C#: Use parameter CFG nodes in SSA

Author: hvitved

csharp/ql/lib/semmle/code/csharp/Assignable.qll

@@ -204,7 +204,7 @@ private class RefArg extends AssignableAccess {
   AssignableDefinition getAnAnalyzableRefDef(Parameter p) {
     this.isAnalyzable(p) and
     result.getTarget() = p and
-    not result = TImplicitParameterDefinition(_)
+    not result = TImplicitParameterDefinition(_, _)
   }
 
   /**
@@ -271,6 +271,11 @@ module AssignableInternal {
     def = TPatternDefinition(result)
     or
     def = TAssignOperationDefinition(result)
+    or
+    exists(Parameter p |
+      def = TImplicitParameterDefinition(p, true) and
+      result = p.getDefaultValue()
+    )
   }
 
   /** A local variable declaration at the top-level of a pattern. */
@@ -304,12 +309,18 @@ module AssignableInternal {
         not lvde instanceof TopLevelPatternDecl and
         not lvde.isOutArgument()
       } or
-      TImplicitParameterDefinition(Parameter p) {
+      TImplicitParameterDefinition(Parameter p, boolean isDefault) {
         exists(Callable c | p = c.getAParameter() |
           c.hasBody()
           or
           // Same as `c.(Constructor).hasInitializer()`, but avoids negative recursion warning
           c.getAChildExpr() instanceof @constructor_init_expr
+        ) and
+        (
+          isDefault = false
+          or
+          p.hasDefaultValue() and
+          isDefault = true
         )
       } or
       TAddressOfDefinition(AddressOfExpr aoe) or
@@ -673,7 +684,7 @@ module AssignableDefinitions {
   class ImplicitParameterDefinition extends AssignableDefinition, TImplicitParameterDefinition {
     Parameter p;
 
-    ImplicitParameterDefinition() { this = TImplicitParameterDefinition(p) }
+    ImplicitParameterDefinition() { this = TImplicitParameterDefinition(p, false) }
 
     /** Gets the underlying parameter. */
     Parameter getParameter() { result = p }
@@ -688,7 +699,27 @@ module AssignableDefinitions {
 
     override string toString() { result = p.toString() }
 
-    override Location getLocation() { result = this.getTarget().getLocation() }
+    override Location getLocation() { result = p.getLocation() }
+  }
+
+  /**
+   * A default value assigned to a parameter.
+   */
+  class ParameterDefaultDefinition extends AssignableDefinition, TImplicitParameterDefinition {
+    Parameter p;
+
+    ParameterDefaultDefinition() { this = TImplicitParameterDefinition(p, true) }
+
+    /** Gets the underlying parameter. */
+    Parameter getParameter() { result = p }
+
+    override Expr getElement() { result = p.getDefaultValue() }
+
+    override Callable getEnclosingCallable() { result = p.getCallable() }
+
+    override string toString() { result = p.getDefaultValue().toString() }
+
+    override Location getLocation() { result = p.getDefaultValue().getLocation() }
   }
 
   /**

csharp/ql/lib/semmle/code/csharp/dataflow/SSA.qll

@@ -527,14 +527,15 @@ module Ssa {
    * An SSA definition representing the implicit initialization of a parameter
    * at the beginning of a callable.
    */
-  class ImplicitParameterDefinition extends ImplicitEntryDefinition {
+  class ImplicitParameterDefinition extends ExplicitDefinition {
     private Parameter p;
 
     ImplicitParameterDefinition() {
-      exists(SourceVariable sv, Callable c |
-        implicitEntryDef(this, sv, c) and
-        localScopeSourceVariable(sv, p, _, c)
-      )
+      p = ad.(AssignableDefinitions::ImplicitParameterDefinition).getParameter()
+      // exists(SourceVariable sv, Callable c |
+      //   implicitEntryDef(this, sv, c) and
+      //   localScopeSourceVariable(sv, p, _, c)
+      // )
     }
 
     /** Gets the parameter that this entry definition represents. */
@@ -545,14 +546,6 @@ module Ssa {
     override string toString() {
       result = "SSA param(" + pragma[only_bind_out](this.getParameter()) + ")"
     }
-
-    override Location getLocation() {
-      not NearestLocation<NearestLocationInput>::nearestLocation(this, _, _) and
-      result = p.getLocation()
-      or
-      // multi-bodied method: use matching parameter location
-      NearestLocation<NearestLocationInput>::nearestLocation(this, result, _)
-    }
   }
 
   /**

csharp/ql/lib/semmle/code/csharp/dataflow/internal/SsaImpl.qll

@@ -126,7 +126,6 @@ private module SourceVariableImpl {
    */
   predicate variableDefinition(BasicBlock bb, int i, Ssa::SourceVariable v, AssignableDefinition ad) {
     ad = v.getADefinition() and
-    ad.getExpr().getControlFlowNode() = bb.getNode(i) and
     // In cases like `(x, x) = (0, 1)`, we discard the first (dead) definition of `x`
     not exists(TupleAssignmentDefinition first, TupleAssignmentDefinition second | first = ad |
       second.getAssignment() = first.getAssignment() and
@@ -136,7 +135,13 @@ private module SourceVariableImpl {
     // In cases like `M(out x, out x)`, there is no inherent evaluation order, so we
     // collapse the two definitions of `x`, using the first access as the representative,
     // and expose both definitions in `ExplicitDefinition.getADefinition()`
-    not ad = getASameOutRefDefAfter(v, _)
+    not ad = getASameOutRefDefAfter(v, _) and
+    (
+      ad.getExpr().getControlFlowNode() = bb.getNode(i)
+      or
+      ad.(AssignableDefinitions::ImplicitParameterDefinition).getParameter().getControlFlowNode() =
+        bb.getNode(i)
+    )
   }
 
   /**
@@ -771,8 +776,6 @@ private module Cached {
       or
       // Each tracked field and property has an implicit entry definition
       v instanceof PlainFieldOrPropSourceVariable
-      or
-      v.getAssignable() instanceof Parameter
     )
   }
 

csharp/ql/test/library-tests/dataflow/ssa/DefAdjacentRead.expected

@@ -83,7 +83,6 @@
 | Fields.cs:95:19:95:19 | f | Fields.cs:95:19:95:19 | f | Fields.cs:97:9:97:9 | access to parameter f |
 | Fields.cs:107:33:107:33 | f | Fields.cs:107:33:107:33 | f | Fields.cs:107:38:107:38 | access to parameter f |
 | MultiImplementationA.cs:5:22:5:22 | x | MultiImplementationA.cs:5:22:5:22 | x | MultiImplementationA.cs:5:28:5:28 | access to parameter x |
-| MultiImplementationA.cs:5:22:5:22 | x | MultiImplementationA.cs:5:22:5:22 | x | MultiImplementationB.cs:3:28:3:28 | access to parameter x |
 | OutRef.cs:5:9:5:13 | Field | OutRef.cs:13:28:13:32 | access to field Field | OutRef.cs:15:13:15:17 | access to field Field |
 | OutRef.cs:5:9:5:13 | Field | OutRef.cs:16:21:16:25 | access to field Field | OutRef.cs:17:13:17:17 | access to field Field |
 | OutRef.cs:5:9:5:13 | Field | OutRef.cs:16:32:16:36 | access to field Field | OutRef.cs:17:13:17:17 | access to field Field |

csharp/ql/test/library-tests/dataflow/ssa/SsaDef.expected

@@ -160,7 +160,6 @@
 | Fields.cs:116:21:116:39 | this.Field.Field.xs | Fields.cs:109:10:109:10 | SSA qualifier def(this.Field.Field.xs) |
 | Fields.cs:116:21:116:39 | this.Field.Field.xs | Fields.cs:114:9:114:22 | SSA qualifier def(this.Field.Field.xs) |
 | MultiImplementationA.cs:5:22:5:22 | x | MultiImplementationA.cs:5:22:5:22 | SSA param(x) |
-| MultiImplementationA.cs:5:22:5:22 | x | MultiImplementationB.cs:3:22:3:22 | SSA param(x) |
 | OutRef.cs:9:13:9:13 | j | OutRef.cs:9:13:9:17 | SSA def(j) |
 | OutRef.cs:9:13:9:13 | j | OutRef.cs:10:32:10:32 | SSA def(j) |
 | OutRef.cs:9:13:9:13 | j | OutRef.cs:22:22:22:22 | SSA def(j) |

csharp/ql/test/library-tests/dataflow/ssa/SsaDefElement.expected

@@ -146,7 +146,6 @@
 | Fields.cs:114:9:114:22 | SSA call def(this.Field.Field) | Fields.cs:114:9:114:22 | call to method SetField |
 | Fields.cs:114:9:114:22 | SSA qualifier def(this.Field.Field.xs) | Fields.cs:114:9:114:22 | call to method SetField |
 | MultiImplementationA.cs:5:22:5:22 | SSA param(x) | MultiImplementationA.cs:5:22:5:22 | x |
-| MultiImplementationB.cs:3:22:3:22 | SSA param(x) | MultiImplementationA.cs:5:22:5:22 | x |
 | OutRef.cs:7:10:7:10 | SSA entry def(this.Field) | OutRef.cs:7:10:7:10 | M |
 | OutRef.cs:9:13:9:17 | SSA def(j) | OutRef.cs:9:13:9:17 | Int32 j = ... |
 | OutRef.cs:10:25:10:25 | SSA def(i) | OutRef.cs:10:9:10:33 | call to method OutRefM |