C#: Remove FPs from cs/dereferenced-value-may-be-null

Apply a conservative approach by filtering out results for accesses to
captured nullable values, when there is an (implicit) call to the capturing
callable which is `null`-guarded. For example:

```
bool M(int? i, IEnumerable<int> @is)
{
    if (i.HasValue)
        return @is.Any(j => j == i.Value); // GOOD
    return false;
}
```

Author: hvitved

csharp/ql/lib/semmle/code/csharp/controlflow/Guards.qll

@@ -33,20 +33,28 @@ class Guard extends Expr {
   }
 
   /**
-   * Holds if basic block `bb` is guarded by this expression having value `v`.
+   * Holds if `cfn` is guarded by this expression having value `v`.
+   *
+   * Note: This predicate is inlined.
    */
-  predicate controlsBasicBlock(BasicBlock bb, AbstractValue v) {
-    Internal::guardControls(this, bb, v)
+  pragma[inline]
+  predicate controlsNode(ControlFlow::Nodes::ElementNode cfn, AbstractValue v) {
+    guardControls(this, cfn.getBasicBlock(), v)
   }
 
+  /**
+   * Holds if basic block `bb` is guarded by this expression having value `v`.
+   */
+  predicate controlsBasicBlock(BasicBlock bb, AbstractValue v) { guardControls(this, bb, v) }
+
   /**
    * Holds if this guard is an equality test between `e1` and `e2`. If the test is
    * negated, that is `!=`, then `polarity` is false, otherwise `polarity` is
    * true.
    */
   predicate isEquality(Expr e1, Expr e2, boolean polarity) {
     exists(BooleanValue v |
-      this = Internal::getAnEqualityCheck(e1, v, e2) and
+      this = getAnEqualityCheck(e1, v, e2) and
       polarity = v.getValue()
     )
   }

csharp/ql/lib/semmle/code/csharp/dataflow/Nullness.qll

@@ -177,6 +177,19 @@ private predicate isNullDefaultArgument(Ssa::ExplicitDefinition def, AlwaysNullE
   )
 }
 
+/**
+ * Holds if `edef` is an implicit entry definition for a captured variable that
+ * may be guarded, because a call to the capturing callable is guarded.
+ */
+private predicate isMaybeGuardedCapturedDef(Ssa::ImplicitEntryDefinition edef) {
+  exists(Ssa::ExplicitDefinition def, ControlFlow::Nodes::ElementNode c, G::Guard g, NullValue nv |
+    def.isCapturedVariableDefinitionFlowIn(edef, c, _) and
+    g = def.getARead() and
+    g.controlsNode(c, nv) and
+    nv.isNonNull()
+  )
+}
+
 /** Holds if `def` is an SSA definition that may be `null`. */
 private predicate defMaybeNull(Ssa::Definition def, string msg, Element reason) {
   not nonNullDef(def) and
@@ -214,6 +227,7 @@ private predicate defMaybeNull(Ssa::Definition def, string msg, Element reason)
     exists(Dereference d | dereferenceAt(_, _, def, d) |
       d.hasNullableType() and
       not def instanceof Ssa::PhiNode and
+      not isMaybeGuardedCapturedDef(def) and
       reason = def.getSourceVariable().getAssignable() and
       msg = "because it has a nullable type"
     )

csharp/ql/test/query-tests/Nullness/E.cs

@@ -9,9 +9,9 @@ public void Ex1(long[][][] a1, int ix, int len)
         long[][] a2 = null;
         var haveA2 = ix < len && (a2 = a1[ix]) != null;
         long[] a3 = null;
-        var haveA3 = haveA2 && (a3 = a2[ix]) != null; // GOOD (false positive)
+        var haveA3 = haveA2 && (a3 = a2[ix]) != null; // GOOD (FALSE POSITIVE)
         if (haveA3)
-            a3[0] = 0; // GOOD (false positive)
+            a3[0] = 0; // GOOD (FALSE POSITIVE)
     }
 
     public void Ex2(bool x, bool y)
@@ -24,7 +24,7 @@ public void Ex2(bool x, bool y)
             s2 = (s1 == null) ? null : "";
         }
         if (s2 != null)
-            s1.ToString(); // GOOD (false positive)
+            s1.ToString(); // GOOD (FALSE POSITIVE)
     }
 
     public void Ex3(IEnumerable<string> ss)
@@ -58,7 +58,7 @@ public void Ex4(IEnumerable<string> list, int step)
                 slice = new List<string>();
                 result.Add(slice);
             }
-            slice.Add(str); // GOOD (false positive)
+            slice.Add(str); // GOOD (FALSE POSITIVE)
             ++index;
         }
     }
@@ -70,7 +70,7 @@ public void Ex5(bool hasArr, int[] arr)
             arrLen = arr == null ? 0 : arr.Length;
 
         if (arrLen > 0)
-            arr[0] = 0; // GOOD (false positive)
+            arr[0] = 0; // GOOD (FALSE POSITIVE)
     }
 
     public const int MY_CONST_A = 1;
@@ -109,7 +109,7 @@ public void Ex7(int[] arr1)
             arr2 = new int[arr1.Length];
 
         for (var i = 0; i < arr1.Length; i++)
-            arr2[i] = arr1[i]; // GOOD (false positive)
+            arr2[i] = arr1[i]; // GOOD (FALSE POSITIVE)
     }
 
     public void Ex8(int x, int lim)
@@ -122,7 +122,7 @@ public void Ex8(int x, int lim)
             int j = 0;
             while (!stop && j < lim)
             {
-                int step = (j * obj.GetHashCode()) % 10; // GOOD (false positive)
+                int step = (j * obj.GetHashCode()) % 10; // GOOD (FALSE POSITIVE)
                 if (step == 0)
                 {
                     obj.ToString(); // GOOD
@@ -156,15 +156,15 @@ public void Ex9(bool cond, object obj1)
             cond = true;
         }
         if (cond)
-            obj2.ToString(); // GOOD (false positive)
+            obj2.ToString(); // GOOD (FALSE POSITIVE)
     }
 
     public void Ex10(int[] a)
     {
         int n = a == null ? 0 : a.Length;
         for (var i = 0; i < n; i++)
         {
-            int x = a[i]; // GOOD (false positive)
+            int x = a[i]; // GOOD (FALSE POSITIVE)
             if (x > 7)
                 a = new int[n];
         }
@@ -175,15 +175,15 @@ public void Ex11(object obj, bool b1)
         bool b2 = obj == null ? false : b1;
         if (b2 == null)
         {
-            obj.ToString(); // GOOD (false positive)
+            obj.ToString(); // GOOD (FALSE POSITIVE)
         }
         if (obj == null)
         {
             b1 = true;
         }
         if (b1 == null)
         {
-            obj.ToString(); // GOOD (false positive)
+            obj.ToString(); // GOOD (FALSE POSITIVE)
         }
     }
 
@@ -372,7 +372,7 @@ static int Ex36(object o)
         if (o is string)
         {
             var s = o as string;
-            return s.Length; // GOOD (false positive)
+            return s.Length; // GOOD (FALSE POSITIVE)
         }
         return -1;
     }
@@ -383,7 +383,7 @@ static bool Ex37(E e1, E e2)
             return false;
         if (e1 == null && e2 == null)
             return true;
-        return e1.Long == e2.Long; // GOOD (false positive)
+        return e1.Long == e2.Long; // GOOD (FALSE POSITIVE)
     }
 
     int Ex38(int? i)
@@ -420,14 +420,14 @@ static bool Ex42(int? i, IEnumerable<int> @is)
     static bool Ex43(int? i, IEnumerable<int> @is)
     {
         if (i.HasValue)
-            return @is.Any(j => j == i.Value); // GOOD (FALSE POSITIVE)
+            return @is.Any(j => j == i.Value); // GOOD
         return false;
     }
 
     static bool Ex44(int? i, IEnumerable<int> @is)
     {
         if (i.HasValue)
-            @is = @is.Where(j => j == i.Value); // BAD (always)
+            @is = @is.Where(j => j == i.Value); // BAD (always) (FALSE NEGATIVE)
         i = null;
         return @is.Any();
     }

csharp/ql/test/query-tests/Nullness/NullMaybe.expected

@@ -408,10 +408,6 @@ nodes
 | E.cs:405:16:405:16 | access to local variable i |
 | E.cs:417:24:417:40 | SSA capture def(i) |
 | E.cs:417:34:417:34 | access to parameter i |
-| E.cs:423:28:423:44 | SSA capture def(i) |
-| E.cs:423:38:423:38 | access to parameter i |
-| E.cs:430:29:430:45 | SSA capture def(i) |
-| E.cs:430:39:430:39 | access to parameter i |
 | Forwarding.cs:7:16:7:23 | SSA def(s) |
 | Forwarding.cs:9:13:9:30 | [false] !... |
 | Forwarding.cs:14:9:17:9 | if (...) ... |
@@ -802,8 +798,6 @@ edges
 | E.cs:404:9:404:18 | SSA def(i) | E.cs:405:16:405:16 | access to local variable i |
 | E.cs:404:9:404:18 | SSA def(i) | E.cs:405:16:405:16 | access to local variable i |
 | E.cs:417:24:417:40 | SSA capture def(i) | E.cs:417:34:417:34 | access to parameter i |
-| E.cs:423:28:423:44 | SSA capture def(i) | E.cs:423:38:423:38 | access to parameter i |
-| E.cs:430:29:430:45 | SSA capture def(i) | E.cs:430:39:430:39 | access to parameter i |
 | Forwarding.cs:7:16:7:23 | SSA def(s) | Forwarding.cs:9:13:9:30 | [false] !... |
 | Forwarding.cs:9:13:9:30 | [false] !... | Forwarding.cs:14:9:17:9 | if (...) ... |
 | Forwarding.cs:14:9:17:9 | if (...) ... | Forwarding.cs:19:9:22:9 | if (...) ... |
@@ -917,8 +911,6 @@ edges
 | E.cs:386:27:386:28 | access to parameter e2 | E.cs:380:30:380:31 | SSA param(e2) | E.cs:386:27:386:28 | access to parameter e2 | Variable $@ may be null here as suggested by $@ null check. | E.cs:380:30:380:31 | e2 | e2 | E.cs:382:58:382:67 | ... == ... | this |
 | E.cs:386:27:386:28 | access to parameter e2 | E.cs:380:30:380:31 | SSA param(e2) | E.cs:386:27:386:28 | access to parameter e2 | Variable $@ may be null here as suggested by $@ null check. | E.cs:380:30:380:31 | e2 | e2 | E.cs:384:27:384:36 | ... == ... | this |
 | E.cs:417:34:417:34 | access to parameter i | E.cs:417:24:417:40 | SSA capture def(i) | E.cs:417:34:417:34 | access to parameter i | Variable $@ may be null here because it has a nullable type. | E.cs:415:27:415:27 | i | i | E.cs:415:27:415:27 | i | this |
-| E.cs:423:38:423:38 | access to parameter i | E.cs:423:28:423:44 | SSA capture def(i) | E.cs:423:38:423:38 | access to parameter i | Variable $@ may be null here because it has a nullable type. | E.cs:420:27:420:27 | i | i | E.cs:420:27:420:27 | i | this |
-| E.cs:430:39:430:39 | access to parameter i | E.cs:430:29:430:45 | SSA capture def(i) | E.cs:430:39:430:39 | access to parameter i | Variable $@ may be null here because it has a nullable type. | E.cs:427:27:427:27 | i | i | E.cs:427:27:427:27 | i | this |
 | GuardedString.cs:35:31:35:31 | access to local variable s | GuardedString.cs:7:16:7:32 | SSA def(s) | GuardedString.cs:35:31:35:31 | access to local variable s | Variable $@ may be null here because of $@ assignment. | GuardedString.cs:7:16:7:16 | s | s | GuardedString.cs:7:16:7:32 | String s = ... | this |
 | NullMaybeBad.cs:7:27:7:27 | access to parameter o | NullMaybeBad.cs:13:17:13:20 | null | NullMaybeBad.cs:7:27:7:27 | access to parameter o | Variable $@ may be null here because of $@ null argument. | NullMaybeBad.cs:5:25:5:25 | o | o | NullMaybeBad.cs:13:17:13:20 | null | this |
 | StringConcatenation.cs:16:17:16:17 | access to local variable s | StringConcatenation.cs:14:16:14:23 | SSA def(s) | StringConcatenation.cs:16:17:16:17 | access to local variable s | Variable $@ may be null here because of $@ assignment. | StringConcatenation.cs:14:16:14:16 | s | s | StringConcatenation.cs:14:16:14:23 | String s = ... | this |