Merge pull request #3610 from hvitved/csharp/dataflow/call-sensitivity

C#: Add call-sensitivity to data-flow call resolution

Author: calumgrant

csharp/ql/src/semmle/code/csharp/Unification.qll

@@ -685,7 +685,7 @@ module Unification {
   private import Cached
 
   /**
-   * Holds if types `t1` and `t2` are unifiable. That is, is it possible to replace
+   * Holds if types `t1` and `t2` are unifiable. That is, it is possible to replace
    * all type parameters in `t1` and `t2` with some (other) types to make the two
    * substituted terms equal.
    *
@@ -722,7 +722,7 @@ module Unification {
   }
 
   /**
-   * Holds if type `t1` subsumes type `t2`. That is, is it possible to replace all
+   * Holds if type `t1` subsumes type `t2`. That is, it is possible to replace all
    * type parameters in `t1` with some (other) types to make the two types equal.
    *
    * The same limitations that apply to the predicate `unifiable()` apply to this

csharp/ql/src/semmle/code/csharp/dataflow/internal/DataFlowDispatch.qll

@@ -117,23 +117,52 @@ private module Cached {
     result = call.(DelegateDataFlowCall).getARuntimeTarget(cc)
   }
 
+  /**
+   * Holds if the set of viable implementations that can be called by `call`
+   * might be improved by knowing the call context. This is the case if the
+   * call is a delegate call, or if the qualifier accesses a parameter of
+   * the enclosing callable `c` (including the implicit `this` parameter).
+   */
+  private predicate mayBenefitFromCallContext(DataFlowCall call, Callable c) {
+    c = call.getEnclosingCallable() and
+    (
+      exists(CallContext cc | exists(viableDelegateCallable(call, cc)) |
+        not cc instanceof EmptyCallContext
+      )
+      or
+      call.(NonDelegateDataFlowCall).getDispatchCall().mayBenefitFromCallContext()
+    )
+  }
+
   /**
    * Holds if the call context `ctx` reduces the set of viable run-time
    * targets of call `call` in `c`.
    */
   cached
   predicate reducedViableImplInCallContext(DataFlowCall call, DataFlowCallable c, DataFlowCall ctx) {
-    c = viableImpl(ctx) and
-    c = call.getEnclosingCallable() and
-    exists(CallContext cc | exists(viableDelegateCallable(call, cc)) |
-      not cc instanceof EmptyCallContext
+    exists(int tgts, int ctxtgts |
+      mayBenefitFromCallContext(call, c) and
+      c = viableCallable(ctx) and
+      ctxtgts = count(viableImplInCallContext(call, ctx)) and
+      tgts = strictcount(viableImpl(call)) and
+      ctxtgts < tgts
     )
   }
 
+  /**
+   * Gets a viable dispatch target of `call` in the context `ctx`. This is
+   * restricted to those `call`s for which a context might make a difference.
+   */
   private DotNet::Callable viableImplInCallContext(DataFlowCall call, DataFlowCall ctx) {
     exists(ArgumentCallContext cc | result = viableDelegateCallable(call, cc) |
       cc.isArgument(ctx.getExpr(), _)
     )
+    or
+    result =
+      call
+          .(NonDelegateDataFlowCall)
+          .getDispatchCall()
+          .getADynamicTargetInCallContext(ctx.(NonDelegateDataFlowCall).getDispatchCall())
   }
 
   /**
@@ -155,9 +184,10 @@ private module Cached {
   cached
   predicate reducedViableImplInReturn(DataFlowCallable c, DataFlowCall call) {
     exists(int tgts, int ctxtgts |
+      mayBenefitFromCallContext(call, _) and
       c = viableImpl(call) and
-      ctxtgts = strictcount(DataFlowCall ctx | c = viableImplInCallContext(call, ctx)) and
-      tgts = strictcount(DataFlowCall ctx | viableImpl(ctx) = call.getEnclosingCallable()) and
+      ctxtgts = count(DataFlowCall ctx | c = viableImplInCallContext(call, ctx)) and
+      tgts = strictcount(DataFlowCall ctx | viableCallable(ctx) = call.getEnclosingCallable()) and
       ctxtgts < tgts
     )
   }
@@ -278,6 +308,9 @@ class NonDelegateDataFlowCall extends DataFlowCall, TNonDelegateCall {
 
   NonDelegateDataFlowCall() { this = TNonDelegateCall(cfn, dc) }
 
+  /** Gets the underlying call. */
+  DispatchCall getDispatchCall() { result = dc }
+
   override DotNet::Callable getARuntimeTarget() {
     result = getCallableForDataFlow(dc.getADynamicTarget())
   }