Java, C#: cleanup sign analysis

tamasvajk · tamasvajk · commit 37fc1d6f0fbd · 2020-10-02T09:09:23.000+02:00
Add missing QL doc, improve readability
diff --git a/csharp/ql/src/semmle/code/csharp/dataflow/internal/rangeanalysis/SignAnalysisCommon.qll b/csharp/ql/src/semmle/code/csharp/dataflow/internal/rangeanalysis/SignAnalysisCommon.qll
@@ -11,7 +11,7 @@ private import SsaReadPositionCommon
 private import Sign
 
 /** Gets the sign of `e` if this can be directly determined. */
-Sign certainExprSign(Expr e) {
+private Sign certainExprSign(Expr e) {
   exists(int i | e.(ConstantIntegerExpr).getIntValue() = i |
     i < 0 and result = TNeg()
     or
@@ -185,29 +185,32 @@ private predicate hasGuard(SsaVariable v, SsaReadPosition pos, Sign s) {
   s = TZero() and zeroBound(_, v, pos)
 }
 
+/**
+ * Gets a possible sign of `v` at `pos` based on its definition, where the sign
+ * might be ruled out by a guard.
+ */
 pragma[noinline]
 private Sign guardedSsaSign(SsaVariable v, SsaReadPosition pos) {
-  // SSA variable can have sign `result`
   result = ssaDefSign(v) and
   pos.hasReadOfVar(v) and
-  // there are guards at this position on `v` that might restrict it to be sign `result`.
-  // (So we need to check if they are satisfied)
   hasGuard(v, pos, result)
 }
 
+/**
+ * Gets a possible sign of `v` at `pos` based on its definition, where no guard
+ * can rule it out.
+ */
 pragma[noinline]
 private Sign unguardedSsaSign(SsaVariable v, SsaReadPosition pos) {
-  // SSA variable can have sign `result`
   result = ssaDefSign(v) and
   pos.hasReadOfVar(v) and
-  // there's no guard at this position on `v` that might restrict it to be sign `result`.
   not hasGuard(v, pos, result)
 }
 
 /**
- * Gets the sign of `v` at read position `pos`, when there's at least one guard
- * on `v` at position `pos`. Each bound corresponding to a given sign must be met
- * in order for `v` to be of that sign.
+ * Gets a possible sign of `v` at read position `pos`, where a guard could have
+ * ruled out the sign but does not.
+ * This does not check that the definition of `v` also allows the sign.
  */
 private Sign guardedSsaSignOk(SsaVariable v, SsaReadPosition pos) {
   result = TPos() and
@@ -221,7 +224,7 @@ private Sign guardedSsaSignOk(SsaVariable v, SsaReadPosition pos) {
 }
 
 /** Gets a possible sign for `v` at `pos`. */
-Sign ssaSign(SsaVariable v, SsaReadPosition pos) {
+private Sign ssaSign(SsaVariable v, SsaReadPosition pos) {
   result = unguardedSsaSign(v, pos)
   or
   result = guardedSsaSign(v, pos) and
@@ -230,7 +233,7 @@ Sign ssaSign(SsaVariable v, SsaReadPosition pos) {
 
 /** Gets a possible sign for `v`. */
 pragma[nomagic]
-Sign ssaDefSign(SsaVariable v) {
+private Sign ssaDefSign(SsaVariable v) {
   result = explicitSsaDefSign(v)
   or
   result = implicitSsaDefSign(v)
@@ -250,18 +253,23 @@ Sign exprSign(Expr e) {
     or
     not exists(certainExprSign(e)) and
     (
-      unknownSign(e)
+      anySign(s) and unknownSign(e)
       or
-      exists(SsaVariable v | getARead(v) = e | s = ssaVariableSign(v, e))
+      exists(SsaVariable v | getARead(v) = e |
+        s = ssaSign(v, any(SsaReadPositionBlock bb | getAnExpression(bb) = e))
+        or
+        not exists(SsaReadPositionBlock bb | getAnExpression(bb) = e) and
+        s = ssaDefSign(v)
+      )
       or
-      e =
-        any(VarAccess access |
-          not exists(SsaVariable v | getARead(v) = access) and
-          (
-            s = fieldSign(getField(access.(FieldAccess))) or
-            not access instanceof FieldAccess
-          )
+      exists(VarAccess access | access = e |
+        not exists(SsaVariable v | getARead(v) = access) and
+        (
+          s = fieldSign(getField(access.(FieldAccess)))
+          or
+          anySign(s) and not access instanceof FieldAccess
         )
+      )
       or
       s = specificSubExprSign(e)
     )
@@ -272,6 +280,12 @@ Sign exprSign(Expr e) {
   )
 }
 
+/**
+ * Dummy predicate that holds for any sign. This is added to improve readability
+ * of cases where the sign is unrestricted.
+ */
+predicate anySign(Sign s) { any() }
+
 /** Holds if `e` can be positive and cannot be negative. */
 predicate positive(Expr e) {
   exprSign(e) = TPos() and
diff --git a/csharp/ql/src/semmle/code/csharp/dataflow/internal/rangeanalysis/SignAnalysisSpecific.qll b/csharp/ql/src/semmle/code/csharp/dataflow/internal/rangeanalysis/SignAnalysisSpecific.qll
@@ -48,6 +48,10 @@ private module Impl {
 
   private class BooleanValue = AbstractValues::BooleanValue;
 
+  /**
+   * Gets the value of the expression if it can't be converted to integer, but
+   * can be converted to float.
+   */
   float getNonIntegerValue(Expr e) {
     exists(string s |
       s = e.getValue() and
@@ -56,8 +60,13 @@ private module Impl {
     )
   }
 
+  /** Gets the character value of expression `e`. */
   string getCharValue(Expr e) { result = e.getValue() and e.getType() instanceof CharType }
 
+  /**
+   * Holds if `e` is an access to the size of a container (`string`, `Array`,
+   * `IEnumerable`, or `ICollection`).
+   */
   predicate containerSizeAccess(Expr e) {
     exists(Property p | p = e.(PropertyAccess).getTarget() |
       propertyOverrides(p, "System.Collections.Generic.IEnumerable<>", "Count") or
@@ -69,6 +78,7 @@ private module Impl {
     e instanceof CountCall
   }
 
+  /** Holds if `e` is by definition strictly positive. */
   predicate positiveExpression(Expr e) { e instanceof SizeofExpr }
 
   abstract class NumericOrCharType extends Type { }
@@ -97,10 +107,12 @@ private module Impl {
     }
   }
 
+  /** Returns the sign of explicit SSA definition `v`. */
   Sign explicitSsaDefSign(Ssa::ExplicitDefinition v) {
     exists(AssignableDefinition def | def = v.getADefinition() |
       result = exprSign(def.getSource())
       or
+      anySign(result) and
       not exists(def.getSource()) and
       not def.getElement() instanceof MutatorOperation
       or
@@ -110,14 +122,11 @@ private module Impl {
     )
   }
 
+  /** Returns the sign of implicit SSA definition `v`. */
   Sign implicitSsaDefSign(Ssa::ImplicitDefinition v) {
-    result = fieldSign(v.getSourceVariable().getAssignable()) or
-    not v.getSourceVariable().getAssignable() instanceof Field
-  }
-
-  pragma[inline]
-  Sign ssaVariableSign(Ssa::Definition v, Expr e) {
-    result = ssaSign(v, any(SsaReadPositionBlock bb | getAnExpression(bb) = e))
+    result = fieldSign(v.getSourceVariable().getAssignable())
+    or
+    anySign(result) and not v.getSourceVariable().getAssignable() instanceof Field
   }
 
   /** Gets a possible sign for `f`. */
@@ -133,9 +142,12 @@ private module Impl {
       exists(AssignOperation a | a.getLValue() = f.getAnAccess() | result = exprSign(a))
       or
       not exists(f.getInitializer()) and result = TZero()
-    else any()
+    else anySign(result)
   }
 
+  /**
+   * Holds if `e` has type `NumericOrCharType`, but the sign of `e` is unknown.
+   */
   predicate unknownIntegerAccess(Expr e) {
     e.getType() instanceof NumericOrCharType and
     not e = getARead(_) and
@@ -171,6 +183,7 @@ private module Impl {
     not e instanceof NullCoalescingExpr
   }
 
+  /** Gets a possible sign for `e` from the signs of its child nodes. */
   Sign specificSubExprSign(Expr e) {
     // The expression types that are handled here should be excluded in `unknownIntegerAccess`.
     // Keep them in sync.
diff --git a/java/ql/src/semmle/code/java/dataflow/internal/rangeanalysis/SignAnalysisCommon.qll b/java/ql/src/semmle/code/java/dataflow/internal/rangeanalysis/SignAnalysisCommon.qll
@@ -11,7 +11,7 @@ private import SsaReadPositionCommon
 private import Sign
 
 /** Gets the sign of `e` if this can be directly determined. */
-Sign certainExprSign(Expr e) {
+private Sign certainExprSign(Expr e) {
   exists(int i | e.(ConstantIntegerExpr).getIntValue() = i |
     i < 0 and result = TNeg()
     or
@@ -185,29 +185,32 @@ private predicate hasGuard(SsaVariable v, SsaReadPosition pos, Sign s) {
   s = TZero() and zeroBound(_, v, pos)
 }
 
+/**
+ * Gets a possible sign of `v` at `pos` based on its definition, where the sign
+ * might be ruled out by a guard.
+ */
 pragma[noinline]
 private Sign guardedSsaSign(SsaVariable v, SsaReadPosition pos) {
-  // SSA variable can have sign `result`
   result = ssaDefSign(v) and
   pos.hasReadOfVar(v) and
-  // there are guards at this position on `v` that might restrict it to be sign `result`.
-  // (So we need to check if they are satisfied)
   hasGuard(v, pos, result)
 }
 
+/**
+ * Gets a possible sign of `v` at `pos` based on its definition, where no guard
+ * can rule it out.
+ */
 pragma[noinline]
 private Sign unguardedSsaSign(SsaVariable v, SsaReadPosition pos) {
-  // SSA variable can have sign `result`
   result = ssaDefSign(v) and
   pos.hasReadOfVar(v) and
-  // there's no guard at this position on `v` that might restrict it to be sign `result`.
   not hasGuard(v, pos, result)
 }
 
 /**
- * Gets the sign of `v` at read position `pos`, when there's at least one guard
- * on `v` at position `pos`. Each bound corresponding to a given sign must be met
- * in order for `v` to be of that sign.
+ * Gets a possible sign of `v` at read position `pos`, where a guard could have
+ * ruled out the sign but does not.
+ * This does not check that the definition of `v` also allows the sign.
  */
 private Sign guardedSsaSignOk(SsaVariable v, SsaReadPosition pos) {
   result = TPos() and
@@ -221,7 +224,7 @@ private Sign guardedSsaSignOk(SsaVariable v, SsaReadPosition pos) {
 }
 
 /** Gets a possible sign for `v` at `pos`. */
-Sign ssaSign(SsaVariable v, SsaReadPosition pos) {
+private Sign ssaSign(SsaVariable v, SsaReadPosition pos) {
   result = unguardedSsaSign(v, pos)
   or
   result = guardedSsaSign(v, pos) and
@@ -230,7 +233,7 @@ Sign ssaSign(SsaVariable v, SsaReadPosition pos) {
 
 /** Gets a possible sign for `v`. */
 pragma[nomagic]
-Sign ssaDefSign(SsaVariable v) {
+private Sign ssaDefSign(SsaVariable v) {
   result = explicitSsaDefSign(v)
   or
   result = implicitSsaDefSign(v)
@@ -250,18 +253,23 @@ Sign exprSign(Expr e) {
     or
     not exists(certainExprSign(e)) and
     (
-      unknownSign(e)
+      anySign(s) and unknownSign(e)
       or
-      exists(SsaVariable v | getARead(v) = e | s = ssaVariableSign(v, e))
+      exists(SsaVariable v | getARead(v) = e |
+        s = ssaSign(v, any(SsaReadPositionBlock bb | getAnExpression(bb) = e))
+        or
+        not exists(SsaReadPositionBlock bb | getAnExpression(bb) = e) and
+        s = ssaDefSign(v)
+      )
       or
-      e =
-        any(VarAccess access |
-          not exists(SsaVariable v | getARead(v) = access) and
-          (
-            s = fieldSign(getField(access.(FieldAccess))) or
-            not access instanceof FieldAccess
-          )
+      exists(VarAccess access | access = e |
+        not exists(SsaVariable v | getARead(v) = access) and
+        (
+          s = fieldSign(getField(access.(FieldAccess)))
+          or
+          anySign(s) and not access instanceof FieldAccess
         )
+      )
       or
       s = specificSubExprSign(e)
     )
@@ -272,6 +280,12 @@ Sign exprSign(Expr e) {
   )
 }
 
+/**
+ * Dummy predicate that holds for any sign. This is added to improve readability
+ * of cases where the sign is unrestricted.
+ */
+predicate anySign(Sign s) { any() }
+
 /** Holds if `e` can be positive and cannot be negative. */
 predicate positive(Expr e) {
   exprSign(e) = TPos() and
diff --git a/java/ql/src/semmle/code/java/dataflow/internal/rangeanalysis/SignAnalysisSpecific.qll b/java/ql/src/semmle/code/java/dataflow/internal/rangeanalysis/SignAnalysisSpecific.qll
