Merge pull request #2308 from hvitved/csharp/dataflow/types

C#: Type-based pruning for data flow

Author: calumgrant

csharp/ql/src/semmle/code/csharp/Caching.qll

@@ -89,7 +89,9 @@ module Stages {
 
     cached
     private predicate forceCachingInSameStageRev() {
-      exists(CompoundTypeKind k)
+      exists(Gvn::CompoundTypeKind k)
+      or
+      exists(any(Gvn::GvnType t).toString())
       or
       exists(Unification::UnconstrainedTypeParameter utp)
       or

csharp/ql/src/semmle/code/csharp/Conversion.qll

@@ -24,20 +24,25 @@ private module Cached {
    *
    * 6.1: Implicit type conversions.
    *
-   * The following conversions are classified as implicit conversions:
+   * The following conversions are included:
    *
    * - Identity conversions
    * - Implicit numeric conversions
    * - Implicit nullable conversions
    * - Implicit reference conversions
    * - Boxing conversions
-   * - User-defined implicit conversions
    */
   cached
-  predicate implicitConversion(Type fromType, Type toType) {
-    implicitConversionNonNull(fromType, toType)
+  predicate implicitConversionRestricted(Type fromType, Type toType) {
+    convIdentity(fromType, toType)
     or
-    defaultNullConversion(fromType, toType)
+    convNumeric(fromType, toType)
+    or
+    convNullableType(fromType, toType)
+    or
+    convRefTypeNonNull(fromType, toType)
+    or
+    convBoxing(fromType, toType)
   }
 
   /**
@@ -58,21 +63,36 @@ private module Cached {
 import Cached
 
 private predicate implicitConversionNonNull(Type fromType, Type toType) {
-  convIdentity(fromType, toType)
-  or
-  convNumeric(fromType, toType)
-  or
-  convNullableType(fromType, toType)
-  or
-  convRefTypeNonNull(fromType, toType)
-  or
-  convBoxing(fromType, toType)
+  implicitConversionRestricted(fromType, toType)
   or
   convConversionOperator(fromType, toType)
   or
   fromType instanceof DynamicType // 6.1.8
 }
 
+/**
+ * INTERNAL: Do not use.
+ *
+ * Holds if there exists an implicit conversion from `fromType` to `toType`.
+ *
+ * 6.1: Implicit type conversions.
+ *
+ * The following conversions are classified as implicit conversions:
+ *
+ * - Identity conversions
+ * - Implicit numeric conversions
+ * - Implicit nullable conversions
+ * - Implicit reference conversions
+ * - Boxing conversions
+ * - User-defined implicit conversions
+ */
+pragma[nomagic]
+predicate implicitConversion(Type fromType, Type toType) {
+  implicitConversionNonNull(fromType, toType)
+  or
+  defaultNullConversion(fromType, toType)
+}
+
 /**
  * A generic type. This includes both constructed generic types and unbound
  * generic types (which correspond to constructed generic types where the

csharp/ql/src/semmle/code/csharp/Implements.qll

@@ -130,7 +130,7 @@ private DeclarationWithAccessors getACompatibleInterfaceAccessorCandidate(Declar
   d.isPublic()
 }
 
-pragma[noinline]
+pragma[nomagic]
 private predicate getACompatibleInterfaceAccessorAux(
   DeclarationWithAccessors d, ValueOrRefType t, string name
 ) {
@@ -242,7 +242,7 @@ private Type getArgumentOrReturnType(Method m, int i) {
  * type parameters (at the same index).
  */
 private module Gvn {
-  private import semmle.code.csharp.Unification
+  private import semmle.code.csharp.Unification::Gvn as Unification
 
   private class MethodTypeParameter extends TypeParameter {
     MethodTypeParameter() { this = any(UnboundGenericMethod ugm).getATypeParameter() }
@@ -251,27 +251,26 @@ private module Gvn {
   private class LeafType extends Type {
     LeafType() {
       not exists(this.getAChild()) and
-      not this instanceof MethodTypeParameter
+      not this instanceof MethodTypeParameter and
+      not this instanceof DynamicType
     }
   }
 
-  private predicate id(LeafType t, int i) = equivalenceRelation(convIdentity/2)(t, i)
-
   private newtype TGvnType =
-    TLeafGvnType(int i) { id(_, i) } or
+    TLeafGvnType(LeafType t) or
     TMethodTypeParameterGvnType(int i) { i = any(MethodTypeParameter p).getIndex() } or
     TConstructedGvnType(ConstructedGvnTypeList l)
 
   private newtype TConstructedGvnTypeList =
-    TConstructedGvnTypeNil(CompoundTypeKind k) or
+    TConstructedGvnTypeNil(Unification::CompoundTypeKind k) or
     TConstructedGvnTypeCons(GvnType head, ConstructedGvnTypeList tail) {
       gvnConstructedCons(_, _, _, head, tail)
     }
 
-  private ConstructedGvnTypeList gvnConstructed(Type t, CompoundTypeKind k, int i) {
+  private ConstructedGvnTypeList gvnConstructed(Type t, Unification::CompoundTypeKind k, int i) {
     result = TConstructedGvnTypeNil(k) and
     i = -1 and
-    k = getTypeKind(t)
+    k = Unification::getTypeKind(t)
     or
     exists(GvnType head, ConstructedGvnTypeList tail | gvnConstructedCons(t, k, i, head, tail) |
       result = TConstructedGvnTypeCons(head, tail)
@@ -283,7 +282,7 @@ private module Gvn {
 
   pragma[noinline]
   private predicate gvnConstructedCons(
-    Type t, CompoundTypeKind k, int i, GvnType head, ConstructedGvnTypeList tail
+    Type t, Unification::CompoundTypeKind k, int i, GvnType head, ConstructedGvnTypeList tail
   ) {
     tail = gvnConstructed(t, k, i - 1) and
     head = gvnTypeChild(t, i)
@@ -292,11 +291,14 @@ private module Gvn {
   /** Gets the global value number for a given type. */
   pragma[nomagic]
   GvnType getGlobalValueNumber(Type t) {
-    result = TLeafGvnType(any(int i | id(t, i)))
+    result = TLeafGvnType(t)
+    or
+    t instanceof DynamicType and
+    result = TLeafGvnType(any(ObjectType ot))
     or
     result = TMethodTypeParameterGvnType(t.(MethodTypeParameter).getIndex())
     or
-    exists(ConstructedGvnTypeList l, CompoundTypeKind k, int i |
+    exists(ConstructedGvnTypeList l, Unification::CompoundTypeKind k, int i |
       l = gvnConstructed(t, k, i) and
       i = k.getNumberOfTypeParameters() - 1 and
       result = TConstructedGvnType(l)
@@ -306,7 +308,7 @@ private module Gvn {
   /** A global value number for a type. */
   class GvnType extends TGvnType {
     string toString() {
-      exists(int i | this = TLeafGvnType(i) | result = i.toString())
+      exists(LeafType t | this = TLeafGvnType(t) | result = t.toString())
       or
       exists(int i | this = TMethodTypeParameterGvnType(i) | result = "M!" + i)
       or
@@ -338,12 +340,12 @@ private module Gvn {
 
     language[monotonicAggregates]
     string toString() {
-      exists(CompoundTypeKind k, string args |
+      exists(Unification::CompoundTypeKind k, string args |
         this = gvnConstructed(_, k, _) and
         args = concat(int i |
             i in [0 .. k.getNumberOfTypeParameters() - 1]
           |
-            this.getArg(i).toString(), ", " order by i
+            this.getArg(i).toString(), "," order by i
           ) and
         result = k.toString(args)
       )

csharp/ql/src/semmle/code/csharp/Type.qll

@@ -827,16 +827,13 @@ class ArrayType extends DotNet::ArrayType, RefType, @array_type {
     getRank() = that.getRank()
   }
 
-  private string getRankString(int i) {
-    i in [0 .. getRank() - 1] and
-    if i = getRank() - 1 then result = "" else result = "," + getRankString(i + 1)
-  }
-
   /**
    * INTERNAL: Do not use.
    * Gets a string representing the array suffix, for example `[,,,]`.
    */
-  string getArraySuffix() { result = "[" + getRankString(0) + "]" }
+  string getArraySuffix() {
+    result = "[" + concat(int i | i in [0 .. this.getRank() - 2] | ",") + "]"
+  }
 
   private string getDimensionString(Type elementType) {
     exists(Type et, string res |

csharp/ql/src/semmle/code/csharp/Unification.qll

@@ -2,28 +2,24 @@ import csharp
 private import Conversion
 private import Caching
 
-pragma[noinline]
-private Type getAProperSubType(Type t) {
-  not result instanceof DynamicType and
-  not result instanceof NullType and
-  result.isImplicitlyConvertibleTo(t)
-}
-
 /**
+ * INTERNAL: Do not use.
+ *
  * Provides an implementation of Global Value Numbering for types (see
  * https://en.wikipedia.org/wiki/Global_value_numbering), where types are considered
  * equal modulo identity conversions and type parameters.
  */
-private module Gvn {
+module Gvn {
   private class LeafType extends Type {
     LeafType() {
       not exists(this.getAChild()) and
-      not this instanceof TypeParameter
+      not this instanceof TypeParameter and
+      not this instanceof DynamicType
     }
   }
 
   /** A type kind for a compound type. */
-  class CompoundTypeKindImpl extends TCompoundTypeKind {
+  class CompoundTypeKind extends TCompoundTypeKind {
     /** Gets the number of type parameters for this kind. */
     int getNumberOfTypeParameters() {
       this = TPointerTypeKind() and result = 1
@@ -44,8 +40,8 @@ private module Gvn {
       or
       this = TNullableTypeKind() and result = args + "?"
       or
-      exists(int dim, int rnk | this = TArrayTypeKind(dim, rnk) |
-        result = args + "[" + dim + ", " + rnk + "]"
+      exists(int rnk | this = TArrayTypeKind(_, rnk) |
+        result = args + "[" + concat(int i | i in [0 .. rnk - 2] | ",") + "]"
       )
       or
       exists(UnboundGenericType ugt | this = TConstructedType(ugt) |
@@ -61,7 +57,7 @@ private module Gvn {
   }
 
   /** Gets the type kind for type `t`, if any. */
-  CompoundTypeKind getTypeKindImpl(Type t) {
+  CompoundTypeKind getTypeKind(Type t) {
     result = TPointerTypeKind() and t instanceof PointerType
     or
     result = TNullableTypeKind() and t instanceof NullableType
@@ -86,11 +82,13 @@ private module Gvn {
     CompoundTypeKind getKind() { none() }
 
     /** Gets a textual representation of this GVN. */
+    cached
     string toString() {
-      exists(int i | this = TLeafGvnType(i) | result = i.toString())
+      Stages::UnificationStage::forceCachingInSameStage() and
+      exists(LeafType t | this = TLeafGvnType(t) | result = t.toString())
       or
       this instanceof TTypeParameterGvnType and
-      result = "<type parameter>"
+      result = "T"
       or
       exists(ConstructedGvnTypeList l | this = TConstructedGvnType(l) | result = l.toString())
     }
@@ -99,6 +97,8 @@ private module Gvn {
     Location getLocation() { result instanceof EmptyLocation }
   }
 
+  class TypeParameterGvnType extends GvnType, TTypeParameterGvnType { }
+
   class ConstructedGvnType extends GvnType, TConstructedGvnType {
     private ConstructedGvnTypeList l;
 
@@ -157,7 +157,7 @@ private module Gvn {
         args = concat(int i |
             i in [0 .. k.getNumberOfTypeParameters() - 1]
           |
-            this.getArg(i).toString(), ", " order by i
+            this.getArg(i).toString(), "," order by i
           ) and
         result = k.toString(args)
       )
@@ -356,8 +356,6 @@ private module Gvn {
     not result instanceof ConstructedGvnType
   }
 
-  private predicate id(LeafType t, int i) = equivalenceRelation(convIdentity/2)(t, i)
-
   cached
   private module Cached {
     cached
@@ -367,11 +365,11 @@ private module Gvn {
       TArrayTypeKind(int dim, int rnk) {
         exists(ArrayType at | dim = at.getDimension() and rnk = at.getRank())
       } or
-      TConstructedType(UnboundGenericType ugt)
+      TConstructedType(UnboundGenericType ugt) { exists(ugt.getATypeParameter()) }
 
     cached
     newtype TGvnType =
-      TLeafGvnType(int i) { id(_, i) } or
+      TLeafGvnType(LeafType t) or
       TTypeParameterGvnType() or
       TConstructedGvnType(ConstructedGvnTypeList l)
 
@@ -385,7 +383,10 @@ private module Gvn {
     /** Gets the GVN for type `t`. */
     cached
     GvnType getGlobalValueNumber(Type t) {
-      result = TLeafGvnType(any(int i | id(t, i)))
+      result = TLeafGvnType(t)
+      or
+      t instanceof DynamicType and
+      result = TLeafGvnType(any(ObjectType ot))
       or
       t instanceof TypeParameter and
       result = TTypeParameterGvnType()
@@ -430,10 +431,6 @@ private module Gvn {
   import Cached
 }
 
-class CompoundTypeKind = Gvn::CompoundTypeKindImpl;
-
-predicate getTypeKind = Gvn::getTypeKindImpl/1;
-
 /** Provides definitions related to type unification. */
 module Unification {
   /** A type parameter that is compatible with any type. */
@@ -557,19 +554,19 @@ module Unification {
 
     cached
     predicate typeConstraintUnifiable(TTypeConstraint ttc, Type t) {
-      exists(Type t0 | ttc = TTypeConstraint(t0) | t = getAProperSubType(t0))
+      exists(Type t0 | ttc = TTypeConstraint(t0) | implicitConversionRestricted(t, t0))
       or
       exists(Type t0, Type t1 | ttc = TTypeConstraint(t0) and unifiable(t0, t1) |
-        t = getAProperSubType(t1)
+        implicitConversionRestricted(t, t1)
       )
     }
 
     cached
     predicate typeConstraintSubsumes(TTypeConstraint ttc, Type t) {
-      exists(Type t0 | ttc = TTypeConstraint(t0) | t = getAProperSubType(t0))
+      exists(Type t0 | ttc = TTypeConstraint(t0) | implicitConversionRestricted(t, t0))
       or
       exists(Type t0, Type t1 | ttc = TTypeConstraint(t0) and subsumes(t0, t1) |
-        t = getAProperSubType(t1)
+        implicitConversionRestricted(t, t1)
       )
     }
   }