github
diff --git a/‎csharp/extractor/Semmle.Extraction.CIL/Entities/Assembly.cs‎
Lines changed: 4 additions & 2 deletions b/‎csharp/extractor/Semmle.Extraction.CIL/Entities/Assembly.cs‎
Lines changed: 4 additions & 2 deletions
diff --git a/‎csharp/ql/src/semmle/code/cil/CIL.qll‎
Lines changed: 1 addition & 0 deletions b/‎csharp/ql/src/semmle/code/cil/CIL.qll‎
Lines changed: 1 addition & 0 deletions
diff --git a/‎csharp/ql/src/semmle/code/cil/CallableReturns.qll‎
Lines changed: 55 additions & 0 deletions b/‎csharp/ql/src/semmle/code/cil/CallableReturns.qll‎
Lines changed: 55 additions & 0 deletions
diff --git a/‎csharp/ql/src/semmle/code/cil/ControlFlow.qll‎
Lines changed: 1 addition & 1 deletion b/‎csharp/ql/src/semmle/code/cil/ControlFlow.qll‎
Lines changed: 1 addition & 1 deletion
diff --git a/‎csharp/ql/src/semmle/code/cil/DataFlow.qll‎
Lines changed: 18 additions & 13 deletions b/‎csharp/ql/src/semmle/code/cil/DataFlow.qll‎
Lines changed: 18 additions & 13 deletions
diff --git a/‎csharp/ql/src/semmle/code/cil/InstructionGroups.qll‎
Lines changed: 3 additions & 0 deletions b/‎csharp/ql/src/semmle/code/cil/InstructionGroups.qll‎
Lines changed: 3 additions & 0 deletions
diff --git a/‎csharp/ql/src/semmle/code/cil/Instructions.qll‎
Lines changed: 1 addition & 1 deletion b/‎csharp/ql/src/semmle/code/cil/Instructions.qll‎
Lines changed: 1 addition & 1 deletion
diff --git a/‎csharp/ql/src/semmle/code/cil/Method.qll‎
Lines changed: 17 additions & 7 deletions b/‎csharp/ql/src/semmle/code/cil/Method.qll‎
Lines changed: 17 additions & 7 deletions
diff --git a/‎csharp/ql/src/semmle/code/cil/Stubs.qll‎
Lines changed: 54 additions & 0 deletions b/‎csharp/ql/src/semmle/code/cil/Stubs.qll‎
Lines changed: 54 additions & 0 deletions
diff --git a/‎csharp/ql/src/semmle/code/csharp/Generics.qll‎
Lines changed: 2 additions & 10 deletions b/‎csharp/ql/src/semmle/code/csharp/Generics.qll‎
Lines changed: 2 additions & 10 deletions
@@ -37,19 +37,21 @@ public Assembly(Context cx) : base(cx)
             if (!def.PublicKey.IsNil)
                 assemblyName.SetPublicKey(cx.mdReader.GetBlobBytes(def.PublicKey));
 
-            ShortId = cx.GetId(assemblyName.FullName) + "#file:///" + cx.assemblyPath.Replace("\\", "/");
+            ShortId = cx.GetId(FullName) + "#file:///" + cx.assemblyPath.Replace("\\", "/");
 
             file = new File(cx, cx.assemblyPath);
         }
 
         static readonly Id suffix = new StringId(";assembly");
 
+        string FullName => assemblyName.GetPublicKey() is null ? assemblyName.FullName + ", PublicKeyToken=null" : assemblyName.FullName;
+
         public override IEnumerable<IExtractionProduct> Contents
         {
             get
             {
                 yield return file;
-                yield return Tuples.assemblies(this, file, assemblyName.FullName, assemblyName.Name, assemblyName.Version.ToString());
+                yield return Tuples.assemblies(this, file, FullName, assemblyName.Name, assemblyName.Version.ToString());
 
                 if (cx.pdb != null)
                 {
 
@@ -17,3 +17,4 @@ import Handler
 import ControlFlow
 import DataFlow
 import Attribute
+import Stubs
@@ -0,0 +1,55 @@
+/**
+ * Provides predicates for analysing the return values of callables.
+ */
+
+private import CIL
+
+cached
+private module Cached {
+  /** Holds if method `m` always returns null. */
+  cached
+  predicate alwaysNullMethod(Method m) { forex(Expr e | m.canReturn(e) | alwaysNullExpr(e)) }
+
+  /** Holds if method `m` always returns non-null. */
+  cached
+  predicate alwaysNotNullMethod(Method m) { forex(Expr e | m.canReturn(e) | alwaysNotNullExpr(e)) }
+
+  /** Holds if method `m` always throws an exception. */
+  cached
+  predicate alwaysThrowsMethod(Method m) {
+    m.hasBody() and
+    not exists(m.getImplementation().getAnInstruction().(Return))
+  }
+
+  /** Holds if method `m` always throws an exception of type `t`. */
+  cached
+  predicate alwaysThrowsException(Method m, Type t) {
+    alwaysThrowsMethod(m) and
+    forex(Throw ex | ex = m.getImplementation().getAnInstruction() | t = ex.getExpr().getType())
+  }
+}
+import Cached
+
+/** Holds if expression `expr` always evaluates to `null`. */
+private predicate alwaysNullExpr(Expr expr) {
+  expr instanceof NullLiteral
+  or
+  alwaysNullMethod(expr.(StaticCall).getTarget())
+  or
+  forex(VariableUpdate vu | DefUse::variableUpdateUse(_, vu, expr) |
+    alwaysNullExpr(vu.getSource())
+  )
+}
+
+/** Holds if expression `expr` always evaluates to non-null. */
+private predicate alwaysNotNullExpr(Expr expr) {
+  expr instanceof Opcodes::Newobj
+  or
+  expr instanceof Literal and not expr instanceof NullLiteral
+  or
+  alwaysNotNullMethod(expr.(StaticCall).getTarget())
+  or
+  forex(VariableUpdate vu | DefUse::variableUpdateUse(_, vu, expr) |
+    alwaysNotNullExpr(vu.getSource())
+  )
+}
@@ -137,6 +137,6 @@ class TrueFlow extends FlowType, TTrueFlow {
 }
 
 /** False control flow. */
-class FalseFlow extends FlowType, TTrueFlow {
+class FalseFlow extends FlowType, TFalseFlow {
   override string toString() { result = "false" }
 }
@@ -60,7 +60,7 @@ class Tainted extends TaintType, TTaintedValue { }
 private predicate localExactStep(DataFlowNode src, DataFlowNode sink) {
   src = sink.(Opcodes::Dup).getAnOperand()
   or
-  DefUse::defUse(_, src, sink)
+  defUse(_, src, sink)
   or
   src = sink.(ParameterReadAccess).getTarget()
   or
@@ -88,7 +88,7 @@ private predicate localTaintStep(DataFlowNode src, DataFlowNode sink) {
 }
 
 cached
-private module DefUse {
+module DefUse {
   /**
    * A classification of variable references into reads and writes.
    */
@@ -185,21 +185,26 @@ private module DefUse {
     )
   }
 
-  /** Holds if the update `def` can be used at the read `use`. */
+  /** Holds if the variable update `vu` can be used at the read `use`. */
   cached
-  predicate defUse(StackVariable target, DataFlowNode def, ReadAccess use) {
-    exists(VariableUpdate vu | def = vu.getSource() |
-      defReachesReadWithinBlock(target, vu, use)
-      or
-      exists(BasicBlock bb, int i |
-        exists(refRank(bb, i, target, Read())) and
-        use = bb.getNode(i) and
-        defReachesEndOfBlock(bb.getAPredecessor(), vu, target) and
-        not defReachesReadWithinBlock(target, _, use)
-      )
+  predicate variableUpdateUse(StackVariable target, VariableUpdate vu, ReadAccess use) {
+    defReachesReadWithinBlock(target, vu, use)
+    or
+    exists(BasicBlock bb, int i |
+      exists(refRank(bb, i, target, Read())) and
+      use = bb.getNode(i) and
+      defReachesEndOfBlock(bb.getAPredecessor(), vu, target) and
+      not defReachesReadWithinBlock(target, _, use)
     )
   }
+
+  /** Holds if the update `def` can be used at the read `use`. */
+  cached
+  predicate defUse(StackVariable target, Expr def, ReadAccess use) {
+    exists(VariableUpdate vu | def = vu.getSource() | variableUpdateUse(target, vu, use))
+  }
 }
+private import DefUse
 
 abstract library class VariableUpdate extends Instruction {
   abstract Expr getSource();
 
@@ -127,6 +127,9 @@ class FloatLiteral extends Literal, @cil_ldc_r { }
 /** An expression that pushes a `null` value onto the stack. */
 class NullLiteral extends Literal, @cil_ldnull { }
 
+/** An expression that pushes a string onto the stack. */
+class StringLiteral extends Literal, @cil_ldstr { }
+
 /** A branch with one operand. */
 class UnaryBranch extends ConditionalBranch, @cil_unary_jump {
   override int getPopCount() { result = 1 }
 
@@ -234,7 +234,7 @@ module Opcodes {
     override string getOpcodeName() { result = "nop" }
   }
 
-  class Ldstr extends Literal, @cil_ldstr {
+  class Ldstr extends StringLiteral, @cil_ldstr {
     override string getOpcodeName() { result = "ldstr" }
 
     override string getExtra() { result = "\"" + getValue() + "\"" }
 
@@ -50,6 +50,11 @@ class MethodImplementation extends EntryPoint, @cil_method_implementation {
   int getStackSize() { cil_method_stack_size(this, result) }
 
   override string toString() { result = getMethod().toString() }
+
+  /** Gets a string representing the disassembly of this implementation. */
+  string getDisassembly() {
+    result = concat(Instruction i | i = this.getAnInstruction() | i.toString(), ", " order by i.getIndex())
+  }
 }
 
 /**
@@ -63,6 +68,11 @@ class Method extends DotNet::Callable, Element, Member, TypeContainer, DataFlowN
    */
   MethodImplementation getAnImplementation() { result.getMethod() = this }
 
+  /** Gets the "best" implementation of this method, if any. */
+  BestImplementation getImplementation() {
+    result = getAnImplementation()
+  }
+
   override Method getMethod() { result = this }
 
   override string getName() { cil_method(this, result, _, _) }
@@ -102,7 +112,7 @@ class Method extends DotNet::Callable, Element, Member, TypeContainer, DataFlowN
   int getCallPopCount() { result = count(getRawParameter(_)) }
 
   /** Gets a method called by this method. */
-  Method getACallee() { result = getAnImplementation().getAnInstruction().(Call).getTarget() }
+  Method getACallee() { result = getImplementation().getAnInstruction().(Call).getTarget() }
 
   /** Holds if this method is `virtual`. */
   predicate isVirtual() { cil_virtual(this) }
@@ -168,10 +178,10 @@ class Method extends DotNet::Callable, Element, Member, TypeContainer, DataFlowN
   /** Gets a method that overrides this method, if any. */
   final Method getAnOverrider() { result.getOverriddenMethod() = this }
 
-  override predicate hasBody() { exists(getAnImplementation()) }
+  override predicate hasBody() { exists(getImplementation()) }
 
   override predicate canReturn(DotNet::Expr expr) {
-    exists(Return ret | ret.getImplementation().getMethod() = this and expr = ret.getExpr())
+    exists(Return ret | ret.getImplementation() = this.getImplementation() and expr = ret.getExpr())
   }
 }
 
@@ -198,7 +208,7 @@ class InstanceConstructor extends Constructor {
 /** A method that always returns the `this` parameter. */
 class ChainingMethod extends Method {
   ChainingMethod() {
-    forex(Return ret | ret = getAnImplementation().getAnInstruction() |
+    forex(Return ret | ret = getImplementation().getAnInstruction() |
       ret.getExpr() instanceof ThisAccess
     )
   }
@@ -232,7 +242,7 @@ class TrivialGetter extends Method {
 
   /** Gets the underlying field of this getter. */
   Field getField() {
-    getAnImplementation().getAnInstruction().(FieldReadAccess).getTarget() = result
+    getImplementation().getAnInstruction().(FieldReadAccess).getTarget() = result
   }
 }
 
@@ -249,7 +259,7 @@ class Setter extends Accessor {
  */
 class TrivialSetter extends Method {
   TrivialSetter() {
-    exists(MethodImplementation impl | impl = getAnImplementation() |
+    exists(MethodImplementation impl | impl = getImplementation() |
       impl.getInstruction(0) instanceof ThisAccess and
       impl.getInstruction(1).(ParameterReadAccess).getTarget().getIndex() = 1 and
       impl.getInstruction(2) instanceof FieldWriteAccess
@@ -258,7 +268,7 @@ class TrivialSetter extends Method {
 
   /** Gets the underlying field of this setter. */
   Field getField() {
-    result = getAnImplementation().getAnInstruction().(FieldWriteAccess).getTarget()
+    result = getImplementation().getAnInstruction().(FieldWriteAccess).getTarget()
   }
 }
 
 
@@ -0,0 +1,54 @@
+/**
+ * Provides classes and predicates for identifying stub code.
+ */
+
+import CIL
+
+/**
+ * The average number of instructions per method,
+ * below which an assembly is probably a stub.
+ */
+private float stubInstructionThreshold() { result = 5.1 }
+
+cached
+private module Cached {
+  /**
+   * A simple heuristic for determining whether an assembly is a
+   * reference assembly where the method bodies have dummy implementations.
+   * Look at the average number of instructions per method.
+   */
+  cached
+  predicate assemblyIsStubImpl(Assembly asm) {
+    exists(int totalInstructions, int totalImplementations |
+      totalInstructions = count(Instruction i | i.getImplementation().getLocation() = asm) and
+      totalImplementations = count(MethodImplementation i |
+          i.getImplementation().getLocation() = asm
+        ) and
+      totalInstructions.(float) / totalImplementations.(float) < stubInstructionThreshold()
+    )
+  }
+
+  cached
+  predicate bestImplementation(MethodImplementation mi) {
+    not assemblyIsStubImpl(mi.getLocation()) and
+    not exists(MethodImplementation better | mi.getMethod() = better.getMethod() |
+      mi.getNumberOfInstructions() < better.getNumberOfInstructions()
+      or
+      mi.getNumberOfInstructions() = better.getNumberOfInstructions() and
+      mi.getLocation().getFile().toString() > better.getLocation().getFile().toString()
+    ) and
+    exists(mi.getAnInstruction())
+  }
+}
+private import Cached
+
+predicate assemblyIsStub = assemblyIsStubImpl/1;
+
+/**
+ * A method implementation that is the "best" one for a particular method,
+ * if there are several potential implementations to choose between, and
+ * excludes implementations that are probably from stub/reference assemblies.
+ */
+class BestImplementation extends MethodImplementation {
+  BestImplementation() { bestImplementation(this) }
+}
@@ -126,11 +126,7 @@ class TypeParameter extends DotNet::TypeParameter, Type, @type_parameter {
   /** Gets the constraints on this type parameter, if any. */
   TypeParameterConstraints getConstraints() { result.getTypeParameter() = this }
 
-  /**
-   * Holds if this type parameter is guaranteed to always be instantiated
-   * to a reference type.
-   */
-  predicate isRefType() {
+  override predicate isRefType() {
     exists(TypeParameterConstraints tpc | tpc = getConstraints() |
       tpc.hasRefTypeConstraint() or
       exists(tpc.getClassConstraint()) or
@@ -139,11 +135,7 @@ class TypeParameter extends DotNet::TypeParameter, Type, @type_parameter {
     )
   }
 
-  /**
-   * Holds if this type parameter is guaranteed to always be instantiated
-   * to a value type.
-   */
-  predicate isValueType() {
+  override predicate isValueType() {
     exists(TypeParameterConstraints tpc | tpc = getConstraints() |
       tpc.hasValueTypeConstraint() or
       tpc.getATypeParameterConstraint().isValueType()
Original file line number	Diff line number	Diff line change
`@@ -37,19 +37,21 @@ public Assembly(Context cx) : base(cx)`
`37`	`37`	`if (!def.PublicKey.IsNil)`
`38`	`38`	`assemblyName.SetPublicKey(cx.mdReader.GetBlobBytes(def.PublicKey));`
`39`	`39`
`40`		`- ShortId = cx.GetId(assemblyName.FullName) + "#file:///" + cx.assemblyPath.Replace("\\", "/");`
	`40`	`+ ShortId = cx.GetId(FullName) + "#file:///" + cx.assemblyPath.Replace("\\", "/");`
`41`	`41`
`42`	`42`	`file = new File(cx, cx.assemblyPath);`
`43`	`43`	`}`
`44`	`44`
`45`	`45`	`static readonly Id suffix = new StringId(";assembly");`
`46`	`46`
	`47`	`+ string FullName => assemblyName.GetPublicKey() is null ? assemblyName.FullName + ", PublicKeyToken=null" : assemblyName.FullName;`
	`48`	`+`
`47`	`49`	`public override IEnumerable<IExtractionProduct> Contents`
`48`	`50`	`{`
`49`	`51`	`get`
`50`	`52`	`{`
`51`	`53`	`yield return file;`
`52`		`- yield return Tuples.assemblies(this, file, assemblyName.FullName, assemblyName.Name, assemblyName.Version.ToString());`
	`54`	`+ yield return Tuples.assemblies(this, file, FullName, assemblyName.Name, assemblyName.Version.ToString());`
`53`	`55`
`54`	`56`	`if (cx.pdb != null)`
`55`	`57`	`{`
Original file line number	Diff line number	Diff line change
`@@ -137,6 +137,6 @@ class TrueFlow extends FlowType, TTrueFlow {`
`137`	`137`	`}`
`138`	`138`
`139`	`139`	`/** False control flow. */`
`140`		`-class FalseFlow extends FlowType, TTrueFlow {`
	`140`	`+class FalseFlow extends FlowType, TFalseFlow {`
`141`	`141`	`override string toString() { result = "false" }`
`142`	`142`	`}`
Original file line number	Diff line number	Diff line change
`@@ -234,7 +234,7 @@ module Opcodes {`
`234`	`234`	`override string getOpcodeName() { result = "nop" }`
`235`	`235`	`}`
`236`	`236`
`237`		`- class Ldstr extends Literal, @cil_ldstr {`
	`237`	`+ class Ldstr extends StringLiteral, @cil_ldstr {`
`238`	`238`	`override string getOpcodeName() { result = "ldstr" }`
`239`	`239`
`240`	`240`	`override string getExtra() { result = "\"" + getValue() + "\"" }`