C#: Skip foreach loop bodies in the CFG when the iteration expression is empty

Author: hvitved

csharp/ql/src/semmle/code/csharp/controlflow/ControlFlowGraph.qll

@@ -318,7 +318,7 @@ module ControlFlow {
 
     class BooleanSplit = BooleanSplitting::BooleanSplitImpl;
 
-    class LoopUnrollingSplit = LoopUnrollingSplitting::LoopUnrollingSplitImpl;
+    class LoopSplit = LoopSplitting::LoopSplitImpl;
   }
 
   class BasicBlock = BBs::BasicBlock;

csharp/ql/src/semmle/code/csharp/controlflow/internal/Splitting.qll

@@ -30,7 +30,7 @@ private module Cached {
     TFinallySplitKind(int nestLevel) { nestLevel = FinallySplitting::nestLevel(_) } or
     TExceptionHandlerSplitKind() or
     TBooleanSplitKind(BooleanSplitting::BooleanSplitSubKind kind) { kind.startsSplit(_) } or
-    TLoopUnrollingSplitKind(LoopUnrollingSplitting::UnrollableLoopStmt loop)
+    TLoopSplitKind(LoopSplitting::AnalyzableLoopStmt loop)
 
   cached
   newtype TSplit =
@@ -43,7 +43,7 @@ private module Cached {
       kind.startsSplit(_) and
       (branch = true or branch = false)
     } or
-    TLoopUnrollingSplit(LoopUnrollingSplitting::UnrollableLoopStmt loop)
+    TLoopSplit(LoopSplitting::AnalyzableLoopStmt loop)
 
   cached
   newtype TSplits =
@@ -1109,7 +1109,7 @@ module BooleanSplitting {
   }
 }
 
-module LoopUnrollingSplitting {
+module LoopSplitting {
   private import semmle.code.csharp.controlflow.Guards as Guards
   private import PreBasicBlocks
   private import PreSsa
@@ -1125,51 +1125,78 @@ module LoopUnrollingSplitting {
   }
 
   /**
-   * A loop where the body is guaranteed to be executed at least once, and
-   * can therefore be unrolled in the control flow graph.
+   * A loop where the body is guaranteed to be executed at least once, and hence
+   * can be unrolled in the control flow graph, or where the body is guaranteed
+   * to never be executed, and hence can be removed from the control flow graph.
    */
-  abstract class UnrollableLoopStmt extends LoopStmt {
-    /** Holds if the step `pred --c--> succ` should start loop unrolling. */
-    abstract predicate startUnroll(ControlFlowElement pred, ControlFlowElement succ, Completion c);
+  abstract class AnalyzableLoopStmt extends LoopStmt {
+    /** Holds if the step `pred --c--> succ` should start the split. */
+    abstract predicate start(ControlFlowElement pred, ControlFlowElement succ, Completion c);
 
-    /** Holds if the step `pred --c--> succ` should stop loop unrolling. */
-    abstract predicate stopUnroll(ControlFlowElement pred, ControlFlowElement succ, Completion c);
+    /** Holds if the step `pred --c--> succ` should stop the split. */
+    abstract predicate stop(ControlFlowElement pred, ControlFlowElement succ, Completion c);
 
     /**
-     * Holds if any step `pred --c--> _` should be pruned from the unrolled loop
-     * (the loop condition evaluating to `false`).
+     * Holds if any step `pred --c--> _` should be pruned from the control flow graph.
      */
     abstract predicate pruneLoopCondition(ControlFlowElement pred, ConditionalCompletion c);
+
+    /**
+     * Holds if the body is guaranteed to be executed at least once. If not, the
+     * body is guaranteed to never be executed.
+     */
+    abstract predicate isUnroll();
   }
 
-  private class UnrollableForeachStmt extends UnrollableLoopStmt, ForeachStmt {
-    UnrollableForeachStmt() {
-      exists(Guards::AbstractValues::EmptyCollectionValue v | v.isNonEmpty() |
-        emptinessGuarded(_, this.getIterableExpr(), v)
-        or
-        this.getIterableExpr() = v.getAnExpr()
-      )
+  private class AnalyzableForeachStmt extends AnalyzableLoopStmt, ForeachStmt {
+    Guards::AbstractValues::EmptyCollectionValue v;
+
+    AnalyzableForeachStmt() {
+      /*
+       * We use `unique` to avoid degenerate cases like
+       * ```csharp
+       * if (xs.Length == 0)
+       *     return;
+       * if (xs.Length > 0)
+       *     return;
+       * foreach (var x in xs)
+       *     ....
+       * ```
+       * where the iterator expression `xs` is guarded by both an emptiness check
+       * and a non-emptiness check.
+       */
+
+      v =
+        unique(Guards::AbstractValues::EmptyCollectionValue v0 |
+          emptinessGuarded(_, this.getIterableExpr(), v0)
+          or
+          this.getIterableExpr() = v0.getAnExpr()
+        |
+          v0
+        )
     }
 
-    override predicate startUnroll(ControlFlowElement pred, ControlFlowElement succ, Completion c) {
+    override predicate start(ControlFlowElement pred, ControlFlowElement succ, Completion c) {
       pred = last(this.getIterableExpr(), c) and
       succ = this
     }
 
-    override predicate stopUnroll(ControlFlowElement pred, ControlFlowElement succ, Completion c) {
+    override predicate stop(ControlFlowElement pred, ControlFlowElement succ, Completion c) {
       pred = this and
       succ = succ(pred, c)
     }
 
     override predicate pruneLoopCondition(ControlFlowElement pred, ConditionalCompletion c) {
       pred = this and
-      c.(EmptinessCompletion).isEmpty()
+      c = any(EmptinessCompletion ec | if v.isEmpty() then not ec.isEmpty() else ec.isEmpty())
     }
+
+    override predicate isUnroll() { v.isNonEmpty() }
   }
 
   /**
-   * A split for loops where the body is guaranteed to be executed at least once, and
-   * can therefore be unrolled in the control flow graph. For example, in
+   * A split for loops where the body is guaranteed to be executed at least once, or
+   * guaranteed to never be executed. For example, in
    *
    * ```csharp
    * void M(string[] args)
@@ -1184,21 +1211,23 @@ module LoopUnrollingSplitting {
    * the `foreach` loop is guaranteed to be executed at least once, as a result of the
    * `args.Length == 0` check.
    */
-  class LoopUnrollingSplitImpl extends SplitImpl, TLoopUnrollingSplit {
-    UnrollableLoopStmt loop;
+  class LoopSplitImpl extends SplitImpl, TLoopSplit {
+    AnalyzableLoopStmt loop;
 
-    LoopUnrollingSplitImpl() { this = TLoopUnrollingSplit(loop) }
+    LoopSplitImpl() { this = TLoopSplit(loop) }
 
     override string toString() {
-      result = "unroll (line " + loop.getLocation().getStartLine() + ")"
+      if loop.isUnroll()
+      then result = "unroll (line " + loop.getLocation().getStartLine() + ")"
+      else result = "skip (line " + loop.getLocation().getStartLine() + ")"
     }
   }
 
-  private int getListOrder(UnrollableLoopStmt loop) {
+  private int getListOrder(AnalyzableLoopStmt loop) {
     exists(Callable c, int r | c = loop.getEnclosingCallable() |
       result = r + BooleanSplitting::getNextListOrder() - 1 and
       loop =
-        rank[r](UnrollableLoopStmt loop0 |
+        rank[r](AnalyzableLoopStmt loop0 |
           loop0.getEnclosingCallable() = c
         |
           loop0 order by loop0.getLocation().getStartLine(), loop0.getLocation().getStartColumn()
@@ -1210,21 +1239,21 @@ module LoopUnrollingSplitting {
     result = max(int i | i = getListOrder(_) + 1 or i = BooleanSplitting::getNextListOrder())
   }
 
-  private class LoopUnrollingSplitKind extends SplitKind, TLoopUnrollingSplitKind {
-    private UnrollableLoopStmt loop;
+  private class LoopSplitKind extends SplitKind, TLoopSplitKind {
+    private AnalyzableLoopStmt loop;
 
-    LoopUnrollingSplitKind() { this = TLoopUnrollingSplitKind(loop) }
+    LoopSplitKind() { this = TLoopSplitKind(loop) }
 
     override int getListOrder() { result = getListOrder(loop) }
 
     override string toString() { result = "Unroll" }
   }
 
-  private class LoopUnrollingSplitInternal extends SplitInternal, LoopUnrollingSplitImpl {
-    override LoopUnrollingSplitKind getKind() { result = TLoopUnrollingSplitKind(loop) }
+  private class LoopUnrollingSplitInternal extends SplitInternal, LoopSplitImpl {
+    override LoopSplitKind getKind() { result = TLoopSplitKind(loop) }
 
     override predicate hasEntry(ControlFlowElement pred, ControlFlowElement succ, Completion c) {
-      loop.startUnroll(pred, succ, c)
+      loop.start(pred, succ, c)
     }
 
     override predicate hasEntry(Callable pred, ControlFlowElement succ) { none() }
@@ -1241,7 +1270,7 @@ module LoopUnrollingSplitting {
 
     override predicate hasExit(ControlFlowElement pred, ControlFlowElement succ, Completion c) {
       this.appliesToPredecessor(pred, c) and
-      loop.stopUnroll(pred, succ, c)
+      loop.stop(pred, succ, c)
     }
 
     override Callable hasExit(ControlFlowElement pred, Completion c) {
@@ -1252,7 +1281,7 @@ module LoopUnrollingSplitting {
     override predicate hasSuccessor(ControlFlowElement pred, ControlFlowElement succ, Completion c) {
       this.appliesToPredecessor(pred, c) and
       succ = succ(pred, c) and
-      not loop.stopUnroll(pred, succ, c)
+      not loop.stop(pred, succ, c)
     }
   }
 }

csharp/ql/test/library-tests/controlflow/graph/BasicBlock.expected

@@ -429,10 +429,7 @@
 | LoopUnrolling.cs:24:9:26:40 | foreach (... ... in ...) ... | LoopUnrolling.cs:24:9:26:40 | foreach (... ... in ...) ... | 1 |
 | LoopUnrolling.cs:24:22:24:24 | Char arg | LoopUnrolling.cs:25:13:26:40 | [unroll (line 25)] foreach (... ... in ...) ... | 3 |
 | LoopUnrolling.cs:25:26:25:29 | Char arg0 | LoopUnrolling.cs:25:13:26:40 | foreach (... ... in ...) ... | 5 |
-| LoopUnrolling.cs:29:10:29:11 | enter M4 | LoopUnrolling.cs:32:27:32:28 | access to local variable xs | 7 |
-| LoopUnrolling.cs:29:10:29:11 | exit M4 | LoopUnrolling.cs:29:10:29:11 | exit M4 | 1 |
-| LoopUnrolling.cs:32:9:33:33 | foreach (... ... in ...) ... | LoopUnrolling.cs:32:9:33:33 | foreach (... ... in ...) ... | 1 |
-| LoopUnrolling.cs:32:22:32:22 | String x | LoopUnrolling.cs:33:13:33:32 | call to method WriteLine | 4 |
+| LoopUnrolling.cs:29:10:29:11 | enter M4 | LoopUnrolling.cs:29:10:29:11 | exit M4 | 9 |
 | LoopUnrolling.cs:36:10:36:11 | enter M5 | LoopUnrolling.cs:40:9:42:41 | [unroll (line 40)] foreach (... ... in ...) ... | 18 |
 | LoopUnrolling.cs:36:10:36:11 | exit M5 | LoopUnrolling.cs:36:10:36:11 | exit M5 | 1 |
 | LoopUnrolling.cs:40:9:42:41 | foreach (... ... in ...) ... | LoopUnrolling.cs:40:9:42:41 | foreach (... ... in ...) ... | 1 |
@@ -449,17 +446,9 @@
 | LoopUnrolling.cs:67:10:67:11 | enter M8 | LoopUnrolling.cs:69:14:69:23 | call to method Any | 6 |
 | LoopUnrolling.cs:67:10:67:11 | exit M8 | LoopUnrolling.cs:67:10:67:11 | exit M8 | 1 |
 | LoopUnrolling.cs:70:13:70:19 | return ...; | LoopUnrolling.cs:70:13:70:19 | return ...; | 1 |
-| LoopUnrolling.cs:71:9:71:21 | ...; | LoopUnrolling.cs:72:29:72:32 | access to parameter args | 4 |
-| LoopUnrolling.cs:72:9:73:35 | foreach (... ... in ...) ... | LoopUnrolling.cs:72:9:73:35 | foreach (... ... in ...) ... | 1 |
-| LoopUnrolling.cs:72:22:72:24 | String arg | LoopUnrolling.cs:73:13:73:34 | call to method WriteLine | 4 |
-| LoopUnrolling.cs:76:10:76:11 | enter M9 | LoopUnrolling.cs:79:27:79:28 | access to local variable xs | 8 |
-| LoopUnrolling.cs:76:10:76:11 | exit M9 | LoopUnrolling.cs:76:10:76:11 | exit M9 | 1 |
-| LoopUnrolling.cs:79:9:82:9 | foreach (... ... in ...) ... | LoopUnrolling.cs:79:9:82:9 | foreach (... ... in ...) ... | 1 |
-| LoopUnrolling.cs:79:22:79:22 | String x | LoopUnrolling.cs:81:13:81:32 | call to method WriteLine | 5 |
-| LoopUnrolling.cs:85:10:85:12 | enter M10 | LoopUnrolling.cs:88:27:88:28 | access to local variable xs | 8 |
-| LoopUnrolling.cs:85:10:85:12 | exit M10 | LoopUnrolling.cs:85:10:85:12 | exit M10 | 1 |
-| LoopUnrolling.cs:88:9:91:9 | foreach (... ... in ...) ... | LoopUnrolling.cs:88:9:91:9 | foreach (... ... in ...) ... | 1 |
-| LoopUnrolling.cs:88:22:88:22 | String x | LoopUnrolling.cs:90:13:90:32 | call to method WriteLine | 5 |
+| LoopUnrolling.cs:71:9:71:21 | ...; | LoopUnrolling.cs:72:9:73:35 | [skip (line 72)] foreach (... ... in ...) ... | 5 |
+| LoopUnrolling.cs:76:10:76:11 | enter M9 | LoopUnrolling.cs:76:10:76:11 | exit M9 | 10 |
+| LoopUnrolling.cs:85:10:85:12 | enter M10 | LoopUnrolling.cs:85:10:85:12 | exit M10 | 10 |
 | LoopUnrolling.cs:94:10:94:12 | enter M11 | LoopUnrolling.cs:97:9:100:9 | [unroll (line 97)] foreach (... ... in ...) ... | 9 |
 | LoopUnrolling.cs:94:10:94:12 | exit M11 | LoopUnrolling.cs:94:10:94:12 | exit M11 | 1 |
 | LoopUnrolling.cs:97:22:97:22 | String x | LoopUnrolling.cs:97:9:100:9 | foreach (... ... in ...) ... | 6 |

csharp/ql/test/library-tests/controlflow/graph/Condition.expected

@@ -434,8 +434,6 @@ conditionBlock
 | LoopUnrolling.cs:24:9:26:40 | foreach (... ... in ...) ... | LoopUnrolling.cs:24:22:24:24 | Char arg | false |
 | LoopUnrolling.cs:24:9:26:40 | foreach (... ... in ...) ... | LoopUnrolling.cs:25:26:25:29 | Char arg0 | false |
 | LoopUnrolling.cs:24:22:24:24 | Char arg | LoopUnrolling.cs:25:26:25:29 | Char arg0 | false |
-| LoopUnrolling.cs:32:9:33:33 | foreach (... ... in ...) ... | LoopUnrolling.cs:29:10:29:11 | exit M4 | true |
-| LoopUnrolling.cs:32:9:33:33 | foreach (... ... in ...) ... | LoopUnrolling.cs:32:22:32:22 | String x | false |
 | LoopUnrolling.cs:36:10:36:11 | enter M5 | LoopUnrolling.cs:36:10:36:11 | exit M5 | false |
 | LoopUnrolling.cs:36:10:36:11 | enter M5 | LoopUnrolling.cs:40:9:42:41 | foreach (... ... in ...) ... | false |
 | LoopUnrolling.cs:36:10:36:11 | enter M5 | LoopUnrolling.cs:40:22:40:22 | String x | false |
@@ -454,13 +452,6 @@ conditionBlock
 | LoopUnrolling.cs:62:13:63:37 | [b (line 55): false] if (...) ... | LoopUnrolling.cs:58:22:58:22 | [b (line 55): false] String x | false |
 | LoopUnrolling.cs:67:10:67:11 | enter M8 | LoopUnrolling.cs:70:13:70:19 | return ...; | false |
 | LoopUnrolling.cs:67:10:67:11 | enter M8 | LoopUnrolling.cs:71:9:71:21 | ...; | true |
-| LoopUnrolling.cs:67:10:67:11 | enter M8 | LoopUnrolling.cs:72:9:73:35 | foreach (... ... in ...) ... | true |
-| LoopUnrolling.cs:67:10:67:11 | enter M8 | LoopUnrolling.cs:72:22:72:24 | String arg | true |
-| LoopUnrolling.cs:72:9:73:35 | foreach (... ... in ...) ... | LoopUnrolling.cs:72:22:72:24 | String arg | false |
-| LoopUnrolling.cs:79:9:82:9 | foreach (... ... in ...) ... | LoopUnrolling.cs:76:10:76:11 | exit M9 | true |
-| LoopUnrolling.cs:79:9:82:9 | foreach (... ... in ...) ... | LoopUnrolling.cs:79:22:79:22 | String x | false |
-| LoopUnrolling.cs:88:9:91:9 | foreach (... ... in ...) ... | LoopUnrolling.cs:85:10:85:12 | exit M10 | true |
-| LoopUnrolling.cs:88:9:91:9 | foreach (... ... in ...) ... | LoopUnrolling.cs:88:22:88:22 | String x | false |
 | LoopUnrolling.cs:94:10:94:12 | enter M11 | LoopUnrolling.cs:94:10:94:12 | exit M11 | false |
 | LoopUnrolling.cs:94:10:94:12 | enter M11 | LoopUnrolling.cs:97:22:97:22 | String x | false |
 | LoopUnrolling.cs:97:22:97:22 | String x | LoopUnrolling.cs:94:10:94:12 | exit M11 | true |