Merge pull request #2412 from Cornelius-Riemenschneider/nullness-corr-cond

aschackmull · web-flow · commit 18e170803658 · 2019-11-26T10:33:34.000+01:00
Java: Nullness library: track instanceof expressions in correlated conditions
diff --git a/java/ql/src/semmle/code/java/dataflow/NullGuards.qll b/java/ql/src/semmle/code/java/dataflow/NullGuards.qll
@@ -24,6 +24,21 @@ Expr enumConstEquality(Expr e, boolean polarity, EnumConstant c) {
   )
 }
 
+/** Gets an instanceof expression of `v` with type `type` */
+InstanceOfExpr instanceofExpr(SsaVariable v, Type type) {
+  result.getTypeName().getType() = type and
+  result.getExpr() = v.getAUse()
+}
+
+/**
+ * Gets an expression of the form `v1 == v2` or `v1 != v2`.
+ * The predicate is symmetric in `v1` and `v2`.
+ */
+EqualityTest varEqualityTestExpr(SsaVariable v1, SsaVariable v2, boolean isEqualExpr) {
+  result.hasOperands(v1.getAUse(), v2.getAUse()) and
+  isEqualExpr = result.polarity()
+}
+
 /** Gets an expression that is provably not `null`. */
 Expr clearlyNotNullExpr(Expr reason) {
   result instanceof ClassInstanceExpr and reason = result
diff --git a/java/ql/src/semmle/code/java/dataflow/Nullness.qll b/java/ql/src/semmle/code/java/dataflow/Nullness.qll
@@ -515,6 +515,18 @@ private predicate correlatedConditions(
       cond2.getCondition() = enumConstEquality(v.getAUse(), pol2, c) and
       inverted = pol1.booleanXor(pol2)
     )
+    or
+    exists(SsaVariable v, Type type |
+      cond1.getCondition() = instanceofExpr(v, type) and
+      cond2.getCondition() = instanceofExpr(v, type) and
+      inverted = false
+    )
+    or
+    exists(SsaVariable v1, SsaVariable v2, boolean branch1, boolean branch2 |
+      cond1.getCondition() = varEqualityTestExpr(v1, v2, branch1) and
+      cond2.getCondition() = varEqualityTestExpr(v1, v2, branch2) and
+      inverted = branch1.booleanXor(branch2)
+    )
   )
 }
 
diff --git a/java/ql/test/query-tests/Nullness/B.java b/java/ql/test/query-tests/Nullness/B.java
@@ -324,4 +324,51 @@ public void corrConds2(Object x, Object y) {
     if (x != null) y.hashCode(); // OK
     if (y != null) x.hashCode(); // OK
   }
+
+  public void corrConds3(Object y) {
+    Object x = null;
+    if(y instanceof String) {
+      x = new Object();
+    }
+    if(y instanceof String) {
+      x.hashCode(); // OK
+    }
+  }
+
+  public void corrConds4(Object y) {
+    Object x = null;
+    if(!(y instanceof String)) {
+      x = new Object();
+    }
+    if(!(y instanceof String)) {
+      x.hashCode(); // OK
+    }
+  }
+
+  public void corrConds5(Object y, Object z) {
+    Object x = null;
+    if(y == z) {
+      x = new Object();
+    }
+    if(y == z) {
+      x.hashCode(); // OK
+    }
+
+    Object x2 = null;
+    if(y != z) {
+      x2 = new Object();
+    }
+    if(y != z) {
+      x2.hashCode(); // OK
+    }
+
+    Object x3 = null;
+    if(y != z) {
+      x3 = new Object();
+    }
+    if(!(y == z)) {
+      x3.hashCode(); // OK
+    }
+  }
+
 }

Original file line number	Diff line number	Diff line change
`@@ -515,6 +515,18 @@ private predicate correlatedConditions(`
`515`	`515`	`cond2.getCondition() = enumConstEquality(v.getAUse(), pol2, c) and`
`516`	`516`	`inverted = pol1.booleanXor(pol2)`
`517`	`517`	`)`
	`518`	`+ or`
	`519`	`+ exists(SsaVariable v, Type type \|`
	`520`	`+ cond1.getCondition() = instanceofExpr(v, type) and`
	`521`	`+ cond2.getCondition() = instanceofExpr(v, type) and`
	`522`	`+ inverted = false`
	`523`	`+ )`
	`524`	`+ or`
	`525`	`+ exists(SsaVariable v1, SsaVariable v2, boolean branch1, boolean branch2 \|`
	`526`	`+ cond1.getCondition() = varEqualityTestExpr(v1, v2, branch1) and`
	`527`	`+ cond2.getCondition() = varEqualityTestExpr(v1, v2, branch2) and`
	`528`	`+ inverted = branch1.booleanXor(branch2)`
	`529`	`+ )`
`518`	`530`	`)`
`519`	`531`	`}`
`520`	`532`