From f2960a7670ca241eb392dc6094993a45d73671a0 Mon Sep 17 00:00:00 2001
From: Michael Nebel <michaelnebel@github.com>
Date: Thu, 21 May 2026 13:12:24 +0200
Subject: [PATCH 1/3] C#: Extract the indexer as the call target when using
 range expressions with spans.

---
 .../Entities/Expressions/ElementAccess.cs     | 35 +++++++++++++++++--
 1 file changed, 32 insertions(+), 3 deletions(-)

diff --git a/csharp/extractor/Semmle.Extraction.CSharp/Entities/Expressions/ElementAccess.cs b/csharp/extractor/Semmle.Extraction.CSharp/Entities/Expressions/ElementAccess.cs
index 345e691a8a85..6f8321321855 100644
--- a/csharp/extractor/Semmle.Extraction.CSharp/Entities/Expressions/ElementAccess.cs
+++ b/csharp/extractor/Semmle.Extraction.CSharp/Entities/Expressions/ElementAccess.cs
@@ -1,4 +1,5 @@
 using System.IO;
+using System.Linq;
 using Microsoft.CodeAnalysis;
 using Microsoft.CodeAnalysis.CSharp.Syntax;
 using Semmle.Extraction.Kinds;
@@ -17,6 +18,35 @@ protected ElementAccess(ExpressionNodeInfo info, ExpressionSyntax qualifier, Bra
         private readonly ExpressionSyntax qualifier;
         private readonly BracketedArgumentListSyntax argumentList;
 
+
+        private IPropertySymbol? GetIndexerSymbol()
+        {
+            var symbol = Context.GetSymbolInfo(base.Syntax).Symbol;
+
+            if (symbol is IPropertySymbol { IsIndexer: true } indexer)
+                return indexer;
+
+            // In some cases, Roslyn translates the use of range expressions directly into method calls.
+            // E.g. `a[0..3]` is translated into `a.Slice(0, 3)`, if `a` is a `Span<T>`.
+            // In this case, we want to populate the indexer access as normal (as this reflects the source code more accurately).
+            if (symbol is IMethodSymbol method)
+            {
+                var indexers = method
+                    .ContainingType
+                    .GetMembers()
+                    .OfType<IPropertySymbol>()
+                    .Where(p => p.IsIndexer);
+
+                var intIndexer = indexers
+                    .Where(i => i.Parameters.Length == 1 && i.Parameters[0].Type.SpecialType == SpecialType.System_Int32)
+                    .FirstOrDefault();
+
+                return intIndexer;
+            }
+
+            return null;
+        }
+
         protected override void PopulateExpression(TextWriter trapFile)
         {
             if (Kind == ExprKind.POINTER_INDIRECTION)
@@ -32,9 +62,8 @@ protected override void PopulateExpression(TextWriter trapFile)
                 Create(Context, qualifier, this, -1);
                 PopulateArguments(trapFile, argumentList, 0);
 
-                var symbolInfo = Context.GetSymbolInfo(base.Syntax);
-
-                if (symbolInfo.Symbol is IPropertySymbol indexer)
+                var indexer = GetIndexerSymbol();
+                if (indexer is not null)
                 {
                     trapFile.expr_access(this, Indexer.Create(Context, indexer));
                 }

From f6fe07502ad263b256144b143e2df8e46278a3e8 Mon Sep 17 00:00:00 2001
From: Michael Nebel <michaelnebel@github.com>
Date: Thu, 21 May 2026 13:30:20 +0200
Subject: [PATCH 2/3] C#: Update DB quality expected test output.

---
 .../Telemetry/DatabaseQuality/IsNotOkayCall.expected          | 2 --
 .../query-tests/Telemetry/DatabaseQuality/NoTarget.expected   | 2 --
 .../ql/test/query-tests/Telemetry/DatabaseQuality/Quality.cs  | 4 ++--
 3 files changed, 2 insertions(+), 6 deletions(-)

diff --git a/csharp/ql/test/query-tests/Telemetry/DatabaseQuality/IsNotOkayCall.expected b/csharp/ql/test/query-tests/Telemetry/DatabaseQuality/IsNotOkayCall.expected
index dcdb8b09058c..e69de29bb2d1 100644
--- a/csharp/ql/test/query-tests/Telemetry/DatabaseQuality/IsNotOkayCall.expected
+++ b/csharp/ql/test/query-tests/Telemetry/DatabaseQuality/IsNotOkayCall.expected
@@ -1,2 +0,0 @@
-| Quality.cs:26:19:26:26 | access to indexer | Call without target $@. | Quality.cs:26:19:26:26 | access to indexer | access to indexer |
-| Quality.cs:29:21:29:27 | access to indexer | Call without target $@. | Quality.cs:29:21:29:27 | access to indexer | access to indexer |
diff --git a/csharp/ql/test/query-tests/Telemetry/DatabaseQuality/NoTarget.expected b/csharp/ql/test/query-tests/Telemetry/DatabaseQuality/NoTarget.expected
index a76dd08cdb6b..b96815507f14 100644
--- a/csharp/ql/test/query-tests/Telemetry/DatabaseQuality/NoTarget.expected
+++ b/csharp/ql/test/query-tests/Telemetry/DatabaseQuality/NoTarget.expected
@@ -7,7 +7,5 @@
 | Quality.cs:20:13:20:23 | access to property MyProperty6 | Call without target $@. | Quality.cs:20:13:20:23 | access to property MyProperty6 | access to property MyProperty6 |
 | Quality.cs:23:9:23:14 | access to event Event1 | Call without target $@. | Quality.cs:23:9:23:14 | access to event Event1 | access to event Event1 |
 | Quality.cs:23:9:23:30 | delegate call | Call without target $@. | Quality.cs:23:9:23:30 | delegate call | delegate call |
-| Quality.cs:26:19:26:26 | access to indexer | Call without target $@. | Quality.cs:26:19:26:26 | access to indexer | access to indexer |
-| Quality.cs:29:21:29:27 | access to indexer | Call without target $@. | Quality.cs:29:21:29:27 | access to indexer | access to indexer |
 | Quality.cs:38:16:38:26 | access to property MyProperty2 | Call without target $@. | Quality.cs:38:16:38:26 | access to property MyProperty2 | access to property MyProperty2 |
 | Quality.cs:50:20:50:26 | object creation of type T | Call without target $@. | Quality.cs:50:20:50:26 | object creation of type T | object creation of type T |
diff --git a/csharp/ql/test/query-tests/Telemetry/DatabaseQuality/Quality.cs b/csharp/ql/test/query-tests/Telemetry/DatabaseQuality/Quality.cs
index e10ce10f6c4b..648083edad8d 100644
--- a/csharp/ql/test/query-tests/Telemetry/DatabaseQuality/Quality.cs
+++ b/csharp/ql/test/query-tests/Telemetry/DatabaseQuality/Quality.cs
@@ -23,10 +23,10 @@ public Test()
         Event1.Invoke(this, 5);
 
         var str = "abcd";
-        var sub = str[..3];         // TODO: this is not an indexer call, but rather a `str.Substring(0, 3)` call.
+        var sub = str[..3];
 
         Span<int> sp = null;
-        var slice = sp[..3];        // TODO: this is not an indexer call, but rather a `sp.Slice(0, 3)` call.
+        var slice = sp[..3];
 
         Span<byte> guidBytes = stackalloc byte[16];
         guidBytes[08] = 1;

From 9167814918a320b5b62549a8cc5749ec9abd7a50 Mon Sep 17 00:00:00 2001
From: Michael Nebel <michaelnebel@github.com>
Date: Thu, 21 May 2026 13:34:43 +0200
Subject: [PATCH 3/3] C#: Add change-note.

---
 csharp/ql/lib/change-notes/2026-05-21-spanaccess-range.md | 4 ++++
 1 file changed, 4 insertions(+)
 create mode 100644 csharp/ql/lib/change-notes/2026-05-21-spanaccess-range.md

diff --git a/csharp/ql/lib/change-notes/2026-05-21-spanaccess-range.md b/csharp/ql/lib/change-notes/2026-05-21-spanaccess-range.md
new file mode 100644
index 000000000000..b7bc97b9a94e
--- /dev/null
+++ b/csharp/ql/lib/change-notes/2026-05-21-spanaccess-range.md
@@ -0,0 +1,4 @@
+---
+category: minorAnalysis
+---
+* Improved extraction of span range-access expressions (for example, `a[0..3]`) so the indexer is recorded as the call target.