Merge pull request #17222 from hvitved/ruby/hash-splat-param-arg-matching

Ruby: Rework (hash) splat argument/parameter matching

Author: hvitved

ruby/ql/lib/codeql/ruby/dataflow/internal/DataFlowDispatch.qll

@@ -563,7 +563,11 @@ private module Cached {
     THashSplatArgumentPosition() or
     TSynthHashSplatArgumentPosition() or
     TSplatArgumentPosition(int pos) { exists(Call c | c.getArgument(pos) instanceof SplatExpr) } or
-    TSynthSplatArgumentPosition() or
+    TSynthSplatArgumentPosition(int actualSplatPos) {
+      actualSplatPos = -1 // represents no actual splat
+      or
+      exists(Call c | c.getArgument(actualSplatPos) instanceof SplatExpr)
+    } or
     TAnyArgumentPosition() or
     TAnyKeywordArgumentPosition()
 
@@ -590,11 +594,15 @@ private module Cached {
     THashSplatParameterPosition() or
     TSynthHashSplatParameterPosition() or
     TSplatParameterPosition(int pos) {
-      pos = 0
+      pos = 0 // needed for flow summaries
       or
       exists(Parameter p | p.getPosition() = pos and p instanceof SplatParameter)
     } or
-    TSynthSplatParameterPosition() or
+    TSynthSplatParameterPosition(int actualSplatPos) {
+      actualSplatPos = -1 // represents no actual splat
+      or
+      exists(Callable c | c.getParameter(actualSplatPos) instanceof SplatParameter)
+    } or
     TAnyParameterPosition() or
     TAnyKeywordParameterPosition()
 }
@@ -1383,8 +1391,14 @@ class ParameterPosition extends TParameterPosition {
   /** Holds if this position represents a splat parameter at position `n`. */
   predicate isSplat(int n) { this = TSplatParameterPosition(n) }
 
-  /** Holds if this position represents a synthetic splat parameter. */
-  predicate isSynthSplat() { this = TSynthSplatParameterPosition() }
+  /**
+   * Holds if this position represents a synthetic splat parameter.
+   *
+   * `actualSplatPos` indicates the position of the (unique) actual splat
+   * parameter belonging to the same method, with `-1` representing no actual
+   * splat parameter.
+   */
+  predicate isSynthSplat(int actualSplatPos) { this = TSynthSplatParameterPosition(actualSplatPos) }
 
   /**
    * Holds if this position represents any parameter, except `self` parameters. This
@@ -1419,7 +1433,11 @@ class ParameterPosition extends TParameterPosition {
     or
     exists(int pos | this.isSplat(pos) and result = "* (position " + pos + ")")
     or
-    this.isSynthSplat() and result = "synthetic *"
+    exists(int actualSplatPos, string suffix |
+      this.isSynthSplat(actualSplatPos) and
+      result = "synthetic *" + suffix and
+      if actualSplatPos = -1 then suffix = "" else suffix = " (actual at " + actualSplatPos + ")"
+    )
   }
 }
 
@@ -1458,8 +1476,14 @@ class ArgumentPosition extends TArgumentPosition {
   /** Holds if this position represents a splat argument at position `n`. */
   predicate isSplat(int n) { this = TSplatArgumentPosition(n) }
 
-  /** Holds if this position represents a synthetic splat argument. */
-  predicate isSynthSplat() { this = TSynthSplatArgumentPosition() }
+  /**
+   * Holds if this position represents a synthetic splat argument.
+   *
+   * `actualSplatPos` indicates the position of the (unique) actual splat
+   * argument belonging to the same call, with `-1` representing no actual
+   * splat argument.
+   */
+  predicate isSynthSplat(int actualSplatPos) { this = TSynthSplatArgumentPosition(actualSplatPos) }
 
   /** Gets a textual representation of this position. */
   string toString() {
@@ -1483,7 +1507,11 @@ class ArgumentPosition extends TArgumentPosition {
     or
     exists(int pos | this.isSplat(pos) and result = "* (position " + pos + ")")
     or
-    this.isSynthSplat() and result = "synthetic *"
+    exists(int actualSplatPos, string suffix |
+      this.isSynthSplat(actualSplatPos) and
+      result = "synthetic *" + suffix and
+      if actualSplatPos = -1 then suffix = "" else suffix = " (actual at " + actualSplatPos + ")"
+    )
   }
 }
 
@@ -1517,19 +1545,29 @@ predicate parameterMatch(ParameterPosition ppos, ArgumentPosition apos) {
   exists(string name | ppos.isKeyword(name) and apos.isKeyword(name))
   or
   (ppos.isHashSplat() or ppos.isSynthHashSplat()) and
-  (apos.isHashSplat() or apos.isSynthHashSplat())
+  (apos.isHashSplat() or apos.isSynthHashSplat()) and
+  // prevent synthetic hash-splat parameters from matching synthetic hash-splat
+  // arguments when direct keyword matching is possible
+  not (ppos.isSynthHashSplat() and apos.isSynthHashSplat())
   or
   exists(int pos |
     (
       ppos.isSplat(pos)
       or
-      ppos.isSynthSplat() and pos = 0
+      ppos.isSynthSplat(_) and
+      pos = 0
     ) and
     (
       apos.isSplat(pos)
       or
-      apos.isSynthSplat() and pos = 0
+      apos.isSynthSplat(_) and pos = 0
     )
+  ) and
+  // prevent synthetic splat parameters from matching synthetic splat arguments
+  // when direct positional matching is possible
+  not exists(int actualSplatPos |
+    ppos.isSynthSplat(actualSplatPos) and
+    apos.isSynthSplat(actualSplatPos)
   )
   or
   ppos.isAny() and argumentPositionIsNotSelf(apos)

ruby/ql/lib/codeql/ruby/dataflow/internal/DataFlowPrivate.qll

@@ -195,7 +195,9 @@ private class Argument extends CfgNodes::ExprCfgNode {
       not this.getExpr().(Pair).getKey().getConstantValue().isSymbol(_) and
       not this.getExpr() instanceof HashSplatExpr and
       not this.getExpr() instanceof SplatExpr and
-      arg.isPositional(i)
+      arg.isPositional(i) and
+      // There are no splat arguments before the positional argument
+      not splatArgumentAt(call, any(int j | j < i))
     )
     or
     exists(CfgNodes::ExprNodes::PairCfgNode p |
@@ -217,7 +219,9 @@ private class Argument extends CfgNodes::ExprCfgNode {
     exists(int pos |
       this = call.getArgument(pos) and
       this.getExpr() instanceof SplatExpr and
-      arg.isSplat(pos)
+      arg.isSplat(pos) and
+      // There are no earlier splat arguments
+      not splatArgumentAt(call, any(int j | j < pos))
     )
     or
     this = call.getAnArgument() and
@@ -432,7 +436,7 @@ private predicate splatParameterAt(Callable c, int pos) {
 }
 
 private predicate splatArgumentAt(CfgNodes::ExprNodes::CallCfgNode c, int pos) {
-  exists(Argument arg, ArgumentPosition apos | arg.isArgumentOf(c, apos) and apos.isSplat(pos))
+  c.getArgument(pos).getExpr() instanceof SplatExpr
 }
 
 /** A collection of cached types and predicates to be evaluated in the same stage. */
@@ -661,8 +665,8 @@ private module Cached {
         name = [input, output].regexpFind("(?<=(^|\\.)Field\\[)[^\\]]+(?=\\])", _, _).trim()
       )
     } or
-    TSplatContent(int i, Boolean shifted) { i in [0 .. 10] } or
-    THashSplatContent(ConstantValue::ConstantSymbolValue cv) or
+    deprecated TSplatContent(int i, Boolean shifted) { i in [0 .. 10] } or
+    deprecated THashSplatContent(ConstantValue::ConstantSymbolValue cv) or
     TCapturedVariableContent(VariableCapture::CapturedVariable v) or
     // Only used by type-tracking
     TAttributeName(string name) { name = any(SetterMethodCall c).getTargetName() }
@@ -686,29 +690,16 @@ private module Cached {
     TUnknownElementContentApprox() or
     TKnownIntegerElementContentApprox() or
     TKnownElementContentApprox(string approx) { approx = approxKnownElementIndex(_) } or
-    TSplatContentApprox(Boolean shifted) or
-    THashSplatContentApprox(string approx) { approx = approxKnownElementIndex(_) } or
     TNonElementContentApprox(Content c) { not c instanceof Content::ElementContent } or
     TCapturedVariableContentApprox(VariableCapture::CapturedVariable v)
 
   cached
   newtype TDataFlowType =
     TLambdaDataFlowType(Callable c) { c = any(LambdaSelfReferenceNode n).getCallable() } or
-    // In order to reduce the set of cons-candidates, we annotate all implicit (hash) splat
-    // creations with the name of the method that they are passed into. This includes
-    // array/hash literals as well (where the name is simply `[]`), because of how they
-    // are modeled (see `Array.qll` and `Hash.qll`).
-    TSynthHashSplatArgumentType(string methodName) {
-      methodName = any(SynthHashSplatArgumentNode n).getMethodName()
-    } or
-    TSynthSplatArgumentType(string methodName) {
-      methodName = any(SynthSplatArgumentNode n).getMethodName()
-    } or
     TUnknownDataFlowType()
 }
 
-class TElementContent =
-  TKnownElementContent or TUnknownElementContent or TSplatContent or THashSplatContent;
+class TElementContent = TKnownElementContent or TUnknownElementContent;
 
 import Cached
 
@@ -933,7 +924,12 @@ private module ParameterNodes {
 
     override predicate isParameterOf(DataFlowCallable c, ParameterPosition pos) {
       exists(Callable callable | callable = c.asCfgScope() |
-        exists(int i | pos.isPositional(i) and callable.getParameter(i) = parameter |
+        exists(int i |
+          pos.isPositional(i) and
+          callable.getParameter(i) = parameter and
+          // There are no splat parameters before the positional parameter
+          not splatParameterAt(callable, any(int m | m < i))
+        |
           parameter instanceof SimpleParameter
           or
           parameter instanceof OptionalParameter
@@ -952,7 +948,9 @@ private module ParameterNodes {
           parameter = callable.getParameter(n).(SplatParameter) and
           pos.isSplat(n) and
           // There are no positional parameters after the splat
-          not exists(SimpleParameter p, int m | m > n | p = callable.getParameter(m))
+          not exists(SimpleParameter p, int m | m > n | p = callable.getParameter(m)) and
+          // There are no earlier splat parameters
+          not splatParameterAt(callable, any(int m | m < n))
         )
         or
         parameter = callable.getAParameter().(BlockParameter) and
@@ -1123,18 +1121,6 @@ private module ParameterNodes {
    *
    * by adding read steps out of the synthesized parameter node to the relevant
    * keyword parameters.
-   *
-   * In order to avoid redundancy (and improve performance) in cases like
-   *
-   * ```rb
-   * foo(p1: taint(1), p2: taint(2))
-   * ```
-   *
-   * where direct keyword matching is possible, we use a special `HashSplatContent`
-   * (instead of reusing `KnownElementContent`) when we construct a synthesized hash
-   * splat argument (`SynthHashSplatArgumentNode`) at the call site, and then only
-   * add read steps out of this node for actual hash-splat arguments (which will use
-   * a normal `KnownElementContent`).
    */
   class SynthHashSplatParameterNode extends ParameterNodeImpl, TSynthHashSplatParameterNode {
     private DataFlowCallable callable;
@@ -1188,18 +1174,6 @@ private module ParameterNodes {
    * by adding read steps out of the synthesized parameter node to the relevant
    * positional parameters.
    *
-   * In order to avoid redundancy (and improve performance) in cases like
-   *
-   * ```rb
-   * foo(a, b, c)
-   * ```
-   *
-   * where direct positional matching is possible, we use a special `SplatContent`
-   * (instead of reusing `KnownElementContent`) when we construct a synthesized
-   * splat argument (`SynthSplatArgumentNode`) at the call site, and then only
-   * add read steps out of this node for actual splat arguments (which will use
-   * `KnownElementContent` or `TSplatContent(_, true)`).
-   *
    * We don't yet correctly handle cases where a positional argument follows the
    * splat argument, e.g. in
    *
@@ -1217,12 +1191,8 @@ private module ParameterNodes {
     /** Holds if a read-step should be added into parameter `p`. */
     predicate readInto(ParameterNode p, ContentSet c) {
       exists(int n |
-        isParameterNode(p, callable, any(ParameterPosition pos | pos.isPositional(n))) and
-        not exists(int i | splatParameterAt(callable.asCfgScope(), i) and i < n)
+        isParameterNode(p, callable, any(ParameterPosition pos | pos.isPositional(n)))
       |
-        // Important: do not include `TSplatContent(_, false)` here, as normal parameter matching is possible
-        c = getSplatContent(n, true)
-        or
         c = getArrayContent(n)
         or
         c.isSingleton(TUnknownElementContent())
@@ -1232,7 +1202,13 @@ private module ParameterNodes {
     final override Parameter getParameter() { none() }
 
     final override predicate isParameterOf(DataFlowCallable c, ParameterPosition pos) {
-      c = callable and pos.isSynthSplat()
+      c = callable and
+      exists(int actualSplat | pos.isSynthSplat(actualSplat) |
+        exists(TSynthSplatParameterShiftNode(c, actualSplat, _))
+        or
+        not exists(TSynthSplatParameterShiftNode(c, _, _)) and
+        actualSplat = -1
+      )
     }
 
     final override CfgScope getCfgScope() { result = callable.asCfgScope() }
@@ -1271,11 +1247,7 @@ private module ParameterNodes {
      */
     predicate readFrom(SynthSplatParameterNode synthSplat, ContentSet cs) {
       synthSplat.isParameterOf(callable, _) and
-      (
-        cs = getSplatContent(pos + splatPos, _)
-        or
-        cs = getArrayContent(pos + splatPos)
-      )
+      cs = getArrayContent(pos + splatPos)
     }
 
     /**
@@ -1454,24 +1426,7 @@ module ArgumentNodes {
         not cv.isSymbol(_)
       )
     |
-      if call instanceof CfgNodes::ExprNodes::HashLiteralCfgNode
-      then
-        /*
-         * Needed for cases like
-         *
-         * ```rb
-         * hash = { a: taint, b: safe }
-         *
-         * def foo(a:, b:)
-         *   sink(a)
-         * end
-         *
-         * foo(**hash)
-         * ```
-         */
-
-        c.isSingleton(Content::getElementContent(cv))
-      else c.isSingleton(THashSplatContent(cv))
+      c.isSingleton(Content::getElementContent(cv))
     )
   }
 
@@ -1506,31 +1461,10 @@ module ArgumentNodes {
    * `call`, into a synthetic splat argument.
    */
   predicate synthSplatStore(CfgNodes::ExprNodes::CallCfgNode call, Argument arg, ContentSet c) {
-    exists(int n |
-      exists(ArgumentPosition pos |
-        arg.isArgumentOf(call, pos) and
-        pos.isPositional(n) and
-        not exists(int i | splatArgumentAt(call, i) and i < n)
-      )
-    |
-      if call instanceof CfgNodes::ExprNodes::ArrayLiteralCfgNode
-      then
-        /*
-         * Needed for cases like
-         *
-         * ```rb
-         * arr = [taint, safe]
-         *
-         * def foo(a, b)
-         *   sink(a)
-         * end
-         *
-         * foo(*arr)
-         * ```
-         */
-
-        c = getArrayContent(n)
-      else c = getSplatContent(n, false)
+    exists(int n, ArgumentPosition pos |
+      arg.isArgumentOf(call, pos) and
+      pos.isPositional(n) and
+      c = getArrayContent(n)
     )
   }
 
@@ -1552,7 +1486,14 @@ module ArgumentNodes {
 
     override predicate sourceArgumentOf(CfgNodes::ExprNodes::CallCfgNode call, ArgumentPosition pos) {
       call = call_ and
-      pos.isSynthSplat()
+      exists(int actualSplat | pos.isSynthSplat(actualSplat) |
+        any(SynthSplatArgumentShiftNode shift |
+          shift = TSynthSplatArgumentShiftNode(_, actualSplat, _)
+        ).storeInto(this, _)
+        or
+        not any(SynthSplatArgumentShiftNode shift).storeInto(this, _) and
+        actualSplat = -1
+      )
     }
 
     override string toStringImpl() { result = "synthetic splat argument" }
@@ -1583,8 +1524,6 @@ module ArgumentNodes {
     predicate readFrom(Node splatArg, ContentSet cs) {
       splatArg.asExpr().(Argument).isArgumentOf(c, any(ArgumentPosition p | p.isSplat(splatPos))) and
       (
-        cs = getSplatContent(n - splatPos, _)
-        or
         cs = getArrayContent(n - splatPos)
         or
         n = -1 and
@@ -1599,7 +1538,7 @@ module ArgumentNodes {
     predicate storeInto(SynthSplatArgumentNode synthSplat, ContentSet cs) {
       synthSplat = TSynthSplatArgumentNode(c) and
       (
-        cs = getSplatContent(n, true)
+        cs = getArrayContent(n)
         or
         n = -1 and
         cs.isSingleton(TUnknownElementContent())
@@ -1813,10 +1752,6 @@ private ContentSet getArrayContent(int n) {
   )
 }
 
-private ContentSet getSplatContent(int n, boolean adjusted) {
-  result.isSingleton(TSplatContent(n, adjusted))
-}
-
 /**
  * Subset of `storeStep` that should be shared with type-tracking.
  */
@@ -1977,13 +1912,8 @@ DataFlowType getNodeType(Node n) {
     result = TLambdaDataFlowType(c)
   )
   or
-  result = TSynthHashSplatArgumentType(n.(SynthHashSplatArgumentNode).getMethodName())
-  or
-  result = TSynthSplatArgumentType(n.(SynthSplatArgumentNode).getMethodName())
-  or
   not n instanceof LambdaSelfReferenceNode and
   not mustHaveLambdaType(n, _) and
-  not n instanceof SynthHashSplatOrSplatArgumentNode and
   result = TUnknownDataFlowType()
 }
 
@@ -2209,17 +2139,6 @@ class ContentApprox extends TContentApprox {
       result = "approximated element " + approx
     )
     or
-    exists(boolean shifted, string s |
-      this = TSplatContentApprox(shifted) and
-      (if shifted = true then s = " (shifted)" else s = "") and
-      result = "approximated splat position" + s
-    )
-    or
-    exists(string s |
-      this = THashSplatContentApprox(s) and
-      result = "approximated hash-splat position " + s
-    )
-    or
     exists(Content c |
       this = TNonElementContentApprox(c) and
       result = c.toString()
@@ -2259,13 +2178,6 @@ ContentApprox getContentApprox(Content c) {
   result =
     TKnownElementContentApprox(approxKnownElementIndex(c.(Content::KnownElementContent).getIndex()))
   or
-  exists(boolean shifted |
-    c = TSplatContent(_, shifted) and
-    result = TSplatContentApprox(shifted)
-  )
-  or
-  result = THashSplatContentApprox(approxKnownElementIndex(c.(Content::HashSplatContent).getKey()))
-  or
   result = TNonElementContentApprox(c)
 }
 

ruby/ql/lib/codeql/ruby/dataflow/internal/DataFlowPublic.qll

@@ -586,7 +586,7 @@ module Content {
    *
    * we have an implicit splat argument containing `[1, 2, 3]`.
    */
-  class SplatContent extends ElementContent, TSplatContent {
+  deprecated class SplatContent extends Content, TSplatContent {
     private int i;
     private boolean shifted;
 
@@ -629,7 +629,7 @@ module Content {
    *
    * we have an implicit hash-splat argument containing `{:a => 1, :b => 2, :c => 3}`.
    */
-  class HashSplatContent extends ElementContent, THashSplatContent {
+  deprecated class HashSplatContent extends Content, THashSplatContent {
     private ConstantValue::ConstantSymbolValue cv;
 
     HashSplatContent() { this = THashSplatContent(cv) }
@@ -797,20 +797,13 @@ class ContentSet extends TContentSet {
   private Content getAnElementReadContent() {
     exists(Content::KnownElementContent c | this.isKnownOrUnknownElement(c) |
       result = c or
-      result = TSplatContent(c.getIndex().getInt(), _) or
-      result = THashSplatContent(c.getIndex()) or
       result = TUnknownElementContent()
     )
     or
     exists(int lower, boolean includeUnknown |
       this = TElementLowerBoundContent(lower, includeUnknown)
     |
-      exists(int i |
-        result.(Content::KnownElementContent).getIndex().isInt(i) or
-        result = TSplatContent(i, _)
-      |
-        i >= lower
-      )
+      exists(int i | result.(Content::KnownElementContent).getIndex().isInt(i) | i >= lower)
       or
       includeUnknown = true and
       result = TUnknownElementContent()
@@ -821,11 +814,6 @@ class ContentSet extends TContentSet {
     |
       type = result.(Content::KnownElementContent).getIndex().getValueType()
       or
-      type = "int" and
-      result instanceof Content::SplatContent
-      or
-      type = result.(Content::HashSplatContent).getKey().getValueType()
-      or
       includeUnknown = true and
       result = TUnknownElementContent()
     )

ruby/ql/test/library-tests/dataflow/api-graphs/VerifyApiGraphExpectations.expected

@@ -1,2 +1,2 @@
-failures
 testFailures
+failures

ruby/ql/test/library-tests/dataflow/array-flow/array-flow.expected

@@ -2356,6 +2356,16 @@ edges
 | array_flow.rb:1686:14:1686:14 | w | array_flow.rb:1690:10:1690:10 | w | provenance |  |
 | array_flow.rb:1686:18:1686:18 | a [element 2] | array_flow.rb:1686:11:1686:11 | z | provenance |  |
 | array_flow.rb:1686:18:1686:18 | a [element 3] | array_flow.rb:1686:14:1686:14 | w | provenance |  |
+| array_flow.rb:1693:10:1693:14 | *args [element 1] | array_flow.rb:1694:17:1694:20 | args [element 1] | provenance |  |
+| array_flow.rb:1694:16:1694:20 | * ... [element 1] | array_flow.rb:1694:5:1694:21 | call to [] [element 1] | provenance |  |
+| array_flow.rb:1694:17:1694:20 | args [element 1] | array_flow.rb:1694:16:1694:20 | * ... [element 1] | provenance |  |
+| array_flow.rb:1697:13:1697:13 | y | array_flow.rb:1699:10:1699:10 | y | provenance |  |
+| array_flow.rb:1704:5:1704:5 | a [element 1] | array_flow.rb:1705:11:1705:11 | a [element 1] | provenance |  |
+| array_flow.rb:1704:9:1704:31 | call to m141 [element 1] | array_flow.rb:1704:5:1704:5 | a [element 1] | provenance |  |
+| array_flow.rb:1704:17:1704:27 | call to source | array_flow.rb:1693:10:1693:14 | *args [element 1] | provenance |  |
+| array_flow.rb:1704:17:1704:27 | call to source | array_flow.rb:1704:9:1704:31 | call to m141 [element 1] | provenance |  |
+| array_flow.rb:1705:10:1705:11 | * ... [element 1] | array_flow.rb:1697:13:1697:13 | y | provenance |  |
+| array_flow.rb:1705:11:1705:11 | a [element 1] | array_flow.rb:1705:10:1705:11 | * ... [element 1] | provenance |  |
 nodes
 | array_flow.rb:2:5:2:5 | a [element 0] | semmle.label | a [element 0] |
 | array_flow.rb:2:9:2:20 | * ... [element 0] | semmle.label | * ... [element 0] |
@@ -4849,11 +4859,23 @@ nodes
 | array_flow.rb:1686:18:1686:18 | a [element 3] | semmle.label | a [element 3] |
 | array_flow.rb:1689:10:1689:10 | z | semmle.label | z |
 | array_flow.rb:1690:10:1690:10 | w | semmle.label | w |
+| array_flow.rb:1693:10:1693:14 | *args [element 1] | semmle.label | *args [element 1] |
+| array_flow.rb:1694:5:1694:21 | call to [] [element 1] | semmle.label | call to [] [element 1] |
+| array_flow.rb:1694:16:1694:20 | * ... [element 1] | semmle.label | * ... [element 1] |
+| array_flow.rb:1694:17:1694:20 | args [element 1] | semmle.label | args [element 1] |
+| array_flow.rb:1697:13:1697:13 | y | semmle.label | y |
+| array_flow.rb:1699:10:1699:10 | y | semmle.label | y |
+| array_flow.rb:1704:5:1704:5 | a [element 1] | semmle.label | a [element 1] |
+| array_flow.rb:1704:9:1704:31 | call to m141 [element 1] | semmle.label | call to m141 [element 1] |
+| array_flow.rb:1704:17:1704:27 | call to source | semmle.label | call to source |
+| array_flow.rb:1705:10:1705:11 | * ... [element 1] | semmle.label | * ... [element 1] |
+| array_flow.rb:1705:11:1705:11 | a [element 1] | semmle.label | a [element 1] |
 subpaths
 | array_flow.rb:251:9:251:9 | a [element 2] | array_flow.rb:251:30:251:30 | x | array_flow.rb:253:9:253:25 | call to [] [element 0] | array_flow.rb:251:9:254:7 | call to collect_concat [element] |
 | array_flow.rb:507:9:507:9 | a [element 3] | array_flow.rb:507:26:507:26 | x | array_flow.rb:509:9:509:9 | x | array_flow.rb:507:9:510:7 | call to filter_map [element] |
 | array_flow.rb:571:9:571:9 | a [element 2] | array_flow.rb:571:24:571:24 | x | array_flow.rb:573:9:573:25 | call to [] [element 0] | array_flow.rb:571:9:574:7 | call to flat_map [element] |
 | array_flow.rb:1678:9:1678:9 | a [element 2] | array_flow.rb:1678:19:1678:19 | x | array_flow.rb:1679:9:1679:9 | x | array_flow.rb:1678:9:1680:7 | call to map [element] |
+| array_flow.rb:1704:17:1704:27 | call to source | array_flow.rb:1693:10:1693:14 | *args [element 1] | array_flow.rb:1694:5:1694:21 | call to [] [element 1] | array_flow.rb:1704:9:1704:31 | call to m141 [element 1] |
 testFailures
 arrayLiteral
 | array_flow.rb:9:9:9:25 | call to [] |
@@ -5046,6 +5068,7 @@ arrayLiteral
 | array_flow.rb:1668:14:1668:41 | ...[...] |
 | array_flow.rb:1677:9:1677:29 | call to [] |
 | array_flow.rb:1685:9:1685:44 | call to [] |
+| array_flow.rb:1694:5:1694:21 | call to [] |
 #select
 | array_flow.rb:3:10:3:13 | ...[...] | array_flow.rb:2:10:2:20 | call to source | array_flow.rb:3:10:3:13 | ...[...] | $@ | array_flow.rb:2:10:2:20 | call to source | call to source |
 | array_flow.rb:5:10:5:13 | ...[...] | array_flow.rb:2:10:2:20 | call to source | array_flow.rb:5:10:5:13 | ...[...] | $@ | array_flow.rb:2:10:2:20 | call to source | call to source |
@@ -5749,3 +5772,4 @@ arrayLiteral
 | array_flow.rb:1681:10:1681:13 | ...[...] | array_flow.rb:1677:16:1677:28 | call to source | array_flow.rb:1681:10:1681:13 | ...[...] | $@ | array_flow.rb:1677:16:1677:28 | call to source | call to source |
 | array_flow.rb:1689:10:1689:10 | z | array_flow.rb:1685:16:1685:28 | call to source | array_flow.rb:1689:10:1689:10 | z | $@ | array_flow.rb:1685:16:1685:28 | call to source | call to source |
 | array_flow.rb:1690:10:1690:10 | w | array_flow.rb:1685:31:1685:43 | call to source | array_flow.rb:1690:10:1690:10 | w | $@ | array_flow.rb:1685:31:1685:43 | call to source | call to source |
+| array_flow.rb:1699:10:1699:10 | y | array_flow.rb:1704:17:1704:27 | call to source | array_flow.rb:1699:10:1699:10 | y | $@ | array_flow.rb:1704:17:1704:27 | call to source | call to source |

ruby/ql/test/library-tests/dataflow/array-flow/array_flow.rb

@@ -1689,3 +1689,18 @@ def m140
     sink z # $ hasValueFlow=140.1
     sink w # $ hasValueFlow=140.2
 end
+
+def m141(*args)
+    ::Array.[](*args)
+end
+
+def m142(x, y, z)
+    sink(x)
+    sink(y) # $ hasValueFlow=143
+    sink(z)
+end
+
+def m143
+    a = m141(0, source(143), 1)
+    m142(*a)
+end

ruby/ql/test/library-tests/dataflow/array-flow/type-tracking-array-flow.expected

@@ -64,4 +64,5 @@ testFailures
 | array_flow.rb:1626:19:1626:70 | # $ hasValueFlow=136.2 $ SPURIOUS hasValueFlow=136.1 | Missing result:hasValueFlow=136.1 |
 | array_flow.rb:1626:19:1626:70 | # $ hasValueFlow=136.2 $ SPURIOUS hasValueFlow=136.1 | Missing result:hasValueFlow=136.2 |
 | array_flow.rb:1627:19:1627:40 | # $ hasValueFlow=136.1 | Missing result:hasValueFlow=136.1 |
+| array_flow.rb:1699:13:1699:32 | # $ hasValueFlow=143 | Missing result:hasValueFlow=143 |
 failures

ruby/ql/test/library-tests/dataflow/flow-summaries/semantics.expected

@@ -78,14 +78,14 @@ edges
 | semantics.rb:60:5:60:5 | a | semantics.rb:66:14:66:15 | &... | provenance |  |
 | semantics.rb:60:9:60:18 | call to source | semantics.rb:60:5:60:5 | a | provenance |  |
 | semantics.rb:60:9:60:18 | call to source | semantics.rb:60:5:60:5 | a | provenance |  |
-| semantics.rb:61:10:61:15 | call to s10 [splat position 0] | semantics.rb:61:10:61:15 | call to s10 | provenance |  |
+| semantics.rb:61:10:61:15 | call to s10 [element 0] | semantics.rb:61:10:61:15 | call to s10 | provenance |  |
 | semantics.rb:61:14:61:14 | a | semantics.rb:61:10:61:15 | call to s10 | provenance |  |
 | semantics.rb:61:14:61:14 | a | semantics.rb:61:10:61:15 | call to s10 | provenance |  |
-| semantics.rb:61:14:61:14 | a | semantics.rb:61:10:61:15 | call to s10 [splat position 0] | provenance |  |
-| semantics.rb:62:10:62:18 | call to s10 [splat position 1] | semantics.rb:62:10:62:18 | call to s10 | provenance |  |
+| semantics.rb:61:14:61:14 | a | semantics.rb:61:10:61:15 | call to s10 [element 0] | provenance |  |
+| semantics.rb:62:10:62:18 | call to s10 [element 1] | semantics.rb:62:10:62:18 | call to s10 | provenance |  |
 | semantics.rb:62:17:62:17 | a | semantics.rb:62:10:62:18 | call to s10 | provenance |  |
 | semantics.rb:62:17:62:17 | a | semantics.rb:62:10:62:18 | call to s10 | provenance |  |
-| semantics.rb:62:17:62:17 | a | semantics.rb:62:10:62:18 | call to s10 [splat position 1] | provenance |  |
+| semantics.rb:62:17:62:17 | a | semantics.rb:62:10:62:18 | call to s10 [element 1] | provenance |  |
 | semantics.rb:63:19:63:19 | a | semantics.rb:63:10:63:20 | call to s10 | provenance |  |
 | semantics.rb:63:19:63:19 | a | semantics.rb:63:10:63:20 | call to s10 | provenance |  |
 | semantics.rb:64:27:64:27 | a | semantics.rb:64:10:64:28 | call to s10 | provenance |  |
@@ -144,14 +144,14 @@ edges
 | semantics.rb:108:5:108:5 | b | semantics.rb:110:27:110:27 | b | provenance |  |
 | semantics.rb:108:9:108:18 | call to source | semantics.rb:108:5:108:5 | b | provenance |  |
 | semantics.rb:108:9:108:18 | call to source | semantics.rb:108:5:108:5 | b | provenance |  |
-| semantics.rb:109:10:109:28 | call to s15 [hash-splat position :foo] | semantics.rb:109:10:109:34 | ...[...] | provenance |  |
-| semantics.rb:109:10:109:28 | call to s15 [hash-splat position :foo] | semantics.rb:109:10:109:34 | ...[...] | provenance |  |
-| semantics.rb:109:19:109:19 | a | semantics.rb:109:10:109:28 | call to s15 [hash-splat position :foo] | provenance |  |
-| semantics.rb:109:19:109:19 | a | semantics.rb:109:10:109:28 | call to s15 [hash-splat position :foo] | provenance |  |
-| semantics.rb:110:10:110:28 | call to s15 [hash-splat position :bar] | semantics.rb:110:10:110:34 | ...[...] | provenance |  |
-| semantics.rb:110:10:110:28 | call to s15 [hash-splat position :bar] | semantics.rb:110:10:110:34 | ...[...] | provenance |  |
-| semantics.rb:110:27:110:27 | b | semantics.rb:110:10:110:28 | call to s15 [hash-splat position :bar] | provenance |  |
-| semantics.rb:110:27:110:27 | b | semantics.rb:110:10:110:28 | call to s15 [hash-splat position :bar] | provenance |  |
+| semantics.rb:109:10:109:28 | call to s15 [element :foo] | semantics.rb:109:10:109:34 | ...[...] | provenance |  |
+| semantics.rb:109:10:109:28 | call to s15 [element :foo] | semantics.rb:109:10:109:34 | ...[...] | provenance |  |
+| semantics.rb:109:19:109:19 | a | semantics.rb:109:10:109:28 | call to s15 [element :foo] | provenance |  |
+| semantics.rb:109:19:109:19 | a | semantics.rb:109:10:109:28 | call to s15 [element :foo] | provenance |  |
+| semantics.rb:110:10:110:28 | call to s15 [element :bar] | semantics.rb:110:10:110:34 | ...[...] | provenance |  |
+| semantics.rb:110:10:110:28 | call to s15 [element :bar] | semantics.rb:110:10:110:34 | ...[...] | provenance |  |
+| semantics.rb:110:27:110:27 | b | semantics.rb:110:10:110:28 | call to s15 [element :bar] | provenance |  |
+| semantics.rb:110:27:110:27 | b | semantics.rb:110:10:110:28 | call to s15 [element :bar] | provenance |  |
 | semantics.rb:114:5:114:5 | a | semantics.rb:116:14:116:14 | a | provenance |  |
 | semantics.rb:114:5:114:5 | a | semantics.rb:116:14:116:14 | a | provenance |  |
 | semantics.rb:114:5:114:5 | a | semantics.rb:119:17:119:17 | a | provenance |  |
@@ -192,18 +192,18 @@ edges
 | semantics.rb:126:5:126:5 | b | semantics.rb:129:17:129:17 | b | provenance |  |
 | semantics.rb:126:9:126:18 | call to source | semantics.rb:126:5:126:5 | b | provenance |  |
 | semantics.rb:126:9:126:18 | call to source | semantics.rb:126:5:126:5 | b | provenance |  |
-| semantics.rb:127:10:127:18 | call to s17 [splat position 0] | semantics.rb:127:10:127:18 | call to s17 | provenance |  |
-| semantics.rb:127:10:127:18 | call to s17 [splat position 1] | semantics.rb:127:10:127:18 | call to s17 | provenance |  |
-| semantics.rb:127:14:127:14 | a | semantics.rb:127:10:127:18 | call to s17 [splat position 0] | provenance |  |
-| semantics.rb:127:17:127:17 | b | semantics.rb:127:10:127:18 | call to s17 [splat position 1] | provenance |  |
-| semantics.rb:128:10:128:18 | call to s17 [splat position 0] | semantics.rb:128:10:128:21 | ...[...] | provenance |  |
-| semantics.rb:128:10:128:18 | call to s17 [splat position 0] | semantics.rb:128:10:128:21 | ...[...] | provenance |  |
-| semantics.rb:128:14:128:14 | a | semantics.rb:128:10:128:18 | call to s17 [splat position 0] | provenance |  |
-| semantics.rb:128:14:128:14 | a | semantics.rb:128:10:128:18 | call to s17 [splat position 0] | provenance |  |
-| semantics.rb:129:10:129:18 | call to s17 [splat position 1] | semantics.rb:129:10:129:21 | ...[...] | provenance |  |
-| semantics.rb:129:10:129:18 | call to s17 [splat position 1] | semantics.rb:129:10:129:21 | ...[...] | provenance |  |
-| semantics.rb:129:17:129:17 | b | semantics.rb:129:10:129:18 | call to s17 [splat position 1] | provenance |  |
-| semantics.rb:129:17:129:17 | b | semantics.rb:129:10:129:18 | call to s17 [splat position 1] | provenance |  |
+| semantics.rb:127:10:127:18 | call to s17 [element 0] | semantics.rb:127:10:127:18 | call to s17 | provenance |  |
+| semantics.rb:127:10:127:18 | call to s17 [element 1] | semantics.rb:127:10:127:18 | call to s17 | provenance |  |
+| semantics.rb:127:14:127:14 | a | semantics.rb:127:10:127:18 | call to s17 [element 0] | provenance |  |
+| semantics.rb:127:17:127:17 | b | semantics.rb:127:10:127:18 | call to s17 [element 1] | provenance |  |
+| semantics.rb:128:10:128:18 | call to s17 [element 0] | semantics.rb:128:10:128:21 | ...[...] | provenance |  |
+| semantics.rb:128:10:128:18 | call to s17 [element 0] | semantics.rb:128:10:128:21 | ...[...] | provenance |  |
+| semantics.rb:128:14:128:14 | a | semantics.rb:128:10:128:18 | call to s17 [element 0] | provenance |  |
+| semantics.rb:128:14:128:14 | a | semantics.rb:128:10:128:18 | call to s17 [element 0] | provenance |  |
+| semantics.rb:129:10:129:18 | call to s17 [element 1] | semantics.rb:129:10:129:21 | ...[...] | provenance |  |
+| semantics.rb:129:10:129:18 | call to s17 [element 1] | semantics.rb:129:10:129:21 | ...[...] | provenance |  |
+| semantics.rb:129:17:129:17 | b | semantics.rb:129:10:129:18 | call to s17 [element 1] | provenance |  |
+| semantics.rb:129:17:129:17 | b | semantics.rb:129:10:129:18 | call to s17 [element 1] | provenance |  |
 | semantics.rb:133:5:133:5 | a | semantics.rb:135:12:135:12 | a | provenance |  |
 | semantics.rb:133:5:133:5 | a | semantics.rb:135:12:135:12 | a | provenance |  |
 | semantics.rb:133:5:133:5 | a | semantics.rb:137:14:137:14 | a | provenance |  |
@@ -1191,12 +1191,12 @@ nodes
 | semantics.rb:60:9:60:18 | call to source | semmle.label | call to source |
 | semantics.rb:61:10:61:15 | call to s10 | semmle.label | call to s10 |
 | semantics.rb:61:10:61:15 | call to s10 | semmle.label | call to s10 |
-| semantics.rb:61:10:61:15 | call to s10 [splat position 0] | semmle.label | call to s10 [splat position 0] |
+| semantics.rb:61:10:61:15 | call to s10 [element 0] | semmle.label | call to s10 [element 0] |
 | semantics.rb:61:14:61:14 | a | semmle.label | a |
 | semantics.rb:61:14:61:14 | a | semmle.label | a |
 | semantics.rb:62:10:62:18 | call to s10 | semmle.label | call to s10 |
 | semantics.rb:62:10:62:18 | call to s10 | semmle.label | call to s10 |
-| semantics.rb:62:10:62:18 | call to s10 [splat position 1] | semmle.label | call to s10 [splat position 1] |
+| semantics.rb:62:10:62:18 | call to s10 [element 1] | semmle.label | call to s10 [element 1] |
 | semantics.rb:62:17:62:17 | a | semmle.label | a |
 | semantics.rb:62:17:62:17 | a | semmle.label | a |
 | semantics.rb:63:10:63:20 | call to s10 | semmle.label | call to s10 |
@@ -1269,14 +1269,14 @@ nodes
 | semantics.rb:108:5:108:5 | b | semmle.label | b |
 | semantics.rb:108:9:108:18 | call to source | semmle.label | call to source |
 | semantics.rb:108:9:108:18 | call to source | semmle.label | call to source |
-| semantics.rb:109:10:109:28 | call to s15 [hash-splat position :foo] | semmle.label | call to s15 [hash-splat position :foo] |
-| semantics.rb:109:10:109:28 | call to s15 [hash-splat position :foo] | semmle.label | call to s15 [hash-splat position :foo] |
+| semantics.rb:109:10:109:28 | call to s15 [element :foo] | semmle.label | call to s15 [element :foo] |
+| semantics.rb:109:10:109:28 | call to s15 [element :foo] | semmle.label | call to s15 [element :foo] |
 | semantics.rb:109:10:109:34 | ...[...] | semmle.label | ...[...] |
 | semantics.rb:109:10:109:34 | ...[...] | semmle.label | ...[...] |
 | semantics.rb:109:19:109:19 | a | semmle.label | a |
 | semantics.rb:109:19:109:19 | a | semmle.label | a |
-| semantics.rb:110:10:110:28 | call to s15 [hash-splat position :bar] | semmle.label | call to s15 [hash-splat position :bar] |
-| semantics.rb:110:10:110:28 | call to s15 [hash-splat position :bar] | semmle.label | call to s15 [hash-splat position :bar] |
+| semantics.rb:110:10:110:28 | call to s15 [element :bar] | semmle.label | call to s15 [element :bar] |
+| semantics.rb:110:10:110:28 | call to s15 [element :bar] | semmle.label | call to s15 [element :bar] |
 | semantics.rb:110:10:110:34 | ...[...] | semmle.label | ...[...] |
 | semantics.rb:110:10:110:34 | ...[...] | semmle.label | ...[...] |
 | semantics.rb:110:27:110:27 | b | semmle.label | b |
@@ -1322,18 +1322,18 @@ nodes
 | semantics.rb:126:9:126:18 | call to source | semmle.label | call to source |
 | semantics.rb:126:9:126:18 | call to source | semmle.label | call to source |
 | semantics.rb:127:10:127:18 | call to s17 | semmle.label | call to s17 |
-| semantics.rb:127:10:127:18 | call to s17 [splat position 0] | semmle.label | call to s17 [splat position 0] |
-| semantics.rb:127:10:127:18 | call to s17 [splat position 1] | semmle.label | call to s17 [splat position 1] |
+| semantics.rb:127:10:127:18 | call to s17 [element 0] | semmle.label | call to s17 [element 0] |
+| semantics.rb:127:10:127:18 | call to s17 [element 1] | semmle.label | call to s17 [element 1] |
 | semantics.rb:127:14:127:14 | a | semmle.label | a |
 | semantics.rb:127:17:127:17 | b | semmle.label | b |
-| semantics.rb:128:10:128:18 | call to s17 [splat position 0] | semmle.label | call to s17 [splat position 0] |
-| semantics.rb:128:10:128:18 | call to s17 [splat position 0] | semmle.label | call to s17 [splat position 0] |
+| semantics.rb:128:10:128:18 | call to s17 [element 0] | semmle.label | call to s17 [element 0] |
+| semantics.rb:128:10:128:18 | call to s17 [element 0] | semmle.label | call to s17 [element 0] |
 | semantics.rb:128:10:128:21 | ...[...] | semmle.label | ...[...] |
 | semantics.rb:128:10:128:21 | ...[...] | semmle.label | ...[...] |
 | semantics.rb:128:14:128:14 | a | semmle.label | a |
 | semantics.rb:128:14:128:14 | a | semmle.label | a |
-| semantics.rb:129:10:129:18 | call to s17 [splat position 1] | semmle.label | call to s17 [splat position 1] |
-| semantics.rb:129:10:129:18 | call to s17 [splat position 1] | semmle.label | call to s17 [splat position 1] |
+| semantics.rb:129:10:129:18 | call to s17 [element 1] | semmle.label | call to s17 [element 1] |
+| semantics.rb:129:10:129:18 | call to s17 [element 1] | semmle.label | call to s17 [element 1] |
 | semantics.rb:129:10:129:21 | ...[...] | semmle.label | ...[...] |
 | semantics.rb:129:10:129:21 | ...[...] | semmle.label | ...[...] |
 | semantics.rb:129:17:129:17 | b | semmle.label | b |

ruby/ql/test/library-tests/dataflow/params/TypeTracker.expected

@@ -69,10 +69,10 @@ def splatstuff(*x)
 def splatmid(x, y, *z, w, r)
     sink x # $ hasValueFlow=27 $ hasValueFlow=32 $ hasValueFlow=45
     sink y # $ hasValueFlow=28 $ hasValueFlow=46 $ hasValueFlow=33
-    sink z[0] # MISSING: $ hasValueFlow=47 $ hasValueFlow=29 $ hasValueFlow=34
+    sink z[0] # $ MISSING: hasValueFlow=47 $ hasValueFlow=29 $ hasValueFlow=34
     sink z[1] # $ MISSING: hasValueFlow=48 $ hasValueFlow=35
-    sink w # $ hasValueFlow=30 $ hasValueFlow=50 $ MISSING: hasValueFlow=36
-    sink r # $ hasValueFlow=31 $ hasValueFlow=51 $ MISSING: hasValueFlow=37
+    sink w # $ MISSING: hasValueFlow=30 $ hasValueFlow=50 $ hasValueFlow=36
+    sink r # $ MISSING: hasValueFlow=31 $ hasValueFlow=51 $ hasValueFlow=37
 end
 
 splatmid(taint(27), taint(28), taint(29), taint(30), taint(31))
@@ -82,9 +82,9 @@ def splatmid(x, y, *z, w, r)
 
 def pos_many(t, u, v, w, x, y, z)
     sink t # $ hasValueFlow=38 $ hasValueFlow=66
-    sink u # $ hasValueFlow=39 $ hasValueFlow=67 $ SPURIOUS: hasValueFlow=68
+    sink u # $ hasValueFlow=39 $ hasValueFlow=67
     sink v # $ hasValueFlow=40
-    sink w # $ hasValueFlow=41 $ SPURIOUS: hasValueFlow=44
+    sink w # $ hasValueFlow=41
     sink x # $ hasValueFlow=42
     sink y # $ hasValueFlow=43
     sink z # $ MISSING: hasValueFlow=44
@@ -99,7 +99,7 @@ def splatmidsmall(a, *splats, b)
     sink a # $ hasValueFlow=52 $ hasValueFlow=55
     sink splats[0] # $ MISSING: hasValueFlow=53
     sink splats[1]
-    sink b # $ hasValueFlow=57 $ MISSING: hasValueFlow=54
+    sink b # $ MISSING: hasValueFlow=57 $ hasValueFlow=54
 end
 
 splatmidsmall(taint(52), *[taint(53), taint(54)])

ruby/ql/test/library-tests/dataflow/params/params-flow.expected

@@ -67,21 +67,21 @@ edges
 | params_flow.rb:107:10:107:33 | call to values_at [element 0] | params_flow.rb:107:10:107:33 | call to values_at | provenance |  |
 | params_flow.rb:107:10:107:33 | call to values_at [element 1] | params_flow.rb:107:10:107:33 | call to values_at | provenance |  |
 | params_flow.rb:111:10:111:15 | call to params | params_flow.rb:111:10:111:29 | call to merge | provenance |  |
-| params_flow.rb:112:10:112:29 | call to merge [splat position 0] | params_flow.rb:112:10:112:29 | call to merge | provenance |  |
+| params_flow.rb:112:10:112:29 | call to merge [element 0] | params_flow.rb:112:10:112:29 | call to merge | provenance |  |
 | params_flow.rb:112:23:112:28 | call to params | params_flow.rb:112:10:112:29 | call to merge | provenance |  |
-| params_flow.rb:112:23:112:28 | call to params | params_flow.rb:112:10:112:29 | call to merge [splat position 0] | provenance |  |
+| params_flow.rb:112:23:112:28 | call to params | params_flow.rb:112:10:112:29 | call to merge [element 0] | provenance |  |
 | params_flow.rb:116:10:116:15 | call to params | params_flow.rb:116:10:116:37 | call to reverse_merge | provenance |  |
 | params_flow.rb:117:31:117:36 | call to params | params_flow.rb:117:10:117:37 | call to reverse_merge | provenance |  |
 | params_flow.rb:121:10:121:15 | call to params | params_flow.rb:121:10:121:43 | call to with_defaults | provenance |  |
 | params_flow.rb:122:31:122:36 | call to params | params_flow.rb:122:10:122:37 | call to with_defaults | provenance |  |
 | params_flow.rb:126:10:126:15 | call to params | params_flow.rb:126:10:126:30 | call to merge! | provenance |  |
-| params_flow.rb:127:10:127:30 | call to merge! [splat position 0] | params_flow.rb:127:10:127:30 | call to merge! | provenance |  |
+| params_flow.rb:127:10:127:30 | call to merge! [element 0] | params_flow.rb:127:10:127:30 | call to merge! | provenance |  |
 | params_flow.rb:127:24:127:29 | call to params | params_flow.rb:127:10:127:30 | call to merge! | provenance |  |
-| params_flow.rb:127:24:127:29 | call to params | params_flow.rb:127:10:127:30 | call to merge! [splat position 0] | provenance |  |
+| params_flow.rb:127:24:127:29 | call to params | params_flow.rb:127:10:127:30 | call to merge! [element 0] | provenance |  |
 | params_flow.rb:130:5:130:5 | [post] p | params_flow.rb:131:10:131:10 | p | provenance |  |
-| params_flow.rb:130:5:130:5 | [post] p [splat position 0] | params_flow.rb:131:10:131:10 | p | provenance |  |
+| params_flow.rb:130:5:130:5 | [post] p [element 0] | params_flow.rb:131:10:131:10 | p | provenance |  |
 | params_flow.rb:130:14:130:19 | call to params | params_flow.rb:130:5:130:5 | [post] p | provenance |  |
-| params_flow.rb:130:14:130:19 | call to params | params_flow.rb:130:5:130:5 | [post] p [splat position 0] | provenance |  |
+| params_flow.rb:130:14:130:19 | call to params | params_flow.rb:130:5:130:5 | [post] p [element 0] | provenance |  |
 | params_flow.rb:135:10:135:15 | call to params | params_flow.rb:135:10:135:38 | call to reverse_merge! | provenance |  |
 | params_flow.rb:136:32:136:37 | call to params | params_flow.rb:136:10:136:38 | call to reverse_merge! | provenance |  |
 | params_flow.rb:139:5:139:5 | [post] p | params_flow.rb:140:10:140:10 | p | provenance |  |
@@ -213,7 +213,7 @@ nodes
 | params_flow.rb:111:10:111:15 | call to params | semmle.label | call to params |
 | params_flow.rb:111:10:111:29 | call to merge | semmle.label | call to merge |
 | params_flow.rb:112:10:112:29 | call to merge | semmle.label | call to merge |
-| params_flow.rb:112:10:112:29 | call to merge [splat position 0] | semmle.label | call to merge [splat position 0] |
+| params_flow.rb:112:10:112:29 | call to merge [element 0] | semmle.label | call to merge [element 0] |
 | params_flow.rb:112:23:112:28 | call to params | semmle.label | call to params |
 | params_flow.rb:116:10:116:15 | call to params | semmle.label | call to params |
 | params_flow.rb:116:10:116:37 | call to reverse_merge | semmle.label | call to reverse_merge |
@@ -226,10 +226,10 @@ nodes
 | params_flow.rb:126:10:126:15 | call to params | semmle.label | call to params |
 | params_flow.rb:126:10:126:30 | call to merge! | semmle.label | call to merge! |
 | params_flow.rb:127:10:127:30 | call to merge! | semmle.label | call to merge! |
-| params_flow.rb:127:10:127:30 | call to merge! [splat position 0] | semmle.label | call to merge! [splat position 0] |
+| params_flow.rb:127:10:127:30 | call to merge! [element 0] | semmle.label | call to merge! [element 0] |
 | params_flow.rb:127:24:127:29 | call to params | semmle.label | call to params |
 | params_flow.rb:130:5:130:5 | [post] p | semmle.label | [post] p |
-| params_flow.rb:130:5:130:5 | [post] p [splat position 0] | semmle.label | [post] p [splat position 0] |
+| params_flow.rb:130:5:130:5 | [post] p [element 0] | semmle.label | [post] p [element 0] |
 | params_flow.rb:130:14:130:19 | call to params | semmle.label | call to params |
 | params_flow.rb:131:10:131:10 | p | semmle.label | p |
 | params_flow.rb:135:10:135:15 | call to params | semmle.label | call to params |