-util",
+]
+
 [[package]]
 name = "text-size"
 version = "1.1.1"
@@ -2341,17 +2379,6 @@ dependencies = [
  "valuable",
 ]
 
-[[package]]
-name = "tracing-flame"
-version = "0.2.0"
-source = "registry+https://github.com/rust-lang/crates.io-index"
-checksum = "0bae117ee14789185e129aaee5d93750abe67fdc5a9a62650452bfe4e122a3a9"
-dependencies = [
- "lazy_static",
- "tracing",
- "tracing-subscriber",
-]
-
 [[package]]
 name = "tracing-log"
 version = "0.2.0"

LICENSE

@@ -1,6 +1,6 @@
 MIT License
 
-Copyright (c) 2006-2025 GitHub, Inc.
+Copyright (c) 2006-2020 GitHub, Inc.
 
 Permission is hereby granted, free of charge, to any person obtaining a copy
 of this software and associated documentation files (the "Software"), to deal

MODULE.bazel

@@ -14,7 +14,7 @@ local_path_override(
 
 # see https://registry.bazel.build/ for a list of available packages
 
-bazel_dep(name = "platforms", version = "0.0.11")
+bazel_dep(name = "platforms", version = "0.0.10")
 bazel_dep(name = "rules_go", version = "0.50.1")
 bazel_dep(name = "rules_pkg", version = "1.0.1")
 bazel_dep(name = "rules_nodejs", version = "6.2.0-codeql.1")
@@ -28,7 +28,7 @@ bazel_dep(name = "rules_kotlin", version = "2.0.0-codeql.1")
 bazel_dep(name = "gazelle", version = "0.40.0")
 bazel_dep(name = "rules_dotnet", version = "0.17.4")
 bazel_dep(name = "googletest", version = "1.14.0.bcr.1")
-bazel_dep(name = "rules_rust", version = "0.57.1")
+bazel_dep(name = "rules_rust", version = "0.52.2")
 bazel_dep(name = "zstd", version = "1.5.5.bcr.1")
 
 bazel_dep(name = "buildifier_prebuilt", version = "6.4.0", dev_dependency = True)
@@ -53,17 +53,29 @@ use_repo(rust, "rust_toolchains")
 
 register_toolchains("@rust_toolchains//:all")
 
+rust_host_tools = use_extension("@rules_rust//rust:extensions.bzl", "rust_host_tools")
+
+# Don't download a second toolchain as host toolchain, make sure this is the same version as above
+# The host toolchain is used for vendoring dependencies.
+rust_host_tools.host_tools(
+    edition = RUST_EDITION,
+    version = RUST_VERSION,
+)
+
 # deps for python extractor
 # keep in sync by running `misc/bazel/3rdparty/update_cargo_deps.sh`
 py_deps = use_extension("//misc/bazel/3rdparty:py_deps_extension.bzl", "p")
 use_repo(
     py_deps,
-    "vendor_py__anyhow-1.0.95",
-    "vendor_py__cc-1.2.14",
-    "vendor_py__clap-4.5.30",
-    "vendor_py__regex-1.11.1",
-    "vendor_py__tree-sitter-0.20.4",
-    "vendor_py__tree-sitter-graph-0.7.0",
+    "vendor__anyhow-1.0.44",
+    "vendor__cc-1.0.70",
+    "vendor__clap-2.33.3",
+    "vendor__regex-1.5.5",
+    "vendor__smallvec-1.6.1",
+    "vendor__string-interner-0.12.2",
+    "vendor__thiserror-1.0.29",
+    "vendor__tree-sitter-0.20.4",
+    "vendor__tree-sitter-graph-0.7.0",
 )
 
 # deps for ruby+rust
@@ -84,6 +96,7 @@ use_repo(
     "vendor__globset-0.4.15",
     "vendor__itertools-0.14.0",
     "vendor__lazy_static-1.5.0",
+    "vendor__log-0.4.22",
     "vendor__mustache-0.9.0",
     "vendor__num-traits-0.2.19",
     "vendor__num_cpus-1.16.0",
@@ -110,10 +123,10 @@ use_repo(
     "vendor__serde-1.0.217",
     "vendor__serde_json-1.0.135",
     "vendor__serde_with-3.12.0",
+    "vendor__stderrlog-0.6.0",
     "vendor__syn-2.0.96",
     "vendor__toml-0.8.19",
     "vendor__tracing-0.1.41",
-    "vendor__tracing-flame-0.2.0",
     "vendor__tracing-subscriber-0.3.19",
     "vendor__tree-sitter-0.24.6",
     "vendor__tree-sitter-embedded-template-0.23.2",
@@ -239,7 +252,7 @@ use_repo(
 )
 
 go_sdk = use_extension("@rules_go//go:extensions.bzl", "go_sdk")
-go_sdk.download(version = "1.24.0")
+go_sdk.download(version = "1.23.1")
 
 go_deps = use_extension("@gazelle//:extensions.bzl", "go_deps")
 go_deps.from_file(go_mod = "//go/extractor:go.mod")

actions/extractor/BUILD.bazel

@@ -4,7 +4,6 @@ codeql_pkg_files(
     name = "extractor",
     srcs = [
         "codeql-extractor.yml",
-        "//:LICENSE",
     ] + glob(["tools/**"]),
     strip_prefix = strip_prefix.from_pkg(),
     visibility = ["//actions:__pkg__"],

actions/ql/lib/CHANGELOG.md

@@ -1,9 +1,3 @@
-## 0.4.3
-
-### New Features
-
-* The "Unpinned tag for a non-immutable Action in workflow" query (`actions/unpinned-tag`) now supports expanding the trusted action owner list using data extensions (`extensible: trustedActionsOwnerDataModel`). If you trust an Action publisher, you can include the owner name/organization in a model pack to add it to the allow list for this query. This addition will prevent security alerts when using unpinned tags for Actions published by that owner. For more information on creating a model pack, see [Creating a CodeQL Model Pack](https://docs.github.com/en/code-security/codeql-cli/using-the-advanced-functionality-of-the-codeql-cli/creating-and-working-with-codeql-packs#creating-a-codeql-model-pack).
-
 ## 0.4.2
 
 ### Bug Fixes

actions/ql/lib/change-notes/released/0.4.3.md

@@ -1,5 +0,0 @@
-## 0.4.3
-
-### New Features
-
-* The "Unpinned tag for a non-immutable Action in workflow" query (`actions/unpinned-tag`) now supports expanding the trusted action owner list using data extensions (`extensible: trustedActionsOwnerDataModel`). If you trust an Action publisher, you can include the owner name/organization in a model pack to add it to the allow list for this query. This addition will prevent security alerts when using unpinned tags for Actions published by that owner. For more information on creating a model pack, see [Creating a CodeQL Model Pack](https://docs.github.com/en/code-security/codeql-cli/using-the-advanced-functionality-of-the-codeql-cli/creating-and-working-with-codeql-packs#creating-a-codeql-model-pack).

actions/ql/lib/codeql-pack.release.yml

@@ -1,2 +1,2 @@
 ---
-lastReleaseVersion: 0.4.3
+lastReleaseVersion: 0.4.2

actions/ql/lib/codeql/actions/Bash.qll

@@ -81,9 +81,7 @@ class BashShellScript extends ShellScript {
           "qstr:" + k + ":" + i + ":" + j + ":" + quotedStr.length() + ":" +
             quotedStr.regexpReplaceAll("[^a-zA-Z0-9]", "")
       )
-    ) and
-    // Only do this for strings that might otherwise disrupt subsequent parsing
-    quotedStr.regexpMatch("[\"'].*[$\n\r'\"" + Bash::separator() + "].*[\"']")
+    )
   }
 
   private predicate rankedQuotedStringReplacements(int i, string old, string new) {

actions/ql/lib/codeql/actions/config/Config.qll

@@ -126,15 +126,6 @@ predicate vulnerableActionsDataModel(
  */
 predicate immutableActionsDataModel(string action) { Extensions::immutableActionsDataModel(action) }
 
-/**
- * MaD models for trusted actions owners
- * Fields:
- *    - owner: owner name
- */
-predicate trustedActionsOwnerDataModel(string owner) {
-  Extensions::trustedActionsOwnerDataModel(owner)
-}
-
 /**
  * MaD models for untrusted git commands
  * Fields:

actions/ql/lib/codeql/actions/config/ConfigExtensions.qll

@@ -63,11 +63,6 @@ extensible predicate vulnerableActionsDataModel(
  */
 extensible predicate immutableActionsDataModel(string action);
 
-/**
- * Holds for trusted Actions owners.
- */
-extensible predicate trustedActionsOwnerDataModel(string owner);
-
 /**
  * Holds for git commands that may introduce untrusted data when called on an attacker controlled branch.
  */

actions/ql/lib/ext/config/immutable_actions.yml

@@ -19,10 +19,4 @@ extensions:
       - ["actions/labeler"]
       - ["actions/create-github-app-token"]
       - ["actions/configure-pages"]
-      - ["github/codeql-action/analyze"]
-      - ["github/codeql-action/autobuild"]
-      - ["github/codeql-action/init"]
-      - ["github/codeql-action/resolve-environment"]
-      - ["github/codeql-action/start-proxy"]
-      - ["github/codeql-action/upload-sarif"]
       - ["octokit/request-action"]

actions/ql/lib/ext/config/trusted_actions_owner.yml

@@ -1,8 +0,0 @@
-extensions:
-  - addsTo: 
-      pack: codeql/actions-all
-      extensible: trustedActionsOwnerDataModel
-    data:      
-      - ["actions"]
-      - ["github"]
-      - ["advanced-security"]

actions/ql/lib/qlpack.yml

@@ -1,5 +1,5 @@
 name: codeql/actions-all
-version: 0.4.4-dev
+version: 0.4.3-dev
 library: true
 warnOnImplicitThis: true
 dependencies:

actions/ql/src/CHANGELOG.md

@@ -1,29 +1,3 @@
-## 0.5.0
-
-### Breaking Changes
-
-* The following queries have been removed from the `code-scanning` and `security-extended` suites.
-  Any existing alerts for these queries will be closed automatically.
-  * `actions/if-expression-always-true/critical`
-  * `actions/if-expression-always-true/high`
-  * `actions/unnecessary-use-of-advanced-config`
-  
-* The following query has been moved from the `code-scanning` suite to the `security-extended`
-  suite. Any existing alerts for this query will be closed automatically unless the analysis is
-  configured to use the `security-extended` suite.
-  * `actions/unpinned-tag`
-* The following queries have been added to the `security-extended` suite.
-  * `actions/unversioned-immutable-action`
-  * `actions/envpath-injection/medium`
-  * `actions/envvar-injection/medium`
-  * `actions/code-injection/medium`
-  * `actions/artifact-poisoning/medium`
-  * `actions/untrusted-checkout/medium`
-
-### Minor Analysis Improvements
-
-* Fixed false positives in the query `actions/unpinned-tag` (CWE-829), which will no longer flag uses of Docker-based GitHub actions pinned by the container's SHA256 digest.
-
 ## 0.4.2
 
 No user-facing changes.

actions/ql/src/Security/CWE-077/EnvPathInjectionMedium.ql

@@ -2,9 +2,9 @@
  * @name PATH Enviroment Variable built from user-controlled sources
  * @description Building the PATH environment variable from user-controlled sources may alter the execution of following system commands
  * @kind path-problem
- * @problem.severity error
+ * @problem.severity warning
  * @security-severity 5.0
- * @precision medium
+ * @precision high
  * @id actions/envpath-injection/medium
  * @tags actions
  *       security

actions/ql/src/Security/CWE-077/EnvVarInjectionMedium.ql

@@ -2,9 +2,9 @@
  * @name Enviroment Variable built from user-controlled sources
  * @description Building an environment variable from user-controlled sources may alter the execution of following system commands
  * @kind path-problem
- * @problem.severity error
+ * @problem.severity warning
  * @security-severity 5.0
- * @precision medium
+ * @precision high
  * @id actions/envvar-injection/medium
  * @tags actions
  *       security

actions/ql/src/Security/CWE-275/MissingActionsPermissions.ql

@@ -3,12 +3,11 @@
  * @description Workflows should contain permissions to provide a clear understanding has permissions to run the workflow.
  * @kind problem
  * @security-severity 5.0
- * @problem.severity warning
+ * @problem.severity recommendation
  * @precision high
  * @id actions/missing-workflow-permissions
  * @tags actions
  *       maintainability
- *       security
  *       external/cwe/cwe-275
  */
 

actions/ql/src/Security/CWE-312/ExcessiveSecretsExposure.ql

@@ -2,8 +2,7 @@
  * @name Excessive Secrets Exposure
  * @description All organization and repository secrets are passed to the workflow runner.
  * @kind problem
- * @precision high
- * @problem.severity warning
+ * @problem.severity recommendation
  * @id actions/excessive-secrets-exposure
  * @tags actions
  *       security

actions/ql/src/Security/CWE-829/ArtifactPoisoningMedium.ql

@@ -2,8 +2,8 @@
  * @name Artifact poisoning
  * @description An attacker may be able to poison the workflow's artifacts and influence on consequent steps.
  * @kind path-problem
- * @problem.severity error
- * @precision medium
+ * @problem.severity warning
+ * @precision high
  * @security-severity 5.0
  * @id actions/artifact-poisoning/medium
  * @tags actions

actions/ql/src/Security/CWE-829/UnpinnedActionsTag.md

@@ -24,4 +24,4 @@ Pinning an action to a full length commit SHA is currently the only way to use a
 
 ## References
 
-- [Using third-party actions](https://docs.github.com/en/actions/security-for-github-actions/security-guides/security-hardening-for-github-actions#using-third-party-actions)
+- [Using third-party actions](https://docs.github.com/en/actions/security-for-github-actions/security-guides/security-hardening-for-github-actions#using-third-party-actions)

actions/ql/src/Security/CWE-829/UnpinnedActionsTag.ql

@@ -3,8 +3,8 @@
  * @description Using a tag for a non-immutable Action that is not pinned to a commit can lead to executing an untrusted Action through a supply chain attack.
  * @kind problem
  * @security-severity 5.0
- * @problem.severity warning
- * @precision medium
+ * @problem.severity recommendation
+ * @precision high
  * @id actions/unpinned-tag
  * @tags security
  *       actions
@@ -17,23 +17,14 @@ import codeql.actions.security.UseOfUnversionedImmutableAction
 bindingset[version]
 private predicate isPinnedCommit(string version) { version.regexpMatch("^[A-Fa-f0-9]{40}$") }
 
-bindingset[nwo]
-private predicate isTrustedOwner(string nwo) {
-  // Gets the segment before the first '/' in the name with owner(nwo) string
-  trustedActionsOwnerDataModel(nwo.substring(0, nwo.indexOf("/")))
+bindingset[repo]
+private predicate isTrustedOrg(string repo) {
+  repo.matches(["actions", "github", "advanced-security"] + "/%")
 }
 
-bindingset[version]
-private predicate isPinnedContainer(string version) {
-  version.regexpMatch("^sha256:[A-Fa-f0-9]{64}$")
-}
-
-bindingset[nwo]
-private predicate isContainerImage(string nwo) { nwo.regexpMatch("^docker://.+") }
-
-from UsesStep uses, string nwo, string version, Workflow workflow, string name
+from UsesStep uses, string repo, string version, Workflow workflow, string name
 where
-  uses.getCallee() = nwo and
+  uses.getCallee() = repo and
   uses.getEnclosingWorkflow() = workflow and
   (
     workflow.getName() = name
@@ -41,9 +32,9 @@ where
     not exists(workflow.getName()) and workflow.getLocation().getFile().getBaseName() = name
   ) and
   uses.getVersion() = version and
-  not isTrustedOwner(nwo) and
-  not (if isContainerImage(nwo) then isPinnedContainer(version) else isPinnedCommit(version)) and
-  not isImmutableAction(uses, nwo)
+  not isTrustedOrg(repo) and
+  not isPinnedCommit(version) and
+  not isImmutableAction(uses, repo)
 select uses.getCalleeNode(),
-  "Unpinned 3rd party Action '" + name + "' step $@ uses '" + nwo + "' with ref '" + version +
+  "Unpinned 3rd party Action '" + name + "' step $@ uses '" + repo + "' with ref '" + version +
     "', not a pinned commit hash", uses, uses.toString()

actions/ql/src/change-notes/released/0.5.0.md

@@ -1,25 +0,0 @@
-## 0.5.0
-
-### Breaking Changes
-
-* The following queries have been removed from the `code-scanning` and `security-extended` suites.
-  Any existing alerts for these queries will be closed automatically.
-  * `actions/if-expression-always-true/critical`
-  * `actions/if-expression-always-true/high`
-  * `actions/unnecessary-use-of-advanced-config`
-  
-* The following query has been moved from the `code-scanning` suite to the `security-extended`
-  suite. Any existing alerts for this query will be closed automatically unless the analysis is
-  configured to use the `security-extended` suite.
-  * `actions/unpinned-tag`
-* The following queries have been added to the `security-extended` suite.
-  * `actions/unversioned-immutable-action`
-  * `actions/envpath-injection/medium`
-  * `actions/envvar-injection/medium`
-  * `actions/code-injection/medium`
-  * `actions/artifact-poisoning/medium`
-  * `actions/untrusted-checkout/medium`
-
-### Minor Analysis Improvements
-
-* Fixed false positives in the query `actions/unpinned-tag` (CWE-829), which will no longer flag uses of Docker-based GitHub actions pinned by the container's SHA256 digest.

actions/ql/src/codeql-pack.release.yml

@@ -1,2 +1,2 @@
 ---
-lastReleaseVersion: 0.5.0
+lastReleaseVersion: 0.4.2

actions/ql/src/codeql-suites/actions-ccr.qls

@@ -1 +0,0 @@
-[]

actions/ql/src/codeql-suites/actions-code-scanning.qls

@@ -1,4 +1,11 @@
 - description: Standard Code Scanning queries for GitHub Actions
-- queries: .
-- apply: code-scanning-selectors.yml
-  from: codeql/suite-helpers
+- queries: '.'
+- include:
+    problem.severity: 
+      - error
+      - recommendation
+- exclude:
+    tags contain:
+      - experimental
+      - debug
+      - internal

actions/ql/src/codeql-suites/actions-security-extended.qls

@@ -1,4 +1,2 @@
 - description: Security-extended queries for GitHub Actions
-- queries: .
-- apply: security-extended-selectors.yml
-  from: codeql/suite-helpers
+- import: codeql-suites/actions-code-scanning.qls

actions/ql/src/qlpack.yml

@@ -1,5 +1,5 @@
 name: codeql/actions-queries
-version: 0.5.1-dev
+version: 0.4.3-dev
 library: false
 warnOnImplicitThis: true
 groups: [actions, queries]

actions/ql/test/library-tests/.github/workflows/many_strings.yml

@@ -1,18 +0,0 @@
-on:
-  workflow_run:
-    workflows: ["Prev"]
-    types:
-      - completed
-
-jobs:
-  Test:
-    runs-on: ubuntu-latest
-    steps:
-      - run: |
-          # Avoid choking on large chunks of data containing quotes
-          echo '["string1", "string2", "string3", "string4", "string5", "string6", "string7", "string8", "string9", "string10", "string11", "string12", "string13", "string14", "string15", "string16", "string17", "string18", "string19", "string20", "string21", "string22", "string23", "string24", "string25", "string26", "string27", "string28", "string29", "string30", "string31", "string32", "string33", "string34", "string35", "string36", "string37", "string38", "string39", "string40", "string41", "string42", "string43", "string44", "string45", "string46", "string47", "string48", "string49", "string50", "string51", "string52", "string53", "string54", "string55", "string56", "string57", "string58", "string59", "string60", "string61", "string62", "string63", "string64", "string65", "string66", "string67", "string68", "string69", "string70", "string71", "string72", "string73", "string74", "string75", "string76", "string77", "string78", "string79", "string80", "string81", "string82", "string83", "string84", "string85", "string86", "string87", "string88", "string89", "string90", "string91", "string92", "string93", "string94", "string95", "string96", "string97", "string98", "string99", "string100"]'
-          echo "['string1', 'string2', 'string3', 'string4', 'string5', 'string6', 'string7', 'string8', 'string9', 'string10', 'string11', 'string12', 'string13', 'string14', 'string15', 'string16', 'string17', 'string18', 'string19', 'string20', 'string21', 'string22', 'string23', 'string24', 'string25', 'string26', 'string27', 'string28', 'string29', 'string30', 'string31', 'string32', 'string33', 'string34', 'string35', 'string36', 'string37', 'string38', 'string39', 'string40', 'string41', 'string42', 'string43', 'string44', 'string45', 'string46', 'string47', 'string48', 'string49', 'string50', 'string51', 'string52', 'string53', 'string54', 'string55', 'string56', 'string57', 'string58', 'string59', 'string60', 'string61', 'string62', 'string63', 'string64', 'string65', 'string66', 'string67', 'string68', 'string69', 'string70', 'string71', 'string72', 'string73', 'string74', 'string75', 'string76', 'string77', 'string78', 'string79', 'string80', 'string81', 'string82', 'string83', 'string84', 'string85', 'string86', 'string87', 'string88', 'string89', 'string90', 'string91', 'string92', 'string93', 'string94', 'string95', 'string96', 'string97', 'string98', 'string99', 'string100']"
-
-          # Same as above but where each line has an unbalanced internal quote near the end
-          echo '["string1", "string2", "string3", "string4", "string5", "string6", "string7", "string8", "string9", "string10", "string11", "string12", "string13", "string14", "string15", "string16", "string17", "string18", "string19", "string20", "string21", "string22", "string23", "string24", "string25", "string26", "string27", "string28", "string29", "string30", "string31", "string32", "string33", "string34", "string35", "string36", "string37", "string38", "string39", "string40", "string41", "string42", "string43", "string44", "string45", "string46", "string47", "string48", "string49", "string50", "string51", "string52", "string53", "string54", "string55", "string56", "string57", "string58", "string59", "string60", "string61", "string62", "string63", "string64", "string65", "string66", "string67", "string68", "string69", "string70", "string71", "string72", "string73", "string74", "string75", "string76", "string77", "string78", "string79", "string80", "string81", "string82", "string83", "string84", "string85", "string86", "string87", "string88", "string89", "string90", "string91", "string92", "string93", "string94", "string95", "string96", "string97", "string98", "string99", "string100"]"'
-          echo "['string1', 'string2', 'string3', 'string4', 'string5', 'string6', 'string7', 'string8', 'string9', 'string10', 'string11', 'string12', 'string13', 'string14', 'string15', 'string16', 'string17', 'string18', 'string19', 'string20', 'string21', 'string22', 'string23', 'string24', 'string25', 'string26', 'string27', 'string28', 'string29', 'string30', 'string31', 'string32', 'string33', 'string34', 'string35', 'string36', 'string37', 'string38', 'string39', 'string40', 'string41', 'string42', 'string43', 'string44', 'string45', 'string46', 'string47', 'string48', 'string49', 'string50', 'string51', 'string52', 'string53', 'string54', 'string55', 'string56', 'string57', 'string58', 'string59', 'string60', 'string61', 'string62', 'string63', 'string64', 'string65', 'string66', 'string67', 'string68', 'string69', 'string70', 'string71', 'string72', 'string73', 'string74', 'string75', 'string76', 'string77', 'string78', 'string79', 'string80', 'string81', 'string82', 'string83', 'string84', 'string85', 'string86', 'string87', 'string88', 'string89', 'string90', 'string91', 'string92', 'string93', 'string94', 'string95', 'string96', 'string97', 'string98', 'string99', 'string100']'"

actions/ql/test/library-tests/commands.expected

@@ -25,10 +25,6 @@
 | .github/workflows/expression_nodes.yml:16:9:20:6 | Run Step | LINE 2 echo '${{github.event.issue.body}}' |
 | .github/workflows/expression_nodes.yml:16:9:20:6 | Run Step | LINE 3 echo '${{ github.event.comment.body }}' |
 | .github/workflows/expression_nodes.yml:20:9:21:47 | Run Step | LINE 1 echo '${{ github.event.comment.body }}' echo '${{github.event.issue.body}}' |
-| .github/workflows/many_strings.yml:11:9:18:1211 | Run Step | echo "['string1', 'string2', 'string3', 'string4', 'string5', 'string6', 'string7', 'string8', 'string9', 'string10', 'string11', 'string12', 'string13', 'string14', 'string15', 'string16', 'string17', 'string18', 'string19', 'string20', 'string21', 'string22', 'string23', 'string24', 'string25', 'string26', 'string27', 'string28', 'string29', 'string30', 'string31', 'string32', 'string33', 'string34', 'string35', 'string36', 'string37', 'string38', 'string39', 'string40', 'string41', 'string42', 'string43', 'string44', 'string45', 'string46', 'string47', 'string48', 'string49', 'string50', 'string51', 'string52', 'string53', 'string54', 'string55', 'string56', 'string57', 'string58', 'string59', 'string60', 'string61', 'string62', 'string63', 'string64', 'string65', 'string66', 'string67', 'string68', 'string69', 'string70', 'string71', 'string72', 'string73', 'string74', 'string75', 'string76', 'string77', 'string78', 'string79', 'string80', 'string81', 'string82', 'string83', 'string84', 'string85', 'string86', 'string87', 'string88', 'string89', 'string90', 'string91', 'string92', 'string93', 'string94', 'string95', 'string96', 'string97', 'string98', 'string99', 'string100']" |
-| .github/workflows/many_strings.yml:11:9:18:1211 | Run Step | echo "['string1', 'string2', 'string3', 'string4', 'string5', 'string6', 'string7', 'string8', 'string9', 'string10', 'string11', 'string12', 'string13', 'string14', 'string15', 'string16', 'string17', 'string18', 'string19', 'string20', 'string21', 'string22', 'string23', 'string24', 'string25', 'string26', 'string27', 'string28', 'string29', 'string30', 'string31', 'string32', 'string33', 'string34', 'string35', 'string36', 'string37', 'string38', 'string39', 'string40', 'string41', 'string42', 'string43', 'string44', 'string45', 'string46', 'string47', 'string48', 'string49', 'string50', 'string51', 'string52', 'string53', 'string54', 'string55', 'string56', 'string57', 'string58', 'string59', 'string60', 'string61', 'string62', 'string63', 'string64', 'string65', 'string66', 'string67', 'string68', 'string69', 'string70', 'string71', 'string72', 'string73', 'string74', 'string75', 'string76', 'string77', 'string78', 'string79', 'string80', 'string81', 'string82', 'string83', 'string84', 'string85', 'string86', 'string87', 'string88', 'string89', 'string90', 'string91', 'string92', 'string93', 'string94', 'string95', 'string96', 'string97', 'string98', 'string99', 'string100']'" |
-| .github/workflows/many_strings.yml:11:9:18:1211 | Run Step | echo '["string1", "string2", "string3", "string4", "string5", "string6", "string7", "string8", "string9", "string10", "string11", "string12", "string13", "string14", "string15", "string16", "string17", "string18", "string19", "string20", "string21", "string22", "string23", "string24", "string25", "string26", "string27", "string28", "string29", "string30", "string31", "string32", "string33", "string34", "string35", "string36", "string37", "string38", "string39", "string40", "string41", "string42", "string43", "string44", "string45", "string46", "string47", "string48", "string49", "string50", "string51", "string52", "string53", "string54", "string55", "string56", "string57", "string58", "string59", "string60", "string61", "string62", "string63", "string64", "string65", "string66", "string67", "string68", "string69", "string70", "string71", "string72", "string73", "string74", "string75", "string76", "string77", "string78", "string79", "string80", "string81", "string82", "string83", "string84", "string85", "string86", "string87", "string88", "string89", "string90", "string91", "string92", "string93", "string94", "string95", "string96", "string97", "string98", "string99", "string100"]"' |
-| .github/workflows/many_strings.yml:11:9:18:1211 | Run Step | echo '["string1", "string2", "string3", "string4", "string5", "string6", "string7", "string8", "string9", "string10", "string11", "string12", "string13", "string14", "string15", "string16", "string17", "string18", "string19", "string20", "string21", "string22", "string23", "string24", "string25", "string26", "string27", "string28", "string29", "string30", "string31", "string32", "string33", "string34", "string35", "string36", "string37", "string38", "string39", "string40", "string41", "string42", "string43", "string44", "string45", "string46", "string47", "string48", "string49", "string50", "string51", "string52", "string53", "string54", "string55", "string56", "string57", "string58", "string59", "string60", "string61", "string62", "string63", "string64", "string65", "string66", "string67", "string68", "string69", "string70", "string71", "string72", "string73", "string74", "string75", "string76", "string77", "string78", "string79", "string80", "string81", "string82", "string83", "string84", "string85", "string86", "string87", "string88", "string89", "string90", "string91", "string92", "string93", "string94", "string95", "string96", "string97", "string98", "string99", "string100"]' |
 | .github/workflows/multiline2.yml:11:9:15:6 | Run Step | echo "CHANGELOGEOF" |
 | .github/workflows/multiline2.yml:11:9:15:6 | Run Step | echo "changelog< |
 | .github/workflows/multiline2.yml:11:9:15:6 | Run Step | echo -e "$FILTERED_CHANGELOG" |

actions/ql/test/query-tests/Security/CWE-074/OutputClobberingHigh.qlref

@@ -1 +1 @@
-experimental/Security/CWE-074/OutputClobberingHigh.ql
+Security/CWE-074/OutputClobberingHigh.ql

actions/ql/test/query-tests/Security/CWE-078/CommandInjectionCritical.qlref

@@ -1 +1 @@
-experimental/Security/CWE-078/CommandInjectionCritical.ql
+Security/CWE-078/CommandInjectionCritical.ql

actions/ql/test/query-tests/Security/CWE-078/CommandInjectionMedium.qlref

@@ -1 +1 @@
-experimental/Security/CWE-078/CommandInjectionMedium.ql
+Security/CWE-078/CommandInjectionMedium.ql

actions/ql/test/query-tests/Security/CWE-088/ArgumentInjectionCritical.qlref

@@ -1 +1 @@
-experimental/Security/CWE-088/ArgumentInjectionCritical.ql
+Security/CWE-088/ArgumentInjectionCritical.ql

actions/ql/test/query-tests/Security/CWE-088/ArgumentInjectionMedium.qlref

@@ -1 +1 @@
-experimental/Security/CWE-088/ArgumentInjectionMedium.ql
+Security/CWE-088/ArgumentInjectionMedium.ql

actions/ql/test/query-tests/Security/CWE-200/SecretExfiltration.qlref

@@ -1,2 +1,2 @@
-experimental/Security/CWE-200/SecretExfiltration.ql
+Security/CWE-200/SecretExfiltration.ql
 

actions/ql/test/query-tests/Security/CWE-284/CodeExecutionOnSelfHostedRunner.qlref

@@ -1,2 +1,2 @@
-experimental/Security/CWE-284/CodeExecutionOnSelfHostedRunner.ql
+Security/CWE-284/CodeExecutionOnSelfHostedRunner.ql
 

actions/ql/test/query-tests/Security/CWE-829/.github/workflows/unpinned_tags.yml

@@ -9,5 +9,3 @@ jobs:
     - uses: foo/bar
     - uses: foo/bar@v1
     - uses: foo/bar@25b062c917b0c75f8b47d8469aff6c94ffd89abb
-    - uses: docker://foo/bar@latest
-    - uses: docker://foo/bar@sha256:887a259a5a534f3c4f36cb02dca341673c6089431057242cdc931e9f133147e9

actions/ql/test/query-tests/Security/CWE-829/ArtifactPoisoningPathTraversal.qlref

@@ -1,2 +1,2 @@
-experimental/Security/CWE-829/ArtifactPoisoningPathTraversal.ql
+Security/CWE-829/ArtifactPoisoningPathTraversal.ql
 

actions/ql/test/query-tests/Security/CWE-829/UnpinnedActionsTag.expected

@@ -32,4 +32,3 @@
 | .github/workflows/test17.yml:20:21:20:63 | sonarsource/sonarcloud-github-action@master | Unpinned 3rd party Action 'Sonar' step $@ uses 'sonarsource/sonarcloud-github-action' with ref 'master', not a pinned commit hash | .github/workflows/test17.yml:19:15:23:58 | Uses Step | Uses Step |
 | .github/workflows/test18.yml:37:21:37:63 | sonarsource/sonarcloud-github-action@master | Unpinned 3rd party Action 'Sonar' step $@ uses 'sonarsource/sonarcloud-github-action' with ref 'master', not a pinned commit hash | .github/workflows/test18.yml:36:15:40:58 | Uses Step | Uses Step |
 | .github/workflows/unpinned_tags.yml:10:13:10:22 | foo/bar@v1 | Unpinned 3rd party Action 'unpinned_tags.yml' step $@ uses 'foo/bar' with ref 'v1', not a pinned commit hash | .github/workflows/unpinned_tags.yml:10:7:11:4 | Uses Step | Uses Step |
-| .github/workflows/unpinned_tags.yml:12:13:12:35 | docker://foo/bar@latest | Unpinned 3rd party Action 'unpinned_tags.yml' step $@ uses 'docker://foo/bar' with ref 'latest', not a pinned commit hash | .github/workflows/unpinned_tags.yml:12:7:13:4 | Uses Step | Uses Step |

actions/ql/test/query-tests/Security/CWE-829/UntrustedCheckoutCritical.expected

@@ -299,9 +299,7 @@ edges
 | .github/workflows/test.yml:14:9:25:6 | Run Step | .github/workflows/test.yml:25:9:33:6 | Run Step |
 | .github/workflows/test.yml:25:9:33:6 | Run Step | .github/workflows/test.yml:33:9:37:34 | Run Step |
 | .github/workflows/unpinned_tags.yml:9:7:10:4 | Uses Step | .github/workflows/unpinned_tags.yml:10:7:11:4 | Uses Step |
-| .github/workflows/unpinned_tags.yml:10:7:11:4 | Uses Step | .github/workflows/unpinned_tags.yml:11:7:12:4 | Uses Step |
-| .github/workflows/unpinned_tags.yml:11:7:12:4 | Uses Step | .github/workflows/unpinned_tags.yml:12:7:13:4 | Uses Step |
-| .github/workflows/unpinned_tags.yml:12:7:13:4 | Uses Step | .github/workflows/unpinned_tags.yml:13:7:13:101 | Uses Step |
+| .github/workflows/unpinned_tags.yml:10:7:11:4 | Uses Step | .github/workflows/unpinned_tags.yml:11:7:11:61 | Uses Step |
 | .github/workflows/untrusted_checkout2.yml:7:9:14:6 | Run Step: pr_number | .github/workflows/untrusted_checkout2.yml:14:9:19:72 | Run Step |
 | .github/workflows/untrusted_checkout3.yml:11:9:12:6 | Uses Step | .github/workflows/untrusted_checkout3.yml:12:9:13:6 | Uses Step |
 | .github/workflows/untrusted_checkout3.yml:12:9:13:6 | Uses Step | .github/actions/dangerous-git-checkout/action.yml:6:7:11:4 | Uses Step |

actions/ql/test/query-tests/Security/CWE-918/RequestForgery.qlref

@@ -1 +1 @@
-experimental/Security/CWE-918/RequestForgery.ql
+Security/CWE-918/RequestForgery.ql

cpp/ql/lib/CHANGELOG.md

@@ -1,7 +1,3 @@
-## 4.0.1
-
-No user-facing changes.
-
 ## 4.0.0
 
 ### Breaking Changes

cpp/ql/lib/change-notes/released/4.0.1.md

@@ -1,3 +0,0 @@
-## 4.0.1
-
-No user-facing changes.

cpp/ql/lib/codeql-pack.release.yml

@@ -1,2 +1,2 @@
 ---
-lastReleaseVersion: 4.0.1
+lastReleaseVersion: 4.0.0

cpp/ql/lib/qlpack.yml

@@ -1,5 +1,5 @@
 name: codeql/cpp-all
-version: 4.0.2-dev
+version: 4.0.1-dev
 groups: cpp
 dbscheme: semmlecode.cpp.dbscheme
 extractor: cpp

cpp/ql/lib/semmle/code/cpp/Location.qll

@@ -75,10 +75,7 @@ class Location extends @location {
 
   /** Holds if `this` comes on a line strictly before `l`. */
   pragma[inline]
-  predicate isBefore(Location l) {
-    this.getFile() = l.getFile() and
-    this.getEndLine() < l.getStartLine()
-  }
+  predicate isBefore(Location l) { this.isBefore(l, false) }
 
   /**
    * Holds if `this` comes strictly before `l`. The boolean `sameLine` is

cpp/ql/lib/semmle/code/cpp/dataflow/ExternalFlow.qll

@@ -869,11 +869,12 @@ private predicate elementSpecMatchesSignature(
 bindingset[nameWithoutArgs]
 pragma[inline_late]
 private Class getClassAndNameImpl(Function method, string nameWithoutArgs) {
-  result = method.getDeclaringType() and
-  nameWithoutArgs = "operator " + method.(ConversionOperator).getDestType()
-  or
-  result = method.getClassAndName(nameWithoutArgs) and
-  not method instanceof ConversionOperator
+  exists(string memberName | result = method.getClassAndName(memberName) |
+    nameWithoutArgs = "operator " + method.(ConversionOperator).getDestType()
+    or
+    not method instanceof ConversionOperator and
+    memberName = nameWithoutArgs
+  )
 }
 
 /**

cpp/ql/lib/semmle/code/cpp/ir/dataflow/internal/DataFlowPrivate.qll

@@ -1765,14 +1765,14 @@ module IteratorFlow {
      * Note: Unlike `def.getAnUltimateDefinition()` this predicate also
      * traverses back through iterator increment and decrement operations.
      */
-    private Ssa::DefinitionExt getAnUltimateDefinition(Ssa::DefinitionExt def) {
+    private Ssa::Def getAnUltimateDefinition(Ssa::Def def) {
       result = def.getAnUltimateDefinition()
       or
       exists(IRBlock bb, int i, IteratorCrementCall crementCall, Ssa::SourceVariable sv |
         crementCall = def.getValue().asInstruction().(StoreInstruction).getSourceValue() and
         sv = def.getSourceVariable() and
         bb.getInstruction(i) = crementCall and
-        Ssa::ssaDefReachesReadExt(sv, result, bb, i)
+        Ssa::ssaDefReachesReadExt(sv, result.asDef(), bb, i)
       )
     }
 
@@ -1800,13 +1800,13 @@ module IteratorFlow {
       GetsIteratorCall beginCall, Instruction writeToDeref
     ) {
       exists(
-        StoreInstruction beginStore, IRBlock bbStar, int iStar, Ssa::DefinitionExt def,
-        IteratorPointerDereferenceCall starCall, Ssa::DefinitionExt ultimate, Operand address
+        StoreInstruction beginStore, IRBlock bbStar, int iStar, Ssa::Def def,
+        IteratorPointerDereferenceCall starCall, Ssa::Def ultimate, Operand address
       |
         isIteratorWrite(writeToDeref, address) and
         operandForFullyConvertedCall(address, starCall) and
         bbStar.getInstruction(iStar) = starCall and
-        Ssa::ssaDefReachesReadExt(_, def, bbStar, iStar) and
+        Ssa::ssaDefReachesReadExt(_, def.asDef(), bbStar, iStar) and
         ultimate = getAnUltimateDefinition*(def) and
         beginStore = ultimate.getValue().asInstruction() and
         operandForFullyConvertedCall(beginStore.getSourceValueOperand(), beginCall)

cpp/ql/lib/semmle/code/cpp/ir/dataflow/internal/DataFlowUtil.qll

@@ -842,11 +842,18 @@ class InitialGlobalValue extends Node, TInitialGlobalValue {
     result.asSourceCallable() = this.getFunction()
   }
 
-  override Declaration getFunction() { result = globalDef.getFunction() }
+  override Declaration getFunction() { result = globalDef.getIRFunction().getFunction() }
 
   final override predicate isGLValue() { globalDef.getIndirectionIndex() = 0 }
 
-  override DataFlowType getType() { result = globalDef.getUnderlyingType() }
+  override DataFlowType getType() {
+    exists(DataFlowType type |
+      type = globalDef.getUnderlyingType() and
+      if this.isGLValue()
+      then result = type
+      else result = getTypeImpl(type, globalDef.getIndirectionIndex() - 1)
+    )
+  }
 
   final override Location getLocationImpl() { result = globalDef.getLocation() }
 
@@ -1305,7 +1312,7 @@ class UninitializedNode extends Node {
   LocalVariable v;
 
   UninitializedNode() {
-    exists(Ssa::DefinitionExt def, Ssa::SourceVariable sv |
+    exists(Ssa::Def def, Ssa::SourceVariable sv |
       def.getIndirectionIndex() = 0 and
       def.getValue().asInstruction() instanceof UninitializedInstruction and
       Ssa::defToNode(this, def, sv, _, _, _) and
@@ -2292,7 +2299,7 @@ class ContentSet instanceof Content {
 
 pragma[nomagic]
 private predicate guardControlsPhiInput(
-  IRGuardCondition g, boolean branch, Ssa::DefinitionExt def, IRBlock input, Ssa::PhiNode phi
+  IRGuardCondition g, boolean branch, Ssa::Definition def, IRBlock input, Ssa::PhiNode phi
 ) {
   phi.hasInputFromBlock(def, _, _, _, input) and
   (

cpp/ql/lib/semmle/code/cpp/ir/dataflow/internal/SsaInternals.qll

@@ -225,16 +225,10 @@ abstract class DefImpl extends TDefImpl {
     )
   }
 
-  /**
-   * Holds if this definition is guaranteed to totally overwrite the
-   * destination buffer.
-   */
   abstract predicate isCertain();
 
-  /** Gets the value written to the destination variable by this definition. */
   abstract Node0Impl getValue();
 
-  /** Gets the operand that represents the address of this definition, if any. */
   Operand getAddressOperand() { none() }
 }
 
@@ -697,10 +691,8 @@ predicate outNodeHasAddressAndIndex(
  *
  * Holds if `node` is the node that corresponds to the definition of `def`.
  */
-predicate defToNode(
-  Node node, DefinitionExt def, SourceVariable sv, IRBlock bb, int i, boolean uncertain
-) {
-  def.definesAt(sv, bb, i, _) and
+predicate defToNode(Node node, Def def, SourceVariable sv, IRBlock bb, int i, boolean uncertain) {
+  def.hasIndexInBlock(bb, i, sv) and
   (
     nodeHasOperand(node, def.getValue().asOperand(), def.getIndirectionIndex())
     or
@@ -1065,7 +1057,7 @@ module SsaCached {
   }
 
   cached
-  DefinitionExt phiHasInputFromBlockExt(PhiNode phi, IRBlock bb) {
+  Definition phiHasInputFromBlockExt(PhiNode phi, IRBlock bb) {
     SsaImpl::phiHasInputFromBlockExt(phi, result, bb)
   }
 
@@ -1079,24 +1071,157 @@ module SsaCached {
   predicate variableWrite = SsaInput::variableWrite/4;
 }
 
-/** Gets the `DefImpl` corresponding to `def`. */
-private DefImpl getDefImpl(SsaImpl::DefinitionExt def) {
+cached
+private newtype TSsaDef =
+  TDef(DefinitionExt def) or
+  TPhi(PhiNode phi)
+
+abstract private class SsaDef extends TSsaDef {
+  /** Gets a textual representation of this element. */
+  string toString() { none() }
+
+  /** Gets the underlying non-phi definition or use. */
+  DefinitionExt asDef() { none() }
+
+  /** Gets the underlying phi node. */
+  PhiNode asPhi() { none() }
+
+  /** Gets the location of this element. */
+  abstract Location getLocation();
+}
+
+abstract class Def extends SsaDef, TDef {
+  DefinitionExt def;
+
+  Def() { this = TDef(def) }
+
+  final override DefinitionExt asDef() { result = def }
+
+  /** Gets the source variable underlying this SSA definition. */
+  final SourceVariable getSourceVariable() { result = def.getSourceVariable() }
+
+  override string toString() { result = def.toString() }
+
+  /**
+   * Holds if this definition (or use) has index `index` in block `block`,
+   * and is a definition (or use) of the variable `sv`.
+   */
+  predicate hasIndexInBlock(IRBlock block, int index, SourceVariable sv) {
+    def.definesAt(sv, block, index, _)
+  }
+
+  /** Gets the value written by this definition, if any. */
+  Node0Impl getValue() { none() }
+
+  /**
+   * Holds if this definition is guaranteed to overwrite the entire
+   * destination's allocation.
+   */
+  abstract predicate isCertain();
+
+  /** Gets the address operand written to by this definition. */
+  Operand getAddressOperand() { none() }
+
+  /** Gets the address written to by this definition. */
+  final Instruction getAddress() { result = this.getAddressOperand().getDef() }
+
+  /** Gets the indirection index of this definition. */
+  abstract int getIndirectionIndex();
+
+  /**
+   * Gets the indirection level that this definition is writing to.
+   * For instance, `x = y` is a definition of `x` at indirection level 1 and
+   * `*x = y` is a definition of `x` at indirection level 2.
+   */
+  abstract int getIndirection();
+
+  /**
+   * Gets a definition that ultimately defines this SSA definition and is not
+   * itself a phi node.
+   */
+  Def getAnUltimateDefinition() { result.asDef() = def.getAnUltimateDefinition() }
+}
+
+private predicate isGlobal(DefinitionExt def, GlobalDefImpl global) {
   exists(SourceVariable sv, IRBlock bb, int i |
     def.definesAt(sv, bb, i, _) and
-    result.hasIndexInBlock(bb, i, sv)
+    global.hasIndexInBlock(bb, i, sv)
   )
 }
 
-class GlobalDef extends DefinitionExt {
-  GlobalDefImpl impl;
+private class NonGlobalDef extends Def {
+  NonGlobalDef() { not isGlobal(def, _) }
 
-  GlobalDef() { impl = getDefImpl(this) }
+  final override Location getLocation() { result = this.getImpl().getLocation() }
+
+  private DefImpl getImpl() {
+    exists(SourceVariable sv, IRBlock bb, int i |
+      this.hasIndexInBlock(bb, i, sv) and
+      result.hasIndexInBlock(bb, i, sv)
+    )
+  }
+
+  override Node0Impl getValue() { result = this.getImpl().getValue() }
+
+  override predicate isCertain() { this.getImpl().isCertain() }
+
+  override Operand getAddressOperand() { result = this.getImpl().getAddressOperand() }
+
+  override int getIndirectionIndex() { result = this.getImpl().getIndirectionIndex() }
+
+  override int getIndirection() { result = this.getImpl().getIndirection() }
+}
+
+class GlobalDef extends Def {
+  GlobalDefImpl global;
+
+  GlobalDef() { isGlobal(def, global) }
+
+  /** Gets a textual representation of this definition. */
+  override string toString() { result = global.toString() }
+
+  final override Location getLocation() { result = global.getLocation() }
 
   /**
-   * Gets the global (or `static` local) variable written to by this SSA
-   * definition.
+   * Gets the type of this definition after specifiers have been deeply stripped
+   * and typedefs have been resolved.
    */
-  GlobalLikeVariable getVariable() { result = impl.getVariable() }
+  DataFlowType getUnspecifiedType() { result = global.getUnspecifiedType() }
+
+  /**
+   * Gets the type of this definition, after typedefs have been resolved.
+   */
+  DataFlowType getUnderlyingType() { result = global.getUnderlyingType() }
+
+  /** Gets the `IRFunction` whose body is evaluated after this definition. */
+  IRFunction getIRFunction() { result = global.getIRFunction() }
+
+  /** Gets the global variable associated with this definition. */
+  GlobalLikeVariable getVariable() { result = global.getVariable() }
+
+  override predicate isCertain() { any() }
+
+  final override int getIndirectionIndex() { result = global.getIndirectionIndex() }
+
+  final override int getIndirection() { result = global.getIndirection() }
+}
+
+class Phi extends TPhi, SsaDef {
+  PhiNode phi;
+
+  Phi() { this = TPhi(phi) }
+
+  final override PhiNode asPhi() { result = phi }
+
+  final override Location getLocation() { result = phi.getBasicBlock().getLocation() }
+
+  override string toString() { result = phi.toString() }
+
+  SsaPhiInputNode getNode(IRBlock block) { result.getPhiNode() = phi and result.getBlock() = block }
+
+  predicate hasInputFromBlock(Definition inp, IRBlock bb) { inp = phiHasInputFromBlockExt(phi, bb) }
+
+  final Definition getAnInput() { this.hasInputFromBlock(result, _) }
 }
 
 private module SsaImpl = SsaImplCommon::Make<Location, SsaInput>;
@@ -1134,12 +1259,12 @@ class PhiNode extends SsaImpl::DefinitionExt {
   }
 
   /** Gets a definition that is an input to this phi node. */
-  final DefinitionExt getAnInput() { this.hasInputFromBlock(result, _, _, _, _) }
+  final Definition getAnInput() { this.hasInputFromBlock(result, _, _, _, _) }
 }
 
 /** An static single assignment (SSA) definition. */
 class DefinitionExt extends SsaImpl::DefinitionExt {
-  private DefinitionExt getAPhiInputOrPriorDefinition() { result = this.(PhiNode).getAnInput() }
+  private Definition getAPhiInputOrPriorDefinition() { result = this.(PhiNode).getAnInput() }
 
   /**
    * Gets a definition that ultimately defines this SSA definition and is
@@ -1150,37 +1275,6 @@ class DefinitionExt extends SsaImpl::DefinitionExt {
     not result instanceof PhiNode
   }
 
-  /**
-   * INTERNAL: Do not use.
-   */
-  Node0Impl getValue() { result = getDefImpl(this).getValue() }
-
-  /** Gets the indirection index of this definition. */
-  int getIndirectionIndex() { result = getDefImpl(this).getIndirectionIndex() }
-
-  /** Gets the indirection of this definition. */
-  int getIndirection() { result = getDefImpl(this).getIndirection() }
-
-  /**
-   * Holds if this definition is guaranteed to totally overwrite the buffer
-   * being written to.
-   */
-  predicate isCertain() { getDefImpl(this).isCertain() }
-
-  /**
-   * Gets the enclosing declaration of this definition.
-   *
-   * Note that this may be a variable when this definition defines a global, or
-   * a static local, variable.
-   */
-  Declaration getFunction() { result = getDefImpl(this).getBlock().getEnclosingFunction() }
-
-  /** Gets the underlying type of the variable being defined by this definition. */
-  Type getUnderlyingType() { result = this.getSourceVariable().getType() }
-
-  /** Gets the unspecified type of the variable being defined by this definition. */
-  Type getUnspecifiedType() { result = this.getUnderlyingType().getUnspecifiedType() }
-
   /** Gets a node that represents a read of this SSA definition. */
   pragma[nomagic]
   Node getARead() {
@@ -1192,4 +1286,6 @@ class DefinitionExt extends SsaImpl::DefinitionExt {
   }
 }
 
+class Definition = SsaImpl::Definition;
+
 import SsaCached

cpp/ql/lib/semmle/code/cpp/ir/dataflow/internal/SsaInternalsCommon.qll

@@ -769,4 +769,8 @@ module InputSigCommon {
   BasicBlock getImmediateBasicBlockDominator(BasicBlock bb) { result.immediatelyDominates(bb) }
 
   BasicBlock getABasicBlockSuccessor(BasicBlock bb) { result = bb.getASuccessor() }
+
+  class ExitBasicBlock extends BasicBlock {
+    ExitBasicBlock() { this.getLastInstruction() instanceof ExitFunctionInstruction }
+  }
 }

cpp/ql/src/CHANGELOG.md

@@ -1,7 +1,3 @@
-## 1.3.4
-
-No user-facing changes.
-
 ## 1.3.3
 
 ### Minor Analysis Improvements

cpp/ql/src/Security/CWE/CWE-078/ExecTainted.ql

@@ -49,17 +49,11 @@ predicate interestingConcatenation(DataFlow::Node incoming, DataFlow::Node outgo
     call.getTarget() = op and
     op.hasQualifiedName("std", "operator+") and
     op.getType().(UserType).hasQualifiedName("std", "basic_string") and
-    incoming.asIndirectArgument() = call.getArgument(1) and // right operand
+    incoming.asIndirectArgument() = call.getArgument(1) and // left operand
     call = outgoing.asInstruction().getUnconvertedResultExpression()
   )
 }
 
-/**
- * A state will represent the most recent concatenation that occurred in the data flow.
- *  - `TConcatState` if the concetenation has not yet occurred.
- *  - `TExecState(incoming, outgoing)`, representing the concatenation of data from `incoming`
- *    into result `outgoing`.
- */
 newtype TState =
   TConcatState() or
   TExecState(DataFlow::Node incoming, DataFlow::Node outgoing) {
@@ -80,9 +74,7 @@ class ExecState extends TExecState {
 
   DataFlow::Node getOutgoingNode() { result = outgoing }
 
-  /**
-   * Holds if this is a possible `ExecState` at `sink`, that is, if `outgoing` flows to `sink`.
-   */
+  /** Holds if this is a possible `ExecState` for `sink`. */
   predicate isFeasibleForSink(DataFlow::Node sink) { ExecState::flow(outgoing, sink) }
 
   string toString() { result = "ExecState" }
@@ -118,12 +110,6 @@ module ExecStateConfig implements DataFlow::ConfigSig {
 
 module ExecState = TaintTracking::Global<ExecStateConfig>;
 
-/**
- * A full `TaintTracking` configuration from source to concatenation to sink, using a flow
- * state to remember the concatenation. It's important that we track flow to the sink even though
- * as soon as we reach the concatenation we know it will get there (due to the check of
- * `isFeasibleForSink`), because this way we get a complete flow path.
- */
 module ExecTaintConfig implements DataFlow::StateConfigSig {
   class FlowState = TState;
 

cpp/ql/src/change-notes/released/1.3.4.md

@@ -1,3 +0,0 @@
-## 1.3.4
-
-No user-facing changes.

cpp/ql/src/codeql-pack.release.yml

@@ -1,2 +1,2 @@
 ---
-lastReleaseVersion: 1.3.4
+lastReleaseVersion: 1.3.3

cpp/ql/src/codeql-suites/cpp-ccr.qls

@@ -1 +0,0 @@
-[]

cpp/ql/src/qlpack.yml

@@ -1,5 +1,5 @@
 name: codeql/cpp-queries
-version: 1.3.5-dev
+version: 1.3.4-dev
 groups:
   - cpp
   - queries

cpp/ql/test/query-tests/Security/CWE/CWE-078/semmle/ExecTainted/ExecTainted.expected

@@ -7,88 +7,68 @@ edges
 | test.cpp:47:21:47:26 | *call to getenv | test.cpp:50:35:50:43 | *envCflags | provenance |  |
 | test.cpp:50:11:50:17 | sprintf output argument | test.cpp:51:10:51:16 | *command | provenance |  |
 | test.cpp:50:35:50:43 | *envCflags | test.cpp:50:11:50:17 | sprintf output argument | provenance | Config |
-| test.cpp:63:9:63:16 | fread output argument | test.cpp:65:20:65:27 | *filename | provenance |  |
-| test.cpp:65:11:65:17 | strncat output argument | test.cpp:66:10:66:16 | *command | provenance |  |
-| test.cpp:65:20:65:27 | *filename | test.cpp:65:11:65:17 | strncat output argument | provenance | Config |
-| test.cpp:83:9:83:16 | fread output argument | test.cpp:85:20:85:27 | *filename | provenance |  |
-| test.cpp:85:11:85:17 | strncat output argument | test.cpp:86:32:86:38 | *command | provenance |  |
-| test.cpp:85:20:85:27 | *filename | test.cpp:85:11:85:17 | strncat output argument | provenance | Config |
-| test.cpp:92:9:92:16 | fread output argument | test.cpp:94:17:94:24 | *filename | provenance |  |
-| test.cpp:94:11:94:14 | strncat output argument | test.cpp:95:45:95:48 | *path | provenance |  |
-| test.cpp:94:17:94:24 | *filename | test.cpp:94:11:94:14 | strncat output argument | provenance | Config |
-| test.cpp:107:20:107:38 | *call to getenv | test.cpp:108:33:108:36 | *path | provenance | TaintFunction |
-| test.cpp:108:31:108:31 | call to operator+ | test.cpp:108:31:108:31 | call to operator+ | provenance |  |
-| test.cpp:108:31:108:31 | call to operator+ | test.cpp:109:18:109:22 | *call to c_str | provenance | TaintFunction |
-| test.cpp:108:33:108:36 | *path | test.cpp:108:31:108:31 | call to operator+ | provenance | Config |
-| test.cpp:114:20:114:38 | *call to getenv | test.cpp:115:19:115:22 | *path | provenance | TaintFunction |
-| test.cpp:115:10:115:23 | call to operator+ | test.cpp:115:25:115:29 | *call to c_str | provenance | TaintFunction |
-| test.cpp:115:10:115:23 | call to operator+ | test.cpp:115:25:115:29 | *call to c_str | provenance | TaintFunction |
-| test.cpp:115:17:115:17 | call to operator+ | test.cpp:115:10:115:23 | call to operator+ | provenance |  |
-| test.cpp:115:19:115:22 | *path | test.cpp:115:10:115:23 | call to operator+ | provenance | Config |
-| test.cpp:115:19:115:22 | *path | test.cpp:115:17:115:17 | call to operator+ | provenance | Config |
-| test.cpp:120:20:120:38 | *call to getenv | test.cpp:121:19:121:22 | *path | provenance | TaintFunction |
-| test.cpp:121:17:121:17 | call to operator+ | test.cpp:121:10:121:30 | *call to data | provenance | TaintFunction |
-| test.cpp:121:19:121:22 | *path | test.cpp:121:17:121:17 | call to operator+ | provenance | Config |
-| test.cpp:141:9:141:11 | fread output argument | test.cpp:143:31:143:33 | *str | provenance |  |
-| test.cpp:143:11:143:17 | sprintf output argument | test.cpp:144:10:144:16 | *command | provenance |  |
-| test.cpp:143:31:143:33 | *str | test.cpp:143:11:143:17 | sprintf output argument | provenance | Config |
-| test.cpp:175:9:175:16 | fread output argument | test.cpp:178:20:178:27 | *filename | provenance |  |
-| test.cpp:175:9:175:16 | fread output argument | test.cpp:181:22:181:29 | *filename | provenance |  |
-| test.cpp:178:13:178:17 | strncat output argument | test.cpp:179:22:179:26 | *flags | provenance |  |
-| test.cpp:178:13:178:17 | strncat output argument | test.cpp:179:22:179:26 | *flags | provenance |  |
-| test.cpp:178:20:178:27 | *filename | test.cpp:178:13:178:17 | strncat output argument | provenance | Config |
-| test.cpp:178:20:178:27 | *filename | test.cpp:178:13:178:17 | strncat output argument | provenance | TaintFunction |
-| test.cpp:179:13:179:19 | strncat output argument | test.cpp:184:32:184:38 | *command | provenance |  |
-| test.cpp:179:13:179:19 | strncat output argument | test.cpp:184:32:184:38 | *command | provenance |  |
-| test.cpp:179:22:179:26 | *flags | test.cpp:179:13:179:19 | strncat output argument | provenance | Config |
-| test.cpp:179:22:179:26 | *flags | test.cpp:179:13:179:19 | strncat output argument | provenance | TaintFunction |
-| test.cpp:181:13:181:19 | strncat output argument | test.cpp:184:32:184:38 | *command | provenance |  |
-| test.cpp:181:22:181:29 | *filename | test.cpp:181:13:181:19 | strncat output argument | provenance | Config |
-| test.cpp:187:47:187:54 | *filename | test.cpp:188:18:188:25 | *filename | provenance |  |
-| test.cpp:188:11:188:15 | strncat output argument | test.cpp:189:20:189:24 | *flags | provenance |  |
-| test.cpp:188:11:188:15 | strncat output argument | test.cpp:189:20:189:24 | *flags | provenance |  |
-| test.cpp:188:18:188:25 | *filename | test.cpp:188:11:188:15 | strncat output argument | provenance | Config |
-| test.cpp:188:18:188:25 | *filename | test.cpp:188:11:188:15 | strncat output argument | provenance | TaintFunction |
-| test.cpp:189:11:189:17 | strncat output argument | test.cpp:187:19:187:25 | *command | provenance |  |
-| test.cpp:189:11:189:17 | strncat output argument | test.cpp:187:19:187:25 | *command | provenance |  |
-| test.cpp:189:11:189:17 | strncat output argument | test.cpp:187:19:187:25 | *command [Return] | provenance |  |
-| test.cpp:189:11:189:17 | strncat output argument | test.cpp:187:19:187:25 | *command [Return] | provenance |  |
-| test.cpp:189:20:189:24 | *flags | test.cpp:189:11:189:17 | strncat output argument | provenance | Config |
-| test.cpp:189:20:189:24 | *flags | test.cpp:189:11:189:17 | strncat output argument | provenance | TaintFunction |
-| test.cpp:195:9:195:16 | fread output argument | test.cpp:197:26:197:33 | *filename | provenance |  |
-| test.cpp:197:10:197:16 | concat output argument | test.cpp:199:32:199:38 | *command | provenance |  |
-| test.cpp:197:10:197:16 | concat output argument | test.cpp:199:32:199:38 | *command | provenance |  |
-| test.cpp:197:26:197:33 | *filename | test.cpp:187:47:187:54 | *filename | provenance |  |
-| test.cpp:197:26:197:33 | *filename | test.cpp:197:10:197:16 | concat output argument | provenance | Config |
-| test.cpp:197:26:197:33 | *filename | test.cpp:197:10:197:16 | concat output argument | provenance | TaintFunction |
-| test.cpp:219:9:219:16 | fread output argument | test.cpp:221:19:221:26 | *filename | provenance |  |
-| test.cpp:221:10:221:16 | strncat output argument | test.cpp:221:10:221:16 | strncat output argument | provenance | TaintFunction |
-| test.cpp:221:10:221:16 | strncat output argument | test.cpp:221:10:221:16 | strncat output argument | provenance | TaintFunction |
-| test.cpp:221:10:221:16 | strncat output argument | test.cpp:223:32:223:38 | *command | provenance |  |
-| test.cpp:221:10:221:16 | strncat output argument | test.cpp:223:32:223:38 | *command | provenance |  |
-| test.cpp:221:19:221:26 | *filename | test.cpp:221:10:221:16 | strncat output argument | provenance | Config |
-| test.cpp:221:19:221:26 | *filename | test.cpp:221:10:221:16 | strncat output argument | provenance | Config |
-| test.cpp:221:19:221:26 | *filename | test.cpp:221:19:221:26 | *filename | provenance |  |
-| test.cpp:231:11:231:16 | strncat output argument | test.cpp:232:11:232:16 | strncat output argument | provenance | TaintFunction |
-| test.cpp:231:19:231:33 | *call to getenv | test.cpp:231:11:231:16 | strncat output argument | provenance | Config |
-| test.cpp:232:11:232:16 | strncat output argument | test.cpp:233:11:233:16 | strncat output argument | provenance | TaintFunction |
-| test.cpp:232:11:232:16 | strncat output argument | test.cpp:233:11:233:16 | strncat output argument | provenance | TaintFunction |
-| test.cpp:232:19:232:33 | *call to getenv | test.cpp:232:11:232:16 | strncat output argument | provenance | Config |
-| test.cpp:233:11:233:16 | strncat output argument | test.cpp:234:10:234:15 | *buffer | provenance |  |
-| test.cpp:233:11:233:16 | strncat output argument | test.cpp:234:10:234:15 | *buffer | provenance |  |
-| test.cpp:242:11:242:17 | sprintf output argument | test.cpp:247:5:247:11 | *buffer1 | provenance |  |
-| test.cpp:242:11:242:17 | sprintf output argument | test.cpp:247:5:247:11 | *buffer1 | provenance |  |
-| test.cpp:243:5:243:10 | *call to getenv | test.cpp:242:11:242:17 | sprintf output argument | provenance | TaintFunction |
-| test.cpp:244:5:244:10 | *call to getenv | test.cpp:242:11:242:17 | sprintf output argument | provenance | Config |
-| test.cpp:244:5:244:10 | *call to getenv | test.cpp:242:11:242:17 | sprintf output argument | provenance | TaintFunction |
-| test.cpp:245:11:245:17 | sprintf output argument | test.cpp:249:10:249:16 | *buffer2 | provenance |  |
-| test.cpp:245:11:245:17 | sprintf output argument | test.cpp:249:10:249:16 | *buffer2 | provenance |  |
-| test.cpp:245:11:245:17 | sprintf output argument | test.cpp:249:10:249:16 | *buffer2 | provenance |  |
-| test.cpp:247:5:247:11 | *buffer1 | test.cpp:245:11:245:17 | sprintf output argument | provenance | Config |
-| test.cpp:247:5:247:11 | *buffer1 | test.cpp:245:11:245:17 | sprintf output argument | provenance | TaintFunction |
-| test.cpp:248:5:248:10 | *call to getenv | test.cpp:245:11:245:17 | sprintf output argument | provenance | Config |
-| test.cpp:259:13:259:18 | strncat output argument | test.cpp:261:10:261:15 | *buffer | provenance |  |
-| test.cpp:259:21:259:35 | *call to getenv | test.cpp:259:13:259:18 | strncat output argument | provenance | Config |
+| test.cpp:62:9:62:16 | fread output argument | test.cpp:64:20:64:27 | *filename | provenance |  |
+| test.cpp:64:11:64:17 | strncat output argument | test.cpp:65:10:65:16 | *command | provenance |  |
+| test.cpp:64:20:64:27 | *filename | test.cpp:64:11:64:17 | strncat output argument | provenance | Config |
+| test.cpp:82:9:82:16 | fread output argument | test.cpp:84:20:84:27 | *filename | provenance |  |
+| test.cpp:84:11:84:17 | strncat output argument | test.cpp:85:32:85:38 | *command | provenance |  |
+| test.cpp:84:20:84:27 | *filename | test.cpp:84:11:84:17 | strncat output argument | provenance | Config |
+| test.cpp:91:9:91:16 | fread output argument | test.cpp:93:17:93:24 | *filename | provenance |  |
+| test.cpp:93:11:93:14 | strncat output argument | test.cpp:94:45:94:48 | *path | provenance |  |
+| test.cpp:93:17:93:24 | *filename | test.cpp:93:11:93:14 | strncat output argument | provenance | Config |
+| test.cpp:106:20:106:38 | *call to getenv | test.cpp:107:33:107:36 | *path | provenance | TaintFunction |
+| test.cpp:107:31:107:31 | call to operator+ | test.cpp:107:31:107:31 | call to operator+ | provenance |  |
+| test.cpp:107:31:107:31 | call to operator+ | test.cpp:108:18:108:22 | *call to c_str | provenance | TaintFunction |
+| test.cpp:107:33:107:36 | *path | test.cpp:107:31:107:31 | call to operator+ | provenance | Config |
+| test.cpp:113:20:113:38 | *call to getenv | test.cpp:114:19:114:22 | *path | provenance | TaintFunction |
+| test.cpp:114:10:114:23 | call to operator+ | test.cpp:114:25:114:29 | *call to c_str | provenance | TaintFunction |
+| test.cpp:114:10:114:23 | call to operator+ | test.cpp:114:25:114:29 | *call to c_str | provenance | TaintFunction |
+| test.cpp:114:17:114:17 | call to operator+ | test.cpp:114:10:114:23 | call to operator+ | provenance |  |
+| test.cpp:114:19:114:22 | *path | test.cpp:114:10:114:23 | call to operator+ | provenance | Config |
+| test.cpp:114:19:114:22 | *path | test.cpp:114:17:114:17 | call to operator+ | provenance | Config |
+| test.cpp:119:20:119:38 | *call to getenv | test.cpp:120:19:120:22 | *path | provenance | TaintFunction |
+| test.cpp:120:17:120:17 | call to operator+ | test.cpp:120:10:120:30 | *call to data | provenance | TaintFunction |
+| test.cpp:120:19:120:22 | *path | test.cpp:120:17:120:17 | call to operator+ | provenance | Config |
+| test.cpp:140:9:140:11 | fread output argument | test.cpp:142:31:142:33 | *str | provenance |  |
+| test.cpp:142:11:142:17 | sprintf output argument | test.cpp:143:10:143:16 | *command | provenance |  |
+| test.cpp:142:31:142:33 | *str | test.cpp:142:11:142:17 | sprintf output argument | provenance | Config |
+| test.cpp:174:9:174:16 | fread output argument | test.cpp:177:20:177:27 | *filename | provenance |  |
+| test.cpp:174:9:174:16 | fread output argument | test.cpp:180:22:180:29 | *filename | provenance |  |
+| test.cpp:177:13:177:17 | strncat output argument | test.cpp:178:22:178:26 | *flags | provenance |  |
+| test.cpp:177:13:177:17 | strncat output argument | test.cpp:178:22:178:26 | *flags | provenance |  |
+| test.cpp:177:20:177:27 | *filename | test.cpp:177:13:177:17 | strncat output argument | provenance | Config |
+| test.cpp:177:20:177:27 | *filename | test.cpp:177:13:177:17 | strncat output argument | provenance | TaintFunction |
+| test.cpp:178:13:178:19 | strncat output argument | test.cpp:183:32:183:38 | *command | provenance |  |
+| test.cpp:178:13:178:19 | strncat output argument | test.cpp:183:32:183:38 | *command | provenance |  |
+| test.cpp:178:22:178:26 | *flags | test.cpp:178:13:178:19 | strncat output argument | provenance | Config |
+| test.cpp:178:22:178:26 | *flags | test.cpp:178:13:178:19 | strncat output argument | provenance | TaintFunction |
+| test.cpp:180:13:180:19 | strncat output argument | test.cpp:183:32:183:38 | *command | provenance |  |
+| test.cpp:180:22:180:29 | *filename | test.cpp:180:13:180:19 | strncat output argument | provenance | Config |
+| test.cpp:186:47:186:54 | *filename | test.cpp:187:18:187:25 | *filename | provenance |  |
+| test.cpp:187:11:187:15 | strncat output argument | test.cpp:188:20:188:24 | *flags | provenance |  |
+| test.cpp:187:11:187:15 | strncat output argument | test.cpp:188:20:188:24 | *flags | provenance |  |
+| test.cpp:187:18:187:25 | *filename | test.cpp:187:11:187:15 | strncat output argument | provenance | Config |
+| test.cpp:187:18:187:25 | *filename | test.cpp:187:11:187:15 | strncat output argument | provenance | TaintFunction |
+| test.cpp:188:11:188:17 | strncat output argument | test.cpp:186:19:186:25 | *command | provenance |  |
+| test.cpp:188:11:188:17 | strncat output argument | test.cpp:186:19:186:25 | *command | provenance |  |
+| test.cpp:188:11:188:17 | strncat output argument | test.cpp:186:19:186:25 | *command [Return] | provenance |  |
+| test.cpp:188:11:188:17 | strncat output argument | test.cpp:186:19:186:25 | *command [Return] | provenance |  |
+| test.cpp:188:20:188:24 | *flags | test.cpp:188:11:188:17 | strncat output argument | provenance | Config |
+| test.cpp:188:20:188:24 | *flags | test.cpp:188:11:188:17 | strncat output argument | provenance | TaintFunction |
+| test.cpp:194:9:194:16 | fread output argument | test.cpp:196:26:196:33 | *filename | provenance |  |
+| test.cpp:196:10:196:16 | concat output argument | test.cpp:198:32:198:38 | *command | provenance |  |
+| test.cpp:196:10:196:16 | concat output argument | test.cpp:198:32:198:38 | *command | provenance |  |
+| test.cpp:196:26:196:33 | *filename | test.cpp:186:47:186:54 | *filename | provenance |  |
+| test.cpp:196:26:196:33 | *filename | test.cpp:196:10:196:16 | concat output argument | provenance | Config |
+| test.cpp:196:26:196:33 | *filename | test.cpp:196:10:196:16 | concat output argument | provenance | TaintFunction |
+| test.cpp:218:9:218:16 | fread output argument | test.cpp:220:19:220:26 | *filename | provenance |  |
+| test.cpp:220:10:220:16 | strncat output argument | test.cpp:220:10:220:16 | strncat output argument | provenance | TaintFunction |
+| test.cpp:220:10:220:16 | strncat output argument | test.cpp:220:10:220:16 | strncat output argument | provenance | TaintFunction |
+| test.cpp:220:10:220:16 | strncat output argument | test.cpp:222:32:222:38 | *command | provenance |  |
+| test.cpp:220:10:220:16 | strncat output argument | test.cpp:222:32:222:38 | *command | provenance |  |
+| test.cpp:220:19:220:26 | *filename | test.cpp:220:10:220:16 | strncat output argument | provenance | Config |
+| test.cpp:220:19:220:26 | *filename | test.cpp:220:10:220:16 | strncat output argument | provenance | Config |
+| test.cpp:220:19:220:26 | *filename | test.cpp:220:19:220:26 | *filename | provenance |  |
 nodes
 | test.cpp:15:27:15:30 | **argv | semmle.label | **argv |
 | test.cpp:16:20:16:26 | *access to array | semmle.label | *access to array |
@@ -100,130 +80,98 @@ nodes
 | test.cpp:50:11:50:17 | sprintf output argument | semmle.label | sprintf output argument |
 | test.cpp:50:35:50:43 | *envCflags | semmle.label | *envCflags |
 | test.cpp:51:10:51:16 | *command | semmle.label | *command |
-| test.cpp:63:9:63:16 | fread output argument | semmle.label | fread output argument |
-| test.cpp:65:11:65:17 | strncat output argument | semmle.label | strncat output argument |
-| test.cpp:65:20:65:27 | *filename | semmle.label | *filename |
-| test.cpp:66:10:66:16 | *command | semmle.label | *command |
-| test.cpp:83:9:83:16 | fread output argument | semmle.label | fread output argument |
-| test.cpp:85:11:85:17 | strncat output argument | semmle.label | strncat output argument |
-| test.cpp:85:20:85:27 | *filename | semmle.label | *filename |
-| test.cpp:86:32:86:38 | *command | semmle.label | *command |
-| test.cpp:92:9:92:16 | fread output argument | semmle.label | fread output argument |
-| test.cpp:94:11:94:14 | strncat output argument | semmle.label | strncat output argument |
-| test.cpp:94:17:94:24 | *filename | semmle.label | *filename |
-| test.cpp:95:45:95:48 | *path | semmle.label | *path |
-| test.cpp:107:20:107:38 | *call to getenv | semmle.label | *call to getenv |
-| test.cpp:108:31:108:31 | call to operator+ | semmle.label | call to operator+ |
-| test.cpp:108:31:108:31 | call to operator+ | semmle.label | call to operator+ |
-| test.cpp:108:33:108:36 | *path | semmle.label | *path |
-| test.cpp:109:18:109:22 | *call to c_str | semmle.label | *call to c_str |
-| test.cpp:114:20:114:38 | *call to getenv | semmle.label | *call to getenv |
-| test.cpp:115:10:115:23 | call to operator+ | semmle.label | call to operator+ |
-| test.cpp:115:10:115:23 | call to operator+ | semmle.label | call to operator+ |
-| test.cpp:115:17:115:17 | call to operator+ | semmle.label | call to operator+ |
-| test.cpp:115:19:115:22 | *path | semmle.label | *path |
-| test.cpp:115:25:115:29 | *call to c_str | semmle.label | *call to c_str |
-| test.cpp:115:25:115:29 | *call to c_str | semmle.label | *call to c_str |
-| test.cpp:120:20:120:38 | *call to getenv | semmle.label | *call to getenv |
-| test.cpp:121:10:121:30 | *call to data | semmle.label | *call to data |
-| test.cpp:121:17:121:17 | call to operator+ | semmle.label | call to operator+ |
-| test.cpp:121:19:121:22 | *path | semmle.label | *path |
-| test.cpp:141:9:141:11 | fread output argument | semmle.label | fread output argument |
-| test.cpp:143:11:143:17 | sprintf output argument | semmle.label | sprintf output argument |
-| test.cpp:143:31:143:33 | *str | semmle.label | *str |
-| test.cpp:144:10:144:16 | *command | semmle.label | *command |
-| test.cpp:175:9:175:16 | fread output argument | semmle.label | fread output argument |
-| test.cpp:178:13:178:17 | strncat output argument | semmle.label | strncat output argument |
-| test.cpp:178:13:178:17 | strncat output argument | semmle.label | strncat output argument |
-| test.cpp:178:20:178:27 | *filename | semmle.label | *filename |
-| test.cpp:179:13:179:19 | strncat output argument | semmle.label | strncat output argument |
-| test.cpp:179:13:179:19 | strncat output argument | semmle.label | strncat output argument |
-| test.cpp:179:22:179:26 | *flags | semmle.label | *flags |
-| test.cpp:179:22:179:26 | *flags | semmle.label | *flags |
-| test.cpp:181:13:181:19 | strncat output argument | semmle.label | strncat output argument |
-| test.cpp:181:22:181:29 | *filename | semmle.label | *filename |
-| test.cpp:184:32:184:38 | *command | semmle.label | *command |
-| test.cpp:184:32:184:38 | *command | semmle.label | *command |
-| test.cpp:184:32:184:38 | *command | semmle.label | *command |
-| test.cpp:187:19:187:25 | *command | semmle.label | *command |
-| test.cpp:187:19:187:25 | *command | semmle.label | *command |
-| test.cpp:187:19:187:25 | *command [Return] | semmle.label | *command [Return] |
-| test.cpp:187:19:187:25 | *command [Return] | semmle.label | *command [Return] |
-| test.cpp:187:47:187:54 | *filename | semmle.label | *filename |
-| test.cpp:188:11:188:15 | strncat output argument | semmle.label | strncat output argument |
-| test.cpp:188:11:188:15 | strncat output argument | semmle.label | strncat output argument |
-| test.cpp:188:18:188:25 | *filename | semmle.label | *filename |
-| test.cpp:189:11:189:17 | strncat output argument | semmle.label | strncat output argument |
-| test.cpp:189:11:189:17 | strncat output argument | semmle.label | strncat output argument |
-| test.cpp:189:20:189:24 | *flags | semmle.label | *flags |
-| test.cpp:189:20:189:24 | *flags | semmle.label | *flags |
-| test.cpp:195:9:195:16 | fread output argument | semmle.label | fread output argument |
-| test.cpp:197:10:197:16 | concat output argument | semmle.label | concat output argument |
-| test.cpp:197:10:197:16 | concat output argument | semmle.label | concat output argument |
-| test.cpp:197:26:197:33 | *filename | semmle.label | *filename |
-| test.cpp:199:32:199:38 | *command | semmle.label | *command |
-| test.cpp:199:32:199:38 | *command | semmle.label | *command |
-| test.cpp:219:9:219:16 | fread output argument | semmle.label | fread output argument |
-| test.cpp:221:10:221:16 | strncat output argument | semmle.label | strncat output argument |
-| test.cpp:221:10:221:16 | strncat output argument | semmle.label | strncat output argument |
-| test.cpp:221:10:221:16 | strncat output argument | semmle.label | strncat output argument |
-| test.cpp:221:10:221:16 | strncat output argument | semmle.label | strncat output argument |
-| test.cpp:221:19:221:26 | *filename | semmle.label | *filename |
-| test.cpp:221:19:221:26 | *filename | semmle.label | *filename |
-| test.cpp:223:32:223:38 | *command | semmle.label | *command |
-| test.cpp:223:32:223:38 | *command | semmle.label | *command |
-| test.cpp:231:11:231:16 | strncat output argument | semmle.label | strncat output argument |
-| test.cpp:231:19:231:33 | *call to getenv | semmle.label | *call to getenv |
-| test.cpp:232:11:232:16 | strncat output argument | semmle.label | strncat output argument |
-| test.cpp:232:11:232:16 | strncat output argument | semmle.label | strncat output argument |
-| test.cpp:232:19:232:33 | *call to getenv | semmle.label | *call to getenv |
-| test.cpp:233:11:233:16 | strncat output argument | semmle.label | strncat output argument |
-| test.cpp:233:11:233:16 | strncat output argument | semmle.label | strncat output argument |
-| test.cpp:234:10:234:15 | *buffer | semmle.label | *buffer |
-| test.cpp:234:10:234:15 | *buffer | semmle.label | *buffer |
-| test.cpp:242:11:242:17 | sprintf output argument | semmle.label | sprintf output argument |
-| test.cpp:242:11:242:17 | sprintf output argument | semmle.label | sprintf output argument |
-| test.cpp:243:5:243:10 | *call to getenv | semmle.label | *call to getenv |
-| test.cpp:244:5:244:10 | *call to getenv | semmle.label | *call to getenv |
-| test.cpp:245:11:245:17 | sprintf output argument | semmle.label | sprintf output argument |
-| test.cpp:245:11:245:17 | sprintf output argument | semmle.label | sprintf output argument |
-| test.cpp:245:11:245:17 | sprintf output argument | semmle.label | sprintf output argument |
-| test.cpp:247:5:247:11 | *buffer1 | semmle.label | *buffer1 |
-| test.cpp:247:5:247:11 | *buffer1 | semmle.label | *buffer1 |
-| test.cpp:248:5:248:10 | *call to getenv | semmle.label | *call to getenv |
-| test.cpp:249:10:249:16 | *buffer2 | semmle.label | *buffer2 |
-| test.cpp:249:10:249:16 | *buffer2 | semmle.label | *buffer2 |
-| test.cpp:249:10:249:16 | *buffer2 | semmle.label | *buffer2 |
-| test.cpp:259:13:259:18 | strncat output argument | semmle.label | strncat output argument |
-| test.cpp:259:21:259:35 | *call to getenv | semmle.label | *call to getenv |
-| test.cpp:261:10:261:15 | *buffer | semmle.label | *buffer |
+| test.cpp:62:9:62:16 | fread output argument | semmle.label | fread output argument |
+| test.cpp:64:11:64:17 | strncat output argument | semmle.label | strncat output argument |
+| test.cpp:64:20:64:27 | *filename | semmle.label | *filename |
+| test.cpp:65:10:65:16 | *command | semmle.label | *command |
+| test.cpp:82:9:82:16 | fread output argument | semmle.label | fread output argument |
+| test.cpp:84:11:84:17 | strncat output argument | semmle.label | strncat output argument |
+| test.cpp:84:20:84:27 | *filename | semmle.label | *filename |
+| test.cpp:85:32:85:38 | *command | semmle.label | *command |
+| test.cpp:91:9:91:16 | fread output argument | semmle.label | fread output argument |
+| test.cpp:93:11:93:14 | strncat output argument | semmle.label | strncat output argument |
+| test.cpp:93:17:93:24 | *filename | semmle.label | *filename |
+| test.cpp:94:45:94:48 | *path | semmle.label | *path |
+| test.cpp:106:20:106:38 | *call to getenv | semmle.label | *call to getenv |
+| test.cpp:107:31:107:31 | call to operator+ | semmle.label | call to operator+ |
+| test.cpp:107:31:107:31 | call to operator+ | semmle.label | call to operator+ |
+| test.cpp:107:33:107:36 | *path | semmle.label | *path |
+| test.cpp:108:18:108:22 | *call to c_str | semmle.label | *call to c_str |
+| test.cpp:113:20:113:38 | *call to getenv | semmle.label | *call to getenv |
+| test.cpp:114:10:114:23 | call to operator+ | semmle.label | call to operator+ |
+| test.cpp:114:10:114:23 | call to operator+ | semmle.label | call to operator+ |
+| test.cpp:114:17:114:17 | call to operator+ | semmle.label | call to operator+ |
+| test.cpp:114:19:114:22 | *path | semmle.label | *path |
+| test.cpp:114:25:114:29 | *call to c_str | semmle.label | *call to c_str |
+| test.cpp:114:25:114:29 | *call to c_str | semmle.label | *call to c_str |
+| test.cpp:119:20:119:38 | *call to getenv | semmle.label | *call to getenv |
+| test.cpp:120:10:120:30 | *call to data | semmle.label | *call to data |
+| test.cpp:120:17:120:17 | call to operator+ | semmle.label | call to operator+ |
+| test.cpp:120:19:120:22 | *path | semmle.label | *path |
+| test.cpp:140:9:140:11 | fread output argument | semmle.label | fread output argument |
+| test.cpp:142:11:142:17 | sprintf output argument | semmle.label | sprintf output argument |
+| test.cpp:142:31:142:33 | *str | semmle.label | *str |
+| test.cpp:143:10:143:16 | *command | semmle.label | *command |
+| test.cpp:174:9:174:16 | fread output argument | semmle.label | fread output argument |
+| test.cpp:177:13:177:17 | strncat output argument | semmle.label | strncat output argument |
+| test.cpp:177:13:177:17 | strncat output argument | semmle.label | strncat output argument |
+| test.cpp:177:20:177:27 | *filename | semmle.label | *filename |
+| test.cpp:178:13:178:19 | strncat output argument | semmle.label | strncat output argument |
+| test.cpp:178:13:178:19 | strncat output argument | semmle.label | strncat output argument |
+| test.cpp:178:22:178:26 | *flags | semmle.label | *flags |
+| test.cpp:178:22:178:26 | *flags | semmle.label | *flags |
+| test.cpp:180:13:180:19 | strncat output argument | semmle.label | strncat output argument |
+| test.cpp:180:22:180:29 | *filename | semmle.label | *filename |
+| test.cpp:183:32:183:38 | *command | semmle.label | *command |
+| test.cpp:183:32:183:38 | *command | semmle.label | *command |
+| test.cpp:183:32:183:38 | *command | semmle.label | *command |
+| test.cpp:186:19:186:25 | *command | semmle.label | *command |
+| test.cpp:186:19:186:25 | *command | semmle.label | *command |
+| test.cpp:186:19:186:25 | *command [Return] | semmle.label | *command [Return] |
+| test.cpp:186:19:186:25 | *command [Return] | semmle.label | *command [Return] |
+| test.cpp:186:47:186:54 | *filename | semmle.label | *filename |
+| test.cpp:187:11:187:15 | strncat output argument | semmle.label | strncat output argument |
+| test.cpp:187:11:187:15 | strncat output argument | semmle.label | strncat output argument |
+| test.cpp:187:18:187:25 | *filename | semmle.label | *filename |
+| test.cpp:188:11:188:17 | strncat output argument | semmle.label | strncat output argument |
+| test.cpp:188:11:188:17 | strncat output argument | semmle.label | strncat output argument |
+| test.cpp:188:20:188:24 | *flags | semmle.label | *flags |
+| test.cpp:188:20:188:24 | *flags | semmle.label | *flags |
+| test.cpp:194:9:194:16 | fread output argument | semmle.label | fread output argument |
+| test.cpp:196:10:196:16 | concat output argument | semmle.label | concat output argument |
+| test.cpp:196:10:196:16 | concat output argument | semmle.label | concat output argument |
+| test.cpp:196:26:196:33 | *filename | semmle.label | *filename |
+| test.cpp:198:32:198:38 | *command | semmle.label | *command |
+| test.cpp:198:32:198:38 | *command | semmle.label | *command |
+| test.cpp:218:9:218:16 | fread output argument | semmle.label | fread output argument |
+| test.cpp:220:10:220:16 | strncat output argument | semmle.label | strncat output argument |
+| test.cpp:220:10:220:16 | strncat output argument | semmle.label | strncat output argument |
+| test.cpp:220:10:220:16 | strncat output argument | semmle.label | strncat output argument |
+| test.cpp:220:10:220:16 | strncat output argument | semmle.label | strncat output argument |
+| test.cpp:220:19:220:26 | *filename | semmle.label | *filename |
+| test.cpp:220:19:220:26 | *filename | semmle.label | *filename |
+| test.cpp:222:32:222:38 | *command | semmle.label | *command |
+| test.cpp:222:32:222:38 | *command | semmle.label | *command |
 subpaths
-| test.cpp:197:26:197:33 | *filename | test.cpp:187:47:187:54 | *filename | test.cpp:187:19:187:25 | *command | test.cpp:197:10:197:16 | concat output argument |
-| test.cpp:197:26:197:33 | *filename | test.cpp:187:47:187:54 | *filename | test.cpp:187:19:187:25 | *command | test.cpp:197:10:197:16 | concat output argument |
-| test.cpp:197:26:197:33 | *filename | test.cpp:187:47:187:54 | *filename | test.cpp:187:19:187:25 | *command [Return] | test.cpp:197:10:197:16 | concat output argument |
-| test.cpp:197:26:197:33 | *filename | test.cpp:187:47:187:54 | *filename | test.cpp:187:19:187:25 | *command [Return] | test.cpp:197:10:197:16 | concat output argument |
+| test.cpp:196:26:196:33 | *filename | test.cpp:186:47:186:54 | *filename | test.cpp:186:19:186:25 | *command | test.cpp:196:10:196:16 | concat output argument |
+| test.cpp:196:26:196:33 | *filename | test.cpp:186:47:186:54 | *filename | test.cpp:186:19:186:25 | *command | test.cpp:196:10:196:16 | concat output argument |
+| test.cpp:196:26:196:33 | *filename | test.cpp:186:47:186:54 | *filename | test.cpp:186:19:186:25 | *command [Return] | test.cpp:196:10:196:16 | concat output argument |
+| test.cpp:196:26:196:33 | *filename | test.cpp:186:47:186:54 | *filename | test.cpp:186:19:186:25 | *command [Return] | test.cpp:196:10:196:16 | concat output argument |
 #select
 | test.cpp:23:12:23:19 | command1 | test.cpp:15:27:15:30 | **argv | test.cpp:23:12:23:19 | *command1 | This argument to an OS command is derived from $@, dangerously concatenated into $@, and then passed to system(string). | test.cpp:15:27:15:30 | **argv | user input (a command-line argument) | test.cpp:22:13:22:20 | sprintf output argument | sprintf output argument |
 | test.cpp:51:10:51:16 | command | test.cpp:47:21:47:26 | *call to getenv | test.cpp:51:10:51:16 | *command | This argument to an OS command is derived from $@, dangerously concatenated into $@, and then passed to system(string). | test.cpp:47:21:47:26 | *call to getenv | user input (an environment variable) | test.cpp:50:11:50:17 | sprintf output argument | sprintf output argument |
-| test.cpp:66:10:66:16 | command | test.cpp:63:9:63:16 | fread output argument | test.cpp:66:10:66:16 | *command | This argument to an OS command is derived from $@, dangerously concatenated into $@, and then passed to system(string). | test.cpp:63:9:63:16 | fread output argument | user input (string read by fread) | test.cpp:65:11:65:17 | strncat output argument | strncat output argument |
-| test.cpp:86:32:86:38 | command | test.cpp:83:9:83:16 | fread output argument | test.cpp:86:32:86:38 | *command | This argument to an OS command is derived from $@, dangerously concatenated into $@, and then passed to execl. | test.cpp:83:9:83:16 | fread output argument | user input (string read by fread) | test.cpp:85:11:85:17 | strncat output argument | strncat output argument |
-| test.cpp:95:45:95:48 | path | test.cpp:92:9:92:16 | fread output argument | test.cpp:95:45:95:48 | *path | This argument to an OS command is derived from $@, dangerously concatenated into $@, and then passed to execl. | test.cpp:92:9:92:16 | fread output argument | user input (string read by fread) | test.cpp:94:11:94:14 | strncat output argument | strncat output argument |
-| test.cpp:109:18:109:22 | call to c_str | test.cpp:107:20:107:38 | *call to getenv | test.cpp:109:18:109:22 | *call to c_str | This argument to an OS command is derived from $@, dangerously concatenated into $@, and then passed to system(string). | test.cpp:107:20:107:38 | *call to getenv | user input (an environment variable) | test.cpp:108:31:108:31 | call to operator+ | call to operator+ |
-| test.cpp:115:25:115:29 | call to c_str | test.cpp:114:20:114:38 | *call to getenv | test.cpp:115:25:115:29 | *call to c_str | This argument to an OS command is derived from $@, dangerously concatenated into $@, and then passed to system(string). | test.cpp:114:20:114:38 | *call to getenv | user input (an environment variable) | test.cpp:115:10:115:23 | call to operator+ | call to operator+ |
-| test.cpp:115:25:115:29 | call to c_str | test.cpp:114:20:114:38 | *call to getenv | test.cpp:115:25:115:29 | *call to c_str | This argument to an OS command is derived from $@, dangerously concatenated into $@, and then passed to system(string). | test.cpp:114:20:114:38 | *call to getenv | user input (an environment variable) | test.cpp:115:17:115:17 | call to operator+ | call to operator+ |
-| test.cpp:121:25:121:28 | call to data | test.cpp:120:20:120:38 | *call to getenv | test.cpp:121:10:121:30 | *call to data | This argument to an OS command is derived from $@, dangerously concatenated into $@, and then passed to system(string). | test.cpp:120:20:120:38 | *call to getenv | user input (an environment variable) | test.cpp:121:17:121:17 | call to operator+ | call to operator+ |
-| test.cpp:144:10:144:16 | command | test.cpp:141:9:141:11 | fread output argument | test.cpp:144:10:144:16 | *command | This argument to an OS command is derived from $@, dangerously concatenated into $@, and then passed to system(string). | test.cpp:141:9:141:11 | fread output argument | user input (string read by fread) | test.cpp:143:11:143:17 | sprintf output argument | sprintf output argument |
-| test.cpp:184:32:184:38 | command | test.cpp:175:9:175:16 | fread output argument | test.cpp:184:32:184:38 | *command | This argument to an OS command is derived from $@, dangerously concatenated into $@, and then passed to execl. | test.cpp:175:9:175:16 | fread output argument | user input (string read by fread) | test.cpp:178:13:178:17 | strncat output argument | strncat output argument |
-| test.cpp:184:32:184:38 | command | test.cpp:175:9:175:16 | fread output argument | test.cpp:184:32:184:38 | *command | This argument to an OS command is derived from $@, dangerously concatenated into $@, and then passed to execl. | test.cpp:175:9:175:16 | fread output argument | user input (string read by fread) | test.cpp:179:13:179:19 | strncat output argument | strncat output argument |
-| test.cpp:184:32:184:38 | command | test.cpp:175:9:175:16 | fread output argument | test.cpp:184:32:184:38 | *command | This argument to an OS command is derived from $@, dangerously concatenated into $@, and then passed to execl. | test.cpp:175:9:175:16 | fread output argument | user input (string read by fread) | test.cpp:181:13:181:19 | strncat output argument | strncat output argument |
-| test.cpp:199:32:199:38 | command | test.cpp:195:9:195:16 | fread output argument | test.cpp:199:32:199:38 | *command | This argument to an OS command is derived from $@, dangerously concatenated into $@, and then passed to execl. | test.cpp:195:9:195:16 | fread output argument | user input (string read by fread) | test.cpp:188:11:188:15 | strncat output argument | strncat output argument |
-| test.cpp:199:32:199:38 | command | test.cpp:195:9:195:16 | fread output argument | test.cpp:199:32:199:38 | *command | This argument to an OS command is derived from $@, dangerously concatenated into $@, and then passed to execl. | test.cpp:195:9:195:16 | fread output argument | user input (string read by fread) | test.cpp:189:11:189:17 | strncat output argument | strncat output argument |
-| test.cpp:223:32:223:38 | command | test.cpp:219:9:219:16 | fread output argument | test.cpp:223:32:223:38 | *command | This argument to an OS command is derived from $@, dangerously concatenated into $@, and then passed to execl. | test.cpp:219:9:219:16 | fread output argument | user input (string read by fread) | test.cpp:221:10:221:16 | strncat output argument | strncat output argument |
-| test.cpp:223:32:223:38 | command | test.cpp:219:9:219:16 | fread output argument | test.cpp:223:32:223:38 | *command | This argument to an OS command is derived from $@, dangerously concatenated into $@, and then passed to execl. | test.cpp:219:9:219:16 | fread output argument | user input (string read by fread) | test.cpp:221:10:221:16 | strncat output argument | strncat output argument |
-| test.cpp:234:10:234:15 | buffer | test.cpp:231:19:231:33 | *call to getenv | test.cpp:234:10:234:15 | *buffer | This argument to an OS command is derived from $@, dangerously concatenated into $@, and then passed to system(string). | test.cpp:231:19:231:33 | *call to getenv | user input (an environment variable) | test.cpp:231:11:231:16 | strncat output argument | strncat output argument |
-| test.cpp:234:10:234:15 | buffer | test.cpp:232:19:232:33 | *call to getenv | test.cpp:234:10:234:15 | *buffer | This argument to an OS command is derived from $@, dangerously concatenated into $@, and then passed to system(string). | test.cpp:232:19:232:33 | *call to getenv | user input (an environment variable) | test.cpp:232:11:232:16 | strncat output argument | strncat output argument |
-| test.cpp:249:10:249:16 | buffer2 | test.cpp:243:5:243:10 | *call to getenv | test.cpp:249:10:249:16 | *buffer2 | This argument to an OS command is derived from $@, dangerously concatenated into $@, and then passed to system(string). | test.cpp:243:5:243:10 | *call to getenv | user input (an environment variable) | test.cpp:245:11:245:17 | sprintf output argument | sprintf output argument |
-| test.cpp:249:10:249:16 | buffer2 | test.cpp:244:5:244:10 | *call to getenv | test.cpp:249:10:249:16 | *buffer2 | This argument to an OS command is derived from $@, dangerously concatenated into $@, and then passed to system(string). | test.cpp:244:5:244:10 | *call to getenv | user input (an environment variable) | test.cpp:242:11:242:17 | sprintf output argument | sprintf output argument |
-| test.cpp:249:10:249:16 | buffer2 | test.cpp:244:5:244:10 | *call to getenv | test.cpp:249:10:249:16 | *buffer2 | This argument to an OS command is derived from $@, dangerously concatenated into $@, and then passed to system(string). | test.cpp:244:5:244:10 | *call to getenv | user input (an environment variable) | test.cpp:245:11:245:17 | sprintf output argument | sprintf output argument |
-| test.cpp:249:10:249:16 | buffer2 | test.cpp:248:5:248:10 | *call to getenv | test.cpp:249:10:249:16 | *buffer2 | This argument to an OS command is derived from $@, dangerously concatenated into $@, and then passed to system(string). | test.cpp:248:5:248:10 | *call to getenv | user input (an environment variable) | test.cpp:245:11:245:17 | sprintf output argument | sprintf output argument |
-| test.cpp:261:10:261:15 | buffer | test.cpp:259:21:259:35 | *call to getenv | test.cpp:261:10:261:15 | *buffer | This argument to an OS command is derived from $@, dangerously concatenated into $@, and then passed to system(string). | test.cpp:259:21:259:35 | *call to getenv | user input (an environment variable) | test.cpp:259:13:259:18 | strncat output argument | strncat output argument |
+| test.cpp:65:10:65:16 | command | test.cpp:62:9:62:16 | fread output argument | test.cpp:65:10:65:16 | *command | This argument to an OS command is derived from $@, dangerously concatenated into $@, and then passed to system(string). | test.cpp:62:9:62:16 | fread output argument | user input (string read by fread) | test.cpp:64:11:64:17 | strncat output argument | strncat output argument |
+| test.cpp:85:32:85:38 | command | test.cpp:82:9:82:16 | fread output argument | test.cpp:85:32:85:38 | *command | This argument to an OS command is derived from $@, dangerously concatenated into $@, and then passed to execl. | test.cpp:82:9:82:16 | fread output argument | user input (string read by fread) | test.cpp:84:11:84:17 | strncat output argument | strncat output argument |
+| test.cpp:94:45:94:48 | path | test.cpp:91:9:91:16 | fread output argument | test.cpp:94:45:94:48 | *path | This argument to an OS command is derived from $@, dangerously concatenated into $@, and then passed to execl. | test.cpp:91:9:91:16 | fread output argument | user input (string read by fread) | test.cpp:93:11:93:14 | strncat output argument | strncat output argument |
+| test.cpp:108:18:108:22 | call to c_str | test.cpp:106:20:106:38 | *call to getenv | test.cpp:108:18:108:22 | *call to c_str | This argument to an OS command is derived from $@, dangerously concatenated into $@, and then passed to system(string). | test.cpp:106:20:106:38 | *call to getenv | user input (an environment variable) | test.cpp:107:31:107:31 | call to operator+ | call to operator+ |
+| test.cpp:114:25:114:29 | call to c_str | test.cpp:113:20:113:38 | *call to getenv | test.cpp:114:25:114:29 | *call to c_str | This argument to an OS command is derived from $@, dangerously concatenated into $@, and then passed to system(string). | test.cpp:113:20:113:38 | *call to getenv | user input (an environment variable) | test.cpp:114:10:114:23 | call to operator+ | call to operator+ |
+| test.cpp:114:25:114:29 | call to c_str | test.cpp:113:20:113:38 | *call to getenv | test.cpp:114:25:114:29 | *call to c_str | This argument to an OS command is derived from $@, dangerously concatenated into $@, and then passed to system(string). | test.cpp:113:20:113:38 | *call to getenv | user input (an environment variable) | test.cpp:114:17:114:17 | call to operator+ | call to operator+ |
+| test.cpp:120:25:120:28 | call to data | test.cpp:119:20:119:38 | *call to getenv | test.cpp:120:10:120:30 | *call to data | This argument to an OS command is derived from $@, dangerously concatenated into $@, and then passed to system(string). | test.cpp:119:20:119:38 | *call to getenv | user input (an environment variable) | test.cpp:120:17:120:17 | call to operator+ | call to operator+ |
+| test.cpp:143:10:143:16 | command | test.cpp:140:9:140:11 | fread output argument | test.cpp:143:10:143:16 | *command | This argument to an OS command is derived from $@, dangerously concatenated into $@, and then passed to system(string). | test.cpp:140:9:140:11 | fread output argument | user input (string read by fread) | test.cpp:142:11:142:17 | sprintf output argument | sprintf output argument |
+| test.cpp:183:32:183:38 | command | test.cpp:174:9:174:16 | fread output argument | test.cpp:183:32:183:38 | *command | This argument to an OS command is derived from $@, dangerously concatenated into $@, and then passed to execl. | test.cpp:174:9:174:16 | fread output argument | user input (string read by fread) | test.cpp:177:13:177:17 | strncat output argument | strncat output argument |
+| test.cpp:183:32:183:38 | command | test.cpp:174:9:174:16 | fread output argument | test.cpp:183:32:183:38 | *command | This argument to an OS command is derived from $@, dangerously concatenated into $@, and then passed to execl. | test.cpp:174:9:174:16 | fread output argument | user input (string read by fread) | test.cpp:178:13:178:19 | strncat output argument | strncat output argument |
+| test.cpp:183:32:183:38 | command | test.cpp:174:9:174:16 | fread output argument | test.cpp:183:32:183:38 | *command | This argument to an OS command is derived from $@, dangerously concatenated into $@, and then passed to execl. | test.cpp:174:9:174:16 | fread output argument | user input (string read by fread) | test.cpp:180:13:180:19 | strncat output argument | strncat output argument |
+| test.cpp:198:32:198:38 | command | test.cpp:194:9:194:16 | fread output argument | test.cpp:198:32:198:38 | *command | This argument to an OS command is derived from $@, dangerously concatenated into $@, and then passed to execl. | test.cpp:194:9:194:16 | fread output argument | user input (string read by fread) | test.cpp:187:11:187:15 | strncat output argument | strncat output argument |
+| test.cpp:198:32:198:38 | command | test.cpp:194:9:194:16 | fread output argument | test.cpp:198:32:198:38 | *command | This argument to an OS command is derived from $@, dangerously concatenated into $@, and then passed to execl. | test.cpp:194:9:194:16 | fread output argument | user input (string read by fread) | test.cpp:188:11:188:17 | strncat output argument | strncat output argument |
+| test.cpp:222:32:222:38 | command | test.cpp:218:9:218:16 | fread output argument | test.cpp:222:32:222:38 | *command | This argument to an OS command is derived from $@, dangerously concatenated into $@, and then passed to execl. | test.cpp:218:9:218:16 | fread output argument | user input (string read by fread) | test.cpp:220:10:220:16 | strncat output argument | strncat output argument |
+| test.cpp:222:32:222:38 | command | test.cpp:218:9:218:16 | fread output argument | test.cpp:222:32:222:38 | *command | This argument to an OS command is derived from $@, dangerously concatenated into $@, and then passed to execl. | test.cpp:218:9:218:16 | fread output argument | user input (string read by fread) | test.cpp:220:10:220:16 | strncat output argument | strncat output argument |

cpp/ql/test/query-tests/Security/CWE/CWE-078/semmle/ExecTainted/test.cpp

@@ -14,7 +14,7 @@ extern void encodeShellString(char *shellStr, int maxChars, const char* cStr);
 
 int main(int argc, char** argv) {
   char *userName = argv[2];
-
+  
   {
     // BAD: a string from the user is injected directly into
     // a command.
@@ -23,10 +23,10 @@ int main(int argc, char** argv) {
     system(command1);
   }
 
-  {
+  {  
     // GOOD: the user string is encoded by a library routine.
     char userNameQuoted[1000] = {0};
-    encodeShellString(userNameQuoted, 1000, userName);
+    encodeShellString(userNameQuoted, 1000, userName); 
     char command2[1000] = {0};
     sprintf(command2, "userinfo -v %s", userNameQuoted);
     system(command2);
@@ -36,16 +36,16 @@ int main(int argc, char** argv) {
 void test2(char* arg2) {
   // GOOD?: the user string is the *first* part of the command, like $CC in many environments
   char *envCC = getenv("CC");
-
+  
   char command[1000];
-  sprintf(command, "%s %s", envCC, arg2);
+  sprintf("%s %s", envCC, arg2);
   system(command);
 }
 
 void test3(char* arg1) {
   // GOOD?: the user string is a `$CFLAGS` environment variable
   char *envCflags = getenv("CFLAGS");
-
+  
   char command[1000];
   sprintf(command, "%s %s", arg1, envCflags);
   system(command);
@@ -54,7 +54,6 @@ void test3(char* arg1) {
 typedef unsigned long size_t;
 typedef void FILE;
 size_t fread(void *ptr, size_t size, size_t nmemb, FILE *stream);
-char *strncpy(char *s1, const char *s2, size_t n);
 char *strncat(char *s1, const char *s2, size_t n);
 
 void test4(FILE *f) {
@@ -161,7 +160,7 @@ void test15(FILE *f) {
   fread(temp, 1, 10, f);
 
   int x = atoi(temp);
-
+  
   char temp2[10];
   sprintf(temp2, "%d", x);
     sprintf(command, "tail -n %s foo.log", temp2);
@@ -223,42 +222,4 @@ void test19(FILE *f) {
   execl("/bin/sh", "sh", "-c", command);
 }
 
-void test20() {
-  // BAD: the user strings `var_b`, `var_c` are injected directly into a command
-  char buffer[1024 * 4];
-
-  strncpy(buffer, getenv("var_a"), 1024);
-  strncat(buffer, getenv("var_b"), 1024);
-  strncat(buffer, getenv("var_c"), 1024);
-  strncat(buffer, " ", 1024);
-  system(buffer);
-}
-
-void test21() {
-  // BAD: the user strings `var_b`, `var_c` are injected directly into a command
-  char buffer1[1024];
-  char buffer2[1024];
-
-  sprintf(buffer1, "%s %s",
-    getenv("var_a"),
-    getenv("var_b"));
-  sprintf(buffer2, "%s %s %s",
-    " ",
-    buffer1,
-    getenv("var_c"));
-  system(buffer2);
-}
-
-void test22() {
-  // BAD: the user strings `var_a` are injected directly into a command
-  char buffer[1024 * 11];
-  int i;
-
-  strncpy(buffer, "command ", 1024);
-  for (i = 0; i < 10; i++) {
-    strncat(buffer, getenv("var_a"), 1024);
-  }
-  system(buffer);
-}
-
 // open question: do we want to report certain sources even when they're the start of the string?

csharp/.vscode/launch.json

@@ -70,8 +70,7 @@
             // Set the path to the folder that should be extracted:
             "cwd": "${workspaceFolder}/ql/test/library-tests/dataflow/local",
             "args": [
-                "LocalDataFlow.cs",
-                "/r:System.Private.CoreLib.dll"
+                "LocalDataFlow.cs"
             ],
             "env": {},
             "stopAtEntry": true,

csharp/documentation/library-coverage/coverage.csv

@@ -2,45 +2,51 @@ package,sink,source,summary,sink:code-injection,sink:encryption-decryptor,sink:e
 Amazon.Lambda.APIGatewayEvents,,6,,,,,,,,,,,,,,,,,6,,,,
 Amazon.Lambda.Core,10,,,,,,,,,,,10,,,,,,,,,,,
 Dapper,55,42,1,,,,,,,,,,55,,42,,,,,,,,1
-ILCompiler,,,121,,,,,,,,,,,,,,,,,,,77,44
-ILLink.RoslynAnalyzer,,,107,,,,,,,,,,,,,,,,,,,31,76
-ILLink.Shared,,,37,,,,,,,,,,,,,,,,,,,11,26
+ILCompiler,,,123,,,,,,,,,,,,,,,,,,,79,44
+ILLink.RoslynAnalyzer,,,139,,,,,,,,,,,,,,,,,,,50,89
+ILLink.Shared,,,31,,,,,,,,,,,,,,,,,,,11,20
 ILLink.Tasks,,,5,,,,,,,,,,,,,,,,,,,4,1
 Internal.IL,,,54,,,,,,,,,,,,,,,,,,,28,26
 Internal.Pgo,,,9,,,,,,,,,,,,,,,,,,,2,7
-Internal.TypeSystem,,,345,,,,,,,,,,,,,,,,,,,205,140
+Internal.TypeSystem,,,329,,,,,,,,,,,,,,,,,,,201,128
+JsonToItemsTaskFactory,,,11,,,,,,,,,,,,,,,,,,,1,10
+Microsoft.Android.Build,,1,14,,,,,,,,,,,,,1,,,,,,12,2
+Microsoft.Apple.Build,,,7,,,,,,,,,,,,,,,,,,,7,
 Microsoft.ApplicationBlocks.Data,28,,,,,,,,,,,,28,,,,,,,,,,
 Microsoft.AspNetCore.Components,2,4,2,,,,,,,2,,,,,,,,,4,,,1,1
 Microsoft.AspNetCore.Http,,,1,,,,,,,,,,,,,,,,,,,1,
 Microsoft.AspNetCore.Mvc,,,2,,,,,,,,,,,,,,,,,,,,2
 Microsoft.AspNetCore.WebUtilities,,,2,,,,,,,,,,,,,,,,,,,2,
 Microsoft.CSharp,,,2,,,,,,,,,,,,,,,,,,,2,
-Microsoft.Diagnostics.Tools.Pgo,,,23,,,,,,,,,,,,,,,,,,,,23
-Microsoft.DotNet.Build.Tasks,,,11,,,,,,,,,,,,,,,,,,,9,2
+Microsoft.Diagnostics.Tools.Pgo,,,25,,,,,,,,,,,,,,,,,,,2,23
+Microsoft.DotNet.Build.Tasks,,,10,,,,,,,,,,,,,,,,,,,8,2
 Microsoft.DotNet.PlatformAbstractions,,,1,,,,,,,,,,,,,,,,,,,1,
 Microsoft.EntityFrameworkCore,6,,12,,,,,,,,,,6,,,,,,,,,,12
 Microsoft.Extensions.Caching.Distributed,,,3,,,,,,,,,,,,,,,,,,,,3
 Microsoft.Extensions.Caching.Memory,,,37,,,,,,,,,,,,,,,,,,,5,32
-Microsoft.Extensions.Configuration,,3,123,,,,,,,,,,,,,3,,,,,,40,83
-Microsoft.Extensions.DependencyInjection,,,209,,,,,,,,,,,,,,,,,,,15,194
-Microsoft.Extensions.DependencyModel,,1,57,,,,,,,,,,,,,1,,,,,,13,44
+Microsoft.Extensions.Configuration,,3,101,,,,,,,,,,,,,3,,,,,,29,72
+Microsoft.Extensions.DependencyInjection,,,202,,,,,,,,,,,,,,,,,,,15,187
+Microsoft.Extensions.DependencyModel,,1,16,,,,,,,,,,,,,1,,,,,,14,2
 Microsoft.Extensions.Diagnostics.Metrics,,,14,,,,,,,,,,,,,,,,,,,1,13
-Microsoft.Extensions.FileProviders,,,18,,,,,,,,,,,,,,,,,,,8,10
-Microsoft.Extensions.FileSystemGlobbing,,,37,,,,,,,,,,,,,,,,,,,13,24
-Microsoft.Extensions.Hosting,,,61,,,,,,,,,,,,,,,,,,,29,32
+Microsoft.Extensions.FileProviders,,,17,,,,,,,,,,,,,,,,,,,7,10
+Microsoft.Extensions.FileSystemGlobbing,,,21,,,,,,,,,,,,,,,,,,,10,11
+Microsoft.Extensions.Hosting,,,58,,,,,,,,,,,,,,,,,,,29,29
 Microsoft.Extensions.Http,,,9,,,,,,,,,,,,,,,,,,,7,2
-Microsoft.Extensions.Logging,,,107,,,,,,,,,,,,,,,,,,,26,81
-Microsoft.Extensions.Options,,,174,,,,,,,,,,,,,,,,,,,48,126
-Microsoft.Extensions.Primitives,,,76,,,,,,,,,,,,,,,,,,,67,9
-Microsoft.Interop,,,216,,,,,,,,,,,,,,,,,,,71,145
+Microsoft.Extensions.Logging,,,91,,,,,,,,,,,,,,,,,,,25,66
+Microsoft.Extensions.Options,,,68,,,,,,,,,,,,,,,,,,,44,24
+Microsoft.Extensions.Primitives,,,73,,,,,,,,,,,,,,,,,,,67,6
+Microsoft.Interop,,,159,,,,,,,,,,,,,,,,,,,75,84
 Microsoft.JSInterop,2,,,,,,,,,,2,,,,,,,,,,,,
 Microsoft.NET.Build.Tasks,,,5,,,,,,,,,,,,,,,,,,,3,2
+Microsoft.NET.Sdk.WebAssembly,,,2,,,,,,,,,,,,,,,,,,,1,1
+Microsoft.NET.WebAssembly.Webcil,,,6,,,,,,,,,,,,,,,,,,,6,
 Microsoft.VisualBasic,,,13,,,,,,,,,,,,,,,,,,,1,12
+Microsoft.WebAssembly.Build.Tasks,,,9,,,,,,,,,,,,,,,,,,,8,1
 Microsoft.Win32,,4,2,,,,,,,,,,,,,,,,,,4,,2
-Mono.Linker,,,280,,,,,,,,,,,,,,,,,,,129,151
+Mono.Linker,,,293,,,,,,,,,,,,,,,,,,,145,148
 MySql.Data.MySqlClient,48,,,,,,,,,,,,48,,,,,,,,,,
 Newtonsoft.Json,,,91,,,,,,,,,,,,,,,,,,,73,18
 ServiceStack,194,,7,27,,,,,75,,,,92,,,,,,,,,7,
 SourceGenerators,,,5,,,,,,,,,,,,,,,,,,,,5
-System,54,47,12241,,6,5,5,,,4,1,,33,2,,6,15,17,4,3,,5941,6300
+System,54,47,10864,,6,5,5,,,4,1,,33,2,,6,15,17,4,3,,5547,5317
 Windows.Security.Cryptography.Core,1,,,,,,,1,,,,,,,,,,,,,,,

csharp/documentation/library-coverage/coverage.rst

@@ -8,7 +8,7 @@ C# framework & library support
 
    Framework / library,Package,Flow sources,Taint & value steps,Sinks (total),`CWE-079` :sub:`Cross-site scripting`
    `ServiceStack <https://servicestack.net/>`_,"``ServiceStack.*``, ``ServiceStack``",,7,194,
-   System,"``System.*``, ``System``",47,12241,54,5
-   Others,"``Amazon.Lambda.APIGatewayEvents``, ``Amazon.Lambda.Core``, ``Dapper``, ``ILCompiler``, ``ILLink.RoslynAnalyzer``, ``ILLink.Shared``, ``ILLink.Tasks``, ``Internal.IL``, ``Internal.Pgo``, ``Internal.TypeSystem``, ``Microsoft.ApplicationBlocks.Data``, ``Microsoft.AspNetCore.Components``, ``Microsoft.AspNetCore.Http``, ``Microsoft.AspNetCore.Mvc``, ``Microsoft.AspNetCore.WebUtilities``, ``Microsoft.CSharp``, ``Microsoft.Diagnostics.Tools.Pgo``, ``Microsoft.DotNet.Build.Tasks``, ``Microsoft.DotNet.PlatformAbstractions``, ``Microsoft.EntityFrameworkCore``, ``Microsoft.Extensions.Caching.Distributed``, ``Microsoft.Extensions.Caching.Memory``, ``Microsoft.Extensions.Configuration``, ``Microsoft.Extensions.DependencyInjection``, ``Microsoft.Extensions.DependencyModel``, ``Microsoft.Extensions.Diagnostics.Metrics``, ``Microsoft.Extensions.FileProviders``, ``Microsoft.Extensions.FileSystemGlobbing``, ``Microsoft.Extensions.Hosting``, ``Microsoft.Extensions.Http``, ``Microsoft.Extensions.Logging``, ``Microsoft.Extensions.Options``, ``Microsoft.Extensions.Primitives``, ``Microsoft.Interop``, ``Microsoft.JSInterop``, ``Microsoft.NET.Build.Tasks``, ``Microsoft.VisualBasic``, ``Microsoft.Win32``, ``Mono.Linker``, ``MySql.Data.MySqlClient``, ``Newtonsoft.Json``, ``SourceGenerators``, ``Windows.Security.Cryptography.Core``",60,2272,152,4
-   Totals,,107,14520,400,9
+   System,"``System.*``, ``System``",47,10864,54,5
+   Others,"``Amazon.Lambda.APIGatewayEvents``, ``Amazon.Lambda.Core``, ``Dapper``, ``ILCompiler``, ``ILLink.RoslynAnalyzer``, ``ILLink.Shared``, ``ILLink.Tasks``, ``Internal.IL``, ``Internal.Pgo``, ``Internal.TypeSystem``, ``JsonToItemsTaskFactory``, ``Microsoft.Android.Build``, ``Microsoft.Apple.Build``, ``Microsoft.ApplicationBlocks.Data``, ``Microsoft.AspNetCore.Components``, ``Microsoft.AspNetCore.Http``, ``Microsoft.AspNetCore.Mvc``, ``Microsoft.AspNetCore.WebUtilities``, ``Microsoft.CSharp``, ``Microsoft.Diagnostics.Tools.Pgo``, ``Microsoft.DotNet.Build.Tasks``, ``Microsoft.DotNet.PlatformAbstractions``, ``Microsoft.EntityFrameworkCore``, ``Microsoft.Extensions.Caching.Distributed``, ``Microsoft.Extensions.Caching.Memory``, ``Microsoft.Extensions.Configuration``, ``Microsoft.Extensions.DependencyInjection``, ``Microsoft.Extensions.DependencyModel``, ``Microsoft.Extensions.Diagnostics.Metrics``, ``Microsoft.Extensions.FileProviders``, ``Microsoft.Extensions.FileSystemGlobbing``, ``Microsoft.Extensions.Hosting``, ``Microsoft.Extensions.Http``, ``Microsoft.Extensions.Logging``, ``Microsoft.Extensions.Options``, ``Microsoft.Extensions.Primitives``, ``Microsoft.Interop``, ``Microsoft.JSInterop``, ``Microsoft.NET.Build.Tasks``, ``Microsoft.NET.Sdk.WebAssembly``, ``Microsoft.NET.WebAssembly.Webcil``, ``Microsoft.VisualBasic``, ``Microsoft.WebAssembly.Build.Tasks``, ``Microsoft.Win32``, ``Mono.Linker``, ``MySql.Data.MySqlClient``, ``Newtonsoft.Json``, ``SourceGenerators``, ``Windows.Security.Cryptography.Core``",61,2075,152,4
+   Totals,,108,12946,400,9
 

csharp/ql/campaigns/Solorigate/lib/CHANGELOG.md

@@ -1,7 +1,3 @@
-## 1.7.34
-
-No user-facing changes.
-
 ## 1.7.33
 
 No user-facing changes.

csharp/ql/campaigns/Solorigate/lib/change-notes/released/1.7.34.md

@@ -1,3 +0,0 @@
-## 1.7.34
-
-No user-facing changes.

csharp/ql/campaigns/Solorigate/lib/codeql-pack.release.yml

@@ -1,2 +1,2 @@
 ---
-lastReleaseVersion: 1.7.34
+lastReleaseVersion: 1.7.33

csharp/ql/campaigns/Solorigate/lib/qlpack.yml

@@ -1,5 +1,5 @@
 name: codeql/csharp-solorigate-all
-version: 1.7.35-dev
+version: 1.7.34-dev
 groups:
   - csharp
   - solorigate

csharp/ql/campaigns/Solorigate/src/CHANGELOG.md

@@ -1,7 +1,3 @@
-## 1.7.34
-
-No user-facing changes.
-
 ## 1.7.33
 
 No user-facing changes.

csharp/ql/campaigns/Solorigate/src/change-notes/released/1.7.34.md

@@ -1,3 +0,0 @@
-## 1.7.34
-
-No user-facing changes.

csharp/ql/campaigns/Solorigate/src/codeql-pack.release.yml

@@ -1,2 +1,2 @@
 ---
-lastReleaseVersion: 1.7.34
+lastReleaseVersion: 1.7.33

csharp/ql/campaigns/Solorigate/src/qlpack.yml

@@ -1,5 +1,5 @@
 name: codeql/csharp-solorigate-queries
-version: 1.7.35-dev
+version: 1.7.34-dev
 groups:
   - csharp
   - solorigate

csharp/ql/lib/CHANGELOG.md

@@ -1,18 +1,3 @@
-## 5.1.0
-
-### Deprecated APIs
-
-* The predicates `immediatelyControls` and `controls` on the `ConditionBlock`
-  class have been deprecated in favor of the newly added `dominatingEdge`
-  predicate.
-
-### Minor Analysis Improvements
-
-* Full support for C# 13 / .NET 9. All new language features are now supported by the extractor. QL library and data flow support for the new C# 13 language constructs and generated MaD models for the .NET 9 runtime.
-* C# 13: Add generated models for .NET 9.
-* The models for `System.Net.Http.HttpRequestMessage` and `System.UriBuilder` have been modified to better model the flow of tainted URIs.
-* Blazor `[Parameter]` fields bound to a variable from the route specified in the `@page` directive are now modeled as remote flow sources.
-
 ## 5.0.0
 
 ### Breaking Changes
@@ -68,6 +53,7 @@
 
 ### Minor Analysis Improvements
 
+* .NET 9 is now required to build the C# extractor.
 * The Models as Data models for .NET 8 Runtime now include generated models for higher order methods.
 
 ## 3.1.0

csharp/ql/lib/change-notes/released/3.1.1.md

@@ -2,4 +2,5 @@
 
 ### Minor Analysis Improvements
 
+* .NET 9 is now required to build the C# extractor.
 * The Models as Data models for .NET 8 Runtime now include generated models for higher order methods.

csharp/ql/lib/change-notes/released/5.1.0.md

@@ -1,14 +0,0 @@
-## 5.1.0
-
-### Deprecated APIs
-
-* The predicates `immediatelyControls` and `controls` on the `ConditionBlock`
-  class have been deprecated in favor of the newly added `dominatingEdge`
-  predicate.
-
-### Minor Analysis Improvements
-
-* Full support for C# 13 / .NET 9. All new language features are now supported by the extractor. QL library and data flow support for the new C# 13 language constructs and generated MaD models for the .NET 9 runtime.
-* C# 13: Add generated models for .NET 9.
-* The models for `System.Net.Http.HttpRequestMessage` and `System.UriBuilder` have been modified to better model the flow of tainted URIs.
-* Blazor `[Parameter]` fields bound to a variable from the route specified in the `@page` directive are now modeled as remote flow sources.

csharp/ql/lib/codeql-pack.release.yml

@@ -1,2 +1,2 @@
 ---
-lastReleaseVersion: 5.1.0
+lastReleaseVersion: 5.0.0

csharp/ql/lib/ext/System.Net.Http.model.yml

@@ -10,8 +10,6 @@ extensions:
     data:
       - ["System.Net.Http", "HttpRequestMessage", False, "HttpRequestMessage", "(System.Net.Http.HttpMethod,System.String)", "", "Argument[0]", "Argument[this]", "taint", "manual"]
       - ["System.Net.Http", "HttpRequestMessage", False, "HttpRequestMessage", "(System.Net.Http.HttpMethod,System.String)", "", "Argument[1]", "Argument[this]", "taint", "manual"]
-      - ["System.Net.Http", "HttpRequestMessage", False, "HttpRequestMessage", "(System.Net.Http.HttpMethod,System.Uri)", "", "Argument[0]", "Argument[this]", "taint", "manual"]
-      - ["System.Net.Http", "HttpRequestMessage", False, "HttpRequestMessage", "(System.Net.Http.HttpMethod,System.Uri)", "", "Argument[1]", "Argument[this]", "taint", "manual"]
       - ["System.Net.Http", "HttpRequestOptions", False, "Add", "(System.Collections.Generic.KeyValuePair<System.String,System.Object>)", "", "Argument[0].Property[System.Collections.Generic.KeyValuePair`2.Key]", "Argument[this].Element.Property[System.Collections.Generic.KeyValuePair`2.Key]", "value", "manual"]
       - ["System.Net.Http", "HttpRequestOptions", False, "Add", "(System.Collections.Generic.KeyValuePair<System.String,System.Object>)", "", "Argument[0].Property[System.Collections.Generic.KeyValuePair`2.Value]", "Argument[this].Element.Property[System.Collections.Generic.KeyValuePair`2.Value]", "value", "manual"]
       - ["System.Net.Http", "MultipartContent", False, "Add", "(System.Net.Http.HttpContent)", "", "Argument[0]", "Argument[this].Element", "value", "manual"]

csharp/ql/lib/ext/System.model.yml

@@ -784,24 +784,6 @@ extensions:
       - ["System", "Uri", False, "get_OriginalString", "()", "", "Argument[this]", "ReturnValue", "taint", "manual"]
       - ["System", "Uri", False, "get_PathAndQuery", "()", "", "Argument[this]", "ReturnValue", "taint", "manual"]
       - ["System", "Uri", False, "get_Query", "()", "", "Argument[this]", "ReturnValue", "taint", "manual"]
-      - ["System", "UriBuilder", False, "ToString", "()", "", "Argument[this].Property[System.UriBuilder.Scheme,System.UriBuilder.UserName,System.UriBuilder.Password,System.UriBuilder.Host,System.UriBuilder.Port,System.UriBuilder.Path,System.UriBuilder.Query,System.UriBuilder.Fragment]", "ReturnValue", "taint", "manual"]
-      - ["System", "UriBuilder", False, "UriBuilder", "(System.String)", "", "Argument[0]", "Argument[this].Property[System.UriBuilder.Scheme,System.UriBuilder.Host,System.UriBuilder.Port,System.UriBuilder.Path,System.UriBuilder.Query,System.UriBuilder.Fragment]", "taint", "manual"]
-      - ["System", "UriBuilder", False, "UriBuilder", "(System.Uri)", "", "Argument[0]", "Argument[this].Property[System.UriBuilder.Scheme,System.UriBuilder.Host,System.UriBuilder.Port,System.UriBuilder.Path,System.UriBuilder.Query,System.UriBuilder.Fragment]", "taint", "manual"]
-      - ["System", "UriBuilder", False, "UriBuilder", "(System.String,System.String)", "", "Argument[0]", "Argument[this].Property[System.UriBuilder.Scheme]", "taint", "manual"]
-      - ["System", "UriBuilder", False, "UriBuilder", "(System.String,System.String)", "", "Argument[1]", "Argument[this].Property[System.UriBuilder.Host]", "taint", "manual"]
-      - ["System", "UriBuilder", False, "UriBuilder", "(System.String,System.String,System.Int32)", "", "Argument[0]", "Argument[this].Property[System.UriBuilder.Scheme]", "taint", "manual"]
-      - ["System", "UriBuilder", False, "UriBuilder", "(System.String,System.String,System.Int32)", "", "Argument[1]", "Argument[this].Property[System.UriBuilder.Host]", "taint", "manual"]
-      - ["System", "UriBuilder", False, "UriBuilder", "(System.String,System.String,System.Int32)", "", "Argument[2]", "Argument[this].Property[System.UriBuilder.Port]", "taint", "manual"]
-      - ["System", "UriBuilder", False, "UriBuilder", "(System.String,System.String,System.Int32,System.String)", "", "Argument[0]", "Argument[this].Property[System.UriBuilder.Scheme]", "taint", "manual"]
-      - ["System", "UriBuilder", False, "UriBuilder", "(System.String,System.String,System.Int32,System.String)", "", "Argument[1]", "Argument[this].Property[System.UriBuilder.Host]", "taint", "manual"]
-      - ["System", "UriBuilder", False, "UriBuilder", "(System.String,System.String,System.Int32,System.String)", "", "Argument[2]", "Argument[this].Property[System.UriBuilder.Port]", "taint", "manual"]
-      - ["System", "UriBuilder", False, "UriBuilder", "(System.String,System.String,System.Int32,System.String)", "", "Argument[3]", "Argument[this].Property[System.UriBuilder.Path]", "taint", "manual"]
-      - ["System", "UriBuilder", False, "UriBuilder", "(System.String,System.String,System.Int32,System.String,System.String)", "", "Argument[0]", "Argument[this].Property[System.UriBuilder.Scheme]", "taint", "manual"]
-      - ["System", "UriBuilder", False, "UriBuilder", "(System.String,System.String,System.Int32,System.String,System.String)", "", "Argument[1]", "Argument[this].Property[System.UriBuilder.Host]", "taint", "manual"]
-      - ["System", "UriBuilder", False, "UriBuilder", "(System.String,System.String,System.Int32,System.String,System.String)", "", "Argument[2]", "Argument[this].Property[System.UriBuilder.Port]", "taint", "manual"]
-      - ["System", "UriBuilder", False, "UriBuilder", "(System.String,System.String,System.Int32,System.String,System.String)", "", "Argument[3]", "Argument[this].Property[System.UriBuilder.Path]", "taint", "manual"]
-      - ["System", "UriBuilder", False, "UriBuilder", "(System.String,System.String,System.Int32,System.String,System.String)", "", "Argument[4]", "Argument[this].Property[System.UriBuilder.Query,System.UriBuilder.Fragment]", "taint", "manual"]
-      - ["System", "UriBuilder", False, "get_Uri", "()", "", "Argument[this].Property[System.UriBuilder.Scheme,System.UriBuilder.UserName,System.UriBuilder.Password,System.UriBuilder.Host,System.UriBuilder.Port,System.UriBuilder.Path,System.UriBuilder.Query,System.UriBuilder.Fragment]", "ReturnValue", "taint", "manual"]
       - ["System", "ValueTuple", False, "Create<T1,T2,T3,T4,T5,T6,T7,T8>", "(T1,T2,T3,T4,T5,T6,T7,T8)", "", "Argument[0]", "ReturnValue.Field[System.ValueTuple`8.Item1]", "value", "manual"]
       - ["System", "ValueTuple", False, "Create<T1,T2,T3,T4,T5,T6,T7,T8>", "(T1,T2,T3,T4,T5,T6,T7,T8)", "", "Argument[1]", "ReturnValue.Field[System.ValueTuple`8.Item2]", "value", "manual"]
       - ["System", "ValueTuple", False, "Create<T1,T2,T3,T4,T5,T6,T7,T8>", "(T1,T2,T3,T4,T5,T6,T7,T8)", "", "Argument[2]", "ReturnValue.Field[System.ValueTuple`8.Item3]", "value", "manual"]

csharp/ql/lib/ext/generated/AssemblyStripper.model.yml

@@ -0,0 +1,7 @@
+# THIS FILE IS AN AUTO-GENERATED MODELS AS DATA FILE. DO NOT EDIT.
+extensions:
+  - addsTo:
+      pack: codeql/csharp-all
+      extensible: neutralModel
+    data:
+      - ["AssemblyStripper", "AssemblyStripper", "StripAssembly", "(System.String,System.String)", "summary", "df-generated"]

csharp/ql/lib/ext/generated/Generators.model.yml

@@ -5,4 +5,3 @@ extensions:
       extensible: neutralModel
     data:
       - ["Generators", "EventSourceGenerator", "Initialize", "(Microsoft.CodeAnalysis.IncrementalGeneratorInitializationContext)", "summary", "df-generated"]
-      - ["Generators", "ProductVersionInfoGenerator", "Initialize", "(Microsoft.CodeAnalysis.IncrementalGeneratorInitializationContext)", "summary", "df-generated"]

csharp/ql/lib/ext/generated/ILCompiler.Reflection.ReadyToRun.Amd64.model.yml

@@ -12,7 +12,7 @@ extensions:
       extensible: neutralModel
     data:
       - ["ILCompiler.Reflection.ReadyToRun.Amd64", "GcInfo+SafePointOffset", "SafePointOffset", "(System.Int32,System.UInt32)", "summary", "df-generated"]
-      - ["ILCompiler.Reflection.ReadyToRun.Amd64", "GcInfo", "GcInfo", "(System.Byte[],System.Int32,System.Reflection.PortableExecutable.Machine,System.UInt16,System.UInt16)", "summary", "df-generated"]
+      - ["ILCompiler.Reflection.ReadyToRun.Amd64", "GcInfo", "GcInfo", "(System.Byte[],System.Int32,System.Reflection.PortableExecutable.Machine,System.UInt16)", "summary", "df-generated"]
       - ["ILCompiler.Reflection.ReadyToRun.Amd64", "GcInfo", "ToString", "()", "summary", "df-generated"]
       - ["ILCompiler.Reflection.ReadyToRun.Amd64", "GcSlotTable+GcSlot", "WriteTo", "(System.Text.StringBuilder,System.Reflection.PortableExecutable.Machine,ILCompiler.Reflection.ReadyToRun.GcSlotFlags)", "summary", "df-generated"]
       - ["ILCompiler.Reflection.ReadyToRun.Amd64", "GcSlotTable", "GcSlotTable", "(System.Byte[],System.Reflection.PortableExecutable.Machine,ILCompiler.Reflection.ReadyToRun.GcInfoTypes,System.Int32)", "summary", "df-generated"]

csharp/ql/lib/ext/generated/ILCompiler.Reflection.ReadyToRun.RiscV64.model.yml

@@ -1,11 +0,0 @@
-# THIS FILE IS AN AUTO-GENERATED MODELS AS DATA FILE. DO NOT EDIT.
-extensions:
-  - addsTo:
-      pack: codeql/csharp-all
-      extensible: neutralModel
-    data:
-      - ["ILCompiler.Reflection.ReadyToRun.RiscV64", "Epilog", "Epilog", "(System.Int32,System.Int32,System.UInt32)", "summary", "df-generated"]
-      - ["ILCompiler.Reflection.ReadyToRun.RiscV64", "Epilog", "ToString", "()", "summary", "df-generated"]
-      - ["ILCompiler.Reflection.ReadyToRun.RiscV64", "UnwindCode", "UnwindCode", "(System.Int32)", "summary", "df-generated"]
-      - ["ILCompiler.Reflection.ReadyToRun.RiscV64", "UnwindInfo", "ToString", "()", "summary", "df-generated"]
-      - ["ILCompiler.Reflection.ReadyToRun.RiscV64", "UnwindInfo", "UnwindInfo", "(System.Byte[],System.Int32)", "summary", "df-generated"]

csharp/ql/lib/ext/generated/ILCompiler.Reflection.ReadyToRun.x86.model.yml

@@ -4,6 +4,8 @@ extensions:
       pack: codeql/csharp-all
       extensible: summaryModel
     data:
+      - ["ILCompiler.Reflection.ReadyToRun.x86", "GcInfo", False, "ToString", "()", "", "Argument[this].Property[ILCompiler.Reflection.ReadyToRun.x86.GcInfo.Header]", "ReturnValue", "taint", "dfc-generated"]
+      - ["ILCompiler.Reflection.ReadyToRun.x86", "GcInfo", False, "ToString", "()", "", "Argument[this].Property[ILCompiler.Reflection.ReadyToRun.x86.GcInfo.SlotTable]", "ReturnValue", "taint", "dfc-generated"]
       - ["ILCompiler.Reflection.ReadyToRun.x86", "GcSlotTable+GcSlot", False, "GcSlot", "(System.Int32,System.String,System.Int32,System.Int32,ILCompiler.Reflection.ReadyToRun.GcSlotFlags)", "", "Argument[1]", "Argument[this].Property[ILCompiler.Reflection.ReadyToRun.x86.GcSlotTable+GcSlot.Register]", "value", "dfc-generated"]
       - ["ILCompiler.Reflection.ReadyToRun.x86", "GcSlotTable+GcSlot", False, "GcSlot", "(System.Int32,System.String,System.Int32,System.Int32,System.Int32,System.Int32,ILCompiler.Reflection.ReadyToRun.GcSlotFlags)", "", "Argument[1]", "Argument[this].Property[ILCompiler.Reflection.ReadyToRun.x86.GcSlotTable+GcSlot.Register]", "taint", "dfc-generated"]
       - ["ILCompiler.Reflection.ReadyToRun.x86", "GcSlotTable+GcSlot", False, "ToString", "()", "", "Argument[this].Property[ILCompiler.Reflection.ReadyToRun.x86.GcSlotTable+GcSlot.Register]", "ReturnValue", "taint", "dfc-generated"]
@@ -14,9 +16,8 @@ extensions:
     data:
       - ["ILCompiler.Reflection.ReadyToRun.x86", "CalleeSavedRegister", "CalleeSavedRegister", "(System.Int32,ILCompiler.Reflection.ReadyToRun.x86.CalleeSavedRegisters)", "summary", "df-generated"]
       - ["ILCompiler.Reflection.ReadyToRun.x86", "CalleeSavedRegister", "ToString", "()", "summary", "df-generated"]
-      - ["ILCompiler.Reflection.ReadyToRun.x86", "GcInfo", "GcInfo", "(System.Byte[],System.Int32)", "summary", "df-generated"]
+      - ["ILCompiler.Reflection.ReadyToRun.x86", "GcInfo", "GcInfo", "(System.Byte[],System.Int32,System.Reflection.PortableExecutable.Machine,System.UInt16)", "summary", "df-generated"]
       - ["ILCompiler.Reflection.ReadyToRun.x86", "GcInfo", "GetRegisterName", "(System.Int32)", "summary", "df-generated"]
-      - ["ILCompiler.Reflection.ReadyToRun.x86", "GcInfo", "ToString", "()", "summary", "df-generated"]
       - ["ILCompiler.Reflection.ReadyToRun.x86", "GcSlotTable", "GcSlotTable", "(System.Byte[],ILCompiler.Reflection.ReadyToRun.x86.InfoHdrSmall,System.Int32)", "summary", "df-generated"]
       - ["ILCompiler.Reflection.ReadyToRun.x86", "GcTransitionCall+CallRegister", "CallRegister", "(ILCompiler.Reflection.ReadyToRun.x86.Registers,System.Boolean)", "summary", "df-generated"]
       - ["ILCompiler.Reflection.ReadyToRun.x86", "GcTransitionCall+PtrArg", "PtrArg", "(System.UInt32,System.UInt32)", "summary", "df-generated"]

csharp/ql/lib/ext/generated/ILLink.RoslynAnalyzer.DataFlow.model.yml

@@ -4,30 +4,18 @@ extensions:
       pack: codeql/csharp-all
       extensible: summaryModel
     data:
-      - ["ILLink.RoslynAnalyzer.DataFlow", "BlockProxy", False, "BlockProxy", "(Microsoft.CodeAnalysis.FlowAnalysis.BasicBlock)", "", "Argument[0]", "Argument[this].Property[ILLink.RoslynAnalyzer.DataFlow.BlockProxy.Block]", "value", "dfc-generated"]
       - ["ILLink.RoslynAnalyzer.DataFlow", "CapturedReferenceValue", False, "CapturedReferenceValue", "(Microsoft.CodeAnalysis.IOperation)", "", "Argument[0]", "Argument[this].Field[ILLink.RoslynAnalyzer.DataFlow.CapturedReferenceValue.Reference]", "value", "dfc-generated"]
-      - ["ILLink.RoslynAnalyzer.DataFlow", "ControlFlowGraphProxy", False, "ControlFlowGraphProxy", "(Microsoft.CodeAnalysis.FlowAnalysis.ControlFlowGraph)", "", "Argument[0]", "Argument[this].Property[ILLink.RoslynAnalyzer.DataFlow.ControlFlowGraphProxy.ControlFlowGraph]", "value", "dfc-generated"]
-      - ["ILLink.RoslynAnalyzer.DataFlow", "ControlFlowGraphProxy", False, "CreateProxyBranch", "(Microsoft.CodeAnalysis.FlowAnalysis.ControlFlowBranch)", "", "Argument[0].Property[Microsoft.CodeAnalysis.FlowAnalysis.ControlFlowBranch.Destination]", "ReturnValue.Field[ILLink.Shared.DataFlow.IControlFlowGraph`2+ControlFlowBranch.Destination].Property[ILLink.RoslynAnalyzer.DataFlow.BlockProxy.Block]", "value", "dfc-generated"]
-      - ["ILLink.RoslynAnalyzer.DataFlow", "ControlFlowGraphProxy", False, "CreateProxyBranch", "(Microsoft.CodeAnalysis.FlowAnalysis.ControlFlowBranch)", "", "Argument[0].Property[Microsoft.CodeAnalysis.FlowAnalysis.ControlFlowBranch.Source]", "ReturnValue.Field[ILLink.Shared.DataFlow.IControlFlowGraph`2+ControlFlowBranch.Source].Property[ILLink.RoslynAnalyzer.DataFlow.BlockProxy.Block]", "value", "dfc-generated"]
-      - ["ILLink.RoslynAnalyzer.DataFlow", "ControlFlowGraphProxy", False, "FirstBlock", "(ILLink.RoslynAnalyzer.DataFlow.RegionProxy)", "", "Argument[this]", "ReturnValue", "taint", "df-generated"]
-      - ["ILLink.RoslynAnalyzer.DataFlow", "ControlFlowGraphProxy", False, "LastBlock", "(ILLink.RoslynAnalyzer.DataFlow.RegionProxy)", "", "Argument[this]", "ReturnValue", "taint", "df-generated"]
-      - ["ILLink.RoslynAnalyzer.DataFlow", "ControlFlowGraphProxy", False, "TryGetEnclosingFinally", "(ILLink.RoslynAnalyzer.DataFlow.BlockProxy,ILLink.RoslynAnalyzer.DataFlow.RegionProxy)", "", "Argument[0].Property[ILLink.RoslynAnalyzer.DataFlow.BlockProxy.Block].Property[Microsoft.CodeAnalysis.FlowAnalysis.BasicBlock.EnclosingRegion]", "ReturnValue.Property[ILLink.RoslynAnalyzer.DataFlow.RegionProxy.Region]", "value", "dfc-generated"]
-      - ["ILLink.RoslynAnalyzer.DataFlow", "ControlFlowGraphProxy", False, "TryGetEnclosingTryOrCatchOrFilter", "(ILLink.RoslynAnalyzer.DataFlow.BlockProxy,ILLink.RoslynAnalyzer.DataFlow.RegionProxy)", "", "Argument[0].Property[ILLink.RoslynAnalyzer.DataFlow.BlockProxy.Block].Property[Microsoft.CodeAnalysis.FlowAnalysis.BasicBlock.EnclosingRegion]", "ReturnValue.Property[ILLink.RoslynAnalyzer.DataFlow.RegionProxy.Region]", "value", "dfc-generated"]
-      - ["ILLink.RoslynAnalyzer.DataFlow", "ControlFlowGraphProxy", False, "TryGetEnclosingTryOrCatchOrFilter", "(ILLink.RoslynAnalyzer.DataFlow.RegionProxy,ILLink.RoslynAnalyzer.DataFlow.RegionProxy)", "", "Argument[0].Property[ILLink.RoslynAnalyzer.DataFlow.RegionProxy.Region].Property[Microsoft.CodeAnalysis.FlowAnalysis.ControlFlowRegion.EnclosingRegion]", "ReturnValue.Property[ILLink.RoslynAnalyzer.DataFlow.RegionProxy.Region]", "value", "dfc-generated"]
-      - ["ILLink.RoslynAnalyzer.DataFlow", "ControlFlowGraphProxy", False, "get_Blocks", "()", "", "Argument[this]", "ReturnValue", "taint", "df-generated"]
-      - ["ILLink.RoslynAnalyzer.DataFlow", "ControlFlowGraphProxy", False, "get_Entry", "()", "", "Argument[this]", "ReturnValue", "taint", "df-generated"]
       - ["ILLink.RoslynAnalyzer.DataFlow", "FeatureChecksValue", False, "And", "(ILLink.RoslynAnalyzer.DataFlow.FeatureChecksValue)", "", "Argument[0]", "ReturnValue", "taint", "df-generated"]
       - ["ILLink.RoslynAnalyzer.DataFlow", "FeatureChecksValue", False, "And", "(ILLink.RoslynAnalyzer.DataFlow.FeatureChecksValue)", "", "Argument[this]", "ReturnValue", "taint", "df-generated"]
-      - ["ILLink.RoslynAnalyzer.DataFlow", "FeatureChecksValue", False, "DeepCopy", "()", "", "Argument[this]", "ReturnValue", "taint", "df-generated"]
       - ["ILLink.RoslynAnalyzer.DataFlow", "FeatureChecksValue", False, "FeatureChecksValue", "(System.String)", "", "Argument[0]", "Argument[this]", "taint", "df-generated"]
       - ["ILLink.RoslynAnalyzer.DataFlow", "FeatureChecksValue", False, "Negate", "()", "", "Argument[this]", "ReturnValue", "taint", "df-generated"]
       - ["ILLink.RoslynAnalyzer.DataFlow", "FeatureChecksValue", False, "Or", "(ILLink.RoslynAnalyzer.DataFlow.FeatureChecksValue)", "", "Argument[0]", "ReturnValue", "taint", "df-generated"]
       - ["ILLink.RoslynAnalyzer.DataFlow", "FeatureChecksValue", False, "Or", "(ILLink.RoslynAnalyzer.DataFlow.FeatureChecksValue)", "", "Argument[this]", "ReturnValue", "taint", "df-generated"]
+      - ["ILLink.RoslynAnalyzer.DataFlow", "FeatureChecksVisitor", False, "FeatureChecksVisitor", "(ILLink.RoslynAnalyzer.DataFlowAnalyzerContext)", "", "Argument[0]", "Argument[this]", "taint", "df-generated"]
       - ["ILLink.RoslynAnalyzer.DataFlow", "FeatureContext", False, "DeepCopy", "()", "", "Argument[this].Field[ILLink.RoslynAnalyzer.DataFlow.FeatureContext.EnabledFeatures]", "ReturnValue.Field[ILLink.RoslynAnalyzer.DataFlow.FeatureContext.EnabledFeatures]", "value", "dfc-generated"]
       - ["ILLink.RoslynAnalyzer.DataFlow", "FeatureContext", False, "FeatureContext", "(ILLink.Shared.DataFlow.ValueSet<System.String>)", "", "Argument[0]", "Argument[this].Field[ILLink.RoslynAnalyzer.DataFlow.FeatureContext.EnabledFeatures]", "value", "dfc-generated"]
       - ["ILLink.RoslynAnalyzer.DataFlow", "FeatureContext", False, "Intersection", "(ILLink.RoslynAnalyzer.DataFlow.FeatureContext)", "", "Argument[0].Field[ILLink.RoslynAnalyzer.DataFlow.FeatureContext.EnabledFeatures]", "ReturnValue.Field[ILLink.RoslynAnalyzer.DataFlow.FeatureContext.EnabledFeatures]", "value", "dfc-generated"]
       - ["ILLink.RoslynAnalyzer.DataFlow", "FeatureContext", False, "Intersection", "(ILLink.RoslynAnalyzer.DataFlow.FeatureContext)", "", "Argument[this].Field[ILLink.RoslynAnalyzer.DataFlow.FeatureContext.EnabledFeatures]", "ReturnValue.Field[ILLink.RoslynAnalyzer.DataFlow.FeatureContext.EnabledFeatures]", "value", "dfc-generated"]
-      - ["ILLink.RoslynAnalyzer.DataFlow", "FeatureContext", False, "ToString", "()", "", "Argument[this]", "ReturnValue", "taint", "df-generated"]
       - ["ILLink.RoslynAnalyzer.DataFlow", "FeatureContext", False, "Union", "(ILLink.RoslynAnalyzer.DataFlow.FeatureContext)", "", "Argument[0].Field[ILLink.RoslynAnalyzer.DataFlow.FeatureContext.EnabledFeatures]", "ReturnValue.Field[ILLink.RoslynAnalyzer.DataFlow.FeatureContext.EnabledFeatures]", "value", "dfc-generated"]
       - ["ILLink.RoslynAnalyzer.DataFlow", "FeatureContext", False, "Union", "(ILLink.RoslynAnalyzer.DataFlow.FeatureContext)", "", "Argument[this].Field[ILLink.RoslynAnalyzer.DataFlow.FeatureContext.EnabledFeatures]", "ReturnValue.Field[ILLink.RoslynAnalyzer.DataFlow.FeatureContext.EnabledFeatures]", "value", "dfc-generated"]
       - ["ILLink.RoslynAnalyzer.DataFlow", "FeatureContextLattice", False, "Meet", "(ILLink.RoslynAnalyzer.DataFlow.FeatureContext,ILLink.RoslynAnalyzer.DataFlow.FeatureContext)", "", "Argument[0].Field[ILLink.RoslynAnalyzer.DataFlow.FeatureContext.EnabledFeatures]", "ReturnValue.Field[ILLink.RoslynAnalyzer.DataFlow.FeatureContext.EnabledFeatures]", "value", "dfc-generated"]
@@ -41,7 +29,7 @@ extensions:
       - ["ILLink.RoslynAnalyzer.DataFlow", "InterproceduralStateLattice<TValue,TValueLattice>", False, "Meet", "(ILLink.RoslynAnalyzer.DataFlow.InterproceduralState<TValue,TValueLattice>,ILLink.RoslynAnalyzer.DataFlow.InterproceduralState<TValue,TValueLattice>)", "", "Argument[1].Field[ILLink.RoslynAnalyzer.DataFlow.InterproceduralState`2.Methods]", "ReturnValue.Field[ILLink.RoslynAnalyzer.DataFlow.InterproceduralState`2.Methods]", "value", "dfc-generated"]
       - ["ILLink.RoslynAnalyzer.DataFlow", "InterproceduralStateLattice<TValue,TValueLattice>", False, "get_Top", "()", "", "Argument[this].Field[ILLink.RoslynAnalyzer.DataFlow.InterproceduralStateLattice`2.HoistedLocalLattice].Property[ILLink.Shared.DataFlow.DictionaryLattice`3.Top]", "ReturnValue.Field[ILLink.RoslynAnalyzer.DataFlow.InterproceduralState`2.HoistedLocals]", "value", "dfc-generated"]
       - ["ILLink.RoslynAnalyzer.DataFlow", "InterproceduralStateLattice<TValue,TValueLattice>", False, "get_Top", "()", "", "Argument[this].Field[ILLink.RoslynAnalyzer.DataFlow.InterproceduralStateLattice`2.MethodLattice].Property[ILLink.Shared.DataFlow.ValueSetLattice`1.Top]", "ReturnValue.Field[ILLink.RoslynAnalyzer.DataFlow.InterproceduralState`2.Methods]", "value", "dfc-generated"]
-      - ["ILLink.RoslynAnalyzer.DataFlow", "LocalDataFlowAnalysis<TValue,TContext,TLattice,TContextLattice,TTransfer,TConditionValue>", False, "LocalDataFlowAnalysis", "(Microsoft.CodeAnalysis.Diagnostics.OperationBlockAnalysisContext,Microsoft.CodeAnalysis.IOperation,TLattice,TContextLattice,TContext)", "", "Argument[0]", "Argument[this].Field[ILLink.RoslynAnalyzer.DataFlow.LocalDataFlowAnalysis`6.Context]", "value", "dfc-generated"]
+      - ["ILLink.RoslynAnalyzer.DataFlow", "LocalDataFlowAnalysis<TValue,TContext,TLattice,TContextLattice,TTransfer,TConditionValue>", False, "LocalDataFlowAnalysis", "(Microsoft.CodeAnalysis.Diagnostics.OperationBlockAnalysisContext,Microsoft.CodeAnalysis.IOperation,TContext)", "", "Argument[0]", "Argument[this].Field[ILLink.RoslynAnalyzer.DataFlow.LocalDataFlowAnalysis`6.Context]", "value", "dfc-generated"]
       - ["ILLink.RoslynAnalyzer.DataFlow", "LocalDataFlowVisitor<TValue,TContext,TValueLattice,TContextLattice,TConditionValue>", False, "LocalDataFlowVisitor", "(Microsoft.CodeAnalysis.Compilation,ILLink.RoslynAnalyzer.DataFlow.LocalStateAndContextLattice<TValue,TContext,TValueLattice,TContextLattice>,Microsoft.CodeAnalysis.ISymbol,Microsoft.CodeAnalysis.FlowAnalysis.ControlFlowGraph,System.Collections.Immutable.ImmutableDictionary<Microsoft.CodeAnalysis.FlowAnalysis.CaptureId,ILLink.RoslynAnalyzer.DataFlow.FlowCaptureKind>,ILLink.RoslynAnalyzer.DataFlow.InterproceduralState<TValue,TValueLattice>)", "", "Argument[0]", "Argument[this].Field[ILLink.RoslynAnalyzer.DataFlow.LocalDataFlowVisitor`5.Compilation]", "value", "dfc-generated"]
       - ["ILLink.RoslynAnalyzer.DataFlow", "LocalDataFlowVisitor<TValue,TContext,TValueLattice,TContextLattice,TConditionValue>", False, "LocalDataFlowVisitor", "(Microsoft.CodeAnalysis.Compilation,ILLink.RoslynAnalyzer.DataFlow.LocalStateAndContextLattice<TValue,TContext,TValueLattice,TContextLattice>,Microsoft.CodeAnalysis.ISymbol,Microsoft.CodeAnalysis.FlowAnalysis.ControlFlowGraph,System.Collections.Immutable.ImmutableDictionary<Microsoft.CodeAnalysis.FlowAnalysis.CaptureId,ILLink.RoslynAnalyzer.DataFlow.FlowCaptureKind>,ILLink.RoslynAnalyzer.DataFlow.InterproceduralState<TValue,TValueLattice>)", "", "Argument[1]", "Argument[this].Field[ILLink.RoslynAnalyzer.DataFlow.LocalDataFlowVisitor`5.LocalStateAndContextLattice]", "value", "dfc-generated"]
       - ["ILLink.RoslynAnalyzer.DataFlow", "LocalDataFlowVisitor<TValue,TContext,TValueLattice,TContextLattice,TConditionValue>", False, "LocalDataFlowVisitor", "(Microsoft.CodeAnalysis.Compilation,ILLink.RoslynAnalyzer.DataFlow.LocalStateAndContextLattice<TValue,TContext,TValueLattice,TContextLattice>,Microsoft.CodeAnalysis.ISymbol,Microsoft.CodeAnalysis.FlowAnalysis.ControlFlowGraph,System.Collections.Immutable.ImmutableDictionary<Microsoft.CodeAnalysis.FlowAnalysis.CaptureId,ILLink.RoslynAnalyzer.DataFlow.FlowCaptureKind>,ILLink.RoslynAnalyzer.DataFlow.InterproceduralState<TValue,TValueLattice>)", "", "Argument[2]", "Argument[this].Field[ILLink.RoslynAnalyzer.DataFlow.LocalDataFlowVisitor`5.OwningSymbol]", "value", "dfc-generated"]
@@ -51,28 +39,28 @@ extensions:
       - ["ILLink.RoslynAnalyzer.DataFlow", "LocalDataFlowVisitor<TValue,TContext,TValueLattice,TContextLattice,TConditionValue>", True, "VisitCompoundAssignment", "(Microsoft.CodeAnalysis.Operations.ICompoundAssignmentOperation,ILLink.RoslynAnalyzer.DataFlow.LocalDataFlowState<TValue,TContext,TValueLattice,TContextLattice>)", "", "Argument[this]", "ReturnValue", "taint", "df-generated"]
       - ["ILLink.RoslynAnalyzer.DataFlow", "LocalDataFlowVisitor<TValue,TContext,TValueLattice,TContextLattice,TConditionValue>", True, "VisitConversion", "(Microsoft.CodeAnalysis.Operations.IConversionOperation,ILLink.RoslynAnalyzer.DataFlow.LocalDataFlowState<TValue,TContext,TValueLattice,TContextLattice>)", "", "Argument[this].Property[ILLink.RoslynAnalyzer.DataFlow.LocalDataFlowVisitor`5.TopValue]", "ReturnValue", "value", "dfc-generated"]
       - ["ILLink.RoslynAnalyzer.DataFlow", "LocalDataFlowVisitor<TValue,TContext,TValueLattice,TContextLattice,TConditionValue>", True, "VisitDelegateCreation", "(Microsoft.CodeAnalysis.Operations.IDelegateCreationOperation,ILLink.RoslynAnalyzer.DataFlow.LocalDataFlowState<TValue,TContext,TValueLattice,TContextLattice>)", "", "Argument[this].Property[ILLink.RoslynAnalyzer.DataFlow.LocalDataFlowVisitor`5.TopValue]", "ReturnValue", "value", "dfc-generated"]
-      - ["ILLink.RoslynAnalyzer.DataFlow", "LocalDataFlowVisitor<TValue,TContext,TValueLattice,TContextLattice,TConditionValue>", True, "VisitDynamicIndexerAccess", "(Microsoft.CodeAnalysis.Operations.IDynamicIndexerAccessOperation,ILLink.RoslynAnalyzer.DataFlow.LocalDataFlowState<TValue,TContext,TValueLattice,TContextLattice>)", "", "Argument[this].Field[ILLink.RoslynAnalyzer.DataFlow.LocalDataFlowVisitor`5.LocalStateAndContextLattice].Property[ILLink.RoslynAnalyzer.DataFlow.LocalStateAndContextLattice`4.Top]", "Argument[1].Property[ILLink.RoslynAnalyzer.DataFlow.LocalDataFlowState`4.Current]", "value", "dfc-generated"]
-      - ["ILLink.RoslynAnalyzer.DataFlow", "LocalDataFlowVisitor<TValue,TContext,TValueLattice,TContextLattice,TConditionValue>", True, "VisitDynamicIndexerAccess", "(Microsoft.CodeAnalysis.Operations.IDynamicIndexerAccessOperation,ILLink.RoslynAnalyzer.DataFlow.LocalDataFlowState<TValue,TContext,TValueLattice,TContextLattice>)", "", "Argument[this].Property[ILLink.RoslynAnalyzer.DataFlow.LocalDataFlowVisitor`5.TopValue]", "ReturnValue", "value", "dfc-generated"]
-      - ["ILLink.RoslynAnalyzer.DataFlow", "LocalDataFlowVisitor<TValue,TContext,TValueLattice,TContextLattice,TConditionValue>", True, "VisitDynamicInvocation", "(Microsoft.CodeAnalysis.Operations.IDynamicInvocationOperation,ILLink.RoslynAnalyzer.DataFlow.LocalDataFlowState<TValue,TContext,TValueLattice,TContextLattice>)", "", "Argument[this].Field[ILLink.RoslynAnalyzer.DataFlow.LocalDataFlowVisitor`5.LocalStateAndContextLattice].Property[ILLink.RoslynAnalyzer.DataFlow.LocalStateAndContextLattice`4.Top]", "Argument[1].Property[ILLink.RoslynAnalyzer.DataFlow.LocalDataFlowState`4.Current]", "value", "dfc-generated"]
-      - ["ILLink.RoslynAnalyzer.DataFlow", "LocalDataFlowVisitor<TValue,TContext,TValueLattice,TContextLattice,TConditionValue>", True, "VisitDynamicInvocation", "(Microsoft.CodeAnalysis.Operations.IDynamicInvocationOperation,ILLink.RoslynAnalyzer.DataFlow.LocalDataFlowState<TValue,TContext,TValueLattice,TContextLattice>)", "", "Argument[this].Property[ILLink.RoslynAnalyzer.DataFlow.LocalDataFlowVisitor`5.TopValue]", "ReturnValue", "value", "dfc-generated"]
-      - ["ILLink.RoslynAnalyzer.DataFlow", "LocalDataFlowVisitor<TValue,TContext,TValueLattice,TContextLattice,TConditionValue>", True, "VisitDynamicMemberReference", "(Microsoft.CodeAnalysis.Operations.IDynamicMemberReferenceOperation,ILLink.RoslynAnalyzer.DataFlow.LocalDataFlowState<TValue,TContext,TValueLattice,TContextLattice>)", "", "Argument[this].Field[ILLink.RoslynAnalyzer.DataFlow.LocalDataFlowVisitor`5.LocalStateAndContextLattice].Property[ILLink.RoslynAnalyzer.DataFlow.LocalStateAndContextLattice`4.Top]", "Argument[1].Property[ILLink.RoslynAnalyzer.DataFlow.LocalDataFlowState`4.Current]", "value", "dfc-generated"]
-      - ["ILLink.RoslynAnalyzer.DataFlow", "LocalDataFlowVisitor<TValue,TContext,TValueLattice,TContextLattice,TConditionValue>", True, "VisitDynamicMemberReference", "(Microsoft.CodeAnalysis.Operations.IDynamicMemberReferenceOperation,ILLink.RoslynAnalyzer.DataFlow.LocalDataFlowState<TValue,TContext,TValueLattice,TContextLattice>)", "", "Argument[this].Property[ILLink.RoslynAnalyzer.DataFlow.LocalDataFlowVisitor`5.TopValue]", "ReturnValue", "value", "dfc-generated"]
-      - ["ILLink.RoslynAnalyzer.DataFlow", "LocalDataFlowVisitor<TValue,TContext,TValueLattice,TContextLattice,TConditionValue>", True, "VisitDynamicObjectCreation", "(Microsoft.CodeAnalysis.Operations.IDynamicObjectCreationOperation,ILLink.RoslynAnalyzer.DataFlow.LocalDataFlowState<TValue,TContext,TValueLattice,TContextLattice>)", "", "Argument[this].Field[ILLink.RoslynAnalyzer.DataFlow.LocalDataFlowVisitor`5.LocalStateAndContextLattice].Property[ILLink.RoslynAnalyzer.DataFlow.LocalStateAndContextLattice`4.Top]", "Argument[1].Property[ILLink.RoslynAnalyzer.DataFlow.LocalDataFlowState`4.Current]", "value", "dfc-generated"]
-      - ["ILLink.RoslynAnalyzer.DataFlow", "LocalDataFlowVisitor<TValue,TContext,TValueLattice,TContextLattice,TConditionValue>", True, "VisitDynamicObjectCreation", "(Microsoft.CodeAnalysis.Operations.IDynamicObjectCreationOperation,ILLink.RoslynAnalyzer.DataFlow.LocalDataFlowState<TValue,TContext,TValueLattice,TContextLattice>)", "", "Argument[this].Property[ILLink.RoslynAnalyzer.DataFlow.LocalDataFlowVisitor`5.TopValue]", "ReturnValue", "value", "dfc-generated"]
+      - ["ILLink.RoslynAnalyzer.DataFlow", "LocalDataFlowVisitor<TValue,TContext,TValueLattice,TContextLattice,TConditionValue>", True, "VisitDynamicIndexerAccess", "(Microsoft.CodeAnalysis.Operations.IDynamicIndexerAccessOperation,ILLink.RoslynAnalyzer.DataFlow.LocalDataFlowState<TValue,TContext,TValueLattice,TContextLattice>)", "", "Argument[this]", "Argument[1]", "taint", "df-generated"]
+      - ["ILLink.RoslynAnalyzer.DataFlow", "LocalDataFlowVisitor<TValue,TContext,TValueLattice,TContextLattice,TConditionValue>", True, "VisitDynamicIndexerAccess", "(Microsoft.CodeAnalysis.Operations.IDynamicIndexerAccessOperation,ILLink.RoslynAnalyzer.DataFlow.LocalDataFlowState<TValue,TContext,TValueLattice,TContextLattice>)", "", "Argument[this]", "ReturnValue", "taint", "df-generated"]
+      - ["ILLink.RoslynAnalyzer.DataFlow", "LocalDataFlowVisitor<TValue,TContext,TValueLattice,TContextLattice,TConditionValue>", True, "VisitDynamicInvocation", "(Microsoft.CodeAnalysis.Operations.IDynamicInvocationOperation,ILLink.RoslynAnalyzer.DataFlow.LocalDataFlowState<TValue,TContext,TValueLattice,TContextLattice>)", "", "Argument[this]", "Argument[1]", "taint", "df-generated"]
+      - ["ILLink.RoslynAnalyzer.DataFlow", "LocalDataFlowVisitor<TValue,TContext,TValueLattice,TContextLattice,TConditionValue>", True, "VisitDynamicInvocation", "(Microsoft.CodeAnalysis.Operations.IDynamicInvocationOperation,ILLink.RoslynAnalyzer.DataFlow.LocalDataFlowState<TValue,TContext,TValueLattice,TContextLattice>)", "", "Argument[this]", "ReturnValue", "taint", "df-generated"]
+      - ["ILLink.RoslynAnalyzer.DataFlow", "LocalDataFlowVisitor<TValue,TContext,TValueLattice,TContextLattice,TConditionValue>", True, "VisitDynamicMemberReference", "(Microsoft.CodeAnalysis.Operations.IDynamicMemberReferenceOperation,ILLink.RoslynAnalyzer.DataFlow.LocalDataFlowState<TValue,TContext,TValueLattice,TContextLattice>)", "", "Argument[this]", "Argument[1]", "taint", "df-generated"]
+      - ["ILLink.RoslynAnalyzer.DataFlow", "LocalDataFlowVisitor<TValue,TContext,TValueLattice,TContextLattice,TConditionValue>", True, "VisitDynamicMemberReference", "(Microsoft.CodeAnalysis.Operations.IDynamicMemberReferenceOperation,ILLink.RoslynAnalyzer.DataFlow.LocalDataFlowState<TValue,TContext,TValueLattice,TContextLattice>)", "", "Argument[this]", "ReturnValue", "taint", "df-generated"]
+      - ["ILLink.RoslynAnalyzer.DataFlow", "LocalDataFlowVisitor<TValue,TContext,TValueLattice,TContextLattice,TConditionValue>", True, "VisitDynamicObjectCreation", "(Microsoft.CodeAnalysis.Operations.IDynamicObjectCreationOperation,ILLink.RoslynAnalyzer.DataFlow.LocalDataFlowState<TValue,TContext,TValueLattice,TContextLattice>)", "", "Argument[this]", "Argument[1]", "taint", "df-generated"]
+      - ["ILLink.RoslynAnalyzer.DataFlow", "LocalDataFlowVisitor<TValue,TContext,TValueLattice,TContextLattice,TConditionValue>", True, "VisitDynamicObjectCreation", "(Microsoft.CodeAnalysis.Operations.IDynamicObjectCreationOperation,ILLink.RoslynAnalyzer.DataFlow.LocalDataFlowState<TValue,TContext,TValueLattice,TContextLattice>)", "", "Argument[this]", "ReturnValue", "taint", "df-generated"]
       - ["ILLink.RoslynAnalyzer.DataFlow", "LocalDataFlowVisitor<TValue,TContext,TValueLattice,TContextLattice,TConditionValue>", True, "VisitEventAssignment", "(Microsoft.CodeAnalysis.Operations.IEventAssignmentOperation,ILLink.RoslynAnalyzer.DataFlow.LocalDataFlowState<TValue,TContext,TValueLattice,TContextLattice>)", "", "Argument[this].Field[ILLink.RoslynAnalyzer.DataFlow.LocalDataFlowVisitor`5.LocalStateAndContextLattice].Property[ILLink.RoslynAnalyzer.DataFlow.LocalStateAndContextLattice`4.Top]", "Argument[1].Property[ILLink.RoslynAnalyzer.DataFlow.LocalDataFlowState`4.Current]", "value", "dfc-generated"]
       - ["ILLink.RoslynAnalyzer.DataFlow", "LocalDataFlowVisitor<TValue,TContext,TValueLattice,TContextLattice,TConditionValue>", True, "VisitEventReference", "(Microsoft.CodeAnalysis.Operations.IEventReferenceOperation,ILLink.RoslynAnalyzer.DataFlow.LocalDataFlowState<TValue,TContext,TValueLattice,TContextLattice>)", "", "Argument[this].Property[ILLink.RoslynAnalyzer.DataFlow.LocalDataFlowVisitor`5.TopValue]", "ReturnValue", "value", "dfc-generated"]
       - ["ILLink.RoslynAnalyzer.DataFlow", "LocalDataFlowVisitor<TValue,TContext,TValueLattice,TContextLattice,TConditionValue>", True, "VisitExpressionStatement", "(Microsoft.CodeAnalysis.Operations.IExpressionStatementOperation,ILLink.RoslynAnalyzer.DataFlow.LocalDataFlowState<TValue,TContext,TValueLattice,TContextLattice>)", "", "Argument[this].Property[ILLink.RoslynAnalyzer.DataFlow.LocalDataFlowVisitor`5.TopValue]", "ReturnValue", "value", "dfc-generated"]
       - ["ILLink.RoslynAnalyzer.DataFlow", "LocalDataFlowVisitor<TValue,TContext,TValueLattice,TContextLattice,TConditionValue>", True, "VisitFlowAnonymousFunction", "(Microsoft.CodeAnalysis.FlowAnalysis.IFlowAnonymousFunctionOperation,ILLink.RoslynAnalyzer.DataFlow.LocalDataFlowState<TValue,TContext,TValueLattice,TContextLattice>)", "", "Argument[this].Property[ILLink.RoslynAnalyzer.DataFlow.LocalDataFlowVisitor`5.TopValue]", "ReturnValue", "value", "dfc-generated"]
       - ["ILLink.RoslynAnalyzer.DataFlow", "LocalDataFlowVisitor<TValue,TContext,TValueLattice,TContextLattice,TConditionValue>", True, "VisitFlowCapture", "(Microsoft.CodeAnalysis.FlowAnalysis.IFlowCaptureOperation,ILLink.RoslynAnalyzer.DataFlow.LocalDataFlowState<TValue,TContext,TValueLattice,TContextLattice>)", "", "Argument[this]", "ReturnValue", "taint", "df-generated"]
       - ["ILLink.RoslynAnalyzer.DataFlow", "LocalDataFlowVisitor<TValue,TContext,TValueLattice,TContextLattice,TConditionValue>", True, "VisitFlowCaptureReference", "(Microsoft.CodeAnalysis.FlowAnalysis.IFlowCaptureReferenceOperation,ILLink.RoslynAnalyzer.DataFlow.LocalDataFlowState<TValue,TContext,TValueLattice,TContextLattice>)", "", "Argument[this].Property[ILLink.RoslynAnalyzer.DataFlow.LocalDataFlowVisitor`5.TopValue]", "ReturnValue", "value", "dfc-generated"]
-      - ["ILLink.RoslynAnalyzer.DataFlow", "LocalDataFlowVisitor<TValue,TContext,TValueLattice,TContextLattice,TConditionValue>", True, "VisitImplicitIndexerReference", "(Microsoft.CodeAnalysis.Operations.IImplicitIndexerReferenceOperation,ILLink.RoslynAnalyzer.DataFlow.LocalDataFlowState<TValue,TContext,TValueLattice,TContextLattice>)", "", "Argument[this].Field[ILLink.RoslynAnalyzer.DataFlow.LocalDataFlowVisitor`5.LocalStateAndContextLattice].Property[ILLink.RoslynAnalyzer.DataFlow.LocalStateAndContextLattice`4.Top]", "Argument[1].Property[ILLink.RoslynAnalyzer.DataFlow.LocalDataFlowState`4.Current]", "value", "dfc-generated"]
-      - ["ILLink.RoslynAnalyzer.DataFlow", "LocalDataFlowVisitor<TValue,TContext,TValueLattice,TContextLattice,TConditionValue>", True, "VisitImplicitIndexerReference", "(Microsoft.CodeAnalysis.Operations.IImplicitIndexerReferenceOperation,ILLink.RoslynAnalyzer.DataFlow.LocalDataFlowState<TValue,TContext,TValueLattice,TContextLattice>)", "", "Argument[this].Property[ILLink.RoslynAnalyzer.DataFlow.LocalDataFlowVisitor`5.TopValue]", "ReturnValue", "value", "dfc-generated"]
+      - ["ILLink.RoslynAnalyzer.DataFlow", "LocalDataFlowVisitor<TValue,TContext,TValueLattice,TContextLattice,TConditionValue>", True, "VisitImplicitIndexerReference", "(Microsoft.CodeAnalysis.Operations.IImplicitIndexerReferenceOperation,ILLink.RoslynAnalyzer.DataFlow.LocalDataFlowState<TValue,TContext,TValueLattice,TContextLattice>)", "", "Argument[this]", "Argument[1]", "taint", "df-generated"]
+      - ["ILLink.RoslynAnalyzer.DataFlow", "LocalDataFlowVisitor<TValue,TContext,TValueLattice,TContextLattice,TConditionValue>", True, "VisitImplicitIndexerReference", "(Microsoft.CodeAnalysis.Operations.IImplicitIndexerReferenceOperation,ILLink.RoslynAnalyzer.DataFlow.LocalDataFlowState<TValue,TContext,TValueLattice,TContextLattice>)", "", "Argument[this]", "ReturnValue", "taint", "df-generated"]
       - ["ILLink.RoslynAnalyzer.DataFlow", "LocalDataFlowVisitor<TValue,TContext,TValueLattice,TContextLattice,TConditionValue>", True, "VisitInlineArrayAccess", "(Microsoft.CodeAnalysis.Operations.IInlineArrayAccessOperation,ILLink.RoslynAnalyzer.DataFlow.LocalDataFlowState<TValue,TContext,TValueLattice,TContextLattice>)", "", "Argument[this].Property[ILLink.RoslynAnalyzer.DataFlow.LocalDataFlowVisitor`5.TopValue]", "ReturnValue", "value", "dfc-generated"]
       - ["ILLink.RoslynAnalyzer.DataFlow", "LocalDataFlowVisitor<TValue,TContext,TValueLattice,TContextLattice,TConditionValue>", True, "VisitInvocation", "(Microsoft.CodeAnalysis.Operations.IInvocationOperation,ILLink.RoslynAnalyzer.DataFlow.LocalDataFlowState<TValue,TContext,TValueLattice,TContextLattice>)", "", "Argument[this].Field[ILLink.RoslynAnalyzer.DataFlow.LocalDataFlowVisitor`5.LocalStateAndContextLattice].Property[ILLink.RoslynAnalyzer.DataFlow.LocalStateAndContextLattice`4.Top]", "Argument[1].Property[ILLink.RoslynAnalyzer.DataFlow.LocalDataFlowState`4.Current]", "value", "dfc-generated"]
-      - ["ILLink.RoslynAnalyzer.DataFlow", "LocalDataFlowVisitor<TValue,TContext,TValueLattice,TContextLattice,TConditionValue>", True, "VisitObjectCreation", "(Microsoft.CodeAnalysis.Operations.IObjectCreationOperation,ILLink.RoslynAnalyzer.DataFlow.LocalDataFlowState<TValue,TContext,TValueLattice,TContextLattice>)", "", "Argument[this].Field[ILLink.RoslynAnalyzer.DataFlow.LocalDataFlowVisitor`5.LocalStateAndContextLattice].Property[ILLink.RoslynAnalyzer.DataFlow.LocalStateAndContextLattice`4.Top]", "Argument[1].Property[ILLink.RoslynAnalyzer.DataFlow.LocalDataFlowState`4.Current]", "value", "dfc-generated"]
-      - ["ILLink.RoslynAnalyzer.DataFlow", "LocalDataFlowVisitor<TValue,TContext,TValueLattice,TContextLattice,TConditionValue>", True, "VisitObjectCreation", "(Microsoft.CodeAnalysis.Operations.IObjectCreationOperation,ILLink.RoslynAnalyzer.DataFlow.LocalDataFlowState<TValue,TContext,TValueLattice,TContextLattice>)", "", "Argument[this].Property[ILLink.RoslynAnalyzer.DataFlow.LocalDataFlowVisitor`5.TopValue]", "ReturnValue", "value", "dfc-generated"]
-      - ["ILLink.RoslynAnalyzer.DataFlow", "LocalDataFlowVisitor<TValue,TContext,TValueLattice,TContextLattice,TConditionValue>", True, "VisitPropertyReference", "(Microsoft.CodeAnalysis.Operations.IPropertyReferenceOperation,ILLink.RoslynAnalyzer.DataFlow.LocalDataFlowState<TValue,TContext,TValueLattice,TContextLattice>)", "", "Argument[this].Field[ILLink.RoslynAnalyzer.DataFlow.LocalDataFlowVisitor`5.LocalStateAndContextLattice].Property[ILLink.RoslynAnalyzer.DataFlow.LocalStateAndContextLattice`4.Top]", "Argument[1].Property[ILLink.RoslynAnalyzer.DataFlow.LocalDataFlowState`4.Current]", "value", "dfc-generated"]
-      - ["ILLink.RoslynAnalyzer.DataFlow", "LocalDataFlowVisitor<TValue,TContext,TValueLattice,TContextLattice,TConditionValue>", True, "VisitPropertyReference", "(Microsoft.CodeAnalysis.Operations.IPropertyReferenceOperation,ILLink.RoslynAnalyzer.DataFlow.LocalDataFlowState<TValue,TContext,TValueLattice,TContextLattice>)", "", "Argument[this].Property[ILLink.RoslynAnalyzer.DataFlow.LocalDataFlowVisitor`5.TopValue]", "ReturnValue", "value", "dfc-generated"]
+      - ["ILLink.RoslynAnalyzer.DataFlow", "LocalDataFlowVisitor<TValue,TContext,TValueLattice,TContextLattice,TConditionValue>", True, "VisitObjectCreation", "(Microsoft.CodeAnalysis.Operations.IObjectCreationOperation,ILLink.RoslynAnalyzer.DataFlow.LocalDataFlowState<TValue,TContext,TValueLattice,TContextLattice>)", "", "Argument[this]", "Argument[1]", "taint", "df-generated"]
+      - ["ILLink.RoslynAnalyzer.DataFlow", "LocalDataFlowVisitor<TValue,TContext,TValueLattice,TContextLattice,TConditionValue>", True, "VisitObjectCreation", "(Microsoft.CodeAnalysis.Operations.IObjectCreationOperation,ILLink.RoslynAnalyzer.DataFlow.LocalDataFlowState<TValue,TContext,TValueLattice,TContextLattice>)", "", "Argument[this]", "ReturnValue", "taint", "df-generated"]
+      - ["ILLink.RoslynAnalyzer.DataFlow", "LocalDataFlowVisitor<TValue,TContext,TValueLattice,TContextLattice,TConditionValue>", True, "VisitPropertyReference", "(Microsoft.CodeAnalysis.Operations.IPropertyReferenceOperation,ILLink.RoslynAnalyzer.DataFlow.LocalDataFlowState<TValue,TContext,TValueLattice,TContextLattice>)", "", "Argument[this]", "Argument[1]", "taint", "df-generated"]
+      - ["ILLink.RoslynAnalyzer.DataFlow", "LocalDataFlowVisitor<TValue,TContext,TValueLattice,TContextLattice,TConditionValue>", True, "VisitPropertyReference", "(Microsoft.CodeAnalysis.Operations.IPropertyReferenceOperation,ILLink.RoslynAnalyzer.DataFlow.LocalDataFlowState<TValue,TContext,TValueLattice,TContextLattice>)", "", "Argument[this]", "ReturnValue", "taint", "df-generated"]
       - ["ILLink.RoslynAnalyzer.DataFlow", "LocalDataFlowVisitor<TValue,TContext,TValueLattice,TContextLattice,TConditionValue>", True, "VisitReturn", "(Microsoft.CodeAnalysis.Operations.IReturnOperation,ILLink.RoslynAnalyzer.DataFlow.LocalDataFlowState<TValue,TContext,TValueLattice,TContextLattice>)", "", "Argument[this].Property[ILLink.RoslynAnalyzer.DataFlow.LocalDataFlowVisitor`5.TopValue]", "ReturnValue", "value", "dfc-generated"]
       - ["ILLink.RoslynAnalyzer.DataFlow", "LocalDataFlowVisitor<TValue,TContext,TValueLattice,TContextLattice,TConditionValue>", True, "VisitSimpleAssignment", "(Microsoft.CodeAnalysis.Operations.ISimpleAssignmentOperation,ILLink.RoslynAnalyzer.DataFlow.LocalDataFlowState<TValue,TContext,TValueLattice,TContextLattice>)", "", "Argument[this]", "Argument[1]", "taint", "df-generated"]
       - ["ILLink.RoslynAnalyzer.DataFlow", "LocalDataFlowVisitor<TValue,TContext,TValueLattice,TContextLattice,TConditionValue>", True, "VisitSimpleAssignment", "(Microsoft.CodeAnalysis.Operations.ISimpleAssignmentOperation,ILLink.RoslynAnalyzer.DataFlow.LocalDataFlowState<TValue,TContext,TValueLattice,TContextLattice>)", "", "Argument[this]", "ReturnValue", "taint", "df-generated"]
@@ -97,11 +85,11 @@ extensions:
       - ["ILLink.RoslynAnalyzer.DataFlow", "LocalStateLattice<TValue,TValueLattice>", False, "Meet", "(ILLink.RoslynAnalyzer.DataFlow.LocalState<TValue>,ILLink.RoslynAnalyzer.DataFlow.LocalState<TValue>)", "", "Argument[0]", "ReturnValue", "taint", "df-generated"]
       - ["ILLink.RoslynAnalyzer.DataFlow", "MethodBodyValue", False, "MethodBodyValue", "(Microsoft.CodeAnalysis.ISymbol,Microsoft.CodeAnalysis.FlowAnalysis.ControlFlowGraph)", "", "Argument[0]", "Argument[this].Property[ILLink.RoslynAnalyzer.DataFlow.MethodBodyValue.OwningSymbol]", "value", "dfc-generated"]
       - ["ILLink.RoslynAnalyzer.DataFlow", "MethodBodyValue", False, "MethodBodyValue", "(Microsoft.CodeAnalysis.ISymbol,Microsoft.CodeAnalysis.FlowAnalysis.ControlFlowGraph)", "", "Argument[1]", "Argument[this].Property[ILLink.RoslynAnalyzer.DataFlow.MethodBodyValue.ControlFlowGraph]", "value", "dfc-generated"]
-      - ["ILLink.RoslynAnalyzer.DataFlow", "RegionProxy", False, "RegionProxy", "(Microsoft.CodeAnalysis.FlowAnalysis.ControlFlowRegion)", "", "Argument[0]", "Argument[this].Property[ILLink.RoslynAnalyzer.DataFlow.RegionProxy.Region]", "value", "dfc-generated"]
   - addsTo:
       pack: codeql/csharp-all
       extensible: neutralModel
     data:
+      - ["ILLink.RoslynAnalyzer.DataFlow", "BlockProxy", "BlockProxy", "(Microsoft.CodeAnalysis.FlowAnalysis.BasicBlock)", "summary", "df-generated"]
       - ["ILLink.RoslynAnalyzer.DataFlow", "BlockProxy", "ToString", "()", "summary", "df-generated"]
       - ["ILLink.RoslynAnalyzer.DataFlow", "BlockProxy", "get_ConditionKind", "()", "summary", "df-generated"]
       - ["ILLink.RoslynAnalyzer.DataFlow", "BlockProxy", "op_Equality", "(ILLink.RoslynAnalyzer.DataFlow.BlockProxy,ILLink.RoslynAnalyzer.DataFlow.BlockProxy)", "summary", "df-generated"]
@@ -109,15 +97,31 @@ extensions:
       - ["ILLink.RoslynAnalyzer.DataFlow", "CapturedReferenceValue", "Equals", "(ILLink.RoslynAnalyzer.DataFlow.CapturedReferenceValue)", "summary", "df-generated"]
       - ["ILLink.RoslynAnalyzer.DataFlow", "CapturedReferenceValue", "Equals", "(System.Object)", "summary", "df-generated"]
       - ["ILLink.RoslynAnalyzer.DataFlow", "CapturedReferenceValue", "GetHashCode", "()", "summary", "df-generated"]
+      - ["ILLink.RoslynAnalyzer.DataFlow", "ControlFlowGraphProxy", "ControlFlowGraphProxy", "(Microsoft.CodeAnalysis.FlowAnalysis.ControlFlowGraph)", "summary", "df-generated"]
+      - ["ILLink.RoslynAnalyzer.DataFlow", "ControlFlowGraphProxy", "CreateProxyBranch", "(Microsoft.CodeAnalysis.FlowAnalysis.ControlFlowBranch)", "summary", "df-generated"]
+      - ["ILLink.RoslynAnalyzer.DataFlow", "ControlFlowGraphProxy", "FirstBlock", "(ILLink.RoslynAnalyzer.DataFlow.RegionProxy)", "summary", "df-generated"]
+      - ["ILLink.RoslynAnalyzer.DataFlow", "ControlFlowGraphProxy", "GetConditionalSuccessor", "(ILLink.RoslynAnalyzer.DataFlow.BlockProxy)", "summary", "df-generated"]
       - ["ILLink.RoslynAnalyzer.DataFlow", "ControlFlowGraphProxy", "GetCorrespondingTry", "(ILLink.RoslynAnalyzer.DataFlow.RegionProxy)", "summary", "df-generated"]
+      - ["ILLink.RoslynAnalyzer.DataFlow", "ControlFlowGraphProxy", "GetFallThroughSuccessor", "(ILLink.RoslynAnalyzer.DataFlow.BlockProxy)", "summary", "df-generated"]
       - ["ILLink.RoslynAnalyzer.DataFlow", "ControlFlowGraphProxy", "GetPredecessors", "(ILLink.RoslynAnalyzer.DataFlow.BlockProxy)", "summary", "df-generated"]
       - ["ILLink.RoslynAnalyzer.DataFlow", "ControlFlowGraphProxy", "GetPreviousFilters", "(ILLink.RoslynAnalyzer.DataFlow.RegionProxy)", "summary", "df-generated"]
-      - ["ILLink.RoslynAnalyzer.DataFlow", "ControlFlowGraphProxy", "GetSuccessors", "(ILLink.RoslynAnalyzer.DataFlow.BlockProxy)", "summary", "df-generated"]
       - ["ILLink.RoslynAnalyzer.DataFlow", "ControlFlowGraphProxy", "HasFilter", "(ILLink.RoslynAnalyzer.DataFlow.RegionProxy)", "summary", "df-generated"]
+      - ["ILLink.RoslynAnalyzer.DataFlow", "ControlFlowGraphProxy", "LastBlock", "(ILLink.RoslynAnalyzer.DataFlow.RegionProxy)", "summary", "df-generated"]
+      - ["ILLink.RoslynAnalyzer.DataFlow", "ControlFlowGraphProxy", "TryGetEnclosingFinally", "(ILLink.RoslynAnalyzer.DataFlow.BlockProxy,ILLink.RoslynAnalyzer.DataFlow.RegionProxy)", "summary", "df-generated"]
+      - ["ILLink.RoslynAnalyzer.DataFlow", "ControlFlowGraphProxy", "TryGetEnclosingTryOrCatchOrFilter", "(ILLink.RoslynAnalyzer.DataFlow.BlockProxy,ILLink.RoslynAnalyzer.DataFlow.RegionProxy)", "summary", "df-generated"]
+      - ["ILLink.RoslynAnalyzer.DataFlow", "ControlFlowGraphProxy", "TryGetEnclosingTryOrCatchOrFilter", "(ILLink.RoslynAnalyzer.DataFlow.RegionProxy,ILLink.RoslynAnalyzer.DataFlow.RegionProxy)", "summary", "df-generated"]
+      - ["ILLink.RoslynAnalyzer.DataFlow", "ControlFlowGraphProxy", "get_Blocks", "()", "summary", "df-generated"]
+      - ["ILLink.RoslynAnalyzer.DataFlow", "ControlFlowGraphProxy", "get_Entry", "()", "summary", "df-generated"]
       - ["ILLink.RoslynAnalyzer.DataFlow", "ControlFlowGraphProxy", "op_Equality", "(ILLink.RoslynAnalyzer.DataFlow.ControlFlowGraphProxy,ILLink.RoslynAnalyzer.DataFlow.ControlFlowGraphProxy)", "summary", "df-generated"]
       - ["ILLink.RoslynAnalyzer.DataFlow", "ControlFlowGraphProxy", "op_Inequality", "(ILLink.RoslynAnalyzer.DataFlow.ControlFlowGraphProxy,ILLink.RoslynAnalyzer.DataFlow.ControlFlowGraphProxy)", "summary", "df-generated"]
       - ["ILLink.RoslynAnalyzer.DataFlow", "FeatureChecksValue", "op_Equality", "(ILLink.RoslynAnalyzer.DataFlow.FeatureChecksValue,ILLink.RoslynAnalyzer.DataFlow.FeatureChecksValue)", "summary", "df-generated"]
       - ["ILLink.RoslynAnalyzer.DataFlow", "FeatureChecksValue", "op_Inequality", "(ILLink.RoslynAnalyzer.DataFlow.FeatureChecksValue,ILLink.RoslynAnalyzer.DataFlow.FeatureChecksValue)", "summary", "df-generated"]
+      - ["ILLink.RoslynAnalyzer.DataFlow", "FeatureChecksVisitor", "GetLiteralBool", "(Microsoft.CodeAnalysis.IOperation)", "summary", "df-generated"]
+      - ["ILLink.RoslynAnalyzer.DataFlow", "FeatureChecksVisitor", "VisitArgument", "(Microsoft.CodeAnalysis.Operations.IArgumentOperation,ILLink.RoslynAnalyzer.DataFlow.LocalDataFlowState<ILLink.Shared.DataFlow.ValueSet<ILLink.Shared.DataFlow.SingleValue>,ILLink.RoslynAnalyzer.DataFlow.FeatureContext,ILLink.Shared.DataFlow.ValueSetLattice<ILLink.Shared.DataFlow.SingleValue>,ILLink.RoslynAnalyzer.DataFlow.FeatureContextLattice>)", "summary", "df-generated"]
+      - ["ILLink.RoslynAnalyzer.DataFlow", "FeatureChecksVisitor", "VisitBinaryOperator", "(Microsoft.CodeAnalysis.Operations.IBinaryOperation,ILLink.RoslynAnalyzer.DataFlow.LocalDataFlowState<ILLink.Shared.DataFlow.ValueSet<ILLink.Shared.DataFlow.SingleValue>,ILLink.RoslynAnalyzer.DataFlow.FeatureContext,ILLink.Shared.DataFlow.ValueSetLattice<ILLink.Shared.DataFlow.SingleValue>,ILLink.RoslynAnalyzer.DataFlow.FeatureContextLattice>)", "summary", "df-generated"]
+      - ["ILLink.RoslynAnalyzer.DataFlow", "FeatureChecksVisitor", "VisitIsPattern", "(Microsoft.CodeAnalysis.Operations.IIsPatternOperation,ILLink.RoslynAnalyzer.DataFlow.LocalDataFlowState<ILLink.Shared.DataFlow.ValueSet<ILLink.Shared.DataFlow.SingleValue>,ILLink.RoslynAnalyzer.DataFlow.FeatureContext,ILLink.Shared.DataFlow.ValueSetLattice<ILLink.Shared.DataFlow.SingleValue>,ILLink.RoslynAnalyzer.DataFlow.FeatureContextLattice>)", "summary", "df-generated"]
+      - ["ILLink.RoslynAnalyzer.DataFlow", "FeatureChecksVisitor", "VisitPropertyReference", "(Microsoft.CodeAnalysis.Operations.IPropertyReferenceOperation,ILLink.RoslynAnalyzer.DataFlow.LocalDataFlowState<ILLink.Shared.DataFlow.ValueSet<ILLink.Shared.DataFlow.SingleValue>,ILLink.RoslynAnalyzer.DataFlow.FeatureContext,ILLink.Shared.DataFlow.ValueSetLattice<ILLink.Shared.DataFlow.SingleValue>,ILLink.RoslynAnalyzer.DataFlow.FeatureContextLattice>)", "summary", "df-generated"]
+      - ["ILLink.RoslynAnalyzer.DataFlow", "FeatureChecksVisitor", "VisitUnaryOperator", "(Microsoft.CodeAnalysis.Operations.IUnaryOperation,ILLink.RoslynAnalyzer.DataFlow.LocalDataFlowState<ILLink.Shared.DataFlow.ValueSet<ILLink.Shared.DataFlow.SingleValue>,ILLink.RoslynAnalyzer.DataFlow.FeatureContext,ILLink.Shared.DataFlow.ValueSetLattice<ILLink.Shared.DataFlow.SingleValue>,ILLink.RoslynAnalyzer.DataFlow.FeatureContextLattice>)", "summary", "df-generated"]
       - ["ILLink.RoslynAnalyzer.DataFlow", "FeatureContext", "Equals", "(ILLink.RoslynAnalyzer.DataFlow.FeatureContext)", "summary", "df-generated"]
       - ["ILLink.RoslynAnalyzer.DataFlow", "FeatureContext", "Equals", "(System.Object)", "summary", "df-generated"]
       - ["ILLink.RoslynAnalyzer.DataFlow", "FeatureContext", "GetHashCode", "()", "summary", "df-generated"]
@@ -145,7 +149,6 @@ extensions:
       - ["ILLink.RoslynAnalyzer.DataFlow", "LocalDataFlowVisitor<TValue,TContext,TValueLattice,TContextLattice,TConditionValue>", "HandleAssignment", "(TValue,TValue,Microsoft.CodeAnalysis.IOperation,TContext)", "summary", "df-generated"]
       - ["ILLink.RoslynAnalyzer.DataFlow", "LocalDataFlowVisitor<TValue,TContext,TValueLattice,TContextLattice,TConditionValue>", "HandleDelegateCreation", "(Microsoft.CodeAnalysis.IMethodSymbol,Microsoft.CodeAnalysis.IOperation,TContext)", "summary", "df-generated"]
       - ["ILLink.RoslynAnalyzer.DataFlow", "LocalDataFlowVisitor<TValue,TContext,TValueLattice,TContextLattice,TConditionValue>", "HandleMethodCall", "(Microsoft.CodeAnalysis.IMethodSymbol,TValue,System.Collections.Immutable.ImmutableArray<TValue>,Microsoft.CodeAnalysis.IOperation,TContext)", "summary", "df-generated"]
-      - ["ILLink.RoslynAnalyzer.DataFlow", "LocalDataFlowVisitor<TValue,TContext,TValueLattice,TContextLattice,TConditionValue>", "HandleReturnConditionValue", "(TConditionValue,Microsoft.CodeAnalysis.IOperation)", "summary", "df-generated"]
       - ["ILLink.RoslynAnalyzer.DataFlow", "LocalDataFlowVisitor<TValue,TContext,TValueLattice,TContextLattice,TConditionValue>", "HandleReturnValue", "(TValue,Microsoft.CodeAnalysis.IOperation,TContext)", "summary", "df-generated"]
       - ["ILLink.RoslynAnalyzer.DataFlow", "LocalDataFlowVisitor<TValue,TContext,TValueLattice,TContextLattice,TConditionValue>", "Transfer", "(ILLink.RoslynAnalyzer.DataFlow.BlockProxy,ILLink.RoslynAnalyzer.DataFlow.LocalDataFlowState<TValue,TContext,TValueLattice,TContextLattice>)", "summary", "df-generated"]
       - ["ILLink.RoslynAnalyzer.DataFlow", "LocalDataFlowVisitor<TValue,TContext,TValueLattice,TContextLattice,TConditionValue>", "VisitArgument", "(Microsoft.CodeAnalysis.Operations.IArgumentOperation,ILLink.RoslynAnalyzer.DataFlow.LocalDataFlowState<TValue,TContext,TValueLattice,TContextLattice>)", "summary", "df-generated"]
@@ -173,6 +176,7 @@ extensions:
       - ["ILLink.RoslynAnalyzer.DataFlow", "MethodBodyValue", "get_OwningSymbol", "()", "summary", "df-generated"]
       - ["ILLink.RoslynAnalyzer.DataFlow", "OperationWalker<TArgument,TResult>", "DefaultVisit", "(Microsoft.CodeAnalysis.IOperation,TArgument)", "summary", "df-generated"]
       - ["ILLink.RoslynAnalyzer.DataFlow", "OperationWalker<TArgument,TResult>", "Visit", "(Microsoft.CodeAnalysis.IOperation,TArgument)", "summary", "df-generated"]
+      - ["ILLink.RoslynAnalyzer.DataFlow", "RegionProxy", "RegionProxy", "(Microsoft.CodeAnalysis.FlowAnalysis.ControlFlowRegion)", "summary", "df-generated"]
       - ["ILLink.RoslynAnalyzer.DataFlow", "RegionProxy", "get_Kind", "()", "summary", "df-generated"]
       - ["ILLink.RoslynAnalyzer.DataFlow", "RegionProxy", "op_Equality", "(ILLink.RoslynAnalyzer.DataFlow.RegionProxy,ILLink.RoslynAnalyzer.DataFlow.RegionProxy)", "summary", "df-generated"]
       - ["ILLink.RoslynAnalyzer.DataFlow", "RegionProxy", "op_Inequality", "(ILLink.RoslynAnalyzer.DataFlow.RegionProxy,ILLink.RoslynAnalyzer.DataFlow.RegionProxy)", "summary", "df-generated"]

csharp/ql/lib/ext/generated/ILLink.RoslynAnalyzer.TrimAnalysis.model.yml

@@ -5,3 +5,78 @@ extensions:
       extensible: summaryModel
     data:
       - ["ILLink.RoslynAnalyzer.TrimAnalysis", "SingleValueExtensions", False, "FromTypeSymbol", "(Microsoft.CodeAnalysis.ITypeSymbol)", "", "Argument[0]", "ReturnValue", "taint", "df-generated"]
+      - ["ILLink.RoslynAnalyzer.TrimAnalysis", "TrimAnalysisAssignmentPattern", False, "Merge", "(ILLink.Shared.DataFlow.ValueSetLattice<ILLink.Shared.DataFlow.SingleValue>,ILLink.RoslynAnalyzer.DataFlow.FeatureContextLattice,ILLink.RoslynAnalyzer.TrimAnalysis.TrimAnalysisAssignmentPattern)", "", "Argument[2]", "ReturnValue", "taint", "df-generated"]
+      - ["ILLink.RoslynAnalyzer.TrimAnalysis", "TrimAnalysisAssignmentPattern", False, "Merge", "(ILLink.Shared.DataFlow.ValueSetLattice<ILLink.Shared.DataFlow.SingleValue>,ILLink.RoslynAnalyzer.DataFlow.FeatureContextLattice,ILLink.RoslynAnalyzer.TrimAnalysis.TrimAnalysisAssignmentPattern)", "", "Argument[this]", "ReturnValue", "taint", "df-generated"]
+      - ["ILLink.RoslynAnalyzer.TrimAnalysis", "TrimAnalysisAssignmentPattern", False, "TrimAnalysisAssignmentPattern", "(ILLink.Shared.DataFlow.ValueSet<ILLink.Shared.DataFlow.SingleValue>,ILLink.Shared.DataFlow.ValueSet<ILLink.Shared.DataFlow.SingleValue>,Microsoft.CodeAnalysis.IOperation,Microsoft.CodeAnalysis.ISymbol,ILLink.RoslynAnalyzer.DataFlow.FeatureContext)", "", "Argument[0]", "Argument[this].Property[ILLink.RoslynAnalyzer.TrimAnalysis.TrimAnalysisAssignmentPattern.Source]", "value", "dfc-generated"]
+      - ["ILLink.RoslynAnalyzer.TrimAnalysis", "TrimAnalysisAssignmentPattern", False, "TrimAnalysisAssignmentPattern", "(ILLink.Shared.DataFlow.ValueSet<ILLink.Shared.DataFlow.SingleValue>,ILLink.Shared.DataFlow.ValueSet<ILLink.Shared.DataFlow.SingleValue>,Microsoft.CodeAnalysis.IOperation,Microsoft.CodeAnalysis.ISymbol,ILLink.RoslynAnalyzer.DataFlow.FeatureContext)", "", "Argument[1]", "Argument[this].Property[ILLink.RoslynAnalyzer.TrimAnalysis.TrimAnalysisAssignmentPattern.Target]", "value", "dfc-generated"]
+      - ["ILLink.RoslynAnalyzer.TrimAnalysis", "TrimAnalysisAssignmentPattern", False, "TrimAnalysisAssignmentPattern", "(ILLink.Shared.DataFlow.ValueSet<ILLink.Shared.DataFlow.SingleValue>,ILLink.Shared.DataFlow.ValueSet<ILLink.Shared.DataFlow.SingleValue>,Microsoft.CodeAnalysis.IOperation,Microsoft.CodeAnalysis.ISymbol,ILLink.RoslynAnalyzer.DataFlow.FeatureContext)", "", "Argument[2]", "Argument[this].Property[ILLink.RoslynAnalyzer.TrimAnalysis.TrimAnalysisAssignmentPattern.Operation]", "value", "dfc-generated"]
+      - ["ILLink.RoslynAnalyzer.TrimAnalysis", "TrimAnalysisAssignmentPattern", False, "TrimAnalysisAssignmentPattern", "(ILLink.Shared.DataFlow.ValueSet<ILLink.Shared.DataFlow.SingleValue>,ILLink.Shared.DataFlow.ValueSet<ILLink.Shared.DataFlow.SingleValue>,Microsoft.CodeAnalysis.IOperation,Microsoft.CodeAnalysis.ISymbol,ILLink.RoslynAnalyzer.DataFlow.FeatureContext)", "", "Argument[3]", "Argument[this].Property[ILLink.RoslynAnalyzer.TrimAnalysis.TrimAnalysisAssignmentPattern.OwningSymbol]", "value", "dfc-generated"]
+      - ["ILLink.RoslynAnalyzer.TrimAnalysis", "TrimAnalysisAssignmentPattern", False, "TrimAnalysisAssignmentPattern", "(ILLink.Shared.DataFlow.ValueSet<ILLink.Shared.DataFlow.SingleValue>,ILLink.Shared.DataFlow.ValueSet<ILLink.Shared.DataFlow.SingleValue>,Microsoft.CodeAnalysis.IOperation,Microsoft.CodeAnalysis.ISymbol,ILLink.RoslynAnalyzer.DataFlow.FeatureContext)", "", "Argument[4]", "Argument[this].Property[ILLink.RoslynAnalyzer.TrimAnalysis.TrimAnalysisAssignmentPattern.FeatureContext]", "value", "dfc-generated"]
+      - ["ILLink.RoslynAnalyzer.TrimAnalysis", "TrimAnalysisFieldAccessPattern", False, "Merge", "(ILLink.Shared.DataFlow.ValueSetLattice<ILLink.Shared.DataFlow.SingleValue>,ILLink.RoslynAnalyzer.DataFlow.FeatureContextLattice,ILLink.RoslynAnalyzer.TrimAnalysis.TrimAnalysisFieldAccessPattern)", "", "Argument[2].Property[ILLink.RoslynAnalyzer.TrimAnalysis.TrimAnalysisFieldAccessPattern.FeatureContext].Field[ILLink.RoslynAnalyzer.DataFlow.FeatureContext.EnabledFeatures]", "ReturnValue.Property[ILLink.RoslynAnalyzer.TrimAnalysis.TrimAnalysisFieldAccessPattern.FeatureContext].Field[ILLink.RoslynAnalyzer.DataFlow.FeatureContext.EnabledFeatures]", "value", "dfc-generated"]
+      - ["ILLink.RoslynAnalyzer.TrimAnalysis", "TrimAnalysisFieldAccessPattern", False, "TrimAnalysisFieldAccessPattern", "(Microsoft.CodeAnalysis.IFieldSymbol,Microsoft.CodeAnalysis.Operations.IFieldReferenceOperation,Microsoft.CodeAnalysis.ISymbol,ILLink.RoslynAnalyzer.DataFlow.FeatureContext)", "", "Argument[0]", "Argument[this].Property[ILLink.RoslynAnalyzer.TrimAnalysis.TrimAnalysisFieldAccessPattern.Field]", "value", "dfc-generated"]
+      - ["ILLink.RoslynAnalyzer.TrimAnalysis", "TrimAnalysisFieldAccessPattern", False, "TrimAnalysisFieldAccessPattern", "(Microsoft.CodeAnalysis.IFieldSymbol,Microsoft.CodeAnalysis.Operations.IFieldReferenceOperation,Microsoft.CodeAnalysis.ISymbol,ILLink.RoslynAnalyzer.DataFlow.FeatureContext)", "", "Argument[1]", "Argument[this].Property[ILLink.RoslynAnalyzer.TrimAnalysis.TrimAnalysisFieldAccessPattern.Operation]", "value", "dfc-generated"]
+      - ["ILLink.RoslynAnalyzer.TrimAnalysis", "TrimAnalysisFieldAccessPattern", False, "TrimAnalysisFieldAccessPattern", "(Microsoft.CodeAnalysis.IFieldSymbol,Microsoft.CodeAnalysis.Operations.IFieldReferenceOperation,Microsoft.CodeAnalysis.ISymbol,ILLink.RoslynAnalyzer.DataFlow.FeatureContext)", "", "Argument[2]", "Argument[this].Property[ILLink.RoslynAnalyzer.TrimAnalysis.TrimAnalysisFieldAccessPattern.OwningSymbol]", "value", "dfc-generated"]
+      - ["ILLink.RoslynAnalyzer.TrimAnalysis", "TrimAnalysisFieldAccessPattern", False, "TrimAnalysisFieldAccessPattern", "(Microsoft.CodeAnalysis.IFieldSymbol,Microsoft.CodeAnalysis.Operations.IFieldReferenceOperation,Microsoft.CodeAnalysis.ISymbol,ILLink.RoslynAnalyzer.DataFlow.FeatureContext)", "", "Argument[3]", "Argument[this].Property[ILLink.RoslynAnalyzer.TrimAnalysis.TrimAnalysisFieldAccessPattern.FeatureContext]", "value", "dfc-generated"]
+      - ["ILLink.RoslynAnalyzer.TrimAnalysis", "TrimAnalysisMethodCallPattern", False, "Merge", "(ILLink.Shared.DataFlow.ValueSetLattice<ILLink.Shared.DataFlow.SingleValue>,ILLink.RoslynAnalyzer.DataFlow.FeatureContextLattice,ILLink.RoslynAnalyzer.TrimAnalysis.TrimAnalysisMethodCallPattern)", "", "Argument[2].Property[ILLink.RoslynAnalyzer.TrimAnalysis.TrimAnalysisMethodCallPattern.FeatureContext].Field[ILLink.RoslynAnalyzer.DataFlow.FeatureContext.EnabledFeatures]", "ReturnValue.Property[ILLink.RoslynAnalyzer.TrimAnalysis.TrimAnalysisMethodCallPattern.FeatureContext].Field[ILLink.RoslynAnalyzer.DataFlow.FeatureContext.EnabledFeatures]", "value", "dfc-generated"]
+      - ["ILLink.RoslynAnalyzer.TrimAnalysis", "TrimAnalysisMethodCallPattern", False, "Merge", "(ILLink.Shared.DataFlow.ValueSetLattice<ILLink.Shared.DataFlow.SingleValue>,ILLink.RoslynAnalyzer.DataFlow.FeatureContextLattice,ILLink.RoslynAnalyzer.TrimAnalysis.TrimAnalysisMethodCallPattern)", "", "Argument[2].Property[ILLink.RoslynAnalyzer.TrimAnalysis.TrimAnalysisMethodCallPattern.Instance]", "ReturnValue.Property[ILLink.RoslynAnalyzer.TrimAnalysis.TrimAnalysisMethodCallPattern.Instance]", "value", "dfc-generated"]
+      - ["ILLink.RoslynAnalyzer.TrimAnalysis", "TrimAnalysisMethodCallPattern", False, "TrimAnalysisMethodCallPattern", "(Microsoft.CodeAnalysis.IMethodSymbol,ILLink.Shared.DataFlow.ValueSet<ILLink.Shared.DataFlow.SingleValue>,System.Collections.Immutable.ImmutableArray<ILLink.Shared.DataFlow.ValueSet<ILLink.Shared.DataFlow.SingleValue>>,Microsoft.CodeAnalysis.IOperation,Microsoft.CodeAnalysis.ISymbol,ILLink.RoslynAnalyzer.DataFlow.FeatureContext)", "", "Argument[0]", "Argument[this].Property[ILLink.RoslynAnalyzer.TrimAnalysis.TrimAnalysisMethodCallPattern.CalledMethod]", "value", "dfc-generated"]
+      - ["ILLink.RoslynAnalyzer.TrimAnalysis", "TrimAnalysisMethodCallPattern", False, "TrimAnalysisMethodCallPattern", "(Microsoft.CodeAnalysis.IMethodSymbol,ILLink.Shared.DataFlow.ValueSet<ILLink.Shared.DataFlow.SingleValue>,System.Collections.Immutable.ImmutableArray<ILLink.Shared.DataFlow.ValueSet<ILLink.Shared.DataFlow.SingleValue>>,Microsoft.CodeAnalysis.IOperation,Microsoft.CodeAnalysis.ISymbol,ILLink.RoslynAnalyzer.DataFlow.FeatureContext)", "", "Argument[1]", "Argument[this].Property[ILLink.RoslynAnalyzer.TrimAnalysis.TrimAnalysisMethodCallPattern.Instance]", "value", "dfc-generated"]
+      - ["ILLink.RoslynAnalyzer.TrimAnalysis", "TrimAnalysisMethodCallPattern", False, "TrimAnalysisMethodCallPattern", "(Microsoft.CodeAnalysis.IMethodSymbol,ILLink.Shared.DataFlow.ValueSet<ILLink.Shared.DataFlow.SingleValue>,System.Collections.Immutable.ImmutableArray<ILLink.Shared.DataFlow.ValueSet<ILLink.Shared.DataFlow.SingleValue>>,Microsoft.CodeAnalysis.IOperation,Microsoft.CodeAnalysis.ISymbol,ILLink.RoslynAnalyzer.DataFlow.FeatureContext)", "", "Argument[3]", "Argument[this].Property[ILLink.RoslynAnalyzer.TrimAnalysis.TrimAnalysisMethodCallPattern.Operation]", "value", "dfc-generated"]
+      - ["ILLink.RoslynAnalyzer.TrimAnalysis", "TrimAnalysisMethodCallPattern", False, "TrimAnalysisMethodCallPattern", "(Microsoft.CodeAnalysis.IMethodSymbol,ILLink.Shared.DataFlow.ValueSet<ILLink.Shared.DataFlow.SingleValue>,System.Collections.Immutable.ImmutableArray<ILLink.Shared.DataFlow.ValueSet<ILLink.Shared.DataFlow.SingleValue>>,Microsoft.CodeAnalysis.IOperation,Microsoft.CodeAnalysis.ISymbol,ILLink.RoslynAnalyzer.DataFlow.FeatureContext)", "", "Argument[4]", "Argument[this].Property[ILLink.RoslynAnalyzer.TrimAnalysis.TrimAnalysisMethodCallPattern.OwningSymbol]", "value", "dfc-generated"]
+      - ["ILLink.RoslynAnalyzer.TrimAnalysis", "TrimAnalysisMethodCallPattern", False, "TrimAnalysisMethodCallPattern", "(Microsoft.CodeAnalysis.IMethodSymbol,ILLink.Shared.DataFlow.ValueSet<ILLink.Shared.DataFlow.SingleValue>,System.Collections.Immutable.ImmutableArray<ILLink.Shared.DataFlow.ValueSet<ILLink.Shared.DataFlow.SingleValue>>,Microsoft.CodeAnalysis.IOperation,Microsoft.CodeAnalysis.ISymbol,ILLink.RoslynAnalyzer.DataFlow.FeatureContext)", "", "Argument[5].Field[ILLink.RoslynAnalyzer.DataFlow.FeatureContext.EnabledFeatures]", "Argument[this].Property[ILLink.RoslynAnalyzer.TrimAnalysis.TrimAnalysisMethodCallPattern.FeatureContext].Field[ILLink.RoslynAnalyzer.DataFlow.FeatureContext.EnabledFeatures]", "value", "dfc-generated"]
+      - ["ILLink.RoslynAnalyzer.TrimAnalysis", "TrimAnalysisPatternStore", False, "TrimAnalysisPatternStore", "(ILLink.Shared.DataFlow.ValueSetLattice<ILLink.Shared.DataFlow.SingleValue>,ILLink.RoslynAnalyzer.DataFlow.FeatureContextLattice)", "", "Argument[0]", "Argument[this]", "taint", "df-generated"]
+      - ["ILLink.RoslynAnalyzer.TrimAnalysis", "TrimAnalysisPatternStore", False, "TrimAnalysisPatternStore", "(ILLink.Shared.DataFlow.ValueSetLattice<ILLink.Shared.DataFlow.SingleValue>,ILLink.RoslynAnalyzer.DataFlow.FeatureContextLattice)", "", "Argument[1]", "Argument[this]", "taint", "df-generated"]
+      - ["ILLink.RoslynAnalyzer.TrimAnalysis", "TrimAnalysisReflectionAccessPattern", False, "Merge", "(ILLink.Shared.DataFlow.ValueSetLattice<ILLink.Shared.DataFlow.SingleValue>,ILLink.RoslynAnalyzer.DataFlow.FeatureContextLattice,ILLink.RoslynAnalyzer.TrimAnalysis.TrimAnalysisReflectionAccessPattern)", "", "Argument[2].Property[ILLink.RoslynAnalyzer.TrimAnalysis.TrimAnalysisReflectionAccessPattern.FeatureContext].Field[ILLink.RoslynAnalyzer.DataFlow.FeatureContext.EnabledFeatures]", "ReturnValue.Property[ILLink.RoslynAnalyzer.TrimAnalysis.TrimAnalysisReflectionAccessPattern.FeatureContext].Field[ILLink.RoslynAnalyzer.DataFlow.FeatureContext.EnabledFeatures]", "value", "dfc-generated"]
+      - ["ILLink.RoslynAnalyzer.TrimAnalysis", "TrimAnalysisReflectionAccessPattern", False, "TrimAnalysisReflectionAccessPattern", "(Microsoft.CodeAnalysis.IMethodSymbol,Microsoft.CodeAnalysis.IOperation,Microsoft.CodeAnalysis.ISymbol,ILLink.RoslynAnalyzer.DataFlow.FeatureContext)", "", "Argument[0]", "Argument[this].Property[ILLink.RoslynAnalyzer.TrimAnalysis.TrimAnalysisReflectionAccessPattern.ReferencedMethod]", "value", "dfc-generated"]
+      - ["ILLink.RoslynAnalyzer.TrimAnalysis", "TrimAnalysisReflectionAccessPattern", False, "TrimAnalysisReflectionAccessPattern", "(Microsoft.CodeAnalysis.IMethodSymbol,Microsoft.CodeAnalysis.IOperation,Microsoft.CodeAnalysis.ISymbol,ILLink.RoslynAnalyzer.DataFlow.FeatureContext)", "", "Argument[1]", "Argument[this].Property[ILLink.RoslynAnalyzer.TrimAnalysis.TrimAnalysisReflectionAccessPattern.Operation]", "value", "dfc-generated"]
+      - ["ILLink.RoslynAnalyzer.TrimAnalysis", "TrimAnalysisReflectionAccessPattern", False, "TrimAnalysisReflectionAccessPattern", "(Microsoft.CodeAnalysis.IMethodSymbol,Microsoft.CodeAnalysis.IOperation,Microsoft.CodeAnalysis.ISymbol,ILLink.RoslynAnalyzer.DataFlow.FeatureContext)", "", "Argument[2]", "Argument[this].Property[ILLink.RoslynAnalyzer.TrimAnalysis.TrimAnalysisReflectionAccessPattern.OwningSymbol]", "value", "dfc-generated"]
+      - ["ILLink.RoslynAnalyzer.TrimAnalysis", "TrimAnalysisReflectionAccessPattern", False, "TrimAnalysisReflectionAccessPattern", "(Microsoft.CodeAnalysis.IMethodSymbol,Microsoft.CodeAnalysis.IOperation,Microsoft.CodeAnalysis.ISymbol,ILLink.RoslynAnalyzer.DataFlow.FeatureContext)", "", "Argument[3].Field[ILLink.RoslynAnalyzer.DataFlow.FeatureContext.EnabledFeatures]", "Argument[this].Property[ILLink.RoslynAnalyzer.TrimAnalysis.TrimAnalysisReflectionAccessPattern.FeatureContext].Field[ILLink.RoslynAnalyzer.DataFlow.FeatureContext.EnabledFeatures]", "value", "dfc-generated"]
+      - ["ILLink.RoslynAnalyzer.TrimAnalysis", "TrimAnalysisVisitor", False, "TrimAnalysisVisitor", "(Microsoft.CodeAnalysis.Compilation,ILLink.RoslynAnalyzer.DataFlow.LocalStateAndContextLattice<ILLink.Shared.DataFlow.ValueSet<ILLink.Shared.DataFlow.SingleValue>,ILLink.RoslynAnalyzer.DataFlow.FeatureContext,ILLink.Shared.DataFlow.ValueSetLattice<ILLink.Shared.DataFlow.SingleValue>,ILLink.RoslynAnalyzer.DataFlow.FeatureContextLattice>,Microsoft.CodeAnalysis.ISymbol,Microsoft.CodeAnalysis.FlowAnalysis.ControlFlowGraph,System.Collections.Immutable.ImmutableDictionary<Microsoft.CodeAnalysis.FlowAnalysis.CaptureId,ILLink.RoslynAnalyzer.DataFlow.FlowCaptureKind>,ILLink.RoslynAnalyzer.TrimAnalysis.TrimAnalysisPatternStore,ILLink.RoslynAnalyzer.DataFlow.InterproceduralState<ILLink.Shared.DataFlow.ValueSet<ILLink.Shared.DataFlow.SingleValue>,ILLink.Shared.DataFlow.ValueSetLattice<ILLink.Shared.DataFlow.SingleValue>>,ILLink.RoslynAnalyzer.DataFlowAnalyzerContext)", "", "Argument[5]", "Argument[this].Field[ILLink.RoslynAnalyzer.TrimAnalysis.TrimAnalysisVisitor.TrimAnalysisPatterns]", "value", "dfc-generated"]
+      - ["ILLink.RoslynAnalyzer.TrimAnalysis", "TrimAnalysisVisitor", True, "ApplyCondition", "(ILLink.RoslynAnalyzer.DataFlow.FeatureChecksValue,ILLink.RoslynAnalyzer.DataFlow.LocalStateAndContext<ILLink.Shared.DataFlow.ValueSet<ILLink.Shared.DataFlow.SingleValue>,ILLink.RoslynAnalyzer.DataFlow.FeatureContext>)", "", "Argument[0].Field[ILLink.RoslynAnalyzer.DataFlow.FeatureChecksValue.EnabledFeatures]", "Argument[1].Field[ILLink.RoslynAnalyzer.DataFlow.LocalStateAndContext`2.Context].Field[ILLink.RoslynAnalyzer.DataFlow.FeatureContext.EnabledFeatures]", "value", "dfc-generated"]
+      - ["ILLink.RoslynAnalyzer.TrimAnalysis", "TrimAnalysisVisitor", True, "ApplyCondition", "(ILLink.RoslynAnalyzer.DataFlow.FeatureChecksValue,ILLink.RoslynAnalyzer.DataFlow.LocalStateAndContext<ILLink.Shared.DataFlow.ValueSet<ILLink.Shared.DataFlow.SingleValue>,ILLink.RoslynAnalyzer.DataFlow.FeatureContext>)", "", "Argument[1]", "ReturnValue", "value", "dfc-generated"]
+      - ["ILLink.RoslynAnalyzer.TrimAnalysis", "TrimAnalysisVisitor", True, "GetFieldTargetValue", "(Microsoft.CodeAnalysis.IFieldSymbol,Microsoft.CodeAnalysis.Operations.IFieldReferenceOperation,ILLink.RoslynAnalyzer.DataFlow.FeatureContext)", "", "Argument[0]", "ReturnValue", "taint", "df-generated"]
+      - ["ILLink.RoslynAnalyzer.TrimAnalysis", "TrimAnalysisVisitor", True, "HandleArrayElementRead", "(ILLink.Shared.DataFlow.ValueSet<ILLink.Shared.DataFlow.SingleValue>,ILLink.Shared.DataFlow.ValueSet<ILLink.Shared.DataFlow.SingleValue>,Microsoft.CodeAnalysis.IOperation)", "", "Argument[this].Property[ILLink.RoslynAnalyzer.DataFlow.LocalDataFlowVisitor`5.TopValue]", "ReturnValue", "value", "dfc-generated"]
+      - ["ILLink.RoslynAnalyzer.TrimAnalysis", "TrimAnalysisVisitor", True, "HandleDelegateCreation", "(Microsoft.CodeAnalysis.IMethodSymbol,Microsoft.CodeAnalysis.IOperation,ILLink.RoslynAnalyzer.DataFlow.FeatureContext)", "", "Argument[this].Property[ILLink.RoslynAnalyzer.DataFlow.LocalDataFlowVisitor`5.TopValue]", "ReturnValue", "value", "dfc-generated"]
+      - ["ILLink.RoslynAnalyzer.TrimAnalysis", "TrimAnalysisVisitor", True, "HandleMethodCall", "(Microsoft.CodeAnalysis.IMethodSymbol,ILLink.Shared.DataFlow.ValueSet<ILLink.Shared.DataFlow.SingleValue>,System.Collections.Immutable.ImmutableArray<ILLink.Shared.DataFlow.ValueSet<ILLink.Shared.DataFlow.SingleValue>>,Microsoft.CodeAnalysis.IOperation,ILLink.RoslynAnalyzer.DataFlow.FeatureContext)", "", "Argument[1].Property[System.Nullable`1.Value]", "ReturnValue", "value", "dfc-generated"]
+      - ["ILLink.RoslynAnalyzer.TrimAnalysis", "TrimAnalysisVisitor", True, "Visit", "(Microsoft.CodeAnalysis.IOperation,ILLink.RoslynAnalyzer.DataFlow.LocalDataFlowState<ILLink.Shared.DataFlow.ValueSet<ILLink.Shared.DataFlow.SingleValue>,ILLink.RoslynAnalyzer.DataFlow.FeatureContext,ILLink.Shared.DataFlow.ValueSetLattice<ILLink.Shared.DataFlow.SingleValue>,ILLink.RoslynAnalyzer.DataFlow.FeatureContextLattice>)", "", "Argument[0]", "ReturnValue", "taint", "df-generated"]
+      - ["ILLink.RoslynAnalyzer.TrimAnalysis", "TrimAnalysisVisitor", True, "VisitArrayCreation", "(Microsoft.CodeAnalysis.Operations.IArrayCreationOperation,ILLink.RoslynAnalyzer.DataFlow.LocalDataFlowState<ILLink.Shared.DataFlow.ValueSet<ILLink.Shared.DataFlow.SingleValue>,ILLink.RoslynAnalyzer.DataFlow.FeatureContext,ILLink.Shared.DataFlow.ValueSetLattice<ILLink.Shared.DataFlow.SingleValue>,ILLink.RoslynAnalyzer.DataFlow.FeatureContextLattice>)", "", "Argument[this].Property[ILLink.RoslynAnalyzer.DataFlow.LocalDataFlowVisitor`5.TopValue]", "ReturnValue", "value", "dfc-generated"]
+      - ["ILLink.RoslynAnalyzer.TrimAnalysis", "TrimAnalysisVisitor", True, "VisitBinaryOperator", "(Microsoft.CodeAnalysis.Operations.IBinaryOperation,ILLink.RoslynAnalyzer.DataFlow.LocalDataFlowState<ILLink.Shared.DataFlow.ValueSet<ILLink.Shared.DataFlow.SingleValue>,ILLink.RoslynAnalyzer.DataFlow.FeatureContext,ILLink.Shared.DataFlow.ValueSetLattice<ILLink.Shared.DataFlow.SingleValue>,ILLink.RoslynAnalyzer.DataFlow.FeatureContextLattice>)", "", "Argument[this].Property[ILLink.RoslynAnalyzer.DataFlow.LocalDataFlowVisitor`5.TopValue]", "ReturnValue", "value", "dfc-generated"]
+      - ["ILLink.RoslynAnalyzer.TrimAnalysis", "TrimAnalysisVisitor", True, "VisitConversion", "(Microsoft.CodeAnalysis.Operations.IConversionOperation,ILLink.RoslynAnalyzer.DataFlow.LocalDataFlowState<ILLink.Shared.DataFlow.ValueSet<ILLink.Shared.DataFlow.SingleValue>,ILLink.RoslynAnalyzer.DataFlow.FeatureContext,ILLink.Shared.DataFlow.ValueSetLattice<ILLink.Shared.DataFlow.SingleValue>,ILLink.RoslynAnalyzer.DataFlow.FeatureContextLattice>)", "", "Argument[this].Property[ILLink.RoslynAnalyzer.DataFlow.LocalDataFlowVisitor`5.TopValue]", "ReturnValue", "value", "dfc-generated"]
+      - ["ILLink.RoslynAnalyzer.TrimAnalysis", "TrimAnalysisVisitor", True, "VisitFieldReference", "(Microsoft.CodeAnalysis.Operations.IFieldReferenceOperation,ILLink.RoslynAnalyzer.DataFlow.LocalDataFlowState<ILLink.Shared.DataFlow.ValueSet<ILLink.Shared.DataFlow.SingleValue>,ILLink.RoslynAnalyzer.DataFlow.FeatureContext,ILLink.Shared.DataFlow.ValueSetLattice<ILLink.Shared.DataFlow.SingleValue>,ILLink.RoslynAnalyzer.DataFlow.FeatureContextLattice>)", "", "Argument[0]", "ReturnValue", "taint", "df-generated"]
+      - ["ILLink.RoslynAnalyzer.TrimAnalysis", "TrimAnalysisVisitor", True, "VisitInstanceReference", "(Microsoft.CodeAnalysis.Operations.IInstanceReferenceOperation,ILLink.RoslynAnalyzer.DataFlow.LocalDataFlowState<ILLink.Shared.DataFlow.ValueSet<ILLink.Shared.DataFlow.SingleValue>,ILLink.RoslynAnalyzer.DataFlow.FeatureContext,ILLink.Shared.DataFlow.ValueSetLattice<ILLink.Shared.DataFlow.SingleValue>,ILLink.RoslynAnalyzer.DataFlow.FeatureContextLattice>)", "", "Argument[this].Property[ILLink.RoslynAnalyzer.DataFlow.LocalDataFlowVisitor`5.TopValue]", "ReturnValue", "value", "dfc-generated"]
+      - ["ILLink.RoslynAnalyzer.TrimAnalysis", "TrimAnalysisVisitor", True, "VisitTypeOf", "(Microsoft.CodeAnalysis.Operations.ITypeOfOperation,ILLink.RoslynAnalyzer.DataFlow.LocalDataFlowState<ILLink.Shared.DataFlow.ValueSet<ILLink.Shared.DataFlow.SingleValue>,ILLink.RoslynAnalyzer.DataFlow.FeatureContext,ILLink.Shared.DataFlow.ValueSetLattice<ILLink.Shared.DataFlow.SingleValue>,ILLink.RoslynAnalyzer.DataFlow.FeatureContextLattice>)", "", "Argument[this].Property[ILLink.RoslynAnalyzer.DataFlow.LocalDataFlowVisitor`5.TopValue]", "ReturnValue", "value", "dfc-generated"]
+      - ["ILLink.RoslynAnalyzer.TrimAnalysis", "TrimDataFlowAnalysis", False, "TrimDataFlowAnalysis", "(Microsoft.CodeAnalysis.Diagnostics.OperationBlockAnalysisContext,ILLink.RoslynAnalyzer.DataFlowAnalyzerContext,Microsoft.CodeAnalysis.IOperation)", "", "Argument[1]", "Argument[this]", "taint", "df-generated"]
+      - ["ILLink.RoslynAnalyzer.TrimAnalysis", "TrimDataFlowAnalysis", True, "GetVisitor", "(Microsoft.CodeAnalysis.ISymbol,Microsoft.CodeAnalysis.FlowAnalysis.ControlFlowGraph,System.Collections.Immutable.ImmutableDictionary<Microsoft.CodeAnalysis.FlowAnalysis.CaptureId,ILLink.RoslynAnalyzer.DataFlow.FlowCaptureKind>,ILLink.RoslynAnalyzer.DataFlow.InterproceduralState<ILLink.Shared.DataFlow.ValueSet<ILLink.Shared.DataFlow.SingleValue>,ILLink.Shared.DataFlow.ValueSetLattice<ILLink.Shared.DataFlow.SingleValue>>)", "", "Argument[this].Property[ILLink.RoslynAnalyzer.TrimAnalysis.TrimDataFlowAnalysis.TrimAnalysisPatterns]", "ReturnValue.Field[ILLink.RoslynAnalyzer.TrimAnalysis.TrimAnalysisVisitor.TrimAnalysisPatterns]", "value", "dfc-generated"]
+      - ["ILLink.RoslynAnalyzer.TrimAnalysis", "TrimDataFlowAnalysis", True, "TraceStart", "(ILLink.RoslynAnalyzer.DataFlow.ControlFlowGraphProxy)", "", "Argument[0]", "Argument[this]", "taint", "df-generated"]
+  - addsTo:
+      pack: codeql/csharp-all
+      extensible: neutralModel
+    data:
+      - ["ILLink.RoslynAnalyzer.TrimAnalysis", "TrimAnalysisAssignmentPattern", "CollectDiagnostics", "(ILLink.RoslynAnalyzer.DataFlowAnalyzerContext)", "summary", "df-generated"]
+      - ["ILLink.RoslynAnalyzer.TrimAnalysis", "TrimAnalysisAssignmentPattern", "op_Equality", "(ILLink.RoslynAnalyzer.TrimAnalysis.TrimAnalysisAssignmentPattern,ILLink.RoslynAnalyzer.TrimAnalysis.TrimAnalysisAssignmentPattern)", "summary", "df-generated"]
+      - ["ILLink.RoslynAnalyzer.TrimAnalysis", "TrimAnalysisAssignmentPattern", "op_Inequality", "(ILLink.RoslynAnalyzer.TrimAnalysis.TrimAnalysisAssignmentPattern,ILLink.RoslynAnalyzer.TrimAnalysis.TrimAnalysisAssignmentPattern)", "summary", "df-generated"]
+      - ["ILLink.RoslynAnalyzer.TrimAnalysis", "TrimAnalysisFieldAccessPattern", "CollectDiagnostics", "(ILLink.RoslynAnalyzer.DataFlowAnalyzerContext)", "summary", "df-generated"]
+      - ["ILLink.RoslynAnalyzer.TrimAnalysis", "TrimAnalysisFieldAccessPattern", "op_Equality", "(ILLink.RoslynAnalyzer.TrimAnalysis.TrimAnalysisFieldAccessPattern,ILLink.RoslynAnalyzer.TrimAnalysis.TrimAnalysisFieldAccessPattern)", "summary", "df-generated"]
+      - ["ILLink.RoslynAnalyzer.TrimAnalysis", "TrimAnalysisFieldAccessPattern", "op_Inequality", "(ILLink.RoslynAnalyzer.TrimAnalysis.TrimAnalysisFieldAccessPattern,ILLink.RoslynAnalyzer.TrimAnalysis.TrimAnalysisFieldAccessPattern)", "summary", "df-generated"]
+      - ["ILLink.RoslynAnalyzer.TrimAnalysis", "TrimAnalysisMethodCallPattern", "CollectDiagnostics", "(ILLink.RoslynAnalyzer.DataFlowAnalyzerContext)", "summary", "df-generated"]
+      - ["ILLink.RoslynAnalyzer.TrimAnalysis", "TrimAnalysisMethodCallPattern", "op_Equality", "(ILLink.RoslynAnalyzer.TrimAnalysis.TrimAnalysisMethodCallPattern,ILLink.RoslynAnalyzer.TrimAnalysis.TrimAnalysisMethodCallPattern)", "summary", "df-generated"]
+      - ["ILLink.RoslynAnalyzer.TrimAnalysis", "TrimAnalysisMethodCallPattern", "op_Inequality", "(ILLink.RoslynAnalyzer.TrimAnalysis.TrimAnalysisMethodCallPattern,ILLink.RoslynAnalyzer.TrimAnalysis.TrimAnalysisMethodCallPattern)", "summary", "df-generated"]
+      - ["ILLink.RoslynAnalyzer.TrimAnalysis", "TrimAnalysisPatternStore", "Add", "(ILLink.RoslynAnalyzer.TrimAnalysis.TrimAnalysisAssignmentPattern,System.Boolean)", "summary", "df-generated"]
+      - ["ILLink.RoslynAnalyzer.TrimAnalysis", "TrimAnalysisPatternStore", "Add", "(ILLink.RoslynAnalyzer.TrimAnalysis.TrimAnalysisFieldAccessPattern)", "summary", "df-generated"]
+      - ["ILLink.RoslynAnalyzer.TrimAnalysis", "TrimAnalysisPatternStore", "Add", "(ILLink.RoslynAnalyzer.TrimAnalysis.TrimAnalysisMethodCallPattern)", "summary", "df-generated"]
+      - ["ILLink.RoslynAnalyzer.TrimAnalysis", "TrimAnalysisPatternStore", "Add", "(ILLink.RoslynAnalyzer.TrimAnalysis.TrimAnalysisReflectionAccessPattern)", "summary", "df-generated"]
+      - ["ILLink.RoslynAnalyzer.TrimAnalysis", "TrimAnalysisPatternStore", "CollectDiagnostics", "(ILLink.RoslynAnalyzer.DataFlowAnalyzerContext)", "summary", "df-generated"]
+      - ["ILLink.RoslynAnalyzer.TrimAnalysis", "TrimAnalysisReflectionAccessPattern", "CollectDiagnostics", "(ILLink.RoslynAnalyzer.DataFlowAnalyzerContext)", "summary", "df-generated"]
+      - ["ILLink.RoslynAnalyzer.TrimAnalysis", "TrimAnalysisReflectionAccessPattern", "op_Equality", "(ILLink.RoslynAnalyzer.TrimAnalysis.TrimAnalysisReflectionAccessPattern,ILLink.RoslynAnalyzer.TrimAnalysis.TrimAnalysisReflectionAccessPattern)", "summary", "df-generated"]
+      - ["ILLink.RoslynAnalyzer.TrimAnalysis", "TrimAnalysisReflectionAccessPattern", "op_Inequality", "(ILLink.RoslynAnalyzer.TrimAnalysis.TrimAnalysisReflectionAccessPattern,ILLink.RoslynAnalyzer.TrimAnalysis.TrimAnalysisReflectionAccessPattern)", "summary", "df-generated"]
+      - ["ILLink.RoslynAnalyzer.TrimAnalysis", "TrimAnalysisVisitor", "GetConditionValue", "(Microsoft.CodeAnalysis.IOperation,ILLink.RoslynAnalyzer.DataFlow.LocalDataFlowState<ILLink.Shared.DataFlow.ValueSet<ILLink.Shared.DataFlow.SingleValue>,ILLink.RoslynAnalyzer.DataFlow.FeatureContext,ILLink.Shared.DataFlow.ValueSetLattice<ILLink.Shared.DataFlow.SingleValue>,ILLink.RoslynAnalyzer.DataFlow.FeatureContextLattice>)", "summary", "df-generated"]
+      - ["ILLink.RoslynAnalyzer.TrimAnalysis", "TrimAnalysisVisitor", "GetParameterTargetValue", "(Microsoft.CodeAnalysis.IParameterSymbol)", "summary", "df-generated"]
+      - ["ILLink.RoslynAnalyzer.TrimAnalysis", "TrimAnalysisVisitor", "HandleArrayElementWrite", "(ILLink.Shared.DataFlow.ValueSet<ILLink.Shared.DataFlow.SingleValue>,ILLink.Shared.DataFlow.ValueSet<ILLink.Shared.DataFlow.SingleValue>,ILLink.Shared.DataFlow.ValueSet<ILLink.Shared.DataFlow.SingleValue>,Microsoft.CodeAnalysis.IOperation,System.Boolean)", "summary", "df-generated"]
+      - ["ILLink.RoslynAnalyzer.TrimAnalysis", "TrimAnalysisVisitor", "HandleAssignment", "(ILLink.Shared.DataFlow.ValueSet<ILLink.Shared.DataFlow.SingleValue>,ILLink.Shared.DataFlow.ValueSet<ILLink.Shared.DataFlow.SingleValue>,Microsoft.CodeAnalysis.IOperation,ILLink.RoslynAnalyzer.DataFlow.FeatureContext)", "summary", "df-generated"]
+      - ["ILLink.RoslynAnalyzer.TrimAnalysis", "TrimAnalysisVisitor", "HandleReturnValue", "(ILLink.Shared.DataFlow.ValueSet<ILLink.Shared.DataFlow.SingleValue>,Microsoft.CodeAnalysis.IOperation,ILLink.RoslynAnalyzer.DataFlow.FeatureContext)", "summary", "df-generated"]
+      - ["ILLink.RoslynAnalyzer.TrimAnalysis", "TrimAnalysisVisitor", "VisitParameterReference", "(Microsoft.CodeAnalysis.Operations.IParameterReferenceOperation,ILLink.RoslynAnalyzer.DataFlow.LocalDataFlowState<ILLink.Shared.DataFlow.ValueSet<ILLink.Shared.DataFlow.SingleValue>,ILLink.RoslynAnalyzer.DataFlow.FeatureContext,ILLink.Shared.DataFlow.ValueSetLattice<ILLink.Shared.DataFlow.SingleValue>,ILLink.RoslynAnalyzer.DataFlow.FeatureContextLattice>)", "summary", "df-generated"]
+      - ["ILLink.RoslynAnalyzer.TrimAnalysis", "TrimDataFlowAnalysis", "CollectDiagnostics", "()", "summary", "df-generated"]
+      - ["ILLink.RoslynAnalyzer.TrimAnalysis", "TrimDataFlowAnalysis", "TraceBlockInput", "(ILLink.RoslynAnalyzer.DataFlow.LocalStateAndContext<ILLink.Shared.DataFlow.ValueSet<ILLink.Shared.DataFlow.SingleValue>,ILLink.RoslynAnalyzer.DataFlow.FeatureContext>,System.Nullable<ILLink.RoslynAnalyzer.DataFlow.LocalStateAndContext<ILLink.Shared.DataFlow.ValueSet<ILLink.Shared.DataFlow.SingleValue>,ILLink.RoslynAnalyzer.DataFlow.FeatureContext>>,System.Nullable<ILLink.RoslynAnalyzer.DataFlow.LocalStateAndContext<ILLink.Shared.DataFlow.ValueSet<ILLink.Shared.DataFlow.SingleValue>,ILLink.RoslynAnalyzer.DataFlow.FeatureContext>>)", "summary", "df-generated"]
+      - ["ILLink.RoslynAnalyzer.TrimAnalysis", "TrimDataFlowAnalysis", "TraceBlockOutput", "(ILLink.RoslynAnalyzer.DataFlow.LocalStateAndContext<ILLink.Shared.DataFlow.ValueSet<ILLink.Shared.DataFlow.SingleValue>,ILLink.RoslynAnalyzer.DataFlow.FeatureContext>,System.Nullable<ILLink.RoslynAnalyzer.DataFlow.LocalStateAndContext<ILLink.Shared.DataFlow.ValueSet<ILLink.Shared.DataFlow.SingleValue>,ILLink.RoslynAnalyzer.DataFlow.FeatureContext>>,System.Nullable<ILLink.RoslynAnalyzer.DataFlow.LocalStateAndContext<ILLink.Shared.DataFlow.ValueSet<ILLink.Shared.DataFlow.SingleValue>,ILLink.RoslynAnalyzer.DataFlow.FeatureContext>>)", "summary", "df-generated"]
+      - ["ILLink.RoslynAnalyzer.TrimAnalysis", "TrimDataFlowAnalysis", "TraceVisitBlock", "(ILLink.RoslynAnalyzer.DataFlow.BlockProxy)", "summary", "df-generated"]
+      - ["ILLink.RoslynAnalyzer.TrimAnalysis", "TrimDataFlowAnalysis", "get_TrimAnalysisPatterns", "()", "summary", "df-generated"]

csharp/ql/lib/ext/generated/ILLink.RoslynAnalyzer.model.yml

@@ -7,6 +7,8 @@ extensions:
       - ["ILLink.RoslynAnalyzer", "CompilationExtensions", False, "GetUnqualifiedName", "(Microsoft.CodeAnalysis.CSharp.Syntax.NameSyntax)", "", "Argument[0].Property[Microsoft.CodeAnalysis.CSharp.Syntax.AliasQualifiedNameSyntax.Name]", "ReturnValue", "value", "dfc-generated"]
       - ["ILLink.RoslynAnalyzer", "CompilationExtensions", False, "GetUnqualifiedName", "(Microsoft.CodeAnalysis.CSharp.Syntax.NameSyntax)", "", "Argument[0].Property[Microsoft.CodeAnalysis.CSharp.Syntax.QualifiedNameSyntax.Right]", "ReturnValue", "value", "dfc-generated"]
       - ["ILLink.RoslynAnalyzer", "CompilationExtensions", False, "GetUnqualifiedName", "(Microsoft.CodeAnalysis.CSharp.Syntax.NameSyntax)", "", "Argument[0]", "ReturnValue", "value", "dfc-generated"]
+      - ["ILLink.RoslynAnalyzer", "DataFlowAnalyzerContext", False, "Create", "(Microsoft.CodeAnalysis.Diagnostics.AnalyzerOptions,Microsoft.CodeAnalysis.Compilation,System.Collections.Immutable.ImmutableArray<ILLink.RoslynAnalyzer.RequiresAnalyzerBase>)", "", "Argument[1]", "ReturnValue.Property[ILLink.RoslynAnalyzer.DataFlowAnalyzerContext.Compilation]", "value", "dfc-generated"]
+      - ["ILLink.RoslynAnalyzer", "DataFlowAnalyzerContext", False, "get_EnabledRequiresAnalyzers", "()", "", "Argument[this]", "ReturnValue", "taint", "df-generated"]
       - ["ILLink.RoslynAnalyzer", "IPropertySymbolExtensions", False, "GetGetMethod", "(Microsoft.CodeAnalysis.IPropertySymbol)", "", "Argument[0].Property[Microsoft.CodeAnalysis.IPropertySymbol.GetMethod]", "ReturnValue", "value", "dfc-generated"]
       - ["ILLink.RoslynAnalyzer", "IPropertySymbolExtensions", False, "GetGetMethod", "(Microsoft.CodeAnalysis.IPropertySymbol)", "", "Argument[0].Property[Microsoft.CodeAnalysis.IPropertySymbol.OverriddenProperty].Property[Microsoft.CodeAnalysis.IPropertySymbol.GetMethod]", "ReturnValue", "value", "dfc-generated"]
       - ["ILLink.RoslynAnalyzer", "IPropertySymbolExtensions", False, "GetSetMethod", "(Microsoft.CodeAnalysis.IPropertySymbol)", "", "Argument[0].Property[Microsoft.CodeAnalysis.IPropertySymbol.OverriddenProperty].Property[Microsoft.CodeAnalysis.IPropertySymbol.SetMethod]", "ReturnValue", "value", "dfc-generated"]
@@ -23,9 +25,11 @@ extensions:
       - ["ILLink.RoslynAnalyzer", "COMAnalyzer", "Initialize", "(Microsoft.CodeAnalysis.Diagnostics.AnalysisContext)", "summary", "df-generated"]
       - ["ILLink.RoslynAnalyzer", "COMAnalyzer", "get_SupportedDiagnostics", "()", "summary", "df-generated"]
       - ["ILLink.RoslynAnalyzer", "CompilationExtensions", "GetBestTypeByMetadataName", "(Microsoft.CodeAnalysis.Compilation,System.String)", "summary", "df-generated"]
-      - ["ILLink.RoslynAnalyzer", "CompilationExtensions", "TaskOfTType", "(Microsoft.CodeAnalysis.Compilation)", "summary", "df-generated"]
-      - ["ILLink.RoslynAnalyzer", "CompilationExtensions", "TaskType", "(Microsoft.CodeAnalysis.Compilation)", "summary", "df-generated"]
       - ["ILLink.RoslynAnalyzer", "CompilationExtensions", "ToImmutableArray<T>", "(System.ReadOnlySpan<T>)", "summary", "df-generated"]
+      - ["ILLink.RoslynAnalyzer", "DataFlowAnalyzerContext", "GetSpecialIncompatibleMembers", "(ILLink.RoslynAnalyzer.RequiresAnalyzerBase)", "summary", "df-generated"]
+      - ["ILLink.RoslynAnalyzer", "DataFlowAnalyzerContext", "get_AnyAnalyzersEnabled", "()", "summary", "df-generated"]
+      - ["ILLink.RoslynAnalyzer", "DataFlowAnalyzerContext", "get_Compilation", "()", "summary", "df-generated"]
+      - ["ILLink.RoslynAnalyzer", "DataFlowAnalyzerContext", "get_EnableTrimAnalyzer", "()", "summary", "df-generated"]
       - ["ILLink.RoslynAnalyzer", "DiagnosticDescriptors", "GetDiagnosticDescriptor", "(ILLink.Shared.DiagnosticId)", "summary", "df-generated"]
       - ["ILLink.RoslynAnalyzer", "DiagnosticDescriptors", "GetDiagnosticDescriptor", "(ILLink.Shared.DiagnosticId,ILLink.Shared.DiagnosticString)", "summary", "df-generated"]
       - ["ILLink.RoslynAnalyzer", "DiagnosticDescriptors", "GetDiagnosticDescriptor", "(ILLink.Shared.DiagnosticId,Microsoft.CodeAnalysis.LocalizableResourceString,Microsoft.CodeAnalysis.LocalizableResourceString,System.String,Microsoft.CodeAnalysis.DiagnosticSeverity,System.Boolean,System.String)", "summary", "df-generated"]
@@ -34,18 +38,17 @@ extensions:
       - ["ILLink.RoslynAnalyzer", "DynamicallyAccessedMembersAnalyzer", "get_RequiresAnalyzers", "()", "summary", "df-generated"]
       - ["ILLink.RoslynAnalyzer", "DynamicallyAccessedMembersAnalyzer", "get_SupportedDiagnostics", "()", "summary", "df-generated"]
       - ["ILLink.RoslynAnalyzer", "ISymbolExtensions", "IsConstructor", "(Microsoft.CodeAnalysis.ISymbol)", "summary", "df-generated"]
-      - ["ILLink.RoslynAnalyzer", "ISymbolExtensions", "IsEntryPoint", "(Microsoft.CodeAnalysis.IMethodSymbol,Microsoft.CodeAnalysis.Compilation)", "summary", "df-generated"]
       - ["ILLink.RoslynAnalyzer", "ISymbolExtensions", "IsInterface", "(Microsoft.CodeAnalysis.ISymbol)", "summary", "df-generated"]
       - ["ILLink.RoslynAnalyzer", "ISymbolExtensions", "IsStaticConstructor", "(Microsoft.CodeAnalysis.ISymbol)", "summary", "df-generated"]
       - ["ILLink.RoslynAnalyzer", "ISymbolExtensions", "IsSubclassOf", "(Microsoft.CodeAnalysis.ISymbol,System.String,System.String)", "summary", "df-generated"]
-      - ["ILLink.RoslynAnalyzer", "ISymbolExtensions", "IsUnmanagedCallersOnlyEntryPoint", "(Microsoft.CodeAnalysis.IMethodSymbol)", "summary", "df-generated"]
       - ["ILLink.RoslynAnalyzer", "ISymbolExtensions", "get_ILLinkMemberDisplayFormat", "()", "summary", "df-generated"]
       - ["ILLink.RoslynAnalyzer", "ISymbolExtensions", "get_ILLinkTypeDisplayFormat", "()", "summary", "df-generated"]
-      - ["ILLink.RoslynAnalyzer", "RequiresAnalyzerBase", "CreateSpecialIncompatibleMembersDiagnostic", "(System.Collections.Immutable.ImmutableArray<Microsoft.CodeAnalysis.ISymbol>,Microsoft.CodeAnalysis.ISymbol,ILLink.Shared.TrimAnalysis.DiagnosticContext)", "summary", "df-generated"]
+      - ["ILLink.RoslynAnalyzer", "RequiresAnalyzerBase", "CheckAndCreateRequiresDiagnostic", "(Microsoft.CodeAnalysis.IOperation,Microsoft.CodeAnalysis.ISymbol,Microsoft.CodeAnalysis.ISymbol,System.Collections.Immutable.ImmutableArray<Microsoft.CodeAnalysis.ISymbol>,Microsoft.CodeAnalysis.Diagnostic)", "summary", "df-generated"]
+      - ["ILLink.RoslynAnalyzer", "RequiresAnalyzerBase", "CreateSpecialIncompatibleMembersDiagnostic", "(Microsoft.CodeAnalysis.IOperation,System.Collections.Immutable.ImmutableArray<Microsoft.CodeAnalysis.ISymbol>,Microsoft.CodeAnalysis.ISymbol,Microsoft.CodeAnalysis.Diagnostic)", "summary", "df-generated"]
       - ["ILLink.RoslynAnalyzer", "RequiresAnalyzerBase", "GetUrlFromAttribute", "(Microsoft.CodeAnalysis.AttributeData)", "summary", "df-generated"]
       - ["ILLink.RoslynAnalyzer", "RequiresAnalyzerBase", "Initialize", "(Microsoft.CodeAnalysis.Diagnostics.AnalysisContext)", "summary", "df-generated"]
       - ["ILLink.RoslynAnalyzer", "RequiresAnalyzerBase", "VerifyAttributeArguments", "(Microsoft.CodeAnalysis.AttributeData)", "summary", "df-generated"]
-      - ["ILLink.RoslynAnalyzer", "RequiresAssemblyFilesAnalyzer", "CreateSpecialIncompatibleMembersDiagnostic", "(System.Collections.Immutable.ImmutableArray<Microsoft.CodeAnalysis.ISymbol>,Microsoft.CodeAnalysis.ISymbol,ILLink.Shared.TrimAnalysis.DiagnosticContext)", "summary", "df-generated"]
+      - ["ILLink.RoslynAnalyzer", "RequiresAssemblyFilesAnalyzer", "CreateSpecialIncompatibleMembersDiagnostic", "(Microsoft.CodeAnalysis.IOperation,System.Collections.Immutable.ImmutableArray<Microsoft.CodeAnalysis.ISymbol>,Microsoft.CodeAnalysis.ISymbol,Microsoft.CodeAnalysis.Diagnostic)", "summary", "df-generated"]
       - ["ILLink.RoslynAnalyzer", "RequiresAssemblyFilesAnalyzer", "VerifyAttributeArguments", "(Microsoft.CodeAnalysis.AttributeData)", "summary", "df-generated"]
       - ["ILLink.RoslynAnalyzer", "RequiresAssemblyFilesAnalyzer", "get_SupportedDiagnostics", "()", "summary", "df-generated"]
       - ["ILLink.RoslynAnalyzer", "RequiresDynamicCodeAnalyzer", "VerifyAttributeArguments", "(Microsoft.CodeAnalysis.AttributeData)", "summary", "df-generated"]
@@ -53,7 +56,7 @@ extensions:
       - ["ILLink.RoslynAnalyzer", "RequiresISymbolExtensions", "DoesMemberRequire", "(Microsoft.CodeAnalysis.ISymbol,System.String,Microsoft.CodeAnalysis.AttributeData)", "summary", "df-generated"]
       - ["ILLink.RoslynAnalyzer", "RequiresISymbolExtensions", "IsInRequiresScope", "(Microsoft.CodeAnalysis.ISymbol,System.String)", "summary", "df-generated"]
       - ["ILLink.RoslynAnalyzer", "RequiresISymbolExtensions", "IsInRequiresScope", "(Microsoft.CodeAnalysis.ISymbol,System.String,Microsoft.CodeAnalysis.AttributeData)", "summary", "df-generated"]
-      - ["ILLink.RoslynAnalyzer", "RequiresUnreferencedCodeAnalyzer", "CreateSpecialIncompatibleMembersDiagnostic", "(System.Collections.Immutable.ImmutableArray<Microsoft.CodeAnalysis.ISymbol>,Microsoft.CodeAnalysis.ISymbol,ILLink.Shared.TrimAnalysis.DiagnosticContext)", "summary", "df-generated"]
+      - ["ILLink.RoslynAnalyzer", "RequiresUnreferencedCodeAnalyzer", "CreateSpecialIncompatibleMembersDiagnostic", "(Microsoft.CodeAnalysis.IOperation,System.Collections.Immutable.ImmutableArray<Microsoft.CodeAnalysis.ISymbol>,Microsoft.CodeAnalysis.ISymbol,Microsoft.CodeAnalysis.Diagnostic)", "summary", "df-generated"]
       - ["ILLink.RoslynAnalyzer", "RequiresUnreferencedCodeAnalyzer", "VerifyAttributeArguments", "(Microsoft.CodeAnalysis.AttributeData)", "summary", "df-generated"]
       - ["ILLink.RoslynAnalyzer", "RequiresUnreferencedCodeAnalyzer", "get_SupportedDiagnostics", "()", "summary", "df-generated"]
       - ["ILLink.RoslynAnalyzer", "RequiresUnreferencedCodeUtils", "DoesMemberRequireUnreferencedCodeAttribute", "(Microsoft.CodeAnalysis.ISymbol,Microsoft.CodeAnalysis.AttributeData)", "summary", "df-generated"]

csharp/ql/lib/ext/generated/ILLink.Shared.DataFlow.model.yml

@@ -13,9 +13,8 @@ extensions:
       - ["ILLink.Shared.DataFlow", "DictionaryLattice<TKey,TValue,TValueLattice>", False, "DictionaryLattice", "(TValueLattice)", "", "Argument[0]", "Argument[this].Field[ILLink.Shared.DataFlow.DictionaryLattice`3.ValueLattice]", "value", "dfc-generated"]
       - ["ILLink.Shared.DataFlow", "DictionaryLattice<TKey,TValue,TValueLattice>", False, "Meet", "(ILLink.Shared.DataFlow.DefaultValueDictionary<TKey,TValue>,ILLink.Shared.DataFlow.DefaultValueDictionary<TKey,TValue>)", "", "Argument[0].Element", "ReturnValue", "taint", "df-generated"]
       - ["ILLink.Shared.DataFlow", "ForwardDataFlowAnalysis<TValue,TState,TLattice,TBlock,TRegion,TControlFlowGraph,TTransfer,TConditionValue>", False, "ForwardDataFlowAnalysis", "(TLattice,TValue)", "", "Argument[0]", "Argument[this].Field[ILLink.Shared.DataFlow.ForwardDataFlowAnalysis`8.lattice]", "value", "dfc-generated"]
-      - ["ILLink.Shared.DataFlow", "IControlFlowGraph<TBlock,TRegion>+ControlFlowBranch", False, "ControlFlowBranch", "(TBlock,System.Nullable<TBlock>,System.Collections.Immutable.ImmutableArray<TRegion>,ILLink.Shared.DataFlow.ConditionKind)", "", "Argument[0]", "Argument[this].Field[ILLink.Shared.DataFlow.IControlFlowGraph`2+ControlFlowBranch.Source]", "value", "dfc-generated"]
-      - ["ILLink.Shared.DataFlow", "IControlFlowGraph<TBlock,TRegion>+ControlFlowBranch", False, "ControlFlowBranch", "(TBlock,System.Nullable<TBlock>,System.Collections.Immutable.ImmutableArray<TRegion>,ILLink.Shared.DataFlow.ConditionKind)", "", "Argument[1]", "Argument[this].Field[ILLink.Shared.DataFlow.IControlFlowGraph`2+ControlFlowBranch.Destination]", "value", "dfc-generated"]
-      - ["ILLink.Shared.DataFlow", "IControlFlowGraph<TBlock,TRegion>+ControlFlowBranch", False, "ControlFlowBranch", "(TBlock,System.Nullable<TBlock>,System.Collections.Immutable.ImmutableArray<TRegion>,ILLink.Shared.DataFlow.ConditionKind)", "", "Argument[2]", "Argument[this].Field[ILLink.Shared.DataFlow.IControlFlowGraph`2+ControlFlowBranch.FinallyRegions]", "value", "dfc-generated"]
+      - ["ILLink.Shared.DataFlow", "IControlFlowGraph<TBlock,TRegion>+ControlFlowBranch", False, "ControlFlowBranch", "(TBlock,System.Nullable<TBlock>,System.Collections.Immutable.ImmutableArray<TRegion>,System.Boolean)", "", "Argument[0]", "Argument[this].Field[ILLink.Shared.DataFlow.IControlFlowGraph`2+ControlFlowBranch.Source]", "value", "dfc-generated"]
+      - ["ILLink.Shared.DataFlow", "IControlFlowGraph<TBlock,TRegion>+ControlFlowBranch", False, "ControlFlowBranch", "(TBlock,System.Nullable<TBlock>,System.Collections.Immutable.ImmutableArray<TRegion>,System.Boolean)", "", "Argument[2]", "Argument[this].Field[ILLink.Shared.DataFlow.IControlFlowGraph`2+ControlFlowBranch.FinallyRegions]", "value", "dfc-generated"]
       - ["ILLink.Shared.DataFlow", "Maybe<T>", False, "Maybe", "(T)", "", "Argument[0]", "Argument[this].Field[ILLink.Shared.DataFlow.Maybe`1.MaybeValue]", "value", "dfc-generated"]
       - ["ILLink.Shared.DataFlow", "MaybeLattice<T,TValueLattice>", False, "MaybeLattice", "(TValueLattice)", "", "Argument[0]", "Argument[this].Field[ILLink.Shared.DataFlow.MaybeLattice`2.ValueLattice]", "value", "dfc-generated"]
       - ["ILLink.Shared.DataFlow", "SingleValue", True, "DeepCopy", "()", "", "Argument[this]", "ReturnValue", "value", "dfc-generated"]
@@ -45,17 +44,18 @@ extensions:
       - ["ILLink.Shared.DataFlow", "ForwardDataFlowAnalysis<TValue,TState,TLattice,TBlock,TRegion,TControlFlowGraph,TTransfer,TConditionValue>", "Fixpoint", "(TControlFlowGraph,TTransfer)", "summary", "df-generated"]
       - ["ILLink.Shared.DataFlow", "ForwardDataFlowAnalysis<TValue,TState,TLattice,TBlock,TRegion,TControlFlowGraph,TTransfer,TConditionValue>", "TraceBlockInput", "(TValue,System.Nullable<TValue>,System.Nullable<TValue>)", "summary", "df-generated"]
       - ["ILLink.Shared.DataFlow", "ForwardDataFlowAnalysis<TValue,TState,TLattice,TBlock,TRegion,TControlFlowGraph,TTransfer,TConditionValue>", "TraceBlockOutput", "(TValue,System.Nullable<TValue>,System.Nullable<TValue>)", "summary", "df-generated"]
-      - ["ILLink.Shared.DataFlow", "ForwardDataFlowAnalysis<TValue,TState,TLattice,TBlock,TRegion,TControlFlowGraph,TTransfer,TConditionValue>", "TraceEdgeInput", "(ILLink.Shared.DataFlow.IControlFlowGraph<TBlock,TRegion>+ControlFlowBranch,TValue)", "summary", "df-generated"]
       - ["ILLink.Shared.DataFlow", "ForwardDataFlowAnalysis<TValue,TState,TLattice,TBlock,TRegion,TControlFlowGraph,TTransfer,TConditionValue>", "TraceStart", "(TControlFlowGraph)", "summary", "df-generated"]
       - ["ILLink.Shared.DataFlow", "ForwardDataFlowAnalysis<TValue,TState,TLattice,TBlock,TRegion,TControlFlowGraph,TTransfer,TConditionValue>", "TraceVisitBlock", "(TBlock)", "summary", "df-generated"]
+      - ["ILLink.Shared.DataFlow", "IBlock<TBlock>", "get_ConditionKind", "()", "summary", "df-generated"]
       - ["ILLink.Shared.DataFlow", "IControlFlowGraph<TBlock,TRegion>+ControlFlowBranch", "Equals", "(ILLink.Shared.DataFlow.IControlFlowGraph<TBlock,TRegion>+ControlFlowBranch)", "summary", "df-generated"]
       - ["ILLink.Shared.DataFlow", "IControlFlowGraph<TBlock,TRegion>+ControlFlowBranch", "Equals", "(System.Object)", "summary", "df-generated"]
       - ["ILLink.Shared.DataFlow", "IControlFlowGraph<TBlock,TRegion>+ControlFlowBranch", "GetHashCode", "()", "summary", "df-generated"]
       - ["ILLink.Shared.DataFlow", "IControlFlowGraph<TBlock,TRegion>", "FirstBlock", "(TRegion)", "summary", "df-generated"]
+      - ["ILLink.Shared.DataFlow", "IControlFlowGraph<TBlock,TRegion>", "GetConditionalSuccessor", "(TBlock)", "summary", "df-generated"]
       - ["ILLink.Shared.DataFlow", "IControlFlowGraph<TBlock,TRegion>", "GetCorrespondingTry", "(TRegion)", "summary", "df-generated"]
+      - ["ILLink.Shared.DataFlow", "IControlFlowGraph<TBlock,TRegion>", "GetFallThroughSuccessor", "(TBlock)", "summary", "df-generated"]
       - ["ILLink.Shared.DataFlow", "IControlFlowGraph<TBlock,TRegion>", "GetPredecessors", "(TBlock)", "summary", "df-generated"]
       - ["ILLink.Shared.DataFlow", "IControlFlowGraph<TBlock,TRegion>", "GetPreviousFilters", "(TRegion)", "summary", "df-generated"]
-      - ["ILLink.Shared.DataFlow", "IControlFlowGraph<TBlock,TRegion>", "GetSuccessors", "(TBlock)", "summary", "df-generated"]
       - ["ILLink.Shared.DataFlow", "IControlFlowGraph<TBlock,TRegion>", "HasFilter", "(TRegion)", "summary", "df-generated"]
       - ["ILLink.Shared.DataFlow", "IControlFlowGraph<TBlock,TRegion>", "LastBlock", "(TRegion)", "summary", "df-generated"]
       - ["ILLink.Shared.DataFlow", "IControlFlowGraph<TBlock,TRegion>", "TryGetEnclosingFinally", "(TBlock,TRegion)", "summary", "df-generated"]