C#: Teach guards library about unique assignments

hvitved · hvitved · commit 3b0d1599adf5 · 2018-11-30T17:43:10.000+01:00
For example, in

```
void M(object x)
{
    var y = x == null ? 1 : 2;
    if (y == 2)
        x.ToString();
}
```

the guard `y == 2` implies that the guard `x == null` must be false,
as the assignment of `2` to `y` is unique.
diff --git a/csharp/ql/src/semmle/code/csharp/controlflow/Guards.qll b/csharp/ql/src/semmle/code/csharp/controlflow/Guards.qll
@@ -980,6 +980,82 @@ module Internal {
     )
   }
 
+  /**
+   * Holds if `def` can have a value that is not representable as an
+   * abstract value.
+   */
+  private predicate hasPossibleUnknownValue(PreSsa::Definition def) {
+    exists(PreSsa::Definition input |
+      input = def.getAPhiInput*() and
+      not exists(input.getAPhiInput())
+    |
+      not exists(input.getDefinition().getSource())
+      or
+      exists(Expr e |
+        e = stripConditionalExpr(input.getDefinition().getSource()) |
+        not e = any(AbstractValue v).getAnExpr()
+      )
+    )
+  }
+
+  /**
+   * Gets an ultimate definition of `def` that is not itself a phi node. The
+   * boolean `fromBackEdge` indicates whether the flow from `result` to `def`
+   * goes through a back edge.
+   */
+  PreSsa::Definition getADefinition(PreSsa::Definition def, boolean fromBackEdge) {
+    result = def and
+    not exists(def.getAPhiInput()) and
+    fromBackEdge = false
+    or
+    exists(PreSsa::Definition input, PreBasicBlocks::PreBasicBlock pred, boolean fbe |
+      input = def.getAPhiInput() |
+      pred = def.getBasicBlock().getAPredecessor() and
+      PreSsa::ssaDefReachesEndOfBlock(pred, input, _) and
+      result = getADefinition(input, fbe) and
+      (if def.getBasicBlock().dominates(pred) then fromBackEdge = true else fromBackEdge = fbe)
+    )
+  }
+
+  /**
+   * Holds if `e` has abstract value `v` and may be assigned to `def`. The Boolean
+   * `fromBackEdge` indicates whether the flow from `e` to `def` goes through a
+   * back edge.
+   */
+  private predicate possibleValue(PreSsa::Definition def, boolean fromBackEdge, Expr e, AbstractValue v) {
+    not hasPossibleUnknownValue(def) and
+    exists(PreSsa::Definition input |
+      input = getADefinition(def, fromBackEdge) |
+      e = stripConditionalExpr(input.getDefinition().getSource()) and
+      v.getAnExpr() = e
+    )
+  }
+
+  private predicate nonUniqueValue(PreSsa::Definition def, Expr e, AbstractValue v) {
+    possibleValue(def, false, e, v) and
+    possibleValue(def, _, any(Expr other | other != e), v)
+  }
+
+  /**
+   * Holds if `e` has abstract value `v` and may be assigned to `def` without going
+   * through back edges, and all other possible ultimate definitions of `def` do not
+   * have abstract value `v`. The trivial case where `def` is an explicit update with
+   * source `e is excluded.
+   */
+  private predicate uniqueValue(PreSsa::Definition def, Expr e, AbstractValue v) {
+    possibleValue(def, false, e, v) and
+    not nonUniqueValue(def, e, v) and
+    exists(Expr other | possibleValue(def, _, other, _) and other != e)
+  }
+
+  /**
+   * Holds if `guard` having abstract value `vGuard` implies that `def` has
+   * abstract value `vDef`.
+   */
+  private predicate guardImpliesEqual(Guard guard, AbstractValue vGuard, PreSsa::Definition def, AbstractValue vDef) {
+    guard = getAnEqualityCheck(def.getARead(), vGuard, vDef.getAnExpr())
+  }
+
   /**
    * A helper class for calculating structurally equal access/call expressions.
    */
@@ -1167,6 +1243,15 @@ module Internal {
         conditionalAssignVal(g2, v2.getDualValue(), def, v) and
         guardImpliesNotEqual(g1, v1, def, v)
       )
+      or
+      exists(PreSsa::Definition def, Expr e, AbstractValue v |
+        // If `def = g2 ? v : ...` and all other assignments to `def` are different from
+        // `v` then a guard proving `def == v` ensures that `g2` evaluates to `v2`.
+        uniqueValue(def, e, v) and
+        guardImpliesEqual(g1, v1, def, v) and
+        g2.preControlsDirect(any(PreBasicBlocks::PreBasicBlock bb | e = bb.getAnElement()), v2) and
+        not g2.preControlsDirect(any(PreBasicBlocks::PreBasicBlock bb | g1 = bb.getAnElement()), v2)
+      )
     }
 
     cached
diff --git a/csharp/ql/test/query-tests/Nullness/D.cs b/csharp/ql/test/query-tests/Nullness/D.cs
@@ -75,7 +75,7 @@ public void NullGuards()
         var o8 = maybe ? null : "";
         int track = o8 == null ? 42 : 1 + 1;
         if (track == 2)
-            o8.ToString(); // GOOD (false positive)
+            o8.ToString(); // GOOD
         if (track != 42)
             o8.ToString(); // GOOD (false positive)
         if (track < 42)
diff --git a/csharp/ql/test/query-tests/Nullness/E.cs b/csharp/ql/test/query-tests/Nullness/E.cs
@@ -90,12 +90,12 @@ public void Ex6(int[] vals, bool b1, bool b2)
         switch (switchguard)
         {
             case MY_CONST_A:
-                vals[0] = 0; // GOOD (false positive)
+                vals[0] = 0; // GOOD
                 break;
             case MY_CONST_C:
                 break;
             case MY_CONST_B:
-                vals[0] = 0; // GOOD (false positive)
+                vals[0] = 0; // GOOD
                 break;
             default:
                 throw new Exception();
diff --git a/csharp/ql/test/query-tests/Nullness/Implications.expected b/csharp/ql/test/query-tests/Nullness/Implications.expected
@@ -717,8 +717,10 @@
 | D.cs:76:21:76:30 | ... == ... | false | D.cs:76:21:76:22 | access to local variable o8 | non-null |
 | D.cs:76:21:76:30 | ... == ... | true | D.cs:75:18:75:22 | access to field maybe | true |
 | D.cs:76:21:76:30 | ... == ... | true | D.cs:76:21:76:22 | access to local variable o8 | null |
+| D.cs:77:13:77:22 | ... == ... | true | D.cs:76:21:76:30 | ... == ... | false |
 | D.cs:78:13:78:14 | access to local variable o8 | non-null | D.cs:75:18:75:34 | ... ? ... : ... | non-null |
 | D.cs:78:13:78:14 | access to local variable o8 | null | D.cs:75:18:75:34 | ... ? ... : ... | null |
+| D.cs:79:13:79:23 | ... != ... | false | D.cs:76:21:76:30 | ... == ... | true |
 | D.cs:80:13:80:14 | access to local variable o8 | non-null | D.cs:75:18:75:34 | ... ? ... : ... | non-null |
 | D.cs:80:13:80:14 | access to local variable o8 | null | D.cs:75:18:75:34 | ... ? ... : ... | null |
 | D.cs:82:13:82:14 | access to local variable o8 | non-null | D.cs:75:18:75:34 | ... ? ... : ... | non-null |
@@ -1152,6 +1154,10 @@
 | E.cs:85:18:85:29 | ... != ... | true | E.cs:85:18:85:21 | access to parameter vals | non-null |
 | E.cs:85:18:85:35 | ... && ... | true | E.cs:85:18:85:29 | ... != ... | true |
 | E.cs:85:18:85:35 | ... && ... | true | E.cs:85:34:85:35 | access to parameter b2 | true |
+| E.cs:90:17:90:27 | access to local variable switchguard | match case ...: | E.cs:83:13:83:24 | ... != ... | true |
+| E.cs:90:17:90:27 | access to local variable switchguard | match case ...: | E.cs:83:29:83:30 | access to parameter b1 | true |
+| E.cs:90:17:90:27 | access to local variable switchguard | match case ...: | E.cs:85:18:85:29 | ... != ... | true |
+| E.cs:90:17:90:27 | access to local variable switchguard | match case ...: | E.cs:85:34:85:35 | access to parameter b2 | true |
 | E.cs:107:15:107:25 | Int32[] arr2 = ... | non-null | E.cs:107:15:107:18 | access to local variable arr2 | non-null |
 | E.cs:107:15:107:25 | Int32[] arr2 = ... | null | E.cs:107:15:107:18 | access to local variable arr2 | null |
 | E.cs:109:13:109:39 | ... = ... | non-null | E.cs:109:13:109:16 | access to local variable arr2 | non-null |
diff --git a/csharp/ql/test/query-tests/Nullness/NullMaybe.expected b/csharp/ql/test/query-tests/Nullness/NullMaybe.expected
@@ -10,7 +10,6 @@
 | D.cs:32:9:32:13 | access to parameter param | Variable '$@' may be null here as suggested by $@ null check. | D.cs:26:32:26:36 | param | param | D.cs:28:13:28:25 | ... != ... | this |
 | D.cs:62:13:62:14 | access to local variable o5 | Variable '$@' may be null here because of $@ assignment. | D.cs:58:13:58:14 | o5 | o5 | D.cs:58:13:58:41 | String o5 = ... | this |
 | D.cs:73:13:73:14 | access to local variable o7 | Variable '$@' may be null here because of $@ assignment. | D.cs:68:13:68:14 | o7 | o7 | D.cs:68:13:68:34 | String o7 = ... | this |
-| D.cs:78:13:78:14 | access to local variable o8 | Variable '$@' may be null here because of $@ assignment. | D.cs:75:13:75:14 | o8 | o8 | D.cs:75:13:75:34 | String o8 = ... | this |
 | D.cs:80:13:80:14 | access to local variable o8 | Variable '$@' may be null here because of $@ assignment. | D.cs:75:13:75:14 | o8 | o8 | D.cs:75:13:75:34 | String o8 = ... | this |
 | D.cs:82:13:82:14 | access to local variable o8 | Variable '$@' may be null here because of $@ assignment. | D.cs:75:13:75:14 | o8 | o8 | D.cs:75:13:75:34 | String o8 = ... | this |
 | D.cs:84:13:84:14 | access to local variable o8 | Variable '$@' may be null here because of $@ assignment. | D.cs:75:13:75:14 | o8 | o8 | D.cs:75:13:75:34 | String o8 = ... | this |
@@ -55,10 +54,6 @@
 | E.cs:43:13:43:16 | access to local variable last | Variable '$@' may be null here because of $@ assignment. | E.cs:32:16:32:19 | last | last | E.cs:37:9:37:19 | ... = ... | this |
 | E.cs:61:13:61:17 | access to local variable slice | Variable '$@' may be null here because of $@ assignment. | E.cs:51:22:51:26 | slice | slice | E.cs:51:22:51:33 | List<String> slice = ... | this |
 | E.cs:73:13:73:15 | access to parameter arr | Variable '$@' may be null here as suggested by $@ null check. | E.cs:66:40:66:42 | arr | arr | E.cs:70:22:70:32 | ... == ... | this |
-| E.cs:93:17:93:20 | access to parameter vals | Variable '$@' may be null here as suggested by $@ null check. | E.cs:80:27:80:30 | vals | vals | E.cs:83:13:83:24 | ... != ... | this |
-| E.cs:93:17:93:20 | access to parameter vals | Variable '$@' may be null here as suggested by $@ null check. | E.cs:80:27:80:30 | vals | vals | E.cs:85:18:85:29 | ... != ... | this |
-| E.cs:98:17:98:20 | access to parameter vals | Variable '$@' may be null here as suggested by $@ null check. | E.cs:80:27:80:30 | vals | vals | E.cs:83:13:83:24 | ... != ... | this |
-| E.cs:98:17:98:20 | access to parameter vals | Variable '$@' may be null here as suggested by $@ null check. | E.cs:80:27:80:30 | vals | vals | E.cs:85:18:85:29 | ... != ... | this |
 | E.cs:112:13:112:16 | access to local variable arr2 | Variable '$@' may be null here because of $@ assignment. | E.cs:107:15:107:18 | arr2 | arr2 | E.cs:107:15:107:25 | Int32[] arr2 = ... | this |
 | E.cs:125:33:125:35 | access to local variable obj | Variable '$@' may be null here because of $@ assignment. | E.cs:119:13:119:15 | obj | obj | E.cs:137:25:137:34 | ... = ... | this |
 | E.cs:159:13:159:16 | access to local variable obj2 | Variable '$@' may be null here as suggested by $@ null check. | E.cs:152:16:152:19 | obj2 | obj2 | E.cs:153:13:153:24 | ... != ... | this |
