github
diff --git a/‎csharp/ql/src/semmle/code/csharp/controlflow/ControlFlowGraph.qll‎
Lines changed: 16 additions & 0 deletions b/‎csharp/ql/src/semmle/code/csharp/controlflow/ControlFlowGraph.qll‎
Lines changed: 16 additions & 0 deletions
diff --git a/‎csharp/ql/src/semmle/code/csharp/dataflow/ModulusAnalysis.qll‎
Lines changed: 0 additions & 12 deletions b/‎csharp/ql/src/semmle/code/csharp/dataflow/ModulusAnalysis.qll‎
Lines changed: 0 additions & 12 deletions
diff --git a/‎csharp/ql/src/semmle/code/csharp/dataflow/SignAnalysis.qll‎
Lines changed: 38 additions & 1 deletion b/‎csharp/ql/src/semmle/code/csharp/dataflow/SignAnalysis.qll‎
Lines changed: 38 additions & 1 deletion
diff --git a/‎csharp/ql/src/semmle/code/csharp/dataflow/internal/rangeanalysis/BoundSpecific.qll‎
Lines changed: 5 additions & 6 deletions b/‎csharp/ql/src/semmle/code/csharp/dataflow/internal/rangeanalysis/BoundSpecific.qll‎
Lines changed: 5 additions & 6 deletions
diff --git a/‎csharp/ql/src/semmle/code/csharp/dataflow/internal/rangeanalysis/ConstantUtils.qll‎
Lines changed: 19 additions & 25 deletions b/‎csharp/ql/src/semmle/code/csharp/dataflow/internal/rangeanalysis/ConstantUtils.qll‎
Lines changed: 19 additions & 25 deletions
diff --git a/‎csharp/ql/src/semmle/code/csharp/dataflow/internal/rangeanalysis/ModulusAnalysisSpecific.qll‎
Lines changed: 49 additions & 75 deletions b/‎csharp/ql/src/semmle/code/csharp/dataflow/internal/rangeanalysis/ModulusAnalysisSpecific.qll‎
Lines changed: 49 additions & 75 deletions
@@ -310,6 +310,22 @@ module ControlFlow {
       Split getASplit() { result = splits.getASplit() }
     }
 
+    /** A control-flow node for an expression. */
+    class ExprNode extends ElementNode {
+      Expr e;
+
+      ExprNode() { e = unique(Expr e_ | e_ = this.getElement() | e_) }
+
+      /** Gets the expression that this control-flow node belongs to. */
+      Expr getExpr() { result = e }
+
+      /** Gets the value of this expression node, if any. */
+      string getValue() { result = e.getValue() }
+
+      /** Gets the type of this expression node. */
+      Type getType() { result = e.getType() }
+    }
+
     class Split = SplitImpl;
 
     class FinallySplit = FinallySplitting::FinallySplitImpl;
 
@@ -111,18 +111,6 @@ private predicate evenlyDivisibleExpr(Expr e, int factor) {
   )
 }
 
-/**
- * Holds if `inp` is an input to `phi` along `edge` and this input has index `r`
- * in an arbitrary 1-based numbering of the input edges to `phi`.
- */
-private predicate rankedPhiInput(
-  SsaPhiNode phi, SsaVariable inp, SsaReadPositionPhiInputEdge edge, int r
-) {
-  edge.phiInput(phi, inp) and
-  edge =
-    rank[r](SsaReadPositionPhiInputEdge e | e.phiInput(phi, _) | e order by getId(e.getOrigBlock()))
-}
-
 /**
  * Holds if `rix` is the number of input edges to `phi`.
  */
 
@@ -6,4 +6,41 @@
  * three-valued domain `{negative, zero, positive}`.
  */
 
-import semmle.code.csharp.dataflow.internal.rangeanalysis.SignAnalysisCommon
+import csharp
+private import semmle.code.csharp.dataflow.internal.rangeanalysis.SignAnalysisCommon as Common
+
+/** Holds if `e` can be positive and cannot be negative. */
+predicate positiveExpr(Expr e) {
+  forex(ControlFlow::Node cfn | cfn = e.getAControlFlowNode() |
+    positive(cfn) or strictlyPositive(cfn)
+  )
+}
+
+/** Holds if `e` can be negative and cannot be positive. */
+predicate negativeExpr(Expr e) {
+  forex(ControlFlow::Node cfn | cfn = e.getAControlFlowNode() |
+    negative(cfn) or strictlyNegative(cfn)
+  )
+}
+
+/** Holds if `e` is strictly positive. */
+predicate strictlyPositiveExpr(Expr e) {
+  forex(ControlFlow::Node cfn | cfn = e.getAControlFlowNode() | strictlyPositive(cfn))
+}
+
+/** Holds if `e` is strictly negative. */
+predicate strictlyNegativeExpr(Expr e) {
+  forex(ControlFlow::Node cfn | cfn = e.getAControlFlowNode() | strictlyNegative(cfn))
+}
+
+/** Holds if `e` can be positive and cannot be negative. */
+predicate positive(ControlFlow::Nodes::ExprNode e) { Common::positive(e) }
+
+/** Holds if `e` can be negative and cannot be positive. */
+predicate negative(ControlFlow::Nodes::ExprNode e) { Common::negative(e) }
+
+/** Holds if `e` is strictly positive. */
+predicate strictlyPositive(ControlFlow::Nodes::ExprNode e) { Common::strictlyPositive(e) }
+
+/** Holds if `e` is strictly negative. */
+predicate strictlyNegative(ControlFlow::Nodes::ExprNode e) { Common::strictlyNegative(e) }
@@ -5,17 +5,16 @@
 private import csharp as CS
 private import semmle.code.csharp.dataflow.SSA::Ssa as Ssa
 private import semmle.code.csharp.dataflow.internal.rangeanalysis.ConstantUtils as CU
+private import semmle.code.csharp.dataflow.internal.rangeanalysis.RangeUtils as RU
+private import semmle.code.csharp.dataflow.internal.rangeanalysis.SsaUtils as SU
 
-class SsaVariable extends Ssa::Definition {
-  /** Gets a read of the source variable underlying this SSA definition. */
-  Expr getAUse() { result = getARead() }
-}
+class SsaVariable = SU::SsaVariable;
 
-class Expr = CS::Expr;
+class Expr = CS::ControlFlow::Nodes::ExprNode;
 
 class IntegralType = CS::IntegralType;
 
 class ConstantIntegerExpr = CU::ConstantIntegerExpr;
 
 /** Holds if `e` is a bound expression and it is not an SSA variable read. */
-predicate interestingExprBound(Expr e) { CU::systemArrayLengthAccess(e.(CS::PropertyRead)) }
+predicate interestingExprBound(Expr e) { CU::systemArrayLengthAccess(e.getExpr()) }
@@ -4,18 +4,10 @@
 
 private import csharp
 private import Ssa
+private import SsaUtils
+private import RangeUtils
 
-/**
- * Holds if property `p` matches `property` in `baseClass` or any overrides.
- */
-predicate propertyOverrides(Property p, string baseClass, string property) {
-  exists(Property p2 |
-    p2.getSourceDeclaration().getDeclaringType().hasQualifiedName(baseClass) and
-    p2.hasName(property)
-  |
-    p.overridesOrImplementsOrEquals(p2)
-  )
-}
+private class ExprNode = ControlFlow::Nodes::ExprNode;
 
 /**
  * Holds if `pa` is an access to the `Length` property of an array.
@@ -30,40 +22,42 @@ predicate systemArrayLengthAccess(PropertyAccess pa) {
  * - a read of a compile time constant with integer value `val`, or
  * - a read of the `Length` of an array with `val` lengths.
  */
-private predicate constantIntegerExpr(Expr e, int val) {
+private predicate constantIntegerExpr(ExprNode e, int val) {
   e.getValue().toInt() = val
   or
-  exists(ExplicitDefinition v, Expr src |
-    e = v.getARead() and
-    src = v.getADefinition().getSource() and
+  exists(ExprNode src |
+    e = getAnExplicitDefinitionRead(src) and
     constantIntegerExpr(src, val)
   )
   or
   isArrayLengthAccess(e, val)
 }
 
-private int getArrayLength(ArrayCreation arrCreation, int index) {
-  constantIntegerExpr(arrCreation.getLengthArgument(index), result)
+private int getArrayLength(ExprNode e, int index) {
+  exists(ArrayCreation arrCreation, ExprNode length |
+    hasChild(arrCreation, arrCreation.getLengthArgument(index), e, length) and
+    constantIntegerExpr(length, result)
+  )
 }
 
-private int getArrayLengthRec(ArrayCreation arrCreation, int index) {
+private int getArrayLengthRec(ExprNode arrCreation, int index) {
   index = 0 and result = getArrayLength(arrCreation, 0)
   or
   index > 0 and
   result = getArrayLength(arrCreation, index) * getArrayLengthRec(arrCreation, index - 1)
 }
 
-private predicate isArrayLengthAccess(PropertyAccess pa, int length) {
-  systemArrayLengthAccess(pa) and
-  exists(ExplicitDefinition arr, ArrayCreation arrCreation |
-    getArrayLengthRec(arrCreation, arrCreation.getNumberOfLengthArguments() - 1) = length and
-    arrCreation = arr.getADefinition().getSource() and
-    pa.getQualifier() = arr.getARead()
+private predicate isArrayLengthAccess(ExprNode e, int length) {
+  exists(PropertyAccess pa, ExprNode arrCreation |
+    systemArrayLengthAccess(pa) and
+    getArrayLengthRec(arrCreation,
+      arrCreation.getExpr().(ArrayCreation).getNumberOfLengthArguments() - 1) = length and
+    hasChild(pa, pa.getQualifier(), e, getAnExplicitDefinitionRead(arrCreation))
   )
 }
 
 /** An expression that always has the same integer value. */
-class ConstantIntegerExpr extends Expr {
+class ConstantIntegerExpr extends ExprNode {
   ConstantIntegerExpr() { constantIntegerExpr(this, _) }
 
   /** Gets the integer value of this expression. */
 
@@ -1,110 +1,84 @@
 module Private {
   private import csharp as CS
   private import ConstantUtils as CU
-  private import semmle.code.csharp.controlflow.Guards as G
   private import semmle.code.csharp.dataflow.internal.rangeanalysis.RangeUtils as RU
   private import SsaUtils as SU
-  private import SignAnalysisSpecific::Private as SA
+  private import SsaReadPositionCommon
 
   class BasicBlock = CS::Ssa::BasicBlock;
 
-  class SsaVariable extends CS::Ssa::Definition {
-    CS::AssignableRead getAUse() { result = this.getARead() }
-  }
+  class SsaVariable = SU::SsaVariable;
 
   class SsaPhiNode = CS::Ssa::PhiNode;
 
-  class Expr = CS::Expr;
+  class Expr = CS::ControlFlow::Nodes::ExprNode;
 
-  class Guard = G::Guard;
+  class Guard = RU::Guard;
 
   class ConstantIntegerExpr = CU::ConstantIntegerExpr;
 
-  class ConditionalExpr extends CS::ConditionalExpr {
-    /** Gets the "then" expression of this conditional expression. */
-    Expr getTrueExpr() { result = this.getThen() }
+  class ConditionalExpr = RU::ExprNode::ConditionalExpr;
 
-    /** Gets the "else" expression of this conditional expression. */
-    Expr getFalseExpr() { result = this.getElse() }
-  }
+  class AddExpr = RU::ExprNode::AddExpr;
 
-  /** Represent an addition expression. */
-  class AddExpr extends CS::AddExpr {
-    /** Gets the LHS operand of this add expression. */
-    Expr getLhs() { result = this.getLeftOperand() }
+  class SubExpr = RU::ExprNode::SubExpr;
 
-    /** Gets the RHS operand of this add expression. */
-    Expr getRhs() { result = this.getRightOperand() }
-  }
+  class RemExpr = RU::ExprNode::RemExpr;
 
-  /** Represent a subtraction expression. */
-  class SubExpr extends CS::SubExpr {
-    /** Gets the LHS operand of this subtraction expression. */
-    Expr getLhs() { result = this.getLeftOperand() }
+  class BitwiseAndExpr = RU::ExprNode::BitwiseAndExpr;
 
-    /** Gets the RHS operand of this subtraction expression. */
-    Expr getRhs() { result = this.getRightOperand() }
-  }
+  class MulExpr = RU::ExprNode::MulExpr;
 
-  class RemExpr = CS::RemExpr;
-
-  /** Represent a bitwise and or an assign-and expression. */
-  class BitwiseAndExpr extends CS::Expr {
-    BitwiseAndExpr() { this instanceof CS::BitwiseAndExpr or this instanceof CS::AssignAndExpr }
-
-    /** Gets an operand of this bitwise and operation. */
-    Expr getAnOperand() {
-      result = this.(CS::BitwiseAndExpr).getAnOperand() or
-      result = this.(CS::AssignAndExpr).getRValue() or
-      result = this.(CS::AssignAndExpr).getLValue()
-    }
-
-    /** Holds if this expression has operands `e1` and `e2`. */
-    predicate hasOperands(Expr e1, Expr e2) {
-      this.getAnOperand() = e1 and
-      this.getAnOperand() = e2 and
-      e1 != e2
-    }
-  }
+  class LShiftExpr = RU::ExprNode::LShiftExpr;
 
-  /** Represent a multiplication or an assign-mul expression. */
-  class MulExpr extends CS::Expr {
-    MulExpr() { this instanceof CS::MulExpr or this instanceof CS::AssignMulExpr }
+  predicate guardDirectlyControlsSsaRead = RU::guardControlsSsaRead/3;
 
-    /** Gets an operand of this multiplication. */
-    Expr getAnOperand() {
-      result = this.(CS::MulExpr).getAnOperand() or
-      result = this.(CS::AssignMulExpr).getRValue() or
-      result = this.(CS::AssignMulExpr).getLValue()
-    }
-  }
+  predicate guardControlsSsaRead = RU::guardControlsSsaRead/3;
 
-  /** Represent a left shift or an assign-lshift expression. */
-  class LShiftExpr extends CS::Expr {
-    LShiftExpr() { this instanceof CS::LShiftExpr or this instanceof CS::AssignLShiftExpr }
+  predicate valueFlowStep = RU::valueFlowStep/3;
 
-    /** Gets the RHS operand of this shift. */
-    Expr getRhs() {
-      result = this.(CS::LShiftExpr).getRightOperand() or
-      result = this.(CS::AssignLShiftExpr).getRValue()
-    }
-  }
+  predicate eqFlowCond = RU::eqFlowCond/5;
 
-  predicate guardDirectlyControlsSsaRead = SA::guardControlsSsaRead/3;
+  predicate ssaUpdateStep = RU::ssaUpdateStep/3;
 
-  predicate guardControlsSsaRead = SA::guardControlsSsaRead/3;
+  Expr getABasicBlockExpr(BasicBlock bb) { result = bb.getANode() }
 
-  predicate valueFlowStep = RU::valueFlowStep/3;
+  private class CallableOrCFE extends CS::Element {
+    CallableOrCFE() { this instanceof CS::Callable or this instanceof CS::ControlFlowElement }
+  }
 
-  predicate eqFlowCond = RU::eqFlowCond/5;
+  private predicate id(CallableOrCFE x, CallableOrCFE y) { x = y }
 
-  predicate ssaUpdateStep = RU::ssaUpdateStep/3;
+  private predicate idOf(CallableOrCFE x, int y) = equivalenceRelation(id/2)(x, y)
 
-  Expr getABasicBlockExpr(BasicBlock bb) { result = bb.getANode().getElement() }
+  private class PhiInputEdgeBlock extends BasicBlock {
+    PhiInputEdgeBlock() { this = any(SsaReadPositionPhiInputEdge edge).getOrigBlock() }
+  }
 
-  private predicate id(CS::ControlFlowElement x, CS::ControlFlowElement y) { x = y }
+  int getId(PhiInputEdgeBlock bb) {
+    idOf(bb.getFirstNode().getElement(), result)
+    or
+    idOf(bb.(CS::ControlFlow::BasicBlocks::EntryBlock).getCallable(), result)
+  }
 
-  private predicate idOf(CS::ControlFlowElement x, int y) = equivalenceRelation(id/2)(x, y)
+  private string getSplitString(PhiInputEdgeBlock bb) {
+    result = bb.getFirstNode().(CS::ControlFlow::Nodes::ElementNode).getSplitsString()
+    or
+    not exists(bb.getFirstNode().(CS::ControlFlow::Nodes::ElementNode).getSplitsString()) and
+    result = ""
+  }
 
-  int getId(BasicBlock bb) { idOf(bb.getFirstNode().getElement(), result) }
+  /**
+   * Holds if `inp` is an input to `phi` along `edge` and this input has index `r`
+   * in an arbitrary 1-based numbering of the input edges to `phi`.
+   */
+  predicate rankedPhiInput(SsaPhiNode phi, SsaVariable inp, SsaReadPositionPhiInputEdge edge, int r) {
+    edge.phiInput(phi, inp) and
+    edge =
+      rank[r](SsaReadPositionPhiInputEdge e |
+        e.phiInput(phi, _)
+      |
+        e order by getId(e.getOrigBlock()), getSplitString(e.getOrigBlock())
+      )
+  }
 }