Sync Bound between C# and Java

Author: tamasvajk

config/identical-files.json

@@ -62,6 +62,10 @@
     "java/ql/src/semmle/code/java/dataflow/internal/rangeanalysis/SignAnalysisCommon.qll",
     "csharp/ql/src/semmle/code/csharp/dataflow/internal/rangeanalysis/SignAnalysisCommon.qll"
   ],
+  "Bound Java/C#": [
+    "java/ql/src/semmle/code/java/dataflow/internal/rangeanalysis/BoundCommon.qll",
+    "csharp/ql/src/semmle/code/csharp/dataflow/internal/rangeanalysis/BoundCommon.qll"
+  ],
   "C++ SubBasicBlocks": [
     "cpp/ql/src/semmle/code/cpp/controlflow/SubBasicBlocks.qll",
     "cpp/ql/src/semmle/code/cpp/dataflow/internal/SubBasicBlocks.qll"

csharp/ql/src/semmle/code/csharp/dataflow/Bound.qll

@@ -1,58 +1,5 @@
-private import csharp
-private import Ssa
-private import semmle.code.csharp.dataflow.internal.rangeanalysis.ConstantUtils
-
-private newtype TBound =
-  TBoundZero() or
-  TBoundSsa(Definition v) { v.getSourceVariable().getType() instanceof IntegralType }
-
-/**
- * A bound that may be inferred for an expression plus/minus an integer delta.
- */
-abstract class Bound extends TBound {
-  /** Gets a textual representation of this bound. */
-  abstract string toString();
-
-  /** Gets an expression that equals this bound plus `delta`. */
-  abstract Expr getExpr(int delta);
-
-  /** Gets an expression that equals this bound. */
-  Expr getExpr() { result = getExpr(0) }
-
-  /**
-   * Holds if this element is at the specified location.
-   * The location spans column `sc` of line `sl` to
-   * column `ec` of line `el` in file `path`.
-   * For more information, see
-   * [Locations](https://help.semmle.com/QL/learn-ql/ql/locations.html).
-   */
-  predicate hasLocationInfo(string path, int sl, int sc, int el, int ec) {
-    path = "" and sl = 0 and sc = 0 and el = 0 and ec = 0
-  }
-}
-
 /**
- * The bound that corresponds to the integer 0. This is used to represent all
- * integer bounds as bounds are always accompanied by an added integer delta.
+ * Provides classes for representing abstract bounds for use in, for example, range analysis.
  */
-class ZeroBound extends Bound, TBoundZero {
-  override string toString() { result = "0" }
-
-  override Expr getExpr(int delta) { result.(ConstantIntegerExpr).getIntValue() = delta }
-}
-
-/**
- * A bound corresponding to the value of an SSA variable.
- */
-class DefinitionBound extends Bound, TBoundSsa {
-  /** Gets the SSA variable that equals this bound. */
-  Definition getDefinition() { this = TBoundSsa(result) }
-
-  override string toString() { result = getDefinition().toString() }
-
-  override Expr getExpr(int delta) { result = getDefinition().getARead() and delta = 0 }
 
-  override predicate hasLocationInfo(string path, int sl, int sc, int el, int ec) {
-    getDefinition().getLocation().hasLocationInfo(path, sl, sc, el, ec)
-  }
-}
+import semmle.code.csharp.dataflow.internal.rangeanalysis.BoundCommon

csharp/ql/src/semmle/code/csharp/dataflow/RangeAnalysis.qll

@@ -567,7 +567,7 @@ private predicate boundedPhiInp(
     or
     boundedPhi(inp, b, d, upper, fromBackEdge0, origdelta)
     or
-    b.(DefinitionBound).getDefinition() = inp and
+    b.(SsaBound).getSsa() = inp and
     d = 0 and
     (upper = true or upper = false) and
     fromBackEdge0 = false and
@@ -651,8 +651,8 @@ private predicate bbSucc(BasicBlock pre, BasicBlock post) { post = pre.getASucce
 private predicate selfBoundedPhiInp(
   PhiNode phi, Definition inp, SsaReadPositionPhiInputEdge edge, boolean upper
 ) {
-  exists(int d, DefinitionBound phibound |
-    phibound.getDefinition() = phi and
+  exists(int d, SsaBound phibound |
+    phibound.getSsa() = phi and
     boundedPhiInp(phi, inp, edge, phibound, d, upper, _, _) and
     (
       upper = true and d <= 0

csharp/ql/src/semmle/code/csharp/dataflow/internal/rangeanalysis/BoundCommon.qll

@@ -0,0 +1,75 @@
+/**
+ * Provides classes for representing abstract bounds for use in, for example, range analysis.
+ */
+
+private import BoundSpecific
+
+private newtype TBound =
+  TBoundZero() or
+  TBoundSsa(SsaVariable v) { v.getSourceVariable().getType() instanceof IntegralType } or
+  TBoundExpr(Expr e) { nonSsaVariableBoundedExpr(e) }
+
+/**
+ * A bound that may be inferred for an expression plus/minus an integer delta.
+ */
+abstract class Bound extends TBound {
+  /** Gets a textual representation of this bound. */
+  abstract string toString();
+
+  /** Gets an expression that equals this bound plus `delta`. */
+  abstract Expr getExpr(int delta);
+
+  /** Gets an expression that equals this bound. */
+  Expr getExpr() { result = getExpr(0) }
+
+  /**
+   * Holds if this element is at the specified location.
+   * The location spans column `sc` of line `sl` to
+   * column `ec` of line `el` in file `path`.
+   * For more information, see
+   * [Locations](https://help.semmle.com/QL/learn-ql/ql/locations.html).
+   */
+  predicate hasLocationInfo(string path, int sl, int sc, int el, int ec) {
+    path = "" and sl = 0 and sc = 0 and el = 0 and ec = 0
+  }
+}
+
+/**
+ * The bound that corresponds to the integer 0. This is used to represent all
+ * integer bounds as bounds are always accompanied by an added integer delta.
+ */
+class ZeroBound extends Bound, TBoundZero {
+  override string toString() { result = "0" }
+
+  override Expr getExpr(int delta) { result.(ConstantIntegerExpr).getIntValue() = delta }
+}
+
+/**
+ * A bound corresponding to the value of an SSA variable.
+ */
+class SsaBound extends Bound, TBoundSsa {
+  /** Gets the SSA variable that equals this bound. */
+  SsaVariable getSsa() { this = TBoundSsa(result) }
+
+  override string toString() { result = getSsa().toString() }
+
+  override Expr getExpr(int delta) { result = getSsa().getAUse() and delta = 0 }
+
+  override predicate hasLocationInfo(string path, int sl, int sc, int el, int ec) {
+    getSsa().getLocation().hasLocationInfo(path, sl, sc, el, ec)
+  }
+}
+
+/**
+ * A bound that corresponds to the value of a specific expression that might be
+ * interesting, but isn't otherwise represented by the value of an SSA variable.
+ */
+class ExprBound extends Bound, TBoundExpr {
+  override string toString() { result = getExpr().toString() }
+
+  override Expr getExpr(int delta) { this = TBoundExpr(result) and delta = 0 }
+
+  override predicate hasLocationInfo(string path, int sl, int sc, int el, int ec) {
+    getExpr().getLocation().hasLocationInfo(path, sl, sc, el, ec)
+  }
+}

csharp/ql/src/semmle/code/csharp/dataflow/internal/rangeanalysis/BoundSpecific.qll

@@ -0,0 +1,21 @@
+/**
+ * Provides C#-specific definitions for bounds.
+ */
+
+private import csharp as CS
+private import semmle.code.csharp.dataflow.SSA::Ssa as Ssa
+private import semmle.code.csharp.dataflow.internal.rangeanalysis.ConstantUtils as CU
+
+class SsaVariable extends Ssa::Definition {
+  /** Gets a read of the source variable underlying this SSA definition. */
+  Expr getAUse() { result = getARead() }
+}
+
+class Expr = CS::Expr;
+
+class IntegralType = CS::IntegralType;
+
+class ConstantIntegerExpr = CU::ConstantIntegerExpr;
+
+/** Holds if `e` is a bound expression and it is not an SSA variable read. */
+predicate nonSsaVariableBoundedExpr(Expr e) { CU::systemArrayLengthAccess(e.(CS::PropertyRead)) }

csharp/ql/src/semmle/code/csharp/dataflow/internal/rangeanalysis/ConstantUtils.qll

@@ -17,6 +17,13 @@ predicate propertyOverrides(Property p, string baseClass, string property) {
   )
 }
 
+/**
+ * Holds if `pa` is an access to the `Length` property of an array.
+ */
+predicate systemArrayLengthAccess(PropertyAccess pa) {
+  propertyOverrides(pa.getTarget(), "System.Array", "Length")
+}
+
 /**
  * Holds if expression `e` is either
  * - a compile time constant with integer value `val`, or
@@ -47,7 +54,7 @@ private int getArrayLengthRec(ArrayCreation arrCreation, int index) {
 }
 
 private predicate isArrayLengthAccess(PropertyAccess pa, int length) {
-  propertyOverrides(pa.getTarget(), "System.Array", "Length") and
+  systemArrayLengthAccess(pa) and
   exists(ExplicitDefinition arr, ArrayCreation arrCreation |
     getArrayLengthRec(arrCreation, arrCreation.getNumberOfLengthArguments() - 1) = length and
     arrCreation = arr.getADefinition().getSource() and

csharp/ql/test/library-tests/dataflow/rangeanalysis/RangeAnalysis.expected

@@ -1,41 +1,41 @@
-| RangeAnalysis.cs:7:9:7:9 | access to parameter x | DefinitionBound | 0 | lower |
-| RangeAnalysis.cs:7:9:7:9 | access to parameter x | DefinitionBound | 0 | upper |
+| RangeAnalysis.cs:7:9:7:9 | access to parameter x | SsaBound | 0 | lower |
+| RangeAnalysis.cs:7:9:7:9 | access to parameter x | SsaBound | 0 | upper |
 | RangeAnalysis.cs:7:13:7:15 | 500 | ZeroBound | 500 | lower |
 | RangeAnalysis.cs:7:13:7:15 | 500 | ZeroBound | 500 | upper |
-| RangeAnalysis.cs:9:11:9:11 | access to parameter x | DefinitionBound | 0 | lower |
-| RangeAnalysis.cs:9:11:9:11 | access to parameter x | DefinitionBound | 0 | upper |
+| RangeAnalysis.cs:9:11:9:11 | access to parameter x | SsaBound | 0 | lower |
+| RangeAnalysis.cs:9:11:9:11 | access to parameter x | SsaBound | 0 | upper |
 | RangeAnalysis.cs:9:11:9:11 | access to parameter x | ZeroBound | 499 | upper |
 | RangeAnalysis.cs:9:15:9:17 | 400 | ZeroBound | 400 | lower |
 | RangeAnalysis.cs:9:15:9:17 | 400 | ZeroBound | 400 | upper |
-| RangeAnalysis.cs:11:16:11:16 | access to parameter x | DefinitionBound | 0 | lower |
-| RangeAnalysis.cs:11:16:11:16 | access to parameter x | DefinitionBound | 0 | upper |
+| RangeAnalysis.cs:11:16:11:16 | access to parameter x | SsaBound | 0 | lower |
+| RangeAnalysis.cs:11:16:11:16 | access to parameter x | SsaBound | 0 | upper |
 | RangeAnalysis.cs:11:16:11:16 | access to parameter x | ZeroBound | 401 | lower |
 | RangeAnalysis.cs:11:16:11:16 | access to parameter x | ZeroBound | 499 | upper |
-| RangeAnalysis.cs:14:11:14:11 | access to parameter y | DefinitionBound | 0 | lower |
-| RangeAnalysis.cs:14:11:14:11 | access to parameter y | DefinitionBound | 0 | upper |
-| RangeAnalysis.cs:14:16:14:16 | access to parameter x | DefinitionBound | 0 | lower |
-| RangeAnalysis.cs:14:16:14:16 | access to parameter x | DefinitionBound | 0 | upper |
+| RangeAnalysis.cs:14:11:14:11 | access to parameter y | SsaBound | 0 | lower |
+| RangeAnalysis.cs:14:11:14:11 | access to parameter y | SsaBound | 0 | upper |
+| RangeAnalysis.cs:14:16:14:16 | access to parameter x | SsaBound | 0 | lower |
+| RangeAnalysis.cs:14:16:14:16 | access to parameter x | SsaBound | 0 | upper |
 | RangeAnalysis.cs:14:16:14:16 | access to parameter x | ZeroBound | 400 | upper |
-| RangeAnalysis.cs:14:21:14:21 | access to parameter y | DefinitionBound | 0 | lower |
-| RangeAnalysis.cs:14:21:14:21 | access to parameter y | DefinitionBound | 0 | upper |
+| RangeAnalysis.cs:14:21:14:21 | access to parameter y | SsaBound | 0 | lower |
+| RangeAnalysis.cs:14:21:14:21 | access to parameter y | SsaBound | 0 | upper |
 | RangeAnalysis.cs:14:21:14:21 | access to parameter y | ZeroBound | 400 | upper |
 | RangeAnalysis.cs:14:25:14:27 | 300 | ZeroBound | 300 | lower |
 | RangeAnalysis.cs:14:25:14:27 | 300 | ZeroBound | 300 | upper |
-| RangeAnalysis.cs:16:16:16:16 | access to parameter x | DefinitionBound | 0 | lower |
-| RangeAnalysis.cs:16:16:16:16 | access to parameter x | DefinitionBound | 0 | upper |
+| RangeAnalysis.cs:16:16:16:16 | access to parameter x | SsaBound | 0 | lower |
+| RangeAnalysis.cs:16:16:16:16 | access to parameter x | SsaBound | 0 | upper |
 | RangeAnalysis.cs:16:16:16:16 | access to parameter x | ZeroBound | 400 | upper |
-| RangeAnalysis.cs:16:16:16:20 | ... + ... | DefinitionBound | 1 | lower |
-| RangeAnalysis.cs:16:20:16:20 | access to parameter y | DefinitionBound | 0 | lower |
-| RangeAnalysis.cs:16:20:16:20 | access to parameter y | DefinitionBound | 0 | upper |
+| RangeAnalysis.cs:16:16:16:20 | ... + ... | SsaBound | 1 | lower |
+| RangeAnalysis.cs:16:20:16:20 | access to parameter y | SsaBound | 0 | lower |
+| RangeAnalysis.cs:16:20:16:20 | access to parameter y | SsaBound | 0 | upper |
 | RangeAnalysis.cs:16:20:16:20 | access to parameter y | ZeroBound | 301 | lower |
 | RangeAnalysis.cs:16:20:16:20 | access to parameter y | ZeroBound | 400 | upper |
-| RangeAnalysis.cs:19:11:19:11 | access to parameter x | DefinitionBound | 0 | lower |
-| RangeAnalysis.cs:19:11:19:11 | access to parameter x | DefinitionBound | 0 | upper |
+| RangeAnalysis.cs:19:11:19:11 | access to parameter x | SsaBound | 0 | lower |
+| RangeAnalysis.cs:19:11:19:11 | access to parameter x | SsaBound | 0 | upper |
 | RangeAnalysis.cs:19:11:19:11 | access to parameter x | ZeroBound | 400 | upper |
 | RangeAnalysis.cs:19:15:19:17 | 500 | ZeroBound | 500 | lower |
 | RangeAnalysis.cs:19:15:19:17 | 500 | ZeroBound | 500 | upper |
-| RangeAnalysis.cs:21:16:21:16 | access to parameter x | DefinitionBound | 0 | lower |
-| RangeAnalysis.cs:21:16:21:16 | access to parameter x | DefinitionBound | 0 | upper |
+| RangeAnalysis.cs:21:16:21:16 | access to parameter x | SsaBound | 0 | lower |
+| RangeAnalysis.cs:21:16:21:16 | access to parameter x | SsaBound | 0 | upper |
 | RangeAnalysis.cs:21:16:21:16 | access to parameter x | ZeroBound | 400 | upper |
 | RangeAnalysis.cs:21:16:21:16 | access to parameter x | ZeroBound | 501 | lower |
 | RangeAnalysis.cs:25:12:25:12 | 0 | ZeroBound | 0 | lower |

java/ql/src/semmle/code/java/dataflow/Bound.qll

@@ -2,79 +2,4 @@
  * Provides classes for representing abstract bounds for use in, for example, range analysis.
  */
 
-import java
-private import SSA
-private import RangeUtils
-
-private newtype TBound =
-  TBoundZero() or
-  TBoundSsa(SsaVariable v) { v.getSourceVariable().getType() instanceof IntegralType } or
-  TBoundExpr(Expr e) {
-    e.(FieldRead).getField() instanceof ArrayLengthField and
-    not exists(SsaVariable v | e = v.getAUse())
-  }
-
-/**
- * A bound that may be inferred for an expression plus/minus an integer delta.
- */
-abstract class Bound extends TBound {
-  /** Gets a textual representation of this bound. */
-  abstract string toString();
-
-  /** Gets an expression that equals this bound plus `delta`. */
-  abstract Expr getExpr(int delta);
-
-  /** Gets an expression that equals this bound. */
-  Expr getExpr() { result = getExpr(0) }
-
-  /**
-   * Holds if this element is at the specified location.
-   * The location spans column `sc` of line `sl` to
-   * column `ec` of line `el` in file `path`.
-   * For more information, see
-   * [Locations](https://help.semmle.com/QL/learn-ql/ql/locations.html).
-   */
-  predicate hasLocationInfo(string path, int sl, int sc, int el, int ec) {
-    path = "" and sl = 0 and sc = 0 and el = 0 and ec = 0
-  }
-}
-
-/**
- * The bound that corresponds to the integer 0. This is used to represent all
- * integer bounds as bounds are always accompanied by an added integer delta.
- */
-class ZeroBound extends Bound, TBoundZero {
-  override string toString() { result = "0" }
-
-  override Expr getExpr(int delta) { result.(ConstantIntegerExpr).getIntValue() = delta }
-}
-
-/**
- * A bound corresponding to the value of an SSA variable.
- */
-class SsaBound extends Bound, TBoundSsa {
-  /** Gets the SSA variable that equals this bound. */
-  SsaVariable getSsa() { this = TBoundSsa(result) }
-
-  override string toString() { result = getSsa().toString() }
-
-  override Expr getExpr(int delta) { result = getSsa().getAUse() and delta = 0 }
-
-  override predicate hasLocationInfo(string path, int sl, int sc, int el, int ec) {
-    getSsa().getLocation().hasLocationInfo(path, sl, sc, el, ec)
-  }
-}
-
-/**
- * A bound that corresponds to the value of a specific expression that might be
- * interesting, but isn't otherwise represented by the value of an SSA variable.
- */
-class ExprBound extends Bound, TBoundExpr {
-  override string toString() { result = getExpr().toString() }
-
-  override Expr getExpr(int delta) { this = TBoundExpr(result) and delta = 0 }
-
-  override predicate hasLocationInfo(string path, int sl, int sc, int el, int ec) {
-    getExpr().hasLocationInfo(path, sl, sc, el, ec)
-  }
-}
+import semmle.code.java.dataflow.internal.rangeanalysis.BoundCommon

java/ql/src/semmle/code/java/dataflow/ModulusAnalysis.qll

@@ -68,11 +68,11 @@ private Expr modExpr(Expr arg, int mod) {
   exists(RemExpr rem |
     result = rem and
     arg = rem.getLeftOperand() and
-    rem.getRightOperand().(CompileTimeConstantExpr).getIntValue() = mod and
+    rem.getRightOperand().(ConstantIntegerExpr).getIntValue() = mod and
     mod >= 2
   )
   or
-  exists(CompileTimeConstantExpr c |
+  exists(ConstantIntegerExpr c |
     mod = 2.pow([1 .. 30]) and
     c.getIntValue() = mod - 1 and
     result.(AndBitwiseExpr).hasOperands(arg, c)
@@ -84,7 +84,7 @@ private Expr modExpr(Expr arg, int mod) {
  * its `testIsTrue` branch.
  */
 private Guard moduloCheck(SsaVariable v, int val, int mod, boolean testIsTrue) {
-  exists(Expr rem, CompileTimeConstantExpr c, int r, boolean polarity |
+  exists(Expr rem, ConstantIntegerExpr c, int r, boolean polarity |
     result.isEquality(rem, c, polarity) and
     c.getIntValue() = r and
     rem = modExpr(v.getAUse(), mod) and