C#: Add some lambda flow tests for demo

csharp/ql/lib/semmle/code/csharp/dataflow/internal/DataFlowDispatch.qll

@@ -76,7 +76,8 @@ private module Cached {
     } or
     TSummaryCall(FlowSummary::SummarizedCallable c, FlowSummaryImpl::Private::SummaryNode receiver) {
       FlowSummaryImpl::Private::summaryCallbackRange(c, receiver)
-    }
+    } or
+    TLambdaSynthCall(Node creation) { lambdaCreation(creation, _, _) }
 
   /** Gets a viable run-time target for the call `call`. */
   cached
@@ -497,6 +498,24 @@ class SummaryCall extends DelegateDataFlowCall, TSummaryCall {
   override Location getLocation() { result = c.getLocation() }
 }
 
+class LambdaSynthCall extends DataFlowCall, TLambdaSynthCall {
+  private NodeImpl creation;
+
+  LambdaSynthCall() { this = TLambdaSynthCall(creation) }
+
+  override DataFlowCallable getARuntimeTarget() { none() }
+
+  override ControlFlow::Nodes::ElementNode getControlFlowNode() { none() }
+
+  override DataFlow::Node getNode() { none() }
+
+  override DataFlowCallable getEnclosingCallable() { result = creation.getEnclosingCallableImpl() }
+
+  override string toString() { result = "[lambda] call to " + creation }
+
+  override Location getLocation() { result = creation.getLocation() }
+}
+
 /** A parameter position. */
 class ParameterPosition extends TParameterPosition {
   /** Gets the underlying integer position, if any. */

csharp/ql/lib/semmle/code/csharp/dataflow/internal/DataFlowPrivate.qll

@@ -126,13 +126,12 @@ private class ExprNodeImpl extends ExprNode, NodeImpl {
  * Needed for flow through captured variables, where we treat local functions
  * as if they were lambdas.
  */
-abstract private class LocalFunctionCreationNode extends NodeImpl, TLocalFunctionCreationNode {
+private class LocalFunctionCreationNode extends NodeImpl, TLocalFunctionCreationNode {
   ControlFlow::Nodes::ElementNode cfn;
   LocalFunction function;
-  boolean isPostUpdate;
 
   LocalFunctionCreationNode() {
-    this = TLocalFunctionCreationNode(cfn, isPostUpdate) and
+    this = TLocalFunctionCreationNode(cfn) and
     function = cfn.getAstNode().(LocalFunctionStmt).getLocalFunction()
   }
 
@@ -156,10 +155,6 @@ abstract private class LocalFunctionCreationNode extends NodeImpl, TLocalFunctio
   ControlFlow::Nodes::ElementNode getUnderlyingControlFlowNode() { result = cfn }
 
   override Location getLocationImpl() { result = cfn.getLocation() }
-}
-
-private class LocalFunctionCreationPreNode extends LocalFunctionCreationNode {
-  LocalFunctionCreationPreNode() { isPostUpdate = false }
 
   override string toStringImpl() { result = cfn.toString() }
 }
@@ -419,17 +414,14 @@ module VariableCapture {
     result.(Flow::ExprNode).getExpr() =
       [
         n.(ExprNode).getControlFlowNode(),
-        n.(LocalFunctionCreationPreNode).getUnderlyingControlFlowNode()
+        n.(LocalFunctionCreationNode).getUnderlyingControlFlowNode()
       ]
     or
     result.(Flow::VariableWriteSourceNode).getVariableWrite().getRhs() =
       n.(ExprNode).getControlFlowNode()
     or
     result.(Flow::ExprPostUpdateNode).getExpr() =
-      [
+      [n.(PostUpdateNode).getPreUpdateNode().(ExprNode).getControlFlowNode(),]
-        n.(PostUpdateNode).getPreUpdateNode().(ExprNode).getControlFlowNode(),
-        n.(LocalFunctionCreationPostUpdateNode).getUnderlyingControlFlowNode()
-      ]
     or
     result.(Flow::ParameterNode).getParameter().getParameterNode() = n
     or
@@ -767,6 +759,8 @@ predicate simpleLocalFlowStep(Node nodeFrom, Node nodeTo, string model) {
     VariableCapture::valueStep(nodeFrom, nodeTo)
     or
     nodeTo = nodeFrom.(LocalFunctionCreationNode).getAnAccess(true)
+    or
+    delegateCreationStep(nodeFrom, nodeTo)
   ) and
   model = ""
   or
@@ -1073,7 +1067,7 @@ private module Cached {
       l = c.getARelevantLocation()
     } or
     TDelegateSelfReferenceNode(Callable c) { lambdaCreationExpr(_, c) } or
-    TLocalFunctionCreationNode(ControlFlow::Nodes::ElementNode cfn, Boolean isPostUpdate) {
+    TLocalFunctionCreationNode(ControlFlow::Nodes::ElementNode cfn) {
       cfn.getAstNode() instanceof LocalFunctionStmt
     } or
     TYieldReturnNode(ControlFlow::Nodes::ElementNode cfn) {
@@ -1150,13 +1144,22 @@ private module Cached {
     TCapturedVariableContent(VariableCapture::CapturedVariable v) or
     TDelegateCallArgumentContent(int i) {
       i = [0 .. max(any(DelegateLikeCall dc).getNumberOfArguments()) - 1]
+      or
+      i in [0 .. 1000] // todo
+      or
+      // exists(ArgumentPosition apos |
+      //   FlowSummaryImpl::Private::summaryArgumentNode(_, _, apos) and
+      //   i = apos.getPosition()
+      // )
+      i = -1
     } or
     TDelegateCallReturnContent()
 
   cached
   newtype TContentSet =
     TSingletonContent(Content c) { not c instanceof PropertyContent } or
-    TPropertyContentSet(Property p) { p.isUnboundDeclaration() }
+    TPropertyContentSet(Property p) { p.isUnboundDeclaration() } or
+    TVariableCaptureContentSet()
 
   cached
   newtype TContentApprox =
@@ -2600,7 +2603,7 @@ DataFlowType getNodeType(Node n) {
   or
   [
     n.asExpr().(ControlFlowElement),
-    n.(LocalFunctionCreationPreNode).getUnderlyingControlFlowNode().getAstNode()
+    n.(LocalFunctionCreationNode).getUnderlyingControlFlowNode().getAstNode()
   ] = result.getADelegateCreation()
 }
 
@@ -2835,16 +2838,6 @@ module PostUpdateNodes {
     override string toStringImpl() { result = "[post] this" }
   }
 
-  class LocalFunctionCreationPostUpdateNode extends LocalFunctionCreationNode, PostUpdateNode {
-    LocalFunctionCreationPostUpdateNode() { isPostUpdate = true }
-
-    override LocalFunctionCreationPreNode getPreUpdateNode() {
-      result = TLocalFunctionCreationNode(cfn, false)
-    }
-
-    override string toStringImpl() { result = "[post] " + cfn }
-  }
-
   private class CapturePostUpdateNode extends PostUpdateNode, CaptureNode {
     private CaptureNode pre;
 
@@ -2908,7 +2901,11 @@ int accessPathLimit() { result = 5 }
  * Holds if access paths with `c` at their head always should be tracked at high
  * precision. This disables adaptive access path precision for such access paths.
  */
-predicate forceHighPrecision(Content c) { c instanceof ElementContent }
+predicate forceHighPrecision(Content c) {
+  c instanceof ElementContent or
+  c instanceof DelegateCallArgumentContent or
+  c instanceof DelegateCallReturnContent
+}
 
 private predicate lambdaCreationExpr(ControlFlowElement creation, Callable c) {
   c =
@@ -2924,10 +2921,42 @@ class LambdaCallKind = Unit;
 
 /** Holds if `creation` is an expression that creates a delegate for `c`. */
 predicate lambdaCreation(Node creation, LambdaCallKind kind, DataFlowCallable c) {
-  lambdaCreationExpr(creation.asExpr(), c.asCallable(_)) and
+  (
+    lambdaCreationExpr(creation.asExpr(), c.asCallable(_))
+    or
+    creation.(LocalFunctionCreationNode).getFunction() = c.asCallable(_)
+  ) and
   exists(kind)
 }
 
+/** Holds if `creation` is an expression that creates a delegate for `c`. */
+predicate lambdaCreation(
+  Node creation, LambdaCallKind kind, DataFlowCallable c, DataFlowCall synthCall
+) {
+  lambdaCreation(creation, kind, c) and
+  synthCall = TLambdaSynthCall(creation)
+}
+
+Content getLambdaReturnContent(LambdaCallKind kind, ReturnKind rk) {
+  result = TDelegateCallReturnContent() and
+  exists(kind) and
+  rk = TNormalReturnKind()
+}
+
+Content getLambdaArgumentContent(LambdaCallKind kind, ArgumentPosition pos) {
+  (
+    result = TDelegateCallArgumentContent(pos.getPosition())
+    or
+    result = TDelegateCallArgumentContent(-1) and
+    pos.isDelegateSelf()
+  ) and
+  exists(kind)
+}
+
+predicate isLambdaInstanceParameter(ParameterNode p) { p instanceof DelegateSelfReferenceNode }
+
+predicate isVariableCaptureContentSet(ContentSet c) { c.isCapturedVariable() }
+
 private predicate isLocalFunctionCallReceiver(
   LocalFunctionCall call, LocalFunctionAccess receiver, LocalFunction f
 ) {
@@ -2973,9 +3002,7 @@ private predicate lambdaCallExpr(DataFlowCall call, ControlFlow::Node receiver)
 /** Holds if `call` is a lambda call where `receiver` is the lambda expression. */
 predicate lambdaCall(DataFlowCall call, LambdaCallKind kind, Node receiver) {
   (
-    lambdaCallExpr(call, receiver.(ExprNode).getControlFlowNode()) and
+    lambdaCallExpr(call, receiver.(ExprNode).getControlFlowNode()) //and
-    // local function calls can be resolved directly without a flow analysis
-    not call.getControlFlowNode().getAstNode() instanceof LocalFunctionCall
     or
     receiver.(FlowSummaryNode).getSummaryNode() = call.(SummaryCall).getReceiver()
   ) and
@@ -3052,6 +3079,8 @@ predicate allowParameterReturnInSelf(ParameterNode p) {
   or
   VariableCapture::Flow::heuristicAllowInstanceParameterReturnInSelf(p.(DelegateSelfReferenceNode)
         .getCallable())
+  or
+  p.getType() instanceof SystemLinqExpressions::DelegateExtType
 }
 
 /** An approximated `Content`. */

csharp/ql/lib/semmle/code/csharp/dataflow/internal/DataFlowPublic.qll

@@ -3,7 +3,6 @@ private import DataFlowDispatch
 private import DataFlowPrivate
 private import semmle.code.csharp.controlflow.Guards
 private import semmle.code.csharp.Unification
-private import semmle.code.csharp.frameworks.system.linq.Expressions
 
 /**
  * An element, viewed as a node in a data flow graph. Either an expression
@@ -324,6 +323,8 @@ class ContentSet extends TContentSet {
    */
   predicate isProperty(Property p) { this = TPropertyContentSet(p) }
 
+  predicate isCapturedVariable() { this = TVariableCaptureContentSet() }
+
   /**
    * Holds if this content set represents the `i`th argument of a delegate call.
    */
@@ -362,6 +363,9 @@ class ContentSet extends TContentSet {
       or
       overridesOrImplementsSourceDecl(p1, p2)
     )
+    or
+    this.isCapturedVariable() and
+    result instanceof CapturedVariableContent
   }
 
   /** Gets a textual representation of this content set. */

csharp/ql/lib/semmle/code/csharp/dataflow/internal/FlowSummaryImpl.qll

@@ -4,7 +4,6 @@
 
 private import csharp
 private import semmle.code.csharp.commons.QualifiedName
-private import semmle.code.csharp.frameworks.system.linq.Expressions
 private import codeql.dataflow.internal.FlowSummaryImpl
 private import codeql.dataflow.internal.AccessPathSyntax as AccessPath
 private import DataFlowImplSpecific as DataFlowImplSpecific

csharp/ql/test/library-tests/arguments/lambdaArgument.expected

@@ -1,11 +0,0 @@
-| lambdas.cs:8:9:8:13 | delegate call | lambdas.cs:7:23:7:23 | x | lambdas.cs:8:12:8:12 | 1 |
-| lambdas.cs:11:9:11:16 | delegate call | lambdas.cs:10:23:10:23 | x | lambdas.cs:11:12:11:12 | 2 |
-| lambdas.cs:11:9:11:16 | delegate call | lambdas.cs:10:30:10:30 | y | lambdas.cs:11:15:11:15 | 3 |
-| lambdas.cs:12:9:12:13 | delegate call | lambdas.cs:10:23:10:23 | x | lambdas.cs:12:12:12:12 | 4 |
-| lambdas.cs:13:9:13:16 | delegate call | lambdas.cs:10:23:10:23 | x | lambdas.cs:13:12:13:12 | 5 |
-| lambdas.cs:13:9:13:16 | delegate call | lambdas.cs:10:30:10:30 | y | lambdas.cs:13:15:13:15 | 6 |
-| lambdas.cs:17:9:17:19 | delegate call | lambdas.cs:15:32:15:32 | x | lambdas.cs:17:12:17:12 | 7 |
-| lambdas.cs:17:9:17:19 | delegate call | lambdas.cs:15:32:15:32 | x | lambdas.cs:17:15:17:15 | 8 |
-| lambdas.cs:17:9:17:19 | delegate call | lambdas.cs:15:32:15:32 | x | lambdas.cs:17:18:17:18 | 9 |
-| lambdas.cs:25:9:25:23 | delegate call | lambdas.cs:24:31:24:31 | x | lambdas.cs:25:22:25:22 | 5 |
-| lambdas.cs:25:9:25:23 | delegate call | lambdas.cs:24:38:24:38 | y | lambdas.cs:25:16:25:16 | 4 |

csharp/ql/test/library-tests/csharp7/GlobalFlow.expected

@@ -18,11 +18,21 @@ edges
 | CSharp7.cs:175:16:175:18 | access to local variable src : String | CSharp7.cs:181:23:181:25 | access to local variable src : String | provenance |  |
 | CSharp7.cs:175:16:175:18 | access to local variable src : String | CSharp7.cs:182:23:182:25 | access to local variable src : String | provenance |  |
 | CSharp7.cs:175:22:175:30 | "tainted" : String | CSharp7.cs:175:16:175:18 | access to local variable src : String | provenance |  |
+| CSharp7.cs:177:9:177:32 | g(...) : g [delegate return] : String | CSharp7.cs:181:21:181:21 | access to local function g : g [delegate return] : String | provenance |  |
 | CSharp7.cs:177:25:177:25 | s : String | CSharp7.cs:177:31:177:31 | access to parameter s : String | provenance |  |
+| CSharp7.cs:178:9:178:40 | h(...) : h [delegate return] : String | CSharp7.cs:182:21:182:21 | access to local function h : h [delegate return] : String | provenance |  |
 | CSharp7.cs:178:25:178:25 | s : String | CSharp7.cs:178:37:178:37 | access to parameter s : String | provenance |  |
+| CSharp7.cs:181:21:181:21 | [post] access to local function g : null [delegate argument at position 0] : String | CSharp7.cs:177:9:177:32 | g(...) : g [delegate return] : String | provenance |  |
+| CSharp7.cs:181:21:181:21 | [post] access to local function g : null [delegate argument at position 0] : String | CSharp7.cs:177:25:177:25 | s : String | provenance |  |
+| CSharp7.cs:181:21:181:21 | access to local function g : g [delegate return] : String | CSharp7.cs:181:21:181:26 | call to local function g | provenance |  |
 | CSharp7.cs:181:23:181:25 | access to local variable src : String | CSharp7.cs:177:25:177:25 | s : String | provenance |  |
+| CSharp7.cs:181:23:181:25 | access to local variable src : String | CSharp7.cs:181:21:181:21 | [post] access to local function g : null [delegate argument at position 0] : String | provenance |  |
 | CSharp7.cs:181:23:181:25 | access to local variable src : String | CSharp7.cs:181:21:181:26 | call to local function g | provenance |  |
+| CSharp7.cs:182:21:182:21 | [post] access to local function h : null [delegate argument at position 0] : String | CSharp7.cs:178:9:178:40 | h(...) : h [delegate return] : String | provenance |  |
+| CSharp7.cs:182:21:182:21 | [post] access to local function h : null [delegate argument at position 0] : String | CSharp7.cs:178:25:178:25 | s : String | provenance |  |
+| CSharp7.cs:182:21:182:21 | access to local function h : h [delegate return] : String | CSharp7.cs:182:21:182:26 | call to local function h | provenance |  |
 | CSharp7.cs:182:23:182:25 | access to local variable src : String | CSharp7.cs:178:25:178:25 | s : String | provenance |  |
+| CSharp7.cs:182:23:182:25 | access to local variable src : String | CSharp7.cs:182:21:182:21 | [post] access to local function h : null [delegate argument at position 0] : String | provenance |  |
 | CSharp7.cs:182:23:182:25 | access to local variable src : String | CSharp7.cs:182:21:182:26 | call to local function h | provenance |  |
 nodes
 | CSharp7.cs:39:9:39:9 | access to parameter x : String | semmle.label | access to parameter x : String |
@@ -47,18 +57,26 @@ nodes
 | CSharp7.cs:175:16:175:18 | access to local variable src : String | semmle.label | access to local variable src : String |
 | CSharp7.cs:175:22:175:30 | "tainted" | semmle.label | "tainted" |
 | CSharp7.cs:175:22:175:30 | "tainted" : String | semmle.label | "tainted" : String |
+| CSharp7.cs:177:9:177:32 | g(...) : g [delegate return] : String | semmle.label | g(...) : g [delegate return] : String |
 | CSharp7.cs:177:25:177:25 | s : String | semmle.label | s : String |
 | CSharp7.cs:177:31:177:31 | access to parameter s : String | semmle.label | access to parameter s : String |
+| CSharp7.cs:178:9:178:40 | h(...) : h [delegate return] : String | semmle.label | h(...) : h [delegate return] : String |
 | CSharp7.cs:178:25:178:25 | s : String | semmle.label | s : String |
 | CSharp7.cs:178:37:178:37 | access to parameter s : String | semmle.label | access to parameter s : String |
+| CSharp7.cs:181:21:181:21 | [post] access to local function g : null [delegate argument at position 0] : String | semmle.label | [post] access to local function g : null [delegate argument at position 0] : String |
+| CSharp7.cs:181:21:181:21 | access to local function g : g [delegate return] : String | semmle.label | access to local function g : g [delegate return] : String |
 | CSharp7.cs:181:21:181:26 | call to local function g | semmle.label | call to local function g |
 | CSharp7.cs:181:23:181:25 | access to local variable src : String | semmle.label | access to local variable src : String |
+| CSharp7.cs:182:21:182:21 | [post] access to local function h : null [delegate argument at position 0] : String | semmle.label | [post] access to local function h : null [delegate argument at position 0] : String |
+| CSharp7.cs:182:21:182:21 | access to local function h : h [delegate return] : String | semmle.label | access to local function h : h [delegate return] : String |
 | CSharp7.cs:182:21:182:26 | call to local function h | semmle.label | call to local function h |
 | CSharp7.cs:182:23:182:25 | access to local variable src : String | semmle.label | access to local variable src : String |
 subpaths
 | CSharp7.cs:55:11:55:19 | "tainted" : String | CSharp7.cs:42:19:42:19 | x : String | CSharp7.cs:44:9:44:9 | access to parameter y : String | CSharp7.cs:55:30:55:31 | String t4 : String |
 | CSharp7.cs:90:20:90:27 | access to field Item1 : String | CSharp7.cs:80:21:80:21 | x : String | CSharp7.cs:82:16:82:26 | access to field Item1 : String | CSharp7.cs:90:18:90:28 | call to method I |
+| CSharp7.cs:181:21:181:21 | [post] access to local function g : null [delegate argument at position 0] : String | CSharp7.cs:177:25:177:25 | s : String | CSharp7.cs:177:31:177:31 | access to parameter s : String | CSharp7.cs:177:9:177:32 | g(...) : g [delegate return] : String |
 | CSharp7.cs:181:23:181:25 | access to local variable src : String | CSharp7.cs:177:25:177:25 | s : String | CSharp7.cs:177:31:177:31 | access to parameter s : String | CSharp7.cs:181:21:181:26 | call to local function g |
+| CSharp7.cs:182:21:182:21 | [post] access to local function h : null [delegate argument at position 0] : String | CSharp7.cs:178:25:178:25 | s : String | CSharp7.cs:178:37:178:37 | access to parameter s : String | CSharp7.cs:178:9:178:40 | h(...) : h [delegate return] : String |
 | CSharp7.cs:182:23:182:25 | access to local variable src : String | CSharp7.cs:178:25:178:25 | s : String | CSharp7.cs:178:37:178:37 | access to parameter s : String | CSharp7.cs:182:21:182:26 | call to local function h |
 #select
 | CSharp7.cs:39:13:39:21 | "tainted" : String | CSharp7.cs:39:13:39:21 | "tainted" : String | CSharp7.cs:51:18:51:19 | access to local variable t1 | $@ | CSharp7.cs:51:18:51:19 | access to local variable t1 | access to local variable t1 |

csharp/ql/test/library-tests/csharp7/GlobalTaintTracking.expected

@@ -19,17 +19,37 @@ edges
 | CSharp7.cs:175:16:175:18 | access to local variable src : String | CSharp7.cs:181:23:181:25 | access to local variable src : String | provenance |  |
 | CSharp7.cs:175:16:175:18 | access to local variable src : String | CSharp7.cs:182:23:182:25 | access to local variable src : String | provenance |  |
 | CSharp7.cs:175:22:175:30 | "tainted" : String | CSharp7.cs:175:16:175:18 | access to local variable src : String | provenance |  |
+| CSharp7.cs:176:9:176:40 | f(...) : f [delegate return] : String | CSharp7.cs:180:21:180:21 | access to local function f : f [delegate return] : String | provenance |  |
 | CSharp7.cs:176:25:176:25 | s : String | CSharp7.cs:176:33:176:33 | access to parameter s : String | provenance |  |
+| CSharp7.cs:176:31:176:31 | access to local function g : g [delegate return] : String | CSharp7.cs:176:31:176:34 | call to local function g : String | provenance |  |
 | CSharp7.cs:176:31:176:34 | call to local function g : String | CSharp7.cs:176:31:176:39 | ... + ... : String | provenance |  |
+| CSharp7.cs:176:31:176:34 | call to local function g : String | CSharp7.cs:176:31:176:39 | ... + ... : String | provenance |  |
+| CSharp7.cs:176:31:176:39 | ... + ... : String | CSharp7.cs:176:9:176:40 | f(...) : f [delegate return] : String | provenance |  |
+| CSharp7.cs:176:31:176:39 | ... + ... : String | CSharp7.cs:180:21:180:26 | call to local function f | provenance |  |
 | CSharp7.cs:176:33:176:33 | access to parameter s : String | CSharp7.cs:176:31:176:34 | call to local function g : String | provenance |  |
 | CSharp7.cs:176:33:176:33 | access to parameter s : String | CSharp7.cs:177:25:177:25 | s : String | provenance |  |
+| CSharp7.cs:177:9:177:32 | g(...) : g [delegate return] : String | CSharp7.cs:176:31:176:31 | access to local function g : g [delegate return] : String | provenance |  |
+| CSharp7.cs:177:9:177:32 | g(...) : g [delegate return] : String | CSharp7.cs:181:21:181:21 | access to local function g : g [delegate return] : String | provenance |  |
 | CSharp7.cs:177:25:177:25 | s : String | CSharp7.cs:177:31:177:31 | access to parameter s : String | provenance |  |
+| CSharp7.cs:178:9:178:40 | h(...) : h [delegate return] : String | CSharp7.cs:182:21:182:21 | access to local function h : h [delegate return] : String | provenance |  |
 | CSharp7.cs:178:25:178:25 | s : String | CSharp7.cs:178:37:178:37 | access to parameter s : String | provenance |  |
+| CSharp7.cs:180:21:180:21 | [post] access to local function f : null [delegate argument at position 0] : String | CSharp7.cs:176:9:176:40 | f(...) : f [delegate return] : String | provenance |  |
+| CSharp7.cs:180:21:180:21 | [post] access to local function f : null [delegate argument at position 0] : String | CSharp7.cs:176:25:176:25 | s : String | provenance |  |
+| CSharp7.cs:180:21:180:21 | access to local function f : f [delegate return] : String | CSharp7.cs:180:21:180:26 | call to local function f | provenance |  |
 | CSharp7.cs:180:23:180:25 | access to local variable src : String | CSharp7.cs:176:25:176:25 | s : String | provenance |  |
+| CSharp7.cs:180:23:180:25 | access to local variable src : String | CSharp7.cs:180:21:180:21 | [post] access to local function f : null [delegate argument at position 0] : String | provenance |  |
 | CSharp7.cs:180:23:180:25 | access to local variable src : String | CSharp7.cs:180:21:180:26 | call to local function f | provenance |  |
+| CSharp7.cs:181:21:181:21 | [post] access to local function g : null [delegate argument at position 0] : String | CSharp7.cs:177:9:177:32 | g(...) : g [delegate return] : String | provenance |  |
+| CSharp7.cs:181:21:181:21 | [post] access to local function g : null [delegate argument at position 0] : String | CSharp7.cs:177:25:177:25 | s : String | provenance |  |
+| CSharp7.cs:181:21:181:21 | access to local function g : g [delegate return] : String | CSharp7.cs:181:21:181:26 | call to local function g | provenance |  |
 | CSharp7.cs:181:23:181:25 | access to local variable src : String | CSharp7.cs:177:25:177:25 | s : String | provenance |  |
+| CSharp7.cs:181:23:181:25 | access to local variable src : String | CSharp7.cs:181:21:181:21 | [post] access to local function g : null [delegate argument at position 0] : String | provenance |  |
 | CSharp7.cs:181:23:181:25 | access to local variable src : String | CSharp7.cs:181:21:181:26 | call to local function g | provenance |  |
+| CSharp7.cs:182:21:182:21 | [post] access to local function h : null [delegate argument at position 0] : String | CSharp7.cs:178:9:178:40 | h(...) : h [delegate return] : String | provenance |  |
+| CSharp7.cs:182:21:182:21 | [post] access to local function h : null [delegate argument at position 0] : String | CSharp7.cs:178:25:178:25 | s : String | provenance |  |
+| CSharp7.cs:182:21:182:21 | access to local function h : h [delegate return] : String | CSharp7.cs:182:21:182:26 | call to local function h | provenance |  |
 | CSharp7.cs:182:23:182:25 | access to local variable src : String | CSharp7.cs:178:25:178:25 | s : String | provenance |  |
+| CSharp7.cs:182:23:182:25 | access to local variable src : String | CSharp7.cs:182:21:182:21 | [post] access to local function h : null [delegate argument at position 0] : String | provenance |  |
 | CSharp7.cs:182:23:182:25 | access to local variable src : String | CSharp7.cs:182:21:182:26 | call to local function h | provenance |  |
 nodes
 | CSharp7.cs:39:9:39:9 | access to parameter x : String | semmle.label | access to parameter x : String |
@@ -54,26 +74,41 @@ nodes
 | CSharp7.cs:175:16:175:18 | access to local variable src : String | semmle.label | access to local variable src : String |
 | CSharp7.cs:175:22:175:30 | "tainted" | semmle.label | "tainted" |
 | CSharp7.cs:175:22:175:30 | "tainted" : String | semmle.label | "tainted" : String |
+| CSharp7.cs:176:9:176:40 | f(...) : f [delegate return] : String | semmle.label | f(...) : f [delegate return] : String |
 | CSharp7.cs:176:25:176:25 | s : String | semmle.label | s : String |
+| CSharp7.cs:176:31:176:31 | access to local function g : g [delegate return] : String | semmle.label | access to local function g : g [delegate return] : String |
+| CSharp7.cs:176:31:176:34 | call to local function g : String | semmle.label | call to local function g : String |
 | CSharp7.cs:176:31:176:34 | call to local function g : String | semmle.label | call to local function g : String |
 | CSharp7.cs:176:31:176:39 | ... + ... : String | semmle.label | ... + ... : String |
+| CSharp7.cs:176:31:176:39 | ... + ... : String | semmle.label | ... + ... : String |
 | CSharp7.cs:176:33:176:33 | access to parameter s : String | semmle.label | access to parameter s : String |
+| CSharp7.cs:177:9:177:32 | g(...) : g [delegate return] : String | semmle.label | g(...) : g [delegate return] : String |
 | CSharp7.cs:177:25:177:25 | s : String | semmle.label | s : String |
 | CSharp7.cs:177:31:177:31 | access to parameter s : String | semmle.label | access to parameter s : String |
+| CSharp7.cs:178:9:178:40 | h(...) : h [delegate return] : String | semmle.label | h(...) : h [delegate return] : String |
 | CSharp7.cs:178:25:178:25 | s : String | semmle.label | s : String |
 | CSharp7.cs:178:37:178:37 | access to parameter s : String | semmle.label | access to parameter s : String |
+| CSharp7.cs:180:21:180:21 | [post] access to local function f : null [delegate argument at position 0] : String | semmle.label | [post] access to local function f : null [delegate argument at position 0] : String |
+| CSharp7.cs:180:21:180:21 | access to local function f : f [delegate return] : String | semmle.label | access to local function f : f [delegate return] : String |
 | CSharp7.cs:180:21:180:26 | call to local function f | semmle.label | call to local function f |
 | CSharp7.cs:180:23:180:25 | access to local variable src : String | semmle.label | access to local variable src : String |
+| CSharp7.cs:181:21:181:21 | [post] access to local function g : null [delegate argument at position 0] : String | semmle.label | [post] access to local function g : null [delegate argument at position 0] : String |
+| CSharp7.cs:181:21:181:21 | access to local function g : g [delegate return] : String | semmle.label | access to local function g : g [delegate return] : String |
 | CSharp7.cs:181:21:181:26 | call to local function g | semmle.label | call to local function g |
 | CSharp7.cs:181:23:181:25 | access to local variable src : String | semmle.label | access to local variable src : String |
+| CSharp7.cs:182:21:182:21 | [post] access to local function h : null [delegate argument at position 0] : String | semmle.label | [post] access to local function h : null [delegate argument at position 0] : String |
+| CSharp7.cs:182:21:182:21 | access to local function h : h [delegate return] : String | semmle.label | access to local function h : h [delegate return] : String |
 | CSharp7.cs:182:21:182:26 | call to local function h | semmle.label | call to local function h |
 | CSharp7.cs:182:23:182:25 | access to local variable src : String | semmle.label | access to local variable src : String |
 subpaths
 | CSharp7.cs:55:11:55:19 | "tainted" : String | CSharp7.cs:42:19:42:19 | x : String | CSharp7.cs:44:9:44:9 | access to parameter y : String | CSharp7.cs:55:30:55:31 | String t4 : String |
 | CSharp7.cs:90:20:90:27 | access to field Item1 : String | CSharp7.cs:80:21:80:21 | x : String | CSharp7.cs:82:16:82:26 | access to field Item1 : String | CSharp7.cs:90:18:90:28 | call to method I |
 | CSharp7.cs:176:33:176:33 | access to parameter s : String | CSharp7.cs:177:25:177:25 | s : String | CSharp7.cs:177:31:177:31 | access to parameter s : String | CSharp7.cs:176:31:176:34 | call to local function g : String |
+| CSharp7.cs:180:21:180:21 | [post] access to local function f : null [delegate argument at position 0] : String | CSharp7.cs:176:25:176:25 | s : String | CSharp7.cs:176:31:176:39 | ... + ... : String | CSharp7.cs:176:9:176:40 | f(...) : f [delegate return] : String |
 | CSharp7.cs:180:23:180:25 | access to local variable src : String | CSharp7.cs:176:25:176:25 | s : String | CSharp7.cs:176:31:176:39 | ... + ... : String | CSharp7.cs:180:21:180:26 | call to local function f |
+| CSharp7.cs:181:21:181:21 | [post] access to local function g : null [delegate argument at position 0] : String | CSharp7.cs:177:25:177:25 | s : String | CSharp7.cs:177:31:177:31 | access to parameter s : String | CSharp7.cs:177:9:177:32 | g(...) : g [delegate return] : String |
 | CSharp7.cs:181:23:181:25 | access to local variable src : String | CSharp7.cs:177:25:177:25 | s : String | CSharp7.cs:177:31:177:31 | access to parameter s : String | CSharp7.cs:181:21:181:26 | call to local function g |
+| CSharp7.cs:182:21:182:21 | [post] access to local function h : null [delegate argument at position 0] : String | CSharp7.cs:178:25:178:25 | s : String | CSharp7.cs:178:37:178:37 | access to parameter s : String | CSharp7.cs:178:9:178:40 | h(...) : h [delegate return] : String |
 | CSharp7.cs:182:23:182:25 | access to local variable src : String | CSharp7.cs:178:25:178:25 | s : String | CSharp7.cs:178:37:178:37 | access to parameter s : String | CSharp7.cs:182:21:182:26 | call to local function h |
 #select
 | CSharp7.cs:39:13:39:21 | "tainted" : String | CSharp7.cs:39:13:39:21 | "tainted" : String | CSharp7.cs:51:18:51:19 | access to local variable t1 | $@ | CSharp7.cs:51:18:51:19 | access to local variable t1 | access to local variable t1 |

csharp/ql/test/library-tests/dataflow/callablereturnsarg/DataFlow.expected

@@ -13,9 +13,6 @@
 | CallableReturnsArg.cs:71:31:71:36 | (...) => ... | 0 | -1 |
 | CallableReturnsArg.cs:76:33:76:38 | (...) => ... | 0 | -1 |
 | CallableReturnsArg.cs:81:22:81:27 | (...) => ... | 0 | -1 |
-| CallableReturnsArg.cs:90:21:90:35 | ApplyWrapper`1 | 2 | -1 |
-| CallableReturnsArg.cs:95:26:95:46 | ApplyNonPreservingFP1 | 0 | -1 |
 | CallableReturnsArg.cs:97:40:97:45 | (...) => ... | 0 | -1 |
-| CallableReturnsArg.cs:100:26:100:46 | ApplyNonPreservingFP2 | 0 | -1 |
 | CallableReturnsArg.cs:102:29:102:34 | (...) => ... | 0 | -1 |
 | CallableReturnsArg.cs:112:26:112:40 | ReturnNoBarrier | 0 | -1 |

csharp/ql/test/library-tests/dataflow/callablereturnsarg/TaintTracking.expected

@@ -17,9 +17,6 @@
 | CallableReturnsArg.cs:71:31:71:36 | (...) => ... | 0 | -1 |
 | CallableReturnsArg.cs:76:33:76:38 | (...) => ... | 0 | -1 |
 | CallableReturnsArg.cs:81:22:81:27 | (...) => ... | 0 | -1 |
-| CallableReturnsArg.cs:90:21:90:35 | ApplyWrapper`1 | 2 | -1 |
-| CallableReturnsArg.cs:95:26:95:46 | ApplyNonPreservingFP1 | 0 | -1 |
 | CallableReturnsArg.cs:97:40:97:45 | (...) => ... | 0 | -1 |
-| CallableReturnsArg.cs:100:26:100:46 | ApplyNonPreservingFP2 | 0 | -1 |
 | CallableReturnsArg.cs:102:29:102:34 | (...) => ... | 0 | -1 |
 | CallableReturnsArg.cs:112:26:112:40 | ReturnNoBarrier | 0 | -1 |

csharp/ql/test/library-tests/dataflow/collections/CollectionFlow.expected

@@ -249,8 +249,9 @@ edges
 | CollectionFlow.cs:308:9:308:12 | [post] access to local variable list : List<T> [element, property Key] : A | CollectionFlow.cs:309:9:309:12 | access to local variable list : List<T> [element, property Key] : A | provenance |  |
 | CollectionFlow.cs:308:18:308:47 | object creation of type KeyValuePair<A,Int32> : KeyValuePair<T,T> [property Key] : A | CollectionFlow.cs:308:9:308:12 | [post] access to local variable list : List<T> [element, property Key] : A | provenance | MaD:3 |
 | CollectionFlow.cs:308:43:308:43 | access to local variable a : A | CollectionFlow.cs:308:18:308:47 | object creation of type KeyValuePair<A,Int32> : KeyValuePair<T,T> [property Key] : A | provenance | MaD:13 |
-| CollectionFlow.cs:309:9:309:12 | access to local variable list : List<T> [element, property Key] : A | CollectionFlow.cs:309:21:309:23 | kvp : KeyValuePair<T,T> [property Key] : A | provenance | MaD:18 |
+| CollectionFlow.cs:309:9:309:12 | access to local variable list : List<T> [element, property Key] : A | CollectionFlow.cs:309:21:313:9 | [post] (...) => ... : Func<T,T> [delegate argument at position 0, property Key] : A | provenance | MaD:18 |
 | CollectionFlow.cs:309:21:309:23 | kvp : KeyValuePair<T,T> [property Key] : A | CollectionFlow.cs:311:18:311:20 | access to parameter kvp : KeyValuePair<T,T> [property Key] : A | provenance |  |
+| CollectionFlow.cs:309:21:313:9 | [post] (...) => ... : Func<T,T> [delegate argument at position 0, property Key] : A | CollectionFlow.cs:309:21:309:23 | kvp : KeyValuePair<T,T> [property Key] : A | provenance |  |
 | CollectionFlow.cs:311:18:311:20 | access to parameter kvp : KeyValuePair<T,T> [property Key] : A | CollectionFlow.cs:311:18:311:24 | access to property Key | provenance |  |
 | CollectionFlow.cs:328:32:328:38 | element : A | CollectionFlow.cs:328:55:328:61 | access to parameter element : A | provenance |  |
 | CollectionFlow.cs:328:44:328:48 | [post] access to parameter array : A[] [element] : A | CollectionFlow.cs:328:23:328:27 | array [Return] : A[] [element] : A | provenance |  |
@@ -560,6 +561,7 @@ nodes
 | CollectionFlow.cs:308:43:308:43 | access to local variable a : A | semmle.label | access to local variable a : A |
 | CollectionFlow.cs:309:9:309:12 | access to local variable list : List<T> [element, property Key] : A | semmle.label | access to local variable list : List<T> [element, property Key] : A |
 | CollectionFlow.cs:309:21:309:23 | kvp : KeyValuePair<T,T> [property Key] : A | semmle.label | kvp : KeyValuePair<T,T> [property Key] : A |
+| CollectionFlow.cs:309:21:313:9 | [post] (...) => ... : Func<T,T> [delegate argument at position 0, property Key] : A | semmle.label | [post] (...) => ... : Func<T,T> [delegate argument at position 0, property Key] : A |
 | CollectionFlow.cs:311:18:311:20 | access to parameter kvp : KeyValuePair<T,T> [property Key] : A | semmle.label | access to parameter kvp : KeyValuePair<T,T> [property Key] : A |
 | CollectionFlow.cs:311:18:311:24 | access to property Key | semmle.label | access to property Key |
 | CollectionFlow.cs:328:23:328:27 | array [Return] : A[] [element] : A | semmle.label | array [Return] : A[] [element] : A |

csharp/ql/test/library-tests/dataflow/delegates/DelegateFlow.expected

@@ -1,63 +1,2 @@
 delegateCall
-| DelegateFlow.cs:9:9:9:12 | delegate call | DelegateFlow.cs:5:10:5:11 | M1 |
-| DelegateFlow.cs:9:9:9:12 | delegate call | DelegateFlow.cs:16:12:16:19 | (...) => ... |
-| DelegateFlow.cs:9:9:9:12 | delegate call | DelegateFlow.cs:27:12:27:19 | (...) => ... |
-| DelegateFlow.cs:9:9:9:12 | delegate call | DelegateFlow.cs:98:9:98:37 | LocalFunction |
-| DelegateFlow.cs:9:9:9:12 | delegate call | DelegateFlow.cs:119:18:119:27 | (...) => ... |
-| DelegateFlow.cs:9:9:9:12 | delegate call | DelegateFlow.cs:125:15:125:24 | (...) => ... |
-| DelegateFlow.cs:11:9:11:12 | delegate call | DelegateFlow.cs:10:13:10:20 | (...) => ... |
-| DelegateFlow.cs:33:9:33:13 | delegate call | DelegateFlow.cs:38:12:38:25 | (...) => ... |
-| DelegateFlow.cs:38:19:38:22 | delegate call | DelegateFlow.cs:5:10:5:11 | M1 |
-| DelegateFlow.cs:44:15:44:22 | delegate call | DelegateFlow.cs:43:22:43:29 | (...) => ... |
-| DelegateFlow.cs:57:9:57:11 | delegate call | DelegateFlow.cs:53:34:53:47 | (...) => ... |
-| DelegateFlow.cs:57:9:57:14 | delegate call | DelegateFlow.cs:53:40:53:47 | (...) => ... |
-| DelegateFlow.cs:67:9:67:16 | delegate call | DelegateFlow.cs:62:16:62:23 | (...) => ... |
-| DelegateFlow.cs:77:9:77:15 | delegate call | DelegateFlow.cs:55:10:55:11 | M9 |
-| DelegateFlow.cs:77:9:77:15 | delegate call | DelegateFlow.cs:65:10:65:12 | M11 |
-| DelegateFlow.cs:84:9:84:15 | delegate call | DelegateFlow.cs:55:10:55:11 | M9 |
-| DelegateFlow.cs:84:9:84:15 | delegate call | DelegateFlow.cs:65:10:65:12 | M11 |
-| DelegateFlow.cs:89:35:89:37 | delegate call | DelegateFlow.cs:55:10:55:11 | M9 |
-| DelegateFlow.cs:89:35:89:37 | delegate call | DelegateFlow.cs:65:10:65:12 | M11 |
-| DelegateFlow.cs:89:35:89:37 | delegate call | DelegateFlow.cs:74:17:74:19 | M12 |
-| DelegateFlow.cs:89:35:89:37 | delegate call | DelegateFlow.cs:93:13:93:21 | (...) => ... |
-| DelegateFlow.cs:114:9:114:16 | function pointer call | DelegateFlow.cs:7:17:7:18 | M2 |
-| DelegateFlow.cs:125:9:125:25 | function pointer call | DelegateFlow.cs:7:17:7:18 | M2 |
-| DelegateFlow.cs:132:9:132:11 | delegate call | DelegateFlow.cs:131:17:131:25 | (...) => ... |
-| DelegateFlow.cs:132:9:132:11 | delegate call | DelegateFlow.cs:135:29:135:37 | (...) => ... |
-| DelegateFlow.cs:153:9:153:21 | delegate call | DelegateFlow.cs:149:13:149:20 | (...) => ... |
-| DelegateFlow.cs:154:9:154:21 | delegate call | DelegateFlow.cs:150:13:150:20 | (...) => ... |
-| DelegateFlow.cs:155:9:155:16 | delegate call | DelegateFlow.cs:149:13:149:20 | (...) => ... |
-| DelegateFlow.cs:156:9:156:16 | delegate call | DelegateFlow.cs:150:13:150:20 | (...) => ... |
 viableLambda
-| DelegateFlow.cs:9:9:9:12 | delegate call | DelegateFlow.cs:16:9:16:20 | call to method M2 | DelegateFlow.cs:16:12:16:19 | (...) => ... |
-| DelegateFlow.cs:9:9:9:12 | delegate call | DelegateFlow.cs:17:9:17:14 | call to method M2 | DelegateFlow.cs:5:10:5:11 | M1 |
-| DelegateFlow.cs:9:9:9:12 | delegate call | DelegateFlow.cs:22:9:22:13 | call to method M2 | DelegateFlow.cs:5:10:5:11 | M1 |
-| DelegateFlow.cs:9:9:9:12 | delegate call | DelegateFlow.cs:22:9:22:13 | call to method M2 | DelegateFlow.cs:27:12:27:19 | (...) => ... |
-| DelegateFlow.cs:9:9:9:12 | delegate call | DelegateFlow.cs:99:9:99:25 | call to method M2 | DelegateFlow.cs:98:9:98:37 | LocalFunction |
-| DelegateFlow.cs:9:9:9:12 | delegate call | DelegateFlow.cs:114:9:114:16 | function pointer call | DelegateFlow.cs:119:18:119:27 | (...) => ... |
-| DelegateFlow.cs:9:9:9:12 | delegate call | DelegateFlow.cs:125:9:125:25 | function pointer call | DelegateFlow.cs:125:15:125:24 | (...) => ... |
-| DelegateFlow.cs:11:9:11:12 | delegate call | file://:0:0:0:0 | (none) | DelegateFlow.cs:10:13:10:20 | (...) => ... |
-| DelegateFlow.cs:33:9:33:13 | delegate call | DelegateFlow.cs:38:9:38:30 | call to method M6 | DelegateFlow.cs:38:12:38:25 | (...) => ... |
-| DelegateFlow.cs:38:19:38:22 | delegate call | DelegateFlow.cs:33:9:33:13 | delegate call | DelegateFlow.cs:5:10:5:11 | M1 |
-| DelegateFlow.cs:44:15:44:22 | delegate call | DelegateFlow.cs:50:9:50:14 | dynamic access to member Prop | DelegateFlow.cs:43:22:43:29 | (...) => ... |
-| DelegateFlow.cs:57:9:57:11 | delegate call | file://:0:0:0:0 | (none) | DelegateFlow.cs:53:34:53:47 | (...) => ... |
-| DelegateFlow.cs:57:9:57:14 | delegate call | file://:0:0:0:0 | (none) | DelegateFlow.cs:53:40:53:47 | (...) => ... |
-| DelegateFlow.cs:67:9:67:16 | delegate call | file://:0:0:0:0 | (none) | DelegateFlow.cs:62:16:62:23 | (...) => ... |
-| DelegateFlow.cs:77:9:77:15 | delegate call | file://:0:0:0:0 | (none) | DelegateFlow.cs:55:10:55:11 | M9 |
-| DelegateFlow.cs:77:9:77:15 | delegate call | file://:0:0:0:0 | (none) | DelegateFlow.cs:65:10:65:12 | M11 |
-| DelegateFlow.cs:84:9:84:15 | delegate call | DelegateFlow.cs:78:9:78:15 | call to method M13 | DelegateFlow.cs:55:10:55:11 | M9 |
-| DelegateFlow.cs:84:9:84:15 | delegate call | file://:0:0:0:0 | (none) | DelegateFlow.cs:65:10:65:12 | M11 |
-| DelegateFlow.cs:89:35:89:37 | delegate call | DelegateFlow.cs:90:9:90:31 | call to local function M14 | DelegateFlow.cs:55:10:55:11 | M9 |
-| DelegateFlow.cs:89:35:89:37 | delegate call | DelegateFlow.cs:91:9:91:48 | call to local function M14 | DelegateFlow.cs:65:10:65:12 | M11 |
-| DelegateFlow.cs:89:35:89:37 | delegate call | DelegateFlow.cs:92:9:92:16 | call to local function M14 | DelegateFlow.cs:74:17:74:19 | M12 |
-| DelegateFlow.cs:89:35:89:37 | delegate call | DelegateFlow.cs:93:9:93:22 | call to local function M14 | DelegateFlow.cs:93:13:93:21 | (...) => ... |
-| DelegateFlow.cs:114:9:114:16 | function pointer call | DelegateFlow.cs:119:9:119:28 | call to method M16 | DelegateFlow.cs:7:17:7:18 | M2 |
-| DelegateFlow.cs:125:9:125:25 | function pointer call | file://:0:0:0:0 | (none) | DelegateFlow.cs:7:17:7:18 | M2 |
-| DelegateFlow.cs:132:9:132:11 | delegate call | DelegateFlow.cs:135:25:135:41 | call to method M19 | DelegateFlow.cs:135:29:135:37 | (...) => ... |
-| DelegateFlow.cs:132:9:132:11 | delegate call | file://:0:0:0:0 | (none) | DelegateFlow.cs:131:17:131:25 | (...) => ... |
-| DelegateFlow.cs:153:9:153:21 | delegate call | file://:0:0:0:0 | (none) | DelegateFlow.cs:149:13:149:20 | (...) => ... |
-| DelegateFlow.cs:154:9:154:21 | delegate call | file://:0:0:0:0 | (none) | DelegateFlow.cs:150:13:150:20 | (...) => ... |
-| DelegateFlow.cs:155:9:155:16 | delegate call | file://:0:0:0:0 | (none) | DelegateFlow.cs:149:13:149:20 | (...) => ... |
-| DelegateFlow.cs:156:9:156:16 | delegate call | file://:0:0:0:0 | (none) | DelegateFlow.cs:150:13:150:20 | (...) => ... |
-| file://:0:0:0:0 | [summary] call to [summary param] position 0 in Lazy in Lazy | DelegateFlow.cs:105:9:105:24 | object creation of type Lazy<Int32> | DelegateFlow.cs:104:23:104:30 | (...) => ... |
-| file://:0:0:0:0 | [summary] call to [summary param] position 0 in Lazy in Lazy | DelegateFlow.cs:107:9:107:24 | object creation of type Lazy<Int32> | DelegateFlow.cs:106:13:106:20 | (...) => ... |

csharp/ql/test/library-tests/dataflow/external-models/ExternalFlow.expected

@@ -66,27 +66,33 @@ edges
 | ExternalFlow.cs:54:36:54:47 | object creation of type Object : Object | ExternalFlow.cs:54:13:54:16 | [post] this access : D [element] : Object | provenance | MaD:12 |
 | ExternalFlow.cs:55:18:55:21 | this access : D [element] : Object | ExternalFlow.cs:55:18:55:41 | call to method StepElementGetter | provenance | MaD:11 |
 | ExternalFlow.cs:60:35:60:35 | o : Object | ExternalFlow.cs:60:47:60:47 | access to parameter o | provenance |  |
-| ExternalFlow.cs:60:64:60:75 | object creation of type Object : Object | ExternalFlow.cs:60:35:60:35 | o : Object | provenance | MaD:3 |
+| ExternalFlow.cs:60:35:60:61 | [post] (...) => ... : Func<T,T> [delegate argument at position 0] : Object | ExternalFlow.cs:60:35:60:35 | o : Object | provenance |  |
+| ExternalFlow.cs:60:64:60:75 | object creation of type Object : Object | ExternalFlow.cs:60:35:60:61 | [post] (...) => ... : Func<T,T> [delegate argument at position 0] : Object | provenance | MaD:3 |
 | ExternalFlow.cs:65:17:65:17 | access to local variable o : Object | ExternalFlow.cs:66:18:66:18 | access to local variable o | provenance |  |
 | ExternalFlow.cs:65:21:65:60 | call to method Apply<Int32,Object> : Object | ExternalFlow.cs:65:17:65:17 | access to local variable o : Object | provenance |  |
-| ExternalFlow.cs:65:45:65:56 | object creation of type Object : Object | ExternalFlow.cs:65:21:65:60 | call to method Apply<Int32,Object> : Object | provenance | MaD:2 |
+| ExternalFlow.cs:65:40:65:56 | (...) => ... : (...) => ... [delegate return] : Object | ExternalFlow.cs:65:21:65:60 | call to method Apply<Int32,Object> : Object | provenance | MaD:2 |
+| ExternalFlow.cs:65:45:65:56 | object creation of type Object : Object | ExternalFlow.cs:65:40:65:56 | (...) => ... : (...) => ... [delegate return] : Object | provenance |  |
 | ExternalFlow.cs:71:17:71:20 | access to local variable objs : null [element] : Object | ExternalFlow.cs:72:17:72:20 | access to local variable objs : null [element] : Object | provenance |  |
 | ExternalFlow.cs:71:30:71:45 | { ..., ... } : null [element] : Object | ExternalFlow.cs:71:17:71:20 | access to local variable objs : null [element] : Object | provenance |  |
 | ExternalFlow.cs:71:32:71:43 | object creation of type Object : Object | ExternalFlow.cs:71:30:71:45 | { ..., ... } : null [element] : Object | provenance |  |
-| ExternalFlow.cs:72:17:72:20 | access to local variable objs : null [element] : Object | ExternalFlow.cs:72:23:72:23 | o : Object | provenance | MaD:4 |
+| ExternalFlow.cs:72:17:72:20 | access to local variable objs : null [element] : Object | ExternalFlow.cs:72:23:72:49 | [post] (...) => ... : Func<T,T> [delegate argument at position 0] : Object | provenance | MaD:4 |
 | ExternalFlow.cs:72:23:72:23 | o : Object | ExternalFlow.cs:72:35:72:35 | access to parameter o | provenance |  |
+| ExternalFlow.cs:72:23:72:49 | [post] (...) => ... : Func<T,T> [delegate argument at position 0] : Object | ExternalFlow.cs:72:23:72:23 | o : Object | provenance |  |
 | ExternalFlow.cs:77:17:77:20 | access to local variable objs : T[] [element] : Object | ExternalFlow.cs:78:18:78:21 | access to local variable objs : T[] [element] : Object | provenance |  |
 | ExternalFlow.cs:77:24:77:58 | call to method Map<Int32,Object> : T[] [element] : Object | ExternalFlow.cs:77:17:77:20 | access to local variable objs : T[] [element] : Object | provenance |  |
-| ExternalFlow.cs:77:46:77:57 | object creation of type Object : Object | ExternalFlow.cs:77:24:77:58 | call to method Map<Int32,Object> : T[] [element] : Object | provenance | MaD:5 |
+| ExternalFlow.cs:77:41:77:57 | (...) => ... : (...) => ... [delegate return] : Object | ExternalFlow.cs:77:24:77:58 | call to method Map<Int32,Object> : T[] [element] : Object | provenance | MaD:5 |
+| ExternalFlow.cs:77:46:77:57 | object creation of type Object : Object | ExternalFlow.cs:77:41:77:57 | (...) => ... : (...) => ... [delegate return] : Object | provenance |  |
 | ExternalFlow.cs:78:18:78:21 | access to local variable objs : T[] [element] : Object | ExternalFlow.cs:78:18:78:24 | access to array element | provenance |  |
 | ExternalFlow.cs:83:17:83:20 | access to local variable objs : null [element] : Object | ExternalFlow.cs:84:29:84:32 | access to local variable objs : null [element] : Object | provenance |  |
 | ExternalFlow.cs:83:30:83:45 | { ..., ... } : null [element] : Object | ExternalFlow.cs:83:17:83:20 | access to local variable objs : null [element] : Object | provenance |  |
 | ExternalFlow.cs:83:32:83:43 | object creation of type Object : Object | ExternalFlow.cs:83:30:83:45 | { ..., ... } : null [element] : Object | provenance |  |
 | ExternalFlow.cs:84:17:84:21 | access to local variable objs2 : T[] [element] : Object | ExternalFlow.cs:85:18:85:22 | access to local variable objs2 : T[] [element] : Object | provenance |  |
 | ExternalFlow.cs:84:25:84:41 | call to method Map<Object,Object> : T[] [element] : Object | ExternalFlow.cs:84:17:84:21 | access to local variable objs2 : T[] [element] : Object | provenance |  |
-| ExternalFlow.cs:84:29:84:32 | access to local variable objs : null [element] : Object | ExternalFlow.cs:84:25:84:41 | call to method Map<Object,Object> : T[] [element] : Object | provenance | MaD:4 |
+| ExternalFlow.cs:84:29:84:32 | access to local variable objs : null [element] : Object | ExternalFlow.cs:84:35:84:40 | [post] (...) => ... : Func<T,T> [delegate argument at position 0] : Object | provenance | MaD:4 |
-| ExternalFlow.cs:84:29:84:32 | access to local variable objs : null [element] : Object | ExternalFlow.cs:84:35:84:35 | o : Object | provenance | MaD:4 |
 | ExternalFlow.cs:84:35:84:35 | o : Object | ExternalFlow.cs:84:40:84:40 | access to parameter o : Object | provenance |  |
+| ExternalFlow.cs:84:35:84:40 | (...) => ... : (...) => ... [delegate return] : Object | ExternalFlow.cs:84:25:84:41 | call to method Map<Object,Object> : T[] [element] : Object | provenance | MaD:5 |
+| ExternalFlow.cs:84:35:84:40 | [post] (...) => ... : Func<T,T> [delegate argument at position 0] : Object | ExternalFlow.cs:84:35:84:35 | o : Object | provenance |  |
+| ExternalFlow.cs:84:35:84:40 | [post] (...) => ... : Func<T,T> [delegate argument at position 0] : Object | ExternalFlow.cs:84:35:84:40 | (...) => ... : (...) => ... [delegate return] : Object | provenance |  |
 | ExternalFlow.cs:85:18:85:22 | access to local variable objs2 : T[] [element] : Object | ExternalFlow.cs:85:18:85:25 | access to array element | provenance |  |
 | ExternalFlow.cs:90:17:90:17 | access to local variable s : String | ExternalFlow.cs:91:19:91:19 | access to local variable s : String | provenance |  |
 | ExternalFlow.cs:90:21:90:34 | object creation of type String : String | ExternalFlow.cs:90:17:90:17 | access to local variable s : String | provenance |  |
@@ -96,7 +102,8 @@ edges
 | ExternalFlow.cs:98:13:98:14 | [post] access to local variable d1 : D [field Field] : Object | ExternalFlow.cs:104:18:104:19 | access to local variable d1 : D [field Field] : Object | provenance |  |
 | ExternalFlow.cs:98:24:98:35 | object creation of type Object : Object | ExternalFlow.cs:98:13:98:14 | [post] access to local variable d1 : D [field Field] : Object | provenance |  |
 | ExternalFlow.cs:100:20:100:20 | d : Object | ExternalFlow.cs:102:22:102:22 | access to parameter d | provenance |  |
-| ExternalFlow.cs:103:16:103:17 | access to local variable d1 : D [field Field] : Object | ExternalFlow.cs:100:20:100:20 | d : Object | provenance | MaD:1 |
+| ExternalFlow.cs:100:20:103:13 | [post] (...) => ... : Action<Object> [delegate argument at position 0] : Object | ExternalFlow.cs:100:20:100:20 | d : Object | provenance |  |
+| ExternalFlow.cs:103:16:103:17 | access to local variable d1 : D [field Field] : Object | ExternalFlow.cs:100:20:103:13 | [post] (...) => ... : Action<Object> [delegate argument at position 0] : Object | provenance | MaD:1 |
 | ExternalFlow.cs:104:18:104:19 | access to local variable d1 : D [field Field] : Object | ExternalFlow.cs:104:18:104:25 | access to field Field | provenance |  |
 | ExternalFlow.cs:111:13:111:13 | [post] access to local variable f : F [field MyField] : Object | ExternalFlow.cs:112:18:112:18 | access to local variable f : F [field MyField] : Object | provenance |  |
 | ExternalFlow.cs:111:24:111:35 | object creation of type Object : Object | ExternalFlow.cs:111:13:111:13 | [post] access to local variable f : F [field MyField] : Object | provenance | MaD:19 |
@@ -191,10 +198,12 @@ nodes
 | ExternalFlow.cs:55:18:55:21 | this access : D [element] : Object | semmle.label | this access : D [element] : Object |
 | ExternalFlow.cs:55:18:55:41 | call to method StepElementGetter | semmle.label | call to method StepElementGetter |
 | ExternalFlow.cs:60:35:60:35 | o : Object | semmle.label | o : Object |
+| ExternalFlow.cs:60:35:60:61 | [post] (...) => ... : Func<T,T> [delegate argument at position 0] : Object | semmle.label | [post] (...) => ... : Func<T,T> [delegate argument at position 0] : Object |
 | ExternalFlow.cs:60:47:60:47 | access to parameter o | semmle.label | access to parameter o |
 | ExternalFlow.cs:60:64:60:75 | object creation of type Object : Object | semmle.label | object creation of type Object : Object |
 | ExternalFlow.cs:65:17:65:17 | access to local variable o : Object | semmle.label | access to local variable o : Object |
 | ExternalFlow.cs:65:21:65:60 | call to method Apply<Int32,Object> : Object | semmle.label | call to method Apply<Int32,Object> : Object |
+| ExternalFlow.cs:65:40:65:56 | (...) => ... : (...) => ... [delegate return] : Object | semmle.label | (...) => ... : (...) => ... [delegate return] : Object |
 | ExternalFlow.cs:65:45:65:56 | object creation of type Object : Object | semmle.label | object creation of type Object : Object |
 | ExternalFlow.cs:66:18:66:18 | access to local variable o | semmle.label | access to local variable o |
 | ExternalFlow.cs:71:17:71:20 | access to local variable objs : null [element] : Object | semmle.label | access to local variable objs : null [element] : Object |
@@ -202,9 +211,11 @@ nodes
 | ExternalFlow.cs:71:32:71:43 | object creation of type Object : Object | semmle.label | object creation of type Object : Object |
 | ExternalFlow.cs:72:17:72:20 | access to local variable objs : null [element] : Object | semmle.label | access to local variable objs : null [element] : Object |
 | ExternalFlow.cs:72:23:72:23 | o : Object | semmle.label | o : Object |
+| ExternalFlow.cs:72:23:72:49 | [post] (...) => ... : Func<T,T> [delegate argument at position 0] : Object | semmle.label | [post] (...) => ... : Func<T,T> [delegate argument at position 0] : Object |
 | ExternalFlow.cs:72:35:72:35 | access to parameter o | semmle.label | access to parameter o |
 | ExternalFlow.cs:77:17:77:20 | access to local variable objs : T[] [element] : Object | semmle.label | access to local variable objs : T[] [element] : Object |
 | ExternalFlow.cs:77:24:77:58 | call to method Map<Int32,Object> : T[] [element] : Object | semmle.label | call to method Map<Int32,Object> : T[] [element] : Object |
+| ExternalFlow.cs:77:41:77:57 | (...) => ... : (...) => ... [delegate return] : Object | semmle.label | (...) => ... : (...) => ... [delegate return] : Object |
 | ExternalFlow.cs:77:46:77:57 | object creation of type Object : Object | semmle.label | object creation of type Object : Object |
 | ExternalFlow.cs:78:18:78:21 | access to local variable objs : T[] [element] : Object | semmle.label | access to local variable objs : T[] [element] : Object |
 | ExternalFlow.cs:78:18:78:24 | access to array element | semmle.label | access to array element |
@@ -215,6 +226,8 @@ nodes
 | ExternalFlow.cs:84:25:84:41 | call to method Map<Object,Object> : T[] [element] : Object | semmle.label | call to method Map<Object,Object> : T[] [element] : Object |
 | ExternalFlow.cs:84:29:84:32 | access to local variable objs : null [element] : Object | semmle.label | access to local variable objs : null [element] : Object |
 | ExternalFlow.cs:84:35:84:35 | o : Object | semmle.label | o : Object |
+| ExternalFlow.cs:84:35:84:40 | (...) => ... : (...) => ... [delegate return] : Object | semmle.label | (...) => ... : (...) => ... [delegate return] : Object |
+| ExternalFlow.cs:84:35:84:40 | [post] (...) => ... : Func<T,T> [delegate argument at position 0] : Object | semmle.label | [post] (...) => ... : Func<T,T> [delegate argument at position 0] : Object |
 | ExternalFlow.cs:84:40:84:40 | access to parameter o : Object | semmle.label | access to parameter o : Object |
 | ExternalFlow.cs:85:18:85:22 | access to local variable objs2 : T[] [element] : Object | semmle.label | access to local variable objs2 : T[] [element] : Object |
 | ExternalFlow.cs:85:18:85:25 | access to array element | semmle.label | access to array element |
@@ -226,6 +239,7 @@ nodes
 | ExternalFlow.cs:98:13:98:14 | [post] access to local variable d1 : D [field Field] : Object | semmle.label | [post] access to local variable d1 : D [field Field] : Object |
 | ExternalFlow.cs:98:24:98:35 | object creation of type Object : Object | semmle.label | object creation of type Object : Object |
 | ExternalFlow.cs:100:20:100:20 | d : Object | semmle.label | d : Object |
+| ExternalFlow.cs:100:20:103:13 | [post] (...) => ... : Action<Object> [delegate argument at position 0] : Object | semmle.label | [post] (...) => ... : Action<Object> [delegate argument at position 0] : Object |
 | ExternalFlow.cs:102:22:102:22 | access to parameter d | semmle.label | access to parameter d |
 | ExternalFlow.cs:103:16:103:17 | access to local variable d1 : D [field Field] : Object | semmle.label | access to local variable d1 : D [field Field] : Object |
 | ExternalFlow.cs:104:18:104:19 | access to local variable d1 : D [field Field] : Object | semmle.label | access to local variable d1 : D [field Field] : Object |
@@ -293,7 +307,7 @@ nodes
 | ExternalFlow.cs:345:18:345:18 | access to local variable l : Library [synthetic X] : Object | semmle.label | access to local variable l : Library [synthetic X] : Object |
 | ExternalFlow.cs:345:18:345:29 | call to method GetValue | semmle.label | call to method GetValue |
 subpaths
-| ExternalFlow.cs:84:29:84:32 | access to local variable objs : null [element] : Object | ExternalFlow.cs:84:35:84:35 | o : Object | ExternalFlow.cs:84:40:84:40 | access to parameter o : Object | ExternalFlow.cs:84:25:84:41 | call to method Map<Object,Object> : T[] [element] : Object |
+| ExternalFlow.cs:84:35:84:40 | [post] (...) => ... : Func<T,T> [delegate argument at position 0] : Object | ExternalFlow.cs:84:35:84:35 | o : Object | ExternalFlow.cs:84:40:84:40 | access to parameter o : Object | ExternalFlow.cs:84:35:84:40 | (...) => ... : (...) => ... [delegate return] : Object |
 invalidModelRow
 #select
 | ExternalFlow.cs:10:18:10:33 | call to method StepArgRes | ExternalFlow.cs:9:27:9:38 | object creation of type Object : Object | ExternalFlow.cs:10:18:10:33 | call to method StepArgRes | $@ | ExternalFlow.cs:9:27:9:38 | object creation of type Object : Object | object creation of type Object : Object |

csharp/ql/test/library-tests/dataflow/functionpointers/FunctionPointerFlow.expected

@@ -1,20 +1,2 @@
 fptrCall
-| FunctionPointerFlow.cs:14:9:14:12 | function pointer call | FunctionPointerFlow.cs:5:24:5:27 | Log1 |
-| FunctionPointerFlow.cs:14:9:14:12 | function pointer call | FunctionPointerFlow.cs:6:24:6:27 | Log2 |
-| FunctionPointerFlow.cs:14:9:14:12 | function pointer call | FunctionPointerFlow.cs:10:24:10:27 | Log6 |
-| FunctionPointerFlow.cs:14:9:14:12 | function pointer call | FunctionPointerFlow.cs:46:9:46:44 | LocalFunction |
-| FunctionPointerFlow.cs:16:9:16:12 | function pointer call | FunctionPointerFlow.cs:7:24:7:27 | Log3 |
-| FunctionPointerFlow.cs:41:9:41:15 | function pointer call | FunctionPointerFlow.cs:8:24:8:27 | Log4 |
-| FunctionPointerFlow.cs:54:9:54:16 | function pointer call | FunctionPointerFlow.cs:9:24:9:27 | Log5 |
-| FunctionPointerFlow.cs:59:9:59:13 | function pointer call | FunctionPointerFlow.cs:24:24:24:25 | M4 |
-| FunctionPointerFlow.cs:69:9:69:13 | function pointer call | FunctionPointerFlow.cs:72:24:72:26 | M17 |
 fptrCallContext
-| FunctionPointerFlow.cs:14:9:14:12 | function pointer call | FunctionPointerFlow.cs:21:9:21:17 | call to method M2 | FunctionPointerFlow.cs:5:24:5:27 | Log1 |
-| FunctionPointerFlow.cs:14:9:14:12 | function pointer call | FunctionPointerFlow.cs:26:9:26:13 | call to method M2 | FunctionPointerFlow.cs:6:24:6:27 | Log2 |
-| FunctionPointerFlow.cs:14:9:14:12 | function pointer call | FunctionPointerFlow.cs:26:9:26:13 | call to method M2 | FunctionPointerFlow.cs:10:24:10:27 | Log6 |
-| FunctionPointerFlow.cs:14:9:14:12 | function pointer call | FunctionPointerFlow.cs:47:9:47:26 | call to method M2 | FunctionPointerFlow.cs:46:9:46:44 | LocalFunction |
-| FunctionPointerFlow.cs:16:9:16:12 | function pointer call | file://:0:0:0:0 | (none) | FunctionPointerFlow.cs:7:24:7:27 | Log3 |
-| FunctionPointerFlow.cs:41:9:41:15 | function pointer call | file://:0:0:0:0 | (none) | FunctionPointerFlow.cs:8:24:8:27 | Log4 |
-| FunctionPointerFlow.cs:54:9:54:16 | function pointer call | file://:0:0:0:0 | (none) | FunctionPointerFlow.cs:9:24:9:27 | Log5 |
-| FunctionPointerFlow.cs:59:9:59:13 | function pointer call | FunctionPointerFlow.cs:64:9:64:23 | call to method M10 | FunctionPointerFlow.cs:24:24:24:25 | M4 |
-| FunctionPointerFlow.cs:69:9:69:13 | function pointer call | FunctionPointerFlow.cs:81:9:81:29 | call to method M16 | FunctionPointerFlow.cs:72:24:72:26 | M17 |

csharp/ql/test/library-tests/dataflow/global/Common.qll

@@ -2,8 +2,9 @@ import csharp
 
 module FlowConfig implements DataFlow::ConfigSig {
   predicate isSource(DataFlow::Node source) {
-    source.asExpr().(StringLiteral).getValue() = "taint source"
+    source.asExpr().(StringLiteral).getValue() = "taint source" //and
     or
+    // source.getLocation().getStartLine() = 81
     source.asParameter().hasName("tainted")
   }
 
@@ -13,6 +14,7 @@ module FlowConfig implements DataFlow::ConfigSig {
       mc.getAnArgument() = sink.asExpr()
     )
   }
+  // predicate includeHiddenNodes() { any() }
 }
 
 module Flow = DataFlow::Global<FlowConfig>;

csharp/ql/test/library-tests/dataflow/global/DataFlow.expected

@@ -12,8 +12,8 @@
 | Capture.cs:163:15:163:20 | access to local variable sink36 |
 | Capture.cs:171:15:171:20 | access to local variable sink37 |
 | Capture.cs:197:15:197:20 | access to local variable sink38 |
+| Capture.cs:199:15:199:22 | access to local variable nonSink0 |
 | Capture.cs:206:19:206:19 | access to parameter s |
-| Capture.cs:217:19:217:19 | access to parameter s |
 | Capture.cs:231:19:231:19 | access to local variable x |
 | Capture.cs:234:15:234:15 | access to local variable x |
 | Capture.cs:246:19:246:25 | access to field Field |
@@ -40,6 +40,7 @@
 | GlobalDataFlow.cs:86:15:86:20 | access to local variable sink15 |
 | GlobalDataFlow.cs:88:15:88:20 | access to local variable sink16 |
 | GlobalDataFlow.cs:140:15:140:19 | access to local variable sink4 |
+| GlobalDataFlow.cs:144:15:144:22 | access to local variable nonSink0 |
 | GlobalDataFlow.cs:148:15:148:19 | access to local variable sink5 |
 | GlobalDataFlow.cs:158:15:158:19 | access to local variable sink6 |
 | GlobalDataFlow.cs:161:15:161:19 | access to local variable sink7 |
@@ -53,6 +54,12 @@
 | GlobalDataFlow.cs:217:15:217:20 | access to local variable sink24 |
 | GlobalDataFlow.cs:219:15:219:20 | access to local variable sink25 |
 | GlobalDataFlow.cs:221:15:221:20 | access to local variable sink26 |
+| GlobalDataFlow.cs:224:59:224:70 | access to parameter nonSinkParam |
+| GlobalDataFlow.cs:227:15:227:21 | access to local variable nonSink |
+| GlobalDataFlow.cs:229:15:229:21 | access to local variable nonSink |
+| GlobalDataFlow.cs:231:15:231:21 | access to local variable nonSink |
+| GlobalDataFlow.cs:233:15:233:21 | access to local variable nonSink |
+| GlobalDataFlow.cs:235:15:235:21 | access to local variable nonSink |
 | GlobalDataFlow.cs:243:15:243:20 | access to local variable sink41 |
 | GlobalDataFlow.cs:245:15:245:20 | access to local variable sink42 |
 | GlobalDataFlow.cs:260:15:260:24 | access to parameter sinkParam0 |
@@ -65,6 +72,7 @@
 | GlobalDataFlow.cs:317:15:317:24 | access to parameter sinkParam8 |
 | GlobalDataFlow.cs:323:15:323:24 | access to parameter sinkParam9 |
 | GlobalDataFlow.cs:329:15:329:25 | access to parameter sinkParam11 |
+| GlobalDataFlow.cs:335:15:335:26 | access to parameter nonSinkParam |
 | GlobalDataFlow.cs:404:15:404:20 | access to local variable sink11 |
 | GlobalDataFlow.cs:427:41:427:46 | access to local variable sink20 |
 | GlobalDataFlow.cs:461:15:461:20 | access to local variable sink45 |

csharp/ql/test/library-tests/dataflow/global/TaintTracking.expected

@@ -12,8 +12,8 @@
 | Capture.cs:163:15:163:20 | access to local variable sink36 |
 | Capture.cs:171:15:171:20 | access to local variable sink37 |
 | Capture.cs:197:15:197:20 | access to local variable sink38 |
+| Capture.cs:199:15:199:22 | access to local variable nonSink0 |
 | Capture.cs:206:19:206:19 | access to parameter s |
-| Capture.cs:217:19:217:19 | access to parameter s |
 | Capture.cs:231:19:231:19 | access to local variable x |
 | Capture.cs:234:15:234:15 | access to local variable x |
 | Capture.cs:246:19:246:25 | access to field Field |
@@ -45,6 +45,7 @@
 | GlobalDataFlow.cs:98:15:98:20 | access to local variable sink22 |
 | GlobalDataFlow.cs:101:15:101:21 | access to local variable sink21b |
 | GlobalDataFlow.cs:140:15:140:19 | access to local variable sink4 |
+| GlobalDataFlow.cs:144:15:144:22 | access to local variable nonSink0 |
 | GlobalDataFlow.cs:148:15:148:19 | access to local variable sink5 |
 | GlobalDataFlow.cs:158:15:158:19 | access to local variable sink6 |
 | GlobalDataFlow.cs:161:15:161:19 | access to local variable sink7 |
@@ -58,6 +59,12 @@
 | GlobalDataFlow.cs:217:15:217:20 | access to local variable sink24 |
 | GlobalDataFlow.cs:219:15:219:20 | access to local variable sink25 |
 | GlobalDataFlow.cs:221:15:221:20 | access to local variable sink26 |
+| GlobalDataFlow.cs:224:59:224:70 | access to parameter nonSinkParam |
+| GlobalDataFlow.cs:227:15:227:21 | access to local variable nonSink |
+| GlobalDataFlow.cs:229:15:229:21 | access to local variable nonSink |
+| GlobalDataFlow.cs:231:15:231:21 | access to local variable nonSink |
+| GlobalDataFlow.cs:233:15:233:21 | access to local variable nonSink |
+| GlobalDataFlow.cs:235:15:235:21 | access to local variable nonSink |
 | GlobalDataFlow.cs:243:15:243:20 | access to local variable sink41 |
 | GlobalDataFlow.cs:245:15:245:20 | access to local variable sink42 |
 | GlobalDataFlow.cs:260:15:260:24 | access to parameter sinkParam0 |
@@ -70,6 +77,7 @@
 | GlobalDataFlow.cs:317:15:317:24 | access to parameter sinkParam8 |
 | GlobalDataFlow.cs:323:15:323:24 | access to parameter sinkParam9 |
 | GlobalDataFlow.cs:329:15:329:25 | access to parameter sinkParam11 |
+| GlobalDataFlow.cs:335:15:335:26 | access to parameter nonSinkParam |
 | GlobalDataFlow.cs:404:15:404:20 | access to local variable sink11 |
 | GlobalDataFlow.cs:427:41:427:46 | access to local variable sink20 |
 | GlobalDataFlow.cs:449:15:449:20 | access to local variable sink44 |

csharp/ql/test/library-tests/dataflow/lambda/LambdaFlow.cs

@@ -0,0 +1,190 @@
+using System;
+
+public class LambdaFlow
+{
+    /// <summary>
+    /// Flow into a normal method
+    /// </summary>
+    class Ex1
+    {
+        void M1(string s)
+        {
+            Sink(s); // $ hasValueFlow=1
+        }
+
+        public void M2()
+        {
+            var source = Source(1);
+            M1(source);
+        }
+    }
+
+
+
+
+
+
+
+    /// <summary>
+    /// Flow into a lambda
+    /// </summary>
+    class Ex2
+    {
+        void M1(Action<string> lambda)
+        {
+            var source = Source(2);
+            lambda(source);
+        }
+
+        void M2()
+        {
+            Action<string> lambda = x => Sink(x); // $ hasValueFlow=2
+            M1(lambda);
+        }
+    }
+
+
+
+
+
+
+
+    /// <summary>
+    /// Flow out of a lambda
+    /// </summary>
+    class Ex3
+    {
+        Func<string> M1()
+        {
+            return () => Source(3);
+        }
+
+        void M2()
+        {
+            var lambda = M1();
+            Sink(lambda()); // $ hasValueFlow=3
+        }
+    }
+
+
+
+
+
+
+
+    /// <summary>
+    /// Flow through a lambda
+    /// </summary>
+    class Ex4
+    {
+        string M1(Func<string, string> lambda, string input)
+        {
+            return lambda(input);
+        }
+
+        void M2()
+        {
+            Func<string, string> id = x => x;
+            var source = Source(4);
+            var output = M1(id, source);
+            Sink(output); // $ hasValueFlow=4
+        }
+    }
+
+
+
+
+
+
+
+    /// <summary>
+    /// No flow into lambda (call context sensitivity)
+    /// </summary>
+    class Ex5
+    {
+        void M1(Action<string> lambda, string input)
+        {
+            lambda(input);
+        }
+
+        void M2(Action<string> lambda, string input)
+        {
+            M1(lambda, input);
+        }
+
+        void M3()
+        {
+            Action<string> lambda1 = arg => Sink(arg);
+            Action<string> lambda2 = arg => { };
+
+            var source = Source(5);
+            var nonSource = "non-source";
+
+            M1(lambda1, nonSource);
+            M1(lambda2, source);
+
+            M2(lambda1, nonSource);
+            M2(lambda2, source);
+        }
+    }
+
+
+
+
+
+
+
+    /// <summary>
+    /// Flow into a returned lambda
+    /// </summary>
+    class Ex6
+    {
+        Action<string> M1()
+        {
+            return x => Sink(x); // $ hasValueFlow=6
+        }
+
+        void M2()
+        {
+            var source = Source(6);
+            var lambda = M1();
+            lambda(source);
+        }
+    }
+
+
+
+
+
+
+
+    /// <summary>
+    /// No flow through lambda
+    /// </summary>
+    class Ex7
+    {
+        void M1(Func<string, string> lambda)
+        {
+            var source = Source(7);
+            lambda(source);
+        }
+
+        void M2(Func<string, string> lambda)
+        {
+            var nonSource = "non-source";
+            var output = lambda(nonSource);
+            Sink(output);
+        }
+
+        void M3()
+        {
+            Func<string, string> id = x => x;
+            M1(id);
+            M2(id);
+        }
+    }
+
+    static string Source(int source) => source.ToString();
+
+    static void Sink(string value) { }
+}

csharp/ql/test/library-tests/dataflow/lambda/LambdaFlow.expected

@@ -0,0 +1,120 @@
+models
+edges
+| LambdaFlow.cs:10:24:10:24 | s : String | LambdaFlow.cs:12:18:12:18 | access to parameter s | provenance |  |
+| LambdaFlow.cs:17:17:17:22 | access to local variable source : String | LambdaFlow.cs:18:16:18:21 | access to local variable source : String | provenance |  |
+| LambdaFlow.cs:17:26:17:34 | call to method Source : String | LambdaFlow.cs:17:17:17:22 | access to local variable source : String | provenance |  |
+| LambdaFlow.cs:18:16:18:21 | access to local variable source : String | LambdaFlow.cs:10:24:10:24 | s : String | provenance |  |
+| LambdaFlow.cs:33:32:33:37 | lambda [Return] : Action<String> [delegate argument at position 0] : String | LambdaFlow.cs:42:16:42:21 | [post] access to local variable lambda : Action<String> [delegate argument at position 0] : String | provenance |  |
+| LambdaFlow.cs:35:17:35:22 | access to local variable source : String | LambdaFlow.cs:36:20:36:25 | access to local variable source : String | provenance |  |
+| LambdaFlow.cs:35:26:35:34 | call to method Source : String | LambdaFlow.cs:35:17:35:22 | access to local variable source : String | provenance |  |
+| LambdaFlow.cs:36:13:36:18 | [post] access to parameter lambda : Action<String> [delegate argument at position 0] : String | LambdaFlow.cs:33:32:33:37 | lambda [Return] : Action<String> [delegate argument at position 0] : String | provenance |  |
+| LambdaFlow.cs:36:20:36:25 | access to local variable source : String | LambdaFlow.cs:36:13:36:18 | [post] access to parameter lambda : Action<String> [delegate argument at position 0] : String | provenance |  |
+| LambdaFlow.cs:41:37:41:37 | x : String | LambdaFlow.cs:41:47:41:47 | access to parameter x | provenance |  |
+| LambdaFlow.cs:42:16:42:21 | [post] access to local variable lambda : Action<String> [delegate argument at position 0] : String | LambdaFlow.cs:41:37:41:37 | x : String | provenance |  |
+| LambdaFlow.cs:59:20:59:34 | (...) => ... : (...) => ... [delegate return] : String | LambdaFlow.cs:64:26:64:29 | call to method M1 : (...) => ... [delegate return] : String | provenance |  |
+| LambdaFlow.cs:59:26:59:34 | call to method Source : String | LambdaFlow.cs:59:20:59:34 | (...) => ... : (...) => ... [delegate return] : String | provenance |  |
+| LambdaFlow.cs:64:17:64:22 | access to local variable lambda : (...) => ... [delegate return] : String | LambdaFlow.cs:65:18:65:23 | access to local variable lambda : (...) => ... [delegate return] : String | provenance |  |
+| LambdaFlow.cs:64:26:64:29 | call to method M1 : (...) => ... [delegate return] : String | LambdaFlow.cs:64:17:64:22 | access to local variable lambda : (...) => ... [delegate return] : String | provenance |  |
+| LambdaFlow.cs:65:18:65:23 | access to local variable lambda : (...) => ... [delegate return] : String | LambdaFlow.cs:65:18:65:25 | delegate call | provenance |  |
+| LambdaFlow.cs:80:40:80:45 | lambda : (...) => ... [delegate return] : String | LambdaFlow.cs:82:20:82:25 | access to parameter lambda : (...) => ... [delegate return] : String | provenance |  |
+| LambdaFlow.cs:80:55:80:59 | input : String | LambdaFlow.cs:82:27:82:31 | access to parameter input : String | provenance |  |
+| LambdaFlow.cs:82:20:82:25 | [post] access to parameter lambda : Func<String,String> [delegate argument at position 0] : String | LambdaFlow.cs:80:40:80:45 | lambda [Return] : Func<String,String> [delegate argument at position 0] : String | provenance |  |
+| LambdaFlow.cs:82:20:82:25 | access to parameter lambda : (...) => ... [delegate return] : String | LambdaFlow.cs:82:20:82:32 | delegate call : String | provenance |  |
+| LambdaFlow.cs:82:27:82:31 | access to parameter input : String | LambdaFlow.cs:82:20:82:25 | [post] access to parameter lambda : Func<String,String> [delegate argument at position 0] : String | provenance |  |
+| LambdaFlow.cs:87:34:87:35 | access to local variable id : (...) => ... [delegate return] : String | LambdaFlow.cs:89:29:89:30 | access to local variable id : (...) => ... [delegate return] : String | provenance |  |
+| LambdaFlow.cs:87:39:87:39 | x : String | LambdaFlow.cs:87:44:87:44 | access to parameter x : String | provenance |  |
+| LambdaFlow.cs:87:39:87:44 | (...) => ... : (...) => ... [delegate return] : String | LambdaFlow.cs:87:34:87:35 | access to local variable id : (...) => ... [delegate return] : String | provenance |  |
+| LambdaFlow.cs:88:17:88:22 | access to local variable source : String | LambdaFlow.cs:89:33:89:38 | access to local variable source : String | provenance |  |
+| LambdaFlow.cs:88:26:88:34 | call to method Source : String | LambdaFlow.cs:88:17:88:22 | access to local variable source : String | provenance |  |
+| LambdaFlow.cs:89:17:89:22 | access to local variable output : String | LambdaFlow.cs:90:18:90:23 | access to local variable output | provenance |  |
+| LambdaFlow.cs:89:26:89:39 | call to method M1 : String | LambdaFlow.cs:89:17:89:22 | access to local variable output : String | provenance |  |
+| LambdaFlow.cs:89:29:89:30 | [post] access to local variable id : Func<String,String> [delegate argument at position 0] : String | LambdaFlow.cs:87:39:87:39 | x : String | provenance |  |
+| LambdaFlow.cs:89:29:89:30 | [post] access to local variable id : Func<String,String> [delegate argument at position 0] : String | LambdaFlow.cs:87:39:87:44 | (...) => ... : (...) => ... [delegate return] : String | provenance |  |
+| LambdaFlow.cs:89:29:89:30 | access to local variable id : (...) => ... [delegate return] : String | LambdaFlow.cs:80:40:80:45 | lambda : (...) => ... [delegate return] : String | provenance |  |
+| LambdaFlow.cs:89:29:89:30 | access to local variable id : (...) => ... [delegate return] : String | LambdaFlow.cs:89:26:89:39 | call to method M1 : String | provenance |  |
+| LambdaFlow.cs:89:33:89:38 | access to local variable source : String | LambdaFlow.cs:80:55:80:59 | input : String | provenance |  |
+| LambdaFlow.cs:89:33:89:38 | access to local variable source : String | LambdaFlow.cs:89:29:89:30 | [post] access to local variable id : Func<String,String> [delegate argument at position 0] : String | provenance |  |
+| LambdaFlow.cs:166:38:166:43 | lambda [Return] : Func<String,String> [delegate argument at position 0] : String | LambdaFlow.cs:182:16:182:17 | [post] access to local variable id : Func<String,String> [delegate argument at position 0] : String | provenance |  |
+| LambdaFlow.cs:168:17:168:22 | access to local variable source : String | LambdaFlow.cs:169:20:169:25 | access to local variable source : String | provenance |  |
+| LambdaFlow.cs:168:26:168:34 | call to method Source : String | LambdaFlow.cs:168:17:168:22 | access to local variable source : String | provenance |  |
+| LambdaFlow.cs:169:13:169:18 | [post] access to parameter lambda : Func<String,String> [delegate argument at position 0] : String | LambdaFlow.cs:166:38:166:43 | lambda [Return] : Func<String,String> [delegate argument at position 0] : String | provenance |  |
+| LambdaFlow.cs:169:20:169:25 | access to local variable source : String | LambdaFlow.cs:169:13:169:18 | [post] access to parameter lambda : Func<String,String> [delegate argument at position 0] : String | provenance |  |
+| LambdaFlow.cs:172:38:172:43 | lambda : (...) => ... [delegate return] : String | LambdaFlow.cs:175:26:175:31 | access to parameter lambda : (...) => ... [delegate return] : String | provenance |  |
+| LambdaFlow.cs:175:17:175:22 | access to local variable output : String | LambdaFlow.cs:176:18:176:23 | access to local variable output | provenance |  |
+| LambdaFlow.cs:175:26:175:31 | access to parameter lambda : (...) => ... [delegate return] : String | LambdaFlow.cs:175:26:175:42 | delegate call : String | provenance |  |
+| LambdaFlow.cs:175:26:175:42 | delegate call : String | LambdaFlow.cs:175:17:175:22 | access to local variable output : String | provenance |  |
+| LambdaFlow.cs:181:34:181:35 | access to local variable id : (...) => ... [delegate return] : String | LambdaFlow.cs:183:16:183:17 | access to local variable id : (...) => ... [delegate return] : String | provenance |  |
+| LambdaFlow.cs:181:39:181:39 | x : String | LambdaFlow.cs:181:44:181:44 | access to parameter x : String | provenance |  |
+| LambdaFlow.cs:181:39:181:44 | (...) => ... : (...) => ... [delegate return] : String | LambdaFlow.cs:181:34:181:35 | access to local variable id : (...) => ... [delegate return] : String | provenance |  |
+| LambdaFlow.cs:182:16:182:17 | [post] access to local variable id : Func<String,String> [delegate argument at position 0] : String | LambdaFlow.cs:181:39:181:39 | x : String | provenance |  |
+| LambdaFlow.cs:182:16:182:17 | [post] access to local variable id : Func<String,String> [delegate argument at position 0] : String | LambdaFlow.cs:181:39:181:44 | (...) => ... : (...) => ... [delegate return] : String | provenance |  |
+| LambdaFlow.cs:183:16:183:17 | access to local variable id : (...) => ... [delegate return] : String | LambdaFlow.cs:172:38:172:43 | lambda : (...) => ... [delegate return] : String | provenance |  |
+nodes
+| LambdaFlow.cs:10:24:10:24 | s : String | semmle.label | s : String |
+| LambdaFlow.cs:12:18:12:18 | access to parameter s | semmle.label | access to parameter s |
+| LambdaFlow.cs:17:17:17:22 | access to local variable source : String | semmle.label | access to local variable source : String |
+| LambdaFlow.cs:17:26:17:34 | call to method Source : String | semmle.label | call to method Source : String |
+| LambdaFlow.cs:18:16:18:21 | access to local variable source : String | semmle.label | access to local variable source : String |
+| LambdaFlow.cs:33:32:33:37 | lambda [Return] : Action<String> [delegate argument at position 0] : String | semmle.label | lambda [Return] : Action<String> [delegate argument at position 0] : String |
+| LambdaFlow.cs:35:17:35:22 | access to local variable source : String | semmle.label | access to local variable source : String |
+| LambdaFlow.cs:35:26:35:34 | call to method Source : String | semmle.label | call to method Source : String |
+| LambdaFlow.cs:36:13:36:18 | [post] access to parameter lambda : Action<String> [delegate argument at position 0] : String | semmle.label | [post] access to parameter lambda : Action<String> [delegate argument at position 0] : String |
+| LambdaFlow.cs:36:20:36:25 | access to local variable source : String | semmle.label | access to local variable source : String |
+| LambdaFlow.cs:41:37:41:37 | x : String | semmle.label | x : String |
+| LambdaFlow.cs:41:47:41:47 | access to parameter x | semmle.label | access to parameter x |
+| LambdaFlow.cs:42:16:42:21 | [post] access to local variable lambda : Action<String> [delegate argument at position 0] : String | semmle.label | [post] access to local variable lambda : Action<String> [delegate argument at position 0] : String |
+| LambdaFlow.cs:59:20:59:34 | (...) => ... : (...) => ... [delegate return] : String | semmle.label | (...) => ... : (...) => ... [delegate return] : String |
+| LambdaFlow.cs:59:26:59:34 | call to method Source : String | semmle.label | call to method Source : String |
+| LambdaFlow.cs:64:17:64:22 | access to local variable lambda : (...) => ... [delegate return] : String | semmle.label | access to local variable lambda : (...) => ... [delegate return] : String |
+| LambdaFlow.cs:64:26:64:29 | call to method M1 : (...) => ... [delegate return] : String | semmle.label | call to method M1 : (...) => ... [delegate return] : String |
+| LambdaFlow.cs:65:18:65:23 | access to local variable lambda : (...) => ... [delegate return] : String | semmle.label | access to local variable lambda : (...) => ... [delegate return] : String |
+| LambdaFlow.cs:65:18:65:25 | delegate call | semmle.label | delegate call |
+| LambdaFlow.cs:80:40:80:45 | lambda : (...) => ... [delegate return] : String | semmle.label | lambda : (...) => ... [delegate return] : String |
+| LambdaFlow.cs:80:40:80:45 | lambda [Return] : Func<String,String> [delegate argument at position 0] : String | semmle.label | lambda [Return] : Func<String,String> [delegate argument at position 0] : String |
+| LambdaFlow.cs:80:55:80:59 | input : String | semmle.label | input : String |
+| LambdaFlow.cs:82:20:82:25 | [post] access to parameter lambda : Func<String,String> [delegate argument at position 0] : String | semmle.label | [post] access to parameter lambda : Func<String,String> [delegate argument at position 0] : String |
+| LambdaFlow.cs:82:20:82:25 | access to parameter lambda : (...) => ... [delegate return] : String | semmle.label | access to parameter lambda : (...) => ... [delegate return] : String |
+| LambdaFlow.cs:82:20:82:32 | delegate call : String | semmle.label | delegate call : String |
+| LambdaFlow.cs:82:27:82:31 | access to parameter input : String | semmle.label | access to parameter input : String |
+| LambdaFlow.cs:87:34:87:35 | access to local variable id : (...) => ... [delegate return] : String | semmle.label | access to local variable id : (...) => ... [delegate return] : String |
+| LambdaFlow.cs:87:39:87:39 | x : String | semmle.label | x : String |
+| LambdaFlow.cs:87:39:87:44 | (...) => ... : (...) => ... [delegate return] : String | semmle.label | (...) => ... : (...) => ... [delegate return] : String |
+| LambdaFlow.cs:87:44:87:44 | access to parameter x : String | semmle.label | access to parameter x : String |
+| LambdaFlow.cs:88:17:88:22 | access to local variable source : String | semmle.label | access to local variable source : String |
+| LambdaFlow.cs:88:26:88:34 | call to method Source : String | semmle.label | call to method Source : String |
+| LambdaFlow.cs:89:17:89:22 | access to local variable output : String | semmle.label | access to local variable output : String |
+| LambdaFlow.cs:89:26:89:39 | call to method M1 : String | semmle.label | call to method M1 : String |
+| LambdaFlow.cs:89:29:89:30 | [post] access to local variable id : Func<String,String> [delegate argument at position 0] : String | semmle.label | [post] access to local variable id : Func<String,String> [delegate argument at position 0] : String |
+| LambdaFlow.cs:89:29:89:30 | access to local variable id : (...) => ... [delegate return] : String | semmle.label | access to local variable id : (...) => ... [delegate return] : String |
+| LambdaFlow.cs:89:33:89:38 | access to local variable source : String | semmle.label | access to local variable source : String |
+| LambdaFlow.cs:90:18:90:23 | access to local variable output | semmle.label | access to local variable output |
+| LambdaFlow.cs:166:38:166:43 | lambda [Return] : Func<String,String> [delegate argument at position 0] : String | semmle.label | lambda [Return] : Func<String,String> [delegate argument at position 0] : String |
+| LambdaFlow.cs:168:17:168:22 | access to local variable source : String | semmle.label | access to local variable source : String |
+| LambdaFlow.cs:168:26:168:34 | call to method Source : String | semmle.label | call to method Source : String |
+| LambdaFlow.cs:169:13:169:18 | [post] access to parameter lambda : Func<String,String> [delegate argument at position 0] : String | semmle.label | [post] access to parameter lambda : Func<String,String> [delegate argument at position 0] : String |
+| LambdaFlow.cs:169:20:169:25 | access to local variable source : String | semmle.label | access to local variable source : String |
+| LambdaFlow.cs:172:38:172:43 | lambda : (...) => ... [delegate return] : String | semmle.label | lambda : (...) => ... [delegate return] : String |
+| LambdaFlow.cs:175:17:175:22 | access to local variable output : String | semmle.label | access to local variable output : String |
+| LambdaFlow.cs:175:26:175:31 | access to parameter lambda : (...) => ... [delegate return] : String | semmle.label | access to parameter lambda : (...) => ... [delegate return] : String |
+| LambdaFlow.cs:175:26:175:42 | delegate call : String | semmle.label | delegate call : String |
+| LambdaFlow.cs:176:18:176:23 | access to local variable output | semmle.label | access to local variable output |
+| LambdaFlow.cs:181:34:181:35 | access to local variable id : (...) => ... [delegate return] : String | semmle.label | access to local variable id : (...) => ... [delegate return] : String |
+| LambdaFlow.cs:181:39:181:39 | x : String | semmle.label | x : String |
+| LambdaFlow.cs:181:39:181:44 | (...) => ... : (...) => ... [delegate return] : String | semmle.label | (...) => ... : (...) => ... [delegate return] : String |
+| LambdaFlow.cs:181:44:181:44 | access to parameter x : String | semmle.label | access to parameter x : String |
+| LambdaFlow.cs:182:16:182:17 | [post] access to local variable id : Func<String,String> [delegate argument at position 0] : String | semmle.label | [post] access to local variable id : Func<String,String> [delegate argument at position 0] : String |
+| LambdaFlow.cs:183:16:183:17 | access to local variable id : (...) => ... [delegate return] : String | semmle.label | access to local variable id : (...) => ... [delegate return] : String |
+subpaths
+| LambdaFlow.cs:89:29:89:30 | [post] access to local variable id : Func<String,String> [delegate argument at position 0] : String | LambdaFlow.cs:87:39:87:39 | x : String | LambdaFlow.cs:87:44:87:44 | access to parameter x : String | LambdaFlow.cs:87:39:87:44 | (...) => ... : (...) => ... [delegate return] : String |
+| LambdaFlow.cs:89:29:89:30 | access to local variable id : (...) => ... [delegate return] : String | LambdaFlow.cs:80:40:80:45 | lambda : (...) => ... [delegate return] : String | LambdaFlow.cs:82:20:82:32 | delegate call : String | LambdaFlow.cs:89:26:89:39 | call to method M1 : String |
+| LambdaFlow.cs:89:33:89:38 | access to local variable source : String | LambdaFlow.cs:80:55:80:59 | input : String | LambdaFlow.cs:80:40:80:45 | lambda [Return] : Func<String,String> [delegate argument at position 0] : String | LambdaFlow.cs:89:29:89:30 | [post] access to local variable id : Func<String,String> [delegate argument at position 0] : String |
+| LambdaFlow.cs:182:16:182:17 | [post] access to local variable id : Func<String,String> [delegate argument at position 0] : String | LambdaFlow.cs:181:39:181:39 | x : String | LambdaFlow.cs:181:44:181:44 | access to parameter x : String | LambdaFlow.cs:181:39:181:44 | (...) => ... : (...) => ... [delegate return] : String |
+testFailures
+| LambdaFlow.cs:144:34:144:52 | // ... | Missing result: hasValueFlow=6 |
+| LambdaFlow.cs:176:18:176:23 | access to local variable output | Unexpected result: hasValueFlow=7 |
+#select
+| LambdaFlow.cs:12:18:12:18 | access to parameter s | LambdaFlow.cs:17:26:17:34 | call to method Source : String | LambdaFlow.cs:12:18:12:18 | access to parameter s | $@ | LambdaFlow.cs:17:26:17:34 | call to method Source : String | call to method Source : String |
+| LambdaFlow.cs:41:47:41:47 | access to parameter x | LambdaFlow.cs:35:26:35:34 | call to method Source : String | LambdaFlow.cs:41:47:41:47 | access to parameter x | $@ | LambdaFlow.cs:35:26:35:34 | call to method Source : String | call to method Source : String |
+| LambdaFlow.cs:65:18:65:25 | delegate call | LambdaFlow.cs:59:26:59:34 | call to method Source : String | LambdaFlow.cs:65:18:65:25 | delegate call | $@ | LambdaFlow.cs:59:26:59:34 | call to method Source : String | call to method Source : String |
+| LambdaFlow.cs:90:18:90:23 | access to local variable output | LambdaFlow.cs:88:26:88:34 | call to method Source : String | LambdaFlow.cs:90:18:90:23 | access to local variable output | $@ | LambdaFlow.cs:88:26:88:34 | call to method Source : String | call to method Source : String |
+| LambdaFlow.cs:176:18:176:23 | access to local variable output | LambdaFlow.cs:168:26:168:34 | call to method Source : String | LambdaFlow.cs:176:18:176:23 | access to local variable output | $@ | LambdaFlow.cs:168:26:168:34 | call to method Source : String | call to method Source : String |

csharp/ql/test/library-tests/dataflow/lambda/LambdaFlow.ql

@@ -0,0 +1,12 @@
+/**
+ * @kind path-problem
+ */
+
+import csharp
+import TestUtilities.InlineFlowTest
+import ValueFlowTest<DefaultFlowConfig>
+import PathGraph
+
+from PathNode source, PathNode sink
+where flowPath(source, sink)
+select sink, source, sink, "$@", source, source.toString()

csharp/ql/test/library-tests/dataflow/typeflow-dispatch/TypeFlowDispatch.expected

@@ -4,20 +4,32 @@ models
 edges
 | TypeFlowDispatch.cs:11:42:11:42 | x : String | TypeFlowDispatch.cs:13:11:13:11 | access to parameter x : String | provenance |  |
 | TypeFlowDispatch.cs:11:42:11:42 | x : String | TypeFlowDispatch.cs:13:11:13:11 | access to parameter x : String | provenance |  |
-| TypeFlowDispatch.cs:13:11:13:11 | access to parameter x : String | TypeFlowDispatch.cs:23:20:23:20 | x : String | provenance |  |
+| TypeFlowDispatch.cs:13:9:13:9 | [post] access to parameter f : Action<T> [delegate argument at position 0] : String | TypeFlowDispatch.cs:11:37:11:37 | f [Return] : Action<T> [delegate argument at position 0] : String | provenance |  |
-| TypeFlowDispatch.cs:13:11:13:11 | access to parameter x : String | TypeFlowDispatch.cs:23:20:23:20 | x : String | provenance |  |
+| TypeFlowDispatch.cs:13:9:13:9 | [post] access to parameter f : Action<T> [delegate argument at position 0] : String | TypeFlowDispatch.cs:11:37:11:37 | f [Return] : Action<T> [delegate argument at position 0] : String | provenance |  |
+| TypeFlowDispatch.cs:13:11:13:11 | access to parameter x : String | TypeFlowDispatch.cs:13:9:13:9 | [post] access to parameter f : Action<T> [delegate argument at position 0] : String | provenance |  |
+| TypeFlowDispatch.cs:13:11:13:11 | access to parameter x : String | TypeFlowDispatch.cs:13:9:13:9 | [post] access to parameter f : Action<T> [delegate argument at position 0] : String | provenance |  |
 | TypeFlowDispatch.cs:16:46:16:46 | x : String | TypeFlowDispatch.cs:18:19:18:19 | access to parameter x : String | provenance |  |
 | TypeFlowDispatch.cs:16:46:16:46 | x : String | TypeFlowDispatch.cs:18:19:18:19 | access to parameter x : String | provenance |  |
+| TypeFlowDispatch.cs:18:16:18:16 | [post] access to parameter f : Action<T> [delegate argument at position 0] : String | TypeFlowDispatch.cs:16:41:16:41 | f [Return] : Action<T> [delegate argument at position 0] : String | provenance |  |
+| TypeFlowDispatch.cs:18:16:18:16 | [post] access to parameter f : Action<T> [delegate argument at position 0] : String | TypeFlowDispatch.cs:16:41:16:41 | f [Return] : Action<T> [delegate argument at position 0] : String | provenance |  |
 | TypeFlowDispatch.cs:18:19:18:19 | access to parameter x : String | TypeFlowDispatch.cs:11:42:11:42 | x : String | provenance |  |
 | TypeFlowDispatch.cs:18:19:18:19 | access to parameter x : String | TypeFlowDispatch.cs:11:42:11:42 | x : String | provenance |  |
+| TypeFlowDispatch.cs:18:19:18:19 | access to parameter x : String | TypeFlowDispatch.cs:18:16:18:16 | [post] access to parameter f : Action<T> [delegate argument at position 0] : String | provenance |  |
+| TypeFlowDispatch.cs:18:19:18:19 | access to parameter x : String | TypeFlowDispatch.cs:18:16:18:16 | [post] access to parameter f : Action<T> [delegate argument at position 0] : String | provenance |  |
 | TypeFlowDispatch.cs:23:20:23:20 | x : String | TypeFlowDispatch.cs:23:32:23:32 | access to parameter x | provenance |  |
 | TypeFlowDispatch.cs:23:20:23:20 | x : String | TypeFlowDispatch.cs:23:32:23:32 | access to parameter x | provenance |  |
+| TypeFlowDispatch.cs:23:20:23:36 | [post] (...) => ... : Action<T> [delegate argument at position 0] : String | TypeFlowDispatch.cs:23:20:23:20 | x : String | provenance |  |
+| TypeFlowDispatch.cs:23:20:23:36 | [post] (...) => ... : Action<T> [delegate argument at position 0] : String | TypeFlowDispatch.cs:23:20:23:20 | x : String | provenance |  |
 | TypeFlowDispatch.cs:23:39:23:49 | call to method Source<String> : String | TypeFlowDispatch.cs:16:46:16:46 | x : String | provenance |  |
 | TypeFlowDispatch.cs:23:39:23:49 | call to method Source<String> : String | TypeFlowDispatch.cs:16:46:16:46 | x : String | provenance |  |
+| TypeFlowDispatch.cs:23:39:23:49 | call to method Source<String> : String | TypeFlowDispatch.cs:23:20:23:36 | [post] (...) => ... : Action<T> [delegate argument at position 0] : String | provenance |  |
+| TypeFlowDispatch.cs:23:39:23:49 | call to method Source<String> : String | TypeFlowDispatch.cs:23:20:23:36 | [post] (...) => ... : Action<T> [delegate argument at position 0] : String | provenance |  |
 | TypeFlowDispatch.cs:29:37:29:37 | l : List<T> [element] : String | TypeFlowDispatch.cs:31:9:31:9 | access to parameter l : List<T> [element] : String | provenance |  |
 | TypeFlowDispatch.cs:29:37:29:37 | l : List<T> [element] : String | TypeFlowDispatch.cs:31:9:31:9 | access to parameter l : List<T> [element] : String | provenance |  |
-| TypeFlowDispatch.cs:31:9:31:9 | access to parameter l : List<T> [element] : String | TypeFlowDispatch.cs:39:34:39:34 | x : String | provenance | MaD:2 |
+| TypeFlowDispatch.cs:31:9:31:9 | access to parameter l : List<T> [element] : String | TypeFlowDispatch.cs:31:19:31:19 | [post] access to parameter f : Action<T> [delegate argument at position 0] : String | provenance | MaD:2 |
-| TypeFlowDispatch.cs:31:9:31:9 | access to parameter l : List<T> [element] : String | TypeFlowDispatch.cs:39:34:39:34 | x : String | provenance | MaD:2 |
+| TypeFlowDispatch.cs:31:9:31:9 | access to parameter l : List<T> [element] : String | TypeFlowDispatch.cs:31:19:31:19 | [post] access to parameter f : Action<T> [delegate argument at position 0] : String | provenance | MaD:2 |
+| TypeFlowDispatch.cs:31:19:31:19 | [post] access to parameter f : Action<T> [delegate argument at position 0] : String | TypeFlowDispatch.cs:29:50:29:50 | f [Return] : Action<T> [delegate argument at position 0] : String | provenance |  |
+| TypeFlowDispatch.cs:31:19:31:19 | [post] access to parameter f : Action<T> [delegate argument at position 0] : String | TypeFlowDispatch.cs:29:50:29:50 | f [Return] : Action<T> [delegate argument at position 0] : String | provenance |  |
 | TypeFlowDispatch.cs:36:13:36:19 | access to local variable tainted : List<T> [element] : String | TypeFlowDispatch.cs:39:25:39:31 | access to local variable tainted : List<T> [element] : String | provenance |  |
 | TypeFlowDispatch.cs:36:13:36:19 | access to local variable tainted : List<T> [element] : String | TypeFlowDispatch.cs:39:25:39:31 | access to local variable tainted : List<T> [element] : String | provenance |  |
 | TypeFlowDispatch.cs:36:23:36:54 | object creation of type List<String> : List<T> [element] : String | TypeFlowDispatch.cs:36:13:36:19 | access to local variable tainted : List<T> [element] : String | provenance |  |
@@ -26,30 +38,50 @@ edges
 | TypeFlowDispatch.cs:36:42:36:52 | call to method Source<String> : String | TypeFlowDispatch.cs:36:23:36:54 | object creation of type List<String> : List<T> [element] : String | provenance | MaD:1 |
 | TypeFlowDispatch.cs:39:25:39:31 | access to local variable tainted : List<T> [element] : String | TypeFlowDispatch.cs:29:37:29:37 | l : List<T> [element] : String | provenance |  |
 | TypeFlowDispatch.cs:39:25:39:31 | access to local variable tainted : List<T> [element] : String | TypeFlowDispatch.cs:29:37:29:37 | l : List<T> [element] : String | provenance |  |
+| TypeFlowDispatch.cs:39:25:39:31 | access to local variable tainted : List<T> [element] : String | TypeFlowDispatch.cs:39:34:39:50 | [post] (...) => ... : Action<T> [delegate argument at position 0] : String | provenance | MaD:2 |
+| TypeFlowDispatch.cs:39:25:39:31 | access to local variable tainted : List<T> [element] : String | TypeFlowDispatch.cs:39:34:39:50 | [post] (...) => ... : Action<T> [delegate argument at position 0] : String | provenance | MaD:2 |
 | TypeFlowDispatch.cs:39:34:39:34 | x : String | TypeFlowDispatch.cs:39:46:39:46 | access to parameter x | provenance |  |
 | TypeFlowDispatch.cs:39:34:39:34 | x : String | TypeFlowDispatch.cs:39:46:39:46 | access to parameter x | provenance |  |
+| TypeFlowDispatch.cs:39:34:39:50 | [post] (...) => ... : Action<T> [delegate argument at position 0] : String | TypeFlowDispatch.cs:39:34:39:34 | x : String | provenance |  |
+| TypeFlowDispatch.cs:39:34:39:50 | [post] (...) => ... : Action<T> [delegate argument at position 0] : String | TypeFlowDispatch.cs:39:34:39:34 | x : String | provenance |  |
 | TypeFlowDispatch.cs:42:42:42:42 | x : String | TypeFlowDispatch.cs:44:11:44:11 | access to parameter x : String | provenance |  |
 | TypeFlowDispatch.cs:42:42:42:42 | x : String | TypeFlowDispatch.cs:44:11:44:11 | access to parameter x : String | provenance |  |
-| TypeFlowDispatch.cs:44:11:44:11 | access to parameter x : String | TypeFlowDispatch.cs:52:32:52:32 | t : String | provenance |  |
+| TypeFlowDispatch.cs:44:9:44:9 | [post] access to parameter f : Action<T> [delegate argument at position 0] : String | TypeFlowDispatch.cs:42:37:42:37 | f [Return] : Action<T> [delegate argument at position 0] : String | provenance |  |
-| TypeFlowDispatch.cs:44:11:44:11 | access to parameter x : String | TypeFlowDispatch.cs:52:32:52:32 | t : String | provenance |  |
+| TypeFlowDispatch.cs:44:9:44:9 | [post] access to parameter f : Action<T> [delegate argument at position 0] : String | TypeFlowDispatch.cs:42:37:42:37 | f [Return] : Action<T> [delegate argument at position 0] : String | provenance |  |
+| TypeFlowDispatch.cs:44:11:44:11 | access to parameter x : String | TypeFlowDispatch.cs:44:9:44:9 | [post] access to parameter f : Action<T> [delegate argument at position 0] : String | provenance |  |
+| TypeFlowDispatch.cs:44:11:44:11 | access to parameter x : String | TypeFlowDispatch.cs:44:9:44:9 | [post] access to parameter f : Action<T> [delegate argument at position 0] : String | provenance |  |
 | TypeFlowDispatch.cs:47:46:47:46 | x : String | TypeFlowDispatch.cs:49:19:49:19 | access to parameter x : String | provenance |  |
 | TypeFlowDispatch.cs:47:46:47:46 | x : String | TypeFlowDispatch.cs:49:19:49:19 | access to parameter x : String | provenance |  |
+| TypeFlowDispatch.cs:49:16:49:16 | [post] access to parameter f : Action<T> [delegate argument at position 0] : String | TypeFlowDispatch.cs:47:41:47:41 | f [Return] : Action<T> [delegate argument at position 0] : String | provenance |  |
+| TypeFlowDispatch.cs:49:16:49:16 | [post] access to parameter f : Action<T> [delegate argument at position 0] : String | TypeFlowDispatch.cs:47:41:47:41 | f [Return] : Action<T> [delegate argument at position 0] : String | provenance |  |
 | TypeFlowDispatch.cs:49:19:49:19 | access to parameter x : String | TypeFlowDispatch.cs:42:42:42:42 | x : String | provenance |  |
 | TypeFlowDispatch.cs:49:19:49:19 | access to parameter x : String | TypeFlowDispatch.cs:42:42:42:42 | x : String | provenance |  |
+| TypeFlowDispatch.cs:49:19:49:19 | access to parameter x : String | TypeFlowDispatch.cs:49:16:49:16 | [post] access to parameter f : Action<T> [delegate argument at position 0] : String | provenance |  |
+| TypeFlowDispatch.cs:49:19:49:19 | access to parameter x : String | TypeFlowDispatch.cs:49:16:49:16 | [post] access to parameter f : Action<T> [delegate argument at position 0] : String | provenance |  |
 | TypeFlowDispatch.cs:52:32:52:32 | t : String | TypeFlowDispatch.cs:52:43:52:43 | access to parameter t | provenance |  |
 | TypeFlowDispatch.cs:52:32:52:32 | t : String | TypeFlowDispatch.cs:52:43:52:43 | access to parameter t | provenance |  |
+| TypeFlowDispatch.cs:57:20:57:35 | [post] delegate creation of type Action<String> : Action<T> [delegate argument at position 0] : String | TypeFlowDispatch.cs:52:32:52:32 | t : String | provenance |  |
+| TypeFlowDispatch.cs:57:20:57:35 | [post] delegate creation of type Action<String> : Action<T> [delegate argument at position 0] : String | TypeFlowDispatch.cs:52:32:52:32 | t : String | provenance |  |
 | TypeFlowDispatch.cs:57:38:57:48 | call to method Source<String> : String | TypeFlowDispatch.cs:47:46:47:46 | x : String | provenance |  |
 | TypeFlowDispatch.cs:57:38:57:48 | call to method Source<String> : String | TypeFlowDispatch.cs:47:46:47:46 | x : String | provenance |  |
+| TypeFlowDispatch.cs:57:38:57:48 | call to method Source<String> : String | TypeFlowDispatch.cs:57:20:57:35 | [post] delegate creation of type Action<String> : Action<T> [delegate argument at position 0] : String | provenance |  |
+| TypeFlowDispatch.cs:57:38:57:48 | call to method Source<String> : String | TypeFlowDispatch.cs:57:20:57:35 | [post] delegate creation of type Action<String> : Action<T> [delegate argument at position 0] : String | provenance |  |
 | TypeFlowDispatch.cs:61:29:61:29 | l : List<T> [element] : String | TypeFlowDispatch.cs:63:27:63:27 | access to parameter l : List<T> [element] : String | provenance |  |
 | TypeFlowDispatch.cs:61:29:61:29 | l : List<T> [element] : String | TypeFlowDispatch.cs:63:27:63:27 | access to parameter l : List<T> [element] : String | provenance |  |
 | TypeFlowDispatch.cs:63:27:63:27 | access to parameter l : List<T> [element] : String | TypeFlowDispatch.cs:64:15:64:15 | access to local variable x : String | provenance |  |
 | TypeFlowDispatch.cs:63:27:63:27 | access to parameter l : List<T> [element] : String | TypeFlowDispatch.cs:64:15:64:15 | access to local variable x : String | provenance |  |
-| TypeFlowDispatch.cs:64:15:64:15 | access to local variable x : String | TypeFlowDispatch.cs:52:32:52:32 | t : String | provenance |  |
+| TypeFlowDispatch.cs:64:13:64:13 | [post] access to parameter f : Action<T> [delegate argument at position 0] : String | TypeFlowDispatch.cs:61:42:61:42 | f [Return] : Action<T> [delegate argument at position 0] : String | provenance |  |
-| TypeFlowDispatch.cs:64:15:64:15 | access to local variable x : String | TypeFlowDispatch.cs:52:32:52:32 | t : String | provenance |  |
+| TypeFlowDispatch.cs:64:13:64:13 | [post] access to parameter f : Action<T> [delegate argument at position 0] : String | TypeFlowDispatch.cs:61:42:61:42 | f [Return] : Action<T> [delegate argument at position 0] : String | provenance |  |
+| TypeFlowDispatch.cs:64:15:64:15 | access to local variable x : String | TypeFlowDispatch.cs:64:13:64:13 | [post] access to parameter f : Action<T> [delegate argument at position 0] : String | provenance |  |
+| TypeFlowDispatch.cs:64:15:64:15 | access to local variable x : String | TypeFlowDispatch.cs:64:13:64:13 | [post] access to parameter f : Action<T> [delegate argument at position 0] : String | provenance |  |
 | TypeFlowDispatch.cs:67:33:67:33 | l : List<T> [element] : String | TypeFlowDispatch.cs:69:17:69:17 | access to parameter l : List<T> [element] : String | provenance |  |
 | TypeFlowDispatch.cs:67:33:67:33 | l : List<T> [element] : String | TypeFlowDispatch.cs:69:17:69:17 | access to parameter l : List<T> [element] : String | provenance |  |
 | TypeFlowDispatch.cs:69:17:69:17 | access to parameter l : List<T> [element] : String | TypeFlowDispatch.cs:61:29:61:29 | l : List<T> [element] : String | provenance |  |
 | TypeFlowDispatch.cs:69:17:69:17 | access to parameter l : List<T> [element] : String | TypeFlowDispatch.cs:61:29:61:29 | l : List<T> [element] : String | provenance |  |
+| TypeFlowDispatch.cs:69:17:69:17 | access to parameter l : List<T> [element] : String | TypeFlowDispatch.cs:69:20:69:20 | [post] access to parameter f : Action<T> [delegate argument at position 0] : String | provenance |  |
+| TypeFlowDispatch.cs:69:17:69:17 | access to parameter l : List<T> [element] : String | TypeFlowDispatch.cs:69:20:69:20 | [post] access to parameter f : Action<T> [delegate argument at position 0] : String | provenance |  |
+| TypeFlowDispatch.cs:69:20:69:20 | [post] access to parameter f : Action<T> [delegate argument at position 0] : String | TypeFlowDispatch.cs:67:46:67:46 | f [Return] : Action<T> [delegate argument at position 0] : String | provenance |  |
+| TypeFlowDispatch.cs:69:20:69:20 | [post] access to parameter f : Action<T> [delegate argument at position 0] : String | TypeFlowDispatch.cs:67:46:67:46 | f [Return] : Action<T> [delegate argument at position 0] : String | provenance |  |
 | TypeFlowDispatch.cs:74:13:74:19 | access to local variable tainted : List<T> [element] : String | TypeFlowDispatch.cs:77:21:77:27 | access to local variable tainted : List<T> [element] : String | provenance |  |
 | TypeFlowDispatch.cs:74:13:74:19 | access to local variable tainted : List<T> [element] : String | TypeFlowDispatch.cs:77:21:77:27 | access to local variable tainted : List<T> [element] : String | provenance |  |
 | TypeFlowDispatch.cs:74:23:74:54 | object creation of type List<String> : List<T> [element] : String | TypeFlowDispatch.cs:74:13:74:19 | access to local variable tainted : List<T> [element] : String | provenance |  |
@@ -58,25 +90,43 @@ edges
 | TypeFlowDispatch.cs:74:42:74:52 | call to method Source<String> : String | TypeFlowDispatch.cs:74:23:74:54 | object creation of type List<String> : List<T> [element] : String | provenance | MaD:1 |
 | TypeFlowDispatch.cs:77:21:77:27 | access to local variable tainted : List<T> [element] : String | TypeFlowDispatch.cs:67:33:67:33 | l : List<T> [element] : String | provenance |  |
 | TypeFlowDispatch.cs:77:21:77:27 | access to local variable tainted : List<T> [element] : String | TypeFlowDispatch.cs:67:33:67:33 | l : List<T> [element] : String | provenance |  |
+| TypeFlowDispatch.cs:77:21:77:27 | access to local variable tainted : List<T> [element] : String | TypeFlowDispatch.cs:77:30:77:45 | [post] delegate creation of type Action<String> : Action<T> [delegate argument at position 0] : String | provenance |  |
+| TypeFlowDispatch.cs:77:21:77:27 | access to local variable tainted : List<T> [element] : String | TypeFlowDispatch.cs:77:30:77:45 | [post] delegate creation of type Action<String> : Action<T> [delegate argument at position 0] : String | provenance |  |
+| TypeFlowDispatch.cs:77:30:77:45 | [post] delegate creation of type Action<String> : Action<T> [delegate argument at position 0] : String | TypeFlowDispatch.cs:52:32:52:32 | t : String | provenance |  |
+| TypeFlowDispatch.cs:77:30:77:45 | [post] delegate creation of type Action<String> : Action<T> [delegate argument at position 0] : String | TypeFlowDispatch.cs:52:32:52:32 | t : String | provenance |  |
 nodes
+| TypeFlowDispatch.cs:11:37:11:37 | f [Return] : Action<T> [delegate argument at position 0] : String | semmle.label | f [Return] : Action<T> [delegate argument at position 0] : String |
+| TypeFlowDispatch.cs:11:37:11:37 | f [Return] : Action<T> [delegate argument at position 0] : String | semmle.label | f [Return] : Action<T> [delegate argument at position 0] : String |
 | TypeFlowDispatch.cs:11:42:11:42 | x : String | semmle.label | x : String |
 | TypeFlowDispatch.cs:11:42:11:42 | x : String | semmle.label | x : String |
+| TypeFlowDispatch.cs:13:9:13:9 | [post] access to parameter f : Action<T> [delegate argument at position 0] : String | semmle.label | [post] access to parameter f : Action<T> [delegate argument at position 0] : String |
+| TypeFlowDispatch.cs:13:9:13:9 | [post] access to parameter f : Action<T> [delegate argument at position 0] : String | semmle.label | [post] access to parameter f : Action<T> [delegate argument at position 0] : String |
 | TypeFlowDispatch.cs:13:11:13:11 | access to parameter x : String | semmle.label | access to parameter x : String |
 | TypeFlowDispatch.cs:13:11:13:11 | access to parameter x : String | semmle.label | access to parameter x : String |
+| TypeFlowDispatch.cs:16:41:16:41 | f [Return] : Action<T> [delegate argument at position 0] : String | semmle.label | f [Return] : Action<T> [delegate argument at position 0] : String |
+| TypeFlowDispatch.cs:16:41:16:41 | f [Return] : Action<T> [delegate argument at position 0] : String | semmle.label | f [Return] : Action<T> [delegate argument at position 0] : String |
 | TypeFlowDispatch.cs:16:46:16:46 | x : String | semmle.label | x : String |
 | TypeFlowDispatch.cs:16:46:16:46 | x : String | semmle.label | x : String |
+| TypeFlowDispatch.cs:18:16:18:16 | [post] access to parameter f : Action<T> [delegate argument at position 0] : String | semmle.label | [post] access to parameter f : Action<T> [delegate argument at position 0] : String |
+| TypeFlowDispatch.cs:18:16:18:16 | [post] access to parameter f : Action<T> [delegate argument at position 0] : String | semmle.label | [post] access to parameter f : Action<T> [delegate argument at position 0] : String |
 | TypeFlowDispatch.cs:18:19:18:19 | access to parameter x : String | semmle.label | access to parameter x : String |
 | TypeFlowDispatch.cs:18:19:18:19 | access to parameter x : String | semmle.label | access to parameter x : String |
 | TypeFlowDispatch.cs:23:20:23:20 | x : String | semmle.label | x : String |
 | TypeFlowDispatch.cs:23:20:23:20 | x : String | semmle.label | x : String |
+| TypeFlowDispatch.cs:23:20:23:36 | [post] (...) => ... : Action<T> [delegate argument at position 0] : String | semmle.label | [post] (...) => ... : Action<T> [delegate argument at position 0] : String |
+| TypeFlowDispatch.cs:23:20:23:36 | [post] (...) => ... : Action<T> [delegate argument at position 0] : String | semmle.label | [post] (...) => ... : Action<T> [delegate argument at position 0] : String |
 | TypeFlowDispatch.cs:23:32:23:32 | access to parameter x | semmle.label | access to parameter x |
 | TypeFlowDispatch.cs:23:32:23:32 | access to parameter x | semmle.label | access to parameter x |
 | TypeFlowDispatch.cs:23:39:23:49 | call to method Source<String> : String | semmle.label | call to method Source<String> : String |
 | TypeFlowDispatch.cs:23:39:23:49 | call to method Source<String> : String | semmle.label | call to method Source<String> : String |
 | TypeFlowDispatch.cs:29:37:29:37 | l : List<T> [element] : String | semmle.label | l : List<T> [element] : String |
 | TypeFlowDispatch.cs:29:37:29:37 | l : List<T> [element] : String | semmle.label | l : List<T> [element] : String |
+| TypeFlowDispatch.cs:29:50:29:50 | f [Return] : Action<T> [delegate argument at position 0] : String | semmle.label | f [Return] : Action<T> [delegate argument at position 0] : String |
+| TypeFlowDispatch.cs:29:50:29:50 | f [Return] : Action<T> [delegate argument at position 0] : String | semmle.label | f [Return] : Action<T> [delegate argument at position 0] : String |
 | TypeFlowDispatch.cs:31:9:31:9 | access to parameter l : List<T> [element] : String | semmle.label | access to parameter l : List<T> [element] : String |
 | TypeFlowDispatch.cs:31:9:31:9 | access to parameter l : List<T> [element] : String | semmle.label | access to parameter l : List<T> [element] : String |
+| TypeFlowDispatch.cs:31:19:31:19 | [post] access to parameter f : Action<T> [delegate argument at position 0] : String | semmle.label | [post] access to parameter f : Action<T> [delegate argument at position 0] : String |
+| TypeFlowDispatch.cs:31:19:31:19 | [post] access to parameter f : Action<T> [delegate argument at position 0] : String | semmle.label | [post] access to parameter f : Action<T> [delegate argument at position 0] : String |
 | TypeFlowDispatch.cs:36:13:36:19 | access to local variable tainted : List<T> [element] : String | semmle.label | access to local variable tainted : List<T> [element] : String |
 | TypeFlowDispatch.cs:36:13:36:19 | access to local variable tainted : List<T> [element] : String | semmle.label | access to local variable tainted : List<T> [element] : String |
 | TypeFlowDispatch.cs:36:23:36:54 | object creation of type List<String> : List<T> [element] : String | semmle.label | object creation of type List<String> : List<T> [element] : String |
@@ -87,32 +137,52 @@ nodes
 | TypeFlowDispatch.cs:39:25:39:31 | access to local variable tainted : List<T> [element] : String | semmle.label | access to local variable tainted : List<T> [element] : String |
 | TypeFlowDispatch.cs:39:34:39:34 | x : String | semmle.label | x : String |
 | TypeFlowDispatch.cs:39:34:39:34 | x : String | semmle.label | x : String |
+| TypeFlowDispatch.cs:39:34:39:50 | [post] (...) => ... : Action<T> [delegate argument at position 0] : String | semmle.label | [post] (...) => ... : Action<T> [delegate argument at position 0] : String |
+| TypeFlowDispatch.cs:39:34:39:50 | [post] (...) => ... : Action<T> [delegate argument at position 0] : String | semmle.label | [post] (...) => ... : Action<T> [delegate argument at position 0] : String |
 | TypeFlowDispatch.cs:39:46:39:46 | access to parameter x | semmle.label | access to parameter x |
 | TypeFlowDispatch.cs:39:46:39:46 | access to parameter x | semmle.label | access to parameter x |
+| TypeFlowDispatch.cs:42:37:42:37 | f [Return] : Action<T> [delegate argument at position 0] : String | semmle.label | f [Return] : Action<T> [delegate argument at position 0] : String |
+| TypeFlowDispatch.cs:42:37:42:37 | f [Return] : Action<T> [delegate argument at position 0] : String | semmle.label | f [Return] : Action<T> [delegate argument at position 0] : String |
 | TypeFlowDispatch.cs:42:42:42:42 | x : String | semmle.label | x : String |
 | TypeFlowDispatch.cs:42:42:42:42 | x : String | semmle.label | x : String |
+| TypeFlowDispatch.cs:44:9:44:9 | [post] access to parameter f : Action<T> [delegate argument at position 0] : String | semmle.label | [post] access to parameter f : Action<T> [delegate argument at position 0] : String |
+| TypeFlowDispatch.cs:44:9:44:9 | [post] access to parameter f : Action<T> [delegate argument at position 0] : String | semmle.label | [post] access to parameter f : Action<T> [delegate argument at position 0] : String |
 | TypeFlowDispatch.cs:44:11:44:11 | access to parameter x : String | semmle.label | access to parameter x : String |
 | TypeFlowDispatch.cs:44:11:44:11 | access to parameter x : String | semmle.label | access to parameter x : String |
+| TypeFlowDispatch.cs:47:41:47:41 | f [Return] : Action<T> [delegate argument at position 0] : String | semmle.label | f [Return] : Action<T> [delegate argument at position 0] : String |
+| TypeFlowDispatch.cs:47:41:47:41 | f [Return] : Action<T> [delegate argument at position 0] : String | semmle.label | f [Return] : Action<T> [delegate argument at position 0] : String |
 | TypeFlowDispatch.cs:47:46:47:46 | x : String | semmle.label | x : String |
 | TypeFlowDispatch.cs:47:46:47:46 | x : String | semmle.label | x : String |
+| TypeFlowDispatch.cs:49:16:49:16 | [post] access to parameter f : Action<T> [delegate argument at position 0] : String | semmle.label | [post] access to parameter f : Action<T> [delegate argument at position 0] : String |
+| TypeFlowDispatch.cs:49:16:49:16 | [post] access to parameter f : Action<T> [delegate argument at position 0] : String | semmle.label | [post] access to parameter f : Action<T> [delegate argument at position 0] : String |
 | TypeFlowDispatch.cs:49:19:49:19 | access to parameter x : String | semmle.label | access to parameter x : String |
 | TypeFlowDispatch.cs:49:19:49:19 | access to parameter x : String | semmle.label | access to parameter x : String |
 | TypeFlowDispatch.cs:52:32:52:32 | t : String | semmle.label | t : String |
 | TypeFlowDispatch.cs:52:32:52:32 | t : String | semmle.label | t : String |
 | TypeFlowDispatch.cs:52:43:52:43 | access to parameter t | semmle.label | access to parameter t |
 | TypeFlowDispatch.cs:52:43:52:43 | access to parameter t | semmle.label | access to parameter t |
+| TypeFlowDispatch.cs:57:20:57:35 | [post] delegate creation of type Action<String> : Action<T> [delegate argument at position 0] : String | semmle.label | [post] delegate creation of type Action<String> : Action<T> [delegate argument at position 0] : String |
+| TypeFlowDispatch.cs:57:20:57:35 | [post] delegate creation of type Action<String> : Action<T> [delegate argument at position 0] : String | semmle.label | [post] delegate creation of type Action<String> : Action<T> [delegate argument at position 0] : String |
 | TypeFlowDispatch.cs:57:38:57:48 | call to method Source<String> : String | semmle.label | call to method Source<String> : String |
 | TypeFlowDispatch.cs:57:38:57:48 | call to method Source<String> : String | semmle.label | call to method Source<String> : String |
 | TypeFlowDispatch.cs:61:29:61:29 | l : List<T> [element] : String | semmle.label | l : List<T> [element] : String |
 | TypeFlowDispatch.cs:61:29:61:29 | l : List<T> [element] : String | semmle.label | l : List<T> [element] : String |
+| TypeFlowDispatch.cs:61:42:61:42 | f [Return] : Action<T> [delegate argument at position 0] : String | semmle.label | f [Return] : Action<T> [delegate argument at position 0] : String |
+| TypeFlowDispatch.cs:61:42:61:42 | f [Return] : Action<T> [delegate argument at position 0] : String | semmle.label | f [Return] : Action<T> [delegate argument at position 0] : String |
 | TypeFlowDispatch.cs:63:27:63:27 | access to parameter l : List<T> [element] : String | semmle.label | access to parameter l : List<T> [element] : String |
 | TypeFlowDispatch.cs:63:27:63:27 | access to parameter l : List<T> [element] : String | semmle.label | access to parameter l : List<T> [element] : String |
+| TypeFlowDispatch.cs:64:13:64:13 | [post] access to parameter f : Action<T> [delegate argument at position 0] : String | semmle.label | [post] access to parameter f : Action<T> [delegate argument at position 0] : String |
+| TypeFlowDispatch.cs:64:13:64:13 | [post] access to parameter f : Action<T> [delegate argument at position 0] : String | semmle.label | [post] access to parameter f : Action<T> [delegate argument at position 0] : String |
 | TypeFlowDispatch.cs:64:15:64:15 | access to local variable x : String | semmle.label | access to local variable x : String |
 | TypeFlowDispatch.cs:64:15:64:15 | access to local variable x : String | semmle.label | access to local variable x : String |
 | TypeFlowDispatch.cs:67:33:67:33 | l : List<T> [element] : String | semmle.label | l : List<T> [element] : String |
 | TypeFlowDispatch.cs:67:33:67:33 | l : List<T> [element] : String | semmle.label | l : List<T> [element] : String |
+| TypeFlowDispatch.cs:67:46:67:46 | f [Return] : Action<T> [delegate argument at position 0] : String | semmle.label | f [Return] : Action<T> [delegate argument at position 0] : String |
+| TypeFlowDispatch.cs:67:46:67:46 | f [Return] : Action<T> [delegate argument at position 0] : String | semmle.label | f [Return] : Action<T> [delegate argument at position 0] : String |
 | TypeFlowDispatch.cs:69:17:69:17 | access to parameter l : List<T> [element] : String | semmle.label | access to parameter l : List<T> [element] : String |
 | TypeFlowDispatch.cs:69:17:69:17 | access to parameter l : List<T> [element] : String | semmle.label | access to parameter l : List<T> [element] : String |
+| TypeFlowDispatch.cs:69:20:69:20 | [post] access to parameter f : Action<T> [delegate argument at position 0] : String | semmle.label | [post] access to parameter f : Action<T> [delegate argument at position 0] : String |
+| TypeFlowDispatch.cs:69:20:69:20 | [post] access to parameter f : Action<T> [delegate argument at position 0] : String | semmle.label | [post] access to parameter f : Action<T> [delegate argument at position 0] : String |
 | TypeFlowDispatch.cs:74:13:74:19 | access to local variable tainted : List<T> [element] : String | semmle.label | access to local variable tainted : List<T> [element] : String |
 | TypeFlowDispatch.cs:74:13:74:19 | access to local variable tainted : List<T> [element] : String | semmle.label | access to local variable tainted : List<T> [element] : String |
 | TypeFlowDispatch.cs:74:23:74:54 | object creation of type List<String> : List<T> [element] : String | semmle.label | object creation of type List<String> : List<T> [element] : String |
@@ -121,7 +191,23 @@ nodes
 | TypeFlowDispatch.cs:74:42:74:52 | call to method Source<String> : String | semmle.label | call to method Source<String> : String |
 | TypeFlowDispatch.cs:77:21:77:27 | access to local variable tainted : List<T> [element] : String | semmle.label | access to local variable tainted : List<T> [element] : String |
 | TypeFlowDispatch.cs:77:21:77:27 | access to local variable tainted : List<T> [element] : String | semmle.label | access to local variable tainted : List<T> [element] : String |
+| TypeFlowDispatch.cs:77:30:77:45 | [post] delegate creation of type Action<String> : Action<T> [delegate argument at position 0] : String | semmle.label | [post] delegate creation of type Action<String> : Action<T> [delegate argument at position 0] : String |
+| TypeFlowDispatch.cs:77:30:77:45 | [post] delegate creation of type Action<String> : Action<T> [delegate argument at position 0] : String | semmle.label | [post] delegate creation of type Action<String> : Action<T> [delegate argument at position 0] : String |
 subpaths
+| TypeFlowDispatch.cs:18:19:18:19 | access to parameter x : String | TypeFlowDispatch.cs:11:42:11:42 | x : String | TypeFlowDispatch.cs:11:37:11:37 | f [Return] : Action<T> [delegate argument at position 0] : String | TypeFlowDispatch.cs:18:16:18:16 | [post] access to parameter f : Action<T> [delegate argument at position 0] : String |
+| TypeFlowDispatch.cs:18:19:18:19 | access to parameter x : String | TypeFlowDispatch.cs:11:42:11:42 | x : String | TypeFlowDispatch.cs:11:37:11:37 | f [Return] : Action<T> [delegate argument at position 0] : String | TypeFlowDispatch.cs:18:16:18:16 | [post] access to parameter f : Action<T> [delegate argument at position 0] : String |
+| TypeFlowDispatch.cs:23:39:23:49 | call to method Source<String> : String | TypeFlowDispatch.cs:16:46:16:46 | x : String | TypeFlowDispatch.cs:16:41:16:41 | f [Return] : Action<T> [delegate argument at position 0] : String | TypeFlowDispatch.cs:23:20:23:36 | [post] (...) => ... : Action<T> [delegate argument at position 0] : String |
+| TypeFlowDispatch.cs:23:39:23:49 | call to method Source<String> : String | TypeFlowDispatch.cs:16:46:16:46 | x : String | TypeFlowDispatch.cs:16:41:16:41 | f [Return] : Action<T> [delegate argument at position 0] : String | TypeFlowDispatch.cs:23:20:23:36 | [post] (...) => ... : Action<T> [delegate argument at position 0] : String |
+| TypeFlowDispatch.cs:39:25:39:31 | access to local variable tainted : List<T> [element] : String | TypeFlowDispatch.cs:29:37:29:37 | l : List<T> [element] : String | TypeFlowDispatch.cs:29:50:29:50 | f [Return] : Action<T> [delegate argument at position 0] : String | TypeFlowDispatch.cs:39:34:39:50 | [post] (...) => ... : Action<T> [delegate argument at position 0] : String |
+| TypeFlowDispatch.cs:39:25:39:31 | access to local variable tainted : List<T> [element] : String | TypeFlowDispatch.cs:29:37:29:37 | l : List<T> [element] : String | TypeFlowDispatch.cs:29:50:29:50 | f [Return] : Action<T> [delegate argument at position 0] : String | TypeFlowDispatch.cs:39:34:39:50 | [post] (...) => ... : Action<T> [delegate argument at position 0] : String |
+| TypeFlowDispatch.cs:49:19:49:19 | access to parameter x : String | TypeFlowDispatch.cs:42:42:42:42 | x : String | TypeFlowDispatch.cs:42:37:42:37 | f [Return] : Action<T> [delegate argument at position 0] : String | TypeFlowDispatch.cs:49:16:49:16 | [post] access to parameter f : Action<T> [delegate argument at position 0] : String |
+| TypeFlowDispatch.cs:49:19:49:19 | access to parameter x : String | TypeFlowDispatch.cs:42:42:42:42 | x : String | TypeFlowDispatch.cs:42:37:42:37 | f [Return] : Action<T> [delegate argument at position 0] : String | TypeFlowDispatch.cs:49:16:49:16 | [post] access to parameter f : Action<T> [delegate argument at position 0] : String |
+| TypeFlowDispatch.cs:57:38:57:48 | call to method Source<String> : String | TypeFlowDispatch.cs:47:46:47:46 | x : String | TypeFlowDispatch.cs:47:41:47:41 | f [Return] : Action<T> [delegate argument at position 0] : String | TypeFlowDispatch.cs:57:20:57:35 | [post] delegate creation of type Action<String> : Action<T> [delegate argument at position 0] : String |
+| TypeFlowDispatch.cs:57:38:57:48 | call to method Source<String> : String | TypeFlowDispatch.cs:47:46:47:46 | x : String | TypeFlowDispatch.cs:47:41:47:41 | f [Return] : Action<T> [delegate argument at position 0] : String | TypeFlowDispatch.cs:57:20:57:35 | [post] delegate creation of type Action<String> : Action<T> [delegate argument at position 0] : String |
+| TypeFlowDispatch.cs:69:17:69:17 | access to parameter l : List<T> [element] : String | TypeFlowDispatch.cs:61:29:61:29 | l : List<T> [element] : String | TypeFlowDispatch.cs:61:42:61:42 | f [Return] : Action<T> [delegate argument at position 0] : String | TypeFlowDispatch.cs:69:20:69:20 | [post] access to parameter f : Action<T> [delegate argument at position 0] : String |
+| TypeFlowDispatch.cs:69:17:69:17 | access to parameter l : List<T> [element] : String | TypeFlowDispatch.cs:61:29:61:29 | l : List<T> [element] : String | TypeFlowDispatch.cs:61:42:61:42 | f [Return] : Action<T> [delegate argument at position 0] : String | TypeFlowDispatch.cs:69:20:69:20 | [post] access to parameter f : Action<T> [delegate argument at position 0] : String |
+| TypeFlowDispatch.cs:77:21:77:27 | access to local variable tainted : List<T> [element] : String | TypeFlowDispatch.cs:67:33:67:33 | l : List<T> [element] : String | TypeFlowDispatch.cs:67:46:67:46 | f [Return] : Action<T> [delegate argument at position 0] : String | TypeFlowDispatch.cs:77:30:77:45 | [post] delegate creation of type Action<String> : Action<T> [delegate argument at position 0] : String |
+| TypeFlowDispatch.cs:77:21:77:27 | access to local variable tainted : List<T> [element] : String | TypeFlowDispatch.cs:67:33:67:33 | l : List<T> [element] : String | TypeFlowDispatch.cs:67:46:67:46 | f [Return] : Action<T> [delegate argument at position 0] : String | TypeFlowDispatch.cs:77:30:77:45 | [post] delegate creation of type Action<String> : Action<T> [delegate argument at position 0] : String |
 testFailures
 #select
 | TypeFlowDispatch.cs:23:32:23:32 | access to parameter x | TypeFlowDispatch.cs:23:39:23:49 | call to method Source<String> : String | TypeFlowDispatch.cs:23:32:23:32 | access to parameter x | $@ | TypeFlowDispatch.cs:23:39:23:49 | call to method Source<String> : String | call to method Source<String> : String |

csharp/ql/test/query-tests/Concurrency/LockOrder/LockOrder.expected

@@ -1,4 +1,3 @@
 | LockOrder.cs:6:15:6:15 | b | Inconsistent lock sequence with $@. Lock sequences $@, $@ and $@, $@ found. | LockOrder.cs:6:18:6:18 | c | c | LockOrder.cs:10:18:10:37 | lock (...) {...} | b | LockOrder.cs:10:27:10:37 | lock (...) {...} | c | LockOrder.cs:15:18:15:37 | lock (...) {...} | c | LockOrder.cs:15:27:15:37 | lock (...) {...} | b |
 | LockOrder.cs:27:22:27:22 | b | Inconsistent lock sequence with $@. Lock sequences $@, $@ and $@, $@ found. | LockOrder.cs:27:25:27:25 | c | c | LockOrder.cs:36:8:36:20 | lock (...) {...} | b | LockOrder.cs:42:9:42:20 | lock (...) {...} | c | LockOrder.cs:37:8:37:20 | lock (...) {...} | c | LockOrder.cs:47:9:47:20 | lock (...) {...} | b |
-| LockOrder.cs:54:19:54:19 | a | Inconsistent lock sequence with $@. Lock sequences $@, $@ and $@, $@ found. | LockOrder.cs:54:22:54:22 | b | b | LockOrder.cs:61:9:61:25 | lock (...) {...} | a | LockOrder.cs:59:33:59:43 | lock (...) {...} | b | LockOrder.cs:62:9:62:25 | lock (...) {...} | b | LockOrder.cs:58:33:58:43 | lock (...) {...} | a |
 | LockOrderBad.cs:6:29:6:33 | lock1 | Inconsistent lock sequence with $@. Lock sequences $@, $@ and $@, $@ found. | LockOrderBad.cs:7:29:7:33 | lock2 | lock2 | LockOrderBad.cs:11:9:19:9 | lock (...) {...} | lock1 | LockOrderBad.cs:16:13:18:13 | lock (...) {...} | lock2 | LockOrderBad.cs:24:9:32:9 | lock (...) {...} | lock2 | LockOrderBad.cs:29:13:31:13 | lock (...) {...} | lock1 |

java/ql/lib/semmle/code/java/dataflow/internal/DataFlowNodes.qll

@@ -6,6 +6,7 @@ private import semmle.code.java.dataflow.TypeFlow
 private import semmle.code.java.dataflow.FlowSteps
 private import DataFlowPrivate
 private import DataFlowUtil
+private import DataFlowDispatch
 private import FlowSummaryImpl as FlowSummaryImpl
 private import DataFlowImplCommon as DataFlowImplCommon
 private import semmle.code.java.controlflow.Guards
@@ -68,7 +69,11 @@ private module Cached {
     TMapKeyContent() or
     TMapValueContent() or
     TCapturedVariableContent(CapturedVariable v) or
-    TSyntheticFieldContent(SyntheticField s)
+    TSyntheticFieldContent(SyntheticField s) or
+    TLambdaReturnContent(Method m) or
+    TLambdaArgumentContent(Method m, ArgumentPosition pos) {
+      exists(m.getParameter(pos)) or pos = -1
+    }
 
   cached
   newtype TContentApprox =
@@ -78,7 +83,11 @@ private module Cached {
     TMapKeyContentApprox() or
     TMapValueContentApprox() or
     TCapturedVariableContentApprox(CapturedVariable v) or
-    TSyntheticFieldApproxContent()
+    TSyntheticFieldApproxContent() or
+    TLambdaReturnContentApprox(Method m) or
+    TLambdaArgumentApprox(Method m, ArgumentPosition pos) {
+      exists(m.getParameter(pos)) or pos = -1
+    }
 }
 
 import Cached

java/ql/lib/semmle/code/java/dataflow/internal/DataFlowPrivate.qll

@@ -464,7 +464,8 @@ private newtype TDataFlowCall =
   TCall(Call c) or
   TSummaryCall(SummarizedCallable c, FlowSummaryImpl::Private::SummaryNode receiver) {
     FlowSummaryImpl::Private::summaryCallbackRange(c, receiver)
-  }
+  } or
+  TLambdaSynthCall(Node node) { lambdaCreationHelper(node, _, _) }
 
 /** A call relevant for data flow. Includes both source calls and synthesized calls. */
 class DataFlowCall extends TDataFlowCall {
@@ -526,6 +527,21 @@ class SummaryCall extends DataFlowCall, TSummaryCall {
   override Location getLocation() { result = c.getLocation() }
 }
 
+/** A synthesized call inside a `SummarizedCallable`. */
+class LambdaSynthCall extends DataFlowCall, TLambdaSynthCall {
+  private Node node;
+
+  LambdaSynthCall() { this = TLambdaSynthCall(node) }
+
+  override DataFlowCallable getEnclosingCallable() {
+    result.asCallable() = node.getEnclosingCallable()
+  }
+
+  override string toString() { result = "[synthetic] call to " + node }
+
+  override Location getLocation() { result = node.getLocation() }
+}
+
 class NodeRegion instanceof BasicBlock {
   string toString() { result = "NodeRegion" }
 
@@ -585,8 +601,7 @@ predicate nodeIsHidden(Node n) { n instanceof FlowSummaryNode }
 
 class LambdaCallKind = Method; // the "apply" method in the functional interface
 
-/** Holds if `creation` is an expression that creates a lambda of kind `kind` for `c`. */
+predicate lambdaCreationHelper(Node creation, LambdaCallKind kind, DataFlowCallable c) {
-predicate lambdaCreation(Node creation, LambdaCallKind kind, DataFlowCallable c) {
   exists(ClassInstanceExpr func, Interface t, FunctionalInterface interface |
     creation.asExpr() = func and
     func.getAnonymousClass().getAMethod() = c.asCallable() and
@@ -597,6 +612,14 @@ predicate lambdaCreation(Node creation, LambdaCallKind kind, DataFlowCallable c)
   )
 }
 
+/** Holds if `creation` is an expression that creates a lambda of kind `kind` for `c`. */
+predicate lambdaCreation(
+  Node creation, LambdaCallKind kind, DataFlowCallable c, DataFlowCall synthCall
+) {
+  synthCall = TLambdaSynthCall(creation) and
+  lambdaCreationHelper(creation, kind, c)
+}
+
 /** Holds if `call` is a lambda call of kind `kind` where `receiver` is the lambda expression. */
 predicate lambdaCall(DataFlowCall call, LambdaCallKind kind, Node receiver) {
   receiver.(FlowSummaryNode).getSummaryNode() = call.(SummaryCall).getReceiver() and
@@ -734,6 +757,12 @@ class ContentApprox extends TContentApprox {
     or
     this = TSyntheticFieldApproxContent() and
     result = "approximated synthetic field"
+    or
+    this = TLambdaReturnContentApprox(_) and
+    result = "<lambda-return>"
+    or
+    this = TLambdaArgumentApprox(_, _) and
+    result = "<lambda-argument>"
   }
 }
 
@@ -755,6 +784,12 @@ ContentApprox getContentApprox(Content c) {
   )
   or
   c instanceof SyntheticFieldContent and result = TSyntheticFieldApproxContent()
+  or
+  exists(Method m | c = TLambdaReturnContent(m) and result = TLambdaReturnContentApprox(m))
+  or
+  exists(Method m, ArgumentPosition pos |
+    c = TLambdaArgumentContent(m, pos) and result = TLambdaArgumentApprox(m, pos)
+  )
 }
 
 /**
@@ -766,3 +801,15 @@ predicate containerContent(ContentSet c) {
   c instanceof MapKeyContent or
   c instanceof MapValueContent
 }
+
+Content getLambdaReturnContent(LambdaCallKind kind, ReturnKind k) {
+  result = TLambdaReturnContent(kind) and exists(k)
+}
+
+Content getLambdaArgumentContent(LambdaCallKind kind, ArgumentPosition pos) {
+  result = TLambdaArgumentContent(kind, pos)
+}
+
+predicate isLambdaInstanceParameter(ParameterNode p) {
+  exists(DataFlowCallable c | lambdaCreationHelper(_, _, c) and p.isParameterOf(c, -1))
+}

java/ql/lib/semmle/code/java/dataflow/internal/DataFlowUtil.qll

@@ -4,6 +4,7 @@
 
 private import java
 private import DataFlowPrivate
+private import DataFlowDispatch
 private import semmle.code.java.dataflow.SSA
 private import semmle.code.java.controlflow.Guards
 private import semmle.code.java.dataflow.ExternalFlow
@@ -359,6 +360,27 @@ class SyntheticFieldContent extends Content, TSyntheticFieldContent {
   override string toString() { result = s.toString() }
 }
 
+class LambdaReturnContent extends Content, TLambdaReturnContent {
+  Method m;
+
+  LambdaReturnContent() { this = TLambdaReturnContent(m) }
+
+  override DataFlowType getType() { result = getErasedRepr(m.getReturnType()) }
+
+  override string toString() { result = "<lambda-return>" }
+}
+
+class LambdaArgumentContent extends Content, TLambdaArgumentContent {
+  Method m;
+  ArgumentPosition pos;
+
+  LambdaArgumentContent() { this = TLambdaArgumentContent(m, pos) }
+
+  override DataFlowType getType() { result = getErasedRepr(m.getParameter(pos).getType()) }
+
+  override string toString() { result = "<lambda-argument> " + pos.toString() }
+}
+
 /**
  * An entity that represents a set of `Content`s.
  *

shared/dataflow/codeql/dataflow/DataFlow.qll

@@ -290,7 +290,9 @@ signature module InputSig<LocationSig Location> {
   class LambdaCallKind;
 
   /** Holds if `creation` is an expression that creates a lambda of kind `kind` for `c`. */
-  predicate lambdaCreation(Node creation, LambdaCallKind kind, DataFlowCallable c);
+  predicate lambdaCreation(
+    Node creation, LambdaCallKind kind, DataFlowCallable c, DataFlowCall synthCall
+  );
 
   /** Holds if `call` is a lambda call of kind `kind` where `receiver` is the lambda expression. */
   predicate lambdaCall(DataFlowCall call, LambdaCallKind kind, Node receiver);
@@ -344,6 +346,14 @@ signature module InputSig<LocationSig Location> {
 
   /** Holds if `fieldFlowBranchLimit` should be ignored for flow going into/out of `c`. */
   default predicate ignoreFieldFlowBranchLimit(DataFlowCallable c) { none() }
+
+  Content getLambdaReturnContent(LambdaCallKind kind, ReturnKind retKind);
+
+  Content getLambdaArgumentContent(LambdaCallKind kind, ArgumentPosition pos);
+
+  predicate isLambdaInstanceParameter(ParameterNode p);
+
+  predicate isVariableCaptureContentSet(ContentSet c);
 }
 
 module Configs<LocationSig Location, InputSig<Location> Lang> {

shared/dataflow/codeql/dataflow/VariableCapture.qll

@@ -1051,8 +1051,8 @@ module Flow<LocationSig Location, InputSig<Location> Input> implements OutputSig
      * since normal use-use flow for `fn` does not take the overwrite at (2) into account.
      */
 
-    storeStepClosure(_, v, node, true)
+    // storeStepClosure(_, v, node, true)
-    or
+    // or
     exists(BasicBlock bb, int i |
       captureWrite(v, bb, i, false, _) and
       node = TSynthThisQualifier(bb, i, false)

shared/dataflow/codeql/dataflow/internal/ContentDataFlowImpl.qll

@@ -216,7 +216,7 @@ module MakeImplContentDataFlow<LocationSig Location, InputSig<Location> Lang> {
 
     private predicate readStep(Node node1, State state1, ContentSet c, Node node2, ReadState state2) {
       exists(int size |
-        readSet(node1, c, node2) and
+        readSet(any(NodeEx n1 | n1.asNode() = node1), c, any(NodeEx n2 | n2.asNode() = node2)) and // todo
         ContentConfig::isRelevantContent(c) and
         state2.decode(size + 1, true)
       |

shared/dataflow/codeql/dataflow/internal/DataFlowImpl.qll

@@ -423,7 +423,7 @@ module MakeImpl<LocationSig Location, InputSig<Location> Lang> {
 
     pragma[nomagic]
     private predicate readSetEx(NodeEx node1, ContentSet c, NodeEx node2) {
-      readSet(pragma[only_bind_into](node1.asNode()), c, pragma[only_bind_into](node2.asNode())) and
+      readSet(node1, c, node2) and
       stepFilter(node1, node2)
       or
       exists(Node n |
@@ -450,20 +450,19 @@ module MakeImpl<LocationSig Location, InputSig<Location> Lang> {
     bindingset[c]
     private predicate expectsContentEx(NodeEx n, Content c) {
       exists(ContentSet cs |
-        expectsContentCached(n.asNode(), cs) and
+        expectsContentCached(n, cs) and
         pragma[only_bind_out](c) = pragma[only_bind_into](cs).getAReadContent()
       )
     }
 
     pragma[nomagic]
-    private predicate notExpectsContent(NodeEx n) { not expectsContentCached(n.asNode(), _) }
+    private predicate notExpectsContent(NodeEx n) { not expectsContentCached(n, _) }
 
     pragma[nomagic]
     private predicate storeExUnrestricted(
       NodeEx node1, Content c, NodeEx node2, DataFlowType contentType, DataFlowType containerType
     ) {
-      store(pragma[only_bind_into](node1.asNode()), c, pragma[only_bind_into](node2.asNode()),
+      store(node1, c, node2, contentType, containerType) and
-        contentType, containerType) and
       stepFilter(node1, node2)
     }
 
@@ -478,16 +477,6 @@ module MakeImpl<LocationSig Location, InputSig<Location> Lang> {
       hasReadStep(c)
     }
 
-    pragma[nomagic]
-    private predicate viableReturnPosOutEx(DataFlowCall call, ReturnPosition pos, NodeEx out) {
-      viableReturnPosOut(call, pos, out.asNode())
-    }
-
-    pragma[nomagic]
-    private predicate viableParamArgEx(DataFlowCall call, ParamNodeEx p, ArgNodeEx arg) {
-      viableParamArg(call, p.asNode(), arg.asNode())
-    }
-
     /**
      * Holds if field flow should be used for the given configuration.
      */
@@ -2629,7 +2618,7 @@ module MakeImpl<LocationSig Location, InputSig<Location> Lang> {
               (
                 castNode(this.asNode()) or
                 clearsContentCached(this.asNode(), _) or
-                expectsContentCached(this.asNode(), _) or
+                expectsContentCached(this, _) or
                 neverSkipInPathGraph(this.asNode()) or
                 Config::neverSkip(this.asNode())
               )
@@ -2665,7 +2654,7 @@ module MakeImpl<LocationSig Location, InputSig<Location> Lang> {
               or
               node instanceof ParamNodeEx
               or
-              node.asNode() instanceof OutNodeExt
+              node instanceof OutNodeEx
               or
               storeStepCand(_, _, _, node, _, _)
               or
@@ -2899,15 +2888,9 @@ module MakeImpl<LocationSig Location, InputSig<Location> Lang> {
 
             predicate isHidden() {
               not Config::includeHiddenNodes() and
-              (
+              hiddenNode(this.getNodeEx()) and
-                hiddenNode(this.getNodeEx().asNode()) and
+              not this.isSource() and
-                not this.isSource() and
+              not this instanceof PathNodeSink
-                not this instanceof PathNodeSink
-                or
-                this.getNodeEx() instanceof TNodeImplicitRead
-                or
-                hiddenNode(this.getNodeEx().asParamReturnNode())
-              )
             }
 
             /** Gets a textual representation of this element. */
@@ -5444,7 +5427,7 @@ module MakeImpl<LocationSig Location, InputSig<Location> Lang> {
         exists(ReturnKindExt kind, DataFlowCall call |
           partialPathOutOfCallable1(mid, call, kind, state, cc, t, ap)
         |
-          out.asNode() = kind.getAnOutNode(call)
+          out = kind.getAnOutNodeEx(call)
         )
       }
 
@@ -5529,7 +5512,7 @@ module MakeImpl<LocationSig Location, InputSig<Location> Lang> {
       ) {
         exists(DataFlowCall call, ReturnKindExt kind |
           partialPathThroughCallable0(call, mid, kind, state, cc, t, ap) and
-          out.asNode() = kind.getAnOutNode(call)
+          out = kind.getAnOutNodeEx(call)
         )
       }
 

shared/dataflow/codeql/dataflow/internal/DataFlowImplCommon.qll

@@ -1,7 +1,7 @@
 private import codeql.dataflow.DataFlow
 private import codeql.typetracking.TypeTracking as Tt
 private import codeql.util.Location
-private import codeql.util.Option
+private import codeql.util.Boolean
 private import codeql.util.Unit
 private import codeql.util.Option
 
@@ -118,10 +118,12 @@ module MakeImplCommon<LocationSig Location, InputSig<Location> Lang> {
     }
 
     // TODO: support setters
+    // TODO extend
     predicate storeStep(Node n1, Node n2, Content f) { storeSet(n1, f, n2, _, _) }
 
     private predicate loadStep0(Node n1, Node n2, Content f) {
-      readSet(n1, f, n2)
+      // TODO extend
+      readStep(n1, f, n2)
       or
       argumentValueFlowsThrough(n1, TReadStepTypesSome(_, f, _), n2, _)
     }
@@ -139,7 +141,9 @@ module MakeImplCommon<LocationSig Location, InputSig<Location> Lang> {
     predicate callStep(Node n1, LocalSourceNode n2) { viableParamArg(_, n2, n1) }
 
     predicate returnStep(Node n1, LocalSourceNode n2) {
-      viableReturnPosOut(_, [getValueReturnPosition(n1), getParamReturnPosition(n1, _)], n2)
+      // TODO: extend to NodeEx
+      viableReturnPosOut(_,
+        [getValueReturnPosition(n1), getParamReturnPosition(any(NodeEx n | n.asNode() = n1), _)], n2)
     }
 
     predicate hasFeatureBacktrackStoreTarget() { none() }
@@ -183,6 +187,24 @@ module MakeImplCommon<LocationSig Location, InputSig<Location> Lang> {
     )
   }
 
+  /**
+   * Holds if `arg` is an argument of `call` with an argument position that matches
+   * parameter position `ppos`.
+   */
+  pragma[noinline]
+  private predicate argumentPositionMatchEx(DataFlowCall call, ArgNodeEx arg, ParameterPosition ppos) {
+    exists(ArgumentPosition apos |
+      arg.argumentOf(call, apos) and
+      parameterMatch(ppos, apos)
+    )
+  }
+
+  pragma[nomagic]
+  private predicate hasSimpleReturnKindIn(ReturnNode ret, ReturnKind kind, DataFlowCallable c) {
+    c = getNodeEnclosingCallable(ret) and
+    kind = ret.getKind()
+  }
+
   /**
    * Provides a simple data-flow analysis for resolving lambda calls. The analysis
    * currently excludes read-steps, store-steps, and flow-through.
@@ -192,9 +214,24 @@ module MakeImplCommon<LocationSig Location, InputSig<Location> Lang> {
    * calls. For this reason, we cannot reuse the code from `DataFlowImpl.qll` directly.
    */
   private module LambdaFlow {
+    private predicate lambdaLocalFlow(Node lambda, Node node) {
+      lambdaCreation(lambda, _, _, _) and
+      node = lambda
+      or
+      exists(Node mid |
+        lambdaLocalFlow(lambda, mid) and
+        simpleLocalFlowStep(mid, node, _) and
+        validParameterAliasStep(mid, node)
+      )
+    }
+
+    predicate lambdaFlowsToPostUpdate(Node lambda, PostUpdateNode post) {
+      lambdaLocalFlow(lambda, post.getPreUpdateNode())
+    }
+
     pragma[noinline]
     private predicate viableParamNonLambda(DataFlowCall call, ParameterPosition ppos, ParamNode p) {
-      p.isParameterOf(viableCallable(call), ppos)
+      p.isParameterOf(viableCallableCached(call), ppos)
     }
 
     pragma[noinline]
@@ -224,12 +261,6 @@ module MakeImplCommon<LocationSig Location, InputSig<Location> Lang> {
         )
       }
 
-    pragma[nomagic]
-    private predicate hasSimpleReturnKindIn(ReturnNode ret, ReturnKind kind, DataFlowCallable c) {
-      c = getNodeEnclosingCallable(ret) and
-      kind = ret.getKind()
-    }
-
     pragma[nomagic]
     private TReturnPositionSimple getReturnPositionSimple(ReturnNode ret) {
       exists(ReturnKind kind, DataFlowCallable c |
@@ -240,7 +271,7 @@ module MakeImplCommon<LocationSig Location, InputSig<Location> Lang> {
 
     pragma[nomagic]
     private TReturnPositionSimple viableReturnPosNonLambda(DataFlowCall call, ReturnKind kind) {
-      result = TReturnPositionSimple0(viableCallable(call), kind)
+      result = TReturnPositionSimple0(viableCallableCached(call), kind)
     }
 
     pragma[nomagic]
@@ -857,6 +888,21 @@ module MakeImplCommon<LocationSig Location, InputSig<Location> Lang> {
       exists(Node n | this.isImplicitReadNode(n) | result = n.toString() + " [Ext]")
       or
       result = this.asParamReturnNode().toString() + " [Return]"
+      or
+      result = this.asLambdaMallocNode().toString() + " [LambdaMalloc]"
+      or
+      result = this.asLambdaArgsNode().toString() + " [LambdaArgs]"
+      or
+      result = this.asLambdaCaptureNode().toString() + " [LambdaCapture]"
+      or
+      result = this.asLambdaInstancePostUpdateNode().toString() + " [LambdaPostUpdate]"
+      or
+      exists(DataFlowCall synthCall, ArgumentPosition apos, boolean isPost |
+        this.isLambdaArgNode(synthCall, apos, isPost)
+      |
+        result =
+          synthCall.toString() + "-" + apos.toString() + "-" + isPost.toString() + " [LambdaArg]"
+      )
     }
 
     Node asNode() { this = TNodeNormal(result) }
@@ -868,10 +914,39 @@ module MakeImplCommon<LocationSig Location, InputSig<Location> Lang> {
 
     ParameterNode asParamReturnNode() { this = TParamReturnNode(result, _) }
 
+    ParameterNode asLambdaInstancePostUpdateNode() { this = TNodeLambdaInstancePostUpdate(result) }
+
+    Node asLambdaMallocNode() { this = TNodeLambdaMalloc(result) }
+
+    Node asLambdaArgsNode() { this = TNodeLambdaArgs(result) }
+
+    Node asLambdaCaptureNode() { this = TNodeLambdaCapture(result) }
+
+    predicate isLambdaArgNode(DataFlowCall synthCall, ArgumentPosition apos, boolean isPost) {
+      this = TNodeLambdaArg(synthCall, apos, isPost)
+    }
+
     Node projectToNode() {
-      this = TNodeNormal(result) or
+      this = TNodeNormal(result)
-      this = TNodeImplicitRead(result) or
+      or
+      this = TNodeImplicitRead(result)
+      or
       this = TParamReturnNode(result, _)
+      or
+      this = TNodeLambdaInstancePostUpdate(result)
+      or
+      this = TNodeLambdaMalloc(result)
+      or
+      this = TNodeLambdaArgs(result)
+      or
+      this = TNodeLambdaCapture(result)
+      or
+      this = TNodeLambdaCapture(result)
+      or
+      exists(DataFlowCall synthCall |
+        this = TNodeLambdaArg(synthCall, _, _) and
+        lambdaCreation(result, _, _, synthCall)
+      )
     }
 
     pragma[nomagic]
@@ -889,6 +964,25 @@ module MakeImplCommon<LocationSig Location, InputSig<Location> Lang> {
       nodeDataFlowType(this.asNode(), result)
       or
       nodeDataFlowType(this.asParamReturnNode(), result)
+      or
+      nodeDataFlowType(this.asLambdaInstancePostUpdateNode(), result)
+      or
+      nodeDataFlowType(this.asLambdaMallocNode(), result)
+      or
+      nodeDataFlowType(this.asLambdaArgsNode(), result)
+      or
+      nodeDataFlowType(this.asLambdaCaptureNode(), result)
+      or
+      exists(
+        DataFlowCall synthCall, ArgumentPosition apos, DataFlowCallable c, ParameterNode p,
+        ParameterPosition ppos
+      |
+        this.isLambdaArgNode(synthCall, apos, _) and
+        lambdaCreation(_, _, c, synthCall) and
+        isParameterNode(p, c, ppos) and
+        parameterMatch(ppos, apos) and
+        nodeDataFlowType(p, result)
+      )
     }
 
     pragma[inline]
@@ -900,9 +994,29 @@ module MakeImplCommon<LocationSig Location, InputSig<Location> Lang> {
   }
 
   final class ArgNodeEx extends NodeEx {
-    ArgNodeEx() { this.asNode() instanceof ArgNode }
+    private DataFlowCall call_;
+    private ArgumentPosition pos_;
 
-    DataFlowCall getCall() { this.asNode().(ArgNode).argumentOf(result, _) }
+    ArgNodeEx() {
+      this.asNode().(ArgNode).argumentOf(call_, pos_)
+      or
+      this.isLambdaArgNode(call_, pos_, false)
+      or
+      exists(Node lambda, DataFlowCallable c, ParameterNode p, ParameterPosition ppos |
+        lambda = this.asLambdaMallocNode() and
+        lambdaCreation(lambda, _, c, call_) and
+        isParameterNode(p, c, ppos) and
+        isLambdaInstanceParameter(p) and
+        parameterMatch(ppos, pos_)
+      )
+    }
+
+    final DataFlowCall getCall() { this.argumentOf(result, _) }
+
+    final predicate argumentOf(DataFlowCall call, ArgumentPosition pos) {
+      call = call_ and
+      pos = pos_
+    }
   }
 
   final class ParamNodeEx extends NodeEx {
@@ -929,6 +1043,35 @@ module MakeImplCommon<LocationSig Location, InputSig<Location> Lang> {
     ReturnKindExt getKind() { result = pos.getKind() }
   }
 
+  final class OutNodeEx extends NodeEx {
+    OutNodeEx() {
+      this.asNode() instanceof OutNodeExt
+      or
+      this.(PostUpdateNodeEx).getPreUpdateNode() instanceof ArgNodeEx
+    }
+  }
+
+  class PostUpdateNodeEx extends NodeEx {
+    private NodeEx pre;
+
+    PostUpdateNodeEx() {
+      pre.asNode() = this.asNode().(PostUpdateNode).getPreUpdateNode()
+      or
+      pre.asNode() = this.asLambdaInstancePostUpdateNode()
+      or
+      // Every argument in the synthetic call has a post update node
+      // corresponding to the argument node.
+      exists(DataFlowCall synthCall, ArgumentPosition apos |
+        this.isLambdaArgNode(synthCall, apos, true) and
+        pre.isLambdaArgNode(synthCall, apos, false)
+      )
+      or
+      pre.asLambdaMallocNode() = this.asNode()
+    }
+
+    NodeEx getPreUpdateNode() { result = pre }
+  }
+
   cached
   private module Cached {
     /**
@@ -979,7 +1122,12 @@ module MakeImplCommon<LocationSig Location, InputSig<Location> Lang> {
     predicate clearsContentCached(Node n, ContentSet c) { clearsContent(n, c) }
 
     cached
-    predicate expectsContentCached(Node n, ContentSet c) { expectsContent(n, c) }
+    predicate expectsContentCached(NodeEx n, ContentSet c) {
+      expectsContent(n.asNode(), c)
+      or
+      exists(n.asLambdaCaptureNode()) and
+      isVariableCaptureContentSet(c)
+    }
 
     cached
     predicate isUnreachableInCallCached(NodeRegion nr, DataFlowCall call) {
@@ -994,7 +1142,16 @@ module MakeImplCommon<LocationSig Location, InputSig<Location> Lang> {
     }
 
     cached
-    predicate hiddenNode(Node n) { nodeIsHidden(n) }
+    predicate hiddenNode(NodeEx n) {
+      nodeIsHidden(n.asNode()) or
+      n.isImplicitReadNode(_) or
+      exists(n.asLambdaInstancePostUpdateNode()) or
+      exists(n.asLambdaMallocNode()) or
+      exists(n.asLambdaArgsNode()) or
+      exists(n.asLambdaCaptureNode()) or
+      n.isLambdaArgNode(_, _, _) or
+      hiddenNode(any(NodeEx p | n.asParamReturnNode() = p.asNode()))
+    }
 
     cached
     OutNodeExt getAnOutNodeExt(DataFlowCall call, ReturnKindExt k) {
@@ -1006,18 +1163,49 @@ module MakeImplCommon<LocationSig Location, InputSig<Location> Lang> {
       )
     }
 
-    pragma[nomagic]
+    cached
-    private predicate paramReturnNode(
+    OutNodeEx getAnOutNodeEx(DataFlowCall call, ReturnKindExt k) {
-      PostUpdateNode n, ParamNode p, SndLevelScopeOption scope, ReturnKindExt k
+      result.asNode() = getAnOutNodeExt(call, k)
-    ) {
+      or
-      exists(ParameterPosition pos |
+      exists(ArgNodeEx arg |
-        parameterValueFlowsToPreUpdate(p, n) and
+        result.(PostUpdateNodeEx).getPreUpdateNode() = arg and
-        p.isParameterOf(_, pos) and
+        arg.argumentOf(call, k.(ParamUpdateReturnKind).getAMatchingArgumentPosition())
-        k = TParamUpdate(pos) and
-        scope = getSecondLevelScopeCached(n)
       )
     }
 
+    pragma[nomagic]
+    private predicate paramReturnNode(
+      PostUpdateNodeEx n, ParamNode p, SndLevelScopeOption scope, ReturnKindExt k
+    ) {
+      exists(ParameterPosition pos |
+        parameterValueFlowsToPreUpdate(p, n.asNode()) and
+        p.isParameterOf(_, pos) and
+        k = TParamUpdate(pos) and
+        scope = getSecondLevelScopeCached(n.asNode())
+      )
+      or
+      exists(ParameterPosition pos |
+        n.asLambdaInstancePostUpdateNode() = p and
+        p.isParameterOf(_, pos) and
+        scope = getSecondLevelScopeCached(p) and
+        k = TParamUpdate(pos)
+      )
+    }
+
+    /*
+     * lambda = (x) = x.addTaint();
+     * synthcall(lambda, lambda.arg0); // arg0[post] --store(Argument0)--> lambda (post-update) [Argument0]
+     *
+     *
+     * foo(lambda)
+     *
+     * foo(l1) {
+     *    l1(x); // x --store(Argument0)--> l1 (post-update) [Argument0]
+     *    // l1 [Argument0] --read(Argument0)--> x (post-update)
+     *    // l1 [ReturnValue] --read(ReturnValue)--> l1(x)
+     * }
+     */
+
     cached
     predicate castNode(Node n) { n instanceof CastNode }
 
@@ -1029,7 +1217,7 @@ module MakeImplCommon<LocationSig Location, InputSig<Location> Lang> {
       // For reads, `x.f`, we want to check that the tracked type after the read (which
       // is obtained by popping the head of the access path stack) is compatible with
       // the type of `x.f`.
-      readSet(_, _, n)
+      readStep(_, _, n)
     }
 
     cached
@@ -1043,7 +1231,88 @@ module MakeImplCommon<LocationSig Location, InputSig<Location> Lang> {
     }
 
     cached
-    DataFlowCallable viableCallableCached(DataFlowCall call) { result = viableCallable(call) }
+    DataFlowCallable viableCallableCached(DataFlowCall call) {
+      result = viableCallable(call)
+      or
+      lambdaCreation(_, _, result, call)
+    }
+
+    /*
+     *    foo(x => sink(x), notaint)
+     *    foo(x => safe(x), taint)
+     *
+     *    foo(lambda, x) {
+     *      lambda(x);
+     *    }
+     *
+     *    x.Field = taint;
+     *    taint --store(Field) --> x [Field]
+     *
+     *    y = x; // x [Field] --> y [Field]
+     *
+     *    sink(y.Field) // y [Field] --read(Field)--> y.Field
+     *
+     *
+     *
+     *
+     *    lambda = () => "taint";
+     *
+     *    "taint" --store(ReturnValue)--> this (post-update) [ReturnValue]
+     *
+     *    lambda.synth_call();
+     *
+     *    this (post-update) [ReturnValue] --> lambda (post-update) [ReturnValue]
+     *
+     *    sink(lambda_1());
+     *
+     *    "taint" --store(ReturnValue)--> () => "taint" [ReturnValue]
+     *    () => "taint" [ReturnValue] --> lambda [ReturnValue]
+     *    lambda [ReturnValue] --> lambda_1 [ReturnValue]
+     *    lambda_1 [ReturnValue] --read(ReturnValue)--> lambda_1()
+     *
+     *
+     *    setField(p, value) {
+     *      sink(p.Field);
+     *      p.Field = value; // value --store(Field)--> p (post-update) [Field]
+     *    }
+     *
+     *    // p (post-update) [Field] --> x (post-update) [Field]
+     *
+     *    setField(x, "taint");
+     *    sink(x.Field);
+     *
+     *
+     *    lambda = (x) => sink(x);
+     *    lambda.synth_call_lambda(lambda_arg0, lambda_arg1)
+     *
+     *
+     *
+     *    foo(lambda);
+     *
+     *    foo(l1) {
+     *      bar(l1)
+     *    }
+     *
+     *    bar(l2) {
+     *      l2("taint"); // taint --store(Argument0)--> l2 (post-update) [Argument0]
+     *    }
+     *
+     *    l2 (post-update) [Argument0] --> l1 (post-update) [Argument0]
+     *
+     *    l1 (post-update) [Argument0] --> lambda (post-update) [Argument0]
+     *
+     *
+     *    id = (x) => x;
+     *    id.synth_call(arg0)
+     *    foo(id);
+     *
+     *    foo(l) {
+     *      x = l("taint");
+     *      y = l("safe");
+     *      sink(x);
+     *      sink(y);
+     *    }
+     */
 
     /**
      * Gets a viable target for the lambda call `call`.
@@ -1053,9 +1322,10 @@ module MakeImplCommon<LocationSig Location, InputSig<Location> Lang> {
      */
     cached
     DataFlowCallable viableCallableLambda(DataFlowCall call, DataFlowCallOption lastCall) {
+      none() and
       exists(Node creation, LambdaCallKind kind |
         LambdaFlow::revLambdaFlow(call, kind, creation, _, _, _, lastCall) and
-        lambdaCreation(creation, kind, result)
+        lambdaCreation(creation, kind, result, _)
       )
     }
 
@@ -1080,7 +1350,7 @@ module MakeImplCommon<LocationSig Location, InputSig<Location> Lang> {
     cached
     DataFlowCallable viableImplInCallContextExt(DataFlowCall call, DataFlowCall ctx) {
       result = viableImplInCallContext(call, ctx) and
-      result = viableCallable(call)
+      result = viableCallableCached(call)
       or
       result = viableCallableLambda(call, TDataFlowCallSome(ctx))
       or
@@ -1224,6 +1494,35 @@ module MakeImplCommon<LocationSig Location, InputSig<Location> Lang> {
       )
     }
 
+    cached
+    predicate viableReturnPosOutEx(DataFlowCall call, ReturnPosition pos, NodeEx out) {
+      viableReturnPosOut(call, pos, out.asNode())
+      or
+      exists(ReturnKindExt kind |
+        pos = viableReturnPos(call, kind) and
+        out = kind.getAnOutNodeEx(call)
+      )
+    }
+
+    bindingset[call, p, arg]
+    private predicate golangSpecificParamArgFilterEx(DataFlowCall call, ParamNodeEx p, ArgNodeEx arg) {
+      golangSpecificParamArgFilter(call, p.asNode(), arg.asNode())
+      or
+      not p.asNode() instanceof ParamNode
+      or
+      not arg.asNode() instanceof ArgNode
+    }
+
+    cached
+    predicate viableParamArgEx(DataFlowCall call, ParamNodeEx p, ArgNodeEx arg) {
+      exists(ParameterPosition ppos |
+        viableParam(call, ppos, p.asNode()) and
+        argumentPositionMatchEx(call, arg, ppos) and
+        compatibleTypesFilter(arg.getDataFlowType(), p.getDataFlowType()) and
+        golangSpecificParamArgFilterEx(call, p, arg)
+      )
+    }
+
     /** Provides predicates for calculating flow-through summaries. */
     private module FlowThrough {
       /**
@@ -1255,7 +1554,7 @@ module MakeImplCommon<LocationSig Location, InputSig<Location> Lang> {
             // read
             exists(Node mid |
               parameterValueFlowCand(p, mid, false) and
-              readSet(mid, _, node) and
+              readStep(mid, _, node) and
               read = true
             )
             or
@@ -1271,7 +1570,7 @@ module MakeImplCommon<LocationSig Location, InputSig<Location> Lang> {
               argumentValueFlowsThroughCand(arg, node, false)
             )
           ) and
-          not expectsContentCached(node, _)
+          not expectsContent(node, _)
         }
 
         pragma[nomagic]
@@ -1502,7 +1801,37 @@ module MakeImplCommon<LocationSig Location, InputSig<Location> Lang> {
     }
 
     cached
-    predicate readSet(Node node1, ContentSet c, Node node2) { readStep(node1, c, node2) }
+    predicate readSet(NodeEx node1, ContentSet c, NodeEx node2) {
+      readStep(pragma[only_bind_into](node1.asNode()), c, pragma[only_bind_into](node2.asNode()))
+      or
+      exists(DataFlowCall call, LambdaCallKind k, Node receiver, ReturnKind kind |
+        lambdaCall(call, k, receiver) and
+        node1.asNode() = receiver
+      |
+        c.getAReadContent() = getLambdaReturnContent(k, kind) and
+        getAnOutNode(call, kind) = node2.asNode()
+        or
+        exists(ArgumentPosition apos |
+          c.getAReadContent() = getLambdaArgumentContent(k, apos) and
+          node2.asNode().(PostUpdateNode).getPreUpdateNode().(ArgNode).argumentOf(call, apos) and
+          // we should never read from the lambda itself
+          not any(ArgNodeEx arg | exists(arg.asLambdaMallocNode())).argumentOf(_, apos)
+        )
+      )
+      or
+      //read step from malloc to args
+      //lambdaCreation(Node creation, LambdaCallKind kind, DataFlowCallable c, DataFlowCall synthCall)
+      exists(Node lambda, DataFlowCall synthCall, LambdaCallKind k, ArgumentPosition apos |
+        lambdaCreation(lambda, k, _, synthCall) and
+        lambda = node1.asLambdaArgsNode() and
+        c.getAReadContent() = getLambdaArgumentContent(k, apos)
+      |
+        node2.isLambdaArgNode(synthCall, apos, false)
+        or
+        node2.asLambdaMallocNode() = lambda and
+        node2.(ArgNodeEx).argumentOf(_, apos)
+      )
+    }
 
     cached
     predicate storeSet(
@@ -1518,7 +1847,7 @@ module MakeImplCommon<LocationSig Location, InputSig<Location> Lang> {
       |
         argumentValueFlowsThrough(n2, TReadStepTypesSome(containerType, c, contentType), n1, _) // TODO
         or
-        readSet(n2, c, n1) and
+        readStep(n2, c, n1) and
         contentType = getNodeDataFlowType(n1) and
         containerType = getNodeDataFlowType(n2)
       )
@@ -1533,10 +1862,42 @@ module MakeImplCommon<LocationSig Location, InputSig<Location> Lang> {
      */
     cached
     predicate store(
-      Node node1, Content c, Node node2, DataFlowType contentType, DataFlowType containerType
+      NodeEx node1, Content c, NodeEx node2, DataFlowType contentType, DataFlowType containerType
     ) {
       exists(ContentSet cs |
-        c = cs.getAStoreContent() and storeSet(node1, cs, node2, contentType, containerType)
+        c = cs.getAStoreContent() and
+        storeSet(pragma[only_bind_into](node1.asNode()), cs, pragma[only_bind_into](node2.asNode()),
+          contentType, containerType)
+      )
+      or
+      contentType = node1.getDataFlowType() and
+      containerType = node2.getDataFlowType() and
+      (
+        // Arguments in a call to a lambda write to the receiving node at the
+        // `Content` corresponding to the argument position.
+        exists(DataFlowCall call, LambdaCallKind k, Node receiver, ArgumentPosition pos |
+          lambdaCall(call, k, receiver) and
+          node1.asNode().(ArgNode).argumentOf(call, pos) and
+          c = getLambdaArgumentContent(k, pos) and
+          node2.asNode().(PostUpdateNode).getPreUpdateNode() = receiver
+        )
+        or
+        // Simple returns in a lambda write to the post node for the
+        // lambda instance argument.
+        exists(DataFlowCallable lambda, LambdaCallKind k, ReturnKind kind |
+          lambdaCreation(_, k, lambda, _) and
+          hasSimpleReturnKindIn(node1.asNode(), kind, lambda) and
+          nodeGetEnclosingCallable(node2.asLambdaInstancePostUpdateNode()) = lambda and
+          c = getLambdaReturnContent(k, kind)
+        )
+        or
+        // Argument nodes to a synthetic call node for a lamda write to the
+        // lambda at the `Content` corresponding to the argument position.
+        exists(DataFlowCall synthCall, LambdaCallKind k, ArgumentPosition pos |
+          lambdaCreation(node2.asNode(), k, _, synthCall) and
+          node1.isLambdaArgNode(synthCall, pos, true) and
+          c = getLambdaArgumentContent(k, pos)
+        )
       )
     }
 
@@ -1572,7 +1933,9 @@ module MakeImplCommon<LocationSig Location, InputSig<Location> Lang> {
     }
 
     cached
-    predicate allowParameterReturnInSelfCached(ParamNode p) { allowParameterReturnInSelf(p) }
+    predicate allowParameterReturnInSelfCached(ParamNode p) {
+      allowParameterReturnInSelf(p) or isLambdaInstanceParameter(p)
+    }
 
     cached
     predicate paramMustFlow(ParamNode p, ArgNode arg) { localMustFlowStep+(p, arg) }
@@ -1625,9 +1988,10 @@ module MakeImplCommon<LocationSig Location, InputSig<Location> Lang> {
 
     pragma[nomagic]
     private predicate hasParamReturnKindIn(
-      PostUpdateNode n, ParamNode p, ReturnKindExt kind, DataFlowCallable c
+      PostUpdateNodeEx n, ParamNode p, ReturnKindExt kind, DataFlowCallable c
     ) {
-      c = getNodeEnclosingCallable(n) and
+      // c = getNodeEnclosingCallable(n) and
+      c = n.getEnclosingCallable() and
       paramReturnNode(n, p, _, kind)
     }
 
@@ -1648,7 +2012,7 @@ module MakeImplCommon<LocationSig Location, InputSig<Location> Lang> {
     }
 
     cached
-    ReturnPosition getParamReturnPosition(PostUpdateNode n, ParamNode p) {
+    ReturnPosition getParamReturnPosition(PostUpdateNodeEx n, ParamNode p) {
       exists(ReturnKindExt kind, DataFlowCallable c |
         hasParamReturnKindIn(n, p, kind, c) and
         result = TReturnPosition0(c, kind)
@@ -1707,7 +2071,40 @@ module MakeImplCommon<LocationSig Location, InputSig<Location> Lang> {
       TNodeImplicitRead(Node n) or // will be restricted to nodes with actual implicit reads in `DataFlowImpl.qll`
       TParamReturnNode(ParameterNode p, SndLevelScopeOption scope) {
         paramReturnNode(_, p, scope, _)
-      }
+      } or
+      TNodeLambdaInstancePostUpdate(ParameterNode pre) { isLambdaInstanceParameter(pre) } or
+      TNodeLambdaMalloc(Node lambda) { lambdaCreation(lambda, _, _, _) } or
+      TNodeLambdaArgs(Node lambda) { lambdaCreation(lambda, _, _, _) } or
+      TNodeLambdaArg(DataFlowCall synthCall, ArgumentPosition apos, Boolean ispost) {
+        exists(DataFlowCallable c, ParameterNode p, ParameterPosition ppos |
+          lambdaCreation(_, _, c, synthCall) and
+          isParameterNode(p, c, ppos) and
+          parameterMatch(ppos, apos) and
+          // not isLambdaInstanceParameter(p) and
+          exists(ispost)
+        )
+      } or
+      TNodeLambdaCapture(Node receiver) { lambdaCall(_, _, receiver) }
+
+    /*
+     * foo(() => "taint"); // taint --store(ReturnValue)--> this (post-update) [ReturnValue]
+     * // this (post-update) [ReturnValue] --> lambda (post-update) [ReturnValue]
+     * //
+     */
+
+    /*
+     * lambda = (x) = x.addTaint();
+     * synthcall(lambda, lambda.arg0); // arg0[post] --store(Argument0)--> lambda (post-update) [Argument0]
+     *
+     *
+     * foo(lambda)
+     *
+     * foo(l1) {
+     *    l1(x); // x --store(Argument0)--> l1 (post-update) [Argument0]
+     *    // l1 [Argument0] --read(Argument0)--> x (post-update)
+     *    // l1 [ReturnValue] --read(ReturnValue)--> l1(x)
+     * }
+     */
 
     /**
      * Holds if data can flow in one local step from `node1` to `node2`.
@@ -1720,13 +2117,25 @@ module MakeImplCommon<LocationSig Location, InputSig<Location> Lang> {
         simpleLocalFlowStepExt(pragma[only_bind_into](n1), pragma[only_bind_into](n2), model)
       )
       or
-      exists(Node n1, Node n2, SndLevelScopeOption scope |
+      exists(Node n2, SndLevelScopeOption scope |
-        node1.asNode() = n1 and
         node2 = TParamReturnNode(n2, scope) and
-        paramReturnNode(pragma[only_bind_into](n1), pragma[only_bind_into](n2),
+        paramReturnNode(node1, pragma[only_bind_into](n2), pragma[only_bind_into](scope), _) and
-          pragma[only_bind_into](scope), _) and
         model = ""
       )
+      or
+      LambdaFlow::lambdaFlowsToPostUpdate(node2.asLambdaArgsNode(), node1.asNode()) and
+      model = ""
+      or
+      // When data is stored in a captured variable content and reaches a lambda call,
+      // we need it to propagate back out to the lambda. We do this by adding flow
+      // from the lambda receiver to the post-update of the lambda receiver, but _only_
+      // for captured variable content. The latter restriction is enforced by going via
+      // an intermediate `expectsContent` node.
+      node1.asNode() = node2.asLambdaCaptureNode() and
+      model = ""
+      or
+      node2.asNode().(PostUpdateNode).getPreUpdateNode() = node1.asLambdaCaptureNode() and
+      model = ""
     }
 
     cached
@@ -2160,7 +2569,7 @@ module MakeImplCommon<LocationSig Location, InputSig<Location> Lang> {
   private predicate readStepWithTypes(
     Node n1, DataFlowType container, ContentSet c, Node n2, DataFlowType content
   ) {
-    readSet(n1, c, n2) and
+    readStep(n1, c, n2) and
     container = getNodeDataFlowType(n1) and
     content = getNodeDataFlowType(n2)
   }
@@ -2263,6 +2672,9 @@ module MakeImplCommon<LocationSig Location, InputSig<Location> Lang> {
 
     /** Gets a node corresponding to data flow out of `call`. */
     final OutNodeExt getAnOutNode(DataFlowCall call) { result = getAnOutNodeExt(call, this) }
+
+    /** Gets a node corresponding to data flow out of `call`. */
+    final OutNodeEx getAnOutNodeEx(DataFlowCall call) { result = getAnOutNodeEx(call, this) }
   }
 
   class ValueReturnKind extends ReturnKindExt, TValueReturn {

shared/dataflow/codeql/dataflow/internal/FlowSummaryImpl.qll

@@ -699,7 +699,8 @@ module Make<
       c.propagatesFlow(input, output, preservesValue, model)
       or
       // observe side effects of callbacks on input arguments
-      c.propagatesFlow(output, input, preservesValue, model) and
+      summary(c, output, input, preservesValue, model) and
+      // c.propagatesFlow(output, input, preservesValue, model) and
       preservesValue = true and
       isCallbackParameter(input) and
       isContentOfArgument(output, _)