github
diff --git a/‎csharp/ql/src/semmle/code/csharp/Assignable.qll‎
Lines changed: 13 additions & 1 deletion b/‎csharp/ql/src/semmle/code/csharp/Assignable.qll‎
Lines changed: 13 additions & 1 deletion
diff --git a/‎csharp/ql/src/semmle/code/csharp/Stmt.qll‎
Lines changed: 3 additions & 0 deletions b/‎csharp/ql/src/semmle/code/csharp/Stmt.qll‎
Lines changed: 3 additions & 0 deletions
diff --git a/‎csharp/ql/src/semmle/code/csharp/controlflow/ControlFlowGraph.qll‎
Lines changed: 14 additions & 7 deletions b/‎csharp/ql/src/semmle/code/csharp/controlflow/ControlFlowGraph.qll‎
Lines changed: 14 additions & 7 deletions
diff --git a/‎csharp/ql/src/semmle/code/csharp/controlflow/Guards.qll‎
Lines changed: 158 additions & 17 deletions b/‎csharp/ql/src/semmle/code/csharp/controlflow/Guards.qll‎
Lines changed: 158 additions & 17 deletions
@@ -39,6 +39,12 @@ class AssignableMemberAccess extends MemberAccess, AssignableAccess {
   override AssignableMember getTarget() { result = AssignableAccess.super.getTarget() }
 }
 
+private predicate nameOfChild(NameOfExpr noe, Expr child) {
+  child = noe
+  or
+  exists(Expr mid | nameOfChild(noe, mid) | child = mid.getAChildExpr())
+}
+
 /**
  * An access to an assignable that reads the underlying value. Either a
  * variable read (`VariableRead`), a property read (`PropertyRead`), an
@@ -67,7 +73,7 @@ class AssignableRead extends AssignableAccess {
       or
       this = any(AssignableDefinitions::AddressOfDefinition def).getTargetAccess()
     ) and
-    not this = any(NameOfExpr noe).getAChildExpr*()
+    not nameOfChild(_, this)
   }
 
   /**
@@ -696,6 +702,9 @@ module AssignableDefinitions {
 
     IsPatternDefinition() { this = TIsPatternDefinition(ipe) }
 
+    /** Gets the underlying `is` expression. */
+    IsPatternExpr getIsPatternExpr() { result = ipe }
+
     /** Gets the underlying local variable declaration. */
     LocalVariableDeclExpr getDeclaration() { result = ipe.getVariableDeclExpr() }
 
@@ -721,6 +730,9 @@ module AssignableDefinitions {
 
     TypeCasePatternDefinition() { this = TTypeCasePatternDefinition(tc) }
 
+    /** Gets the underlying `case` statement. */
+    TypeCase getTypeCase() { result = tc }
+
     /** Gets the underlying local variable declaration. */
     LocalVariableDeclExpr getDeclaration() { result = tc.getVariableDeclExpr() }
 
 
@@ -262,6 +262,9 @@ class CaseStmt extends Stmt, @case {
    * ```
    */
   Expr getCondition() { result = this.getChild(2) }
+
+  /** Gets the `switch` statement that this `case` statement belongs to. */
+  SwitchStmt getSwitchStmt() { result.getACase() = this }
 }
 
 /**
 
@@ -867,6 +867,8 @@ module ControlFlow {
      * pre-order.
      */
     private module Successor {
+      private import semmle.code.csharp.ExprOrStmtParent
+
       /**
        * A control flow element where the children are evaluated following a
        * standard left-to-right evaluation. The actual evaluation order is
@@ -2436,11 +2438,16 @@ module ControlFlow {
        * Gets the control flow element that is first executed when entering
        * callable `c`.
        */
-      ControlFlowElement succEntry(Callable c) {
-        if exists(c.(Constructor).getInitializer()) then
-          result = first(c.(Constructor).getInitializer())
-        else
-          result = first(c.getBody())
+      ControlFlowElement succEntry(@top_level_exprorstmt_parent p) {
+        p = any(Callable c |
+            if exists(c.(Constructor).getInitializer()) then
+              result = first(c.(Constructor).getInitializer())
+            else
+              result = first(c.getBody())
+          )
+        or
+        expr_parent_top_level_adjusted(any(Expr e | result = first(e)), _, p) and
+        not p instanceof Callable
       }
 
       /**
@@ -3807,8 +3814,8 @@ module ControlFlow {
        * Holds if `succ` with splits `succSplits` is the first element that is executed
        * when entering callable `pred`.
        */
-      pragma [noinline]
-      predicate succEntrySplits(Callable pred, ControlFlowElement succ, Splits succSplits, SuccessorType t) {
+      pragma[noinline]
+      predicate succEntrySplits(@top_level_exprorstmt_parent pred, ControlFlowElement succ, Splits succSplits, SuccessorType t) {
         succ = succEntry(pred) and
         t instanceof NormalSuccessor and
         succSplits = TSplitsNil() // initially no splits
 
@@ -417,26 +417,30 @@ class AccessOrCallExpr extends Expr {
    * An expression can have more than one SSA qualifier in the presence
    * of control flow splitting.
    */
-  Ssa::Definition getAnSsaQualifier() { result = getAnSsaQualifier(this) }
+  Ssa::Definition getAnSsaQualifier(ControlFlow::Node cfn) {
+    result = getAnSsaQualifier(this, cfn)
+  }
 }
 
 private Declaration getDeclarationTarget(Expr e) {
   e = any(AssignableAccess aa | result = aa.getTarget()) or
   result = e.(Call).getTarget()
 }
 
-private Ssa::Definition getAnSsaQualifier(Expr e) {
-  e = getATrackedAccess(result)
+private Ssa::Definition getAnSsaQualifier(Expr e, ControlFlow::Node cfn) {
+  e = getATrackedAccess(result, cfn)
   or
-  not e = getATrackedAccess(_) and
-  result = getAnSsaQualifier(e.(QualifiableExpr).getQualifier())
+  not e = getATrackedAccess(_, _) and
+  result = getAnSsaQualifier(e.(QualifiableExpr).getQualifier(), cfn)
 }
 
-private AssignableAccess getATrackedAccess(Ssa::Definition def) {
+private AssignableAccess getATrackedAccess(Ssa::Definition def, ControlFlow::Node cfn) {
   (
-    result = def.getARead()
+    result = def.getAReadAtNode(cfn)
     or
-    result = def.(Ssa::ExplicitDefinition).getADefinition().getTargetAccess()
+    result = def.(Ssa::ExplicitDefinition).getADefinition().getTargetAccess() and
+    result.getAControlFlowNode() = cfn and
+    cfn.getBasicBlock() = def.getBasicBlock()
   ) and
   not def instanceof Ssa::ImplicitUntrackedDefinition
 }
@@ -483,7 +487,7 @@ class GuardedExpr extends AccessOrCallExpr {
   private AccessOrCallExpr sub0;
   private AbstractValue v0;
 
-  GuardedExpr() { isGuardedBy(this, g, sub0, v0) }
+  GuardedExpr() { isGuardedByExpr(this, g, sub0, v0) }
 
   /**
    * Gets an expression that guards this expression. That is, this expression is
@@ -525,13 +529,129 @@ class GuardedExpr extends AccessOrCallExpr {
   }
 }
 
+/**
+ * A guarded control flow node. A guarded control flow node is like a guarded
+ * expression (`GuardedExpr`), except control flow graph splitting is taken
+ * into account. That is, one control flow node belonging to an expression may
+ * be guarded, while another split need not be guarded:
+ *
+ * ```
+ * if (b)
+ *     if (x == null)
+ *         return;
+ * x.ToString();
+ * if (b)
+ *     ...
+ * ```
+ *
+ * In the example above, the node for `x.ToString()` is null-guarded in the
+ * split `b == true`, but not in the split `b == false`.
+ */
+class GuardedControlFlowNode extends ControlFlow::Nodes::ElementNode {
+  private Guard g;
+  private AccessOrCallExpr sub0;
+  private AbstractValue v0;
+
+  GuardedControlFlowNode() { isGuardedByNode(this, g, sub0, v0) }
+
+  /**
+   * Gets an expression that guards this control flow node. That is, this control
+   * flow node is only reached when the returned expression has abstract value `v`.
+   *
+   * The expression `sub` is a sub expression of the guarding expression that is
+   * structurally equal to the expression belonging to this control flow node.
+   *
+   * In case this control flow node or `sub` accesses an SSA variable in its
+   * left-most qualifier, then so must the other (accessing the same SSA
+   * variable).
+   */
+  Expr getAGuard(Expr sub, AbstractValue v) {
+    result = g and
+    sub = sub0 and
+    v = v0
+  }
+
+  /**
+   * Holds if this control flow node must have abstract value `v`. That is, this
+   * control flow node is guarded by a structurally equal expression having
+   * abstract value `v`.
+   */
+  predicate mustHaveValue(AbstractValue v) {
+    exists(Expr e | e = this.getAGuard(e, v))
+  }
+}
+
+/**
+ * A guarded data flow node. A guarded data flow node is like a guarded expression
+ * (`GuardedExpr`), except control flow graph splitting is taken into account. That
+ * is, one data flow node belonging to an expression may be guarded, while another
+ * split need not be guarded:
+ *
+ * ```
+ * if (b)
+ *     if (x == null)
+ *         return;
+ * x.ToString();
+ * if (b)
+ *     ...
+ * ```
+ *
+ * In the example above, the node for `x.ToString()` is null-guarded in the
+ * split `b == true`, but not in the split `b == false`.
+ */
+class GuardedDataFlowNode extends DataFlow::ExprNode {
+  private Guard g;
+  private AccessOrCallExpr sub0;
+  private AbstractValue v0;
+
+  GuardedDataFlowNode() {
+    exists(ControlFlow::Nodes::ElementNode cfn |
+      exists(this.getExprAtNode(cfn)) |
+      isGuardedByNode(cfn, g, sub0, v0)
+    )
+  }
+
+  /**
+   * Gets an expression that guards this data flow node. That is, this data flow
+   * node is only reached when the returned expression has abstract value `v`.
+   *
+   * The expression `sub` is a sub expression of the guarding expression that is
+   * structurally equal to the expression belonging to this data flow node.
+   *
+   * In case this data flow node or `sub` accesses an SSA variable in its
+   * left-most qualifier, then so must the other (accessing the same SSA
+   * variable).
+   */
+  Expr getAGuard(Expr sub, AbstractValue v) {
+    result = g and
+    sub = sub0 and
+    v = v0
+  }
+
+  /**
+   * Holds if this data flow node must have abstract value `v`. That is, this
+   * data flow node is guarded by a structurally equal expression having
+   * abstract value `v`.
+   */
+  predicate mustHaveValue(AbstractValue v) {
+    exists(Expr e | e = this.getAGuard(e, v))
+  }
+}
+
 /** An expression guarded by a `null` check. */
 class NullGuardedExpr extends GuardedExpr {
   NullGuardedExpr() {
     this.mustHaveValue(any(NullValue v | not v.isNull()))
   }
 }
 
+/** A data flow node guarded by a `null` check. */
+class NullGuardedDataFlowNode extends GuardedDataFlowNode {
+  NullGuardedDataFlowNode() {
+    this.mustHaveValue(any(NullValue v | not v.isNull()))
+  }
+}
+
 /** INTERNAL: Do not use. */
 module Internal {
   private import ControlFlow::Internal
@@ -653,7 +773,7 @@ module Internal {
      * Holds if control flow node `cfn` only is reached when this guard evaluates to `v`,
      * because of an assertion.
      */
-    private predicate assertionControlsNode(ControlFlow::Node cfn, AbstractValue v) {
+    predicate assertionControlsNode(ControlFlow::Node cfn, AbstractValue v) {
       exists(Assertion a, Guard g, AbstractValue v0 |
         asserts(a, g, v0) and
         impliesSteps(g, v0, this, v)
@@ -1097,30 +1217,51 @@ module Internal {
 
   private cached module Cached {
     pragma[noinline]
-    private predicate isGuardedBy0(ControlFlow::Node cfn, AccessOrCallExpr guarded, Guard g, AccessOrCallExpr sub, AbstractValue v) {
+    private predicate isGuardedByNode0(ControlFlow::Node cfn, AccessOrCallExpr guarded, Guard g, AccessOrCallExpr sub, AbstractValue v) {
       cfn = guarded.getAControlFlowNode() and
       g.controls(cfn.getBasicBlock(), v) and
       exists(ConditionOnExprComparisonConfig c | c.same(sub, guarded))
     }
 
     pragma[noinline]
-    private predicate isGuardedBy1(AccessOrCallExpr guarded, Guard g, AccessOrCallExpr sub, AbstractValue v) {
+    private predicate isGuardedByExpr1(AccessOrCallExpr guarded, Guard g, AccessOrCallExpr sub, AbstractValue v) {
       forex(ControlFlow::Node cfn |
         cfn = guarded.getAControlFlowNode() |
-        isGuardedBy0(cfn, guarded, g, sub, v)
+        isGuardedByNode0(cfn, guarded, g, sub, v)
       )
       or
       g.assertionControlsElement(guarded, v) and
       exists(ConditionOnExprComparisonConfig c | c.same(sub, guarded))
     }
 
     cached
-    predicate isGuardedBy(AccessOrCallExpr guarded, Guard g, AccessOrCallExpr sub, AbstractValue v) {
-      isGuardedBy1(guarded, g, sub, v) and
+    predicate isGuardedByExpr(AccessOrCallExpr guarded, Guard g, AccessOrCallExpr sub, AbstractValue v) {
+      isGuardedByExpr1(guarded, g, sub, v) and
+      sub = g.getAChildExpr*() and
+      forall(Ssa::Definition def |
+        def = sub.getAnSsaQualifier(_) |
+        def = guarded.getAnSsaQualifier(_)
+      )
+    }
+
+    pragma[noinline]
+    private predicate isGuardedByNode1(ControlFlow::Nodes::ElementNode guarded, Guard g, AccessOrCallExpr sub, AbstractValue v) {
+      isGuardedByNode0(guarded, _, g, sub, v)
+      or
+      g.assertionControlsNode(guarded, v) and
+      exists(ConditionOnExprComparisonConfig c | c.same(sub, guarded.getElement()))
+    }
+
+    cached
+    predicate isGuardedByNode(ControlFlow::Nodes::ElementNode guarded, Guard g, AccessOrCallExpr sub, AbstractValue v) {
+      isGuardedByNode1(guarded, g, sub, v) and
       sub = g.getAChildExpr*() and
       forall(Ssa::Definition def |
-        def = sub.getAnSsaQualifier() |
-        def = guarded.getAnSsaQualifier()
+        def = sub.getAnSsaQualifier(_) |
+        exists(ControlFlow::Node cfn |
+          def = guarded.getElement().(AccessOrCallExpr).getAnSsaQualifier(cfn) |
+          cfn.getBasicBlock() = guarded.getBasicBlock()
+        )
       )
     }
Original file line number	Diff line number	Diff line change
`@@ -262,6 +262,9 @@ class CaseStmt extends Stmt, @case {`
`262`	`262`	* ```
`263`	`263`	`*/`
`264`	`264`	`Expr getCondition() { result = this.getChild(2) }`
	`265`	`+`
	`266`	+ /** Gets the `switch` statement that this `case` statement belongs to. */
	`267`	`+ SwitchStmt getSwitchStmt() { result.getACase() = this }`
`265`	`268`	`}`
`266`	`269`
`267`	`270`	`/**`