Merge pull request #152 from hvitved/csharp/base-ssa

C#: Fix bug in BaseSsa library

Author: calumgrant

csharp/ql/src/semmle/code/csharp/dataflow/SSA.qll

@@ -119,11 +119,11 @@ module Ssa {
       ad.getAControlFlowNode() = bb.getNode(i)
       and
       // In cases like `(x, x) = (0, 1)`, we discard the first (dead) definition of `x`
-      not exists(TupleAssignmentDefinition tdef, TupleAssignmentDefinition other |
-        tdef = ad |
-        other.getAssignment() = tdef.getAssignment() and
-        other.getEvaluationOrder() > tdef.getEvaluationOrder() and
-        other = v.getADefinition()
+      not exists(TupleAssignmentDefinition first, TupleAssignmentDefinition second |
+        first = ad |
+        second.getAssignment() = first.getAssignment() and
+        second.getEvaluationOrder() > first.getEvaluationOrder() and
+        second = v.getADefinition()
       )
       and
       // In cases like `M(out x, out x)`, there is no inherent evaluation order, so we
@@ -1094,7 +1094,7 @@ module Ssa {
 
     private module SimpleDelegateAnalysis {
       private import semmle.code.csharp.dataflow.DelegateDataFlow
-      private import semmle.code.csharp.dataflow.DataFlowInternal
+      private import semmle.code.csharp.dataflow.internal.Steps
       private import semmle.code.csharp.frameworks.system.linq.Expressions
 
       /**
@@ -1124,7 +1124,7 @@ module Ssa {
       }
 
       private predicate delegateFlowStep(Expr pred, Expr succ) {
-        DataFlowInternal::stepClosed(pred, succ)
+        Steps::stepClosed(pred, succ)
         or
         exists(Call call, Callable callable |
           callable.getSourceDeclaration().canReturn(pred) and

csharp/ql/src/semmle/code/csharp/dataflow/internal/BaseSSA.qll

@@ -0,0 +1,127 @@
+import csharp
+
+/**
+ * INTERNAL: Do not use.
+ *
+ * Provides a simple SSA implementation for local scope variables.
+ */
+module BaseSsa {
+  private import ControlFlowGraph
+  private import AssignableDefinitions
+
+  private class SimpleLocalScopeVariable extends LocalScopeVariable {
+    SimpleLocalScopeVariable() {
+      not exists(AssignableDefinition def1, AssignableDefinition def2 |
+        def1.getTarget() = this and
+        def2.getTarget() = this and
+        def1.getEnclosingCallable() != def2.getEnclosingCallable()
+      )
+    }
+  }
+
+  /**
+   * Holds if the `i`th node of basic block `bb` is assignable definition `def`,
+   * targeting local scope variable `v`.
+   */
+  private predicate defAt(BasicBlock bb, int i, AssignableDefinition def, SimpleLocalScopeVariable v) {
+    bb.getNode(i) = def.getAControlFlowNode() and
+    v = def.getTarget() and
+    // In cases like `(x, x) = (0, 1)`, we discard the first (dead) definition of `x`
+    not exists(TupleAssignmentDefinition first, TupleAssignmentDefinition second |
+      first = def |
+      second.getAssignment() = first.getAssignment() and
+      second.getEvaluationOrder() > first.getEvaluationOrder() and
+      second.getTarget() = v
+    )
+  }
+
+  /**
+   * Holds if basic block `bb` would need to start with a phi node for local scope
+   * variable `v` in an SSA representation.
+   */
+  private predicate needsPhiNode(BasicBlock bb, SimpleLocalScopeVariable v) {
+    exists(BasicBlock def |
+      def.inDominanceFrontier(bb) |
+      defAt(def, _, _, v) or
+      needsPhiNode(def, v)
+    )
+  }
+
+  private newtype SsaRefKind = SsaRead() or SsaDef()
+
+  /**
+   * Holds if the `i`th node of basic block `bb` is a reference to `v`,
+   * either a read (when `k` is `SsaRead()`) or a write including phi nodes
+   * (when `k` is `SsaDef()`).
+   */
+  private predicate ssaRef(BasicBlock bb, int i, SimpleLocalScopeVariable v, SsaRefKind k) {
+    bb.getNode(i).getElement() = v.getAnAccess().(VariableRead) and
+    k = SsaRead()
+    or
+    defAt(bb, i, _, v) and
+    k = SsaDef()
+    or
+    needsPhiNode(bb, v) and
+    i = -1 and
+    k = SsaDef()
+  }
+
+  /**
+   * Gets the (1-based) rank of the reference to `v` at the `i`th node of basic
+   * block `bb`, which has the given reference kind `k`.
+   */
+  private int ssaRefRank(BasicBlock bb, int i, SimpleLocalScopeVariable v, SsaRefKind k) {
+    i = rank[result](int j | ssaRef(bb, j, v, _)) and
+    ssaRef(bb, i, v, k)
+  }
+
+  /**
+   * Holds if definition `def` of local scope variable `v` inside basic block
+   * `bb` reaches the reference at rank `rnk`, without passing through another
+   * definition of `v`, including phi nodes.
+   */
+  private predicate defReachesRank(BasicBlock bb, AssignableDefinition def, SimpleLocalScopeVariable v, int rnk) {
+    exists(int i |
+      rnk = ssaRefRank(bb, i, v, SsaDef()) |
+      defAt(bb, i, def, v)
+    )
+    or
+    defReachesRank(bb, def, v, rnk - 1) and
+    rnk = ssaRefRank(bb, _, v, SsaRead())
+  }
+
+  /**
+   * Holds if definition `def` of local scope variable `v` reaches the end of
+   * basic block `bb` without passing through another definition of `v`, including
+   * phi nodes.
+   */
+  private predicate reachesEndOf(AssignableDefinition def, SimpleLocalScopeVariable v, BasicBlock bb) {
+    exists(int rnk |
+      defReachesRank(bb, def, v, rnk) and
+      rnk = max(ssaRefRank(bb, _, v, _))
+    )
+    or
+    exists(BasicBlock mid |
+      reachesEndOf(def, v, mid) and
+      not exists(ssaRefRank(mid, _, v, SsaDef())) and
+      bb = mid.getASuccessor()
+    )
+  }
+
+  /**
+   * Gets a read of the SSA definition for variable `v` at definition `def`. That is,
+   * a read that is guaranteed to read the value assigned at definition `def`.
+   */
+  cached AssignableRead getARead(AssignableDefinition def, SimpleLocalScopeVariable v) {
+    exists(BasicBlock bb, int i, int rnk |
+      result.getTarget() = v and
+      result.getAControlFlowNode() = bb.getNode(i) and
+      rnk = ssaRefRank(bb, i, v, SsaRead())
+      |
+      defReachesRank(bb, def, v, rnk)
+      or
+      reachesEndOf(def, v, bb.getAPredecessor()) and
+      not ssaRefRank(bb, _, v, SsaDef()) < rnk
+    )
+  }
+}

…ode/csharp/dataflow/DataFlowInternal.qll …/code/csharp/dataflow/internal/Steps.qllcsharp/ql/src/semmle/code/csharp/dataflow/DataFlowInternal.qll renamed to csharp/ql/src/semmle/code/csharp/dataflow/internal/Steps.qll csharp/ql/src/semmle/code/csharp/dataflow/DataFlowInternal.qll renamed to csharp/ql/src/semmle/code/csharp/dataflow/internal/Steps.qll

@@ -1,108 +1,5 @@
 import csharp
 
-private cached module MiniSsa {
-  private import ControlFlowGraph
-
-  /**
-   * Holds if the `i`th node of basic block `bb` is assignable definition `def`,
-   * targeting local scope variable `v`.
-   */
-  private predicate defAt(BasicBlock bb, int i, AssignableDefinition def, LocalScopeVariable v) {
-    bb.getNode(i) = def.getAControlFlowNode() and
-    v = def.getTarget()
-  }
-
-  /**
-   * Holds if basic block `bb` would need to start with a phi node for local scope
-   * variable `v` in an SSA representation.
-   */
-  private predicate needsPhiNode(BasicBlock bb, LocalScopeVariable v) {
-    exists(BasicBlock def |
-      def.inDominanceFrontier(bb) |
-      defAt(def, _, _, v) or
-      needsPhiNode(def, v)
-    )
-  }
-
-  private newtype SsaRefKind = SsaRead() or SsaDef()
-
-  /**
-   * Holds if the `i`th node of basic block `bb` is a reference to `v`,
-   * either a read (when `k` is `SsaRead()`) or a write including phi nodes
-   * (when `k` is `SsaDef()`).
-   */
-  private predicate ssaRef(BasicBlock bb, int i, LocalScopeVariable v, SsaRefKind k) {
-    bb.getNode(i).getElement() = v.getAnAccess().(VariableRead) and
-    k = SsaRead()
-    or
-    defAt(bb, i, _, v) and
-    k = SsaDef()
-    or
-    needsPhiNode(bb, v) and
-    i = -1 and
-    k = SsaDef()
-  }
-
-  /**
-   * Gets the (1-based) rank of the reference to `v` at the `i`th node of basic
-   * block `bb`, which has the given reference kind `k`.
-   */
-  private int ssaRefRank(BasicBlock bb, int i, LocalScopeVariable v, SsaRefKind k) {
-    i = rank[result](int j | ssaRef(bb, j, v, _)) and
-    ssaRef(bb, i, v, k)
-  }
-
-  /**
-   * Holds if definition `def` of local scope variable `v` inside basic block
-   * `bb` reaches the reference at rank `rnk`, without passing through another
-   * definition of `v`, including phi nodes.
-   */
-  private predicate defReachesRank(BasicBlock bb, AssignableDefinition def, LocalScopeVariable v, int rnk) {
-    exists(int i |
-      rnk = ssaRefRank(bb, i, v, SsaDef()) |
-      defAt(bb, i, def, v)
-    )
-    or
-    defReachesRank(bb, def, v, rnk - 1) and
-    rnk = ssaRefRank(bb, _, v, SsaRead())
-  }
-
-  /**
-   * Holds if definition `def` of local scope variable `v` reaches the end of
-   * basic block `bb` without passing through another definition of `v`, including
-   * phi nodes.
-   */
-  private predicate reachesEndOf(AssignableDefinition def, LocalScopeVariable v, BasicBlock bb) {
-    exists(int rnk |
-      defReachesRank(bb, def, v, rnk) and
-      rnk = max(ssaRefRank(bb, _, v, _))
-    )
-    or
-    exists(BasicBlock mid |
-      reachesEndOf(def, v, mid) and
-      not exists(ssaRefRank(mid, _, v, SsaDef())) and
-      bb = mid.getASuccessor()
-    )
-  }
-
-  /**
-   * Gets a read of the SSA definition for variable `v` at definition `def`. That is,
-   * a read that is guaranteed to read the value assigned at definition `def`.
-   */
-  cached AssignableRead getARead(AssignableDefinition def, LocalScopeVariable v) {
-    exists(BasicBlock bb, int i, int rnk |
-      result.getTarget() = v and
-      result.getAControlFlowNode() = bb.getNode(i) and
-      rnk = ssaRefRank(bb, i, v, SsaRead())
-      |
-      defReachesRank(bb, def, v, rnk)
-      or
-      reachesEndOf(def, v, bb.getAPredecessor()) and
-      not ssaRefRank(bb, i, v, SsaDef()) < rnk
-    )
-  }
-}
-
 /**
  * INTERNAL: Do not use.
  *
@@ -112,12 +9,14 @@ private cached module MiniSsa {
  * Instead, this library relies on a self-contained, minimalistic SSA-like
  * implementation.
  */
-module DataFlowInternal {
+module Steps {
+  private import semmle.code.csharp.dataflow.internal.BaseSSA
+
   /**
    * Gets a read that is guaranteed to read the value assigned at definition `def`.
    */
   private AssignableRead getARead(AssignableDefinition def) {
-    result = MiniSsa::getARead(def, _)
+    result = BaseSsa::getARead(def, _)
     or
     exists(LocalScopeVariable v |
       def.getTarget() = v |

csharp/ql/src/semmle/code/csharp/dispatch/Dispatch.qll

@@ -9,7 +9,7 @@ import csharp
 private import RuntimeCallable
 private import OverridableCallable
 private import semmle.code.csharp.Conversion
-private import semmle.code.csharp.dataflow.DataFlowInternal
+private import semmle.code.csharp.dataflow.internal.Steps
 private import semmle.code.csharp.frameworks.System
 private import semmle.code.csharp.frameworks.system.Reflection
 
@@ -145,8 +145,8 @@ private module Internal {
    * using simple data flow.
    */
   private Expr getAMethodCallArgSource(MethodCallArg e) {
-    DataFlowInternal::stepOpen*(result, e) and
-    not DataFlowInternal::stepOpen(_, result)
+    Steps::stepOpen*(result, e) and
+    not Steps::stepOpen(_, result)
   }
 
   /**
@@ -302,7 +302,7 @@ private module Internal {
     }
 
     private predicate stepExpr0(Expr succ, Expr pred) {
-      DataFlowInternal::stepOpen(pred, succ)
+      Steps::stepOpen(pred, succ)
       or
       exists(Assignable a |
         a instanceof Field or

csharp/ql/test/library-tests/dataflow/ssa/BaseSsaConsistency.expected

@@ -0,0 +1,10 @@
+import csharp
+import semmle.code.csharp.dataflow.internal.BaseSSA
+
+from AssignableRead ar, AssignableDefinition def, LocalScopeVariable v
+where ar = BaseSsa::getARead(def, v)
+  and not exists(Ssa::ExplicitDefinition edef |
+    edef.getADefinition() = def and
+    edef.getARead() = ar
+  )
+select ar, def

csharp/ql/test/library-tests/dataflow/ssa/BaseSsaConsistency.ql

@@ -1,5 +1,6 @@
 | Capture.cs:6:16:6:16 | i | Capture.cs:8:17:8:17 | access to parameter i | Capture.cs:33:13:33:13 | access to parameter i |
 | Capture.cs:8:13:8:13 | x | Capture.cs:16:17:16:17 | access to local variable x | Capture.cs:17:21:17:21 | access to local variable x |
+| Capture.cs:8:13:8:13 | x | Capture.cs:45:13:45:13 | access to local variable x | Capture.cs:47:13:47:13 | access to local variable x |
 | Capture.cs:10:16:10:16 | a | Capture.cs:38:9:38:9 | access to local variable a | Capture.cs:46:12:46:12 | access to local variable a |
 | Capture.cs:65:45:65:51 | strings | Capture.cs:68:18:68:24 | access to parameter strings | Capture.cs:70:9:70:15 | access to parameter strings |
 | Consistency.cs:5:9:5:13 | Field | Consistency.cs:26:13:26:19 | access to field Field | Consistency.cs:27:13:27:19 | access to field Field |

csharp/ql/test/library-tests/dataflow/ssa/ReadAdjacentRead.expected

@@ -17,7 +17,6 @@ WARNING: Predicate getAFirstUncertainRead has been deprecated and may be removed
 | Capture.cs:38:9:38:11 | SSA call def(x) | Capture.cs:40:13:40:13 | access to local variable x |
 | Capture.cs:43:9:43:13 | SSA def(x) | Capture.cs:44:11:44:11 | access to local variable x |
 | Capture.cs:44:9:44:12 | SSA call def(x) | Capture.cs:45:13:45:13 | access to local variable x |
-| Capture.cs:46:9:46:13 | SSA call def(x) | Capture.cs:47:13:47:13 | access to local variable x |
 | Capture.cs:50:20:50:20 | SSA param(a) | Capture.cs:54:9:54:9 | access to parameter a |
 | Capture.cs:52:16:52:43 | SSA def(b) | Capture.cs:53:9:53:9 | access to local variable b |
 | Capture.cs:53:9:53:11 | SSA call def(a) | Capture.cs:54:9:54:9 | access to parameter a |

csharp/ql/test/library-tests/dataflow/ssa/SsaAdjacentUncertainRead.expected

@@ -1,10 +1,8 @@
 | in | Capture.cs:6:16:6:16 | i | Capture.cs:6:16:6:16 | SSA param(i) | Capture.cs:10:20:27:9 | SSA capture def(i) | Capture.cs:38:9:38:11 | delegate call |
 | in | Capture.cs:6:16:6:16 | i | Capture.cs:6:16:6:16 | SSA param(i) | Capture.cs:10:20:27:9 | SSA capture def(i) | Capture.cs:44:9:44:12 | call to method M |
-| in | Capture.cs:6:16:6:16 | i | Capture.cs:6:16:6:16 | SSA param(i) | Capture.cs:10:20:27:9 | SSA capture def(i) | Capture.cs:46:9:46:13 | call to method M2 |
 | in | Capture.cs:8:13:8:13 | x | Capture.cs:8:13:8:17 | SSA def(x) | Capture.cs:19:24:23:13 | SSA capture def(x) | Capture.cs:38:9:38:11 | delegate call |
 | in | Capture.cs:8:13:8:13 | x | Capture.cs:15:13:15:17 | SSA def(x) | Capture.cs:19:24:23:13 | SSA capture def(x) | Capture.cs:25:13:25:15 | delegate call |
 | in | Capture.cs:8:13:8:13 | x | Capture.cs:43:9:43:13 | SSA def(x) | Capture.cs:19:24:23:13 | SSA capture def(x) | Capture.cs:44:9:44:12 | call to method M |
-| in | Capture.cs:8:13:8:13 | x | Capture.cs:43:9:43:13 | SSA def(x) | Capture.cs:19:24:23:13 | SSA capture def(x) | Capture.cs:46:9:46:13 | call to method M2 |
 | in | Capture.cs:17:17:17:17 | y | Capture.cs:17:17:17:21 | SSA def(y) | Capture.cs:19:24:23:13 | SSA capture def(y) | Capture.cs:25:13:25:15 | delegate call |
 | in | Capture.cs:59:13:59:13 | i | Capture.cs:59:13:59:17 | SSA def(i) | Capture.cs:60:31:60:38 | SSA capture def(i) | Capture.cs:61:9:61:25 | call to method Select |
 | in | Capture.cs:67:13:67:13 | c | Capture.cs:67:13:67:19 | SSA def(c) | Capture.cs:68:32:68:49 | SSA capture def(c) | Capture.cs:68:18:68:50 | call to method Where |
@@ -31,7 +29,6 @@
 | out | Capture.cs:6:16:6:16 | i | Capture.cs:13:13:13:17 | SSA def(i) | Capture.cs:38:9:38:11 | SSA call def(i) | Capture.cs:38:9:38:11 | delegate call |
 | out | Capture.cs:8:13:8:13 | x | Capture.cs:15:13:15:17 | SSA def(x) | Capture.cs:38:9:38:11 | SSA call def(x) | Capture.cs:38:9:38:11 | delegate call |
 | out | Capture.cs:8:13:8:13 | x | Capture.cs:15:13:15:17 | SSA def(x) | Capture.cs:44:9:44:12 | SSA call def(x) | Capture.cs:44:9:44:12 | call to method M |
-| out | Capture.cs:8:13:8:13 | x | Capture.cs:15:13:15:17 | SSA def(x) | Capture.cs:46:9:46:13 | SSA call def(x) | Capture.cs:46:9:46:13 | call to method M2 |
 | out | Capture.cs:29:13:29:13 | z | Capture.cs:30:28:30:32 | SSA def(z) | Capture.cs:32:9:32:11 | SSA call def(z) | Capture.cs:32:9:32:11 | delegate call |
 | out | Capture.cs:50:20:50:20 | a | Capture.cs:52:28:52:40 | SSA def(a) | Capture.cs:53:9:53:11 | SSA call def(a) | Capture.cs:53:9:53:11 | delegate call |
 | out | Capture.cs:59:13:59:13 | i | Capture.cs:60:36:60:38 | SSA def(i) | Capture.cs:61:9:61:25 | SSA call def(i) | Capture.cs:61:9:61:25 | call to method Select |

csharp/ql/test/library-tests/dataflow/ssa/SsaCapturedVariableDef.expected

@@ -8,7 +8,6 @@
 | Capture.cs:8:13:8:13 | x | Capture.cs:38:9:38:11 | SSA call def(x) |
 | Capture.cs:8:13:8:13 | x | Capture.cs:43:9:43:13 | SSA def(x) |
 | Capture.cs:8:13:8:13 | x | Capture.cs:44:9:44:12 | SSA call def(x) |
-| Capture.cs:8:13:8:13 | x | Capture.cs:46:9:46:13 | SSA call def(x) |
 | Capture.cs:10:16:10:16 | a | Capture.cs:10:16:27:9 | SSA def(a) |
 | Capture.cs:17:17:17:17 | y | Capture.cs:17:17:17:21 | SSA def(y) |
 | Capture.cs:17:17:17:17 | y | Capture.cs:19:24:23:13 | SSA capture def(y) |