C#: Prune CFG for obviously impossible nullness/matching edges

Author: hvitved

csharp/ql/src/semmle/code/csharp/controlflow/Completion.qll

@@ -81,11 +81,11 @@ class Completion extends TCompletion {
     or
     if mustHaveBooleanCompletion(cfe) then
       exists(boolean value |
-        isConstant(cfe, value) |
+        isBooleanConstant(cfe, value) |
         this = TBooleanCompletion(value, value)
       )
       or
-      not isConstant(cfe, _) and
+      not isBooleanConstant(cfe, _) and
       exists(boolean b | this = TBooleanCompletion(b, b))
       or
       // Corner case: In `if (x ?? y) { ... }`, `x` must have both a `true`
@@ -94,8 +94,20 @@ class Completion extends TCompletion {
       mustHaveNullnessCompletion(cfe) and
       this = TNullnessCompletion(true)
     else if mustHaveNullnessCompletion(cfe) then
+      exists(boolean value |
+        isNullnessConstant(cfe, value) |
+        this = TNullnessCompletion(value)
+      )
+      or
+      not isNullnessConstant(cfe, _) and
       this = TNullnessCompletion(_)
-    else if mustHaveMatchingCompletion(cfe) then
+    else if mustHaveMatchingCompletion(_, cfe) then
+      exists(boolean value |
+        isMatchingConstant(cfe, value) |
+        this = TMatchingCompletion(value)
+      )
+      or
+      not isMatchingConstant(cfe, _) and
       this = TMatchingCompletion(_)
     else if mustHaveEmptinessCompletion(cfe) then
       this = TEmptinessCompletion(_)
@@ -118,14 +130,82 @@ class Completion extends TCompletion {
   }
 }
 
-private predicate isConstant(Expr e, boolean value) {
-  e.getValue() = "true" and
-  value = true
-  or
-  e.getValue() = "false" and
-  value = false
-  or
-  isConstantComparison(e, value)
+/** Holds if expression `e` has the Boolean constant value `value`. */
+private predicate isBooleanConstant(Expr e, boolean value) {
+  mustHaveBooleanCompletion(e) and
+  (
+    e.getValue() = "true" and
+    value = true
+    or
+    e.getValue() = "false" and
+    value = false
+    or
+    isConstantComparison(e, value)
+  )
+}
+
+/**
+ * Holds if expression `e` is constantly `null` (`value = true`) or constantly
+ * non-`null` (`value = false`).
+ */
+private predicate isNullnessConstant(Expr e, boolean value) {
+  mustHaveNullnessCompletion(e) and
+  exists(Expr stripped |
+    stripped = e.stripCasts() |
+    stripped.getType() = any(ValueType t |
+      not t instanceof NullableType and
+      // Extractor bug: the type of `x?.Length` is reported as `int`, but it should
+      // be `int?`
+      not getQualifier*(stripped).(QualifiableExpr).isConditional()
+    ) and
+    value = false
+    or
+    stripped instanceof NullLiteral and
+    value = true
+    or
+    stripped.hasValue() and
+    not stripped instanceof NullLiteral and
+    value = false
+  )
+}
+
+private Expr getQualifier(QualifiableExpr e) {
+  // `e.getQualifier()` does not work for calls to extension methods
+  result = e.getChildExpr(-1)
+}
+
+/**
+ * Holds if expression `e` constantly matches (`value = true`) or constantly
+ * non-matches (`value = false`).
+ */
+private predicate isMatchingConstant(Expr e, boolean value) {
+  exists(SwitchStmt ss |
+    mustHaveMatchingCompletion(ss, e) |
+    exists(Expr stripped |
+      stripped = ss.getCondition().stripCasts() |
+      exists(ConstCase cc, string strippedValue |
+        cc = ss.getAConstCase() and
+        e = cc.getExpr() and
+        strippedValue = stripped.getValue() |
+        if strippedValue = e.getValue() then
+          value = true
+        else
+          value = false
+      )
+      or
+      exists(TypeCase tc, Type t, Type strippedType |
+        tc = ss.getATypeCase() |
+        e = tc.getTypeAccess() and
+        t = e.getType() and
+        strippedType = stripped.getType() and
+        not t.isImplicitlyConvertibleTo(strippedType) and
+        not t instanceof Interface and
+        not t.containsTypeParameters() and
+        not strippedType.containsTypeParameters() and
+        value = false
+      )
+    )
+  )
 }
 
 /** A control flow element that is inside a `try` block. */
@@ -325,12 +405,10 @@ private predicate inNullnessContext(Expr e, boolean isNullnessCompletionForParen
  * Holds if a normal completion of `e` must be a matching completion. Thats is,
  * whether `e` determines a match in a `switch` statement.
  */
-private predicate mustHaveMatchingCompletion(Expr e) {
-  exists(SwitchStmt ss |
-    e = ss.getAConstCase().getExpr()
-    or
-    e = ss.getATypeCase().getTypeAccess() // use type access to represent the type test
-  )
+private predicate mustHaveMatchingCompletion(SwitchStmt ss, Expr e) {
+  e = ss.getAConstCase().getExpr()
+  or
+  e = ss.getATypeCase().getTypeAccess() // use type access to represent the type test
 }
 
 /**

csharp/ql/src/semmle/code/csharp/controlflow/ControlFlowGraph.qll

@@ -2022,6 +2022,7 @@ module Internal {
         c instanceof SimpleCompletion
         or
         cfe = tc.getTypeAccess() and
+        c.isValidFor(cfe) and
         c = any(MatchingCompletion mc |
           if mc.isMatch() then
             if exists(tc.getVariableDeclExpr()) then

csharp/ql/test/library-tests/controlflow/graph/BasicBlock.expected

@@ -70,13 +70,7 @@
 | ConditionalAccess.cs:19:12:19:13 | enter M6 | ConditionalAccess.cs:19:40:19:41 | access to parameter s1 | 2 |
 | ConditionalAccess.cs:19:12:19:13 | exit M6 | ConditionalAccess.cs:19:12:19:13 | exit M6 | 1 |
 | ConditionalAccess.cs:19:58:19:59 | access to parameter s2 | ConditionalAccess.cs:19:43:19:60 | call to method CommaJoinWith | 2 |
-| ConditionalAccess.cs:21:10:21:11 | enter M7 | ConditionalAccess.cs:23:18:23:29 | (...) ... | 6 |
-| ConditionalAccess.cs:23:13:23:38 | Nullable<Int32> j = ... | ConditionalAccess.cs:24:18:24:24 | (...) ... | 5 |
-| ConditionalAccess.cs:23:32:23:38 | access to property Length | ConditionalAccess.cs:23:32:23:38 | access to property Length | 1 |
-| ConditionalAccess.cs:24:13:24:37 | String s = ... | ConditionalAccess.cs:25:13:25:14 | "" | 4 |
-| ConditionalAccess.cs:24:27:24:37 | call to method ToString | ConditionalAccess.cs:24:27:24:37 | call to method ToString | 1 |
-| ConditionalAccess.cs:25:9:25:32 | ... = ... | ConditionalAccess.cs:21:10:21:11 | exit M7 | 2 |
-| ConditionalAccess.cs:25:31:25:31 | access to local variable s | ConditionalAccess.cs:25:16:25:32 | call to method CommaJoinWith | 2 |
+| ConditionalAccess.cs:21:10:21:11 | enter M7 | ConditionalAccess.cs:21:10:21:11 | exit M7 | 20 |
 | ConditionalAccess.cs:31:26:31:38 | enter CommaJoinWith | ConditionalAccess.cs:31:26:31:38 | exit CommaJoinWith | 7 |
 | ExitMethods.cs:6:10:6:11 | enter M1 | ExitMethods.cs:6:10:6:11 | exit M1 | 7 |
 | ExitMethods.cs:12:10:12:11 | enter M2 | ExitMethods.cs:12:10:12:11 | exit M2 | 7 |
@@ -142,20 +136,13 @@
 | NullCoalescing.cs:9:41:9:41 | access to parameter s | NullCoalescing.cs:9:41:9:41 | access to parameter s | 1 |
 | NullCoalescing.cs:9:45:9:45 | access to parameter s | NullCoalescing.cs:9:45:9:45 | access to parameter s | 1 |
 | NullCoalescing.cs:9:51:9:58 | ... ?? ... | NullCoalescing.cs:9:51:9:52 | "" | 2 |
-| NullCoalescing.cs:9:57:9:58 | "" | NullCoalescing.cs:9:57:9:58 | "" | 1 |
 | NullCoalescing.cs:11:9:11:10 | enter M5 | NullCoalescing.cs:11:44:11:45 | access to parameter b1 | 4 |
 | NullCoalescing.cs:11:9:11:10 | exit M5 | NullCoalescing.cs:11:9:11:10 | exit M5 | 1 |
 | NullCoalescing.cs:11:51:11:58 | ... && ... | NullCoalescing.cs:11:51:11:52 | access to parameter b2 | 2 |
 | NullCoalescing.cs:11:57:11:58 | access to parameter b3 | NullCoalescing.cs:11:57:11:58 | access to parameter b3 | 1 |
 | NullCoalescing.cs:11:64:11:64 | 0 | NullCoalescing.cs:11:64:11:64 | 0 | 1 |
 | NullCoalescing.cs:11:68:11:68 | 1 | NullCoalescing.cs:11:68:11:68 | 1 | 1 |
-| NullCoalescing.cs:13:10:13:11 | enter M6 | NullCoalescing.cs:15:17:15:26 | (...) ... | 7 |
-| NullCoalescing.cs:15:13:15:31 | Int32 j = ... | NullCoalescing.cs:16:17:16:18 | "" | 5 |
-| NullCoalescing.cs:15:31:15:31 | 0 | NullCoalescing.cs:15:31:15:31 | 0 | 1 |
-| NullCoalescing.cs:16:13:16:25 | String s = ... | NullCoalescing.cs:17:13:17:19 | (...) ... | 6 |
-| NullCoalescing.cs:16:23:16:25 | "a" | NullCoalescing.cs:16:23:16:25 | "a" | 1 |
-| NullCoalescing.cs:17:9:17:24 | ... = ... | NullCoalescing.cs:13:10:13:11 | exit M6 | 2 |
-| NullCoalescing.cs:17:24:17:24 | 1 | NullCoalescing.cs:17:24:17:24 | 1 | 1 |
+| NullCoalescing.cs:13:10:13:11 | enter M6 | NullCoalescing.cs:13:10:13:11 | exit M6 | 21 |
 | Patterns.cs:5:10:5:13 | enter Test | Patterns.cs:8:13:8:23 | ... is ... | 10 |
 | Patterns.cs:9:9:11:9 | {...} | Patterns.cs:10:13:10:42 | call to method WriteLine | 6 |
 | Patterns.cs:12:14:18:9 | if (...) ... | Patterns.cs:12:18:12:31 | ... is ... | 4 |
@@ -204,15 +191,9 @@
 | Switch.cs:50:13:50:39 | case Boolean: | Switch.cs:50:18:50:21 | access to type Boolean | 2 |
 | Switch.cs:50:30:50:30 | access to parameter o | Switch.cs:50:30:50:38 | ... != ... | 3 |
 | Switch.cs:51:17:51:22 | break; | Switch.cs:51:17:51:22 | break; | 1 |
-| Switch.cs:55:10:55:11 | enter M5 | Switch.cs:59:18:59:18 | 2 | 8 |
-| Switch.cs:55:10:55:11 | exit M5 | Switch.cs:55:10:55:11 | exit M5 | 1 |
-| Switch.cs:60:15:60:20 | break; | Switch.cs:60:15:60:20 | break; | 1 |
-| Switch.cs:61:13:61:20 | case ...: | Switch.cs:61:18:61:18 | 3 | 2 |
-| Switch.cs:62:15:62:20 | break; | Switch.cs:62:15:62:20 | break; | 1 |
-| Switch.cs:66:10:66:11 | enter M6 | Switch.cs:70:18:70:20 | access to type Int32 | 7 |
+| Switch.cs:55:10:55:11 | enter M5 | Switch.cs:55:10:55:11 | exit M5 | 12 |
+| Switch.cs:66:10:66:11 | enter M6 | Switch.cs:72:18:72:19 | "" | 9 |
 | Switch.cs:66:10:66:11 | exit M6 | Switch.cs:66:10:66:11 | exit M6 | 1 |
-| Switch.cs:71:15:71:20 | break; | Switch.cs:71:15:71:20 | break; | 1 |
-| Switch.cs:72:13:72:21 | case ...: | Switch.cs:72:18:72:19 | "" | 2 |
 | Switch.cs:73:15:73:20 | break; | Switch.cs:73:15:73:20 | break; | 1 |
 | Switch.cs:77:10:77:11 | enter M7 | Switch.cs:81:18:81:18 | 1 | 6 |
 | Switch.cs:77:10:77:11 | exit M7 | Switch.cs:77:10:77:11 | exit M7 | 1 |