C#: Use parameter CFG nodes in SSA

Author: hvitved

csharp/ql/lib/semmle/code/csharp/Assignable.qll

@@ -204,7 +204,7 @@ private class RefArg extends AssignableAccess {
   AssignableDefinition getAnAnalyzableRefDef(Parameter p) {
     this.isAnalyzable(p) and
     result.getTarget() = p and
-    not result = TImplicitParameterDefinition(_)
+    not result = TImplicitParameterDefinition(_, _)
   }
 
   /**
@@ -271,6 +271,11 @@ module AssignableInternal {
     def = TPatternDefinition(result)
     or
     def = TAssignOperationDefinition(result)
+    or
+    exists(Parameter p |
+      def = TImplicitParameterDefinition(p, true) and
+      result = p.getDefaultValue()
+    )
   }
 
   /** A local variable declaration at the top-level of a pattern. */
@@ -304,12 +309,18 @@ module AssignableInternal {
         not lvde instanceof TopLevelPatternDecl and
         not lvde.isOutArgument()
       } or
-      TImplicitParameterDefinition(Parameter p) {
+      TImplicitParameterDefinition(Parameter p, boolean isDefault) {
         exists(Callable c | p = c.getAParameter() |
           c.hasBody()
           or
           // Same as `c.(Constructor).hasInitializer()`, but avoids negative recursion warning
           c.getAChildExpr() instanceof @constructor_init_expr
+        ) and
+        (
+          isDefault = false
+          or
+          p.hasDefaultValue() and
+          isDefault = true
         )
       } or
       TAddressOfDefinition(AddressOfExpr aoe) or
@@ -349,6 +360,8 @@ module AssignableInternal {
         any(AssignableDefinitions::PatternDefinition pd | result = pd.getDeclaration().getVariable())
       or
       def = any(AssignableDefinitions::InitializerDefinition init | result = init.getAssignable())
+      or
+      def = TImplicitParameterDefinition(result, _)
     }
 
     // Not defined by dispatch in order to avoid too conservative negative recursion error
@@ -492,11 +505,6 @@ class AssignableDefinition extends TAssignableDefinition {
       exists(Ssa::ExplicitDefinition def | result = def.getAFirstReadAtNode(cfn) |
         this = def.getADefinition()
       )
-      or
-      exists(Ssa::ImplicitParameterDefinition def | result = def.getAFirstReadAtNode(cfn) |
-        this.(AssignableDefinitions::ImplicitParameterDefinition).getParameter() =
-          def.getParameter()
-      )
     )
   }
 
@@ -673,7 +681,7 @@ module AssignableDefinitions {
   class ImplicitParameterDefinition extends AssignableDefinition, TImplicitParameterDefinition {
     Parameter p;
 
-    ImplicitParameterDefinition() { this = TImplicitParameterDefinition(p) }
+    ImplicitParameterDefinition() { this = TImplicitParameterDefinition(p, false) }
 
     /** Gets the underlying parameter. */
     Parameter getParameter() { result = p }
@@ -688,7 +696,32 @@ module AssignableDefinitions {
 
     override string toString() { result = p.toString() }
 
-    override Location getLocation() { result = this.getTarget().getLocation() }
+    override Location getLocation() { result = p.getLocation() }
+  }
+
+  /**
+   * A default value assigned to a parameter.
+   */
+  class ParameterDefaultDefinition extends AssignableDefinition, TImplicitParameterDefinition {
+    Parameter p;
+
+    ParameterDefaultDefinition() { this = TImplicitParameterDefinition(p, true) }
+
+    /** Gets the underlying parameter. */
+    Parameter getParameter() { result = p }
+
+    /** Gets the default value expression for the parameter. */
+    Expr getDefaultValue() { result = p.getDefaultValue() }
+
+    override Expr getSource() { result = p.getDefaultValue() }
+
+    override Expr getElement() { result = p.getDefaultValue() }
+
+    override Callable getEnclosingCallable() { result = p.getCallable() }
+
+    override string toString() { result = p.getDefaultValue().toString() }
+
+    override Location getLocation() { result = p.getDefaultValue().getLocation() }
   }
 
   /**

csharp/ql/lib/semmle/code/csharp/controlflow/Guards.qll

@@ -205,7 +205,7 @@ private module LogicInput implements GuardsImpl::LogicInputSig {
     }
   }
 
-  class SsaParameterInit extends SsaDefinition instanceof Ssa::ImplicitParameterDefinition {
+  class SsaParameterInit extends SsaDefinition instanceof Ssa::ParameterDefinition {
     Parameter getParameter() { result = super.getParameter() }
   }
 

csharp/ql/lib/semmle/code/csharp/dataflow/Nullness.qll

@@ -130,7 +130,7 @@ private predicate dereferenceAt(ControlFlowNode node, Ssa::Definition def, Deref
   d = def.getAReadAtNode(node)
 }
 
-private predicate isMaybeNullArgument(Ssa::ImplicitParameterDefinition def, MaybeNullExpr arg) {
+private predicate isMaybeNullArgument(Ssa::ParameterDefinition def, MaybeNullExpr arg) {
   exists(AssignableDefinitions::ImplicitParameterDefinition pdef, Parameter p |
     p = def.getParameter()
   |
@@ -181,7 +181,7 @@ private predicate hasMultipleParamsArguments(Call c) {
   )
 }
 
-private predicate isNullDefaultArgument(Ssa::ImplicitParameterDefinition def, AlwaysNullExpr arg) {
+private predicate isNullDefaultArgument(Ssa::ParameterDefinition def, AlwaysNullExpr arg) {
   exists(AssignableDefinitions::ImplicitParameterDefinition pdef, Parameter p |
     p = def.getParameter()
   |
@@ -337,8 +337,7 @@ class Dereference extends G::DereferenceableExpr {
         or
         p.fromSource() and
         exists(
-          Ssa::ImplicitParameterDefinition def,
-          AssignableDefinitions::ImplicitParameterDefinition pdef
+          Ssa::ParameterDefinition def, AssignableDefinitions::ImplicitParameterDefinition pdef
         |
           p = def.getParameter()
         |

csharp/ql/lib/semmle/code/csharp/dataflow/SSA.qll

@@ -482,8 +482,8 @@ module Ssa {
 
   /**
    * An SSA definition representing the implicit initialization of a variable
-   * at the beginning of a callable. Either a parameter, a local scope variable
-   * captured by the callable, or a field or property accessed inside the callable.
+   * at the beginning of a callable. Either a local scope variable captured by
+   * the callable or a field or property accessed inside the callable.
    */
   class ImplicitEntryDefinition extends ImplicitDefinition {
     ImplicitEntryDefinition() {
@@ -507,34 +507,21 @@ module Ssa {
     override Location getLocation() { result = this.getCallable().getLocation() }
   }
 
-  private module NearestLocationInput implements NearestLocationInputSig {
-    class C = ImplicitParameterDefinition;
-
-    predicate relevantLocations(ImplicitParameterDefinition def, Location l1, Location l2) {
-      not def.getBasicBlock() instanceof EntryBasicBlock and
-      l1 = def.getParameter().getALocation() and
-      l2 = def.getBasicBlock().getLocation()
-    }
-  }
-
-  pragma[nomagic]
-  private predicate implicitEntryDef(ImplicitEntryDefinition def, SourceVariable v, Callable c) {
-    v = def.getSourceVariable() and
-    c = def.getCallable()
-  }
+  deprecated class ImplicitParameterDefinition = ParameterDefinition;
 
   /**
    * An SSA definition representing the implicit initialization of a parameter
    * at the beginning of a callable.
    */
-  class ImplicitParameterDefinition extends ImplicitEntryDefinition {
+  class ParameterDefinition extends ExplicitDefinition {
     private Parameter p;
 
-    ImplicitParameterDefinition() {
-      exists(SourceVariable sv, Callable c |
-        implicitEntryDef(this, sv, c) and
-        localScopeSourceVariable(sv, p, _, c)
-      )
+    ParameterDefinition() {
+      p = ad.(AssignableDefinitions::ImplicitParameterDefinition).getParameter()
+      // exists(SourceVariable sv, Callable c |
+      //   implicitEntryDef(this, sv, c) and
+      //   localScopeSourceVariable(sv, p, _, c)
+      // )
     }
 
     /** Gets the parameter that this entry definition represents. */
@@ -545,14 +532,6 @@ module Ssa {
     override string toString() {
       result = "SSA param(" + pragma[only_bind_out](this.getParameter()) + ")"
     }
-
-    override Location getLocation() {
-      not NearestLocation<NearestLocationInput>::nearestLocation(this, _, _) and
-      result = p.getLocation()
-      or
-      // multi-bodied method: use matching parameter location
-      NearestLocation<NearestLocationInput>::nearestLocation(this, result, _)
-    }
   }
 
   /**

csharp/ql/lib/semmle/code/csharp/dataflow/internal/DataFlowPrivate.qll

@@ -1288,7 +1288,7 @@ private module NearestLocationInputParamAfterCallable implements NearestLocation
 
 private module ParameterNodes {
   pragma[nomagic]
-  private predicate ssaParamDef(Ssa::ImplicitParameterDefinition ssaDef, Parameter p, Location l) {
+  private predicate ssaParamDef(Ssa::ParameterDefinition ssaDef, Parameter p, Location l) {
     p = ssaDef.getParameter() and
     l = ssaDef.getLocation()
   }
@@ -1343,7 +1343,7 @@ private module ParameterNodes {
     }
 
     /** Gets the SSA definition corresponding to this parameter, if any. */
-    Ssa::ImplicitParameterDefinition getSsaDefinition() {
+    Ssa::ParameterDefinition getSsaDefinition() {
       exists(Parameter p, Location l |
         l = this.getParameterLocation(p) and
         ssaParamDef(result, p, l)

csharp/ql/lib/semmle/code/csharp/dataflow/internal/SsaImpl.qll

@@ -126,7 +126,6 @@ private module SourceVariableImpl {
    */
   predicate variableDefinition(BasicBlock bb, int i, Ssa::SourceVariable v, AssignableDefinition ad) {
     ad = v.getADefinition() and
-    ad.getExpr().getControlFlowNode() = bb.getNode(i) and
     // In cases like `(x, x) = (0, 1)`, we discard the first (dead) definition of `x`
     not exists(TupleAssignmentDefinition first, TupleAssignmentDefinition second | first = ad |
       second.getAssignment() = first.getAssignment() and
@@ -136,7 +135,13 @@ private module SourceVariableImpl {
     // In cases like `M(out x, out x)`, there is no inherent evaluation order, so we
     // collapse the two definitions of `x`, using the first access as the representative,
     // and expose both definitions in `ExplicitDefinition.getADefinition()`
-    not ad = getASameOutRefDefAfter(v, _)
+    not ad = getASameOutRefDefAfter(v, _) and
+    (
+      ad.getExpr().getControlFlowNode() = bb.getNode(i)
+      or
+      ad.(AssignableDefinitions::ImplicitParameterDefinition).getParameter().getControlFlowNode() =
+        bb.getNode(i)
+    )
   }
 
   /**
@@ -771,8 +776,6 @@ private module Cached {
       or
       // Each tracked field and property has an implicit entry definition
       v instanceof PlainFieldOrPropSourceVariable
-      or
-      v.getAssignable() instanceof Parameter
     )
   }
 
@@ -963,7 +966,7 @@ private module DataFlowIntegrationInput implements Impl::DataFlowIntegrationInpu
   predicate ssaDefHasSource(WriteDefinition def) {
     // exclude flow directly from RHS to SSA definition, as we instead want to
     // go from RHS to matching assignable definition, and from there to SSA definition
-    def instanceof Ssa::ImplicitParameterDefinition
+    def instanceof Ssa::ParameterDefinition
   }
 
   /**

csharp/ql/test/library-tests/csharp7/DefUse.ql

@@ -6,7 +6,7 @@ where
   (
     ult.(Ssa::ExplicitDefinition).getADefinition() = def
     or
-    ult.(Ssa::ImplicitParameterDefinition).getParameter() =
+    ult.(Ssa::ParameterDefinition).getParameter() =
       def.(AssignableDefinitions::ImplicitParameterDefinition).getParameter()
   ) and
   read = ssaDef.getARead()

csharp/ql/test/library-tests/dataflow/defuse/parameterUseEquivalence.ql

@@ -24,8 +24,7 @@ private LocalScopeVariableRead getAReachableUncertainRead(
   AssignableDefinitions::ImplicitParameterDefinition p
 ) {
   exists(Ssa::Definition ssaDef |
-    p.getParameter() =
-      ssaDef.getAnUltimateDefinition().(Ssa::ImplicitParameterDefinition).getParameter()
+    p.getParameter() = ssaDef.getAnUltimateDefinition().(Ssa::ParameterDefinition).getParameter()
   |
     result = ssaDef.getARead()
   )

csharp/ql/test/library-tests/dataflow/ssa/BaseSsaConsistency.ql

@@ -12,7 +12,7 @@ where
     edef.getADefinition() = def and
     edef.getARead() = ar
   ) and
-  not exists(Ssa::ImplicitParameterDefinition edef |
+  not exists(Ssa::ParameterDefinition edef |
     edef.getParameter() = def.(AssignableDefinitions::ImplicitParameterDefinition).getParameter() and
     edef.getARead() = ar
   )

csharp/ql/test/library-tests/dataflow/ssa/DefAdjacentRead.expected

@@ -62,8 +62,6 @@
 | DefUse.cs:171:23:171:23 | a | DefUse.cs:171:23:180:9 | Action a = ... | DefUse.cs:181:9:181:9 | access to local variable a |
 | DefUse.cs:171:23:171:23 | a | DefUse.cs:186:9:190:9 | ... = ... | DefUse.cs:191:9:191:9 | access to local variable a |
 | DefaultParam.cs:3:20:3:20 | b | DefaultParam.cs:3:20:3:20 | b | DefaultParam.cs:5:16:5:16 | access to parameter b |
-| DefaultParam.cs:3:30:3:30 | s | DefaultParam.cs:3:30:3:30 | s | DefaultParam.cs:5:20:5:20 | access to parameter s |
-| DefaultParam.cs:3:42:3:42 | i | DefaultParam.cs:3:42:3:42 | i | DefaultParam.cs:5:24:5:24 | access to parameter i |
 | Example.cs:4:9:4:13 | Field | Example.cs:8:9:8:22 | ... = ... | Example.cs:9:13:9:22 | access to field Field |
 | Example.cs:6:23:6:23 | i | Example.cs:6:23:6:23 | i | Example.cs:8:22:8:22 | access to parameter i |
 | Example.cs:18:16:18:16 | p | Example.cs:18:16:18:16 | p | Example.cs:22:17:22:17 | access to parameter p |