Merge pull request #708 from hvitved/csharp/ssa-read-splitting

Approved by calumgrant

Author: semmle-qlci

csharp/ql/src/semmle/code/csharp/Assignable.qll

@@ -100,7 +100,10 @@ class AssignableRead extends AssignableAccess {
    * - The read of `this.Field` on line 11 is next to the read on line 10.
    */
   AssignableRead getANextRead() {
-    Ssa::Internal::adjacentReadPairSameVar(this, result)
+    forex(ControlFlow::Node cfn |
+      cfn = result.getAControlFlowNode() |
+      Ssa::Internal::adjacentReadPairSameVar(this.getAControlFlowNode(), cfn)
+    )
   }
 
   /**
@@ -502,9 +505,12 @@ class AssignableDefinition extends TAssignableDefinition {
    * `AssignableRead.getANextRead()`.
    */
   AssignableRead getAFirstRead() {
-    exists(Ssa::ExplicitDefinition def |
-      def.getADefinition() = this |
-      result = def.getAFirstRead()
+    forex(ControlFlow::Node cfn |
+      cfn = result.getAControlFlowNode() |
+      exists(Ssa::ExplicitDefinition def |
+        result = def.getAFirstReadAtNode(cfn) |
+        this = def.getADefinition()
+      )
     )
   }
 

csharp/ql/src/semmle/code/csharp/dataflow/Nullness.qll

@@ -423,20 +423,20 @@ private Ssa::Definition getAnUltimateDefinition(Ssa::Definition def) {
 }
 
 /**
- * Holds if SSA definition `def` can reach a read `ar`, without passing
+ * Holds if SSA definition `def` can reach a read at `cfn`, without passing
  * through an intermediate dereference that always (`always = true`) or
  * maybe (`always = false`) throws a null reference exception.
  */
-private predicate defReaches(Ssa::Definition def, AssignableRead ar, boolean always) {
-  ar = def.getAFirstRead() and
+private predicate defReaches(Ssa::Definition def, ControlFlow::Node cfn, boolean always) {
+  exists(def.getAFirstReadAtNode(cfn)) and
   (always = true or always = false)
   or
-  exists(AssignableRead mid |
+  exists(ControlFlow::Node mid |
     defReaches(def, mid, always) |
-    ar = mid.getANextRead() and
+    Ssa::Internal::adjacentReadPairSameVar(mid, cfn) and
     not mid = any(Dereference d |
       if always = true then d.isAlwaysNull(def.getSourceVariable()) else d.isMaybeNull(def, _, _, _, _)
-    )
+    ).getAControlFlowNode()
   )
 }
 
@@ -528,7 +528,7 @@ class Dereference extends G::DereferenceableExpr {
    */
   predicate isFirstAlwaysNull(Ssa::SourceVariable v) {
     this.isAlwaysNull(v) and
-    defReaches(v.getAnSsaDefinition(), this, true)
+    defReaches(v.getAnSsaDefinition(), this.getAControlFlowNode(), true)
   }
 
   /**
@@ -551,6 +551,6 @@ class Dereference extends G::DereferenceableExpr {
    */
   predicate isFirstMaybeNull(Ssa::Definition def, SourcePathNode source, SinkPathNode sink, string msg, Element reason) {
     this.isMaybeNull(def, source, sink, msg, reason) and
-    defReaches(def, this, false)
+    defReaches(def, this.getAControlFlowNode(), false)
   }
 }

csharp/ql/src/semmle/code/csharp/dataflow/SSA.qll

@@ -760,16 +760,16 @@ module Ssa {
 
     private cached module Cached {
       /**
-       * Holds if `read` is a last read of the non-trivial SSA definition `def`.
-       * That is, `read` can reach the end of the enclosing callable, or another
+       * Holds if `cfn` is a last read of the non-trivial SSA definition `def`.
+       * That is, `cfn` can reach the end of the enclosing callable, or another
        * SSA definition for the underlying source variable, without passing through
        * another read.
        */
       cached
-      predicate lastRead(TrackedDefinition def, AssignableRead read) {
+      predicate lastRead(TrackedDefinition def, ControlFlow::Node cfn) {
         exists(TrackedVar v, BasicBlock bb, int i, int rnk |
-          read = def.getARead() and
-          variableRead(bb, i, v, read.getAControlFlowNode(), _) and
+          exists(def.getAReadAtNode(cfn)) and
+          variableRead(bb, i, v, cfn, _) and
           rnk = ssaRefRank(bb, i, v, SsaRead()) |
           // Next reference to `v` inside `bb` is a write
           rnk + 1 = ssaRefRank(bb, _, v, SsaDef())
@@ -854,27 +854,29 @@ module Ssa {
       }
 
       /**
-       * Holds if the value defined at non-trivial SSA definition `def` can reach `read`
-       * without passing through any other read.
+       * Holds if the value defined at non-trivial SSA definition `def` can reach a
+       * read at `cfn`, without passing through any other read.
        */
       cached
-      predicate firstReadSameVar(TrackedDefinition def, AssignableRead read) {
+      predicate firstReadSameVar(TrackedDefinition def, ControlFlow::Node cfn) {
         exists(TrackedVar v, BasicBlock b1, int i1, BasicBlock b2, int i2 |
           adjacentVarRefs(v, b1, i1, b2, i2) and
           definesAt(def, b1, i1, v) and
-          variableRead(b2, i2, v, read.getAControlFlowNode(), _)
+          variableRead(b2, i2, v, cfn, _)
         )
       }
 
       /**
-       * INTERNAL: Use `AssignableRead.getANextRead()` instead.
+       * Holds if the read at `cfn2` is a read of the same SSA definition as the
+       * read at `cfn1`, and `cfn2` can be reached from `cfn1` without passing
+       * through another read.
        */
       cached
-      predicate adjacentReadPairSameVar(AssignableRead read1, AssignableRead read2) {
+      predicate adjacentReadPairSameVar(ControlFlow::Node cfn1, ControlFlow::Node cfn2) {
         exists(TrackedVar v, BasicBlock bb1, int i1, BasicBlock bb2, int i2 |
           adjacentVarRefs(v, bb1, i1, bb2, i2) and
-          variableRead(bb1, i1, v, read1.getAControlFlowNode(), _) and
-          variableRead(bb2, i2, v, read2.getAControlFlowNode(), _)
+          variableRead(bb1, i1, v, cfn1, _) and
+          variableRead(bb2, i2, v, cfn2, _)
         )
       }
     }
@@ -2074,8 +2076,45 @@ module Ssa {
      * Subsequent reads can be found by following the steps defined by
      * `AssignableRead.getANextRead()`.
      */
-    AssignableRead getAFirstRead() {
-      firstReadSameVar(this, result)
+    AssignableRead getAFirstRead() { result = this.getAFirstReadAtNode(_) }
+
+    /**
+     * Gets a read of the source variable underlying this SSA definition at
+     * control flow node `cfn` that can be reached from this SSA definition
+     * without passing through any other SSA definition or read. Example:
+     *
+     * ```
+     * int Field;
+     *
+     * void SetField(int i) {
+     *   this.Field = i;
+     *   Use(this.Field);
+     *   if (i > 0)
+     *     this.Field = i - 1;
+     *   else if (i < 0)
+     *     SetField(1);
+     *   Use(this.Field);
+     *   Use(this.Field);
+     * }
+     * ```
+     *
+     * - The read of `i` on line 4 can be reached from the explicit SSA
+     *   definition (wrapping an implicit entry definition) on line 3.
+     * - The reads of `i` on lines 6 and 7 are not the first reads of any SSA
+     *   definition.
+     * - The read of `this.Field` on line 5 can be reached from the explicit SSA
+     *   definition on line 4.
+     * - The read of `this.Field` on line 10 can be reached from the phi node
+     *   between lines 9 and 10.
+     * - The read of `this.Field` on line 11 is not the first read of any SSA
+     *   definition.
+     *
+     * Subsequent reads can be found by following the steps defined by
+     * `AssignableRead.getANextRead()`.
+     */
+    AssignableRead getAFirstReadAtNode(ControlFlow::Node cfn) {
+      firstReadSameVar(this, cfn) and
+      result.getAControlFlowNode() = cfn
     }
 
     /**
@@ -2106,8 +2145,39 @@ module Ssa {
      * - The read of `this.Field` on line 11 is a last read of the phi node
      *   between lines 9 and 10.
      */
-    AssignableRead getALastRead() {
-      lastRead(this, result)
+    AssignableRead getALastRead() { result = this.getALastReadAtNode(_) }
+
+    /**
+     * Gets a last read of the source variable underlying this SSA definition at
+     * control flow node `cfn`. That is, a read that can reach the end of the
+     * enclosing callable, or another SSA definition for the source variable,
+     * without passing through any other read. Example:
+     *
+     * ```
+     * int Field;
+     *
+     * void SetField(int i) {
+     *   this.Field = i;
+     *   Use(this.Field);
+     *   if (i > 0)
+     *     this.Field = i - 1;
+     *   else if (i < 0)
+     *     SetField(1);
+     *   Use(this.Field);
+     *   Use(this.Field);
+     * }
+     * ```
+     *
+     * - The reads of `i` on lines 7 and 8 are the last reads for the implicit
+     *   parameter definition on line 3.
+     * - The read of `this.Field` on line 5 is a last read of the definition on
+     *   line 4.
+     * - The read of `this.Field` on line 11 is a last read of the phi node
+     *   between lines 9 and 10.
+     */
+    AssignableRead getALastReadAtNode(ControlFlow::Node cfn) {
+      lastRead(this, cfn) and
+      result.getAControlFlowNode() = cfn
     }
 
     /**

csharp/ql/test/library-tests/dataflow/ssa/DefAdjacentRead.expected

@@ -135,6 +135,13 @@
 | Properties.cs:74:23:74:23 | a | Properties.cs:74:23:74:54 | Action a = ... | Properties.cs:77:9:77:9 | access to local variable a |
 | Properties.cs:75:23:75:23 | b | Properties.cs:75:23:75:35 | Action b = ... | Properties.cs:80:9:80:9 | access to local variable b |
 | Properties.cs:106:37:106:37 | p | Properties.cs:106:37:106:37 | p | Properties.cs:106:42:106:42 | access to parameter p |
+| Splitting.cs:3:18:3:18 | b | Splitting.cs:3:18:3:18 | b | Splitting.cs:6:13:6:13 | access to parameter b |
+| Splitting.cs:5:13:5:13 | x | Splitting.cs:10:13:10:19 | ... = ... | Splitting.cs:11:13:11:13 | access to local variable x |
+| Splitting.cs:22:18:22:18 | b | Splitting.cs:22:18:22:18 | b | Splitting.cs:25:13:25:13 | access to parameter b |
+| Splitting.cs:24:13:24:13 | x | Splitting.cs:29:13:29:19 | ... = ... | Splitting.cs:30:13:30:13 | access to local variable x |
+| Splitting.cs:24:13:24:13 | x | Splitting.cs:32:9:32:15 | ... = ... | Splitting.cs:33:9:33:9 | access to local variable x |
+| Splitting.cs:42:18:42:18 | b | Splitting.cs:42:18:42:18 | b | Splitting.cs:45:13:45:13 | access to parameter b |
+| Splitting.cs:44:13:44:13 | x | Splitting.cs:49:13:49:19 | ... = ... | Splitting.cs:50:13:50:13 | access to local variable x |
 | Test.cs:3:9:3:13 | field | Test.cs:57:9:57:17 | ... = ... | Test.cs:58:13:58:17 | access to field field |
 | Test.cs:5:15:5:20 | param1 | Test.cs:5:15:5:20 | param1 | Test.cs:11:13:11:18 | access to parameter param1 |
 | Test.cs:5:67:5:72 | param2 | Test.cs:5:67:5:72 | param2 | Test.cs:39:27:39:32 | access to parameter param2 |

csharp/ql/test/library-tests/dataflow/ssa/PreSsaConsistency.ql

@@ -1,9 +1,19 @@
 import csharp
 import ControlFlow::Internal
 
-query predicate defReadInconsistency(
+class CallableWithSplitting extends Callable {
+  CallableWithSplitting() {
+    this = any(SplitControlFlowElement e).getEnclosingCallable()
+  }
+}
+
+query
+predicate defReadInconsistency(
   AssignableRead ar, Expr e, PreSsa::SimpleAssignable a, boolean b
 ) {
+  // Exclude definitions in callables with CFG splitting, as SSA definitions may be
+  // very different from pre-SSA definitions
+  not ar.getEnclosingCallable() instanceof CallableWithSplitting and
   exists(AssignableDefinition def | e = def.getExpr() |
     b = true and
     exists(PreSsa::Definition ssaDef | ssaDef.getAssignable() = a |
@@ -31,21 +41,33 @@ query predicate defReadInconsistency(
 query predicate readReadInconsistency(
   LocalScopeVariableRead read1, LocalScopeVariableRead read2, PreSsa::SimpleAssignable a, boolean b
 ) {
-  b = true and
-  a = read1.getTarget() and
-  PreSsa::adjacentReadPairSameVar(read1, read2) and
-  not Ssa::Internal::adjacentReadPairSameVar(read1, read2)
-  or
-  b = false and
-  a = read1.getTarget() and
-  Ssa::Internal::adjacentReadPairSameVar(read1, read2) and
-  read1.getTarget() instanceof PreSsa::SimpleAssignable and
-  not PreSsa::adjacentReadPairSameVar(read1, read2)
+  // Exclude definitions in callables with CFG splitting, as SSA definitions may be
+  // very different from pre-SSA definitions
+  not read1.getEnclosingCallable() instanceof CallableWithSplitting and
+  (
+    b = true and
+    a = read1.getTarget() and
+    PreSsa::adjacentReadPairSameVar(read1, read2) and
+    not Ssa::Internal::adjacentReadPairSameVar(read1.getAControlFlowNode(), read2.getAControlFlowNode())
+    or
+    b = false and
+    a = read1.getTarget() and
+    Ssa::Internal::adjacentReadPairSameVar(read1.getAControlFlowNode(), read2.getAControlFlowNode()) and
+    read1.getTarget() instanceof PreSsa::SimpleAssignable and
+    not PreSsa::adjacentReadPairSameVar(read1, read2) and
+    // Exclude split CFG elements because SSA may be more precise than pre-SSA
+    // in those cases
+    not read1 instanceof SplitControlFlowElement and
+    not read2 instanceof SplitControlFlowElement
+  )
 }
 
 query predicate phiInconsistency(
   ControlFlowElement cfe, Expr e, PreSsa::SimpleAssignable a, boolean b
 ) {
+  // Exclude definitions in callables with CFG splitting, as SSA definitions may be
+  // very different from pre-SSA definitions
+  not cfe.getEnclosingCallable() instanceof CallableWithSplitting and
   exists(AssignableDefinition adef | e = adef.getExpr() |
     b = true and
     exists(PreSsa::Definition def | a = def.getAssignable() |

csharp/ql/test/library-tests/dataflow/ssa/ReadAdjacentRead.expected

@@ -98,6 +98,14 @@
 | Properties.cs:104:16:104:20 | Props | Properties.cs:114:20:114:35 | access to field Props | Properties.cs:115:21:115:36 | access to field Props |
 | Properties.cs:104:16:104:20 | Props | Properties.cs:115:21:115:30 | access to field Props | Properties.cs:116:17:116:26 | access to field Props |
 | Properties.cs:104:16:104:20 | Props | Properties.cs:115:21:115:36 | access to field Props | Properties.cs:116:17:116:32 | access to field Props |
+| Splitting.cs:3:18:3:18 | b | Splitting.cs:6:13:6:13 | access to parameter b | Splitting.cs:15:13:15:13 | access to parameter b |
+| Splitting.cs:5:13:5:13 | x | Splitting.cs:13:9:13:9 | access to local variable x | Splitting.cs:14:9:14:9 | access to local variable x |
+| Splitting.cs:5:13:5:13 | x | Splitting.cs:14:9:14:9 | access to local variable x | Splitting.cs:17:13:17:13 | access to local variable x |
+| Splitting.cs:22:18:22:18 | b | Splitting.cs:25:13:25:13 | access to parameter b | Splitting.cs:35:13:35:13 | access to parameter b |
+| Splitting.cs:24:13:24:13 | x | Splitting.cs:33:9:33:9 | access to local variable x | Splitting.cs:34:9:34:9 | access to local variable x |
+| Splitting.cs:24:13:24:13 | x | Splitting.cs:34:9:34:9 | access to local variable x | Splitting.cs:37:13:37:13 | access to local variable x |
+| Splitting.cs:42:18:42:18 | b | Splitting.cs:45:13:45:13 | access to parameter b | Splitting.cs:52:13:52:13 | access to parameter b |
+| Splitting.cs:44:13:44:13 | x | Splitting.cs:54:9:54:9 | access to local variable x | Splitting.cs:55:9:55:9 | access to local variable x |
 | Test.cs:8:13:8:13 | x | Test.cs:25:16:25:16 | access to local variable x | Test.cs:25:16:25:16 | access to local variable x |
 | Test.cs:9:13:9:13 | y | Test.cs:25:20:25:20 | access to local variable y | Test.cs:31:13:31:13 | access to local variable y |
 | Test.cs:9:13:9:13 | y | Test.cs:25:20:25:20 | access to local variable y | Test.cs:43:20:43:20 | access to local variable y |

csharp/ql/test/library-tests/dataflow/ssa/SSAPhi.expected

@@ -33,6 +33,8 @@
 | Properties.cs:33:19:33:22 | Properties.stat | Properties.cs:50:9:50:17 | SSA phi(Properties.stat) | Properties.cs:49:17:49:32 | SSA call def(Properties.stat) |
 | Properties.cs:61:23:61:23 | i | Properties.cs:63:16:63:16 | SSA phi(i) | Properties.cs:61:23:61:23 | SSA param(i) |
 | Properties.cs:61:23:61:23 | i | Properties.cs:63:16:63:16 | SSA phi(i) | Properties.cs:63:16:63:18 | SSA def(i) |
+| Splitting.cs:44:13:44:13 | x | Splitting.cs:54:9:54:21 | SSA phi(x) | Splitting.cs:46:13:46:19 | [b (line 42): true] SSA def(x) |
+| Splitting.cs:44:13:44:13 | x | Splitting.cs:54:9:54:21 | SSA phi(x) | Splitting.cs:49:13:49:19 | [b (line 42): false] SSA def(x) |
 | Test.cs:5:15:5:20 | param1 | Test.cs:25:16:25:16 | SSA phi(param1) | Test.cs:5:15:5:20 | SSA param(param1) |
 | Test.cs:5:15:5:20 | param1 | Test.cs:25:16:25:16 | SSA phi(param1) | Test.cs:27:17:27:24 | SSA def(param1) |
 | Test.cs:5:15:5:20 | param1 | Test.cs:33:9:33:19 | SSA phi(param1) | Test.cs:25:16:25:16 | SSA phi(param1) |

csharp/ql/test/library-tests/dataflow/ssa/Splitting.cs

@@ -0,0 +1,57 @@
+class Splitting
+{
+    void M1(bool b)
+    {
+        var x = "";
+        if (b)
+            x = "a";
+        else
+        {
+            x = "b";
+            x.ToString();
+        }
+        x.ToString();
+        x.ToString();
+        if (b)
+        {
+            x.ToString();
+            x = "c";
+        }
+    }
+
+    void M2(bool b)
+    {
+        var x = "";
+        if (b)
+            x = "a";
+        else
+        {
+            x = "b";
+            x.ToString();
+        }
+        x = "c";
+        x.ToString();
+        x.ToString();
+        if (b)
+        {
+            x.ToString();
+            x = "d";
+        }
+    }
+
+    void M3(bool b)
+    {
+        var x = "";
+        if (b)
+            x = "a";
+        else
+        {
+            x = "b";
+            x.ToString();
+        }
+        if (b)
+            b = false;
+        x.ToString();
+        x.ToString();
+    }
+}