github
diff --git a/‎csharp/ql/src/semmle/code/csharp/Assignable.qll‎
Lines changed: 13 additions & 1 deletion b/‎csharp/ql/src/semmle/code/csharp/Assignable.qll‎
Lines changed: 13 additions & 1 deletion
diff --git a/‎csharp/ql/src/semmle/code/csharp/Stmt.qll‎
Lines changed: 3 additions & 0 deletions b/‎csharp/ql/src/semmle/code/csharp/Stmt.qll‎
Lines changed: 3 additions & 0 deletions
diff --git a/‎csharp/ql/src/semmle/code/csharp/controlflow/Guards.qll‎
Lines changed: 64 additions & 0 deletions b/‎csharp/ql/src/semmle/code/csharp/controlflow/Guards.qll‎
Lines changed: 64 additions & 0 deletions
@@ -39,6 +39,12 @@ class AssignableMemberAccess extends MemberAccess, AssignableAccess {
   override AssignableMember getTarget() { result = AssignableAccess.super.getTarget() }
 }
 
+private predicate nameOfChild(NameOfExpr noe, Expr child) {
+  child = noe
+  or
+  exists(Expr mid | nameOfChild(noe, mid) | child = mid.getAChildExpr())
+}
+
 /**
  * An access to an assignable that reads the underlying value. Either a
  * variable read (`VariableRead`), a property read (`PropertyRead`), an
@@ -67,7 +73,7 @@ class AssignableRead extends AssignableAccess {
       or
       this = any(AssignableDefinitions::AddressOfDefinition def).getTargetAccess()
     ) and
-    not this = any(NameOfExpr noe).getAChildExpr*()
+    not nameOfChild(_, this)
   }
 
   /**
@@ -669,6 +675,9 @@ module AssignableDefinitions {
 
     IsPatternDefinition() { this = TIsPatternDefinition(ipe) }
 
+    /** Gets the underlying `is` expression. */
+    IsPatternExpr getIsPatternExpr() { result = ipe }
+
     /** Gets the underlying local variable declaration. */
     LocalVariableDeclExpr getDeclaration() { result = ipe.getVariableDeclExpr() }
 
@@ -696,6 +705,9 @@ module AssignableDefinitions {
 
     TypeCasePatternDefinition() { this = TTypeCasePatternDefinition(tc) }
 
+    /** Gets the underlying `case` statement. */
+    TypeCase getTypeCase() { result = tc }
+
     /** Gets the underlying local variable declaration. */
     LocalVariableDeclExpr getDeclaration() { result = tc.getVariableDeclExpr() }
 
 
@@ -262,6 +262,9 @@ class CaseStmt extends Stmt, @case {
    * ```
    */
   Expr getCondition() { result = this.getChild(2) }
+
+  /** Gets the `switch` statement that this `case` statement belongs to. */
+  SwitchStmt getSwitchStmt() { result.getACase() = this }
 }
 
 /**
 
@@ -581,13 +581,77 @@ class GuardedControlFlowNode extends ControlFlow::Nodes::ElementNode {
   }
 }
 
+/**
+ * A guarded data flow node. A guarded data flow node is like a guarded expression
+ * (`GuardedExpr`), except control flow graph splitting is taken into account. That
+ * is, one data flow node belonging to an expression may be guarded, while another
+ * split need not be guarded:
+ *
+ * ```
+ * if (b)
+ *     if (x == null)
+ *         return;
+ * x.ToString();
+ * if (b)
+ *     ...
+ * ```
+ *
+ * In the example above, the node for `x.ToString()` is null-guarded in the
+ * split `b == true`, but not in the split `b == false`.
+ */
+class GuardedDataFlowNode extends DataFlow::ExprNode {
+  private Guard g;
+  private AccessOrCallExpr sub0;
+  private AbstractValue v0;
+
+  GuardedDataFlowNode() {
+    exists(ControlFlow::Nodes::ElementNode cfn |
+      exists(this.getExprAtNode(cfn)) |
+      isGuardedByNode(cfn, g, sub0, v0)
+    )
+  }
+
+  /**
+   * Gets an expression that guards this data flow node. That is, this data flow
+   * node is only reached when the returned expression has abstract value `v`.
+   *
+   * The expression `sub` is a sub expression of the guarding expression that is
+   * structurally equal to the expression belonging to this data flow node.
+   *
+   * In case this data flow node or `sub` accesses an SSA variable in its
+   * left-most qualifier, then so must the other (accessing the same SSA
+   * variable).
+   */
+  Expr getAGuard(Expr sub, AbstractValue v) {
+    result = g and
+    sub = sub0 and
+    v = v0
+  }
+
+  /**
+   * Holds if this data flow node must have abstract value `v`. That is, this
+   * data flow node is guarded by a structurally equal expression having
+   * abstract value `v`.
+   */
+  predicate mustHaveValue(AbstractValue v) {
+    exists(Expr e | e = this.getAGuard(e, v))
+  }
+}
+
 /** An expression guarded by a `null` check. */
 class NullGuardedExpr extends GuardedExpr {
   NullGuardedExpr() {
     this.mustHaveValue(any(NullValue v | not v.isNull()))
   }
 }
 
+/** A data flow node guarded by a `null` check. */
+class NullGuardedDataFlowNode extends GuardedDataFlowNode {
+  NullGuardedDataFlowNode() {
+    this.mustHaveValue(any(NullValue v | not v.isNull()))
+  }
+}
+
 /** INTERNAL: Do not use. */
 module Internal {
   private import ControlFlow::Internal
Original file line number	Diff line number	Diff line change
`@@ -262,6 +262,9 @@ class CaseStmt extends Stmt, @case {`
`262`	`262`	* ```
`263`	`263`	`*/`
`264`	`264`	`Expr getCondition() { result = this.getChild(2) }`
	`265`	`+`
	`266`	+ /** Gets the `switch` statement that this `case` statement belongs to. */
	`267`	`+ SwitchStmt getSwitchStmt() { result.getACase() = this }`
`265`	`268`	`}`
`266`	`269`
`267`	`270`	`/**`