C#: Implement CFG for not patterns

Author: hvitved

csharp/ql/src/semmle/code/csharp/controlflow/internal/Completion.qll

@@ -232,37 +232,61 @@ private Expr getQualifier(QualifiableExpr e) {
   result = e.getChildExpr(-1)
 }
 
+pragma[noinline]
+private predicate typePatternMustHaveMatchingCompletion(
+  TypePatternExpr tpe, Type t, Type strippedType
+) {
+  exists(Expr e, Expr stripped | mustHaveMatchingCompletion(e, tpe) |
+    stripped = e.stripCasts() and
+    t = tpe.getCheckedType() and
+    strippedType = stripped.getType() and
+    not t.containsTypeParameters() and
+    not strippedType.containsTypeParameters()
+  )
+}
+
+pragma[noinline]
+private Type typePatternCommonSubTypeLeft(Type t) {
+  typePatternMustHaveMatchingCompletion(_, t, _) and
+  result.isImplicitlyConvertibleTo(t) and
+  not result instanceof DynamicType
+}
+
+pragma[noinline]
+private Type typePatternCommonSubTypeRight(Type strippedType) {
+  typePatternMustHaveMatchingCompletion(_, _, strippedType) and
+  result.isImplicitlyConvertibleTo(strippedType) and
+  not result instanceof DynamicType
+}
+
+pragma[noinline]
+private predicate typePatternCommonSubType(Type t, Type strippedType) {
+  typePatternCommonSubTypeLeft(t) = typePatternCommonSubTypeRight(strippedType)
+}
+
 /**
- * Holds if expression `e` constantly matches (`value = true`) or constantly
- * non-matches (`value = false`).
+ * Holds if pattern expression `pe` constantly matches (`value = true`) or
+ * constantly non-matches (`value = false`).
  */
-private predicate isMatchingConstant(Expr e, boolean value) {
-  exists(Switch s | mustHaveMatchingCompletion(s, e) |
-    exists(Expr stripped | stripped = s.getExpr().stripCasts() |
-      exists(Case c, string strippedValue |
-        c = s.getACase() and
-        e = c.getPattern() and
-        strippedValue = stripped.getValue()
-      |
-        if strippedValue = e.getValue() then value = true else value = false
-      )
-      or
-      exists(Case c, TypePatternExpr tpe, Type t, Type strippedType | c = s.getACase() |
-        tpe = c.getPattern() and
-        e = tpe and
-        t = tpe.getCheckedType() and
-        strippedType = stripped.getType() and
-        not t.isImplicitlyConvertibleTo(strippedType) and
-        not t instanceof Interface and
-        not t.containsTypeParameters() and
-        not strippedType.containsTypeParameters() and
-        value = false
+private predicate isMatchingConstant(PatternExpr pe, boolean value) {
+  exists(Expr e | mustHaveMatchingCompletion(e, pe) |
+    exists(Expr stripped | stripped = e.stripCasts() |
+      exists(string strippedValue, string patternValue |
+        strippedValue = stripped.getValue() and
+        patternValue = pe.getValue() and
+        if strippedValue = patternValue then value = true else value = false
       )
     )
     or
-    e instanceof DiscardPatternExpr and
+    pe instanceof DiscardPatternExpr and
     value = true
   )
+  or
+  exists(Type t, Type strippedType |
+    typePatternMustHaveMatchingCompletion(pe, t, strippedType) and
+    not typePatternCommonSubType(t, strippedType) and
+    value = false
+  )
 }
 
 private class Overflowable extends UnaryOperation {
@@ -518,7 +542,20 @@ predicate switchMatching(Switch s, Case c, PatternExpr pe) {
   pe = c.getPattern()
 }
 
-private predicate mustHaveMatchingCompletion(Switch s, PatternExpr pe) { switchMatching(s, _, pe) }
+/**
+ * Holds if `pe` must have a matching completion, and `e` is the expression
+ * that is being matched.
+ */
+private predicate mustHaveMatchingCompletion(Expr e, PatternExpr pe) {
+  exists(Switch s |
+    switchMatching(s, _, pe) and
+    e = s.getExpr()
+  )
+  or
+  pe = any(IsExpr ie | inBooleanContext(ie) and e = ie.getExpr()).getPattern()
+  or
+  pe = any(UnaryPatternExpr upe | mustHaveMatchingCompletion(e, upe)).getPattern()
+}
 
 /**
  * Holds if a normal completion of `cfe` must be a matching completion. Thats is,
@@ -565,7 +602,13 @@ class SimpleCompletion extends NonNestedNormalCompletion, TSimpleCompletion {
  * completion (`NullnessCompletion`), a matching completion (`MatchingCompletion`),
  * or an emptiness completion (`EmptinessCompletion`).
  */
-abstract class ConditionalCompletion extends NonNestedNormalCompletion { }
+abstract class ConditionalCompletion extends NonNestedNormalCompletion {
+  /** Gets the Boolean value of this completion. */
+  abstract boolean getValue();
+
+  /** Gets the dual completion. */
+  abstract ConditionalCompletion getDual();
+}
 
 /**
  * A completion that represents evaluation of an expression
@@ -576,10 +619,9 @@ class BooleanCompletion extends ConditionalCompletion {
 
   BooleanCompletion() { this = TBooleanCompletion(value) }
 
-  /** Gets the Boolean value of this completion. */
-  boolean getValue() { result = value }
+  override boolean getValue() { result = value }
 
-  BooleanCompletion getDual() { result = TBooleanCompletion(value.booleanNot()) }
+  override BooleanCompletion getDual() { result = TBooleanCompletion(value.booleanNot()) }
 
   override BooleanSuccessor getAMatchingSuccessorType() { result.getValue() = value }
 
@@ -611,6 +653,10 @@ class NullnessCompletion extends ConditionalCompletion, TNullnessCompletion {
   /** Holds if the last sub expression of this expression evaluates to a non-`null` value. */
   predicate isNonNull() { value = false }
 
+  override boolean getValue() { result = value }
+
+  override NullnessCompletion getDual() { result = TNullnessCompletion(value.booleanNot()) }
+
   override NullnessSuccessor getAMatchingSuccessorType() { result.getValue() = value }
 
   override string toString() { if this.isNull() then result = "null" else result = "non-null" }
@@ -631,6 +677,10 @@ class MatchingCompletion extends ConditionalCompletion, TMatchingCompletion {
   /** Holds if there is not a match. */
   predicate isNonMatch() { value = false }
 
+  override boolean getValue() { result = value }
+
+  override MatchingCompletion getDual() { result = TMatchingCompletion(value.booleanNot()) }
+
   override MatchingSuccessor getAMatchingSuccessorType() { result.getValue() = value }
 
   override string toString() { if this.isMatch() then result = "match" else result = "no-match" }
@@ -648,6 +698,10 @@ class EmptinessCompletion extends ConditionalCompletion, TEmptinessCompletion {
   /** Holds if the emptiness test evaluates to `true`. */
   predicate isEmpty() { value = true }
 
+  override boolean getValue() { result = value }
+
+  override EmptinessCompletion getDual() { result = TEmptinessCompletion(value.booleanNot()) }
+
   override EmptinessSuccessor getAMatchingSuccessorType() { result.getValue() = value }
 
   override string toString() { if this.isEmpty() then result = "empty" else result = "non-empty" }

csharp/ql/src/semmle/code/csharp/controlflow/internal/ControlFlowGraphImpl.qll

@@ -368,7 +368,8 @@ module Expressions {
       not this instanceof NoNodeExpr and
       not this instanceof SwitchExpr and
       not this instanceof SwitchCaseExpr and
-      not this instanceof ConstructorInitializer
+      not this instanceof ConstructorInitializer and
+      not this instanceof NotPatternExpr
     }
 
     final override ControlFlowElement getChildElement(int i) { result = getExprChild(this, i) }
@@ -515,20 +516,14 @@ module Expressions {
 
     LogicalNotExprTree() { operand = this.getOperand() }
 
-    final override predicate propagatesAbnormal(ControlFlowElement child) {
-      child = this.getOperand()
-    }
+    final override predicate propagatesAbnormal(ControlFlowElement child) { child = operand }
 
     final override predicate first(ControlFlowElement first) { first(operand, first) }
 
     final override predicate succ(ControlFlowElement pred, ControlFlowElement succ, Completion c) {
       succ = this and
-      (
-        last(operand, pred, c.(BooleanCompletion).getDual())
-        or
-        last(operand, pred, c) and
-        c instanceof SimpleCompletion
-      )
+      last(operand, pred, c) and
+      c instanceof NormalCompletion
     }
   }
 
@@ -925,6 +920,22 @@ module Expressions {
       )
     }
   }
+
+  private class NotPatternExprTree extends PostOrderTree, NotPatternExpr {
+    private PatternExpr operand;
+
+    NotPatternExprTree() { operand = this.getPattern() }
+
+    final override predicate propagatesAbnormal(ControlFlowElement child) { child = operand }
+
+    final override predicate first(ControlFlowElement first) { first(operand, first) }
+
+    final override predicate succ(ControlFlowElement pred, ControlFlowElement succ, Completion c) {
+      succ = this and
+      last(operand, pred, c) and
+      c instanceof NormalCompletion
+    }
+  }
 }
 
 module Statements {

csharp/ql/src/semmle/code/csharp/controlflow/internal/Splitting.qll

@@ -465,6 +465,12 @@ module ConditionalCompletionSplitting {
         or
         last(succ.(SwitchCaseExpr).getBody(), pred, c) and
         completion = c
+        or
+        last(succ.(NotPatternExpr).getPattern(), pred, c) and
+        completion.(MatchingCompletion).getDual() = c
+        or
+        last(succ.(IsExpr).getPattern(), pred, c) and
+        completion.(BooleanCompletion).getValue() = c.(MatchingCompletion).getValue()
       )
     }
 

csharp/ql/test/library-tests/controlflow/graph/BasicBlock.expected

@@ -924,11 +924,17 @@
 | NullCoalescing.cs:15:31:15:31 | 0 | NullCoalescing.cs:16:17:16:18 | "" | 5 |
 | NullCoalescing.cs:16:17:16:25 | ... ?? ... | NullCoalescing.cs:17:13:17:19 | (...) ... | 5 |
 | NullCoalescing.cs:17:13:17:24 | ... ?? ... | NullCoalescing.cs:13:10:13:11 | exit M6 | 4 |
-| Patterns.cs:5:10:5:11 | enter M1 | Patterns.cs:8:13:8:23 | ... is ... | 9 |
+| Patterns.cs:5:10:5:11 | enter M1 | Patterns.cs:8:18:8:23 | Int32 i1 | 8 |
+| Patterns.cs:8:13:8:23 | [false] ... is ... | Patterns.cs:8:13:8:23 | [false] ... is ... | 1 |
+| Patterns.cs:8:13:8:23 | [true] ... is ... | Patterns.cs:8:13:8:23 | [true] ... is ... | 1 |
 | Patterns.cs:9:9:11:9 | {...} | Patterns.cs:10:13:10:42 | call to method WriteLine | 6 |
-| Patterns.cs:12:14:18:9 | if (...) ... | Patterns.cs:12:18:12:31 | ... is ... | 4 |
+| Patterns.cs:12:14:18:9 | if (...) ... | Patterns.cs:12:23:12:31 | String s1 | 3 |
+| Patterns.cs:12:18:12:31 | [false] ... is ... | Patterns.cs:12:18:12:31 | [false] ... is ... | 1 |
+| Patterns.cs:12:18:12:31 | [true] ... is ... | Patterns.cs:12:18:12:31 | [true] ... is ... | 1 |
 | Patterns.cs:13:9:15:9 | {...} | Patterns.cs:14:13:14:45 | call to method WriteLine | 6 |
-| Patterns.cs:16:14:18:9 | if (...) ... | Patterns.cs:16:18:16:28 | ... is ... | 4 |
+| Patterns.cs:16:14:18:9 | if (...) ... | Patterns.cs:16:23:16:28 | Object v1 | 3 |
+| Patterns.cs:16:18:16:28 | [false] ... is ... | Patterns.cs:16:18:16:28 | [false] ... is ... | 1 |
+| Patterns.cs:16:18:16:28 | [true] ... is ... | Patterns.cs:16:18:16:28 | [true] ... is ... | 1 |
 | Patterns.cs:17:9:18:9 | {...} | Patterns.cs:17:9:18:9 | {...} | 1 |
 | Patterns.cs:20:9:38:9 | switch (...) {...} | Patterns.cs:22:18:22:22 | "xyz" | 4 |
 | Patterns.cs:23:17:23:22 | break; | Patterns.cs:23:17:23:22 | break; | 1 |
@@ -944,26 +950,37 @@
 | Patterns.cs:35:13:35:20 | default: | Patterns.cs:37:17:37:22 | break; | 5 |
 | Patterns.cs:40:9:42:9 | switch (...) {...} | Patterns.cs:5:10:5:11 | exit M1 | 4 |
 | Patterns.cs:47:24:47:25 | enter M2 | Patterns.cs:47:24:47:25 | exit M2 | 7 |
-| Patterns.cs:50:24:50:25 | enter M3 | Patterns.cs:51:9:51:21 | ... is ... | 5 |
+| Patterns.cs:50:24:50:25 | enter M3 | Patterns.cs:51:18:51:21 | null | 3 |
+| Patterns.cs:51:9:51:21 | [false] ... is ... | Patterns.cs:51:9:51:21 | [false] ... is ... | 1 |
+| Patterns.cs:51:9:51:21 | [true] ... is ... | Patterns.cs:51:9:51:21 | [true] ... is ... | 1 |
 | Patterns.cs:51:9:51:39 | ... ? ... : ... | Patterns.cs:50:24:50:25 | exit M3 | 3 |
+| Patterns.cs:51:14:51:21 | [match] not ... | Patterns.cs:51:14:51:21 | [match] not ... | 1 |
+| Patterns.cs:51:14:51:21 | [no-match] not ... | Patterns.cs:51:14:51:21 | [no-match] not ... | 1 |
 | Patterns.cs:51:25:51:25 | access to parameter c | Patterns.cs:51:25:51:30 | ... is ... | 3 |
 | Patterns.cs:51:34:51:34 | access to parameter c | Patterns.cs:51:34:51:39 | ... is ... | 3 |
 | Patterns.cs:53:24:53:25 | enter M4 | Patterns.cs:53:24:53:25 | exit M4 | 10 |
-| Patterns.cs:56:26:56:27 | enter M5 | Patterns.cs:60:13:60:17 | not ... | 5 |
+| Patterns.cs:56:26:56:27 | enter M5 | Patterns.cs:60:17:60:17 | 1 | 4 |
 | Patterns.cs:58:16:62:9 | ... switch { ... } | Patterns.cs:56:26:56:27 | exit M5 | 4 |
+| Patterns.cs:60:13:60:17 | [match] not ... | Patterns.cs:60:13:60:17 | [match] not ... | 1 |
+| Patterns.cs:60:13:60:17 | [no-match] not ... | Patterns.cs:60:13:60:17 | [no-match] not ... | 1 |
 | Patterns.cs:60:22:60:28 | "not 1" | Patterns.cs:60:13:60:28 | ... => ... | 2 |
 | Patterns.cs:61:13:61:13 | _ | Patterns.cs:61:13:61:13 | _ | 1 |
 | Patterns.cs:61:18:61:24 | "other" | Patterns.cs:61:13:61:24 | ... => ... | 2 |
-| Patterns.cs:65:26:65:27 | enter M6 | Patterns.cs:69:13:69:17 | not ... | 5 |
+| Patterns.cs:65:26:65:27 | enter M6 | Patterns.cs:69:17:69:17 | 2 | 4 |
+| Patterns.cs:69:13:69:17 | [no-match] not ... | Patterns.cs:69:13:69:17 | [no-match] not ... | 1 |
 | Patterns.cs:70:13:70:13 | 2 | Patterns.cs:70:13:70:13 | 2 | 1 |
 | Patterns.cs:70:18:70:27 | "possible" | Patterns.cs:65:26:65:27 | exit M6 | 6 |
 | PostDominance.cs:5:10:5:11 | enter M1 | PostDominance.cs:5:10:5:11 | exit M1 | 7 |
-| PostDominance.cs:10:10:10:11 | enter M2 | PostDominance.cs:12:13:12:21 | ... is ... | 6 |
+| PostDominance.cs:10:10:10:11 | enter M2 | PostDominance.cs:12:18:12:21 | null | 5 |
 | PostDominance.cs:10:10:10:11 | exit M2 (normal) | PostDominance.cs:10:10:10:11 | exit M2 | 2 |
+| PostDominance.cs:12:13:12:21 | [false] ... is ... | PostDominance.cs:12:13:12:21 | [false] ... is ... | 1 |
+| PostDominance.cs:12:13:12:21 | [true] ... is ... | PostDominance.cs:12:13:12:21 | [true] ... is ... | 1 |
 | PostDominance.cs:13:13:13:19 | return ...; | PostDominance.cs:13:13:13:19 | return ...; | 1 |
 | PostDominance.cs:14:9:14:29 | ...; | PostDominance.cs:14:9:14:28 | call to method WriteLine | 3 |
-| PostDominance.cs:17:10:17:11 | enter M3 | PostDominance.cs:19:13:19:21 | ... is ... | 6 |
+| PostDominance.cs:17:10:17:11 | enter M3 | PostDominance.cs:19:18:19:21 | null | 5 |
 | PostDominance.cs:17:10:17:11 | exit M3 | PostDominance.cs:17:10:17:11 | exit M3 | 1 |
+| PostDominance.cs:19:13:19:21 | [false] ... is ... | PostDominance.cs:19:13:19:21 | [false] ... is ... | 1 |
+| PostDominance.cs:19:13:19:21 | [true] ... is ... | PostDominance.cs:19:13:19:21 | [true] ... is ... | 1 |
 | PostDominance.cs:20:45:20:53 | nameof(...) | PostDominance.cs:17:10:17:11 | exit M3 (abnormal) | 4 |
 | PostDominance.cs:21:9:21:29 | ...; | PostDominance.cs:17:10:17:11 | exit M3 (normal) | 4 |
 | Qualifiers.cs:7:16:7:21 | enter Method | Qualifiers.cs:7:16:7:21 | exit Method | 4 |
@@ -1079,7 +1096,9 @@
 | Switch.cs:156:50:156:52 | "b" | Switch.cs:156:41:156:52 | ... => ... | 2 |
 | Switch.cs:158:13:158:49 | ...; | Switch.cs:158:13:158:48 | call to method WriteLine | 5 |
 | Switch.cs:160:13:160:49 | ...; | Switch.cs:160:13:160:48 | call to method WriteLine | 5 |
-| TypeAccesses.cs:3:10:3:10 | enter M | TypeAccesses.cs:7:13:7:22 | ... is ... | 14 |
+| TypeAccesses.cs:3:10:3:10 | enter M | TypeAccesses.cs:7:18:7:22 | Int32 j | 13 |
+| TypeAccesses.cs:7:13:7:22 | [false] ... is ... | TypeAccesses.cs:7:13:7:22 | [false] ... is ... | 1 |
+| TypeAccesses.cs:7:13:7:22 | [true] ... is ... | TypeAccesses.cs:7:13:7:22 | [true] ... is ... | 1 |
 | TypeAccesses.cs:7:25:7:25 | ; | TypeAccesses.cs:7:25:7:25 | ; | 1 |
 | TypeAccesses.cs:8:9:8:28 | ... ...; | TypeAccesses.cs:3:10:3:10 | exit M | 5 |
 | VarDecls.cs:5:18:5:19 | enter M1 | VarDecls.cs:5:18:5:19 | exit M1 | 19 |