Merge pull request github#1982 from hvitved/csharp/null-maybe-dynamic

calumgrant · web-flow · commit b31cd8ab3233 · 2019-09-20T14:46:01.000+01:00
C#: Remove false positives from `cs/dereferenced-value-may-be-null`
diff --git a/change-notes/1.23/analysis-csharp.md b/change-notes/1.23/analysis-csharp.md
@@ -15,6 +15,7 @@ The following changes in version 1.23 affect C# analysis in all applications.
 
 | **Query**                    | **Expected impact**    | **Change**                        |
 |------------------------------|------------------------|-----------------------------------|
+| Dereferenced variable may be null (`cs/dereferenced-value-may-be-null`) | Fewer false positive results | More `null` checks are now taken into account, including `null` checks for `dynamic` expressions and `null` checks such as `object alwaysNull = null; if (x != alwaysNull) ...`. |
 
 ## Removal of old queries
 
diff --git a/csharp/ql/src/semmle/code/csharp/commons/ComparisonTest.qll b/csharp/ql/src/semmle/code/csharp/commons/ComparisonTest.qll
@@ -121,7 +121,10 @@ private newtype TComparisonTest =
     )
   } or
   TComparisonOperatorCall(OperatorCall oc, ComparisonKind kind, Expr first, Expr second) {
-    exists(Operator o | o = oc.getTarget() |
+    exists(Operator o |
+      o = oc.getTarget() or
+      o.getName() = oc.(DynamicOperatorCall).getLateBoundTargetName()
+    |
       o instanceof EQOperator and
       kind.isEquality() and
       first = oc.getArgument(0) and
diff --git a/csharp/ql/src/semmle/code/csharp/controlflow/Guards.qll b/csharp/ql/src/semmle/code/csharp/controlflow/Guards.qll
@@ -277,11 +277,12 @@ class DereferenceableExpr extends Expr {
   private Expr getABooleanNullCheck(BooleanValue v, boolean isNull) {
     exists(boolean branch | branch = v.getValue() |
       // Comparison with `null`, for example `x != null`
-      exists(ComparisonTest ct, ComparisonKind ck, NullLiteral nl |
+      exists(ComparisonTest ct, ComparisonKind ck, Expr e |
         ct.getExpr() = result and
         ct.getAnArgument() = this and
-        ct.getAnArgument() = nl and
-        this != nl and
+        ct.getAnArgument() = e and
+        e = any(NullValue nv | nv.isNull()).getAnExpr() and
+        this != e and
         ck = ct.getComparisonKind()
       |
         ck.isEquality() and isNull = branch
diff --git a/csharp/ql/test/library-tests/commons/ComparisonTest/ComparisonTest.cs b/csharp/ql/test/library-tests/commons/ComparisonTest/ComparisonTest.cs
@@ -106,4 +106,16 @@ void M(int x, int y)
             b = x.CompareTo(y).CompareTo(0).CompareTo(1) == 0;
         }
     }
+
+    void DynamicComparisons(object o1, object o2)
+    {
+        dynamic d1 = o1;
+        dynamic d2 = o2;
+        var b = d1 == d2;
+        b = d1 != d2;
+        b = d1 > d2;
+        b = d1 < d2;
+        b = d1 >= d2;
+        b = d1 <= d2;
+    }
 }
diff --git a/csharp/ql/test/library-tests/commons/ComparisonTest/comparisonTest.expected b/csharp/ql/test/library-tests/commons/ComparisonTest/comparisonTest.expected
@@ -62,3 +62,9 @@
 | ComparisonTest.cs:106:17:106:61 | ... == ... | < | ComparisonTest.cs:106:42:106:42 | 0 | ComparisonTest.cs:106:17:106:30 | call to method CompareTo |
 | ComparisonTest.cs:106:17:106:61 | ... == ... | = | ComparisonTest.cs:106:17:106:43 | call to method CompareTo | ComparisonTest.cs:106:55:106:55 | 1 |
 | ComparisonTest.cs:106:17:106:61 | ... == ... | = | ComparisonTest.cs:106:17:106:56 | call to method CompareTo | ComparisonTest.cs:106:61:106:61 | 0 |
+| ComparisonTest.cs:114:17:114:24 | dynamic call to operator == | = | ComparisonTest.cs:114:17:114:18 | access to local variable d1 | ComparisonTest.cs:114:23:114:24 | access to local variable d2 |
+| ComparisonTest.cs:115:13:115:20 | dynamic call to operator != | != | ComparisonTest.cs:115:13:115:14 | access to local variable d1 | ComparisonTest.cs:115:19:115:20 | access to local variable d2 |
+| ComparisonTest.cs:116:13:116:19 | dynamic call to operator > | < | ComparisonTest.cs:116:18:116:19 | access to local variable d2 | ComparisonTest.cs:116:13:116:14 | access to local variable d1 |
+| ComparisonTest.cs:117:13:117:19 | dynamic call to operator < | < | ComparisonTest.cs:117:13:117:14 | access to local variable d1 | ComparisonTest.cs:117:18:117:19 | access to local variable d2 |
+| ComparisonTest.cs:118:13:118:20 | dynamic call to operator >= | <= | ComparisonTest.cs:118:19:118:20 | access to local variable d2 | ComparisonTest.cs:118:13:118:14 | access to local variable d1 |
+| ComparisonTest.cs:119:13:119:20 | dynamic call to operator <= | <= | ComparisonTest.cs:119:13:119:14 | access to local variable d1 | ComparisonTest.cs:119:19:119:20 | access to local variable d2 |
diff --git a/csharp/ql/test/query-tests/Nullness/E.cs b/csharp/ql/test/query-tests/Nullness/E.cs
@@ -342,6 +342,26 @@ static void Ex30(string s, object o)
         var x = s ?? o as string;
         x.ToString(); // BAD (maybe)
     }
+
+    static void Ex31(string s, object o)
+    {
+        dynamic x = s ?? o as string;
+        x.ToString(); // BAD (maybe)
+    }
+
+    static void Ex32(string s, object o)
+    {
+        dynamic x = s ?? o as string;
+        if (x != null)
+            x.ToString(); // GOOD
+    }
+
+    static void Ex33(string s, object o)
+    {
+        var x = s ?? o as string;
+        if (x != (string)null)
+            x.ToString(); // GOOD
+    }
 }
 
 public static class Extensions
diff --git a/csharp/ql/test/query-tests/Nullness/EqualityCheck.expected b/csharp/ql/test/query-tests/Nullness/EqualityCheck.expected
@@ -216,6 +216,10 @@
 | E.cs:293:13:293:24 | ... == ... | true | E.cs:293:15:293:19 | call to method M2 | E.cs:293:24:293:24 | (...) ... |
 | E.cs:293:13:293:24 | ... == ... | true | E.cs:293:24:293:24 | (...) ... | E.cs:293:15:293:19 | call to method M2 |
 | E.cs:321:13:321:30 | ... is ... | true | E.cs:321:14:321:21 | ... ?? ... | E.cs:321:27:321:30 | null |
+| E.cs:355:13:355:21 | dynamic call to operator != | false | E.cs:355:13:355:13 | access to local variable x | E.cs:355:18:355:21 | null |
+| E.cs:355:13:355:21 | dynamic call to operator != | false | E.cs:355:18:355:21 | null | E.cs:355:13:355:13 | access to local variable x |
+| E.cs:362:13:362:29 | ... != ... | false | E.cs:362:13:362:13 | access to local variable x | E.cs:362:18:362:29 | (...) ... |
+| E.cs:362:13:362:29 | ... != ... | false | E.cs:362:18:362:29 | (...) ... | E.cs:362:13:362:13 | access to local variable x |
 | Forwarding.cs:59:13:59:21 | ... == ... | true | Forwarding.cs:59:13:59:13 | access to parameter o | Forwarding.cs:59:18:59:21 | null |
 | Forwarding.cs:59:13:59:21 | ... == ... | true | Forwarding.cs:59:18:59:21 | null | Forwarding.cs:59:13:59:13 | access to parameter o |
 | Forwarding.cs:78:16:78:39 | call to method ReferenceEquals | true | Forwarding.cs:78:32:78:32 | access to parameter o | Forwarding.cs:78:35:78:38 | null |
diff --git a/csharp/ql/test/query-tests/Nullness/Implications.expected b/csharp/ql/test/query-tests/Nullness/Implications.expected
diff --git a/csharp/ql/test/query-tests/Nullness/NullCheck.expected b/csharp/ql/test/query-tests/Nullness/NullCheck.expected
diff --git a/csharp/ql/test/query-tests/Nullness/NullMaybe.expected b/csharp/ql/test/query-tests/Nullness/NullMaybe.expected

Original file line number	Diff line number	Diff line change
`@@ -106,4 +106,16 @@ void M(int x, int y)`
`106`	`106`	`b = x.CompareTo(y).CompareTo(0).CompareTo(1) == 0;`
`107`	`107`	`}`
`108`	`108`	`}`
	`109`	`+`
	`110`	`+ void DynamicComparisons(object o1, object o2)`
	`111`	`+ {`
	`112`	`+ dynamic d1 = o1;`
	`113`	`+ dynamic d2 = o2;`
	`114`	`+ var b = d1 == d2;`
	`115`	`+ b = d1 != d2;`
	`116`	`+ b = d1 > d2;`
	`117`	`+ b = d1 < d2;`
	`118`	`+ b = d1 >= d2;`
	`119`	`+ b = d1 <= d2;`
	`120`	`+ }`
`109`	`121`	`}`