Merge pull request #537 from hvitved/csharp/guards-splitting

C#: Make guards library work with CFG splitting

Author: calumgrant

csharp/ql/src/semmle/code/csharp/commons/Assertions.qll

@@ -2,6 +2,8 @@
 private import semmle.code.csharp.frameworks.system.Diagnostics
 private import semmle.code.csharp.frameworks.test.VisualStudio
 private import semmle.code.csharp.frameworks.System
+private import ControlFlow
+private import ControlFlow::BasicBlocks
 
 /** An assertion method. */
 abstract class AssertMethod extends Method {
@@ -46,6 +48,49 @@ class Assertion extends MethodCall {
   Expr getExpr() {
     result = this.getArgumentForParameter(target.getAssertedParameter())
   }
+
+  pragma[nomagic]
+  private JoinBlockPredecessor getAPossiblyDominatedPredecessor(JoinBlock jb) {
+    exists(BasicBlock bb |
+      bb = this.getAControlFlowNode().getBasicBlock() |
+      result = bb.getASuccessor*()
+    ) and
+    result.getASuccessor() = jb
+  }
+
+  pragma[nomagic]
+  private predicate isPossiblyDominatedJoinBlock(JoinBlock jb) {
+    exists(this.getAPossiblyDominatedPredecessor(jb)) and
+    forall(BasicBlock pred |
+      pred = jb.getAPredecessor() |
+      pred = this.getAPossiblyDominatedPredecessor(jb)
+    )
+  }
+
+  /**
+   * Holds if this assertion strictly dominates basic block `bb`. That is, `bb`
+   * can only be reached from the callable entry point by going via *some* basic
+   * block containing this element.
+   *
+   * This predicate is different from
+   * `this.getAControlFlowNode().getBasicBlock().strictlyDominates(bb)`
+   * in that it takes control flow splitting into account.
+   */
+  pragma[nomagic]
+  predicate strictlyDominates(BasicBlock bb) {
+    this.getAControlFlowNode().getBasicBlock().immediatelyDominates(bb)
+    or
+    if bb instanceof JoinBlock then
+      this.isPossiblyDominatedJoinBlock(bb) and
+      forall(BasicBlock pred |
+        pred = this.getAPossiblyDominatedPredecessor(bb) |
+        this.strictlyDominates(pred)
+        or
+        this.getAControlFlowNode().getBasicBlock() = pred
+      )
+    else
+      this.strictlyDominates(bb.getAPredecessor())
+  }
 }
 
 /** A trivially failing assertion, for example `Debug.Assert(false)`. */

csharp/ql/src/semmle/code/csharp/controlflow/BasicBlocks.qll

@@ -15,7 +15,7 @@ class BasicBlock extends TBasicBlockStart {
     result.getFirstNode() = getLastNode().getASuccessor()
   }
 
-  /** Gets an immediate successor of this basic block of a given flow type, if any. */
+  /** Gets an immediate successor of this basic block of a given type, if any. */
   BasicBlock getASuccessorByType(ControlFlow::SuccessorType t) {
     result.getFirstNode() = this.getLastNode().getASuccessorByType(t)
   }
@@ -25,6 +25,11 @@ class BasicBlock extends TBasicBlockStart {
     result.getASuccessor() = this
   }
 
+  /** Gets an immediate predecessor of this basic block of a given type, if any. */
+  BasicBlock getAPredecessorByType(ControlFlow::SuccessorType t) {
+    result.getASuccessorByType(t) = this
+  }
+
   /**
    * Gets an immediate `true` successor, if any.
    *
@@ -134,6 +139,31 @@ class BasicBlock extends TBasicBlockStart {
     result = strictcount(getANode())
   }
 
+  /**
+   * Holds if this basic block immediately dominates basic block `bb`.
+   *
+   * That is, all paths reaching basic block `bb` from some entry point
+   * basic block must go through this basic block (which is an immediate
+   * predecessor of `bb`).
+   *
+   * Example:
+   *
+   * ```
+   * int M(string s) {
+   *   if (s == null)
+   *     throw new ArgumentNullException(nameof(s));
+   *   return s.Length;
+   * }
+   * ```
+   *
+   * The basic block starting on line 2 strictly dominates the
+   * basic block on line 4 (all paths from the entry point of `M`
+   * to `return s.Length;` must go through the null check).
+   */
+  predicate immediatelyDominates(BasicBlock bb) {
+    bbIDominates(this, bb)
+  }
+
   /**
    * Holds if this basic block strictly dominates basic block `bb`.
    *
@@ -419,24 +449,42 @@ private predicate exitBB(BasicBlock bb) {
   bb.getLastNode() instanceof ControlFlow::Nodes::ExitNode
 }
 
-/**
- * A basic block with more than one predecessor.
- */
+/** A basic block with more than one predecessor. */
 class JoinBlock extends BasicBlock {
   JoinBlock() { getFirstNode().isJoin() }
 }
 
+/** A basic block that is an immediate predecessor of a join block. */
+class JoinBlockPredecessor extends BasicBlock {
+  JoinBlockPredecessor() {
+    this.getASuccessor() instanceof JoinBlock
+  }
+}
+
 /** A basic block that terminates in a condition, splitting the subsequent control flow. */
 class ConditionBlock extends BasicBlock {
   ConditionBlock() {
     this.getLastNode().isCondition()
   }
 
+  /**
+   * Holds if basic block `succ` is immediately controlled by this basic
+   * block with conditional value `s`. That is, `succ` is an immediate
+   * successor of this block, and `succ` can only be reached from
+   * the callable entry point by going via the `s` edge out of this basic block.
+   */
+  predicate immediatelyControls(BasicBlock succ, ConditionalSuccessor s) {
+    succ = this.getASuccessorByType(s) and
+    forall(BasicBlock pred |
+      pred = succ.getAPredecessor() and pred != this |
+      succ.dominates(pred)
+    )
+  }
+
   /**
    * Holds if basic block `controlled` is controlled by this basic block with
-   * Boolean value `testIsTrue`. That is, `controlled` can only be reached from
-   * the callable entry point by going via the true edge (`testIsTrue = true`)
-   * or false edge (`testIsTrue = false`) out of this basic block.
+   * conditional value `s`. That is, `controlled` can only be reached from
+   * the callable entry point by going via the `s` edge out of this basic block.
    */
   predicate controls(BasicBlock controlled, ConditionalSuccessor s) {
     /*
@@ -473,7 +521,7 @@ class ConditionBlock extends BasicBlock {
      * directly.
      */
     exists(BasicBlock succ |
-      isCandidateSuccessor(succ, s) |
+      this.immediatelyControls(succ, s) |
       succ.dominates(controlled)
     )
   }
@@ -529,14 +577,6 @@ class ConditionBlock extends BasicBlock {
     impliesSub(getLastNode().getElement(), cond, testIsTrue, condIsTrue) and
     controls(controlled, any(BooleanSuccessor s | s.getValue() = testIsTrue))
   }
-
-  private predicate isCandidateSuccessor(BasicBlock succ, ConditionalSuccessor s) {
-    succ = this.getASuccessorByType(s) and
-    forall(BasicBlock pred |
-      pred = succ.getAPredecessor() and pred != this |
-      succ.dominates(pred)
-    )
-  }
 }
 
 /**

csharp/ql/src/semmle/code/csharp/controlflow/ControlFlowElement.qll

@@ -1,7 +1,10 @@
 /** Provides the class `ControlFlowElement`. */
 
- import csharp
+import csharp
 private import semmle.code.csharp.ExprOrStmtParent
+private import ControlFlow
+private import ControlFlow::BasicBlocks
+private import SuccessorTypes
 
 /**
  * A program element that can possess control flow. That is, either a statement or
@@ -25,21 +28,21 @@ class ControlFlowElement extends ExprOrStmtParent, @control_flow_element {
    * several `ControlFlow::Node`s, for example to represent the continuation
    * flow in a `try/catch/finally` construction.
    */
-  ControlFlow::Node getAControlFlowNode() {
+  Node getAControlFlowNode() {
     result.getElement() = this
   }
 
   /**
    * Gets a first control flow node executed within this element.
    */
-  ControlFlow::Node getAControlFlowEntryNode() {
+  Node getAControlFlowEntryNode() {
     result = ControlFlowGraph::Internal::getAControlFlowEntryNode(this).getAControlFlowNode()
   }
 
   /**
    * Gets a potential last control flow node executed within this element.
    */
-  ControlFlow::Node getAControlFlowExitNode() {
+  Node getAControlFlowExitNode() {
     result = ControlFlowGraph::Internal::getAControlFlowExitNode(this).getAControlFlowNode()
   }
 
@@ -59,7 +62,7 @@ class ControlFlowElement extends ExprOrStmtParent, @control_flow_element {
   /** Gets an element that is reachable from this element. */
   ControlFlowElement getAReachableElement() {
     // Reachable in same basic block
-    exists(ControlFlow::BasicBlock bb, int i, int j |
+    exists(BasicBlock bb, int i, int j |
       bb.getNode(i) = getAControlFlowNode() and
       bb.getNode(j) = result.getAControlFlowNode() and
       i < j
@@ -68,4 +71,91 @@ class ControlFlowElement extends ExprOrStmtParent, @control_flow_element {
     // Reachable in different basic blocks
     getAControlFlowNode().getBasicBlock().getASuccessor+().getANode() = result.getAControlFlowNode()
   }
+
+  /**
+   * Holds if basic block `succ` is immediately controlled by this control flow
+   * element with conditional value `s`. That is, `succ` can only be reached from
+   * the callable entry point by going via the `s` edge out of *some* basic block
+   * `pred` ending with this element, and `pred` is an immediate predecessor
+   * of `succ`.
+   *
+   * This predicate is different from
+   * `this.getAControlFlowNode().getBasicBlock().(ConditionBlock).immediatelyControls(succ, s)`
+   * in that it takes control flow splitting into account.
+   */
+  pragma[nomagic]
+  private predicate immediatelyControls(BasicBlock succ, ConditionalSuccessor s) {
+    exists(ConditionBlock cb |
+      cb.getLastNode() = this.getAControlFlowNode() |
+      succ = cb.getASuccessorByType(s) and
+      forall(BasicBlock pred, SuccessorType  t |
+        pred = succ.getAPredecessorByType(t) and pred != cb |
+        succ.dominates(pred)
+        or
+        // `pred` might be another split of `cfe`
+        pred.getLastNode().getElement() = this and
+        pred.getASuccessorByType(t) = succ and
+        t = s
+      )
+    )
+  }
+
+  pragma[nomagic]
+  private JoinBlockPredecessor getAPossiblyControlledPredecessor(JoinBlock controlled, ConditionalSuccessor s) {
+    exists(BasicBlock mid |
+      this.immediatelyControls(mid, s) |
+      result = mid.getASuccessor*()
+    ) and
+    result.getASuccessor() = controlled
+  }
+
+  pragma[nomagic]
+  private predicate isPossiblyControlledJoinBlock(JoinBlock controlled, ConditionalSuccessor s) {
+    exists(this.getAPossiblyControlledPredecessor(controlled, s)) and
+    forall(BasicBlock pred |
+      pred = controlled.getAPredecessor() |
+      pred = this.getAPossiblyControlledPredecessor(controlled, s)
+    )
+  }
+
+  /**
+   * Holds if basic block `controlled` is controlled by this control flow element
+   * with conditional value `s`. That is, `controlled` can only be reached from
+   * the callable entry point by going via the `s` edge out of *some* basic block
+   * ending with this element.
+   *
+   * This predicate is different from
+   * `this.getAControlFlowNode().getBasicBlock().(ConditionBlock).controls(controlled, s)`
+   * in that it takes control flow splitting into account.
+   */
+  cached
+  predicate controlsBlock(BasicBlock controlled, ConditionalSuccessor s) {
+    this.immediatelyControls(controlled, s)
+    or
+    if controlled instanceof JoinBlock then
+      this.isPossiblyControlledJoinBlock(controlled, s) and
+      forall(BasicBlock pred |
+        pred = this.getAPossiblyControlledPredecessor(controlled, s) |
+        this.controlsBlock(pred, s)
+      )
+    else
+      this.controlsBlock(controlled.getAPredecessor(), s)
+  }
+
+  /**
+   * Holds if control flow element `controlled` is controlled by this control flow
+   * element with conditional value `s`. That is, `controlled` can only be reached
+   * from the callable entry point by going via the `s` edge out of this element.
+   *
+   * This predicate is different from
+   * `this.getAControlFlowNode().getBasicBlock().(ConditionBlock).controls(controlled.getAControlFlowNode().getBasicBlock(), s)`
+   * in that it takes control flow splitting into account.
+   */
+  pragma[inline] // potentially very large predicate, so must be inlined
+  predicate controlsElement(ControlFlowElement controlled, ConditionalSuccessor s) {
+    forex(BasicBlock bb |
+      bb = controlled.getAControlFlowNode().getBasicBlock() |
+      this.controlsBlock(bb, s)
+    )
+  }
 }

csharp/ql/src/semmle/code/csharp/controlflow/ControlFlowGraph.qll

@@ -183,7 +183,7 @@ module ControlFlow {
       )
     }
 
-    /** Gets a successor node of a given flow type, if any. */
+    /** Gets a successor node of a given type, if any. */
     Node getASuccessorByType(SuccessorType t) {
       result = getASuccessorByType(this, t)
     }
@@ -372,6 +372,7 @@ module ControlFlow {
     class EntryBlock = BBs::EntryBasicBlock;
     class ExitBlock = BBs::ExitBasicBlock;
     class JoinBlock = BBs::JoinBlock;
+    class JoinBlockPredecessor = BBs::JoinBlockPredecessor;
     class ConditionBlock = BBs::ConditionBlock;
   }
 
@@ -2549,7 +2550,7 @@ module ControlFlow {
           ) > 1
         }
 
-        private predicate isCandidateSuccessor(PreBasicBlock succ, ConditionalCompletion c) {
+        private predicate immediatelyControls(PreBasicBlock succ, ConditionalCompletion c) {
           succ = succ(this.getLastElement(), c) and
           forall(PreBasicBlock pred |
             pred = succ.getAPredecessor() and pred != this |
@@ -2559,7 +2560,7 @@ module ControlFlow {
 
         predicate controls(PreBasicBlock controlled, ConditionalSuccessor s) {
           exists(PreBasicBlock succ, ConditionalCompletion c |
-            isCandidateSuccessor(succ, c) |
+            immediatelyControls(succ, c) |
             succ.dominates(controlled) and
             s.matchesCompletion(c)
           )