Merge pull request #5032 from aschackmull/dataflow/subpaths

Dataflow: Add subpaths query predicate.
2021-09-08 11:52:41 +02:00 · 2021-09-08 11:52:41 +02:00 · 2b7882e6e5
--- a/cpp/ql/lib/semmle/code/cpp/dataflow/internal/DataFlowImpl.qll
+++ b/cpp/ql/lib/semmle/code/cpp/dataflow/internal/DataFlowImpl.qll
@ -3258,24 +3258,16 @@ class PathNode extends TPathNode {
  /** Gets the associated configuration. */
  Configuration getConfiguration() { none() }

-  private predicate isHidden() {
-    hiddenNode(this.(PathNodeImpl).getNodeEx().asNode()) and
-    not this.isSource() and
-    not this instanceof PathNodeSink
-    or
-    this.(PathNodeImpl).getNodeEx() instanceof TNodeImplicitRead
-  }
-
  private PathNode getASuccessorIfHidden() {
-    this.isHidden() and
+    this.(PathNodeImpl).isHidden() and
    result = this.(PathNodeImpl).getASuccessorImpl()
  }

  /** Gets a successor of this node, if any. */
  final PathNode getASuccessor() {
    result = this.(PathNodeImpl).getASuccessorImpl().getASuccessorIfHidden*() and
-    not this.isHidden() and
-    not result.isHidden()
+    not this.(PathNodeImpl).isHidden() and
+    not result.(PathNodeImpl).isHidden()
  }

  /** Holds if this node is a source. */
@ -3287,6 +3279,14 @@ abstract private class PathNodeImpl extends PathNode {

  abstract NodeEx getNodeEx();

+  predicate isHidden() {
+    hiddenNode(this.getNodeEx().asNode()) and
+    not this.isSource() and
+    not this instanceof PathNodeSink
+    or
+    this.getNodeEx() instanceof TNodeImplicitRead
+  }
+
  private string ppAp() {
    this instanceof PathNodeSink and result = ""
    or
@ -3313,9 +3313,14 @@ abstract private class PathNodeImpl extends PathNode {
 }

 /** Holds if `n` can reach a sink. */
-private predicate reach(PathNode n) { n instanceof PathNodeSink or reach(n.getASuccessor()) }
+private predicate directReach(PathNode n) {
+  n instanceof PathNodeSink or directReach(n.getASuccessor())
+}

-/** Holds if `n1.getSucc() = n2` and `n2` can reach a sink. */
+/** Holds if `n` can reach a sink or is used in a subpath. */
+private predicate reach(PathNode n) { directReach(n) or Subpaths::retReach(n) }
+
+/** Holds if `n1.getSucc() = n2` and `n2` can reach a sink or is used in a subpath. */
 private predicate pathSucc(PathNode n1, PathNode n2) { n1.getASuccessor() = n2 and reach(n2) }

 private predicate pathSuccPlus(PathNode n1, PathNode n2) = fastTC(pathSucc/2)(n1, n2)
@ -3331,6 +3336,8 @@ module PathGraph {
  query predicate nodes(PathNode n, string key, string val) {
    reach(n) and key = "semmle.label" and val = n.toString()
  }
+
+  query predicate subpaths = Subpaths::subpaths/4;
 }

 /**
@ -3622,6 +3629,86 @@ private predicate pathThroughCallable(PathNodeMid mid, NodeEx out, CallContext c
  )
 }

+private module Subpaths {
+  /**
+   * Holds if `(arg, par, ret, out)` forms a subpath-tuple and `ret` is determined by
+   * `kind`, `sc`, `apout`, and `innercc`.
+   */
+  pragma[nomagic]
+  private predicate subpaths01(
+    PathNode arg, ParamNodeEx par, SummaryCtxSome sc, CallContext innercc, ReturnKindExt kind,
+    NodeEx out, AccessPath apout
+  ) {
+    pathThroughCallable(arg, out, _, apout) and
+    pathIntoCallable(arg, par, _, innercc, sc, _) and
+    paramFlowsThrough(kind, innercc, sc, apout, _, unbindConf(arg.getConfiguration()))
+  }
+
+  /**
+   * Holds if `(arg, par, ret, out)` forms a subpath-tuple and `ret` is determined by
+   * `kind`, `sc`, `apout`, and `innercc`.
+   */
+  pragma[nomagic]
+  private predicate subpaths02(
+    PathNode arg, ParamNodeEx par, SummaryCtxSome sc, CallContext innercc, ReturnKindExt kind,
+    NodeEx out, AccessPath apout
+  ) {
+    subpaths01(arg, par, sc, innercc, kind, out, apout) and
+    out.asNode() = kind.getAnOutNode(_)
+  }
+
+  pragma[nomagic]
+  private Configuration getPathNodeConf(PathNode n) { result = n.getConfiguration() }
+
+  /**
+   * Holds if `(arg, par, ret, out)` forms a subpath-tuple.
+   */
+  pragma[nomagic]
+  private predicate subpaths03(
+    PathNode arg, ParamNodeEx par, PathNodeMid ret, NodeEx out, AccessPath apout
+  ) {
+    exists(SummaryCtxSome sc, CallContext innercc, ReturnKindExt kind, RetNodeEx retnode |
+      subpaths02(arg, par, sc, innercc, kind, out, apout) and
+      ret.getNodeEx() = retnode and
+      kind = retnode.getKind() and
+      innercc = ret.getCallContext() and
+      sc = ret.getSummaryCtx() and
+      ret.getConfiguration() = unbindConf(getPathNodeConf(arg)) and
+      apout = ret.getAp() and
+      not ret.isHidden()
+    )
+  }
+
+  /**
+   * Holds if `(arg, par, ret, out)` forms a subpath-tuple, that is, flow through
+   * a subpath between `par` and `ret` with the connecting edges `arg -> par` and
+   * `ret -> out` is summarized as the edge `arg -> out`.
+   */
+  predicate subpaths(PathNode arg, PathNodeImpl par, PathNodeMid ret, PathNodeMid out) {
+    exists(ParamNodeEx p, NodeEx o, AccessPath apout |
+      arg.getASuccessor() = par and
+      arg.getASuccessor() = out and
+      subpaths03(arg, p, ret, o, apout) and
+      par.getNodeEx() = p and
+      out.getNodeEx() = o and
+      out.getAp() = apout
+    )
+  }
+
+  /**
+   * Holds if `n` can reach a return node in a summarized subpath.
+   */
+  predicate retReach(PathNode n) {
+    subpaths(_, _, n, _)
+    or
+    exists(PathNode mid |
+      retReach(mid) and
+      n.getASuccessor() = mid and
+      not subpaths(_, mid, _, _)
+    )
+  }
+}
+
 /**
 * Holds if data can flow (inter-procedurally) from `source` to `sink`.
 *
--- a/cpp/ql/lib/semmle/code/cpp/dataflow/internal/DataFlowImpl2.qll
+++ b/cpp/ql/lib/semmle/code/cpp/dataflow/internal/DataFlowImpl2.qll
@ -3258,24 +3258,16 @@ class PathNode extends TPathNode {
  /** Gets the associated configuration. */
  Configuration getConfiguration() { none() }

-  private predicate isHidden() {
-    hiddenNode(this.(PathNodeImpl).getNodeEx().asNode()) and
-    not this.isSource() and
-    not this instanceof PathNodeSink
-    or
-    this.(PathNodeImpl).getNodeEx() instanceof TNodeImplicitRead
-  }
-
  private PathNode getASuccessorIfHidden() {
-    this.isHidden() and
+    this.(PathNodeImpl).isHidden() and
    result = this.(PathNodeImpl).getASuccessorImpl()
  }

  /** Gets a successor of this node, if any. */
  final PathNode getASuccessor() {
    result = this.(PathNodeImpl).getASuccessorImpl().getASuccessorIfHidden*() and
-    not this.isHidden() and
-    not result.isHidden()
+    not this.(PathNodeImpl).isHidden() and
+    not result.(PathNodeImpl).isHidden()
  }

  /** Holds if this node is a source. */
@ -3287,6 +3279,14 @@ abstract private class PathNodeImpl extends PathNode {

  abstract NodeEx getNodeEx();

+  predicate isHidden() {
+    hiddenNode(this.getNodeEx().asNode()) and
+    not this.isSource() and
+    not this instanceof PathNodeSink
+    or
+    this.getNodeEx() instanceof TNodeImplicitRead
+  }
+
  private string ppAp() {
    this instanceof PathNodeSink and result = ""
    or
@ -3313,9 +3313,14 @@ abstract private class PathNodeImpl extends PathNode {
 }

 /** Holds if `n` can reach a sink. */
-private predicate reach(PathNode n) { n instanceof PathNodeSink or reach(n.getASuccessor()) }
+private predicate directReach(PathNode n) {
+  n instanceof PathNodeSink or directReach(n.getASuccessor())
+}

-/** Holds if `n1.getSucc() = n2` and `n2` can reach a sink. */
+/** Holds if `n` can reach a sink or is used in a subpath. */
+private predicate reach(PathNode n) { directReach(n) or Subpaths::retReach(n) }
+
+/** Holds if `n1.getSucc() = n2` and `n2` can reach a sink or is used in a subpath. */
 private predicate pathSucc(PathNode n1, PathNode n2) { n1.getASuccessor() = n2 and reach(n2) }

 private predicate pathSuccPlus(PathNode n1, PathNode n2) = fastTC(pathSucc/2)(n1, n2)
@ -3331,6 +3336,8 @@ module PathGraph {
  query predicate nodes(PathNode n, string key, string val) {
    reach(n) and key = "semmle.label" and val = n.toString()
  }
+
+  query predicate subpaths = Subpaths::subpaths/4;
 }

 /**
@ -3622,6 +3629,86 @@ private predicate pathThroughCallable(PathNodeMid mid, NodeEx out, CallContext c
  )
 }

+private module Subpaths {
+  /**
+   * Holds if `(arg, par, ret, out)` forms a subpath-tuple and `ret` is determined by
+   * `kind`, `sc`, `apout`, and `innercc`.
+   */
+  pragma[nomagic]
+  private predicate subpaths01(
+    PathNode arg, ParamNodeEx par, SummaryCtxSome sc, CallContext innercc, ReturnKindExt kind,
+    NodeEx out, AccessPath apout
+  ) {
+    pathThroughCallable(arg, out, _, apout) and
+    pathIntoCallable(arg, par, _, innercc, sc, _) and
+    paramFlowsThrough(kind, innercc, sc, apout, _, unbindConf(arg.getConfiguration()))
+  }
+
+  /**
+   * Holds if `(arg, par, ret, out)` forms a subpath-tuple and `ret` is determined by
+   * `kind`, `sc`, `apout`, and `innercc`.
+   */
+  pragma[nomagic]
+  private predicate subpaths02(
+    PathNode arg, ParamNodeEx par, SummaryCtxSome sc, CallContext innercc, ReturnKindExt kind,
+    NodeEx out, AccessPath apout
+  ) {
+    subpaths01(arg, par, sc, innercc, kind, out, apout) and
+    out.asNode() = kind.getAnOutNode(_)
+  }
+
+  pragma[nomagic]
+  private Configuration getPathNodeConf(PathNode n) { result = n.getConfiguration() }
+
+  /**
+   * Holds if `(arg, par, ret, out)` forms a subpath-tuple.
+   */
+  pragma[nomagic]
+  private predicate subpaths03(
+    PathNode arg, ParamNodeEx par, PathNodeMid ret, NodeEx out, AccessPath apout
+  ) {
+    exists(SummaryCtxSome sc, CallContext innercc, ReturnKindExt kind, RetNodeEx retnode |
+      subpaths02(arg, par, sc, innercc, kind, out, apout) and
+      ret.getNodeEx() = retnode and
+      kind = retnode.getKind() and
+      innercc = ret.getCallContext() and
+      sc = ret.getSummaryCtx() and
+      ret.getConfiguration() = unbindConf(getPathNodeConf(arg)) and
+      apout = ret.getAp() and
+      not ret.isHidden()
+    )
+  }
+
+  /**
+   * Holds if `(arg, par, ret, out)` forms a subpath-tuple, that is, flow through
+   * a subpath between `par` and `ret` with the connecting edges `arg -> par` and
+   * `ret -> out` is summarized as the edge `arg -> out`.
+   */
+  predicate subpaths(PathNode arg, PathNodeImpl par, PathNodeMid ret, PathNodeMid out) {
+    exists(ParamNodeEx p, NodeEx o, AccessPath apout |
+      arg.getASuccessor() = par and
+      arg.getASuccessor() = out and
+      subpaths03(arg, p, ret, o, apout) and
+      par.getNodeEx() = p and
+      out.getNodeEx() = o and
+      out.getAp() = apout
+    )
+  }
+
+  /**
+   * Holds if `n` can reach a return node in a summarized subpath.
+   */
+  predicate retReach(PathNode n) {
+    subpaths(_, _, n, _)
+    or
+    exists(PathNode mid |
+      retReach(mid) and
+      n.getASuccessor() = mid and
+      not subpaths(_, mid, _, _)
+    )
+  }
+}
+
 /**
 * Holds if data can flow (inter-procedurally) from `source` to `sink`.
 *
--- a/cpp/ql/lib/semmle/code/cpp/dataflow/internal/DataFlowImpl3.qll
+++ b/cpp/ql/lib/semmle/code/cpp/dataflow/internal/DataFlowImpl3.qll
@ -3258,24 +3258,16 @@ class PathNode extends TPathNode {
  /** Gets the associated configuration. */
  Configuration getConfiguration() { none() }

-  private predicate isHidden() {
-    hiddenNode(this.(PathNodeImpl).getNodeEx().asNode()) and
-    not this.isSource() and
-    not this instanceof PathNodeSink
-    or
-    this.(PathNodeImpl).getNodeEx() instanceof TNodeImplicitRead
-  }
-
  private PathNode getASuccessorIfHidden() {
-    this.isHidden() and
+    this.(PathNodeImpl).isHidden() and
    result = this.(PathNodeImpl).getASuccessorImpl()
  }

  /** Gets a successor of this node, if any. */
  final PathNode getASuccessor() {
    result = this.(PathNodeImpl).getASuccessorImpl().getASuccessorIfHidden*() and
-    not this.isHidden() and
-    not result.isHidden()
+    not this.(PathNodeImpl).isHidden() and
+    not result.(PathNodeImpl).isHidden()
  }

  /** Holds if this node is a source. */
@ -3287,6 +3279,14 @@ abstract private class PathNodeImpl extends PathNode {

  abstract NodeEx getNodeEx();

+  predicate isHidden() {
+    hiddenNode(this.getNodeEx().asNode()) and
+    not this.isSource() and
+    not this instanceof PathNodeSink
+    or
+    this.getNodeEx() instanceof TNodeImplicitRead
+  }
+
  private string ppAp() {
    this instanceof PathNodeSink and result = ""
    or
@ -3313,9 +3313,14 @@ abstract private class PathNodeImpl extends PathNode {
 }

 /** Holds if `n` can reach a sink. */
-private predicate reach(PathNode n) { n instanceof PathNodeSink or reach(n.getASuccessor()) }
+private predicate directReach(PathNode n) {
+  n instanceof PathNodeSink or directReach(n.getASuccessor())
+}

-/** Holds if `n1.getSucc() = n2` and `n2` can reach a sink. */
+/** Holds if `n` can reach a sink or is used in a subpath. */
+private predicate reach(PathNode n) { directReach(n) or Subpaths::retReach(n) }
+
+/** Holds if `n1.getSucc() = n2` and `n2` can reach a sink or is used in a subpath. */
 private predicate pathSucc(PathNode n1, PathNode n2) { n1.getASuccessor() = n2 and reach(n2) }

 private predicate pathSuccPlus(PathNode n1, PathNode n2) = fastTC(pathSucc/2)(n1, n2)
@ -3331,6 +3336,8 @@ module PathGraph {
  query predicate nodes(PathNode n, string key, string val) {
    reach(n) and key = "semmle.label" and val = n.toString()
  }
+
+  query predicate subpaths = Subpaths::subpaths/4;
 }

 /**
@ -3622,6 +3629,86 @@ private predicate pathThroughCallable(PathNodeMid mid, NodeEx out, CallContext c
  )
 }

+private module Subpaths {
+  /**
+   * Holds if `(arg, par, ret, out)` forms a subpath-tuple and `ret` is determined by
+   * `kind`, `sc`, `apout`, and `innercc`.
+   */
+  pragma[nomagic]
+  private predicate subpaths01(
+    PathNode arg, ParamNodeEx par, SummaryCtxSome sc, CallContext innercc, ReturnKindExt kind,
+    NodeEx out, AccessPath apout
+  ) {
+    pathThroughCallable(arg, out, _, apout) and
+    pathIntoCallable(arg, par, _, innercc, sc, _) and
+    paramFlowsThrough(kind, innercc, sc, apout, _, unbindConf(arg.getConfiguration()))
+  }
+
+  /**
+   * Holds if `(arg, par, ret, out)` forms a subpath-tuple and `ret` is determined by
+   * `kind`, `sc`, `apout`, and `innercc`.
+   */
+  pragma[nomagic]
+  private predicate subpaths02(
+    PathNode arg, ParamNodeEx par, SummaryCtxSome sc, CallContext innercc, ReturnKindExt kind,
+    NodeEx out, AccessPath apout
+  ) {
+    subpaths01(arg, par, sc, innercc, kind, out, apout) and
+    out.asNode() = kind.getAnOutNode(_)
+  }
+
+  pragma[nomagic]
+  private Configuration getPathNodeConf(PathNode n) { result = n.getConfiguration() }
+
+  /**
+   * Holds if `(arg, par, ret, out)` forms a subpath-tuple.
+   */
+  pragma[nomagic]
+  private predicate subpaths03(
+    PathNode arg, ParamNodeEx par, PathNodeMid ret, NodeEx out, AccessPath apout
+  ) {
+    exists(SummaryCtxSome sc, CallContext innercc, ReturnKindExt kind, RetNodeEx retnode |
+      subpaths02(arg, par, sc, innercc, kind, out, apout) and
+      ret.getNodeEx() = retnode and
+      kind = retnode.getKind() and
+      innercc = ret.getCallContext() and
+      sc = ret.getSummaryCtx() and
+      ret.getConfiguration() = unbindConf(getPathNodeConf(arg)) and
+      apout = ret.getAp() and
+      not ret.isHidden()
+    )
+  }
+
+  /**
+   * Holds if `(arg, par, ret, out)` forms a subpath-tuple, that is, flow through
+   * a subpath between `par` and `ret` with the connecting edges `arg -> par` and
+   * `ret -> out` is summarized as the edge `arg -> out`.
+   */
+  predicate subpaths(PathNode arg, PathNodeImpl par, PathNodeMid ret, PathNodeMid out) {
+    exists(ParamNodeEx p, NodeEx o, AccessPath apout |
+      arg.getASuccessor() = par and
+      arg.getASuccessor() = out and
+      subpaths03(arg, p, ret, o, apout) and
+      par.getNodeEx() = p and
+      out.getNodeEx() = o and
+      out.getAp() = apout
+    )
+  }
+
+  /**
+   * Holds if `n` can reach a return node in a summarized subpath.
+   */
+  predicate retReach(PathNode n) {
+    subpaths(_, _, n, _)
+    or
+    exists(PathNode mid |
+      retReach(mid) and
+      n.getASuccessor() = mid and
+      not subpaths(_, mid, _, _)
+    )
+  }
+}
+
 /**
 * Holds if data can flow (inter-procedurally) from `source` to `sink`.
 *
--- a/cpp/ql/lib/semmle/code/cpp/dataflow/internal/DataFlowImpl4.qll
+++ b/cpp/ql/lib/semmle/code/cpp/dataflow/internal/DataFlowImpl4.qll
@ -3258,24 +3258,16 @@ class PathNode extends TPathNode {
  /** Gets the associated configuration. */
  Configuration getConfiguration() { none() }

-  private predicate isHidden() {
-    hiddenNode(this.(PathNodeImpl).getNodeEx().asNode()) and
-    not this.isSource() and
-    not this instanceof PathNodeSink
-    or
-    this.(PathNodeImpl).getNodeEx() instanceof TNodeImplicitRead
-  }
-
  private PathNode getASuccessorIfHidden() {
-    this.isHidden() and
+    this.(PathNodeImpl).isHidden() and
    result = this.(PathNodeImpl).getASuccessorImpl()
  }

  /** Gets a successor of this node, if any. */
  final PathNode getASuccessor() {
    result = this.(PathNodeImpl).getASuccessorImpl().getASuccessorIfHidden*() and
-    not this.isHidden() and
-    not result.isHidden()
+    not this.(PathNodeImpl).isHidden() and
+    not result.(PathNodeImpl).isHidden()
  }

  /** Holds if this node is a source. */
@ -3287,6 +3279,14 @@ abstract private class PathNodeImpl extends PathNode {

  abstract NodeEx getNodeEx();

+  predicate isHidden() {
+    hiddenNode(this.getNodeEx().asNode()) and
+    not this.isSource() and
+    not this instanceof PathNodeSink
+    or
+    this.getNodeEx() instanceof TNodeImplicitRead
+  }
+
  private string ppAp() {
    this instanceof PathNodeSink and result = ""
    or
@ -3313,9 +3313,14 @@ abstract private class PathNodeImpl extends PathNode {
 }

 /** Holds if `n` can reach a sink. */
-private predicate reach(PathNode n) { n instanceof PathNodeSink or reach(n.getASuccessor()) }
+private predicate directReach(PathNode n) {
+  n instanceof PathNodeSink or directReach(n.getASuccessor())
+}

-/** Holds if `n1.getSucc() = n2` and `n2` can reach a sink. */
+/** Holds if `n` can reach a sink or is used in a subpath. */
+private predicate reach(PathNode n) { directReach(n) or Subpaths::retReach(n) }
+
+/** Holds if `n1.getSucc() = n2` and `n2` can reach a sink or is used in a subpath. */
 private predicate pathSucc(PathNode n1, PathNode n2) { n1.getASuccessor() = n2 and reach(n2) }

 private predicate pathSuccPlus(PathNode n1, PathNode n2) = fastTC(pathSucc/2)(n1, n2)
@ -3331,6 +3336,8 @@ module PathGraph {
  query predicate nodes(PathNode n, string key, string val) {
    reach(n) and key = "semmle.label" and val = n.toString()
  }
+
+  query predicate subpaths = Subpaths::subpaths/4;
 }

 /**
@ -3622,6 +3629,86 @@ private predicate pathThroughCallable(PathNodeMid mid, NodeEx out, CallContext c
  )
 }

+private module Subpaths {
+  /**
+   * Holds if `(arg, par, ret, out)` forms a subpath-tuple and `ret` is determined by
+   * `kind`, `sc`, `apout`, and `innercc`.
+   */
+  pragma[nomagic]
+  private predicate subpaths01(
+    PathNode arg, ParamNodeEx par, SummaryCtxSome sc, CallContext innercc, ReturnKindExt kind,
+    NodeEx out, AccessPath apout
+  ) {
+    pathThroughCallable(arg, out, _, apout) and
+    pathIntoCallable(arg, par, _, innercc, sc, _) and
+    paramFlowsThrough(kind, innercc, sc, apout, _, unbindConf(arg.getConfiguration()))
+  }
+
+  /**
+   * Holds if `(arg, par, ret, out)` forms a subpath-tuple and `ret` is determined by
+   * `kind`, `sc`, `apout`, and `innercc`.
+   */
+  pragma[nomagic]
+  private predicate subpaths02(
+    PathNode arg, ParamNodeEx par, SummaryCtxSome sc, CallContext innercc, ReturnKindExt kind,
+    NodeEx out, AccessPath apout
+  ) {
+    subpaths01(arg, par, sc, innercc, kind, out, apout) and
+    out.asNode() = kind.getAnOutNode(_)
+  }
+
+  pragma[nomagic]
+  private Configuration getPathNodeConf(PathNode n) { result = n.getConfiguration() }
+
+  /**
+   * Holds if `(arg, par, ret, out)` forms a subpath-tuple.
+   */
+  pragma[nomagic]
+  private predicate subpaths03(
+    PathNode arg, ParamNodeEx par, PathNodeMid ret, NodeEx out, AccessPath apout
+  ) {
+    exists(SummaryCtxSome sc, CallContext innercc, ReturnKindExt kind, RetNodeEx retnode |
+      subpaths02(arg, par, sc, innercc, kind, out, apout) and
+      ret.getNodeEx() = retnode and
+      kind = retnode.getKind() and
+      innercc = ret.getCallContext() and
+      sc = ret.getSummaryCtx() and
+      ret.getConfiguration() = unbindConf(getPathNodeConf(arg)) and
+      apout = ret.getAp() and
+      not ret.isHidden()
+    )
+  }
+
+  /**
+   * Holds if `(arg, par, ret, out)` forms a subpath-tuple, that is, flow through
+   * a subpath between `par` and `ret` with the connecting edges `arg -> par` and
+   * `ret -> out` is summarized as the edge `arg -> out`.
+   */
+  predicate subpaths(PathNode arg, PathNodeImpl par, PathNodeMid ret, PathNodeMid out) {
+    exists(ParamNodeEx p, NodeEx o, AccessPath apout |
+      arg.getASuccessor() = par and
+      arg.getASuccessor() = out and
+      subpaths03(arg, p, ret, o, apout) and
+      par.getNodeEx() = p and
+      out.getNodeEx() = o and
+      out.getAp() = apout
+    )
+  }
+
+  /**
+   * Holds if `n` can reach a return node in a summarized subpath.
+   */
+  predicate retReach(PathNode n) {
+    subpaths(_, _, n, _)
+    or
+    exists(PathNode mid |
+      retReach(mid) and
+      n.getASuccessor() = mid and
+      not subpaths(_, mid, _, _)
+    )
+  }
+}
+
 /**
 * Holds if data can flow (inter-procedurally) from `source` to `sink`.
 *
--- a/cpp/ql/lib/semmle/code/cpp/dataflow/internal/DataFlowImplLocal.qll
+++ b/cpp/ql/lib/semmle/code/cpp/dataflow/internal/DataFlowImplLocal.qll
@ -3258,24 +3258,16 @@ class PathNode extends TPathNode {
  /** Gets the associated configuration. */
  Configuration getConfiguration() { none() }

-  private predicate isHidden() {
-    hiddenNode(this.(PathNodeImpl).getNodeEx().asNode()) and
-    not this.isSource() and
-    not this instanceof PathNodeSink
-    or
-    this.(PathNodeImpl).getNodeEx() instanceof TNodeImplicitRead
-  }
-
  private PathNode getASuccessorIfHidden() {
-    this.isHidden() and
+    this.(PathNodeImpl).isHidden() and
    result = this.(PathNodeImpl).getASuccessorImpl()
  }

  /** Gets a successor of this node, if any. */
  final PathNode getASuccessor() {
    result = this.(PathNodeImpl).getASuccessorImpl().getASuccessorIfHidden*() and
-    not this.isHidden() and
-    not result.isHidden()
+    not this.(PathNodeImpl).isHidden() and
+    not result.(PathNodeImpl).isHidden()
  }

  /** Holds if this node is a source. */
@ -3287,6 +3279,14 @@ abstract private class PathNodeImpl extends PathNode {

  abstract NodeEx getNodeEx();

+  predicate isHidden() {
+    hiddenNode(this.getNodeEx().asNode()) and
+    not this.isSource() and
+    not this instanceof PathNodeSink
+    or
+    this.getNodeEx() instanceof TNodeImplicitRead
+  }
+
  private string ppAp() {
    this instanceof PathNodeSink and result = ""
    or
@ -3313,9 +3313,14 @@ abstract private class PathNodeImpl extends PathNode {
 }

 /** Holds if `n` can reach a sink. */
-private predicate reach(PathNode n) { n instanceof PathNodeSink or reach(n.getASuccessor()) }
+private predicate directReach(PathNode n) {
+  n instanceof PathNodeSink or directReach(n.getASuccessor())
+}

-/** Holds if `n1.getSucc() = n2` and `n2` can reach a sink. */
+/** Holds if `n` can reach a sink or is used in a subpath. */
+private predicate reach(PathNode n) { directReach(n) or Subpaths::retReach(n) }
+
+/** Holds if `n1.getSucc() = n2` and `n2` can reach a sink or is used in a subpath. */
 private predicate pathSucc(PathNode n1, PathNode n2) { n1.getASuccessor() = n2 and reach(n2) }

 private predicate pathSuccPlus(PathNode n1, PathNode n2) = fastTC(pathSucc/2)(n1, n2)
@ -3331,6 +3336,8 @@ module PathGraph {
  query predicate nodes(PathNode n, string key, string val) {
    reach(n) and key = "semmle.label" and val = n.toString()
  }
+
+  query predicate subpaths = Subpaths::subpaths/4;
 }

 /**
@ -3622,6 +3629,86 @@ private predicate pathThroughCallable(PathNodeMid mid, NodeEx out, CallContext c
  )
 }

+private module Subpaths {
+  /**
+   * Holds if `(arg, par, ret, out)` forms a subpath-tuple and `ret` is determined by
+   * `kind`, `sc`, `apout`, and `innercc`.
+   */
+  pragma[nomagic]
+  private predicate subpaths01(
+    PathNode arg, ParamNodeEx par, SummaryCtxSome sc, CallContext innercc, ReturnKindExt kind,
+    NodeEx out, AccessPath apout
+  ) {
+    pathThroughCallable(arg, out, _, apout) and
+    pathIntoCallable(arg, par, _, innercc, sc, _) and
+    paramFlowsThrough(kind, innercc, sc, apout, _, unbindConf(arg.getConfiguration()))
+  }
+
+  /**
+   * Holds if `(arg, par, ret, out)` forms a subpath-tuple and `ret` is determined by
+   * `kind`, `sc`, `apout`, and `innercc`.
+   */
+  pragma[nomagic]
+  private predicate subpaths02(
+    PathNode arg, ParamNodeEx par, SummaryCtxSome sc, CallContext innercc, ReturnKindExt kind,
+    NodeEx out, AccessPath apout
+  ) {
+    subpaths01(arg, par, sc, innercc, kind, out, apout) and
+    out.asNode() = kind.getAnOutNode(_)
+  }
+
+  pragma[nomagic]
+  private Configuration getPathNodeConf(PathNode n) { result = n.getConfiguration() }
+
+  /**
+   * Holds if `(arg, par, ret, out)` forms a subpath-tuple.
+   */
+  pragma[nomagic]
+  private predicate subpaths03(
+    PathNode arg, ParamNodeEx par, PathNodeMid ret, NodeEx out, AccessPath apout
+  ) {
+    exists(SummaryCtxSome sc, CallContext innercc, ReturnKindExt kind, RetNodeEx retnode |
+      subpaths02(arg, par, sc, innercc, kind, out, apout) and
+      ret.getNodeEx() = retnode and
+      kind = retnode.getKind() and
+      innercc = ret.getCallContext() and
+      sc = ret.getSummaryCtx() and
+      ret.getConfiguration() = unbindConf(getPathNodeConf(arg)) and
+      apout = ret.getAp() and
+      not ret.isHidden()
+    )
+  }
+
+  /**
+   * Holds if `(arg, par, ret, out)` forms a subpath-tuple, that is, flow through
+   * a subpath between `par` and `ret` with the connecting edges `arg -> par` and
+   * `ret -> out` is summarized as the edge `arg -> out`.
+   */
+  predicate subpaths(PathNode arg, PathNodeImpl par, PathNodeMid ret, PathNodeMid out) {
+    exists(ParamNodeEx p, NodeEx o, AccessPath apout |
+      arg.getASuccessor() = par and
+      arg.getASuccessor() = out and
+      subpaths03(arg, p, ret, o, apout) and
+      par.getNodeEx() = p and
+      out.getNodeEx() = o and
+      out.getAp() = apout
+    )
+  }
+
+  /**
+   * Holds if `n` can reach a return node in a summarized subpath.
+   */
+  predicate retReach(PathNode n) {
+    subpaths(_, _, n, _)
+    or
+    exists(PathNode mid |
+      retReach(mid) and
+      n.getASuccessor() = mid and
+      not subpaths(_, mid, _, _)
+    )
+  }
+}
+
 /**
 * Holds if data can flow (inter-procedurally) from `source` to `sink`.
 *
--- a/cpp/ql/lib/semmle/code/cpp/ir/dataflow/internal/DataFlowImpl.qll
+++ b/cpp/ql/lib/semmle/code/cpp/ir/dataflow/internal/DataFlowImpl.qll
@ -3258,24 +3258,16 @@ class PathNode extends TPathNode {
  /** Gets the associated configuration. */
  Configuration getConfiguration() { none() }

-  private predicate isHidden() {
-    hiddenNode(this.(PathNodeImpl).getNodeEx().asNode()) and
-    not this.isSource() and
-    not this instanceof PathNodeSink
-    or
-    this.(PathNodeImpl).getNodeEx() instanceof TNodeImplicitRead
-  }
-
  private PathNode getASuccessorIfHidden() {
-    this.isHidden() and
+    this.(PathNodeImpl).isHidden() and
    result = this.(PathNodeImpl).getASuccessorImpl()
  }

  /** Gets a successor of this node, if any. */
  final PathNode getASuccessor() {
    result = this.(PathNodeImpl).getASuccessorImpl().getASuccessorIfHidden*() and
-    not this.isHidden() and
-    not result.isHidden()
+    not this.(PathNodeImpl).isHidden() and
+    not result.(PathNodeImpl).isHidden()
  }

  /** Holds if this node is a source. */
@ -3287,6 +3279,14 @@ abstract private class PathNodeImpl extends PathNode {

  abstract NodeEx getNodeEx();

+  predicate isHidden() {
+    hiddenNode(this.getNodeEx().asNode()) and
+    not this.isSource() and
+    not this instanceof PathNodeSink
+    or
+    this.getNodeEx() instanceof TNodeImplicitRead
+  }
+
  private string ppAp() {
    this instanceof PathNodeSink and result = ""
    or
@ -3313,9 +3313,14 @@ abstract private class PathNodeImpl extends PathNode {
 }

 /** Holds if `n` can reach a sink. */
-private predicate reach(PathNode n) { n instanceof PathNodeSink or reach(n.getASuccessor()) }
+private predicate directReach(PathNode n) {
+  n instanceof PathNodeSink or directReach(n.getASuccessor())
+}

-/** Holds if `n1.getSucc() = n2` and `n2` can reach a sink. */
+/** Holds if `n` can reach a sink or is used in a subpath. */
+private predicate reach(PathNode n) { directReach(n) or Subpaths::retReach(n) }
+
+/** Holds if `n1.getSucc() = n2` and `n2` can reach a sink or is used in a subpath. */
 private predicate pathSucc(PathNode n1, PathNode n2) { n1.getASuccessor() = n2 and reach(n2) }

 private predicate pathSuccPlus(PathNode n1, PathNode n2) = fastTC(pathSucc/2)(n1, n2)
@ -3331,6 +3336,8 @@ module PathGraph {
  query predicate nodes(PathNode n, string key, string val) {
    reach(n) and key = "semmle.label" and val = n.toString()
  }
+
+  query predicate subpaths = Subpaths::subpaths/4;
 }

 /**
@ -3622,6 +3629,86 @@ private predicate pathThroughCallable(PathNodeMid mid, NodeEx out, CallContext c
  )
 }

+private module Subpaths {
+  /**
+   * Holds if `(arg, par, ret, out)` forms a subpath-tuple and `ret` is determined by
+   * `kind`, `sc`, `apout`, and `innercc`.
+   */
+  pragma[nomagic]
+  private predicate subpaths01(
+    PathNode arg, ParamNodeEx par, SummaryCtxSome sc, CallContext innercc, ReturnKindExt kind,
+    NodeEx out, AccessPath apout
+  ) {
+    pathThroughCallable(arg, out, _, apout) and
+    pathIntoCallable(arg, par, _, innercc, sc, _) and
+    paramFlowsThrough(kind, innercc, sc, apout, _, unbindConf(arg.getConfiguration()))
+  }
+
+  /**
+   * Holds if `(arg, par, ret, out)` forms a subpath-tuple and `ret` is determined by
+   * `kind`, `sc`, `apout`, and `innercc`.
+   */
+  pragma[nomagic]
+  private predicate subpaths02(
+    PathNode arg, ParamNodeEx par, SummaryCtxSome sc, CallContext innercc, ReturnKindExt kind,
+    NodeEx out, AccessPath apout
+  ) {
+    subpaths01(arg, par, sc, innercc, kind, out, apout) and
+    out.asNode() = kind.getAnOutNode(_)
+  }
+
+  pragma[nomagic]
+  private Configuration getPathNodeConf(PathNode n) { result = n.getConfiguration() }
+
+  /**
+   * Holds if `(arg, par, ret, out)` forms a subpath-tuple.
+   */
+  pragma[nomagic]
+  private predicate subpaths03(
+    PathNode arg, ParamNodeEx par, PathNodeMid ret, NodeEx out, AccessPath apout
+  ) {
+    exists(SummaryCtxSome sc, CallContext innercc, ReturnKindExt kind, RetNodeEx retnode |
+      subpaths02(arg, par, sc, innercc, kind, out, apout) and
+      ret.getNodeEx() = retnode and
+      kind = retnode.getKind() and
+      innercc = ret.getCallContext() and
+      sc = ret.getSummaryCtx() and
+      ret.getConfiguration() = unbindConf(getPathNodeConf(arg)) and
+      apout = ret.getAp() and
+      not ret.isHidden()
+    )
+  }
+
+  /**
+   * Holds if `(arg, par, ret, out)` forms a subpath-tuple, that is, flow through
+   * a subpath between `par` and `ret` with the connecting edges `arg -> par` and
+   * `ret -> out` is summarized as the edge `arg -> out`.
+   */
+  predicate subpaths(PathNode arg, PathNodeImpl par, PathNodeMid ret, PathNodeMid out) {
+    exists(ParamNodeEx p, NodeEx o, AccessPath apout |
+      arg.getASuccessor() = par and
+      arg.getASuccessor() = out and
+      subpaths03(arg, p, ret, o, apout) and
+      par.getNodeEx() = p and
+      out.getNodeEx() = o and
+      out.getAp() = apout
+    )
+  }
+
+  /**
+   * Holds if `n` can reach a return node in a summarized subpath.
+   */
+  predicate retReach(PathNode n) {
+    subpaths(_, _, n, _)
+    or
+    exists(PathNode mid |
+      retReach(mid) and
+      n.getASuccessor() = mid and
+      not subpaths(_, mid, _, _)
+    )
+  }
+}
+
 /**
 * Holds if data can flow (inter-procedurally) from `source` to `sink`.
 *
--- a/cpp/ql/lib/semmle/code/cpp/ir/dataflow/internal/DataFlowImpl2.qll
+++ b/cpp/ql/lib/semmle/code/cpp/ir/dataflow/internal/DataFlowImpl2.qll
@ -3258,24 +3258,16 @@ class PathNode extends TPathNode {
  /** Gets the associated configuration. */
  Configuration getConfiguration() { none() }

-  private predicate isHidden() {
-    hiddenNode(this.(PathNodeImpl).getNodeEx().asNode()) and
-    not this.isSource() and
-    not this instanceof PathNodeSink
-    or
-    this.(PathNodeImpl).getNodeEx() instanceof TNodeImplicitRead
-  }
-
  private PathNode getASuccessorIfHidden() {
-    this.isHidden() and
+    this.(PathNodeImpl).isHidden() and
    result = this.(PathNodeImpl).getASuccessorImpl()
  }

  /** Gets a successor of this node, if any. */
  final PathNode getASuccessor() {
    result = this.(PathNodeImpl).getASuccessorImpl().getASuccessorIfHidden*() and
-    not this.isHidden() and
-    not result.isHidden()
+    not this.(PathNodeImpl).isHidden() and
+    not result.(PathNodeImpl).isHidden()
  }

  /** Holds if this node is a source. */
@ -3287,6 +3279,14 @@ abstract private class PathNodeImpl extends PathNode {

  abstract NodeEx getNodeEx();

+  predicate isHidden() {
+    hiddenNode(this.getNodeEx().asNode()) and
+    not this.isSource() and
+    not this instanceof PathNodeSink
+    or
+    this.getNodeEx() instanceof TNodeImplicitRead
+  }
+
  private string ppAp() {
    this instanceof PathNodeSink and result = ""
    or
@ -3313,9 +3313,14 @@ abstract private class PathNodeImpl extends PathNode {
 }

 /** Holds if `n` can reach a sink. */
-private predicate reach(PathNode n) { n instanceof PathNodeSink or reach(n.getASuccessor()) }
+private predicate directReach(PathNode n) {
+  n instanceof PathNodeSink or directReach(n.getASuccessor())
+}

-/** Holds if `n1.getSucc() = n2` and `n2` can reach a sink. */
+/** Holds if `n` can reach a sink or is used in a subpath. */
+private predicate reach(PathNode n) { directReach(n) or Subpaths::retReach(n) }
+
+/** Holds if `n1.getSucc() = n2` and `n2` can reach a sink or is used in a subpath. */
 private predicate pathSucc(PathNode n1, PathNode n2) { n1.getASuccessor() = n2 and reach(n2) }

 private predicate pathSuccPlus(PathNode n1, PathNode n2) = fastTC(pathSucc/2)(n1, n2)
@ -3331,6 +3336,8 @@ module PathGraph {
  query predicate nodes(PathNode n, string key, string val) {
    reach(n) and key = "semmle.label" and val = n.toString()
  }
+
+  query predicate subpaths = Subpaths::subpaths/4;
 }

 /**
@ -3622,6 +3629,86 @@ private predicate pathThroughCallable(PathNodeMid mid, NodeEx out, CallContext c
  )
 }

+private module Subpaths {
+  /**
+   * Holds if `(arg, par, ret, out)` forms a subpath-tuple and `ret` is determined by
+   * `kind`, `sc`, `apout`, and `innercc`.
+   */
+  pragma[nomagic]
+  private predicate subpaths01(
+    PathNode arg, ParamNodeEx par, SummaryCtxSome sc, CallContext innercc, ReturnKindExt kind,
+    NodeEx out, AccessPath apout
+  ) {
+    pathThroughCallable(arg, out, _, apout) and
+    pathIntoCallable(arg, par, _, innercc, sc, _) and
+    paramFlowsThrough(kind, innercc, sc, apout, _, unbindConf(arg.getConfiguration()))
+  }
+
+  /**
+   * Holds if `(arg, par, ret, out)` forms a subpath-tuple and `ret` is determined by
+   * `kind`, `sc`, `apout`, and `innercc`.
+   */
+  pragma[nomagic]
+  private predicate subpaths02(
+    PathNode arg, ParamNodeEx par, SummaryCtxSome sc, CallContext innercc, ReturnKindExt kind,
+    NodeEx out, AccessPath apout
+  ) {
+    subpaths01(arg, par, sc, innercc, kind, out, apout) and
+    out.asNode() = kind.getAnOutNode(_)
+  }
+
+  pragma[nomagic]
+  private Configuration getPathNodeConf(PathNode n) { result = n.getConfiguration() }
+
+  /**
+   * Holds if `(arg, par, ret, out)` forms a subpath-tuple.
+   */
+  pragma[nomagic]
+  private predicate subpaths03(
+    PathNode arg, ParamNodeEx par, PathNodeMid ret, NodeEx out, AccessPath apout
+  ) {
+    exists(SummaryCtxSome sc, CallContext innercc, ReturnKindExt kind, RetNodeEx retnode |
+      subpaths02(arg, par, sc, innercc, kind, out, apout) and
+      ret.getNodeEx() = retnode and
+      kind = retnode.getKind() and
+      innercc = ret.getCallContext() and
+      sc = ret.getSummaryCtx() and
+      ret.getConfiguration() = unbindConf(getPathNodeConf(arg)) and
+      apout = ret.getAp() and
+      not ret.isHidden()
+    )
+  }
+
+  /**
+   * Holds if `(arg, par, ret, out)` forms a subpath-tuple, that is, flow through
+   * a subpath between `par` and `ret` with the connecting edges `arg -> par` and
+   * `ret -> out` is summarized as the edge `arg -> out`.
+   */
+  predicate subpaths(PathNode arg, PathNodeImpl par, PathNodeMid ret, PathNodeMid out) {
+    exists(ParamNodeEx p, NodeEx o, AccessPath apout |
+      arg.getASuccessor() = par and
+      arg.getASuccessor() = out and
+      subpaths03(arg, p, ret, o, apout) and
+      par.getNodeEx() = p and
+      out.getNodeEx() = o and
+      out.getAp() = apout
+    )
+  }
+
+  /**
+   * Holds if `n` can reach a return node in a summarized subpath.
+   */
+  predicate retReach(PathNode n) {
+    subpaths(_, _, n, _)
+    or
+    exists(PathNode mid |
+      retReach(mid) and
+      n.getASuccessor() = mid and
+      not subpaths(_, mid, _, _)
+    )
+  }
+}
+
 /**
 * Holds if data can flow (inter-procedurally) from `source` to `sink`.
 *
--- a/cpp/ql/lib/semmle/code/cpp/ir/dataflow/internal/DataFlowImpl3.qll
+++ b/cpp/ql/lib/semmle/code/cpp/ir/dataflow/internal/DataFlowImpl3.qll
@ -3258,24 +3258,16 @@ class PathNode extends TPathNode {
  /** Gets the associated configuration. */
  Configuration getConfiguration() { none() }

-  private predicate isHidden() {
-    hiddenNode(this.(PathNodeImpl).getNodeEx().asNode()) and
-    not this.isSource() and
-    not this instanceof PathNodeSink
-    or
-    this.(PathNodeImpl).getNodeEx() instanceof TNodeImplicitRead
-  }
-
  private PathNode getASuccessorIfHidden() {
-    this.isHidden() and
+    this.(PathNodeImpl).isHidden() and
    result = this.(PathNodeImpl).getASuccessorImpl()
  }

  /** Gets a successor of this node, if any. */
  final PathNode getASuccessor() {
    result = this.(PathNodeImpl).getASuccessorImpl().getASuccessorIfHidden*() and
-    not this.isHidden() and
-    not result.isHidden()
+    not this.(PathNodeImpl).isHidden() and
+    not result.(PathNodeImpl).isHidden()
  }

  /** Holds if this node is a source. */
@ -3287,6 +3279,14 @@ abstract private class PathNodeImpl extends PathNode {

  abstract NodeEx getNodeEx();

+  predicate isHidden() {
+    hiddenNode(this.getNodeEx().asNode()) and
+    not this.isSource() and
+    not this instanceof PathNodeSink
+    or
+    this.getNodeEx() instanceof TNodeImplicitRead
+  }
+
  private string ppAp() {
    this instanceof PathNodeSink and result = ""
    or
@ -3313,9 +3313,14 @@ abstract private class PathNodeImpl extends PathNode {
 }

 /** Holds if `n` can reach a sink. */
-private predicate reach(PathNode n) { n instanceof PathNodeSink or reach(n.getASuccessor()) }
+private predicate directReach(PathNode n) {
+  n instanceof PathNodeSink or directReach(n.getASuccessor())
+}

-/** Holds if `n1.getSucc() = n2` and `n2` can reach a sink. */
+/** Holds if `n` can reach a sink or is used in a subpath. */
+private predicate reach(PathNode n) { directReach(n) or Subpaths::retReach(n) }
+
+/** Holds if `n1.getSucc() = n2` and `n2` can reach a sink or is used in a subpath. */
 private predicate pathSucc(PathNode n1, PathNode n2) { n1.getASuccessor() = n2 and reach(n2) }

 private predicate pathSuccPlus(PathNode n1, PathNode n2) = fastTC(pathSucc/2)(n1, n2)
@ -3331,6 +3336,8 @@ module PathGraph {
  query predicate nodes(PathNode n, string key, string val) {
    reach(n) and key = "semmle.label" and val = n.toString()
  }
+
+  query predicate subpaths = Subpaths::subpaths/4;
 }

 /**
@ -3622,6 +3629,86 @@ private predicate pathThroughCallable(PathNodeMid mid, NodeEx out, CallContext c
  )
 }

+private module Subpaths {
+  /**
+   * Holds if `(arg, par, ret, out)` forms a subpath-tuple and `ret` is determined by
+   * `kind`, `sc`, `apout`, and `innercc`.
+   */
+  pragma[nomagic]
+  private predicate subpaths01(
+    PathNode arg, ParamNodeEx par, SummaryCtxSome sc, CallContext innercc, ReturnKindExt kind,
+    NodeEx out, AccessPath apout
+  ) {
+    pathThroughCallable(arg, out, _, apout) and
+    pathIntoCallable(arg, par, _, innercc, sc, _) and
+    paramFlowsThrough(kind, innercc, sc, apout, _, unbindConf(arg.getConfiguration()))
+  }
+
+  /**
+   * Holds if `(arg, par, ret, out)` forms a subpath-tuple and `ret` is determined by
+   * `kind`, `sc`, `apout`, and `innercc`.
+   */
+  pragma[nomagic]
+  private predicate subpaths02(
+    PathNode arg, ParamNodeEx par, SummaryCtxSome sc, CallContext innercc, ReturnKindExt kind,
+    NodeEx out, AccessPath apout
+  ) {
+    subpaths01(arg, par, sc, innercc, kind, out, apout) and
+    out.asNode() = kind.getAnOutNode(_)
+  }
+
+  pragma[nomagic]
+  private Configuration getPathNodeConf(PathNode n) { result = n.getConfiguration() }
+
+  /**
+   * Holds if `(arg, par, ret, out)` forms a subpath-tuple.
+   */
+  pragma[nomagic]
+  private predicate subpaths03(
+    PathNode arg, ParamNodeEx par, PathNodeMid ret, NodeEx out, AccessPath apout
+  ) {
+    exists(SummaryCtxSome sc, CallContext innercc, ReturnKindExt kind, RetNodeEx retnode |
+      subpaths02(arg, par, sc, innercc, kind, out, apout) and
+      ret.getNodeEx() = retnode and
+      kind = retnode.getKind() and
+      innercc = ret.getCallContext() and
+      sc = ret.getSummaryCtx() and
+      ret.getConfiguration() = unbindConf(getPathNodeConf(arg)) and
+      apout = ret.getAp() and
+      not ret.isHidden()
+    )
+  }
+
+  /**
+   * Holds if `(arg, par, ret, out)` forms a subpath-tuple, that is, flow through
+   * a subpath between `par` and `ret` with the connecting edges `arg -> par` and
+   * `ret -> out` is summarized as the edge `arg -> out`.
+   */
+  predicate subpaths(PathNode arg, PathNodeImpl par, PathNodeMid ret, PathNodeMid out) {
+    exists(ParamNodeEx p, NodeEx o, AccessPath apout |
+      arg.getASuccessor() = par and
+      arg.getASuccessor() = out and
+      subpaths03(arg, p, ret, o, apout) and
+      par.getNodeEx() = p and
+      out.getNodeEx() = o and
+      out.getAp() = apout
+    )
+  }
+
+  /**
+   * Holds if `n` can reach a return node in a summarized subpath.
+   */
+  predicate retReach(PathNode n) {
+    subpaths(_, _, n, _)
+    or
+    exists(PathNode mid |
+      retReach(mid) and
+      n.getASuccessor() = mid and
+      not subpaths(_, mid, _, _)
+    )
+  }
+}
+
 /**
 * Holds if data can flow (inter-procedurally) from `source` to `sink`.
 *
--- a/cpp/ql/lib/semmle/code/cpp/ir/dataflow/internal/DataFlowImpl4.qll
+++ b/cpp/ql/lib/semmle/code/cpp/ir/dataflow/internal/DataFlowImpl4.qll
@ -3258,24 +3258,16 @@ class PathNode extends TPathNode {
  /** Gets the associated configuration. */
  Configuration getConfiguration() { none() }

-  private predicate isHidden() {
-    hiddenNode(this.(PathNodeImpl).getNodeEx().asNode()) and
-    not this.isSource() and
-    not this instanceof PathNodeSink
-    or
-    this.(PathNodeImpl).getNodeEx() instanceof TNodeImplicitRead
-  }
-
  private PathNode getASuccessorIfHidden() {
-    this.isHidden() and
+    this.(PathNodeImpl).isHidden() and
    result = this.(PathNodeImpl).getASuccessorImpl()
  }

  /** Gets a successor of this node, if any. */
  final PathNode getASuccessor() {
    result = this.(PathNodeImpl).getASuccessorImpl().getASuccessorIfHidden*() and
-    not this.isHidden() and
-    not result.isHidden()
+    not this.(PathNodeImpl).isHidden() and
+    not result.(PathNodeImpl).isHidden()
  }

  /** Holds if this node is a source. */
@ -3287,6 +3279,14 @@ abstract private class PathNodeImpl extends PathNode {

  abstract NodeEx getNodeEx();

+  predicate isHidden() {
+    hiddenNode(this.getNodeEx().asNode()) and
+    not this.isSource() and
+    not this instanceof PathNodeSink
+    or
+    this.getNodeEx() instanceof TNodeImplicitRead
+  }
+
  private string ppAp() {
    this instanceof PathNodeSink and result = ""
    or
@ -3313,9 +3313,14 @@ abstract private class PathNodeImpl extends PathNode {
 }

 /** Holds if `n` can reach a sink. */
-private predicate reach(PathNode n) { n instanceof PathNodeSink or reach(n.getASuccessor()) }
+private predicate directReach(PathNode n) {
+  n instanceof PathNodeSink or directReach(n.getASuccessor())
+}

-/** Holds if `n1.getSucc() = n2` and `n2` can reach a sink. */
+/** Holds if `n` can reach a sink or is used in a subpath. */
+private predicate reach(PathNode n) { directReach(n) or Subpaths::retReach(n) }
+
+/** Holds if `n1.getSucc() = n2` and `n2` can reach a sink or is used in a subpath. */
 private predicate pathSucc(PathNode n1, PathNode n2) { n1.getASuccessor() = n2 and reach(n2) }

 private predicate pathSuccPlus(PathNode n1, PathNode n2) = fastTC(pathSucc/2)(n1, n2)
@ -3331,6 +3336,8 @@ module PathGraph {
  query predicate nodes(PathNode n, string key, string val) {
    reach(n) and key = "semmle.label" and val = n.toString()
  }
+
+  query predicate subpaths = Subpaths::subpaths/4;
 }

 /**
@ -3622,6 +3629,86 @@ private predicate pathThroughCallable(PathNodeMid mid, NodeEx out, CallContext c
  )
 }

+private module Subpaths {
+  /**
+   * Holds if `(arg, par, ret, out)` forms a subpath-tuple and `ret` is determined by
+   * `kind`, `sc`, `apout`, and `innercc`.
+   */
+  pragma[nomagic]
+  private predicate subpaths01(
+    PathNode arg, ParamNodeEx par, SummaryCtxSome sc, CallContext innercc, ReturnKindExt kind,
+    NodeEx out, AccessPath apout
+  ) {
+    pathThroughCallable(arg, out, _, apout) and
+    pathIntoCallable(arg, par, _, innercc, sc, _) and
+    paramFlowsThrough(kind, innercc, sc, apout, _, unbindConf(arg.getConfiguration()))
+  }
+
+  /**
+   * Holds if `(arg, par, ret, out)` forms a subpath-tuple and `ret` is determined by
+   * `kind`, `sc`, `apout`, and `innercc`.
+   */
+  pragma[nomagic]
+  private predicate subpaths02(
+    PathNode arg, ParamNodeEx par, SummaryCtxSome sc, CallContext innercc, ReturnKindExt kind,
+    NodeEx out, AccessPath apout
+  ) {
+    subpaths01(arg, par, sc, innercc, kind, out, apout) and
+    out.asNode() = kind.getAnOutNode(_)
+  }
+
+  pragma[nomagic]
+  private Configuration getPathNodeConf(PathNode n) { result = n.getConfiguration() }
+
+  /**
+   * Holds if `(arg, par, ret, out)` forms a subpath-tuple.
+   */
+  pragma[nomagic]
+  private predicate subpaths03(
+    PathNode arg, ParamNodeEx par, PathNodeMid ret, NodeEx out, AccessPath apout
+  ) {
+    exists(SummaryCtxSome sc, CallContext innercc, ReturnKindExt kind, RetNodeEx retnode |
+      subpaths02(arg, par, sc, innercc, kind, out, apout) and
+      ret.getNodeEx() = retnode and
+      kind = retnode.getKind() and
+      innercc = ret.getCallContext() and
+      sc = ret.getSummaryCtx() and
+      ret.getConfiguration() = unbindConf(getPathNodeConf(arg)) and
+      apout = ret.getAp() and
+      not ret.isHidden()
+    )
+  }
+
+  /**
+   * Holds if `(arg, par, ret, out)` forms a subpath-tuple, that is, flow through
+   * a subpath between `par` and `ret` with the connecting edges `arg -> par` and
+   * `ret -> out` is summarized as the edge `arg -> out`.
+   */
+  predicate subpaths(PathNode arg, PathNodeImpl par, PathNodeMid ret, PathNodeMid out) {
+    exists(ParamNodeEx p, NodeEx o, AccessPath apout |
+      arg.getASuccessor() = par and
+      arg.getASuccessor() = out and
+      subpaths03(arg, p, ret, o, apout) and
+      par.getNodeEx() = p and
+      out.getNodeEx() = o and
+      out.getAp() = apout
+    )
+  }
+
+  /**
+   * Holds if `n` can reach a return node in a summarized subpath.
+   */
+  predicate retReach(PathNode n) {
+    subpaths(_, _, n, _)
+    or
+    exists(PathNode mid |
+      retReach(mid) and
+      n.getASuccessor() = mid and
+      not subpaths(_, mid, _, _)
+    )
+  }
+}
+
 /**
 * Holds if data can flow (inter-procedurally) from `source` to `sink`.
 *
--- a/cpp/ql/test/experimental/query-tests/Security/CWE/CWE-190/AllocMultiplicationOverflow/AllocMultiplicationOverflow.expected
+++ b/cpp/ql/test/experimental/query-tests/Security/CWE/CWE-190/AllocMultiplicationOverflow/AllocMultiplicationOverflow.expected
@ -8,6 +8,7 @@ nodes
 | test.cpp:23:33:23:37 | size1 | semmle.label | size1 |
 | test.cpp:30:27:30:31 | ... * ... | semmle.label | ... * ... |
 | test.cpp:31:27:31:31 | ... * ... | semmle.label | ... * ... |
+subpaths
 #select
 | test.cpp:13:33:13:37 | ... * ... | test.cpp:13:33:13:37 | ... * ... | test.cpp:13:33:13:37 | ... * ... | Potentially overflowing value from $@ is used in the size of this allocation. | test.cpp:13:33:13:37 | ... * ... | multiplication |
 | test.cpp:15:31:15:35 | ... * ... | test.cpp:15:31:15:35 | ... * ... | test.cpp:15:31:15:35 | ... * ... | Potentially overflowing value from $@ is used in the size of this allocation. | test.cpp:15:31:15:35 | ... * ... | multiplication |
--- a/cpp/ql/test/experimental/query-tests/Security/CWE/CWE-359/semmle/tests/PrivateCleartextWrite.expected
+++ b/cpp/ql/test/experimental/query-tests/Security/CWE/CWE-359/semmle/tests/PrivateCleartextWrite.expected
@ -1,8 +1,12 @@
 edges
+| test.cpp:45:18:45:23 | buffer | test.cpp:47:10:47:15 | buffer |
 | test.cpp:77:16:77:22 | medical | test.cpp:78:24:78:27 | temp |
 | test.cpp:81:17:81:20 | call to func | test.cpp:82:24:82:28 | buff5 |
+| test.cpp:81:22:81:28 | medical | test.cpp:45:18:45:23 | buffer |
 | test.cpp:81:22:81:28 | medical | test.cpp:81:17:81:20 | call to func |
 nodes
+| test.cpp:45:18:45:23 | buffer | semmle.label | buffer |
+| test.cpp:47:10:47:15 | buffer | semmle.label | buffer |
 | test.cpp:57:9:57:18 | theZipcode | semmle.label | theZipcode |
 | test.cpp:74:24:74:30 | medical | semmle.label | medical |
 | test.cpp:77:16:77:22 | medical | semmle.label | medical |
@ -12,6 +16,8 @@ nodes
 | test.cpp:82:24:82:28 | buff5 | semmle.label | buff5 |
 | test.cpp:96:37:96:46 | theZipcode | semmle.label | theZipcode |
 | test.cpp:99:42:99:51 | theZipcode | semmle.label | theZipcode |
+subpaths
+| test.cpp:81:22:81:28 | medical | test.cpp:45:18:45:23 | buffer | test.cpp:47:10:47:15 | buffer | test.cpp:81:17:81:20 | call to func |
 #select
 | test.cpp:57:9:57:18 | theZipcode | test.cpp:57:9:57:18 | theZipcode | test.cpp:57:9:57:18 | theZipcode | This write into the external location 'theZipcode' may contain unencrypted data from $@ | test.cpp:57:9:57:18 | theZipcode | this source. |
 | test.cpp:74:24:74:30 | medical | test.cpp:74:24:74:30 | medical | test.cpp:74:24:74:30 | medical | This write into the external location 'medical' may contain unencrypted data from $@ | test.cpp:74:24:74:30 | medical | this source. |
--- a/cpp/ql/test/library-tests/dataflow/fields/ir-path-flow.expected
+++ b/cpp/ql/test/library-tests/dataflow/fields/ir-path-flow.expected
@ -1,11 +1,18 @@
 edges
+| A.cpp:23:10:23:10 | c | A.cpp:25:7:25:17 | Chi [c] |
+| A.cpp:27:17:27:17 | c | A.cpp:27:22:27:32 | Chi [c] |
+| A.cpp:28:8:28:10 | *#this [c] | A.cpp:28:29:28:29 | Store |
 | A.cpp:55:5:55:5 | set output argument [c] | A.cpp:56:10:56:10 | b indirection [c] |
+| A.cpp:55:8:55:10 | new | A.cpp:27:17:27:17 | c |
 | A.cpp:55:8:55:10 | new | A.cpp:55:5:55:5 | set output argument [c] |
 | A.cpp:55:12:55:19 | (C *)... | A.cpp:55:8:55:10 | new |
 | A.cpp:55:12:55:19 | new | A.cpp:55:8:55:10 | new |
+| A.cpp:56:10:56:10 | b indirection [c] | A.cpp:28:8:28:10 | *#this [c] |
 | A.cpp:56:10:56:10 | b indirection [c] | A.cpp:56:13:56:15 | call to get |
+| A.cpp:57:10:57:25 | new indirection [c] | A.cpp:28:8:28:10 | *#this [c] |
 | A.cpp:57:10:57:25 | new indirection [c] | A.cpp:57:28:57:30 | call to get |
 | A.cpp:57:11:57:24 | B output argument [c] | A.cpp:57:10:57:25 | new indirection [c] |
+| A.cpp:57:11:57:24 | new | A.cpp:23:10:23:10 | c |
 | A.cpp:57:11:57:24 | new | A.cpp:57:11:57:24 | B output argument [c] |
 | A.cpp:57:17:57:23 | new | A.cpp:57:11:57:24 | new |
 | A.cpp:98:12:98:18 | new | A.cpp:100:5:100:13 | Chi [a] |
@ -14,10 +21,12 @@ edges
 | A.cpp:103:14:103:14 | *c [a] | A.cpp:107:16:107:16 | a |
 | A.cpp:126:5:126:5 | Chi [c] | A.cpp:131:8:131:8 | f7 output argument [c] |
 | A.cpp:126:5:126:5 | set output argument [c] | A.cpp:126:5:126:5 | Chi [c] |
+| A.cpp:126:8:126:10 | new | A.cpp:27:17:27:17 | c |
 | A.cpp:126:8:126:10 | new | A.cpp:126:5:126:5 | set output argument [c] |
 | A.cpp:126:12:126:18 | new | A.cpp:126:8:126:10 | new |
 | A.cpp:131:8:131:8 | Chi [c] | A.cpp:132:13:132:13 | c |
 | A.cpp:131:8:131:8 | f7 output argument [c] | A.cpp:131:8:131:8 | Chi [c] |
+| A.cpp:140:13:140:13 | b | A.cpp:143:7:143:31 | Chi [b] |
 | A.cpp:142:7:142:20 | Chi [c] | A.cpp:151:18:151:18 | D output argument [c] |
 | A.cpp:142:14:142:20 | new | A.cpp:142:7:142:20 | Chi [c] |
 | A.cpp:143:7:143:31 | Chi [b] | A.cpp:151:12:151:24 | D output argument [b] |
@ -25,6 +34,7 @@ edges
 | A.cpp:150:12:150:18 | new | A.cpp:151:12:151:24 | b |
 | A.cpp:151:12:151:24 | Chi [b] | A.cpp:152:13:152:13 | b |
 | A.cpp:151:12:151:24 | D output argument [b] | A.cpp:151:12:151:24 | Chi [b] |
+| A.cpp:151:12:151:24 | b | A.cpp:140:13:140:13 | b |
 | A.cpp:151:12:151:24 | b | A.cpp:151:12:151:24 | D output argument [b] |
 | A.cpp:151:18:151:18 | Chi [c] | A.cpp:154:13:154:13 | c |
 | A.cpp:151:18:151:18 | D output argument [c] | A.cpp:151:18:151:18 | Chi [c] |
@ -86,21 +96,49 @@ edges
 | arrays.cpp:6:12:6:21 | call to user_input | arrays.cpp:10:8:10:15 | * ... |
 | arrays.cpp:15:14:15:23 | call to user_input | arrays.cpp:16:8:16:13 | access to array |
 | arrays.cpp:36:26:36:35 | call to user_input | arrays.cpp:37:24:37:27 | data |
+| by_reference.cpp:11:48:11:52 | value | by_reference.cpp:12:5:12:16 | Chi [a] |
+| by_reference.cpp:15:26:15:30 | value | by_reference.cpp:16:5:16:19 | Chi [a] |
+| by_reference.cpp:19:28:19:32 | value | by_reference.cpp:20:11:20:21 | value |
+| by_reference.cpp:20:5:20:8 | setDirectly output argument [a] | by_reference.cpp:20:5:20:8 | Chi [a] |
+| by_reference.cpp:20:11:20:21 | value | by_reference.cpp:15:26:15:30 | value |
+| by_reference.cpp:20:11:20:21 | value | by_reference.cpp:20:5:20:8 | setDirectly output argument [a] |
+| by_reference.cpp:23:34:23:38 | value | by_reference.cpp:24:5:24:17 | value |
+| by_reference.cpp:24:5:24:17 | value | by_reference.cpp:11:48:11:52 | value |
+| by_reference.cpp:24:5:24:17 | value | by_reference.cpp:24:19:24:22 | nonMemberSetA output argument [a] |
+| by_reference.cpp:24:19:24:22 | nonMemberSetA output argument [a] | by_reference.cpp:24:19:24:22 | Chi [a] |
+| by_reference.cpp:31:46:31:46 | *s [a] | by_reference.cpp:32:15:32:15 | Store |
+| by_reference.cpp:35:9:35:19 | *#this [a] | by_reference.cpp:36:18:36:18 | Store |
+| by_reference.cpp:39:9:39:21 | *#this [a] | by_reference.cpp:40:12:40:15 | this indirection [a] |
+| by_reference.cpp:40:12:40:15 | this indirection [a] | by_reference.cpp:35:9:35:19 | *#this [a] |
+| by_reference.cpp:40:12:40:15 | this indirection [a] | by_reference.cpp:40:18:40:28 | call to getDirectly |
+| by_reference.cpp:40:18:40:28 | call to getDirectly | by_reference.cpp:40:18:40:28 | Store |
+| by_reference.cpp:43:9:43:27 | *#this [a] | by_reference.cpp:44:26:44:29 | this indirection [a] |
+| by_reference.cpp:44:12:44:24 | call to nonMemberGetA | by_reference.cpp:44:12:44:24 | Store |
+| by_reference.cpp:44:26:44:29 | this indirection [a] | by_reference.cpp:31:46:31:46 | *s [a] |
+| by_reference.cpp:44:26:44:29 | this indirection [a] | by_reference.cpp:44:12:44:24 | call to nonMemberGetA |
 | by_reference.cpp:50:3:50:3 | setDirectly output argument [a] | by_reference.cpp:51:8:51:8 | s indirection [a] |
+| by_reference.cpp:50:5:50:15 | call to user_input | by_reference.cpp:15:26:15:30 | value |
 | by_reference.cpp:50:5:50:15 | call to user_input | by_reference.cpp:50:3:50:3 | setDirectly output argument [a] |
 | by_reference.cpp:50:17:50:26 | call to user_input | by_reference.cpp:50:5:50:15 | call to user_input |
+| by_reference.cpp:51:8:51:8 | s indirection [a] | by_reference.cpp:35:9:35:19 | *#this [a] |
 | by_reference.cpp:51:8:51:8 | s indirection [a] | by_reference.cpp:51:10:51:20 | call to getDirectly |
 | by_reference.cpp:56:3:56:3 | setIndirectly output argument [a] | by_reference.cpp:57:8:57:8 | s indirection [a] |
+| by_reference.cpp:56:5:56:17 | call to user_input | by_reference.cpp:19:28:19:32 | value |
 | by_reference.cpp:56:5:56:17 | call to user_input | by_reference.cpp:56:3:56:3 | setIndirectly output argument [a] |
 | by_reference.cpp:56:19:56:28 | call to user_input | by_reference.cpp:56:5:56:17 | call to user_input |
+| by_reference.cpp:57:8:57:8 | s indirection [a] | by_reference.cpp:39:9:39:21 | *#this [a] |
 | by_reference.cpp:57:8:57:8 | s indirection [a] | by_reference.cpp:57:10:57:22 | call to getIndirectly |
 | by_reference.cpp:62:3:62:3 | setThroughNonMember output argument [a] | by_reference.cpp:63:8:63:8 | s indirection [a] |
+| by_reference.cpp:62:5:62:23 | call to user_input | by_reference.cpp:23:34:23:38 | value |
 | by_reference.cpp:62:5:62:23 | call to user_input | by_reference.cpp:62:3:62:3 | setThroughNonMember output argument [a] |
 | by_reference.cpp:62:25:62:34 | call to user_input | by_reference.cpp:62:5:62:23 | call to user_input |
+| by_reference.cpp:63:8:63:8 | s indirection [a] | by_reference.cpp:43:9:43:27 | *#this [a] |
 | by_reference.cpp:63:8:63:8 | s indirection [a] | by_reference.cpp:63:10:63:28 | call to getThroughNonMember |
+| by_reference.cpp:68:3:68:15 | call to user_input | by_reference.cpp:11:48:11:52 | value |
 | by_reference.cpp:68:3:68:15 | call to user_input | by_reference.cpp:68:17:68:18 | nonMemberSetA output argument [a] |
 | by_reference.cpp:68:17:68:18 | nonMemberSetA output argument [a] | by_reference.cpp:69:22:69:23 | & ... indirection [a] |
 | by_reference.cpp:68:21:68:30 | call to user_input | by_reference.cpp:68:3:68:15 | call to user_input |
+| by_reference.cpp:69:22:69:23 | & ... indirection [a] | by_reference.cpp:31:46:31:46 | *s [a] |
 | by_reference.cpp:69:22:69:23 | & ... indirection [a] | by_reference.cpp:69:8:69:20 | call to nonMemberGetA |
 | by_reference.cpp:84:3:84:25 | Chi [a] | by_reference.cpp:102:21:102:39 | taint_inner_a_ptr output argument [a] |
 | by_reference.cpp:84:3:84:25 | Chi [a] | by_reference.cpp:106:21:106:41 | taint_inner_a_ptr output argument [a] |
@ -134,48 +172,73 @@ edges
 | by_reference.cpp:128:15:128:23 | Chi | by_reference.cpp:128:15:128:23 | Chi [a] |
 | by_reference.cpp:128:15:128:23 | Chi [a] | by_reference.cpp:136:16:136:16 | a |
 | by_reference.cpp:128:15:128:23 | taint_a_ref output argument [[]] | by_reference.cpp:128:15:128:23 | Chi |
+| complex.cpp:9:7:9:7 | *#this [a_] | complex.cpp:9:20:9:21 | Store |
+| complex.cpp:10:7:10:7 | *#this [b_] | complex.cpp:10:20:10:21 | Store |
+| complex.cpp:11:17:11:17 | a | complex.cpp:11:22:11:27 | Chi [a_] |
+| complex.cpp:12:8:12:11 | *#this [a_] | complex.cpp:12:22:12:27 | Chi [a_] |
+| complex.cpp:12:17:12:17 | b | complex.cpp:12:22:12:27 | Chi [b_] |
 | complex.cpp:40:17:40:17 | *b [a_] | complex.cpp:42:16:42:16 | f indirection [a_] |
 | complex.cpp:40:17:40:17 | *b [b_] | complex.cpp:42:16:42:16 | f indirection [b_] |
 | complex.cpp:40:17:40:17 | *b [b_] | complex.cpp:43:16:43:16 | f indirection [b_] |
 | complex.cpp:42:16:42:16 | a output argument [b_] | complex.cpp:43:16:43:16 | f indirection [b_] |
+| complex.cpp:42:16:42:16 | f indirection [a_] | complex.cpp:9:7:9:7 | *#this [a_] |
 | complex.cpp:42:16:42:16 | f indirection [a_] | complex.cpp:42:18:42:18 | call to a |
+| complex.cpp:42:16:42:16 | f indirection [b_] | complex.cpp:9:7:9:7 | *#this [b_] |
 | complex.cpp:42:16:42:16 | f indirection [b_] | complex.cpp:42:16:42:16 | a output argument [b_] |
+| complex.cpp:43:16:43:16 | f indirection [b_] | complex.cpp:10:7:10:7 | *#this [b_] |
 | complex.cpp:43:16:43:16 | f indirection [b_] | complex.cpp:43:18:43:18 | call to b |
 | complex.cpp:53:12:53:12 | setA output argument [a_] | complex.cpp:59:7:59:8 | b1 indirection [a_] |
+| complex.cpp:53:14:53:17 | call to user_input | complex.cpp:11:17:11:17 | a |
 | complex.cpp:53:14:53:17 | call to user_input | complex.cpp:53:12:53:12 | setA output argument [a_] |
 | complex.cpp:53:19:53:28 | call to user_input | complex.cpp:53:14:53:17 | call to user_input |
 | complex.cpp:54:12:54:12 | setB output argument [b_] | complex.cpp:62:7:62:8 | b2 indirection [b_] |
+| complex.cpp:54:14:54:17 | call to user_input | complex.cpp:12:17:12:17 | b |
 | complex.cpp:54:14:54:17 | call to user_input | complex.cpp:54:12:54:12 | setB output argument [b_] |
 | complex.cpp:54:19:54:28 | call to user_input | complex.cpp:54:14:54:17 | call to user_input |
 | complex.cpp:55:12:55:12 | setA output argument [a_] | complex.cpp:56:12:56:12 | f indirection [a_] |
 | complex.cpp:55:12:55:12 | setA output argument [a_] | complex.cpp:65:7:65:8 | b3 indirection [a_] |
+| complex.cpp:55:14:55:17 | call to user_input | complex.cpp:11:17:11:17 | a |
 | complex.cpp:55:14:55:17 | call to user_input | complex.cpp:55:12:55:12 | setA output argument [a_] |
 | complex.cpp:55:19:55:28 | call to user_input | complex.cpp:55:14:55:17 | call to user_input |
+| complex.cpp:56:12:56:12 | f indirection [a_] | complex.cpp:12:8:12:11 | *#this [a_] |
 | complex.cpp:56:12:56:12 | f indirection [a_] | complex.cpp:56:12:56:12 | setB output argument [a_] |
 | complex.cpp:56:12:56:12 | setB output argument [a_] | complex.cpp:65:7:65:8 | b3 indirection [a_] |
 | complex.cpp:56:12:56:12 | setB output argument [b_] | complex.cpp:65:7:65:8 | b3 indirection [b_] |
+| complex.cpp:56:14:56:17 | call to user_input | complex.cpp:12:17:12:17 | b |
 | complex.cpp:56:14:56:17 | call to user_input | complex.cpp:56:12:56:12 | setB output argument [b_] |
 | complex.cpp:56:19:56:28 | call to user_input | complex.cpp:56:14:56:17 | call to user_input |
 | complex.cpp:59:7:59:8 | b1 indirection [a_] | complex.cpp:40:17:40:17 | *b [a_] |
 | complex.cpp:62:7:62:8 | b2 indirection [b_] | complex.cpp:40:17:40:17 | *b [b_] |
 | complex.cpp:65:7:65:8 | b3 indirection [a_] | complex.cpp:40:17:40:17 | *b [a_] |
 | complex.cpp:65:7:65:8 | b3 indirection [b_] | complex.cpp:40:17:40:17 | *b [b_] |
+| constructors.cpp:18:9:18:9 | *#this [a_] | constructors.cpp:18:22:18:23 | Store |
+| constructors.cpp:19:9:19:9 | *#this [b_] | constructors.cpp:19:22:19:23 | Store |
+| constructors.cpp:23:13:23:13 | a | constructors.cpp:23:28:23:28 | Chi [a_] |
+| constructors.cpp:23:20:23:20 | b | constructors.cpp:23:35:23:35 | Chi [b_] |
+| constructors.cpp:23:28:23:28 | Chi [a_] | constructors.cpp:23:35:23:35 | Chi [a_] |
 | constructors.cpp:26:15:26:15 | *f [a_] | constructors.cpp:28:10:28:10 | f indirection [a_] |
 | constructors.cpp:26:15:26:15 | *f [b_] | constructors.cpp:28:10:28:10 | f indirection [b_] |
 | constructors.cpp:26:15:26:15 | *f [b_] | constructors.cpp:29:10:29:10 | f indirection [b_] |
 | constructors.cpp:28:10:28:10 | a output argument [b_] | constructors.cpp:29:10:29:10 | f indirection [b_] |
+| constructors.cpp:28:10:28:10 | f indirection [a_] | constructors.cpp:18:9:18:9 | *#this [a_] |
 | constructors.cpp:28:10:28:10 | f indirection [a_] | constructors.cpp:28:12:28:12 | call to a |
+| constructors.cpp:28:10:28:10 | f indirection [b_] | constructors.cpp:18:9:18:9 | *#this [b_] |
 | constructors.cpp:28:10:28:10 | f indirection [b_] | constructors.cpp:28:10:28:10 | a output argument [b_] |
+| constructors.cpp:29:10:29:10 | f indirection [b_] | constructors.cpp:19:9:19:9 | *#this [b_] |
 | constructors.cpp:29:10:29:10 | f indirection [b_] | constructors.cpp:29:12:29:12 | call to b |
 | constructors.cpp:34:11:34:20 | call to user_input | constructors.cpp:34:11:34:26 | call to user_input |
 | constructors.cpp:34:11:34:26 | Foo output argument [a_] | constructors.cpp:40:9:40:9 | f indirection [a_] |
+| constructors.cpp:34:11:34:26 | call to user_input | constructors.cpp:23:13:23:13 | a |
 | constructors.cpp:34:11:34:26 | call to user_input | constructors.cpp:34:11:34:26 | Foo output argument [a_] |
 | constructors.cpp:35:11:35:26 | Foo output argument [b_] | constructors.cpp:43:9:43:9 | g indirection [b_] |
+| constructors.cpp:35:11:35:26 | call to user_input | constructors.cpp:23:20:23:20 | b |
 | constructors.cpp:35:11:35:26 | call to user_input | constructors.cpp:35:11:35:26 | Foo output argument [b_] |
 | constructors.cpp:35:14:35:23 | call to user_input | constructors.cpp:35:11:35:26 | call to user_input |
 | constructors.cpp:36:11:36:20 | call to user_input | constructors.cpp:36:11:36:37 | call to user_input |
 | constructors.cpp:36:11:36:37 | Foo output argument [a_] | constructors.cpp:46:9:46:9 | h indirection [a_] |
 | constructors.cpp:36:11:36:37 | Foo output argument [b_] | constructors.cpp:46:9:46:9 | h indirection [b_] |
+| constructors.cpp:36:11:36:37 | call to user_input | constructors.cpp:23:13:23:13 | a |
+| constructors.cpp:36:11:36:37 | call to user_input | constructors.cpp:23:20:23:20 | b |
 | constructors.cpp:36:11:36:37 | call to user_input | constructors.cpp:36:11:36:37 | Foo output argument [a_] |
 | constructors.cpp:36:11:36:37 | call to user_input | constructors.cpp:36:11:36:37 | Foo output argument [b_] |
 | constructors.cpp:36:25:36:34 | call to user_input | constructors.cpp:36:11:36:37 | call to user_input |
@ -183,26 +246,39 @@ edges
 | constructors.cpp:43:9:43:9 | g indirection [b_] | constructors.cpp:26:15:26:15 | *f [b_] |
 | constructors.cpp:46:9:46:9 | h indirection [a_] | constructors.cpp:26:15:26:15 | *f [a_] |
 | constructors.cpp:46:9:46:9 | h indirection [b_] | constructors.cpp:26:15:26:15 | *f [b_] |
+| simple.cpp:18:9:18:9 | *#this [a_] | simple.cpp:18:22:18:23 | Store |
+| simple.cpp:19:9:19:9 | *#this [b_] | simple.cpp:19:22:19:23 | Store |
+| simple.cpp:20:19:20:19 | a | simple.cpp:20:24:20:29 | Chi [a_] |
+| simple.cpp:21:10:21:13 | *#this [a_] | simple.cpp:21:24:21:29 | Chi [a_] |
+| simple.cpp:21:19:21:19 | b | simple.cpp:21:24:21:29 | Chi [b_] |
 | simple.cpp:26:15:26:15 | *f [a_] | simple.cpp:28:10:28:10 | f indirection [a_] |
 | simple.cpp:26:15:26:15 | *f [b_] | simple.cpp:28:10:28:10 | f indirection [b_] |
 | simple.cpp:26:15:26:15 | *f [b_] | simple.cpp:29:10:29:10 | f indirection [b_] |
 | simple.cpp:28:10:28:10 | a output argument [b_] | simple.cpp:29:10:29:10 | f indirection [b_] |
+| simple.cpp:28:10:28:10 | f indirection [a_] | simple.cpp:18:9:18:9 | *#this [a_] |
 | simple.cpp:28:10:28:10 | f indirection [a_] | simple.cpp:28:12:28:12 | call to a |
+| simple.cpp:28:10:28:10 | f indirection [b_] | simple.cpp:18:9:18:9 | *#this [b_] |
 | simple.cpp:28:10:28:10 | f indirection [b_] | simple.cpp:28:10:28:10 | a output argument [b_] |
+| simple.cpp:29:10:29:10 | f indirection [b_] | simple.cpp:19:9:19:9 | *#this [b_] |
 | simple.cpp:29:10:29:10 | f indirection [b_] | simple.cpp:29:12:29:12 | call to b |
 | simple.cpp:39:5:39:5 | setA output argument [a_] | simple.cpp:45:9:45:9 | f indirection [a_] |
+| simple.cpp:39:7:39:10 | call to user_input | simple.cpp:20:19:20:19 | a |
 | simple.cpp:39:7:39:10 | call to user_input | simple.cpp:39:5:39:5 | setA output argument [a_] |
 | simple.cpp:39:12:39:21 | call to user_input | simple.cpp:39:7:39:10 | call to user_input |
 | simple.cpp:40:5:40:5 | setB output argument [b_] | simple.cpp:48:9:48:9 | g indirection [b_] |
+| simple.cpp:40:7:40:10 | call to user_input | simple.cpp:21:19:21:19 | b |
 | simple.cpp:40:7:40:10 | call to user_input | simple.cpp:40:5:40:5 | setB output argument [b_] |
 | simple.cpp:40:12:40:21 | call to user_input | simple.cpp:40:7:40:10 | call to user_input |
 | simple.cpp:41:5:41:5 | setA output argument [a_] | simple.cpp:42:5:42:5 | h indirection [a_] |
 | simple.cpp:41:5:41:5 | setA output argument [a_] | simple.cpp:51:9:51:9 | h indirection [a_] |
+| simple.cpp:41:7:41:10 | call to user_input | simple.cpp:20:19:20:19 | a |
 | simple.cpp:41:7:41:10 | call to user_input | simple.cpp:41:5:41:5 | setA output argument [a_] |
 | simple.cpp:41:12:41:21 | call to user_input | simple.cpp:41:7:41:10 | call to user_input |
+| simple.cpp:42:5:42:5 | h indirection [a_] | simple.cpp:21:10:21:13 | *#this [a_] |
 | simple.cpp:42:5:42:5 | h indirection [a_] | simple.cpp:42:5:42:5 | setB output argument [a_] |
 | simple.cpp:42:5:42:5 | setB output argument [a_] | simple.cpp:51:9:51:9 | h indirection [a_] |
 | simple.cpp:42:5:42:5 | setB output argument [b_] | simple.cpp:51:9:51:9 | h indirection [b_] |
+| simple.cpp:42:7:42:10 | call to user_input | simple.cpp:21:19:21:19 | b |
 | simple.cpp:42:7:42:10 | call to user_input | simple.cpp:42:5:42:5 | setB output argument [b_] |
 | simple.cpp:42:12:42:21 | call to user_input | simple.cpp:42:7:42:10 | call to user_input |
 | simple.cpp:45:9:45:9 | f indirection [a_] | simple.cpp:26:15:26:15 | *f [a_] |
@ -212,8 +288,10 @@ edges
 | simple.cpp:65:5:65:22 | Store [i] | simple.cpp:66:12:66:12 | Store [i] |
 | simple.cpp:65:11:65:20 | call to user_input | simple.cpp:65:5:65:22 | Store [i] |
 | simple.cpp:66:12:66:12 | Store [i] | simple.cpp:67:13:67:13 | i |
+| simple.cpp:78:9:78:15 | *#this [f1] | simple.cpp:79:19:79:20 | Store |
 | simple.cpp:83:9:83:28 | Store [f1] | simple.cpp:84:14:84:20 | this indirection [f1] |
 | simple.cpp:83:17:83:26 | call to user_input | simple.cpp:83:9:83:28 | Store [f1] |
+| simple.cpp:84:14:84:20 | this indirection [f1] | simple.cpp:78:9:78:15 | *#this [f1] |
 | simple.cpp:84:14:84:20 | this indirection [f1] | simple.cpp:84:14:84:20 | call to getf2f1 |
 | simple.cpp:92:5:92:22 | Store [i] | simple.cpp:93:20:93:20 | Store [i] |
 | simple.cpp:92:11:92:20 | call to user_input | simple.cpp:92:5:92:22 | Store [i] |
@ -228,6 +306,12 @@ edges
 | struct_init.c:27:7:27:16 | call to user_input | struct_init.c:31:23:31:23 | a |
 | struct_init.c:36:10:36:24 | & ... indirection [a] | struct_init.c:14:24:14:25 | *ab [a] |
 nodes
+| A.cpp:23:10:23:10 | c | semmle.label | c |
+| A.cpp:25:7:25:17 | Chi [c] | semmle.label | Chi [c] |
+| A.cpp:27:17:27:17 | c | semmle.label | c |
+| A.cpp:27:22:27:32 | Chi [c] | semmle.label | Chi [c] |
+| A.cpp:28:8:28:10 | *#this [c] | semmle.label | *#this [c] |
+| A.cpp:28:29:28:29 | Store | semmle.label | Store |
 | A.cpp:55:5:55:5 | set output argument [c] | semmle.label | set output argument [c] |
 | A.cpp:55:8:55:10 | new | semmle.label | new |
 | A.cpp:55:12:55:19 | (C *)... | semmle.label | (C *)... |
@ -251,9 +335,11 @@ nodes
 | A.cpp:131:8:131:8 | Chi [c] | semmle.label | Chi [c] |
 | A.cpp:131:8:131:8 | f7 output argument [c] | semmle.label | f7 output argument [c] |
 | A.cpp:132:13:132:13 | c | semmle.label | c |
+| A.cpp:140:13:140:13 | b | semmle.label | b |
 | A.cpp:142:7:142:20 | Chi [c] | semmle.label | Chi [c] |
 | A.cpp:142:14:142:20 | new | semmle.label | new |
 | A.cpp:143:7:143:31 | Chi [b] | semmle.label | Chi [b] |
+| A.cpp:143:7:143:31 | Chi [b] | semmle.label | Chi [b] |
 | A.cpp:143:25:143:31 | new | semmle.label | new |
 | A.cpp:150:12:150:18 | new | semmle.label | new |
 | A.cpp:151:12:151:24 | Chi [b] | semmle.label | Chi [b] |
@ -336,6 +422,30 @@ nodes
 | arrays.cpp:16:8:16:13 | access to array | semmle.label | access to array |
 | arrays.cpp:36:26:36:35 | call to user_input | semmle.label | call to user_input |
 | arrays.cpp:37:24:37:27 | data | semmle.label | data |
+| by_reference.cpp:11:48:11:52 | value | semmle.label | value |
+| by_reference.cpp:12:5:12:16 | Chi [a] | semmle.label | Chi [a] |
+| by_reference.cpp:15:26:15:30 | value | semmle.label | value |
+| by_reference.cpp:16:5:16:19 | Chi [a] | semmle.label | Chi [a] |
+| by_reference.cpp:19:28:19:32 | value | semmle.label | value |
+| by_reference.cpp:20:5:20:8 | Chi [a] | semmle.label | Chi [a] |
+| by_reference.cpp:20:5:20:8 | setDirectly output argument [a] | semmle.label | setDirectly output argument [a] |
+| by_reference.cpp:20:11:20:21 | value | semmle.label | value |
+| by_reference.cpp:23:34:23:38 | value | semmle.label | value |
+| by_reference.cpp:24:5:24:17 | value | semmle.label | value |
+| by_reference.cpp:24:19:24:22 | Chi [a] | semmle.label | Chi [a] |
+| by_reference.cpp:24:19:24:22 | nonMemberSetA output argument [a] | semmle.label | nonMemberSetA output argument [a] |
+| by_reference.cpp:31:46:31:46 | *s [a] | semmle.label | *s [a] |
+| by_reference.cpp:32:15:32:15 | Store | semmle.label | Store |
+| by_reference.cpp:35:9:35:19 | *#this [a] | semmle.label | *#this [a] |
+| by_reference.cpp:36:18:36:18 | Store | semmle.label | Store |
+| by_reference.cpp:39:9:39:21 | *#this [a] | semmle.label | *#this [a] |
+| by_reference.cpp:40:12:40:15 | this indirection [a] | semmle.label | this indirection [a] |
+| by_reference.cpp:40:18:40:28 | Store | semmle.label | Store |
+| by_reference.cpp:40:18:40:28 | call to getDirectly | semmle.label | call to getDirectly |
+| by_reference.cpp:43:9:43:27 | *#this [a] | semmle.label | *#this [a] |
+| by_reference.cpp:44:12:44:24 | Store | semmle.label | Store |
+| by_reference.cpp:44:12:44:24 | call to nonMemberGetA | semmle.label | call to nonMemberGetA |
+| by_reference.cpp:44:26:44:29 | this indirection [a] | semmle.label | this indirection [a] |
 | by_reference.cpp:50:3:50:3 | setDirectly output argument [a] | semmle.label | setDirectly output argument [a] |
 | by_reference.cpp:50:5:50:15 | call to user_input | semmle.label | call to user_input |
 | by_reference.cpp:50:17:50:26 | call to user_input | semmle.label | call to user_input |
@ -392,6 +502,17 @@ nodes
 | by_reference.cpp:132:14:132:14 | a | semmle.label | a |
 | by_reference.cpp:134:29:134:29 | a | semmle.label | a |
 | by_reference.cpp:136:16:136:16 | a | semmle.label | a |
+| complex.cpp:9:7:9:7 | *#this [a_] | semmle.label | *#this [a_] |
+| complex.cpp:9:7:9:7 | *#this [b_] | semmle.label | *#this [b_] |
+| complex.cpp:9:20:9:21 | Store | semmle.label | Store |
+| complex.cpp:10:7:10:7 | *#this [b_] | semmle.label | *#this [b_] |
+| complex.cpp:10:20:10:21 | Store | semmle.label | Store |
+| complex.cpp:11:17:11:17 | a | semmle.label | a |
+| complex.cpp:11:22:11:27 | Chi [a_] | semmle.label | Chi [a_] |
+| complex.cpp:12:8:12:11 | *#this [a_] | semmle.label | *#this [a_] |
+| complex.cpp:12:17:12:17 | b | semmle.label | b |
+| complex.cpp:12:22:12:27 | Chi [a_] | semmle.label | Chi [a_] |
+| complex.cpp:12:22:12:27 | Chi [b_] | semmle.label | Chi [b_] |
 | complex.cpp:40:17:40:17 | *b [a_] | semmle.label | *b [a_] |
 | complex.cpp:40:17:40:17 | *b [b_] | semmle.label | *b [b_] |
 | complex.cpp:42:16:42:16 | a output argument [b_] | semmle.label | a output argument [b_] |
@ -418,6 +539,16 @@ nodes
 | complex.cpp:62:7:62:8 | b2 indirection [b_] | semmle.label | b2 indirection [b_] |
 | complex.cpp:65:7:65:8 | b3 indirection [a_] | semmle.label | b3 indirection [a_] |
 | complex.cpp:65:7:65:8 | b3 indirection [b_] | semmle.label | b3 indirection [b_] |
+| constructors.cpp:18:9:18:9 | *#this [a_] | semmle.label | *#this [a_] |
+| constructors.cpp:18:9:18:9 | *#this [b_] | semmle.label | *#this [b_] |
+| constructors.cpp:18:22:18:23 | Store | semmle.label | Store |
+| constructors.cpp:19:9:19:9 | *#this [b_] | semmle.label | *#this [b_] |
+| constructors.cpp:19:22:19:23 | Store | semmle.label | Store |
+| constructors.cpp:23:13:23:13 | a | semmle.label | a |
+| constructors.cpp:23:20:23:20 | b | semmle.label | b |
+| constructors.cpp:23:28:23:28 | Chi [a_] | semmle.label | Chi [a_] |
+| constructors.cpp:23:35:23:35 | Chi [a_] | semmle.label | Chi [a_] |
+| constructors.cpp:23:35:23:35 | Chi [b_] | semmle.label | Chi [b_] |
 | constructors.cpp:26:15:26:15 | *f [a_] | semmle.label | *f [a_] |
 | constructors.cpp:26:15:26:15 | *f [b_] | semmle.label | *f [b_] |
 | constructors.cpp:28:10:28:10 | a output argument [b_] | semmle.label | a output argument [b_] |
@ -442,6 +573,17 @@ nodes
 | constructors.cpp:43:9:43:9 | g indirection [b_] | semmle.label | g indirection [b_] |
 | constructors.cpp:46:9:46:9 | h indirection [a_] | semmle.label | h indirection [a_] |
 | constructors.cpp:46:9:46:9 | h indirection [b_] | semmle.label | h indirection [b_] |
+| simple.cpp:18:9:18:9 | *#this [a_] | semmle.label | *#this [a_] |
+| simple.cpp:18:9:18:9 | *#this [b_] | semmle.label | *#this [b_] |
+| simple.cpp:18:22:18:23 | Store | semmle.label | Store |
+| simple.cpp:19:9:19:9 | *#this [b_] | semmle.label | *#this [b_] |
+| simple.cpp:19:22:19:23 | Store | semmle.label | Store |
+| simple.cpp:20:19:20:19 | a | semmle.label | a |
+| simple.cpp:20:24:20:29 | Chi [a_] | semmle.label | Chi [a_] |
+| simple.cpp:21:10:21:13 | *#this [a_] | semmle.label | *#this [a_] |
+| simple.cpp:21:19:21:19 | b | semmle.label | b |
+| simple.cpp:21:24:21:29 | Chi [a_] | semmle.label | Chi [a_] |
+| simple.cpp:21:24:21:29 | Chi [b_] | semmle.label | Chi [b_] |
 | simple.cpp:26:15:26:15 | *f [a_] | semmle.label | *f [a_] |
 | simple.cpp:26:15:26:15 | *f [b_] | semmle.label | *f [b_] |
 | simple.cpp:28:10:28:10 | a output argument [b_] | semmle.label | a output argument [b_] |
@ -472,6 +614,8 @@ nodes
 | simple.cpp:65:11:65:20 | call to user_input | semmle.label | call to user_input |
 | simple.cpp:66:12:66:12 | Store [i] | semmle.label | Store [i] |
 | simple.cpp:67:13:67:13 | i | semmle.label | i |
+| simple.cpp:78:9:78:15 | *#this [f1] | semmle.label | *#this [f1] |
+| simple.cpp:79:19:79:20 | Store | semmle.label | Store |
 | simple.cpp:83:9:83:28 | Store [f1] | semmle.label | Store [f1] |
 | simple.cpp:83:17:83:26 | call to user_input | semmle.label | call to user_input |
 | simple.cpp:84:14:84:20 | call to getf2f1 | semmle.label | call to getf2f1 |
@ -490,6 +634,49 @@ nodes
 | struct_init.c:27:7:27:16 | call to user_input | semmle.label | call to user_input |
 | struct_init.c:31:23:31:23 | a | semmle.label | a |
 | struct_init.c:36:10:36:24 | & ... indirection [a] | semmle.label | & ... indirection [a] |
+subpaths
+| A.cpp:55:8:55:10 | new | A.cpp:27:17:27:17 | c | A.cpp:27:22:27:32 | Chi [c] | A.cpp:55:5:55:5 | set output argument [c] |
+| A.cpp:56:10:56:10 | b indirection [c] | A.cpp:28:8:28:10 | *#this [c] | A.cpp:28:29:28:29 | Store | A.cpp:56:13:56:15 | call to get |
+| A.cpp:57:10:57:25 | new indirection [c] | A.cpp:28:8:28:10 | *#this [c] | A.cpp:28:29:28:29 | Store | A.cpp:57:28:57:30 | call to get |
+| A.cpp:57:11:57:24 | new | A.cpp:23:10:23:10 | c | A.cpp:25:7:25:17 | Chi [c] | A.cpp:57:11:57:24 | B output argument [c] |
+| A.cpp:126:8:126:10 | new | A.cpp:27:17:27:17 | c | A.cpp:27:22:27:32 | Chi [c] | A.cpp:126:5:126:5 | set output argument [c] |
+| A.cpp:151:12:151:24 | b | A.cpp:140:13:140:13 | b | A.cpp:143:7:143:31 | Chi [b] | A.cpp:151:12:151:24 | D output argument [b] |
+| by_reference.cpp:20:11:20:21 | value | by_reference.cpp:15:26:15:30 | value | by_reference.cpp:16:5:16:19 | Chi [a] | by_reference.cpp:20:5:20:8 | setDirectly output argument [a] |
+| by_reference.cpp:24:5:24:17 | value | by_reference.cpp:11:48:11:52 | value | by_reference.cpp:12:5:12:16 | Chi [a] | by_reference.cpp:24:19:24:22 | nonMemberSetA output argument [a] |
+| by_reference.cpp:40:12:40:15 | this indirection [a] | by_reference.cpp:35:9:35:19 | *#this [a] | by_reference.cpp:36:18:36:18 | Store | by_reference.cpp:40:18:40:28 | call to getDirectly |
+| by_reference.cpp:44:26:44:29 | this indirection [a] | by_reference.cpp:31:46:31:46 | *s [a] | by_reference.cpp:32:15:32:15 | Store | by_reference.cpp:44:12:44:24 | call to nonMemberGetA |
+| by_reference.cpp:50:5:50:15 | call to user_input | by_reference.cpp:15:26:15:30 | value | by_reference.cpp:16:5:16:19 | Chi [a] | by_reference.cpp:50:3:50:3 | setDirectly output argument [a] |
+| by_reference.cpp:51:8:51:8 | s indirection [a] | by_reference.cpp:35:9:35:19 | *#this [a] | by_reference.cpp:36:18:36:18 | Store | by_reference.cpp:51:10:51:20 | call to getDirectly |
+| by_reference.cpp:56:5:56:17 | call to user_input | by_reference.cpp:19:28:19:32 | value | by_reference.cpp:20:5:20:8 | Chi [a] | by_reference.cpp:56:3:56:3 | setIndirectly output argument [a] |
+| by_reference.cpp:57:8:57:8 | s indirection [a] | by_reference.cpp:39:9:39:21 | *#this [a] | by_reference.cpp:40:18:40:28 | Store | by_reference.cpp:57:10:57:22 | call to getIndirectly |
+| by_reference.cpp:62:5:62:23 | call to user_input | by_reference.cpp:23:34:23:38 | value | by_reference.cpp:24:19:24:22 | Chi [a] | by_reference.cpp:62:3:62:3 | setThroughNonMember output argument [a] |
+| by_reference.cpp:63:8:63:8 | s indirection [a] | by_reference.cpp:43:9:43:27 | *#this [a] | by_reference.cpp:44:12:44:24 | Store | by_reference.cpp:63:10:63:28 | call to getThroughNonMember |
+| by_reference.cpp:68:3:68:15 | call to user_input | by_reference.cpp:11:48:11:52 | value | by_reference.cpp:12:5:12:16 | Chi [a] | by_reference.cpp:68:17:68:18 | nonMemberSetA output argument [a] |
+| by_reference.cpp:69:22:69:23 | & ... indirection [a] | by_reference.cpp:31:46:31:46 | *s [a] | by_reference.cpp:32:15:32:15 | Store | by_reference.cpp:69:8:69:20 | call to nonMemberGetA |
+| complex.cpp:42:16:42:16 | f indirection [a_] | complex.cpp:9:7:9:7 | *#this [a_] | complex.cpp:9:20:9:21 | Store | complex.cpp:42:18:42:18 | call to a |
+| complex.cpp:42:16:42:16 | f indirection [b_] | complex.cpp:9:7:9:7 | *#this [b_] | complex.cpp:9:7:9:7 | *#this [b_] | complex.cpp:42:16:42:16 | a output argument [b_] |
+| complex.cpp:43:16:43:16 | f indirection [b_] | complex.cpp:10:7:10:7 | *#this [b_] | complex.cpp:10:20:10:21 | Store | complex.cpp:43:18:43:18 | call to b |
+| complex.cpp:53:14:53:17 | call to user_input | complex.cpp:11:17:11:17 | a | complex.cpp:11:22:11:27 | Chi [a_] | complex.cpp:53:12:53:12 | setA output argument [a_] |
+| complex.cpp:54:14:54:17 | call to user_input | complex.cpp:12:17:12:17 | b | complex.cpp:12:22:12:27 | Chi [b_] | complex.cpp:54:12:54:12 | setB output argument [b_] |
+| complex.cpp:55:14:55:17 | call to user_input | complex.cpp:11:17:11:17 | a | complex.cpp:11:22:11:27 | Chi [a_] | complex.cpp:55:12:55:12 | setA output argument [a_] |
+| complex.cpp:56:12:56:12 | f indirection [a_] | complex.cpp:12:8:12:11 | *#this [a_] | complex.cpp:12:22:12:27 | Chi [a_] | complex.cpp:56:12:56:12 | setB output argument [a_] |
+| complex.cpp:56:14:56:17 | call to user_input | complex.cpp:12:17:12:17 | b | complex.cpp:12:22:12:27 | Chi [b_] | complex.cpp:56:12:56:12 | setB output argument [b_] |
+| constructors.cpp:28:10:28:10 | f indirection [a_] | constructors.cpp:18:9:18:9 | *#this [a_] | constructors.cpp:18:22:18:23 | Store | constructors.cpp:28:12:28:12 | call to a |
+| constructors.cpp:28:10:28:10 | f indirection [b_] | constructors.cpp:18:9:18:9 | *#this [b_] | constructors.cpp:18:9:18:9 | *#this [b_] | constructors.cpp:28:10:28:10 | a output argument [b_] |
+| constructors.cpp:29:10:29:10 | f indirection [b_] | constructors.cpp:19:9:19:9 | *#this [b_] | constructors.cpp:19:22:19:23 | Store | constructors.cpp:29:12:29:12 | call to b |
+| constructors.cpp:34:11:34:26 | call to user_input | constructors.cpp:23:13:23:13 | a | constructors.cpp:23:35:23:35 | Chi [a_] | constructors.cpp:34:11:34:26 | Foo output argument [a_] |
+| constructors.cpp:35:11:35:26 | call to user_input | constructors.cpp:23:20:23:20 | b | constructors.cpp:23:35:23:35 | Chi [b_] | constructors.cpp:35:11:35:26 | Foo output argument [b_] |
+| constructors.cpp:36:11:36:37 | call to user_input | constructors.cpp:23:13:23:13 | a | constructors.cpp:23:35:23:35 | Chi [a_] | constructors.cpp:36:11:36:37 | Foo output argument [a_] |
+| constructors.cpp:36:11:36:37 | call to user_input | constructors.cpp:23:20:23:20 | b | constructors.cpp:23:35:23:35 | Chi [b_] | constructors.cpp:36:11:36:37 | Foo output argument [b_] |
+| simple.cpp:28:10:28:10 | f indirection [a_] | simple.cpp:18:9:18:9 | *#this [a_] | simple.cpp:18:22:18:23 | Store | simple.cpp:28:12:28:12 | call to a |
+| simple.cpp:28:10:28:10 | f indirection [b_] | simple.cpp:18:9:18:9 | *#this [b_] | simple.cpp:18:9:18:9 | *#this [b_] | simple.cpp:28:10:28:10 | a output argument [b_] |
+| simple.cpp:29:10:29:10 | f indirection [b_] | simple.cpp:19:9:19:9 | *#this [b_] | simple.cpp:19:22:19:23 | Store | simple.cpp:29:12:29:12 | call to b |
+| simple.cpp:39:7:39:10 | call to user_input | simple.cpp:20:19:20:19 | a | simple.cpp:20:24:20:29 | Chi [a_] | simple.cpp:39:5:39:5 | setA output argument [a_] |
+| simple.cpp:40:7:40:10 | call to user_input | simple.cpp:21:19:21:19 | b | simple.cpp:21:24:21:29 | Chi [b_] | simple.cpp:40:5:40:5 | setB output argument [b_] |
+| simple.cpp:41:7:41:10 | call to user_input | simple.cpp:20:19:20:19 | a | simple.cpp:20:24:20:29 | Chi [a_] | simple.cpp:41:5:41:5 | setA output argument [a_] |
+| simple.cpp:42:5:42:5 | h indirection [a_] | simple.cpp:21:10:21:13 | *#this [a_] | simple.cpp:21:24:21:29 | Chi [a_] | simple.cpp:42:5:42:5 | setB output argument [a_] |
+| simple.cpp:42:7:42:10 | call to user_input | simple.cpp:21:19:21:19 | b | simple.cpp:21:24:21:29 | Chi [b_] | simple.cpp:42:5:42:5 | setB output argument [b_] |
+| simple.cpp:84:14:84:20 | this indirection [f1] | simple.cpp:78:9:78:15 | *#this [f1] | simple.cpp:79:19:79:20 | Store | simple.cpp:84:14:84:20 | call to getf2f1 |
 #select
 | A.cpp:56:13:56:15 | call to get | A.cpp:55:12:55:19 | (C *)... | A.cpp:56:13:56:15 | call to get | call to get flows from $@ | A.cpp:55:12:55:19 | (C *)... | (C *)... |
 | A.cpp:56:13:56:15 | call to get | A.cpp:55:12:55:19 | new | A.cpp:56:13:56:15 | call to get | call to get flows from $@ | A.cpp:55:12:55:19 | new | new |
--- a/cpp/ql/test/library-tests/dataflow/fields/path-flow.expected
+++ b/cpp/ql/test/library-tests/dataflow/fields/path-flow.expected
@ -1,21 +1,46 @@
 edges
+| A.cpp:23:10:23:10 | c | A.cpp:25:7:25:17 | ... = ... |
+| A.cpp:25:7:25:17 | ... = ... | A.cpp:25:7:25:10 | this [post update] [c] |
+| A.cpp:27:17:27:17 | c | A.cpp:27:22:27:32 | ... = ... |
+| A.cpp:27:22:27:32 | ... = ... | A.cpp:27:22:27:25 | this [post update] [c] |
+| A.cpp:28:8:28:10 | this [c] | A.cpp:28:23:28:26 | this [c] |
+| A.cpp:28:23:28:26 | this [c] | A.cpp:28:29:28:29 | c |
+| A.cpp:29:23:29:23 | c | A.cpp:31:20:31:20 | c |
+| A.cpp:31:14:31:21 | call to B [c] | A.cpp:31:14:31:21 | new [c] |
+| A.cpp:31:20:31:20 | c | A.cpp:23:10:23:10 | c |
+| A.cpp:31:20:31:20 | c | A.cpp:31:14:31:21 | call to B [c] |
 | A.cpp:41:15:41:21 | new | A.cpp:43:10:43:12 | & ... |
 | A.cpp:47:12:47:18 | new | A.cpp:48:20:48:20 | c |
 | A.cpp:48:12:48:18 | call to make [c] | A.cpp:49:10:49:10 | b [c] |
+| A.cpp:48:20:48:20 | c | A.cpp:29:23:29:23 | c |
 | A.cpp:48:20:48:20 | c | A.cpp:48:12:48:18 | call to make [c] |
 | A.cpp:49:10:49:10 | b [c] | A.cpp:49:13:49:13 | c |
 | A.cpp:55:5:55:5 | ref arg b [c] | A.cpp:56:10:56:10 | b [c] |
+| A.cpp:55:12:55:19 | new | A.cpp:27:17:27:17 | c |
 | A.cpp:55:12:55:19 | new | A.cpp:55:5:55:5 | ref arg b [c] |
+| A.cpp:56:10:56:10 | b [c] | A.cpp:28:8:28:10 | this [c] |
 | A.cpp:56:10:56:10 | b [c] | A.cpp:56:13:56:15 | call to get |
 | A.cpp:57:11:57:24 | call to B [c] | A.cpp:57:11:57:24 | new [c] |
+| A.cpp:57:11:57:24 | new [c] | A.cpp:28:8:28:10 | this [c] |
 | A.cpp:57:11:57:24 | new [c] | A.cpp:57:28:57:30 | call to get |
+| A.cpp:57:17:57:23 | new | A.cpp:23:10:23:10 | c |
 | A.cpp:57:17:57:23 | new | A.cpp:57:11:57:24 | call to B [c] |
 | A.cpp:64:10:64:15 | call to setOnB [c] | A.cpp:66:10:66:11 | b2 [c] |
 | A.cpp:64:21:64:28 | new | A.cpp:64:10:64:15 | call to setOnB [c] |
+| A.cpp:64:21:64:28 | new | A.cpp:85:26:85:26 | c |
 | A.cpp:66:10:66:11 | b2 [c] | A.cpp:66:14:66:14 | c |
 | A.cpp:73:10:73:19 | call to setOnBWrap [c] | A.cpp:75:10:75:11 | b2 [c] |
 | A.cpp:73:25:73:32 | new | A.cpp:73:10:73:19 | call to setOnBWrap [c] |
+| A.cpp:73:25:73:32 | new | A.cpp:78:27:78:27 | c |
 | A.cpp:75:10:75:11 | b2 [c] | A.cpp:75:14:75:14 | c |
+| A.cpp:78:27:78:27 | c | A.cpp:81:21:81:21 | c |
+| A.cpp:81:10:81:15 | call to setOnB [c] | A.cpp:82:12:82:24 | ... ? ... : ... [c] |
+| A.cpp:81:21:81:21 | c | A.cpp:81:10:81:15 | call to setOnB [c] |
+| A.cpp:81:21:81:21 | c | A.cpp:85:26:85:26 | c |
+| A.cpp:85:26:85:26 | c | A.cpp:90:15:90:15 | c |
+| A.cpp:90:7:90:8 | ref arg b2 [c] | A.cpp:91:14:91:15 | b2 [c] |
+| A.cpp:90:15:90:15 | c | A.cpp:27:17:27:17 | c |
+| A.cpp:90:15:90:15 | c | A.cpp:90:7:90:8 | ref arg b2 [c] |
 | A.cpp:98:12:98:18 | new | A.cpp:100:5:100:13 | ... = ... |
 | A.cpp:100:5:100:6 | c1 [post update] [a] | A.cpp:101:8:101:9 | c1 [a] |
 | A.cpp:100:5:100:13 | ... = ... | A.cpp:100:5:100:6 | c1 [post update] [a] |
@ -25,9 +50,11 @@ edges
 | A.cpp:107:12:107:13 | c1 [a] | A.cpp:107:16:107:16 | a |
 | A.cpp:120:12:120:13 | c1 [a] | A.cpp:120:16:120:16 | a |
 | A.cpp:126:5:126:5 | ref arg b [c] | A.cpp:131:8:131:8 | ref arg b [c] |
+| A.cpp:126:12:126:18 | new | A.cpp:27:17:27:17 | c |
 | A.cpp:126:12:126:18 | new | A.cpp:126:5:126:5 | ref arg b [c] |
 | A.cpp:131:8:131:8 | ref arg b [c] | A.cpp:132:10:132:10 | b [c] |
 | A.cpp:132:10:132:10 | b [c] | A.cpp:132:13:132:13 | c |
+| A.cpp:140:13:140:13 | b | A.cpp:143:7:143:31 | ... = ... |
 | A.cpp:142:7:142:7 | b [post update] [c] | A.cpp:143:7:143:31 | ... = ... [c] |
 | A.cpp:142:7:142:7 | b [post update] [c] | A.cpp:151:18:151:18 | ref arg b [c] |
 | A.cpp:142:7:142:20 | ... = ... | A.cpp:142:7:142:7 | b [post update] [c] |
@ -35,11 +62,13 @@ edges
 | A.cpp:143:7:143:10 | this [post update] [b, c] | A.cpp:151:12:151:24 | call to D [b, c] |
 | A.cpp:143:7:143:10 | this [post update] [b] | A.cpp:151:12:151:24 | call to D [b] |
 | A.cpp:143:7:143:31 | ... = ... | A.cpp:143:7:143:10 | this [post update] [b] |
+| A.cpp:143:7:143:31 | ... = ... | A.cpp:143:7:143:10 | this [post update] [b] |
 | A.cpp:143:7:143:31 | ... = ... [c] | A.cpp:143:7:143:10 | this [post update] [b, c] |
 | A.cpp:143:25:143:31 | new | A.cpp:143:7:143:31 | ... = ... |
 | A.cpp:150:12:150:18 | new | A.cpp:151:18:151:18 | b |
 | A.cpp:151:12:151:24 | call to D [b, c] | A.cpp:153:10:153:10 | d [b, c] |
 | A.cpp:151:12:151:24 | call to D [b] | A.cpp:152:10:152:10 | d [b] |
+| A.cpp:151:18:151:18 | b | A.cpp:140:13:140:13 | b |
 | A.cpp:151:18:151:18 | b | A.cpp:151:12:151:24 | call to D [b] |
 | A.cpp:151:18:151:18 | ref arg b [c] | A.cpp:154:10:154:10 | b [c] |
 | A.cpp:152:10:152:10 | d [b] | A.cpp:152:13:152:13 | b |
@ -49,11 +78,14 @@ edges
 | A.cpp:159:12:159:18 | new | A.cpp:160:29:160:29 | b |
 | A.cpp:160:18:160:60 | call to MyList [head] | A.cpp:161:38:161:39 | l1 [head] |
 | A.cpp:160:29:160:29 | b | A.cpp:160:18:160:60 | call to MyList [head] |
+| A.cpp:160:29:160:29 | b | A.cpp:181:15:181:21 | newHead |
 | A.cpp:161:18:161:40 | call to MyList [next, head] | A.cpp:162:38:162:39 | l2 [next, head] |
 | A.cpp:161:38:161:39 | l1 [head] | A.cpp:161:18:161:40 | call to MyList [next, head] |
+| A.cpp:161:38:161:39 | l1 [head] | A.cpp:181:32:181:35 | next [head] |
 | A.cpp:162:18:162:40 | call to MyList [next, next, head] | A.cpp:165:10:165:11 | l3 [next, next, head] |
 | A.cpp:162:18:162:40 | call to MyList [next, next, head] | A.cpp:167:44:167:44 | l [next, next, head] |
 | A.cpp:162:38:162:39 | l2 [next, head] | A.cpp:162:18:162:40 | call to MyList [next, next, head] |
+| A.cpp:162:38:162:39 | l2 [next, head] | A.cpp:181:32:181:35 | next [next, head] |
 | A.cpp:165:10:165:11 | l3 [next, next, head] | A.cpp:165:14:165:17 | next [next, head] |
 | A.cpp:165:14:165:17 | next [next, head] | A.cpp:165:20:165:23 | next [head] |
 | A.cpp:165:20:165:23 | next [head] | A.cpp:165:26:165:29 | head |
@ -62,20 +94,38 @@ edges
 | A.cpp:167:47:167:50 | next [head] | A.cpp:169:12:169:12 | l [head] |
 | A.cpp:167:47:167:50 | next [next, head] | A.cpp:167:44:167:44 | l [next, head] |
 | A.cpp:169:12:169:12 | l [head] | A.cpp:169:15:169:18 | head |
+| A.cpp:181:15:181:21 | newHead | A.cpp:183:7:183:20 | ... = ... |
+| A.cpp:181:32:181:35 | next [head] | A.cpp:184:7:184:23 | ... = ... [head] |
+| A.cpp:181:32:181:35 | next [next, head] | A.cpp:184:7:184:23 | ... = ... [next, head] |
+| A.cpp:183:7:183:20 | ... = ... | A.cpp:183:7:183:10 | this [post update] [head] |
+| A.cpp:184:7:184:23 | ... = ... [head] | A.cpp:184:7:184:10 | this [post update] [next, head] |
+| A.cpp:184:7:184:23 | ... = ... [next, head] | A.cpp:184:7:184:10 | this [post update] [next, next, head] |
 | B.cpp:6:15:6:24 | new | B.cpp:7:25:7:25 | e |
 | B.cpp:7:16:7:35 | call to Box1 [elem1] | B.cpp:8:25:8:26 | b1 [elem1] |
 | B.cpp:7:25:7:25 | e | B.cpp:7:16:7:35 | call to Box1 [elem1] |
+| B.cpp:7:25:7:25 | e | B.cpp:33:16:33:17 | e1 |
 | B.cpp:8:16:8:27 | call to Box2 [box1, elem1] | B.cpp:9:10:9:11 | b2 [box1, elem1] |
 | B.cpp:8:25:8:26 | b1 [elem1] | B.cpp:8:16:8:27 | call to Box2 [box1, elem1] |
+| B.cpp:8:25:8:26 | b1 [elem1] | B.cpp:44:16:44:17 | b1 [elem1] |
 | B.cpp:9:10:9:11 | b2 [box1, elem1] | B.cpp:9:14:9:17 | box1 [elem1] |
 | B.cpp:9:14:9:17 | box1 [elem1] | B.cpp:9:20:9:24 | elem1 |
 | B.cpp:15:15:15:27 | new | B.cpp:16:37:16:37 | e |
 | B.cpp:16:16:16:38 | call to Box1 [elem2] | B.cpp:17:25:17:26 | b1 [elem2] |
 | B.cpp:16:37:16:37 | e | B.cpp:16:16:16:38 | call to Box1 [elem2] |
+| B.cpp:16:37:16:37 | e | B.cpp:33:26:33:27 | e2 |
 | B.cpp:17:16:17:27 | call to Box2 [box1, elem2] | B.cpp:19:10:19:11 | b2 [box1, elem2] |
 | B.cpp:17:25:17:26 | b1 [elem2] | B.cpp:17:16:17:27 | call to Box2 [box1, elem2] |
+| B.cpp:17:25:17:26 | b1 [elem2] | B.cpp:44:16:44:17 | b1 [elem2] |
 | B.cpp:19:10:19:11 | b2 [box1, elem2] | B.cpp:19:14:19:17 | box1 [elem2] |
 | B.cpp:19:14:19:17 | box1 [elem2] | B.cpp:19:20:19:24 | elem2 |
+| B.cpp:33:16:33:17 | e1 | B.cpp:35:7:35:22 | ... = ... |
+| B.cpp:33:26:33:27 | e2 | B.cpp:36:7:36:22 | ... = ... |
+| B.cpp:35:7:35:22 | ... = ... | B.cpp:35:7:35:10 | this [post update] [elem1] |
+| B.cpp:36:7:36:22 | ... = ... | B.cpp:36:7:36:10 | this [post update] [elem2] |
+| B.cpp:44:16:44:17 | b1 [elem1] | B.cpp:46:7:46:21 | ... = ... [elem1] |
+| B.cpp:44:16:44:17 | b1 [elem2] | B.cpp:46:7:46:21 | ... = ... [elem2] |
+| B.cpp:46:7:46:21 | ... = ... [elem1] | B.cpp:46:7:46:10 | this [post update] [box1, elem1] |
+| B.cpp:46:7:46:21 | ... = ... [elem2] | B.cpp:46:7:46:10 | this [post update] [box1, elem2] |
 | C.cpp:18:12:18:18 | call to C [s1] | C.cpp:19:5:19:5 | c [s1] |
 | C.cpp:18:12:18:18 | call to C [s3] | C.cpp:19:5:19:5 | c [s3] |
 | C.cpp:19:5:19:5 | c [s1] | C.cpp:27:8:27:11 | this [s1] |
@ -89,8 +139,16 @@ edges
 | C.cpp:27:8:27:11 | this [s3] | C.cpp:31:10:31:11 | this [s3] |
 | C.cpp:29:10:29:11 | this [s1] | C.cpp:29:10:29:11 | s1 |
 | C.cpp:31:10:31:11 | this [s3] | C.cpp:31:10:31:11 | s3 |
+| D.cpp:10:11:10:17 | this [elem] | D.cpp:10:30:10:33 | this [elem] |
+| D.cpp:10:30:10:33 | this [elem] | D.cpp:10:30:10:33 | elem |
+| D.cpp:11:24:11:24 | e | D.cpp:11:29:11:36 | ... = ... |
+| D.cpp:11:29:11:36 | ... = ... | D.cpp:11:29:11:32 | this [post update] [elem] |
+| D.cpp:17:11:17:17 | this [box, elem] | D.cpp:17:30:17:32 | this [box, elem] |
+| D.cpp:17:30:17:32 | this [box, elem] | D.cpp:17:30:17:32 | box [elem] |
 | D.cpp:21:30:21:31 | b2 [box, elem] | D.cpp:22:10:22:11 | b2 [box, elem] |
+| D.cpp:22:10:22:11 | b2 [box, elem] | D.cpp:17:11:17:17 | this [box, elem] |
 | D.cpp:22:10:22:11 | b2 [box, elem] | D.cpp:22:14:22:20 | call to getBox1 [elem] |
+| D.cpp:22:14:22:20 | call to getBox1 [elem] | D.cpp:10:11:10:17 | this [elem] |
 | D.cpp:22:14:22:20 | call to getBox1 [elem] | D.cpp:22:25:22:31 | call to getElem |
 | D.cpp:28:15:28:24 | new | D.cpp:30:5:30:20 | ... = ... |
 | D.cpp:30:5:30:5 | b [post update] [box, elem] | D.cpp:31:14:31:14 | b [box, elem] |
@ -100,6 +158,7 @@ edges
 | D.cpp:35:15:35:24 | new | D.cpp:37:21:37:21 | e |
 | D.cpp:37:5:37:5 | b [post update] [box, elem] | D.cpp:38:14:38:14 | b [box, elem] |
 | D.cpp:37:8:37:10 | ref arg box [elem] | D.cpp:37:5:37:5 | b [post update] [box, elem] |
+| D.cpp:37:21:37:21 | e | D.cpp:11:24:11:24 | e |
 | D.cpp:37:21:37:21 | e | D.cpp:37:8:37:10 | ref arg box [elem] |
 | D.cpp:38:14:38:14 | b [box, elem] | D.cpp:21:30:21:31 | b2 [box, elem] |
 | D.cpp:42:15:42:24 | new | D.cpp:44:5:44:26 | ... = ... |
@ -110,6 +169,7 @@ edges
 | D.cpp:49:15:49:24 | new | D.cpp:51:27:51:27 | e |
 | D.cpp:51:5:51:5 | ref arg b [box, elem] | D.cpp:52:14:52:14 | b [box, elem] |
 | D.cpp:51:8:51:14 | ref arg call to getBox1 [elem] | D.cpp:51:5:51:5 | ref arg b [box, elem] |
+| D.cpp:51:27:51:27 | e | D.cpp:11:24:11:24 | e |
 | D.cpp:51:27:51:27 | e | D.cpp:51:8:51:14 | ref arg call to getBox1 [elem] |
 | D.cpp:52:14:52:14 | b [box, elem] | D.cpp:21:30:21:31 | b2 [box, elem] |
 | D.cpp:56:15:56:24 | new | D.cpp:58:5:58:27 | ... = ... |
@ -223,17 +283,45 @@ edges
 | arrays.cpp:44:8:44:25 | access to array [data] | arrays.cpp:44:27:44:30 | data |
 | arrays.cpp:44:10:44:17 | indirect [arr, data] | arrays.cpp:44:20:44:22 | arr [data] |
 | arrays.cpp:44:20:44:22 | arr [data] | arrays.cpp:44:8:44:25 | access to array [data] |
+| by_reference.cpp:11:48:11:52 | value | by_reference.cpp:12:5:12:16 | ... = ... |
+| by_reference.cpp:12:5:12:16 | ... = ... | by_reference.cpp:12:5:12:5 | s [post update] [a] |
+| by_reference.cpp:15:26:15:30 | value | by_reference.cpp:16:5:16:19 | ... = ... |
+| by_reference.cpp:16:5:16:19 | ... = ... | by_reference.cpp:16:5:16:8 | this [post update] [a] |
+| by_reference.cpp:19:28:19:32 | value | by_reference.cpp:20:23:20:27 | value |
+| by_reference.cpp:20:23:20:27 | value | by_reference.cpp:15:26:15:30 | value |
+| by_reference.cpp:20:23:20:27 | value | by_reference.cpp:20:5:20:8 | ref arg this [a] |
+| by_reference.cpp:23:34:23:38 | value | by_reference.cpp:24:25:24:29 | value |
+| by_reference.cpp:24:25:24:29 | value | by_reference.cpp:11:48:11:52 | value |
+| by_reference.cpp:24:25:24:29 | value | by_reference.cpp:24:19:24:22 | ref arg this [a] |
+| by_reference.cpp:31:46:31:46 | s [a] | by_reference.cpp:32:12:32:12 | s [a] |
+| by_reference.cpp:32:12:32:12 | s [a] | by_reference.cpp:32:15:32:15 | a |
+| by_reference.cpp:35:9:35:19 | this [a] | by_reference.cpp:36:12:36:15 | this [a] |
+| by_reference.cpp:36:12:36:15 | this [a] | by_reference.cpp:36:18:36:18 | a |
+| by_reference.cpp:39:9:39:21 | this [a] | by_reference.cpp:40:12:40:15 | this [a] |
+| by_reference.cpp:40:12:40:15 | this [a] | by_reference.cpp:35:9:35:19 | this [a] |
+| by_reference.cpp:40:12:40:15 | this [a] | by_reference.cpp:40:18:40:28 | call to getDirectly |
+| by_reference.cpp:43:9:43:27 | this [a] | by_reference.cpp:44:26:44:29 | this [a] |
+| by_reference.cpp:44:26:44:29 | this [a] | by_reference.cpp:31:46:31:46 | s [a] |
+| by_reference.cpp:44:26:44:29 | this [a] | by_reference.cpp:44:12:44:24 | call to nonMemberGetA |
 | by_reference.cpp:50:3:50:3 | ref arg s [a] | by_reference.cpp:51:8:51:8 | s [a] |
+| by_reference.cpp:50:17:50:26 | call to user_input | by_reference.cpp:15:26:15:30 | value |
 | by_reference.cpp:50:17:50:26 | call to user_input | by_reference.cpp:50:3:50:3 | ref arg s [a] |
+| by_reference.cpp:51:8:51:8 | s [a] | by_reference.cpp:35:9:35:19 | this [a] |
 | by_reference.cpp:51:8:51:8 | s [a] | by_reference.cpp:51:10:51:20 | call to getDirectly |
 | by_reference.cpp:56:3:56:3 | ref arg s [a] | by_reference.cpp:57:8:57:8 | s [a] |
+| by_reference.cpp:56:19:56:28 | call to user_input | by_reference.cpp:19:28:19:32 | value |
 | by_reference.cpp:56:19:56:28 | call to user_input | by_reference.cpp:56:3:56:3 | ref arg s [a] |
+| by_reference.cpp:57:8:57:8 | s [a] | by_reference.cpp:39:9:39:21 | this [a] |
 | by_reference.cpp:57:8:57:8 | s [a] | by_reference.cpp:57:10:57:22 | call to getIndirectly |
 | by_reference.cpp:62:3:62:3 | ref arg s [a] | by_reference.cpp:63:8:63:8 | s [a] |
+| by_reference.cpp:62:25:62:34 | call to user_input | by_reference.cpp:23:34:23:38 | value |
 | by_reference.cpp:62:25:62:34 | call to user_input | by_reference.cpp:62:3:62:3 | ref arg s [a] |
+| by_reference.cpp:63:8:63:8 | s [a] | by_reference.cpp:43:9:43:27 | this [a] |
 | by_reference.cpp:63:8:63:8 | s [a] | by_reference.cpp:63:10:63:28 | call to getThroughNonMember |
 | by_reference.cpp:68:17:68:18 | ref arg & ... [a] | by_reference.cpp:69:22:69:23 | & ... [a] |
+| by_reference.cpp:68:21:68:30 | call to user_input | by_reference.cpp:11:48:11:52 | value |
 | by_reference.cpp:68:21:68:30 | call to user_input | by_reference.cpp:68:17:68:18 | ref arg & ... [a] |
+| by_reference.cpp:69:22:69:23 | & ... [a] | by_reference.cpp:31:46:31:46 | s [a] |
 | by_reference.cpp:69:22:69:23 | & ... [a] | by_reference.cpp:69:8:69:20 | call to nonMemberGetA |
 | by_reference.cpp:84:3:84:7 | inner [post update] [a] | by_reference.cpp:102:21:102:39 | ref arg & ... [a] |
 | by_reference.cpp:84:3:84:7 | inner [post update] [a] | by_reference.cpp:103:27:103:35 | ref arg inner_ptr [a] |
@ -308,29 +396,43 @@ edges
 | by_reference.cpp:135:8:135:13 | pouter [inner_ptr, a] | by_reference.cpp:135:16:135:24 | inner_ptr [a] |
 | by_reference.cpp:135:16:135:24 | inner_ptr [a] | by_reference.cpp:135:27:135:27 | a |
 | by_reference.cpp:136:8:136:13 | pouter [a] | by_reference.cpp:136:16:136:16 | a |
+| complex.cpp:9:7:9:7 | this [a_] | complex.cpp:9:20:9:21 | this [a_] |
+| complex.cpp:9:20:9:21 | this [a_] | complex.cpp:9:20:9:21 | a_ |
+| complex.cpp:10:7:10:7 | this [b_] | complex.cpp:10:20:10:21 | this [b_] |
+| complex.cpp:10:20:10:21 | this [b_] | complex.cpp:10:20:10:21 | b_ |
+| complex.cpp:11:17:11:17 | a | complex.cpp:11:22:11:27 | ... = ... |
+| complex.cpp:11:22:11:27 | ... = ... | complex.cpp:11:22:11:23 | this [post update] [a_] |
+| complex.cpp:12:17:12:17 | b | complex.cpp:12:22:12:27 | ... = ... |
+| complex.cpp:12:22:12:27 | ... = ... | complex.cpp:12:22:12:23 | this [post update] [b_] |
 | complex.cpp:40:17:40:17 | b [inner, f, a_] | complex.cpp:42:8:42:8 | b [inner, f, a_] |
 | complex.cpp:40:17:40:17 | b [inner, f, b_] | complex.cpp:43:8:43:8 | b [inner, f, b_] |
 | complex.cpp:42:8:42:8 | b [inner, f, a_] | complex.cpp:42:10:42:14 | inner [f, a_] |
 | complex.cpp:42:10:42:14 | inner [f, a_] | complex.cpp:42:16:42:16 | f [a_] |
+| complex.cpp:42:16:42:16 | f [a_] | complex.cpp:9:7:9:7 | this [a_] |
 | complex.cpp:42:16:42:16 | f [a_] | complex.cpp:42:18:42:18 | call to a |
 | complex.cpp:43:8:43:8 | b [inner, f, b_] | complex.cpp:43:10:43:14 | inner [f, b_] |
 | complex.cpp:43:10:43:14 | inner [f, b_] | complex.cpp:43:16:43:16 | f [b_] |
+| complex.cpp:43:16:43:16 | f [b_] | complex.cpp:10:7:10:7 | this [b_] |
 | complex.cpp:43:16:43:16 | f [b_] | complex.cpp:43:18:43:18 | call to b |
 | complex.cpp:53:3:53:4 | b1 [post update] [inner, f, a_] | complex.cpp:59:7:59:8 | b1 [inner, f, a_] |
 | complex.cpp:53:6:53:10 | inner [post update] [f, a_] | complex.cpp:53:3:53:4 | b1 [post update] [inner, f, a_] |
 | complex.cpp:53:12:53:12 | ref arg f [a_] | complex.cpp:53:6:53:10 | inner [post update] [f, a_] |
+| complex.cpp:53:19:53:28 | call to user_input | complex.cpp:11:17:11:17 | a |
 | complex.cpp:53:19:53:28 | call to user_input | complex.cpp:53:12:53:12 | ref arg f [a_] |
 | complex.cpp:54:3:54:4 | b2 [post update] [inner, f, b_] | complex.cpp:62:7:62:8 | b2 [inner, f, b_] |
 | complex.cpp:54:6:54:10 | inner [post update] [f, b_] | complex.cpp:54:3:54:4 | b2 [post update] [inner, f, b_] |
 | complex.cpp:54:12:54:12 | ref arg f [b_] | complex.cpp:54:6:54:10 | inner [post update] [f, b_] |
+| complex.cpp:54:19:54:28 | call to user_input | complex.cpp:12:17:12:17 | b |
 | complex.cpp:54:19:54:28 | call to user_input | complex.cpp:54:12:54:12 | ref arg f [b_] |
 | complex.cpp:55:3:55:4 | b3 [post update] [inner, f, a_] | complex.cpp:65:7:65:8 | b3 [inner, f, a_] |
 | complex.cpp:55:6:55:10 | inner [post update] [f, a_] | complex.cpp:55:3:55:4 | b3 [post update] [inner, f, a_] |
 | complex.cpp:55:12:55:12 | ref arg f [a_] | complex.cpp:55:6:55:10 | inner [post update] [f, a_] |
+| complex.cpp:55:19:55:28 | call to user_input | complex.cpp:11:17:11:17 | a |
 | complex.cpp:55:19:55:28 | call to user_input | complex.cpp:55:12:55:12 | ref arg f [a_] |
 | complex.cpp:56:3:56:4 | b3 [post update] [inner, f, b_] | complex.cpp:65:7:65:8 | b3 [inner, f, b_] |
 | complex.cpp:56:6:56:10 | inner [post update] [f, b_] | complex.cpp:56:3:56:4 | b3 [post update] [inner, f, b_] |
 | complex.cpp:56:12:56:12 | ref arg f [b_] | complex.cpp:56:6:56:10 | inner [post update] [f, b_] |
+| complex.cpp:56:19:56:28 | call to user_input | complex.cpp:12:17:12:17 | b |
 | complex.cpp:56:19:56:28 | call to user_input | complex.cpp:56:12:56:12 | ref arg f [b_] |
 | complex.cpp:59:7:59:8 | b1 [inner, f, a_] | complex.cpp:40:17:40:17 | b [inner, f, a_] |
 | complex.cpp:62:7:62:8 | b2 [inner, f, b_] | complex.cpp:40:17:40:17 | b [inner, f, b_] |
@ -357,22 +459,43 @@ edges
 | conflated.cpp:60:17:60:26 | call to user_input | conflated.cpp:60:3:60:28 | ... = ... |
 | conflated.cpp:61:8:61:9 | ll [next, y] | conflated.cpp:61:12:61:15 | next [y] |
 | conflated.cpp:61:12:61:15 | next [y] | conflated.cpp:61:18:61:18 | y |
+| constructors.cpp:18:9:18:9 | this [a_] | constructors.cpp:18:22:18:23 | this [a_] |
+| constructors.cpp:18:22:18:23 | this [a_] | constructors.cpp:18:22:18:23 | a_ |
+| constructors.cpp:19:9:19:9 | this [b_] | constructors.cpp:19:22:19:23 | this [b_] |
+| constructors.cpp:19:22:19:23 | this [b_] | constructors.cpp:19:22:19:23 | b_ |
+| constructors.cpp:23:13:23:13 | a | constructors.cpp:23:28:23:28 | a |
+| constructors.cpp:23:20:23:20 | b | constructors.cpp:23:35:23:35 | b |
+| constructors.cpp:23:28:23:28 | a | constructors.cpp:23:25:23:29 | constructor init of field a_ [post-this] [a_] |
+| constructors.cpp:23:35:23:35 | b | constructors.cpp:23:32:23:36 | constructor init of field b_ [post-this] [b_] |
 | constructors.cpp:26:15:26:15 | f [a_] | constructors.cpp:28:10:28:10 | f [a_] |
 | constructors.cpp:26:15:26:15 | f [b_] | constructors.cpp:29:10:29:10 | f [b_] |
+| constructors.cpp:28:10:28:10 | f [a_] | constructors.cpp:18:9:18:9 | this [a_] |
 | constructors.cpp:28:10:28:10 | f [a_] | constructors.cpp:28:12:28:12 | call to a |
+| constructors.cpp:29:10:29:10 | f [b_] | constructors.cpp:19:9:19:9 | this [b_] |
 | constructors.cpp:29:10:29:10 | f [b_] | constructors.cpp:29:12:29:12 | call to b |
+| constructors.cpp:34:11:34:20 | call to user_input | constructors.cpp:23:13:23:13 | a |
 | constructors.cpp:34:11:34:20 | call to user_input | constructors.cpp:34:11:34:26 | call to Foo [a_] |
 | constructors.cpp:34:11:34:26 | call to Foo [a_] | constructors.cpp:40:9:40:9 | f [a_] |
 | constructors.cpp:35:11:35:26 | call to Foo [b_] | constructors.cpp:43:9:43:9 | g [b_] |
+| constructors.cpp:35:14:35:23 | call to user_input | constructors.cpp:23:20:23:20 | b |
 | constructors.cpp:35:14:35:23 | call to user_input | constructors.cpp:35:11:35:26 | call to Foo [b_] |
+| constructors.cpp:36:11:36:20 | call to user_input | constructors.cpp:23:13:23:13 | a |
 | constructors.cpp:36:11:36:20 | call to user_input | constructors.cpp:36:11:36:37 | call to Foo [a_] |
 | constructors.cpp:36:11:36:37 | call to Foo [a_] | constructors.cpp:46:9:46:9 | h [a_] |
 | constructors.cpp:36:11:36:37 | call to Foo [b_] | constructors.cpp:46:9:46:9 | h [b_] |
+| constructors.cpp:36:25:36:34 | call to user_input | constructors.cpp:23:20:23:20 | b |
 | constructors.cpp:36:25:36:34 | call to user_input | constructors.cpp:36:11:36:37 | call to Foo [b_] |
 | constructors.cpp:40:9:40:9 | f [a_] | constructors.cpp:26:15:26:15 | f [a_] |
 | constructors.cpp:43:9:43:9 | g [b_] | constructors.cpp:26:15:26:15 | f [b_] |
 | constructors.cpp:46:9:46:9 | h [a_] | constructors.cpp:26:15:26:15 | f [a_] |
 | constructors.cpp:46:9:46:9 | h [b_] | constructors.cpp:26:15:26:15 | f [b_] |
+| qualifiers.cpp:9:21:9:25 | value | qualifiers.cpp:9:30:9:44 | ... = ... |
+| qualifiers.cpp:9:30:9:44 | ... = ... | qualifiers.cpp:9:30:9:33 | this [post update] [a] |
+| qualifiers.cpp:12:40:12:44 | value | qualifiers.cpp:12:49:12:64 | ... = ... |
+| qualifiers.cpp:12:49:12:64 | ... = ... | qualifiers.cpp:12:49:12:53 | inner [post update] [a] |
+| qualifiers.cpp:13:42:13:46 | value | qualifiers.cpp:13:51:13:65 | ... = ... |
+| qualifiers.cpp:13:51:13:55 | inner [post update] [a] | qualifiers.cpp:13:29:13:33 | inner [a] |
+| qualifiers.cpp:13:51:13:65 | ... = ... | qualifiers.cpp:13:51:13:55 | inner [post update] [a] |
 | qualifiers.cpp:22:5:22:9 | ref arg outer [inner, a] | qualifiers.cpp:23:10:23:14 | outer [inner, a] |
 | qualifiers.cpp:22:5:22:38 | ... = ... | qualifiers.cpp:22:11:22:18 | call to getInner [post update] [a] |
 | qualifiers.cpp:22:11:22:18 | call to getInner [post update] [a] | qualifiers.cpp:22:5:22:9 | ref arg outer [inner, a] |
@ -381,17 +504,20 @@ edges
 | qualifiers.cpp:23:16:23:20 | inner [a] | qualifiers.cpp:23:23:23:23 | a |
 | qualifiers.cpp:27:5:27:9 | ref arg outer [inner, a] | qualifiers.cpp:28:10:28:14 | outer [inner, a] |
 | qualifiers.cpp:27:11:27:18 | ref arg call to getInner [a] | qualifiers.cpp:27:5:27:9 | ref arg outer [inner, a] |
+| qualifiers.cpp:27:28:27:37 | call to user_input | qualifiers.cpp:9:21:9:25 | value |
 | qualifiers.cpp:27:28:27:37 | call to user_input | qualifiers.cpp:27:11:27:18 | ref arg call to getInner [a] |
 | qualifiers.cpp:28:10:28:14 | outer [inner, a] | qualifiers.cpp:28:16:28:20 | inner [a] |
 | qualifiers.cpp:28:16:28:20 | inner [a] | qualifiers.cpp:28:23:28:23 | a |
 | qualifiers.cpp:32:17:32:21 | ref arg outer [inner, a] | qualifiers.cpp:33:10:33:14 | outer [inner, a] |
 | qualifiers.cpp:32:23:32:30 | ref arg call to getInner [a] | qualifiers.cpp:32:17:32:21 | ref arg outer [inner, a] |
+| qualifiers.cpp:32:35:32:44 | call to user_input | qualifiers.cpp:12:40:12:44 | value |
 | qualifiers.cpp:32:35:32:44 | call to user_input | qualifiers.cpp:32:23:32:30 | ref arg call to getInner [a] |
 | qualifiers.cpp:33:10:33:14 | outer [inner, a] | qualifiers.cpp:33:16:33:20 | inner [a] |
 | qualifiers.cpp:33:16:33:20 | inner [a] | qualifiers.cpp:33:23:33:23 | a |
 | qualifiers.cpp:37:19:37:35 | ref arg * ... [a] | qualifiers.cpp:37:26:37:33 | call to getInner [inner post update] [a] |
 | qualifiers.cpp:37:20:37:24 | ref arg outer [inner, a] | qualifiers.cpp:38:10:38:14 | outer [inner, a] |
 | qualifiers.cpp:37:26:37:33 | call to getInner [inner post update] [a] | qualifiers.cpp:37:20:37:24 | ref arg outer [inner, a] |
+| qualifiers.cpp:37:38:37:47 | call to user_input | qualifiers.cpp:13:42:13:46 | value |
 | qualifiers.cpp:37:38:37:47 | call to user_input | qualifiers.cpp:37:19:37:35 | ref arg * ... [a] |
 | qualifiers.cpp:38:10:38:14 | outer [inner, a] | qualifiers.cpp:38:16:38:20 | inner [a] |
 | qualifiers.cpp:38:16:38:20 | inner [a] | qualifiers.cpp:38:23:38:23 | a |
@ -420,17 +546,31 @@ edges
 | realistic.cpp:61:25:61:27 | bar [baz, userInput, bufferLen] | realistic.cpp:61:21:61:30 | access to array [baz, userInput, bufferLen] |
 | realistic.cpp:61:32:61:34 | baz [userInput, bufferLen] | realistic.cpp:61:37:61:45 | userInput [bufferLen] |
 | realistic.cpp:61:37:61:45 | userInput [bufferLen] | realistic.cpp:61:47:61:55 | bufferLen |
+| simple.cpp:18:9:18:9 | this [a_] | simple.cpp:18:22:18:23 | this [a_] |
+| simple.cpp:18:22:18:23 | this [a_] | simple.cpp:18:22:18:23 | a_ |
+| simple.cpp:19:9:19:9 | this [b_] | simple.cpp:19:22:19:23 | this [b_] |
+| simple.cpp:19:22:19:23 | this [b_] | simple.cpp:19:22:19:23 | b_ |
+| simple.cpp:20:19:20:19 | a | simple.cpp:20:24:20:29 | ... = ... |
+| simple.cpp:20:24:20:29 | ... = ... | simple.cpp:20:24:20:25 | this [post update] [a_] |
+| simple.cpp:21:19:21:19 | b | simple.cpp:21:24:21:29 | ... = ... |
+| simple.cpp:21:24:21:29 | ... = ... | simple.cpp:21:24:21:25 | this [post update] [b_] |
 | simple.cpp:26:15:26:15 | f [a_] | simple.cpp:28:10:28:10 | f [a_] |
 | simple.cpp:26:15:26:15 | f [b_] | simple.cpp:29:10:29:10 | f [b_] |
+| simple.cpp:28:10:28:10 | f [a_] | simple.cpp:18:9:18:9 | this [a_] |
 | simple.cpp:28:10:28:10 | f [a_] | simple.cpp:28:12:28:12 | call to a |
+| simple.cpp:29:10:29:10 | f [b_] | simple.cpp:19:9:19:9 | this [b_] |
 | simple.cpp:29:10:29:10 | f [b_] | simple.cpp:29:12:29:12 | call to b |
 | simple.cpp:39:5:39:5 | ref arg f [a_] | simple.cpp:45:9:45:9 | f [a_] |
+| simple.cpp:39:12:39:21 | call to user_input | simple.cpp:20:19:20:19 | a |
 | simple.cpp:39:12:39:21 | call to user_input | simple.cpp:39:5:39:5 | ref arg f [a_] |
 | simple.cpp:40:5:40:5 | ref arg g [b_] | simple.cpp:48:9:48:9 | g [b_] |
+| simple.cpp:40:12:40:21 | call to user_input | simple.cpp:21:19:21:19 | b |
 | simple.cpp:40:12:40:21 | call to user_input | simple.cpp:40:5:40:5 | ref arg g [b_] |
 | simple.cpp:41:5:41:5 | ref arg h [a_] | simple.cpp:51:9:51:9 | h [a_] |
+| simple.cpp:41:12:41:21 | call to user_input | simple.cpp:20:19:20:19 | a |
 | simple.cpp:41:12:41:21 | call to user_input | simple.cpp:41:5:41:5 | ref arg h [a_] |
 | simple.cpp:42:5:42:5 | ref arg h [b_] | simple.cpp:51:9:51:9 | h [b_] |
+| simple.cpp:42:12:42:21 | call to user_input | simple.cpp:21:19:21:19 | b |
 | simple.cpp:42:12:42:21 | call to user_input | simple.cpp:42:5:42:5 | ref arg h [b_] |
 | simple.cpp:45:9:45:9 | f [a_] | simple.cpp:26:15:26:15 | f [a_] |
 | simple.cpp:48:9:48:9 | g [b_] | simple.cpp:26:15:26:15 | f [b_] |
@ -440,10 +580,14 @@ edges
 | simple.cpp:65:5:65:22 | ... = ... | simple.cpp:65:5:65:5 | a [post update] [i] |
 | simple.cpp:65:11:65:20 | call to user_input | simple.cpp:65:5:65:22 | ... = ... |
 | simple.cpp:67:10:67:11 | a2 [i] | simple.cpp:67:13:67:13 | i |
+| simple.cpp:78:9:78:15 | this [f2, f1] | simple.cpp:79:16:79:17 | this [f2, f1] |
+| simple.cpp:79:16:79:17 | f2 [f1] | simple.cpp:79:19:79:20 | f1 |
+| simple.cpp:79:16:79:17 | this [f2, f1] | simple.cpp:79:16:79:17 | f2 [f1] |
 | simple.cpp:83:9:83:10 | f2 [post update] [f1] | simple.cpp:83:9:83:10 | this [post update] [f2, f1] |
 | simple.cpp:83:9:83:10 | this [post update] [f2, f1] | simple.cpp:84:14:84:20 | this [f2, f1] |
 | simple.cpp:83:9:83:28 | ... = ... | simple.cpp:83:9:83:10 | f2 [post update] [f1] |
 | simple.cpp:83:17:83:26 | call to user_input | simple.cpp:83:9:83:28 | ... = ... |
+| simple.cpp:84:14:84:20 | this [f2, f1] | simple.cpp:78:9:78:15 | this [f2, f1] |
 | simple.cpp:84:14:84:20 | this [f2, f1] | simple.cpp:84:14:84:20 | call to getf2f1 |
 | simple.cpp:92:5:92:5 | a [post update] [i] | simple.cpp:94:10:94:11 | a2 [i] |
 | simple.cpp:92:5:92:22 | ... = ... | simple.cpp:92:5:92:5 | a [post update] [i] |
@ -477,6 +621,19 @@ edges
 | struct_init.c:46:10:46:14 | outer [pointerAB, a] | struct_init.c:46:16:46:24 | pointerAB [a] |
 | struct_init.c:46:16:46:24 | pointerAB [a] | struct_init.c:14:24:14:25 | ab [a] |
 nodes
+| A.cpp:23:10:23:10 | c | semmle.label | c |
+| A.cpp:25:7:25:10 | this [post update] [c] | semmle.label | this [post update] [c] |
+| A.cpp:25:7:25:17 | ... = ... | semmle.label | ... = ... |
+| A.cpp:27:17:27:17 | c | semmle.label | c |
+| A.cpp:27:22:27:25 | this [post update] [c] | semmle.label | this [post update] [c] |
+| A.cpp:27:22:27:32 | ... = ... | semmle.label | ... = ... |
+| A.cpp:28:8:28:10 | this [c] | semmle.label | this [c] |
+| A.cpp:28:23:28:26 | this [c] | semmle.label | this [c] |
+| A.cpp:28:29:28:29 | c | semmle.label | c |
+| A.cpp:29:23:29:23 | c | semmle.label | c |
+| A.cpp:31:14:31:21 | call to B [c] | semmle.label | call to B [c] |
+| A.cpp:31:14:31:21 | new [c] | semmle.label | new [c] |
+| A.cpp:31:20:31:20 | c | semmle.label | c |
 | A.cpp:41:15:41:21 | new | semmle.label | new |
 | A.cpp:43:10:43:12 | & ... | semmle.label | & ... |
 | A.cpp:47:12:47:18 | new | semmle.label | new |
@ -500,6 +657,14 @@ nodes
 | A.cpp:73:25:73:32 | new | semmle.label | new |
 | A.cpp:75:10:75:11 | b2 [c] | semmle.label | b2 [c] |
 | A.cpp:75:14:75:14 | c | semmle.label | c |
+| A.cpp:78:27:78:27 | c | semmle.label | c |
+| A.cpp:81:10:81:15 | call to setOnB [c] | semmle.label | call to setOnB [c] |
+| A.cpp:81:21:81:21 | c | semmle.label | c |
+| A.cpp:82:12:82:24 | ... ? ... : ... [c] | semmle.label | ... ? ... : ... [c] |
+| A.cpp:85:26:85:26 | c | semmle.label | c |
+| A.cpp:90:7:90:8 | ref arg b2 [c] | semmle.label | ref arg b2 [c] |
+| A.cpp:90:15:90:15 | c | semmle.label | c |
+| A.cpp:91:14:91:15 | b2 [c] | semmle.label | b2 [c] |
 | A.cpp:98:12:98:18 | new | semmle.label | new |
 | A.cpp:100:5:100:6 | c1 [post update] [a] | semmle.label | c1 [post update] [a] |
 | A.cpp:100:5:100:13 | ... = ... | semmle.label | ... = ... |
@ -514,11 +679,14 @@ nodes
 | A.cpp:131:8:131:8 | ref arg b [c] | semmle.label | ref arg b [c] |
 | A.cpp:132:10:132:10 | b [c] | semmle.label | b [c] |
 | A.cpp:132:13:132:13 | c | semmle.label | c |
+| A.cpp:140:13:140:13 | b | semmle.label | b |
 | A.cpp:142:7:142:7 | b [post update] [c] | semmle.label | b [post update] [c] |
 | A.cpp:142:7:142:20 | ... = ... | semmle.label | ... = ... |
 | A.cpp:142:14:142:20 | new | semmle.label | new |
 | A.cpp:143:7:143:10 | this [post update] [b, c] | semmle.label | this [post update] [b, c] |
 | A.cpp:143:7:143:10 | this [post update] [b] | semmle.label | this [post update] [b] |
+| A.cpp:143:7:143:10 | this [post update] [b] | semmle.label | this [post update] [b] |
+| A.cpp:143:7:143:31 | ... = ... | semmle.label | ... = ... |
 | A.cpp:143:7:143:31 | ... = ... | semmle.label | ... = ... |
 | A.cpp:143:7:143:31 | ... = ... [c] | semmle.label | ... = ... [c] |
 | A.cpp:143:25:143:31 | new | semmle.label | new |
@ -551,6 +719,15 @@ nodes
 | A.cpp:167:47:167:50 | next [next, head] | semmle.label | next [next, head] |
 | A.cpp:169:12:169:12 | l [head] | semmle.label | l [head] |
 | A.cpp:169:15:169:18 | head | semmle.label | head |
+| A.cpp:181:15:181:21 | newHead | semmle.label | newHead |
+| A.cpp:181:32:181:35 | next [head] | semmle.label | next [head] |
+| A.cpp:181:32:181:35 | next [next, head] | semmle.label | next [next, head] |
+| A.cpp:183:7:183:10 | this [post update] [head] | semmle.label | this [post update] [head] |
+| A.cpp:183:7:183:20 | ... = ... | semmle.label | ... = ... |
+| A.cpp:184:7:184:10 | this [post update] [next, head] | semmle.label | this [post update] [next, head] |
+| A.cpp:184:7:184:10 | this [post update] [next, next, head] | semmle.label | this [post update] [next, next, head] |
+| A.cpp:184:7:184:23 | ... = ... [head] | semmle.label | ... = ... [head] |
+| A.cpp:184:7:184:23 | ... = ... [next, head] | semmle.label | ... = ... [next, head] |
 | B.cpp:6:15:6:24 | new | semmle.label | new |
 | B.cpp:7:16:7:35 | call to Box1 [elem1] | semmle.label | call to Box1 [elem1] |
 | B.cpp:7:25:7:25 | e | semmle.label | e |
@ -567,6 +744,18 @@ nodes
 | B.cpp:19:10:19:11 | b2 [box1, elem2] | semmle.label | b2 [box1, elem2] |
 | B.cpp:19:14:19:17 | box1 [elem2] | semmle.label | box1 [elem2] |
 | B.cpp:19:20:19:24 | elem2 | semmle.label | elem2 |
+| B.cpp:33:16:33:17 | e1 | semmle.label | e1 |
+| B.cpp:33:26:33:27 | e2 | semmle.label | e2 |
+| B.cpp:35:7:35:10 | this [post update] [elem1] | semmle.label | this [post update] [elem1] |
+| B.cpp:35:7:35:22 | ... = ... | semmle.label | ... = ... |
+| B.cpp:36:7:36:10 | this [post update] [elem2] | semmle.label | this [post update] [elem2] |
+| B.cpp:36:7:36:22 | ... = ... | semmle.label | ... = ... |
+| B.cpp:44:16:44:17 | b1 [elem1] | semmle.label | b1 [elem1] |
+| B.cpp:44:16:44:17 | b1 [elem2] | semmle.label | b1 [elem2] |
+| B.cpp:46:7:46:10 | this [post update] [box1, elem1] | semmle.label | this [post update] [box1, elem1] |
+| B.cpp:46:7:46:10 | this [post update] [box1, elem2] | semmle.label | this [post update] [box1, elem2] |
+| B.cpp:46:7:46:21 | ... = ... [elem1] | semmle.label | ... = ... [elem1] |
+| B.cpp:46:7:46:21 | ... = ... [elem2] | semmle.label | ... = ... [elem2] |
 | C.cpp:18:12:18:18 | call to C [s1] | semmle.label | call to C [s1] |
 | C.cpp:18:12:18:18 | call to C [s3] | semmle.label | call to C [s3] |
 | C.cpp:19:5:19:5 | c [s1] | semmle.label | c [s1] |
@ -582,6 +771,15 @@ nodes
 | C.cpp:29:10:29:11 | this [s1] | semmle.label | this [s1] |
 | C.cpp:31:10:31:11 | s3 | semmle.label | s3 |
 | C.cpp:31:10:31:11 | this [s3] | semmle.label | this [s3] |
+| D.cpp:10:11:10:17 | this [elem] | semmle.label | this [elem] |
+| D.cpp:10:30:10:33 | elem | semmle.label | elem |
+| D.cpp:10:30:10:33 | this [elem] | semmle.label | this [elem] |
+| D.cpp:11:24:11:24 | e | semmle.label | e |
+| D.cpp:11:29:11:32 | this [post update] [elem] | semmle.label | this [post update] [elem] |
+| D.cpp:11:29:11:36 | ... = ... | semmle.label | ... = ... |
+| D.cpp:17:11:17:17 | this [box, elem] | semmle.label | this [box, elem] |
+| D.cpp:17:30:17:32 | box [elem] | semmle.label | box [elem] |
+| D.cpp:17:30:17:32 | this [box, elem] | semmle.label | this [box, elem] |
 | D.cpp:21:30:21:31 | b2 [box, elem] | semmle.label | b2 [box, elem] |
 | D.cpp:22:10:22:11 | b2 [box, elem] | semmle.label | b2 [box, elem] |
 | D.cpp:22:14:22:20 | call to getBox1 [elem] | semmle.label | call to getBox1 [elem] |
@ -729,6 +927,30 @@ nodes
 | arrays.cpp:44:10:44:17 | indirect [arr, data] | semmle.label | indirect [arr, data] |
 | arrays.cpp:44:20:44:22 | arr [data] | semmle.label | arr [data] |
 | arrays.cpp:44:27:44:30 | data | semmle.label | data |
+| by_reference.cpp:11:48:11:52 | value | semmle.label | value |
+| by_reference.cpp:12:5:12:5 | s [post update] [a] | semmle.label | s [post update] [a] |
+| by_reference.cpp:12:5:12:16 | ... = ... | semmle.label | ... = ... |
+| by_reference.cpp:15:26:15:30 | value | semmle.label | value |
+| by_reference.cpp:16:5:16:8 | this [post update] [a] | semmle.label | this [post update] [a] |
+| by_reference.cpp:16:5:16:19 | ... = ... | semmle.label | ... = ... |
+| by_reference.cpp:19:28:19:32 | value | semmle.label | value |
+| by_reference.cpp:20:5:20:8 | ref arg this [a] | semmle.label | ref arg this [a] |
+| by_reference.cpp:20:23:20:27 | value | semmle.label | value |
+| by_reference.cpp:23:34:23:38 | value | semmle.label | value |
+| by_reference.cpp:24:19:24:22 | ref arg this [a] | semmle.label | ref arg this [a] |
+| by_reference.cpp:24:25:24:29 | value | semmle.label | value |
+| by_reference.cpp:31:46:31:46 | s [a] | semmle.label | s [a] |
+| by_reference.cpp:32:12:32:12 | s [a] | semmle.label | s [a] |
+| by_reference.cpp:32:15:32:15 | a | semmle.label | a |
+| by_reference.cpp:35:9:35:19 | this [a] | semmle.label | this [a] |
+| by_reference.cpp:36:12:36:15 | this [a] | semmle.label | this [a] |
+| by_reference.cpp:36:18:36:18 | a | semmle.label | a |
+| by_reference.cpp:39:9:39:21 | this [a] | semmle.label | this [a] |
+| by_reference.cpp:40:12:40:15 | this [a] | semmle.label | this [a] |
+| by_reference.cpp:40:18:40:28 | call to getDirectly | semmle.label | call to getDirectly |
+| by_reference.cpp:43:9:43:27 | this [a] | semmle.label | this [a] |
+| by_reference.cpp:44:12:44:24 | call to nonMemberGetA | semmle.label | call to nonMemberGetA |
+| by_reference.cpp:44:26:44:29 | this [a] | semmle.label | this [a] |
 | by_reference.cpp:50:3:50:3 | ref arg s [a] | semmle.label | ref arg s [a] |
 | by_reference.cpp:50:17:50:26 | call to user_input | semmle.label | call to user_input |
 | by_reference.cpp:51:8:51:8 | s [a] | semmle.label | s [a] |
@ -818,6 +1040,18 @@ nodes
 | by_reference.cpp:135:27:135:27 | a | semmle.label | a |
 | by_reference.cpp:136:8:136:13 | pouter [a] | semmle.label | pouter [a] |
 | by_reference.cpp:136:16:136:16 | a | semmle.label | a |
+| complex.cpp:9:7:9:7 | this [a_] | semmle.label | this [a_] |
+| complex.cpp:9:20:9:21 | a_ | semmle.label | a_ |
+| complex.cpp:9:20:9:21 | this [a_] | semmle.label | this [a_] |
+| complex.cpp:10:7:10:7 | this [b_] | semmle.label | this [b_] |
+| complex.cpp:10:20:10:21 | b_ | semmle.label | b_ |
+| complex.cpp:10:20:10:21 | this [b_] | semmle.label | this [b_] |
+| complex.cpp:11:17:11:17 | a | semmle.label | a |
+| complex.cpp:11:22:11:23 | this [post update] [a_] | semmle.label | this [post update] [a_] |
+| complex.cpp:11:22:11:27 | ... = ... | semmle.label | ... = ... |
+| complex.cpp:12:17:12:17 | b | semmle.label | b |
+| complex.cpp:12:22:12:23 | this [post update] [b_] | semmle.label | this [post update] [b_] |
+| complex.cpp:12:22:12:27 | ... = ... | semmle.label | ... = ... |
 | complex.cpp:40:17:40:17 | b [inner, f, a_] | semmle.label | b [inner, f, a_] |
 | complex.cpp:40:17:40:17 | b [inner, f, b_] | semmle.label | b [inner, f, b_] |
 | complex.cpp:42:8:42:8 | b [inner, f, a_] | semmle.label | b [inner, f, a_] |
@ -874,6 +1108,18 @@ nodes
 | conflated.cpp:61:8:61:9 | ll [next, y] | semmle.label | ll [next, y] |
 | conflated.cpp:61:12:61:15 | next [y] | semmle.label | next [y] |
 | conflated.cpp:61:18:61:18 | y | semmle.label | y |
+| constructors.cpp:18:9:18:9 | this [a_] | semmle.label | this [a_] |
+| constructors.cpp:18:22:18:23 | a_ | semmle.label | a_ |
+| constructors.cpp:18:22:18:23 | this [a_] | semmle.label | this [a_] |
+| constructors.cpp:19:9:19:9 | this [b_] | semmle.label | this [b_] |
+| constructors.cpp:19:22:19:23 | b_ | semmle.label | b_ |
+| constructors.cpp:19:22:19:23 | this [b_] | semmle.label | this [b_] |
+| constructors.cpp:23:13:23:13 | a | semmle.label | a |
+| constructors.cpp:23:20:23:20 | b | semmle.label | b |
+| constructors.cpp:23:25:23:29 | constructor init of field a_ [post-this] [a_] | semmle.label | constructor init of field a_ [post-this] [a_] |
+| constructors.cpp:23:28:23:28 | a | semmle.label | a |
+| constructors.cpp:23:32:23:36 | constructor init of field b_ [post-this] [b_] | semmle.label | constructor init of field b_ [post-this] [b_] |
+| constructors.cpp:23:35:23:35 | b | semmle.label | b |
 | constructors.cpp:26:15:26:15 | f [a_] | semmle.label | f [a_] |
 | constructors.cpp:26:15:26:15 | f [b_] | semmle.label | f [b_] |
 | constructors.cpp:28:10:28:10 | f [a_] | semmle.label | f [a_] |
@ -892,6 +1138,16 @@ nodes
 | constructors.cpp:43:9:43:9 | g [b_] | semmle.label | g [b_] |
 | constructors.cpp:46:9:46:9 | h [a_] | semmle.label | h [a_] |
 | constructors.cpp:46:9:46:9 | h [b_] | semmle.label | h [b_] |
+| qualifiers.cpp:9:21:9:25 | value | semmle.label | value |
+| qualifiers.cpp:9:30:9:33 | this [post update] [a] | semmle.label | this [post update] [a] |
+| qualifiers.cpp:9:30:9:44 | ... = ... | semmle.label | ... = ... |
+| qualifiers.cpp:12:40:12:44 | value | semmle.label | value |
+| qualifiers.cpp:12:49:12:53 | inner [post update] [a] | semmle.label | inner [post update] [a] |
+| qualifiers.cpp:12:49:12:64 | ... = ... | semmle.label | ... = ... |
+| qualifiers.cpp:13:29:13:33 | inner [a] | semmle.label | inner [a] |
+| qualifiers.cpp:13:42:13:46 | value | semmle.label | value |
+| qualifiers.cpp:13:51:13:55 | inner [post update] [a] | semmle.label | inner [post update] [a] |
+| qualifiers.cpp:13:51:13:65 | ... = ... | semmle.label | ... = ... |
 | qualifiers.cpp:22:5:22:9 | ref arg outer [inner, a] | semmle.label | ref arg outer [inner, a] |
 | qualifiers.cpp:22:5:22:38 | ... = ... | semmle.label | ... = ... |
 | qualifiers.cpp:22:11:22:18 | call to getInner [post update] [a] | semmle.label | call to getInner [post update] [a] |
@ -946,6 +1202,18 @@ nodes
 | realistic.cpp:61:32:61:34 | baz [userInput, bufferLen] | semmle.label | baz [userInput, bufferLen] |
 | realistic.cpp:61:37:61:45 | userInput [bufferLen] | semmle.label | userInput [bufferLen] |
 | realistic.cpp:61:47:61:55 | bufferLen | semmle.label | bufferLen |
+| simple.cpp:18:9:18:9 | this [a_] | semmle.label | this [a_] |
+| simple.cpp:18:22:18:23 | a_ | semmle.label | a_ |
+| simple.cpp:18:22:18:23 | this [a_] | semmle.label | this [a_] |
+| simple.cpp:19:9:19:9 | this [b_] | semmle.label | this [b_] |
+| simple.cpp:19:22:19:23 | b_ | semmle.label | b_ |
+| simple.cpp:19:22:19:23 | this [b_] | semmle.label | this [b_] |
+| simple.cpp:20:19:20:19 | a | semmle.label | a |
+| simple.cpp:20:24:20:25 | this [post update] [a_] | semmle.label | this [post update] [a_] |
+| simple.cpp:20:24:20:29 | ... = ... | semmle.label | ... = ... |
+| simple.cpp:21:19:21:19 | b | semmle.label | b |
+| simple.cpp:21:24:21:25 | this [post update] [b_] | semmle.label | this [post update] [b_] |
+| simple.cpp:21:24:21:29 | ... = ... | semmle.label | ... = ... |
 | simple.cpp:26:15:26:15 | f [a_] | semmle.label | f [a_] |
 | simple.cpp:26:15:26:15 | f [b_] | semmle.label | f [b_] |
 | simple.cpp:28:10:28:10 | f [a_] | semmle.label | f [a_] |
@ -969,6 +1237,10 @@ nodes
 | simple.cpp:65:11:65:20 | call to user_input | semmle.label | call to user_input |
 | simple.cpp:67:10:67:11 | a2 [i] | semmle.label | a2 [i] |
 | simple.cpp:67:13:67:13 | i | semmle.label | i |
+| simple.cpp:78:9:78:15 | this [f2, f1] | semmle.label | this [f2, f1] |
+| simple.cpp:79:16:79:17 | f2 [f1] | semmle.label | f2 [f1] |
+| simple.cpp:79:16:79:17 | this [f2, f1] | semmle.label | this [f2, f1] |
+| simple.cpp:79:19:79:20 | f1 | semmle.label | f1 |
 | simple.cpp:83:9:83:10 | f2 [post update] [f1] | semmle.label | f2 [post update] [f1] |
 | simple.cpp:83:9:83:10 | this [post update] [f2, f1] | semmle.label | this [post update] [f2, f1] |
 | simple.cpp:83:9:83:28 | ... = ... | semmle.label | ... = ... |
@ -1008,6 +1280,65 @@ nodes
 | struct_init.c:43:5:43:7 | & ... [a] | semmle.label | & ... [a] |
 | struct_init.c:46:10:46:14 | outer [pointerAB, a] | semmle.label | outer [pointerAB, a] |
 | struct_init.c:46:16:46:24 | pointerAB [a] | semmle.label | pointerAB [a] |
+subpaths
+| A.cpp:31:20:31:20 | c | A.cpp:23:10:23:10 | c | A.cpp:25:7:25:10 | this [post update] [c] | A.cpp:31:14:31:21 | call to B [c] |
+| A.cpp:48:20:48:20 | c | A.cpp:29:23:29:23 | c | A.cpp:31:14:31:21 | new [c] | A.cpp:48:12:48:18 | call to make [c] |
+| A.cpp:55:12:55:19 | new | A.cpp:27:17:27:17 | c | A.cpp:27:22:27:25 | this [post update] [c] | A.cpp:55:5:55:5 | ref arg b [c] |
+| A.cpp:56:10:56:10 | b [c] | A.cpp:28:8:28:10 | this [c] | A.cpp:28:29:28:29 | c | A.cpp:56:13:56:15 | call to get |
+| A.cpp:57:11:57:24 | new [c] | A.cpp:28:8:28:10 | this [c] | A.cpp:28:29:28:29 | c | A.cpp:57:28:57:30 | call to get |
+| A.cpp:57:17:57:23 | new | A.cpp:23:10:23:10 | c | A.cpp:25:7:25:10 | this [post update] [c] | A.cpp:57:11:57:24 | call to B [c] |
+| A.cpp:64:21:64:28 | new | A.cpp:85:26:85:26 | c | A.cpp:91:14:91:15 | b2 [c] | A.cpp:64:10:64:15 | call to setOnB [c] |
+| A.cpp:73:25:73:32 | new | A.cpp:78:27:78:27 | c | A.cpp:82:12:82:24 | ... ? ... : ... [c] | A.cpp:73:10:73:19 | call to setOnBWrap [c] |
+| A.cpp:81:21:81:21 | c | A.cpp:85:26:85:26 | c | A.cpp:91:14:91:15 | b2 [c] | A.cpp:81:10:81:15 | call to setOnB [c] |
+| A.cpp:90:15:90:15 | c | A.cpp:27:17:27:17 | c | A.cpp:27:22:27:25 | this [post update] [c] | A.cpp:90:7:90:8 | ref arg b2 [c] |
+| A.cpp:126:12:126:18 | new | A.cpp:27:17:27:17 | c | A.cpp:27:22:27:25 | this [post update] [c] | A.cpp:126:5:126:5 | ref arg b [c] |
+| A.cpp:151:18:151:18 | b | A.cpp:140:13:140:13 | b | A.cpp:143:7:143:10 | this [post update] [b] | A.cpp:151:12:151:24 | call to D [b] |
+| A.cpp:160:29:160:29 | b | A.cpp:181:15:181:21 | newHead | A.cpp:183:7:183:10 | this [post update] [head] | A.cpp:160:18:160:60 | call to MyList [head] |
+| A.cpp:161:38:161:39 | l1 [head] | A.cpp:181:32:181:35 | next [head] | A.cpp:184:7:184:10 | this [post update] [next, head] | A.cpp:161:18:161:40 | call to MyList [next, head] |
+| A.cpp:162:38:162:39 | l2 [next, head] | A.cpp:181:32:181:35 | next [next, head] | A.cpp:184:7:184:10 | this [post update] [next, next, head] | A.cpp:162:18:162:40 | call to MyList [next, next, head] |
+| B.cpp:7:25:7:25 | e | B.cpp:33:16:33:17 | e1 | B.cpp:35:7:35:10 | this [post update] [elem1] | B.cpp:7:16:7:35 | call to Box1 [elem1] |
+| B.cpp:8:25:8:26 | b1 [elem1] | B.cpp:44:16:44:17 | b1 [elem1] | B.cpp:46:7:46:10 | this [post update] [box1, elem1] | B.cpp:8:16:8:27 | call to Box2 [box1, elem1] |
+| B.cpp:16:37:16:37 | e | B.cpp:33:26:33:27 | e2 | B.cpp:36:7:36:10 | this [post update] [elem2] | B.cpp:16:16:16:38 | call to Box1 [elem2] |
+| B.cpp:17:25:17:26 | b1 [elem2] | B.cpp:44:16:44:17 | b1 [elem2] | B.cpp:46:7:46:10 | this [post update] [box1, elem2] | B.cpp:17:16:17:27 | call to Box2 [box1, elem2] |
+| D.cpp:22:10:22:11 | b2 [box, elem] | D.cpp:17:11:17:17 | this [box, elem] | D.cpp:17:30:17:32 | box [elem] | D.cpp:22:14:22:20 | call to getBox1 [elem] |
+| D.cpp:22:14:22:20 | call to getBox1 [elem] | D.cpp:10:11:10:17 | this [elem] | D.cpp:10:30:10:33 | elem | D.cpp:22:25:22:31 | call to getElem |
+| D.cpp:37:21:37:21 | e | D.cpp:11:24:11:24 | e | D.cpp:11:29:11:32 | this [post update] [elem] | D.cpp:37:8:37:10 | ref arg box [elem] |
+| D.cpp:51:27:51:27 | e | D.cpp:11:24:11:24 | e | D.cpp:11:29:11:32 | this [post update] [elem] | D.cpp:51:8:51:14 | ref arg call to getBox1 [elem] |
+| by_reference.cpp:20:23:20:27 | value | by_reference.cpp:15:26:15:30 | value | by_reference.cpp:16:5:16:8 | this [post update] [a] | by_reference.cpp:20:5:20:8 | ref arg this [a] |
+| by_reference.cpp:24:25:24:29 | value | by_reference.cpp:11:48:11:52 | value | by_reference.cpp:12:5:12:5 | s [post update] [a] | by_reference.cpp:24:19:24:22 | ref arg this [a] |
+| by_reference.cpp:40:12:40:15 | this [a] | by_reference.cpp:35:9:35:19 | this [a] | by_reference.cpp:36:18:36:18 | a | by_reference.cpp:40:18:40:28 | call to getDirectly |
+| by_reference.cpp:44:26:44:29 | this [a] | by_reference.cpp:31:46:31:46 | s [a] | by_reference.cpp:32:15:32:15 | a | by_reference.cpp:44:12:44:24 | call to nonMemberGetA |
+| by_reference.cpp:50:17:50:26 | call to user_input | by_reference.cpp:15:26:15:30 | value | by_reference.cpp:16:5:16:8 | this [post update] [a] | by_reference.cpp:50:3:50:3 | ref arg s [a] |
+| by_reference.cpp:51:8:51:8 | s [a] | by_reference.cpp:35:9:35:19 | this [a] | by_reference.cpp:36:18:36:18 | a | by_reference.cpp:51:10:51:20 | call to getDirectly |
+| by_reference.cpp:56:19:56:28 | call to user_input | by_reference.cpp:19:28:19:32 | value | by_reference.cpp:20:5:20:8 | ref arg this [a] | by_reference.cpp:56:3:56:3 | ref arg s [a] |
+| by_reference.cpp:57:8:57:8 | s [a] | by_reference.cpp:39:9:39:21 | this [a] | by_reference.cpp:40:18:40:28 | call to getDirectly | by_reference.cpp:57:10:57:22 | call to getIndirectly |
+| by_reference.cpp:62:25:62:34 | call to user_input | by_reference.cpp:23:34:23:38 | value | by_reference.cpp:24:19:24:22 | ref arg this [a] | by_reference.cpp:62:3:62:3 | ref arg s [a] |
+| by_reference.cpp:63:8:63:8 | s [a] | by_reference.cpp:43:9:43:27 | this [a] | by_reference.cpp:44:12:44:24 | call to nonMemberGetA | by_reference.cpp:63:10:63:28 | call to getThroughNonMember |
+| by_reference.cpp:68:21:68:30 | call to user_input | by_reference.cpp:11:48:11:52 | value | by_reference.cpp:12:5:12:5 | s [post update] [a] | by_reference.cpp:68:17:68:18 | ref arg & ... [a] |
+| by_reference.cpp:69:22:69:23 | & ... [a] | by_reference.cpp:31:46:31:46 | s [a] | by_reference.cpp:32:15:32:15 | a | by_reference.cpp:69:8:69:20 | call to nonMemberGetA |
+| complex.cpp:42:16:42:16 | f [a_] | complex.cpp:9:7:9:7 | this [a_] | complex.cpp:9:20:9:21 | a_ | complex.cpp:42:18:42:18 | call to a |
+| complex.cpp:43:16:43:16 | f [b_] | complex.cpp:10:7:10:7 | this [b_] | complex.cpp:10:20:10:21 | b_ | complex.cpp:43:18:43:18 | call to b |
+| complex.cpp:53:19:53:28 | call to user_input | complex.cpp:11:17:11:17 | a | complex.cpp:11:22:11:23 | this [post update] [a_] | complex.cpp:53:12:53:12 | ref arg f [a_] |
+| complex.cpp:54:19:54:28 | call to user_input | complex.cpp:12:17:12:17 | b | complex.cpp:12:22:12:23 | this [post update] [b_] | complex.cpp:54:12:54:12 | ref arg f [b_] |
+| complex.cpp:55:19:55:28 | call to user_input | complex.cpp:11:17:11:17 | a | complex.cpp:11:22:11:23 | this [post update] [a_] | complex.cpp:55:12:55:12 | ref arg f [a_] |
+| complex.cpp:56:19:56:28 | call to user_input | complex.cpp:12:17:12:17 | b | complex.cpp:12:22:12:23 | this [post update] [b_] | complex.cpp:56:12:56:12 | ref arg f [b_] |
+| constructors.cpp:28:10:28:10 | f [a_] | constructors.cpp:18:9:18:9 | this [a_] | constructors.cpp:18:22:18:23 | a_ | constructors.cpp:28:12:28:12 | call to a |
+| constructors.cpp:29:10:29:10 | f [b_] | constructors.cpp:19:9:19:9 | this [b_] | constructors.cpp:19:22:19:23 | b_ | constructors.cpp:29:12:29:12 | call to b |
+| constructors.cpp:34:11:34:20 | call to user_input | constructors.cpp:23:13:23:13 | a | constructors.cpp:23:25:23:29 | constructor init of field a_ [post-this] [a_] | constructors.cpp:34:11:34:26 | call to Foo [a_] |
+| constructors.cpp:35:14:35:23 | call to user_input | constructors.cpp:23:20:23:20 | b | constructors.cpp:23:32:23:36 | constructor init of field b_ [post-this] [b_] | constructors.cpp:35:11:35:26 | call to Foo [b_] |
+| constructors.cpp:36:11:36:20 | call to user_input | constructors.cpp:23:13:23:13 | a | constructors.cpp:23:25:23:29 | constructor init of field a_ [post-this] [a_] | constructors.cpp:36:11:36:37 | call to Foo [a_] |
+| constructors.cpp:36:25:36:34 | call to user_input | constructors.cpp:23:20:23:20 | b | constructors.cpp:23:32:23:36 | constructor init of field b_ [post-this] [b_] | constructors.cpp:36:11:36:37 | call to Foo [b_] |
+| qualifiers.cpp:27:28:27:37 | call to user_input | qualifiers.cpp:9:21:9:25 | value | qualifiers.cpp:9:30:9:33 | this [post update] [a] | qualifiers.cpp:27:11:27:18 | ref arg call to getInner [a] |
+| qualifiers.cpp:32:35:32:44 | call to user_input | qualifiers.cpp:12:40:12:44 | value | qualifiers.cpp:12:49:12:53 | inner [post update] [a] | qualifiers.cpp:32:23:32:30 | ref arg call to getInner [a] |
+| qualifiers.cpp:37:38:37:47 | call to user_input | qualifiers.cpp:13:42:13:46 | value | qualifiers.cpp:13:29:13:33 | inner [a] | qualifiers.cpp:37:19:37:35 | ref arg * ... [a] |
+| qualifiers.cpp:37:38:37:47 | call to user_input | qualifiers.cpp:13:42:13:46 | value | qualifiers.cpp:13:51:13:55 | inner [post update] [a] | qualifiers.cpp:37:19:37:35 | ref arg * ... [a] |
+| simple.cpp:28:10:28:10 | f [a_] | simple.cpp:18:9:18:9 | this [a_] | simple.cpp:18:22:18:23 | a_ | simple.cpp:28:12:28:12 | call to a |
+| simple.cpp:29:10:29:10 | f [b_] | simple.cpp:19:9:19:9 | this [b_] | simple.cpp:19:22:19:23 | b_ | simple.cpp:29:12:29:12 | call to b |
+| simple.cpp:39:12:39:21 | call to user_input | simple.cpp:20:19:20:19 | a | simple.cpp:20:24:20:25 | this [post update] [a_] | simple.cpp:39:5:39:5 | ref arg f [a_] |
+| simple.cpp:40:12:40:21 | call to user_input | simple.cpp:21:19:21:19 | b | simple.cpp:21:24:21:25 | this [post update] [b_] | simple.cpp:40:5:40:5 | ref arg g [b_] |
+| simple.cpp:41:12:41:21 | call to user_input | simple.cpp:20:19:20:19 | a | simple.cpp:20:24:20:25 | this [post update] [a_] | simple.cpp:41:5:41:5 | ref arg h [a_] |
+| simple.cpp:42:12:42:21 | call to user_input | simple.cpp:21:19:21:19 | b | simple.cpp:21:24:21:25 | this [post update] [b_] | simple.cpp:42:5:42:5 | ref arg h [b_] |
+| simple.cpp:84:14:84:20 | this [f2, f1] | simple.cpp:78:9:78:15 | this [f2, f1] | simple.cpp:79:19:79:20 | f1 | simple.cpp:84:14:84:20 | call to getf2f1 |
 #select
 | A.cpp:43:10:43:12 | & ... | A.cpp:41:15:41:21 | new | A.cpp:43:10:43:12 | & ... | & ... flows from $@ | A.cpp:41:15:41:21 | new | new |
 | A.cpp:49:13:49:13 | c | A.cpp:47:12:47:18 | new | A.cpp:49:13:49:13 | c | c flows from $@ | A.cpp:47:12:47:18 | new | new |
--- a/Bugs/Conversion/CastArrayPointerArithmetic/CastArrayPointerArithmetic.expected
+++ b/Bugs/Conversion/CastArrayPointerArithmetic/CastArrayPointerArithmetic.expected
@ -34,6 +34,7 @@ nodes
 | test.cpp:88:21:88:22 | d2 | semmle.label | d2 |
 | test.cpp:95:21:95:21 | d | semmle.label | d |
 | test.cpp:96:21:96:23 | dss | semmle.label | dss |
+subpaths
 #select
 | test.cpp:27:2:27:2 | b | test.cpp:57:19:57:19 | d | test.cpp:27:2:27:2 | b | Pointer arithmetic here may be done with the wrong type because of the cast $@. | test.cpp:57:19:57:19 | d | here |
 | test.cpp:27:2:27:2 | b | test.cpp:74:19:74:21 | dss | test.cpp:27:2:27:2 | b | Pointer arithmetic here may be done with the wrong type because of the cast $@. | test.cpp:74:19:74:21 | dss | here |
--- a/cpp/ql/test/query-tests/Security/CWE/CWE-134/semmle/argv/argvLocal.expected
+++ b/cpp/ql/test/query-tests/Security/CWE/CWE-134/semmle/argv/argvLocal.expected
@ -1,4 +1,5 @@
 edges
+| argvLocal.c:9:25:9:31 | correct | argvLocal.c:9:25:9:31 | *correct |
 | argvLocal.c:95:9:95:12 | argv | argvLocal.c:95:9:95:15 | (const char *)... |
 | argvLocal.c:95:9:95:12 | argv | argvLocal.c:95:9:95:15 | (const char *)... |
 | argvLocal.c:95:9:95:12 | argv | argvLocal.c:95:9:95:15 | access to array |
@ -13,6 +14,7 @@ edges
 | argvLocal.c:96:15:96:18 | argv | argvLocal.c:96:15:96:21 | access to array |
 | argvLocal.c:96:15:96:18 | argv | argvLocal.c:96:15:96:21 | access to array indirection |
 | argvLocal.c:96:15:96:18 | argv | argvLocal.c:96:15:96:21 | access to array indirection |
+| argvLocal.c:96:15:96:21 | access to array indirection | argvLocal.c:9:25:9:31 | *correct |
 | argvLocal.c:100:7:100:10 | argv | argvLocal.c:101:9:101:10 | (const char *)... |
 | argvLocal.c:100:7:100:10 | argv | argvLocal.c:101:9:101:10 | (const char *)... |
 | argvLocal.c:100:7:100:10 | argv | argvLocal.c:101:9:101:10 | i1 |
@ -41,6 +43,7 @@ edges
 | argvLocal.c:100:7:100:10 | argv | argvLocal.c:145:15:145:16 | i7 |
 | argvLocal.c:100:7:100:10 | argv | argvLocal.c:145:15:145:16 | i7 indirection |
 | argvLocal.c:100:7:100:10 | argv | argvLocal.c:145:15:145:16 | i7 indirection |
+| argvLocal.c:102:15:102:16 | i1 indirection | argvLocal.c:9:25:9:31 | *correct |
 | argvLocal.c:105:14:105:17 | argv | argvLocal.c:106:9:106:13 | (const char *)... |
 | argvLocal.c:105:14:105:17 | argv | argvLocal.c:106:9:106:13 | (const char *)... |
 | argvLocal.c:105:14:105:17 | argv | argvLocal.c:106:9:106:13 | access to array |
@ -69,6 +72,8 @@ edges
 | argvLocal.c:105:14:105:17 | argv | argvLocal.c:111:15:111:17 | * ... |
 | argvLocal.c:105:14:105:17 | argv | argvLocal.c:111:15:111:17 | * ... indirection |
 | argvLocal.c:105:14:105:17 | argv | argvLocal.c:111:15:111:17 | * ... indirection |
+| argvLocal.c:107:15:107:19 | access to array indirection | argvLocal.c:9:25:9:31 | *correct |
+| argvLocal.c:111:15:111:17 | * ... indirection | argvLocal.c:9:25:9:31 | *correct |
 | argvLocal.c:115:13:115:16 | argv | argvLocal.c:116:9:116:10 | (const char *)... |
 | argvLocal.c:115:13:115:16 | argv | argvLocal.c:116:9:116:10 | (const char *)... |
 | argvLocal.c:115:13:115:16 | argv | argvLocal.c:116:9:116:10 | i3 |
@ -113,7 +118,9 @@ edges
 | argvLocal.c:115:13:115:16 | argv | argvLocal.c:136:15:136:18 | -- ... |
 | argvLocal.c:115:13:115:16 | argv | argvLocal.c:136:15:136:18 | -- ... indirection |
 | argvLocal.c:115:13:115:16 | argv | argvLocal.c:136:15:136:18 | -- ... indirection |
+| argvLocal.c:117:2:117:13 | i3 | argvLocal.c:9:25:9:31 | correct |
 | argvLocal.c:117:2:117:13 | i3 | argvLocal.c:117:15:117:16 | printWrapper output argument |
+| argvLocal.c:117:15:117:16 | i3 indirection | argvLocal.c:9:25:9:31 | *correct |
 | argvLocal.c:117:15:117:16 | i3 indirection | argvLocal.c:117:15:117:16 | printWrapper output argument |
 | argvLocal.c:117:15:117:16 | printWrapper output argument | argvLocal.c:121:9:121:10 | (const char *)... |
 | argvLocal.c:117:15:117:16 | printWrapper output argument | argvLocal.c:121:9:121:10 | i4 |
@ -129,7 +136,9 @@ edges
 | argvLocal.c:117:15:117:16 | printWrapper output argument | argvLocal.c:136:15:136:18 | -- ... |
 | argvLocal.c:117:15:117:16 | printWrapper output argument | argvLocal.c:136:15:136:18 | -- ... |
 | argvLocal.c:117:15:117:16 | printWrapper output argument | argvLocal.c:136:15:136:18 | -- ... indirection |
+| argvLocal.c:122:2:122:13 | i4 | argvLocal.c:9:25:9:31 | correct |
 | argvLocal.c:122:2:122:13 | i4 | argvLocal.c:122:15:122:16 | printWrapper output argument |
+| argvLocal.c:122:15:122:16 | i4 indirection | argvLocal.c:9:25:9:31 | *correct |
 | argvLocal.c:122:15:122:16 | i4 indirection | argvLocal.c:122:15:122:16 | printWrapper output argument |
 | argvLocal.c:122:15:122:16 | printWrapper output argument | argvLocal.c:135:9:135:12 | (const char *)... |
 | argvLocal.c:122:15:122:16 | printWrapper output argument | argvLocal.c:135:9:135:12 | ... ++ |
@ -165,7 +174,9 @@ edges
 | argvLocal.c:126:10:126:13 | argv | argvLocal.c:132:15:132:20 | ... + ... |
 | argvLocal.c:126:10:126:13 | argv | argvLocal.c:132:15:132:20 | ... + ... indirection |
 | argvLocal.c:126:10:126:13 | argv | argvLocal.c:132:15:132:20 | ... + ... indirection |
+| argvLocal.c:128:2:128:13 | i5 | argvLocal.c:9:25:9:31 | correct |
 | argvLocal.c:128:2:128:13 | i5 | argvLocal.c:128:15:128:16 | printWrapper output argument |
+| argvLocal.c:128:15:128:16 | i5 indirection | argvLocal.c:9:25:9:31 | *correct |
 | argvLocal.c:128:15:128:16 | i5 indirection | argvLocal.c:128:15:128:16 | printWrapper output argument |
 | argvLocal.c:128:15:128:16 | printWrapper output argument | argvLocal.c:131:9:131:14 | (const char *)... |
 | argvLocal.c:128:15:128:16 | printWrapper output argument | argvLocal.c:131:9:131:14 | ... + ... |
@ -173,6 +184,9 @@ edges
 | argvLocal.c:128:15:128:16 | printWrapper output argument | argvLocal.c:132:15:132:20 | ... + ... |
 | argvLocal.c:128:15:128:16 | printWrapper output argument | argvLocal.c:132:15:132:20 | ... + ... |
 | argvLocal.c:128:15:128:16 | printWrapper output argument | argvLocal.c:132:15:132:20 | ... + ... indirection |
+| argvLocal.c:132:15:132:20 | ... + ... indirection | argvLocal.c:9:25:9:31 | *correct |
+| argvLocal.c:136:15:136:18 | -- ... indirection | argvLocal.c:9:25:9:31 | *correct |
+| argvLocal.c:145:15:145:16 | i7 indirection | argvLocal.c:9:25:9:31 | *correct |
 | argvLocal.c:149:11:149:14 | argv | argvLocal.c:150:9:150:10 | (const char *)... |
 | argvLocal.c:149:11:149:14 | argv | argvLocal.c:150:9:150:10 | (const char *)... |
 | argvLocal.c:149:11:149:14 | argv | argvLocal.c:150:9:150:10 | i8 |
@ -187,6 +201,7 @@ edges
 | argvLocal.c:149:11:149:14 | argv | argvLocal.c:151:15:151:16 | i8 |
 | argvLocal.c:149:11:149:14 | argv | argvLocal.c:151:15:151:16 | i8 indirection |
 | argvLocal.c:149:11:149:14 | argv | argvLocal.c:151:15:151:16 | i8 indirection |
+| argvLocal.c:151:15:151:16 | i8 indirection | argvLocal.c:9:25:9:31 | *correct |
 | argvLocal.c:156:23:156:26 | argv | argvLocal.c:157:9:157:10 | (const char *)... |
 | argvLocal.c:156:23:156:26 | argv | argvLocal.c:157:9:157:10 | (const char *)... |
 | argvLocal.c:156:23:156:26 | argv | argvLocal.c:157:9:157:10 | i9 |
@ -199,6 +214,7 @@ edges
 | argvLocal.c:156:23:156:26 | argv | argvLocal.c:158:15:158:16 | i9 |
 | argvLocal.c:156:23:156:26 | argv | argvLocal.c:158:15:158:16 | i9 indirection |
 | argvLocal.c:156:23:156:26 | argv | argvLocal.c:158:15:158:16 | i9 indirection |
+| argvLocal.c:158:15:158:16 | i9 indirection | argvLocal.c:9:25:9:31 | *correct |
 | argvLocal.c:163:22:163:25 | argv | argvLocal.c:164:9:164:11 | (const char *)... |
 | argvLocal.c:163:22:163:25 | argv | argvLocal.c:164:9:164:11 | (const char *)... |
 | argvLocal.c:163:22:163:25 | argv | argvLocal.c:164:9:164:11 | i91 |
@ -211,6 +227,7 @@ edges
 | argvLocal.c:163:22:163:25 | argv | argvLocal.c:165:15:165:17 | i91 |
 | argvLocal.c:163:22:163:25 | argv | argvLocal.c:165:15:165:17 | i91 indirection |
 | argvLocal.c:163:22:163:25 | argv | argvLocal.c:165:15:165:17 | i91 indirection |
+| argvLocal.c:165:15:165:17 | i91 indirection | argvLocal.c:9:25:9:31 | *correct |
 | argvLocal.c:168:18:168:21 | argv | argvLocal.c:169:9:169:20 | (char *)... |
 | argvLocal.c:168:18:168:21 | argv | argvLocal.c:169:9:169:20 | (char *)... |
 | argvLocal.c:168:18:168:21 | argv | argvLocal.c:169:9:169:20 | (const char *)... |
@ -229,6 +246,7 @@ edges
 | argvLocal.c:168:18:168:21 | argv | argvLocal.c:170:24:170:26 | i10 |
 | argvLocal.c:168:18:168:21 | argv | argvLocal.c:170:24:170:26 | i10 |
 | argvLocal.c:168:18:168:21 | argv | argvLocal.c:170:24:170:26 | i10 |
+| argvLocal.c:170:15:170:26 | i10 indirection | argvLocal.c:9:25:9:31 | *correct |
 nodes
 | argvLocal.c:9:25:9:31 | *correct | semmle.label | *correct |
 | argvLocal.c:9:25:9:31 | *correct | semmle.label | *correct |
--- a/cpp/ql/test/query-tests/Security/CWE/CWE-190/semmle/ArithmeticUncontrolled/ArithmeticUncontrolled.expected
+++ b/cpp/ql/test/query-tests/Security/CWE/CWE-190/semmle/ArithmeticUncontrolled/ArithmeticUncontrolled.expected
@ -105,6 +105,7 @@ nodes
 | test.cpp:223:20:223:23 | call to rand | semmle.label | call to rand |
 | test.cpp:223:20:223:25 | (unsigned int)... | semmle.label | (unsigned int)... |
 | test.cpp:227:8:227:8 | x | semmle.label | x |
+subpaths
 #select
 | test.c:21:17:21:17 | r | test.c:18:13:18:16 | call to rand | test.c:21:17:21:17 | r | $@ flows to here and is used in arithmetic, potentially causing an overflow. | test.c:18:13:18:16 | call to rand | Uncontrolled value |
 | test.c:35:5:35:5 | r | test.c:34:13:34:18 | call to rand | test.c:35:5:35:5 | r | $@ flows to here and is used in arithmetic, potentially causing an overflow. | test.c:34:13:34:18 | call to rand | Uncontrolled value |
--- a/csharp/ql/lib/semmle/code/csharp/dataflow/internal/DataFlowImpl.qll
+++ b/csharp/ql/lib/semmle/code/csharp/dataflow/internal/DataFlowImpl.qll
@ -3258,24 +3258,16 @@ class PathNode extends TPathNode {
  /** Gets the associated configuration. */
  Configuration getConfiguration() { none() }

-  private predicate isHidden() {
-    hiddenNode(this.(PathNodeImpl).getNodeEx().asNode()) and
-    not this.isSource() and
-    not this instanceof PathNodeSink
-    or
-    this.(PathNodeImpl).getNodeEx() instanceof TNodeImplicitRead
-  }
-
  private PathNode getASuccessorIfHidden() {
-    this.isHidden() and
+    this.(PathNodeImpl).isHidden() and
    result = this.(PathNodeImpl).getASuccessorImpl()
  }

  /** Gets a successor of this node, if any. */
  final PathNode getASuccessor() {
    result = this.(PathNodeImpl).getASuccessorImpl().getASuccessorIfHidden*() and
-    not this.isHidden() and
-    not result.isHidden()
+    not this.(PathNodeImpl).isHidden() and
+    not result.(PathNodeImpl).isHidden()
  }

  /** Holds if this node is a source. */
@ -3287,6 +3279,14 @@ abstract private class PathNodeImpl extends PathNode {

  abstract NodeEx getNodeEx();

+  predicate isHidden() {
+    hiddenNode(this.getNodeEx().asNode()) and
+    not this.isSource() and
+    not this instanceof PathNodeSink
+    or
+    this.getNodeEx() instanceof TNodeImplicitRead
+  }
+
  private string ppAp() {
    this instanceof PathNodeSink and result = ""
    or
@ -3313,9 +3313,14 @@ abstract private class PathNodeImpl extends PathNode {
 }

 /** Holds if `n` can reach a sink. */
-private predicate reach(PathNode n) { n instanceof PathNodeSink or reach(n.getASuccessor()) }
+private predicate directReach(PathNode n) {
+  n instanceof PathNodeSink or directReach(n.getASuccessor())
+}

-/** Holds if `n1.getSucc() = n2` and `n2` can reach a sink. */
+/** Holds if `n` can reach a sink or is used in a subpath. */
+private predicate reach(PathNode n) { directReach(n) or Subpaths::retReach(n) }
+
+/** Holds if `n1.getSucc() = n2` and `n2` can reach a sink or is used in a subpath. */
 private predicate pathSucc(PathNode n1, PathNode n2) { n1.getASuccessor() = n2 and reach(n2) }

 private predicate pathSuccPlus(PathNode n1, PathNode n2) = fastTC(pathSucc/2)(n1, n2)
@ -3331,6 +3336,8 @@ module PathGraph {
  query predicate nodes(PathNode n, string key, string val) {
    reach(n) and key = "semmle.label" and val = n.toString()
  }
+
+  query predicate subpaths = Subpaths::subpaths/4;
 }

 /**
@ -3622,6 +3629,86 @@ private predicate pathThroughCallable(PathNodeMid mid, NodeEx out, CallContext c
  )
 }

+private module Subpaths {
+  /**
+   * Holds if `(arg, par, ret, out)` forms a subpath-tuple and `ret` is determined by
+   * `kind`, `sc`, `apout`, and `innercc`.
+   */
+  pragma[nomagic]
+  private predicate subpaths01(
+    PathNode arg, ParamNodeEx par, SummaryCtxSome sc, CallContext innercc, ReturnKindExt kind,
+    NodeEx out, AccessPath apout
+  ) {
+    pathThroughCallable(arg, out, _, apout) and
+    pathIntoCallable(arg, par, _, innercc, sc, _) and
+    paramFlowsThrough(kind, innercc, sc, apout, _, unbindConf(arg.getConfiguration()))
+  }
+
+  /**
+   * Holds if `(arg, par, ret, out)` forms a subpath-tuple and `ret` is determined by
+   * `kind`, `sc`, `apout`, and `innercc`.
+   */
+  pragma[nomagic]
+  private predicate subpaths02(
+    PathNode arg, ParamNodeEx par, SummaryCtxSome sc, CallContext innercc, ReturnKindExt kind,
+    NodeEx out, AccessPath apout
+  ) {
+    subpaths01(arg, par, sc, innercc, kind, out, apout) and
+    out.asNode() = kind.getAnOutNode(_)
+  }
+
+  pragma[nomagic]
+  private Configuration getPathNodeConf(PathNode n) { result = n.getConfiguration() }
+
+  /**
+   * Holds if `(arg, par, ret, out)` forms a subpath-tuple.
+   */
+  pragma[nomagic]
+  private predicate subpaths03(
+    PathNode arg, ParamNodeEx par, PathNodeMid ret, NodeEx out, AccessPath apout
+  ) {
+    exists(SummaryCtxSome sc, CallContext innercc, ReturnKindExt kind, RetNodeEx retnode |
+      subpaths02(arg, par, sc, innercc, kind, out, apout) and
+      ret.getNodeEx() = retnode and
+      kind = retnode.getKind() and
+      innercc = ret.getCallContext() and
+      sc = ret.getSummaryCtx() and
+      ret.getConfiguration() = unbindConf(getPathNodeConf(arg)) and
+      apout = ret.getAp() and
+      not ret.isHidden()
+    )
+  }
+
+  /**
+   * Holds if `(arg, par, ret, out)` forms a subpath-tuple, that is, flow through
+   * a subpath between `par` and `ret` with the connecting edges `arg -> par` and
+   * `ret -> out` is summarized as the edge `arg -> out`.
+   */
+  predicate subpaths(PathNode arg, PathNodeImpl par, PathNodeMid ret, PathNodeMid out) {
+    exists(ParamNodeEx p, NodeEx o, AccessPath apout |
+      arg.getASuccessor() = par and
+      arg.getASuccessor() = out and
+      subpaths03(arg, p, ret, o, apout) and
+      par.getNodeEx() = p and
+      out.getNodeEx() = o and
+      out.getAp() = apout
+    )
+  }
+
+  /**
+   * Holds if `n` can reach a return node in a summarized subpath.
+   */
+  predicate retReach(PathNode n) {
+    subpaths(_, _, n, _)
+    or
+    exists(PathNode mid |
+      retReach(mid) and
+      n.getASuccessor() = mid and
+      not subpaths(_, mid, _, _)
+    )
+  }
+}
+
 /**
 * Holds if data can flow (inter-procedurally) from `source` to `sink`.
 *
--- a/csharp/ql/lib/semmle/code/csharp/dataflow/internal/DataFlowImpl2.qll
+++ b/csharp/ql/lib/semmle/code/csharp/dataflow/internal/DataFlowImpl2.qll
@ -3258,24 +3258,16 @@ class PathNode extends TPathNode {
  /** Gets the associated configuration. */
  Configuration getConfiguration() { none() }

-  private predicate isHidden() {
-    hiddenNode(this.(PathNodeImpl).getNodeEx().asNode()) and
-    not this.isSource() and
-    not this instanceof PathNodeSink
-    or
-    this.(PathNodeImpl).getNodeEx() instanceof TNodeImplicitRead
-  }
-
  private PathNode getASuccessorIfHidden() {
-    this.isHidden() and
+    this.(PathNodeImpl).isHidden() and
    result = this.(PathNodeImpl).getASuccessorImpl()
  }

  /** Gets a successor of this node, if any. */
  final PathNode getASuccessor() {
    result = this.(PathNodeImpl).getASuccessorImpl().getASuccessorIfHidden*() and
-    not this.isHidden() and
-    not result.isHidden()
+    not this.(PathNodeImpl).isHidden() and
+    not result.(PathNodeImpl).isHidden()
  }

  /** Holds if this node is a source. */
@ -3287,6 +3279,14 @@ abstract private class PathNodeImpl extends PathNode {

  abstract NodeEx getNodeEx();

+  predicate isHidden() {
+    hiddenNode(this.getNodeEx().asNode()) and
+    not this.isSource() and
+    not this instanceof PathNodeSink
+    or
+    this.getNodeEx() instanceof TNodeImplicitRead
+  }
+
  private string ppAp() {
    this instanceof PathNodeSink and result = ""
    or
@ -3313,9 +3313,14 @@ abstract private class PathNodeImpl extends PathNode {
 }

 /** Holds if `n` can reach a sink. */
-private predicate reach(PathNode n) { n instanceof PathNodeSink or reach(n.getASuccessor()) }
+private predicate directReach(PathNode n) {
+  n instanceof PathNodeSink or directReach(n.getASuccessor())
+}

-/** Holds if `n1.getSucc() = n2` and `n2` can reach a sink. */
+/** Holds if `n` can reach a sink or is used in a subpath. */
+private predicate reach(PathNode n) { directReach(n) or Subpaths::retReach(n) }
+
+/** Holds if `n1.getSucc() = n2` and `n2` can reach a sink or is used in a subpath. */
 private predicate pathSucc(PathNode n1, PathNode n2) { n1.getASuccessor() = n2 and reach(n2) }

 private predicate pathSuccPlus(PathNode n1, PathNode n2) = fastTC(pathSucc/2)(n1, n2)
@ -3331,6 +3336,8 @@ module PathGraph {
  query predicate nodes(PathNode n, string key, string val) {
    reach(n) and key = "semmle.label" and val = n.toString()
  }
+
+  query predicate subpaths = Subpaths::subpaths/4;
 }

 /**
@ -3622,6 +3629,86 @@ private predicate pathThroughCallable(PathNodeMid mid, NodeEx out, CallContext c
  )
 }

+private module Subpaths {
+  /**
+   * Holds if `(arg, par, ret, out)` forms a subpath-tuple and `ret` is determined by
+   * `kind`, `sc`, `apout`, and `innercc`.
+   */
+  pragma[nomagic]
+  private predicate subpaths01(
+    PathNode arg, ParamNodeEx par, SummaryCtxSome sc, CallContext innercc, ReturnKindExt kind,
+    NodeEx out, AccessPath apout
+  ) {
+    pathThroughCallable(arg, out, _, apout) and
+    pathIntoCallable(arg, par, _, innercc, sc, _) and
+    paramFlowsThrough(kind, innercc, sc, apout, _, unbindConf(arg.getConfiguration()))
+  }
+
+  /**
+   * Holds if `(arg, par, ret, out)` forms a subpath-tuple and `ret` is determined by
+   * `kind`, `sc`, `apout`, and `innercc`.
+   */
+  pragma[nomagic]
+  private predicate subpaths02(
+    PathNode arg, ParamNodeEx par, SummaryCtxSome sc, CallContext innercc, ReturnKindExt kind,
+    NodeEx out, AccessPath apout
+  ) {
+    subpaths01(arg, par, sc, innercc, kind, out, apout) and
+    out.asNode() = kind.getAnOutNode(_)
+  }
+
+  pragma[nomagic]
+  private Configuration getPathNodeConf(PathNode n) { result = n.getConfiguration() }
+
+  /**
+   * Holds if `(arg, par, ret, out)` forms a subpath-tuple.
+   */
+  pragma[nomagic]
+  private predicate subpaths03(
+    PathNode arg, ParamNodeEx par, PathNodeMid ret, NodeEx out, AccessPath apout
+  ) {
+    exists(SummaryCtxSome sc, CallContext innercc, ReturnKindExt kind, RetNodeEx retnode |
+      subpaths02(arg, par, sc, innercc, kind, out, apout) and
+      ret.getNodeEx() = retnode and
+      kind = retnode.getKind() and
+      innercc = ret.getCallContext() and
+      sc = ret.getSummaryCtx() and
+      ret.getConfiguration() = unbindConf(getPathNodeConf(arg)) and
+      apout = ret.getAp() and
+      not ret.isHidden()
+    )
+  }
+
+  /**
+   * Holds if `(arg, par, ret, out)` forms a subpath-tuple, that is, flow through
+   * a subpath between `par` and `ret` with the connecting edges `arg -> par` and
+   * `ret -> out` is summarized as the edge `arg -> out`.
+   */
+  predicate subpaths(PathNode arg, PathNodeImpl par, PathNodeMid ret, PathNodeMid out) {
+    exists(ParamNodeEx p, NodeEx o, AccessPath apout |
+      arg.getASuccessor() = par and
+      arg.getASuccessor() = out and
+      subpaths03(arg, p, ret, o, apout) and
+      par.getNodeEx() = p and
+      out.getNodeEx() = o and
+      out.getAp() = apout
+    )
+  }
+
+  /**
+   * Holds if `n` can reach a return node in a summarized subpath.
+   */
+  predicate retReach(PathNode n) {
+    subpaths(_, _, n, _)
+    or
+    exists(PathNode mid |
+      retReach(mid) and
+      n.getASuccessor() = mid and
+      not subpaths(_, mid, _, _)
+    )
+  }
+}
+
 /**
 * Holds if data can flow (inter-procedurally) from `source` to `sink`.
 *
--- a/csharp/ql/lib/semmle/code/csharp/dataflow/internal/DataFlowImpl3.qll
+++ b/csharp/ql/lib/semmle/code/csharp/dataflow/internal/DataFlowImpl3.qll
@ -3258,24 +3258,16 @@ class PathNode extends TPathNode {
  /** Gets the associated configuration. */
  Configuration getConfiguration() { none() }

-  private predicate isHidden() {
-    hiddenNode(this.(PathNodeImpl).getNodeEx().asNode()) and
-    not this.isSource() and
-    not this instanceof PathNodeSink
-    or
-    this.(PathNodeImpl).getNodeEx() instanceof TNodeImplicitRead
-  }
-
  private PathNode getASuccessorIfHidden() {
-    this.isHidden() and
+    this.(PathNodeImpl).isHidden() and
    result = this.(PathNodeImpl).getASuccessorImpl()
  }

  /** Gets a successor of this node, if any. */
  final PathNode getASuccessor() {
    result = this.(PathNodeImpl).getASuccessorImpl().getASuccessorIfHidden*() and
-    not this.isHidden() and
-    not result.isHidden()
+    not this.(PathNodeImpl).isHidden() and
+    not result.(PathNodeImpl).isHidden()
  }

  /** Holds if this node is a source. */
@ -3287,6 +3279,14 @@ abstract private class PathNodeImpl extends PathNode {

  abstract NodeEx getNodeEx();

+  predicate isHidden() {
+    hiddenNode(this.getNodeEx().asNode()) and
+    not this.isSource() and
+    not this instanceof PathNodeSink
+    or
+    this.getNodeEx() instanceof TNodeImplicitRead
+  }
+
  private string ppAp() {
    this instanceof PathNodeSink and result = ""
    or
@ -3313,9 +3313,14 @@ abstract private class PathNodeImpl extends PathNode {
 }

 /** Holds if `n` can reach a sink. */
-private predicate reach(PathNode n) { n instanceof PathNodeSink or reach(n.getASuccessor()) }
+private predicate directReach(PathNode n) {
+  n instanceof PathNodeSink or directReach(n.getASuccessor())
+}

-/** Holds if `n1.getSucc() = n2` and `n2` can reach a sink. */
+/** Holds if `n` can reach a sink or is used in a subpath. */
+private predicate reach(PathNode n) { directReach(n) or Subpaths::retReach(n) }
+
+/** Holds if `n1.getSucc() = n2` and `n2` can reach a sink or is used in a subpath. */
 private predicate pathSucc(PathNode n1, PathNode n2) { n1.getASuccessor() = n2 and reach(n2) }

 private predicate pathSuccPlus(PathNode n1, PathNode n2) = fastTC(pathSucc/2)(n1, n2)
@ -3331,6 +3336,8 @@ module PathGraph {
  query predicate nodes(PathNode n, string key, string val) {
    reach(n) and key = "semmle.label" and val = n.toString()
  }
+
+  query predicate subpaths = Subpaths::subpaths/4;
 }

 /**
@ -3622,6 +3629,86 @@ private predicate pathThroughCallable(PathNodeMid mid, NodeEx out, CallContext c
  )
 }

+private module Subpaths {
+  /**
+   * Holds if `(arg, par, ret, out)` forms a subpath-tuple and `ret` is determined by
+   * `kind`, `sc`, `apout`, and `innercc`.
+   */
+  pragma[nomagic]
+  private predicate subpaths01(
+    PathNode arg, ParamNodeEx par, SummaryCtxSome sc, CallContext innercc, ReturnKindExt kind,
+    NodeEx out, AccessPath apout
+  ) {
+    pathThroughCallable(arg, out, _, apout) and
+    pathIntoCallable(arg, par, _, innercc, sc, _) and
+    paramFlowsThrough(kind, innercc, sc, apout, _, unbindConf(arg.getConfiguration()))
+  }
+
+  /**
+   * Holds if `(arg, par, ret, out)` forms a subpath-tuple and `ret` is determined by
+   * `kind`, `sc`, `apout`, and `innercc`.
+   */
+  pragma[nomagic]
+  private predicate subpaths02(
+    PathNode arg, ParamNodeEx par, SummaryCtxSome sc, CallContext innercc, ReturnKindExt kind,
+    NodeEx out, AccessPath apout
+  ) {
+    subpaths01(arg, par, sc, innercc, kind, out, apout) and
+    out.asNode() = kind.getAnOutNode(_)
+  }
+
+  pragma[nomagic]
+  private Configuration getPathNodeConf(PathNode n) { result = n.getConfiguration() }
+
+  /**
+   * Holds if `(arg, par, ret, out)` forms a subpath-tuple.
+   */
+  pragma[nomagic]
+  private predicate subpaths03(
+    PathNode arg, ParamNodeEx par, PathNodeMid ret, NodeEx out, AccessPath apout
+  ) {
+    exists(SummaryCtxSome sc, CallContext innercc, ReturnKindExt kind, RetNodeEx retnode |
+      subpaths02(arg, par, sc, innercc, kind, out, apout) and
+      ret.getNodeEx() = retnode and
+      kind = retnode.getKind() and
+      innercc = ret.getCallContext() and
+      sc = ret.getSummaryCtx() and
+      ret.getConfiguration() = unbindConf(getPathNodeConf(arg)) and
+      apout = ret.getAp() and
+      not ret.isHidden()
+    )
+  }
+
+  /**
+   * Holds if `(arg, par, ret, out)` forms a subpath-tuple, that is, flow through
+   * a subpath between `par` and `ret` with the connecting edges `arg -> par` and
+   * `ret -> out` is summarized as the edge `arg -> out`.
+   */
+  predicate subpaths(PathNode arg, PathNodeImpl par, PathNodeMid ret, PathNodeMid out) {
+    exists(ParamNodeEx p, NodeEx o, AccessPath apout |
+      arg.getASuccessor() = par and
+      arg.getASuccessor() = out and
+      subpaths03(arg, p, ret, o, apout) and
+      par.getNodeEx() = p and
+      out.getNodeEx() = o and
+      out.getAp() = apout
+    )
+  }
+
+  /**
+   * Holds if `n` can reach a return node in a summarized subpath.
+   */
+  predicate retReach(PathNode n) {
+    subpaths(_, _, n, _)
+    or
+    exists(PathNode mid |
+      retReach(mid) and
+      n.getASuccessor() = mid and
+      not subpaths(_, mid, _, _)
+    )
+  }
+}
+
 /**
 * Holds if data can flow (inter-procedurally) from `source` to `sink`.
 *
--- a/csharp/ql/lib/semmle/code/csharp/dataflow/internal/DataFlowImpl4.qll
+++ b/csharp/ql/lib/semmle/code/csharp/dataflow/internal/DataFlowImpl4.qll
@ -3258,24 +3258,16 @@ class PathNode extends TPathNode {
  /** Gets the associated configuration. */
  Configuration getConfiguration() { none() }

-  private predicate isHidden() {
-    hiddenNode(this.(PathNodeImpl).getNodeEx().asNode()) and
-    not this.isSource() and
-    not this instanceof PathNodeSink
-    or
-    this.(PathNodeImpl).getNodeEx() instanceof TNodeImplicitRead
-  }
-
  private PathNode getASuccessorIfHidden() {
-    this.isHidden() and
+    this.(PathNodeImpl).isHidden() and
    result = this.(PathNodeImpl).getASuccessorImpl()
  }

  /** Gets a successor of this node, if any. */
  final PathNode getASuccessor() {
    result = this.(PathNodeImpl).getASuccessorImpl().getASuccessorIfHidden*() and
-    not this.isHidden() and
-    not result.isHidden()
+    not this.(PathNodeImpl).isHidden() and
+    not result.(PathNodeImpl).isHidden()
  }

  /** Holds if this node is a source. */
@ -3287,6 +3279,14 @@ abstract private class PathNodeImpl extends PathNode {

  abstract NodeEx getNodeEx();

+  predicate isHidden() {
+    hiddenNode(this.getNodeEx().asNode()) and
+    not this.isSource() and
+    not this instanceof PathNodeSink
+    or
+    this.getNodeEx() instanceof TNodeImplicitRead
+  }
+
  private string ppAp() {
    this instanceof PathNodeSink and result = ""
    or
@ -3313,9 +3313,14 @@ abstract private class PathNodeImpl extends PathNode {
 }

 /** Holds if `n` can reach a sink. */
-private predicate reach(PathNode n) { n instanceof PathNodeSink or reach(n.getASuccessor()) }
+private predicate directReach(PathNode n) {
+  n instanceof PathNodeSink or directReach(n.getASuccessor())
+}

-/** Holds if `n1.getSucc() = n2` and `n2` can reach a sink. */
+/** Holds if `n` can reach a sink or is used in a subpath. */
+private predicate reach(PathNode n) { directReach(n) or Subpaths::retReach(n) }
+
+/** Holds if `n1.getSucc() = n2` and `n2` can reach a sink or is used in a subpath. */
 private predicate pathSucc(PathNode n1, PathNode n2) { n1.getASuccessor() = n2 and reach(n2) }

 private predicate pathSuccPlus(PathNode n1, PathNode n2) = fastTC(pathSucc/2)(n1, n2)
@ -3331,6 +3336,8 @@ module PathGraph {
  query predicate nodes(PathNode n, string key, string val) {
    reach(n) and key = "semmle.label" and val = n.toString()
  }
+
+  query predicate subpaths = Subpaths::subpaths/4;
 }

 /**
@ -3622,6 +3629,86 @@ private predicate pathThroughCallable(PathNodeMid mid, NodeEx out, CallContext c
  )
 }

+private module Subpaths {
+  /**
+   * Holds if `(arg, par, ret, out)` forms a subpath-tuple and `ret` is determined by
+   * `kind`, `sc`, `apout`, and `innercc`.
+   */
+  pragma[nomagic]
+  private predicate subpaths01(
+    PathNode arg, ParamNodeEx par, SummaryCtxSome sc, CallContext innercc, ReturnKindExt kind,
+    NodeEx out, AccessPath apout
+  ) {
+    pathThroughCallable(arg, out, _, apout) and
+    pathIntoCallable(arg, par, _, innercc, sc, _) and
+    paramFlowsThrough(kind, innercc, sc, apout, _, unbindConf(arg.getConfiguration()))
+  }
+
+  /**
+   * Holds if `(arg, par, ret, out)` forms a subpath-tuple and `ret` is determined by
+   * `kind`, `sc`, `apout`, and `innercc`.
+   */
+  pragma[nomagic]
+  private predicate subpaths02(
+    PathNode arg, ParamNodeEx par, SummaryCtxSome sc, CallContext innercc, ReturnKindExt kind,
+    NodeEx out, AccessPath apout
+  ) {
+    subpaths01(arg, par, sc, innercc, kind, out, apout) and
+    out.asNode() = kind.getAnOutNode(_)
+  }
+
+  pragma[nomagic]
+  private Configuration getPathNodeConf(PathNode n) { result = n.getConfiguration() }
+
+  /**
+   * Holds if `(arg, par, ret, out)` forms a subpath-tuple.
+   */
+  pragma[nomagic]
+  private predicate subpaths03(
+    PathNode arg, ParamNodeEx par, PathNodeMid ret, NodeEx out, AccessPath apout
+  ) {
+    exists(SummaryCtxSome sc, CallContext innercc, ReturnKindExt kind, RetNodeEx retnode |
+      subpaths02(arg, par, sc, innercc, kind, out, apout) and
+      ret.getNodeEx() = retnode and
+      kind = retnode.getKind() and
+      innercc = ret.getCallContext() and
+      sc = ret.getSummaryCtx() and
+      ret.getConfiguration() = unbindConf(getPathNodeConf(arg)) and
+      apout = ret.getAp() and
+      not ret.isHidden()
+    )
+  }
+
+  /**
+   * Holds if `(arg, par, ret, out)` forms a subpath-tuple, that is, flow through
+   * a subpath between `par` and `ret` with the connecting edges `arg -> par` and
+   * `ret -> out` is summarized as the edge `arg -> out`.
+   */
+  predicate subpaths(PathNode arg, PathNodeImpl par, PathNodeMid ret, PathNodeMid out) {
+    exists(ParamNodeEx p, NodeEx o, AccessPath apout |
+      arg.getASuccessor() = par and
+      arg.getASuccessor() = out and
+      subpaths03(arg, p, ret, o, apout) and
+      par.getNodeEx() = p and
+      out.getNodeEx() = o and
+      out.getAp() = apout
+    )
+  }
+
+  /**
+   * Holds if `n` can reach a return node in a summarized subpath.
+   */
+  predicate retReach(PathNode n) {
+    subpaths(_, _, n, _)
+    or
+    exists(PathNode mid |
+      retReach(mid) and
+      n.getASuccessor() = mid and
+      not subpaths(_, mid, _, _)
+    )
+  }
+}
+
 /**
 * Holds if data can flow (inter-procedurally) from `source` to `sink`.
 *
--- a/csharp/ql/lib/semmle/code/csharp/dataflow/internal/DataFlowImpl5.qll
+++ b/csharp/ql/lib/semmle/code/csharp/dataflow/internal/DataFlowImpl5.qll
@ -3258,24 +3258,16 @@ class PathNode extends TPathNode {
  /** Gets the associated configuration. */
  Configuration getConfiguration() { none() }

-  private predicate isHidden() {
-    hiddenNode(this.(PathNodeImpl).getNodeEx().asNode()) and
-    not this.isSource() and
-    not this instanceof PathNodeSink
-    or
-    this.(PathNodeImpl).getNodeEx() instanceof TNodeImplicitRead
-  }
-
  private PathNode getASuccessorIfHidden() {
-    this.isHidden() and
+    this.(PathNodeImpl).isHidden() and
    result = this.(PathNodeImpl).getASuccessorImpl()
  }

  /** Gets a successor of this node, if any. */
  final PathNode getASuccessor() {
    result = this.(PathNodeImpl).getASuccessorImpl().getASuccessorIfHidden*() and
-    not this.isHidden() and
-    not result.isHidden()
+    not this.(PathNodeImpl).isHidden() and
+    not result.(PathNodeImpl).isHidden()
  }

  /** Holds if this node is a source. */
@ -3287,6 +3279,14 @@ abstract private class PathNodeImpl extends PathNode {

  abstract NodeEx getNodeEx();

+  predicate isHidden() {
+    hiddenNode(this.getNodeEx().asNode()) and
+    not this.isSource() and
+    not this instanceof PathNodeSink
+    or
+    this.getNodeEx() instanceof TNodeImplicitRead
+  }
+
  private string ppAp() {
    this instanceof PathNodeSink and result = ""
    or
@ -3313,9 +3313,14 @@ abstract private class PathNodeImpl extends PathNode {
 }

 /** Holds if `n` can reach a sink. */
-private predicate reach(PathNode n) { n instanceof PathNodeSink or reach(n.getASuccessor()) }
+private predicate directReach(PathNode n) {
+  n instanceof PathNodeSink or directReach(n.getASuccessor())
+}

-/** Holds if `n1.getSucc() = n2` and `n2` can reach a sink. */
+/** Holds if `n` can reach a sink or is used in a subpath. */
+private predicate reach(PathNode n) { directReach(n) or Subpaths::retReach(n) }
+
+/** Holds if `n1.getSucc() = n2` and `n2` can reach a sink or is used in a subpath. */
 private predicate pathSucc(PathNode n1, PathNode n2) { n1.getASuccessor() = n2 and reach(n2) }

 private predicate pathSuccPlus(PathNode n1, PathNode n2) = fastTC(pathSucc/2)(n1, n2)
@ -3331,6 +3336,8 @@ module PathGraph {
  query predicate nodes(PathNode n, string key, string val) {
    reach(n) and key = "semmle.label" and val = n.toString()
  }
+
+  query predicate subpaths = Subpaths::subpaths/4;
 }

 /**
@ -3622,6 +3629,86 @@ private predicate pathThroughCallable(PathNodeMid mid, NodeEx out, CallContext c
  )
 }

+private module Subpaths {
+  /**
+   * Holds if `(arg, par, ret, out)` forms a subpath-tuple and `ret` is determined by
+   * `kind`, `sc`, `apout`, and `innercc`.
+   */
+  pragma[nomagic]
+  private predicate subpaths01(
+    PathNode arg, ParamNodeEx par, SummaryCtxSome sc, CallContext innercc, ReturnKindExt kind,
+    NodeEx out, AccessPath apout
+  ) {
+    pathThroughCallable(arg, out, _, apout) and
+    pathIntoCallable(arg, par, _, innercc, sc, _) and
+    paramFlowsThrough(kind, innercc, sc, apout, _, unbindConf(arg.getConfiguration()))
+  }
+
+  /**
+   * Holds if `(arg, par, ret, out)` forms a subpath-tuple and `ret` is determined by
+   * `kind`, `sc`, `apout`, and `innercc`.
+   */
+  pragma[nomagic]
+  private predicate subpaths02(
+    PathNode arg, ParamNodeEx par, SummaryCtxSome sc, CallContext innercc, ReturnKindExt kind,
+    NodeEx out, AccessPath apout
+  ) {
+    subpaths01(arg, par, sc, innercc, kind, out, apout) and
+    out.asNode() = kind.getAnOutNode(_)
+  }
+
+  pragma[nomagic]
+  private Configuration getPathNodeConf(PathNode n) { result = n.getConfiguration() }
+
+  /**
+   * Holds if `(arg, par, ret, out)` forms a subpath-tuple.
+   */
+  pragma[nomagic]
+  private predicate subpaths03(
+    PathNode arg, ParamNodeEx par, PathNodeMid ret, NodeEx out, AccessPath apout
+  ) {
+    exists(SummaryCtxSome sc, CallContext innercc, ReturnKindExt kind, RetNodeEx retnode |
+      subpaths02(arg, par, sc, innercc, kind, out, apout) and
+      ret.getNodeEx() = retnode and
+      kind = retnode.getKind() and
+      innercc = ret.getCallContext() and
+      sc = ret.getSummaryCtx() and
+      ret.getConfiguration() = unbindConf(getPathNodeConf(arg)) and
+      apout = ret.getAp() and
+      not ret.isHidden()
+    )
+  }
+
+  /**
+   * Holds if `(arg, par, ret, out)` forms a subpath-tuple, that is, flow through
+   * a subpath between `par` and `ret` with the connecting edges `arg -> par` and
+   * `ret -> out` is summarized as the edge `arg -> out`.
+   */
+  predicate subpaths(PathNode arg, PathNodeImpl par, PathNodeMid ret, PathNodeMid out) {
+    exists(ParamNodeEx p, NodeEx o, AccessPath apout |
+      arg.getASuccessor() = par and
+      arg.getASuccessor() = out and
+      subpaths03(arg, p, ret, o, apout) and
+      par.getNodeEx() = p and
+      out.getNodeEx() = o and
+      out.getAp() = apout
+    )
+  }
+
+  /**
+   * Holds if `n` can reach a return node in a summarized subpath.
+   */
+  predicate retReach(PathNode n) {
+    subpaths(_, _, n, _)
+    or
+    exists(PathNode mid |
+      retReach(mid) and
+      n.getASuccessor() = mid and
+      not subpaths(_, mid, _, _)
+    )
+  }
+}
+
 /**
 * Holds if data can flow (inter-procedurally) from `source` to `sink`.
 *
--- a/Features/backdoor/ProcessNameToHashTaintFlow.expected
+++ b/Features/backdoor/ProcessNameToHashTaintFlow.expected
@ -1,3 +1,4 @@
 edges
 nodes
+subpaths
 #select
--- a/csharp/ql/test/library-tests/cil/dataflow/DataFlow.expected
+++ b/csharp/ql/test/library-tests/cil/dataflow/DataFlow.expected
@ -1,4 +1,23 @@
 edges
+| DataFlow.dll:0:0:0:0 | Parameter 1 of Taint1 : String | DataFlow.dll:0:0:0:0 | ldarg.1 : String |
+| DataFlow.dll:0:0:0:0 | Parameter 1 of Taint1 : String | DataFlow.dll:0:0:0:0 | ldarg.1 : String |
+| DataFlow.dll:0:0:0:0 | Parameter 1 of Taint2 : String | DataFlow.dll:0:0:0:0 | ldarg.1 : String |
+| DataFlow.dll:0:0:0:0 | Parameter 1 of Taint3 : String | DataFlow.dll:0:0:0:0 | ldarg.1 : String |
+| DataFlow.dll:0:0:0:0 | Parameter 1 of Taint5 : String | DataFlow.dll:0:0:0:0 | ldarg.1 : String |
+| DataFlow.dll:0:0:0:0 | Parameter 1 of Taint6 : String | DataFlow.dll:0:0:0:0 | ldarg.1 : String |
+| DataFlow.dll:0:0:0:0 | Parameter 1 of TaintIndirect : String | DataFlow.dll:0:0:0:0 | ldarg.1 : String |
+| DataFlow.dll:0:0:0:0 | Parameter 2 of Taint1 : String | DataFlow.dll:0:0:0:0 | ldarg.2 : String |
+| DataFlow.dll:0:0:0:0 | Parameter 2 of TaintIndirect : String | DataFlow.dll:0:0:0:0 | ldarg.2 : String |
+| DataFlow.dll:0:0:0:0 | ldarg.1 : String | DataFlow.dll:0:0:0:0 | Parameter 1 of Taint1 : String |
+| DataFlow.dll:0:0:0:0 | ldarg.1 : String | DataFlow.dll:0:0:0:0 | Parameter 1 of Taint5 : String |
+| DataFlow.dll:0:0:0:0 | ldarg.1 : String | DataFlow.dll:0:0:0:0 | Parameter 1 of Taint6 : String |
+| DataFlow.dll:0:0:0:0 | ldarg.1 : String | DataFlow.dll:0:0:0:0 | call : String |
+| DataFlow.dll:0:0:0:0 | ldarg.1 : String | DataFlow.dll:0:0:0:0 | call : String |
+| DataFlow.dll:0:0:0:0 | ldarg.1 : String | DataFlow.dll:0:0:0:0 | call : String |
+| DataFlow.dll:0:0:0:0 | ldarg.1 : String | DataFlow.dll:0:0:0:0 | call : String |
+| DataFlow.dll:0:0:0:0 | ldarg.2 : String | DataFlow.dll:0:0:0:0 | Parameter 2 of Taint1 : String |
+| DataFlow.dll:0:0:0:0 | ldarg.2 : String | DataFlow.dll:0:0:0:0 | call : String |
+| DataFlow.dll:0:0:0:0 | ldarg.2 : String | DataFlow.dll:0:0:0:0 | call : String |
 | dataflow.cs:16:18:16:26 | "tainted" : String | dataflow.cs:16:18:16:37 | call to method ToString |
 | dataflow.cs:18:27:18:27 | 2 : Int32 | dataflow.cs:18:18:18:31 | call to method Max |
 | dataflow.cs:18:30:18:30 | 3 : Int32 | dataflow.cs:18:18:18:31 | call to method Max |
@ -6,12 +25,19 @@ edges
 | dataflow.cs:20:45:20:53 | "tainted" : String | dataflow.cs:20:18:20:54 | call to method GetFullPath |
 | dataflow.cs:27:44:27:46 | 1 : Double | dataflow.cs:27:18:27:52 | call to method IEEERemainder |
 | dataflow.cs:27:49:27:51 | 2 : Double | dataflow.cs:27:18:27:52 | call to method IEEERemainder |
+| dataflow.cs:38:34:38:37 | "d1" : String | DataFlow.dll:0:0:0:0 | Parameter 1 of Taint1 : String |
 | dataflow.cs:38:34:38:37 | "d1" : String | dataflow.cs:38:18:38:38 | call to method Taint1 |
+| dataflow.cs:39:34:39:37 | "d2" : String | DataFlow.dll:0:0:0:0 | Parameter 1 of Taint2 : String |
 | dataflow.cs:39:34:39:37 | "d2" : String | dataflow.cs:39:18:39:38 | call to method Taint2 |
+| dataflow.cs:40:34:40:37 | "d3" : String | DataFlow.dll:0:0:0:0 | Parameter 1 of Taint3 : String |
 | dataflow.cs:40:34:40:37 | "d3" : String | dataflow.cs:40:18:40:38 | call to method Taint3 |
+| dataflow.cs:44:28:44:32 | "t1a" : String | DataFlow.dll:0:0:0:0 | Parameter 1 of Taint1 : String |
 | dataflow.cs:44:28:44:32 | "t1a" : String | dataflow.cs:44:18:44:40 | call to method Taint1 |
+| dataflow.cs:44:35:44:39 | "t1b" : String | DataFlow.dll:0:0:0:0 | Parameter 2 of Taint1 : String |
 | dataflow.cs:44:35:44:39 | "t1b" : String | dataflow.cs:44:18:44:40 | call to method Taint1 |
+| dataflow.cs:47:35:47:38 | "t6" : String | DataFlow.dll:0:0:0:0 | Parameter 1 of TaintIndirect : String |
 | dataflow.cs:47:35:47:38 | "t6" : String | dataflow.cs:47:18:47:45 | call to method TaintIndirect |
+| dataflow.cs:47:41:47:44 | "t6" : String | DataFlow.dll:0:0:0:0 | Parameter 2 of TaintIndirect : String |
 | dataflow.cs:47:41:47:44 | "t6" : String | dataflow.cs:47:18:47:45 | call to method TaintIndirect |
 | dataflow.cs:72:21:72:34 | call to method NullFunction : null | dataflow.cs:72:21:72:52 | ... ?? ... |
 | dataflow.cs:72:39:72:52 | call to method IndirectNull : null | dataflow.cs:72:21:72:52 | ... ?? ... |
@ -24,6 +50,30 @@ edges
 | dataflow.cs:108:16:108:16 | access to local variable x : null | dataflow.cs:72:21:72:34 | call to method NullFunction : null |
 | dataflow.cs:108:16:108:16 | access to local variable x : null | dataflow.cs:87:31:87:44 | call to method NullFunction : null |
 nodes
+| DataFlow.dll:0:0:0:0 | Parameter 1 of Taint1 : String | semmle.label | Parameter 1 of Taint1 : String |
+| DataFlow.dll:0:0:0:0 | Parameter 1 of Taint1 : String | semmle.label | Parameter 1 of Taint1 : String |
+| DataFlow.dll:0:0:0:0 | Parameter 1 of Taint2 : String | semmle.label | Parameter 1 of Taint2 : String |
+| DataFlow.dll:0:0:0:0 | Parameter 1 of Taint3 : String | semmle.label | Parameter 1 of Taint3 : String |
+| DataFlow.dll:0:0:0:0 | Parameter 1 of Taint5 : String | semmle.label | Parameter 1 of Taint5 : String |
+| DataFlow.dll:0:0:0:0 | Parameter 1 of Taint6 : String | semmle.label | Parameter 1 of Taint6 : String |
+| DataFlow.dll:0:0:0:0 | Parameter 1 of TaintIndirect : String | semmle.label | Parameter 1 of TaintIndirect : String |
+| DataFlow.dll:0:0:0:0 | Parameter 2 of Taint1 : String | semmle.label | Parameter 2 of Taint1 : String |
+| DataFlow.dll:0:0:0:0 | Parameter 2 of TaintIndirect : String | semmle.label | Parameter 2 of TaintIndirect : String |
+| DataFlow.dll:0:0:0:0 | call : String | semmle.label | call : String |
+| DataFlow.dll:0:0:0:0 | call : String | semmle.label | call : String |
+| DataFlow.dll:0:0:0:0 | call : String | semmle.label | call : String |
+| DataFlow.dll:0:0:0:0 | call : String | semmle.label | call : String |
+| DataFlow.dll:0:0:0:0 | call : String | semmle.label | call : String |
+| DataFlow.dll:0:0:0:0 | call : String | semmle.label | call : String |
+| DataFlow.dll:0:0:0:0 | ldarg.1 : String | semmle.label | ldarg.1 : String |
+| DataFlow.dll:0:0:0:0 | ldarg.1 : String | semmle.label | ldarg.1 : String |
+| DataFlow.dll:0:0:0:0 | ldarg.1 : String | semmle.label | ldarg.1 : String |
+| DataFlow.dll:0:0:0:0 | ldarg.1 : String | semmle.label | ldarg.1 : String |
+| DataFlow.dll:0:0:0:0 | ldarg.1 : String | semmle.label | ldarg.1 : String |
+| DataFlow.dll:0:0:0:0 | ldarg.1 : String | semmle.label | ldarg.1 : String |
+| DataFlow.dll:0:0:0:0 | ldarg.1 : String | semmle.label | ldarg.1 : String |
+| DataFlow.dll:0:0:0:0 | ldarg.2 : String | semmle.label | ldarg.2 : String |
+| DataFlow.dll:0:0:0:0 | ldarg.2 : String | semmle.label | ldarg.2 : String |
 | dataflow.cs:16:18:16:26 | "tainted" : String | semmle.label | "tainted" : String |
 | dataflow.cs:16:18:16:37 | call to method ToString | semmle.label | call to method ToString |
 | dataflow.cs:18:18:18:31 | call to method Max | semmle.label | call to method Max |
@ -58,6 +108,18 @@ nodes
 | dataflow.cs:106:20:106:33 | call to method IndirectNull : null | semmle.label | call to method IndirectNull : null |
 | dataflow.cs:107:23:107:26 | null : null | semmle.label | null : null |
 | dataflow.cs:108:16:108:16 | access to local variable x : null | semmle.label | access to local variable x : null |
+subpaths
+| DataFlow.dll:0:0:0:0 | ldarg.1 : String | DataFlow.dll:0:0:0:0 | Parameter 1 of Taint1 : String | DataFlow.dll:0:0:0:0 | call : String | DataFlow.dll:0:0:0:0 | call : String |
+| DataFlow.dll:0:0:0:0 | ldarg.1 : String | DataFlow.dll:0:0:0:0 | Parameter 1 of Taint5 : String | DataFlow.dll:0:0:0:0 | call : String | DataFlow.dll:0:0:0:0 | call : String |
+| DataFlow.dll:0:0:0:0 | ldarg.1 : String | DataFlow.dll:0:0:0:0 | Parameter 1 of Taint6 : String | DataFlow.dll:0:0:0:0 | ldarg.1 : String | DataFlow.dll:0:0:0:0 | call : String |
+| DataFlow.dll:0:0:0:0 | ldarg.2 : String | DataFlow.dll:0:0:0:0 | Parameter 2 of Taint1 : String | DataFlow.dll:0:0:0:0 | call : String | DataFlow.dll:0:0:0:0 | call : String |
+| dataflow.cs:38:34:38:37 | "d1" : String | DataFlow.dll:0:0:0:0 | Parameter 1 of Taint1 : String | DataFlow.dll:0:0:0:0 | ldarg.1 : String | dataflow.cs:38:18:38:38 | call to method Taint1 : String |
+| dataflow.cs:39:34:39:37 | "d2" : String | DataFlow.dll:0:0:0:0 | Parameter 1 of Taint2 : String | DataFlow.dll:0:0:0:0 | call : String | dataflow.cs:39:18:39:38 | call to method Taint2 : String |
+| dataflow.cs:40:34:40:37 | "d3" : String | DataFlow.dll:0:0:0:0 | Parameter 1 of Taint3 : String | DataFlow.dll:0:0:0:0 | ldarg.1 : String | dataflow.cs:40:18:40:38 | call to method Taint3 : String |
+| dataflow.cs:44:28:44:32 | "t1a" : String | DataFlow.dll:0:0:0:0 | Parameter 1 of Taint1 : String | DataFlow.dll:0:0:0:0 | call : String | dataflow.cs:44:18:44:40 | call to method Taint1 : String |
+| dataflow.cs:44:35:44:39 | "t1b" : String | DataFlow.dll:0:0:0:0 | Parameter 2 of Taint1 : String | DataFlow.dll:0:0:0:0 | call : String | dataflow.cs:44:18:44:40 | call to method Taint1 : String |
+| dataflow.cs:47:35:47:38 | "t6" : String | DataFlow.dll:0:0:0:0 | Parameter 1 of TaintIndirect : String | DataFlow.dll:0:0:0:0 | call : String | dataflow.cs:47:18:47:45 | call to method TaintIndirect : String |
+| dataflow.cs:47:41:47:44 | "t6" : String | DataFlow.dll:0:0:0:0 | Parameter 2 of TaintIndirect : String | DataFlow.dll:0:0:0:0 | call : String | dataflow.cs:47:18:47:45 | call to method TaintIndirect : String |
 #select
 | dataflow.cs:16:18:16:26 | "tainted" : String | dataflow.cs:16:18:16:37 | call to method ToString | dataflow.cs:16:18:16:37 | call to method ToString | $@ | dataflow.cs:16:18:16:37 | call to method ToString | call to method ToString |
 | dataflow.cs:18:27:18:27 | 2 : Int32 | dataflow.cs:18:18:18:31 | call to method Max | dataflow.cs:18:18:18:31 | call to method Max | $@ | dataflow.cs:18:18:18:31 | call to method Max | call to method Max |
--- a/csharp/ql/test/library-tests/cil/dataflow/DataFlow.ql
+++ b/csharp/ql/test/library-tests/cil/dataflow/DataFlow.ql
@ -4,7 +4,33 @@

 import csharp
 import DataFlow
-import DataFlow::PathGraph
+
+private predicate relevantPathNode(PathNode n) {
+  exists(File f | f = n.getNode().getLocation().getFile() |
+    f.fromSource()
+    or
+    f.getBaseName() = "DataFlow.dll"
+  )
+}
+
+query predicate edges(PathNode a, PathNode b) {
+  PathGraph::edges(a, b) and
+  relevantPathNode(a) and
+  relevantPathNode(b)
+}
+
+query predicate nodes(PathNode n, string key, string val) {
+  PathGraph::nodes(n, key, val) and
+  relevantPathNode(n)
+}
+
+query predicate subpaths(PathNode arg, PathNode par, PathNode ret, PathNode out) {
+  PathGraph::subpaths(arg, par, ret, out) and
+  relevantPathNode(arg) and
+  relevantPathNode(par) and
+  relevantPathNode(ret) and
+  relevantPathNode(out)
+}

 class FlowConfig extends Configuration {
  FlowConfig() { this = "FlowConfig" }
@ -16,6 +42,6 @@ class FlowConfig extends Configuration {
  }
 }

-from DataFlow::PathNode source, DataFlow::PathNode sink, FlowConfig config
+from PathNode source, PathNode sink, FlowConfig config
 where config.hasFlowPath(source, sink)
 select source, sink, sink, "$@", sink, sink.toString()
--- a/csharp/ql/test/library-tests/csharp7/GlobalFlow.expected
+++ b/csharp/ql/test/library-tests/csharp7/GlobalFlow.expected
@ -1,25 +1,41 @@
 edges
 | CSharp7.cs:39:9:39:21 | SSA def(x) : String | CSharp7.cs:49:22:49:23 | SSA def(t1) : String |
 | CSharp7.cs:39:13:39:21 | "tainted" : String | CSharp7.cs:39:9:39:21 | SSA def(x) : String |
+| CSharp7.cs:42:19:42:19 | x : String | CSharp7.cs:44:9:44:13 | SSA def(y) : String |
 | CSharp7.cs:49:22:49:23 | SSA def(t1) : String | CSharp7.cs:51:18:51:19 | access to local variable t1 |
+| CSharp7.cs:55:11:55:19 | "tainted" : String | CSharp7.cs:42:19:42:19 | x : String |
 | CSharp7.cs:55:11:55:19 | "tainted" : String | CSharp7.cs:55:30:55:31 | SSA def(t4) : String |
 | CSharp7.cs:55:30:55:31 | SSA def(t4) : String | CSharp7.cs:56:18:56:19 | access to local variable t4 |
+| CSharp7.cs:80:21:80:21 | x : String | CSharp7.cs:82:20:82:20 | access to parameter x : String |
+| CSharp7.cs:82:16:82:24 | (..., ...) [field Item1] : String | CSharp7.cs:82:16:82:26 | access to field Item1 : String |
+| CSharp7.cs:82:20:82:20 | access to parameter x : String | CSharp7.cs:82:16:82:24 | (..., ...) [field Item1] : String |
 | CSharp7.cs:87:18:87:34 | (..., ...) [field Item1] : String | CSharp7.cs:90:20:90:21 | access to local variable t1 [field Item1] : String |
 | CSharp7.cs:87:19:87:27 | "tainted" : String | CSharp7.cs:87:18:87:34 | (..., ...) [field Item1] : String |
 | CSharp7.cs:90:20:90:21 | access to local variable t1 [field Item1] : String | CSharp7.cs:90:20:90:27 | access to field Item1 : String |
+| CSharp7.cs:90:20:90:27 | access to field Item1 : String | CSharp7.cs:80:21:80:21 | x : String |
 | CSharp7.cs:90:20:90:27 | access to field Item1 : String | CSharp7.cs:90:18:90:28 | call to method I |
 | CSharp7.cs:175:22:175:30 | "tainted" : String | CSharp7.cs:181:23:181:25 | access to local variable src : String |
 | CSharp7.cs:175:22:175:30 | "tainted" : String | CSharp7.cs:182:23:182:25 | access to local variable src : String |
+| CSharp7.cs:177:25:177:25 | s : String | CSharp7.cs:177:31:177:31 | access to parameter s : String |
+| CSharp7.cs:178:25:178:25 | s : String | CSharp7.cs:178:37:178:37 | access to parameter s : String |
+| CSharp7.cs:181:23:181:25 | access to local variable src : String | CSharp7.cs:177:25:177:25 | s : String |
 | CSharp7.cs:181:23:181:25 | access to local variable src : String | CSharp7.cs:181:21:181:26 | call to local function g |
+| CSharp7.cs:182:23:182:25 | access to local variable src : String | CSharp7.cs:178:25:178:25 | s : String |
 | CSharp7.cs:182:23:182:25 | access to local variable src : String | CSharp7.cs:182:21:182:26 | call to local function h |
 nodes
 | CSharp7.cs:39:9:39:21 | SSA def(x) : String | semmle.label | SSA def(x) : String |
 | CSharp7.cs:39:13:39:21 | "tainted" : String | semmle.label | "tainted" : String |
+| CSharp7.cs:42:19:42:19 | x : String | semmle.label | x : String |
+| CSharp7.cs:44:9:44:13 | SSA def(y) : String | semmle.label | SSA def(y) : String |
 | CSharp7.cs:49:22:49:23 | SSA def(t1) : String | semmle.label | SSA def(t1) : String |
 | CSharp7.cs:51:18:51:19 | access to local variable t1 | semmle.label | access to local variable t1 |
 | CSharp7.cs:55:11:55:19 | "tainted" : String | semmle.label | "tainted" : String |
 | CSharp7.cs:55:30:55:31 | SSA def(t4) : String | semmle.label | SSA def(t4) : String |
 | CSharp7.cs:56:18:56:19 | access to local variable t4 | semmle.label | access to local variable t4 |
+| CSharp7.cs:80:21:80:21 | x : String | semmle.label | x : String |
+| CSharp7.cs:82:16:82:24 | (..., ...) [field Item1] : String | semmle.label | (..., ...) [field Item1] : String |
+| CSharp7.cs:82:16:82:26 | access to field Item1 : String | semmle.label | access to field Item1 : String |
+| CSharp7.cs:82:20:82:20 | access to parameter x : String | semmle.label | access to parameter x : String |
 | CSharp7.cs:87:18:87:34 | (..., ...) [field Item1] : String | semmle.label | (..., ...) [field Item1] : String |
 | CSharp7.cs:87:19:87:27 | "tainted" : String | semmle.label | "tainted" : String |
 | CSharp7.cs:90:18:90:28 | call to method I | semmle.label | call to method I |
@ -27,10 +43,19 @@ nodes
 | CSharp7.cs:90:20:90:27 | access to field Item1 : String | semmle.label | access to field Item1 : String |
 | CSharp7.cs:175:22:175:30 | "tainted" | semmle.label | "tainted" |
 | CSharp7.cs:175:22:175:30 | "tainted" : String | semmle.label | "tainted" : String |
+| CSharp7.cs:177:25:177:25 | s : String | semmle.label | s : String |
+| CSharp7.cs:177:31:177:31 | access to parameter s : String | semmle.label | access to parameter s : String |
+| CSharp7.cs:178:25:178:25 | s : String | semmle.label | s : String |
+| CSharp7.cs:178:37:178:37 | access to parameter s : String | semmle.label | access to parameter s : String |
 | CSharp7.cs:181:21:181:26 | call to local function g | semmle.label | call to local function g |
 | CSharp7.cs:181:23:181:25 | access to local variable src : String | semmle.label | access to local variable src : String |
 | CSharp7.cs:182:21:182:26 | call to local function h | semmle.label | call to local function h |
 | CSharp7.cs:182:23:182:25 | access to local variable src : String | semmle.label | access to local variable src : String |
+subpaths
+| CSharp7.cs:55:11:55:19 | "tainted" : String | CSharp7.cs:42:19:42:19 | x : String | CSharp7.cs:44:9:44:13 | SSA def(y) : String | CSharp7.cs:55:30:55:31 | SSA def(t4) : String |
+| CSharp7.cs:90:20:90:27 | access to field Item1 : String | CSharp7.cs:80:21:80:21 | x : String | CSharp7.cs:82:16:82:26 | access to field Item1 : String | CSharp7.cs:90:18:90:28 | call to method I : String |
+| CSharp7.cs:181:23:181:25 | access to local variable src : String | CSharp7.cs:177:25:177:25 | s : String | CSharp7.cs:177:31:177:31 | access to parameter s : String | CSharp7.cs:181:21:181:26 | call to local function g : String |
+| CSharp7.cs:182:23:182:25 | access to local variable src : String | CSharp7.cs:178:25:178:25 | s : String | CSharp7.cs:178:37:178:37 | access to parameter s : String | CSharp7.cs:182:21:182:26 | call to local function h : String |
 #select
 | CSharp7.cs:39:13:39:21 | "tainted" : String | CSharp7.cs:39:13:39:21 | "tainted" : String | CSharp7.cs:51:18:51:19 | access to local variable t1 | $@ | CSharp7.cs:51:18:51:19 | access to local variable t1 | access to local variable t1 |
 | CSharp7.cs:55:11:55:19 | "tainted" : String | CSharp7.cs:55:11:55:19 | "tainted" : String | CSharp7.cs:56:18:56:19 | access to local variable t4 | $@ | CSharp7.cs:56:18:56:19 | access to local variable t4 | access to local variable t4 |
--- a/csharp/ql/test/library-tests/csharp7/GlobalTaintTracking.expected
+++ b/csharp/ql/test/library-tests/csharp7/GlobalTaintTracking.expected
@ -1,27 +1,48 @@
 edges
 | CSharp7.cs:39:9:39:21 | SSA def(x) : String | CSharp7.cs:49:22:49:23 | SSA def(t1) : String |
 | CSharp7.cs:39:13:39:21 | "tainted" : String | CSharp7.cs:39:9:39:21 | SSA def(x) : String |
+| CSharp7.cs:42:19:42:19 | x : String | CSharp7.cs:44:9:44:13 | SSA def(y) : String |
 | CSharp7.cs:49:22:49:23 | SSA def(t1) : String | CSharp7.cs:51:18:51:19 | access to local variable t1 |
+| CSharp7.cs:55:11:55:19 | "tainted" : String | CSharp7.cs:42:19:42:19 | x : String |
 | CSharp7.cs:55:11:55:19 | "tainted" : String | CSharp7.cs:55:30:55:31 | SSA def(t4) : String |
 | CSharp7.cs:55:30:55:31 | SSA def(t4) : String | CSharp7.cs:56:18:56:19 | access to local variable t4 |
+| CSharp7.cs:80:21:80:21 | x : String | CSharp7.cs:82:20:82:20 | access to parameter x : String |
+| CSharp7.cs:82:16:82:24 | (..., ...) [field Item1] : String | CSharp7.cs:82:16:82:26 | access to field Item1 : String |
+| CSharp7.cs:82:20:82:20 | access to parameter x : String | CSharp7.cs:82:16:82:24 | (..., ...) [field Item1] : String |
 | CSharp7.cs:87:18:87:34 | (..., ...) [field Item1] : String | CSharp7.cs:90:20:90:21 | access to local variable t1 [field Item1] : String |
 | CSharp7.cs:87:19:87:27 | "tainted" : String | CSharp7.cs:87:18:87:34 | (..., ...) [field Item1] : String |
 | CSharp7.cs:90:20:90:21 | access to local variable t1 [field Item1] : String | CSharp7.cs:90:20:90:27 | access to field Item1 : String |
+| CSharp7.cs:90:20:90:27 | access to field Item1 : String | CSharp7.cs:80:21:80:21 | x : String |
 | CSharp7.cs:90:20:90:27 | access to field Item1 : String | CSharp7.cs:90:18:90:28 | call to method I |
 | CSharp7.cs:175:22:175:30 | "tainted" : String | CSharp7.cs:180:23:180:25 | access to local variable src : String |
 | CSharp7.cs:175:22:175:30 | "tainted" : String | CSharp7.cs:181:23:181:25 | access to local variable src : String |
 | CSharp7.cs:175:22:175:30 | "tainted" : String | CSharp7.cs:182:23:182:25 | access to local variable src : String |
+| CSharp7.cs:176:25:176:25 | s : String | CSharp7.cs:176:33:176:33 | access to parameter s : String |
+| CSharp7.cs:176:31:176:34 | call to local function g : String | CSharp7.cs:176:31:176:39 | ... + ... : String |
+| CSharp7.cs:176:33:176:33 | access to parameter s : String | CSharp7.cs:176:31:176:34 | call to local function g : String |
+| CSharp7.cs:176:33:176:33 | access to parameter s : String | CSharp7.cs:177:25:177:25 | s : String |
+| CSharp7.cs:177:25:177:25 | s : String | CSharp7.cs:177:31:177:31 | access to parameter s : String |
+| CSharp7.cs:178:25:178:25 | s : String | CSharp7.cs:178:37:178:37 | access to parameter s : String |
+| CSharp7.cs:180:23:180:25 | access to local variable src : String | CSharp7.cs:176:25:176:25 | s : String |
 | CSharp7.cs:180:23:180:25 | access to local variable src : String | CSharp7.cs:180:21:180:26 | call to local function f |
+| CSharp7.cs:181:23:181:25 | access to local variable src : String | CSharp7.cs:177:25:177:25 | s : String |
 | CSharp7.cs:181:23:181:25 | access to local variable src : String | CSharp7.cs:181:21:181:26 | call to local function g |
+| CSharp7.cs:182:23:182:25 | access to local variable src : String | CSharp7.cs:178:25:178:25 | s : String |
 | CSharp7.cs:182:23:182:25 | access to local variable src : String | CSharp7.cs:182:21:182:26 | call to local function h |
 nodes
 | CSharp7.cs:39:9:39:21 | SSA def(x) : String | semmle.label | SSA def(x) : String |
 | CSharp7.cs:39:13:39:21 | "tainted" : String | semmle.label | "tainted" : String |
+| CSharp7.cs:42:19:42:19 | x : String | semmle.label | x : String |
+| CSharp7.cs:44:9:44:13 | SSA def(y) : String | semmle.label | SSA def(y) : String |
 | CSharp7.cs:49:22:49:23 | SSA def(t1) : String | semmle.label | SSA def(t1) : String |
 | CSharp7.cs:51:18:51:19 | access to local variable t1 | semmle.label | access to local variable t1 |
 | CSharp7.cs:55:11:55:19 | "tainted" : String | semmle.label | "tainted" : String |
 | CSharp7.cs:55:30:55:31 | SSA def(t4) : String | semmle.label | SSA def(t4) : String |
 | CSharp7.cs:56:18:56:19 | access to local variable t4 | semmle.label | access to local variable t4 |
+| CSharp7.cs:80:21:80:21 | x : String | semmle.label | x : String |
+| CSharp7.cs:82:16:82:24 | (..., ...) [field Item1] : String | semmle.label | (..., ...) [field Item1] : String |
+| CSharp7.cs:82:16:82:26 | access to field Item1 : String | semmle.label | access to field Item1 : String |
+| CSharp7.cs:82:20:82:20 | access to parameter x : String | semmle.label | access to parameter x : String |
 | CSharp7.cs:87:18:87:34 | (..., ...) [field Item1] : String | semmle.label | (..., ...) [field Item1] : String |
 | CSharp7.cs:87:19:87:27 | "tainted" : String | semmle.label | "tainted" : String |
 | CSharp7.cs:90:18:90:28 | call to method I | semmle.label | call to method I |
@ -29,12 +50,27 @@ nodes
 | CSharp7.cs:90:20:90:27 | access to field Item1 : String | semmle.label | access to field Item1 : String |
 | CSharp7.cs:175:22:175:30 | "tainted" | semmle.label | "tainted" |
 | CSharp7.cs:175:22:175:30 | "tainted" : String | semmle.label | "tainted" : String |
+| CSharp7.cs:176:25:176:25 | s : String | semmle.label | s : String |
+| CSharp7.cs:176:31:176:34 | call to local function g : String | semmle.label | call to local function g : String |
+| CSharp7.cs:176:31:176:39 | ... + ... : String | semmle.label | ... + ... : String |
+| CSharp7.cs:176:33:176:33 | access to parameter s : String | semmle.label | access to parameter s : String |
+| CSharp7.cs:177:25:177:25 | s : String | semmle.label | s : String |
+| CSharp7.cs:177:31:177:31 | access to parameter s : String | semmle.label | access to parameter s : String |
+| CSharp7.cs:178:25:178:25 | s : String | semmle.label | s : String |
+| CSharp7.cs:178:37:178:37 | access to parameter s : String | semmle.label | access to parameter s : String |
 | CSharp7.cs:180:21:180:26 | call to local function f | semmle.label | call to local function f |
 | CSharp7.cs:180:23:180:25 | access to local variable src : String | semmle.label | access to local variable src : String |
 | CSharp7.cs:181:21:181:26 | call to local function g | semmle.label | call to local function g |
 | CSharp7.cs:181:23:181:25 | access to local variable src : String | semmle.label | access to local variable src : String |
 | CSharp7.cs:182:21:182:26 | call to local function h | semmle.label | call to local function h |
 | CSharp7.cs:182:23:182:25 | access to local variable src : String | semmle.label | access to local variable src : String |
+subpaths
+| CSharp7.cs:55:11:55:19 | "tainted" : String | CSharp7.cs:42:19:42:19 | x : String | CSharp7.cs:44:9:44:13 | SSA def(y) : String | CSharp7.cs:55:30:55:31 | SSA def(t4) : String |
+| CSharp7.cs:90:20:90:27 | access to field Item1 : String | CSharp7.cs:80:21:80:21 | x : String | CSharp7.cs:82:16:82:26 | access to field Item1 : String | CSharp7.cs:90:18:90:28 | call to method I : String |
+| CSharp7.cs:176:33:176:33 | access to parameter s : String | CSharp7.cs:177:25:177:25 | s : String | CSharp7.cs:177:31:177:31 | access to parameter s : String | CSharp7.cs:176:31:176:34 | call to local function g : String |
+| CSharp7.cs:180:23:180:25 | access to local variable src : String | CSharp7.cs:176:25:176:25 | s : String | CSharp7.cs:176:31:176:39 | ... + ... : String | CSharp7.cs:180:21:180:26 | call to local function f : String |
+| CSharp7.cs:181:23:181:25 | access to local variable src : String | CSharp7.cs:177:25:177:25 | s : String | CSharp7.cs:177:31:177:31 | access to parameter s : String | CSharp7.cs:181:21:181:26 | call to local function g : String |
+| CSharp7.cs:182:23:182:25 | access to local variable src : String | CSharp7.cs:178:25:178:25 | s : String | CSharp7.cs:178:37:178:37 | access to parameter s : String | CSharp7.cs:182:21:182:26 | call to local function h : String |
 #select
 | CSharp7.cs:39:13:39:21 | "tainted" : String | CSharp7.cs:39:13:39:21 | "tainted" : String | CSharp7.cs:51:18:51:19 | access to local variable t1 | $@ | CSharp7.cs:51:18:51:19 | access to local variable t1 | access to local variable t1 |
 | CSharp7.cs:55:11:55:19 | "tainted" : String | CSharp7.cs:55:11:55:19 | "tainted" : String | CSharp7.cs:56:18:56:19 | access to local variable t4 | $@ | CSharp7.cs:56:18:56:19 | access to local variable t4 | access to local variable t4 |
--- a/csharp/ql/test/library-tests/dataflow/async/Async.expected
+++ b/csharp/ql/test/library-tests/dataflow/async/Async.expected
@ -1,6 +1,8 @@
 edges
 | Async.cs:9:37:9:41 | input : String | Async.cs:11:21:11:25 | access to parameter input : String |
 | Async.cs:11:21:11:25 | access to parameter input : String | Async.cs:11:14:11:26 | call to method Return |
+| Async.cs:11:21:11:25 | access to parameter input : String | Async.cs:14:34:14:34 | x : String |
+| Async.cs:14:34:14:34 | x : String | Async.cs:16:16:16:16 | access to parameter x : String |
 | Async.cs:14:34:14:34 | x : String | Async.cs:16:16:16:16 | access to parameter x : String |
 | Async.cs:16:16:16:16 | access to parameter x : String | Async.cs:11:14:11:26 | call to method Return |
 | Async.cs:19:41:19:45 | input : String | Async.cs:21:32:21:36 | access to parameter input : String |
@ -19,9 +21,12 @@ edges
 | Async.cs:41:33:41:37 | input : String | Async.cs:43:25:43:29 | access to parameter input : String |
 | Async.cs:43:14:43:30 | call to method ReturnTask [property Result] : String | Async.cs:43:14:43:37 | access to property Result |
 | Async.cs:43:25:43:29 | access to parameter input : String | Async.cs:43:14:43:30 | call to method ReturnTask [property Result] : String |
+| Async.cs:43:25:43:29 | access to parameter input : String | Async.cs:46:44:46:44 | x : String |
+| Async.cs:46:44:46:44 | x : String | Async.cs:48:32:48:32 | access to parameter x : String |
 | Async.cs:46:44:46:44 | x : String | Async.cs:48:32:48:32 | access to parameter x : String |
 | Async.cs:48:16:48:33 | call to method FromResult<String> [property Result] : String | Async.cs:43:14:43:30 | call to method ReturnTask [property Result] : String |
 | Async.cs:48:32:48:32 | access to parameter x : String | Async.cs:48:16:48:33 | call to method FromResult<String> [property Result] : String |
+| Async.cs:48:32:48:32 | access to parameter x : String | Async.cs:48:16:48:33 | call to method FromResult<String> [property Result] : String |
 | Async.cs:51:52:51:52 | x : String | Async.cs:51:58:51:58 | access to parameter x : String |
 | Async.cs:51:58:51:58 | access to parameter x : String | Async.cs:32:14:32:32 | call to method ReturnAwait2 [property Result] : String |
 nodes
@ -29,6 +34,8 @@ nodes
 | Async.cs:11:14:11:26 | call to method Return | semmle.label | call to method Return |
 | Async.cs:11:21:11:25 | access to parameter input : String | semmle.label | access to parameter input : String |
 | Async.cs:14:34:14:34 | x : String | semmle.label | x : String |
+| Async.cs:14:34:14:34 | x : String | semmle.label | x : String |
+| Async.cs:16:16:16:16 | access to parameter x : String | semmle.label | access to parameter x : String |
 | Async.cs:16:16:16:16 | access to parameter x : String | semmle.label | access to parameter x : String |
 | Async.cs:19:41:19:45 | input : String | semmle.label | input : String |
 | Async.cs:21:14:21:37 | await ... | semmle.label | await ... |
@ -50,10 +57,16 @@ nodes
 | Async.cs:43:14:43:37 | access to property Result | semmle.label | access to property Result |
 | Async.cs:43:25:43:29 | access to parameter input : String | semmle.label | access to parameter input : String |
 | Async.cs:46:44:46:44 | x : String | semmle.label | x : String |
+| Async.cs:46:44:46:44 | x : String | semmle.label | x : String |
 | Async.cs:48:16:48:33 | call to method FromResult<String> [property Result] : String | semmle.label | call to method FromResult<String> [property Result] : String |
+| Async.cs:48:16:48:33 | call to method FromResult<String> [property Result] : String | semmle.label | call to method FromResult<String> [property Result] : String |
+| Async.cs:48:32:48:32 | access to parameter x : String | semmle.label | access to parameter x : String |
 | Async.cs:48:32:48:32 | access to parameter x : String | semmle.label | access to parameter x : String |
 | Async.cs:51:52:51:52 | x : String | semmle.label | x : String |
 | Async.cs:51:58:51:58 | access to parameter x : String | semmle.label | access to parameter x : String |
+subpaths
+| Async.cs:11:21:11:25 | access to parameter input : String | Async.cs:14:34:14:34 | x : String | Async.cs:16:16:16:16 | access to parameter x : String | Async.cs:11:14:11:26 | call to method Return : String |
+| Async.cs:43:25:43:29 | access to parameter input : String | Async.cs:46:44:46:44 | x : String | Async.cs:48:16:48:33 | call to method FromResult<String> [property Result] : String | Async.cs:43:14:43:30 | call to method ReturnTask [property Result] : String |
 #select
 | Async.cs:11:14:11:26 | call to method Return | Async.cs:9:37:9:41 | input : String | Async.cs:11:14:11:26 | call to method Return | $@ flows to here and is used. | Async.cs:9:37:9:41 | input | User-provided value |
 | Async.cs:11:14:11:26 | call to method Return | Async.cs:14:34:14:34 | x : String | Async.cs:11:14:11:26 | call to method Return | $@ flows to here and is used. | Async.cs:14:34:14:34 | x | User-provided value |
--- a/csharp/ql/test/library-tests/dataflow/call-sensitivity/CallSensitivityFlow.expected
+++ b/csharp/ql/test/library-tests/dataflow/call-sensitivity/CallSensitivityFlow.expected
@ -1,4 +1,6 @@
 edges
+| CallSensitivityFlow.cs:7:38:7:38 | o : Object | CallSensitivityFlow.cs:11:20:11:20 | access to parameter o : Object |
+| CallSensitivityFlow.cs:7:38:7:38 | o : Object | CallSensitivityFlow.cs:11:20:11:20 | access to parameter o : Object |
 | CallSensitivityFlow.cs:19:39:19:39 | o : Object | CallSensitivityFlow.cs:23:18:23:18 | access to parameter o |
 | CallSensitivityFlow.cs:27:40:27:40 | o : Object | CallSensitivityFlow.cs:31:18:31:18 | access to parameter o |
 | CallSensitivityFlow.cs:27:40:27:40 | o : Object | CallSensitivityFlow.cs:31:18:31:18 | access to parameter o |
@ -15,12 +17,14 @@ edges
 | CallSensitivityFlow.cs:82:31:82:42 | object creation of type Object : Object | CallSensitivityFlow.cs:56:46:56:46 | o : Object |
 | CallSensitivityFlow.cs:83:31:83:42 | object creation of type Object : Object | CallSensitivityFlow.cs:56:46:56:46 | o : Object |
 | CallSensitivityFlow.cs:84:31:84:42 | object creation of type Object : Object | CallSensitivityFlow.cs:56:46:56:46 | o : Object |
+| CallSensitivityFlow.cs:85:26:85:37 | object creation of type Object : Object | CallSensitivityFlow.cs:7:38:7:38 | o : Object |
 | CallSensitivityFlow.cs:85:26:85:37 | object creation of type Object : Object | CallSensitivityFlow.cs:85:14:85:44 | call to method FlowThrough |
 | CallSensitivityFlow.cs:87:31:87:42 | object creation of type Object : Object | CallSensitivityFlow.cs:56:46:56:46 | o : Object |
 | CallSensitivityFlow.cs:101:24:101:35 | object creation of type Object : Object | CallSensitivityFlow.cs:19:39:19:39 | o : Object |
 | CallSensitivityFlow.cs:102:25:102:36 | object creation of type Object : Object | CallSensitivityFlow.cs:27:40:27:40 | o : Object |
 | CallSensitivityFlow.cs:103:26:103:37 | object creation of type Object : Object | CallSensitivityFlow.cs:35:41:35:41 | o : Object |
 | CallSensitivityFlow.cs:104:30:104:41 | object creation of type Object : Object | CallSensitivityFlow.cs:43:45:43:45 | o : Object |
+| CallSensitivityFlow.cs:105:26:105:37 | object creation of type Object : Object | CallSensitivityFlow.cs:7:38:7:38 | o : Object |
 | CallSensitivityFlow.cs:105:26:105:37 | object creation of type Object : Object | CallSensitivityFlow.cs:105:14:105:41 | call to method FlowThrough |
 | CallSensitivityFlow.cs:117:26:117:37 | object creation of type Object : Object | CallSensitivityFlow.cs:124:43:124:43 | o : Object |
 | CallSensitivityFlow.cs:118:27:118:38 | object creation of type Object : Object | CallSensitivityFlow.cs:132:44:132:44 | o : Object |
@ -38,6 +42,10 @@ edges
 | CallSensitivityFlow.cs:187:17:187:30 | call to method CallMOut : Object | CallSensitivityFlow.cs:188:14:188:14 | access to local variable o |
 | CallSensitivityFlow.cs:205:40:205:40 | o : Object | CallSensitivityFlow.cs:208:18:208:18 | access to parameter o |
 nodes
+| CallSensitivityFlow.cs:7:38:7:38 | o : Object | semmle.label | o : Object |
+| CallSensitivityFlow.cs:7:38:7:38 | o : Object | semmle.label | o : Object |
+| CallSensitivityFlow.cs:11:20:11:20 | access to parameter o : Object | semmle.label | access to parameter o : Object |
+| CallSensitivityFlow.cs:11:20:11:20 | access to parameter o : Object | semmle.label | access to parameter o : Object |
 | CallSensitivityFlow.cs:19:39:19:39 | o : Object | semmle.label | o : Object |
 | CallSensitivityFlow.cs:23:18:23:18 | access to parameter o | semmle.label | access to parameter o |
 | CallSensitivityFlow.cs:27:40:27:40 | o : Object | semmle.label | o : Object |
@ -89,6 +97,9 @@ nodes
 | CallSensitivityFlow.cs:188:14:188:14 | access to local variable o | semmle.label | access to local variable o |
 | CallSensitivityFlow.cs:205:40:205:40 | o : Object | semmle.label | o : Object |
 | CallSensitivityFlow.cs:208:18:208:18 | access to parameter o | semmle.label | access to parameter o |
+subpaths
+| CallSensitivityFlow.cs:85:26:85:37 | object creation of type Object : Object | CallSensitivityFlow.cs:7:38:7:38 | o : Object | CallSensitivityFlow.cs:11:20:11:20 | access to parameter o : Object | CallSensitivityFlow.cs:85:14:85:44 | call to method FlowThrough : Object |
+| CallSensitivityFlow.cs:105:26:105:37 | object creation of type Object : Object | CallSensitivityFlow.cs:7:38:7:38 | o : Object | CallSensitivityFlow.cs:11:20:11:20 | access to parameter o : Object | CallSensitivityFlow.cs:105:14:105:41 | call to method FlowThrough : Object |
 #select
 | CallSensitivityFlow.cs:78:24:78:35 | object creation of type Object : Object | CallSensitivityFlow.cs:78:24:78:35 | object creation of type Object : Object | CallSensitivityFlow.cs:23:18:23:18 | access to parameter o | $@ | CallSensitivityFlow.cs:23:18:23:18 | access to parameter o | access to parameter o |
 | CallSensitivityFlow.cs:79:25:79:36 | object creation of type Object : Object | CallSensitivityFlow.cs:79:25:79:36 | object creation of type Object : Object | CallSensitivityFlow.cs:31:18:31:18 | access to parameter o | $@ | CallSensitivityFlow.cs:31:18:31:18 | access to parameter o | access to parameter o |
--- a/csharp/ql/test/library-tests/dataflow/collections/CollectionFlow.expected
+++ b/csharp/ql/test/library-tests/dataflow/collections/CollectionFlow.expected
@ -7,6 +7,7 @@ edges
 | CollectionFlow.cs:15:14:15:16 | access to local variable as [element] : A | CollectionFlow.cs:15:14:15:19 | access to array element |
 | CollectionFlow.cs:16:18:16:20 | access to local variable as [element] : A | CollectionFlow.cs:373:40:373:41 | ts [element] : A |
 | CollectionFlow.cs:17:20:17:22 | access to local variable as [element] : A | CollectionFlow.cs:17:14:17:23 | call to method First<A> |
+| CollectionFlow.cs:17:20:17:22 | access to local variable as [element] : A | CollectionFlow.cs:381:34:381:35 | ts [element] : A |
 | CollectionFlow.cs:31:17:31:23 | object creation of type A : A | CollectionFlow.cs:32:53:32:53 | access to local variable a : A |
 | CollectionFlow.cs:32:38:32:57 | { ..., ... } [field As, element] : A | CollectionFlow.cs:33:14:33:14 | access to local variable c [field As, element] : A |
 | CollectionFlow.cs:32:38:32:57 | { ..., ... } [field As, element] : A | CollectionFlow.cs:34:18:34:18 | access to local variable c [field As, element] : A |
@ -19,6 +20,7 @@ edges
 | CollectionFlow.cs:34:18:34:21 | access to field As [element] : A | CollectionFlow.cs:373:40:373:41 | ts [element] : A |
 | CollectionFlow.cs:35:20:35:20 | access to local variable c [field As, element] : A | CollectionFlow.cs:35:20:35:23 | access to field As [element] : A |
 | CollectionFlow.cs:35:20:35:23 | access to field As [element] : A | CollectionFlow.cs:35:14:35:24 | call to method First<A> |
+| CollectionFlow.cs:35:20:35:23 | access to field As [element] : A | CollectionFlow.cs:381:34:381:35 | ts [element] : A |
 | CollectionFlow.cs:49:17:49:23 | object creation of type A : A | CollectionFlow.cs:51:18:51:18 | access to local variable a : A |
 | CollectionFlow.cs:51:9:51:11 | [post] access to local variable as [element] : A | CollectionFlow.cs:52:14:52:16 | access to local variable as [element] : A |
 | CollectionFlow.cs:51:9:51:11 | [post] access to local variable as [element] : A | CollectionFlow.cs:53:18:53:20 | access to local variable as [element] : A |
@ -27,6 +29,7 @@ edges
 | CollectionFlow.cs:52:14:52:16 | access to local variable as [element] : A | CollectionFlow.cs:52:14:52:19 | access to array element |
 | CollectionFlow.cs:53:18:53:20 | access to local variable as [element] : A | CollectionFlow.cs:373:40:373:41 | ts [element] : A |
 | CollectionFlow.cs:54:20:54:22 | access to local variable as [element] : A | CollectionFlow.cs:54:14:54:23 | call to method First<A> |
+| CollectionFlow.cs:54:20:54:22 | access to local variable as [element] : A | CollectionFlow.cs:381:34:381:35 | ts [element] : A |
 | CollectionFlow.cs:69:17:69:23 | object creation of type A : A | CollectionFlow.cs:71:19:71:19 | access to local variable a : A |
 | CollectionFlow.cs:71:9:71:12 | [post] access to local variable list [element] : A | CollectionFlow.cs:72:14:72:17 | access to local variable list [element] : A |
 | CollectionFlow.cs:71:9:71:12 | [post] access to local variable list [element] : A | CollectionFlow.cs:73:22:73:25 | access to local variable list [element] : A |
@ -35,6 +38,7 @@ edges
 | CollectionFlow.cs:72:14:72:17 | access to local variable list [element] : A | CollectionFlow.cs:72:14:72:20 | access to indexer |
 | CollectionFlow.cs:73:22:73:25 | access to local variable list [element] : A | CollectionFlow.cs:375:49:375:52 | list [element] : A |
 | CollectionFlow.cs:74:24:74:27 | access to local variable list [element] : A | CollectionFlow.cs:74:14:74:28 | call to method ListFirst<A> |
+| CollectionFlow.cs:74:24:74:27 | access to local variable list [element] : A | CollectionFlow.cs:383:43:383:46 | list [element] : A |
 | CollectionFlow.cs:88:17:88:23 | object creation of type A : A | CollectionFlow.cs:89:36:89:36 | access to local variable a : A |
 | CollectionFlow.cs:89:20:89:38 | object creation of type List<A> [element] : A | CollectionFlow.cs:90:14:90:17 | access to local variable list [element] : A |
 | CollectionFlow.cs:89:20:89:38 | object creation of type List<A> [element] : A | CollectionFlow.cs:91:22:91:25 | access to local variable list [element] : A |
@ -43,6 +47,7 @@ edges
 | CollectionFlow.cs:90:14:90:17 | access to local variable list [element] : A | CollectionFlow.cs:90:14:90:20 | access to indexer |
 | CollectionFlow.cs:91:22:91:25 | access to local variable list [element] : A | CollectionFlow.cs:375:49:375:52 | list [element] : A |
 | CollectionFlow.cs:92:24:92:27 | access to local variable list [element] : A | CollectionFlow.cs:92:14:92:28 | call to method ListFirst<A> |
+| CollectionFlow.cs:92:24:92:27 | access to local variable list [element] : A | CollectionFlow.cs:383:43:383:46 | list [element] : A |
 | CollectionFlow.cs:105:17:105:23 | object creation of type A : A | CollectionFlow.cs:107:18:107:18 | access to local variable a : A |
 | CollectionFlow.cs:107:9:107:12 | [post] access to local variable list [element] : A | CollectionFlow.cs:108:14:108:17 | access to local variable list [element] : A |
 | CollectionFlow.cs:107:9:107:12 | [post] access to local variable list [element] : A | CollectionFlow.cs:109:22:109:25 | access to local variable list [element] : A |
@ -51,6 +56,7 @@ edges
 | CollectionFlow.cs:108:14:108:17 | access to local variable list [element] : A | CollectionFlow.cs:108:14:108:20 | access to indexer |
 | CollectionFlow.cs:109:22:109:25 | access to local variable list [element] : A | CollectionFlow.cs:375:49:375:52 | list [element] : A |
 | CollectionFlow.cs:110:24:110:27 | access to local variable list [element] : A | CollectionFlow.cs:110:14:110:28 | call to method ListFirst<A> |
+| CollectionFlow.cs:110:24:110:27 | access to local variable list [element] : A | CollectionFlow.cs:383:43:383:46 | list [element] : A |
 | CollectionFlow.cs:124:17:124:23 | object creation of type A : A | CollectionFlow.cs:126:19:126:19 | access to local variable a : A |
 | CollectionFlow.cs:126:9:126:12 | [post] access to local variable dict [element, property Value] : A | CollectionFlow.cs:127:14:127:17 | access to local variable dict [element, property Value] : A |
 | CollectionFlow.cs:126:9:126:12 | [post] access to local variable dict [element, property Value] : A | CollectionFlow.cs:128:23:128:26 | access to local variable dict [element, property Value] : A |
@ -61,8 +67,11 @@ edges
 | CollectionFlow.cs:127:14:127:17 | access to local variable dict [element, property Value] : A | CollectionFlow.cs:127:14:127:20 | access to indexer |
 | CollectionFlow.cs:128:23:128:26 | access to local variable dict [element, property Value] : A | CollectionFlow.cs:377:61:377:64 | dict [element, property Value] : A |
 | CollectionFlow.cs:129:28:129:31 | access to local variable dict [element, property Value] : A | CollectionFlow.cs:129:14:129:32 | call to method DictIndexZero<A> |
+| CollectionFlow.cs:129:28:129:31 | access to local variable dict [element, property Value] : A | CollectionFlow.cs:385:58:385:61 | dict [element, property Value] : A |
 | CollectionFlow.cs:130:29:130:32 | access to local variable dict [element, property Value] : A | CollectionFlow.cs:130:14:130:33 | call to method DictFirstValue<A> |
+| CollectionFlow.cs:130:29:130:32 | access to local variable dict [element, property Value] : A | CollectionFlow.cs:387:59:387:62 | dict [element, property Value] : A |
 | CollectionFlow.cs:131:30:131:33 | access to local variable dict [element, property Value] : A | CollectionFlow.cs:131:14:131:34 | call to method DictValuesFirst<A> |
+| CollectionFlow.cs:131:30:131:33 | access to local variable dict [element, property Value] : A | CollectionFlow.cs:389:60:389:63 | dict [element, property Value] : A |
 | CollectionFlow.cs:147:17:147:23 | object creation of type A : A | CollectionFlow.cs:148:52:148:52 | access to local variable a : A |
 | CollectionFlow.cs:148:20:148:56 | object creation of type Dictionary<Int32,A> [element, property Value] : A | CollectionFlow.cs:149:14:149:17 | access to local variable dict [element, property Value] : A |
 | CollectionFlow.cs:148:20:148:56 | object creation of type Dictionary<Int32,A> [element, property Value] : A | CollectionFlow.cs:150:23:150:26 | access to local variable dict [element, property Value] : A |
@ -73,8 +82,11 @@ edges
 | CollectionFlow.cs:149:14:149:17 | access to local variable dict [element, property Value] : A | CollectionFlow.cs:149:14:149:20 | access to indexer |
 | CollectionFlow.cs:150:23:150:26 | access to local variable dict [element, property Value] : A | CollectionFlow.cs:377:61:377:64 | dict [element, property Value] : A |
 | CollectionFlow.cs:151:28:151:31 | access to local variable dict [element, property Value] : A | CollectionFlow.cs:151:14:151:32 | call to method DictIndexZero<A> |
+| CollectionFlow.cs:151:28:151:31 | access to local variable dict [element, property Value] : A | CollectionFlow.cs:385:58:385:61 | dict [element, property Value] : A |
 | CollectionFlow.cs:152:29:152:32 | access to local variable dict [element, property Value] : A | CollectionFlow.cs:152:14:152:33 | call to method DictFirstValue<A> |
+| CollectionFlow.cs:152:29:152:32 | access to local variable dict [element, property Value] : A | CollectionFlow.cs:387:59:387:62 | dict [element, property Value] : A |
 | CollectionFlow.cs:153:30:153:33 | access to local variable dict [element, property Value] : A | CollectionFlow.cs:153:14:153:34 | call to method DictValuesFirst<A> |
+| CollectionFlow.cs:153:30:153:33 | access to local variable dict [element, property Value] : A | CollectionFlow.cs:389:60:389:63 | dict [element, property Value] : A |
 | CollectionFlow.cs:168:17:168:23 | object creation of type A : A | CollectionFlow.cs:169:53:169:53 | access to local variable a : A |
 | CollectionFlow.cs:169:20:169:55 | object creation of type Dictionary<Int32,A> [element, property Value] : A | CollectionFlow.cs:170:14:170:17 | access to local variable dict [element, property Value] : A |
 | CollectionFlow.cs:169:20:169:55 | object creation of type Dictionary<Int32,A> [element, property Value] : A | CollectionFlow.cs:171:23:171:26 | access to local variable dict [element, property Value] : A |
@ -85,8 +97,11 @@ edges
 | CollectionFlow.cs:170:14:170:17 | access to local variable dict [element, property Value] : A | CollectionFlow.cs:170:14:170:20 | access to indexer |
 | CollectionFlow.cs:171:23:171:26 | access to local variable dict [element, property Value] : A | CollectionFlow.cs:377:61:377:64 | dict [element, property Value] : A |
 | CollectionFlow.cs:172:28:172:31 | access to local variable dict [element, property Value] : A | CollectionFlow.cs:172:14:172:32 | call to method DictIndexZero<A> |
+| CollectionFlow.cs:172:28:172:31 | access to local variable dict [element, property Value] : A | CollectionFlow.cs:385:58:385:61 | dict [element, property Value] : A |
 | CollectionFlow.cs:173:29:173:32 | access to local variable dict [element, property Value] : A | CollectionFlow.cs:173:14:173:33 | call to method DictFirstValue<A> |
+| CollectionFlow.cs:173:29:173:32 | access to local variable dict [element, property Value] : A | CollectionFlow.cs:387:59:387:62 | dict [element, property Value] : A |
 | CollectionFlow.cs:174:30:174:33 | access to local variable dict [element, property Value] : A | CollectionFlow.cs:174:14:174:34 | call to method DictValuesFirst<A> |
+| CollectionFlow.cs:174:30:174:33 | access to local variable dict [element, property Value] : A | CollectionFlow.cs:389:60:389:63 | dict [element, property Value] : A |
 | CollectionFlow.cs:190:17:190:23 | object creation of type A : A | CollectionFlow.cs:191:49:191:49 | access to local variable a : A |
 | CollectionFlow.cs:191:20:191:56 | object creation of type Dictionary<A,Int32> [element, property Key] : A | CollectionFlow.cs:192:14:192:17 | access to local variable dict [element, property Key] : A |
 | CollectionFlow.cs:191:20:191:56 | object creation of type Dictionary<A,Int32> [element, property Key] : A | CollectionFlow.cs:193:21:193:24 | access to local variable dict [element, property Key] : A |
@ -97,7 +112,9 @@ edges
 | CollectionFlow.cs:192:14:192:22 | access to property Keys [element] : A | CollectionFlow.cs:192:14:192:30 | call to method First<A> |
 | CollectionFlow.cs:193:21:193:24 | access to local variable dict [element, property Key] : A | CollectionFlow.cs:379:59:379:62 | dict [element, property Key] : A |
 | CollectionFlow.cs:194:28:194:31 | access to local variable dict [element, property Key] : A | CollectionFlow.cs:194:14:194:32 | call to method DictKeysFirst<A> |
+| CollectionFlow.cs:194:28:194:31 | access to local variable dict [element, property Key] : A | CollectionFlow.cs:391:58:391:61 | dict [element, property Key] : A |
 | CollectionFlow.cs:195:27:195:30 | access to local variable dict [element, property Key] : A | CollectionFlow.cs:195:14:195:31 | call to method DictFirstKey<A> |
+| CollectionFlow.cs:195:27:195:30 | access to local variable dict [element, property Key] : A | CollectionFlow.cs:393:57:393:60 | dict [element, property Key] : A |
 | CollectionFlow.cs:209:17:209:23 | object creation of type A : A | CollectionFlow.cs:210:48:210:48 | access to local variable a : A |
 | CollectionFlow.cs:210:20:210:55 | object creation of type Dictionary<A,Int32> [element, property Key] : A | CollectionFlow.cs:211:14:211:17 | access to local variable dict [element, property Key] : A |
 | CollectionFlow.cs:210:20:210:55 | object creation of type Dictionary<A,Int32> [element, property Key] : A | CollectionFlow.cs:212:21:212:24 | access to local variable dict [element, property Key] : A |
@ -108,7 +125,9 @@ edges
 | CollectionFlow.cs:211:14:211:22 | access to property Keys [element] : A | CollectionFlow.cs:211:14:211:30 | call to method First<A> |
 | CollectionFlow.cs:212:21:212:24 | access to local variable dict [element, property Key] : A | CollectionFlow.cs:379:59:379:62 | dict [element, property Key] : A |
 | CollectionFlow.cs:213:28:213:31 | access to local variable dict [element, property Key] : A | CollectionFlow.cs:213:14:213:32 | call to method DictKeysFirst<A> |
+| CollectionFlow.cs:213:28:213:31 | access to local variable dict [element, property Key] : A | CollectionFlow.cs:391:58:391:61 | dict [element, property Key] : A |
 | CollectionFlow.cs:214:27:214:30 | access to local variable dict [element, property Key] : A | CollectionFlow.cs:214:14:214:31 | call to method DictFirstKey<A> |
+| CollectionFlow.cs:214:27:214:30 | access to local variable dict [element, property Key] : A | CollectionFlow.cs:393:57:393:60 | dict [element, property Key] : A |
 | CollectionFlow.cs:228:17:228:23 | object creation of type A : A | CollectionFlow.cs:229:27:229:27 | access to local variable a : A |
 | CollectionFlow.cs:229:25:229:29 | { ..., ... } [element] : A | CollectionFlow.cs:230:27:230:29 | access to local variable as [element] : A |
 | CollectionFlow.cs:229:27:229:27 | access to local variable a : A | CollectionFlow.cs:229:25:229:29 | { ..., ... } [element] : A |
@ -133,22 +152,30 @@ edges
 | CollectionFlow.cs:282:9:282:12 | access to local variable list [element, property Key] : A | CollectionFlow.cs:282:21:282:23 | kvp [property Key] : A |
 | CollectionFlow.cs:282:21:282:23 | kvp [property Key] : A | CollectionFlow.cs:284:18:284:20 | access to parameter kvp [property Key] : A |
 | CollectionFlow.cs:284:18:284:20 | access to parameter kvp [property Key] : A | CollectionFlow.cs:284:18:284:24 | access to property Key |
+| CollectionFlow.cs:301:32:301:38 | element : A | CollectionFlow.cs:301:55:301:61 | access to parameter element : A |
+| CollectionFlow.cs:301:55:301:61 | access to parameter element : A | CollectionFlow.cs:301:44:301:48 | [post] access to parameter array [element] : A |
 | CollectionFlow.cs:305:17:305:23 | object creation of type A : A | CollectionFlow.cs:307:23:307:23 | access to local variable a : A |
 | CollectionFlow.cs:307:18:307:20 | [post] access to local variable as [element] : A | CollectionFlow.cs:308:14:308:16 | access to local variable as [element] : A |
 | CollectionFlow.cs:307:18:307:20 | [post] access to local variable as [element] : A | CollectionFlow.cs:309:18:309:20 | access to local variable as [element] : A |
 | CollectionFlow.cs:307:18:307:20 | [post] access to local variable as [element] : A | CollectionFlow.cs:310:20:310:22 | access to local variable as [element] : A |
+| CollectionFlow.cs:307:23:307:23 | access to local variable a : A | CollectionFlow.cs:301:32:301:38 | element : A |
 | CollectionFlow.cs:307:23:307:23 | access to local variable a : A | CollectionFlow.cs:307:18:307:20 | [post] access to local variable as [element] : A |
 | CollectionFlow.cs:308:14:308:16 | access to local variable as [element] : A | CollectionFlow.cs:308:14:308:19 | access to array element |
 | CollectionFlow.cs:309:18:309:20 | access to local variable as [element] : A | CollectionFlow.cs:373:40:373:41 | ts [element] : A |
 | CollectionFlow.cs:310:20:310:22 | access to local variable as [element] : A | CollectionFlow.cs:310:14:310:23 | call to method First<A> |
+| CollectionFlow.cs:310:20:310:22 | access to local variable as [element] : A | CollectionFlow.cs:381:34:381:35 | ts [element] : A |
+| CollectionFlow.cs:323:34:323:40 | element : A | CollectionFlow.cs:323:55:323:61 | access to parameter element : A |
+| CollectionFlow.cs:323:55:323:61 | access to parameter element : A | CollectionFlow.cs:323:46:323:49 | [post] access to parameter list [element] : A |
 | CollectionFlow.cs:327:17:327:23 | object creation of type A : A | CollectionFlow.cs:329:23:329:23 | access to local variable a : A |
 | CollectionFlow.cs:329:17:329:20 | [post] access to local variable list [element] : A | CollectionFlow.cs:330:14:330:17 | access to local variable list [element] : A |
 | CollectionFlow.cs:329:17:329:20 | [post] access to local variable list [element] : A | CollectionFlow.cs:331:22:331:25 | access to local variable list [element] : A |
 | CollectionFlow.cs:329:17:329:20 | [post] access to local variable list [element] : A | CollectionFlow.cs:332:24:332:27 | access to local variable list [element] : A |
+| CollectionFlow.cs:329:23:329:23 | access to local variable a : A | CollectionFlow.cs:323:34:323:40 | element : A |
 | CollectionFlow.cs:329:23:329:23 | access to local variable a : A | CollectionFlow.cs:329:17:329:20 | [post] access to local variable list [element] : A |
 | CollectionFlow.cs:330:14:330:17 | access to local variable list [element] : A | CollectionFlow.cs:330:14:330:20 | access to indexer |
 | CollectionFlow.cs:331:22:331:25 | access to local variable list [element] : A | CollectionFlow.cs:375:49:375:52 | list [element] : A |
 | CollectionFlow.cs:332:24:332:27 | access to local variable list [element] : A | CollectionFlow.cs:332:14:332:28 | call to method ListFirst<A> |
+| CollectionFlow.cs:332:24:332:27 | access to local variable list [element] : A | CollectionFlow.cs:383:43:383:46 | list [element] : A |
 | CollectionFlow.cs:346:20:346:26 | object creation of type A : A | CollectionFlow.cs:395:49:395:52 | args [element] : A |
 | CollectionFlow.cs:347:26:347:32 | object creation of type A : A | CollectionFlow.cs:395:49:395:52 | args [element] : A |
 | CollectionFlow.cs:348:26:348:32 | object creation of type A : A | CollectionFlow.cs:395:49:395:52 | args [element] : A |
@ -172,6 +199,32 @@ edges
 | CollectionFlow.cs:379:59:379:62 | dict [element, property Key] : A | CollectionFlow.cs:379:73:379:76 | access to parameter dict [element, property Key] : A |
 | CollectionFlow.cs:379:73:379:76 | access to parameter dict [element, property Key] : A | CollectionFlow.cs:379:73:379:81 | access to property Keys [element] : A |
 | CollectionFlow.cs:379:73:379:81 | access to property Keys [element] : A | CollectionFlow.cs:379:73:379:89 | call to method First<T> |
+| CollectionFlow.cs:381:34:381:35 | ts [element] : A | CollectionFlow.cs:381:41:381:42 | access to parameter ts [element] : A |
+| CollectionFlow.cs:381:34:381:35 | ts [element] : A | CollectionFlow.cs:381:41:381:42 | access to parameter ts [element] : A |
+| CollectionFlow.cs:381:41:381:42 | access to parameter ts [element] : A | CollectionFlow.cs:381:41:381:45 | access to array element : A |
+| CollectionFlow.cs:381:41:381:42 | access to parameter ts [element] : A | CollectionFlow.cs:381:41:381:45 | access to array element : A |
+| CollectionFlow.cs:383:43:383:46 | list [element] : A | CollectionFlow.cs:383:52:383:55 | access to parameter list [element] : A |
+| CollectionFlow.cs:383:43:383:46 | list [element] : A | CollectionFlow.cs:383:52:383:55 | access to parameter list [element] : A |
+| CollectionFlow.cs:383:43:383:46 | list [element] : A | CollectionFlow.cs:383:52:383:55 | access to parameter list [element] : A |
+| CollectionFlow.cs:383:43:383:46 | list [element] : A | CollectionFlow.cs:383:52:383:55 | access to parameter list [element] : A |
+| CollectionFlow.cs:383:52:383:55 | access to parameter list [element] : A | CollectionFlow.cs:383:52:383:58 | access to indexer : A |
+| CollectionFlow.cs:383:52:383:55 | access to parameter list [element] : A | CollectionFlow.cs:383:52:383:58 | access to indexer : A |
+| CollectionFlow.cs:383:52:383:55 | access to parameter list [element] : A | CollectionFlow.cs:383:52:383:58 | access to indexer : A |
+| CollectionFlow.cs:383:52:383:55 | access to parameter list [element] : A | CollectionFlow.cs:383:52:383:58 | access to indexer : A |
+| CollectionFlow.cs:385:58:385:61 | dict [element, property Value] : A | CollectionFlow.cs:385:67:385:70 | access to parameter dict [element, property Value] : A |
+| CollectionFlow.cs:385:67:385:70 | access to parameter dict [element, property Value] : A | CollectionFlow.cs:385:67:385:73 | access to indexer : A |
+| CollectionFlow.cs:387:59:387:62 | dict [element, property Value] : A | CollectionFlow.cs:387:68:387:71 | access to parameter dict [element, property Value] : A |
+| CollectionFlow.cs:387:68:387:71 | access to parameter dict [element, property Value] : A | CollectionFlow.cs:387:68:387:79 | call to method First<KeyValuePair<Int32,T>> [property Value] : A |
+| CollectionFlow.cs:387:68:387:79 | call to method First<KeyValuePair<Int32,T>> [property Value] : A | CollectionFlow.cs:387:68:387:85 | access to property Value : A |
+| CollectionFlow.cs:389:60:389:63 | dict [element, property Value] : A | CollectionFlow.cs:389:69:389:72 | access to parameter dict [element, property Value] : A |
+| CollectionFlow.cs:389:69:389:72 | access to parameter dict [element, property Value] : A | CollectionFlow.cs:389:69:389:79 | access to property Values [element] : A |
+| CollectionFlow.cs:389:69:389:79 | access to property Values [element] : A | CollectionFlow.cs:389:69:389:87 | call to method First<T> : A |
+| CollectionFlow.cs:391:58:391:61 | dict [element, property Key] : A | CollectionFlow.cs:391:67:391:70 | access to parameter dict [element, property Key] : A |
+| CollectionFlow.cs:391:67:391:70 | access to parameter dict [element, property Key] : A | CollectionFlow.cs:391:67:391:75 | access to property Keys [element] : A |
+| CollectionFlow.cs:391:67:391:75 | access to property Keys [element] : A | CollectionFlow.cs:391:67:391:83 | call to method First<T> : A |
+| CollectionFlow.cs:393:57:393:60 | dict [element, property Key] : A | CollectionFlow.cs:393:66:393:69 | access to parameter dict [element, property Key] : A |
+| CollectionFlow.cs:393:66:393:69 | access to parameter dict [element, property Key] : A | CollectionFlow.cs:393:66:393:77 | call to method First<KeyValuePair<T,Int32>> [property Key] : A |
+| CollectionFlow.cs:393:66:393:77 | call to method First<KeyValuePair<T,Int32>> [property Key] : A | CollectionFlow.cs:393:66:393:81 | access to property Key : A |
 | CollectionFlow.cs:395:49:395:52 | args [element] : A | CollectionFlow.cs:395:63:395:66 | access to parameter args [element] : A |
 | CollectionFlow.cs:395:49:395:52 | args [element] : A | CollectionFlow.cs:395:63:395:66 | access to parameter args [element] : A |
 | CollectionFlow.cs:395:63:395:66 | access to parameter args [element] : A | CollectionFlow.cs:395:63:395:69 | access to array element |
@ -315,6 +368,9 @@ nodes
 | CollectionFlow.cs:282:21:282:23 | kvp [property Key] : A | semmle.label | kvp [property Key] : A |
 | CollectionFlow.cs:284:18:284:20 | access to parameter kvp [property Key] : A | semmle.label | access to parameter kvp [property Key] : A |
 | CollectionFlow.cs:284:18:284:24 | access to property Key | semmle.label | access to property Key |
+| CollectionFlow.cs:301:32:301:38 | element : A | semmle.label | element : A |
+| CollectionFlow.cs:301:44:301:48 | [post] access to parameter array [element] : A | semmle.label | [post] access to parameter array [element] : A |
+| CollectionFlow.cs:301:55:301:61 | access to parameter element : A | semmle.label | access to parameter element : A |
 | CollectionFlow.cs:305:17:305:23 | object creation of type A : A | semmle.label | object creation of type A : A |
 | CollectionFlow.cs:307:18:307:20 | [post] access to local variable as [element] : A | semmle.label | [post] access to local variable as [element] : A |
 | CollectionFlow.cs:307:23:307:23 | access to local variable a : A | semmle.label | access to local variable a : A |
@ -323,6 +379,9 @@ nodes
 | CollectionFlow.cs:309:18:309:20 | access to local variable as [element] : A | semmle.label | access to local variable as [element] : A |
 | CollectionFlow.cs:310:14:310:23 | call to method First<A> | semmle.label | call to method First<A> |
 | CollectionFlow.cs:310:20:310:22 | access to local variable as [element] : A | semmle.label | access to local variable as [element] : A |
+| CollectionFlow.cs:323:34:323:40 | element : A | semmle.label | element : A |
+| CollectionFlow.cs:323:46:323:49 | [post] access to parameter list [element] : A | semmle.label | [post] access to parameter list [element] : A |
+| CollectionFlow.cs:323:55:323:61 | access to parameter element : A | semmle.label | access to parameter element : A |
 | CollectionFlow.cs:327:17:327:23 | object creation of type A : A | semmle.label | object creation of type A : A |
 | CollectionFlow.cs:329:17:329:20 | [post] access to local variable list [element] : A | semmle.label | [post] access to local variable list [element] : A |
 | CollectionFlow.cs:329:23:329:23 | access to local variable a : A | semmle.label | access to local variable a : A |
@ -358,11 +417,72 @@ nodes
 | CollectionFlow.cs:379:73:379:76 | access to parameter dict [element, property Key] : A | semmle.label | access to parameter dict [element, property Key] : A |
 | CollectionFlow.cs:379:73:379:81 | access to property Keys [element] : A | semmle.label | access to property Keys [element] : A |
 | CollectionFlow.cs:379:73:379:89 | call to method First<T> | semmle.label | call to method First<T> |
+| CollectionFlow.cs:381:34:381:35 | ts [element] : A | semmle.label | ts [element] : A |
+| CollectionFlow.cs:381:34:381:35 | ts [element] : A | semmle.label | ts [element] : A |
+| CollectionFlow.cs:381:41:381:42 | access to parameter ts [element] : A | semmle.label | access to parameter ts [element] : A |
+| CollectionFlow.cs:381:41:381:42 | access to parameter ts [element] : A | semmle.label | access to parameter ts [element] : A |
+| CollectionFlow.cs:381:41:381:45 | access to array element : A | semmle.label | access to array element : A |
+| CollectionFlow.cs:381:41:381:45 | access to array element : A | semmle.label | access to array element : A |
+| CollectionFlow.cs:383:43:383:46 | list [element] : A | semmle.label | list [element] : A |
+| CollectionFlow.cs:383:43:383:46 | list [element] : A | semmle.label | list [element] : A |
+| CollectionFlow.cs:383:43:383:46 | list [element] : A | semmle.label | list [element] : A |
+| CollectionFlow.cs:383:43:383:46 | list [element] : A | semmle.label | list [element] : A |
+| CollectionFlow.cs:383:52:383:55 | access to parameter list [element] : A | semmle.label | access to parameter list [element] : A |
+| CollectionFlow.cs:383:52:383:55 | access to parameter list [element] : A | semmle.label | access to parameter list [element] : A |
+| CollectionFlow.cs:383:52:383:55 | access to parameter list [element] : A | semmle.label | access to parameter list [element] : A |
+| CollectionFlow.cs:383:52:383:55 | access to parameter list [element] : A | semmle.label | access to parameter list [element] : A |
+| CollectionFlow.cs:383:52:383:58 | access to indexer : A | semmle.label | access to indexer : A |
+| CollectionFlow.cs:383:52:383:58 | access to indexer : A | semmle.label | access to indexer : A |
+| CollectionFlow.cs:383:52:383:58 | access to indexer : A | semmle.label | access to indexer : A |
+| CollectionFlow.cs:383:52:383:58 | access to indexer : A | semmle.label | access to indexer : A |
+| CollectionFlow.cs:385:58:385:61 | dict [element, property Value] : A | semmle.label | dict [element, property Value] : A |
+| CollectionFlow.cs:385:67:385:70 | access to parameter dict [element, property Value] : A | semmle.label | access to parameter dict [element, property Value] : A |
+| CollectionFlow.cs:385:67:385:73 | access to indexer : A | semmle.label | access to indexer : A |
+| CollectionFlow.cs:387:59:387:62 | dict [element, property Value] : A | semmle.label | dict [element, property Value] : A |
+| CollectionFlow.cs:387:68:387:71 | access to parameter dict [element, property Value] : A | semmle.label | access to parameter dict [element, property Value] : A |
+| CollectionFlow.cs:387:68:387:79 | call to method First<KeyValuePair<Int32,T>> [property Value] : A | semmle.label | call to method First<KeyValuePair<Int32,T>> [property Value] : A |
+| CollectionFlow.cs:387:68:387:85 | access to property Value : A | semmle.label | access to property Value : A |
+| CollectionFlow.cs:389:60:389:63 | dict [element, property Value] : A | semmle.label | dict [element, property Value] : A |
+| CollectionFlow.cs:389:69:389:72 | access to parameter dict [element, property Value] : A | semmle.label | access to parameter dict [element, property Value] : A |
+| CollectionFlow.cs:389:69:389:79 | access to property Values [element] : A | semmle.label | access to property Values [element] : A |
+| CollectionFlow.cs:389:69:389:87 | call to method First<T> : A | semmle.label | call to method First<T> : A |
+| CollectionFlow.cs:391:58:391:61 | dict [element, property Key] : A | semmle.label | dict [element, property Key] : A |
+| CollectionFlow.cs:391:67:391:70 | access to parameter dict [element, property Key] : A | semmle.label | access to parameter dict [element, property Key] : A |
+| CollectionFlow.cs:391:67:391:75 | access to property Keys [element] : A | semmle.label | access to property Keys [element] : A |
+| CollectionFlow.cs:391:67:391:83 | call to method First<T> : A | semmle.label | call to method First<T> : A |
+| CollectionFlow.cs:393:57:393:60 | dict [element, property Key] : A | semmle.label | dict [element, property Key] : A |
+| CollectionFlow.cs:393:66:393:69 | access to parameter dict [element, property Key] : A | semmle.label | access to parameter dict [element, property Key] : A |
+| CollectionFlow.cs:393:66:393:77 | call to method First<KeyValuePair<T,Int32>> [property Key] : A | semmle.label | call to method First<KeyValuePair<T,Int32>> [property Key] : A |
+| CollectionFlow.cs:393:66:393:81 | access to property Key : A | semmle.label | access to property Key : A |
 | CollectionFlow.cs:395:49:395:52 | args [element] : A | semmle.label | args [element] : A |
 | CollectionFlow.cs:395:49:395:52 | args [element] : A | semmle.label | args [element] : A |
 | CollectionFlow.cs:395:63:395:66 | access to parameter args [element] : A | semmle.label | access to parameter args [element] : A |
 | CollectionFlow.cs:395:63:395:66 | access to parameter args [element] : A | semmle.label | access to parameter args [element] : A |
 | CollectionFlow.cs:395:63:395:69 | access to array element | semmle.label | access to array element |
+subpaths
+| CollectionFlow.cs:17:20:17:22 | access to local variable as [element] : A | CollectionFlow.cs:381:34:381:35 | ts [element] : A | CollectionFlow.cs:381:41:381:45 | access to array element : A | CollectionFlow.cs:17:14:17:23 | call to method First<A> : A |
+| CollectionFlow.cs:35:20:35:23 | access to field As [element] : A | CollectionFlow.cs:381:34:381:35 | ts [element] : A | CollectionFlow.cs:381:41:381:45 | access to array element : A | CollectionFlow.cs:35:14:35:24 | call to method First<A> : A |
+| CollectionFlow.cs:54:20:54:22 | access to local variable as [element] : A | CollectionFlow.cs:381:34:381:35 | ts [element] : A | CollectionFlow.cs:381:41:381:45 | access to array element : A | CollectionFlow.cs:54:14:54:23 | call to method First<A> : A |
+| CollectionFlow.cs:74:24:74:27 | access to local variable list [element] : A | CollectionFlow.cs:383:43:383:46 | list [element] : A | CollectionFlow.cs:383:52:383:58 | access to indexer : A | CollectionFlow.cs:74:14:74:28 | call to method ListFirst<A> : A |
+| CollectionFlow.cs:92:24:92:27 | access to local variable list [element] : A | CollectionFlow.cs:383:43:383:46 | list [element] : A | CollectionFlow.cs:383:52:383:58 | access to indexer : A | CollectionFlow.cs:92:14:92:28 | call to method ListFirst<A> : A |
+| CollectionFlow.cs:110:24:110:27 | access to local variable list [element] : A | CollectionFlow.cs:383:43:383:46 | list [element] : A | CollectionFlow.cs:383:52:383:58 | access to indexer : A | CollectionFlow.cs:110:14:110:28 | call to method ListFirst<A> : A |
+| CollectionFlow.cs:129:28:129:31 | access to local variable dict [element, property Value] : A | CollectionFlow.cs:385:58:385:61 | dict [element, property Value] : A | CollectionFlow.cs:385:67:385:73 | access to indexer : A | CollectionFlow.cs:129:14:129:32 | call to method DictIndexZero<A> : A |
+| CollectionFlow.cs:130:29:130:32 | access to local variable dict [element, property Value] : A | CollectionFlow.cs:387:59:387:62 | dict [element, property Value] : A | CollectionFlow.cs:387:68:387:85 | access to property Value : A | CollectionFlow.cs:130:14:130:33 | call to method DictFirstValue<A> : A |
+| CollectionFlow.cs:131:30:131:33 | access to local variable dict [element, property Value] : A | CollectionFlow.cs:389:60:389:63 | dict [element, property Value] : A | CollectionFlow.cs:389:69:389:87 | call to method First<T> : A | CollectionFlow.cs:131:14:131:34 | call to method DictValuesFirst<A> : A |
+| CollectionFlow.cs:151:28:151:31 | access to local variable dict [element, property Value] : A | CollectionFlow.cs:385:58:385:61 | dict [element, property Value] : A | CollectionFlow.cs:385:67:385:73 | access to indexer : A | CollectionFlow.cs:151:14:151:32 | call to method DictIndexZero<A> : A |
+| CollectionFlow.cs:152:29:152:32 | access to local variable dict [element, property Value] : A | CollectionFlow.cs:387:59:387:62 | dict [element, property Value] : A | CollectionFlow.cs:387:68:387:85 | access to property Value : A | CollectionFlow.cs:152:14:152:33 | call to method DictFirstValue<A> : A |
+| CollectionFlow.cs:153:30:153:33 | access to local variable dict [element, property Value] : A | CollectionFlow.cs:389:60:389:63 | dict [element, property Value] : A | CollectionFlow.cs:389:69:389:87 | call to method First<T> : A | CollectionFlow.cs:153:14:153:34 | call to method DictValuesFirst<A> : A |
+| CollectionFlow.cs:172:28:172:31 | access to local variable dict [element, property Value] : A | CollectionFlow.cs:385:58:385:61 | dict [element, property Value] : A | CollectionFlow.cs:385:67:385:73 | access to indexer : A | CollectionFlow.cs:172:14:172:32 | call to method DictIndexZero<A> : A |
+| CollectionFlow.cs:173:29:173:32 | access to local variable dict [element, property Value] : A | CollectionFlow.cs:387:59:387:62 | dict [element, property Value] : A | CollectionFlow.cs:387:68:387:85 | access to property Value : A | CollectionFlow.cs:173:14:173:33 | call to method DictFirstValue<A> : A |
+| CollectionFlow.cs:174:30:174:33 | access to local variable dict [element, property Value] : A | CollectionFlow.cs:389:60:389:63 | dict [element, property Value] : A | CollectionFlow.cs:389:69:389:87 | call to method First<T> : A | CollectionFlow.cs:174:14:174:34 | call to method DictValuesFirst<A> : A |
+| CollectionFlow.cs:194:28:194:31 | access to local variable dict [element, property Key] : A | CollectionFlow.cs:391:58:391:61 | dict [element, property Key] : A | CollectionFlow.cs:391:67:391:83 | call to method First<T> : A | CollectionFlow.cs:194:14:194:32 | call to method DictKeysFirst<A> : A |
+| CollectionFlow.cs:195:27:195:30 | access to local variable dict [element, property Key] : A | CollectionFlow.cs:393:57:393:60 | dict [element, property Key] : A | CollectionFlow.cs:393:66:393:81 | access to property Key : A | CollectionFlow.cs:195:14:195:31 | call to method DictFirstKey<A> : A |
+| CollectionFlow.cs:213:28:213:31 | access to local variable dict [element, property Key] : A | CollectionFlow.cs:391:58:391:61 | dict [element, property Key] : A | CollectionFlow.cs:391:67:391:83 | call to method First<T> : A | CollectionFlow.cs:213:14:213:32 | call to method DictKeysFirst<A> : A |
+| CollectionFlow.cs:214:27:214:30 | access to local variable dict [element, property Key] : A | CollectionFlow.cs:393:57:393:60 | dict [element, property Key] : A | CollectionFlow.cs:393:66:393:81 | access to property Key : A | CollectionFlow.cs:214:14:214:31 | call to method DictFirstKey<A> : A |
+| CollectionFlow.cs:307:23:307:23 | access to local variable a : A | CollectionFlow.cs:301:32:301:38 | element : A | CollectionFlow.cs:301:44:301:48 | [post] access to parameter array [element] : A | CollectionFlow.cs:307:18:307:20 | [post] access to local variable as [element] : A |
+| CollectionFlow.cs:310:20:310:22 | access to local variable as [element] : A | CollectionFlow.cs:381:34:381:35 | ts [element] : A | CollectionFlow.cs:381:41:381:45 | access to array element : A | CollectionFlow.cs:310:14:310:23 | call to method First<A> : A |
+| CollectionFlow.cs:329:23:329:23 | access to local variable a : A | CollectionFlow.cs:323:34:323:40 | element : A | CollectionFlow.cs:323:46:323:49 | [post] access to parameter list [element] : A | CollectionFlow.cs:329:17:329:20 | [post] access to local variable list [element] : A |
+| CollectionFlow.cs:332:24:332:27 | access to local variable list [element] : A | CollectionFlow.cs:383:43:383:46 | list [element] : A | CollectionFlow.cs:383:52:383:58 | access to indexer : A | CollectionFlow.cs:332:14:332:28 | call to method ListFirst<A> : A |
 #select
 | CollectionFlow.cs:13:17:13:23 | object creation of type A : A | CollectionFlow.cs:13:17:13:23 | object creation of type A : A | CollectionFlow.cs:15:14:15:19 | access to array element | $@ | CollectionFlow.cs:15:14:15:19 | access to array element | access to array element |
 | CollectionFlow.cs:13:17:13:23 | object creation of type A : A | CollectionFlow.cs:13:17:13:23 | object creation of type A : A | CollectionFlow.cs:17:14:17:23 | call to method First<A> | $@ | CollectionFlow.cs:17:14:17:23 | call to method First<A> | call to method First<A> |
--- a/csharp/ql/test/library-tests/dataflow/external-models/ExternalFlow.expected
+++ b/csharp/ql/test/library-tests/dataflow/external-models/ExternalFlow.expected
@ -106,6 +106,7 @@ nodes
 | ExternalFlow.cs:92:18:92:18 | (...) ... | semmle.label | (...) ... |
 | ExternalFlow.cs:121:46:121:46 | s : Object | semmle.label | s : Object |
 | ExternalFlow.cs:123:34:123:41 | elements [element] : Object | semmle.label | elements [element] : Object |
+subpaths
 invalidModelRow
 #select
 | ExternalFlow.cs:10:18:10:33 | call to method StepArgRes | ExternalFlow.cs:9:27:9:38 | object creation of type Object : Object | ExternalFlow.cs:10:18:10:33 | call to method StepArgRes | $@ | ExternalFlow.cs:9:27:9:38 | object creation of type Object : Object | object creation of type Object : Object |
--- a/csharp/ql/test/library-tests/dataflow/fields/FieldFlow.expected
+++ b/csharp/ql/test/library-tests/dataflow/fields/FieldFlow.expected
@ -2,18 +2,33 @@ edges
 | A.cs:5:17:5:23 | object creation of type C : C | A.cs:6:24:6:24 | access to local variable c : C |
 | A.cs:6:17:6:25 | call to method Make [field c] : C | A.cs:7:14:7:14 | access to local variable b [field c] : C |
 | A.cs:6:24:6:24 | access to local variable c : C | A.cs:6:17:6:25 | call to method Make [field c] : C |
+| A.cs:6:24:6:24 | access to local variable c : C | A.cs:147:32:147:32 | c : C |
 | A.cs:7:14:7:14 | access to local variable b [field c] : C | A.cs:7:14:7:16 | access to field c |
 | A.cs:13:9:13:9 | [post] access to local variable b [field c] : C1 | A.cs:14:14:14:14 | access to local variable b [field c] : C1 |
 | A.cs:13:15:13:22 | object creation of type C1 : C1 | A.cs:13:9:13:9 | [post] access to local variable b [field c] : C1 |
+| A.cs:13:15:13:22 | object creation of type C1 : C1 | A.cs:145:27:145:27 | c : C1 |
 | A.cs:14:14:14:14 | access to local variable b [field c] : C1 | A.cs:14:14:14:20 | call to method Get |
+| A.cs:14:14:14:14 | access to local variable b [field c] : C1 | A.cs:146:18:146:20 | this [field c] : C1 |
 | A.cs:15:15:15:28 | object creation of type B [field c] : C | A.cs:15:14:15:35 | call to method Get |
+| A.cs:15:15:15:28 | object creation of type B [field c] : C | A.cs:146:18:146:20 | this [field c] : C |
 | A.cs:15:21:15:27 | object creation of type C : C | A.cs:15:15:15:28 | object creation of type B [field c] : C |
+| A.cs:15:21:15:27 | object creation of type C : C | A.cs:141:20:141:20 | c : C |
 | A.cs:22:14:22:33 | call to method SetOnB [field c] : C2 | A.cs:24:14:24:15 | access to local variable b2 [field c] : C2 |
 | A.cs:22:25:22:32 | object creation of type C2 : C2 | A.cs:22:14:22:33 | call to method SetOnB [field c] : C2 |
+| A.cs:22:25:22:32 | object creation of type C2 : C2 | A.cs:42:29:42:29 | c : C2 |
 | A.cs:24:14:24:15 | access to local variable b2 [field c] : C2 | A.cs:24:14:24:17 | access to field c |
 | A.cs:31:14:31:37 | call to method SetOnBWrap [field c] : C2 | A.cs:33:14:33:15 | access to local variable b2 [field c] : C2 |
 | A.cs:31:29:31:36 | object creation of type C2 : C2 | A.cs:31:14:31:37 | call to method SetOnBWrap [field c] : C2 |
+| A.cs:31:29:31:36 | object creation of type C2 : C2 | A.cs:36:33:36:33 | c : C2 |
 | A.cs:33:14:33:15 | access to local variable b2 [field c] : C2 | A.cs:33:14:33:17 | access to field c |
+| A.cs:36:33:36:33 | c : C2 | A.cs:38:29:38:29 | access to parameter c : C2 |
+| A.cs:38:18:38:30 | call to method SetOnB [field c] : C2 | A.cs:39:16:39:28 | ... ? ... : ... [field c] : C2 |
+| A.cs:38:29:38:29 | access to parameter c : C2 | A.cs:38:18:38:30 | call to method SetOnB [field c] : C2 |
+| A.cs:38:29:38:29 | access to parameter c : C2 | A.cs:42:29:42:29 | c : C2 |
+| A.cs:42:29:42:29 | c : C2 | A.cs:47:20:47:20 | access to parameter c : C2 |
+| A.cs:47:13:47:14 | [post] access to local variable b2 [field c] : C2 | A.cs:48:20:48:21 | access to local variable b2 [field c] : C2 |
+| A.cs:47:20:47:20 | access to parameter c : C2 | A.cs:47:13:47:14 | [post] access to local variable b2 [field c] : C2 |
+| A.cs:47:20:47:20 | access to parameter c : C2 | A.cs:145:27:145:27 | c : C2 |
 | A.cs:55:17:55:23 | object creation of type A : A | A.cs:57:16:57:16 | access to local variable a : A |
 | A.cs:57:9:57:10 | [post] access to local variable c1 [field a] : A | A.cs:58:12:58:13 | access to local variable c1 [field a] : A |
 | A.cs:57:16:57:16 | access to local variable a : A | A.cs:57:9:57:10 | [post] access to local variable c1 [field a] : A |
@ -22,20 +37,25 @@ edges
 | A.cs:64:19:64:23 | (...) ... [field a] : A | A.cs:64:18:64:26 | access to field a |
 | A.cs:83:9:83:9 | [post] access to parameter b [field c] : C | A.cs:88:12:88:12 | [post] access to local variable b [field c] : C |
 | A.cs:83:15:83:21 | object creation of type C : C | A.cs:83:9:83:9 | [post] access to parameter b [field c] : C |
+| A.cs:83:15:83:21 | object creation of type C : C | A.cs:145:27:145:27 | c : C |
 | A.cs:88:12:88:12 | [post] access to local variable b [field c] : C | A.cs:89:14:89:14 | access to local variable b [field c] : C |
 | A.cs:89:14:89:14 | access to local variable b [field c] : C | A.cs:89:14:89:16 | access to field c |
+| A.cs:95:20:95:20 | b : B | A.cs:97:13:97:13 | access to parameter b : B |
 | A.cs:97:13:97:13 | [post] access to parameter b [field c] : C | A.cs:98:22:98:36 | ... ? ... : ... [field c] : C |
 | A.cs:97:13:97:13 | [post] access to parameter b [field c] : C | A.cs:105:23:105:23 | [post] access to local variable b [field c] : C |
+| A.cs:97:13:97:13 | access to parameter b : B | A.cs:98:22:98:36 | ... ? ... : ... : B |
 | A.cs:97:19:97:25 | object creation of type C : C | A.cs:97:13:97:13 | [post] access to parameter b [field c] : C |
 | A.cs:98:13:98:16 | [post] this access [field b, field c] : C | A.cs:105:17:105:29 | object creation of type D [field b, field c] : C |
 | A.cs:98:13:98:16 | [post] this access [field b] : B | A.cs:105:17:105:29 | object creation of type D [field b] : B |
 | A.cs:98:22:98:36 | ... ? ... : ... : B | A.cs:98:13:98:16 | [post] this access [field b] : B |
+| A.cs:98:22:98:36 | ... ? ... : ... : B | A.cs:98:13:98:16 | [post] this access [field b] : B |
 | A.cs:98:22:98:36 | ... ? ... : ... [field c] : C | A.cs:98:13:98:16 | [post] this access [field b, field c] : C |
 | A.cs:98:30:98:36 | object creation of type B : B | A.cs:98:22:98:36 | ... ? ... : ... : B |
 | A.cs:104:17:104:23 | object creation of type B : B | A.cs:105:23:105:23 | access to local variable b : B |
 | A.cs:105:17:105:29 | object creation of type D [field b, field c] : C | A.cs:107:14:107:14 | access to local variable d [field b, field c] : C |
 | A.cs:105:17:105:29 | object creation of type D [field b] : B | A.cs:106:14:106:14 | access to local variable d [field b] : B |
 | A.cs:105:23:105:23 | [post] access to local variable b [field c] : C | A.cs:108:14:108:14 | access to local variable b [field c] : C |
+| A.cs:105:23:105:23 | access to local variable b : B | A.cs:95:20:95:20 | b : B |
 | A.cs:105:23:105:23 | access to local variable b : B | A.cs:105:17:105:29 | object creation of type D [field b] : B |
 | A.cs:106:14:106:14 | access to local variable d [field b] : B | A.cs:106:14:106:16 | access to field b |
 | A.cs:107:14:107:14 | access to local variable d [field b, field c] : C | A.cs:107:14:107:16 | access to field b [field c] : C |
@ -44,11 +64,14 @@ edges
 | A.cs:113:17:113:23 | object creation of type B : B | A.cs:114:29:114:29 | access to local variable b : B |
 | A.cs:114:18:114:54 | object creation of type MyList [field head] : B | A.cs:115:35:115:36 | access to local variable l1 [field head] : B |
 | A.cs:114:29:114:29 | access to local variable b : B | A.cs:114:18:114:54 | object creation of type MyList [field head] : B |
+| A.cs:114:29:114:29 | access to local variable b : B | A.cs:157:25:157:28 | head : B |
 | A.cs:115:18:115:37 | object creation of type MyList [field next, field head] : B | A.cs:116:35:116:36 | access to local variable l2 [field next, field head] : B |
 | A.cs:115:35:115:36 | access to local variable l1 [field head] : B | A.cs:115:18:115:37 | object creation of type MyList [field next, field head] : B |
+| A.cs:115:35:115:36 | access to local variable l1 [field head] : B | A.cs:157:38:157:41 | next [field head] : B |
 | A.cs:116:18:116:37 | object creation of type MyList [field next, field next, field head] : B | A.cs:119:14:119:15 | access to local variable l3 [field next, field next, field head] : B |
 | A.cs:116:18:116:37 | object creation of type MyList [field next, field next, field head] : B | A.cs:121:41:121:41 | access to local variable l [field next, field next, field head] : B |
 | A.cs:116:35:116:36 | access to local variable l2 [field next, field head] : B | A.cs:116:18:116:37 | object creation of type MyList [field next, field next, field head] : B |
+| A.cs:116:35:116:36 | access to local variable l2 [field next, field head] : B | A.cs:157:38:157:41 | next [field next, field head] : B |
 | A.cs:119:14:119:15 | access to local variable l3 [field next, field next, field head] : B | A.cs:119:14:119:20 | access to field next [field next, field head] : B |
 | A.cs:119:14:119:20 | access to field next [field next, field head] : B | A.cs:119:14:119:25 | access to field next [field head] : B |
 | A.cs:119:14:119:25 | access to field next [field head] : B | A.cs:119:14:119:30 | access to field head |
@ -57,20 +80,53 @@ edges
 | A.cs:121:41:121:46 | access to field next [field head] : B | A.cs:123:18:123:18 | access to local variable l [field head] : B |
 | A.cs:121:41:121:46 | access to field next [field next, field head] : B | A.cs:121:41:121:41 | access to local variable l [field next, field head] : B |
 | A.cs:123:18:123:18 | access to local variable l [field head] : B | A.cs:123:18:123:23 | access to field head |
+| A.cs:141:20:141:20 | c : C | A.cs:143:22:143:22 | access to parameter c : C |
+| A.cs:143:22:143:22 | access to parameter c : C | A.cs:143:13:143:16 | [post] this access [field c] : C |
+| A.cs:145:27:145:27 | c : C | A.cs:145:41:145:41 | access to parameter c : C |
+| A.cs:145:27:145:27 | c : C1 | A.cs:145:41:145:41 | access to parameter c : C1 |
+| A.cs:145:27:145:27 | c : C2 | A.cs:145:41:145:41 | access to parameter c : C2 |
+| A.cs:145:41:145:41 | access to parameter c : C | A.cs:145:32:145:35 | [post] this access [field c] : C |
+| A.cs:145:41:145:41 | access to parameter c : C1 | A.cs:145:32:145:35 | [post] this access [field c] : C1 |
+| A.cs:145:41:145:41 | access to parameter c : C2 | A.cs:145:32:145:35 | [post] this access [field c] : C2 |
+| A.cs:146:18:146:20 | this [field c] : C | A.cs:146:33:146:36 | this access [field c] : C |
+| A.cs:146:18:146:20 | this [field c] : C1 | A.cs:146:33:146:36 | this access [field c] : C1 |
+| A.cs:146:33:146:36 | this access [field c] : C | A.cs:146:33:146:38 | access to field c : C |
+| A.cs:146:33:146:36 | this access [field c] : C1 | A.cs:146:33:146:38 | access to field c : C1 |
+| A.cs:147:32:147:32 | c : C | A.cs:149:26:149:26 | access to parameter c : C |
+| A.cs:149:26:149:26 | access to parameter c : C | A.cs:141:20:141:20 | c : C |
+| A.cs:149:26:149:26 | access to parameter c : C | A.cs:149:20:149:27 | object creation of type B [field c] : C |
+| A.cs:157:25:157:28 | head : B | A.cs:159:25:159:28 | access to parameter head : B |
+| A.cs:157:38:157:41 | next [field head] : B | A.cs:160:25:160:28 | access to parameter next [field head] : B |
+| A.cs:157:38:157:41 | next [field next, field head] : B | A.cs:160:25:160:28 | access to parameter next [field next, field head] : B |
+| A.cs:159:25:159:28 | access to parameter head : B | A.cs:159:13:159:16 | [post] this access [field head] : B |
+| A.cs:160:25:160:28 | access to parameter next [field head] : B | A.cs:160:13:160:16 | [post] this access [field next, field head] : B |
+| A.cs:160:25:160:28 | access to parameter next [field next, field head] : B | A.cs:160:13:160:16 | [post] this access [field next, field next, field head] : B |
 | B.cs:5:17:5:26 | object creation of type Elem : Elem | B.cs:6:27:6:27 | access to local variable e : Elem |
 | B.cs:6:18:6:34 | object creation of type Box1 [field elem1] : Elem | B.cs:7:27:7:28 | access to local variable b1 [field elem1] : Elem |
 | B.cs:6:27:6:27 | access to local variable e : Elem | B.cs:6:18:6:34 | object creation of type Box1 [field elem1] : Elem |
+| B.cs:6:27:6:27 | access to local variable e : Elem | B.cs:29:26:29:27 | e1 : Elem |
 | B.cs:7:18:7:29 | object creation of type Box2 [field box1, field elem1] : Elem | B.cs:8:14:8:15 | access to local variable b2 [field box1, field elem1] : Elem |
 | B.cs:7:27:7:28 | access to local variable b1 [field elem1] : Elem | B.cs:7:18:7:29 | object creation of type Box2 [field box1, field elem1] : Elem |
+| B.cs:7:27:7:28 | access to local variable b1 [field elem1] : Elem | B.cs:39:26:39:27 | b1 [field elem1] : Elem |
 | B.cs:8:14:8:15 | access to local variable b2 [field box1, field elem1] : Elem | B.cs:8:14:8:20 | access to field box1 [field elem1] : Elem |
 | B.cs:8:14:8:20 | access to field box1 [field elem1] : Elem | B.cs:8:14:8:26 | access to field elem1 |
 | B.cs:14:17:14:26 | object creation of type Elem : Elem | B.cs:15:33:15:33 | access to local variable e : Elem |
 | B.cs:15:18:15:34 | object creation of type Box1 [field elem2] : Elem | B.cs:16:27:16:28 | access to local variable b1 [field elem2] : Elem |
 | B.cs:15:33:15:33 | access to local variable e : Elem | B.cs:15:18:15:34 | object creation of type Box1 [field elem2] : Elem |
+| B.cs:15:33:15:33 | access to local variable e : Elem | B.cs:29:35:29:36 | e2 : Elem |
 | B.cs:16:18:16:29 | object creation of type Box2 [field box1, field elem2] : Elem | B.cs:18:14:18:15 | access to local variable b2 [field box1, field elem2] : Elem |
 | B.cs:16:27:16:28 | access to local variable b1 [field elem2] : Elem | B.cs:16:18:16:29 | object creation of type Box2 [field box1, field elem2] : Elem |
+| B.cs:16:27:16:28 | access to local variable b1 [field elem2] : Elem | B.cs:39:26:39:27 | b1 [field elem2] : Elem |
 | B.cs:18:14:18:15 | access to local variable b2 [field box1, field elem2] : Elem | B.cs:18:14:18:20 | access to field box1 [field elem2] : Elem |
 | B.cs:18:14:18:20 | access to field box1 [field elem2] : Elem | B.cs:18:14:18:26 | access to field elem2 |
+| B.cs:29:26:29:27 | e1 : Elem | B.cs:31:26:31:27 | access to parameter e1 : Elem |
+| B.cs:29:35:29:36 | e2 : Elem | B.cs:32:26:32:27 | access to parameter e2 : Elem |
+| B.cs:31:26:31:27 | access to parameter e1 : Elem | B.cs:31:13:31:16 | [post] this access [field elem1] : Elem |
+| B.cs:32:26:32:27 | access to parameter e2 : Elem | B.cs:32:13:32:16 | [post] this access [field elem2] : Elem |
+| B.cs:39:26:39:27 | b1 [field elem1] : Elem | B.cs:41:25:41:26 | access to parameter b1 [field elem1] : Elem |
+| B.cs:39:26:39:27 | b1 [field elem2] : Elem | B.cs:41:25:41:26 | access to parameter b1 [field elem2] : Elem |
+| B.cs:41:25:41:26 | access to parameter b1 [field elem1] : Elem | B.cs:41:13:41:16 | [post] this access [field box1, field elem1] : Elem |
+| B.cs:41:25:41:26 | access to parameter b1 [field elem2] : Elem | B.cs:41:13:41:16 | [post] this access [field box1, field elem2] : Elem |
 | C.cs:3:18:3:19 | [post] this access [field s1] : Elem | C.cs:12:15:12:21 | object creation of type C [field s1] : Elem |
 | C.cs:3:23:3:32 | object creation of type Elem : Elem | C.cs:3:18:3:19 | [post] this access [field s1] : Elem |
 | C.cs:4:27:4:28 | [post] this access [field s2] : Elem | C.cs:12:15:12:21 | object creation of type C [field s2] : Elem |
@ -97,38 +153,77 @@ edges
 | C.cs:24:14:24:15 | this access [field s2] : Elem | C.cs:24:14:24:15 | access to field s2 |
 | C.cs:25:14:25:15 | this access [field s3] : Elem | C.cs:25:14:25:15 | access to field s3 |
 | C.cs:27:14:27:15 | this access [property s5] : Elem | C.cs:27:14:27:15 | access to property s5 |
+| D.cs:8:9:8:11 | this [field trivialPropField] : Object | D.cs:8:22:8:25 | this access [field trivialPropField] : Object |
+| D.cs:8:22:8:25 | this access [field trivialPropField] : Object | D.cs:8:22:8:42 | access to field trivialPropField : Object |
+| D.cs:9:9:9:11 | value : Object | D.cs:9:39:9:43 | access to parameter value : Object |
+| D.cs:9:39:9:43 | access to parameter value : Object | D.cs:9:15:9:18 | [post] this access [field trivialPropField] : Object |
+| D.cs:14:9:14:11 | this [field trivialPropField] : Object | D.cs:14:22:14:25 | this access [field trivialPropField] : Object |
+| D.cs:14:22:14:25 | this access [field trivialPropField] : Object | D.cs:14:22:14:42 | access to field trivialPropField : Object |
+| D.cs:15:9:15:11 | value : Object | D.cs:15:34:15:38 | access to parameter value : Object |
+| D.cs:15:34:15:38 | access to parameter value : Object | D.cs:9:9:9:11 | value : Object |
+| D.cs:15:34:15:38 | access to parameter value : Object | D.cs:15:15:15:18 | [post] this access [field trivialPropField] : Object |
+| D.cs:18:28:18:29 | o1 : Object | D.cs:21:24:21:25 | access to parameter o1 : Object |
+| D.cs:18:39:18:40 | o2 : Object | D.cs:22:27:22:28 | access to parameter o2 : Object |
+| D.cs:18:50:18:51 | o3 : Object | D.cs:23:27:23:28 | access to parameter o3 : Object |
+| D.cs:21:9:21:11 | [post] access to local variable ret [property AutoProp] : Object | D.cs:24:16:24:18 | access to local variable ret [property AutoProp] : Object |
+| D.cs:21:24:21:25 | access to parameter o1 : Object | D.cs:21:9:21:11 | [post] access to local variable ret [property AutoProp] : Object |
+| D.cs:22:9:22:11 | [post] access to local variable ret [field trivialPropField] : Object | D.cs:24:16:24:18 | access to local variable ret [field trivialPropField] : Object |
+| D.cs:22:27:22:28 | access to parameter o2 : Object | D.cs:9:9:9:11 | value : Object |
+| D.cs:22:27:22:28 | access to parameter o2 : Object | D.cs:22:9:22:11 | [post] access to local variable ret [field trivialPropField] : Object |
+| D.cs:23:9:23:11 | [post] access to local variable ret [field trivialPropField] : Object | D.cs:24:16:24:18 | access to local variable ret [field trivialPropField] : Object |
+| D.cs:23:27:23:28 | access to parameter o3 : Object | D.cs:15:9:15:11 | value : Object |
+| D.cs:23:27:23:28 | access to parameter o3 : Object | D.cs:23:9:23:11 | [post] access to local variable ret [field trivialPropField] : Object |
 | D.cs:29:17:29:28 | object creation of type Object : Object | D.cs:31:24:31:24 | access to local variable o : Object |
 | D.cs:29:17:29:28 | object creation of type Object : Object | D.cs:37:26:37:26 | access to local variable o : Object |
 | D.cs:29:17:29:28 | object creation of type Object : Object | D.cs:43:32:43:32 | access to local variable o : Object |
 | D.cs:31:17:31:37 | call to method Create [property AutoProp] : Object | D.cs:32:14:32:14 | access to local variable d [property AutoProp] : Object |
+| D.cs:31:24:31:24 | access to local variable o : Object | D.cs:18:28:18:29 | o1 : Object |
 | D.cs:31:24:31:24 | access to local variable o : Object | D.cs:31:17:31:37 | call to method Create [property AutoProp] : Object |
 | D.cs:32:14:32:14 | access to local variable d [property AutoProp] : Object | D.cs:32:14:32:23 | access to property AutoProp |
 | D.cs:37:13:37:33 | call to method Create [field trivialPropField] : Object | D.cs:39:14:39:14 | access to local variable d [field trivialPropField] : Object |
 | D.cs:37:13:37:33 | call to method Create [field trivialPropField] : Object | D.cs:40:14:40:14 | access to local variable d [field trivialPropField] : Object |
 | D.cs:37:13:37:33 | call to method Create [field trivialPropField] : Object | D.cs:41:14:41:14 | access to local variable d [field trivialPropField] : Object |
+| D.cs:37:26:37:26 | access to local variable o : Object | D.cs:18:39:18:40 | o2 : Object |
 | D.cs:37:26:37:26 | access to local variable o : Object | D.cs:37:13:37:33 | call to method Create [field trivialPropField] : Object |
+| D.cs:39:14:39:14 | access to local variable d [field trivialPropField] : Object | D.cs:8:9:8:11 | this [field trivialPropField] : Object |
 | D.cs:39:14:39:14 | access to local variable d [field trivialPropField] : Object | D.cs:39:14:39:26 | access to property TrivialProp |
 | D.cs:40:14:40:14 | access to local variable d [field trivialPropField] : Object | D.cs:40:14:40:31 | access to field trivialPropField |
+| D.cs:41:14:41:14 | access to local variable d [field trivialPropField] : Object | D.cs:14:9:14:11 | this [field trivialPropField] : Object |
 | D.cs:41:14:41:14 | access to local variable d [field trivialPropField] : Object | D.cs:41:14:41:26 | access to property ComplexProp |
 | D.cs:43:13:43:33 | call to method Create [field trivialPropField] : Object | D.cs:45:14:45:14 | access to local variable d [field trivialPropField] : Object |
 | D.cs:43:13:43:33 | call to method Create [field trivialPropField] : Object | D.cs:46:14:46:14 | access to local variable d [field trivialPropField] : Object |
 | D.cs:43:13:43:33 | call to method Create [field trivialPropField] : Object | D.cs:47:14:47:14 | access to local variable d [field trivialPropField] : Object |
+| D.cs:43:32:43:32 | access to local variable o : Object | D.cs:18:50:18:51 | o3 : Object |
 | D.cs:43:32:43:32 | access to local variable o : Object | D.cs:43:13:43:33 | call to method Create [field trivialPropField] : Object |
+| D.cs:45:14:45:14 | access to local variable d [field trivialPropField] : Object | D.cs:8:9:8:11 | this [field trivialPropField] : Object |
 | D.cs:45:14:45:14 | access to local variable d [field trivialPropField] : Object | D.cs:45:14:45:26 | access to property TrivialProp |
 | D.cs:46:14:46:14 | access to local variable d [field trivialPropField] : Object | D.cs:46:14:46:31 | access to field trivialPropField |
+| D.cs:47:14:47:14 | access to local variable d [field trivialPropField] : Object | D.cs:14:9:14:11 | this [field trivialPropField] : Object |
 | D.cs:47:14:47:14 | access to local variable d [field trivialPropField] : Object | D.cs:47:14:47:26 | access to property ComplexProp |
+| E.cs:8:29:8:29 | o : Object | E.cs:11:21:11:21 | access to parameter o : Object |
+| E.cs:11:9:11:11 | [post] access to local variable ret [field Field] : Object | E.cs:12:16:12:18 | access to local variable ret [field Field] : Object |
+| E.cs:11:21:11:21 | access to parameter o : Object | E.cs:11:9:11:11 | [post] access to local variable ret [field Field] : Object |
 | E.cs:22:17:22:28 | object creation of type Object : Object | E.cs:23:25:23:25 | access to local variable o : Object |
 | E.cs:23:17:23:26 | call to method CreateS [field Field] : Object | E.cs:24:14:24:14 | access to local variable s [field Field] : Object |
+| E.cs:23:25:23:25 | access to local variable o : Object | E.cs:8:29:8:29 | o : Object |
 | E.cs:23:25:23:25 | access to local variable o : Object | E.cs:23:17:23:26 | call to method CreateS [field Field] : Object |
 | E.cs:24:14:24:14 | access to local variable s [field Field] : Object | E.cs:24:14:24:20 | access to field Field |
+| F.cs:6:28:6:29 | o1 : Object | F.cs:6:65:6:66 | access to parameter o1 : Object |
+| F.cs:6:39:6:40 | o2 : Object | F.cs:6:78:6:79 | access to parameter o2 : Object |
+| F.cs:6:54:6:81 | { ..., ... } [field Field1] : Object | F.cs:6:46:6:81 | object creation of type F [field Field1] : Object |
+| F.cs:6:54:6:81 | { ..., ... } [field Field2] : Object | F.cs:6:46:6:81 | object creation of type F [field Field2] : Object |
+| F.cs:6:65:6:66 | access to parameter o1 : Object | F.cs:6:54:6:81 | { ..., ... } [field Field1] : Object |
+| F.cs:6:78:6:79 | access to parameter o2 : Object | F.cs:6:54:6:81 | { ..., ... } [field Field2] : Object |
 | F.cs:10:17:10:28 | object creation of type Object : Object | F.cs:11:24:11:24 | access to local variable o : Object |
 | F.cs:10:17:10:28 | object creation of type Object : Object | F.cs:15:26:15:26 | access to local variable o : Object |
 | F.cs:10:17:10:28 | object creation of type Object : Object | F.cs:19:32:19:32 | access to local variable o : Object |
 | F.cs:10:17:10:28 | object creation of type Object : Object | F.cs:23:32:23:32 | access to local variable o : Object |
 | F.cs:11:17:11:31 | call to method Create [field Field1] : Object | F.cs:12:14:12:14 | access to local variable f [field Field1] : Object |
+| F.cs:11:24:11:24 | access to local variable o : Object | F.cs:6:28:6:29 | o1 : Object |
 | F.cs:11:24:11:24 | access to local variable o : Object | F.cs:11:17:11:31 | call to method Create [field Field1] : Object |
 | F.cs:12:14:12:14 | access to local variable f [field Field1] : Object | F.cs:12:14:12:21 | access to field Field1 |
 | F.cs:15:13:15:27 | call to method Create [field Field2] : Object | F.cs:17:14:17:14 | access to local variable f [field Field2] : Object |
+| F.cs:15:26:15:26 | access to local variable o : Object | F.cs:6:39:6:40 | o2 : Object |
 | F.cs:15:26:15:26 | access to local variable o : Object | F.cs:15:13:15:27 | call to method Create [field Field2] : Object |
 | F.cs:17:14:17:14 | access to local variable f [field Field2] : Object | F.cs:17:14:17:21 | access to field Field2 |
 | F.cs:19:21:19:34 | { ..., ... } [field Field1] : Object | F.cs:20:14:20:14 | access to local variable f [field Field1] : Object |
@ -146,6 +241,7 @@ edges
 | G.cs:17:9:17:9 | [post] access to local variable b [field Box1, field Elem] : Elem | G.cs:18:18:18:18 | access to local variable b [field Box1, field Elem] : Elem |
 | G.cs:17:9:17:14 | [post] access to field Box1 [field Elem] : Elem | G.cs:17:9:17:9 | [post] access to local variable b [field Box1, field Elem] : Elem |
 | G.cs:17:24:17:24 | access to local variable e : Elem | G.cs:17:9:17:14 | [post] access to field Box1 [field Elem] : Elem |
+| G.cs:17:24:17:24 | access to local variable e : Elem | G.cs:64:34:64:34 | e : Elem |
 | G.cs:18:18:18:18 | access to local variable b [field Box1, field Elem] : Elem | G.cs:37:38:37:39 | b2 [field Box1, field Elem] : Elem |
 | G.cs:23:18:23:27 | object creation of type Elem : Elem | G.cs:25:28:25:28 | access to local variable e : Elem |
 | G.cs:25:9:25:9 | [post] access to local variable b [field Box1, field Elem] : Elem | G.cs:26:18:26:18 | access to local variable b [field Box1, field Elem] : Elem |
@ -156,10 +252,13 @@ edges
 | G.cs:33:9:33:9 | [post] access to local variable b [field Box1, field Elem] : Elem | G.cs:34:18:34:18 | access to local variable b [field Box1, field Elem] : Elem |
 | G.cs:33:9:33:19 | [post] call to method GetBox1 [field Elem] : Elem | G.cs:33:9:33:9 | [post] access to local variable b [field Box1, field Elem] : Elem |
 | G.cs:33:29:33:29 | access to local variable e : Elem | G.cs:33:9:33:19 | [post] call to method GetBox1 [field Elem] : Elem |
+| G.cs:33:29:33:29 | access to local variable e : Elem | G.cs:64:34:64:34 | e : Elem |
 | G.cs:34:18:34:18 | access to local variable b [field Box1, field Elem] : Elem | G.cs:37:38:37:39 | b2 [field Box1, field Elem] : Elem |
 | G.cs:37:38:37:39 | b2 [field Box1, field Elem] : Elem | G.cs:39:14:39:15 | access to parameter b2 [field Box1, field Elem] : Elem |
 | G.cs:39:14:39:15 | access to parameter b2 [field Box1, field Elem] : Elem | G.cs:39:14:39:25 | call to method GetBox1 [field Elem] : Elem |
+| G.cs:39:14:39:15 | access to parameter b2 [field Box1, field Elem] : Elem | G.cs:71:21:71:27 | this [field Box1, field Elem] : Elem |
 | G.cs:39:14:39:25 | call to method GetBox1 [field Elem] : Elem | G.cs:39:14:39:35 | call to method GetElem |
+| G.cs:39:14:39:25 | call to method GetBox1 [field Elem] : Elem | G.cs:63:21:63:27 | this [field Elem] : Elem |
 | G.cs:44:18:44:27 | object creation of type Elem : Elem | G.cs:46:30:46:30 | access to local variable e : Elem |
 | G.cs:46:9:46:16 | [post] access to field boxfield [field Box1, field Elem] : Elem | G.cs:46:9:46:16 | [post] this access [field boxfield, field Box1, field Elem] : Elem |
 | G.cs:46:9:46:16 | [post] this access [field boxfield, field Box1, field Elem] : Elem | G.cs:47:9:47:13 | this access [field boxfield, field Box1, field Elem] : Elem |
@ -170,44 +269,99 @@ edges
 | G.cs:52:14:52:21 | access to field boxfield [field Box1, field Elem] : Elem | G.cs:52:14:52:26 | access to field Box1 [field Elem] : Elem |
 | G.cs:52:14:52:21 | this access [field boxfield, field Box1, field Elem] : Elem | G.cs:52:14:52:21 | access to field boxfield [field Box1, field Elem] : Elem |
 | G.cs:52:14:52:26 | access to field Box1 [field Elem] : Elem | G.cs:52:14:52:31 | access to field Elem |
+| G.cs:63:21:63:27 | this [field Elem] : Elem | G.cs:63:34:63:37 | this access [field Elem] : Elem |
+| G.cs:63:34:63:37 | this access [field Elem] : Elem | G.cs:63:34:63:37 | access to field Elem : Elem |
+| G.cs:64:34:64:34 | e : Elem | G.cs:64:46:64:46 | access to parameter e : Elem |
+| G.cs:64:46:64:46 | access to parameter e : Elem | G.cs:64:39:64:42 | [post] this access [field Elem] : Elem |
+| G.cs:71:21:71:27 | this [field Box1, field Elem] : Elem | G.cs:71:34:71:37 | this access [field Box1, field Elem] : Elem |
+| G.cs:71:34:71:37 | this access [field Box1, field Elem] : Elem | G.cs:71:34:71:37 | access to field Box1 [field Elem] : Elem |
+| H.cs:13:15:13:15 | a [field FieldA] : Object | H.cs:16:22:16:22 | access to parameter a [field FieldA] : Object |
+| H.cs:16:9:16:11 | [post] access to local variable ret [field FieldA] : Object | H.cs:17:16:17:18 | access to local variable ret [field FieldA] : Object |
+| H.cs:16:22:16:22 | access to parameter a [field FieldA] : Object | H.cs:16:22:16:29 | access to field FieldA : Object |
+| H.cs:16:22:16:29 | access to field FieldA : Object | H.cs:16:9:16:11 | [post] access to local variable ret [field FieldA] : Object |
 | H.cs:23:9:23:9 | [post] access to local variable a [field FieldA] : Object | H.cs:24:27:24:27 | access to local variable a [field FieldA] : Object |
 | H.cs:23:20:23:31 | object creation of type Object : Object | H.cs:23:9:23:9 | [post] access to local variable a [field FieldA] : Object |
 | H.cs:24:21:24:28 | call to method Clone [field FieldA] : Object | H.cs:25:14:25:18 | access to local variable clone [field FieldA] : Object |
+| H.cs:24:27:24:27 | access to local variable a [field FieldA] : Object | H.cs:13:15:13:15 | a [field FieldA] : Object |
 | H.cs:24:27:24:27 | access to local variable a [field FieldA] : Object | H.cs:24:21:24:28 | call to method Clone [field FieldA] : Object |
 | H.cs:25:14:25:18 | access to local variable clone [field FieldA] : Object | H.cs:25:14:25:25 | access to field FieldA |
+| H.cs:33:19:33:19 | a [field FieldA] : A | H.cs:36:20:36:20 | access to parameter a [field FieldA] : A |
+| H.cs:33:19:33:19 | a [field FieldA] : Object | H.cs:36:20:36:20 | access to parameter a [field FieldA] : Object |
+| H.cs:36:9:36:9 | [post] access to local variable b [field FieldB] : A | H.cs:37:16:37:16 | access to local variable b [field FieldB] : A |
+| H.cs:36:9:36:9 | [post] access to local variable b [field FieldB] : Object | H.cs:37:16:37:16 | access to local variable b [field FieldB] : Object |
+| H.cs:36:20:36:20 | access to parameter a [field FieldA] : A | H.cs:36:20:36:27 | access to field FieldA : A |
+| H.cs:36:20:36:20 | access to parameter a [field FieldA] : Object | H.cs:36:20:36:27 | access to field FieldA : Object |
+| H.cs:36:20:36:27 | access to field FieldA : A | H.cs:36:9:36:9 | [post] access to local variable b [field FieldB] : A |
+| H.cs:36:20:36:27 | access to field FieldA : Object | H.cs:36:9:36:9 | [post] access to local variable b [field FieldB] : Object |
 | H.cs:43:9:43:9 | [post] access to local variable a [field FieldA] : Object | H.cs:44:27:44:27 | access to local variable a [field FieldA] : Object |
 | H.cs:43:20:43:31 | object creation of type Object : Object | H.cs:43:9:43:9 | [post] access to local variable a [field FieldA] : Object |
 | H.cs:44:17:44:28 | call to method Transform [field FieldB] : Object | H.cs:45:14:45:14 | access to local variable b [field FieldB] : Object |
+| H.cs:44:27:44:27 | access to local variable a [field FieldA] : Object | H.cs:33:19:33:19 | a [field FieldA] : Object |
 | H.cs:44:27:44:27 | access to local variable a [field FieldA] : Object | H.cs:44:17:44:28 | call to method Transform [field FieldB] : Object |
 | H.cs:45:14:45:14 | access to local variable b [field FieldB] : Object | H.cs:45:14:45:21 | access to field FieldB |
+| H.cs:53:25:53:25 | a [field FieldA] : Object | H.cs:55:21:55:21 | access to parameter a [field FieldA] : Object |
+| H.cs:55:21:55:21 | access to parameter a [field FieldA] : Object | H.cs:55:21:55:28 | access to field FieldA : Object |
+| H.cs:55:21:55:28 | access to field FieldA : Object | H.cs:55:9:55:10 | [post] access to parameter b1 [field FieldB] : Object |
 | H.cs:63:9:63:9 | [post] access to local variable a [field FieldA] : Object | H.cs:64:22:64:22 | access to local variable a [field FieldA] : Object |
 | H.cs:63:20:63:31 | object creation of type Object : Object | H.cs:63:9:63:9 | [post] access to local variable a [field FieldA] : Object |
+| H.cs:64:22:64:22 | access to local variable a [field FieldA] : Object | H.cs:53:25:53:25 | a [field FieldA] : Object |
 | H.cs:64:22:64:22 | access to local variable a [field FieldA] : Object | H.cs:64:25:64:26 | [post] access to local variable b1 [field FieldB] : Object |
 | H.cs:64:25:64:26 | [post] access to local variable b1 [field FieldB] : Object | H.cs:65:14:65:15 | access to local variable b1 [field FieldB] : Object |
 | H.cs:65:14:65:15 | access to local variable b1 [field FieldB] : Object | H.cs:65:14:65:22 | access to field FieldB |
+| H.cs:77:30:77:30 | o : Object | H.cs:79:20:79:20 | access to parameter o : Object |
+| H.cs:79:9:79:9 | [post] access to parameter a [field FieldA] : Object | H.cs:80:22:80:22 | access to parameter a [field FieldA] : Object |
+| H.cs:79:20:79:20 | access to parameter o : Object | H.cs:79:9:79:9 | [post] access to parameter a [field FieldA] : Object |
+| H.cs:80:22:80:22 | access to parameter a [field FieldA] : Object | H.cs:53:25:53:25 | a [field FieldA] : Object |
+| H.cs:80:22:80:22 | access to parameter a [field FieldA] : Object | H.cs:80:25:80:26 | [post] access to parameter b1 [field FieldB] : Object |
 | H.cs:88:17:88:17 | [post] access to local variable a [field FieldA] : Object | H.cs:89:14:89:14 | access to local variable a [field FieldA] : Object |
+| H.cs:88:20:88:31 | object creation of type Object : Object | H.cs:77:30:77:30 | o : Object |
 | H.cs:88:20:88:31 | object creation of type Object : Object | H.cs:88:17:88:17 | [post] access to local variable a [field FieldA] : Object |
 | H.cs:88:20:88:31 | object creation of type Object : Object | H.cs:88:34:88:35 | [post] access to local variable b1 [field FieldB] : Object |
 | H.cs:88:34:88:35 | [post] access to local variable b1 [field FieldB] : Object | H.cs:90:14:90:15 | access to local variable b1 [field FieldB] : Object |
 | H.cs:89:14:89:14 | access to local variable a [field FieldA] : Object | H.cs:89:14:89:21 | access to field FieldA |
 | H.cs:90:14:90:15 | access to local variable b1 [field FieldB] : Object | H.cs:90:14:90:22 | access to field FieldB |
+| H.cs:102:23:102:23 | a [field FieldA] : Object | H.cs:105:23:105:23 | access to parameter a [field FieldA] : Object |
+| H.cs:105:9:105:12 | [post] access to local variable temp [field FieldB, field FieldA] : Object | H.cs:106:29:106:32 | access to local variable temp [field FieldB, field FieldA] : Object |
+| H.cs:105:23:105:23 | access to parameter a [field FieldA] : Object | H.cs:105:9:105:12 | [post] access to local variable temp [field FieldB, field FieldA] : Object |
+| H.cs:106:26:106:39 | (...) ... [field FieldA] : Object | H.cs:33:19:33:19 | a [field FieldA] : Object |
+| H.cs:106:26:106:39 | (...) ... [field FieldA] : Object | H.cs:106:16:106:40 | call to method Transform [field FieldB] : Object |
+| H.cs:106:29:106:32 | access to local variable temp [field FieldB, field FieldA] : Object | H.cs:106:29:106:39 | access to field FieldB [field FieldA] : Object |
+| H.cs:106:29:106:39 | access to field FieldB [field FieldA] : Object | H.cs:106:26:106:39 | (...) ... [field FieldA] : Object |
 | H.cs:112:9:112:9 | [post] access to local variable a [field FieldA] : Object | H.cs:113:31:113:31 | access to local variable a [field FieldA] : Object |
 | H.cs:112:20:112:31 | object creation of type Object : Object | H.cs:112:9:112:9 | [post] access to local variable a [field FieldA] : Object |
 | H.cs:113:17:113:32 | call to method TransformWrap [field FieldB] : Object | H.cs:114:14:114:14 | access to local variable b [field FieldB] : Object |
+| H.cs:113:31:113:31 | access to local variable a [field FieldA] : Object | H.cs:102:23:102:23 | a [field FieldA] : Object |
 | H.cs:113:31:113:31 | access to local variable a [field FieldA] : Object | H.cs:113:17:113:32 | call to method TransformWrap [field FieldB] : Object |
 | H.cs:114:14:114:14 | access to local variable b [field FieldB] : Object | H.cs:114:14:114:21 | access to field FieldB |
+| H.cs:122:18:122:18 | a [field FieldA] : Object | H.cs:124:26:124:26 | access to parameter a [field FieldA] : Object |
+| H.cs:124:16:124:27 | call to method Transform [field FieldB] : Object | H.cs:124:16:124:34 | access to field FieldB : Object |
+| H.cs:124:26:124:26 | access to parameter a [field FieldA] : Object | H.cs:33:19:33:19 | a [field FieldA] : Object |
+| H.cs:124:26:124:26 | access to parameter a [field FieldA] : Object | H.cs:124:16:124:27 | call to method Transform [field FieldB] : Object |
 | H.cs:130:9:130:9 | [post] access to local variable a [field FieldA] : Object | H.cs:131:18:131:18 | access to local variable a [field FieldA] : Object |
 | H.cs:130:20:130:31 | object creation of type Object : Object | H.cs:130:9:130:9 | [post] access to local variable a [field FieldA] : Object |
+| H.cs:131:18:131:18 | access to local variable a [field FieldA] : Object | H.cs:122:18:122:18 | a [field FieldA] : Object |
 | H.cs:131:18:131:18 | access to local variable a [field FieldA] : Object | H.cs:131:14:131:19 | call to method Get |
+| H.cs:138:27:138:27 | o : A | H.cs:141:20:141:25 | ... as ... : A |
+| H.cs:141:9:141:9 | [post] access to local variable a [field FieldA] : A | H.cs:142:26:142:26 | access to local variable a [field FieldA] : A |
+| H.cs:141:20:141:25 | ... as ... : A | H.cs:141:9:141:9 | [post] access to local variable a [field FieldA] : A |
+| H.cs:142:16:142:27 | call to method Transform [field FieldB] : A | H.cs:142:16:142:34 | access to field FieldB : A |
+| H.cs:142:26:142:26 | access to local variable a [field FieldA] : A | H.cs:33:19:33:19 | a [field FieldA] : A |
+| H.cs:142:26:142:26 | access to local variable a [field FieldA] : A | H.cs:142:16:142:27 | call to method Transform [field FieldB] : A |
 | H.cs:147:17:147:32 | call to method Through : A | H.cs:148:14:148:14 | access to local variable a |
+| H.cs:147:25:147:31 | object creation of type A : A | H.cs:138:27:138:27 | o : A |
 | H.cs:147:25:147:31 | object creation of type A : A | H.cs:147:17:147:32 | call to method Through : A |
+| H.cs:153:32:153:32 | o : Object | H.cs:156:20:156:20 | access to parameter o : Object |
 | H.cs:155:17:155:23 | object creation of type B : B | H.cs:156:9:156:9 | access to local variable b : B |
+| H.cs:156:9:156:9 | [post] access to local variable b [field FieldB] : Object | H.cs:157:20:157:20 | access to local variable b [field FieldB] : Object |
 | H.cs:156:9:156:9 | access to local variable b : B | H.cs:157:20:157:20 | access to local variable b : B |
+| H.cs:156:20:156:20 | access to parameter o : Object | H.cs:156:9:156:9 | [post] access to local variable b [field FieldB] : Object |
 | H.cs:157:9:157:9 | [post] access to parameter a [field FieldA] : B | H.cs:164:19:164:19 | [post] access to local variable a [field FieldA] : B |
 | H.cs:157:20:157:20 | access to local variable b : B | H.cs:157:9:157:9 | [post] access to parameter a [field FieldA] : B |
+| H.cs:157:20:157:20 | access to local variable b [field FieldB] : Object | H.cs:157:9:157:9 | [post] access to parameter a [field FieldA, field FieldB] : Object |
 | H.cs:163:17:163:28 | object creation of type Object : Object | H.cs:164:22:164:22 | access to local variable o : Object |
 | H.cs:164:19:164:19 | [post] access to local variable a [field FieldA, field FieldB] : Object | H.cs:165:21:165:21 | access to local variable a [field FieldA, field FieldB] : Object |
 | H.cs:164:19:164:19 | [post] access to local variable a [field FieldA] : B | H.cs:165:21:165:21 | access to local variable a [field FieldA] : B |
+| H.cs:164:22:164:22 | access to local variable o : Object | H.cs:153:32:153:32 | o : Object |
 | H.cs:164:22:164:22 | access to local variable o : Object | H.cs:164:19:164:19 | [post] access to local variable a [field FieldA, field FieldB] : Object |
 | H.cs:165:17:165:28 | (...) ... : B | H.cs:166:14:166:14 | access to local variable b |
 | H.cs:165:17:165:28 | (...) ... [field FieldB] : Object | H.cs:167:14:167:14 | access to local variable b [field FieldB] : Object |
@ -271,6 +425,14 @@ nodes
 | A.cs:31:29:31:36 | object creation of type C2 : C2 | semmle.label | object creation of type C2 : C2 |
 | A.cs:33:14:33:15 | access to local variable b2 [field c] : C2 | semmle.label | access to local variable b2 [field c] : C2 |
 | A.cs:33:14:33:17 | access to field c | semmle.label | access to field c |
+| A.cs:36:33:36:33 | c : C2 | semmle.label | c : C2 |
+| A.cs:38:18:38:30 | call to method SetOnB [field c] : C2 | semmle.label | call to method SetOnB [field c] : C2 |
+| A.cs:38:29:38:29 | access to parameter c : C2 | semmle.label | access to parameter c : C2 |
+| A.cs:39:16:39:28 | ... ? ... : ... [field c] : C2 | semmle.label | ... ? ... : ... [field c] : C2 |
+| A.cs:42:29:42:29 | c : C2 | semmle.label | c : C2 |
+| A.cs:47:13:47:14 | [post] access to local variable b2 [field c] : C2 | semmle.label | [post] access to local variable b2 [field c] : C2 |
+| A.cs:47:20:47:20 | access to parameter c : C2 | semmle.label | access to parameter c : C2 |
+| A.cs:48:20:48:21 | access to local variable b2 [field c] : C2 | semmle.label | access to local variable b2 [field c] : C2 |
 | A.cs:55:17:55:23 | object creation of type A : A | semmle.label | object creation of type A : A |
 | A.cs:57:9:57:10 | [post] access to local variable c1 [field a] : A | semmle.label | [post] access to local variable c1 [field a] : A |
 | A.cs:57:16:57:16 | access to local variable a : A | semmle.label | access to local variable a : A |
@ -283,10 +445,14 @@ nodes
 | A.cs:88:12:88:12 | [post] access to local variable b [field c] : C | semmle.label | [post] access to local variable b [field c] : C |
 | A.cs:89:14:89:14 | access to local variable b [field c] : C | semmle.label | access to local variable b [field c] : C |
 | A.cs:89:14:89:16 | access to field c | semmle.label | access to field c |
+| A.cs:95:20:95:20 | b : B | semmle.label | b : B |
 | A.cs:97:13:97:13 | [post] access to parameter b [field c] : C | semmle.label | [post] access to parameter b [field c] : C |
+| A.cs:97:13:97:13 | access to parameter b : B | semmle.label | access to parameter b : B |
 | A.cs:97:19:97:25 | object creation of type C : C | semmle.label | object creation of type C : C |
 | A.cs:98:13:98:16 | [post] this access [field b, field c] : C | semmle.label | [post] this access [field b, field c] : C |
 | A.cs:98:13:98:16 | [post] this access [field b] : B | semmle.label | [post] this access [field b] : B |
+| A.cs:98:13:98:16 | [post] this access [field b] : B | semmle.label | [post] this access [field b] : B |
+| A.cs:98:22:98:36 | ... ? ... : ... : B | semmle.label | ... ? ... : ... : B |
 | A.cs:98:22:98:36 | ... ? ... : ... : B | semmle.label | ... ? ... : ... : B |
 | A.cs:98:22:98:36 | ... ? ... : ... [field c] : C | semmle.label | ... ? ... : ... [field c] : C |
 | A.cs:98:30:98:36 | object creation of type B : B | semmle.label | object creation of type B : B |
@ -319,6 +485,36 @@ nodes
 | A.cs:121:41:121:46 | access to field next [field next, field head] : B | semmle.label | access to field next [field next, field head] : B |
 | A.cs:123:18:123:18 | access to local variable l [field head] : B | semmle.label | access to local variable l [field head] : B |
 | A.cs:123:18:123:23 | access to field head | semmle.label | access to field head |
+| A.cs:141:20:141:20 | c : C | semmle.label | c : C |
+| A.cs:143:13:143:16 | [post] this access [field c] : C | semmle.label | [post] this access [field c] : C |
+| A.cs:143:22:143:22 | access to parameter c : C | semmle.label | access to parameter c : C |
+| A.cs:145:27:145:27 | c : C | semmle.label | c : C |
+| A.cs:145:27:145:27 | c : C1 | semmle.label | c : C1 |
+| A.cs:145:27:145:27 | c : C2 | semmle.label | c : C2 |
+| A.cs:145:32:145:35 | [post] this access [field c] : C | semmle.label | [post] this access [field c] : C |
+| A.cs:145:32:145:35 | [post] this access [field c] : C1 | semmle.label | [post] this access [field c] : C1 |
+| A.cs:145:32:145:35 | [post] this access [field c] : C2 | semmle.label | [post] this access [field c] : C2 |
+| A.cs:145:41:145:41 | access to parameter c : C | semmle.label | access to parameter c : C |
+| A.cs:145:41:145:41 | access to parameter c : C1 | semmle.label | access to parameter c : C1 |
+| A.cs:145:41:145:41 | access to parameter c : C2 | semmle.label | access to parameter c : C2 |
+| A.cs:146:18:146:20 | this [field c] : C | semmle.label | this [field c] : C |
+| A.cs:146:18:146:20 | this [field c] : C1 | semmle.label | this [field c] : C1 |
+| A.cs:146:33:146:36 | this access [field c] : C | semmle.label | this access [field c] : C |
+| A.cs:146:33:146:36 | this access [field c] : C1 | semmle.label | this access [field c] : C1 |
+| A.cs:146:33:146:38 | access to field c : C | semmle.label | access to field c : C |
+| A.cs:146:33:146:38 | access to field c : C1 | semmle.label | access to field c : C1 |
+| A.cs:147:32:147:32 | c : C | semmle.label | c : C |
+| A.cs:149:20:149:27 | object creation of type B [field c] : C | semmle.label | object creation of type B [field c] : C |
+| A.cs:149:26:149:26 | access to parameter c : C | semmle.label | access to parameter c : C |
+| A.cs:157:25:157:28 | head : B | semmle.label | head : B |
+| A.cs:157:38:157:41 | next [field head] : B | semmle.label | next [field head] : B |
+| A.cs:157:38:157:41 | next [field next, field head] : B | semmle.label | next [field next, field head] : B |
+| A.cs:159:13:159:16 | [post] this access [field head] : B | semmle.label | [post] this access [field head] : B |
+| A.cs:159:25:159:28 | access to parameter head : B | semmle.label | access to parameter head : B |
+| A.cs:160:13:160:16 | [post] this access [field next, field head] : B | semmle.label | [post] this access [field next, field head] : B |
+| A.cs:160:13:160:16 | [post] this access [field next, field next, field head] : B | semmle.label | [post] this access [field next, field next, field head] : B |
+| A.cs:160:25:160:28 | access to parameter next [field head] : B | semmle.label | access to parameter next [field head] : B |
+| A.cs:160:25:160:28 | access to parameter next [field next, field head] : B | semmle.label | access to parameter next [field next, field head] : B |
 | B.cs:5:17:5:26 | object creation of type Elem : Elem | semmle.label | object creation of type Elem : Elem |
 | B.cs:6:18:6:34 | object creation of type Box1 [field elem1] : Elem | semmle.label | object creation of type Box1 [field elem1] : Elem |
 | B.cs:6:27:6:27 | access to local variable e : Elem | semmle.label | access to local variable e : Elem |
@ -335,6 +531,18 @@ nodes
 | B.cs:18:14:18:15 | access to local variable b2 [field box1, field elem2] : Elem | semmle.label | access to local variable b2 [field box1, field elem2] : Elem |
 | B.cs:18:14:18:20 | access to field box1 [field elem2] : Elem | semmle.label | access to field box1 [field elem2] : Elem |
 | B.cs:18:14:18:26 | access to field elem2 | semmle.label | access to field elem2 |
+| B.cs:29:26:29:27 | e1 : Elem | semmle.label | e1 : Elem |
+| B.cs:29:35:29:36 | e2 : Elem | semmle.label | e2 : Elem |
+| B.cs:31:13:31:16 | [post] this access [field elem1] : Elem | semmle.label | [post] this access [field elem1] : Elem |
+| B.cs:31:26:31:27 | access to parameter e1 : Elem | semmle.label | access to parameter e1 : Elem |
+| B.cs:32:13:32:16 | [post] this access [field elem2] : Elem | semmle.label | [post] this access [field elem2] : Elem |
+| B.cs:32:26:32:27 | access to parameter e2 : Elem | semmle.label | access to parameter e2 : Elem |
+| B.cs:39:26:39:27 | b1 [field elem1] : Elem | semmle.label | b1 [field elem1] : Elem |
+| B.cs:39:26:39:27 | b1 [field elem2] : Elem | semmle.label | b1 [field elem2] : Elem |
+| B.cs:41:13:41:16 | [post] this access [field box1, field elem1] : Elem | semmle.label | [post] this access [field box1, field elem1] : Elem |
+| B.cs:41:13:41:16 | [post] this access [field box1, field elem2] : Elem | semmle.label | [post] this access [field box1, field elem2] : Elem |
+| B.cs:41:25:41:26 | access to parameter b1 [field elem1] : Elem | semmle.label | access to parameter b1 [field elem1] : Elem |
+| B.cs:41:25:41:26 | access to parameter b1 [field elem2] : Elem | semmle.label | access to parameter b1 [field elem2] : Elem |
 | C.cs:3:18:3:19 | [post] this access [field s1] : Elem | semmle.label | [post] this access [field s1] : Elem |
 | C.cs:3:23:3:32 | object creation of type Elem : Elem | semmle.label | object creation of type Elem : Elem |
 | C.cs:4:27:4:28 | [post] this access [field s2] : Elem | semmle.label | [post] this access [field s2] : Elem |
@ -367,6 +575,30 @@ nodes
 | C.cs:27:14:27:15 | access to property s5 | semmle.label | access to property s5 |
 | C.cs:27:14:27:15 | this access [property s5] : Elem | semmle.label | this access [property s5] : Elem |
 | C.cs:28:14:28:15 | access to property s6 | semmle.label | access to property s6 |
+| D.cs:8:9:8:11 | this [field trivialPropField] : Object | semmle.label | this [field trivialPropField] : Object |
+| D.cs:8:22:8:25 | this access [field trivialPropField] : Object | semmle.label | this access [field trivialPropField] : Object |
+| D.cs:8:22:8:42 | access to field trivialPropField : Object | semmle.label | access to field trivialPropField : Object |
+| D.cs:9:9:9:11 | value : Object | semmle.label | value : Object |
+| D.cs:9:15:9:18 | [post] this access [field trivialPropField] : Object | semmle.label | [post] this access [field trivialPropField] : Object |
+| D.cs:9:39:9:43 | access to parameter value : Object | semmle.label | access to parameter value : Object |
+| D.cs:14:9:14:11 | this [field trivialPropField] : Object | semmle.label | this [field trivialPropField] : Object |
+| D.cs:14:22:14:25 | this access [field trivialPropField] : Object | semmle.label | this access [field trivialPropField] : Object |
+| D.cs:14:22:14:42 | access to field trivialPropField : Object | semmle.label | access to field trivialPropField : Object |
+| D.cs:15:9:15:11 | value : Object | semmle.label | value : Object |
+| D.cs:15:15:15:18 | [post] this access [field trivialPropField] : Object | semmle.label | [post] this access [field trivialPropField] : Object |
+| D.cs:15:34:15:38 | access to parameter value : Object | semmle.label | access to parameter value : Object |
+| D.cs:18:28:18:29 | o1 : Object | semmle.label | o1 : Object |
+| D.cs:18:39:18:40 | o2 : Object | semmle.label | o2 : Object |
+| D.cs:18:50:18:51 | o3 : Object | semmle.label | o3 : Object |
+| D.cs:21:9:21:11 | [post] access to local variable ret [property AutoProp] : Object | semmle.label | [post] access to local variable ret [property AutoProp] : Object |
+| D.cs:21:24:21:25 | access to parameter o1 : Object | semmle.label | access to parameter o1 : Object |
+| D.cs:22:9:22:11 | [post] access to local variable ret [field trivialPropField] : Object | semmle.label | [post] access to local variable ret [field trivialPropField] : Object |
+| D.cs:22:27:22:28 | access to parameter o2 : Object | semmle.label | access to parameter o2 : Object |
+| D.cs:23:9:23:11 | [post] access to local variable ret [field trivialPropField] : Object | semmle.label | [post] access to local variable ret [field trivialPropField] : Object |
+| D.cs:23:27:23:28 | access to parameter o3 : Object | semmle.label | access to parameter o3 : Object |
+| D.cs:24:16:24:18 | access to local variable ret [field trivialPropField] : Object | semmle.label | access to local variable ret [field trivialPropField] : Object |
+| D.cs:24:16:24:18 | access to local variable ret [field trivialPropField] : Object | semmle.label | access to local variable ret [field trivialPropField] : Object |
+| D.cs:24:16:24:18 | access to local variable ret [property AutoProp] : Object | semmle.label | access to local variable ret [property AutoProp] : Object |
 | D.cs:29:17:29:28 | object creation of type Object : Object | semmle.label | object creation of type Object : Object |
 | D.cs:31:17:31:37 | call to method Create [property AutoProp] : Object | semmle.label | call to method Create [property AutoProp] : Object |
 | D.cs:31:24:31:24 | access to local variable o : Object | semmle.label | access to local variable o : Object |
@ -388,11 +620,23 @@ nodes
 | D.cs:46:14:46:31 | access to field trivialPropField | semmle.label | access to field trivialPropField |
 | D.cs:47:14:47:14 | access to local variable d [field trivialPropField] : Object | semmle.label | access to local variable d [field trivialPropField] : Object |
 | D.cs:47:14:47:26 | access to property ComplexProp | semmle.label | access to property ComplexProp |
+| E.cs:8:29:8:29 | o : Object | semmle.label | o : Object |
+| E.cs:11:9:11:11 | [post] access to local variable ret [field Field] : Object | semmle.label | [post] access to local variable ret [field Field] : Object |
+| E.cs:11:21:11:21 | access to parameter o : Object | semmle.label | access to parameter o : Object |
+| E.cs:12:16:12:18 | access to local variable ret [field Field] : Object | semmle.label | access to local variable ret [field Field] : Object |
 | E.cs:22:17:22:28 | object creation of type Object : Object | semmle.label | object creation of type Object : Object |
 | E.cs:23:17:23:26 | call to method CreateS [field Field] : Object | semmle.label | call to method CreateS [field Field] : Object |
 | E.cs:23:25:23:25 | access to local variable o : Object | semmle.label | access to local variable o : Object |
 | E.cs:24:14:24:14 | access to local variable s [field Field] : Object | semmle.label | access to local variable s [field Field] : Object |
 | E.cs:24:14:24:20 | access to field Field | semmle.label | access to field Field |
+| F.cs:6:28:6:29 | o1 : Object | semmle.label | o1 : Object |
+| F.cs:6:39:6:40 | o2 : Object | semmle.label | o2 : Object |
+| F.cs:6:46:6:81 | object creation of type F [field Field1] : Object | semmle.label | object creation of type F [field Field1] : Object |
+| F.cs:6:46:6:81 | object creation of type F [field Field2] : Object | semmle.label | object creation of type F [field Field2] : Object |
+| F.cs:6:54:6:81 | { ..., ... } [field Field1] : Object | semmle.label | { ..., ... } [field Field1] : Object |
+| F.cs:6:54:6:81 | { ..., ... } [field Field2] : Object | semmle.label | { ..., ... } [field Field2] : Object |
+| F.cs:6:65:6:66 | access to parameter o1 : Object | semmle.label | access to parameter o1 : Object |
+| F.cs:6:78:6:79 | access to parameter o2 : Object | semmle.label | access to parameter o2 : Object |
 | F.cs:10:17:10:28 | object creation of type Object : Object | semmle.label | object creation of type Object : Object |
 | F.cs:11:17:11:31 | call to method Create [field Field1] : Object | semmle.label | call to method Create [field Field1] : Object |
 | F.cs:11:24:11:24 | access to local variable o : Object | semmle.label | access to local variable o : Object |
@ -445,24 +689,57 @@ nodes
 | G.cs:52:14:52:21 | this access [field boxfield, field Box1, field Elem] : Elem | semmle.label | this access [field boxfield, field Box1, field Elem] : Elem |
 | G.cs:52:14:52:26 | access to field Box1 [field Elem] : Elem | semmle.label | access to field Box1 [field Elem] : Elem |
 | G.cs:52:14:52:31 | access to field Elem | semmle.label | access to field Elem |
+| G.cs:63:21:63:27 | this [field Elem] : Elem | semmle.label | this [field Elem] : Elem |
+| G.cs:63:34:63:37 | access to field Elem : Elem | semmle.label | access to field Elem : Elem |
+| G.cs:63:34:63:37 | this access [field Elem] : Elem | semmle.label | this access [field Elem] : Elem |
+| G.cs:64:34:64:34 | e : Elem | semmle.label | e : Elem |
+| G.cs:64:39:64:42 | [post] this access [field Elem] : Elem | semmle.label | [post] this access [field Elem] : Elem |
+| G.cs:64:46:64:46 | access to parameter e : Elem | semmle.label | access to parameter e : Elem |
+| G.cs:71:21:71:27 | this [field Box1, field Elem] : Elem | semmle.label | this [field Box1, field Elem] : Elem |
+| G.cs:71:34:71:37 | access to field Box1 [field Elem] : Elem | semmle.label | access to field Box1 [field Elem] : Elem |
+| G.cs:71:34:71:37 | this access [field Box1, field Elem] : Elem | semmle.label | this access [field Box1, field Elem] : Elem |
+| H.cs:13:15:13:15 | a [field FieldA] : Object | semmle.label | a [field FieldA] : Object |
+| H.cs:16:9:16:11 | [post] access to local variable ret [field FieldA] : Object | semmle.label | [post] access to local variable ret [field FieldA] : Object |
+| H.cs:16:22:16:22 | access to parameter a [field FieldA] : Object | semmle.label | access to parameter a [field FieldA] : Object |
+| H.cs:16:22:16:29 | access to field FieldA : Object | semmle.label | access to field FieldA : Object |
+| H.cs:17:16:17:18 | access to local variable ret [field FieldA] : Object | semmle.label | access to local variable ret [field FieldA] : Object |
 | H.cs:23:9:23:9 | [post] access to local variable a [field FieldA] : Object | semmle.label | [post] access to local variable a [field FieldA] : Object |
 | H.cs:23:20:23:31 | object creation of type Object : Object | semmle.label | object creation of type Object : Object |
 | H.cs:24:21:24:28 | call to method Clone [field FieldA] : Object | semmle.label | call to method Clone [field FieldA] : Object |
 | H.cs:24:27:24:27 | access to local variable a [field FieldA] : Object | semmle.label | access to local variable a [field FieldA] : Object |
 | H.cs:25:14:25:18 | access to local variable clone [field FieldA] : Object | semmle.label | access to local variable clone [field FieldA] : Object |
 | H.cs:25:14:25:25 | access to field FieldA | semmle.label | access to field FieldA |
+| H.cs:33:19:33:19 | a [field FieldA] : A | semmle.label | a [field FieldA] : A |
+| H.cs:33:19:33:19 | a [field FieldA] : Object | semmle.label | a [field FieldA] : Object |
+| H.cs:36:9:36:9 | [post] access to local variable b [field FieldB] : A | semmle.label | [post] access to local variable b [field FieldB] : A |
+| H.cs:36:9:36:9 | [post] access to local variable b [field FieldB] : Object | semmle.label | [post] access to local variable b [field FieldB] : Object |
+| H.cs:36:20:36:20 | access to parameter a [field FieldA] : A | semmle.label | access to parameter a [field FieldA] : A |
+| H.cs:36:20:36:20 | access to parameter a [field FieldA] : Object | semmle.label | access to parameter a [field FieldA] : Object |
+| H.cs:36:20:36:27 | access to field FieldA : A | semmle.label | access to field FieldA : A |
+| H.cs:36:20:36:27 | access to field FieldA : Object | semmle.label | access to field FieldA : Object |
+| H.cs:37:16:37:16 | access to local variable b [field FieldB] : A | semmle.label | access to local variable b [field FieldB] : A |
+| H.cs:37:16:37:16 | access to local variable b [field FieldB] : Object | semmle.label | access to local variable b [field FieldB] : Object |
 | H.cs:43:9:43:9 | [post] access to local variable a [field FieldA] : Object | semmle.label | [post] access to local variable a [field FieldA] : Object |
 | H.cs:43:20:43:31 | object creation of type Object : Object | semmle.label | object creation of type Object : Object |
 | H.cs:44:17:44:28 | call to method Transform [field FieldB] : Object | semmle.label | call to method Transform [field FieldB] : Object |
 | H.cs:44:27:44:27 | access to local variable a [field FieldA] : Object | semmle.label | access to local variable a [field FieldA] : Object |
 | H.cs:45:14:45:14 | access to local variable b [field FieldB] : Object | semmle.label | access to local variable b [field FieldB] : Object |
 | H.cs:45:14:45:21 | access to field FieldB | semmle.label | access to field FieldB |
+| H.cs:53:25:53:25 | a [field FieldA] : Object | semmle.label | a [field FieldA] : Object |
+| H.cs:55:9:55:10 | [post] access to parameter b1 [field FieldB] : Object | semmle.label | [post] access to parameter b1 [field FieldB] : Object |
+| H.cs:55:21:55:21 | access to parameter a [field FieldA] : Object | semmle.label | access to parameter a [field FieldA] : Object |
+| H.cs:55:21:55:28 | access to field FieldA : Object | semmle.label | access to field FieldA : Object |
 | H.cs:63:9:63:9 | [post] access to local variable a [field FieldA] : Object | semmle.label | [post] access to local variable a [field FieldA] : Object |
 | H.cs:63:20:63:31 | object creation of type Object : Object | semmle.label | object creation of type Object : Object |
 | H.cs:64:22:64:22 | access to local variable a [field FieldA] : Object | semmle.label | access to local variable a [field FieldA] : Object |
 | H.cs:64:25:64:26 | [post] access to local variable b1 [field FieldB] : Object | semmle.label | [post] access to local variable b1 [field FieldB] : Object |
 | H.cs:65:14:65:15 | access to local variable b1 [field FieldB] : Object | semmle.label | access to local variable b1 [field FieldB] : Object |
 | H.cs:65:14:65:22 | access to field FieldB | semmle.label | access to field FieldB |
+| H.cs:77:30:77:30 | o : Object | semmle.label | o : Object |
+| H.cs:79:9:79:9 | [post] access to parameter a [field FieldA] : Object | semmle.label | [post] access to parameter a [field FieldA] : Object |
+| H.cs:79:20:79:20 | access to parameter o : Object | semmle.label | access to parameter o : Object |
+| H.cs:80:22:80:22 | access to parameter a [field FieldA] : Object | semmle.label | access to parameter a [field FieldA] : Object |
+| H.cs:80:25:80:26 | [post] access to parameter b1 [field FieldB] : Object | semmle.label | [post] access to parameter b1 [field FieldB] : Object |
 | H.cs:88:17:88:17 | [post] access to local variable a [field FieldA] : Object | semmle.label | [post] access to local variable a [field FieldA] : Object |
 | H.cs:88:20:88:31 | object creation of type Object : Object | semmle.label | object creation of type Object : Object |
 | H.cs:88:34:88:35 | [post] access to local variable b1 [field FieldB] : Object | semmle.label | [post] access to local variable b1 [field FieldB] : Object |
@ -470,23 +747,45 @@ nodes
 | H.cs:89:14:89:21 | access to field FieldA | semmle.label | access to field FieldA |
 | H.cs:90:14:90:15 | access to local variable b1 [field FieldB] : Object | semmle.label | access to local variable b1 [field FieldB] : Object |
 | H.cs:90:14:90:22 | access to field FieldB | semmle.label | access to field FieldB |
+| H.cs:102:23:102:23 | a [field FieldA] : Object | semmle.label | a [field FieldA] : Object |
+| H.cs:105:9:105:12 | [post] access to local variable temp [field FieldB, field FieldA] : Object | semmle.label | [post] access to local variable temp [field FieldB, field FieldA] : Object |
+| H.cs:105:23:105:23 | access to parameter a [field FieldA] : Object | semmle.label | access to parameter a [field FieldA] : Object |
+| H.cs:106:16:106:40 | call to method Transform [field FieldB] : Object | semmle.label | call to method Transform [field FieldB] : Object |
+| H.cs:106:26:106:39 | (...) ... [field FieldA] : Object | semmle.label | (...) ... [field FieldA] : Object |
+| H.cs:106:29:106:32 | access to local variable temp [field FieldB, field FieldA] : Object | semmle.label | access to local variable temp [field FieldB, field FieldA] : Object |
+| H.cs:106:29:106:39 | access to field FieldB [field FieldA] : Object | semmle.label | access to field FieldB [field FieldA] : Object |
 | H.cs:112:9:112:9 | [post] access to local variable a [field FieldA] : Object | semmle.label | [post] access to local variable a [field FieldA] : Object |
 | H.cs:112:20:112:31 | object creation of type Object : Object | semmle.label | object creation of type Object : Object |
 | H.cs:113:17:113:32 | call to method TransformWrap [field FieldB] : Object | semmle.label | call to method TransformWrap [field FieldB] : Object |
 | H.cs:113:31:113:31 | access to local variable a [field FieldA] : Object | semmle.label | access to local variable a [field FieldA] : Object |
 | H.cs:114:14:114:14 | access to local variable b [field FieldB] : Object | semmle.label | access to local variable b [field FieldB] : Object |
 | H.cs:114:14:114:21 | access to field FieldB | semmle.label | access to field FieldB |
+| H.cs:122:18:122:18 | a [field FieldA] : Object | semmle.label | a [field FieldA] : Object |
+| H.cs:124:16:124:27 | call to method Transform [field FieldB] : Object | semmle.label | call to method Transform [field FieldB] : Object |
+| H.cs:124:16:124:34 | access to field FieldB : Object | semmle.label | access to field FieldB : Object |
+| H.cs:124:26:124:26 | access to parameter a [field FieldA] : Object | semmle.label | access to parameter a [field FieldA] : Object |
 | H.cs:130:9:130:9 | [post] access to local variable a [field FieldA] : Object | semmle.label | [post] access to local variable a [field FieldA] : Object |
 | H.cs:130:20:130:31 | object creation of type Object : Object | semmle.label | object creation of type Object : Object |
 | H.cs:131:14:131:19 | call to method Get | semmle.label | call to method Get |
 | H.cs:131:18:131:18 | access to local variable a [field FieldA] : Object | semmle.label | access to local variable a [field FieldA] : Object |
+| H.cs:138:27:138:27 | o : A | semmle.label | o : A |
+| H.cs:141:9:141:9 | [post] access to local variable a [field FieldA] : A | semmle.label | [post] access to local variable a [field FieldA] : A |
+| H.cs:141:20:141:25 | ... as ... : A | semmle.label | ... as ... : A |
+| H.cs:142:16:142:27 | call to method Transform [field FieldB] : A | semmle.label | call to method Transform [field FieldB] : A |
+| H.cs:142:16:142:34 | access to field FieldB : A | semmle.label | access to field FieldB : A |
+| H.cs:142:26:142:26 | access to local variable a [field FieldA] : A | semmle.label | access to local variable a [field FieldA] : A |
 | H.cs:147:17:147:32 | call to method Through : A | semmle.label | call to method Through : A |
 | H.cs:147:25:147:31 | object creation of type A : A | semmle.label | object creation of type A : A |
 | H.cs:148:14:148:14 | access to local variable a | semmle.label | access to local variable a |
+| H.cs:153:32:153:32 | o : Object | semmle.label | o : Object |
 | H.cs:155:17:155:23 | object creation of type B : B | semmle.label | object creation of type B : B |
+| H.cs:156:9:156:9 | [post] access to local variable b [field FieldB] : Object | semmle.label | [post] access to local variable b [field FieldB] : Object |
 | H.cs:156:9:156:9 | access to local variable b : B | semmle.label | access to local variable b : B |
+| H.cs:156:20:156:20 | access to parameter o : Object | semmle.label | access to parameter o : Object |
+| H.cs:157:9:157:9 | [post] access to parameter a [field FieldA, field FieldB] : Object | semmle.label | [post] access to parameter a [field FieldA, field FieldB] : Object |
 | H.cs:157:9:157:9 | [post] access to parameter a [field FieldA] : B | semmle.label | [post] access to parameter a [field FieldA] : B |
 | H.cs:157:20:157:20 | access to local variable b : B | semmle.label | access to local variable b : B |
+| H.cs:157:20:157:20 | access to local variable b [field FieldB] : Object | semmle.label | access to local variable b [field FieldB] : Object |
 | H.cs:163:17:163:28 | object creation of type Object : Object | semmle.label | object creation of type Object : Object |
 | H.cs:164:19:164:19 | [post] access to local variable a [field FieldA, field FieldB] : Object | semmle.label | [post] access to local variable a [field FieldA, field FieldB] : Object |
 | H.cs:164:19:164:19 | [post] access to local variable a [field FieldA] : B | semmle.label | [post] access to local variable a [field FieldA] : B |
@ -538,6 +837,56 @@ nodes
 | J.cs:22:14:22:21 | access to property Prop1 | semmle.label | access to property Prop1 |
 | J.cs:23:14:23:15 | access to local variable r3 [property Prop2] : Object | semmle.label | access to local variable r3 [property Prop2] : Object |
 | J.cs:23:14:23:21 | access to property Prop2 | semmle.label | access to property Prop2 |
+subpaths
+| A.cs:6:24:6:24 | access to local variable c : C | A.cs:147:32:147:32 | c : C | A.cs:149:20:149:27 | object creation of type B [field c] : C | A.cs:6:17:6:25 | call to method Make [field c] : C |
+| A.cs:13:15:13:22 | object creation of type C1 : C1 | A.cs:145:27:145:27 | c : C1 | A.cs:145:32:145:35 | [post] this access [field c] : C1 | A.cs:13:9:13:9 | [post] access to local variable b [field c] : C1 |
+| A.cs:14:14:14:14 | access to local variable b [field c] : C1 | A.cs:146:18:146:20 | this [field c] : C1 | A.cs:146:33:146:38 | access to field c : C1 | A.cs:14:14:14:20 | call to method Get : C1 |
+| A.cs:15:15:15:28 | object creation of type B [field c] : C | A.cs:146:18:146:20 | this [field c] : C | A.cs:146:33:146:38 | access to field c : C | A.cs:15:14:15:35 | call to method Get : C |
+| A.cs:15:21:15:27 | object creation of type C : C | A.cs:141:20:141:20 | c : C | A.cs:143:13:143:16 | [post] this access [field c] : C | A.cs:15:15:15:28 | object creation of type B [field c] : C |
+| A.cs:22:25:22:32 | object creation of type C2 : C2 | A.cs:42:29:42:29 | c : C2 | A.cs:48:20:48:21 | access to local variable b2 [field c] : C2 | A.cs:22:14:22:33 | call to method SetOnB [field c] : C2 |
+| A.cs:31:29:31:36 | object creation of type C2 : C2 | A.cs:36:33:36:33 | c : C2 | A.cs:39:16:39:28 | ... ? ... : ... [field c] : C2 | A.cs:31:14:31:37 | call to method SetOnBWrap [field c] : C2 |
+| A.cs:38:29:38:29 | access to parameter c : C2 | A.cs:42:29:42:29 | c : C2 | A.cs:48:20:48:21 | access to local variable b2 [field c] : C2 | A.cs:38:18:38:30 | call to method SetOnB [field c] : C2 |
+| A.cs:47:20:47:20 | access to parameter c : C2 | A.cs:145:27:145:27 | c : C2 | A.cs:145:32:145:35 | [post] this access [field c] : C2 | A.cs:47:13:47:14 | [post] access to local variable b2 [field c] : C2 |
+| A.cs:83:15:83:21 | object creation of type C : C | A.cs:145:27:145:27 | c : C | A.cs:145:32:145:35 | [post] this access [field c] : C | A.cs:83:9:83:9 | [post] access to parameter b [field c] : C |
+| A.cs:105:23:105:23 | access to local variable b : B | A.cs:95:20:95:20 | b : B | A.cs:98:13:98:16 | [post] this access [field b] : B | A.cs:105:17:105:29 | object creation of type D [field b] : B |
+| A.cs:114:29:114:29 | access to local variable b : B | A.cs:157:25:157:28 | head : B | A.cs:159:13:159:16 | [post] this access [field head] : B | A.cs:114:18:114:54 | object creation of type MyList [field head] : B |
+| A.cs:115:35:115:36 | access to local variable l1 [field head] : B | A.cs:157:38:157:41 | next [field head] : B | A.cs:160:13:160:16 | [post] this access [field next, field head] : B | A.cs:115:18:115:37 | object creation of type MyList [field next, field head] : B |
+| A.cs:116:35:116:36 | access to local variable l2 [field next, field head] : B | A.cs:157:38:157:41 | next [field next, field head] : B | A.cs:160:13:160:16 | [post] this access [field next, field next, field head] : B | A.cs:116:18:116:37 | object creation of type MyList [field next, field next, field head] : B |
+| A.cs:149:26:149:26 | access to parameter c : C | A.cs:141:20:141:20 | c : C | A.cs:143:13:143:16 | [post] this access [field c] : C | A.cs:149:20:149:27 | object creation of type B [field c] : C |
+| B.cs:6:27:6:27 | access to local variable e : Elem | B.cs:29:26:29:27 | e1 : Elem | B.cs:31:13:31:16 | [post] this access [field elem1] : Elem | B.cs:6:18:6:34 | object creation of type Box1 [field elem1] : Elem |
+| B.cs:7:27:7:28 | access to local variable b1 [field elem1] : Elem | B.cs:39:26:39:27 | b1 [field elem1] : Elem | B.cs:41:13:41:16 | [post] this access [field box1, field elem1] : Elem | B.cs:7:18:7:29 | object creation of type Box2 [field box1, field elem1] : Elem |
+| B.cs:15:33:15:33 | access to local variable e : Elem | B.cs:29:35:29:36 | e2 : Elem | B.cs:32:13:32:16 | [post] this access [field elem2] : Elem | B.cs:15:18:15:34 | object creation of type Box1 [field elem2] : Elem |
+| B.cs:16:27:16:28 | access to local variable b1 [field elem2] : Elem | B.cs:39:26:39:27 | b1 [field elem2] : Elem | B.cs:41:13:41:16 | [post] this access [field box1, field elem2] : Elem | B.cs:16:18:16:29 | object creation of type Box2 [field box1, field elem2] : Elem |
+| D.cs:15:34:15:38 | access to parameter value : Object | D.cs:9:9:9:11 | value : Object | D.cs:9:15:9:18 | [post] this access [field trivialPropField] : Object | D.cs:15:15:15:18 | [post] this access [field trivialPropField] : Object |
+| D.cs:22:27:22:28 | access to parameter o2 : Object | D.cs:9:9:9:11 | value : Object | D.cs:9:15:9:18 | [post] this access [field trivialPropField] : Object | D.cs:22:9:22:11 | [post] access to local variable ret [field trivialPropField] : Object |
+| D.cs:23:27:23:28 | access to parameter o3 : Object | D.cs:15:9:15:11 | value : Object | D.cs:15:15:15:18 | [post] this access [field trivialPropField] : Object | D.cs:23:9:23:11 | [post] access to local variable ret [field trivialPropField] : Object |
+| D.cs:31:24:31:24 | access to local variable o : Object | D.cs:18:28:18:29 | o1 : Object | D.cs:24:16:24:18 | access to local variable ret [property AutoProp] : Object | D.cs:31:17:31:37 | call to method Create [property AutoProp] : Object |
+| D.cs:37:26:37:26 | access to local variable o : Object | D.cs:18:39:18:40 | o2 : Object | D.cs:24:16:24:18 | access to local variable ret [field trivialPropField] : Object | D.cs:37:13:37:33 | call to method Create [field trivialPropField] : Object |
+| D.cs:39:14:39:14 | access to local variable d [field trivialPropField] : Object | D.cs:8:9:8:11 | this [field trivialPropField] : Object | D.cs:8:22:8:42 | access to field trivialPropField : Object | D.cs:39:14:39:26 | access to property TrivialProp : Object |
+| D.cs:41:14:41:14 | access to local variable d [field trivialPropField] : Object | D.cs:14:9:14:11 | this [field trivialPropField] : Object | D.cs:14:22:14:42 | access to field trivialPropField : Object | D.cs:41:14:41:26 | access to property ComplexProp : Object |
+| D.cs:43:32:43:32 | access to local variable o : Object | D.cs:18:50:18:51 | o3 : Object | D.cs:24:16:24:18 | access to local variable ret [field trivialPropField] : Object | D.cs:43:13:43:33 | call to method Create [field trivialPropField] : Object |
+| D.cs:45:14:45:14 | access to local variable d [field trivialPropField] : Object | D.cs:8:9:8:11 | this [field trivialPropField] : Object | D.cs:8:22:8:42 | access to field trivialPropField : Object | D.cs:45:14:45:26 | access to property TrivialProp : Object |
+| D.cs:47:14:47:14 | access to local variable d [field trivialPropField] : Object | D.cs:14:9:14:11 | this [field trivialPropField] : Object | D.cs:14:22:14:42 | access to field trivialPropField : Object | D.cs:47:14:47:26 | access to property ComplexProp : Object |
+| E.cs:23:25:23:25 | access to local variable o : Object | E.cs:8:29:8:29 | o : Object | E.cs:12:16:12:18 | access to local variable ret [field Field] : Object | E.cs:23:17:23:26 | call to method CreateS [field Field] : Object |
+| F.cs:11:24:11:24 | access to local variable o : Object | F.cs:6:28:6:29 | o1 : Object | F.cs:6:46:6:81 | object creation of type F [field Field1] : Object | F.cs:11:17:11:31 | call to method Create [field Field1] : Object |
+| F.cs:15:26:15:26 | access to local variable o : Object | F.cs:6:39:6:40 | o2 : Object | F.cs:6:46:6:81 | object creation of type F [field Field2] : Object | F.cs:15:13:15:27 | call to method Create [field Field2] : Object |
+| G.cs:17:24:17:24 | access to local variable e : Elem | G.cs:64:34:64:34 | e : Elem | G.cs:64:39:64:42 | [post] this access [field Elem] : Elem | G.cs:17:9:17:14 | [post] access to field Box1 [field Elem] : Elem |
+| G.cs:33:29:33:29 | access to local variable e : Elem | G.cs:64:34:64:34 | e : Elem | G.cs:64:39:64:42 | [post] this access [field Elem] : Elem | G.cs:33:9:33:19 | [post] call to method GetBox1 [field Elem] : Elem |
+| G.cs:39:14:39:15 | access to parameter b2 [field Box1, field Elem] : Elem | G.cs:71:21:71:27 | this [field Box1, field Elem] : Elem | G.cs:71:34:71:37 | access to field Box1 [field Elem] : Elem | G.cs:39:14:39:25 | call to method GetBox1 [field Elem] : Elem |
+| G.cs:39:14:39:25 | call to method GetBox1 [field Elem] : Elem | G.cs:63:21:63:27 | this [field Elem] : Elem | G.cs:63:34:63:37 | access to field Elem : Elem | G.cs:39:14:39:35 | call to method GetElem : Elem |
+| H.cs:24:27:24:27 | access to local variable a [field FieldA] : Object | H.cs:13:15:13:15 | a [field FieldA] : Object | H.cs:17:16:17:18 | access to local variable ret [field FieldA] : Object | H.cs:24:21:24:28 | call to method Clone [field FieldA] : Object |
+| H.cs:44:27:44:27 | access to local variable a [field FieldA] : Object | H.cs:33:19:33:19 | a [field FieldA] : Object | H.cs:37:16:37:16 | access to local variable b [field FieldB] : Object | H.cs:44:17:44:28 | call to method Transform [field FieldB] : Object |
+| H.cs:64:22:64:22 | access to local variable a [field FieldA] : Object | H.cs:53:25:53:25 | a [field FieldA] : Object | H.cs:55:9:55:10 | [post] access to parameter b1 [field FieldB] : Object | H.cs:64:25:64:26 | [post] access to local variable b1 [field FieldB] : Object |
+| H.cs:80:22:80:22 | access to parameter a [field FieldA] : Object | H.cs:53:25:53:25 | a [field FieldA] : Object | H.cs:55:9:55:10 | [post] access to parameter b1 [field FieldB] : Object | H.cs:80:25:80:26 | [post] access to parameter b1 [field FieldB] : Object |
+| H.cs:88:20:88:31 | object creation of type Object : Object | H.cs:77:30:77:30 | o : Object | H.cs:79:9:79:9 | [post] access to parameter a [field FieldA] : Object | H.cs:88:17:88:17 | [post] access to local variable a [field FieldA] : Object |
+| H.cs:88:20:88:31 | object creation of type Object : Object | H.cs:77:30:77:30 | o : Object | H.cs:80:25:80:26 | [post] access to parameter b1 [field FieldB] : Object | H.cs:88:34:88:35 | [post] access to local variable b1 [field FieldB] : Object |
+| H.cs:106:26:106:39 | (...) ... [field FieldA] : Object | H.cs:33:19:33:19 | a [field FieldA] : Object | H.cs:37:16:37:16 | access to local variable b [field FieldB] : Object | H.cs:106:16:106:40 | call to method Transform [field FieldB] : Object |
+| H.cs:113:31:113:31 | access to local variable a [field FieldA] : Object | H.cs:102:23:102:23 | a [field FieldA] : Object | H.cs:106:16:106:40 | call to method Transform [field FieldB] : Object | H.cs:113:17:113:32 | call to method TransformWrap [field FieldB] : Object |
+| H.cs:124:26:124:26 | access to parameter a [field FieldA] : Object | H.cs:33:19:33:19 | a [field FieldA] : Object | H.cs:37:16:37:16 | access to local variable b [field FieldB] : Object | H.cs:124:16:124:27 | call to method Transform [field FieldB] : Object |
+| H.cs:131:18:131:18 | access to local variable a [field FieldA] : Object | H.cs:122:18:122:18 | a [field FieldA] : Object | H.cs:124:16:124:34 | access to field FieldB : Object | H.cs:131:14:131:19 | call to method Get : Object |
+| H.cs:142:26:142:26 | access to local variable a [field FieldA] : A | H.cs:33:19:33:19 | a [field FieldA] : A | H.cs:37:16:37:16 | access to local variable b [field FieldB] : A | H.cs:142:16:142:27 | call to method Transform [field FieldB] : A |
+| H.cs:147:25:147:31 | object creation of type A : A | H.cs:138:27:138:27 | o : A | H.cs:142:16:142:34 | access to field FieldB : A | H.cs:147:17:147:32 | call to method Through : A |
+| H.cs:164:22:164:22 | access to local variable o : Object | H.cs:153:32:153:32 | o : Object | H.cs:157:9:157:9 | [post] access to parameter a [field FieldA, field FieldB] : Object | H.cs:164:19:164:19 | [post] access to local variable a [field FieldA, field FieldB] : Object |
 #select
 | A.cs:7:14:7:16 | access to field c | A.cs:5:17:5:23 | object creation of type C : C | A.cs:7:14:7:16 | access to field c | $@ | A.cs:5:17:5:23 | object creation of type C : C | object creation of type C : C |
 | A.cs:14:14:14:20 | call to method Get | A.cs:13:15:13:22 | object creation of type C1 : C1 | A.cs:14:14:14:20 | call to method Get | $@ | A.cs:13:15:13:22 | object creation of type C1 : C1 | object creation of type C1 : C1 |
--- a/csharp/ql/test/library-tests/dataflow/global/DataFlowPath.expected
+++ b/csharp/ql/test/library-tests/dataflow/global/DataFlowPath.expected
@ -21,7 +21,9 @@ edges
 | Capture.cs:125:25:125:31 | tainted : String | Capture.cs:194:25:194:31 | access to parameter tainted : String |
 | Capture.cs:160:22:160:38 | call to local function CaptureThrough4 : String | Capture.cs:161:15:161:20 | access to local variable sink36 |
 | Capture.cs:168:25:168:31 | access to parameter tainted : String | Capture.cs:169:15:169:20 | access to local variable sink37 |
+| Capture.cs:188:26:188:26 | s : String | Capture.cs:191:20:191:22 | call to local function M : String |
 | Capture.cs:194:22:194:32 | call to local function Id : String | Capture.cs:195:15:195:20 | access to local variable sink38 |
+| Capture.cs:194:25:194:31 | access to parameter tainted : String | Capture.cs:188:26:188:26 | s : String |
 | Capture.cs:194:25:194:31 | access to parameter tainted : String | Capture.cs:194:22:194:32 | call to local function Id : String |
 | GlobalDataFlow.cs:18:27:18:40 | "taint source" : String | GlobalDataFlow.cs:19:15:19:29 | access to field SinkField0 |
 | GlobalDataFlow.cs:18:27:18:40 | "taint source" : String | GlobalDataFlow.cs:27:15:27:32 | access to property SinkProperty0 |
@ -108,14 +110,18 @@ edges
 | GlobalDataFlow.cs:71:21:71:46 | call to method Return<String> : String | GlobalDataFlow.cs:72:15:72:19 | access to local variable sink0 |
 | GlobalDataFlow.cs:71:21:71:46 | call to method Return<String> : String | GlobalDataFlow.cs:73:94:73:98 | access to local variable sink0 : String |
 | GlobalDataFlow.cs:71:28:71:45 | access to property SinkProperty0 : String | GlobalDataFlow.cs:71:21:71:46 | call to method Return<String> : String |
+| GlobalDataFlow.cs:71:28:71:45 | access to property SinkProperty0 : String | GlobalDataFlow.cs:298:26:298:26 | x : String |
 | GlobalDataFlow.cs:73:21:73:101 | (...) ... : String | GlobalDataFlow.cs:74:15:74:19 | access to local variable sink1 |
 | GlobalDataFlow.cs:73:21:73:101 | (...) ... : String | GlobalDataFlow.cs:76:19:76:23 | access to local variable sink1 : String |
 | GlobalDataFlow.cs:73:29:73:101 | call to method Invoke : String | GlobalDataFlow.cs:73:21:73:101 | (...) ... : String |
 | GlobalDataFlow.cs:73:94:73:98 | access to local variable sink0 : String | GlobalDataFlow.cs:73:29:73:101 | call to method Invoke : String |
+| GlobalDataFlow.cs:73:94:73:98 | access to local variable sink0 : String | GlobalDataFlow.cs:298:26:298:26 | x : String |
 | GlobalDataFlow.cs:76:19:76:23 | access to local variable sink1 : String | GlobalDataFlow.cs:76:30:76:34 | SSA def(sink2) : String |
+| GlobalDataFlow.cs:76:19:76:23 | access to local variable sink1 : String | GlobalDataFlow.cs:304:32:304:32 | x : String |
 | GlobalDataFlow.cs:76:30:76:34 | SSA def(sink2) : String | GlobalDataFlow.cs:77:15:77:19 | access to local variable sink2 |
 | GlobalDataFlow.cs:76:30:76:34 | SSA def(sink2) : String | GlobalDataFlow.cs:79:19:79:23 | access to local variable sink2 : String |
 | GlobalDataFlow.cs:79:19:79:23 | access to local variable sink2 : String | GlobalDataFlow.cs:79:30:79:34 | SSA def(sink3) : String |
+| GlobalDataFlow.cs:79:19:79:23 | access to local variable sink2 : String | GlobalDataFlow.cs:310:32:310:32 | x : String |
 | GlobalDataFlow.cs:79:30:79:34 | SSA def(sink3) : String | GlobalDataFlow.cs:80:15:80:19 | access to local variable sink3 |
 | GlobalDataFlow.cs:79:30:79:34 | SSA def(sink3) : String | GlobalDataFlow.cs:81:59:81:63 | access to local variable sink3 : String |
 | GlobalDataFlow.cs:79:30:79:34 | SSA def(sink3) : String | GlobalDataFlow.cs:139:29:139:33 | access to local variable sink3 : String |
@ -125,6 +131,7 @@ edges
 | GlobalDataFlow.cs:81:23:81:65 | (...) ... [element] : String | GlobalDataFlow.cs:81:22:81:85 | call to method SelectEven<String,String> [element] : String |
 | GlobalDataFlow.cs:81:57:81:65 | { ..., ... } [element] : String | GlobalDataFlow.cs:81:23:81:65 | (...) ... [element] : String |
 | GlobalDataFlow.cs:81:59:81:63 | access to local variable sink3 : String | GlobalDataFlow.cs:81:57:81:65 | { ..., ... } [element] : String |
+| GlobalDataFlow.cs:81:79:81:79 | x : String | GlobalDataFlow.cs:81:84:81:84 | access to parameter x : String |
 | GlobalDataFlow.cs:83:22:83:87 | call to method Select<String,String> [element] : String | GlobalDataFlow.cs:83:22:83:95 | call to method First<String> : String |
 | GlobalDataFlow.cs:83:22:83:95 | call to method First<String> : String | GlobalDataFlow.cs:84:15:84:20 | access to local variable sink14 |
 | GlobalDataFlow.cs:83:22:83:95 | call to method First<String> : String | GlobalDataFlow.cs:85:59:85:64 | access to local variable sink14 : String |
@ -143,11 +150,16 @@ edges
 | GlobalDataFlow.cs:87:70:87:113 | (...) ... [element] : String | GlobalDataFlow.cs:87:22:87:128 | call to method Zip<String,String,String> [element] : String |
 | GlobalDataFlow.cs:87:104:87:113 | { ..., ... } [element] : String | GlobalDataFlow.cs:87:70:87:113 | (...) ... [element] : String |
 | GlobalDataFlow.cs:87:106:87:111 | access to local variable sink15 : String | GlobalDataFlow.cs:87:104:87:113 | { ..., ... } [element] : String |
+| GlobalDataFlow.cs:138:40:138:40 | x : String | GlobalDataFlow.cs:138:63:138:63 | access to parameter x : String |
+| GlobalDataFlow.cs:138:63:138:63 | access to parameter x : String | GlobalDataFlow.cs:138:45:138:64 | call to method ApplyFunc<String,String> : String |
+| GlobalDataFlow.cs:138:63:138:63 | access to parameter x : String | GlobalDataFlow.cs:387:46:387:46 | x : String |
 | GlobalDataFlow.cs:139:21:139:34 | delegate call : String | GlobalDataFlow.cs:140:15:140:19 | access to local variable sink4 |
 | GlobalDataFlow.cs:139:21:139:34 | delegate call : String | GlobalDataFlow.cs:147:39:147:43 | access to local variable sink4 : String |
+| GlobalDataFlow.cs:139:29:139:33 | access to local variable sink3 : String | GlobalDataFlow.cs:138:40:138:40 | x : String |
 | GlobalDataFlow.cs:139:29:139:33 | access to local variable sink3 : String | GlobalDataFlow.cs:139:21:139:34 | delegate call : String |
 | GlobalDataFlow.cs:147:21:147:44 | call to method ApplyFunc<String,String> : String | GlobalDataFlow.cs:148:15:148:19 | access to local variable sink5 |
 | GlobalDataFlow.cs:147:39:147:43 | access to local variable sink4 : String | GlobalDataFlow.cs:147:21:147:44 | call to method ApplyFunc<String,String> : String |
+| GlobalDataFlow.cs:147:39:147:43 | access to local variable sink4 : String | GlobalDataFlow.cs:387:46:387:46 | x : String |
 | GlobalDataFlow.cs:157:21:157:25 | call to method Out : String | GlobalDataFlow.cs:158:15:158:19 | access to local variable sink6 |
 | GlobalDataFlow.cs:160:20:160:24 | SSA def(sink7) : String | GlobalDataFlow.cs:161:15:161:19 | access to local variable sink7 |
 | GlobalDataFlow.cs:163:20:163:24 | SSA def(sink8) : String | GlobalDataFlow.cs:164:15:164:19 | access to local variable sink8 |
@ -196,8 +208,16 @@ edges
 | GlobalDataFlow.cs:278:26:278:35 | sinkParam5 : String | GlobalDataFlow.cs:280:15:280:24 | access to parameter sinkParam5 |
 | GlobalDataFlow.cs:283:26:283:35 | sinkParam6 : String | GlobalDataFlow.cs:285:15:285:24 | access to parameter sinkParam6 |
 | GlobalDataFlow.cs:288:26:288:35 | sinkParam7 : String | GlobalDataFlow.cs:290:15:290:24 | access to parameter sinkParam7 |
+| GlobalDataFlow.cs:298:26:298:26 | x : String | GlobalDataFlow.cs:300:37:300:37 | access to parameter x : String |
+| GlobalDataFlow.cs:300:17:300:38 | call to method ApplyFunc<T,T> : String | GlobalDataFlow.cs:301:16:301:41 | ... ? ... : ... : String |
+| GlobalDataFlow.cs:300:27:300:28 | x0 : String | GlobalDataFlow.cs:300:33:300:34 | access to parameter x0 : String |
+| GlobalDataFlow.cs:300:37:300:37 | access to parameter x : String | GlobalDataFlow.cs:300:17:300:38 | call to method ApplyFunc<T,T> : String |
+| GlobalDataFlow.cs:300:37:300:37 | access to parameter x : String | GlobalDataFlow.cs:387:46:387:46 | x : String |
+| GlobalDataFlow.cs:304:32:304:32 | x : String | GlobalDataFlow.cs:306:9:306:13 | SSA def(y) : String |
+| GlobalDataFlow.cs:310:32:310:32 | x : String | GlobalDataFlow.cs:312:9:312:13 | SSA def(y) : String |
 | GlobalDataFlow.cs:315:31:315:40 | sinkParam8 : String | GlobalDataFlow.cs:317:15:317:24 | access to parameter sinkParam8 |
 | GlobalDataFlow.cs:321:32:321:41 | sinkParam9 : String | GlobalDataFlow.cs:323:15:323:24 | access to parameter sinkParam9 |
+| GlobalDataFlow.cs:321:32:321:41 | sinkParam9 : String | GlobalDataFlow.cs:324:16:324:25 | access to parameter sinkParam9 : String |
 | GlobalDataFlow.cs:327:32:327:42 | sinkParam11 : String | GlobalDataFlow.cs:329:15:329:25 | access to parameter sinkParam11 |
 | GlobalDataFlow.cs:341:16:341:29 | "taint source" : String | GlobalDataFlow.cs:157:21:157:25 | call to method Out : String |
 | GlobalDataFlow.cs:341:16:341:29 | "taint source" : String | GlobalDataFlow.cs:193:22:193:42 | object creation of type Lazy<String> [property Value] : String |
@ -210,6 +230,15 @@ edges
 | GlobalDataFlow.cs:382:41:382:41 | x : String | GlobalDataFlow.cs:384:11:384:11 | access to parameter x : String |
 | GlobalDataFlow.cs:384:11:384:11 | access to parameter x : String | GlobalDataFlow.cs:54:15:54:15 | x : String |
 | GlobalDataFlow.cs:384:11:384:11 | access to parameter x : String | GlobalDataFlow.cs:268:26:268:35 | sinkParam3 : String |
+| GlobalDataFlow.cs:387:46:387:46 | x : String | GlobalDataFlow.cs:389:18:389:18 | access to parameter x : String |
+| GlobalDataFlow.cs:387:46:387:46 | x : String | GlobalDataFlow.cs:389:18:389:18 | access to parameter x : String |
+| GlobalDataFlow.cs:387:46:387:46 | x : String | GlobalDataFlow.cs:389:18:389:18 | access to parameter x : String |
+| GlobalDataFlow.cs:389:18:389:18 | access to parameter x : String | GlobalDataFlow.cs:298:26:298:26 | x : String |
+| GlobalDataFlow.cs:389:18:389:18 | access to parameter x : String | GlobalDataFlow.cs:298:26:298:26 | x : String |
+| GlobalDataFlow.cs:389:18:389:18 | access to parameter x : String | GlobalDataFlow.cs:300:27:300:28 | x0 : String |
+| GlobalDataFlow.cs:389:18:389:18 | access to parameter x : String | GlobalDataFlow.cs:389:16:389:19 | delegate call : String |
+| GlobalDataFlow.cs:389:18:389:18 | access to parameter x : String | GlobalDataFlow.cs:389:16:389:19 | delegate call : String |
+| GlobalDataFlow.cs:389:18:389:18 | access to parameter x : String | GlobalDataFlow.cs:389:16:389:19 | delegate call : String |
 | GlobalDataFlow.cs:396:52:396:52 | x : String | GlobalDataFlow.cs:398:11:398:11 | access to parameter x : String |
 | GlobalDataFlow.cs:396:52:396:52 | x : String | GlobalDataFlow.cs:398:11:398:11 | access to parameter x : String |
 | GlobalDataFlow.cs:396:52:396:52 | x : String | GlobalDataFlow.cs:398:11:398:11 | access to parameter x : String |
@ -233,14 +262,22 @@ edges
 | GlobalDataFlow.cs:486:21:486:21 | s : String | GlobalDataFlow.cs:486:32:486:32 | access to parameter s |
 | GlobalDataFlow.cs:487:15:487:17 | access to parameter arg : String | GlobalDataFlow.cs:486:21:486:21 | s : String |
 | GlobalDataFlow.cs:490:28:490:41 | "taint source" : String | GlobalDataFlow.cs:483:53:483:55 | arg : String |
+| GlobalDataFlow.cs:501:46:501:46 | access to local variable x : String | GlobalDataFlow.cs:81:79:81:79 | x : String |
 | Splitting.cs:3:28:3:34 | tainted : String | Splitting.cs:8:24:8:30 | [b (line 3): false] access to parameter tainted : String |
 | Splitting.cs:3:28:3:34 | tainted : String | Splitting.cs:8:24:8:30 | [b (line 3): true] access to parameter tainted : String |
 | Splitting.cs:8:17:8:31 | [b (line 3): false] call to method Return<String> : String | Splitting.cs:9:15:9:15 | [b (line 3): false] access to local variable x |
 | Splitting.cs:8:17:8:31 | [b (line 3): true] call to method Return<String> : String | Splitting.cs:9:15:9:15 | [b (line 3): true] access to local variable x |
 | Splitting.cs:8:17:8:31 | [b (line 3): true] call to method Return<String> : String | Splitting.cs:11:19:11:19 | access to local variable x |
 | Splitting.cs:8:24:8:30 | [b (line 3): false] access to parameter tainted : String | Splitting.cs:8:17:8:31 | [b (line 3): false] call to method Return<String> : String |
+| Splitting.cs:8:24:8:30 | [b (line 3): false] access to parameter tainted : String | Splitting.cs:16:26:16:26 | x : String |
 | Splitting.cs:8:24:8:30 | [b (line 3): true] access to parameter tainted : String | Splitting.cs:8:17:8:31 | [b (line 3): true] call to method Return<String> : String |
+| Splitting.cs:8:24:8:30 | [b (line 3): true] access to parameter tainted : String | Splitting.cs:16:26:16:26 | x : String |
+| Splitting.cs:16:26:16:26 | x : String | Splitting.cs:16:32:16:32 | access to parameter x : String |
+| Splitting.cs:18:24:18:24 | s : String | Splitting.cs:20:29:20:29 | access to parameter s : String |
+| Splitting.cs:20:29:20:29 | access to parameter s : String | Splitting.cs:16:26:16:26 | x : String |
+| Splitting.cs:20:29:20:29 | access to parameter s : String | Splitting.cs:20:22:20:30 | call to method Return<String> : String |
 | Splitting.cs:21:9:21:11 | value : String | Splitting.cs:21:28:21:32 | access to parameter value : String |
+| Splitting.cs:21:28:21:32 | access to parameter value : String | Splitting.cs:16:26:16:26 | x : String |
 | Splitting.cs:21:28:21:32 | access to parameter value : String | Splitting.cs:21:21:21:33 | call to method Return<String> |
 | Splitting.cs:24:28:24:34 | tainted : String | Splitting.cs:30:17:30:23 | [b (line 24): false] access to parameter tainted : String |
 | Splitting.cs:24:28:24:34 | tainted : String | Splitting.cs:30:17:30:23 | [b (line 24): true] access to parameter tainted : String |
@ -251,7 +288,9 @@ edges
 | Splitting.cs:31:17:31:26 | [b (line 24): false] dynamic access to element : String | Splitting.cs:32:15:32:15 | [b (line 24): false] access to local variable x |
 | Splitting.cs:31:17:31:26 | [b (line 24): true] dynamic access to element : String | Splitting.cs:32:15:32:15 | [b (line 24): true] access to local variable x |
 | Splitting.cs:31:17:31:26 | [b (line 24): true] dynamic access to element : String | Splitting.cs:34:19:34:19 | access to local variable x |
+| Splitting.cs:31:19:31:25 | [b (line 24): false] access to parameter tainted : String | Splitting.cs:18:24:18:24 | s : String |
 | Splitting.cs:31:19:31:25 | [b (line 24): false] access to parameter tainted : String | Splitting.cs:31:17:31:26 | [b (line 24): false] dynamic access to element : String |
+| Splitting.cs:31:19:31:25 | [b (line 24): true] access to parameter tainted : String | Splitting.cs:18:24:18:24 | s : String |
 | Splitting.cs:31:19:31:25 | [b (line 24): true] access to parameter tainted : String | Splitting.cs:31:17:31:26 | [b (line 24): true] dynamic access to element : String |
 | Splitting.cs:39:21:39:34 | [b (line 37): true] "taint source" : String | Splitting.cs:41:19:41:19 | access to local variable s |
 | Splitting.cs:48:36:48:49 | "taint source" : String | Splitting.cs:50:19:50:19 | access to local variable s |
@ -284,6 +323,8 @@ nodes
 | Capture.cs:161:15:161:20 | access to local variable sink36 | semmle.label | access to local variable sink36 |
 | Capture.cs:168:25:168:31 | access to parameter tainted : String | semmle.label | access to parameter tainted : String |
 | Capture.cs:169:15:169:20 | access to local variable sink37 | semmle.label | access to local variable sink37 |
+| Capture.cs:188:26:188:26 | s : String | semmle.label | s : String |
+| Capture.cs:191:20:191:22 | call to local function M : String | semmle.label | call to local function M : String |
 | Capture.cs:194:22:194:32 | call to local function Id : String | semmle.label | call to local function Id : String |
 | Capture.cs:194:25:194:31 | access to parameter tainted : String | semmle.label | access to parameter tainted : String |
 | Capture.cs:195:15:195:20 | access to local variable sink38 | semmle.label | access to local variable sink38 |
@ -324,6 +365,8 @@ nodes
 | GlobalDataFlow.cs:81:23:81:65 | (...) ... [element] : String | semmle.label | (...) ... [element] : String |
 | GlobalDataFlow.cs:81:57:81:65 | { ..., ... } [element] : String | semmle.label | { ..., ... } [element] : String |
 | GlobalDataFlow.cs:81:59:81:63 | access to local variable sink3 : String | semmle.label | access to local variable sink3 : String |
+| GlobalDataFlow.cs:81:79:81:79 | x : String | semmle.label | x : String |
+| GlobalDataFlow.cs:81:84:81:84 | access to parameter x : String | semmle.label | access to parameter x : String |
 | GlobalDataFlow.cs:82:15:82:20 | access to local variable sink13 | semmle.label | access to local variable sink13 |
 | GlobalDataFlow.cs:83:22:83:87 | call to method Select<String,String> [element] : String | semmle.label | call to method Select<String,String> [element] : String |
 | GlobalDataFlow.cs:83:22:83:95 | call to method First<String> : String | semmle.label | call to method First<String> : String |
@ -343,6 +386,9 @@ nodes
 | GlobalDataFlow.cs:87:104:87:113 | { ..., ... } [element] : String | semmle.label | { ..., ... } [element] : String |
 | GlobalDataFlow.cs:87:106:87:111 | access to local variable sink15 : String | semmle.label | access to local variable sink15 : String |
 | GlobalDataFlow.cs:88:15:88:20 | access to local variable sink16 | semmle.label | access to local variable sink16 |
+| GlobalDataFlow.cs:138:40:138:40 | x : String | semmle.label | x : String |
+| GlobalDataFlow.cs:138:45:138:64 | call to method ApplyFunc<String,String> : String | semmle.label | call to method ApplyFunc<String,String> : String |
+| GlobalDataFlow.cs:138:63:138:63 | access to parameter x : String | semmle.label | access to parameter x : String |
 | GlobalDataFlow.cs:139:21:139:34 | delegate call : String | semmle.label | delegate call : String |
 | GlobalDataFlow.cs:139:29:139:33 | access to local variable sink3 : String | semmle.label | access to local variable sink3 : String |
 | GlobalDataFlow.cs:140:15:140:19 | access to local variable sink4 | semmle.label | access to local variable sink4 |
@ -411,10 +457,21 @@ nodes
 | GlobalDataFlow.cs:285:15:285:24 | access to parameter sinkParam6 | semmle.label | access to parameter sinkParam6 |
 | GlobalDataFlow.cs:288:26:288:35 | sinkParam7 : String | semmle.label | sinkParam7 : String |
 | GlobalDataFlow.cs:290:15:290:24 | access to parameter sinkParam7 | semmle.label | access to parameter sinkParam7 |
+| GlobalDataFlow.cs:298:26:298:26 | x : String | semmle.label | x : String |
+| GlobalDataFlow.cs:300:17:300:38 | call to method ApplyFunc<T,T> : String | semmle.label | call to method ApplyFunc<T,T> : String |
+| GlobalDataFlow.cs:300:27:300:28 | x0 : String | semmle.label | x0 : String |
+| GlobalDataFlow.cs:300:33:300:34 | access to parameter x0 : String | semmle.label | access to parameter x0 : String |
+| GlobalDataFlow.cs:300:37:300:37 | access to parameter x : String | semmle.label | access to parameter x : String |
+| GlobalDataFlow.cs:301:16:301:41 | ... ? ... : ... : String | semmle.label | ... ? ... : ... : String |
+| GlobalDataFlow.cs:304:32:304:32 | x : String | semmle.label | x : String |
+| GlobalDataFlow.cs:306:9:306:13 | SSA def(y) : String | semmle.label | SSA def(y) : String |
+| GlobalDataFlow.cs:310:32:310:32 | x : String | semmle.label | x : String |
+| GlobalDataFlow.cs:312:9:312:13 | SSA def(y) : String | semmle.label | SSA def(y) : String |
 | GlobalDataFlow.cs:315:31:315:40 | sinkParam8 : String | semmle.label | sinkParam8 : String |
 | GlobalDataFlow.cs:317:15:317:24 | access to parameter sinkParam8 | semmle.label | access to parameter sinkParam8 |
 | GlobalDataFlow.cs:321:32:321:41 | sinkParam9 : String | semmle.label | sinkParam9 : String |
 | GlobalDataFlow.cs:323:15:323:24 | access to parameter sinkParam9 | semmle.label | access to parameter sinkParam9 |
+| GlobalDataFlow.cs:324:16:324:25 | access to parameter sinkParam9 : String | semmle.label | access to parameter sinkParam9 : String |
 | GlobalDataFlow.cs:327:32:327:42 | sinkParam11 : String | semmle.label | sinkParam11 : String |
 | GlobalDataFlow.cs:329:15:329:25 | access to parameter sinkParam11 | semmle.label | access to parameter sinkParam11 |
 | GlobalDataFlow.cs:341:16:341:29 | "taint source" : String | semmle.label | "taint source" : String |
@ -427,6 +484,15 @@ nodes
 | GlobalDataFlow.cs:382:41:382:41 | x : String | semmle.label | x : String |
 | GlobalDataFlow.cs:384:11:384:11 | access to parameter x : String | semmle.label | access to parameter x : String |
 | GlobalDataFlow.cs:384:11:384:11 | access to parameter x : String | semmle.label | access to parameter x : String |
+| GlobalDataFlow.cs:387:46:387:46 | x : String | semmle.label | x : String |
+| GlobalDataFlow.cs:387:46:387:46 | x : String | semmle.label | x : String |
+| GlobalDataFlow.cs:387:46:387:46 | x : String | semmle.label | x : String |
+| GlobalDataFlow.cs:389:16:389:19 | delegate call : String | semmle.label | delegate call : String |
+| GlobalDataFlow.cs:389:16:389:19 | delegate call : String | semmle.label | delegate call : String |
+| GlobalDataFlow.cs:389:16:389:19 | delegate call : String | semmle.label | delegate call : String |
+| GlobalDataFlow.cs:389:18:389:18 | access to parameter x : String | semmle.label | access to parameter x : String |
+| GlobalDataFlow.cs:389:18:389:18 | access to parameter x : String | semmle.label | access to parameter x : String |
+| GlobalDataFlow.cs:389:18:389:18 | access to parameter x : String | semmle.label | access to parameter x : String |
 | GlobalDataFlow.cs:396:52:396:52 | x : String | semmle.label | x : String |
 | GlobalDataFlow.cs:396:52:396:52 | x : String | semmle.label | x : String |
 | GlobalDataFlow.cs:396:52:396:52 | x : String | semmle.label | x : String |
@ -461,6 +527,11 @@ nodes
 | Splitting.cs:9:15:9:15 | [b (line 3): false] access to local variable x | semmle.label | [b (line 3): false] access to local variable x |
 | Splitting.cs:9:15:9:15 | [b (line 3): true] access to local variable x | semmle.label | [b (line 3): true] access to local variable x |
 | Splitting.cs:11:19:11:19 | access to local variable x | semmle.label | access to local variable x |
+| Splitting.cs:16:26:16:26 | x : String | semmle.label | x : String |
+| Splitting.cs:16:32:16:32 | access to parameter x : String | semmle.label | access to parameter x : String |
+| Splitting.cs:18:24:18:24 | s : String | semmle.label | s : String |
+| Splitting.cs:20:22:20:30 | call to method Return<String> : String | semmle.label | call to method Return<String> : String |
+| Splitting.cs:20:29:20:29 | access to parameter s : String | semmle.label | access to parameter s : String |
 | Splitting.cs:21:9:21:11 | value : String | semmle.label | value : String |
 | Splitting.cs:21:21:21:33 | call to method Return<String> | semmle.label | call to method Return<String> |
 | Splitting.cs:21:28:21:32 | access to parameter value : String | semmle.label | access to parameter value : String |
@ -479,6 +550,27 @@ nodes
 | Splitting.cs:48:36:48:49 | "taint source" : String | semmle.label | "taint source" : String |
 | Splitting.cs:50:19:50:19 | access to local variable s | semmle.label | access to local variable s |
 | Splitting.cs:52:19:52:19 | access to local variable s | semmle.label | access to local variable s |
+subpaths
+| Capture.cs:194:25:194:31 | access to parameter tainted : String | Capture.cs:188:26:188:26 | s : String | Capture.cs:191:20:191:22 | call to local function M : String | Capture.cs:194:22:194:32 | call to local function Id : String |
+| GlobalDataFlow.cs:71:28:71:45 | access to property SinkProperty0 : String | GlobalDataFlow.cs:298:26:298:26 | x : String | GlobalDataFlow.cs:301:16:301:41 | ... ? ... : ... : String | GlobalDataFlow.cs:71:21:71:46 | call to method Return<String> : String |
+| GlobalDataFlow.cs:73:94:73:98 | access to local variable sink0 : String | GlobalDataFlow.cs:298:26:298:26 | x : String | GlobalDataFlow.cs:301:16:301:41 | ... ? ... : ... : String | GlobalDataFlow.cs:73:29:73:101 | call to method Invoke : String |
+| GlobalDataFlow.cs:76:19:76:23 | access to local variable sink1 : String | GlobalDataFlow.cs:304:32:304:32 | x : String | GlobalDataFlow.cs:306:9:306:13 | SSA def(y) : String | GlobalDataFlow.cs:76:30:76:34 | SSA def(sink2) : String |
+| GlobalDataFlow.cs:79:19:79:23 | access to local variable sink2 : String | GlobalDataFlow.cs:310:32:310:32 | x : String | GlobalDataFlow.cs:312:9:312:13 | SSA def(y) : String | GlobalDataFlow.cs:79:30:79:34 | SSA def(sink3) : String |
+| GlobalDataFlow.cs:138:63:138:63 | access to parameter x : String | GlobalDataFlow.cs:387:46:387:46 | x : String | GlobalDataFlow.cs:389:16:389:19 | delegate call : String | GlobalDataFlow.cs:138:45:138:64 | call to method ApplyFunc<String,String> : String |
+| GlobalDataFlow.cs:139:29:139:33 | access to local variable sink3 : String | GlobalDataFlow.cs:138:40:138:40 | x : String | GlobalDataFlow.cs:138:45:138:64 | call to method ApplyFunc<String,String> : String | GlobalDataFlow.cs:139:21:139:34 | delegate call : String |
+| GlobalDataFlow.cs:147:39:147:43 | access to local variable sink4 : String | GlobalDataFlow.cs:387:46:387:46 | x : String | GlobalDataFlow.cs:389:16:389:19 | delegate call : String | GlobalDataFlow.cs:147:21:147:44 | call to method ApplyFunc<String,String> : String |
+| GlobalDataFlow.cs:215:89:215:89 | access to parameter x : String | GlobalDataFlow.cs:321:32:321:41 | sinkParam9 : String | GlobalDataFlow.cs:324:16:324:25 | access to parameter sinkParam9 : String | GlobalDataFlow.cs:215:76:215:90 | call to method ReturnCheck2<String> : String |
+| GlobalDataFlow.cs:300:37:300:37 | access to parameter x : String | GlobalDataFlow.cs:387:46:387:46 | x : String | GlobalDataFlow.cs:389:16:389:19 | delegate call : String | GlobalDataFlow.cs:300:17:300:38 | call to method ApplyFunc<T,T> : String |
+| GlobalDataFlow.cs:389:18:389:18 | access to parameter x : String | GlobalDataFlow.cs:298:26:298:26 | x : String | GlobalDataFlow.cs:301:16:301:41 | ... ? ... : ... : String | GlobalDataFlow.cs:389:16:389:19 | delegate call : String |
+| GlobalDataFlow.cs:389:18:389:18 | access to parameter x : String | GlobalDataFlow.cs:298:26:298:26 | x : String | GlobalDataFlow.cs:301:16:301:41 | ... ? ... : ... : String | GlobalDataFlow.cs:389:16:389:19 | delegate call : String |
+| GlobalDataFlow.cs:389:18:389:18 | access to parameter x : String | GlobalDataFlow.cs:300:27:300:28 | x0 : String | GlobalDataFlow.cs:300:33:300:34 | access to parameter x0 : String | GlobalDataFlow.cs:389:16:389:19 | delegate call : String |
+| GlobalDataFlow.cs:501:46:501:46 | access to local variable x : String | GlobalDataFlow.cs:81:79:81:79 | x : String | GlobalDataFlow.cs:81:84:81:84 | access to parameter x : String | GlobalDataFlow.cs:501:44:501:47 | delegate call : String |
+| Splitting.cs:8:24:8:30 | [b (line 3): false] access to parameter tainted : String | Splitting.cs:16:26:16:26 | x : String | Splitting.cs:16:32:16:32 | access to parameter x : String | Splitting.cs:8:17:8:31 | [b (line 3): false] call to method Return<String> : String |
+| Splitting.cs:8:24:8:30 | [b (line 3): true] access to parameter tainted : String | Splitting.cs:16:26:16:26 | x : String | Splitting.cs:16:32:16:32 | access to parameter x : String | Splitting.cs:8:17:8:31 | [b (line 3): true] call to method Return<String> : String |
+| Splitting.cs:20:29:20:29 | access to parameter s : String | Splitting.cs:16:26:16:26 | x : String | Splitting.cs:16:32:16:32 | access to parameter x : String | Splitting.cs:20:22:20:30 | call to method Return<String> : String |
+| Splitting.cs:21:28:21:32 | access to parameter value : String | Splitting.cs:16:26:16:26 | x : String | Splitting.cs:16:32:16:32 | access to parameter x : String | Splitting.cs:21:21:21:33 | call to method Return<String> : String |
+| Splitting.cs:31:19:31:25 | [b (line 24): false] access to parameter tainted : String | Splitting.cs:18:24:18:24 | s : String | Splitting.cs:20:22:20:30 | call to method Return<String> : String | Splitting.cs:31:17:31:26 | [b (line 24): false] dynamic access to element : String |
+| Splitting.cs:31:19:31:25 | [b (line 24): true] access to parameter tainted : String | Splitting.cs:18:24:18:24 | s : String | Splitting.cs:20:22:20:30 | call to method Return<String> : String | Splitting.cs:31:17:31:26 | [b (line 24): true] dynamic access to element : String |
 #select
 | Splitting.cs:32:15:32:15 | [b (line 24): false] access to local variable x | Splitting.cs:24:28:24:34 | tainted : String | Splitting.cs:32:15:32:15 | [b (line 24): false] access to local variable x | [b (line 24): false] access to local variable x |
 | Splitting.cs:32:15:32:15 | [b (line 24): true] access to local variable x | Splitting.cs:24:28:24:34 | tainted : String | Splitting.cs:32:15:32:15 | [b (line 24): true] access to local variable x | [b (line 24): true] access to local variable x |
--- a/csharp/ql/test/library-tests/dataflow/global/TaintTrackingPath.expected
+++ b/csharp/ql/test/library-tests/dataflow/global/TaintTrackingPath.expected
@ -21,7 +21,9 @@ edges
 | Capture.cs:125:25:125:31 | tainted : String | Capture.cs:194:25:194:31 | access to parameter tainted : String |
 | Capture.cs:160:22:160:38 | call to local function CaptureThrough4 : String | Capture.cs:161:15:161:20 | access to local variable sink36 |
 | Capture.cs:168:25:168:31 | access to parameter tainted : String | Capture.cs:169:15:169:20 | access to local variable sink37 |
+| Capture.cs:188:26:188:26 | s : String | Capture.cs:191:20:191:22 | call to local function M : String |
 | Capture.cs:194:22:194:32 | call to local function Id : String | Capture.cs:195:15:195:20 | access to local variable sink38 |
+| Capture.cs:194:25:194:31 | access to parameter tainted : String | Capture.cs:188:26:188:26 | s : String |
 | Capture.cs:194:25:194:31 | access to parameter tainted : String | Capture.cs:194:22:194:32 | call to local function Id : String |
 | GlobalDataFlow.cs:18:27:18:40 | "taint source" : String | GlobalDataFlow.cs:19:15:19:29 | access to field SinkField0 |
 | GlobalDataFlow.cs:18:27:18:40 | "taint source" : String | GlobalDataFlow.cs:27:15:27:32 | access to property SinkProperty0 |
@ -108,14 +110,18 @@ edges
 | GlobalDataFlow.cs:71:21:71:46 | call to method Return<String> : String | GlobalDataFlow.cs:72:15:72:19 | access to local variable sink0 |
 | GlobalDataFlow.cs:71:21:71:46 | call to method Return<String> : String | GlobalDataFlow.cs:73:94:73:98 | access to local variable sink0 : String |
 | GlobalDataFlow.cs:71:28:71:45 | access to property SinkProperty0 : String | GlobalDataFlow.cs:71:21:71:46 | call to method Return<String> : String |
+| GlobalDataFlow.cs:71:28:71:45 | access to property SinkProperty0 : String | GlobalDataFlow.cs:298:26:298:26 | x : String |
 | GlobalDataFlow.cs:73:21:73:101 | (...) ... : String | GlobalDataFlow.cs:74:15:74:19 | access to local variable sink1 |
 | GlobalDataFlow.cs:73:21:73:101 | (...) ... : String | GlobalDataFlow.cs:76:19:76:23 | access to local variable sink1 : String |
 | GlobalDataFlow.cs:73:29:73:101 | call to method Invoke : String | GlobalDataFlow.cs:73:21:73:101 | (...) ... : String |
 | GlobalDataFlow.cs:73:94:73:98 | access to local variable sink0 : String | GlobalDataFlow.cs:73:29:73:101 | call to method Invoke : String |
+| GlobalDataFlow.cs:73:94:73:98 | access to local variable sink0 : String | GlobalDataFlow.cs:298:26:298:26 | x : String |
 | GlobalDataFlow.cs:76:19:76:23 | access to local variable sink1 : String | GlobalDataFlow.cs:76:30:76:34 | SSA def(sink2) : String |
+| GlobalDataFlow.cs:76:19:76:23 | access to local variable sink1 : String | GlobalDataFlow.cs:304:32:304:32 | x : String |
 | GlobalDataFlow.cs:76:30:76:34 | SSA def(sink2) : String | GlobalDataFlow.cs:77:15:77:19 | access to local variable sink2 |
 | GlobalDataFlow.cs:76:30:76:34 | SSA def(sink2) : String | GlobalDataFlow.cs:79:19:79:23 | access to local variable sink2 : String |
 | GlobalDataFlow.cs:79:19:79:23 | access to local variable sink2 : String | GlobalDataFlow.cs:79:30:79:34 | SSA def(sink3) : String |
+| GlobalDataFlow.cs:79:19:79:23 | access to local variable sink2 : String | GlobalDataFlow.cs:310:32:310:32 | x : String |
 | GlobalDataFlow.cs:79:30:79:34 | SSA def(sink3) : String | GlobalDataFlow.cs:80:15:80:19 | access to local variable sink3 |
 | GlobalDataFlow.cs:79:30:79:34 | SSA def(sink3) : String | GlobalDataFlow.cs:81:59:81:63 | access to local variable sink3 : String |
 | GlobalDataFlow.cs:79:30:79:34 | SSA def(sink3) : String | GlobalDataFlow.cs:139:29:139:33 | access to local variable sink3 : String |
@ -125,6 +131,7 @@ edges
 | GlobalDataFlow.cs:81:23:81:65 | (...) ... [element] : String | GlobalDataFlow.cs:81:22:81:85 | call to method SelectEven<String,String> [element] : String |
 | GlobalDataFlow.cs:81:57:81:65 | { ..., ... } [element] : String | GlobalDataFlow.cs:81:23:81:65 | (...) ... [element] : String |
 | GlobalDataFlow.cs:81:59:81:63 | access to local variable sink3 : String | GlobalDataFlow.cs:81:57:81:65 | { ..., ... } [element] : String |
+| GlobalDataFlow.cs:81:79:81:79 | x : String | GlobalDataFlow.cs:81:84:81:84 | access to parameter x : String |
 | GlobalDataFlow.cs:83:22:83:87 | call to method Select<String,String> [element] : String | GlobalDataFlow.cs:83:22:83:95 | call to method First<String> : String |
 | GlobalDataFlow.cs:83:22:83:95 | call to method First<String> : String | GlobalDataFlow.cs:84:15:84:20 | access to local variable sink14 |
 | GlobalDataFlow.cs:83:22:83:95 | call to method First<String> : String | GlobalDataFlow.cs:85:59:85:64 | access to local variable sink14 : String |
@ -160,11 +167,16 @@ edges
 | GlobalDataFlow.cs:97:35:97:40 | SSA def(sink22) : Boolean | GlobalDataFlow.cs:98:15:98:20 | access to local variable sink22 |
 | GlobalDataFlow.cs:100:24:100:29 | access to local variable sink18 : String | GlobalDataFlow.cs:100:82:100:88 | SSA def(sink21b) : Int32 |
 | GlobalDataFlow.cs:100:82:100:88 | SSA def(sink21b) : Int32 | GlobalDataFlow.cs:101:15:101:21 | access to local variable sink21b |
+| GlobalDataFlow.cs:138:40:138:40 | x : String | GlobalDataFlow.cs:138:63:138:63 | access to parameter x : String |
+| GlobalDataFlow.cs:138:63:138:63 | access to parameter x : String | GlobalDataFlow.cs:138:45:138:64 | call to method ApplyFunc<String,String> : String |
+| GlobalDataFlow.cs:138:63:138:63 | access to parameter x : String | GlobalDataFlow.cs:387:46:387:46 | x : String |
 | GlobalDataFlow.cs:139:21:139:34 | delegate call : String | GlobalDataFlow.cs:140:15:140:19 | access to local variable sink4 |
 | GlobalDataFlow.cs:139:21:139:34 | delegate call : String | GlobalDataFlow.cs:147:39:147:43 | access to local variable sink4 : String |
+| GlobalDataFlow.cs:139:29:139:33 | access to local variable sink3 : String | GlobalDataFlow.cs:138:40:138:40 | x : String |
 | GlobalDataFlow.cs:139:29:139:33 | access to local variable sink3 : String | GlobalDataFlow.cs:139:21:139:34 | delegate call : String |
 | GlobalDataFlow.cs:147:21:147:44 | call to method ApplyFunc<String,String> : String | GlobalDataFlow.cs:148:15:148:19 | access to local variable sink5 |
 | GlobalDataFlow.cs:147:39:147:43 | access to local variable sink4 : String | GlobalDataFlow.cs:147:21:147:44 | call to method ApplyFunc<String,String> : String |
+| GlobalDataFlow.cs:147:39:147:43 | access to local variable sink4 : String | GlobalDataFlow.cs:387:46:387:46 | x : String |
 | GlobalDataFlow.cs:157:21:157:25 | call to method Out : String | GlobalDataFlow.cs:158:15:158:19 | access to local variable sink6 |
 | GlobalDataFlow.cs:160:20:160:24 | SSA def(sink7) : String | GlobalDataFlow.cs:161:15:161:19 | access to local variable sink7 |
 | GlobalDataFlow.cs:163:20:163:24 | SSA def(sink8) : String | GlobalDataFlow.cs:164:15:164:19 | access to local variable sink8 |
@ -213,8 +225,16 @@ edges
 | GlobalDataFlow.cs:278:26:278:35 | sinkParam5 : String | GlobalDataFlow.cs:280:15:280:24 | access to parameter sinkParam5 |
 | GlobalDataFlow.cs:283:26:283:35 | sinkParam6 : String | GlobalDataFlow.cs:285:15:285:24 | access to parameter sinkParam6 |
 | GlobalDataFlow.cs:288:26:288:35 | sinkParam7 : String | GlobalDataFlow.cs:290:15:290:24 | access to parameter sinkParam7 |
+| GlobalDataFlow.cs:298:26:298:26 | x : String | GlobalDataFlow.cs:300:37:300:37 | access to parameter x : String |
+| GlobalDataFlow.cs:300:17:300:38 | call to method ApplyFunc<T,T> : String | GlobalDataFlow.cs:301:16:301:41 | ... ? ... : ... : String |
+| GlobalDataFlow.cs:300:27:300:28 | x0 : String | GlobalDataFlow.cs:300:33:300:34 | access to parameter x0 : String |
+| GlobalDataFlow.cs:300:37:300:37 | access to parameter x : String | GlobalDataFlow.cs:300:17:300:38 | call to method ApplyFunc<T,T> : String |
+| GlobalDataFlow.cs:300:37:300:37 | access to parameter x : String | GlobalDataFlow.cs:387:46:387:46 | x : String |
+| GlobalDataFlow.cs:304:32:304:32 | x : String | GlobalDataFlow.cs:306:9:306:13 | SSA def(y) : String |
+| GlobalDataFlow.cs:310:32:310:32 | x : String | GlobalDataFlow.cs:312:9:312:13 | SSA def(y) : String |
 | GlobalDataFlow.cs:315:31:315:40 | sinkParam8 : String | GlobalDataFlow.cs:317:15:317:24 | access to parameter sinkParam8 |
 | GlobalDataFlow.cs:321:32:321:41 | sinkParam9 : String | GlobalDataFlow.cs:323:15:323:24 | access to parameter sinkParam9 |
+| GlobalDataFlow.cs:321:32:321:41 | sinkParam9 : String | GlobalDataFlow.cs:324:16:324:25 | access to parameter sinkParam9 : String |
 | GlobalDataFlow.cs:327:32:327:42 | sinkParam11 : String | GlobalDataFlow.cs:329:15:329:25 | access to parameter sinkParam11 |
 | GlobalDataFlow.cs:341:16:341:29 | "taint source" : String | GlobalDataFlow.cs:157:21:157:25 | call to method Out : String |
 | GlobalDataFlow.cs:341:16:341:29 | "taint source" : String | GlobalDataFlow.cs:193:22:193:42 | object creation of type Lazy<String> [property Value] : String |
@ -227,6 +247,15 @@ edges
 | GlobalDataFlow.cs:382:41:382:41 | x : String | GlobalDataFlow.cs:384:11:384:11 | access to parameter x : String |
 | GlobalDataFlow.cs:384:11:384:11 | access to parameter x : String | GlobalDataFlow.cs:54:15:54:15 | x : String |
 | GlobalDataFlow.cs:384:11:384:11 | access to parameter x : String | GlobalDataFlow.cs:268:26:268:35 | sinkParam3 : String |
+| GlobalDataFlow.cs:387:46:387:46 | x : String | GlobalDataFlow.cs:389:18:389:18 | access to parameter x : String |
+| GlobalDataFlow.cs:387:46:387:46 | x : String | GlobalDataFlow.cs:389:18:389:18 | access to parameter x : String |
+| GlobalDataFlow.cs:387:46:387:46 | x : String | GlobalDataFlow.cs:389:18:389:18 | access to parameter x : String |
+| GlobalDataFlow.cs:389:18:389:18 | access to parameter x : String | GlobalDataFlow.cs:298:26:298:26 | x : String |
+| GlobalDataFlow.cs:389:18:389:18 | access to parameter x : String | GlobalDataFlow.cs:298:26:298:26 | x : String |
+| GlobalDataFlow.cs:389:18:389:18 | access to parameter x : String | GlobalDataFlow.cs:300:27:300:28 | x0 : String |
+| GlobalDataFlow.cs:389:18:389:18 | access to parameter x : String | GlobalDataFlow.cs:389:16:389:19 | delegate call : String |
+| GlobalDataFlow.cs:389:18:389:18 | access to parameter x : String | GlobalDataFlow.cs:389:16:389:19 | delegate call : String |
+| GlobalDataFlow.cs:389:18:389:18 | access to parameter x : String | GlobalDataFlow.cs:389:16:389:19 | delegate call : String |
 | GlobalDataFlow.cs:396:52:396:52 | x : String | GlobalDataFlow.cs:398:11:398:11 | access to parameter x : String |
 | GlobalDataFlow.cs:396:52:396:52 | x : String | GlobalDataFlow.cs:398:11:398:11 | access to parameter x : String |
 | GlobalDataFlow.cs:396:52:396:52 | x : String | GlobalDataFlow.cs:398:11:398:11 | access to parameter x : String |
@ -238,7 +267,10 @@ edges
 | GlobalDataFlow.cs:405:16:405:21 | access to local variable sink11 : String | GlobalDataFlow.cs:167:22:167:43 | call to method TaintedParam : String |
 | GlobalDataFlow.cs:427:9:427:11 | value : String | GlobalDataFlow.cs:427:41:427:46 | access to local variable sink20 |
 | GlobalDataFlow.cs:438:22:438:35 | "taint source" : String | GlobalDataFlow.cs:201:22:201:32 | access to property OutProperty : String |
+| GlobalDataFlow.cs:446:64:446:64 | s : String | GlobalDataFlow.cs:448:19:448:19 | access to parameter s : String |
+| GlobalDataFlow.cs:448:19:448:19 | access to parameter s : String | GlobalDataFlow.cs:448:9:448:10 | [post] access to parameter sb [element] : String |
 | GlobalDataFlow.cs:454:31:454:32 | [post] access to local variable sb [element] : String | GlobalDataFlow.cs:455:22:455:23 | access to local variable sb [element] : String |
+| GlobalDataFlow.cs:454:35:454:48 | "taint source" : String | GlobalDataFlow.cs:446:64:446:64 | s : String |
 | GlobalDataFlow.cs:454:35:454:48 | "taint source" : String | GlobalDataFlow.cs:454:31:454:32 | [post] access to local variable sb [element] : String |
 | GlobalDataFlow.cs:455:22:455:23 | access to local variable sb [element] : String | GlobalDataFlow.cs:455:22:455:34 | call to method ToString : String |
 | GlobalDataFlow.cs:455:22:455:34 | call to method ToString : String | GlobalDataFlow.cs:456:15:456:20 | access to local variable sink43 |
@ -256,14 +288,22 @@ edges
 | GlobalDataFlow.cs:486:21:486:21 | s : String | GlobalDataFlow.cs:486:32:486:32 | access to parameter s |
 | GlobalDataFlow.cs:487:15:487:17 | access to parameter arg : String | GlobalDataFlow.cs:486:21:486:21 | s : String |
 | GlobalDataFlow.cs:490:28:490:41 | "taint source" : String | GlobalDataFlow.cs:483:53:483:55 | arg : String |
+| GlobalDataFlow.cs:501:46:501:46 | access to local variable x : String | GlobalDataFlow.cs:81:79:81:79 | x : String |
 | Splitting.cs:3:28:3:34 | tainted : String | Splitting.cs:8:24:8:30 | [b (line 3): false] access to parameter tainted : String |
 | Splitting.cs:3:28:3:34 | tainted : String | Splitting.cs:8:24:8:30 | [b (line 3): true] access to parameter tainted : String |
 | Splitting.cs:8:17:8:31 | [b (line 3): false] call to method Return<String> : String | Splitting.cs:9:15:9:15 | [b (line 3): false] access to local variable x |
 | Splitting.cs:8:17:8:31 | [b (line 3): true] call to method Return<String> : String | Splitting.cs:9:15:9:15 | [b (line 3): true] access to local variable x |
 | Splitting.cs:8:17:8:31 | [b (line 3): true] call to method Return<String> : String | Splitting.cs:11:19:11:19 | access to local variable x |
 | Splitting.cs:8:24:8:30 | [b (line 3): false] access to parameter tainted : String | Splitting.cs:8:17:8:31 | [b (line 3): false] call to method Return<String> : String |
+| Splitting.cs:8:24:8:30 | [b (line 3): false] access to parameter tainted : String | Splitting.cs:16:26:16:26 | x : String |
 | Splitting.cs:8:24:8:30 | [b (line 3): true] access to parameter tainted : String | Splitting.cs:8:17:8:31 | [b (line 3): true] call to method Return<String> : String |
+| Splitting.cs:8:24:8:30 | [b (line 3): true] access to parameter tainted : String | Splitting.cs:16:26:16:26 | x : String |
+| Splitting.cs:16:26:16:26 | x : String | Splitting.cs:16:32:16:32 | access to parameter x : String |
+| Splitting.cs:18:24:18:24 | s : String | Splitting.cs:20:29:20:29 | access to parameter s : String |
+| Splitting.cs:20:29:20:29 | access to parameter s : String | Splitting.cs:16:26:16:26 | x : String |
+| Splitting.cs:20:29:20:29 | access to parameter s : String | Splitting.cs:20:22:20:30 | call to method Return<String> : String |
 | Splitting.cs:21:9:21:11 | value : String | Splitting.cs:21:28:21:32 | access to parameter value : String |
+| Splitting.cs:21:28:21:32 | access to parameter value : String | Splitting.cs:16:26:16:26 | x : String |
 | Splitting.cs:21:28:21:32 | access to parameter value : String | Splitting.cs:21:21:21:33 | call to method Return<String> |
 | Splitting.cs:24:28:24:34 | tainted : String | Splitting.cs:30:17:30:23 | [b (line 24): false] access to parameter tainted : String |
 | Splitting.cs:24:28:24:34 | tainted : String | Splitting.cs:30:17:30:23 | [b (line 24): true] access to parameter tainted : String |
@ -274,7 +314,9 @@ edges
 | Splitting.cs:31:17:31:26 | [b (line 24): false] dynamic access to element : String | Splitting.cs:32:15:32:15 | [b (line 24): false] access to local variable x |
 | Splitting.cs:31:17:31:26 | [b (line 24): true] dynamic access to element : String | Splitting.cs:32:15:32:15 | [b (line 24): true] access to local variable x |
 | Splitting.cs:31:17:31:26 | [b (line 24): true] dynamic access to element : String | Splitting.cs:34:19:34:19 | access to local variable x |
+| Splitting.cs:31:19:31:25 | [b (line 24): false] access to parameter tainted : String | Splitting.cs:18:24:18:24 | s : String |
 | Splitting.cs:31:19:31:25 | [b (line 24): false] access to parameter tainted : String | Splitting.cs:31:17:31:26 | [b (line 24): false] dynamic access to element : String |
+| Splitting.cs:31:19:31:25 | [b (line 24): true] access to parameter tainted : String | Splitting.cs:18:24:18:24 | s : String |
 | Splitting.cs:31:19:31:25 | [b (line 24): true] access to parameter tainted : String | Splitting.cs:31:17:31:26 | [b (line 24): true] dynamic access to element : String |
 | Splitting.cs:39:21:39:34 | [b (line 37): true] "taint source" : String | Splitting.cs:41:19:41:19 | access to local variable s |
 | Splitting.cs:48:36:48:49 | "taint source" : String | Splitting.cs:50:19:50:19 | access to local variable s |
@ -307,6 +349,8 @@ nodes
 | Capture.cs:161:15:161:20 | access to local variable sink36 | semmle.label | access to local variable sink36 |
 | Capture.cs:168:25:168:31 | access to parameter tainted : String | semmle.label | access to parameter tainted : String |
 | Capture.cs:169:15:169:20 | access to local variable sink37 | semmle.label | access to local variable sink37 |
+| Capture.cs:188:26:188:26 | s : String | semmle.label | s : String |
+| Capture.cs:191:20:191:22 | call to local function M : String | semmle.label | call to local function M : String |
 | Capture.cs:194:22:194:32 | call to local function Id : String | semmle.label | call to local function Id : String |
 | Capture.cs:194:25:194:31 | access to parameter tainted : String | semmle.label | access to parameter tainted : String |
 | Capture.cs:195:15:195:20 | access to local variable sink38 | semmle.label | access to local variable sink38 |
@ -347,6 +391,8 @@ nodes
 | GlobalDataFlow.cs:81:23:81:65 | (...) ... [element] : String | semmle.label | (...) ... [element] : String |
 | GlobalDataFlow.cs:81:57:81:65 | { ..., ... } [element] : String | semmle.label | { ..., ... } [element] : String |
 | GlobalDataFlow.cs:81:59:81:63 | access to local variable sink3 : String | semmle.label | access to local variable sink3 : String |
+| GlobalDataFlow.cs:81:79:81:79 | x : String | semmle.label | x : String |
+| GlobalDataFlow.cs:81:84:81:84 | access to parameter x : String | semmle.label | access to parameter x : String |
 | GlobalDataFlow.cs:82:15:82:20 | access to local variable sink13 | semmle.label | access to local variable sink13 |
 | GlobalDataFlow.cs:83:22:83:87 | call to method Select<String,String> [element] : String | semmle.label | call to method Select<String,String> [element] : String |
 | GlobalDataFlow.cs:83:22:83:95 | call to method First<String> : String | semmle.label | call to method First<String> : String |
@ -383,6 +429,9 @@ nodes
 | GlobalDataFlow.cs:100:24:100:29 | access to local variable sink18 : String | semmle.label | access to local variable sink18 : String |
 | GlobalDataFlow.cs:100:82:100:88 | SSA def(sink21b) : Int32 | semmle.label | SSA def(sink21b) : Int32 |
 | GlobalDataFlow.cs:101:15:101:21 | access to local variable sink21b | semmle.label | access to local variable sink21b |
+| GlobalDataFlow.cs:138:40:138:40 | x : String | semmle.label | x : String |
+| GlobalDataFlow.cs:138:45:138:64 | call to method ApplyFunc<String,String> : String | semmle.label | call to method ApplyFunc<String,String> : String |
+| GlobalDataFlow.cs:138:63:138:63 | access to parameter x : String | semmle.label | access to parameter x : String |
 | GlobalDataFlow.cs:139:21:139:34 | delegate call : String | semmle.label | delegate call : String |
 | GlobalDataFlow.cs:139:29:139:33 | access to local variable sink3 : String | semmle.label | access to local variable sink3 : String |
 | GlobalDataFlow.cs:140:15:140:19 | access to local variable sink4 | semmle.label | access to local variable sink4 |
@ -451,10 +500,21 @@ nodes
 | GlobalDataFlow.cs:285:15:285:24 | access to parameter sinkParam6 | semmle.label | access to parameter sinkParam6 |
 | GlobalDataFlow.cs:288:26:288:35 | sinkParam7 : String | semmle.label | sinkParam7 : String |
 | GlobalDataFlow.cs:290:15:290:24 | access to parameter sinkParam7 | semmle.label | access to parameter sinkParam7 |
+| GlobalDataFlow.cs:298:26:298:26 | x : String | semmle.label | x : String |
+| GlobalDataFlow.cs:300:17:300:38 | call to method ApplyFunc<T,T> : String | semmle.label | call to method ApplyFunc<T,T> : String |
+| GlobalDataFlow.cs:300:27:300:28 | x0 : String | semmle.label | x0 : String |
+| GlobalDataFlow.cs:300:33:300:34 | access to parameter x0 : String | semmle.label | access to parameter x0 : String |
+| GlobalDataFlow.cs:300:37:300:37 | access to parameter x : String | semmle.label | access to parameter x : String |
+| GlobalDataFlow.cs:301:16:301:41 | ... ? ... : ... : String | semmle.label | ... ? ... : ... : String |
+| GlobalDataFlow.cs:304:32:304:32 | x : String | semmle.label | x : String |
+| GlobalDataFlow.cs:306:9:306:13 | SSA def(y) : String | semmle.label | SSA def(y) : String |
+| GlobalDataFlow.cs:310:32:310:32 | x : String | semmle.label | x : String |
+| GlobalDataFlow.cs:312:9:312:13 | SSA def(y) : String | semmle.label | SSA def(y) : String |
 | GlobalDataFlow.cs:315:31:315:40 | sinkParam8 : String | semmle.label | sinkParam8 : String |
 | GlobalDataFlow.cs:317:15:317:24 | access to parameter sinkParam8 | semmle.label | access to parameter sinkParam8 |
 | GlobalDataFlow.cs:321:32:321:41 | sinkParam9 : String | semmle.label | sinkParam9 : String |
 | GlobalDataFlow.cs:323:15:323:24 | access to parameter sinkParam9 | semmle.label | access to parameter sinkParam9 |
+| GlobalDataFlow.cs:324:16:324:25 | access to parameter sinkParam9 : String | semmle.label | access to parameter sinkParam9 : String |
 | GlobalDataFlow.cs:327:32:327:42 | sinkParam11 : String | semmle.label | sinkParam11 : String |
 | GlobalDataFlow.cs:329:15:329:25 | access to parameter sinkParam11 | semmle.label | access to parameter sinkParam11 |
 | GlobalDataFlow.cs:341:16:341:29 | "taint source" : String | semmle.label | "taint source" : String |
@ -467,6 +527,15 @@ nodes
 | GlobalDataFlow.cs:382:41:382:41 | x : String | semmle.label | x : String |
 | GlobalDataFlow.cs:384:11:384:11 | access to parameter x : String | semmle.label | access to parameter x : String |
 | GlobalDataFlow.cs:384:11:384:11 | access to parameter x : String | semmle.label | access to parameter x : String |
+| GlobalDataFlow.cs:387:46:387:46 | x : String | semmle.label | x : String |
+| GlobalDataFlow.cs:387:46:387:46 | x : String | semmle.label | x : String |
+| GlobalDataFlow.cs:387:46:387:46 | x : String | semmle.label | x : String |
+| GlobalDataFlow.cs:389:16:389:19 | delegate call : String | semmle.label | delegate call : String |
+| GlobalDataFlow.cs:389:16:389:19 | delegate call : String | semmle.label | delegate call : String |
+| GlobalDataFlow.cs:389:16:389:19 | delegate call : String | semmle.label | delegate call : String |
+| GlobalDataFlow.cs:389:18:389:18 | access to parameter x : String | semmle.label | access to parameter x : String |
+| GlobalDataFlow.cs:389:18:389:18 | access to parameter x : String | semmle.label | access to parameter x : String |
+| GlobalDataFlow.cs:389:18:389:18 | access to parameter x : String | semmle.label | access to parameter x : String |
 | GlobalDataFlow.cs:396:52:396:52 | x : String | semmle.label | x : String |
 | GlobalDataFlow.cs:396:52:396:52 | x : String | semmle.label | x : String |
 | GlobalDataFlow.cs:396:52:396:52 | x : String | semmle.label | x : String |
@ -479,6 +548,9 @@ nodes
 | GlobalDataFlow.cs:427:9:427:11 | value : String | semmle.label | value : String |
 | GlobalDataFlow.cs:427:41:427:46 | access to local variable sink20 | semmle.label | access to local variable sink20 |
 | GlobalDataFlow.cs:438:22:438:35 | "taint source" : String | semmle.label | "taint source" : String |
+| GlobalDataFlow.cs:446:64:446:64 | s : String | semmle.label | s : String |
+| GlobalDataFlow.cs:448:9:448:10 | [post] access to parameter sb [element] : String | semmle.label | [post] access to parameter sb [element] : String |
+| GlobalDataFlow.cs:448:19:448:19 | access to parameter s : String | semmle.label | access to parameter s : String |
 | GlobalDataFlow.cs:454:31:454:32 | [post] access to local variable sb [element] : String | semmle.label | [post] access to local variable sb [element] : String |
 | GlobalDataFlow.cs:454:35:454:48 | "taint source" : String | semmle.label | "taint source" : String |
 | GlobalDataFlow.cs:455:22:455:23 | access to local variable sb [element] : String | semmle.label | access to local variable sb [element] : String |
@ -509,6 +581,11 @@ nodes
 | Splitting.cs:9:15:9:15 | [b (line 3): false] access to local variable x | semmle.label | [b (line 3): false] access to local variable x |
 | Splitting.cs:9:15:9:15 | [b (line 3): true] access to local variable x | semmle.label | [b (line 3): true] access to local variable x |
 | Splitting.cs:11:19:11:19 | access to local variable x | semmle.label | access to local variable x |
+| Splitting.cs:16:26:16:26 | x : String | semmle.label | x : String |
+| Splitting.cs:16:32:16:32 | access to parameter x : String | semmle.label | access to parameter x : String |
+| Splitting.cs:18:24:18:24 | s : String | semmle.label | s : String |
+| Splitting.cs:20:22:20:30 | call to method Return<String> : String | semmle.label | call to method Return<String> : String |
+| Splitting.cs:20:29:20:29 | access to parameter s : String | semmle.label | access to parameter s : String |
 | Splitting.cs:21:9:21:11 | value : String | semmle.label | value : String |
 | Splitting.cs:21:21:21:33 | call to method Return<String> | semmle.label | call to method Return<String> |
 | Splitting.cs:21:28:21:32 | access to parameter value : String | semmle.label | access to parameter value : String |
@ -527,6 +604,28 @@ nodes
 | Splitting.cs:48:36:48:49 | "taint source" : String | semmle.label | "taint source" : String |
 | Splitting.cs:50:19:50:19 | access to local variable s | semmle.label | access to local variable s |
 | Splitting.cs:52:19:52:19 | access to local variable s | semmle.label | access to local variable s |
+subpaths
+| Capture.cs:194:25:194:31 | access to parameter tainted : String | Capture.cs:188:26:188:26 | s : String | Capture.cs:191:20:191:22 | call to local function M : String | Capture.cs:194:22:194:32 | call to local function Id : String |
+| GlobalDataFlow.cs:71:28:71:45 | access to property SinkProperty0 : String | GlobalDataFlow.cs:298:26:298:26 | x : String | GlobalDataFlow.cs:301:16:301:41 | ... ? ... : ... : String | GlobalDataFlow.cs:71:21:71:46 | call to method Return<String> : String |
+| GlobalDataFlow.cs:73:94:73:98 | access to local variable sink0 : String | GlobalDataFlow.cs:298:26:298:26 | x : String | GlobalDataFlow.cs:301:16:301:41 | ... ? ... : ... : String | GlobalDataFlow.cs:73:29:73:101 | call to method Invoke : String |
+| GlobalDataFlow.cs:76:19:76:23 | access to local variable sink1 : String | GlobalDataFlow.cs:304:32:304:32 | x : String | GlobalDataFlow.cs:306:9:306:13 | SSA def(y) : String | GlobalDataFlow.cs:76:30:76:34 | SSA def(sink2) : String |
+| GlobalDataFlow.cs:79:19:79:23 | access to local variable sink2 : String | GlobalDataFlow.cs:310:32:310:32 | x : String | GlobalDataFlow.cs:312:9:312:13 | SSA def(y) : String | GlobalDataFlow.cs:79:30:79:34 | SSA def(sink3) : String |
+| GlobalDataFlow.cs:138:63:138:63 | access to parameter x : String | GlobalDataFlow.cs:387:46:387:46 | x : String | GlobalDataFlow.cs:389:16:389:19 | delegate call : String | GlobalDataFlow.cs:138:45:138:64 | call to method ApplyFunc<String,String> : String |
+| GlobalDataFlow.cs:139:29:139:33 | access to local variable sink3 : String | GlobalDataFlow.cs:138:40:138:40 | x : String | GlobalDataFlow.cs:138:45:138:64 | call to method ApplyFunc<String,String> : String | GlobalDataFlow.cs:139:21:139:34 | delegate call : String |
+| GlobalDataFlow.cs:147:39:147:43 | access to local variable sink4 : String | GlobalDataFlow.cs:387:46:387:46 | x : String | GlobalDataFlow.cs:389:16:389:19 | delegate call : String | GlobalDataFlow.cs:147:21:147:44 | call to method ApplyFunc<String,String> : String |
+| GlobalDataFlow.cs:215:89:215:89 | access to parameter x : String | GlobalDataFlow.cs:321:32:321:41 | sinkParam9 : String | GlobalDataFlow.cs:324:16:324:25 | access to parameter sinkParam9 : String | GlobalDataFlow.cs:215:76:215:90 | call to method ReturnCheck2<String> : String |
+| GlobalDataFlow.cs:300:37:300:37 | access to parameter x : String | GlobalDataFlow.cs:387:46:387:46 | x : String | GlobalDataFlow.cs:389:16:389:19 | delegate call : String | GlobalDataFlow.cs:300:17:300:38 | call to method ApplyFunc<T,T> : String |
+| GlobalDataFlow.cs:389:18:389:18 | access to parameter x : String | GlobalDataFlow.cs:298:26:298:26 | x : String | GlobalDataFlow.cs:301:16:301:41 | ... ? ... : ... : String | GlobalDataFlow.cs:389:16:389:19 | delegate call : String |
+| GlobalDataFlow.cs:389:18:389:18 | access to parameter x : String | GlobalDataFlow.cs:298:26:298:26 | x : String | GlobalDataFlow.cs:301:16:301:41 | ... ? ... : ... : String | GlobalDataFlow.cs:389:16:389:19 | delegate call : String |
+| GlobalDataFlow.cs:389:18:389:18 | access to parameter x : String | GlobalDataFlow.cs:300:27:300:28 | x0 : String | GlobalDataFlow.cs:300:33:300:34 | access to parameter x0 : String | GlobalDataFlow.cs:389:16:389:19 | delegate call : String |
+| GlobalDataFlow.cs:454:35:454:48 | "taint source" : String | GlobalDataFlow.cs:446:64:446:64 | s : String | GlobalDataFlow.cs:448:9:448:10 | [post] access to parameter sb [element] : String | GlobalDataFlow.cs:454:31:454:32 | [post] access to local variable sb [element] : String |
+| GlobalDataFlow.cs:501:46:501:46 | access to local variable x : String | GlobalDataFlow.cs:81:79:81:79 | x : String | GlobalDataFlow.cs:81:84:81:84 | access to parameter x : String | GlobalDataFlow.cs:501:44:501:47 | delegate call : String |
+| Splitting.cs:8:24:8:30 | [b (line 3): false] access to parameter tainted : String | Splitting.cs:16:26:16:26 | x : String | Splitting.cs:16:32:16:32 | access to parameter x : String | Splitting.cs:8:17:8:31 | [b (line 3): false] call to method Return<String> : String |
+| Splitting.cs:8:24:8:30 | [b (line 3): true] access to parameter tainted : String | Splitting.cs:16:26:16:26 | x : String | Splitting.cs:16:32:16:32 | access to parameter x : String | Splitting.cs:8:17:8:31 | [b (line 3): true] call to method Return<String> : String |
+| Splitting.cs:20:29:20:29 | access to parameter s : String | Splitting.cs:16:26:16:26 | x : String | Splitting.cs:16:32:16:32 | access to parameter x : String | Splitting.cs:20:22:20:30 | call to method Return<String> : String |
+| Splitting.cs:21:28:21:32 | access to parameter value : String | Splitting.cs:16:26:16:26 | x : String | Splitting.cs:16:32:16:32 | access to parameter x : String | Splitting.cs:21:21:21:33 | call to method Return<String> : String |
+| Splitting.cs:31:19:31:25 | [b (line 24): false] access to parameter tainted : String | Splitting.cs:18:24:18:24 | s : String | Splitting.cs:20:22:20:30 | call to method Return<String> : String | Splitting.cs:31:17:31:26 | [b (line 24): false] dynamic access to element : String |
+| Splitting.cs:31:19:31:25 | [b (line 24): true] access to parameter tainted : String | Splitting.cs:18:24:18:24 | s : String | Splitting.cs:20:22:20:30 | call to method Return<String> : String | Splitting.cs:31:17:31:26 | [b (line 24): true] dynamic access to element : String |
 #select
 | Capture.cs:12:19:12:24 | access to local variable sink27 | Capture.cs:7:20:7:26 | tainted : String | Capture.cs:12:19:12:24 | access to local variable sink27 | access to local variable sink27 |
 | Capture.cs:21:23:21:28 | access to local variable sink28 | Capture.cs:7:20:7:26 | tainted : String | Capture.cs:21:23:21:28 | access to local variable sink28 | access to local variable sink28 |
--- a/csharp/ql/test/library-tests/dataflow/tuples/Tuples.expected
+++ b/csharp/ql/test/library-tests/dataflow/tuples/Tuples.expected
@ -144,6 +144,7 @@ nodes
 | Tuples.cs:89:24:89:37 | "taint source" : String | semmle.label | "taint source" : String |
 | Tuples.cs:90:14:90:14 | access to local variable r [property i] : String | semmle.label | access to local variable r [property i] : String |
 | Tuples.cs:90:14:90:16 | access to property i | semmle.label | access to property i |
+subpaths
 #select
 | Tuples.cs:7:21:7:34 | "taint source" : String | Tuples.cs:7:21:7:34 | "taint source" : String | Tuples.cs:9:14:9:14 | access to local variable a | $@ | Tuples.cs:9:14:9:14 | access to local variable a | access to local variable a |
 | Tuples.cs:7:21:7:34 | "taint source" : String | Tuples.cs:7:21:7:34 | "taint source" : String | Tuples.cs:14:14:14:14 | access to local variable a | $@ | Tuples.cs:14:14:14:14 | access to local variable a | access to local variable a |
--- a/csharp/ql/test/library-tests/dataflow/types/Types.expected
+++ b/csharp/ql/test/library-tests/dataflow/types/Types.expected
@ -42,7 +42,11 @@ edges
 | Types.cs:120:25:120:31 | object creation of type A : A | Types.cs:122:30:122:30 | access to local variable a : A |
 | Types.cs:121:26:121:33 | object creation of type E2 : Types.E<D>.E2 | Types.cs:123:30:123:31 | access to local variable e2 : Types.E<D>.E2 |
 | Types.cs:122:30:122:30 | access to local variable a : A | Types.cs:122:22:122:31 | call to method Through |
+| Types.cs:122:30:122:30 | access to local variable a : A | Types.cs:130:34:130:34 | x : A |
 | Types.cs:123:30:123:31 | access to local variable e2 : Types.E<D>.E2 | Types.cs:123:22:123:32 | call to method Through |
+| Types.cs:123:30:123:31 | access to local variable e2 : Types.E<D>.E2 | Types.cs:130:34:130:34 | x : Types.E<D>.E2 |
+| Types.cs:130:34:130:34 | x : A | Types.cs:130:40:130:40 | access to parameter x : A |
+| Types.cs:130:34:130:34 | x : Types.E<D>.E2 | Types.cs:130:40:130:40 | access to parameter x : Types.E<D>.E2 |
 | Types.cs:138:21:138:25 | this [field Field] : Object | Types.cs:138:32:138:35 | this access [field Field] : Object |
 | Types.cs:138:32:138:35 | this access [field Field] : Object | Types.cs:153:30:153:30 | this [field Field] : Object |
 | Types.cs:144:13:144:13 | [post] access to parameter c [field Field] : Object | Types.cs:145:13:145:13 | access to parameter c [field Field] : Object |
@ -107,6 +111,10 @@ nodes
 | Types.cs:122:30:122:30 | access to local variable a : A | semmle.label | access to local variable a : A |
 | Types.cs:123:22:123:32 | call to method Through | semmle.label | call to method Through |
 | Types.cs:123:30:123:31 | access to local variable e2 : Types.E<D>.E2 | semmle.label | access to local variable e2 : Types.E<D>.E2 |
+| Types.cs:130:34:130:34 | x : A | semmle.label | x : A |
+| Types.cs:130:34:130:34 | x : Types.E<D>.E2 | semmle.label | x : Types.E<D>.E2 |
+| Types.cs:130:40:130:40 | access to parameter x : A | semmle.label | access to parameter x : A |
+| Types.cs:130:40:130:40 | access to parameter x : Types.E<D>.E2 | semmle.label | access to parameter x : Types.E<D>.E2 |
 | Types.cs:138:21:138:25 | this [field Field] : Object | semmle.label | this [field Field] : Object |
 | Types.cs:138:32:138:35 | this access [field Field] : Object | semmle.label | this access [field Field] : Object |
 | Types.cs:144:13:144:13 | [post] access to parameter c [field Field] : Object | semmle.label | [post] access to parameter c [field Field] : Object |
@ -115,6 +123,9 @@ nodes
 | Types.cs:153:30:153:30 | this [field Field] : Object | semmle.label | this [field Field] : Object |
 | Types.cs:153:42:153:45 | this access [field Field] : Object | semmle.label | this access [field Field] : Object |
 | Types.cs:153:42:153:51 | access to field Field | semmle.label | access to field Field |
+subpaths
+| Types.cs:122:30:122:30 | access to local variable a : A | Types.cs:130:34:130:34 | x : A | Types.cs:130:40:130:40 | access to parameter x : A | Types.cs:122:22:122:31 | call to method Through : A |
+| Types.cs:123:30:123:31 | access to local variable e2 : Types.E<D>.E2 | Types.cs:130:34:130:34 | x : Types.E<D>.E2 | Types.cs:130:40:130:40 | access to parameter x : Types.E<D>.E2 | Types.cs:123:22:123:32 | call to method Through : Types.E<D>.E2 |
 #select
 | Types.cs:23:12:23:18 | object creation of type C : C | Types.cs:23:12:23:18 | object creation of type C : C | Types.cs:50:18:50:18 | access to local variable c | $@ | Types.cs:50:18:50:18 | access to local variable c | access to local variable c |
 | Types.cs:25:12:25:18 | object creation of type C : C | Types.cs:25:12:25:18 | object creation of type C : C | Types.cs:63:33:63:36 | (...) ... | $@ | Types.cs:63:33:63:36 | (...) ... | (...) ... |
--- a/csharp/ql/test/library-tests/frameworks/EntityFramework/Dataflow.expected
+++ b/csharp/ql/test/library-tests/frameworks/EntityFramework/Dataflow.expected
@ -341,6 +341,7 @@ nodes
 | EntityFrameworkCore.cs:245:18:245:46 | access to property Addresses [element, property Street] : String | semmle.label | access to property Addresses [element, property Street] : String |
 | EntityFrameworkCore.cs:245:18:245:54 | call to method First<Address> [property Street] : String | semmle.label | call to method First<Address> [property Street] : String |
 | EntityFrameworkCore.cs:245:18:245:61 | access to property Street | semmle.label | access to property Street |
+subpaths
 #select
 | EntityFramework.cs:129:18:129:25 | access to property Title | EntityFramework.cs:124:25:124:33 | "tainted" : String | EntityFramework.cs:129:18:129:25 | access to property Title | $@ | EntityFramework.cs:124:25:124:33 | "tainted" : String | "tainted" : String |
 | EntityFramework.cs:204:18:204:41 | access to property Name | EntityFramework.cs:61:24:61:32 | "tainted" : String | EntityFramework.cs:204:18:204:41 | access to property Name | $@ | EntityFramework.cs:61:24:61:32 | "tainted" : String | "tainted" : String |
--- a/Abuse/FormatInvalid/FormatInvalid.expected
+++ b/Abuse/FormatInvalid/FormatInvalid.expected
@ -84,6 +84,7 @@ nodes
 | FormatUnusedArgumentBad.cs:7:27:7:54 | "Error processing file: {0}" | semmle.label | "Error processing file: {0}" |
 | FormatUnusedArgumentBad.cs:8:27:8:60 | "Error processing file: {1} ({1})" | semmle.label | "Error processing file: {1} ({1})" |
 | FormatUnusedArgumentBad.cs:9:27:9:58 | "Error processing file: %s (%d)" | semmle.label | "Error processing file: %s (%d)" |
+subpaths
 #select
 | FormatInvalid.cs:27:23:27:28 | "{ 0}" | FormatInvalid.cs:27:23:27:28 | "{ 0}" | FormatInvalid.cs:27:23:27:28 | "{ 0}" | Invalid format string used in $@ formatting call. | FormatInvalid.cs:27:9:27:32 | call to method Format | this | FormatInvalid.cs:27:9:27:32 | call to method Format | this |
 | FormatInvalid.cs:30:23:30:31 | "{0,--1}" | FormatInvalid.cs:30:23:30:31 | "{0,--1}" | FormatInvalid.cs:30:23:30:31 | "{0,--1}" | Invalid format string used in $@ formatting call. | FormatInvalid.cs:30:9:30:35 | call to method Format | this | FormatInvalid.cs:30:9:30:35 | call to method Format | this |
--- a/Bugs/UnsafeYearConstruction/UnsafeYearConstruction.expected
+++ b/Bugs/UnsafeYearConstruction/UnsafeYearConstruction.expected
@ -9,6 +9,7 @@ nodes
 | Program.cs:23:31:23:34 | year : Int32 | semmle.label | year : Int32 |
 | Program.cs:26:39:26:42 | access to parameter year | semmle.label | access to parameter year |
 | Program.cs:33:18:33:29 | ... - ... : Int32 | semmle.label | ... - ... : Int32 |
+subpaths
 #select
 | Program.cs:13:39:13:50 | ... - ... | Program.cs:13:39:13:50 | ... - ... | Program.cs:13:39:13:50 | ... - ... | This $@ based on a 'System.DateTime.Year' property is used in a construction of a new 'System.DateTime' object, flowing to the 'year' argument. | Program.cs:13:39:13:50 | ... - ... | arithmetic operation |
 | Program.cs:17:37:17:43 | access to local variable endYear | Program.cs:15:27:15:38 | ... + ... : Int32 | Program.cs:17:37:17:43 | access to local variable endYear | This $@ based on a 'System.DateTime.Year' property is used in a construction of a new 'System.DateTime' object, flowing to the 'year' argument. | Program.cs:15:27:15:38 | ... + ... : Int32 | arithmetic operation |
--- a/Features/CWE-020/UntrustedDataToExternalAPI.expected
+++ b/Features/CWE-020/UntrustedDataToExternalAPI.expected
@ -5,6 +5,7 @@ nodes
 | UntrustedData.cs:9:20:9:42 | access to property QueryString | semmle.label | access to property QueryString |
 | UntrustedData.cs:9:20:9:42 | access to property QueryString : NameValueCollection | semmle.label | access to property QueryString : NameValueCollection |
 | UntrustedData.cs:13:28:13:31 | access to local variable name | semmle.label | access to local variable name |
+subpaths
 #select
 | UntrustedData.cs:9:20:9:30 | access to property Request | UntrustedData.cs:9:20:9:30 | access to property Request | UntrustedData.cs:9:20:9:30 | access to property Request | Call to System.Web.HttpRequest.get_QueryString with untrusted data from $@. | UntrustedData.cs:9:20:9:30 | access to property Request | access to property Request |
 | UntrustedData.cs:9:20:9:42 | access to property QueryString | UntrustedData.cs:9:20:9:42 | access to property QueryString | UntrustedData.cs:9:20:9:42 | access to property QueryString | Call to System.Collections.Specialized.NameValueCollection.get_Item with untrusted data from $@. | UntrustedData.cs:9:20:9:42 | access to property QueryString | access to property QueryString |
--- a/Features/CWE-022/TaintedPath/TaintedPath.expected
+++ b/Features/CWE-022/TaintedPath/TaintedPath.expected
@ -15,6 +15,7 @@ nodes
 | TaintedPath.cs:36:25:36:31 | access to local variable badPath | semmle.label | access to local variable badPath |
 | TaintedPath.cs:38:49:38:55 | access to local variable badPath | semmle.label | access to local variable badPath |
 | TaintedPath.cs:51:26:51:29 | access to local variable path | semmle.label | access to local variable path |
+subpaths
 #select
 | TaintedPath.cs:12:50:12:53 | access to local variable path | TaintedPath.cs:10:23:10:45 | access to property QueryString : NameValueCollection | TaintedPath.cs:12:50:12:53 | access to local variable path | $@ flows to here and is used in a path. | TaintedPath.cs:10:23:10:45 | access to property QueryString | User-provided value |
 | TaintedPath.cs:17:51:17:54 | access to local variable path | TaintedPath.cs:10:23:10:45 | access to property QueryString : NameValueCollection | TaintedPath.cs:17:51:17:54 | access to local variable path | $@ flows to here and is used in a path. | TaintedPath.cs:10:23:10:45 | access to property QueryString | User-provided value |
--- a/Features/CWE-022/ZipSlip/ZipSlip.expected
+++ b/Features/CWE-022/ZipSlip/ZipSlip.expected
@ -42,6 +42,7 @@ nodes
 | ZipSlipBad.cs:9:31:9:73 | call to method Combine : String | semmle.label | call to method Combine : String |
 | ZipSlipBad.cs:9:59:9:72 | access to property FullName : String | semmle.label | access to property FullName : String |
 | ZipSlipBad.cs:10:29:10:40 | access to local variable destFileName | semmle.label | access to local variable destFileName |
+subpaths
 #select
 | ZipSlip.cs:15:52:15:65 | access to property FullName | ZipSlip.cs:15:52:15:65 | access to property FullName : String | ZipSlip.cs:31:41:31:52 | access to local variable destFilePath | Unsanitized archive entry, which may contain '..', is used in a $@. | ZipSlip.cs:31:41:31:52 | access to local variable destFilePath | file system operation |
 | ZipSlip.cs:15:52:15:65 | access to property FullName | ZipSlip.cs:15:52:15:65 | access to property FullName : String | ZipSlip.cs:35:45:35:56 | access to local variable destFilePath | Unsanitized archive entry, which may contain '..', is used in a $@. | ZipSlip.cs:35:45:35:56 | access to local variable destFilePath | file system operation |
--- a/Features/CWE-078/CommandInjection.expected
+++ b/Features/CWE-078/CommandInjection.expected
@ -17,6 +17,7 @@ nodes
 | CommandInjection.cs:32:39:32:47 | access to local variable userInput | semmle.label | access to local variable userInput |
 | CommandInjection.cs:33:40:33:48 | access to local variable userInput | semmle.label | access to local variable userInput |
 | CommandInjection.cs:34:47:34:55 | access to local variable userInput | semmle.label | access to local variable userInput |
+subpaths
 #select
 | CommandInjection.cs:26:27:26:47 | ... + ... | CommandInjection.cs:25:32:25:46 | access to field categoryTextBox : TextBox | CommandInjection.cs:26:27:26:47 | ... + ... | $@ flows to here and is used in a command. | CommandInjection.cs:25:32:25:46 | access to field categoryTextBox | User-provided value |
 | CommandInjection.cs:26:50:26:66 | ... + ... | CommandInjection.cs:25:32:25:46 | access to field categoryTextBox : TextBox | CommandInjection.cs:26:50:26:66 | ... + ... | $@ flows to here and is used in a command. | CommandInjection.cs:25:32:25:46 | access to field categoryTextBox | User-provided value |
--- a/Features/CWE-078/StoredCommandInjection.expected
+++ b/Features/CWE-078/StoredCommandInjection.expected
@ -3,5 +3,6 @@ edges
 nodes
 | StoredCommandInjection.cs:22:46:22:80 | ... + ... | semmle.label | ... + ... |
 | StoredCommandInjection.cs:22:54:22:80 | call to method GetString : String | semmle.label | call to method GetString : String |
+subpaths
 #select
 | StoredCommandInjection.cs:22:46:22:80 | ... + ... | StoredCommandInjection.cs:22:54:22:80 | call to method GetString : String | StoredCommandInjection.cs:22:46:22:80 | ... + ... | $@ flows to here and is used in a command. | StoredCommandInjection.cs:22:54:22:80 | call to method GetString | Stored user-provided value |
--- a/Features/CWE-079/StoredXSS/StoredXSS.expected
+++ b/Features/CWE-079/StoredXSS/StoredXSS.expected
@ -3,5 +3,6 @@ edges
 nodes
 | StoredXSS.cs:24:44:24:86 | ... + ... | semmle.label | ... + ... |
 | StoredXSS.cs:24:60:24:86 | call to method GetString : String | semmle.label | call to method GetString : String |
+subpaths
 #select
 | StoredXSS.cs:24:44:24:86 | ... + ... | StoredXSS.cs:24:60:24:86 | call to method GetString : String | StoredXSS.cs:24:44:24:86 | ... + ... | $@ flows to here and is written to HTML or JavaScript. | StoredXSS.cs:24:60:24:86 | call to method GetString | Stored user-provided value |
--- a/Features/CWE-089/SecondOrderSqlInjection.expected
+++ b/Features/CWE-089/SecondOrderSqlInjection.expected
@ -3,5 +3,6 @@ edges
 nodes
 | SecondOrderSqlInjection.cs:21:71:21:145 | ... + ... | semmle.label | ... + ... |
 | SecondOrderSqlInjection.cs:21:119:21:145 | call to method GetString : String | semmle.label | call to method GetString : String |
+subpaths
 #select
 | SecondOrderSqlInjection.cs:21:71:21:145 | ... + ... | SecondOrderSqlInjection.cs:21:119:21:145 | call to method GetString : String | SecondOrderSqlInjection.cs:21:71:21:145 | ... + ... | $@ flows to here and is used in an SQL query. | SecondOrderSqlInjection.cs:21:119:21:145 | call to method GetString | Stored user-provided value |
--- a/Features/CWE-089/SqlInjection.expected
+++ b/Features/CWE-089/SqlInjection.expected
@ -36,6 +36,7 @@ nodes
 | SqlInjectionDapper.cs:67:42:67:46 | access to local variable query | semmle.label | access to local variable query |
 | SqlInjectionDapper.cs:75:86:75:94 | access to property Text : String | semmle.label | access to property Text : String |
 | SqlInjectionDapper.cs:77:52:77:56 | access to local variable query | semmle.label | access to local variable query |
+subpaths
 #select
 | SqlInjection.cs:34:50:34:55 | access to local variable query1 | SqlInjection.cs:33:21:33:35 | access to field categoryTextBox : TextBox | SqlInjection.cs:34:50:34:55 | access to local variable query1 | Query might include code from $@. | SqlInjection.cs:33:21:33:35 | access to field categoryTextBox : TextBox | this ASP.NET user input |
 | SqlInjection.cs:69:56:69:61 | access to local variable query1 | SqlInjection.cs:68:33:68:47 | access to field categoryTextBox : TextBox | SqlInjection.cs:69:56:69:61 | access to local variable query1 | Query might include code from $@. | SqlInjection.cs:68:33:68:47 | access to field categoryTextBox : TextBox | this ASP.NET user input |
--- a/Features/CWE-090/LDAPInjection.expected
+++ b/Features/CWE-090/LDAPInjection.expected
@ -13,6 +13,7 @@ nodes
 | LDAPInjection.cs:24:53:24:77 | ... + ... | semmle.label | ... + ... |
 | LDAPInjection.cs:27:48:27:70 | ... + ... | semmle.label | ... + ... |
 | LDAPInjection.cs:29:20:29:42 | ... + ... | semmle.label | ... + ... |
+subpaths
 #select
 | LDAPInjection.cs:14:54:14:78 | ... + ... | LDAPInjection.cs:11:27:11:49 | access to property QueryString : NameValueCollection | LDAPInjection.cs:14:54:14:78 | ... + ... | $@ flows to here and is used in an LDAP query. | LDAPInjection.cs:11:27:11:49 | access to property QueryString | User-provided value |
 | LDAPInjection.cs:16:21:16:45 | ... + ... | LDAPInjection.cs:11:27:11:49 | access to property QueryString : NameValueCollection | LDAPInjection.cs:16:21:16:45 | ... + ... | $@ flows to here and is used in an LDAP query. | LDAPInjection.cs:11:27:11:49 | access to property QueryString | User-provided value |
--- a/Features/CWE-090/StoredLDAPInjection.expected
+++ b/Features/CWE-090/StoredLDAPInjection.expected
@ -3,5 +3,6 @@ edges
 nodes
 | StoredLDAPInjection.cs:22:66:22:109 | ... + ... | semmle.label | ... + ... |
 | StoredLDAPInjection.cs:22:83:22:109 | call to method GetString : String | semmle.label | call to method GetString : String |
+subpaths
 #select
 | StoredLDAPInjection.cs:22:66:22:109 | ... + ... | StoredLDAPInjection.cs:22:83:22:109 | call to method GetString : String | StoredLDAPInjection.cs:22:66:22:109 | ... + ... | $@ flows to here and is used in an LDAP query. | StoredLDAPInjection.cs:22:83:22:109 | call to method GetString | Stored user-provided value |
--- a/Features/CWE-094/CodeInjection.expected
+++ b/Features/CWE-094/CodeInjection.expected
@ -6,6 +6,7 @@ nodes
 | CodeInjection.cs:29:64:29:67 | access to local variable code | semmle.label | access to local variable code |
 | CodeInjection.cs:40:36:40:39 | access to local variable code | semmle.label | access to local variable code |
 | CodeInjection.cs:56:36:56:44 | access to property Text | semmle.label | access to property Text |
+subpaths
 #select
 | CodeInjection.cs:29:64:29:67 | access to local variable code | CodeInjection.cs:23:23:23:45 | access to property QueryString : NameValueCollection | CodeInjection.cs:29:64:29:67 | access to local variable code | $@ flows to here and is compiled as code. | CodeInjection.cs:23:23:23:45 | access to property QueryString | User-provided value |
 | CodeInjection.cs:40:36:40:39 | access to local variable code | CodeInjection.cs:23:23:23:45 | access to property QueryString : NameValueCollection | CodeInjection.cs:40:36:40:39 | access to local variable code | $@ flows to here and is compiled as code. | CodeInjection.cs:23:23:23:45 | access to property QueryString | User-provided value |
--- a/Features/CWE-099/ResourceInjection.expected
+++ b/Features/CWE-099/ResourceInjection.expected
@ -5,6 +5,7 @@ nodes
 | ResourceInjection.cs:8:27:8:49 | access to property QueryString : NameValueCollection | semmle.label | access to property QueryString : NameValueCollection |
 | ResourceInjection.cs:11:57:11:72 | access to local variable connectionString | semmle.label | access to local variable connectionString |
 | ResourceInjection.cs:13:42:13:57 | access to local variable connectionString | semmle.label | access to local variable connectionString |
+subpaths
 #select
 | ResourceInjection.cs:11:57:11:72 | access to local variable connectionString | ResourceInjection.cs:8:27:8:49 | access to property QueryString : NameValueCollection | ResourceInjection.cs:11:57:11:72 | access to local variable connectionString | $@ flows to here and is used in a resource descriptor. | ResourceInjection.cs:8:27:8:49 | access to property QueryString | User-provided value |
 | ResourceInjection.cs:13:42:13:57 | access to local variable connectionString | ResourceInjection.cs:8:27:8:49 | access to property QueryString : NameValueCollection | ResourceInjection.cs:13:42:13:57 | access to local variable connectionString | $@ flows to here and is used in a resource descriptor. | ResourceInjection.cs:8:27:8:49 | access to property QueryString | User-provided value |
--- a/Features/CWE-112/MissingXMLValidation.expected
+++ b/Features/CWE-112/MissingXMLValidation.expected
@ -21,6 +21,7 @@ nodes
 | MissingXMLValidation.cs:35:43:35:57 | access to local variable userProvidedXml : String | semmle.label | access to local variable userProvidedXml : String |
 | MissingXMLValidation.cs:45:26:45:58 | object creation of type StringReader | semmle.label | object creation of type StringReader |
 | MissingXMLValidation.cs:45:43:45:57 | access to local variable userProvidedXml : String | semmle.label | access to local variable userProvidedXml : String |
+subpaths
 #select
 | MissingXMLValidation.cs:16:26:16:58 | object creation of type StringReader | MissingXMLValidation.cs:12:34:12:56 | access to property QueryString : NameValueCollection | MissingXMLValidation.cs:16:26:16:58 | object creation of type StringReader | $@ flows to here and is processed as XML without validation because there is no 'XmlReaderSettings' instance specifying schema validation. | MissingXMLValidation.cs:12:34:12:56 | access to property QueryString | User-provided value |
 | MissingXMLValidation.cs:21:26:21:58 | object creation of type StringReader | MissingXMLValidation.cs:12:34:12:56 | access to property QueryString : NameValueCollection | MissingXMLValidation.cs:21:26:21:58 | object creation of type StringReader | $@ flows to here and is processed as XML without validation because the 'XmlReaderSettings' instance does not specify the 'ValidationType' as 'Schema'. | MissingXMLValidation.cs:12:34:12:56 | access to property QueryString | User-provided value |
--- a/Features/CWE-117/LogForging.expected
+++ b/Features/CWE-117/LogForging.expected
@ -5,6 +5,7 @@ nodes
 | LogForging.cs:17:27:17:49 | access to property QueryString : NameValueCollection | semmle.label | access to property QueryString : NameValueCollection |
 | LogForging.cs:20:21:20:43 | ... + ... | semmle.label | ... + ... |
 | LogForging.cs:26:50:26:72 | ... + ... | semmle.label | ... + ... |
+subpaths
 #select
 | LogForging.cs:20:21:20:43 | ... + ... | LogForging.cs:17:27:17:49 | access to property QueryString : NameValueCollection | LogForging.cs:20:21:20:43 | ... + ... | $@ flows to log entry. | LogForging.cs:17:27:17:49 | access to property QueryString | User-provided value |
 | LogForging.cs:26:50:26:72 | ... + ... | LogForging.cs:17:27:17:49 | access to property QueryString : NameValueCollection | LogForging.cs:26:50:26:72 | ... + ... | $@ flows to log entry. | LogForging.cs:17:27:17:49 | access to property QueryString | User-provided value |
--- a/Features/CWE-134/UncontrolledFormatString.expected
+++ b/Features/CWE-134/UncontrolledFormatString.expected
@ -12,6 +12,7 @@ nodes
 | UncontrolledFormatString.cs:32:23:32:31 | access to property Text | semmle.label | access to property Text |
 | UncontrolledFormatStringBad.cs:9:25:9:47 | access to property QueryString : NameValueCollection | semmle.label | access to property QueryString : NameValueCollection |
 | UncontrolledFormatStringBad.cs:12:39:12:44 | access to local variable format | semmle.label | access to local variable format |
+subpaths
 #select
 | ConsoleUncontrolledFormatString.cs:11:31:11:36 | access to local variable format | ConsoleUncontrolledFormatString.cs:8:22:8:39 | call to method ReadLine : String | ConsoleUncontrolledFormatString.cs:11:31:11:36 | access to local variable format | $@ flows to here and is used as a format string. | ConsoleUncontrolledFormatString.cs:8:22:8:39 | call to method ReadLine | call to method ReadLine |
 | UncontrolledFormatString.cs:12:23:12:26 | access to local variable path | UncontrolledFormatString.cs:9:23:9:45 | access to property QueryString : NameValueCollection | UncontrolledFormatString.cs:12:23:12:26 | access to local variable path | $@ flows to here and is used as a format string. | UncontrolledFormatString.cs:9:23:9:45 | access to property QueryString | access to property QueryString |
--- a/Features/CWE-201/ExposureInTransmittedData/ExposureInTransmittedData.expected
+++ b/Features/CWE-201/ExposureInTransmittedData/ExposureInTransmittedData.expected
@ -16,6 +16,7 @@ nodes
 | ExposureInTransmittedData.cs:31:56:31:56 | access to local variable p | semmle.label | access to local variable p |
 | ExposureInTransmittedData.cs:32:24:32:52 | ... + ... | semmle.label | ... + ... |
 | ExposureInTransmittedData.cs:33:27:33:27 | access to local variable p | semmle.label | access to local variable p |
+subpaths
 #select
 | ExposureInTransmittedData.cs:14:32:14:39 | access to local variable password | ExposureInTransmittedData.cs:14:32:14:39 | access to local variable password | ExposureInTransmittedData.cs:14:32:14:39 | access to local variable password | Sensitive information from $@ flows to here, and is transmitted to the user. | ExposureInTransmittedData.cs:14:32:14:39 | access to local variable password | access to local variable password |
 | ExposureInTransmittedData.cs:18:32:18:44 | call to method ToString | ExposureInTransmittedData.cs:18:32:18:44 | call to method ToString | ExposureInTransmittedData.cs:18:32:18:44 | call to method ToString | Sensitive information from $@ flows to here, and is transmitted to the user. | ExposureInTransmittedData.cs:18:32:18:44 | call to method ToString | call to method ToString |
--- a/Features/CWE-209/ExceptionInformationExposure.expected
+++ b/Features/CWE-209/ExceptionInformationExposure.expected
@ -9,6 +9,7 @@ nodes
 | ExceptionInformationExposure.cs:40:28:40:40 | access to property StackTrace | semmle.label | access to property StackTrace |
 | ExceptionInformationExposure.cs:41:28:41:40 | call to method ToString | semmle.label | call to method ToString |
 | ExceptionInformationExposure.cs:47:28:47:55 | call to method ToString | semmle.label | call to method ToString |
+subpaths
 #select
 | ExceptionInformationExposure.cs:19:32:19:44 | call to method ToString | ExceptionInformationExposure.cs:19:32:19:44 | call to method ToString | ExceptionInformationExposure.cs:19:32:19:44 | call to method ToString | Exception information from $@ flows to here, and is exposed to the user. | ExceptionInformationExposure.cs:19:32:19:44 | call to method ToString | call to method ToString |
 | ExceptionInformationExposure.cs:21:32:21:33 | access to local variable ex | ExceptionInformationExposure.cs:19:32:19:33 | access to local variable ex : Exception | ExceptionInformationExposure.cs:21:32:21:33 | access to local variable ex | Exception information from $@ flows to here, and is exposed to the user. | ExceptionInformationExposure.cs:19:32:19:33 | access to local variable ex | access to local variable ex : Exception |
--- a/Features/CWE-312/CleartextStorage.expected
+++ b/Features/CWE-312/CleartextStorage.expected
@ -8,6 +8,7 @@ nodes
 | CleartextStorage.cs:72:21:72:33 | access to property Text | semmle.label | access to property Text |
 | CleartextStorage.cs:73:21:73:29 | access to property Text | semmle.label | access to property Text |
 | CleartextStorage.cs:74:21:74:29 | access to property Text | semmle.label | access to property Text |
+subpaths
 #select
 | CleartextStorage.cs:13:50:13:59 | access to field accountKey | CleartextStorage.cs:13:50:13:59 | access to field accountKey | CleartextStorage.cs:13:50:13:59 | access to field accountKey | Sensitive data returned by $@ is stored here. | CleartextStorage.cs:13:50:13:59 | access to field accountKey | access to field accountKey |
 | CleartextStorage.cs:14:62:14:74 | call to method GetPassword | CleartextStorage.cs:14:62:14:74 | call to method GetPassword | CleartextStorage.cs:14:62:14:74 | call to method GetPassword | Sensitive data returned by $@ is stored here. | CleartextStorage.cs:14:62:14:74 | call to method GetPassword | call to method GetPassword |
--- a/Features/CWE-327/DontInstallRootCert/DontInstallRootCert.expected
+++ b/Features/CWE-327/DontInstallRootCert/DontInstallRootCert.expected
@ -9,6 +9,7 @@ nodes
 | Test.cs:28:13:28:17 | access to local variable store | semmle.label | access to local variable store |
 | Test.cs:70:31:70:86 | object creation of type X509Store : X509Store | semmle.label | object creation of type X509Store : X509Store |
 | Test.cs:73:13:73:17 | access to local variable store | semmle.label | access to local variable store |
+subpaths
 #select
 | Test.cs:18:13:18:17 | access to local variable store | Test.cs:15:31:15:59 | object creation of type X509Store : X509Store | Test.cs:18:13:18:17 | access to local variable store | Certificate added to the root certificate store. |
 | Test.cs:28:13:28:17 | access to local variable store | Test.cs:25:31:25:86 | object creation of type X509Store : X509Store | Test.cs:28:13:28:17 | access to local variable store | Certificate added to the root certificate store. |
--- a/Features/CWE-327/InsecureSQLConnection/InsecureSQLConnection.expected
+++ b/Features/CWE-327/InsecureSQLConnection/InsecureSQLConnection.expected
@ -7,6 +7,7 @@ nodes
 | InsecureSQLConnection.cs:46:81:46:93 | access to local variable connectString | semmle.label | access to local variable connectString |
 | InsecureSQLConnection.cs:53:17:53:78 | "Server=1.2.3.4;Database=Anything;UID=ab;Pwd=cd;Encrypt=false" : String | semmle.label | "Server=1.2.3.4;Database=Anything;UID=ab;Pwd=cd;Encrypt=false" : String |
 | InsecureSQLConnection.cs:55:81:55:93 | access to local variable connectString | semmle.label | access to local variable connectString |
+subpaths
 #select
 | InsecureSQLConnection.cs:38:52:38:128 | "Server=myServerName\\myInstanceName;Database=myDataBase;User Id=myUsername;" | InsecureSQLConnection.cs:38:52:38:128 | "Server=myServerName\\myInstanceName;Database=myDataBase;User Id=myUsername;" | InsecureSQLConnection.cs:38:52:38:128 | "Server=myServerName\\myInstanceName;Database=myDataBase;User Id=myUsername;" | $@ flows to here and does not specify `Encrypt=True`. | InsecureSQLConnection.cs:38:52:38:128 | "Server=myServerName\\myInstanceName;Database=myDataBase;User Id=myUsername;" | Connection string |
 | InsecureSQLConnection.cs:46:81:46:93 | access to local variable connectString | InsecureSQLConnection.cs:44:17:44:64 | "Server=1.2.3.4;Database=Anything;UID=ab;Pwd=cd" : String | InsecureSQLConnection.cs:46:81:46:93 | access to local variable connectString | $@ flows to here and does not specify `Encrypt=True`. | InsecureSQLConnection.cs:44:17:44:64 | "Server=1.2.3.4;Database=Anything;UID=ab;Pwd=cd" | Connection string |
--- a/Features/CWE-338/InsecureRandomness.expected
+++ b/Features/CWE-338/InsecureRandomness.expected
@ -30,6 +30,7 @@ nodes
 | InsecureRandomness.cs:72:31:72:39 | call to method Next : Int32 | semmle.label | call to method Next : Int32 |
 | InsecureRandomness.cs:74:16:74:21 | access to local variable result : String | semmle.label | access to local variable result : String |
 | InsecureRandomness.cs:80:28:80:81 | call to method GeneratePassword | semmle.label | call to method GeneratePassword |
+subpaths
 #select
 | InsecureRandomness.cs:12:27:12:50 | call to method InsecureRandomString | InsecureRandomness.cs:28:29:28:43 | call to method Next : Int32 | InsecureRandomness.cs:12:27:12:50 | call to method InsecureRandomString | Cryptographically insecure random number is generated at $@ and used here in a security context. | InsecureRandomness.cs:28:29:28:43 | call to method Next | call to method Next |
 | InsecureRandomness.cs:13:20:13:56 | call to method InsecureRandomStringFromSelection | InsecureRandomness.cs:60:31:60:39 | call to method Next : Int32 | InsecureRandomness.cs:13:20:13:56 | call to method InsecureRandomStringFromSelection | Cryptographically insecure random number is generated at $@ and used here in a security context. | InsecureRandomness.cs:60:31:60:39 | call to method Next | call to method Next |
--- a/Features/CWE-359/ExposureOfPrivateInformation.expected
+++ b/Features/CWE-359/ExposureOfPrivateInformation.expected
@ -4,6 +4,7 @@ nodes
 | ExposureOfPrivateInformation.cs:18:50:18:65 | call to method getTelephone | semmle.label | call to method getTelephone |
 | ExposureOfPrivateInformation.cs:22:21:22:36 | call to method getTelephone | semmle.label | call to method getTelephone |
 | ExposureOfPrivateInformation.cs:40:21:40:33 | access to property Text | semmle.label | access to property Text |
+subpaths
 #select
 | ExposureOfPrivateInformation.cs:16:50:16:84 | access to indexer | ExposureOfPrivateInformation.cs:16:50:16:84 | access to indexer | ExposureOfPrivateInformation.cs:16:50:16:84 | access to indexer | Private data returned by $@ is written to an external location. | ExposureOfPrivateInformation.cs:16:50:16:84 | access to indexer | access to indexer |
 | ExposureOfPrivateInformation.cs:18:50:18:65 | call to method getTelephone | ExposureOfPrivateInformation.cs:18:50:18:65 | call to method getTelephone | ExposureOfPrivateInformation.cs:18:50:18:65 | call to method getTelephone | Private data returned by $@ is written to an external location. | ExposureOfPrivateInformation.cs:18:50:18:65 | call to method getTelephone | call to method getTelephone |
--- a/Features/CWE-502/UnsafeDeserializationUntrustedInput/UnsafeDeserializationUntrustedInput.expected
+++ b/Features/CWE-502/UnsafeDeserializationUntrustedInput/UnsafeDeserializationUntrustedInput.expected
@ -45,6 +45,7 @@ nodes
 | XmlSerializerUntrustedInputBad.cs:13:48:13:80 | call to method GetBytes : Byte[] | semmle.label | call to method GetBytes : Byte[] |
 | XmlSerializerUntrustedInputBad.cs:13:71:13:74 | access to parameter data : TextBox | semmle.label | access to parameter data : TextBox |
 | XmlSerializerUntrustedInputBad.cs:13:71:13:79 | access to property Text : String | semmle.label | access to property Text : String |
+subpaths
 #select
 | BinaryFormatterUntrustedInputBad.cs:12:31:12:84 | object creation of type MemoryStream | BinaryFormatterUntrustedInputBad.cs:12:71:12:77 | access to parameter textBox : TextBox | BinaryFormatterUntrustedInputBad.cs:12:31:12:84 | object creation of type MemoryStream | $@ flows to unsafe deserializer. | BinaryFormatterUntrustedInputBad.cs:12:71:12:77 | access to parameter textBox : TextBox | User-provided data |
 | DataContractJsonSerializerUntrustedInputBad.cs:13:30:13:80 | object creation of type MemoryStream | DataContractJsonSerializerUntrustedInputBad.cs:13:70:13:73 | access to parameter data : TextBox | DataContractJsonSerializerUntrustedInputBad.cs:13:30:13:80 | object creation of type MemoryStream | $@ flows to unsafe deserializer. | DataContractJsonSerializerUntrustedInputBad.cs:13:70:13:73 | access to parameter data : TextBox | User-provided data |
--- a/Features/CWE-601/UrlRedirect/UrlRedirect.expected
+++ b/Features/CWE-601/UrlRedirect/UrlRedirect.expected
@ -42,6 +42,7 @@ nodes
 | UrlRedirectCore.cs:53:32:53:45 | object creation of type Uri | semmle.label | object creation of type Uri |
 | UrlRedirectCore.cs:53:40:53:44 | access to parameter value : String | semmle.label | access to parameter value : String |
 | UrlRedirectCore.cs:56:31:56:35 | access to parameter value | semmle.label | access to parameter value |
+subpaths
 #select
 | UrlRedirect.cs:12:31:12:61 | access to indexer | UrlRedirect.cs:12:31:12:53 | access to property QueryString : NameValueCollection | UrlRedirect.cs:12:31:12:61 | access to indexer | Untrusted URL redirection due to $@. | UrlRedirect.cs:12:31:12:53 | access to property QueryString | user-provided value |
 | UrlRedirect.cs:37:44:37:74 | access to indexer | UrlRedirect.cs:37:44:37:66 | access to property QueryString : NameValueCollection | UrlRedirect.cs:37:44:37:74 | access to indexer | Untrusted URL redirection due to $@. | UrlRedirect.cs:37:44:37:66 | access to property QueryString | user-provided value |
--- a/Features/CWE-611/UntrustedDataInsecureXml.expected
+++ b/Features/CWE-611/UntrustedDataInsecureXml.expected
@ -3,5 +3,6 @@ edges
 nodes
 | Test.cs:11:50:11:72 | access to property QueryString : NameValueCollection | semmle.label | access to property QueryString : NameValueCollection |
 | Test.cs:11:50:11:84 | access to indexer | semmle.label | access to indexer |
+subpaths
 #select
 | Test.cs:11:50:11:84 | access to indexer | Test.cs:11:50:11:72 | access to property QueryString : NameValueCollection | Test.cs:11:50:11:84 | access to indexer | $@ flows to here and is loaded insecurely as XML (DTD processing is enabled with an insecure resolver). | Test.cs:11:50:11:72 | access to property QueryString | User-provided value |
--- a/Features/CWE-643/StoredXPathInjection.expected
+++ b/Features/CWE-643/StoredXPathInjection.expected
@ -8,6 +8,7 @@ nodes
 | StoredXPathInjection.cs:23:39:23:65 | call to method GetString : String | semmle.label | call to method GetString : String |
 | StoredXPathInjection.cs:25:45:25:148 | ... + ... | semmle.label | ... + ... |
 | StoredXPathInjection.cs:28:41:28:144 | ... + ... | semmle.label | ... + ... |
+subpaths
 #select
 | StoredXPathInjection.cs:25:45:25:148 | ... + ... | StoredXPathInjection.cs:22:39:22:65 | call to method GetString : String | StoredXPathInjection.cs:25:45:25:148 | ... + ... | $@ flows to here and is used in an XPath expression. | StoredXPathInjection.cs:22:39:22:65 | call to method GetString | Stored user-provided value |
 | StoredXPathInjection.cs:25:45:25:148 | ... + ... | StoredXPathInjection.cs:23:39:23:65 | call to method GetString : String | StoredXPathInjection.cs:25:45:25:148 | ... + ... | $@ flows to here and is used in an XPath expression. | StoredXPathInjection.cs:23:39:23:65 | call to method GetString | Stored user-provided value |
--- a/Features/CWE-643/XPathInjection.expected
+++ b/Features/CWE-643/XPathInjection.expected
@ -23,6 +23,7 @@ nodes
 | XPathInjection.cs:40:21:40:21 | access to local variable s | semmle.label | access to local variable s |
 | XPathInjection.cs:46:22:46:22 | access to local variable s | semmle.label | access to local variable s |
 | XPathInjection.cs:52:21:52:21 | access to local variable s | semmle.label | access to local variable s |
+subpaths
 #select
 | XPathInjection.cs:16:33:16:33 | access to local variable s | XPathInjection.cs:10:27:10:49 | access to property QueryString : NameValueCollection | XPathInjection.cs:16:33:16:33 | access to local variable s | $@ flows to here and is used in an XPath expression. | XPathInjection.cs:10:27:10:49 | access to property QueryString | User-provided value |
 | XPathInjection.cs:16:33:16:33 | access to local variable s | XPathInjection.cs:11:27:11:49 | access to property QueryString : NameValueCollection | XPathInjection.cs:16:33:16:33 | access to local variable s | $@ flows to here and is used in an XPath expression. | XPathInjection.cs:11:27:11:49 | access to property QueryString | User-provided value |
--- a/Features/CWE-730/ReDoS/ReDoS.expected
+++ b/Features/CWE-730/ReDoS/ReDoS.expected
@ -11,6 +11,7 @@ nodes
 | ExponentialRegex.cs:19:139:19:147 | access to local variable userInput | semmle.label | access to local variable userInput |
 | ExponentialRegex.cs:22:43:22:51 | access to local variable userInput | semmle.label | access to local variable userInput |
 | ExponentialRegex.cs:24:21:24:29 | access to local variable userInput | semmle.label | access to local variable userInput |
+subpaths
 #select
 | ExponentialRegex.cs:15:40:15:48 | access to local variable userInput | ExponentialRegex.cs:11:28:11:50 | access to property QueryString : NameValueCollection | ExponentialRegex.cs:15:40:15:48 | access to local variable userInput | $@ flows to regular expression operation with dangerous regex. | ExponentialRegex.cs:11:28:11:50 | access to property QueryString | User-provided value |
 | ExponentialRegex.cs:16:42:16:50 | access to local variable userInput | ExponentialRegex.cs:11:28:11:50 | access to property QueryString : NameValueCollection | ExponentialRegex.cs:16:42:16:50 | access to local variable userInput | $@ flows to regular expression operation with dangerous regex. | ExponentialRegex.cs:11:28:11:50 | access to property QueryString | User-provided value |
--- a/Features/CWE-730/ReDoSGlobalTimeout/ReDoS.expected
+++ b/Features/CWE-730/ReDoSGlobalTimeout/ReDoS.expected
@ -3,4 +3,5 @@ edges
 nodes
 | ExponentialRegex.cs:13:28:13:50 | access to property QueryString : NameValueCollection | semmle.label | access to property QueryString : NameValueCollection |
 | ExponentialRegex.cs:16:40:16:48 | access to local variable userInput | semmle.label | access to local variable userInput |
+subpaths
 #select
--- a/Features/CWE-730/RegexInjection/RegexInjection.expected
+++ b/Features/CWE-730/RegexInjection/RegexInjection.expected
@ -3,5 +3,6 @@ edges
 nodes
 | RegexInjection.cs:10:24:10:46 | access to property QueryString : NameValueCollection | semmle.label | access to property QueryString : NameValueCollection |
 | RegexInjection.cs:14:19:14:23 | access to local variable regex | semmle.label | access to local variable regex |
+subpaths
 #select
 | RegexInjection.cs:14:19:14:23 | access to local variable regex | RegexInjection.cs:10:24:10:46 | access to property QueryString : NameValueCollection | RegexInjection.cs:14:19:14:23 | access to local variable regex | $@ flows to the construction of a regular expression. | RegexInjection.cs:10:24:10:46 | access to property QueryString | User-provided value |
--- a/Features/CWE-798/HardcodedConnectionString.expected
+++ b/Features/CWE-798/HardcodedConnectionString.expected
@ -14,6 +14,7 @@ nodes
 | TestHardcodedCredentials.cs:21:31:21:42 | "myusername" | semmle.label | "myusername" |
 | TestHardcodedCredentials.cs:21:45:21:56 | "mypassword" | semmle.label | "mypassword" |
 | TestHardcodedCredentials.cs:26:19:26:28 | "username" | semmle.label | "username" |
+subpaths
 #select
 | HardcodedCredentials.cs:54:48:54:63 | "Password=12345" | HardcodedCredentials.cs:54:48:54:63 | "Password=12345" | HardcodedCredentials.cs:54:48:54:63 | "Password=12345" | 'ConnectionString' property includes hard-coded credentials set in $@. | HardcodedCredentials.cs:54:30:54:64 | object creation of type SqlConnection | object creation of type SqlConnection |
 | HardcodedCredentials.cs:56:49:56:63 | "User Id=12345" | HardcodedCredentials.cs:56:49:56:63 | "User Id=12345" | HardcodedCredentials.cs:56:49:56:63 | "User Id=12345" | 'ConnectionString' property includes hard-coded credentials set in $@. | HardcodedCredentials.cs:56:31:56:64 | object creation of type SqlConnection | object creation of type SqlConnection |
--- a/Features/CWE-798/HardcodedCredentials.expected
+++ b/Features/CWE-798/HardcodedCredentials.expected
@ -12,6 +12,7 @@ nodes
 | TestHardcodedCredentials.cs:21:31:21:42 | "myusername" | semmle.label | "myusername" |
 | TestHardcodedCredentials.cs:21:45:21:56 | "mypassword" | semmle.label | "mypassword" |
 | TestHardcodedCredentials.cs:26:19:26:28 | "username" | semmle.label | "username" |
+subpaths
 #select
 | HardcodedCredentials.cs:15:25:15:36 | "myPa55word" | HardcodedCredentials.cs:15:25:15:36 | "myPa55word" | HardcodedCredentials.cs:15:25:15:36 | "myPa55word" | The hard-coded value "myPa55word" flows to $@ which is compared against $@. | HardcodedCredentials.cs:15:25:15:36 | "myPa55word" | "myPa55word" | HardcodedCredentials.cs:15:13:15:20 | access to local variable password | access to local variable password |
 | HardcodedCredentials.cs:31:19:31:28 | "username" | HardcodedCredentials.cs:31:19:31:28 | "username" | HardcodedCredentials.cs:31:19:31:28 | "username" | The hard-coded value "username" flows to the $@ parameter in $@. | HardcodedCredentials.cs:31:19:31:28 | "username" | name | HardcodedCredentials.cs:29:31:43:13 | object creation of type MembershipUser | object creation of type MembershipUser |
--- a/Features/CWE-807/ConditionalBypass.expected
+++ b/Features/CWE-807/ConditionalBypass.expected
@ -41,6 +41,7 @@ nodes
 | ConditionalBypass.cs:84:13:84:23 | access to local variable adminCookie : HttpCookie | semmle.label | access to local variable adminCookie : HttpCookie |
 | ConditionalBypass.cs:84:13:84:29 | access to property Value : String | semmle.label | access to property Value : String |
 | ConditionalBypass.cs:84:13:84:40 | ... == ... | semmle.label | ... == ... |
+subpaths
 #select
 | ConditionalBypass.cs:17:13:17:33 | call to method login | ConditionalBypass.cs:12:26:12:48 | access to property QueryString : NameValueCollection | ConditionalBypass.cs:16:13:16:30 | ... == ... | Sensitive method may not be executed depending on $@, which flows from $@. | ConditionalBypass.cs:16:13:16:30 | ... == ... | this condition | ConditionalBypass.cs:12:26:12:48 | access to property QueryString | user input |
 | ConditionalBypass.cs:23:13:23:33 | call to method login | ConditionalBypass.cs:19:34:19:52 | access to property Cookies : HttpCookieCollection | ConditionalBypass.cs:22:13:22:45 | call to method Equals | Sensitive method may not be executed depending on $@, which flows from $@. | ConditionalBypass.cs:22:13:22:45 | call to method Equals | this condition | ConditionalBypass.cs:19:34:19:52 | access to property Cookies | user input |
--- a/Features/CWE-838/InappropriateEncoding.expected
+++ b/Features/CWE-838/InappropriateEncoding.expected
@ -29,6 +29,7 @@ nodes
 | SqlEncode.cs:15:46:15:50 | access to local variable query | semmle.label | access to local variable query |
 | UrlEncode.cs:10:31:10:69 | ... + ... | semmle.label | ... + ... |
 | UrlEncode.cs:10:43:10:69 | call to method HtmlEncode : String | semmle.label | call to method HtmlEncode : String |
+subpaths
 #select
 | HtmlEncode.cs:10:28:10:65 | ... + ... | HtmlEncode.cs:10:40:10:65 | call to method UrlEncode : String | HtmlEncode.cs:10:28:10:65 | ... + ... | This HTML expression may include data from a $@. | HtmlEncode.cs:10:40:10:65 | call to method UrlEncode | possibly inappropriately encoded value |
 | InappropriateEncoding.cs:18:46:18:51 | access to local variable query1 | InappropriateEncoding.cs:13:28:13:40 | call to method Encode : String | InappropriateEncoding.cs:18:46:18:51 | access to local variable query1 | This SQL expression may include data from a $@. | InappropriateEncoding.cs:13:28:13:40 | call to method Encode | possibly inappropriately encoded value |
--- a/java/ql/lib/semmle/code/java/dataflow/internal/DataFlowImpl.qll
+++ b/java/ql/lib/semmle/code/java/dataflow/internal/DataFlowImpl.qll
@ -3258,24 +3258,16 @@ class PathNode extends TPathNode {
  /** Gets the associated configuration. */
  Configuration getConfiguration() { none() }

-  private predicate isHidden() {
-    hiddenNode(this.(PathNodeImpl).getNodeEx().asNode()) and
-    not this.isSource() and
-    not this instanceof PathNodeSink
-    or
-    this.(PathNodeImpl).getNodeEx() instanceof TNodeImplicitRead
-  }
-
  private PathNode getASuccessorIfHidden() {
-    this.isHidden() and
+    this.(PathNodeImpl).isHidden() and
    result = this.(PathNodeImpl).getASuccessorImpl()
  }

  /** Gets a successor of this node, if any. */
  final PathNode getASuccessor() {
    result = this.(PathNodeImpl).getASuccessorImpl().getASuccessorIfHidden*() and
-    not this.isHidden() and
-    not result.isHidden()
+    not this.(PathNodeImpl).isHidden() and
+    not result.(PathNodeImpl).isHidden()
  }

  /** Holds if this node is a source. */
@ -3287,6 +3279,14 @@ abstract private class PathNodeImpl extends PathNode {

  abstract NodeEx getNodeEx();

+  predicate isHidden() {
+    hiddenNode(this.getNodeEx().asNode()) and
+    not this.isSource() and
+    not this instanceof PathNodeSink
+    or
+    this.getNodeEx() instanceof TNodeImplicitRead
+  }
+
  private string ppAp() {
    this instanceof PathNodeSink and result = ""
    or
@ -3313,9 +3313,14 @@ abstract private class PathNodeImpl extends PathNode {
 }

 /** Holds if `n` can reach a sink. */
-private predicate reach(PathNode n) { n instanceof PathNodeSink or reach(n.getASuccessor()) }
+private predicate directReach(PathNode n) {
+  n instanceof PathNodeSink or directReach(n.getASuccessor())
+}

-/** Holds if `n1.getSucc() = n2` and `n2` can reach a sink. */
+/** Holds if `n` can reach a sink or is used in a subpath. */
+private predicate reach(PathNode n) { directReach(n) or Subpaths::retReach(n) }
+
+/** Holds if `n1.getSucc() = n2` and `n2` can reach a sink or is used in a subpath. */
 private predicate pathSucc(PathNode n1, PathNode n2) { n1.getASuccessor() = n2 and reach(n2) }

 private predicate pathSuccPlus(PathNode n1, PathNode n2) = fastTC(pathSucc/2)(n1, n2)
@ -3331,6 +3336,8 @@ module PathGraph {
  query predicate nodes(PathNode n, string key, string val) {
    reach(n) and key = "semmle.label" and val = n.toString()
  }
+
+  query predicate subpaths = Subpaths::subpaths/4;
 }

 /**
@ -3622,6 +3629,86 @@ private predicate pathThroughCallable(PathNodeMid mid, NodeEx out, CallContext c
  )
 }

+private module Subpaths {
+  /**
+   * Holds if `(arg, par, ret, out)` forms a subpath-tuple and `ret` is determined by
+   * `kind`, `sc`, `apout`, and `innercc`.
+   */
+  pragma[nomagic]
+  private predicate subpaths01(
+    PathNode arg, ParamNodeEx par, SummaryCtxSome sc, CallContext innercc, ReturnKindExt kind,
+    NodeEx out, AccessPath apout
+  ) {
+    pathThroughCallable(arg, out, _, apout) and
+    pathIntoCallable(arg, par, _, innercc, sc, _) and
+    paramFlowsThrough(kind, innercc, sc, apout, _, unbindConf(arg.getConfiguration()))
+  }
+
+  /**
+   * Holds if `(arg, par, ret, out)` forms a subpath-tuple and `ret` is determined by
+   * `kind`, `sc`, `apout`, and `innercc`.
+   */
+  pragma[nomagic]
+  private predicate subpaths02(
+    PathNode arg, ParamNodeEx par, SummaryCtxSome sc, CallContext innercc, ReturnKindExt kind,
+    NodeEx out, AccessPath apout
+  ) {
+    subpaths01(arg, par, sc, innercc, kind, out, apout) and
+    out.asNode() = kind.getAnOutNode(_)
+  }
+
+  pragma[nomagic]
+  private Configuration getPathNodeConf(PathNode n) { result = n.getConfiguration() }
+
+  /**
+   * Holds if `(arg, par, ret, out)` forms a subpath-tuple.
+   */
+  pragma[nomagic]
+  private predicate subpaths03(
+    PathNode arg, ParamNodeEx par, PathNodeMid ret, NodeEx out, AccessPath apout
+  ) {
+    exists(SummaryCtxSome sc, CallContext innercc, ReturnKindExt kind, RetNodeEx retnode |
+      subpaths02(arg, par, sc, innercc, kind, out, apout) and
+      ret.getNodeEx() = retnode and
+      kind = retnode.getKind() and
+      innercc = ret.getCallContext() and
+      sc = ret.getSummaryCtx() and
+      ret.getConfiguration() = unbindConf(getPathNodeConf(arg)) and
+      apout = ret.getAp() and
+      not ret.isHidden()
+    )
+  }
+
+  /**
+   * Holds if `(arg, par, ret, out)` forms a subpath-tuple, that is, flow through
+   * a subpath between `par` and `ret` with the connecting edges `arg -> par` and
+   * `ret -> out` is summarized as the edge `arg -> out`.
+   */
+  predicate subpaths(PathNode arg, PathNodeImpl par, PathNodeMid ret, PathNodeMid out) {
+    exists(ParamNodeEx p, NodeEx o, AccessPath apout |
+      arg.getASuccessor() = par and
+      arg.getASuccessor() = out and
+      subpaths03(arg, p, ret, o, apout) and
+      par.getNodeEx() = p and
+      out.getNodeEx() = o and
+      out.getAp() = apout
+    )
+  }
+
+  /**
+   * Holds if `n` can reach a return node in a summarized subpath.
+   */
+  predicate retReach(PathNode n) {
+    subpaths(_, _, n, _)
+    or
+    exists(PathNode mid |
+      retReach(mid) and
+      n.getASuccessor() = mid and
+      not subpaths(_, mid, _, _)
+    )
+  }
+}
+
 /**
 * Holds if data can flow (inter-procedurally) from `source` to `sink`.
 *
--- a/java/ql/lib/semmle/code/java/dataflow/internal/DataFlowImpl2.qll
+++ b/java/ql/lib/semmle/code/java/dataflow/internal/DataFlowImpl2.qll
@ -3258,24 +3258,16 @@ class PathNode extends TPathNode {
  /** Gets the associated configuration. */
  Configuration getConfiguration() { none() }

-  private predicate isHidden() {
-    hiddenNode(this.(PathNodeImpl).getNodeEx().asNode()) and
-    not this.isSource() and
-    not this instanceof PathNodeSink
-    or
-    this.(PathNodeImpl).getNodeEx() instanceof TNodeImplicitRead
-  }
-
  private PathNode getASuccessorIfHidden() {
-    this.isHidden() and
+    this.(PathNodeImpl).isHidden() and
    result = this.(PathNodeImpl).getASuccessorImpl()
  }

  /** Gets a successor of this node, if any. */
  final PathNode getASuccessor() {
    result = this.(PathNodeImpl).getASuccessorImpl().getASuccessorIfHidden*() and
-    not this.isHidden() and
-    not result.isHidden()
+    not this.(PathNodeImpl).isHidden() and
+    not result.(PathNodeImpl).isHidden()
  }

  /** Holds if this node is a source. */
@ -3287,6 +3279,14 @@ abstract private class PathNodeImpl extends PathNode {

  abstract NodeEx getNodeEx();

+  predicate isHidden() {
+    hiddenNode(this.getNodeEx().asNode()) and
+    not this.isSource() and
+    not this instanceof PathNodeSink
+    or
+    this.getNodeEx() instanceof TNodeImplicitRead
+  }
+
  private string ppAp() {
    this instanceof PathNodeSink and result = ""
    or
@ -3313,9 +3313,14 @@ abstract private class PathNodeImpl extends PathNode {
 }

 /** Holds if `n` can reach a sink. */
-private predicate reach(PathNode n) { n instanceof PathNodeSink or reach(n.getASuccessor()) }
+private predicate directReach(PathNode n) {
+  n instanceof PathNodeSink or directReach(n.getASuccessor())
+}

-/** Holds if `n1.getSucc() = n2` and `n2` can reach a sink. */
+/** Holds if `n` can reach a sink or is used in a subpath. */
+private predicate reach(PathNode n) { directReach(n) or Subpaths::retReach(n) }
+
+/** Holds if `n1.getSucc() = n2` and `n2` can reach a sink or is used in a subpath. */
 private predicate pathSucc(PathNode n1, PathNode n2) { n1.getASuccessor() = n2 and reach(n2) }

 private predicate pathSuccPlus(PathNode n1, PathNode n2) = fastTC(pathSucc/2)(n1, n2)
@ -3331,6 +3336,8 @@ module PathGraph {
  query predicate nodes(PathNode n, string key, string val) {
    reach(n) and key = "semmle.label" and val = n.toString()
  }
+
+  query predicate subpaths = Subpaths::subpaths/4;
 }

 /**
@ -3622,6 +3629,86 @@ private predicate pathThroughCallable(PathNodeMid mid, NodeEx out, CallContext c
  )
 }

+private module Subpaths {
+  /**
+   * Holds if `(arg, par, ret, out)` forms a subpath-tuple and `ret` is determined by
+   * `kind`, `sc`, `apout`, and `innercc`.
+   */
+  pragma[nomagic]
+  private predicate subpaths01(
+    PathNode arg, ParamNodeEx par, SummaryCtxSome sc, CallContext innercc, ReturnKindExt kind,
+    NodeEx out, AccessPath apout
+  ) {
+    pathThroughCallable(arg, out, _, apout) and
+    pathIntoCallable(arg, par, _, innercc, sc, _) and
+    paramFlowsThrough(kind, innercc, sc, apout, _, unbindConf(arg.getConfiguration()))
+  }
+
+  /**
+   * Holds if `(arg, par, ret, out)` forms a subpath-tuple and `ret` is determined by
+   * `kind`, `sc`, `apout`, and `innercc`.
+   */
+  pragma[nomagic]
+  private predicate subpaths02(
+    PathNode arg, ParamNodeEx par, SummaryCtxSome sc, CallContext innercc, ReturnKindExt kind,
+    NodeEx out, AccessPath apout
+  ) {
+    subpaths01(arg, par, sc, innercc, kind, out, apout) and
+    out.asNode() = kind.getAnOutNode(_)
+  }
+
+  pragma[nomagic]
+  private Configuration getPathNodeConf(PathNode n) { result = n.getConfiguration() }
+
+  /**
+   * Holds if `(arg, par, ret, out)` forms a subpath-tuple.
+   */
+  pragma[nomagic]
+  private predicate subpaths03(
+    PathNode arg, ParamNodeEx par, PathNodeMid ret, NodeEx out, AccessPath apout
+  ) {
+    exists(SummaryCtxSome sc, CallContext innercc, ReturnKindExt kind, RetNodeEx retnode |
+      subpaths02(arg, par, sc, innercc, kind, out, apout) and
+      ret.getNodeEx() = retnode and
+      kind = retnode.getKind() and
+      innercc = ret.getCallContext() and
+      sc = ret.getSummaryCtx() and
+      ret.getConfiguration() = unbindConf(getPathNodeConf(arg)) and
+      apout = ret.getAp() and
+      not ret.isHidden()
+    )
+  }
+
+  /**
+   * Holds if `(arg, par, ret, out)` forms a subpath-tuple, that is, flow through
+   * a subpath between `par` and `ret` with the connecting edges `arg -> par` and
+   * `ret -> out` is summarized as the edge `arg -> out`.
+   */
+  predicate subpaths(PathNode arg, PathNodeImpl par, PathNodeMid ret, PathNodeMid out) {
+    exists(ParamNodeEx p, NodeEx o, AccessPath apout |
+      arg.getASuccessor() = par and
+      arg.getASuccessor() = out and
+      subpaths03(arg, p, ret, o, apout) and
+      par.getNodeEx() = p and
+      out.getNodeEx() = o and
+      out.getAp() = apout
+    )
+  }
+
+  /**
+   * Holds if `n` can reach a return node in a summarized subpath.
+   */
+  predicate retReach(PathNode n) {
+    subpaths(_, _, n, _)
+    or
+    exists(PathNode mid |
+      retReach(mid) and
+      n.getASuccessor() = mid and
+      not subpaths(_, mid, _, _)
+    )
+  }
+}
+
 /**
 * Holds if data can flow (inter-procedurally) from `source` to `sink`.
 *
--- a/java/ql/lib/semmle/code/java/dataflow/internal/DataFlowImpl3.qll
+++ b/java/ql/lib/semmle/code/java/dataflow/internal/DataFlowImpl3.qll
@ -3258,24 +3258,16 @@ class PathNode extends TPathNode {
  /** Gets the associated configuration. */
  Configuration getConfiguration() { none() }

-  private predicate isHidden() {
-    hiddenNode(this.(PathNodeImpl).getNodeEx().asNode()) and
-    not this.isSource() and
-    not this instanceof PathNodeSink
-    or
-    this.(PathNodeImpl).getNodeEx() instanceof TNodeImplicitRead
-  }
-
  private PathNode getASuccessorIfHidden() {
-    this.isHidden() and
+    this.(PathNodeImpl).isHidden() and
    result = this.(PathNodeImpl).getASuccessorImpl()
  }

  /** Gets a successor of this node, if any. */
  final PathNode getASuccessor() {
    result = this.(PathNodeImpl).getASuccessorImpl().getASuccessorIfHidden*() and
-    not this.isHidden() and
-    not result.isHidden()
+    not this.(PathNodeImpl).isHidden() and
+    not result.(PathNodeImpl).isHidden()
  }

  /** Holds if this node is a source. */
@ -3287,6 +3279,14 @@ abstract private class PathNodeImpl extends PathNode {

  abstract NodeEx getNodeEx();

+  predicate isHidden() {
+    hiddenNode(this.getNodeEx().asNode()) and
+    not this.isSource() and
+    not this instanceof PathNodeSink
+    or
+    this.getNodeEx() instanceof TNodeImplicitRead
+  }
+
  private string ppAp() {
    this instanceof PathNodeSink and result = ""
    or
@ -3313,9 +3313,14 @@ abstract private class PathNodeImpl extends PathNode {
 }

 /** Holds if `n` can reach a sink. */
-private predicate reach(PathNode n) { n instanceof PathNodeSink or reach(n.getASuccessor()) }
+private predicate directReach(PathNode n) {
+  n instanceof PathNodeSink or directReach(n.getASuccessor())
+}

-/** Holds if `n1.getSucc() = n2` and `n2` can reach a sink. */
+/** Holds if `n` can reach a sink or is used in a subpath. */
+private predicate reach(PathNode n) { directReach(n) or Subpaths::retReach(n) }
+
+/** Holds if `n1.getSucc() = n2` and `n2` can reach a sink or is used in a subpath. */
 private predicate pathSucc(PathNode n1, PathNode n2) { n1.getASuccessor() = n2 and reach(n2) }

 private predicate pathSuccPlus(PathNode n1, PathNode n2) = fastTC(pathSucc/2)(n1, n2)
@ -3331,6 +3336,8 @@ module PathGraph {
  query predicate nodes(PathNode n, string key, string val) {
    reach(n) and key = "semmle.label" and val = n.toString()
  }
+
+  query predicate subpaths = Subpaths::subpaths/4;
 }

 /**
@ -3622,6 +3629,86 @@ private predicate pathThroughCallable(PathNodeMid mid, NodeEx out, CallContext c
  )
 }

+private module Subpaths {
+  /**
+   * Holds if `(arg, par, ret, out)` forms a subpath-tuple and `ret` is determined by
+   * `kind`, `sc`, `apout`, and `innercc`.
+   */
+  pragma[nomagic]
+  private predicate subpaths01(
+    PathNode arg, ParamNodeEx par, SummaryCtxSome sc, CallContext innercc, ReturnKindExt kind,
+    NodeEx out, AccessPath apout
+  ) {
+    pathThroughCallable(arg, out, _, apout) and
+    pathIntoCallable(arg, par, _, innercc, sc, _) and
+    paramFlowsThrough(kind, innercc, sc, apout, _, unbindConf(arg.getConfiguration()))
+  }
+
+  /**
+   * Holds if `(arg, par, ret, out)` forms a subpath-tuple and `ret` is determined by
+   * `kind`, `sc`, `apout`, and `innercc`.
+   */
+  pragma[nomagic]
+  private predicate subpaths02(
+    PathNode arg, ParamNodeEx par, SummaryCtxSome sc, CallContext innercc, ReturnKindExt kind,
+    NodeEx out, AccessPath apout
+  ) {
+    subpaths01(arg, par, sc, innercc, kind, out, apout) and
+    out.asNode() = kind.getAnOutNode(_)
+  }
+
+  pragma[nomagic]
+  private Configuration getPathNodeConf(PathNode n) { result = n.getConfiguration() }
+
+  /**
+   * Holds if `(arg, par, ret, out)` forms a subpath-tuple.
+   */
+  pragma[nomagic]
+  private predicate subpaths03(
+    PathNode arg, ParamNodeEx par, PathNodeMid ret, NodeEx out, AccessPath apout
+  ) {
+    exists(SummaryCtxSome sc, CallContext innercc, ReturnKindExt kind, RetNodeEx retnode |
+      subpaths02(arg, par, sc, innercc, kind, out, apout) and
+      ret.getNodeEx() = retnode and
+      kind = retnode.getKind() and
+      innercc = ret.getCallContext() and
+      sc = ret.getSummaryCtx() and
+      ret.getConfiguration() = unbindConf(getPathNodeConf(arg)) and
+      apout = ret.getAp() and
+      not ret.isHidden()
+    )
+  }
+
+  /**
+   * Holds if `(arg, par, ret, out)` forms a subpath-tuple, that is, flow through
+   * a subpath between `par` and `ret` with the connecting edges `arg -> par` and
+   * `ret -> out` is summarized as the edge `arg -> out`.
+   */
+  predicate subpaths(PathNode arg, PathNodeImpl par, PathNodeMid ret, PathNodeMid out) {
+    exists(ParamNodeEx p, NodeEx o, AccessPath apout |
+      arg.getASuccessor() = par and
+      arg.getASuccessor() = out and
+      subpaths03(arg, p, ret, o, apout) and
+      par.getNodeEx() = p and
+      out.getNodeEx() = o and
+      out.getAp() = apout
+    )
+  }
+
+  /**
+   * Holds if `n` can reach a return node in a summarized subpath.
+   */
+  predicate retReach(PathNode n) {
+    subpaths(_, _, n, _)
+    or
+    exists(PathNode mid |
+      retReach(mid) and
+      n.getASuccessor() = mid and
+      not subpaths(_, mid, _, _)
+    )
+  }
+}
+
 /**
 * Holds if data can flow (inter-procedurally) from `source` to `sink`.
 *
--- a/java/ql/lib/semmle/code/java/dataflow/internal/DataFlowImpl4.qll
+++ b/java/ql/lib/semmle/code/java/dataflow/internal/DataFlowImpl4.qll
@ -3258,24 +3258,16 @@ class PathNode extends TPathNode {
  /** Gets the associated configuration. */
  Configuration getConfiguration() { none() }

-  private predicate isHidden() {
-    hiddenNode(this.(PathNodeImpl).getNodeEx().asNode()) and
-    not this.isSource() and
-    not this instanceof PathNodeSink
-    or
-    this.(PathNodeImpl).getNodeEx() instanceof TNodeImplicitRead
-  }
-
  private PathNode getASuccessorIfHidden() {
-    this.isHidden() and
+    this.(PathNodeImpl).isHidden() and
    result = this.(PathNodeImpl).getASuccessorImpl()
  }

  /** Gets a successor of this node, if any. */
  final PathNode getASuccessor() {
    result = this.(PathNodeImpl).getASuccessorImpl().getASuccessorIfHidden*() and
-    not this.isHidden() and
-    not result.isHidden()
+    not this.(PathNodeImpl).isHidden() and
+    not result.(PathNodeImpl).isHidden()
  }

  /** Holds if this node is a source. */
@ -3287,6 +3279,14 @@ abstract private class PathNodeImpl extends PathNode {

  abstract NodeEx getNodeEx();

+  predicate isHidden() {
+    hiddenNode(this.getNodeEx().asNode()) and
+    not this.isSource() and
+    not this instanceof PathNodeSink
+    or
+    this.getNodeEx() instanceof TNodeImplicitRead
+  }
+
  private string ppAp() {
    this instanceof PathNodeSink and result = ""
    or
@ -3313,9 +3313,14 @@ abstract private class PathNodeImpl extends PathNode {
 }

 /** Holds if `n` can reach a sink. */
-private predicate reach(PathNode n) { n instanceof PathNodeSink or reach(n.getASuccessor()) }
+private predicate directReach(PathNode n) {
+  n instanceof PathNodeSink or directReach(n.getASuccessor())
+}

-/** Holds if `n1.getSucc() = n2` and `n2` can reach a sink. */
+/** Holds if `n` can reach a sink or is used in a subpath. */
+private predicate reach(PathNode n) { directReach(n) or Subpaths::retReach(n) }
+
+/** Holds if `n1.getSucc() = n2` and `n2` can reach a sink or is used in a subpath. */
 private predicate pathSucc(PathNode n1, PathNode n2) { n1.getASuccessor() = n2 and reach(n2) }

 private predicate pathSuccPlus(PathNode n1, PathNode n2) = fastTC(pathSucc/2)(n1, n2)
@ -3331,6 +3336,8 @@ module PathGraph {
  query predicate nodes(PathNode n, string key, string val) {
    reach(n) and key = "semmle.label" and val = n.toString()
  }
+
+  query predicate subpaths = Subpaths::subpaths/4;
 }

 /**
@ -3622,6 +3629,86 @@ private predicate pathThroughCallable(PathNodeMid mid, NodeEx out, CallContext c
  )
 }

+private module Subpaths {
+  /**
+   * Holds if `(arg, par, ret, out)` forms a subpath-tuple and `ret` is determined by
+   * `kind`, `sc`, `apout`, and `innercc`.
+   */
+  pragma[nomagic]
+  private predicate subpaths01(
+    PathNode arg, ParamNodeEx par, SummaryCtxSome sc, CallContext innercc, ReturnKindExt kind,
+    NodeEx out, AccessPath apout
+  ) {
+    pathThroughCallable(arg, out, _, apout) and
+    pathIntoCallable(arg, par, _, innercc, sc, _) and
+    paramFlowsThrough(kind, innercc, sc, apout, _, unbindConf(arg.getConfiguration()))
+  }
+
+  /**
+   * Holds if `(arg, par, ret, out)` forms a subpath-tuple and `ret` is determined by
+   * `kind`, `sc`, `apout`, and `innercc`.
+   */
+  pragma[nomagic]
+  private predicate subpaths02(
+    PathNode arg, ParamNodeEx par, SummaryCtxSome sc, CallContext innercc, ReturnKindExt kind,
+    NodeEx out, AccessPath apout
+  ) {
+    subpaths01(arg, par, sc, innercc, kind, out, apout) and
+    out.asNode() = kind.getAnOutNode(_)
+  }
+
+  pragma[nomagic]
+  private Configuration getPathNodeConf(PathNode n) { result = n.getConfiguration() }
+
+  /**
+   * Holds if `(arg, par, ret, out)` forms a subpath-tuple.
+   */
+  pragma[nomagic]
+  private predicate subpaths03(
+    PathNode arg, ParamNodeEx par, PathNodeMid ret, NodeEx out, AccessPath apout
+  ) {
+    exists(SummaryCtxSome sc, CallContext innercc, ReturnKindExt kind, RetNodeEx retnode |
+      subpaths02(arg, par, sc, innercc, kind, out, apout) and
+      ret.getNodeEx() = retnode and
+      kind = retnode.getKind() and
+      innercc = ret.getCallContext() and
+      sc = ret.getSummaryCtx() and
+      ret.getConfiguration() = unbindConf(getPathNodeConf(arg)) and
+      apout = ret.getAp() and
+      not ret.isHidden()
+    )
+  }
+
+  /**
+   * Holds if `(arg, par, ret, out)` forms a subpath-tuple, that is, flow through
+   * a subpath between `par` and `ret` with the connecting edges `arg -> par` and
+   * `ret -> out` is summarized as the edge `arg -> out`.
+   */
+  predicate subpaths(PathNode arg, PathNodeImpl par, PathNodeMid ret, PathNodeMid out) {
+    exists(ParamNodeEx p, NodeEx o, AccessPath apout |
+      arg.getASuccessor() = par and
+      arg.getASuccessor() = out and
+      subpaths03(arg, p, ret, o, apout) and
+      par.getNodeEx() = p and
+      out.getNodeEx() = o and
+      out.getAp() = apout
+    )
+  }
+
+  /**
+   * Holds if `n` can reach a return node in a summarized subpath.
+   */
+  predicate retReach(PathNode n) {
+    subpaths(_, _, n, _)
+    or
+    exists(PathNode mid |
+      retReach(mid) and
+      n.getASuccessor() = mid and
+      not subpaths(_, mid, _, _)
+    )
+  }
+}
+
 /**
 * Holds if data can flow (inter-procedurally) from `source` to `sink`.
 *
--- a/java/ql/lib/semmle/code/java/dataflow/internal/DataFlowImpl5.qll
+++ b/java/ql/lib/semmle/code/java/dataflow/internal/DataFlowImpl5.qll
@ -3258,24 +3258,16 @@ class PathNode extends TPathNode {
  /** Gets the associated configuration. */
  Configuration getConfiguration() { none() }

-  private predicate isHidden() {
-    hiddenNode(this.(PathNodeImpl).getNodeEx().asNode()) and
-    not this.isSource() and
-    not this instanceof PathNodeSink
-    or
-    this.(PathNodeImpl).getNodeEx() instanceof TNodeImplicitRead
-  }
-
  private PathNode getASuccessorIfHidden() {
-    this.isHidden() and
+    this.(PathNodeImpl).isHidden() and
    result = this.(PathNodeImpl).getASuccessorImpl()
  }

  /** Gets a successor of this node, if any. */
  final PathNode getASuccessor() {
    result = this.(PathNodeImpl).getASuccessorImpl().getASuccessorIfHidden*() and
-    not this.isHidden() and
-    not result.isHidden()
+    not this.(PathNodeImpl).isHidden() and
+    not result.(PathNodeImpl).isHidden()
  }

  /** Holds if this node is a source. */
@ -3287,6 +3279,14 @@ abstract private class PathNodeImpl extends PathNode {

  abstract NodeEx getNodeEx();

+  predicate isHidden() {
+    hiddenNode(this.getNodeEx().asNode()) and
+    not this.isSource() and
+    not this instanceof PathNodeSink
+    or
+    this.getNodeEx() instanceof TNodeImplicitRead
+  }
+
  private string ppAp() {
    this instanceof PathNodeSink and result = ""
    or
@ -3313,9 +3313,14 @@ abstract private class PathNodeImpl extends PathNode {
 }

 /** Holds if `n` can reach a sink. */
-private predicate reach(PathNode n) { n instanceof PathNodeSink or reach(n.getASuccessor()) }
+private predicate directReach(PathNode n) {
+  n instanceof PathNodeSink or directReach(n.getASuccessor())
+}

-/** Holds if `n1.getSucc() = n2` and `n2` can reach a sink. */
+/** Holds if `n` can reach a sink or is used in a subpath. */
+private predicate reach(PathNode n) { directReach(n) or Subpaths::retReach(n) }
+
+/** Holds if `n1.getSucc() = n2` and `n2` can reach a sink or is used in a subpath. */
 private predicate pathSucc(PathNode n1, PathNode n2) { n1.getASuccessor() = n2 and reach(n2) }

 private predicate pathSuccPlus(PathNode n1, PathNode n2) = fastTC(pathSucc/2)(n1, n2)
@ -3331,6 +3336,8 @@ module PathGraph {
  query predicate nodes(PathNode n, string key, string val) {
    reach(n) and key = "semmle.label" and val = n.toString()
  }
+
+  query predicate subpaths = Subpaths::subpaths/4;
 }

 /**
@ -3622,6 +3629,86 @@ private predicate pathThroughCallable(PathNodeMid mid, NodeEx out, CallContext c
  )
 }

+private module Subpaths {
+  /**
+   * Holds if `(arg, par, ret, out)` forms a subpath-tuple and `ret` is determined by
+   * `kind`, `sc`, `apout`, and `innercc`.
+   */
+  pragma[nomagic]
+  private predicate subpaths01(
+    PathNode arg, ParamNodeEx par, SummaryCtxSome sc, CallContext innercc, ReturnKindExt kind,
+    NodeEx out, AccessPath apout
+  ) {
+    pathThroughCallable(arg, out, _, apout) and
+    pathIntoCallable(arg, par, _, innercc, sc, _) and
+    paramFlowsThrough(kind, innercc, sc, apout, _, unbindConf(arg.getConfiguration()))
+  }
+
+  /**
+   * Holds if `(arg, par, ret, out)` forms a subpath-tuple and `ret` is determined by
+   * `kind`, `sc`, `apout`, and `innercc`.
+   */
+  pragma[nomagic]
+  private predicate subpaths02(
+    PathNode arg, ParamNodeEx par, SummaryCtxSome sc, CallContext innercc, ReturnKindExt kind,
+    NodeEx out, AccessPath apout
+  ) {
+    subpaths01(arg, par, sc, innercc, kind, out, apout) and
+    out.asNode() = kind.getAnOutNode(_)
+  }
+
+  pragma[nomagic]
+  private Configuration getPathNodeConf(PathNode n) { result = n.getConfiguration() }
+
+  /**
+   * Holds if `(arg, par, ret, out)` forms a subpath-tuple.
+   */
+  pragma[nomagic]
+  private predicate subpaths03(
+    PathNode arg, ParamNodeEx par, PathNodeMid ret, NodeEx out, AccessPath apout
+  ) {
+    exists(SummaryCtxSome sc, CallContext innercc, ReturnKindExt kind, RetNodeEx retnode |
+      subpaths02(arg, par, sc, innercc, kind, out, apout) and
+      ret.getNodeEx() = retnode and
+      kind = retnode.getKind() and
+      innercc = ret.getCallContext() and
+      sc = ret.getSummaryCtx() and
+      ret.getConfiguration() = unbindConf(getPathNodeConf(arg)) and
+      apout = ret.getAp() and
+      not ret.isHidden()
+    )
+  }
+
+  /**
+   * Holds if `(arg, par, ret, out)` forms a subpath-tuple, that is, flow through
+   * a subpath between `par` and `ret` with the connecting edges `arg -> par` and
+   * `ret -> out` is summarized as the edge `arg -> out`.
+   */
+  predicate subpaths(PathNode arg, PathNodeImpl par, PathNodeMid ret, PathNodeMid out) {
+    exists(ParamNodeEx p, NodeEx o, AccessPath apout |
+      arg.getASuccessor() = par and
+      arg.getASuccessor() = out and
+      subpaths03(arg, p, ret, o, apout) and
+      par.getNodeEx() = p and
+      out.getNodeEx() = o and
+      out.getAp() = apout
+    )
+  }
+
+  /**
+   * Holds if `n` can reach a return node in a summarized subpath.
+   */
+  predicate retReach(PathNode n) {
+    subpaths(_, _, n, _)
+    or
+    exists(PathNode mid |
+      retReach(mid) and
+      n.getASuccessor() = mid and
+      not subpaths(_, mid, _, _)
+    )
+  }
+}
+
 /**
 * Holds if data can flow (inter-procedurally) from `source` to `sink`.
 *
--- a/java/ql/lib/semmle/code/java/dataflow/internal/DataFlowImpl6.qll
+++ b/java/ql/lib/semmle/code/java/dataflow/internal/DataFlowImpl6.qll
@ -3258,24 +3258,16 @@ class PathNode extends TPathNode {
  /** Gets the associated configuration. */
  Configuration getConfiguration() { none() }

-  private predicate isHidden() {
-    hiddenNode(this.(PathNodeImpl).getNodeEx().asNode()) and
-    not this.isSource() and
-    not this instanceof PathNodeSink
-    or
-    this.(PathNodeImpl).getNodeEx() instanceof TNodeImplicitRead
-  }
-
  private PathNode getASuccessorIfHidden() {
-    this.isHidden() and
+    this.(PathNodeImpl).isHidden() and
    result = this.(PathNodeImpl).getASuccessorImpl()
  }

  /** Gets a successor of this node, if any. */
  final PathNode getASuccessor() {
    result = this.(PathNodeImpl).getASuccessorImpl().getASuccessorIfHidden*() and
-    not this.isHidden() and
-    not result.isHidden()
+    not this.(PathNodeImpl).isHidden() and
+    not result.(PathNodeImpl).isHidden()
  }

  /** Holds if this node is a source. */
@ -3287,6 +3279,14 @@ abstract private class PathNodeImpl extends PathNode {

  abstract NodeEx getNodeEx();

+  predicate isHidden() {
+    hiddenNode(this.getNodeEx().asNode()) and
+    not this.isSource() and
+    not this instanceof PathNodeSink
+    or
+    this.getNodeEx() instanceof TNodeImplicitRead
+  }
+
  private string ppAp() {
    this instanceof PathNodeSink and result = ""
    or
@ -3313,9 +3313,14 @@ abstract private class PathNodeImpl extends PathNode {
 }

 /** Holds if `n` can reach a sink. */
-private predicate reach(PathNode n) { n instanceof PathNodeSink or reach(n.getASuccessor()) }
+private predicate directReach(PathNode n) {
+  n instanceof PathNodeSink or directReach(n.getASuccessor())
+}

-/** Holds if `n1.getSucc() = n2` and `n2` can reach a sink. */
+/** Holds if `n` can reach a sink or is used in a subpath. */
+private predicate reach(PathNode n) { directReach(n) or Subpaths::retReach(n) }
+
+/** Holds if `n1.getSucc() = n2` and `n2` can reach a sink or is used in a subpath. */
 private predicate pathSucc(PathNode n1, PathNode n2) { n1.getASuccessor() = n2 and reach(n2) }

 private predicate pathSuccPlus(PathNode n1, PathNode n2) = fastTC(pathSucc/2)(n1, n2)
@ -3331,6 +3336,8 @@ module PathGraph {
  query predicate nodes(PathNode n, string key, string val) {
    reach(n) and key = "semmle.label" and val = n.toString()
  }
+
+  query predicate subpaths = Subpaths::subpaths/4;
 }

 /**
@ -3622,6 +3629,86 @@ private predicate pathThroughCallable(PathNodeMid mid, NodeEx out, CallContext c
  )
 }

+private module Subpaths {
+  /**
+   * Holds if `(arg, par, ret, out)` forms a subpath-tuple and `ret` is determined by
+   * `kind`, `sc`, `apout`, and `innercc`.
+   */
+  pragma[nomagic]
+  private predicate subpaths01(
+    PathNode arg, ParamNodeEx par, SummaryCtxSome sc, CallContext innercc, ReturnKindExt kind,
+    NodeEx out, AccessPath apout
+  ) {
+    pathThroughCallable(arg, out, _, apout) and
+    pathIntoCallable(arg, par, _, innercc, sc, _) and
+    paramFlowsThrough(kind, innercc, sc, apout, _, unbindConf(arg.getConfiguration()))
+  }
+
+  /**
+   * Holds if `(arg, par, ret, out)` forms a subpath-tuple and `ret` is determined by
+   * `kind`, `sc`, `apout`, and `innercc`.
+   */
+  pragma[nomagic]
+  private predicate subpaths02(
+    PathNode arg, ParamNodeEx par, SummaryCtxSome sc, CallContext innercc, ReturnKindExt kind,
+    NodeEx out, AccessPath apout
+  ) {
+    subpaths01(arg, par, sc, innercc, kind, out, apout) and
+    out.asNode() = kind.getAnOutNode(_)
+  }
+
+  pragma[nomagic]
+  private Configuration getPathNodeConf(PathNode n) { result = n.getConfiguration() }
+
+  /**
+   * Holds if `(arg, par, ret, out)` forms a subpath-tuple.
+   */
+  pragma[nomagic]
+  private predicate subpaths03(
+    PathNode arg, ParamNodeEx par, PathNodeMid ret, NodeEx out, AccessPath apout
+  ) {
+    exists(SummaryCtxSome sc, CallContext innercc, ReturnKindExt kind, RetNodeEx retnode |
+      subpaths02(arg, par, sc, innercc, kind, out, apout) and
+      ret.getNodeEx() = retnode and
+      kind = retnode.getKind() and
+      innercc = ret.getCallContext() and
+      sc = ret.getSummaryCtx() and
+      ret.getConfiguration() = unbindConf(getPathNodeConf(arg)) and
+      apout = ret.getAp() and
+      not ret.isHidden()
+    )
+  }
+
+  /**
+   * Holds if `(arg, par, ret, out)` forms a subpath-tuple, that is, flow through
+   * a subpath between `par` and `ret` with the connecting edges `arg -> par` and
+   * `ret -> out` is summarized as the edge `arg -> out`.
+   */
+  predicate subpaths(PathNode arg, PathNodeImpl par, PathNodeMid ret, PathNodeMid out) {
+    exists(ParamNodeEx p, NodeEx o, AccessPath apout |
+      arg.getASuccessor() = par and
+      arg.getASuccessor() = out and
+      subpaths03(arg, p, ret, o, apout) and
+      par.getNodeEx() = p and
+      out.getNodeEx() = o and
+      out.getAp() = apout
+    )
+  }
+
+  /**
+   * Holds if `n` can reach a return node in a summarized subpath.
+   */
+  predicate retReach(PathNode n) {
+    subpaths(_, _, n, _)
+    or
+    exists(PathNode mid |
+      retReach(mid) and
+      n.getASuccessor() = mid and
+      not subpaths(_, mid, _, _)
+    )
+  }
+}
+
 /**
 * Holds if data can flow (inter-procedurally) from `source` to `sink`.
 *
--- a/java/ql/lib/semmle/code/java/dataflow/internal/DataFlowImplForSerializability.qll
+++ b/java/ql/lib/semmle/code/java/dataflow/internal/DataFlowImplForSerializability.qll
@ -3258,24 +3258,16 @@ class PathNode extends TPathNode {
  /** Gets the associated configuration. */
  Configuration getConfiguration() { none() }

-  private predicate isHidden() {
-    hiddenNode(this.(PathNodeImpl).getNodeEx().asNode()) and
-    not this.isSource() and
-    not this instanceof PathNodeSink
-    or
-    this.(PathNodeImpl).getNodeEx() instanceof TNodeImplicitRead
-  }
-
  private PathNode getASuccessorIfHidden() {
-    this.isHidden() and
+    this.(PathNodeImpl).isHidden() and
    result = this.(PathNodeImpl).getASuccessorImpl()
  }

  /** Gets a successor of this node, if any. */
  final PathNode getASuccessor() {
    result = this.(PathNodeImpl).getASuccessorImpl().getASuccessorIfHidden*() and
-    not this.isHidden() and
-    not result.isHidden()
+    not this.(PathNodeImpl).isHidden() and
+    not result.(PathNodeImpl).isHidden()
  }

  /** Holds if this node is a source. */
@ -3287,6 +3279,14 @@ abstract private class PathNodeImpl extends PathNode {

  abstract NodeEx getNodeEx();

+  predicate isHidden() {
+    hiddenNode(this.getNodeEx().asNode()) and
+    not this.isSource() and
+    not this instanceof PathNodeSink
+    or
+    this.getNodeEx() instanceof TNodeImplicitRead
+  }
+
  private string ppAp() {
    this instanceof PathNodeSink and result = ""
    or
@ -3313,9 +3313,14 @@ abstract private class PathNodeImpl extends PathNode {
 }

 /** Holds if `n` can reach a sink. */
-private predicate reach(PathNode n) { n instanceof PathNodeSink or reach(n.getASuccessor()) }
+private predicate directReach(PathNode n) {
+  n instanceof PathNodeSink or directReach(n.getASuccessor())
+}

-/** Holds if `n1.getSucc() = n2` and `n2` can reach a sink. */
+/** Holds if `n` can reach a sink or is used in a subpath. */
+private predicate reach(PathNode n) { directReach(n) or Subpaths::retReach(n) }
+
+/** Holds if `n1.getSucc() = n2` and `n2` can reach a sink or is used in a subpath. */
 private predicate pathSucc(PathNode n1, PathNode n2) { n1.getASuccessor() = n2 and reach(n2) }

 private predicate pathSuccPlus(PathNode n1, PathNode n2) = fastTC(pathSucc/2)(n1, n2)
@ -3331,6 +3336,8 @@ module PathGraph {
  query predicate nodes(PathNode n, string key, string val) {
    reach(n) and key = "semmle.label" and val = n.toString()
  }
+
+  query predicate subpaths = Subpaths::subpaths/4;
 }

 /**
@ -3622,6 +3629,86 @@ private predicate pathThroughCallable(PathNodeMid mid, NodeEx out, CallContext c
  )
 }

+private module Subpaths {
+  /**
+   * Holds if `(arg, par, ret, out)` forms a subpath-tuple and `ret` is determined by
+   * `kind`, `sc`, `apout`, and `innercc`.
+   */
+  pragma[nomagic]
+  private predicate subpaths01(
+    PathNode arg, ParamNodeEx par, SummaryCtxSome sc, CallContext innercc, ReturnKindExt kind,
+    NodeEx out, AccessPath apout
+  ) {
+    pathThroughCallable(arg, out, _, apout) and
+    pathIntoCallable(arg, par, _, innercc, sc, _) and
+    paramFlowsThrough(kind, innercc, sc, apout, _, unbindConf(arg.getConfiguration()))
+  }
+
+  /**
+   * Holds if `(arg, par, ret, out)` forms a subpath-tuple and `ret` is determined by
+   * `kind`, `sc`, `apout`, and `innercc`.
+   */
+  pragma[nomagic]
+  private predicate subpaths02(
+    PathNode arg, ParamNodeEx par, SummaryCtxSome sc, CallContext innercc, ReturnKindExt kind,
+    NodeEx out, AccessPath apout
+  ) {
+    subpaths01(arg, par, sc, innercc, kind, out, apout) and
+    out.asNode() = kind.getAnOutNode(_)
+  }
+
+  pragma[nomagic]
+  private Configuration getPathNodeConf(PathNode n) { result = n.getConfiguration() }
+
+  /**
+   * Holds if `(arg, par, ret, out)` forms a subpath-tuple.
+   */
+  pragma[nomagic]
+  private predicate subpaths03(
+    PathNode arg, ParamNodeEx par, PathNodeMid ret, NodeEx out, AccessPath apout
+  ) {
+    exists(SummaryCtxSome sc, CallContext innercc, ReturnKindExt kind, RetNodeEx retnode |
+      subpaths02(arg, par, sc, innercc, kind, out, apout) and
+      ret.getNodeEx() = retnode and
+      kind = retnode.getKind() and
+      innercc = ret.getCallContext() and
+      sc = ret.getSummaryCtx() and
+      ret.getConfiguration() = unbindConf(getPathNodeConf(arg)) and
+      apout = ret.getAp() and
+      not ret.isHidden()
+    )
+  }
+
+  /**
+   * Holds if `(arg, par, ret, out)` forms a subpath-tuple, that is, flow through
+   * a subpath between `par` and `ret` with the connecting edges `arg -> par` and
+   * `ret -> out` is summarized as the edge `arg -> out`.
+   */
+  predicate subpaths(PathNode arg, PathNodeImpl par, PathNodeMid ret, PathNodeMid out) {
+    exists(ParamNodeEx p, NodeEx o, AccessPath apout |
+      arg.getASuccessor() = par and
+      arg.getASuccessor() = out and
+      subpaths03(arg, p, ret, o, apout) and
+      par.getNodeEx() = p and
+      out.getNodeEx() = o and
+      out.getAp() = apout
+    )
+  }
+
+  /**
+   * Holds if `n` can reach a return node in a summarized subpath.
+   */
+  predicate retReach(PathNode n) {
+    subpaths(_, _, n, _)
+    or
+    exists(PathNode mid |
+      retReach(mid) and
+      n.getASuccessor() = mid and
+      not subpaths(_, mid, _, _)
+    )
+  }
+}
+
 /**
 * Holds if data can flow (inter-procedurally) from `source` to `sink`.
 *
--- a/java/ql/test/experimental/query-tests/security/CWE-074/XsltInjection.expected
+++ b/java/ql/test/experimental/query-tests/security/CWE-074/XsltInjection.expected
@ -95,6 +95,7 @@ nodes
 | XsltInjection.java:108:5:108:46 | load(...) | semmle.label | load(...) |
 | XsltInjection.java:109:5:109:49 | load(...) | semmle.label | load(...) |
 | XsltInjection.java:110:5:110:50 | load(...) | semmle.label | load(...) |
+subpaths
 #select
 | XsltInjection.java:31:5:31:59 | newTransformer(...) | XsltInjection.java:30:44:30:66 | getInputStream(...) : InputStream | XsltInjection.java:31:5:31:59 | newTransformer(...) | XSLT transformation might include stylesheet from $@. | XsltInjection.java:30:44:30:66 | getInputStream(...) | this user input |
 | XsltInjection.java:36:5:36:74 | newTransformer(...) | XsltInjection.java:35:66:35:88 | getInputStream(...) : InputStream | XsltInjection.java:36:5:36:74 | newTransformer(...) | XSLT transformation might include stylesheet from $@. | XsltInjection.java:35:66:35:88 | getInputStream(...) | this user input |
--- a/java/ql/test/experimental/query-tests/security/CWE-078/ExecTainted.expected
+++ b/java/ql/test/experimental/query-tests/security/CWE-078/ExecTainted.expected
@ -6,6 +6,7 @@ nodes
 | JSchOSInjectionTest.java:26:48:26:64 | ... + ... | semmle.label | ... + ... |
 | JSchOSInjectionTest.java:38:30:38:60 | getParameter(...) : String | semmle.label | getParameter(...) : String |
 | JSchOSInjectionTest.java:50:32:50:48 | ... + ... | semmle.label | ... + ... |
+subpaths
 #select
 | JSchOSInjectionTest.java:26:48:26:64 | ... + ... | JSchOSInjectionTest.java:14:30:14:60 | getParameter(...) : String | JSchOSInjectionTest.java:26:48:26:64 | ... + ... | $@ flows to here and is used in a command. | JSchOSInjectionTest.java:14:30:14:60 | getParameter(...) | User-provided value |
 | JSchOSInjectionTest.java:50:32:50:48 | ... + ... | JSchOSInjectionTest.java:38:30:38:60 | getParameter(...) : String | JSchOSInjectionTest.java:50:32:50:48 | ... + ... | $@ flows to here and is used in a command. | JSchOSInjectionTest.java:38:30:38:60 | getParameter(...) | User-provided value |
--- a/java/ql/test/experimental/query-tests/security/CWE-094/BeanShellInjection.expected
+++ b/java/ql/test/experimental/query-tests/security/CWE-094/BeanShellInjection.expected
@ -9,6 +9,7 @@ nodes
 | BeanShellInjection.java:22:20:22:23 | code | semmle.label | code |
 | BeanShellInjection.java:27:17:27:44 | getParameter(...) : String | semmle.label | getParameter(...) : String |
 | BeanShellInjection.java:31:22:31:39 | staticScriptSource | semmle.label | staticScriptSource |
+subpaths
 #select
 | BeanShellInjection.java:15:22:15:49 | new StaticScriptSource(...) | BeanShellInjection.java:13:17:13:44 | getParameter(...) : String | BeanShellInjection.java:15:22:15:49 | new StaticScriptSource(...) | BeanShell injection from $@. | BeanShellInjection.java:13:17:13:44 | getParameter(...) | this user input |
 | BeanShellInjection.java:22:20:22:23 | code | BeanShellInjection.java:20:17:20:44 | getParameter(...) : String | BeanShellInjection.java:22:20:22:23 | code | BeanShell injection from $@. | BeanShellInjection.java:20:17:20:44 | getParameter(...) | this user input |
--- a/java/ql/test/experimental/query-tests/security/CWE-094/JShellInjection.expected
+++ b/java/ql/test/experimental/query-tests/security/CWE-094/JShellInjection.expected
@ -9,6 +9,7 @@ nodes
 | JShellInjection.java:24:31:24:35 | input | semmle.label | input |
 | JShellInjection.java:29:18:29:45 | getParameter(...) : String | semmle.label | getParameter(...) : String |
 | JShellInjection.java:37:16:37:28 | source(...) | semmle.label | source(...) |
+subpaths
 #select
 | JShellInjection.java:15:15:15:19 | input | JShellInjection.java:12:18:12:45 | getParameter(...) : String | JShellInjection.java:15:15:15:19 | input | JShell injection from $@. | JShellInjection.java:12:18:12:45 | getParameter(...) | this user input |
 | JShellInjection.java:24:31:24:35 | input | JShellInjection.java:20:18:20:45 | getParameter(...) : String | JShellInjection.java:24:31:24:35 | input | JShell injection from $@. | JShellInjection.java:20:18:20:45 | getParameter(...) | this user input |
--- a/java/ql/test/experimental/query-tests/security/CWE-094/JakartaExpressionInjection.expected
+++ b/java/ql/test/experimental/query-tests/security/CWE-094/JakartaExpressionInjection.expected
@ -37,6 +37,7 @@ nodes
 | JakartaExpressionInjection.java:89:13:89:13 | e | semmle.label | e |
 | JakartaExpressionInjection.java:95:24:95:33 | expression : String | semmle.label | expression : String |
 | JakartaExpressionInjection.java:99:13:99:13 | e | semmle.label | e |
+subpaths
 #select
 | JakartaExpressionInjection.java:34:28:34:37 | expression | JakartaExpressionInjection.java:23:25:23:47 | getInputStream(...) : InputStream | JakartaExpressionInjection.java:34:28:34:37 | expression | Jakarta Expression Language injection from $@. | JakartaExpressionInjection.java:23:25:23:47 | getInputStream(...) | this user input |
 | JakartaExpressionInjection.java:42:32:42:41 | expression | JakartaExpressionInjection.java:23:25:23:47 | getInputStream(...) : InputStream | JakartaExpressionInjection.java:42:32:42:41 | expression | Jakarta Expression Language injection from $@. | JakartaExpressionInjection.java:23:25:23:47 | getInputStream(...) | this user input |
--- a/java/ql/test/experimental/query-tests/security/CWE-094/JythonInjection.expected
+++ b/java/ql/test/experimental/query-tests/security/CWE-094/JythonInjection.expected
@ -13,6 +13,7 @@ nodes
 | JythonInjection.java:97:23:97:50 | getParameter(...) : String | semmle.label | getParameter(...) : String |
 | JythonInjection.java:106:61:106:75 | getBytes(...) | semmle.label | getBytes(...) |
 | JythonInjection.java:131:40:131:63 | getInputStream(...) | semmle.label | getInputStream(...) |
+subpaths
 #select
 | JythonInjection.java:36:13:36:34 | exec(...) | JythonInjection.java:28:23:28:50 | getParameter(...) : String | JythonInjection.java:36:30:36:33 | code | Jython evaluate $@. | JythonInjection.java:28:23:28:50 | getParameter(...) | user input |
 | JythonInjection.java:58:27:58:48 | eval(...) | JythonInjection.java:53:23:53:50 | getParameter(...) : String | JythonInjection.java:58:44:58:47 | code | Jython evaluate $@. | JythonInjection.java:53:23:53:50 | getParameter(...) | user input |
--- a/java/ql/test/experimental/query-tests/security/CWE-094/ScriptInjection.expected
+++ b/java/ql/test/experimental/query-tests/security/CWE-094/ScriptInjection.expected
@ -46,6 +46,7 @@ nodes
 | ScriptEngineTest.java:96:59:96:62 | code : String | semmle.label | code : String |
 | ScriptEngineTest.java:97:54:97:57 | code : String | semmle.label | code : String |
 | ScriptEngineTest.java:98:54:98:57 | code : String | semmle.label | code : String |
+subpaths
 #select
 | RhinoServlet.java:32:29:32:78 | evaluateString(...) | RhinoServlet.java:28:23:28:50 | getParameter(...) : String | RhinoServlet.java:32:55:32:58 | code | Java Script Engine evaluate $@. | RhinoServlet.java:28:23:28:50 | getParameter(...) | user input |
 | RhinoServlet.java:83:25:83:97 | compileToClassFiles(...) | RhinoServlet.java:81:23:81:50 | getParameter(...) : String | RhinoServlet.java:83:54:83:57 | code | Java Script Engine evaluate $@. | RhinoServlet.java:81:23:81:50 | getParameter(...) | user input |
--- a/java/ql/test/experimental/query-tests/security/CWE-094/SpelInjection.expected
+++ b/java/ql/test/experimental/query-tests/security/CWE-094/SpelInjection.expected
@ -42,6 +42,7 @@ nodes
 | SpelInjection.java:77:13:77:14 | in : InputStream | semmle.label | in : InputStream |
 | SpelInjection.java:77:21:77:25 | bytes [post update] : byte[] | semmle.label | bytes [post update] : byte[] |
 | SpelInjection.java:83:5:83:14 | expression | semmle.label | expression |
+subpaths
 #select
 | SpelInjection.java:23:5:23:14 | expression | SpelInjection.java:15:22:15:44 | getInputStream(...) : InputStream | SpelInjection.java:23:5:23:14 | expression | SpEL injection from $@. | SpelInjection.java:15:22:15:44 | getInputStream(...) | this user input |
 | SpelInjection.java:34:5:34:14 | expression | SpelInjection.java:27:22:27:44 | getInputStream(...) : InputStream | SpelInjection.java:34:5:34:14 | expression | SpEL injection from $@. | SpelInjection.java:27:22:27:44 | getInputStream(...) | this user input |
--- a/java/ql/test/experimental/query-tests/security/CWE-1004/SensitiveCookieNotHttpOnly.expected
+++ b/java/ql/test/experimental/query-tests/security/CWE-1004/SensitiveCookieNotHttpOnly.expected
@ -46,6 +46,7 @@ nodes
 | SensitiveCookieNotHttpOnly.java:91:16:91:21 | cookie : Cookie | semmle.label | cookie : Cookie |
 | SensitiveCookieNotHttpOnly.java:110:25:110:64 | createAuthenticationCookie(...) : Cookie | semmle.label | createAuthenticationCookie(...) : Cookie |
 | SensitiveCookieNotHttpOnly.java:111:28:111:33 | cookie | semmle.label | cookie |
+subpaths
 #select
 | SensitiveCookieNotHttpOnly.java:31:28:31:36 | jwtCookie | SensitiveCookieNotHttpOnly.java:24:33:24:43 | "jwt_token" : String | SensitiveCookieNotHttpOnly.java:31:28:31:36 | jwtCookie | $@ doesn't have the HttpOnly flag set. | SensitiveCookieNotHttpOnly.java:24:33:24:43 | "jwt_token" | This sensitive cookie |
 | SensitiveCookieNotHttpOnly.java:42:42:42:69 | ... + ... | SensitiveCookieNotHttpOnly.java:42:42:42:49 | "token=" : String | SensitiveCookieNotHttpOnly.java:42:42:42:69 | ... + ... | $@ doesn't have the HttpOnly flag set. | SensitiveCookieNotHttpOnly.java:42:42:42:49 | "token=" | This sensitive cookie |
--- a/java/ql/test/experimental/query-tests/security/CWE-208/NotConstantTimeCheckOnSignature/Test.expected
+++ b/java/ql/test/experimental/query-tests/security/CWE-208/NotConstantTimeCheckOnSignature/Test.expected
@ -9,6 +9,7 @@ nodes
 | Test.java:31:40:31:48 | signature | semmle.label | signature |
 | Test.java:47:22:47:46 | doFinal(...) : byte[] | semmle.label | doFinal(...) : byte[] |
 | Test.java:48:40:48:42 | tag | semmle.label | tag |
+subpaths
 #select
 | Test.java:15:43:15:51 | actualMac | Test.java:14:28:14:44 | doFinal(...) : byte[] | Test.java:15:43:15:51 | actualMac | Possible timing attack against $@ validation. | Test.java:14:28:14:44 | doFinal(...) : byte[] | MAC |
 | Test.java:31:40:31:48 | signature | Test.java:30:28:30:40 | sign(...) : byte[] | Test.java:31:40:31:48 | signature | Possible timing attack against $@ validation. | Test.java:30:28:30:40 | sign(...) : byte[] | signature |
--- a/java/ql/test/experimental/query-tests/security/CWE-208/TimingAttackAgainstSignagure/Test.expected
+++ b/java/ql/test/experimental/query-tests/security/CWE-208/TimingAttackAgainstSignagure/Test.expected
@ -32,6 +32,7 @@ nodes
 | Test.java:176:44:176:46 | tag | semmle.label | tag |
 | Test.java:201:34:201:50 | doFinal(...) : byte[] | semmle.label | doFinal(...) : byte[] |
 | Test.java:204:26:204:36 | computedTag | semmle.label | computedTag |
+subpaths
 #select
 | Test.java:23:47:23:55 | actualMac | Test.java:21:32:21:48 | doFinal(...) : byte[] | Test.java:23:47:23:55 | actualMac | Timing attack against $@ validation. | Test.java:21:32:21:48 | doFinal(...) : byte[] | MAC |
 | Test.java:36:47:36:55 | actualMac | Test.java:34:25:34:33 | actualMac : byte[] | Test.java:36:47:36:55 | actualMac | Timing attack against $@ validation. | Test.java:34:25:34:33 | actualMac : byte[] | MAC |
--- a/java/ql/test/experimental/query-tests/security/CWE-295/InsecureTrustManager/InsecureTrustManager.expected
+++ b/java/ql/test/experimental/query-tests/security/CWE-295/InsecureTrustManager/InsecureTrustManager.expected
@ -90,6 +90,7 @@ nodes
 | InsecureTrustManagerTest.java:414:33:414:81 | {...} [[]] : InsecureTrustManager | semmle.label | {...} [[]] : InsecureTrustManager |
 | InsecureTrustManagerTest.java:414:54:414:79 | new InsecureTrustManager(...) : InsecureTrustManager | semmle.label | new InsecureTrustManager(...) : InsecureTrustManager |
 | InsecureTrustManagerTest.java:415:22:415:33 | trustManager | semmle.label | trustManager |
+subpaths
 #select
 | InsecureTrustManagerTest.java:122:22:122:33 | trustManager | InsecureTrustManagerTest.java:121:54:121:79 | new InsecureTrustManager(...) : InsecureTrustManager | InsecureTrustManagerTest.java:122:22:122:33 | trustManager | $@ that is defined $@ and trusts any certificate, is used here. | InsecureTrustManagerTest.java:121:54:121:79 | new InsecureTrustManager(...) : InsecureTrustManager | This trustmanager | InsecureTrustManagerTest.java:35:23:35:42 | InsecureTrustManager | here |
 | InsecureTrustManagerTest.java:152:23:152:34 | trustManager | InsecureTrustManagerTest.java:151:55:151:80 | new InsecureTrustManager(...) : InsecureTrustManager | InsecureTrustManagerTest.java:152:23:152:34 | trustManager | $@ that is defined $@ and trusts any certificate, is used here. | InsecureTrustManagerTest.java:151:55:151:80 | new InsecureTrustManager(...) : InsecureTrustManager | This trustmanager | InsecureTrustManagerTest.java:35:23:35:42 | InsecureTrustManager | here |
--- a/java/ql/test/experimental/query-tests/security/CWE-299/DisabledRevocationChecking.expected
+++ b/java/ql/test/experimental/query-tests/security/CWE-299/DisabledRevocationChecking.expected
@ -13,5 +13,6 @@ nodes
 | DisabledRevocationChecking.java:25:15:25:22 | parameter this [flag] : Boolean | semmle.label | parameter this [flag] : Boolean |
 | DisabledRevocationChecking.java:28:33:28:36 | flag | semmle.label | flag |
 | DisabledRevocationChecking.java:28:33:28:36 | this <.field> [flag] : Boolean | semmle.label | this <.field> [flag] : Boolean |
+subpaths
 #select
 | DisabledRevocationChecking.java:17:12:17:16 | false | DisabledRevocationChecking.java:17:12:17:16 | false : Boolean | DisabledRevocationChecking.java:28:33:28:36 | flag | Revocation checking is disabled $@. | DisabledRevocationChecking.java:17:12:17:16 | false | here |
--- a/java/ql/test/experimental/query-tests/security/CWE-327/UnsafeTlsVersion.expected
+++ b/java/ql/test/experimental/query-tests/security/CWE-327/UnsafeTlsVersion.expected
@ -125,6 +125,7 @@ nodes
 | UnsafeTlsVersion.java:112:21:112:29 | "TLSv1.1" : String | semmle.label | "TLSv1.1" : String |
 | UnsafeTlsVersion.java:119:43:119:61 | protocols [[]] : String | semmle.label | protocols [[]] : String |
 | UnsafeTlsVersion.java:121:32:121:40 | protocols | semmle.label | protocols |
+subpaths
 #select
 | UnsafeTlsVersion.java:16:28:16:32 | "SSL" | UnsafeTlsVersion.java:16:28:16:32 | "SSL" | UnsafeTlsVersion.java:16:28:16:32 | "SSL" | $@ is unsafe | UnsafeTlsVersion.java:16:28:16:32 | "SSL" | SSL |
 | UnsafeTlsVersion.java:17:28:17:34 | "SSLv2" | UnsafeTlsVersion.java:17:28:17:34 | "SSLv2" | UnsafeTlsVersion.java:17:28:17:34 | "SSLv2" | $@ is unsafe | UnsafeTlsVersion.java:17:28:17:34 | "SSLv2" | SSLv2 |
--- a/java/ql/test/experimental/query-tests/security/CWE-346/UnvalidatedCors.expected
+++ b/java/ql/test/experimental/query-tests/security/CWE-346/UnvalidatedCors.expected
@ -3,5 +3,6 @@ edges
 nodes
 | UnvalidatedCors.java:21:22:21:48 | getHeader(...) : String | semmle.label | getHeader(...) : String |
 | UnvalidatedCors.java:27:67:27:69 | url | semmle.label | url |
+subpaths
 #select
 | UnvalidatedCors.java:27:67:27:69 | url | UnvalidatedCors.java:21:22:21:48 | getHeader(...) : String | UnvalidatedCors.java:27:67:27:69 | url | CORS header is being set using user controlled value $@. | UnvalidatedCors.java:21:22:21:48 | getHeader(...) | user-provided value |
--- a/java/ql/test/experimental/query-tests/security/CWE-348/ClientSuppliedIpUsedInSecurityCheck.expected
+++ b/java/ql/test/experimental/query-tests/security/CWE-348/ClientSuppliedIpUsedInSecurityCheck.expected
@ -14,6 +14,7 @@ nodes
 | ClientSuppliedIpUsedInSecurityCheck.java:43:27:43:62 | getHeader(...) : String | semmle.label | getHeader(...) : String |
 | ClientSuppliedIpUsedInSecurityCheck.java:47:16:47:34 | split(...) : String[] | semmle.label | split(...) : String[] |
 | ClientSuppliedIpUsedInSecurityCheck.java:47:16:47:37 | ...[...] : String | semmle.label | ...[...] : String |
+subpaths
 #select
 | ClientSuppliedIpUsedInSecurityCheck.java:17:37:17:38 | ip | ClientSuppliedIpUsedInSecurityCheck.java:43:27:43:62 | getHeader(...) : String | ClientSuppliedIpUsedInSecurityCheck.java:17:37:17:38 | ip | IP address spoofing might include code from $@. | ClientSuppliedIpUsedInSecurityCheck.java:43:27:43:62 | getHeader(...) | this user input |
 | ClientSuppliedIpUsedInSecurityCheck.java:25:33:25:34 | ip | ClientSuppliedIpUsedInSecurityCheck.java:43:27:43:62 | getHeader(...) : String | ClientSuppliedIpUsedInSecurityCheck.java:25:33:25:34 | ip | IP address spoofing might include code from $@. | ClientSuppliedIpUsedInSecurityCheck.java:43:27:43:62 | getHeader(...) | this user input |
--- a/java/ql/test/experimental/query-tests/security/CWE-352/JsonpInjection.expected
+++ b/java/ql/test/experimental/query-tests/security/CWE-352/JsonpInjection.expected
@ -48,6 +48,7 @@ nodes
 | JsonpController.java:116:16:116:24 | resultStr | semmle.label | resultStr |
 | JsonpController.java:130:21:130:54 | ... + ... : String | semmle.label | ... + ... : String |
 | JsonpController.java:131:16:131:24 | resultStr | semmle.label | resultStr |
+subpaths
 #select
 | JsonpController.java:37:16:37:24 | resultStr | JsonpController.java:33:32:33:68 | getParameter(...) : String | JsonpController.java:37:16:37:24 | resultStr | Jsonp response might include code from $@. | JsonpController.java:33:32:33:68 | getParameter(...) | this user input |
 | JsonpController.java:46:16:46:24 | resultStr | JsonpController.java:44:32:44:68 | getParameter(...) : String | JsonpController.java:46:16:46:24 | resultStr | Jsonp response might include code from $@. | JsonpController.java:44:32:44:68 | getParameter(...) | this user input |
--- a/java/ql/test/experimental/query-tests/security/CWE-470/UnsafeReflection.expected
+++ b/java/ql/test/experimental/query-tests/security/CWE-470/UnsafeReflection.expected
@ -51,6 +51,7 @@ nodes
 | UnsafeReflection.java:119:21:119:26 | method | semmle.label | method |
 | UnsafeReflection.java:119:35:119:38 | bean | semmle.label | bean |
 | UnsafeReflection.java:119:41:119:44 | data | semmle.label | data |
+subpaths
 #select
 | UnsafeReflection.java:25:29:25:62 | ...[...] | UnsafeReflection.java:21:28:21:60 | getParameter(...) : String | UnsafeReflection.java:25:29:25:62 | ...[...] | Unsafe reflection of $@. | UnsafeReflection.java:21:28:21:60 | getParameter(...) | user input |
 | UnsafeReflection.java:39:13:39:41 | ...[...] | UnsafeReflection.java:33:28:33:60 | getParameter(...) : String | UnsafeReflection.java:39:13:39:41 | ...[...] | Unsafe reflection of $@. | UnsafeReflection.java:33:28:33:60 | getParameter(...) | user input |
--- a/java/ql/test/experimental/query-tests/security/CWE-502/UnsafeDeserializationRmi.expected
+++ b/java/ql/test/experimental/query-tests/security/CWE-502/UnsafeDeserializationRmi.expected
@ -7,6 +7,7 @@ nodes
 | UnsafeDeserializationRmi.java:17:68:17:95 | new UnsafeRemoteObjectImpl(...) : UnsafeRemoteObjectImpl | semmle.label | new UnsafeRemoteObjectImpl(...) : UnsafeRemoteObjectImpl |
 | UnsafeDeserializationRmi.java:29:31:29:58 | new UnsafeRemoteObjectImpl(...) | semmle.label | new UnsafeRemoteObjectImpl(...) |
 | UnsafeDeserializationRmi.java:30:33:30:60 | new UnsafeRemoteObjectImpl(...) | semmle.label | new UnsafeRemoteObjectImpl(...) |
+subpaths
 #select
 | UnsafeDeserializationRmi.java:15:33:15:60 | new UnsafeRemoteObjectImpl(...) | UnsafeDeserializationRmi.java:15:33:15:60 | new UnsafeRemoteObjectImpl(...) | UnsafeDeserializationRmi.java:15:33:15:60 | new UnsafeRemoteObjectImpl(...) | Unsafe deserialization in a remote object. |
 | UnsafeDeserializationRmi.java:16:35:16:62 | new UnsafeRemoteObjectImpl(...) | UnsafeDeserializationRmi.java:16:35:16:62 | new UnsafeRemoteObjectImpl(...) | UnsafeDeserializationRmi.java:16:35:16:62 | new UnsafeRemoteObjectImpl(...) | Unsafe deserialization in a remote object. |
--- a/java/ql/test/experimental/query-tests/security/CWE-522/InsecureBasicAuth.expected
+++ b/java/ql/test/experimental/query-tests/security/CWE-522/InsecureBasicAuth.expected
@ -50,6 +50,7 @@ nodes
 | InsecureBasicAuth.java:145:21:145:28 | protocol : String | semmle.label | protocol : String |
 | InsecureBasicAuth.java:146:28:146:67 | (...)... : URLConnection | semmle.label | (...)... : URLConnection |
 | InsecureBasicAuth.java:149:3:149:6 | conn | semmle.label | conn |
+subpaths
 #select
 | InsecureBasicAuth.java:28:3:28:6 | post | InsecureBasicAuth.java:20:39:20:52 | ... + ... : String | InsecureBasicAuth.java:28:3:28:6 | post | Insecure basic authentication from $@. | InsecureBasicAuth.java:20:39:20:52 | ... + ... | HTTP url |
 | InsecureBasicAuth.java:38:3:38:5 | get | InsecureBasicAuth.java:35:19:35:64 | "http://www.example.com:8000/payment/retrieve" : String | InsecureBasicAuth.java:38:3:38:5 | get | Insecure basic authentication from $@. | InsecureBasicAuth.java:35:19:35:64 | "http://www.example.com:8000/payment/retrieve" | HTTP url |
--- a/java/ql/test/experimental/query-tests/security/CWE-522/InsecureLdapAuth.expected
+++ b/java/ql/test/experimental/query-tests/security/CWE-522/InsecureLdapAuth.expected
@ -102,6 +102,7 @@ nodes
 | InsecureLdapAuth.java:152:16:152:26 | environment [post update] : Hashtable | semmle.label | environment [post update] : Hashtable |
 | InsecureLdapAuth.java:153:50:153:60 | environment | semmle.label | environment |
 | InsecureLdapAuth.java:153:50:153:60 | environment | semmle.label | environment |
+subpaths
 #select
 | InsecureLdapAuth.java:20:49:20:59 | environment | InsecureLdapAuth.java:11:20:11:50 | "ldap://ad.your-server.com:389" : String | InsecureLdapAuth.java:20:49:20:59 | environment | Insecure LDAP authentication from $@. | InsecureLdapAuth.java:11:20:11:50 | "ldap://ad.your-server.com:389" | LDAP connection string |
 | InsecureLdapAuth.java:34:49:34:59 | environment | InsecureLdapAuth.java:25:20:25:39 | ... + ... : String | InsecureLdapAuth.java:34:49:34:59 | environment | Insecure LDAP authentication from $@. | InsecureLdapAuth.java:25:20:25:39 | ... + ... | LDAP connection string |
--- a/Показать больше
+++ b/Показать больше