Merge pull request #7150 from bmuskalla/removeClassFile

Java: Remove class file

.github/workflows/ruby-build.yml

@@ -102,16 +102,6 @@ jobs:
           PACK_FOLDER=$(readlink -f target/packs/codeql/ruby-queries/*)
           codeql/codeql generate query-help --format=sarifv2.1.0 --output="${PACK_FOLDER}/rules.sarif" ql/src
           (cd ql/src; find queries \( -name '*.qhelp' -o -name '*.rb' -o -name '*.erb' \) -exec bash -c 'mkdir -p "'"${PACK_FOLDER}"'/$(dirname "{}")"' \; -exec cp "{}" "${PACK_FOLDER}/{}" \;)
-      - name: Compile with previous CodeQL versions
-        run: |
-          for version in  $(gh release list --repo https://github.com/github/codeql-cli-binaries | cut -f 1 | sort --version-sort | tail -3 | head -2); do
-            rm -f codeql-linux64.zip
-            gh release download --repo https://github.com/github/codeql-cli-binaries --pattern codeql-linux64.zip "$version"
-            rm -rf codeql; unzip -q codeql-linux64.zip
-            codeql/codeql query compile target/packs/*
-          done
-        env:
-          GITHUB_TOKEN: ${{ github.token }}
       - uses: actions/upload-artifact@v2
         with:
           name: codeql-ruby-queries

.gitignore

@@ -27,3 +27,6 @@ csharp/extractor/Semmle.Extraction.CSharp.Driver/Properties/launchSettings.json
 
 # Avoid committing cached package components
 .codeql
+
+# Compiled class file
+*.class

cpp/change-notes/2021-11-09-use-of-http.md

@@ -0,0 +1,2 @@
+lgtm,codescanning
+* A new query `cpp/non-https-url` has been added for C/C++. The query flags uses of `http` URLs that might be better replaced with `https`.

cpp/ql/lib/semmle/code/cpp/commons/Printf.qll

@@ -6,6 +6,8 @@ import semmle.code.cpp.Type
 import semmle.code.cpp.commons.CommonType
 import semmle.code.cpp.commons.StringAnalysis
 import semmle.code.cpp.models.interfaces.FormattingFunction
+private import semmle.code.cpp.rangeanalysis.SimpleRangeAnalysis
+private import semmle.code.cpp.rangeanalysis.RangeAnalysisUtils
 
 class PrintfFormatAttribute extends FormatAttribute {
   PrintfFormatAttribute() { this.getArchetype() = ["printf", "__printf__"] }
@@ -268,6 +270,18 @@ class FormattingFunctionCall extends Expr {
   }
 }
 
+/**
+ * Gets the number of digits required to represent the integer represented by `f`.
+ *
+ * `f` is assumed to be nonnegative.
+ */
+bindingset[f]
+private int lengthInBase10(float f) {
+  f = 0 and result = 1
+  or
+  result = f.log10().floor() + 1
+}
+
 /**
  * A class to represent format strings that occur as arguments to invocations of formatting functions.
  */
@@ -1046,39 +1060,63 @@ class FormatLiteral extends Literal {
         or
         this.getConversionChar(n).toLowerCase() = ["d", "i"] and
         // e.g. -2^31 = "-2147483648"
-        exists(int sizeBits |
-          sizeBits =
-            min(int bits |
-              bits = this.getIntegralDisplayType(n).getSize() * 8
-              or
-              exists(IntegralType t |
-                t = this.getUse().getConversionArgument(n).getType().getUnderlyingType()
-              |
-                t.isSigned() and bits = t.getSize() * 8
-              )
-            ) and
-          len = 1 + ((sizeBits - 1) / 10.0.log2()).ceil()
-          // this calculation is as %u (below) only we take out the sign bit (- 1) and allow a whole
-          // character for it to be expressed as '-'.
-        )
+        len =
+          min(float cand |
+            // The first case handles length sub-specifiers
+            // Subtract one in the exponent because one bit is for the sign.
+            // Add 1 to account for the possible sign in the output.
+            cand = 1 + lengthInBase10(2.pow(this.getIntegralDisplayType(n).getSize() * 8 - 1))
+            or
+            // The second case uses range analysis to deduce a length that's shorter than the length
+            // of the number -2^31.
+            exists(Expr arg, float lower, float upper |
+              arg = this.getUse().getConversionArgument(n) and
+              lower = lowerBound(arg.getFullyConverted()) and
+              upper = upperBound(arg.getFullyConverted())
+            |
+              cand =
+                max(int cand0 |
+                  // Include the sign bit in the length if it can be negative
+                  (
+                    if lower < 0
+                    then cand0 = 1 + lengthInBase10(lower.abs())
+                    else cand0 = lengthInBase10(lower)
+                  )
+                  or
+                  (
+                    if upper < 0
+                    then cand0 = 1 + lengthInBase10(upper.abs())
+                    else cand0 = lengthInBase10(upper)
+                  )
+                )
+            )
+          )
         or
         this.getConversionChar(n).toLowerCase() = "u" and
         // e.g. 2^32 - 1 = "4294967295"
-        exists(int sizeBits |
-          sizeBits =
-            min(int bits |
-              bits = this.getIntegralDisplayType(n).getSize() * 8
-              or
-              exists(IntegralType t |
-                t = this.getUse().getConversionArgument(n).getType().getUnderlyingType()
-              |
-                t.isUnsigned() and bits = t.getSize() * 8
-              )
-            ) and
-          len = (sizeBits / 10.0.log2()).ceil()
-          // convert the size from bits to decimal characters, and round up as you can't have
-          // fractional characters (10.0.log2() is the number of bits expressed per decimal character)
-        )
+        len =
+          min(float cand |
+            // The first case handles length sub-specifiers
+            cand = 2.pow(this.getIntegralDisplayType(n).getSize() * 8)
+            or
+            // The second case uses range analysis to deduce a length that's shorter than
+            // the length of the number 2^31 - 1.
+            exists(Expr arg, float lower |
+              arg = this.getUse().getConversionArgument(n) and
+              lower = lowerBound(arg.getFullyConverted())
+            |
+              cand =
+                max(float cand0 |
+                  // If lower can be negative we use `(unsigned)-1` as the candidate value.
+                  lower < 0 and
+                  cand0 = 2.pow(any(IntType t | t.isUnsigned()).getSize() * 8)
+                  or
+                  cand0 = upperBound(arg.getFullyConverted())
+                )
+            )
+          |
+            lengthInBase10(cand)
+          )
         or
         this.getConversionChar(n).toLowerCase() = "x" and
         // e.g. "12345678"

cpp/ql/lib/semmle/code/cpp/dataflow/internal/DataFlowImpl.qll

@@ -3740,13 +3740,14 @@ private module Subpaths {
    */
   pragma[nomagic]
   private predicate subpaths01(
-    PathNode arg, ParamNodeEx par, SummaryCtxSome sc, CallContext innercc, ReturnKindExt kind,
+    PathNodeImpl arg, ParamNodeEx par, SummaryCtxSome sc, CallContext innercc, ReturnKindExt kind,
     NodeEx out, AccessPath apout
   ) {
     exists(Configuration config |
       pathThroughCallable(arg, out, _, pragma[only_bind_into](apout)) and
       pathIntoCallable(arg, par, _, innercc, sc, _, config) and
-      paramFlowsThrough(kind, innercc, sc, pragma[only_bind_into](apout), _, unbindConf(config))
+      paramFlowsThrough(kind, innercc, sc, pragma[only_bind_into](apout), _, unbindConf(config)) and
+      not arg.isHidden()
     )
   }
 
@@ -3780,8 +3781,17 @@ private module Subpaths {
       innercc = ret.getCallContext() and
       sc = ret.getSummaryCtx() and
       ret.getConfiguration() = unbindConf(getPathNodeConf(arg)) and
-      apout = ret.getAp() and
-      not ret.isHidden()
+      apout = ret.getAp()
+    )
+  }
+
+  private PathNodeImpl localStepToHidden(PathNodeImpl n) {
+    n.getASuccessorImpl() = result and
+    result.isHidden() and
+    exists(NodeEx n1, NodeEx n2 | n1 = n.getNodeEx() and n2 = result.getNodeEx() |
+      localFlowBigStep(n1, n2, _, _, _, _) or
+      store(n1, _, n2, _, _) or
+      read(n1, _, n2, _)
     )
   }
 
@@ -3790,11 +3800,12 @@ private module Subpaths {
    * a subpath between `par` and `ret` with the connecting edges `arg -> par` and
    * `ret -> out` is summarized as the edge `arg -> out`.
    */
-  predicate subpaths(PathNode arg, PathNodeImpl par, PathNodeMid ret, PathNodeMid out) {
+  predicate subpaths(PathNode arg, PathNodeImpl par, PathNodeImpl ret, PathNodeMid out) {
     exists(ParamNodeEx p, NodeEx o, AccessPath apout |
       pragma[only_bind_into](arg).getASuccessor() = par and
       pragma[only_bind_into](arg).getASuccessor() = out and
-      subpaths03(arg, p, ret, o, apout) and
+      subpaths03(arg, p, localStepToHidden*(ret), o, apout) and
+      not ret.isHidden() and
       par.getNodeEx() = p and
       out.getNodeEx() = o and
       out.getAp() = apout

cpp/ql/lib/semmle/code/cpp/dataflow/internal/DataFlowImpl2.qll

@@ -3740,13 +3740,14 @@ private module Subpaths {
    */
   pragma[nomagic]
   private predicate subpaths01(
-    PathNode arg, ParamNodeEx par, SummaryCtxSome sc, CallContext innercc, ReturnKindExt kind,
+    PathNodeImpl arg, ParamNodeEx par, SummaryCtxSome sc, CallContext innercc, ReturnKindExt kind,
     NodeEx out, AccessPath apout
   ) {
     exists(Configuration config |
       pathThroughCallable(arg, out, _, pragma[only_bind_into](apout)) and
       pathIntoCallable(arg, par, _, innercc, sc, _, config) and
-      paramFlowsThrough(kind, innercc, sc, pragma[only_bind_into](apout), _, unbindConf(config))
+      paramFlowsThrough(kind, innercc, sc, pragma[only_bind_into](apout), _, unbindConf(config)) and
+      not arg.isHidden()
     )
   }
 
@@ -3780,8 +3781,17 @@ private module Subpaths {
       innercc = ret.getCallContext() and
       sc = ret.getSummaryCtx() and
       ret.getConfiguration() = unbindConf(getPathNodeConf(arg)) and
-      apout = ret.getAp() and
-      not ret.isHidden()
+      apout = ret.getAp()
+    )
+  }
+
+  private PathNodeImpl localStepToHidden(PathNodeImpl n) {
+    n.getASuccessorImpl() = result and
+    result.isHidden() and
+    exists(NodeEx n1, NodeEx n2 | n1 = n.getNodeEx() and n2 = result.getNodeEx() |
+      localFlowBigStep(n1, n2, _, _, _, _) or
+      store(n1, _, n2, _, _) or
+      read(n1, _, n2, _)
     )
   }
 
@@ -3790,11 +3800,12 @@ private module Subpaths {
    * a subpath between `par` and `ret` with the connecting edges `arg -> par` and
    * `ret -> out` is summarized as the edge `arg -> out`.
    */
-  predicate subpaths(PathNode arg, PathNodeImpl par, PathNodeMid ret, PathNodeMid out) {
+  predicate subpaths(PathNode arg, PathNodeImpl par, PathNodeImpl ret, PathNodeMid out) {
     exists(ParamNodeEx p, NodeEx o, AccessPath apout |
       pragma[only_bind_into](arg).getASuccessor() = par and
       pragma[only_bind_into](arg).getASuccessor() = out and
-      subpaths03(arg, p, ret, o, apout) and
+      subpaths03(arg, p, localStepToHidden*(ret), o, apout) and
+      not ret.isHidden() and
       par.getNodeEx() = p and
       out.getNodeEx() = o and
       out.getAp() = apout

cpp/ql/lib/semmle/code/cpp/dataflow/internal/DataFlowImpl3.qll

@@ -3740,13 +3740,14 @@ private module Subpaths {
    */
   pragma[nomagic]
   private predicate subpaths01(
-    PathNode arg, ParamNodeEx par, SummaryCtxSome sc, CallContext innercc, ReturnKindExt kind,
+    PathNodeImpl arg, ParamNodeEx par, SummaryCtxSome sc, CallContext innercc, ReturnKindExt kind,
     NodeEx out, AccessPath apout
   ) {
     exists(Configuration config |
       pathThroughCallable(arg, out, _, pragma[only_bind_into](apout)) and
       pathIntoCallable(arg, par, _, innercc, sc, _, config) and
-      paramFlowsThrough(kind, innercc, sc, pragma[only_bind_into](apout), _, unbindConf(config))
+      paramFlowsThrough(kind, innercc, sc, pragma[only_bind_into](apout), _, unbindConf(config)) and
+      not arg.isHidden()
     )
   }
 
@@ -3780,8 +3781,17 @@ private module Subpaths {
       innercc = ret.getCallContext() and
       sc = ret.getSummaryCtx() and
       ret.getConfiguration() = unbindConf(getPathNodeConf(arg)) and
-      apout = ret.getAp() and
-      not ret.isHidden()
+      apout = ret.getAp()
+    )
+  }
+
+  private PathNodeImpl localStepToHidden(PathNodeImpl n) {
+    n.getASuccessorImpl() = result and
+    result.isHidden() and
+    exists(NodeEx n1, NodeEx n2 | n1 = n.getNodeEx() and n2 = result.getNodeEx() |
+      localFlowBigStep(n1, n2, _, _, _, _) or
+      store(n1, _, n2, _, _) or
+      read(n1, _, n2, _)
     )
   }
 
@@ -3790,11 +3800,12 @@ private module Subpaths {
    * a subpath between `par` and `ret` with the connecting edges `arg -> par` and
    * `ret -> out` is summarized as the edge `arg -> out`.
    */
-  predicate subpaths(PathNode arg, PathNodeImpl par, PathNodeMid ret, PathNodeMid out) {
+  predicate subpaths(PathNode arg, PathNodeImpl par, PathNodeImpl ret, PathNodeMid out) {
     exists(ParamNodeEx p, NodeEx o, AccessPath apout |
       pragma[only_bind_into](arg).getASuccessor() = par and
       pragma[only_bind_into](arg).getASuccessor() = out and
-      subpaths03(arg, p, ret, o, apout) and
+      subpaths03(arg, p, localStepToHidden*(ret), o, apout) and
+      not ret.isHidden() and
       par.getNodeEx() = p and
       out.getNodeEx() = o and
       out.getAp() = apout

cpp/ql/lib/semmle/code/cpp/dataflow/internal/DataFlowImpl4.qll

@@ -3740,13 +3740,14 @@ private module Subpaths {
    */
   pragma[nomagic]
   private predicate subpaths01(
-    PathNode arg, ParamNodeEx par, SummaryCtxSome sc, CallContext innercc, ReturnKindExt kind,
+    PathNodeImpl arg, ParamNodeEx par, SummaryCtxSome sc, CallContext innercc, ReturnKindExt kind,
     NodeEx out, AccessPath apout
   ) {
     exists(Configuration config |
       pathThroughCallable(arg, out, _, pragma[only_bind_into](apout)) and
       pathIntoCallable(arg, par, _, innercc, sc, _, config) and
-      paramFlowsThrough(kind, innercc, sc, pragma[only_bind_into](apout), _, unbindConf(config))
+      paramFlowsThrough(kind, innercc, sc, pragma[only_bind_into](apout), _, unbindConf(config)) and
+      not arg.isHidden()
     )
   }
 
@@ -3780,8 +3781,17 @@ private module Subpaths {
       innercc = ret.getCallContext() and
       sc = ret.getSummaryCtx() and
       ret.getConfiguration() = unbindConf(getPathNodeConf(arg)) and
-      apout = ret.getAp() and
-      not ret.isHidden()
+      apout = ret.getAp()
+    )
+  }
+
+  private PathNodeImpl localStepToHidden(PathNodeImpl n) {
+    n.getASuccessorImpl() = result and
+    result.isHidden() and
+    exists(NodeEx n1, NodeEx n2 | n1 = n.getNodeEx() and n2 = result.getNodeEx() |
+      localFlowBigStep(n1, n2, _, _, _, _) or
+      store(n1, _, n2, _, _) or
+      read(n1, _, n2, _)
     )
   }
 
@@ -3790,11 +3800,12 @@ private module Subpaths {
    * a subpath between `par` and `ret` with the connecting edges `arg -> par` and
    * `ret -> out` is summarized as the edge `arg -> out`.
    */
-  predicate subpaths(PathNode arg, PathNodeImpl par, PathNodeMid ret, PathNodeMid out) {
+  predicate subpaths(PathNode arg, PathNodeImpl par, PathNodeImpl ret, PathNodeMid out) {
     exists(ParamNodeEx p, NodeEx o, AccessPath apout |
       pragma[only_bind_into](arg).getASuccessor() = par and
       pragma[only_bind_into](arg).getASuccessor() = out and
-      subpaths03(arg, p, ret, o, apout) and
+      subpaths03(arg, p, localStepToHidden*(ret), o, apout) and
+      not ret.isHidden() and
       par.getNodeEx() = p and
       out.getNodeEx() = o and
       out.getAp() = apout

cpp/ql/lib/semmle/code/cpp/dataflow/internal/DataFlowImplLocal.qll

@@ -3740,13 +3740,14 @@ private module Subpaths {
    */
   pragma[nomagic]
   private predicate subpaths01(
-    PathNode arg, ParamNodeEx par, SummaryCtxSome sc, CallContext innercc, ReturnKindExt kind,
+    PathNodeImpl arg, ParamNodeEx par, SummaryCtxSome sc, CallContext innercc, ReturnKindExt kind,
     NodeEx out, AccessPath apout
   ) {
     exists(Configuration config |
       pathThroughCallable(arg, out, _, pragma[only_bind_into](apout)) and
       pathIntoCallable(arg, par, _, innercc, sc, _, config) and
-      paramFlowsThrough(kind, innercc, sc, pragma[only_bind_into](apout), _, unbindConf(config))
+      paramFlowsThrough(kind, innercc, sc, pragma[only_bind_into](apout), _, unbindConf(config)) and
+      not arg.isHidden()
     )
   }
 
@@ -3780,8 +3781,17 @@ private module Subpaths {
       innercc = ret.getCallContext() and
       sc = ret.getSummaryCtx() and
       ret.getConfiguration() = unbindConf(getPathNodeConf(arg)) and
-      apout = ret.getAp() and
-      not ret.isHidden()
+      apout = ret.getAp()
+    )
+  }
+
+  private PathNodeImpl localStepToHidden(PathNodeImpl n) {
+    n.getASuccessorImpl() = result and
+    result.isHidden() and
+    exists(NodeEx n1, NodeEx n2 | n1 = n.getNodeEx() and n2 = result.getNodeEx() |
+      localFlowBigStep(n1, n2, _, _, _, _) or
+      store(n1, _, n2, _, _) or
+      read(n1, _, n2, _)
     )
   }
 
@@ -3790,11 +3800,12 @@ private module Subpaths {
    * a subpath between `par` and `ret` with the connecting edges `arg -> par` and
    * `ret -> out` is summarized as the edge `arg -> out`.
    */
-  predicate subpaths(PathNode arg, PathNodeImpl par, PathNodeMid ret, PathNodeMid out) {
+  predicate subpaths(PathNode arg, PathNodeImpl par, PathNodeImpl ret, PathNodeMid out) {
     exists(ParamNodeEx p, NodeEx o, AccessPath apout |
       pragma[only_bind_into](arg).getASuccessor() = par and
       pragma[only_bind_into](arg).getASuccessor() = out and
-      subpaths03(arg, p, ret, o, apout) and
+      subpaths03(arg, p, localStepToHidden*(ret), o, apout) and
+      not ret.isHidden() and
       par.getNodeEx() = p and
       out.getNodeEx() = o and
       out.getAp() = apout

cpp/ql/lib/semmle/code/cpp/ir/dataflow/internal/DataFlowImpl.qll

@@ -3740,13 +3740,14 @@ private module Subpaths {
    */
   pragma[nomagic]
   private predicate subpaths01(
-    PathNode arg, ParamNodeEx par, SummaryCtxSome sc, CallContext innercc, ReturnKindExt kind,
+    PathNodeImpl arg, ParamNodeEx par, SummaryCtxSome sc, CallContext innercc, ReturnKindExt kind,
     NodeEx out, AccessPath apout
   ) {
     exists(Configuration config |
       pathThroughCallable(arg, out, _, pragma[only_bind_into](apout)) and
       pathIntoCallable(arg, par, _, innercc, sc, _, config) and
-      paramFlowsThrough(kind, innercc, sc, pragma[only_bind_into](apout), _, unbindConf(config))
+      paramFlowsThrough(kind, innercc, sc, pragma[only_bind_into](apout), _, unbindConf(config)) and
+      not arg.isHidden()
     )
   }
 
@@ -3780,8 +3781,17 @@ private module Subpaths {
       innercc = ret.getCallContext() and
       sc = ret.getSummaryCtx() and
       ret.getConfiguration() = unbindConf(getPathNodeConf(arg)) and
-      apout = ret.getAp() and
-      not ret.isHidden()
+      apout = ret.getAp()
+    )
+  }
+
+  private PathNodeImpl localStepToHidden(PathNodeImpl n) {
+    n.getASuccessorImpl() = result and
+    result.isHidden() and
+    exists(NodeEx n1, NodeEx n2 | n1 = n.getNodeEx() and n2 = result.getNodeEx() |
+      localFlowBigStep(n1, n2, _, _, _, _) or
+      store(n1, _, n2, _, _) or
+      read(n1, _, n2, _)
     )
   }
 
@@ -3790,11 +3800,12 @@ private module Subpaths {
    * a subpath between `par` and `ret` with the connecting edges `arg -> par` and
    * `ret -> out` is summarized as the edge `arg -> out`.
    */
-  predicate subpaths(PathNode arg, PathNodeImpl par, PathNodeMid ret, PathNodeMid out) {
+  predicate subpaths(PathNode arg, PathNodeImpl par, PathNodeImpl ret, PathNodeMid out) {
     exists(ParamNodeEx p, NodeEx o, AccessPath apout |
       pragma[only_bind_into](arg).getASuccessor() = par and
       pragma[only_bind_into](arg).getASuccessor() = out and
-      subpaths03(arg, p, ret, o, apout) and
+      subpaths03(arg, p, localStepToHidden*(ret), o, apout) and
+      not ret.isHidden() and
       par.getNodeEx() = p and
       out.getNodeEx() = o and
       out.getAp() = apout

cpp/ql/lib/semmle/code/cpp/ir/dataflow/internal/DataFlowImpl2.qll

@@ -3740,13 +3740,14 @@ private module Subpaths {
    */
   pragma[nomagic]
   private predicate subpaths01(
-    PathNode arg, ParamNodeEx par, SummaryCtxSome sc, CallContext innercc, ReturnKindExt kind,
+    PathNodeImpl arg, ParamNodeEx par, SummaryCtxSome sc, CallContext innercc, ReturnKindExt kind,
     NodeEx out, AccessPath apout
   ) {
     exists(Configuration config |
       pathThroughCallable(arg, out, _, pragma[only_bind_into](apout)) and
       pathIntoCallable(arg, par, _, innercc, sc, _, config) and
-      paramFlowsThrough(kind, innercc, sc, pragma[only_bind_into](apout), _, unbindConf(config))
+      paramFlowsThrough(kind, innercc, sc, pragma[only_bind_into](apout), _, unbindConf(config)) and
+      not arg.isHidden()
     )
   }
 
@@ -3780,8 +3781,17 @@ private module Subpaths {
       innercc = ret.getCallContext() and
       sc = ret.getSummaryCtx() and
       ret.getConfiguration() = unbindConf(getPathNodeConf(arg)) and
-      apout = ret.getAp() and
-      not ret.isHidden()
+      apout = ret.getAp()
+    )
+  }
+
+  private PathNodeImpl localStepToHidden(PathNodeImpl n) {
+    n.getASuccessorImpl() = result and
+    result.isHidden() and
+    exists(NodeEx n1, NodeEx n2 | n1 = n.getNodeEx() and n2 = result.getNodeEx() |
+      localFlowBigStep(n1, n2, _, _, _, _) or
+      store(n1, _, n2, _, _) or
+      read(n1, _, n2, _)
     )
   }
 
@@ -3790,11 +3800,12 @@ private module Subpaths {
    * a subpath between `par` and `ret` with the connecting edges `arg -> par` and
    * `ret -> out` is summarized as the edge `arg -> out`.
    */
-  predicate subpaths(PathNode arg, PathNodeImpl par, PathNodeMid ret, PathNodeMid out) {
+  predicate subpaths(PathNode arg, PathNodeImpl par, PathNodeImpl ret, PathNodeMid out) {
     exists(ParamNodeEx p, NodeEx o, AccessPath apout |
       pragma[only_bind_into](arg).getASuccessor() = par and
       pragma[only_bind_into](arg).getASuccessor() = out and
-      subpaths03(arg, p, ret, o, apout) and
+      subpaths03(arg, p, localStepToHidden*(ret), o, apout) and
+      not ret.isHidden() and
       par.getNodeEx() = p and
       out.getNodeEx() = o and
       out.getAp() = apout

cpp/ql/lib/semmle/code/cpp/ir/dataflow/internal/DataFlowImpl3.qll

@@ -3740,13 +3740,14 @@ private module Subpaths {
    */
   pragma[nomagic]
   private predicate subpaths01(
-    PathNode arg, ParamNodeEx par, SummaryCtxSome sc, CallContext innercc, ReturnKindExt kind,
+    PathNodeImpl arg, ParamNodeEx par, SummaryCtxSome sc, CallContext innercc, ReturnKindExt kind,
     NodeEx out, AccessPath apout
   ) {
     exists(Configuration config |
       pathThroughCallable(arg, out, _, pragma[only_bind_into](apout)) and
       pathIntoCallable(arg, par, _, innercc, sc, _, config) and
-      paramFlowsThrough(kind, innercc, sc, pragma[only_bind_into](apout), _, unbindConf(config))
+      paramFlowsThrough(kind, innercc, sc, pragma[only_bind_into](apout), _, unbindConf(config)) and
+      not arg.isHidden()
     )
   }
 
@@ -3780,8 +3781,17 @@ private module Subpaths {
       innercc = ret.getCallContext() and
       sc = ret.getSummaryCtx() and
       ret.getConfiguration() = unbindConf(getPathNodeConf(arg)) and
-      apout = ret.getAp() and
-      not ret.isHidden()
+      apout = ret.getAp()
+    )
+  }
+
+  private PathNodeImpl localStepToHidden(PathNodeImpl n) {
+    n.getASuccessorImpl() = result and
+    result.isHidden() and
+    exists(NodeEx n1, NodeEx n2 | n1 = n.getNodeEx() and n2 = result.getNodeEx() |
+      localFlowBigStep(n1, n2, _, _, _, _) or
+      store(n1, _, n2, _, _) or
+      read(n1, _, n2, _)
     )
   }
 
@@ -3790,11 +3800,12 @@ private module Subpaths {
    * a subpath between `par` and `ret` with the connecting edges `arg -> par` and
    * `ret -> out` is summarized as the edge `arg -> out`.
    */
-  predicate subpaths(PathNode arg, PathNodeImpl par, PathNodeMid ret, PathNodeMid out) {
+  predicate subpaths(PathNode arg, PathNodeImpl par, PathNodeImpl ret, PathNodeMid out) {
     exists(ParamNodeEx p, NodeEx o, AccessPath apout |
       pragma[only_bind_into](arg).getASuccessor() = par and
       pragma[only_bind_into](arg).getASuccessor() = out and
-      subpaths03(arg, p, ret, o, apout) and
+      subpaths03(arg, p, localStepToHidden*(ret), o, apout) and
+      not ret.isHidden() and
       par.getNodeEx() = p and
       out.getNodeEx() = o and
       out.getAp() = apout

cpp/ql/lib/semmle/code/cpp/ir/dataflow/internal/DataFlowImpl4.qll

@@ -3740,13 +3740,14 @@ private module Subpaths {
    */
   pragma[nomagic]
   private predicate subpaths01(
-    PathNode arg, ParamNodeEx par, SummaryCtxSome sc, CallContext innercc, ReturnKindExt kind,
+    PathNodeImpl arg, ParamNodeEx par, SummaryCtxSome sc, CallContext innercc, ReturnKindExt kind,
     NodeEx out, AccessPath apout
   ) {
     exists(Configuration config |
       pathThroughCallable(arg, out, _, pragma[only_bind_into](apout)) and
       pathIntoCallable(arg, par, _, innercc, sc, _, config) and
-      paramFlowsThrough(kind, innercc, sc, pragma[only_bind_into](apout), _, unbindConf(config))
+      paramFlowsThrough(kind, innercc, sc, pragma[only_bind_into](apout), _, unbindConf(config)) and
+      not arg.isHidden()
     )
   }
 
@@ -3780,8 +3781,17 @@ private module Subpaths {
       innercc = ret.getCallContext() and
       sc = ret.getSummaryCtx() and
       ret.getConfiguration() = unbindConf(getPathNodeConf(arg)) and
-      apout = ret.getAp() and
-      not ret.isHidden()
+      apout = ret.getAp()
+    )
+  }
+
+  private PathNodeImpl localStepToHidden(PathNodeImpl n) {
+    n.getASuccessorImpl() = result and
+    result.isHidden() and
+    exists(NodeEx n1, NodeEx n2 | n1 = n.getNodeEx() and n2 = result.getNodeEx() |
+      localFlowBigStep(n1, n2, _, _, _, _) or
+      store(n1, _, n2, _, _) or
+      read(n1, _, n2, _)
     )
   }
 
@@ -3790,11 +3800,12 @@ private module Subpaths {
    * a subpath between `par` and `ret` with the connecting edges `arg -> par` and
    * `ret -> out` is summarized as the edge `arg -> out`.
    */
-  predicate subpaths(PathNode arg, PathNodeImpl par, PathNodeMid ret, PathNodeMid out) {
+  predicate subpaths(PathNode arg, PathNodeImpl par, PathNodeImpl ret, PathNodeMid out) {
     exists(ParamNodeEx p, NodeEx o, AccessPath apout |
       pragma[only_bind_into](arg).getASuccessor() = par and
       pragma[only_bind_into](arg).getASuccessor() = out and
-      subpaths03(arg, p, ret, o, apout) and
+      subpaths03(arg, p, localStepToHidden*(ret), o, apout) and
+      not ret.isHidden() and
       par.getNodeEx() = p and
       out.getNodeEx() = o and
       out.getAp() = apout

cpp/ql/src/Security/CWE/CWE-319/UseOfHttp.cpp

@@ -0,0 +1,9 @@
+
+void openUrl(char *url)
+{
+	// ...
+}
+
+openUrl("http://example.com"); // BAD
+
+openUrl("https://example.com"); // GOOD: Opening a connection to a URL using HTTPS enforces SSL.

cpp/ql/src/Security/CWE/CWE-319/UseOfHttp.qhelp

@@ -0,0 +1,35 @@
+<!DOCTYPE qhelp PUBLIC
+  "-//Semmle//qhelp//EN"
+  "qhelp.dtd">
+<qhelp>
+<overview>
+
+<p>Constructing URLs with the HTTP protocol can lead to unsecured connections.</p>
+
+</overview>
+<recommendation>
+
+<p>When you construct a URL, ensure that you use an HTTPS URL rather than an HTTP URL. Then, any connections that are made using that URL are secure SSL connections.</p>
+
+</recommendation>
+<example>
+
+<p>The following example shows two ways of opening a connection using a URL. When the connection is 
+opened using an HTTP URL rather than an HTTPS URL, the connection is unsecured. When the connection is opened using an HTTPS URL, the connection is a secure SSL connection.</p>
+
+<sample src="UseOfHttp.cpp" />
+
+</example>
+<references>
+
+<li>
+OWASP:
+<a href="https://cheatsheetseries.owasp.org/cheatsheets/Transport_Layer_Protection_Cheat_Sheet.html">Transport Layer Protection Cheat Sheet</a>.
+</li>
+<li>
+OWASP Top 10:
+<a href="https://owasp.org/Top10/A08_2021-Software_and_Data_Integrity_Failures/">A08:2021 - Software and Data Integrity Failures</a>.
+</li>
+
+</references>
+</qhelp>

cpp/ql/src/Security/CWE/CWE-319/UseOfHttp.ql

@@ -0,0 +1,85 @@
+/**
+ * @name Failure to use HTTPS URLs
+ * @description Non-HTTPS connections can be intercepted by third parties.
+ * @kind path-problem
+ * @problem.severity warning
+ * @precision medium
+ * @id cpp/non-https-url
+ * @tags security
+ *       external/cwe/cwe-319
+ */
+
+import cpp
+import semmle.code.cpp.dataflow.TaintTracking
+import DataFlow::PathGraph
+
+/**
+ * A string matching private host names of IPv4 and IPv6, which only matches
+ * the host portion therefore checking for port is not necessary.
+ * Several examples are localhost, reserved IPv4 IP addresses including
+ * 127.0.0.1, 10.x.x.x, 172.16.x,x, 192.168.x,x, and reserved IPv6 addresses
+ * including [0:0:0:0:0:0:0:1] and [::1]
+ */
+class PrivateHostName extends string {
+  bindingset[this]
+  PrivateHostName() {
+    this.regexpMatch("(?i)localhost(?:[:/?#].*)?|127\\.0\\.0\\.1(?:[:/?#].*)?|10(?:\\.[0-9]+){3}(?:[:/?#].*)?|172\\.16(?:\\.[0-9]+){2}(?:[:/?#].*)?|192.168(?:\\.[0-9]+){2}(?:[:/?#].*)?|\\[?0:0:0:0:0:0:0:1\\]?(?:[:/?#].*)?|\\[?::1\\]?(?:[:/?#].*)?")
+  }
+}
+
+/**
+ * A string containing an HTTP URL not in a private domain.
+ */
+class HttpStringLiteral extends StringLiteral {
+  HttpStringLiteral() {
+    exists(string s | this.getValue() = s |
+      s = "http"
+      or
+      exists(string tail |
+        tail = s.regexpCapture("http://(.*)", 1) and not tail instanceof PrivateHostName
+      ) and
+      not TaintTracking::localExprTaint(any(StringLiteral p |
+          p.getValue() instanceof PrivateHostName
+        ), this.getParent*())
+    )
+  }
+}
+
+/**
+ * Taint tracking configuration for HTTP connections.
+ */
+class HttpStringToUrlOpenConfig extends TaintTracking::Configuration {
+  HttpStringToUrlOpenConfig() { this = "HttpStringToUrlOpenConfig" }
+
+  override predicate isSource(DataFlow::Node src) {
+    // Sources are strings containing an HTTP URL not in a private domain.
+    src.asExpr() instanceof HttpStringLiteral
+  }
+
+  override predicate isSink(DataFlow::Node sink) {
+    // Sinks can be anything that demonstrates the string is likely to be
+    // accessed as a URL, for example using it in a network access. Some
+    // URLs are only ever displayed or used for data processing.
+    exists(FunctionCall fc |
+      fc.getTarget().hasGlobalOrStdName(["system", "gethostbyname", "getaddrinfo"]) and
+      sink.asExpr() = fc.getArgument(0)
+      or
+      fc.getTarget().hasGlobalOrStdName(["send", "URLDownloadToFile", "URLDownloadToCacheFile"]) and
+      sink.asExpr() = fc.getArgument(1)
+      or
+      fc.getTarget().hasGlobalOrStdName(["curl_easy_setopt", "getnameinfo"]) and
+      sink.asExpr() = fc.getArgument(2)
+      or
+      fc.getTarget().hasGlobalOrStdName(["ShellExecute", "ShellExecuteA", "ShellExecuteW"]) and
+      sink.asExpr() = fc.getArgument(3)
+    )
+  }
+}
+
+from
+  HttpStringToUrlOpenConfig config, DataFlow::PathNode source, DataFlow::PathNode sink,
+  HttpStringLiteral str
+where
+  config.hasFlowPath(source, sink) and
+  str = source.getNode().asExpr()
+select str, source, sink, "A URL may be constructed with the HTTP protocol."

cpp/ql/src/experimental/Security/CWE/CWE-377/InsecureTemporaryFile.cpp

@@ -0,0 +1,14 @@
+...
+  fp = fopen("/tmp/name.tmp","w"); // BAD
+...
+  char filename = tmpnam(NULL);
+  fp = fopen(filename,"w"); // BAD
+...
+
+  strcat (filename, "/tmp/name.XXXXXX");
+  fd = mkstemp(filename);
+  if ( fd < 0 ) {
+    return error;
+  }
+  fp = fdopen(fd,"w") // GOOD
+...

cpp/ql/src/experimental/Security/CWE/CWE-377/InsecureTemporaryFile.qhelp

@@ -0,0 +1,23 @@
+<!DOCTYPE qhelp PUBLIC
+  "-//Semmle//qhelp//EN"
+  "qhelp.dtd">
+<qhelp>
+<overview>
+<p>Working with a file, without checking its existence and its rights, as well as working with names that can be predicted, may not be safe. Requires the attention of developers.</p>
+
+</overview>
+
+<example>
+<p>The following example demonstrates erroneous and corrected work with file.</p>
+<sample src="InsecureTemporaryFile.cpp" />
+
+</example>
+<references>
+
+<li>
+  CERT C Coding Standard:
+  <a href="https://wiki.sei.cmu.edu/confluence/display/c/CON33-C.+Avoid+race+conditions+when+using+library+functions">CON33-C. Avoid race conditions when using library functions</a>.
+</li>
+
+</references>
+</qhelp>

cpp/ql/src/experimental/Security/CWE/CWE-377/InsecureTemporaryFile.ql

@@ -0,0 +1,112 @@
+/**
+ * @name Insecure generation of filenames.
+ * @description Using a predictable filename when creating a temporary file can lead to an attacker-controlled input.
+ * @kind problem
+ * @id cpp/insecure-generation-of-filename
+ * @problem.severity warning
+ * @precision medium
+ * @tags correctness
+ *       security
+ *       external/cwe/cwe-377
+ */
+
+import cpp
+import semmle.code.cpp.valuenumbering.GlobalValueNumbering
+
+/** Holds for a function `f` that has an argument at index `apos` used to read the file. */
+predicate numberArgumentRead(Function f, int apos) {
+  f.hasGlobalOrStdName("fgets") and apos = 2
+  or
+  f.hasGlobalOrStdName("fread") and apos = 3
+  or
+  f.hasGlobalOrStdName("read") and apos = 0
+  or
+  f.hasGlobalOrStdName("fscanf") and apos = 0
+}
+
+/** Holds for a function `f` that has an argument at index `apos` used to write to file */
+predicate numberArgumentWrite(Function f, int apos) {
+  f.hasGlobalOrStdName("fprintf") and apos = 0
+  or
+  f.hasGlobalOrStdName("fputs") and apos = 1
+  or
+  f.hasGlobalOrStdName("write") and apos = 0
+  or
+  f.hasGlobalOrStdName("fwrite") and apos = 3
+  or
+  f.hasGlobalOrStdName("fflush") and apos = 0
+}
+
+from FunctionCall fc, string msg
+where
+  // search for functions for generating a name, without a guarantee of the absence of a file during the period of work with it.
+  (
+    fc.getTarget().hasGlobalOrStdName("tmpnam") or
+    fc.getTarget().hasGlobalOrStdName("tmpnam_s") or
+    fc.getTarget().hasGlobalOrStdName("tmpnam_r")
+  ) and
+  not exists(FunctionCall fctmp |
+    (
+      fctmp.getTarget().hasGlobalOrStdName("mktemp") or
+      fctmp.getTarget().hasGlobalOrStdName("mkstemp") or
+      fctmp.getTarget().hasGlobalOrStdName("mkstemps") or
+      fctmp.getTarget().hasGlobalOrStdName("mkdtemp")
+    ) and
+    (
+      fc.getBasicBlock().getASuccessor*() = fctmp.getBasicBlock() or
+      fctmp.getBasicBlock().getASuccessor*() = fc.getBasicBlock()
+    )
+  ) and
+  msg =
+    "Finding the name of a file that does not exist does not mean that it will not be exist at the next operation."
+  or
+  // finding places to work with a file without setting permissions, but with predictable names.
+  (
+    fc.getTarget().hasGlobalOrStdName("fopen") or
+    fc.getTarget().hasGlobalOrStdName("open")
+  ) and
+  fc.getNumberOfArguments() = 2 and
+  exists(FunctionCall fctmp, int i |
+    numberArgumentWrite(fctmp.getTarget(), i) and
+    globalValueNumber(fc) = globalValueNumber(fctmp.getArgument(i))
+  ) and
+  not exists(FunctionCall fctmp, int i |
+    numberArgumentRead(fctmp.getTarget(), i) and
+    globalValueNumber(fc) = globalValueNumber(fctmp.getArgument(i))
+  ) and
+  exists(FunctionCall fctmp |
+    (
+      fctmp.getTarget().hasGlobalOrStdName("strcat") or
+      fctmp.getTarget().hasGlobalOrStdName("strcpy")
+    ) and
+    globalValueNumber(fc.getArgument(0)) = globalValueNumber(fctmp.getAnArgument())
+    or
+    fctmp.getTarget().hasGlobalOrStdName("getenv") and
+    globalValueNumber(fc.getArgument(0)) = globalValueNumber(fctmp)
+    or
+    (
+      fctmp.getTarget().hasGlobalOrStdName("asprintf") or
+      fctmp.getTarget().hasGlobalOrStdName("vasprintf") or
+      fctmp.getTarget().hasGlobalOrStdName("xasprintf") or
+      fctmp.getTarget().hasGlobalOrStdName("xvasprintf ")
+    ) and
+    exists(Variable vrtmp |
+      vrtmp = fc.getArgument(0).(VariableAccess).getTarget() and
+      vrtmp = fctmp.getArgument(0).(AddressOfExpr).getAddressable().(Variable) and
+      not vrtmp instanceof Field
+    )
+  ) and
+  not exists(FunctionCall fctmp |
+    (
+      fctmp.getTarget().hasGlobalOrStdName("umask") or
+      fctmp.getTarget().hasGlobalOrStdName("fchmod") or
+      fctmp.getTarget().hasGlobalOrStdName("chmod")
+    ) and
+    (
+      fc.getBasicBlock().getASuccessor*() = fctmp.getBasicBlock() or
+      fctmp.getBasicBlock().getASuccessor*() = fc.getBasicBlock()
+    )
+  ) and
+  msg =
+    "Creating a file for writing without evaluating its existence and setting permissions can be unsafe."
+select fc, msg

cpp/ql/test/experimental/query-tests/Security/CWE/CWE-377/semmle/tests/InsecureTemporaryFile.expected

@@ -0,0 +1,2 @@
+| test.cpp:16:20:16:25 | call to tmpnam | Finding the name of a file that does not exist does not mean that it will not be exist at the next operation. |
+| test.cpp:42:8:42:12 | call to fopen | Creating a file for writing without evaluating its existence and setting permissions can be unsafe. |

cpp/ql/test/experimental/query-tests/Security/CWE/CWE-377/semmle/tests/InsecureTemporaryFile.qlref

@@ -0,0 +1 @@
+experimental/Security/CWE/CWE-377/InsecureTemporaryFile.ql

cpp/ql/test/experimental/query-tests/Security/CWE/CWE-377/semmle/tests/test.cpp

@@ -0,0 +1,68 @@
+typedef int FILE;
+#define NULL (0)
+FILE *fopen(char *filename, const char *mode);
+FILE *fdopen(int handle, char *mode);
+char * tmpnam(char * name);
+int mkstemp(char * name);
+char * strcat(char *str1, const char *str2);
+int umask(int pmode);
+int chmod(char * filename,int pmode);
+int fprintf(FILE *fp,const char *fmt, ...);
+int fclose(FILE *stream);
+
+int funcTest1()
+{
+  FILE *fp;
+  char *filename = tmpnam(NULL); // BAD
+  fp = fopen(filename,"w");
+  fprintf(fp,"%s\n","data to file");
+  fclose(fp);
+  return 0;
+}
+
+int funcTest2()
+{
+  FILE *fp;
+  int fd;
+  char filename[80];
+  strcat (filename, "/tmp/name.XXXXXX");
+  fd = mkstemp(filename);
+  if ( fd < 0 ) {
+    return 1;
+  }
+  fp = fdopen(fd,"w"); // GOOD
+  return 0;
+}
+
+int funcTest3()
+{
+  FILE *fp;
+  char filename[80];
+  strcat(filename, "/tmp/tmp.name");
+  fp = fopen(filename,"w"); // BAD
+  fprintf(fp,"%s\n","data to file");
+  fclose(fp);
+  return 0;
+}
+
+int funcTest4()
+{
+  FILE *fp;
+  char filename[80];
+  umask(0022);
+  strcat(filename, "/tmp/tmp.name");
+  fp = fopen(filename,"w"); // GOOD
+  chmod(filename,0666);
+  fprintf(fp,"%s\n","data to file");
+  fclose(fp);
+  return 0;
+}
+
+int main(int argc, char *argv[])
+{
+  funcTest1();
+  funcTest2();
+  funcTest3();
+  funcTest4();
+  return 0;
+}

cpp/ql/test/library-tests/dataflow/taint-tests/localTaint.expected

@@ -594,12 +594,6 @@
 | map.cpp:105:31:105:32 | call to map | map.cpp:136:7:136:8 | m2 |  |
 | map.cpp:105:31:105:32 | call to map | map.cpp:152:12:152:13 | m2 |  |
 | map.cpp:105:31:105:32 | call to map | map.cpp:152:30:152:31 | m2 |  |
-| map.cpp:105:31:105:32 | call to map | map.cpp:182:7:182:8 | m2 |  |
-| map.cpp:105:31:105:32 | call to map | map.cpp:183:7:183:8 | m2 |  |
-| map.cpp:105:31:105:32 | call to map | map.cpp:184:7:184:8 | m2 |  |
-| map.cpp:105:31:105:32 | call to map | map.cpp:185:7:185:8 | m2 |  |
-| map.cpp:105:31:105:32 | call to map | map.cpp:186:7:186:8 | m2 |  |
-| map.cpp:105:31:105:32 | call to map | map.cpp:187:7:187:8 | m2 |  |
 | map.cpp:105:31:105:32 | call to map | map.cpp:252:1:252:1 | m2 |  |
 | map.cpp:105:35:105:36 | call to map | map.cpp:109:7:109:8 | m3 |  |
 | map.cpp:105:35:105:36 | call to map | map.cpp:115:7:115:8 | m3 |  |
@@ -643,12 +637,6 @@
 | map.cpp:108:7:108:8 | ref arg m2 | map.cpp:136:7:136:8 | m2 |  |
 | map.cpp:108:7:108:8 | ref arg m2 | map.cpp:152:12:152:13 | m2 |  |
 | map.cpp:108:7:108:8 | ref arg m2 | map.cpp:152:30:152:31 | m2 |  |
-| map.cpp:108:7:108:8 | ref arg m2 | map.cpp:182:7:182:8 | m2 |  |
-| map.cpp:108:7:108:8 | ref arg m2 | map.cpp:183:7:183:8 | m2 |  |
-| map.cpp:108:7:108:8 | ref arg m2 | map.cpp:184:7:184:8 | m2 |  |
-| map.cpp:108:7:108:8 | ref arg m2 | map.cpp:185:7:185:8 | m2 |  |
-| map.cpp:108:7:108:8 | ref arg m2 | map.cpp:186:7:186:8 | m2 |  |
-| map.cpp:108:7:108:8 | ref arg m2 | map.cpp:187:7:187:8 | m2 |  |
 | map.cpp:108:7:108:8 | ref arg m2 | map.cpp:252:1:252:1 | m2 |  |
 | map.cpp:108:17:108:30 | call to make_pair | map.cpp:108:17:108:47 | call to pair | TAINT |
 | map.cpp:108:17:108:47 | call to pair | map.cpp:108:7:108:8 | ref arg m2 | TAINT |
@@ -717,12 +705,6 @@
 | map.cpp:120:7:120:8 | ref arg m2 | map.cpp:136:7:136:8 | m2 |  |
 | map.cpp:120:7:120:8 | ref arg m2 | map.cpp:152:12:152:13 | m2 |  |
 | map.cpp:120:7:120:8 | ref arg m2 | map.cpp:152:30:152:31 | m2 |  |
-| map.cpp:120:7:120:8 | ref arg m2 | map.cpp:182:7:182:8 | m2 |  |
-| map.cpp:120:7:120:8 | ref arg m2 | map.cpp:183:7:183:8 | m2 |  |
-| map.cpp:120:7:120:8 | ref arg m2 | map.cpp:184:7:184:8 | m2 |  |
-| map.cpp:120:7:120:8 | ref arg m2 | map.cpp:185:7:185:8 | m2 |  |
-| map.cpp:120:7:120:8 | ref arg m2 | map.cpp:186:7:186:8 | m2 |  |
-| map.cpp:120:7:120:8 | ref arg m2 | map.cpp:187:7:187:8 | m2 |  |
 | map.cpp:120:7:120:8 | ref arg m2 | map.cpp:252:1:252:1 | m2 |  |
 | map.cpp:121:7:121:8 | m3 | map.cpp:121:10:121:13 | call to find | TAINT |
 | map.cpp:121:7:121:8 | ref arg m3 | map.cpp:127:7:127:8 | m3 |  |
@@ -748,12 +730,6 @@
 | map.cpp:126:7:126:8 | ref arg m2 | map.cpp:136:7:136:8 | m2 |  |
 | map.cpp:126:7:126:8 | ref arg m2 | map.cpp:152:12:152:13 | m2 |  |
 | map.cpp:126:7:126:8 | ref arg m2 | map.cpp:152:30:152:31 | m2 |  |
-| map.cpp:126:7:126:8 | ref arg m2 | map.cpp:182:7:182:8 | m2 |  |
-| map.cpp:126:7:126:8 | ref arg m2 | map.cpp:183:7:183:8 | m2 |  |
-| map.cpp:126:7:126:8 | ref arg m2 | map.cpp:184:7:184:8 | m2 |  |
-| map.cpp:126:7:126:8 | ref arg m2 | map.cpp:185:7:185:8 | m2 |  |
-| map.cpp:126:7:126:8 | ref arg m2 | map.cpp:186:7:186:8 | m2 |  |
-| map.cpp:126:7:126:8 | ref arg m2 | map.cpp:187:7:187:8 | m2 |  |
 | map.cpp:126:7:126:8 | ref arg m2 | map.cpp:252:1:252:1 | m2 |  |
 | map.cpp:127:7:127:8 | m3 | map.cpp:127:10:127:13 | call to find | TAINT |
 | map.cpp:127:7:127:8 | ref arg m3 | map.cpp:158:12:158:13 | m3 |  |
@@ -830,12 +806,6 @@
 | map.cpp:150:8:150:9 | ref arg i1 | map.cpp:150:8:150:9 | i1 |  |
 | map.cpp:152:12:152:13 | m2 | map.cpp:152:15:152:19 | call to begin | TAINT |
 | map.cpp:152:12:152:13 | ref arg m2 | map.cpp:152:30:152:31 | m2 |  |
-| map.cpp:152:12:152:13 | ref arg m2 | map.cpp:182:7:182:8 | m2 |  |
-| map.cpp:152:12:152:13 | ref arg m2 | map.cpp:183:7:183:8 | m2 |  |
-| map.cpp:152:12:152:13 | ref arg m2 | map.cpp:184:7:184:8 | m2 |  |
-| map.cpp:152:12:152:13 | ref arg m2 | map.cpp:185:7:185:8 | m2 |  |
-| map.cpp:152:12:152:13 | ref arg m2 | map.cpp:186:7:186:8 | m2 |  |
-| map.cpp:152:12:152:13 | ref arg m2 | map.cpp:187:7:187:8 | m2 |  |
 | map.cpp:152:12:152:13 | ref arg m2 | map.cpp:252:1:252:1 | m2 |  |
 | map.cpp:152:15:152:19 | call to begin | map.cpp:152:7:152:21 | ... = ... |  |
 | map.cpp:152:15:152:19 | call to begin | map.cpp:152:24:152:25 | i2 |  |
@@ -845,12 +815,6 @@
 | map.cpp:152:15:152:19 | call to begin | map.cpp:156:8:156:9 | i2 |  |
 | map.cpp:152:30:152:31 | m2 | map.cpp:152:33:152:35 | call to end | TAINT |
 | map.cpp:152:30:152:31 | ref arg m2 | map.cpp:152:30:152:31 | m2 |  |
-| map.cpp:152:30:152:31 | ref arg m2 | map.cpp:182:7:182:8 | m2 |  |
-| map.cpp:152:30:152:31 | ref arg m2 | map.cpp:183:7:183:8 | m2 |  |
-| map.cpp:152:30:152:31 | ref arg m2 | map.cpp:184:7:184:8 | m2 |  |
-| map.cpp:152:30:152:31 | ref arg m2 | map.cpp:185:7:185:8 | m2 |  |
-| map.cpp:152:30:152:31 | ref arg m2 | map.cpp:186:7:186:8 | m2 |  |
-| map.cpp:152:30:152:31 | ref arg m2 | map.cpp:187:7:187:8 | m2 |  |
 | map.cpp:152:30:152:31 | ref arg m2 | map.cpp:252:1:252:1 | m2 |  |
 | map.cpp:152:40:152:41 | i2 | map.cpp:152:42:152:42 | call to operator++ |  |
 | map.cpp:152:40:152:41 | ref arg i2 | map.cpp:152:24:152:25 | i2 |  |
@@ -962,59 +926,89 @@
 | map.cpp:177:27:177:29 | call to map | map.cpp:179:2:179:4 | m14 |  |
 | map.cpp:177:27:177:29 | call to map | map.cpp:180:2:180:4 | m14 |  |
 | map.cpp:177:27:177:29 | call to map | map.cpp:181:2:181:4 | m14 |  |
+| map.cpp:177:27:177:29 | call to map | map.cpp:182:7:182:9 | m14 |  |
+| map.cpp:177:27:177:29 | call to map | map.cpp:183:7:183:9 | m14 |  |
+| map.cpp:177:27:177:29 | call to map | map.cpp:184:7:184:9 | m14 |  |
+| map.cpp:177:27:177:29 | call to map | map.cpp:185:7:185:9 | m14 |  |
+| map.cpp:177:27:177:29 | call to map | map.cpp:186:7:186:9 | m14 |  |
+| map.cpp:177:27:177:29 | call to map | map.cpp:187:7:187:9 | m14 |  |
 | map.cpp:177:27:177:29 | call to map | map.cpp:252:1:252:1 | m14 |  |
 | map.cpp:178:2:178:4 | ref arg m14 | map.cpp:179:2:179:4 | m14 |  |
 | map.cpp:178:2:178:4 | ref arg m14 | map.cpp:180:2:180:4 | m14 |  |
 | map.cpp:178:2:178:4 | ref arg m14 | map.cpp:181:2:181:4 | m14 |  |
+| map.cpp:178:2:178:4 | ref arg m14 | map.cpp:182:7:182:9 | m14 |  |
+| map.cpp:178:2:178:4 | ref arg m14 | map.cpp:183:7:183:9 | m14 |  |
+| map.cpp:178:2:178:4 | ref arg m14 | map.cpp:184:7:184:9 | m14 |  |
+| map.cpp:178:2:178:4 | ref arg m14 | map.cpp:185:7:185:9 | m14 |  |
+| map.cpp:178:2:178:4 | ref arg m14 | map.cpp:186:7:186:9 | m14 |  |
+| map.cpp:178:2:178:4 | ref arg m14 | map.cpp:187:7:187:9 | m14 |  |
 | map.cpp:178:2:178:4 | ref arg m14 | map.cpp:252:1:252:1 | m14 |  |
 | map.cpp:178:13:178:26 | call to make_pair | map.cpp:178:13:178:36 | call to pair | TAINT |
 | map.cpp:178:13:178:36 | call to pair | map.cpp:178:2:178:4 | ref arg m14 | TAINT |
 | map.cpp:178:13:178:36 | call to pair | map.cpp:178:6:178:11 | call to insert | TAINT |
 | map.cpp:179:2:179:4 | ref arg m14 | map.cpp:180:2:180:4 | m14 |  |
 | map.cpp:179:2:179:4 | ref arg m14 | map.cpp:181:2:181:4 | m14 |  |
+| map.cpp:179:2:179:4 | ref arg m14 | map.cpp:182:7:182:9 | m14 |  |
+| map.cpp:179:2:179:4 | ref arg m14 | map.cpp:183:7:183:9 | m14 |  |
+| map.cpp:179:2:179:4 | ref arg m14 | map.cpp:184:7:184:9 | m14 |  |
+| map.cpp:179:2:179:4 | ref arg m14 | map.cpp:185:7:185:9 | m14 |  |
+| map.cpp:179:2:179:4 | ref arg m14 | map.cpp:186:7:186:9 | m14 |  |
+| map.cpp:179:2:179:4 | ref arg m14 | map.cpp:187:7:187:9 | m14 |  |
 | map.cpp:179:2:179:4 | ref arg m14 | map.cpp:252:1:252:1 | m14 |  |
 | map.cpp:179:13:179:26 | call to make_pair | map.cpp:179:13:179:41 | call to pair | TAINT |
 | map.cpp:179:13:179:41 | call to pair | map.cpp:179:2:179:4 | ref arg m14 | TAINT |
 | map.cpp:179:13:179:41 | call to pair | map.cpp:179:6:179:11 | call to insert | TAINT |
 | map.cpp:180:2:180:4 | ref arg m14 | map.cpp:181:2:181:4 | m14 |  |
+| map.cpp:180:2:180:4 | ref arg m14 | map.cpp:182:7:182:9 | m14 |  |
+| map.cpp:180:2:180:4 | ref arg m14 | map.cpp:183:7:183:9 | m14 |  |
+| map.cpp:180:2:180:4 | ref arg m14 | map.cpp:184:7:184:9 | m14 |  |
+| map.cpp:180:2:180:4 | ref arg m14 | map.cpp:185:7:185:9 | m14 |  |
+| map.cpp:180:2:180:4 | ref arg m14 | map.cpp:186:7:186:9 | m14 |  |
+| map.cpp:180:2:180:4 | ref arg m14 | map.cpp:187:7:187:9 | m14 |  |
 | map.cpp:180:2:180:4 | ref arg m14 | map.cpp:252:1:252:1 | m14 |  |
 | map.cpp:180:13:180:26 | call to make_pair | map.cpp:180:13:180:41 | call to pair | TAINT |
 | map.cpp:180:13:180:41 | call to pair | map.cpp:180:2:180:4 | ref arg m14 | TAINT |
 | map.cpp:180:13:180:41 | call to pair | map.cpp:180:6:180:11 | call to insert | TAINT |
+| map.cpp:181:2:181:4 | ref arg m14 | map.cpp:182:7:182:9 | m14 |  |
+| map.cpp:181:2:181:4 | ref arg m14 | map.cpp:183:7:183:9 | m14 |  |
+| map.cpp:181:2:181:4 | ref arg m14 | map.cpp:184:7:184:9 | m14 |  |
+| map.cpp:181:2:181:4 | ref arg m14 | map.cpp:185:7:185:9 | m14 |  |
+| map.cpp:181:2:181:4 | ref arg m14 | map.cpp:186:7:186:9 | m14 |  |
+| map.cpp:181:2:181:4 | ref arg m14 | map.cpp:187:7:187:9 | m14 |  |
 | map.cpp:181:2:181:4 | ref arg m14 | map.cpp:252:1:252:1 | m14 |  |
 | map.cpp:181:13:181:26 | call to make_pair | map.cpp:181:13:181:36 | call to pair | TAINT |
 | map.cpp:181:13:181:36 | call to pair | map.cpp:181:2:181:4 | ref arg m14 | TAINT |
 | map.cpp:181:13:181:36 | call to pair | map.cpp:181:6:181:11 | call to insert | TAINT |
-| map.cpp:182:7:182:8 | m2 | map.cpp:182:10:182:20 | call to lower_bound | TAINT |
-| map.cpp:182:7:182:8 | ref arg m2 | map.cpp:183:7:183:8 | m2 |  |
-| map.cpp:182:7:182:8 | ref arg m2 | map.cpp:184:7:184:8 | m2 |  |
-| map.cpp:182:7:182:8 | ref arg m2 | map.cpp:185:7:185:8 | m2 |  |
-| map.cpp:182:7:182:8 | ref arg m2 | map.cpp:186:7:186:8 | m2 |  |
-| map.cpp:182:7:182:8 | ref arg m2 | map.cpp:187:7:187:8 | m2 |  |
-| map.cpp:182:7:182:8 | ref arg m2 | map.cpp:252:1:252:1 | m2 |  |
-| map.cpp:183:7:183:8 | m2 | map.cpp:183:10:183:20 | call to upper_bound | TAINT |
-| map.cpp:183:7:183:8 | ref arg m2 | map.cpp:184:7:184:8 | m2 |  |
-| map.cpp:183:7:183:8 | ref arg m2 | map.cpp:185:7:185:8 | m2 |  |
-| map.cpp:183:7:183:8 | ref arg m2 | map.cpp:186:7:186:8 | m2 |  |
-| map.cpp:183:7:183:8 | ref arg m2 | map.cpp:187:7:187:8 | m2 |  |
-| map.cpp:183:7:183:8 | ref arg m2 | map.cpp:252:1:252:1 | m2 |  |
-| map.cpp:184:7:184:8 | m2 | map.cpp:184:10:184:20 | call to equal_range | TAINT |
-| map.cpp:184:7:184:8 | ref arg m2 | map.cpp:185:7:185:8 | m2 |  |
-| map.cpp:184:7:184:8 | ref arg m2 | map.cpp:186:7:186:8 | m2 |  |
-| map.cpp:184:7:184:8 | ref arg m2 | map.cpp:187:7:187:8 | m2 |  |
-| map.cpp:184:7:184:8 | ref arg m2 | map.cpp:252:1:252:1 | m2 |  |
-| map.cpp:184:27:184:31 | first | map.cpp:184:7:184:31 | call to iterator |  |
-| map.cpp:185:7:185:8 | m2 | map.cpp:185:10:185:20 | call to equal_range | TAINT |
-| map.cpp:185:7:185:8 | ref arg m2 | map.cpp:186:7:186:8 | m2 |  |
-| map.cpp:185:7:185:8 | ref arg m2 | map.cpp:187:7:187:8 | m2 |  |
-| map.cpp:185:7:185:8 | ref arg m2 | map.cpp:252:1:252:1 | m2 |  |
-| map.cpp:185:27:185:32 | second | map.cpp:185:7:185:32 | call to iterator |  |
-| map.cpp:186:7:186:8 | m2 | map.cpp:186:10:186:20 | call to upper_bound | TAINT |
-| map.cpp:186:7:186:8 | ref arg m2 | map.cpp:187:7:187:8 | m2 |  |
-| map.cpp:186:7:186:8 | ref arg m2 | map.cpp:252:1:252:1 | m2 |  |
-| map.cpp:187:7:187:8 | m2 | map.cpp:187:10:187:20 | call to equal_range | TAINT |
-| map.cpp:187:7:187:8 | ref arg m2 | map.cpp:252:1:252:1 | m2 |  |
-| map.cpp:187:27:187:32 | second | map.cpp:187:7:187:32 | call to iterator |  |
+| map.cpp:182:7:182:9 | m14 | map.cpp:182:11:182:21 | call to lower_bound | TAINT |
+| map.cpp:182:7:182:9 | ref arg m14 | map.cpp:183:7:183:9 | m14 |  |
+| map.cpp:182:7:182:9 | ref arg m14 | map.cpp:184:7:184:9 | m14 |  |
+| map.cpp:182:7:182:9 | ref arg m14 | map.cpp:185:7:185:9 | m14 |  |
+| map.cpp:182:7:182:9 | ref arg m14 | map.cpp:186:7:186:9 | m14 |  |
+| map.cpp:182:7:182:9 | ref arg m14 | map.cpp:187:7:187:9 | m14 |  |
+| map.cpp:182:7:182:9 | ref arg m14 | map.cpp:252:1:252:1 | m14 |  |
+| map.cpp:183:7:183:9 | m14 | map.cpp:183:11:183:21 | call to upper_bound | TAINT |
+| map.cpp:183:7:183:9 | ref arg m14 | map.cpp:184:7:184:9 | m14 |  |
+| map.cpp:183:7:183:9 | ref arg m14 | map.cpp:185:7:185:9 | m14 |  |
+| map.cpp:183:7:183:9 | ref arg m14 | map.cpp:186:7:186:9 | m14 |  |
+| map.cpp:183:7:183:9 | ref arg m14 | map.cpp:187:7:187:9 | m14 |  |
+| map.cpp:183:7:183:9 | ref arg m14 | map.cpp:252:1:252:1 | m14 |  |
+| map.cpp:184:7:184:9 | m14 | map.cpp:184:11:184:21 | call to equal_range | TAINT |
+| map.cpp:184:7:184:9 | ref arg m14 | map.cpp:185:7:185:9 | m14 |  |
+| map.cpp:184:7:184:9 | ref arg m14 | map.cpp:186:7:186:9 | m14 |  |
+| map.cpp:184:7:184:9 | ref arg m14 | map.cpp:187:7:187:9 | m14 |  |
+| map.cpp:184:7:184:9 | ref arg m14 | map.cpp:252:1:252:1 | m14 |  |
+| map.cpp:184:28:184:32 | first | map.cpp:184:7:184:32 | call to iterator |  |
+| map.cpp:185:7:185:9 | m14 | map.cpp:185:11:185:21 | call to equal_range | TAINT |
+| map.cpp:185:7:185:9 | ref arg m14 | map.cpp:186:7:186:9 | m14 |  |
+| map.cpp:185:7:185:9 | ref arg m14 | map.cpp:187:7:187:9 | m14 |  |
+| map.cpp:185:7:185:9 | ref arg m14 | map.cpp:252:1:252:1 | m14 |  |
+| map.cpp:185:28:185:33 | second | map.cpp:185:7:185:33 | call to iterator |  |
+| map.cpp:186:7:186:9 | m14 | map.cpp:186:11:186:21 | call to upper_bound | TAINT |
+| map.cpp:186:7:186:9 | ref arg m14 | map.cpp:187:7:187:9 | m14 |  |
+| map.cpp:186:7:186:9 | ref arg m14 | map.cpp:252:1:252:1 | m14 |  |
+| map.cpp:187:7:187:9 | m14 | map.cpp:187:11:187:21 | call to equal_range | TAINT |
+| map.cpp:187:7:187:9 | ref arg m14 | map.cpp:252:1:252:1 | m14 |  |
+| map.cpp:187:28:187:33 | second | map.cpp:187:7:187:33 | call to iterator |  |
 | map.cpp:190:27:190:29 | call to map | map.cpp:191:2:191:4 | m15 |  |
 | map.cpp:190:27:190:29 | call to map | map.cpp:193:7:193:9 | m15 |  |
 | map.cpp:190:27:190:29 | call to map | map.cpp:197:2:197:4 | m15 |  |
@@ -1315,9 +1309,6 @@
 | map.cpp:257:41:257:42 | call to unordered_map | map.cpp:288:7:288:8 | m2 |  |
 | map.cpp:257:41:257:42 | call to unordered_map | map.cpp:304:12:304:13 | m2 |  |
 | map.cpp:257:41:257:42 | call to unordered_map | map.cpp:304:30:304:31 | m2 |  |
-| map.cpp:257:41:257:42 | call to unordered_map | map.cpp:334:7:334:8 | m2 |  |
-| map.cpp:257:41:257:42 | call to unordered_map | map.cpp:335:7:335:8 | m2 |  |
-| map.cpp:257:41:257:42 | call to unordered_map | map.cpp:336:7:336:8 | m2 |  |
 | map.cpp:257:41:257:42 | call to unordered_map | map.cpp:438:1:438:1 | m2 |  |
 | map.cpp:257:45:257:46 | call to unordered_map | map.cpp:261:7:261:8 | m3 |  |
 | map.cpp:257:45:257:46 | call to unordered_map | map.cpp:267:7:267:8 | m3 |  |
@@ -1361,9 +1352,6 @@
 | map.cpp:260:7:260:8 | ref arg m2 | map.cpp:288:7:288:8 | m2 |  |
 | map.cpp:260:7:260:8 | ref arg m2 | map.cpp:304:12:304:13 | m2 |  |
 | map.cpp:260:7:260:8 | ref arg m2 | map.cpp:304:30:304:31 | m2 |  |
-| map.cpp:260:7:260:8 | ref arg m2 | map.cpp:334:7:334:8 | m2 |  |
-| map.cpp:260:7:260:8 | ref arg m2 | map.cpp:335:7:335:8 | m2 |  |
-| map.cpp:260:7:260:8 | ref arg m2 | map.cpp:336:7:336:8 | m2 |  |
 | map.cpp:260:7:260:8 | ref arg m2 | map.cpp:438:1:438:1 | m2 |  |
 | map.cpp:260:17:260:30 | call to make_pair | map.cpp:260:17:260:47 | call to pair | TAINT |
 | map.cpp:260:17:260:47 | call to pair | map.cpp:260:7:260:8 | ref arg m2 | TAINT |
@@ -1432,9 +1420,6 @@
 | map.cpp:272:7:272:8 | ref arg m2 | map.cpp:288:7:288:8 | m2 |  |
 | map.cpp:272:7:272:8 | ref arg m2 | map.cpp:304:12:304:13 | m2 |  |
 | map.cpp:272:7:272:8 | ref arg m2 | map.cpp:304:30:304:31 | m2 |  |
-| map.cpp:272:7:272:8 | ref arg m2 | map.cpp:334:7:334:8 | m2 |  |
-| map.cpp:272:7:272:8 | ref arg m2 | map.cpp:335:7:335:8 | m2 |  |
-| map.cpp:272:7:272:8 | ref arg m2 | map.cpp:336:7:336:8 | m2 |  |
 | map.cpp:272:7:272:8 | ref arg m2 | map.cpp:438:1:438:1 | m2 |  |
 | map.cpp:273:7:273:8 | m3 | map.cpp:273:10:273:13 | call to find | TAINT |
 | map.cpp:273:7:273:8 | ref arg m3 | map.cpp:279:7:279:8 | m3 |  |
@@ -1460,9 +1445,6 @@
 | map.cpp:278:7:278:8 | ref arg m2 | map.cpp:288:7:288:8 | m2 |  |
 | map.cpp:278:7:278:8 | ref arg m2 | map.cpp:304:12:304:13 | m2 |  |
 | map.cpp:278:7:278:8 | ref arg m2 | map.cpp:304:30:304:31 | m2 |  |
-| map.cpp:278:7:278:8 | ref arg m2 | map.cpp:334:7:334:8 | m2 |  |
-| map.cpp:278:7:278:8 | ref arg m2 | map.cpp:335:7:335:8 | m2 |  |
-| map.cpp:278:7:278:8 | ref arg m2 | map.cpp:336:7:336:8 | m2 |  |
 | map.cpp:278:7:278:8 | ref arg m2 | map.cpp:438:1:438:1 | m2 |  |
 | map.cpp:279:7:279:8 | m3 | map.cpp:279:10:279:13 | call to find | TAINT |
 | map.cpp:279:7:279:8 | ref arg m3 | map.cpp:310:12:310:13 | m3 |  |
@@ -1539,9 +1521,6 @@
 | map.cpp:302:8:302:9 | ref arg i1 | map.cpp:302:8:302:9 | i1 |  |
 | map.cpp:304:12:304:13 | m2 | map.cpp:304:15:304:19 | call to begin | TAINT |
 | map.cpp:304:12:304:13 | ref arg m2 | map.cpp:304:30:304:31 | m2 |  |
-| map.cpp:304:12:304:13 | ref arg m2 | map.cpp:334:7:334:8 | m2 |  |
-| map.cpp:304:12:304:13 | ref arg m2 | map.cpp:335:7:335:8 | m2 |  |
-| map.cpp:304:12:304:13 | ref arg m2 | map.cpp:336:7:336:8 | m2 |  |
 | map.cpp:304:12:304:13 | ref arg m2 | map.cpp:438:1:438:1 | m2 |  |
 | map.cpp:304:15:304:19 | call to begin | map.cpp:304:7:304:21 | ... = ... |  |
 | map.cpp:304:15:304:19 | call to begin | map.cpp:304:24:304:25 | i2 |  |
@@ -1551,9 +1530,6 @@
 | map.cpp:304:15:304:19 | call to begin | map.cpp:308:8:308:9 | i2 |  |
 | map.cpp:304:30:304:31 | m2 | map.cpp:304:33:304:35 | call to end | TAINT |
 | map.cpp:304:30:304:31 | ref arg m2 | map.cpp:304:30:304:31 | m2 |  |
-| map.cpp:304:30:304:31 | ref arg m2 | map.cpp:334:7:334:8 | m2 |  |
-| map.cpp:304:30:304:31 | ref arg m2 | map.cpp:335:7:335:8 | m2 |  |
-| map.cpp:304:30:304:31 | ref arg m2 | map.cpp:336:7:336:8 | m2 |  |
 | map.cpp:304:30:304:31 | ref arg m2 | map.cpp:438:1:438:1 | m2 |  |
 | map.cpp:304:40:304:41 | i2 | map.cpp:304:42:304:42 | call to operator++ |  |
 | map.cpp:304:40:304:41 | ref arg i2 | map.cpp:304:24:304:25 | i2 |  |
@@ -1665,41 +1641,56 @@
 | map.cpp:329:37:329:39 | call to unordered_map | map.cpp:331:2:331:4 | m14 |  |
 | map.cpp:329:37:329:39 | call to unordered_map | map.cpp:332:2:332:4 | m14 |  |
 | map.cpp:329:37:329:39 | call to unordered_map | map.cpp:333:2:333:4 | m14 |  |
+| map.cpp:329:37:329:39 | call to unordered_map | map.cpp:334:7:334:9 | m14 |  |
+| map.cpp:329:37:329:39 | call to unordered_map | map.cpp:335:7:335:9 | m14 |  |
+| map.cpp:329:37:329:39 | call to unordered_map | map.cpp:336:7:336:9 | m14 |  |
 | map.cpp:329:37:329:39 | call to unordered_map | map.cpp:438:1:438:1 | m14 |  |
 | map.cpp:330:2:330:4 | ref arg m14 | map.cpp:331:2:331:4 | m14 |  |
 | map.cpp:330:2:330:4 | ref arg m14 | map.cpp:332:2:332:4 | m14 |  |
 | map.cpp:330:2:330:4 | ref arg m14 | map.cpp:333:2:333:4 | m14 |  |
+| map.cpp:330:2:330:4 | ref arg m14 | map.cpp:334:7:334:9 | m14 |  |
+| map.cpp:330:2:330:4 | ref arg m14 | map.cpp:335:7:335:9 | m14 |  |
+| map.cpp:330:2:330:4 | ref arg m14 | map.cpp:336:7:336:9 | m14 |  |
 | map.cpp:330:2:330:4 | ref arg m14 | map.cpp:438:1:438:1 | m14 |  |
 | map.cpp:330:13:330:26 | call to make_pair | map.cpp:330:13:330:36 | call to pair | TAINT |
 | map.cpp:330:13:330:36 | call to pair | map.cpp:330:2:330:4 | ref arg m14 | TAINT |
 | map.cpp:330:13:330:36 | call to pair | map.cpp:330:6:330:11 | call to insert | TAINT |
 | map.cpp:331:2:331:4 | ref arg m14 | map.cpp:332:2:332:4 | m14 |  |
 | map.cpp:331:2:331:4 | ref arg m14 | map.cpp:333:2:333:4 | m14 |  |
+| map.cpp:331:2:331:4 | ref arg m14 | map.cpp:334:7:334:9 | m14 |  |
+| map.cpp:331:2:331:4 | ref arg m14 | map.cpp:335:7:335:9 | m14 |  |
+| map.cpp:331:2:331:4 | ref arg m14 | map.cpp:336:7:336:9 | m14 |  |
 | map.cpp:331:2:331:4 | ref arg m14 | map.cpp:438:1:438:1 | m14 |  |
 | map.cpp:331:13:331:26 | call to make_pair | map.cpp:331:13:331:41 | call to pair | TAINT |
 | map.cpp:331:13:331:41 | call to pair | map.cpp:331:2:331:4 | ref arg m14 | TAINT |
 | map.cpp:331:13:331:41 | call to pair | map.cpp:331:6:331:11 | call to insert | TAINT |
 | map.cpp:332:2:332:4 | ref arg m14 | map.cpp:333:2:333:4 | m14 |  |
+| map.cpp:332:2:332:4 | ref arg m14 | map.cpp:334:7:334:9 | m14 |  |
+| map.cpp:332:2:332:4 | ref arg m14 | map.cpp:335:7:335:9 | m14 |  |
+| map.cpp:332:2:332:4 | ref arg m14 | map.cpp:336:7:336:9 | m14 |  |
 | map.cpp:332:2:332:4 | ref arg m14 | map.cpp:438:1:438:1 | m14 |  |
 | map.cpp:332:13:332:26 | call to make_pair | map.cpp:332:13:332:41 | call to pair | TAINT |
 | map.cpp:332:13:332:41 | call to pair | map.cpp:332:2:332:4 | ref arg m14 | TAINT |
 | map.cpp:332:13:332:41 | call to pair | map.cpp:332:6:332:11 | call to insert | TAINT |
+| map.cpp:333:2:333:4 | ref arg m14 | map.cpp:334:7:334:9 | m14 |  |
+| map.cpp:333:2:333:4 | ref arg m14 | map.cpp:335:7:335:9 | m14 |  |
+| map.cpp:333:2:333:4 | ref arg m14 | map.cpp:336:7:336:9 | m14 |  |
 | map.cpp:333:2:333:4 | ref arg m14 | map.cpp:438:1:438:1 | m14 |  |
 | map.cpp:333:13:333:26 | call to make_pair | map.cpp:333:13:333:36 | call to pair | TAINT |
 | map.cpp:333:13:333:36 | call to pair | map.cpp:333:2:333:4 | ref arg m14 | TAINT |
 | map.cpp:333:13:333:36 | call to pair | map.cpp:333:6:333:11 | call to insert | TAINT |
-| map.cpp:334:7:334:8 | m2 | map.cpp:334:10:334:20 | call to equal_range | TAINT |
-| map.cpp:334:7:334:8 | ref arg m2 | map.cpp:335:7:335:8 | m2 |  |
-| map.cpp:334:7:334:8 | ref arg m2 | map.cpp:336:7:336:8 | m2 |  |
-| map.cpp:334:7:334:8 | ref arg m2 | map.cpp:438:1:438:1 | m2 |  |
-| map.cpp:334:27:334:31 | first | map.cpp:334:7:334:31 | call to iterator |  |
-| map.cpp:335:7:335:8 | m2 | map.cpp:335:10:335:20 | call to equal_range | TAINT |
-| map.cpp:335:7:335:8 | ref arg m2 | map.cpp:336:7:336:8 | m2 |  |
-| map.cpp:335:7:335:8 | ref arg m2 | map.cpp:438:1:438:1 | m2 |  |
-| map.cpp:335:27:335:32 | second | map.cpp:335:7:335:32 | call to iterator |  |
-| map.cpp:336:7:336:8 | m2 | map.cpp:336:10:336:20 | call to equal_range | TAINT |
-| map.cpp:336:7:336:8 | ref arg m2 | map.cpp:438:1:438:1 | m2 |  |
-| map.cpp:336:27:336:32 | second | map.cpp:336:7:336:32 | call to iterator |  |
+| map.cpp:334:7:334:9 | m14 | map.cpp:334:11:334:21 | call to equal_range | TAINT |
+| map.cpp:334:7:334:9 | ref arg m14 | map.cpp:335:7:335:9 | m14 |  |
+| map.cpp:334:7:334:9 | ref arg m14 | map.cpp:336:7:336:9 | m14 |  |
+| map.cpp:334:7:334:9 | ref arg m14 | map.cpp:438:1:438:1 | m14 |  |
+| map.cpp:334:28:334:32 | first | map.cpp:334:7:334:32 | call to iterator |  |
+| map.cpp:335:7:335:9 | m14 | map.cpp:335:11:335:21 | call to equal_range | TAINT |
+| map.cpp:335:7:335:9 | ref arg m14 | map.cpp:336:7:336:9 | m14 |  |
+| map.cpp:335:7:335:9 | ref arg m14 | map.cpp:438:1:438:1 | m14 |  |
+| map.cpp:335:28:335:33 | second | map.cpp:335:7:335:33 | call to iterator |  |
+| map.cpp:336:7:336:9 | m14 | map.cpp:336:11:336:21 | call to equal_range | TAINT |
+| map.cpp:336:7:336:9 | ref arg m14 | map.cpp:438:1:438:1 | m14 |  |
+| map.cpp:336:28:336:33 | second | map.cpp:336:7:336:33 | call to iterator |  |
 | map.cpp:339:37:339:39 | call to unordered_map | map.cpp:340:2:340:4 | m15 |  |
 | map.cpp:339:37:339:39 | call to unordered_map | map.cpp:342:7:342:9 | m15 |  |
 | map.cpp:339:37:339:39 | call to unordered_map | map.cpp:346:2:346:4 | m15 |  |

cpp/ql/test/library-tests/dataflow/taint-tests/map.cpp

@@ -179,12 +179,12 @@ void test_map()
 	m14.insert(std::make_pair("b", source()));
 	m14.insert(std::make_pair("c", source()));
 	m14.insert(std::make_pair("d", "d"));
-	sink(m2.lower_bound("b")); // $ ast,ir
-	sink(m2.upper_bound("b")); // $ ast,ir
-	sink(m2.equal_range("b").first); // $ MISSING: ast,ir
-	sink(m2.equal_range("b").second); // $ MISSING: ast,ir
-	sink(m2.upper_bound("c")); // $ SPURIOUS: ast,ir
-	sink(m2.equal_range("c").second);
+	sink(m14.lower_bound("b")); // $ ast,ir=179:33 ast,ir=180:33
+	sink(m14.upper_bound("b")); // $ ast,ir=179:33 ast,ir=180:33
+	sink(m14.equal_range("b").first); // $ MISSING: ast,ir
+	sink(m14.equal_range("b").second); // $ MISSING: ast,ir
+	sink(m14.upper_bound("c")); // $ SPURIOUS: ast,ir=179:33 ast,ir=180:33
+	sink(m14.equal_range("c").second);
 
 	// swap
 	std::map<char *, char *> m15, m16, m17, m18;
@@ -331,9 +331,9 @@ void test_unordered_map()
 	m14.insert(std::make_pair("b", source()));
 	m14.insert(std::make_pair("c", source()));
 	m14.insert(std::make_pair("d", "d"));
-	sink(m2.equal_range("b").first);
-	sink(m2.equal_range("b").second); // $ MISSING: ast,ir
-	sink(m2.equal_range("c").second);
+	sink(m14.equal_range("b").first);
+	sink(m14.equal_range("b").second); // $ MISSING: ast,ir
+	sink(m14.equal_range("c").second);
 
 	// swap
 	std::unordered_map<char *, char *> m15, m16, m17, m18;

cpp/ql/test/library-tests/ir/ir/PrintAST.expected

@@ -11251,10 +11251,13 @@ ir.cpp:
 # 1444|           getExpr(): [FunctionCall] call to returnValue
 # 1444|               Type = [Struct] POD_Middle
 # 1444|               ValueCategory = prvalue
-# 1444|           getExpr().getFullyConverted(): [CStyleCast] (POD_Base)...
-# 1444|               Conversion = [BaseClassConversion] base class conversion
-# 1444|               Type = [Struct] POD_Base
-# 1444|               ValueCategory = prvalue
+#-----|           getExpr().getFullyConverted(): [CStyleCast] (POD_Base)...
+#-----|               Conversion = [BaseClassConversion] base class conversion
+#-----|               Type = [Struct] POD_Base
+#-----|               ValueCategory = prvalue(load)
+#-----|             getExpr(): [TemporaryObjectExpr] temporary object
+#-----|                 Type = [Struct] POD_Middle
+#-----|                 ValueCategory = xvalue
 # 1445|     getStmt(1): [ExprStmt] ExprStmt
 # 1445|       getExpr(): [AssignExpr] ... = ...
 # 1445|           Type = [Struct] POD_Base
@@ -11285,18 +11288,21 @@ ir.cpp:
 # 1446|         getVariable().getInitializer(): [Initializer] initializer for x
 # 1446|           getExpr(): [ValueFieldAccess] x
 # 1446|               Type = [IntType] int
-# 1446|               ValueCategory = prvalue
+# 1446|               ValueCategory = prvalue(load)
 # 1446|             getQualifier(): [FunctionCall] call to returnValue
 # 1446|                 Type = [Struct] POD_Derived
 # 1446|                 ValueCategory = prvalue
-# 1446|             getQualifier().getFullyConverted(): [CStyleCast] (POD_Base)...
-# 1446|                 Conversion = [BaseClassConversion] base class conversion
-# 1446|                 Type = [Struct] POD_Base
-# 1446|                 ValueCategory = prvalue
-# 1446|               getExpr(): [CStyleCast] (POD_Middle)...
-# 1446|                   Conversion = [BaseClassConversion] base class conversion
-# 1446|                   Type = [Struct] POD_Middle
-# 1446|                   ValueCategory = prvalue
+#-----|             getQualifier().getFullyConverted(): [CStyleCast] (POD_Base)...
+#-----|                 Conversion = [BaseClassConversion] base class conversion
+#-----|                 Type = [Struct] POD_Base
+#-----|                 ValueCategory = xvalue
+#-----|               getExpr(): [CStyleCast] (POD_Middle)...
+#-----|                   Conversion = [BaseClassConversion] base class conversion
+#-----|                   Type = [Struct] POD_Middle
+#-----|                   ValueCategory = xvalue
+#-----|                 getExpr(): [TemporaryObjectExpr] temporary object
+#-----|                     Type = [Struct] POD_Derived
+#-----|                     ValueCategory = xvalue
 # 1447|     getStmt(3): [DeclStmt] declaration
 # 1447|       getDeclarationEntry(0): [VariableDeclarationEntry] definition of f
 # 1447|           Type = [FloatType] float
@@ -11307,17 +11313,24 @@ ir.cpp:
 # 1447|             getQualifier(): [FunctionCall] call to returnValue
 # 1447|                 Type = [Struct] POD_Derived
 # 1447|                 ValueCategory = prvalue
-# 1447|             getQualifier().getFullyConverted(): [CStyleCast] (const POD_Base)...
-# 1447|                 Conversion = [BaseClassConversion] base class conversion
-# 1447|                 Type = [SpecifiedType] const POD_Base
-# 1447|                 ValueCategory = prvalue
-# 1447|               getExpr(): [CStyleCast] (POD_Middle)...
-# 1447|                   Conversion = [BaseClassConversion] base class conversion
-# 1447|                   Type = [Struct] POD_Middle
-# 1447|                   ValueCategory = prvalue
-# 1447|                 getExpr(): [ParenthesisExpr] (...)
-# 1447|                     Type = [Struct] POD_Derived
-# 1447|                     ValueCategory = prvalue
+#-----|             getQualifier().getFullyConverted(): [CStyleCast] (const POD_Base)...
+#-----|                 Conversion = [GlvalueConversion] glvalue conversion
+#-----|                 Type = [SpecifiedType] const POD_Base
+#-----|                 ValueCategory = xvalue
+#-----|               getExpr(): [CStyleCast] (POD_Base)...
+#-----|                   Conversion = [BaseClassConversion] base class conversion
+#-----|                   Type = [Struct] POD_Base
+#-----|                   ValueCategory = xvalue
+#-----|                 getExpr(): [CStyleCast] (POD_Middle)...
+#-----|                     Conversion = [BaseClassConversion] base class conversion
+#-----|                     Type = [Struct] POD_Middle
+#-----|                     ValueCategory = xvalue
+#-----|                   getExpr(): [TemporaryObjectExpr] temporary object
+#-----|                       Type = [Struct] POD_Derived
+#-----|                       ValueCategory = xvalue
+# 1447|                     getExpr(): [ParenthesisExpr] (...)
+# 1447|                         Type = [Struct] POD_Derived
+# 1447|                         ValueCategory = prvalue
 # 1448|     getStmt(4): [ReturnStmt] return ...
 perf-regression.cpp:
 #    4| [CopyAssignmentOperator] Big& Big::operator=(Big const&)

cpp/ql/test/library-tests/ir/ir/raw_ir.expected

@@ -7810,14 +7810,14 @@ ir.cpp:
 # 1443|     mu1443_2(unknown)           = AliasedDefinition                                 : 
 # 1443|     mu1443_3(unknown)           = InitializeNonLocal                                : 
 # 1444|     r1444_1(glval<POD_Base>)    = VariableAddress[b]                                : 
+#-----|     r0_1(glval<POD_Middle>)     = VariableAddress[#temp0:0]                         : 
 # 1444|     r1444_2(glval<unknown>)     = FunctionAddress[returnValue]                      : 
 # 1444|     r1444_3(POD_Middle)         = Call[returnValue]                                 : func:r1444_2
 # 1444|     mu1444_4(unknown)           = ^CallSideEffect                                   : ~m?
-# 1444|     r1444_5(glval<POD_Middle>)  = VariableAddress[#temp1444:18]                     : 
-# 1444|     mu1444_6(POD_Middle)        = Store[#temp1444:18]                               : &:r1444_5, r1444_3
-# 1444|     r1444_7(glval<POD_Base>)    = ConvertToNonVirtualBase[POD_Middle : POD_Base]    : r1444_5
-# 1444|     r1444_8(POD_Base)           = Load[?]                                           : &:r1444_7, ~m?
-# 1444|     mu1444_9(POD_Base)          = Store[b]                                          : &:r1444_1, r1444_8
+# 1444|     mu1444_5(POD_Middle)        = Store[#temp0:0]                                   : &:r0_1, r1444_3
+#-----|     r0_2(glval<POD_Base>)       = ConvertToNonVirtualBase[POD_Middle : POD_Base]    : r0_1
+#-----|     r0_3(POD_Base)              = Load[?]                                           : &:r0_2, ~m?
+#-----|     mu0_4(POD_Base)             = Store[b]                                          : &:r1444_1, r0_3
 # 1445|     r1445_1(glval<POD_Derived>) = VariableAddress[#temp1445:9]                      : 
 # 1445|     r1445_2(glval<unknown>)     = FunctionAddress[returnValue]                      : 
 # 1445|     r1445_3(POD_Derived)        = Call[returnValue]                                 : func:r1445_2
@@ -7829,29 +7829,30 @@ ir.cpp:
 # 1445|     r1445_9(glval<POD_Base>)    = VariableAddress[b]                                : 
 # 1445|     mu1445_10(POD_Base)         = Store[b]                                          : &:r1445_9, r1445_8
 # 1446|     r1446_1(glval<int>)         = VariableAddress[x]                                : 
+#-----|     r0_5(glval<POD_Derived>)    = VariableAddress[#temp0:0]                         : 
 # 1446|     r1446_2(glval<unknown>)     = FunctionAddress[returnValue]                      : 
 # 1446|     r1446_3(POD_Derived)        = Call[returnValue]                                 : func:r1446_2
 # 1446|     mu1446_4(unknown)           = ^CallSideEffect                                   : ~m?
-# 1446|     r1446_5(glval<POD_Derived>) = VariableAddress[#temp1446:13]                     : 
-# 1446|     mu1446_6(POD_Derived)       = Store[#temp1446:13]                               : &:r1446_5, r1446_3
-# 1446|     r1446_7(glval<POD_Middle>)  = ConvertToNonVirtualBase[POD_Derived : POD_Middle] : r1446_5
-# 1446|     r1446_8(glval<POD_Base>)    = ConvertToNonVirtualBase[POD_Middle : POD_Base]    : r1446_7
-# 1446|     r1446_9(glval<int>)         = FieldAddress[x]                                   : r1446_8
-# 1446|     r1446_10(int)               = Load[?]                                           : &:r1446_9, ~m?
-# 1446|     mu1446_11(int)              = Store[x]                                          : &:r1446_1, r1446_10
+# 1446|     mu1446_5(POD_Derived)       = Store[#temp0:0]                                   : &:r0_5, r1446_3
+#-----|     r0_6(glval<POD_Middle>)     = ConvertToNonVirtualBase[POD_Derived : POD_Middle] : r0_5
+#-----|     r0_7(glval<POD_Base>)       = ConvertToNonVirtualBase[POD_Middle : POD_Base]    : r0_6
+# 1446|     r1446_6(glval<int>)         = FieldAddress[x]                                   : r0_7
+# 1446|     r1446_7(int)                = Load[?]                                           : &:r1446_6, ~m?
+# 1446|     mu1446_8(int)               = Store[x]                                          : &:r1446_1, r1446_7
 # 1447|     r1447_1(glval<float>)       = VariableAddress[f]                                : 
+#-----|     r0_8(glval<POD_Derived>)    = VariableAddress[#temp0:0]                         : 
 # 1447|     r1447_2(glval<unknown>)     = FunctionAddress[returnValue]                      : 
 # 1447|     r1447_3(POD_Derived)        = Call[returnValue]                                 : func:r1447_2
 # 1447|     mu1447_4(unknown)           = ^CallSideEffect                                   : ~m?
-# 1447|     r1447_5(glval<POD_Derived>) = VariableAddress[#temp1447:16]                     : 
-# 1447|     mu1447_6(POD_Derived)       = Store[#temp1447:16]                               : &:r1447_5, r1447_3
-# 1447|     r1447_7(glval<POD_Middle>)  = ConvertToNonVirtualBase[POD_Derived : POD_Middle] : r1447_5
-# 1447|     r1447_8(glval<POD_Base>)    = ConvertToNonVirtualBase[POD_Middle : POD_Base]    : r1447_7
-# 1447|     r1447_9(glval<unknown>)     = FunctionAddress[f]                                : 
-# 1447|     r1447_10(float)             = Call[f]                                           : func:r1447_9, this:r1447_8
-# 1447|     mu1447_11(unknown)          = ^CallSideEffect                                   : ~m?
-# 1447|     v1447_12(void)              = ^IndirectReadSideEffect[-1]                       : &:r1447_8, ~m?
-# 1447|     mu1447_13(float)            = Store[f]                                          : &:r1447_1, r1447_10
+# 1447|     mu1447_5(POD_Derived)       = Store[#temp0:0]                                   : &:r0_8, r1447_3
+#-----|     r0_9(glval<POD_Middle>)     = ConvertToNonVirtualBase[POD_Derived : POD_Middle] : r0_8
+#-----|     r0_10(glval<POD_Base>)      = ConvertToNonVirtualBase[POD_Middle : POD_Base]    : r0_9
+#-----|     r0_11(glval<POD_Base>)      = Convert                                           : r0_10
+# 1447|     r1447_6(glval<unknown>)     = FunctionAddress[f]                                : 
+# 1447|     r1447_7(float)              = Call[f]                                           : func:r1447_6, this:r0_11
+# 1447|     mu1447_8(unknown)           = ^CallSideEffect                                   : ~m?
+#-----|     v0_12(void)                 = ^IndirectReadSideEffect[-1]                       : &:r0_11, ~m?
+# 1447|     mu1447_9(float)             = Store[f]                                          : &:r1447_1, r1447_7
 # 1448|     v1448_1(void)               = NoOp                                              : 
 # 1443|     v1443_4(void)               = ReturnVoid                                        : 
 # 1443|     v1443_5(void)               = AliasedUse                                        : ~m?

cpp/ql/test/query-tests/Security/CWE/CWE-242/semmle/tests/OverrunWrite.expected

@@ -3,3 +3,13 @@
 | tests.cpp:272:2:272:8 | call to sprintf | This 'call to sprintf' operation requires 9 bytes but the destination is only 8 bytes. |
 | tests.cpp:273:2:273:8 | call to sprintf | This 'call to sprintf' operation requires 9 bytes but the destination is only 8 bytes. |
 | tests.cpp:308:3:308:9 | call to sprintf | This 'call to sprintf' operation requires 9 bytes but the destination is only 8 bytes. |
+| tests.cpp:315:2:315:8 | call to sprintf | This 'call to sprintf' operation requires 11 bytes but the destination is only 2 bytes. |
+| tests.cpp:316:2:316:8 | call to sprintf | This 'call to sprintf' operation requires 11 bytes but the destination is only 2 bytes. |
+| tests.cpp:321:2:321:8 | call to sprintf | This 'call to sprintf' operation requires 11 bytes but the destination is only 2 bytes. |
+| tests.cpp:324:3:324:9 | call to sprintf | This 'call to sprintf' operation requires 11 bytes but the destination is only 2 bytes. |
+| tests.cpp:327:2:327:8 | call to sprintf | This 'call to sprintf' operation requires 12 bytes but the destination is only 2 bytes. |
+| tests.cpp:329:3:329:9 | call to sprintf | This 'call to sprintf' operation requires 12 bytes but the destination is only 2 bytes. |
+| tests.cpp:341:2:341:8 | call to sprintf | This 'call to sprintf' operation requires 3 bytes but the destination is only 2 bytes. |
+| tests.cpp:343:2:343:8 | call to sprintf | This 'call to sprintf' operation requires 3 bytes but the destination is only 2 bytes. |
+| tests.cpp:345:2:345:8 | call to sprintf | This 'call to sprintf' operation requires 11 bytes but the destination is only 2 bytes. |
+| tests.cpp:347:2:347:8 | call to sprintf | This 'call to sprintf' operation requires 3 bytes but the destination is only 2 bytes. |

cpp/ql/test/query-tests/Security/CWE/CWE-242/semmle/tests/tests.cpp

@@ -307,4 +307,42 @@ namespace custom_sprintf_impl {
 		char buffer8[8];
 		sprintf(buffer8, "12345678"); // BAD: potential buffer overflow
 	}
+}
+
+void test6(unsigned unsigned_value, int value) {
+	char buffer[2];
+	
+	sprintf(buffer, "%u", unsigned_value); // BAD: buffer overflow
+	sprintf(buffer, "%d", unsigned_value); // BAD: buffer overflow
+	if (unsigned_value < 10) {
+		sprintf(buffer, "%u", unsigned_value); // GOOD
+	}
+
+	sprintf(buffer, "%u", -10); // BAD: buffer overflow
+
+	if(unsigned_value == (unsigned)-10) {
+		sprintf(buffer, "%u", unsigned_value); // BAD: buffer overflow
+	}
+
+	sprintf(buffer, "%d", value); // BAD: buffer overflow
+	if (value < 10) {
+		sprintf(buffer, "%d", value); // BAD: buffer overflow
+
+		if(value > 0) {
+			sprintf(buffer, "%d", value); // GOOD
+		}
+	}
+
+	sprintf(buffer, "%u", 0); // GOOD
+	sprintf(buffer, "%d", 0); // GOOD
+	sprintf(buffer, "%u", 5); // GOOD
+	sprintf(buffer, "%d", 5); // GOOD
+
+	sprintf(buffer, "%d", -1); // BAD
+	sprintf(buffer, "%d", 9); // GOOD
+	sprintf(buffer, "%d", 10); // BAD
+
+	sprintf(buffer, "%u", -1); // BAD
+	sprintf(buffer, "%u", 9); // GOOD
+	sprintf(buffer, "%u", 10); // BAD
 }

cpp/ql/test/query-tests/Security/CWE/CWE-319/UseOfHttp/UseOfHttp.expected

@@ -0,0 +1,25 @@
+edges
+| test.cpp:11:26:11:28 | url | test.cpp:15:30:15:32 | url |
+| test.cpp:28:10:28:29 | http://example.com | test.cpp:11:26:11:28 | url |
+| test.cpp:35:23:35:42 | http://example.com | test.cpp:39:11:39:15 | url_l |
+| test.cpp:36:26:36:45 | http://example.com | test.cpp:40:11:40:17 | access to array |
+| test.cpp:39:11:39:15 | url_l | test.cpp:11:26:11:28 | url |
+| test.cpp:40:11:40:17 | access to array | test.cpp:11:26:11:28 | url |
+| test.cpp:46:18:46:26 | http:// | test.cpp:49:11:49:16 | buffer |
+| test.cpp:49:11:49:16 | buffer | test.cpp:11:26:11:28 | url |
+nodes
+| test.cpp:11:26:11:28 | url | semmle.label | url |
+| test.cpp:15:30:15:32 | url | semmle.label | url |
+| test.cpp:28:10:28:29 | http://example.com | semmle.label | http://example.com |
+| test.cpp:35:23:35:42 | http://example.com | semmle.label | http://example.com |
+| test.cpp:36:26:36:45 | http://example.com | semmle.label | http://example.com |
+| test.cpp:39:11:39:15 | url_l | semmle.label | url_l |
+| test.cpp:40:11:40:17 | access to array | semmle.label | access to array |
+| test.cpp:46:18:46:26 | http:// | semmle.label | http:// |
+| test.cpp:49:11:49:16 | buffer | semmle.label | buffer |
+subpaths
+#select
+| test.cpp:28:10:28:29 | http://example.com | test.cpp:28:10:28:29 | http://example.com | test.cpp:15:30:15:32 | url | A URL may be constructed with the HTTP protocol. |
+| test.cpp:35:23:35:42 | http://example.com | test.cpp:35:23:35:42 | http://example.com | test.cpp:15:30:15:32 | url | A URL may be constructed with the HTTP protocol. |
+| test.cpp:36:26:36:45 | http://example.com | test.cpp:36:26:36:45 | http://example.com | test.cpp:15:30:15:32 | url | A URL may be constructed with the HTTP protocol. |
+| test.cpp:46:18:46:26 | http:// | test.cpp:46:18:46:26 | http:// | test.cpp:15:30:15:32 | url | A URL may be constructed with the HTTP protocol. |

cpp/ql/test/query-tests/Security/CWE/CWE-319/UseOfHttp/UseOfHttp.qlref

@@ -0,0 +1 @@
+Security/CWE/CWE-319/UseOfHttp.ql

cpp/ql/test/query-tests/Security/CWE/CWE-319/UseOfHttp/test.cpp

@@ -0,0 +1,60 @@
+
+struct host
+{
+	// ...
+};
+
+host gethostbyname(const char *str);
+char *strcpy(char *s1, const char *s2);
+char *strcat(char *s1, const char *s2);
+
+void openUrl(const char *url)
+{
+	// ...
+
+	host myHost = gethostbyname(url);
+
+	// ...
+}
+
+void doNothing(char *url)
+{
+}
+
+const char *url_g = "http://example.com"; // BAD [NOT DETECTED]
+
+void test()
+{
+	openUrl("http://example.com"); // BAD
+	openUrl("https://example.com"); // GOOD (https)
+	openUrl("http://localhost/example"); // GOOD (localhost)
+	openUrl("https://localhost/example"); // GOOD (https, localhost)
+	doNothing("http://example.com"); // GOOD (URL not used)
+
+	{
+		const char *url_l = "http://example.com"; // BAD
+		const char *urls[] = { "http://example.com" }; // BAD
+
+		openUrl(url_g);
+		openUrl(url_l);
+		openUrl(urls[0]);
+	}
+
+	{
+		char buffer[1024];
+
+		strcpy(buffer, "http://"); // BAD
+		strcat(buffer, "example.com");
+
+		openUrl(buffer);
+	}
+
+	{
+		char buffer[1024];
+
+		strcpy(buffer, "https://"); // GOOD (https)
+		strcat(buffer, "example.com");
+
+		openUrl(buffer);
+	}
+}

csharp/ql/consistency-queries/CfgConsistency.ql

@@ -6,13 +6,25 @@ import semmle.code.csharp.controlflow.internal.ControlFlowGraphImpl
 import semmle.code.csharp.controlflow.internal.Splitting
 import Consistency
 
+private predicate splitBB(ControlFlow::BasicBlock bb) {
+  exists(ControlFlow::Node first |
+    first = bb.getFirstNode() and
+    first.isJoin() and
+    strictcount(first.getAPredecessor().getElement()) = 1
+  )
+}
+
+private class RelevantBasicBlock extends ControlFlow::BasicBlock {
+  RelevantBasicBlock() { not splitBB(this) }
+}
+
 predicate bbStartInconsistency(ControlFlowElement cfe) {
-  exists(ControlFlow::BasicBlock bb | bb.getFirstNode() = cfe.getAControlFlowNode()) and
+  exists(RelevantBasicBlock bb | bb.getFirstNode() = cfe.getAControlFlowNode()) and
   not cfe = any(PreBasicBlock bb).getFirstElement()
 }
 
 predicate bbSuccInconsistency(ControlFlowElement pred, ControlFlowElement succ) {
-  exists(ControlFlow::BasicBlock predBB, ControlFlow::BasicBlock succBB |
+  exists(RelevantBasicBlock predBB, RelevantBasicBlock succBB |
     predBB.getLastNode() = pred.getAControlFlowNode() and
     succBB = predBB.getASuccessor() and
     succBB.getFirstNode() = succ.getAControlFlowNode()

csharp/ql/consistency-queries/qlpack.yml

@@ -0,0 +1,6 @@
+name: codeql-csharp-consistency-queries
+version: 0.0.0
+libraryPathDependencies:
+  - codeql/csharp-all
+  - codeql/csharp-queries
+extractor: csharp

csharp/ql/lib/semmle/code/csharp/controlflow/internal/ControlFlowGraphImplShared.qll

@@ -924,7 +924,8 @@ module Consistency {
     succSplits(pred, predSplits, succ, succSplits, c) and
     split.hasEntry(pred, succ, c) and
     not split.getKind() = predSplits.getASplit().getKind() and
-    not split = succSplits.getASplit()
+    not split = succSplits.getASplit() and
+    split.getKind().isEnabled(succ)
   }
 
   query predicate breakInvariant5(

csharp/ql/lib/semmle/code/csharp/dataflow/internal/DataFlowImpl.qll

@@ -3740,13 +3740,14 @@ private module Subpaths {
    */
   pragma[nomagic]
   private predicate subpaths01(
-    PathNode arg, ParamNodeEx par, SummaryCtxSome sc, CallContext innercc, ReturnKindExt kind,
+    PathNodeImpl arg, ParamNodeEx par, SummaryCtxSome sc, CallContext innercc, ReturnKindExt kind,
     NodeEx out, AccessPath apout
   ) {
     exists(Configuration config |
       pathThroughCallable(arg, out, _, pragma[only_bind_into](apout)) and
       pathIntoCallable(arg, par, _, innercc, sc, _, config) and
-      paramFlowsThrough(kind, innercc, sc, pragma[only_bind_into](apout), _, unbindConf(config))
+      paramFlowsThrough(kind, innercc, sc, pragma[only_bind_into](apout), _, unbindConf(config)) and
+      not arg.isHidden()
     )
   }
 
@@ -3780,8 +3781,17 @@ private module Subpaths {
       innercc = ret.getCallContext() and
       sc = ret.getSummaryCtx() and
       ret.getConfiguration() = unbindConf(getPathNodeConf(arg)) and
-      apout = ret.getAp() and
-      not ret.isHidden()
+      apout = ret.getAp()
+    )
+  }
+
+  private PathNodeImpl localStepToHidden(PathNodeImpl n) {
+    n.getASuccessorImpl() = result and
+    result.isHidden() and
+    exists(NodeEx n1, NodeEx n2 | n1 = n.getNodeEx() and n2 = result.getNodeEx() |
+      localFlowBigStep(n1, n2, _, _, _, _) or
+      store(n1, _, n2, _, _) or
+      read(n1, _, n2, _)
     )
   }
 
@@ -3790,11 +3800,12 @@ private module Subpaths {
    * a subpath between `par` and `ret` with the connecting edges `arg -> par` and
    * `ret -> out` is summarized as the edge `arg -> out`.
    */
-  predicate subpaths(PathNode arg, PathNodeImpl par, PathNodeMid ret, PathNodeMid out) {
+  predicate subpaths(PathNode arg, PathNodeImpl par, PathNodeImpl ret, PathNodeMid out) {
     exists(ParamNodeEx p, NodeEx o, AccessPath apout |
       pragma[only_bind_into](arg).getASuccessor() = par and
       pragma[only_bind_into](arg).getASuccessor() = out and
-      subpaths03(arg, p, ret, o, apout) and
+      subpaths03(arg, p, localStepToHidden*(ret), o, apout) and
+      not ret.isHidden() and
       par.getNodeEx() = p and
       out.getNodeEx() = o and
       out.getAp() = apout

csharp/ql/lib/semmle/code/csharp/dataflow/internal/DataFlowImpl2.qll

@@ -3740,13 +3740,14 @@ private module Subpaths {
    */
   pragma[nomagic]
   private predicate subpaths01(
-    PathNode arg, ParamNodeEx par, SummaryCtxSome sc, CallContext innercc, ReturnKindExt kind,
+    PathNodeImpl arg, ParamNodeEx par, SummaryCtxSome sc, CallContext innercc, ReturnKindExt kind,
     NodeEx out, AccessPath apout
   ) {
     exists(Configuration config |
       pathThroughCallable(arg, out, _, pragma[only_bind_into](apout)) and
       pathIntoCallable(arg, par, _, innercc, sc, _, config) and
-      paramFlowsThrough(kind, innercc, sc, pragma[only_bind_into](apout), _, unbindConf(config))
+      paramFlowsThrough(kind, innercc, sc, pragma[only_bind_into](apout), _, unbindConf(config)) and
+      not arg.isHidden()
     )
   }
 
@@ -3780,8 +3781,17 @@ private module Subpaths {
       innercc = ret.getCallContext() and
       sc = ret.getSummaryCtx() and
       ret.getConfiguration() = unbindConf(getPathNodeConf(arg)) and
-      apout = ret.getAp() and
-      not ret.isHidden()
+      apout = ret.getAp()
+    )
+  }
+
+  private PathNodeImpl localStepToHidden(PathNodeImpl n) {
+    n.getASuccessorImpl() = result and
+    result.isHidden() and
+    exists(NodeEx n1, NodeEx n2 | n1 = n.getNodeEx() and n2 = result.getNodeEx() |
+      localFlowBigStep(n1, n2, _, _, _, _) or
+      store(n1, _, n2, _, _) or
+      read(n1, _, n2, _)
     )
   }
 
@@ -3790,11 +3800,12 @@ private module Subpaths {
    * a subpath between `par` and `ret` with the connecting edges `arg -> par` and
    * `ret -> out` is summarized as the edge `arg -> out`.
    */
-  predicate subpaths(PathNode arg, PathNodeImpl par, PathNodeMid ret, PathNodeMid out) {
+  predicate subpaths(PathNode arg, PathNodeImpl par, PathNodeImpl ret, PathNodeMid out) {
     exists(ParamNodeEx p, NodeEx o, AccessPath apout |
       pragma[only_bind_into](arg).getASuccessor() = par and
       pragma[only_bind_into](arg).getASuccessor() = out and
-      subpaths03(arg, p, ret, o, apout) and
+      subpaths03(arg, p, localStepToHidden*(ret), o, apout) and
+      not ret.isHidden() and
       par.getNodeEx() = p and
       out.getNodeEx() = o and
       out.getAp() = apout

csharp/ql/lib/semmle/code/csharp/dataflow/internal/DataFlowImpl3.qll

@@ -3740,13 +3740,14 @@ private module Subpaths {
    */
   pragma[nomagic]
   private predicate subpaths01(
-    PathNode arg, ParamNodeEx par, SummaryCtxSome sc, CallContext innercc, ReturnKindExt kind,
+    PathNodeImpl arg, ParamNodeEx par, SummaryCtxSome sc, CallContext innercc, ReturnKindExt kind,
     NodeEx out, AccessPath apout
   ) {
     exists(Configuration config |
       pathThroughCallable(arg, out, _, pragma[only_bind_into](apout)) and
       pathIntoCallable(arg, par, _, innercc, sc, _, config) and
-      paramFlowsThrough(kind, innercc, sc, pragma[only_bind_into](apout), _, unbindConf(config))
+      paramFlowsThrough(kind, innercc, sc, pragma[only_bind_into](apout), _, unbindConf(config)) and
+      not arg.isHidden()
     )
   }
 
@@ -3780,8 +3781,17 @@ private module Subpaths {
       innercc = ret.getCallContext() and
       sc = ret.getSummaryCtx() and
       ret.getConfiguration() = unbindConf(getPathNodeConf(arg)) and
-      apout = ret.getAp() and
-      not ret.isHidden()
+      apout = ret.getAp()
+    )
+  }
+
+  private PathNodeImpl localStepToHidden(PathNodeImpl n) {
+    n.getASuccessorImpl() = result and
+    result.isHidden() and
+    exists(NodeEx n1, NodeEx n2 | n1 = n.getNodeEx() and n2 = result.getNodeEx() |
+      localFlowBigStep(n1, n2, _, _, _, _) or
+      store(n1, _, n2, _, _) or
+      read(n1, _, n2, _)
     )
   }
 
@@ -3790,11 +3800,12 @@ private module Subpaths {
    * a subpath between `par` and `ret` with the connecting edges `arg -> par` and
    * `ret -> out` is summarized as the edge `arg -> out`.
    */
-  predicate subpaths(PathNode arg, PathNodeImpl par, PathNodeMid ret, PathNodeMid out) {
+  predicate subpaths(PathNode arg, PathNodeImpl par, PathNodeImpl ret, PathNodeMid out) {
     exists(ParamNodeEx p, NodeEx o, AccessPath apout |
       pragma[only_bind_into](arg).getASuccessor() = par and
       pragma[only_bind_into](arg).getASuccessor() = out and
-      subpaths03(arg, p, ret, o, apout) and
+      subpaths03(arg, p, localStepToHidden*(ret), o, apout) and
+      not ret.isHidden() and
       par.getNodeEx() = p and
       out.getNodeEx() = o and
       out.getAp() = apout

csharp/ql/lib/semmle/code/csharp/dataflow/internal/DataFlowImpl4.qll

@@ -3740,13 +3740,14 @@ private module Subpaths {
    */
   pragma[nomagic]
   private predicate subpaths01(
-    PathNode arg, ParamNodeEx par, SummaryCtxSome sc, CallContext innercc, ReturnKindExt kind,
+    PathNodeImpl arg, ParamNodeEx par, SummaryCtxSome sc, CallContext innercc, ReturnKindExt kind,
     NodeEx out, AccessPath apout
   ) {
     exists(Configuration config |
       pathThroughCallable(arg, out, _, pragma[only_bind_into](apout)) and
       pathIntoCallable(arg, par, _, innercc, sc, _, config) and
-      paramFlowsThrough(kind, innercc, sc, pragma[only_bind_into](apout), _, unbindConf(config))
+      paramFlowsThrough(kind, innercc, sc, pragma[only_bind_into](apout), _, unbindConf(config)) and
+      not arg.isHidden()
     )
   }
 
@@ -3780,8 +3781,17 @@ private module Subpaths {
       innercc = ret.getCallContext() and
       sc = ret.getSummaryCtx() and
       ret.getConfiguration() = unbindConf(getPathNodeConf(arg)) and
-      apout = ret.getAp() and
-      not ret.isHidden()
+      apout = ret.getAp()
+    )
+  }
+
+  private PathNodeImpl localStepToHidden(PathNodeImpl n) {
+    n.getASuccessorImpl() = result and
+    result.isHidden() and
+    exists(NodeEx n1, NodeEx n2 | n1 = n.getNodeEx() and n2 = result.getNodeEx() |
+      localFlowBigStep(n1, n2, _, _, _, _) or
+      store(n1, _, n2, _, _) or
+      read(n1, _, n2, _)
     )
   }
 
@@ -3790,11 +3800,12 @@ private module Subpaths {
    * a subpath between `par` and `ret` with the connecting edges `arg -> par` and
    * `ret -> out` is summarized as the edge `arg -> out`.
    */
-  predicate subpaths(PathNode arg, PathNodeImpl par, PathNodeMid ret, PathNodeMid out) {
+  predicate subpaths(PathNode arg, PathNodeImpl par, PathNodeImpl ret, PathNodeMid out) {
     exists(ParamNodeEx p, NodeEx o, AccessPath apout |
       pragma[only_bind_into](arg).getASuccessor() = par and
       pragma[only_bind_into](arg).getASuccessor() = out and
-      subpaths03(arg, p, ret, o, apout) and
+      subpaths03(arg, p, localStepToHidden*(ret), o, apout) and
+      not ret.isHidden() and
       par.getNodeEx() = p and
       out.getNodeEx() = o and
       out.getAp() = apout

csharp/ql/lib/semmle/code/csharp/dataflow/internal/DataFlowImpl5.qll

@@ -3740,13 +3740,14 @@ private module Subpaths {
    */
   pragma[nomagic]
   private predicate subpaths01(
-    PathNode arg, ParamNodeEx par, SummaryCtxSome sc, CallContext innercc, ReturnKindExt kind,
+    PathNodeImpl arg, ParamNodeEx par, SummaryCtxSome sc, CallContext innercc, ReturnKindExt kind,
     NodeEx out, AccessPath apout
   ) {
     exists(Configuration config |
       pathThroughCallable(arg, out, _, pragma[only_bind_into](apout)) and
       pathIntoCallable(arg, par, _, innercc, sc, _, config) and
-      paramFlowsThrough(kind, innercc, sc, pragma[only_bind_into](apout), _, unbindConf(config))
+      paramFlowsThrough(kind, innercc, sc, pragma[only_bind_into](apout), _, unbindConf(config)) and
+      not arg.isHidden()
     )
   }
 
@@ -3780,8 +3781,17 @@ private module Subpaths {
       innercc = ret.getCallContext() and
       sc = ret.getSummaryCtx() and
       ret.getConfiguration() = unbindConf(getPathNodeConf(arg)) and
-      apout = ret.getAp() and
-      not ret.isHidden()
+      apout = ret.getAp()
+    )
+  }
+
+  private PathNodeImpl localStepToHidden(PathNodeImpl n) {
+    n.getASuccessorImpl() = result and
+    result.isHidden() and
+    exists(NodeEx n1, NodeEx n2 | n1 = n.getNodeEx() and n2 = result.getNodeEx() |
+      localFlowBigStep(n1, n2, _, _, _, _) or
+      store(n1, _, n2, _, _) or
+      read(n1, _, n2, _)
     )
   }
 
@@ -3790,11 +3800,12 @@ private module Subpaths {
    * a subpath between `par` and `ret` with the connecting edges `arg -> par` and
    * `ret -> out` is summarized as the edge `arg -> out`.
    */
-  predicate subpaths(PathNode arg, PathNodeImpl par, PathNodeMid ret, PathNodeMid out) {
+  predicate subpaths(PathNode arg, PathNodeImpl par, PathNodeImpl ret, PathNodeMid out) {
     exists(ParamNodeEx p, NodeEx o, AccessPath apout |
       pragma[only_bind_into](arg).getASuccessor() = par and
       pragma[only_bind_into](arg).getASuccessor() = out and
-      subpaths03(arg, p, ret, o, apout) and
+      subpaths03(arg, p, localStepToHidden*(ret), o, apout) and
+      not ret.isHidden() and
       par.getNodeEx() = p and
       out.getNodeEx() = o and
       out.getAp() = apout

csharp/ql/lib/semmle/code/csharp/dataflow/internal/DataFlowPrivate.qll

@@ -791,12 +791,14 @@ predicate nodeIsHidden(Node n) {
     def instanceof Ssa::ImplicitCallDefinition
   )
   or
-  exists(Parameter p |
-    p = n.(ParameterNode).getParameter() and
+  exists(Parameter p | p = n.(ParameterNode).getParameter() |
     not p.fromSource()
+    or
+    p.getCallable() instanceof SummarizedCallable
   )
   or
-  n = TInstanceParameterNode(any(Callable c | not c.fromSource()))
+  n =
+    TInstanceParameterNode(any(Callable c | not c.fromSource() or c instanceof SummarizedCallable))
   or
   n instanceof YieldReturnNode
   or

csharp/ql/src/Bad Practices/Implementation Hiding/ExposeRepresentation.ql

@@ -29,17 +29,22 @@ predicate returnsCollection(Callable c, Field f) {
   not c.(Modifiable).isStatic()
 }
 
-predicate mayWriteToCollection(Expr modified) {
-  modified instanceof CollectionModificationAccess
+predicate nodeMayWriteToCollection(Node modified) {
+  modified.asExpr() instanceof CollectionModificationAccess
   or
-  exists(Expr mid | mayWriteToCollection(mid) | localExprFlow(modified, mid))
+  exists(Node mid | nodeMayWriteToCollection(mid) | localFlowStep(modified, mid))
   or
-  exists(MethodCall mid, Callable c | mayWriteToCollection(mid) |
-    mid.getTarget() = c and
-    c.canReturn(modified)
+  exists(Node mid, MethodCall mc, Callable c | nodeMayWriteToCollection(mid) |
+    mc = mid.asExpr() and
+    mc.getTarget() = c and
+    c.canReturn(modified.asExpr())
   )
 }
 
+predicate mayWriteToCollection(Expr modified) {
+  nodeMayWriteToCollection(any(ExprNode n | n.getExpr() = modified))
+}
+
 predicate modificationAfter(Expr before, Expr after) {
   mayWriteToCollection(after) and
   localFlowStep+(exprNode(before), exprNode(after))

csharp/ql/test/experimental/ir/ir/PrintAst.qlref

@@ -1 +1 @@
-semmle/code/csharp/PrintAst.ql
+shared/PrintAst.ql

csharp/ql/test/library-tests/arguments/PrintAst.qlref

@@ -1 +1 @@
-semmle/code/csharp/PrintAst.ql
+shared/PrintAst.ql

csharp/ql/test/library-tests/assignments/PrintAst.qlref

@@ -1 +1 @@
-semmle/code/csharp/PrintAst.ql
+shared/PrintAst.ql

csharp/ql/test/library-tests/attributes/PrintAst.qlref

@@ -1 +1 @@
-semmle/code/csharp/PrintAst.ql
+shared/PrintAst.ql

csharp/ql/test/library-tests/comments/PrintAst.qlref

@@ -1 +1 @@
-semmle/code/csharp/PrintAst.ql
+shared/PrintAst.ql

csharp/ql/test/library-tests/constructors/PrintAst.qlref

@@ -1 +1 @@
-semmle/code/csharp/PrintAst.ql
+shared/PrintAst.ql

csharp/ql/test/library-tests/conversion/operator/PrintAst.qlref

@@ -1 +1 @@
-semmle/code/csharp/PrintAst.ql
+shared/PrintAst.ql

csharp/ql/test/library-tests/csharp6/PrintAst.qlref

@@ -1 +1 @@
-semmle/code/csharp/PrintAst.ql
+shared/PrintAst.ql

csharp/ql/test/library-tests/csharp7.1/PrintAst.qlref

@@ -1 +1 @@
-semmle/code/csharp/PrintAst.ql
+shared/PrintAst.ql

csharp/ql/test/library-tests/csharp7.2/PrintAst.qlref

@@ -1 +1 @@
-semmle/code/csharp/PrintAst.ql
+shared/PrintAst.ql

csharp/ql/test/library-tests/csharp7.3/PrintAst.qlref

@@ -1 +1 @@
-semmle/code/csharp/PrintAst.ql
+shared/PrintAst.ql

csharp/ql/test/library-tests/csharp7/PrintAst.qlref

@@ -1 +1 @@
-semmle/code/csharp/PrintAst.ql
+shared/PrintAst.ql

csharp/ql/test/library-tests/csharp8/PrintAst.qlref

@@ -1 +1 @@
-semmle/code/csharp/PrintAst.ql
+shared/PrintAst.ql

csharp/ql/test/library-tests/csharp9/PrintAst.qlref

@@ -1 +1 @@
-semmle/code/csharp/PrintAst.ql
+shared/PrintAst.ql

csharp/ql/test/library-tests/dataflow/async/Async.expected

@@ -8,13 +8,17 @@ edges
 | Async.cs:19:41:19:45 | input : String | Async.cs:21:32:21:36 | access to parameter input : String |
 | Async.cs:21:20:21:37 | call to method ReturnAwait [property Result] : String | Async.cs:21:14:21:37 | await ... |
 | Async.cs:21:32:21:36 | access to parameter input : String | Async.cs:21:20:21:37 | call to method ReturnAwait [property Result] : String |
+| Async.cs:21:32:21:36 | access to parameter input : String | Async.cs:35:51:35:51 | x : String |
 | Async.cs:24:41:24:45 | input : String | Async.cs:26:35:26:39 | access to parameter input : String |
 | Async.cs:26:17:26:40 | await ... : String | Async.cs:27:14:27:14 | access to local variable x |
 | Async.cs:26:23:26:40 | call to method ReturnAwait [property Result] : String | Async.cs:26:17:26:40 | await ... : String |
 | Async.cs:26:35:26:39 | access to parameter input : String | Async.cs:26:23:26:40 | call to method ReturnAwait [property Result] : String |
+| Async.cs:26:35:26:39 | access to parameter input : String | Async.cs:35:51:35:51 | x : String |
 | Async.cs:30:35:30:39 | input : String | Async.cs:32:27:32:31 | access to parameter input : String |
 | Async.cs:32:14:32:32 | call to method ReturnAwait2 [property Result] : String | Async.cs:32:14:32:39 | access to property Result |
 | Async.cs:32:27:32:31 | access to parameter input : String | Async.cs:32:14:32:32 | call to method ReturnAwait2 [property Result] : String |
+| Async.cs:32:27:32:31 | access to parameter input : String | Async.cs:51:52:51:52 | x : String |
+| Async.cs:35:51:35:51 | x : String | Async.cs:38:16:38:16 | access to parameter x : String |
 | Async.cs:35:51:35:51 | x : String | Async.cs:38:16:38:16 | access to parameter x : String |
 | Async.cs:38:16:38:16 | access to parameter x : String | Async.cs:21:20:21:37 | call to method ReturnAwait [property Result] : String |
 | Async.cs:38:16:38:16 | access to parameter x : String | Async.cs:26:23:26:40 | call to method ReturnAwait [property Result] : String |
@@ -28,6 +32,7 @@ edges
 | Async.cs:48:32:48:32 | access to parameter x : String | Async.cs:48:16:48:33 | call to method FromResult<String> [property Result] : String |
 | Async.cs:48:32:48:32 | access to parameter x : String | Async.cs:48:16:48:33 | call to method FromResult<String> [property Result] : String |
 | Async.cs:51:52:51:52 | x : String | Async.cs:51:58:51:58 | access to parameter x : String |
+| Async.cs:51:52:51:52 | x : String | Async.cs:51:58:51:58 | access to parameter x : String |
 | Async.cs:51:58:51:58 | access to parameter x : String | Async.cs:32:14:32:32 | call to method ReturnAwait2 [property Result] : String |
 nodes
 | Async.cs:9:37:9:41 | input : String | semmle.label | input : String |
@@ -51,6 +56,8 @@ nodes
 | Async.cs:32:14:32:39 | access to property Result | semmle.label | access to property Result |
 | Async.cs:32:27:32:31 | access to parameter input : String | semmle.label | access to parameter input : String |
 | Async.cs:35:51:35:51 | x : String | semmle.label | x : String |
+| Async.cs:35:51:35:51 | x : String | semmle.label | x : String |
+| Async.cs:38:16:38:16 | access to parameter x : String | semmle.label | access to parameter x : String |
 | Async.cs:38:16:38:16 | access to parameter x : String | semmle.label | access to parameter x : String |
 | Async.cs:41:33:41:37 | input : String | semmle.label | input : String |
 | Async.cs:43:14:43:30 | call to method ReturnTask [property Result] : String | semmle.label | call to method ReturnTask [property Result] : String |
@@ -63,9 +70,14 @@ nodes
 | Async.cs:48:32:48:32 | access to parameter x : String | semmle.label | access to parameter x : String |
 | Async.cs:48:32:48:32 | access to parameter x : String | semmle.label | access to parameter x : String |
 | Async.cs:51:52:51:52 | x : String | semmle.label | x : String |
+| Async.cs:51:52:51:52 | x : String | semmle.label | x : String |
+| Async.cs:51:58:51:58 | access to parameter x : String | semmle.label | access to parameter x : String |
 | Async.cs:51:58:51:58 | access to parameter x : String | semmle.label | access to parameter x : String |
 subpaths
 | Async.cs:11:21:11:25 | access to parameter input : String | Async.cs:14:34:14:34 | x : String | Async.cs:16:16:16:16 | access to parameter x : String | Async.cs:11:14:11:26 | call to method Return : String |
+| Async.cs:21:32:21:36 | access to parameter input : String | Async.cs:35:51:35:51 | x : String | Async.cs:38:16:38:16 | access to parameter x : String | Async.cs:21:20:21:37 | call to method ReturnAwait [property Result] : String |
+| Async.cs:26:35:26:39 | access to parameter input : String | Async.cs:35:51:35:51 | x : String | Async.cs:38:16:38:16 | access to parameter x : String | Async.cs:26:23:26:40 | call to method ReturnAwait [property Result] : String |
+| Async.cs:32:27:32:31 | access to parameter input : String | Async.cs:51:52:51:52 | x : String | Async.cs:51:58:51:58 | access to parameter x : String | Async.cs:32:14:32:32 | call to method ReturnAwait2 [property Result] : String |
 | Async.cs:43:25:43:29 | access to parameter input : String | Async.cs:46:44:46:44 | x : String | Async.cs:48:16:48:33 | call to method FromResult<String> [property Result] : String | Async.cs:43:14:43:30 | call to method ReturnTask [property Result] : String |
 #select
 | Async.cs:11:14:11:26 | call to method Return | Async.cs:9:37:9:41 | input : String | Async.cs:11:14:11:26 | call to method Return | $@ flows to here and is used. | Async.cs:9:37:9:41 | input | User-provided value |

csharp/ql/test/library-tests/dataflow/external-models/ExternalFlow.expected

@@ -24,12 +24,12 @@ edges
 | ExternalFlow.cs:54:36:54:47 | object creation of type Object : Object | ExternalFlow.cs:54:13:54:16 | [post] this access [element] : Object |
 | ExternalFlow.cs:55:18:55:21 | this access [element] : Object | ExternalFlow.cs:55:18:55:41 | call to method StepElementGetter |
 | ExternalFlow.cs:60:35:60:35 | o : Object | ExternalFlow.cs:60:47:60:47 | access to parameter o |
-| ExternalFlow.cs:60:64:60:75 | object creation of type Object : Object | ExternalFlow.cs:135:46:135:46 | s : Object |
+| ExternalFlow.cs:60:64:60:75 | object creation of type Object : Object | ExternalFlow.cs:60:35:60:35 | o : Object |
 | ExternalFlow.cs:65:21:65:60 | call to method Apply<Int32,Object> : Object | ExternalFlow.cs:66:18:66:18 | access to local variable o |
 | ExternalFlow.cs:65:45:65:56 | object creation of type Object : Object | ExternalFlow.cs:65:21:65:60 | call to method Apply<Int32,Object> : Object |
 | ExternalFlow.cs:71:30:71:45 | { ..., ... } [element] : Object | ExternalFlow.cs:72:17:72:20 | access to local variable objs [element] : Object |
 | ExternalFlow.cs:71:32:71:43 | object creation of type Object : Object | ExternalFlow.cs:71:30:71:45 | { ..., ... } [element] : Object |
-| ExternalFlow.cs:72:17:72:20 | access to local variable objs [element] : Object | ExternalFlow.cs:137:34:137:41 | elements [element] : Object |
+| ExternalFlow.cs:72:17:72:20 | access to local variable objs [element] : Object | ExternalFlow.cs:72:23:72:23 | o : Object |
 | ExternalFlow.cs:72:23:72:23 | o : Object | ExternalFlow.cs:72:35:72:35 | access to parameter o |
 | ExternalFlow.cs:77:24:77:58 | call to method Map<Int32,Object> [element] : Object | ExternalFlow.cs:78:18:78:21 | access to local variable objs [element] : Object |
 | ExternalFlow.cs:77:46:77:57 | object creation of type Object : Object | ExternalFlow.cs:77:24:77:58 | call to method Map<Int32,Object> [element] : Object |
@@ -47,25 +47,11 @@ edges
 | ExternalFlow.cs:98:13:98:14 | [post] access to local variable d1 [field Field] : Object | ExternalFlow.cs:104:18:104:19 | access to local variable d1 [field Field] : Object |
 | ExternalFlow.cs:98:24:98:35 | object creation of type Object : Object | ExternalFlow.cs:98:13:98:14 | [post] access to local variable d1 [field Field] : Object |
 | ExternalFlow.cs:100:20:100:20 | d : Object | ExternalFlow.cs:102:22:102:22 | access to parameter d |
+| ExternalFlow.cs:103:16:103:17 | access to local variable d1 [field Field] : Object | ExternalFlow.cs:100:20:100:20 | d : Object |
 | ExternalFlow.cs:103:16:103:17 | access to local variable d1 [field Field] : Object | ExternalFlow.cs:103:20:103:21 | [post] access to local variable d2 [field Field2] : Object |
-| ExternalFlow.cs:103:16:103:17 | access to local variable d1 [field Field] : Object | ExternalFlow.cs:139:46:139:47 | s1 [field Field] : Object |
 | ExternalFlow.cs:103:20:103:21 | [post] access to local variable d2 [field Field2] : Object | ExternalFlow.cs:105:18:105:19 | access to local variable d2 [field Field2] : Object |
 | ExternalFlow.cs:104:18:104:19 | access to local variable d1 [field Field] : Object | ExternalFlow.cs:104:18:104:25 | access to field Field |
 | ExternalFlow.cs:105:18:105:19 | access to local variable d2 [field Field2] : Object | ExternalFlow.cs:105:18:105:26 | access to field Field2 |
-| ExternalFlow.cs:135:46:135:46 | s : Object | ExternalFlow.cs:60:35:60:35 | o : Object |
-| ExternalFlow.cs:137:34:137:41 | elements [element] : Object | ExternalFlow.cs:72:23:72:23 | o : Object |
-| ExternalFlow.cs:137:34:137:41 | elements [element] : Object | ExternalFlow.cs:72:23:72:23 | o : Object |
-| ExternalFlow.cs:137:34:137:41 | elements [element] : Object | ExternalFlow.cs:137:34:137:41 | elements [element] : Object |
-| ExternalFlow.cs:137:34:137:41 | elements [element] : Object | ExternalFlow.cs:137:34:137:41 | elements [element] : Object |
-| ExternalFlow.cs:139:46:139:47 | s1 [field Field] : Object | ExternalFlow.cs:100:20:100:20 | d : Object |
-| ExternalFlow.cs:139:46:139:47 | s1 [field Field] : Object | ExternalFlow.cs:100:20:100:20 | d : Object |
-| ExternalFlow.cs:139:46:139:47 | s1 [field Field] : Object | ExternalFlow.cs:139:46:139:47 | s1 [field Field] : Object |
-| ExternalFlow.cs:139:46:139:47 | s1 [field Field] : Object | ExternalFlow.cs:139:46:139:47 | s1 [field Field] : Object |
-| ExternalFlow.cs:139:46:139:47 | s1 [field Field] : Object | ExternalFlow.cs:139:52:139:53 | s2 [field Field2] : Object |
-| ExternalFlow.cs:139:46:139:47 | s1 [field Field] : Object | ExternalFlow.cs:139:52:139:53 | s2 [field Field2] : Object |
-| ExternalFlow.cs:139:52:139:53 | s2 [field Field2] : Object | ExternalFlow.cs:100:20:100:20 | d : Object |
-| ExternalFlow.cs:139:52:139:53 | s2 [field Field2] : Object | ExternalFlow.cs:139:46:139:47 | s1 [field Field] : Object |
-| ExternalFlow.cs:139:52:139:53 | s2 [field Field2] : Object | ExternalFlow.cs:139:52:139:53 | s2 [field Field2] : Object |
 nodes
 | ExternalFlow.cs:9:27:9:38 | object creation of type Object : Object | semmle.label | object creation of type Object : Object |
 | ExternalFlow.cs:10:18:10:33 | call to method StepArgRes | semmle.label | call to method StepArgRes |
@@ -135,12 +121,6 @@ nodes
 | ExternalFlow.cs:104:18:104:25 | access to field Field | semmle.label | access to field Field |
 | ExternalFlow.cs:105:18:105:19 | access to local variable d2 [field Field2] : Object | semmle.label | access to local variable d2 [field Field2] : Object |
 | ExternalFlow.cs:105:18:105:26 | access to field Field2 | semmle.label | access to field Field2 |
-| ExternalFlow.cs:135:46:135:46 | s : Object | semmle.label | s : Object |
-| ExternalFlow.cs:137:34:137:41 | elements [element] : Object | semmle.label | elements [element] : Object |
-| ExternalFlow.cs:137:34:137:41 | elements [element] : Object | semmle.label | elements [element] : Object |
-| ExternalFlow.cs:139:46:139:47 | s1 [field Field] : Object | semmle.label | s1 [field Field] : Object |
-| ExternalFlow.cs:139:46:139:47 | s1 [field Field] : Object | semmle.label | s1 [field Field] : Object |
-| ExternalFlow.cs:139:52:139:53 | s2 [field Field2] : Object | semmle.label | s2 [field Field2] : Object |
 subpaths
 invalidModelRow
 #select

csharp/ql/test/library-tests/dataflow/global/DataFlowPath.expected

@@ -129,6 +129,7 @@ edges
 | GlobalDataFlow.cs:81:22:81:93 | call to method First<String> : String | GlobalDataFlow.cs:82:15:82:20 | access to local variable sink13 |
 | GlobalDataFlow.cs:81:22:81:93 | call to method First<String> : String | GlobalDataFlow.cs:83:59:83:64 | access to local variable sink13 : String |
 | GlobalDataFlow.cs:81:23:81:65 | (...) ... [element] : String | GlobalDataFlow.cs:81:22:81:85 | call to method SelectEven<String,String> [element] : String |
+| GlobalDataFlow.cs:81:23:81:65 | (...) ... [element] : String | GlobalDataFlow.cs:496:71:496:71 | e [element] : String |
 | GlobalDataFlow.cs:81:57:81:65 | { ..., ... } [element] : String | GlobalDataFlow.cs:81:23:81:65 | (...) ... [element] : String |
 | GlobalDataFlow.cs:81:59:81:63 | access to local variable sink3 : String | GlobalDataFlow.cs:81:57:81:65 | { ..., ... } [element] : String |
 | GlobalDataFlow.cs:81:79:81:79 | x : String | GlobalDataFlow.cs:81:84:81:84 | access to parameter x : String |
@@ -262,7 +263,11 @@ edges
 | GlobalDataFlow.cs:486:21:486:21 | s : String | GlobalDataFlow.cs:486:32:486:32 | access to parameter s |
 | GlobalDataFlow.cs:487:15:487:17 | access to parameter arg : String | GlobalDataFlow.cs:486:21:486:21 | s : String |
 | GlobalDataFlow.cs:490:28:490:41 | "taint source" : String | GlobalDataFlow.cs:483:53:483:55 | arg : String |
+| GlobalDataFlow.cs:496:71:496:71 | e [element] : String | GlobalDataFlow.cs:499:27:499:27 | access to parameter e [element] : String |
+| GlobalDataFlow.cs:499:22:499:22 | SSA def(x) : String | GlobalDataFlow.cs:501:46:501:46 | access to local variable x : String |
+| GlobalDataFlow.cs:499:27:499:27 | access to parameter e [element] : String | GlobalDataFlow.cs:499:22:499:22 | SSA def(x) : String |
 | GlobalDataFlow.cs:501:46:501:46 | access to local variable x : String | GlobalDataFlow.cs:81:79:81:79 | x : String |
+| GlobalDataFlow.cs:501:46:501:46 | access to local variable x : String | GlobalDataFlow.cs:501:44:501:47 | delegate call : String |
 | Splitting.cs:3:28:3:34 | tainted : String | Splitting.cs:8:24:8:30 | [b (line 3): false] access to parameter tainted : String |
 | Splitting.cs:3:28:3:34 | tainted : String | Splitting.cs:8:24:8:30 | [b (line 3): true] access to parameter tainted : String |
 | Splitting.cs:8:17:8:31 | [b (line 3): false] call to method Return<String> : String | Splitting.cs:9:15:9:15 | [b (line 3): false] access to local variable x |
@@ -519,6 +524,11 @@ nodes
 | GlobalDataFlow.cs:486:32:486:32 | access to parameter s | semmle.label | access to parameter s |
 | GlobalDataFlow.cs:487:15:487:17 | access to parameter arg : String | semmle.label | access to parameter arg : String |
 | GlobalDataFlow.cs:490:28:490:41 | "taint source" : String | semmle.label | "taint source" : String |
+| GlobalDataFlow.cs:496:71:496:71 | e [element] : String | semmle.label | e [element] : String |
+| GlobalDataFlow.cs:499:22:499:22 | SSA def(x) : String | semmle.label | SSA def(x) : String |
+| GlobalDataFlow.cs:499:27:499:27 | access to parameter e [element] : String | semmle.label | access to parameter e [element] : String |
+| GlobalDataFlow.cs:501:44:501:47 | delegate call : String | semmle.label | delegate call : String |
+| GlobalDataFlow.cs:501:46:501:46 | access to local variable x : String | semmle.label | access to local variable x : String |
 | Splitting.cs:3:28:3:34 | tainted : String | semmle.label | tainted : String |
 | Splitting.cs:8:17:8:31 | [b (line 3): false] call to method Return<String> : String | semmle.label | [b (line 3): false] call to method Return<String> : String |
 | Splitting.cs:8:17:8:31 | [b (line 3): true] call to method Return<String> : String | semmle.label | [b (line 3): true] call to method Return<String> : String |
@@ -556,6 +566,7 @@ subpaths
 | GlobalDataFlow.cs:73:94:73:98 | access to local variable sink0 : String | GlobalDataFlow.cs:298:26:298:26 | x : String | GlobalDataFlow.cs:301:16:301:41 | ... ? ... : ... : String | GlobalDataFlow.cs:73:29:73:101 | call to method Invoke : String |
 | GlobalDataFlow.cs:76:19:76:23 | access to local variable sink1 : String | GlobalDataFlow.cs:304:32:304:32 | x : String | GlobalDataFlow.cs:306:9:306:13 | SSA def(y) : String | GlobalDataFlow.cs:76:30:76:34 | SSA def(sink2) : String |
 | GlobalDataFlow.cs:79:19:79:23 | access to local variable sink2 : String | GlobalDataFlow.cs:310:32:310:32 | x : String | GlobalDataFlow.cs:312:9:312:13 | SSA def(y) : String | GlobalDataFlow.cs:79:30:79:34 | SSA def(sink3) : String |
+| GlobalDataFlow.cs:81:23:81:65 | (...) ... [element] : String | GlobalDataFlow.cs:496:71:496:71 | e [element] : String | GlobalDataFlow.cs:501:44:501:47 | delegate call : String | GlobalDataFlow.cs:81:22:81:85 | call to method SelectEven<String,String> [element] : String |
 | GlobalDataFlow.cs:138:63:138:63 | access to parameter x : String | GlobalDataFlow.cs:387:46:387:46 | x : String | GlobalDataFlow.cs:389:16:389:19 | delegate call : String | GlobalDataFlow.cs:138:45:138:64 | call to method ApplyFunc<String,String> : String |
 | GlobalDataFlow.cs:139:29:139:33 | access to local variable sink3 : String | GlobalDataFlow.cs:138:40:138:40 | x : String | GlobalDataFlow.cs:138:45:138:64 | call to method ApplyFunc<String,String> : String | GlobalDataFlow.cs:139:21:139:34 | delegate call : String |
 | GlobalDataFlow.cs:147:39:147:43 | access to local variable sink4 : String | GlobalDataFlow.cs:387:46:387:46 | x : String | GlobalDataFlow.cs:389:16:389:19 | delegate call : String | GlobalDataFlow.cs:147:21:147:44 | call to method ApplyFunc<String,String> : String |

csharp/ql/test/library-tests/dataflow/global/TaintTrackingPath.expected

@@ -129,6 +129,7 @@ edges
 | GlobalDataFlow.cs:81:22:81:93 | call to method First<String> : String | GlobalDataFlow.cs:82:15:82:20 | access to local variable sink13 |
 | GlobalDataFlow.cs:81:22:81:93 | call to method First<String> : String | GlobalDataFlow.cs:83:59:83:64 | access to local variable sink13 : String |
 | GlobalDataFlow.cs:81:23:81:65 | (...) ... [element] : String | GlobalDataFlow.cs:81:22:81:85 | call to method SelectEven<String,String> [element] : String |
+| GlobalDataFlow.cs:81:23:81:65 | (...) ... [element] : String | GlobalDataFlow.cs:496:71:496:71 | e [element] : String |
 | GlobalDataFlow.cs:81:57:81:65 | { ..., ... } [element] : String | GlobalDataFlow.cs:81:23:81:65 | (...) ... [element] : String |
 | GlobalDataFlow.cs:81:59:81:63 | access to local variable sink3 : String | GlobalDataFlow.cs:81:57:81:65 | { ..., ... } [element] : String |
 | GlobalDataFlow.cs:81:79:81:79 | x : String | GlobalDataFlow.cs:81:84:81:84 | access to parameter x : String |
@@ -288,7 +289,11 @@ edges
 | GlobalDataFlow.cs:486:21:486:21 | s : String | GlobalDataFlow.cs:486:32:486:32 | access to parameter s |
 | GlobalDataFlow.cs:487:15:487:17 | access to parameter arg : String | GlobalDataFlow.cs:486:21:486:21 | s : String |
 | GlobalDataFlow.cs:490:28:490:41 | "taint source" : String | GlobalDataFlow.cs:483:53:483:55 | arg : String |
+| GlobalDataFlow.cs:496:71:496:71 | e [element] : String | GlobalDataFlow.cs:499:27:499:27 | access to parameter e [element] : String |
+| GlobalDataFlow.cs:499:22:499:22 | SSA def(x) : String | GlobalDataFlow.cs:501:46:501:46 | access to local variable x : String |
+| GlobalDataFlow.cs:499:27:499:27 | access to parameter e [element] : String | GlobalDataFlow.cs:499:22:499:22 | SSA def(x) : String |
 | GlobalDataFlow.cs:501:46:501:46 | access to local variable x : String | GlobalDataFlow.cs:81:79:81:79 | x : String |
+| GlobalDataFlow.cs:501:46:501:46 | access to local variable x : String | GlobalDataFlow.cs:501:44:501:47 | delegate call : String |
 | Splitting.cs:3:28:3:34 | tainted : String | Splitting.cs:8:24:8:30 | [b (line 3): false] access to parameter tainted : String |
 | Splitting.cs:3:28:3:34 | tainted : String | Splitting.cs:8:24:8:30 | [b (line 3): true] access to parameter tainted : String |
 | Splitting.cs:8:17:8:31 | [b (line 3): false] call to method Return<String> : String | Splitting.cs:9:15:9:15 | [b (line 3): false] access to local variable x |
@@ -573,6 +578,11 @@ nodes
 | GlobalDataFlow.cs:486:32:486:32 | access to parameter s | semmle.label | access to parameter s |
 | GlobalDataFlow.cs:487:15:487:17 | access to parameter arg : String | semmle.label | access to parameter arg : String |
 | GlobalDataFlow.cs:490:28:490:41 | "taint source" : String | semmle.label | "taint source" : String |
+| GlobalDataFlow.cs:496:71:496:71 | e [element] : String | semmle.label | e [element] : String |
+| GlobalDataFlow.cs:499:22:499:22 | SSA def(x) : String | semmle.label | SSA def(x) : String |
+| GlobalDataFlow.cs:499:27:499:27 | access to parameter e [element] : String | semmle.label | access to parameter e [element] : String |
+| GlobalDataFlow.cs:501:44:501:47 | delegate call : String | semmle.label | delegate call : String |
+| GlobalDataFlow.cs:501:46:501:46 | access to local variable x : String | semmle.label | access to local variable x : String |
 | Splitting.cs:3:28:3:34 | tainted : String | semmle.label | tainted : String |
 | Splitting.cs:8:17:8:31 | [b (line 3): false] call to method Return<String> : String | semmle.label | [b (line 3): false] call to method Return<String> : String |
 | Splitting.cs:8:17:8:31 | [b (line 3): true] call to method Return<String> : String | semmle.label | [b (line 3): true] call to method Return<String> : String |
@@ -610,6 +620,7 @@ subpaths
 | GlobalDataFlow.cs:73:94:73:98 | access to local variable sink0 : String | GlobalDataFlow.cs:298:26:298:26 | x : String | GlobalDataFlow.cs:301:16:301:41 | ... ? ... : ... : String | GlobalDataFlow.cs:73:29:73:101 | call to method Invoke : String |
 | GlobalDataFlow.cs:76:19:76:23 | access to local variable sink1 : String | GlobalDataFlow.cs:304:32:304:32 | x : String | GlobalDataFlow.cs:306:9:306:13 | SSA def(y) : String | GlobalDataFlow.cs:76:30:76:34 | SSA def(sink2) : String |
 | GlobalDataFlow.cs:79:19:79:23 | access to local variable sink2 : String | GlobalDataFlow.cs:310:32:310:32 | x : String | GlobalDataFlow.cs:312:9:312:13 | SSA def(y) : String | GlobalDataFlow.cs:79:30:79:34 | SSA def(sink3) : String |
+| GlobalDataFlow.cs:81:23:81:65 | (...) ... [element] : String | GlobalDataFlow.cs:496:71:496:71 | e [element] : String | GlobalDataFlow.cs:501:44:501:47 | delegate call : String | GlobalDataFlow.cs:81:22:81:85 | call to method SelectEven<String,String> [element] : String |
 | GlobalDataFlow.cs:138:63:138:63 | access to parameter x : String | GlobalDataFlow.cs:387:46:387:46 | x : String | GlobalDataFlow.cs:389:16:389:19 | delegate call : String | GlobalDataFlow.cs:138:45:138:64 | call to method ApplyFunc<String,String> : String |
 | GlobalDataFlow.cs:139:29:139:33 | access to local variable sink3 : String | GlobalDataFlow.cs:138:40:138:40 | x : String | GlobalDataFlow.cs:138:45:138:64 | call to method ApplyFunc<String,String> : String | GlobalDataFlow.cs:139:21:139:34 | delegate call : String |
 | GlobalDataFlow.cs:147:39:147:43 | access to local variable sink4 : String | GlobalDataFlow.cs:387:46:387:46 | x : String | GlobalDataFlow.cs:389:16:389:19 | delegate call : String | GlobalDataFlow.cs:147:21:147:44 | call to method ApplyFunc<String,String> : String |

csharp/ql/test/library-tests/dataflow/tuples/PrintAst.qlref

@@ -1 +1 @@
-semmle/code/csharp/PrintAst.ql
+shared/PrintAst.ql

csharp/ql/test/library-tests/definitions/PrintAst.qlref

@@ -1 +1 @@
-semmle/code/csharp/PrintAst.ql
+shared/PrintAst.ql

csharp/ql/test/library-tests/delegates/PrintAst.qlref

@@ -1 +1 @@
-semmle/code/csharp/PrintAst.ql
+shared/PrintAst.ql

csharp/ql/test/library-tests/dynamic/PrintAst.qlref

@@ -1 +1 @@
-semmle/code/csharp/PrintAst.ql
+shared/PrintAst.ql

csharp/ql/test/library-tests/enums/PrintAst.qlref

@@ -1 +1 @@
-semmle/code/csharp/PrintAst.ql
+shared/PrintAst.ql

csharp/ql/test/library-tests/events/PrintAst.qlref

@@ -1 +1 @@
-semmle/code/csharp/PrintAst.ql
+shared/PrintAst.ql

csharp/ql/test/library-tests/exceptions/PrintAst.qlref

@@ -1 +1 @@
-semmle/code/csharp/PrintAst.ql
+shared/PrintAst.ql

csharp/ql/test/library-tests/expressions/PrintAst.qlref

@@ -1 +1 @@
-semmle/code/csharp/PrintAst.ql
+shared/PrintAst.ql

csharp/ql/test/library-tests/fields/PrintAst.qlref

@@ -1 +1 @@
-semmle/code/csharp/PrintAst.ql
+shared/PrintAst.ql

csharp/ql/test/library-tests/frameworks/EntityFramework/Dataflow.expected

@@ -1,34 +1,16 @@
 edges
-| ../../../resources/stubs/EntityFramework.cs:40:20:40:30 | this [property Addresses, element, property Street] : String | EntityFramework.cs:212:18:212:30 | access to property Addresses [element, property Street] : String |
-| ../../../resources/stubs/EntityFramework.cs:40:20:40:30 | this [property Addresses, element, property Street] : String | EntityFramework.cs:219:18:219:28 | access to property Persons [element, property Addresses, element, property Street] : String |
-| ../../../resources/stubs/EntityFramework.cs:40:20:40:30 | this [property PersonAddresses, element, property Address, property Street] : String | EntityFramework.cs:212:18:212:30 | access to property Addresses [element, property Street] : String |
-| ../../../resources/stubs/EntityFramework.cs:40:20:40:30 | this [property PersonAddresses, element, property Address, property Street] : String | EntityFramework.cs:219:18:219:28 | access to property Persons [element, property Addresses, element, property Street] : String |
-| ../../../resources/stubs/EntityFramework.cs:40:20:40:30 | this [property PersonAddresses, element, property Person, property Name] : String | EntityFramework.cs:204:18:204:28 | access to property Persons [element, property Name] : String |
-| ../../../resources/stubs/EntityFramework.cs:40:20:40:30 | this [property Persons, element, property Addresses, element, property Street] : String | EntityFramework.cs:212:18:212:30 | access to property Addresses [element, property Street] : String |
-| ../../../resources/stubs/EntityFramework.cs:40:20:40:30 | this [property Persons, element, property Addresses, element, property Street] : String | EntityFramework.cs:219:18:219:28 | access to property Persons [element, property Addresses, element, property Street] : String |
-| ../../../resources/stubs/EntityFramework.cs:40:20:40:30 | this [property Persons, element, property Name] : String | EntityFramework.cs:204:18:204:28 | access to property Persons [element, property Name] : String |
-| ../../../resources/stubs/EntityFramework.cs:41:49:41:64 | this [property Persons, element, property Name] : String | EntityFramework.cs:204:18:204:28 | access to property Persons [element, property Name] : String |
-| ../../../resources/stubs/EntityFramework.cs:80:20:80:30 | this [property Addresses, element, property Street] : String | EntityFrameworkCore.cs:238:18:238:30 | access to property Addresses [element, property Street] : String |
-| ../../../resources/stubs/EntityFramework.cs:80:20:80:30 | this [property Addresses, element, property Street] : String | EntityFrameworkCore.cs:245:18:245:28 | access to property Persons [element, property Addresses, element, property Street] : String |
-| ../../../resources/stubs/EntityFramework.cs:80:20:80:30 | this [property PersonAddresses, element, property Address, property Street] : String | EntityFrameworkCore.cs:238:18:238:30 | access to property Addresses [element, property Street] : String |
-| ../../../resources/stubs/EntityFramework.cs:80:20:80:30 | this [property PersonAddresses, element, property Address, property Street] : String | EntityFrameworkCore.cs:245:18:245:28 | access to property Persons [element, property Addresses, element, property Street] : String |
-| ../../../resources/stubs/EntityFramework.cs:80:20:80:30 | this [property PersonAddresses, element, property Person, property Name] : String | EntityFrameworkCore.cs:230:18:230:28 | access to property Persons [element, property Name] : String |
-| ../../../resources/stubs/EntityFramework.cs:80:20:80:30 | this [property Persons, element, property Addresses, element, property Street] : String | EntityFrameworkCore.cs:238:18:238:30 | access to property Addresses [element, property Street] : String |
-| ../../../resources/stubs/EntityFramework.cs:80:20:80:30 | this [property Persons, element, property Addresses, element, property Street] : String | EntityFrameworkCore.cs:245:18:245:28 | access to property Persons [element, property Addresses, element, property Street] : String |
-| ../../../resources/stubs/EntityFramework.cs:80:20:80:30 | this [property Persons, element, property Name] : String | EntityFrameworkCore.cs:230:18:230:28 | access to property Persons [element, property Name] : String |
-| ../../../resources/stubs/EntityFramework.cs:81:49:81:64 | this [property Persons, element, property Name] : String | EntityFrameworkCore.cs:230:18:230:28 | access to property Persons [element, property Name] : String |
 | EntityFramework.cs:59:13:62:13 | { ..., ... } [property Name] : String | EntityFramework.cs:66:29:66:30 | access to local variable p1 [property Name] : String |
 | EntityFramework.cs:61:24:61:32 | "tainted" : String | EntityFramework.cs:59:13:62:13 | { ..., ... } [property Name] : String |
 | EntityFramework.cs:66:13:66:15 | [post] access to local variable ctx [property Persons, element, property Name] : String | EntityFramework.cs:68:13:68:15 | access to local variable ctx [property Persons, element, property Name] : String |
 | EntityFramework.cs:66:13:66:23 | [post] access to property Persons [element, property Name] : String | EntityFramework.cs:66:13:66:15 | [post] access to local variable ctx [property Persons, element, property Name] : String |
 | EntityFramework.cs:66:29:66:30 | access to local variable p1 [property Name] : String | EntityFramework.cs:66:13:66:23 | [post] access to property Persons [element, property Name] : String |
-| EntityFramework.cs:68:13:68:15 | access to local variable ctx [property Persons, element, property Name] : String | ../../../resources/stubs/EntityFramework.cs:40:20:40:30 | this [property Persons, element, property Name] : String |
+| EntityFramework.cs:68:13:68:15 | access to local variable ctx [property Persons, element, property Name] : String | EntityFramework.cs:204:18:204:28 | access to property Persons [element, property Name] : String |
 | EntityFramework.cs:81:13:84:13 | { ..., ... } [property Name] : String | EntityFramework.cs:88:29:88:30 | access to local variable p1 [property Name] : String |
 | EntityFramework.cs:83:24:83:32 | "tainted" : String | EntityFramework.cs:81:13:84:13 | { ..., ... } [property Name] : String |
 | EntityFramework.cs:88:13:88:15 | [post] access to local variable ctx [property Persons, element, property Name] : String | EntityFramework.cs:90:19:90:21 | access to local variable ctx [property Persons, element, property Name] : String |
 | EntityFramework.cs:88:13:88:23 | [post] access to property Persons [element, property Name] : String | EntityFramework.cs:88:13:88:15 | [post] access to local variable ctx [property Persons, element, property Name] : String |
 | EntityFramework.cs:88:29:88:30 | access to local variable p1 [property Name] : String | EntityFramework.cs:88:13:88:23 | [post] access to property Persons [element, property Name] : String |
-| EntityFramework.cs:90:19:90:21 | access to local variable ctx [property Persons, element, property Name] : String | ../../../resources/stubs/EntityFramework.cs:41:49:41:64 | this [property Persons, element, property Name] : String |
+| EntityFramework.cs:90:19:90:21 | access to local variable ctx [property Persons, element, property Name] : String | EntityFramework.cs:204:18:204:28 | access to property Persons [element, property Name] : String |
 | EntityFramework.cs:103:13:106:13 | { ..., ... } [property Name] : String | EntityFramework.cs:109:27:109:28 | access to local variable p1 [property Name] : String |
 | EntityFramework.cs:105:24:105:32 | "tainted" : String | EntityFramework.cs:103:13:106:13 | { ..., ... } [property Name] : String |
 | EntityFramework.cs:109:27:109:28 | access to local variable p1 [property Name] : String | EntityFramework.cs:193:35:193:35 | p [property Name] : String |
@@ -47,18 +29,24 @@ edges
 | EntityFramework.cs:149:13:149:15 | [post] access to local variable ctx [property Persons, element, property Addresses, element, property Street] : String | EntityFramework.cs:166:13:166:15 | access to local variable ctx [property Persons, element, property Addresses, element, property Street] : String |
 | EntityFramework.cs:149:13:149:23 | [post] access to property Persons [element, property Addresses, element, property Street] : String | EntityFramework.cs:149:13:149:15 | [post] access to local variable ctx [property Persons, element, property Addresses, element, property Street] : String |
 | EntityFramework.cs:149:29:149:30 | access to local variable p1 [property Addresses, element, property Street] : String | EntityFramework.cs:149:13:149:23 | [post] access to property Persons [element, property Addresses, element, property Street] : String |
-| EntityFramework.cs:150:13:150:15 | access to local variable ctx [property Persons, element, property Addresses, element, property Street] : String | ../../../resources/stubs/EntityFramework.cs:40:20:40:30 | this [property Persons, element, property Addresses, element, property Street] : String |
-| EntityFramework.cs:154:13:154:15 | access to local variable ctx [property Persons, element, property Addresses, element, property Street] : String | ../../../resources/stubs/EntityFramework.cs:40:20:40:30 | this [property Persons, element, property Addresses, element, property Street] : String |
+| EntityFramework.cs:150:13:150:15 | access to local variable ctx [property Persons, element, property Addresses, element, property Street] : String | EntityFramework.cs:212:18:212:30 | access to property Addresses [element, property Street] : String |
+| EntityFramework.cs:150:13:150:15 | access to local variable ctx [property Persons, element, property Addresses, element, property Street] : String | EntityFramework.cs:219:18:219:28 | access to property Persons [element, property Addresses, element, property Street] : String |
+| EntityFramework.cs:154:13:154:15 | access to local variable ctx [property Persons, element, property Addresses, element, property Street] : String | EntityFramework.cs:212:18:212:30 | access to property Addresses [element, property Street] : String |
+| EntityFramework.cs:154:13:154:15 | access to local variable ctx [property Persons, element, property Addresses, element, property Street] : String | EntityFramework.cs:219:18:219:28 | access to property Persons [element, property Addresses, element, property Street] : String |
 | EntityFramework.cs:157:13:160:13 | { ..., ... } [property Street] : String | EntityFramework.cs:161:31:161:32 | access to local variable a1 [property Street] : String |
 | EntityFramework.cs:159:26:159:34 | "tainted" : String | EntityFramework.cs:157:13:160:13 | { ..., ... } [property Street] : String |
 | EntityFramework.cs:161:13:161:15 | [post] access to local variable ctx [property Addresses, element, property Street] : String | EntityFramework.cs:162:13:162:15 | access to local variable ctx [property Addresses, element, property Street] : String |
 | EntityFramework.cs:161:13:161:15 | [post] access to local variable ctx [property Addresses, element, property Street] : String | EntityFramework.cs:166:13:166:15 | access to local variable ctx [property Addresses, element, property Street] : String |
 | EntityFramework.cs:161:13:161:25 | [post] access to property Addresses [element, property Street] : String | EntityFramework.cs:161:13:161:15 | [post] access to local variable ctx [property Addresses, element, property Street] : String |
 | EntityFramework.cs:161:31:161:32 | access to local variable a1 [property Street] : String | EntityFramework.cs:161:13:161:25 | [post] access to property Addresses [element, property Street] : String |
-| EntityFramework.cs:162:13:162:15 | access to local variable ctx [property Addresses, element, property Street] : String | ../../../resources/stubs/EntityFramework.cs:40:20:40:30 | this [property Addresses, element, property Street] : String |
-| EntityFramework.cs:162:13:162:15 | access to local variable ctx [property Persons, element, property Addresses, element, property Street] : String | ../../../resources/stubs/EntityFramework.cs:40:20:40:30 | this [property Persons, element, property Addresses, element, property Street] : String |
-| EntityFramework.cs:166:13:166:15 | access to local variable ctx [property Addresses, element, property Street] : String | ../../../resources/stubs/EntityFramework.cs:40:20:40:30 | this [property Addresses, element, property Street] : String |
-| EntityFramework.cs:166:13:166:15 | access to local variable ctx [property Persons, element, property Addresses, element, property Street] : String | ../../../resources/stubs/EntityFramework.cs:40:20:40:30 | this [property Persons, element, property Addresses, element, property Street] : String |
+| EntityFramework.cs:162:13:162:15 | access to local variable ctx [property Addresses, element, property Street] : String | EntityFramework.cs:212:18:212:30 | access to property Addresses [element, property Street] : String |
+| EntityFramework.cs:162:13:162:15 | access to local variable ctx [property Addresses, element, property Street] : String | EntityFramework.cs:219:18:219:28 | access to property Persons [element, property Addresses, element, property Street] : String |
+| EntityFramework.cs:162:13:162:15 | access to local variable ctx [property Persons, element, property Addresses, element, property Street] : String | EntityFramework.cs:212:18:212:30 | access to property Addresses [element, property Street] : String |
+| EntityFramework.cs:162:13:162:15 | access to local variable ctx [property Persons, element, property Addresses, element, property Street] : String | EntityFramework.cs:219:18:219:28 | access to property Persons [element, property Addresses, element, property Street] : String |
+| EntityFramework.cs:166:13:166:15 | access to local variable ctx [property Addresses, element, property Street] : String | EntityFramework.cs:212:18:212:30 | access to property Addresses [element, property Street] : String |
+| EntityFramework.cs:166:13:166:15 | access to local variable ctx [property Addresses, element, property Street] : String | EntityFramework.cs:219:18:219:28 | access to property Persons [element, property Addresses, element, property Street] : String |
+| EntityFramework.cs:166:13:166:15 | access to local variable ctx [property Persons, element, property Addresses, element, property Street] : String | EntityFramework.cs:212:18:212:30 | access to property Addresses [element, property Street] : String |
+| EntityFramework.cs:166:13:166:15 | access to local variable ctx [property Persons, element, property Addresses, element, property Street] : String | EntityFramework.cs:219:18:219:28 | access to property Persons [element, property Addresses, element, property Street] : String |
 | EntityFramework.cs:173:13:176:13 | { ..., ... } [property Name] : String | EntityFramework.cs:182:71:182:72 | access to local variable p1 [property Name] : String |
 | EntityFramework.cs:175:24:175:32 | "tainted" : String | EntityFramework.cs:173:13:176:13 | { ..., ... } [property Name] : String |
 | EntityFramework.cs:178:13:181:13 | { ..., ... } [property Street] : String | EntityFramework.cs:182:85:182:86 | access to local variable a1 [property Street] : String |
@@ -75,15 +63,17 @@ edges
 | EntityFramework.cs:183:13:183:31 | [post] access to property PersonAddresses [element, property Person, property Name] : String | EntityFramework.cs:183:13:183:15 | [post] access to local variable ctx [property PersonAddresses, element, property Person, property Name] : String |
 | EntityFramework.cs:183:37:183:53 | access to local variable personAddressMap1 [property Address, property Street] : String | EntityFramework.cs:183:13:183:31 | [post] access to property PersonAddresses [element, property Address, property Street] : String |
 | EntityFramework.cs:183:37:183:53 | access to local variable personAddressMap1 [property Person, property Name] : String | EntityFramework.cs:183:13:183:31 | [post] access to property PersonAddresses [element, property Person, property Name] : String |
-| EntityFramework.cs:184:13:184:15 | access to local variable ctx [property PersonAddresses, element, property Address, property Street] : String | ../../../resources/stubs/EntityFramework.cs:40:20:40:30 | this [property PersonAddresses, element, property Address, property Street] : String |
-| EntityFramework.cs:184:13:184:15 | access to local variable ctx [property PersonAddresses, element, property Person, property Name] : String | ../../../resources/stubs/EntityFramework.cs:40:20:40:30 | this [property PersonAddresses, element, property Person, property Name] : String |
-| EntityFramework.cs:190:13:190:15 | access to local variable ctx [property PersonAddresses, element, property Address, property Street] : String | ../../../resources/stubs/EntityFramework.cs:40:20:40:30 | this [property PersonAddresses, element, property Address, property Street] : String |
-| EntityFramework.cs:190:13:190:15 | access to local variable ctx [property PersonAddresses, element, property Person, property Name] : String | ../../../resources/stubs/EntityFramework.cs:40:20:40:30 | this [property PersonAddresses, element, property Person, property Name] : String |
+| EntityFramework.cs:184:13:184:15 | access to local variable ctx [property PersonAddresses, element, property Address, property Street] : String | EntityFramework.cs:212:18:212:30 | access to property Addresses [element, property Street] : String |
+| EntityFramework.cs:184:13:184:15 | access to local variable ctx [property PersonAddresses, element, property Address, property Street] : String | EntityFramework.cs:219:18:219:28 | access to property Persons [element, property Addresses, element, property Street] : String |
+| EntityFramework.cs:184:13:184:15 | access to local variable ctx [property PersonAddresses, element, property Person, property Name] : String | EntityFramework.cs:204:18:204:28 | access to property Persons [element, property Name] : String |
+| EntityFramework.cs:190:13:190:15 | access to local variable ctx [property PersonAddresses, element, property Address, property Street] : String | EntityFramework.cs:212:18:212:30 | access to property Addresses [element, property Street] : String |
+| EntityFramework.cs:190:13:190:15 | access to local variable ctx [property PersonAddresses, element, property Address, property Street] : String | EntityFramework.cs:219:18:219:28 | access to property Persons [element, property Addresses, element, property Street] : String |
+| EntityFramework.cs:190:13:190:15 | access to local variable ctx [property PersonAddresses, element, property Person, property Name] : String | EntityFramework.cs:204:18:204:28 | access to property Persons [element, property Name] : String |
 | EntityFramework.cs:193:35:193:35 | p [property Name] : String | EntityFramework.cs:196:29:196:29 | access to parameter p [property Name] : String |
 | EntityFramework.cs:196:13:196:15 | [post] access to local variable ctx [property Persons, element, property Name] : String | EntityFramework.cs:197:13:197:15 | access to local variable ctx [property Persons, element, property Name] : String |
 | EntityFramework.cs:196:13:196:23 | [post] access to property Persons [element, property Name] : String | EntityFramework.cs:196:13:196:15 | [post] access to local variable ctx [property Persons, element, property Name] : String |
 | EntityFramework.cs:196:29:196:29 | access to parameter p [property Name] : String | EntityFramework.cs:196:13:196:23 | [post] access to property Persons [element, property Name] : String |
-| EntityFramework.cs:197:13:197:15 | access to local variable ctx [property Persons, element, property Name] : String | ../../../resources/stubs/EntityFramework.cs:40:20:40:30 | this [property Persons, element, property Name] : String |
+| EntityFramework.cs:197:13:197:15 | access to local variable ctx [property Persons, element, property Name] : String | EntityFramework.cs:204:18:204:28 | access to property Persons [element, property Name] : String |
 | EntityFramework.cs:204:18:204:28 | access to property Persons [element, property Name] : String | EntityFramework.cs:204:18:204:36 | call to method First<Person> [property Name] : String |
 | EntityFramework.cs:204:18:204:36 | call to method First<Person> [property Name] : String | EntityFramework.cs:204:18:204:41 | access to property Name |
 | EntityFramework.cs:212:18:212:30 | access to property Addresses [element, property Street] : String | EntityFramework.cs:212:18:212:38 | call to method First<Address> [property Street] : String |
@@ -104,13 +94,13 @@ edges
 | EntityFrameworkCore.cs:92:13:92:15 | [post] access to local variable ctx [property Persons, element, property Name] : String | EntityFrameworkCore.cs:94:13:94:15 | access to local variable ctx [property Persons, element, property Name] : String |
 | EntityFrameworkCore.cs:92:13:92:23 | [post] access to property Persons [element, property Name] : String | EntityFrameworkCore.cs:92:13:92:15 | [post] access to local variable ctx [property Persons, element, property Name] : String |
 | EntityFrameworkCore.cs:92:29:92:30 | access to local variable p1 [property Name] : String | EntityFrameworkCore.cs:92:13:92:23 | [post] access to property Persons [element, property Name] : String |
-| EntityFrameworkCore.cs:94:13:94:15 | access to local variable ctx [property Persons, element, property Name] : String | ../../../resources/stubs/EntityFramework.cs:80:20:80:30 | this [property Persons, element, property Name] : String |
+| EntityFrameworkCore.cs:94:13:94:15 | access to local variable ctx [property Persons, element, property Name] : String | EntityFrameworkCore.cs:230:18:230:28 | access to property Persons [element, property Name] : String |
 | EntityFrameworkCore.cs:107:13:110:13 | { ..., ... } [property Name] : String | EntityFrameworkCore.cs:114:29:114:30 | access to local variable p1 [property Name] : String |
 | EntityFrameworkCore.cs:109:24:109:32 | "tainted" : String | EntityFrameworkCore.cs:107:13:110:13 | { ..., ... } [property Name] : String |
 | EntityFrameworkCore.cs:114:13:114:15 | [post] access to local variable ctx [property Persons, element, property Name] : String | EntityFrameworkCore.cs:116:19:116:21 | access to local variable ctx [property Persons, element, property Name] : String |
 | EntityFrameworkCore.cs:114:13:114:23 | [post] access to property Persons [element, property Name] : String | EntityFrameworkCore.cs:114:13:114:15 | [post] access to local variable ctx [property Persons, element, property Name] : String |
 | EntityFrameworkCore.cs:114:29:114:30 | access to local variable p1 [property Name] : String | EntityFrameworkCore.cs:114:13:114:23 | [post] access to property Persons [element, property Name] : String |
-| EntityFrameworkCore.cs:116:19:116:21 | access to local variable ctx [property Persons, element, property Name] : String | ../../../resources/stubs/EntityFramework.cs:81:49:81:64 | this [property Persons, element, property Name] : String |
+| EntityFrameworkCore.cs:116:19:116:21 | access to local variable ctx [property Persons, element, property Name] : String | EntityFrameworkCore.cs:230:18:230:28 | access to property Persons [element, property Name] : String |
 | EntityFrameworkCore.cs:129:13:132:13 | { ..., ... } [property Name] : String | EntityFrameworkCore.cs:135:27:135:28 | access to local variable p1 [property Name] : String |
 | EntityFrameworkCore.cs:131:24:131:32 | "tainted" : String | EntityFrameworkCore.cs:129:13:132:13 | { ..., ... } [property Name] : String |
 | EntityFrameworkCore.cs:135:27:135:28 | access to local variable p1 [property Name] : String | EntityFrameworkCore.cs:219:35:219:35 | p [property Name] : String |
@@ -129,18 +119,24 @@ edges
 | EntityFrameworkCore.cs:175:13:175:15 | [post] access to local variable ctx [property Persons, element, property Addresses, element, property Street] : String | EntityFrameworkCore.cs:192:13:192:15 | access to local variable ctx [property Persons, element, property Addresses, element, property Street] : String |
 | EntityFrameworkCore.cs:175:13:175:23 | [post] access to property Persons [element, property Addresses, element, property Street] : String | EntityFrameworkCore.cs:175:13:175:15 | [post] access to local variable ctx [property Persons, element, property Addresses, element, property Street] : String |
 | EntityFrameworkCore.cs:175:29:175:30 | access to local variable p1 [property Addresses, element, property Street] : String | EntityFrameworkCore.cs:175:13:175:23 | [post] access to property Persons [element, property Addresses, element, property Street] : String |
-| EntityFrameworkCore.cs:176:13:176:15 | access to local variable ctx [property Persons, element, property Addresses, element, property Street] : String | ../../../resources/stubs/EntityFramework.cs:80:20:80:30 | this [property Persons, element, property Addresses, element, property Street] : String |
-| EntityFrameworkCore.cs:180:13:180:15 | access to local variable ctx [property Persons, element, property Addresses, element, property Street] : String | ../../../resources/stubs/EntityFramework.cs:80:20:80:30 | this [property Persons, element, property Addresses, element, property Street] : String |
+| EntityFrameworkCore.cs:176:13:176:15 | access to local variable ctx [property Persons, element, property Addresses, element, property Street] : String | EntityFrameworkCore.cs:238:18:238:30 | access to property Addresses [element, property Street] : String |
+| EntityFrameworkCore.cs:176:13:176:15 | access to local variable ctx [property Persons, element, property Addresses, element, property Street] : String | EntityFrameworkCore.cs:245:18:245:28 | access to property Persons [element, property Addresses, element, property Street] : String |
+| EntityFrameworkCore.cs:180:13:180:15 | access to local variable ctx [property Persons, element, property Addresses, element, property Street] : String | EntityFrameworkCore.cs:238:18:238:30 | access to property Addresses [element, property Street] : String |
+| EntityFrameworkCore.cs:180:13:180:15 | access to local variable ctx [property Persons, element, property Addresses, element, property Street] : String | EntityFrameworkCore.cs:245:18:245:28 | access to property Persons [element, property Addresses, element, property Street] : String |
 | EntityFrameworkCore.cs:183:13:186:13 | { ..., ... } [property Street] : String | EntityFrameworkCore.cs:187:31:187:32 | access to local variable a1 [property Street] : String |
 | EntityFrameworkCore.cs:185:26:185:34 | "tainted" : String | EntityFrameworkCore.cs:183:13:186:13 | { ..., ... } [property Street] : String |
 | EntityFrameworkCore.cs:187:13:187:15 | [post] access to local variable ctx [property Addresses, element, property Street] : String | EntityFrameworkCore.cs:188:13:188:15 | access to local variable ctx [property Addresses, element, property Street] : String |
 | EntityFrameworkCore.cs:187:13:187:15 | [post] access to local variable ctx [property Addresses, element, property Street] : String | EntityFrameworkCore.cs:192:13:192:15 | access to local variable ctx [property Addresses, element, property Street] : String |
 | EntityFrameworkCore.cs:187:13:187:25 | [post] access to property Addresses [element, property Street] : String | EntityFrameworkCore.cs:187:13:187:15 | [post] access to local variable ctx [property Addresses, element, property Street] : String |
 | EntityFrameworkCore.cs:187:31:187:32 | access to local variable a1 [property Street] : String | EntityFrameworkCore.cs:187:13:187:25 | [post] access to property Addresses [element, property Street] : String |
-| EntityFrameworkCore.cs:188:13:188:15 | access to local variable ctx [property Addresses, element, property Street] : String | ../../../resources/stubs/EntityFramework.cs:80:20:80:30 | this [property Addresses, element, property Street] : String |
-| EntityFrameworkCore.cs:188:13:188:15 | access to local variable ctx [property Persons, element, property Addresses, element, property Street] : String | ../../../resources/stubs/EntityFramework.cs:80:20:80:30 | this [property Persons, element, property Addresses, element, property Street] : String |
-| EntityFrameworkCore.cs:192:13:192:15 | access to local variable ctx [property Addresses, element, property Street] : String | ../../../resources/stubs/EntityFramework.cs:80:20:80:30 | this [property Addresses, element, property Street] : String |
-| EntityFrameworkCore.cs:192:13:192:15 | access to local variable ctx [property Persons, element, property Addresses, element, property Street] : String | ../../../resources/stubs/EntityFramework.cs:80:20:80:30 | this [property Persons, element, property Addresses, element, property Street] : String |
+| EntityFrameworkCore.cs:188:13:188:15 | access to local variable ctx [property Addresses, element, property Street] : String | EntityFrameworkCore.cs:238:18:238:30 | access to property Addresses [element, property Street] : String |
+| EntityFrameworkCore.cs:188:13:188:15 | access to local variable ctx [property Addresses, element, property Street] : String | EntityFrameworkCore.cs:245:18:245:28 | access to property Persons [element, property Addresses, element, property Street] : String |
+| EntityFrameworkCore.cs:188:13:188:15 | access to local variable ctx [property Persons, element, property Addresses, element, property Street] : String | EntityFrameworkCore.cs:238:18:238:30 | access to property Addresses [element, property Street] : String |
+| EntityFrameworkCore.cs:188:13:188:15 | access to local variable ctx [property Persons, element, property Addresses, element, property Street] : String | EntityFrameworkCore.cs:245:18:245:28 | access to property Persons [element, property Addresses, element, property Street] : String |
+| EntityFrameworkCore.cs:192:13:192:15 | access to local variable ctx [property Addresses, element, property Street] : String | EntityFrameworkCore.cs:238:18:238:30 | access to property Addresses [element, property Street] : String |
+| EntityFrameworkCore.cs:192:13:192:15 | access to local variable ctx [property Addresses, element, property Street] : String | EntityFrameworkCore.cs:245:18:245:28 | access to property Persons [element, property Addresses, element, property Street] : String |
+| EntityFrameworkCore.cs:192:13:192:15 | access to local variable ctx [property Persons, element, property Addresses, element, property Street] : String | EntityFrameworkCore.cs:238:18:238:30 | access to property Addresses [element, property Street] : String |
+| EntityFrameworkCore.cs:192:13:192:15 | access to local variable ctx [property Persons, element, property Addresses, element, property Street] : String | EntityFrameworkCore.cs:245:18:245:28 | access to property Persons [element, property Addresses, element, property Street] : String |
 | EntityFrameworkCore.cs:199:13:202:13 | { ..., ... } [property Name] : String | EntityFrameworkCore.cs:208:71:208:72 | access to local variable p1 [property Name] : String |
 | EntityFrameworkCore.cs:201:24:201:32 | "tainted" : String | EntityFrameworkCore.cs:199:13:202:13 | { ..., ... } [property Name] : String |
 | EntityFrameworkCore.cs:204:13:207:13 | { ..., ... } [property Street] : String | EntityFrameworkCore.cs:208:85:208:86 | access to local variable a1 [property Street] : String |
@@ -157,15 +153,17 @@ edges
 | EntityFrameworkCore.cs:209:13:209:31 | [post] access to property PersonAddresses [element, property Person, property Name] : String | EntityFrameworkCore.cs:209:13:209:15 | [post] access to local variable ctx [property PersonAddresses, element, property Person, property Name] : String |
 | EntityFrameworkCore.cs:209:37:209:53 | access to local variable personAddressMap1 [property Address, property Street] : String | EntityFrameworkCore.cs:209:13:209:31 | [post] access to property PersonAddresses [element, property Address, property Street] : String |
 | EntityFrameworkCore.cs:209:37:209:53 | access to local variable personAddressMap1 [property Person, property Name] : String | EntityFrameworkCore.cs:209:13:209:31 | [post] access to property PersonAddresses [element, property Person, property Name] : String |
-| EntityFrameworkCore.cs:210:13:210:15 | access to local variable ctx [property PersonAddresses, element, property Address, property Street] : String | ../../../resources/stubs/EntityFramework.cs:80:20:80:30 | this [property PersonAddresses, element, property Address, property Street] : String |
-| EntityFrameworkCore.cs:210:13:210:15 | access to local variable ctx [property PersonAddresses, element, property Person, property Name] : String | ../../../resources/stubs/EntityFramework.cs:80:20:80:30 | this [property PersonAddresses, element, property Person, property Name] : String |
-| EntityFrameworkCore.cs:216:13:216:15 | access to local variable ctx [property PersonAddresses, element, property Address, property Street] : String | ../../../resources/stubs/EntityFramework.cs:80:20:80:30 | this [property PersonAddresses, element, property Address, property Street] : String |
-| EntityFrameworkCore.cs:216:13:216:15 | access to local variable ctx [property PersonAddresses, element, property Person, property Name] : String | ../../../resources/stubs/EntityFramework.cs:80:20:80:30 | this [property PersonAddresses, element, property Person, property Name] : String |
+| EntityFrameworkCore.cs:210:13:210:15 | access to local variable ctx [property PersonAddresses, element, property Address, property Street] : String | EntityFrameworkCore.cs:238:18:238:30 | access to property Addresses [element, property Street] : String |
+| EntityFrameworkCore.cs:210:13:210:15 | access to local variable ctx [property PersonAddresses, element, property Address, property Street] : String | EntityFrameworkCore.cs:245:18:245:28 | access to property Persons [element, property Addresses, element, property Street] : String |
+| EntityFrameworkCore.cs:210:13:210:15 | access to local variable ctx [property PersonAddresses, element, property Person, property Name] : String | EntityFrameworkCore.cs:230:18:230:28 | access to property Persons [element, property Name] : String |
+| EntityFrameworkCore.cs:216:13:216:15 | access to local variable ctx [property PersonAddresses, element, property Address, property Street] : String | EntityFrameworkCore.cs:238:18:238:30 | access to property Addresses [element, property Street] : String |
+| EntityFrameworkCore.cs:216:13:216:15 | access to local variable ctx [property PersonAddresses, element, property Address, property Street] : String | EntityFrameworkCore.cs:245:18:245:28 | access to property Persons [element, property Addresses, element, property Street] : String |
+| EntityFrameworkCore.cs:216:13:216:15 | access to local variable ctx [property PersonAddresses, element, property Person, property Name] : String | EntityFrameworkCore.cs:230:18:230:28 | access to property Persons [element, property Name] : String |
 | EntityFrameworkCore.cs:219:35:219:35 | p [property Name] : String | EntityFrameworkCore.cs:222:29:222:29 | access to parameter p [property Name] : String |
 | EntityFrameworkCore.cs:222:13:222:15 | [post] access to local variable ctx [property Persons, element, property Name] : String | EntityFrameworkCore.cs:223:13:223:15 | access to local variable ctx [property Persons, element, property Name] : String |
 | EntityFrameworkCore.cs:222:13:222:23 | [post] access to property Persons [element, property Name] : String | EntityFrameworkCore.cs:222:13:222:15 | [post] access to local variable ctx [property Persons, element, property Name] : String |
 | EntityFrameworkCore.cs:222:29:222:29 | access to parameter p [property Name] : String | EntityFrameworkCore.cs:222:13:222:23 | [post] access to property Persons [element, property Name] : String |
-| EntityFrameworkCore.cs:223:13:223:15 | access to local variable ctx [property Persons, element, property Name] : String | ../../../resources/stubs/EntityFramework.cs:80:20:80:30 | this [property Persons, element, property Name] : String |
+| EntityFrameworkCore.cs:223:13:223:15 | access to local variable ctx [property Persons, element, property Name] : String | EntityFrameworkCore.cs:230:18:230:28 | access to property Persons [element, property Name] : String |
 | EntityFrameworkCore.cs:230:18:230:28 | access to property Persons [element, property Name] : String | EntityFrameworkCore.cs:230:18:230:36 | call to method First<Person> [property Name] : String |
 | EntityFrameworkCore.cs:230:18:230:36 | call to method First<Person> [property Name] : String | EntityFrameworkCore.cs:230:18:230:41 | access to property Name |
 | EntityFrameworkCore.cs:238:18:238:30 | access to property Addresses [element, property Street] : String | EntityFrameworkCore.cs:238:18:238:38 | call to method First<Address> [property Street] : String |
@@ -175,18 +173,6 @@ edges
 | EntityFrameworkCore.cs:245:18:245:46 | access to property Addresses [element, property Street] : String | EntityFrameworkCore.cs:245:18:245:54 | call to method First<Address> [property Street] : String |
 | EntityFrameworkCore.cs:245:18:245:54 | call to method First<Address> [property Street] : String | EntityFrameworkCore.cs:245:18:245:61 | access to property Street |
 nodes
-| ../../../resources/stubs/EntityFramework.cs:40:20:40:30 | this [property Addresses, element, property Street] : String | semmle.label | this [property Addresses, element, property Street] : String |
-| ../../../resources/stubs/EntityFramework.cs:40:20:40:30 | this [property PersonAddresses, element, property Address, property Street] : String | semmle.label | this [property PersonAddresses, element, property Address, property Street] : String |
-| ../../../resources/stubs/EntityFramework.cs:40:20:40:30 | this [property PersonAddresses, element, property Person, property Name] : String | semmle.label | this [property PersonAddresses, element, property Person, property Name] : String |
-| ../../../resources/stubs/EntityFramework.cs:40:20:40:30 | this [property Persons, element, property Addresses, element, property Street] : String | semmle.label | this [property Persons, element, property Addresses, element, property Street] : String |
-| ../../../resources/stubs/EntityFramework.cs:40:20:40:30 | this [property Persons, element, property Name] : String | semmle.label | this [property Persons, element, property Name] : String |
-| ../../../resources/stubs/EntityFramework.cs:41:49:41:64 | this [property Persons, element, property Name] : String | semmle.label | this [property Persons, element, property Name] : String |
-| ../../../resources/stubs/EntityFramework.cs:80:20:80:30 | this [property Addresses, element, property Street] : String | semmle.label | this [property Addresses, element, property Street] : String |
-| ../../../resources/stubs/EntityFramework.cs:80:20:80:30 | this [property PersonAddresses, element, property Address, property Street] : String | semmle.label | this [property PersonAddresses, element, property Address, property Street] : String |
-| ../../../resources/stubs/EntityFramework.cs:80:20:80:30 | this [property PersonAddresses, element, property Person, property Name] : String | semmle.label | this [property PersonAddresses, element, property Person, property Name] : String |
-| ../../../resources/stubs/EntityFramework.cs:80:20:80:30 | this [property Persons, element, property Addresses, element, property Street] : String | semmle.label | this [property Persons, element, property Addresses, element, property Street] : String |
-| ../../../resources/stubs/EntityFramework.cs:80:20:80:30 | this [property Persons, element, property Name] : String | semmle.label | this [property Persons, element, property Name] : String |
-| ../../../resources/stubs/EntityFramework.cs:81:49:81:64 | this [property Persons, element, property Name] : String | semmle.label | this [property Persons, element, property Name] : String |
 | EntityFramework.cs:59:13:62:13 | { ..., ... } [property Name] : String | semmle.label | { ..., ... } [property Name] : String |
 | EntityFramework.cs:61:24:61:32 | "tainted" : String | semmle.label | "tainted" : String |
 | EntityFramework.cs:66:13:66:15 | [post] access to local variable ctx [property Persons, element, property Name] : String | semmle.label | [post] access to local variable ctx [property Persons, element, property Name] : String |

csharp/ql/test/library-tests/generics/PrintAst.qlref

@@ -1 +1 @@
-semmle/code/csharp/PrintAst.ql
+shared/PrintAst.ql

csharp/ql/test/library-tests/goto/PrintAst.qlref

@@ -1 +1 @@
-semmle/code/csharp/PrintAst.ql
+shared/PrintAst.ql

csharp/ql/test/library-tests/indexers/PrintAst.qlref

@@ -1 +1 @@
-semmle/code/csharp/PrintAst.ql
+shared/PrintAst.ql

csharp/ql/test/library-tests/initializers/PrintAst.qlref

@@ -1 +1 @@
-semmle/code/csharp/PrintAst.ql
+shared/PrintAst.ql

csharp/ql/test/library-tests/linq/PrintAst.qlref

@@ -1 +1 @@
-semmle/code/csharp/PrintAst.ql
+shared/PrintAst.ql

csharp/ql/test/library-tests/members/PrintAst.qlref

@@ -1 +1 @@
-semmle/code/csharp/PrintAst.ql
+shared/PrintAst.ql

csharp/ql/test/library-tests/methods/PrintAst.qlref

@@ -1 +1 @@
-semmle/code/csharp/PrintAst.ql
+shared/PrintAst.ql

csharp/ql/test/library-tests/namespaces/PrintAst.qlref

@@ -1 +1 @@
-semmle/code/csharp/PrintAst.ql
+shared/PrintAst.ql

csharp/ql/test/library-tests/nestedtypes/PrintAst.qlref

@@ -1 +1 @@
-semmle/code/csharp/PrintAst.ql
+shared/PrintAst.ql

csharp/ql/test/library-tests/operators/PrintAst.qlref

@@ -1 +1 @@
-semmle/code/csharp/PrintAst.ql
+shared/PrintAst.ql

csharp/ql/test/library-tests/partial/PrintAst.qlref

@@ -1 +1 @@
-semmle/code/csharp/PrintAst.ql
+shared/PrintAst.ql

csharp/ql/test/library-tests/properties/PrintAst.qlref

@@ -1 +1 @@
-semmle/code/csharp/PrintAst.ql
+shared/PrintAst.ql

csharp/ql/test/library-tests/statements/PrintAst.qlref

@@ -1 +1 @@
-semmle/code/csharp/PrintAst.ql
+shared/PrintAst.ql

csharp/ql/test/library-tests/types/PrintAst.qlref

@@ -1 +1 @@
-semmle/code/csharp/PrintAst.ql
+shared/PrintAst.ql

csharp/ql/test/library-tests/unsafe/PrintAst.qlref

@@ -1 +1 @@
-semmle/code/csharp/PrintAst.ql
+shared/PrintAst.ql

csharp/ql/test/shared/PrintAst.ql

@@ -6,7 +6,7 @@
  */
 
 import csharp
-import PrintAst
+import semmle.code.csharp.PrintAst
 
 /**
  * Temporarily tweak this class or make a copy to control which functions are

docs/codeql/support/reusables/frameworks.rst

@@ -164,10 +164,12 @@ Python built-in support
    Name, Category
    aiohttp.web, Web framework
    Django, Web framework
+   djangorestframework, Web framework
    FastAPI, Web framework
    Flask, Web framework
    Tornado, Web framework
    Twisted, Web framework
+   Flask-Admin, Web framework
    starlette, Asynchronous Server Gateway Interface (ASGI)
    dill, Serialization
    PyYAML, Serialization
@@ -183,6 +185,8 @@ Python built-in support
    pydantic, Utility library
    yarl, Utility library
    aioch, Database
+   aiomysql, Database
+   aiopg, Database
    asyncpg, Database
    clickhouse-driver, Database
    mysql-connector-python, Database

java/documentation/library-coverage/coverage.csv

@@ -26,7 +26,7 @@ jakarta.ws.rs.client,1,,,,,,,,,,,,,,1,,,,,,,,,,,
 jakarta.ws.rs.container,,9,,,,,,,,,,,,,,,,,,,,,,9,,
 jakarta.ws.rs.core,2,,149,,,,,,,,,,,,,,,,2,,,,,,94,55
 java.beans,,,1,,,,,,,,,,,,,,,,,,,,,,1,
-java.io,3,,27,,3,,,,,,,,,,,,,,,,,,,,26,1
+java.io,3,,31,,3,,,,,,,,,,,,,,,,,,,,30,1
 java.lang,,,51,,,,,,,,,,,,,,,,,,,,,,41,10
 java.net,10,3,7,,,,,,,,,,,,10,,,,,,,,,3,7,
 java.nio,10,,4,,10,,,,,,,,,,,,,,,,,,,,4,

java/documentation/library-coverage/coverage.rst

@@ -15,9 +15,9 @@ Java framework & library support
    `Apache HttpComponents <https://hc.apache.org/>`_,"``org.apache.hc.core5.*``, ``org.apache.http``",5,136,28,,,3,,,,25
    `Google Guava <https://guava.dev/>`_,``com.google.common.*``,,728,6,,6,,,,,
    `JSON-java <https://github.com/stleary/JSON-java>`_,``org.json``,,236,,,,,,,,
-   Java Standard Library,``java.*``,3,519,30,13,,,7,,,10
+   Java Standard Library,``java.*``,3,523,30,13,,,7,,,10
    Java extensions,"``javax.*``, ``jakarta.*``",54,552,32,,,4,,1,1,2
    `Spring <https://spring.io/>`_,``org.springframework.*``,29,469,91,,,,19,14,,29
    Others,"``cn.hutool.core.codec``, ``com.esotericsoftware.kryo.io``, ``com.esotericsoftware.kryo5.io``, ``com.fasterxml.jackson.core``, ``com.fasterxml.jackson.databind``, ``com.opensymphony.xwork2.ognl``, ``com.unboundid.ldap.sdk``, ``flexjson``, ``groovy.lang``, ``groovy.util``, ``jodd.json``, ``net.sf.saxon.s9api``, ``ognl``, ``org.apache.commons.codec``, ``org.apache.commons.jexl2``, ``org.apache.commons.jexl3``, ``org.apache.commons.ognl``, ``org.apache.directory.ldap.client.api``, ``org.apache.ibatis.jdbc``, ``org.apache.shiro.codec``, ``org.apache.shiro.jndi``, ``org.codehaus.groovy.control``, ``org.dom4j``, ``org.hibernate``, ``org.jooq``, ``org.mvel2``, ``org.xml.sax``, ``org.xmlpull.v1``, ``play.mvc``, ``ratpack.core.form``, ``ratpack.core.handling``, ``ratpack.core.http``, ``ratpack.exec``, ``ratpack.form``, ``ratpack.func``, ``ratpack.handling``, ``ratpack.http``, ``ratpack.util``",39,99,151,,,,14,18,,
-   Totals,,175,5364,431,13,6,10,107,33,1,66
+   Totals,,175,5368,431,13,6,10,107,33,1,66
 

java/ql/lib/semmle/code/java/dataflow/ExternalFlow.qll

@@ -83,6 +83,7 @@ private module Frameworks {
   private import semmle.code.java.frameworks.android.XssSinks
   private import semmle.code.java.frameworks.ApacheHttp
   private import semmle.code.java.frameworks.apache.Collections
+  private import semmle.code.java.frameworks.apache.IO
   private import semmle.code.java.frameworks.apache.Lang
   private import semmle.code.java.frameworks.Flexjson
   private import semmle.code.java.frameworks.guava.Guava
@@ -322,33 +323,11 @@ private predicate summaryModelCsv(string row) {
       "org.apache.commons.codec;BinaryDecoder;true;decode;(byte[]);;Argument[0];ReturnValue;taint",
       "org.apache.commons.codec;StringEncoder;true;encode;(String);;Argument[0];ReturnValue;taint",
       "org.apache.commons.codec;StringDecoder;true;decode;(String);;Argument[0];ReturnValue;taint",
-      "org.apache.commons.io;IOUtils;false;buffer;;;Argument[0];ReturnValue;taint",
-      "org.apache.commons.io;IOUtils;false;readLines;;;Argument[0];ReturnValue;taint",
-      "org.apache.commons.io;IOUtils;false;readFully;(InputStream,int);;Argument[0];ReturnValue;taint",
-      "org.apache.commons.io;IOUtils;false;toBufferedInputStream;;;Argument[0];ReturnValue;taint",
-      "org.apache.commons.io;IOUtils;false;toBufferedReader;;;Argument[0];ReturnValue;taint",
-      "org.apache.commons.io;IOUtils;false;toByteArray;;;Argument[0];ReturnValue;taint",
-      "org.apache.commons.io;IOUtils;false;toCharArray;;;Argument[0];ReturnValue;taint",
-      "org.apache.commons.io;IOUtils;false;toInputStream;;;Argument[0];ReturnValue;taint",
-      "org.apache.commons.io;IOUtils;false;toString;;;Argument[0];ReturnValue;taint",
       "java.net;URLDecoder;false;decode;;;Argument[0];ReturnValue;taint",
       "java.net;URI;false;create;;;Argument[0];ReturnValue;taint",
       "javax.xml.transform.sax;SAXSource;false;sourceToInputSource;;;Argument[0];ReturnValue;taint",
       // arg to arg
       "java.lang;System;false;arraycopy;;;Argument[0];Argument[2];taint",
-      "org.apache.commons.io;IOUtils;false;copy;;;Argument[0];Argument[1];taint",
-      "org.apache.commons.io;IOUtils;false;copyLarge;;;Argument[0];Argument[1];taint",
-      "org.apache.commons.io;IOUtils;false;read;;;Argument[0];Argument[1];taint",
-      "org.apache.commons.io;IOUtils;false;readFully;(InputStream,byte[]);;Argument[0];Argument[1];taint",
-      "org.apache.commons.io;IOUtils;false;readFully;(InputStream,byte[],int,int);;Argument[0];Argument[1];taint",
-      "org.apache.commons.io;IOUtils;false;readFully;(InputStream,ByteBuffer);;Argument[0];Argument[1];taint",
-      "org.apache.commons.io;IOUtils;false;readFully;(ReadableByteChannel,ByteBuffer);;Argument[0];Argument[1];taint",
-      "org.apache.commons.io;IOUtils;false;readFully;(Reader,char[]);;Argument[0];Argument[1];taint",
-      "org.apache.commons.io;IOUtils;false;readFully;(Reader,char[],int,int);;Argument[0];Argument[1];taint",
-      "org.apache.commons.io;IOUtils;false;write;;;Argument[0];Argument[1];taint",
-      "org.apache.commons.io;IOUtils;false;writeChunked;;;Argument[0];Argument[1];taint",
-      "org.apache.commons.io;IOUtils;false;writeLines;;;Argument[0];Argument[2];taint",
-      "org.apache.commons.io;IOUtils;false;writeLines;;;Argument[1];Argument[2];taint",
       // constructor flow
       "java.io;File;false;File;;;Argument[0];Argument[-1];taint",
       "java.io;File;false;File;;;Argument[1];Argument[-1];taint",

java/ql/lib/semmle/code/java/dataflow/FlowSteps.qll

@@ -11,6 +11,7 @@ private import semmle.code.java.dataflow.DataFlow
  */
 private module Frameworks {
   private import semmle.code.java.frameworks.jackson.JacksonSerializability
+  private import semmle.code.java.frameworks.android.AsyncTask
   private import semmle.code.java.frameworks.android.Intent
   private import semmle.code.java.frameworks.android.SQLite
   private import semmle.code.java.frameworks.Guice
@@ -64,6 +65,20 @@ class AdditionalTaintStep extends Unit {
   abstract predicate step(DataFlow::Node node1, DataFlow::Node node2);
 }
 
+/**
+ * A unit class for adding additional value steps.
+ *
+ * Extend this class to add additional value-preserving steps that should apply
+ * to all data flow configurations.
+ */
+class AdditionalValueStep extends Unit {
+  /**
+   * Holds if the step from `node1` to `node2` is a value-preserving step and
+   * should apply to all data flow configurations.
+   */
+  abstract predicate step(DataFlow::Node node1, DataFlow::Node node2);
+}
+
 /**
  * A method or constructor that preserves taint.
  *

java/ql/lib/semmle/code/java/dataflow/internal/DataFlowImpl.qll

@@ -3740,13 +3740,14 @@ private module Subpaths {
    */
   pragma[nomagic]
   private predicate subpaths01(
-    PathNode arg, ParamNodeEx par, SummaryCtxSome sc, CallContext innercc, ReturnKindExt kind,
+    PathNodeImpl arg, ParamNodeEx par, SummaryCtxSome sc, CallContext innercc, ReturnKindExt kind,
     NodeEx out, AccessPath apout
   ) {
     exists(Configuration config |
       pathThroughCallable(arg, out, _, pragma[only_bind_into](apout)) and
       pathIntoCallable(arg, par, _, innercc, sc, _, config) and
-      paramFlowsThrough(kind, innercc, sc, pragma[only_bind_into](apout), _, unbindConf(config))
+      paramFlowsThrough(kind, innercc, sc, pragma[only_bind_into](apout), _, unbindConf(config)) and
+      not arg.isHidden()
     )
   }
 
@@ -3780,8 +3781,17 @@ private module Subpaths {
       innercc = ret.getCallContext() and
       sc = ret.getSummaryCtx() and
       ret.getConfiguration() = unbindConf(getPathNodeConf(arg)) and
-      apout = ret.getAp() and
-      not ret.isHidden()
+      apout = ret.getAp()
+    )
+  }
+
+  private PathNodeImpl localStepToHidden(PathNodeImpl n) {
+    n.getASuccessorImpl() = result and
+    result.isHidden() and
+    exists(NodeEx n1, NodeEx n2 | n1 = n.getNodeEx() and n2 = result.getNodeEx() |
+      localFlowBigStep(n1, n2, _, _, _, _) or
+      store(n1, _, n2, _, _) or
+      read(n1, _, n2, _)
     )
   }
 
@@ -3790,11 +3800,12 @@ private module Subpaths {
    * a subpath between `par` and `ret` with the connecting edges `arg -> par` and
    * `ret -> out` is summarized as the edge `arg -> out`.
    */
-  predicate subpaths(PathNode arg, PathNodeImpl par, PathNodeMid ret, PathNodeMid out) {
+  predicate subpaths(PathNode arg, PathNodeImpl par, PathNodeImpl ret, PathNodeMid out) {
     exists(ParamNodeEx p, NodeEx o, AccessPath apout |
       pragma[only_bind_into](arg).getASuccessor() = par and
       pragma[only_bind_into](arg).getASuccessor() = out and
-      subpaths03(arg, p, ret, o, apout) and
+      subpaths03(arg, p, localStepToHidden*(ret), o, apout) and
+      not ret.isHidden() and
       par.getNodeEx() = p and
       out.getNodeEx() = o and
       out.getAp() = apout

java/ql/lib/semmle/code/java/dataflow/internal/DataFlowImpl2.qll

@@ -3740,13 +3740,14 @@ private module Subpaths {
    */
   pragma[nomagic]
   private predicate subpaths01(
-    PathNode arg, ParamNodeEx par, SummaryCtxSome sc, CallContext innercc, ReturnKindExt kind,
+    PathNodeImpl arg, ParamNodeEx par, SummaryCtxSome sc, CallContext innercc, ReturnKindExt kind,
     NodeEx out, AccessPath apout
   ) {
     exists(Configuration config |
       pathThroughCallable(arg, out, _, pragma[only_bind_into](apout)) and
       pathIntoCallable(arg, par, _, innercc, sc, _, config) and
-      paramFlowsThrough(kind, innercc, sc, pragma[only_bind_into](apout), _, unbindConf(config))
+      paramFlowsThrough(kind, innercc, sc, pragma[only_bind_into](apout), _, unbindConf(config)) and
+      not arg.isHidden()
     )
   }
 
@@ -3780,8 +3781,17 @@ private module Subpaths {
       innercc = ret.getCallContext() and
       sc = ret.getSummaryCtx() and
       ret.getConfiguration() = unbindConf(getPathNodeConf(arg)) and
-      apout = ret.getAp() and
-      not ret.isHidden()
+      apout = ret.getAp()
+    )
+  }
+
+  private PathNodeImpl localStepToHidden(PathNodeImpl n) {
+    n.getASuccessorImpl() = result and
+    result.isHidden() and
+    exists(NodeEx n1, NodeEx n2 | n1 = n.getNodeEx() and n2 = result.getNodeEx() |
+      localFlowBigStep(n1, n2, _, _, _, _) or
+      store(n1, _, n2, _, _) or
+      read(n1, _, n2, _)
     )
   }
 
@@ -3790,11 +3800,12 @@ private module Subpaths {
    * a subpath between `par` and `ret` with the connecting edges `arg -> par` and
    * `ret -> out` is summarized as the edge `arg -> out`.
    */
-  predicate subpaths(PathNode arg, PathNodeImpl par, PathNodeMid ret, PathNodeMid out) {
+  predicate subpaths(PathNode arg, PathNodeImpl par, PathNodeImpl ret, PathNodeMid out) {
     exists(ParamNodeEx p, NodeEx o, AccessPath apout |
       pragma[only_bind_into](arg).getASuccessor() = par and
       pragma[only_bind_into](arg).getASuccessor() = out and
-      subpaths03(arg, p, ret, o, apout) and
+      subpaths03(arg, p, localStepToHidden*(ret), o, apout) and
+      not ret.isHidden() and
       par.getNodeEx() = p and
       out.getNodeEx() = o and
       out.getAp() = apout

java/ql/lib/semmle/code/java/dataflow/internal/DataFlowImpl3.qll

@@ -3740,13 +3740,14 @@ private module Subpaths {
    */
   pragma[nomagic]
   private predicate subpaths01(
-    PathNode arg, ParamNodeEx par, SummaryCtxSome sc, CallContext innercc, ReturnKindExt kind,
+    PathNodeImpl arg, ParamNodeEx par, SummaryCtxSome sc, CallContext innercc, ReturnKindExt kind,
     NodeEx out, AccessPath apout
   ) {
     exists(Configuration config |
       pathThroughCallable(arg, out, _, pragma[only_bind_into](apout)) and
       pathIntoCallable(arg, par, _, innercc, sc, _, config) and
-      paramFlowsThrough(kind, innercc, sc, pragma[only_bind_into](apout), _, unbindConf(config))
+      paramFlowsThrough(kind, innercc, sc, pragma[only_bind_into](apout), _, unbindConf(config)) and
+      not arg.isHidden()
     )
   }
 
@@ -3780,8 +3781,17 @@ private module Subpaths {
       innercc = ret.getCallContext() and
       sc = ret.getSummaryCtx() and
       ret.getConfiguration() = unbindConf(getPathNodeConf(arg)) and
-      apout = ret.getAp() and
-      not ret.isHidden()
+      apout = ret.getAp()
+    )
+  }
+
+  private PathNodeImpl localStepToHidden(PathNodeImpl n) {
+    n.getASuccessorImpl() = result and
+    result.isHidden() and
+    exists(NodeEx n1, NodeEx n2 | n1 = n.getNodeEx() and n2 = result.getNodeEx() |
+      localFlowBigStep(n1, n2, _, _, _, _) or
+      store(n1, _, n2, _, _) or
+      read(n1, _, n2, _)
     )
   }
 
@@ -3790,11 +3800,12 @@ private module Subpaths {
    * a subpath between `par` and `ret` with the connecting edges `arg -> par` and
    * `ret -> out` is summarized as the edge `arg -> out`.
    */
-  predicate subpaths(PathNode arg, PathNodeImpl par, PathNodeMid ret, PathNodeMid out) {
+  predicate subpaths(PathNode arg, PathNodeImpl par, PathNodeImpl ret, PathNodeMid out) {
     exists(ParamNodeEx p, NodeEx o, AccessPath apout |
       pragma[only_bind_into](arg).getASuccessor() = par and
       pragma[only_bind_into](arg).getASuccessor() = out and
-      subpaths03(arg, p, ret, o, apout) and
+      subpaths03(arg, p, localStepToHidden*(ret), o, apout) and
+      not ret.isHidden() and
       par.getNodeEx() = p and
       out.getNodeEx() = o and
       out.getAp() = apout

java/ql/lib/semmle/code/java/dataflow/internal/DataFlowImpl4.qll

@@ -3740,13 +3740,14 @@ private module Subpaths {
    */
   pragma[nomagic]
   private predicate subpaths01(
-    PathNode arg, ParamNodeEx par, SummaryCtxSome sc, CallContext innercc, ReturnKindExt kind,
+    PathNodeImpl arg, ParamNodeEx par, SummaryCtxSome sc, CallContext innercc, ReturnKindExt kind,
     NodeEx out, AccessPath apout
   ) {
     exists(Configuration config |
       pathThroughCallable(arg, out, _, pragma[only_bind_into](apout)) and
       pathIntoCallable(arg, par, _, innercc, sc, _, config) and
-      paramFlowsThrough(kind, innercc, sc, pragma[only_bind_into](apout), _, unbindConf(config))
+      paramFlowsThrough(kind, innercc, sc, pragma[only_bind_into](apout), _, unbindConf(config)) and
+      not arg.isHidden()
     )
   }
 
@@ -3780,8 +3781,17 @@ private module Subpaths {
       innercc = ret.getCallContext() and
       sc = ret.getSummaryCtx() and
       ret.getConfiguration() = unbindConf(getPathNodeConf(arg)) and
-      apout = ret.getAp() and
-      not ret.isHidden()
+      apout = ret.getAp()
+    )
+  }
+
+  private PathNodeImpl localStepToHidden(PathNodeImpl n) {
+    n.getASuccessorImpl() = result and
+    result.isHidden() and
+    exists(NodeEx n1, NodeEx n2 | n1 = n.getNodeEx() and n2 = result.getNodeEx() |
+      localFlowBigStep(n1, n2, _, _, _, _) or
+      store(n1, _, n2, _, _) or
+      read(n1, _, n2, _)
     )
   }
 
@@ -3790,11 +3800,12 @@ private module Subpaths {
    * a subpath between `par` and `ret` with the connecting edges `arg -> par` and
    * `ret -> out` is summarized as the edge `arg -> out`.
    */
-  predicate subpaths(PathNode arg, PathNodeImpl par, PathNodeMid ret, PathNodeMid out) {
+  predicate subpaths(PathNode arg, PathNodeImpl par, PathNodeImpl ret, PathNodeMid out) {
     exists(ParamNodeEx p, NodeEx o, AccessPath apout |
       pragma[only_bind_into](arg).getASuccessor() = par and
       pragma[only_bind_into](arg).getASuccessor() = out and
-      subpaths03(arg, p, ret, o, apout) and
+      subpaths03(arg, p, localStepToHidden*(ret), o, apout) and
+      not ret.isHidden() and
       par.getNodeEx() = p and
       out.getNodeEx() = o and
       out.getAp() = apout

java/ql/lib/semmle/code/java/dataflow/internal/DataFlowImpl5.qll

@@ -3740,13 +3740,14 @@ private module Subpaths {
    */
   pragma[nomagic]
   private predicate subpaths01(
-    PathNode arg, ParamNodeEx par, SummaryCtxSome sc, CallContext innercc, ReturnKindExt kind,
+    PathNodeImpl arg, ParamNodeEx par, SummaryCtxSome sc, CallContext innercc, ReturnKindExt kind,
     NodeEx out, AccessPath apout
   ) {
     exists(Configuration config |
       pathThroughCallable(arg, out, _, pragma[only_bind_into](apout)) and
       pathIntoCallable(arg, par, _, innercc, sc, _, config) and
-      paramFlowsThrough(kind, innercc, sc, pragma[only_bind_into](apout), _, unbindConf(config))
+      paramFlowsThrough(kind, innercc, sc, pragma[only_bind_into](apout), _, unbindConf(config)) and
+      not arg.isHidden()
     )
   }
 
@@ -3780,8 +3781,17 @@ private module Subpaths {
       innercc = ret.getCallContext() and
       sc = ret.getSummaryCtx() and
       ret.getConfiguration() = unbindConf(getPathNodeConf(arg)) and
-      apout = ret.getAp() and
-      not ret.isHidden()
+      apout = ret.getAp()
+    )
+  }
+
+  private PathNodeImpl localStepToHidden(PathNodeImpl n) {
+    n.getASuccessorImpl() = result and
+    result.isHidden() and
+    exists(NodeEx n1, NodeEx n2 | n1 = n.getNodeEx() and n2 = result.getNodeEx() |
+      localFlowBigStep(n1, n2, _, _, _, _) or
+      store(n1, _, n2, _, _) or
+      read(n1, _, n2, _)
     )
   }
 
@@ -3790,11 +3800,12 @@ private module Subpaths {
    * a subpath between `par` and `ret` with the connecting edges `arg -> par` and
    * `ret -> out` is summarized as the edge `arg -> out`.
    */
-  predicate subpaths(PathNode arg, PathNodeImpl par, PathNodeMid ret, PathNodeMid out) {
+  predicate subpaths(PathNode arg, PathNodeImpl par, PathNodeImpl ret, PathNodeMid out) {
     exists(ParamNodeEx p, NodeEx o, AccessPath apout |
       pragma[only_bind_into](arg).getASuccessor() = par and
       pragma[only_bind_into](arg).getASuccessor() = out and
-      subpaths03(arg, p, ret, o, apout) and
+      subpaths03(arg, p, localStepToHidden*(ret), o, apout) and
+      not ret.isHidden() and
       par.getNodeEx() = p and
       out.getNodeEx() = o and
       out.getAp() = apout

java/ql/lib/semmle/code/java/dataflow/internal/DataFlowImpl6.qll

@@ -3740,13 +3740,14 @@ private module Subpaths {
    */
   pragma[nomagic]
   private predicate subpaths01(
-    PathNode arg, ParamNodeEx par, SummaryCtxSome sc, CallContext innercc, ReturnKindExt kind,
+    PathNodeImpl arg, ParamNodeEx par, SummaryCtxSome sc, CallContext innercc, ReturnKindExt kind,
     NodeEx out, AccessPath apout
   ) {
     exists(Configuration config |
       pathThroughCallable(arg, out, _, pragma[only_bind_into](apout)) and
       pathIntoCallable(arg, par, _, innercc, sc, _, config) and
-      paramFlowsThrough(kind, innercc, sc, pragma[only_bind_into](apout), _, unbindConf(config))
+      paramFlowsThrough(kind, innercc, sc, pragma[only_bind_into](apout), _, unbindConf(config)) and
+      not arg.isHidden()
     )
   }
 
@@ -3780,8 +3781,17 @@ private module Subpaths {
       innercc = ret.getCallContext() and
       sc = ret.getSummaryCtx() and
       ret.getConfiguration() = unbindConf(getPathNodeConf(arg)) and
-      apout = ret.getAp() and
-      not ret.isHidden()
+      apout = ret.getAp()
+    )
+  }
+
+  private PathNodeImpl localStepToHidden(PathNodeImpl n) {
+    n.getASuccessorImpl() = result and
+    result.isHidden() and
+    exists(NodeEx n1, NodeEx n2 | n1 = n.getNodeEx() and n2 = result.getNodeEx() |
+      localFlowBigStep(n1, n2, _, _, _, _) or
+      store(n1, _, n2, _, _) or
+      read(n1, _, n2, _)
     )
   }
 
@@ -3790,11 +3800,12 @@ private module Subpaths {
    * a subpath between `par` and `ret` with the connecting edges `arg -> par` and
    * `ret -> out` is summarized as the edge `arg -> out`.
    */
-  predicate subpaths(PathNode arg, PathNodeImpl par, PathNodeMid ret, PathNodeMid out) {
+  predicate subpaths(PathNode arg, PathNodeImpl par, PathNodeImpl ret, PathNodeMid out) {
     exists(ParamNodeEx p, NodeEx o, AccessPath apout |
       pragma[only_bind_into](arg).getASuccessor() = par and
       pragma[only_bind_into](arg).getASuccessor() = out and
-      subpaths03(arg, p, ret, o, apout) and
+      subpaths03(arg, p, localStepToHidden*(ret), o, apout) and
+      not ret.isHidden() and
       par.getNodeEx() = p and
       out.getNodeEx() = o and
       out.getAp() = apout

java/ql/lib/semmle/code/java/dataflow/internal/DataFlowImplForSerializability.qll

@@ -3740,13 +3740,14 @@ private module Subpaths {
    */
   pragma[nomagic]
   private predicate subpaths01(
-    PathNode arg, ParamNodeEx par, SummaryCtxSome sc, CallContext innercc, ReturnKindExt kind,
+    PathNodeImpl arg, ParamNodeEx par, SummaryCtxSome sc, CallContext innercc, ReturnKindExt kind,
     NodeEx out, AccessPath apout
   ) {
     exists(Configuration config |
       pathThroughCallable(arg, out, _, pragma[only_bind_into](apout)) and
       pathIntoCallable(arg, par, _, innercc, sc, _, config) and
-      paramFlowsThrough(kind, innercc, sc, pragma[only_bind_into](apout), _, unbindConf(config))
+      paramFlowsThrough(kind, innercc, sc, pragma[only_bind_into](apout), _, unbindConf(config)) and
+      not arg.isHidden()
     )
   }
 
@@ -3780,8 +3781,17 @@ private module Subpaths {
       innercc = ret.getCallContext() and
       sc = ret.getSummaryCtx() and
       ret.getConfiguration() = unbindConf(getPathNodeConf(arg)) and
-      apout = ret.getAp() and
-      not ret.isHidden()
+      apout = ret.getAp()
+    )
+  }
+
+  private PathNodeImpl localStepToHidden(PathNodeImpl n) {
+    n.getASuccessorImpl() = result and
+    result.isHidden() and
+    exists(NodeEx n1, NodeEx n2 | n1 = n.getNodeEx() and n2 = result.getNodeEx() |
+      localFlowBigStep(n1, n2, _, _, _, _) or
+      store(n1, _, n2, _, _) or
+      read(n1, _, n2, _)
     )
   }
 
@@ -3790,11 +3800,12 @@ private module Subpaths {
    * a subpath between `par` and `ret` with the connecting edges `arg -> par` and
    * `ret -> out` is summarized as the edge `arg -> out`.
    */
-  predicate subpaths(PathNode arg, PathNodeImpl par, PathNodeMid ret, PathNodeMid out) {
+  predicate subpaths(PathNode arg, PathNodeImpl par, PathNodeImpl ret, PathNodeMid out) {
     exists(ParamNodeEx p, NodeEx o, AccessPath apout |
       pragma[only_bind_into](arg).getASuccessor() = par and
       pragma[only_bind_into](arg).getASuccessor() = out and
-      subpaths03(arg, p, ret, o, apout) and
+      subpaths03(arg, p, localStepToHidden*(ret), o, apout) and
+      not ret.isHidden() and
       par.getNodeEx() = p and
       out.getNodeEx() = o and
       out.getAp() = apout

java/ql/lib/semmle/code/java/dataflow/internal/DataFlowPrivate.qll

@@ -5,6 +5,7 @@ private import DataFlowDispatch
 private import semmle.code.java.controlflow.Guards
 private import semmle.code.java.dataflow.SSA
 private import ContainerFlow
+private import semmle.code.java.dataflow.FlowSteps
 private import semmle.code.java.dataflow.FlowSummary
 private import FlowSummaryImpl as FlowSummaryImpl
 import DataFlowNodes::Private
@@ -73,9 +74,14 @@ private predicate variableCaptureStep(Node node1, ExprNode node2) {
  * variable capture.
  */
 predicate jumpStep(Node node1, Node node2) {
-  staticFieldStep(node1, node2) or
-  variableCaptureStep(node1, node2) or
+  staticFieldStep(node1, node2)
+  or
+  variableCaptureStep(node1, node2)
+  or
   variableCaptureStep(node1.(PostUpdateNode).getPreUpdateNode(), node2)
+  or
+  any(AdditionalValueStep a).step(node1, node2) and
+  node1.getEnclosingCallable() != node2.getEnclosingCallable()
 }
 
 /**
@@ -368,7 +374,11 @@ predicate isImmutableOrUnobservable(Node n) {
 }
 
 /** Holds if `n` should be hidden from path explanations. */
-predicate nodeIsHidden(Node n) { n instanceof SummaryNode }
+predicate nodeIsHidden(Node n) {
+  n instanceof SummaryNode
+  or
+  n.(ParameterNode).isParameterOf(any(SummarizedCallable c).asCallable(), _)
+}
 
 class LambdaCallKind = Method; // the "apply" method in the functional interface
 

java/ql/lib/semmle/code/java/dataflow/internal/DataFlowUtil.qll

@@ -158,6 +158,10 @@ predicate simpleLocalFlowStep(Node node1, Node node2) {
   )
   or
   FlowSummaryImpl::Private::Steps::summaryLocalStep(node1, node2, true)
+  or
+  any(AdditionalValueStep a).step(node1, node2) and
+  pragma[only_bind_out](node1.getEnclosingCallable()) =
+    pragma[only_bind_out](node2.getEnclosingCallable())
 }
 
 private newtype TContent =