C#: Loop unrolling for foreach statements

Author: hvitved

csharp/ql/src/semmle/code/csharp/controlflow/ControlFlowElement.qll

@@ -32,19 +32,19 @@ class ControlFlowElement extends ExprOrStmtParent, @control_flow_element {
    * several `ControlFlow::Node`s, for example to represent the continuation
    * flow in a `try/catch/finally` construction.
    */
-  Node getAControlFlowNode() { result.getElement() = this }
+  Nodes::ElementNode getAControlFlowNode() { result.getElement() = this }
 
   /**
    * Gets a first control flow node executed within this element.
    */
-  Node getAControlFlowEntryNode() {
+  Nodes::ElementNode getAControlFlowEntryNode() {
     result = Internal::getAControlFlowEntryNode(this).getAControlFlowNode()
   }
 
   /**
    * Gets a potential last control flow node executed within this element.
    */
-  Node getAControlFlowExitNode() {
+  Nodes::ElementNode getAControlFlowExitNode() {
     result = Internal::getAControlFlowExitNode(this).getAControlFlowNode()
   }
 

csharp/ql/src/semmle/code/csharp/controlflow/ControlFlowGraph.qll

@@ -318,6 +318,8 @@ module ControlFlow {
     class ExceptionHandlerSplit = ExceptionHandlerSplitting::ExceptionHandlerSplitImpl;
 
     class BooleanSplit = BooleanSplitting::BooleanSplitImpl;
+
+    class LoopUnrollingSplit = LoopUnrollingSplitting::LoopUnrollingSplitImpl;
   }
 
   class BasicBlock = BBs::BasicBlock;

csharp/ql/src/semmle/code/csharp/controlflow/Guards.qll

@@ -1020,7 +1020,7 @@ module Internal {
     }
 
     /** Holds if pre-basic-block `bb` only is reached when guard `g` has abstract value `v`. */
-    private predicate preControls(Guard g, PreBasicBlocks::PreBasicBlock bb, AbstractValue v) {
+    predicate preControls(Guard g, PreBasicBlocks::PreBasicBlock bb, AbstractValue v) {
       exists(AbstractValue v0, Guard g0 | preControlsDirect(g0, bb, v0) |
         preImpliesSteps(g0, v0, g, v)
       )

csharp/ql/src/semmle/code/csharp/controlflow/internal/Splitting.qll

@@ -29,7 +29,8 @@ private module Cached {
     TInitializerSplitKind() or
     TFinallySplitKind() or
     TExceptionHandlerSplitKind() or
-    TBooleanSplitKind(BooleanSplitting::BooleanSplitSubKind kind) { kind.startsSplit(_) }
+    TBooleanSplitKind(BooleanSplitting::BooleanSplitSubKind kind) { kind.startsSplit(_) } or
+    TLoopUnrollingSplitKind(LoopUnrollingSplitting::UnrollableLoopStmt loop)
 
   cached
   newtype TSplit =
@@ -39,7 +40,8 @@ private module Cached {
     TBooleanSplit(BooleanSplitting::BooleanSplitSubKind kind, boolean branch) {
       kind.startsSplit(_) and
       (branch = true or branch = false)
-    }
+    } or
+    TLoopUnrollingSplit(LoopUnrollingSplitting::UnrollableLoopStmt loop)
 
   cached
   newtype TSplits =
@@ -1023,6 +1025,165 @@ module BooleanSplitting {
   }
 }
 
+module LoopUnrollingSplitting {
+  private import semmle.code.csharp.controlflow.Guards as Guards
+  private import PreBasicBlocks
+  private import PreSsa
+
+  /** Holds if `ce` is guarded by a (non-)empty check, as specified by `v`. */
+  private predicate emptinessGuarded(
+    Guards::Guard g, Guards::CollectionExpr ce, Guards::AbstractValues::EmptyCollectionValue v
+  ) {
+    exists(PreBasicBlock bb | Guards::Internal::preControls(g, bb, v) |
+      PreSsa::adjacentReadPairSameVar(g, ce) and
+      bb.getAnElement() = ce
+    )
+  }
+
+  /**
+   * A loop where the body is guaranteed to be executed at least once, and
+   * can therefore be unrolled in the control flow graph.
+   */
+  abstract class UnrollableLoopStmt extends LoopStmt {
+    /** Holds if the step `pred --c--> succ` should start loop unrolling. */
+    abstract predicate startUnroll(ControlFlowElement pred, ControlFlowElement succ, Completion c);
+
+    /** Holds if the step `pred --c--> succ` should stop loop unrolling. */
+    abstract predicate stopUnroll(ControlFlowElement pred, ControlFlowElement succ, Completion c);
+
+    /**
+     * Holds if any step `pred --c--> _` should be pruned from the unrolled loop
+     * (the loop condition evaluating to `false`).
+     */
+    abstract predicate pruneLoopCondition(ControlFlowElement pred, ConditionalCompletion c);
+
+    /** Gets a descendant that belongs to the body of this loop. */
+    ControlFlowElement getABodyDescendant() {
+      result = this.getBody()
+      or
+      exists(ControlFlowElement mid |
+        mid = this.getABodyDescendant() and
+        result = getAChild(mid, mid.getEnclosingCallable())
+      )
+    }
+  }
+
+  private class UnrollableForeachStmt extends UnrollableLoopStmt, ForeachStmt {
+    UnrollableForeachStmt() {
+      exists(Guards::AbstractValues::EmptyCollectionValue v | v.isNonEmpty() |
+        emptinessGuarded(_, this.getIterableExpr(), v)
+        or
+        this.getIterableExpr() = v.getAnExpr()
+      )
+    }
+
+    override predicate startUnroll(ControlFlowElement pred, ControlFlowElement succ, Completion c) {
+      pred = last(this.getIterableExpr(), c) and
+      succ = this
+    }
+
+    override predicate stopUnroll(ControlFlowElement pred, ControlFlowElement succ, Completion c) {
+      pred = last(this.getBody(), c) and
+      succ = succ(pred, c) and
+      not succ = this.getABodyDescendant()
+    }
+
+    override predicate pruneLoopCondition(ControlFlowElement pred, ConditionalCompletion c) {
+      pred = this and
+      c.(EmptinessCompletion).isEmpty()
+    }
+  }
+
+  /**
+   * A split for loops where the body is guaranteed to be executed at least once, and
+   * can therefore be unrolled in the control flow graph. For example, in
+   *
+   * ```
+   * void M(string[] args)
+   * {
+   *     if (args.Length == 0)
+   *         return;
+   *     foreach (var arg in args)
+   *         System.Console.WriteLine(args);
+   * }
+   * ```
+   *
+   * the `foreach` loop is guaranteed to be executed at least once, as a result of the
+   * `args.Length == 0` check.
+   */
+  class LoopUnrollingSplitImpl extends SplitImpl, TLoopUnrollingSplit {
+    UnrollableLoopStmt loop;
+
+    LoopUnrollingSplitImpl() { this = TLoopUnrollingSplit(loop) }
+
+    override string toString() {
+      result = "unroll (line " + loop.getLocation().getStartLine() + ")"
+    }
+  }
+
+  private int getListOrder(UnrollableLoopStmt loop) {
+    exists(Callable c, int r | c = loop.getEnclosingCallable() |
+      result = r + BooleanSplitting::getNextListOrder() - 1 and
+      loop = rank[r](UnrollableLoopStmt loop0 |
+          loop0.getEnclosingCallable() = c
+        |
+          loop0 order by loop0.getLocation().getStartLine(), loop0.getLocation().getStartColumn()
+        )
+    )
+  }
+
+  int getNextListOrder() {
+    result = max(int i | i = getListOrder(_) + 1 or i = BooleanSplitting::getNextListOrder())
+  }
+
+  private class LoopUnrollingSplitKind extends SplitKind, TLoopUnrollingSplitKind {
+    private UnrollableLoopStmt loop;
+
+    LoopUnrollingSplitKind() { this = TLoopUnrollingSplitKind(loop) }
+
+    override int getListOrder() { result = getListOrder(loop) }
+
+    override string toString() { result = "Unroll" }
+  }
+
+  private class LoopUnrollingSplitInternal extends SplitInternal, LoopUnrollingSplitImpl {
+    override LoopUnrollingSplitKind getKind() { result = TLoopUnrollingSplitKind(loop) }
+
+    override predicate hasEntry(ControlFlowElement pred, ControlFlowElement succ, Completion c) {
+      loop.startUnroll(pred, succ, c)
+    }
+
+    override predicate hasEntry(Callable pred, ControlFlowElement succ) { none() }
+
+    /**
+     * Holds if this split applies to control flow element `pred`, where `pred`
+     * is a valid predecessor.
+     */
+    private predicate appliesToPredecessor(ControlFlowElement pred) {
+      this.appliesTo(pred) and
+      (exists(succ(pred, _)) or exists(succExit(pred, _)))
+    }
+
+    override predicate hasExit(ControlFlowElement pred, ControlFlowElement succ, Completion c) {
+      this.appliesToPredecessor(pred) and
+      loop.stopUnroll(pred, succ, c)
+    }
+
+    override Callable hasExit(ControlFlowElement pred, Completion c) {
+      this.appliesToPredecessor(pred) and
+      result = succExit(pred, c) and
+      not loop.pruneLoopCondition(pred, c)
+    }
+
+    override predicate hasSuccessor(ControlFlowElement pred, ControlFlowElement succ, Completion c) {
+      this.appliesToPredecessor(pred) and
+      succ = succ(pred, c) and
+      not loop.pruneLoopCondition(pred, c) and
+      not loop.stopUnroll(pred, succ, c)
+    }
+  }
+}
+
 /**
  * A set of control flow node splits. The set is represented by a list of splits,
  * ordered by ascending rank.

csharp/ql/src/semmle/code/csharp/dataflow/internal/BaseSSA.qll

@@ -9,14 +9,13 @@ module BaseSsa {
   private import ControlFlow
   private import AssignableDefinitions
 
+  pragma[noinline]
+  Callable getAnAssigningCallable(LocalScopeVariable v) {
+    result = any(AssignableDefinition def | def.getTarget() = v).getEnclosingCallable()
+  }
+
   private class SimpleLocalScopeVariable extends LocalScopeVariable {
-    SimpleLocalScopeVariable() {
-      not exists(AssignableDefinition def1, AssignableDefinition def2 |
-        def1.getTarget() = this and
-        def2.getTarget() = this and
-        def1.getEnclosingCallable() != def2.getEnclosingCallable()
-      )
-    }
+    SimpleLocalScopeVariable() { not getAnAssigningCallable(this) != getAnAssigningCallable(this) }
   }
 
   /**

csharp/ql/test/library-tests/controlflow/graph/BasicBlock.expected

@@ -290,38 +290,39 @@
 | LoopUnrolling.cs:10:13:10:19 | return ...; | LoopUnrolling.cs:10:13:10:19 | return ...; | 1 |
 | LoopUnrolling.cs:11:9:12:35 | foreach (... ... in ...) ... | LoopUnrolling.cs:11:9:12:35 | foreach (... ... in ...) ... | 1 |
 | LoopUnrolling.cs:11:21:11:23 | String arg | LoopUnrolling.cs:12:13:12:34 | call to method WriteLine | 4 |
-| LoopUnrolling.cs:11:28:11:31 | access to parameter args | LoopUnrolling.cs:11:28:11:31 | access to parameter args | 1 |
-| LoopUnrolling.cs:15:10:15:11 | enter M2 | LoopUnrolling.cs:18:26:18:27 | access to local variable xs | 10 |
+| LoopUnrolling.cs:11:28:11:31 | access to parameter args | LoopUnrolling.cs:12:13:12:34 | [unroll (line 11)] call to method WriteLine | 6 |
+| LoopUnrolling.cs:15:10:15:11 | enter M2 | LoopUnrolling.cs:19:13:19:32 | [unroll (line 18)] call to method WriteLine | 15 |
 | LoopUnrolling.cs:15:10:15:11 | exit M2 | LoopUnrolling.cs:15:10:15:11 | exit M2 | 1 |
 | LoopUnrolling.cs:18:9:19:33 | foreach (... ... in ...) ... | LoopUnrolling.cs:18:9:19:33 | foreach (... ... in ...) ... | 1 |
 | LoopUnrolling.cs:18:21:18:21 | String x | LoopUnrolling.cs:19:13:19:32 | call to method WriteLine | 4 |
 | LoopUnrolling.cs:22:10:22:11 | enter M3 | LoopUnrolling.cs:24:29:24:32 | access to parameter args | 3 |
 | LoopUnrolling.cs:22:10:22:11 | exit M3 | LoopUnrolling.cs:22:10:22:11 | exit M3 | 1 |
 | LoopUnrolling.cs:24:9:26:40 | foreach (... ... in ...) ... | LoopUnrolling.cs:24:9:26:40 | foreach (... ... in ...) ... | 1 |
-| LoopUnrolling.cs:24:22:24:24 | Char arg | LoopUnrolling.cs:25:34:25:37 | access to parameter args | 2 |
+| LoopUnrolling.cs:24:22:24:24 | Char arg | LoopUnrolling.cs:26:17:26:39 | [unroll (line 25)] call to method WriteLine | 7 |
 | LoopUnrolling.cs:25:13:26:40 | foreach (... ... in ...) ... | LoopUnrolling.cs:25:13:26:40 | foreach (... ... in ...) ... | 1 |
 | LoopUnrolling.cs:25:26:25:29 | Char arg0 | LoopUnrolling.cs:26:17:26:39 | call to method WriteLine | 4 |
 | LoopUnrolling.cs:29:10:29:11 | enter M4 | LoopUnrolling.cs:32:26:32:27 | access to local variable xs | 7 |
 | LoopUnrolling.cs:29:10:29:11 | exit M4 | LoopUnrolling.cs:29:10:29:11 | exit M4 | 1 |
 | LoopUnrolling.cs:32:9:33:33 | foreach (... ... in ...) ... | LoopUnrolling.cs:32:9:33:33 | foreach (... ... in ...) ... | 1 |
 | LoopUnrolling.cs:32:21:32:21 | String x | LoopUnrolling.cs:33:13:33:32 | call to method WriteLine | 4 |
-| LoopUnrolling.cs:36:10:36:11 | enter M5 | LoopUnrolling.cs:40:26:40:27 | access to local variable xs | 17 |
+| LoopUnrolling.cs:36:10:36:11 | enter M5 | LoopUnrolling.cs:42:17:42:40 | [unroll (line 40), unroll (line 41)] call to method WriteLine | 27 |
 | LoopUnrolling.cs:36:10:36:11 | exit M5 | LoopUnrolling.cs:36:10:36:11 | exit M5 | 1 |
 | LoopUnrolling.cs:40:9:42:41 | foreach (... ... in ...) ... | LoopUnrolling.cs:40:9:42:41 | foreach (... ... in ...) ... | 1 |
-| LoopUnrolling.cs:40:21:40:21 | String x | LoopUnrolling.cs:41:30:41:31 | access to local variable ys | 2 |
+| LoopUnrolling.cs:40:21:40:21 | String x | LoopUnrolling.cs:42:17:42:40 | [unroll (line 41)] call to method WriteLine | 9 |
+| LoopUnrolling.cs:41:13:42:41 | [unroll (line 40)] foreach (... ... in ...) ... | LoopUnrolling.cs:41:13:42:41 | [unroll (line 40)] foreach (... ... in ...) ... | 1 |
 | LoopUnrolling.cs:41:13:42:41 | foreach (... ... in ...) ... | LoopUnrolling.cs:41:13:42:41 | foreach (... ... in ...) ... | 1 |
 | LoopUnrolling.cs:41:25:41:25 | String y | LoopUnrolling.cs:42:17:42:40 | call to method WriteLine | 6 |
-| LoopUnrolling.cs:45:10:45:11 | enter M6 | LoopUnrolling.cs:48:9:52:9 | foreach (... ... in ...) ... | 11 |
-| LoopUnrolling.cs:45:10:45:11 | exit M6 | LoopUnrolling.cs:45:10:45:11 | exit M6 | 1 |
-| LoopUnrolling.cs:48:21:48:21 | String x | LoopUnrolling.cs:49:9:52:9 | {...} | 2 |
-| LoopUnrolling.cs:50:13:50:17 | Label: | LoopUnrolling.cs:51:13:51:23 | goto ...; | 5 |
-| LoopUnrolling.cs:55:10:55:11 | enter M7 | LoopUnrolling.cs:58:9:64:9 | foreach (... ... in ...) ... | 11 |
+| LoopUnrolling.cs:41:25:41:25 | [unroll (line 40)] String y | LoopUnrolling.cs:42:17:42:40 | [unroll (line 40)] call to method WriteLine | 6 |
+| LoopUnrolling.cs:45:10:45:11 | enter M6 | LoopUnrolling.cs:49:9:52:9 | [unroll (line 48)] {...} | 13 |
+| LoopUnrolling.cs:50:13:50:17 | [unroll (line 48)] Label: | LoopUnrolling.cs:51:13:51:23 | [unroll (line 48)] goto ...; | 5 |
+| LoopUnrolling.cs:55:10:55:11 | enter M7 | LoopUnrolling.cs:60:17:60:17 | [unroll (line 58)] access to parameter b | 15 |
 | LoopUnrolling.cs:55:10:55:11 | exit M7 | LoopUnrolling.cs:55:10:55:11 | exit M7 | 1 |
-| LoopUnrolling.cs:58:21:58:21 | String x | LoopUnrolling.cs:60:17:60:17 | access to parameter b | 4 |
-| LoopUnrolling.cs:58:21:58:21 | [b (line 55): false] String x | LoopUnrolling.cs:60:17:60:17 | [b (line 55): false] access to parameter b | 4 |
-| LoopUnrolling.cs:58:21:58:21 | [b (line 55): true] String x | LoopUnrolling.cs:60:17:60:17 | [b (line 55): true] access to parameter b | 4 |
-| LoopUnrolling.cs:61:17:61:37 | [b (line 55): true] ...; | LoopUnrolling.cs:58:9:64:9 | [b (line 55): true] foreach (... ... in ...) ... | 9 |
-| LoopUnrolling.cs:62:13:63:37 | [b (line 55): false] if (...) ... | LoopUnrolling.cs:58:9:64:9 | [b (line 55): false] foreach (... ... in ...) ... | 3 |
+| LoopUnrolling.cs:58:9:64:9 | [b (line 55): false] foreach (... ... in ...) ... | LoopUnrolling.cs:58:9:64:9 | [b (line 55): false] foreach (... ... in ...) ... | 1 |
+| LoopUnrolling.cs:58:9:64:9 | [b (line 55): true] foreach (... ... in ...) ... | LoopUnrolling.cs:58:9:64:9 | [b (line 55): true] foreach (... ... in ...) ... | 1 |
+| LoopUnrolling.cs:58:21:58:21 | [b (line 55): false] String x | LoopUnrolling.cs:62:17:62:17 | [b (line 55): false] access to parameter b | 6 |
+| LoopUnrolling.cs:58:21:58:21 | [b (line 55): true] String x | LoopUnrolling.cs:63:17:63:36 | [b (line 55): true] call to method WriteLine | 12 |
+| LoopUnrolling.cs:61:17:61:37 | [b (line 55): true, unroll (line 58)] ...; | LoopUnrolling.cs:63:17:63:36 | [b (line 55): true, unroll (line 58)] call to method WriteLine | 8 |
+| LoopUnrolling.cs:62:13:63:37 | [b (line 55): false, unroll (line 58)] if (...) ... | LoopUnrolling.cs:62:17:62:17 | [b (line 55): false, unroll (line 58)] access to parameter b | 2 |
 | LoopUnrolling.cs:67:10:67:11 | enter M7 | LoopUnrolling.cs:69:14:69:23 | call to method Any | 6 |
 | LoopUnrolling.cs:67:10:67:11 | exit M7 | LoopUnrolling.cs:67:10:67:11 | exit M7 | 1 |
 | LoopUnrolling.cs:70:13:70:19 | return ...; | LoopUnrolling.cs:70:13:70:19 | return ...; | 1 |