github
diff --git a/‎config/identical-files.json‎
Lines changed: 16 additions & 4 deletions b/‎config/identical-files.json‎
Lines changed: 16 additions & 4 deletions
diff --git a/‎csharp/ql/src/Linq/Helpers.qll‎
Lines changed: 11 additions & 0 deletions b/‎csharp/ql/src/Linq/Helpers.qll‎
Lines changed: 11 additions & 0 deletions
diff --git a/‎csharp/ql/src/semmle/code/csharp/commons/ComparisonTest.qll‎
Lines changed: 1 addition & 1 deletion b/‎csharp/ql/src/semmle/code/csharp/commons/ComparisonTest.qll‎
Lines changed: 1 addition & 1 deletion
diff --git a/‎csharp/ql/src/semmle/code/csharp/controlflow/Guards.qll‎
Lines changed: 27 additions & 0 deletions b/‎csharp/ql/src/semmle/code/csharp/controlflow/Guards.qll‎
Lines changed: 27 additions & 0 deletions
diff --git a/‎csharp/ql/src/semmle/code/csharp/dataflow/Nullness.qll‎
Lines changed: 0 additions & 2 deletions b/‎csharp/ql/src/semmle/code/csharp/dataflow/Nullness.qll‎
Lines changed: 0 additions & 2 deletions
diff --git a/‎csharp/ql/src/semmle/code/csharp/dataflow/SSA.qll‎
Lines changed: 7 additions & 0 deletions b/‎csharp/ql/src/semmle/code/csharp/dataflow/SSA.qll‎
Lines changed: 7 additions & 0 deletions
diff --git a/‎csharp/ql/src/semmle/code/csharp/dataflow/SignAnalysis.qll‎
Lines changed: 9 additions & 0 deletions b/‎csharp/ql/src/semmle/code/csharp/dataflow/SignAnalysis.qll‎
Lines changed: 9 additions & 0 deletions
diff --git a/‎csharp/ql/src/semmle/code/csharp/dataflow/internal/rangeanalysis/ConstantUtils.qll‎
Lines changed: 64 additions & 0 deletions b/‎csharp/ql/src/semmle/code/csharp/dataflow/internal/rangeanalysis/ConstantUtils.qll‎
Lines changed: 64 additions & 0 deletions
@@ -50,6 +50,18 @@
     "csharp/ql/src/semmle/code/csharp/dataflow/internal/DataFlowImplConsistency.qll",
     "python/ql/src/experimental/dataflow/internal/DataFlowImplConsistency.qll"
   ],
+  "SsaReadPosition Java/C#": [
+    "java/ql/src/semmle/code/java/dataflow/internal/rangeanalysis/SsaReadPositionCommon.qll",
+    "csharp/ql/src/semmle/code/csharp/dataflow/internal/rangeanalysis/SsaReadPositionCommon.qll"
+  ],
+  "Sign Java/C#": [
+    "java/ql/src/semmle/code/java/dataflow/internal/rangeanalysis/Sign.qll",
+    "csharp/ql/src/semmle/code/csharp/dataflow/internal/rangeanalysis/Sign.qll"
+  ],
+  "SignAnalysis Java/C#": [
+    "java/ql/src/semmle/code/java/dataflow/internal/rangeanalysis/SignAnalysisCommon.qll",
+    "csharp/ql/src/semmle/code/csharp/dataflow/internal/rangeanalysis/SignAnalysisCommon.qll"
+  ],
   "C++ SubBasicBlocks": [
     "cpp/ql/src/semmle/code/cpp/controlflow/SubBasicBlocks.qll",
     "cpp/ql/src/semmle/code/cpp/dataflow/internal/SubBasicBlocks.qll"
@@ -87,7 +99,7 @@
     "cpp/ql/src/semmle/code/cpp/ir/implementation/unaliased_ssa/Operand.qll",
     "cpp/ql/src/semmle/code/cpp/ir/implementation/aliased_ssa/Operand.qll",
     "csharp/ql/src/experimental/ir/implementation/raw/Operand.qll",
-    "csharp/ql/src/experimental/ir/implementation/unaliased_ssa/Operand.qll" 
+    "csharp/ql/src/experimental/ir/implementation/unaliased_ssa/Operand.qll"
   ],
   "IR IRType": [
     "cpp/ql/src/semmle/code/cpp/ir/implementation/IRType.qll",
@@ -109,11 +121,11 @@
     "cpp/ql/src/semmle/code/cpp/ir/implementation/internal/OperandTag.qll",
     "csharp/ql/src/experimental/ir/implementation/internal/OperandTag.qll"
   ],
-  "IR TInstruction":[
+  "IR TInstruction": [
     "cpp/ql/src/semmle/code/cpp/ir/implementation/internal/TInstruction.qll",
     "csharp/ql/src/experimental/ir/implementation/internal/TInstruction.qll"
   ],
-  "IR TIRVariable":[
+  "IR TIRVariable": [
     "cpp/ql/src/semmle/code/cpp/ir/implementation/internal/TIRVariable.qll",
     "csharp/ql/src/experimental/ir/implementation/internal/TIRVariable.qll"
   ],
@@ -381,4 +393,4 @@
     "javascript/ql/src/Comments/CommentedOutCodeReferences.qhelp",
     "python/ql/src/Lexical/CommentedOutCodeReferences.qhelp"
   ]
-}
+}
@@ -132,6 +132,17 @@ class AnyCall extends MethodCall {
   }
 }
 
+/** A LINQ Count(...) call. */
+class CountCall extends MethodCall {
+  CountCall() {
+    exists(Method m |
+      m = getTarget() and
+      isEnumerableType(m.getDeclaringType()) and
+      m.hasName("Count")
+    )
+  }
+}
+
 /** A variable of type IEnumerable&lt;T>, for some T. */
 class IEnumerableSequence extends Variable {
   IEnumerableSequence() { isIEnumerableType(getType()) }
 
@@ -2,7 +2,7 @@
  * Provides classes for capturing various ways of performing comparison tests.
  */
 
-import csharp
+private import csharp
 private import semmle.code.csharp.frameworks.System
 private import semmle.code.csharp.frameworks.system.Collections
 private import semmle.code.csharp.frameworks.system.collections.Generic
 
@@ -31,6 +31,33 @@ class Guard extends Expr {
   predicate controlsNode(ControlFlow::Nodes::ElementNode cfn, AccessOrCallExpr sub, AbstractValue v) {
     isGuardedByNode(cfn, this, sub, v)
   }
+
+  /**
+   * Holds if guard is an equality test between `e1` and `e2`. If the test is
+   * negated, that is `!=`, then `polarity` is false, otherwise `polarity` is
+   * true.
+   */
+  predicate isEquality(Expr e1, Expr e2, boolean polarity) {
+    exists(Expr exp1, Expr exp2 | equalityGuard(exp1, exp2, polarity) |
+      e1 = exp1 and e2 = exp2
+      or
+      e2 = exp1 and e1 = exp2
+    )
+  }
+
+  private predicate equalityGuard(Expr e1, Expr e2, boolean polarity) {
+    exists(ComparisonTest eqtest |
+      eqtest.getExpr() = this and
+      eqtest.getAnArgument() = e1 and
+      eqtest.getAnArgument() = e2 and
+      not e1 = e2 and
+      (
+        polarity = true and eqtest.getComparisonKind().isEquality()
+        or
+        polarity = false and eqtest.getComparisonKind().isInequality()
+      )
+    )
+  }
 }
 
 /** An abstract value. */
 
@@ -21,10 +21,8 @@ import csharp
 private import ControlFlow
 private import internal.CallableReturns
 private import semmle.code.csharp.commons.Assertions
-private import semmle.code.csharp.commons.ComparisonTest
 private import semmle.code.csharp.controlflow.Guards as G
 private import semmle.code.csharp.controlflow.Guards::AbstractValues
-private import semmle.code.csharp.dataflow.SSA
 private import semmle.code.csharp.frameworks.System
 private import semmle.code.csharp.frameworks.Test
 
 
@@ -2537,6 +2537,13 @@ module Ssa {
       )
     }
 
+    /** Holds if `inp` is an input to the phi node along the edge originating in `bb`. */
+    predicate hasInputFromBlock(Definition inp, BasicBlock bb) {
+      this.getAnInput() = inp and
+      this.getBasicBlock().getAPredecessor() = bb and
+      inp.isLiveAtEndOfBlock(bb)
+    }
+
     override string toString() {
       result = getToStringPrefix(this) + "SSA phi(" + getSourceVariable() + ")"
     }
 
@@ -0,0 +1,9 @@
+/**
+ * Provides sign analysis to determine whether expression are always positive
+ * or negative.
+ *
+ * The analysis is implemented as an abstract interpretation over the
+ * three-valued domain `{negative, zero, positive}`.
+ */
+
+import semmle.code.csharp.dataflow.internal.rangeanalysis.SignAnalysisCommon
@@ -0,0 +1,64 @@
+/**
+ * Provides classes and predicates to represent constant integer expressions.
+ */
+
+private import csharp
+private import Ssa
+
+/**
+ * Holds if property `p` matches `property` in `baseClass` or any overrides.
+ */
+predicate propertyOverrides(Property p, string baseClass, string property) {
+  exists(Property p2 |
+    p2.getSourceDeclaration().getDeclaringType().hasQualifiedName(baseClass) and
+    p2.hasName(property)
+  |
+    p.overridesOrImplementsOrEquals(p2)
+  )
+}
+
+/**
+ * Holds if expression `e` is either
+ * - a compile time constant with integer value `val`, or
+ * - a read of a compile time constant with integer value `val`, or
+ * - a read of the `Length` of an array with `val` lengths.
+ */
+private predicate constantIntegerExpr(Expr e, int val) {
+  e.getValue().toInt() = val
+  or
+  exists(ExplicitDefinition v, Expr src |
+    e = v.getARead() and
+    src = v.getADefinition().getSource() and
+    constantIntegerExpr(src, val)
+  )
+  or
+  isArrayLengthAccess(e, val)
+}
+
+private int getArrayLength(ArrayCreation arrCreation, int index) {
+  constantIntegerExpr(arrCreation.getLengthArgument(index), result)
+}
+
+private int getArrayLengthRec(ArrayCreation arrCreation, int index) {
+  index = 0 and result = getArrayLength(arrCreation, 0)
+  or
+  index > 0 and
+  result = getArrayLength(arrCreation, index) * getArrayLengthRec(arrCreation, index - 1)
+}
+
+private predicate isArrayLengthAccess(PropertyAccess pa, int length) {
+  propertyOverrides(pa.getTarget(), "System.Array", "Length") and
+  exists(ExplicitDefinition arr, ArrayCreation arrCreation |
+    getArrayLengthRec(arrCreation, arrCreation.getNumberOfLengthArguments() - 1) = length and
+    arrCreation = arr.getADefinition().getSource() and
+    pa.getQualifier() = arr.getARead()
+  )
+}
+
+/** An expression that always has the same integer value. */
+class ConstantIntegerExpr extends Expr {
+  ConstantIntegerExpr() { constantIntegerExpr(this, _) }
+
+  /** Gets the integer value of this expression. */
+  int getIntValue() { constantIntegerExpr(this, result) }
+}
Original file line number	Diff line number	Diff line change
`@@ -2537,6 +2537,13 @@ module Ssa {`
`2537`	`2537`	`)`
`2538`	`2538`	`}`
`2539`	`2539`
	`2540`	+ /** Holds if `inp` is an input to the phi node along the edge originating in `bb`. */
	`2541`	`+ predicate hasInputFromBlock(Definition inp, BasicBlock bb) {`
	`2542`	`+ this.getAnInput() = inp and`
	`2543`	`+ this.getBasicBlock().getAPredecessor() = bb and`
	`2544`	`+ inp.isLiveAtEndOfBlock(bb)`
	`2545`	`+ }`
	`2546`	`+`
`2540`	`2547`	`override string toString() {`
`2541`	`2548`	`result = getToStringPrefix(this) + "SSA phi(" + getSourceVariable() + ")"`
`2542`	`2549`	`}`