Merge pull request #2766 from hvitved/csharp/stackalloc

C#: Extract `stackalloc` information

Author: calumgrant

change-notes/1.24/analysis-csharp.md

@@ -29,6 +29,7 @@ The following changes in version 1.24 affect C# analysis in all applications.
 * Tuple expressions, for example `(int,bool)` in `default((int,bool))` are now extracted correctly.
 * Expression nullability flow state is extracted.
 * Implicitly typed `stackalloc` expressions are now extracted correctly.
+* The difference between `stackalloc` array creations and normal array creations is extracted.
 
 ## Changes to libraries
 
@@ -39,5 +40,6 @@ The following changes in version 1.24 affect C# analysis in all applications.
 * The taint tracking library now tracks flow through (implicit or explicit) conversion operator calls.
 * [Code contracts](https://docs.microsoft.com/en-us/dotnet/framework/debug-trace-profile/code-contracts) are now recognized, and are treated like any other assertion methods.
 * Expression nullability flow state is given by the predicates `Expr.hasNotNullFlowState()` and `Expr.hasMaybeNullFlowState()`.
+* `stackalloc` array creations are now represented by the QL class `Stackalloc`. Previously they were represented by the class `ArrayCreation`.
 
 ## Changes to autobuilder

csharp/extractor/Semmle.Extraction.CSharp/Entities/Expressions/ArrayCreation.cs

@@ -90,6 +90,12 @@ class StackAllocArrayCreation : ExplicitArrayCreation<StackAllocArrayCreationExp
 
         public override InitializerExpressionSyntax Initializer => Syntax.Initializer;
 
+        protected override void PopulateExpression(TextWriter trapFile)
+        {
+            base.PopulateExpression(trapFile);
+            trapFile.stackalloc_array_creation(this);
+        }
+
         public static Expression Create(ExpressionNodeInfo info) => new StackAllocArrayCreation(info).TryPopulate();
     }
 
@@ -103,6 +109,7 @@ protected override void PopulateExpression(TextWriter trapFile)
         {
             ArrayInitializer.Create(new ExpressionNodeInfo(cx, Syntax.Initializer, this, -1));
             trapFile.implicitly_typed_array_creation(this);
+            trapFile.stackalloc_array_creation(this);
         }
     }
 

csharp/extractor/Semmle.Extraction.CSharp/Tuples.cs

@@ -466,6 +466,11 @@ internal static void specific_type_parameter_nullability(this TextWriter trapFil
             trapFile.WriteTuple("specific_type_parameter_nullability", constraints, baseType, nullability);
         }
 
+        internal static void stackalloc_array_creation(this TextWriter trapFile, Expression array)
+        {
+            trapFile.WriteTuple("stackalloc_array_creation", array);
+        }
+
         internal static void stmt_location(this TextWriter trapFile, Statement stmt, Location location)
         {
             trapFile.WriteTuple("stmt_location", stmt, location);

csharp/ql/src/semmle/code/csharp/exprs/Creation.qll

@@ -372,6 +372,13 @@ class ArrayCreation extends Expr, @array_creation_expr {
   override string toString() { result = "array creation of type " + this.getType().getName() }
 }
 
+/**
+ * A `stackalloc` array creation, for example `stackalloc char[] { 'x', 'y' }`.
+ */
+class Stackalloc extends ArrayCreation {
+  Stackalloc() { stackalloc_array_creation(this) }
+}
+
 /**
  * An anonymous function. Either a lambda expression (`LambdaExpr`) or an
  * anonymous method expression (`AnonymousMethodExpr`).

csharp/ql/src/semmlecode.csharp.dbscheme

@@ -1084,6 +1084,9 @@ implicitly_typed_array_creation(
 explicitly_sized_array_creation(
   unique int id: @array_creation_expr ref);
 
+stackalloc_array_creation(
+  unique int id: @array_creation_expr ref);
+
 mutator_invocation_mode(
   unique int id: @operator_invocation_expr ref,
   int mode: int ref /* prefix = 1, postfix = 2*/);

csharp/ql/src/semmlecode.csharp.dbscheme.stats

@@ -28440,6 +28440,17 @@
 <dependencies/>
 </relation>
 <relation>
+<name>stackalloc_array_creation</name>
+<cardinality>50</cardinality>
+<columnsizes>
+<e>
+<k>id</k>
+<v>50</v>
+</e>
+</columnsizes>
+<dependencies/>
+</relation>
+<relation>
 <name>mutator_invocation_mode</name>
 <cardinality>0</cardinality>
 <columnsizes>

csharp/ql/test/library-tests/csharp7.3/ArrayCreations.expected

@@ -1,6 +1,20 @@
+arrayCreation
 | csharp73.cs:9:20:9:49 | array creation of type Char* | 0 | csharp73.cs:9:20:9:49 | 2 |
 | csharp73.cs:10:20:10:45 | array creation of type Char* | 0 | csharp73.cs:10:36:10:36 | 1 |
 | csharp73.cs:11:20:11:37 | array creation of type Char[] | 0 | csharp73.cs:11:20:11:37 | 1 |
 | csharp73.cs:12:20:12:38 | array creation of type Char* | 0 | csharp73.cs:12:36:12:37 | 10 |
 | csharp73.cs:13:20:13:31 | array creation of type Char[] | 0 | csharp73.cs:13:29:13:30 | 10 |
 | csharp73.cs:22:23:22:33 | array creation of type Int32[] | 0 | csharp73.cs:22:31:22:32 | 10 |
+arrayElement
+| csharp73.cs:9:20:9:49 | array creation of type Char* | 0 | csharp73.cs:9:40:9:42 | x |
+| csharp73.cs:9:20:9:49 | array creation of type Char* | 1 | csharp73.cs:9:45:9:47 | y |
+| csharp73.cs:10:20:10:45 | array creation of type Char* | 0 | csharp73.cs:10:41:10:43 | x |
+| csharp73.cs:11:20:11:37 | array creation of type Char[] | 0 | csharp73.cs:11:33:11:35 | x |
+| csharp73.cs:14:20:14:43 | array creation of type Int32* | 0 | csharp73.cs:14:35:14:35 | 1 |
+| csharp73.cs:14:20:14:43 | array creation of type Int32* | 1 | csharp73.cs:14:38:14:38 | 2 |
+| csharp73.cs:14:20:14:43 | array creation of type Int32* | 2 | csharp73.cs:14:41:14:41 | 3 |
+stackalloc
+| csharp73.cs:9:20:9:49 | array creation of type Char* |
+| csharp73.cs:10:20:10:45 | array creation of type Char* |
+| csharp73.cs:12:20:12:38 | array creation of type Char* |
+| csharp73.cs:14:20:14:43 | array creation of type Int32* |

csharp/ql/test/library-tests/csharp7.3/ArrayCreations.ql

@@ -1,4 +1,11 @@
 import csharp
 
-from ArrayCreation creation, int i
-select creation, i, creation.getLengthArgument(i)
+query predicate arrayCreation(ArrayCreation creation, int i, Expr length) {
+  length = creation.getLengthArgument(i)
+}
+
+query predicate arrayElement(ArrayCreation array, int i, Expr element) {
+  element = array.getInitializer().getElement(i)
+}
+
+query predicate stackalloc(Stackalloc a) { any() }