Swift: produce malformed bundle

python: enable summaries from model

.bazelrc

@@ -1,3 +1,9 @@
-build --repo_env=CC=clang --repo_env=CXX=clang++ --cxxopt="-std=c++20"
+common --enable_platform_specific_config
+
+build --repo_env=CC=clang --repo_env=CXX=clang++
+
+build:linux --cxxopt=-std=c++20
+build:macos --cxxopt=-std=c++20 --cpu=darwin_x86_64
+build:windows --cxxopt=/std:c++20 --cxxopt=/Zc:preprocessor
 
 try-import %workspace%/local.bazelrc

config/identical-files.json

@@ -523,6 +523,10 @@
     "python/ql/lib/semmle/python/dataflow/new/internal/TypeTracker.qll",
     "ruby/ql/lib/codeql/ruby/typetracking/TypeTracker.qll"
   ],
+  "SummaryTypeTracker": [
+    "python/ql/lib/semmle/python/dataflow/new/internal/SummaryTypeTracker.qll",
+    "ruby/ql/lib/codeql/ruby/typetracking/internal/SummaryTypeTracker.qll"
+  ],
   "AccessPathSyntax": [
     "csharp/ql/lib/semmle/code/csharp/dataflow/internal/AccessPathSyntax.qll",
     "go/ql/lib/semmle/go/dataflow/internal/AccessPathSyntax.qll",

cpp/ql/lib/CHANGELOG.md

@@ -1,3 +1,11 @@
+## 0.7.3
+
+### Minor Analysis Improvements
+
+* Deleted the deprecated `hasCopyConstructor` predicate from the `Class` class in `Class.qll`.
+* Deleted many deprecated predicates and classes with uppercase `AST`, `SSA`, `CFG`, `API`, etc. in their names. Use the PascalCased versions instead.
+* Deleted the deprecated `CodeDuplication.qll` file.
+
 ## 0.7.2
 
 ### New Features

cpp/ql/lib/change-notes/2023-06-19-delete-container-url.md

@@ -0,0 +1,4 @@
+---
+category: minorAnalysis
+---
+* Deleted the deprecated `getURL` predicate from the `Container`, `Folder`, and `File` classes. Use the `getLocation` predicate instead.

cpp/ql/lib/change-notes/released/0.7.3.md

@@ -1,6 +1,7 @@
----
-category: minorAnalysis
----
+## 0.7.3
+
+### Minor Analysis Improvements
+
 * Deleted the deprecated `hasCopyConstructor` predicate from the `Class` class in `Class.qll`.
 * Deleted many deprecated predicates and classes with uppercase `AST`, `SSA`, `CFG`, `API`, etc. in their names. Use the PascalCased versions instead.
-* Deleted the deprecated `CodeDuplication.qll` file.
+* Deleted the deprecated `CodeDuplication.qll` file.

cpp/ql/lib/codeql-pack.release.yml

@@ -1,2 +1,2 @@
 ---
-lastReleaseVersion: 0.7.2
+lastReleaseVersion: 0.7.3

cpp/ql/lib/qlpack.yml

@@ -1,5 +1,5 @@
 name: codeql/cpp-all
-version: 0.7.3-dev
+version: 0.7.4-dev
 groups: cpp
 dbscheme: semmlecode.cpp.dbscheme
 extractor: cpp

cpp/ql/lib/semmle/code/cpp/File.qll

@@ -34,14 +34,6 @@ class Container extends Locatable, @container {
    */
   string getAbsolutePath() { none() } // overridden by subclasses
 
-  /**
-   * DEPRECATED: Use `getLocation` instead.
-   * Gets a URL representing the location of this container.
-   *
-   * For more information see [Providing URLs](https://codeql.github.com/docs/writing-codeql-queries/providing-locations-in-codeql-queries/#providing-urls).
-   */
-  deprecated string getURL() { none() } // overridden by subclasses
-
   /**
    * Gets the relative path of this file or folder from the root folder of the
    * analyzed source location. The relative path of the root folder itself is
@@ -183,12 +175,6 @@ class Folder extends Container, @folder {
   }
 
   override string getAPrimaryQlClass() { result = "Folder" }
-
-  /**
-   * DEPRECATED: Use `getLocation` instead.
-   * Gets the URL of this folder.
-   */
-  deprecated override string getURL() { result = "file://" + this.getAbsolutePath() + ":0:0:0:0" }
 }
 
 /**
@@ -213,12 +199,6 @@ class File extends Container, @file {
     result.hasLocationInfo(_, 0, 0, 0, 0)
   }
 
-  /**
-   * DEPRECATED: Use `getLocation` instead.
-   * Gets the URL of this file.
-   */
-  deprecated override string getURL() { result = "file://" + this.getAbsolutePath() + ":0:0:0:0" }
-
   /** Holds if this file was compiled as C (at any point). */
   predicate compiledAsC() { fileannotations(underlyingElement(this), 1, "compiled as c", "1") }
 

cpp/ql/lib/semmle/code/cpp/dataflow/internal/DataFlowImpl.qll

@@ -2021,7 +2021,8 @@ module Impl<FullStateConfigSig Config> {
       FlowCheckNode() {
         castNode(this.asNode()) or
         clearsContentCached(this.asNode(), _) or
-        expectsContentCached(this.asNode(), _)
+        expectsContentCached(this.asNode(), _) or
+        neverSkipInPathGraph(this.asNode())
       }
     }
 

cpp/ql/lib/semmle/code/cpp/dataflow/internal/DataFlowPrivate.qll

@@ -235,6 +235,12 @@ class CastNode extends Node {
   CastNode() { none() } // stub implementation
 }
 
+/**
+ * Holds if `n` should never be skipped over in the `PathGraph` and in path
+ * explanations.
+ */
+predicate neverSkipInPathGraph(Node n) { none() }
+
 class DataFlowCallable = Function;
 
 class DataFlowExpr = Expr;

cpp/ql/lib/semmle/code/cpp/ir/dataflow/internal/DataFlowImpl.qll

@@ -2021,7 +2021,8 @@ module Impl<FullStateConfigSig Config> {
       FlowCheckNode() {
         castNode(this.asNode()) or
         clearsContentCached(this.asNode(), _) or
-        expectsContentCached(this.asNode(), _)
+        expectsContentCached(this.asNode(), _) or
+        neverSkipInPathGraph(this.asNode())
       }
     }
 

cpp/ql/lib/semmle/code/cpp/ir/dataflow/internal/DataFlowPrivate.qll

@@ -193,86 +193,89 @@ private class SingleUseOperandNode0 extends OperandNode0, TSingleUseOperandNode0
   SingleUseOperandNode0() { this = TSingleUseOperandNode0(op) }
 }
 
-/**
- * INTERNAL: Do not use.
- *
- * A node that represents the indirect value of an operand in the IR
- * after `index` number of loads.
- *
- * Note: Unlike `RawIndirectOperand`, a value of type `IndirectOperand` may
- * be an `OperandNode`.
- */
-class IndirectOperand extends Node {
-  Operand operand;
-  int indirectionIndex;
-
-  IndirectOperand() {
-    this.(RawIndirectOperand).getOperand() = operand and
-    this.(RawIndirectOperand).getIndirectionIndex() = indirectionIndex
-    or
-    nodeHasOperand(this, Ssa::getIRRepresentationOfIndirectOperand(operand, indirectionIndex),
-      indirectionIndex - 1)
+private module IndirectOperands {
+  /**
+   * INTERNAL: Do not use.
+   *
+   * A node that represents the indirect value of an operand in the IR
+   * after `index` number of loads.
+   *
+   * Note: Unlike `RawIndirectOperand`, a value of type `IndirectOperand` may
+   * be an `OperandNode`.
+   */
+  abstract class IndirectOperand extends Node {
+    /** Gets the underlying operand and the underlying indirection index. */
+    abstract predicate hasOperandAndIndirectionIndex(Operand operand, int indirectionIndex);
   }
 
-  /** Gets the underlying operand. */
-  Operand getOperand() { result = operand }
+  private class IndirectOperandFromRaw extends IndirectOperand instanceof RawIndirectOperand {
+    override predicate hasOperandAndIndirectionIndex(Operand operand, int indirectionIndex) {
+      operand = RawIndirectOperand.super.getOperand() and
+      indirectionIndex = RawIndirectOperand.super.getIndirectionIndex()
+    }
+  }
 
-  /** Gets the underlying indirection index. */
-  int getIndirectionIndex() { result = indirectionIndex }
+  private class IndirectOperandFromIRRepr extends IndirectOperand {
+    Operand operand;
+    int indirectionIndex;
 
-  /**
-   * Holds if this `IndirectOperand` is represented directly in the IR instead of
-   * a `RawIndirectionOperand` with operand `op` and indirection index `index`.
-   */
-  predicate isIRRepresentationOf(Operand op, int index) {
-    this instanceof OperandNode and
-    (
-      op = operand and
-      index = indirectionIndex
-    )
+    IndirectOperandFromIRRepr() {
+      exists(Operand repr |
+        repr = Ssa::getIRRepresentationOfIndirectOperand(operand, indirectionIndex) and
+        nodeHasOperand(this, repr, indirectionIndex - 1)
+      )
+    }
+
+    override predicate hasOperandAndIndirectionIndex(Operand op, int index) {
+      op = operand and index = indirectionIndex
+    }
   }
 }
 
-/**
- * INTERNAL: Do not use.
- *
- * A node that represents the indirect value of an instruction in the IR
- * after `index` number of loads.
- *
- * Note: Unlike `RawIndirectInstruction`, a value of type `IndirectInstruction` may
- * be an `InstructionNode`.
- */
-class IndirectInstruction extends Node {
-  Instruction instr;
-  int indirectionIndex;
+import IndirectOperands
 
-  IndirectInstruction() {
-    this.(RawIndirectInstruction).getInstruction() = instr and
-    this.(RawIndirectInstruction).getIndirectionIndex() = indirectionIndex
-    or
-    nodeHasInstruction(this, Ssa::getIRRepresentationOfIndirectInstruction(instr, indirectionIndex),
-      indirectionIndex - 1)
+private module IndirectInstructions {
+  /**
+   * INTERNAL: Do not use.
+   *
+   * A node that represents the indirect value of an instruction in the IR
+   * after `index` number of loads.
+   *
+   * Note: Unlike `RawIndirectInstruction`, a value of type `IndirectInstruction` may
+   * be an `InstructionNode`.
+   */
+  abstract class IndirectInstruction extends Node {
+    /** Gets the underlying operand and the underlying indirection index. */
+    abstract predicate hasInstructionAndIndirectionIndex(Instruction instr, int index);
   }
 
-  /** Gets the underlying instruction. */
-  Instruction getInstruction() { result = instr }
+  private class IndirectInstructionFromRaw extends IndirectInstruction instanceof RawIndirectInstruction
+  {
+    override predicate hasInstructionAndIndirectionIndex(Instruction instr, int index) {
+      instr = RawIndirectInstruction.super.getInstruction() and
+      index = RawIndirectInstruction.super.getIndirectionIndex()
+    }
+  }
 
-  /** Gets the underlying indirection index. */
-  int getIndirectionIndex() { result = indirectionIndex }
+  private class IndirectInstructionFromIRRepr extends IndirectInstruction {
+    Instruction instr;
+    int indirectionIndex;
 
-  /**
-   * Holds if this `IndirectInstruction` is represented directly in the IR instead of
-   * a `RawIndirectionInstruction` with instruction `i` and indirection index `index`.
-   */
-  predicate isIRRepresentationOf(Instruction i, int index) {
-    this instanceof InstructionNode and
-    (
-      i = instr and
-      index = indirectionIndex
-    )
+    IndirectInstructionFromIRRepr() {
+      exists(Instruction repr |
+        repr = Ssa::getIRRepresentationOfIndirectInstruction(instr, indirectionIndex) and
+        nodeHasInstruction(this, repr, indirectionIndex - 1)
+      )
+    }
+
+    override predicate hasInstructionAndIndirectionIndex(Instruction i, int index) {
+      i = instr and index = indirectionIndex
+    }
   }
 }
 
+import IndirectInstructions
+
 /** Gets the callable in which this node occurs. */
 DataFlowCallable nodeGetEnclosingCallable(Node n) { result = n.getEnclosingCallable() }
 
@@ -320,7 +323,7 @@ private class SideEffectArgumentNode extends ArgumentNode, SideEffectOperandNode
   override predicate argumentOf(DataFlowCall dfCall, ArgumentPosition pos) {
     this.getCallInstruction() = dfCall and
     pos.(IndirectionPosition).getArgumentIndex() = this.getArgumentIndex() and
-    pos.(IndirectionPosition).getIndirectionIndex() = super.getIndirectionIndex()
+    super.hasAddressOperandAndIndirectionIndex(_, pos.(IndirectionPosition).getIndirectionIndex())
   }
 }
 
@@ -783,6 +786,12 @@ class CastNode extends Node {
   CastNode() { none() } // stub implementation
 }
 
+/**
+ * Holds if `n` should never be skipped over in the `PathGraph` and in path
+ * explanations.
+ */
+predicate neverSkipInPathGraph(Node n) { none() }
+
 /**
  * A function that may contain code or a variable that may contain itself. When
  * flow crosses from one _enclosing callable_ to another, the interprocedural
@@ -839,7 +848,7 @@ predicate additionalLambdaFlowStep(Node nodeFrom, Node nodeTo, boolean preserves
  * One example would be to allow flow like `p.foo = p.bar;`, which is disallowed
  * by default as a heuristic.
  */
-predicate allowParameterReturnInSelf(ParameterNode p) { none() }
+predicate allowParameterReturnInSelf(ParameterNode p) { p instanceof IndirectParameterNode }
 
 private predicate fieldHasApproxName(Field f, string s) {
   s = f.getName().charAt(0) and

cpp/ql/lib/semmle/code/cpp/ir/dataflow/internal/DataFlowUtil.qll

@@ -274,7 +274,7 @@ class Node extends TIRDataFlowNode {
    * represents the value of `**x` going into `f`.
    */
   Expr asIndirectArgument(int index) {
-    this.(SideEffectOperandNode).getIndirectionIndex() = index and
+    this.(SideEffectOperandNode).hasAddressOperandAndIndirectionIndex(_, index) and
     result = this.(SideEffectOperandNode).getArgument()
   }
 
@@ -317,7 +317,7 @@ class Node extends TIRDataFlowNode {
     index = 0 and
     result = this.(ExplicitParameterNode).getParameter()
     or
-    this.(IndirectParameterNode).getIndirectionIndex() = index and
+    this.(IndirectParameterNode).hasInstructionAndIndirectionIndex(_, index) and
     result = this.(IndirectParameterNode).getParameter()
   }
 
@@ -577,15 +577,20 @@ class SsaPhiNode extends Node, TSsaPhiNode {
  *
  * A node representing a value after leaving a function.
  */
-class SideEffectOperandNode extends Node, IndirectOperand {
+class SideEffectOperandNode extends Node instanceof IndirectOperand {
   CallInstruction call;
   int argumentIndex;
 
-  SideEffectOperandNode() { operand = call.getArgumentOperand(argumentIndex) }
+  SideEffectOperandNode() {
+    IndirectOperand.super.hasOperandAndIndirectionIndex(call.getArgumentOperand(argumentIndex), _)
+  }
 
   CallInstruction getCallInstruction() { result = call }
 
-  Operand getAddressOperand() { result = operand }
+  /** Gets the underlying operand and the underlying indirection index. */
+  predicate hasAddressOperandAndIndirectionIndex(Operand operand, int indirectionIndex) {
+    IndirectOperand.super.hasOperandAndIndirectionIndex(operand, indirectionIndex)
+  }
 
   int getArgumentIndex() { result = argumentIndex }
 
@@ -665,10 +670,10 @@ class InitialGlobalValue extends Node, TInitialGlobalValue {
  *
  * A node representing an indirection of a parameter.
  */
-class IndirectParameterNode extends Node, IndirectInstruction {
+class IndirectParameterNode extends Node instanceof IndirectInstruction {
   InitializeParameterInstruction init;
 
-  IndirectParameterNode() { this.getInstruction() = init }
+  IndirectParameterNode() { IndirectInstruction.super.hasInstructionAndIndirectionIndex(init, _) }
 
   int getArgumentIndex() { init.hasIndex(result) }
 
@@ -677,7 +682,12 @@ class IndirectParameterNode extends Node, IndirectInstruction {
 
   override Declaration getEnclosingCallable() { result = this.getFunction() }
 
-  override Declaration getFunction() { result = this.getInstruction().getEnclosingFunction() }
+  override Declaration getFunction() { result = init.getEnclosingFunction() }
+
+  /** Gets the underlying operand and the underlying indirection index. */
+  predicate hasInstructionAndIndirectionIndex(Instruction instr, int index) {
+    IndirectInstruction.super.hasInstructionAndIndirectionIndex(instr, index)
+  }
 
   override Location getLocationImpl() { result = this.getParameter().getLocation() }
 
@@ -699,7 +709,8 @@ class IndirectReturnNode extends Node {
   IndirectReturnNode() {
     this instanceof FinalParameterNode
     or
-    this.(IndirectOperand).getOperand() = any(ReturnValueInstruction ret).getReturnAddressOperand()
+    this.(IndirectOperand)
+        .hasOperandAndIndirectionIndex(any(ReturnValueInstruction ret).getReturnAddressOperand(), _)
   }
 
   override Declaration getEnclosingCallable() { result = this.getFunction() }
@@ -722,7 +733,7 @@ class IndirectReturnNode extends Node {
   int getIndirectionIndex() {
     result = this.(FinalParameterNode).getIndirectionIndex()
     or
-    result = this.(IndirectOperand).getIndirectionIndex()
+    this.(IndirectOperand).hasOperandAndIndirectionIndex(_, result)
   }
 }
 
@@ -1106,7 +1117,8 @@ predicate exprNodeShouldBeInstruction(Node node, Expr e) {
 /** Holds if `node` should be an `IndirectInstruction` that maps `node.asIndirectExpr()` to `e`. */
 predicate indirectExprNodeShouldBeIndirectInstruction(IndirectInstruction node, Expr e) {
   exists(Instruction instr |
-    instr = node.getInstruction() and not indirectExprNodeShouldBeIndirectOperand(_, e)
+    node.hasInstructionAndIndirectionIndex(instr, _) and
+    not indirectExprNodeShouldBeIndirectOperand(_, e)
   |
     e = instr.(VariableAddressInstruction).getAst().(Expr).getFullyConverted()
     or
@@ -1307,8 +1319,8 @@ pragma[noinline]
 private predicate indirectParameterNodeHasArgumentIndexAndIndex(
   IndirectParameterNode node, int argumentIndex, int indirectionIndex
 ) {
-  node.getArgumentIndex() = argumentIndex and
-  node.getIndirectionIndex() = indirectionIndex
+  node.hasInstructionAndIndirectionIndex(_, indirectionIndex) and
+  node.getArgumentIndex() = argumentIndex
 }
 
 /** A synthetic parameter to model the pointed-to object of a pointer parameter. */
@@ -1479,18 +1491,14 @@ VariableNode variableNode(Variable v) {
  */
 Node uninitializedNode(LocalVariable v) { none() }
 
-pragma[noinline]
 predicate hasOperandAndIndex(IndirectOperand indirectOperand, Operand operand, int indirectionIndex) {
-  indirectOperand.getOperand() = operand and
-  indirectOperand.getIndirectionIndex() = indirectionIndex
+  indirectOperand.hasOperandAndIndirectionIndex(operand, indirectionIndex)
 }
 
-pragma[noinline]
 predicate hasInstructionAndIndex(
   IndirectInstruction indirectInstr, Instruction instr, int indirectionIndex
 ) {
-  indirectInstr.getInstruction() = instr and
-  indirectInstr.getIndirectionIndex() = indirectionIndex
+  indirectInstr.hasInstructionAndIndirectionIndex(instr, indirectionIndex)
 }
 
 cached
@@ -1656,8 +1664,7 @@ module ExprFlowCached {
   private predicate isIndirectBaseOfArrayAccess(IndirectOperand n, Expr e) {
     exists(LoadInstruction load, PointerArithmeticInstruction pai |
       pai = load.getSourceAddress() and
-      pai.getLeftOperand() = n.getOperand() and
-      n.getIndirectionIndex() = 1 and
+      n.hasOperandAndIndirectionIndex(pai.getLeftOperand(), 1) and
       e = load.getConvertedResultExpression()
     )
   }

cpp/ql/lib/semmle/code/cpp/ir/dataflow/internal/PrintIRFieldFlowSteps.qll

@@ -13,7 +13,7 @@ class FieldFlowPropertyProvider extends IRPropertyProvider {
   override string getOperandProperty(Operand operand, string key) {
     exists(PostFieldUpdateNode pfun, Content content |
       key = "store " + content.toString() and
-      operand = pfun.getPreUpdateNode().(IndirectOperand).getOperand() and
+      pfun.getPreUpdateNode().(IndirectOperand).hasOperandAndIndirectionIndex(operand, _) and
       result =
         strictconcat(string element, Node node |
           storeStep(node, content, pfun) and
@@ -25,7 +25,7 @@ class FieldFlowPropertyProvider extends IRPropertyProvider {
     or
     exists(Node node2, Content content |
       key = "read " + content.toString() and
-      operand = node2.(IndirectOperand).getOperand() and
+      node2.(IndirectOperand).hasOperandAndIndirectionIndex(operand, _) and
       result =
         strictconcat(string element, Node node1 |
           readStep(node1, content, node2) and

cpp/ql/lib/semmle/code/cpp/ir/dataflow/internal/PrintIRUtilities.qll

@@ -18,9 +18,12 @@ private string stars(int k) {
 }
 
 string starsForNode(Node node) {
-  result = stars(node.(IndirectInstruction).getIndirectionIndex())
-  or
-  result = stars(node.(IndirectOperand).getIndirectionIndex())
+  exists(int indirectionIndex |
+    node.(IndirectInstruction).hasInstructionAndIndirectionIndex(_, indirectionIndex) or
+    node.(IndirectOperand).hasOperandAndIndirectionIndex(_, indirectionIndex)
+  |
+    result = stars(indirectionIndex)
+  )
   or
   not node instanceof IndirectInstruction and
   not node instanceof IndirectOperand and

cpp/ql/lib/semmle/code/cpp/ir/dataflow/internal/SsaInternalsCommon.qll

@@ -117,6 +117,16 @@ private int countIndirections(Type t) {
   else (
     result = any(Indirection ind | ind.getType() = t).getNumberOfIndirections()
     or
+    // If there is an indirection for the type, but we cannot count the number of indirections
+    // it means we couldn't reach a non-indirection type by stripping off indirections. This
+    // can occur if an iterator specifies itself as the value type. In this case we default to
+    // 1 indirection fore the type.
+    exists(Indirection ind |
+      ind.getType() = t and
+      not exists(ind.getNumberOfIndirections()) and
+      result = 1
+    )
+    or
     not exists(Indirection ind | ind.getType() = t) and
     result = 0
   )
@@ -263,7 +273,7 @@ private module IteratorIndirections {
         // Taint through `operator+=` and `operator-=` on iterators.
         call.getStaticCallTarget() instanceof Iterator::IteratorAssignArithmeticOperator and
         node2.(IndirectArgumentOutNode).getPreUpdateNode() = node1 and
-        node1.(IndirectOperand).getOperand() = call.getArgumentOperand(0) and
+        node1.(IndirectOperand).hasOperandAndIndirectionIndex(call.getArgumentOperand(0), _) and
         node1.getType().getUnspecifiedType() = this
       )
     }
@@ -796,7 +806,7 @@ private module Cached {
       address.getDef() = instr and
       isDereference(load, address) and
       isUseImpl(address, _, indirectionIndex - 1) and
-      result = instr
+      result = load
     )
   }
 

cpp/ql/lib/semmle/code/cpp/ir/dataflow/internal/TaintTrackingUtil.qll

@@ -160,7 +160,7 @@ predicate modeledTaintStep(DataFlow::Node nodeIn, DataFlow::Node nodeOut) {
     FunctionInput modelIn, FunctionOutput modelOut
   |
     indirectArgument = callInput(call, modelIn) and
-    indirectArgument.getAddressOperand() = nodeIn.asOperand() and
+    indirectArgument.hasAddressOperandAndIndirectionIndex(nodeIn.asOperand(), _) and
     call.getStaticCallTarget() = func and
     (
       func.(DataFlowFunction).hasDataFlow(modelIn, modelOut)

cpp/ql/lib/semmle/code/cpp/models/implementations/Strcpy.qll

@@ -108,7 +108,7 @@ class StrcpyFunction extends ArrayFunction, DataFlowFunction, TaintFunction, Sid
     // these may do only a partial copy of the input buffer to the output
     // buffer
     exists(this.getParamSize()) and
-    input.isParameter(this.getParamSrc()) and
+    input.isParameterDeref(this.getParamSrc()) and
     (
       output.isParameterDeref(this.getParamDest()) or
       output.isReturnValueDeref()

cpp/ql/src/CHANGELOG.md

@@ -1,3 +1,9 @@
+## 0.6.3
+
+### New Queries
+
+* Added a new query, `cpp/overrun-write`, to detect buffer overflows in C-style functions that manipulate buffers.
+
 ## 0.6.2
 
 No user-facing changes.

cpp/ql/src/Security/CWE/CWE-119/OverrunWriteProductFlow.ql

@@ -5,7 +5,7 @@
  * @kind path-problem
  * @problem.severity error
  * @security-severity 9.3
- * @precision medium
+ * @precision low
  * @id cpp/overrun-write
  * @tags reliability
  *       security

cpp/ql/src/change-notes/released/0.6.3.md

@@ -1,4 +1,5 @@
----
-category: newQuery
----
+## 0.6.3
+
+### New Queries
+
 * Added a new query, `cpp/overrun-write`, to detect buffer overflows in C-style functions that manipulate buffers.

cpp/ql/src/codeql-pack.release.yml

@@ -1,2 +1,2 @@
 ---
-lastReleaseVersion: 0.6.2
+lastReleaseVersion: 0.6.3

cpp/ql/src/qlpack.yml

@@ -1,5 +1,5 @@
 name: codeql/cpp-queries
-version: 0.6.3-dev
+version: 0.6.4-dev
 groups: 
   - cpp
   - queries

cpp/ql/test/experimental/query-tests/Security/CWE/CWE-193/pointer-deref/InvalidPointerDeref.expected

@@ -748,6 +748,46 @@ edges
 | test.cpp:381:5:381:9 | ... ++ | test.cpp:384:14:384:16 | end |
 | test.cpp:381:5:381:9 | ... ++ | test.cpp:384:14:384:16 | end |
 | test.cpp:384:14:384:16 | end | test.cpp:384:13:384:16 | Load: * ... |
+| test.cpp:388:14:388:27 | new[] | test.cpp:389:16:389:17 | xs |
+| test.cpp:388:14:388:27 | new[] | test.cpp:392:5:392:6 | xs |
+| test.cpp:389:16:389:17 | xs | test.cpp:392:5:392:8 | ... ++ |
+| test.cpp:389:16:389:17 | xs | test.cpp:392:5:392:8 | ... ++ |
+| test.cpp:389:16:389:17 | xs | test.cpp:392:5:392:8 | ... ++ |
+| test.cpp:389:16:389:17 | xs | test.cpp:392:5:392:8 | ... ++ |
+| test.cpp:389:16:389:17 | xs | test.cpp:393:9:393:10 | xs |
+| test.cpp:389:16:389:17 | xs | test.cpp:393:9:393:10 | xs |
+| test.cpp:392:5:392:8 | ... ++ | test.cpp:392:5:392:8 | ... ++ |
+| test.cpp:392:5:392:8 | ... ++ | test.cpp:392:5:392:8 | ... ++ |
+| test.cpp:392:5:392:8 | ... ++ | test.cpp:393:9:393:10 | xs |
+| test.cpp:392:5:392:8 | ... ++ | test.cpp:393:9:393:10 | xs |
+| test.cpp:392:5:392:8 | ... ++ | test.cpp:393:9:393:10 | xs |
+| test.cpp:392:5:392:8 | ... ++ | test.cpp:393:9:393:10 | xs |
+| test.cpp:392:5:392:8 | ... ++ | test.cpp:395:5:395:6 | xs |
+| test.cpp:392:5:392:8 | ... ++ | test.cpp:395:5:395:6 | xs |
+| test.cpp:392:5:392:8 | ... ++ | test.cpp:395:5:395:13 | Store: ... = ... |
+| test.cpp:392:5:392:8 | ... ++ | test.cpp:395:5:395:13 | Store: ... = ... |
+| test.cpp:392:5:392:8 | ... ++ | test.cpp:395:5:395:13 | Store: ... = ... |
+| test.cpp:392:5:392:8 | ... ++ | test.cpp:395:5:395:13 | Store: ... = ... |
+| test.cpp:393:9:393:10 | xs | test.cpp:395:5:395:6 | xs |
+| test.cpp:393:9:393:10 | xs | test.cpp:395:5:395:13 | Store: ... = ... |
+| test.cpp:393:9:393:10 | xs | test.cpp:395:5:395:13 | Store: ... = ... |
+| test.cpp:395:5:395:6 | xs | test.cpp:395:5:395:13 | Store: ... = ... |
+| test.cpp:404:3:404:25 | ... = ... | test.cpp:404:7:404:8 | val indirection [post update] [xs] |
+| test.cpp:404:7:404:8 | val indirection [post update] [xs] | test.cpp:407:3:407:5 | val indirection [xs] |
+| test.cpp:404:12:404:25 | new[] | test.cpp:404:3:404:25 | ... = ... |
+| test.cpp:406:3:406:25 | ... = ... | test.cpp:406:7:406:8 | val indirection [post update] [xs] |
+| test.cpp:406:7:406:8 | val indirection [post update] [xs] | test.cpp:407:3:407:5 | val indirection [xs] |
+| test.cpp:406:12:406:25 | new[] | test.cpp:406:3:406:25 | ... = ... |
+| test.cpp:407:3:407:5 | val indirection [xs] | test.cpp:407:7:407:8 | xs indirection |
+| test.cpp:407:3:407:18 | access to array | test.cpp:407:3:407:22 | Store: ... = ... |
+| test.cpp:407:7:407:8 | xs | test.cpp:407:3:407:18 | access to array |
+| test.cpp:407:7:407:8 | xs indirection | test.cpp:407:7:407:8 | xs |
+| test.cpp:417:16:417:33 | new[] | test.cpp:419:7:419:8 | xs |
+| test.cpp:419:7:419:8 | xs | test.cpp:419:7:419:11 | access to array |
+| test.cpp:419:7:419:11 | access to array | test.cpp:419:7:419:15 | Store: ... = ... |
+| test.cpp:427:14:427:27 | new[] | test.cpp:433:5:433:6 | xs |
+| test.cpp:433:5:433:6 | xs | test.cpp:433:5:433:17 | access to array |
+| test.cpp:433:5:433:17 | access to array | test.cpp:433:5:433:21 | Store: ... = ... |
 nodes
 | test.cpp:4:15:4:20 | call to malloc | semmle.label | call to malloc |
 | test.cpp:5:15:5:15 | p | semmle.label | p |
@@ -1087,6 +1127,36 @@ nodes
 | test.cpp:381:5:381:9 | ... ++ | semmle.label | ... ++ |
 | test.cpp:384:13:384:16 | Load: * ... | semmle.label | Load: * ... |
 | test.cpp:384:14:384:16 | end | semmle.label | end |
+| test.cpp:388:14:388:27 | new[] | semmle.label | new[] |
+| test.cpp:389:16:389:17 | xs | semmle.label | xs |
+| test.cpp:392:5:392:6 | xs | semmle.label | xs |
+| test.cpp:392:5:392:8 | ... ++ | semmle.label | ... ++ |
+| test.cpp:392:5:392:8 | ... ++ | semmle.label | ... ++ |
+| test.cpp:392:5:392:8 | ... ++ | semmle.label | ... ++ |
+| test.cpp:392:5:392:8 | ... ++ | semmle.label | ... ++ |
+| test.cpp:393:9:393:10 | xs | semmle.label | xs |
+| test.cpp:393:9:393:10 | xs | semmle.label | xs |
+| test.cpp:395:5:395:6 | xs | semmle.label | xs |
+| test.cpp:395:5:395:13 | Store: ... = ... | semmle.label | Store: ... = ... |
+| test.cpp:404:3:404:25 | ... = ... | semmle.label | ... = ... |
+| test.cpp:404:7:404:8 | val indirection [post update] [xs] | semmle.label | val indirection [post update] [xs] |
+| test.cpp:404:12:404:25 | new[] | semmle.label | new[] |
+| test.cpp:406:3:406:25 | ... = ... | semmle.label | ... = ... |
+| test.cpp:406:7:406:8 | val indirection [post update] [xs] | semmle.label | val indirection [post update] [xs] |
+| test.cpp:406:12:406:25 | new[] | semmle.label | new[] |
+| test.cpp:407:3:407:5 | val indirection [xs] | semmle.label | val indirection [xs] |
+| test.cpp:407:3:407:18 | access to array | semmle.label | access to array |
+| test.cpp:407:3:407:22 | Store: ... = ... | semmle.label | Store: ... = ... |
+| test.cpp:407:7:407:8 | xs | semmle.label | xs |
+| test.cpp:407:7:407:8 | xs indirection | semmle.label | xs indirection |
+| test.cpp:417:16:417:33 | new[] | semmle.label | new[] |
+| test.cpp:419:7:419:8 | xs | semmle.label | xs |
+| test.cpp:419:7:419:11 | access to array | semmle.label | access to array |
+| test.cpp:419:7:419:15 | Store: ... = ... | semmle.label | Store: ... = ... |
+| test.cpp:427:14:427:27 | new[] | semmle.label | new[] |
+| test.cpp:433:5:433:6 | xs | semmle.label | xs |
+| test.cpp:433:5:433:17 | access to array | semmle.label | access to array |
+| test.cpp:433:5:433:21 | Store: ... = ... | semmle.label | Store: ... = ... |
 subpaths
 #select
 | test.cpp:6:14:6:15 | Load: * ... | test.cpp:4:15:4:20 | call to malloc | test.cpp:6:14:6:15 | Load: * ... | This read might be out of bounds, as the pointer might be equal to $@ + $@. | test.cpp:4:15:4:20 | call to malloc | call to malloc | test.cpp:5:19:5:22 | size | size |
@@ -1113,3 +1183,7 @@ subpaths
 | test.cpp:359:14:359:32 | Load: * ... | test.cpp:355:14:355:27 | new[] | test.cpp:359:14:359:32 | Load: * ... | This read might be out of bounds, as the pointer might be equal to $@ + $@ + 2. | test.cpp:355:14:355:27 | new[] | new[] | test.cpp:356:20:356:23 | size | size |
 | test.cpp:372:15:372:16 | Load: * ... | test.cpp:363:14:363:27 | new[] | test.cpp:372:15:372:16 | Load: * ... | This read might be out of bounds, as the pointer might be equal to $@ + $@. | test.cpp:363:14:363:27 | new[] | new[] | test.cpp:365:19:365:22 | size | size |
 | test.cpp:384:13:384:16 | Load: * ... | test.cpp:377:14:377:27 | new[] | test.cpp:384:13:384:16 | Load: * ... | This read might be out of bounds, as the pointer might be equal to $@ + $@. | test.cpp:377:14:377:27 | new[] | new[] | test.cpp:378:20:378:23 | size | size |
+| test.cpp:395:5:395:13 | Store: ... = ... | test.cpp:388:14:388:27 | new[] | test.cpp:395:5:395:13 | Store: ... = ... | This write might be out of bounds, as the pointer might be equal to $@ + $@. | test.cpp:388:14:388:27 | new[] | new[] | test.cpp:389:19:389:22 | size | size |
+| test.cpp:407:3:407:22 | Store: ... = ... | test.cpp:404:12:404:25 | new[] | test.cpp:407:3:407:22 | Store: ... = ... | This write might be out of bounds, as the pointer might be equal to $@ + $@. | test.cpp:404:12:404:25 | new[] | new[] | test.cpp:407:10:407:17 | ... - ... | ... - ... |
+| test.cpp:419:7:419:15 | Store: ... = ... | test.cpp:417:16:417:33 | new[] | test.cpp:419:7:419:15 | Store: ... = ... | This write might be out of bounds, as the pointer might be equal to $@ + $@. | test.cpp:417:16:417:33 | new[] | new[] | test.cpp:419:10:419:10 | i | i |
+| test.cpp:433:5:433:21 | Store: ... = ... | test.cpp:427:14:427:27 | new[] | test.cpp:433:5:433:21 | Store: ... = ... | This write might be out of bounds, as the pointer might be equal to $@ + $@. | test.cpp:427:14:427:27 | new[] | new[] | test.cpp:433:8:433:16 | ... ++ | ... ++ |

cpp/ql/test/experimental/query-tests/Security/CWE/CWE-193/pointer-deref/test.cpp

@@ -383,3 +383,53 @@ void test27(unsigned size, bool b) {
 
   int val = *end; // BAD
 }
+
+void test28(unsigned size) {
+  char *xs = new char[size];
+  char *end = &xs[size];
+    if (xs >= end)
+      return;
+    xs++;
+    if (xs >= end)
+      return;
+    xs[0] = 0;  // GOOD [FALSE POSITIVE]
+}
+
+struct test29_struct {
+  char* xs;
+};
+
+void test29(unsigned size) {
+  test29_struct val;
+  val.xs = new char[size];
+  size++;
+  val.xs = new char[size];
+  val.xs[size - 1] = 0; // GOOD [FALSE POSITIVE]
+}
+
+void test30(int *size)
+{
+  int new_size = 0, tmp_size = 0;
+
+  test30(&tmp_size);
+  if (tmp_size + 1 > new_size) {
+    new_size = tmp_size + 1;
+    char *xs = new char[new_size];
+    for (int i = 0; i < new_size; i++) {
+      xs[i] = 0;  // GOOD [FALSE POSITIVE]
+    }
+  }
+  *size = new_size;
+}
+
+void test31(unsigned size, unsigned src_pos)
+{
+  char *xs = new char[size];
+  if (src_pos > size) {
+    src_pos = size;
+  }
+  unsigned dst_pos = src_pos;
+  if(dst_pos < size - 3) {
+    xs[dst_pos++] = 0; // GOOD [FALSE POSITIVE]
+  }
+}

cpp/ql/test/library-tests/dataflow/dataflow-tests/dataflow-consistency.expected

@@ -67,6 +67,8 @@ postWithInFlow
 | ref.cpp:109:9:109:11 | val [post update] | PostUpdateNode should not be the target of local flow. |
 | ref.cpp:113:11:113:13 | val [post update] | PostUpdateNode should not be the target of local flow. |
 | ref.cpp:115:11:115:13 | val [post update] | PostUpdateNode should not be the target of local flow. |
+| self_parameter_flow.cpp:3:4:3:5 | ps [inner post update] | PostUpdateNode should not be the target of local flow. |
+| self_parameter_flow.cpp:8:9:8:9 | s [inner post update] | PostUpdateNode should not be the target of local flow. |
 | test.cpp:91:3:91:9 | source1 [post update] | PostUpdateNode should not be the target of local flow. |
 | test.cpp:115:3:115:6 | * ... [post update] | PostUpdateNode should not be the target of local flow. |
 | test.cpp:115:4:115:6 | out [inner post update] | PostUpdateNode should not be the target of local flow. |
@@ -128,6 +130,10 @@ postWithInFlow
 | test.cpp:690:3:690:3 | s [post update] | PostUpdateNode should not be the target of local flow. |
 | test.cpp:694:4:694:6 | buf [inner post update] | PostUpdateNode should not be the target of local flow. |
 | test.cpp:704:23:704:25 | buf [inner post update] | PostUpdateNode should not be the target of local flow. |
+| test.cpp:715:25:715:25 | c [inner post update] | PostUpdateNode should not be the target of local flow. |
+| test.cpp:728:3:728:4 | * ... [post update] | PostUpdateNode should not be the target of local flow. |
+| test.cpp:728:4:728:4 | p [inner post update] | PostUpdateNode should not be the target of local flow. |
+| test.cpp:734:41:734:41 | x [inner post update] | PostUpdateNode should not be the target of local flow. |
 viableImplInCallContextTooLarge
 uniqueParameterNodeAtPosition
 uniqueParameterNodePosition

cpp/ql/test/library-tests/dataflow/dataflow-tests/self-Iterator.cpp

@@ -0,0 +1,21 @@
+#include "../../../include/iterator.h"
+int source();
+
+template<typename T>
+void sink(T);
+
+template<> struct std::iterator_traits<unsigned long>
+{   // get traits from integer type
+    typedef std::input_iterator_tag iterator_category;
+    typedef unsigned long value_type;
+    typedef unsigned long difference_type;
+    typedef unsigned long distance_type;
+    typedef unsigned long * pointer;
+    typedef unsigned long& reference;
+};
+
+
+int test() {
+    unsigned long x = source();
+    sink(x); // $ ast ir
+}

cpp/ql/test/library-tests/dataflow/dataflow-tests/self_parameter_flow.cpp

@@ -0,0 +1,14 @@
+void incr(unsigned char **ps) // $ ast-def=ps ir-def=*ps ir-def=**ps 
+{
+  *ps += 1;
+}
+
+void callincr(unsigned char *s) // $ ast-def=s 
+{
+  incr(&s);
+}
+
+void test(unsigned char *s) // $ ast-def=s
+{
+  callincr(s); // $ flow
+}

cpp/ql/test/library-tests/dataflow/dataflow-tests/test.cpp

@@ -702,4 +702,35 @@ void call_increment_buf(int** buf) { // $ ast-def=buf
 void test_conflation_regression(int* source) { // $ ast-def=source
   int* buf = source;
   call_increment_buf(&buf);
-}
+}
+
+void write_to_star_star_p(unsigned char **p) // $ ast-def=p ir-def=**p ir-def=*p
+{
+  **p = 0;
+}
+
+void write_to_star_buf(unsigned char *buf) // $ ast-def=buf
+{
+  unsigned char *c = buf;
+  write_to_star_star_p(&c);
+}
+
+void test_write_to_star_buf(unsigned char *source) // $ ast-def=source
+{
+  write_to_star_buf(source);
+  sink(*source); // clean
+}
+
+void does_not_write_source_to_dereference(int *p) // $ ast-def=p ir-def=*p
+{
+  int x = source();
+  p = &x;
+  *p = 42;
+}
+
+void test_does_not_write_source_to_dereference()
+{
+  int x;
+  does_not_write_source_to_dereference(&x);
+  sink(x); // $ ast,ir=733:7 SPURIOUS: ast,ir=726:11
+}

cpp/ql/test/library-tests/dataflow/dataflow-tests/test_self_parameter_flow.expected

@@ -0,0 +1,2 @@
+failures
+testFailures

cpp/ql/test/library-tests/dataflow/dataflow-tests/test_self_parameter_flow.ql

@@ -0,0 +1,34 @@
+import cpp
+import semmle.code.cpp.dataflow.new.DataFlow
+import TestUtilities.InlineExpectationsTest
+
+module TestConfig implements DataFlow::ConfigSig {
+  predicate isSource(DataFlow::Node source) {
+    source.getLocation().getFile().getBaseName() = "self_parameter_flow.cpp" and
+    source.asIndirectArgument() =
+      any(Call call | call.getTarget().hasName("callincr")).getAnArgument()
+  }
+
+  predicate isSink(DataFlow::Node sink) {
+    sink.asDefiningArgument() =
+      any(Call call | call.getTarget().hasName("callincr")).getAnArgument()
+  }
+}
+
+import DataFlow::Global<TestConfig>
+
+module TestSelfParameterFlow implements TestSig {
+  string getARelevantTag() { result = "flow" }
+
+  predicate hasActualResult(Location location, string element, string tag, string value) {
+    exists(DataFlow::Node sink |
+      flowTo(sink) and
+      location = sink.getLocation() and
+      element = sink.toString() and
+      tag = "flow" and
+      value = ""
+    )
+  }
+}
+
+import MakeTest<TestSelfParameterFlow>

cpp/ql/test/library-tests/dataflow/dataflow-tests/uninitialized.expected

@@ -42,3 +42,5 @@
 | test.cpp:551:9:551:9 | y | test.cpp:552:28:552:28 | y |
 | test.cpp:595:8:595:9 | xs | test.cpp:596:3:596:4 | xs |
 | test.cpp:595:8:595:9 | xs | test.cpp:597:9:597:10 | xs |
+| test.cpp:733:7:733:7 | x | test.cpp:734:41:734:41 | x |
+| test.cpp:733:7:733:7 | x | test.cpp:735:8:735:8 | x |

cpp/ql/test/library-tests/dataflow/taint-tests/localTaint.expected

@@ -6591,6 +6591,20 @@
 | taint.cpp:702:4:702:6 | ... ++ | taint.cpp:703:8:703:8 | p | TAINT |
 | taint.cpp:702:10:702:11 | * ... | taint.cpp:702:3:702:11 | ... = ... |  |
 | taint.cpp:702:11:702:11 | s | taint.cpp:702:10:702:11 | * ... | TAINT |
+| taint.cpp:709:25:709:25 | d | taint.cpp:709:25:709:25 | d |  |
+| taint.cpp:709:25:709:25 | d | taint.cpp:711:10:711:10 | d |  |
+| taint.cpp:709:25:709:25 | d | taint.cpp:712:7:712:7 | d |  |
+| taint.cpp:709:34:709:34 | s | taint.cpp:709:34:709:34 | s |  |
+| taint.cpp:709:34:709:34 | s | taint.cpp:710:18:710:18 | s |  |
+| taint.cpp:709:34:709:34 | s | taint.cpp:711:13:711:13 | s |  |
+| taint.cpp:710:18:710:18 | ref arg s | taint.cpp:709:34:709:34 | s |  |
+| taint.cpp:710:18:710:18 | ref arg s | taint.cpp:711:13:711:13 | s |  |
+| taint.cpp:711:10:711:10 | d | taint.cpp:711:2:711:8 | call to strncpy |  |
+| taint.cpp:711:10:711:10 | ref arg d | taint.cpp:709:25:709:25 | d |  |
+| taint.cpp:711:10:711:10 | ref arg d | taint.cpp:712:7:712:7 | d |  |
+| taint.cpp:711:13:711:13 | s | taint.cpp:711:2:711:8 | call to strncpy | TAINT |
+| taint.cpp:711:13:711:13 | s | taint.cpp:711:10:711:10 | ref arg d | TAINT |
+| taint.cpp:712:7:712:7 | ref arg d | taint.cpp:709:25:709:25 | d |  |
 | vector.cpp:16:43:16:49 | source1 | vector.cpp:17:26:17:32 | source1 |  |
 | vector.cpp:16:43:16:49 | source1 | vector.cpp:31:38:31:44 | source1 |  |
 | vector.cpp:17:21:17:33 | call to vector | vector.cpp:19:14:19:14 | v |  |

cpp/ql/test/library-tests/dataflow/taint-tests/taint.cpp

@@ -702,4 +702,12 @@ namespace strings {
 		*p++ = *s;
 		sink(p); // $ ast ir
 	}
+}
+
+char * strncpy (char *, const char *, unsigned long);
+
+void test_strncpy(char* d, char* s) {
+	argument_source(s);
+	strncpy(d, s, 16);
+	sink(d); // $ ast ir
 }

cpp/ql/test/query-tests/Security/CWE/CWE-119/semmle/tests/OverflowDestination.expected

@@ -8,13 +8,19 @@ edges
 | overflowdestination.cpp:23:45:23:48 | argv indirection | overflowdestination.cpp:30:17:30:20 | arg1 indirection |
 | overflowdestination.cpp:23:45:23:48 | argv indirection | overflowdestination.cpp:30:17:30:20 | arg1 indirection |
 | overflowdestination.cpp:43:8:43:10 | fgets output argument | overflowdestination.cpp:46:15:46:17 | src indirection |
+| overflowdestination.cpp:50:52:50:54 | src indirection | overflowdestination.cpp:53:9:53:12 | memcpy output argument |
 | overflowdestination.cpp:50:52:50:54 | src indirection | overflowdestination.cpp:53:15:53:17 | src indirection |
 | overflowdestination.cpp:50:52:50:54 | src indirection | overflowdestination.cpp:53:15:53:17 | src indirection |
+| overflowdestination.cpp:50:52:50:54 | src indirection | overflowdestination.cpp:54:9:54:12 | memcpy output argument |
+| overflowdestination.cpp:53:9:53:12 | memcpy output argument | overflowdestination.cpp:54:9:54:12 | memcpy output argument |
+| overflowdestination.cpp:54:9:54:12 | memcpy output argument | overflowdestination.cpp:54:9:54:12 | memcpy output argument |
 | overflowdestination.cpp:57:52:57:54 | src indirection | overflowdestination.cpp:64:16:64:19 | src2 indirection |
 | overflowdestination.cpp:57:52:57:54 | src indirection | overflowdestination.cpp:64:16:64:19 | src2 indirection |
 | overflowdestination.cpp:73:8:73:10 | fgets output argument | overflowdestination.cpp:75:30:75:32 | src indirection |
 | overflowdestination.cpp:73:8:73:10 | fgets output argument | overflowdestination.cpp:76:30:76:32 | src indirection |
+| overflowdestination.cpp:75:30:75:32 | overflowdest_test2 output argument | overflowdestination.cpp:76:30:76:32 | src indirection |
 | overflowdestination.cpp:75:30:75:32 | src indirection | overflowdestination.cpp:50:52:50:54 | src indirection |
+| overflowdestination.cpp:75:30:75:32 | src indirection | overflowdestination.cpp:75:30:75:32 | overflowdest_test2 output argument |
 | overflowdestination.cpp:76:30:76:32 | src indirection | overflowdestination.cpp:57:52:57:54 | src indirection |
 nodes
 | main.cpp:6:27:6:30 | argv indirection | semmle.label | argv indirection |
@@ -28,15 +34,20 @@ nodes
 | overflowdestination.cpp:43:8:43:10 | fgets output argument | semmle.label | fgets output argument |
 | overflowdestination.cpp:46:15:46:17 | src indirection | semmle.label | src indirection |
 | overflowdestination.cpp:50:52:50:54 | src indirection | semmle.label | src indirection |
+| overflowdestination.cpp:53:9:53:12 | memcpy output argument | semmle.label | memcpy output argument |
 | overflowdestination.cpp:53:15:53:17 | src indirection | semmle.label | src indirection |
 | overflowdestination.cpp:53:15:53:17 | src indirection | semmle.label | src indirection |
+| overflowdestination.cpp:54:9:54:12 | memcpy output argument | semmle.label | memcpy output argument |
 | overflowdestination.cpp:57:52:57:54 | src indirection | semmle.label | src indirection |
 | overflowdestination.cpp:64:16:64:19 | src2 indirection | semmle.label | src2 indirection |
 | overflowdestination.cpp:64:16:64:19 | src2 indirection | semmle.label | src2 indirection |
 | overflowdestination.cpp:73:8:73:10 | fgets output argument | semmle.label | fgets output argument |
+| overflowdestination.cpp:75:30:75:32 | overflowdest_test2 output argument | semmle.label | overflowdest_test2 output argument |
 | overflowdestination.cpp:75:30:75:32 | src indirection | semmle.label | src indirection |
 | overflowdestination.cpp:76:30:76:32 | src indirection | semmle.label | src indirection |
 subpaths
+| overflowdestination.cpp:75:30:75:32 | src indirection | overflowdestination.cpp:50:52:50:54 | src indirection | overflowdestination.cpp:53:9:53:12 | memcpy output argument | overflowdestination.cpp:75:30:75:32 | overflowdest_test2 output argument |
+| overflowdestination.cpp:75:30:75:32 | src indirection | overflowdestination.cpp:50:52:50:54 | src indirection | overflowdestination.cpp:54:9:54:12 | memcpy output argument | overflowdestination.cpp:75:30:75:32 | overflowdest_test2 output argument |
 #select
 | overflowdestination.cpp:30:2:30:8 | call to strncpy | main.cpp:6:27:6:30 | argv indirection | overflowdestination.cpp:30:17:30:20 | arg1 indirection | To avoid overflow, this operation should be bounded by destination-buffer size, not source-buffer size. |
 | overflowdestination.cpp:30:2:30:8 | call to strncpy | main.cpp:6:27:6:30 | argv indirection | overflowdestination.cpp:30:17:30:20 | arg1 indirection | To avoid overflow, this operation should be bounded by destination-buffer size, not source-buffer size. |

csharp/documentation/library-coverage/coverage.csv

@@ -24,5 +24,5 @@ Microsoft.Win32,,,8,,,,,,,,,,,,,,8,
 MySql.Data.MySqlClient,48,,,,,,,,,,,48,,,,,,
 Newtonsoft.Json,,,91,,,,,,,,,,,,,,73,18
 ServiceStack,194,,7,27,,,,,75,,,92,,,,,7,
-System,65,25,12157,,8,8,9,,,4,3,33,1,17,3,4,10163,1994
+System,65,25,12148,,8,8,9,,,4,3,33,1,17,3,4,10163,1985
 Windows.Security.Cryptography.Core,1,,,,,,,1,,,,,,,,,,

csharp/documentation/library-coverage/coverage.rst

@@ -8,7 +8,7 @@ C# framework & library support
 
    Framework / library,Package,Flow sources,Taint & value steps,Sinks (total),`CWE-079` :sub:`Cross-site scripting`
    `ServiceStack <https://servicestack.net/>`_,"``ServiceStack.*``, ``ServiceStack``",,7,194,
-   System,"``System.*``, ``System``",25,12157,65,7
+   System,"``System.*``, ``System``",25,12148,65,7
    Others,"``Dapper``, ``JsonToItemsTaskFactory``, ``Microsoft.ApplicationBlocks.Data``, ``Microsoft.CSharp``, ``Microsoft.EntityFrameworkCore``, ``Microsoft.Extensions.Caching.Distributed``, ``Microsoft.Extensions.Caching.Memory``, ``Microsoft.Extensions.Configuration``, ``Microsoft.Extensions.DependencyInjection``, ``Microsoft.Extensions.DependencyModel``, ``Microsoft.Extensions.FileProviders``, ``Microsoft.Extensions.FileSystemGlobbing``, ``Microsoft.Extensions.Hosting``, ``Microsoft.Extensions.Http``, ``Microsoft.Extensions.Logging``, ``Microsoft.Extensions.Options``, ``Microsoft.Extensions.Primitives``, ``Microsoft.Interop``, ``Microsoft.NET.Build.Tasks``, ``Microsoft.NETCore.Platforms.BuildTasks``, ``Microsoft.VisualBasic``, ``Microsoft.Win32``, ``MySql.Data.MySqlClient``, ``Newtonsoft.Json``, ``Windows.Security.Cryptography.Core``",,568,138,
-   Totals,,25,12732,397,7
+   Totals,,25,12723,397,7
 

csharp/ql/campaigns/Solorigate/lib/CHANGELOG.md

@@ -1,3 +1,7 @@
+## 1.5.3
+
+No user-facing changes.
+
 ## 1.5.2
 
 No user-facing changes.

csharp/ql/campaigns/Solorigate/lib/change-notes/released/1.5.3.md

@@ -0,0 +1,3 @@
+## 1.5.3
+
+No user-facing changes.

csharp/ql/campaigns/Solorigate/lib/codeql-pack.release.yml

@@ -1,2 +1,2 @@
 ---
-lastReleaseVersion: 1.5.2
+lastReleaseVersion: 1.5.3

csharp/ql/campaigns/Solorigate/lib/qlpack.yml

@@ -1,5 +1,5 @@
 name: codeql/csharp-solorigate-all
-version: 1.5.3-dev
+version: 1.5.4-dev
 groups:
     - csharp
     - solorigate

csharp/ql/campaigns/Solorigate/src/CHANGELOG.md

@@ -1,3 +1,7 @@
+## 1.5.3
+
+No user-facing changes.
+
 ## 1.5.2
 
 No user-facing changes.

csharp/ql/campaigns/Solorigate/src/change-notes/released/1.5.3.md

@@ -0,0 +1,3 @@
+## 1.5.3
+
+No user-facing changes.

csharp/ql/campaigns/Solorigate/src/codeql-pack.release.yml

@@ -1,2 +1,2 @@
 ---
-lastReleaseVersion: 1.5.2
+lastReleaseVersion: 1.5.3

csharp/ql/campaigns/Solorigate/src/qlpack.yml

@@ -1,5 +1,5 @@
 name: codeql/csharp-solorigate-queries
-version: 1.5.3-dev
+version: 1.5.4-dev
 groups:
     - csharp
     - solorigate

csharp/ql/consistency-queries/AstConsistency.qll

@@ -17,3 +17,8 @@ query predicate missingLocation(Element e) {
   not exists(TupleType t | e = t or e = t.getAField()) and
   not exists(e.getLocation())
 }
+
+query predicate multipleToString(Element e, string s) {
+  s = strictconcat(e.toString(), ",") and
+  strictcount(e.toString()) > 1
+}

csharp/ql/consistency-queries/CfgConsistency.ql

@@ -62,3 +62,8 @@ query predicate preBasicBlockConsistency(ControlFlowElement cfe1, ControlFlowEle
   bbIntraSuccInconsistency(cfe1, cfe2) and
   s = "intra succ inconsistency"
 }
+
+query predicate multipleToString(Node n, string s) {
+  s = strictconcat(n.toString(), ",") and
+  strictcount(n.toString()) > 1
+}

csharp/ql/consistency-queries/DataFlowConsistency.ql

@@ -74,3 +74,8 @@ private class MyConsistencyConfiguration extends ConsistencyConfiguration {
 
   override predicate identityLocalStepExclude(Node n) { none() }
 }
+
+query predicate multipleToString(Node n, string s) {
+  s = strictconcat(n.toString(), ",") and
+  strictcount(n.toString()) > 1
+}

csharp/ql/lib/CHANGELOG.md

@@ -1,3 +1,24 @@
+## 0.6.3
+
+### Major Analysis Improvements
+
+* The extractor has been changed to run after the traced compiler call. This allows inspecting compiler generated files, such as the output of source generators. With this change, `.cshtml` files and their generated `.cshtml.g.cs` counterparts are extracted on dotnet 6 and above.
+
+### Minor Analysis Improvements
+
+* C#: Analysis of the `dotnet test` command supplied with a `dll` or `exe` file as argument no longer fails due to the addition of an erroneous `-p:SharedCompilation=false` argument.
+* Deleted the deprecated `WebConfigXML`, `ConfigurationXMLElement`, `LocationXMLElement`, `SystemWebXMLElement`, `SystemWebServerXMLElement`, `CustomErrorsXMLElement`, and `HttpRuntimeXMLElement` classes from `WebConfig.qll`. The non-deprecated names with PascalCased Xml suffixes should be used instead.
+* Deleted the deprecated `Record` class from both `Types.qll` and `Type.qll`.
+* Deleted the deprecated `StructuralComparisonConfiguration` class from `StructuralComparison.qll`, use `sameGvn` instead.
+* Deleted the deprecated `isParameterOf` predicate from the `ParameterNode` class.
+* Deleted the deprecated `SafeExternalAPICallable`, `ExternalAPIDataNode`, `UntrustedDataToExternalAPIConfig`, `UntrustedExternalAPIDataNode`, and `ExternalAPIUsedWithUntrustedData` classes from `ExternalAPIsQuery.qll`. The non-deprecated names with PascalCased Api suffixes should be used instead.
+* Updated the following C# sink kind names. Any custom data extensions that use these sink kinds will need to be updated accordingly in order to continue working.
+  * `code` to `code-injection`
+  * `sql` to `sql-injection`
+  * `html` to `html-injection`
+  * `xss` to `js-injection`
+  * `remote` to `file-content-store`
+
 ## 0.6.2
 
 ### Minor Analysis Improvements

csharp/ql/lib/change-notes/2023-05-09-models-as-data.md

@@ -0,0 +1,4 @@
+---
+category: minorAnalysis
+---
+* Additional support for `command-injection`, `ldap-injection`, `log-injection`, and `url-redirection` sink kinds for Models as Data.

csharp/ql/lib/change-notes/2023-05-17-update-csharp-sink-kinds.md

@@ -1,9 +0,0 @@
----
-category: minorAnalysis
----
-* Updated the following C# sink kind names. Any custom data extensions that use these sink kinds will need to be updated accordingly in order to continue working.
-  * `code` to `code-injection`
-  * `sql` to `sql-injection`
-  * `html` to `html-injection`
-  * `xss` to `js-injection`
-  * `remote` to `file-content-store`

csharp/ql/lib/change-notes/2023-05-30-source-generators.md

@@ -1,4 +0,0 @@
----
-category: majorAnalysis
----
-* The extractor has been changed to run after the traced compiler call. This allows inspecting compiler generated files, such as the output of source generators. With this change, `.cshtml` files and their generated `.cshtml.g.cs` counterparts are extracted on dotnet 6 and above.

csharp/ql/lib/change-notes/2023-06-06-dotnettest.md

@@ -1,4 +0,0 @@
----
-category: minorAnalysis
----
-* C#: Analysis of the `dotnet test` command supplied with a `dll` or `exe` file as argument no longer fails due to the addition of an erroneous `-p:SharedCompilation=false` argument.

csharp/ql/lib/change-notes/released/0.6.3.md

@@ -1,8 +1,20 @@
----
-category: minorAnalysis
----
+## 0.6.3
+
+### Major Analysis Improvements
+
+* The extractor has been changed to run after the traced compiler call. This allows inspecting compiler generated files, such as the output of source generators. With this change, `.cshtml` files and their generated `.cshtml.g.cs` counterparts are extracted on dotnet 6 and above.
+
+### Minor Analysis Improvements
+
+* C#: Analysis of the `dotnet test` command supplied with a `dll` or `exe` file as argument no longer fails due to the addition of an erroneous `-p:SharedCompilation=false` argument.
 * Deleted the deprecated `WebConfigXML`, `ConfigurationXMLElement`, `LocationXMLElement`, `SystemWebXMLElement`, `SystemWebServerXMLElement`, `CustomErrorsXMLElement`, and `HttpRuntimeXMLElement` classes from `WebConfig.qll`. The non-deprecated names with PascalCased Xml suffixes should be used instead.
 * Deleted the deprecated `Record` class from both `Types.qll` and `Type.qll`.
 * Deleted the deprecated `StructuralComparisonConfiguration` class from `StructuralComparison.qll`, use `sameGvn` instead.
 * Deleted the deprecated `isParameterOf` predicate from the `ParameterNode` class.
 * Deleted the deprecated `SafeExternalAPICallable`, `ExternalAPIDataNode`, `UntrustedDataToExternalAPIConfig`, `UntrustedExternalAPIDataNode`, and `ExternalAPIUsedWithUntrustedData` classes from `ExternalAPIsQuery.qll`. The non-deprecated names with PascalCased Api suffixes should be used instead.
+* Updated the following C# sink kind names. Any custom data extensions that use these sink kinds will need to be updated accordingly in order to continue working.
+  * `code` to `code-injection`
+  * `sql` to `sql-injection`
+  * `html` to `html-injection`
+  * `xss` to `js-injection`
+  * `remote` to `file-content-store`

csharp/ql/lib/codeql-pack.release.yml

@@ -1,2 +1,2 @@
 ---
-lastReleaseVersion: 0.6.2
+lastReleaseVersion: 0.6.3

csharp/ql/lib/qlpack.yml

@@ -1,11 +1,12 @@
 name: codeql/csharp-all
-version: 0.6.3-dev
+version: 0.6.4-dev
 groups: csharp
 dbscheme: semmlecode.csharp.dbscheme
 extractor: csharp
 library: true
 upgrades: upgrades
 dependencies:
+  codeql/mad: ${workspace}
   codeql/ssa: ${workspace}
   codeql/tutorial: ${workspace}
   codeql/util: ${workspace}

csharp/ql/lib/semmle/code/csharp/dataflow/ExternalFlow.qll

@@ -62,8 +62,8 @@
  *      in the given range. The range is inclusive at both ends.
  *    - "ReturnValue": Selects the return value of a call to the selected element.
  *
- *    For summaries, `input` and `output` may be prefixed by one of the following,
- *    separated by the "of" keyword:
+ *    For summaries, `input` and `output` may be suffixed by any number of the
+ *    following, separated by ".":
  *    - "Element": Selects an element in a collection.
  *    - "Field[f]": Selects the contents of field `f`.
  *    - "Property[p]": Selects the contents of property `p`.
@@ -95,6 +95,7 @@ private import internal.DataFlowPublic
 private import internal.FlowSummaryImpl::Public
 private import internal.FlowSummaryImpl::Private::External
 private import internal.FlowSummaryImplSpecific
+private import codeql.mad.ModelValidation as SharedModelVal
 
 /** Holds if a source model exists for the given parameters. */
 predicate sourceModel = Extensions::sourceModel/9;
@@ -204,30 +205,18 @@ module ModelValidation {
     )
   }
 
-  private string getInvalidModelKind() {
-    exists(string kind | summaryModel(_, _, _, _, _, _, _, _, kind, _) |
-      not kind = ["taint", "value"] and
-      result = "Invalid kind \"" + kind + "\" in summary model."
-    )
-    or
-    exists(string kind | sinkModel(_, _, _, _, _, _, _, kind, _) |
-      not kind =
-        ["code-injection", "sql-injection", "js-injection", "html-injection", "file-content-store"] and
-      not kind.matches("encryption-%") and
-      result = "Invalid kind \"" + kind + "\" in sink model."
-    )
-    or
-    exists(string kind | sourceModel(_, _, _, _, _, _, _, kind, _) |
-      not kind = ["local", "remote", "file", "file-write"] and
-      result = "Invalid kind \"" + kind + "\" in source model."
-    )
-    or
-    exists(string kind | neutralModel(_, _, _, _, kind, _) |
-      not kind = ["summary", "source", "sink"] and
-      result = "Invalid kind \"" + kind + "\" in neutral model."
-    )
+  private module KindValConfig implements SharedModelVal::KindValidationConfigSig {
+    predicate summaryKind(string kind) { summaryModel(_, _, _, _, _, _, _, _, kind, _) }
+
+    predicate sinkKind(string kind) { sinkModel(_, _, _, _, _, _, _, kind, _) }
+
+    predicate sourceKind(string kind) { sourceModel(_, _, _, _, _, _, _, kind, _) }
+
+    predicate neutralKind(string kind) { neutralModel(_, _, _, _, kind, _) }
   }
 
+  private module KindVal = SharedModelVal::KindValidation<KindValConfig>;
+
   private string getInvalidModelSignature() {
     exists(
       string pred, string namespace, string type, string name, string signature, string ext,
@@ -269,7 +258,7 @@ module ModelValidation {
     msg =
       [
         getInvalidModelSignature(), getInvalidModelInput(), getInvalidModelOutput(),
-        getInvalidModelKind()
+        KindVal::getInvalidModelKind()
       ]
   }
 }

csharp/ql/lib/semmle/code/csharp/dataflow/FlowSummary.qll

@@ -64,15 +64,6 @@ module SummaryComponent {
   /** Gets a summary component that represents the return value of a call. */
   SummaryComponent return() { result = return(any(DataFlowDispatch::NormalReturnKind rk)) }
 
-  /** Gets a summary component that represents a jump to `c`. */
-  SummaryComponent jump(Callable c) {
-    result =
-      return(any(DataFlowDispatch::JumpReturnKind jrk |
-          jrk.getTarget() = c.getUnboundDeclaration() and
-          jrk.getTargetReturnKind() instanceof DataFlowDispatch::NormalReturnKind
-        ))
-  }
-
   predicate syntheticGlobal = SummaryComponentInternal::syntheticGlobal/1;
 
   class SyntheticGlobal = SummaryComponentInternal::SyntheticGlobal;
@@ -114,9 +105,6 @@ module SummaryComponentStack {
   /** Gets a singleton stack representing the return value of a call. */
   SummaryComponentStack return() { result = singleton(SummaryComponent::return()) }
 
-  /** Gets a singleton stack representing a jump to `c`. */
-  SummaryComponentStack jump(Callable c) { result = singleton(SummaryComponent::jump(c)) }
-
   /** Gets a singleton stack representing a synthetic global with name `name`. */
   SummaryComponentStack syntheticGlobal(string synthetic) {
     result = singleton(SummaryComponent::syntheticGlobal(synthetic))

csharp/ql/lib/semmle/code/csharp/dataflow/internal/DataFlowDispatch.qll

@@ -74,18 +74,6 @@ newtype TReturnKind =
     exists(Ssa::ExplicitDefinition def | def.isCapturedVariableDefinitionFlowOut(_, _) |
       v = def.getSourceVariable().getAssignable()
     )
-  } or
-  TJumpReturnKind(Callable target, ReturnKind rk) {
-    target.isUnboundDeclaration() and
-    (
-      rk instanceof NormalReturnKind and
-      (
-        target instanceof Constructor or
-        not target.getReturnType() instanceof VoidType
-      )
-      or
-      exists(target.getParameter(rk.(OutRefReturnKind).getPosition()))
-    )
   }
 
 /**
@@ -257,27 +245,6 @@ class ImplicitCapturedReturnKind extends ReturnKind, TImplicitCapturedReturnKind
   override string toString() { result = "captured " + v }
 }
 
-/**
- * A value returned through the output of another callable.
- *
- * This is currently only used to model flow summaries where data may flow into
- * one API entry point and out of another.
- */
-class JumpReturnKind extends ReturnKind, TJumpReturnKind {
-  private Callable target;
-  private ReturnKind rk;
-
-  JumpReturnKind() { this = TJumpReturnKind(target, rk) }
-
-  /** Gets the target of the jump. */
-  Callable getTarget() { result = target }
-
-  /** Gets the return kind of the target. */
-  ReturnKind getTargetReturnKind() { result = rk }
-
-  override string toString() { result = "jump to " + target }
-}
-
 /** A callable used for data flow. */
 class DataFlowCallable extends TDataFlowCallable {
   /** Get the underlying source code callable, if any. */

csharp/ql/lib/semmle/code/csharp/dataflow/internal/DataFlowImpl.qll

@@ -2021,7 +2021,8 @@ module Impl<FullStateConfigSig Config> {
       FlowCheckNode() {
         castNode(this.asNode()) or
         clearsContentCached(this.asNode(), _) or
-        expectsContentCached(this.asNode(), _)
+        expectsContentCached(this.asNode(), _) or
+        neverSkipInPathGraph(this.asNode())
       }
     }
 

csharp/ql/lib/semmle/code/csharp/dataflow/internal/DataFlowPrivate.qll

@@ -1457,8 +1457,7 @@ private module ReturnNodes {
     private ReturnKind rk;
 
     SummaryReturnNode() {
-      FlowSummaryImpl::Private::summaryReturnNode(this.getSummaryNode(), rk) and
-      not rk instanceof JumpReturnKind
+      FlowSummaryImpl::Private::summaryReturnNode(this.getSummaryNode(), rk)
       or
       exists(Parameter p, int pos |
         summaryPostUpdateNodeIsOutOrRef(this, p) and
@@ -1708,12 +1707,6 @@ predicate jumpStep(Node pred, Node succ) {
     flr.hasNonlocalValue()
   )
   or
-  exists(JumpReturnKind jrk, NonDelegateDataFlowCall call |
-    FlowSummaryImpl::Private::summaryReturnNode(pred.(FlowSummaryNode).getSummaryNode(), jrk) and
-    jrk.getTarget() = call.getATarget(_) and
-    succ = getAnOutNode(call, jrk.getTargetReturnKind())
-  )
-  or
   FlowSummaryImpl::Private::Steps::summaryJumpStep(pred.(FlowSummaryNode).getSummaryNode(),
     succ.(FlowSummaryNode).getSummaryNode())
 }
@@ -2147,6 +2140,12 @@ class CastNode extends Node {
   }
 }
 
+/**
+ * Holds if `n` should never be skipped over in the `PathGraph` and in path
+ * explanations.
+ */
+predicate neverSkipInPathGraph(Node n) { none() }
+
 class DataFlowExpr = DotNet::Expr;
 
 /** Holds if `e` is an expression that always has the same Boolean value `val`. */

csharp/ql/lib/semmle/code/csharp/dataflow/internal/FlowSummaryImplSpecific.qll

@@ -61,7 +61,8 @@ DataFlowType getParameterType(SummarizedCallable c, ParameterPosition pos) {
   )
 }
 
-private DataFlowType getReturnTypeBase(DotNet::Callable c, ReturnKind rk) {
+/** Gets the return type of kind `rk` for callable `c`. */
+DataFlowType getReturnType(DotNet::Callable c, ReturnKind rk) {
   exists(Type t | result = Gvn::getGlobalValueNumber(t) |
     rk instanceof NormalReturnKind and
     (
@@ -75,15 +76,6 @@ private DataFlowType getReturnTypeBase(DotNet::Callable c, ReturnKind rk) {
   )
 }
 
-/** Gets the return type of kind `rk` for callable `c`. */
-bindingset[c]
-DataFlowType getReturnType(SummarizedCallable c, ReturnKind rk) {
-  result = getReturnTypeBase(c, rk)
-  or
-  rk =
-    any(JumpReturnKind jrk | result = getReturnTypeBase(jrk.getTarget(), jrk.getTargetReturnKind()))
-}
-
 /**
  * Gets the type of the parameter matching arguments at position `pos` in a
  * synthesized call that targets a callback of type `t`.

csharp/ql/lib/semmle/code/csharp/security/dataflow/CommandInjectionQuery.qll

@@ -6,6 +6,7 @@ import csharp
 private import semmle.code.csharp.security.dataflow.flowsources.Remote
 private import semmle.code.csharp.frameworks.system.Diagnostics
 private import semmle.code.csharp.security.Sanitizers
+private import semmle.code.csharp.dataflow.ExternalFlow
 
 /**
  * A source specific to command injection vulnerabilities.
@@ -66,6 +67,11 @@ module CommandInjection = TaintTracking::Global<CommandInjectionConfig>;
 /** A source of remote user input. */
 class RemoteSource extends Source instanceof RemoteFlowSource { }
 
+/** Command Injection sinks defined through Models as Data. */
+private class ExternalCommandInjectionExprSink extends Sink {
+  ExternalCommandInjectionExprSink() { sinkNode(this, "command-injection") }
+}
+
 /**
  * A sink in `System.Diagnostic.Process` or its related classes.
  */

csharp/ql/lib/semmle/code/csharp/security/dataflow/LDAPInjectionQuery.qll

@@ -8,6 +8,7 @@ private import semmle.code.csharp.security.dataflow.flowsources.Remote
 private import semmle.code.csharp.frameworks.system.DirectoryServices
 private import semmle.code.csharp.frameworks.system.directoryservices.Protocols
 private import semmle.code.csharp.security.Sanitizers
+private import semmle.code.csharp.dataflow.ExternalFlow
 
 /**
  * A data flow source for unvalidated user input that is used to construct LDAP queries.
@@ -68,6 +69,11 @@ module LdapInjection = TaintTracking::Global<LdapInjectionConfig>;
 /** A source of remote user input. */
 class RemoteSource extends Source instanceof RemoteFlowSource { }
 
+/** LDAP sinks defined through Models as Data. */
+private class ExternalLdapExprSink extends Sink {
+  ExternalLdapExprSink() { sinkNode(this, "ldap-injection") }
+}
+
 /**
  * An argument that sets the `Path` property of a `DirectoryEntry` object that is a sink for LDAP
  * injection.

csharp/ql/lib/semmle/code/csharp/security/dataflow/LogForgingQuery.qll

@@ -8,6 +8,7 @@ private import semmle.code.csharp.frameworks.System
 private import semmle.code.csharp.frameworks.system.text.RegularExpressions
 private import semmle.code.csharp.security.Sanitizers
 private import semmle.code.csharp.security.dataflow.flowsinks.ExternalLocationSink
+private import semmle.code.csharp.dataflow.ExternalFlow
 
 /**
  * A data flow source for untrusted user input used in log entries.
@@ -72,6 +73,11 @@ private class LogForgingLogMessageSink extends Sink, LogMessageSink { }
  */
 private class LogForgingTraceMessageSink extends Sink, TraceMessageSink { }
 
+/** Log Forging sinks defined through Models as Data. */
+private class ExternalLoggingExprSink extends Sink {
+  ExternalLoggingExprSink() { sinkNode(this, "log-injection") }
+}
+
 /**
  * A call to String replace or remove that is considered to sanitize replaced string.
  */

csharp/ql/lib/semmle/code/csharp/security/dataflow/UrlRedirectQuery.qll

@@ -9,6 +9,7 @@ private import semmle.code.csharp.frameworks.system.Web
 private import semmle.code.csharp.frameworks.system.web.Mvc
 private import semmle.code.csharp.security.Sanitizers
 private import semmle.code.csharp.frameworks.microsoft.AspNetCore
+private import semmle.code.csharp.dataflow.ExternalFlow
 
 /**
  * A data flow source for unvalidated URL redirect vulnerabilities.
@@ -70,6 +71,11 @@ module UrlRedirect = TaintTracking::Global<UrlRedirectConfig>;
 /** A source of remote user input. */
 class RemoteSource extends Source instanceof RemoteFlowSource { }
 
+/** URL Redirection sinks defined through Models as Data. */
+private class ExternalUrlRedirectExprSink extends Sink {
+  ExternalUrlRedirectExprSink() { sinkNode(this, "url-redirection") }
+}
+
 /**
  * A URL argument to a call to `HttpResponse.Redirect()` or `Controller.Redirect()`, that is a
  * sink for URL redirects.

csharp/ql/src/CHANGELOG.md

@@ -1,3 +1,7 @@
+## 0.6.3
+
+No user-facing changes.
+
 ## 0.6.2
 
 No user-facing changes.

csharp/ql/src/Security Features/CWE-022/ZipSlip.qhelp

@@ -3,16 +3,15 @@
   "qhelp.dtd">
 <qhelp>
 <overview>
-<p>Extracting files from a malicious zip archive without validating that the destination file path
-is within the destination directory can cause files outside the destination directory to be
-overwritten, due to the possible presence of directory traversal elements (<code>..</code>) in
-archive paths.</p>
+<p>Extracting files from a malicious zip file, or similar type of archive,
+is at risk of directory traversal attacks if filenames from the archive are
+not properly validated.</p>
 
 <p>Zip archives contain archive entries representing each file in the archive. These entries
 include a file path for the entry, but these file paths are not restricted and may contain
 unexpected special elements such as the directory traversal element (<code>..</code>). If these
-file paths are used to determine an output file to write the contents of the archive item to, then
-the file may be written to an unexpected location. This can result in sensitive information being
+file paths are used to create a filesystem path, then a file operation may happen in an 
+unexpected location. This can result in sensitive information being
 revealed or deleted, or an attacker being able to influence behavior by modifying unexpected
 files.</p>
 

csharp/ql/src/Security Features/CWE-022/ZipSlip.ql

@@ -1,8 +1,8 @@
 /**
- * @name Arbitrary file write during zip extraction ("Zip Slip")
- * @description Extracting files from a malicious zip archive without validating that the
- *              destination file path is within the destination directory can cause files outside
- *              the destination directory to be overwritten.
+ * @name Arbitrary file access during archive extraction ("Zip Slip")
+ * @description Extracting files from a malicious ZIP file, or similar type of archive, without
+ *              validating that the destination file path is within the destination directory
+ *              can allow an attacker to unexpectedly gain access to resources.
  * @kind path-problem
  * @id cs/zipslip
  * @problem.severity error

csharp/ql/src/change-notes/2023-06-16-zipslip-rename.md

@@ -0,0 +1,4 @@
+---
+category: fix
+---
+* The query "Arbitrary file write during zip extraction ("Zip Slip")" (`cs/zipslip`) has been renamed to "Arbitrary file access during archive extraction ("Zip Slip")."

csharp/ql/src/change-notes/released/0.6.3.md

@@ -0,0 +1,3 @@
+## 0.6.3
+
+No user-facing changes.

csharp/ql/src/codeql-pack.release.yml

@@ -1,2 +1,2 @@
 ---
-lastReleaseVersion: 0.6.2
+lastReleaseVersion: 0.6.3

csharp/ql/src/qlpack.yml

@@ -1,5 +1,5 @@
 name: codeql/csharp-queries
-version: 0.6.3-dev
+version: 0.6.4-dev
 groups: 
   - csharp
   - queries

csharp/ql/test/TestUtilities/InlineFlowTest.qll

@@ -4,11 +4,12 @@
  * Example for a test.ql:
  * ```ql
  * import csharp
- * import DefaultValueFlow::PathGraph
  * import TestUtilities.InlineFlowTest
+ * import DefaultFlowTest
+ * import PathGraph
  *
- * from DefaultValueFlow::PathNode source, DefaultValueFlow::PathNode sink
- * where DefaultValueFlow::flowPath(source, sink)
+ * from PathNode source, PathNode sink
+ * where flowPath(source, sink)
  * select sink, source, sink, "$@", source, source.toString()
  *
  * ```
@@ -32,14 +33,10 @@
  * }
  * ```
  *
- * If you're not interested in a specific flow type, you can disable either value or taint flow expectations as follows:
- * ```ql
- * class HasFlowTest extends InlineFlowTest {
- *   override DataFlow::Configuration getTaintFlowConfig() { none() }
- *
- *   override DataFlow::Configuration getValueFlowConfig() { none() }
- * }
- * ```
+ * If you are only interested in value flow, then instead of importing `DefaultFlowTest`, you can import
+ * `ValueFlowTest<DefaultFlowConfig>`. Similarly, if you are only interested in taint flow, then instead of
+ * importing `DefaultFlowTest`, you can import `TaintFlowTest<DefaultFlowConfig>`. In both cases
+ * `DefaultFlowConfig` can be replaced by another implementation of `DataFlow::ConfigSig`.
  *
  * If you need more fine-grained tuning, consider implementing a test using `InlineExpectationsTest`.
  */
@@ -47,8 +44,8 @@
 import csharp
 import TestUtilities.InlineExpectationsTest
 
-private predicate defaultSource(DataFlow::Node src) {
-  src.asExpr().(MethodCall).getTarget().getUndecoratedName() = ["Source", "Taint"]
+private predicate defaultSource(DataFlow::Node source) {
+  source.asExpr().(MethodCall).getTarget().getUndecoratedName() = ["Source", "Taint"]
 }
 
 private predicate defaultSink(DataFlow::Node sink) {
@@ -58,42 +55,66 @@ private predicate defaultSink(DataFlow::Node sink) {
 }
 
 module DefaultFlowConfig implements DataFlow::ConfigSig {
-  predicate isSource(DataFlow::Node n) { defaultSource(n) }
+  predicate isSource(DataFlow::Node source) { defaultSource(source) }
 
-  predicate isSink(DataFlow::Node n) { defaultSink(n) }
+  predicate isSink(DataFlow::Node sink) { defaultSink(sink) }
 
   int fieldFlowBranchLimit() { result = 1000 }
 }
 
-module DefaultValueFlow = DataFlow::Global<DefaultFlowConfig>;
+private module NoFlowConfig implements DataFlow::ConfigSig {
+  predicate isSource(DataFlow::Node source) { none() }
 
-module DefaultTaintFlow = TaintTracking::Global<DefaultFlowConfig>;
+  predicate isSink(DataFlow::Node sink) { none() }
+}
 
 private string getSourceArgString(DataFlow::Node src) {
   defaultSource(src) and
   src.asExpr().(MethodCall).getAnArgument().getValue() = result
 }
 
-class InlineFlowTest extends InlineExpectationsTest {
-  InlineFlowTest() { this = "HasFlowTest" }
+module FlowTest<DataFlow::ConfigSig ValueFlowConfig, DataFlow::ConfigSig TaintFlowConfig> {
+  module ValueFlow = DataFlow::Global<ValueFlowConfig>;
 
-  override string getARelevantTag() { result = ["hasValueFlow", "hasTaintFlow"] }
+  module TaintFlow = TaintTracking::Global<TaintFlowConfig>;
 
-  override predicate hasActualResult(Location location, string element, string tag, string value) {
-    tag = "hasValueFlow" and
-    exists(DataFlow::Node src, DataFlow::Node sink | DefaultValueFlow::flow(src, sink) |
-      sink.getLocation() = location and
-      element = sink.toString() and
-      if exists(getSourceArgString(src)) then value = getSourceArgString(src) else value = ""
-    )
-    or
-    tag = "hasTaintFlow" and
-    exists(DataFlow::Node src, DataFlow::Node sink |
-      DefaultTaintFlow::flow(src, sink) and not DefaultValueFlow::flow(src, sink)
-    |
-      sink.getLocation() = location and
-      element = sink.toString() and
-      if exists(getSourceArgString(src)) then value = getSourceArgString(src) else value = ""
-    )
+  private module InlineTest implements TestSig {
+    string getARelevantTag() { result = ["hasValueFlow", "hasTaintFlow"] }
+
+    predicate hasActualResult(Location location, string element, string tag, string value) {
+      tag = "hasValueFlow" and
+      exists(DataFlow::Node src, DataFlow::Node sink | ValueFlow::flow(src, sink) |
+        sink.getLocation() = location and
+        element = sink.toString() and
+        if exists(getSourceArgString(src)) then value = getSourceArgString(src) else value = ""
+      )
+      or
+      tag = "hasTaintFlow" and
+      exists(DataFlow::Node src, DataFlow::Node sink |
+        TaintFlow::flow(src, sink) and not ValueFlow::flow(src, sink)
+      |
+        sink.getLocation() = location and
+        element = sink.toString() and
+        if exists(getSourceArgString(src)) then value = getSourceArgString(src) else value = ""
+      )
+    }
+  }
+
+  import MakeTest<InlineTest>
+  import DataFlow::MergePathGraph<ValueFlow::PathNode, TaintFlow::PathNode, ValueFlow::PathGraph, TaintFlow::PathGraph>
+
+  predicate flowPath(PathNode source, PathNode sink) {
+    ValueFlow::flowPath(source.asPathNode1(), sink.asPathNode1()) or
+    TaintFlow::flowPath(source.asPathNode2(), sink.asPathNode2())
   }
 }
+
+module DefaultFlowTest = FlowTest<DefaultFlowConfig, DefaultFlowConfig>;
+
+module ValueFlowTest<DataFlow::ConfigSig ValueFlowConfig> {
+  import FlowTest<ValueFlowConfig, NoFlowConfig>
+}
+
+module TaintFlowTest<DataFlow::ConfigSig TaintFlowConfig> {
+  import FlowTest<NoFlowConfig, TaintFlowConfig>
+}

csharp/ql/test/library-tests/dataflow/fields/FieldFlow.ql

@@ -3,9 +3,10 @@
  */
 
 import csharp
-import DefaultValueFlow::PathGraph
 import TestUtilities.InlineFlowTest
+import DefaultFlowTest
+import PathGraph
 
-from DefaultValueFlow::PathNode source, DefaultValueFlow::PathNode sink
-where DefaultValueFlow::flowPath(source, sink)
+from PathNode source, PathNode sink
+where flowPath(source, sink)
 select sink, source, sink, "$@", source, source.toString()

csharp/ql/test/library-tests/dataflow/operators/operatorFlow.expected

@@ -1,95 +1,186 @@
 failures
+testFailures
 edges
 | Operator.cs:9:39:9:39 | x : C | Operator.cs:9:50:9:50 | access to parameter x : C |
+| Operator.cs:9:39:9:39 | x : C | Operator.cs:9:50:9:50 | access to parameter x : C |
+| Operator.cs:16:38:16:38 | x : C | Operator.cs:16:49:16:49 | access to parameter x : C |
 | Operator.cs:16:38:16:38 | x : C | Operator.cs:16:49:16:49 | access to parameter x : C |
 | Operator.cs:18:51:18:51 | y : C | Operator.cs:18:57:18:57 | access to parameter y : C |
+| Operator.cs:18:51:18:51 | y : C | Operator.cs:18:57:18:57 | access to parameter y : C |
+| Operator.cs:19:38:19:38 | x : C | Operator.cs:19:49:19:49 | access to parameter x : C |
 | Operator.cs:19:38:19:38 | x : C | Operator.cs:19:49:19:49 | access to parameter x : C |
 | Operator.cs:21:43:21:43 | y : C | Operator.cs:21:49:21:49 | access to parameter y : C |
+| Operator.cs:21:43:21:43 | y : C | Operator.cs:21:49:21:49 | access to parameter y : C |
+| Operator.cs:22:51:22:51 | y : C | Operator.cs:22:57:22:57 | access to parameter y : C |
 | Operator.cs:22:51:22:51 | y : C | Operator.cs:22:57:22:57 | access to parameter y : C |
 | Operator.cs:27:17:27:28 | call to method Source<C> : C | Operator.cs:29:17:29:17 | access to local variable x : C |
+| Operator.cs:27:17:27:28 | call to method Source<C> : C | Operator.cs:29:17:29:17 | access to local variable x : C |
+| Operator.cs:29:17:29:17 | access to local variable x : C | Operator.cs:16:38:16:38 | x : C |
 | Operator.cs:29:17:29:17 | access to local variable x : C | Operator.cs:16:38:16:38 | x : C |
 | Operator.cs:29:17:29:17 | access to local variable x : C | Operator.cs:29:17:29:21 | call to operator + : C |
+| Operator.cs:29:17:29:17 | access to local variable x : C | Operator.cs:29:17:29:21 | call to operator + : C |
+| Operator.cs:29:17:29:21 | call to operator + : C | Operator.cs:30:14:30:14 | access to local variable z |
 | Operator.cs:29:17:29:21 | call to operator + : C | Operator.cs:30:14:30:14 | access to local variable z |
 | Operator.cs:35:17:35:28 | call to method Source<C> : C | Operator.cs:37:27:37:27 | access to local variable x : C |
+| Operator.cs:35:17:35:28 | call to method Source<C> : C | Operator.cs:37:27:37:27 | access to local variable x : C |
+| Operator.cs:37:27:37:27 | access to local variable x : C | Operator.cs:19:38:19:38 | x : C |
 | Operator.cs:37:27:37:27 | access to local variable x : C | Operator.cs:19:38:19:38 | x : C |
 | Operator.cs:37:27:37:27 | access to local variable x : C | Operator.cs:37:27:37:31 | call to operator - : C |
+| Operator.cs:37:27:37:27 | access to local variable x : C | Operator.cs:37:27:37:31 | call to operator - : C |
+| Operator.cs:37:27:37:31 | call to operator - : C | Operator.cs:38:14:38:14 | access to local variable z |
 | Operator.cs:37:27:37:31 | call to operator - : C | Operator.cs:38:14:38:14 | access to local variable z |
 | Operator.cs:44:17:44:28 | call to method Source<C> : C | Operator.cs:45:29:45:29 | access to local variable y : C |
+| Operator.cs:44:17:44:28 | call to method Source<C> : C | Operator.cs:45:29:45:29 | access to local variable y : C |
+| Operator.cs:45:25:45:29 | call to operator checked - : C | Operator.cs:46:14:46:14 | access to local variable z |
 | Operator.cs:45:25:45:29 | call to operator checked - : C | Operator.cs:46:14:46:14 | access to local variable z |
 | Operator.cs:45:29:45:29 | access to local variable y : C | Operator.cs:18:51:18:51 | y : C |
+| Operator.cs:45:29:45:29 | access to local variable y : C | Operator.cs:18:51:18:51 | y : C |
+| Operator.cs:45:29:45:29 | access to local variable y : C | Operator.cs:45:25:45:29 | call to operator checked - : C |
 | Operator.cs:45:29:45:29 | access to local variable y : C | Operator.cs:45:25:45:29 | call to operator checked - : C |
 | Operator.cs:49:28:49:28 | x : C | Operator.cs:51:17:51:17 | access to parameter x : C |
+| Operator.cs:49:28:49:28 | x : C | Operator.cs:51:17:51:17 | access to parameter x : C |
+| Operator.cs:51:17:51:17 | access to parameter x : C | Operator.cs:9:39:9:39 | x : C |
 | Operator.cs:51:17:51:17 | access to parameter x : C | Operator.cs:9:39:9:39 | x : C |
 | Operator.cs:51:17:51:17 | access to parameter x : C | Operator.cs:51:17:51:21 | call to operator * : C |
+| Operator.cs:51:17:51:17 | access to parameter x : C | Operator.cs:51:17:51:21 | call to operator * : C |
+| Operator.cs:51:17:51:21 | call to operator * : C | Operator.cs:52:14:52:14 | (...) ... |
 | Operator.cs:51:17:51:21 | call to operator * : C | Operator.cs:52:14:52:14 | (...) ... |
 | Operator.cs:57:17:57:28 | call to method Source<C> : C | Operator.cs:59:15:59:15 | access to local variable x : C |
+| Operator.cs:57:17:57:28 | call to method Source<C> : C | Operator.cs:59:15:59:15 | access to local variable x : C |
+| Operator.cs:59:15:59:15 | access to local variable x : C | Operator.cs:49:28:49:28 | x : C |
 | Operator.cs:59:15:59:15 | access to local variable x : C | Operator.cs:49:28:49:28 | x : C |
 | Operator.cs:62:33:62:33 | y : C | Operator.cs:64:21:64:21 | access to parameter y : C |
+| Operator.cs:62:33:62:33 | y : C | Operator.cs:64:21:64:21 | access to parameter y : C |
+| Operator.cs:64:17:64:21 | call to operator / : C | Operator.cs:65:14:65:14 | (...) ... |
 | Operator.cs:64:17:64:21 | call to operator / : C | Operator.cs:65:14:65:14 | (...) ... |
 | Operator.cs:64:21:64:21 | access to parameter y : C | Operator.cs:21:43:21:43 | y : C |
+| Operator.cs:64:21:64:21 | access to parameter y : C | Operator.cs:21:43:21:43 | y : C |
+| Operator.cs:64:21:64:21 | access to parameter y : C | Operator.cs:64:17:64:21 | call to operator / : C |
 | Operator.cs:64:21:64:21 | access to parameter y : C | Operator.cs:64:17:64:21 | call to operator / : C |
 | Operator.cs:71:17:71:29 | call to method Source<C> : C | Operator.cs:72:18:72:18 | access to local variable y : C |
+| Operator.cs:71:17:71:29 | call to method Source<C> : C | Operator.cs:72:18:72:18 | access to local variable y : C |
+| Operator.cs:72:18:72:18 | access to local variable y : C | Operator.cs:62:33:62:33 | y : C |
 | Operator.cs:72:18:72:18 | access to local variable y : C | Operator.cs:62:33:62:33 | y : C |
 | Operator.cs:75:33:75:33 | y : C | Operator.cs:77:29:77:29 | access to parameter y : C |
+| Operator.cs:75:33:75:33 | y : C | Operator.cs:77:29:77:29 | access to parameter y : C |
+| Operator.cs:77:25:77:29 | call to operator checked / : C | Operator.cs:78:14:78:14 | (...) ... |
 | Operator.cs:77:25:77:29 | call to operator checked / : C | Operator.cs:78:14:78:14 | (...) ... |
 | Operator.cs:77:29:77:29 | access to parameter y : C | Operator.cs:22:51:22:51 | y : C |
+| Operator.cs:77:29:77:29 | access to parameter y : C | Operator.cs:22:51:22:51 | y : C |
+| Operator.cs:77:29:77:29 | access to parameter y : C | Operator.cs:77:25:77:29 | call to operator checked / : C |
 | Operator.cs:77:29:77:29 | access to parameter y : C | Operator.cs:77:25:77:29 | call to operator checked / : C |
 | Operator.cs:84:17:84:29 | call to method Source<C> : C | Operator.cs:85:18:85:18 | access to local variable y : C |
+| Operator.cs:84:17:84:29 | call to method Source<C> : C | Operator.cs:85:18:85:18 | access to local variable y : C |
+| Operator.cs:85:18:85:18 | access to local variable y : C | Operator.cs:75:33:75:33 | y : C |
 | Operator.cs:85:18:85:18 | access to local variable y : C | Operator.cs:75:33:75:33 | y : C |
 nodes
 | Operator.cs:9:39:9:39 | x : C | semmle.label | x : C |
+| Operator.cs:9:39:9:39 | x : C | semmle.label | x : C |
+| Operator.cs:9:50:9:50 | access to parameter x : C | semmle.label | access to parameter x : C |
 | Operator.cs:9:50:9:50 | access to parameter x : C | semmle.label | access to parameter x : C |
 | Operator.cs:16:38:16:38 | x : C | semmle.label | x : C |
+| Operator.cs:16:38:16:38 | x : C | semmle.label | x : C |
+| Operator.cs:16:49:16:49 | access to parameter x : C | semmle.label | access to parameter x : C |
 | Operator.cs:16:49:16:49 | access to parameter x : C | semmle.label | access to parameter x : C |
 | Operator.cs:18:51:18:51 | y : C | semmle.label | y : C |
+| Operator.cs:18:51:18:51 | y : C | semmle.label | y : C |
+| Operator.cs:18:57:18:57 | access to parameter y : C | semmle.label | access to parameter y : C |
 | Operator.cs:18:57:18:57 | access to parameter y : C | semmle.label | access to parameter y : C |
 | Operator.cs:19:38:19:38 | x : C | semmle.label | x : C |
+| Operator.cs:19:38:19:38 | x : C | semmle.label | x : C |
+| Operator.cs:19:49:19:49 | access to parameter x : C | semmle.label | access to parameter x : C |
 | Operator.cs:19:49:19:49 | access to parameter x : C | semmle.label | access to parameter x : C |
 | Operator.cs:21:43:21:43 | y : C | semmle.label | y : C |
+| Operator.cs:21:43:21:43 | y : C | semmle.label | y : C |
+| Operator.cs:21:49:21:49 | access to parameter y : C | semmle.label | access to parameter y : C |
 | Operator.cs:21:49:21:49 | access to parameter y : C | semmle.label | access to parameter y : C |
 | Operator.cs:22:51:22:51 | y : C | semmle.label | y : C |
+| Operator.cs:22:51:22:51 | y : C | semmle.label | y : C |
+| Operator.cs:22:57:22:57 | access to parameter y : C | semmle.label | access to parameter y : C |
 | Operator.cs:22:57:22:57 | access to parameter y : C | semmle.label | access to parameter y : C |
 | Operator.cs:27:17:27:28 | call to method Source<C> : C | semmle.label | call to method Source<C> : C |
+| Operator.cs:27:17:27:28 | call to method Source<C> : C | semmle.label | call to method Source<C> : C |
+| Operator.cs:29:17:29:17 | access to local variable x : C | semmle.label | access to local variable x : C |
 | Operator.cs:29:17:29:17 | access to local variable x : C | semmle.label | access to local variable x : C |
 | Operator.cs:29:17:29:21 | call to operator + : C | semmle.label | call to operator + : C |
+| Operator.cs:29:17:29:21 | call to operator + : C | semmle.label | call to operator + : C |
+| Operator.cs:30:14:30:14 | access to local variable z | semmle.label | access to local variable z |
 | Operator.cs:30:14:30:14 | access to local variable z | semmle.label | access to local variable z |
 | Operator.cs:35:17:35:28 | call to method Source<C> : C | semmle.label | call to method Source<C> : C |
+| Operator.cs:35:17:35:28 | call to method Source<C> : C | semmle.label | call to method Source<C> : C |
+| Operator.cs:37:27:37:27 | access to local variable x : C | semmle.label | access to local variable x : C |
 | Operator.cs:37:27:37:27 | access to local variable x : C | semmle.label | access to local variable x : C |
 | Operator.cs:37:27:37:31 | call to operator - : C | semmle.label | call to operator - : C |
+| Operator.cs:37:27:37:31 | call to operator - : C | semmle.label | call to operator - : C |
+| Operator.cs:38:14:38:14 | access to local variable z | semmle.label | access to local variable z |
 | Operator.cs:38:14:38:14 | access to local variable z | semmle.label | access to local variable z |
 | Operator.cs:44:17:44:28 | call to method Source<C> : C | semmle.label | call to method Source<C> : C |
+| Operator.cs:44:17:44:28 | call to method Source<C> : C | semmle.label | call to method Source<C> : C |
+| Operator.cs:45:25:45:29 | call to operator checked - : C | semmle.label | call to operator checked - : C |
 | Operator.cs:45:25:45:29 | call to operator checked - : C | semmle.label | call to operator checked - : C |
 | Operator.cs:45:29:45:29 | access to local variable y : C | semmle.label | access to local variable y : C |
+| Operator.cs:45:29:45:29 | access to local variable y : C | semmle.label | access to local variable y : C |
+| Operator.cs:46:14:46:14 | access to local variable z | semmle.label | access to local variable z |
 | Operator.cs:46:14:46:14 | access to local variable z | semmle.label | access to local variable z |
 | Operator.cs:49:28:49:28 | x : C | semmle.label | x : C |
+| Operator.cs:49:28:49:28 | x : C | semmle.label | x : C |
+| Operator.cs:51:17:51:17 | access to parameter x : C | semmle.label | access to parameter x : C |
 | Operator.cs:51:17:51:17 | access to parameter x : C | semmle.label | access to parameter x : C |
 | Operator.cs:51:17:51:21 | call to operator * : C | semmle.label | call to operator * : C |
+| Operator.cs:51:17:51:21 | call to operator * : C | semmle.label | call to operator * : C |
+| Operator.cs:52:14:52:14 | (...) ... | semmle.label | (...) ... |
 | Operator.cs:52:14:52:14 | (...) ... | semmle.label | (...) ... |
 | Operator.cs:57:17:57:28 | call to method Source<C> : C | semmle.label | call to method Source<C> : C |
+| Operator.cs:57:17:57:28 | call to method Source<C> : C | semmle.label | call to method Source<C> : C |
+| Operator.cs:59:15:59:15 | access to local variable x : C | semmle.label | access to local variable x : C |
 | Operator.cs:59:15:59:15 | access to local variable x : C | semmle.label | access to local variable x : C |
 | Operator.cs:62:33:62:33 | y : C | semmle.label | y : C |
+| Operator.cs:62:33:62:33 | y : C | semmle.label | y : C |
+| Operator.cs:64:17:64:21 | call to operator / : C | semmle.label | call to operator / : C |
 | Operator.cs:64:17:64:21 | call to operator / : C | semmle.label | call to operator / : C |
 | Operator.cs:64:21:64:21 | access to parameter y : C | semmle.label | access to parameter y : C |
+| Operator.cs:64:21:64:21 | access to parameter y : C | semmle.label | access to parameter y : C |
+| Operator.cs:65:14:65:14 | (...) ... | semmle.label | (...) ... |
 | Operator.cs:65:14:65:14 | (...) ... | semmle.label | (...) ... |
 | Operator.cs:71:17:71:29 | call to method Source<C> : C | semmle.label | call to method Source<C> : C |
+| Operator.cs:71:17:71:29 | call to method Source<C> : C | semmle.label | call to method Source<C> : C |
+| Operator.cs:72:18:72:18 | access to local variable y : C | semmle.label | access to local variable y : C |
 | Operator.cs:72:18:72:18 | access to local variable y : C | semmle.label | access to local variable y : C |
 | Operator.cs:75:33:75:33 | y : C | semmle.label | y : C |
+| Operator.cs:75:33:75:33 | y : C | semmle.label | y : C |
+| Operator.cs:77:25:77:29 | call to operator checked / : C | semmle.label | call to operator checked / : C |
 | Operator.cs:77:25:77:29 | call to operator checked / : C | semmle.label | call to operator checked / : C |
 | Operator.cs:77:29:77:29 | access to parameter y : C | semmle.label | access to parameter y : C |
+| Operator.cs:77:29:77:29 | access to parameter y : C | semmle.label | access to parameter y : C |
+| Operator.cs:78:14:78:14 | (...) ... | semmle.label | (...) ... |
 | Operator.cs:78:14:78:14 | (...) ... | semmle.label | (...) ... |
 | Operator.cs:84:17:84:29 | call to method Source<C> : C | semmle.label | call to method Source<C> : C |
+| Operator.cs:84:17:84:29 | call to method Source<C> : C | semmle.label | call to method Source<C> : C |
+| Operator.cs:85:18:85:18 | access to local variable y : C | semmle.label | access to local variable y : C |
 | Operator.cs:85:18:85:18 | access to local variable y : C | semmle.label | access to local variable y : C |
 subpaths
 | Operator.cs:29:17:29:17 | access to local variable x : C | Operator.cs:16:38:16:38 | x : C | Operator.cs:16:49:16:49 | access to parameter x : C | Operator.cs:29:17:29:21 | call to operator + : C |
+| Operator.cs:29:17:29:17 | access to local variable x : C | Operator.cs:16:38:16:38 | x : C | Operator.cs:16:49:16:49 | access to parameter x : C | Operator.cs:29:17:29:21 | call to operator + : C |
+| Operator.cs:37:27:37:27 | access to local variable x : C | Operator.cs:19:38:19:38 | x : C | Operator.cs:19:49:19:49 | access to parameter x : C | Operator.cs:37:27:37:31 | call to operator - : C |
 | Operator.cs:37:27:37:27 | access to local variable x : C | Operator.cs:19:38:19:38 | x : C | Operator.cs:19:49:19:49 | access to parameter x : C | Operator.cs:37:27:37:31 | call to operator - : C |
 | Operator.cs:45:29:45:29 | access to local variable y : C | Operator.cs:18:51:18:51 | y : C | Operator.cs:18:57:18:57 | access to parameter y : C | Operator.cs:45:25:45:29 | call to operator checked - : C |
+| Operator.cs:45:29:45:29 | access to local variable y : C | Operator.cs:18:51:18:51 | y : C | Operator.cs:18:57:18:57 | access to parameter y : C | Operator.cs:45:25:45:29 | call to operator checked - : C |
+| Operator.cs:51:17:51:17 | access to parameter x : C | Operator.cs:9:39:9:39 | x : C | Operator.cs:9:50:9:50 | access to parameter x : C | Operator.cs:51:17:51:21 | call to operator * : C |
 | Operator.cs:51:17:51:17 | access to parameter x : C | Operator.cs:9:39:9:39 | x : C | Operator.cs:9:50:9:50 | access to parameter x : C | Operator.cs:51:17:51:21 | call to operator * : C |
 | Operator.cs:64:21:64:21 | access to parameter y : C | Operator.cs:21:43:21:43 | y : C | Operator.cs:21:49:21:49 | access to parameter y : C | Operator.cs:64:17:64:21 | call to operator / : C |
+| Operator.cs:64:21:64:21 | access to parameter y : C | Operator.cs:21:43:21:43 | y : C | Operator.cs:21:49:21:49 | access to parameter y : C | Operator.cs:64:17:64:21 | call to operator / : C |
+| Operator.cs:77:29:77:29 | access to parameter y : C | Operator.cs:22:51:22:51 | y : C | Operator.cs:22:57:22:57 | access to parameter y : C | Operator.cs:77:25:77:29 | call to operator checked / : C |
 | Operator.cs:77:29:77:29 | access to parameter y : C | Operator.cs:22:51:22:51 | y : C | Operator.cs:22:57:22:57 | access to parameter y : C | Operator.cs:77:25:77:29 | call to operator checked / : C |
 #select
 | Operator.cs:30:14:30:14 | access to local variable z | Operator.cs:27:17:27:28 | call to method Source<C> : C | Operator.cs:30:14:30:14 | access to local variable z | $@ | Operator.cs:27:17:27:28 | call to method Source<C> : C | call to method Source<C> : C |
+| Operator.cs:30:14:30:14 | access to local variable z | Operator.cs:27:17:27:28 | call to method Source<C> : C | Operator.cs:30:14:30:14 | access to local variable z | $@ | Operator.cs:27:17:27:28 | call to method Source<C> : C | call to method Source<C> : C |
+| Operator.cs:38:14:38:14 | access to local variable z | Operator.cs:35:17:35:28 | call to method Source<C> : C | Operator.cs:38:14:38:14 | access to local variable z | $@ | Operator.cs:35:17:35:28 | call to method Source<C> : C | call to method Source<C> : C |
 | Operator.cs:38:14:38:14 | access to local variable z | Operator.cs:35:17:35:28 | call to method Source<C> : C | Operator.cs:38:14:38:14 | access to local variable z | $@ | Operator.cs:35:17:35:28 | call to method Source<C> : C | call to method Source<C> : C |
 | Operator.cs:46:14:46:14 | access to local variable z | Operator.cs:44:17:44:28 | call to method Source<C> : C | Operator.cs:46:14:46:14 | access to local variable z | $@ | Operator.cs:44:17:44:28 | call to method Source<C> : C | call to method Source<C> : C |
+| Operator.cs:46:14:46:14 | access to local variable z | Operator.cs:44:17:44:28 | call to method Source<C> : C | Operator.cs:46:14:46:14 | access to local variable z | $@ | Operator.cs:44:17:44:28 | call to method Source<C> : C | call to method Source<C> : C |
+| Operator.cs:52:14:52:14 | (...) ... | Operator.cs:57:17:57:28 | call to method Source<C> : C | Operator.cs:52:14:52:14 | (...) ... | $@ | Operator.cs:57:17:57:28 | call to method Source<C> : C | call to method Source<C> : C |
 | Operator.cs:52:14:52:14 | (...) ... | Operator.cs:57:17:57:28 | call to method Source<C> : C | Operator.cs:52:14:52:14 | (...) ... | $@ | Operator.cs:57:17:57:28 | call to method Source<C> : C | call to method Source<C> : C |
 | Operator.cs:65:14:65:14 | (...) ... | Operator.cs:71:17:71:29 | call to method Source<C> : C | Operator.cs:65:14:65:14 | (...) ... | $@ | Operator.cs:71:17:71:29 | call to method Source<C> : C | call to method Source<C> : C |
+| Operator.cs:65:14:65:14 | (...) ... | Operator.cs:71:17:71:29 | call to method Source<C> : C | Operator.cs:65:14:65:14 | (...) ... | $@ | Operator.cs:71:17:71:29 | call to method Source<C> : C | call to method Source<C> : C |
+| Operator.cs:78:14:78:14 | (...) ... | Operator.cs:84:17:84:29 | call to method Source<C> : C | Operator.cs:78:14:78:14 | (...) ... | $@ | Operator.cs:84:17:84:29 | call to method Source<C> : C | call to method Source<C> : C |
 | Operator.cs:78:14:78:14 | (...) ... | Operator.cs:84:17:84:29 | call to method Source<C> : C | Operator.cs:78:14:78:14 | (...) ... | $@ | Operator.cs:84:17:84:29 | call to method Source<C> : C | call to method Source<C> : C |

csharp/ql/test/library-tests/dataflow/operators/operatorFlow.ql

@@ -3,9 +3,10 @@
  */
 
 import csharp
-import DefaultValueFlow::PathGraph
 import TestUtilities.InlineFlowTest
+import DefaultFlowTest
+import PathGraph
 
-from DefaultValueFlow::PathNode source, DefaultValueFlow::PathNode sink
-where DefaultValueFlow::flowPath(source, sink)
+from PathNode source, PathNode sink
+where flowPath(source, sink)
 select sink, source, sink, "$@", source, source.toString()

csharp/ql/test/library-tests/dataflow/patterns/PatternFlow.expected

@@ -1,4 +1,5 @@
 failures
+testFailures
 edges
 nodes
 subpaths

csharp/ql/test/library-tests/dataflow/patterns/PatternFlow.ql

@@ -3,9 +3,10 @@
  */
 
 import csharp
-import DefaultValueFlow::PathGraph
 import TestUtilities.InlineFlowTest
+import DefaultFlowTest
+import PathGraph
 
-from DefaultValueFlow::PathNode source, DefaultValueFlow::PathNode sink
-where DefaultValueFlow::flowPath(source, sink)
+from PathNode source, PathNode sink
+where flowPath(source, sink)
 select sink, source, sink, "$@", source, source.toString()

csharp/ql/test/library-tests/dataflow/tuples/Tuples.expected

@@ -1,233 +1,462 @@
 failures
+testFailures
 edges
 | Tuples.cs:7:18:7:34 | call to method Source<Object> : Object | Tuples.cs:10:21:10:22 | access to local variable o1 : Object |
+| Tuples.cs:7:18:7:34 | call to method Source<Object> : Object | Tuples.cs:10:21:10:22 | access to local variable o1 : Object |
+| Tuples.cs:8:18:8:34 | call to method Source<Object> : Object | Tuples.cs:10:29:10:30 | access to local variable o2 : Object |
 | Tuples.cs:8:18:8:34 | call to method Source<Object> : Object | Tuples.cs:10:29:10:30 | access to local variable o2 : Object |
 | Tuples.cs:10:17:10:32 | (..., ...) : ValueTuple<Object,ValueTuple<Int32,Object>> [field Item1] : Object | Tuples.cs:11:9:11:23 | (..., ...) : ValueTuple<Object,ValueTuple<Int32,Object>> [field Item1] : Object |
+| Tuples.cs:10:17:10:32 | (..., ...) : ValueTuple<Object,ValueTuple<Int32,Object>> [field Item1] : Object | Tuples.cs:11:9:11:23 | (..., ...) : ValueTuple<Object,ValueTuple<Int32,Object>> [field Item1] : Object |
+| Tuples.cs:10:17:10:32 | (..., ...) : ValueTuple<Object,ValueTuple<Int32,Object>> [field Item1] : Object | Tuples.cs:16:9:16:19 | (..., ...) : ValueTuple<Object,ValueTuple<Int32,Object>> [field Item1] : Object |
 | Tuples.cs:10:17:10:32 | (..., ...) : ValueTuple<Object,ValueTuple<Int32,Object>> [field Item1] : Object | Tuples.cs:16:9:16:19 | (..., ...) : ValueTuple<Object,ValueTuple<Int32,Object>> [field Item1] : Object |
 | Tuples.cs:10:17:10:32 | (..., ...) : ValueTuple<Object,ValueTuple<Int32,Object>> [field Item1] : Object | Tuples.cs:21:9:21:22 | (..., ...) : ValueTuple<Object,ValueTuple<Int32,Object>> [field Item1] : Object |
+| Tuples.cs:10:17:10:32 | (..., ...) : ValueTuple<Object,ValueTuple<Int32,Object>> [field Item1] : Object | Tuples.cs:21:9:21:22 | (..., ...) : ValueTuple<Object,ValueTuple<Int32,Object>> [field Item1] : Object |
+| Tuples.cs:10:17:10:32 | (..., ...) : ValueTuple<Object,ValueTuple<Int32,Object>> [field Item1] : Object | Tuples.cs:26:14:26:14 | access to local variable x : ValueTuple<Object,ValueTuple<Int32,Object>> [field Item1] : Object |
 | Tuples.cs:10:17:10:32 | (..., ...) : ValueTuple<Object,ValueTuple<Int32,Object>> [field Item1] : Object | Tuples.cs:26:14:26:14 | access to local variable x : ValueTuple<Object,ValueTuple<Int32,Object>> [field Item1] : Object |
 | Tuples.cs:10:17:10:32 | (..., ...) : ValueTuple<Object,ValueTuple<Int32,Object>> [field Item1] : Object | Tuples.cs:27:14:27:14 | access to local variable x : ValueTuple<Object,ValueTuple<Int32,Object>> [field Item1] : Object |
+| Tuples.cs:10:17:10:32 | (..., ...) : ValueTuple<Object,ValueTuple<Int32,Object>> [field Item1] : Object | Tuples.cs:27:14:27:14 | access to local variable x : ValueTuple<Object,ValueTuple<Int32,Object>> [field Item1] : Object |
+| Tuples.cs:10:17:10:32 | (..., ...) : ValueTuple<Object,ValueTuple<Int32,Object>> [field Item2, field Item2] : Object | Tuples.cs:11:9:11:23 | (..., ...) : ValueTuple<Object,ValueTuple<Int32,Object>> [field Item2, field Item2] : Object |
 | Tuples.cs:10:17:10:32 | (..., ...) : ValueTuple<Object,ValueTuple<Int32,Object>> [field Item2, field Item2] : Object | Tuples.cs:11:9:11:23 | (..., ...) : ValueTuple<Object,ValueTuple<Int32,Object>> [field Item2, field Item2] : Object |
 | Tuples.cs:10:17:10:32 | (..., ...) : ValueTuple<Object,ValueTuple<Int32,Object>> [field Item2, field Item2] : Object | Tuples.cs:16:9:16:19 | (..., ...) : ValueTuple<Object,ValueTuple<Int32,Object>> [field Item2, field Item2] : Object |
+| Tuples.cs:10:17:10:32 | (..., ...) : ValueTuple<Object,ValueTuple<Int32,Object>> [field Item2, field Item2] : Object | Tuples.cs:16:9:16:19 | (..., ...) : ValueTuple<Object,ValueTuple<Int32,Object>> [field Item2, field Item2] : Object |
+| Tuples.cs:10:17:10:32 | (..., ...) : ValueTuple<Object,ValueTuple<Int32,Object>> [field Item2, field Item2] : Object | Tuples.cs:21:9:21:22 | (..., ...) : ValueTuple<Object,ValueTuple<Int32,Object>> [field Item2, field Item2] : Object |
 | Tuples.cs:10:17:10:32 | (..., ...) : ValueTuple<Object,ValueTuple<Int32,Object>> [field Item2, field Item2] : Object | Tuples.cs:21:9:21:22 | (..., ...) : ValueTuple<Object,ValueTuple<Int32,Object>> [field Item2, field Item2] : Object |
 | Tuples.cs:10:17:10:32 | (..., ...) : ValueTuple<Object,ValueTuple<Int32,Object>> [field Item2, field Item2] : Object | Tuples.cs:29:14:29:14 | access to local variable x : ValueTuple<Object,ValueTuple<Int32,Object>> [field Item2, field Item2] : Object |
+| Tuples.cs:10:17:10:32 | (..., ...) : ValueTuple<Object,ValueTuple<Int32,Object>> [field Item2, field Item2] : Object | Tuples.cs:29:14:29:14 | access to local variable x : ValueTuple<Object,ValueTuple<Int32,Object>> [field Item2, field Item2] : Object |
+| Tuples.cs:10:21:10:22 | access to local variable o1 : Object | Tuples.cs:10:17:10:32 | (..., ...) : ValueTuple<Object,ValueTuple<Int32,Object>> [field Item1] : Object |
 | Tuples.cs:10:21:10:22 | access to local variable o1 : Object | Tuples.cs:10:17:10:32 | (..., ...) : ValueTuple<Object,ValueTuple<Int32,Object>> [field Item1] : Object |
 | Tuples.cs:10:25:10:31 | (..., ...) : ValueTuple<Int32,Object> [field Item2] : Object | Tuples.cs:10:17:10:32 | (..., ...) : ValueTuple<Object,ValueTuple<Int32,Object>> [field Item2, field Item2] : Object |
+| Tuples.cs:10:25:10:31 | (..., ...) : ValueTuple<Int32,Object> [field Item2] : Object | Tuples.cs:10:17:10:32 | (..., ...) : ValueTuple<Object,ValueTuple<Int32,Object>> [field Item2, field Item2] : Object |
+| Tuples.cs:10:29:10:30 | access to local variable o2 : Object | Tuples.cs:10:25:10:31 | (..., ...) : ValueTuple<Int32,Object> [field Item2] : Object |
 | Tuples.cs:10:29:10:30 | access to local variable o2 : Object | Tuples.cs:10:25:10:31 | (..., ...) : ValueTuple<Int32,Object> [field Item2] : Object |
 | Tuples.cs:11:9:11:23 | (..., ...) : ValueTuple<Int32,Object> [field Item2] : Object | Tuples.cs:11:9:11:27 | SSA def(c) : Object |
+| Tuples.cs:11:9:11:23 | (..., ...) : ValueTuple<Int32,Object> [field Item2] : Object | Tuples.cs:11:9:11:27 | SSA def(c) : Object |
+| Tuples.cs:11:9:11:23 | (..., ...) : ValueTuple<Object,ValueTuple<Int32,Object>> [field Item1] : Object | Tuples.cs:11:9:11:27 | SSA def(a) : Object |
 | Tuples.cs:11:9:11:23 | (..., ...) : ValueTuple<Object,ValueTuple<Int32,Object>> [field Item1] : Object | Tuples.cs:11:9:11:27 | SSA def(a) : Object |
 | Tuples.cs:11:9:11:23 | (..., ...) : ValueTuple<Object,ValueTuple<Int32,Object>> [field Item2, field Item2] : Object | Tuples.cs:11:9:11:23 | (..., ...) : ValueTuple<Int32,Object> [field Item2] : Object |
+| Tuples.cs:11:9:11:23 | (..., ...) : ValueTuple<Object,ValueTuple<Int32,Object>> [field Item2, field Item2] : Object | Tuples.cs:11:9:11:23 | (..., ...) : ValueTuple<Int32,Object> [field Item2] : Object |
+| Tuples.cs:11:9:11:27 | SSA def(a) : Object | Tuples.cs:12:14:12:14 | access to local variable a |
 | Tuples.cs:11:9:11:27 | SSA def(a) : Object | Tuples.cs:12:14:12:14 | access to local variable a |
 | Tuples.cs:11:9:11:27 | SSA def(c) : Object | Tuples.cs:14:14:14:14 | access to local variable c |
+| Tuples.cs:11:9:11:27 | SSA def(c) : Object | Tuples.cs:14:14:14:14 | access to local variable c |
+| Tuples.cs:16:9:16:19 | (..., ...) : ValueTuple<Object,ValueTuple<Int32,Object>> [field Item1] : Object | Tuples.cs:16:9:16:23 | SSA def(a) : Object |
 | Tuples.cs:16:9:16:19 | (..., ...) : ValueTuple<Object,ValueTuple<Int32,Object>> [field Item1] : Object | Tuples.cs:16:9:16:23 | SSA def(a) : Object |
 | Tuples.cs:16:9:16:19 | (..., ...) : ValueTuple<Object,ValueTuple<Int32,Object>> [field Item2, field Item2] : Object | Tuples.cs:16:13:16:18 | (..., ...) : ValueTuple<Int32,Object> [field Item2] : Object |
+| Tuples.cs:16:9:16:19 | (..., ...) : ValueTuple<Object,ValueTuple<Int32,Object>> [field Item2, field Item2] : Object | Tuples.cs:16:13:16:18 | (..., ...) : ValueTuple<Int32,Object> [field Item2] : Object |
+| Tuples.cs:16:9:16:23 | SSA def(a) : Object | Tuples.cs:17:14:17:14 | access to local variable a |
 | Tuples.cs:16:9:16:23 | SSA def(a) : Object | Tuples.cs:17:14:17:14 | access to local variable a |
 | Tuples.cs:16:9:16:23 | SSA def(c) : Object | Tuples.cs:19:14:19:14 | access to local variable c |
+| Tuples.cs:16:9:16:23 | SSA def(c) : Object | Tuples.cs:19:14:19:14 | access to local variable c |
+| Tuples.cs:16:13:16:18 | (..., ...) : ValueTuple<Int32,Object> [field Item2] : Object | Tuples.cs:16:9:16:23 | SSA def(c) : Object |
 | Tuples.cs:16:13:16:18 | (..., ...) : ValueTuple<Int32,Object> [field Item2] : Object | Tuples.cs:16:9:16:23 | SSA def(c) : Object |
 | Tuples.cs:21:9:21:22 | (..., ...) : ValueTuple<Object,ValueTuple<Int32,Object>> [field Item1] : Object | Tuples.cs:21:9:21:26 | SSA def(p) : Object |
+| Tuples.cs:21:9:21:22 | (..., ...) : ValueTuple<Object,ValueTuple<Int32,Object>> [field Item1] : Object | Tuples.cs:21:9:21:26 | SSA def(p) : Object |
+| Tuples.cs:21:9:21:22 | (..., ...) : ValueTuple<Object,ValueTuple<Int32,Object>> [field Item2, field Item2] : Object | Tuples.cs:21:9:21:26 | SSA def(q) : ValueTuple<Int32,Object> [field Item2] : Object |
 | Tuples.cs:21:9:21:22 | (..., ...) : ValueTuple<Object,ValueTuple<Int32,Object>> [field Item2, field Item2] : Object | Tuples.cs:21:9:21:26 | SSA def(q) : ValueTuple<Int32,Object> [field Item2] : Object |
 | Tuples.cs:21:9:21:26 | SSA def(p) : Object | Tuples.cs:22:14:22:14 | access to local variable p |
+| Tuples.cs:21:9:21:26 | SSA def(p) : Object | Tuples.cs:22:14:22:14 | access to local variable p |
+| Tuples.cs:21:9:21:26 | SSA def(q) : ValueTuple<Int32,Object> [field Item2] : Object | Tuples.cs:24:14:24:14 | access to local variable q : ValueTuple<Int32,Object> [field Item2] : Object |
 | Tuples.cs:21:9:21:26 | SSA def(q) : ValueTuple<Int32,Object> [field Item2] : Object | Tuples.cs:24:14:24:14 | access to local variable q : ValueTuple<Int32,Object> [field Item2] : Object |
 | Tuples.cs:24:14:24:14 | access to local variable q : ValueTuple<Int32,Object> [field Item2] : Object | Tuples.cs:24:14:24:20 | access to field Item2 |
+| Tuples.cs:24:14:24:14 | access to local variable q : ValueTuple<Int32,Object> [field Item2] : Object | Tuples.cs:24:14:24:20 | access to field Item2 |
+| Tuples.cs:26:14:26:14 | access to local variable x : ValueTuple<Object,ValueTuple<Int32,Object>> [field Item1] : Object | Tuples.cs:26:14:26:20 | access to field Item1 |
 | Tuples.cs:26:14:26:14 | access to local variable x : ValueTuple<Object,ValueTuple<Int32,Object>> [field Item1] : Object | Tuples.cs:26:14:26:20 | access to field Item1 |
 | Tuples.cs:27:14:27:14 | access to local variable x : ValueTuple<Object,ValueTuple<Int32,Object>> [field Item1] : Object | Tuples.cs:27:14:27:16 | access to field Item1 |
+| Tuples.cs:27:14:27:14 | access to local variable x : ValueTuple<Object,ValueTuple<Int32,Object>> [field Item1] : Object | Tuples.cs:27:14:27:16 | access to field Item1 |
+| Tuples.cs:29:14:29:14 | access to local variable x : ValueTuple<Object,ValueTuple<Int32,Object>> [field Item2, field Item2] : Object | Tuples.cs:29:14:29:20 | access to field Item2 : ValueTuple<Int32,Object> [field Item2] : Object |
 | Tuples.cs:29:14:29:14 | access to local variable x : ValueTuple<Object,ValueTuple<Int32,Object>> [field Item2, field Item2] : Object | Tuples.cs:29:14:29:20 | access to field Item2 : ValueTuple<Int32,Object> [field Item2] : Object |
 | Tuples.cs:29:14:29:20 | access to field Item2 : ValueTuple<Int32,Object> [field Item2] : Object | Tuples.cs:29:14:29:26 | access to field Item2 |
+| Tuples.cs:29:14:29:20 | access to field Item2 : ValueTuple<Int32,Object> [field Item2] : Object | Tuples.cs:29:14:29:26 | access to field Item2 |
+| Tuples.cs:34:18:34:34 | call to method Source<Object> : Object | Tuples.cs:37:18:37:19 | access to local variable o1 : Object |
 | Tuples.cs:34:18:34:34 | call to method Source<Object> : Object | Tuples.cs:37:18:37:19 | access to local variable o1 : Object |
 | Tuples.cs:35:18:35:34 | call to method Source<Object> : Object | Tuples.cs:37:46:37:47 | access to local variable o2 : Object |
+| Tuples.cs:35:18:35:34 | call to method Source<Object> : Object | Tuples.cs:37:46:37:47 | access to local variable o2 : Object |
+| Tuples.cs:37:17:37:48 | (..., ...) : ValueTuple<Object,Int32,Int32,Int32,Int32,Int32,Int32,ValueTuple<Int32,Int32,Object>> [field Item1] : Object | Tuples.cs:38:14:38:14 | access to local variable x : ValueTuple<Object,Int32,Int32,Int32,Int32,Int32,Int32,ValueTuple<Int32,Int32,Object>> [field Item1] : Object |
 | Tuples.cs:37:17:37:48 | (..., ...) : ValueTuple<Object,Int32,Int32,Int32,Int32,Int32,Int32,ValueTuple<Int32,Int32,Object>> [field Item1] : Object | Tuples.cs:38:14:38:14 | access to local variable x : ValueTuple<Object,Int32,Int32,Int32,Int32,Int32,Int32,ValueTuple<Int32,Int32,Object>> [field Item1] : Object |
 | Tuples.cs:37:17:37:48 | (..., ...) : ValueTuple<Object,Int32,Int32,Int32,Int32,Int32,Int32,ValueTuple<Int32,Int32,Object>> [field Item10] : Object | Tuples.cs:40:14:40:14 | access to local variable x : ValueTuple<Object,Int32,Int32,Int32,Int32,Int32,Int32,ValueTuple<Int32,Int32,Object>> [field Item10] : Object |
+| Tuples.cs:37:17:37:48 | (..., ...) : ValueTuple<Object,Int32,Int32,Int32,Int32,Int32,Int32,ValueTuple<Int32,Int32,Object>> [field Item10] : Object | Tuples.cs:40:14:40:14 | access to local variable x : ValueTuple<Object,Int32,Int32,Int32,Int32,Int32,Int32,ValueTuple<Int32,Int32,Object>> [field Item10] : Object |
+| Tuples.cs:37:18:37:19 | access to local variable o1 : Object | Tuples.cs:37:17:37:48 | (..., ...) : ValueTuple<Object,Int32,Int32,Int32,Int32,Int32,Int32,ValueTuple<Int32,Int32,Object>> [field Item1] : Object |
 | Tuples.cs:37:18:37:19 | access to local variable o1 : Object | Tuples.cs:37:17:37:48 | (..., ...) : ValueTuple<Object,Int32,Int32,Int32,Int32,Int32,Int32,ValueTuple<Int32,Int32,Object>> [field Item1] : Object |
 | Tuples.cs:37:46:37:47 | access to local variable o2 : Object | Tuples.cs:37:17:37:48 | (..., ...) : ValueTuple<Object,Int32,Int32,Int32,Int32,Int32,Int32,ValueTuple<Int32,Int32,Object>> [field Item10] : Object |
+| Tuples.cs:37:46:37:47 | access to local variable o2 : Object | Tuples.cs:37:17:37:48 | (..., ...) : ValueTuple<Object,Int32,Int32,Int32,Int32,Int32,Int32,ValueTuple<Int32,Int32,Object>> [field Item10] : Object |
+| Tuples.cs:38:14:38:14 | access to local variable x : ValueTuple<Object,Int32,Int32,Int32,Int32,Int32,Int32,ValueTuple<Int32,Int32,Object>> [field Item1] : Object | Tuples.cs:38:14:38:20 | access to field Item1 |
 | Tuples.cs:38:14:38:14 | access to local variable x : ValueTuple<Object,Int32,Int32,Int32,Int32,Int32,Int32,ValueTuple<Int32,Int32,Object>> [field Item1] : Object | Tuples.cs:38:14:38:20 | access to field Item1 |
 | Tuples.cs:40:14:40:14 | access to local variable x : ValueTuple<Object,Int32,Int32,Int32,Int32,Int32,Int32,ValueTuple<Int32,Int32,Object>> [field Item10] : Object | Tuples.cs:40:14:40:21 | access to field Item10 |
+| Tuples.cs:40:14:40:14 | access to local variable x : ValueTuple<Object,Int32,Int32,Int32,Int32,Int32,Int32,ValueTuple<Int32,Int32,Object>> [field Item10] : Object | Tuples.cs:40:14:40:21 | access to field Item10 |
+| Tuples.cs:45:17:45:33 | call to method Source<String> : String | Tuples.cs:46:48:46:48 | access to local variable o : String |
 | Tuples.cs:45:17:45:33 | call to method Source<String> : String | Tuples.cs:46:48:46:48 | access to local variable o : String |
 | Tuples.cs:46:17:46:55 | (...) ... : ValueTuple<String,Int32,Int32> [field Item1] : String | Tuples.cs:47:14:47:14 | access to local variable x : ValueTuple<String,Int32,Int32> [field Item1] : String |
+| Tuples.cs:46:17:46:55 | (...) ... : ValueTuple<String,Int32,Int32> [field Item1] : String | Tuples.cs:47:14:47:14 | access to local variable x : ValueTuple<String,Int32,Int32> [field Item1] : String |
+| Tuples.cs:46:47:46:55 | (..., ...) : ValueTuple<String,Int32,Int32> [field Item1] : String | Tuples.cs:46:17:46:55 | (...) ... : ValueTuple<String,Int32,Int32> [field Item1] : String |
 | Tuples.cs:46:47:46:55 | (..., ...) : ValueTuple<String,Int32,Int32> [field Item1] : String | Tuples.cs:46:17:46:55 | (...) ... : ValueTuple<String,Int32,Int32> [field Item1] : String |
 | Tuples.cs:46:48:46:48 | access to local variable o : String | Tuples.cs:46:47:46:55 | (..., ...) : ValueTuple<String,Int32,Int32> [field Item1] : String |
+| Tuples.cs:46:48:46:48 | access to local variable o : String | Tuples.cs:46:47:46:55 | (..., ...) : ValueTuple<String,Int32,Int32> [field Item1] : String |
+| Tuples.cs:47:14:47:14 | access to local variable x : ValueTuple<String,Int32,Int32> [field Item1] : String | Tuples.cs:47:14:47:20 | access to field Item1 |
 | Tuples.cs:47:14:47:14 | access to local variable x : ValueTuple<String,Int32,Int32> [field Item1] : String | Tuples.cs:47:14:47:20 | access to field Item1 |
 | Tuples.cs:57:18:57:34 | call to method Source<String> : String | Tuples.cs:59:18:59:19 | access to local variable o1 : String |
+| Tuples.cs:57:18:57:34 | call to method Source<String> : String | Tuples.cs:59:18:59:19 | access to local variable o1 : String |
+| Tuples.cs:58:18:58:34 | call to method Source<String> : String | Tuples.cs:59:26:59:27 | access to local variable o2 : String |
 | Tuples.cs:58:18:58:34 | call to method Source<String> : String | Tuples.cs:59:26:59:27 | access to local variable o2 : String |
 | Tuples.cs:59:17:59:32 | (..., ...) : ValueTuple<String,ValueTuple<Int32,String>,Int32> [field Item1] : String | Tuples.cs:62:18:62:57 | SSA def(t) : ValueTuple<String,ValueTuple<Int32,String>,Int32> [field Item1] : String |
+| Tuples.cs:59:17:59:32 | (..., ...) : ValueTuple<String,ValueTuple<Int32,String>,Int32> [field Item1] : String | Tuples.cs:62:18:62:57 | SSA def(t) : ValueTuple<String,ValueTuple<Int32,String>,Int32> [field Item1] : String |
+| Tuples.cs:59:17:59:32 | (..., ...) : ValueTuple<String,ValueTuple<Int32,String>,Int32> [field Item1] : String | Tuples.cs:67:18:67:35 | (..., ...) : ValueTuple<String,ValueTuple<Int32,String>,Int32> [field Item1] : String |
 | Tuples.cs:59:17:59:32 | (..., ...) : ValueTuple<String,ValueTuple<Int32,String>,Int32> [field Item1] : String | Tuples.cs:67:18:67:35 | (..., ...) : ValueTuple<String,ValueTuple<Int32,String>,Int32> [field Item1] : String |
 | Tuples.cs:59:17:59:32 | (..., ...) : ValueTuple<String,ValueTuple<Int32,String>,Int32> [field Item1] : String | Tuples.cs:87:18:87:35 | (..., ...) : ValueTuple<String,ValueTuple<Int32,String>,Int32> [field Item1] : String |
+| Tuples.cs:59:17:59:32 | (..., ...) : ValueTuple<String,ValueTuple<Int32,String>,Int32> [field Item1] : String | Tuples.cs:87:18:87:35 | (..., ...) : ValueTuple<String,ValueTuple<Int32,String>,Int32> [field Item1] : String |
+| Tuples.cs:59:17:59:32 | (..., ...) : ValueTuple<String,ValueTuple<Int32,String>,Int32> [field Item2, field Item2] : String | Tuples.cs:62:18:62:57 | SSA def(t) : ValueTuple<String,ValueTuple<Int32,String>,Int32> [field Item2, field Item2] : String |
 | Tuples.cs:59:17:59:32 | (..., ...) : ValueTuple<String,ValueTuple<Int32,String>,Int32> [field Item2, field Item2] : String | Tuples.cs:62:18:62:57 | SSA def(t) : ValueTuple<String,ValueTuple<Int32,String>,Int32> [field Item2, field Item2] : String |
 | Tuples.cs:59:17:59:32 | (..., ...) : ValueTuple<String,ValueTuple<Int32,String>,Int32> [field Item2, field Item2] : String | Tuples.cs:67:18:67:35 | (..., ...) : ValueTuple<String,ValueTuple<Int32,String>,Int32> [field Item2, field Item2] : String |
+| Tuples.cs:59:17:59:32 | (..., ...) : ValueTuple<String,ValueTuple<Int32,String>,Int32> [field Item2, field Item2] : String | Tuples.cs:67:18:67:35 | (..., ...) : ValueTuple<String,ValueTuple<Int32,String>,Int32> [field Item2, field Item2] : String |
+| Tuples.cs:59:17:59:32 | (..., ...) : ValueTuple<String,ValueTuple<Int32,String>,Int32> [field Item2, field Item2] : String | Tuples.cs:87:18:87:35 | (..., ...) : ValueTuple<String,ValueTuple<Int32,String>,Int32> [field Item2, field Item2] : String |
 | Tuples.cs:59:17:59:32 | (..., ...) : ValueTuple<String,ValueTuple<Int32,String>,Int32> [field Item2, field Item2] : String | Tuples.cs:87:18:87:35 | (..., ...) : ValueTuple<String,ValueTuple<Int32,String>,Int32> [field Item2, field Item2] : String |
 | Tuples.cs:59:18:59:19 | access to local variable o1 : String | Tuples.cs:59:17:59:32 | (..., ...) : ValueTuple<String,ValueTuple<Int32,String>,Int32> [field Item1] : String |
+| Tuples.cs:59:18:59:19 | access to local variable o1 : String | Tuples.cs:59:17:59:32 | (..., ...) : ValueTuple<String,ValueTuple<Int32,String>,Int32> [field Item1] : String |
+| Tuples.cs:59:22:59:28 | (..., ...) : ValueTuple<Int32,String> [field Item2] : String | Tuples.cs:59:17:59:32 | (..., ...) : ValueTuple<String,ValueTuple<Int32,String>,Int32> [field Item2, field Item2] : String |
 | Tuples.cs:59:22:59:28 | (..., ...) : ValueTuple<Int32,String> [field Item2] : String | Tuples.cs:59:17:59:32 | (..., ...) : ValueTuple<String,ValueTuple<Int32,String>,Int32> [field Item2, field Item2] : String |
 | Tuples.cs:59:26:59:27 | access to local variable o2 : String | Tuples.cs:59:22:59:28 | (..., ...) : ValueTuple<Int32,String> [field Item2] : String |
+| Tuples.cs:59:26:59:27 | access to local variable o2 : String | Tuples.cs:59:22:59:28 | (..., ...) : ValueTuple<Int32,String> [field Item2] : String |
+| Tuples.cs:62:18:62:57 | SSA def(t) : ValueTuple<String,ValueTuple<Int32,String>,Int32> [field Item1] : String | Tuples.cs:63:22:63:22 | access to local variable t : ValueTuple<String,ValueTuple<Int32,String>,Int32> [field Item1] : String |
 | Tuples.cs:62:18:62:57 | SSA def(t) : ValueTuple<String,ValueTuple<Int32,String>,Int32> [field Item1] : String | Tuples.cs:63:22:63:22 | access to local variable t : ValueTuple<String,ValueTuple<Int32,String>,Int32> [field Item1] : String |
 | Tuples.cs:62:18:62:57 | SSA def(t) : ValueTuple<String,ValueTuple<Int32,String>,Int32> [field Item2, field Item2] : String | Tuples.cs:64:22:64:22 | access to local variable t : ValueTuple<String,ValueTuple<Int32,String>,Int32> [field Item2, field Item2] : String |
+| Tuples.cs:62:18:62:57 | SSA def(t) : ValueTuple<String,ValueTuple<Int32,String>,Int32> [field Item2, field Item2] : String | Tuples.cs:64:22:64:22 | access to local variable t : ValueTuple<String,ValueTuple<Int32,String>,Int32> [field Item2, field Item2] : String |
+| Tuples.cs:63:22:63:22 | access to local variable t : ValueTuple<String,ValueTuple<Int32,String>,Int32> [field Item1] : String | Tuples.cs:63:22:63:28 | access to field Item1 |
 | Tuples.cs:63:22:63:22 | access to local variable t : ValueTuple<String,ValueTuple<Int32,String>,Int32> [field Item1] : String | Tuples.cs:63:22:63:28 | access to field Item1 |
 | Tuples.cs:64:22:64:22 | access to local variable t : ValueTuple<String,ValueTuple<Int32,String>,Int32> [field Item2, field Item2] : String | Tuples.cs:64:22:64:28 | access to field Item2 : ValueTuple<Int32,String> [field Item2] : String |
+| Tuples.cs:64:22:64:22 | access to local variable t : ValueTuple<String,ValueTuple<Int32,String>,Int32> [field Item2, field Item2] : String | Tuples.cs:64:22:64:28 | access to field Item2 : ValueTuple<Int32,String> [field Item2] : String |
+| Tuples.cs:64:22:64:28 | access to field Item2 : ValueTuple<Int32,String> [field Item2] : String | Tuples.cs:64:22:64:34 | access to field Item2 |
 | Tuples.cs:64:22:64:28 | access to field Item2 : ValueTuple<Int32,String> [field Item2] : String | Tuples.cs:64:22:64:34 | access to field Item2 |
 | Tuples.cs:67:18:67:35 | (..., ...) : ValueTuple<Int32,String> [field Item2] : String | Tuples.cs:67:30:67:30 | SSA def(c) : String |
+| Tuples.cs:67:18:67:35 | (..., ...) : ValueTuple<Int32,String> [field Item2] : String | Tuples.cs:67:30:67:30 | SSA def(c) : String |
+| Tuples.cs:67:18:67:35 | (..., ...) : ValueTuple<String,ValueTuple<Int32,String>,Int32> [field Item1] : String | Tuples.cs:67:23:67:23 | SSA def(a) : String |
 | Tuples.cs:67:18:67:35 | (..., ...) : ValueTuple<String,ValueTuple<Int32,String>,Int32> [field Item1] : String | Tuples.cs:67:23:67:23 | SSA def(a) : String |
 | Tuples.cs:67:18:67:35 | (..., ...) : ValueTuple<String,ValueTuple<Int32,String>,Int32> [field Item2, field Item2] : String | Tuples.cs:67:18:67:35 | (..., ...) : ValueTuple<Int32,String> [field Item2] : String |
+| Tuples.cs:67:18:67:35 | (..., ...) : ValueTuple<String,ValueTuple<Int32,String>,Int32> [field Item2, field Item2] : String | Tuples.cs:67:18:67:35 | (..., ...) : ValueTuple<Int32,String> [field Item2] : String |
+| Tuples.cs:67:23:67:23 | SSA def(a) : String | Tuples.cs:68:22:68:22 | access to local variable a |
 | Tuples.cs:67:23:67:23 | SSA def(a) : String | Tuples.cs:68:22:68:22 | access to local variable a |
 | Tuples.cs:67:30:67:30 | SSA def(c) : String | Tuples.cs:69:22:69:22 | access to local variable c |
+| Tuples.cs:67:30:67:30 | SSA def(c) : String | Tuples.cs:69:22:69:22 | access to local variable c |
+| Tuples.cs:87:18:87:35 | (..., ...) : ValueTuple<Int32,String> [field Item2] : String | Tuples.cs:87:30:87:30 | SSA def(r) : String |
 | Tuples.cs:87:18:87:35 | (..., ...) : ValueTuple<Int32,String> [field Item2] : String | Tuples.cs:87:30:87:30 | SSA def(r) : String |
 | Tuples.cs:87:18:87:35 | (..., ...) : ValueTuple<String,ValueTuple<Int32,String>,Int32> [field Item1] : String | Tuples.cs:87:23:87:23 | SSA def(p) : String |
+| Tuples.cs:87:18:87:35 | (..., ...) : ValueTuple<String,ValueTuple<Int32,String>,Int32> [field Item1] : String | Tuples.cs:87:23:87:23 | SSA def(p) : String |
+| Tuples.cs:87:18:87:35 | (..., ...) : ValueTuple<String,ValueTuple<Int32,String>,Int32> [field Item2, field Item2] : String | Tuples.cs:87:18:87:35 | (..., ...) : ValueTuple<Int32,String> [field Item2] : String |
 | Tuples.cs:87:18:87:35 | (..., ...) : ValueTuple<String,ValueTuple<Int32,String>,Int32> [field Item2, field Item2] : String | Tuples.cs:87:18:87:35 | (..., ...) : ValueTuple<Int32,String> [field Item2] : String |
 | Tuples.cs:87:23:87:23 | SSA def(p) : String | Tuples.cs:89:18:89:18 | access to local variable p |
+| Tuples.cs:87:23:87:23 | SSA def(p) : String | Tuples.cs:89:18:89:18 | access to local variable p |
+| Tuples.cs:87:30:87:30 | SSA def(r) : String | Tuples.cs:90:18:90:18 | access to local variable r |
 | Tuples.cs:87:30:87:30 | SSA def(r) : String | Tuples.cs:90:18:90:18 | access to local variable r |
 | Tuples.cs:99:17:99:33 | call to method Source<String> : String | Tuples.cs:100:24:100:24 | access to local variable o : String |
+| Tuples.cs:99:17:99:33 | call to method Source<String> : String | Tuples.cs:100:24:100:24 | access to local variable o : String |
+| Tuples.cs:100:17:100:28 | object creation of type R1 : R1 [property i] : String | Tuples.cs:101:14:101:14 | access to local variable r : R1 [property i] : String |
 | Tuples.cs:100:17:100:28 | object creation of type R1 : R1 [property i] : String | Tuples.cs:101:14:101:14 | access to local variable r : R1 [property i] : String |
 | Tuples.cs:100:24:100:24 | access to local variable o : String | Tuples.cs:100:17:100:28 | object creation of type R1 : R1 [property i] : String |
+| Tuples.cs:100:24:100:24 | access to local variable o : String | Tuples.cs:100:17:100:28 | object creation of type R1 : R1 [property i] : String |
+| Tuples.cs:101:14:101:14 | access to local variable r : R1 [property i] : String | Tuples.cs:101:14:101:16 | access to property i |
 | Tuples.cs:101:14:101:14 | access to local variable r : R1 [property i] : String | Tuples.cs:101:14:101:16 | access to property i |
 | Tuples.cs:118:17:118:33 | call to method Source<Object> : Object | Tuples.cs:121:28:121:28 | access to local variable o : Object |
+| Tuples.cs:118:17:118:33 | call to method Source<Object> : Object | Tuples.cs:121:28:121:28 | access to local variable o : Object |
+| Tuples.cs:118:17:118:33 | call to method Source<Object> : Object | Tuples.cs:122:14:122:15 | access to local variable x1 |
 | Tuples.cs:118:17:118:33 | call to method Source<Object> : Object | Tuples.cs:122:14:122:15 | access to local variable x1 |
 | Tuples.cs:118:17:118:33 | call to method Source<Object> : Object | Tuples.cs:125:25:125:25 | access to local variable o : Object |
+| Tuples.cs:118:17:118:33 | call to method Source<Object> : Object | Tuples.cs:125:25:125:25 | access to local variable o : Object |
+| Tuples.cs:118:17:118:33 | call to method Source<Object> : Object | Tuples.cs:126:14:126:15 | access to local variable x2 |
 | Tuples.cs:118:17:118:33 | call to method Source<Object> : Object | Tuples.cs:126:14:126:15 | access to local variable x2 |
 | Tuples.cs:118:17:118:33 | call to method Source<Object> : Object | Tuples.cs:129:31:129:31 | access to local variable o : Object |
+| Tuples.cs:118:17:118:33 | call to method Source<Object> : Object | Tuples.cs:129:31:129:31 | access to local variable o : Object |
+| Tuples.cs:118:17:118:33 | call to method Source<Object> : Object | Tuples.cs:130:14:130:15 | access to local variable y3 |
 | Tuples.cs:118:17:118:33 | call to method Source<Object> : Object | Tuples.cs:130:14:130:15 | access to local variable y3 |
 | Tuples.cs:118:17:118:33 | call to method Source<Object> : Object | Tuples.cs:133:28:133:28 | access to local variable o : Object |
+| Tuples.cs:118:17:118:33 | call to method Source<Object> : Object | Tuples.cs:133:28:133:28 | access to local variable o : Object |
+| Tuples.cs:118:17:118:33 | call to method Source<Object> : Object | Tuples.cs:134:14:134:15 | access to local variable y4 |
 | Tuples.cs:118:17:118:33 | call to method Source<Object> : Object | Tuples.cs:134:14:134:15 | access to local variable y4 |
 | Tuples.cs:121:9:121:23 | (..., ...) : ValueTuple<Object,Int32> [field Item1] : Object | Tuples.cs:121:9:121:32 | SSA def(x1) : Object |
+| Tuples.cs:121:9:121:23 | (..., ...) : ValueTuple<Object,Int32> [field Item1] : Object | Tuples.cs:121:9:121:32 | SSA def(x1) : Object |
+| Tuples.cs:121:9:121:32 | SSA def(x1) : Object | Tuples.cs:122:14:122:15 | access to local variable x1 |
 | Tuples.cs:121:9:121:32 | SSA def(x1) : Object | Tuples.cs:122:14:122:15 | access to local variable x1 |
 | Tuples.cs:121:27:121:32 | (..., ...) : ValueTuple<Object,Int32> [field Item1] : Object | Tuples.cs:121:9:121:23 | (..., ...) : ValueTuple<Object,Int32> [field Item1] : Object |
+| Tuples.cs:121:27:121:32 | (..., ...) : ValueTuple<Object,Int32> [field Item1] : Object | Tuples.cs:121:9:121:23 | (..., ...) : ValueTuple<Object,Int32> [field Item1] : Object |
+| Tuples.cs:121:28:121:28 | access to local variable o : Object | Tuples.cs:121:27:121:32 | (..., ...) : ValueTuple<Object,Int32> [field Item1] : Object |
 | Tuples.cs:121:28:121:28 | access to local variable o : Object | Tuples.cs:121:27:121:32 | (..., ...) : ValueTuple<Object,Int32> [field Item1] : Object |
 | Tuples.cs:125:9:125:20 | (..., ...) : ValueTuple<Object,Int32> [field Item1] : Object | Tuples.cs:125:9:125:29 | SSA def(x2) : Object |
+| Tuples.cs:125:9:125:20 | (..., ...) : ValueTuple<Object,Int32> [field Item1] : Object | Tuples.cs:125:9:125:29 | SSA def(x2) : Object |
+| Tuples.cs:125:9:125:29 | SSA def(x2) : Object | Tuples.cs:126:14:126:15 | access to local variable x2 |
 | Tuples.cs:125:9:125:29 | SSA def(x2) : Object | Tuples.cs:126:14:126:15 | access to local variable x2 |
 | Tuples.cs:125:24:125:29 | (..., ...) : ValueTuple<Object,Int32> [field Item1] : Object | Tuples.cs:125:9:125:20 | (..., ...) : ValueTuple<Object,Int32> [field Item1] : Object |
+| Tuples.cs:125:24:125:29 | (..., ...) : ValueTuple<Object,Int32> [field Item1] : Object | Tuples.cs:125:9:125:20 | (..., ...) : ValueTuple<Object,Int32> [field Item1] : Object |
+| Tuples.cs:125:25:125:25 | access to local variable o : Object | Tuples.cs:125:24:125:29 | (..., ...) : ValueTuple<Object,Int32> [field Item1] : Object |
 | Tuples.cs:125:25:125:25 | access to local variable o : Object | Tuples.cs:125:24:125:29 | (..., ...) : ValueTuple<Object,Int32> [field Item1] : Object |
 | Tuples.cs:129:9:129:23 | (..., ...) : ValueTuple<Int32,Object> [field Item2] : Object | Tuples.cs:129:9:129:32 | SSA def(y3) : Object |
+| Tuples.cs:129:9:129:23 | (..., ...) : ValueTuple<Int32,Object> [field Item2] : Object | Tuples.cs:129:9:129:32 | SSA def(y3) : Object |
+| Tuples.cs:129:9:129:32 | SSA def(y3) : Object | Tuples.cs:130:14:130:15 | access to local variable y3 |
 | Tuples.cs:129:9:129:32 | SSA def(y3) : Object | Tuples.cs:130:14:130:15 | access to local variable y3 |
 | Tuples.cs:129:27:129:32 | (..., ...) : ValueTuple<Int32,Object> [field Item2] : Object | Tuples.cs:129:9:129:23 | (..., ...) : ValueTuple<Int32,Object> [field Item2] : Object |
+| Tuples.cs:129:27:129:32 | (..., ...) : ValueTuple<Int32,Object> [field Item2] : Object | Tuples.cs:129:9:129:23 | (..., ...) : ValueTuple<Int32,Object> [field Item2] : Object |
+| Tuples.cs:129:31:129:31 | access to local variable o : Object | Tuples.cs:129:27:129:32 | (..., ...) : ValueTuple<Int32,Object> [field Item2] : Object |
 | Tuples.cs:129:31:129:31 | access to local variable o : Object | Tuples.cs:129:27:129:32 | (..., ...) : ValueTuple<Int32,Object> [field Item2] : Object |
 | Tuples.cs:133:9:133:20 | (..., ...) : ValueTuple<Int32,Object> [field Item2] : Object | Tuples.cs:133:9:133:29 | SSA def(y4) : Object |
+| Tuples.cs:133:9:133:20 | (..., ...) : ValueTuple<Int32,Object> [field Item2] : Object | Tuples.cs:133:9:133:29 | SSA def(y4) : Object |
+| Tuples.cs:133:9:133:29 | SSA def(y4) : Object | Tuples.cs:134:14:134:15 | access to local variable y4 |
 | Tuples.cs:133:9:133:29 | SSA def(y4) : Object | Tuples.cs:134:14:134:15 | access to local variable y4 |
 | Tuples.cs:133:24:133:29 | (..., ...) : ValueTuple<Int32,Object> [field Item2] : Object | Tuples.cs:133:9:133:20 | (..., ...) : ValueTuple<Int32,Object> [field Item2] : Object |
+| Tuples.cs:133:24:133:29 | (..., ...) : ValueTuple<Int32,Object> [field Item2] : Object | Tuples.cs:133:9:133:20 | (..., ...) : ValueTuple<Int32,Object> [field Item2] : Object |
+| Tuples.cs:133:28:133:28 | access to local variable o : Object | Tuples.cs:133:24:133:29 | (..., ...) : ValueTuple<Int32,Object> [field Item2] : Object |
 | Tuples.cs:133:28:133:28 | access to local variable o : Object | Tuples.cs:133:24:133:29 | (..., ...) : ValueTuple<Int32,Object> [field Item2] : Object |
 nodes
 | Tuples.cs:7:18:7:34 | call to method Source<Object> : Object | semmle.label | call to method Source<Object> : Object |
+| Tuples.cs:7:18:7:34 | call to method Source<Object> : Object | semmle.label | call to method Source<Object> : Object |
+| Tuples.cs:8:18:8:34 | call to method Source<Object> : Object | semmle.label | call to method Source<Object> : Object |
 | Tuples.cs:8:18:8:34 | call to method Source<Object> : Object | semmle.label | call to method Source<Object> : Object |
 | Tuples.cs:10:17:10:32 | (..., ...) : ValueTuple<Object,ValueTuple<Int32,Object>> [field Item1] : Object | semmle.label | (..., ...) : ValueTuple<Object,ValueTuple<Int32,Object>> [field Item1] : Object |
+| Tuples.cs:10:17:10:32 | (..., ...) : ValueTuple<Object,ValueTuple<Int32,Object>> [field Item1] : Object | semmle.label | (..., ...) : ValueTuple<Object,ValueTuple<Int32,Object>> [field Item1] : Object |
+| Tuples.cs:10:17:10:32 | (..., ...) : ValueTuple<Object,ValueTuple<Int32,Object>> [field Item2, field Item2] : Object | semmle.label | (..., ...) : ValueTuple<Object,ValueTuple<Int32,Object>> [field Item2, field Item2] : Object |
 | Tuples.cs:10:17:10:32 | (..., ...) : ValueTuple<Object,ValueTuple<Int32,Object>> [field Item2, field Item2] : Object | semmle.label | (..., ...) : ValueTuple<Object,ValueTuple<Int32,Object>> [field Item2, field Item2] : Object |
 | Tuples.cs:10:21:10:22 | access to local variable o1 : Object | semmle.label | access to local variable o1 : Object |
+| Tuples.cs:10:21:10:22 | access to local variable o1 : Object | semmle.label | access to local variable o1 : Object |
+| Tuples.cs:10:25:10:31 | (..., ...) : ValueTuple<Int32,Object> [field Item2] : Object | semmle.label | (..., ...) : ValueTuple<Int32,Object> [field Item2] : Object |
 | Tuples.cs:10:25:10:31 | (..., ...) : ValueTuple<Int32,Object> [field Item2] : Object | semmle.label | (..., ...) : ValueTuple<Int32,Object> [field Item2] : Object |
 | Tuples.cs:10:29:10:30 | access to local variable o2 : Object | semmle.label | access to local variable o2 : Object |
+| Tuples.cs:10:29:10:30 | access to local variable o2 : Object | semmle.label | access to local variable o2 : Object |
+| Tuples.cs:11:9:11:23 | (..., ...) : ValueTuple<Int32,Object> [field Item2] : Object | semmle.label | (..., ...) : ValueTuple<Int32,Object> [field Item2] : Object |
 | Tuples.cs:11:9:11:23 | (..., ...) : ValueTuple<Int32,Object> [field Item2] : Object | semmle.label | (..., ...) : ValueTuple<Int32,Object> [field Item2] : Object |
 | Tuples.cs:11:9:11:23 | (..., ...) : ValueTuple<Object,ValueTuple<Int32,Object>> [field Item1] : Object | semmle.label | (..., ...) : ValueTuple<Object,ValueTuple<Int32,Object>> [field Item1] : Object |
+| Tuples.cs:11:9:11:23 | (..., ...) : ValueTuple<Object,ValueTuple<Int32,Object>> [field Item1] : Object | semmle.label | (..., ...) : ValueTuple<Object,ValueTuple<Int32,Object>> [field Item1] : Object |
+| Tuples.cs:11:9:11:23 | (..., ...) : ValueTuple<Object,ValueTuple<Int32,Object>> [field Item2, field Item2] : Object | semmle.label | (..., ...) : ValueTuple<Object,ValueTuple<Int32,Object>> [field Item2, field Item2] : Object |
 | Tuples.cs:11:9:11:23 | (..., ...) : ValueTuple<Object,ValueTuple<Int32,Object>> [field Item2, field Item2] : Object | semmle.label | (..., ...) : ValueTuple<Object,ValueTuple<Int32,Object>> [field Item2, field Item2] : Object |
 | Tuples.cs:11:9:11:27 | SSA def(a) : Object | semmle.label | SSA def(a) : Object |
+| Tuples.cs:11:9:11:27 | SSA def(a) : Object | semmle.label | SSA def(a) : Object |
+| Tuples.cs:11:9:11:27 | SSA def(c) : Object | semmle.label | SSA def(c) : Object |
 | Tuples.cs:11:9:11:27 | SSA def(c) : Object | semmle.label | SSA def(c) : Object |
 | Tuples.cs:12:14:12:14 | access to local variable a | semmle.label | access to local variable a |
+| Tuples.cs:12:14:12:14 | access to local variable a | semmle.label | access to local variable a |
+| Tuples.cs:14:14:14:14 | access to local variable c | semmle.label | access to local variable c |
 | Tuples.cs:14:14:14:14 | access to local variable c | semmle.label | access to local variable c |
 | Tuples.cs:16:9:16:19 | (..., ...) : ValueTuple<Object,ValueTuple<Int32,Object>> [field Item1] : Object | semmle.label | (..., ...) : ValueTuple<Object,ValueTuple<Int32,Object>> [field Item1] : Object |
+| Tuples.cs:16:9:16:19 | (..., ...) : ValueTuple<Object,ValueTuple<Int32,Object>> [field Item1] : Object | semmle.label | (..., ...) : ValueTuple<Object,ValueTuple<Int32,Object>> [field Item1] : Object |
+| Tuples.cs:16:9:16:19 | (..., ...) : ValueTuple<Object,ValueTuple<Int32,Object>> [field Item2, field Item2] : Object | semmle.label | (..., ...) : ValueTuple<Object,ValueTuple<Int32,Object>> [field Item2, field Item2] : Object |
 | Tuples.cs:16:9:16:19 | (..., ...) : ValueTuple<Object,ValueTuple<Int32,Object>> [field Item2, field Item2] : Object | semmle.label | (..., ...) : ValueTuple<Object,ValueTuple<Int32,Object>> [field Item2, field Item2] : Object |
 | Tuples.cs:16:9:16:23 | SSA def(a) : Object | semmle.label | SSA def(a) : Object |
+| Tuples.cs:16:9:16:23 | SSA def(a) : Object | semmle.label | SSA def(a) : Object |
+| Tuples.cs:16:9:16:23 | SSA def(c) : Object | semmle.label | SSA def(c) : Object |
 | Tuples.cs:16:9:16:23 | SSA def(c) : Object | semmle.label | SSA def(c) : Object |
 | Tuples.cs:16:13:16:18 | (..., ...) : ValueTuple<Int32,Object> [field Item2] : Object | semmle.label | (..., ...) : ValueTuple<Int32,Object> [field Item2] : Object |
+| Tuples.cs:16:13:16:18 | (..., ...) : ValueTuple<Int32,Object> [field Item2] : Object | semmle.label | (..., ...) : ValueTuple<Int32,Object> [field Item2] : Object |
+| Tuples.cs:17:14:17:14 | access to local variable a | semmle.label | access to local variable a |
 | Tuples.cs:17:14:17:14 | access to local variable a | semmle.label | access to local variable a |
 | Tuples.cs:19:14:19:14 | access to local variable c | semmle.label | access to local variable c |
+| Tuples.cs:19:14:19:14 | access to local variable c | semmle.label | access to local variable c |
+| Tuples.cs:21:9:21:22 | (..., ...) : ValueTuple<Object,ValueTuple<Int32,Object>> [field Item1] : Object | semmle.label | (..., ...) : ValueTuple<Object,ValueTuple<Int32,Object>> [field Item1] : Object |
 | Tuples.cs:21:9:21:22 | (..., ...) : ValueTuple<Object,ValueTuple<Int32,Object>> [field Item1] : Object | semmle.label | (..., ...) : ValueTuple<Object,ValueTuple<Int32,Object>> [field Item1] : Object |
 | Tuples.cs:21:9:21:22 | (..., ...) : ValueTuple<Object,ValueTuple<Int32,Object>> [field Item2, field Item2] : Object | semmle.label | (..., ...) : ValueTuple<Object,ValueTuple<Int32,Object>> [field Item2, field Item2] : Object |
+| Tuples.cs:21:9:21:22 | (..., ...) : ValueTuple<Object,ValueTuple<Int32,Object>> [field Item2, field Item2] : Object | semmle.label | (..., ...) : ValueTuple<Object,ValueTuple<Int32,Object>> [field Item2, field Item2] : Object |
+| Tuples.cs:21:9:21:26 | SSA def(p) : Object | semmle.label | SSA def(p) : Object |
 | Tuples.cs:21:9:21:26 | SSA def(p) : Object | semmle.label | SSA def(p) : Object |
 | Tuples.cs:21:9:21:26 | SSA def(q) : ValueTuple<Int32,Object> [field Item2] : Object | semmle.label | SSA def(q) : ValueTuple<Int32,Object> [field Item2] : Object |
+| Tuples.cs:21:9:21:26 | SSA def(q) : ValueTuple<Int32,Object> [field Item2] : Object | semmle.label | SSA def(q) : ValueTuple<Int32,Object> [field Item2] : Object |
+| Tuples.cs:22:14:22:14 | access to local variable p | semmle.label | access to local variable p |
 | Tuples.cs:22:14:22:14 | access to local variable p | semmle.label | access to local variable p |
 | Tuples.cs:24:14:24:14 | access to local variable q : ValueTuple<Int32,Object> [field Item2] : Object | semmle.label | access to local variable q : ValueTuple<Int32,Object> [field Item2] : Object |
+| Tuples.cs:24:14:24:14 | access to local variable q : ValueTuple<Int32,Object> [field Item2] : Object | semmle.label | access to local variable q : ValueTuple<Int32,Object> [field Item2] : Object |
+| Tuples.cs:24:14:24:20 | access to field Item2 | semmle.label | access to field Item2 |
 | Tuples.cs:24:14:24:20 | access to field Item2 | semmle.label | access to field Item2 |
 | Tuples.cs:26:14:26:14 | access to local variable x : ValueTuple<Object,ValueTuple<Int32,Object>> [field Item1] : Object | semmle.label | access to local variable x : ValueTuple<Object,ValueTuple<Int32,Object>> [field Item1] : Object |
+| Tuples.cs:26:14:26:14 | access to local variable x : ValueTuple<Object,ValueTuple<Int32,Object>> [field Item1] : Object | semmle.label | access to local variable x : ValueTuple<Object,ValueTuple<Int32,Object>> [field Item1] : Object |
+| Tuples.cs:26:14:26:20 | access to field Item1 | semmle.label | access to field Item1 |
 | Tuples.cs:26:14:26:20 | access to field Item1 | semmle.label | access to field Item1 |
 | Tuples.cs:27:14:27:14 | access to local variable x : ValueTuple<Object,ValueTuple<Int32,Object>> [field Item1] : Object | semmle.label | access to local variable x : ValueTuple<Object,ValueTuple<Int32,Object>> [field Item1] : Object |
+| Tuples.cs:27:14:27:14 | access to local variable x : ValueTuple<Object,ValueTuple<Int32,Object>> [field Item1] : Object | semmle.label | access to local variable x : ValueTuple<Object,ValueTuple<Int32,Object>> [field Item1] : Object |
+| Tuples.cs:27:14:27:16 | access to field Item1 | semmle.label | access to field Item1 |
 | Tuples.cs:27:14:27:16 | access to field Item1 | semmle.label | access to field Item1 |
 | Tuples.cs:29:14:29:14 | access to local variable x : ValueTuple<Object,ValueTuple<Int32,Object>> [field Item2, field Item2] : Object | semmle.label | access to local variable x : ValueTuple<Object,ValueTuple<Int32,Object>> [field Item2, field Item2] : Object |
+| Tuples.cs:29:14:29:14 | access to local variable x : ValueTuple<Object,ValueTuple<Int32,Object>> [field Item2, field Item2] : Object | semmle.label | access to local variable x : ValueTuple<Object,ValueTuple<Int32,Object>> [field Item2, field Item2] : Object |
+| Tuples.cs:29:14:29:20 | access to field Item2 : ValueTuple<Int32,Object> [field Item2] : Object | semmle.label | access to field Item2 : ValueTuple<Int32,Object> [field Item2] : Object |
 | Tuples.cs:29:14:29:20 | access to field Item2 : ValueTuple<Int32,Object> [field Item2] : Object | semmle.label | access to field Item2 : ValueTuple<Int32,Object> [field Item2] : Object |
 | Tuples.cs:29:14:29:26 | access to field Item2 | semmle.label | access to field Item2 |
+| Tuples.cs:29:14:29:26 | access to field Item2 | semmle.label | access to field Item2 |
+| Tuples.cs:34:18:34:34 | call to method Source<Object> : Object | semmle.label | call to method Source<Object> : Object |
 | Tuples.cs:34:18:34:34 | call to method Source<Object> : Object | semmle.label | call to method Source<Object> : Object |
 | Tuples.cs:35:18:35:34 | call to method Source<Object> : Object | semmle.label | call to method Source<Object> : Object |
+| Tuples.cs:35:18:35:34 | call to method Source<Object> : Object | semmle.label | call to method Source<Object> : Object |
+| Tuples.cs:37:17:37:48 | (..., ...) : ValueTuple<Object,Int32,Int32,Int32,Int32,Int32,Int32,ValueTuple<Int32,Int32,Object>> [field Item1] : Object | semmle.label | (..., ...) : ValueTuple<Object,Int32,Int32,Int32,Int32,Int32,Int32,ValueTuple<Int32,Int32,Object>> [field Item1] : Object |
 | Tuples.cs:37:17:37:48 | (..., ...) : ValueTuple<Object,Int32,Int32,Int32,Int32,Int32,Int32,ValueTuple<Int32,Int32,Object>> [field Item1] : Object | semmle.label | (..., ...) : ValueTuple<Object,Int32,Int32,Int32,Int32,Int32,Int32,ValueTuple<Int32,Int32,Object>> [field Item1] : Object |
 | Tuples.cs:37:17:37:48 | (..., ...) : ValueTuple<Object,Int32,Int32,Int32,Int32,Int32,Int32,ValueTuple<Int32,Int32,Object>> [field Item10] : Object | semmle.label | (..., ...) : ValueTuple<Object,Int32,Int32,Int32,Int32,Int32,Int32,ValueTuple<Int32,Int32,Object>> [field Item10] : Object |
+| Tuples.cs:37:17:37:48 | (..., ...) : ValueTuple<Object,Int32,Int32,Int32,Int32,Int32,Int32,ValueTuple<Int32,Int32,Object>> [field Item10] : Object | semmle.label | (..., ...) : ValueTuple<Object,Int32,Int32,Int32,Int32,Int32,Int32,ValueTuple<Int32,Int32,Object>> [field Item10] : Object |
+| Tuples.cs:37:18:37:19 | access to local variable o1 : Object | semmle.label | access to local variable o1 : Object |
 | Tuples.cs:37:18:37:19 | access to local variable o1 : Object | semmle.label | access to local variable o1 : Object |
 | Tuples.cs:37:46:37:47 | access to local variable o2 : Object | semmle.label | access to local variable o2 : Object |
+| Tuples.cs:37:46:37:47 | access to local variable o2 : Object | semmle.label | access to local variable o2 : Object |
+| Tuples.cs:38:14:38:14 | access to local variable x : ValueTuple<Object,Int32,Int32,Int32,Int32,Int32,Int32,ValueTuple<Int32,Int32,Object>> [field Item1] : Object | semmle.label | access to local variable x : ValueTuple<Object,Int32,Int32,Int32,Int32,Int32,Int32,ValueTuple<Int32,Int32,Object>> [field Item1] : Object |
 | Tuples.cs:38:14:38:14 | access to local variable x : ValueTuple<Object,Int32,Int32,Int32,Int32,Int32,Int32,ValueTuple<Int32,Int32,Object>> [field Item1] : Object | semmle.label | access to local variable x : ValueTuple<Object,Int32,Int32,Int32,Int32,Int32,Int32,ValueTuple<Int32,Int32,Object>> [field Item1] : Object |
 | Tuples.cs:38:14:38:20 | access to field Item1 | semmle.label | access to field Item1 |
+| Tuples.cs:38:14:38:20 | access to field Item1 | semmle.label | access to field Item1 |
+| Tuples.cs:40:14:40:14 | access to local variable x : ValueTuple<Object,Int32,Int32,Int32,Int32,Int32,Int32,ValueTuple<Int32,Int32,Object>> [field Item10] : Object | semmle.label | access to local variable x : ValueTuple<Object,Int32,Int32,Int32,Int32,Int32,Int32,ValueTuple<Int32,Int32,Object>> [field Item10] : Object |
 | Tuples.cs:40:14:40:14 | access to local variable x : ValueTuple<Object,Int32,Int32,Int32,Int32,Int32,Int32,ValueTuple<Int32,Int32,Object>> [field Item10] : Object | semmle.label | access to local variable x : ValueTuple<Object,Int32,Int32,Int32,Int32,Int32,Int32,ValueTuple<Int32,Int32,Object>> [field Item10] : Object |
 | Tuples.cs:40:14:40:21 | access to field Item10 | semmle.label | access to field Item10 |
+| Tuples.cs:40:14:40:21 | access to field Item10 | semmle.label | access to field Item10 |
+| Tuples.cs:45:17:45:33 | call to method Source<String> : String | semmle.label | call to method Source<String> : String |
 | Tuples.cs:45:17:45:33 | call to method Source<String> : String | semmle.label | call to method Source<String> : String |
 | Tuples.cs:46:17:46:55 | (...) ... : ValueTuple<String,Int32,Int32> [field Item1] : String | semmle.label | (...) ... : ValueTuple<String,Int32,Int32> [field Item1] : String |
+| Tuples.cs:46:17:46:55 | (...) ... : ValueTuple<String,Int32,Int32> [field Item1] : String | semmle.label | (...) ... : ValueTuple<String,Int32,Int32> [field Item1] : String |
+| Tuples.cs:46:47:46:55 | (..., ...) : ValueTuple<String,Int32,Int32> [field Item1] : String | semmle.label | (..., ...) : ValueTuple<String,Int32,Int32> [field Item1] : String |
 | Tuples.cs:46:47:46:55 | (..., ...) : ValueTuple<String,Int32,Int32> [field Item1] : String | semmle.label | (..., ...) : ValueTuple<String,Int32,Int32> [field Item1] : String |
 | Tuples.cs:46:48:46:48 | access to local variable o : String | semmle.label | access to local variable o : String |
+| Tuples.cs:46:48:46:48 | access to local variable o : String | semmle.label | access to local variable o : String |
+| Tuples.cs:47:14:47:14 | access to local variable x : ValueTuple<String,Int32,Int32> [field Item1] : String | semmle.label | access to local variable x : ValueTuple<String,Int32,Int32> [field Item1] : String |
 | Tuples.cs:47:14:47:14 | access to local variable x : ValueTuple<String,Int32,Int32> [field Item1] : String | semmle.label | access to local variable x : ValueTuple<String,Int32,Int32> [field Item1] : String |
 | Tuples.cs:47:14:47:20 | access to field Item1 | semmle.label | access to field Item1 |
+| Tuples.cs:47:14:47:20 | access to field Item1 | semmle.label | access to field Item1 |
+| Tuples.cs:57:18:57:34 | call to method Source<String> : String | semmle.label | call to method Source<String> : String |
 | Tuples.cs:57:18:57:34 | call to method Source<String> : String | semmle.label | call to method Source<String> : String |
 | Tuples.cs:58:18:58:34 | call to method Source<String> : String | semmle.label | call to method Source<String> : String |
+| Tuples.cs:58:18:58:34 | call to method Source<String> : String | semmle.label | call to method Source<String> : String |
+| Tuples.cs:59:17:59:32 | (..., ...) : ValueTuple<String,ValueTuple<Int32,String>,Int32> [field Item1] : String | semmle.label | (..., ...) : ValueTuple<String,ValueTuple<Int32,String>,Int32> [field Item1] : String |
 | Tuples.cs:59:17:59:32 | (..., ...) : ValueTuple<String,ValueTuple<Int32,String>,Int32> [field Item1] : String | semmle.label | (..., ...) : ValueTuple<String,ValueTuple<Int32,String>,Int32> [field Item1] : String |
 | Tuples.cs:59:17:59:32 | (..., ...) : ValueTuple<String,ValueTuple<Int32,String>,Int32> [field Item2, field Item2] : String | semmle.label | (..., ...) : ValueTuple<String,ValueTuple<Int32,String>,Int32> [field Item2, field Item2] : String |
+| Tuples.cs:59:17:59:32 | (..., ...) : ValueTuple<String,ValueTuple<Int32,String>,Int32> [field Item2, field Item2] : String | semmle.label | (..., ...) : ValueTuple<String,ValueTuple<Int32,String>,Int32> [field Item2, field Item2] : String |
+| Tuples.cs:59:18:59:19 | access to local variable o1 : String | semmle.label | access to local variable o1 : String |
 | Tuples.cs:59:18:59:19 | access to local variable o1 : String | semmle.label | access to local variable o1 : String |
 | Tuples.cs:59:22:59:28 | (..., ...) : ValueTuple<Int32,String> [field Item2] : String | semmle.label | (..., ...) : ValueTuple<Int32,String> [field Item2] : String |
+| Tuples.cs:59:22:59:28 | (..., ...) : ValueTuple<Int32,String> [field Item2] : String | semmle.label | (..., ...) : ValueTuple<Int32,String> [field Item2] : String |
+| Tuples.cs:59:26:59:27 | access to local variable o2 : String | semmle.label | access to local variable o2 : String |
 | Tuples.cs:59:26:59:27 | access to local variable o2 : String | semmle.label | access to local variable o2 : String |
 | Tuples.cs:62:18:62:57 | SSA def(t) : ValueTuple<String,ValueTuple<Int32,String>,Int32> [field Item1] : String | semmle.label | SSA def(t) : ValueTuple<String,ValueTuple<Int32,String>,Int32> [field Item1] : String |
+| Tuples.cs:62:18:62:57 | SSA def(t) : ValueTuple<String,ValueTuple<Int32,String>,Int32> [field Item1] : String | semmle.label | SSA def(t) : ValueTuple<String,ValueTuple<Int32,String>,Int32> [field Item1] : String |
+| Tuples.cs:62:18:62:57 | SSA def(t) : ValueTuple<String,ValueTuple<Int32,String>,Int32> [field Item2, field Item2] : String | semmle.label | SSA def(t) : ValueTuple<String,ValueTuple<Int32,String>,Int32> [field Item2, field Item2] : String |
 | Tuples.cs:62:18:62:57 | SSA def(t) : ValueTuple<String,ValueTuple<Int32,String>,Int32> [field Item2, field Item2] : String | semmle.label | SSA def(t) : ValueTuple<String,ValueTuple<Int32,String>,Int32> [field Item2, field Item2] : String |
 | Tuples.cs:63:22:63:22 | access to local variable t : ValueTuple<String,ValueTuple<Int32,String>,Int32> [field Item1] : String | semmle.label | access to local variable t : ValueTuple<String,ValueTuple<Int32,String>,Int32> [field Item1] : String |
+| Tuples.cs:63:22:63:22 | access to local variable t : ValueTuple<String,ValueTuple<Int32,String>,Int32> [field Item1] : String | semmle.label | access to local variable t : ValueTuple<String,ValueTuple<Int32,String>,Int32> [field Item1] : String |
+| Tuples.cs:63:22:63:28 | access to field Item1 | semmle.label | access to field Item1 |
 | Tuples.cs:63:22:63:28 | access to field Item1 | semmle.label | access to field Item1 |
 | Tuples.cs:64:22:64:22 | access to local variable t : ValueTuple<String,ValueTuple<Int32,String>,Int32> [field Item2, field Item2] : String | semmle.label | access to local variable t : ValueTuple<String,ValueTuple<Int32,String>,Int32> [field Item2, field Item2] : String |
+| Tuples.cs:64:22:64:22 | access to local variable t : ValueTuple<String,ValueTuple<Int32,String>,Int32> [field Item2, field Item2] : String | semmle.label | access to local variable t : ValueTuple<String,ValueTuple<Int32,String>,Int32> [field Item2, field Item2] : String |
+| Tuples.cs:64:22:64:28 | access to field Item2 : ValueTuple<Int32,String> [field Item2] : String | semmle.label | access to field Item2 : ValueTuple<Int32,String> [field Item2] : String |
 | Tuples.cs:64:22:64:28 | access to field Item2 : ValueTuple<Int32,String> [field Item2] : String | semmle.label | access to field Item2 : ValueTuple<Int32,String> [field Item2] : String |
 | Tuples.cs:64:22:64:34 | access to field Item2 | semmle.label | access to field Item2 |
+| Tuples.cs:64:22:64:34 | access to field Item2 | semmle.label | access to field Item2 |
+| Tuples.cs:67:18:67:35 | (..., ...) : ValueTuple<Int32,String> [field Item2] : String | semmle.label | (..., ...) : ValueTuple<Int32,String> [field Item2] : String |
 | Tuples.cs:67:18:67:35 | (..., ...) : ValueTuple<Int32,String> [field Item2] : String | semmle.label | (..., ...) : ValueTuple<Int32,String> [field Item2] : String |
 | Tuples.cs:67:18:67:35 | (..., ...) : ValueTuple<String,ValueTuple<Int32,String>,Int32> [field Item1] : String | semmle.label | (..., ...) : ValueTuple<String,ValueTuple<Int32,String>,Int32> [field Item1] : String |
+| Tuples.cs:67:18:67:35 | (..., ...) : ValueTuple<String,ValueTuple<Int32,String>,Int32> [field Item1] : String | semmle.label | (..., ...) : ValueTuple<String,ValueTuple<Int32,String>,Int32> [field Item1] : String |
+| Tuples.cs:67:18:67:35 | (..., ...) : ValueTuple<String,ValueTuple<Int32,String>,Int32> [field Item2, field Item2] : String | semmle.label | (..., ...) : ValueTuple<String,ValueTuple<Int32,String>,Int32> [field Item2, field Item2] : String |
 | Tuples.cs:67:18:67:35 | (..., ...) : ValueTuple<String,ValueTuple<Int32,String>,Int32> [field Item2, field Item2] : String | semmle.label | (..., ...) : ValueTuple<String,ValueTuple<Int32,String>,Int32> [field Item2, field Item2] : String |
 | Tuples.cs:67:23:67:23 | SSA def(a) : String | semmle.label | SSA def(a) : String |
+| Tuples.cs:67:23:67:23 | SSA def(a) : String | semmle.label | SSA def(a) : String |
+| Tuples.cs:67:30:67:30 | SSA def(c) : String | semmle.label | SSA def(c) : String |
 | Tuples.cs:67:30:67:30 | SSA def(c) : String | semmle.label | SSA def(c) : String |
 | Tuples.cs:68:22:68:22 | access to local variable a | semmle.label | access to local variable a |
+| Tuples.cs:68:22:68:22 | access to local variable a | semmle.label | access to local variable a |
+| Tuples.cs:69:22:69:22 | access to local variable c | semmle.label | access to local variable c |
 | Tuples.cs:69:22:69:22 | access to local variable c | semmle.label | access to local variable c |
 | Tuples.cs:87:18:87:35 | (..., ...) : ValueTuple<Int32,String> [field Item2] : String | semmle.label | (..., ...) : ValueTuple<Int32,String> [field Item2] : String |
+| Tuples.cs:87:18:87:35 | (..., ...) : ValueTuple<Int32,String> [field Item2] : String | semmle.label | (..., ...) : ValueTuple<Int32,String> [field Item2] : String |
+| Tuples.cs:87:18:87:35 | (..., ...) : ValueTuple<String,ValueTuple<Int32,String>,Int32> [field Item1] : String | semmle.label | (..., ...) : ValueTuple<String,ValueTuple<Int32,String>,Int32> [field Item1] : String |
 | Tuples.cs:87:18:87:35 | (..., ...) : ValueTuple<String,ValueTuple<Int32,String>,Int32> [field Item1] : String | semmle.label | (..., ...) : ValueTuple<String,ValueTuple<Int32,String>,Int32> [field Item1] : String |
 | Tuples.cs:87:18:87:35 | (..., ...) : ValueTuple<String,ValueTuple<Int32,String>,Int32> [field Item2, field Item2] : String | semmle.label | (..., ...) : ValueTuple<String,ValueTuple<Int32,String>,Int32> [field Item2, field Item2] : String |
+| Tuples.cs:87:18:87:35 | (..., ...) : ValueTuple<String,ValueTuple<Int32,String>,Int32> [field Item2, field Item2] : String | semmle.label | (..., ...) : ValueTuple<String,ValueTuple<Int32,String>,Int32> [field Item2, field Item2] : String |
+| Tuples.cs:87:23:87:23 | SSA def(p) : String | semmle.label | SSA def(p) : String |
 | Tuples.cs:87:23:87:23 | SSA def(p) : String | semmle.label | SSA def(p) : String |
 | Tuples.cs:87:30:87:30 | SSA def(r) : String | semmle.label | SSA def(r) : String |
+| Tuples.cs:87:30:87:30 | SSA def(r) : String | semmle.label | SSA def(r) : String |
+| Tuples.cs:89:18:89:18 | access to local variable p | semmle.label | access to local variable p |
 | Tuples.cs:89:18:89:18 | access to local variable p | semmle.label | access to local variable p |
 | Tuples.cs:90:18:90:18 | access to local variable r | semmle.label | access to local variable r |
+| Tuples.cs:90:18:90:18 | access to local variable r | semmle.label | access to local variable r |
+| Tuples.cs:99:17:99:33 | call to method Source<String> : String | semmle.label | call to method Source<String> : String |
 | Tuples.cs:99:17:99:33 | call to method Source<String> : String | semmle.label | call to method Source<String> : String |
 | Tuples.cs:100:17:100:28 | object creation of type R1 : R1 [property i] : String | semmle.label | object creation of type R1 : R1 [property i] : String |
+| Tuples.cs:100:17:100:28 | object creation of type R1 : R1 [property i] : String | semmle.label | object creation of type R1 : R1 [property i] : String |
+| Tuples.cs:100:24:100:24 | access to local variable o : String | semmle.label | access to local variable o : String |
 | Tuples.cs:100:24:100:24 | access to local variable o : String | semmle.label | access to local variable o : String |
 | Tuples.cs:101:14:101:14 | access to local variable r : R1 [property i] : String | semmle.label | access to local variable r : R1 [property i] : String |
+| Tuples.cs:101:14:101:14 | access to local variable r : R1 [property i] : String | semmle.label | access to local variable r : R1 [property i] : String |
+| Tuples.cs:101:14:101:16 | access to property i | semmle.label | access to property i |
 | Tuples.cs:101:14:101:16 | access to property i | semmle.label | access to property i |
 | Tuples.cs:118:17:118:33 | call to method Source<Object> : Object | semmle.label | call to method Source<Object> : Object |
+| Tuples.cs:118:17:118:33 | call to method Source<Object> : Object | semmle.label | call to method Source<Object> : Object |
+| Tuples.cs:121:9:121:23 | (..., ...) : ValueTuple<Object,Int32> [field Item1] : Object | semmle.label | (..., ...) : ValueTuple<Object,Int32> [field Item1] : Object |
 | Tuples.cs:121:9:121:23 | (..., ...) : ValueTuple<Object,Int32> [field Item1] : Object | semmle.label | (..., ...) : ValueTuple<Object,Int32> [field Item1] : Object |
 | Tuples.cs:121:9:121:32 | SSA def(x1) : Object | semmle.label | SSA def(x1) : Object |
+| Tuples.cs:121:9:121:32 | SSA def(x1) : Object | semmle.label | SSA def(x1) : Object |
+| Tuples.cs:121:27:121:32 | (..., ...) : ValueTuple<Object,Int32> [field Item1] : Object | semmle.label | (..., ...) : ValueTuple<Object,Int32> [field Item1] : Object |
 | Tuples.cs:121:27:121:32 | (..., ...) : ValueTuple<Object,Int32> [field Item1] : Object | semmle.label | (..., ...) : ValueTuple<Object,Int32> [field Item1] : Object |
 | Tuples.cs:121:28:121:28 | access to local variable o : Object | semmle.label | access to local variable o : Object |
+| Tuples.cs:121:28:121:28 | access to local variable o : Object | semmle.label | access to local variable o : Object |
+| Tuples.cs:122:14:122:15 | access to local variable x1 | semmle.label | access to local variable x1 |
 | Tuples.cs:122:14:122:15 | access to local variable x1 | semmle.label | access to local variable x1 |
 | Tuples.cs:125:9:125:20 | (..., ...) : ValueTuple<Object,Int32> [field Item1] : Object | semmle.label | (..., ...) : ValueTuple<Object,Int32> [field Item1] : Object |
+| Tuples.cs:125:9:125:20 | (..., ...) : ValueTuple<Object,Int32> [field Item1] : Object | semmle.label | (..., ...) : ValueTuple<Object,Int32> [field Item1] : Object |
+| Tuples.cs:125:9:125:29 | SSA def(x2) : Object | semmle.label | SSA def(x2) : Object |
 | Tuples.cs:125:9:125:29 | SSA def(x2) : Object | semmle.label | SSA def(x2) : Object |
 | Tuples.cs:125:24:125:29 | (..., ...) : ValueTuple<Object,Int32> [field Item1] : Object | semmle.label | (..., ...) : ValueTuple<Object,Int32> [field Item1] : Object |
+| Tuples.cs:125:24:125:29 | (..., ...) : ValueTuple<Object,Int32> [field Item1] : Object | semmle.label | (..., ...) : ValueTuple<Object,Int32> [field Item1] : Object |
+| Tuples.cs:125:25:125:25 | access to local variable o : Object | semmle.label | access to local variable o : Object |
 | Tuples.cs:125:25:125:25 | access to local variable o : Object | semmle.label | access to local variable o : Object |
 | Tuples.cs:126:14:126:15 | access to local variable x2 | semmle.label | access to local variable x2 |
+| Tuples.cs:126:14:126:15 | access to local variable x2 | semmle.label | access to local variable x2 |
+| Tuples.cs:129:9:129:23 | (..., ...) : ValueTuple<Int32,Object> [field Item2] : Object | semmle.label | (..., ...) : ValueTuple<Int32,Object> [field Item2] : Object |
 | Tuples.cs:129:9:129:23 | (..., ...) : ValueTuple<Int32,Object> [field Item2] : Object | semmle.label | (..., ...) : ValueTuple<Int32,Object> [field Item2] : Object |
 | Tuples.cs:129:9:129:32 | SSA def(y3) : Object | semmle.label | SSA def(y3) : Object |
+| Tuples.cs:129:9:129:32 | SSA def(y3) : Object | semmle.label | SSA def(y3) : Object |
+| Tuples.cs:129:27:129:32 | (..., ...) : ValueTuple<Int32,Object> [field Item2] : Object | semmle.label | (..., ...) : ValueTuple<Int32,Object> [field Item2] : Object |
 | Tuples.cs:129:27:129:32 | (..., ...) : ValueTuple<Int32,Object> [field Item2] : Object | semmle.label | (..., ...) : ValueTuple<Int32,Object> [field Item2] : Object |
 | Tuples.cs:129:31:129:31 | access to local variable o : Object | semmle.label | access to local variable o : Object |
+| Tuples.cs:129:31:129:31 | access to local variable o : Object | semmle.label | access to local variable o : Object |
+| Tuples.cs:130:14:130:15 | access to local variable y3 | semmle.label | access to local variable y3 |
 | Tuples.cs:130:14:130:15 | access to local variable y3 | semmle.label | access to local variable y3 |
 | Tuples.cs:133:9:133:20 | (..., ...) : ValueTuple<Int32,Object> [field Item2] : Object | semmle.label | (..., ...) : ValueTuple<Int32,Object> [field Item2] : Object |
+| Tuples.cs:133:9:133:20 | (..., ...) : ValueTuple<Int32,Object> [field Item2] : Object | semmle.label | (..., ...) : ValueTuple<Int32,Object> [field Item2] : Object |
+| Tuples.cs:133:9:133:29 | SSA def(y4) : Object | semmle.label | SSA def(y4) : Object |
 | Tuples.cs:133:9:133:29 | SSA def(y4) : Object | semmle.label | SSA def(y4) : Object |
 | Tuples.cs:133:24:133:29 | (..., ...) : ValueTuple<Int32,Object> [field Item2] : Object | semmle.label | (..., ...) : ValueTuple<Int32,Object> [field Item2] : Object |
+| Tuples.cs:133:24:133:29 | (..., ...) : ValueTuple<Int32,Object> [field Item2] : Object | semmle.label | (..., ...) : ValueTuple<Int32,Object> [field Item2] : Object |
 | Tuples.cs:133:28:133:28 | access to local variable o : Object | semmle.label | access to local variable o : Object |
+| Tuples.cs:133:28:133:28 | access to local variable o : Object | semmle.label | access to local variable o : Object |
+| Tuples.cs:134:14:134:15 | access to local variable y4 | semmle.label | access to local variable y4 |
 | Tuples.cs:134:14:134:15 | access to local variable y4 | semmle.label | access to local variable y4 |
 subpaths
 #select
 | Tuples.cs:12:14:12:14 | access to local variable a | Tuples.cs:7:18:7:34 | call to method Source<Object> : Object | Tuples.cs:12:14:12:14 | access to local variable a | $@ | Tuples.cs:7:18:7:34 | call to method Source<Object> : Object | call to method Source<Object> : Object |
+| Tuples.cs:12:14:12:14 | access to local variable a | Tuples.cs:7:18:7:34 | call to method Source<Object> : Object | Tuples.cs:12:14:12:14 | access to local variable a | $@ | Tuples.cs:7:18:7:34 | call to method Source<Object> : Object | call to method Source<Object> : Object |
+| Tuples.cs:14:14:14:14 | access to local variable c | Tuples.cs:8:18:8:34 | call to method Source<Object> : Object | Tuples.cs:14:14:14:14 | access to local variable c | $@ | Tuples.cs:8:18:8:34 | call to method Source<Object> : Object | call to method Source<Object> : Object |
 | Tuples.cs:14:14:14:14 | access to local variable c | Tuples.cs:8:18:8:34 | call to method Source<Object> : Object | Tuples.cs:14:14:14:14 | access to local variable c | $@ | Tuples.cs:8:18:8:34 | call to method Source<Object> : Object | call to method Source<Object> : Object |
 | Tuples.cs:17:14:17:14 | access to local variable a | Tuples.cs:7:18:7:34 | call to method Source<Object> : Object | Tuples.cs:17:14:17:14 | access to local variable a | $@ | Tuples.cs:7:18:7:34 | call to method Source<Object> : Object | call to method Source<Object> : Object |
+| Tuples.cs:17:14:17:14 | access to local variable a | Tuples.cs:7:18:7:34 | call to method Source<Object> : Object | Tuples.cs:17:14:17:14 | access to local variable a | $@ | Tuples.cs:7:18:7:34 | call to method Source<Object> : Object | call to method Source<Object> : Object |
+| Tuples.cs:19:14:19:14 | access to local variable c | Tuples.cs:8:18:8:34 | call to method Source<Object> : Object | Tuples.cs:19:14:19:14 | access to local variable c | $@ | Tuples.cs:8:18:8:34 | call to method Source<Object> : Object | call to method Source<Object> : Object |
 | Tuples.cs:19:14:19:14 | access to local variable c | Tuples.cs:8:18:8:34 | call to method Source<Object> : Object | Tuples.cs:19:14:19:14 | access to local variable c | $@ | Tuples.cs:8:18:8:34 | call to method Source<Object> : Object | call to method Source<Object> : Object |
 | Tuples.cs:22:14:22:14 | access to local variable p | Tuples.cs:7:18:7:34 | call to method Source<Object> : Object | Tuples.cs:22:14:22:14 | access to local variable p | $@ | Tuples.cs:7:18:7:34 | call to method Source<Object> : Object | call to method Source<Object> : Object |
+| Tuples.cs:22:14:22:14 | access to local variable p | Tuples.cs:7:18:7:34 | call to method Source<Object> : Object | Tuples.cs:22:14:22:14 | access to local variable p | $@ | Tuples.cs:7:18:7:34 | call to method Source<Object> : Object | call to method Source<Object> : Object |
+| Tuples.cs:24:14:24:20 | access to field Item2 | Tuples.cs:8:18:8:34 | call to method Source<Object> : Object | Tuples.cs:24:14:24:20 | access to field Item2 | $@ | Tuples.cs:8:18:8:34 | call to method Source<Object> : Object | call to method Source<Object> : Object |
 | Tuples.cs:24:14:24:20 | access to field Item2 | Tuples.cs:8:18:8:34 | call to method Source<Object> : Object | Tuples.cs:24:14:24:20 | access to field Item2 | $@ | Tuples.cs:8:18:8:34 | call to method Source<Object> : Object | call to method Source<Object> : Object |
 | Tuples.cs:26:14:26:20 | access to field Item1 | Tuples.cs:7:18:7:34 | call to method Source<Object> : Object | Tuples.cs:26:14:26:20 | access to field Item1 | $@ | Tuples.cs:7:18:7:34 | call to method Source<Object> : Object | call to method Source<Object> : Object |
+| Tuples.cs:26:14:26:20 | access to field Item1 | Tuples.cs:7:18:7:34 | call to method Source<Object> : Object | Tuples.cs:26:14:26:20 | access to field Item1 | $@ | Tuples.cs:7:18:7:34 | call to method Source<Object> : Object | call to method Source<Object> : Object |
+| Tuples.cs:27:14:27:16 | access to field Item1 | Tuples.cs:7:18:7:34 | call to method Source<Object> : Object | Tuples.cs:27:14:27:16 | access to field Item1 | $@ | Tuples.cs:7:18:7:34 | call to method Source<Object> : Object | call to method Source<Object> : Object |
 | Tuples.cs:27:14:27:16 | access to field Item1 | Tuples.cs:7:18:7:34 | call to method Source<Object> : Object | Tuples.cs:27:14:27:16 | access to field Item1 | $@ | Tuples.cs:7:18:7:34 | call to method Source<Object> : Object | call to method Source<Object> : Object |
 | Tuples.cs:29:14:29:26 | access to field Item2 | Tuples.cs:8:18:8:34 | call to method Source<Object> : Object | Tuples.cs:29:14:29:26 | access to field Item2 | $@ | Tuples.cs:8:18:8:34 | call to method Source<Object> : Object | call to method Source<Object> : Object |
+| Tuples.cs:29:14:29:26 | access to field Item2 | Tuples.cs:8:18:8:34 | call to method Source<Object> : Object | Tuples.cs:29:14:29:26 | access to field Item2 | $@ | Tuples.cs:8:18:8:34 | call to method Source<Object> : Object | call to method Source<Object> : Object |
+| Tuples.cs:38:14:38:20 | access to field Item1 | Tuples.cs:34:18:34:34 | call to method Source<Object> : Object | Tuples.cs:38:14:38:20 | access to field Item1 | $@ | Tuples.cs:34:18:34:34 | call to method Source<Object> : Object | call to method Source<Object> : Object |
 | Tuples.cs:38:14:38:20 | access to field Item1 | Tuples.cs:34:18:34:34 | call to method Source<Object> : Object | Tuples.cs:38:14:38:20 | access to field Item1 | $@ | Tuples.cs:34:18:34:34 | call to method Source<Object> : Object | call to method Source<Object> : Object |
 | Tuples.cs:40:14:40:21 | access to field Item10 | Tuples.cs:35:18:35:34 | call to method Source<Object> : Object | Tuples.cs:40:14:40:21 | access to field Item10 | $@ | Tuples.cs:35:18:35:34 | call to method Source<Object> : Object | call to method Source<Object> : Object |
+| Tuples.cs:40:14:40:21 | access to field Item10 | Tuples.cs:35:18:35:34 | call to method Source<Object> : Object | Tuples.cs:40:14:40:21 | access to field Item10 | $@ | Tuples.cs:35:18:35:34 | call to method Source<Object> : Object | call to method Source<Object> : Object |
+| Tuples.cs:47:14:47:20 | access to field Item1 | Tuples.cs:45:17:45:33 | call to method Source<String> : String | Tuples.cs:47:14:47:20 | access to field Item1 | $@ | Tuples.cs:45:17:45:33 | call to method Source<String> : String | call to method Source<String> : String |
 | Tuples.cs:47:14:47:20 | access to field Item1 | Tuples.cs:45:17:45:33 | call to method Source<String> : String | Tuples.cs:47:14:47:20 | access to field Item1 | $@ | Tuples.cs:45:17:45:33 | call to method Source<String> : String | call to method Source<String> : String |
 | Tuples.cs:63:22:63:28 | access to field Item1 | Tuples.cs:57:18:57:34 | call to method Source<String> : String | Tuples.cs:63:22:63:28 | access to field Item1 | $@ | Tuples.cs:57:18:57:34 | call to method Source<String> : String | call to method Source<String> : String |
+| Tuples.cs:63:22:63:28 | access to field Item1 | Tuples.cs:57:18:57:34 | call to method Source<String> : String | Tuples.cs:63:22:63:28 | access to field Item1 | $@ | Tuples.cs:57:18:57:34 | call to method Source<String> : String | call to method Source<String> : String |
+| Tuples.cs:64:22:64:34 | access to field Item2 | Tuples.cs:58:18:58:34 | call to method Source<String> : String | Tuples.cs:64:22:64:34 | access to field Item2 | $@ | Tuples.cs:58:18:58:34 | call to method Source<String> : String | call to method Source<String> : String |
 | Tuples.cs:64:22:64:34 | access to field Item2 | Tuples.cs:58:18:58:34 | call to method Source<String> : String | Tuples.cs:64:22:64:34 | access to field Item2 | $@ | Tuples.cs:58:18:58:34 | call to method Source<String> : String | call to method Source<String> : String |
 | Tuples.cs:68:22:68:22 | access to local variable a | Tuples.cs:57:18:57:34 | call to method Source<String> : String | Tuples.cs:68:22:68:22 | access to local variable a | $@ | Tuples.cs:57:18:57:34 | call to method Source<String> : String | call to method Source<String> : String |
+| Tuples.cs:68:22:68:22 | access to local variable a | Tuples.cs:57:18:57:34 | call to method Source<String> : String | Tuples.cs:68:22:68:22 | access to local variable a | $@ | Tuples.cs:57:18:57:34 | call to method Source<String> : String | call to method Source<String> : String |
+| Tuples.cs:69:22:69:22 | access to local variable c | Tuples.cs:58:18:58:34 | call to method Source<String> : String | Tuples.cs:69:22:69:22 | access to local variable c | $@ | Tuples.cs:58:18:58:34 | call to method Source<String> : String | call to method Source<String> : String |
 | Tuples.cs:69:22:69:22 | access to local variable c | Tuples.cs:58:18:58:34 | call to method Source<String> : String | Tuples.cs:69:22:69:22 | access to local variable c | $@ | Tuples.cs:58:18:58:34 | call to method Source<String> : String | call to method Source<String> : String |
 | Tuples.cs:89:18:89:18 | access to local variable p | Tuples.cs:57:18:57:34 | call to method Source<String> : String | Tuples.cs:89:18:89:18 | access to local variable p | $@ | Tuples.cs:57:18:57:34 | call to method Source<String> : String | call to method Source<String> : String |
+| Tuples.cs:89:18:89:18 | access to local variable p | Tuples.cs:57:18:57:34 | call to method Source<String> : String | Tuples.cs:89:18:89:18 | access to local variable p | $@ | Tuples.cs:57:18:57:34 | call to method Source<String> : String | call to method Source<String> : String |
+| Tuples.cs:90:18:90:18 | access to local variable r | Tuples.cs:58:18:58:34 | call to method Source<String> : String | Tuples.cs:90:18:90:18 | access to local variable r | $@ | Tuples.cs:58:18:58:34 | call to method Source<String> : String | call to method Source<String> : String |
 | Tuples.cs:90:18:90:18 | access to local variable r | Tuples.cs:58:18:58:34 | call to method Source<String> : String | Tuples.cs:90:18:90:18 | access to local variable r | $@ | Tuples.cs:58:18:58:34 | call to method Source<String> : String | call to method Source<String> : String |
 | Tuples.cs:101:14:101:16 | access to property i | Tuples.cs:99:17:99:33 | call to method Source<String> : String | Tuples.cs:101:14:101:16 | access to property i | $@ | Tuples.cs:99:17:99:33 | call to method Source<String> : String | call to method Source<String> : String |
+| Tuples.cs:101:14:101:16 | access to property i | Tuples.cs:99:17:99:33 | call to method Source<String> : String | Tuples.cs:101:14:101:16 | access to property i | $@ | Tuples.cs:99:17:99:33 | call to method Source<String> : String | call to method Source<String> : String |
+| Tuples.cs:122:14:122:15 | access to local variable x1 | Tuples.cs:118:17:118:33 | call to method Source<Object> : Object | Tuples.cs:122:14:122:15 | access to local variable x1 | $@ | Tuples.cs:118:17:118:33 | call to method Source<Object> : Object | call to method Source<Object> : Object |
 | Tuples.cs:122:14:122:15 | access to local variable x1 | Tuples.cs:118:17:118:33 | call to method Source<Object> : Object | Tuples.cs:122:14:122:15 | access to local variable x1 | $@ | Tuples.cs:118:17:118:33 | call to method Source<Object> : Object | call to method Source<Object> : Object |
 | Tuples.cs:126:14:126:15 | access to local variable x2 | Tuples.cs:118:17:118:33 | call to method Source<Object> : Object | Tuples.cs:126:14:126:15 | access to local variable x2 | $@ | Tuples.cs:118:17:118:33 | call to method Source<Object> : Object | call to method Source<Object> : Object |
+| Tuples.cs:126:14:126:15 | access to local variable x2 | Tuples.cs:118:17:118:33 | call to method Source<Object> : Object | Tuples.cs:126:14:126:15 | access to local variable x2 | $@ | Tuples.cs:118:17:118:33 | call to method Source<Object> : Object | call to method Source<Object> : Object |
+| Tuples.cs:130:14:130:15 | access to local variable y3 | Tuples.cs:118:17:118:33 | call to method Source<Object> : Object | Tuples.cs:130:14:130:15 | access to local variable y3 | $@ | Tuples.cs:118:17:118:33 | call to method Source<Object> : Object | call to method Source<Object> : Object |
 | Tuples.cs:130:14:130:15 | access to local variable y3 | Tuples.cs:118:17:118:33 | call to method Source<Object> : Object | Tuples.cs:130:14:130:15 | access to local variable y3 | $@ | Tuples.cs:118:17:118:33 | call to method Source<Object> : Object | call to method Source<Object> : Object |
 | Tuples.cs:134:14:134:15 | access to local variable y4 | Tuples.cs:118:17:118:33 | call to method Source<Object> : Object | Tuples.cs:134:14:134:15 | access to local variable y4 | $@ | Tuples.cs:118:17:118:33 | call to method Source<Object> : Object | call to method Source<Object> : Object |
+| Tuples.cs:134:14:134:15 | access to local variable y4 | Tuples.cs:118:17:118:33 | call to method Source<Object> : Object | Tuples.cs:134:14:134:15 | access to local variable y4 | $@ | Tuples.cs:118:17:118:33 | call to method Source<Object> : Object | call to method Source<Object> : Object |

csharp/ql/test/library-tests/dataflow/tuples/Tuples.ql

@@ -3,9 +3,10 @@
  */
 
 import csharp
-import DefaultValueFlow::PathGraph
 import TestUtilities.InlineFlowTest
+import DefaultFlowTest
+import PathGraph
 
-from DefaultValueFlow::PathNode source, DefaultValueFlow::PathNode sink
-where DefaultValueFlow::flowPath(source, sink)
+from PathNode source, PathNode sink
+where flowPath(source, sink)
 select sink, source, sink, "$@", source, source.toString()

csharp/ql/test/query-tests/API Abuse/CallToGCCollect/options

@@ -0,0 +1,2 @@
+semmle-extractor-options: /nostdlib /noconfig
+semmle-extractor-options: --load-sources-from-project:${testdir}/../../../resources/stubs/_frameworks/Microsoft.NETCore.App/Microsoft.NETCore.App.csproj

csharp/ql/test/query-tests/API Abuse/CallToObsoleteMethod/options

@@ -0,0 +1,2 @@
+semmle-extractor-options: /nostdlib /noconfig
+semmle-extractor-options: --load-sources-from-project:${testdir}/../../../resources/stubs/_frameworks/Microsoft.NETCore.App/Microsoft.NETCore.App.csproj

csharp/ql/test/query-tests/API Abuse/ClassDoesNotImplementEquals/options

@@ -0,0 +1,2 @@
+semmle-extractor-options: /nostdlib /noconfig
+semmle-extractor-options: --load-sources-from-project:${testdir}/../../../resources/stubs/_frameworks/Microsoft.NETCore.App/Microsoft.NETCore.App.csproj

csharp/ql/test/query-tests/API Abuse/ClassImplementsICloneable/options

@@ -0,0 +1,2 @@
+semmle-extractor-options: /nostdlib /noconfig
+semmle-extractor-options: --load-sources-from-project:${testdir}/../../../resources/stubs/_frameworks/Microsoft.NETCore.App/Microsoft.NETCore.App.csproj

csharp/ql/test/query-tests/API Abuse/DisposeNotCalledOnException/options

@@ -1,2 +1,2 @@
-semmle-extractor-options: /r:System.ComponentModel.Primitives.dll /r:${testdir}/../../../resources/assemblies/System.Data.dll /r:System.Data.Common.dll
-semmle-extractor-options: /langversion:8.0
+semmle-extractor-options: /nostdlib /noconfig
+semmle-extractor-options: --load-sources-from-project:${testdir}/../../../resources/stubs/System.Data.SqlClient/4.8.3/System.Data.SqlClient.csproj

csharp/ql/test/query-tests/API Abuse/FormatInvalid/options

@@ -1 +1,2 @@
-semmle-extractor-options: /r:System.Runtime.Extensions.dll /r:System.Diagnostics.TraceSource.dll
+semmle-extractor-options: /nostdlib /noconfig
+semmle-extractor-options: --load-sources-from-project:${testdir}/../../../resources/stubs/_frameworks/Microsoft.NETCore.App/Microsoft.NETCore.App.csproj

csharp/ql/test/query-tests/API Abuse/InconsistentEqualsGetHashCode/options

@@ -0,0 +1,2 @@
+semmle-extractor-options: /nostdlib /noconfig
+semmle-extractor-options: --load-sources-from-project:${testdir}/../../../resources/stubs/_frameworks/Microsoft.NETCore.App/Microsoft.NETCore.App.csproj

csharp/ql/test/query-tests/API Abuse/IncorrectCompareToSignature/IncorrectCompareToSignature.cs

@@ -1,15 +1,4 @@
-namespace System
-{
-    public interface IComparable
-    {
-        int CompareTo(object obj); // GOOD: the very definition of IComparable.CompareTo()
-    }
-
-    public interface IComparable<in T>
-    {
-        int CompareTo(T other);  // GOOD: the very definition of IComparable<T>.CompareTo()
-    }
-}
+using System;
 
 class C1<T>
 {

csharp/ql/test/query-tests/API Abuse/IncorrectCompareToSignature/IncorrectCompareToSignature.expected

@@ -1,2 +1,2 @@
-| IncorrectCompareToSignature.cs:16:16:16:24 | CompareTo | The parameter of this 'CompareTo' method is of type $@, but $@ does not implement 'IComparable<$@>'. | IncorrectCompareToSignature.cs:14:10:14:10 | T | T | IncorrectCompareToSignature.cs:14:7:14:11 | C1<> | C1<> | IncorrectCompareToSignature.cs:14:10:14:10 | T | T |
+| IncorrectCompareToSignature.cs:5:16:5:24 | CompareTo | The parameter of this 'CompareTo' method is of type $@, but $@ does not implement 'IComparable<$@>'. | IncorrectCompareToSignature.cs:3:10:3:10 | T | T | IncorrectCompareToSignature.cs:3:7:3:11 | C1<> | C1<> | IncorrectCompareToSignature.cs:3:10:3:10 | T | T |
 | IncorrectCompareToSignatureBad.cs:5:16:5:24 | CompareTo | The parameter of this 'CompareTo' method is of type $@, but $@ does not implement 'IComparable<$@>'. | IncorrectCompareToSignatureBad.cs:3:7:3:9 | Bad | Bad | IncorrectCompareToSignatureBad.cs:3:7:3:9 | Bad | Bad | IncorrectCompareToSignatureBad.cs:3:7:3:9 | Bad | Bad |

csharp/ql/test/query-tests/API Abuse/IncorrectCompareToSignature/options

@@ -0,0 +1,2 @@
+semmle-extractor-options: /nostdlib /noconfig
+semmle-extractor-options: --load-sources-from-project:${testdir}/../../../resources/stubs/_frameworks/Microsoft.NETCore.App/Microsoft.NETCore.App.csproj

csharp/ql/test/query-tests/API Abuse/IncorrectEqualsSignature/options

@@ -0,0 +1,2 @@
+semmle-extractor-options: /nostdlib /noconfig
+semmle-extractor-options: --load-sources-from-project:${testdir}/../../../resources/stubs/_frameworks/Microsoft.NETCore.App/Microsoft.NETCore.App.csproj

csharp/ql/test/query-tests/API Abuse/MissingDisposeCall/options

@@ -1 +1,2 @@
-semmle-extractor-options: /r:System.ComponentModel.Primitives.dll
+semmle-extractor-options: /nostdlib /noconfig
+semmle-extractor-options: --load-sources-from-project:${testdir}/../../../resources/stubs/_frameworks/Microsoft.NETCore.App/Microsoft.NETCore.App.csproj

csharp/ql/test/query-tests/API Abuse/MissingDisposeMethod/options

@@ -1 +1,2 @@
-semmle-extractor-options: /r:System.ComponentModel.Primitives.dll
+semmle-extractor-options: /nostdlib /noconfig
+semmle-extractor-options: --load-sources-from-project:${testdir}/../../../resources/stubs/_frameworks/Microsoft.NETCore.App/Microsoft.NETCore.App.csproj

csharp/ql/test/query-tests/API Abuse/NoDisposeCallOnLocalIDisposable/options

@@ -1 +1 @@
-semmle-extractor-options: --cil /langversion:8.0 /r:System.Xml.dll /r:System.Xml.ReaderWriter.dll /r:System.Private.Xml.dll /r:System.ComponentModel.Primitives.dll /r:System.IO.Compression.dll /r:System.Runtime.Extensions.dll
+semmle-extractor-options: --cil /r:System.Private.Xml.dll /r:System.IO.Compression.dll

csharp/ql/test/query-tests/API Abuse/NonOverridingMethod/options

@@ -0,0 +1,2 @@
+semmle-extractor-options: /nostdlib /noconfig
+semmle-extractor-options: --load-sources-from-project:${testdir}/../../../resources/stubs/_frameworks/Microsoft.NETCore.App/Microsoft.NETCore.App.csproj

csharp/ql/test/query-tests/API Abuse/NullArgumentToEquals/options

@@ -0,0 +1,2 @@
+semmle-extractor-options: /nostdlib /noconfig
+semmle-extractor-options: --load-sources-from-project:${testdir}/../../../resources/stubs/_frameworks/Microsoft.NETCore.App/Microsoft.NETCore.App.csproj

csharp/ql/test/query-tests/API Abuse/UncheckedReturnValue/UncheckedReturnValue.cs

@@ -1,11 +1,6 @@
 using System;
-class HashSet<T>
-{
-    public bool Add(T t)
-    {
-        return true;
-    }
-}
+using System.Text;
+using System.Collections.Generic;
 
 class C1
 {
@@ -30,11 +25,6 @@ class C1
     }
 }
 
-class StringBuilder
-{
-    public StringBuilder Append(string s) { return this; }
-}
-
 class C2
 {
     static void Main(string[] args)
@@ -59,20 +49,6 @@ class C2
     }
 }
 
-namespace System.IO
-{
-    public abstract class Stream
-    {
-        public abstract int Read(byte[] buffer, int offset, int count);
-        public virtual int ReadByte() { return 0; }
-    }
-
-    public class MemoryStream : Stream
-    {
-        public override int Read(byte[] buffer, int offset, int count) { return 0; }
-    }
-}
-
 class C3
 {
     static void Main(string[] args)

csharp/ql/test/query-tests/API Abuse/UncheckedReturnValue/UncheckedReturnValue.expected

@@ -1,8 +1,8 @@
-| UncheckedReturnValue.cs:29:9:29:31 | call to method Add | Result of call to 'Add' is ignored, but 90% of calls to this method have their result used. |
-| UncheckedReturnValue.cs:91:9:91:26 | call to method Read | Result of call to 'Read' is ignored, but should always be checked. |
-| UncheckedReturnValue.cs:92:9:92:20 | call to method ReadByte | Result of call to 'ReadByte' is ignored, but should always be checked. |
-| UncheckedReturnValue.cs:109:9:109:17 | call to method M1<Int32> | Result of call to 'M1<Int32>' is ignored, but 90% of calls to this method have their result used. |
-| UncheckedReturnValue.cs:130:9:130:21 | call to method M2<Decimal> | Result of call to 'M2<Decimal>' is ignored, but 90% of calls to this method have their result used. |
-| UncheckedReturnValue.cs:142:9:142:20 | call to method M3<C6> | Result of call to 'M3<C6>' is ignored, but 90% of calls to this method have their result used. |
+| UncheckedReturnValue.cs:24:9:24:31 | call to method Add | Result of call to 'Add' is ignored, but 90% of calls to this method have their result used. |
+| UncheckedReturnValue.cs:67:9:67:26 | call to method Read | Result of call to 'Read' is ignored, but should always be checked. |
+| UncheckedReturnValue.cs:68:9:68:20 | call to method ReadByte | Result of call to 'ReadByte' is ignored, but should always be checked. |
+| UncheckedReturnValue.cs:85:9:85:17 | call to method M1<Int32> | Result of call to 'M1<Int32>' is ignored, but 90% of calls to this method have their result used. |
+| UncheckedReturnValue.cs:106:9:106:21 | call to method M2<Decimal> | Result of call to 'M2<Decimal>' is ignored, but 90% of calls to this method have their result used. |
+| UncheckedReturnValue.cs:118:9:118:20 | call to method M3<C6> | Result of call to 'M3<C6>' is ignored, but 90% of calls to this method have their result used. |
 | UncheckedReturnValueBad.cs:29:9:29:20 | call to method DoPrint | Result of call to 'DoPrint' is ignored, but 90% of calls to this method have their result used. |
 | UncheckedReturnValueBad.cs:36:13:36:40 | call to method Read | Result of call to 'Read' is ignored, but should always be checked. |