Add support for Array.Length in non SSA variable bounds

Author: tamasvajk

csharp/ql/src/semmle/code/csharp/dataflow/internal/rangeanalysis/BoundSpecific.qll

@@ -16,6 +16,7 @@ module Private {
 
 private module Impl {
   private import csharp
+  private import ConstantUtils
   private import semmle.code.csharp.dataflow.SSA::Ssa
 
   /** Holds if this `v` is of type `IntegralType`. */
@@ -24,7 +25,7 @@ private module Impl {
   }
 
   /** Holds if this `e` is a bound expression and it is not an SSA variable read. */
-  predicate nonSsaVariableBoundedExpr(Expr e) { none() } // todo: we could add array.Length calls
+  predicate nonSsaVariableBoundedExpr(Expr e) { systemArrayLengthAccess(e.(PropertyRead)) }
 
   /** Gets an expression where SSA variable `v` is read. */
   Expr getARead(Definition v) { result = v.getARead() }

csharp/ql/src/semmle/code/csharp/dataflow/internal/rangeanalysis/ConstantUtils.qll

@@ -17,6 +17,13 @@ predicate propertyOverrides(Property p, string baseClass, string property) {
   )
 }
 
+/**
+ * Holds if `pa` is an access to the `Length` property of an array.
+ */
+predicate systemArrayLengthAccess(PropertyAccess pa) {
+  propertyOverrides(pa.getTarget(), "System.Array", "Length")
+}
+
 /**
  * Holds if expression `e` is either
  * - a compile time constant with integer value `val`, or
@@ -47,7 +54,7 @@ private int getArrayLengthRec(ArrayCreation arrCreation, int index) {
 }
 
 private predicate isArrayLengthAccess(PropertyAccess pa, int length) {
-  propertyOverrides(pa.getTarget(), "System.Array", "Length") and
+  systemArrayLengthAccess(pa) and
   exists(ExplicitDefinition arr, ArrayCreation arrCreation |
     getArrayLengthRec(arrCreation, arrCreation.getNumberOfLengthArguments() - 1) = length and
     arrCreation = arr.getADefinition().getSource() and