Merge pull request #2139 from hvitved/csharp/dataflow/callcontext-bool-pruning

C#: Data-flow pruning based on call contexts

Author: calumgrant

csharp/ql/src/semmle/code/csharp/dataflow/internal/DataFlowPrivate.qll

@@ -3,10 +3,12 @@ private import cil
 private import dotnet
 private import DataFlowPublic
 private import DataFlowDispatch
+private import DataFlowImplCommon::Public
 private import ControlFlowReachability
 private import DelegateDataFlow
 private import semmle.code.csharp.Caching
 private import semmle.code.csharp.ExprOrStmtParent
+private import semmle.code.csharp.controlflow.Guards
 private import semmle.code.csharp.dataflow.LibraryTypeDataFlow
 private import semmle.code.csharp.dispatch.Dispatch
 private import semmle.code.csharp.frameworks.EntityFramework
@@ -439,6 +441,22 @@ private module Cached {
       c.(FieldLikeContent).getField() = node2.asExpr().(FieldLikeRead).getTarget()
     )
   }
+
+  /**
+   * Holds if the node `n` is unreachable when the call context is `call`.
+   */
+  cached
+  predicate isUnreachableInCall(Node n, DataFlowCall call) {
+    exists(
+      SsaDefinitionNode paramNode, Ssa::ExplicitDefinition param, Guard guard,
+      ControlFlow::SuccessorTypes::BooleanSuccessor bs
+    |
+      viableConstantBooleanParamArg(paramNode, bs.getValue().booleanNot(), call) and
+      paramNode.getDefinition() = param and
+      param.getARead() = guard and
+      guard.controlsBlock(n.getControlFlowNode().getBasicBlock(), bs)
+    )
+  }
 }
 
 import Cached
@@ -1358,4 +1376,31 @@ class DataFlowType = DotNet::Type;
 
 class DataFlowLocation = Location;
 
-predicate isUnreachableInCall(Node n, DataFlowCall call) { none() } // stub implementation
+/** Holds if `e` is an expression that always has the same Boolean value `val`. */
+private predicate constantBooleanExpr(Expr e, boolean val) {
+  e = any(AbstractValues::BooleanValue bv | val = bv.getValue()).getAnExpr()
+  or
+  exists(Ssa::ExplicitDefinition def, Expr src |
+    e = def.getARead() and
+    src = def.getADefinition().getSource() and
+    constantBooleanExpr(src, val)
+  )
+}
+
+/** An argument that always has the same Boolean value. */
+private class ConstantBooleanArgumentNode extends ExprNode {
+  ConstantBooleanArgumentNode() { constantBooleanExpr(this.(ArgumentNode).asExpr(), _) }
+
+  /** Gets the Boolean value of this expression. */
+  boolean getBooleanValue() { constantBooleanExpr(this.getExpr(), result) }
+}
+
+pragma[noinline]
+private predicate viableConstantBooleanParamArg(
+  SsaDefinitionNode paramNode, boolean b, DataFlowCall call
+) {
+  exists(ConstantBooleanArgumentNode arg |
+    viableParamArg(call, paramNode, arg) and
+    b = arg.getBooleanValue()
+  )
+}

csharp/ql/test/library-tests/dataflow/call-sensitivity/CallSensitivityFlow.cs

@@ -0,0 +1,220 @@
+public class A
+{
+    public static void Sink(object o)
+    {
+    }
+
+    public object FlowThrough(object o, bool cond)
+    {
+        if (cond)
+        {
+            return o;
+        }
+        else
+        {
+            return null;
+        }
+    }
+
+    public void CallSinkIfTrue(object o, bool cond)
+    {
+        if (cond)
+        {
+            Sink(o);
+        }
+    }
+
+    public void CallSinkIfFalse(object o, bool cond)
+    {
+        if (!cond)
+        {
+            Sink(o);
+        }
+    }
+
+    public void CallSinkFromLoop(object o, bool cond)
+    {
+        while (cond)
+        {
+            Sink(o);
+        }
+    }
+
+    public void LocalCallSensitivity(object o, bool c)
+    {
+        object o1 = o;
+        object o2 = null;
+        if (c)
+        {
+            object tmp = o1;
+            o2 = 1 == 1 ? (tmp) : (tmp);
+        }
+        object o3 = o2;
+        Sink(o3);
+    }
+
+    public void LocalCallSensitivity2(object o, bool b, bool c)
+    {
+        object o1 = o;
+        object o2 = null;
+        if (b || c)
+        {
+            object tmp = o1;
+            o2 = 1 == 1 ? (tmp) : (tmp);
+        }
+        object o3 = o2;
+        Sink(o3);
+    }
+
+    public void M1()
+    {
+        // should not exhibit flow
+        CallSinkIfTrue(new object(), false);
+        CallSinkIfFalse(new object(), true);
+        CallSinkFromLoop(new object(), false);
+        LocalCallSensitivity(new object(), false);
+        Sink(FlowThrough(new object(), false));
+        // should exhibit flow
+        CallSinkIfTrue(new object(), true);
+        CallSinkIfFalse(new object(), false);
+        CallSinkFromLoop(new object(), true);
+        LocalCallSensitivity(new object(), true);
+        LocalCallSensitivity2(new object(), true, true);
+        LocalCallSensitivity2(new object(), false, true);
+        LocalCallSensitivity2(new object(), true, false);
+        Sink(FlowThrough(new object(), true));
+        // expected false positive
+        LocalCallSensitivity2(new object(), false, false);
+    }
+
+    public void M2()
+    {
+        bool t = true;
+        bool f = false;
+        // should not exhibit flow
+        CallSinkIfTrue(new object(), f);
+        CallSinkIfFalse(new object(), t);
+        CallSinkFromLoop(new object(), f);
+        LocalCallSensitivity(new object(), f);
+        Sink(FlowThrough(new object(), f));
+        // should exhibit flow
+        CallSinkIfTrue(new object(), t);
+        CallSinkIfFalse(new object(), f);
+        CallSinkFromLoop(new object(), t);
+        LocalCallSensitivity(new object(), t);
+        Sink(FlowThrough(new object(), t));
+    }
+
+    public void M3(InterfaceA b)
+    {
+        bool t = true;
+        bool f = false;
+        // should not exhibit flow
+        b.CallSinkIfTrue(new object(), f);
+        b.CallSinkIfFalse(new object(), t);
+        b.LocalCallSensitivity(new object(), f);
+        // should exhibit flow
+        b.CallSinkIfTrue(new object(), t);
+        b.CallSinkIfFalse(new object(), f);
+        b.LocalCallSensitivity(new object(), t);
+    }
+
+    class B : InterfaceA
+    {
+        public void CallSinkIfTrue(object o, bool cond)
+        {
+            if (cond)
+            {
+                Sink(o);
+            }
+        }
+
+
+        public void CallSinkIfFalse(object o, bool cond)
+        {
+            if (!cond)
+            {
+                Sink(o);
+            }
+        }
+
+
+        public void LocalCallSensitivity(object o, bool c)
+        {
+            object o1 = o;
+            object o2 = null;
+            if (c)
+            {
+                object tmp = o1;
+                o2 = 1 == 1 ? (tmp) : (tmp);
+            }
+            object o3 = o2;
+            Sink(o3);
+        }
+    }
+}
+
+public class A2
+{
+
+    public static void Sink(object o)
+    {
+    }
+
+    public void M()
+    {
+
+    }
+
+    public void Callsite(InterfaceB intF)
+    {
+        B b = new B();
+        // in both possible implementations of foo, this callsite is relevant
+        // in IntA, it improves virtual dispatch,
+        // and in IntB, it improves the dataflow analysis.
+        intF.Foo(b, new object(), false);
+    }
+
+    private class B : A2
+    {
+        public void M()
+        {
+
+        }
+    }
+
+    private class IntA : InterfaceB
+    {
+
+        public void Foo(A2 obj, object o, bool cond)
+        {
+            obj.M();
+            Sink(o);
+        }
+    }
+
+    private class IntB : InterfaceB
+    {
+
+        public void Foo(A2 obj, object o, bool cond)
+        {
+            if (cond)
+            {
+                Sink(o);
+            }
+        }
+    }
+
+}
+
+public interface InterfaceA
+{
+    void CallSinkIfTrue(object o, bool cond);
+    void CallSinkIfFalse(object o, bool cond);
+    void LocalCallSensitivity(object o, bool c);
+}
+
+public interface InterfaceB
+{
+    void Foo(A2 a, object o, bool cond);
+}