Merge pull request #2095 from hvitved/csharp/type-unification

C#: Type unification library

Author: calumgrant

change-notes/1.23/analysis-csharp.md

@@ -47,5 +47,6 @@ The following changes in version 1.23 affect C# analysis in all applications.
   `TaintTracking::localExprTaint` predicate to make it easy to use the most
   common case of local data flow and taint: from one `Expr` to another.
 * Data is now tracked through null-coalescing expressions (`??`).
+* A new library `semmle.code.csharp.Unification` has been added. This library exposes two predicates `unifiable` and `subsumes` for calculating type unification and type subsumption, respectively.
 
 ## Changes to autobuilder

csharp/ql/src/semmle/code/csharp/Caching.qll

@@ -79,4 +79,21 @@ module Stages {
       forceCachingInSameStageRev()
     }
   }
+
+  cached
+  module UnificationStage {
+    private import semmle.code.csharp.Unification
+
+    cached
+    predicate forceCachingInSameStage() { any() }
+
+    cached
+    private predicate forceCachingInSameStageRev() {
+      exists(CompoundTypeKind k)
+      or
+      exists(Unification::UnconstrainedTypeParameter utp)
+      or
+      forceCachingInSameStageRev()
+    }
+  }
 }

csharp/ql/src/semmle/code/csharp/Conversion.qll

@@ -15,29 +15,48 @@ import Type
 private import semmle.code.csharp.frameworks.System
 private import semmle.code.csharp.frameworks.system.collections.Generic
 
-/**
- * INTERNAL: Do not use.
- *
- * Holds if there exists an implicit conversion from `fromType` to `toType`.
- *
- * 6.1: Implicit type conversions.
- *
- * The following conversions are classified as implicit conversions:
- *
- * - Identity conversions
- * - Implicit numeric conversions
- * - Implicit nullable conversions
- * - Implicit reference conversions
- * - Boxing conversions
- * - User-defined implicit conversions
- */
 cached
-predicate implicitConversion(Type fromType, Type toType) {
-  implicitConversionNonNull(fromType, toType)
-  or
-  defaultNullConversion(fromType, toType)
+private module Cached {
+  /**
+   * INTERNAL: Do not use.
+   *
+   * Holds if there exists an implicit conversion from `fromType` to `toType`.
+   *
+   * 6.1: Implicit type conversions.
+   *
+   * The following conversions are classified as implicit conversions:
+   *
+   * - Identity conversions
+   * - Implicit numeric conversions
+   * - Implicit nullable conversions
+   * - Implicit reference conversions
+   * - Boxing conversions
+   * - User-defined implicit conversions
+   */
+  cached
+  predicate implicitConversion(Type fromType, Type toType) {
+    implicitConversionNonNull(fromType, toType)
+    or
+    defaultNullConversion(fromType, toType)
+  }
+
+  /**
+   * INTERNAL: Do not use.
+   *
+   * Holds if there is a constant expression conversion from `fromType` to `toType`.
+   *
+   * 6.1.9: Implicit constant expression conversions.
+   */
+  cached
+  predicate convConstantExpr(SignedIntegralConstantExpr e, SimpleType toType) {
+    convConstantIntExpr(e, toType)
+    or
+    convConstantLongExpr(e) and toType instanceof ULongType
+  }
 }
 
+import Cached
+
 private predicate implicitConversionNonNull(Type fromType, Type toType) {
   convIdentity(fromType, toType)
   or
@@ -477,7 +496,7 @@ predicate convNullableType(ValueOrRefType fromType, NullableType toType) {
 // This is a deliberate, small Cartesian product, so we have manually lifted it to force the
 // evaluator to evaluate it in its entirety, rather than trying to optimize it in context.
 pragma[noinline]
-private predicate defaultNullConversion(Type fromType, Type toType) {
+predicate defaultNullConversion(Type fromType, Type toType) {
   fromType instanceof NullType and convNullType(toType)
 }
 
@@ -612,19 +631,6 @@ private predicate convBoxingValueType(ValueType fromType, Type toType) {
   toType = fromType.getABaseInterface+()
 }
 
-/**
- * INTERNAL: Do not use.
- *
- * Holds if there is a constant expression conversion from `fromType` to `toType`.
- *
- * 6.1.9: Implicit constant expression conversions.
- */
-predicate convConstantExpr(SignedIntegralConstantExpr e, SimpleType toType) {
-  convConstantIntExpr(e, toType)
-  or
-  convConstantLongExpr(e) and toType instanceof ULongType
-}
-
 private class SignedIntegralConstantExpr extends Expr {
   SignedIntegralConstantExpr() {
     this.getType() instanceof SignedIntegralType and

csharp/ql/src/semmle/code/csharp/Implements.qll

@@ -236,63 +236,13 @@ private Type getArgumentOrReturnType(Method m, int i) {
 }
 
 /**
- * INTERNAL: Do not use.
- *
  * Provides an implementation of Global Value Numbering for types
  * (see https://en.wikipedia.org/wiki/Global_value_numbering), where
  * types are considered equal modulo identity conversions and method
  * type parameters (at the same index).
  */
-module Gvn {
-  private newtype TCompoundTypeKind =
-    TPointerTypeKind() or
-    TNullableTypeKind() or
-    TArrayTypeKind(int dim, int rnk) {
-      exists(ArrayType at | dim = at.getDimension() and rnk = at.getRank())
-    } or
-    TConstructedType(UnboundGenericType ugt)
-
-  /** A type kind for a compound type. */
-  class CompoundTypeKind extends TCompoundTypeKind {
-    int getNumberOfTypeParameters() {
-      this = TPointerTypeKind() and result = 1
-      or
-      this = TNullableTypeKind() and result = 1
-      or
-      this = TArrayTypeKind(_, _) and result = 1
-      or
-      exists(UnboundGenericType ugt | this = TConstructedType(ugt) |
-        result = ugt.getNumberOfTypeParameters()
-      )
-    }
-
-    string toString() {
-      this = TPointerTypeKind() and result = "*"
-      or
-      this = TNullableTypeKind() and result = "?"
-      or
-      exists(int dim, int rnk | this = TArrayTypeKind(dim, rnk) |
-        result = "[" + dim + ", " + rnk + "]"
-      )
-      or
-      exists(UnboundGenericType ugt | this = TConstructedType(ugt) |
-        result = ugt.getNameWithoutBrackets()
-      )
-    }
-
-    Location getLocation() { result instanceof EmptyLocation }
-  }
-
-  /** Gets the type kind for type `t`, if any. */
-  CompoundTypeKind getTypeKind(Type t) {
-    result = TPointerTypeKind() and t instanceof PointerType
-    or
-    result = TNullableTypeKind() and t instanceof NullableType
-    or
-    t = any(ArrayType at | result = TArrayTypeKind(at.getDimension(), at.getRank()))
-    or
-    result = TConstructedType(t.(ConstructedType).getUnboundGeneric())
-  }
+private module Gvn {
+  private import semmle.code.csharp.Unification
 
   private class MethodTypeParameter extends TypeParameter {
     MethodTypeParameter() { this = any(UnboundGenericMethod ugm).getATypeParameter() }
@@ -310,38 +260,47 @@ module Gvn {
   private newtype TGvnType =
     TLeafGvnType(int i) { id(_, i) } or
     TMethodTypeParameterGvnType(int i) { i = any(MethodTypeParameter p).getIndex() } or
-    TConstructedGvnType(TConstructedGvnType0 t)
+    TConstructedGvnType(ConstructedGvnTypeList l)
 
-  private newtype TConstructedGvnType0 =
+  private newtype TConstructedGvnTypeList =
     TConstructedGvnTypeNil(CompoundTypeKind k) or
-    TConstructedGvnTypeCons(TGvnType head, TConstructedGvnType0 tail) {
-      gvnConstructedCons(_, _, head, tail)
+    TConstructedGvnTypeCons(GvnType head, ConstructedGvnTypeList tail) {
+      gvnConstructedCons(_, _, _, head, tail)
     }
 
-  private TConstructedGvnType0 gvnConstructed(Type t, int i) {
-    result = TConstructedGvnTypeNil(getTypeKind(t)) and i = -1
+  private ConstructedGvnTypeList gvnConstructed(Type t, CompoundTypeKind k, int i) {
+    result = TConstructedGvnTypeNil(k) and
+    i = -1 and
+    k = getTypeKind(t)
     or
-    exists(TGvnType head, TConstructedGvnType0 tail | gvnConstructedCons(t, i, head, tail) |
+    exists(GvnType head, ConstructedGvnTypeList tail | gvnConstructedCons(t, k, i, head, tail) |
       result = TConstructedGvnTypeCons(head, tail)
     )
   }
 
   pragma[noinline]
-  private TGvnType gvnTypeChild(Type t, int i) { result = getGlobalValueNumber(t.getChild(i)) }
+  private GvnType gvnTypeChild(Type t, int i) { result = getGlobalValueNumber(t.getChild(i)) }
 
   pragma[noinline]
-  private predicate gvnConstructedCons(Type t, int i, TGvnType head, TConstructedGvnType0 tail) {
-    tail = gvnConstructed(t, i - 1) and
+  private predicate gvnConstructedCons(
+    Type t, CompoundTypeKind k, int i, GvnType head, ConstructedGvnTypeList tail
+  ) {
+    tail = gvnConstructed(t, k, i - 1) and
     head = gvnTypeChild(t, i)
   }
 
   /** Gets the global value number for a given type. */
+  pragma[nomagic]
   GvnType getGlobalValueNumber(Type t) {
     result = TLeafGvnType(any(int i | id(t, i)))
     or
     result = TMethodTypeParameterGvnType(t.(MethodTypeParameter).getIndex())
     or
-    result = TConstructedGvnType(gvnConstructed(t, getTypeKind(t).getNumberOfTypeParameters() - 1))
+    exists(ConstructedGvnTypeList l, CompoundTypeKind k, int i |
+      l = gvnConstructed(t, k, i) and
+      i = k.getNumberOfTypeParameters() - 1 and
+      result = TConstructedGvnType(l)
+    )
   }
 
   /** A global value number for a type. */
@@ -351,40 +310,42 @@ module Gvn {
       or
       exists(int i | this = TMethodTypeParameterGvnType(i) | result = "M!" + i)
       or
-      exists(GvnConstructedType t | this = TConstructedGvnType(t) | result = t.toString())
+      exists(ConstructedGvnTypeList l | this = TConstructedGvnType(l) | result = l.toString())
     }
 
     Location getLocation() { result instanceof EmptyLocation }
   }
 
-  /** A global value number for a constructed type. */
-  class GvnConstructedType extends TConstructedGvnType0 {
-    private CompoundTypeKind getKind() {
-      this = TConstructedGvnTypeNil(result)
+  private class ConstructedGvnTypeList extends TConstructedGvnTypeList {
+    private int length() {
+      this = TConstructedGvnTypeNil(_) and result = -1
       or
-      exists(GvnConstructedType tail | this = TConstructedGvnTypeCons(_, tail) |
-        result = tail.getKind()
+      exists(ConstructedGvnTypeList tail | this = TConstructedGvnTypeCons(_, tail) |
+        result = tail.length() + 1
       )
     }
 
     private GvnType getArg(int i) {
-      this = TConstructedGvnTypeCons(result, TConstructedGvnTypeNil(_)) and
-      i = 0
-      or
-      exists(GvnConstructedType tail | this = TConstructedGvnTypeCons(result, tail) |
-        exists(tail.getArg(i - 1))
+      exists(GvnType head, ConstructedGvnTypeList tail |
+        this = TConstructedGvnTypeCons(head, tail)
+      |
+        result = head and
+        i = this.length()
+        or
+        result = tail.getArg(i)
       )
     }
 
     language[monotonicAggregates]
     string toString() {
-      exists(CompoundTypeKind k | k = this.getKind() |
-        result = k + "<" +
-            concat(int i |
-              i in [0 .. k.getNumberOfTypeParameters() - 1]
-            |
-              this.getArg(i).toString(), ", "
-            ) + ">"
+      exists(CompoundTypeKind k, string args |
+        this = gvnConstructed(_, k, _) and
+        args = concat(int i |
+            i in [0 .. k.getNumberOfTypeParameters() - 1]
+          |
+            this.getArg(i).toString(), ", " order by i
+          ) and
+        result = k.toString(args)
       )
     }
 

csharp/ql/src/semmle/code/csharp/Type.qll

@@ -941,6 +941,8 @@ class TupleType extends ValueType, @tuple_type {
   }
 
   override string getLabel() { result = getUnderlyingType().getLabel() }
+
+  override Type getChild(int i) { result = this.getUnderlyingType().getChild(i) }
 }
 
 /**