More precise Nullness tracking by taking correlated instanceof expressions into account.

criemen · criemen · commit 3e5324e77211 · 2019-11-21T18:38:27.000+01:00
Fixes #2238.
diff --git a/java/ql/src/semmle/code/java/dataflow/NullGuards.qll b/java/ql/src/semmle/code/java/dataflow/NullGuards.qll
@@ -24,6 +24,12 @@ Expr enumConstEquality(Expr e, boolean polarity, EnumConstant c) {
   )
 }
 
+/** Gets an instanceof expression of `v` with type `type` */
+InstanceOfExpr instanceofExpr(SsaVariable v, Expr type) {
+  result.getTypeName() = type and
+  result.getExpr() = v.getAUse()
+}
+
 /** Gets an expression that is provably not `null`. */
 Expr clearlyNotNullExpr(Expr reason) {
   result instanceof ClassInstanceExpr and reason = result
diff --git a/java/ql/src/semmle/code/java/dataflow/Nullness.qll b/java/ql/src/semmle/code/java/dataflow/Nullness.qll
@@ -515,6 +515,13 @@ private predicate correlatedConditions(
       cond2.getCondition() = enumConstEquality(v.getAUse(), pol2, c) and
       inverted = pol1.booleanXor(pol2)
     )
+    or
+    exists(SsaVariable v, Expr t1, Expr t2 |
+      cond1.getCondition() = instanceofExpr(v, t1) and
+      cond2.getCondition() = instanceofExpr(v, t2) and
+      t1.getType() = t2.getType() and
+      inverted = false
+    )
   )
 }
 
diff --git a/java/ql/test/query-tests/Nullness/NullMaybe.expected b/java/ql/test/query-tests/Nullness/NullMaybe.expected
@@ -17,8 +17,6 @@
 | B.java:190:7:190:7 | o | Variable $@ may be null here because of $@ assignment. | B.java:178:5:178:20 | Object o | o | B.java:186:5:186:12 | ...=... | this |
 | B.java:279:7:279:7 | a | Variable $@ may be null here because of $@ assignment. | B.java:276:5:276:19 | int[] a | a | B.java:276:11:276:18 | a | this |
 | B.java:292:7:292:7 | b | Variable $@ may be null here because of $@ assignment. | B.java:287:5:287:44 | int[] b | b | B.java:287:11:287:43 | b | this |
-| B.java:334:7:334:7 | x | Variable $@ may be null here because of $@ assignment. | B.java:329:5:329:20 | Object x | x | B.java:329:12:329:19 | x | this |
-| B.java:344:7:344:7 | x | Variable $@ may be null here because of $@ assignment. | B.java:339:5:339:20 | Object x | x | B.java:339:12:339:19 | x | this |
 | C.java:9:44:9:45 | a2 | Variable $@ may be null here as suggested by $@ null guard. | C.java:6:5:6:23 | long[][] a2 | a2 | C.java:7:34:7:54 | ... != ... | this |
 | C.java:9:44:9:45 | a2 | Variable $@ may be null here because of $@ assignment. | C.java:6:5:6:23 | long[][] a2 | a2 | C.java:6:14:6:22 | a2 | this |
 | C.java:10:17:10:18 | a3 | Variable $@ may be null here as suggested by $@ null guard. | C.java:8:5:8:21 | long[] a3 | a3 | C.java:9:38:9:58 | ... != ... | this |

Original file line number	Diff line number	Diff line change
`@@ -24,6 +24,12 @@ Expr enumConstEquality(Expr e, boolean polarity, EnumConstant c) {`
`24`	`24`	`)`
`25`	`25`	`}`
`26`	`26`
	`27`	+/** Gets an instanceof expression of `v` with type `type` */
	`28`	`+InstanceOfExpr instanceofExpr(SsaVariable v, Expr type) {`
	`29`	`+ result.getTypeName() = type and`
	`30`	`+ result.getExpr() = v.getAUse()`
	`31`	`+}`
	`32`	`+`
`27`	`33`	/** Gets an expression that is provably not `null`. */
`28`	`34`	`Expr clearlyNotNullExpr(Expr reason) {`
`29`	`35`	`result instanceof ClassInstanceExpr and reason = result`
Original file line number	Diff line number	Diff line change
`@@ -515,6 +515,13 @@ private predicate correlatedConditions(`
`515`	`515`	`cond2.getCondition() = enumConstEquality(v.getAUse(), pol2, c) and`
`516`	`516`	`inverted = pol1.booleanXor(pol2)`
`517`	`517`	`)`
	`518`	`+ or`
	`519`	`+ exists(SsaVariable v, Expr t1, Expr t2 \|`
	`520`	`+ cond1.getCondition() = instanceofExpr(v, t1) and`
	`521`	`+ cond2.getCondition() = instanceofExpr(v, t2) and`
	`522`	`+ t1.getType() = t2.getType() and`
	`523`	`+ inverted = false`
	`524`	`+ )`
`518`	`525`	`)`
`519`	`526`	`}`
`520`	`527`