C#: Add Guard::controlsBasicBlock() and simplify Guard::isEquality()

Author: hvitved

csharp/ql/src/semmle/code/csharp/controlflow/Guards.qll

@@ -33,29 +33,21 @@ class Guard extends Expr {
   }
 
   /**
-   * Holds if guard is an equality test between `e1` and `e2`. If the test is
+   * Holds if basic block `bb` is guarded by this expression having value `v`.
+   */
+  predicate controlsBasicBlock(BasicBlock bb, AbstractValue v) {
+    Internal::guardControls(this, bb, v)
+  }
+
+  /**
+   * Holds if this guard is an equality test between `e1` and `e2`. If the test is
    * negated, that is `!=`, then `polarity` is false, otherwise `polarity` is
    * true.
    */
   predicate isEquality(Expr e1, Expr e2, boolean polarity) {
-    exists(Expr exp1, Expr exp2 | equalityGuard(exp1, exp2, polarity) |
-      e1 = exp1 and e2 = exp2
-      or
-      e2 = exp1 and e1 = exp2
-    )
-  }
-
-  private predicate equalityGuard(Expr e1, Expr e2, boolean polarity) {
-    exists(ComparisonTest eqtest |
-      eqtest.getExpr() = this and
-      eqtest.getAnArgument() = e1 and
-      eqtest.getAnArgument() = e2 and
-      not e1 = e2 and
-      (
-        polarity = true and eqtest.getComparisonKind().isEquality()
-        or
-        polarity = false and eqtest.getComparisonKind().isInequality()
-      )
+    exists(BooleanValue v |
+      this = Internal::getAnEqualityCheck(e1, v, e2) and
+      polarity = v.getValue()
     )
   }
 }
@@ -970,31 +962,28 @@ module Internal {
     e = any(BinaryArithmeticOperation bao | result = bao.getAnOperand())
   }
 
-  /** Holds if basic block `bb` only is reached when guard `g` has abstract value `v`. */
-  private predicate guardControls(Guard g, BasicBlock bb, AbstractValue v) {
-    exists(ControlFlowElement cfe, ConditionalSuccessor s, AbstractValue v0, Guard g0 |
-      cfe.controlsBlock(bb, s)
-    |
-      v0.branch(cfe, s, g0) and
-      impliesSteps(g0, v0, g, v)
+  pragma[noinline]
+  private predicate assertionControlsNodeInSameBasicBlock0(
+    Guard g, AbstractValue v, BasicBlock bb, int i
+  ) {
+    exists(Assertion a, Guard g0, AbstractValue v0 |
+      asserts(a, g0, v0) and
+      impliesSteps(g0, v0, g, v) and
+      bb.getNode(i) = a.getAControlFlowNode()
     )
   }
 
   /**
    * Holds if control flow node `cfn` only is reached when guard `g` evaluates to `v`,
    * because of an assertion.
    */
-  private predicate guardAssertionControlsNode(Guard g, ControlFlow::Node cfn, AbstractValue v) {
-    exists(Assertion a, Guard g0, AbstractValue v0 |
-      asserts(a, g0, v0) and
-      impliesSteps(g0, v0, g, v)
-    |
-      a.strictlyDominates(cfn.getBasicBlock())
-      or
-      exists(BasicBlock bb, int i, int j | bb.getNode(i) = a.getAControlFlowNode() |
-        bb.getNode(j) = cfn and
-        j > i
-      )
+  private predicate assertionControlsNodeInSameBasicBlock(
+    Guard g, ControlFlow::Node cfn, AbstractValue v
+  ) {
+    exists(BasicBlock bb, int i, int j |
+      assertionControlsNodeInSameBasicBlock0(g, v, bb, i) and
+      bb.getNode(j) = cfn and
+      j > i
     )
   }
 
@@ -1004,7 +993,7 @@ module Internal {
    */
   private predicate guardAssertionControlsElement(Guard g, ControlFlowElement cfe, AbstractValue v) {
     forex(ControlFlow::Node cfn | cfn = cfe.getAControlFlowNode() |
-      guardAssertionControlsNode(g, cfn, v)
+      assertionControlsNodeInSameBasicBlock(g, cfn, v)
     )
   }
 
@@ -1318,24 +1307,6 @@ module Internal {
       )
     }
 
-    /**
-     * Gets an expression that tests whether expression `e1` is equal to
-     * expression `e2`.
-     *
-     * If the returned expression has abstract value `v`, then expression `e1` is
-     * guaranteed to be equal to `e2`, and if the returned expression has abstract
-     * value `v.getDualValue()`, then this expression is guaranteed to be
-     * non-equal to `e`.
-     *
-     * For example, if the expression `x != ""` evaluates to `false` then the
-     * expression `x` is guaranteed to be equal to `""`.
-     */
-    Expr getAnEqualityCheck(Expr e1, AbstractValue v, Expr e2) {
-      result = getABooleanEqualityCheck(e1, v, e2)
-      or
-      result = getAMatchingEqualityCheck(e1, v, e2)
-    }
-
     private Expr getAnEqualityCheckVal(Expr e, AbstractValue v, AbstractValue vExpr) {
       result = getAnEqualityCheck(e, v, vExpr.getAnExpr())
     }
@@ -1491,6 +1462,29 @@ module Internal {
         not e = any(LocalVariableDeclStmt s).getAVariableDeclExpr()
       }
 
+      /**
+       * Gets an expression that tests whether expression `e1` is equal to
+       * expression `e2`.
+       *
+       * If the returned expression has abstract value `v`, then expression `e1` is
+       * guaranteed to be equal to `e2`, and if the returned expression has abstract
+       * value `v.getDualValue()`, then this expression is guaranteed to be
+       * non-equal to `e`.
+       *
+       * For example, if the expression `x != ""` evaluates to `false` then the
+       * expression `x` is guaranteed to be equal to `""`.
+       */
+      cached
+      Expr getAnEqualityCheck(Expr e1, AbstractValue v, Expr e2) {
+        result = getABooleanEqualityCheck(e1, v, e2)
+        or
+        result = getABooleanEqualityCheck(e2, v, e1)
+        or
+        result = getAMatchingEqualityCheck(e1, v, e2)
+        or
+        result = getAMatchingEqualityCheck(e2, v, e1)
+      }
+
       cached
       predicate isCustomNullCheck(Call call, Expr arg, BooleanValue v, boolean isNull) {
         exists(Callable callable, Parameter p |
@@ -1776,7 +1770,7 @@ module Internal {
       exists(Guard g | e = getAChildExprStar(g) |
         guardControls(g, bb, _)
         or
-        guardAssertionControlsNode(g, bb.getANode(), _)
+        assertionControlsNodeInSameBasicBlock(g, bb.getANode(), _)
       )
     }
   }
@@ -1785,6 +1779,21 @@ module Internal {
   private module Cached {
     private import semmle.code.csharp.Caching
 
+    /** Holds if basic block `bb` only is reached when guard `g` has abstract value `v`. */
+    cached
+    predicate guardControls(Guard g, BasicBlock bb, AbstractValue v) {
+      exists(AbstractValue v0, Guard g0 | impliesSteps(g0, v0, g, v) |
+        exists(ControlFlowElement cfe, ConditionalSuccessor s |
+          v0.branch(cfe, s, g0) and cfe.controlsBlock(bb, s)
+        )
+        or
+        exists(Assertion a |
+          asserts(a, g0, v0) and
+          a.strictlyDominates(bb)
+        )
+      )
+    }
+
     pragma[noinline]
     private predicate isGuardedByNode0(
       ControlFlow::Node cfn, AccessOrCallExpr guarded, Guard g, AccessOrCallExpr sub,
@@ -1840,7 +1849,7 @@ module Internal {
     ) {
       isGuardedByNode0(guarded, _, g, sub, v)
       or
-      guardAssertionControlsNode(g, guarded, v) and
+      assertionControlsNodeInSameBasicBlock(g, guarded, v) and
       exists(ConditionOnExprComparisonConfig c | c.same(sub, guarded.getElement()))
     }
 

csharp/ql/src/semmle/code/csharp/dataflow/internal/rangeanalysis/SignAnalysisSpecific.qll

@@ -243,7 +243,7 @@ private module Impl {
    */
   predicate guardControlsSsaRead(Guard guard, SsaReadPosition controlled, boolean testIsTrue) {
     exists(BooleanValue b | b.getValue() = testIsTrue |
-      guard.controlsNode(controlled.(SsaReadPositionBlock).getBlock().getANode(), _, b)
+      guard.controlsBasicBlock(controlled.(SsaReadPositionBlock).getBlock(), b)
     )
   }
 

csharp/ql/test/library-tests/dataflow/signanalysis/SignAnalysis.cs

@@ -155,7 +155,7 @@ int Guards(int x, int y)
 
         if (y is -1)
         {
-            return y; // strictly negative [MISSING]
+            return y; // strictly negative
         }
 
         if (x < y)
@@ -289,7 +289,7 @@ void Loop(int i, int j, int k)
     void Assert(int i, bool b)
     {
         Debug.Assert(i > 0);
-        System.Console.WriteLine(i); // strictly positive
+        System.Console.WriteLine(i); // strictly positive [MISSING]
 
         if (b)
             System.Console.WriteLine(i); // strictly positive

csharp/ql/test/library-tests/dataflow/signanalysis/SignAnalysis.expected

@@ -106,6 +106,7 @@
 | SignAnalysis.cs:153:20:153:20 | access to parameter y | strictlyPositive |
 | SignAnalysis.cs:156:18:156:19 | -... | strictlyNegative |
 | SignAnalysis.cs:156:19:156:19 | 1 | strictlyPositive |
+| SignAnalysis.cs:158:20:158:20 | access to parameter y | strictlyNegative |
 | SignAnalysis.cs:161:13:161:13 | access to parameter x | positive |
 | SignAnalysis.cs:163:20:163:20 | access to parameter y | strictlyPositive |
 | SignAnalysis.cs:166:22:166:22 | 1 | strictlyPositive |
@@ -154,8 +155,6 @@
 | SignAnalysis.cs:278:42:278:42 | access to parameter k | positive |
 | SignAnalysis.cs:280:21:280:21 | access to parameter k | positive |
 | SignAnalysis.cs:280:26:280:26 | 5 | strictlyPositive |
-| SignAnalysis.cs:291:22:291:22 | access to parameter i | strictlyPositive |
-| SignAnalysis.cs:292:34:292:34 | access to parameter i | strictlyPositive |
 | SignAnalysis.cs:295:38:295:38 | access to parameter i | strictlyPositive |
 | SignAnalysis.cs:300:27:300:28 | -... | strictlyNegative |
 | SignAnalysis.cs:300:28:300:28 | 1 | strictlyPositive |

csharp/ql/test/query-tests/Nullness/EqualityCheck.expected

@@ -191,8 +191,11 @@
 | E.cs:85:18:85:29 | ... != ... | false | E.cs:85:18:85:21 | access to parameter vals | E.cs:85:26:85:29 | null |
 | E.cs:85:18:85:29 | ... != ... | false | E.cs:85:26:85:29 | null | E.cs:85:18:85:21 | access to parameter vals |
 | E.cs:90:17:90:27 | access to local variable switchguard | match access to constant MY_CONST_A | E.cs:90:17:90:27 | access to local variable switchguard | E.cs:92:18:92:27 | access to constant MY_CONST_A |
+| E.cs:90:17:90:27 | access to local variable switchguard | match access to constant MY_CONST_A | E.cs:92:18:92:27 | access to constant MY_CONST_A | E.cs:90:17:90:27 | access to local variable switchguard |
 | E.cs:90:17:90:27 | access to local variable switchguard | match access to constant MY_CONST_B | E.cs:90:17:90:27 | access to local variable switchguard | E.cs:97:18:97:27 | access to constant MY_CONST_B |
+| E.cs:90:17:90:27 | access to local variable switchguard | match access to constant MY_CONST_B | E.cs:97:18:97:27 | access to constant MY_CONST_B | E.cs:90:17:90:27 | access to local variable switchguard |
 | E.cs:90:17:90:27 | access to local variable switchguard | match access to constant MY_CONST_C | E.cs:90:17:90:27 | access to local variable switchguard | E.cs:95:18:95:27 | access to constant MY_CONST_C |
+| E.cs:90:17:90:27 | access to local variable switchguard | match access to constant MY_CONST_C | E.cs:95:18:95:27 | access to constant MY_CONST_C | E.cs:90:17:90:27 | access to local variable switchguard |
 | E.cs:126:21:126:29 | ... == ... | true | E.cs:126:21:126:24 | access to local variable step | E.cs:126:29:126:29 | 0 |
 | E.cs:126:21:126:29 | ... == ... | true | E.cs:126:29:126:29 | 0 | E.cs:126:21:126:24 | access to local variable step |
 | E.cs:153:13:153:24 | ... != ... | false | E.cs:153:13:153:16 | access to local variable obj2 | E.cs:153:21:153:24 | null |
@@ -216,6 +219,7 @@
 | E.cs:293:13:293:24 | ... == ... | true | E.cs:293:15:293:19 | call to method M2 | E.cs:293:24:293:24 | (...) ... |
 | E.cs:293:13:293:24 | ... == ... | true | E.cs:293:24:293:24 | (...) ... | E.cs:293:15:293:19 | call to method M2 |
 | E.cs:321:13:321:30 | ... is ... | true | E.cs:321:14:321:21 | ... ?? ... | E.cs:321:27:321:30 | null |
+| E.cs:321:13:321:30 | ... is ... | true | E.cs:321:27:321:30 | null | E.cs:321:14:321:21 | ... ?? ... |
 | E.cs:355:13:355:21 | dynamic call to operator != | false | E.cs:355:13:355:13 | access to local variable x | E.cs:355:18:355:21 | null |
 | E.cs:355:13:355:21 | dynamic call to operator != | false | E.cs:355:18:355:21 | null | E.cs:355:13:355:13 | access to local variable x |
 | E.cs:362:13:362:29 | ... != ... | false | E.cs:362:13:362:13 | access to local variable x | E.cs:362:18:362:29 | (...) ... |