Merge pull request #3986 from hvitved/csharp/null-maybe-null-coalescing-assignment

hvitved · web-flow · commit 632713c475aa · 2020-07-30T14:20:00.000+02:00
C#: Fix false-positives in `cs/dereferenced-value-may-be-null`
diff --git a/csharp/ql/src/semmle/code/csharp/controlflow/Guards.qll b/csharp/ql/src/semmle/code/csharp/controlflow/Guards.qll
@@ -876,6 +876,8 @@ module Internal {
     not e.(QualifiableExpr).isConditional()
     or
     e instanceof SuppressNullableWarningExpr
+    or
+    e.stripCasts().getType() = any(ValueType t | not t instanceof NullableType)
   }
 
   /** Holds if expression `e2` is a non-`null` value whenever `e1` is. */
diff --git a/csharp/ql/src/semmle/code/csharp/dataflow/Nullness.qll b/csharp/ql/src/semmle/code/csharp/dataflow/Nullness.qll
@@ -197,42 +197,44 @@ private predicate isNullDefaultArgument(Ssa::ExplicitDefinition def, AlwaysNullE
 
 /** Holds if `def` is an SSA definition that may be `null`. */
 private predicate defMaybeNull(Ssa::Definition def, string msg, Element reason) {
-  // A variable compared to `null` might be `null`
-  exists(G::DereferenceableExpr de | de = def.getARead() |
-    reason = de.getANullCheck(_, true) and
-    msg = "as suggested by $@ null check" and
-    not de = any(Ssa::PseudoDefinition pdef).getARead() and
-    strictcount(Element e | e = any(Ssa::Definition def0 | de = def0.getARead()).getElement()) = 1 and
-    not nonNullDef(def) and
-    // Don't use a check as reason if there is a `null` assignment
-    // or argument
-    not def.(Ssa::ExplicitDefinition).getADefinition().getSource() instanceof MaybeNullExpr and
-    not isMaybeNullArgument(def, _)
-  )
-  or
-  // A parameter might be `null` if there is a `null` argument somewhere
-  isMaybeNullArgument(def, reason) and
+  not nonNullDef(def) and
   (
-    if reason instanceof AlwaysNullExpr
-    then msg = "because of $@ null argument"
-    else msg = "because of $@ potential null argument"
-  )
-  or
-  isNullDefaultArgument(def, reason) and msg = "because the parameter has a null default value"
-  or
-  // If the source of a variable is `null` then the variable may be `null`
-  exists(AssignableDefinition adef | adef = def.(Ssa::ExplicitDefinition).getADefinition() |
-    adef.getSource() instanceof MaybeNullExpr and
-    reason = adef.getExpr() and
-    msg = "because of $@ assignment"
-  )
-  or
-  // A variable of nullable type may be null
-  exists(Dereference d | dereferenceAt(_, _, def, d) |
-    d.hasNullableType() and
-    not def instanceof Ssa::PseudoDefinition and
-    reason = def.getSourceVariable().getAssignable() and
-    msg = "because it has a nullable type"
+    // A variable compared to `null` might be `null`
+    exists(G::DereferenceableExpr de | de = def.getARead() |
+      reason = de.getANullCheck(_, true) and
+      msg = "as suggested by $@ null check" and
+      not de = any(Ssa::PseudoDefinition pdef).getARead() and
+      strictcount(Element e | e = any(Ssa::Definition def0 | de = def0.getARead()).getElement()) = 1 and
+      // Don't use a check as reason if there is a `null` assignment
+      // or argument
+      not def.(Ssa::ExplicitDefinition).getADefinition().getSource() instanceof MaybeNullExpr and
+      not isMaybeNullArgument(def, _)
+    )
+    or
+    // A parameter might be `null` if there is a `null` argument somewhere
+    isMaybeNullArgument(def, reason) and
+    (
+      if reason instanceof AlwaysNullExpr
+      then msg = "because of $@ null argument"
+      else msg = "because of $@ potential null argument"
+    )
+    or
+    isNullDefaultArgument(def, reason) and msg = "because the parameter has a null default value"
+    or
+    // If the source of a variable is `null` then the variable may be `null`
+    exists(AssignableDefinition adef | adef = def.(Ssa::ExplicitDefinition).getADefinition() |
+      adef.getSource() instanceof MaybeNullExpr and
+      reason = adef.getExpr() and
+      msg = "because of $@ assignment"
+    )
+    or
+    // A variable of nullable type may be null
+    exists(Dereference d | dereferenceAt(_, _, def, d) |
+      d.hasNullableType() and
+      not def instanceof Ssa::PseudoDefinition and
+      reason = def.getSourceVariable().getAssignable() and
+      msg = "because it has a nullable type"
+    )
   )
 }
 
diff --git a/csharp/ql/test/library-tests/cil/dataflow/Nullness.expected b/csharp/ql/test/library-tests/cil/dataflow/Nullness.expected
@@ -8,7 +8,10 @@ alwaysNull
 | dataflow.cs:80:21:80:44 | access to property NullProperty |
 | dataflow.cs:89:31:89:44 | call to method NullFunction |
 alwaysNotNull
+| dataflow.cs:71:13:71:20 | access to local variable nonNull1 |
+| dataflow.cs:71:13:71:35 | Int32 nonNull1 = ... |
 | dataflow.cs:71:24:71:35 | default(...) |
+| dataflow.cs:71:32:71:34 | access to type Int32 |
 | dataflow.cs:72:27:72:30 | this access |
 | dataflow.cs:72:27:72:40 | call to method GetType |
 | dataflow.cs:73:30:73:33 | true |
@@ -25,6 +28,7 @@ alwaysNotNull
 | dataflow.cs:85:24:85:30 | access to local variable nonNull |
 | dataflow.cs:85:24:85:55 | call to method ReturnsNonNullIndirect |
 | dataflow.cs:86:24:86:30 | access to local variable nonNull |
+| dataflow.cs:89:24:89:27 | access to field cond |
 | dataflow.cs:89:24:89:27 | this access |
 | dataflow.cs:89:31:89:44 | this access |
 | dataflow.cs:89:48:89:51 | this access |
diff --git a/csharp/ql/test/query-tests/Nullness/E.cs b/csharp/ql/test/query-tests/Nullness/E.cs
@@ -385,6 +385,32 @@ static bool Ex37(E e1, E e2)
             return true;
         return e1.Long == e2.Long; // GOOD (false positive)
     }
+
+    int Ex38(int? i)
+    {
+        i ??= 0;
+        return i.Value; // GOOD
+    }
+
+    System.Drawing.Color Ex39(System.Drawing.Color? color)
+    {
+        color ??= System.Drawing.Color.White;
+        return color.Value; // GOOD
+    }
+
+    int Ex40()
+    {
+        int? i = null;
+        i ??= null;
+        return i.Value; // BAD (always)
+    }
+
+    int Ex41()
+    {
+        int? i = 1;
+        i ??= null;
+        return i.Value; // GOOD
+    }
 }
 
 public static class Extensions
@@ -393,4 +419,4 @@ public static void M1(this string s) { }
     public static int M2(this string s) => s.Length;
 }
 
-// semmle-extractor-options: /r:System.Linq.dll
+// semmle-extractor-options: /r:System.Linq.dll /r:System.Drawing.Primitives.dll
diff --git a/csharp/ql/test/query-tests/Nullness/Implications.expected b/csharp/ql/test/query-tests/Nullness/Implications.expected
@@ -1115,12 +1115,14 @@
 | E.cs:176:13:176:14 | access to local variable b2 | true | E.cs:175:19:175:42 | ... ? ... : ... | true |
 | E.cs:176:13:176:22 | ... == ... | false | E.cs:176:13:176:14 | (...) ... | non-null |
 | E.cs:176:13:176:22 | ... == ... | true | E.cs:176:13:176:14 | (...) ... | null |
+| E.cs:176:13:176:22 | ... == ... | true | E.cs:176:19:176:22 | null | non-null |
 | E.cs:180:13:180:23 | ... == ... | false | E.cs:180:13:180:15 | access to parameter obj | non-null |
 | E.cs:180:13:180:23 | ... == ... | true | E.cs:180:13:180:15 | access to parameter obj | null |
 | E.cs:184:13:184:14 | (...) ... | non-null | E.cs:184:13:184:14 | access to parameter b1 | non-null |
 | E.cs:184:13:184:14 | (...) ... | null | E.cs:184:13:184:14 | access to parameter b1 | null |
 | E.cs:184:13:184:22 | ... == ... | false | E.cs:184:13:184:14 | (...) ... | non-null |
 | E.cs:184:13:184:22 | ... == ... | true | E.cs:184:13:184:14 | (...) ... | null |
+| E.cs:184:13:184:22 | ... == ... | true | E.cs:184:19:184:22 | null | non-null |
 | E.cs:193:19:193:29 | call to method ToString | non-null | E.cs:193:17:193:17 | access to parameter o | non-null |
 | E.cs:198:17:198:29 | ... ? ... : ... | non-null | E.cs:198:17:198:17 | access to parameter b | false |
 | E.cs:198:17:198:29 | ... ? ... : ... | non-null | E.cs:198:28:198:29 | "" | non-null |
@@ -1256,6 +1258,26 @@
 | E.cs:384:13:384:36 | ... && ... | true | E.cs:384:27:384:36 | ... == ... | true |
 | E.cs:384:27:384:36 | ... == ... | false | E.cs:384:27:384:28 | access to parameter e2 | non-null |
 | E.cs:384:27:384:36 | ... == ... | true | E.cs:384:27:384:28 | access to parameter e2 | null |
+| E.cs:404:9:404:9 | access to local variable i | non-null | E.cs:403:18:403:21 | null | non-null |
+| E.cs:404:9:404:9 | access to local variable i | null | E.cs:403:18:403:21 | null | null |
+| E.cs:404:9:404:18 | ... = ... | non-null | E.cs:404:9:404:9 | access to local variable i | non-null |
+| E.cs:404:9:404:18 | ... = ... | non-null | E.cs:404:9:404:18 | ... ?? ... | non-null |
+| E.cs:404:9:404:18 | ... = ... | null | E.cs:404:9:404:9 | access to local variable i | null |
+| E.cs:404:9:404:18 | ... = ... | null | E.cs:404:9:404:18 | ... ?? ... | null |
+| E.cs:404:9:404:18 | ... ?? ... | null | E.cs:404:9:404:9 | access to local variable i | null |
+| E.cs:404:9:404:18 | ... ?? ... | null | E.cs:404:15:404:18 | null | null |
+| E.cs:405:16:405:16 | access to local variable i | non-null | E.cs:404:9:404:18 | ... ?? ... | non-null |
+| E.cs:405:16:405:16 | access to local variable i | null | E.cs:404:9:404:18 | ... ?? ... | null |
+| E.cs:411:9:411:9 | access to local variable i | non-null | E.cs:410:18:410:18 | (...) ... | non-null |
+| E.cs:411:9:411:9 | access to local variable i | null | E.cs:410:18:410:18 | (...) ... | null |
+| E.cs:411:9:411:18 | ... = ... | non-null | E.cs:411:9:411:9 | access to local variable i | non-null |
+| E.cs:411:9:411:18 | ... = ... | non-null | E.cs:411:9:411:18 | ... ?? ... | non-null |
+| E.cs:411:9:411:18 | ... = ... | null | E.cs:411:9:411:9 | access to local variable i | null |
+| E.cs:411:9:411:18 | ... = ... | null | E.cs:411:9:411:18 | ... ?? ... | null |
+| E.cs:411:9:411:18 | ... ?? ... | null | E.cs:411:9:411:9 | access to local variable i | null |
+| E.cs:411:9:411:18 | ... ?? ... | null | E.cs:411:15:411:18 | null | null |
+| E.cs:412:16:412:16 | access to local variable i | non-null | E.cs:411:9:411:18 | ... ?? ... | non-null |
+| E.cs:412:16:412:16 | access to local variable i | null | E.cs:411:9:411:18 | ... ?? ... | null |
 | Forwarding.cs:9:13:9:30 | !... | false | Forwarding.cs:9:14:9:30 | call to method IsNullOrEmpty | true |
 | Forwarding.cs:9:13:9:30 | !... | true | Forwarding.cs:9:14:9:30 | call to method IsNullOrEmpty | false |
 | Forwarding.cs:9:14:9:14 | access to local variable s | empty | Forwarding.cs:7:20:7:23 | null | empty |
diff --git a/csharp/ql/test/query-tests/Nullness/NullAlways.expected b/csharp/ql/test/query-tests/Nullness/NullAlways.expected
@@ -36,6 +36,7 @@
 | E.cs:323:13:323:14 | access to parameter s1 | Variable $@ is always null here. | E.cs:319:29:319:30 | s1 | s1 |
 | E.cs:324:13:324:14 | access to parameter s2 | Variable $@ is always null here. | E.cs:319:40:319:41 | s2 | s2 |
 | E.cs:331:9:331:9 | access to local variable x | Variable $@ is always null here. | E.cs:330:13:330:13 | x | x |
+| E.cs:405:16:405:16 | access to local variable i | Variable $@ is always null here. | E.cs:403:14:403:14 | i | i |
 | Forwarding.cs:36:31:36:31 | access to local variable s | Variable $@ is always null here. | Forwarding.cs:7:16:7:16 | s | s |
 | Forwarding.cs:40:27:40:27 | access to local variable s | Variable $@ is always null here. | Forwarding.cs:7:16:7:16 | s | s |
 | NullAlwaysBad.cs:9:30:9:30 | access to parameter s | Variable $@ is always null here. | NullAlwaysBad.cs:7:29:7:29 | s | s |
diff --git a/csharp/ql/test/query-tests/Nullness/NullCheck.expected b/csharp/ql/test/query-tests/Nullness/NullCheck.expected
@@ -219,10 +219,12 @@
 | E.cs:175:19:175:29 | ... == ... | E.cs:175:19:175:21 | access to parameter obj | true | true |
 | E.cs:176:13:176:22 | ... == ... | E.cs:176:13:176:14 | (...) ... | false | false |
 | E.cs:176:13:176:22 | ... == ... | E.cs:176:13:176:14 | (...) ... | true | true |
+| E.cs:176:13:176:22 | ... == ... | E.cs:176:19:176:22 | null | true | false |
 | E.cs:180:13:180:23 | ... == ... | E.cs:180:13:180:15 | access to parameter obj | false | false |
 | E.cs:180:13:180:23 | ... == ... | E.cs:180:13:180:15 | access to parameter obj | true | true |
 | E.cs:184:13:184:22 | ... == ... | E.cs:184:13:184:14 | (...) ... | false | false |
 | E.cs:184:13:184:22 | ... == ... | E.cs:184:13:184:14 | (...) ... | true | true |
+| E.cs:184:13:184:22 | ... == ... | E.cs:184:19:184:22 | null | true | false |
 | E.cs:193:17:193:17 | access to parameter o | E.cs:193:17:193:17 | access to parameter o | non-null | false |
 | E.cs:193:17:193:17 | access to parameter o | E.cs:193:17:193:17 | access to parameter o | null | true |
 | E.cs:208:13:208:23 | ... is ... | E.cs:208:13:208:13 | access to parameter s | false | true |
@@ -276,6 +278,14 @@
 | E.cs:384:13:384:22 | ... == ... | E.cs:384:13:384:14 | access to parameter e1 | true | true |
 | E.cs:384:27:384:36 | ... == ... | E.cs:384:27:384:28 | access to parameter e2 | false | false |
 | E.cs:384:27:384:36 | ... == ... | E.cs:384:27:384:28 | access to parameter e2 | true | true |
+| E.cs:391:9:391:9 | access to parameter i | E.cs:391:9:391:9 | access to parameter i | non-null | false |
+| E.cs:391:9:391:9 | access to parameter i | E.cs:391:9:391:9 | access to parameter i | null | true |
+| E.cs:397:9:397:13 | access to parameter color | E.cs:397:9:397:13 | access to parameter color | non-null | false |
+| E.cs:397:9:397:13 | access to parameter color | E.cs:397:9:397:13 | access to parameter color | null | true |
+| E.cs:404:9:404:9 | access to local variable i | E.cs:404:9:404:9 | access to local variable i | non-null | false |
+| E.cs:404:9:404:9 | access to local variable i | E.cs:404:9:404:9 | access to local variable i | null | true |
+| E.cs:411:9:411:9 | access to local variable i | E.cs:411:9:411:9 | access to local variable i | non-null | false |
+| E.cs:411:9:411:9 | access to local variable i | E.cs:411:9:411:9 | access to local variable i | null | true |
 | Forwarding.cs:9:14:9:30 | call to method IsNullOrEmpty | Forwarding.cs:9:14:9:14 | access to local variable s | false | false |
 | Forwarding.cs:14:13:14:32 | call to method IsNotNullOrEmpty | Forwarding.cs:14:13:14:13 | access to local variable s | true | false |
 | Forwarding.cs:19:14:19:23 | call to method IsNull | Forwarding.cs:19:14:19:14 | access to local variable s | false | false |
diff --git a/csharp/ql/test/query-tests/Nullness/NullMaybe.expected b/csharp/ql/test/query-tests/Nullness/NullMaybe.expected
@@ -370,6 +370,9 @@ nodes
 | E.cs:384:27:384:28 | access to parameter e2 |
 | E.cs:386:16:386:17 | access to parameter e1 |
 | E.cs:386:27:386:28 | access to parameter e2 |
+| E.cs:404:9:404:18 | SSA def(i) |
+| E.cs:404:9:404:18 | SSA def(i) |
+| E.cs:405:16:405:16 | access to local variable i |
 | Forwarding.cs:7:16:7:23 | SSA def(s) |
 | Forwarding.cs:14:9:17:9 | if (...) ... |
 | Forwarding.cs:19:9:22:9 | if (...) ... |
@@ -719,6 +722,8 @@ edges
 | E.cs:384:9:385:24 | if (...) ... | E.cs:384:27:384:28 | access to parameter e2 |
 | E.cs:384:9:385:24 | if (...) ... | E.cs:386:27:386:28 | access to parameter e2 |
 | E.cs:384:27:384:28 | access to parameter e2 | E.cs:386:16:386:17 | access to parameter e1 |
+| E.cs:404:9:404:18 | SSA def(i) | E.cs:405:16:405:16 | access to local variable i |
+| E.cs:404:9:404:18 | SSA def(i) | E.cs:405:16:405:16 | access to local variable i |
 | Forwarding.cs:7:16:7:23 | SSA def(s) | Forwarding.cs:14:9:17:9 | if (...) ... |
 | Forwarding.cs:14:9:17:9 | if (...) ... | Forwarding.cs:19:9:22:9 | if (...) ... |
 | Forwarding.cs:19:9:22:9 | if (...) ... | Forwarding.cs:24:9:27:9 | if (...) ... |

Original file line number	Diff line number	Diff line change
`@@ -876,6 +876,8 @@ module Internal {`
`876`	`876`	`not e.(QualifiableExpr).isConditional()`
`877`	`877`	`or`
`878`	`878`	`e instanceof SuppressNullableWarningExpr`
	`879`	`+ or`
	`880`	`+ e.stripCasts().getType() = any(ValueType t \| not t instanceof NullableType)`
`879`	`881`	`}`
`880`	`882`
`881`	`883`	/** Holds if expression `e2` is a non-`null` value whenever `e1` is. */